Re: [Openvpn-devel] [PATCH applied] Fix bounds check in read_key()
Even though this fix has been backported and applied to release/2.3 and older, we will only plan releases for v2.3 and v2.4. We have mainly backported this issue to release/2.3, but it was very easy to cherry-pick this fix to the older branches; thus it was done so.

This patch is also sent out to the list a bit earlier than we normally do, as the security impact of this issue is considered to be minimal. This requires configurations to use --key-method 1 and will only work in some of the many possible configuration possibilities. When also considering that --key-method 2 has been the default since April 2005, then it is hopefully clear that this is not a very critical issue.

This patch has been applied to the following branches

commit 3b1a61e9fb27213c46f76312f4065816bee8ed01 (master)
commit c7e259160b28e94e4ea7f0ef767f8134283af255 (release/2.4)
commit fce34375295151f548a26c2d0eb30141e427c81a (release/2.3)
commit a9f5c744d6b09f2495ca48d2c926efd3a4b981e6 (release/2.2)
commit c560f95e7038daa3a1b5a08b69b85fb68d4eeef3 (release/2.1)

Author: Steffan Karger
Date:   Tue Aug 15 10:04:33 2017 +0200

    Fix bounds check in read_key()

    CVE: 2017-12166

    Signed-off-by: Steffan Karger <steffan.kar...@fox-it.com>
    Acked-by: Gert Doering <g...@greenie.muc.de>
    Acked-by: David Sommerseth <dav...@openvpn.net>
    Message-Id: <80690690-67ac-3320-1891-9fecedc6a...@fox-it.com>
    URL: https://www.mail-archive.com/search?l=mid=80690690-67ac-3320-1891-9fecedc6a...@fox-it.com
    Signed-off-by: David Sommerseth <dav...@openvpn.net>

--
kind regards,

David Sommerseth

Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH applied] systemd: Enable systemd's auto-restart feature for server profiles
Applying lazy-ack policy to this patch. Despite one reservation to this change, the overall discussion was in favour of this enhancement.

Your patch has been applied to the following branches

commit a4686e99b047081f0ef6f7945450183088464aa5 (master)
commit 1c112c38d46207905bff97969cf787baada59711 (release/2.4)

Author: David Sommerseth
Date:   Thu Sep 7 01:52:02 2017 +0200

    systemd: Enable systemd's auto-restart feature for server profiles

    Signed-off-by: David Sommerseth <dav...@openvpn.net>
    Acked-by: David Sommerseth <dav...@openvpn.net>
    Message-Id: <20170906235202.26551-1-dav...@openvpn.net>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15370.html
    Signed-off-by: David Sommerseth <dav...@openvpn.net>

--
kind regards,

David Sommerseth
Re: [Openvpn-devel] [PATCH applied] tcp-server: ensure AF family is propagated to child context
Your patch has been applied to the following branches

commit 682e7feac3bd57e6ce7e60504cb4da5c894d0e18 (master)
commit b3b7d073ce05fa6b11a28f9e70d66c4907274db5 (release/2.4)

Author: Antonio Quartulli
Date:   Thu Sep 7 17:55:30 2017 +0800

    tcp-server: ensure AF family is propagated to child context

    Trac: 933

    Signed-off-by: Antonio Quartulli <anto...@openvpn.net>
    Acked-by: Arne Schwabe <a...@rfc2549.org>
    Message-Id: <20170907095530.15972-...@unstable.cc>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15380.html
    Signed-off-by: David Sommerseth <dav...@openvpn.net>

--
kind regards,

David Sommerseth
Re: [Openvpn-devel] [PATCH v2] lz4: Move towards a newer LZ4 API
On 07/09/17 22:40, Simon Matter wrote:
> Hi,
>
> While we are at it, I found it useful to see the used LZ4 version at
> runtime as it is done with LZO and other libraries.
>
> I've patched my rpms with the patch attached.

Thanks a lot! I think this makes sense. But I think we can do this stuff as a separate patch, not part of this round of patches. Let's target this after the current LZ4 patches have been applied. Then it is much easier to test and validate this approach.

--
kind regards,

David Sommerseth
OpenVPN Technologies, Inc
Re: [Openvpn-devel] Better error recognition and error/status reporting to the mgmt i/f
> y has to be FATAL, but "route add" failures are borderline cases.
> E.g., if "--redirect-gateway" fails, the tunnel may be considered
> meaningless in many use cases and thus a fatal error. So, some but not
> all route-add errors may have to be treated as FATAL.

This is the crux of it. There is no way OpenVPN by itself knows beforehand when a route change is fatal or not. This touches more on some kind of policy handling, which needs to be configurable. Right now it is more the kind of "best efforts" approach on the routing setup and "required" for the IP address configuration.

> If there is consensus, and an appetite for patch review, I can send in
> some patches for 2 to 5 and possibly 1. For 0, I'm not sure how to keep
> track of past errors to construct a useful status message.

I think we all agree we need to improve this. But how and at which scale is currently an open topic. Right now, I think it is good to take some time to discuss and debate this issue. Perhaps we should allocate one community developers meeting after the hackathon for discussing this. I'm suggesting after the hackathon, to ensure we have some clear path forward on how we want to clean up route.c/tun.c. This is a massive effort and I doubt it will be done too quickly, so once we have some path forward we should look into the error handling as well instantly afterwards.

Anyway ... Thank you, Selva, for going into the depths here. We sure have quite something to consider and discuss.

--
kind regards,

David Sommerseth
OpenVPN Technologies, Inc
Re: [Openvpn-devel] [PATCH v2] pf: clean up temporary files if plugin init fails
On 15/09/17 08:39, Steffan Karger wrote:
> close_instance() tries to remove the file in c2.pf.filename, but that only
> works if we actually set that if we fail. So, set that filename as soon
> as we know we've created the file.
>
> Signed-off-by: Steffan Karger <steffan.kar...@fox-it.com>
> ---
> v2: As suggested by Antonio, get rid of local 'gc' and 'file' vars.
>
> src/openvpn/pf.c | 10 --
> 1 file changed, 4 insertions(+), 6 deletions(-)
>
> diff --git a/src/openvpn/pf.c b/src/openvpn/pf.c
> index 5fe1734..7479347 100644
> --- a/src/openvpn/pf.c
> +++ b/src/openvpn/pf.c
> @@ -618,19 +618,18 @@ pf_load_from_buffer_list(struct context *c, const struct buffer_list *config)
> void
> pf_init_context(struct context *c)
> {
> -struct gc_arena gc = gc_new();
> #ifdef PLUGIN_PF
> if (plugin_defined(c->plugins, OPENVPN_PLUGIN_ENABLE_PF))
> {
> -const char *pf_file = create_temp_file(c->options.tmp_dir, "pf", );
> -if (pf_file)
> +c->c2.pf.filename = create_temp_file(c->options.tmp_dir, "pf",
> + >c2.gc);

Patch looks good. But it introduces a new compile warning.

pf.c: In function ‘pf_init_context’:
pf.c:624:27: warning: assignment discards ‘const’ qualifier from pointer target type [enabled by default]
     c->c2.pf.filename = create_temp_file(c->options.tmp_dir, "pf",

I'm pondering if we need create_temp_file() to actually return a const char * - wouldn't just a plain char * be enough? The alternative is to cast the const away here; but that just feels too hacky in this code path.

--
kind regards,

David Sommerseth
OpenVPN Technologies, Inc
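Review bot: the hunk removes `struct gc_arena gc = gc_new();` at the top of pf_init_context(), but the quoted portion ends before the function's exit path, so the matching `gc_free(&gc)` is not visible here; please confirm it was dropped in the same change (the v2 note says the local gc is gone), otherwise the function will not compile. On the const warning raised in the reply: since the filename is now kept in c2.pf.filename so that close_instance() can remove the file later, changing create_temp_file() to return a plain `char *` is the cleaner fix than casting at this call site.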
Re: [Openvpn-devel] Summary of today's (Wed, 12th Sep 2017) community meeting
On 12/09/17 21:50, Samuli Seppänen wrote:
> Hi,
>
> Here's the summary of today's IRC meeting.
>
> ---
>
> COMMUNITY MEETING
>
> Place: #openvpn-meeting on irc.freenode.net
> Date: Wednesday 12th Sep 2017
> Time: 20:00 CET (19:00 UTC)
>
> Planned meeting topics for this meeting were here:
>
> <https://community.openvpn.net/openvpn/wiki/Topics-2017-09-12>
>
> The next meeting has not been scheduled yet.
>
> Your local meeting time is easy to check from services such as
>
> <http://www.timeanddate.com/worldclock>
>
> SUMMARY
>
> chipitsine, cron2, dazo, mattock, ordex and syzzer participated in this
> meeting.
>
> Discussed tls-crypt-v2. Ordex has implemented this on the OpenVPN 3
> side. Syzzer is still working on it on the OpenVPN 2 side.
>
> --
>
> Discussed having a regular meeting schedule again. Agreed that having a
> one-hour meeting every Wednesday at 19:00 CEST makes sense. We will
> start the meetings next week (20th September).
>
> --
>
> Discussed the upcoming 2.4.4 release. We have enough commits for a
> maintenance release, but there is one security fix in the pipeline, as
> well as a fix to the NSI installer. It was agreed that the security fix
> should have a CVE. The release date was set to 25th September.

Just a slight correction here. We will attempt to have the git tree signed with the proper tags by September 25. But we are aiming for the release to happen soon after this has happened. As we need to co-ordinate this with both CVE assignment and the PR team, we need to have a somewhat flexible schedule to ensure everyone is aligned.

And for those wondering about the severity of this CVE; it is considered to have a really low impact and not to be critical at all. This requires a special option to be used, which is also believed to be very seldom used. But as it can be more critical if this option is used, we decided to request a CVE for it.

[...snip...]

> Briefly discussed dazo's lz4 v2 patch. Cron2 promised to review it in
> the next few days.

The patch which was referenced is this one:
<https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15396.html>

--
kind regards,

David Sommerseth
OpenVPN Technologies, Inc
Re: [Openvpn-devel] Topics for tomorrow's (Tue, 12th Sep 2017) community meeting
On 11/09/17 13:14, Samuli Seppänen wrote:
> Hi,
>
> We're going to have an IRC meeting tomorrow starting at 20:00 CEST
> (18:00 UTC) on #openvpn-meeting irc.freenode.net. You do not have
> to be logged in to Freenode to join the channel.

If we can slide this to 20:30-ish (CEST) - that is, delay it 30 minutes. It will be far easier for both Gert and me to join the meeting. (We just quickly chatted about it on IRC). If not, we'll come as quickly as we can manage.

--
kind regards,

David Sommerseth
OpenVPN Technologies, Inc
Re: [Openvpn-devel] proper configuring of "tls-verify"
On 11/09/17 14:02, Илья Шипицин wrote:
> 2017-09-11 16:54 GMT+05:00 Илья Шипицин <chipits...@gmail.com>:
>> 2017-09-11 16:45 GMT+05:00 Jan Just Keijser <janj...@nikhef.nl>:
>>> Hi,
>>>
>>> On 11/09/17 13:22, Илья Шипицин wrote:
>>>> Hello,
>>>>
>>>> is someone actually using "tls-verify" in production ?
>>>> we tried to implement additional certificate check using tls-verify
>>>>
>>>> while it works in general, in case when it hits "exit 1", it
>>>> looks like a timeout from client point of view. it is not any good
>>>
>>> do you mean that when a client is denied access (i.e. the
>>> tls-verify script exits 1 on the server) that the client sees
>>> this as a timeout? that is "normal" behaviour, as the server
>>> does not tell the client *WHY* access is refused - it simply
>>> stops responding to a client that does not pass
>>> authentication/authorization. The client will not hear from the
>>> server, and will time out after a specified interval. This is
>>> actually the most secure way to do things, as a rogue client
>>> cannot DoS a server this way.
>>
>> I'd say it depends.
>>
>> we run a lot of openvpn-gui with real people sitting in front of
>> them, from their point of view it is "oh, it does not work! fix it!"
>> in our case better UX is to deliver proper reason to the client
>>
>> for someone maybe the better UX is to keep silence
>
> what is wrong with timeout is endless retry.
> there's no way to pass authentication once it failed, so why does client
> have to retry ?

User-friendliness and security seldom walk hand-in-hand. As this friendliness provides enough information fragments for an attacker to figure out "I need to try something else". A non-responding server gives no clues. It can be a crappy server or it can be access denied; the attacker doesn't know - thus making it harder to figure out what to do next.

The client will by default try to reconnect, because that is what it in most cases is told to do when the server is unresponsive. And since this happens with many seconds in between, a single client will not attempt to DoS a server by mistake by retrying in a too tight loop.

A failed authentication is a failed authentication. Thus UX client front-ends could treat this silence like that - but also account for other types of connectivity issues.

If it should try to reconnect or not, well, that's entirely up to the configuration file. There is --single-session which can be used to control this. But for servers running OpenVPN clients, retrying indefinitely at regular intervals may just as well be valuable; if it is an issue which is temporary. Then these clients would reconnect once everything is back online again on the server side.

--
kind regards,

David Sommerseth
OpenVPN Technologies, Inc
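An added illustration of the server-side hook the thread is about (example code, not from OpenVPN or from any poster): a minimal --tls-verify script that matches the client certificate's CN against an allow list and, since the rejected client only ever sees a timeout, logs the reason on the server. The ALLOWED_CNS list and the subject strings used in the comments are constructed.

```shell
#!/bin/sh
# Added example, not OpenVPN project code. OpenVPN runs a --tls-verify script
# once per certificate in the peer's chain with $1 = depth (0 is the client's
# own certificate) and $2 = the X.509 subject string. Exit 0 accepts the
# certificate; any other status rejects the handshake.
# Constructed allow list; a real deployment would keep this outside the script.
ALLOWED_CNS="${ALLOWED_CNS:-alice.example.org bob.example.org}"

# Print the CN component of a subject string, or nothing if there is none.
# Handles both "C=NO, O=Example, CN=alice.example.org" and the older
# "/C=NO/O=Example/CN=alice.example.org" form. The CN must sit at the start
# of the subject or directly after a ", " or "/" separator, so a value such
# as "O=CN=alice" is not mistaken for a CN.
subject_cn() {
    s=", $1"   # prefix a separator so a leading CN= is treated like the others
    case "$s" in
        *", CN="*) cn="${s##*, CN=}" ;;
        */CN=*)    cn="${s##*/CN=}" ;;
        *)         return 0 ;;
    esac
    cn="${cn%%,*}"   # cut at the next ", " separator
    cn="${cn%%/*}"   # or at the next "/" separator
    printf '%s\n' "$cn"
}

# check_subject DEPTH SUBJECT -> 0 accept, 1 reject.
# Only the leaf certificate (depth 0) is matched against the allow list.
# CA and intermediate certificates were already validated by OpenVPN's normal
# chain verification before this script is called, so they pass through.
check_subject() {
    depth="$1"
    subject="$2"
    if [ "$depth" != 0 ]; then
        return 0
    fi
    cn=$(subject_cn "$subject")
    if [ -z "$cn" ]; then
        return 1
    fi
    for allowed in $ALLOWED_CNS; do
        if [ "$cn" = "$allowed" ]; then
            return 0
        fi
    done
    return 1
}

# verdict DEPTH SUBJECT -> prints "accept" or "reject"; convenient for testing.
verdict() {
    if check_subject "$1" "$2"; then
        echo accept
    else
        echo reject
    fi
}

# When invoked by OpenVPN (exactly two arguments), act as the tls-verify hook
# and record every rejection on the server side, where the admin can see it.
if [ "$#" -eq 2 ]; then
    if check_subject "$1" "$2"; then
        exit 0
    fi
    printf 'tls-verify: rejected depth=%s subject=%s\n' "$1" "$2" >&2
    exit 1
fi
```

Wire it in with `tls-verify /path/to/this-script` in the server config (with `script-security 2`); rejected clients still only see silence, but the server log now says why.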
Re: [Openvpn-devel] [PATCH] systemd: Enable systemd's auto-restart feature for server profiles
On 07/09/17 23:02, fragmentux wrote:
> Hi,
>
> all your comment are totally valid from a sys-admin point of view but
> from an openvpn POV, the only responsibility is to provide a secure VPN.
>
> Use all of systemd's functions to maximize openvpn's process *security*
> But *forcing* restart as an almost unconditional default is nonsense.

We are in the position to promote sane and good defaults. This behaviour is considered sane and good by many sys-admins. So when these two view-points intersect, I see no harm in us actually promoting this change.

> How would you do this for non-systemd systems ?

Isn't that obvious? systemd unit files are for systemd. Non-systemd systems don't have systemd unit files, thus there is very little we can do about them.

> I disagree with making this change to the default
> openvpn-server@.service unit file.

Your opposition has been noted.

> If you really want to include them then how about:
>
> Either:
> openvpn-server@.service (responsible for start/stop etc actions)
> openvpn-server-auto-restart@.service (speaks for itself)

NAK. This is not how the design around systemd unit files is intended to be used. Plus: there already exists a Debian bug ticket where there are comments about us adding 2 more unit files. If adding even more, I can already sense the heat increasing on that ticket.

> Or rather
> include extra .service files in ./contrib. as samples or such.

NAK. I'd rather have a document simply describing how to change the defaults using 'systemctl edit'. Which is exactly how systemd is designed to be used. But we should have a baseline of recommended defaults, and sys-admins can choose to opt-out of these defaults through standard mechanisms, not by adding complexity through more unit files to scan through.

Just imagine a system which actively uses both openvpn-server@ and openvpn-server-autorestart@. Unless we also split up /etc/openvpn/server ... it will be even more confusing when investigating a server in 2 years why something is misbehaving. "Did this config run through this or that unit file?"

openvpn-server@ is clear and specific, it handles server configurations. Period. If you want a specific configuration or all openvpn-server@ OpenVPN configurations to behave differently from the recommended defaults, then you do that through 'systemctl edit', where it is very visible if this specific configuration has some additional tweaks or not - through 'systemctl status'. This way sys-admins won't have to remember or research which 'sub-unit file' of openvpn-server@ to use to achieve a specific behaviour.

--
kind regards,

David Sommerseth
OpenVPN Technologies, Inc
[Openvpn-devel] [PATCH v2] lz4: Move towards a newer LZ4 API
We are using a deprecated function, LZ4_compress_limitedOutput(), which will be removed with time. The correct function to use is LZ4_compress_default(). Both functions take the same number of arguments and data types, so the change is minimal.

This patch will also enforce the system LZ4 library to be at least v1.7.1. If the system library is not found or it is older, it will be built using the bundled LZ4 library. The version number requirement is based on the LZ4 version we ship.

The changes in configure.ac for the version check are modelled around the same approach we use for OpenSSL. Plus it does a few minor reformats and improvements to comply with more recommended autoconf coding style.

This patch is a result of the discussions in this mail thread:
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14135.html

Signed-off-by: David Sommerseth <dav...@openvpn.net>
---
v2 - Don't use LZ4 version based #ifdef wrapper function
     Do the LZ4 version check in ./configure
---
 configure.ac           | 72 +++---
 src/openvpn/comp-lz4.c |  3 ++-
 2 files changed, 53 insertions(+), 22 deletions(-)

diff --git a/configure.ac b/configure.ac
index 6f1044e8..74443353 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1088,37 +1088,67 @@ dnl AC_ARG_VAR([LZ4_CFLAGS], [C compiler flags for lz4]) AC_ARG_VAR([LZ4_LIBS], [linker flags for lz4]) if test "$enable_lz4" = "yes" && test "$enable_comp_stub" = "no"; then -AC_CHECKING([for LZ4 Library and Header files]) -havelz4lib=1 - -# if LZ4_LIBS is set, we assume it will work, otherwise test -if test -z "${LZ4_LIBS}"; then - AC_CHECK_LIB(lz4, LZ4_compress, - [ LZ4_LIBS="-llz4" ], - [ - AC_MSG_RESULT([LZ4 library not found.]) - havelz4lib=0 - ]) +if test -z "${LZ4_CFLAGS}" -a -z "${LZ4_LIBS}"; then + # if the user did not explicitly specify flags, try to autodetect + PKG_CHECK_MODULES([LZ4], + [liblz4 >= 1.7.1], + [have_lz4="yes"], + [] # If this fails, we will do another test next + ) fi saved_CFLAGS="${CFLAGS}" +saved_LIBS="${LIBS}" CFLAGS="${CFLAGS} ${LZ4_CFLAGS}" -AC_CHECK_HEADERS(lz4.h, - , - [ - AC_MSG_RESULT([LZ4 headers not found.]) - havelz4lib=0 - ]) - -if test $havelz4lib = 0 ; then - AC_MSG_RESULT([LZ4 library or header not found, using version in src/compat/compat-lz4.*]) +LIBS="${LIBS} ${LZ4_LIBS}" + +# If pkgconfig check failed or LZ4_CFLAGS/LZ4_LIBS env vars +# are used, check the version directly in the LZ4 include file +if test "${have_lz4}" != "yes"; then + AC_CHECK_HEADERS([lz4.h], +[have_lz4h="yes"], +[]) + + if test "${have_lz4h}" = "yes" ; then + AC_MSG_CHECKING([additionally if system LZ4 version >= 1.7.1]) + AC_COMPILE_IFELSE( + [AC_LANG_PROGRAM([[ +#include +]], +[[ +/* Version encoding: MMNNPP (Major miNor Patch) - see lz4.h for details */ +#if LZ4_VERSION_NUMBER < 10701L +#error LZ4 is too old +#endif +]] + )], + [ + AC_MSG_RESULT([ok]) + have_lz4="yes" + ], + [AC_MSG_RESULT([system LZ4 library is too old])] + ) + fi +fi + +# if LZ4_LIBS is set, we assume it will work, otherwise test +if test -z "${LZ4_LIBS}"; then + AC_CHECK_LIB([lz4], +[LZ4_compress], +[LZ4_LIBS="-llz4"], +[have_lz4="no"]) +fi + +if test "${have_lz4}" != "yes" ; then + AC_MSG_RESULT([ usuable LZ4 library or header not found, using 
version in src/compat/compat-lz4.*]) AC_DEFINE([NEED_COMPAT_LZ4], [1], [use copy of LZ4 source in compat/]) LZ4_LIBS="" fi OPTIONAL_LZ4_CFLAGS="${LZ4_CFLAGS}" OPTIONAL_LZ4_LIBS="${LZ4_LIBS}" -AC_DEFINE(ENABLE_LZ4, 1, [Enable LZ4 compression library]) +AC_DEFINE(ENABLE_LZ4, [1], [Enable LZ4 compression library]) CFLAGS="${saved_CFLAGS}" +LIBS="${saved_LIBS}" fi diff --git a/src/openvpn/comp-lz4.c b/src/openvpn/comp-lz4.c index e056caa8..bdb3247d 100644 --- a/src/openvpn/comp-lz4.c +++ b/src/openvpn/comp-lz4.c @@ -43,6 +43,7 @@ #include "memdbg.h" + static void lz4_compress_init(struct compress_context *compctx) { @@ -86,7 +87,
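Review bot: in the configure.ac hunk the link test still probes for the old symbol, `AC_CHECK_LIB([lz4], [LZ4_compress], [LZ4_LIBS="-llz4"], [have_lz4="no"])`, although the point of the patch is to call `LZ4_compress_default()` from comp-lz4.c; probing for the function the code actually uses would make the library check agree with the `LZ4_VERSION_NUMBER < 10701L` header check and catch a header/library mismatch instead of silently linking against a library that only satisfies the header test. Two smaller points in the same hunk: `AC_MSG_RESULT([ usuable LZ4 library or header not found, ...` has a typo ("usable") and a stray leading space inside the brackets, and the `#include` line inside the AC_LANG_PROGRAM probe carries no header name in this archive copy, so verify the applied version reads `#include <lz4.h>`, otherwise the LZ4_VERSION_NUMBER test can never see the macro.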
Re: [Openvpn-devel] [PATCH] lz4: Changing how LZ4 library handling is done
On 07/09/17 16:06, David Sommerseth wrote:
> On 07/09/17 08:12, Gert Doering wrote:
>> Hi,
>>
>> On Thu, Sep 07, 2017 at 03:22:25AM +0200, David Sommerseth wrote:
>>> This change will expect the system to have LZ4 libraries and headers
>>> installed by default. We still carry a bundled LZ4 library, which
>>> must now be explicitly enabled through providing --enable-bundled-lz4
>>> to ./configure. Otherwise, as before, --disable-lz4 will completely
>>> remove any LZ4 support.
>>
>> I'm totally missing the *reason* why you want to change this
>
> Bundled libraries are considered to be bad, as it requires active
> maintenance. Just look at which version we ship in OpenVPN (1.6.0) and

Just a correction. We bundle lz4-1.7.1, not 1.6.0. That was a left-over from my testing of the API update patch. But that doesn't change my argument that much.

--
kind regards,

David Sommerseth
OpenVPN Technologies, Inc
Re: [Openvpn-devel] [PATCH] systemd: Enable systemd's auto-restart feature for server profiles
On 07/09/17 08:16, Gert Doering wrote:
>
> Restarting is good, but if there is something faulty that leads to
> "the process always dies right away", this can lead to very quickly
> filling disks with not-so-useful logging...

Oh, I overlooked this one. Just one comment in regards to the "filling disks". That naturally depends on how logging is configured on the system, and that varies a lot. But my experience based on defaults in the environments I use:

* The systemd journal has some reasonably sane defaults to avoid this happening; IIRC it defaults to rotate the journal when reaching 10-15% of available disk space *or* 4GB of log data.

* RHEL (and clones) usually have rsyslog installed too, which the journal forwards log data to. And most commonly it also has logrotate installed too (at least on the server variant) which runs on a regular basis. But it also depends on how big the partition where /var/log resides is.

So the risks for such restarts to cause full disks should be fairly minimal. And for those who have enabled remote logging, that is often to pay more attention to log events, so then such scenarios would probably be detected even quicker.

--
kind regards,

David Sommerseth
OpenVPN Technologies, Inc
Re: [Openvpn-devel] [PATCH] lz4: Changing how LZ4 library handling is done
On 07/09/17 08:12, Gert Doering wrote:
> Hi,
>
> On Thu, Sep 07, 2017 at 03:22:25AM +0200, David Sommerseth wrote:
>> This change will expect the system to have LZ4 libraries and headers
>> installed by default. We still carry a bundled LZ4 library, which
>> must now be explicitly enabled through providing --enable-bundled-lz4
>> to ./configure. Otherwise, as before, --disable-lz4 will completely
>> remove any LZ4 support.
>
> I'm totally missing the *reason* why you want to change this

Bundled libraries are considered to be bad, as they require active maintenance. Just look at which version we ship in OpenVPN (1.6.0) and we've had two rebase patches on the -devel ML which have been ignored, first updating to v1.7.4.2 [0] and then v1.7.5 [1]. I have not bothered yet to send a new rebase request to the latest v1.8.0 [2]. That is an awfully bad track record.

[0] Dec 15, 2016 <https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13575.html>
[1] Feb 21, 2017 <https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14137.html>
[2] Aug 17, 2017 <https://github.com/lz4/lz4/releases/tag/v1.8.0>

If we even manage to miss that there are CVE fixes in the LZ4 library, then we're in even bigger trouble. Especially if we're so bad at updating just the maintenance releases. Yes, I can already hear you say that updates caused by CVEs will be handled more promptly. But from my point of view, that's just words. We do not have any processes for handling bundled libraries, nor response times, nor who and how updates in bundled libraries are tracked.

> We don't have --enable-bundled-compat flags for the rest of the things
> in compat/ either, don't we?

Somehow I expected that argument from you, Gert. But that is truly comparing apples and oranges.

LZ4 is a large library compared to the compat functions we do provide:

 1605 compat-basename.c
 2208 compat-inet_ntop.c
 2261 compat-inet_pton.c
 2353 compat-daemon.c
 3210 compat-gettimeofday.c
 4057 compat-dirname.c
49760 compat-lz4.c

The code complexity of compat-dirname.c (which is the second largest compat code) is negligible compared to compat-lz4.c. So the risk of a security issue should be considerably lower in these other functions we add.

Secondly, we only use our compat-*.c functions if the underlying system does not carry those features - most commonly, these are libc related functions. So if a system's libc does not carry a function we need, we need to have a wrapper for a specific function. And strictly speaking, LZ4 is not a requirement for OpenVPN to function as an application.

> Also, I can't see consensus that "remove the bundled lz4" is the way to
> go - this was on the plate for the hackathon to discuss. You and Antonio
> are convinced that this is a good way forward, applying a very specific
> Linux-distro-based mindset to it ("missing libraries are a problem of the
> package builder, why should we care?") - please listen to my arguments: there
> are people out there that build OpenVPN from source (tarball or git), and
> they are looking at library dependencies with a slightly different view.

Hence the --enable-bundled-lz4. If you do not have or want to build LZ4 yourself first, then you can use our bundled LZ4 - with the risks that implies. But this is done explicitly, so a developer or package maintainer is forced to take a decision here first.

But equally important, if anyone is going to build OpenVPN from source, what are the chances that they will not be able to build LZ4 from source before building OpenVPN? And we already have several other external libraries we depend on which we do not carry a compat-* version for ... LZO being the most obvious one, as it is a 1:1 comparison to LZ4. Then there is openssl/mbedtls.

But we do have feature specific dependencies: pkcs11-helper, p11kit, which are available on all our supported platforms. Then there is libpam (for *nix). And Linux can add libselinux and libsystemd into the mix as well.

This patch actually aligns LZ4 to be treated more equally to LZO, with the distinction that we do have --enable-bundled-lz4 - at least for some time forward.

And some more arguments why bundled libraries are bad, here even from a FreeBSD perspective:
<https://www.freebsd.org/doc/en/books/porters-handbook/bundled-libs.html>

A couple of others with more generic perspectives:
<http://www.professionalsecurity.co.uk/products/computer-systems-and-it-security-news/library-bundles-a-game-of-chance/>
<https://blog.flameeyes.eu/2009/03/bundling-libraries-the-curse-of-the-ancients/>

And the perspective from a few Linux distros:
<https://wiki.gentoo.org/wiki/Why_not_bundle_dependencies>
<https://fedoraproject.org/wiki/Bundled_Libraries?rd=Packaging:Bundled_Libraries>

--
kind regards,

David Sommerseth
OpenVPN Technologies, Inc
Re: [Openvpn-devel] [PATCH] lz4: Move towards a newer LZ4 API
On 07/09/17 08:13, Gert Doering wrote:
> HI,
> 
> On Thu, Sep 07, 2017 at 04:28:27AM +0200, David Sommerseth wrote:
>> We are using a deprecated function, LZ4_compress_limitedOutput(), which
>> will be removed with time. The correct function to use is
>> LZ4_compress_default().
>> Both functions take the same number of arguments and data types, so the
>> change is minimal.
> 
> I wonder why we should bother to have a wrapper function here.
> 
> We can ship a lz4 library that has the new function, and if a system only
> provides an older version, declare it unsuitable (configure check) and
> use the bundled one.

Yeah, I was thinking along those lines too when working on this patch. I just remembered vaguely our IRC chat a long time ago and looked back at the initial mail discussion, and there was a preference for the wrapping back then.

But I like much more that we have a defined LZ4 version which we support, and ditch the #ifdef'ed wrapper. I'll send a v2 soon.

-- 
kind regards,

David Sommerseth
OpenVPN Technologies, Inc

signature.asc
Description: OpenPGP digital signature

--
Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] systemd: Enable systemd's auto-restart feature for server profiles
On 07/09/17 14:17, Samuli Seppänen wrote:
> On 07/09/2017 11:13, Gert Doering wrote:
>> Hi,
>>
>> On Thu, Sep 07, 2017 at 11:04:01AM +0300, Samuli Seppänen wrote:
>>> "Note that units which are configured for Restart= and which reach the
>>> start limit are not attempted to be restarted anymore; however, they may
>>> still be restarted manually at a later point, from which point on, the
>>> restart logic is again activated."
>>
>> Which is not what I hoped for... "turn it off and leave it so" is non
>> helpful (it might be a transient error preventing the startup).
>>
> 
> Good point. Systemd seems to be able to adjust its restart behavior
> depending on exit code of the main service process (i.e. OpenVPN) using
> "RestartForceExitStatus" and "RestartPreventExitStatus"[1]. Perhaps
> these could be helpful in our case...

Okay, let's try to align what OpenVPN does in various scenarios and compare it to how we want restarts to happen.

First, have a look at the man page:
<https://www.freedesktop.org/software/systemd/man/systemd.service.html#Restart=>

Then realise that OpenVPN (AFAIK) only operates with two exit codes:

  #define OPENVPN_EXIT_STATUS_GOOD                    0
  #define OPENVPN_EXIT_STATUS_ERROR                   1
  #define OPENVPN_EXIT_STATUS_USAGE                   1
  #define OPENVPN_EXIT_STATUS_CANNOT_OPEN_DEBUG_FILE  1

(from error.h)

So the RestartForceExitStatus/RestartPreventExitStatus is not going to be helpful if all graceful errors result in 1, which is the most common way OpenVPN stops - through the M_FATAL. So that leaves us with SIGSEGV, SIGABRT and similar unclean exit signals.

To avoid restarts on faulty configurations or if we can define scenarios where we do not want OpenVPN to be restarted automatically, we need to introduce more exit codes. This way we can implicitly tell systemd if it should restart OpenVPN or not.

-- 
kind regards,

David Sommerseth
OpenVPN Technologies, Inc
Re: [Openvpn-devel] [PATCH] systemd: Enable systemd's auto-restart feature for server profiles
On 07/09/17 15:07, Gert Doering wrote:
> Hi,
> 
> On Thu, Sep 07, 2017 at 03:02:20PM +0200, David Sommerseth wrote:
>>> Which is not what I hoped for... "turn it off and leave it so" is non
>>> helpful (it might be a transient error preventing the startup).
>>
>> I'm confused. What is it you want?
>>
>> * try restarting in an endless loop?
>> * try restarting X times and then stop trying?
> 
> "exponential decay"
> 
> Restart a few times quickly, and then slow down, like "re-try after 1s, 3s,
> 5s, 10s, 15s, 30s, 60s, ... and then stick to every-5-minutes" or so
> (like OpenVPN's own connection re-try logic :-) ).

Yes, that is a nice idea. But to my knowledge, that is not something systemd supports today. So we can't have that easily. We could look into an ExecStartPre=, which tracks how long it has been since the last restart and adds the "exponential decay" sleep. But that means more code to maintain.

> That way you get quick restart if a temporary failure happens, and avoid
> filling logs with useless crap if the error persists - like "bind to an
> IP address that is not present in the system, because the ppp0 interface
> where it would show up is down", or something like this.
> 
> But if that cannot be done, that's how it is - and in that case, "stop
> trying" is not what I want.

Which means the current patch is what is possible to achieve today. :)

-- 
kind regards,

David Sommerseth
OpenVPN Technologies, Inc
Re: [Openvpn-devel] [PATCH] systemd: Enable systemd's auto-restart feature for server profiles
On 07/09/17 10:13, Gert Doering wrote:
> Hi,
> 
> On Thu, Sep 07, 2017 at 11:04:01AM +0300, Samuli Seppänen wrote:
>> "Note that units which are configured for Restart= and which reach the
>> start limit are not attempted to be restarted anymore; however, they may
>> still be restarted manually at a later point, from which point on, the
>> restart logic is again activated."
> 
> Which is not what I hoped for... "turn it off and leave it so" is non
> helpful (it might be a transient error preventing the startup).

I'm confused. What is it you want?

* try restarting in an endless loop?
* try restarting X times and then stop trying?

-- 
kind regards,

David Sommerseth
OpenVPN Technologies, Inc
Re: [Openvpn-devel] [PATCH] systemd: Enable systemd's auto-restart feature for server profiles
On 07/09/17 10:04, Samuli Seppänen wrote:
> On 07/09/2017 10:16, Samuli Seppänen wrote:
>> On 07/09/2017 09:16, Gert Doering wrote:
>>> Hi,
>>>
>>> On Thu, Sep 07, 2017 at 01:52:02AM +0200, David Sommerseth wrote:
>>>> @@ -18,6 +18,8 @@ DeviceAllow=/dev/net/tun rw
>>>> ProtectSystem=true
>>>> ProtectHome=true
>>>> KillMode=process
>>>> +RestartSec=5s
>>>> +Restart=on-failure
>>>
>>> Is there a way to get exponential backoff on restart?
>>>
>>> Restarting is good, but if there is something faulty that leads to
>>> "the process always dies right away", this can lead to very quickly
>>> filling disks with not-so-useful logging...
>>>
>>> (Otherwise, yes, restarting is good :-) )
>>>
>>
>> Hi,
>>
>> From systemd.unit man-page[1]:
>>
>> StartLimitIntervalSec=, StartLimitBurst=
>>
>> Configure unit start rate limiting. By default, units which are
>> started more than 5 times within 10 seconds are not permitted to
>> start any more times until the 10 second interval ends.
>>
>> I verified this behavior on CentOS 7 using another daemon (monit) by
>> setting "Restart=on-failure" for it, breaking its config file and
>> forcibly killing it. Note that RestartSec is the default, i.e. 100ms:
>>
>> ---
>>
>> Sep 07 09:55:37 centos-7 systemd[1]: monit.service: control process
>> exited, code=exited status=1
>>
>> Sep 07 09:55:37 centos-7 systemd[1]: Unit monit.service entered failed
>> state.
>>
>> Sep 07 09:55:37 centos-7 systemd[1]: monit.service holdoff time over,
>> scheduling restart.
>>
>> Sep 07 09:55:37 centos-7 systemd[1]: Stopping Pro-active monitoring
>> utility for unix systems...
>>
>> Sep 07 09:55:37 centos-7 systemd[1]: Starting Pro-active monitoring
>> utility for unix systems...
>>
>> Sep 07 09:55:37 centos-7 systemd[1]: monit.service start request
>> repeated too quickly, refusing to start.
>>
>> Sep 07 09:55:37 centos-7 systemd[1]: Failed to start Pro-active
>> monitoring utility for unix systems.
>>
>> Sep 07 09:55:37 centos-7 systemd[1]: Unit monit.service entered failed
>> state.
>>
>> ---
>>
>> As you can see, systemd quickly realizes that monit will not come back
>> up and stops trying.
>>
>> However, when I added "RestartSec=5s" the StartLimit* thresholds were
>> never triggered. This meant that systemd never ceased trying to restart
>> the monit service.
>>
>> David: any particular reason why you added RestartSec? Why not just let
>> it be the default (100ms)?

Partly to avoid respawning too fast. We don't know what kind of additional plug-ins or management interface tools have been integrated and how they react if OpenVPN goes into a tight restart-loop. And partly to _escape_ the stopping of restarts.

I'm not sure I'm easily buying into the "faulty configuration" argument. Because these restart scenarios mostly happen when a sys-admin is _not_ around. If you're playing with configurations, do a restart to test the new config, you are around to handle a failed situation. The only area where this can fail is when we break options and OpenVPN gets updated automatically. But in both these scenarios, a restart delay of 5 seconds won't cause too much stress on the system.

I also opted for not a much longer delay, as if a restart happens successfully, most users won't notice that too much. If it is 30 seconds or 1 minute, that is much more noticeable. But I'm open for adjusting this too.

-- 
kind regards,

David Sommerseth
OpenVPN Technologies, Inc
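As an added example, not code from OpenVPN or systemd, covering two points raised in this thread: the "exponential decay" restart schedule Gert proposed and David suggested wiring in through ExecStartPre=, and Samuli's observation that RestartSec=5s never trips the default start-rate limit while the 100 ms default does. The script below is a POSIX sh helper: `next_delay` keeps an attempt counter and last-start timestamp in a state file and sleeps according to the schedule from the thread (1, 3, 5, 10, 15, 30, 60 s, then 300 s), resetting once the service has evidently stayed up for a while; `starts_within_ms` counts how many start attempts a fixed RestartSec= can produce inside one StartLimitIntervalSec= window, for comparison with StartLimitBurst=. The install path, the state-file location, the 600 s reset threshold and the ExecStartPre= wiring are assumptions.

```shell
#!/bin/sh
# Added example (hypothetical helper, not part of OpenVPN or systemd).
# Restart back-off for use from ExecStartPre= in a systemd unit, e.g.
#   ExecStartPre=/usr/local/libexec/openvpn-backoff /run/openvpn-backoff.state
# Install path and state-file location are assumptions.

SCHEDULE="1 3 5 10 15 30 60"   # seconds before restart attempts 1..7
STEADY=300                     # seconds before every later attempt
RESET_AFTER=600                # a start older than this counts as a healthy run

# delay_for_attempt N: delay in seconds before the N-th restart (N >= 1).
delay_for_attempt() {
    i=1
    for d in $SCHEDULE; do
        [ "$i" -eq "$1" ] && { echo "$d"; return 0; }
        i=$((i + 1))
    done
    echo "$STEADY"
}

# next_delay STATEFILE NOW: record this start and print the delay to sleep.
# NOW is a Unix timestamp passed in explicitly so the logic can be tested.
# Prints 0 on the first start and whenever the previous start is older than
# RESET_AFTER (the service ran fine for a while, so the back-off is reset);
# otherwise the attempt counter is incremented and the schedule applies.
next_delay() {
    state=$1
    now=$2
    attempt=0
    last=0
    [ -r "$state" ] && read -r attempt last < "$state"
    if [ "$attempt" -eq 0 ] || [ $((now - last)) -ge "$RESET_AFTER" ]; then
        attempt=1
    else
        attempt=$((attempt + 1))
    fi
    printf '%s %s\n' "$attempt" "$now" > "$state"
    if [ "$attempt" -eq 1 ]; then
        echo 0
    else
        delay_for_attempt $((attempt - 1))
    fi
}

# starts_within_ms RESTART_MS INTERVAL_MS: number of start attempts a unit
# that dies immediately can make inside one StartLimitIntervalSec window when
# it is restarted every RESTART_MS. Compare with StartLimitBurst (default 5):
# the default RestartSec=100ms gives 101 attempts in 10 s, so the limit trips;
# RestartSec=5s gives 3, so it never does, matching the monit test above.
starts_within_ms() {
    echo $(( $2 / $1 + 1 ))
}

# When run with a state-file path, sleep for the computed delay (this is what
# the ExecStartPre= line would do); with no arguments only define the functions.
if [ -n "${1:-}" ]; then
    sleep "$(next_delay "$1" "$(date +%s)")"
fi
```

Two practical caveats if something like this were used for real: the sleep runs inside the unit's start-up, so it counts against TimeoutStartSec= and must stay below it, and the state file has to live somewhere the service user can write even with ProtectSystem=true in effect (a RuntimeDirectory= would do).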
[Openvpn-devel] [PATCH] lz4: Move towards a newer LZ4 API
We are using a deprecated function, LZ4_compress_limitedOutput(), which will be removed with time. The correct function to use is LZ4_compress_default(). Both functions take the same number of arguments and data types, so the change is minimal.

To ensure we still build without issues against older LZ4 libraries without this new API, a simple wrapper function has been added and will only be enabled if we don't have the proper LZ4 versions, which means versions older than v1.7.0.

This compat API wrapper is currently located in comp-lz4.c, simply because adding it to compat-lz4.h would mean adding logic to lz4-rebaser.sh to preserve this wrapper; lz4-rebaser.sh will overwrite compat-lz4.[ch]. I didn't see any other files where it would make reasonable sense to add it. And it seemed overkill to add a completely new file to support a single file which would basically carry 8 lines of code for a function only used in comp-lz4.c. In addition, adding new files means Makefile.am files need to be updated accordingly and the new header file would be required to be included in comp-lz4.c.

So, placing it in comp-lz4.c seemed to be the best fit, and it is closely tied to where it is used so it won't be that easy to just ignore it later on.

This patch is a result of the discussions in this mail thread:
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14135.html

Signed-off-by: David Sommerseth <dav...@openvpn.net>
---
 src/openvpn/comp-lz4.c | 13 -
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/src/openvpn/comp-lz4.c b/src/openvpn/comp-lz4.c
index e056caa8..ad95968a 100644
--- a/src/openvpn/comp-lz4.c
+++ b/src/openvpn/comp-lz4.c
@@ -43,6 +43,17 @@ #include "memdbg.h" + +#if defined(LZ4_VERSION_NUMBER) && LZ4_VERSION_NUMBER < 10700 +/* Wrapper to re-enable the old API if LZ4 is older than v1.7.0 */ +static int +LZ4_compress_default(const char* source, char* dest, int inputSize, int maxOutputSize) +{ +return LZ4_compress_limitedOutput(source, dest, inputSize, maxOutputSize); +} +#endif + + static void lz4_compress_init(struct compress_context *compctx) { @@ -86,7 +97,7 @@ do_lz4_compress(struct buffer *buf, return false; } -zlen = LZ4_compress_limitedOutput((const char *)BPTR(buf), (char *)BPTR(work), BLEN(buf), zlen_max ); +zlen = LZ4_compress_default((const char *)BPTR(buf), (char *)BPTR(work), BLEN(buf), zlen_max ); if (zlen <= 0) { -- 2.13.5 -- Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
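Review bot: the guard on the new wrapper, `#if defined(LZ4_VERSION_NUMBER) && LZ4_VERSION_NUMBER < 10700`, misses exactly the case it exists for when lz4.h is old enough not to define LZ4_VERSION_NUMBER at all: the condition is then false, no wrapper is emitted, and the `LZ4_compress_default()` call now made in do_lz4_compress() fails against that library. `#if !defined(LZ4_VERSION_NUMBER) || LZ4_VERSION_NUMBER < 10700` covers both cases; alternatively, as proposed in the thread, drop the wrapper and reject anything older than v1.7.0 at configure time. Style: the call site casts with `(const char *)`, so the wrapper's parameters should be written `const char *source, char *dest` rather than `char*`.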
[Openvpn-devel] [PATCH] lz4: Changing how LZ4 library handling is done
This change will expect the system to have LZ4 libraries and headers installed by default. We still carry a bundled LZ4 library, which must now be explicitly enabled through providing --enable-bundled-lz4 to ./configure. Otherwise, as before, --disable-lz4 will completely remove any LZ4 support.

Also improve the autoconf code slightly, to use AS_HELP_STRING() where needed and wrap some strings/values with [] where it was missing in the LZ4 segment of ./configure.ac.

Signed-off-by: David Sommerseth <dav...@openvpn.net>
---
 Changes.rst| 8 +++ configure.ac | 57 ++ src/compat/Makefile.am | 5 - 3 files changed, 42 insertions(+), 28 deletions(-) diff --git a/Changes.rst b/Changes.rst index 53a14438..128f148a 100644 --- a/Changes.rst +++ b/Changes.rst @@ -308,6 +308,14 @@ User-visible Changes Maintainer-visible changes -- +- OpenVPN will not use the bundled LZ4 library by default if a system + library have not been found. The bundled library needs to be enabled + explicitly by adding --enable-bundled-lz4 to ./configure. This is to + remove any ambiguity of which library is being used. And defaulting to + use the system library is best from a security perspective; this way the + LZ4 library can be updated externally without requiring OpenVPN to be + rebuilt and packaged. + - OpenVPN no longer supports building with crypto support, but without TLS support. As a consequence, OPENSSL_CRYPTO_{CFLAGS,LIBS} and OPENSSL_SSL_{CFLAGS,LIBS} have been merged into OPENSSL_{CFLAGS,LIBS}. This diff --git a/configure.ac b/configure.ac index 6f1044e8..a33e9172 100644 --- a/configure.ac +++ b/configure.ac 
@@ -66,11 +66,17 @@ AC_ARG_ENABLE( ) AC_ARG_ENABLE(lz4, - [ --disable-lz4 Disable LZ4 compression support], - [enable_lz4="$enableval"], + [AS_HELP_STRING([--disable-lz4], [disable LZ4 compression support @<:@default=enabled@:>@])], + , [enable_lz4="yes"] ) +AC_ARG_ENABLE(bundled-lz4, + [AS_HELP_STRING([--enable-bundled-lz4], [enable bundled LZ4 library instead of system library @<:@default=disabled@:>@])], + [enable_bundled_lz4="$enableval"], + [enable_bundled_lz4="no"] +) + AC_ARG_ENABLE(comp-stub, [ --enable-comp-stub Don't compile compression support but still allow limited interoperability with compression-enabled peers], [enable_comp_stub="$enableval"], 
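Review bot: the commit message says AS_HELP_STRING() was adopted "where needed", yet the `--enable-comp-stub` entry in the trailing context of this hunk keeps the bare `[ --enable-comp-stub ...]` string, so the two LZ4 options now print an aligned help line with their default while the neighbouring compression option does not; converting it in the same pass would keep the compression options consistent. Leaving the action-if-given argument of `AC_ARG_ENABLE(lz4, ...)` empty is fine, since autoconf still sets `enable_lz4` from `$enableval`, so `--disable-lz4` behaves as before.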
@@ -1087,37 +1093,34 @@ dnl AC_ARG_VAR([LZ4_CFLAGS], [C compiler flags for lz4]) AC_ARG_VAR([LZ4_LIBS], [linker flags for lz4]) +AM_CONDITIONAL([ENABLE_BUNDLED_LZ4], [test "${enable_bundled_lz4}" = "yes"]) if test "$enable_lz4" = "yes" && test "$enable_comp_stub" = "no"; then -AC_CHECKING([for LZ4 Library and Header files]) -havelz4lib=1 +if test "$enable_bundled_lz4" = "no"; then + AC_CHECKING([for LZ4 Library and Header files]) -# if LZ4_LIBS is set, we assume it will work, otherwise test -if test -z "${LZ4_LIBS}"; then - AC_CHECK_LIB(lz4, LZ4_compress, - [ LZ4_LIBS="-llz4" ], - [ - AC_MSG_RESULT([LZ4 library not found.]) - havelz4lib=0 - ]) -fi - -saved_CFLAGS="${CFLAGS}" -CFLAGS="${CFLAGS} ${LZ4_CFLAGS}" -AC_CHECK_HEADERS(lz4.h, - , - [ - AC_MSG_RESULT([LZ4 headers not found.]) - havelz4lib=0 - ]) - -if test $havelz4lib = 0 ; then - AC_MSG_RESULT([LZ4 library or header not found, using version in src/compat/compat-lz4.*]) - AC_DEFINE([NEED_COMPAT_LZ4], [1], [use copy of LZ4 source in compat/]) + # if LZ4_LIBS is set, we assume it will work, otherwise test + if test -z "${LZ4_LIBS}"; then + AC_CHECK_LIB(lz4, LZ4_compress, + [ LZ4_LIBS="-llz4" ], + [ +AC_MSG_ERROR([LZ4 library not found. An alternative is to use --enable-bundled-lz4, or just --disable-lz4]) + ]) + fi + saved_CFLAGS="${CFLAGS}" + CFLAGS="${CFLAGS} ${LZ4_CFLAGS}" + AC_CHECK_HEADERS(lz4.h, +, +[ +AC_MSG_ERROR([LZ4 headers not found. An alternative is to use --enable-bundled-lz4, or just --disable-lz4]) +]) +else + AC_MSG_RESULT([using bundled lz4 library (in src/compat/compat-lz4.*)]) + AC_DEFINE([NEED_COMPAT_LZ4], [1], [use bundled copy of LZ4 source in compat/]) LZ4_LIBS="" fi OPTIONAL_LZ4_CFLAGS="${LZ4_CFLAGS}" OPTIONAL_LZ4_LIBS="${LZ4_LIBS}" -AC_DEFINE(ENABLE_LZ4, 1, [
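Review bot: the library probe still tests the old entry point, `AC_CHECK_LIB(lz4, LZ4_compress, ...)`, so a system liblz4 older than v1.7.0 passes this check and the build only fails later at the `LZ4_compress_default()` call introduced by the companion "Move towards a newer LZ4 API" patch; probing `LZ4_compress_default` instead gives the configure-time "unsuitable, use --enable-bundled-lz4 or --disable-lz4" verdict discussed in the thread, and the two new AC_MSG_ERROR texts already phrase exactly that advice. The hunk as archived also ends mid-macro (`AC_DEFINE(ENABLE_LZ4, 1, [`), so the remainder of the block, including whether `saved_CFLAGS` is restored after the header check, could not be reviewed here.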
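Review bot: documentation grammar in the Changes.rst hunk: "if a system library have not been found" should read "has not been found", and "defaulting to use the system library" reads better as "defaulting to the system library"; since this paragraph is the user-facing rationale for the new --enable-bundled-lz4 switch, it is worth fixing before merge.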
[Openvpn-devel] [PATCH] systemd: Enable systemd's auto-restart feature for server profiles
Systemd supervises services it has started and can act upon unexpected scenarios. This change will restart OpenVPN after 5 seconds if the OpenVPN process exits unexpectedly. The on-failure mode is the recommended mode by upstream systemd.

This change has been tested on a test server for some months, and it works indeed as intended when provoking the OpenVPN process to stop.

Signed-off-by: David Sommerseth <dav...@openvpn.net>
---
 distro/systemd/openvpn-ser...@.service.in | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/distro/systemd/openvpn-ser...@.service.in b/distro/systemd/openvpn-ser...@.service.in
index b343868a..a8366a04 100644
--- a/distro/systemd/openvpn-ser...@.service.in
+++ b/distro/systemd/openvpn-ser...@.service.in
@@ -18,6 +18,8 @@ DeviceAllow=/dev/net/tun rw
ProtectSystem=true
ProtectHome=true
KillMode=process
+RestartSec=5s
+Restart=on-failure
[Install]
WantedBy=multi-user.target
-- 
2.13.5
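Review bot: `RestartSec=5s` combined with the default start-rate limit (5 starts within 10 s, as quoted from systemd.unit earlier in this thread) means the limit can never trip, so a unit that fails on every start restarts every 5 s indefinitely, which is what Samuli observed with monit. If that is the intended trade-off it should be stated in the commit message; otherwise pair it with explicit `StartLimitIntervalSec=`/`StartLimitBurst=` (in the [Unit] section on current systemd) so a persistent failure eventually stops. Note also that, as stated elsewhere in the thread, OpenVPN exits 1 for every M_FATAL error, so `Restart=on-failure` cannot distinguish a broken configuration from a transient failure until distinct exit codes exist.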
[Openvpn-devel] [PATCH] systemd: Ensure systemd shuts down OpenVPN in a proper way
By default, when systemd is stopping OpenVPN it will send the SIGTERM to all processes within the same process control-group. This can come as a surprise to plug-ins which may have fork()ed out child processes.

So we tell systemd to only send the SIGTERM signal to the main OpenVPN process and let OpenVPN take care of the shutdown process on its own. If the main OpenVPN process does not stop within 90 seconds (unless changed), it will send SIGKILL to all remaining processes within the same process control-group.

This issue has been reported in both Debian and Fedora.

Trac: 581
Signed-off-by: David Sommerseth <dav...@openvpn.net>
---
 distro/systemd/openvpn-cli...@.service.in | 1 +
 distro/systemd/openvpn-ser...@.service.in | 1 +
 2 files changed, 2 insertions(+)

diff --git a/distro/systemd/openvpn-cli...@.service.in b/distro/systemd/openvpn-cli...@.service.in
index 49e3f51c..cbcef653 100644
--- a/distro/systemd/openvpn-cli...@.service.in
+++ b/distro/systemd/openvpn-cli...@.service.in
@@ -17,6 +17,7 @@ DeviceAllow=/dev/null rw
DeviceAllow=/dev/net/tun rw
ProtectSystem=true
ProtectHome=true
+KillMode=process
[Install]
WantedBy=multi-user.target
diff --git a/distro/systemd/openvpn-ser...@.service.in b/distro/systemd/openvpn-ser...@.service.in
index 9a8a2c73..b343868a 100644
--- a/distro/systemd/openvpn-ser...@.service.in
+++ b/distro/systemd/openvpn-ser...@.service.in
@@ -17,6 +17,7 @@ DeviceAllow=/dev/null rw
DeviceAllow=/dev/net/tun rw
ProtectSystem=true
ProtectHome=true
+KillMode=process
[Install]
WantedBy=multi-user.target
-- 
2.13.5
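Review bot: the commit message says that after 90 s systemd sends SIGKILL to all remaining processes in the control group, but that describes `KillMode=mixed`; with `KillMode=process` systemd signals only the main process, and plug-in children that outlive it are simply left running, which is why systemd.kill(5) marks that mode "not recommended". Either switch both units to `KillMode=mixed`, which gives exactly the described behaviour (SIGTERM to the main PID only, SIGKILL to the rest of the cgroup once TimeoutStopSec= expires), or correct the message so the Debian and Fedora reports behind Trac: 581 are not closed with a wrong expectation.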
Re: [Openvpn-devel] [PATCH applied] Warn that DH config option is only meaningful in a tls-server context
ACK. Glared at code and tested a simple client config. Works as expected.

I did one simple on-the-fly update, prefixing the message with 'WARNING: ', which is what we do in other places where M_WARN is used.

Your patch has been applied to the following branches

commit 47a0a80b7718fe88451c82bdfe838e5a6e3c4248 (master)
commit b1298bbb2be73e978bb5b555d1bd8722cf9b28b0 (release/2.4)

Author: Gert van Dijk
Date:   Sun Aug 27 18:15:15 2017 +0200

    Warn that DH config option is only meaningful in a tls-server context

    Signed-off-by: Gert van Dijk <g...@gertvandijk.net>
    Acked-by: Steffan Karger <steffan.kar...@fox-it.com>
    Acked-by: David Sommerseth <dav...@openvpn.net>
    Message-Id: <20170827161515.2424-1-g...@gertvandijk.net>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15332.html
    Signed-off-by: David Sommerseth <dav...@openvpn.net>

-- 
kind regards,

David Sommerseth
Re: [Openvpn-devel] [PATCH applied] OpenSSL: Always set SSL_OP_CIPHER_SERVER_PREFERENCE flag
Your patch has been applied to the following branches

commit 5fd8e94d311825571931414064e4d13ed808f9b5 (master)
commit a4c5c4bba4963ad107d6bf6eb5937a4cde6c1a0c (release/2.4)

Author: Szilárd Pfeiffer
Date:   Mon Sep 4 10:10:12 2017 +0200

    OpenSSL: Always set SSL_OP_CIPHER_SERVER_PREFERENCE flag

    Signed-off-by: Szilárd Pfeiffer <coro...@pfeifferszilard.hu>
    Acked-by: Steffan Karger <steffan.kar...@fox-it.com>
    Message-Id: <20170904081012.1975-1-coro...@pfeifferszilard.hu>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15356.html
    Signed-off-by: David Sommerseth <dav...@openvpn.net>

-- 
kind regards,

David Sommerseth
Re: [Openvpn-devel] [PATCH applied] fragment.c: simplify boolean expression
ACK. Code change is just obvious.

Your patch has been applied to the following branches

commit 10ae9ed5fe7f09c7edb5af266149a9b5e9bcbaa4 (master)
commit 14e4c58b6f903c562475379bb806e26c42d6a52e (release/2.4)

Author: Antonio Quartulli
Date:   Thu Aug 24 15:55:47 2017 +0800

    fragment.c: simplify boolean expression

    Signed-off-by: Antonio Quartulli <a...@unstable.cc>
    Acked-by: David Sommerseth <dav...@openvpn.net>
    Message-Id: <20170824075547.29844-...@unstable.cc>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15313.html
    Signed-off-by: David Sommerseth <dav...@openvpn.net>

-- 
kind regards,

David Sommerseth
Re: [Openvpn-devel] [PATCH applied] travis: reorder matrix to speed up build
Your patch has been applied to the following branches

commit e0a6afa12ea14685d0497ab27453ccc2b09e6e1f (master)
commit cac73d4b93e14f3bd5a1ed11b33f73adb29507a3 (release/2.4)

Author: Steffan Karger
Date:   Sun Aug 20 11:19:04 2017 +0200

    travis: reorder matrix to speed up build

    Signed-off-by: Steffan Karger <stef...@karger.me>
    Acked-by: Antonio Quartulli <a...@unstable.cc>
    Message-Id: <1503220744-5569-1-git-send-email-stef...@karger.me>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15302.html
    Signed-off-by: David Sommerseth <dav...@openvpn.net>

-- 
kind regards,

David Sommerseth
Re: [Openvpn-devel] [PATCH applied] man: Corrections to doc/openvpn.8
ACK. Thanks a lot for putting efforts into improving this. It will for sure make various distribution packagers happy, as this should remove several potential complaints from lint/sanity checkers. Plus it fixes a glaring and ugly typo for --verify-x509-name.

I did a quick on-the-fly update, changing the Copyright year 2010 to 2017.

Your patch has been applied to the following branches

commit 510c8ade804566868a1e0aa4e046a69e576f4478 (master)
commit b437bf1c0f60cc5e42d70334bde83a2f9e09be88 (release/2.4)

Author: Richard Bonhomme
Date:   Sat Aug 19 21:37:35 2017 +0100

    man: Corrections to doc/openvpn.8

    Signed-off-by: Richard Bonhomme <fragmen...@gmail.com>
    Acked-by: David Sommerseth <dav...@openvpn.net>
    Message-Id: <20170819203735.8681-1-fragmen...@gmail.com>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15297.html
    Signed-off-by: David Sommerseth <dav...@openvpn.net>

-- 
kind regards,

David Sommerseth
Re: [Openvpn-devel] [PATCH applied] fix a couple of typ0s in comments and strings
ACK. No real code change, so this is safe.

Your patch has been applied to the following branches

commit 42d9f324f7362abfb9b51b24ef0fb7635b0194fc (master)
commit 010ffbed20bcb19c59aeb6e46ae76d93c08c67ea (release/2.4)

Author: Antonio Quartulli
Date:   Sat Aug 19 15:52:09 2017 +0800

    fix a couple of typ0s in comments and strings

    Signed-off-by: Antonio Quartulli <a...@unstable.cc>
    Acked-by: David Sommerseth <dav...@openvpn.net>
    Message-Id: <20170819075209.28520-...@unstable.cc>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15293.html
    Signed-off-by: David Sommerseth <dav...@openvpn.net>

-- 
kind regards,

David Sommerseth
Re: [Openvpn-devel] [PATCH applied] tls-crypt: don't leak memory for incorrect tls-crypt messages
ACK. This code looks good. Hard to trigger to fully test it, but it follows the usual coding patterns we have.

Your patch has been applied to the following branches

commit fca89379c53fe2c145db96a5bcd32327c4bcfa78 (master)
commit db52b6df6915d38a269bf68767faefd9cebf33bb (release/2.4)

Author: Steffan Karger
Date:   Wed Aug 16 19:04:50 2017 +0200

    tls-crypt: don't leak memory for incorrect tls-crypt messages

    Signed-off-by: Steffan Karger <stef...@karger.me>
    Acked-by: David Sommerseth <dav...@openvpn.net>
    Message-Id: <20170816170450.10415-1-stef...@karger.me>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15282.html
    Signed-off-by: David Sommerseth <dav...@openvpn.net>

--
kind regards,

David Sommerseth
Re: [Openvpn-devel] [PATCH applied] route: avoid definition of unused variables in certain configurations
ACK. Looks good to me, but I haven't tested on all kinds of platforms, so if buildbot explodes, we'll take it from there.

Your patch has been applied to the following branches

commit 22e75ca1a88b83e83a12b7d7d0095651f547411d (master)
commit 3c4e2a39de509bb445a86fba9573f07880ac541c (release/2.4)

Author: Antonio Quartulli
Date:   Wed Aug 16 20:55:04 2017 +0800

    route: avoid definition of unused variables in certain configurations

    Signed-off-by: Antonio Quartulli <anto...@openvpn.net>
    Reviewed-by: Steffan Karger <steffan.kar...@fox-it.com>
    Acked-by: David Sommerseth <dav...@openvpn.net>
    Message-Id: <20170816125504.21181-...@unstable.cc>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15272.html
    Signed-off-by: David Sommerseth <dav...@openvpn.net>

--
kind regards,

David Sommerseth
Re: [Openvpn-devel] [PATCH] route: cleanup codestyle and make code more readable
On 23/08/17 07:30, Antonio Quartulli wrote:
> This patch does not introduce any functional change.
>
> The code in route.c seems to have been written in different
> periods by different people, without sticking to a clear
> codestyle. For this reason the code in this file is not
> consistent at all.
>
> Clean it up by:
> - removing spaces from function invocations
> - cutting lines longer than 80 chars (where possible)
> - moving function arguments on the same line when there is enough space
> - adding empty line between var declarations and code
> - adding empty line between code and final return
> - adding empty line to make the code less sticky and easier to parse
>
> Signed-off-by: Antonio Quartulli <a...@unstable.cc>
> ---
>
> Yes, this is a quite big patch. However, since we are planning a big
> restructuring of the route.c file, it is better to take care of the
> style in a separate patch (this) so that later we don't need to mix up
> cleanups and refactoring.
>
> Note that this patch is based on master plus the following patches:
>
> - ensure function declarations are compiled with their definitions
> - fix a couple of typ0s in comments and strings
> - route: avoid definition of unused variables in certain configurations
> - convert *_inline attributes to bool
> - reformatting: fix style in crypto*.{c, h}
> - Allow learning iroutes with network made up of all 0s (only if netbits < 8)
> - ifconfig-ipv6(-push): allow using hostnames
>
> Applying this patch without the above might lead to screams,
> natural disasters and endless nightmares.

I got it applying quite nicely (working my way through more patches now).
And yes, I like that we clean up the coding style further in this file.

But unfortunately, I'll have to say NAK in this round.

- Many places you replace spaces with tabs.

- There are several scenarios where our uncrustify config actually
  improves your patch further (see the attachment).

- And the contradictions like the ones below

> -static void delete_route(struct route_ipv4 *r, const struct tuntap *tt, unsigned int flags, const struct route_gateway_info *rgi, const struct env_set *es);
> +static void delete_route(struct route_ipv4 *r, const struct tuntap *tt,
> + unsigned int flags,
> + const struct route_gateway_info *rgi,
> + const struct env_set *es);

vs

>  static void
> -delete_route(struct route_ipv4 *r,
> - const struct tuntap *tt,
> - unsigned int flags,
> - const struct route_gateway_info *rgi,
> - const struct env_set *es)
> +delete_route(struct route_ipv4 *r, const struct tuntap *tt, unsigned int flags,
> + const struct route_gateway_info *rgi, const struct env_set *es)

I think the change you do in the former one is also more readable than
squeezing everything into as few lines as possible, especially when
there's lots of arguments.

Our uncrustify config doesn't touch these details of function
declarations, as tun.c and route.c are fairly extreme in variations here.
So we let that pass on the reformatting patch before the v2.4 release, to
take care of them manually, as we didn't spend much extra time looking at
more tweaks for uncrustify to make the result readable. But I'm not sure
we documented our preferences on function declarations, I don't recall
that now.

Even though we are not united in the use of uncrustify after the
reformatting patches we did in December, I think it makes sense to at
least double check what uncrustify would change and consider those. The
smaller the gap is to that result, the easier it will be to have a
consistent coding style over the complete code base.

For reference, the uncrustify command line I used was:

  $ uncrustify -c dev-tools/uncrustify.conf \
        --no-backup -l C -p debug.uncr \
        src/openvpn/route.c

--
kind regards,

David Sommerseth
OpenVPN Technologies, Inc

diff --git a/src/openvpn/route.c b/src/openvpn/route.c
index 605c367c..3ae75b1b 100644
--- a/src/openvpn/route.c
+++ b/src/openvpn/route.c
@@ -57,20 +57,20 @@ static bool add_route_service(const struct route_ipv4 *, const struct tuntap *); static bool del_route_service(const struct route_ipv4 *, const struct tuntap *); static bool add_route_ipv6_service(const struct route_ipv6 *, - const struct tuntap *); + const struct tuntap *); static bool del_route_ipv6_service(const struct route_ipv6 *, - const struct tuntap *); + const struct tuntap *); #endif static void delete_route(struct route_ipv4 *r, const struct tuntap *tt, - unsigned int flags, - const struct route_gateway_info *rgi, - const struct env_set *es); +
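Review bot: every change in the @@ -57,20 +57,20 @@ hunk is whitespace only: the '-'/'+' pairs for the add_route_ipv6_service, del_route_ipv6_service and delete_route prototype continuation lines carry identical tokens and differ only in their leading indentation, which is the spaces-versus-tabs point raised above. Check with `git diff -w` (this hunk should then disappear) and indent the continuation lines with spaces so the declarations match what dev-tools/uncrustify.conf produces.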
Re: [Openvpn-devel] Please take a second look at "#2 Improve TCP-over-TCP performance"
On 30/08/17 13:31, Alberto Gonzalez Rojas wrote:
> Hi to all.
> Would you please stop putting me in copy?

Uhm? The mailing list is Cc'ed, not you directly. If you don't want to
follow the discussions here, please consider unsubscribing. You can do
that from here:
<https://sourceforge.net/projects/openvpn/lists/openvpn-devel/unsubscribe>

Thank you very much

--
kind regards,

David Sommerseth
OpenVPN Technologies, Inc
Re: [Openvpn-devel] [PATCH] bash: substitute legacy `` with modern $()
On 24/08/17 21:18, Gert Doering wrote:
> (gen-release-tarballs.sh only needs to work on FreeBSD and Linux, and
> FreeBSD's /bin/sh is sufficiently modern so it's likely to work
> - but the test scripts need to run robustly everywhere a user builds,
> so never assume "because bash says so!" is a way anywhere but into worlds
> of pain. And yes, we've been there before :-) )

And to avoid style confusions ... as long as we can avoid having "one
style" on the test scripts and "another style" on the dev-tools scripts,
that will be easier to review and maintain. We can have more slack in
dev-tools, but if we deviate, then we need to properly document it so we
won't forget why.

--
kind regards,

David Sommerseth
OpenVPN Technologies, Inc
Re: [Openvpn-devel] [PATCH] avoid useless assignment
On 24/08/17 20:40, Antonio Quartulli wrote:
>
>
> On 25/08/17 02:40, Christian Hesse wrote:
>> David Sommerseth <open...@sf.lists.topphemmelig.net> on Thu, 2017/08/24 20:16:
>>> On 24/08/17 09:57, Antonio Quartulli wrote:
>>>> My effort in writing the commit message has been quite poor.
>>>>
>>>> The assignment is useless because 'ret' is re-assigned a few lines later
>>>> without ever being read.
>>>
>>> Hmmm. I'm not convinced of this change. But I'm also weird in these
>>> cases :)
>>>
>>> I think it is good defensive programming to predefine the state of
>>> variables. When that is not done, it is up to the compiler to decide
>>> what to do - which most of the time does a sane job these days. But
>>> you're at the mercy of the compiler.
>>>
>>> In this case, I would expect the compiler to optimize this out anyway,
>>> regardless of the approaches used. The compiler doesn't necessarily set
>>> the value first to true and then change it to the output of
>>> multi_process_post(). It might just as well postpone the declaration.
>>>
>>> So I think a better approach would be to completely move the "bool ret"
>>> down. So it will become:
>>>
>>>     bool ret = multi_process_post(m, mi, mpp_flags);
>>>
>>> Which I think is also closer to what the compiler would end up with anyway.
>>
>> ISO C90 forbids mixed declarations and code in C. Probably compilers will
>> start to complain.
>
> We try to stick to C99. I think it allows such mix, no?

That is correct. We set -std=c99 unless CFLAGS already contains -std=.
But we expect OpenVPN to be C99 compliant. And C99 allows this.

--
kind regards,

David Sommerseth
OpenVPN Technologies, Inc
Re: [Openvpn-devel] [PATCH] avoid useless assignment
On 24/08/17 09:57, Antonio Quartulli wrote:
> My effort in writing the commit message has been quite poor.
>
> The assignment is useless because 'ret' is re-assigned a few lines later
> without ever being read.

Hmmm. I'm not convinced of this change. But I'm also weird in these
cases :)

I think it is good defensive programming to predefine the state of
variables. When that is not done, it is up to the compiler to decide
what to do - which most of the time does a sane job these days. But
you're at the mercy of the compiler.

In this case, I would expect the compiler to optimize this out anyway,
regardless of the approaches used. The compiler doesn't necessarily set
the value first to true and then change it to the output of
multi_process_post(). It might just as well postpone the declaration.

So I think a better approach would be to completely move the "bool ret"
down. So it will become:

    bool ret = multi_process_post(m, mi, mpp_flags);

Which I think is also closer to what the compiler would end up with anyway.

--
kind regards,

David Sommerseth
OpenVPN Technologies, Inc

> On 24/08/17 15:53, Antonio Quartulli wrote:
>> Signed-off-by: Antonio Quartulli <a...@unstable.cc>
>> ---
>>  src/openvpn/multi.h | 2 +-
>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/src/openvpn/multi.h b/src/openvpn/multi.h
>> index 5892ac07..6cdb0110 100644
>> --- a/src/openvpn/multi.h
>> +++ b/src/openvpn/multi.h
>> @@ -633,7 +633,7 @@ multi_process_outgoing_tun(struct multi_context *m, >> const unsigned int mpp_flags >> static inline bool >> multi_process_outgoing_link_dowork(struct multi_context *m, struct >> multi_instance *mi, const unsigned int mpp_flags) >> { >> -bool ret = true; >> +bool ret; >> set_prefix(mi); >> process_outgoing_link(>context); >> ret = multi_process_post(m, mi, mpp_flags);
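Review bot: the @@ -633,7 +633,7 @@ hunk leaves `ret` declared but uninitialized across the `set_prefix(mi);` and `process_outgoing_link(...)` calls, so a reader (and any static analyzer) now has to verify that nothing reads it before `ret = multi_process_post(m, mi, mpp_flags);`. Since the build uses -std=c99, which allows declarations after statements, declare it at the point of initialization instead: drop the separate `bool ret;` line and write `bool ret = multi_process_post(m, mi, mpp_flags);`, which also removes the dead store the commit message is concerned about.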
Re: [Openvpn-devel] [PATCH] bash: substitute legacy `` with modern $()
On 24/08/17 16:42, Antonio Quartulli wrote:
> dev-tools/gen-release-tarballs.sh is only for devs, while
> tests/t_cltsrv.sh is for running some tests, but I am not sure how
> the latter would interact with non-linux systems.
>
> Maybe Gert knows(?)

Tried running them through ksh or dash? Those are the most feature
restrictive shells I can think of right now. Dash is supposed to be the
most POSIX compliant shell, iirc.

--
kind regards,

David Sommerseth
OpenVPN Technologies, Inc

> On 24/08/17 22:37, Илья Шипицин wrote:
>> openvpn is also built on many non bash systems. what about them?
>>
>> On 24 Aug 2017 at 18:34, "Antonio Quartulli" <a...@unstable.cc> wrote:
>>
>> The backquotes for command substitution in bash are
>> considered old-style in favour of the more modern $() [1].
>> Substitute them.
>>
>> [1] https://www.gnu.org/software/bash/manual/html_node/Command-Substitution.html#Command-Substitution
>>
>> Signed-off-by: Antonio Quartulli <a...@unstable.cc>
>> ---
>>
>> note: I did not really know how to test this patch.
>>
>>  dev-tools/gen-release-tarballs.sh | 10 +-
>>  tests/t_cltsrv.sh                 |  6 +++---
>>  2 files changed, 8 insertions(+), 8 deletions(-)
>>
>> diff --git a/dev-tools/gen-release-tarballs.sh b/dev-tools/gen-release-tarballs.sh
>> index f9c620e3..550e5cd2 100755
>> --- a/dev-tools/gen-release-tarballs.sh
>> +++ b/dev-tools/gen-release-tarballs.sh
>> @@ -49,7 +49,7 @@ if [ $? -ne 0 ]; then >> fi >> >> # Extract the git URL >> -giturl="`git remote get-url $arg_remote_name 2>/dev/null`" >> +giturl="$(git remote get-url $arg_remote_name 2>/dev/null)" >> if [ $? -ne 0 ]; then >> echo "** ERROR ** Invalid git remote name: $arg_remote_name" >> exit 2
>> @@ -71,7 +71,7 @@ get_filename() >> { >> local wildcard="$1" >> >> -res="`find . -maxdepth 1 -type f -name \"$wildcard\" | head -n1 | cut >> -d/ -f2-`" >> +res="$(find . -maxdepth 1 -type f -name \"$wildcard\" | head -n1 | cut >> -d/ -f2-)" >> if [ $? -ne 0 ]; then >> echo "-- 'find' failed." >> exit 5 >> @@ -88,7 +88,7 @@ copy_files() >> local fileext="$1" >> local dest="$2" >> >> -file="`get_filename openvpn-*.*.*.$fileext`" >> +file="$(get_filename openvpn-*.*.*.$fileext)" >> if [ -z "$file" ]; then >> echo "** ERROR Failed to find source file" >> exit 5 >> @@ -106,7 +106,7 @@ sign_file() >> local signkey="$1" >> local srchfile="$2" >> local signtype="$3" >> -local file="`get_filename $srchfile`" >> +local file="$(get_filename $srchfile)" >> >> echo "-- Signing $file ..." >> case "$signtype" in >> @@ -169,7 +169,7 @@ fi >> # >> >> # Clone the remote repository >> -workdir="`mktemp -d -p /var/tmp openvpn-build-release-XX`" >> +workdir="$(mktemp -d -p /var/tmp openvpn-build-release-XX)" >> cd $workdir >> echo "-- Working directory: $workdir" >> echo "-- git clone $giturl" >> diff --git a/tests/t_cltsrv.sh b/tests/t_cltsrv.sh >> index 752251e4..1ab3db3e 100755 >> --- a/tests/t_cltsrv.sh >> +++ b/tests/t_cltsrv.sh 
>> @@ -25,14 +25,14 @@ top_builddir="${top_builddir:-..}" >> trap "rm -f log.$$ log.$$.signal ; trap 0 ; exit 77" 1 2 15 >> trap "rm -f log.$$ log.$$.signal ; exit 1" 0 3 >> addopts= >> -case `uname -s` in >> +case $(uname -s) in >> FreeBSD) >> # FreeBSD jails map the outgoing IP to the jail IP - we need to >> # allow the real IP unless we want the test to run forever. >> -if test "`sysctl 2>/dev/null -n security.jail.jailed`" = 1 \ >> +if test "$(sysctl 2>/dev/null -n security.jail.jailed)" = 1 \ >> || ps -ostate= -p $$ | grep -q J; then >> addopts="--float" >> - if test "x`ifconfig | grep inet`" = x ; then >> + if test "x$(ifconfig | grep inet)" = x ; then >> echo "###" >> echo "### To run the test in a FreeBSD jail, you MUST add an IP >> alias for the jail's IP." >> echo "###" >> -- >> 2.14.1
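Review bot: the @@ -71,7 +71,7 @@ hunk in dev-tools/gen-release-tarballs.sh changes behaviour rather than just style. Inside double-quoted backticks the `\"` around `$wildcard` escaped the inner quotes, but inside `$(...)` the backslashes are passed to the inner command unchanged, so `find ... -name \"$wildcard\"` now receives literal double-quote characters as part of the pattern and will not match the release files. Drop the escapes and quote the variable normally: `-name "$wildcard"`. The other hunks in this file nest no quotes and are unaffected.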
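Review bot: the tests/t_cltsrv.sh hunk at @@ -25,14 +25,14 @@ settles the portability question raised earlier in the thread: `$(...)` command substitution is specified by POSIX sh, so `case $(uname -s) in`, `test "$(sysctl 2>/dev/null -n security.jail.jailed)" = 1` and `test "x$(ifconfig | grep inet)" = x` run unchanged under dash and ksh, and since none of the three conversions nests quotes they are behaviour-preserving.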
[Openvpn-devel] [PATCH] docs: Replace all PolarSSL references to mbed TLS
There were references in our documentation to the now deprecated PolarSSL
library, which has changed name upstream to mbed TLS. In addition, where
appropriate, the documentation now considers only mbed TLS 2.0 and newer.
This is in accordance with the requirements ./configure sets.

Signed-off-by: David Sommerseth <dav...@openvpn.net>
---
 INSTALL                           |  4 ++--
 README.polarssl => README.mbedtls | 10 +-
 doc/doxygen/doc_data_crypto.h     |  2 +-
 doc/doxygen/doc_key_generation.h  |  6 +++---
 doc/openvpn.8                     | 16 +++-
 5 files changed, 18 insertions(+), 20 deletions(-)
 rename README.polarssl => README.mbedtls (65%)

diff --git a/INSTALL b/INSTALL index 97070604..3a31e6f1 100644 --- a/INSTALL +++ b/INSTALL @@ -75,8 +75,8 @@ REQUIRES: OPTIONAL (but recommended): (1) OpenSSL library, necessary for encryption, version 0.9.8 or higher required, available from http://www.openssl.org/ - (2) PolarSSL library, an alternative for encryption, version 1.1 or higher - required, available from https://polarssl.org/ + (2) mbed TLS library, an alternative for encryption, version 2.0 or higher + required, available from https://tls.mbed.org/ (3) LZO real-time compression library, required for link compression, available from http://www.oberhumer.com/opensource/lzo/ OpenBSD users can use ports or packages to install lzo, but remember diff --git a/README.polarssl b/README.mbedtls similarity index 65% rename from README.polarssl rename to README.mbedtls index 6f1fa51a..4875822d 100644 --- a/README.polarssl +++ b/README.mbedtls
@@ -1,18 +1,18 @@ -This version of OpenVPN has PolarSSL support. To enable follow the following +This version of OpenVPN has mbed TLS support. To enable follow the following instructions: To Build and Install, - ./configure --with-crypto-library=polarssl + ./configure --with-crypto-library=mbedtls make make install -This version depends on PolarSSL 1.3 (and requires at least 1.3.3). +This version depends on mbed TLS 2.0 (and requires at least 2.0.0). * -Due to limitations in the PolarSSL library, the following features are missing -in the PolarSSL version of OpenVPN: +Due to limitations in the mbed TLS library, the following features are missing +in the mbed TLS version of OpenVPN: * PKCS#12 file support * --capath support - Loading certificate authorities from a directory diff --git a/doc/doxygen/doc_data_crypto.h b/doc/doxygen/doc_data_crypto.h index 925fcd52..c2b1866c 100644 --- a/doc/doxygen/doc_data_crypto.h +++ b/doc/doxygen/doc_data_crypto.h @@ -68,5 +68,5 @@ * * @par Crypto algorithms * This module uses the crypto algorithm implementations of the external - * crypto library (currently either OpenSSL (default), or PolarSSL). + * crypto library (currently either OpenSSL (default), or mbed TLS). */ diff --git a/doc/doxygen/doc_key_generation.h b/doc/doxygen/doc_key_generation.h index 4b225e09..4109ac5d 100644 --- a/doc/doxygen/doc_key_generation.h +++ b/doc/doxygen/doc_key_generation.h @@ -78,7 +78,7 @@ * * @subsection key_generation_random Source of random material * - * OpenVPN uses the either the OpenSSL library or the PolarSSL library as its + * OpenVPN uses the either the OpenSSL library or the mbed TLS library as its * source of random material. * * In OpenSSL, the \c RAND_bytes() function is called 
@@ -91,8 +91,8 @@ * - For OpenSSL's support for external crypto modules: * http://www.openssl.org/docs/crypto/engine.html * - * In PolarSSL, the Havege random number generator is used. For details, see - * the PolarSSL documentation. + * In mbed TLS, the Havege random number generator is used. For details, see + * the mbed TLS documentation. * * @section key_generation_exchange Key exchange: * diff --git a/doc/openvpn.8 b/doc/openvpn.8 index 04ff9cb5..5f6f2db1 100644 --- a/doc/openvpn.8 +++ b/doc/openvpn.8 @@ -4472,7 +4472,7 @@ datagram replay protection as the IV. .\"* .TP .B \-\-use\-prediction\-resistance -Enable prediction resistance on PolarSSL's RNG. +Enable prediction resistance on mbed TLS's RNG. Enabling prediction resistance causes the RNG to reseed in each call for random. Reseeding this often can quickly deplete the kernel @@ -4481,8 +4481,6 @@ entropy pool. If you need this option, please consider running a daemon that adds entropy to the kernel pool. -Note that this option only works with PolarSSL versions greater -than 1.1. .\"* .TP .B \-\-test\-crypto @@ -4583,7 +4581,7 @@ they are distributed with OpenVPN, they are totally insecure. .TP .B \-\-capath dir Directory containing trusted certificates (CAs and CRLs). -Not available with PolarSSL. +Not available with mbed TLS.
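Review bot: in the doc/doxygen/doc_key_generation.h hunk at @@ -91,8 +91,8 @@ the sentence "In mbed TLS, the Havege random number generator is used" is a pure name substitution, but it conflicts with the doc/openvpn.8 hunk in the same patch, which describes --use-prediction-resistance as making the mbed TLS RNG "reseed in each call for random": reseeding is a property of a seeded DRBG, not of the HAVEGE entropy gatherer. Please verify which generator the mbed TLS backend actually uses before carrying the Havege statement over to the mbed TLS 2.0-only documentation, and rewrite the two sentences so both documents describe the same RNG.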
Re: [Openvpn-devel] testing openvpn on gitlab-ci cloud ?
On 21/08/17 10:23, Илья Шипицин wrote:
>
>     2) The travis-ci setup for coverity and an early check of github pull
>     requests (which only is an early staging area for patches to be sent to
>     the -devel list later).
>
>     So I think we have everything that gitlab offers covered. Let's not add
>     another setup to maintain.
>
>
> what I suggest is not "implement gitlab-ci immediately", I also do not
> want to support more configurations. It's rather "let us take gitlab-ci
> into account and implement it when there'll be appropriate task for it"

I agree that we should not duplicate the Travis/GitHub efforts. But I
think it is good to look at alternatives to that setup as well from time
to time and spread out how we use various free services. Not that we
change anything now and today. But keep the options open to see if there
are better alternatives in a longer run.

One of my biggest concerns regarding both Travis and GitHub is that they
are free services built on proprietary solutions. Which means, our usage
is completely dependent on their willingness and grace. If they decide to
change their business model, we're back on scratch unless we decide to
follow along and take the consequences of their change - which may result
in needing to cash out or accept fewer features.

GitLab is different, in the sense that in addition to offering a free
service (which is even less restricted than GitHub), they also offer the
software running their service as an open source package you can host
yourself. Or you can cash out for their enterprise solution, with even
more advanced features and improved support. On top of that GitLab allows
you to export most of your (meta)data in addition to the source code. So
if GitLab changes their business model, we have an escape route. And a
company that provides that possibility needs to be much more wary and
careful in how they treat their users so they won't escape (unless they
deliberately want that to happen, as part of a business decision).

If I had to choose today which service provider to use, I would go for
GitLab instantly. Because of their business model, I trust them more. And
I don't see their solution being worse or better than GitHub. It is
different, not 100% comparable and doesn't have the same amount of
traction which GitHub does (if that is really important; I'm not
convinced it is). But GitLab allows users to authenticate with GitHub
credentials, so if you're on GitHub already it doesn't cost you that much
to log into GitLab.

Bottom line: I appreciate the efforts of Ilya. I think it is valuable
work. I also don't think we should switch right now, but if there are
some clear and obvious benefits of GitLab-CI over GitHub/Travis-CI, I
think we should consider switching within a reasonable time window
(perhaps 3-6 months after the decision is taken?). _But that decision
cannot be taken without some clear and concise evidence of GitLab-CI
being superior and worth the efforts of switching_. Without any evidence,
we're just painting the bike shed. If changing, I prefer changing to a
feature-improved bike shed.

--
kind regards,

David Sommerseth
OpenVPN Technologies, Inc
Re: [Openvpn-devel] [PATCH 1/1] travis-ci: add libressl build for osx
On 19/08/17 10:30, Steffan Karger wrote:
> Hi,
>
> On 13-08-17 22:52, Ilya Shipitsin wrote:
>> Tunnelblick ships openvpn binary built with libressl
>> (see https://github.com/Tunnelblick/Tunnelblick/issues/317 )
>
> I'm a bit on the fence about this one. We do not support libressl,
> while including a libressl build in travis creates an image as if we do.
> On the other hand, it is useful to know when libressl builds break.
> I'm leaning towards a NAK, to be perfectly clear about the state of our
> libressl support: "we do not support it, we do not test it, using it is
> completely at your own risk".

I agree with Steffan. That is pretty clean; officially we only support
OpenSSL and mbed TLS. The Tunnelblick project can easily enough re-use
our Travis setup and slightly modify it to add libressl to run those
tests for their userbase as well. But that's their decision how they want
to test their stuff.

--
kind regards,

David Sommerseth
OpenVPN Technologies, Inc
Re: [Openvpn-devel] [PATCH applied] Add coverity static analysis to Travis CI config
Your patch has been applied to the following branches

commit 4a05f15c9aafe314ae4d3642813ebf234c09276e (master)
commit e12d5e35d56103357301d28e3f9ee0468e306bb1 (release/2.4)

Author: Steffan Karger
Date:   Tue Aug 8 17:55:41 2017 +0200

    Add coverity static analysis to Travis CI config

    Signed-off-by: Steffan Karger <steffan.kar...@fox-it.com>
    Acked-by: Antonio Quartulli <a...@unstable.cc>
    Message-Id: <1502207741-31750-1-git-send-email-steffan.kar...@fox-it.com>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15176.html
    Signed-off-by: David Sommerseth <dav...@openvpn.net>

--
kind regards,

David Sommerseth
Re: [Openvpn-devel] [PATCH applied] crypto: create function to initialize encrypt and decrypt key
Your patch has been applied to the following branches

commit 974513ea64020c956b531b1cabd76fdbac6655d8 (master)
commit 9df6a9f66463e0b3ffe3c186b213e80942c13b52 (release/2.4)

Author: Steffan Karger
Date:   Fri Jul 7 12:47:04 2017 +0800

    crypto: create function to initialize encrypt and decrypt key

    Signed-off-by: Steffan Karger <stef...@karger.me>
    Acked-by: Antonio Quartulli <a...@unstable.cc>
    Message-Id: <20170707044704.7239-...@unstable.cc>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15011.html
    Signed-off-by: David Sommerseth <dav...@openvpn.net>

--
kind regards,

David Sommerseth
Re: [Openvpn-devel] [PATCH] Highlight deprecated features
On 17/08/17 17:13, Arne Schwabe wrote:
> On 15.08.17 at 23:54, David Sommerseth wrote:
>> We have quite a list of deprecated options currently. Ensure this
>> is highlighted both in documentation and code.
>>
>> This patch builds on the wiki page [1] enlisting all deprecated features
>> and their status. There are also some options not listed here, as
>> there exist patches in release/2.4 which await an update for git master.
>
> I think tls-remote-name (or what was it called?) which has been replaced
> by verify-x509-name should be in the list. It has already been removed
> from master and is deprecated since 2.3?

From Changes.rst (both master and release/2.4), under the "Deprecated
features" section:

- ``--tls-remote`` is removed in OpenVPN 2.4, as indicated in the v2.3
  man-pages. Similar functionality is provided via ``--verify-x509-name``,
  which does the same job in a better way.

And on the wiki:
<https://community.openvpn.net/openvpn/wiki/DeprecatedOptions#a--tls-remote>

Isn't that sufficient? ;-)

--
kind regards,

David Sommerseth
OpenVPN Technologies, Inc
Re: [Openvpn-devel] [PATCH applied] rename mroute_extract_addr_ipv4 to mroute_extract_addr_ip
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

ACK. Simple and easy change.

Your patch has been applied to the following branches

commit 3b38c43b8d7aa22b3df12029ff43e0414891e48c (master)
commit 78b329180bc1f1365b421907c6ad370c448db406 (release/2.4)
Author: Antonio Quartulli
Date:   Mon Jul 24 22:35:59 2017 +0800

    rename mroute_extract_addr_ipv4 to mroute_extract_addr_ip

    Signed-off-by: Antonio Quartulli <a...@unstable.cc>
    Acked-by: David Sommerseth <dav...@openvpn.net>
    Message-Id: <20170724143559.11503-...@unstable.cc>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15129.html
    Signed-off-by: David Sommerseth <dav...@openvpn.net>

- -- 
kind regards,

David Sommerseth
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iQIcBAEBCgAGBQJZla1kAAoJEIbPlEyWcf3yZvIP/273G4Lp7RkcG5SNZW9dEgfC
CffqIJb9shJstX+XKaFiGFjgYLbxmlc2YlNSLK8FKjRr9hvGZfqyw2NaDX2ojVBU
6pRmt4S+1wCoimGMjWBw8iH7n6cDAGsdmojPnfWJzi94MV9XPsJ2E9k870hpayH7
Jnm4hgc8W/FXJbM2vedhyMpDS5QwBxUikSptphKodAZdFXZm/fKt3JCLBi6ZnKOA
pMHb/ZRduuySur0Z550Af4LymWmJabKLy/FpO5VZRcCN7VZ3Vz9PDiHVeuVrUO0z
9dp2NH4ZZ421/WOAHH2l7dCIFpccNg375iY7a2xXRsgexACJXZ03yUC+c81+NjDc
taaQXKJX9tDIQtVGg03rJdAyTAYBbwyEk7MICk+Oqz6oER3wXIlVyONrPhwnaXlg
DS3/EBVcQl9uExRBo7kW38SgZrmy6jvIkoJb35QTBJGhdgw2zrE78NAo+p8wLTxC
cWs9PY6DUB+rSLDe1bN0xPwlh+Xv72BiZQ3OT8A51lh3qXNRK981wz/cTVY7U1Oh
jLJ5Oex924uws2nxb3w9eKvhklFb6GttOF3rPO9OTAX/tI1f7GX/5QjdOumcaewG
HKnfI3zJ6Yq5QIZdjg5kVil1v9lYpHspL6httDKR6gni957vKJ0YGyH4o7L0BLA2
MfYl6+SOHfSKOEuXeNBX
=zrkJ
-----END PGP SIGNATURE-----
Re: [Openvpn-devel] [PATCH applied] Use consistent version references
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Your patch has been applied to the following branches

commit 500854c3fc956b274790991e4d6771ad9bf6f641 (master)
commit 35e81e1a3d6809772f49f777ed6ec8e868505c6c (release/2.4)
Author: David Sommerseth
Date:   Tue Aug 15 22:53:01 2017 +0200

    Use consistent version references

    Signed-off-by: David Sommerseth <dav...@openvpn.net>
    Acked-by: Steffan Karger <stef...@karger.me>
    Message-Id: <20170815205301.14542-1-dav...@openvpn.net>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15260.html
    Signed-off-by: David Sommerseth <dav...@openvpn.net>

- -- 
kind regards,

David Sommerseth
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iQIcBAEBCgAGBQJZla0jAAoJEIbPlEyWcf3yxDUP/iPqvMgXylxBHnBnzHHNwNEo
20x+FdnbKWA5GbjeZ3Gdk2NKrlrvl6lPBXBhxCg36dlwzl2oCumgn6cyj77B5hHy
4JItf3m33b/UmG8sc32TftA7AKi5qRGOIrj4es+YuHWEElVl/eB0ObcKENW5pdOf
+tLvJBe8roNBmzl0gdaDzWDLQnv+XRvjSlI+8PAFKi2/HD3f/LMUJdZg5QTKwd9q
IInk9x07poBNQ5ZoJi0Bb/fJ58bl+P3rVr8R19HkQ9uswwjOcow/q0M2Q8rD/iJT
+0IiwzAUr1b503jJgX+KjYd3PCgEt1aIc4CMBsCD/1PUcFeUOJd4F+zKE98huFTG
wctuzXM4Z7it3LHrQamBqWWzlOurt7UitkkS/w9ufiEMlcfiQxFgQBMO1tyUXqKm
jRUp+aj1qKMa2QSA4vBhtfXfj/qyRBWmxbHzeU4xx2dF73aWhJbFcw/EzKAMcSb9
IaYOL3h/bAU05HIWmWmRdia092YjWWs/iNZNSJzTFk1COlMKvLhtN9fi9fn3YJAX
VH5fyNjLILMX88dDAtPGK7y5I3qK9EddBmaw0Ma0KF62/wSdOKOnUUysHtNdHWia
dQGMYpxVApuc7BoXh2TkYsKTNU2bahDhWregCgzFCfXFf2QuPyr1GcoLXo8iJuFe
2HCR7TFb0sR5Da2tauB2
=5Lvz
-----END PGP SIGNATURE-----
Re: [Openvpn-devel] [PATCH applied] tls-crypt: introduce tls_crypt_kt()
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Your patch has been applied to the following branches

commit 489c7bf93ec618e03dbd9618efbb6e251a65e76c (master)
commit d47228e71de6cbbf860746a50a3ecf8025e35653 (release/2.4)
Author: Steffan Karger
Date:   Sat Aug 12 11:53:52 2017 +0200

    tls-crypt: introduce tls_crypt_kt()

    Signed-off-by: Steffan Karger <steffan.kar...@fox-it.com>
    Acked-by: Antonio Quartulli <a...@unstable.cc>
    Message-Id: <1502531632-16833-1-git-send-email-steffan.kar...@fox-it.com>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15229.html
    Signed-off-by: David Sommerseth <dav...@openvpn.net>

- -- 
kind regards,

David Sommerseth
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iQIcBAEBCgAGBQJZlGBTAAoJEIbPlEyWcf3ykpwP/3iuOWQMf6jgWs0ezR9A5YcT
08AjJ9aS5hfx/d8NWzuO6ZnOgm8AgepD+nnMbYSyBHWaRfkf1BOOHBeu7xuTXxA5
CpYWjEtAVA+cDlqn/BYjiT3mtTcg4ghX8itrSws2VLmVeg7LNy3zpvbkCZKcBfVR
P/XjHdMQFTRlAYYsllKlIXYz94HawtjCti3ijCkMqUNekle7ufHQog8RDC0LJr8i
bPRqxoIiqUrZVs/PUqdGbggWu/UiEzwgeAIBY4J2/0YC1ZVYWv18kbOatNIpGIbb
wIH9T4+kvaiZ840+SaPmcZA1LRjsyxsEj8WwS6os3dmFp9H58PCO/Uyu/lvPRR8E
7o6kvdbFXoYsQMIpHwyUV025kIDPj+bWDSF4K3pTcb0yHr8cXqPpWqO6K7r9NqEc
CTpWWNuD1Fy3gEAV8HYn5hM2yCQDzJmkHXnjQrb2ER3re2yB+4kFNiaZwmZd0Gmi
uKBq0DP6qGEzSfxPpZdYHEoqHJ5pm9HavZIvG+5mt95rvwqBIvuVU8PdQ9g1qUzc
nOKSYErbs0vvEVXlLWl2vWo3xwcsdMI4ut6nR0fxA1YQTwPyuh8+gbPgkBRB8DUk
SjlJ5WcmWWbfN6L8IGpGCZMpjlcSwA/lTygzyqcFGvWHruap1J8qNMLrj2Gec7Dp
3D8sygBqVNi5Mrrxj/hh
=W/rQ
-----END PGP SIGNATURE-----
Re: [Openvpn-devel] [PATCH applied] Move run_up_down() to init.c
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Your patch has been applied to the following branches

commit 4a9d1d70d5b0ff04dbf26ba7e679733a54c694b6 (master)
commit 81b78cf5de03f843cdf917bb2ee350ba85f49cbd (release/2.4)
Author: Steffan Karger
Date:   Tue Aug 15 17:39:46 2017 +0200

    Move run_up_down() to init.c

    Signed-off-by: Steffan Karger <steffan.kar...@fox-it.com>
    Acked-by: Antonio Quartulli <a...@unstable.cc>
    Message-Id: <1502811586-19578-1-git-send-email-steffan.kar...@fox-it.com>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15256.html
    Signed-off-by: David Sommerseth <dav...@openvpn.net>

- -- 
kind regards,

David Sommerseth
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iQIcBAEBCgAGBQJZlGAuAAoJEIbPlEyWcf3ylAQP/3mQukJluWtKhHBsbwNvC6RV
pm0kQ6BXwhIpQoR0FrUo8uCWsH+Orlo/OfdwiImY7Kit+hCyUuCb4Bg7AlVj3MEE
YQefMXJdu0SWyhUPITlDykW3RbtR6ATcoEsigi+BVmUbjZ3+nKtW5feN/OtHcsuk
AMp1+NPIg5tM0cQPUxCZUFx2kObkNYDgk4IsgApMNeNgZmpVfAIv3yajOUyy347U
XoAZUF2igUP3xjjGvXdNa9v/bZvQAX05xfs4avcOjVHS8445CCl9kROQ1fcF1iAf
8c6zlq/GfS7xT4XJ377dkpbiquPMSc8qJnI11c0t7Dxp29+shKaWY28dUuJ8SS7s
dUQPd7tvWt3hV2fMHQ/NKROZDILwjTsU5BCZQBkvijJdjeCYxs+lpA+Qolab9e0h
ekyZsiuHMBUsEH33F5V8noGooZMvx9+XmQVN4M0rMaMTwSUC/7xhrNkg0SoZPZve
8PxxQmeF9XXY6PfcBc90SSwP6cjqUCiQCVsJm9RWUaHC+6fF0ec6Lzg4NRf77DEn
mxHCmCGikP0zcQB6/7lPaGS/iERFfrn3Y2i4u/so0ci1C/7WMOk0rnImoDAXiW40
AyCwbB0Efrt7Y2/W1RDwfK7B/Z4U8Ow747P6adaW0SiYkQSe/EmRsGE8S8lvdNcU
qMYAqEXEk3khDZEvDX/p
=qS4+
-----END PGP SIGNATURE-----
Re: [Openvpn-devel] [PATCH applied] remove the --disable-multi config switch
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Your patch has been applied to the following branches

commit 299a8f8f1aa10b5b0d006ae77c26de33d55d4a25 (master)
commit 12df7c26a5210052029acbf47bdf9aee673b34ee (release/2.4)
Author: Antonio Quartulli
Date:   Wed Aug 16 21:24:54 2017 +0800

    remove the --disable-multi config switch

    Signed-off-by: Antonio Quartulli <a...@unstable.cc>
    Acked-by: Steffan Karger <steffan.kar...@fox-it.com>
    Message-Id: <20170816132454.13046-...@unstable.cc>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15275.html
    Signed-off-by: David Sommerseth <dav...@openvpn.net>

- -- 
kind regards,

David Sommerseth
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iQIcBAEBCgAGBQJZlGAmAAoJEIbPlEyWcf3yHFMP/jU0S1g9wVZFNtvQQ2wL/ZxZ
wFSP+jPrHVwOm3fKz8VVGVRdrjtaO1Cwja5xADJWt5KHVh5Bci8C+Yk0sEXoItYz
uy9ko1JlRNIMQzjtrh8sLGCAYqlSUsR5GuqNpWqWLB92HdVIi882GNIBC3l0Uo0m
XqH4/2agCxaTPO5nZk3+VtEhEkJoCFxcROjPiLgPUoHNUn4rg1MPc6EhhyBVzzeH
QjccUEdYLA0Lar9fv2B/Nzke6CzXVzrCq/eyOXyP0PplxqSqAlnnDg9PKPrS9psl
WT/lBlKOfb6AnwK870IRo+BoQVwNbI1d6mLbZNKoojdtRKDmqRvcx6vwFxirjklO
WpGJoTEGtcjswXAHuGwCfPclsSQUtoKSkFjI863XtJsTvTXONrIzqW391Fmxb1x+
mWL08opLcBvTmOgT89G12wxzjaq5vV9jb6hPjNd2c//IeD1fXqFyPyNnFA9K+pYE
PtywIuUt07kBOb7dBVkE/QFcYUNZBeGiuysSQPY4NOU0tY174MDpAIz0+1RfXlvW
llQk3RPyp+TD5Z1NOZMgx5PrYlfpSKu9qDyeJAUxsT1w1iKV8gaySHeTd+c0RJol
d8wuEwlnLqgs3N5T9LnPGb3HWGw82RNRhcq4+lr2+qGOfWGESYg1vz5rR3v8UueA
VNY7h3NZ3rz/gIarz4Cy
=HsyD
-----END PGP SIGNATURE-----
Re: [Openvpn-devel] [PATCH applied] ntlm: avoid breaking anti-aliasing rules
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Your patch has been applied to the following branches

commit e84b6994b4d2b53bcebd5415a58de4cecd411a7b (master)
commit 30e0778a57a8db3d57d144471a869647037a115b (release/2.4)
Author: Antonio Quartulli
Date:   Wed Aug 16 20:18:06 2017 +0800

    ntlm: avoid breaking anti-aliasing rules

    Signed-off-by: Antonio Quartulli <anto...@openvpn.net>
    Acked-by: Steffan Karger <steffan.kar...@fox-it.com>
    Message-Id: <20170816121806.26471-...@unstable.cc>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15268.html
    Signed-off-by: David Sommerseth <dav...@openvpn.net>

- -- 
kind regards,

David Sommerseth
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iQIcBAEBCgAGBQJZlGAXAAoJEIbPlEyWcf3yypsP/302vOTwTQ/HizJ83s9QJYPh
9xRA2/4fwV9iNyoj76SHskMnAtkyIZGUlWN/mMIw9ekZF0lydIQn6XK0ftvhuwEr
XYiaLhUzB1wIDTXRhU8scSW+Xe0ZzbQ1EQMKuUW6muTcGCVlCWRIQkZ8FFfJsxFi
PnXFpEL1UuNCwaFbLdPbdVSXb14vgQ9q7++PCNFIc2Z7dyocsoFzFJlHL1fmaGd/
1G2cURTDtFXinIphFOzTFdsog6CyRciqnqTWm8k8COAE23ESqdaU/74CbqT+W9W4
YCmixcNttTImeeVMIepPoCrC/zEEyyRMVha6MPhZu6o2zYVjgkkgXek0hoJoY8ns
z6cFbDXs9IyeSQmO1rCQnm5f79yA/UQ3GZNNtaWg6vkl+Jp6KDhUpW5Vxh9z+VXo
PGqCWxyGqVw+ycAs2X0bddHVIAwg5pTjGXVXcthZTgg584RlqmOXKZZ5VP940CCh
JZ1SZam64wQqjWlxFcVmZ9AVnOWN+FSOoKvK8I4h9xHbrQMT6DkBzwoDXRBwb1il
TSTl0Rev6HKrB6HF290BgLcHzpUzaKcRcw/bIMXRUO6L1Lp/ciOeEyiBTBrGdQw7
tT4rjvbJg0/iL0lM9GkDmjI0tWNmVS0V4+HC1r0mdtOxq9j0AJTBKtkiEY6Y+XWv
gsmqfSDNCqn6d/osOEKx
=8ER+
-----END PGP SIGNATURE-----
Re: [Openvpn-devel] [PATCH] Highlight deprecated features
On 15/08/17 23:54, David Sommerseth wrote:
> We have quite a list of deprecated options currently. Ensure this
> is highlighted both in documentation and code.
>
> This patch builds on the wiki page [1] enlisting all deprecated features
> and their status. There are also some options not listed here, as
> there exists patches in release/2.4 which awaits an update for git master.
>
> Signed-off-by: David Sommerseth <dav...@openvpn.net>

Sorry, I forgot the [1] reference in the commit message:

[1] <https://community.openvpn.net/openvpn/wiki/DeprecatedOptions>

-- 
kind regards,

David Sommerseth
OpenVPN Technologies, Inc

signature.asc
Description: OpenPGP digital signature
[Openvpn-devel] [PATCH] Highlight deprecated features
We have quite a list of deprecated options currently. Ensure this is highlighted both in documentation and code. This patch builds on the wiki page [1] enlisting all deprecated features and their status. There are also some options not listed here, as there exists patches in release/2.4 which awaits an update for git master. Signed-off-by: David Sommerseth <dav...@openvpn.net> --- Changes.rst | 15 ++ doc/openvpn.8 | 78 ++- src/openvpn/options.c | 16 ++- 3 files changed, 77 insertions(+), 32 deletions(-) diff --git a/Changes.rst b/Changes.rst index 4358f78b..74d038a0 100644 --- a/Changes.rst +++ b/Changes.rst @@ -161,6 +161,9 @@ Asynchronous push reply Deprecated features --- +For an up-to-date list of all deprecated options, see this wiki page: +https://community.openvpn.net/openvpn/wiki/DeprecatedOptions + - ``--key-method 1`` is deprecated in 2.4 and will be removed in 2.5. Migrate away from ``--key-method 1`` as soon as possible. The recommended approach is to remove the ``--key-method`` option from the configuration files, OpenVPN @@ -181,6 +184,18 @@ Deprecated features - ``--keysize`` is deprecated and will be removed in v2.6 together with the support of ciphers with cipher block size less than 128 bits. +- ``--comp-lzo`` is deprecated in OpenVPN 2.4. Use ``--compress`` instead. + +- ``--ifconfig-pool-linear`` has been deprecated since OpenVPN 2.1 and will be + removed in v2.5. Use ``--topology p2p`` instead. + +- ``--client-cert-not-required`` is deprecated in OpenVPN 2.4 and will be removed + in v2.5. Use ``--verify-client-cert none`` for a functional equivalent. + +- ``--ns-cert-type`` is deprecated in OpenVPN 2.3.18 and v2.4. It will be removed + in v2.5. Use the far better ``--remote-cert-tls`` option which replaces this + feature. + User-visible Changes diff --git a/doc/openvpn.8 b/doc/openvpn.8 index 056ae145..5da29300 100644 --- a/doc/openvpn.8 +++ b/doc/openvpn.8 
@@ -769,7 +769,8 @@ Only use when none of the connecting clients are Windows systems. This mode is functionally equivalent to the .B \-\-ifconfig\-pool\-linear -directive which is available in OpenVPN 2.0 and is now deprecated. +directive which is available in OpenVPN 2.0, is deprecated and will be +removed in OpenVPN 2.5 .B subnet \-\- Use a subnet rather than a point-to-point topology by @@ -2485,15 +2486,17 @@ setting to be pushed later. .\"* .TP .B \-\-comp\-lzo [mode] +.B DEPRECATED +This option will be removed in a future OpenVPN release. Use the +newer +.B \-\-compress +instead. + Use LZO compression -- may add up to 1 byte per packet for incompressible data. .B mode may be "yes", "no", or "adaptive" (default). -This option is deprecated in favor of the newer -.B --compress -option. - In a server mode setup, it is possible to selectively turn compression on or off for individual clients. @@ -3106,9 +3109,13 @@ a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, use .B \-\-ifconfig\-push + .\"* .TP .B \-\-ifconfig\-pool\-linear +.B DEPRECATED +This option will be removed in OpenVPN 2.5 + Modifies the .B \-\-ifconfig\-pool directive to @@ -3671,15 +3678,16 @@ to empty strings (""). The authentication module/script MUST have logic to detect this condition and respond accordingly. .\"* .TP -.B \-\-client\-cert\-not\-required (DEPRECATED) +.B \-\-client\-cert\-not\-required +.B DEPRECATED +This option will be removed in OpenVPN 2.5 + Don't require client certificate, client will authenticate using username/password only. Be aware that using this directive is less secure than requiring certificates from all clients. - .B Please note: -This option is now deprecated and will be removed in OpenVPN v2.5. -It is replaced by +This is replaced by .B \-\-verify\-client\-cert which allows for more flexibility. The option .B \-\-verify\-client\-cert none 
@@ -3744,7 +3752,10 @@ the authenticated username as the common name, rather than the common name from the client cert. .\"* .TP -.B \-\-compat\-names [no\-remapping] (DEPRECATED) +.B \-\-compat\-names [no\-remapping] +.B DEPRECATED +This option will be removed in OpenVPN 2.5 + Until OpenVPN v2.3 the format of the X.509 Subject fields was formatted like this: .IP @@ -3792,7 +3803,10 @@ to make the transition to the new formatting less intrusive. It will be removed in OpenVPN v2.5. So please update your scripts/plug-ins where necessary. .\"
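Review bot: the Changes.rst hunk and the man page hunk at line 769 disagree on when `--ifconfig-pool-linear` was deprecated; Changes.rst says it "has been deprecated since OpenVPN 2.1" while the man page text becomes "directive which is available in OpenVPN 2.0, is deprecated". Pick one statement and use it in both places. In the same Changes.rst hunk the `--comp-lzo` entry is the only one without a removal version; if none has been decided, say "will be removed in a future release" as the man page hunk does, so the omission does not read as an oversight.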
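Review bot: the rewritten sentence in the hunk at line 769 ("directive which is available in OpenVPN 2.0, is deprecated and will be removed in OpenVPN 2.5") has a dangling comma and no full stop; suggest "directive, which was introduced in OpenVPN 2.0, is deprecated and will be removed in OpenVPN 2.5."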
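Review bot: the new `.B \-\-ifconfig\-pool\-linear` entry in the hunk at line 3109 says only "DEPRECATED / This option will be removed in OpenVPN 2.5" and leaves the reader without a replacement, while the Changes.rst hunk points at `--topology p2p`; add a line such as `Use .B \-\-topology p2p instead.` so the man page entry stands on its own. The sentence is also missing its full stop here and in the `--client-cert-not-required` and `--compat-names` hunks that copy it.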
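Review bot: the `--compat-names` hunk at line 3752 adds "DEPRECATED / This option will be removed in OpenVPN 2.5" at the top of the entry but keeps the older "It will be removed in OpenVPN v2.5. So please update your scripts/plug-ins where necessary." further down, so the removal is now stated twice with two different version spellings; drop the removal statement from the later sentence and keep only the "please update your scripts/plug-ins" advice.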
[Openvpn-devel] [PATCH] Use consistent version references
A simple clean-up where the version references have been unified all those places I could find now. The versioning scheme used is: * OpenVPN 2.x * v2.x We want to avoid: * 2.x (2.4 can be just an ordindary decimal number, OID reference, a version number or anything else) * OpenVPN v2.x (OpenVPN indicates we're talking about a version) In addition, several places where it made sense I tried to ensure the first version reference uses "OpenVPN 2.x" and the following references in the same section/paragraph uses "v2.x", to set the context for the version reference. In Changes.rst modified paragraphs exceeding 80 chars lines where reformatted as well. Signed-off-by: David Sommerseth <dav...@openvpn.net> --- Changes.rst| 52 ++ doc/openvpn.8 | 34 +++--- sample/sample-config-files/client.conf | 2 +- sample/sample-config-files/server.conf | 4 +-- src/openvpn/options.c | 8 +++--- 5 files changed, 51 insertions(+), 49 deletions(-) diff --git a/Changes.rst b/Changes.rst index 4358f78b..0999a835 100644 --- a/Changes.rst +++ b/Changes.rst 
@@ -161,25 +161,26 @@ Asynchronous push reply Deprecated features --- -- ``--key-method 1`` is deprecated in 2.4 and will be removed in 2.5. Migrate - away from ``--key-method 1`` as soon as possible. The recommended approach - is to remove the ``--key-method`` option from the configuration files, OpenVPN - will then use ``--key-method 2`` by default. Note that this requires changing - the option in both the client and server side configs. +- ``--key-method 1`` is deprecated in OpenVPN 2.4 and will be removed in v2.5. + Migrate away from ``--key-method 1`` as soon as possible. The recommended + approach is to remove the ``--key-method`` option from the configuration + files, OpenVPN will then use ``--key-method 2`` by default. Note that this + requires changing the option in both the client and server side configs. -- ``--tls-remote`` is removed in 2.4, as indicated in the 2.3 man-pages. Similar - functionality is provided via ``--verify-x509-name``, which does the same job in - a better way. +- ``--tls-remote`` is removed in OpenVPN 2.4, as indicated in the v2.3 + man-pages. Similar functionality is provided via ``--verify-x509-name``, + which does the same job in a better way. -- ``--compat-names`` and ``--no-name-remapping`` were deprecated in 2.3 and will - be removed in 2.5. All scripts and plug-ins depending on the old non-standard - X.509 subject formatting must be updated to the standardized formatting. See - the man page for more information. +- ``--compat-names`` and ``--no-name-remapping`` were deprecated in OpenVPN 2.3 + and will be removed in v2.5. All scripts and plug-ins depending on the old + non-standard X.509 subject formatting must be updated to the standardized + formatting. See the man page for more information. -- ``--no-iv`` is deprecated in 2.4 and will be removed in 2.5. +- ``--no-iv`` is deprecated in OpenVPN 2.4 and will be removed in v2.5. 
-- ``--keysize`` is deprecated and will be removed in v2.6 together - with the support of ciphers with cipher block size less than 128 bits. +- ``--keysize`` is deprecated in OpenVPN 2.4 and will be removed in v2.6 + together with the support of ciphers with cipher block size less than + 128-bits. User-visible Changes @@ -302,7 +303,7 @@ Maintainer-visible changes files instead of older ones, to provide a unified behaviour across systemd based Linux distributions. -- With OpenVPN v2.4, the project has moved over to depend on and actively use +- With OpenVPN 2.4, the project has moved over to depend on and actively use the official C99 standard (-std=c99). This may fail on some older compiler/libc header combinations. In most of these situations it is recommended to use -std=gnu99 in CFLAGS. This is known to be needed when doing @@ -324,7 +325,7 @@ New features Security - CVE-2017-7522: Fix ``--x509-track`` post-authentication remote DoS - A client could crash a 2.4+ mbedtls server, if that server uses the + A client could crash a v2.4+ mbedtls server, if that server uses the ``--x509-track`` option and the client has a correct, signed and unrevoked certificate that contains an embedded NUL in the certificate subject. Discovered and reported to the OpenVPN security team by Guido Vranken. @@ -381,7 +382,7 @@ User-visible Changes Bugfixes - Fix fingerprint calculation in mbed TLS builds. This means that mbed TLS users - of OpenVPN 2.4.0, 2.4.1 and 2.4.2 that rely on the values of the + of OpenVPN 2.4.0, v2.4.1 and v2.4.2 that rely on the values of the ``tls_digest_*`` env vars, or that use ``--verify-hash`` will have to change the fingerprint values they check against. The security impact of the inc
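Review bot: in the first Changes.rst hunk the `--keysize` entry changes "less than 128 bits" to "less than 128-bits"; the hyphen only belongs in the attributive form ("a 128-bit block"), so this is a regression unrelated to the version-reference clean-up and the text should stay "128 bits".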
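Review bot: in the Bugfixes hunk at line 382, "OpenVPN 2.4.0, v2.4.1 and v2.4.2" applies the "first reference OpenVPN 2.x, later ones v2.x" rule inside a single enumeration of patch releases, where it reads as three differently formatted items; "OpenVPN 2.4.0, 2.4.1 and 2.4.2" would be clearer, and the commit message could state that a list of releases is an exception to the rule.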
Re: [Openvpn-devel] [PATCH applied] Deprecate --no-replay
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

ACK. Please send patch for git master removing this feature. I
considered applying it to git master, as a way to track it. But decided
not to do that now.

Your patch has been applied to the release/2.4 branch.

commit e3da00918d2dd99c116f6da1a14a2a73b72829f4
Author: Steffan Karger
Date:   Sat Jul 1 13:22:08 2017 +0200

    Deprecate --no-replay

    Signed-off-by: Steffan Karger
    Acked-by: David Sommerseth
    Message-Id: <20170701112208.18803-1-stef...@karger.me>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15003.html
    Signed-off-by: David Sommerseth

- -- 
kind regards,

David Sommerseth
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iQIcBAEBCgAGBQJZk01dAAoJEIbPlEyWcf3yTzoQAKR5rlvu5wf+TtXjluxO9CNx
q9Ausjy8C8C87ltHEPm2CgNcq3BywqCyaxxoy+yox97PGeCgQ1EBRkOtlnwBdrZi
9Ad3gnyNlYw0iX/oZ3A7MH1dr6jH8f2gTLcxdwcyvacmeDpS0Y2R31VFKJbYHMKX
9afXWqxkpkFhVvi1Mwph3RR+dTO8OSxmVExGKM1E1q5aSB3Vfsp2vk2qtlUyaij7
uOAS/TaBole5k2VUnwfMH5fdw6fBnosc2eRw+kqY3NdjQKE3TiH5MuwqnsP5tsbt
eW4Do5xT2kU+XgY2jp0dPI4ImD8aUfVYg0Ud54A4n0E0uf6KCkGCPkDBr5KhObiP
if+Yl5Zv3W2W5ZsN7tbB+IyZGJMoqghqG0a/fw8Ef4A6ZsH+aSCtgQyE/CoTvFA/
5I6q97EFQIiLsbyMAnk2Wb1IC1nxgO1HcHudOcGOtqLwz+ungHcdZQv6H5xecDDi
0YLteRG5sxM7CBxjOD3gs1nk+BbbtSp/DAFe3VNw+F0EVOCcmcuSGdBvW5ZwZcq8
FIrm6znVgvOklO+a0/jm0lYLSSiJmvhDh2zEK5ovFOD+Rw6KAodDoyz3d84oyRJG
A9mb+v/3WgqxDRuM+O173Hti9pHcv3zXmmF5e9tuQIOEQdXSliGG+UV7fRvhW9up
BemIFv02Qac9uW9yKFjJ
=HIXh
-----END PGP SIGNATURE-----
Re: [Openvpn-devel] [PATCH applied] Deprecate --keysize
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

ACK. The patch has been slightly adapted to git master and applied to
release/2.4. In addition, the final deprecation was moved to v2.6.

Your patch has been applied to the following branches

commit ad178f01444d61e48fca83c4f0bc5d82270cee87 (master)
commit e2ab4958528a352c3ddad02446c10814afe68f6b (release/2.4)
Author: Steffan Karger
Date:   Sat Jul 1 13:29:51 2017 +0200

    Deprecate --keysize

    Signed-off-by: Steffan Karger <stef...@karger.me>
    Acked-by: David Sommerseth <dav...@openvpn.net>
    Message-Id: <20170701112951.19119-1-stef...@karger.me>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15004.html
    Signed-off-by: David Sommerseth <dav...@openvpn.net>

- -- 
kind regards,

David Sommerseth
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iQIcBAEBCgAGBQJZkvu0AAoJEIbPlEyWcf3ygK0QAIVaDf3bnuxx1HhiOZVj6tho
GejAD1sq3dSW3SRYfbvLtOpnr+LPVfbAvR203EeOJhj+2s3oaqrabI8GFH2r+xy4
NMgX1flrnjhv5bn1dJStDGNLAF//htb/YD9HxuOOgFuhqoHPsO8kzlULUzW+8PkZ
hDgqWAm/IPUKJb2sfTUMat4CZxjE6Bf7qpsR8Znt0ilcaUzxwlwkRIeP/buC4zNJ
MT3zzDfwGzEM6mxcNiNromc9TQl4Jjvpf6oNcYkDUu/RkUNvha3XsI39xr/FXFLS
/VaQuOs4cZl0fzlP217hMl4IZ3f0EYT7jUHHBNMz+sPfB+e9F9BKktoKS8qGV185
uIC20+YQsfkKHJKM32XqRoi7OFjIevbljrSS8QSqOx6hx28rDRAkrvcIGrvrEGPu
Og7XHM5KwvtsNo09ScZOhJEfdh3zWYlq7gdnXT1iCySwG4iQ2oAiiQj37wDcXwcG
lrKW6ekk8RGxB/BZkSNo0oSPDlftIE/Yg81JNwcCHmUMDSsQzlHJTA4EYyhBFMic
q4+OtqNp9n7xnUYzQxWpzKPUXZ8TYXTh4AQFVrHnYpLz2NJpytYjOiRZ+7kVa1oN
rHz51ifHfo7Xj9jI7GAhUcMEZIjmjaiPBbC6b5MbJvkTgDrEUo+Jq8ps2/456rVR
sx+X4/sifcGMFuoh235b
=UleN
-----END PGP SIGNATURE-----
Re: [Openvpn-devel] [PATCH applied] Deprecate --ns-cert-type
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

ACK. This makes sense and works as expected.

Your patch has been applied to the release/2.3 branch

commit 49e12a39abdecb4c63ea0e577f9abc18e0eda082
Author: Steffan Karger
Date:   Tue Aug 8 22:00:47 2017 +0200

    Deprecate --ns-cert-type

    Trac: #876

    Signed-off-by: Steffan Karger <stef...@karger.me>
    Acked-by: David Sommerseth <dav...@openvpn.net>
    Message-Id: <150447-8186-1-git-send-email-stef...@karger.me>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15180.html
    Signed-off-by: David Sommerseth <dav...@openvpn.net>

- -- 
kind regards,

David Sommerseth
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iQIcBAEBCgAGBQJZkuCYAAoJEIbPlEyWcf3y+84P/2g4Jn4jdgMd4yM/diLyWPBP
Nyu3ukvrB9pAN81tekdr1H3ZtOaQEfLkBV3DfAsymaSC5NEODBWHVStgypcN6wRI
azOuOBgsKF4jW32CWZWG76ZBvzkVutNUue/FCU0SxddFgvE0lFBcKTpY5oAzvNPx
pHc4TLZ6ZpGPEuCCb3ypyYLvBHRK8oSmTZNnSVGsOby20ZWI8Lrn5JC+f6AavKQQ
2BcS4ke0r74tRDg+PnZ07BY3xGKlExkrrKIJfYzFhpMf8Nv7qzV0y6/sM1CEn43G
RjQd5NaBx53ByVqpvMTgutlymr57W424y0uBdAXTGe2VvzwVP8duiTJ8OR+bKkKV
y8MnZ7bDu8UFHqACMtd10KUCRgBBC5S0wSG2lUxtb31Qz2OG+dh6W7arMyPeUl7s
XNAWgVJFUoNeqGLuvIfcgE+F667vvDIRODI4MccXoRDHrBtsQrFTPyRYNOIotMOO
DVESfFCUKT6flU2l70rM0Oi1lAKpqg+RtZSNbA3eUo/wLnfqsYeGpDd7cx7q1WH3
erSnu6I6BJxob+h/O+aY8qJaYnj6qhye6qPg2Bwbykb/Pc35s7aqxI/wsFxKKSFL
U5ZFzeceZokni1Ucurb0S+yiwHC23O0pFaNLU7KaaxJfqIYZCidFSeUDAOtQRybp
VQloJpr/pdjBCRrMwfke
=ia5o
-----END PGP SIGNATURE-----
Re: [Openvpn-devel] [PATCH] Deprecate --keysize
On 15/08/17 11:17, Илья Шипицин wrote:
[...]
>>> there are special cases like Mikrotik openvpn (pretty popular), where
>>> user simply use what hardware vendor installed (without possibility to
>>> recompile).
>>>
>>> should we contact such hardware vendors as well ?
>>
>> there might be a non-predictable number of vendors shipping their own
>> openvpn version. We can't contact them all. It's their responsibility to
>> stay behind the changes in what they ship.
>>
>> If they don't, their users will complain aloud with them ;)
>>
>> On top of that, this does not prevent users from using their own config,
>> right? So they can still configure the client to avoid deprecated
>> options.
>
> you cannot use regular openvpn config with Mikrotik
> https://wiki.mikrotik.com/wiki/OpenVPN
>
> you can use mikrotik configuration options

Which just emphasizes even more that Mikrotik needs to do their own
homework on their own. Their config syntax is completely alien to us, so
we have no direct influence on how their syntax ends up as a configuration
OpenVPN is capable of understanding. And _we_ shouldn't care how Mikrotik
does that, it's their own implementation design.

-- 
kind regards,

David Sommerseth
OpenVPN Technologies, Inc

signature.asc
Description: OpenPGP digital signature
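The point made in the exchange above, that a user can still write their own client config to avoid deprecated options, is easier to act on with a checker. The following is an added example for this thread and is not code from the OpenVPN project or from anyone posting here. Its deprecation table is taken from the Changes.rst "Deprecated features" entries and the "Deprecate --no-replay", "Deprecate --keysize" and "Deprecate --ns-cert-type" notices on this page; the "drop the option" advice for `--no-iv`, `--no-replay` and `--keysize`, the handling of inline `<ca>`-style blocks, and the sample config (hostnames made up) are this example's own assumptions.

```python
"""Flag deprecated OpenVPN 2.4 directives in a client or server config.

Added example for the openvpn-devel deprecation thread; not OpenVPN
project code.  The table below comes from the deprecation entries quoted
on that page.  Where the page names no replacement (--no-iv, --no-replay,
--keysize) the advice "drop the option" is this example's own assumption.
"""
import re

# directive -> (removal target as stated on the page, what to do instead)
DEPRECATED = {
    "tls-remote": ("already removed in 2.4", "use verify-x509-name"),
    "compat-names": ("2.5", "update scripts/plug-ins to the standard X.509 subject format"),
    "no-name-remapping": ("2.5", "update scripts/plug-ins to the standard X.509 subject format"),
    "no-iv": ("2.5", "drop the option"),                 # advice is an assumption
    "keysize": ("2.6", "drop the option and use a cipher with a 128-bit block"),  # assumption
    "comp-lzo": ("a future release", "use compress"),
    "ifconfig-pool-linear": ("2.5", "use topology p2p"),
    "client-cert-not-required": ("2.5", "use verify-client-cert none"),
    "ns-cert-type": ("2.5", "use remote-cert-tls"),
    "no-replay": ("a future release", "drop the option"),  # advice is an assumption
}

INLINE_OPEN = re.compile(r"<([a-z0-9-]+)>$")


def iter_directives(config_text):
    """Yield (lineno, name, args) for each directive in an OpenVPN config.

    Blank lines and lines starting with '#' or ';' are comments.  The body
    of an inline file block (<ca> ... </ca>, <tls-auth> ... </tls-auth>) is
    skipped so certificate text is never mistaken for a directive.  A leading
    '--' is tolerated so command-line style input can be checked as well.
    """
    inline = None
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if inline is not None:
            if line == "</%s>" % inline:
                inline = None
            continue
        if not line or line[0] in "#;":
            continue
        opened = INLINE_OPEN.match(line)
        if opened:
            inline = opened.group(1)
            continue
        parts = line.split()
        yield lineno, parts[0].lstrip("-"), parts[1:]


def find_deprecated(config_text):
    """Return [(lineno, directive, removed_in, advice)] for every hit.

    --key-method is only flagged with the value 1: Changes.rst says that
    removing the option makes OpenVPN use key-method 2 by default.
    """
    hits = []
    for lineno, name, args in iter_directives(config_text):
        if name == "key-method" and args and args[0] == "1":
            hits.append((lineno, "key-method 1", "2.5",
                         "remove the option; key-method 2 is the default"))
        elif name in DEPRECATED:
            removed_in, advice = DEPRECATED[name]
            hits.append((lineno, name, removed_in, advice))
    return hits


def report(config_text):
    """One human-readable line per hit."""
    return ["line %d: %s (removal: %s) -> %s" % hit
            for hit in find_deprecated(config_text)]


# Constructed sample for this example; not a real deployment.
SAMPLE_CONFIG = """\
# constructed sample client config for this example
client
dev tun
remote vpn.example.net 1194
key-method 1
tls-remote server.example.net
comp-lzo adaptive
ns-cert-type server
no-replay
keysize 128
<ca>
placeholder, not a real certificate
</ca>
# comp-lzo in a comment is ignored
verb 3
"""

if __name__ == "__main__":
    for line in report(SAMPLE_CONFIG):
        print(line)
```

Run it against a real file with `find_deprecated(open(path).read())`; a clean config returns an empty list. Trailing comments on a directive line are not stripped, so a line such as `comp-lzo # old` is still reported, which is the safe direction for a checker.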
Re: [Openvpn-devel] [PATCH applied] sample-plugins: fix ASN1_STRING_to_UTF8 return value checks
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

This is the slightly modified commit, which resolves the merge conflict
when cherry-picking the corresponding commit from git master
(c43045ca059). Below is the complete commit message.

commit 5ed5030c349326c5448fd87424c1a2283ccee18f (release/2.4)
Author: David Sommerseth
Date:   Mon Aug 14 15:19:37 2017 +0200

    sample-plugins: fix ASN1_STRING_to_UTF8 return value checks

    As we did in 2d032c7f for the ASN1_STRING_to_UTF8() calls in the core
    code, we should also free(buf) if the function returns 0.

    [DS: On-the-fly merge conflict fix: There was a conflict against the
         OpenSSL 0.9.6b workaround in v2.4. Since we no longer support
         anything older than OpenSSL 0.9.8 in release/2.4, whack that
         workaround and be more consistent with git master those two
         places]

    Signed-off-by: Steffan Karger <steffan.kar...@fox-it.com>
    Acked-by: David Sommerseth <dav...@openvpn.net>
    Message-Id: <1501238302-16714-1-git-send-email-steffan.kar...@fox-it.com>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15161.html
    Signed-off-by: David Sommerseth <dav...@openvpn.net>
    (cherry picked from commit c43045ca0590364552fbd060cc65ee1c50a4866a)

- -- 
kind regards,

David Sommerseth
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iQIcBAEBCgAGBQJZkcvWAAoJEIbPlEyWcf3yka4P/jCrg3SkgPEGZxmWOU4RGQlh
VSlcq64qKGggg7wEcG/G0UYCdiPwUT1zD0s/cFoJPNG/qSeX8D8LWOJosu41ISwH
aTU8j6oQ/WCA3xLbi9gLL67Aq7IlEoclQF56YUzAfyAYfF1eDmaJ2L8OlwYPlvQO
PAPYVKE/wHWXUaTa6xbgQJmL7evHg/Jr4ThnoOPGgrTwNPZFso4yrECd87wmhnXT
yjyypzrh/XEgQLMdo09LYyReLYAmOKx7BlmR9sXcp3JiXctwtd8//lSUoX8XrtlG
mNVzKBlWlzN4oPO0Llel33tuiSm4kGE7EQKbFzDx2Q6acEsvEmkVljILZ5Pe0MBi
wpT9hNcGr5/mImXEcm0Ga/z/qKLTlrgQJBiKmn6WOfaFFuGKWSqtN5MzpW1MPDwc
IUoPnlI/UaM86pLJqtq8+7/sAkM7V6H7zX9sMcz6JNi4HxdLIJg/ziL4qnRqU8ZA
88UOsY+2UnW4aJKZOkpNbGJiyUtUMn+NBwwd4tXsw5PXkh/Usjkyqhl5uGGTFEzu
rJgHkwE89R6C9NYEvzC5u85pe8yMZ/eJtywIwate+G7BST/KU98Bfyxbpe9eMjzo
qfewluWhHFzQaUSnSRk6jvzWCe3dr21nCyZM/ku9xKdI+vrmY0IwIjl8Haa2rAvD
VEXemEB5tgG8jxqPP7z7
=zosr
-----END PGP SIGNATURE-----
Re: [Openvpn-devel] [PATCH applied] sample-plugins: fix ASN1_STRING_to_UTF8 return value checks
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

ACK. I have a slightly modified version of this patch pending for
release/2.4 (which lacks the OpenSSL 0.9.6b workaround removal). This
will be considered to be added a bit later.

Your patch has been applied to the master branch

commit c43045ca0590364552fbd060cc65ee1c50a4866a
Author: Steffan Karger
Date:   Fri Jul 28 12:38:22 2017 +0200

    sample-plugins: fix ASN1_STRING_to_UTF8 return value checks

    Signed-off-by: Steffan Karger <steffan.kar...@fox-it.com>
    Acked-by: David Sommerseth <dav...@openvpn.net>
    Message-Id: <1501238302-16714-1-git-send-email-steffan.kar...@fox-it.com>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15161.html
    Signed-off-by: David Sommerseth <dav...@openvpn.net>

- -- 
kind regards,

David Sommerseth
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iQIcBAEBCgAGBQJZkax0AAoJEIbPlEyWcf3ytLkQAIojuE34qq8HN2UTkIPoEDNz
/LUzFJjLovzMEibI3Q1g8h3MkSlEi0ar6CHo1X4q4uXoD6dkb6K7Ccy2iU4HglqU
rQtrjU/0tC/iVHmdRayhJc7aez4QIbovIfRuamA0dqC4zoEZutMRrbHF4prRy7Lc
VFprsfEjJPV8yRvEfU34PWHaxFehU8l/9P530oMPeO+mFG0oKP7FCaYbgmV9KZLF
CxjbHY8ZdEXQ++GBmKa/vklsdxb+QF03OoDTmNvqM5YqaCHsWkAxesu5ESwpJomC
pkfG2dSd/0WZI8vuw02sgOAGDPXx5+rNSFpg2eDbynhC1w30lk9w5e281ViyDMcl
h1DrLyP+MTMhIPYYQ5bZSwyct5Mwao+biGxdFmtnTOn1zWrG4M8d4uSA6Sf0pu2b
/u+68KxrHG5/yra3RyTTIza4fCdLUVriepAQAqtHXlPSyGwKS8/eFzlzrFbFhEa8
iDeHJvtQSyPQvt/N3sprvtIKnv88GS3orrpEdDtFJYL2KSVJ4eb2mXKgYqkSDhL0
2KADnwl9cOmiHKBYKPq515GI6b6i63CmLmO32wXh44yU00k26vLfEX8s3ItOWlRD
eJi7t1R8sZm1IJWmZM3AHsv+5h+Kn84f8YZit/fiZJivIREMb5LAVS/h9ZqBMyNX
4LgYGutbSjKU+fSrG2JB
=KULp
-----END PGP SIGNATURE-----
Re: [Openvpn-devel] [PATCH applied] Document down-root plugin usage in client.down
ACK. Your patch has been applied to the following branches

commit cbeff7b1b3f2815ee27f4479dca502c220fc4d15 (master)
commit 597b6224e254775915956b8db45c090709b17b1a (release/2.4)

Author: Conrad Hoffmann
Date: Wed Aug 2 20:14:35 2017 +0200

    Document down-root plugin usage in client.down

    Signed-off-by: Conrad Hoffmann <c...@bitfehler.net>
    Acked-by: David Sommerseth <dav...@openvpn.net>
    Message-Id: <20170802181435.14549-3...@bitfehler.net>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15164.html
    Signed-off-by: David Sommerseth <dav...@openvpn.net>

--
kind regards,

David Sommerseth
Re: [Openvpn-devel] [PATCH applied] Use provided env vars in up/down script.
ACK. Verified that ${dev} does indeed exist in --up and when the plug-in runs with OPENVPN_PLUGIN_DOWN mode, which is facilitated via the down-root plug-in.

Your patch has been applied to the following branches

commit 94c1ce22ebcc1f672bb80598afccc130aa01fafc (master)
commit 9f390f0209aa119f7625a75ae309787bc6785831 (release/2.4)

Author: Conrad Hoffmann
Date: Wed Aug 2 20:14:34 2017 +0200

    Use provided env vars in up/down script.

    Signed-off-by: Conrad Hoffmann <c...@bitfehler.net>
    Acked-by: David Sommerseth <dav...@openvpn.net>
    Message-Id: <20170802181435.14549-2...@bitfehler.net>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15165.html
    Signed-off-by: David Sommerseth <dav...@openvpn.net>

--
kind regards,

David Sommerseth
Re: [Openvpn-devel] [PATCH applied] Move create_temp_file() out of #ifdef ENABLE_CRYPTO
ACK. This makes sense, code looks good and passes initial tests.

Your patch has been applied to the following branches

commit cd5a74d0d7c6347b31e261e98ca8984819e594df (master)
commit a91c38fbabf6f949990ef8a3801d56225a47a33f (release/2.4)

Author: Steffan Karger
Date: Tue Jul 25 23:02:34 2017 +0200

    Move create_temp_file() out of #ifdef ENABLE_CRYPTO

    Signed-off-by: Steffan Karger <steffan.kar...@fox-it.com>
    Acked-by: David Sommerseth <dav...@openvpn.net>
    Message-Id: <20170725210234.5673-1-stef...@karger.me>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15146.html
    Signed-off-by: David Sommerseth <dav...@openvpn.net>

--
kind regards,

David Sommerseth
Re: [Openvpn-devel] [PATCH applied] Always use default keysize for NCP'd ciphers
ACK. Checked code and ran a few quick local tests where it was observed that --keysize was reset to 0 when NCP was active.

Your patch has been applied to the following branches

commit 956bb1c32fa40ee184919b3ce569c90643a01b5b (master)
commit 6f616aa6b7570db965b8eee1d8b8d182af4bb05f (release/2.4)

Author: Steffan Karger
Date: Thu Jul 20 19:55:57 2017 +0200

    Always use default keysize for NCP'd ciphers

    Signed-off-by: Steffan Karger <stef...@karger.me>
    Acked-by: David Sommerseth <dav...@openvpn.net>
    Message-Id: <1500573357-20496-1-git-send-email-stef...@karger.me>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15110.html
    Signed-off-by: David Sommerseth <dav...@openvpn.net>

--
kind regards,

David Sommerseth
Re: [Openvpn-devel] [PATCH applied] add missing static attribute to functions
Your patch has been applied to the following branches

commit 72bcdfdc19243c1ed6cb8568f62f0c35e8b70f5f (master)
commit d1e18d89d9ff4ce946f27d5b019c407bf750fe4b (release/2.4)

Author: Antonio Quartulli
Date: Fri Aug 11 17:07:42 2017 +0800

    add missing static attribute to functions

    Signed-off-by: Antonio Quartulli <anto...@openvpn.net>
    Acked-by: Steffan Karger <stef...@karger.me>
    Message-Id: <20170811090744.31750-...@unstable.cc>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15202.html
    Signed-off-by: David Sommerseth <dav...@openvpn.net>

--
kind regards,

David Sommerseth
Re: [Openvpn-devel] [PATCH] Deprecate --keysize
On 14/08/17 13:17, Steffan Karger wrote:
> Hi,
>
> On 14-08-17 12:36, David Sommerseth wrote:
>> On 01/07/17 13:29, Steffan Karger wrote:
>>> The --keysize option can only be used with already deprecated ciphers,
>>> such as CAST5, RC2 or BF. Deviating from the default keysize is
>>> generally not a good idea (see man page text), and otherwise only
>>> complicates our code.
>>>
>>> (If this patch is accepted, I'll send a follow-up patch to remove the
>>> option from the master branch.)
>>
>> I agree to the wanted intention of this change. But, it hits badly if
>> we remove --keysize on configurations still enforcing BF-CBC with
>> --keysize 256. I don't have any numbers of how many users use it; but
>> I know many have preferred BF-CBC for a long time - at least before
>> SWEET32 came and hit us all. Bear in mind that BF-CBC was the default
>> since 2002-ish (probably even longer, if considering the OpenVPN v1.x
>> branch). And many have added --cipher BF-CBC in their configs despite it
>> being the default.
>>
>> As long as BF-CBC is available, we cannot remove --keysize. And to
>> remove BF-CBC support, I think that needs a bit longer timespan than
>> v2.5. Users *must* be far better prepared for that and we need to make
>> loud and clear announcements with such a change.
>>
>> Yes, in all this, I know that NCP is a nice rescue. As long as everyone
>> either runs v2.4 everywhere or deploys --ncp-ciphers and starts the
>> migration. But I've lost confidence that the vast majority of our users
>> pay close attention to such feature changes - thus they won't notice
>> until it stops working. We need to PUSH this information into their
>> faces, with large posters carrying promises of rainbow coloured unicorns
>> if they comply today(!). In addition to adding clear warnings in the
>> log files for a looong time.
>>
>> So I propose:
>>
>> - We add the warning about removing --keysize for both v2.4 and v2.5.
>>
>> - Add a warning in v2.4 and v2.5 that ciphers with block sizes < 128
>> bits will be *removed* in v2.6
>>
>> - When removing those ciphers in v2.6, we can remove --keysize together
>> with the ciphers, as it will no longer be valid. But --keysize needs
>> to be a NOP for some time (with a warning it has no effect), to avoid
>> OpenVPN stopping to run on upgrades.
>
> Okay. Instead of sending the keysize removal patch, I'll send a patch
> that warns that small block ciphers will be removed in 2.6.
>
> Can you then do s/2.5/2.6/ on the patch, or shall I send a v2?

Yes, I can do that. I'll also remove the remark ("If this is accepted...") from the commit message too, commit to master and cherry-pick to release/2.4. I'll also use the term "OpenVPN v2.6" everywhere, to be more precise in the statements.

But we will need to get started on the planning of the public stunts too. Getting a wiki page in place would be a nice starting point though.

--
kind regards,

David Sommerseth
OpenVPN Technologies, Inc
Re: [Openvpn-devel] [PATCH] Deprecate --keysize
On 01/07/17 13:29, Steffan Karger wrote:
> The --keysize option can only be used with already deprecated ciphers,
> such as CAST5, RC2 or BF. Deviating from the default keysize is
> generally not a good idea (see man page text), and otherwise only
> complicates our code.
>
> (If this patch is accepted, I'll send a follow-up patch to remove the
> option from the master branch.)

I agree to the wanted intention of this change. But, it hits badly if we remove --keysize on configurations still enforcing BF-CBC with --keysize 256. I don't have any numbers of how many users use it; but I know many have preferred BF-CBC for a long time - at least before SWEET32 came and hit us all. Bear in mind that BF-CBC was the default since 2002-ish (probably even longer, if considering the OpenVPN v1.x branch). And many have added --cipher BF-CBC in their configs despite it being the default.

As long as BF-CBC is available, we cannot remove --keysize. And to remove BF-CBC support, I think that needs a bit longer timespan than v2.5. Users *must* be far better prepared for that and we need to make loud and clear announcements with such a change.

Yes, in all this, I know that NCP is a nice rescue. As long as everyone either runs v2.4 everywhere or deploys --ncp-ciphers and starts the migration. But I've lost confidence that the vast majority of our users pay close attention to such feature changes - thus they won't notice until it stops working. We need to PUSH this information into their faces, with large posters carrying promises of rainbow coloured unicorns if they comply today(!). In addition to adding clear warnings in the log files for a looong time.

So I propose:

- We add the warning about removing --keysize for both v2.4 and v2.5.

- Add a warning in v2.4 and v2.5 that ciphers with block sizes < 128 bits will be *removed* in v2.6

- When removing those ciphers in v2.6, we can remove --keysize together with the ciphers, as it will no longer be valid. But --keysize needs to be a NOP for some time (with a warning it has no effect), to avoid OpenVPN stopping to run on upgrades.

- Ensure these changes are synchronised within OpenVPN 3 as well

- Start a new wiki page: "How-To: Migrate to secure and modern OpenVPN configurations" where we list all deprecated features/options and their replacement (including examples). We also need to have a description on the reasoning for deprecating and removing these options.

- And the most tricky one: Get some publicity that OpenVPN is going to deprecate and remove support for weak ciphers out to the public. Not just on crypto focused sites, but more broadly reaching "media channels". (I believe we can facilitate some of the PR work done by the company, but we do need more than that). Channels/sites I'm pondering on:

  ~ An official Press Release by the company? (Samuli and I can check)
  ~ twitter (via the @OpenVPN account)
  ~ reddit? (and similar sites)
  ~ LWN.net
  ~ arstechnica
  ~ ThreatPost
  ~ OS Distribution channels (blog posts, mailing lists, etc)
  ~ Our own wiki and web pages
  ~ others?

The first round is to clearly state that BF-CBC, CAST and RC2 are deprecated and their support will be removed in a coming release (not mentioning version, on purpose!). Users are strongly advised to upgrade to OpenVPN v2.4 on server and client side instantly, to benefit from NCP (but more less-tech worded) and to point at the "How-To" described above. And then we try to re-iterate this once again with the release of v2.5 and v2.6.

I know and understand this hurts security focused people, and probably even more those who understand crypto very well. But my personal experience is that the average users are usually less understanding than security minded people. (Yes, I've burnt my, and others', fingers within the Fedora community with the v2.4 upgrade)

--
kind regards,

David Sommerseth
OpenVPN Technologies, Inc
Re: [Openvpn-devel] [PATCH] tests: Add a simple build sanity check
On 12/08/17 12:33, Steffan Karger wrote:
[...]
>> ---
>> tests/Makefile.am | 2 +-
>> tests/t_sanity_check.sh | 118
>>
>
> t_sanity_check is less descriptive than the t_usage proposed by Ilya.
> (Sanity check could be anything, while we specifically test the usage
> output.)

Fair point. I tried to avoid t_usage, as it also checks for a segfault (which is where this all started). But when thinking of it, it does strictly test usage*() for segfault. I can switch back to t_usage.

[...]
>> +check_option_count()
>> +{
>> +num_min="$1"
>> +num_max="$2"
>> +
>> +echo -n "Checking if number of options are between $num_min and
>> $num_max ... "
>> +optcount="$(cat sanity_check_options.$$ | wc -l )"
>> +if [ $optcount -le $num_min ]; then
>> +echo "FAIL (too few, found $optcount options)"
>> +count_failure
>> +return
>> +fi
>> +if [ $optcount -gt $num_max ]; then
>> +echo "FAIL (too many, found $optcount options)"
>> +count_failure
>> +return
>> +fi
>> +echo "PASS (found $optcount options)"
>> +}
>
> This is quite fragile. For example, this breaks 'make check' for
> --disable-crypto builds. It will also fail easily after adding or
> removing some options, and we probably have more configure flags that
> will cause this check to fail. That's why I don't like it very much.

Eeek, so the threshold values are not good enough. Well, that said, I never expected this proposal to get acceptance on the first review :) This is just to have a starting point for these checks.

Based on how the current option parser is designed, it is hard to get this 100% correct. So I think we need to consider a threshold. For example, my system:

$ openvpn --help | grep -E -- '^--' | wc -l
237
$ grep -E 'if \(streq\(p\[0\], ".*"\) && ' options.c | wc -l
277

We might be able to get closer to a realistic number by sending options.c via the preprocessor with the right set of "define" arguments.

Or to rework the complete option parser to be based on a struct-like model where it is easy to write a tool which extracts the number of options and which options to expect, which can be compared against the --help output. This way we could get a close to 100% perfect match. But I don't think doing such a code refactoring should be based purely on the testing requirements in our case. The code paths involved are quite solid and re-used in almost every possible way by OpenVPN (config files, PUSH_REPLY, CCD, CCD via management/plug-ins/script hooks, etc).

Or we could get started on moving the man page over to a more parseable file format so we could extract options from the man page and compare it to --help. This way we enforce that the man page is up-to-date too. And it could make the man-page be generated according to which features OpenVPN is built with.

Another approach is to make the threshold values (min/max) be based on which configure options/defines are enabled - which directly impacts the add_option() function in options.c. So have a baseline of arguments, if ENABLE_CRYPTO - add X to the baseline, and so on.

I do think this test makes sense, as it can ensure 'make check' fails if we do something wonky with options.c. But I agree it is hard to get it right. So just pondering the alternatives and which ones make most sense.

That said, I don't buy the argument that testing options can make 'make check' fail if adding/removing options. To me that is similar to saying unit tests are bad because they will fail when you change the behaviour or API of a function which already has a unit test. So tests will need to be adopted according to the changes done on code it is expected to test. But we can ensure doing those changes in the test-case can be done in an easy and understandable way.
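Review bot: in check_option_count() the lower-bound test `if [ $optcount -le $num_min ]` rejects a count equal to $num_min while the upper test uses -gt, so the "between $num_min and $num_max" message is off by one at the low end; use -lt for the lower bound so both ends are inclusive. Two smaller points on the same hunk: `optcount="$(cat sanity_check_options.$$ | wc -l )"` can be `optcount="$(wc -l < sanity_check_options.$$)"`, and `echo -n` is not portable across /bin/sh implementations (printf '%s' is), which matters for a script that runs under whatever shell 'make check' picks up.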
--
kind regards,

David Sommerseth
OpenVPN Technologies, Inc
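A corrected form of the counting check, as an added example that is not the project's t_sanity_check.sh: inclusive bounds, and an expected range derived from a baseline plus per-feature increments as David proposes, run over a constructed stand-in for --help output (the option lines, the feature increments and the slack value are assumptions made for this example).

```shell
#!/bin/sh
# Added example (not OpenVPN project code): option-count check with
# inclusive bounds and a feature-dependent expected range.

# Constructed stand-in for "openvpn --help" output; not real OpenVPN output.
SAMPLE_HELP='OpenVPN usage (constructed sample):
--config file  : Read options from file.
--dev tunX|tapX: TUN/TAP device.
--cipher alg   : Encrypt packets with cipher algorithm alg.
--auth alg     : Authenticate packets with HMAC using digest alg.
--keysize n    : Size of cipher key in bits (optional).
Note: this line does not start with -- and must not be counted.
--verb n       : Set output verbosity.'

# Count option lines the same way the thread does: lines starting with "--".
# tr strips the padding some wc implementations print before the number.
count_options() {
    printf '%s\n' "$1" | grep -E -- '^--' | wc -l | tr -d ' '
}

# Expected range = (baseline + increments for enabled features) +/- slack.
# The increments are hypothetical; a real test would take them from
# config.h or configure output. Prints "min max".
expected_range() {
    baseline="$1"; slack="$2"; enable_crypto="$3"; enable_plugins="$4"
    expected="$baseline"
    if [ "$enable_crypto" -eq 1 ]; then
        expected=$((expected + 3))   # --cipher, --auth, --keysize in the sample
    fi
    if [ "$enable_plugins" -eq 1 ]; then
        expected=$((expected + 1))   # hypothetical --plugin option
    fi
    echo "$((expected - slack)) $((expected + slack))"
}

# Inclusive bounds check. Returns 0 on PASS, 1 if too few, 2 if too many.
# A count equal to num_min passes here (-lt rather than -le).
check_option_count() {
    optcount="$1"; num_min="$2"; num_max="$3"
    if [ "$optcount" -lt "$num_min" ]; then
        printf 'FAIL (too few, found %s options)\n' "$optcount"
        return 1
    fi
    if [ "$optcount" -gt "$num_max" ]; then
        printf 'FAIL (too many, found %s options)\n' "$optcount"
        return 2
    fi
    printf 'PASS (found %s options)\n' "$optcount"
    return 0
}

# Stand-alone run: 3 baseline options + crypto (3) = 6, slack 1 => [5, 7].
range=$(expected_range 3 1 1 0)
check_option_count "$(count_options "$SAMPLE_HELP")" "${range%% *}" "${range##* }"
```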
Re: [Openvpn-devel] [PATCH applied] use NULL instead of 0 when assigning pointers
Your patch has been applied to the following branches

commit 280150a02a117eb0cc9c34e69ebe9ec3f4ded0f4 (master)
commit a5c2cb6046e7e23554b7bd71a52079b559129e0d (release/2.4)

Author: Antonio Quartulli
Date: Fri Aug 11 17:07:44 2017 +0800

    use NULL instead of 0 when assigning pointers

    Signed-off-by: Antonio Quartulli <anto...@openvpn.net>
    Acked-by: Gert Doering <g...@greenie.muc.de>
    Message-Id: <20170811090744.31750-...@unstable.cc>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15204.html
    Signed-off-by: David Sommerseth <dav...@openvpn.net>

--
kind regards,

David Sommerseth
Re: [Openvpn-devel] [PATCH applied] remove unused functions
Your patch has been applied to the following branches

commit 4158f46f6474447520ebc7440050411eb8be8cb9 (master)
commit e096613927ee814c8e4ecb1219cfe2ece9bf26bc (release/2.4)

Author: Antonio Quartulli
Date: Fri Aug 11 17:07:43 2017 +0800

    remove unused functions

    Signed-off-by: Antonio Quartulli <anto...@openvpn.net>
    Acked-by: Steffan Karger <stef...@karger.me>
    Message-Id: <20170811090744.31750-...@unstable.cc>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15205.html
    Signed-off-by: David Sommerseth <dav...@openvpn.net>

--
kind regards,

David Sommerseth
Re: [Openvpn-devel] [PATCH applied] make function declarations C99 compliant
Your patch has been applied to the following branches

commit e2a0cad46e8f98399387c334fec912b7bb7097fc (master)
commit b5d7474822c89ff18d1005d4e90064051f160ce4 (release/2.4)

Author: Antonio Quartulli
Date: Fri Aug 11 17:07:40 2017 +0800

    make function declarations C99 compliant

    Signed-off-by: Antonio Quartulli <anto...@openvpn.net>
    Acked-by: Steffan Karger <steffan.kar...@fox-it.com>
    Message-Id: <20170811090744.31750-...@unstable.cc>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15203.html
    Signed-off-by: David Sommerseth <dav...@openvpn.net>

--
kind regards,

David Sommerseth
Re: [Openvpn-devel] [PATCH applied] OpenSSL: remove unreachable call to SSL_CTX_get0_privatekey()
Your patch has been applied to the following branches

commit 5b004f99d069fe0238aacbb0b3288872a4d7ae17 (master)
commit a0ee61b31ced8c49ed3926adaf8c42dca4702b49 (release/2.4)

Author: Antonio Quartulli
Date: Wed Aug 9 15:42:37 2017 +0800

    OpenSSL: remove unreachable call to SSL_CTX_get0_privatekey()

    Signed-off-by: Antonio Quartulli <anto...@openvpn.net>
    Acked-by: Steffan Karger <stef...@karger.me>
    Message-Id: <20170809074237.31291-...@unstable.cc>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15186.html
    Signed-off-by: David Sommerseth <dav...@openvpn.net>

--
kind regards,

David Sommerseth
Re: [Openvpn-devel] [PATCH applied] travis-ci: update pkcs11-helper to 1.22
Your patch has been applied to the following branches

commit 28dba48541f5b212c7510ab3b0776dc39044502a (master)
commit 9fffbfd094203126d2c7b8039762cd258c36631e (release/2.4)

Author: Ilya Shipitsin
Date: Wed Aug 9 13:12:19 2017 +0500

    travis-ci: update pkcs11-helper to 1.22

    Signed-off-by: Ilya Shipitsin <chipits...@gmail.com>
    Acked-by: Steffan Karger <stef...@karger.me>
    Message-Id: <20170809081219.10367-1-chipits...@gmail.com>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15187.html
    Signed-off-by: David Sommerseth <dav...@openvpn.net>

--
kind regards,

David Sommerseth
Re: [Openvpn-devel] [PATCH applied] travis-ci: update openssl to 1.0.2l, update mbedtls to 2.5.1
Your patch has been applied to the following branches

commit 4a9306255cf0e1cc056e66ed4fa0f2e687c137f6 (master)
commit 14f67c3c9091c4adf903c25eb88c0b281fa3b15f (release/2.4)

Author: Ilya Shipitsin
Date: Mon Aug 7 18:23:00 2017 +0500

    travis-ci: update openssl to 1.0.2l, update mbedtls to 2.5.1

    Acked-by: Steffan Karger <stef...@karger.me>
    Message-Id: <20170807132301.22759-2-chipits...@gmail.com>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15171.html
    Signed-off-by: David Sommerseth <dav...@openvpn.net>

--
kind regards,

David Sommerseth
Re: [Openvpn-devel] [PATCH applied] contrib: Remove keychain-mcd code
Your patch has been applied to the following branches

commit 59e7e9fce8de6ea90d13baeaede83adc0b594e22 (master)
commit b597ded895e372831bb19538e5591d5c52270a44 (release/2.4)

Author: David Sommerseth
Date: Tue Jul 25 15:03:14 2017 +0200

    contrib: Remove keychain-mcd code

    Signed-off-by: David Sommerseth <dav...@openvpn.net>
    Acked-by: Jonathan K. Bullard <jkbull...@gmail.com>
    Message-Id: <20170725130314.12919-1-dav...@openvpn.net>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15130.html
    Signed-off-by: David Sommerseth <dav...@openvpn.net>

--
kind regards,

David Sommerseth
Re: [Openvpn-devel] [PATCH applied] Print ec bit details, refuse management-external-key if key is not RSA
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Your patch has been applied to the following branches commit bb23eca847c8edac9c3979b7f35468b74db00459 (master) commit 4b8d654d1339b9adb1f7d554b1f5c16e05123f18 (release/2.4) Author: Arne Schwabe Date: Sun Jul 23 18:45:36 2017 +0200 Print ec bit details, refuse management-external-key if key is not RSA Acked-by: Steffan Karger <stef...@karger.me> Message-Id: <1500828336-30314-1-git-send-email-a...@rfc2549.org> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15124.html Signed-off-by: David Sommerseth <dav...@openvpn.net> - -- kind regards, David Sommerseth -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.22 (GNU/Linux) iQIcBAEBCgAGBQJZjg98AAoJEIbPlEyWcf3yPeoP/2wafGf4dlzWiZsRTn1aZtj8 gqsxP7JG4a58SxKJb/YrR7RVaFQWYi2dz+f8r6lvabQRd7NDkQzKcEnkkYKjwcmO x8c97IAAhtRwXGY+ChRDgxCiH4PTqWSUv0gk/gjm7K4ijn7HUvU6dZQeDNqRsVSQ D0l3Zx50I6mZCdyiORK7I63aLs0yOJZylI8/5M/pQu9IaANwhnrp0m3JbQPZKwyI IzYEP+Q4SWQq6BHDRYtzU9SPjbyDNeKqUM77mPeX7Z8BbFp9+l3AjKTjqpESyhoS NQX9DXWLjIyzq9SV8/czVsPxhKPDfu2d4QtQldY4Ji/llZqBiCighk+cXBVT8efW A11sFAoI8VTm3C+ftbdH9ndYG8l8Vm2q8lSSke7S04Zgcnn2hMdgoRjPTax+9kM1 /jIjoOP7/NhXdKWeYcHKKTTJIluWcUS/WfTcRkOMda3xg1uDjrlZbMoyr7yWEqpH sOFXRsCDZQde2jup1nRb/+A0hHQIkKBf2GywTAQJi3hH6FgKRiUoIYddRcMMiWQu 4PHBtjx4kz5LkHG2rVlatQm9HMzNk3bD202I52KLjmD9z+56dsSGN03KyvBIfXsP HJeD9HyHk7Y0M3yX0AAWSdvuv2bKTYpP88UzBwAD5Ba/wsMJVUAuad3d6r79UxW1 9xuL94xvDQrvNwiD6Muy =kFT5 -END PGP SIGNATURE- -- Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH applied] ntlm: improve code style and readability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Your patch has been applied to the following branches commit c310f1ecba905f091e3a31cb3e6cba5ae75e996b (master) commit 8eb2f571e148e178e62a8fce20a06d4692203aeb (release/2.4) Author: Antonio Quartulli Date: Mon Jul 10 12:34:41 2017 +0800 ntlm: improve code style and readability Signed-off-by: Antonio Quartulli <a...@unstable.cc> Acked-by: Steffan Karger <stef...@karger.me> Message-Id: <20170710043441.24770-...@unstable.cc> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15028.html Signed-off-by: David Sommerseth <dav...@openvpn.net> - -- kind regards, David Sommerseth -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.22 (GNU/Linux) iQIcBAEBCgAGBQJZjg9uAAoJEIbPlEyWcf3y0l0P/RIDHjeC+dH7OgAVyrbb5Rfm HKGqqEaJcg1qAfQxOpH4+CAPF/FHBRToJ9mrTYK/BpelE8LxxCpf4tEjwgfrJWYX /1ZFZqBo29r/G6yvcVdvvtUkvYzfMytj2eXuKcX0nYTTTjsJBOjvHoyr4itqDrkR s7FAUXJ5TCKpxS1++nscq2AqasB4K7lo9r1oDBIATthj5sVf7JskmOKvvYITKPa/ kAVgV+fNzCtCVr16/7vI5oqiMify9bWc379+hebezwfAv2M2OAaKQXvknA13KTgW UCABEh33PY1JNbMKFHxlALVodSLdBI3cMLzmAZ9dVF4xAZmPVxHIV7TdUvs2ag5n ySqWmTWVjqV/CbtdhSW48EJ9XYVQ2KLmubtMWURSB9BUIOEvmBlcraJb8BJdgra5 l8++gEDocMgoFDK9zM77DqZOCIqBhZhJ5k9Gh5Qtp6fmN979ImEllaIJZvYot833 yl3pyEKsDq4jko3kWvO9993Ruubnu7VSfCabUjZ5jmU6/1CB/Tos6g5mXc/aMpXc D4uT9IURuG6Wx62nK0K6yuLhstaeRPUYeCM5HCcHSroID85LUYwKAB7oL3Z2Adnh R/1F4oY4Fxzo/RBjZGPx0hTwRYktEeYG3d7sYLbfFhmCh+b3uTNQ22D1+SWSzjRf XGc21zn2a0/M+PnJxRzo =KFUG -END PGP SIGNATURE- -- Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH applied] ntlm: restyle compressed multiple function calls
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Your patch has been applied to the following branches commit c2d08916f1b7933bec81422d1f14f84e9b1ef878 (master) commit 90f2edcbb7c1e890de96a9a44c87ca58dbd60b96 (release/2.4) Author: Antonio Quartulli Date: Mon Jul 10 12:34:40 2017 +0800 ntlm: restyle compressed multiple function calls Signed-off-by: Antonio Quartulli <a...@unstable.cc> Acked-by: Steffan Karger <stef...@karger.me> Message-Id: <20170710043441.24770-...@unstable.cc> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15030.html Signed-off-by: David Sommerseth <dav...@openvpn.net> - -- kind regards, David Sommerseth -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.22 (GNU/Linux) iQIcBAEBCgAGBQJZjg9iAAoJEIbPlEyWcf3ywC8QAMAVm4psZ96qwzryKr6Zteab nwRB11RGH1WK64/X5gem7Epj3Ldmv9BE3++45FQBc78jbZBBAQwW9hPVAdEfcWd2 iVa/KjJvcqZz7obMvt5uu3J0O1UOoHzXHdkXERgToJ375Zr1uUVTZd+e7Cpa+GdR rugF3g+rp3xy+JDyPf71uBHOlg2+35YayMpQ+DVmQzJOxYZzAn2CdloQsw5dN3Ja QM1kIpGa0X2FY/zJJdUOpffXj9ypbDg+06RSVemzIxKOMeZ0PsUiDa7zUSmkd/Fv GdmgwNCKoi3WT/+imHPvNoRVkBIA6cgwlpw3KhMu2Y2lOMYnOMI4yN2pyylIgvG1 KUnKJCwKjCjtd5ZFKSM32yN+XXW27gpHrCcZPn6kIWfFCVqHlv8WCEKkObydrrYU 5Ot/plM7WDlvvTTgVonTY/vUwFS+fc7cT1ixzY3lKGhg+raoGH4PTQsNV2C5Izo6 LN2xiCfvNTZWQkWUVDjual7r00qQvMSwu/IrTywlASRg2qgQH6HiKpL6Wdg1hGdY Fx/kfyo+RId+pD0aJCDFA5nxE0I+eVhMYc/2kDXvFLlPMvf0v+yawKvQ65jgEpxm vuUXYGs0cbL29xS42ZR1zcHpQGMEAwXcDRTD5wnEvRexGZbdtHVk2v5OPGzEpnu7 rAVCUqy4W5m97mJ5L5Uf =Nna+ -END PGP SIGNATURE- -- Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH applied] ntlm: convert binary buffers to uint8_t *
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Your patch has been applied to the following branches commit e7e4070cb7b90f4836b65c53360166e11fc3f383 (master) commit 3ace1139e7aa00580300fb5bef37ac6d47378630 (release/2.4) Author: Antonio Quartulli Date: Mon Jul 10 12:34:38 2017 +0800 ntlm: convert binary buffers to uint8_t * Signed-off-by: Antonio Quartulli <a...@unstable.cc> Acked-by: Steffan Karger <stef...@karger.me> Message-Id: <20170710043441.24770-...@unstable.cc> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15032.html Signed-off-by: David Sommerseth <dav...@openvpn.net> - -- kind regards, David Sommerseth -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.22 (GNU/Linux) iQIcBAEBCgAGBQJZjg9SAAoJEIbPlEyWcf3y0HgP/i35Nvj4wDpV/akcBP0SWLvR L6AcwCM7LBEgqOeNfSO18ysoK1nzp9EpglPyyFDrWtszJQ0ow+Dtwp7VqlzPUM7W fmFe6c0YaogaRCOyv1l/RJ+0E5BoTi7wj3baC2znEkE3MEDGE6I+Yjnxpy2QirTj /arxtDSmtap2/Ygyvtt7K5iRPJZ0y2macUHCGk3b7lPXMVFjyA1akTU7tiVmgUrp JFfiLXOOtJu50jGcE8oF+D7hZ6/cq21S/nfQPUKbG/0t1li43/wGt9exp5mHnHFx LvprBmjoKaQHj9eR/iqrirSvd/Sl9okDeuaFsNfgcTi87wtbwz7wfCudd/11f25H H+uVLT9Whq+PnFpF2ZuDVi7Z1/DejLxEY/uxK2TolV1MfO9hLeSiCPoz2NxPq179 FolBa2/8IzrC+8UhDL652Cp0kYZmSyal1jfQGr5fx8uNPGivQeUo6Y+Zmh8H5jEy 2Ij0dSc9Y+m6F+3VpxMGwhx7IR3Ro9vwW6jjmYpB/HK5o+sMQJ3g8wgqKpbDAzN3 /OTN/9vC47foHTuSGDyyTGR9Hf6zToYamMFX3sIV08XLRSMe92NPljL5pI9S+SS5 xQDLaPIERZLR7CSi9uKzpL5+lcSLNK6sNp2pN29W1e+uwASoszZe6qqqZ1yiLQ6w pV/MW6TKGqH+Ta0UrBO1 =Esi3 -END PGP SIGNATURE- -- Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH] tests: Add a simple build sanity check
This runs openvpn --help to check if the output is somewhat sensible and sane. It will catch if the binary segfaults, if it is a normal build or an --enable-small build and does some simple checks when a list of options is produced. This is based on the discussions in this [1] mailing thread. [1] https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15172.html Message-Id: <20170807132301.22759-3-chipits...@gmail.com> Signed-off-by: David Sommerseth <dav...@openvpn.net> --- tests/Makefile.am | 2 +- tests/t_sanity_check.sh | 118 2 files changed, 119 insertions(+), 1 deletion(-) create mode 100755 tests/t_sanity_check.sh diff --git a/tests/Makefile.am b/tests/Makefile.am index 0795680c..7af5101e 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -14,7 +14,7 @@ MAINTAINERCLEANFILES = \ SUBDIRS = unit_tests -test_scripts = t_client.sh +test_scripts = t_sanity_check.sh t_client.sh if ENABLE_CRYPTO test_scripts += t_lpback.sh t_cltsrv.sh endif diff --git a/tests/t_sanity_check.sh b/tests/t_sanity_check.sh new file mode 100755 index ..e6c228c8 --- /dev/null +++ b/tests/t_sanity_check.sh 
@@ -0,0 +1,118 @@ +#! /bin/sh +# +# t_sanity_check.sh -- Check that openvpn --help makes somewhat sense +# +# Copyright (C) 2017 David Sommerseth <dav...@openvpn.net> +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +# 02110-1301, USA. + +set -u +top_builddir="${top_builddir:-..}" + +failed=0 +count_failure() +{ +failed=$(($failed + 1)) +} + + +check_option_count() +{ +num_min="$1" +num_max="$2" + +echo -n "Checking if number of options are between $num_min and $num_max ... " +optcount="$(cat sanity_check_options.$$ | wc -l )" +if [ $optcount -le $num_min ]; then +echo "FAIL (too few, found $optcount options)" +count_failure +return +fi +if [ $optcount -gt $num_max ]; then +echo "FAIL (too many, found $optcount options)" +count_failure +return +fi +echo "PASS (found $optcount options)" +} + + +check_options_present() +{ +for opt in $*; +do +echo -n "Checking for option --${opt} ..." +grep -E "^--${opt} " sanity_check_options.$$ 1>/dev/null 2>&1 +if [ $? -ne 0 ]; then +echo "FAIL (missing option)" +count_failure +else +echo "PASS" +fi +done +} + +echo "*** OpenVPN sanity check: openvpn --help" +echo -n "Running 'openvpn --help' ... " +"${top_builddir}/src/openvpn/openvpn" --help > sanity_check_log.$$ 2>&1 +res=$? 
+if [ $res -ne 1 ]; then +echo "FAIL (Something bad happened)" +cat sanity_check_log.$$ +count_failure +else +echo "PASS" +echo -n "Check build type ... " +linecount="$(cat sanity_check_log.$$ | wc -l)" +if [ $linecount -eq 1 ]; then +# Is this an --enable-small build? +grep "Usage message not available" sanity_check_log.$$ \ +1> /dev/null 2> /dev/null +if [ $? -ne 0 ]; then +echo "Unknown build type" +cat sanity_check_log.$$ +count_failure +else +echo "PASS (--enable-small build, no further checks)" +fi +else +echo "PASS (normal build)" + +# Extract only the options +echo -n "Extracting options ... " +grep -E -- ^-- sanity_check_log.$$ > sanity_check_options.$$ +if [ $? -ne 0 ]; then +echo "FAIL" +count_failure +else +echo "PASS" + +# Check that the number of option counts are between 220 and 245 +check_option_count 225 245 + +# Check for a selected subset of options we always expect to see +options_check="dev dev-type remote local port proto topology route ifconfig" +check_options_present $options_check +fi +fi +fi +echo "*** OpenVPN sanity check result - Failed tasks: $failed
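Review bot: the bounds in check_option_count() are inconsistent with each other and with the comment at the call site. `if [ $optcount -le $num_min ]` rejects a count equal to num_min, while `if [ $optcount -gt $num_max ]` accepts a count equal to num_max, yet the message printed says "between $num_min and $num_max"; use `-lt` for the lower bound and make the comment ("between 220 and 245") agree with the actual call (`check_option_count 225 245`). Two smaller points on the same hunk: the script is `#! /bin/sh` but uses `echo -n`, which on dash (the /bin/sh of Debian and Ubuntu) prints a literal "-n" instead of suppressing the newline, so `printf '%s' ...` is the portable choice; and sanity_check_log.$$ and sanity_check_options.$$ are written into the current directory with nothing in the hunk removing them, so use mktemp plus a `trap 'rm -f ...' EXIT`, or at least delete both files before the final summary line.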
Re: [Openvpn-devel] [PATCH 3/3] add a test to "openvpn --help"
On 09/08/17 12:28, Илья Шипицин wrote:
>
>
> 2017-08-09 14:31 GMT+05:00 David Sommerseth
> <open...@sf.lists.topphemmelig.net
> <mailto:open...@sf.lists.topphemmelig.net>>:
>
>     On 09/08/17 07:55, Илья Шипицин wrote:
>     [...]
>     >     > For example:
>     >     >
>     >     >   $ ./openvpn --help | grep -- ^-- | wc -l
>     >     >   238
>     >
>     >     But to do the spoon feeding:
>     >
>     >        optcount="$(${top_builddir}/src/openvpn/openvpn --help | grep -E --
>     >     ^-- | wc -l)"
>     >        if [ $outcount -lt 220 ];
>     >        then
>     >            exit_code=1
>     >        fi
>     >
>     >
>     > if you suggest "that's a better check", please describe your idea.
>     > it is not clear for me why your approach is better
>
>     The approach I suggest above covers:
>
>      a) The program is able to execute and usage() works
>
>      b) There are no unexpected bigger changes in usage(), the
>         number of options is within a reasonable threshold.
>         Granted, only minimum options is checked in the example above;
>         extending with an upper limit is easy and quick (for example
>         add '-o -gt 245')
>
>      c) If the program segfaults, optcount => 0 which ensures this test
>         fails.
>
>     With your check only testing if the exit code is not 1, you only have an
>     indication if the program segfaults or not. You don't know if usage()
>     provides nothing but garbage and then exits with 1. Checking that a
>     certain amount of outputted lines starting with '--' gives an indication
>     that usage() most likely has a reasonable output.
>
>     It would also be possible to build further on this check I suggest, to
>     also check for mandatory options (--dev, --dev-type, --remote, --listen,
>     --port, --proto, etc, etc). It is also possible to have a copy of the
>     expected "openvpn --help | grep -E -- ^--" output and do a diff -
>     probably filter out some less important/deprecated options). While
>     these are nice checks too, it is not as crucial as ensuring we have at
>     least a reasonable expected amount of options.
>
>
> I'm afraid that that approach introduces implicit things (while mine is
> pretty explicit).
> Value seems questionable for me.

Well, then I'm just giving this patch a NAK, to be explicit.

--
kind regards,

David Sommerseth
OpenVPN Technologies, Inc
Re: [Openvpn-devel] [PATCH 3/3] add a test to "openvpn --help"
On 09/08/17 07:55, Илья Шипицин wrote:
[...]
>     > For example:
>     >
>     >   $ ./openvpn --help | grep -- ^-- | wc -l
>     >   238
>
>     But to do the spoon feeding:
>
>        optcount="$(${top_builddir}/src/openvpn/openvpn --help | grep -E --
>     ^-- | wc -l)"
>        if [ $outcount -lt 220 ];
>        then
>            exit_code=1
>        fi
>
>
> if you suggest "that's a better check", please describe your idea.
> it is not clear for me why your approach is better

The approach I suggest above covers:

 a) The program is able to execute and usage() works

 b) There are no unexpected bigger changes in usage(), the
    number of options is within a reasonable threshold.
    Granted, only minimum options is checked in the example above;
    extending with an upper limit is easy and quick (for example
    add '-o -gt 245')

 c) If the program segfaults, optcount => 0 which ensures this test
    fails.

With your check only testing if the exit code is not 1, you only have an
indication if the program segfaults or not. You don't know if usage()
provides nothing but garbage and then exits with 1. Checking that a
certain amount of outputted lines starting with '--' gives an indication
that usage() most likely has a reasonable output.

It would also be possible to build further on this check I suggest, to
also check for mandatory options (--dev, --dev-type, --remote, --listen,
--port, --proto, etc, etc). It is also possible to have a copy of the
expected "openvpn --help | grep -E -- ^--" output and do a diff -
probably filter out some less important/deprecated options). While
these are nice checks too, it is not as crucial as ensuring we have at
least a reasonable expected amount of options.

--
kind regards,

David Sommerseth
OpenVPN Technologies, Inc
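The check David sketches in the message above (run `--help`, require the usage exit status, keep the number of `--` lines inside a window, and look for a set of mandatory options), worked through as portable POSIX sh. This is an added example, not the project's t_sanity_check.sh or t_usage.sh: the help text it is exercised against is a constructed sample embedded in the script, the 220..245 window is taken from the thread rather than measured against a build, the "Usage message not available" marker for --enable-small builds is taken from the t_sanity_check.sh patch in this thread, and the assumption that usage() exits with status 1 comes from the OPENVPN_EXIT_STATUS_USAGE definition David quotes. It also handles the two things the thread worried about: a crash gives an exit status of 128+signal and zero option lines, so it fails twice over, and the temporary file is removed on every exit path.

```shell
#!/bin/sh
# Added example (not OpenVPN's own test script): the "openvpn --help"
# sanity check from the openvpn-devel thread, as portable POSIX sh.
# Assumptions: usage() exits with status 1 (OPENVPN_EXIT_STATUS_USAGE),
# an --enable-small build prints "Usage message not available", and the
# 220..245 option window is taken from the thread, not measured here.
set -u

# Constructed stand-in for real --help output, so the checks run offline.
SAMPLE_HELP='OpenVPN (constructed sample help text, not real output)
General Options:
--config file   : Read configuration options from file.
--dev tunX|tapX : tun/tap device
--dev-type type : Which device type are we using?
--remote host   : Remote host name or ip address.
--local host    : Local host name or ip address.
--port port     : TCP/UDP port # for both local and remote.
--proto p       : Use protocol p for communicating with peer.
--topology t    : Set --dev tun topology.
--route network : Add route to routing table.
--ifconfig l rn : Configure device to use IP address l as a local endpoint'

# write_sample FILE: store the constructed help text where the checks expect it
write_sample() {
    printf '%s\n' "$SAMPLE_HELP" >"$1"
}

# count_options FILE: number of lines starting with "--" (prints 0 on no match;
# grep -c exits 1 in that case, which must not abort a set -e caller)
count_options() {
    grep -E -c -- '^--' "$1" || true
}

# in_range N MIN MAX: true when MIN <= N <= MAX, both bounds inclusive
in_range() {
    if [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]; then return 0; else return 1; fi
}

# missing_options FILE OPT...: print every OPT that has no "--OPT" line.
# The ( |$) anchor keeps "--dev" from being satisfied by "--dev-type".
missing_options() {
    f="$1"; shift
    for opt in "$@"; do
        grep -E -q -- '^--'"$opt"'( |$)' "$f" || printf '%s\n' "$opt"
    done
}

# check_help_file FILE MIN MAX OPT...: classify captured --help output.
#   0 = sane            1 = option count outside MIN..MAX
#   2 = required option missing   3 = --enable-small build, nothing more to check
check_help_file() {
    f="$1"; min="$2"; max="$3"; shift 3
    if grep -q 'Usage message not available' "$f"; then
        return 3
    fi
    n=$(count_options "$f")
    in_range "$n" "$min" "$max" || return 1
    [ -z "$(missing_options "$f" "$@")" ] || return 2
    return 0
}

# run_help BINARY FILE: capture "--help" (stdout and stderr) and require the
# usage exit status. A crash yields 128+signal, so it fails here as well.
run_help() {
    rc=0
    "$1" --help >"$2" 2>&1 || rc=$?
    [ "$rc" -eq 1 ]
}

# main BINARY: the full check against a real binary; the temporary file is
# removed whichever way the script leaves.
main() {
    tmp=$(mktemp) || exit 1
    trap 'rm -f "$tmp"' EXIT INT TERM
    if ! run_help "$1" "$tmp"; then
        echo "FAIL: '$1 --help' did not exit with the usage status"; exit 1
    fi
    required="dev dev-type remote local port proto topology route ifconfig"
    rc=0
    # shellcheck disable=SC2086  # word splitting of $required is intended
    check_help_file "$tmp" 220 245 $required || rc=$?
    case $rc in
        0) echo "PASS: normal build, $(count_options "$tmp") options" ;;
        1) echo "FAIL: $(count_options "$tmp") options, expected 220..245"; exit 1 ;;
        2) echo "FAIL: missing: $(missing_options "$tmp" $required | tr '\n' ' ')"; exit 1 ;;
        3) echo "PASS: --enable-small build, no further checks" ;;
    esac
}

# Only run against a real binary when one is given, for example:
#   sh sanity_check.sh ../src/openvpn/openvpn
if [ -n "${1:-}" ]; then main "$1"; fi
```

The return codes are deliberately distinct so a CI log says which of the three conditions failed rather than a bare FAIL; the count uses `grep -c` instead of `cat | wc -l` so there is no file left over to forget, and `mktemp` plus the `trap` replace the `name.$$` files in the current directory.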
Re: [Openvpn-devel] [PATCH 3/3] add a test to "openvpn --help"
On 07/08/17 15:23, Ilya Shipitsin wrote: > inspired by > https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13808.html > --- > tests/Makefile.am | 2 +- > tests/t_usage.sh | 29 + > 2 files changed, 30 insertions(+), 1 deletion(-) > create mode 100755 tests/t_usage.sh > > diff --git a/tests/Makefile.am b/tests/Makefile.am > index 0795680c..7306d1d1 100644 > --- a/tests/Makefile.am > +++ b/tests/Makefile.am > @@ -14,7 +14,7 @@ MAINTAINERCLEANFILES = \ > > SUBDIRS = unit_tests > > -test_scripts = t_client.sh > +test_scripts = t_client.sh t_usage.sh > if ENABLE_CRYPTO > test_scripts += t_lpback.sh t_cltsrv.sh > endif > diff --git a/tests/t_usage.sh b/tests/t_usage.sh > new file mode 100755 > index ..f4845468 > --- /dev/null > +++ b/tests/t_usage.sh 
> @@ -0,0 +1,29 @@ > +#!/bin/sh > +# > +# run "openvpn --help" > +# - check that openvpn did not crash > +# > +# prerequisites: > +# - openvpn binary in current directory > +# > +# inspired by > https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13808.html > +# > + > +top_builddir="${top_builddir:-..}" > + > +if [ ! -x "${top_builddir}/src/openvpn/openvpn" ] > +then > +echo "no (executable) openvpn binary in current build tree. FAIL." >&2 > +exit 1 > +fi > + > +exit_code=0 > + > +"${top_builddir}/src/openvpn/openvpn" --help >/dev/null > + > +if [ $? -ne 1 ] > +then > + exit_code=1 > +fi This check is odd. Where the --help option is parsed, it calls usage(), usage_small(). And those functions will always call: openvpn_exit(OPENVPN_EXIT_STATUS_USAGE); And OPENVPN_EXIT_STATUS_USAGE is defined as: error.h:#define OPENVPN_EXIT_STATUS_USAGE 1 I would rather recommend you to grep for some information you expect to be listed in --help and check if that was found instead. For example: $ ./openvpn --help | grep -- ^-- | wc -l 238 As we might vary number of options from time to time, I wouldn't check against 238. But that it should be above 220 in the foreseeable future would not be an unreasonable assumption. *BUT* the number of options might differ more in some other builds (depending on --enable-*/--disable-* arguments given to ./configure). -- kind regards, David Sommerseth OpenVPN Technologies, Inc signature.asc Description: OpenPGP digital signature -- Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
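Review bot: the header comment of t_usage.sh says the prerequisite is an "openvpn binary in current directory", but the script actually runs `"${top_builddir}/src/openvpn/openvpn"` with top_builddir defaulting to `..`; update the comment so it describes what is checked. Also, `--help >/dev/null` discards only stdout, so anything the binary writes to stderr ends up in the test output; redirect `2>&1` as well, or capture it to show as a diagnostic when the exit status is not 1.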
Re: [Openvpn-devel] [PATCH 0/2] Improve usability of non-privileged operation
On 02/08/17 20:14, Conrad Hoffmann wrote:
> Ohai!
>
> I recently undertook the project of not having my VPN client run as root
> anymore. I noticed there are a lot of questions about this on the internet, and
> I think one reason that this is more difficult than necessary is that the
> "official" client.down script doesn't work when used in conjunction with
> the down-root plugin.
>
> I noticed that both the up and the down script get a lot of information through
> environment variables, and the up script relies on that already anyways. So I
> figured doing the same in the down script would be a reasonable thing to do
> (it's also what the most commonly referred to external up/down scripts do).
>
> With this change, the down script can actually be used with the down-root
> plugin just like this:
>
>     plugin openvpn-plugin-down-root.so "/etc/openvpn/client.down"
>
> Hope this makes sense,
> Conrad

Hi Conrad,

Nice catch! And thanks for your patches!

As you're a new contributor, I just wanted to let you know your patch is
in the pipe now and will be reviewed and tested as soon as some of us
are ready to process it. And based on a 10 seconds look, this does look
correct - we just need to do a little test run first.

--
kind regards,

David Sommerseth
OpenVPN Technologies, Inc
Re: [Openvpn-devel] [PATCH] doc/openvpn.8: Correct --verify-x509-name *type* example
On 03/08/17 19:07, debbie10t wrote: > > > On 03/08/17 17:46, David Sommerseth wrote: >> On 03/08/17 18:03, debbie...@gmail.com wrote: >>> From: Richard Bonhomme <fragmen...@gmail.com> >>> >>> Signed-off-by: Richard Bonhomme <fragmen...@gmail.com> >>> --- >>> doc/openvpn.8 | 2 +- >>> 1 file changed, 1 insertion(+), 1 deletion(-) >>> >>> diff --git a/doc/openvpn.8 b/doc/openvpn.8 >>> index 20bdd91..fdd5dde 100644 >>> --- a/doc/openvpn.8 >>> +++ b/doc/openvpn.8 >>> @@ -5340,7 +5340,7 @@ subject DN "C=KG, ST=NA, L=Bishkek, >>> CN=Server-1" would be matched by: >>> and >>> .B \-\-verify\-x509\-name Server\-1 name >>> or you could use >>> -.B \-\-verify\-x509\-name Server -name-prefix >>> +.B \-\-verify\-x509\-name Server\- name\-prefix >>> if you want a client to only accept connections to "Server-1", >>> "Server-2", etc. >> >> Just wondering ... Shouldn't the "Server-1" and "Server-2" be escaped >> too? >> >> > > Yes of course but I only wanted to correct the example at this time > and, as this is my first submission, I just wanted to get that right. > I will start a project to format the man page more thoroughly in time. Ahh, right. Well, I think we can fix at least the surrounding escape issues at the same time too. I do like small commits, but we can afford a bit bigger change sets on the man page on the surrounding issues. We seldom need to bisect man page issues ;-) -- kind regards, David Sommerseth OpenVPN Technologies, Inc signature.asc Description: OpenPGP digital signature -- Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] doc/openvpn.8: Correct --verify-x509-name *type* example
On 03/08/17 18:03, debbie...@gmail.com wrote: > From: Richard Bonhomme <fragmen...@gmail.com> > > Signed-off-by: Richard Bonhomme <fragmen...@gmail.com> > --- > doc/openvpn.8 | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/doc/openvpn.8 b/doc/openvpn.8 > index 20bdd91..fdd5dde 100644 > --- a/doc/openvpn.8 > +++ b/doc/openvpn.8 > @@ -5340,7 +5340,7 @@ subject DN "C=KG, ST=NA, L=Bishkek, CN=Server-1" would > be matched by: > and > .B \-\-verify\-x509\-name Server\-1 name > or you could use > -.B \-\-verify\-x509\-name Server -name-prefix > +.B \-\-verify\-x509\-name Server\- name\-prefix > if you want a client to only accept connections to "Server-1", "Server-2", > etc. Just wondering ... Shouldn't the "Server-1" and "Server-2" be escaped too? -- kind regards, David Sommerseth OpenVPN Technologies, Inc signature.asc Description: OpenPGP digital signature -- Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] Windows installer with updated pkcs11-helper (1.22) available for testing
On 26/07/17 10:02, David Woodhouse wrote:
[...snip...]
>
> Well yes, that's true. But it's more likely that I'll finally get round
> to porting OpenVPN to something other than pkcs11-helper before that
> happens, unfortunately.

TL;DR: If you or anyone else has a chance to look into this, we will
appreciate that effort enormously! Just grab us on ML or the
#openvpn-devel IRC channel (FreeNode) and we can discuss it further.

Steffan and I discussed what is needed to be done to port p11-kit a while
ago; we're also not too happy about the pkcs11-helper dependency. If we
had only had support for one SSL library, it probably would have been
somewhat simpler. But as we strive hard to have both mbed TLS and
OpenSSL builds be fairly feature comparable (from an OpenVPN
perspective), this gets a bit more challenging.

IIRC, one of the more challenging parts here is to get p11-kit to play
nicely along with mbed TLS. We are concerned that there is some need to
also adapt mbed TLS to support p11-kit. However, I quite recently heard
some rumours that mbed TLS provides some API for offloading sign and
decrypt operations outside of the library; that needs to be investigated
further and to consider if this is a better way for the integration.

--
kind regards,

David Sommerseth
OpenVPN Technologies, Inc
Re: [Openvpn-devel] [PATCH applied] cleanup: Move write_pid() to where it is being used
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Your patch has been applied to the following branches commit c5b12817c9aa3ae97fbdd2c2a9a9ab605087dff1 (master) commit cb438b513223744949e0958d9f14870880cfc407 (release/2.4) Author: David Sommerseth Date: Tue Jul 25 16:57:18 2017 +0200 cleanup: Move write_pid() to where it is being used Signed-off-by: David Sommerseth <dav...@openvpn.net> Acked-by: Steffan Karger <steffan.kar...@fox-it.com> Message-Id: <20170725145718.13175-1-dav...@openvpn.net> URL: https://www.mail-archive.com/search?l=mid=20170725145718.13175-1-dav...@openvpn.net Signed-off-by: David Sommerseth <dav...@openvpn.net> - -- kind regards, David Sommerseth -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.22 (GNU/Linux) iQIcBAEBCgAGBQJZd2U/AAoJEIbPlEyWcf3yu/MP/jo74puMyZVUVTqtw/PlS7WA rrp5/x7hGPT634urKbqwZ60tvPCCn+uDs4lCy6XDZ5FTWgHDnpmNwaAOC8IZ5W1o HgBef2J8fiyloqGwE8C99OYAe04KdbCkQoxbKc1A6AWPXlP5wSd+vpGZtitM1HIa O4Pvj6mp0jf8+2JUj+nHebEfS8XcH9Tvv+xCivvPD4V4c3IoohYiTpO7whe88lGD oGr5fA3iK6X3xkkO5jrTTaP6qAnjKXqdB+3Ng83s1zKb01w3zquhXom46fBgiY/o QIn0MjRHiye01OLSrK0xo+ly0DGihTiAJpRc52+b83DcVSUB+nWbQr6xR/xw6xMg EK/paWg/mPvwFbUwUw74cMqThboWpJQtK6zlbCDqf7boOgEjdSCcMGMTeMxUAEYs fzBYPVAq/uxRlow02Ex/6z6QWv6YePRsFFr4AjXSCcvkHVJzCPuoKnJKmqvE115e +8Qv8kh7U/tXIzEd6nwkPwS5JqeJ9AaVom3Wx/Ithbc4dJIvW0CRCV6HNqqjeKOV jVvjDtQxYk05eRd0ASnCSA9MzrBwwfmpMVytNeVkoA4i13L+nFNHlV+1vsYfsaVP eBKULUuRHFd2dPLgS5mXpmhMadsCG/BNOZkZRFyJSqGFqSGuvBYiT2U+nKumrKtI GW46gViLXkoAWn5LEqTL =gDou -END PGP SIGNATURE- -- Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH applied] tls-crypt: avoid warnings when --disable-crypto is used
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 ACK as well. Tested with --disable-crypto and no tls-crypt.c compiler complaints any more. Your patch has been applied to the following branches commit 2dfbf62b6ace1eb39f1ae7126bc5530a541bed58 (master) commit 8295f62f84be3dbc5203b9695d99a4f74fcb7295 (release/2.4) Author: Antonio Quartulli Date: Fri Jul 7 18:22:38 2017 +0800 tls-crypt: avoid warnings when --disable-crypto is used Signed-off-by: Antonio Quartulli <anto...@openvpn.net> Acked-by: Steffan Karger <stef...@karger.me> Acked-by: David Sommerseth <dav...@openvpn.net> Message-Id: <20170707102238.8781-...@unstable.cc> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15014.html Signed-off-by: David Sommerseth <dav...@openvpn.net> - -- kind regards, David Sommerseth -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.22 (GNU/Linux) iQIcBAEBCgAGBQJZd2K5AAoJEIbPlEyWcf3ysZgP/3yh9FM0DsTOYJ0XGNZRzrHO kHZfzkqLidjdsZMHKcp7UNtV9YgV2++vUbAptGZBC6ECLoHZHblPRUK4CrFFwL4d ErvGBu4k3+3hz6SApGi62dUHBguT2gPAiF2bIHhWUy1yOQfF/3ycSZaWz/hVml1a UF2hRUCCdObERP3Ho61LlCKeV+1HAjXyTOtb7JBFZ3UJD6vKBPSYeefZyojYx3Iw Vsov9RUUAJE0+ZJJ7jINB9EYe7nCdEJ78iTG7PXfd90E98QCL7g9ThZtR0nwhqGv ONmQDBghS0TBjB98cIml4G0mKMaVtCO5LxaC+lx776H3qZYw48himu0HD01/iNrQ tieSVdBvNvPfDcL/44T19US5ra6FJLLoQELwcSzctf90QLhpo1OSOTxKKu7XRr7V HwxQy/pWDFVbgDN5EpXJLL1H+0XHXpwifhZ07MfhPuzunB7lodocH7RsbuYxhSGD TyWZbnC+yPUoRCdC5K6Rof5jW+NUbQCcgJ6Jlvee2gDsjZAnlFxxCQm7Bp2TMpBe Et+HsKbWQf2Bl3lqc7+pMpuuELvputS8aoPhrCwH7JJN3bL/VdLQbpuu5YFGhG+6 BZnUqHcnOqzKL3HEZO5LEZQO+/xVqe7HsoRVF6Eir/bzJBM6bYSGV+0Tsuea/U7d 1vtIZc6hG/p5NuH2Pj42 =0ctS -END PGP SIGNATURE- -- Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH] cleanup: Move init_random_seed() to where it is being used
The init_random_seed() function is only used by the init_static() in init.c. As this function was pretty basic and it is only being called once, it was merged into init_static() instead of keeping it as a separate function. (I agree that calling functions often makes the code more readable, but I would rather see that as a part of cleaning up the whole init_static() function - in fact when moving all "unit tests" in init_static() to cmocka, it will not be too bad in the end.) Signed-off-by: David Sommerseth <dav...@openvpn.net> --- src/openvpn/init.c | 17 +++-- src/openvpn/misc.c | 19 --- src/openvpn/misc.h | 3 --- 3 files changed, 15 insertions(+), 24 deletions(-) diff --git a/src/openvpn/init.c b/src/openvpn/init.c index bc3b81e3..860df774 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -610,6 +610,7 @@ init_port_share(struct context *c) #endif /* if PORT_SHARE */ + bool init_static(void) { @@ -619,8 +620,20 @@ init_static(void) crypto_init_dmalloc(); #endif -init_random_seed(); /* init random() function, only used as - * source for weak random numbers */ + +/* + * Initialize random number seed. random() is only used + * when "weak" random numbers are acceptable. + * SSL library routines are always used when cryptographically + * strong random numbers are required. + */ +struct timeval tv; +if (!gettimeofday(, NULL)) +{ +const unsigned int seed = (unsigned int) tv.tv_sec ^ tv.tv_usec; +srandom(seed); +} + error_reset(); /* initialize error.c */ reset_check_status(); /* initialize status check code in socket.c */ diff --git a/src/openvpn/misc.c b/src/openvpn/misc.c index 8a76bba8..aff1bb2e 100644 --- a/src/openvpn/misc.c +++ b/src/openvpn/misc.c 
@@ -405,25 +405,6 @@ openvpn_popen(const struct argv *a, const struct env_set *es) /* - * Initialize random number seed. random() is only used - * when "weak" random numbers are acceptable. - * OpenSSL routines are always used when cryptographically - * strong random numbers are required. - */ - -void -init_random_seed(void) -{ -struct timeval tv; - -if (!gettimeofday(, NULL)) -{ -const unsigned int seed = (unsigned int) tv.tv_sec ^ tv.tv_usec; -srandom(seed); -} -} - -/* * Set environmental variable (int or string). * * On Posix, we use putenv for portability, diff --git a/src/openvpn/misc.h b/src/openvpn/misc.h index 734e679c..a7aa7622 100644 --- a/src/openvpn/misc.h +++ b/src/openvpn/misc.h @@ -100,9 +100,6 @@ void set_std_files_to_null(bool stdin_only); extern int inetd_socket_descriptor; void save_inetd_socket_descriptor(void); -/* init random() function, only used as source for weak random numbers, when !ENABLE_CRYPTO */ -void init_random_seed(void); - /* set/delete environmental variable */ void setenv_str_ex(struct env_set *es, const char *name, -- 2.11.0 -- Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
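Review bot: on the init.c hunk, consider keeping the seeding as `static void init_random_seed(void)` in init.c instead of inlining it into init_static(); that is what the companion write_pid() patch does (moved as a static function into openvpn.c), it keeps init_static() readable, and the commit message itself concedes that a named function reads better. The hunk also introduces extra blank lines (another one before `bool init_static(void)` and one between `#endif` and the new comment) that are unrelated whitespace churn and should be dropped.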
[Openvpn-devel] [PATCH] cleanup: Move write_pid() to where it is being used
The write_pid() function is only used in openvpn.c, so no need to have that in the misc.[ch] mixed bag. Signed-off-by: David Sommerseth <dav...@openvpn.net> --- src/openvpn/misc.c| 21 - src/openvpn/misc.h| 2 -- src/openvpn/openvpn.c | 21 + 3 files changed, 21 insertions(+), 23 deletions(-) diff --git a/src/openvpn/misc.c b/src/openvpn/misc.c index ae96aa69..8a76bba8 100644 --- a/src/openvpn/misc.c +++ b/src/openvpn/misc.c @@ -142,27 +142,6 @@ run_up_down(const char *command, gc_free(); } -/* Write our PID to a file */ -void -write_pid(const char *filename) -{ -if (filename) -{ -unsigned int pid = 0; -FILE *fp = platform_fopen(filename, "w"); -if (!fp) -{ -msg(M_ERR, "Open error on pid file %s", filename); -} - -pid = platform_getpid(); -fprintf(fp, "%u\n", pid); -if (fclose(fp)) -{ -msg(M_ERR, "Close error on pid file %s", filename); -} -} -} /* * Set standard file descriptors to /dev/null diff --git a/src/openvpn/misc.h b/src/openvpn/misc.h index 32b64e8b..734e679c 100644 --- a/src/openvpn/misc.h +++ b/src/openvpn/misc.h @@ -68,8 +68,6 @@ void run_up_down(const char *command, const char *script_type, struct env_set *es); -void write_pid(const char *filename); - /* system flags */ #define S_SCRIPT (1<<0) #define S_FATAL (1<<1) diff --git a/src/openvpn/openvpn.c b/src/openvpn/openvpn.c index 08c09e6b..794de1a8 100644 --- a/src/openvpn/openvpn.c +++ b/src/openvpn/openvpn.c 
@@ -47,6 +47,27 @@ process_signal_p2p(struct context *c) return process_signal(c); } +/* Write our PID to a file */ +static void +write_pid(const char *filename) +{ +if (filename) +{ +unsigned int pid = 0; +FILE *fp = platform_fopen(filename, "w"); +if (!fp) +{ +msg(M_ERR, "Open error on pid file %s", filename); +} + +pid = platform_getpid(); +fprintf(fp, "%u\n", pid); +if (fclose(fp)) +{ +msg(M_ERR, "Close error on pid file %s", filename); +} +} +} /**/ -- 2.11.0 -- Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
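Review bot: in the openvpn.c hunk the moved write_pid() still falls through after `msg(M_ERR, "Open error on pid file %s", filename);` to `fprintf(fp, "%u\n", pid);` with `fp == NULL`, so correctness depends on M_ERR being a fatal log level; now that the function is static and local to openvpn.c, adding an explicit `return` (or a comment that M_ERR aborts) would make the NULL path obviously unreachable instead of implicitly so. A smaller point: `unsigned int pid = 0;` is never read before `pid = platform_getpid();`, so the two statements can be folded into one initialisation. The misc.c and misc.h hunks are straight deletions of the old definition and prototype and look complete.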
[Openvpn-devel] [PATCH] contrib: Remove keychain-mcd code
After the security audits performed by Cryptography Engineering in the spring of 2017 [1], there were several concerns about the contrib code for the macOS keychain support. After more careful review of this code base, it was considered to be in such a bad shape that it will need a massive overhaul. There were more issues than what the security audit revealed. It was attempted several times to get in touch with the contributor of this code, with no response at all [2]. There have, however, been some discussions with the Tunnelblick project [3]. There is one person there willing to go through this and improve the situation. The main Tunnelblick maintainer is also willing to include the improved code in their project instead of having this as contrib code in the upstream OpenVPN project. So this patch just removes the code which we will no longer ship as part of OpenVPN - and the Tunnelblick project will take over the responsibility for this code base on their own. And since this code base is purely macOS specific, this seems to be a far better place for this code to reside.
Signed-off-by: David Sommerseth <dav...@openvpn.net> [1] <http://community.openvpn.net/openvpn/wiki/QuarkslabAndCryptographyEngineerAudits#OVPN-04-1:PossibleNULLpointerderefenceincontribkeychain-mcdcert_data.c> [2] <https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14559.html> [3] <https://github.com/Tunnelblick/Tunnelblick/pull/369> --- contrib/keychain-mcd/Makefile | 13 - contrib/keychain-mcd/cert_data.c| 866 contrib/keychain-mcd/cert_data.h| 50 --- contrib/keychain-mcd/common_osx.c | 100 - contrib/keychain-mcd/common_osx.h | 38 -- contrib/keychain-mcd/crypto_osx.c | 79 contrib/keychain-mcd/crypto_osx.h | 44 -- contrib/keychain-mcd/keychain-mcd.8 | 161 --- contrib/keychain-mcd/main.c | 310 - 9 files changed, 1661 deletions(-) delete mode 100644 contrib/keychain-mcd/Makefile delete mode 100644 contrib/keychain-mcd/cert_data.c delete mode 100644 contrib/keychain-mcd/cert_data.h delete mode 100644 contrib/keychain-mcd/common_osx.c delete mode 100644 contrib/keychain-mcd/common_osx.h delete mode 100644 contrib/keychain-mcd/crypto_osx.c delete mode 100644 contrib/keychain-mcd/crypto_osx.h delete mode 100644 contrib/keychain-mcd/keychain-mcd.8 delete mode 100644 contrib/keychain-mcd/main.c diff --git a/contrib/keychain-mcd/Makefile b/contrib/keychain-mcd/Makefile deleted file mode 100644 index c6431df1.. --- a/contrib/keychain-mcd/Makefile +++ /dev/null @@ -1,13 +0,0 @@ -CFILES = cert_data.c common_osx.c crypto_osx.c main.c -OFILES = $(CFILES:.c=.o) ../../src/openvpn/base64.o -prog = keychain-mcd - -CC = gcc -CFLAGS = -Wall -LDFLAGS = -framework CoreFoundation -framework Security -framework CoreServices - -$(prog): $(OFILES) - $(CC) $(LDFLAGS) $(OFILES) -o $(prog) - -%.o: %.c - $(CC) $(CFLAGS) -c $< -o $@ diff --git a/contrib/keychain-mcd/cert_data.c b/contrib/keychain-mcd/cert_data.c deleted file mode 100644 index c04f68ec.. --- a/contrib/keychain-mcd/cert_data.c +++ /dev/null 
@@ -1,866 +0,0 @@ -/* - * OpenVPN -- An application to securely tunnel IP networks - * over a single UDP port, with support for SSL/TLS-based - * session authentication and key exchange, - * packet encryption, packet authentication, and - * packet compression. - * - * Copyright (C) 2010 Brian Raderman <br...@irregularexpression.org> - * Copyright (C) 2013-2015 Vasily Kulikov <seg...@openwall.com> - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. - */ - - -#include "cert_data.h" -#include -#include - -#include "common_osx.h" -#include "crypto_osx.h" -#include - -CFStringRef kCertDataSubjectName = CFSTR("subject"), -kCertDataIssuerName = CFSTR("issuer"), -kCertDataSha1Name = CFSTR("SHA1"), -kCertDataMd5Name = CFSTR("MD5"), -kCertDataSerialName = CFSTR("serial"), -kCertNameFwdSlash = CFSTR("/"), -kCertNameEquals = CFSTR("="); -CFStringRef kCertNameOrganization = CFSTR("o"), -kCertNameOrganizationa
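Review bot: the visible hunks delete contrib/keychain-mcd/Makefile and the head of cert_data.c, and the diffstat lists the man page keychain-mcd.8 among the nine removed files, yet the patch carries no user-facing note; a Changes.rst entry saying that keychain-mcd is no longer shipped and that the Tunnelblick pull request [3] is where the code continues would spare macOS users a search through git history. Reference [1] points at audit finding OVPN-04-1 (a possible NULL pointer dereference in cert_data.c); stating in the commit message that this finding is closed by removal rather than by a code fix helps anyone tracking the audit items. Also worth checking that no remaining build or dist file references the contrib/keychain-mcd directory, so that `make distcheck` is not affected by the deletion.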
Re: [Openvpn-devel] [PATCH applied] management: preserve wait_for_push field when asking for user/pass
ACK. Tested and glared at code. This matches quite well the analysis I had done before Antonio took over and completed. And it works as expected.

Your patch has been applied to the following branches

commit 3322c558fa742cb823fa919f682486973abc4f8e (master)
commit e7ae4040efc5c48e00374f8863da58eef32e0709 (release/2.4)

Author: Antonio Quartulli
Date: Fri Jul 7 22:01:08 2017 +0800

management: preserve wait_for_push field when asking for user/pass

Signed-off-by: Antonio Quartulli <a...@unstable.cc>
Acked-by: David Sommerseth <dav...@openvpn.net>
Message-Id: <20170707140108.31612-...@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15015.html
Signed-off-by: David Sommerseth <dav...@openvpn.net>

--
kind regards,

David Sommerseth
[Openvpn-devel] [PATCH] doc: The CRL processing is not a deprecated feature
The note related to the CRL processing was somehow put into the deprecated section. This is quite confusing. Since this is a fairly important change, and there have been a noticable amount of supports questions related to OpenVPN not starting due to CRL errors, I put this into the "New features" section labelled as an improvement. Otherwise I fear this would drown in the list of "User-visible Changes" later on. Signed-off-by: David Sommerseth <dav...@openvpn.net> --- Changes.rst | 13 +++-- 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/Changes.rst b/Changes.rst index 9db0a451..0b2b04dd 100644 --- a/Changes.rst +++ b/Changes.rst @@ -44,6 +44,13 @@ ECDH key exchange The TLS control channel now supports for elliptic curve diffie-hellmann key exchange (ECDH). +Improved Certificate Revocation List (CRL) processing +CRLs are now handled by the crypto library (OpenSSL or mbed TLS), instead +of inside OpenVPN itself. The crypto library implementations are more +strict than the OpenVPN implementation was. This might reject peer +certificates that would previously be accepted. If this occurs, OpenVPN +will log the crypto library's error description. + Dualstack round-robin DNS client connect Instead of only using the first address of each ``--remote`` OpenVPN will now try all addresses (IPv6 and IPv4) of a ``--remote`` entry. 
@@ -160,12 +167,6 @@ Deprecated features will then use ``--key-method 2`` by default. Note that this requires changing the option in both the client and server side configs. -- CRLs are now handled by the crypto library (OpenSSL or mbed TLS), instead of - inside OpenVPN itself. The crypto library implementations are more strict - than the OpenVPN implementation was. This might reject peer certificates - that would previously be accepted. If this occurs, OpenVPN will log the - crypto library's error description. - - ``--tls-remote`` is removed in 2.4, as indicated in the 2.3 man-pages. Similar functionality is provided via ``--verify-x509-name``, which does the same job in a better way. -- 2.11.0 -- Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
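Review bot: the paragraph added in the first hunk is the deprecated-list text moved verbatim, so it still describes only the consequence ("might reject peer certificates that would previously be accepted") and not what the crypto library checks that OpenVPN's own CRL code did not; since the commit message cites support questions about OpenVPN not starting on CRL errors, one sentence on what to do when that happens (read the crypto library's error text in the OpenVPN log and fix or regenerate the CRL accordingly) would make the "New features" entry actionable rather than a relocated warning. The second hunk's removal from "Deprecated features" is clean: the surrounding ``--key-method 2`` note and the ``--tls-remote`` entry still read correctly without the deleted item.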
Re: [Openvpn-devel] [PATCH] Set tls-cipher restriction before loading certificates
On 26/06/17 16:00, Arne Schwabe wrote:
[...snip...]
>> Currently there is an agreement of the following profiles:
>>
>> - legacy: SHA1 and newer, RSA 2048-bit+, any elliptic curve.
>> - preferred: SHA2 and newer, RSA 2048-bit+, any elliptic curve. (default in v2.5)
>> - suiteb: SHA256/SHA384, ECDSA with P-256 or P-384.
>> [...snip...]
>> The suiteb profile is just reusing the mbed TLS definition directly.
>>
>> With that said ... The legacy profile does not include MD5. So either we allow MD5 into the legacy profile; or we need legacy-md5.
>
> Yes but I think that is a separate effort. I am not sure how to probably implement that with OpenSSL. SECLEVEL is similar but does not have exactly the same consequences. You could probably emulate the profiles with some kind of tls-cipher settings. But if you do that, you still need this patch :)

I agree we need to have a mechanism for adjusting the SECLEVEL/--tls-cert-profile. The challenge is that we have users who expect a similar behaviour, regardless of whether their OpenVPN build is using OpenSSL or mbed TLS. For end users, that matters - and we can't tell them "for this OpenVPN variant, you need to use this syntax".

In addition, AFAIK the --tls-cert-profile support is already released for OpenVPN Connect. IIRC, that approach was agreed upon between James and Steffan at the last Hackathon. Unless there are really strong reasons not to continue with --tls-cert-profile, I am of the opinion we should go that path. That is to ensure sites which have already rolled out --tls-cert-profile will not start yelling at us later on.

OpenVPN 3 based clients need to behave similarly to OpenVPN 2.x when it comes to configuration options. And OpenVPN 3 is what is inside OpenVPN Connect and PrivateTunnel clients, which again have ties to OpenVPN Access Server. We need to ensure we don't add fragmentation inside the OpenVPN environment.

Of course, it won't be easy to make the users have the same experience regardless of whether OpenVPN uses mbed TLS or OpenSSL under the hood. But I do strongly believe that is the proper way to handle this. OpenVPN needs to "glue" this together so the user experience is unified.

I am also aware that we have a few mbed TLS specific features (--use-prediction-resistance) and there are some features only available in OpenSSL (f.ex. PKCS#12 support, --capath, --engine). This is unfortunate, and we should try to reduce such gaps to an absolute minimum. So I cannot give an ACK to any patches which contribute further to such a fragmentation - unless there are really strong reasons to do so.

In this particular case, both OpenSSL and mbed TLS have similar features, so in this case it should be possible to get a unified experience. So let's try to aim for that.

--
kind regards,

David Sommerseth
OpenVPN Technologies, Inc
Re: [Openvpn-devel] [PATCH] Set tls-cipher restriction before loading certificates
On 26/06/17 14:12, Arne Schwabe wrote:
> On 26.06.17 at 13:51, David Sommerseth wrote:
>> On 26/06/17 13:13, Arne Schwabe wrote:
>>> OpenSSL 1.1 does not allow MD5 signed certificates by default anymore. This can be enabled again by setting tls-cipher "DEFAULT:@SECLEVEL=0" but only if the cipher list is set before loading the certificates. This patch changes the order of loading.
>>
>> I'm not fully convinced of the argumentation for this feature - unless something has changed in OpenSSL 1.1. I believe the same can be achieved by setting an environment variable before starting OpenVPN.
>>
>> $ OPENSSL_ENABLE_MD5_VERIFY=1 /usr/sbin/openvpn
>>
>> I know several Fedora users have deployed this, even when systemd is involved. This is needed on systems with OpenSSL 1.0 as well when they connect to a server having an MD5 based certificate or signed by a CA with an MD5 based certificate.
>>
>> So unless OpenSSL 1.1 has changed this behaviour from OpenSSL 1.0, I'm not really convinced we need this.
>
> See this also as a bugfix. Since tls-cipher options affect certificate loading, it is good to set it before certificate loading. E.g. you might want to use @SECLEVEL=5 to only allow loading of SHA256 based certificates.
>
> Also I think your option is Fedora specific as I could not find anything in the source code in my OSSL copy and the message also mentions it being Fedora specific:
>
> ** WARNING ** [Fedora modification] MD5 certificate hash re-enabled via OPENSSL_ENABLE_MD5_VERIFY environment variable.

Nope, that is actually a warning I added in one of the earlier mbed TLS builds for Fedora. That patch has been removed again, as I moved back to compat-openssl10 when compat-openssl10-pkcs11-helper became available. The patch which adds that warning is a workaround so that users already having deployed MD5 support when they used OpenSSL ... so we needed to ensure users did have this feature enabled.

So instead of requiring users to define MBEDTLS_ENABLE_MD5_VERIFY, I re-used the OPENSSL_ENABLE_MD5_VERIFY variable name. And complained about it in the logs.

But I'm actually a bit fascinated you found a Fedora build with that warning. IIRC, that build was from a scratch build, testing out this issue - used by a user who got into trouble during the mbed TLS based builds in Fedora 26 (not yet released) and Fedora Rawhide. With openvpn-2.4.2-1, I switched back to OpenSSL. As of the next Fedora 26 openvpn build, I will move further forward to OpenSSL 1.1 instead of compat-openssl10. Fedora Rawhide is already on openssl-1.1.

--
kind regards,

David Sommerseth
OpenVPN Technologies, Inc
Re: [Openvpn-devel] [PATCH] Set tls-cipher restriction before loading certificates
On 26/06/17 13:13, Arne Schwabe wrote:
> OpenSSL 1.1 does not allow MD5 signed certificates by default anymore. This can be enabled again by setting tls-cipher "DEFAULT:@SECLEVEL=0" but only if the cipher list is set before loading the certificates. This patch changes the order of loading.

I'm not fully convinced of the argumentation for this feature - unless something has changed in OpenSSL 1.1. I believe the same can be achieved by setting an environment variable before starting OpenVPN.

$ OPENSSL_ENABLE_MD5_VERIFY=1 /usr/sbin/openvpn

I know several Fedora users have deployed this, even when systemd is involved. This is needed on systems with OpenSSL 1.0 as well when they connect to a server having an MD5 based certificate or signed by a CA with an MD5 based certificate.

So unless OpenSSL 1.1 has changed this behaviour from OpenSSL 1.0, I'm not really convinced we need this.

--
kind regards,

David Sommerseth
OpenVPN Technologies, Inc
Re: [Openvpn-devel] test usage() ?
On 23/06/17 11:59, Илья Шипицин wrote:
> Hello,
>
> following to https://github.com/OpenVPN/openvpn/commit/49629380a7bdba25c24c9d410b79946fe29249f0
>
> I spent some days on trying to get cmocka to test usage(), I gave up :-) now, I think, we should just add "src/openvpn/openvpn --help" to .travis.yml
>
> the question is - can we rely on exit status "1" here ?

Yes.

> $ src/openvpn/openvpn --help >/dev/null
> $ echo $?
> 1
> $
>
> why does "1" mean "ok" here ?

At the end of the usage() function, it calls openvpn_exit(OPENVPN_EXIT_STATUS_USAGE). OPENVPN_EXIT_STATUS_USAGE is defined to be 1 in error.h. And the argument given to openvpn_exit() is an integer which is used as the exit code when OpenVPN stops running.

It is not uncommon that usage() returns a non-0. But that varies from project to project. In OpenVPN context 1 usually can be interpreted as "no tunnel was started".

--
kind regards,

David Sommerseth
OpenVPN Technologies, Inc
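As an added example, not the OpenVPN project's own .travis.yml, here is a POSIX shell check for the convention discussed above: `openvpn --help` must exit with exactly OPENVPN_EXIT_STATUS_USAGE (1). The function names expect_exit_status and check_openvpn_usage are mine, the binary path is a parameter, and the test uses a constructed stand-in script since the real binary is not part of this example.

```shell
#!/bin/sh
# Added example (not from the OpenVPN repository): a CI-style check that a
# usage() run exits with exactly the status the project defines.
set -e

# OpenVPN's usage() ends in openvpn_exit(OPENVPN_EXIT_STATUS_USAGE), which
# error.h defines as 1 (as stated in the reply above).
OPENVPN_EXIT_STATUS_USAGE=1

# expect_exit_status EXPECTED CMD [ARG...]
# Run CMD and succeed only if its exit status equals EXPECTED. Under `set -e`
# a bare non-zero command aborts the whole script, which is exactly the trap
# for a check whose *expected* result is non-zero; `|| rc=$?` captures the
# status without triggering errexit.
expect_exit_status() {
    expected=$1
    shift
    rc=0
    "$@" >/dev/null 2>&1 || rc=$?
    if [ "$rc" -eq "$expected" ]; then
        return 0
    fi
    echo "expected exit status $expected from '$*', got $rc" >&2
    return 1
}

# check_openvpn_usage BIN
# The .travis.yml step proposed in the thread: run `BIN --help` and require
# the documented usage exit status, so a change that makes --help crash
# (status 128+signal) or silently succeed (status 0) fails CI instead of
# passing unnoticed.
check_openvpn_usage() {
    expect_exit_status "$OPENVPN_EXIT_STATUS_USAGE" "$1" --help
}
```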
Re: [Openvpn-devel] OpenVPN 2.4.3 released (with security fixes)
On 21/06/17 12:47, Samuli Seppänen wrote:
> The OpenVPN community project team is proud to release OpenVPN 2.4.3. It can be downloaded from here:
>
> <http://openvpn.net/index.php/open-source/downloads.html>
>
> OpenVPN v2.4.2 was analyzed closely using a fuzzer by Guido Vranken. In the process several vulnerabilities were found, some of which are remotely exploitable in certain circumstances. We recommend you to upgrade to OpenVPN 2.4.3 or 2.3.17 as soon as possible. More details are available in our official security announcement:
>
> <https://community.openvpn.net/openvpn/wiki/VulnerabilitiesFixedInOpenVPN243>
>
> In addition a number of bugs with no security impact have been fixed. The one big feature in the 2.4.3 release is support for building with OpenSSL 1.1.
>
> A summary of all included changes is available here:
>
> <https://github.com/OpenVPN/openvpn/blob/release/2.4/Changes.rst>

So just trying to hijack this discussion, which is to be found in a few more places elsewhere in this mail thread. No need to let this discussion run longer.

There are several areas where we definitely can improve the release process. Last round, where we managed to mess up the 2.3.15 release, I wrote a brand new "prepare release tarballs" script, which also handles the signing. This script _was_ used to produce the files to be pushed out for the 2.4.3/2.3.17 releases. But for reasons unknown to me, those tarballs got re-created somewhere later in the release chain. The contents of all tarballs are essentially the same, but due to the "nice" artefact that the tar format is non-deterministic on the output, even though the input is the same, that begins to prepare the stage for this chaos. Especially when what is being uploaded is partly from the initial run and then some files from a different run.

All that is history now. Now we need to look forward. Many good points have been raised.

- Do we need .tar.gz and .zip files? Where and why? The fewer source tarballs we need to handle, the less chance for errors.
- Improve Makefile.am to not generate dist-gz files when running distcheck. The distcheck run often provides a very good indicator of whether we have packaged all the needed files in the source tarball. If this doesn't pass, something is really wrong.
- Do we really need to re-create the source tarballs which the new ./dev-tools/gen-release-tarballs.sh produces? Why?
- What can be done with Cloudflare to fully ensure their caches are truly purged when we ask for it? As Jonathan noticed, their caches are tightly connected to the web browser and have a non-deterministic behaviour across browsers, even on the same computer.
- What else in the release process can be automated and put into a script? This is to ensure consistency between all releases we do.
- We need to write down a proper check-list of all the steps needed for a release, including putting a clear responsibility for each release. This list must also mention which scripts are to be run. Again, automation is key to reduce the risk of errors.
- Consider how many really need to be involved in producing a release. More chefs in a kitchen can result in great food, but it can also end up quite messy.
- At the same time, ensure we don't end up in a "single point of failure". More of us core developers need to be able to step in for others, and still be able to produce a release without errors. This can be the end result if we have proper scripts, both for automated and manual tasks.

My intention with these points is primarily "food for thought". I don't fully believe it will be easy to have a well structured debate about the complete release process in a mailing list thread. So I suggest we take a few weeks holiday, let this sink in, and then we can schedule a meeting some time in August where we discuss these issues.

And let's hope we don't need to rush yet another release before August :)

--
kind regards,

David Sommerseth
OpenVPN Technologies, Inc
Re: [Openvpn-devel] OpenVPN 2.4.3 released (with security fixes)
On 21/06/17 17:49, Gert Doering wrote:
> Hi,
>
> On Wed, Jun 21, 2017 at 05:25:32PM +0200, Simon Matter wrote:
>>> .gz is built with "make distcheck", .xz right after from the same tree with "make dist-xz".
>>>
>>> What differs?
>>
>> The check sum of both extracted tarballs, not really their content.
>
> Ah. Yeah, that's one of the drawbacks of building two independent tarballs - timestamps in the tar header (IIRC), so the end result always differs in a few bytes.
>
>> I suggest to create .xz from .gz instead of building another tarball. That way the extracted tarballs from .gz and .xz share the same checksum -> less confusion in case something goes wrong - as it did with 2.4.2 and now.
>
> David, you're listening? Should be an easy-enough change from what we have now... ("gunzip <...tar.gz | xz >...tar.xz" or however you do xz balls) :-)

Hmmm ... not a bad idea. But do we really need tar.gz at all these days? Why not just make autotools generate tar.xz by default and be done with it? Or to put it differently: Which platforms lack lzma/xz support these days?

--
kind regards,

David Sommerseth
OpenVPN Technologies, Inc
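As an added example serving both the release-process list in the previous message and the .gz/.xz exchange just above (this is not the project's gen-release-tarballs.sh, which is not shown on this page), the shell functions below build the tar stream once in a deterministic way, derive the .tar.xz from that very stream instead of running tar a second time, and compare the checksums of the decompressed streams, which is the check that would have caught the mismatch discussed in this thread. The function names are mine; the code assumes GNU tar (for --sort and --mtime), gzip, xz and sha256sum or shasum, and the fixed mtime is a constructed value.

```shell
#!/bin/sh
# Added example: deterministic release tarball plus an .xz derived from the
# same tar stream. Assumes GNU tar >= 1.28 (--sort=name), gzip, xz and
# sha256sum (or shasum). None of this is OpenVPN's own release script.
set -eu

# SHA-256 of whatever arrives on stdin, printed as a bare hex string.
sha256_stdin() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | cut -d' ' -f1
    else
        shasum -a 256 | cut -d' ' -f1
    fi
}

# SHA-256 of a file on disk (the "outer" checksum a release page would list).
file_sha256() {
    sha256_stdin < "$1"
}

# Pack SRC_DIR into OUT_GZ so that two runs give byte-identical output:
#   --sort=name      fixed member order instead of readdir() order
#   --mtime          one fixed timestamp for every member (constructed value)
#   --owner/--group  no uid/gid or user names leaking from the build host
#   gzip -n          no file name and no timestamp in the gzip header
# Without these, the tar header timestamps Gert mentions make every run differ.
make_repro_targz() {
    src_dir=$1
    out_gz=$2
    tar --sort=name \
        --mtime='2017-06-21 00:00:00 +0000' \
        --owner=0 --group=0 --numeric-owner \
        -cf - -C "$src_dir" . | gzip -n -9 > "$out_gz"
}

# Derive OUT_XZ from IN_GZ without invoking tar again, so both archives wrap
# exactly the same tar stream (Simon Matter's suggestion in the thread).
gz_to_xz() {
    in_gz=$1
    out_xz=$2
    gzip -dc "$in_gz" | xz -9 -c > "$out_xz"
}

# SHA-256 of the decompressed tar stream inside a .tar.gz or .tar.xz; this is
# what must agree between the two release files, whatever their outer sums are.
inner_sha256() {
    case "$1" in
        *.tar.gz) gzip -dc "$1" | sha256_stdin ;;
        *.tar.xz) xz -dc "$1" | sha256_stdin ;;
        *) echo "inner_sha256: unsupported suffix: $1" >&2; return 2 ;;
    esac
}

# Refuse to ship a .gz/.xz pair whose inner tar streams differ.
check_release_pair() {
    gz_sum=$(inner_sha256 "$1")
    xz_sum=$(inner_sha256 "$2")
    if [ "$gz_sum" != "$xz_sum" ]; then
        echo "inner tar streams differ: $1=$gz_sum $2=$xz_sum" >&2
        return 1
    fi
    echo "OK: $1 and $2 wrap the same tar stream ($gz_sum)"
}
```

Running make_repro_targz twice on the same tree yields two .tar.gz files with the same outer checksum, and check_release_pair passes for a .tar.xz produced by gz_to_xz but fails for one built by a separate tar invocation.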
Re: [Openvpn-devel] ***UNCHECKED*** Re: OpenVPN 2.4.3 released (with security fixes)
On 21/06/17 15:11, Jonathan K. Bullard wrote:
> And I tried using a VPN : ) to download from London, hoping to get a different CloudFlare server, but get the same (bad) .tar.gz and/or .tar.gz.asc as my original downloads.
>
> Should swupdates.openvpn.net be publicly accessible? It doesn't resolve for me using Google DNS.

Sorry, I obviously made a typo

$ host swupdate.openvpn.net
swupdate.openvpn.net has address 104.20.195.50
swupdate.openvpn.net has address 104.20.194.50

That should be public, and is "hidden" behind Cloudflare, which seems to challenge us from time to time with its caching.

--
kind regards,

David Sommerseth
OpenVPN Technologies, Inc
Re: [Openvpn-devel] ***UNCHECKED*** Re: OpenVPN 2.4.3 released (with security fixes)
On 21/06/17 14:30, David Sommerseth wrote:
> On 21/06/17 13:48, Jonathan K. Bullard wrote:
>> On Wed, Jun 21, 2017 at 6:47 AM, Samuli Seppänen <sam...@openvpn.net> wrote:
>>> The OpenVPN community project team is proud to release OpenVPN 2.4.3. It can be downloaded from here:
>>>
>>> <http://openvpn.net/index.php/open-source/downloads.html>
>>
>> Hi. Thanks for this release.
>>
>> Verifying the PGP signature on 2.3.17.tar.gz works fine (so did 2.4.2 a few weeks ago), but trying to verify the signature on 2.4.3.tar.gz fails with:
>>
>> $ gpg2 -v --verify /XXX/openvpn-2.4.3.tar.gz.asc
>>
>> gpg: armor header: Version: GnuPG v1
>> gpg: assuming signed data in '/XXX/openvpn-2.4.3.tar.gz'
>> gpg: Signature made Wed Jun 21 06:19:19 2017 EDT
>> gpg:                using RSA key D72AF3448CC2B034
>> gpg: using subkey D72AF3448CC2B034 instead of primary key 12F5F7B42F2B01E7
>> gpg: using pgp trust model
>> gpg: BAD signature from "OpenVPN - Security Mailing List <secur...@openvpn.net>" [unknown]
>> gpg: binary signature, digest algorithm SHA1, key algorithm rsa4096
>>
>> The SHA256 of openvpn-2.4.3.tar.gz is
>> 84a01aa3df0c12a3552ca3baaa39d700137b5bce4b6de683fe87fb79bfa5df0b
>>
>> The SHA256 of openvpn-2.4.3.tar.gz.asc is
>> 695afa06fcf94f9e8bd2ee63267332d14e52fe24dd58c470e42dafbea371e437
>>
>> The files were downloaded from https://openvpn.net/index.php/open-source/downloads.html at about 10:24 UTC today from the New York City area.
>>
>> For reference, here is the output from verifying 2.3.17:
>>
>> $ gpg2 -v --verify /Users/jonathanbullard/Desktop/openvpn-2.3.17.tar.gz.asc
>>
>> gpg: armor header: Version: GnuPG v1
>> gpg: assuming signed data in '/Users/jonathanbullard/Desktop/openvpn-2.3.17.tar.gz'
>> gpg: Signature made Wed Jun 21 06:18:55 2017 EDT
>> gpg:                using RSA key D72AF3448CC2B034
>> gpg: using subkey D72AF3448CC2B034 instead of primary key 12F5F7B42F2B01E7
>> gpg: using pgp trust model
>> gpg: Good signature from "OpenVPN - Security Mailing List <secur...@openvpn.net>" [unknown]
>> gpg: WARNING: This key is not certified with a trusted signature!
>> gpg:          There is no indication that the signature belongs to the owner.
>> Primary key fingerprint: F554 A368 7412 CFFE BDEF E0A3 12F5 F7B4 2F2B 01E7
>>      Subkey fingerprint: B596 06E2 D8C6 E10B 80BE 2B31 D72A F344 8CC2 B034
>> gpg: binary signature, digest algorithm SHA1, key algorithm rsa4096
>>
>> Any ideas or suggestions?
>
> I believe it is Cloudflare playing tricks on us again.
>
> Attached are the proper signature files and below a list of the SHA256 checksums:
>
> d300029416b045666f2dc957bdde407ba97894428b5ad8433df789e793ccc1d3  openvpn-2.3.17.tar.xz
> b206065f4a1720c022fde710c0449b5b25e9dda8ca2911a82bacf21b9fcb4e29  openvpn-2.3.17.tar.xz.asc
> 7aa86167a5b8923e54e8795b814ed77288c793671f59fd830d9ab76d4b480571  openvpn-2.4.3.tar.xz
> 9f5f089f4a4b3e270ddb53cb0b689f4c0bad89d7e2ee08a1d4666e7ab869f210  openvpn-2.4.3.tar.xz.asc
>
> This is based on the files I've already pushed to the Fedora builder (koji), which I downloaded soon after the swupdates.openvpn.net server was updated.

Let's try to attach the _proper_ signature file for v2.4.3. I managed to send the signature for the previous (v2.4.2) release in the previous mail.

--
kind regards,

David Sommerseth
OpenVPN Technologies, Inc