Hi,

Here's the summary of the previous IRC meeting / sprint.

---

COMMUNITY MEETING

Place: #openvpn-devel on irc.freenode.net
List-Post: openvpn-devel@lists.sourceforge.net
Date: Thursday 25th Aug 2011
Time: 18:00 UTC

Planned meeting topics for this meeting were on this page:

<https://community.openvpn.net/openvpn/wiki/Topics-2011-08-25>

Next meeting will be announced in advance, but will probably be on the same weekday and at the same time. Your local meeting time is easy to check from services such as

<http://www.timeanddate.com/worldclock>

or with

$ date -u

SUMMARY

andj, cron2, dazo, jamesyonan, mattock and novaflash participated in this meeting.

--

This meeting was mostly a sprint, where Adriaan's (andj's) PolarSSL patches were reviewed, fixed and ACKed on the fly. The sprint focused on the "SSL library separation" patchset. This is the status of these patches before and after the meeting:

<https://community.openvpn.net/openvpn/wiki/PolarSSLintegration?version=35#SSLlibraryseparation>
<https://community.openvpn.net/openvpn/wiki/PolarSSLintegration?version=45#SSLlibraryseparation>

If you have any comments regarding any of the patches (or ACKs) please chime in. If there are no complaints, the ACKed patches will be merged to the main Git repository soon.

It will probably take 3-4 IRC sprints to go through the remaining PolarSSL patches.

--

While the sprint was going on, dazo merged quite a few already ACKed patches into "master" (e.g. the tmp/winbuildfix branch). Noticed that there are still quite a few that are still lacking an ACK:

<https://community.openvpn.net/openvpn/wiki/Topics-2011-08-25#Patchqueue>

These will be covered in another meeting.

---

Full chatlog as an attachment

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock

mattock 20:58:05 james is attending, too
maybe we could begin a little ahead of time? 20:58:44
as in now 20:58:47
cron2_ 20:59:03 no way
andj 20:59:05 present
cron2_ will argue the point for at least 60 seconds! 20:59
User cron2_ is now known as cron2 20:59
andj 20:59:15 hi everyone
cron2 20:59:32 mattock: go ahead!
dazo 20:59:56 hehe
andj 21:00:07 15 seconds early, cron2
cron2 wants to demonstrate a constructive approach to things! 21:00
mattock 21:00:42 mkay
so, topics here: https://community.openvpn.net/openvpn/wiki/Topics-2011-08-25?version=2 21:00:54
vpnHelper 21:00:56 Title: Topics-2011-08-25 – OpenVPN Community (at community.openvpn.net)
User jamesyonan has entered the room 21:01
mattock 21:01:15 hi jamesyonan!
andj 21:01:19 evning
+e 21:01:22
mattock 21:01:23 we were just starting
jamesyonan 21:01:25 Hi all
cron2 21:01:30 hi james
mattock 21:01:39 jamesyonan: topics here: https://community.openvpn.net/openvpn/wiki/Topics-2011-08-25
vpnHelper 21:01:41 Title: Topics-2011-08-25 – OpenVPN Community (at community.openvpn.net)
mattock 21:02:17 dazo: you got only ~1 hours, so should we start with quick review of your patch queue?
cron2 21:02:37 I think the biggest outstanding batch is winbuildfix
mattock 21:03:14 cron2: I think that's now in order
cron2 21:03:22 has it been merged?
and tested? 21:03:25
mattock 21:03:26 emphasis on _think_
dazo: did you already merge the patches I mentioned today? 21:03:49
dazo 21:03:56 nope, not yet
I can do some tests on that now .... 21:04:02
mattock: did you paste a link somewhere? 21:04:14
mattock 21:05:09 nope, I pasted the headers to a private chat
dazo 21:05:15 duh!
mattock 21:05:16 I can email the patches to you if you want
dazo 21:05:27 no wonder I didn't catch it in the chat log here
mattock 21:06:06 andj: which SSL patches should we cover (later) today?
dazo 21:06:12 okay, I have tried these patches, and they didn't apply cleanly at all
mattock 21:06:17 hmm
whitespace? 21:06:25
dazo 21:06:33 <mattock> [PATCH 1/2] Additional Visual Studio 2008 build fixes to tun.c
<mattock> [PATCH 2/2] Fixed a typo in win32.h that prevented building with Visual ... 21:06:33
andj 21:06:58 mattock: the separation ones, starting at the topo
dazo 21:07:00 the latter one, might have been fixed somewhere else along the road, but haven't had time to check it out
andj 21:07:04 *top
mattock 21:07:16 andj: ok, I'll update the topic list to reflect that
https://community.openvpn.net/openvpn/wiki/Topics-2011-08-25 21:08:54
vpnHelper 21:08:55 Title: Topics-2011-08-25 – OpenVPN Community (at community.openvpn.net)
mattock 21:09:55 dazo: maybe the first patch fails because of svn merger
dazo 21:10:25 mattock: I don't think I've applied any of the patches in tmp/winbuildfix to master
mattock 21:10:43 oh yes, part of those are still in tmp/winbuildfix
forgot about that 21:10:45
dazo 21:10:47 yeah
dazo too 21:10
cron2 21:11:17 dazo: please do
mattock 21:11:19 can you see which apply cleanly, and I'll rebase the rest against latest "master"?
dazo 21:12:10 I'll have a look at it now, as this is pretty tricky ... a "simple" merge gave a few conflicts ... rebasing might be a nightmare as well
mattock 21:12:35 dazo: ok
do you think it'll take a while... meaning, should we start reviewing the PolarSSL patches in parallel? 21:13:10
dazo 21:14:11 yeah, do that ....
mattock 21:14:28 andj: the stage is yours
dazo 21:14:30 it won't take that long ... but as this is fresh in my head now
andj 21:14:43 ok, getting the first one out
mattock 21:14:51 and jamesyonan's, too
andj 21:15:05 https://github.com/andj/openvpn-ssl-refactoring/commit/46e7d0b6ae89634e70686bf48bfcdca07249f829
vpnHelper 21:15:06 Title: Commit 46e7d0b6ae89634e70686bf48bfcdca07249f829 to andj/openvpn-ssl-refactoring - GitHub (at github.com)
andj 21:15:08 Is simple
cron2 21:15:10 dazo: it shouldn't be that hard. the route.c one might conflict, but that should be fairly easy to solve out (or just ask )
andj 21:15:17 only adds stubs
dazo 21:15:48 cron2: yeah ... there are this patch we were missing from JJO which conflicts, it seems ... I'm rebasing winbuildfix against the new merged master first
cron2 21:16:15 ah, the #ifdef PF_INET6 stuff. That's big, and is going to conflict a lot on route.c
dazo pays attention to andj's discussion as well with half an eye 21:16
andj is catching up on diffs of diffs in the background 21:17
andj 21:17:24 but the first patch is pretty much trivial
cron2 21:17:27 andj: looks ok to me
andj 21:18:01 ok, the next one is initialisation functions: https://github.com/andj/openvpn-ssl-refactoring/commit/ad858d74599484b3f0d4ee16ffa645e098978a1d
vpnHelper 21:18:03 Title: Commit ad858d74599484b3f0d4ee16ffa645e098978a1d to andj/openvpn-ssl-refactoring - GitHub (at github.com)
andj 21:18:31 and for that patch, I made a diff between the additions and the removals: https://gist.github.com/1140049
vpnHelper 21:18:32 Title: andj's gist: 1140049 Gist (at gist.github.com)
andj 21:18:43 so you can see what actually changed codewise
note that the main change is the movement of the crypto initialisation to the crypto library init function 21:19:17
(the CRYPTO_MDEBUG stuff already got acked there) 21:19:30
cron2 21:20:44 I was about to ask about the CRYPTO_MDEBUG stuff
the rest looks good -> ack 21:20:50
andj 21:21:23 ok, since we have the luxury of multiple reviewers,
shall I move on after the first ack? 21:21:24
dazo 21:21:27 hah! one minor conflict in mtcp.c and route.c ... and 2 of mattocks patches applied cleanly
andj 21:21:27 or wait?
dazo: nice 21:21:34
mattock 21:21:43 cron2: you're very effective today
andj 21:21:54 https://github.com/andj/openvpn-ssl-refactoring/commit/d58b991030ff321dd107e81a400a1e2e1a82bfea
vpnHelper 21:21:55 Title: Commit d58b991030ff321dd107e81a400a1e2e1a82bfea to andj/openvpn-ssl-refactoring - GitHub (at github.com)
andj 21:22:01 This one applies the crypto separation stuff
to ssl.c 21:22:03
cron2 21:22:09 mattock: those have been trivial code move-a-round's, no need to understand crypto here
andj 21:22:21 ensuring that the library independent-backend is used
cron2 21:22:22 mattock: you're keeping track of the ACKs?
andj 21:22:25 instead of OepnSSL
mattock 21:22:27 cron2: naturally
andj 21:22:29 OpenSSL
nice 21:22:31
cron2 21:23:43 andj: I'm a bit confused about Al_len here
andj 21:23:56 OpenSSL passes it back in -  HMAC_Final(&ctx,A1,&A1_len); 3651
But Polar doesn't 21:24:07
Since the length of the hash is predictable 21:24:17
cron2 21:24:21 aaah
andj 21:24:24 You don't need to get it passed back
cron2 21:24:32 ok, understood
mattock 21:25:25 a small sidenote... once again, we have a Scientific Linux 6.0 buildslave/cross-compiling environment
andj 21:25:58 I've been playing with build slaves at work
for the dutch-official version of OpenVPN 21:26:08
novaflash 21:26:19 hey
mattock 21:26:19 the previous one got destroyed by mistake (was assumed dead, because pings were blocked by iptables)
novaflash 21:26:25 dutch official version? neat.
mattock 21:26:27 andj: cool!
cron2 21:26:37 mattock: you really need to stop filtering ICMP
andj 21:26:42 novaflash: in the works, a government certified version
mattock 21:26:43 cron2: yeah...
cron2 21:26:51 andj: cool
novaflash 21:26:52 andj; interested!
andj 21:27:10 novaflash: I'll explain after the meeting
novaflash 21:27:13 k
cron2 feels a bit uneasy about the current patch 21:27
andj 21:27:43 TLS PRF one?
cron2 21:27:57 the one waiting for an ACK right now
mattock 21:28:06 jamesyonan: any comments on https://github.com/andj/openvpn-ssl-refactoring/commit/d58b991030ff321dd107e81a400a1e2e1a82bfea
vpnHelper 21:28:08 Title: Commit d58b991030ff321dd107e81a400a1e2e1a82bfea to andj/openvpn-ssl-refactoring - GitHub (at github.com)
andj 21:28:11 because of all the crypto stuff?
cron2 21:28:44 it looks simple enough, but I've never worked with any SSL library, so I'm not sure what to keep an eye on
jamesyonan 21:28:50 looking at it...
andj 21:29:01 aha
cron2 21:29:36 andj: where are the hmac_ctx_* functions defined? Do you have a link for those?
andj 21:29:42 sure, just a sec
cron2 21:29:46 (so I can just look at the implementation for openssl, and compare)
andj 21:30:19 They're in here: https://github.com/andj/openvpn-ssl-refactoring/blob/master/crypto_openssl.c
vpnHelper 21:30:21 Title: crypto_openssl.c at master from andj/openvpn-ssl-refactoring - GitHub (at github.com)
andj 21:30:41 https://github.com/andj/openvpn-ssl-refactoring/blob/master/crypto_openssl.c#L747 to be exact
vpnHelper 21:30:42 Title: crypto_openssl.c at master from andj/openvpn-ssl-refactoring - GitHub (at github.com)
jamesyonan 21:31:14 the good thing about TLS PRF function is that if you break it, the connection is almost guaranteed not to negotiate
andj 21:31:41 jamesyonan: my tests also involve PolarSSL <-> OpenSSL comms
which should catch that sort of thing too 21:32:06
cron2 21:32:16 andj: looks good to me
mattock 21:32:30 jamesyonan: ACK from you too?
jamesyonan 21:32:46 yes
andj 21:32:55 ok, next one is a straightforward move
https://github.com/andj/openvpn-ssl-refactoring/commit/84a1af2ca444672ef3dcd9488c49e16b22f7646e 21:32:55
vpnHelper 21:32:57 Title: Commit 84a1af2ca444672ef3dcd9488c49e16b22f7646e to andj/openvpn-ssl-refactoring - GitHub (at github.com)
andj 21:33:00 https://gist.github.com/1171317
vpnHelper 21:33:02 Title: andj's gist: 1171317 Gist (at gist.github.com)
andj 21:33:04 shows no changes
dazo is back 21:33
cron2 21:33:44 ack, then
jamesyonan 21:33:57 looks good
andj 21:34:28 https://github.com/andj/openvpn-ssl-refactoring/commit/4f5b4ca58d2a16d1d0a88701b260da5a24f1bb99
vpnHelper 21:34:30 Title: Commit 4f5b4ca58d2a16d1d0a88701b260da5a24f1bb99 to andj/openvpn-ssl-refactoring - GitHub (at github.com)
RSS Update - testtrac: Fixed a typo in win32.h that prevented building with Visual Studio <http://openvpn.git.sourceforge.net/git/gitweb.cgi?p=openvpn/openvpn-testing.git;a=commitdiff;h=b9a13c7a0446fdd46ef834ad0de30a25cba89e74> || Additional Visual Studio 2008 build fixes to tun.c <http://openvpn.git.sourceforge.net/git/gitweb.cgi?p=openvpn/openvpn-testing.git;a=commitdiff;h=c5534a7dde9d209cb68cbf4340f87e08b450862a> || USE_PF_INET6 by def 21:34:39
andj 21:34:43 another move: https://gist.github.com/1171319
vpnHelper 21:34:44 Title: andj's gist: 1171319 Gist (at gist.github.com)
andj 21:34:51 shows the 0 difference
cron2 21:35:06 ack
andj 21:35:38 https://github.com/andj/openvpn-ssl-refactoring/commit/7b0aaa1b779aca13c3d4f4ad36d32cf800cfec06 needs a slightly closer eye as some stuff got split
vpnHelper 21:35:40 Title: Commit 7b0aaa1b779aca13c3d4f4ad36d32cf800cfec06 to andj/openvpn-ssl-refactoring - GitHub (at github.com)
andj 21:35:42 into multiple files
s/files/functions/ 21:35:50
cron2 21:39:54 as far as I can see, it's ok, but I'd want someone with more crypto to second-check
jamesyonan 21:41:11 yeah, it looks pretty straightforward to me
andj 21:41:47 cool: straightforward: https://github.com/andj/openvpn-ssl-refactoring/commit/47031a84fc2d27e03439ff29baa8f66b6f2794bf
mattock 21:41:48 I take that as an ACK...
vpnHelper 21:41:48 Title: Commit 47031a84fc2d27e03439ff29baa8f66b6f2794bf to andj/openvpn-ssl-refactoring - GitHub (at github.com)
andj 21:43:07 That one moves stuff together, ensuring that it can be extracted into a function later
cron2 21:43:18 ack
jamesyonan 21:43:22 looks good
andj 21:43:54 DH params: https://github.com/andj/openvpn-ssl-refactoring/commit/ab64efc6d3d85b901c0b65794a07ecaba046f376
vpnHelper 21:43:55 Title: Commit ab64efc6d3d85b901c0b65794a07ecaba046f376 to andj/openvpn-ssl-refactoring - GitHub (at github.com)
andj 21:44:11 and a diff of diffs to make it less scary:
https://gist.github.com/1171329 21:44:12
vpnHelper 21:44:14 Title: andj's gist: 1171329 Gist (at gist.github.com)
cron2 21:45:38 looks good (the gist thing helps )
andj 21:45:55 cron2: yeah, I was surprised at its effectiveness
cron2 21:45:56 andj: what do you use for automated testing?
andj 21:46:06 I have a jenkins setup running
and some custom tools from my employer 21:46:23
cron2 21:46:54 do you do "just unit tests" or "full client<->server connection plus data transfer" tests?
andj 21:47:31 I'm mostly testing crypto, but I do need a simple client-server connection for that
As unit testing this core is still tricky 21:48:06
cron2 21:48:15 indeed
andj 21:48:21 mostly due to error.h having a lot of dependencies
cron2 21:50:43 ok, back to the patches...
andj 21:51:55 ok, the DH one is again reasonably straightforward
or did you already ack that one? 21:52:02
https://github.com/andj/openvpn-ssl-refactoring/commit/9bb4886227f17d9a5f770294d7953555e7554b13 21:52:24
vpnHelper 21:52:25 Title: Commit 9bb4886227f17d9a5f770294d7953555e7554b13 to andj/openvpn-ssl-refactoring - GitHub (at github.com)
andj 21:52:34 and a gist at https://gist.github.com/1171335
mattock 21:52:34 andj: it's marked as acked
vpnHelper 21:52:35 Title: andj's gist: 1171335 Gist (at gist.github.com)
cron2 21:53:05 ack
andj 21:54:02 https://github.com/andj/openvpn-ssl-refactoring/commit/b598dc77bb01e900926fe1c897fab3fca87c1499
vpnHelper 21:54:03 Title: Commit b598dc77bb01e900926fe1c897fab3fca87c1499 to andj/openvpn-ssl-refactoring - GitHub (at github.com)
andj 21:54:04 PKCS12
https://gist.github.com/1171346 21:54:14
vpnHelper 21:54:15 Title: andj's gist: 1171346 Gist (at gist.github.com)
andj 21:54:36 mostly options-> disappearing
cron2 21:58:31 I have no idea what that code does, but the move looks harmless
mattock 21:58:55 jamesyonan: what do you think?
andj 21:59:05 The code loads a PKCS#12 key, which is a combined CA + certificate + private key
jamesyonan 22:00:58 looks okay to me
andj 22:01:20 PKCS#11: https://github.com/andj/openvpn-ssl-refactoring/commit/2751963b9860a1a1fc82dec4851b11ddafac031e
vpnHelper 22:01:21 Title: Commit 2751963b9860a1a1fc82dec4851b11ddafac031e to andj/openvpn-ssl-refactoring - GitHub (at github.com)
andj 22:01:30 and a gist
https://gist.github.com/1171494 22:01:31
vpnHelper 22:01:32 Title: andj's gist: 1171494 Gist (at gist.github.com)
andj 22:02:08 although the gist isn't that useful here
most of the code here is "load this using the OpenSSL API" 22:03:06
cron2 22:03:38 there is somewhat of a structural change with the "else" branch moving around
andj 22:03:55 not in the original commit
it's a diff artifact 22:03:59
cron2 22:04:05 oh?
andj 22:04:09 oh
wait no 22:04:17
cron2 22:04:38 ah, I see
the old code was 22:04:40
else 22:04:41
{ 22:04:42
if(...) ... 22:04:45
} 22:04:46
while the new one is 22:04:49
else if (...) ... 22:04:53
andj 22:05:06 yeah, just cleaned it up a little to show that it was a longer set of subclauses
if ( A ) load A 22:05:17
cron2 22:05:21 ok
andj 22:05:23 else if (B) load B
etc 22:05:23
cron2 22:05:43 I needed to construct more of the "final view" in my head to see how things changed
andj 22:05:48 windows cert: https://github.com/andj/openvpn-ssl-refactoring/commit/6cd93220509346eb2701188cbb8ca6e77451b494
vpnHelper 22:05:50 Title: Commit 6cd93220509346eb2701188cbb8ca6e77451b494 to andj/openvpn-ssl-refactoring - GitHub (at github.com)
andj 22:06:13 no gist because it's sort of irrelevant for a single line
cron2 22:06:15 I didn't say "ACK" yet - but ACK to the previous one, then
andj 22:06:28 sorry, misunderstood the ok
take all the time you need, verification is important 22:06:43
cron2 22:07:06 ack
(and I think I'm done for today, no more brains left) 22:07:15
andj 22:07:18 https://github.com/andj/openvpn-ssl-refactoring/commit/df9b63c5c0b3333d7171e76dd3dab87b9274cbf8
vpnHelper 22:07:19 Title: Commit df9b63c5c0b3333d7171e76dd3dab87b9274cbf8 to andj/openvpn-ssl-refactoring - GitHub (at github.com)
cron2 22:07:27 tireless, merciless...
andj 22:07:39 I was already typing, sorry
We can call it a day, unless someone else wants to take over 22:08:00
cron2 22:08:02 that one is too much for me for today
*yawn* (sorry) 22:08:05
andj 22:08:23 besides, we need to get back to dazo
cron2: no problem, happy enough we got half way 22:08:35
cron2 shakes dazo "heh, time to wake up"! 22:08
dazo 22:08:58 hehe ... as the speed was optimal, I just kept quiet
andj 22:09:04 otherwise I can give a status update on the dutch openvpn thing I spoke about a few weeks ago
mattock 22:09:08 dazo: how did winbuildfix merge go?
cron2 22:09:08 so how's your merge going?
andj 22:09:15 ok, moving that to the end of the meeting
cron2 22:09:16 mattock: *5*
dazo 22:09:16 mattock: I've pushed out a new master
novaflash 22:09:20 andj; ping
mattock 22:09:36 updated the topic page, see the ~10 patches on top... https://community.openvpn.net/openvpn/wiki/Topics-2011-08-25
vpnHelper 22:09:38 Title: Topics-2011-08-25 – OpenVPN Community (at community.openvpn.net)
mattock 22:09:42 however, I don't think we can cover them today
next meeting perhaps 22:09:47
dazo 22:10:02 re: winbuild stuff ... I *think* we've merged in everything needed, including the last outstanding patches into master branches now
so if someone can try some windows builds now, that'd be great! 22:10:16
cron2 points at mattock 22:10
cron2 22:10:37 that was the primary goal, make the python build succeed on master
dazo 22:10:48 yupp!
cron2 22:10:54 if that's done for good now, we can revisit mingw and fix what broke in the process
cron2 has a mingw VM and should be able to find time next week to try building there 22:11
dazo 22:11:19 cool!
andj has a half-finished CMakeLists.txt 22:11
cron2 22:11:36 *shiver*
dazo 22:11:52 anyhow, I need to split now ... but will follow up stuff tomorrow again
cron2 has a strong dislike for any sort of automated build tool thing (mostly they just add new build dependencies because you need to get that damn tool up and running in the first place) 22:12
cron2 22:12:18 dazo: g'night
cron2 needs to split off as well -> spend time with $wife 22:12
andj 22:12:28 cron2: was just playing with it
mattock 22:12:31 dazo: bye!
andj 22:12:46 me too in a minute, if the meeting is over, I'll give an update on the openvpn-nl thing
mattock 22:12:48 cron2: could you check the last few ACKs on topic page
to make sure I interpreted your ACKs correctly 22:13:06
sorry, PolarSSL page 22:13:13
https://community.openvpn.net/openvpn/wiki/PolarSSLintegration 22:13:18
vpnHelper 22:13:19 Title: PolarSSLintegration – OpenVPN Community (at community.openvpn.net)
cron2 22:13:26 mattock: ack
mattock 22:13:31 cron2: ok
jamesyonan, andj: still energy for a few more polarssl patches, or continue in another meeting? 22:13:53
andj 22:14:09 I'm always rearing to go
mattock 22:14:13 there are quite a few to cover still: https://community.openvpn.net/openvpn/wiki/PolarSSLintegration?version=45#SSLlibraryseparation
vpnHelper 22:14:14 Title: PolarSSLintegration – OpenVPN Community (at community.openvpn.net)
jamesyonan 22:14:47 I would rather do later if possible
mattock 22:14:55 ok
andj 22:14:59 ok, let's continue next week then
novaflash: the polarssl integration patches started with a request from the dutch national communications security agency (NLNCSA) for help with a certified version of OpenVPN 22:15:33
mattock 22:15:46 good progress today!
andj 22:15:50 indeed
mattock 22:16:04 it'll take 3-4 meetings to get the rest ACKed
novaflash 22:16:19 andj; cool. that probably means there will be a translation to dutch then.
andj 22:16:25 no, not necessarily
it mostly had to do with the crypto, and security 22:16:39
novaflash 22:16:58 and polarssl is... better? than openssl?
andj 22:17:01 the version will probably be released without the gui
simpler, therefore easier to evaluate 22:17:09
novaflash 22:17:09 ah i see
mattock 22:17:59 ok, I got to go now... will write the summary tomorrow morning
andj 22:18:02 anyway for it to be government-approved, it needs to be compiled by a trusted party
mattock cya! 22:18:07
mattock 22:18:14 good night all!
novaflash 22:18:18 bye mattock