Re: [Openvpn-devel] [PATCH 3/3] travis-ci: update osx to xcode9.4 and modernize brew management
Hi,

On 11-03-19 14:36, chipits...@gmail.com wrote:
> From: Ilya Shipitsin > > osx image used for builds, i.e. xcode7.3 is outdated, we > can switch to "default" xcode9.4 and use the faster brew > travis-ci plugin > > Signed-off-by: Ilya Shipitsin > --- > .travis.yml | 8 ++-- > 1 file changed, 2 insertions(+), 6 deletions(-) > > diff --git a/.travis.yml b/.travis.yml > index bf46b14c..e61a8d38 100644 > --- a/.travis.yml > +++ b/.travis.yml > @@ -50,11 +50,9 @@ matrix: >compiler: clang > - env: SSLLIB="openssl" >os: osx > - osx_image: xcode7.3 >compiler: clang > - env: SSLLIB="mbedtls" >os: osx > - osx_image: xcode7.3 >compiler: clang > - env: SSLLIB="openssl" CHOST=x86_64-w64-mingw32 OPENSSL_VERSION="1.0.1u" >os: linux > @@ -76,6 +74,8 @@ addons: >apt: > update: true > packages: [ liblzo2-dev, libpam0g-dev, liblz4-dev, linux-libc-dev, > man2html, mingw-w64] > + homebrew: > +packages: [ lzo ] > > cache: >directories: > @@ -83,10 +83,6 @@ cache: >- ${HOME}/opt >- ${HOME}/Library/Caches/Homebrew > > -before_install: > - - if [ "${TRAVIS_OS_NAME}" = "osx" ]; then brew update ; fi > - - if [ "${TRAVIS_OS_NAME}" = "osx" ]; then brew install lzo; fi > - > install: >- if [ ! -z "${CHOST}" ]; then unset CC; fi >- .travis/build-deps.sh > build-deps.log 2>&1 || (cat build-deps.log && > exit 1)
>

Nice. Thanks for the updates.

Acked-by: Steffan Karger

-Steffan

___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
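Review bot: removing both `osx_image: xcode7.3` lines without putting a replacement pin in their place leaves the macOS jobs on whatever Travis designates the default image at the time, so the toolchain can move under the build without any change to this file. Since the commit message names xcode9.4, add `osx_image: xcode9.4` back to both osx entries (or one top-level `osx_image:` key) so the image is recorded and the next upgrade is an explicit commit as well. The `${HOME}/Library/Caches/Homebrew` cache entry retained in the third hunk still makes sense together with the new `homebrew:` addon, so nothing to change there.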
Re: [Openvpn-devel] [PATCH 2/3] travis-ci: change trusty image to xenial
Hi,

On 11-03-19 14:36, chipits...@gmail.com wrote:
> From: Ilya Shipitsin > > Ubuntu Trusty reaches End of Life on April 30, 2019 > Let us switch to xenial. Also, it simplifies mingw builds. > We do not need to add xenial mingw manually anymore > > Signed-off-by: Ilya Shipitsin > --- > .travis.yml | 9 ++--- > .travis/build-deps.sh | 9 - > 2 files changed, 2 insertions(+), 16 deletions(-) > > diff --git a/.travis.yml b/.travis.yml > index 428131ec..bf46b14c 100644 > --- a/.travis.yml > +++ b/.travis.yml > @@ -1,5 +1,5 @@ > sudo: required > -dist: trusty > +dist: xenial > > os: linux > > @@ -75,12 +75,7 @@ matrix: > addons: >apt: > update: true > -packages: > - - liblzo2-dev > - - libpam0g-dev > - - liblz4-dev > - - linux-libc-dev > - - man2html > +packages: [ liblzo2-dev, libpam0g-dev, liblz4-dev, linux-libc-dev, > man2html, mingw-w64] > > cache: >directories: > diff --git a/.travis/build-deps.sh b/.travis/build-deps.sh > index 96a030cc..391b35ef 100755 > --- a/.travis/build-deps.sh > +++ b/.travis/build-deps.sh > @@ -130,15 +130,6 @@ build_openssl () { > fi > } > > -if [ ! -z ${CHOST+x} ]; then > - # > - # openvpn requires at least mingw-gcc-4.9, which is available at > xenial repo > - # > - sudo apt-add-repository "deb http://archive.ubuntu.com/ubuntu xenial > main universe" > - sudo apt-get update > - sudo apt-get -y install dpkg mingw-w64 > -fi > - > # Download and build crypto lib > if [ "${SSLLIB}" = "openssl" ]; then > download_openssl
>

Makes sense. (Too bad travis is so slow to roll out newer Ubuntu versions.)

Acked-by: Steffan Karger

-Steffan
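Review bot: the block removed from .travis/build-deps.sh carried the only written statement of the toolchain floor, `openvpn requires at least mingw-gcc-4.9`; with `mingw-w64` now just another entry in the apt `packages:` list, that requirement becomes implicit in whatever xenial happens to ship. Carry the comment over next to the packages line in .travis.yml so a later image bump does not silently drop below it. Deleting the `apt-add-repository` line is an improvement on its own: it pulled xenial packages into a trusty image, and mixing two releases on one box is a reliable source of unrelated build breakage.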
Re: [Openvpn-devel] [PATCH 1/3] travis-ci: add "linux-ppc64le" to build matrix
Hi,

On 11-03-19 14:36, chipits...@gmail.com wrote:
> From: Ilya Shipitsin > > Signed-off-by: Ilya Shipitsin > --- > .travis.yml | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/.travis.yml b/.travis.yml > index ede2aaa6..428131ec 100644 > --- a/.travis.yml > +++ b/.travis.yml > @@ -33,6 +33,9 @@ matrix: > - env: SSLLIB="openssl" OPENSSL_VERSION="1.1.0h" >os: linux >compiler: gcc > +- env: SSLLIB="openssl" OPENSSL_VERSION="1.1.0h" LABEL="linux-ppc64le" > + os: linux-ppc64le > + compiler: gcc > - env: SSLLIB="openssl" CFLAGS="-fsanitize=address" >os: linux >compiler: clang
>

Looks good to me and passes tests on travis.

Acked-by: Steffan Karger

-Steffan
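Review bot: `LABEL="linux-ppc64le"` is added to the env line but nothing in this diff consumes it; if it is only there to make the job distinguishable in the Travis UI, say so in a comment, otherwise drop it so the env block carries only variables the build scripts read. The new entry copies `OPENSSL_VERSION="1.1.0h"` from the gcc job directly above it, so the two jobs differ only in `os:`, which is the right way to add an architecture: a failure on ppc64le is then a platform difference and not a configuration one.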
Re: [Openvpn-devel] Summary of the community meeting (Wed, 12th Mar 2019)
Hi Jan Just,

On 13-03-19 13:13, Jan Just Keijser wrote:
> On 13/03/19 13:00, Samuli Seppänen wrote:
>> Here's the summary of the IRC meeting.
>>
>> Talked about releasing OpenVPN 2.x Windows installers with OpenSSL 1.1.1. Agreed that this makes sense as people (on forums for example) already take 2.4.x and replace the OpenSSL libraries forcibly. Mattock tested openvpn-build with OpenSSL 1.1.1b and there were no issues - an NSI installer was produced. The next Windows installer release will thus have the latest OpenSSL 1.1.1 version. If serious issues are found we can always have separate installer releases for OpenSSL 1.1.0 and 1.1.1 versions.
>>
> as always, thanks for the summary and chatlog; I really wanted to attend this morning but got stuck in a work meeting. There was something related to OpenSSL 1.1.1 support that I wanted to bring up:
>
> OpenSSL 1.1.1 does TLS v1.3; does OpenVPN support TLS v1.3 (for the control channel) already? If so, then it might be a good chance to change the internal key derivation stuff in OpenVPN:
>
> TLS < 1.2 --> use the sha1+md5 routines (which is basically what TLS itself does for TLS < 1.1)
> TLS >= 1.3 --> use the "export_keying_material" routines in OpenSSL, which will create (sha2) keys for you, based on the connection parameters.
>
> That way, we can slowly migrate users away from the sha1+md5 stuff, which will help with fips compliance as well.
>
> Thoughts, anyone?

That would have been nice, except that older OpenVPN versions compiled against newer OpenSSL sort-of can do TLS 1.3 already. So we can't really couple the openvpn key derivation / PRF to the TLS version (without breaking existing setups).

I've considered moving to using the key material exporter functionality too, and it would be cleaner for us to use. As far as I know though, mbed TLS doesn't support that extension. And that's tricky to work around, because the extension needs access to TLS-internal key material.

In the end I think we might be better off by simply upgrading our internal hash. We discussed this two hackathons ago, but it didn't make it onto the 2.5 list. Mostly because for our usage, md5+sha1 is fine (all we need is preimage resistance, not collision resistance). But as we already agreed back then, even if it was for appearances only, we should migrate away from it.

-Steffan
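The "sha1+md5 routines" Jan Just and Steffan refer to are the TLS 1.0/1.1 PRF of RFC 2246 section 5: P_MD5 over one half of the secret XORed with P_SHA-1 over the other half. The following is an added example and not OpenVPN's code; it implements that PRF next to a single-hash P_SHA256 PRF of the TLS 1.2 (RFC 5246) shape, which is what "upgrading our internal hash" would look like in outline. The label string, the pre-master secret and the client/server randoms are constructed for the example and are not OpenVPN's own values.

```go
// Added example, not OpenVPN project code: the RFC 2246 (TLS 1.0/1.1) PRF,
// i.e. the md5+sha1 construction discussed in the thread, beside a
// single-hash P_SHA256 PRF of the RFC 5246 (TLS 1.2) shape.
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/md5"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"hash"
)

// hmacOnce computes a single HMAC; exposed so the chaining in pHash can be
// cross-checked from outside.
func hmacOnce(newHash func() hash.Hash, key, data []byte) []byte {
	mac := hmac.New(newHash, key)
	mac.Write(data)
	return mac.Sum(nil)
}

// pHash is P_hash from RFC 2246 section 5:
//
//	A(0) = seed, A(i) = HMAC(secret, A(i-1))
//	P_hash = HMAC(secret, A(1)+seed) + HMAC(secret, A(2)+seed) + ...
//
// truncated to n bytes.
func pHash(newHash func() hash.Hash, secret, seed []byte, n int) []byte {
	out := make([]byte, 0, n)
	a := hmacOnce(newHash, secret, seed) // A(1)
	for len(out) < n {
		out = append(out, hmacOnce(newHash, secret, append(append([]byte{}, a...), seed...))...)
		a = hmacOnce(newHash, secret, a) // A(i+1)
	}
	return out[:n]
}

// splitSecret returns S1 and S2 as RFC 2246 defines them: both are
// ceil(len/2) bytes long, S1 taken from the front and S2 from the back, so
// the middle byte of an odd-length secret belongs to both halves.
func splitSecret(secret []byte) (s1, s2 []byte) {
	half := (len(secret) + 1) / 2
	return secret[:half], secret[len(secret)-half:]
}

// prfTLS10 is PRF(secret, label, seed) = P_MD5(S1, label+seed) XOR
// P_SHA1(S2, label+seed). Only HMAC-MD5 and HMAC-SHA1 are involved, which
// is why the thread treats replacing it as a matter of appearances and FIPS
// rather than of a known weakness in this use.
func prfTLS10(secret, label, seed []byte, n int) []byte {
	s1, s2 := splitSecret(secret)
	ls := append(append([]byte{}, label...), seed...)
	m := pHash(md5.New, s1, ls, n)
	s := pHash(sha1.New, s2, ls, n)
	out := make([]byte, n)
	for i := range out {
		out[i] = m[i] ^ s[i]
	}
	return out
}

// prfSHA256 is a TLS 1.2 style PRF (RFC 5246): P_SHA256 over the whole
// secret. It is the "upgrade the internal hash" shape; the page does not say
// OpenVPN adopted this particular construction.
func prfSHA256(secret, label, seed []byte, n int) []byte {
	ls := append(append([]byte{}, label...), seed...)
	return pHash(sha256.New, secret, ls, n)
}

// deriveMaster shows the PRF in the role the thread discusses: turning a
// pre-master secret plus both sides' randoms into a 48-byte master secret.
// The label is an assumption for this example, not OpenVPN's own string.
func deriveMaster(prf func(secret, label, seed []byte, n int) []byte, preMaster, clientRandom, serverRandom []byte) []byte {
	seed := append(append([]byte{}, clientRandom...), serverRandom...)
	return prf(preMaster, []byte("example master secret"), seed, 48)
}

func main() {
	// Constructed inputs, not real key material.
	preMaster := []byte("constructed-pre-master-secret-00")
	clientRandom := bytes.Repeat([]byte{0x11}, 32)
	serverRandom := bytes.Repeat([]byte{0x22}, 32)
	fmt.Println("TLS1.0 PRF :", hex.EncodeToString(deriveMaster(prfTLS10, preMaster, clientRandom, serverRandom)))
	fmt.Println("SHA256 PRF :", hex.EncodeToString(deriveMaster(prfSHA256, preMaster, clientRandom, serverRandom)))
}
```

Swapping `prfTLS10` for `prfSHA256` in `deriveMaster` is the whole of the "upgrade the hash" change from the derivation's point of view; the hard part Steffan describes is elsewhere, in negotiating which PRF a peer uses without tying that decision to the TLS version.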
Re: [Openvpn-devel] [Openvpn-users] Why is the authentication tag transmitted before the encrypted data?
Hi Pieter,

[ Adding in -devel, because this really is more of a devel topic. ]

On 15-03-19 15:29, Pieter Hulshoff wrote:
> I was wondering why the authentication tag is transmitted before the encrypted data instead of after it (like in e.g. MACsec).

As far as I understand, mostly because the V1 data channel protocol put the HMAC before the ciphertext. James might remember why the original data channel protocol put the tag in front. The current GCM wire spec was proposed by James in <54648eac.70...@openvpn.net> (https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg09516.html).

I had a short (off-list) discussion with James in 2015 where I proposed moving the tag to the end of the data frame, to facilitate hardware implementations. But because (software) implementation of the proposed protocol had already progressed, we ended up not adopting that proposal.

-Steffan
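To make the trade-off Steffan describes concrete, here is an added example (not OpenVPN's code) that seals one AEAD data frame in both orders: tag ahead of the ciphertext, as the thread says the GCM wire format does, and tag trailing it, as proposed for hardware. The frame layout is an assumption made for the example, a 4-byte packet id followed by tag and ciphertext in one order or the other, with the packet id doubling as the explicit nonce part and as associated data; the key and the implicit IV are constructed values.

```go
// Added example, not OpenVPN project code: an AES-GCM data frame built with
// the tag before the ciphertext and with the tag after it. Frame layout
// (packet id | tag | ciphertext, or packet id | ciphertext | tag) is an
// assumption for this example, not the project's documented wire format.
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	pktIDLen = 4
	tagLen   = 16 // AES-GCM tag length, equal to cipher.AEAD.Overhead()
)

type layout int

const (
	tagFirst layout = iota // packet-id | tag | ciphertext
	tagLast                // packet-id | ciphertext | tag
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealFrame encrypts one packet. The 12-byte nonce is packet id || 8-byte
// implicit IV (the implicit IV stands in for per-direction key material),
// and the packet id is also authenticated as associated data.
func sealFrame(aead cipher.AEAD, implicitIV []byte, pktID uint32, plaintext []byte, l layout) []byte {
	hdr := make([]byte, pktIDLen)
	binary.BigEndian.PutUint32(hdr, pktID)
	nonce := append(append([]byte{}, hdr...), implicitIV...)
	ctTag := aead.Seal(nil, nonce, plaintext, hdr) // Go returns ciphertext || tag
	ct, tag := ctTag[:len(ctTag)-tagLen], ctTag[len(ctTag)-tagLen:]

	frame := append([]byte{}, hdr...)
	if l == tagFirst {
		// The tag exists only after the last plaintext byte has been
		// processed, so this order forces the sender to hold the whole
		// ciphertext back until encryption finishes.
		frame = append(frame, tag...)
		return append(frame, ct...)
	}
	// Tag-last lets a streaming implementation emit ciphertext as it is
	// produced and append the tag at the end.
	frame = append(frame, ct...)
	return append(frame, tag...)
}

// openFrame parses and authenticates a frame laid out as l. With the tag
// first the ciphertext boundary follows from the header size; with the tag
// last it follows from the total frame length.
func openFrame(aead cipher.AEAD, implicitIV []byte, frame []byte, l layout) (uint32, []byte, error) {
	if len(frame) < pktIDLen+tagLen {
		return 0, nil, errors.New("frame shorter than header plus tag")
	}
	hdr := frame[:pktIDLen]
	nonce := append(append([]byte{}, hdr...), implicitIV...)
	var ct, tag []byte
	if l == tagFirst {
		tag, ct = frame[pktIDLen:pktIDLen+tagLen], frame[pktIDLen+tagLen:]
	} else {
		ct, tag = frame[pktIDLen:len(frame)-tagLen], frame[len(frame)-tagLen:]
	}
	// Go's AEAD expects ciphertext || tag, so rebuild that order before Open.
	pt, err := aead.Open(nil, nonce, append(append([]byte{}, ct...), tag...), hdr)
	if err != nil {
		return 0, nil, err // wrong layout, tampering, or wrong key
	}
	return binary.BigEndian.Uint32(hdr), pt, nil
}

func main() {
	// Constructed key and implicit IV, not real key material.
	aead, err := newGCM(bytes.Repeat([]byte{0x42}, 32))
	if err != nil {
		panic(err)
	}
	implicitIV := bytes.Repeat([]byte{0x07}, 8)
	for _, l := range []layout{tagFirst, tagLast} {
		f := sealFrame(aead, implicitIV, 1, []byte("constructed payload"), l)
		id, pt, err := openFrame(aead, implicitIV, f, l)
		fmt.Printf("layout %d: %d-byte frame, packet id %d, plaintext %q, err %v\n", l, len(f), id, pt, err)
	}
}
```

Both layouts authenticate the same bytes and neither is weaker; the difference is purely operational. A receiver with the tag first knows where the ciphertext starts without knowing the frame length, while a sender with the tag last can stream, which is the hardware argument in the message above. Parsing a frame with the wrong layout shifts the tag boundary and fails authentication, so a layout change is a wire-format break, which matches why the proposal was dropped once software implementations were under way.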