Re: [Openvpn-devel] [PATCH v2] Introduce and use secure_memzero() to erase secrets

2016-11-28 Thread Gert Doering
Hi, On Tue, Nov 29, 2016 at 12:36:25AM +0100, David Sommerseth wrote: > If we "do not care" if a memory region is wiped or not (just that it's > nice if it happens), then I'd say these are code paths which *do* *not* > require CLEAR() at all. "wiping" and "clearing a structure before using, so

[Openvpn-devel] [PATCH] reload CRL only if file was modified

2016-11-28 Thread Antonio Quartulli
In order to prevent annoying delays upon client connection, reload the CRL file only if it was modified since the last reload operation. If not, keep on using the already stored CRL. This change will boost client connection time in instances where the CRL file is quite large (dropping from

Re: [Openvpn-devel] [PATCH v2] Introduce and use secure_memzero() to erase secrets

2016-11-28 Thread Selva Nair
On Mon, Nov 28, 2016 at 6:36 PM, David Sommerseth < open...@sf.lists.topphemmelig.net> wrote: > On 28/11/16 23:14, Steffan Karger wrote: > > As described in trac #751, and shortly after reported by Zhaomo Yang, of > > the University of California, San Diego, we use memset() (often through > > the

[Openvpn-devel] [PATCH] Map restart signals from event loop to SIGTERM during exit-notification wait

2016-11-28 Thread Selva Nair
Commit 63b3e000c9.. fixed SIGTERM getting lost during exit notification by ignoring any restart signals triggered during this interval. However, as reported in Trac 777, this could result in repeated triggering of restart signals when the event loop cannot continue without restart due to IO errors

[Openvpn-devel] Trac 777 excessive logging with explicit-exit-notify

2016-11-28 Thread Selva Nair
Hi, Trac 777 reports repeated SIGUSR1 triggering during exit-notification wait and log trashing. As Gert pointed out this is partly related to "commit 63b3e000c9141f4ca03a374354da26334257bc18 , which

Re: [Openvpn-devel] [PATCH 1/2] show correct default for plugin dir in configure help

2016-11-28 Thread David Sommerseth
On 28/11/16 17:16, Christian Hesse wrote: > From: Christian Hesse > > Signed-off-by: Christian Hesse > --- > configure.ac | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/configure.ac b/configure.ac > index f4073d0..d0fe889 100644 > ---

Re: [Openvpn-devel] [PATCH 2/2] allow to enable plugin lookup with configure argument

2016-11-28 Thread David Sommerseth
On 28/11/16 17:16, Christian Hesse wrote: > From: Christian Hesse > > For plugin lookup (giving a relative path to the plugin directory in > the configuration) we had to configure with something like this: > > CFLAGS="$CFLAGS -DPLUGIN_LIBDIR=\\\"/usr/lib/openvpn/plugins\\\"" ./configure > >

Re: [Openvpn-devel] [PATCH v2] Introduce and use secure_memzero() to erase secrets

2016-11-28 Thread David Sommerseth
On 28/11/16 23:14, Steffan Karger wrote: > As described in trac #751, and shortly after reported by Zhaomo Yang, of > the University of California, San Diego, we use memset() (often through > the CLEAR() macro) to erase secrets after use. In some cases however, the > compiler might optimize these

Re: [Openvpn-devel] [PATCH v2] Introduce and use secure_memzero() to erase secrets

2016-11-28 Thread Zhaomo Yang
Hi folks, Just wanted to let you know that we have a new implementation of secure_memzero.h, which is available at https://compsec.sysnet.ucsd.edu/secure_memzero.h. The version I sent to you guys has a minor issue in dealing with memset_s. Also, this implementation synthesizes most of the

[Openvpn-devel] [PATCH v2] Introduce and use secure_memzero() to erase secrets

2016-11-28 Thread Steffan Karger
As described in trac #751, and shortly after reported by Zhaomo Yang, of the University of California, San Diego, we use memset() (often through the CLEAR() macro) to erase secrets after use. In some cases however, the compiler might optimize these calls away. This patch replaces these memset()

Re: [Openvpn-devel] [PATCH] Introduce and use secure_memzero() to erase secrets

2016-11-28 Thread Steffan Karger
On 28-11-16 17:39, Selva Nair wrote: > > On Mon, Nov 28, 2016 at 7:13 AM, Steffan Karger > > wrote: > > As described in trac #751, and shortly after reported by Zhaomo Yang, of > the University of California, San Diego, we use

[Openvpn-devel] [PATCH applied] Re: Fix windows path in Changes.rst

2016-11-28 Thread Gert Doering
Patch has been applied to the master branch. commit 6c6456f4384ec76649febba8ada7806905d84bc4 Author: Gert Doering Date: Mon Nov 28 20:06:52 2016 +0100 Fix windows path in Changes.rst Signed-off-by: Gert Doering Acked-by: Selva Nair

Re: [Openvpn-devel] [PATCH] Fix windows path in Changes.rst

2016-11-28 Thread Selva Nair
On Mon, Nov 28, 2016 at 2:06 PM, Gert Doering wrote: > Escape backslash characters in windows path names. > > Signed-off-by: Gert Doering > --- > Changes.rst | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/Changes.rst

[Openvpn-devel] [PATCH] Fix windows path in Changes.rst

2016-11-28 Thread Gert Doering
Escape backslash characters in windows path names. Signed-off-by: Gert Doering --- Changes.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Changes.rst b/Changes.rst index 6d7bd69..aa80c10 100644 --- a/Changes.rst +++ b/Changes.rst @@ -71,12

[Openvpn-devel] [PATCH applied] Re: update year in copyright message

2016-11-28 Thread Gert Doering
ACK, makes sense :-) Your patch has been applied to the master and release/2.3 branch. commit 7f7d6b2eb0f69f0e8952028488d7aa02619ad76f (master) commit 64dc639616df7787964e72759ef8aed875aadbf7 (release/2.3) Author: Christian Hesse Date: Mon Nov 28 18:08:20 2016 +0100 update year in

Re: [Openvpn-devel] [PATCH] Introduce and use secure_memzero() to erase secrets

2016-11-28 Thread Selva Nair
Hi, My sloppy cut-n-paste missed this one: in ssl_verify.c @@ -1262,7 +1262,7 @@ verify_user_pass(struct user_pass *up, struct tls_multi *multi, "No auth-token will be activated now"); if (multi->auth_token) { - memset (multi->auth_token, 0, AUTH_TOKEN_SIZE); +

[Openvpn-devel] [PATCH 1/1] update year in copyright message

2016-11-28 Thread Christian Hesse
From: Christian Hesse This line has not been touched in a long time... Let's update the copyright message with the current year. Signed-off-by: Christian Hesse --- src/openvpn/options.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git

[Openvpn-devel] [PATCH 2.3] Clean up format_hex_ex()

2016-11-28 Thread Steffan Karger
Cherry-pick of commit 29404010 from master, slightly reworked to match the 2.3 codebase (no flags inside space_break here), and pulled in the new static_assert() fallback we also have in master now. Fix a potential null-pointer dereference, and make the code a bit more readable while doing so.

Re: [Openvpn-devel] [PATCH] Introduce and use secure_memzero() to erase secrets

2016-11-28 Thread Selva Nair
On Mon, Nov 28, 2016 at 7:13 AM, Steffan Karger wrote: > As described in trac #751, and shortly after reported by Zhaomo Yang, of > the University of California, San Diego, we use memset() (often through > the CLEAR() macro) to erase secrets after use. In some cases

[Openvpn-devel] [PATCH applied] Re: Clean up format_hex_ex()

2016-11-28 Thread Gert Doering
ACK. Long-standing eye-hurting code. This is better - and (staring at "openvpn --verb 11" output) seems to do the same thing. At least the code now looks like one could understand what it wants to do :-) Your patch has been applied to the master branch. commit

[Openvpn-devel] [PATCH 1/2] show correct default for plugin dir in configure help

2016-11-28 Thread Christian Hesse
From: Christian Hesse Signed-off-by: Christian Hesse --- configure.ac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index f4073d0..d0fe889 100644 --- a/configure.ac +++ b/configure.ac @@ -303,7 +303,7 @@

[Openvpn-devel] [PATCH 2/2] allow to enable plugin lookup with configure argument

2016-11-28 Thread Christian Hesse
From: Christian Hesse For plugin lookup (giving a relative path to the plugin directory in the configuration) we had to configure with something like this: CFLAGS="$CFLAGS -DPLUGIN_LIBDIR=\\\"/usr/lib/openvpn/plugins\\\"" ./configure This allows passing --enable-plugin-lookup to configure

[Openvpn-devel] [PATCH applied] Re: tls_process: don't set variable that's never read

2016-11-28 Thread Gert Doering
ACK. Easy enough. Your patch has been applied to the master branch. commit 06c54466c86ee3beff9b6cd75f40de5e431d8235 Author: Steffan Karger Date: Mon Nov 28 15:53:20 2016 +0100 tls_process: don't set variable that's never read Signed-off-by: Steffan Karger

[Openvpn-devel] [PATCH] Clean up format_hex_ex()

2016-11-28 Thread Steffan Karger
Fix a potential null-pointer dereference, and make the code a bit more readable while doing so. The NULL dereference could not be triggered, because the current code never called format_hex_ex() with maxoutput == 0 and separator == NULL. But it's nicer to not depend on that. Our use of int vs

Re: [Openvpn-devel] Test installer with installer, openvpn-gui and openvpnserv2 improvements

2016-11-28 Thread debbie10t
On 28/11/16 09:43, Samuli Seppänen wrote: > Hi, > > Could somebody test the installer on Windows XP and ensure that > installation fails as expected? > > > This failed as expected with a dialogue box to open

[Openvpn-devel] [PATCH] Introduce and use secure_memzero() to erase secrets

2016-11-28 Thread Steffan Karger
As described in trac #751, and shortly after reported by Zhaomo Yang, of the University of California, San Diego, we use memset() (often through the CLEAR() macro) to erase secrets after use. In some cases however, the compiler might optimize these calls away. This patch replaces these memset()

Re: [Openvpn-devel] Test installer with installer, openvpn-gui and openvpnserv2 improvements

2016-11-28 Thread Samuli Seppänen
Il 25/11/2016 06:40, Selva Nair ha scritto: > Hi, > > On Thu, Nov 24, 2016 at 5:26 AM, Samuli Seppänen > wrote: > > Here's a Windows new test installer for 2.4_beta1: > > >