[Openvpn-devel] man page --proto needs info on udp6/tcp6 in OpenVPN 2.4

2016-12-15 Thread Matthias Andree
see Subject. There's a related Trac-ker item against 2.3:

[Openvpn-devel] [PATCH v3] auth-gen-token: Hardening memory cleanup on auth-token failures

2016-12-15 Thread David Sommerseth
Further improve the memory management when a client's --auth-token fails the server side token authentication enabled via --auth-gen-token. v2 - Add ASSERT() if base64 encoding of token fails v3 - Use proper boolean logic in ASSERT() Signed-off-by: David Sommerseth ---

Re: [Openvpn-devel] [PATCH v2] auth-gen-token: Hardening memory cleanup on auth-token failures

2016-12-15 Thread David Sommerseth
[let's try unencrypted this time.] On 15/12/16 22:52, Steffan Karger wrote: > Hi, > > On 15 December 2016 at 13:22, David Sommerseth wrote: >> Further improve the memory management when a client's --auth-token >> fails the server side token authentication enabled via

[Openvpn-devel] CFT: OpenVPN 2.4 port update for FreeBSD

2016-12-15 Thread Matthias Andree
Greetings, I've put up an OpenVPN 2.4-rc1 port for FreeBSD for testing. Get it from https://people.freebsd.org/~mandree/openvpn-2.4.r1-v1.tar.xz Or review the diff at https://reviews.freebsd.org/D8813 Cheers, Matthias

Re: [Openvpn-devel] [PATCH v2] auth-gen-token: Hardening memory cleanup on auth-token failures

2016-12-15 Thread Steffan Karger
Hi, On 15 December 2016 at 13:22, David Sommerseth wrote: > Further improve the memory management when a client's --auth-token > fails the server side token authentication enabled via --auth-gen-token. > > v2 - Add ASSERT() if base64 encoding of token fails This will need

[Openvpn-devel] [PATCH v2] Don't reopen tun if cipher changes

2016-12-15 Thread Steffan Karger
When the pulled options change, OpenVPN will attempt to reopen the tun device. That might fail if the process has already dropped privileges, and is not needed unless the tun MTU is changed. This patch therefore ignores the cipher value for the digest if a fixed tun-mtu is used. Additionally,

Re: [Openvpn-devel] [PATCH] Don't reopen tun if cipher changes

2016-12-15 Thread Steffan Karger
Hi, On 15 December 2016 at 20:49, David Sommerseth wrote: > On 15/12/16 19:52, Steffan Karger wrote: >> -if (strstr(line, "peer-id ") != line) >> +if (strcmp(line, "peer-id ") == 0) > > Are you sure about this strcmp()? I'd expect line to

Re: [Openvpn-devel] [PATCH 0/2] LZ4 updates

2016-12-15 Thread David Woodhouse
On Thu, 2016-12-15 at 21:20 +0100, David Sommerseth wrote: > > There is also another potential issue with the current approach, if we link > against r129 or older ... the code will be using > LZ4_compress_limitedOutput().  If the system library is upgraded to a newer > upstream version which

[Openvpn-devel] [PATCH 1/2] lz4: Rebase compat-lz4 against upstream v1.7.4.2

2016-12-15 Thread David Sommerseth
Rebase process is based on description in commit 46e4b6639a950c56. The lz4 v1.7.4.2 is based on commit 018ddf799917ee5c68b5 in git://github.com/lz4/lz4 Signed-off-by: David Sommerseth --- src/compat/compat-lz4.c | 820 ++--

[Openvpn-devel] [PATCH 0/2] LZ4 updates

2016-12-15 Thread David Sommerseth
This patch set is rebasing the LZ4 compat library to the latest upstream LZ4 release (v1.7.4.2). This library is only used if ./configure cannot find a system LZ4 library. In addition, I've included Christian Hesse's patch he already sent to the mailing list as we should review those two

[Openvpn-devel] [PATCH 2/2] replace deprecated LZ4 function

2016-12-15 Thread David Sommerseth
From: Christian Hesse The LZ4 function LZ4_compress_limitedOutput() is deprecated, compiler gives warning: warning: ‘LZ4_compress_limitedOutput’ is deprecated: use LZ4_compress_default() instead The new function LZ4_compress_default() appeared in r129 (1.7.0), so replace the

Re: [Openvpn-devel] [PATCH] Don't reopen tun if cipher changes

2016-12-15 Thread David Sommerseth
On 15/12/16 19:52, Steffan Karger wrote: > When the pulled options change, OpenVPN will attempt to reopen the tun > device. That might fail if the process has already dropped privileges, > and is not needed unless the tun MTU is changed. This patch therefore > ignores the cipher value for the

[Openvpn-devel] [PATCH] Don't reopen tun if cipher changes

2016-12-15 Thread Steffan Karger
When the pulled options change, OpenVPN will attempt to reopen the tun device. That might fail if the process has already dropped privileges, and is not needed unless the tun MTU is changed. This patch therefore ignores the cipher value for the digest if a fixed tun-mtu is used. Additionally,

Re: [Openvpn-devel] ngx_stream_ssl_preread_module does not seem to extract the server_name when connecting with openconnect

2016-12-15 Thread Thomas Glanzmann
Hello Roman, > You can try logging $ssl_preread_server_name in access_log. thank you. It seems that nginx is not able to extract the server_name from openconnect correctly: 2a01:598:8181:37ef:95e1:682:4c98:449e - [15/Dec/2016:17:45:57 +0100] "" When I connect with a browser:
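What ngx_stream_ssl_preread_module does is read the first TLS record and pull the host_name out of the server_name extension of the ClientHello. The following is an added example, not nginx or openconnect code, that does the same parse in Python with every length field bounds-checked, so you can feed it a captured ClientHello and see why a server_name comes back empty. The most common reasons the parser returns None are a client that sends no SNI extension at all (for example when it connects to an IP literal, which RFC 6066 does not allow in host_name) and a ClientHello that is cut across records so the first record is truncated. The ClientHello builder is a constructed sample with assumed cipher suite values; it is there only to produce test input.

```python
"""Extract the server_name (SNI) from a raw TLS ClientHello record.

Added example for the ssl_preread discussion; not nginx or openconnect code.
Layout follows RFC 5246 section 7.4.1.2 (ClientHello) and RFC 6066 section 3
(server_name extension). build_client_hello() produces constructed sample
input only.
"""
import os
import struct

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000


def build_client_hello(server_name=None):
    """Construct a minimal TLS 1.2-style ClientHello record (constructed sample).

    With server_name=None no SNI extension is emitted, which mimics a client
    that connects to an IP literal or simply does not send SNI.
    """
    body = b"\x03\x03"                     # client_version: TLS 1.2
    body += os.urandom(32)                 # random
    body += b"\x00"                        # session_id: empty
    suites = b"\xc0\x2f\xc0\x30"           # two cipher suites (assumed values)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                    # compression_methods: null only
    exts = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # type host_name
        sni = struct.pack("!H", len(entry)) + entry              # ServerNameList
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    body += struct.pack("!H", len(exts)) + exts
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    # Record header: type, legacy version 3.1, length
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def extract_sni(data):
    """Return the host_name from the first record in ``data``, or None.

    None means: not a handshake record, not a ClientHello, no server_name
    extension present, or the record is truncated (a preread that only sees
    the first record hits exactly this case when the hello spans records).
    """
    if len(data) < 5 or data[0] != TLS_HANDSHAKE:
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    rec = data[5:5 + rec_len]
    if len(rec) < rec_len or len(rec) < 4 or rec[0] != CLIENT_HELLO:
        return None                        # truncated record or wrong message
    hs_len = int.from_bytes(rec[1:4], "big")
    hs = rec[4:4 + hs_len]
    if len(hs) < hs_len:
        return None
    pos = 2 + 32                           # skip client_version and random
    if pos >= len(hs):
        return None
    pos += 1 + hs[pos]                     # session_id
    if pos + 2 > len(hs):
        return None
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
    if pos >= len(hs):
        return None
    pos += 1 + hs[pos]                     # compression_methods
    if pos + 2 > len(hs):
        return None                        # no extensions block at all
    ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    if end > len(hs):
        return None
    while pos + 4 <= end:
        ext_type, ext_size = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        ext = hs[pos:pos + ext_size]
        if len(ext) < ext_size:
            return None
        pos += ext_size
        if ext_type != EXT_SERVER_NAME:
            continue
        if len(ext) < 2:
            return None
        list_len = struct.unpack("!H", ext[:2])[0]
        names = ext[2:2 + list_len]
        i = 0
        while i + 3 <= len(names):
            name_type = names[i]
            name_len = struct.unpack("!H", names[i + 1:i + 3])[0]
            name = names[i + 3:i + 3 + name_len]
            if len(name) < name_len:
                return None
            if name_type == 0:             # host_name
                return name.decode("ascii", "replace")
            i += 3 + name_len
        return None                        # extension present but no host_name
    return None


if __name__ == "__main__":
    print(extract_sni(build_client_hello("vpn.example.com")))
    print(extract_sni(build_client_hello(None)))
```

To check a real client, capture the first packet of the connection (tcpdump -w on port 443, then read the TCP payload) and pass those bytes to extract_sni(); a None result together with a complete record tells you the client did not send SNI, while None on a record whose declared length exceeds what you captured tells you the hello is split across records.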

Re: [Openvpn-devel] Coding style clean-up ... phase 1

2016-12-15 Thread Selva Nair
On Thu, Dec 15, 2016 at 8:00 AM, David Sommerseth < open...@sf.lists.topphemmelig.net> wrote: > > The only issue I noticed is that some functions, for loops and switch > > statements have their opening braces on the same line > > ssl.c line 272, tun.c line 697 and many such in the several files.

[Openvpn-devel] [PATCH 1/1] replace deprecated LZ4 function

2016-12-15 Thread Christian Hesse
From: Christian Hesse The LZ4 function LZ4_compress_limitedOutput() is deprecated, compiler gives warning: warning: ‘LZ4_compress_limitedOutput’ is deprecated: use LZ4_compress_default() instead The new function LZ4_compress_default() appeared in r129 (1.7.0), so replace the

Re: [Openvpn-devel] [PATCH 1/1] replace deprecated LZ4 function

2016-12-15 Thread David Sommerseth
On 15/12/16 15:06, Christian Hesse wrote: > From: Christian Hesse > > The LZ4 function LZ4_compress_limitedOutput() is deprecated, compiler > gives warning: > > warning: ‘LZ4_compress_limitedOutput’ is deprecated: use > LZ4_compress_default() instead > > The new function

Re: [Openvpn-devel] [PATCH 1/1] replace deprecated LZ4 function

2016-12-15 Thread David Woodhouse
On Thu, 2016-12-15 at 14:26 +0100, Christian Hesse wrote: > -    zlen = LZ4_compress_limitedOutput((const char *)BPTR(buf), (char > *)BPTR(work), BLEN(buf), zlen_max ); > +    zlen = LZ4_compress_default((const char *)BPTR(buf), (char > *)BPTR(work), BLEN(buf), zlen_max ); You might

[Openvpn-devel] [PATCH 1/1] replace deprecated LZ4 function

2016-12-15 Thread Christian Hesse
From: Christian Hesse The LZ4 function LZ4_compress_limitedOutput() is deprecated, compiler gives warning: warning: ‘LZ4_compress_limitedOutput’ is deprecated: use LZ4_compress_default() instead So replace the function. Signed-off-by: Christian Hesse ---

Re: [Openvpn-devel] Coding style clean-up ... phase 1

2016-12-15 Thread David Sommerseth
On 15/12/16 06:09, Selva Nair wrote: > > On Wed, Dec 14, 2016 at 4:18 PM, David Sommerseth > > wrote: > > On 13/12/16 22:42, David Sommerseth wrote: > > > > Hi all, > > > > So the first phase of

Re: [Openvpn-devel] [MERGE complete] The Great Reformatting - first phase

2016-12-15 Thread David Sommerseth
Reformatting merge complete. commit 1f004b2f06e987d73e48f7fd7b96b0b248274f58 Merge: 2417d55 81d882d Author: David Sommerseth Date: Thu Dec 15 13:45:06 2016 +0100 Merge 'reformatting' branch into master This concludes the first

[Openvpn-devel] [PATCH v2] auth-gen-token: Hardening memory cleanup on auth-token failures

2016-12-15 Thread David Sommerseth
Further improve the memory management when a client's --auth-token fails the server side token authentication enabled via --auth-gen-token. v2 - Add ASSERT() if base64 encoding of token fails Signed-off-by: David Sommerseth --- src/openvpn/ssl_verify.c | 45

Re: [Openvpn-devel] [PATCH] auth-gen-token: Hardening memory cleanup on auth-token failures

2016-12-15 Thread David Sommerseth
On 15/12/16 11:05, Gert Doering wrote: > Hi, > > On Wed, Dec 14, 2016 at 10:08:25PM +0100, Steffan Karger wrote: >> Looks good, but I think there's one more occurrence you should >> incorporate in the patch: >> >> if (openvpn_base64_encode(tok, AUTH_TOKEN_SIZE, >>

Re: [Openvpn-devel] [PATCH] auth-gen-token: Hardening memory cleanup on auth-token failures

2016-12-15 Thread Gert Doering
Hi, On Wed, Dec 14, 2016 at 10:08:25PM +0100, Steffan Karger wrote: > Looks good, but I think there's one more occurrence you should > incorporate in the patch: > > if (openvpn_base64_encode(tok, AUTH_TOKEN_SIZE, > >auth_token) < AUTH_TOKEN_SIZE) Under which