Re: [Openvpn-devel] [PATCH] Build with a few -Werror= flags if the compiler supports them

2016-12-16 Thread Steffan Karger
On 16-12-16 23:16, Julien Muchembled wrote: > On 12/16/16 at 21:52, Steffan Karger wrote: >>> +AX_CHECK_COMPILE_FLAG([ -Werror=implicit ], [ >>> +CFLAGS_EXTRA="$CFLAGS_EXTRA -Werror=implicit" >>> +]) >>> +AX_CHECK_COMPILE_FLAG([ -Werror=format -Werror=format-security ], [ >>> +

Re: [Openvpn-devel] [PATCH 1/1] do not race on RuntimeDirectory

2016-12-16 Thread debbie10t
On 16/12/16 18:14, David Sommerseth wrote: > On 16/12/16 16:57, Christian Hesse wrote: >> From: Christian Hesse >> >> Different unit instances create and destroy the same RuntimeDirectory. >> This leads to running instances where the status file (and possibly >> more runtime

Re: [Openvpn-devel] [PATCH] Build with a few -Werror= flags if the compiler supports them

2016-12-16 Thread Julien Muchembled
On 12/16/16 at 21:52, Steffan Karger wrote: >> +AX_CHECK_COMPILE_FLAG([ -Werror=implicit ], [ >> +CFLAGS_EXTRA="$CFLAGS_EXTRA -Werror=implicit" >> +]) >> +AX_CHECK_COMPILE_FLAG([ -Werror=format -Werror=format-security ], [ >> +CFLAGS_EXTRA="$CFLAGS_EXTRA -Werror=format

Re: [Openvpn-devel] [PATCH] Build with a few -Werror= flags if the compiler supports them

2016-12-16 Thread Steffan Karger
On 16-12-16 22:53, Arne Schwabe wrote: > On 16.12.16 at 19:26, Julien Muchembled wrote: >> The bug in Trac #792 (pointer wrongly truncated as 'int', leading to >> segfaults) >> would have been understood faster with either >> -Werror=implicit or -Werror=format >> (and above all, before

[Openvpn-devel] [PATCH 1/1] do not race on RuntimeDirectory

2016-12-16 Thread Christian Hesse
From: Christian Hesse Different unit instances create and destroy the same RuntimeDirectory. This leads to running instances where the status file (and possibly more runtime data) is no longer accessible. So do not handle this in unit files but provide a tmpfiles.d configuration

Re: [Openvpn-devel] [PATCH] Build with a few -Werror= flags if the compiler supports them

2016-12-16 Thread Arne Schwabe
On 16.12.16 at 19:26, Julien Muchembled wrote: > The bug in Trac #792 (pointer wrongly truncated as 'int', leading to > segfaults) > would have been understood faster with either > -Werror=implicit or -Werror=format > (and above all, before running buggy executables in production) > > Debian

Re: [Openvpn-devel] [PATCH 1/1] do not race on RuntimeDirectory

2016-12-16 Thread Christian Hesse
David Sommerseth on Fri, 2016/12/16 22:15: > On 16/12/16 20:09, Christian Hesse wrote: > > David Sommerseth on Fri, 2016/12/16 > > 19:14: > >> On 16/12/16 16:57, Christian Hesse wrote: > >>> From: Christian Hesse

Re: [Openvpn-devel] [PATCH 1/1] do not race on RuntimeDirectory

2016-12-16 Thread David Sommerseth
On 16/12/16 20:09, Christian Hesse wrote: > David Sommerseth on Fri, 2016/12/16 19:14: >> On 16/12/16 16:57, Christian Hesse wrote: >>> From: Christian Hesse >>> >>> Different unit instances create and destroy the same RuntimeDirectory. >>> This

Re: [Openvpn-devel] [PATCH] Build with a few -Werror= flags if the compiler supports them

2016-12-16 Thread Steffan Karger
Hi, On 16-12-16 19:26, Julien Muchembled wrote: > The bug in Trac #792 (pointer wrongly truncated as 'int', leading to > segfaults) > would have been understood faster with either > -Werror=implicit or -Werror=format > (and above all, before running buggy executables in production) > > Debian

[Openvpn-devel] CFT: OpenVPN 2.4 port update (upstream rc2) for FreeBSD

2016-12-16 Thread Matthias Andree
Greetings, I've put up a new OpenVPN 2.4-rc2 port for FreeBSD for testing. Get it from . This time, it also contains the openvpn23 and openvpn23-polarssl ports (as modified copies of what we have now) that I plan to keep for the

[Openvpn-devel] OpenVPN 2.4_rc2 released

2016-12-16 Thread Samuli Seppänen
The OpenVPN community project team is proud to release OpenVPN 2.4_rc2. It can be downloaded from here: Compared to OpenVPN 2.3 this is a major update with a large number of new features, improvements and fixes. Changes compared to

Re: [Openvpn-devel] [PATCH 1/1] do not race on RuntimeDirectory

2016-12-16 Thread Christian Hesse
David Sommerseth on Fri, 2016/12/16 19:14: > On 16/12/16 16:57, Christian Hesse wrote: > > From: Christian Hesse > > > > Different unit instances create and destroy the same RuntimeDirectory. > > This leads to running instances where the status

[Openvpn-devel] [PATCH] Build with a few -Werror= flags if the compiler supports them

2016-12-16 Thread Julien Muchembled
The bug in Trac #792 (pointer wrongly truncated as 'int', leading to segfaults) would have been understood faster with either -Werror=implicit or -Werror=format (and above all, before running buggy executables in production) Debian already compiles with -Werror=format-security, and it's indeed

Re: [Openvpn-devel] [PATCH 1/1] do not race on RuntimeDirectory

2016-12-16 Thread David Sommerseth
On 16/12/16 16:57, Christian Hesse wrote: > From: Christian Hesse > > Different unit instances create and destroy the same RuntimeDirectory. > This leads to running instances where the status file (and possibly > more runtime data) is no longer accessible. > > So create a

Re: [Openvpn-devel] [PATCH] Fix implicit declarations when HAVE_OPENSSL_ENGINE is unset

2016-12-16 Thread Julien Muchembled
On 12/16/16 at 18:03, Steffan Karger wrote: > On 16-12-16 17:32, Julien Muchembled wrote: >> This fixes a regression in commit 8e95e20913: >> on amd64, an implicit declaration of ERR_error_string leads to segfaults >> if the returned pointer does not fit in an 'int'. >> >> Trac: #792 >> >> [...]

Re: [Openvpn-devel] What about adding -Werror=implicit -Werror=format -Werror=format-security ?

2016-12-16 Thread Arne Schwabe
On 16.12.16 at 18:18, Илья Шипицин wrote: > > > 2016-12-16 22:06 GMT+05:00 Steffan Karger >: > > On 16-12-16 17:42, Julien Muchembled wrote: > > To avoid issues like https://community.openvpn.net/openvpn/ticket/792 >

Re: [Openvpn-devel] What about adding -Werror=implicit -Werror=format -Werror=format-security ?

2016-12-16 Thread Илья Шипицин
2016-12-16 22:06 GMT+05:00 Steffan Karger : > On 16-12-16 17:42, Julien Muchembled wrote: > > To avoid issues like https://community.openvpn.net/openvpn/ticket/792 > to happen again, I wanted to also submit a patch that adds a few -Werror= > flags. However, I wonder

Re: [Openvpn-devel] What about adding -Werror=implicit -Werror=format -Werror=format-security ?

2016-12-16 Thread Steffan Karger
On 16-12-16 17:42, Julien Muchembled wrote: > To avoid issues like https://community.openvpn.net/openvpn/ticket/792 to > happen again, I wanted to also submit a patch that adds a few -Werror= flags. > However, I wonder what would be your preferred way to only add flags that are > supported by

Re: [Openvpn-devel] [PATCH] Fix implicit declarations when HAVE_OPENSSL_ENGINE is unset

2016-12-16 Thread Steffan Karger
On 16-12-16 17:32, Julien Muchembled wrote: > This fixes a regression in commit 8e95e20913: > on amd64, an implicit declaration of ERR_error_string leads to segfaults > if the returned pointer does not fit in an 'int'. > > Trac: #792 > > Signed-off-by: Julien Muchembled > --- >

[Openvpn-devel] [PATCH] Fix implicit declarations when HAVE_OPENSSL_ENGINE is unset

2016-12-16 Thread Julien Muchembled
This fixes a regression in commit 8e95e20913: on amd64, an implicit declaration of ERR_error_string leads to segfaults if the returned pointer does not fit in an 'int'. Trac: #792 Signed-off-by: Julien Muchembled --- This patch is for the 2.3 branch. In the master branch,

[Openvpn-devel] What about adding -Werror=implicit -Werror=format -Werror=format-security ?

2016-12-16 Thread Julien Muchembled
To avoid issues like https://community.openvpn.net/openvpn/ticket/792 to happen again, I wanted to also submit a patch that adds a few -Werror= flags. However, I wonder what would be your preferred way to only add flags that are supported by the compiler. One solution is with

[Openvpn-devel] [PATCH 1/1] do not race on RuntimeDirectory

2016-12-16 Thread Christian Hesse
From: Christian Hesse Different unit instances create and destroy the same RuntimeDirectory. This leads to running instances where the status file (and possibly more runtime data) is no longer accessible. So create a RuntimeDirectory per instance. Signed-off-by: Christian Hesse

Re: [Openvpn-devel] [PATCH applied] auth-gen-token: Hardening memory cleanup on auth-token failuers

2016-12-16 Thread David Sommerseth
Your patch has been applied to the master branch commit 5d4cabff18718981a66ab9066b49297e42cb22b4 Author: David Sommerseth Date: Fri Dec 16 11:25:07 2016 +0100 auth-gen-token: Hardening memory cleanup on auth-token failuers

Re: [Openvpn-devel] [PATCH applied] Don't reopen tun if cipher changes

2016-12-16 Thread David Sommerseth
ACK. Tested it with some additional debug instrumentation, and it seems to work as intended. Your patch has been applied to the master branch. commit ec4dff3bbdcc9fedf7844701dc5aa2679d503667 Author: Steffan Karger Date: Thu

Re: [Openvpn-devel] [PATCH v4] auth-gen-token: Hardening memory cleanup on auth-token failuers

2016-12-16 Thread Steffan Karger
On 16-12-16 11:25, David Sommerseth wrote: > Further improve the memory management when a clients --auth-token > fails the server side token authentication enabled via --auth-gen-token. > > v2 - Add ASSERT() if base64 encoding of token fails > v3 - Use proper boolean logic in ASSERT() > v4 -

[Openvpn-devel] [PATCH v4] auth-gen-token: Hardening memory cleanup on auth-token failuers

2016-12-16 Thread David Sommerseth
Further improve the memory management when a clients --auth-token fails the server side token authentication enabled via --auth-gen-token. v2 - Add ASSERT() if base64 encoding of token fails v3 - Use proper boolean logic in ASSERT() v4 - Rebase against The Great Reformatting Signed-off-by: David