[Openvpn-devel] [PATCH applied] Re: Map restart signals from event loop to SIGTERM during exit-notification wait

2016-11-29 Thread Gert Doering
ACK, thanks a lot. I could reproduce the effect as well -- set "--explicit-exit-notify 5", try to connect to a non-responsive server (unused IP address, ...), and ~2 seconds before the 60 second timeout, press ctrl-c. Flooding of SIGUSR1 messages, no way to stop it (except "kill -9"), quite an

Re: [Openvpn-devel] [PATCH v2] Introduce and use secure_memzero() to erase secrets

2016-11-29 Thread Steffan Karger
Hi, On 29-11-16 00:00, Zhaomo Yang wrote: > Just wanted to let you know that we have a new implementation of > secure_memzero.h, which is available at > https://compsec.sysnet.ucsd.edu/secure_memzero.h > . > > The version I sent to you guys has

[Openvpn-devel] [PATCH applied] Re: Introduce and use secure_memzero() to erase secrets

2016-11-29 Thread Gert Doering
Another ACK from me. (David agreed on IRC that even while he is not happy with CLEAR(), it's ok to go forward with this one as it's a somewhat independent issue) Your patch has been applied to the master branch. commit 009521ac8ae613084b23b9e3e5dc4ebeccd4c6c8 Author: Steffan Karger Date: Mon

[Openvpn-devel] [PATCH] Force 'def1' method when --redirect-gateway is done through service

2016-11-29 Thread Selva Nair
The service deletes all added routes when the client process (openvpn) exits, causing the re-instated default route to disappear. Fix by rewriting "--redirect-gateway" to "--redirect-gateway def1" when routes are set using interactive service. Only the behaviour on Windows with intereactive

Re: [Openvpn-devel] [PATCH applied] Re: Map restart signals from event loop to SIGTERM during exit-notification wait

2016-11-29 Thread Gert Doering
Hi, On Tue, Nov 29, 2016 at 04:01:34PM -0500, Selva Nair wrote: > Just to be sure, I think the second ctrl-C or SIGTERM during exit-notify > wait should cause a prompt exit without waiting for exit-notify to > complete. That was the original behaviour and is supposed to be unchanged... It does

Re: [Openvpn-devel] [PATCH] reload CRL only if file was modified

2016-11-29 Thread Steffan Karger
On 29-11-16 17:43, Steffan Karger wrote: > Will test more thoroughly tonight (hopefully on Windows too), but have a > lot of faith that those will succeed. Just did this, on linux and windows, and code works as expected. So once you've taken care of the (minor) remarks in my previous mails, I

Re: [Openvpn-devel] [PATCH] reload CRL only if file was modified

2016-11-29 Thread Christian Hesse
Steffan Karger on Tue, 2016/11/29 17:43: > Hi, > > Thanks for following up. I did some stare-at-code and trivial tests. > Will test more thoroughly tonight (hopefully on Windows too), but have a > lot of faith that those will succeed. I have some comments from

Re: [Openvpn-devel] [PATCH] reload CRL only if file was modified

2016-11-29 Thread Christian Hesse
Christian Hesse on Tue, 2016/11/29 20:16: > Oops, missed that in my logs (and did not find the code)... You are right, > cache is cleared. > > Either of both is just fine and it works as-is. So ignore my patch. Oops again... Looks like I answered a wrong mail. Please ignore...

Re: [Openvpn-devel] [PATCH] reload CRL only if file was modified

2016-11-29 Thread Steffan Karger
Hi, One more thing. On 29-11-16 07:38, Antonio Quartulli wrote: > + if (!crl_file_inline) > +platform_stat(crl_file, _stat); If platform_stat() fails, we now silently ignore the error and continue using the old CRL. I think using the old CRL is fine, but we should print a warning to tell

Re: [Openvpn-devel] [PATCH v2] Introduce and use secure_memzero() to erase secrets

2016-11-29 Thread Gert Doering
Hi, On Tue, Nov 29, 2016 at 11:07:12AM +0100, Arne Schwabe wrote: > I think we should prefer memset_s if available since it is a C11 standard. Since we're currently compiling against C99, we can't rely on it being there (in my OS Zoo, only MacOS seems to have it, at least "have a manpage for it"

Re: [Openvpn-devel] [PATCH v2] Introduce and use secure_memzero() to erase secrets

2016-11-29 Thread Arne Schwabe
Am 29.11.16 um 11:18 schrieb Gert Doering: > Hi, > > On Tue, Nov 29, 2016 at 11:07:12AM +0100, Arne Schwabe wrote: >> I think we should prefer memset_s if available since it is a C11 standard. > Since we're currently compiling against C99, we can't rely on it being > there (in my OS Zoo, only

[Openvpn-devel] [PATCH 1/1] Clean up plugin path handling

2016-11-29 Thread Christian Hesse
From: Christian Hesse Drop --with-plugindir, instead use an environment variable PLUGINDIR to specify the plugin directory. This always defines PLUGIN_LIBDIR and enables plugin search path. Signed-off-by: Christian Hesse --- configure.ac| 14

Re: [Openvpn-devel] [PATCH 2/2] allow to enable plugin lookup with configure argument

2016-11-29 Thread Christian Hesse
David Sommerseth on Tue, 2016/11/29 00:47: > On 28/11/16 17:16, Christian Hesse wrote: > > From: Christian Hesse > > > > For plugin lookup (give relative path to plugin directory in > > configuration) we had to configure with something like

Re: [Openvpn-devel] [PATCH applied] Re: Map restart signals from event loop to SIGTERM during exit-notification wait

2016-11-29 Thread Selva Nair
On Tue, Nov 29, 2016 at 3:04 AM, Gert Doering wrote: > .. which fixes the issue for good. > > "Real signals" are still ignored (kill -USR1 from another window): > > Tue Nov 29 08:58:19 2016 event_wait : Interrupted system call (code=4) > Tue Nov 29 08:58:19 2016 Ignoring

Re: [Openvpn-devel] [PATCH 1/1] Use systemd service manager notification

2016-11-29 Thread David Sommerseth
On 29/11/16 16:27, Christian Hesse wrote: > From: Christian Hesse > > Notify systemd service manager when our initialization sequence > completed. This helps ordering services as dependencies can rely on vpn > being available. Funny detail is that I have a somewhat similar patch

[Openvpn-devel] [PATCH 2.4 and 2.3] When parsing "--setenv opt xx .." make sure a third parameter is present

2016-11-29 Thread Selva Nair
When no parameters are present, set it to "setenv opt" to trigger a descriptive error message. And, thus get rid of the pesky NULL pointer dereferencing. Resolves Trac 779 Signed-off-by: Selva Nair --- src/openvpn/options.c | 2 ++ 1 file changed, 2 insertions(+) diff

[Openvpn-devel] [PATCH v2.3] Map restart signals from event loop to SIGTERM during exit-notification wait

2016-11-29 Thread Selva Nair
Commit 63b3e000c9.. fixed SIGTERM getting lost during exit notification by ignoring any restart signals triggered during this interval. However, as reported in Trac 777, this could result in repeated triggering of restart signals when the event loop cannot continue without restart due to IO errors

Re: [Openvpn-devel] [PATCH] reload CRL only if file was modified

2016-11-29 Thread Antonio Quartulli
On Tue, Nov 29, 2016 at 05:43:33PM +0100, Steffan Karger wrote: [CUT..] > > > > +void > > +tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx, const char *crl_file, > > + const char *crl_file_inline, bool reload) > > This is only used within ssl.c, so should be static and have a

Re: [Openvpn-devel] [PATCH v2] Introduce and use secure_memzero() to erase secrets

2016-11-29 Thread Steffan Karger
On 29-11-16 11:28, Arne Schwabe wrote: > > > Am 29.11.16 um 11:18 schrieb Gert Doering: >> Hi, >> >> On Tue, Nov 29, 2016 at 11:07:12AM +0100, Arne Schwabe wrote: >>> I think we should prefer memset_s if available since it is a C11 standard. >> Since we're currently compiling against C99, we

Re: [Openvpn-devel] [PATCH 1/1] Clean up plugin path handling

2016-11-29 Thread Christian Hesse
Christian Hesse on Tue, 2016/11/29 12:07: > From: Christian Hesse > > Drop --with-plugindir, instead use an environment variable PLUGINDIR > to specify the plugin directory. > > This always defines PLUGIN_LIBDIR and enables plugin search path. > > Signed-off-by:

[Openvpn-devel] combined ndis5 + ndis6 installer ?

2016-11-29 Thread Илья Шипицин
Hello, as we finished x86 + x64 installer, we can do something else now. @mattock, which installer are you going to build ? it used to be (ndis5, ndis6) x (x86, x64) matrix, what will be future matrix ? (and, yes, I'm going to build multi-language installer, probably right after 2.4 release)

[Openvpn-devel] [PATCH 1/1] Use systemd service manager notification

2016-11-29 Thread Christian Hesse
From: Christian Hesse Notify systemd service manager when our initialization sequence completed. This helps ordering services as dependencies can rely on vpn being available. Signed-off-by: Christian Hesse --- distro/systemd/openvpn-client@.service | 1 +

Re: [Openvpn-devel] [PATCH v2] Introduce and use secure_memzero() to erase secrets

2016-11-29 Thread Selva Nair
Hi, On Mon, Nov 28, 2016 at 5:14 PM, Steffan Karger wrote: > As described in trac #751, and shortly after reported by Zhaomo Yang, of > the University of California, San Diego, we use memset() (often through > the CLEAR() macro) to erase secrets after use. In some cases

Re: [Openvpn-devel] [PATCH] reload CRL only if file was modified

2016-11-29 Thread Steffan Karger
Hi, Thanks for following up. I did some stare-at-code and trivial tests. Will test more thoroughly tonight (hopefully on Windows too), but have a lot of faith that those will succeed. I have some comments from staring at the code though, see below. On 29-11-16 07:38, Antonio Quartulli wrote: >