Re: [Openvpn-devel] [PATCH 1/1] bind mount systemd notification socket into chroot

2016-12-09 Thread David Sommerseth
On 10/12/16 00:19, Christian Hesse wrote: > From: Christian Hesse > > sd_notify() uses a socket to communicate with systemd. Communication > fails if the socket is not available within the chroot. So bind mount > the socket into the chroot when startet from systemd. > > Unsharing

Re: [Openvpn-devel] [PATCH 1/1] Clean up plugin path handling

2016-12-09 Thread David Sommerseth
On 09/12/16 22:54, Christian Hesse wrote: > David Sommerseth on Fri, 2016/12/09 22:37: >> On 29/11/16 12:07, Christian Hesse wrote: >>> From: Christian Hesse >>> >>> Drop --with-plugindir, instead use an environment variable PLUGINDIR >>> to

Re: [Openvpn-devel] [PATCH 1/1] Clean up plugin path handling

2016-12-09 Thread Christian Hesse
David Sommerseth on Fri, 2016/12/09 23:40: > On 09/12/16 22:54, Christian Hesse wrote: > > David Sommerseth on Fri, 2016/12/09 > > 22:37: > >> On 29/11/16 12:07, Christian Hesse wrote: > >>> From: Christian Hesse

[Openvpn-devel] [PATCH 1/1] bind mount systemd notification socket into chroot

2016-12-09 Thread Christian Hesse
From: Christian Hesse sd_notify() uses a socket to communicate with systemd. Communication fails if the socket is not available within the chroot. So bind mount the socket into the chroot when startet from systemd. Unsharing namespace and mounting requires extra capability

Re: [Openvpn-devel] [PATCH 1/1] add more security features for systemd units

2016-12-09 Thread SviMik
> You can break this with something like: > > status /etc/openvpn/client/status.log > > in your configuration. Writing a status file > to /run/openvpn-{client,server}/status.log works, though. So the default > setups should be fine. Do we have any more cases where openvpn wants write > access

Re: [Openvpn-devel] [PATCH] push: Provide a warning if --ifconfig-push have argument mismatch with --topology

2016-12-09 Thread Gert Doering
Hi, On Fri, Dec 09, 2016 at 09:13:19AM +0100, Gert Doering wrote: > ... ifconfig_sanity_check() does *nothing* for TOP_SUBNET Overlooked the second patch (since it wasn't threaded). So with the other patch, that argument is no longer valid, of course. Apologies. [..] > Also we might to

[Openvpn-devel] [PATCH] mbedtls: include correct net/net_sockets header according to version

2016-12-09 Thread Magnus Kroken
is deprecated as of mbedTLS 2.4.0, it is renamed . OpenVPN will fail to build with mbedTLS 2.4.0 with MBEDTLS_DEPRECATED_REMOVED defined. Check MBEDTLS_VERSION_NUMBER, and include net.h for < 2.4.0 and net_sockets.h for >= 2.4.0. Signed-off-by: Magnus Kroken --- Tested,

[Openvpn-devel] [PATCH] Use getpassphrase on Solaris/illumos

2016-12-09 Thread Alexander Pyhalov
-- С уважением, Александр Пыхалов, программист отдела телекоммуникационной инфраструктуры управления информационно-коммуникационной инфраструктуры ЮФУ >From 971d1d5e66ba714fc8f74b8da0672e7da47dc557 Mon Sep 17 00:00:00 2001 From: Alexander Pyhalov Date: Fri, 9 Dec 2016

Re: [Openvpn-devel] help wanted: OpenSolaris building

2016-12-09 Thread Alexander Pyhalov
On 09/11/16 09:51 PM, Gert Doering wrote: > Hi, > > as you might know, we try to build everything we commit to git on all > supported platforms (using buildbot). This works quite well and has > helped us keep things consistently working across all platforms, at least > as far as we have tests for

Re: [Openvpn-devel] [PATCH] Improve ifconfig_sanity_check()

2016-12-09 Thread Gert Doering
Hi, On Fri, Dec 09, 2016 at 03:52:32AM +0100, David Sommerseth wrote: > - Instead of checking the complete in_addr_t (which lacked proper htonl()), > just do a simple peek at the last byte which contains the first octet > of an IP address or subnet mask. Have you *tested* this on a non-intel

Re: [Openvpn-devel] [PATCH] push: Provide a warning if --ifconfig-push have argument mismatch with --topology

2016-12-09 Thread Gert Doering
Hi, On Fri, Dec 09, 2016 at 03:50:48AM +0100, David Sommerseth wrote: > This adds a warning to the log file if --topology is configured to use > subnet or net30 and the 'subnet mask' argument of an --ifconfig-push option > is not an subnet mask. > > v2 - Make use of ifconfig_sanity_check() in

[Openvpn-devel] [PATCH 0/2] Improve --ifconfig and --ifconfig-push sanity check

2016-12-09 Thread David Sommerseth
This patch set is combining two separate mail threads [1] [2] as they are related. These patches have also been rearragned, where the first patch adds the generic improvements and prepares for the push.c update which is in the second patch. These patches combined will resolve the issue reported

[Openvpn-devel] [PATCH 2/2 v3] push: Provide a warning if --ifconfig-push have --topology mismatch

2016-12-09 Thread David Sommerseth
This adds a warning to the log file if --topology is configured to use subnet or net30 and the 'subnet mask' argument of an --ifconfig-push option is not an subnet mask. v2 - Make use of ifconfig_sanity_check() in tun.c instead of doing the exact same check and warning in

[Openvpn-devel] [PATCH 1/1] Handle SIGHUP during initialisation phase

2016-12-09 Thread Hervé CODINA
Without this commit, if remote host cannot be reached, we get stuck in loop trying to connect and we cannot reload a new configuration using SIGHUP. In this case, the only way to reload the configuration is to kill and relaunch the daemon. With this commit, following use case can be done: - Set

Re: [Openvpn-devel] Coding style clean-up ... phase 1

2016-12-09 Thread Gert Doering
Hi, On Fri, Dec 09, 2016 at 08:24:24AM -0500, Selva Nair wrote: > On Fri, Dec 9, 2016 at 2:42 AM, Gert Doering wrote: > > > if (a>0) > > { do_this(); } > > else > > { do_that(); } > > > > In such cases I would normally skip all braces, in spite of all the >

Re: [Openvpn-devel] [PATCH] mbedtls: include correct net/net_sockets header according to version

2016-12-09 Thread Steffan Karger
Hi, On 9 December 2016 at 10:07, Magnus Kroken wrote: > is deprecated as of mbedTLS 2.4.0, it is renamed > . OpenVPN will fail to build with > mbedTLS 2.4.0 with MBEDTLS_DEPRECATED_REMOVED defined. > > Check MBEDTLS_VERSION_NUMBER, and include net.h for < 2.4.0 and >

Re: [Openvpn-devel] Coding style clean-up ... phase 1

2016-12-09 Thread Steffan Karger
Hi, On 9 December 2016 at 00:14, David Sommerseth wrote: > I just spotted in ssl.c that we need sp_assign=add. > > [ ssl.c, tls1_PRF() ] > len = slen/2; > S1 = sec; > S2 = &(sec[len]); > len += (slen&1); /* add for odd, make longer */ > > I

Re: [Openvpn-devel] [PATCH] Improve ifconfig_sanity_check()

2016-12-09 Thread David Sommerseth
On 09/12/16 09:15, Gert Doering wrote: > Hi, > > On Fri, Dec 09, 2016 at 03:52:32AM +0100, David Sommerseth wrote: >> - Instead of checking the complete in_addr_t (which lacked proper htonl()), >> just do a simple peek at the last byte which contains the first octet >> of an IP address or

Re: [Openvpn-devel] Coding style clean-up ... phase 1

2016-12-09 Thread Selva Nair
On Fri, Dec 9, 2016 at 2:42 AM, Gert Doering wrote: > if (a>0) > { do_this(); } > else > { do_that(); } > In such cases I would normally skip all braces, in spite of all the arguments against it... But that's just me. That said the proposed re-formatting

[Openvpn-devel] [PATCH 1/1] Handle SIGHUP during initialisation phase

2016-12-09 Thread Herve Codina
Without this commit, if remote host cannot be reached, we get stuck in loop trying to connect and we cannot reload a new configuration using SIGHUP. In this case, the only way to reload the configuration is to kill and relaunch the daemon. With this commit, following use case can be done: - Set

[Openvpn-devel] [PATCH applied] Re: mbedtls: include correct net/net_sockets header according to version

2016-12-09 Thread Gert Doering
Your patch has been applied to the master branch. Thanks. I have not changed the #include formatting, as The Great Reformatting will catch it anyway. commit c00919e8bd6a4e36d9fa009f3b1a93b262a59fc6 Author: Magnus Kroken Date: Fri Dec 9 10:07:35 2016 +0100 mbedtls: include correct

[Openvpn-devel] On saving passwords

2016-12-09 Thread Selva Nair
Hi, A comment on the GUI github page said: "For ISO27001 certification, we are not allowed to let users save their VPN passwords locally. Is there a way to remove or disable the 'save password' box upon authentication ?" Although I suggested to use an up script to delete the saved password,

Re: [Openvpn-devel] [PATCH] systemd: Intermediate --chroot fix with the new sd_notify() implementation

2016-12-09 Thread Christian Hesse
Christian Hesse on Fri, 2016/12/09 18:37: > David Sommerseth on Wed, 2016/12/07 03:51: > > Commit c5931897ae8d663e7e introduced support for talking directly > > to the systemd service manager about the situation for the OpenVPN > > tunnel. This approach makes a

[Openvpn-devel] [PATCH 1/1] add more security features for systemd units

2016-12-09 Thread Christian Hesse
From: Christian Hesse ProtectSystem=strict mounts the entire file system hierarchy read-only, except for the API file system subtrees /dev, /proc and /sys (which can be protected using PrivateDevices=, ProtectKernelTunables=, ProtectControlGroups=). ProtectHome=true makes the

Re: [Openvpn-devel] On saving passwords

2016-12-09 Thread Илья Шипицин
9 дек. 2016 г. 22:40 пользователь "Selva Nair" написал: Hi, A comment on the GUI github page said: "For ISO27001 certification, we are not allowed to let users save their VPN passwords locally. Is there a way to remove or disable the 'save password' box upon

Re: [Openvpn-devel] [PATCH] systemd: Intermediate --chroot fix with the new sd_notify() implementation

2016-12-09 Thread Christian Hesse
David Sommerseth on Wed, 2016/12/07 03:51: > Commit c5931897ae8d663e7e introduced support for talking directly > to the systemd service manager about the situation for the OpenVPN > tunnel. This approach makes a lot of sense and is mostly the proper > way to do it. But it was

Re: [Openvpn-devel] [PATCH 1/1] add more security features for systemd units

2016-12-09 Thread David Sommerseth
On 09/12/16 19:13, Christian Hesse wrote: > From: Christian Hesse > > ProtectSystem=strict mounts the entire file system hierarchy read-only, > except for the API file system subtrees /dev, /proc and /sys (which can > be protected using PrivateDevices=, ProtectKernelTunables=, >

Re: [Openvpn-devel] [PATCH] systemd: Intermediate --chroot fix with the new sd_notify() implementation

2016-12-09 Thread David Sommerseth
On 09/12/16 18:59, Christian Hesse wrote: > Christian Hesse on Fri, 2016/12/09 18:37: >> David Sommerseth on Wed, 2016/12/07 03:51: >>> Commit c5931897ae8d663e7e introduced support for talking directly >>> to the systemd service manager about the situation for

Re: [Openvpn-devel] Coding style clean-up ... phase 1

2016-12-09 Thread Selva Nair
On Fri, Dec 9, 2016 at 8:41 AM, Steffan Karger wrote: > > On 9 December 2016 at 00:14, David Sommerseth > wrote: > > I just spotted in ssl.c that we need sp_assign=add. > > > > [ ssl.c, tls1_PRF() ] > > len = slen/2; > > S1 = sec; >

Re: [Openvpn-devel] Coding style clean-up ... phase 1

2016-12-09 Thread Steffan Karger
On 9 December 2016 at 21:43, Selva Nair wrote: > On Fri, Dec 9, 2016 at 8:41 AM, Steffan Karger wrote: >> On 9 December 2016 at 00:14, David Sommerseth >> wrote: >> > I just spotted in ssl.c that we need sp_assign=add.

Re: [Openvpn-devel] [PATCH 1/1] Clean up plugin path handling

2016-12-09 Thread David Sommerseth
On 29/11/16 12:07, Christian Hesse wrote: > From: Christian Hesse > > Drop --with-plugindir, instead use an environment variable PLUGINDIR > to specify the plugin directory. > > This always defines PLUGIN_LIBDIR and enables plugin search path. > > Signed-off-by: Christian Hesse

Re: [Openvpn-devel] Coding style clean-up ... phase 1

2016-12-09 Thread David Sommerseth
On 09/12/16 22:27, Steffan Karger wrote: > > Sounds like we have a final config on the CodeStyle page now. Are we > ready to run it on all code now, and publish a reformat branch? > Agreed. I can do this later this night. -- kind regards, David Sommerseth OpenVPN Technologies, Inc

Re: [Openvpn-devel] [PATCH applied] systemd: Intermediate --chroot fix with the new sd_notify() implementation

2016-12-09 Thread David Sommerseth
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Your patch has been applied to the master branch commit 65140a3acfa42e5d42cdfcf8108f00a62d5767ff Author: David Sommerseth Date: Wed Dec 7 03:51:52 2016 +0100 systemd: Intermediate --chroot fix with the new sd_notify() implementation

Re: [Openvpn-devel] Coding style clean-up ... phase 1

2016-12-09 Thread Selva Nair
On Fri, Dec 9, 2016 at 4:39 PM, David Sommerseth < open...@sf.lists.topphemmelig.net> wrote: > On 09/12/16 22:27, Steffan Karger wrote: > > > > Sounds like we have a final config on the CodeStyle page now. Are we > > ready to run it on all code now, and publish a reformat branch? > > > > Agreed.

Re: [Openvpn-devel] [PATCH 1/1] add more security features for systemd units

2016-12-09 Thread Christian Hesse
David Sommerseth on Fri, 2016/12/09 20:42: > On 09/12/16 19:13, Christian Hesse wrote: > > From: Christian Hesse > > > > ProtectSystem=strict mounts the entire file system hierarchy read-only, > > except for the API file system subtrees /dev,

Re: [Openvpn-devel] [PATCH 1/1] Clean up plugin path handling

2016-12-09 Thread Christian Hesse
David Sommerseth on Fri, 2016/12/09 22:37: > On 29/11/16 12:07, Christian Hesse wrote: > > From: Christian Hesse > > > > Drop --with-plugindir, instead use an environment variable PLUGINDIR > > to specify the plugin directory. > > > > This