[Openvpn-devel] The future of contrib/keychain-mcd

2017-05-05 Thread David Sommerseth
Hi, We have had the contrib/keychain-mcd code under a more thorough code review lately. And there are several issues found during that review which really needs to be improved. Basically most of the functions handling memory management have a very ambitious coding style. The result of function

[Openvpn-devel] [PATCH 2/2] sample-plugins/simple: Clean up the build method

2017-05-05 Thread David Sommerseth
This replaces a not so well functioning ./build script with a more proper Makefile. The README file is also updated accordingly. Signed-off-by: David Sommerseth --- sample/sample-plugins/simple/Makefile | 17 + sample/sample-plugins/simple/README | 33 +

[Openvpn-devel] [PATCH 1/2] plugin: Export base64 encode and decode functions

2017-05-05 Thread David Sommerseth
This patch builds on the "Export secure_memzero() to plug-ins" patch and adds export of openvpn_base64_encode() and openvpn_base64_decode(). This also ships with a very simple plug-in which demonstrates how to use the new exported functions. Signed-off-by: David Sommerseth --- include/openvpn-pl

Re: [Openvpn-devel] [PATCH] Set a low interface metric for tap adapter when block-outside-dns is in use

2017-05-05 Thread ValdikSS
On 05.05.2017 23:21, Selva Nair wrote: > Hi, > > On Thu, May 4, 2017 at 1:36 PM, ValdikSS > wrote: > > Hmm... If it starts with a random adapter, this metric lowering is not the > right fix, isn't it? Or did you mean to say "starting from lowest metric > adapter"? >

[Openvpn-devel] [PATCH] Document tls-crypt security considerations in man page

2017-05-05 Thread Steffan Karger
The tls-crypt commit message contained an elaborate discussion on the function's security properties. This commit adds the gist of that discussion, "rotate keys periodically" to the man page. (The 'real' solution will follow later: add support for per-client tls-crypt keys. That will make tls-cr

Re: [Openvpn-devel] [PATCH applied] Fix Changes.rst layout

2017-05-05 Thread David Sommerseth
The correct direct URL for this commit is: Your patch has been applied to the following branches commit 7ad917760136807298c39d9260ff6bb074db03a4 (master) commit de7e

Re: [Openvpn-devel] [PATCH applied] Don't run packet_id unit tests for --disable-crypto builds

2017-05-05 Thread David Sommerseth
So I pushed the commit too early, as mail-archive.com's Message-ID isn't up-to-date yet. The proper URL is: Eventually the URL in the commit will be correct. Your

Re: [Openvpn-devel] [PATCH] Set a low interface metric for tap adapter when block-outside-dns is in use

2017-05-05 Thread Selva Nair
Hi, On Thu, May 4, 2017 at 1:36 PM, ValdikSS wrote: > > Windows 10 before Creators Update used to resolve DNS using all available > adapters and IP addresses in parallel. > Now it still resolves addresses using all available adapters but in a > round-robin way, beginning with random adapter. >

[Openvpn-devel] [PATCH] Fix Changes.rst layout

2017-05-05 Thread Steffan Karger
The extra space before each line made the 2.4.1 section stand out from the other sections. Signed-off-by: Steffan Karger --- Changes.rst | 24 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/Changes.rst b/Changes.rst index 2a94990..c1583b3 100644 --- a/Ch

[Openvpn-devel] [PATCH] Don't run packet_id unit tests for --disable-crypto builds

2017-05-05 Thread Steffan Karger
Because there is no packet_id in those builds... This fixes 'make check' for --disable-crypto builds, caught by travis. Signed-off-by: Steffan Karger --- tests/unit_tests/openvpn/Makefile.am | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/unit_tests/openvpn/Makefil

Re: [Openvpn-devel] [PATCH 1/2] In auth-pam plugin clear the password after use

2017-05-05 Thread Selva Nair
On Fri, May 5, 2017 at 3:01 PM, David Sommerseth < open...@sf.lists.topphemmelig.net> wrote: > On 05/05/17 20:28, Gert Doering wrote: > > Hi, > > > > On Fri, May 05, 2017 at 02:24:01PM -0400, selva.n...@gmail.com wrote: > >> From: Selva Nair > >> > >> This adds a minimal secure_memzero() > >> > >

[Openvpn-devel] [PATCH applied] Re: cleanup: merge packet_id_alloc_outgoing() into packet_id_write()

2017-05-05 Thread Gert Doering
ACK, thanks, plus 20:39 <@dazo> cron2: you can add ACK on me too on that one, I believe it is the same we've already reviewed "Stared at code", plus "passed all my client tests" plus "adds cmocka tests which are really useful for that stuff" (and they pass :) ). .. and this is a

Re: [Openvpn-devel] [PATCH 1/2] In auth-pam plugin clear the password after use

2017-05-05 Thread David Sommerseth
On 05/05/17 20:28, Gert Doering wrote: > Hi, > > On Fri, May 05, 2017 at 02:24:01PM -0400, selva.n...@gmail.com wrote: >> From: Selva Nair >> >> This adds a minimal secure_memzero() >> >> Signed-off-by: Selva Nair > > Feature-ACK, Code-NAK, but just because David is planning to export > secure_

[Openvpn-devel] [PATCH] plugin: Export secure_memzero() to plug-ins

2017-05-05 Thread David Sommerseth
This provides plug-ins with a safe and secure way to sanitize sensitive information such as passwords, by re-using the secure_memzero() implementation in OpenVPN. Signed-off-by: David Sommerseth --- include/openvpn-plugin.h.in | 25 ++--- src/openvpn/plugin.c| 3 ++- 2

Re: [Openvpn-devel] [PATCH 1/2] In auth-pam plugin clear the password after use

2017-05-05 Thread Gert Doering
Hi, On Fri, May 05, 2017 at 02:24:01PM -0400, selva.n...@gmail.com wrote: > From: Selva Nair > > This adds a minimal secure_memzero() > > Signed-off-by: Selva Nair Feature-ACK, Code-NAK, but just because David is planning to export secure_memzero() to plugins from OpenVPN proper - mentioned j

[Openvpn-devel] [PATCH 1/2] In auth-pam plugin clear the password after use

2017-05-05 Thread selva.nair
From: Selva Nair This adds a minimal secure_memzero() Signed-off-by: Selva Nair --- src/plugins/auth-pam/auth-pam.c | 2 ++ src/plugins/auth-pam/utils.h| 16 2 files changed, 18 insertions(+) diff --git a/src/plugins/auth-pam/auth-pam.c b/src/plugins/auth-pam/auth-pam.c

[Openvpn-devel] [PATCH 2/2] Parse static challenge response in auth-pam plugin

2017-05-05 Thread selva.nair
From: Selva Nair If static challenge is in use, the password passed to the plugin by openvpn is of the form "SCRV1:base64-pass:base64-response". Parse this string to separate it into password and response and use them to respond to queries in the pam conversation function. On the plugin paramete

[Openvpn-devel] [PATCH] v4, travis-ci: add 2 mingw "build only" configurations

2017-05-05 Thread Ilya Shipitsin
Inspired by https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13032.html build options are taken from regular windows installer builds Signed-off-by: Ilya Shipitsin --- v2: moved download/build dependencies into functions, changed cross build detection from shell expansion ${CH

[Openvpn-devel] [PATCH v2] cleanup: merge packet_id_alloc_outgoing() into packet_id_write()

2017-05-05 Thread Steffan Karger
The functions packet_id_alloc_outgoing() and packet_id_write() were always called in tandem. Instead of forcing the caller to allocate a packet_id_net to do so, merge the two functions. This simplifies the API and reduces the chance of mistakes in the future. This patch adds unit tests to verify

[Openvpn-devel] [PATCH] plugins: Replace defer/simple with an improved replacement

2017-05-05 Thread David Sommerseth
The defer-w-pf plug-in is a complete rewrite of the simple.c, which moves the plug-in over to the newer Plug-in v3 API. In addition, it improves the example by adding a lot more comments and code documentation. And it avoids using system() and rather more realistic approaches by using POSIX threa

[Openvpn-devel] Fix for OpenVPN MTU Tunnel computation bug for TLS reconnects

2017-05-05 Thread Dirkjan Bussink
When testing upgrading OpenVPN from 2.3 to 2.4, we ran into an issue where every time the same client reconnects the MTU for the tunnel used shrinks, eventually leading to packets being dropped by OpenVPN. Reproduced the problem with a 2 node setup, one as the server and the other one as a client