Samuli Seppänen | 30 May 10:08 2016

Topics for today's (Monday, 30th May 2016) community meeting

Hi,

We're going to have an IRC meeting today starting at 20:00 CEST (18:00 
UTC) on #openvpn-meeting <at> irc.freenode.net. Note that the meeting 
channel has changed and that you do _not_ have to be logged in to 
Freenode to join the channel.

Current topic list along with basic information is here:

<https://community.openvpn.net/openvpn/wiki/Topics-2016-05-30>

If you have any other things you'd like to bring up, respond to this 
mail, send me mail privately or add them to the list yourself.

In case you can't attend the meeting, please feel free to make comments 
on the topics by responding to this email or to the summary email sent 
after the meeting. Whenever possible, we'll also respond to existing, 
related email threads.

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock


openvpn-devel | 25 May 19:57 2016

Add unit testing support

This is a series of two patches that add unit testing support to openvpn.

See https://github.com/OpenVPN/openvpn/pull/44 for a discussion.

Thanks to syzzer for his nitty-gritty review!

Jens

Selva Nair | 25 May 00:53 2016

[PATCH] Pass echo option to systemd-ask-password

Do not mask input when echo is requested. Useful for username
input and sometimes for challenge response.

Signed-off-by: Selva Nair <selva.nair <at> gmail.com>
---
 src/openvpn/console.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/openvpn/console.c b/src/openvpn/console.c
index 86331a1..8a8acb4 100644
--- a/src/openvpn/console.c
+++ b/src/openvpn/console.c
 <at>  <at>  -167,7 +167,10  <at>  <at>  get_console_input_systemd (const char *prompt, const bool echo, char *input, con

   argv_init (&argv);
   argv_printf (&argv, SYSTEMD_ASK_PASSWORD_PATH);
-  argv_printf_cat (&argv, "%s", prompt);
+  if (echo)
+    argv_printf_cat (&argv, "--echo %s", prompt);
+  else
+    argv_printf_cat (&argv, "%s", prompt);

   if ((std_out = openvpn_popen (&argv, NULL)) < 0) {
 	  return false;
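Review bot: the two branches of the new `if (echo)` differ only in the `--echo` prefix, so the prompt can keep being appended unconditionally and only the flag made conditional: `if (echo) argv_printf_cat (&argv, "--echo");` followed by the existing `argv_printf_cat (&argv, "%s", prompt);`. That removes the duplicated prompt line and does not depend on how argv_printf_cat tokenises a format string that contains a space before `%s`. The commit message could also spell out that `--echo` shows the typed value on the terminal, so callers should request it only for non-secret input (username, a visible challenge response), which is what the message already implies.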
--

-- 
1.7.10.4


Jens Neuhalfen | 21 May 19:05 2016

Solaris 11: t_lpback.sh coredump on AES-GCM

Hi,

./t_lpback.sh fails with AES-GCM mode on Solaris 11. CRYPTO_gcm128_setiv from libcrypto seems to jump
into NULL pointer country. 

This is currently no issue for me, but in case anyone cares I put the coredump on
https://www.neuhalfen.name/__downloads__/openvpn/core_solaris11_aes-gcm_crash . 

cheers
Jens

./t_lpback.sh
-n Testing cipher AES-128-CBC...
OK
-n Testing cipher AES-128-CFB...
OK
-n Testing cipher AES-128-CFB1...
OK
-n Testing cipher AES-128-CFB8...
OK
-n Testing cipher AES-128-GCM...
FAILED
Sat May 21 19:01:09 2016 OpenVPN 2.3_git [git:master/b207d8ae9a6b0e99] i386-pc-solaris2.11 [SSL
(OpenSSL)] [IPv6] built on May 21 2016
Sat May 21 19:01:09 2016 library versions: OpenSSL 1.0.1p 9 Jul 2015
Sat May 21 19:01:09 2016 OpenVPN 2.3_git [git:master/b207d8ae9a6b0e99] i386-pc-solaris2.11 [SSL
(OpenSSL)] [IPv6] built on May 21 2016
Sat May 21 19:01:09 2016 Entering OpenVPN crypto self-test mode.
Sat May 21 19:01:09 2016 TESTING ENCRYPT/DECRYPT of packet length=1
Sat May 21 19:01:09 2016 TESTING ENCRYPT/DECRYPT of packet length=2

openvpn-devel | 21 May 11:22 2016

Refactor t_client.sh & improve output formatting

Rationale:
* Cleanup code
* Prepare for better automated integration tests (future)

Move global code into separate functions. Fixup formatting of code. 
Also add table output formatting to t_client.sh:

| ID | TEST                                | RESULT               |
| -- | ----------------------------------- | -------------------- |
|  1 | testing tun/udp/ipv4                | [SUCCESS]            |
|  2 | testing tun/udp/ipv4 with pam       | [FAIL: 5 fails]      |
| -- | ----------------------------------- | -------------------- |
Test sets succeded: 1.
Test sets failed: 2.

For easier review these patches have also been provided via GitHub pull request: 
https://github.com/OpenVPN/openvpn/pull/49

Due to moving code around and indentation changes this patch looks rather large:
 1 file changed, 267 insertions(+), 180 deletions(-).

------------------------------------------------------------------------------
Mobile security can be enabling, not merely restricting. Employees who
bring their own devices (BYOD) to work are irked by the imposition of MDM
restrictions. Mobile Device Manager Plus allows you to control only the
apps on BYO-devices by containerizing them, leaving personal data untouched!
https://ad.doubleclick.net/ddm/clk/304595813;131938128;j
Jens Neuhalfen | 21 May 10:59 2016

Test documentation: What does t_cltsrv.sh do?

Hi,

In my quest to bring better testability to OpenVPN I am documenting some of the test cases.

* t_client.sh runs connect & ping tests against servers
* t_lpback.sh runs the built-in crypto tests
* Can anybody tell me what 't_cltsrv.sh' tests?

Cheers 
Jens
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
samuli | 20 May 11:25 2016

[PATCH] Update contrib/pull-resolv-conf/client.up for no DOMAIN

From: Jeffrey Cutter <jeff_m_cutter <at> yahoo.com>

When no DOMAIN is received from push/pull, do not add either domain or
search to the resolv.conf. Fix typo in comment resolv.con[f]. Only add
new line when using domain or search.

URL: https://github.com/OpenVPN/openvpn/pull/34
Acked-by: Steffan Karger <steffan <at> karger.me>
Signed-off-by: Samuli Seppänen <samuli <at> openvpn.net>
---
 contrib/pull-resolv-conf/client.up | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/contrib/pull-resolv-conf/client.up b/contrib/pull-resolv-conf/client.up
index b28d4d1..8858b47 100644
--- a/contrib/pull-resolv-conf/client.up
+++ b/contrib/pull-resolv-conf/client.up
 <at>  <at>  -50,9 +50,10  <at>  <at>  nl='
 # or
 # "dhcp-option DNS 10.10.10.10" (multiple allowed)

-# each DNS option becomes a "nameserver" option in resolv.con
+# each DNS option becomes a "nameserver" option in resolv.conf
 # if we get one DOMAIN, that becomes "domain" in resolv.conf
 # if we get multiple DOMAINS, those become "search" lines in resolv.conf
+# if we get no DOMAINS, then don't use either domain or search.

 while true; do
   eval fopt=\$foreign_option_${i}
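Review bot: the added comment line ends with a period while the three sibling comment lines above it do not; drop it for consistency, and consider matching the commit message's wording ("no DOMAIN") rather than "no DOMAINS". This hunk only updates the comments; the behaviour change the commit message describes (no domain/search line and no extra newline when nothing was pushed) must live in the second hunk, so the review of the actual logic depends on that part.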
 <at>  <at>  -78,13 +79,15  <at>  <at>  while true; do
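As an added illustration, not the project's contrib/pull-resolv-conf/client.up script that the hunk above modifies, the following POSIX shell function applies the rule the commit message states to the foreign_option_N variables OpenVPN exports for pushed "dhcp-option" values: every DNS option becomes a nameserver line, exactly one DOMAIN becomes a domain line, several DOMAINs become one search line, and no DOMAIN at all produces neither. The is_safe_token filter is my addition, not something the patch contains, and the exact output layout of the real script is not reproduced.

```shell
#!/bin/sh
# Added illustration of the rule in the client.up commit message; this is
# not OpenVPN's own client.up. OpenVPN exports each pushed "dhcp-option" as
# foreign_option_1, foreign_option_2, ... (the hunk above loops over them).
#
#   every "dhcp-option DNS x"     -> "nameserver x"
#   exactly one "dhcp-option DOMAIN" -> "domain d"
#   two or more DOMAIN options    -> one "search d1 d2 ..." line
#   no DOMAIN option              -> neither domain nor search is emitted

nl='
'

# Added defensive check (not in the patch): a pushed option is server-controlled
# input that ends up in a system file, so only a single token made of
# hostname/IP characters is accepted; anything else is dropped.
is_safe_token() {
    case "$1" in
        ''|*[!A-Za-z0-9.:_-]*) return 1 ;;
    esac
    return 0
}

# Print the resolv.conf fragment derived from the foreign_option_N variables.
build_resolv_conf() {
    dns=''
    domains=''
    i=1
    while true; do
        eval fopt=\$foreign_option_${i}
        [ -z "$fopt" ] && break
        case "$fopt" in
            'dhcp-option DNS '*)
                v=${fopt#dhcp-option DNS }
                is_safe_token "$v" && dns="$dns $v" ;;
            'dhcp-option DOMAIN '*)
                v=${fopt#dhcp-option DOMAIN }
                is_safe_token "$v" && domains="$domains $v" ;;
        esac
        i=$((i + 1))
    done

    out=''
    for ns in $dns; do
        out="${out}nameserver ${ns}${nl}"
    done
    set -- $domains
    case $# in
        0) ;;                                   # no DOMAIN: add nothing at all
        1) out="${out}domain $1${nl}" ;;
        *) out="${out}search $*${nl}" ;;
    esac
    printf '%s' "$out"
}

# Constructed sample environment: two nameservers pushed, no DOMAIN.
foreign_option_1='dhcp-option DNS 10.10.10.10'
foreign_option_2='dhcp-option DNS 10.10.10.11'
build_resolv_conf
```

Inside a real --up hook the foreign_option_N variables are already in the environment, so only build_resolv_conf is needed; the sample assignments at the bottom just show the zero-DOMAIN case. The function returns the fragment on stdout rather than writing resolv.conf, so it can be checked before anything touches the system file.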

samuli | 19 May 10:51 2016

[PATCH] Update CONTRIBUTING.rst to allow GitHub PRs for code review purposes

From: Samuli Seppänen <samuli <at> openvpn.net>

Signed-off-by: Samuli Seppänen <samuli <at> openvpn.net>
---
 CONTRIBUTING.rst | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/CONTRIBUTING.rst b/CONTRIBUTING.rst
index 6033097..f87293c 100644
--- a/CONTRIBUTING.rst
+++ b/CONTRIBUTING.rst
 <at>  <at>  -4,15 +4,19  <at>  <at>  CONTRIBUTING TO THE OPENVPN PROJECT
 Patches should be written against the Git "master" branch. Some patches may get
 backported to a release branch.

-We do not currently accept GitHub pull requests for the core OpenVPN project.
-Instead, all patches must be sent to "openvpn-devel" mailing list for review:
+The preferred procedure to send patches to the "openvpn-devel" mailing list:

 - https://lists.sourceforge.net/lists/listinfo/openvpn-devel

-The subject line should preferably be prefixed with [PATCH]. To avoid merging
-issues the patches should be generated with git-format-patch or sent using
-git-send-email. Try to split large patches into small, atomic pieces to make
-reviews easier.
+While we do not merge GitHub pull requests as-is, we do allow their use for code
+review purposes. After the patch has been ACKed (reviewed and accepted), it must
+be sent to the mailing list. This last step does not necessarily need to be done
+by the patch author, although that is definitely recommended.
+
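Review bot: the replacement sentence `The preferred procedure to send patches to the "openvpn-devel" mailing list:` has no main verb; suggest `The preferred procedure is to send patches to the "openvpn-devel" mailing list:`. The removed paragraph about prefixing the subject with [PATCH] and generating patches with git-format-patch or git-send-email is practical guidance contributors still need for the final mailing-list step the new text requires; unless the remainder of the patch (not shown here) restores it, keep that paragraph after the new GitHub paragraph instead of dropping it.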

Kuhr Stefan | 18 May 11:05 2016

New NDIS6 drivers in 2.3.11?

Hello everyone,

I have posted a question in the "Community Project Server Administration Installation Help" forum about the updated NDIS6 drivers in OpenVPN 2.3.11 for Windows. I was advised to subscribe to the developer mailing list and ask there again, so here goes my inquiry from https://forums.openvpn.net/viewtopic.php?f=5&t=21728:

I noticed that the NDIS6 drivers in the Windows port of OpenVPN 2.3.11 (released this week) have been silently updated without notice in the changelog, albeit with the same driver version. It seems to me like there is now another signature on the driver package using the SHA256 digest that has been created using an EV certificate. Is there anything else that has changed in the drivers except for the things I have observed? If there is no other change, what was the reasoning for the driver update? The older drivers from 2.3.10 have been timestamped way before the release of Windows 10, so the new requirement for EV certificates for drivers in Windows 10 cannot be the reason; they will continue to run fine, because timestamping occurred before the ship date of Windows 10. At least this is my understanding of the new EV cert enforcement in Windows 10: if created before the Windows 10 RTM ship date, drivers will work.

Any official comment from the OpenVPN dev team?

Kind regards,

--

Stefan Kuhr


_______________________________________________
ads-tec GmbH
Registered office: 72622 Nürtingen
Register court: Stuttgart HRB 224527

Managing director:
Dipl.-Ing. Thomas Speidel
_______________________________________________

This e-mail may contain confidential and/or privileged
information. If you are not the intended recipient (or have
received this e-mail in error) please notify the sender
immediately and destroy this e-mail. Any unauthorized
copying, disclosure, distribution or other use of the
material or parts thereof are strictly forbidden.
_______________________________________________

Selva Nair | 14 May 05:12 2016

[PATCH (master)] Properly handle possible realloc failure

Signed-off-by: Selva Nair <selva.nair <at> gmail.com>
---
 src/openvpnserv/interactive.c |   10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/src/openvpnserv/interactive.c b/src/openvpnserv/interactive.c
index d83ea65..5ff80fa 100644
--- a/src/openvpnserv/interactive.c
+++ b/src/openvpnserv/interactive.c
 <at>  <at>  -1326,15 +1326,19  <at>  <at>  UpdateWaitHandles (LPHANDLE *handles_ptr, LPDWORD count,
       if (pos == size)
         {
           size += 10;
-          handles = realloc (handles, size * sizeof (HANDLE));
-          if (handles == NULL)
+          LPHANDLE tmp = realloc (handles, size * sizeof (HANDLE));
+          if (tmp == NULL)
             return ERROR_OUTOFMEMORY;
+          else
+            {
+              handles = tmp;
+              *handles_ptr = handles;
+            }
         }
       handles[pos++] = threads->data;
       threads = threads->next;
     }

-  *handles_ptr = handles;
   *count = pos;
   return NO_ERROR;
 }
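Review bot: the `else` after `return ERROR_OUTOFMEMORY;` is redundant; dropping it lets `handles = tmp; *handles_ptr = handles;` sit at the same level as the check and saves a nesting level. The substance is right and deserves a commit body, which is currently empty: with the old code, a successful realloc in one iteration followed by a failed one in a later iteration stored NULL into `handles` and returned before `*handles_ptr = handles;` ran, so the caller was left holding a pointer to the already-freed first block (dangling) while the grown block leaked. Updating `*handles_ptr` right after each successful realloc closes that window, and leaving it untouched when no realloc happened is correct because the pointer has not changed.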
--

-- 
1.7.10.4

Dorian Harmans | 13 May 18:44 2016

[PATCH] Add CHACHA20-POLY1305 ciphersuite IANA name translations.

---
 src/openvpn/ssl.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index ddd0c9b..4291314 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
 <at>  <at>  -146,6 +146,7  <at>  <at>  static const tls_cipher_name_pair tls_cipher_name_translation_table[] = {
     {"DHE-RSA-CAMELLIA128-SHA", "TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA"},
     {"DHE-RSA-CAMELLIA256-SHA256", "TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256"},
     {"DHE-RSA-CAMELLIA256-SHA", "TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA"},
+    {"DHE-RSA-CHACHA20-POLY1305", "TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256"},
     {"DHE-RSA-SEED-SHA", "TLS-DHE-RSA-WITH-SEED-CBC-SHA"},
     {"DH-RSA-SEED-SHA", "TLS-DH-RSA-WITH-SEED-CBC-SHA"},
     {"ECDH-ECDSA-AES128-GCM-SHA256", "TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256"},
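Review bot: the patch has no commit body and, unlike the other patches in this thread, no Signed-off-by line (the `---` follows the subject directly); add a short description naming RFC 7905 as the source of the TLS_*_WITH_CHACHA20_POLY1305_SHA256 IANA names and noting that OpenSSL's own cipher names carry no SHA256 suffix, which is why the translation entries are needed. Placing the entry between the CAMELLIA256-SHA and SEED-SHA rows keeps the table in alphabetical order, as do the two ECDHE hunks below.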
 <at>  <at>  -174,6 +175,7  <at>  <at>  static const tls_cipher_name_pair tls_cipher_name_translation_table[] = {
     {"ECDHE-ECDSA-CAMELLIA128-SHA", "TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-CBC-SHA"},
     {"ECDHE-ECDSA-CAMELLIA256-SHA256", "TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-CBC-SHA256"},
     {"ECDHE-ECDSA-CAMELLIA256-SHA", "TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-CBC-SHA"},
+    {"ECDHE-ECDSA-CHACHA20-POLY1305", "TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256"},
     {"ECDHE-ECDSA-DES-CBC3-SHA", "TLS-ECDHE-ECDSA-WITH-3DES-EDE-CBC-SHA"},
     {"ECDHE-ECDSA-DES-CBC-SHA", "TLS-ECDHE-ECDSA-WITH-DES-CBC-SHA"},
     {"ECDHE-ECDSA-RC4-SHA", "TLS-ECDHE-ECDSA-WITH-RC4-128-SHA"},
 <at>  <at>  -189,6 +191,7  <at>  <at>  static const tls_cipher_name_pair tls_cipher_name_translation_table[] = {
     {"ECDHE-RSA-CAMELLIA128-SHA", "TLS-ECDHE-RSA-WITH-CAMELLIA-128-CBC-SHA"},
     {"ECDHE-RSA-CAMELLIA256-SHA256", "TLS-ECDHE-RSA-WITH-CAMELLIA-256-CBC-SHA256"},
     {"ECDHE-RSA-CAMELLIA256-SHA", "TLS-ECDHE-RSA-WITH-CAMELLIA-256-CBC-SHA"},
+    {"ECDHE-RSA-CHACHA20-POLY1305", "TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256"},
     {"ECDHE-RSA-DES-CBC3-SHA", "TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA"},
     {"ECDHE-RSA-DES-CBC-SHA", "TLS-ECDHE-RSA-WITH-DES-CBC-SHA"},
     {"ECDHE-RSA-RC4-SHA", "TLS-ECDHE-RSA-WITH-RC4-128-SHA"},
--

-- 
2.7.4
