[Openvpn-devel] [PATCH v2] Fix memory leaks in HMAC initial packet id and dco open tun

2023-03-13 Thread Arne Schwabe
: I3c344af047abe94c0178bde1781eb450f10d157d Signed-off-by: Arne Schwabe --- src/openvpn/dco_freebsd.c | 1 - src/openvpn/dco_linux.c | 1 - src/openvpn/init.c| 2 ++ src/openvpn/mudp.c| 1 + src/openvpn/ssl.c | 11 +++ src/openvpn/ssl.h | 6 ++ 6

[Openvpn-devel] [PATCH] Fix memory leaks in HMAC initial packet id and dco open tun

2023-03-13 Thread Arne Schwabe
The open_tun_dco_generic already allocates the actual_name string; this shadows the allocation in the FreeBSD/Linux specific methods. The HMAC leaks are just forgotten frees/deinitialisations. Change-Id: I3c344af047abe94c0178bde1781eb450f10d157d Signed-off-by: Arne Schwabe --- src/openvpn

Re: [Openvpn-devel] [PATCH 1/3] dns option: allow up to eight addresses per server

2023-03-11 Thread Arne Schwabe
it turned out that our previous idea to have more than one DNS server applied in order of priority does not work in most cases. Thus it became important to be able to specify backup addresses. So instead of doing Acked-By: Arne Schwabe ___ Openvpn-devel

Re: [Openvpn-devel] [PATCH v3] dco: print version to log if available

2023-03-10 Thread Arne Schwabe
if (!fp) Note: this patch should only be merged after "dco: don't use NetLink to exchange control packets" as it uses the same API version as that patch. Acked-By: Arne Schwabe

Re: [Openvpn-devel] [PATCH v2] dco: don't use NetLink to exchange control packets

2023-03-09 Thread Arne Schwabe
that userspace can happily process them as usual. Patch looks good and does what it promises. I ran this through the torture test on Ubuntu 22.04 and Bookworm (Debian 13) and saw no issues. Acked-By: Arne Schwabe

Re: [Openvpn-devel] [PATCH] dco: print FreeBSD version

2023-03-09 Thread Arne Schwabe
On 09.03.23 at 10:26, Kristof Provost via Openvpn-devel wrote: From: Kristof Provost Implement dco_version_string() for FreeBSD. Unlike Linux and Windows the DCO driver is built into the operating system itself, so we log the OS version as a proxy for the DCO version. ---

[Openvpn-devel] [PATCH] Ensure n = 2 is set in key2 structure in tls_crypt_v2_unwrap_client_key

2023-03-09 Thread Arne Schwabe
: Iaeb163d83b95818e0b26faf9d25e7737dc8ecb23 Signed-off-by: Arne Schwabe --- src/openvpn/tls_crypt.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c index 8882d5de0..4f22f8af7 100644 --- a/src/openvpn/tls_crypt.c +++ b/src/openvpn/tls_crypt.c @@ -533,6 +533,7

[Openvpn-devel] [PATCH] Set netlink socket to be non-blocking

2023-03-08 Thread Arne Schwabe
a status in this case that allows us to continue. Change-Id: I35447c23a9350176007df5455bf9451021e9856d Signed-off-by: Arne Schwabe --- src/openvpn/dco_linux.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/openvpn/dco_linux.c b/src/openvpn/dco_linux.c index 1a6566aad..6f1b999bb 100644

Re: [Openvpn-devel] [PATCH] FreeBSD 12.x workaround for IPv6 ifconfig is needed on 12.4 as well

2023-03-08 Thread Arne Schwabe
. If it is *not* set, * "all new interfaces that are not already up" are configured by - * devd + /etc/pccard_ether as "inet6 ifdisabled". + * devd -> /etc/pccard_ether -> /etc/network.subr as "inet6 ifdisabled". * * T

Re: [Openvpn-devel] [PATCH] Avoid warning about missing braces when initialising key struct

2023-03-08 Thread Arne Schwabe
On 08.03.23 at 11:03, Antonio Quartulli wrote: Hi, On 08/03/2023 00:57, Arne Schwabe wrote: This avoids the warning from gcc about initialising the key2 struct Change-Id: Ia73d24923b1efd99263f33ce13d90e04b59bd980 Signed-off-by: Arne Schwabe --- src/openvpn/tls_crypt.c | 3 ++- 1 file

[Openvpn-devel] [PATCH] Avoid warning about missing braces when initialising key struct

2023-03-07 Thread Arne Schwabe
This avoids the warning from gcc about initialising the key2 struct Change-Id: Ia73d24923b1efd99263f33ce13d90e04b59bd980 Signed-off-by: Arne Schwabe --- src/openvpn/tls_crypt.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/openvpn/tls_crypt.c b/src/openvpn

[Openvpn-devel] [PATCH v8] Dynamic tls-crypt for secure soft_reset/session renegotiation

2023-03-07 Thread Arne Schwabe
: Avoid triggering ASSERT added in v7 by properly setting keys.n = 2 when loading tls crypt v2 client keys. Add dyn-tls-crypt to protocol options printout. Signed-off-by: Arne Schwabe --- Changes.rst | 6 ++ src/openvpn/auth_token.h

[Openvpn-devel] [PATCH 2/2] Make sending plain text control message session aware

2023-03-01 Thread Arne Schwabe
session and key but the current users of that (push replies and exit notification) already require the established session to be the active one, so there are no changes needed at the moment. Signed-off-by: Arne Schwabe --- Changes.rst | 3 +++ doc/management-notes.txt | 13 + src

[Openvpn-devel] [PATCH 1/2] Use key_state instead of multi for tls_send_payload parameter

2023-03-01 Thread Arne Schwabe
nge now allows to specify the key_state/TLS session that is used to send the control message. Signed-off-by: Arne Schwabe --- src/openvpn/forward.c | 5 - src/openvpn/ssl.c | 7 ++- src/openvpn/ssl.h | 2 +- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/src/open

[Openvpn-devel] [PATCH] Only update frame calculation if we have a valid link sockets

2023-03-01 Thread Arne Schwabe
sanitiser from llvm/clang finds this. Change-Id: I82a20ac72f60f8770ea1b4ab0c8cdea31868abe7 Signed-off-by: Arne Schwabe --- src/openvpn/init.c | 15 --- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 622239f6b..e6f14f72d 100644

[Openvpn-devel] [PATCH] Improve description of compat-mode

2023-03-01 Thread Arne Schwabe
Explicitly say that the version specified is the one of the peer and not the version we try to emulate. Change-Id: I3bd27a8d34d8cb4896a3b78508b7d16911571543 Signed-off-by: Arne Schwabe --- doc/man-sections/generic-options.rst | 21 +++-- 1 file changed, 15 insertions(+), 6

[Openvpn-devel] [PATCH 1/3] Add siphash reference implementation

2023-02-27 Thread Arne Schwabe
OpenSSL only supports SIPHASH with OpenSSL 3.1 and newer. The source code of siphash is quite small and has a very liberal CC0 license, so include it instead of pulling in an extra library for it. Change-Id: I1292894fe7f537049a97bee97af4419e5e854a00 Signed-off-by: Arne Schwabe --- src/openvpn

[Openvpn-devel] [PATCH 2/3] Implement initial packet reflection protection using bloom filter

2023-02-27 Thread Arne Schwabe
implementing tracking the subnets, so the bloom filter should be relatively easily exchangeable with another data structure. As hash function SIPHASH has been chosen since it was designed for this kind of application. Change-Id: I0a9274cab7fefce3b13c05052fb9a072e0bfa6b9 Signed-off-by: Arne Schwabe

[Openvpn-devel] [PATCH 3/3] Prefer OpenSSL's SIPHASH implementation when available

2023-02-27 Thread Arne Schwabe
: I09aa27caa1a3aab0d1be6118b26d54a1c1bf7aa0 Signed-off-by: Arne Schwabe --- src/openvpn/Makefile.am | 1 + src/openvpn/bloom.c | 14 ++- src/openvpn/bloom.h | 6 + src/openvpn/openvpn.vcxproj | 1 + src/openvpn

Re: [Openvpn-devel] [PATCH 2/5] Fix unaligned access in macOS/Solaris hwaddr

2023-02-26 Thread Arne Schwabe
On 26.02.2023 at 11:02, Gert Doering wrote: Hi, On Mon, Jan 30, 2023 at 06:29:33PM +0100, Arne Schwabe wrote: The undefined behaviour USAN clang checker found this. This fix is a bit messy but so are the original structures. I wonder... +struct sockaddr_dl sdl = { 0

[Openvpn-devel] [PATCH] Exit with a proper message instead of segfault on Android without management

2023-02-20 Thread Arne Schwabe
The Android implementation is relying on the management interface to be always available. Trying to run the Android binary without the management interface outside the app leads to a segfault. Exit with a FATAL error instead. Signed-off-by: Arne Schwabe --- src/openvpn/manage.c | 4 src

Re: [Openvpn-devel] OpenVPN 2.5.9 released

2023-02-16 Thread Arne Schwabe
On 16.02.23 at 14:11, Jonathan K. Bullard wrote: Not yet seeing anything about 2.5.9 at https://openvpn.net/community-downloads/ . (From the New York City metropolitan area.) Maybe caches need updating? I reached out to our website team and

[Openvpn-devel] [PATCH] Add missing check for nl_socket_alloc failure

2023-02-14 Thread Arne Schwabe
This can happen if the memory alloc fails. Signed-off-by: Arne Schwabe --- src/openvpn/dco_linux.c | 8 ++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/src/openvpn/dco_linux.c b/src/openvpn/dco_linux.c index c84f9cfe1..b1103c8d5 100644 --- a/src/openvpn/dco_linux.c +++ b

[Openvpn-devel] [PATCH] Use proper print format/casting when converting msg_channel handle

2023-02-14 Thread Arne Schwabe
converting to a handle to avoid having to ifdef atoll/atol for 32/64 bit. Signed-off-by: Arne Schwabe --- src/openvpn/init.c| 3 ++- src/openvpn/options.c | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 0ad2c7e09..0d50d9189

Re: [Openvpn-devel] [PATCH] Improve format specifier for socket handle in Windows

2023-02-14 Thread Arne Schwabe
On 10.02.23 at 23:07, Antonio Quartulli wrote: Hi, On 10/02/2023 20:54, Selva Nair wrote: I also discussed this with Lev and, despite this being different from what we do in the *nix world (where decimal representations make sense for file descriptors), it seems to be the right

[Openvpn-devel] [PATCH v2 4/4] Reduce initialisation spam from verb <= 3 and print summary instead

2023-02-14 Thread Arne Schwabe
the OPTIONS IMPORT: xx modified that are included in the new messages to D_PUSH_DEBUG (verb 7) since they do not add any useful information anymore. Patch v2: also compile with compression disabled Signed-off-by: Arne Schwabe --- src/openvpn/crypto.c | 4 +- src/openvpn/errlevel.h | 1 + src

[Openvpn-devel] [PATCH 4/4] Reduce initialisation spam from verb <= 3 and print summary instead

2023-02-10 Thread Arne Schwabe
the OPTIONS IMPORT: xx modified that are included in the new messages to D_PUSH_DEBUG (verb 7) since they do not add any useful information anymore. Signed-off-by: Arne Schwabe --- src/openvpn/crypto.c | 4 +- src/openvpn/errlevel.h | 1 + src/openvpn/init.c | 143

[Openvpn-devel] [PATCH 0/4] Collection of miscellaneous patches

2023-02-10 Thread Arne Schwabe
These are a few random patches that could have been sent as single patches to the list but I bundle them here to indicate their "low priority"/impact. Arne Schwabe (4): Combine extra_tun/frame parameter of frame_calculate_payload_overhead Update the last sections in the man page to

[Openvpn-devel] [PATCH] Fix LibreSSL not building in Github Actions

2023-02-10 Thread Arne Schwabe
During the build of LibreSSL portable it pulls in a branch from OpenBSD upstream. Unfortunately they use master there instead of a fixed branch. So we work around this issue. Signed-off-by: Arne Schwabe --- .github/workflows/build.yaml | 8 1 file changed, 8 insertions(+) diff --git

[Openvpn-devel] [PATCH v2 5/5] Add building unit tests with mingw to github actions

2023-02-10 Thread Arne Schwabe
This runs each test in its own action since the order of stderr and stdout is seemingly random in github action Windows output and this way at least test outputs are grouped by test. Patch v2: use -static-libgcc to avoid copying gcc runtime libraries. Signed-off-by: Arne Schwabe --- .github

[Openvpn-devel] [PATCH 3/4] Revise the cipher negotiation about OpenVPN3 in the man page

2023-02-10 Thread Arne Schwabe
. Signed-off-by: Arne Schwabe --- doc/man-sections/cipher-negotiation.rst | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/doc/man-sections/cipher-negotiation.rst b/doc/man-sections/cipher-negotiation.rst index b07176cd2..66afeb835 100644 --- a/doc/man-sections/cipher

[Openvpn-devel] [PATCH 1/4] Combine extra_tun/frame parameter of frame_calculate_payload_overhead

2023-02-10 Thread Arne Schwabe
Instead of passing a value and a bool just pass the value and 0 if the caller does not want the value to be added. This also allows the function to be used by a function without a frame struct. Signed-off-by: Arne Schwabe --- src/openvpn/mss.c | 2 +- src/openvpn/mtu.c | 14 +- src

[Openvpn-devel] [PATCH 2/4] Update the last sections in the man page to be a bit less outdated

2023-02-10 Thread Arne Schwabe
Signed-off-by: Arne Schwabe --- doc/openvpn.8.rst | 11 ++- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/doc/openvpn.8.rst b/doc/openvpn.8.rst index 995467478..415f210ce 100644 --- a/doc/openvpn.8.rst +++ b/doc/openvpn.8.rst @@ -97,6 +97,8 @@ https

[Openvpn-devel] [PATCH 1/2] Add 'allow-compression stub-only' and refuse framing with 'allow-compression no'

2023-02-10 Thread Arne Schwabe
ion no otherwise. This ensures that we only enable DCO when no compression framing is used. Signed-off-by: Arne Schwabe --- Changes.rst | 5 +++ doc/man-sections/protocol-options.rst | 3 ++ src/openvpn/comp.c| 32 + src/openvpn/comp.h

[Openvpn-devel] [PATCH 2/2] Add debug output for sent IV variables in client mode with verb 7

2023-02-10 Thread Arne Schwabe
This helps debugging what information a client is sending without having to use a debugger or to look at the server log. Signed-off-by: Arne Schwabe --- src/openvpn/ssl.c | 19 +++ 1 file changed, 19 insertions(+) diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index

Re: [Openvpn-devel] [PATCH 1/2] Add 'allow-compression stub-only' and refuse framing with 'allow-compression no'

2023-02-10 Thread Arne Schwabe
On 10.02.23 at 10:02, Lev Stipakov wrote: We can certainly add logic that will make the client abort in these cases but that should affect all the other options that are being pushed that the client refuses. At least for compression we know for sure that the tunnel will be broken, doesn't it

Re: [Openvpn-devel] [PATCH 1/2] Add 'allow-compression stub-only' and refuse framing with 'allow-compression no'

2023-02-10 Thread Arne Schwabe
On 10.02.2023 at 09:00, Lev Stipakov wrote: Hi, I found this behavior a bit confusing. First, 2023-02-10 09:53:14 us=187000 Options error: Cannot set comp-lzo to 'no', allow-compression is set to 'no' 2023-02-10 09:53:14 us=187000 OPTIONS IMPORT: compression parms modified parms->params

[Openvpn-devel] [PATCH v2 5/5] Add building unit tests with mingw to github actions

2023-02-09 Thread Arne Schwabe
This runs each test in its own action since the order of stderr and stdout is seemingly random in github action Windows output and this way at least test outputs are grouped by test. Patch v2: use -static-libgcc to avoid copying gcc runtime libraries. Signed-off-by: Arne Schwabe --- .github

[Openvpn-devel] [PATCH] Fix LibreSSL not building in Github Actions

2023-02-09 Thread Arne Schwabe
During the build of LibreSSL portable it pulls in a branch from OpenBSD upstream. Unfortunately they use master there instead of a fixed branch. So we work around this issue. Signed-off-by: Arne Schwabe --- .github/workflows/build.yaml | 8 1 file changed, 8 insertions(+) diff --git

Re: [Openvpn-devel] [PATCH] get_addr_generic: fix server crash in freeaddrinfo on musl libc

2023-02-09 Thread Arne Schwabe
On 09.02.23 at 16:53, Arne Schwabe wrote: On 09.02.23 at 16:36, Petr Štetiar wrote: Server can crash on systems using musl libc when client with comma in commonName tries to connect: ifconfig_pool_read(), in='VPN Client, abc,192.168.1.2,' RESOLVE: Cannot parse IP address: abc: (Name

Re: [Openvpn-devel] [PATCH] get_addr_generic: fix server crash in freeaddrinfo on musl libc

2023-02-09 Thread Arne Schwabe
On 09.02.23 at 16:36, Petr Štetiar wrote: Server can crash on systems using musl libc when client with comma in commonName tries to connect: ifconfig_pool_read(), in='VPN Client, abc,192.168.1.2,' RESOLVE: Cannot parse IP address: abc: (Name does not resolve) as this leads to NULL

[Openvpn-devel] [PATCH 2/2] Add debug output for sent IV variables in client mode with verb 7

2023-02-09 Thread Arne Schwabe
This helps debugging what information a client is sending without having to use a debugger or to look at the server log. Signed-off-by: Arne Schwabe --- src/openvpn/ssl.c | 19 +++ 1 file changed, 19 insertions(+) diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index

[Openvpn-devel] [PATCH 1/2] Add 'allow-compression stub-only' and refuse framing with 'allow-compression no'

2023-02-09 Thread Arne Schwabe
ion no otherwise. This ensures that we only enable DCO when no compression framing is used. Signed-off-by: Arne Schwabe --- Changes.rst | 5 +++ doc/man-sections/protocol-options.rst | 3 ++ src/openvpn/comp.c| 32 + src/openvpn/comp.h

Re: [Openvpn-devel] [PATCH v3 2/3] Build unit tests in mingw Windows build

2023-02-08 Thread Arne Schwabe
testdriver was mistakenly enabled to run, while originally it was only set to build. Corrected. v3: exclude check_engine_keys.sh when cross-compiling As suggested by Arne Schwabe Acked-By: Arne Schwabe Arne

Re: [Openvpn-devel] [PATCH v2 3/3] Add a unit test for functions in cryptoapi.c

2023-02-08 Thread Arne Schwabe
On 08.02.23 at 02:05, Selva Nair wrote: Hi, On Tue, Feb 7, 2023 at 7:18 PM Arne Schwabe wrote: On 04.02.23 at 07:40, selva.n...@gmail.com wrote: > From: Selva Nair

Re: [Openvpn-devel] [PATCH 1/5] Conditionally add subdir-objects option to automake

2023-02-08 Thread Arne Schwabe
On 08.02.2023 at 01:40, Selva Nair wrote: On Tue, Feb 7, 2023 at 7:18 PM Arne Schwabe wrote: From: Selva Nair - Eliminates repeated warnings such as warning: source file '$(openvpn_srcdir)/env_set.c' is in a subdirectory, but option 'subdir-objects' is disabled

Re: [Openvpn-devel] [PATCH v2 3/3] Add a unit test for functions in cryptoapi.c

2023-02-07 Thread Arne Schwabe
On 04.02.23 at 07:40, selva.n...@gmail.com wrote: From: Selva Nair - Though named cryptoapi_testdriver, right now this only tests parsing of thumbprint specified as a selector for --cryptoapicert option. More tests coming... v2: a line that belongs here was mistakenly included in the

[Openvpn-devel] [PATCH 5/5] Add building and running mingw unittests to github actions

2023-02-07 Thread Arne Schwabe
Signed-off-by: Arne Schwabe --- .github/workflows/build.yaml | 110 ++- 1 file changed, 108 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 132624547..c71bd2c4d 100644 --- a/.github/workflows/build.yaml

[Openvpn-devel] [PATCH 0/5] Build and run unittests with mingw in Github actions

2023-02-07 Thread Arne Schwabe
dlls but since these binaries are not meant to be distributed, I don't think it is an issue. Arne Schwabe (3): Do not run check_engine test when crosscompiling Add missing stdint.h includes in unit tests files Add building unit tests with mingw to github actions Selva Nair (2): Conditionally

[Openvpn-devel] [PATCH 1/5] Conditionally add subdir-objects option to automake

2023-02-07 Thread Arne Schwabe
ail-archive.com/openvpn-devel@lists.sourceforge.net/msg00013.html Signed-off-by: Selva Nair Signed-off-by: Arne Schwabe --- configure.ac | 15 ++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index 915000870..95d795c33 100644 --- a/configure

[Openvpn-devel] [PATCH 4/5] Add missing stdint.h includes in unit tests files

2023-02-07 Thread Arne Schwabe
My mingw compiler/headers (mingw-w64 10.0.0 on macOS) seem to be more pedantic than the one that comes with Ubuntu 22.04 (github actions) or any of the other platforms including msvc/normal windows header. Signed-off-by: Arne Schwabe --- tests/unit_tests/example_test/test.c | 1 + tests

[Openvpn-devel] [PATCH 3/5] Do not run check_engine test when crosscompiling

2023-02-07 Thread Arne Schwabe
Signed-off-by: Arne Schwabe --- tests/unit_tests/engine-key/Makefile.am | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tests/unit_tests/engine-key/Makefile.am b/tests/unit_tests/engine-key/Makefile.am index 246222514..0c2888576 100644 --- a/tests/unit_tests/engine-key/Makefile.am +++ b

[Openvpn-devel] [PATCH v2 2/5] Build unit tests in mingw Windows build

2023-02-07 Thread Arne Schwabe
s only set to build. Corrected. Signed-off-by: Selva Nair Signed-off-by: Arne Schwabe --- configure.ac | 2 ++ tests/Makefile.am | 3 +++ tests/unit_tests/example_test/Makefile.am | 2 ++ tests/unit_tests/openvpn/Makefile.am

Re: [Openvpn-devel] [PATCH v3] Get rid of unused 'bool tuntap_buffer' arguments.

2023-02-07 Thread Arne Schwabe
un() where it is, and fix non-WIN32 call from socket.c Acked-By: Arne Schwabe

Re: [Openvpn-devel] [PATCH v2 2/3] Build unit tests in mingw Windows build

2023-02-07 Thread Arne Schwabe
On 04.02.23 at 07:40, selva.n...@gmail.com wrote: From: Selva Nair - Minor changes to the build system to include some dependencies for Windows build - test_tls_crypt not built as it will pull in win32.c and its dependencies - If cross-compiling, "make check" will only build the tests

Re: [Openvpn-devel] [PATCH 1/3] Conditionally add subdir-objects option to automake

2023-02-05 Thread Arne Schwabe
See also past discussion on this topic: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg00013.html Acked-By: Arne Schwabe

Re: [Openvpn-devel] [PATCH 4/4] cryptoapi.c: simplify parsing of thumbprint hex string

2023-02-04 Thread Arne Schwabe
Thanks a lot for that. By adding win32-util.c and -lws2_32 where required, I can now build almost all tests using the autotools framework --- cmocka had to be cross-compiled using cmake which is a pain. I do not particularly like cmake though it's convenient for Windows MSVC build, so

Re: [Openvpn-devel] [PATCH 4/4] cryptoapi.c: simplify parsing of thumbprint hex string

2023-02-03 Thread Arne Schwabe
Well, replying to myself: I tried building the unit tests using cmocka for Windows (cross-compiling using mingw-w64 with locally built cmocka). Unfortunately, none of the tests could be built out of the box because of missing dependencies, so I guess no one is running these tests on

[Openvpn-devel] [PATCH v7] Dynamic tls-crypt for secure soft_reset/session renegotiation

2023-01-31 Thread Arne Schwabe
-off-by: Arne Schwabe --- Changes.rst | 6 ++ src/openvpn/auth_token.h | 2 +- src/openvpn/crypto.c | 7 +- src/openvpn/crypto.h | 16 +++- src/openvpn/init.c| 22 +++--- src/openvpn

[Openvpn-devel] [PATCH 3/5] Update LibreSSL to 3.7.0 in Github actions

2023-01-30 Thread Arne Schwabe
The version 3.5.3 triggers undefined behaviour with the usan sanitizer. Updating LibreSSL to 3.7.0 unfortunately does not fix the issue but at least we are now using a current version. Signed-off-by: Arne Schwabe --- .github/workflows/build.yaml | 4 ++-- 1 file changed, 2 insertions

[Openvpn-devel] [PATCH 5/5] Add undefined and abort on error to clang sanitize builds

2023-01-30 Thread Arne Schwabe
with the latest LibreSSL version) an undefined behaviour in LibreSSL itself. Signed-off-by: Arne Schwabe --- .github/workflows/build.yaml | 10 +- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 132624547..e98ed4544

[Openvpn-devel] [PATCH 1/5] Fix unaligned access in auth-token

2023-01-30 Thread Arne Schwabe
The undefined behaviour USAN clang checker found this. The optimiser of clang/gcc will optimise the memcpy away in the auth_token case and output exactly the same assembly on amd64/arm64 but it is still better to not rely on undefined behaviour. Signed-off-by: Arne Schwabe --- src/openvpn

[Openvpn-devel] [PATCH 2/5] Fix unaligned access in macOS/Solaris hwaddr

2023-01-30 Thread Arne Schwabe
The undefined behaviour USAN clang checker found this. This fix is a bit messy but so are the original structures. Signed-off-by: Arne Schwabe --- src/openvpn/route.c | 32 +++- 1 file changed, 23 insertions(+), 9 deletions(-) diff --git a/src/openvpn/route.c b/src

[Openvpn-devel] [PATCH 4/5] Add printing USAN stack trace on github actions

2023-01-30 Thread Arne Schwabe
This allows identifying the source of undefined behaviour more easily from the github action logs. Signed-off-by: Arne Schwabe --- .github/workflows/build.yaml | 5 + 1 file changed, 5 insertions(+) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 6adb69563

Re: [Openvpn-devel] [PATCH v2] Get rid of unused 'bool tuntap_buffer' arguments.

2023-01-30 Thread Arne Schwabe
tic. It's only ever called from win32.c / overlapped_io_init(). v2: move alloc_buf_sock_tun() to win32.c Acked-By: Arne Schwabe

[Openvpn-devel] [PATCH 1/2] Fix unaligned access in macOS/Solaris hwaddr and auth-token

2023-01-30 Thread Arne Schwabe
are the original structures. Signed-off-by: Arne Schwabe --- src/openvpn/auth_token.c | 10 -- src/openvpn/route.c | 32 +++- 2 files changed, 31 insertions(+), 11 deletions(-) diff --git a/src/openvpn/auth_token.c b/src/openvpn/auth_token.c index 7b963a9c5

[Openvpn-devel] [PATCH 2/2] Add undefined and abort on error to clang sanitize builds

2023-01-30 Thread Arne Schwabe
The -fno-sanitize-recover=all flag ensures that for all errors we actually abort the tests in the automated testing and not just print some errors in red that nobody sees. Also add the undefined tests to catch more bugs Signed-off-by: Arne Schwabe --- .github/workflows/build.yaml | 10

[Openvpn-devel] [PATCH v6] Introduce dynamic tls-crypt for secure soft_reset/session renegotiation

2023-01-26 Thread Arne Schwabe
. Add more comments. Patch v6: consistently call this feature dynamic tls-crypt. Note this changes the export label and makes it incompatible with previous patches. Signed-off-by: Arne Schwabe --- Changes.rst | 6 ++ src/openvpn/auth_token.h

Re: [Openvpn-devel] [PATCH] openvpnmsica: fix adapters discovery logic for DCO

2023-01-24 Thread Arne Schwabe
The ultimate solution to this would be moving adapter creation to MSM, a shared component which adds/removes the DCO driver. However this change is not trivial and requires a lot of work. For the time being we apply this band-aid by excluding Connect-created adapters from enumerations in

Re: [Openvpn-devel] Amend OpenVPN license to allow continued mbed TLS support (allow mbed TLS 3.x linking)

2023-01-16 Thread Arne Schwabe
On 15.01.23 at 17:51, Selva Nair wrote: Hi, On Sun, Jan 15, 2023 at 8:53 AM Arne Schwabe wrote: On 15.01.23 at 14:23, Selva Nair wrote: > Hi, > > We would like to be able to continue to build/ship OpenVPN with mbed

Re: [Openvpn-devel] Amend OpenVPN license to allow continued mbed TLS support (allow mbed TLS 3.x linking)

2023-01-15 Thread Arne Schwabe
Yes but neither mbed TLS nor OpenSSL is a system library on Windows or macOS. And even mbed TLS is sketchy as many distributions do not have it in their base system. So just assume, at least for the sake of argument, that they are not. In that case I think we need this exception. So I am asking

Re: [Openvpn-devel] Amend OpenVPN license to allow continued mbed TLS support (allow mbed TLS 3.x linking)

2023-01-15 Thread Arne Schwabe
On 15.01.23 at 17:12, Илья Шипицин wrote: that means 1) distributing openssl dll for windows installer is illegal 2) distributing openssl/libressl with tunnelblick is illegal It means the exception for OpenSSL applies to it and it is on very solid ground (at least with OpenSSL up to

Re: [Openvpn-devel] Amend OpenVPN license to allow continued mbed TLS support (allow mbed TLS 3.x linking)

2023-01-15 Thread Arne Schwabe
On 15.01.23 at 17:07, Илья Шипицин wrote: just curious, is linking against LibreSSL allowed ? os x Tunnelblick is shipped with both LibreSSL and OpenSSL builds, but neither of them is "system" lib as far as I know. LibreSSL counts as modification of OpenSSL. Arne

Re: [Openvpn-devel] Amend OpenVPN license to allow continued mbed TLS support (allow mbed TLS 3.x linking)

2023-01-15 Thread Arne Schwabe
On 15.01.23 at 16:22, James Bottomley wrote: On Sun, 2023-01-15 at 15:22 +0100, Arne Schwabe wrote: If that's the source of this issue, then I think there's a misunderstanding about the problem the OpenSSL exception is addressing. The problem was that the OpenSSL licence required additional

Re: [Openvpn-devel] Amend OpenVPN license to allow continued mbed TLS support (allow mbed TLS 3.x linking)

2023-01-15 Thread Arne Schwabe
If that's the source of this issue, then I think there's a misunderstanding about the problem the OpenSSL exception is addressing. The problem was that the OpenSSL licence required additional conditions be imposed on the binary as a whole, even though openssl itself was a system library.

Re: [Openvpn-devel] Amend OpenVPN license to allow continued mbed TLS support (allow mbed TLS 3.x linking)

2023-01-15 Thread Arne Schwabe
On 15.01.23 at 14:23, Selva Nair wrote: Hi, We would like to be able to continue to build/ship OpenVPN with mbed TLS. We want all contributors to ask if they agree to license change that adds explicit permission to link with Apache 2 licensed libraries: Special exception for

Re: [Openvpn-devel] Amend OpenVPN license to allow continued mbed TLS support (allow mbed TLS 3.x linking)

2023-01-15 Thread Arne Schwabe
On 15.01.23 at 14:10, Matthias Andree wrote: On 15.01.23 at 12:44, Gert Doering wrote: Hi, On Sat, Jan 14, 2023 at 05:28:09PM -0500, James Bottomley wrote: What do you mean "a source"? every apache licensed library that's statically linked with a GPLv2 program would be an example of this

Re: [Openvpn-devel] Amend OpenVPN license to allow continued mbed TLS support (allow mbed TLS 3.x linking)

2023-01-15 Thread Arne Schwabe
On 15.01.23 at 13:52, Илья Шипицин wrote: subject says "allow mbed TLS 3.x linking". is OpenSSL currently restrictive as well ? Yes that is what the subject says but OpenSSL 3 also uses Apache 2. In layman's terms, the Apache 2 license contains additional protections for users using the

Re: [Openvpn-devel] Amend OpenVPN license to allow continued mbed TLS support (allow mbed TLS 3.x linking)

2023-01-15 Thread Arne Schwabe
On 15.01.23 at 13:21, Илья Шипицин wrote: I am fine with dropping MBED TLS for good Please read the full mail. This also affects OpenSSL. We would like to reaffirm that contributors are still okay linking with OpenSSL even after OpenSSL changed its license to Apache2. Arne

Re: [Openvpn-devel] Amend OpenVPN license to allow continued mbed TLS support (allow mbed TLS 3.x linking)

2023-01-15 Thread Arne Schwabe
If you are okay with this, please reply to this mail and confirm that. Otherwise we might be forced to remove and/or rewrite your code. The GPL, in its spirit, was developed to empower users, not businesses. So, after pondering for many hours about planned obsolescence, vendor respect for the

Re: [Openvpn-devel] Amend OpenVPN license to allow continued mbed TLS support (allow mbed TLS 3.x linking)

2023-01-14 Thread Arne Schwabe
Also for platforms like Android, Windows and macOS we are shipping OpenSSL and mbed TLS ourselves since they are NOT provided by the system. Would I be correct in assuming that the "we" here isn't the openvpn project and is, in fact, some corporation that wants legal cover for its business

Re: [Openvpn-devel] Amend OpenVPN license to allow continued mbed TLS support (allow mbed TLS 3.x linking)

2023-01-14 Thread Arne Schwabe
On 14.01.2023 at 20:57, James Bottomley wrote: On Sat, 2023-01-14 at 18:29 +0100, Arne Schwabe wrote: Hey, This is the first round and will be only to the openvpn-devel list. After that I will also write to individuals' email addresses but I want to start with sending this to the devel list

Re: [Openvpn-devel] Amend OpenVPN license to allow continued mbed TLS support (allow mbed TLS 3.x linking)

2023-01-14 Thread Arne Schwabe
On 14.01.2023 at 19:35, Matthias Andree wrote: On 14.01.23 at 18:29, Arne Schwabe wrote: We also considered going for a change from GPL2 to GPL2+, but we think that GPL3 would hurt the ability to distribute OpenVPN as part of routers or other embedded devices, as the GPL3 has been explicitly

[Openvpn-devel] Amend OpenVPN license to allow continued mbed TLS support (allow mbed TLS 3.x linking)

2023-01-14 Thread Arne Schwabe
Hey, This is the first round and will be only to the openvpn-devel list. After that I will also write to individuals' email addresses, but I want to start with sending this to the devel list. We are writing to you since you are or were a contributor to OpenVPN in the past, and we would like to

[Openvpn-devel] [PATCH] Workaround: make ovpn-dco more reliable

2023-01-12 Thread Arne Schwabe
This workaround avoids the kernel triggering ENOBUFS when the kernel-internal queue is overrun with events of disconnecting clients or similar. This is a workaround until we come up with a more permanent solution. Signed-off-by: Arne Schwabe --- src/openvpn/dco_linux.c | 5 + 1 file changed

Re: [Openvpn-devel] [PATCH] dco: print proper message in case of transport disconnection

2023-01-12 Thread Arne Schwabe
On 12.01.23 at 09:43, Lev Stipakov wrote: Hi, -/* SPDX-License-Identifier: GPL-2.0-only WITH Linux-syscall-note */ +/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ This specific hunk is beyond my pay grade. And we should change it. Currently that header file is incompatible
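Review bot: the hunk swaps the SPDX identifier `GPL-2.0-only` for `GPL-2.0` with no rationale in the visible text; `GPL-2.0` is the deprecated SPDX spelling of the same `GPL-2.0-only` expression, so the change does not by itself alter the license terms. If the intent is to resolve the incompatibility the reply refers to, the commit message should state which license expression the header is meant to carry and why.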

Re: [Openvpn-devel] [PATCH] dco: send SIGUSR1 upon ping timeout

2023-01-11 Thread Arne Schwabe
On 12.01.23 at 01:04, Antonio Quartulli wrote: When a peer is removed with reason "ping expire", we should kill the instance with SIGUSR1 and not SIGTERM. Cc: Arne Schwabe Signed-off-by: Antonio Quartulli -- Arne, I am not 100% sure why, but it seems for ping-restart we always u

[Openvpn-devel] [PATCH v2] Deprecate OCC checking

2023-01-11 Thread Arne Schwabe
and disable-occ as deprecated. Patch v2: change one missed M_WARN to D_OCC Signed-off-by: Arne Schwabe --- Changes.rst | 6 ++ configure.ac | 1 - doc/man-sections/generic-options.rst | 3 ++- doc/man-sections/server-options.rst | 4 ++-- src

[Openvpn-devel] [PATCH] Deprecate OCC checking

2023-01-11 Thread Arne Schwabe
and disable-occ as deprecated. Signed-off-by: Arne Schwabe --- Changes.rst | 6 ++ configure.ac | 1 - doc/man-sections/generic-options.rst | 3 ++- doc/man-sections/server-options.rst | 4 ++-- src/openvpn/errlevel.h | 3 ++- src

Re: [Openvpn-devel] [PATCH] options: Always define options->management_flags

2023-01-11 Thread Arne Schwabe
On 16.12.22 at 14:11, Frank Lichtenheld wrote: On Mon, Dec 12, 2022 at 12:38:41PM +0100, Arne Schwabe wrote: On 27.11.22 at 15:25, Frank Lichtenheld wrote: That makes it possible to remove several preprocessor directives, which is a good thing. The cost should be negligible. Acked-By: Arne

Re: [Openvpn-devel] [PATCH v4] Introduce dynamic tls-crypt for secure soft_reset/session renegotiation

2023-01-11 Thread Arne Schwabe
/*
 * key_id increments to KEY_ID_MASK then recycles back to 1.
 * This way you know that if key_id is 0, it is the first key.
 */
++session->key_id;
session->key_id &= P_KEY_ID_MASK;
if (!session->key_id)
{
    session->key_id = 1;
}
Okay, so

[Openvpn-devel] [PATCH v2] Log peer-id if loglevel is D_DCO_DEBUG and dco is enabled

2023-01-10 Thread Arne Schwabe
This enables logging the peer id in p2mp mode if dco is enabled and the log level is high enough. Patch v2: use check_debug_level to check the current log level. Signed-off-by: Arne Schwabe --- src/openvpn/multi.c | 6 ++ 1 file changed, 6 insertions(+) diff --git a/src/openvpn/multi.c b/src

[Openvpn-devel] [PATCH v5] Add connect-freq-initial option to limit initial connection responses

2023-01-09 Thread Arne Schwabe
return statement. Patch v5: add build files for msvc build Signed-off-by: Arne Schwabe --- Changes.rst | 4 ++ doc/man-sections/server-options.rst | 24 +++ src/openvpn/Makefile.am | 1 + src/openvpn/mudp.c | 14 src/openvpn

[Openvpn-devel] [PATCH v5] Introduce dynamic tls-crypt for secure soft_reset/session renegotiation

2023-01-09 Thread Arne Schwabe
. Signed-off-by: Arne Schwabe --- Changes.rst | 6 ++ src/openvpn/auth_token.h | 2 +- src/openvpn/crypto.c | 7 +- src/openvpn/crypto.h | 16 +++- src/openvpn/init.c| 8 +- src

Re: [Openvpn-devel] [PATCH v4] Introduce dynamic tls-crypt for secure soft_reset/session renegotiation

2023-01-09 Thread Arne Schwabe
On 09.01.23 at 16:01, Frank Lichtenheld wrote: On Mon, Dec 12, 2022 at 12:27:45PM +0100, Arne Schwabe wrote: Currently we have only one slot for renegotiation of the session/keys. If a replayed/faked packet is inserted by a malicious attacker, the legitimate peer cannot renegotiate anymore

[Openvpn-devel] [PATCH v4] Add connect-freq-initial option to limit initial connection responses

2023-01-09 Thread Arne Schwabe
return statement. Signed-off-by: Arne Schwabe --- Changes.rst | 4 ++ doc/man-sections/server-options.rst | 24 +++ src/openvpn/Makefile.am | 1 + src/openvpn/mudp.c | 14 src/openvpn/multi.c | 4 ++ src/openvpn

[Openvpn-devel] [PATCH v3] Add connect-freq-initial option to limit initial connection responses

2023-01-09 Thread Arne Schwabe
. Patch v2: use strtol instead of atoi to be able to differentiate between an error parsing and parsing 0. Use int64_t instead of int to avoid overflow errors. Patch v3: Add message when we start dropping. Add a few fixes to the logic. Improve docs. Signed-off-by: Arne

Re: [Openvpn-devel] [PATCH v2] Undo FreeBSD 12.x workaround on IPv6 ifconfig for 12.4 and up

2023-01-09 Thread Arne Schwabe
is no longer supported. So conditionalize the workaround on "12.0..12.3", to be fully removed later when 12.3 is also running out of support. v2: fix version number comparison Thanks, that looks better now. Acked-By: Arne Schwabe

Re: [Openvpn-devel] [PATCH 3/5] Assign and honour signal priority order

2023-01-06 Thread Arne Schwabe
and also the problem with signal ordering. Acked-By: Arne Schwabe While reviewing the patch, I noticed that SIG_SOURCE_SOFT/SIG_SOURCE_HARD seem to be purely informational and have no other real meaning.

Re: [Openvpn-devel] [PATCH 3/3] dco: improve comment about hidden debug message

2023-01-06 Thread Arne Schwabe
"type %d, del_peer_reason %d", peer_id, dco->dco_message_type, dco->dco_del_peer_reason);
/* Also clear the buffer if this was incoming packet for a dropped peer */
buf_init(&dco->dco_packet_in, 0);
Acked-By: Arne Schwabe
