longer supported. So conditionalize the workaround on "12.0..12.3",
to be fully removed later when 12.3 is also running out of support.
v2: fix version number comparison
Thanks, that looks better now.
Acked-By: Arne Schwabe
and also the problem with signal ordering.
Acked-By: Arne Schwabe
While reviewing the patch, I noticed that
SIG_SOURCE_SOFT/SIG_SOURCE_HARD seem to be purely informational and
have no other real meaning.
"type %d, del_peer_reason %d", peer_id, dco->dco_message_type,
dco->dco_del_peer_reason);
/* Also clear the buffer if this was incoming packet for a dropped
peer */
buf_init(&dco->dco_packet_in, 0);
Acked-By: Arne Schwabe
so that we bail out immediately when we know that no
message was truly delivered by DCO.
Currently this can be verified by checking that the peer_id is greater
than -1.
I think we should somewhere properly document that peer-id = -1 has this
meaning.
Acked-By: Arne Schw
-By: Arne Schwabe
The place we do the reinitialisation is weird but for now just fix it.
Arne
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
--connect-freq-initial 100 10
to inform an admin about the consequence of this feature.
Patch v2: use strtol instead of atoi to be able to differentiate between
an error parsing and parsing 0. Use int64_t instead of int to
avoid overflow errors.
Signed-off-by: Arne Schwabe
On 27.12.22 at 23:35, Gert Doering wrote:
commit 5e19cc2c1bf22d introduced a workaround for a race condition
that showed itself on IPv6 ifconfig on FreeBSD 12.x - sometimes breaking
IPv6 connectivity on tun/tap interfaces.
This was fixed on the FreeBSD side in 12.4, 13.1 and up, and 13.0 is
no
--connect-freq-initial 100 10
to inform an admin about the consequence of this feature.
Signed-off-by: Arne Schwabe
---
Changes.rst | 4 ++
doc/man-sections/server-options.rst | 19 ++
src/openvpn/Makefile.am | 1 +
src/openvpn/mudp.c | 14
g(M_USAGE, "%s", str);
}
static void
Acked-By: Arne Schwabe
ndaid".
v2: rebase on top of "move dco_installed back to link_socket"
v3: move sock->fd check inside !residual_fully_formed clause (so
we can still handle already-read packets)
Acked-By: Arne Schwabe
The move of going the tcp read path and allowing the
residual_fully_formed pat
e to the log what happened).
This change will kill this particular TCP client instance (SIGTERM),
but leave the rest of the server running fine - and given that
in our tests this issue seems to be triggered by inbound TCP RST
in just the wrong moment, so the TCP connection is gone anyway, it
seems
Instead of getting the server in a very weird state, we bail out here. This
is only a bandaid solution but better than the alternatives.
Signed-off-by: Arne Schwabe
---
src/openvpn/mtcp.c | 2 +-
src/openvpn/multi.c | 10 +-
2 files changed, 10 insertions(+), 2 deletions(-)
diff
Signed-off-by: Arne Schwabe
---
src/openvpn/multi.c | 17 +
1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
index 6c6385c6e..50d88f19a 100644
--- a/src/openvpn/multi.c
+++ b/src/openvpn/multi.c
@@ -3243,10 +3243,19
This enables logging the peer id in p2mp mode if dco is enabled
and the log level is high enough
Signed-off-by: Arne Schwabe
---
src/openvpn/multi.c | 6 ++
1 file changed, 6 insertions(+)
diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
index 50d88f19a..f8366be28 100644
--- a/src
with dco sometimes we end up promoting a timeout event to read event.
For the residual read, this problem is probably not solvable without
changing the kernel DCO API (i.e. passing our residual on new_peer to
let the kernel handle assembling the next packet.)
Signed-off-by: Arne Schwabe
---
src
Signed-off-by: Arne Schwabe
---
src/openvpn/manage.c | 12
1 file changed, 4 insertions(+), 8 deletions(-)
diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c
index be9a38952..7e326702f 100644
--- a/src/openvpn/manage.c
+++ b/src/openvpn/manage.c
@@ -865,8 +865,6
ensures that the pointer is
instead freed when gc_free is called.
Signed-off-by: Arne Schwabe
---
src/openvpn/buffer.c | 33 ++
src/openvpn/buffer.h | 13 ++
src/openvpn/options.c | 6 ++---
tests/unit_tests
ce version
is > 3. Older versions will ignore the count parameter and
behave identically to using count = 1.
Acked-By: Arne Schwabe
Arne
On 08.09.21 at 00:31, selva.n...@gmail.com wrote:
From: Selva Nair
The message
"ERROR: The 'foo' commmand is not supported by current daemon mode"
is repeatedly used in manage.c. Move it to a function for uniformity
in messaging.
v3, v3: no change
Acked-By: Arne S
On 08.09.21 at 00:31, selva.n...@gmail.com wrote:
From: Selva Nair
Currently we allow a max of 64 connection entries and remotes.
A larger number would allow users with 100s of independent
config files for different end points of the same provider to
consolidate them into connection entries.
v2,v3
igned int from, to;
+unsigned int count =
(*man->persist.callback.remote_entry_count)(man->persist.callback.arg);
+
+from = (unsigned int) atoi(p1);
+to = p2? (unsigned int) atoi(p2) : from + 1;
+
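Review bot: `from = (unsigned int) atoi(p1);` and the `atoi(p2)` on the following line give no way to distinguish a parse failure from a literal 0, and a negative or non-numeric argument silently becomes 0 or, once cast to unsigned, a very large value; in the visible lines there is also no check of `from`/`to` against `count` before they are used. Consider `strtol` with an end-pointer check and an explicit range check against `count`, rejecting the command otherwise.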
We probably want a space after p2.
I know this has been very long and we are very close to 2.6 so
On 25.08.21 at 23:02, selva.n...@gmail.com wrote:
From: Selva Nair
The message
"ERROR: The 'foo' commmand is not supported by current daemon mode"
is repeatedly used in manage.c. Move it to a function for uniformity
in messaging.
Acked-By: Arne Schwabe
This p
rn false from the true branches of the if.
There are minor things that could be improved but the current state is
still acceptable.
Acked-By: Arne Schwabe
On 25.12.22 at 00:13, Gert Doering wrote:
Hi,
On Sat, Dec 24, 2022 at 08:42:53PM +0100, Arne Schwabe wrote:
buf_printf(&out, "%s", mroute_addr_print(&mi->real, gc));
+if (mi->context.c2.tls_multi)
+{
+buf_printf(&out, &
Signed-off-by: Arne Schwabe
---
src/openvpn/ssl.c| 16
src/openvpn/ssl.h| 2 +-
src/openvpn/ssl_common.h | 2 +-
3 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 9e5480528..a5fb4fd22 100644
--- a/src
If we get a message from a mismatched packet we need to clear
the incoming message buffer to ensure we can receive another
packet.
Signed-off-by: Arne Schwabe
---
src/openvpn/forward.c | 2 ++
src/openvpn/multi.c | 2 ++
2 files changed, 4 insertions(+)
diff --git a/src/openvpn/forward.c b
wacky state transition that when we have a failed
renegotiation (and move TM_ACTIVE to TM_LAME_DUCK) that a new session of
a peer starts in TM_ACTIVE rather than TM_INITIAL
Signed-off-by: Arne Schwabe
---
src/openvpn/mudp.c | 2 +-
src/openvpn/ssl.c | 99
Signed-off-by: Arne Schwabe
---
src/openvpn/multi.c | 12 +++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
index d29b7efe3..6c6385c6e 100644
--- a/src/openvpn/multi.c
+++ b/src/openvpn/multi.c
@@ -3283,7 +3283,17
Signed-off-by: Arne Schwabe
---
src/openvpn/multi.c | 21 +
1 file changed, 17 insertions(+), 4 deletions(-)
diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
index 6c6385c6e..858d602ca 100644
--- a/src/openvpn/multi.c
+++ b/src/openvpn/multi.c
@@ -473,6 +473,10
kernel.
Signed-off-by: Arne Schwabe
---
src/openvpn/dco.c | 23 ++-
src/openvpn/forward.c | 13 +++--
src/openvpn/init.c| 2 +-
src/openvpn/mtcp.c| 6 +++---
src/openvpn/socket.c | 8
src/openvpn/socket.h | 11 +--
6 files changed, 22
with dco sometimes we end up promoting a timeout event to write
event or read event. For the residual read, this problem is probably
not solvable without changing the kernel DCO API
Signed-off-by: Arne Schwabe
---
src/openvpn/forward.c | 24
src/openvpn/forward.h | 30
freeze
- Unload ovpn-dco sometimes does not work. Getting 'In use by xy ' failures.
- Latest FreeBSD dco module seems to be very broken. Reverting latest commit
fixes it.
Arne Schwabe (9):
Rename TM_UNTRUSTED to TM_INITIAL
Always start session in TM_INITIAL rather than TM
libnl increases the sizes we pass to 8192 anyway. Currently when we have
a lot of events queued we might run into a NLE_NOMEM message and that
terminates the server. So rather let the kernel decide the buffer sizes.
Signed-off-by: Arne Schwabe
---
src/openvpn/dco_linux.c | 3 ---
1 file changed
byte in comparison
Reported-by: Connor Edwards
Signed-off-by: Arne Schwabe
---
src/openvpn/manage.c | 7 ++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c
index b11de224d..5465b7e9b 100644
--- a/src/openvpn/manage.c
+++ b/src
Signed-off-by: Arne Schwabe
---
src/openvpn/dco_freebsd.c | 3 +++
src/openvpn/init.c| 42 ---
2 files changed, 29 insertions(+), 16 deletions(-)
diff --git a/src/openvpn/dco_freebsd.c b/src/openvpn/dco_freebsd.c
index 7f5e69e3e..cd4083c49 100644
My own non-standard cmake based build system found this one. But
even if this is not a problem with the normal autoconf based system
we should still be consistent.
Signed-off-by: Arne Schwabe
---
src/openvpn/dco_freebsd.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src
On 18.12.22 at 20:58, selva.n...@gmail.com wrote:
+--connect-retry n [max]
Wait ``n`` seconds between connection attempts (default :code:`5`).
You were close, but forgot to change the 5 in the next line to also say 1.
Arne
ich breaks persist-tun.
Makes sense
Acked-By: Arne Schwabe
On 15.12.2022 at 20:01, Arne Schwabe wrote:
From: David Sommerseth
If the key_state_gen_auth_control_files() call fails, the code would
just return without freeing the argv container. Instead the code should
jump to an appropriate exit point where memory is being released.
Also adjust the
Edwards
Signed-off-by: Arne Schwabe
---
src/openvpn/manage.c | 6 +-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c
index 9349b62ad..d952618e7 100644
--- a/src/openvpn/manage.c
+++ b/src/openvpn/manage.c
@@ -198,7 +198,11
auth
control files are really pre-created.
Signed-off-by: David Sommerseth
Reported-by: Trail of Bits (TOB-OVPN-2)
Signed-off-by: Arne Schwabe
---
src/openvpn/ssl_verify.c | 6 --
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/openvpn/ssl_verify.c b/src/openvpn
Reported-By: Trail of Bits
Signed-off-by: Arne Schwabe
---
src/openvpn/forward.c | 3 ---
src/openvpn/multi.c | 2 --
2 files changed, 5 deletions(-)
diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c
index 7924fd5c6..c04511ee1 100644
--- a/src/openvpn/forward.c
+++ b/src/openvpn
, so use a comment for now.
[1] https://en.cppreference.com/w/c/language/attributes/fallthrough
Signed-off-by: Arne Schwabe
---
src/openvpn/comp-lz4.c| 1 +
src/openvpn/crypto.c | 1 +
src/openvpn/init.c| 1 +
src/openvpn/lzo.c | 1 +
src/openvpn/options.c | 5
Signed-off-by: Arne Schwabe
---
src/openvpn/misc.h | 1 +
src/openvpn/ntlm.c | 13 +
2 files changed, 14 insertions(+)
diff --git a/src/openvpn/misc.h b/src/openvpn/misc.h
index 2a6c0b8b3..6a883f70a 100644
--- a/src/openvpn/misc.h
+++ b/src/openvpn/misc.h
@@ -67,6 +67,7 @@ struct
remove_iroutes_from_push_route_list problem by looking for similar
problems.
Reported-By: Trail of Bits (TOB-OVPN-4)
Signed-off-by: Arne Schwabe
---
src/openvpn/options.c | 9 -
src/openvpn/push.c| 4 ++--
2 files changed, 6 insertions(+), 7 deletions(-)
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
reported
by Connor Edwards .
Arne Schwabe (7):
Make management password check constant time
Ensure that argument to parse_line has always space for final sentinel
Improve documentation on user/password requirement and unicodize
function
Eliminate or comment empty blocks and switch
Reported-By: Trail of Bits
Signed-off-by: Arne Schwabe
---
src/openvpn/misc.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/openvpn/misc.c b/src/openvpn/misc.c
index d78106cdc..551606e0e 100644
--- a/src/openvpn/misc.c
+++ b/src/openvpn/misc.c
@@ -258,6 +258,7 @@ get_user_pass_cr
to remove that workaround.
Reported-By: Trail of Bits (TOB-OVPN-7)
Signed-off-by: Arne Schwabe
---
src/openvpn/proxy.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/openvpn/proxy.c b/src/openvpn/proxy.c
index ed7201616..633caee09 100644
--- a/src/openvpn/proxy.c
+++ b/src/openv
r all peers every seconds.
Acked-By: Arne Schwabe
ever again, it is better to keep the state correctly.
Signed-off-by: Arne Schwabe
---
src/openvpn/dco.c | 14 +-
1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c
index 36bfbf10a..20196fe5d 100644
--- a/src/openvpn/dco.c
+++ b/src/openvpn
Signed-off-by: Arne Schwabe
---
src/openvpn/dco.c | 18 ++
src/openvpn/dco_linux.c | 10 --
2 files changed, 22 insertions(+), 6 deletions(-)
diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c
index feb38cd02..2396bcbf0 100644
--- a/src/openvpn/dco.c
+++ b/src
When dco_update_keys fails, we are in some weird state that we are
unlikely to recover from since what userspace and kernel space think of
the keys is very likely not in sync anymore. So abandon the
connection if this happens.
Signed-off-by: Arne Schwabe
---
src/openvpn/dco.c | 15
Signed-off-by: Arne Schwabe
---
src/openvpn/dco.c | 7 ---
src/openvpn/dco_linux.c | 10 --
2 files changed, 12 insertions(+), 5 deletions(-)
diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c
index feb38cd02..5cce3f641 100644
--- a/src/openvpn/dco.c
+++ b/src/openvpn/dco.c
On 12.12.22 at 12:56, Lev Stipakov wrote:
From: Lev Stipakov
At the moment BYTECOUNT in,out is pushed if there is traffic.
With DCO, userspace process doesn't see the traffic, so we need
to add a timer which periodically fetches stats from DCO and
pushes to management client. The timer interva
On 12.12.22 at 10:58, Lev Stipakov wrote:
From: Lev Stipakov
In preparation of DCO stats support, simplify
call chains of bytecount routines. No functional changes.
It would be nice to be a bit more verbose about what you are actually
simplifying in the commit message. E.g. inlining all the vario
On 12.12.22 at 14:30, Gert Doering wrote:
Hi,
On Mon, Dec 12, 2022 at 01:50:51PM +0100, Arne Schwabe wrote:
I am not too much into FreeBSD parts, but
+hash_iterator_init(m->hash, &hi);
+
+while ((he = hash_iterator_next(&hi)))
+{
+struct multi_instance *m
On 26.11.22 at 17:26, Max Fillinger wrote:
The current code only checks if the base64-encoded metadata is at most
980 characters. However, that can encode up to 735 bytes of data, while
only up to 733 bytes are allowed. When passing 734 or 735 bytes, openvpn
prints a misleading error message say
On 12.12.22 at 13:34, Lev Stipakov wrote:
Hi,
This is good - I need an API to get stats to make openvpn-gui show
those (via the management interface).
I am not too much into FreeBSD parts, but
+hash_iterator_init(m->hash, &hi);
+
+while ((he = hash_iterator_next(&hi)))
+{
+
On 12.12.22 at 13:03, Gert Doering wrote:
Hi,
On Sat, Nov 26, 2022 at 05:26:48PM +0100, Max Fillinger wrote:
The current code only checks if the base64-encoded metadata is at most
980 characters. However, that can encode up to 735 bytes of data, while
only up to 733 bytes are allowed. When pas
saying that the base64 cannot be
decoded.
This patch checks the decoded length to show an accurate error message.
Acked-By: Arne Schwabe
: Arne Schwabe
duced.
Patch v2: fix spellings of reneg and renegotiations.
Patch v3: expand comment to original_tlscrypt_keydata and commit message,
add Changes.rst
Patch v4: improve commit message, Changes.rst
Signed-off-by: Arne Schwabe
---
Changes.rst | 6 ++
src/op
This disables DCO in both --secret mode and when no encryption/TLS is
used. Also aligns the message with the deprecation warning we have in
place.
Signed-off-by: Arne Schwabe
---
src/openvpn/dco.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/openvpn/dco.c b/src
like --connect-retry 1 3 into his/her
client config and forces the client to reconnect during this time period.
Signed-off-by: Arne Schwabe
---
src/openvpn/mudp.c | 9 +++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/openvpn/mudp.c b/src/openvpn/mudp.c
index bdf35a8ba
compiling test_pkt with windows.
Signed-off-by: Arne Schwabe
---
tests/unit_tests/openvpn/test_pkt.c | 21 -
1 file changed, 20 insertions(+), 1 deletion(-)
diff --git a/tests/unit_tests/openvpn/test_pkt.c
b/tests/unit_tests/openvpn/test_pkt.c
index 615d26c55..e94b2852e 100644
On 07.12.22 at 11:02, Antonio Quartulli wrote:
P2P mode with pre-shared key is deprecated, insecure and should NOT be
used. This said, we still carry it around for a bit and we have to make
sure it does not fight with DCO.
Disable DCO at all when --secret is specified.
Signed-off-by: Antonio Q
On 06.12.22 at 17:19, Gert Doering wrote:
Hi,
On Tue, Dec 06, 2022 at 04:54:38PM +0100, Gert Doering wrote:
I have not server-tested this, as it "should not" make a difference,
and Arne did test this on s390. The full server tests will run
tonight, though.
I *should* have, as that would hav
to
run ./configure.
Signed-off-by: Arne Schwabe
---
src/openvpn/ssl_pkt.c | 4 ++--
tests/unit_tests/openvpn/test_pkt.c | 12 +++-
2 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/src/openvpn/ssl_pkt.c b/src/openvpn/ssl_pkt.c
index 7891e10ee..46bca21d8 100644
This commit consists of two parts.
- explicitly removing an existing peer in p2p mode
- ignoring the ping timeout notification that is generated by the first part
Signed-off-by: Arne Schwabe
---
src/openvpn/dco.c | 9 +
src/openvpn/dco_freebsd.c | 2 ++
src/openvpn/forward.c
When we fail initialising the connection (e.g. P2P cipher NCP), we have
a non-working connection. Even though previous versions would then stay in
this state, it does not really make sense to be in this state until the
keepalive timeout expires and triggers a USR1 anyway.
Signed-off-by: Arne
CO to work as the initial
reconnect working.
Signed-off-by: Arne Schwabe
---
src/openvpn/forward.c| 19 +
src/openvpn/init.c | 6 ++
src/openvpn/ssl.c| 46 +++-
src/openvpn/ssl.h| 1 +
src/openvpn/ssl_common.h |
On 29.11.2022 at 22:04, Gert Doering wrote:
Hi,
On Tue, Nov 29, 2022 at 01:37:56PM -0500, selva.n...@gmail.com wrote:
From: Selva Nair
It seems sometimes comma-separated pulled options have
an offending leading space. Not sure whether that is an error,
but the change here matches the behav
We expect a number of configurations to no longer work with OpenVPN
2.6 and OpenSSL 3.0. This section tries to explain the most common
errors that will come up and how to work around them.
Patch V2: several mistakes highlighted and suggestions made by Frank
included.
Signed-off-by: Arne
+ for more details (Available online under
+
https://github.com/OpenVPN/openvpn/blob/master/doc/man-sections/cipher-negotiation.rst)
Might want to use
https://build.openvpn.net/man/openvpn-2.6/openvpn.8.html#data-channel-cipher-negotiation
instead?
Doesn't exist yet, but will be create
We expect a number of configurations to no longer work with OpenVPN
2.6 and OpenSSL 3.0. This section tries to explain the most common
errors that will come up and how to work around them.
Signed-off-by: Arne Schwabe
---
Changes.rst | 84 +
1
e a failure adding a new peer, we don't try to
set options for that peer or generate keys for it.
Patch v2: fix one comparison checking for 0 instead of -1
Patch v3: make recovery after failing dco_add_peer more robust
and fix the comparison that led to not deleting a peer.
Signed-off-
‘check_malloc_return’ declared here
1076 | check_malloc_return(const void *p)
| ^~~
This is more a quick fix/heads up for other people encountering the issue
on GCC 12.2.0 like on Ubuntu 22.10 until we figure out if this is a bug in
our code or a compiler bug.
Signed-off-by: Arne Schwabe
son checking for 0 instead of -1
Signed-off-by: Arne Schwabe
---
src/openvpn/dco.c| 24
src/openvpn/forward.c| 2 +-
src/openvpn/init.c | 4 ++--
src/openvpn/multi.c | 8
src/openvpn/ssl.c| 1 +
src/openvpn/ssl_common.h |
windows code path
Patch v3: fix mtcp server code path
Signed-off-by: Arne Schwabe
---
src/openvpn/dco.c | 27 +++
src/openvpn/dco_linux.c | 2 +-
src/openvpn/forward.c | 8
src/openvpn/init.c | 2 +-
src/openvpn/mtcp.c | 6 +++---
src/openvpn
pointer is fine. Maybe we should add as a comment that this
function is special in this way.
Acked-By: Arne Schwabe
Arne
On 15.11.2022 at 13:36, Antonio Quartulli wrote:
Hi,
On 15/11/2022 13:29, Arne Schwabe wrote:
We want to check if EARLY_NEG_START is set and reserve the other bits
for future expansions. Right now we also check if all reserved bits are
zero. oops.
Signed-off-by: Arne Schwabe
---
src
We want to check if EARLY_NEG_START is set and reserve the other bits
for future expansions. Right now we also check if all reserved bits are
zero. oops.
Signed-off-by: Arne Schwabe
---
src/openvpn/mudp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/openvpn/mudp.c b
On 14.11.22 at 16:03, Turritopsis Dohrnii Teo En Ming wrote:
Subject: Do most commercial firewall appliances and VPN routers have
OpenVPN-powered SSL VPN?
Good day from Singapore,
On 10 Nov 2022, I saw the logs from Sophos XG210 Firewall SSL VPN client
for Windows. Below are a few lines from
*
dco_get_supported_ciphers()
{
-return "none:AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305";
+return "none:AES-256-GCM:AES-192-GCM:AES-128-GCM:CHACHA20-POLY1305";
}
#endif /* defined(ENABLE_DCO) && defined(TARGET_FREEBSD)
On 11.11.2022 at 11:20, Kristof Provost via Openvpn-devel wrote:
Minor update, but FreeBSD's if_ovpn now also supports AES-192-GCM.
We may as well announce this support.
This seems to be missing the patch.
Arne
To maximise compatibility, allow lying about our MTU in the default OCC
message.
Patch v2: improve documentation
Patch v3: split changing default MTU into its own patch
Patch v5: remove leftover mentions to default MTU
Signed-off-by: Arne Schwabe
---
Changes.rst | 6
This allows tun-mtu to be pushed, but only up to the size of the preallocated
buffers. This is not a perfect solution but should allow most of the use
cases where the mtu is close enough to 1500 (or smaller).
Signed-off-by: Arne Schwabe
Patch v4: rebase for check_session_cipher name change
Patch v5
-digest], 0 bits):
Signed-off-by: Arne Schwabe
---
src/openvpn/crypto.c | 34 ++
1 file changed, 18 insertions(+), 16 deletions(-)
diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index 4a8f514cd..d7e882ae0 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn
Previously this would error out with a M_FATAL message about cipher
not known. Align the mbed TLS version to OpenSSL version and also remove
unreachable code. This manifested in key_print2 running into this
M_FATAL message when used with an AEAD cipher and verb 7.
Signed-off-by: Arne Schwabe
addr_copy_sa is just a single line and putting that simple assignment
into an extra function does not really improve clarity.
Signed-off-by: Arne Schwabe
---
src/openvpn/socket.h | 18 ++
1 file changed, 2 insertions(+), 16 deletions(-)
diff --git a/src/openvpn/socket.h b/src
This allows a bit easier debugging when trying to figure out what kind
of packet triggered a reject/accept.
Signed-off-by: Arne Schwabe
---
src/openvpn/mudp.c | 10 +++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/src/openvpn/mudp.c b/src/openvpn/mudp.c
index 4ab18b72c
the assumption that multiple reads from the SSL
library split a control frame into multiple TLS records.
Signed-off-by: Arne Schwabe
---
src/openvpn/reliable.c| 55 ++
src/openvpn/reliable.h| 32 +++-
src/openvpn/ssl.c | 156
limit, add warning message for
when wrapped tls-crypt-v2 keys will ignore max-packet-size
Signed-off-by: Arne Schwabe
---
Changes.rst | 11 +-
doc/man-sections/link-options.rst | 34 ---
src/openvpn/common.h | 13
windows code path
Signed-off-by: Arne Schwabe
---
src/openvpn/dco.c | 7 ---
src/openvpn/dco_linux.c | 2 +-
src/openvpn/forward.c | 8
src/openvpn/init.c | 2 +-
src/openvpn/mtcp.c | 6 +++---
src/openvpn/socket.c| 8
src/openvpn/socket.h| 12
s there is no delayed purge any
longer -- auth-nocache handling is now done immediately after
writing username/password to the send-buffer.
Acked-By: Arne Schwabe
I think the delaying and complicated logic, which this patch removes,
is the last part of the attempt to try to use the same auth