Re: [Openvpn-devel] [PATCH v2] Undo FreeBSD 12.x workaround on IPv6 ifconfig for 12.4 and up

2023-01-09 Thread Arne Schwabe
longer supported. So conditionalize the workaround on "12.0..12.3", to be fully removed later when 12.3 is also running out of support. v2: fix version number comparison Thanks, that looks better now. Acked-By: Arne Schwabe ___ Ope

Re: [Openvpn-devel] [PATCH 3/5] Assign and honour signal priority order

2023-01-06 Thread Arne Schwabe
and also the problem with signal ordering. Acked-By: Arne Schwabe While reviewing the patch, I noticed that SIG_SOURCE_SOFT/SIG_SOURCE_HARD seem to be purely informational and have no other real meaning.

Re: [Openvpn-devel] [PATCH 3/3] dco: improve comment about hidden debug message

2023-01-06 Thread Arne Schwabe
"type %d, del_peer_reason %d", peer_id, dco->dco_message_type, dco->dco_del_peer_reason); /* Also clear the buffer if this was incoming packet for a dropped peer */ buf_init(&dco->dco_packet_in, 0); Acked-By: Arne Schwabe

Re: [Openvpn-devel] [PATCH 2/3] dco: bail out when no peer-specific message is delivered

2023-01-06 Thread Arne Schwabe
so that we bail out immediately when we know that no message was truly delivered by DCO. Currently this can be verified by checking that the peer_id is greater than -1. I think we should somewhere properly document that peer-id = -1 has this meaning. Acked-By: Arne Schw

Re: [Openvpn-devel] [PATCH 1/3] dco: properly re-initialize dco_del_peer_reason

2023-01-06 Thread Arne Schwabe
-By: Arne Schwabe The place we do the reinitialisation is weird but for now just fix it. Arne

[Openvpn-devel] [PATCH v2] Add connect-freq-initial option to limit initial connection responses

2023-01-06 Thread Arne Schwabe
--connect-freq-initial 100 10 to inform an admin about the consequence of this feature. Patch v2: use strtol instead of atoi to be able to differentiate between an error parsing and parsing 0. Use int64_t instead of int to avoid overflow errors. Signed-off-by: Arne Schwabe

Re: [Openvpn-devel] [PATCH] Undo FreeBSD 12.x workaround on IPv6 ifconfig for 12.4 and up

2023-01-06 Thread Arne Schwabe
Am 27.12.22 um 23:35 schrieb Gert Doering: commit 5e19cc2c1bf22d introduced a workaround for a race condition that showed itself on IPv6 ifconfig on FreeBSD 12.x - sometimes breaking IPv6 connectivity on tun/tap interfaces. This was fixed on the FreeBSD side in 12.4, 13.1 and up, and 13.0 is no

[Openvpn-devel] [PATCH] Add connect-freq-initial option to limit initial connection responses

2023-01-05 Thread Arne Schwabe
--connect-freq-initial 100 10 to inform an admin about the consequence of this feature. Signed-off-by: Arne Schwabe --- Changes.rst | 4 ++ doc/man-sections/server-options.rst | 19 ++ src/openvpn/Makefile.am | 1 + src/openvpn/mudp.c | 14

Re: [Openvpn-devel] [PATCH] options.c: fix format security error when compiling without optimization

2022-12-28 Thread Arne Schwabe
g(M_USAGE, "%s", str); } static void Acked-By: Arne Schwabe

Re: [Openvpn-devel] [PATCH v3] bandaid fix for TCP multipoint server crash with Linux-DCO

2022-12-27 Thread Arne Schwabe
ndaid". v2: rebase on top of "move dco_installed back to link_socket" v3: move sock->fd check inside !residual_fully_formed clause (so we can still handle already-read packets) Acked-By: Arne Schwabe The move of going the tcp read path and allowing the residual_fully_formed pat

Re: [Openvpn-devel] [PATCH] bandaid fix for TCP multipoint server crash with Linux-DCO

2022-12-27 Thread Arne Schwabe
e to the log what happened). This change will kill this particular TCP client instance (SIGTERM), but leave the rest of the server running fine - and given that in our tests this issue seems to be triggered by inbound TCP RST in just the wrong moment, so the TCP connection is gone anyway, it seems

[Openvpn-devel] [PATCH v2 2/4] Bail out when trying to install a TCP socket with residual data to DCO

2022-12-27 Thread Arne Schwabe
Instead of getting the server in a very weird state, we bail out here. This is only a bandaid solution but better than the alternatives. Signed-off-by: Arne Schwabe --- src/openvpn/mtcp.c | 2 +- src/openvpn/multi.c | 10 +- 2 files changed, 10 insertions(+), 2 deletions(-) diff

[Openvpn-devel] [PATCH v2 3/4] Ignore OVPN_DEL_PEER_REASON_USERSPACE to avoid race conditions

2022-12-27 Thread Arne Schwabe
Signed-off-by: Arne Schwabe --- src/openvpn/multi.c | 17 + 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index 6c6385c6e..50d88f19a 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -3243,10 +3243,19

[Openvpn-devel] [PATCH v2 4/4] Log peer-id if loglevel is D_DCO_DEBUG and dco is enabled

2022-12-27 Thread Arne Schwabe
This enables logging the peer id in p2mp mode if dco is enabled and the log level is high enough Signed-off-by: Arne Schwabe --- src/openvpn/multi.c | 6 ++ 1 file changed, 6 insertions(+) diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index 50d88f19a..f8366be28 100644 --- a/src

[Openvpn-devel] [PATCH v2 1/4] Ensure we do not promote a TA_TIMEOUT to a TA_READ event with dco

2022-12-27 Thread Arne Schwabe
with dco sometimes we end up promoting a timeout event to read event. For the residual read, this problem is probably not solvable without changing the kernel DCO API (i.e. passing our residual on new_peer to let the kernel handle assembling the next packet.) Signed-off-by: Arne Schwabe --- src

[Openvpn-devel] [PATCH 1/2] Replace custom min macro and use more C99 style in man_remote_entry_get

2022-12-27 Thread Arne Schwabe
Signed-off-by: Arne Schwabe --- src/openvpn/manage.c | 12 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c index be9a38952..7e326702f 100644 --- a/src/openvpn/manage.c +++ b/src/openvpn/manage.c @@ -865,8 +865,6

[Openvpn-devel] [PATCH 2/2] Replace realloc with new gc_realloc function

2022-12-27 Thread Arne Schwabe
ensures that the pointer is instead freed when gc_free is called. Signed-off-by: Arne Schwabe --- src/openvpn/buffer.c | 33 ++ src/openvpn/buffer.h | 13 ++ src/openvpn/options.c | 6 ++--- tests/unit_tests

[Openvpn-devel] [PATCH v2 2/4] Bail out when trying to install a TCP socket with residual data to DCO

2022-12-26 Thread Arne Schwabe
Instead of getting the server in a very weird state, we bail out here. This is only a bandaid solution but better than the alternatives. Signed-off-by: Arne Schwabe --- src/openvpn/mtcp.c | 2 +- src/openvpn/multi.c | 10 +- 2 files changed, 10 insertions(+), 2 deletions(-) diff

[Openvpn-devel] [PATCH v2 4/4] Log peer-id if loglevel is D_DCO_DEBUG and dco is enabled

2022-12-26 Thread Arne Schwabe
This enables logging the peer id in p2mp mode if dco is enabled and the log level is high enough Signed-off-by: Arne Schwabe --- src/openvpn/multi.c | 6 ++ 1 file changed, 6 insertions(+) diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index 50d88f19a..f8366be28 100644 --- a/src

[Openvpn-devel] [PATCH v2 3/4] Ignore OVPN_DEL_PEER_REASON_USERSPACE to avoid race conditions

2022-12-26 Thread Arne Schwabe
Signed-off-by: Arne Schwabe --- src/openvpn/multi.c | 17 + 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index 6c6385c6e..50d88f19a 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -3243,10 +3243,19

[Openvpn-devel] [PATCH v2 1/4] Ensure we do not promote a TA_TIMEOUT to a TA_READ event with dco

2022-12-26 Thread Arne Schwabe
with dco sometimes we end up promoting a timeout event to read event. For the residual read, this problem is probably not solvable without changing the kernel DCO API (i.e. passing our residual on new_peer to let the kernel handle assembling the next packet.) Signed-off-by: Arne Schwabe --- src

Re: [Openvpn-devel] [PATCH] Allow skipping multiple remotes via management interface

2022-12-26 Thread Arne Schwabe
ce version is > 3. Older versions will ignore the count parameter and behave identically to using count = 1. Acked-By: Arne Schwabe Arne

Re: [Openvpn-devel] [PATCH v3 3/3] Use a template for "unsupported management commands" error

2022-12-26 Thread Arne Schwabe
Am 08.09.21 um 00:31 schrieb selva.n...@gmail.com: From: Selva Nair The message "ERROR: The 'foo' commmand is not supported by current daemon mode" is repeatedly used in manage.c. Move it to a function for uniformity in messaging. v3, v3: no change Acked-By: Arne S

Re: [Openvpn-devel] [PATCH v3 2/3] Permit unlimited connection entries and remotes

2022-12-26 Thread Arne Schwabe
Am 08.09.21 um 00:31 schrieb selva.n...@gmail.com: From: Selva Nair Currently we allow a max of 64 connection entries and remotes. A larger number would allow users with 100's of independent config files for different end points of the same provider to consolidate them to connection entries. v2,v3

Re: [Openvpn-devel] [PATCH v3 1/3] Add remote-count and remote-entry query via management

2022-12-26 Thread Arne Schwabe
igned int from, to; +unsigned int count = (*man->persist.callback.remote_entry_count)(man->persist.callback.arg); + +from = (unsigned int) atoi(p1); +to = p2? (unsigned int) atoi(p2) : from + 1; + We probably want a space after p2. I know this has been very long and we are very close to 2.6 so
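Review bot: the `atoi()` calls on the management-supplied `p1`/`p2` give no error indication, and the cast to `unsigned int` turns a negative or non-numeric argument into 0 or a very large value; the visible lines show no check that `from` and `to` stay at or below `count` before they are used, so a range-checked parse (for example `strtoul` with an explicit end-pointer and upper-bound check against `count`) would make the remote-entry query more robust than the current `from + 1` fallback alone.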

Re: [Openvpn-devel] [PATCH v2 3/3] Use a template for "unsupported management commands" error

2022-12-26 Thread Arne Schwabe
Am 25.08.21 um 23:02 schrieb selva.n...@gmail.com: From: Selva Nair The message "ERROR: The 'foo' commmand is not supported by current daemon mode" is repeatedly used in manage.c. Move it to a function for uniformity in messaging. Acked-By: Arne Schwabe This p

Re: [Openvpn-devel] [PATCH v2 1/3] Add remote-count and remote-entry query via management

2022-12-26 Thread Arne Schwabe
rn false from the true branches of the if. There are minor things that could be improved but the current state is still acceptable. Acked-By: Arne Schwabe

Re: [Openvpn-devel] [PATCH 9/9] Ignore OVPN_DEL_PEER_REASON_USERSPACE to avoid race conditions

2022-12-24 Thread Arne Schwabe
Am 25.12.22 um 00:13 schrieb Gert Doering: Hi, On Sat, Dec 24, 2022 at 08:42:53PM +0100, Arne Schwabe wrote: buf_printf(&out, "%s", mroute_addr_print(&mi->real, gc)); +if (mi->context.c2.tls_multi) +{ +buf_printf(&out, &

[Openvpn-devel] [PATCH 1/9] Rename TM_UNTRUSTED to TM_INITIAL

2022-12-24 Thread Arne Schwabe
Signed-off-by: Arne Schwabe --- src/openvpn/ssl.c| 16 src/openvpn/ssl.h| 2 +- src/openvpn/ssl_common.h | 2 +- 3 files changed, 10 insertions(+), 10 deletions(-) diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 9e5480528..a5fb4fd22 100644 --- a/src

[Openvpn-devel] [PATCH 5/9] Also drop incoming dco packet content when dropping the packet

2022-12-24 Thread Arne Schwabe
If we get a message from a mismatched packet we need to clear the incoming message buffer to ensure we can receive another packet. Signed-off-by: Arne Schwabe --- src/openvpn/forward.c | 2 ++ src/openvpn/multi.c | 2 ++ 2 files changed, 4 insertions(+) diff --git a/src/openvpn/forward.c b

[Openvpn-devel] [PATCH 7/9] Bail out when trying to install a TCP socket with residual data to DCO

2022-12-24 Thread Arne Schwabe
Instead of getting the server in a very weird state, we bail out here. This is only a bandaid solution but better than the alternatives. Signed-off-by: Arne Schwabe --- src/openvpn/mtcp.c | 2 +- src/openvpn/multi.c | 10 +- 2 files changed, 10 insertions(+), 2 deletions(-) diff

[Openvpn-devel] [PATCH 2/9] Always start session in TM_INITIAL rather than TM_ACTIVE or TM_INITIAL

2022-12-24 Thread Arne Schwabe
wacky state transition that when we have a failed renegotiation (and move TM_ACTIVE to TM_LAME_DUCK) that a new session of a peer starts in TM_ACTIVE rather than TM_INITIAL Signed-off-by: Arne Schwabe --- src/openvpn/mudp.c | 2 +- src/openvpn/ssl.c | 99

[Openvpn-devel] [PATCH 8/9] Improve logging when seeing a message for an unknown peer

2022-12-24 Thread Arne Schwabe
Signed-off-by: Arne Schwabe --- src/openvpn/multi.c | 12 +++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index d29b7efe3..6c6385c6e 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -3283,7 +3283,17

[Openvpn-devel] [PATCH 9/9] Ignore OVPN_DEL_PEER_REASON_USERSPACE to avoid race conditions

2022-12-24 Thread Arne Schwabe
Signed-off-by: Arne Schwabe --- src/openvpn/multi.c | 21 + 1 file changed, 17 insertions(+), 4 deletions(-) diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index 6c6385c6e..858d602ca 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -473,6 +473,10

[Openvpn-devel] [PATCH 3/9] Move dco_installed back to link_socket from link_socket.info.actual

2022-12-24 Thread Arne Schwabe
kernel. Signed-off-by: Arne Schwabe --- src/openvpn/dco.c | 23 ++- src/openvpn/forward.c | 13 +++-- src/openvpn/init.c| 2 +- src/openvpn/mtcp.c| 6 +++--- src/openvpn/socket.c | 8 src/openvpn/socket.h | 11 +-- 6 files changed, 22

[Openvpn-devel] [PATCH 4/9] Ensure we do not promote a TA_TIMEOUT to a TA_WRITE/TA_READ event with dco

2022-12-24 Thread Arne Schwabe
with dco sometimes we end up promoting a timeout event to write event or read event. For the residual read, this problem is probably not solvable without changing the kernel DCO API Signed-off-by: Arne Schwabe --- src/openvpn/forward.c | 24 src/openvpn/forward.h | 30

[Openvpn-devel] [PATCH 0/9] Various patches to improve DCO behaviour

2022-12-24 Thread Arne Schwabe
freeze - Unload ovpn-dco sometimes does not work. Getting 'In use by xy ' failures. - Latest FreeBSD dco module seems to be very broken. Reverting latest commit fixes it. Arne Schwabe (9): Rename TM_UNTRUSTED to TM_INITIAL Always start session in TM_INITIAL rather than TM

[Openvpn-devel] [PATCH 6/9] Do not set nl socket buffer size

2022-12-24 Thread Arne Schwabe
libnl increases the sizes we pass to 8192 anyway. Currently when we have a lot of events queued we might run into a NLE_NOMEM message and that terminates the server. So rather let the kernel decide the buffer sizes. Signed-off-by: Arne Schwabe --- src/openvpn/dco_linux.c | 3 --- 1 file changed

[Openvpn-devel] [PATCH v2 1/8] Make management password check constant time

2022-12-20 Thread Arne Schwabe
byte in comparison Reported-by: Connor Edwards Signed-off-by: Arne Schwabe --- src/openvpn/manage.c | 7 ++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c index b11de224d..5465b7e9b 100644 --- a/src/openvpn/manage.c +++ b/src

[Openvpn-devel] [PATCH] Ensure that dco keepalive and mssfix options are also set in pure p2p mode

2022-12-19 Thread Arne Schwabe
Signed-off-by: Arne Schwabe --- src/openvpn/dco_freebsd.c | 3 +++ src/openvpn/init.c| 42 --- 2 files changed, 29 insertions(+), 16 deletions(-) diff --git a/src/openvpn/dco_freebsd.c b/src/openvpn/dco_freebsd.c index 7f5e69e3e..cd4083c49 100644

[Openvpn-devel] [PATCH] Use include "buffer.h" instead of include

2022-12-19 Thread Arne Schwabe
My own non-standard cmake based build system found this one. But even if this is not a problem with the normal autoconf based system we should still be consistent. Signed-off-by: Arne Schwabe --- src/openvpn/dco_freebsd.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src

Re: [Openvpn-devel] [PATCH] Reduce default restart pause to 1 second

2022-12-19 Thread Arne Schwabe
Am 18.12.22 um 20:58 schrieb selva.n...@gmail.com: +--connect-retry n [max] Wait ``n`` seconds between connection attempts (default :code:`5`). You were close, but forgot to change the 5 in the next line to also say 1. Arne

Re: [Openvpn-devel] [PATCH] Do not include auth-token in pulled option digest

2022-12-19 Thread Arne Schwabe
ich breaks persist-tun. Makes sense Acked-By: Arne Schwabe

Re: [Openvpn-devel] [PATCH 2/8] ssl_verify: Fix memleak if creating deferred auth control files fails

2022-12-15 Thread Arne Schwabe
Am 15.12.2022 um 20:01 schrieb Arne Schwabe: From: David Sommerseth If the key_state_gen_auth_control_files() call fails, the code would just return without freeing the argv container. Instead the code should jump to an appropriate exit point where memory is being released. Also adjust the

[Openvpn-devel] [PATCH 1/8] Make management password check constant time

2022-12-15 Thread Arne Schwabe
Edwards Signed-off-by: Arne Schwabe --- src/openvpn/manage.c | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c index 9349b62ad..d952618e7 100644 --- a/src/openvpn/manage.c +++ b/src/openvpn/manage.c @@ -198,7 +198,11

[Openvpn-devel] [PATCH 2/8] ssl_verify: Fix memleak if creating deferred auth control files fails

2022-12-15 Thread Arne Schwabe
auth control files are really pre-created. Signed-off-by: David Sommerseth Reported-by: Trail of Bits (TOB-OVPN-2) Signed-off-by: Arne Schwabe --- src/openvpn/ssl_verify.c | 6 -- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/openvpn/ssl_verify.c b/src/openvpn

[Openvpn-devel] [PATCH 6/8] Remove unused gc_arena

2022-12-15 Thread Arne Schwabe
Reported-By: Trail of Bits Signed-off-by: Arne Schwabe --- src/openvpn/forward.c | 3 --- src/openvpn/multi.c | 2 -- 2 files changed, 5 deletions(-) diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index 7924fd5c6..c04511ee1 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn

[Openvpn-devel] [PATCH 5/8] Eliminate or comment empty blocks and switch fallthrough

2022-12-15 Thread Arne Schwabe
, so use a comment for now. [1] https://en.cppreference.com/w/c/language/attributes/fallthrough Signed-off-by: Arne Schwabe --- src/openvpn/comp-lz4.c| 1 + src/openvpn/crypto.c | 1 + src/openvpn/init.c| 1 + src/openvpn/lzo.c | 1 + src/openvpn/options.c | 5

[Openvpn-devel] [PATCH 4/8] Improve documentation on user/password requirement and unicodize function

2022-12-15 Thread Arne Schwabe
Signed-off-by: Arne Schwabe --- src/openvpn/misc.h | 1 + src/openvpn/ntlm.c | 13 + 2 files changed, 14 insertions(+) diff --git a/src/openvpn/misc.h b/src/openvpn/misc.h index 2a6c0b8b3..6a883f70a 100644 --- a/src/openvpn/misc.h +++ b/src/openvpn/misc.h @@ -67,6 +67,7 @@ struct

[Openvpn-devel] [PATCH 3/8] Ensure that argument to parse_line has always space for final sentinel

2022-12-15 Thread Arne Schwabe
remove_iroutes_from_push_route_list problem by looking for similar problems. Reported-By: Trail of Bits (TOB-OVPN-4) Signed-off-by: Arne Schwabe --- src/openvpn/options.c | 9 - src/openvpn/push.c| 4 ++-- 2 files changed, 6 insertions(+), 7 deletions(-) diff --git a/src/openvpn/options.c b/src/openvpn/options.c

[Openvpn-devel] [PATCH 0/8] Improvement/fixes based on Trail of Bits audit

2022-12-15 Thread Arne Schwabe
reported by Connor Edwards. Arne Schwabe (7): Make management password check constant time Ensure that argument to parse_line has always space for final sentinel Improve documentation on user/password requirement and unicodize function Eliminate or comment empty blocks and switch

[Openvpn-devel] [PATCH 7/8] Fix corner case that might lead to leaked file descriptor

2022-12-15 Thread Arne Schwabe
Reported-By: Trail of Bits Signed-off-by: Arne Schwabe --- src/openvpn/misc.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/openvpn/misc.c b/src/openvpn/misc.c index d78106cdc..551606e0e 100644 --- a/src/openvpn/misc.c +++ b/src/openvpn/misc.c @@ -258,6 +258,7 @@ get_user_pass_cr

[Openvpn-devel] [PATCH 8/8] Deprecate NTLMv1 proxy auth method.

2022-12-15 Thread Arne Schwabe
to remove that workaround. Reported-By: Trail of Bits (TOB-OVPN-7) Signed-off-by: Arne Schwabe --- src/openvpn/proxy.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/openvpn/proxy.c b/src/openvpn/proxy.c index ed7201616..633caee09 100644 --- a/src/openvpn/proxy.c +++ b/src/openv

Re: [Openvpn-devel] [PATCH v2] management: add timer to output BYTECOUNT

2022-12-15 Thread Arne Schwabe
r all peers every seconds. Acked-By: Arne Schwabe

[Openvpn-devel] [PATCH 3/3] Set DCO_NOT_INSTALLED also for keys not in the get_key_scan range

2022-12-13 Thread Arne Schwabe
ever again, it is better to keep the state correctly. Signed-off-by: Arne Schwabe --- src/openvpn/dco.c | 14 +- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c index 36bfbf10a..20196fe5d 100644 --- a/src/openvpn/dco.c +++ b/src/openvpn

[Openvpn-devel] [PATCH 1/3] Improve debug logging of DCO swap key message and Linux dco_new_peer

2022-12-13 Thread Arne Schwabe
Signed-off-by: Arne Schwabe --- src/openvpn/dco.c | 18 ++ src/openvpn/dco_linux.c | 10 -- 2 files changed, 22 insertions(+), 6 deletions(-) diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c index feb38cd02..2396bcbf0 100644 --- a/src/openvpn/dco.c +++ b/src

[Openvpn-devel] [PATCH 2/3] Trigger a USR1 if dco_update_keys fails

2022-12-13 Thread Arne Schwabe
When dco_update_keys fails, we are in some weird state that we are unlikely to recover from since what userspace and kernel space think of the keys is very likely to not be in sync anymore. So abandon the connection if this happens. Signed-off-by: Arne Schwabe --- src/openvpn/dco.c | 15

[Openvpn-devel] [PATCH] Improve debug logging of DCO on Linux

2022-12-13 Thread Arne Schwabe
Signed-off-by: Arne Schwabe --- src/openvpn/dco.c | 7 --- src/openvpn/dco_linux.c | 10 -- 2 files changed, 12 insertions(+), 5 deletions(-) diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c index feb38cd02..5cce3f641 100644 --- a/src/openvpn/dco.c +++ b/src/openvpn/dco.c

Re: [Openvpn-devel] [PATCH 2/2] management: add timer to push BYTECOUNT

2022-12-12 Thread Arne Schwabe
Am 12.12.22 um 12:56 schrieb Lev Stipakov: From: Lev Stipakov At the moment BYTECOUNT in,out is pushed if there is traffic. With DCO, userspace process doesn't see the traffic, so we need to add a timer which periodically fetches stats from DCO and pushes to management client. The timer interva

Re: [Openvpn-devel] [PATCH 1/2] management: refactor bytecount routines

2022-12-12 Thread Arne Schwabe
Am 12.12.22 um 10:58 schrieb Lev Stipakov: From: Lev Stipakov In preparation of DCO stats support, simplify call chains of bytecount routines. No functional changes. It would be nice to be a bit more verbose about what you are actually simplifying in the commit message. E.g. inlining all the vario

Re: [Openvpn-devel] [PATCH 1/4] Read DCO traffic stats from the kernel

2022-12-12 Thread Arne Schwabe
Am 12.12.22 um 14:30 schrieb Gert Doering: Hi, On Mon, Dec 12, 2022 at 01:50:51PM +0100, Arne Schwabe wrote: I am not too much into FreeBSD parts, but +hash_iterator_init(m->hash, &hi); + +while ((he = hash_iterator_next(&hi))) +{ +struct multi_instance *m

Re: [Openvpn-devel] [PATCH 2/2] Fix message for too long tls-crypt-v2 metadata

2022-12-12 Thread Arne Schwabe
Am 26.11.22 um 17:26 schrieb Max Fillinger: The current code only checks if the base64-encoded metadata is at most 980 characters. However, that can encode up to 735 bytes of data, while only up to 733 bytes are allowed. When passing 734 or 735 bytes, openvpn prints a misleading error message say

Re: [Openvpn-devel] [PATCH 1/4] Read DCO traffic stats from the kernel

2022-12-12 Thread Arne Schwabe
Am 12.12.22 um 13:34 schrieb Lev Stipakov: Hi, This is good - I need an API to get stats to make openvpn-gui show those (via the management interface). I am not too much into FreeBSD parts, but +hash_iterator_init(m->hash, &hi); + +while ((he = hash_iterator_next(&hi))) +{ +

Re: [Openvpn-devel] [PATCH 2/2] Fix message for too long tls-crypt-v2 metadata

2022-12-12 Thread Arne Schwabe
Am 12.12.22 um 13:03 schrieb Gert Doering: Hi, On Sat, Nov 26, 2022 at 05:26:48PM +0100, Max Fillinger wrote: The current code only checks if the base64-encoded metadata is at most 980 characters. However, that can encode up to 735 bytes of data, while only up to 733 bytes are allowed. When pas

Re: [Openvpn-devel] [PATCH 2/2] Fix message for too long tls-crypt-v2 metadata

2022-12-12 Thread Arne Schwabe
saying that the base64 cannot be decoded. This patch checks the decoded length to show an accurate error message. Acked-By: Arne Schwabe

Re: [Openvpn-devel] [PATCH 1/2] Correct tls-crypt-v2 metadata length in man page

2022-12-12 Thread Arne Schwabe
: Arne Schwabe

[Openvpn-devel] [PATCH v4] Introduce dynamic tls-crypt for secure soft_reset/session renegotiation

2022-12-12 Thread Arne Schwabe
duced. Patch v2: fix spellings of reneg and renegotiations. Patch v3: expand comment to original_tlscrypt_keydata and commit message, add Changes.rst Patch v4: improve commit message, Changes.rst Signed-off-by: Arne Schwabe --- Changes.rst | 6 ++ src/op

[Openvpn-devel] [PATCH] Disable DCO when TLS mode is not used

2022-12-10 Thread Arne Schwabe
This disables DCO in both --secret mode and when no encryption/TLS is used. Also aligns the message with the deprecation warning we have in place. Signed-off-by: Arne Schwabe --- src/openvpn/dco.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/openvpn/dco.c b/src

[Openvpn-devel] [PATCH] Ignore connection attempts while server is shutting down

2022-12-08 Thread Arne Schwabe
like --connect-retry 1 3 into his/her client config and forces the client to reconnect during this time period. Signed-off-by: Arne Schwabe --- src/openvpn/mudp.c | 9 +++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/src/openvpn/mudp.c b/src/openvpn/mudp.c index bdf35a8ba

[Openvpn-devel] [PATCH] Fix unit test of test_pkt on little endian Linux

2022-12-07 Thread Arne Schwabe
compiling test_pkt with windows. Signed-off-by: Arne Schwabe --- tests/unit_tests/openvpn/test_pkt.c | 21 - 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/tests/unit_tests/openvpn/test_pkt.c b/tests/unit_tests/openvpn/test_pkt.c index 615d26c55..e94b2852e 100644

Re: [Openvpn-devel] [PATCH] disable DCO if --secret is specified

2022-12-07 Thread Arne Schwabe
Am 07.12.22 um 11:02 schrieb Antonio Quartulli: P2P mode with pre-shared key is deprecated, insecure and should NOT be used. This said we still carry it around for a bit and we have to make sure it does not fight with DCO. Disable DCO at all when --secret is specified. Signed-off-by: Antonio Q

Re: [Openvpn-devel] [PATCH applied] Re: Fix connection cookie not including address and fix endianness in test

2022-12-06 Thread Arne Schwabe
Am 06.12.22 um 17:19 schrieb Gert Doering: Hi, On Tue, Dec 06, 2022 at 04:54:38PM +0100, Gert Doering wrote: I have not server-tested this, as it "should not" make a difference, and Arne did test this on s390. The full server tests will run tonight, though. I *should* have, as that would hav

[Openvpn-devel] [PATCH] Fix connection cookie not including address and fix endianness in test

2022-12-06 Thread Arne Schwabe
to run ./configure. Signed-off-by: Arne Schwabe --- src/openvpn/ssl_pkt.c | 4 ++-- tests/unit_tests/openvpn/test_pkt.c | 12 +++- 2 files changed, 9 insertions(+), 7 deletions(-) diff --git a/src/openvpn/ssl_pkt.c b/src/openvpn/ssl_pkt.c index 7891e10ee..46bca21d8 100644

[Openvpn-devel] [PATCH] Allow reconnecting in p2p mode work under FreeBSD

2022-12-01 Thread Arne Schwabe
This commit consists of two parts. - explicitly removing an existing peer in p2p mode - ignoring the ping timeout notification that is generated by the first part Signed-off-by: Arne Schwabe --- src/openvpn/dco.c | 9 + src/openvpn/dco_freebsd.c | 2 ++ src/openvpn/forward.c

[Openvpn-devel] [PATCH] Signal USR1 when connection initialising fails

2022-11-30 Thread Arne Schwabe
When we fail initialising the connection (e.g. P2P cipher NCP), we have a non-working connection. Even though previous versions would then stay in this state, it does not really make sense to be in this state until the keepalive timeout expires and triggers a USR1 anyway. Signed-off-by: Arne

[Openvpn-devel] [PATCH] Introduce connection state for reconnecting peer in p2p

2022-11-30 Thread Arne Schwabe
CO to work as the initial reconnect working. Signed-off-by: Arne Schwabe --- src/openvpn/forward.c| 19 + src/openvpn/init.c | 6 ++ src/openvpn/ssl.c| 46 +++- src/openvpn/ssl.h| 1 + src/openvpn/ssl_common.h |

Re: [Openvpn-devel] [PATCH v2] pull-filter: ignore leading "spaces" in option names

2022-11-29 Thread Arne Schwabe
Am 29.11.2022 um 22:04 schrieb Gert Doering: Hi, On Tue, Nov 29, 2022 at 01:37:56PM -0500, selva.n...@gmail.com wrote: From: Selva Nair It seems sometimes comma-separated pulled options have an offending leading space. Not sure whether that is an error, but the change here matches the behav

[Openvpn-devel] [PATCH v2] Add section about common error with OpenVPN 2.6 and OpenSSL 3.0

2022-11-29 Thread Arne Schwabe
We expect a number of configurations to no longer work with OpenVPN 2.6 and OpenSSL 3.0. This section tries to explain the most common errors that will come up and how to work around them. Patch V2: several mistakes highlighted and suggestions made by Frank included. Signed-off-by: Arne

Re: [Openvpn-devel] [PATCH] Add section about common error with OpenVPN 2.6 and OpenSSL 3.0

2022-11-29 Thread Arne Schwabe
+ for more details (Available online under + https://github.com/OpenVPN/openvpn/blob/master/doc/man-sections/cipher-negotiation.rst) Might want to use https://build.openvpn.net/man/openvpn-2.6/openvpn.8.html#data-channel-cipher-negotiation instead? Doesn't exist yet, but will be create

[Openvpn-devel] [PATCH] Add section about common error with OpenVPN 2.6 and OpenSSL 3.0

2022-11-27 Thread Arne Schwabe
We expect a number of configurations to no longer work with OpenVPN 2.6 and OpenSSL 3.0. This section tries to explain the most common errors that will come up and how to work around them. Signed-off-by: Arne Schwabe --- Changes.rst | 84 + 1

[Openvpn-devel] [PATCH v3 1/3] Use dedicated multi->dco_peer_id for DCO instead of multi->peer_id

2022-11-27 Thread Arne Schwabe
e a failure adding a new peer, we don't try to set options for that peer or generating keys for it. Patch v2: fix one comparison checking for 0 instead of -1 Patch v3: make recovery after failing dco_add_peer more robust and the comparison that led to not deleting a peer. Signed-off-

[Openvpn-devel] [PATCH] [RFC] fix warning with gcc 12.2.0 (compiler bug?)

2022-11-27 Thread Arne Schwabe
‘check_malloc_return’ declared here 1076 | check_malloc_return(const void *p) | ^~~ This more a quick fix/heads up for other people encountering the issue on GCC 12.2.0 like on Ubuntu 22.10 until we figure out if this is a bug in our code or a compiler bug. Signed-off-by: Arne Schwabe

[Openvpn-devel] [PATCH v2 2/3] Use dedicated multi->dco_peer_id for DCO instead of multi->peer_id

2022-11-24 Thread Arne Schwabe
son checking for 0 instead of -1 Signed-off-by: Arne Schwabe --- src/openvpn/dco.c| 24 src/openvpn/forward.c| 2 +- src/openvpn/init.c | 4 ++-- src/openvpn/multi.c | 8 src/openvpn/ssl.c| 1 + src/openvpn/ssl_common.h |

[Openvpn-devel] [PATCH v3 1/3] Move dco_installed from sock->info to sock->info.lsa.actual

2022-11-24 Thread Arne Schwabe
windows code path Patch v3: fix mtcp server code path Signed-off-by: Arne Schwabe --- src/openvpn/dco.c | 27 +++ src/openvpn/dco_linux.c | 2 +- src/openvpn/forward.c | 8 src/openvpn/init.c | 2 +- src/openvpn/mtcp.c | 6 +++--- src/openvpn

Re: [Openvpn-devel] [PATCH] Check if pkcs11_cert is NULL before freeing it

2022-11-23 Thread Arne Schwabe
pointer is fine. Maybe we should add as a comment that this function is special in this way. Acked-By: Arne Schwabe Arne ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [PATCH] Fix logic error in checking early negotiation support check

2022-11-15 Thread Arne Schwabe
On 15.11.2022 at 13:36 Antonio Quartulli wrote: Hi, On 15/11/2022 13:29, Arne Schwabe wrote: We want to check if EARLY_NEG_START is set and reserve the other bits for future expansions. Right now we also check if all reserved bits are zero. oops. Signed-off-by: Arne Schwabe ---   src

[Openvpn-devel] [PATCH] Fix logic error in checking early negotiation support check

2022-11-15 Thread Arne Schwabe
We want to check if EARLY_NEG_START is set and reserve the other bits for future expansions. Right now we also check if all reserved bits are zero. oops. Signed-off-by: Arne Schwabe --- src/openvpn/mudp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/openvpn/mudp.c b

Re: [Openvpn-devel] Do most commercial firewall appliances and VPN routers have OpenVPN-powered SSL VPN?

2022-11-14 Thread Arne Schwabe
On 14.11.22 at 16:03 Turritopsis Dohrnii Teo En Ming wrote: Subject: Do most commercial firewall appliances and VPN routers have OpenVPN-powered SSL VPN? Good day from Singapore, On 10 Nov 2022, I saw the logs from Sophos XG210 Firewall SSL VPN client for Windows. Below are a few lines from

Re: [Openvpn-devel] [PATCH] FreeBSD DCO: support AES-192-GCM

2022-11-11 Thread Arne Schwabe
* dco_get_supported_ciphers() { -return "none:AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305"; +return "none:AES-256-GCM:AES-192-GCM:AES-128-GCM:CHACHA20-POLY1305"; } #endif /* defined(ENABLE_DCO) && defined(TARGET_FREEBSD)

Re: [Openvpn-devel] [PATCH]: FreeBSD DCO supports AES-192-GCM

2022-11-11 Thread Arne Schwabe
On 11.11.2022 at 11:20 Kristof Provost via Openvpn-devel wrote: Minor update, but FreeBSD's if_ovpn now also supports AES-192-GCM. We may as well announce this support. This seems to be missing the patch. Arne ___ Openvpn-devel mailing list Op

[Openvpn-devel] [PATCH v5 2/2] Push server mtu to client when supported and support occ mtu

2022-11-09 Thread Arne Schwabe
To maximise compatibility, allow lying about our MTU in the default OCC message. Patch v2: improve documentation Patch v3: split changing default MTU into its own patch Patch v5: remove leftover mentions to default MTU Signed-off-by: Arne Schwabe --- Changes.rst | 6

[Openvpn-devel] [PATCH v5 1/2] Allow tun-mtu to be pushed

2022-11-09 Thread Arne Schwabe
This allows tun-mtu to be pushed but only up to the size of the preallocated buffers. This is not a perfect solution but should allow most of the use cases where the mtu is close enough to 1500 (or smaller). Signed-off-by: Arne Schwabe Patch v4: rebase for check_session_cipher name change Patch v5

[Openvpn-devel] [PATCH] Add algorithm and bits used in key_print2 method and refactor method

2022-11-09 Thread Arne Schwabe
-digest], 0 bits): Signed-off-by: Arne Schwabe --- src/openvpn/crypto.c | 34 ++ 1 file changed, 18 insertions(+), 16 deletions(-) diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index 4a8f514cd..d7e882ae0 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn

[Openvpn-devel] [PATCH] Fix md_kt_size in mbed TLS when queried for size of "none"

2022-11-09 Thread Arne Schwabe
Previously this would error out with a M_FATAL message about cipher not known. Align the mbed TLS version to OpenSSL version and also remove unreachable code. This manifested in key_print2 running into this M_FATAL message when used with an AEAD cipher and verb 7. Signed-off-by: Arne Schwabe

[Openvpn-devel] [PATCH] Remove unused addr_inet4or6, addr_guess_family and inline addr_copy_sa

2022-11-09 Thread Arne Schwabe
addr_copy_sa is just a single line and putting that simple assignment into an extra function does not really improve clarity. Signed-off-by: Arne Schwabe --- src/openvpn/socket.h | 18 ++ 1 file changed, 2 insertions(+), 16 deletions(-) diff --git a/src/openvpn/socket.h b/src

[Openvpn-devel] [PATCH] Add packet type in accept/reject messages for HMAC packet

2022-11-08 Thread Arne Schwabe
This allows a bit easier debugging when trying to figure out what kind of packet triggered a reject/accept. Signed-off-by: Arne Schwabe --- src/openvpn/mudp.c | 10 +++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/src/openvpn/mudp.c b/src/openvpn/mudp.c index 4ab18b72c

[Openvpn-devel] [PATCH v6 1/2] Refactor/optimise code sending TLS control channel messages

2022-11-04 Thread Arne Schwabe
the assumption that multiple reads from the SSL library split a control frame into multiple TLS records. Signed-off-by: Arne Schwabe --- src/openvpn/reliable.c| 55 ++ src/openvpn/reliable.h| 32 +++- src/openvpn/ssl.c | 156

[Openvpn-devel] [PATCH v6 2/2] Allow setting control channel packet size with max-packet-size

2022-11-04 Thread Arne Schwabe
limit, add warning message for when wrapped tls-crypt-v2 keys will ignore max-packet-size Signed-off-by: Arne Schwabe --- Changes.rst | 11 +- doc/man-sections/link-options.rst | 34 --- src/openvpn/common.h | 13

[Openvpn-devel] [PATCH v2 1/3] Move dco_installed from sock->info to sock->info.lsa.actual

2022-10-26 Thread Arne Schwabe
windows code path Signed-off-by: Arne Schwabe --- src/openvpn/dco.c | 7 --- src/openvpn/dco_linux.c | 2 +- src/openvpn/forward.c | 8 src/openvpn/init.c | 2 +- src/openvpn/mtcp.c | 6 +++--- src/openvpn/socket.c| 8 src/openvpn/socket.h| 12

Re: [Openvpn-devel] [PATCH] Ensure --auth-nocache is handled during renegotiation

2022-10-24 Thread Arne Schwabe
s there is no delayed purge any longer --auth-nocache handling is now done immediately after writing username/password to the send-buffer. Acked-By: Arne Schwabe I think the delaying and complicated logic, which this patch removes, is the last part of the attempt to try to use the same auth
