[Openvpn-devel] [PATCH] Fix Ubuntu spelling and duplicate run in Github Actions

2021-09-08 Thread Arne Schwabe
Ubuntu spelling was wrong and the matrix for operating system does not do anything but run the same build twice. --- .github/workflows/build.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index eb2c4f5fe..0

Re: [Openvpn-devel] [PATCH 1/7] simplify condition detecting pure P2P mode

2021-09-07 Thread Arne Schwabe
> > Yes. Makes sense. The change makes it a lot more clear. I think it is > actually not equivalent but the new one is definitively the correct one. > I looked at the code again and I have to actually retract my ACK. The previous code means P2P mode with static key or P2P mode without --pul

Re: [Openvpn-devel] [PATCH 7/7] add message about changing default values

2021-09-06 Thread Arne Schwabe
peers. > > Add warning at startup to notify users about the change. > > Signed-off-by: Arne Schwabe > Signed-off-by: Antonio Quartulli > --- > src/openvpn/options.c | 6 ++ > 1 file changed, 6 insertions(+) > > diff --git a/src/openvpn/options.c b/src/openvp

Re: [Openvpn-devel] [PATCH 6/7] set TLS 1.2 as minimum by default

2021-09-06 Thread Arne Schwabe
controlled via > '--tls-version-min'. > > At the same time automatically set '--tls-version-min' to 1.0 if the > user requires compatibility with versions older than 2.3.7, as that was > the only version supported back then. > > Signed-off-by: Arne Schwabe

Re: [Openvpn-devel] [PATCH 5/7] compat-mode: add --data-cipher-fallback automatically if requested

2021-09-06 Thread Arne Schwabe
at-mode with a version > older than 2.4.0. > > Signed-off-by: Arne Schwabe > Signed-off-by: Antonio Quartulli > --- > doc/man-sections/generic-options.rst | 2 ++ > src/openvpn/options.c| 7 +++ > Acked-By: Arne Schwabe

Re: [Openvpn-devel] [PATCH 3/7] reject compression by default

2021-09-06 Thread Arne Schwabe
options->comp.flags &= ~COMP_F_ALLOW_COMPRESS; > +options->comp.flags |= COMP_F_ALLOW_ASYM; > } > else if (streq(p[1], "yes")) > { > Acked-By: Arne Schwabe ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
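Review bot: in the branch that clears COMP_F_ALLOW_COMPRESS, the added `+options->comp.flags |= COMP_F_ALLOW_ASYM;` means the result is not simply "compression off"; the documentation for this change should spell out what COMP_F_ALLOW_ASYM still permits, so that the subject line "reject compression by default" is not read as refusing compressed traffic in every direction.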

Re: [Openvpn-devel] [PATCH 4/7] do not include --cipher value in data-ciphers

2021-09-06 Thread Arne Schwabe
ile the list of accepted ciphers is specified via --data-ciphers. > > --cipher can still be used for compatibility reasons, but won't affect > the cipher negotiation. > Acked-By: Arne Schwabe

Re: [Openvpn-devel] [PATCH 2/7] compat-mode: allow user to specify version to be compatible with

2021-09-06 Thread Arne Schwabe
more modern and safer > values, while allowing backwards-compatible behaviour on demand. > > The backwards-compatible behaviour is instructed via the config > knob '--compat-mode' implemented in this patch. > > Signed-off-by: Arne Schwabe > Signed-o

Re: [Openvpn-devel] [PATCH 1/7] simplify condition detecting pure P2P mode

2021-09-06 Thread Arne Schwabe
Am 04.09.21 um 11:56 schrieb Antonio Quartulli: > The new condition is equivalent to the old one, but easier to grasp. > > Also add message to inform user that cipher negotiation, in this case, > is indeed disabled. > > Signed-off-by: Arne Schwabe > Signed-off-

Re: [Openvpn-devel] [PATCH v2] Remove support for PF (Packet Filter)

2021-08-30 Thread Arne Schwabe
future. > > v2: > * changed // to /* */ > * changed "NOT IMPLEMENTED" to "REMOVED FEATURE" > * removed extra empty lines after removing ifdef blocks > * clarified on IRC that tls_final has to be removed and therefore that > hunk is correct > * removed mi_pr

Re: [Openvpn-devel] [PATCH] Remove support for PF (Packet Filter)

2021-08-27 Thread Arne Schwabe
> -} > - > OPENVPN_EXPORT int > openvpn_plugin_func_v3(const int v3structver, > struct openvpn_plugin_args_func_in const *args, > @@ -496,21 +362,7 @@ openvpn_plugin_func_v3(const int v3structver, > > case OPENVPN_PLUGIN_TLS_FINAL: > plugin_log(PL

Re: [Openvpn-devel] [PATCH] route.c: pass the right parameter to IN6_IS_ADDR_UNSPECIFIED

2021-08-26 Thread Arne Schwabe
ka 'unsigned char') is not a structure or union if (!IN6_IS_ADDR_UNSPECIFIED(rgi6->gateway.addr_ipv6.s6_addr)) ^~~~ Acked-By: Arne Schwabe

Re: [Openvpn-devel] [PATCH 1/2] Add remote-count and remote-entry query via management

2021-08-25 Thread Arne Schwabe
> > > Actually this else could be possibly eliminated as, in this case, the > callback is not conditionally compiled in. Unlike things like pkcs11-id > support. Will check and simplify. I think in client vs server mode the management interface is still different enough that many of these are a

Re: [Openvpn-devel] [PATCH 1/2] Add remote-count and remote-entry query via management

2021-08-25 Thread Arne Schwabe
> > +static bool > +management_callback_remote_entry(void *arg, unsigned *count, char **remote) > +{ > +assert(arg); > +assert(count); > + > +struct context *c = (struct context *) arg; > +struct connection_list *l = c->options.connection_list; > +bool ret = true; > + > +
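Review bot: management_callback_remote_entry asserts `arg` and `count` but not `remote`, and `l` is taken from `c->options.connection_list` without a visible NULL check; either assert `remote` as well (or document that a NULL `remote` means "count only") and guard the case where no connection list exists before `l` is dereferenced.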

Re: [Openvpn-devel] [PATCH] Minor doc correction: tls-crypt-v2 key generation

2021-08-22 Thread Arne Schwabe
Am 22.08.21 um 17:28 schrieb selva.n...@gmail.com: > From: Selva Nair Makes sense. Acked-By: Arne Schwabe

[Openvpn-devel] [PATCH 1/2] Detect unusable ciphers on patched OpenSSL of RHEL/Centos

2021-08-18 Thread Arne Schwabe
not caught during config initialisation. This also prepares for adding Chacha20-Poly1305 when available to data-ciphers by making the detection logic used to check if cipher_kt_get returns non-NULL work on these systems. Signed-off-by: Arne Schwabe --- src/openvpn/crypto.c | 6 ++ src

[Openvpn-devel] [PATCH 2/2] Include Chacha20-Poly1305 into default --data-ciphers when available

2021-08-18 Thread Arne Schwabe
default in data-ciphers when available. This makes picking Chacha20-Poly1305 easier as it only requires changing the server (by changing priority) or client side (removing AES-GCM from data-ciphers) to change to Chacha20-Poly1305. Signed-off-by: Arne Schwabe --- Changes.rst

Re: [Openvpn-devel] [PATCH] Fix client-pending-auth help message in management interface

2021-08-14 Thread Arne Schwabe
th/client-deny"); > msg(M_CLIENT, "client-kill CID [M]: Kill client instance CID with > message M (def=RESTART)"); > msg(M_CLIENT, "env-filter [level] : Set env-var filter level"); > #ifdef MANAGEMENT_PF > Acked-By: Arne Schwabe

[Openvpn-devel] [PATCH v3] Introduce webauth auth pending method and deprecate openurl

2021-08-13 Thread Arne Schwabe
: incorporate other comments from Selva Signed-off-by: Arne Schwabe --- doc/management-notes.txt| 45 + include/openvpn-plugin.h.in | 2 +- 2 files changed, 32 insertions(+), 15 deletions(-) diff --git a/doc/management-notes.txt b/doc/management-notes.txt

Re: [Openvpn-devel] [PATCH] Replace deprecated mbedtls DRBG update function

2021-08-10 Thread Arne Schwabe
> } > } > Apart from the fact that we might want to abort (M_FATAL) if this fails instead of basically ignoring the error and just logging it, the change is fine. Considering the return status was ignored before, this patch is otherwise good. But failing also does not

Re: [Openvpn-devel] [PATCH] Replace deprecated mbedtls DRBG update function

2021-08-10 Thread Arne Schwabe
Am 10.08.21 um 12:17 schrieb Maximilian Fillinger: >> From: Arne Schwabe [mailto:a...@rfc2549.org] >> Sent: Tuesday 10 August 2021 12:12 >> To: Maximilian Fillinger ; openvpn- >> de...@lists.sourceforge.net >> Subject: Re: [Openvpn-devel] [PATCH] Replace dep

Re: [Openvpn-devel] [PATCH] Replace deprecated mbedtls DRBG update function

2021-08-10 Thread Arne Schwabe
Am 10.08.21 um 08:16 schrieb Max Fillinger: > +#if MBEDTLS_VERSION_NUMBER < 0x0210 Is that really 2.16? Looking at the API doc (https://tls.mbed.org/api/version_8h.html#adb4f54ebb33fd1a25e2c4d4480cf4936) it sounds like there should be a 16 in that number. Arne
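As an added illustration of why the literal in that `#if` matters (this is not mbedTLS or OpenVPN code): the helpers below pack and unpack version numbers under the assumption that mbedTLS lays out MBEDTLS_VERSION_NUMBER as 0xMMNNPP00, major, minor and patch in the top three bytes and a zero low byte, so that 2.16.0 is 0x02100000 (the 16 is there, written in hex as 0x10). The function names are my own, and cutoff_is_plausible() is a sanity check for cutoff literals used in preprocessor comparisons.

```c
#include <stdbool.h>
#include <stdint.h>

/* Added example, not mbedTLS or OpenVPN code. Assumption: mbedTLS packs
 * MBEDTLS_VERSION_NUMBER as 0xMMNNPP00 (major, minor, patch, zero byte),
 * so 2.16.0 is 0x02100000; the "16" is present, written in hex as 0x10. */

/* Pack major.minor.patch the way the library's version.h is assumed to. */
uint32_t mbedtls_style_version(unsigned major, unsigned minor, unsigned patch)
{
    return ((uint32_t)major << 24) | ((uint32_t)minor << 16) | ((uint32_t)patch << 8);
}

/* Component accessors for a packed number. */
unsigned version_major(uint32_t packed) { return (packed >> 24) & 0xffu; }
unsigned version_minor(uint32_t packed) { return (packed >> 16) & 0xffu; }
unsigned version_patch(uint32_t packed) { return (packed >> 8) & 0xffu; }

/* Emulates `#if MBEDTLS_VERSION_NUMBER < cutoff` for one library build. */
bool takes_legacy_branch(uint32_t library_version, uint32_t cutoff)
{
    return library_version < cutoff;
}

/* Plausibility check for a cutoff literal: anything below the packed
 * form of 1.0.0 cannot be a real release, so a `<` comparison against
 * it is never true and the "old library" branch is dead code.
 * 0x0210 fails this check; 0x02100000 passes it. */
bool cutoff_is_plausible(uint32_t cutoff)
{
    return cutoff >= mbedtls_style_version(1, 0, 0);
}
```

With the packed layout, `MBEDTLS_VERSION_NUMBER < 0x0210` is false for every release that has ever existed, which is a different failure from the "missing 16" reading: the branch guarded by the `#if` is simply never compiled.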

[Openvpn-devel] [PATCH v3] Modernise OpenVPN defaults and introduce '--compat-mode'

2021-08-05 Thread Arne Schwabe
option and not as a means to provide 100% compatibility. Patch v2: rebase Patch v3: Fix version number off by a factor of 10 Signed-off-by: Arne Schwabe --- Changes.rst | 23 +++ doc/man-sections/generic-options.rst | 21 ++ src/openvpn/comp.h | 1

[Openvpn-devel] [PATCH v2] Modernise OpenVPN defaults and introduce '--compat-mode'

2021-08-02 Thread Arne Schwabe
and not as a means to provide 100% compatibility. Patch v2: rebase Signed-off-by: Arne Schwabe --- Changes.rst | 23 +++ doc/man-sections/generic-options.rst | 21 ++ src/openvpn/comp.h | 1 + src/openvpn/options.c| 97

[Openvpn-devel] [PATCH] Modernise OpenVPN defaults and introduce '--compat-mode'

2021-08-02 Thread Arne Schwabe
and not as a means to provide 100% compatibility. Signed-off-by: Arne Schwabe --- Changes.rst | 23 +++ doc/man-sections/generic-options.rst | 21 ++ src/openvpn/comp.h | 1 + src/openvpn/options.c| 97

[Openvpn-devel] [PATCH v2] Remove unistd.h from unit test

2021-08-02 Thread Arne Schwabe
the unit tests do not compile under Windows since Windows does not provide a unistd.h header. The header is still included on Unix platforms via syshead.h Signed-off-by: Arne Schwabe --- tests/unit_tests/openvpn/test_argv.c | 1 - tests/unit_tests/openvpn/test_auth_token.c | 1 - tests

[Openvpn-devel] [PATCH v3] Add example script demonstrating TOTP via auth-pending

2021-08-02 Thread Arne Schwabe
Signed-off-by: Arne Schwabe Patch v3: Some minor cleanups in the script (rename CNs, add more comments) Signed-off-by: Arne Schwabe --- doc/man-sections/script-options.rst | 3 + sample/sample-scripts/totpauth.py | 111 2 files changed, 114 insertions

[Openvpn-devel] [PATCH v3] Add detailed man page section to setup a OpenVPN setup with peer-fingerprint

2021-07-28 Thread Arne Schwabe
. Patch V2: Fix grammar/spelling mistakes (thanks ticantech), move to openvpn-examples(5). Patch v3: use server.key and server.crt instead of server.pem/serverkey.pem Signed-off-by: Arne Schwabe --- Changes.rst | 4 + doc/Makefile.am

[Openvpn-devel] [PATCH v2] Introduce webauth auth pending method and deprecate openurl

2021-07-28 Thread Arne Schwabe
-by: Arne Schwabe --- doc/management-notes.txt| 41 ++--- include/openvpn-plugin.h.in | 2 +- 2 files changed, 30 insertions(+), 13 deletions(-) diff --git a/doc/management-notes.txt b/doc/management-notes.txt index c20344298..d794a4a98 100644 --- a/doc

[Openvpn-devel] [PATCH v2] Support NCP in pure P2P VPN setups

2021-07-28 Thread Arne Schwabe
nt to push_peer_info, fix push_peer_info >= 2 that should be > 2 Signed-off-by: Arne Schwabe --- src/openvpn/init.c | 99 +++ src/openvpn/options.c | 8 +- src/openvpn/ssl.c | 133 ++ src/op

Re: [Openvpn-devel] [PATCH v2 9/9] Support NCP in pure P2P VPN setups

2021-07-28 Thread Arne Schwabe
> > nice idea! :) Thanks! >> + >> +void >> +p2p_mode_ncp(struct tls_multi *multi, struct tls_session *session) >> +{ >> +/* Set the common options */ >> +p2p_ncp_set_options(multi, session); >> + >> +struct gc_arena gc = gc_new(); >> + >> +/* Query the common cipher here to log
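Review bot: in p2p_mode_ncp the arena from `struct gc_arena gc = gc_new();` is created after p2p_ncp_set_options(); every exit path of the function needs a matching gc_free(&gc), so declare the arena at the top of the function (or immediately before its first use, with the free right after) to keep the pairing obvious.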

[Openvpn-devel] [PATCH v2] Fix OpenVPN querying user/password if auth-token with user expires

2021-07-23 Thread Arne Schwabe
Signed-off-by: Arne Schwabe --- src/openvpn/init.c | 1 + src/openvpn/ssl.c | 1 - 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/src/openvpn/init.c b/src/openvpn/init.c index a1401e805..d5d192663 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -595,6 +595,7

Re: [Openvpn-devel] [PATCH] Fix OpenVPN querying user/password if auth-token with user expires

2021-07-23 Thread Arne Schwabe
Am 23.07.21 um 08:40 schrieb Gert Doering: > Hi, > > On Thu, Jul 22, 2021 at 06:24:09PM +0200, Arne Schwabe wrote: >> @@ -3116,6 +3117,7 @@ do_init_crypto_tls(struct context *c, const unsigned >> int flags) >> to.auth_token_generate = o

[Openvpn-devel] [PATCH] Fix OpenVPN querying user/password if auth-token with user expires

2021-07-22 Thread Arne Schwabe
The problematic behaviour happens when starting a profile without auth-user-pass and connecting to a server that pushes auth-token. When the auth token expires OpenVPN asks for auth user and password again. The problem is that auth_user_pass_setup sets auth_user_pass_enabled = true; This function is

Re: [Openvpn-devel] [PATCH v2 9/9] Support NCP in pure P2P VPN setups

2021-07-20 Thread Arne Schwabe
Am 20.07.21 um 02:00 schrieb Antonio Quartulli: > Hi, > > This patch does not apply on top of master + v6-cleanup + 8/9 > Can you rebase it? or maybe you can point me to some commit in your > branch that I can pull for now? > > Cheers, > > Sure the dco branch on github.com/schwabe/openvpn i

[Openvpn-devel] [PATCH v6] Cleanup handling of initial auth token

2021-07-19 Thread Arne Schwabe
ogical place, general cleanups, add session id mismatch check Patch v6: Rework some comments and general cleanup of small things Signed-off-by: Arne Schwabe --- doc/man-sections/server-options.rst| 4 +- src/openvpn/auth_token.c | 89 -- src/openvpn/

Re: [Openvpn-devel] [PATCH v5] Cleanup handling of initial auth token

2021-07-19 Thread Arne Schwabe
>> /* >> * reuse the same session id and timestamp and null terminate it at >> * for base64 decode it only decodes the session id part of it >> */ > > This comment above does not make much sense to me, but since it has been > there since "ever", I'd suggest

Re: [Openvpn-devel] [PATCH] Introduce webauth auth pending method and deprecate openurl

2021-07-16 Thread Arne Schwabe
Am 16.07.21 um 14:18 schrieb Arne Schwabe: > The experience with openurl/OPEN_URL has shown that just sending > a URL to a client is not enough and we often need different > behaviour of the client depending on circumstances. Replace > OPEN_URL with a more flexible WEBAUTH pending

[Openvpn-devel] [PATCH] Introduce webauth auth pending method and deprecate openurl

2021-07-16 Thread Arne Schwabe
The experience with openurl/OPEN_URL has shown that just sending a URL to a client is not enough and we often need different behaviour of the client depending on circumstances. Replace OPEN_URL with a more flexible WEBAUTH pending auth method. Signed-off-by: Arne Schwabe --- doc/management

[Openvpn-devel] [PATCH v5] Cleanup handling of initial auth token

2021-07-13 Thread Arne Schwabe
ogical place, general cleanups, add session id mismatch check Signed-off-by: Arne Schwabe --- doc/man-sections/server-options.rst| 4 +- src/openvpn/auth_token.c | 76 +- src/openvpn/auth_token.h | 9 +++ src/op

[Openvpn-devel] [PATCH v4] Cleanup handling of initial auth token

2021-07-11 Thread Arne Schwabe
he TLS session reaches its fully authenticated state. Signed-off-by: Arne Schwabe --- doc/man-sections/server-options.rst| 4 +- src/openvpn/auth_token.c | 58 -- src/openvpn/auth_token.h | 9 src/openvpn/

[Openvpn-devel] [PATCH v3 7/9] Cleanup handling of initial auth token

2021-07-06 Thread Arne Schwabe
e only available as commercial OpenVPN Connect client and not in use anymore. Patch V2: rebase. Patch V3: fix formatting, clarifying commit message, remove initial token workaround for old v3. Signed-off-by: Arne Schwabe --- doc/man-sections/server-options.rst| 4 +-- src/o

[Openvpn-devel] [PATCH v3 6/9] Introduce S_GENERATED_KEYS state and generate keys only when authenticated

2021-07-05 Thread Arne Schwabe
in deferred state (ks->authenticated == KS_DEFERRED) will not have data channel keys generated. This avoids corner cases where a not fully authenticated session might leak data. Signed-off-by: Arne Schwabe Patch v2: rebased Patch v3: fix crash in non TLS mode Signed-off-by: Arne Schw

[Openvpn-devel] [PATCH] Ensure tls session is authenticated before sending push reply

2021-06-24 Thread Arne Schwabe
We ensure here that the tls session is authenticated before sending a push_reply. This is part of the fix for CVE-2020-15078 in the master branch. --- src/openvpn/push.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/openvpn/push.c b/src/openvpn/push.c index b6f1252d2..b27f401

[Openvpn-devel] [PATCH] Fix tls-cert-profile broken on OpenSSL 1.1+

2021-06-23 Thread Arne Schwabe
Commit bc36d9d569 removed the autoconf detection of various OpenSSL functions. This overlooked HAVE_SSL_CTX_SET_SECURITY_LEVEL check in tls_ctx_set_cert_profile. Replace this also with a version number based check. Tested with LibreSSL on OpenBSD 6.8, OpenSSL 1.1 and wolfSSL. Signed-off-by: Arne

Re: [Openvpn-devel] TLS Error: local/remote TLS keys are out of sync

2021-06-14 Thread Arne Schwabe
Am 14.06.21 um 16:21 schrieb Antonio Quartulli: > Hi, > > On 14/06/2021 15:58, Arne Schwabe wrote: >>> At this point I'd ask, why not re-moving/ignoring --hand-window entirely >>> and live with the 60s default? >> >> >> That is one of the ma

Re: [Openvpn-devel] TLS Error: local/remote TLS keys are out of sync

2021-06-14 Thread Arne Schwabe
> > Ok, after clarifying in chat, I understood that the time needed by a > peer to elect a key as "usable" is defined by auth_deferred_expire_window(). > > If reneg-sec is smaller than hand-window (which is 60s by default) then > we can have this particular situation. > > Now, we are assuming th

Re: [Openvpn-devel] TLS Error: local/remote TLS keys are out of sync

2021-06-13 Thread Arne Schwabe
Am 14.06.21 um 03:01 schrieb Antonio Quartulli: > Hi, > > On 14/06/2021 02:56, Arne Schwabe wrote: >> Am 14.06.21 um 02:24 schrieb Antonio Quartulli: >>> @Arne, ideas? >>> >> >> Yes. When reneg-sec is below 60 or 120 (would need to double check), you

Re: [Openvpn-devel] TLS Error: local/remote TLS keys are out of sync

2021-06-13 Thread Arne Schwabe
Am 14.06.21 um 02:24 schrieb Antonio Quartulli: > @Arne, ideas? > Yes. When reneg-sec is below 60 or 120 (would need to double check), you need that value on both server and client since otherwise the timeouts for changing active keys mismatch as the value is 60s normally but changes if reneg-sec

Re: [Openvpn-devel] [PATCH v2 2/9] Implement auth-token-user

2021-06-11 Thread Arne Schwabe
Am 11.06.21 um 02:41 schrieb Antonio Quartulli: > Hi, > > On 20/05/2021 17:11, Arne Schwabe wrote: >> When not using username and password (i.e. auth-user-pass) it can still make >> sense to provide the client with an auth-token, e.g. for allowing a session to >> continu

[Openvpn-devel] [PATCH] Avoid resending reset reply more than once per client packet

2021-06-10 Thread Arne Schwabe
considered bad in a protocol. This patch fixes the problem by keeping the normal original retry logic intact but adds a flag to initial packets that are held back to be retransmitted until we have another packet from the client. Signed-off-by: Arne Schwabe --- src/openvpn/reliable.c | 52

Re: [Openvpn-devel] [PATCH] Add github actions

2021-06-09 Thread Arne Schwabe
Am 09.06.21 um 08:26 schrieb Gert Doering: > Hi, > > On Tue, Jun 08, 2021 at 05:24:34PM +0200, Arne Schwabe wrote: >> +steps: >> + - name: Install dependencies >> +run: sudo apt update && sudo apt install -y mingw-w64 libtool >> automake
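Review bot: `sudo apt update && sudo apt install -y mingw-w64 libtool automake` installs unpinned toolchain packages on every run; that is acceptable for a pure build check, but if these jobs ever produce artefacts that get published, pin the action and package versions so the build is reproducible.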

[Openvpn-devel] [PATCH] Silence warning about format string in check_ca_required

2021-06-08 Thread Arne Schwabe
clang does not like if the format argument of printf like function is not a string literal: warning: format string is not a string literal (potentially insecure) Use "%s" as string literal to silence the warning. Signed-off-by: Arne Schwabe --- src/openvpn/options.c | 2 +- 1 file
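The warning that commit message silences is the classic format-string pitfall, and the following C program is an added illustration of it, not OpenVPN code. log_msg() is a hypothetical stand-in for OpenVPN's msg(): the real function carries a printf format attribute, which is how clang spots the non-literal format; the stand-in deliberately has none so both call styles compile and the difference shows at run time. render_unsafe() passes a run-time string as the format, render_safe() applies the "%s" fix from the commit, and the sample text is constructed for the demo.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical printf-like logger standing in for OpenVPN's msg(). The real
 * msg() carries a printf format attribute, which is what lets clang report
 * "format string is not a string literal (potentially insecure)". This
 * stand-in deliberately has no attribute so that both call styles compile
 * and the difference shows up at run time instead. */
static void log_msg(char *out, size_t out_len, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, out_len, fmt, ap);
    va_end(ap);
}

/* The pattern the warning flags: a run-time string used as the format.
 * Every '%' in text is interpreted as a conversion. With "%s", "%x" or
 * "%n" it would read (or write through) arguments that were never
 * passed, which is undefined behaviour and the classic format-string bug. */
const char *render_unsafe(const char *text)
{
    static char buf[128];
    log_msg(buf, sizeof buf, text);
    return buf;
}

/* The fix the commit applies: "%s" is the literal format and the text is
 * an argument, so the text is copied verbatim whatever it contains. */
const char *render_safe(const char *text)
{
    static char buf[128];
    log_msg(buf, sizeof buf, "%s", text);
    return buf;
}

/* Constructed input containing "%%". This case is well defined for both
 * variants (so the demo is safe to run) and still shows the unsafe
 * variant altering the message. */
const char SAMPLE_TEXT[] = "CN=50%% off, O=Example";

int main(void)
{
    printf("unsafe: %s\n", render_unsafe(SAMPLE_TEXT));
    printf("safe:   %s\n", render_safe(SAMPLE_TEXT));
    return 0;
}
```

The "%%" input is chosen because it is the one case where the unsafe call is still well defined; with attacker-controlled text containing "%s" or "%n" the same call reads or writes through non-existent arguments, which is why the warning says "potentially insecure" even when the string happens to come from a configuration check.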

[Openvpn-devel] [PATCH] Add github actions

2021-06-08 Thread Arne Schwabe
building on macOS and Windows (not included in this commit). The matrix is a bit different than Coverity and uses different Ubuntu versions with their native OpenSSL (1.0.2, 1.1.1)/mbed TLS instead of manually compiling different OpenSSL versions on just Ubuntu 20.04. Signed-off-by: Arne Schwabe

[Openvpn-devel] [PATCH v4 4/9] Make waiting on auth an explicit state in the context state machine

2021-06-04 Thread Arne Schwabe
from management being ignored Patch v4: Fix race condition, we need to accept the config from management if we are in CAS_WAITING_AUTH or earlier states and not just in CAS_WAITING_AUTH state Signed-off-by: Arne Schwabe --- src/openvpn/multi.c | 7 +-- src/openvpn/ssl.c

[Openvpn-devel] [PATCH v3 4/9] Make waiting on auth an explicit state in the context state machine

2021-06-04 Thread Arne Schwabe
from management being ignored Signed-off-by: Arne Schwabe --- src/openvpn/multi.c | 7 +-- src/openvpn/ssl.c| 9 - src/openvpn/ssl_common.h | 1 + 3 files changed, 10 insertions(+), 7 deletions(-) diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index 3f9710134

Re: [Openvpn-devel] [PATCH 0/2] AUTH_PENDING docs and related

2021-06-02 Thread Arne Schwabe
Am 02.06.21 um 05:42 schrieb selva.n...@gmail.com: > From: Selva Nair > > I couldn't figure out the details of how to use CR_TEXT or OPEN_URL > from the docs. This is an attempt to improve the documentation based > on my reading of the sources and some guess-work. > > I might have edited somethi

Re: [Openvpn-devel] [PATCH 2/2] Fix parsing of IV_SSO string

2021-06-02 Thread Arne Schwabe
eak; > } > -client_method = strtok(NULL, ":"); > +client_method = strtok(NULL, ","); > } > > gc_free(&gc); > Yes. Stupid copy&paste mistake from my side. Acked-By: Arne Schwabe
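Review bot: the separator in `+client_method = strtok(NULL, ",");` now matches the comma-separated IV_SSO list; add a unit test under tests/unit_tests that feeds an IV_SSO value with several methods so this split cannot silently regress to ':' again.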

Re: [Openvpn-devel] [PATCH 1/2] Improve documentation of AUTH_PENDING related directives

2021-06-02 Thread Arne Schwabe
pointed out. Acked-By: Arne Schwabe

Re: [Openvpn-devel] [PATCH] Do not require CA when peer-fingerprint is used

2021-06-01 Thread Arne Schwabe
Am 24.05.21 um 20:45 schrieb selva.n...@gmail.com: > From: Selva Nair > > Fix --ca or --ca-path check when --pkcs11-id or --cryptoapicert > is used with --peer-fingerprint. > > The multiple --ca or --capath checks are consolidated into a function > Yes that change makes s

Re: [Openvpn-devel] --tls-verify runs twice for a single cert in Peer-fingerprint mode

2021-05-24 Thread Arne Schwabe
Am 24.05.2021 um 16:07 schrieb tincantech via Openvpn-devel: Hi, Is this expected ? I might check if it is even a good idea to allow tls-verify and other verify options together with peer-fingerprint. (You could implement peer-fingerprint with tls-verify as well. Since we haven't published 2

Re: [Openvpn-devel] [PATCH v2 2/2] Add detailed man page section to setup a OpenVPN setup with peer-fingerprint

2021-05-20 Thread Arne Schwabe
Hopefully this clarifies things: - the default output format of OpenSSL is PEM-encoded ; openssl uses the default extension .pem - the OpenVPN .crt and .key files are ALSO PEM-encoded by default, but they've just been named differently by the easy-rsa tools to ensure that the files can be eas

Re: [Openvpn-devel] [PATCH v2 2/2] Add detailed man page section to setup a OpenVPN setup with peer-fingerprint

2021-05-20 Thread Arne Schwabe
Am 20.05.2021 um 18:56 schrieb tincantech: Hi, again, I do not understand why openvpn choose to switch to .pem for this tutorial.  PEM -> Private Email, which this is not. You have a certificate and a key and every other openvpn tutorial on openvpn and probably the entire planet uses .crt and .

[Openvpn-devel] [PATCH v2 6/9] Introduce S_GENERATED_KEYS state and generate keys only when authenticated

2021-05-20 Thread Arne Schwabe
in deferred state (ks->authenticated == KS_DEFERRED) will not have data channel keys generated. This avoids corner cases where a not fully authenticated session might leak data. Signed-off-by: Arne Schwabe Patch v2: rebased Signed-off-by: Arne Schwabe --- src/openvpn/forward.h|

[Openvpn-devel] [PATCH v2 7/9] Move auth_token_state_flags to tls_session and cleanup initial_token

2021-05-20 Thread Arne Schwabe
is initially generated instead when pushing the token. Even I don't know anymore why I did it in this way in the first place. Also use multi->auth_token_initial as source for the session ID since it should now always be available. Signed-off-by: Arne Schwabe --- src/openvpn/auth

[Openvpn-devel] [PATCH v2 4/9] Make waiting on auth an explicit state in the context state machine

2021-05-20 Thread Arne Schwabe
Previously we relied on checking tls_authentication_status to check whether to determine if the context auth state is actually valid or not. This patch eliminates that check by introducing waiting on the authentication as extra state in the context auth state machine. Signed-off-by: Arne Schwabe

[Openvpn-devel] [PATCH v2 5/9] Extracting key_state deferred auth status update into function

2021-05-20 Thread Arne Schwabe
This extracts the update of a deferred key status into its own function. Patch v2: Do not ignore auth_deferred_expire. Minor format changes. Signed-off-by: Arne Schwabe --- src/openvpn/ssl_verify.c | 96 ++-- 1 file changed, 62 insertions(+), 34 deletions

[Openvpn-devel] [PATCH v2 3/9] Add connection_established as state in tls_multi->context_auth

2021-05-20 Thread Arne Schwabe
p2p mode server without (without ncp) Signed-off-by: Arne Schwabe --- src/openvpn/forward.c| 6 +++--- src/openvpn/forward.h| 13 - src/openvpn/multi.c | 15 --- src/openvpn/occ.c| 2 +- src/openvpn/openvpn.h| 4 +++- src/openvpn/push.c |

[Openvpn-devel] [PATCH v2 8/9] Remove --ncp-disable option

2021-05-20 Thread Arne Schwabe
restore that. But to avoid all the NCP/non-NCP special cases to be implemented in P2P. P2P will directly switch from always non-NCP to always NCP. Signed-off-by: Arne Schwabe --- Changes.rst | 4 +++ doc/man-sections/protocol-options.rst | 8 ++ src/openvpn/init.c

[Openvpn-devel] [PATCH v2 2/9] Implement auth-token-user

2021-05-20 Thread Arne Schwabe
: Arne Schwabe --- doc/man-sections/client-options.rst | 8 +++ src/openvpn/misc.c | 37 + src/openvpn/misc.h | 21 +--- src/openvpn/options.c | 5 src/openvpn/ssl.c | 12

[Openvpn-devel] [PATCH v2 1/9] Move auth_token_state from multi to key_state

2021-05-20 Thread Arne Schwabe
in tls_multi and one explicit one. Merge these to one. Signed-off-by: Arne Schwabe --- src/openvpn/auth_token.c | 12 +-- src/openvpn/ssl_common.h | 4 +- src/openvpn/ssl_verify.c | 8 +- tests/unit_tests/openvpn/test_auth_token.c | 91

[Openvpn-devel] [PATCH v2 9/9] Support NCP in pure P2P VPN setups

2021-05-20 Thread Arne Schwabe
deterministically determine according to IV_PROTO and IV_CIPHER what options can be used and start using these There are no poor man's NCP or other compatibility workaround like in the normal NCP, making this NCP leaner and more deterministic. Signed-off-by: Arne Schwabe --- src/openvpn/i

[Openvpn-devel] [PATCH v2 1/2] Move examples into openvpn-examples(5) man page

2021-05-20 Thread Arne Schwabe
Signed-off-by: Arne Schwabe --- .gitignore | 2 ++ doc/Makefile.am| 25 + doc/openvpn-examples.5.rst | 17 + doc/openvpn.8.rst | 2 +- 4 files changed, 41 insertions(+), 5 deletions(-) create mode 100644 doc/openvpn

[Openvpn-devel] [PATCH v2 2/2] Add detailed man page section to setup a OpenVPN setup with peer-fingerprint

2021-05-20 Thread Arne Schwabe
. Patch V2: Fix grammar/spelling mistakes (thanks ticantech), move to openvpn-examples(5). Signed-off-by: Arne Schwabe --- Changes.rst | 4 + doc/Makefile.am | 1 + doc/man-sections/example-fingerprint.rst | 196

Re: [Openvpn-devel] [PATCH 9/9] Add detailed man page section to setup a OpenVPN setup with peer-fingerprint

2021-05-19 Thread Arne Schwabe
> I just want this to be verified because the manual reads that: > udp6 will force only udp on IPv6, at least that is how I read it. Not on the server side. It is one of the quirks that we need to fix at some point. See the ipv6only option of --bind for more details > >> + >> +# The ip add

[Openvpn-devel] [PATCH v3] Implement --client-crresponse script options and plugin interface

2021-05-18 Thread Arne Schwabe
This allows scripts and plugins to parse/react to a CR_RESPONSE message Patch V2: doc fixes, do not put script under ENABLE_PLUGIN Patch V3: rebase Signed-off-by: Arne Schwabe --- doc/man-sections/script-options.rst | 28 - include/openvpn-plugin.h.in | 7 +++- src

Re: [Openvpn-devel] [PATCH 9/9] Add detailed man page section to setup a OpenVPN setup with peer-fingerprint

2021-05-18 Thread Arne Schwabe
Am 17.05.21 um 19:16 schrieb tincantech: > Hi, > > ‐‐‐ Original Message ‐‐‐ > On Wednesday, 12 May 2021 14:15, Arne Schwabe wrote: > >> This is meant to give new users a quickstart for a useable OpenVPN >> setup. Our own documentation is lacking in

Re: [Openvpn-devel] Feature request - Allow comments inside markers

2021-05-18 Thread Arne Schwabe
Am 17.05.21 um 17:31 schrieb Gert Doering: > Hi, > > On Mon, May 17, 2021 at 02:57:32PM +, tincantech via Openvpn-devel wrote: >> I think it would be useful to allow comments inside the >> markers. > > I've run across this as well, and share that sentiment. It would be nice. > > That said, I'

Re: [Openvpn-devel] [PATCH] Remove --no-replay

2021-05-17 Thread Arne Schwabe
Am 17.05.21 um 01:58 schrieb David Sommerseth: > On 16/05/2021 19:14, Arne Schwabe wrote: > > First of all, I do like Steffan's proposal: > >> Remove the option, and: >>  * if auth != none -> replay prevention is always enabled; >>  * if auth == none ->

Re: [Openvpn-devel] [PATCH] Remove --no-replay

2021-05-16 Thread Arne Schwabe
> > Given 2, how clear is our timeline on sunsetting non-AEAD ciphers? That > would automatically sunset --no-replay. (I've lost track a bit...) Heated debate as that is equal to dropping compatibility completely with OpenVPN 2.3. We already have a heated debate if dropping 2.3 config compatibility

Re: [Openvpn-devel] [PATCH 9/9] Add detailed man page section to setup a OpenVPN setup with peer-fingerprint

2021-05-14 Thread Arne Schwabe
>> +++ b/doc/Makefile.am >> @@ -25,6 +25,7 @@ dist_noinst_DATA = \ >>   man-sections/connection-profiles.rst \ >>   man-sections/encryption-options.rst \ >>   man-sections/examples.rst \ >> +    man-sections/examples.rst \ > > I suspect you intended to add doc/man-sections/example-fin

[Openvpn-devel] [PATCH 5/9] Add ifdef guards to unit test

2021-05-12 Thread Arne Schwabe
the unit tests do not compile under windows since they are missing the correct ifdef guards Signed-off-by: Arne Schwabe --- tests/unit_tests/openvpn/test_argv.c | 2 ++ tests/unit_tests/openvpn/test_auth_token.c | 2 ++ tests/unit_tests/openvpn/test_crypto.c | 4 tests/unit_tests

[Openvpn-devel] [PATCH 7/9] Move utility function from win32.c to win32-util.c

2021-05-12 Thread Arne Schwabe
This is done to allow including parts of win32.c when building unit tests, as win32.c itself has too many dependencies and cannot be included in a small unit test. Also fix a missing Windows.h include in error.h that otherwise breaks compilation when included from unit tests. Signed-off-by: Arne

[Openvpn-devel] [PATCH 8/9] Document stub-v2 being basically an alias for no compression at all

2021-05-12 Thread Arne Schwabe
Signed-off-by: Arne Schwabe --- doc/man-sections/protocol-options.rst | 5 + 1 file changed, 5 insertions(+) diff --git a/doc/man-sections/protocol-options.rst b/doc/man-sections/protocol-options.rst index 4b6928c68..34d4255ee 100644 --- a/doc/man-sections/protocol-options.rst +++ b/doc

[Openvpn-devel] [PATCH 9/9] Add detailed man page section to setup a OpenVPN setup with peer-fingerprint

2021-05-12 Thread Arne Schwabe
way. Signed-off-by: Arne Schwabe --- Changes.rst | 4 + doc/Makefile.am | 1 + doc/man-sections/example-fingerprint.rst | 194 +++ 3 files changed, 199 insertions(+) create mode 100644 doc/man-sections/example

[Openvpn-devel] [PATCH 4/9] Add missing free_key_ctx for auth_token

2021-05-12 Thread Arne Schwabe
This is a small memory leak as this key is only leaked once per server start. Signed-off-by: Arne Schwabe --- src/openvpn/init.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 1d77a9d42..49c742928 100644 --- a/src/openvpn/init.c +++ b/src

[Openvpn-devel] [PATCH 6/9] Add noreturn attribute for MSVC to assert_failed method.

2021-05-12 Thread Arne Schwabe
Signed-off-by: Arne Schwabe --- src/openvpn/error.h | 8 +++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/src/openvpn/error.h b/src/openvpn/error.h index 1a5521654..469afe20a 100644 --- a/src/openvpn/error.h +++ b/src/openvpn/error.h @@ -202,8 +202,14 @@ FILE *msg_fp(const

[Openvpn-devel] [PATCH 0/9] Miscellaneous cleanup patches/small fixes

2021-05-12 Thread Arne Schwabe
This patch set has a number of small fixes/improvements and documentation fixes/updates. They should be able to be applied in any order and have weak relationship to each other at best. I am sending them in one patch set to make review/keeping track of patches easier. Arne Schwabe (9): Remove

[Openvpn-devel] [PATCH 1/9] Remove explicit struct iovec check (HAVE_IOVEC)

2021-05-12 Thread Arne Schwabe
implicitly assume that iovec is present and do not need to make this explicit check Signed-off-by: Arne Schwabe --- configure.ac | 1 - src/openvpn/syshead.h | 6 +++--- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/configure.ac b/configure.ac index f05faf991..dce7982cc

[Openvpn-devel] [PATCH 3/9] Inline do_init_auth_token_key

2021-05-12 Thread Arne Schwabe
The extra function does not really give a better understanding of the code or provide any other benefit, so inline it to make the code more streamlined. Signed-off-by: Arne Schwabe --- src/openvpn/init.c | 23 ++- 1 file changed, 6 insertions(+), 17 deletions(-) diff --git

[Openvpn-devel] [PATCH 2/9] Remove getpeername, getpid check

2021-05-12 Thread Arne Schwabe
getpeername is part of SUSv3 and Windows also provides the function as part of Winsock. getpid is also provided by both POSIX and Windows, and we do not even use getpid on Windows since we rather call GetCurrentProcessId. Signed-off-by: Arne Schwabe --- configure.ac | 4 ++-- src

[Openvpn-devel] [PATCH] Use exponential backoff for caching in tls_authentication_status

2021-05-10 Thread Arne Schwabe
of caching. Signed-off-by: Arne Schwabe --- src/openvpn/multi.c | 3 +-- src/openvpn/push.c | 2 +- src/openvpn/ssl.c| 2 +- src/openvpn/ssl.h| 3 --- src/openvpn/ssl_common.h | 5 - src/openvpn/ssl_verify.c | 25 +++-- src/openvpn

Re: [Openvpn-devel] [PATCH v3] Return cached result in tls_authentication_status

2021-05-07 Thread Arne Schwabe
Am 06.05.21 um 23:49 schrieb Antonio Quartulli: > Hi Arne, > > after our discussion on IRC I understood you expected this patch to not > change the server behaviour. > > If something is suboptimal, it means it was suboptimal also before this > patch. > > However, with your patch I can clearly se

[Openvpn-devel] [PATCH v3] Return cached result in tls_authentication_status

2021-05-06 Thread Arne Schwabe
v3: avoid rearming timer Signed-off-by: Arne Schwabe --- src/openvpn/multi.c | 2 +- src/openvpn/push.c | 11 - src/openvpn/ssl_common.h | 16 +--- src/openvpn/ssl_verify.c | 53 ++-- src/openvpn/ssl_verify.h | 3 +-- 5 files changed

Re: [Openvpn-devel] [PATCH] Add daemon_pid to --tls-crypt-v2-verify environment

2021-05-05 Thread Arne Schwabe
>> Could you explain why you need the process ID of the daemon? I am trying >> to figure out why that is needed. I also don't understand the secure in >> this context. What are you protecting yourself against? You are not >> protecting your script being called from a malicious program as that >>

Re: [Openvpn-devel] [PATCH] Add daemon_pid to --tls-crypt-v2-verify environment

2021-05-04 Thread Arne Schwabe
Am 29.04.21 um 19:15 schrieb Richard T Bonhomme: > From: string vest > > Under Windows, programmatically retrieving the parent process ID of > the openvpn instance which called a script is practically impossible. > The only sensible way, currently available, is to write a PID file. > > This patc

Re: [Openvpn-devel] [PATCH] Add daemon_pid to --tls-crypt-v2-verify environment

2021-05-03 Thread Arne Schwabe
Am 03.05.21 um 19:22 schrieb tincantech via Openvpn-devel: > ‐‐‐ Original Message ‐‐‐ > On Thursday, 29 April 2021 18:15, Richard T Bonhomme > wrote: > >> From: string vest stringves...@gmail.com > >> Under Windows, programmatically retrieving the parent process ID of >> the openvpn ins

[Openvpn-devel] [PATCH v2 3/7] Return cached result in tls_authentication_status

2021-05-03 Thread Arne Schwabe
tas_cache_last_udpate when actually updating the cache. Signed-off-by: Arne Schwabe --- src/openvpn/multi.c | 2 +- src/openvpn/push.c | 3 ++- src/openvpn/ssl_common.h | 16 +--- src/openvpn/ssl_verify.c | 53 ++-- src/openvpn/ssl_verify.h | 3

[Openvpn-devel] [PATCH] Fix memory leak in misc unit test

2021-05-03 Thread Arne Schwabe
Detected-by: clang -fsanitize=address Signed-off-by: Arne Schwabe --- tests/unit_tests/openvpn/test_misc.c | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/unit_tests/openvpn/test_misc.c b/tests/unit_tests/openvpn/test_misc.c index 15f6cbff6..c3bea8fc8 100644 --- a/tests/unit_tests

[Openvpn-devel] [PATCH v3] Remove support for blocking connect()

2021-05-03 Thread Arne Schwabe
Signed-off-by: Arne Schwabe --- src/openvpn/socket.c | 13 - src/openvpn/syshead.h | 7 --- 2 files changed, 20 deletions(-) diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c index 23b12560b..407e411c0 100644 --- a/src/openvpn/socket.c +++ b/src/openvpn/socket.c @@ -1451,7
