This extracts the update of a deferred key status into its own
function.
Patch v2: Do not ignore auth_deferred_expire. Minor format changes.
Signed-off-by: Arne Schwabe
---
src/openvpn/ssl_verify.c | 91 ++--
1 file changed, 59 insertions(+), 32 deletions
nput block and output block) are expected to
> be 8 bytes long, for this reason the prototype specifies the arguments
> as 3 arrays of 8 bytes in size.
>
> Convert the implementations to also explicitly mention the size of the
> array they expect to receive in input.
>
Acked-By:
>
>> @@ -369,7 +369,7 @@ bool
>> send_auth_pending_messages(struct tls_multi *tls_multi, const char *extra,
>> unsigned int timeout)
>> {
>> -struct key_state *ks = _multi->session[TM_ACTIVE].key[KS_PRIMARY];
>> +struct key_state *ks =
Am 26.04.21 um 15:26 schrieb Antonio Quartulli:
> From: Arne Schwabe
>
> Changes from v2:
> - moved event definitions to event.h
> - removed READ/WRITE_SHIFT and use EVENT_READ/WRITE
> - removed ifdefs around *_SHIFTS definitions in event.h
>
> Changes from v1:
>
| bs[1] == ' ')
> +{
> +msg(msglevel, "format error in hash fingerprint unexpected
> blank: %s",
> +str);
> +}
> +
> byte = 0;
> if (sscanf(bs, "%x", ) != 1)
> {
>
I would not have spen
It is hard to imagine that we still have any supported OS that does
not support non-blocking connect while still supporting non-blocking
sockets in general.
Patch V2: remove epoll.h removal that should have been in other patch.
Signed-off-by: Arne Schwabe
---
src/openvpn/socket.c | 8
This warning makes make check fail if Werror is enabled on
LLVM/Clang on macOS for me.
Signed-off-by: Arne Schwabe
---
tests/unit_tests/example_test/test.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/tests/unit_tests/example_test/test.c
b/tests/unit_tests/example_test/test.c
index
With this change we always build multihome support if the operating
system supports it.
Patch v2: Remove also from config-msvc.h
Signed-off-by: Arne Schwabe
---
config-msvc.h | 1 -
configure.ac | 7 ---
src/openvpn/syshead.h | 2 +-
3 files changed, 1 insertion(+), 9
)?redirectedfrom=MSDN
Patch V2: also remove from config-msvc.h
Signed-off-by: Arne Schwabe
---
config-msvc.h | 1 -
configure.ac | 2 +-
src/openvpn/platform.c | 4
src/openvpn/syshead.h | 4
4 files changed, 5 insertions(+), 6 deletions(-)
diff --git a/config-msvc.h b/config
We have two defines that do exactly the same thing. Also move the check
from configure.ac to syshead.h since it is really only checking
for Windows.
Patch V2: Also remove from config-msvc.h
Signed-off-by: Arne Schwabe
---
config-msvc.h| 3 ---
configure.ac | 8
src
epoll.h inclusion to event.c
Patch V2: Add epoll.h to syshead.h that accidentally was put into another
patch
Signed-off-by: Arne Schwabe
---
configure.ac | 11 +--
src/compat/compat.h | 5 +
src/openvpn/event.c | 4
src/openvpn/socket.c | 16
This uses get_key_scan and get_primary_key instead of directly
accessing the members of the struct to improve readability of
the code.
Signed-off-by: Arne Schwabe
---
src/openvpn/multi.c | 3 +--
src/openvpn/push.c | 9 -
src/openvpn/ssl.c| 11 +++
src
state (ks->authenticated == KS_DEFERRED)
will not have data channel keys generated. This avoids corner
cases where not fully authenticated sessions might leak data.
Signed-off-by: Arne Schwabe
---
src/openvpn/forward.h| 2 +-
src/openvpn/init.c | 1 +
src/openvpn/ssl.c|
tls_pre_encrypt mainly performs the task of selecting the primary
encryption key but also performs other minor tasks. To allow only
querying for the key that should be used for encryption extract this
part of the function into its own function.
Signed-off-by: Arne Schwabe
---
src/openvpn/ssl.c
by forcing a refresh in some areas of the code
(latency = 0).
This patch changes the behaviour by always returning the last known
status and only updating the file status when the i/o timeout for the
caches is reached.
The patch also changes the DEFINE enum into a real enum.
Signed-off-by: Arne Schwabe
is
initially generated instead when pushing the token. Even I don't know
anymore why I did it in this way in the first place. Also use
multi->auth_token_initial as source for the session ID since it should
now always be available.
Signed-off-by: Arne Schwabe
---
src/openvpn/auth_toke
Previously we relied on checking tls_authentication_status to
determine whether the context auth state is actually valid or not.
This patch eliminates that check by introducing waiting on the
authentication as an extra state in the context auth state machine.
Signed-off-by: Arne Schwabe
This extracts the update of a deferred key status into its own
function.
Signed-off-by: Arne Schwabe
---
src/openvpn/ssl_verify.c | 90 ++--
1 file changed, 58 insertions(+), 32 deletions(-)
diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c
>> #ifndef _WIN32
>> +const char *device = tt->actual_name;
>
> This variable is not used in all cases embraced by "ifndef _WIN32".
> I.e. I think it is not used when any of the following is defined:
> TARGET_OPENBSD
> TARGET_NETBSD
> TARGET_AIX
>
> Therefore this change would fix *only*
Am 21.04.21 um 22:32 schrieb Gert Doering:
> Hi,
>
> On Wed, Apr 21, 2021 at 03:43:46PM +0200, Arne Schwabe wrote:
>> It is hard to imagine that we still have any supported OS that does
>> not support non-blocking connect while still supporting non-blocking
>> sockets
Move to definition inside the ifdef where they are used to avoid
unused warnings.
Fix a few printf related warnings when DWORD is used as parameter and
the printf format should be %lu (long unsigned int)
Signed-off-by: Arne Schwabe
---
src/openvpn/route.c | 4 ++--
src/openvpn/socket.c | 3
We have two defines that do exactly the same thing. Also move the check
from configure.ac to syshead.h since it is really only checking
for Windows.
Signed-off-by: Arne Schwabe
---
configure.ac | 8
src/openvpn/platform.c | 2 +-
src/openvpn/ssl_verify.c | 2 +-
src/openvpn
With this change we always build multihome support if the operating
system supports it.
Signed-off-by: Arne Schwabe
---
configure.ac | 7 ---
src/openvpn/syshead.h | 2 +-
2 files changed, 1 insertion(+), 8 deletions(-)
diff --git a/configure.ac b/configure.ac
index 747325164
-off-by: Arne Schwabe
---
configure.ac | 11 +--
src/compat/compat.h | 5 +
src/openvpn/event.c | 4
src/openvpn/socket.c | 16
src/openvpn/syshead.h | 6 ++
5 files changed, 12 insertions(+), 30 deletions(-)
diff --git a/configure.ac b
It is hard to imagine that we still have any supported OS that does
not support non-blocking connect while still supporting non-blocking
sockets in general.
Signed-off-by: Arne Schwabe
---
src/openvpn/socket.c | 8
src/openvpn/syshead.h | 11 ---
2 files changed, 19 deletions
Also change the types to use C99 uint64_t and its printf u64 define.
Signed-off-by: Arne Schwabe
---
src/openvpn/common.h | 15 +++
src/openvpn/syshead.h | 5 -
2 files changed, 3 insertions(+), 17 deletions(-)
diff --git a/src/openvpn/common.h b/src/openvpn/common.h
index
)?redirectedfrom=MSDN
Signed-off-by: Arne Schwabe
---
configure.ac | 2 +-
src/openvpn/platform.c | 4
src/openvpn/syshead.h | 4
3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/configure.ac b/configure.ac
index aaac65c3d..a67bf2595 100644
--- a/configure.ac
+++ b
ciphers.
Signed-off-by: Arne Schwabe
---
src/openvpn/crypto_openssl.c | 15 ---
1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
index f8b36bf85..57731ed79 100644
--- a/src/openvpn/crypto_openssl.c
+++ b/src/openvpn
Am 18.04.21 um 18:01 schrieb Arne Schwabe:
> context_2 and tls_multi have the same life cycle for TLS connections
> but so this move does not affect behaviour of the variable.
>
> OpenVPN TLS multi code has grown a lot more complex and code that
> handles multi objects needs to
the state of the connect
authentication (more upcoming patches will move other states
into this variable).
Patch V2: also rename context_auth to multi_state, explain a bit why this
change is done.
Signed-off-by: Arne Schwabe
---
src/openvpn/forward.c| 10 ++
src/openvpn
Am 18.04.21 um 11:11 schrieb Gert Doering:
> Hi,
>
> I would have merged this now, but it breaks ENABLE_ASYNC_PUSH... and
> while at it, I have more questions.
>
> On Sun, Mar 28, 2021 at 02:02:40PM +0200, Arne Schwabe wrote:
> [..]
>> Patch V2: also rename context_a
Am 18.04.2021 um 12:11 schrieb Gert Doering:
Hi,
On Sun, Mar 28, 2021 at 02:02:41PM +0200, Arne Schwabe wrote:
[..]
@@ -2240,7 +2240,8 @@ error:
* to the TLS control channel (cleartext).
*/
static bool
-key_method_2_write(struct buffer *buf, struct tls_session *session
Signed-off-by: Arne Schwabe
---
src/openvpn/options.c | 6 ++
src/openvpn/options.h | 3 +++
2 files changed, 9 insertions(+)
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 5934b0b84..10078a4d6 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -3571,6
keywords, move checking the number of arguments
to the individual keywords.
Signed-off-by: Arne Schwabe
---
doc/man-sections/vpn-network-options.rst | 6 ++
src/openvpn/options.c| 26
src/openvpn/tun.c| 7 +++
src/openvpn
Am 16.04.21 um 00:27 schrieb Antonio Quartulli:
> Hi Arne,
>
> On 08/04/2021 16:02, Arne Schwabe wrote:
>> Instead of maintaining two different representations of the data channel
>> options in struct options and struct tls_options, use the same
>> flags variable that tls
Am 16.04.21 um 00:22 schrieb Antonio Quartulli:
> Hi,
>
> On 08/04/2021 14:00, Arne Schwabe wrote:
>> OpenSSL also allows ARIA-GCM and that works well with our implementation
>> While the handpicked list was needed for earlier OpenSSL versions (and
>> is still n
Most of the functions removed either already have a version check
against LibreSSL 2.9.0 or are now also deprecated in LibreSSL
according to the man pages in OpenBSD 6.8, like SSL_CTX_set_ecdh_auto
and SSL_library_init.
Signed-off-by: Arne Schwabe
---
src/openvpn/ssl_openssl.c | 17
>
>> +if (options->chroot_dir == NULL || in_chroot ||
>> options->crl_file_inline)
>> +{
>> +tls_ctx_reload_crl(new_ctx, options->crl_file,
>> options->crl_file_inline);
>> +}
>> +else
>> +{
>> +struct gc_arena gc = gc_new();
>>
Am 09.04.2021 um 18:28 schrieb Gert Doering:
Hi,
there was a big discussion on the IRC channel today about interactions
between "--chroot" and "--persist-key" and how and when stuff is reloaded
or not.
Now, we all seem to agree that OpenVPN has way too many obscure options,
so I propose to
>>> and I was hoping that this would be resolved before removing something
>>> like --ncp-disable. Having said that, I now see that with openvpn 2.5,
>>> the server mtu is still 1379 in my setup, regardless of whether I use
>>> --ncp-disable or not - seems to me that is still too low.
>>>
>>
>>
Am 09.04.21 um 11:24 schrieb Jan Just Keijser:
> Hi,
>
> On 08/04/21 17:52, Gert Doering wrote:
>> Hi,
>>
>> On Thu, Apr 08, 2021 at 05:30:52PM +0200, Jan Just Keijser wrote:
>>> I don't have any evidence with 2.5 right now but this is just a matter
>>> of use/principle to me: I can very well
Am 08.04.21 um 16:36 schrieb Jan Just Keijser:
> Hi,
>
> On 08/04/21 16:02, Arne Schwabe wrote:
>> NCP has proven to be stable and apart from the one VPN Provider doing
>> hacky things with homebrewed NCP we have not had any reports about
>> ncp-disable being r
will restore that. But to avoid all the NCP/non-NCP special
cases having to be implemented in P2P, P2P will directly switch from always
non-NCP to always NCP.
Signed-off-by: Arne Schwabe
---
Changes.rst | 4 +++
doc/man-sections/protocol-options.rst | 8 ++
src/openvpn/init.c
deterministically determine according to
IV_PROTO and IV_CIPHER what options can be used and start using these.
There are no poor man's NCP or other compatibility workarounds like in the
normal NCP, making this NCP leaner and more deterministic.
Signed-off-by: Arne Schwabe
---
src/openvpn/init.c
Instead of maintaining two different representations of the data channel
options in struct options and struct tls_options, use the same
flags variable that tls_options uses.
Signed-off-by: Arne Schwabe
---
src/openvpn/multi.c | 5 -
src/openvpn/options.c | 4 ++--
src/openvpn/options.h | 4
of the if condition
Patch v4: fix documentation not mentioning method as 2nd line
Patch v5: fix deferred auth used by both plugin and script not working
Patch v6: Add missing async inotify for script deferred auth
Signed-off-by: Arne Schwabe
---
Changes.rst | 10 +++
doc/man-sections
of support for different
versions.
Arne Schwabe (3):
Change options->data_channel_use_ekm to flags
Remove --ncp-disable option
Support NCP in pure P2P VPN setups
Changes.rst | 4 +
doc/man-sections/protocol-options.rst | 8 +-
src/openvpn/init.c
These functions return const pointers in OpenSSL 3.0.0alpha14, so
our pointers should be also const to avoid casting the const away.
Signed-off-by: Arne Schwabe
---
src/openvpn/ssl_openssl.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/src/openvpn/ssl_openssl.c b/src
Signed-off-by: Arne Schwabe
---
src/openvpn/options.c | 11 +++
src/openvpn/options.h | 3 +++
2 files changed, 14 insertions(+)
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index a72e1b9ae..00ad98f15 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
anyway.
Signed-off-by: Arne Schwabe
---
src/openvpn/init.c| 6 ++--
src/openvpn/options.c | 66 +--
src/openvpn/options.h | 8 +++---
3 files changed, 38 insertions(+), 42 deletions(-)
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index
OpenSSL also allows ARIA-GCM and that works well with our implementation
While the handpicked list was needed for earlier OpenSSL versions (and
is still needed for Chacha20-Poly1305), the API nowadays with OpenSSL
1.0.2 and 1.1.x works as expected.
Signed-off-by: Arne Schwabe
---
src/openvpn
of the if condition
Patch v4: fix documentation not mentioning method as 2nd line
Patch v5: fix deferred auth used by both plugin and script not working
Patch v6: Add missing async inotify for script deferred auth
Signed-off-by: Arne Schwabe
---
Changes.rst | 10 +++
doc/man-sections
> I like the new approach a lot.
> It definitely helps keeping track of "what compat code do we need? and
> for which version?"
>
> Just one suggestion:
> I think it would still be useful to add a comment on the #endif line to
> explicitly say what if we are closing.
>
> i.e:
>
> #endif /*
Am 06.04.21 um 13:51 schrieb Antonio Quartulli:
> Hi,
>
> On 06/04/2021 13:14, Gert Doering wrote:
>> Now... what *is* the oldest mbedtls version we should reasonably support?
>>
>> For OpenSSL, we're stuck to 1.0.2 for the time being as that's still
>> the primary (and bugfix-backported) version
://en.cppreference.com/w/c/header).
Signed-off-by: Arne Schwabe
---
config-msvc.h| 11 ---
configure.ac | 26 ++---
src/compat/compat-daemon.c | 4
src/compat/compat-gettimeofday.c | 2 --
src/openvpn/platform.c | 4
While the check if all socket related functions are present sounds like
a good idea in theory, in reality it just adds time to configure runs.
Our poll check on Windows currently only depends on sys/poll.h
non-existence. Make the check and comment more explicit.
Signed-off-by: Arne Schwabe
stretch), LibreSSL (OpenBSD 6.8) and wolfSSL
Signed-off-by: Arne Schwabe
---
configure.ac | 84
src/openvpn/openssl_compat.h | 144 +++
2 files changed, 29 insertions(+), 199 deletions(-)
diff --git a/configure.ac b
Signed-off-by: Arne Schwabe
---
compat.m4 | 18 --
configure.ac | 8
src/openvpn/syshead.h | 4 +---
3 files changed, 1 insertion(+), 29 deletions(-)
diff --git a/compat.m4 b/compat.m4
index 47650f6d3..8fa9abee1 100644
--- a/compat.m4
+++ b
Use the modern names instead of the old GCM specific ones. AEAD instead
GCM makes especially sense when using Chacha20-Poly1305.
Signed-off-by: Arne Schwabe
---
src/openvpn/crypto_openssl.c | 4 ++--
src/openvpn/openssl_compat.h | 5 +
2 files changed, 7 insertions(+), 2 deletions(-)
diff
Am 05.04.21 um 09:38 schrieb Simon Matter:
>> Hi,
>>
>> On Sat, Apr 03, 2021 at 03:07:11PM +0200, Simon Matter wrote:
>>> Apr 3 15:00:30 gw-X1 openvpn[1477]: pre-compress bytes,833300152
>>> Apr 3 15:00:30 gw-X1 openvpn[1477]: post-compress bytes,796650159
>>> Apr 3 15:00:30 gw-X1
remove the TIME_BACKTRACK_PROTECTION defines from otime.h
Signed-off-by: Arne Schwabe
Acked-by: Gert Doering
Message-Id: <20210403184626.23067-1-a...@rfc2549.org>
URL:
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22020.html
Signed-off-by: Gert Doering
Signed-off-by
into the patch, mention the
other removed defines that are always enabled.
Signed-off-by: Arne Schwabe
---
src/compat/compat-gettimeofday.c | 2 +-
src/openvpn/forward.c| 23 ++---
src/openvpn/forward.h| 6
src/openvpn/helper.c | 10 ++
src
here since the code has been ignoring the status forever there might
be corner cases where a FATAL message could trigger an unintended regression.
PATCH v2: Fix wrong order of fd,code in printed message.
Signed-off-by: Arne Schwabe
---
src/openvpn/error.c | 8
src/openvpn/event.c | 8
Commit c5fec838e moved the auth control file related
states into its own struct. Unfortunately I forgot
to also do the part inside #if defined(ENABLE_ASYNC_PUSH)
Signed-off-by: Arne Schwabe
---
src/openvpn/multi.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src
Am 02.04.21 um 15:26 schrieb Max Fillinger:
> From: Uipko Berghuis
>
> In mbedtls 2.16.0 mbedtls_ctr_drbg_update() changed to
> mbedtls_ctr_drbg_update_ret(). Change the function name and handle
> the new return value error code.
> ---
> src/openvpn/ssl_mbedtls.c | 5 -
> 1 file changed, 4
> }
>
> void
> +make_empty_crl(struct tls_root_ctx *ctx)
> +{
> +if (ctx->crl == NULL)
> +{
> +ALLOC_OBJ_CLEAR(ctx->crl, mbedtls_x509_crl);
> +}
> +else
> +{
> +mbedtls_x509_crl_free(ctx->crl);
> +}
> +}
> +
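Review bot: make_empty_crl carries no comment stating its contract, and the two branches read as unrelated operations although both leave ctx->crl pointing at a zeroed, empty CRL object (ALLOC_OBJ_CLEAR in the NULL case, mbedtls_x509_crl_free on an already allocated one). A one-line comment above the function, e.g. `/* Ensure ctx->crl exists and is empty, reusing the allocation if present */`, would make the intent clear to the next reader.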
This function is confusing me. This needs at
>
> To me it seems like you can of course build a scenario where compression
> _could_ be a problem somehow, but there are certainly many use cases
> where it can be considered almost impossible to have your security
> weakened by compression. I mean, there is also the SSH VPN mode with c be
the server will not push back any "disable compression"
> command. It works if the client connects with "--push-peer-info".
>
> Fix: turn around the order of checks, treat "no peer_info" the same
> as "peer_info does not contain
Am 01.04.21 um 15:13 schrieb Arne Schwabe:
> Using OpenVPN without P2MP support (pull, TLS) is unrealistic and
> building a binary without it is not something we realistically want
> to support anyway.
> }
> +/* Check if we have forbidding options in t
Signed-off-by: Arne Schwabe
---
src/openvpn/forward.c | 3 ++-
src/openvpn/openvpn.h | 12 +++-
2 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c
index 6f7a50048..98caf6651 100644
--- a/src/openvpn/forward.c
+++ b/src/openvpn
This makes multi_get_create_instance_udp a bit shorter and better
structured and also prepares this method to be called from the
multi TCP context with DCO which will also need to assign unique peer
ids to instances.
Signed-off-by: Arne Schwabe
---
src/openvpn/mudp.c | 20
The variables are not used without the configured options but the
ifdef around them does not help readability either.
Signed-off-by: Arne Schwabe
---
src/openvpn/mtcp.c| 5 -
src/openvpn/mudp.c| 2 --
src/openvpn/openvpn.h | 4
3 files changed, 11 deletions(-)
diff --git a/src
This function seems to serve no purpose other than to add confusion.
Signed-off-by: Arne Schwabe
---
src/openvpn/init.c | 2 +-
src/openvpn/tun.h | 10 --
2 files changed, 1 insertion(+), 11 deletions(-)
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index 1a6015452..f0ae0b7f1
here since the code has been ignoring the status forever there might
be corner cases where a FATAL message could trigger an unintended regression.
Signed-off-by: Arne Schwabe
---
src/openvpn/error.c | 8
src/openvpn/event.c | 8 ++--
2 files changed, 10 insertions(+), 6 deletions
context directly to the called
function.
Signed-off-by: Arne Schwabe
---
src/openvpn/init.c | 60 +---
src/openvpn/socket.c | 109 +++
src/openvpn/socket.h | 40 ++--
3 files changed, 52 insertions(+), 157 deletions
This also eliminates the confusing name and eliminates
tunnel_server_udp as a wrapper that only calls
tunnel_server_udp_single_threaded
Signed-off-by: Arne Schwabe
---
doc/doxygen/doc_eventloop.h| 2 +-
doc/doxygen/doc_tunnel_state.h | 2 +-
src/openvpn/mudp.c | 21
These are a number of patches that do various cleanups that
I did as part of implementing DCO but are good on their own.
Arne Schwabe (14):
Remove code for aligning non-swapped compression
Remove superfluous ifdefs around enum like defines
Rename tunnel_server_udp_single_threaded
This is a leftover of a never functional multi-threaded openvpn
implementation attempt. It serves no purpose anymore.
Signed-off-by: Arne Schwabe
---
src/openvpn/mtcp.c | 2 +-
src/openvpn/mudp.c | 2 +-
src/openvpn/multi.c | 67 +++--
src/openvpn
Using OpenVPN without P2MP support (pull, TLS) is unrealistic and
building a binary without it is not something we realistically want
to support anyway.
Signed-off-by: Arne Schwabe
---
src/compat/compat-gettimeofday.c | 2 +-
src/openvpn/forward.c| 23 ++---
src/openvpn
These functions are small enough to be inlined, and this also avoids a
dependency on socket.c from unit_tests using those functions.
Signed-off-by: Arne Schwabe
---
src/openvpn/socket.c | 36 ---
src/openvpn/socket.h | 50 +---
2 files
This function appears to be completely unused and has not been touched
since 2008.
Signed-off-by: Arne Schwabe
---
src/openvpn/ssl.h | 11 ---
1 file changed, 11 deletions(-)
diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h
index 8c8cbe028..300a70d35 100644
--- a/src/openvpn/ssl.h
+++ b
Signed-off-by: Arne Schwabe
---
src/openvpn/ssl_common.h | 4
1 file changed, 4 deletions(-)
diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h
index 4e1ff6c84..18bce403a 100644
--- a/src/openvpn/ssl_common.h
+++ b/src/openvpn/ssl_common.h
@@ -293,10 +293,6 @@ struct
The code uses tuntap->options.txqueuelen instead.
Signed-off-by: Arne Schwabe
---
src/openvpn/tun.h | 3 ---
1 file changed, 3 deletions(-)
diff --git a/src/openvpn/tun.h b/src/openvpn/tun.h
index 7e8fb7647..60ebfdcba 100644
--- a/src/openvpn/tun.h
+++ b/src/openvpn/tun.h
@@ -165,9 +16
This is an optimisation for memory alignment for lzo. Compression is
deprecated so this optimisation is not very important anymore.
Furthermore it is conditionally compiled on !defined(ENABLE_LZ4), which
makes the code not compiled in by default anyway.
Signed-off-by: Arne Schwabe
---
src
Am 01.04.21 um 14:37 schrieb Gert Doering:
> Hi,
>
> On Thu, Apr 01, 2021 at 02:16:25PM +0200, Antonio Quartulli wrote:
>>> (Of course it makes lots of sense to defer this to iptables etc. on
>>> all platforms that have DCO *and* a reasonable firewall layer... dco-win
>>> will be interesting)
>>
This option has been deprecated in OpenVPN 2.4 and the ciphers that allow
using this option fall all into the SWEET32 category of ciphers with
64 bit block size.
Patch V2: Remove superfluous check in OpenSSL codepath to check keysize
Signed-off-by: Arne Schwabe
---
config-msvc.h
comments and commit message
Patch V3: Only disable renegotiation where the SSL_OP_NO_RENEGOTIATION
define is available. LibreSSL, wolfSSL and OpenSSL 1.0.2 are
lacking this macro.
Signed-off-by: Arne Schwabe
---
src/openvpn/ssl_mbedtls.c | 4
src/openvpn/ssl_openssl.c | 6
comments and commit message
Patch V3: Only disable renegotiation where the SSL_OP_NO_RENEGOTIATION
define is available. LibreSSL, wolfSSL and OpenSSL 1.0.2 are
lacking this macro.
Signed-off-by: Arne Schwabe
---
src/openvpn/ssl_mbedtls.c | 4
src/openvpn/ssl_openssl.c | 4
Am 01.04.21 um 04:38 schrieb Tony He:
> Hi Antonio, Arne,
>
> According to the dump, this issue is caused by fragment. If I set
> link-mtu to 1472 in the condition of encryption "none", it's gone.
> I also can reproduce the fragment in my Linux x86-64 PC and Linux VM .
> They use kernel 5.4.
nce for connections with
> low (up to a few percent) packet loss.
This is a reasonable approach and thanks for adding the comments.
Acked-By: Arne Schwabe
later packets have been ACKed. This improves performance when there are
small amounts of packet loss.
The patch was originally written by Steffan Karger for OpenVPN-NL.
I added some comments as suggested by Arne Schwabe.
Steffan Karger (1):
reliable: retransmit if 3 follow-up ACKs are received
Hi
AUTH_TOKEN_HMAC_OK is 1, so the first term is always 0/1 and the bool
from the second part is also 0/1, so the & does the same in this instance
as &&.
In this specific case & instead && does not change behaviour but using
&& is the intended semantic behavio
Am 31.03.21 um 09:56 schrieb Tony He:
>
>
> Antonio Quartulli 于2021年3月31日周三 下午3:32写道:
>
> Hi,
>
> On 31/03/2021 09:29, Tony He wrote:
> > Hi Arne,
> >
> > I'm going to test encryption "none" to narrow down this issue, but I
> > found your dco branch doesn't support
Am 30.03.21 um 09:36 schrieb Tony He:
> Hi Antonio, Arne,
>
> Sorry to bother you. I have a router based on Linux kernel
> 4.14.76(4.14.x is LTS version). Because of some reasons,
> it's hard to upgrade to v5.x to play ovpn-dco. So I am porting ovpn-dco
> to 4.14.76 kernel. After some hacking,
I found this when playing with building OpenVPN with cmake.
Signed-off-by: Arne Schwabe
---
src/openvpn/tun.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/openvpn/tun.h b/src/openvpn/tun.h
index 9d995dd46..902665cc6 100644
--- a/src/openvpn/tun.h
+++ b/src/openvpn
-elements
Patch V2: Also remove AX_EMPTY_ARRAY from configure.ac
Signed-off-by: Arne Schwabe
---
config-msvc.h | 1 -
configure.ac| 1 -
m4/ax_emptyarray.m4 | 40
src/openvpn/circ_list.h | 2 +-
src/openvpn/syshead.h | 2 --
5
forgotten about. I could
only find https://splint.org/release1.3.html and a similarly old research
paper.
Signed-off-by: Arne Schwabe
---
config-msvc.h | 1 -
m4/ax_varargs.m4| 77 -
src/openvpn/error.c | 4 ---
src/openvpn/error.h | 21
-elements
Signed-off-by: Arne Schwabe
---
config-msvc.h | 1 -
m4/ax_emptyarray.m4 | 40
src/openvpn/circ_list.h | 2 +-
src/openvpn/syshead.h | 2 --
4 files changed, 1 insertion(+), 44 deletions(-)
delete mode 100644 m4/ax_emptyarray.m4
diff
>
> Regarding mbedtls I am not sure how it is related to calling
> EVP_CIPHER_CTX_set_key_length.
>
That was probably misleading. I wanted to say that the mbed variant of
this function actually still has a more useful check in this function.
So I wanted to keep both checks rather than to
ver call
multi_client_generate_tls_keys for this session.
This commit changes postponing the key generation to be done only if
the multi_connect has not yet been finished.
Patch V2: Explain better in the commit message why this change is done.
Signed-off-by: Arne Schwabe
---
src/openvpn/ssl.c |