[Openvpn-devel] [PATCH 0/5] New feature: --auth-gen-token

2016-10-13 Thread David Sommerseth
This new feature enables re-authentication of on-going sessions without
asking the user for a new password.  This is in particular useful when
the authentication scheme is based on One Time Passwords (OTP).

When OTP is used and without auth-token support in the authentication module
OpenVPN is configured to use, the clients will be asked for a new OTP each
time OpenVPN starts a re-negotiation.  What often happens is that this
re-negotiation is disabled to avoid this.

OpenVPN does provide a remedy to this, by pushing a unique auth-token value
to each client.  Then the authentication module needs to keep track of which
client is using which auth-token value.  When a client receives the pushed
auth-token option and the attached value, it replaces the locally saved
password with this token value.  So for all coming re-authentications, the
client will send this value as the password instead of the user's password.

But not all authentication modules add support for this feature.  By adding
--auth-gen-token to the server configuration, the OpenVPN server will take
care of the auth-token processing and authentication.  This also means that
the server will not call the configured authentication module on
re-negotiations; it will do the re-negotiation internally by itself.

This feature may be just as useful for non-OTP configurations.
Unless the OpenVPN client is configured with --auth-nocache, it will save
the user's password in-memory for the lifetime of the OpenVPN session.  Using
this feature that password will be replaced by the auth-token instead.

The patch-set this thread covers focuses only on this new --auth-gen-token
feature.  The --auth-token option was added to OpenVPN 2.3, but never properly
documented.  The --auth-token documentation is tracked in this mail thread:
http://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12506.html
(Message-Id: )

One remark regarding PATCH 1/5.  This patch is needed by PATCH 5/5.  I just
chose to split it out as a separate patch to make the core auth-gen-token
patches easier to review.  This patch can be moved anywhere before PATCH 5/5
or squashed into PATCH 5/5 if that is requested.

David Sommerseth (5):
  Move memcmp_constant_time() to crypto.h
  auth-gen-token: Add --auth-gen-token option
  auth-gen-token: Generate an auth-token per client
  auth-gen-token: Push generated auth-tokens to the client
  auth-gen-token: Authenticate generated auth-tokens when client re-authenticates

 doc/openvpn.8| 16 ++
 src/openvpn/crypto.c | 18 ---
 src/openvpn/crypto.h | 18 +++
 src/openvpn/init.c   |  2 ++
 src/openvpn/misc.c   |  5 +++
 src/openvpn/options.c| 16 ++
 src/openvpn/options.h|  2 ++
 src/openvpn/push.c   |  9 +-
 src/openvpn/ssl.c|  6 
 src/openvpn/ssl_common.h | 11 +++
 src/openvpn/ssl_verify.c | 83 
 11 files changed, 167 insertions(+), 19 deletions(-)

-- 
1.8.3.1


--
Check out the vibrant tech community on one of the world's most 
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
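The server-side re-authentication flow the cover letter describes (the pushed token stands in for the password, an optional lifetime, and a full reconnect after any failure), as an added stand-alone C model that is not OpenVPN's code: `struct client_auth`, `store_token()`, `verify_token()`, `drop_token()` and the `TOKEN_*` results are assumed names chosen to mirror the series, the token text is assumed to have been generated already (PATCH 3/5 base64-encodes 32 random bytes, giving 44 characters), and the test feeds it a constructed value. Unlike the posted patch, it checks the password length before the constant-time compare.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define AUTH_TOKEN_B64_LEN 44 /* base64 text of a 32-byte (256-bit) token, without NUL */

/* Per-client server state mirroring the fields the series adds to tls_multi
 * (assumed names; this is a stand-alone model, not OpenVPN's code). */
struct client_auth {
    char  *auth_token;        /* base64 text of the random token, or NULL */
    bool   auth_token_sent;   /* set once the token has been pushed to the client */
    time_t auth_token_tstamp; /* generation time, used by the optional lifetime */
};

enum token_result { TOKEN_OK, TOKEN_NOT_ISSUED, TOKEN_EXPIRED, TOKEN_MISMATCH };

/* As memcmp(), but constant-time: the helper PATCH 1/5 makes generally available. */
static int memcmp_constant_time(const void *a, const void *b, size_t size)
{
    const uint8_t *a1 = a, *b1 = b;
    int ret = 0;
    for (size_t i = 0; i < size; i++)
        ret |= a1[i] ^ b1[i];
    return ret;
}

/* Wipe the whole token text (not just 32 bytes of it) and forget it for good. */
static void drop_token(struct client_auth *c)
{
    if (c->auth_token) {
        memset(c->auth_token, 0, strlen(c->auth_token));
        free(c->auth_token);
        c->auth_token = NULL;
    }
    c->auth_token_sent = false;
}

/* Keep a freshly generated token (already base64 text, as PATCH 3/5 produces it)
 * after a successful user/password authentication.  Rejects a wrong-sized token. */
static bool store_token(struct client_auth *c, const char *b64, time_t now)
{
    if (strlen(b64) != AUTH_TOKEN_B64_LEN)
        return false;
    drop_token(c);
    c->auth_token = malloc(AUTH_TOKEN_B64_LEN + 1);
    if (!c->auth_token)
        return false;
    memcpy(c->auth_token, b64, AUTH_TOKEN_B64_LEN + 1);
    c->auth_token_tstamp = now;
    return true;
}

/* Re-authentication with what the client sent in the password field; TOKEN_NOT_ISSUED
 * means "fall through to the normal user/password verification". */
static enum token_result verify_token(struct client_auth *c, const char *password,
                                      int lifetime, time_t now)
{
    if (!c->auth_token || !c->auth_token_sent)
        return TOKEN_NOT_ISSUED;
    if (lifetime > 0 && c->auth_token_tstamp + lifetime < now) {
        drop_token(c);                          /* client must do a full reconnect */
        return TOKEN_EXPIRED;
    }
    size_t tlen = strlen(c->auth_token);
    /* Lengths first: comparing only strlen(token) bytes would read past a shorter password
     * and accept one that merely starts with the token.  The token length is fixed. */
    if (strlen(password) != tlen || memcmp_constant_time(c->auth_token, password, tlen) != 0) {
        drop_token(c);
        return TOKEN_MISMATCH;
    }
    return TOKEN_OK;
}
```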


[Openvpn-devel] [PATCH 3/5] auth-gen-token: Generate an auth-token per client

2016-10-13 Thread David Sommerseth
When --auth-gen-token is used a random token key is generated for
each client after a successful user/password authentication.  This
token is expected to be returned in the password field on the
following authentications.

The token is 256 bits long and BASE64 encoded before it is stored.

Signed-off-by: David Sommerseth 
---
 src/openvpn/ssl.c|  6 ++
 src/openvpn/ssl_common.h |  6 ++
 src/openvpn/ssl_verify.c | 33 +
 3 files changed, 45 insertions(+)

diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index c7cf78d..54b6686 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -1173,6 +1173,12 @@ tls_multi_free (struct tls_multi *multi, bool clear)
 
   cert_hash_free (multi->locked_cert_hash_set);
 
+  if (multi->auth_token)
+{
+  memset (multi->auth_token, 0, AUTH_TOKEN_SIZE);
+  free (multi->auth_token);
+}
+
   for (i = 0; i < TM_SIZE; ++i)
 tls_session_free (>session[i], false);
 
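Review bot: the memset() in tls_multi_free clears only AUTH_TOKEN_SIZE (32) bytes of multi->auth_token, but the field holds the base64 text of 32 random bytes, which is longer (this patch's own ssl_verify.c hunk notes that the encoded token is longer than the input), so the tail of the token survives in freed memory. Wipe strlen(multi->auth_token) bytes (or the allocation length) before free(); since the same memset/free/NULL sequence is repeated in ssl_verify.c, a small helper would keep the copies in step.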
diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h
index 60121db..1b90c5e 100644
--- a/src/openvpn/ssl_common.h
+++ b/src/openvpn/ssl_common.h
@@ -351,6 +351,7 @@ struct tls_options
 /** @} name Index of key_state objects within a tls_session structure */
 /** @} addtogroup control_processor */
 
+#define AUTH_TOKEN_SIZE 32  /**< Size of server side generated auth 
tokens.  32 bytes == 256 bits */
 
 /**
  * Security parameter state of a single session within a VPN tunnel.
@@ -525,6 +526,11 @@ struct tls_multi
   uint32_t peer_id;
   bool use_peer_id;
 
+  char *auth_token;  /** If server sends a generated auth-token,
+  * this is the token to use for future
+  * user/pass authentications in this session.
+  */
+  time_t auth_token_tstamp; /**< timestamp of the generated token */
   /*
* Our session objects.
*/
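Review bot: the doc comment on auth_token opens with `/**` instead of the trailing `/**<` form used for auth_token_tstamp and the rest of this struct, so doxygen attaches it to the wrong member. It should also say that the field holds base64 text rather than AUTH_TOKEN_SIZE raw bytes, because the length used to wipe it elsewhere in the series follows from that.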
diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c
index d0c22b8..24ec56e 100644
--- a/src/openvpn/ssl_verify.c
+++ b/src/openvpn/ssl_verify.c
@@ -39,6 +39,8 @@
 
 #include "misc.h"
 #include "manage.h"
+#include "otime.h"
+#include "base64.h"
 #include "ssl_verify.h"
 #include "ssl_verify_backend.h"
 
@@ -1174,6 +1176,37 @@ verify_user_pass(struct user_pass *up, struct tls_multi 
*multi,
   if (man_def_auth != KMDA_UNDEF)
ks->auth_deferred = true;
 #endif
+
+  if ((session->opt->auth_generate_token) && (NULL == multi->auth_token))
+   {
+ /* Server is configured with --auth-gen-token but no token has yet 
been
+  * generated for this client.  Generate one and save it.
+  */
+ uint8_t tok[AUTH_TOKEN_SIZE];
+
+ if (!rand_bytes(tok, AUTH_TOKEN_SIZE))
+   {
+ msg( M_FATAL, "Failed to get enough randomness for authentication 
token");
+   }
+
+ /* The token should be longer than the input when being base64 
encoded*/
+ if( openvpn_base64_encode(tok, AUTH_TOKEN_SIZE, >auth_token) < 
AUTH_TOKEN_SIZE)
+   {
+ msg(D_TLS_ERRORS, "BASE64 encoding of token failed.  No 
auth-token will be activated now");
+ if (multi->auth_token)
+   {
+ memset (multi->auth_token, 0, AUTH_TOKEN_SIZE);
+ free (multi->auth_token);
+ multi->auth_token = NULL;
+   }
+   }
+ else
+   {
+ multi->auth_token_tstamp = now;
+ dmsg (D_SHOW_KEYS, "Generated token for client: %s", 
multi->auth_token);
+   }
+   }
+
   if ((session->opt->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME))
set_common_name (session, up->username);
 #ifdef ENABLE_DEF_AUTH
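Review bot: the raw random bytes in tok[] stay on the stack after openvpn_base64_encode() has copied them out; clear the array before leaving the block. In the error branch, memset(multi->auth_token, 0, AUTH_TOKEN_SIZE) covers only 32 of the bytes the encoded string occupies, even though the comment just above says the output is longer than the input. Two further points: this block runs immediately after ks->auth_deferred may have been set, so confirm a token cannot be generated (and later pushed) before a deferred plugin verification has actually succeeded; and dmsg(D_SHOW_KEYS, ...) prints the token itself, which is a usable credential for the token lifetime, so it must stay behind that debug level.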
-- 
1.8.3.1




[Openvpn-devel] [PATCH 1/5] Move memcmp_constant_time() to crypto.h

2016-10-13 Thread David Sommerseth
This function is quite useful other places, so make it generally
accessible.

Signed-off-by: David Sommerseth 
---
 src/openvpn/crypto.c | 18 --
 src/openvpn/crypto.h | 18 ++
 2 files changed, 18 insertions(+), 18 deletions(-)

diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index 3dd4a9e..026d9ae 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -66,24 +66,6 @@
 #define CRYPT_ERROR(format) \
   do { msg (D_CRYPT_ERRORS, "%s: " format, error_prefix); goto error_exit; } 
while (false)
 
-/**
- * As memcmp(), but constant-time.
- * Returns 0 when data is equal, non-zero otherwise.
- */
-static int
-memcmp_constant_time (const void *a, const void *b, size_t size) {
-  const uint8_t * a1 = a;
-  const uint8_t * b1 = b;
-  int ret = 0;
-  size_t i;
-
-  for (i = 0; i < size; i++) {
-  ret |= *a1++ ^ *b1++;
-  }
-
-  return ret;
-}
-
 static void
 openvpn_encrypt_aead (struct buffer *buf, struct buffer work,
 struct crypto_options *opt) {
diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h
index 3b6bb98..9ae0610 100644
--- a/src/openvpn/crypto.h
+++ b/src/openvpn/crypto.h
@@ -476,6 +476,24 @@ void get_tls_handshake_key (const struct key_type 
*key_type,
  * Inline functions
  */
 
+/**
+ * As memcmp(), but constant-time.
+ * Returns 0 when data is equal, non-zero otherwise.
+ */
+static int
+memcmp_constant_time (const void *a, const void *b, size_t size) {
+  const uint8_t * a1 = a;
+  const uint8_t * b1 = b;
+  int ret = 0;
+  size_t i;
+
+  for (i = 0; i < size; i++) {
+  ret |= *a1++ ^ *b1++;
+  }
+
+  return ret;
+}
+
 static inline bool
 key_ctx_bi_defined(const struct key_ctx_bi* key)
 {
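Review bot: the function is moved into the header as plain `static int`, not `static inline`, so every translation unit including crypto.h gets its own copy and an unused-function warning wherever it is not called; declare it `static inline` like the neighbouring key_ctx_bi_defined(). The comment could also state that the caller must guarantee both buffers are at least `size` bytes long, which matters once string-valued callers such as PATCH 5/5 use it.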
-- 
1.8.3.1




[Openvpn-devel] [PATCH 2/5] auth-gen-token: Add --auth-gen-token option

2016-10-13 Thread David Sommerseth
This sets the flag if the OpenVPN server should create authentication
tokens on-the-fly on successful --auth-user-pass-verify or --plugin with
OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY processing.

If an OpenVPN server is running without this option, it should behave
as before.  Next patches will implement the auth-token generation and
passing it on to the clients.

The --auth-gen-token can be given an optional integer argument which
defines the lifetime of generated tokens.  The lifetime argument
must be given in number of seconds.

Signed-off-by: David Sommerseth 
---
 doc/openvpn.8| 16 
 src/openvpn/init.c   |  2 ++
 src/openvpn/options.c| 16 
 src/openvpn/options.h|  2 ++
 src/openvpn/ssl_common.h |  3 +++
 5 files changed, 39 insertions(+)

diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 1c341ae..521bd9b 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -3595,6 +3595,22 @@ For a sample script that performs PAM authentication, see
 in the OpenVPN source distribution.
 .\"*
 .TP
+.B \-\-auth\-gen\-token [lifetime]
+After successful user/password authentication, the OpenVPN
+server will with this option generate a temporary
+authentication token and push that to client.  On the following
+renegotiations, the OpenVPN client will pass this token instead
+of the users password.  On the server side the server will do
+the token authentication internally and it will NOT do any
+additional authentications against configured external
+user/password authentication mechanisms.
+
+This feature is useful for environments which is configured
+to use One Time Passwords (OTP) as part of the user/password
+authentications and that authentication mechanism does not
+implement any auth-token support.
+.\"*
+.TP
 .B \-\-opt\-verify
 Clients that connect with options that are incompatible
 with those of the server will be disconnected.
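Review bot: the heading advertises an optional [lifetime] argument but the text never explains it (the commit message says it is a number of seconds, after which the token is rejected and the client must authenticate with the password again); add that sentence. Wording: "push that to client" should read "push that to the client", "environments which is configured" should read "environments which are configured", and "users password" should read "user's password".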
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index cc8e945..5a8cb1f 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -2427,6 +2427,8 @@ do_init_crypto_tls (struct context *c, const unsigned int 
flags)
   if (options->ccd_exclusive)
 to.client_config_dir_exclusive = options->client_config_dir;
   to.auth_user_pass_file = options->auth_user_pass_file;
+  to.auth_generate_token = options->auth_generate_token;
+  to.auth_token_lifetime = options->auth_token_lifetime;
 #endif
 
   to.x509_track = options->x509_track;
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 1ed14b0..1037619 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -445,6 +445,11 @@ static const char usage_message[] =
   "  run command cmd to verify.  If method='via-env', pass\n"
   "  user/pass via environment, if method='via-file', pass\n"
   "  user/pass via temporary file.\n"
+  "--auth-gen-token  [lifetime] Generate a random authentication token which 
is pushed\n"
+  "  to each client, replacing the password.  Usefull when\n"
+  "  OTP based two-factor auth mechanisms are in use and\n"
+  "  --reneg-* options are enabled. Optionally a lifetime in 
seconds\n"
+  "  for generated tokens can be set.\n"
   "--opt-verify: Clients that connect with options that are incompatible\n"
   "  with those of the server will be disconnected.\n"
   "--auth-user-pass-optional : Allow connections by clients that don't\n"
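Review bot: "Usefull" should be "Useful". The new entry is laid out as "--auth-gen-token  [lifetime] Generate ..." while the neighbouring entries use the "--opt-verify: ..." / "--auth-user-pass-optional : ..." shape; match the existing layout so the usage text lines up.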
@@ -864,6 +869,7 @@ init_options (struct options *o, const bool init_gc)
 #ifdef ENABLE_PKCS11
   o->pkcs11_pin_cache_period = -1;
 #endif /* ENABLE_PKCS11 */
+  o->auth_generate_token = false;
 
 /* tmp is only used in P2MP server context */
 #if P2MP_SERVER
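Review bot: only auth_generate_token gets an explicit default here; auth_token_lifetime is not set, although show_p2mp_parms() prints it with SHOW_INT in this same patch. Initialise it to 0 beside the bool so the "no lifetime" default is stated once instead of relying on the earlier clearing of the struct.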
@@ -1264,6 +1270,8 @@ show_p2mp_parms (const struct options *o)
   SHOW_INT (max_routes_per_client);
   SHOW_STR (auth_user_pass_verify_script);
   SHOW_BOOL (auth_user_pass_verify_script_via_file);
+  SHOW_BOOL (auth_generate_token);
+  SHOW_INT (auth_token_lifetime);
 #if PORT_SHARE
   SHOW_STR (port_share_host);
   SHOW_STR (port_share_port);
@@ -2194,6 +2202,8 @@ options_postprocess_verify_ce (const struct options 
*options, const struct conne
  "tcp-nodelay in the server configuration instead.");
   if (options->auth_user_pass_verify_script)
msg (M_USAGE, "--auth-user-pass-verify requires --mode server");
+  if (options->auth_generate_token)
+   msg (M_USAGE, "--auth-gen-token requires --mode server");
 #if PORT_SHARE
   if (options->port_share_host || options->port_share_port)
msg (M_USAGE, "--port-share requires TCP server mode (--mode server 
--proto tcp-server)");
@@ -5973,6 +5983,12 @@ add_option (struct options *options,
   >auth_user_pass_verify_script,
   p[1], "auth-user-pass-verify", true);
  

[Openvpn-devel] [PATCH 5/5] auth-gen-token: Authenticate generated auth-tokens when client re-authenticates

2016-10-13 Thread David Sommerseth
On a server with --auth-gen-token enabled, the server will have created
a random token and pushed it to the client.  When the client needs to
renegotiate the connection or otherwise reconnect, it will at this point
use the auth-token as password.

Here we check if we have a token generated and that it has been pushed
to the client; if so, we check if the token matches the locally
stored token.  If everything matches, we're done and the connection
is still authenticated.

If the auth-token authentication fails, we delete our local copy of
the token and change the connection to not being authenticated.  From
this moment on, the client needs to do a full reconnect providing
the user's password again.

This token authentication also considers the token lifetime, if that
has been set via --auth-gen-token.  If the token has expired, the
client is rejected and needs to do a full reconnect with a new
authentication using the user's password.

Signed-off-by: David Sommerseth 
---
 src/openvpn/ssl_verify.c | 50 
 1 file changed, 50 insertions(+)

diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c
index 24ec56e..aa982e4 100644
--- a/src/openvpn/ssl_verify.c
+++ b/src/openvpn/ssl_verify.c
@@ -1139,6 +1139,55 @@ verify_user_pass(struct user_pass *up, struct tls_multi 
*multi,
   string_mod_remap_name (up->username, COMMON_NAME_CHAR_CLASS);
   string_mod (up->password, CC_PRINT, CC_CRLF, '_');
 
+  /* If server is configured with --auth-gen-token and we have an
+   * authentication token for this client, base this authentication round
+   * based on this token instead.
+   */
+  if (session->opt->auth_generate_token && multi->auth_token_sent && NULL != 
multi->auth_token)
+{
+  /* Ensure that the username have not changed */
+  if (!tls_lock_username(multi, up->username))
+{
+  ks->authenticated = false;
+  goto done;
+}
+
+  /* If auth-token lifetime have been enabled, ensure the token is still 
valid */
+  if (session->opt->auth_token_lifetime > 0
+  && (multi->auth_token_tstamp + session->opt->auth_token_lifetime) < 
now )
+{
+  msg (D_HANDSHAKE, "Auth-token for client expired\n");
+  ks->authenticated = false;
+  goto done;
+}
+
+  if (memcmp_constant_time(multi->auth_token, up->password,
+ strlen(multi->auth_token)) != 0)
+{
+  memset (multi->auth_token, 0, AUTH_TOKEN_SIZE);
+  free (multi->auth_token);
+  multi->auth_token = NULL;
+  multi->auth_token_sent = false;
+  ks->authenticated = false;
+  tls_deauthenticate (multi);
+
+  msg (D_TLS_ERRORS, "TLS Auth Error: Auth token verification failed 
for username '%s' %s",
+   up->username,
+   (session->opt->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME) ? "[CN 
SET]" : "");
+}
+  else
+{
+  ks->authenticated = true;
+
+  if ((session->opt->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME))
+set_common_name (session, up->username);
+  msg (D_HANDSHAKE, "TLS: Username/auth-token authentication succeeded 
for username '%s' %s",
+   up->username,
+   (session->opt->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME) ? "[CN 
SET]" : "");
+}
+  goto done;
+}
+
   /* call plugin(s) and/or script */
 #ifdef MANAGEMENT_DEF_AUTH
   if (man_def_auth == KMDA_DEF)
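Review bot: memcmp_constant_time() is given strlen(multi->auth_token) as the length but up->password as the second buffer, so a shorter password is compared past its terminating NUL and a longer one is accepted as long as it begins with the token; check strlen(up->password) == strlen(multi->auth_token) first (the token length is fixed, so that test reveals nothing) and only then run the constant-time compare. The expired branch sets ks->authenticated = false but, unlike the mismatch branch, neither wipes and frees the token nor calls tls_deauthenticate(multi); sharing one cleanup path would make both failures behave the same. Minor: "Auth-token for client expired\n" ends in a newline while the other msg() strings in this hunk do not.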
@@ -1226,6 +1275,7 @@ verify_user_pass(struct user_pass *up, struct tls_multi 
*multi,
   msg (D_TLS_ERRORS, "TLS Auth Error: Auth Username/Password verification 
failed for peer");
 }
 
+ done:
   gc_free ();
 }
 
-- 
1.8.3.1




Re: [Openvpn-devel] [PATCH applied] Change the hold command to communicate the time that OpenVPN would wait to the UI.

2016-10-13 Thread David Sommerseth

Your patch has been applied to the master branch

commit 396d30c264e6cb6b9f57c3e566f3b7187662
Author: Arne Schwabe
Date:   Wed Oct 12 12:47:07 2016 +0200

 Change the hold command to communicate the time that OpenVPN would wait to 
the UI.

 Acked-by: Selva Nair 
 Message-Id: <1476269227-13290-1-git-send-email-a...@rfc2549.org>
 URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12675.html
 Signed-off-by: David Sommerseth 


-- 
kind regards,

David Sommerseth




Re: [Openvpn-devel] [PATCH v4] Remove tun-ipv6 Option. Instead assume that IPv6 is always supported.

2016-10-13 Thread David Sommerseth

On 12/10/16 11:13, Arne Schwabe wrote:
> This option was useful when Ipv6 tun support was non standard and
> was an internal/user specified flag that tracked the Ipv6
> capability of the tun device.
> 
> All supported OS support IPv6. Also tun-ipv6 is pushable by the
> remote so not putting tun-ipv6 does not forbid ipv6 addresses.
> 
> This commit also clean up a bit of the ipv6 related tun.c. Changes
> for most platforms are minimal.
> 
> For linux a bit more cleanup is done: - Remove compatibility
> defines that were added 2008 - Always use IFF_NO_PI for the linux
> tun and not only for IPv4 only tun setups (Android also always
> IFF_NO_PI works fine with Ipv6).
> 
> This commit also remove a non ipv6 fallback for tap driver from
> OpenVPN 2.2-beta or earlier and only warns.
> 
> Patch V2: Integrate Gert's comments Patch V3: Remove tun_ipv4
> option. It only used for MTU discovery and there it was wrong since
> it should on the transport protocol if at all Patch V4: Completely
> remove support for NetBSD <= 4.0 and remove NETBSD_MULTI_AF
> defines --- Changes.rst   |   3 ++ src/openvpn/forward.c |
> 2 +- src/openvpn/helper.c  |   2 - src/openvpn/init.c|   6 --- 
> src/openvpn/multi.c   |   8 ++- src/openvpn/openvpn.h |   5 -- 
> src/openvpn/options.c |  11 +--- src/openvpn/options.h |   1 - 
> src/openvpn/route.c   |  13 ++--- src/openvpn/tun.c | 139
> +++--- 
> src/openvpn/tun.h |   2 - 11 files changed, 30 insertions(+),
> 162 deletions(-)
> 
> diff --git a/Changes.rst b/Changes.rst index 9fcba75..2956003
> 100644 --- a/Changes.rst +++ b/Changes.rst @@ -135,6 +135,9 @@
> User-visible Changes ciphers configured in the config file.  Use
> --ncp-disable if you don't want that.
> 
> +- ALl tun devices on all platforms are considered always IPv6
> capable. The --tun-ipv6

Silly typo.  (I would have done this one in-flight, had it not been for
a few other minor things).

[...snip...]
> @@ -4577,7 +4569,6 @@ add_option (struct options *options, else if
> (streq (p[0], "tun-ipv6") && !p[1]) { VERIFY_PERMISSION
> (OPT_P_UP); -  options->tun_ipv6 = true; }

Should we add a "Deprecated/NO-OP option used." message?

[...snip]

> +++ b/src/openvpn/route.c @@ -1729,10 +1729,10 @@ add_route_ipv6
> (struct route_ipv6 *r6, const struct tuntap *tt, unsigned int fla 
> } #endif
> 
> -  if ( !tt->ipv6 ) +  if (!tt->did_ifconfig_ipv6_setup) { -
> msg( M_INFO, "add_route_ipv6(): not adding %s/%d, no IPv6 on if
> %s", -network, r6->netbits, device ); +  msg( M_INFO,
> "add_route_ipv6(): not adding %s/%d, no IPv6 ifconfig on if %s", +
> network, r6->netbits, device);

Wouldn't it be nicer if we said "no IPv6 address configured on
interface %s"?  Just trying to be slightly more user friendly in the
logs.

> --- a/src/openvpn/tun.c +++ b/src/openvpn/tun.c @@ -741,8 +741,8 @@
> do_ifconfig (struct tuntap *tt,
> 
> argv_init ();
> 
> -  msg( M_INFO, "do_ifconfig, tt->ipv6=%d,
> tt->did_ifconfig_ipv6_setup=%d", -   tt->ipv6,
> tt->did_ifconfig_ipv6_setup ); +  msg( M_INFO, "do_ifconfig,
> tt->did_ifconfig_ipv6_setup=%d", +
> tt->did_ifconfig_ipv6_setup );

While we're changing log lines ... could we make this one a bit less
technical, or at least increase the verb level if we want it to be so
technical?  Again, just to be more user friendly.

[...snip...]

> @@ -1526,7 +1513,7 @@ open_tun_generic (const char *dev, const char
> *dev_type, const char *dev_node, bool dynamic_opened = false;
> 
> 
> -  if ( tt->ipv6 && ! ipv6_explicitly_supported ) +  if (  !
> ipv6_explicitly_supported ) msg (M_WARN, "NOTE: explicit support
> for IPv6 tun devices is not provided for this OS");

Isn't this if() block a NOOP?

$ git grep -Hni ipv6_explicitly_supported
src/openvpn/tun.c:1521:  bool ipv6_explicitly_supported, bool dynamic,
src/openvpn/tun.c:1529:  if ( tt->ipv6 && ! ipv6_explicitly_supported )

Could we kill this as well?


[...snip...]
> @@ -1977,53 +1940,13 @@ close_tun (struct tuntap *tt) int write_tun
> (struct tuntap* tt, uint8_t *buf, int len) { -  if (tt->ipv6) -
> { -  struct tun_pi pi; -  struct iphdr *iph; -  struct
> iovec vect[2]; -  int ret; - -  iph = (struct iphdr *)buf; 
> - -  pi.flags = 0; - -  if(iph->version == 6) -   pi.proto =
> htons(OPENVPN_ETH_P_IPV6); -  else -  pi.proto =
> htons(OPENVPN_ETH_P_IPV4); - -  vect[0].iov_len = sizeof(pi); -
> vect[0].iov_base =  -  vect[1].iov_len = len; -
> vect[1].iov_base = buf; - -  ret = writev(tt->fd, vect, 2); -
> return(ret - sizeof(pi)); -} -  else -return write (tt->fd,
> buf, len); +  return write (tt->fd, buf, len);

whitespace issue.

> }
> 
> int read_tun (struct tuntap* tt, uint8_t *buf, int len) { -  if
> (tt->ipv6) -{ -  struct iovec vect[2]; -  struct tun_pi
> pi; -  int ret; - -  vect[0].iov_len = sizeof(pi); -
> 

Re: [Openvpn-devel] [PATCH v2] Change the hold command to communicate the time that OpenVPN would wait to the UI.

2016-10-13 Thread Gert Doering
Hi,

On Wed, Oct 12, 2016 at 10:46:02PM -0400, Selva Nair wrote:
> Suggest to correct mechansim->mechanism (x2) in commit message during
> merge.

Will do.  (Too busy today, tomorrow or weekend-ish)

Thanks for the review.

gert

-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025g...@net.informatik.tu-muenchen.de

