[Openvpn-devel] [PATCH 0/3] pre-ipv6-only clean up patchset

2018-06-13 Thread Antonio Quartulli
been performed. Antonio Quartulli (3): tun: ensure gc and argv are always freed tun: always pass a valid tt pointer tun: get rid of tt->did_ifconfig member src/openvpn/init.c | 7 +- src/openvpn/tun.c | 442 ++--- src/openvpn/tun.h | 1 -

[Openvpn-devel] [PATCH 1/3] tun: ensure gc and argv are always freed

2018-06-13 Thread Antonio Quartulli
From: Antonio Quartulli Every time an argv object is initialized with argv_new(), it has to be released with argv_reset() once not needed anymore. The same holds for gc_arena objects initialized with gc_new() that have to be released with gc_free(). Ensure both kinds of objects are always

[Openvpn-devel] [PATCH 3/3] tun: get rid of tt->did_ifconfig member

2018-06-13 Thread Antonio Quartulli
From: Antonio Quartulli tt->did_ifconfig is currently only read by the Linux platform, but it is currently uselessly set also by every other system. The Linux platform does not actually even need this member and can directly rely on tt->did_ifconfig_setup. For the reasons above, remove

[Openvpn-devel] [PATCH 2/3] close_tun: always pass a valid tt pointer

2018-06-13 Thread Antonio Quartulli
From: Antonio Quartulli This patch is a small "logic restyle" which basically moves the check against "!tt" outside of the various close_tun() functions and replaces it with an ASSERT. This way the check is done only once and the function can rely on the assumption that

[Openvpn-devel] [PATCH 2/3] tun: always pass a valid tt pointer

2018-06-13 Thread Antonio Quartulli
From: Antonio Quartulli This patch is a small "logic restyle" which basically moves the check for "tt != NULL" outside of the various close_tun() implementations and replaces it with an ASSERT. This way the check is done only once and the function can rely on the assumption

Re: [Openvpn-devel] [PATCH 2/3] close_tun: always pass a valid tt pointer

2018-06-13 Thread Antonio Quartulli
Please ignore this patch. It was just idling there when I did the git send-email. Cheers, -- Antonio Quartulli signature.asc Description: OpenPGP digital signature -- Check out the vibrant tech community on one of

Re: [Openvpn-devel] [PATCH 2/3] tun: always pass a valid tt pointer

2018-06-13 Thread Antonio Quartulli
Hi, On 13/06/18 19:28, Gert Doering wrote: > Hi, > > On Wed, Jun 13, 2018 at 04:12:17PM +0800, Antonio Quartulli wrote: >> From: Antonio Quartulli >> >> This patch is a small "logic restyle" which basically moves the >> check for &q

Re: [Openvpn-devel] [PATCH 3/3] tun: get rid of tt->did_ifconfig member

2018-06-13 Thread Antonio Quartulli
On 13/06/18 19:29, Gert Doering wrote: > Hi, > > On Wed, Jun 13, 2018 at 04:12:18PM +0800, Antonio Quartulli wrote: >> From: Antonio Quartulli >> >> tt->did_ifconfig is currently only read by the Linux platform, but >> it is currently usel

Re: [Openvpn-devel] [PATCH 1/3] tun: ensure gc and argv are always freed

2018-06-13 Thread Antonio Quartulli
Hi, On 13/06/18 19:06, Gert Doering wrote: > Hi, > > On Wed, Jun 13, 2018 at 04:12:15PM +0800, Antonio Quartulli wrote: >> From: Antonio Quartulli >> >> Every time an argv object is initialized with argv_new(), it has >> to be released with argv_reset() once n

[Openvpn-devel] [PATCH v2 1/3] tun: ensure gc and argv are properly handled

2018-06-13 Thread Antonio Quartulli
From: Antonio Quartulli Every time an argv object is initialized with argv_new(), it has to be released with argv_reset() once not needed anymore. Ensure objects of this kind are always properly released to avoid memory leaks. At the same time, remove those gc_arena objects that are initialized

[Openvpn-devel] [PATCH v2 2/3] tun: always pass a valid tt pointer

2018-06-13 Thread Antonio Quartulli
From: Antonio Quartulli This patch is a small "logic restyle" which basically moves the check for "tt != NULL" outside of the various close_tun() implementations and replaces it with an ASSERT. This way the check is done only once and the function can rely on the assumption

[Openvpn-devel] [PATCH v2 3/3] tun: get rid of tt->did_ifconfig member

2018-06-13 Thread Antonio Quartulli
From: Antonio Quartulli tt->did_ifconfig is currently only read by the Linux platform, but it is currently uselessly set also by every other system. The Linux platform does not actually even need this member and can directly rely on tt->did_ifconfig_setup. For the reasons above, remove

[Openvpn-devel] [PATCH v2 0/3] pre-ipv6-only clean up patchset

2018-06-13 Thread Antonio Quartulli
s are reported in each patch. Cheers, p.s. buildbot is currently unusable due to the ongoing maintenance on the OpenVPN servers and therefore only local tests have been performed. Antonio Quartulli (3): tun: ensure gc and argv are properly handled tun: always pass a valid tt pointer tun: get r

[Openvpn-devel] [PATCH v4 1/8] tun: ensure interface can be configured with IPv6 only

2018-06-13 Thread Antonio Quartulli
From: Antonio Quartulli This change ensures that an interface is properly brought up and down even when only IPv6 settings are configured/pushed. At the same time, some code restyling took place to ensure the new generic logic is easier to read. Both do_ifconfig() and close_tun() (Linux only

[Openvpn-devel] [PATCH v3 2/8] windows: properly configure TAP driver when no IPv4 is configured

2018-06-13 Thread Antonio Quartulli
From: Antonio Quartulli This patch ensures that the TAP driver on a Windows host is still configured, even though no IPv4 has been provided. In this case the TAP driver ioctl will be invoked with a fake 0.0.0.0/0.0.0.0 IPv4 which will simply start the interface and get it to a working state

Re: [Openvpn-devel] [PATCH 01/10] Add crypto_pem_{encode,decode}()

2018-06-15 Thread Antonio Quartulli
omment above a copy/paste incident? or there is something hidden in this unit test? > +static void > +crypto_pem_encode_decode_loopback(void **state) { > +struct gc_arena gc = gc_new(); > +struct buffer src_buf; > +buf_set_read(&src_buf, (void *)testtext, sizeof(testtext)); &g

Re: [Openvpn-devel] [PATCH 08/10] Move file-related functions from misc.c to platform.c

2018-06-15 Thread Antonio Quartulli
dir_exclusive, > + cn, &gc); > +if (!cn || !strcmp(cn, CCD_DEFAULT) || !platform_test_file(path)) > { > ks->authenticated = false; >

Re: [Openvpn-devel] [PATCH 09/10] Move execve/run_script helper functions to run_command.c

2018-06-15 Thread Antonio Quartulli
ow about re-arranging this patch (maybe by making it the first patch in the set) so that you don't need to do and undo the same code? Does it make sense? Cheers, -- Antonio Quartulli

[Openvpn-devel] [PATCH v5 1/8] tun: ensure interface can be configured with IPv6 only

2018-06-18 Thread Antonio Quartulli
From: Antonio Quartulli This change ensures that an interface is properly brought up and down even when only IPv6 settings are configured/pushed. At the same time, some code restyling took place to ensure the new generic logic is easier to read. Both do_ifconfig() and close_tun() (Linux only

Re: [Openvpn-devel] [PATCH] openvpn: Add missing OpenSSL includes

2018-06-21 Thread Antonio Quartulli
cated-APIs-disable.patch | 148 ++ Was this patch committed by accident? Cheers, -- Antonio Quartulli

Re: [Openvpn-devel] [PATCH v3 2/8] windows: properly configure TAP driver when no IPv4 is configured

2018-06-22 Thread Antonio Quartulli
to understand what is different from what Selva tested. In the meantime, you have the full log attached to this email in case somebody wants to give it a look. Cheers, -- Antonio Quartulli Fri Jun 22 13:43:48 2018 us=883035 Current Parameter Settings: Fri Jun 22 13:43:48 2018 us=883535 config

Re: [Openvpn-devel] [PATCH 01/10] Add crypto_pem_{encode,decode}()

2018-06-22 Thread Antonio Quartulli
> some bug) we won't be able to realize that. >> >> However, I am not sure we have an easy way to check that..maybe you >> could use some SSL function that would normally load PEM data? > > That is a bit annoying to test indeed. How about I just verify that > this

Re: [Openvpn-devel] [PATCH v3 2/8] windows: properly configure TAP driver when no IPv4 is configured

2018-06-22 Thread Antonio Quartulli
Hi, On 22/06/18 17:46, Gert Doering wrote: > Hi, > > On Fri, Jun 22, 2018 at 03:27:02PM +0800, Antonio Quartulli wrote: >> Fri Jun 22 13:43:51 2018 us=116232 PUSH: Received control message: >> 'PUSH_REPLY,redirect-gateway !ipv4 ipv6,tun-ipv6,ping 10,ping-restart >&

[Openvpn-devel] [PATCH] route: fix format string passed to argv_printf

2018-06-22 Thread Antonio Quartulli
Signed-off-by: Antonio Quartulli --- src/openvpn/route.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/openvpn/route.c b/src/openvpn/route.c index a45a273a..209daeab 100644 --- a/src/openvpn/route.c +++ b/src/openvpn/route.c @@ -1616,7 +1616,7 @@ add_route(struct

Re: [Openvpn-devel] [PATCH] route: fix format string passed to argv_printf

2018-06-22 Thread Antonio Quartulli
int DWORD variables in several spots and we always cast them to int or unsigned int. However, if we believe supporting %lu can be more useful, I can do that. Last opinion? :) Cheers, -- Antonio Quartulli

Re: [Openvpn-devel] [PATCH] route: fix format string passed to argv_printf

2018-06-22 Thread Antonio Quartulli
ink all the arguments are valid - that is just the right thing in this case so we can avoid shortcut/forced casts. Will send v2 with this change included. Thanks all! Cheers, -- Antonio Quartulli

Re: [Openvpn-devel] [PATCH v3 2/8] windows: properly configure TAP driver when no IPv4 is configured

2018-06-22 Thread Antonio Quartulli
Ethernet 2" is the TAP interface". My gut says that the issue might be related to "gateway-redirect", because only 8/8 makes sure that no logic is activated for IPv4 and without that patch there might be some IPv4 route being installed nonetheless. Cheers, -- Antonio Quartulli

[Openvpn-devel] [PATCH v2] add support for %lu in argv_printf and prevent ASSERT

2018-06-22 Thread Antonio Quartulli
%lu is not supported by our tiny argv_printf implementation, therefore it will trigger an ASSERT() when parsing it at route.c:1638. Add support for '%lu' in argv_print() and prevent the ASSERT from being triggered. Signed-off-by: Antonio Quartulli --- It seems I managed to trigger t

Re: [Openvpn-devel] [PATCH v3 2/8] windows: properly configure TAP driver when no IPv4 is configured

2018-06-22 Thread Antonio Quartulli
path. > > But not very critical as the assert is fixed and route errors are not FATAL. > If you like the argv patch v2, would you mind giving your blessing? :-) Thanks! Cheers, > -- Antonio Quartulli

Re: [Openvpn-devel] [PATCH] Add %d, %u and %lu tests to test_argv unit tests.

2018-06-23 Thread Antonio Quartulli
r, "%lu", -1L) > I just recommended something similar on IRC. I think it would make sense to "validate" argv_printf* against sprintf. Not just for %lu but also for the other formats. This way we know our code is doing what sprintf would also do. Cheers, -- Ant

[Openvpn-devel] [PATCH v4 2/8] windows: properly configure TAP driver when no IPv4 is configured

2018-06-23 Thread Antonio Quartulli
From: Antonio Quartulli This patch ensures that the TAP driver on a Windows host is still configured, even though no IPv4 has been provided. In this case the TAP driver ioctl will be invoked with a fake 0.0.0.0/0.0.0.0 IPv4 which will simply start the interface and get it to a working state

[Openvpn-devel] [PATCH v3 4/8] pool: allow to configure an IPv6-only ifconfig-pool

2018-06-23 Thread Antonio Quartulli
From: Antonio Quartulli With this change a server is allowed to allocate an IPv6-only pool. This is required to make it capable of managing an IPv6-only tunnel. Trac: #208 Signed-off-by: Antonio Quartulli --- Changes from v2: - patchset rebased on top of current master - introduce missing

[Openvpn-devel] [PATCH v3 5/8] allow usage of --server-ipv6 even when no --server is specified

2018-06-23 Thread Antonio Quartulli
From: Antonio Quartulli Until now OpenVPN has not allowed specifying --server-ipv6 if no --server was also set. This constraint comes from the fact that most of the IPv6 logic (i.e. ifconfig-pool handling) relied on IPv4 components to be activated and configured as well. Now that the IPv6 code

Re: [Openvpn-devel] [PATCH v2] travis-ci: cleanup, refactor, upgrade ssl libraries

2018-06-23 Thread Antonio Quartulli
t be wiped after some time? Or do we need to wipe the cache manually? Cheers, -- Antonio Quartulli

Re: [Openvpn-devel] [PATCH v3 4/8] pool: allow to configure an IPv6-only ifconfig-pool

2018-06-23 Thread Antonio Quartulli
Hi, On 24/06/18 04:08, Antonio Quartulli wrote: > From: Antonio Quartulli > > With this change a server is allowed to allocate an > IPv6-only pool. This is required to make it capable > of managing an IPv6-only tunnel. After discussing with Gert, I'd say that maybe this

Re: [Openvpn-devel] [PATCHv2] openvpn: Add missing OpenSSL includes

2018-06-24 Thread Antonio Quartulli
> #include > #endif > diff --git a/src/openvpn/ssl_verify_openssl.c > b/src/openvpn/ssl_verify_openssl.c > index 9b984751..82460ae7 100644 > --- a/src/openvpn/ssl_verify_openssl.c > +++ b/src/openvpn/ssl_verify_openssl.c > @@ -46,6 +46,7 @@ > > #include &g

Re: [Openvpn-devel] [PATCH v3 1/2] crypto: always reload tls-auth/crypt key contexts

2018-06-24 Thread Antonio Quartulli
Hi, On 05/06/18 16:14, Antonio Quartulli wrote: > In preparation to having tls-auth/crypt keys per connection > block, it is important to ensure that such material is always > reloaded upon SIGUSR1, no matter if `persist-key` was specified > or not. > > This is required becaus

Re: [Openvpn-devel] [PATCH v3 1/2] crypto: always reload tls-auth/crypt key contexts

2018-06-26 Thread Antonio Quartulli
Hi, On 27/06/18 05:33, David Sommerseth wrote: > On 05/06/18 10:14, Antonio Quartulli wrote: >> In preparation to having tls-auth/crypt keys per connection >> block, it is important to ensure that such material is always >> reloaded upon SIGUSR1, no matter if `persist-key` wa

Re: [Openvpn-devel] [PATCH] Extend push-remove to also handle 'ifconfig'.

2018-06-30 Thread Antonio Quartulli
d = true; > +return; > +} > + > /* ifconfig-ipv6 is special, as not part of the push list */ > if (streq( p, "ifconfig-ipv6" )) > { > Once the small style glitches above, I can give this patch my ACK. I tested with my small environme

Re: [Openvpn-devel] [PATCH] Remove deprecated plugin functions from code samples

2018-06-30 Thread Antonio Quartulli
> > diff --git a/sample/sample-plugins/simple/simple.def > b/sample/sample-plugins/simple/simple.def > index > a87507d1fdc0f0bfd0434de577a818ef0cc62afb..556f362308bc6ce81829253f7a7fae9898be221a > 100755 > --- a/sample/sample-plugins/simple/simple.def > +++ b/sample/sample-plugins/simple/

Re: [Openvpn-devel] [PATCH] Remove deprecated plugin functions from code samples

2018-06-30 Thread Antonio Quartulli
On 01/07/18 05:08, Greg Cox wrote: > On Sat, Jun 30, 2018 at 5:49 PM, Antonio Quartulli wrote: > >> I'd remove the last paragraph and the greetings from the commit message. >> But this might be done at commit time. >> > > ​It was unclear how to handle &qu

Re: [Openvpn-devel] [PATCH] Extend push-remove to also handle 'ifconfig'.

2018-07-01 Thread Antonio Quartulli
-remove" statements somewhere and then checking > in push_option_ex()) > > Trac: #1072 > > Signed-off-by: Gert Doering > > --- > v2: style changes, manpage note about exact match Acked-by: Antonio Quartulli -- Antonio Quartulli

Re: [Openvpn-devel] [PATCH] Make up/down script errors not FATAL

2018-07-03 Thread Antonio Quartulli
inux. Does anybody know of a similar mechanism for Windows and macOS? Cheers, -- Antonio Quartulli

Re: [Openvpn-devel] [PATCH v3 1/2] crypto: always reload tls-auth/crypt key contexts

2018-07-03 Thread Antonio Quartulli
Hi, On 27/06/18 09:50, Antonio Quartulli wrote: > Hi, > > On 27/06/18 05:33, David Sommerseth wrote: >> On 05/06/18 10:14, Antonio Quartulli wrote: >>> In preparation to having tls-auth/crypt keys per connection >>> block, it is important to ensure that such mat

Re: [Openvpn-devel] [PATCH] Implement parsing and sending INFO and INFO_PRE control messages

2018-07-03 Thread Antonio Quartulli
rting more features "just because they are supported in openvpn3" does not really sound like a reason to maintain more code on the community side, imho. Cheers, -- Antonio Quartulli

Re: [Openvpn-devel] [PATCH v3 1/2] crypto: always reload tls-auth/crypt key contexts

2018-07-05 Thread Antonio Quartulli
> platform_stat() to figure out the size and get rid of the maxlen > argument, and doesn't throw fatal errors. Feel free to use that > implementation if you like it, or not if you don't (and I'll use yours

Re: [Openvpn-devel] OpenVPN Connect App on IOS // Support for IPv6-only networks with DNS64/NAT64

2018-07-06 Thread Antonio Quartulli
ket on https://community.openvpn.net (you need to create an account) so that we can better track this issue and ask you to provide more details? Thanks! Regards, -- Antonio Quartulli

[Openvpn-devel] [PATCH v4 1/2] crypto: always reload tls-auth/crypt key contexts

2018-07-07 Thread Antonio Quartulli
context needs to be refreshed. To ensure that the `persist-key` logic will still work as expected, the tls-auth/crypt key is pre-loaded so that the keyfile is not required at runtime. Trac: #720 Cc: Steffan Karger Signed-off-by: Antonio Quartulli --- v2: - introduce this patch v3: - add key per

[Openvpn-devel] [PATCH v4 2/2] make tls-auth and tls-crypt per-connection-block options

2018-07-07 Thread Antonio Quartulli
, if any, are used. Trac: #720 Cc: Steffan Karger Signed-off-by: Antonio Quartulli --- v2: - convert tls-auth keyfile to inline key if persist-key was specified v3: - squash 2/3 and 3/3 in one patch to prevent temporary features breakages - restyle code introduced in options_postprocess_mutate_ce

Re: [Openvpn-devel] [PATCH v4 1/2] crypto: always reload tls-auth/crypt key contexts

2018-07-07 Thread Antonio Quartulli
e NULL. > > It *is* passed ? > of course :-) thanks! [cut] > > Otherwise, this looks good. > Cool, thanks! I will send v4 with these small fixes and a unit test for the buf_free_gc() function. Cheers, -- Antonio Quartulli

[Openvpn-devel] [PATCH v5 1/2] crypto: always reload tls-auth/crypt key contexts

2018-07-07 Thread Antonio Quartulli
context needs to be refreshed. To ensure that the `persist-key` logic will still work as expected, the tls-auth/crypt key is pre-loaded so that the keyfile is not required at runtime. Trac: #720 Cc: Steffan Karger Signed-off-by: Antonio Quartulli --- v2: - introduce this patch v3: - add key per

[Openvpn-devel] [PATCH v6 1/2] crypto: always reload tls-auth/crypt key contexts

2018-07-07 Thread Antonio Quartulli
context needs to be refreshed. To ensure that the `persist-key` logic will still work as expected, the tls-auth/crypt key is pre-loaded so that the keyfile is not required at runtime. Trac: #720 Cc: Steffan Karger Signed-off-by: Antonio Quartulli --- v2: - introduce this patch v3: - add key per

Re: [Openvpn-devel] [PATCH v2 2/9] Move execve/run_script helper functions to run_command.c

2018-07-10 Thread Antonio Quartulli
d long lines) and that the access to the security_script variable has been substituted with getter/setter functions. So, with or without the nitpick: Acked-by: Antonio Quartulli Cheers, -- Antonio Quartulli

Re: [Openvpn-devel] [PATCH v2 2/9] Move execve/run_script helper functions to run_command.c

2018-07-10 Thread Antonio Quartulli
On 11/07/18 10:01, Antonio Quartulli wrote: > Other than that little nitpick, the patch looks good. > > Checked with "git show --color-moved" and I could verify that the code > has only been moved (slightly adjusted to avoid long lines) and that the > access to the sec

[Openvpn-devel] [PATCH] socket: make socket_* functions static

2018-07-11 Thread Antonio Quartulli
being used, however, no this is just a copy/paste and no function change has been introduced. Signed-off-by: Antonio Quartulli --- src/openvpn/socket.c | 362 +-- src/openvpn/socket.h | 15 -- 2 files changed, 181 insertions(+), 196 deletions(-) diff --git a

[Openvpn-devel] [PATCH v2] socket: make stream_buf_* functions static

2018-07-11 Thread Antonio Quartulli
being used, however, no this is just a copy/paste and no function change has been introduced. Signed-off-by: Antonio Quartulli --- v2: - fix commit subject src/openvpn/socket.c | 362 +-- src/openvpn/socket.h | 15 -- 2 files changed, 181 insertions(+), 196

Re: [Openvpn-devel] [PATCH v2] socket: make stream_buf_* functions static

2018-07-11 Thread Antonio Quartulli
Hi, On 12/07/18 01:49, Gert Doering wrote: > Hi, > > On Thu, Jul 12, 2018 at 01:00:42AM +0800, Antonio Quartulli wrote: >> stream_buf_init(), stream_buf_close() and stream_buf_added() >> are only used within socket.c, therefore there is no need to >> have them decla

[Openvpn-devel] [PATCH v3] socket: make stream_buf_* functions static

2018-07-11 Thread Antonio Quartulli
. Signed-off-by: Antonio Quartulli --- v2: - fix commit subject v3: - move functions back to their original locations and add prototypes before the first usage of the three functions --- src/openvpn/socket.c | 22 +++--- src/openvpn/socket.h | 15 --- 2 files changed

Re: [Openvpn-devel] Fix for NetBSD with subnet topology

2018-07-18 Thread Antonio Quartulli

Re: [Openvpn-devel] [PATCH v2 3/9] Add crypto_pem_{encode, decode}()

2018-07-20 Thread Antonio Quartulli
free(name_read); > +OPENSSL_free(header_read); > + OPENSSL_free(data_read); > +if (!BIO_free(bio)) > +{ > +ret = false;; > +} > + > +return ret; > +} > + [CUT] Other than those small remarks the patch looks good. Therefore: Acked-by:

Re: [Openvpn-devel] [PATCH v2 3/9] Add crypto_pem_{encode, decode}()

2018-07-22 Thread Antonio Quartulli
7;t think this leaks data; buf_write_alloc returns NULL if there is > not enough space available in dst, and won't change dst in that case. > So nothing to clean up in that case? > Right. The name *_alloc() fooled me, but actually there is nothing being allocated her

Re: [Openvpn-devel] [PATCH v3 2/9] Add crypto_pem_{encode, decode}()

2018-07-22 Thread Antonio Quartulli
caller to use the heap. > > Signed-off-by: Steffan Karger Acked-by: Antonio Quartulli -- Antonio Quartulli

Re: [Openvpn-devel] [PATCH v3] Parse static challenge response in auth-pam plugin

2018-07-30 Thread Antonio Quartulli
he general feeling was that the patch was correct. Maybe David wanted to spend some more time on this patch, but it slipped off the plate. As Selva said, if users of that function were following the header they would see a lot of explosions, while this is not the case. Therefore it should be

Re: [Openvpn-devel] [PATCH] Correct the declaration of handle in 'struct openvpn_plugin_args_open_return'

2018-07-31 Thread Antonio Quartulli
ated as of type > "openvpn_plugin_handle_t" in the rest of the code. > > Signed-off-by: Selva Nair Will make some noise during application (git pw patch apply 87), such as: "Falling back to patching base and 3-way merge..." But it won't generate any conflict. Acked-by: Antonio Qua

Re: [Openvpn-devel] [PATCH v3 1/7] Introduce buffer_write_file()

2018-08-02 Thread Antonio Quartulli
me, fd); > - > - if (close(fd)) > -{ > -msg(M_ERR, "Close error on shared secret file %s", filename); > -} > +buffer_write_file(filename, &out); > > /* zero memory which held file content (memory will be freed by GC)

Re: [Openvpn-devel] [PATCH v3 2/7] tls-crypt-v2: add specification to doc/

2018-08-02 Thread Antonio Quartulli
primitives unlikely. > + * Making anything configurable adds complexity, both in implementation and > + usage. We should not add anymore complexity than is absolutely necessary. > + > +Potential ``tls-crypt-v2`` risks:

Re: [Openvpn-devel] [PATCH v4 1/7] Introduce buffer_write_file()

2018-08-03 Thread Antonio Quartulli
e rather than jumping to cleanup, because nothing has been initialized yet. The double error is harmless, but not very clean, especially because, no matter why open() failed, errno will always be changed to EBADF. (I think this also means t

Re: [Openvpn-devel] [PATCH v5 1/7] Introduce buffer_write_file()

2018-08-07 Thread Antonio Quartulli
Steffan Karger All looks good now! Thanks! Acked-by: Antonio Quartulli Tested-by: Antonio Quartulli Key generation (success and failure) and basic connection work as expected. 'make check' performed on various platforms, but no buildbot test has been executed. Cheers, -- Antonio Q

[Openvpn-devel] [PATCH] ssl_verify: define label only when required

2018-08-14 Thread Antonio Quartulli
The "cleanup" label in ssl_verify.c:verify_user_pass_plugin() is used only when PLUGIN_DEF_AUTH is defined, therefore make the label definition dependent on the same define. At the moment, gcc throws an error for unused label if PLUGIN_DEF_AUTH is not defined. Signed-off-by: Antonio

Re: [Openvpn-devel] [PATCH] ssl_verify: define label only when required

2018-08-14 Thread Antonio Quartulli
Hi, On 15/08/18 13:15, Antonio Quartulli wrote: > The "cleanup" label in ssl_verify.c:verify_user_pass_plugin() is used > only when PLUGIN_DEF_AUTH is defined, therefore make the label > definition dependent on the same define. > > At the moment, gcc throws an

Re: [Openvpn-devel] [PATCH] ssl_verify: define label only when required

2018-08-14 Thread Antonio Quartulli
On 15/08/18 13:32, Antonio Quartulli wrote: > Hi, > > On 15/08/18 13:15, Antonio Quartulli wrote: >> The "cleanup" label in ssl_verify.c:verify_user_pass_plugin() is used >> only when PLUGIN_DEF_AUTH is defined, therefore make the label >> definition depen

[Openvpn-devel] [PATCH v2] ssl_verify: define label only when required

2018-08-14 Thread Antonio Quartulli
ser_pass_plugin': ssl_verify.c:1223:1: warning: label 'cleanup' defined but not used [-Wunused-label] cleanup: ^~~ Signed-off-by: Antonio Quartulli --- src/openvpn/ssl_verify.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_ver

Re: [Openvpn-devel] [PATCH v2] ssl_verify: define label only when required

2018-08-16 Thread Antonio Quartulli
Hi, On 16/08/18 19:08, Matthias Andree wrote: > Am 15.08.2018 um 08:12 schrieb Antonio Quartulli: >> The "cleanup" label in ssl_verify.c:verify_user_pass_plugin() is used >> only when PLUGIN_DEF_AUTH is defined, therefore make the label >> definition dependent on t

Re: [Openvpn-devel] [PATCH v2] ssl_verify: define label only when required

2018-08-16 Thread Antonio Quartulli
it for some reason". I have seen this often also in newer code (like ovpn3). > - can we get rid of it? > Does any distro package openvpn with --disable-def-auth selected? If not, I guess we can get rid of it. But maybe David knows something we do

Re: [Openvpn-devel] [PATCH] mbedtls: print warning if random personalisation fails

2018-08-30 Thread Antonio Quartulli
On 29/08/18 20:04, Steffan Karger wrote: > ... instead of when it doesn't fail. Looks like 'someone' mixed up the > mbedtls return style (0 means success) with the openvpn internal return > style (true means success). > > Signed-off-by: Steffan Karger Acked-by:

Re: [Openvpn-devel] [PATCH] Add message explaining early TLS client hello failure

2018-09-25 Thread Antonio Quartulli
n the log. But should this be added in the local or remote >> configuration? It is the 2.3.6 reference which makes it confusing for me, >> otherwise I would have interpreted this as the local side where this warning >> occurs. So this could be clearer. > > 2.

Re: [Openvpn-devel] [PATCH] Fix combination of --dev tap and --topology subnet across multiple platforms.

2018-09-28 Thread Antonio Quartulli
ter staring at the code I couldn't identify any issue and the logic followed by the code is not more clear (for what it can be ..). I had a discussion with Gert on IRC and he clarified some doubts I had in a clear manner, therefore I am happy with this patch. Acked-by: Antonio Quartul

[Openvpn-devel] [PATCH 0/3] implement crl-persist logic

2016-10-18 Thread Antonio Quartulli
imilar.. Comments are welcome! Cheers, Antonio Quartulli (3): openvpn: implement crl-persist logic mbedtls: implement crl-persist related functions openssl: implement crl-persist related functions src/openvpn/init.c | 7 ++ src/openvpn/openvpn.h| 6 ++

[Openvpn-devel] [PATCH 2/3] mbedtls: implement crl-persist related functions

2016-10-18 Thread Antonio Quartulli
upon client connection was around 4-6 seconds. With this patch the delay gets close to 0. Signed-off-by: Antonio Quartulli --- src/openvpn/ssl_verify_mbedtls.c | 102 +++ 1 file changed, 83 insertions(+), 19 deletions(-) diff --git a/src/openvpn

[Openvpn-devel] [PATCH 1/3] openvpn: implement crl-persist logic

2016-10-18 Thread Antonio Quartulli
implemented later. Note: inline or dir CRL is not supported when crl-persist is specified. Signed-off-by: Antonio Quartulli --- src/openvpn/init.c | 7 +++ src/openvpn/openvpn.h| 6 ++ src/openvpn/options.c| 21 + src/openvpn

[Openvpn-devel] [PATCH 3/3] openssl: implement crl-persist related functions

2016-10-18 Thread Antonio Quartulli
around 5-8 seconds. With this patch the delay gets close to 0. Signed-off-by: Antonio Quartulli --- src/openvpn/ssl_verify_openssl.c | 183 +++ 1 file changed, 183 insertions(+) diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c

Re: [Openvpn-devel] [PATCH 0/3] implement crl-persist logic

2016-10-19 Thread Antonio Quartulli
On Wed, Oct 19, 2016 at 02:22:28PM +0800, Antonio Quartulli wrote: > Hello OpenVPN community, > not sure if this is of any help, but I have also prepared a branch with these changes on github at https://github.com/ordex/openvpn/tree/crl-persist Maybe somebody prefers a comfy webbrowse

Re: [Openvpn-devel] [PATCH 3/3] openssl: implement crl-persist related functions

2016-10-20 Thread Antonio Quartulli
On Wed, Oct 19, 2016 at 02:22:31PM +0800, Antonio Quartulli wrote: > Implement the functions needed by the crl-persist logic when openssl > is enabled. Such functions are used in the ssl_verify module. > > Note that the CRL file is stored in an adhoc data structure and no > o

[Openvpn-devel] [PATCH] don't mix settings when crl-verify option appears more than once

2016-10-26 Thread Antonio Quartulli
crl-verify can be specified multiple times in the config file and the expected behaviour is that the last occurrence should be used. Therefore, reset the optional flags every time a new crl-verify option is found. Signed-off-by: Antonio Quartulli --- src/openvpn/options.c | 8 1 file

Re: [Openvpn-devel] [PATCH] don't mix settings when crl-verify option appears more than once

2016-10-26 Thread Antonio Quartulli
On Wed, Oct 26, 2016 at 02:29:19PM +0200, Steffan Karger wrote: > Hi, > > On 26-10-16 14:06, Antonio Quartulli wrote: > > crl-verify can be specified multiple times in the config file and the > > expected behaviour is that the last occurrence should be used. > > > &

Re: [Openvpn-devel] [PATCH] don't mix settings when crl-verify option appears more than once

2016-10-26 Thread Antonio Quartulli
On Wed, Oct 26, 2016 at 03:30:39PM +0200, Arne Schwabe wrote: > > > Am 26.10.16 um 14:48 schrieb Steffan Karger: > > On 26-10-16 14:40, Antonio Quartulli wrote: > >> I was planning to do the rest of the refactoring in a second patch. > >> > >> At this p

[Openvpn-devel] [PATCH] reload CRL only if file was modified

2016-11-28 Thread Antonio Quartulli
several seconds to a few milliseconds). Cc: Steffan Karger Signed-off-by: Antonio Quartulli --- Tested on linux by using my VM. No test was performed on Windows* (compiled-only). Note: the check "!(session->opt->ssl_flags & SSLF_CRL_VERIFY_DIR))" may not always work as expected.

Re: [Openvpn-devel] [PATCH] reload CRL only if file was modified

2016-11-29 Thread Antonio Quartulli
last_mtime.tv_sec <= crl_stat.st_mtime) > { > ssl_ctx->crl_last_mtime.tv_sec = crl_stat.st_mtime; > backend_tls_ctx_reload_crl (ssl_ctx, crl_file, crl_file_inline); > } > > I slightly prefer thi

Re: [Openvpn-devel] [PATCH] reload CRL only if file was modified

2016-11-30 Thread Antonio Quartulli
ead of >=. > good point! I think we should definitely switch to !=. Thanks! -- Antonio Quartulli

[Openvpn-devel] [PATCH v2] reload CRL only if file was modified

2016-11-30 Thread Antonio Quartulli
several seconds to a few milliseconds). Cc: Steffan Karger Signed-off-by: Antonio Quartulli --- Tested on linux by using my VM. No test was performed on Windows* (compiled-only). Note: the check "!(session->opt->ssl_flags & SSLF_CRL_VERIFY_DIR))" may not always work as expected.

Re: [Openvpn-devel] [PATCH v2] reload CRL only if file was modified

2016-12-01 Thread Antonio Quartulli
On Thu, Dec 01, 2016 at 09:13:36AM +0100, Steffan Karger wrote: > Hi, > > Tested on linux and windows, works as expected, except for one thing: > > On 01-12-16 07:55, Antonio Quartulli wrote: > > + /* > > + * an inline CRL can't change at runtim

[Openvpn-devel] [PATCH v3] reload CRL only if file was modified

2016-12-01 Thread Antonio Quartulli
several seconds to a few milliseconds). Cc: Steffan Karger Signed-off-by: Antonio Quartulli --- Changes since v2: - print warning if stat() on CRL fails - abort CRL (re)load if stat() fails Changes since v1: - move tls_ctx_reload_crl() before any invocation - add doxygen-doc for tls_ctx_reload_crl

[Openvpn-devel] #636: IPv6 subnets support in PF component

2016-12-03 Thread Antonio Quartulli
permit any other multicast traffic, unless explicitly allowed by the user. If you guys also think this is the way to go, does anybody know how to translate this "make NDP work" into a whitelist rule? "+ff00::/8" is too broad. Cheers, -- Antonio Q

Re: [Openvpn-devel] #636: IPv6 subnets support in PF component

2016-12-04 Thread Antonio Quartulli
ietf.org/rfc/rfc4890.txt [1] https://github.com/ordex/openvpn/tree/ipv6pf On Sun, Dec 04, 2016 at 12:51:43PM +0800, Antonio Quartulli wrote: > Dear all, > > as a "learning exercise" I started working on #636 over the weekend in the > attempt of digging deeper into the openvpn

[Openvpn-devel] [PATCH] convert *_inline attributes to bool

2016-12-18 Thread Antonio Quartulli
Carrying around the INLINE_TAG is not really efficient, because it requires a strcmp() to be performed every time we want to understand if the data is stored inline or not. Convert all the *_inline attributes to bool to make the logic easier and checks more efficient. Signed-off-by: Antonio

Re: [Openvpn-devel] [PATCH] convert *_inline attributes to bool

2016-12-25 Thread Antonio Quartulli
iner of the encoded text anymore. Thus the comment should be moved or reworded to reflect this change. Cheers, -- Antonio Quartulli

Re: [Openvpn-devel] [PATCH] convert *_inline attributes to bool

2016-12-25 Thread Antonio Quartulli
On Sun, Dec 25, 2016 at 10:44:45AM +0100, Steffan Karger wrote: > > On 19-12-16 02:39, Antonio Quartulli wrote: > > Carrying around the INLINE_TAG is not really efficient, > > because it requires a strcmp() to be performed every > > time we want to understand if the data

Re: [Openvpn-devel] [PATCH] convert *_inline attributes to bool

2016-12-25 Thread Antonio Quartulli
On Sun, Dec 25, 2016 at 06:09:01PM +0800, Antonio Quartulli wrote: > On Sun, Dec 25, 2016 at 10:44:45AM +0100, Steffan Karger wrote: > > > > On 19-12-16 02:39, Antonio Quartulli wrote: > > > Carrying around the INLINE_TAG is not really efficient, > > > bec

[Openvpn-devel] [PATCH v2] convert *_inline attributes to bool

2016-12-27 Thread Antonio Quartulli
-off-by: Antonio Quartulli --- Based on master + [PATCH v3] reformatting: fix style in crypto*.{c, h} Changes from v1: - remove the INLINE_TAG from the options parsing logic at all. Now a boolean variable is passed around. - add print_if_inline() helper function (to misc.c/h) to make sure we

Re: [Openvpn-devel] [PATCH v2] convert *_inline attributes to bool

2017-01-10 Thread Antonio Quartulli
an be used that way. Am I wrong? [CUT] > > @@ -1209,11 +1204,12 @@ tls_ctx_load_ca(struct tls_root_ctx *ctx, const > > char *ca_file, > > { > > crypto_msg(M_WARN,
