been performed.
Antonio Quartulli (3):
tun: ensure gc and argv are always freed
tun: always pass a valid tt pointer
tun: get rid of tt->did_ifconfig member
src/openvpn/init.c | 7 +-
src/openvpn/tun.c | 442 ++---
src/openvpn/tun.h | 1 -
From: Antonio Quartulli
Every time an argv object is initialized with argv_new(), it has
to be released with argv_reset() once not needed anymore.
The same holds for gc_arena objects initialized with gc_new() that
have to be released with gc_free().
Ensure both kinds of objects are always
From: Antonio Quartulli
tt->did_ifconfig is currently only read by the Linux platform, but
it is currently uselessly set also by every other system.
The Linux platform does not actually even need this member and can
directly rely on tt->did_ifconfig_setup.
For the reasons above, remove
From: Antonio Quartulli
This patch is a small "logic restyle" which basically moves the
check against "!tt" outside of the various close_tun() functions
and replaces it with an ASSERT.
This way the check is done only once and the function can rely
on the assumption that
From: Antonio Quartulli
This patch is a small "logic restyle" which basically moves the
check for "tt != NULL" outside of the various close_tun()
implementations and replaces it with an ASSERT.
This way the check is done only once and the function can rely
on the assumption
Please ignore this patch. It was just idling there when I did the git
send-email.
Cheers,
--
Antonio Quartulli
signature.asc
Description: OpenPGP digital signature
--
Check out the vibrant tech community on one of
Hi,
On 13/06/18 19:28, Gert Doering wrote:
> Hi,
>
> On Wed, Jun 13, 2018 at 04:12:17PM +0800, Antonio Quartulli wrote:
>> From: Antonio Quartulli
>>
>> This patch is a small "logic restyle" which basically moves the
>> check for "
On 13/06/18 19:29, Gert Doering wrote:
> Hi,
>
> On Wed, Jun 13, 2018 at 04:12:18PM +0800, Antonio Quartulli wrote:
>> From: Antonio Quartulli
>>
>> tt->did_ifconfig is currently only read by the Linux platform, but
>> it is currently iusel
Hi,
On 13/06/18 19:06, Gert Doering wrote:
> Hi,
>
> On Wed, Jun 13, 2018 at 04:12:15PM +0800, Antonio Quartulli wrote:
>> From: Antonio Quartulli
>>
>> Every time an argv object is initialized with argv_new(), it has
>> to be released with argv_reset() once n
From: Antonio Quartulli
Every time an argv object is initialized with argv_new(), it has
to be released with argv_reset() once not needed anymore.
Ensure this kind of object is always properly released to avoid
memory leaks.
At the same time, remove those gc_arena objects that are initialized
From: Antonio Quartulli
This patch is a small "logic restyle" which basically moves the
check for "tt != NULL" outside of the various close_tun()
implementations and replaces it with an ASSERT.
This way the check is done only once and the function can rely
on the assumption
From: Antonio Quartulli
tt->did_ifconfig is currently only read by the Linux platform, but
it is currently uselessly set also by every other system.
The Linux platform does not actually even need this member and can
directly rely on tt->did_ifconfig_setup.
For the reasons above, remove
s are reported in each patch.
Cheers,
p.s. buildbot is currently unusable due to the ongoing maintenance on
the OpenVPN servers and therefore only local tests have been performed.
Antonio Quartulli (3):
tun: ensure gc and argv are properly handled
tun: always pass a valid tt pointer
tun: get r
From: Antonio Quartulli
This change ensures that an interface is properly brought
up and down even when only IPv6 settings are configured/pushed.
At the same time, some code restyling took place to ensure the new
generic logic is easier to read. Both do_ifconfig() and close_tun()
(Linux only
From: Antonio Quartulli
This patch ensures that the TAP driver on a windows host is still
configured, even though no IPv4 has been provided.
In this case the TAP driver ioctl will be invoked with a fake
0.0.0.0/0.0.0.0 IPv4 which will simply start the interface and
get it to a working state
omment above a copy/paste incident? or there is something hidden
in this unit test?
> +static void
> +crypto_pem_encode_decode_loopback(void **state) {
> +struct gc_arena gc = gc_new();
> +struct buffer src_buf;
> +buf_set_read(&src_buf, (void *)testtext, sizeof(testtext));
&g
dir_exclusive,
> + cn, &gc);
> +if (!cn || !strcmp(cn, CCD_DEFAULT) || !platform_test_file(path))
> {
> ks->authenticated = false;
>
ow about re-arranging this patch (maybe by making it the first patch in
the set) so that you don't need to do and undo the same code?
Does it make sense?
Cheers,
--
Antonio Quartulli
From: Antonio Quartulli
This change ensures that an interface is properly brought
up and down even when only IPv6 settings are configured/pushed.
At the same time, some code restyling took place to ensure the new
generic logic is easier to read. Both do_ifconfig() and close_tun()
(Linux only
cated-APIs-disable.patch | 148 ++
Was this patch committed by accident?
Cheers,
--
Antonio Quartulli
to understand what is different from
what Selva tested. In the meantime, you have the full log attached to
this email in case somebody wants to give it a look.
Cheers,
--
Antonio Quartulli
Fri Jun 22 13:43:48 2018 us=883035 Current Parameter Settings:
Fri Jun 22 13:43:48 2018 us=883535 config
> some bug) we won't be able to realize that.
>>
>> However, I am not sure we have an easy way to check that..maybe you
>> could use some SSL function that would normally load PEM data?
>
> That is a bit annoying to test indeed. How about I just verify that
> this
Hi,
On 22/06/18 17:46, Gert Doering wrote:
> Hi,
>
> On Fri, Jun 22, 2018 at 03:27:02PM +0800, Antonio Quartulli wrote:
>> Fri Jun 22 13:43:51 2018 us=116232 PUSH: Received control message:
>> 'PUSH_REPLY,redirect-gateway !ipv4 ipv6,tun-ipv6,ping 10,ping-restart
>>
Signed-off-by: Antonio Quartulli
---
src/openvpn/route.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/openvpn/route.c b/src/openvpn/route.c
index a45a273a..209daeab 100644
--- a/src/openvpn/route.c
+++ b/src/openvpn/route.c
@@ -1616,7 +1616,7 @@ add_route(struct
int DWORD variables in several spots and we always cast them
to int or unsigned int.
However, if we believe supporting %lu can be more useful, I can do that.
Last opinion? :)
Cheers,
--
Antonio Quartulli
ink all the arguments are valid - that is just
the right thing in this case so we can avoid shortcut/forced casts.
Will send v2 with this change included.
Thanks all!
Cheers,
--
Antonio Quartulli
Ethernet 2" is the TAP interface".
My guts say that the issue might be related to "gateway-redirect",
because only 8/8 makes sure that no logic is activated for IPv4 and
without that patch there might be some IPv4 route being installed
nonetheless.
Cheers,
--
Antonio Quartulli
S
%lu is not supported by our tiny argv_printf implementation, therefore
it will trigger an ASSERT() when parsing it at route.c:1638.
Add support for '%lu' in argv_print() and prevent the ASSERT from being
triggered.
Signed-off-by: Antonio Quartulli
---
It seems I managed to trigger t
path.
>
> But not very critical as the assert is fixed and route errors are not FATAL.
>
If you like the argv patch v2, would you mind giving your blessing? :-)
Thanks!
Cheers,
>
--
Antonio Quartulli
r, "%lu", -1L)
>
I just recommended something similar on IRC.
I think it would make sense to "validate" argv_printf* against sprintf.
Not just for %lu but also for the other formats. This way we know our
code is doing what sprintf would also do.
Cheers,
--
Ant
From: Antonio Quartulli
This patch ensures that the TAP driver on a windows host is still
configured, even though no IPv4 has been provided.
In this case the TAP driver ioctl will be invoked with a fake
0.0.0.0/0.0.0.0 IPv4 which will simply start the interface and
get it to a working state
From: Antonio Quartulli
With this change a server is allowed to allocate an
IPv6-only pool. This is required to make it capable
of managing an IPv6-only tunnel.
Trac: #208
Signed-off-by: Antonio Quartulli
---
Changes from v2:
- patchset rebased on top of current master
- introduce missing
From: Antonio Quartulli
Until now OpenVPN has not allowed to specify --server-ipv6
if no --server was also set. This constraint comes from the
fact that most of the IPv6 logic (i.e. ifconfig-pool handling)
relied on IPv4 components to be activated and configured as
well.
Now that the IPv6 code
t be wiped after some time? Or do we need to
wipe the cache manually?
Cheers,
--
Antonio Quartulli
Hi,
On 24/06/18 04:08, Antonio Quartulli wrote:
> From: Antonio Quartulli
>
> With this change a server is allowed to allocate an
> IPv6-only pool. This is required to make it capable
> of managing an IPv6-only tunnel.
After discussing with Gert, I'd say that maybe this
> #include
> #endif
> diff --git a/src/openvpn/ssl_verify_openssl.c
> b/src/openvpn/ssl_verify_openssl.c
> index 9b984751..82460ae7 100644
> --- a/src/openvpn/ssl_verify_openssl.c
> +++ b/src/openvpn/ssl_verify_openssl.c
> @@ -46,6 +46,7 @@
>
> #include
&g
Hi,
On 05/06/18 16:14, Antonio Quartulli wrote:
> In preparation to having tls-auth/crypt keys per connection
> block, it is important to ensure that such material is always
> reloaded upon SIGUSR1, no matter if `persist-key` was specified
> or not.
>
> This is required becaus
Hi,
On 27/06/18 05:33, David Sommerseth wrote:
> On 05/06/18 10:14, Antonio Quartulli wrote:
>> In preparation to having tls-auth/crypt keys per connection
>> block, it is important to ensure that such material is always
>> reloaded upon SIGUSR1, no matter if `persist-key` wa
d = true;
> +return;
> +}
> +
> /* ifconfig-ipv6 is special, as not part of the push list */
> if (streq( p, "ifconfig-ipv6" ))
> {
>
Once the small style glitches above, I can give this patch my ACK.
I tested with my small environme
>
> diff --git a/sample/sample-plugins/simple/simple.def
> b/sample/sample-plugins/simple/simple.def
> index
> a87507d1fdc0f0bfd0434de577a818ef0cc62afb..556f362308bc6ce81829253f7a7fae9898be221a
> 100755
> --- a/sample/sample-plugins/simple/simple.def
> +++ b/sample/sample-plugins/simple/
On 01/07/18 05:08, Greg Cox wrote:
> On Sat, Jun 30, 2018 at 5:49 PM, Antonio Quartulli wrote:
>
>> I'd remove the last paragraph and the greetings from the commit message.
>> But this might be done at commit time.
>>
>
> It was unclear how to handle "
-remove" statements somewhere and then checking
> in push_option_ex())
>
> Trac: #1072
>
> Signed-off-by: Gert Doering
>
> ---
> v2: style changes, manpage note about exact match
Acked-by: Antonio Quartulli
--
Antonio Quartulli
inux. Anybody knows of a similar mechanism
for Windows and macOS?
Cheers,
--
Antonio Quartulli
Hi,
On 27/06/18 09:50, Antonio Quartulli wrote:
> Hi,
>
> On 27/06/18 05:33, David Sommerseth wrote:
>> On 05/06/18 10:14, Antonio Quartulli wrote:
>>> In preparation to having tls-auth/crypt keys per connection
>>> block, it is important to ensure that such mat
rting more features "just because they are supported in openvpn3" does
not really sound like a reason to maintain more code on the community
side, imho.
Cheers,
--
Antonio Quartulli
> platform_stat() to figure out the size and get rid of the maxlen
> argument, and doesn't throw fatal errors. Feel free to use that
> implementation if you like it, or not if you don't (and I'll use yours
ket on https://community.openvpn.net (you
need to create an account) so that we can better track this issue and
ask you to provide more details?
Thanks!
Regards,
--
Antonio Quartulli
context needs to
be refreshed.
To ensure that the `persist-key` logic will still work
as expected, the tls-auth/crypt key is pre-loaded so that
the keyfile is not required at runtime.
Trac: #720
Cc: Steffan Karger
Signed-off-by: Antonio Quartulli
---
v2:
- introduce this patch
v3:
- add key per
, if any, are used.
Trac: #720
Cc: Steffan Karger
Signed-off-by: Antonio Quartulli
---
v2:
- convert tls-auth keyfile to inline key if persist-key was specified
v3:
- squash 2/3 and 3/3 in one patch to prevent temporary features
breakages
- restyle code introduced in options_postprocess_mutate_ce
e NULL.
>
> It *is* passed ?
>
of course :-) thanks!
[cut]
>
> Otherwise, this looks good.
>
Cool, thanks!
I will send v4 with these small fixes and a unit test for the
buf_free_gc() function.
Cheers,
--
Antonio Quartulli
context needs to
be refreshed.
To ensure that the `persist-key` logic will still work
as expected, the tls-auth/crypt key is pre-loaded so that
the keyfile is not required at runtime.
Trac: #720
Cc: Steffan Karger
Signed-off-by: Antonio Quartulli
---
v2:
- introduce this patch
v3:
- add key per
context needs to
be refreshed.
To ensure that the `persist-key` logic will still work
as expected, the tls-auth/crypt key is pre-loaded so that
the keyfile is not required at runtime.
Trac: #720
Cc: Steffan Karger
Signed-off-by: Antonio Quartulli
---
v2:
- introduce this patch
v3:
- add key per
d long lines) and that the
access to the security_script variable has been substituted with
getter/setter functions.
So, with or without the nitpick:
Acked-by: Antonio Quartulli
Cheers,
--
Antonio Quartulli
On 11/07/18 10:01, Antonio Quartulli wrote:
> Other than that little nitpick, the patch looks good.
>
> Checked with "git show --color-moved" and I could verify that the code
> has only been moved (slightly adjusted to avoid long lines) and that the
> access to the sec
being used, however, no
this is just a copy/paste and no function change has been
introduced.
Signed-off-by: Antonio Quartulli
---
src/openvpn/socket.c | 362 +--
src/openvpn/socket.h | 15 --
2 files changed, 181 insertions(+), 196 deletions(-)
diff --git a
being used, however, no
this is just a copy/paste and no function change has been
introduced.
Signed-off-by: Antonio Quartulli
---
v2:
- fix commit subject
src/openvpn/socket.c | 362 +--
src/openvpn/socket.h | 15 --
2 files changed, 181 insertions(+), 196
Hi,
On 12/07/18 01:49, Gert Doering wrote:
> Hi,
>
> On Thu, Jul 12, 2018 at 01:00:42AM +0800, Antonio Quartulli wrote:
>> stream_buf_init(), stream_buf_close() and stream_buf_added()
>> are only used within socket.c, therefore there is no need to
>> have them decla
.
Signed-off-by: Antonio Quartulli
---
v2:
- fix commit subject
v3:
- move functions back to their original locations and add prototypes
before the first usage of the three functions
---
src/openvpn/socket.c | 22 +++---
src/openvpn/socket.h | 15 ---
2 files changed
> ___
> Openvpn-devel mailing list
> Openvpn-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-devel
>
--
Antonio Quartulli
free(name_read);
> +OPENSSL_free(header_read);
> + OPENSSL_free(data_read);
> +if (!BIO_free(bio))
> +{
> +ret = false;;
> +}
> +
> +return ret;
> +}
> +
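Review bot: `ret = false;;` in the BIO_free() failure branch carries a stray second semicolon. It compiles as an empty statement, but it should be reduced to a single `;` before this is applied.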
[CUT]
Other than those small remarks the patch looks good.
Therefore:
Acked-by:
't think this leaks data; buf_write_alloc returns NULL if there is
> not enough space available in dst, and won't change dst in that case.
> So nothing to clean up in that case?
>
Right. The name *_alloc() fooled me, but actually there is nothing being
allocated her
caller to use the heap.
>
> Signed-off-by: Steffan Karger
Acked-by: Antonio Quartulli
--
Antonio Quartulli
he general
feeling was that the patch was correct.
Maybe David wanted to spend some more time on this patch, but it slipped
off the plate.
As Selva said, if users of that function were following the header they
would see a lot of explosions, while this is not the case.
Therefore it should be
ated as of type
> "openvpn_plugin_handle_t" in the rest of the code.
>
> Signed-off-by: Selva Nair
Will make some noise during application (git pw patch apply 87), such as:
"Falling back to patching base and 3-way merge..."
But it won't generate any conflict.
Acked-by: Antonio Qua
me, fd);
> -
> - if (close(fd))
> -{
> -msg(M_ERR, "Close error on shared secret file %s", filename);
> -}
> +buffer_write_file(filename, &out);
>
> /* zero memory which held file content (memory will be freed by GC)
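Review bot: the added `buffer_write_file(filename, &out);` call discards whatever the function reports, while the removed lines raised msg(M_ERR, ...) when close() on the shared secret file failed. If buffer_write_file() can return on failure rather than abort, check its result here so that a key file that was not completely written is not treated as a success.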
primitives unlikely.
> + * Making anything configurable adds complexity, both in implementation and
> + usage. We should not add anymore complexity than is absolutely necessary.
> +
> +Potential ``tls-crypt-v2`` risks:
e rather than jumping to cleanup, because nothing has been
initialized yet.
The double error is harmless, but not very clean, especially because, no
matter why open() failed, errno will always be changed to EBADF.
(I think this also means t
Steffan Karger
All looks good now! Thanks!
Acked-by: Antonio Quartulli
Tested-by: Antonio Quartulli
Key generation (success and failure) and basic connection work as expected.
'make check' performed on various platforms, but no buildbot test has
been executed.
Cheers,
--
Antonio Q
The "cleanup" label in ssl_verify.c:verify_user_pass_plugin() is used
only when PLUGIN_DEF_AUTH is defined, therefore make the label
definition dependent on the same define.
At the moment, gcc throws an error for unused label if PLUGIN_DEF_AUTH
is not defined.
Signed-off-by: Antonio
Hi,
On 15/08/18 13:15, Antonio Quartulli wrote:
> The "cleanup" label in ssl_verify.c:verify_user_pass_plugin() is used
> only when PLUGIN_DEF_AUTH is defined, therefore make the label
> definition dependent on the same define.
>
> At the moment, gcc throws an
On 15/08/18 13:32, Antonio Quartulli wrote:
> Hi,
>
> On 15/08/18 13:15, Antonio Quartulli wrote:
>> The "cleanup" label in ssl_verify.c:verify_user_pass_plugin() is used
>> only when PLUGIN_DEF_AUTH is defined, therefore make the label
>> definition depen
ser_pass_plugin':
ssl_verify.c:1223:1: warning: label 'cleanup' defined but not used
[-Wunused-label]
cleanup:
^~~
Signed-off-by: Antonio Quartulli
---
src/openvpn/ssl_verify.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_ver
Hi,
On 16/08/18 19:08, Matthias Andree wrote:
> Am 15.08.2018 um 08:12 schrieb Antonio Quartulli:
>> The "cleanup" label in ssl_verify.c:verify_user_pass_plugin() is used
>> only when PLUGIN_DEF_AUTH is defined, therefore make the label
>> definition dependent on t
it for some reason".
I have seen this often also in newer code (like ovpn3).
> - can we get rid of it?
>
Does any distro package openvpn with --disable-def-auth selected? If
not, I guess we can get rid of it.
But maybe David knows something we do
On 29/08/18 20:04, Steffan Karger wrote:
> ... instead of when it doesn't fail. Looks like 'someone' mixed up the
> mbedtls return style (0 means success) with the openvpn internal return
> style (true means success).
>
> Signed-off-by: Steffan Karger
Acked-by:
n the log. But should this be added in the local or remote
>> configuration? It is the 2.3.6 reference which makes it confusing for me,
>> otherwise I would have interpreted this as the local side where this warning
>> occurs. So this could be clearer.
>
> 2.
ter staring at the code I couldn't identify any issue and the logic
followed by the code is not more clear (for what it can be ..).
I had a discussion with Gert on IRC and he clarified some doubts I had
in a clear manner, therefore I am happy with this patch.
Acked-by: Antonio Quartul
imilar..
Comments are welcome!
Cheers,
Antonio Quartulli (3):
openvpn: implement crl-persist logic
mbedtls: implement crl-persist related functions
openssl: implement crl-persist related functions
src/openvpn/init.c | 7 ++
src/openvpn/openvpn.h| 6 ++
upon client connection was around 4-6 seconds.
With this patch the delay gets close to 0.
Signed-off-by: Antonio Quartulli
---
src/openvpn/ssl_verify_mbedtls.c | 102 +++
1 file changed, 83 insertions(+), 19 deletions(-)
diff --git a/src/openvpn
implemented later.
Note: inline or dir CRL is not supported when crl-persist is specified.
Signed-off-by: Antonio Quartulli
---
src/openvpn/init.c | 7 +++
src/openvpn/openvpn.h| 6 ++
src/openvpn/options.c| 21 +
src/openvpn
around 5-8 seconds.
With this patch the delay gets close to 0.
Signed-off-by: Antonio Quartulli
---
src/openvpn/ssl_verify_openssl.c | 183 +++
1 file changed, 183 insertions(+)
diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c
On Wed, Oct 19, 2016 at 02:22:28PM +0800, Antonio Quartulli wrote:
> Hello OpenVPN community,
>
not sure if this is any helpful, but I have also prepared a branch with these
changes on github at https://github.com/ordex/openvpn/tree/crl-persist
Maybe somebody prefers a comfy webbrowse
On Wed, Oct 19, 2016 at 02:22:31PM +0800, Antonio Quartulli wrote:
> Implement the functions needed by the crl-persist logic when openssl
> is enabled. Such functions are used in the ssl_verify module.
>
> Note that the CRL file is stored in an adhoc data structure and no
> o
crl-verify can be specified multiple times in the config file and the
expected behaviour is that the last occurrence should be used.
Therefore, reset the optional flags every time a new crl-verify
option is found.
Signed-off-by: Antonio Quartulli
---
src/openvpn/options.c | 8
1 file
On Wed, Oct 26, 2016 at 02:29:19PM +0200, Steffan Karger wrote:
> Hi,
>
> On 26-10-16 14:06, Antonio Quartulli wrote:
> > crl-verify can be specified multiple times in the config file and the
> > expected behaviour is that the last occurrence should be used.
> >
> &
On Wed, Oct 26, 2016 at 03:30:39PM +0200, Arne Schwabe wrote:
>
>
> Am 26.10.16 um 14:48 schrieb Steffan Karger:
> > On 26-10-16 14:40, Antonio Quartulli wrote:
> >> I was planning to do the rest of the refactoring in a second patch.
> >>
> >> At this p
several
seconds to few milliseconds).
Cc: Steffan Karger
Signed-off-by: Antonio Quartulli
---
Tested on linux by using my VM.
No test was performed on Windows* (compiled-only).
Note: the check "!(session->opt->ssl_flags & SSLF_CRL_VERIFY_DIR))" may not
always work as expected.
last_mtime.tv_sec <= crl_stat.st_mtime)
> {
> ssl_ctx->crl_last_mtime.tv_sec = crl_stat.st_mtime;
> backend_tls_ctx_reload_crl (ssl_ctx, crl_file, crl_file_inline);
> }
>
> I slightly prefer thi
ead of >=.
>
good point! I think we should definitely switch to !=.
Thanks!
--
Antonio Quartulli
several
seconds to few milliseconds).
Cc: Steffan Karger
Signed-off-by: Antonio Quartulli
---
Tested on linux by using my VM.
No test was performed on Windows* (compiled-only).
Note: the check "!(session->opt->ssl_flags & SSLF_CRL_VERIFY_DIR))" may not
always work as expected.
On Thu, Dec 01, 2016 at 09:13:36AM +0100, Steffan Karger wrote:
> Hi,
>
> Tested on linux and windows, works as expected, except for one thing:
>
> On 01-12-16 07:55, Antonio Quartulli wrote:
> > + /*
> > + * an inline CRL can't change at runtim
several
seconds to few milliseconds).
Cc: Steffan Karger
Signed-off-by: Antonio Quartulli
---
Changes since v2:
- print warning if stat() on CRL fails
- abort CRL (re)load if stat() fails
Changes since v1:
- move tls_ctx_reload_crl() before any invocation
- add doxygen-doc for tls_ctx_reload_crl
permit any other multicast traffic, unless explicitly allowed by the user.
If you guys also think this is the way to go, does anybody know how to
translate this "make NDP work" into a whitelist rule? "+ff00::/8" is too broad.
Cheers,
--
Antonio Q
ietf.org/rfc/rfc4890.txt
[1] https://github.com/ordex/openvpn/tree/ipv6pf
On Sun, Dec 04, 2016 at 12:51:43PM +0800, Antonio Quartulli wrote:
> Dear all,
>
> as a "learning exercise" I started working on #636 over the weekend in the
> attempt of digging deeper into the openvpn
Carrying around the INLINE_TAG is not really efficient,
because it requires a strcmp() to be performed every
time we want to understand if the data is stored inline
or not.
Convert all the *_inline attributes to bool to make the
logic easier and checks more efficient.
Signed-off-by: Antonio
iner of the encoded text anymore. Thus the comment should be moved or
reworded to reflect this change.
Cheers,
--
Antonio Quartulli
On Sun, Dec 25, 2016 at 10:44:45AM +0100, Steffan Karger wrote:
>
> On 19-12-16 02:39, Antonio Quartulli wrote:
> > Carrying around the INLINE_TAG is not really efficient,
> > because it requires a strcmp() to be performed every
> > time we want to understand if the data
On Sun, Dec 25, 2016 at 06:09:01PM +0800, Antonio Quartulli wrote:
> On Sun, Dec 25, 2016 at 10:44:45AM +0100, Steffan Karger wrote:
> >
> > On 19-12-16 02:39, Antonio Quartulli wrote:
> > > Carrying around the INLINE_TAG is not really efficient,
> > > bec
-off-by: Antonio Quartulli
---
Based on master + [PATCH v3] reformatting: fix style in crypto*.{c, h}
Changes from v1:
- remove the INLINE_TAG from the options parsing logic at all. Now a
boolean variable is passed around.
- add print_if_inline() helper function (to misc.c/h) to make sure we
an be used that way. Am I wrong?
[CUT]
> > @@ -1209,11 +1204,12 @@ tls_ctx_load_ca(struct tls_root_ctx *ctx, const
> > char *ca_file,
> > {
> > crypto_msg(M_WARN,
> > &quo
301 - 400 of 1367 matches