Re: [Openvpn-devel] [ovpn-dco] Is cbc-hmac supported?

2020-11-25 Thread Antonio Quartulli
inux kernel quickly. It was an hard decision to make, but the whole group decided to take this direction. People that want to use different configurations/settings will still be able to do so by using openvpn2 in userspace, as it happened until now. Cheers, > > Tony

Re: [Openvpn-devel] [ovpn-dco] question about the comment about AEAD nonce

2020-11-24 Thread Antonio Quartulli
     -> > NONCE_WIRE_SIZE >  *    on wire] >  */ > > /* AEAD nonce size */ > #define NONCE_SIZE 12 > > Is " 0005 521c3b01 4308c041 83ba3099" wrong? Its size is 16 bytes, > but you also comment > "12-byte full IV" after two lines of it.

Re: [Openvpn-devel] [ovpn-dco] Kernel NULL point derefence

2020-11-24 Thread Antonio Quartulli
Hi Tony, Thanks a lot for all your tests. The faulty commit is: commit ba109be633fd802b856d6a125f47e2d0ff7ad749 Author: Antonio Quartulli Date: Sun Nov 22 16:13:17 2020 +0100 ovpn-dco: avoid potential out of bound access in aead_decrypt() I have just pushed a fix to master to address

Re: [Openvpn-devel] [ovpn-dco] performance issue

2020-11-20 Thread Antonio Quartulli
 0.00    0.00   52.50    0.00 >    0.00    0.00    0.00 > > 01:56:09     CPU    %usr   %nice    %sys %iowait    %irq   %soft  %steal >  %guest  %gnice   %idle > 01:56:11     all    0.53    0.00   25.66    0.26    0.00   32.28    0.00 >    0.00    0.00   41.27 > 01:56:11       0    1.12    0.00    8.43    0.56    0.00    2.81    0.00 >    0.00    0.00   87.08 > 01:56:11       1    0.00    0.00   41.00    0.00    0.00   58.50    0.00 >    0.00    0.00    0.50 > > > Tony > > > ___ > Openvpn-devel mailing list > Openvpn-devel@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/openvpn-devel > -- Antonio Quartulli ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] ovpn-dco: nestns-test.sh - fix the issue that veth is not created successfully

2020-11-18 Thread Antonio Quartulli
e user friendly. Nonetheless, your patch has been applied so that our script can work on older distros too. Best Regards, -- Antonio Quartulli

Re: [Openvpn-devel] ovpn-dco: nestns-test.sh - fix the issue that veth is not created successfully

2020-11-18 Thread Antonio Quartulli
ng Ubuntu 18.04 and that might be the reason. In any case, your patch is small and does not hurt :-) Thanks -- Antonio Quartulli

Re: [Openvpn-devel] [PATCH] ovpn-dco: nestns-test.sh - fix the issue that veth is not created successfully.

2020-11-18 Thread Antonio Quartulli
"./netns-test.sh", we can do ping test by > executing "ip netns exec peer0 ping 5.5.5.2" > > Tested in Ubuntu 18.04 PC. > > Signed-off-by: Tony He Applied to master in revision c56b9d024570 with slightly amended commit message. Cheers, -- Antonio Quartull

Re: [Openvpn-devel] [ovpn-dco] It seems not to compile ovpn-cli successfully

2020-11-18 Thread Antonio Quartulli
; >                            ^~~~ >                            OVPN_CIPHER_ALG_CHACHA20_POLY1305 Ouch, this is my fault. It is fixed in the latest master now. Can you please give latest master another try and let us kno

Re: [Openvpn-devel] [PATCH] networking_iproute2: fix memory leak in net_iface_mtu_set()

2020-10-09 Thread Antonio Quartulli
Hi, On 09/10/2020 15:46, Steffan Karger wrote: > ASAN yelled at me that someone forgot to call argv_free(). Fix that. > > Signed-off-by: Steffan Karger I bet I know that someone! Thanks a lot for fixing this. Acked-by: Antonio Quartulli (this is for 2.5) -- Antonio

Re: [Openvpn-devel] [PATCH] Fix redirecting of IPv4 default gateway if connecting over IPv6.

2020-10-04 Thread Antonio Quartulli
> > Reported-By: François Kooman > Reported-By: Thomas Schäfer > Trac: #1332 > > Signed-off-by: Gert Doering The bug becomes obvious after reading commit aa34684972eb0 This fix is basically cleaning up some conditions which did not ada

Re: [Openvpn-devel] [PATCH v6 1/2] Selectively reformat too long lines

2020-09-24 Thread Antonio Quartulli
}, > {"tcp6-client","TCPv6_CLIENT", AF_INET6, PROTO_TCP_CLIENT}, > -{"tcp6","TCPv6", AF_INET6, PROTO_TCP}, > +{"tcp6", "TCPv6", AF_INET6, PROTO_TCP}, What are you actually fixing here? Adding a tab? I fee

[Openvpn-devel] Introducing the OpenVPN Data Channel Offload Linux kernel module (ovpn-dco)

2020-09-22 Thread Antonio Quartulli
nVPN Inc. for having provided all required resources to make this happen. Looking forward to seeing patches coming through! Happy hacking! [1] https://www.openvpn.net [2] https://github.com/openvpn/openvpn3#building-the-openvpn-3-client-on-linux [3] https://community.openvpn.net/openvpn/wiki/OpenVP

Re: [Openvpn-devel] [PATCH] Fix line number reporting on config file errors after segments

2020-09-21 Thread Antonio Quartulli
Hi, On 21/09/2020 09:50, Gert Doering wrote: > Hi, > > On Mon, Sep 21, 2020 at 09:22:38AM +0200, Antonio Quartulli wrote: >> Sorry for not chiming in earlier, but honestly I believe your other >> option would be "cleaner". The other option being "return int in

Re: [Openvpn-devel] [PATCH] Fix line number reporting on config file errors after segments

2020-09-21 Thread Antonio Quartulli
ntf(_tag, "", p[0]); > -p[1] = read_inline_file(is, BSTR(_tag), gc); > +p[1] = read_inline_file(is, BSTR(_tag), num_lines, gc); am I wrong or here we should add 1 to num_lines to include the opening tag that was parsed *before* entering read_inline_file()? Regards, -- Antonio Quartulli

Re: [Openvpn-devel] [PATCH] Fix combination of --dev tap and --topology subnet across multiple platforms.

2020-09-18 Thread Antonio Quartulli
his automatically. > > Trac: #1085 > > Signed-off-by: Gert Doering This change is very well contained and straightforward. It just does what it says and makes the if-branches more clear. Acked-by: Antonio Quartulli -- Antonio Quartulli

Re: [Openvpn-devel] [PATCH v2] If IPv6 pool specification sets pool start to ::0 address, increment.

2020-09-17 Thread Antonio Quartulli
s > is a non-issue, as the address for the pool start will be incremented > anyway. > > v2: make comment more explicit about "we're only talking about the > host part here" and "base sees only only 32 bit of the host part" > > Reported-by: NicolaF_ in T

Re: [Openvpn-devel] [PATCH] If IPv6 pool specification sets pool start to ::0 address, increment.

2020-09-17 Thread Antonio Quartulli
for the comment that needs more verbosity. > > gert > -- Antonio Quartulli

Re: [Openvpn-devel] [PATCH] If IPv6 pool specification sets pool start to ::0 address, increment.

2020-09-17 Thread Antonio Quartulli
s smaller than 32? like for a 2001:db8:0:1:1234::0/124? Regards, > + */ > +if (base == 0) > +{ > +msg(D_IFCONFIG_POOL, "IFCONFIG POOL IPv6: incrementing pool > start " > + "to avoid ::0 assignment"); > + base

Re: [Openvpn-devel] [PATCH v3] socks.c: fix alen for DOMAIN type addresses, bump up buffer sizes

2020-09-14 Thread Antonio Quartulli
Hi, On 14/09/2020 11:04, Antonio Quartulli wrote: > Hi, > > On 09/09/2020 14:22, Gert Doering wrote: >> When a SOCKS5 server sends back a reply, it encodes an "address", >> which can be IPv4 (4 bytes), IPv6 (16 bytes) or "a domain name", >> whic

Re: [Openvpn-devel] [PATCH v3] socks.c: fix alen for DOMAIN type addresses, bump up buffer sizes

2020-09-14 Thread Antonio Quartulli
sion on IRC I am fine with this patch, assuming the whitespace is added after the '+' operator. Further refactoring of this code will be carried on in later patches. Regards, -- Antonio Quartulli

Re: [Openvpn-devel] [PATCH] If IPv6 pool specification sets pool start to ::0 address, increment.

2020-09-14 Thread Antonio Quartulli
b8:0:1:1234::0/64 > + * as we only look at the rightmost 32 bits. So be it... > + */ > +if (base == 0) why not memcmp'ing ipv6.base with in6addr_any (defined in netinet/in.h)? This way you get rid of the first NOTE (unless this header is

Re: [Openvpn-devel] [PATCH v3] socks.c: fix alen for DOMAIN type addresses, bump up buffer sizes

2020-09-14 Thread Antonio Quartulli
*/ > +alen = (unsigned char) c +1; since you are touching this line...how about making it straight? 1) why casting to unsigned char? "alen" is int. 2) please add a space after the '+' operator. Regards, -- Antonio Quartulli

Re: [Openvpn-devel] [PATCH] Fix description of --client-disconnect calling convention in manpage.

2020-09-11 Thread Antonio Quartulli
> Signed-off-by: Gert Doering Checked the code and I agree with Gert fix to the documentation. No additional argument is passed. Acked-by: Antonio Quartulli -- Antonio Quartulli

Re: [Openvpn-devel] [PATCH] Replace 'echo -n' with 'printf' in tests/t_lpback.sh

2020-09-11 Thread Antonio Quartulli
("... OK"). > > Reported-by: mnowak on Trac > Trac: #1196 > > Signed-off-by: Gert Doering Change is not invasive and makes sense. Gert is juggling way more platforms than I do, so if he believes this helps portability, I am with him. Ac

Re: [Openvpn-devel] [PATCH v3] Fix best gateway selection over netlink

2020-09-10 Thread Antonio Quartulli
> Signed-off-by: Vladislav Grishenko Thanks for taking care of this issue and for digging into the sitnl code. The change is really contained and easy to review. Tested a bit and it works as expected. Acked-by: Antonio Quartulli -- Antonio Quartulli

Re: [Openvpn-devel] [PATCH v3] Fix best gateway selection over netlink

2020-09-08 Thread Antonio Quartulli
with sitnl by default - this is how this issue was exposed) Regards, -- Antonio Quartulli

Re: [Openvpn-devel] Kernel Acceleration Module

2020-08-31 Thread Antonio Quartulli
stest news because it seems > that no more news is found after Google? Thanks a lot! > Thanks a lot for your interest. There has been quite some work on that front pushed by OpenVPN Inc. We will be sharing more in the next weeks. Stay tuned :-) Regards

[Openvpn-devel] [PATCH] travis: don't run t_net.sh test

2020-08-10 Thread Antonio Quartulli
RUN_SUDO=false which will make any pre-test fail, forcing the Makefile to skip that particular test. Signed-off-by: Antonio Quartulli --- Tested on travis: https://travis-ci.org/github/OpenVPN/openvpn/builds/716605942 .travis.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.travis.yml b

[Openvpn-devel] [PATCH v2] t_net.sh: drop hard dependency on t_client.rc

2020-07-21 Thread Antonio Quartulli
to RUN_SUDO=sudo when the file is missing and no RUN_SUDO is passed via env. While at it, reword the error message to better match the current logic flow. Signed-off-by: Antonio Quartulli --- Changes from v1: * default to sudo when no RUN_SUDO is set externally * change warning message tests

Re: [Openvpn-devel] [PATCH 1/9 v3] Indicate that a client is in pull mode in IV_PROTO

2020-07-21 Thread Antonio Quartulli
Rewrite IV_PROTO paragraph in man page, incorporate spelling fixes > by tincanteksup. > > Signed-off-by: Arne Schwabe Thanks a lot for all the fixes. Looks good to me now. -- Antonio Quartulli

Re: [Openvpn-devel] [PATCH] t_net.sh: drop hard dependency on t_client.rc

2020-07-21 Thread Antonio Quartulli
if that does not work, set RUN_SUDO= correctly for your > system." >&2 > +RUN_SUDO=sudo" > fi > > done - less code, message conveyed if needed. > hmhmhmh makes sense. v2 incoming! -- Antonio Quartulli

Re: [Openvpn-devel] [PATCH v6 4/9] Implement tls-groups option to specify eliptic curves/groups

2020-07-21 Thread Antonio Quartulli
fix > > Patch V5: Fix compilation with OpenSSL 1.0.2 > > Patch V6: Redo the 'while((token = strsep(_groups, ":"))' change > that accidentally got lost. > > Signed-off-by: Arne Schwabe Much better now. Acked-by: Antonio Quartulli -- Antonio Q

Re: [Openvpn-devel] [PATCH v5 4/9] Implement tls-groups option to specify eliptic curves/groups

2020-07-21 Thread Antonio Quartulli
On 21/07/2020 15:46, Antonio Quartulli wrote: > Aren't we calling strsep() twice in a row now? > Once in the while() condition and once at the end of the cycle? > > I think Arne agreed on the issue on IRC, but maybe forgot to fix the patch? > > However, please note

Re: [Openvpn-devel] [PATCH v5 4/9] Implement tls-groups option to specify eliptic curves/groups

2020-07-21 Thread Antonio Quartulli
+i++; > +} > +token = strsep(_groups, ":"); Aren't we calling strsep() twice in a row now? Once in the while() condition and once at the end of the cycle? I think Arne agreed on the issue on IRC, but maybe forgot to fix the patch? Regards,

Re: [Openvpn-devel] [PATCH v2 1/9] Indicate that a client is in pull mode in IV_PROTO

2020-07-20 Thread Antonio Quartulli
>= 2 to determine if DATA_V2 is supported. > + * Therefore any client announcing any of the flags must > + * also announce IV_PROTO_DATA_V2. We also treat bit 0 > + * as reserved for this reason */ > + > +/** Support P_DATA_V2 */ > +#define IV_PROTO_DATA_V2(1<<1) > + > +/**

[Openvpn-devel] [PATCH] options: don't leak inline'd key material in logfile

2020-07-17 Thread Antonio Quartulli
argument without any check. With the new logic this should not happen anymore. A new macro SHOW_STR_INLINE() is therefore introduced which will check the appropriate bool member before deciding to print the actual string content or not. Trac: #1304 Reported-by: Richard Bonhomme Signed-off-by: Antonio

[Openvpn-devel] [PATCH] t_net.sh: drop hard dependency on t_client.rc

2020-07-17 Thread Antonio Quartulli
to RUN_SUDO=sudo when the file is missing. The assignment is made as conditional so that a user can still override RUN_SUDO by specifying an alternate string on the command line. While at it, reword the error message to better match the current logic flow. Signed-off-by: Antonio Quartulli --- tests

Re: [Openvpn-devel] [PATCH 1/9] Indicate that a client is in pull mode in IV_PROTO

2020-07-17 Thread Antonio Quartulli
> +#define IV_PROTO_REQUEST_PUSH (1<<2) /**< Assume client will send a push > + * request and server does not need > + * to wait for a push-request to > send > + * a push-reply */ > + > /* Default field in X509 to be username */ > #define X509_USERNAME_FIELD_DEFAULT "CN" > > -- Antonio Quartulli

Re: [Openvpn-devel] [PATCH v7 2/6] client-connect: Add deferred support to the client-connect script handler

2020-07-17 Thread Antonio Quartulli
already applied) changed the style of many of our functions from: if (x) { do something } to: if (!x) { return } Now this patch is unfortunately introducing a set of functions all implemented using the old pattern. I suggest them to be converted before we merge this patch. I don't re

Re: [Openvpn-devel] [PATCH v7 1/6] client-connect: Add CC_RET_DEFERRED and cope with deferred client-connect

2020-07-16 Thread Antonio Quartulli
handler calls, switch > to switch case > > Signed-off-by: Arne Schwabe Haven't done a full test, this is why we have "Gert and his rig"[tm], but the code looks good and I can't spot anything that may trigger my personal alarm. This version is much cleaner than what i

Re: [Openvpn-devel] [PATCH v6 8/14] client-connect: Add CC_RET_DEFERRED and cope with deferred client-connect

2020-07-15 Thread Antonio Quartulli
else > +{ > +ASSERT(0); > + } > + > + handler = _connect_handlers[defer_state->cur_handler_index]; > +(defer_state->cur_handler_index)++; shouldn't these 2 lines above be inverted? (these parenthesis) Cheers, -- Antonio Quartulli

Re: [Openvpn-devel] [PATCH] reformat multi_client_generate_tls_keys according to uncrustify

2020-07-15 Thread Antonio Quartulli
Hi, On 15/07/2020 16:14, Arne Schwabe wrote: > The refactor accidentally used a wrong code style template and > ended up using 2 instead of 4 as indent. > > Signed-off-by: Arne Schwabe Acked-by: Antonio Quartulli -- Antonio Quartulli

Re: [Openvpn-devel] [PATCH v5 10/14] client-connect: Move adding inotify watch into its own function

2020-07-15 Thread Antonio Quartulli
's all about moving a chunk of code in its own function and indenting it better than how it was. Acked-by: Antonio Quartulli -- Antonio Quartulli

Re: [Openvpn-devel] [PATCH v5 09/14] client-connect: Add deferred support to the client-connect script handler

2020-07-15 Thread Antonio Quartulli
multi_client_connect_post(m, mi, ccs->config_file, > + option_types_found); > +ccs_delete_config_file(mi); > +} > +return ret; > +} > + > /** > * Generates the data channel keys > */ > @@ -2251,7 +2451,7 @@ stat

Re: [Openvpn-devel] [PATCH v5 08/14] client-connect: Add CC_RET_DEFERRED and cope with deferred client-connect

2020-07-14 Thread Antonio Quartulli
> }; > > diff --git a/src/openvpn/openvpn.h b/src/openvpn/openvpn.h > index 7c469b01..ccc7f118 100644 > --- a/src/openvpn/openvpn.h > +++ b/src/openvpn/openvpn.h > @@ -217,6 +217,8 @@ struct context_1 > enum client_connect_status { > CAS_SUCCEEDED=0, > CAS_PENDING, > +CAS_PENDING_DEFERRED, > +CAS_PENDING_DEFERRED_PARTIAL, /**< at least handler succeeded, no > result yet*/ > CAS_FAILED, > CAS_PARTIAL,/**< Variant of CAS_FAILED: at least one > * client-connect script/plugin succeeded > @@ -225,6 +227,13 @@ enum client_connect_status { > */ > }; > > +static inline bool > +is_cas_pending(enum client_connect_status cas) > +{ > +return cas == CAS_PENDING || cas == CAS_PENDING_DEFERRED > + || cas == CAS_PENDING_DEFERRED_PARTIAL; > +} > + > /** > * Level 2 %context containing state that is reset on both \c SIGHUP and > * \c SIGUSR1 restarts. > Other than my stylistic comments the patch looks good and does what it says. IMHO the code is not the prettiest ever, but it gets difficult to suggest something different without an overhaul of the existing code. Acked-by: Antonio Quartulli -- Antonio Quartulli

Re: [Openvpn-devel] [PATCH v5 07/14] client-connect: Change cas_context from int to enum

2020-07-14 Thread Antonio Quartulli
uth; > + > +enum client_connect_status context_auth; > > struct event_timeout push_request_interval; > int n_sent_push_requests; > The rest looks good and makes sense. Using enum is always better as the compiler (and the reader) has extra information about how a var

Re: [Openvpn-devel] [PATCH v5 06/14] client-connect: Refactor client-connect handling to calling a bunch of hooks in a loop

2020-07-14 Thread Antonio Quartulli
multi_client_connect_mda(m, mi, _types_found); > +ret = handlers[i](m, mi, _types_found); > cc_succeeded = cc_check_return(_succeeded_count, ret); > } > > Except for the indentation issue, the rest looks good. This patch simply makes the handlers invocation more generic and part of a loop. Acked-by: Antonio Quartulli -- Antonio Quartulli

Re: [Openvpn-devel] [PATCH v5 05/14] client-connect: Refactor to use return values instead of modifying a passed-in flag

2020-07-14 Thread Antonio Quartulli
"MULTI: client has been rejected due to " > -" 'disable' directive"); > +"'disable' directive"); > cc_succeeded = false; > cc_succeeded_count = 0; > } > > - > - > if

Re: [Openvpn-devel] [PATCH v5 04/14] client-connect: Move multi_client_connect_setenv into early_setup

2020-07-14 Thread Antonio Quartulli
multi_select_virtual_addr(m, mi); > - > -/* do --client-connect setenvs */ > -multi_client_connect_setenv(m, mi); > - > multi_client_connect_call_plugin_v1(m, mi, _types_found, > _succeeded, >

Re: [Openvpn-devel] [PATCH v5 03/14] client-connect: Refactor multi_client_connect_source_ccd

2020-07-14 Thread Antonio Quartulli
thout really introducing any radical change. Acked-by: Antonio Quartulli -- Antonio Quartulli

Re: [Openvpn-devel] [PATCH v5 02/14] client-connect: Split multi_connection_established into separate functions

2020-07-14 Thread Antonio Quartulli
file deletion, rebase on latest master. > > Signed-off-by: Arne Schwabe Thanks for taking care of my concerns. The patch looks good and does what it says. Unfortunately the code itself is already pretty convoluted, so this refactoring patch looks convoluted as well...but after looking t

Re: [Openvpn-devel] [PATCH v5 03/14] client-connect: Refactor multi_client_connect_source_ccd

2020-07-13 Thread Antonio Quartulli
+const char *ccd_client = >> + platform_gen_path(mi->context.options.client_config_dir, > cn, ); > Imho this is not prettier than the version above :D so I'd personally go with the version above instead of this. Cheers,

Re: [Openvpn-devel] [PATCH 8/8] Code cleanup: remove superflous variable

2020-07-09 Thread Antonio Quartulli
such scenario is not possible at all. For this reason this patch makes sense and it removes one more bit that was originally introduced in the attempt of implementing multi threading. Acked-by: Antonio Quartulli > return false; > } > else > -- Antonio Quartulli

Re: [Openvpn-devel] [PATCH 3/8] Extract process_incoming_push_reply from process_incoming_push_msg

2020-07-09 Thread Antonio Quartulli
} > - } > - } > -else if (ch == '\0') > -{ > -ret = PUSH_MSG_REPLY; > -} > -/* show_settings (>options); */ > +return process_incoming_push_reply(c, permission_mask, > + option_types_found, ); > +} > +else > +{ > +return PUSH_MSG_ERROR; > } > -return ret; > } > > > The rest looks good! Tested on the client side and the PUSH_REPLY was still properly processed as expected, Assuming that const gets fixed: Acked-by: Antonio Quartulli -- Antonio Quartulli

Re: [Openvpn-devel] [PATCH 2/8] Make key_state->authenticated more state machine like

2020-07-09 Thread Antonio Quartulli
and it did not break anything visible (as expected). Acked-by: Antonio Quartulli On 09/07/2020 12:15, Arne Schwabe wrote: > This order the states from unauthenticated to authenticated and also > changes the comparison for KS_AUTH_FALSE from != to > > > It also add comments

Re: [Openvpn-devel] [PATCH 1/8] Deprecate ncp-disable and add improved ncp to Changes.rst

2020-07-09 Thread Antonio Quartulli
dynamic cipher negioating is a depracted debug feature that will be removed in OpenVPN 2.6 appears at the top of the log (first line actually) and does not seem easy to spot. How about adding some * or to make it pop out of the screen? I personally did not see it immediately, even though I knew it was there! (note: it may just be me) -- Antonio Quartulli

Re: [Openvpn-devel] [PATCH v2] Make key_state->authenticated more state machine like

2020-07-08 Thread Antonio Quartulli
ommon_name; > if (cn && strcmp(cn, multi->locked_cn)) > @@ -1461,7 +1457,7 @@ verify_final_auth_checks(struct tls_multi *multi, > struct tls_session *session) > } > > /* Don't allow the cert hashes to change once they

Re: [Openvpn-devel] [PATCH 3/3] Make key_state->authenticated more state machine like

2020-07-07 Thread Antonio Quartulli
461,7 +1454,7 @@ verify_final_auth_checks(struct tls_multi *multi, > struct tls_session *session) > } > > /* Don't allow the cert hashes to change once they have been locked */ > -if (ks->authenticated != KS_AUTH_FALSE && multi->locked_cert_hash_se

Re: [Openvpn-devel] [PATCH 1/3] Simplify multi_connection_established.

2020-07-07 Thread Antonio Quartulli
ile-tested. (but please fix the commit message before merging) Acked-by: Antonio Quartulli -- Antonio Quartulli

Re: [Openvpn-devel] [PATCH] Make openvpn --version exit with exit code 0

2020-07-07 Thread Antonio Quartulli
ickly tested the patch and I can confirm it does what it says :) Acked-by: Antonio Quartulli -- Antonio Quartulli

Re: [Openvpn-devel] [PATCH v2] Remove --writepid file on program exit.

2020-07-07 Thread Antonio Quartulli
**/ > /** > @@ -274,7 +252,7 @@ openvpn_main(int argc, char *argv[]) > if (c.first_time) > { > c.did_we_daemonize = possibly_become_daemon(); > -write_pid(c.options.writepid); > +write_pid_file(c.options.writepid, c.options.chroot_dir); > } > > #ifdef ENABLE_MANAGEMENT > Other than the comment nitpick, everything looks good. The patch has been tested and works as expected. The pidfile is always removed, regardless of the openvpn exit status. Acked-by: Antonio Quartulli -- Antonio Quartulli

Re: [Openvpn-devel] [PATCH 2/2] merge key_state->authenticated and key_state->auth_deferred

2020-07-06 Thread Antonio Quartulli
sion) > } > > /* Don't allow the cert hashes to change once they have been locked */ > -if (ks->authenticated && multi->locked_cert_hash_set) > +if (ks->authenticated != KS_AUTH_FALSE && multi->locked_cert_hash_set) > { > const struct cert_hash_set *chs = session->cert_hash_set; > if (chs && !cert_hash_compare(chs, multi->locked_cert_hash_set)) > @@ -1474,7 +1475,7 @@ verify_final_auth_checks(struct tls_multi *multi, > struct tls_session *session) > } > > /* verify --client-config-dir based authentication */ > -if (ks->authenticated && session->opt->client_config_dir_exclusive) > +if (ks->authenticated != KS_AUTH_FALSE && > session->opt->client_config_dir_exclusive) > { > struct gc_arena gc = gc_new(); > > @@ -1483,7 +1484,7 @@ verify_final_auth_checks(struct tls_multi *multi, > struct tls_session *session) > cn, ); > if (!cn || !strcmp(cn, CCD_DEFAULT) || !platform_test_file(path)) > { > -ks->authenticated = false; > +ks->authenticated = KS_AUTH_FALSE; > wipe_auth_token(multi); > msg(D_TLS_ERRORS, "TLS Auth Error: --client-config-dir > authentication failed for common name '%s' file='%s'", > session->common_name, > The rest looks good, but can't ACK as it is. Regards, -- Antonio Quartulli

Re: [Openvpn-devel] [PATCH] t_client.sh: correctly report all failed instances in summary

2020-07-03 Thread Antonio Quartulli
I can't easily come up with a t_client instance that verifies this failure, but I trust Gert to have done so after having spotted the issue. Acked-by: Antonio Quartulli -- Antonio Quartulli

Re: [Openvpn-devel] [PATCH] Remove did_open_context, defined and connection_established_flag

2020-07-03 Thread Antonio Quartulli
multi_create_instance. > > connection_established_flag is only set to true if context_auth > is changed from CAS_PENDING to one another state, so we can also check > for cas_context != CAS_PENDING. > > Signed-off-by: Arne Schwabe Acked-by: Antonio Quartulli -- Antonio Quartulli

[Openvpn-devel] [PATCH] multi.c: use mi->cc_config instead of config variable

2020-07-01 Thread Antonio Quartulli
Commit ("Remove parameter config from multi_client_connect_mda") has removed the config variable in favour of mi->cc_config, however one occurrence was not changed. Fix it now by properly using mi->cc_config. Signed-off-by: Antonio Quartulli --- src/openvpn/multi.c | 2 +- 1

Re: [Openvpn-devel] [PATCH] Remove parameter config from multi_client_connect_mda

2020-07-01 Thread Antonio Quartulli
Hi, On 01/07/2020 14:22, Arne Schwabe wrote: > config is always used as mi->cc_config and we pass mi, > so directly use mi->cc_config > > Signed-off-by: Arne Schwabe Acked-by: Antonio Quartulli -- Antonio Quartulli

Re: [Openvpn-devel] [PATCH v4 3/3] Implement tls-groups option to specify eliptic curves/groups

2020-06-25 Thread Antonio Quartulli
: error: ld returned 1 exit status Any clue? On 23/06/2020 11:21, Antonio Quartulli wrote: > Hi, > > On 22/06/2020 16:02, Arne Schwabe wrote: > > [CUT] > >> @@ -343,6 +348,42 @@ tls_ctx_set_cert_profile(struct tls_root_ctx *ctx, >> const char *profile)

Re: [Openvpn-devel] [PATCH v4 3/3] Implement tls-groups option to specify eliptic curves/groups

2020-06-23 Thread Antonio Quartulli
ps = string_alloc(groups, ); > + > +const char *token; > +while ((token = strsep(_groups, ":"))) > +{ > +if (streq(token, "secp256r1")) > +{ > +token = "prime256v1"; > +} > +int nid = OBJ_sn2n

[Openvpn-devel] [PATCH] pool: remove useless 'options.h' include

2020-06-10 Thread Antonio Quartulli
Commit 6a8cd033 ("pool: add support for ifconfig-pool-persist with IPv6 only") has accidentally introduced an include for 'options.h', which revealed to not be useful at all. Remove it. Reported-by: Gert Doering Signed-off-by: Antonio Quartulli --- src/openvpn/pool.c | 1 - 1 file

[Openvpn-devel] [PATCH] multi: skip IPv4 logic in multi_select_virtual_addr() if no pool is configured

2020-06-10 Thread Antonio Quartulli
. Reported-by: Gert Doering Signed-off-by: Antonio Quartulli --- src/openvpn/multi.c | 50 - 1 file changed, 27 insertions(+), 23 deletions(-) diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index 2fbbe9ec..99472f14 100644 --- a/src/openvpn/multi.c

Re: [Openvpn-devel] [PATCH] Simplify pool size handling, fix possible array overrun on pool reading.

2020-06-09 Thread Antonio Quartulli
< pool->size) > { > ret = add_in6_addr( pool->ipv6.base, hand ); > } > @@ -504,9 +490,9 @@ ifconfig_pool_list(const struct ifconfig_pool *pool, > struct status_output *out) > if (pool && out) > { > struct gc_arena

[Openvpn-devel] [PATCH v6] ipv6-pool: get rid of size constraint

2020-06-08 Thread Antonio Quartulli
Signed-off-by: Antonio Quartulli --- Changes from v5: - restyle base addr computation to avoid odd line wrapping Changes from v4: - make the base computation depending on the size of the pool: - large pools will still start at +0x1000 (backward compatible) - smaller pools

[Openvpn-devel] [PATCH v5] ipv6-pool: get rid of size constraint

2020-06-08 Thread Antonio Quartulli
Signed-off-by: Antonio Quartulli --- Changes from v4: - make the base computation depending on the size of the pool: - large pools will still start at +0x1000 (backward compatible) - smaller pools will start at +2 src/openvpn/helper.c | 21 + src/openvpn

Re: [Openvpn-devel] [PATCH v4 7/7] ipv6-pool: get rid of size constraint

2020-06-08 Thread Antonio Quartulli
t makes sense, especially to preserve the current behaviour on already deployed setups. New patch incoming! -- Antonio Quartulli

[Openvpn-devel] [PATCH v5] options: enable IPv4 redirection logic only if really required

2020-06-08 Thread Antonio Quartulli
From: Antonio Quartulli If no IPv4 redirection flag is set, do not enable the IPv4 redirection logic at all so that it won't bother adding any useless IPv4 route. Trac: #208 Signed-off-by: Antonio Quartulli --- Changes from v4: - add warning about undefined behaviour when specifying

[Openvpn-devel] [PATCH v5] pool: add support for ifconfig-pool-persist with IPv6 only

2020-06-06 Thread Antonio Quartulli
From: Antonio Quartulli Without altering the pool logic, this patch enables using a persistent IP pool also when the server is configured with IPv6 only. Trac: #208 Signed-off-by: Antonio Quartulli --- Changes from v4: - prevent persist-pool parser from bailing out when only IPv4 addresses

Re: [Openvpn-devel] [PATCH v2 3/3] Implement tls-groups option to specify elliptic curves/groups

2020-06-04 Thread Antonio Quartulli
"secp256r1")) > +{ > +token = "prime256v1"; > +} > +int nid = OBJ_sn2nid(token); > + > +if (nid == 0) > +{ > +msg(M_WARN, "Warning unknown curve/group specified: %s", token); >
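Review bot: the rewrite of "secp256r1" to "prime256v1" before OBJ_sn2nid(token) is necessary, because OpenSSL registers P-256 only under the short name "prime256v1" while secp384r1 and secp521r1 resolve directly, so the special case is correct but should carry a comment saying why only this curve is renamed; the message "Warning unknown curve/group specified: %s" is also missing the colon after "Warning" that the other M_WARN messages use.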

[Openvpn-devel] [PATCH v5] pool: allow to configure an IPv6-only ifconfig-pool

2020-06-01 Thread Antonio Quartulli
From: Antonio Quartulli With this change a server is allowed to allocate an IPv6-only pool. This is required to make it capable of managing an IPv6-only tunnel. Trac: #208 Signed-off-by: Antonio Quartulli --- Changes from v4: - make 'IFCONFIG POOL' message symmetric across IPv4 and IPv6

Re: [Openvpn-devel] [PATCH v4 2/7] pool: allow to configure an IPv6-only ifconfig-pool

2020-06-01 Thread Antonio Quartulli
Hi, On 01/06/2020 12:40, Gert Doering wrote: > Hi, > > On Sat, May 30, 2020 at 02:05:55AM +0200, Antonio Quartulli wrote: >> From: Antonio Quartulli >> >> With this change a server is allowed to allocate an >> IPv6-only pool. This is required to make it ca

[Openvpn-devel] [PATCH v4 2/7] pool: allow to configure an IPv6-only ifconfig-pool

2020-05-29 Thread Antonio Quartulli
From: Antonio Quartulli With this change a server is allowed to allocate an IPv6-only pool. This is required to make it capable of managing an IPv6-only tunnel. Trac: #208 Signed-off-by: Antonio Quartulli --- Changes from v3: - properly compute pool size taking into account the actual base

[Openvpn-devel] [PATCH v4 7/7] ipv6-pool: get rid of size constraint

2020-05-29 Thread Antonio Quartulli
Signed-off-by: Antonio Quartulli --- src/openvpn/helper.c | 7 +++ src/openvpn/options.c | 13 + src/openvpn/pool.c| 12 3 files changed, 24 insertions(+), 8 deletions(-) diff --git a/src/openvpn/helper.c b/src/openvpn/helper.c index 277e6972..2174b580 100644

[Openvpn-devel] [PATCH v4 3/7] allow usage of --server-ipv6 even when no --server is specified

2020-05-29 Thread Antonio Quartulli
From: Antonio Quartulli Until now OpenVPN has not allowed specifying --server-ipv6 if no --server was also set. This constraint comes from the fact that most of the IPv6 logic (i.e. ifconfig-pool handling) relied on IPv4 components to be activated and configured as well. Now that the IPv6 code

[Openvpn-devel] [PATCH v4 6/7] options: enable IPv4 redirection logic only if really required

2020-05-29 Thread Antonio Quartulli
From: Antonio Quartulli If no IPv4 redirection flag is set, do not enable the IPv4 redirection logic at all so that it won't bother adding any useless IPv4 route. Trac: #208 Signed-off-by: Antonio Quartulli --- Changes from v4: - move error message modification to previous patch Changes from

[Openvpn-devel] [PATCH v4 4/7] pool: add support for ifconfig-pool-persist with IPv6 only

2020-05-29 Thread Antonio Quartulli
From: Antonio Quartulli Without altering the pool logic, this patch enables using a persistent IP pool also when the server is configured with IPv6 only. Trac: #208 Signed-off-by: Antonio Quartulli --- Changes from v3: - patchset rebased on top of pre-ipv6-only patchset src/openvpn

[Openvpn-devel] [PATCH v4 1/7] pool: prevent IPv6 pools to be larger than 2^16 addresses

2020-05-29 Thread Antonio Quartulli
Signed-off-by: Antonio Quartulli --- src/openvpn/pool.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/openvpn/pool.c b/src/openvpn/pool.c index 5d503a33..6dd72bb9 100644 --- a/src/openvpn/pool.c +++ b/src/openvpn/pool.c @@ -183,7 +183,7 @@ ifconfig_pool_init(enum

[Openvpn-devel] [PATCH v4 5/7] route: warn on IPv4 routes installation when no IPv4 is configured

2020-05-29 Thread Antonio Quartulli
From: Antonio Quartulli Same as already happens for IPv6, it is useful for the user to throw a warning when an IPv4 route is about to be installed and the tun interface has no IPv4 configured. The twin message for IPv4 is adapted to have the same format. The warning is not fatal, because

[Openvpn-devel] [PATCH v4 0/7] Allow IPv6-only tunnels

2020-05-29 Thread Antonio Quartulli
is also available at [1] in the ipv6-only branch) Cheers, Trac: #208 [1] https://gitlab.com/ordex986/openvpn Antonio Quartulli (7): pool: prevent IPv6 pools to be larger than 2^16 addresses pool: allow to configure an IPv6-only ifconfig-pool allow usage of --server-ipv6 even when

Re: [Openvpn-devel] [PATCH] Add .git-blame-ignore-revs with reformat commits

2020-05-29 Thread Antonio Quartulli
The conflict might be related to the reformatting (so you think we may want to hide it)...but I think we should not ignore it in any case as resolving a conflict is potentially a source of bugs. Regards, -- Antonio Quartulli ___ Open

Re: [Openvpn-devel] [PATCH] Change client side of t_lpback.sh configs to use inline material.

2020-05-13 Thread Antonio Quartulli
checking genkey as well. In any case, I stared at the change and it looks good! I did not run it myself but buildbot will immediately tell us if something is wrong. Acked-by: Antonio Quartulli -- Antonio Quartulli ___ Openvpn-devel mailing list Openvpn-de

[Openvpn-devel] [PATCH] tls-crypt-v2: fix testing of inline key

2020-05-10 Thread Antonio Quartulli
The inline logic was recently changed by commit ("convert *_inline attributes to bool"), however the code testing a newly created tls-crypt-v2 client key was not adapted. Adapt tls-crypt-v2 test routine by properly signaling when the passed key is inlined or not. Signed-off-by: Antonio

Re: [Openvpn-devel] [PATCH] get rid of TAG_FILE_INLINE constant

2020-05-10 Thread Antonio Quartulli
TAG; >^ > > I haven't dug into if client_filename really needs to be set to > INLINE_FILE_TAG. > whoop - I prepared a patch for this last occurrence (to be applied before this patch), but did not send it. Incoming... -- Antonio Quartulli

Re: [Openvpn-devel] [PATCH] get rid of TAG_FILE_INLINE constant

2020-05-08 Thread Antonio Quartulli
I managed to totally revert the name of the constant in the commit subject and commit message.. may somebody fix this upon merge? :-) It should be: INLINE_FILE_TAG Cheers, On 08/05/2020 23:23, Antonio Quartulli wrote: > Now that the whole inline logic has been converted to using bool fl

[Openvpn-devel] [PATCH] get rid of TAG_FILE_INLINE constant

2020-05-08 Thread Antonio Quartulli
Now that the whole inline logic has been converted to using bool flags, the TAG_FILE_INLINE constant is not useful anymore. Get rid of the constant as it's now unused and to prevent any future developer from mistakenly using it again. Signed-off-by: Antonio Quartulli --- to be applied after all

[Openvpn-devel] [PATCH] options: fix inlining auth-gen-token-secret file

2020-05-08 Thread Antonio Quartulli
be inlined as well. Signed-off-by: Antonio Quartulli --- src/openvpn/options.c | 10 +++--- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 56c9e411..2d2089e3 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @

Re: [Openvpn-devel] [PATCH 2/2] options: Restore --tls-crypt-v2 inline file capability

2020-05-08 Thread Antonio Quartulli
der if we should add unit-tests or t_client.sh test cases with inlined files too. Acked-by: Antonio Quartulli -- Antonio Quartulli ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [PATCH 1/2] options: Fix failing inline tls-auth/crypt with persist-key

2020-05-08 Thread Antonio Quartulli
tent stored in > the object but was "tagged" as a normal file (name) not an inline file. > > Signed-off-by: David Sommerseth Thanks for fixing my bugs :-) Unfortunately the code has changed a bit since the issue of v1 until v11...so these nasty errors sneaked in. Acked-by:

[Openvpn-devel] [PATCH v11] convert *_inline attributes to bool

2020-05-07 Thread Antonio Quartulli
Carrying around the INLINE_TAG is not really efficient, because it requires a strcmp() to be performed every time we want to understand if the data is stored inline or not. Convert all the *_inline attributes to bool to make the logic easier and checks more efficient. Signed-off-by: Antonio

[Openvpn-devel] [PATCH v10] convert *_inline attributes to bool

2020-05-07 Thread Antonio Quartulli
Carrying around the INLINE_TAG is not really efficient, because it requires a strcmp() to be performed every time we want to understand if the data is stored inline or not. Convert all the *_inline attributes to bool to make the logic easier and checks more efficient. Signed-off-by: Antonio

Re: [Openvpn-devel] [PATCH] Support for wolfSSL in OpenVPN

2020-05-07 Thread Antonio Quartulli
> wolfSSL library]) > + else > + AC_DEFINE([WOLFSSL_USER_SETTINGS], [1], [Use custom > user_settings.h file for wolfSSL library]) > + fi > + > + WOLFSSL_CFLAGS="${WOLFSSL_CFLAGS} -I${wolfssldir}" > + CFLAGS="${WOLFSSL_CFLAGS} ${CFLAGS
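Review bot: `CFLAGS="${WOLFSSL_CFLAGS} ${CFLAGS...` folds the wolfSSL include path into the global CFLAGS, so every object in the tree, not only the crypto backend, is compiled with `-I${wolfssldir}` ahead of the system include path and wolfSSL's compatibility headers can shadow system headers for unrelated units; keep the path in WOLFSSL_CFLAGS only and add that variable to the targets that need it in Makefile.am, the way OPENSSL_CFLAGS is handled.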

[Openvpn-devel] [PATCH] t_net.sh: assign MAC address directly during interface creation

2020-04-28 Thread Antonio Quartulli
Signed-off-by: Antonio Quartulli --- - tested with buildbot tests/t_net.sh | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/tests/t_net.sh b/tests/t_net.sh index 8f1bc361..c67c3df2 100755 --- a/tests/t_net.sh +++ b/tests/t_net.sh @@ -33,15 +33,13 @@ LAST_STATE
