[Openvpn-devel] [PATCH] Add generated openvpn.doxyfile to .gitignore

2017-11-11 Thread Gert van Dijk
I think this was omitted in 66bf378e. Signed-off-by: Gert van Dijk --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index 18a45202..25009d81 100644 --- a/.gitignore +++ b/.gitignore @@ -52,6 +52,7 @@ config-msvc-version.h

Re: [Openvpn-devel] [PATCH v2] Remove warning on pushed tun-ipv6 option.

2017-11-11 Thread Arne Schwabe
On 11.11.17 at 15:22, Gert Doering wrote: > tun-ipv6 is a no-op nowadays, and we print a warning to let users know - > which is not helpful for server-pushed tun-ipv6 (which might be the > result of --server-ipv6 automatically pushing this). So, remove the > warning if parsing pushed options. >

Re: [Openvpn-devel] [PATCH] Remove warning on pushed tun-ipv6 option.

2017-11-11 Thread Steffan Karger
Hi, On 11-11-17 14:36, Gert Doering wrote: > tun-ipv6 is a no-op nowadays, and we print a warning to let users know - > which is not helpful for server-pushed tun-ipv6 (which might be the > result of --server-ipv6 automatically pushing this). So, remove the > warning if parsing pushed options. >

[Openvpn-devel] [PATCH v5 3/3] ensure function declarations are compiled with their definitions

2017-11-11 Thread Antonio Quartulli
From: Antonio Quartulli Function prototypes should be included when compiling their definitions so that it is clear to compilers and static analyzers that they are not static. This means that several declarations have to be moved to the related header files which in turn

[Openvpn-devel] [PATCH v5 2/3] merge *-inline.h files with their main header

2017-11-11 Thread Antonio Quartulli
*-inline.h files are not very useful anymore. In an attempt to clean up the code some more, merge them into their main header files. No functional change is part of this patch. Cc: Steffan Karger Signed-off-by: Antonio Quartulli --- v4:

[Openvpn-devel] [PATCH v5 1/3] pf: restyle pf_c2c/addr_test() to make them 'struct context' agnostic

2017-11-11 Thread Antonio Quartulli
In an attempt to get rid of any pf-inline.h file, we need to make sure that inline functions do not trigger any circular include dependency. For this reason, prevent pf_c2c/addr_test() from being 'struct context' aware, so that pf-inline.h does not need to rely on the content of openvpn.h. Cc:

Re: [Openvpn-devel] [PATCH 5/7] re-implement argv_printf_*()

2017-11-11 Thread Heiko Hund
Hi David, On Wednesday, November 9, 2016 9:41:21 PM CET David Sommerseth wrote: > In the new argv_prep_format() function: > > + if (!in_token) > +{ > + ++*count; > + if (f[0]) > +f[j++] = delim; > +} > > What is the purpose of the f[0] check?

[Openvpn-devel] [PATCH] Use P_DATA_V2 for server->client packets too

2017-11-11 Thread Steffan Karger
P_DATA_V2 introduced the peer-id. This allows clients to float, but as a side-effect 32-bit aligns the encrypted data. That alignment improves performance particularly on cheaper/older CPUs. So although servers don't actually have a peer-id, still use the V2 packet format (with a zero-id) for
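The message above turns on the header layout of the two data opcodes: a P_DATA_V1 packet carries a single opcode/key-id byte before the encrypted payload, while P_DATA_V2 adds a 24-bit peer-id, making the header 4 bytes so the payload that follows lands on a 32-bit boundary. The following is an added illustration written for this page, not code from OpenVPN or from the patch; it builds and parses both headers using the opcode values and bit layout from the OpenVPN wire protocol (opcode in the upper 5 bits, key-id in the lower 3, peer-id big-endian), and the `struct data_hdr` type and function names are my own:

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Opcode numbers from the OpenVPN wire protocol: opcode in the upper 5
 * bits of the first byte, key-id in the lower 3. */
#define P_DATA_V1 6
#define P_DATA_V2 9
#define P_OPCODE_SHIFT 3
#define P_KEY_ID_MASK 0x07

/* Parsed header (illustrative struct, not an OpenVPN type). */
struct data_hdr {
    int opcode;
    int key_id;
    uint32_t peer_id;   /* only meaningful for P_DATA_V2 */
    size_t payload_off; /* byte offset where the encrypted payload starts */
};

/* Write a P_DATA_V1 header: one byte. Returns the header length. */
size_t put_data_v1_hdr(uint8_t *buf, int key_id)
{
    buf[0] = (uint8_t)((P_DATA_V1 << P_OPCODE_SHIFT) | (key_id & P_KEY_ID_MASK));
    return 1;
}

/* Write a P_DATA_V2 header: opcode/key-id byte followed by a 24-bit
 * big-endian peer-id, 4 bytes in total. A server that has no peer-id of
 * its own can still use this format with a zero id, as the patch above
 * proposes; what matters for alignment is the 4-byte header length. */
size_t put_data_v2_hdr(uint8_t *buf, int key_id, uint32_t peer_id)
{
    buf[0] = (uint8_t)((P_DATA_V2 << P_OPCODE_SHIFT) | (key_id & P_KEY_ID_MASK));
    buf[1] = (uint8_t)(peer_id >> 16);
    buf[2] = (uint8_t)(peer_id >> 8);
    buf[3] = (uint8_t)peer_id;
    return 4;
}

/* Parse either data header. Returns 0 on success, -1 if the packet is
 * too short for the opcode it claims or the opcode is not a data opcode.
 * The length check matters: a V2 opcode byte with fewer than 3 bytes
 * behind it must be rejected, not read past the buffer. */
int parse_data_hdr(const uint8_t *pkt, size_t len, struct data_hdr *out)
{
    if (len < 1) {
        return -1;
    }
    out->opcode = pkt[0] >> P_OPCODE_SHIFT;
    out->key_id = pkt[0] & P_KEY_ID_MASK;
    out->peer_id = 0;
    if (out->opcode == P_DATA_V1) {
        out->payload_off = 1;
        return 0;
    }
    if (out->opcode == P_DATA_V2) {
        if (len < 4) {
            return -1;
        }
        out->peer_id = ((uint32_t)pkt[1] << 16) | ((uint32_t)pkt[2] << 8) | pkt[3];
        out->payload_off = 4;
        return 0;
    }
    return -1;
}

/* True when the payload starts on a 32-bit boundary relative to the
 * packet start (assuming the packet buffer itself is aligned). */
int payload_is_aligned(const struct data_hdr *h)
{
    return (h->payload_off % 4) == 0;
}

int main(void)
{
    uint8_t buf[16];
    struct data_hdr h;
    size_t n = put_data_v2_hdr(buf, 2, 0x00ABCDEF);
    assert(parse_data_hdr(buf, n, &h) == 0 && payload_is_aligned(&h));
    n = put_data_v1_hdr(buf, 2);
    assert(parse_data_hdr(buf, n, &h) == 0 && !payload_is_aligned(&h));
    return 0;
}
```

With a V1 header the ciphertext starts at offset 1, so any word-sized operation inside the cipher or HMAC code has to deal with misalignment; with V2 it starts at offset 4, which is the performance effect the message describes. The zero peer-id for the server side is taken from the patch description above and is not verified against the applied code.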

[Openvpn-devel] [PATCH] Remove warning on pushed tun-ipv6 option.

2017-11-11 Thread Gert Doering
tun-ipv6 is a no-op nowadays, and we print a warning to let users know - which is not helpful for server-pushed tun-ipv6 (which might be the result of --server-ipv6 automatically pushing this). So, remove the warning if parsing pushed options. Also, remove the VERIFY_PERMISSION() call here which

[Openvpn-devel] [PATCH v4] Add --tls-cert-profile option for mbedtls builds

2017-11-11 Thread Steffan Karger
From: Steffan Karger This allows the user to specify what certificate crypto algorithms to support. The supported profiles are 'preferred', 'legacy' (default) and 'suiteb', as discussed in <84590a17-1c48-9df2-c48e-4160750b2...@fox-it.com>

Re: [Openvpn-devel] [PATCH] Add generated openvpn.doxyfile to .gitignore

2017-11-11 Thread Steffan Karger
Hi, On 11-11-17 18:14, Gert van Dijk wrote: > I think this was omitted in 66bf378e. > > Signed-off-by: Gert van Dijk > --- > .gitignore | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/.gitignore b/.gitignore > index 18a45202..25009d81 100644 > --- a/.gitignore >

Re: [Openvpn-devel] [PATCH v2] Remove warning on pushed tun-ipv6 option.

2017-11-11 Thread Steffan Karger
Hi, On 11-11-17 15:22, Gert Doering wrote: > tun-ipv6 is a no-op nowadays, and we print a warning to let users know - > which is not helpful for server-pushed tun-ipv6 (which might be the > result of --server-ipv6 automatically pushing this). So, remove the > warning if parsing pushed options. >

Re: [Openvpn-devel] [PATCH] Implement "status 4" (JSON) for management interface

2017-11-11 Thread Gert van Dijk
Hi François, This is not a full review, but as just discussed face-to-face, here are some points from me: 1) Could we also please please enable this for non-management interface use case? I guess it's just adding the status version number 4 in option/config validator (and the manpage). 2) With

Re: [Openvpn-devel] [PATCH 12/13] Memory size arithmetic reviewed according to 64-bit MSVC complaints

2017-11-11 Thread Selva
Hi, Some of these changes are of dubious value as the string lengths involved are guaranteed to be small and there is no scope for overflow. And casting only stops the compiler warning, not potential overflow, if any. As for the offending mixed int/size_t arithmetic, a better option is to just
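The point Selva makes above, that a cast silences the signed/unsigned warning without removing the overflow, is easy to show with a fixed buffer whose fill level is tracked as an `int`. The following is an added example written for this page, not OpenVPN code and not the patch under review; `struct fixedbuf`, `CAP` and the function names are my own. `space_cast()` is the "cast to quiet the compiler" computation and `space_checked()` validates the invariant before doing any arithmetic:

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* A fixed buffer whose fill level is an int, as in many older C code
 * bases. Mixing that int with size_t is what 64-bit MSVC warns about. */
#define CAP 32
struct fixedbuf {
    char data[CAP];
    int used;          /* bytes in use, excluding the terminating NUL */
};

/* Free space computed the "cast to silence the warning" way. The cast
 * makes the compiler quiet, but if used is negative or exceeds CAP the
 * unsigned subtraction wraps instead of failing: the result is a huge
 * value (or, for used == -1, exactly CAP), never an error. */
size_t space_cast(const struct fixedbuf *b)
{
    return (size_t)CAP - (size_t)b->used - 1;
}

/* Free space with the invariant 0 <= used < CAP checked first. Returns
 * -1 on violation so the caller cannot go on to copy. Inside the check
 * the arithmetic is plain int on values in [0, CAP) and cannot wrap. */
int space_checked(const struct fixedbuf *b, size_t *out)
{
    if (b->used < 0 || b->used >= CAP) {
        return -1;
    }
    *out = (size_t)(CAP - 1 - b->used);
    return 0;
}

/* Append up to n bytes of s, truncating to what fits. Returns bytes
 * copied, or -1 if the buffer state is inconsistent. Because the copy
 * length comes only from space_checked(), a bad fill level can never
 * become an out-of-bounds memcpy. */
int fixedbuf_append(struct fixedbuf *b, const char *s, size_t n)
{
    size_t space;
    size_t ncopy;
    if (space_checked(b, &space) != 0) {
        return -1;
    }
    ncopy = n < space ? n : space;
    memcpy(b->data + b->used, s, ncopy);
    b->used += (int)ncopy;          /* ncopy <= CAP - 1, fits in int */
    b->data[b->used] = '\0';
    return (int)ncopy;
}

/* True when the cast-only computation claims at least CAP free bytes,
 * which is impossible (at most CAP - 1 are usable): the sign of a wrap. */
int space_cast_wrapped(const struct fixedbuf *b)
{
    return space_cast(b) >= (size_t)CAP;
}

int main(void)
{
    struct fixedbuf b;
    memset(&b, 0, sizeof b);
    assert(fixedbuf_append(&b, "hello", 5) == 5);
    b.used = CAP + 8;                /* corrupted fill level */
    assert(space_cast_wrapped(&b));  /* cast version "finds" space */
    assert(fixedbuf_append(&b, "x", 1) == -1);  /* checked version refuses */
    return 0;
}
```

The lesson is the one in the message: where the lengths are provably small the cast is merely noise, and where they are not, the fix is a range check on the `int` before it is widened, not a cast that makes the warning go away.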

Re: [Openvpn-devel] [PATCH] Remove warning on pushed tun-ipv6 option.

2017-11-11 Thread Gert Doering
Hi, On Sat, Nov 11, 2017 at 03:16:13PM +0100, Steffan Karger wrote: > (I'll leave review of the correctness of the change to someone who > actually understands what tun-ipv6 exactly does.) "exactly and absolutely nothing" :-) (It *used* to be a flag to tell openvpn "switch the tun interface

[Openvpn-devel] [PATCH v2] Implement block-ipv6

2017-11-11 Thread Arne Schwabe
This can be used to redirect all IPv6 traffic to the tun interface, effectively black-holing the IPv6 traffic. Without ICMPv6 error messages this will result in timeouts when the server does not send error codes. block-ipv6 allows client-side-only blocking on all platforms that OpenVPN supports

Re: [Openvpn-devel] [PATCH v5 1/3] pf: restyle pf_c2c/addr_test() to make them 'struct context' agnostic

2017-11-11 Thread Steffan Karger
Hi, On 11-11-17 17:18, Antonio Quartulli wrote: > In an attempt to get rid of any pf-inline.h file, we need > to make sure that inline functions do not trigger any circular > include dependency. > > For this reason, prevent pf_c2c/addr_test() from being 'struct context' > aware, so that

Re: [Openvpn-devel] [PATCH v4] Add --tls-cert-profile option for mbedtls builds

2017-11-11 Thread Antonio Quartulli
Hi, On 11/11/17 23:36, Steffan Karger wrote: > From: Steffan Karger > > This allows the user to specify what certificate crypto algorithms to > support. The supported profiles are 'preferred', 'legacy' (default) and > 'suiteb', as discussed in

Re: [Openvpn-devel] [PATCH 6/7] argv: do fewer memory re-allocations

2017-11-11 Thread Heiko Hund
On Wednesday, November 9, 2016 11:58:21 PM CET David Sommerseth wrote: > > argv_init (struct argv *a) > > { > > > >a->capacity = 0; > >a->argc = 0; > >a->argv = NULL; > > > > + argv_extend (a, 8); > > Why 8? Done any performance and/or memory utilization tests? Does the >

Re: [Openvpn-devel] [PATCH 7/7] Add gc_arena to struct argv to save allocations

2017-11-11 Thread Heiko Hund
On Thursday, November 10, 2016 4:01:20 PM CET David Sommerseth wrote: > On 28/10/16 18:42, Heiko Hund wrote: > > > > + a->gc = gc_new (); > >argv_extend (a, 8); > > } > > Any specific reason we want to keep our own gc_arena on argv? Why not > pass an existing gc_arena pointer to the

Re: [Openvpn-devel] [PATCH v5 2/3] merge *-inline.h files with their main header

2017-11-11 Thread Steffan Karger
Hi, On 11-11-17 17:18, Antonio Quartulli wrote: > *-inline.h files are not very useful anymore. > In an attempt to clean up the code some more, > merge them into their main header files. > > No functional change is part of this patch. > > Cc: Steffan Karger >

[Openvpn-devel] [PATCH v3] Add per session pseudo-random jitter to --reneg-sec intervals

2017-11-11 Thread Steffan Karger
From: Simon Matter While we were suffering from the "TLS Renegotiation Slowdown" bug here https://community.openvpn.net/openvpn/ticket/854 we realized that there is still room for improvement in our use case. It appears that TLS renegotiation is getting more and more

[Openvpn-devel] [PATCH v2] Remove warning on pushed tun-ipv6 option.

2017-11-11 Thread Gert Doering
tun-ipv6 is a no-op nowadays, and we print a warning to let users know - which is not helpful for server-pushed tun-ipv6 (which might be the result of --server-ipv6 automatically pushing this). So, remove the warning if parsing pushed options. Also, remove the VERIFY_PERMISSION() call here which

[Openvpn-devel] [PATCH applied] Re: Remove warning on pushed tun-ipv6 option.

2017-11-11 Thread Gert Doering
Patch has been applied to the master and release/2.4 branch (with the whitespace change as suggested by our styleguide enforcer :) ). commit 7a216d9dba558281d4b6a04124912081a79fcb88 (master) commit 81b6882116a55299d5da5542d757d65384829efe (release/2.4) Author: Gert Doering Date: Sat Nov 11

[Openvpn-devel] [PATCH 1/2] manpage: improve description of --status and --status-version

2017-11-11 Thread Gert van Dijk
Signed-off-by: Gert van Dijk --- doc/openvpn.8 | 31 --- 1 file changed, 28 insertions(+), 3 deletions(-) diff --git a/doc/openvpn.8 b/doc/openvpn.8 index a4189ac2..267497fd 100644 --- a/doc/openvpn.8 +++ b/doc/openvpn.8 @@ -2452,12 +2452,37 @@

[Openvpn-devel] [PATCH 2/2] Add negotiated cipher to status file format 2 and 3

2017-11-11 Thread Gert van Dijk
With NCP turned off, this will still display the cipher used. Trac: #814 Signed-off-by: Gert van Dijk --- doc/openvpn.8 | 2 +- src/openvpn/multi.c | 11 +++ 2 files changed, 8 insertions(+), 5 deletions(-) diff --git a/doc/openvpn.8 b/doc/openvpn.8 index