Acked-by: Gert Doering
Yeah, thanks :-) (tested on the "p2p --secret" server, still does the
right thing. Have no "no secrets at all" setup, but from stare-at-code
I see no reason why this wouldn't work as well)
Dec 12 09:29:15 ubuntu2004 tun-udp-p2p[1272956]: No tls-client or tls-server
From: Lev Stipakov
In preparation of DCO stats support, simplify
call chains of bytecount routines. No functional changes.
Signed-off-by: Lev Stipakov
---
src/openvpn/forward.c | 4 +--
src/openvpn/manage.c | 64 -
src/openvpn/manage.h | 66
Hi,
On Mon, Dec 12, 2022 at 12:24:10PM +, Maximilian Fillinger wrote:
> Right now, openvpn just checks that we have at most 980 base64 characters
> and then tries to decode them into a 733 byte buffer. But 980 characters
> of base64 can encode up to 735 bytes. In that case, openvpn gives a
From: Lev Stipakov
At the moment BYTECOUNT in,out is pushed if there is traffic.
With DCO, userspace process doesn't see the traffic, so we need
to add a timer which periodically fetches stats from DCO and
pushes to management client. The timer interval is set by existing
"bytecount n"
Hi,
On Sat, Nov 26, 2022 at 05:26:48PM +0100, Max Fillinger wrote:
> The current code only checks if the base64-encoded metadata is at most
> 980 characters. However, that can encode up to 735 bytes of data, while
> only up to 733 bytes are allowed. When passing 734 or 735 bytes, openvpn
> prints
Am 26.11.22 um 17:26 schrieb Max Fillinger:
The manual page claims that the client metadata can be up to 735 bytes
(encoded as up to 980 characters base64), but the actual maximum length
is 733 bytes which is also encoded as 980 characters in base64.
Signed-off-by: Max Fillinger
Acked-By:
Am 12.12.22 um 13:03 schrieb Gert Doering:
Hi,
On Sat, Nov 26, 2022 at 05:26:48PM +0100, Max Fillinger wrote:
The current code only checks if the base64-encoded metadata is at most
980 characters. However, that can encode up to 735 bytes of data, while
only up to 733 bytes are allowed. When
Hi!
> -Original Message-
> From: Gert Doering [mailto:g...@greenie.muc.de]
> Sent: maandag 12 december 2022 13:03
> To: Maximilian Fillinger
> Cc: openvpn-devel@lists.sourceforge.net
> Subject: Re: [Openvpn-devel] [PATCH 2/2] Fix message for too long tls-
> crypt-v2 metadata
>
> Hi,
>
Hi,
On Mon, Dec 12, 2022 at 01:50:51PM +0100, Arne Schwabe wrote:
> > I am not too much into FreeBSD parts, but
> >
> >> +hash_iterator_init(m->hash, );
> >> +
> >> +while ((he = hash_iterator_next()))
> >> +{
> >> +struct multi_instance *mi = (struct multi_instance *)
Am 12.12.22 um 14:30 schrieb Gert Doering:
Hi,
On Mon, Dec 12, 2022 at 01:50:51PM +0100, Arne Schwabe wrote:
I am not too much into FreeBSD parts, but
+hash_iterator_init(m->hash, );
+
+while ((he = hash_iterator_next()))
+{
+struct multi_instance *mi = (struct
Am 12.12.22 um 10:58 schrieb Lev Stipakov:
From: Lev Stipakov
In preparation of DCO stats support, simplify
call chains of bytecount routines. No functional changes.
It would be nice to be a bit more verbose about what you are actually
simplifying in the commit message. E.g. inlining all the
Your patch has been applied to the master and release/2.6 branch.
commit 0bd2fa38fb70ad9022c05ffa67b2bd8751ca5a5b (master)
commit acc7ecc2721adf3628b1bf8eca4365663259844c (release/2.6)
Author: Max Fillinger
Date: Sat Nov 26 17:26:47 2022 +0100
Correct tls-crypt-v2 metadata length in man
Hi,
This is good - I need an API to get stats to make openvpn-gui show
those (via the management interface).
I am not too much into FreeBSD parts, but
> +hash_iterator_init(m->hash, );
> +
> +while ((he = hash_iterator_next()))
> +{
> +struct multi_instance *mi = (struct
Am 12.12.22 um 12:56 schrieb Lev Stipakov:
From: Lev Stipakov
At the moment BYTECOUNT in,out is pushed if there is traffic.
With DCO, userspace process doesn't see the traffic, so we need
to add a timer which periodically fetches stats from DCO and
pushes to management client. The timer
Am 26.11.22 um 17:26 schrieb Max Fillinger:
The current code only checks if the base64-encoded metadata is at most
980 characters. However, that can encode up to 735 bytes of data, while
only up to 733 bytes are allowed. When passing 734 or 735 bytes, openvpn
prints a misleading error message
Am 12.12.22 um 13:34 schrieb Lev Stipakov:
Hi,
This is good - I need an API to get stats to make openvpn-gui show
those (via the management interface).
I am not too much into FreeBSD parts, but
+hash_iterator_init(m->hash, );
+
+while ((he = hash_iterator_next()))
+{
+
Currently we have only one slot for renegotiation of the session/keys.
If a replayed/faked packet is inserted by a malicious attacker, the
legitimate peer cannot renegotiate anymore.
This commit introduces dynamic tls-crypt. When both peers support this
feature, both peers create a dynamic tls-crypt
Acked-by: Gert Doering
Stare-at-code looks good, and testing confirms that it does fix over-eager
clients reconnecting too fast:
^C2022-12-12 14:03:11 us=841186 event_wait : Interrupted system call
(fd=-1,code=4)
2022-12-12 14:03:11 us=841294 SENT CONTROL [cron2-freebsd-tc-amd64]: 'RESTART'
Am 26.11.22 um 17:26 schrieb Max Fillinger:
The current code only checks if the base64-encoded metadata is at most
980 characters. However, that can encode up to 735 bytes of data, while
only up to 733 bytes are allowed. When passing 734 or 735 bytes, openvpn
prints a misleading error message
> So if you have a limit like 733, you need to actually decode the base64
> to check if it is short enough. The alternative would be to only allow
> 732 bytes, so we could check the base64 length again or use 735 bytes
> and use a maximum tls-crypt wrapped key size of 1026 bytes (which sounds
> a
Hi,
On Mon, Dec 12, 2022 at 05:06:47PM +, Maximilian Fillinger wrote:
> Well, now that my solution is acked, we can just go with it.
It got an after-NAK, as there is an off-by-one... so feel free to
send a v2 either way :-)
gert
--
"If was one thing all people took for granted, was
Hi,
On 12/12/2022 09:32, Gert Doering wrote:
Acked-by: Gert Doering
Yeah, thanks :-) (tested on the "p2p --secret" server, still does the
right thing. Have no "no secrets at all" setup, but from stare-at-code
I see no reason why this wouldn't work as well)
I know I am late to the party -
Hi,
On 05/12/2022 17:41, Kristof Provost via Openvpn-devel wrote:
[cut]
+
+int
+dco_get_peer_stats(dco_context_t *dco, struct multi_context *m)
+{
+
+struct ifdrv drv;
+uint8_t buf[4096];
+nvlist_t *nvl;
+const nvlist_t *const *nvpeers;
+size_t npeers;
+int ret;
+
+
Hi,
On Mon, Dec 12, 2022 at 09:53:36PM +0100, Antonio Quartulli wrote:
> On 05/12/2022 17:41, Kristof Provost via Openvpn-devel wrote:
> [cut]
> > +int
> > +dco_get_peer_stats(dco_context_t *dco, struct multi_context *m)
> > +{
> > +
> > +struct ifdrv drv;
> > +uint8_t buf[4096];
> > +