FreeBSD Bugzilla – Attachment 216440 Details for Bug 247974
security/openvpn-devel: Update to 202028 (2020-W28 snapshot)
Full Git Log 2020-W16 to 2020-W28
16-28git.log (text/plain), 75.77 KB, created by Eric F Crist on 2020-07-14 14:57:35 UTC

Description: Full Git Log 2020-W16 to 2020-W28
Filename: 16-28git.log
MIME Type: text/plain
Creator: Eric F Crist
Created: 2020-07-14 14:57:35 UTC
Size: 75.77 KB
>commit 6168f53d6b7274026d4f392a22e64524a9b264d6 >Author: Arne Schwabe <arne@rfc2549.org> >Date: Sat Jul 11 11:36:42 2020 +0200 > > Allow changing fallback cipher from ccd files/client-connect > > This allows to control the fallback cipher that is used when the > client/server do have any common cipher on a per client basis. > > The patch is similar to Steffan's > > [PATCH v4] Allow changing cipher from a ccd file. > > Steffan's old patch also moves the cipher negotiation to > multi_established_connection() which I independently discovered and > implemented in commit 5e78bf66fa9 (Extract process_incoming_push_reply > from process_incoming_push_msg) > > Signed-off-by: Arne Schwabe <arne@rfc2549.org> > Acked-by: Gert Doering <gert@greenie.muc.de> > Message-Id: <20200711093655.23686-1-arne@rfc2549.org> > URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20281.html > Signed-off-by: Gert Doering <gert@greenie.muc.de> > >commit e539c95dc8d240327be17e8647e52556dd7fd92d >Author: Arne Schwabe <arne@rfc2549.org> >Date: Thu Jul 9 12:16:01 2020 +0200 > > Cleanup: Remove special case code for old poor man's NCP. > > Ever since the NCPv2 the ncp_get_best_cipher uses the global > options->ncp_enabled option and ignore the tls_session->ncp_enabled > option. > > The server side's poor man's NCP is implemented as seeing the list > of supported ciphers from the peer as just one cipher so this special > handling for poor man's NCP of the older NCP here is not needed anymore. > > Theoretically we can now get rid of tls_session->ncp_enabled but doing > so requires more refactoring since options is not available in the > methods that still use it. And when we remove ncp-disable the variable > will be removed anyway. > > This commit moves the data channel key generation for the corner case of a > client not supporting NCP but having the same cipher as the server to > the same function that also generates data channel keys for NCP and > poort man's NCP. 
> > This has an unintended side effect of changing the calculated frame > size for this special case. The old path did call > tls_session_update_crypto_params. > To avoid this change in behaviour, this patch adds a hacky > workaround for this. > > A proper solution for this needs still be found but this allows the patch > set to be merged. > > Document the remaining usage of tls_poor_mans_ncp better. > > Signed-off-by: Arne Schwabe <arne@rfc2549.org> > Acked-by: Gert Doering <gert@greenie.muc.de> > Message-Id: <20200709101603.11941-6-arne@rfc2549.org> > URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20251.html > Signed-off-by: Gert Doering <gert@greenie.muc.de> > >commit 07560d9ed11a4bfdd7f2446f2c6ff854ee091154 >Author: Arne Schwabe <arne@rfc2549.org> >Date: Thu Jul 9 12:16:00 2020 +0200 > > Generate data channel keys after connect options have been parsed > > The simplify the control flow, it makes more sense to generate the > data keys when all the prerequisites for generating the data channel > keys (ncp cipher selection etc) are met instead of delaying it to the > next incoming PUSH_REQUEST message. > > This also eliminates the need for the hack introduced by commit > 3b06b57d9 to generate the data channel keys on the async file close > event. > > Signed-off-by: Arne Schwabe <arne@rfc2549.org> > Acked-by: Gert Doering <gert@greenie.muc.de> > Message-Id: <20200709101603.11941-5-arne@rfc2549.org> > URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20253.html > Signed-off-by: Gert Doering <gert@greenie.muc.de> > >commit 4f378ddb9932973965bb4931e85c991ddd86f7f0 >Author: Arne Schwabe <arne@rfc2549.org> >Date: Thu Jul 9 12:15:59 2020 +0200 > > Move protocol option negotiation from push_prepare to new function > > This clean ups the code and removes the surprising side effects > of preparing a push reply to also select protocol options. > > We also remember if we have seen a push request without async > push. 
This improves reaction time if deferred auth is involved > like managment interface deferred auth. The other benefit is > removing a number of ifdefs. > > NOTE: this patch breaks asynchronous authentication (via plugins > and possibly also via management interface). The next commit will > fix this. This is understood and hereby documented, but the two > individual commits are much cleaner without trying to fix it here > or squash both together. > > Signed-off-by: Arne Schwabe <arne@rfc2549.org> > Acked-by: Gert Doering <gert@greenie.muc.de> > Message-Id: <20200709101603.11941-4-arne@rfc2549.org> > URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20255.html > Signed-off-by: Gert Doering <gert@greenie.muc.de> > >commit ca514800ca126b69dbde846db819d8bf4c490e68 >Author: Arne Schwabe <arne@rfc2549.org> >Date: Thu Jul 9 12:16:03 2020 +0200 > > Code cleanup: remove superflous variable > > Signed-off-by: Arne Schwabe <arne@rfc2549.org> > Acked-by: Antonio Quartulli <antonio@openvpn.net> > Message-Id: <20200709101603.11941-8-arne@rfc2549.org> > URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20252.html > Signed-off-by: Gert Doering <gert@greenie.muc.de> > >commit a6571181550f518eda3a63fb89e3a8191199dd24 >Author: Arne Schwabe <arne@rfc2549.org> >Date: Thu Jul 9 12:16:02 2020 +0200 > > Removed unused definition > > Signed-off-by: Arne Schwabe <arne@rfc2549.org> > Acked-by: Gert Doering <gert@greenie.muc.de> > Message-Id: <20200709101603.11941-7-arne@rfc2549.org> > URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20256.html > Signed-off-by: Gert Doering <gert@greenie.muc.de> > >commit 5e78bf66fa97818e0587ab1504cf7ecfd73df944 >Author: Arne Schwabe <arne@rfc2549.org> >Date: Thu Jul 9 12:15:58 2020 +0200 > > Extract process_incoming_push_reply from process_incoming_push_msg > > This is a small refactoring to make both function more readable. 
It also > eliminates the ret variable in process_incoming_push_msg that now serves > no purpose anymore. > > Signed-off-by: Arne Schwabe <arne@rfc2549.org> > Acked-by: Antonio Quartulli <antonio@openvpn.net> > Message-Id: <20200709101603.11941-3-arne@rfc2549.org> > URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20254.html > Signed-off-by: Gert Doering <gert@greenie.muc.de> > >commit 5608041c7b343fbcd2d3317a8a49f43cb168a390 >Author: Arne Schwabe <arne@rfc2549.org> >Date: Thu Jul 9 12:15:57 2020 +0200 > > Make key_state->authenticated more state machine like > > This order the states from unauthenticated to authenticated and also > changes the comparison for KS_AUTH_FALSE from != to > > > It also add comments and documents part using the state machine > better. > > Remove a now obsolete comment and two obsolete ifdefs. While > keeping the ifdef in ssl_verify would save a few bytes of code, > this is too minor to justify keeping the ifdef > > Signed-off-by: Arne Schwabe <arne@rfc2549.org> > Acked-by: Antonio Quartulli <antonio@openvpn.net> > Message-Id: <20200709101603.11941-2-arne@rfc2549.org> > URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20258.html > Signed-off-by: Gert Doering <gert@greenie.muc.de> > >commit 2b09c1405fdfffe15b2b444b15cce7820263a048 >Author: Arne Schwabe <arne@rfc2549.org> >Date: Thu Jul 9 12:15:56 2020 +0200 > > Deprecate ncp-disable and add improved ncp to Changes.rst > > Signed-off-by: Arne Schwabe <arne@rfc2549.org> > Acked-by: Gert Doering <gert@greenie.muc.de> > Message-Id: <20200709101603.11941-1-arne@rfc2549.org> > URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20257.html > Signed-off-by: Gert Doering <gert@greenie.muc.de> > >commit 96ae327add16f06ac8bc28cfbf9ba0abfcc7129c >Author: Steffan Karger <steffan.karger@foxcrypto.com> >Date: Tue Jul 7 16:26:21 2020 +0200 > > Make openvpn --version exit with exit code 0 > > For some reason, openvpn --version has since 
the beginning of time > returned exit code 1. A quick sample among common unix utilities confirms > that the rest of the world agrees with me that 0 makes more sense. Let's > make openvpn --version exit with exit code 0 too. > > Signed-off-by: Steffan Karger <steffan.karger@foxcrypto.com> > Acked-by: Antonio Quartulli <antonio@openvpn.net> > Message-Id: <E1jsoYQ-0007AZ-BF@sfs-ml-1.v29.lw.sourceforge.com> > URL: https://www.mail-archive.com/search?l=mid&q=E1jsoYQ-0007AZ-BF@sfs-ml-1.v29.lw.sourceforge.com > Signed-off-by: Gert Doering <gert@greenie.muc.de> > >commit 05ffefcca997708e1f146bed6f5dba9b9f5b1e90 >Author: Arne Schwabe <arne@rfc2549.org> >Date: Tue Jul 7 14:16:13 2020 +0200 > > Simplify multi_connection_established. > > Instead of having the whole function as > > if (x) { func } > > do > > if (!x) return; > func > > Due to the whitespace changes in the function body this patch looks > very strange. Ignoring whitespace makes the diff look sane. > > Signed-off-by: Arne Schwabe <arne@rfc2549.org> > Acked-by: Antonio Quartulli <antonio@openvpn.net> > Message-Id: <20200707121615.15736-3-arne@rfc2549.org> > URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20231.html > Signed-off-by: Gert Doering <gert@greenie.muc.de> > >commit 008ec688d06101c0307e6d17a0239b134355dca4 >Author: Gert Doering <gert@greenie.muc.de> >Date: Tue Jul 7 10:42:20 2020 +0200 > > Remove --writepid file on program exit. > > For whatever reason, we never removed the pid file on program exit. > > Not only this is unclean, but it also makes testing for "I want this > test case to FAIL" in t_client.sh more annoying to code for "is the > OpenVPN process still around?"... > > Do not unlink the file if chroot() is active (might be outside the > chroot arena - testing for realpath etc. is left for someone else). 
> > v2: make this work on M_FATAL exit, by unlinking from openvpn_exit() in > error.h - this requires moving write_pid() to init.c so module hierarchy > is maintained and introducing a static variable to save the PID file > name (otherwise it is no longer available when the top level GC is gone). > > Signed-off-by: Gert Doering <gert@greenie.muc.de> > Acked-by: Antonio Quartulli <antonio@openvpn.net> > Message-Id: <20200707084220.45753-1-gert@greenie.muc.de> > URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20224.html > Signed-off-by: Gert Doering <gert@greenie.muc.de> > >commit a5e6f2d217309969a835f21b73b4dc0fbc70c4aa >Author: Arne Schwabe <arne@rfc2549.org> >Date: Mon Jul 6 18:35:16 2020 +0200 > > merge key_state->authenticated and key_state->auth_deferred > > Both are tightly coupled often both are checked at the same time. > Merging them into one state makes the code simpler and also brings > us closer in the direction of a state machine > > Signed-off-by: Arne Schwabe <arne@rfc2549.org> > Acked-by: Gert Doering <gert@greenie.muc.de> > Message-Id: <20200706163516.11390-2-arne@rfc2549.org> > URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20216.html > Signed-off-by: Gert Doering <gert@greenie.muc.de> > >commit efe01d52e36c597484b6fa24c4820b6345d08ae6 >Author: Christopher Schenk <cschenk@mail.uni-paderborn.de> >Date: Tue Jun 30 11:54:44 2020 +0200 > > Unified success messages for setting mtu > > that makes sense. I updated the patch. 
> > Christopher > Acked-by: Gert Doering <gert@greenie.muc.de> > Message-Id: <20200630095443.7188-1-cschenk@mail.uni-paderborn.de> > URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20171.html > > Signed-off-by: Gert Doering <gert@greenie.muc.de> > >commit 5b313a3565558cd1da4723c3950df227f941cf62 >Author: Lev Stipakov <lev@openvpn.net> >Date: Fri Jul 3 22:20:29 2020 +0300 > > tap.c: fix adapter renaming > > Turns out that renaming adapter by setting registry key doesn't > really work - while new adapter name is shown in control panel > etc, when one tries to change adapter properties (like set DNS) > with netsh call - it fails: > > Fri Mar 13 09:05:36 2020 us=569311 Setting IPv4 dns servers > on 'OpenVPN Wintun' (if_index = 14) using service > Fri Mar 13 09:05:37 2020 us=118028 TUN: adding IPv4 dns failed > using service: Funktio ei kelpaa. [status=1 if_name=OpenVPN Wintun] > > This renames adapter with netsh command, like: > > netsh interface set interface > name="Local Area Connection 2" newname="OpenVPN Wintun" > > Above functionality is used by tapctl.exe and openvpnsica.dll > (during installation). > > Signed-off-by: Lev Stipakov <lev@openvpn.net> > Acked-by: Simon Rozman <simon@rozman.si> > Message-Id: <20200703192029.306-1-lstipakov@gmail.com> > URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20207.html > Signed-off-by: Gert Doering <gert@greenie.muc.de> > >commit ec33bae311e7f3549b05de4a4c92fa7bc7144d29 >Author: Gert Doering <gert@greenie.muc.de> >Date: Fri Jun 26 10:27:43 2020 +0200 > > t_client.sh: correctly report all failed instances in summary > > t_client.sh reports a summary at the end: > > Test sets succeeded: none. > Test sets failed: 1 2 3 4 5. > > for tests that are skipped due to the pre-test ping check ("vpn target > IP must not ping before VPN ist started") the script forgot to add > the instance number to the summary line. Fixed. 
> > Signed-off-by: Gert Doering <gert@greenie.muc.de> > Acked-by: Antonio Quartulli <antonio@openvpn.net> > Message-Id: <20200626082743.15397-1-gert@greenie.muc.de> > URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20130.html > Signed-off-by: Gert Doering <gert@greenie.muc.de> > >commit c252dcc073155567c1982611ec6f065342909287 >Author: Arne Schwabe <arne@rfc2549.org> >Date: Fri Jul 3 11:55:06 2020 +0200 > > Remove did_open_context, defined and connection_established_flag > > multi_instance->defined is not used anywhere. > > did_open_context is always set to true when a context is created in > multi_create_instance, so checking it for true is always true. > > context_auth is also always set to CAS_PENDING in multi_create_instance. > > connection_established_flag is only set to true if context_auth > is changed from CAS_PENDING to one another state, so we can also check > for cas_context != CAS_PENDING. > > Signed-off-by: Arne Schwabe <arne@rfc2549.org> > Acked-by: Antonio Quartulli <antonio@openvpn.net> > Message-Id: <20200703095506.28559-1-arne@rfc2549.org> > URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20200.html > Signed-off-by: Gert Doering <gert@greenie.muc.de> > >commit 182a2fdd91c5d7a0f6e051182e833f2c7f460cb3 >Author: Arne Schwabe <arne@rfc2549.org> >Date: Thu Jul 2 14:52:24 2020 +0200 > > Remove push_reply_deferred variable > > The variable has no useful function (anymore?). 
> > There is only one place where this variable was checked > > else if (!c->c2.push_reply_deferred && c->c2.context_auth == > CAS_SUCCEEDED) > > This condition also depends on context_auth == CAS_SUCCEEDED but the only > code path that sets context_auth = CAS_SUCCEEDED also sets > push_reply_deferred = false; > > Signed-off-by: Arne Schwabe <arne@rfc2549.org> > Acked-by: Lev Stipakov <lstipakov@gmail.com> > Message-Id: <20200702125224.13516-1-arne@rfc2549.org> > URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20186.html > Signed-off-by: Gert Doering <gert@greenie.muc.de> > >commit 8a168a9ac82c197725091f67fb5812d4b64050d8 >Author: Gert Doering <gert@greenie.muc.de> >Date: Mon Jun 29 19:51:09 2020 +0200 > > Fix 'engine' unit test on FreeBSD (specifically 'not GNU make') > > The rules to generate $(builddir)/openssl.cnf from $(srcdir)/openssl.cnf.in > only worked for GNU Make. BSD make needs the rules more explicit, and > the target must not have a directory specification (fixes commit > 542c69c37). > > Signed-off-by: Gert Doering <gert@greenie.muc.de> > Acked-by: James Bottomley <James.Bottomley@HansenPartnership.com> > Message-Id: <20200629175109.94276-1-gert@greenie.muc.de> > URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20159.html > Signed-off-by: Gert Doering <gert@greenie.muc.de> > >commit 712f2629c8406c017931a082cd996b439b5dfdc9 >Author: Antonio Quartulli <a@unstable.cc> >Date: Wed Jul 1 16:05:17 2020 +0200 > > multi.c: use mi->cc_config instead of config variable > > Commit ("Remove parameter config from multi_client_connect_mda") has > removed the config variable in favour of mi->cc_config, however one > occurence was not changed. > > Fix it now by properly using mi->cc_config. 
> > Signed-off-by: Antonio Quartulli <a@unstable.cc> > Acked-by: Gert Doering <gert@greenie.muc.de> > Message-Id: <20200701140517.11176-1-a@unstable.cc> > URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20180.html > Signed-off-by: Gert Doering <gert@greenie.muc.de> > >commit 9f0a7dcc7fa21228dbd40d976aaee5a90ac48299 >Author: Arne Schwabe <arne@rfc2549.org> >Date: Wed Jul 1 14:22:39 2020 +0200 > > Remove parameter config from multi_client_connect_mda > > config is always used as mi->cc_config and we pass mi, > so directly use mi->cc_config > > Signed-off-by: Arne Schwabe <arne@rfc2549.org> > Acked-by: Antonio Quartulli <antonio@openvpn.net> > Message-Id: <20200701122239.6924-1-arne@rfc2549.org> > URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20177.html > Signed-off-by: Gert Doering <gert@greenie.muc.de> > >commit 93439307e597007e0d60b904c0f3d9d85de26b49 >Author: Christopher Schenk <cschenk@mail.uni-paderborn.de> >Date: Mon Jun 29 21:09:30 2020 +0200 > > Log a note if someone wants to set a MTU below 1280 on IPv6 > > Acked-by: Gert Doering <gert@greenie.muc.de> > Message-Id: <20200629190930.1360-2-cschenk@mail.uni-paderborn.de> > URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20161.html > Signed-off-by: Gert Doering <gert@greenie.muc.de> > >commit 3ef858b3d63c61be2f473a8dc5f1f79fa09a85d8 >Author: Gert Doering <gert@greenie.muc.de> >Date: Mon Jun 29 20:04:05 2020 +0200 > > Linux: do not change --txqueuelen OS default if not configured. > > Remove default setting of "set txqueuelen to 100". This default dates > back to the "pre git" times (before 2005) and might have been beneficial > back then - nowadays, the Linux default is 500, and thus reducing(!) > txqueuelen by-default can cause TX packet drops on the tun interface, > and that's bad for throughput. 
> > This is a similar change to commit f0b64e5dc (remove setting of the > socket send/receive buffers by default) - similar vintage of the > existing code, similar motivation. > > Note: buffer length can be checked with "ip link show" (qlen NNN) > > See also: > https://ivanvari.com/solving-openvpn-poor-throughput-and-packet-loss/ > > Signed-off-by: Gert Doering <gert@greenie.muc.de> > Acked-by: Arne Schwabe <arne@rfc2549.org> > Message-Id: <20200629180405.17671-1-gert@greenie.muc.de> > URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20160.html > Signed-off-by: Gert Doering <gert@greenie.muc.de> > >commit 19d3c602e7a3881cf7c2244b7c40b9958c0b7ebc >Author: Maximilian Wilhelm <max@sdn.clinic> >Date: Mon Jun 29 12:49:07 2020 +0200 > > Add --bind-dev option. > > This options allows the user to specify a network interface or VRF > device the OpenVPN process should use when making a connection or > binding to an address. > > This is done by setting the SO_BINDTODEVICE option to the corresponding > socket (on Linux). SO_BINDTODEVICE forces all packets sent on that socket > to go out via the specified interface, and only packets coming in on > that interface are received by OpenVPN. > > When used in a VRF context on Linux [0], you can also specify the name > of the VRF ("--bind-dev external_vrf"), which will put the OpenVPN > "network side" into this VRF. This allows making connections using a > non-default VRF and having the tun/tap interface in the default VRF. > > Thanks to David Ahern (Cumulus Networks) for insights on this. 
> > [0] https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/Documentation/networking/vrf.txt > > Signed-off-by: Maximilian Wilhelm <max@sdn.clinic> > Acked-by: Gert Doering <gert@greenie.muc.de> > Message-Id: <1593427748-29801-2-git-send-email-max@rfc2324.org> > URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20156.html > Signed-off-by: Gert Doering <gert@greenie.muc.de> > >commit d299367c42da4f8c1939535a330bed17b293cab7 >Author: Gert Doering <gert@greenie.muc.de> >Date: Fri Jun 26 15:03:20 2020 +0200 > > Add c1ff8f247f91c88a2df5502eeedf42857f9a6831 (engine, pool, SSO) to .git-blame-ignore-revs > > Signed-off-by: Gert Doering <gert@greenie.muc.de> > >commit c1ff8f247f91c88a2df5502eeedf42857f9a6831 >Author: Arne Schwabe <arne@rfc2549.org> >Date: Fri Jun 26 14:53:32 2020 +0200 > > Reformat files using uncrustify > > Some of the commits, especially engine have not strictly used uncrustify > clean code. Rerun uncrustify to make them compliant again. > Acked-by: Gert Doering <gert@greenie.muc.de> > Message-Id: <20200626125332.15385-1-arne@rfc2549.org> > URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20142.html > > Signed-off-by: Gert Doering <gert@greenie.muc.de> > >commit c67e93b25208be2e893473bea4aabccbde914f47 >Author: Arne Schwabe <arne@rfc2549.org> >Date: Fri Jun 26 13:05:54 2020 +0200 > > Make compression asymmetric by default and add warnings > > This commit introduces the allow-compression option that allow > changing the new default to the previous default or to a stricter > version. > > Warning for comp-lzo/compress are not generated in the post option check > (options_postprocess_mutate) since these warnings should also be shown > on pushed options. Moving the showing the warning showing for > allow-compression to options_postprocess_mutate will complicate the > option handling without giving any other benefit. 
> > Patch V2: fix spelling and grammer (thanks tincantech), also fix > uncompressiable to incompressible in three other instances in the > source code > > Patch V3: fix overlong lines. Do not allow compression to be pushed > > Patch V4: rename COMP_F_NO_ASYM to COMP_F_ALLOW_COMPRESS, fix style. > The logic of warnings etc in options.c has not been changed > since adding all the code to mutate_options would a lot more > and more complicated code and after discussion we decided that > it is okay as is. > > Patch V5: Reword warnings, rebase on master > > Signed-off-by: Arne Schwabe <arne@rfc2549.org> > Acked-by: Lev Stipakov <lstipakov@gmail.com> > Message-Id: <20200626110554.3690-1-arne@rfc2549.org> > URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20138.html > Signed-off-by: Gert Doering <gert@greenie.muc.de> > >commit 2569902c4455554657464077950fca52516ca81e >Author: Lev Stipakov <lev@openvpn.net> >Date: Fri Jun 26 13:10:50 2020 +0300 > > msvc: fix various level2 warnings > > Also set warnings level to level2 and > enable "treat warnings as errors" flag. > > Signed-off-by: Lev Stipakov <lev@openvpn.net> > Acked-by: Gert Doering <gert@greenie.muc.de> > Message-Id: <20200626101050.442-1-lstipakov@gmail.com> > URL: https://www.mail-archive.com/search?l=mid&q=20200626101050.442-1-lstipakov@gmail.com > Signed-off-by: Gert Doering <gert@greenie.muc.de> > >commit 013498ddfe0a2b7f8986e9edac2b9f062bdd5fd7 >Author: James Bottomley <James.Bottomley@HansenPartnership.com> >Date: Tue Jun 23 16:02:34 2020 -0700 > > engine-key tests: make check_engine_keys.sh work with --enable-small > > --enable-small eliminates one of the openssl errors the test is > looking for, so alter the grep also to account for the message in this > version. Additionally output log.txt on failure so any test platform > gives an easy clue about what went wrong. 
> > Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com> > Acked-by: Gert Doering <gert@greenie.muc.de> > Message-Id: <1592953354.2103.3.camel@HansenPartnership.com> > URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20102.html > Signed-off-by: Gert Doering <gert@greenie.muc.de> > >commit 21e3e9fc34128d37bd612def2acca29a5a18de77 >Author: James Bottomley <James.Bottomley@HansenPartnership.com> >Date: Tue Jun 23 06:05:31 2020 -0700 > > Fix make distcheck for new engine key unit test > > Add config precursor and script to extra dist and make sure > built and test leftover files are cleaned up afterwards. > > Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com> > Acked-by: Gert Doering <gert@greenie.muc.de> > Message-Id: <1592917531.4768.4.camel@HansenPartnership.com> > URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20088.html > Signed-off-by: Gert Doering <gert@greenie.muc.de> > >commit 542c69c37b347d1895dde076508d0f6554544860 >Author: James Bottomley <James.Bottomley@HansenPartnership.com> >Date: Mon Jun 22 16:23:19 2020 -0700 > > Add unit tests for engine keys > > Testing engines is problematic, so one of the prerequisites built for > the tests is a simple openssl engine that reads a non-standard PEM > guarded key. The test is simply can we run a client/server > configuration with the usual sample key replaced by an engine key. > The trivial engine prints out some operations and we check for these > in the log to make sure the engine was used to load the key and that > it correctly got the password. 
> > Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com> > > Acked-by: Gert Doering <gert@greenie.muc.de> > Message-Id: <20200622232319.8143-2-James.Bottomley@HansenPartnership.com> > URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20075.html > Signed-off-by: Gert Doering <gert@greenie.muc.de> > >commit 933b4ab808891805232f599507fded916b284a43 >Author: Gert Doering <gert@greenie.muc.de> >Date: Sat Jun 20 16:39:40 2020 +0200 > > Convert plugin/auth-pam.c from stderr logging to plugin_log(). > > More recent OpenVPN APIs pass a function pointer for a logging function > (plugin_log()) to plugins. Using this will make the plugin logs appear > wherever openvpn logs to - file, syslog, stderr. > > This patch converts plugin/auth-pam.c "fairly mechanically" to use this > new API. Real errors are logged with PLOG_ERR or PLOG_ERR|PLOG_ERRNO, > while debug info is logged with PLOG_NOTE (subject to the already-existing > debug level handling inside plugin/auth-pam, via "setenv verb <n>"). > > Signed-off-by: Gert Doering <gert@greenie.muc.de> > Acked-by: Selva Nair <selva.nair@gmail.com> > Message-Id: <20200620143940.11704-1-gert@greenie.muc.de> > URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20037.html > Signed-off-by: Gert Doering <gert@greenie.muc.de> > >commit 3bc12aefd571ab24543cff4cba2f0e25d3268941 >Author: Arne Schwabe <arne@rfc2549.org> >Date: Fri Jun 5 13:25:19 2020 +0200 > > Add unit test for cipher name translations > > The unit test duplicates some part of the test for > the ncp-cipher list but that is not a bad thing. 
> > Signed-off-by: Arne Schwabe <arne@rfc2549.org> > Acked-by: Gert Doering <gert@greenie.muc.de> > Message-Id: <20200605112519.22714-3-arne@rfc2549.org> > URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19968.html > Signed-off-by: Gert Doering <gert@greenie.muc.de> > >commit 02a0332084f0dc08e39067cc6fd68abb77a03c47 >Author: Gert Doering <gert@greenie.muc.de> >Date: Sat Jun 20 20:05:32 2020 +0200 > > Depreciation warning for --topology net30 on servers with IPv4 pools. > > IPv4 pool handling needs lots of extra code to deal with "topology net30", > so we want to remove that combination in a future release. > > Warn people about this in 2.5 so nobody is hit by this as a surprise. > > Client- and ifconfig-support for net30 will stay, as "just net30" is not > what brings maintenance effort here (totally removing all options except > "topology subnet" would be beneficial but is a bit too radical today) > > Trac: #1288 > > Signed-off-by: Gert Doering <gert@greenie.muc.de> > Acked-by: Arne Schwabe <arne@rfc2549.org> > Message-Id: <20200620180532.15738-1-gert@greenie.muc.de> > URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20041.html > Signed-off-by: Gert Doering <gert@greenie.muc.de> > >commit ff063b6f19e035da56fbf49c891e6376543b391d >Author: Gert Doering <gert@greenie.muc.de> >Date: Sat Jun 20 19:23:03 2020 +0200 > > Change timestamps in file-based logging to ISO 8601 time format. > > Replace existing ctime() output which is hard to sort and compare > with ISO 8601 / RFC 3399 "YYYY-MM-DD hh:mm:dd" format for file-based > logging (stderr or --log file). > > RFC 3399 5.6 permits use of a space for full-date-full-time separation, > which is used to enhance readability. > > Sylog or --machine-readable-output are not affected. 
> > Trac: #719 > > Signed-off-by: Gert Doering <gert@greenie.muc.de> > Acked-by: Arne Schwabe <arne@rfc2549.org> > Message-Id: <20200620172303.15010-1-gert@greenie.muc.de> > URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20040.html > Signed-off-by: Gert Doering <gert@greenie.muc.de> > >commit 06498f21cdf051b0643606efda96b27b3c358e0c >Author: Arne Schwabe <arne@rfc2549.org> >Date: Wed May 20 00:00:04 2020 +0200 > > Implement forwarding client CR_RESPONSE messages to management > > When signalling the client that it should do Challenge response > without reconnecting (IV_SSO=crtext/INFOPRE=CR_TEXT), the server > needs forward the response via the management console. > > Signed-off-by: Arne Schwabe <arne@rfc2549.org> > Acked-by: David Sommerseth <davids@openvpn.net> > Message-Id: <20200519220004.25136-6-arne@rfc2549.org> > URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19910.html > Signed-off-by: Gert Doering <gert@greenie.muc.de> > >commit 1114b985dffaf7b2dcb04dfced5397562bb6606a >Author: Arne Schwabe <arne@rfc2549.org> >Date: Wed May 20 00:00:03 2020 +0200 > > Implement sending AUTH_PENDING challenges to clients > > This implements sending AUTH_PENDING and INFO_PRE messages to clients > that indicate that the clients should be continue authentication with > a second factor. This can currently be out of band (openurl) or a normal > challenge/response two like TOTP (CR_TEXT). > > Unfortunately this patch spend so much time in review in openvpn2 that > the corosponding IV_SSO commit in openvpn3 (34a3f264) already made its > way to released products so changing this right now is difficult. 

    https://github.com/OpenVPN/openvpn3/commit/34a3f264f56bd050d9b26d2e7163f88af9a559e2

    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    Acked-by: David Sommerseth <davids@openvpn.net>
    Message-Id: <20200519220004.25136-5-arne@rfc2549.org>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19909.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit adb9bb918de6ceda1ab027aa02942e8c4efc3183
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Wed May 20 00:00:02 2020 +0200

    Implement sending response to challenge via CR_RESPONSE

    When a client announces its support for text based
    challenge/response via IV_SSO=crtext, the client needs to also
    be able to reply to that response.

    This adds the "cr-response" management function to be able to
    do this. The answer should be base64 encoded.

    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    Acked-by: David Sommerseth <davids@openvpn.net>
    Message-Id: <20200519220004.25136-4-arne@rfc2549.org>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19907.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 1f76bbb5e5111d0a529ec192443e66ed436c83db
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Wed May 20 00:00:01 2020 +0200

    Implement support for signalling IV_SSO to server

    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    Acked-by: David Sommerseth <davids@openvpn.net>
    Message-Id: <20200519220004.25136-3-arne@rfc2549.org>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19908.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 7bdba5319b4d8b8af9c38c91b51b03a7630db99c
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Wed May 20 00:00:00 2020 +0200

    Implement parsing and sending INFO and INFO_PRE control messages

    OpenVPN 3 implements these messages to send information during the
    authentication to the UI; implement these messages also in OpenVPN 2.x.

    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    Acked-by: David Sommerseth <davids@openvpn.net>
    Message-Id: <20200519220004.25136-2-arne@rfc2549.org>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19912.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 58bb8f3e146318a4e5c007fbe9c2b0e8cecf7a30
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Fri Jun 5 13:25:18 2020 +0200

    Make cipher_kt_get also accept OpenVPN config cipher name

    Basically, calls to cipher_kt_get were calling
    translate_cipher_name_from_openvpn. The only two exceptions were the
    (broken) unit test and tls-crypt that uses cipher_kt_get("AES-256-CTR")

    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    Acked-by: Steffan Karger <steffan@karger.me>
    Message-Id: <20200605112519.22714-2-arne@rfc2549.org>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19969.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit ff531767eafed263d7bd8243138fbb276215000d
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Fri Jun 5 13:25:17 2020 +0200

    Make cipher_kt_name always return normalised cipher name

    The mbed TLS variant of the call already returned the normalised
    name while the OpenSSL variant did not. On top of that, all calls but
    one to cipher_kt_name were translate_cipher_name_to_openvpn. This commit
    moves the call of translate_cipher_name_to_openvpn into cipher_kt_name
    or avoids calling it twice in the case of mbed TLS.

    The one case that did not translate_cipher_name_to_openvpn is an
    internal ssl_openssl.c method that should call EVP_CIPHER_name anyway.

    Also simplify the cipher_name_cmp function that is only used by
    openvpn --show-ciphers with the modified cipher_kt_name
    function.

    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    Acked-by: Steffan Karger <steffan@karger.me>
    Message-Id: <20200605112519.22714-1-arne@rfc2549.org>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19970.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 0213f80ed72ad8b6bb43db3bbd72a66ec2e12fcd
Author: Christopher Schenk <cschenk@mail.uni-paderborn.de>
Date:   Tue Apr 21 17:46:12 2020 +0200

    Set the correct mtu on windows based systems

    Signed-off-by: Christopher Schenk <cschenk@mail.uni-paderborn.de>
    Acked-by: Selva Nair <selva.nair@gmail.com>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20200421154612.14140-1-cschenk@mail.uni-paderborn.de>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19803.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit e0b49cb95286a62a4e615470c6d3fe841b433314
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Fri Jun 5 01:53:38 2020 +0200

    Add .git-blame-ignore-revs with reformat commits

    This allows git blame to ignore reformatting changes and instead
    to show the previous commit that changed the line.

    To avoid manually building the list of commits this commit
    adds a file with a list of reformatting commits. I might have
    missed a few but this should be a good start. To use the file
    use:

    git blame --ignore-revs-file=.git-blame-ignore-revs file

    or to automatically always use the file

    git config blame.ignoreRevsFile .git-blame-ignore-revs

    Naming the file .git-blame-ignore-revs is a convention.

    Some more details in this random blog post:

    https://www.moxio.com/blog/43/ignoring-bulk-change-commits-with-git-blame

    Patch V2: Remove merge commit of the great formatting, add small
    reminder how to use the feature at the top of the file

    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    Acked-by: David Sommerseth <davids@openvpn.net>
    Message-Id: <20200604235338.11728-1-arne@rfc2549.org>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19967.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 9002885bd8a10d9375dc4f0baf2df05395c86f1a
Author: Antonio Quartulli <a@unstable.cc>
Date:   Wed Jun 10 10:45:49 2020 +0200

    multi: skip IPv4 logic in multi_select_virtual_addr() if no pool is configured

    When no IPv4 pool is configured (but we have an IPv6 pool
    only), the multi_select_virtual_addr() function will spit
    a warning when allocating an address for a new client.
    This happens because the code will check for some IPv4
    bits and will see that they are missing.

    However, these bits are not really important, because in
    this use case we don't want to configure any IPv4 address
    at all.

    For this reason it is safe to wrap this entire logic in
    an if-block that just does not execute when no IPv4 pool
    is configured.

    This avoids the warning and will also avoid any other
    hidden side effect.

    Reported-by: Gert Doering <gert@greenie.muc.de>
    Signed-off-by: Antonio Quartulli <a@unstable.cc>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20200610084549.4028-1-a@unstable.cc>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20012.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 28e395856c897b6f2dea441dbe5eb4a151d75b85
Author: Antonio Quartulli <a@unstable.cc>
Date:   Wed Jun 10 11:01:00 2020 +0200

    pool: remove useless 'options.h' include

    Commit 6a8cd033 ("pool: add support for ifconfig-pool-persist with IPv6
    only") has accidentally introduced an include for 'options.h', which
    turned out not to be useful at all. Remove it.

    Reported-by: Gert Doering <gert@greenie.muc.de>
    Signed-off-by: Antonio Quartulli <a@unstable.cc>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20200610090100.29738-1-a@unstable.cc>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20011.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit e7c0cd996f35965172c5def9531b6ab9ca10c389
Author: Gert Doering <gert@greenie.muc.de>
Date:   Tue Jun 9 10:02:29 2020 +0200

    Simplify pool size handling, fix possible array overrun on pool reading.

    Remove separate ipv4.size and ipv6.size in the pool structure, return
    to a single pool_size, which is also the allocated array size.

    All calls to ifconfig_pool_size() change to "pool->size" now.

    pool->size is set to the size of the active pool, or if both IPv4 and IPv6
    are in use, to the smaller size (same underlying logic as in 452113155e7,
    but really put it into the size field).

    This fixes a SIGSEGV crash if an ifconfig-pool-persist file is loaded
    that has IPv6 and no IPv4 (= ipv6 handle is used) and that has more
    entries than the IPv4 pool size (comparison was done with ipv6.size,
    not with actual pool size), introduced by commit 6a8cd033b18.

    While at it, fix pool size calculation for IPv6 pools >= /112
    (too many -1), introduced by commit 452113155e7.

    Signed-off-by: Gert Doering <gert@greenie.muc.de>
    Acked-by: Antonio Quartulli <a@unstable.cc>
    Message-Id: <20200609080229.2564-1-gert@greenie.muc.de>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20006.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 1379e5271d0057fcaed82d6985e614ca2ed8c265
Author: Antonio Quartulli <a@unstable.cc>
Date:   Mon Jun 8 22:16:13 2020 +0200

    ipv6-pool: get rid of size constraint

    Signed-off-by: Antonio Quartulli <a@unstable.cc>

    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20200608201613.23750-1-a@unstable.cc>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20005.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 070319c13524125d8325a0df15fe795cc2a4bcf2
Author: Antonio Quartulli <antonio@openvpn.net>
Date:   Mon Jun 8 17:32:39 2020 +0200

    options: enable IPv4 redirection logic only if really required

    If no IPv4 redirection flag is set, do not enable the IPv4
    redirection logic at all so that it won't bother adding any
    useless IPv4 route.

    Trac: #208
    Signed-off-by: Antonio Quartulli <antonio@openvpn.net>

    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20200608153239.2260-1-a@unstable.cc>
    URL: https://www.mail-archive.com/search?l=mid&q=20200608153239.2260-1-a@unstable.cc
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 25266ebba97d7f4169f902b8b0d3c38eaa4c43a4
Author: James Bottomley <James.Bottomley@HansenPartnership.com>
Date:   Sun Jun 7 15:10:58 2020 -0700

    crypto_openssl: add include for openssl/conf.h

    Fix build failure on older versions of openssl.

    Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
    Acked-by: Arne Schwabe <arne@rfc2549.org>
    Message-Id: <1591567858.4011.15.camel@HansenPartnership.com>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19996.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 826d8953a335fdbc8d20d800f800a44d0674f00a
Author: Antonio Quartulli <antonio@openvpn.net>
Date:   Sat May 30 02:05:58 2020 +0200

    route: warn on IPv4 routes installation when no IPv4 is configured

    Same as already happens for IPv6, it is useful for the user to throw a
    warning when an IPv4 route is about to be installed and the tun interface
    has no IPv4 configured.

    The twin message for IPv4 is adapted to have the same format.

    The warning is not fatal, because the route might actually be external
    to the tun interface and therefore it may still work.

    At the same time, modify the error message used for a route
    installation failure to explicitly mention "IPv4" since it is
    used in the IPv4 code path only.

    Trac: #208
    Signed-off-by: Antonio Quartulli <antonio@openvpn.net>

    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20200530000600.1680-6-a@unstable.cc>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19946.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 6a8cd033b1812a26b9b35c17eef33240d7ac2719
Author: Antonio Quartulli <antonio@openvpn.net>
Date:   Sat Jun 6 23:16:24 2020 +0200

    pool: add support for ifconfig-pool-persist with IPv6 only

    Without altering the pool logic, this patch enables using
    a persistent IP pool also when the server is configured
    with IPv6 only.

    Trac: #208
    Signed-off-by: Antonio Quartulli <antonio@openvpn.net>

    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20200606211624.10877-1-a@unstable.cc>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19990.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit a4071b20115c7d4e808df81169a986e65cec4efa
Author: James Bottomley <James.Bottomley@HansenPartnership.com>
Date:   Thu May 28 15:59:19 2020 -0700

    crypto_openssl: add initialization to pick up local configuration

    The test programme for the new openssl engine code requires overriding
    the system default configuration file to point to the location of the
    test engine. Add an initialization stanza that makes this behaviour
    universal, so now anyone running openvpn configured with openssl can
    specify their own configuration file with the OPENSSL_CONF environment
    variable.

    Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
    Acked-by: Arne Schwabe <arne@rfc2549.org>
    Message-Id: <20200528225920.6983-3-James.Bottomley@HansenPartnership.com>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19936.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 8155f8aa0a8d801dd0d84e0ec844b9ca4c225df7
Author: James Bottomley <James.Bottomley@HansenPartnership.com>
Date:   Thu May 28 15:59:18 2020 -0700

    openssl: add engine method for loading the key

    As well as doing crypto acceleration, engines can also be used to load
    key files. If the engine is set, and the private key loading fails
    for bio methods, this patch makes openvpn try to get the engine to
    load the key. If that succeeds, we end up using an engine based key.
    This can be used with the openssl tpm engines to make openvpn use a
    TPM wrapped key file.

    Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>

    Acked-by: Arne Schwabe <arne@rfc2549.org>
    Message-Id: <20200528225920.6983-2-James.Bottomley@HansenPartnership.com>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19937.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 7d65aad8973fa85a007a3de8907b9cbced20b2b4
Author: Antonio Quartulli <antonio@openvpn.net>
Date:   Sat May 30 02:05:56 2020 +0200

    allow usage of --server-ipv6 even when no --server is specified

    Until now OpenVPN has not allowed specifying --server-ipv6
    if no --server was also set. This constraint comes from the
    fact that most of the IPv6 logic (i.e. ifconfig-pool handling)
    relied on IPv4 components to be activated and configured as
    well.

    Now that the IPv6 code path has been made independent from
    IPv4, it is finally possible to relax the constraint
    mentioned above and make it possible for the user to have a
    configuration with --server-ipv6 only.

    Trac: #208
    Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20200530000600.1680-4-a@unstable.cc>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19949.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 452113155e791fdf6091de0422391ff62bda2ac9
Author: Antonio Quartulli <antonio@openvpn.net>
Date:   Mon Jun 1 22:06:24 2020 +0200

    pool: allow to configure an IPv6-only ifconfig-pool

    With this change a server is allowed to allocate an
    IPv6-only pool. This is required to make it capable
    of managing an IPv6-only tunnel.

    Trac: #208
    Signed-off-by: Antonio Quartulli <antonio@openvpn.net>

    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20200601200624.14765-1-a@unstable.cc>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19957.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 984bd1e1601e4b9562dbc88b02a8db60b884286f
Author: Jeremy Evans <code@jeremyevans.net>
Date:   Wed May 20 11:34:04 2020 -0700

    Switch assertion failure to returning false

    This assertion failure can be hit in production, which causes the
    openvpn server process to stop and all clients to be disconnected.
    Bug #1270 has been filed for this issue on Trac by another user
    who has experienced the issue, and this patch attempts to address it.

    Tracing callers, it appears that some callers check ks->authenticated
    before calling, but others do not. It may be possible to add the check
    for the callers that do not check, but this seems to be a simpler
    solution.

    To give some background, we hit this assertion failure, with the
    following log output:

    ```
    Tue May 19 15:57:05 2020 username/73.135.141.11:1194 PUSH: Received
    control message: 'PUSH_REQUEST'
    Tue May 19 15:57:05 2020 username/73.135.141.11:1194 SENT CONTROL
    [username]: 'PUSH_REPLY,redirect-gateway
    def1,comp-lzo,persist-key,persist-tun,route-gateway 10.28.47.1,topology
    subnet,ping 10,ping-restart 120,ifconfig 10.28.47.38 255.255.255.0,peer-id
    89' (status=1)
    Tue May 19 15:57:05 2020 username/73.135.141.11:1194 Assertion failed at
    /path/to/openvpn-2.4.7/src/openvpn/ssl.c:1944 (ks->authenticated)
    Tue May 19 15:57:05 2020 username/73.135.141.11:1194 Exiting due to fatal
    error
    Tue May 19 15:57:05 2020 username/73.135.141.11:1194 Closing TUN/TAP
    interface
    ```

    using the following OpenVPN server configuration:

    ```
    port 1194
    proto udp
    dev-type tun
    ca ca.crt
    cert server.crt
    key server.key
    dh dh.pem
    topology subnet
    push "redirect-gateway def1"
    push "comp-lzo"
    push "persist-key"
    push "persist-tun"
    keepalive 10 120
    comp-lzo
    user nobody
    group nobody
    persist-key
    persist-tun
    cd /home/openvpn/server
    chroot /var/empty
    daemon
    verb 3
    crl-verify crl.pem
    tls-auth ta.key 0
    cipher AES-256-CBC
    tls-version-min 1.2
    tls-cipher ECDHE-RSA-AES256-GCM-SHA384
    ncp-disable
    mute-replay-warnings
    script-security 3
    auth-user-pass-verify "ldap-auth/ldap-auth" via-env
    auth-user-pass-optional
    ```

    and the following command line options:

    ```
    --config openvpn.conf --dev tun1 --local 206.131.72.52 \
    --log-append openvpn.log --status openvpn-status.log \
    --server 10.28.47.0 255.255.255.0
    ```

    The failed assertion is inside the function
    `tls_session_generate_data_channel_keys`, which is called in 3 other places
    in `ssl.c`:

    * `key_method_2_write`: checks for `ks->authenticated` before calling

    * `key_method_2_read`: appears to run in client mode but not in server
      mode

    * `tls_session_update_crypto_params`: runs in server mode and does not
      check before calling

    That leads me to believe the problem caller is
    `tls_session_update_crypto_params`. There are three callers of
    `tls_session_update_crypto_params`:

    * `incoming_push_message` (`push.c`): Probably this caller, since the
      server pushes configuration to clients, and the log shows the
      assertion failure right after the push reply.

    * `multi_process_file_closed` (`multi.c`): Not this caller. NCP is
      disabled in config, and async push was not enabled when compiling.

    * `do_deferred_options` (`init.c`): Not this caller. The server
      configuration doesn't pull.

    Changing the assertion to returning false appears to be the simplest
    fix. Another approach would be changing callers to check
    `ks->authenticated` before calling, either
    `tls_session_update_crypto_params` or `incoming_push_message`.

    Signed-off-by: Jeremy Evans <code@jeremyevans.net>
    Acked-by: Steffan Karger <steffan.karger@foxcrypto.com>
    Message-Id: <20200520183404.54822-1-code@jeremyevans.net>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19914.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 81d66a1f14d4be3282dd648ecc2049658e3a65ed
Author: Antonio Quartulli <a@unstable.cc>
Date:   Sat May 30 02:05:54 2020 +0200

    pool: prevent IPv6 pools to be larger than 2^16 addresses

    Signed-off-by: Antonio Quartulli <a@unstable.cc>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20200530000600.1680-2-a@unstable.cc>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19945.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit cc76e177606ba336bbcb63ebc5e4d85b4116057f
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Mon May 18 17:54:27 2020 +0200

    Refuse server mode on Android

    After the commit 042429d3 "build: Remove --disable-server from ./configure"
    Android needs another way to ensure that OpenVPN is not run in server mode.

    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    Acked-by: David Sommerseth <davids@openvpn.net>
    Message-Id: <20200518155427.17283-1-arne@rfc2549.org>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19904.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 14a57be4609fc23e4775072948bf722f21f25099
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Thu May 7 15:25:34 2020 +0200

    Do not write extra 0 byte for --gen-key with auth-token/tls-crypt-v2

    Change crypto_pem_encode to not put a nul-terminated string
    into the buffer. This was useful for printf but should
    not be written into the file.

    Instead do not assume that the buffer is null terminated and
    print only the number of bytes in the buffer. Also fix a
    similar case in printing static key where the 0 byte was
    never added to the buffer

    Patch V2: make pem_encode behave more like other similar functions in
    OpenVPN
    and do not null terminate.

    Patch V3: also make the mbed TLS variant of pem_decode behave like other
    similar functions in OpenVPN and accept a not null-terminated
    buffer.

    Patch V4: The newly introduced unit test
    test_tls_crypt_v2_write_client_key_file_metadata
    was added after the V3 version of the patch and now misses the
    strlen with memcmp replacement that was added to
    test_tls_crypt_v2_write_client_key_file. Also add the
    modifications to this function.

    Unconditionally allocate buffer in mbed TLS path as
    requested by Steffan.

    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    Acked-by: Steffan Karger <steffan.karger@foxcrypto.com>
    Message-Id: <20200507132534.6380-1-arne@rfc2549.org>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19852.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 6001784afd89c4e9d9d15cc9f2e84cec6bbe0e39
Author: Gert Doering <gert@greenie.muc.de>
Date:   Wed May 13 16:11:47 2020 +0200

    Change client side of t_lpback.sh configs to use inline material.

    We have no real test rig for "inline" key material (key, cert, ca,
    tls-auth, tls-crypt*) yet. This change adds the "sample" key set
    as inline config to the "loopback-client" config, while keeping
    file-based configs for "loopback-server" - that way, testing both
    methods of loading keys etc. in one go.

    Signed-off-by: Gert Doering <gert@greenie.muc.de>
    Acked-by: Antonio Quartulli <antonio@openvpn.net>
    Message-Id: <20200513141147.17171-1-gert@greenie.muc.de>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19883.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 93ba6ccddafcc87f336f50dadde144ea4f6178ad
Author: Selva Nair <selva.nair@gmail.com>
Date:   Thu Feb 20 22:00:28 2020 -0500

    Persist management-query-remote and proxy prompts

    Currently this prompt is only output once, not re-written to the
    management interface when the management client connects. It is thus
    not seen by a client that connects after the prompt is output or one that
    disconnects and reconnects. This leads to a deadlock: the daemon waiting
    for the "remote" command from the client, the latter not aware of it.

    Resolve by adding the ">REMOTE" and ">PROXY" prompts to
    man.persist.special_state_msg as done for other persisted prompts such
    as ">PASSWORD"

    Signed-off-by: Selva Nair <selva.nair@gmail.com>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <1582254028-7763-1-git-send-email-selva.nair@gmail.com>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19497.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit a88504010466dd5f5e0eabefd487036082444426
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Tue May 12 14:43:44 2020 +0200

    Fix session id and initial timestamp not being preserved

    In the initial state of checking whether an auth-token has been
    validated, the check checks if multi->auth_token is already set and
    only then sets the value. This defeats the purpose and led to a new
    auth-token with new session id and lifetime always being generated when
    the server restarts or the client reconnects to another server.

    Patch V2: Only set multi->auth_token when NULL to avoid leaking
    memory. Improve comments and documentation of auth-token.

    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20200512124344.15929-1-arne@rfc2549.org>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19878.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit b0c94aff299fcec607d6a0194c4cdea8a33dd353
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Thu Mar 26 18:23:32 2020 +0100

    Document renewal mechanic of auth-token in manual

    Our man page was missing the information that the life time of the
    auth-token also depends on the reneg-sec

    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20200326172332.2356-3-arne@rfc2549.org>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19620.html

    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 42fe3e8175822a4cf2c85cc4ce3fdffd41d74455
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Thu Mar 26 18:23:31 2020 +0100

    Fix session id in env missing first byte

    sizeof for a constant string returns the size including the null byte.
    For copying the session id this meant that we do not copy the first
    byte. This made the session id reported to the external authenticator
    one byte shorter than it was intended to be.

    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20200326172332.2356-2-arne@rfc2549.org>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19622.html

    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 27ad978fd6721f05f0c484a1bdbf775b0ab36ab2
Author: Antonio Quartulli <a@unstable.cc>
Date:   Fri May 8 23:23:56 2020 +0200

    get rid of INLINE_FILE_TAG constant

    Now that the whole inline logic has been converted to using bool flags,
    the INLINE_FILE_TAG constant is not useful anymore.

    Get rid of the constant as it's now unused and to prevent any future
    developer from mistakenly using it again.

    Signed-off-by: Antonio Quartulli <a@unstable.cc>
    Acked-by: David Sommerseth <davids@openvpn.net>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20200508212356.18522-1-a@unstable.cc>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19863.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit d7e26a34319495e39b8e23a5717304d28a417c30
Author: Antonio Quartulli <a@unstable.cc>
Date:   Sun May 10 16:00:17 2020 +0200

    tls-crypt-v2: fix testing of inline key

    The inline logic was recently changed by commit
    ("convert *_inline attributes to bool"), however the code testing a
    newly created tls-crypt-v2 client key was not adapted.

    Adapt tls-crypt-v2 test routine by properly signaling when the passed
    key is inlined or not.

    Signed-off-by: Antonio Quartulli <a@unstable.cc>
    Acked-by: David Sommerseth <davids@openvpn.net>
    Message-Id: <20200510140017.16837-1-a@unstable.cc>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19870.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 416162c5b66055da24e6e7b8acde4e7bb8f67522
Author: Antonio Quartulli <a@unstable.cc>
Date:   Fri May 8 23:14:34 2020 +0200

    options: fix inlining auth-gen-token-secret file

    With commit ("convert *_inline attributes to bool") the logic for
    signaling when a certain option is inline has been changed.
    Due to an oversight, the auth-gen-token-secret was not converted, thus
    making it impossible to be inlined.

    Fix parsing logic and allow auth-gen-token-secret to be inlined as well.

    Signed-off-by: Antonio Quartulli <a@unstable.cc>
    Acked-by: David Sommerseth <davids@openvpn.net>
    Message-Id: <20200508211434.27545-1-a@unstable.cc>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19862.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 7ae8dbb7c4a2ca4a23efae7b08222a8db0efc529
Author: David Sommerseth <davids@openvpn.net>
Date:   Fri May 8 13:44:11 2020 +0200

    options: Restore --tls-crypt-v2 inline file capability

    Commit cb2e9218f2bc73f re-factored the internal file handling, but
    somehow overlooked the --tls-crypt-v2 option processing. It was no
    longer possible to load a configuration file with this key file inlined.

    There were two issues here. First was that the OPT_P_INLINE flag was
    not set, so the option parser rejected --tls-crypt-v2 as inline capable.

    Second issue was that the 'streq(p[1], INLINE_FILE_TAG)' check no
    longer makes sense, as at this point p[1] contains the file contents.
    Instead use the is_inline flag.

    Signed-off-by: David Sommerseth <davids@openvpn.net>
    Acked-by: Antonio Quartulli <antonio@openvpn.net>
    Message-Id: <20200508114411.15762-1-davids@openvpn.net>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19859.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit e8e410fdc6fb91451d8119b129bac7be00ff81df
Author: David Sommerseth <davids@openvpn.net>
Date:   Fri May 8 13:42:43 2020 +0200

    options: Fix failing inline tls-auth/crypt with persist-key

    A configuration file using --persist-key and with inlined --tls-auth or
    --tls-crypt files was failing in check_file_access(). The file argument
    to check_file_access() contained the key file and not the file name.

    This was because check_file_access_inline() which calls
    check_file_access() if the file is not inlined was told the file was not
    an inline file.

    The reason check_file_access_inline() was misled was that a prior
    option_postprocess_mutate() call puts these key files into a connection
    block entry in option_postprocess_mutate_ce(). OpenVPN was modified a
    long while ago to always use connection blocks in the option structure
    for simplicity. So the "root" key files would be transferred into a
    connection entry in this method.

    When --persist-key is used, option_postprocess_mutate_ce() will load the
    key file and "convert" the option into an inline option. But in
    commit cb2e9218f2bc73fa2 this logic had lost the "inline indicator". The
    result was that the connection entry had the key file content stored in
    the object but was "tagged" as a normal file (name) not an inline file.

    Signed-off-by: David Sommerseth <davids@openvpn.net>
    Acked-by: Antonio Quartulli <antonio@openvpn.net>
    Message-Id: <20200508114243.15532-1-davids@openvpn.net>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19858.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 042429d3454ca57564e932a727a27c7d6bfeb2d6
Author: David Sommerseth <davids@openvpn.net>
Date:   Thu Feb 27 21:54:43 2020 +0100

    build: Remove --disable-server from ./configure

    After some discussion among the core community developers [1,2], it was
    decided to remove the possibility to build openvpn as a pure client.
    It was announced on the mailing list [3] that this was scheduled for
    removal unless anyone had strong arguments why it was needed.

    The general consensus was that we had not received any strong arguments
    to keep this possibility after approximately 5 months, so it was fine to
    remove this ./configure option.

    By removing this, we remove quite some entangled sections of #ifdef
    scattered all over the code base, making it more readable.

    One note:
    Inside the options_postprocess_mutate_invariant() function,
    the #ifdef P2MP_SERVER and #ifdef _WIN32 blocks were slightly
    reworked to make the _WIN32 block more continuous and avoid having an
    empty if(options->mode == MODE_SERVER) block.

    Signed-off-by: David Sommerseth <davids@openvpn.net>

    [1] https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18830.html
    [2] https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19505.html
    [3] https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18829.html
    Acked-by: Arne Schwabe <arne@rfc2549.org>
    Message-Id: <20200227205443.27562-1-davids@openvpn.net>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19506.html

    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit cb2e9218f2bc73fa22da1f6e850e5fe97f689730
Author: Antonio Quartulli <a@unstable.cc>
Date:   Thu May 7 15:59:09 2020 +0200

    convert *_inline attributes to bool

    Carrying around the INLINE_TAG is not really efficient,
    because it requires a strcmp() to be performed every
    time we want to understand if the data is stored inline
    or not.

    Convert all the *_inline attributes to bool to make the
    logic easier and checks more efficient.

    Signed-off-by: Antonio Quartulli <a@unstable.cc>
    Acked-by: Arne Schwabe <arne@rfc2549.org>
    Message-Id: <20200507135909.21227-1-a@unstable.cc>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19854.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 4dddca52a8432095dd85ff652fae61a2aedb3785
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Thu Apr 16 13:39:28 2020 +0200

    Use crypto library functions for const time memcmp when possible

    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20200416113930.15192-1-arne@rfc2549.org>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19749.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 3cb9b156c8094ab333fc4f3da57818471135ac5e
Author: Antonio Quartulli <a@unstable.cc>
Date:   Tue Apr 28 15:17:00 2020 +0200

    t_net.sh: assign MAC address directly during interface creation

    Signed-off-by: Antonio Quartulli <a@unstable.cc>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20200428131700.9123-1-a@unstable.cc>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19832.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit da1574ef7826d73f01e120cbd1ba40ce39a305b7
Author: Gert Doering <gert@greenie.muc.de>
Date:   Sun Apr 26 11:54:02 2020 +0200

    Uncrustify the tests/unit_tests/ part of our tree.

    Apply uncrustify 0.70.1 (FreeBSD port) with our rules to that part
    of the tree, which followed a more compact coding style so far.
>
>    Acked-by: Steffan Karger <steffan.karger@fox-it.com>
>    Message-Id: <20200426095402.65047-1-gert@greenie.muc.de>
>    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19823.html
>
>    Signed-off-by: Gert Doering <gert@greenie.muc.de>
>
>commit a17e73531404aeb9d26ef874d55e46754ec523ab
>Author: Arne Schwabe <arne@rfc2549.org>
>Date:   Mon Apr 20 12:44:35 2020 +0200
>
>    Add tls-crypt-v2 test writing metadata
>
>    Acked-by: Steffan Karger <steffan.karger@fox-it.com>
>    Message-Id: <20200420104435.7082-1-arne@rfc2549.org>
>    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19798.html
>    Signed-off-by: Gert Doering <gert@greenie.muc.de>
>
>commit 75aa88af774abaa168bf72e43e1dbb57be14c044
>Author: Arne Schwabe <arne@rfc2549.org>
>Date:   Tue Apr 21 12:11:22 2020 +0200
>
>    Fix tls_ctx_client/server_new leaving error on OpenSSL error stack
>
>    In the corner case that the global OpenSSL config has an invalid command like
>
>        MinProtocol = TLSv1.0
>
>    (due to OpenSSL's idiosyncrasies MinProtocol = TLSv1 would be correct)
>    the SSL_ctx_new function leaves the errors for parsing the config file
>    on the stack.
>
>        OpenSSL: error:14187180:SSL routines:ssl_do_config:bad value
>
>    Since the later functions, especially the one loading the
>    certificates, expected a clean error stack, this error got reported at the
>    wrong place.
>
>    Print the warnings with crypto_msg when we detect that we are in this
>    situation (this also clears the stack).
>
>    Debian Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=958296
>
>    Acked-by: Gert Doering <gert@greenie.muc.de>
>    Message-Id: <20200421101122.24284-1-arne@rfc2549.org>
>    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19802.html
>
>    Signed-off-by: Gert Doering <gert@greenie.muc.de>
>
>commit c40679fbb051228f6c5108adaa9f6fc6929b1e0f
>Author: Antonio Quartulli <a@unstable.cc>
>Date:   Mon Apr 20 12:21:02 2020 +0200
>
>    remove bogus file check on --genkey argument
>
>    When invoking openvpn as standalone with the --genkey
>    argument, options_postprocess() is not called at all
>    because do_genkey() takes over the execution earlier.
>
>    For this reason, checking the --genkey argument in
>    options_postprocess_filechecks() is a no-op.
>
>    Get rid of the bogus check altogether.
>
>    Signed-off-by: Antonio Quartulli <a@unstable.cc>
>    Acked-by: Gert Doering <gert@greenie.muc.de>
>    Message-Id: <20200420102102.20981-1-a@unstable.cc>
>    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19795.html
>    Signed-off-by: Gert Doering <gert@greenie.muc.de>
>
>commit 9cf7b4925a54d93fbea1cadcf3dc0e11f3ce358f
>Author: Arne Schwabe <arne@rfc2549.org>
>Date:   Thu Apr 16 13:39:30 2020 +0200
>
>    Another round of uncrustify code cleanup.
>
>    After the last big formatting patch a number of changes have been
>    committed that do not conform with our style/uncrustify config. This
>    has led to the problem that when running uncrustify before sending a
>    PR, some of the changes made by uncrustify need to be backed out again.
>
>    To bring everything back to the agreed upon style, run uncrustify once
>    more. Uncrustify version used:
>
>        Uncrustify-0.70.1_f
>
>    I double checked the result by running uncrustify (Uncrustify-0.69.0_f)
>    from Ubuntu focal/20.04, which does not do any further changes, and
>    uncrustify 0.66.1_f from Ubuntu bionic/18.04.
>
>    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
>    Acked-by: Gert Doering <gert@greenie.muc.de>
>    Message-Id: <20200416113930.15192-3-arne@rfc2549.org>
>    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19750.html
>    Signed-off-by: Gert Doering <gert@greenie.muc.de>
>
>commit cbde07f474ae9e92b329475767c4660dd35b4ee4
>Author: Arne Schwabe <arne@rfc2549.org>
>Date:   Thu Apr 16 13:39:29 2020 +0200
>
>    Minor style change to improve code style
>
>    These are small manual changes that are done to improve the code
>    style and also make the result of uncrustify better without mixing
>    manual changes/automatic changes into a single commit.
>
>    - Make prototype and function identical for gc_addspecial. Also fixes
>      uncrustify misparsing the embedded function pointer declaration
>    - Disallow uncrustify to reformat link_socket_init_phase1, which it
>      messes up
>    - Format the parameters of a call of mbedtls_ssl_tls_prf to
>      be more in line with the rest of our function calls with multiple
>      arguments
>
>    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
>    Acked-by: Antonio Quartulli <antonio@openvpn.net>
>    Message-Id: <20200416113930.15192-2-arne@rfc2549.org>
>    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19748.html
>    Signed-off-by: Gert Doering <gert@greenie.muc.de>
>
>commit c577facffb09046da90c52f3ed1af5bdf7b25888
>Author: Arne Schwabe <arne@rfc2549.org>
>Date:   Thu Apr 16 17:26:18 2020 +0200
>
>    Refactor counting number of elements in a : delimited list into function
>
>    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
>    Acked-by: Antonio Quartulli <antonio@openvpn.net>
>    Message-Id: <20200416152619.5465-1-arne@rfc2549.org>
>    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19757.html
>    Signed-off-by: Gert Doering <gert@greenie.muc.de>
>
>commit d8225e98f23d1f133b914bd63c90c8113c713fc7
>Author: Antonio Quartulli <a@unstable.cc>
>Date:   Thu Apr 16 15:49:25 2020 +0200
>
>    t_net.sh: use dummy interface instead of tun
>
>    The tun interface has proved to be a bit fragile for basic netlink tests
>    as it may introduce delays in switching state, depending on the system
>    the test is run on.
>
>    For this reason, switch to dummy interface type and at the same time
>    set its oper-state to up right after creation to avoid hitting the
>    no-carrier state later. No-carrier has been problematic in past tests
>    as it sometimes persists long enough to create a discrepancy between the
>    various test snapshots, thus causing a test failure.
>
>    Setting a static MAC address is also re-enabled to avoid it being
>    different and thus causing a test failure when comparing snapshots.
>
>    Signed-off-by: Antonio Quartulli <a@unstable.cc>
>    Acked-by: Gert Doering <gert@greenie.muc.de>
>    Message-Id: <20200416134925.8848-1-a@unstable.cc>
>    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19751.html
>    Signed-off-by: Gert Doering <gert@greenie.muc.de>
>
>commit db3d737ba3ef9d83c5ceffa2f653d0ee4a8abb54
>Author: Antonio Quartulli <a@unstable.cc>
>Date:   Sat Apr 18 11:43:50 2020 +0200
>
>    sitnl: fix ignoring EEXIST when sending a netlink command
>
>    The logic is to treat EEXIST as non-error because it means that the
>    address/route we wanted to install already exists, therefore we can
>    move on and not fail.
>
>    However, this logic is currently based on checking errno == EEXIST.
>    This is wrong, because sitnl_send() does not set errno, but returns the
>    error directly as negative value.
>
>    Fix this issue by directly comparing the return value with -EEXIST.
>
>    Signed-off-by: Antonio Quartulli <a@unstable.cc>
>    Acked-by: Gert Doering <gert@greenie.muc.de>
>    Message-Id: <20200418094350.26349-1-a@unstable.cc>
>    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19777.html
>    Signed-off-by: Gert Doering <gert@greenie.muc.de>
>
>commit b9ff398884aa4576f2d9f75f2e2b54cd9688d122
>Author: Antonio Quartulli <a@unstable.cc>
>Date:   Sat Apr 18 03:31:23 2020 +0200
>
>    sitnl: fix TUN/TAP confusion in error messages
>
>    The is_tun_p2p() function can return false for both TAP or TUN
>    interfaces (under certain conditions), therefore we should not
>    assume any TUN/TAP type when printing related messages.
>
>    Remove reference to TUN/TAP when printing messages under conditions
>    based on is_tun_p2p().
>
>    Signed-off-by: Antonio Quartulli <a@unstable.cc>
>    Acked-by: Gert Doering <gert@greenie.muc.de>
>    Message-Id: <20200418013123.22551-1-a@unstable.cc>
>    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19775.html
>    Signed-off-by: Gert Doering <gert@greenie.muc.de>
>
>commit 74fadcf4ebe860c15d12cb4e065c7ca0e0dc4497
>Author: Antonio Quartulli <a@unstable.cc>
>Date:   Sat Apr 18 03:18:49 2020 +0200
>
>    sitnl: fix failure reporting by keeping error negative
>
>    The err->errno value reported by netlink is already negative.
>
>    Prepending err->errno with '-' when forwarding it to
>    the caller results in a positive value and thus not
>    detected as error.
>
>    Fix error handling in sitnl by not negating the sign of
>    the value returned by sitnl_send() in case of generic error.
>
>    While at it, print the errno in decimal form along with
>    its string representation.
>
>    Reported-by: Richard Bonhomme <tincanteksup@gmail.com>
>    Signed-off-by: Antonio Quartulli <a@unstable.cc>
>    Acked-by: Gert Doering <gert@greenie.muc.de>
>    Message-Id: <20200418011849.382-1-a@unstable.cc>
>    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19773.html
>    Signed-off-by: Gert Doering <gert@greenie.muc.de>
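The two sitnl commits above (db3d737b, "fix ignoring EEXIST", and 74fadcf4, "keep error negative") describe the same underlying convention: the netlink ACK carries a negative errno, sitnl_send() returns it as-is, and the global errno is never set. The following is an added illustration written for this page, not OpenVPN's code: a constructed mock_send() stands in for sitnl_send(), and each buggy pattern from the commit messages is shown next to the corrected one. All function names are hypothetical.

```c
/* Added example, not OpenVPN's code: a constructed mock showing the two
 * sitnl error-handling bugs described in the commit messages above.
 * mock_send() stands in for sitnl_send(); its return convention (negative
 * errno on failure, 0 on success, global errno untouched) follows the
 * commit messages. All names here are hypothetical. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for sitnl_send(): the kernel's nlmsgerr carries a negative
 * errno, which is returned as-is. The global errno is never set. */
static int mock_send(int ack_error)
{
    return ack_error;
}

/* Bug 1 (commit 74fadcf4): the value is already negative, so prepending
 * '-' turns it positive and a "ret < 0" check in the caller never fires. */
static int buggy_forward_error(int ack_error)
{
    int ret = mock_send(ack_error);
    if (ret != 0)
    {
        return -ret;   /* -(-EPERM) == EPERM, which looks like success */
    }
    return 0;
}

/* Fixed: keep the sign, and print the errno in decimal plus its string. */
static int fixed_forward_error(int ack_error)
{
    int ret = mock_send(ack_error);
    if (ret < 0)
    {
        fprintf(stderr, "netlink: error %d (%s)\n", -ret, strerror(-ret));
    }
    return ret;
}

/* Bug 2 (commit db3d737b): testing errno, which mock_send() never sets,
 * so whatever stale value errno holds decides whether EEXIST is ignored. */
static bool buggy_is_fatal(int ack_error, int stale_errno)
{
    errno = stale_errno;            /* whatever an earlier call left behind */
    int ret = mock_send(ack_error);
    if (ret < 0 && errno == EEXIST)
    {
        return false;               /* "already exists", keep going */
    }
    return ret < 0;
}

/* Fixed: compare the return value itself with -EEXIST. */
static bool fixed_is_fatal(int ack_error, int stale_errno)
{
    errno = stale_errno;
    int ret = mock_send(ack_error);
    if (ret == -EEXIST)
    {
        return false;               /* route/address already present */
    }
    return ret < 0;
}

int main(void)
{
    printf("forward of -EPERM: buggy %d, fixed %d\n",
           buggy_forward_error(-EPERM), fixed_forward_error(-EPERM));
    printf("EEXIST with clean errno fatal? buggy %d, fixed %d\n",
           buggy_is_fatal(-EEXIST, 0), fixed_is_fatal(-EEXIST, 0));
    printf("EPERM with stale errno==EEXIST fatal? buggy %d, fixed %d\n",
           buggy_is_fatal(-EPERM, EEXIST), fixed_is_fatal(-EPERM, EEXIST));
    return 0;
}
```

The second buggy case is the more dangerous one for a VPN: a stale errno of EEXIST makes a genuine failure (here EPERM when installing a route) look like a harmless duplicate, so the client continues as if the route were in place.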