git.ipfire.org Git - thirdparty/openvpn.git/log
8 years ago: Make ENABLE_OCC no longer depend on !ENABLE_SMALL
Gert Doering [Sun, 19 Mar 2017 18:41:35 +0000 (19:41 +0100)] 
Make ENABLE_OCC no longer depend on !ENABLE_SMALL

OCC is useful functionality which (according to LEDE devs) adds only
about 3k to the binary size - and if the embedded router folks can
afford this trade-off, everyone else can :-)

Inspired by
https://git.lede-project.org/?p=source.git;a=commit;h=b613c96d94bcdcda7abb3be68ea1c281ce5fbb47

Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20170319184135.23548-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14281.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 363af65178b8bbb482df958d6570c8763aee5d1d)

8 years ago: Fix installation of IPv6 host route to VPN server when using iservice.
Gert Doering [Sun, 19 Mar 2017 19:10:49 +0000 (20:10 +0100)] 
Fix installation of IPv6 host route to VPN server when using iservice.

The "prepare IPv6 route message to interactive service" was properly
handling the correct interface index (r->adapter_index) for this case,
but then always overwrote the gateway address with our magic tun/tap
fe80::8 value.  Only do this for "on tap adapter" routes.

Pinpointed by Selva Nair.

Trac #850

Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <20170319191049.23970-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14282.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 27740b376c1ca89a43dcff5c8309f1e1afecc5c9)

8 years ago: cleanup: Remove faulty env processing functions
David Sommerseth [Sat, 25 Feb 2017 02:02:29 +0000 (03:02 +0100)] 
cleanup: Remove faulty env processing functions

The env_set_add_to_environment() and env_set_remove_from_environment()
functions were not used in the code at all and they would cause an
ASSERT() in setenv_str_ex() later on, as it would not allow the
struct env_set *es pointer to be NULL (misc.c:807).

Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20170225020229.17287-1-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14195.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit a87f119afcfcc1c855a6ea2ba3d765966f1f2591)

8 years ago: ignore remote-random-hostname if a numeric host is provided
Antonio Quartulli [Mon, 30 Jan 2017 15:26:58 +0000 (23:26 +0800)] 
ignore remote-random-hostname if a numeric host is provided

Although it does not make sense to specify remote-random-hostname
when a numeric hostname is provided (be it the remote, the http
proxy or the socks server), this is still a valid configuration.

For this reason, this combination should still work as expected,
which means ignoring the randomization and directly using the
numeric IP.

Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20170130152658.15786-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13993.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 3c748aeb5e4b82c449e7de28846a3915ab45aeec)

8 years ago: plugin: Improve the handling of default plug-in directory
David Sommerseth [Fri, 27 Jan 2017 14:21:20 +0000 (15:21 +0100)] 
plugin: Improve the handling of default plug-in directory

OpenVPN uses a default plug-in directory, set using PLUGINDIR when
running ./configure.  If this is set, it will use $LIBDIR/openvpn/plugin.

When using --plugin, OpenVPN will load plug-ins from this directory with
the only exception if the plug-in filename is based on an absolute path.
Any other relative paths are relative to the PLUGINDIR.

This patch adds a third variant, using plug-in paths starting with '.'.
In this case, OpenVPN will use the relative directory of where OpenVPN
was started, or the directory OpenVPN has changed into due to --cd
being used before the actual --plugin option.

Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20170127142120.10492-1-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13970.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit f9609f1df9d8c070245b7c008dc54ac9ccdbe231)

8 years ago: Be less picky about keyUsage extensions
Steffan Karger [Wed, 15 Mar 2017 21:20:20 +0000 (22:20 +0100)] 
Be less picky about keyUsage extensions

We long recommended users to use --ns-cert-type to distinguish between
client and server certificates, but that extension is long deprecated and
now can even no longer be accurately checked in OpenSSL 1.1+.  We support
a more modern alternative, --remote-cert-tls (which expands to
--remote-cert-ku + --remote-cert-eku), but are overly strict in checking
the keyUsage.  This patch makes our implementation less picky, so that
correct-but-slightly-weird certificates will not immediately be rejected.

We currently allow users to specify a list of allowed keyUsage values, and
require that the remote certificate matches one of these values exactly.
This is far more strict than keyUsage usually requires; which is that a
certificate is okay to use if it can *at least* be used for our intended
purpose.  This patch changes the behaviour to match that, by using the
library-provided mbedtls_x509_crt_check_key_usage() function in mbed TLS
builds, and performing the 'at least bits xyz' check for OpenSSL builds
(OpenSSL unfortunately does not expose a similar function).

Furthermore, this patch adds better error messages when the checking fails;
it now explains that it expects to match either of the supplied values,
and only does so if the check actually failed.

This patch also changes --remote-cert-tls to still require a specific EKU,
but only *some* keyUsage value.  Both our supported crypto libraries will
check the keyUsage value for correctness during the handshake, but only if
it is present.  So this still enforces a correct keyUsage, but is a bit
less picky about certificates that do not exactly match expectations.

This patch should be applied together with the 'deprecate --ns-cert-type'
patch I sent earlier.

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1489612820-15284-1-git-send-email-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14265.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 92a5b9fb76cbb7f43a6aa86994ff559f06c55c7a)
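The exact-match versus "at least these bits" keyUsage check that the commit above describes, as an added illustration that is not OpenVPN's own code: it assumes the space-separated hex-list form of --remote-cert-ku values and uses constructed keyUsage bit patterns, with no dependency on a crypto library.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* keyUsage bits of the X.509v3 KeyUsage extension, numerically the same
 * as the KU_* constants OpenSSL defines in x509v3.h. */
#define KU_DIGITAL_SIGNATURE 0x0080
#define KU_NON_REPUDIATION   0x0040
#define KU_KEY_ENCIPHERMENT  0x0020
#define KU_KEY_AGREEMENT     0x0008
#define KU_CRL_SIGN          0x0002

/* Parse a space-separated list of hex keyUsage values (assumed to be the
 * form --remote-cert-ku takes, e.g. "a0 88").  Returns the number of
 * values parsed, or 0 if a token is not valid hex or the list is too long. */
size_t parse_ku_list(const char *list, unsigned *out, size_t max)
{
    size_t n = 0;
    const char *p = list;

    while (*p) {
        while (*p == ' ') {
            p++;
        }
        if (!*p) {
            break;
        }
        char *end;
        unsigned long v = strtoul(p, &end, 16);
        if (end == p || v > 0xffff || (*end != ' ' && *end != '\0') || n == max) {
            return 0;
        }
        out[n++] = (unsigned)v;
        p = end;
    }
    return n;
}

/* Old behaviour: the certificate's keyUsage must equal one configured
 * value bit for bit, so a certificate that additionally asserts e.g.
 * nonRepudiation is rejected. */
bool ku_matches_exact(unsigned cert_ku, const unsigned *allowed, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (cert_ku == allowed[i]) {
            return true;
        }
    }
    return false;
}

/* New behaviour ("at least bits xyz"): accept when the certificate carries
 * every bit of at least one configured value; extra bits are fine because
 * the key can still be used for our intended purpose. */
bool ku_matches_at_least(unsigned cert_ku, const unsigned *allowed, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if ((cert_ku & allowed[i]) == allowed[i]) {
            return true;
        }
    }
    return false;
}

/* Diagnostic for a failed check: the value seen and the configured values
 * it was expected to cover.  Returns the character count written. */
int ku_describe_mismatch(unsigned cert_ku, const unsigned *allowed, size_t n,
                         char *buf, size_t len)
{
    int off = snprintf(buf, len, "certificate keyUsage %04x does not cover any of:", cert_ku);
    for (size_t i = 0; i < n && off >= 0 && (size_t)off < len; i++) {
        off += snprintf(buf + off, len - off, " %04x", allowed[i]);
    }
    return off;
}

int main(void)
{
    /* Constructed policy: digitalSignature+keyEncipherment (0xa0) or
     * digitalSignature+keyAgreement (0x88), written as on the command line. */
    unsigned allowed[4];
    size_t n = parse_ku_list("a0 88", allowed, 4);

    /* Constructed certificate that also asserts nonRepudiation: 0xe0. */
    unsigned cert_ku = KU_DIGITAL_SIGNATURE | KU_NON_REPUDIATION | KU_KEY_ENCIPHERMENT;
    printf("exact match: %s\n", ku_matches_exact(cert_ku, allowed, n) ? "ok" : "rejected");
    printf("at least   : %s\n", ku_matches_at_least(cert_ku, allowed, n) ? "ok" : "rejected");

    /* A cRLSign-only certificate fails either way and gets the explanation. */
    char msg[128];
    if (!ku_matches_at_least(KU_CRL_SIGN, allowed, n)) {
        ku_describe_mismatch(KU_CRL_SIGN, allowed, n, msg, sizeof msg);
        puts(msg);
    }
    return 0;
}
```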

8 years ago: Deprecate --ns-cert-type
Steffan Karger [Sat, 4 Mar 2017 18:49:57 +0000 (19:49 +0100)] 
Deprecate --ns-cert-type

The nsCertType x509 extension is very old, and barely used.  We already
have had an alternative for a long time: --remote-cert-tls uses the far
more common keyUsage and extendedKeyUsage extensions instead.

OpenSSL 1.1 no longer exposes an API to (separately) check the nsCertType x509
extension.  Since we want to be able to migrate to OpenSSL 1.1, we should
deprecate this option immediately.

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1488653397-2309-1-git-send-email-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14222.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 2dc332266449d5378f1fe04f950cbebf128ec9c9)

8 years ago: Fix non-C99-compliant builds: don't use const size_t as array length
Steffan Karger [Thu, 16 Mar 2017 09:12:17 +0000 (10:12 +0100)] 
Fix non-C99-compliant builds: don't use const size_t as array length

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1489655537-19164-1-git-send-email-steffan@karger.me>
URL: http://www.mail-archive.com/search?l=mid&q=1489655537-19164-1-git-send-email-steffan@karger.me
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit db1b4d96bfe7e744a0dec8f86cb041c32fb87964)

8 years ago: CRL: use time_t instead of struct timespec to store last mtime
Antonio Quartulli [Thu, 16 Mar 2017 08:21:17 +0000 (16:21 +0800)] 
CRL: use time_t instead of struct timespec to store last mtime

As of now, we store the last mtime for the CRL file in a timespec
object. However we store seconds only and we ignore the subsecond
field (this came into being because not all platforms have nanoseconds
precision in timespec).

Given the above, we can safely replace the timespec object with a
simple time_t.

Reported-by: Gert Doering <gert@greenie.muc.de>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20170316082117.21020-1-a@unstable.cc>
URL: http://www.mail-archive.com/search?l=mid&q=20170316082117.21020-1-a@unstable.cc
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit f3705dd1e711ee9f8546b841e4b18e9e9a224975)

8 years ago: Fix Building Using MSVC
Eric Thorpe [Wed, 15 Mar 2017 22:40:31 +0000 (09:40 +1100)] 
Fix Building Using MSVC

This patch enables the building of OpenVPN for the 2.4 and master
branches using MSVC (Visual Studio 2013 / MSVC v120), which currently
doesn't work with 2.4 or a clone of master. 2013 is being used as it
reduces the complexity of the redistributable requirements and has
mostly complete C99 support. Further changes will be necessary for 2015
support when the switch is made.

Note the changes to config-msvc-version.h.in are more of a work around.
It was a simpler approach when compared to modifying msvc-generate.js to
handle m4 syntax, and so it may be dropped if there is an intention to
update the javascript generator.

Signed-off-by: Eric Thorpe <eric@sparklabs.com>

Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <df273b9b-6ca4-a539-cdf5-d4f9f991896b@sparklabs.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14268.html

Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 5ab106db7b091c6409fd0a7e43f557a7931c200f)

8 years ago: Remove duplicate X509 env variables
Steffan Karger [Thu, 9 Mar 2017 08:13:32 +0000 (09:13 +0100)] 
Remove duplicate X509 env variables

Commit 13b585e8 added support for multiple X509 env variables with the
same name, but as a side effect caused these variables to pile up for
each renegotiation.  The old code would simply overwrite the old variables
(as long as an equally-long chain was used for the new session).

To stop the variables from piling up, this commit removes any old X509
env variables if we start negotiating a new TLS session.

Trac: #854

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1489047212-31994-1-git-send-email-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14237.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit fd0361813cd3d5a55f3408a018e2ed776d79fef6)

8 years ago: Fix types in WIN32 socket_listen_accept()
Steffan Karger [Thu, 9 Mar 2017 10:47:35 +0000 (11:47 +0100)] 
Fix types in WIN32 socket_listen_accept()

SOCKET_UNDEFINED is of type socket_descriptor_t (or SOCKET, in MS types),
so new_sd should be too.  Also, the return value of this function is
always stored in a socket_descriptor_t variable, so it should return that
type (which makes sense now, because it returns new_sd) instead of an int.

Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1489056455-6004-1-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14239.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 33e1a869fc6edb6bce5816b11dbecfaca57b20d4)

8 years ago: travis-ci: remove unused files
Ilya Shipitsin [Sun, 5 Mar 2017 17:21:32 +0000 (20:21 +0300)] 
travis-ci: remove unused files

Those files were committed by mistake. I implemented building
dependencies in 4 separate scripts, later Steffan Karger combined
all 4 scripts into "build-deps.sh".

Signed-off-by: Ilya Shipitsin <chipitsine@gmail.com>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1488734492-5319-1-git-send-email-chipitsine@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14234.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 85ac77c90bba0a912625ad6926a9595c3192f902)

8 years ago: OpenSSL: use EVP_CipherInit_ex() instead of EVP_CipherInit()
Emmanuel Deloget [Mon, 20 Feb 2017 14:32:34 +0000 (15:32 +0100)] 
OpenSSL: use EVP_CipherInit_ex() instead of EVP_CipherInit()

The behavior of EVP_CipherInit() changed in OpenSSL 1.1 -- instead
of clearing the context when the cipher parameter was !NULL, it now
clears the context unconditionally. As a result, subsequent calls
to the function with additional information now fail.

The bulk work is done by EVP_CipherInit_ex() which has been part of the
OpenSSL interface since the dawn of time (0.9.8 already has it). Thus,
the change allows us to get the old behavior back instead of relying
on dirty tricks.

Signed-off-by: Emmanuel Deloget <logout@free.fr>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <2faff7647151d7fe362c1c5db9f97e520444d09b.1487600539.git.logout@free.fr>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14120.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 8d00afae88b626c9cf14170a943b33a7ed378070)

8 years ago: OpenSSL: SSLeay symbols are no longer available in OpenSSL 1.1
Emmanuel Deloget [Fri, 17 Feb 2017 22:00:52 +0000 (23:00 +0100)] 
OpenSSL: SSLeay symbols are no longer available in OpenSSL 1.1

The old symbols do not exist anymore but the library gained new
equivalent symbols (OSSL). Use them instead of the old ones.

Signed-off-by: Emmanuel Deloget <logout@free.fr>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <9ce17efda7b1ed100e73554b1916c0bfa687d9d1.1487368114.git.logout@free.fr>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14089.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit c828ffc648eebda20e2f9087248944fa0f52a582)

8 years ago: OpenSSL: don't use direct access to the internal of RSA_METHOD
Emmanuel Deloget [Thu, 23 Feb 2017 14:35:56 +0000 (15:35 +0100)] 
OpenSSL: don't use direct access to the internal of RSA_METHOD

OpenSSL 1.1 does not allow us to directly access the internal of
any data type, including RSA_METHOD. We have to use the defined
functions to do so.

Compatibility with OpenSSL 1.0 is kept by defining the corresponding
functions when they are not found in the library.

Signed-off-by: Emmanuel Deloget <logout@free.fr>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <79d89580db6fd92c059dabc4f5f4d83b72bb9d3d.1487859361.git.logout@free.fr>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14175.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 09776c5b52df13121504e07894a26d5cd1883317)

8 years ago: Fix '--dev null'
Gert Doering [Fri, 24 Feb 2017 13:52:22 +0000 (14:52 +0100)] 
Fix '--dev null'

To test whether a server is reachable and all the key handling is
right, openvpn can connect with "--dev null --ifconfig-noexec" to
avoid needing to run the client with elevated privileges.

This was erroring out for no good reason (because the "set environment
variables appropriately" code didn't know if this is a tun or tap
device...) - treat --dev null as "tap", done.

Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20170224135222.44640-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14186.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 22c5381b71710ad0e1dbbccc1d5680fccb602311)

8 years ago: fix typo in notification message
Christian Hesse [Fri, 24 Feb 2017 12:22:52 +0000 (13:22 +0100)] 
fix typo in notification message

Signed-off-by: Christian Hesse <mail@eworm.de>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20170224122252.15199-1-list@eworm.de>
URL: http://www.mail-archive.com/search?l=mid&q=20170224122252.15199-1-list@eworm.de
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit b13bc6c9570e00d12e26bb3b8e5bf9bdb0b16eff)

8 years ago: OpenSSL: 1.1 fallout - fix configure on old autoconf
Steffan Karger [Thu, 23 Feb 2017 10:35:38 +0000 (11:35 +0100)] 
OpenSSL: 1.1 fallout - fix configure on old autoconf

Older versions of autoconf generate an empty "else fi" block for empty
fields in an AC_CHECK_FUNCS() macro.  This breaks on e.g. RHEL6.

Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1487846138-22231-1-git-send-email-steffan.karger@fox-it.com>
URL: http://www.mail-archive.com/search?l=mid&q=1487846138-22231-1-git-send-email-steffan.karger@fox-it.com
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 07372a0fdeb3638204d197d0614f776a0eb73ab9)

8 years ago: Add openssl_compat.h to openvpn_SOURCES
Gert Doering [Thu, 23 Feb 2017 08:49:54 +0000 (09:49 +0100)] 
Add openssl_compat.h to openvpn_SOURCES

Commit b936ddfb63 introduced a new header file but forgot to include
it in the list of openvpn_SOURCES, so it did not get bundled in the
generated tarballs.

Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20170223084954.58464-1-gert@greenie.muc.de>
URL: http://www.mail-archive.com/search?l=mid&q=20170223084954.58464-1-gert@greenie.muc.de
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 827c05732b0414dbf3cc05bf4ae6bfda042eadd3)

8 years ago: Fix segfault when using crypto lib without AES-256-CTR or SHA256
Simon Matter [Tue, 21 Feb 2017 19:34:15 +0000 (20:34 +0100)] 
Fix segfault when using crypto lib without AES-256-CTR or SHA256

Openvpn segfaults on RHEL5/CentOS5 when using --tls-crypt, because it
doesn't have AES-256-CTR support:

openvpn[15330]: OpenVPN 2.4.0 x86_64-redhat-linux-gnu [SSL (OpenSSL)]
[LZO] [LZ4] [EPOLL] [MH/PKTINFO] built on Jan 17 2017
openvpn[15330]: library versions: OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008,
LZO 2.09, LZ4 1.7.5
openvpn[15331]: NOTE: the current --script-security setting may allow this
configuration to call user-defined scripts
kernel: openvpn[15331]: segfault at 0000000000000008 rip 000000000040ebe0
rsp 00007fffdcfc5738 error 4

This patch fixes it so it shows:

openvpn[424]: ERROR: --tls-crypt requires AES-256-CTR support.
openvpn[424]: Exiting due to fatal error

Trac: #825
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <345db0ac-f6e8-8490-a80a-ffbd81972c07@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14138.html

Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 2fe5547c1df854d41611633ea533649fe88e3031)

8 years ago: OpenSSL: don't use direct access to the internal of X509_OBJECT
Emmanuel Deloget [Fri, 17 Feb 2017 22:00:42 +0000 (23:00 +0100)] 
OpenSSL: don't use direct access to the internal of X509_OBJECT

OpenSSL 1.1 does not allow us to directly access the internal of
any data type, including X509_OBJECT. We have to use the defined
functions to do so.

Compatibility with OpenSSL 1.0 is kept by defining the corresponding
functions when they are not found in the library.

Signed-off-by: Emmanuel Deloget <logout@free.fr>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <c849c9778d2b2faa4eb4d31367b37d993da5eb85.1487368114.git.logout@free.fr>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14080.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 47191f49890ee5c53fa78a8ce9bf96b9c8d27a82)

8 years ago: OpenSSL: don't use direct access to the internal of X509_STORE
Emmanuel Deloget [Fri, 17 Feb 2017 22:00:41 +0000 (23:00 +0100)] 
OpenSSL: don't use direct access to the internal of X509_STORE

OpenSSL 1.1 does not allow us to directly access the internal of
any data type, including X509_STORE. We have to use the defined functions
to do so.

Compatibility with OpenSSL 1.0 is kept by defining the corresponding
functions when they are not found in the library.

Signed-off-by: Emmanuel Deloget <logout@free.fr>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <8e6d66e3a9a40abb3d7c99c48ba59bad1037d0ef.1487368114.git.logout@free.fr>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14076.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit f05665df4150c6a345eec5432a02fd799bea0f2c)

8 years ago: OpenSSL: don't use direct access to the internal of SSL_CTX
Emmanuel Deloget [Fri, 17 Feb 2017 22:00:40 +0000 (23:00 +0100)] 
OpenSSL: don't use direct access to the internal of SSL_CTX

OpenSSL 1.1 does not allow us to directly access the internal of
any data type, including SSL_CTX. We have to use the defined functions
to do so.

Compatibility with OpenSSL 1.0 is kept by defining the corresponding
functions when they are not found in the library.

Signed-off-by: Emmanuel Deloget <logout@free.fr>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <a77187a66affdba318ef70e0e218b69cdad509d1.1487368114.git.logout@free.fr>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14088.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 6554ac9fed9c5680f22aa4722e6e07ebf3aa3441)

8 years ago: OpenSSL: don't use direct access to the internal of X509_STORE_CTX
Emmanuel Deloget [Fri, 17 Feb 2017 22:00:48 +0000 (23:00 +0100)] 
OpenSSL: don't use direct access to the internal of X509_STORE_CTX

OpenSSL 1.1 does not allow us to directly access the internal of
any data type, including X509_STORE_CTX. We have to use the defined
functions to do so.

Fortunately, these functions have existed since the dawn of time so
we don't have any compatibility issue here.

Signed-off-by: Emmanuel Deloget <logout@free.fr>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <11477a0a3cf636572c84e0110a6f1b726bc60c2c.1487368114.git.logout@free.fr>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14085.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 88046ad9e8e333259ae6fb4a295a9931a1a0e47f)

8 years ago: fix redirect-gateway behaviour when an IPv4 default route does not exist
Antonio Quartulli [Thu, 19 Jan 2017 16:25:18 +0000 (00:25 +0800)] 
fix redirect-gateway behaviour when an IPv4 default route does not exist

When no IPv4 default route exists, the "redirect-gateway" routine
aborts even if the sub-option "local" was specified or if we are
connecting to the remote host using IPv6.

This is not expected because in either case OpenVPN should not
bother checking the existence of the default route as it is not
required at all.

Therefore, skip the IPv4 default route check when "local" is
specified or we are connecting to an IPv6 remote host.

Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20170119162518.31752-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13905.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 14670a9d654be48f92b58ac47e6f74d3dcfe1733)

8 years ago: attempt to add IPv6 route even when no IPv6 address was configured
Antonio Quartulli [Tue, 31 Jan 2017 11:21:31 +0000 (19:21 +0800)] 
attempt to add IPv6 route even when no IPv6 address was configured

Even if no IPv6 address is configured, OpenVPN still supports
transporting IPv6 segments, therefore adding an IPv6 route
should always be allowed.

However, the route might fail to be installed or may just not work
as expected, therefore, a proper warning should be printed to inform
the user of the possible pitfall.

Always allow adding an IPv6 route and print a WARNING when
no IPv6 address is configured for the interface.

Trac: #832
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20170131112131.13570-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13994.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 2b7650e7ec9241745e4f66c932d6cffaece927d7)

8 years ago: Fix user's group membership check in interactive service to work with domains
Selva Nair [Sat, 14 Jan 2017 21:16:29 +0000 (16:16 -0500)] 
Fix user's group membership check in interactive service to work with domains

Currently the username unqualified by the domain is used to validate
a user which fails for domain users. Instead authorize the user

(i) if the built-in admin group or ovpn_admin group is in the process token
(ii) else if the user's SID is in the built-in admin or ovpn_admin groups

The second check is needed to recognize dynamic updates to group membership
on the local machine that will not be reflected in the token.

These checks do not require connection to a domain controller and will
work even when user is logged in with cached credentials.

Trac: #810

v2: include the token check as described above

Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1484428589-7882-1-git-send-email-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13877.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit e82733a1ab78062feca28578fe505b275a2356a6)

8 years ago: OpenSSL: check for the SSL reason, not the full error
Emmanuel Deloget [Fri, 17 Feb 2017 22:00:53 +0000 (23:00 +0100)] 
OpenSSL: check for the SSL reason, not the full error

OpenSSL 1.1 changed the SSLv3 API and removed many SSL_L_SSL3_*
constants. Moreover, new code might use different function
code for the same error.

Thus, we extract the error reason from the error code before
we compare it instead of trying to rebuild an error code
that might not be correct.

The new version is compatible with OpenSSL 1.0.x as well as
with older versions (starting at 0.9.8).

Signed-off-by: Emmanuel Deloget <logout@free.fr>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <0e0d4a67192b563cd07d3f06685f85e34c304142.1487368114.git.logout@free.fr>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14087.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 6ddc43d1bf9b3ea3ee5db8c50d56a98fe4db4c97)

8 years ago: Fix building with LibreSSL 2.5.1 by cleaning a hack.
Olivier Wahrenberger [Mon, 13 Feb 2017 18:38:26 +0000 (19:38 +0100)] 
Fix building with LibreSSL 2.5.1 by cleaning a hack.

Similar to what is done in curl: https://github.com/curl/curl/blob/028391df5d84d9fae3433afdee9261d565900355/lib/vtls/openssl.c#L603-L619

Use SSL_CTX_get0_privatekey() for OpenSSL >= 1.0.2

Signed-off-by: Olivier Wahrenberger <olivierw.ml@gmail.com>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20170213183826.73008-1-O2Graphics@users.noreply.github.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14045.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit dcfd3b6173d8cdb4658de23db1dd0bd932b390d2)

8 years ago: Resolve several travis-ci issues
Ilya Shipitsin [Sun, 29 Jan 2017 06:58:11 +0000 (11:58 +0500)] 
Resolve several travis-ci issues

MBEDTLS_VERSION, OPENSSL_VERSION were defined twice - in both
.travis.yml and .travis/build-deps.sh files, the last one
defined OPENSSL_VERSION via nonexistent OPENSSL_VERION
variable, which led us to use openssl-1.0.1 instead of
openssl-1.0.2, I removed variable definition from build-deps.sh.

"cache: [ apt: true ]" is not a travis supported option, it was
introduced by mistake, I removed it.

LD_LIBRARY_PATH was defined for the entire test run, it includes
custom openssl build, which was picked by "wget", so "wget"
could not verify SSL cert at https://www.openssl.org sometimes.
We do not want wget to pick our custom LD_LIBRARY_PATH, so I moved
that variable to "script" section.

LD_LIBRARY_PATH was defined for both linux and osx environments,
for the second DYLD_LIBRARY_PATH must be defined instead.

v2: Upgrade openssl, mbedtls to the most recent versions
v3: DYLD_LIBRARY_PATH was defined via LD_LIBRARY_PATH by mistake

Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <1485673091-7600-1-git-send-email-chipitsine@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13983.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
(cherry picked from commit 208c03ea145ed89083c43267733487c99a805069)

8 years ago: plugin: Remove GNUism in openvpn-plugin.h generation
Christian Hesse [Fri, 27 Jan 2017 08:49:27 +0000 (09:49 +0100)] 
plugin: Remove GNUism in openvpn-plugin.h generation

The plugin path handling cleanup (4590c383) introduced GNUism and broke
builds on systems not using GNU Make (like *BSD).

Revert back to let configure generate the header file. Instead let make
add an extra CFLAG that defines PLUGIN_LIBDIR.

Signed-off-by: Christian Hesse <mail@eworm.de>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20170127084927.21040-1-list@eworm.de>
URL: http://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13966.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
(cherry picked from commit 631812fe29c69d0034628ab8321cb4016cb4fc2d)

8 years ago: Clean up plugin path handling
Christian Hesse [Wed, 25 Jan 2017 20:19:47 +0000 (21:19 +0100)] 
Clean up plugin path handling

Drop --with-plugindir, instead use an environment variable PLUGINDIR
to specify the plugin directory.

This puts a define into include/openvpn-plugin.h.in which has the plugin
directory.

The configure script does not know about the final plugin path. Thus we
have to make Make generate the final header file for us.

As the path is always available remove the compile time condition (and
dead code) from src/openvpn/plugin.c.

v2: The configure script can not evaluate the final $libdir path. So
    use make to create a header file containing the final path.

v3: Fix whitespace errors and gitignore location.

v4: No extra header file, generate src/openvpn/plugin.h on the fly.
    Remove condition and dead code.

v5: Move the define to include/openvpn-plugin.h.in and let make generate
    the final header file.

Signed-off-by: Christian Hesse <mail@eworm.de>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20170125201947.17197-1-list@eworm.de>
URL: http://www.mail-archive.com/search?l=mid&q=20170125201947.17197-1-list@eworm.de
Signed-off-by: David Sommerseth <davids@openvpn.net>
(cherry picked from commit 4590c3831d0400096fab08aa1ed7f909da870ced)

8 years ago: systemd: Add more security features for systemd units
Christian Hesse [Tue, 27 Dec 2016 22:18:32 +0000 (23:18 +0100)]
systemd: Add more security features for systemd units

ProtectSystem=true mounts the /usr and /boot directories read-only.

ProtectHome=true makes the directories /home, /root and /run/user
inaccessible and empty for the process.

See systemd.exec(5) [0] for details.

v2: Replace ProtectSystem=strict with ProtectSystem=true. Some
    configurations may want to write to /etc or the like.

[0] https://www.freedesktop.org/software/systemd/man/systemd.exec.html

Signed-off-by: Christian Hesse <mail@eworm.de>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20161227221832.610-1-list@eworm.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13743.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
(cherry picked from commit 76096c605fcac4815674b6ae76ac1f31f03a8186)

8 years ago  systemd: Do not race on RuntimeDirectory
Christian Hesse [Tue, 24 Jan 2017 14:39:47 +0000 (15:39 +0100)] 
systemd: Do not race on RuntimeDirectory

Different unit instances create and destroy the same RuntimeDirectory.
This leads to running instances where the status file (and possibly
more runtime data) is no longer accessible.

So do not handle this in unit files but provide a tmpfiles.d
configuration and let systemd-tmpfiles do the work.
Nobody will (unintentionally) delete the directories and their content.
As /run is volatile we do not have to care about cleanup.

Signed-off-by: Christian Hesse <mail@eworm.de>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20170124143947.27385-2-list@eworm.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13939.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
(cherry picked from commit 3de7be7b17de879a78eea4afe4c918c6104c635d)

8 years ago  systemd: Use automake tools to install unit files
Christian Hesse [Tue, 24 Jan 2017 14:39:46 +0000 (15:39 +0100)] 
systemd: Use automake tools to install unit files

If systemd is enabled we install unit files to $libdir/systemd/system
(or the path specified by SYSTEMD_UNIT_DIR).
The unit files are generated on the fly with matching $sbindir.

Signed-off-by: Christian Hesse <mail@eworm.de>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20170124143947.27385-1-list@eworm.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13940.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
(cherry picked from commit ca5b4c2aad2370be7862660d274b7485f2d0af71)

8 years ago  systemd: Move the READY=1 signalling to an earlier point
David Sommerseth [Tue, 24 Jan 2017 23:23:44 +0000 (00:23 +0100)] 
systemd: Move the READY=1 signalling to an earlier point

Currently, OpenVPN will first tell systemd it is ready once the
log is appended with "Initialization Sequence Completed".
This turns out to cause some issues in several places.

First, it adds challenges if --chroot is used in the configuration;
this is already fixed.  Secondly, it will cause havoc on static key
p2p mode configurations where the log line above will not happen
before either side has completed establishing a connection.  And
thirdly, if a client configuration fails to establish a connection
within 90 seconds, it will also fail.  For the third case this may
not be a critical issue itself, as the host just needs to get
Internet access established first - which in some scenarios may
take much longer than those 90 seconds systemd grants after the
OpenVPN client configuration is started.

The approach this patch takes is to consider OpenVPN ready when
all the initial preparations and configurations have completed - but
before a connection to a remote side has been attempted.  This
also removes the need for specially handling the --chroot scenario.

The final "Initialization Sequence Completed" message update is
kept (though slightly simplified) to indicate we're in a good
state - even though this update will not be visible if --chroot
is used (which was the situation also before this patch).

Trac: #827, #801
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Christian Hesse <mail@eworm.de>
Message-Id: <20170124232344.7825-1-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13945.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
(cherry picked from commit e83a8684f0a0d944e9d53cdad2b543cfd1b6fbae)

8 years ago  Use SHA256 for the internal digest, instead of MD5
Steffan Karger [Sun, 22 Jan 2017 16:04:41 +0000 (17:04 +0100)] 
Use SHA256 for the internal digest, instead of MD5

Our internal options digest uses MD5 hashes to store the state, instead of
storing the full options string.  There's nothing wrong with that, but it
would still be better to use SHA256 because:
 * That makes it easier to make OpenVPN "FIPS-compliant" (forbids MD5)
 * We don't have to explain anymore that MD5 is fine too

The slightly fewer bytes for the digest (16 instead of 32) and operations
per connection setup are not worth sticking to MD5.

Note that should SHA256 not be available in the crypto lib, OpenVPN will
refuse to start and shout "Message hash algorithm 'SHA256' not found".

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <1485101081-9784-1-git-send-email-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13926.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
(cherry picked from commit 5b48e8c9f85442936f744c3c550d9d41fe8c7b60)

8 years ago  git: Merge .gitignore files into a single file
David Sommerseth [Fri, 20 Jan 2017 21:04:57 +0000 (22:04 +0100)] 
git: Merge .gitignore files into a single file

We already track a lot of files over the whole directory structure
in the main .gitignore file.  But a few additional ones had been
added into some of the subdirectories.

This unifies all these files into a master file for the whole project,
making it easier to know where to look at and edit if changes need
to be done.

Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Steffan Karger <steffan@karger.me>
Message-Id: <20170120210457.3383-1-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13916.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
(cherry picked from commit d14b3c60c7796736e07bc3cddb0ab3a58475793e)

8 years ago  Add a check for -Wl, --wrap support in linker
Selva Nair [Wed, 18 Jan 2017 20:42:52 +0000 (15:42 -0500)] 
Add a check for -Wl, --wrap support in linker

- Also make tests that require --wrap option to be
  conditional on this support

[ DS: Removed AC_DEFINE([HAVE_LD_WRAP_SUPPORT],...) at commit time
      as we now see no real use for such a #define in config.h ]

Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <1484772172-19758-1-git-send-email-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13897.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
(cherry picked from commit f91ab283a407e25c4b32aecb390911b212ce2694)

8 years ago  More broadly enforce Allman style and braces-around-conditionals
Steffan Karger [Sat, 14 Jan 2017 14:10:20 +0000 (15:10 +0100)] 
More broadly enforce Allman style and braces-around-conditionals

We want { and } aligned, which means also adding a newline between each
for() and {, while() and {, etc.

Also, we agreed to always use braces with conditionals.  The previous
uncrustify config added these for if()s, now also add these for while()
and for().

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1484403020-6857-1-git-send-email-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13875.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
(cherry picked from commit 4cd4899e8e80efae03c584a760fd107251735723)

8 years ago  management: Remove a redundant #ifdef block
David Sommerseth [Tue, 10 Jan 2017 20:34:33 +0000 (21:34 +0100)] 
management: Remove a redundant #ifdef block

Basically merges two independent #ifdef ENABLE_MANAGEMENT blocks into
a single block, which makes the logic flow easier to read.

Signed-off-by: David Sommerseth <davids@openvpn.net>
Cc: Selva Nair <selva.nair@gmail.com>
Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <1484080473-10415-2-git-send-email-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13852.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
(cherry picked from commit 7b02cc2aa8318dc8f2677064dadcbec295b2f937)

8 years ago  management: >REMOTE operation would overwrite ce change indicator
David Sommerseth [Tue, 10 Jan 2017 20:34:32 +0000 (21:34 +0100)] 
management: >REMOTE operation would overwrite ce change indicator

If the management interface on a client received a signal while waiting
for input on the management channel, the "connection entry changed" status
would be overwritten even though nothing was changed.  This could lead
to connecting to the wrong server.

This patch improves this by adding a check if a bool value was changed to
false.  This change happens only on signals.

Further, the former 'ret' value has been renamed to 'ce_changed', to
clarify what the expected return value contains.  Plus adding some comments
related to this.

And finally do some code style cleanup, breaking up too long lines, adding
some air here and there to improve the readability.

Signed-off-by: David Sommerseth <davids@openvpn.net>
Cc: Selva Nair <selva.nair@gmail.com>
Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <1484080473-10415-1-git-send-email-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13851.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
(cherry picked from commit e81f313a71e548638d9e9679226ee84b3b614f13)

8 years ago  man: fix formatting for alternative option
Christian Hesse [Wed, 28 Dec 2016 07:54:20 +0000 (08:54 +0100)] 
man: fix formatting for alternative option

This looked like...

    --server-poll-timeout n
        --connect-timeout n when connecting to [...]

... and this patch changes this to...

    --server-poll-timeout n, --connect-timeout n
        When connecting to [...]

... preserving correct highlighting.

Signed-off-by: Christian Hesse <mail@eworm.de>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20161228075420.348-1-list@eworm.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13747.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
(cherry picked from commit d0d8a4b5f875bc802117647b20a3caa6d4fdb375)

8 years ago  Always release dhcp address in close_tun() on Windows.
Selva Nair [Tue, 3 Jan 2017 20:38:03 +0000 (15:38 -0500)] 
Always release dhcp address in close_tun() on Windows.

Also make sure --dhcp-pre-release results in not just dhcp_release()
in open_tun() but a subsequent dhcp_renew() as well. Otherwise the dhcp
transaction gets aborted, as this call to release() happens after the
adapter status is changed to connected.

Fixes Trac #807 (but can't say the same for Trac #665 without knowing
how to reproduce it)

v2: Mark --dhcp-release as obsolete in manpage and option parser, and
remove the unused dhcp_release variable.
Enforce dhcp-renew with dhcp-pre-release while parsing the option
instead of in open_tun().

Trac: #807

Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1483475883-17450-1-git-send-email-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13814.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit db5b9b45508ea8f66ea80565279af3edd9300499)

8 years ago  Crash in options.c
Gisle Vanem [Mon, 2 Jan 2017 16:17:51 +0000 (17:17 +0100)] 
Crash in options.c

When compiling with --disable-crypto, openvpn would crash on --help as
commit 5d429efd97 introduced an extra %d into the "usage_message" string
but forgot to add it to the #ifndef ENABLE_CRYPTO fprintf() call.

Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <9d41f9dd-a587-5c1e-2e0d-ebb6c921f4ae@yahoo.no>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13808.html

Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 49629380a7bdba25c24c9d410b79946fe29249f0)

8 years ago  Fix push options digest update
Selva Nair [Tue, 3 Jan 2017 21:42:18 +0000 (16:42 -0500)] 
Fix push options digest update

Trac: #812

Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1483479738-17672-1-git-send-email-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13816.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit a5dbf8c8dab23c47407c3f833c4f4aae52408af1)

8 years ago  Preparing OpenVPN v2.4.0 release (tag: v2.4.0)
David Sommerseth [Mon, 26 Dec 2016 12:46:05 +0000 (13:46 +0100)] 
Preparing OpenVPN v2.4.0 release

Signed-off-by: David Sommerseth <davids@openvpn.net>
8 years ago  build: Ensure Changes.rst is shipped and installed as a doc file
David Sommerseth [Tue, 27 Dec 2016 10:52:24 +0000 (11:52 +0100)] 
build: Ensure Changes.rst is shipped and installed as a doc file

Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1482835944-563-1-git-send-email-davids@openvpn.net>
URL: http://www.mail-archive.com/search?l=mid&q=1482835944-563-1-git-send-email-davids@openvpn.net
(cherry picked from commit 7fb22ea0bc483b5a128bcc23ce9a156c8fadac3a)

8 years ago  Textual fixes for Changes.rst
Steffan Karger [Mon, 26 Dec 2016 19:15:43 +0000 (20:15 +0100)] 
Textual fixes for Changes.rst

We will likely refer many people to the Changes.rst file once we've
released 2.4.  This commit tries to polish the language a bit, and
adds two real changes:

 - Remove duplicate mention of the changed --tls-cipher defaults

 - Move the 'redirect-gateway' behavioural change from 'features' to
   'behavioural changes'.

v2 - On the fly commit changes, based on comments from Selva Nair.
     DS also added a few minor corrections on top of that.

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <1482779743-9548-1-git-send-email-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13732.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
(cherry picked from commit f38942d1440575e23d9f8713db435b434381486e)

8 years ago  man: Remove references to no longer present IV_RGI6 peer-info
David Sommerseth [Mon, 26 Dec 2016 12:26:43 +0000 (13:26 +0100)] 
man: Remove references to no longer present IV_RGI6 peer-info

Commit 554504c5e2692c3e6cfd3f removed the IV_RGI6 peer-info signalling
but forgot to update the man page.  Removing this reference as well.

Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1482755203-23968-1-git-send-email-davids@openvpn.net>
URL: http://www.mail-archive.com/search?l=mid&q=1482755203-23968-1-git-send-email-davids@openvpn.net
(cherry picked from commit 4ba943b02aa728aa077a0b3be79626b0f20ea8a7)

8 years ago  Remove IV_RGI6=1 peer-info signalling.
Gert Doering [Sun, 25 Dec 2016 10:59:19 +0000 (11:59 +0100)] 
Remove IV_RGI6=1 peer-info signalling.

This is no longer needed, as anything 2.4 or later is known to have
this functionality, and IV_VER can be used to detect this on the server.

Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Steffan Karger <steffan@karger.me>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20161225105919.25792-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13706.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
(cherry picked from commit 392c9e47f6418612bc2a4932faf22bb711e65a54)

8 years ago  man: encourage user to read on about --tls-crypt
Steffan Karger [Sun, 25 Dec 2016 22:02:14 +0000 (23:02 +0100)] 
man: encourage user to read on about --tls-crypt

As suggested by krzee in trac #790, refer to the --tls-crypt option
from the --tls-auth section of the man page, to encourage users to
check out the --tls-crypt feature.

Trac: #790
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <1482703334-18949-1-git-send-email-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13713.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
(cherry picked from commit 403dfe1bfdbdf6e5f8abac3401a96852562aec54)

8 years ago  Document that RSA_SIGN can also request TLS 1.2 signatures
Steffan Karger [Sun, 25 Dec 2016 22:38:25 +0000 (23:38 +0100)] 
Document that RSA_SIGN can also request TLS 1.2 signatures

Ever since we have supported TLS 1.2 (OpenVPN 2.3.3+), RSA_SIGN might not
only request MD5-SHA1 'TLS signatures', but also other variants.
Document this by updating the implementation hints, and explicitly
stating that we expect a PKCS#1 1.5 signature.

Trac: #764
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1482705505-20302-1-git-send-email-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13714.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
(cherry picked from commit 1e36b814073c0f56c77e4922cc105f00b8558e7e)

8 years ago  docs: Further enhance the documentation related to SWEET32
David Sommerseth [Fri, 23 Dec 2016 16:07:44 +0000 (17:07 +0100)] 
docs: Further enhance the documentation related to SWEET32

The git master/2.4 code lacked some useful information about
the changes to --reneg-bytes, SWEET32 and weak ciphers (cipher
blocks smaller than 128 bits)

v2 - Fixed a couple of grammar/typo issues

Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Steffan Karger <steffan@karger.me>
Message-Id: <1482509264-24550-1-git-send-email-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13682.html
(cherry picked from commit a256aee8e70ceb7059b9da69bc3e7cccbd094916)

8 years ago  Update copyrights
David Sommerseth [Wed, 21 Dec 2016 20:00:54 +0000 (21:00 +0100)] 
Update copyrights

Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Steffan Karger <steffan@karger.me>
Message-Id: <1482350454-27280-4-git-send-email-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13655.html

8 years ago  dev-tools: Added script for updating copyright years in files
David Sommerseth [Mon, 19 Dec 2016 18:52:12 +0000 (19:52 +0100)] 
dev-tools: Added script for updating copyright years in files

Very simple tool which modifies the Copyright lines in all git checked-in
files with an updated year.  Lines only listing a single year (2016) will
be modified to list a range instead.

Only the Copyright lines of specific owners will be modified.  The
script will need to be slightly updated to cover more owners.  See the
UPDATE_COPYRIGHT_LINES line in the script for the currently set owners.

v2 - On-the-fly-commit-update: use vendor/ instead of cmocka and
     add @sophos.com to the list of copyright holders to update

Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Steffan Karger <steffan@karger.me>
Message-Id: <1482173532-25132-1-git-send-email-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13645.html
(cherry picked from commit da8f11f895bb78174d4412d82a6992c398da495a)

8 years ago  Preparing OpenVPN v2.4_rc2 release (tag: v2.4_rc2)
David Sommerseth [Fri, 16 Dec 2016 10:58:51 +0000 (11:58 +0100)] 
Preparing OpenVPN v2.4_rc2 release

Signed-off-by: David Sommerseth <davids@openvpn.net>
8 years ago  auth-gen-token: Hardening memory cleanup on auth-token failures
David Sommerseth [Fri, 16 Dec 2016 10:25:07 +0000 (11:25 +0100)] 
auth-gen-token: Hardening memory cleanup on auth-token failures

Further improve the memory management when a client's --auth-token
fails the server side token authentication enabled via --auth-gen-token.

v2 - Add ASSERT() if base64 encoding of token fails
v3 - Use proper boolean logic in ASSERT()
v4 - Rebase against The Great Reformatting

Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1481883907-26413-1-git-send-email-davids@openvpn.net>
URL: http://www.mail-archive.com/search?l=mid&q=1481883907-26413-1-git-send-email-davids@openvpn.net

8 years ago  Don't reopen tun if cipher changes
Steffan Karger [Thu, 15 Dec 2016 21:46:06 +0000 (22:46 +0100)] 
Don't reopen tun if cipher changes

When the pulled options change, OpenVPN will attempt to reopen the tun
device.  That might fail if the process has already dropped privileges,
and is not needed unless the tun MTU is changed.  This patch therefore
ignores the cipher value for the digest if a fixed tun-mtu is used.

Additionally, this patch changes the md_ctx_update() call to include the
trailing zero byte of each option, to make sure that parsing "foo,bar"
results in a different hash than "foobar".  (Sorry for not catching that
during the review...)

The unit tests are a bit lame, but it secretly serves as a way to lower
the bar for adding more buffer.c unit tests.

Trac: #761
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <1481838366-32335-1-git-send-email-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13579.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
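
An added example, not OpenVPN's own code, of the two points in this message: feeding each token's terminating zero byte into the digest so that "foo,bar" and "foobar" hash differently, and leaving the "cipher ..." token out of the digest when the tun MTU is fixed. FNV-1a 64 stands in for the crypto library's SHA256 context (the collision does not depend on the hash function), and the "skip cipher when tun-mtu is fixed" rule is an assumption modelled on the commit text, not OpenVPN's actual option-handling code.

```c
/* Added example, not OpenVPN's code: why an options digest must feed the
 * token terminator into the hash, and how a "cipher" token can be left out
 * when the tun MTU is fixed. FNV-1a 64 stands in for the crypto library's
 * SHA256 context; the "foo,bar" vs "foobar" ambiguity does not depend on
 * the hash function. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_TOKENS 32

typedef struct { uint64_t state; } digest_ctx;

static void digest_init(digest_ctx *ctx)
{
    ctx->state = 0xcbf29ce484222325ULL;   /* FNV-1a 64-bit offset basis */
}

/* Streaming update, analogous to md_ctx_update(ctx, data, len). */
static void digest_update(digest_ctx *ctx, const void *data, size_t len)
{
    const unsigned char *p = data;
    for (size_t i = 0; i < len; i++)
    {
        ctx->state ^= p[i];
        ctx->state *= 0x100000001b3ULL;   /* FNV-1a 64-bit prime */
    }
}

/* Hash a token list.
 * with_terminator: 1 feeds strlen()+1 bytes per token (the trailing '\0'
 *   marks the token boundary); 0 feeds only the characters (old behaviour).
 * fixed_tun_mtu: 1 skips "cipher ..." tokens, since a cipher change then
 *   does not require reopening the tun device (assumption made for this
 *   example; the real rule lives in OpenVPN's option handling). */
uint64_t digest_tokens(const char **tokens, size_t n,
                       int with_terminator, int fixed_tun_mtu)
{
    digest_ctx ctx;
    digest_init(&ctx);
    for (size_t i = 0; i < n; i++)
    {
        if (fixed_tun_mtu && strncmp(tokens[i], "cipher ", 7) == 0)
        {
            continue;
        }
        digest_update(&ctx, tokens[i],
                      strlen(tokens[i]) + (with_terminator ? 1 : 0));
    }
    return ctx.state;
}

/* Split a comma separated string in place; returns the token count. */
size_t split_commas(char *buf, const char **out, size_t max)
{
    size_t n = 0;
    for (char *tok = strtok(buf, ","); tok && n < max; tok = strtok(NULL, ","))
    {
        out[n++] = tok;
    }
    return n;
}

/* Digest a comma separated pushed-options string such as
 * "tun-mtu 1500,cipher AES-256-GCM". */
uint64_t digest_option_string(const char *options, int with_terminator,
                              int fixed_tun_mtu)
{
    char buf[512];
    const char *tokens[MAX_TOKENS];
    snprintf(buf, sizeof(buf), "%s", options);
    size_t n = split_commas(buf, tokens, MAX_TOKENS);
    return digest_tokens(tokens, n, with_terminator, fixed_tun_mtu);
}

int main(void)
{
    int old_same = digest_option_string("foo,bar", 0, 0)
                   == digest_option_string("foobar", 0, 0);
    int new_same = digest_option_string("foo,bar", 1, 0)
                   == digest_option_string("foobar", 1, 0);
    printf("without terminator, \"foo,bar\" collides with \"foobar\": %s\n",
           old_same ? "yes" : "no");
    printf("with terminator, they collide: %s\n", new_same ? "yes" : "no");
    return 0;
}
```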
8 years ago  Merge 'reformatting' branch into master
David Sommerseth [Thu, 15 Dec 2016 12:45:06 +0000 (13:45 +0100)] 
Merge 'reformatting' branch into master

This concludes the first phase of The Great Reformatting project.

Reviewed-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Steffan Karger <steffan@karger.me>
Message-Id: <3a78050c-8c18-d54e-fc37-330272de6d44@sf.lists.topphemmelig.net>
URL: http://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13556.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
8 years ago  The Great Reformatting - first phase (refs: reformatting, 111/head)
David Sommerseth [Wed, 14 Dec 2016 21:33:21 +0000 (22:33 +0100)] 
The Great Reformatting - first phase

This is the first commit of the big reformatting task.  This
is performed by running the ./dev-tools/reformat-all.sh script.

This is based upon the v3 reformat-all.sh/uncrustify.conf version
which is now applied to git master.

Signed-off-by: David Sommerseth <davids@openvpn.net>
8 years ago  dev-tools: Add reformat-all.sh for code style unification
David Sommerseth [Wed, 14 Dec 2016 21:05:00 +0000 (22:05 +0100)] 
dev-tools: Add reformat-all.sh for code style unification

This script will run all files related to the currently checked out
git branch through uncrustify using a standardized style configuration.

Due to a bug in uncrustify 0.64, it is needed to add a special treatment
to one of the files at the moment.  So this file is both pre- and post-patched
before/after uncrustify is run.  This is simply to assure that all
file processing will happen consistently each time.

Also added doc/doxygen/doc_key_generation.h to an ignore list, as
it carries some specific Doxygen formatting we should be careful with.
This file is anyhow not so critical and can be managed manually.

The src/compat/compat-lz4.[ch] files are also not touched, as they
are based on upstream formatting.  This makes it easier to update
to a newer LZ4 version later on and even see what the differences
are.

v2 - Include updated config from CodeStyle wiki page
     Remove line length restriction for The Great Reformatting
     Update the script with improvements by krzee

v3 - Update with a fixed config from the CodeStyle wiki page
     Corrected a typo in the commit message (0.63->0.64)
     Minor changes to the reformat script (no pushd/popd,
     some new lines moved around, bash->sh)

Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Steffan Karger <steffan@karger.me>
Message-Id: <1481749500-8795-1-git-send-email-davids@openvpn.net>
URL: http://www.mail-archive.com/search?l=mid&q=1481749500-8795-1-git-send-email-davids@openvpn.net

8 years ago  Changes.rst: Maintainer update on C99
David Sommerseth [Tue, 13 Dec 2016 12:16:56 +0000 (13:16 +0100)] 
Changes.rst: Maintainer update on C99

Mention for maintainers that we've moved to build with -std=c99 by
default.  Also document that 32-bit RHEL5 builds will need -std=gnu99
to be buildable.

Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1481631416-15377-1-git-send-email-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13518.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
8 years ago  Further enhance async-push feature description
David Sommerseth [Wed, 14 Dec 2016 12:23:30 +0000 (13:23 +0100)] 
Further enhance async-push feature description

Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1481718210-15673-1-git-send-email-davids@openvpn.net>
URL: http://www.mail-archive.com/search?l=mid&q=1481718210-15673-1-git-send-email-davids@openvpn.net

8 years ago  man: mention that --ecdh-curve does not work on mbed TLS builds
Steffan Karger [Tue, 13 Dec 2016 19:51:12 +0000 (20:51 +0100)] 
man: mention that --ecdh-curve does not work on mbed TLS builds

Not needed either, because mbed TLS automatically selects the curve based
on the certificate.

Trac: #789

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <1481658672-5110-1-git-send-email-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13523.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
8 years ago  Unhide a line in man page by fixing a typo
Selva Nair [Tue, 13 Dec 2016 16:11:38 +0000 (11:11 -0500)] 
Unhide a line in man page by fixing a typo

Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Steffan Karger <steffan@karger.me>
Message-Id: <1481645498-22043-1-git-send-email-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13520.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
8 years ago  systemd: Intermediate --chroot fix with the new sd_notify() implementation
David Sommerseth [Wed, 7 Dec 2016 02:51:52 +0000 (03:51 +0100)] 
systemd: Intermediate --chroot fix with the new sd_notify() implementation

Commit c5931897ae8d663e7e introduced support for talking directly
to the systemd service manager about the situation for the OpenVPN
tunnel. This approach makes a lot of sense and is mostly the proper
way to do it.  But it was discovered that it breaks OpenVPN
configurations using --chroot.

The reason sd_notify() calls fail when using chroot() is that
sd_notify() expects to have access to a file as declared in the
$NOTIFY_SOCKET environment variable.  It is the main systemd
instance which is responsible for providing both the environment variable
as well as the socket file sd_notify() should use.  When --chroot
comes into play, the $NOTIFY_SOCKET file will not be available
for OpenVPN any more.

As things are getting close to the 2.4_rc2 release we will not dare
to bring a too invasive fix.  We also need some time to discuss
an appropriate solution.  So this intermediate fix will only
provide a "successful start" message to the systemd service manager
right before chroot() happens.  This will at least resolve the issue
in a safe and non-intrusive way.

Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Christian Hesse <mail@eworm.de>
Message-Id: <1481079112-22990-1-git-send-email-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13416.html
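
An added example, not OpenVPN's or systemd's code, of the mechanism this message describes: the sd_notify() wire protocol is a single datagram to the AF_UNIX socket named in $NOTIFY_SOCKET, and the path must be resolved before chroot() changes the root. The stand-in "service manager" socket under /tmp and the function names are constructed for this example.

```c
/* Added example, not OpenVPN's or systemd's code: the sd_notify() wire
 * protocol done by hand. READY=1 is one datagram sent to the AF_UNIX socket
 * named in $NOTIFY_SOCKET. After chroot() that path no longer resolves from
 * inside the jail, so the message has to go out before chroot() is called. */
#define _POSIX_C_SOURCE 200809L
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Send one notify message to socket_path; 0 on success, -1 on error.
 * A leading '@' selects the Linux abstract namespace, as sd_notify() does. */
int notify_manager(const char *socket_path, const char *message)
{
    if (!socket_path || !*socket_path)
    {
        return -1;
    }
    struct sockaddr_un addr;
    memset(&addr, 0, sizeof(addr));
    addr.sun_family = AF_UNIX;
    size_t len = strlen(socket_path);
    if (len >= sizeof(addr.sun_path))
    {
        return -1;
    }
    memcpy(addr.sun_path, socket_path, len);
    socklen_t addrlen = offsetof(struct sockaddr_un, sun_path) + len;
    if (addr.sun_path[0] == '@')
    {
        addr.sun_path[0] = '\0';   /* abstract socket: leading NUL, no terminator */
    }
    else
    {
        addrlen += 1;              /* filesystem path: include terminating NUL */
    }
    int fd = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (fd < 0)
    {
        return -1;
    }
    ssize_t n = sendto(fd, message, strlen(message), 0,
                       (struct sockaddr *)&addr, addrlen);
    close(fd);
    return (n == (ssize_t)strlen(message)) ? 0 : -1;
}

/* Announce readiness via $NOTIFY_SOCKET. Call this before chroot().
 * Returns 0 if sent, 1 if no service manager is listening, -1 on failure. */
int notify_ready(void)
{
    const char *path = getenv("NOTIFY_SOCKET");
    if (!path || !*path)
    {
        return 1;
    }
    return notify_manager(path, "READY=1\n");
}

/* Stand-in for the service manager (constructed for this example): bind a
 * datagram socket under /tmp, point $NOTIFY_SOCKET at it, send READY=1 and
 * check what arrived. Returns 1 when exactly "READY=1\n" was received. */
int demo_notify_roundtrip(void)
{
    char path[80], buf[64];
    struct sockaddr_un addr;
    snprintf(path, sizeof(path), "/tmp/notify-demo-%ld.sock", (long)getpid());
    memset(&addr, 0, sizeof(addr));
    addr.sun_family = AF_UNIX;
    snprintf(addr.sun_path, sizeof(addr.sun_path), "%s", path);
    unlink(path);
    int mgr = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (mgr < 0 || bind(mgr, (struct sockaddr *)&addr, sizeof(addr)) < 0)
    {
        return 0;
    }
    setenv("NOTIFY_SOCKET", path, 1);
    int rc = notify_ready();          /* what the daemon would do pre-chroot */
    ssize_t n = (rc == 0) ? recv(mgr, buf, sizeof(buf) - 1, 0) : -1;
    close(mgr);
    unlink(path);
    unsetenv("NOTIFY_SOCKET");
    if (n < 0)
    {
        return 0;
    }
    buf[n] = '\0';
    return strcmp(buf, "READY=1\n") == 0;
}

int main(void)
{
    printf("READY=1 delivered before chroot: %s\n",
           demo_notify_roundtrip() ? "yes" : "no");
    /* Inside a chroot the manager's socket path is unreachable; a path that
     * does not exist under the current root mimics that failure. */
    printf("send with unreachable path: %d\n",
           notify_manager("/nonexistent/jail/notify", "READY=1\n"));
    return 0;
}
```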

8 years ago  Changes: Further improve systemd unit file updates
David Sommerseth [Fri, 9 Dec 2016 19:52:17 +0000 (20:52 +0100)] 
Changes: Further improve systemd unit file updates

There were some reports that the directories mentioned should
have trailing /, to make it clearer they are directories and not
files.  Also rephrased that sentence slightly to be even clearer
in this aspect.

Signed-off-by: David Sommerseth <davids@openvpn.net>
8 years ago  mbedtls: include correct net/net_sockets header according to version
Magnus Kroken [Fri, 9 Dec 2016 09:07:35 +0000 (10:07 +0100)] 
mbedtls: include correct net/net_sockets header according to version

<mbedtls/net.h> is deprecated as of mbedTLS 2.4.0; it has been renamed
<mbedtls/net_sockets.h>. OpenVPN will fail to build with
mbedTLS 2.4.0 with MBEDTLS_DEPRECATED_REMOVED defined.

Check MBEDTLS_VERSION_NUMBER, and include net.h for < 2.4.0 and
net_sockets.h for >= 2.4.0.

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1481274455-657-1-git-send-email-mkroken@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13451.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
8 years ago  Deprecate --no-iv
Steffan Karger [Wed, 7 Dec 2016 19:20:47 +0000 (20:20 +0100)] 
Deprecate --no-iv

This fixes the bug of supporting --no-iv (since we're only accepting
bugfixes in the current release phase ;) ).

The --no-iv function decreases security if used (CBC *requires*
unpredictable IVs, other modes don't allow --no-iv at all), and even
marginally decreases other users' security by adding unwanted
complexity to our code.

Let's get rid of this.

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1481138447-6292-1-git-send-email-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13430.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
8 years ago  Fix (and cleanup) crypto flags in combination with NCP
Steffan Karger [Wed, 7 Dec 2016 18:01:24 +0000 (19:01 +0100)] 
Fix (and cleanup) crypto flags in combination with NCP

tls_session_update_crypto_params() did not properly set crypto_flags_or,
but instead set crypto_flags_and twice if an OFB/CFB mode was selected.

Also, the crypto flags in ks->crypto_options.flags were set before
tls_session_update_crypto_params() was called, causing those to not be
adjusted.  To fix this, set the crypto flags in
tls_session_generate_data_channel_keys() instead of key_state_init().

While touching that code, remove the _or and _and variables, which are
not needed at all.

Finally, refuse to accept --no-iv if NCP is enabled (we might otherwise
negotiate invalid combinations and ASSERT out later, and using --no-iv is
a bad idea anyway).

Trac: #784

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1481133684-5325-1-git-send-email-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13428.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
8 years ago  Refactor setting close-on-exec for socket FDs
Gert Doering [Tue, 6 Dec 2016 12:26:02 +0000 (13:26 +0100)] 
Refactor setting close-on-exec for socket FDs

The existing code can leak socket FDs to the "--up" script, which is
not desired.  Brought up by Alberto Gonzalez Iniesta, based on debian
bug 367716.

Since different sockets get created at different times, just moving the
set_cloexec() to link_socket_init_phase1() is not good enough - so move
the call into create_socket_<family>(), so we will catch ALL socket
creations, no matter when or under which conditions they will be
created (SOCKS proxy socket, listening socket, ...).

--inetd gets an extra fd_cloexec() call, as the socket FD is inherited.

URL: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=367716

v2: remove set_cloexec() calls from manage.c

v3: add set_cloexec() calls to accept()ed TCP/unix child sockets

Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1481027162-12165-1-git-send-email-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13405.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
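
An added example, not OpenVPN's own code, of the fix this message describes: set FD_CLOEXEC inside the socket creation helper so no creation path is missed, apply it to descriptors handed back by other calls (socketpair() here, accept() in a server), and audit which descriptors would still survive an exec() into an external script. Function names and the audit range are assumptions of this example.

```c
/* Added example, not OpenVPN's code: mark socket descriptors close-on-exec
 * at creation time so they are not inherited by child processes such as an
 * "--up" script, and audit which descriptors would still leak across exec(). */
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Mark one descriptor close-on-exec. Returns 0 on success, -1 on error. */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
    {
        return -1;
    }
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC) < 0 ? -1 : 0;
}

/* 1 if fd is open and close-on-exec, 0 if open and inheritable,
 * -1 if fd is not an open descriptor. */
int fd_is_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
    {
        return -1;
    }
    return (flags & FD_CLOEXEC) ? 1 : 0;
}

/* Create a socket and mark it in the same helper, so every creation path
 * (listening, proxy, ...) is covered no matter when it runs. fd or -1. */
int create_socket_cloexec(int domain, int type, int protocol)
{
    int fd = socket(domain, type, protocol);
    if (fd < 0)
    {
        return -1;
    }
    if (set_cloexec(fd) < 0)
    {
        close(fd);
        return -1;
    }
    return fd;
}

/* Count descriptors in [from, to) that are open and would survive exec():
 * the set an external script could reach. Run it right before spawning. */
int count_leaky_fds(int from, int to)
{
    int leaky = 0;
    for (int fd = from; fd < to; fd++)
    {
        if (fd_is_cloexec(fd) == 0)
        {
            leaky++;
        }
    }
    return leaky;
}

/* Returns 1 if a socket made via create_socket_cloexec() carries the flag. */
int check_create_cloexec(void)
{
    int fd = create_socket_cloexec(AF_UNIX, SOCK_DGRAM, 0);
    if (fd < 0)
    {
        return 0;
    }
    int ok = fd_is_cloexec(fd) == 1;
    close(fd);
    return ok;
}

/* Before/after on one inheritable socket: returns how many leaky descriptors
 * set_cloexec() removed (1 when it works). Descriptors returned by
 * socketpair() or accept() need the same treatment as socket(). */
int demo_fix_legacy_socket(void)
{
    int sp[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sp) < 0)
    {
        return -1;
    }
    set_cloexec(sp[1]);                      /* leave sp[0] inheritable */
    int before = count_leaky_fds(3, 1024);
    set_cloexec(sp[0]);
    int after = count_leaky_fds(3, 1024);
    close(sp[0]);
    close(sp[1]);
    return before - after;
}

int main(void)
{
    printf("create_socket_cloexec() sets FD_CLOEXEC: %s\n",
           check_create_cloexec() ? "yes" : "no");
    printf("leaky descriptors removed by set_cloexec(): %d\n",
           demo_fix_legacy_socket());
    return 0;
}
```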
8 years ago  Add "async push" feature to Changes.rst
Lev Stipakov [Wed, 7 Dec 2016 09:56:57 +0000 (11:56 +0200)] 
Add "async push" feature to Changes.rst

[DS: slightly enhanced the --enable-async-push remark to make it
     even more clear it is a build time configuration]

Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <1481104617-3675-1-git-send-email-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13420.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
8 years ago  Arm inotify only in server mode
Lev Stipakov [Tue, 6 Dec 2016 23:45:51 +0000 (01:45 +0200)] 
Arm inotify only in server mode

Async-push is a server side feature and inotify_fd is
initialized in server mode.

Trac: #786
Signed-off-by: Lev Stipakov <lstipakov@gmail.com>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <1481067951-28917-1-git-send-email-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13415.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
8 years ago  Fix wrong configure.ac parsing of --enable-async-push
David Sommerseth [Tue, 6 Dec 2016 22:10:51 +0000 (23:10 +0100)] 
Fix wrong configure.ac parsing of --enable-async-push

AC_ARG_ENABLE() was used wrongly, which led to enable_async_push always
being set, regardless of whether --enable-async-push or --disable-async-push
was used.

Also spotted the exact same patch when writing this commit message as
GitHub PR#70.

Trac: #786
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <1481062251-18349-1-git-send-email-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13411.html

8 years ago  Correctly state the default dhcp server address in man page
Selva Nair [Fri, 2 Dec 2016 19:42:09 +0000 (14:42 -0500)] 
Correctly state the default dhcp server address in man page

Also correct the default ifconfig-pool end in docs and comments

Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1480707729-19578-1-git-send-email-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13387.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
8 years ago  Preparing OpenVPN v2.4_rc1 release (tag: v2.4_rc1)
David Sommerseth [Thu, 1 Dec 2016 23:09:00 +0000 (00:09 +0100)] 
Preparing OpenVPN v2.4_rc1 release

Signed-off-by: David Sommerseth <davids@openvpn.net>
8 years ago  Refuse to daemonize when running from systemd
Christian Hesse [Thu, 1 Dec 2016 21:31:04 +0000 (22:31 +0100)] 
Refuse to daemonize when running from systemd

We start with systemd Type=notify, so refuse to daemonize. This does not
affect starting openvpn from script or command line.

v2: Update commit message about script and command line.

Signed-off-by: Christian Hesse <mail@eworm.de>
Tested-By: Richard Bonhomme <fragmentux@gmail.com>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20161201213104.5667-2-list@eworm.de>
URL: http://www.mail-archive.com/search?l=mid&q=20161201213104.5667-2-list@eworm.de
Signed-off-by: David Sommerseth <davids@openvpn.net>
8 years ago  Use systemd service manager notification
Christian Hesse [Thu, 1 Dec 2016 21:31:03 +0000 (22:31 +0100)] 
Use systemd service manager notification

Notify the systemd service manager when our initialization sequence has
completed. This helps ordering services, as dependencies can rely on the
VPN being available.

v2: Add curly brackets (and indentation) to block the else-part, msg()
    call was non-conditional before.

v3: Move systemd header include from init.h to init.c.

Signed-off-by: Christian Hesse <mail@eworm.de>
Tested-By: Richard Bonhomme <fragmentux@gmail.com>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20161201213104.5667-1-list@eworm.de>
URL: http://www.mail-archive.com/search?l=mid&q=20161201213104.5667-1-list@eworm.de
Signed-off-by: David Sommerseth <davids@openvpn.net>
8 years ago  Mention that OpenVPN 2.4 requires Windows Vista or higher
Samuli Seppänen [Thu, 1 Dec 2016 14:03:05 +0000 (16:03 +0200)] 
Mention that OpenVPN 2.4 requires Windows Vista or higher

Trac: #610

Signed-off-by: Samuli Seppänen <samuli@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1480600985-25074-1-git-send-email-samuli@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13357.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
8 years ago  reload CRL only if file was modified
Antonio Quartulli [Thu, 1 Dec 2016 10:41:45 +0000 (18:41 +0800)] 
reload CRL only if file was modified

In order to prevent annoying delays upon client connection,
reload the CRL file only if it was modified since the last
reload operation.
If not, keep on using the already stored CRL.

This change will boost client connection time in instances
where the CRL file is quite large (dropping from several
seconds to few milliseconds).

Cc: Steffan Karger <steffan.karger@fox-it.com>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20161201104145.23821-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13345.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
8 years ago  Do not restart dns client service as a part of --register-dns processing
Selva Nair [Wed, 30 Nov 2016 21:51:36 +0000 (16:51 -0500)] 
Do not restart dns client service as a part of --register-dns processing

As reported and discussed on Trac #775, restarting the dns service has
unwanted side effects when there are dependent services. And it
appears unnecessary to restart this service to get DNS registered
on Windows.

Resolve by removing two actions from --register-dns:
'net stop dnscache' and 'net start dnscache' run through the service
or directly.

Trac: #775

Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1480542696-7123-1-git-send-email-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13331.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
8 years ago  Force 'def1' method when --redirect-gateway is done through service
Selva Nair [Wed, 30 Nov 2016 00:39:32 +0000 (19:39 -0500)] 
Force 'def1' method when --redirect-gateway is done through service

The service deletes all added routes when the client process (openvpn)
exits, causing the re-instated default route to disappear.
Fix by rewriting "--redirect-gateway" to "--redirect-gateway def1" when
routes are set using interactive service.

Only the behaviour on Windows with interactive service is affected.

Trac: #778

Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1480466372-2396-1-git-send-email-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13307.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
8 years ago  When parsing '--setenv opt xx ..' make sure a third parameter is present
Selva Nair [Wed, 30 Nov 2016 01:53:14 +0000 (20:53 -0500)] 
When parsing '--setenv opt xx ..' make sure a third parameter is present

When no parameters are present, set it to "setenv opt" to trigger a
descriptive error message, and thus get rid of the pesky NULL pointer
dereference.

Trac: #779

Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1480470794-6349-1-git-send-email-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13311.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
8 years ago  Introduce and use secure_memzero() to erase secrets
Steffan Karger [Mon, 28 Nov 2016 22:14:12 +0000 (23:14 +0100)] 
Introduce and use secure_memzero() to erase secrets

As described in trac #751, and shortly after reported by Zhaomo Yang, of
the University of California, San Diego, we use memset() (often through
the CLEAR() macro) to erase secrets after use.  In some cases however, the
compiler might optimize these calls away.

This patch replaces these memset() calls on secrets by calls to a new
secure_memzero() function, that will not be optimized away.

Since we use CLEAR() a LOT of times, I'm not changing that to use
secure_memzero() to prevent performance impact.  I did annotate the macro
to point people at secure_memzero().

This patch also replaces some CLEAR() or memset() calls with a zero-
initialization using "= { 0 }" if that has the same effect, because that
better captures the intent of that code.

Trac: #751

Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1480371252-3880-1-git-send-email-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13278.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
8 years ago  Map restart signals from event loop to SIGTERM during exit-notification wait
Selva Nair [Tue, 29 Nov 2016 02:27:04 +0000 (21:27 -0500)] 
Map restart signals from event loop to SIGTERM during exit-notification wait

Commit 63b3e000c9.. fixed SIGTERM getting lost during exit notification
by ignoring any restart signals triggered during this interval. However,
as reported in Trac 777, this could result in repeated triggering of
restart signals when the event loop cannot continue without restart due
to IO errors or timeout.

Avoid by converting soft SIGUSR1 and SIGHUP signals received during
exit-notify wait period to SIGTERM.

Trac #777

Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1480386424-30876-1-git-send-email-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13284.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
8 years ago  Fix windows path in Changes.rst
Gert Doering [Mon, 28 Nov 2016 19:06:52 +0000 (20:06 +0100)] 
Fix windows path in Changes.rst

Escape backslash characters in windows path names.

Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <1480360012-9479-1-git-send-email-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13274.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
8 years ago  update year in copyright message
Christian Hesse [Mon, 28 Nov 2016 17:08:20 +0000 (18:08 +0100)] 
update year in copyright message

This line has not been touched in a long time... Let's update the
copyright message with the current year.

Signed-off-by: Christian Hesse <mail@eworm.de>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20161128170820.20371-1-list@eworm.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13270.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
8 years ago  Clean up format_hex_ex()
Steffan Karger [Mon, 28 Nov 2016 14:26:40 +0000 (15:26 +0100)] 
Clean up format_hex_ex()

Fix a potential null-pointer dereference, and make the code a bit more
readable while doing so.

The NULL dereference could not be triggered, because the current code
never called format_hex_ex() with maxouput == 0 and separator == NULL.
But it's nicer to not depend on that.

Our use of int vs size_t for lengths needs some attention too, but I'm
not pulling that into this patch.  Instead I decided to just make the
(previously existing) assumption that INT_MAX <= SIZE_MAX explicit by
adding a static_assert().

Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1480343200-25908-1-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13259.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
8 years ago  Unconditionally enable TLS_AGGREGATE_ACK
Steffan Karger [Mon, 28 Nov 2016 14:53:21 +0000 (15:53 +0100)] 
Unconditionally enable TLS_AGGREGATE_ACK

This define has been enabled by default since 2005, and was not
configurable through ./configure (but just by changing ssl.h).  Let's
get rid of it.

Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1480344801-27855-2-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13261.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
8 years ago  tls_process: don't set variable that's never read
Steffan Karger [Mon, 28 Nov 2016 14:53:20 +0000 (15:53 +0100)] 
tls_process: don't set variable that's never read

Found by the clang static analyzer: the state_change variable is set,
but never read afterwards.  This code has been like this since 2005,
makes sense without setting state_change to true, and has worked fine
for the past 11 years.

Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1480344801-27855-1-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13260.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
8 years ago  Preparing OpenVPN v2.4_beta2 release (tag: v2.4_beta2)
David Sommerseth [Thu, 24 Nov 2016 14:04:51 +0000 (15:04 +0100)] 
Preparing OpenVPN v2.4_beta2 release

This also adds a few missing details from Changes.rst

Signed-off-by: David Sommerseth <davids@openvpn.net>
8 years ago  Set IPv6 DNS servers using interactive service
Selva Nair [Thu, 24 Nov 2016 03:35:27 +0000 (22:35 -0500)] 
Set IPv6 DNS servers using interactive service

- Any existing addresses are deleted before adding
- On close_tun all addresses are deleted (only if any were added)

Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1479958527-29491-1-git-send-email-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13222.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
8 years ago  Refactor data channel key generation API
Steffan Karger [Wed, 23 Nov 2016 20:02:05 +0000 (21:02 +0100)] 
Refactor data channel key generation API

Originally for "poor man's NCP", I introduced a simpler API for generating
data channel keys.  That refactoring is no longer needed for that patch,
but I believe it is still worth a patch on its own.

This patch should not change any functionality.

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1479931325-25919-2-git-send-email-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13216.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
8 years ago  Poor man's NCP for non-NCP peers
Steffan Karger [Wed, 23 Nov 2016 21:21:44 +0000 (22:21 +0100)] 
Poor man's NCP for non-NCP peers

Allows non-NCP peers (<= 2.3, or 2.4+ with --ncp-disable) to specify a
--cipher that is different from the one in our config, as long as the new
cipher value is allowed (i.e. in --ncp-ciphers at our side).

This works both client-to-server and server-to-client.  I.e. a 2.4 client
with "cipher BF-CBC" and "ncp-ciphers AES-256-GCM:AES-256-CBC" can connect
to both a 2.3 server with "cipher BF-CBC" as well as a server with
"cipher AES-256-CBC" in its config.  The other way around, a 2.3 client
with either "cipher BF-CBC" or "cipher AES-256-CBC" can connect to a 2.4
server with e.g. "cipher BF-CBC" and "ncp-ciphers AES-256-GCM:AES-256-CBC"
in its config.

This patch was inspired by Gert's "Poor man's NCP for 2.3 clients" patch,
but takes a different approach to avoid the need for server-side scripts
or client-side 'setenv UV_*' tricks.

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1479936104-4045-1-git-send-email-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13218.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
8 years ago  Document the --auth-token option
David Sommerseth [Sat, 17 Sep 2016 13:20:15 +0000 (16:20 +0300)] 
Document the --auth-token option

This isn't an option to be used directly in any configuration files,
but to be used via --client-connect scripts or --plugin making use of
OPENVPN_PLUGIN_CLIENT_CONNECT or OPENVPN_PLUGIN_CLIENT_CONNECT_V2.

 [v2 - Added lacking .B styling of options
     - Clarified the token life time ]

Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1474118415-14666-1-git-send-email-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12506.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
8 years ago  generate_key_expansion: make assumption explicit, use C99 features
Steffan Karger [Tue, 22 Nov 2016 20:09:26 +0000 (21:09 +0100)] 
generate_key_expansion: make assumption explicit, use C99 features

This function potentially allocates memory, and can therefore not be run
again on an initialized key_ctx_bi.  Make this explicit by adding an error
if someone tries to do this anyway.

While touching the function, clean it up a bit to make up for the added
lines of code.

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1479845366-15774-1-git-send-email-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13202.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
8 years ago  Change cmocka remote to use https instead of git protocol
Steffan Karger [Tue, 22 Nov 2016 20:12:08 +0000 (21:12 +0100)] 
Change cmocka remote to use https instead of git protocol

Allows cloning the cmocka submodule from networks where 'anything but
web and mail' is firewalled.

Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1479845528-16068-1-git-send-email-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13203.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
8 years ago  --tls-crypt fixes
Steffan Karger [Tue, 22 Nov 2016 20:41:26 +0000 (21:41 +0100)] 
--tls-crypt fixes

* Check return value of buf_init() (found by coverity)

* Use the TLS frame to determine the buffer size, as is done for the
  reliability buffers used for tls-auth.  (We previously incorrectly used
  the TLS *plaintext* buffer size, which is bigger for typical setups
  with tun-mtu <= 1500.  Using the frame to calculate the size saves some
  bytes for typical setups, and doesn't break setups with big tun-mtu.)

* More carefully handle errors in tls_crypt_wrap() - just drop the packet
  instead of ASSERT()ing out (should not happen in the first place, but
  this is a bit more friendly if it happens somehow anyway).

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1479847286-17518-1-git-send-email-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13204.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>