mirror of https://github.com/OpenVPN/openvpn.git synced 2024-09-20 03:52:28 +02:00
Commit Graph

2625 Commits

Author SHA1 Message Date
Arne Schwabe
6168f53d6b Allow changing fallback cipher from ccd files/client-connect
This allows controlling the fallback cipher that is used when the
client/server do have any common cipher on a per client basis.

The patch is similar to Steffan's

  [PATCH v4] Allow changing cipher from a ccd file.

Steffan's old patch also moves the cipher negotiation to
multi_established_connection() which I independently discovered and
implemented in commit 5e78bf66fa (Extract process_incoming_push_reply
from process_incoming_push_msg)

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200711093655.23686-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20281.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-07-11 18:33:15 +02:00
Arne Schwabe
e539c95dc8 Cleanup: Remove special case code for old poor man's NCP.
Ever since NCPv2, ncp_get_best_cipher uses the global
options->ncp_enabled option and ignores the tls_session->ncp_enabled
option.

The server side's poor man's NCP is implemented as seeing the list
of supported ciphers from the peer as just one cipher so this special
handling for poor man's NCP of the older NCP here is not needed anymore.

Theoretically we can now get rid of tls_session->ncp_enabled but doing
so requires more refactoring since options is not available in the
methods that still use it. And when we remove ncp-disable the variable
will be removed anyway.

This commit moves the data channel key generation for the corner case of a
client not supporting NCP but having the same cipher as the server to
the same function that also generates data channel keys for NCP and
poor man's NCP.

This has an unintended side effect of changing the calculated frame
size for this special case. The old path did call
tls_session_update_crypto_params.
To avoid this change in behaviour, this patch adds a hacky
workaround for this.

A proper solution for this still needs to be found, but this allows the patch
set to be merged.

Document the remaining usage of tls_poor_mans_ncp better.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200709101603.11941-6-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20251.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-07-10 18:05:37 +02:00
Arne Schwabe
07560d9ed1 Generate data channel keys after connect options have been parsed
To simplify the control flow, it makes more sense to generate the
data keys when all the prerequisites for generating the data channel
keys (ncp cipher selection etc) are met instead of delaying it to the
next incoming PUSH_REQUEST message.

This also eliminates the need for the hack introduced by commit
3b06b57d9 to generate the data channel keys on the async file close
event.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200709101603.11941-5-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20253.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-07-10 17:26:13 +02:00
Arne Schwabe
4f378ddb99 Move protocol option negotiation from push_prepare to new function
This cleans up the code and removes the surprising side effects
of preparing a push reply to also select protocol options.

We also remember if we have seen a push request without async
push. This improves reaction time if deferred auth is involved
like management interface deferred auth.  The other benefit is
removing a number of ifdefs.

NOTE: this patch breaks asynchronous authentication (via plugins
and possibly also via management interface).  The next commit will
fix this.  This is understood and hereby documented, but the two
individual commits are much cleaner without trying to fix it here
or squash both together.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200709101603.11941-4-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20255.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-07-10 17:05:58 +02:00
Arne Schwabe
ca514800ca Code cleanup: remove superfluous variable
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20200709101603.11941-8-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20252.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-07-09 21:22:22 +02:00
Arne Schwabe
a657118155 Removed unused definition
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200709101603.11941-7-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20256.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-07-09 20:46:07 +02:00
Arne Schwabe
5e78bf66fa Extract process_incoming_push_reply from process_incoming_push_msg
This is a small refactoring to make both functions more readable. It also
eliminates the ret variable in process_incoming_push_msg that now serves
no purpose anymore.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20200709101603.11941-3-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20254.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-07-09 18:34:16 +02:00
Arne Schwabe
5608041c7b Make key_state->authenticated more state machine like
This orders the states from unauthenticated to authenticated and also
changes the comparison for KS_AUTH_FALSE from != to >

It also adds comments and documents parts using the state machine
better.

Remove a now obsolete comment and two obsolete ifdefs. While
keeping the ifdef in ssl_verify would save a few bytes of code,
this is too minor to justify keeping the ifdef

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20200709101603.11941-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20258.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-07-09 18:02:58 +02:00
Arne Schwabe
2b09c1405f Deprecate ncp-disable and add improved ncp to Changes.rst
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200709101603.11941-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20257.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-07-09 17:45:03 +02:00
Steffan Karger
96ae327add Make openvpn --version exit with exit code 0
For some reason, openvpn --version has since the beginning of time
returned exit code 1. A quick sample among common unix utilities confirms
that the rest of the world agrees with me that 0 makes more sense. Let's
make openvpn --version exit with exit code 0 too.

Signed-off-by: Steffan Karger <steffan.karger@foxcrypto.com>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <E1jsoYQ-0007AZ-BF@sfs-ml-1.v29.lw.sourceforge.com>
URL: https://www.mail-archive.com/search?l=mid&q=E1jsoYQ-0007AZ-BF@sfs-ml-1.v29.lw.sourceforge.com
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-07-07 21:50:28 +02:00
Arne Schwabe
05ffefcca9 Simplify multi_connection_established.
Instead of having the whole function as

        if (x) { func }

do

        if (!x) return;
        func

Due to the whitespace changes in the function body this patch looks
very strange. Ignoring whitespace makes the diff look sane.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20200707121615.15736-3-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20231.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-07-07 21:13:19 +02:00
Gert Doering
008ec688d0 Remove --writepid file on program exit.
For whatever reason, we never removed the pid file on program exit.

Not only this is unclean, but it also makes testing for "I want this
test case to FAIL" in t_client.sh more annoying to code for "is the
OpenVPN process still around?"...

Do not unlink the file if chroot() is active (might be outside the
chroot arena - testing for realpath etc. is left for someone else).

v2: make this work on M_FATAL exit, by unlinking from openvpn_exit() in
error.h - this requires moving write_pid() to init.c so module hierarchy
is maintained and introducing a static variable to save the PID file
name (otherwise it is no longer available when the top level GC is gone).

Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20200707084220.45753-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20224.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-07-07 11:51:34 +02:00
Arne Schwabe
a5e6f2d217 merge key_state->authenticated and key_state->auth_deferred
Both are tightly coupled; often both are checked at the same time.
Merging them into one state makes the code simpler and also brings
us closer in the direction of a state machine

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200706163516.11390-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20216.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-07-06 21:15:45 +02:00
Christopher Schenk
efe01d52e3 Unified success messages for setting mtu
that makes sense. I updated the patch.

Christopher
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200630095443.7188-1-cschenk@mail.uni-paderborn.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20171.html

Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-07-06 17:34:16 +02:00
Lev Stipakov
5b313a3565 tap.c: fix adapter renaming
Turns out that renaming adapter by setting registry key doesn't
really work - while new adapter name is shown in control panel
etc, when one tries to change adapter properties (like set DNS)
with netsh call - it fails:

Fri Mar 13 09:05:36 2020 us=569311 Setting IPv4 dns servers
on 'OpenVPN Wintun' (if_index = 14) using service
Fri Mar 13 09:05:37 2020 us=118028 TUN: adding IPv4 dns failed
using service: Funktio ei kelpaa.   [status=1 if_name=OpenVPN Wintun]

This renames adapter with netsh command, like:

    netsh interface set interface
          name="Local Area Connection 2" newname="OpenVPN Wintun"

Above functionality is used by tapctl.exe and openvpnsica.dll
(during installation).

Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Simon Rozman <simon@rozman.si>
Message-Id: <20200703192029.306-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20207.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-07-06 13:10:02 +02:00
Gert Doering
ec33bae311 t_client.sh: correctly report all failed instances in summary
t_client.sh reports a summary at the end:

  Test sets succeeded: none.
  Test sets failed: 1 2 3 4 5.

for tests that are skipped due to the pre-test ping check ("vpn target
IP must not ping before VPN ist started") the script forgot to add
the instance number to the summary line.  Fixed.

Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20200626082743.15397-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20130.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-07-03 23:50:44 +02:00
Arne Schwabe
c252dcc073 Remove did_open_context, defined and connection_established_flag
multi_instance->defined is not used anywhere.

did_open_context is always set to true when a context is created in
multi_create_instance, so checking it for true is always true.

context_auth is also always set to CAS_PENDING in multi_create_instance.

connection_established_flag is only set to true if context_auth
is changed from CAS_PENDING to one another state, so we can also check
for cas_context != CAS_PENDING.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20200703095506.28559-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20200.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-07-03 16:38:59 +02:00
Arne Schwabe
182a2fdd91 Remove push_reply_deferred variable
The variable has no useful function (anymore?).

There is only one place where this variable was checked

    else if (!c->c2.push_reply_deferred && c->c2.context_auth == CAS_SUCCEEDED)

This condition also depends on context_auth == CAS_SUCCEEDED but the only
code path that sets context_auth = CAS_SUCCEEDED also sets
push_reply_deferred = false;

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20200702125224.13516-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20186.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-07-02 15:20:52 +02:00
Gert Doering
8a168a9ac8 Fix 'engine' unit test on FreeBSD (specifically 'not GNU make')
The rules to generate $(builddir)/openssl.cnf from $(srcdir)/openssl.cnf.in
only worked for GNU Make.  BSD make needs the rules more explicit, and
the target must not have a directory specification (fixes commit
542c69c37).

Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Message-Id: <20200629175109.94276-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20159.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-07-01 16:56:06 +02:00
Antonio Quartulli
712f2629c8 multi.c: use mi->cc_config instead of config variable
Commit ("Remove parameter config from multi_client_connect_mda") has
removed the config variable in favour of mi->cc_config, however one
occurrence was not changed.

Fix it now by properly using mi->cc_config.

Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200701140517.11176-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20180.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-07-01 16:13:53 +02:00
Arne Schwabe
9f0a7dcc7f Remove parameter config from multi_client_connect_mda
config is always used as mi->cc_config and we pass mi,
so directly use mi->cc_config

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20200701122239.6924-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20177.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-07-01 15:26:23 +02:00
Christopher Schenk
93439307e5 Log a note if someone wants to set a MTU below 1280 on IPv6
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200629190930.1360-2-cschenk@mail.uni-paderborn.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20161.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-06-30 09:26:06 +02:00
Gert Doering
3ef858b3d6 Linux: do not change --txqueuelen OS default if not configured.
Remove default setting of "set txqueuelen to 100".  This default dates
back to the "pre git" times (before 2005) and might have been beneficial
back then - nowadays, the Linux default is 500, and thus reducing(!)
txqueuelen by-default can cause TX packet drops on the tun interface,
and that's bad for throughput.

This is a similar change to commit f0b64e5dc (remove setting of the
socket send/receive buffers by default) - similar vintage of the
existing code, similar motivation.

Note: buffer length can be checked with "ip link show" (qlen NNN)

See also:
  https://ivanvari.com/solving-openvpn-poor-throughput-and-packet-loss/

Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20200629180405.17671-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20160.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-06-29 22:54:14 +02:00
Maximilian Wilhelm
19d3c602e7 Add --bind-dev option.
This options allows the user to specify a network interface or VRF
device the OpenVPN process should use when making a connection or
binding to an address.

This is done by setting the SO_BINDTODEVICE option to the corresponding
socket (on Linux).  SO_BINDTODEVICE forces all packets sent on that socket
to go out via the specified interface, and only packets coming in on
that interface are received by OpenVPN.

When used in a VRF context on Linux [0], you can also specify the name
of the VRF ("--bind-dev external_vrf"), which will put the OpenVPN
"network side" into this VRF.  This allows making connections using a
non-default VRF and having the tun/tap interface in the default VRF.

Thanks to David Ahern (Cumulus Networks) for insights on this.

[0] https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/Documentation/networking/vrf.txt

Signed-off-by: Maximilian Wilhelm <max@sdn.clinic>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1593427748-29801-2-git-send-email-max@rfc2324.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20156.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-06-29 13:15:22 +02:00
Gert Doering
d299367c42 Add c1ff8f247f (engine, pool, SSO) to .git-blame-ignore-revs
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-06-26 15:03:39 +02:00
Arne Schwabe
c1ff8f247f Reformat files using uncrustify
Some of the commits, especially engine have not strictly used uncrustify
clean code. Rerun uncrustify to make them compliant again.
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200626125332.15385-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20142.html

Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-06-26 14:58:47 +02:00
Arne Schwabe
c67e93b252 Make compression asymmetric by default and add warnings
This commit introduces the allow-compression option that allows
changing the new default to the previous default or to a stricter
version.

Warning for comp-lzo/compress are not generated in the post option check
(options_postprocess_mutate) since these warnings should also be shown
on pushed options. Moving the showing of the warning for
allow-compression to options_postprocess_mutate will complicate the
option handling without giving any other benefit.

Patch V2: fix spelling and grammar (thanks tincantech), also fix
   uncompressiable to incompressible in three other instances in the
   source code

Patch V3: fix overlong lines. Do not allow compression to be pushed

Patch V4: rename COMP_F_NO_ASYM to COMP_F_ALLOW_COMPRESS, fix style.
          The logic of warnings etc in options.c has not been changed
          since adding all the code to mutate_options would need a lot more
          and more complicated code, and after discussion we decided that
          it is okay as is.

Patch V5: Reword warnings, rebase on master

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20200626110554.3690-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20138.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-06-26 14:34:47 +02:00
Lev Stipakov
2569902c44 msvc: fix various level2 warnings
Also set warnings level to level2 and
enable "treat warnings as errors" flag.

Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200626101050.442-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/search?l=mid&q=20200626101050.442-1-lstipakov@gmail.com
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-06-26 12:45:52 +02:00
James Bottomley
013498ddfe engine-key tests: make check_engine_keys.sh work with --enable-small
--enable-small eliminates one of the openssl errors the test is
looking for, so alter the grep also to account for the message in this
version.  Additionally output log.txt on failure so any test platform
gives an easy clue about what went wrong.

Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1592953354.2103.3.camel@HansenPartnership.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20102.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-06-24 09:55:50 +02:00
James Bottomley
21e3e9fc34 Fix make distcheck for new engine key unit test
Add config precursor and script to extra dist and make sure
built and test leftover files are cleaned up afterwards.

Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1592917531.4768.4.camel@HansenPartnership.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20088.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-06-23 20:45:51 +02:00
James Bottomley
542c69c37b Add unit tests for engine keys
Testing engines is problematic, so one of the prerequisites built for
the tests is a simple openssl engine that reads a non-standard PEM
guarded key.  The test is simply can we run a client/server
configuration with the usual sample key replaced by an engine key.
The trivial engine prints out some operations and we check for these
in the log to make sure the engine was used to load the key and that
it correctly got the password.

Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>

Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200622232319.8143-2-James.Bottomley@HansenPartnership.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20075.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-06-23 08:16:35 +02:00
Gert Doering
933b4ab808 Convert plugin/auth-pam.c from stderr logging to plugin_log().
More recent OpenVPN APIs pass a function pointer for a logging function
(plugin_log()) to plugins.  Using this will make the plugin logs appear
wherever openvpn logs to - file, syslog, stderr.

This patch converts plugin/auth-pam.c "fairly mechanically" to use this
new API.  Real errors are logged with PLOG_ERR or PLOG_ERR|PLOG_ERRNO,
while debug info is logged with PLOG_NOTE (subject to the already-existing
debug level handling inside plugin/auth-pam, via "setenv verb <n>").

Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <20200620143940.11704-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20037.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-06-22 07:53:00 +02:00
Arne Schwabe
3bc12aefd5 Add unit test for cipher name translations
The unit test duplicates some part of the test for
the ncp-cipher list but that is not a bad thing.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200605112519.22714-3-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19968.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-06-21 10:33:39 +02:00
Gert Doering
02a0332084 Deprecation warning for --topology net30 on servers with IPv4 pools.
IPv4 pool handling needs lots of extra code to deal with "topology net30",
so we want to remove that combination in a future release.

Warn people about this in 2.5 so nobody is hit by this as a surprise.

Client- and ifconfig-support for net30 will stay, as "just net30" is not
what brings maintenance effort here (totally removing all options except
"topology subnet" would be beneficial but is a bit too radical today)

Trac: #1288

Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20200620180532.15738-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20041.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-06-20 22:56:19 +02:00
Gert Doering
ff063b6f19 Change timestamps in file-based logging to ISO 8601 time format.
Replace existing ctime() output which is hard to sort and compare
with ISO 8601 / RFC 3399 "YYYY-MM-DD hh:mm:dd" format for file-based
logging (stderr or --log file).

RFC 3399 5.6 permits use of a space for full-date-full-time separation,
which is used to enhance readability.

Syslog or --machine-readable-output are not affected.

Trac: #719

Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20200620172303.15010-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20040.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-06-20 22:52:24 +02:00
Arne Schwabe
06498f21cd Implement forwarding client CR_RESPONSE messages to management
When signalling the client that it should do challenge response
without reconnecting (IV_SSO=crtext/INFOPRE=CR_TEXT), the server
needs to forward the response via the management console.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20200519220004.25136-6-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19910.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-06-20 12:38:45 +02:00
Arne Schwabe
1114b985df Implement sending AUTH_PENDING challenges to clients
This implements sending AUTH_PENDING and INFO_PRE messages to clients
that indicate that the clients should continue authentication with
a second factor. This can currently be out of band (openurl) or a normal
challenge/response two like TOTP (CR_TEXT).

Unfortunately this patch spent so much time in review in openvpn2 that
the corresponding IV_SSO commit in openvpn3 (34a3f264) already made its
way to released products so changing this right now is difficult.

https://github.com/OpenVPN/openvpn3/commit/34a3f264f56bd050d9b26d2e7163f88af9a559e2

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20200519220004.25136-5-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19909.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-06-20 12:19:43 +02:00
Arne Schwabe
adb9bb918d Implement sending response to challenge via CR_RESPONSE
When a client announces its support to support text based
challenge/response via IV_SSO=crtext, the client needs to also
be able to reply to that response.

This adds the "cr-response" management function to be able to
do this. The answer should be base64 encoded.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20200519220004.25136-4-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19907.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-06-12 08:46:38 +02:00
Arne Schwabe
1f76bbb5e5 Implement support for signalling IV_SSO to server
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20200519220004.25136-3-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19908.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-06-12 08:33:06 +02:00
Arne Schwabe
7bdba5319b Implement parsing and sending INFO and INFO_PRE control messages
OpenVPN 3 implements these messages to send information during the
authentication to the UI, implement these message also in OpenVPN 2.x

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20200519220004.25136-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19912.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-06-12 08:31:18 +02:00
Arne Schwabe
58bb8f3e14 Make cipher_kt_get also accept OpenVPN config cipher name
Basically, calls to cipher_kt_get were calling
translate_cipher_name_from_openvpn. The only two exceptions were the
(broken) unit test and tls-crypt, which uses cipher_kt_get("AES-256-CTR")

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Steffan Karger <steffan@karger.me>
Message-Id: <20200605112519.22714-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19969.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-06-11 17:56:34 +02:00
Arne Schwabe
ff531767ea Make cipher_kt_name always return normalised cipher name
The mbed TLS variant of the call already returned the normalised
name while the OpenSSL variant did not. On top of that, all calls but
one to cipher_kt_name were translate_cipher_name_to_openvpn. This commit
moves the call of translate_cipher_name_to_openvpn into cipher_kt_name
or avoids calling it twice in the case of mbed TLS.

The one case that did not translate_cipher_name_to_openvpn is an
internal ssl_openssl.c method that should call EVP_CIPHER_name anyway.

Also simplify cipher_name_cmp function that is only used by
openvpn --show-ciphers with the modified cipher_kt_name
function.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Steffan Karger <steffan@karger.me>
Message-Id: <20200605112519.22714-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19970.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-06-11 17:52:11 +02:00
Christopher Schenk
0213f80ed7 Set the correct mtu on windows based systems
Signed-off-by: Christopher Schenk <cschenk@mail.uni-paderborn.de>
Acked-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200421154612.14140-1-cschenk@mail.uni-paderborn.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19803.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-06-10 17:06:06 +02:00
Arne Schwabe
e0b49cb952 Add .git-blame-ignore-revs with reformat commits
This allows git blame to ignore reformatting changes and instead
to show the previous commit that changed the line.

To avoid manually building the list of commits this commit
adds a file with a list of reformatting commits. I might have
missed a few but this should be a good start. To use the file
use:

   git blame --ignore-revs-file=.git-blame-ignore-revs file

or to automatically always use the file

   git config blame.ignoreRevsFile .git-blame-ignore-revs

Naming the file .git-blame-ignore-revs is a convention.

Some more details in this random blog post:

https://www.moxio.com/blog/43/ignoring-bulk-change-commits-with-git-blame

Patch V2: Remove merge commit of the great formatting, add small
          reminder how to use the feature at the top of the file

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20200604235338.11728-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19967.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-06-10 13:54:46 +02:00
Antonio Quartulli
9002885bd8 multi: skip IPv4 logic in multi_select_virtual_addr() if no pool is configured
When no IPv4 pool is configured (but we have an IPv6 pool
only), the multi_select_virtual_addr() function will spit
a warning when allocating an address for a new client.
This happens because the code will check for some IPv4
bits and will see that they are missing.

However, these bits are not really important, because in
this use case we don't want to configure any IPv4 address
at all.

For this reason it is safe to wrap this entire logic in
an if-block that just does not execute when no IPv4 pool
is configured.

This avoids the warning and will also avoid any other
hidden side effect.

Reported-by: Gert Doering <gert@greenie.muc.de>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200610084549.4028-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20012.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-06-10 11:24:39 +02:00
Antonio Quartulli
28e395856c pool: remove useless 'options.h' include
Commit 6a8cd033 ("pool: add support for ifconfig-pool-persist with IPv6
only") has accidentally introduced an include for 'options.h', which
revealed to not be useful at all. Remove it.

Reported-by: Gert Doering <gert@greenie.muc.de>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200610090100.29738-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20011.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-06-10 11:22:04 +02:00
Gert Doering
e7c0cd996f Simplify pool size handling, fix possible array overrun on pool reading.
Remove separate ipv4.size and ipv6.size in the pool structure, return
to a single pool_size, which is also the allocated array size.

All calls to ifconfig_pool_size() change to "pool->size" now.

pool->size is set to the size of the active pool, or if both IPv4 and IPv6
are in use, to the smaller size (same underlying logic as in 452113155e,
but really put it into the size field).

This fixes a SIGSEGV crash if an ifconfig-pool-persist file is loaded
that has IPv6 and no IPv4 (= ipv6 handle is used) and that has more
entries than the IPv4 pool size (comparison was done with ipv6.size,
not with actual pool size), introduced by commit 6a8cd033b1.

While at it, fix pool size calculation for IPv6 pools >= /112
(too many -1), introduced by commit 452113155e.

Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20200609080229.2564-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20006.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-06-09 16:04:45 +02:00
Antonio Quartulli
1379e5271d ipv6-pool: get rid of size constraint
Signed-off-by: Antonio Quartulli <a@unstable.cc>

Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200608201613.23750-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20005.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-06-09 15:58:19 +02:00
Antonio Quartulli
070319c135 options: enable IPv4 redirection logic only if really required
If no IPv4 redirection flag is set, do not enable the IPv4
redirection logic at all so that it won't bother adding any
useless IPv4 route.

Trac: #208
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>

Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200608153239.2260-1-a@unstable.cc>
URL: https://www.mail-archive.com/search?l=mid&q=20200608153239.2260-1-a@unstable.cc
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-06-08 20:05:40 +02:00
James Bottomley
25266ebba9 crypto_openssl: add include for openssl/conf.h
Fix build failure on older versions of openssl.

Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1591567858.4011.15.camel@HansenPartnership.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19996.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-06-08 13:57:42 +02:00