[Openvpn-devel] [PATCH v2] ifconfig-ipv6(-push): allow using hostnames

2017-12-02 Thread Antonio Quartulli
Similarly to ifconfig(-push), its IPv6 counterpart is now able to accept hostnames as well instead of IP addresses in numeric form. Basically this means that the user is now allowed to specify something like this: ifconfig-ipv6-push my.hostname.cx/64 This is exactly the same behaviour that we al

Re: [Openvpn-devel] Follow up on sending messages to the GUI

2017-12-02 Thread Jonathan K. Bullard
Hi, On Fri, Dec 1, 2017 at 10:58 AM, Selva Nair wrote: > > Hi, > > On Fri, Dec 1, 2017 at 8:53 AM, Arne Schwabe wrote: >> >> Am 30.11.2017 um 03:03 schrieb Selva Nair: >> >> Cross-posting to users and devel as this may be of interest to both. >> >> Hi, >> >> I have made a draft implementation of

[Openvpn-devel] [PATCH 2/7] Remove ENABLE_CRYPTO

2017-12-02 Thread Antonio Quartulli
The crypto engine cannot be disabled anymore, therefore get rid of all the related ifdefs in the code. This change makes the code simpler and reduces the number of config combinations we have to test after a new change is applied. [re-enable unit-tests that were previously disabled] Signed-o

[Openvpn-devel] [PATCH 4/7] Remove SSL_LIB_VER_STR

2017-12-02 Thread Antonio Quartulli
SSL_LIB_VER_STR made sense only when ENABLE_CRYPTO also existed. It can now be removed and thus simplify the code. Signed-off-by: Antonio Quartulli --- src/openvpn/options.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/src/openvpn/options.c b/src/openvpn/options.c ind

[Openvpn-devel] [PATCH 5/7] Remove CIPHER_ENABLED

2017-12-02 Thread Antonio Quartulli
Now that ENABLE_CRYPTO has been removed, CIPHER_ENABLED is basically a useless shortcut which does not really help the readability of the code. Remove it and use its expanded expression instead. Signed-off-by: Antonio Quartulli --- src/openvpn/init.c| 4 ++-- src/openvpn/openvpn.h | 2 -- 2

[Openvpn-devel] [PATCH 3/7] Remove ENABLE_PUSH_PEER_INFO

2017-12-02 Thread Antonio Quartulli
ENABLE_PUSH_PEER_INFO depended on ENABLE_CRYPTO that now does not exist anymore. Get rid of ENABLE_PUSH_PEER_INFO by assuming that it is always enabled and simplify the code. Signed-off-by: Antonio Quartulli --- src/openvpn/init.c | 2 -- src/openvpn/options.c| 10 -- src/open

[Openvpn-devel] [PATCH 6/7] Remove MD5SUM

2017-12-02 Thread Antonio Quartulli
Apparently the MD5SUM macro is not used anywhere. Remove it. Signed-off-by: Antonio Quartulli --- src/openvpn/openvpn.h | 1 - 1 file changed, 1 deletion(-) diff --git a/src/openvpn/openvpn.h b/src/openvpn/openvpn.h index d843c913..fe8324ab 100644 --- a/src/openvpn/openvpn.h +++ b/src/openvpn/o

[Openvpn-devel] [PATCH 1/7] Remove option to disable crypto engine

2017-12-02 Thread Antonio Quartulli
With this patch we remove the possibility to disable the crypto engine (ENABLE_CRYPTO define) at configuration time. [Some unit-tests are temporarily disabled and will be enabled again when ENABLE_CRYPTO is completely removed from the codebase] [--disable-crypto has been removed from .travis.yml t

[Openvpn-devel] [PATCH 7/7] Remove TLS_MODE

2017-12-02 Thread Antonio Quartulli
Now that ENABLE_CRYPTO has been removed, TLS_MODE is basically a useless shortcut which does not really help the readability of the code. Remove it and use its expanded expression instead. Signed-off-by: Antonio Quartulli --- src/openvpn/forward.c | 2 +- src/openvpn/init.c| 2 +- src/openv

[Openvpn-devel] [PATCH v2] Allow learning iroutes with network made up of all 0s (only if netbits < 8)

2017-12-02 Thread Antonio Quartulli
It is plausible for a user to be willing to add a route for a network made up of all 0s via a VPN client (i.e. 0.0.0.0/1), therefore such iroute should be supported. As of now the option parsing code will accept such iroute, but the learning routine will (silently) reject it after a sanity check.

[Openvpn-devel] [PATCH v7] convert *_inline attributes to bool

2017-12-02 Thread Antonio Quartulli
Carrying around the INLINE_TAG is not really efficient, because it requires a strcmp() to be performed every time we want to understand if the data is stored inline or not. Convert all the *_inline attributes to bool to make the logic easier and checks more efficient. Signed-off-by: Antonio Quart

[Openvpn-devel] [PATCH 2/2] PF: never drop essential ICMPv6 packets

2017-12-02 Thread Antonio Quartulli
Some ICMPv6 packets can't be dropped otherwise the entire overlaying network layer (IPv6) would just stop working. Such packets are described in RFC4890, sec. 4.4.1. Improve the mroute packet parsing routine in order to detect these specific packets types and thus avoid PF to drop them. This way

[Openvpn-devel] [PATCH 1/2] PF: implement support for IPv6 subnets

2017-12-02 Thread Antonio Quartulli
The PF subnets component has been extended to also accept IPv6 networks. The syntax is exactly the same as the IPv4 subnets. The user only needs to list the IPv6 networks in the same "[SUBNETS DROP/ACCEPT]" block as the IPv4 ones. Example: [SUBNETS ACCEPT] -180.180.0.0/16 -2001:caca:beef::/48 T

Re: [Openvpn-devel] Follow up on sending messages to the GUI

2017-12-02 Thread Selva Nair
Hi On Sat, Dec 2, 2017 at 7:08 AM, Jonathan K. Bullard wrote: > Hi, > > On Fri, Dec 1, 2017 at 10:58 AM, Selva Nair wrote: > > > > Hi, > > > > On Fri, Dec 1, 2017 at 8:53 AM, Arne Schwabe wrote: > >> > .. > >> > >> Could we have some text stating that clients might only display one > message

Re: [Openvpn-devel] [PATCH 2/2] PF: never drop essential ICMPv6 packets

2017-12-02 Thread Antonio Quartulli
On 03/12/17 00:47, Arne Schwabe wrote: > Am 02.12.17 um 17:24 schrieb Antonio Quartulli: >> Some ICMPv6 packets can't be dropped otherwise the entire >> overlaying network layer (IPv6) would just stop working. >> >> Such packets are described in RFC4890, sec. 4.4.1. >> >> Improve the mroute packe

Re: [Openvpn-devel] [PATCH v2] ifconfig-ipv6(-push): allow using hostnames

2017-12-02 Thread Selva Nair
Hi, On Sat, Dec 2, 2017 at 3:54 AM, Antonio Quartulli wrote: > Similarly to ifconfig(-push), its IPv6 counterpart is now able to > accept hostnames as well instead of IP addresses in numeric form. > If dns names currently work for ifconfig-push (I didn't know), makes sense to support it for ip

Re: [Openvpn-devel] [PATCH v2] ifconfig-ipv6(-push): allow using hostnames

2017-12-02 Thread Antonio Quartulli
Hi, On 03/12/17 04:27, Selva Nair wrote: > Hi, > > On Sat, Dec 2, 2017 at 3:54 AM, Antonio Quartulli wrote: > >> Similarly to ifconfig(-push), its IPv6 counterpart is now able to >> accept hostnames as well instead of IP addresses in numeric form. >> > > If dns names currently work for ifconfi

[Openvpn-devel] Fwd: [PATCH v2] ifconfig-ipv6(-push): allow using hostnames

2017-12-02 Thread Selva Nair
oops forgot to cc the list.. -- Forwarded message -- From: Selva Nair Date: Sat, Dec 2, 2017 at 10:16 PM Subject: Re: [Openvpn-devel] [PATCH v2] ifconfig-ipv6(-push): allow using hostnames To: Antonio Quartulli Hi, On Sat, Dec 2, 2017 at 9:25 PM, Antonio Quartulli wrote: > H

Re: [Openvpn-devel] Fwd: [PATCH v2] ifconfig-ipv6(-push): allow using hostnames

2017-12-02 Thread Antonio Quartulli
Hi, On 03/12/17 11:39, Selva Nair wrote: > oops forgot to cc the list.. > > -- Forwarded message -- > From: Selva Nair > Date: Sat, Dec 2, 2017 at 10:16 PM > Subject: Re: [Openvpn-devel] [PATCH v2] ifconfig-ipv6(-push): allow using > hostnames > To: Antonio Quartulli > > > Hi,

[Openvpn-devel] [PATCH v3] ifconfig-ipv6(-push): allow using hostnames

2017-12-02 Thread Antonio Quartulli
Similarly to ifconfig(-push), its IPv6 counterpart is now able to accept hostnames as well instead of IP addresses in numeric form. Basically this means that the user is now allowed to specify something like this: ifconfig-ipv6-push my.hostname.cx/64 This is exactly the same behaviour that we al

Re: [Openvpn-devel] [PATCH v3] ifconfig-ipv6(-push): allow using hostnames

2017-12-02 Thread Antonio Quartulli
Sorry, I made a mistake on my own. Will send v4. On 03/12/17 12:09, Antonio Quartulli wrote: > Similarly to ifconfig(-push), its IPv6 counterpart is now able to > accept hostnames as well instead of IP addresses in numeric form. > > Basically this means that the user is now allowed to specify >

[Openvpn-devel] [PATCH v4] ifconfig-ipv6(-push): allow using hostnames

2017-12-02 Thread Antonio Quartulli
Similarly to ifconfig(-push), its IPv6 counterpart is now able to accept hostnames as well instead of IP addresses in numeric form. Basically this means that the user is now allowed to specify something like this: ifconfig-ipv6-push my.hostname.cx/64 This is exactly the same behaviour that we al

Re: [Openvpn-devel] [PATCH v2] ifconfig-ipv6(-push): allow using hostnames

2017-12-02 Thread Selva Nair
Hi, Responding to this old version just to be on record. I realized this patch was assigned to Gert on patchwork too late, after I started responding on my own. Sorry for jumping the gun. Have to make keeping an eye on patchwork a habit.. I'll leave the latest v4 alone. cheers, Selva

Re: [Openvpn-devel] [PATCH v2] ifconfig-ipv6(-push): allow using hostnames

2017-12-02 Thread Antonio Quartulli
Hi, On 03/12/17 12:38, Selva Nair wrote: > Hi, > > Responding to this old version just to be on record. > > I realized this patch was assigned to Gert on patchwork too late, after > I started responding on my own. Sorry for jumping the gun. Have to make > keeping an eye on patchwork a habit.. No p

Re: [Openvpn-devel] [PATCH] Added OpenSSL FIPS 2.0 support to OpenVPN

2017-12-02 Thread Antonio Quartulli
Hi, On 25/11/17 04:23, j...@carroll.com wrote: > From: JimC > > Modified the autoconf, automake and code to support building OpenVPN with > OpenSSL FIPS Object Module v2.0 validated encryption. > > * Adds: --enable-fips-mode switch to configure.ac > * Adds: --enable-fips-mode co