Some small issues Gert might decide to fix on apply:
Typo "fucntion" in summary line of commit message.
> Arne Schwabe wrote on 28.04.2022 00:34:
> This implement creating a reset packet without needing to setup a full control
"implements"
> session.
[...]
> diff --git a/src/openvpn/
Summary line: "HMAC-based session-id three-way-handshake" maybe? Just to help
one parse the word pile ;)
> Arne Schwabe wrote on 28.04.2022 00:34:
> OpenVPN currently has a bit of a weakness in its early three way handshake
>
> A single client reset packet (first packet of the handsha
On 29.04.22 at 12:28, Frank Lichtenheld wrote:
Summary line: "HMAC-based session-id three-way-handshake" maybe? Just to help
one parse the word pile ;)
Arne Schwabe wrote on 28.04.2022 00:34:
OpenVPN currently has a bit of a weakness in its early three way handshake
A single clien
The "offset" part of the review :)
> Arne Schwabe wrote on 28.04.2022 00:34:
[...]
> diff --git a/src/openvpn/ssl_pkt.c b/src/openvpn/ssl_pkt.c
> index a93027505..56baa2895 100644
> --- a/src/openvpn/ssl_pkt.c
> +++ b/src/openvpn/ssl_pkt.c
[...]
> @@ -430,3 +440,91 @@ tls_reset_standalo
Ack-By: Frank Lichtenheld
Trivial code move. Applied and compile-tested on top of master + 17 v2 + 18 v2.
> Arne Schwabe wrote on 22.04.2022 16:29:
>
>
> This makes the code a bit more structured and easier to read.
[...]
Regards,
--
Frank Lichtenheld
___
> Frank Lichtenheld wrote on 29.04.2022 12:28:
> > Arne Schwabe wrote on 28.04.2022 00:34:
[...]
> > +
> > +}
> > +else
> > +{
> > +msg(D_MULTI_DEBUG, "Reset packet from client (%s), "
> > +"sending HMAC based reset challenge
> Arne Schwabe wrote on 22.04.2022 16:29:
>
>
> Tls-crypt v2 is more complicated to implement a proper stateless
> handshake. To allow state handshake this commit does
>
> - introduce a new packet CONTROL_WKC_V1 that repeats the wrapped
>   client key.
> - introduce a way to negot
> Frank Lichtenheld wrote on 29.04.2022 15:11:
> > Arne Schwabe wrote on 22.04.2022 16:29:
[...]
> > diff --git a/tests/unit_tests/openvpn/test_pkt.c
> > b/tests/unit_tests/openvpn/test_pkt.c
> > index c4e23521d..184b88383 100644
> > --- a/tests/unit_tests/openvpn/test_pkt.c
Stared at the code for a bit, seems to make sense and the unit test
finds it a valid packet (mbedTLS and OpenSSL).
v2 also adds uncrustify fixes to test_pkt.c, so the tree is clean
wrt uncrustify 0.72 now again. Great! (Even though the array indent
does not look nice yet this way)
Fixed the 3 t
> Frank Lichtenheld wrote on 29.04.2022 15:18:
> > Frank Lichtenheld wrote on 29.04.2022 15:11:
> > > Arne Schwabe wrote on 22.04.2022 16:29:
> [...]
> > > diff --git a/tests/unit_tests/openvpn/test_pkt.c
> > > b/tests/unit_tests/openvpn/test_pkt.c
> > > index
> Arne Schwabe wrote on 29.04.2022 13:31:
> On 29.04.22 at 12:28, Frank Lichtenheld wrote:
> >> Instead of allocating a connection for each client on the initial packet
> >> OpenVPN will now send back a response that contains an HMAC based cookie
> >> that the client will need to respon
One additional small issue:
> Arne Schwabe wrote on 22.04.2022 16:29:
[...]
> diff --git a/src/openvpn/ssl_pkt.h b/src/openvpn/ssl_pkt.h
> index 75cdc1c58..48b94e952 100644
> --- a/src/openvpn/ssl_pkt.h
> +++ b/src/openvpn/ssl_pkt.h
> @@ -218,10 +224,12 @@ read_control_auth(struct buffe
From: Kristof Provost
Handle the DCO driver telling us that the peer went away, even if we're
not running in multi-instance mode.
Signed-off-by: Kristof Provost
---
src/openvpn/forward.c | 6 ++
1 file changed, 6 insertions(+)
diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c
in
From: Kristof Provost
We must create the peer before we can dco_set_peer or dco_new_key.
On the other hand, we must first process options, because those may
change our peer id and we should create the peer with the correct id.
Split up do_deferred_options() in do_deferred_options() and
finish_op
From: Kristof Provost
It's always used for open_tun_dco(), so we must ensure it's populated,
even if 'dev_node' is set.
Signed-off-by: Kristof Provost
---
src/openvpn/tun.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/openvpn/tun.c b/src/openvpn/tun.c
index 245a6507..7976ad11 100644
Hi,
Here's the latest revision of the FreeBSD DCO patch, as well as three
DCO-related fixes.
Best regards,
Kristof
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
From: Kristof Provost
Implement data-channel offload for FreeBSD. The implementation and flow
is very similar to that of the Linux DCO support.
Signed-off-by: Kristof Provost
---
configure.ac | 6 +-
src/openvpn/Makefile.am| 1 +
src/openvpn/dco_freebsd.c | 6