schwabe

Member Since 10 years ago

562 contributions in the last year

Pinned
⚡ OpenVPN for Android
⚡ Generates the data to write a NFC bluetooth pairing tag
⚡ DIY Multiprotocol TX Module
Activity
May 18 (4 days ago)
schwabe issue comment schwabe/ics-openvpn

schwabe

App reconnects every 2 minutes after update from 0.7.36 to 0.7.37

General information

  1. Android Version: 12
  2. Version of the app (version number/play store version/self-built): GooglePlay 0.7.37
  3. Server: SoftEther

Hello,

After the latest app update to version 0.7.37, the app started reconnecting to the server every 2 minutes. The issue goes away when I install the previous version 0.7.36.

Here are the client logs:

[Server] Inactivity timeout (--ping-restart), restarting SIGUSR1[soft,ping-restart] received, process restarting

So it seems like the new app version (0.7.37) sets some kind of reconnect timeout, for example:

ping-restart 0
keepalive 10 120

Regards

schwabe

Can you post a whole log? There is something fishy going on but I have no idea what it is. Does it reproduce if you use OpenVPN3 core under general settings?

May 17 (5 days ago)
schwabe push schwabe/openvpn

schwabe

fixup! Allow scripts and plugins to set a custom AUTH_FAILED message

commit sha: ba1dd0553497321f3884c8f2b548a86299a505f9

push time: 4 days ago

schwabe push schwabe/openvpn

schwabe

Add uncrustify check to github actions

This adds a check in GitHub Actions that the code style is still clean, using the exact version of uncrustify that is required. It might also be helpful for external committers to get notified about code style problems when running the GitHub Actions on their own repository.

Signed-off-by: Arne Schwabe [email protected]
Acked-by: Gert Doering [email protected]
Message-Id: [email protected]
URL: https://www.mail-archive.com/[email protected]/msg24300.html
Signed-off-by: Gert Doering [email protected]

schwabe

Add ubuntu 22.04 to Github Actions

This adds Ubuntu 22.04 to the GitHub Actions. mbed TLS in 22.04 is still old enough (2.28) to build with OpenVPN and is GPL licensed.

Signed-off-by: Arne Schwabe [email protected]
Acked-by: Gert Doering [email protected]
Message-Id: [email protected]
URL: https://www.mail-archive.com/[email protected]/msg24299.html
Signed-off-by: Gert Doering [email protected]

schwabe

Implement --mtu-disc for IPv6 UDP sockets.

Commit 4225114b96 repaired "--mtu-disc yes" brokenness for IPv4 UDP sockets (caused by autoconf/ifdef issues). This patch adds new functionality to do --mtu-disc for IPv6 sockets as well.

Half of it (setsockopt(IPV6_MTU_DISCOVER)) was already there, but receiving of detailed socket errors was missing the enablement of setsockopt(IPV6_RECVERR) and parsing of IPPROTO_IPV6/IPV6_RECVERR messages received.

With that, we now get (sending over a route with "mtu 1300"):

2022-02-22 15:28:07 write UDPv6 [EMSGSIZE Path-MTU=1300]: Message too long (fd=3,code=90)
2022-02-22 15:28:07 Note adjusting 'mssfix 1400 mtu' to 'mssfix 1300 mtu' according to path MTU discovery
2022-02-22 15:28:07 Note adjusting 'fragment 1400 mtu' to 'fragment 1300 mtu' according to path MTU discovery

Signed-off-by: Gert Doering [email protected]
Acked-by: Arne Schwabe [email protected]
Message-Id: [email protected]
URL: https://www.mail-archive.com/[email protected]/msg23879.html
Signed-off-by: Gert Doering [email protected]

schwabe

Fix M_ERRNO behavior on Windows

We use the M_ERRNO flag in logging to display the error code and error message. This has been broken on Windows, where we use the error code from GetLastError() and the error description from strerror(). strerror() expects a C runtime error code, which is quite different from the last error code from a WinAPI call. As a result, we got an incorrect error description.

The ultimate fix would be introducing another flag for WinAPI errors, like M_WINERR, and using either that or M_ERRNO depending on context. However, the change would be quite intrusive and in some cases it is hard to say which one to use without looking into internals.

Instead we stick to M_ERRNO and in the Windows case we first try to obtain the error code from GetLastError(); if it returns ERROR_SUCCESS (which is 0), we assume that we have a C runtime error and use errno. To get the error description we use strerror_win32() with GetLastError() and strerror() with errno.

strerror_win32() uses FormatMessage() internally, which is the right way to get a WinAPI error description.

Signed-off-by: Lev Stipakov [email protected]
Acked-by: Selva Nair [email protected]
Message-Id: [email protected]
URL: https://www.mail-archive.com/[email protected]/msg24270.html
Signed-off-by: Gert Doering [email protected]

schwabe

Fix non-compliant whitespace introduced by commit 54800aa975418fe35.

Uncrustify fix.

Signed-off-by: Gert Doering [email protected]

schwabe

Pass proper sockaddr_* structure for IPv6 socket errors.

commit 043c67f363429 enhances format_extended_socket_error() by recognizing IPv6 extended socket errors, but neglected to change the "sockaddr_in" buffer passed to recvmsg() to "sockaddr_storage".

According to documentation, recvmsg() should not have overrun that buffer (we pass the size of the struct), but according to ASAN it does... so, pass a pointer to the correct structure.

Signed-off-by: Gert Doering [email protected]
Acked-by: Arne Schwabe [email protected]
Message-Id: [email protected]
URL: https://www.mail-archive.com/[email protected]/msg24352.html
Signed-off-by: Gert Doering [email protected]

schwabe

WIP: add Cmake based build

Signed-off-by: Arne Schwabe [email protected]

schwabe

Ensure that control channel packet are respecting tls-mtu

This ensures that control packets are actually smaller than tls-mtu. Since OpenVPN will consider a control message packet complete when the TLS record is complete, we have to ensure that the SSL library will still write one record, so the receiving side will only be able to get/read the control message content when a TLS record is complete. To achieve this goal, this commit does the following:

  • Split one read from the TLS library into multiple control channel packets, i.e. split one TLS record into multiple control packets.
  • Increase the allowed number of outstanding packets on the sender side from 4 to 6. This is still okay with older implementations as receivers will have room for 8.
  • Calculate the overhead for control channel messages to allow staying below that threshold.
  • Remove maxlen from key_state_read_ciphertext and related functions, as we now always allow control channel messages to be up to TLS_CHANNEL_BUF_SIZE in size and no longer limit this by the MTU of control packets, since the implemented splitting will take care of larger payloads from the SSL library.

Patch v2: avoid the assertion about a too large buffer by sticking to a 1250 max control size in this commit and leaving larger sizes for the --tls-mtu commit. Also fix various other small problems and grammar.

Signed-off-by: Arne Schwabe [email protected]

schwabe

Allow setting control channel packet size with tls-mtu

Currently the control packet size is controlled by tun-mtu in a very non-obvious way, since the control overhead is not taken into account and control channel packets will end up with a different size than data channel packets.

Instead we decouple this and introduce tls-mtu which defaults to 1250.

Patch v2: rebase on latest patch set
Patch v3: Introduce TLS_CHANNEL_MTU_MIN define and give an explanation of its value.

Signed-off-by: Arne Schwabe [email protected]

schwabe

Add unit test for reliable_get_num_output_sequenced_available

Signed-off-by: Arne Schwabe [email protected]

schwabe

Always include ACKs for the last seen control packets

This adds an LRU cache for the last seen packets from the peer to send ACKs for all recently seen packets. This also allows packets to be acknowledged even if a single P_ACK_V1 gets lost, avoiding retransmissions. The downside is that we add up to 28 bytes to a P_ACK_V1 (7 * packet_id) and up to 24 bytes to other control channel packets (4 * packet_id + peer session id). However, these small increases in packet size are a small price to pay for increased reliability.

Currently OpenVPN will only send the absolute minimum of ACK messages. A single lost ACK message will trigger a resend from the peer and another ACK message.

Signed-off-by: Arne Schwabe [email protected]

schwabe

Fix IV_PLAT_VER and UV_ variables sent without push-peer-info

Commit 8c72d7981 changed push_peer_info_detail to have an additional level for P2P NCP, shifting most of the other levels by 1. The check for UV_ and IV_PLAT_VER was not changed accordingly.

Signed-off-by: Arne Schwabe [email protected]

schwabe

Fix OpenVPN querying user/password if auth-token with user expires

The problematic behaviour happens when starting a profile without auth-user-pass and connecting to a server that pushes auth-token. When the auth token expires, OpenVPN asks for the auth user and password again.

The problem is that auth_user_pass_setup sets auth_user_pass_enabled = true. This function is called from two places. In ssl.c it is only called with an auth-token present or that variable already set. The other one is init_query_passwords.

Move setting auth_user_pass_enabled to the second place to ensure it is only set if we really want passwords.

Patch v2: Remove unrelated code change
Patch v3: Rebase to master

Signed-off-by: Arne Schwabe [email protected]

schwabe

Implement --client-crresponse script options and plugin interface

This allows scripts and plugins to parse/react to a CR_RESPONSE message.

Patch V2: doc fixes, do not put script under ENABLE_PLUGIN
Patch V3: rebase

Signed-off-by: Arne Schwabe [email protected]

schwabe

Fix unchecked signedness conversions reported by MSVC

Whenever possible the types have been aligned in the various parts of OpenVPN. If that was not possible, an explicit cast to a narrower type has been added.

Signed-off-by: Arne Schwabe [email protected]

schwabe

Add building with MSVC to github actions

Signed-off-by: Arne Schwabe [email protected]

schwabe

Add example script demonstrating TOTP via auth-pending

Signed-off-by: Arne Schwabe [email protected]

Patch v3: Some minor cleanups in the script (rename CNs, add more comments)

Signed-off-by: Arne Schwabe [email protected]

schwabe

Add OpenSSL 3.0 to mingw build

Signed-off-by: Arne Schwabe [email protected]

schwabe

Implement ED448 and ED25519 support in xkey_provider

OpenSSL's implementation of ED448 and ED25519 has a few idiosyncrasies. Instead of belonging to the elliptic curve type or to a common Edwards curve type, ED448 and ED25519 have each their own type.

Also, OpenSSL expects signatures using these curves to be done with the EVP_DigestSign API instead of the EVP_Sign API but using md=NULL.

This has been tested using a "fake" external key that used a normal software key instead of a hardware implementation but that makes no difference from the perspective of xkey_provider/management interface.

Patch v2: remove name functions from ed448/ed25519, ensure md is NULL for ed448/ed25519 and handle NULL/none better in general.

Patch v3: do not pass NULL as string for the OSSL params.

schwabe

Implement exit notification via control channel

Current exit notification relies on data channel messages with a specific prefix. Adding these to new data channel modules (DCO) adds unnecessary complexity to the data channel for messages that conceptually belong to the control channel anyway.

This patch adds announcing support for the control channel and sending/receiving it. We use the simple EXIT message for this.

commit sha: b97d2839b16475418d41568e1d40ade673c09778

push time: 4 days ago

schwabe issue comment schwabe/ics-openvpn

schwabe

Optionally disable "Cancel Confirmation" Dialog

General information

  1. Android Version: 12
  2. Android Vendor: Samsung
  3. Device: Samsung Galaxy Note10
  4. Version of the app: 0.7.37

Description of the issue

When trying to use the app with Bixby Routines, I'm trying to connect and disconnect to my VPN automatically, but when using the Disconnect app action, a popup comes up for "Cancel Confirmation" which makes the automation useless.

Is it possible to silence this dialog popup in the configuration? And if not, I feel an optional flag should be added to disable the confirmation dialog.

schwabe

@MarthinusBosman that is a design/user experience decision that I made. And a lot of people want the confirmation. So basically the question is only if it should be configurable and currently I don't see a compelling reason for that.

And for Samsung. I am quite annoyed/fed up with their broken Android stuff and software, so adding an extra hack just for their broken Bixby stuff is quite low on my motivation list.

schwabe issue comment schwabe/ics-openvpn

schwabe

App reconnects every 2 minutes after update from 0.7.36 to 0.7.37

schwabe

@andronov-alexey well, if you are using the old version, this bug will probably not be fixed since I have no idea what is happening in your setup.

schwabe issue comment schwabe/ics-openvpn

schwabe

Optionally disable "Cancel Confirmation" Dialog

schwabe

Those are the shortcuts. The intents are different and are documented here: https://github.com/schwabe/ics-openvpn#controlling-from-external-apps

So this is already supported and used by other automation apps like Tasker. What you are seeing there are the shortcuts that you get when you long-press an app icon in a normal launcher. They are meant to be used by an interactive user and not by an automation app.

schwabe issue comment SoftEtherVPN/SoftEtherVPN

schwabe

Softether missing modern OpenVPN features like DATA_V2

Description

Hey, OpenVPN developer here. Softether is missing a number of OpenVPN features, most critically DATA_V2. The newest version of OpenVPN clients that will support kernel module acceleration will not work with Softether server as these only support DATA_v2 and AEAD ciphers (Chacha20-Poly1305 and AES-GCM). DATA_V2 has been a feature for OpenVPN clients since 2.3.7.

schwabe

You just need to have the peer id present and tell the client to also send one. You can very well just use a random id and just ignore the peer id on received packets. OpenVPN itself uses it to track clients that change IP addresses, but Softether could just skip that to make the implementation easier.

schwabe issue comment SoftEtherVPN/SoftEtherVPN

schwabe

Softether missing modern OpenVPN features like DATA_V2

schwabe

I think Softether already supports AES-GCM with OpenVPN, there are already AEAD mode encryption things in Proto_OpenVPN.c.

We are also currently writing a protocol specification (https://github.com/openvpn/openvpn-rfc/). It is still WIP and should not be taken as ground truth as it might contain errors, but it might be helpful for looking up the details of the DATA v2 format.

schwabe issue schwabe/ics-openvpn

schwabe

Key public

To make issues more manageable, I would appreciate it if you fill out the following details as applicable:

General information

  1. Android Version
  2. Android Vendor/Custom ROM
  3. Device
  4. Version of the app (version number/play store version/self-built)

Description of the issue

yes

Log (if applicable)

yes

log contents
yes

Configuration file
Yes

add the contents of the configuration file if applicable be careful to not post private keys

schwabe issue comment schwabe/ics-openvpn

schwabe

Key public

schwabe

This bug report has no information in it.

schwabe issue comment schwabe/ics-openvpn

schwabe

Optionally disable "Cancel Confirmation" Dialog

schwabe

There are already intents that are designed to be used in automation.

schwabe issue SoftEtherVPN/SoftEtherVPN

schwabe

Softether missing modern OpenVPN features like DATA_V2

schwabe issue comment schwabe/ics-openvpn

schwabe

App reconnects every 2 minutes after update from 0.7.36 to 0.7.37

schwabe

The runtime exceptions are red herrings. Ignore them for this ticket.

The default is to still restart a connection, so ignoring ping-restart just gives you the default, which is still USR1. The ping restart of 3 10 is very aggressive. That means that if there is any 10s hiccup, the client will disconnect. And yes, for UDP there is a 120s default. You can go back to 0.7.36, but this looks more like some other problem, like a bad server connection or mismatched control parameters being negotiated so pings are not getting through. So a complete log to look for those problems would be good.

May 16 (6 days ago)

schwabe issue comment schwabe/ics-openvpn

schwabe

App reconnects every 2 minutes after update from 0.7.36 to 0.7.37

schwabe

  • Is that on an existing profile or a freshly imported profile?
  • Are those reconnect timeouts things you see in the generated config, or something you speculate?
  • Can you also share a log?

May 13 (1 week ago)

schwabe issue schwabe/ics-openvpn

schwabe

Crash issue

Caused by: java.lang.UnsatisfiedLinkError: dalvik.system.PathClassLoader[DexPathList[[zip file "/data/app/com.uuuvn.ownvpn-9d7DiEEQggJHkh8dMPEdiw==/base.apk"],nativeLibraryDirectories=[/data/app/com.uuuvn.ownvpn-9d7DiEEQggJHkh8dMPEdiw==/lib/arm64, /system/lib64, /vendor/lib64, /product/lib64]]] couldn't find "libopvpnutil.so"

What happened? Please help me. I have seen the doc/README FAQ, but I can't find the problem. Can you explain correctly?

schwabe issue comment schwabe/ics-openvpn

schwabe

Crash issue

schwabe push schwabe/openvpn

schwabe

Refactor early initialisation and uninitialisation into methods

This puts the early initialisation and uninitialisation that needs to happen between option parsing and post processing into small methods.

Cherry-pick of 97056dbf9 as a prerequisite for the provider patch.

Signed-off-by: Arne Schwabe [email protected]
Acked-by: Gert Doering [email protected]
Message-Id: [email protected]
URL: https://www.mail-archive.com/[email protected]/msg24328.html
Signed-off-by: Gert Doering [email protected]

schwabe

Allow loading of non default providers

This allows OpenVPN to load non-default providers. This is mainly useful for loading the legacy provider with --providers legacy default

Cherry-pick of 08081aa0a153 to release/2.5. Changes.rst has been adjusted to better fit the changes in 2.5.

Signed-off-by: Arne Schwabe [email protected]
Acked-by: Gert Doering [email protected]
Message-Id: [email protected]
URL: https://www.mail-archive.com/[email protected]/msg24327.html
Signed-off-by: Gert Doering [email protected]

schwabe

Add ubuntu 22.04 to Github Actions

This adds Ubuntu 22.04 to the GitHub Actions. mbed TLS in 22.04 is still old enough (2.28) to build with OpenVPN and is GPL licensed.

Signed-off-by: Arne Schwabe [email protected]
Acked-by: Gert Doering [email protected]
Message-Id: [email protected]
URL: https://www.mail-archive.com/[email protected]/msg24329.html
Signed-off-by: Gert Doering [email protected]

schwabe

Add macos OpenSSL 3.0 and ASAN builds

Signed-off-by: Arne Schwabe [email protected]
Acked-by: Gert Doering [email protected]
Message-Id: [email protected]
URL: https://www.mail-archive.com/[email protected]/msg24330.html
Signed-off-by: Gert Doering [email protected]

schwabe

Add --with-openssl-engine autoconf option (auto|yes|no)

This is a cherry-pick to release/2.5 from 0df2261da. The OpenSSL engine tests fail otherwise and it is good to have the same behaviour as in master/2.6.

This allows selecting engine support at configure time. For OpenSSL 1.1 the default is not changed and we detect if engine support is available.

Engine support is deprecated in OpenSSL 3.0, and for OpenSSL 3.0 the default is to disable engine support as it is deprecated and generates compiler warnings, which in turn also break -Werror.

By using --with-openssl-engine=no or --with-openssl-engine=yes engine support can be forced on or off. If it is enabled but not detected an error will be thrown.

This commit cleans up the configure logic a bit and removes the ENGINE_cleanup checks as we can just assume that it will also be available as a macro or function if the other engine functions are available. Before the cleanup we would only check for the existence of engine.h if ENGINE_cleanup was not found.

Signed-off-by: Arne Schwabe [email protected]
Acked-by: Gert Doering [email protected]
Message-Id: [email protected]
URL: https://www.mail-archive.com/[email protected]/msg24332.html
Signed-off-by: Gert Doering [email protected]

schwabe

Fix allowing/showing unsupported ciphers and digests

This is a minimal version to hide the non-supported ciphers in these show-cipher/show-digests listings. It also adds code to the kt_md_get/ kt_cipher_get functions to error out early instead of getting an ugly backtrace with OpenSSL errors later when actually trying to use the ciphers.

This allows make check to work again with OpenSSL 3.0.

The changes are kept minimal to avoid pulling in all the other refactoring for OpenSSL 3.0.

This commit is partly cherry-picked from ab3f32b9.

Signed-off-by: Arne Schwabe [email protected]
Acked-by: Gert Doering [email protected]
Message-Id: [email protected]
URL: https://www.mail-archive.com/[email protected]/msg24334.html
Signed-off-by: Gert Doering [email protected]

schwabe

Remove dependency on BF-CBC existence from test_ncp

The test_check_ncp_ciphers_list test assumed that BF-CBC is always available, which is no longer the case with OpenSSL 3.0. Rewrite the test to not rely on BF-CBC to be available.

This is a cherry-pick from c07f95f3

Patch V2: manually fix if condition. Somehow the git cherry-pick ended up with a broken if condition.

commit sha: 66906cdcb7faf36c746834145d4b75b000467333

push time: 1 week ago

May 12 (1 week ago)

schwabe push schwabe/openvpn

schwabe

[OSSL3] Fix show-ciphers and show-digest showing not available ciphers

This is a minimal version to hide the non-supported ciphers in these listings. This allows make check to work again with OpenSSL 3.0.

This avoids pulling in all the other refactoring for OpenSSL 3.0.

This is partly cherry-picked from ab3f32b9.

Signed-off-by: Arne Schwabe [email protected]

schwabe

Remove dependency on BF-CBC existence from test_ncp

The test_check_ncp_ciphers_list test assumed that BF-CBC is always available, which is no longer the case with OpenSSL 3.0. Rewrite the test to not rely on BF-CBC to be available.

Signed-off-by: Arne Schwabe [email protected]
Acked-by: Max Fillinger [email protected]
Message-Id: [email protected]
URL: https://www.mail-archive.com/[email protected]/msg23003.html
Signed-off-by: Gert Doering [email protected]

commit sha: 46ba505af8ccb53630446a23d5546d29b133e2fb

push time: 1 week ago

schwabe push schwabe/openvpn

schwabe

Allow loading of non default providers

This allows OpenVPN to load non-default providers. This is mainly useful for loading the legacy provider with --providers legacy default

Cherry-pick of 08081aa0a153 to release/2.5. Changes.rst has been adjusted to better fit the changes in 2.5.

Signed-off-by: Arne Schwabe [email protected]

schwabe

Add ubuntu 22.04 to Github Actions

This adds Ubuntu 22.04 to the GitHub Actions. mbed TLS in 22.04 is still old enough (2.28) to build with OpenVPN and is GPL licensed.

Signed-off-by: Arne Schwabe [email protected]
Acked-by: Gert Doering [email protected]
Message-Id: [email protected]
URL: https://www.mail-archive.com/[email protected]/msg24299.html
Signed-off-by: Gert Doering [email protected]

schwabe

Add macos OpenSSL 3.0 and ASAN builds

Signed-off-by: Arne Schwabe [email protected]
Acked-by: Gert Doering [email protected]
Message-Id: [email protected]
URL: https://www.mail-archive.com/[email protected]/msg23018.html
Signed-off-by: Gert Doering [email protected]

schwabe

Add --with-openssl-engine autoconf option (auto|yes|no)

This is a cherry-pick to release/2.5 from 0df2261da. The OpenSSL engine tests fail otherwise and it is good to have the same behaviour as in master/2.6.

This allows selecting engine support at configure time. For OpenSSL 1.1 the default is not changed and we detect if engine support is available.

Engine support is deprecated in OpenSSL 3.0, and for OpenSSL 3.0 the default is to disable engine support as it is deprecated and generates compiler warnings, which in turn also break -Werror.

By using --with-openssl-engine=no or --with-openssl-engine=yes engine support can be forced on or off. If it is enabled but not detected an error will be thrown.

This commit cleans up the configure logic a bit and removes the ENGINE_cleanup checks as we can just assume that it will also be available as a macro or function if the other engine functions are available. Before the cleanup we would only check for the existence of engine.h if ENGINE_cleanup was not found.

Signed-off-by: Arne Schwabe [email protected]

schwabe

[OSSL3] Fix show-ciphers and show-digest showing not available ciphers

This is a minimal version to hide the non-supported ciphers in these listings. This allows make check to work again with OpenSSL 3.0.

This avoids pulling in all the other refactoring for OpenSSL 3.0.

commit sha: b39cb966da95380620233367710b46c44b9fd936

push time: 1 week ago

schwabe issue comment OpenVPN/openvpn-rfc

schwabe

Improve doc: back-tick fix, packet/payload, etc

-- Only did non-bulk text updates through Section 3.2

-- Detailed language fix was on the imprecise use of the term "packet" when we meant the "payload". I think everybody gets the idea that the payload follows the headers; so TCP or UDP, we can address the payload

-- Revise "The OpenVPN Wire Protocol" section start

-- Bulk update converting double back-tick pairs to ...

-- Bulk convert apostrophe (') character to "'". This is not required for proper rendering by the xml2rfc program; it is done to help some editors avoid incorrect syntax highlighting between apostrophes

schwabe

I don't really like the ' to ' change. This sounds like a workaround to a broken editor and makes the source code less readable. I thought you used emacs as well and my emacs has no problems with the ' in the xml source code.

schwabe push schwabe/openvpn

schwabe

Fix M_ERRNO behavior on Windows

We use M_ERRNO flag in logging to display error code and error message. This has been broken on Windows, where we use error code from GetLastError() and error description from strerror(). strerror() expects C runtime error code, which is quite different from last error code from WinAPI call. As a result, we got incorrect error description.

The ultimate fix would be introducing another flag for WinAPI errors, like M_WINERR and use either that or M_ERRNO depends on context. However, the change would be quite intrusive and in some cases it is hard to say which one to use without looking into internals.

Instead we stick to M_ERRNO and in the Windows case we first try to obtain the error code from GetLastError() and if it returns ERROR_SUCCESS (which is 0), we assume that we have a C runtime error and use errno. To get the error description we use strerror_win32() with GetLastError() and strerror() with errno.

strerror_win32() uses FormatMessage() internally, which is the right way to get WinAPI error description.

This commit is the backport of 54800aa975418fe3570f3206a5f9b277dc59bd47, adjusted for the different code base related to socket errors (print socket file descriptor) in x_check_status().

Signed-off-by: Lev Stipakov [email protected] Acked-by: Selva Nair [email protected] Message-Id: [email protected] URL: https://www.mail-archive.com/[email protected]/msg24274.html

Signed-off-by: Gert Doering [email protected]

schwabe

Refactor early initialisation and uninitialisation into methods

This puts the early initialisation and uninitialisation that needs to happen between option parsing and post processing into small methods.

Cherry-pick of 97056dbf9 as a prerequisite for the provider patch

Signed-off-by: Arne Schwabe [email protected]

schwabe

Allow loading of non default providers

This allows OpenVPN to load non-default providers. This is mainly useful for loading the legacy provider with --providers legacy default

Cherry-pick of 08081aa0a153 to release/2.5

Signed-off-by: Arne Schwabe [email protected]

schwabe

Add ubuntu 22.04 to Github Actions

This adds Ubuntu 22.04 to the Github actions. mbed TLS in 22.04 is still old enough (2.28) to build with OpenVPN and is GPL licensed.

Signed-off-by: Arne Schwabe [email protected] Acked-by: Gert Doering [email protected] Message-Id: [email protected] URL: https://www.mail-archive.com/[email protected]/msg24299.html

Signed-off-by: Gert Doering [email protected]

schwabe

Add macos OpenSSL 3.0 and ASAN builds

Signed-off-by: Arne Schwabe [email protected] Acked-by: Gert Doering [email protected] Message-Id: [email protected] URL: https://www.mail-archive.com/[email protected]/msg23018.html Signed-off-by: Gert Doering [email protected]

schwabe

Add --with-openssl-engine autoconf option (auto|yes|no)

This is a cherry-pick to release2.5 from 0df2261da. The OpenSSL engine tests fail otherwise and it is good to have the same behaviour as in master/2.6

This allows to select engine support at configure time. For OpenSSL 1.1 the default is not changed and we detect if engine support is available.

Engine support is deprecated in OpenSSL 3.0 and for OpenSSL 3.0 the default is to disable engine support as engine support is deprecated and generates compiler warnings which in turn also break -Werror.

By using --with-openssl-engine=no or --with-openssl-engine=yes engine support can be forced on or off. If it is enabled but not detected an error will be thrown.

This commit cleans up the configure logic a bit and removes the ENGINE_cleanup checks as we can just assume that it will also be available as a macro or function if the other engine functions are available. Before the cleanup we would only check for the existence of engine.h if ENGINE_cleanup was not found.

Signed-off-by: Arne Schwabe [email protected]

commit sha: 81dda8b0fcf95da9dbc229c15ceaba95b86262b5

pushed 1 week ago

May 11 (1 week ago)
push

schwabe push schwabe/openvpn

schwabe

Skip check_engine test on OpenSSL 3.0

This test is known to break on OpenSSL 3.0. This is a rather hacky way of skipping this test but proper ways need a lot more intrusive changes like the ones in OpenVPN 2.6.

Signed-off-by: Arne Schwabe [email protected]

commit sha: 4596b3ef5f6aaa45f71119b8515493c6f5c98318

pushed 1 week ago
push

schwabe push schwabe/openvpn

schwabe

Skip check_engine test on OpenSSL 3.0

This test is known to break on OpenSSL 3.0. This is a rather hacky way of skipping this test but proper ways need a lot more intrusive changes like the ones in OpenVPN 2.6.

Signed-off-by: Arne Schwabe [email protected]

commit sha: e7f3e3923fd321b2679a1b75e1b079088964f866

pushed 1 week ago
push

schwabe push schwabe/openvpn

schwabe

Skip check_engine test on OpenSSL 3.0

This test is known to break on OpenSSL 3.0. This is a rather hacky way of skipping this test but proper ways need a lot more intrusive changes like the ones in OpenVPN 2.6.

Signed-off-by: Arne Schwabe [email protected]

commit sha: 9328b8bae5c425e11f9ef18f175ac7ed10f9fdab

pushed 1 week ago
push

schwabe push schwabe/openvpn

schwabe

Add macos OpenSSL 3.0 and ASAN builds

Signed-off-by: Arne Schwabe [email protected] Acked-by: Gert Doering [email protected] Message-Id: [email protected] URL: https://www.mail-archive.com/[email protected]/msg23018.html Signed-off-by: Gert Doering [email protected]

schwabe

Skip check_engine test on OpenSSL 3.0

This test is known to break on OpenSSL 3.0. This is a rather hacky way of skipping this test but proper ways need a lot more intrusive changes like the ones in OpenVPN 2.6.

Signed-off-by: Arne Schwabe [email protected]

commit sha: 82793a32d1804100a95f7abc152c2424bcc7dace

pushed 1 week ago
push

schwabe push schwabe/openvpn

schwabe

Add ubuntu 22.04 to Github Actions

This adds Ubuntu 22.04 to the Github actions. mbed TLS in 22.04 is still old enough (2.28) to build with OpenVPN and is GPL licensed.

Signed-off-by: Arne Schwabe [email protected] Acked-by: Gert Doering [email protected] Message-Id: [email protected] URL: https://www.mail-archive.com/[email protected]/msg24299.html

Signed-off-by: Gert Doering [email protected]

commit sha: 79bfc0c10d2d2027b8d3be05dd50ce1e95df5efc

pushed 1 week ago
created branch

schwabe created branch 25provider in schwabe/openvpn

created 1 week ago

May 7 (2 weeks ago)
issue

schwabe issue comment schwabe/ics-openvpn

schwabe

Capabilitie

Hi, could you please tell me if it is possible to configure the application to let all traffic through a LOCAL proxy (for example 127.0.0.1:8787) in advance? This is necessary for the network level ad blocker to work.

schwabe

You can try the dhcp-option PROXY_HTTP if you are on a fairly modern Android, but all bets are off.

published release OpenVPN for Android 0.7.37

schwabe published release OpenVPN for Android 0.7.37 in schwabe/ics-openvpn

created 2 weeks ago

created tag
created 2 weeks ago