Re: [Openvpn-devel] [PATCH v6 2/3] crypto_openssl: add initialization to pick up local configuration
On Sun, 2020-06-07 at 13:11 +0200, Gert Doering wrote: > Hi, > > > diff --git a/src/openvpn/crypto_openssl.c > > b/src/openvpn/crypto_openssl.c > > index 4ac77fde..fd57edd2 100644 > > --- a/src/openvpn/crypto_openssl.c > > +++ b/src/openvpn/crypto_openssl.c > > @@ -149,6 +149,11 @@ crypto_init_lib_engine(const char > > *engine_name) > > void > > crypto_init_lib(void) > > { > > +#if (OPENSSL_VERSION_NUMBER >= 0x1010L) > > +OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL); > > +#else > > +OPENSSL_config(NULL); > > +#endif > > This is failing on some of the Travis builds, with the error message > > 1191 crypto_openssl.c: In function `crypto_init_lib': > 1192 crypto_openssl.c:155:5: error: implicit declaration of function > `OPENSSL_config'; did you mean `OPENSSL_init'? [-Werror=implicit- > function-declaration] > 1193 OPENSSL_config(NULL); > 1194 ^~ > > https://travis-ci.org/github/OpenVPN/openvpn/builds/695633823 > > From what I can see, this is for the builds with "openssl 1.0.1u" and > "openssl 1.0.2u" on Bionic. > > > I'm not sure if we intend to support these versions, but this needs > to be fixed - either the code needs to be adjusted or the travis > build matrix (for master). Sorry about that. Best guess is it's missing an include for openssl/conf.h. You don't need that today because pretty much every other openssl header includes it, but that may not always have been so. Does the below patch fix it? If it does, it should probably be folded into the other patch. It should be safe because openssl/conf.h has existed for every version of openssl you support. James ---8>8>8><8<8<8--- From: James Bottomley Subject: [PATCH] crypto_openssl: add include for openssl/conf.h Fix build failure on older versions of openssl. Signed-off-by: James Bottomley --- src/openvpn/crypto_openssl.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index fd57edd2..94b6d85b 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -43,6 +43,7 @@ #include "crypto_backend.h" #include "openssl_compat.h" +#include #include #include #include -- 2.26.2 ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH v4 6/7] options: enable IPv4 redirection logic only if really required
Hi, On Sat, May 30, 2020 at 02:05:59AM +0200, Antonio Quartulli wrote: > From: Antonio Quartulli > > If no IPv4 redirection flag is set, do not enable the IPv4 > redirection logic at all so that it won't bother adding any > useless IPv4 route. > > Trac: #208 > Signed-off-by: Antonio Quartulli I can see why we want this - I tried to connect to a "v6-only-in-tunnel" server over v4, specifying "redirect-gateway !ipv4 ipv6", and it tried to install a v4 /32 redirect route... Sun Jun 7 13:20:43 2020 net_route_v4_add: 199.102.77.82/32 via 193.149.48.190 dev [NULL] table 0 metric -1 ... which is harmless, but "unnecesary fumbling" is not desirable. The reason why I'm a bit unhappy about applying it is that it will change behaviour for the "redirect-private" case, and that might break people's setups. For "redirect-gateway" or "redirect-gateway def1" (etc), it will not change anything. Can we make this conditional in a way that does not break "redirect-private"? (I used to use "redirect-private" to handle overlapping IPv4 routes without actually redirecting the whole gateway - think "VPN server is on 192.0.2.1 and you want to push 'route 192.0.2.0/24'". IPv6 handles this automatically, but v4 needs "redirect-private" for that to work) thanks :) gert -- "If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor." Robert A. Heinlein, The Moon is a Harsh Mistress Gert Doering - Munich, Germany g...@greenie.muc.de signature.asc Description: PGP signature ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH v6 2/3] crypto_openssl: add initialization to pick up local configuration
Hi, > diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c > index 4ac77fde..fd57edd2 100644 > --- a/src/openvpn/crypto_openssl.c > +++ b/src/openvpn/crypto_openssl.c > @@ -149,6 +149,11 @@ crypto_init_lib_engine(const char *engine_name) > void > crypto_init_lib(void) > { > +#if (OPENSSL_VERSION_NUMBER >= 0x1010L) > +OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL); > +#else > +OPENSSL_config(NULL); > +#endif This is failing on some of the Travis builds, with the error message 1191 crypto_openssl.c: In function `crypto_init_lib': 1192 crypto_openssl.c:155:5: error: implicit declaration of function `OPENSSL_config'; did you mean `OPENSSL_init'? [-Werror=implicit-function-declaration] 1193 OPENSSL_config(NULL); 1194 ^~ https://travis-ci.org/github/OpenVPN/openvpn/builds/695633823 From what I can see, this is for the builds with "openssl 1.0.1u" and "openssl 1.0.2u" on Bionic. I'm not sure if we intend to support these versions, but this needs to be fixed - either the code needs to be adjusted or the travis build matrix (for master). gert -- "If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor." Robert A. Heinlein, The Moon is a Harsh Mistress Gert Doering - Munich, Germany g...@greenie.muc.de signature.asc Description: PGP signature ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: route: warn on IPv4 routes installation when no IPv4 is configured
Acked-by: Gert Doering "because it makes sense" :-) Tested on the client side (only) because this is really independent of client/server setup. Nicely warns if (and only if) a route for IPv4 or IPv6 is encountered without a previous ifconfig/ifconfig-ipv6. Your patch has been applied to the master branch. commit 826d8953a335fdbc8d20d800f800a44d0674f00a Author: Antonio Quartulli Date: Sat May 30 02:05:58 2020 +0200 route: warn on IPv4 routes installation when no IPv4 is configured Signed-off-by: Antonio Quartulli Acked-by: Gert Doering Message-Id: <2020053600.1680-...@unstable.cc> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19946.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH v4 7/7] ipv6-pool: get rid of size constraint
Hi, On Sat, May 30, 2020 at 02:06:00AM +0200, Antonio Quartulli wrote: > o->ifconfig_ipv6_pool_defined = true; > -o->ifconfig_ipv6_pool_base = > -add_in6_addr( o->server_network_ipv6, 0x1000 ); > +o->ifconfig_ipv6_pool_base = add_in6_addr(o->server_network_ipv6, 2); > o->ifconfig_ipv6_pool_netbits = o->server_netbits_ipv6; Thinking more about this, I'm not totally happy with this particular change. Yes, it makes sense for smallish pools (/112 to /124) because there we do not have room for "wasting addresses". OTOH, changing this for an existing /64 pool - or anything "large enough that 0x1000 addresses will not matter" - would change behaviour in existing setups - that's one of the feedbacks I already received via Twitter on the patchset https://twitter.com/tschaeferm/status/1266822120497188876 One of the notable things that it would break is our buildbot t_client test environment - all clients would receive new v6 addresses, and since one of the tests is "have I received what I expect?" this would cause a buildbot explosion. My idea would be to make this conditional on the pool size - if the size is /64.../111, make it +0x1000 ("keep existing behaviour for large-enough pools"), if it's /112.../124, make it +2 Thoughts? gert PS: the rest of the patch is fine -- "If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor." Robert A. Heinlein, The Moon is a Harsh Mistress Gert Doering - Munich, Germany g...@greenie.muc.de signature.asc Description: PGP signature ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: pool: add support for ifconfig-pool-persist with IPv6 only
Acked-by: Gert Doering Much nicer code than in v4 :-) Stared-at-code, and ran the t_client and t_server tests with ipv4-only, ipv4+ipv6 and ipv6-only pools (ipv4-only is something I never wanted to do again... :-) ). Tested pool mishandling ("corrupt" and "out-of-bounds" v4+v6 addresses, mismatching pool indexes, etc.) - and that all behaves like planned. \o/ Something for the cleanup patch: pool.c seems to have grown an include for "options.h", but I can not see a reason why this is needed (it compiles fine without)...? Your patch has been applied to the master branch. commit 6a8cd033b1812a26b9b35c17eef33240d7ac2719 Author: Antonio Quartulli Date: Sat Jun 6 23:16:24 2020 +0200 pool: add support for ifconfig-pool-persist with IPv6 only Signed-off-by: Antonio Quartulli Acked-by: Gert Doering Message-Id: <20200606211624.10877-...@unstable.cc> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19990.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel