Re: [Openvpn-devel] [PATCH v6 2/3] crypto_openssl: add initialization to pick up local configuration
On Sun, 2020-06-07 at 13:11 +0200, Gert Doering wrote:
> Hi,
>
> > diff --git a/src/openvpn/crypto_openssl.c
> > b/src/openvpn/crypto_openssl.c
> > index 4ac77fde..fd57edd2 100644
> > --- a/src/openvpn/crypto_openssl.c
> > +++ b/src/openvpn/crypto_openssl.c
> > @@ -149,6 +149,11 @@ crypto_init_lib_engine(const char
> > *engine_name)
> > void
> > crypto_init_lib(void)
> > {
> > +#if (OPENSSL_VERSION_NUMBER >= 0x1010L)
> > +OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL);
> > +#else
> > +OPENSSL_config(NULL);
> > +#endif
>
> This is failing on some of the Travis builds, with the error message
>
> 1191 crypto_openssl.c: In function `crypto_init_lib':
> 1192 crypto_openssl.c:155:5: error: implicit declaration of function
> `OPENSSL_config'; did you mean `OPENSSL_init'? [-Werror=implicit-
> function-declaration]
> 1193 OPENSSL_config(NULL);
> 1194 ^~
>
> https://travis-ci.org/github/OpenVPN/openvpn/builds/695633823
>
> From what I can see, this is for the builds with "openssl 1.0.1u" and
> "openssl 1.0.2u" on Bionic.
>
>
> I'm not sure if we intend to support these versions, but this needs
> to be fixed - either the code needs to be adjusted or the travis
> build matrix (for master).
Sorry about that. Best guess is it's missing an include for
openssl/conf.h. You don't need that today because pretty much every
other openssl header includes it, but that may not always have been so.
Does the below patch fix it? If it does, it should probably be folded
into the other patch. It should be safe because openssl/conf.h has
existed for every version of openssl you support.
James
---8>8>8><8<8<8---
From: James Bottomley
Subject: [PATCH] crypto_openssl: add include for openssl/conf.h
Fix build failure on older versions of openssl.
Signed-off-by: James Bottomley
---
src/openvpn/crypto_openssl.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
index fd57edd2..94b6d85b 100644
--- a/src/openvpn/crypto_openssl.c
+++ b/src/openvpn/crypto_openssl.c
@@ -43,6 +43,7 @@
#include "crypto_backend.h"
#include "openssl_compat.h"
+#include
#include
#include
#include
--
2.26.2
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH v4 6/7] options: enable IPv4 redirection logic only if really required
Hi, On Sat, May 30, 2020 at 02:05:59AM +0200, Antonio Quartulli wrote: > From: Antonio Quartulli > > If no IPv4 redirection flag is set, do not enable the IPv4 > redirection logic at all so that it won't bother adding any > useless IPv4 route. > > Trac: #208 > Signed-off-by: Antonio Quartulli I can see why we want this - I tried to connect to a "v6-only-in-tunnel" server over v4, specifying "redirect-gateway !ipv4 ipv6", and it tried to install a v4 /32 redirect route... Sun Jun 7 13:20:43 2020 net_route_v4_add: 199.102.77.82/32 via 193.149.48.190 dev [NULL] table 0 metric -1 ... which is harmless, but "unnecesary fumbling" is not desirable. The reason why I'm a bit unhappy about applying it is that it will change behaviour for the "redirect-private" case, and that might break people's setups. For "redirect-gateway" or "redirect-gateway def1" (etc), it will not change anything. Can we make this conditional in a way that does not break "redirect-private"? (I used to use "redirect-private" to handle overlapping IPv4 routes without actually redirecting the whole gateway - think "VPN server is on 192.0.2.1 and you want to push 'route 192.0.2.0/24'". IPv6 handles this automatically, but v4 needs "redirect-private" for that to work) thanks :) gert -- "If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor." Robert A. Heinlein, The Moon is a Harsh Mistress Gert Doering - Munich, Germany g...@greenie.muc.de signature.asc Description: PGP signature ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH v6 2/3] crypto_openssl: add initialization to pick up local configuration
Hi,
> diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
> index 4ac77fde..fd57edd2 100644
> --- a/src/openvpn/crypto_openssl.c
> +++ b/src/openvpn/crypto_openssl.c
> @@ -149,6 +149,11 @@ crypto_init_lib_engine(const char *engine_name)
> void
> crypto_init_lib(void)
> {
> +#if (OPENSSL_VERSION_NUMBER >= 0x1010L)
> +OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL);
> +#else
> +OPENSSL_config(NULL);
> +#endif
This is failing on some of the Travis builds, with the error message
1191 crypto_openssl.c: In function `crypto_init_lib':
1192 crypto_openssl.c:155:5: error: implicit declaration of function
`OPENSSL_config'; did you mean `OPENSSL_init'?
[-Werror=implicit-function-declaration]
1193 OPENSSL_config(NULL);
1194 ^~
https://travis-ci.org/github/OpenVPN/openvpn/builds/695633823
From what I can see, this is for the builds with "openssl 1.0.1u" and
"openssl 1.0.2u" on Bionic.
I'm not sure if we intend to support these versions, but this needs to
be fixed - either the code needs to be adjusted or the travis build
matrix (for master).
gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany g...@greenie.muc.de
signature.asc
Description: PGP signature
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: route: warn on IPv4 routes installation when no IPv4 is configured
Acked-by: Gert Doering "because it makes sense" :-) Tested on the client side (only) because this is really independent of client/server setup. Nicely warns if (and only if) a route for IPv4 or IPv6 is encountered without a previous ifconfig/ifconfig-ipv6. Your patch has been applied to the master branch. commit 826d8953a335fdbc8d20d800f800a44d0674f00a Author: Antonio Quartulli Date: Sat May 30 02:05:58 2020 +0200 route: warn on IPv4 routes installation when no IPv4 is configured Signed-off-by: Antonio Quartulli Acked-by: Gert Doering Message-Id: <2020053600.1680-...@unstable.cc> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19946.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH v4 7/7] ipv6-pool: get rid of size constraint
Hi,
On Sat, May 30, 2020 at 02:06:00AM +0200, Antonio Quartulli wrote:
> o->ifconfig_ipv6_pool_defined = true;
> -o->ifconfig_ipv6_pool_base =
> -add_in6_addr( o->server_network_ipv6, 0x1000 );
> +o->ifconfig_ipv6_pool_base = add_in6_addr(o->server_network_ipv6, 2);
> o->ifconfig_ipv6_pool_netbits = o->server_netbits_ipv6;
Thinking more about this, I'm not totally happy with this particular
change.
Yes, it makes sense for smallish pools (/112 to /124) because there we
do not have room for "wasting addresses".
OTOH, changing this for an existing /64 pool - or anything "large enough
that 0x1000 addresses will not matter" - would change behaviour in existing
setups - that's one of the feedbacks I already received via Twitter on the
patchset
https://twitter.com/tschaeferm/status/1266822120497188876
One of the notable things that it would break is our buildbot t_client
test environment - all clients would receive new v6 addresses, and since
one of the tests is "have I received what I expect?" this would cause
a buildbot explosion.
My idea would be to make this conditional on the pool size - if the size
is /64.../111, make it +0x1000 ("keep existing behaviour for large-enough
pools"), if it's /112.../124, make it +2
Thoughts?
gert
PS: the rest of the patch is fine
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany g...@greenie.muc.de
signature.asc
Description: PGP signature
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: pool: add support for ifconfig-pool-persist with IPv6 only
Acked-by: Gert Doering
Much nicer code than in v4 :-)
Stared-at-code, and ran the t_client and t_server tests with ipv4-only,
ipv4+ipv6 and ipv6-only pools (ipv4-only is something I never wanted to
do again... :-) ).
Tested pool mishandling ("corrupt" and "out-of-bounds" v4+v6 addresses,
mismatching pool indexes, etc.) - and that all behaves like planned. \o/
Something for the cleanup patch: pool.c seems to have grown an include
for "options.h", but I can not see a reason why this is needed (it
compiles fine without)...?
Your patch has been applied to the master branch.
commit 6a8cd033b1812a26b9b35c17eef33240d7ac2719
Author: Antonio Quartulli
Date: Sat Jun 6 23:16:24 2020 +0200
pool: add support for ifconfig-pool-persist with IPv6 only
Signed-off-by: Antonio Quartulli
Acked-by: Gert Doering
Message-Id: <20200606211624.10877-...@unstable.cc>
URL:
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19990.html
Signed-off-by: Gert Doering
--
kind regards,
Gert Doering
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
