1. 01 Apr, 2020 1 commit
  2. 27 Jun, 2019 1 commit
  3. 04 Jun, 2019 1 commit
  4. 15 Apr, 2019 1 commit
  5. 09 Jan, 2019 1 commit
  6. 12 Feb, 2018 1 commit
    • Kevin Cernekee's avatar
      Fix crash on DTLS resumption · c032fcd9
      Kevin Cernekee authored
      If the mainloop is paused and then resumed, DTLS will attempt to
      reconnect at the same time as CSTP.  When DTLS-PSK is in use,
      gnutls_prf() will be called on a NULL vpninfo->https_sess pointer.
      Avoid this by deferring DTLS resumption until CSTP has reconnected, if
      DTLS-PSK is in use.
      Signed-off-by: default avatarKevin Cernekee <cernekee@gmail.com>
  7. 14 Aug, 2017 1 commit
    • Daniel Lenski's avatar
      tweak the dtls_state handling in preparation for supporting GlobalProtect ESP · cc6af8dd
      Daniel Lenski authored
      If a protocol wishes to have dtls_state set to DTLS_SLEEPING after closing
      UDP, then it must now do so explicitly, because the mainloop will no longer
      set it.  This patch make both existing protocols set dtls_state explicitly
      after closing the UDP connection.  (The nc protocol already did so
      explicitly, but the anyconnect protocol didn't.)
      The previous behavior, wherein dtls_state was *always* set to DTLS_SLEEPING
      after closing UDP, was incompatible with the GlobalProtect VPN.
      Disconnecting and reconnecting GlobalProtect VPN doesn't just require
      require reconnecting the UDP socket and resending probes; it actually
      invalidates any previously-obtained ESP secret.
      Signed-off-by: default avatarDaniel Lenski <dlenski@gmail.com>
      Signed-off-by: default avatarDavid Woodhouse <dwmw2@infradead.org>
  8. 15 May, 2017 2 commits
  9. 14 May, 2017 1 commit
  10. 13 Dec, 2016 2 commits
  11. 14 Sep, 2016 1 commit
    • David Woodhouse's avatar
      DTLS MTU detection fixes · 8adb493b
      David Woodhouse authored
      Most importantly, in some circumstances it was setting the "detected"
      MTU to the value of the first *failing* packet size, not the last
      working one. But also fix up various other issues too, and optimise it
      for the common case where the negotiated MTU *is* actually working.
      There are still issues with the way we choose the next candidate address,
      and it might never reach the actual best MTU. But it's better than it was.
      Signed-off-by: default avatarDavid Woodhouse <David.Woodhouse@intel.com>
  12. 12 Sep, 2016 1 commit
  13. 10 Sep, 2016 4 commits
  14. 31 Aug, 2016 1 commit
  15. 30 Aug, 2016 1 commit
  16. 25 Aug, 2016 3 commits
    • David Woodhouse's avatar
      Fix mingw build warning · 9566e725
      David Woodhouse authored
      Not sure if the --passtos is actually going to *work* on Windows, but it
      shouldn't do any harm if it isn't used. Shut it up.
      Signed-off-by: default avatarDavid Woodhouse <David.Woodhouse@intel.com>
    • Ralph Schmieder's avatar
      Add --passtos option to copy TOS/TCLASS from VPN packets · 37316927
      Ralph Schmieder authored
      This allows prioritised queuing of outbound packets. It is only of local
      significance (and importance) as it will influence queueing on the CPE
      which is typically the only place where this will be in effect. And the
      most effective place as the CPE is usually the bottleneck where all
      applications compete for limited upstream bandwidth.
      SPs do set the DSCP to 0 anyway at the trust boundary (which is the next
      hop from the CPE). Same goes for large corporations which also either
      reset the DSCP or have it set according to their policy, not the user's.
      It is implemented as an 'opt-in' using the --passtos command line switch
      in accordance with the OpenVPN implementation
      Signed-off-by: default avatarRalph Schmieder <ralph.schmieder@gmail.com>
      Signed-off-by: default avatarDavid Woodhouse <David.Woodhouse@intel.com>
    • Nikos Mavrogiannopoulos's avatar
      Always calculate the base_mtu value · d029f8d9
      Nikos Mavrogiannopoulos authored
      This patch fixes issues in base_mtu value calcuation (previously it was
      never calculated), and ensures that this value is always present. This
      value provides the server of an estimation of the link (or path) MTU between
      the server and the client, is much simpler to calculate than the tunnel MTU
      (does not rely on an estimation of the negotiated DTLS ciphers). As such
      it can provide the server with more reliable information than the X-CSTP-MTU
      Signed-off-by: default avatarNikos Mavrogiannopoulos <nmav@redhat.com>
      Signed-off-by: default avatarDavid Woodhouse <David.Woodhouse@intel.com>
  17. 04 Aug, 2016 2 commits
  18. 25 Jul, 2016 1 commit
  19. 06 May, 2016 2 commits
  20. 04 May, 2016 1 commit
  21. 22 Jan, 2016 2 commits
  22. 13 Jan, 2016 2 commits
  23. 05 Dec, 2015 1 commit
  24. 02 Dec, 2015 1 commit
  25. 07 Oct, 2015 1 commit
  26. 06 Oct, 2015 1 commit
  27. 06 Aug, 2015 3 commits