
Build History for branch/main

Builds (76)
Merge pull request #285 from robur-coop/fix-pin-to-local use a local git+file pin
3e705e
Merge pull request #284 from robur-coop/mirage-48 update to mirage 4.8
b8e626
Merge pull request #283 from robur-coop/ocaml-5.3 avoid effect, which is now a keyword in ocaml 5.3
3d7ee6
Merge pull request #280 from robur-coop/optimizations Various optimizations
8d7013
Refactor
eba6e5
Merge pull request #279 from robur-coop/nono-cstruct remove dependency on cstruct, use string and bytes instead
6099a4
Merge pull request #278 from robur-coop/fix-ci fix CI: adjust to mirage 4.6.0 changes
2ae714
link to the handbook
820d8b
minor README updates
fe78f5
Merge pull request #274 from robur-coop/tweaks Tweak tests for more coverage
fc412f
Merge pull request #276 from robur-coop/wait-more test mode: wait for 3 pings
2fb355
Merge pull request #277 from robur-coop/minor e2e github action: don't output binary data onto console
4357f3
Merge pull request #272 from robur-coop/e2e-testing Add and use pkcs12 in tls-crypt-v2 e2e test
9a7c5c
Merge pull request #273 from robur-coop/test-openvpn-repo end-to-end: use openvpn repo to retrieve a more recent version
1058a3
Merge pull request #270 from robur-coop/e2e-testing end-to-end testing shell scripts
79a1fa
Merge pull request #271 from robur-coop/no-cmdliner-1.3 avoid cmdliner 1.3.0 dependency
a8f0cf
Compute routes with net_gateway or remote_host (#268) * Compute routes with net_gateway or remote_host And attempt autolocal.
bf1217
Merge pull request #269 from robur-coop/cmdliner Bump cmdliner version constraint
cf046e
Some enhancements for the miragevpn_client_lwt (#266)
* miragevpn_client_lwt, FreeBSD: read/write tun interface uses a 4 byte header on FreeBSD (and OpenBSD and macOS with utun), there's a 4 byte header reading and writing a tun interface, which encodes the protocol type: 00000002 -- for IPv4 (the value of AF_INET)
* miragevpn_client_lwt: add a host route to the VPN server for achieving this, we need to figure out the route to the server
* miragevpn_client_lwt: catch Ctrl-C and exit manually. This allows at_exit to be run
* miragevpn_client_lwt: fail hard if est_mvar contains another value i.e. on error or when ip configuration changes
---------
Co-authored-by: Reynir Björnsson <reynir@reynir.dk>
4ef3bf
fix openvpn-config-parser for server
6dcecc
server: use a --really-no-authentication flag. if not provided, exit early if there's no authentication (#265)
55d367
Improve openvpn_config_parser (#264) * Improve openvpn_config_parser We can now validate both client and server configurations, and the block size padding is now configurable.
4d96f2
Fix benchmark We should always have --dev tun.
34588a
Routes (#261)
* implement --route parsing (again), also redirect-gateway
* allow redirect_gateway being pushed by the server
* lwt-client: configure routes, and also set ip properly
* transport the routes in Established, apply them in the lwt client this also renames the miragevpn_mirage functors, thus qubes client needs to be updated
Co-Authored-By: Hannes Mehnert <hannes@mehnert.org>
Co-authored-by: Robur Team <team@robur.coop>
7c579b
Merge pull request #260 from robur-coop/server-bloc mirage-server: use a block device, fix compilation
3aa0fd
Option parsing: less magic in Config, introduce Config_ext This removes postprocessing from the configuration in config.ml, making it clearer and more in line with OpenVPN. Fixes #76. Co-Authored-By: Reynir Björnsson <reynir@reynir.dk> Co-Authored-By: Hannes Mehnert <hannes@mehnert.org>
195beb
server unikernel add NAT support (#259) server unikernel add NAT support Co-Authored-By: Reynir Björnsson <reynir@reynir.dk> Co-Authored-By: Hannes Mehnert <hannes@mehnert.org>
c1c2ab
cirrus: update to FreeBSD 14.1
798c47
Merge pull request #258 from palainp/update update to ocaml-dns 8.0.0
0a502c
Fail on push messages containing commas Co-authored-by: Hannes Mehnert <hannes@mehnert.org> Co-authored-by: Reynir Björnsson <reynir@reynir.dk>
cd7d99
Push directive (#254)
* Parse 'push' configuration directive
* Send --push push options, minor fix We send the push options specified with --push configuration directive. How we serialized --protocol-flags in push reply was wrong in an insignificant way.
* Clarify comment, address review comment The comment about a_single_param (incorrectly referred to as a_param) was unclear. Also use the {|other string|} literal to avoid long, unreadable escape sequences.
e56199
Merge pull request #253 from robur-coop/client-unify unify mirage-nat and mirage-router into a single unikernel where `--nat` is a runtime argument
63340e
server: support client-to-client (#252)
* config: support client-to-client
* server: if client-to-client is specified, forward local packets
* reply with host unreachable in case there's no such host
* ignore multicast and broadcast traffic
Co-authored-by: Reynir Björnsson <reynir@reynir.dk>
7c717b
Merge pull request #251 from robur-coop/mirage-4.5.1 update to mirage 4.5.1
9fda4f
Miragevpn.server: authentication (#249)
Miragevpn.server: add "?auth_user_pass : user:string -> pass:string -> bool"
This is used for password authentication. On password authentication failure `AUTH_FAILED` is sent to the client and an `` `Exit `` action is returned.
The client certificate is now validated against either `ca` or `peer-fingerprint` unless `verify-client-cert none`. We reject `verify-client-cert optional` as it is easy to inadvertently allow unauthenticated clients. Please reach out if `verify-client-cert optional` is useful to you.
Co-authored-by: Reynir Björnsson <reynir@reynir.dk>
516ec3
Control channel explicit exit notifications (#247)
Parse better control channel messages
Messages EXIT, RESTART and HALT are now better parsed. Messages RESTART and HALT can carry an optional message separated by a comma, e.g. HALT,shutting down
The OpenVPN parser is very sloppy and only checks the prefixes "EXIT", "HALT", and "RESTART". Thus "HALTTTTT" is interpreted by OpenVPN as a HALT message. We choose not to be this sloppy with the parsing.
Co-authored-by: Hannes Mehnert <hannes@mehnert.org>
33dd0f
Merge pull request #243 from robur-coop/enable-tls-ekm Reenable tls-ekm
1b58ba
Merge pull request #246 from robur-coop/minor config: check that server has proto = TCP if specified
5eb1e0
Merge pull request #245 from robur-coop/compute-hmac-before-decoding validate the hmac before processing the incoming control packet
672ed8
Merge pull request #244 from robur-coop/server-tls-crypt-v2 Server tls-crypt-v2 support
503705
Merge pull request #242 from robur-coop/server-tls-crypt Add tls-crypt for our server, require if tls-mode is present as well
622233
Merge pull request #240 from robur-coop/mirage45 update unikernels to mirage 4.5.0
cfd190
Merge pull request #235 from robur-coop/server-tls-ekm Server tls-ekm negotiation
c8ae10
Merge pull request #237 from robur-coop/exitcc' Fix Use_cc_exit_notify bit value
a401e2
miragevpn server: close connection on error
eac23f
When `Established _` read incoming control channel messages (#234)
* Read control channel messages
* Add `send_control_message` function. For sending arbitrary control channel messages.
* Add Iv_proto.Use_cc_exit_notify
* Read incoming exit, restart and halt messages
Other fixes and changes:
* miragevpn-client-notun: handle end-of-file
* Fix connect-retry-max logic: it would immediately fail always except if --connect-retry-max 0.
* incoming_control*: we don't modify `session`
5d25b6
Merge pull request #233 from robur-coop/minor bugfix: use latest tls' state for ekm, as reported by @reynir
30b6ea
Merge pull request #232 from robur-coop/exitcc Keep TLS state when established
19eeb2
Merge pull request #231 from robur-coop/m-server more work on the server
702492
Benchmark (#230) The benchmark sets up a client and server internally and does the handshake until established (by way of hard coded parsing messages emitted from each peer). The benchmark tests the data encoding ("upload") and data decoding ("download") and does not exercise the control channel as part of the benchmark. The benchmark is further parameterized on the (data channel) cipher.
900c22
Merge pull request #229 from robur-coop/server more work on server
75c9df
Merge pull request #228 from robur-coop/server-sync adapt mirage/miragevpn_mirage to changes in miragevpn_server_notun from @reynir
9c7865
Merge pull request #225 from robur-coop/server-no-tun add a lwt miragevpn_server_notun to ease development
6b120c
Merge pull request #226 from robur-coop/config-server Try to handle --server a bit better
af1406
Merge pull request #224 from robur-coop/refactor Refactor common bindings to app/common (not exposed)
4c6332
Merge pull request #222 from robur-coop/tls-0174 support tls 0.17.4
fe92b0
opam: restrict to randomconv < 0.2.0
cfb44c
Fix more tls-crypt bugs recently introduced
45ccfa
Fix tls-crypt
a0ab7e
Rename Cstruct_ext.concat_with_empty_prefix Into Cstruct_ext.concat_with_unsafe_prefix and do not memset the prefix.
84a503
Merge pull request #220 from robur-coop/guard-alloc Move formatting into pp_error
d790fb
Merge pull request #219 from robur-coop/encode-allocations Data packet encode allocations
cd8dc5
Merge pull request #217 from robur-coop/encode-allocations encode: reduce allocations
4a541e
Merge pull request #218 from robur-coop/minor Engine.out: minor tweaks, use Cstruct.create_unsafe
9e49c0
Merge pull request #216 from robur-coop/cstruct_ext-append' Rename Cstruct_ext.append_nocopy -> append'
ca5296
Merge pull request #214 from robur-coop/cstruct-ext More garbage friendly cstruct wrapper
52f093
Merge pull request #215 from robur-coop/operation Rewrite operation converters
4c12aa
dune bu @fmt
94b26b
Merge pull request #212 from robur-coop/fix-decode_tls_data decode_tls_data: don't add u_len twice
4db995
Reduce allocations in data path (#210) * Reduce allocations in data path
75f9d8
Merge pull request #211 from robur-coop/server-tls-ticket Server: allow any TLS session tickets in established state
e5fc75
mirage-router: revert the noop0/noop1 hack, require mirage 4.4.2
fcbdb4
Merge pull request #208 from robur-coop/with-key-direction Be able to parse key-direction in our configuration file
c85f85
Remove evaluated Cstruct.hexdump_pp on guards which slow down our process (#209) * Remove evaluated Cstruct.hexdump_pp on guards which slow down our process
10387e
Merge pull request #202 from robur-coop/udp UDP and eduvpn
22d010
Merge pull request #203 from robur-coop/ci cirrus: use FreeBSD 13-2
49a367