[Openvpn-devel] [S] Change in openvpn[master]: GHA: Enable t_server_null tests
Attention is currently required from: flichtenheld, plaisthos.

cron2 has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/743?usp=email )

Change subject: GHA: Enable t_server_null tests
..

Patch Set 1: Code-Review+2

(1 comment)

Patchset:

PS1:
GH says this works :-)

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/743?usp=email
To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I86203b8f9a6d3cfc5e56d3ce9452af694fd11011
Gerrit-Change-Number: 743
Gerrit-PatchSet: 1
Gerrit-Owner: flichtenheld
Gerrit-Reviewer: cron2
Gerrit-Reviewer: plaisthos
Gerrit-CC: openvpn-devel
Gerrit-Attention: plaisthos
Gerrit-Attention: flichtenheld
Gerrit-Comment-Date: Thu, 12 Sep 2024 17:48:48 +
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment

___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [XS] Change in openvpn[master]: dco: mark peer as deleted from kernel after receiving CMD_DEL_PEER no...
cron2 has uploaded a new patch set (#2) to the change originally created by ordex. ( http://gerrit.openvpn.net/c/openvpn/+/744?usp=email ) The following approvals got outdated and were removed: Code-Review+2 by plaisthos Change subject: dco: mark peer as deleted from kernel after receiving CMD_DEL_PEER notification .. dco: mark peer as deleted from kernel after receiving CMD_DEL_PEER notification some extra DCO calls may be made after receiving the DEL_PEER notification (i.e. due to timeout), but this will result in an error message due to the peer having disappeared already. An extra call might be, for example, an explicit DEL_PEER in the attempt of cleaning the peer state. For this reason, inform userspace that there is no peer in kernel anymore and prevent errors which may result confusing. Change-Id: Ife50e37cd49d55ec81a70319a524ffeaf0625a56 Signed-off-by: Antonio Quartulli Acked-by: Arne Schwabe Message-Id: <20240912165339.21058-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29226.html Signed-off-by: Gert Doering --- M src/openvpn/forward.c 1 file changed, 2 insertions(+), 0 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/44/744/2 diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index 40b7cc4..374ba47 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c 
@@ -1256,6 +1256,8 @@ switch (dco->dco_message_type) { case OVPN_CMD_DEL_PEER: +/* peer is gone, unset ID to prevent more kernel calls */ +c->c2.tls_multi->dco_peer_id = -1; if (dco->dco_del_peer_reason == OVPN_DEL_PEER_REASON_EXPIRED) { msg(D_DCO_DEBUG, "%s: received peer expired notification of for peer-id " -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/744?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Ife50e37cd49d55ec81a70319a524ffeaf0625a56 Gerrit-Change-Number: 744 Gerrit-PatchSet: 2 Gerrit-Owner: ordex Gerrit-Reviewer: flichtenheld Gerrit-Reviewer: plaisthos Gerrit-CC: openvpn-devel Gerrit-MessageType: newpatchset ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
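Review bot: setting dco_peer_id to -1 in the OVPN_CMD_DEL_PEER case only stops further kernel calls if every later DCO call path tests for -1 before talking to the kernel, and this hunk shows none of those checks; the commit message should name where that test lives (for instance the explicit DEL_PEER during cleanup it mentions) so a reviewer can confirm the sentinel is actually honoured, and the new comment could point there too, e.g. "callers check dco_peer_id != -1 before issuing DEL_PEER". Also worth confirming that c->c2.tls_multi cannot be NULL on this path, since the new assignment dereferences it unconditionally before the reason check.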
[Openvpn-devel] [XS] Change in openvpn[master]: dco: mark peer as deleted from kernel after receiving CMD_DEL_PEER no...
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/744?usp=email ) Change subject: dco: mark peer as deleted from kernel after receiving CMD_DEL_PEER notification .. dco: mark peer as deleted from kernel after receiving CMD_DEL_PEER notification some extra DCO calls may be made after receiving the DEL_PEER notification (i.e. due to timeout), but this will result in an error message due to the peer having disappeared already. An extra call might be, for example, an explicit DEL_PEER in the attempt of cleaning the peer state. For this reason, inform userspace that there is no peer in kernel anymore and prevent errors which may result confusing. Change-Id: Ife50e37cd49d55ec81a70319a524ffeaf0625a56 Signed-off-by: Antonio Quartulli Acked-by: Arne Schwabe Message-Id: <20240912165339.21058-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29226.html Signed-off-by: Gert Doering --- M src/openvpn/forward.c 1 file changed, 2 insertions(+), 0 deletions(-) diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index 40b7cc4..374ba47 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c 
@@ -1256,6 +1256,8 @@ switch (dco->dco_message_type) { case OVPN_CMD_DEL_PEER: +/* peer is gone, unset ID to prevent more kernel calls */ +c->c2.tls_multi->dco_peer_id = -1; if (dco->dco_del_peer_reason == OVPN_DEL_PEER_REASON_EXPIRED) { msg(D_DCO_DEBUG, "%s: received peer expired notification of for peer-id " -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/744?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Ife50e37cd49d55ec81a70319a524ffeaf0625a56 Gerrit-Change-Number: 744 Gerrit-PatchSet: 2 Gerrit-Owner: ordex Gerrit-Reviewer: flichtenheld Gerrit-Reviewer: plaisthos Gerrit-CC: openvpn-devel Gerrit-MessageType: merged ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
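Review bot: the unchanged context line at the end of this hunk carries a typo in the user-visible debug message, "received peer expired notification of for peer-id" (stray "of"); since this case statement is being touched anyway, a follow-up could change the string to "received peer expired notification for peer-id".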
[Openvpn-devel] [S] Change in openvpn[master]: Remove check for anonymous unions from configure and cmake config
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/588?usp=email ) Change subject: Remove check for anonymous unions from configure and cmake config .. Remove check for anonymous unions from configure and cmake config Anonymous unions/structs are technically a custom GNU C99 feature but was already widely supported by other compilers. With C11 this feature has become a standard feature so all compilers nowadays support it. Change-Id: I1ef5f6f21f0135a628a63553c39515fa4549ce87 Signed-off-by: Arne Schwabe Acked-by: Frank Lichtenheld Message-Id: <20240710160238.190189-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28914.html Signed-off-by: Gert Doering --- M config.h.cmake.in M configure.ac M src/openvpn/mroute.h 3 files changed, 1 insertion(+), 36 deletions(-) diff --git a/config.h.cmake.in b/config.h.cmake.in index 720d679..18af5e9 100644 --- a/config.h.cmake.in +++ b/config.h.cmake.in @@ -65,9 +65,6 @@ /* Enable --x509-username-field feature */ #cmakedefine ENABLE_X509ALTUSERNAME -/* Compiler supports anonymous unions */ -#define HAVE_ANONYMOUS_UNION_SUPPORT - /* Define to 1 if you have the header file. */ #cmakedefine HAVE_ARPA_INET_H 1 diff --git a/configure.ac b/configure.ac index 9e569bf..9bc15c8 100644 --- a/configure.ac +++ b/configure.ac @@ -564,28 +564,6 @@ , [[${SOCKET_INCLUDES}]] ) -AC_MSG_CHECKING([anonymous union support]) -AC_COMPILE_IFELSE( - [AC_LANG_PROGRAM( - [[ - struct mystruct { - union { - int m1; - char m2; - }; - }; - ]], - [[ - struct mystruct s; - s.m1 = 1; s.m2 = 2; - ]] - )], - [ - AC_MSG_RESULT([yes]) - AC_DEFINE([HAVE_ANONYMOUS_UNION_SUPPORT], [], [Compiler supports anonymous unions]) - ], - [AC_MSG_RESULT([no])] -) saved_LDFLAGS="$LDFLAGS" LDFLAGS="$LDFLAGS -Wl,--wrap=exit" diff --git a/src/openvpn/mroute.h b/src/openvpn/mroute.h index bc58493..8b457d4 100644 --- a/src/openvpn/mroute.h +++ b/src/openvpn/mroute.h 
@@ -96,17 +96,7 @@ uint8_t prefix[12]; in_addr_t addr; /* _network order_ IPv4 address */ } v4mappedv6; -} -#ifndef HAVE_ANONYMOUS_UNION_SUPPORT -/* Wrappers to support compilers that do not grok anonymous unions */ -mroute_union -#define raw_addr mroute_union.raw_addr -#define ether mroute_union.ether -#define v4 mroute_union.v4 -#define v6 mroute_union.v6 -#define v4mappedv6 mroute_union.v4mappedv6 -#endif -; +}; }; /* Double-check that struct packing works as expected */ -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/588?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I1ef5f6f21f0135a628a63553c39515fa4549ce87 Gerrit-Change-Number: 588 Gerrit-PatchSet: 4 Gerrit-Owner: plaisthos Gerrit-Reviewer: flichtenheld Gerrit-CC: openvpn-devel Gerrit-MessageType: merged ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
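Review bot: the configure.ac hunk deletes the only place that verified anonymous union support, and the mroute.h hunk makes the union unconditionally anonymous, so the build now depends on a C11 (or GNU/MSVC extension) compiler without saying so anywhere; configure.ac or the commit message should state the minimum C standard explicitly, and an explicit standard check in configure.ac would turn a cryptic compile error in mroute.h into a clear configure-time message. The config.h.cmake.in hunk shows the CMake build already hard-coded HAVE_ANONYMOUS_UNION_SUPPORT, so the autoconf path was the only one ever testing this; a sentence to that effect in the commit message would explain why the removal is safe.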
[Openvpn-devel] [S] Change in openvpn[master]: Remove check for anonymous unions from configure and cmake config
cron2 has uploaded a new patch set (#4) to the change originally created by plaisthos. ( http://gerrit.openvpn.net/c/openvpn/+/588?usp=email ) The following approvals got outdated and were removed: Code-Review+2 by flichtenheld Change subject: Remove check for anonymous unions from configure and cmake config .. Remove check for anonymous unions from configure and cmake config Anonymous unions/structs are technically a custom GNU C99 feature but was already widely supported by other compilers. With C11 this feature has become a standard feature so all compilers nowadays support it. Change-Id: I1ef5f6f21f0135a628a63553c39515fa4549ce87 Signed-off-by: Arne Schwabe Acked-by: Frank Lichtenheld Message-Id: <20240710160238.190189-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28914.html Signed-off-by: Gert Doering --- M config.h.cmake.in M configure.ac M src/openvpn/mroute.h 3 files changed, 1 insertion(+), 36 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/88/588/4 diff --git a/config.h.cmake.in b/config.h.cmake.in index 720d679..18af5e9 100644 --- a/config.h.cmake.in +++ b/config.h.cmake.in @@ -65,9 +65,6 @@ /* Enable --x509-username-field feature */ #cmakedefine ENABLE_X509ALTUSERNAME -/* Compiler supports anonymous unions */ -#define HAVE_ANONYMOUS_UNION_SUPPORT - /* Define to 1 if you have the header file. */ #cmakedefine HAVE_ARPA_INET_H 1 diff --git a/configure.ac b/configure.ac index 9e569bf..9bc15c8 100644 --- a/configure.ac +++ b/configure.ac 
@@ -564,28 +564,6 @@ , [[${SOCKET_INCLUDES}]] ) -AC_MSG_CHECKING([anonymous union support]) -AC_COMPILE_IFELSE( - [AC_LANG_PROGRAM( - [[ - struct mystruct { - union { - int m1; - char m2; - }; - }; - ]], - [[ - struct mystruct s; - s.m1 = 1; s.m2 = 2; - ]] - )], - [ - AC_MSG_RESULT([yes]) - AC_DEFINE([HAVE_ANONYMOUS_UNION_SUPPORT], [], [Compiler supports anonymous unions]) - ], - [AC_MSG_RESULT([no])] -) saved_LDFLAGS="$LDFLAGS" LDFLAGS="$LDFLAGS -Wl,--wrap=exit" diff --git a/src/openvpn/mroute.h b/src/openvpn/mroute.h index bc58493..8b457d4 100644 --- a/src/openvpn/mroute.h +++ b/src/openvpn/mroute.h @@ -96,17 +96,7 @@ uint8_t prefix[12]; in_addr_t addr; /* _network order_ IPv4 address */ } v4mappedv6; -} -#ifndef HAVE_ANONYMOUS_UNION_SUPPORT -/* Wrappers to support compilers that do not grok anonymous unions */ -mroute_union -#define raw_addr mroute_union.raw_addr -#define ether mroute_union.ether -#define v4 mroute_union.v4 -#define v6 mroute_union.v6 -#define v4mappedv6 mroute_union.v4mappedv6 -#endif -; +}; }; /* Double-check that struct packing works as expected */ -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/588?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I1ef5f6f21f0135a628a63553c39515fa4549ce87 Gerrit-Change-Number: 588 Gerrit-PatchSet: 4 Gerrit-Owner: plaisthos Gerrit-Reviewer: flichtenheld Gerrit-CC: openvpn-devel Gerrit-MessageType: newpatchset ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
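Review bot: the removed `#define raw_addr`, `#define ether`, `#define v4`, `#define v6` and `#define v4mappedv6` wrappers in the mroute.h hunk were plain textual macros, so on a compiler without anonymous union support they would have rewritten any identifier with those names in every translation unit that includes mroute.h; dropping them is a correctness and readability win beyond build simplification and deserves a mention in the commit message.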
[Openvpn-devel] [XS] Change in openvpn[master]: tun: removed unnecessary route installations
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/731?usp=email ) Change subject: tun: removed unnecessary route installations .. tun: removed unnecessary route installations Removed superfluous calls to 'add_route_ipv6' for adding ipv6 routes after tun opening in OpenBSD, NetBSD and Darwin. Change-Id: I235891212b15277349810913c9c1763da5c48587 Signed-off-by: Marco Baffo Acked-by: Gert Doering Message-Id: <20240912142421.703-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29217.html Signed-off-by: Gert Doering --- M src/openvpn/tun.c 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/src/openvpn/tun.c b/src/openvpn/tun.c index 739e008..82c5c00 100644 --- a/src/openvpn/tun.c +++ b/src/openvpn/tun.c @@ -1008,8 +1008,7 @@ #endif /* ifdef _WIN32 */ } -#if defined(_WIN32)\ -|| defined(TARGET_DARWIN) || defined(TARGET_NETBSD) || defined(TARGET_OPENBSD) +#if defined(_WIN32) /* some of the platforms will auto-add a "network route" pointing * to the interface on "ifconfig tunX 2001:db8::1/64", others need 
@@ -1200,11 +1199,6 @@ "FreeBSD BSD 'ifconfig inet6 -ifdisabled' failed"); #endif -#if defined(TARGET_OPENBSD) || defined(TARGET_NETBSD) \ -|| defined(TARGET_DARWIN) -/* and, hooray, we explicitly need to add a route... */ -add_route_connected_v6_net(tt, es); -#endif #elif defined(TARGET_AIX) argv_printf(&argv, "%s %s inet6 %s/%d mtu %d up", IFCONFIG_PATH, ifname, ifconfig_ipv6_local, tt->netbits_ipv6, tun_mtu); -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/731?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I235891212b15277349810913c9c1763da5c48587 Gerrit-Change-Number: 731 Gerrit-PatchSet: 4 Gerrit-Owner: mrbff Gerrit-Reviewer: cron2 Gerrit-Reviewer: flichtenheld Gerrit-Reviewer: plaisthos Gerrit-CC: openvpn-devel Gerrit-MessageType: merged ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
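Review bot: the commit message says superfluous calls to 'add_route_ipv6' were removed, but the function deleted in the second hunk is add_route_connected_v6_net(tt, es); the message should name the function actually removed so that git log and the code agree when someone later searches for this change.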
[Openvpn-devel] [XS] Change in openvpn[master]: tun: removed unnecessary route installations
cron2 has uploaded a new patch set (#4) to the change originally created by mrbff. ( http://gerrit.openvpn.net/c/openvpn/+/731?usp=email ) The following approvals got outdated and were removed: Code-Review+2 by cron2 Change subject: tun: removed unnecessary route installations .. tun: removed unnecessary route installations Removed superfluous calls to 'add_route_ipv6' for adding ipv6 routes after tun opening in OpenBSD, NetBSD and Darwin. Change-Id: I235891212b15277349810913c9c1763da5c48587 Signed-off-by: Marco Baffo Acked-by: Gert Doering Message-Id: <20240912142421.703-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29217.html Signed-off-by: Gert Doering --- M src/openvpn/tun.c 1 file changed, 1 insertion(+), 7 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/31/731/4 diff --git a/src/openvpn/tun.c b/src/openvpn/tun.c index 739e008..82c5c00 100644 --- a/src/openvpn/tun.c +++ b/src/openvpn/tun.c @@ -1008,8 +1008,7 @@ #endif /* ifdef _WIN32 */ } -#if defined(_WIN32)\ -|| defined(TARGET_DARWIN) || defined(TARGET_NETBSD) || defined(TARGET_OPENBSD) +#if defined(_WIN32) /* some of the platforms will auto-add a "network route" pointing * to the interface on "ifconfig tunX 2001:db8::1/64", others need 
@@ -1200,11 +1199,6 @@ "FreeBSD BSD 'ifconfig inet6 -ifdisabled' failed"); #endif -#if defined(TARGET_OPENBSD) || defined(TARGET_NETBSD) \ -|| defined(TARGET_DARWIN) -/* and, hooray, we explicitly need to add a route... */ -add_route_connected_v6_net(tt, es); -#endif #elif defined(TARGET_AIX) argv_printf(&argv, "%s %s inet6 %s/%d mtu %d up", IFCONFIG_PATH, ifname, ifconfig_ipv6_local, tt->netbits_ipv6, tun_mtu); -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/731?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I235891212b15277349810913c9c1763da5c48587 Gerrit-Change-Number: 731 Gerrit-PatchSet: 4 Gerrit-Owner: mrbff Gerrit-Reviewer: cron2 Gerrit-Reviewer: flichtenheld Gerrit-Reviewer: plaisthos Gerrit-CC: openvpn-devel Gerrit-MessageType: newpatchset ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
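Review bot: after the first hunk the preprocessor guard covers only _WIN32, yet the comment that follows it still reads "some of the platforms will auto-add a "network route" ... others need", which now describes platforms no longer in the block; the comment should be reduced to the Windows case so it does not mislead the next reader into re-adding the BSD/Darwin branch.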
[Openvpn-devel] [XS] Change in openvpn[master]: tun: removed unnecessary route installations
Attention is currently required from: flichtenheld, mrbff, plaisthos.

cron2 has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/731?usp=email )

Change subject: tun: removed unnecessary route installations
..

Patch Set 3: Code-Review+2

(1 comment)

Patchset:

PS3:
So, since I'm the one that wrote the original code, I went out to thoroughly test this ("our buildbots succeed" is, unfortunately, not completely indicative, as I push an encompassing /48 route - so even if the /64 fails to get installed, things would still work).

Test with t_client setup + added "--route-nopull" so you'll only get the connected routes, and then see if the server tun/tap IPv6 address still pings.

NetBSD: without the patch, error message on "route add"; with the patch, everything works - no error messages anymore.

OpenBSD: no error message, just a double connected /64 route with different flags (UCn vs. UGS). With the patch, everything works, no double routes.

MacOS (13.6.7): similar to NetBSD - without the patch, error message on "route add"; with the patch, everything works.

Could not test TAP mode, as system security gets in the way.

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/731?usp=email
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I235891212b15277349810913c9c1763da5c48587
Gerrit-Change-Number: 731
Gerrit-PatchSet: 3
Gerrit-Owner: mrbff
Gerrit-Reviewer: cron2
Gerrit-Reviewer: flichtenheld
Gerrit-Reviewer: plaisthos
Gerrit-CC: openvpn-devel
Gerrit-Attention: plaisthos
Gerrit-Attention: flichtenheld
Gerrit-Attention: mrbff
Gerrit-Comment-Date: Thu, 12 Sep 2024 14:23:52 +
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment
[Openvpn-devel] [XS] Change in openvpn[master]: GHA: Update dependency Mbed-TLS/mbedtls to v3.6.1
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/741?usp=email ) Change subject: GHA: Update dependency Mbed-TLS/mbedtls to v3.6.1 .. GHA: Update dependency Mbed-TLS/mbedtls to v3.6.1 Requires submodule checkout. Change-Id: I86ceceb4e1c716b33c6c6ec8853eca0fb4b394f1 Signed-off-by: Frank Lichtenheld Acked-by: Arne Schwabe Message-Id: <20240911144231.32553-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29208.html Signed-off-by: Gert Doering --- M .github/workflows/build.yaml 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 6207c95..8f0a7b5 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -404,9 +404,10 @@ uses: actions/checkout@v4 with: path: mbedtls + submodules: true # versioning=semver-coerced repository: Mbed-TLS/mbedtls - ref: v3.5.2 + ref: v3.6.1 - name: "mbedtls: make no_test" run: make -j3 no_test SHARED=1 working-directory: mbedtls -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/741?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I86ceceb4e1c716b33c6c6ec8853eca0fb4b394f1 Gerrit-Change-Number: 741 Gerrit-PatchSet: 2 Gerrit-Owner: flichtenheld Gerrit-Reviewer: plaisthos Gerrit-CC: openvpn-devel Gerrit-MessageType: merged ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
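Review bot: with `submodules: true` the job now fetches and builds whatever the Mbed-TLS/mbedtls submodule pointers reference, while `ref: v3.6.1` pins a tag, which upstream can move, rather than an immutable commit; pinning the commit SHA would ensure the checked-out tree cannot change without a visible diff in this file, and the `# versioning=semver-coerced` hint shows the ref is already maintained by automation, which can bump a SHA as easily as a tag.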
[Openvpn-devel] [XS] Change in openvpn[master]: GHA: Update dependency Mbed-TLS/mbedtls to v3.6.1
cron2 has uploaded a new patch set (#2) to the change originally created by flichtenheld. ( http://gerrit.openvpn.net/c/openvpn/+/741?usp=email ) The following approvals got outdated and were removed: Code-Review+2 by plaisthos Change subject: GHA: Update dependency Mbed-TLS/mbedtls to v3.6.1 .. GHA: Update dependency Mbed-TLS/mbedtls to v3.6.1 Requires submodule checkout. Change-Id: I86ceceb4e1c716b33c6c6ec8853eca0fb4b394f1 Signed-off-by: Frank Lichtenheld Acked-by: Arne Schwabe Message-Id: <20240911144231.32553-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29208.html Signed-off-by: Gert Doering --- M .github/workflows/build.yaml 1 file changed, 2 insertions(+), 1 deletion(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/41/741/2 diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 6207c95..8f0a7b5 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -404,9 +404,10 @@ uses: actions/checkout@v4 with: path: mbedtls + submodules: true # versioning=semver-coerced repository: Mbed-TLS/mbedtls - ref: v3.5.2 + ref: v3.6.1 - name: "mbedtls: make no_test" run: make -j3 no_test SHARED=1 working-directory: mbedtls -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/741?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I86ceceb4e1c716b33c6c6ec8853eca0fb4b394f1 Gerrit-Change-Number: 741 Gerrit-PatchSet: 2 Gerrit-Owner: flichtenheld Gerrit-Reviewer: plaisthos Gerrit-CC: openvpn-devel Gerrit-MessageType: newpatchset ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
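Review bot: actions/checkout treats `submodules: true` as a non-recursive checkout; if the submodule added for v3.6.1 itself nests further submodules, `make -j3 no_test SHARED=1` will fail on the missing tree and `submodules: recursive` is needed instead. The commit message's "Requires submodule checkout" would be more useful if it said which submodule is needed and why this version requires it.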
[Openvpn-devel] [M] Change in openvpn[master]: dco-win: factor out getting dco version info own function
Attention is currently required from: flichtenheld, plaisthos, stipa.

cron2 has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/733?usp=email )

Change subject: dco-win: factor out getting dco version info own function
..

Patch Set 2: Code-Review+2

(1 comment)

Patchset:

PS2:
Looks good to me. Will process after the meetup when the prerequisite patches are merged.

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/733?usp=email
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I8e8ddd35bd3cc3334faf7f57118d1892512ae9f7
Gerrit-Change-Number: 733
Gerrit-PatchSet: 2
Gerrit-Owner: stipa
Gerrit-Reviewer: cron2
Gerrit-Reviewer: flichtenheld
Gerrit-Reviewer: plaisthos
Gerrit-CC: openvpn-devel
Gerrit-Attention: plaisthos
Gerrit-Attention: flichtenheld
Gerrit-Attention: stipa
Gerrit-Comment-Date: Wed, 11 Sep 2024 13:19:53 +
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment
[Openvpn-devel] [S] Change in openvpn[master]: Do not stop reading from file/uri when OPENSSL_STORE_load() returns e...
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/742?usp=email ) Change subject: Do not stop reading from file/uri when OPENSSL_STORE_load() returns error .. Do not stop reading from file/uri when OPENSSL_STORE_load() returns error OPENSSL_STORE_load() can error and return NULL even when the file or URI still has readable objects left. Fix by iterating until OPENSSL_STORE_eof(). Also clear such errors to avoid misleading messages printed at the end by crypto_print_openssl_errors(). Change-Id: I2bfa9ffbd17d0599014d38b2a2fd319766cdb1e3 Signed-off-by: Selva Nair Acked-by: Arne Schwabe Message-Id: <20240911104941.19429-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29187.html Signed-off-by: Gert Doering --- M src/openvpn/ssl_openssl.c 1 file changed, 42 insertions(+), 5 deletions(-) diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 0d845f4..5fd6572 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -813,6 +813,15 @@ } return 0; } + +static void +clear_ossl_store_error(OSSL_STORE_CTX *store_ctx) +{ +if (OSSL_STORE_error(store_ctx)) +{ +ERR_clear_error(); +} +} #endif /* defined(HAVE_OPENSSL_STORE_API) */ /** @@ -864,7 +873,19 @@ { goto end; } -info = OSSL_STORE_load(store_ctx); +while (1) +{ +info = OSSL_STORE_load(store_ctx); +if (info || OSSL_STORE_eof(store_ctx)) +{ +break; +} +/* OPENSSL_STORE_load can return error and still have usable objects to follow. + * ref: man OPENSSL_STORE_open + * Clear error and recurse through the file if info = NULL and eof not reached + */ +clear_ossl_store_error(store_ctx); +} if (!info) { goto end; 
@@ -1099,7 +1120,19 @@ goto end; } -info = OSSL_STORE_load(store_ctx); +while (1) +{ +info = OSSL_STORE_load(store_ctx); +if (info || OSSL_STORE_eof(store_ctx)) +{ +break; +} +/* OPENSSL_STORE_load can return error and still have usable objects to follow. + * ref: man OPENSSL_STORE_open + * Clear error and recurse through the file if info = NULL and eof not reached. + */ +clear_ossl_store_error(store_ctx); +} if (!info) { goto end; @@ -1120,9 +1153,14 @@ OSSL_STORE_INFO_free(info); /* iterate through the store and add extra certificates if any to the chain */ -info = OSSL_STORE_load(store_ctx); -while (info && !OSSL_STORE_eof(store_ctx)) +while (!OSSL_STORE_eof(store_ctx)) { +info = OSSL_STORE_load(store_ctx); +if (!info) +{ +clear_ossl_store_error(store_ctx); +continue; +} x = OSSL_STORE_INFO_get1_CERT(info); if (x && SSL_CTX_add_extra_chain_cert(tls_ctx->ctx, x) != 1) { @@ -1131,7 +1169,6 @@ break; } OSSL_STORE_INFO_free(info); -info = OSSL_STORE_load(store_ctx); } end: -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/742?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I2bfa9ffbd17d0599014d38b2a2fd319766cdb1e3 Gerrit-Change-Number: 742 Gerrit-PatchSet: 2 Gerrit-Owner: selvanair Gerrit-Reviewer: flichtenheld Gerrit-Reviewer: plaisthos Gerrit-CC: openvpn-devel Gerrit-MessageType: merged ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
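Review bot: the `while (1)` retry loop added in the second and third hunks is copied verbatim into two functions; a small static helper next to clear_ossl_store_error(), e.g. `static OSSL_STORE_INFO *ossl_store_load_next(OSSL_STORE_CTX *store_ctx)`, would keep the two copies from drifting. More importantly, the loop's only exits are a non-NULL info or OSSL_STORE_eof(), so if a loader ever returns NULL without raising a store error and without reaching EOF the loop spins forever; a bounded retry, or breaking out when OSSL_STORE_error() was not actually set, would be safer. Since clear_ossl_store_error() discards the error, consider logging it at debug level first so that a corrupt or unreadable object in the file is not skipped silently, and the comment should say "iterate through the file" rather than "recurse".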
[Openvpn-devel] [S] Change in openvpn[master]: Do not stop reading from file/uri when OPENSSL_STORE_load() returns e...
cron2 has uploaded a new patch set (#2) to the change originally created by selvanair. ( http://gerrit.openvpn.net/c/openvpn/+/742?usp=email ) The following approvals got outdated and were removed: Code-Review+2 by plaisthos Change subject: Do not stop reading from file/uri when OPENSSL_STORE_load() returns error .. Do not stop reading from file/uri when OPENSSL_STORE_load() returns error OPENSSL_STORE_load() can error and return NULL even when the file or URI still has readable objects left. Fix by iterating until OPENSSL_STORE_eof(). Also clear such errors to avoid misleading messages printed at the end by crypto_print_openssl_errors(). Change-Id: I2bfa9ffbd17d0599014d38b2a2fd319766cdb1e3 Signed-off-by: Selva Nair Acked-by: Arne Schwabe Message-Id: <20240911104941.19429-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29187.html Signed-off-by: Gert Doering --- M src/openvpn/ssl_openssl.c 1 file changed, 42 insertions(+), 5 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/42/742/2 diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 0d845f4..5fd6572 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -813,6 +813,15 @@ } return 0; } + +static void +clear_ossl_store_error(OSSL_STORE_CTX *store_ctx) +{ +if (OSSL_STORE_error(store_ctx)) +{ +ERR_clear_error(); +} +} #endif /* defined(HAVE_OPENSSL_STORE_API) */ /** @@ -864,7 +873,19 @@ { goto end; } -info = OSSL_STORE_load(store_ctx); +while (1) +{ +info = OSSL_STORE_load(store_ctx); +if (info || OSSL_STORE_eof(store_ctx)) +{ +break; +} +/* OPENSSL_STORE_load can return error and still have usable objects to follow. + * ref: man OPENSSL_STORE_open + * Clear error and recurse through the file if info = NULL and eof not reached + */ +clear_ossl_store_error(store_ctx); +} if (!info) { goto end; 
@@ -1099,7 +1120,19 @@ goto end; } -info = OSSL_STORE_load(store_ctx); +while (1) +{ +info = OSSL_STORE_load(store_ctx); +if (info || OSSL_STORE_eof(store_ctx)) +{ +break; +} +/* OPENSSL_STORE_load can return error and still have usable objects to follow. + * ref: man OPENSSL_STORE_open + * Clear error and recurse through the file if info = NULL and eof not reached. + */ +clear_ossl_store_error(store_ctx); +} if (!info) { goto end; @@ -1120,9 +1153,14 @@ OSSL_STORE_INFO_free(info); /* iterate through the store and add extra certificates if any to the chain */ -info = OSSL_STORE_load(store_ctx); -while (info && !OSSL_STORE_eof(store_ctx)) +while (!OSSL_STORE_eof(store_ctx)) { +info = OSSL_STORE_load(store_ctx); +if (!info) +{ +clear_ossl_store_error(store_ctx); +continue; +} x = OSSL_STORE_INFO_get1_CERT(info); if (x && SSL_CTX_add_extra_chain_cert(tls_ctx->ctx, x) != 1) { @@ -1131,7 +1169,6 @@ break; } OSSL_STORE_INFO_free(info); -info = OSSL_STORE_load(store_ctx); } end: -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/742?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I2bfa9ffbd17d0599014d38b2a2fd319766cdb1e3 Gerrit-Change-Number: 742 Gerrit-PatchSet: 2 Gerrit-Owner: selvanair Gerrit-Reviewer: flichtenheld Gerrit-Reviewer: plaisthos Gerrit-CC: openvpn-devel Gerrit-MessageType: newpatchset ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
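Review bot: the fourth hunk's `if (!info) { clear_ossl_store_error(store_ctx); continue; }` has the same unbounded-retry shape as the earlier loops and would benefit from the same guard. The surrounding context also shows a pre-existing leak this change does not introduce but now sits next to: on `SSL_CTX_add_extra_chain_cert(...) != 1` the loop does `break` before reaching `OSSL_STORE_INFO_free(info)`, so that info is never freed; a follow-up could free it before the break.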
[Openvpn-devel] [S] Change in openvpn[master]: generate_auth_token: simplify code
cron2 has uploaded a new patch set (#4) to the change originally created by flichtenheld. ( http://gerrit.openvpn.net/c/openvpn/+/310?usp=email ) The following approvals got outdated and were removed: Code-Review+2 by plaisthos Change subject: generate_auth_token: simplify code .. generate_auth_token: simplify code The previous code went through some hoops to avoid compiler warnings. But there is a much easier way by just telling it exactly what you want to do. Also fix typo in variable name while I'm here. Change-Id: Icc86334b26ba1fcc20f4cd03644018d1d16796e3 Signed-off-by: Frank Lichtenheld Acked-by: Arne Schwabe Message-Id: <20240910170005.5586-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29178.html Signed-off-by: Gert Doering --- M src/openvpn/auth_token.c 1 file changed, 5 insertions(+), 11 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/10/310/4 diff --git a/src/openvpn/auth_token.c b/src/openvpn/auth_token.c index c4b59b9..192c7c2 100644 --- a/src/openvpn/auth_token.c +++ b/src/openvpn/auth_token.c 
@@ -182,24 +182,18 @@ char *initial_token_copy = string_alloc(multi->auth_token_initial, &gc); char *old_sessid = initial_token_copy + strlen(SESSION_ID_PREFIX); -char *old_tsamp_initial = old_sessid + AUTH_TOKEN_SESSION_ID_LEN*8/6; +char *old_tstamp_initial = old_sessid + AUTH_TOKEN_SESSION_ID_LEN*8/6; /* * We null terminate the old token just after the session ID to let * our base64 decode function only decode the session ID */ -old_tsamp_initial[12] = '\0'; -ASSERT(openvpn_base64_decode(old_tsamp_initial, old_tstamp_decode, 9) == 9); +old_tstamp_initial[12] = '\0'; +ASSERT(openvpn_base64_decode(old_tstamp_initial, old_tstamp_decode, 9) == 9); -/* - * Avoid old gcc (4.8.x) complaining about strict aliasing - * by using a temporary variable instead of doing it in one - * line - */ -uint64_t *tstamp_ptr = (uint64_t *) old_tstamp_decode; -initial_timestamp = *tstamp_ptr; +memcpy(&initial_timestamp, &old_tstamp_decode, sizeof(initial_timestamp)); -old_tsamp_initial[0] = '\0'; +old_tstamp_initial[0] = '\0'; ASSERT(openvpn_base64_decode(old_sessid, sessid, AUTH_TOKEN_SESSION_ID_LEN) == AUTH_TOKEN_SESSION_ID_LEN); } else if (!rand_bytes(sessid, AUTH_TOKEN_SESSION_ID_LEN)) -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/310?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Icc86334b26ba1fcc20f4cd03644018d1d16796e3 Gerrit-Change-Number: 310 Gerrit-PatchSet: 4 Gerrit-Owner: flichtenheld Gerrit-Reviewer: plaisthos Gerrit-CC: openvpn-devel Gerrit-MessageType: newpatchset ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
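Review bot: in the memcpy line, `&old_tstamp_decode` takes the address of the whole array; it evaluates to the same address as `old_tstamp_decode` but has pointer-to-array type and reads as if a scalar were intended. Suggest `memcpy(&initial_timestamp, old_tstamp_decode, sizeof(initial_timestamp));`. The memcpy is the right replacement for the removed `(uint64_t *)` cast: it avoids the strict-aliasing problem the old comment worked around and keeps identical behaviour, including reading the timestamp in host byte order.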
[Openvpn-devel] [S] Change in openvpn[master]: generate_auth_token: simplify code
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/310?usp=email ) Change subject: generate_auth_token: simplify code .. generate_auth_token: simplify code The previous code went through some hoops to avoid compiler warnings. But there is a much easier way by just telling it exactly what you want to do. Also fix typo in variable name while I'm here. Change-Id: Icc86334b26ba1fcc20f4cd03644018d1d16796e3 Signed-off-by: Frank Lichtenheld Acked-by: Arne Schwabe Message-Id: <20240910170005.5586-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29178.html Signed-off-by: Gert Doering --- M src/openvpn/auth_token.c 1 file changed, 5 insertions(+), 11 deletions(-) diff --git a/src/openvpn/auth_token.c b/src/openvpn/auth_token.c index c4b59b9..192c7c2 100644 --- a/src/openvpn/auth_token.c +++ b/src/openvpn/auth_token.c 
@@ -182,24 +182,18 @@ char *initial_token_copy = string_alloc(multi->auth_token_initial, &gc); char *old_sessid = initial_token_copy + strlen(SESSION_ID_PREFIX); -char *old_tsamp_initial = old_sessid + AUTH_TOKEN_SESSION_ID_LEN*8/6; +char *old_tstamp_initial = old_sessid + AUTH_TOKEN_SESSION_ID_LEN*8/6; /* * We null terminate the old token just after the session ID to let * our base64 decode function only decode the session ID */ -old_tsamp_initial[12] = '\0'; -ASSERT(openvpn_base64_decode(old_tsamp_initial, old_tstamp_decode, 9) == 9); +old_tstamp_initial[12] = '\0'; +ASSERT(openvpn_base64_decode(old_tstamp_initial, old_tstamp_decode, 9) == 9); -/* - * Avoid old gcc (4.8.x) complaining about strict aliasing - * by using a temporary variable instead of doing it in one - * line - */ -uint64_t *tstamp_ptr = (uint64_t *) old_tstamp_decode; -initial_timestamp = *tstamp_ptr; +memcpy(&initial_timestamp, &old_tstamp_decode, sizeof(initial_timestamp)); -old_tsamp_initial[0] = '\0'; +old_tstamp_initial[0] = '\0'; ASSERT(openvpn_base64_decode(old_sessid, sessid, AUTH_TOKEN_SESSION_ID_LEN) == AUTH_TOKEN_SESSION_ID_LEN); } else if (!rand_bytes(sessid, AUTH_TOKEN_SESSION_ID_LEN)) -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/310?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Icc86334b26ba1fcc20f4cd03644018d1d16796e3 Gerrit-Change-Number: 310 Gerrit-PatchSet: 4 Gerrit-Owner: flichtenheld Gerrit-Reviewer: plaisthos Gerrit-CC: openvpn-devel Gerrit-MessageType: merged ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
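Review bot: The literals `12` in `old_tstamp_initial[12] = '\0';` and `9` in the decode call are coupled (12 base64 characters decode to 9 bytes), as is the `AUTH_TOKEN_SESSION_ID_LEN*8/6` offset above them; since this change already renames `old_tsamp_initial` to `old_tstamp_initial`, it would be a good moment to give the 12/9 pair named constants so the relationship is explicit rather than implied. The in-place `'\0'` writes are safe only because they hit the `string_alloc()` copy (`initial_token_copy`) rather than `multi->auth_token_initial`; the existing comment above the first write explains the truncation but not that it is done on a copy, which is worth adding.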
[Openvpn-devel] [M] Change in openvpn[master]: Various fixes for -Wconversion errors
cron2 has uploaded a new patch set (#7) to the change originally created by flichtenheld. ( http://gerrit.openvpn.net/c/openvpn/+/267?usp=email ) Change subject: Various fixes for -Wconversion errors .. Various fixes for -Wconversion errors These are all fixes I considered "safe". They either - Have sufficient checks/shifts for a cast to be safe - Fix the type of a variable without requiring code changes - Are in non-critical unittest code v2: - add min_size instead of abusing min_int v6: - remove change of return value of link_socket_write. Move to separate patch. Change-Id: I6818b153bdeb1eed65870af99b0531e95807fe0f Signed-off-by: Frank Lichtenheld Acked-by: Arne Schwabe Message-Id: <20240910122008.23507-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29172.html Signed-off-by: Gert Doering --- M src/openvpn/buffer.c M src/openvpn/crypto.c M src/openvpn/integer.h M src/openvpn/mss.c M src/openvpn/otime.c M src/openvpn/otime.h M src/openvpn/packet_id.c M src/openvpn/reliable.c M src/openvpn/tls_crypt.c M src/openvpn/xkey_helper.c M tests/unit_tests/openvpn/mock_get_random.c M tests/unit_tests/openvpn/test_crypto.c M tests/unit_tests/openvpn/test_packet_id.c M tests/unit_tests/openvpn/test_provider.c M tests/unit_tests/openvpn/test_tls_crypt.c 15 files changed, 48 insertions(+), 34 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/67/267/7 diff --git a/src/openvpn/buffer.c b/src/openvpn/buffer.c index abe6a9c..9ee76aa 100644 --- a/src/openvpn/buffer.c +++ b/src/openvpn/buffer.c @@ -326,7 +326,7 @@ return false; } -const int size = write(fd, BPTR(buf), BLEN(buf)); +const ssize_t size = write(fd, BPTR(buf), BLEN(buf)); if (size != BLEN(buf)) { msg(M_ERRNO, "Write error on file '%s'", filename); @@ -863,7 +863,7 @@ { break; } -line[n++] = c; +line[n++] = (char)c; } while (c); diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index c226727..12ad0b9 100644 --- a/src/openvpn/crypto.c 
+++ b/src/openvpn/crypto.c @@ -26,6 +26,8 @@ #include "config.h" #endif +#include + #include "syshead.h" #include @@ -1283,8 +1285,8 @@ hex_byte[hb_index++] = c; if (hb_index == 2) { -unsigned int u; -ASSERT(sscanf((const char *)hex_byte, "%x", &u) == 1); +uint8_t u; +ASSERT(sscanf((const char *)hex_byte, "%" SCNx8, &u) == 1); *out++ = u; hb_index = 0; if (++count == keylen) @@ -1546,13 +1548,13 @@ ASSERT(cipher_kt_key_size(kt->cipher) <= MAX_CIPHER_KEY_LENGTH && md_kt_size(kt->digest) <= MAX_HMAC_KEY_LENGTH); -const uint8_t cipher_length = cipher_kt_key_size(kt->cipher); +const uint8_t cipher_length = (uint8_t)cipher_kt_key_size(kt->cipher); if (!buf_write(buf, &cipher_length, 1)) { return false; } -uint8_t hmac_length = md_kt_size(kt->digest); +uint8_t hmac_length = (uint8_t)md_kt_size(kt->digest); if (!buf_write(buf, &hmac_length, 1)) { diff --git a/src/openvpn/integer.h b/src/openvpn/integer.h index a1acaf9..34088ab 100644 --- a/src/openvpn/integer.h +++ b/src/openvpn/integer.h @@ -28,12 +28,12 @@ #ifndef htonll #define htonll(x) ((1==htonl(1)) ? (x) : \ - ((uint64_t)htonl((x) & 0x) << 32) | htonl((x) >> 32)) + ((uint64_t)htonl((uint32_t)((x) & 0x)) << 32) | htonl((uint32_t)((x) >> 32))) #endif #ifndef ntohll #define ntohll(x) ((1==ntohl(1)) ? (x) : \ - ((uint64_t)ntohl((x) & 0x) << 32) | ntohl((x) >> 32)) + ((uint64_t)ntohl((uint32_t)((x) & 0x)) << 32) | ntohl((uint32_t)((x) >> 32))) #endif static inline int @@ -72,6 +72,19 @@ } } +static inline size_t +min_size(size_t x, size_t y) +{ +if (x < y) +{ +return x; +} +else +{ +return y; +} +} + static inline int max_int(int x, int y) { diff --git a/src/openvpn/mss.c b/src/openvpn/mss.c index 635557c..ebdec25 100644 --- a/src/openvpn/mss.c +++ b/src/openvpn/mss.c @@ -165,7 +165,7 @@ return; } -for (olen = hlen - sizeof(struct openvpn_tcphdr), +for (olen = hlen - (int) sizeof(struct openvpn_tcphdr), opt = (uint8_t *)(tc + 1); olen > 1; olen -= optlen, opt += optlen) 
diff --git a/src/openvpn/otime.c b/src/openvpn/otime.c index 3cde574..d77c99e 100644 --- a/src/openvpn/otime.c +++ b/src/openvpn/otime.c @@ -105,7 +105,7 @@ /* format a time_t as ascii, or use current time if 0 */ const char * -time_string(time_t t, int usec, bool show_usec, struct gc_arena *gc) +time_string(time_t t, long usec, bool
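Review bot: In the buffer.c hunks, `const ssize_t size = write(fd, BPTR(buf), BLEN(buf));` now matches the return type of `write()`, so a `-1` is preserved and `if (size != BLEN(buf))` still catches both short writes and errors without a signed/unsigned mismatch (both sides are signed). The second hunk's `line[n++] = (char)c;` silences the warning, but the cast is only safe if `c` is guaranteed to be a byte value and not `EOF` at that point; the `break` just above suggests a check exists, so it is worth confirming the condition covers `EOF` and not only `'\n'`/`'\0'` before relying on the truncation.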
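Review bot: The added `#include` line at the top of the crypto.c hunk has lost its header name in the archive; `SCNx8` is declared in `<inttypes.h>`, so that is the header this change must add for `"%" SCNx8` to compile. Changing `u` to `uint8_t` removes the silent narrowing in `*out++ = u;`, and it is correct here because `hb_index == 2` guarantees exactly two hex digits are scanned, so the value cannot exceed 255; that invariant should be kept in mind if `hex_byte` is ever widened. The `(uint8_t)` casts on `cipher_kt_key_size()` and `md_kt_size()` in the later hunk are justified by the `ASSERT` immediately above them only if `MAX_CIPHER_KEY_LENGTH` and `MAX_HMAC_KEY_LENGTH` are both at most 255; a `static_assert` (or at least a comment) stating that would make the safety of the cast visible at the point of use rather than relying on the reader checking the defines.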
[Openvpn-devel] [M] Change in openvpn[master]: Various fixes for -Wconversion errors
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/267?usp=email ) Change subject: Various fixes for -Wconversion errors .. Various fixes for -Wconversion errors These are all fixes I considered "safe". They either - Have sufficient checks/shifts for a cast to be safe - Fix the type of a variable without requiring code changes - Are in non-critical unittest code v2: - add min_size instead of abusing min_int v6: - remove change of return value of link_socket_write. Move to separate patch. Change-Id: I6818b153bdeb1eed65870af99b0531e95807fe0f Signed-off-by: Frank Lichtenheld Acked-by: Arne Schwabe Message-Id: <20240910122008.23507-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29172.html Signed-off-by: Gert Doering --- M src/openvpn/buffer.c M src/openvpn/crypto.c M src/openvpn/integer.h M src/openvpn/mss.c M src/openvpn/otime.c M src/openvpn/otime.h M src/openvpn/packet_id.c M src/openvpn/reliable.c M src/openvpn/tls_crypt.c M src/openvpn/xkey_helper.c M tests/unit_tests/openvpn/mock_get_random.c M tests/unit_tests/openvpn/test_crypto.c M tests/unit_tests/openvpn/test_packet_id.c M tests/unit_tests/openvpn/test_provider.c M tests/unit_tests/openvpn/test_tls_crypt.c 15 files changed, 48 insertions(+), 34 deletions(-) diff --git a/src/openvpn/buffer.c b/src/openvpn/buffer.c index abe6a9c..9ee76aa 100644 --- a/src/openvpn/buffer.c +++ b/src/openvpn/buffer.c @@ -326,7 +326,7 @@ return false; } -const int size = write(fd, BPTR(buf), BLEN(buf)); +const ssize_t size = write(fd, BPTR(buf), BLEN(buf)); if (size != BLEN(buf)) { msg(M_ERRNO, "Write error on file '%s'", filename); @@ -863,7 +863,7 @@ { break; } -line[n++] = c; +line[n++] = (char)c; } while (c); diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index c226727..12ad0b9 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c @@ -26,6 +26,8 @@ #include "config.h" #endif +#include + #include "syshead.h" #include 
@@ -1283,8 +1285,8 @@ hex_byte[hb_index++] = c; if (hb_index == 2) { -unsigned int u; -ASSERT(sscanf((const char *)hex_byte, "%x", &u) == 1); +uint8_t u; +ASSERT(sscanf((const char *)hex_byte, "%" SCNx8, &u) == 1); *out++ = u; hb_index = 0; if (++count == keylen) @@ -1546,13 +1548,13 @@ ASSERT(cipher_kt_key_size(kt->cipher) <= MAX_CIPHER_KEY_LENGTH && md_kt_size(kt->digest) <= MAX_HMAC_KEY_LENGTH); -const uint8_t cipher_length = cipher_kt_key_size(kt->cipher); +const uint8_t cipher_length = (uint8_t)cipher_kt_key_size(kt->cipher); if (!buf_write(buf, &cipher_length, 1)) { return false; } -uint8_t hmac_length = md_kt_size(kt->digest); +uint8_t hmac_length = (uint8_t)md_kt_size(kt->digest); if (!buf_write(buf, &hmac_length, 1)) { diff --git a/src/openvpn/integer.h b/src/openvpn/integer.h index a1acaf9..34088ab 100644 --- a/src/openvpn/integer.h +++ b/src/openvpn/integer.h @@ -28,12 +28,12 @@ #ifndef htonll #define htonll(x) ((1==htonl(1)) ? (x) : \ - ((uint64_t)htonl((x) & 0x) << 32) | htonl((x) >> 32)) + ((uint64_t)htonl((uint32_t)((x) & 0x)) << 32) | htonl((uint32_t)((x) >> 32))) #endif #ifndef ntohll #define ntohll(x) ((1==ntohl(1)) ? (x) : \ - ((uint64_t)ntohl((x) & 0x) << 32) | ntohl((x) >> 32)) + ((uint64_t)ntohl((uint32_t)((x) & 0x)) << 32) | ntohl((uint32_t)((x) >> 32))) #endif static inline int @@ -72,6 +72,19 @@ } } +static inline size_t +min_size(size_t x, size_t y) +{ +if (x < y) +{ +return x; +} +else +{ +return y; +} +} + static inline int max_int(int x, int y) { diff --git a/src/openvpn/mss.c b/src/openvpn/mss.c index 635557c..ebdec25 100644 --- a/src/openvpn/mss.c +++ b/src/openvpn/mss.c @@ -165,7 +165,7 @@ return; } -for (olen = hlen - sizeof(struct openvpn_tcphdr), +for (olen = hlen - (int) sizeof(struct openvpn_tcphdr), opt = (uint8_t *)(tc + 1); olen > 1; olen -= optlen, opt += optlen) diff --git a/src/openvpn/otime.c b/src/openvpn/otime.c index 3cde574..d77c99e 100644 --- a/src/openvpn/otime.c +++ b/src/openvpn/otime.c 
@@ -105,7 +105,7 @@ /* format a time_t as ascii, or use current time if 0 */ const char * -time_string(time_t t, int usec, bool show_usec, struct gc_arena *gc) +time_string(time_t t, long usec, bool show_usec, struct gc_arena *gc) { struct buffer out = alloc_buf_gc(64, gc); struct timeval tv; diff --git a/src/openv
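Review bot: In the integer.h `htonll`/`ntohll` hunk the mask literal is cut off in the archive (`0x)`), so its value cannot be reviewed here; assuming it is the low-32-bit mask, the added `(uint32_t)` casts correctly make the narrowing explicit before `htonl()`/`ntohl()`. The big-endian branch still returns `(x)` uncast, so the macro's result type depends on the argument type and callers should pass a `uint64_t`. For the new `min_size()`, it mirrors `min_int()` as the v2 note in the commit message says; a one-line comment on why a `size_t` variant is needed (to avoid casting `size_t` operands to `int`) would help the next person who wonders whether the two can be merged.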
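Review bot: In mss.c, `olen = hlen - (int) sizeof(struct openvpn_tcphdr)` is the right choice over changing `olen` to `size_t`: keeping the subtraction signed means a malformed `hlen` smaller than the header yields a negative `olen`, which the `olen > 1` loop guard rejects immediately, whereas an unsigned subtraction would wrap to a huge value and the option-walking loop would read past the packet. The `return;` just above the hunk presumably already bounds `hlen`, but the signed guard is the defence that holds if that check is ever weakened, so it deserves a short comment.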
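Review bot: Widening `usec` from `int` to `long` in `time_string()` aligns it with `struct timeval`'s `tv_usec`, whose type (`suseconds_t`) is signed and at least as wide as `int`. The matching prototype change in otime.h is in the file list but cut off in the archive, and any format directive used for `usec` inside the function must change from `%d` to `%ld` in the same patch, otherwise the conversion warning is traded for a format-string warning; please confirm that line was updated.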
[Openvpn-devel] [M] Change in openvpn[master]: Various fixes for -Wconversion errors
Attention is currently required from: flichtenheld. cron2 has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/267?usp=email ) Change subject: Various fixes for -Wconversion errors .. Patch Set 5: (2 comments) Patchset: PS5: I'll deal with it ASAP, but would ask you to look into link_socket_write*() as discussed on IRC. So yes it will make the patch larger, but if it makes things better aligned... File src/openvpn/socket.h: http://gerrit.openvpn.net/c/openvpn/+/267/comment/2bb2272e_c41da5d0 : PS5, Line 1184: static inline size_t this looks funny. `ssize_t` and keep the `-1`? (it's a whole call chain of `link_socket_write_*()` things, but somewhere underneath is a `write()` or `sendto()`, which both use `ssize_t`) -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/267?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I6818b153bdeb1eed65870af99b0531e95807fe0f Gerrit-Change-Number: 267 Gerrit-PatchSet: 5 Gerrit-Owner: flichtenheld Gerrit-Reviewer: plaisthos Gerrit-CC: cron2 Gerrit-CC: openvpn-devel Gerrit-Attention: flichtenheld Gerrit-Comment-Date: Tue, 10 Sep 2024 10:56:14 + Gerrit-HasComments: Yes Gerrit-Has-Labels: No Gerrit-MessageType: comment
[Openvpn-devel] [M] Change in openvpn[master]: dco-win: factor out getting dco version info own function
Attention is currently required from: flichtenheld, plaisthos, stipa. cron2 has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/733?usp=email ) Change subject: dco-win: factor out getting dco version info own function .. Patch Set 1: (5 comments) Patchset: PS1: Overall the factoring-out looks good, but there's one textual change that I find to be "less clear now", and a few remarks. File src/openvpn/dco_win.c: http://gerrit.openvpn.net/c/openvpn/+/733/comment/728ea9f7_3e755e74 : PS1, Line 102: msg(D_DCO_DEBUG, "dco data_v3: %d", dco->supports_data_v3); I think keeping the "supports" here (= not changing the text) would ease understanding of the logs. http://gerrit.openvpn.net/c/openvpn/+/733/comment/69aa1495_3d39dec2 : PS1, Line 474: ZeroMemory(&version, sizeof(version)); `CLEAR(version)` exists (if you change this line anyway). Or just zeroize on assign `OVPN_VERSION = {0}`? http://gerrit.openvpn.net/c/openvpn/+/733/comment/4fdb9c97_bc7702f6 : PS1, Line 481: return BSTR(&out); technically this does something else if no DCO driver can be found - the old code returns "N/A", the new code returns "0.0.0". Is this intentional? 
http://gerrit.openvpn.net/c/openvpn/+/733/comment/bd3ba22f_ce91aaf0 : PS1, Line 562: dco_get_version(&version); see above wrt `CLEAR()` or `= {0}` -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/733?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I8e8ddd35bd3cc3334faf7f57118d1892512ae9f7 Gerrit-Change-Number: 733 Gerrit-PatchSet: 1 Gerrit-Owner: stipa Gerrit-Reviewer: flichtenheld Gerrit-Reviewer: plaisthos Gerrit-CC: cron2 Gerrit-CC: openvpn-devel Gerrit-Attention: plaisthos Gerrit-Attention: flichtenheld Gerrit-Attention: stipa Gerrit-Comment-Date: Mon, 09 Sep 2024 14:30:15 + Gerrit-HasComments: Yes Gerrit-Has-Labels: No Gerrit-MessageType: comment
[Openvpn-devel] [M] Change in openvpn[master]: Ensures all params are ready before invoking dco_set_peer()
cron2 has uploaded a new patch set (#6) to the change originally created by its_Giaan. ( http://gerrit.openvpn.net/c/openvpn/+/587?usp=email ) The following approvals got outdated and were removed: Code-Review+2 by stipa, Code-Review-1 by cron2 Change subject: Ensures all params are ready before invoking dco_set_peer() .. Ensures all params are ready before invoking dco_set_peer() In UDP case, on a p2mp server, dco_set_peer() is currently called at the wrong time since the mssfix param is calculated later on in tls_session_update_crypto_params_do_work(). Move the dco_set_peer() inside tls_session_update_crypto_params_do_work(), and remove p2p_set_dco_keepalive() to avoid calling dco_set_peer() twice on the client side. This way, we'll ensure that all crypto and frame params are properly initialized and if an update occurs DCO will be notified. Change-Id: Ic8538e734dba53cd43fead3961e4401c8037e079 Signed-off-by: Gianmarco De Gregori Acked-by: Lev Stipakov Message-Id: <20240906145745.67596-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29086.html Signed-off-by: Gert Doering --- M src/openvpn/init.c M src/openvpn/multi.c M src/openvpn/ssl.c M src/openvpn/ssl.h 4 files changed, 34 insertions(+), 49 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/87/587/6 diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 4f63346..dd56961 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c 
@@ -2178,27 +2178,6 @@ || !memcmp(a, &zero, sizeof(struct sha256_digest)); } -static bool -p2p_set_dco_keepalive(struct context *c) -{ -if (dco_enabled(&c->options) -&& (c->options.ping_send_timeout || c->c2.frame.mss_fix)) -{ -int ret = dco_set_peer(&c->c1.tuntap->dco, - c->c2.tls_multi->dco_peer_id, - c->options.ping_send_timeout, - c->options.ping_rec_timeout, - c->c2.frame.mss_fix); -if (ret < 0) -{ -msg(D_DCO, "Cannot set parameters for DCO peer (id=%u): %s", -c->c2.tls_multi->dco_peer_id, strerror(-ret)); -return false; -} -} -return true; -} - /** * Helper function for tls_print_deferred_options_results * Adds the ", " delimitor if there already some data in the @@ -2363,7 +2342,8 @@ if (!tls_session_update_crypto_params(c->c2.tls_multi, session, &c->options, &c->c2.frame, frame_fragment, - get_link_socket_info(c))) + get_link_socket_info(c), + &c->c1.tuntap->dco)) { msg(D_TLS_ERRORS, "OPTIONS ERROR: failed to import crypto options"); return false; @@ -2472,12 +2452,6 @@ } } -if (c->mode == MODE_POINT_TO_POINT && !p2p_set_dco_keepalive(c)) -{ -msg(D_TLS_ERRORS, "ERROR: Failed to apply DCO keepalive or MSS fix parameters"); -return false; -} - if (c->c2.did_open_tun) { c->c1.pulled_options_digest_save = c->c2.pulled_options_digest; @@ -2582,7 +2556,8 @@ if (!tls_session_update_crypto_params(c->c2.tls_multi, session, &c->options, &c->c2.frame, frame_fragment, - get_link_socket_info(c))) + get_link_socket_info(c), + &c->c1.tuntap->dco)) { msg(D_TLS_ERRORS, "ERROR: failed to set crypto cipher"); return false; diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index 03177bb..0509911 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c 
@@ -2364,21 +2364,6 @@ return false; } -if (mi->context.options.ping_send_timeout || mi->context.c2.frame.mss_fix) -{ -ret = dco_set_peer(&mi->context.c1.tuntap->dco, - mi->context.c2.tls_multi->dco_peer_id, - mi->context.options.ping_send_timeout, - mi->context.options.ping_rec_timeout, - mi->context.c2.frame.mss_fix); -if (ret < 0) -{ -msg(D_DCO, "Cannot set DCO peer parameters for %s (id=%u): %s", -multi_instance_string(mi, false, gc), -mi->context.c2.tls_multi->dco_peer_id, strerror(-ret)); -return false; -} -} return true; } @@ -2398,7 +2383,8 @@ struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE]; if (!tls_session_update_crypto_params(c->c2.tls_multi, session, &c->options, &c->
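Review bot: The removed `p2p_set_dco_keepalive()` in init.c carried three things that do not appear in the visible hunks: the `dco_enabled(&c->options)` guard, the `ping_send_timeout || mss_fix` condition, and the `strerror(-ret)` error log. They must now live in `tls_session_update_crypto_params_do_work()` in ssl.c (not shown); please confirm the guard is still there, since without it a non-DCO build path would call into DCO. Separately, both call sites now evaluate `&c->c1.tuntap->dco` unconditionally, whereas the old code only touched `c->c1.tuntap` when DCO was enabled; if `c->c1.tuntap` can be NULL at either site (the second is the re-import path after a restart), forming that address is undefined behaviour even if the callee never dereferences it, so either document that `tuntap` is always set here or pass `c->c1.tuntap ? &c->c1.tuntap->dco : NULL`.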
[Openvpn-devel] [M] Change in openvpn[master]: Ensures all params are ready before invoking dco_set_peer()
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/587?usp=email ) Change subject: Ensures all params are ready before invoking dco_set_peer() .. Ensures all params are ready before invoking dco_set_peer() In UDP case, on a p2mp server, dco_set_peer() is currently called at the wrong time since the mssfix param is calculated later on in tls_session_update_crypto_params_do_work(). Move the dco_set_peer() inside tls_session_update_crypto_params_do_work(), and remove p2p_set_dco_keepalive() to avoid calling dco_set_peer() twice on the client side. This way, we'll ensure that all crypto and frame params are properly initialized and if an update occurs DCO will be notified. Change-Id: Ic8538e734dba53cd43fead3961e4401c8037e079 Signed-off-by: Gianmarco De Gregori Acked-by: Lev Stipakov Message-Id: <20240906145745.67596-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29086.html Signed-off-by: Gert Doering --- M src/openvpn/init.c M src/openvpn/multi.c M src/openvpn/ssl.c M src/openvpn/ssl.h 4 files changed, 34 insertions(+), 49 deletions(-) diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 4f63346..dd56961 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -2178,27 +2178,6 @@ || !memcmp(a, &zero, sizeof(struct sha256_digest)); } -static bool -p2p_set_dco_keepalive(struct context *c) -{ -if (dco_enabled(&c->options) -&& (c->options.ping_send_timeout || c->c2.frame.mss_fix)) -{ -int ret = dco_set_peer(&c->c1.tuntap->dco, - c->c2.tls_multi->dco_peer_id, - c->options.ping_send_timeout, - c->options.ping_rec_timeout, - c->c2.frame.mss_fix); -if (ret < 0) -{ -msg(D_DCO, "Cannot set parameters for DCO peer (id=%u): %s", -c->c2.tls_multi->dco_peer_id, strerror(-ret)); -return false; -} -} -return true; -} - /** * Helper function for tls_print_deferred_options_results * Adds the ", " delimitor if there already some data in the 
@@ -2363,7 +2342,8 @@ if (!tls_session_update_crypto_params(c->c2.tls_multi, session, &c->options, &c->c2.frame, frame_fragment, - get_link_socket_info(c))) + get_link_socket_info(c), + &c->c1.tuntap->dco)) { msg(D_TLS_ERRORS, "OPTIONS ERROR: failed to import crypto options"); return false; @@ -2472,12 +2452,6 @@ } } -if (c->mode == MODE_POINT_TO_POINT && !p2p_set_dco_keepalive(c)) -{ -msg(D_TLS_ERRORS, "ERROR: Failed to apply DCO keepalive or MSS fix parameters"); -return false; -} - if (c->c2.did_open_tun) { c->c1.pulled_options_digest_save = c->c2.pulled_options_digest; @@ -2582,7 +2556,8 @@ if (!tls_session_update_crypto_params(c->c2.tls_multi, session, &c->options, &c->c2.frame, frame_fragment, - get_link_socket_info(c))) + get_link_socket_info(c), + &c->c1.tuntap->dco)) { msg(D_TLS_ERRORS, "ERROR: failed to set crypto cipher"); return false; diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index 03177bb..0509911 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -2364,21 +2364,6 @@ return false; } -if (mi->context.options.ping_send_timeout || mi->context.c2.frame.mss_fix) -{ -ret = dco_set_peer(&mi->context.c1.tuntap->dco, - mi->context.c2.tls_multi->dco_peer_id, - mi->context.options.ping_send_timeout, - mi->context.options.ping_rec_timeout, - mi->context.c2.frame.mss_fix); -if (ret < 0) -{ -msg(D_DCO, "Cannot set DCO peer parameters for %s (id=%u): %s", -multi_instance_string(mi, false, gc), -mi->context.c2.tls_multi->dco_peer_id, strerror(-ret)); -return false; -} -} return true; } @@ -2398,7 +2383,8 @@ struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE]; if (!tls_session_update_crypto_params(c->c2.tls_multi, session, &c->options, &c->c2.frame, frame_fragment, - get_link_socket_info(c))) + get_link_socket_info(c), + &c->c1.tuntap->dco))
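Review bot: Removing the `dco_set_peer()` block in multi.c drops the only visible assignment to `ret` in that function; if nothing else writes it, the now set-but-unused declaration should be deleted in the same change to avoid a new warning. The deleted server-side message also included `multi_instance_string(mi, false, gc)`, which tied a failed `dco_set_peer()` to a specific client instance; the replacement in ssl.c presumably logs from the tls_multi context, so check that the new message still carries at least the peer-id so an operator can correlate the failure with a particular peer.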
[Openvpn-devel] [M] Change in openvpn[master]: Ensures all params are ready before invoking dco_set_peer()
Attention is currently required from: flichtenheld, its_Giaan, plaisthos. cron2 has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/587?usp=email ) Change subject: Ensures all params are ready before invoking dco_set_peer() .. Patch Set 5: (1 comment) File src/openvpn/ssl.c: http://gerrit.openvpn.net/c/openvpn/+/587/comment/d42a3650_bc1c9ab6 : PS5, Line 1639: * keepalive and mss_fix are properly set. */ this comment needs to be corrected (if we do another round anyway, otherwise I'll do this on-commit) - the comment says "AND", the code says "OR"... -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/587?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Ic8538e734dba53cd43fead3961e4401c8037e079 Gerrit-Change-Number: 587 Gerrit-PatchSet: 5 Gerrit-Owner: its_Giaan Gerrit-Reviewer: cron2 Gerrit-Reviewer: flichtenheld Gerrit-Reviewer: plaisthos Gerrit-Reviewer: stipa Gerrit-CC: openvpn-devel Gerrit-Attention: plaisthos Gerrit-Attention: its_Giaan Gerrit-Attention: flichtenheld Gerrit-Comment-Date: Mon, 09 Sep 2024 10:46:43 + Gerrit-HasComments: Yes Gerrit-Has-Labels: No Gerrit-MessageType: comment
[Openvpn-devel] [M] Change in openvpn[master]: Ensures all params are ready before invoking dco_set_peer()
Attention is currently required from: flichtenheld, its_Giaan, plaisthos. cron2 has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/587?usp=email ) Change subject: Ensures all params are ready before invoking dco_set_peer() .. Patch Set 5: Code-Review-1 (1 comment) Patchset: PS5: I'm not sure the patch is actually fixing the problematic behaviour ("not updating mssfix correctly on pushed values"). If I run the code with `--tun-mtu 500` on the command line (proto UDP, IPv4), I see ``` 2024-09-09 12:36:53 us=890850 dco_set_peer: peer-id 0, keepalive 10/30, mss 460 ``` which sounds reasonable. if I run with `--tun-mtu 1500` locally, and the server pushes `--tun-mtu 1400`, I get ``` 2024-09-09 12:37:43 us=641363 net_iface_mtu_set: mtu 1400 for tun7 2024-09-09 12:37:43 us=642421 Data Channel MTU parms [ mss_fix:1400 max_frag:0 tun_mtu:1400 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ] 2024-09-09 12:37:43 us=642891 dco_set_peer: peer-id 1, keepalive 10/30, mss 1400 ``` which is not what I'd expect - but it is the same behaviour as "without this patch". So, to proceed here, I need instructions for "how to demonstrate the problem", which actually see a change in behaviour with the patch... 
-- To view, visit http://gerrit.openvpn.net/c/openvpn/+/587?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Ic8538e734dba53cd43fead3961e4401c8037e079 Gerrit-Change-Number: 587 Gerrit-PatchSet: 5 Gerrit-Owner: its_Giaan Gerrit-Reviewer: cron2 Gerrit-Reviewer: flichtenheld Gerrit-Reviewer: plaisthos Gerrit-Reviewer: stipa Gerrit-CC: openvpn-devel Gerrit-Attention: plaisthos Gerrit-Attention: its_Giaan Gerrit-Attention: flichtenheld Gerrit-Comment-Date: Mon, 09 Sep 2024 10:45:48 + Gerrit-HasComments: Yes Gerrit-Has-Labels: Yes Gerrit-MessageType: comment
[Openvpn-devel] [M] Change in openvpn[master]: tun: use is_tun_p2p more consistently
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/380?usp=email ) Change subject: tun: use is_tun_p2p more consistently .. tun: use is_tun_p2p more consistently Using "tun" as the variable name for the return of is_tun_p2p is probably a historical accident. But it has actual consequences in that the other code often seems to assume that it does less checks than it actually does. Use "tun_p2p" as the variable name and remove checks that are not required. Also use is_tun_p2p in more places. Change-Id: Ice8b95f953c3f7e71657a78ea12b02a08c60aa67 Signed-off-by: Frank Lichtenheld Acked-by: Arne Schwabe Message-Id: <20240906162514.78671-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29091.html Signed-off-by: Gert Doering --- M src/openvpn/tun.c 1 file changed, 48 insertions(+), 72 deletions(-) diff --git a/src/openvpn/tun.c b/src/openvpn/tun.c index ce3d882..739e008 100644 --- a/src/openvpn/tun.c +++ b/src/openvpn/tun.c 
@@ -499,31 +499,31 @@ static const char ifconfig_warn_how_to_silence[] = "(silence this warning with --ifconfig-nowarn)"; /* - * If !tun, make sure ifconfig_remote_netmask looks + * If !tun_p2p, make sure ifconfig_remote_netmask looks * like a netmask. * - * If tun, make sure ifconfig_remote_netmask looks + * If tun_p2p, make sure ifconfig_remote_netmask looks * like an IPv4 address. */ static void -ifconfig_sanity_check(bool tun, in_addr_t addr, int topology) +ifconfig_sanity_check(bool tun_p2p, in_addr_t addr) { struct gc_arena gc = gc_new(); const bool looks_like_netmask = ((addr & 0xFF00) == 0xFF00); -if (tun) +if (tun_p2p) { -if (looks_like_netmask && (topology == TOP_NET30 || topology == TOP_P2P)) +if (looks_like_netmask) { msg(M_WARN, "WARNING: Since you are using --dev tun with a point-to-point topology, the second argument to --ifconfig must be an IP address. You are using something (%s) that looks more like a netmask. %s", print_in_addr_t(addr, 0, &gc), ifconfig_warn_how_to_silence); } } -else /* tap */ +else { if (!looks_like_netmask) { -msg(M_WARN, "WARNING: Since you are using --dev tap, the second argument to --ifconfig must be a netmask, for example something like 255.255.255.0. %s", +msg(M_WARN, "WARNING: Since you are using subnet topology, the second argument to --ifconfig must be a netmask, for example something like 255.255.255.0. %s", ifconfig_warn_how_to_silence); } } @@ -667,13 +667,13 @@ struct buffer out = alloc_buf_gc(256, gc); if (tt->did_ifconfig_setup && !disable) { -if (tt->type == DEV_TYPE_TAP || (tt->type == DEV_TYPE_TUN && tt->topology == TOP_SUBNET)) +if (!is_tun_p2p(tt)) { buf_printf(&out, "%s %s", print_in_addr_t(tt->local & tt->remote_netmask, 0, gc), print_in_addr_t(tt->remote_netmask, 0, gc)); } -else if (tt->type == DEV_TYPE_TUN) +else if (tt->type == DEV_TYPE_TUN) /* tun p2p topology */ { const char *l, *r; if (remote) 
@@ -737,24 +737,24 @@ bool is_tun_p2p(const struct tuntap *tt) { -bool tun = false; +bool tun_p2p = false; if (tt->type == DEV_TYPE_TAP || (tt->type == DEV_TYPE_TUN && tt->topology == TOP_SUBNET) || tt->type == DEV_TYPE_NULL) { -tun = false; +tun_p2p = false; } else if (tt->type == DEV_TYPE_TUN) { -tun = true; +tun_p2p = true; } else { msg(M_FATAL, "Error: problem with tun vs. tap setting"); /* JYFIXME -- needs to be caught earlier, in init_tun? */ } -return tun; +return tun_p2p; } /* @@ -831,12 +831,10 @@ if (ifconfig_local_parm && ifconfig_remote_netmask_parm) { -bool tun = false; - /* * We only handle TUN/TAP devices here, not --dev null devices. */ -tun = is_tun_p2p(tt); +bool tun_p2p = is_tun_p2p(tt); /* * Convert arguments to binary IPv4 addresses. @@ -853,7 +851,7 @@ NULL); tt->remote_netmask = getaddr( -(tun ? GETADDR_RESOLVE : 0) +(tun_p2p ? GETADDR_RESOLVE : 0) | GETADDR_HOST_ORDER | GETADDR_FATAL_ON_SIGNAL | GETADDR_FATAL, @@ -868,7 +866,7 @@ if (strict_warn) { struct addrinfo *curele; -ifconfig_sanity_check(tt->type == DEV_TYPE_TUN, tt->remote_netmask, tt->topology); +ifconfig_sanity_check(tun_p2p, tt->remote_netmask); /* * If local_public or remote_public addresses are defined, @@ -899,11 +897,11 @@ }
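Review bot: In `ifconfig_sanity_check()` the `else` branch is now reached whenever `is_tun_p2p()` returns false, which per the hunk at line 737 covers `DEV_TYPE_TAP` and `DEV_TYPE_NULL` as well as `DEV_TYPE_TUN` with `TOP_SUBNET`; the new warning text "Since you are using subnet topology" is therefore misleading for a `--dev tap` user who passes a non-netmask second argument. Consider wording it as "--dev tap or subnet topology", or keeping a `tt->type` check just for the message. Dropping the `topology` parameter is otherwise sound, because `is_tun_p2p()` already folds `TOP_SUBNET` into the false case, so the old `(topology == TOP_NET30 || topology == TOP_P2P)` test was redundant. In the hunk at line 667, `else if (tt->type == DEV_TYPE_TUN) /* tun p2p topology */` following `if (!is_tun_p2p(tt))` can only be false after `is_tun_p2p()` has already hit `M_FATAL`, so a plain `else` with the same comment would state the intent more directly.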
[Openvpn-devel] [M] Change in openvpn[master]: tun: use is_tun_p2p more consistently
cron2 has uploaded a new patch set (#9) to the change originally created by flichtenheld. ( http://gerrit.openvpn.net/c/openvpn/+/380?usp=email ) The following approvals got outdated and were removed: Code-Review+2 by plaisthos Change subject: tun: use is_tun_p2p more consistently .. tun: use is_tun_p2p more consistently Using "tun" as the variable name for the return of is_tun_p2p is probably a historical accident. But it has actual consequences in that the other code often seems to assume that it does less checks than it actually does. Use "tun_p2p" as the variable name and remove checks that are not required. Also use is_tun_p2p in more places. Change-Id: Ice8b95f953c3f7e71657a78ea12b02a08c60aa67 Signed-off-by: Frank Lichtenheld Acked-by: Arne Schwabe Message-Id: <20240906162514.78671-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29091.html Signed-off-by: Gert Doering --- M src/openvpn/tun.c 1 file changed, 48 insertions(+), 72 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/80/380/9 diff --git a/src/openvpn/tun.c b/src/openvpn/tun.c index ce3d882..739e008 100644 --- a/src/openvpn/tun.c +++ b/src/openvpn/tun.c 
@@ -499,31 +499,31 @@ static const char ifconfig_warn_how_to_silence[] = "(silence this warning with --ifconfig-nowarn)"; /* - * If !tun, make sure ifconfig_remote_netmask looks + * If !tun_p2p, make sure ifconfig_remote_netmask looks * like a netmask. * - * If tun, make sure ifconfig_remote_netmask looks + * If tun_p2p, make sure ifconfig_remote_netmask looks * like an IPv4 address. */ static void -ifconfig_sanity_check(bool tun, in_addr_t addr, int topology) +ifconfig_sanity_check(bool tun_p2p, in_addr_t addr) { struct gc_arena gc = gc_new(); const bool looks_like_netmask = ((addr & 0xFF00) == 0xFF00); -if (tun) +if (tun_p2p) { -if (looks_like_netmask && (topology == TOP_NET30 || topology == TOP_P2P)) +if (looks_like_netmask) { msg(M_WARN, "WARNING: Since you are using --dev tun with a point-to-point topology, the second argument to --ifconfig must be an IP address. You are using something (%s) that looks more like a netmask. %s", print_in_addr_t(addr, 0, &gc), ifconfig_warn_how_to_silence); } } -else /* tap */ +else { if (!looks_like_netmask) { -msg(M_WARN, "WARNING: Since you are using --dev tap, the second argument to --ifconfig must be a netmask, for example something like 255.255.255.0. %s", +msg(M_WARN, "WARNING: Since you are using subnet topology, the second argument to --ifconfig must be a netmask, for example something like 255.255.255.0. %s", ifconfig_warn_how_to_silence); } } @@ -667,13 +667,13 @@ struct buffer out = alloc_buf_gc(256, gc); if (tt->did_ifconfig_setup && !disable) { -if (tt->type == DEV_TYPE_TAP || (tt->type == DEV_TYPE_TUN && tt->topology == TOP_SUBNET)) +if (!is_tun_p2p(tt)) { buf_printf(&out, "%s %s", print_in_addr_t(tt->local & tt->remote_netmask, 0, gc), print_in_addr_t(tt->remote_netmask, 0, gc)); } -else if (tt->type == DEV_TYPE_TUN) +else if (tt->type == DEV_TYPE_TUN) /* tun p2p topology */ { const char *l, *r; if (remote) 
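Review bot: the else branch of `ifconfig_sanity_check()` is reached for `--dev tap` and for `DEV_TYPE_NULL` as well as for tun with subnet topology, so the new text `Since you are using subnet topology, the second argument to --ifconfig must be a netmask` is wrong for a tap user who never set a topology; the old text only covered tap, the new one only covers subnet. Suggest `Since you are using --dev tap or --topology subnet, the second argument to --ifconfig must be a netmask, ...`. Two smaller points in the same region: in the `@@ -667` hunk, `else if (tt->type == DEV_TYPE_TUN) /* tun p2p topology */` follows `if (!is_tun_p2p(tt))`, and `is_tun_p2p()` only returns true for `DEV_TYPE_TUN`, so that condition cannot be false there; a plain `else` with the comment says the same without inviting the reader to look for a third case. And the unchanged context line `const bool looks_like_netmask = ((addr & 0xFF00) == 0xFF00);` as rendered here masks bits 8 to 15 rather than the top octet; if that is how it reads in the tree it is a pre-existing bug worth a follow-up, if the zeros were lost in rendering ignore this.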
@@ -737,24 +737,24 @@ bool is_tun_p2p(const struct tuntap *tt) { -bool tun = false; +bool tun_p2p = false; if (tt->type == DEV_TYPE_TAP || (tt->type == DEV_TYPE_TUN && tt->topology == TOP_SUBNET) || tt->type == DEV_TYPE_NULL) { -tun = false; +tun_p2p = false; } else if (tt->type == DEV_TYPE_TUN) { -tun = true; +tun_p2p = true; } else { msg(M_FATAL, "Error: problem with tun vs. tap setting"); /* JYFIXME -- needs to be caught earlier, in init_tun? */ } -return tun; +return tun_p2p; } /* @@ -831,12 +831,10 @@ if (ifconfig_local_parm && ifconfig_remote_netmask_parm) { -bool tun = false; - /* * We only handle TUN/TAP devices here, not --dev null devices. */ -tun = is_tun_p2p(tt); +bool tun_p2p = is_tun_p2p(tt); /* * Convert arguments to binary IPv4 addresses. @@ -853,7 +851,7 @@ NULL); tt->remote_netmask = getaddr( -(tun ? GETADDR_RESOLVE : 0) +(tun_p2p ? GETADDR_RESOLVE : 0) | GETADDR_HOST_ORDER | GETADDR_FATAL_ON_SIGNAL | GETADDR_FATAL, @@ -868,7 +866,7 @@ if (strict_warn) { struct addrinfo *curele; -ifconfig_sanity_check(tt->type == DEV_TYPE_TUN, tt->remote_netmask,
[Openvpn-devel] [S] Change in openvpn[master]: Add test for static-challenge concatenation option
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/666?usp=email ) Change subject: Add test for static-challenge concatenation option .. Add test for static-challenge concatenation option Change-Id: I41f6c1f7acb58f30fc4db0e32505018f64fcad28 Signed-off-by: Selva Nair Acked-by: Arne Schwabe Acked-by: Frank Lichtenheld Message-Id: <20240830141824.108599-1-selva.n...@gmail.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29054.html Signed-off-by: Gert Doering --- M tests/unit_tests/openvpn/test_user_pass.c 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/tests/unit_tests/openvpn/test_user_pass.c b/tests/unit_tests/openvpn/test_user_pass.c index 4dc4b83..620542d 100644 --- a/tests/unit_tests/openvpn/test_user_pass.c +++ b/tests/unit_tests/openvpn/test_user_pass.c 
@@ -326,7 +326,25 @@ reset_user_pass(&up); -flags |= GET_USER_PASS_INLINE_CREDS; +flags |= GET_USER_PASS_STATIC_CHALLENGE_CONCAT; + +expect_string(query_user_exec_builtin, query_user[i].prompt, "Enter UT Username:"); +will_return(query_user_exec_builtin, "c1user"); +expect_string(query_user_exec_builtin, query_user[i].prompt, "Enter UT Password:"); +will_return(query_user_exec_builtin, "c1password"); +will_return(query_user_exec_builtin, true); +expect_string(query_user_exec_builtin, query_user[i].prompt, "CHALLENGE: Please enter token PIN"); +will_return(query_user_exec_builtin, "0123456"); +will_return(query_user_exec_builtin, true); +assert_true(get_user_pass_cr(&up, NULL, "UT", flags, challenge)); +assert_true(up.defined); +assert_string_equal(up.username, "c1user"); +/* password and response concatenated */ +assert_string_equal(up.password, "c1password0123456"); + +reset_user_pass(&up); + +flags = GET_USER_PASS_STATIC_CHALLENGE|GET_USER_PASS_INLINE_CREDS; /*FIXME: query_user_exec() called even though nothing queued */ will_return(query_user_exec_builtin, true); -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/666?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I41f6c1f7acb58f30fc4db0e32505018f64fcad28 Gerrit-Change-Number: 666 Gerrit-PatchSet: 2 Gerrit-Owner: selvanair Gerrit-Reviewer: flichtenheld Gerrit-Reviewer: plaisthos Gerrit-CC: openvpn-devel Gerrit-MessageType: merged ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
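Review bot: the new case only covers the happy path of `GET_USER_PASS_STATIC_CHALLENGE_CONCAT`. The concatenated string `c1password0123456` has to fit in `up.password`, and nothing here pins down what `get_user_pass_cr()` does when password plus response exceed that buffer (truncate silently, or fail and leave `up.defined` false); add a second case with an over-long response and assert the intended outcome, since a silently truncated credential is the failure mode concat introduces over SCRV1. Minor: the case inherits `flags` from the preceding block via `|=`, so it only exercises concat if `GET_USER_PASS_STATIC_CHALLENGE` was still set above; assigning `flags` explicitly, as the closing `flags = GET_USER_PASS_STATIC_CHALLENGE|GET_USER_PASS_INLINE_CREDS;` does, would make the case self-contained. The leading zero in `0123456` is a good choice, as it shows the response is handled as a string and not a number.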
[Openvpn-devel] [M] Change in openvpn[master]: Static-challenge concatenation option
cron2 has uploaded a new patch set (#4) to the change originally created by selvanair. ( http://gerrit.openvpn.net/c/openvpn/+/665?usp=email ) The following approvals got outdated and were removed: Code-Review+2 by flichtenheld Change subject: Static-challenge concatenation option .. Static-challenge concatenation option Extend "--static-challenge" option to take a third argument (= scrv1 or concat) to specify that the password and response should be concatenated instead of using the SCRV1 protocol. If unspecified, it defaults to "scrv1" meaning that the SCRV1 protocol should be used. v2: use scrv1|concat instead of 0|1 as option argument fix typos v3: improve and correct documentation in management-notes.txt Change-Id: I59a90446bfe73d8856516025a58a6f62cc98ab0d Signed-off-by: Selva Nair Acked-by: Frank Lichtenheld Message-Id: <20240719131407.75746-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28943.html Signed-off-by: Gert Doering --- M doc/man-sections/client-options.rst M doc/management-notes.txt M src/openvpn/manage.c M src/openvpn/misc.c M src/openvpn/misc.h M src/openvpn/options.c M src/openvpn/ssl.c 7 files changed, 70 insertions(+), 20 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/65/665/4 diff --git a/doc/man-sections/client-options.rst b/doc/man-sections/client-options.rst index b75fe5b..a06948e 100644 --- a/doc/man-sections/client-options.rst +++ b/doc/man-sections/client-options.rst 
@@ -541,12 +541,15 @@ Valid syntax: :: - static-challenge text echo + static-challenge text echo [format] The ``text`` challenge text is presented to the user which describes what information is requested. The ``echo`` flag indicates if the user's input should be echoed on the screen. Valid ``echo`` values are - :code:`0` or :code:`1`. + :code:`0` or :code:`1`. The optional ``format`` indicates whether + the password and response should be combined using the SCRV1 protocol + (``format`` = :code:`scrv1`) or simply concatenated (``format`` = :code:`concat`). + :code:`scrv1` is the default. See management-notes.txt in the OpenVPN distribution for a description of the OpenVPN challenge/response protocol. diff --git a/doc/management-notes.txt b/doc/management-notes.txt index b9947fa..b55135a 100644 --- a/doc/management-notes.txt +++ b/doc/management-notes.txt @@ -1320,14 +1320,20 @@ OpenVPN's --static-challenge option is used to provide the challenge text to OpenVPN and indicate whether or not the response -should be echoed. +should be echoed and how the response should be combined with the +password. When credentials are needed and the --static-challenge option is used, the management interface will send: - >PASSWORD:Need 'Auth' username/password SC:, + >PASSWORD:Need 'Auth' username/password SC:, - ECHO: "1" if response should be echoed, "0" to not echo + flag: an integer whose least significant bit is the ECHO flag and +the next significant bit is the FORMAT flag. +ECHO = (flag & 0x1) is 1 if response should be echoed, 0 to not echo +FORMAT = (flag & 0x2) is 1 if response should be concatenated with +password as plain text, 0 if response and password should be encoded +as described below. Thus flag could take values 0, 1, 2, or 3. TEXT: challenge text that should be shown to the user to facilitate their response 
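Review bot: in the `@@ -1320` hunk, `FORMAT = (flag & 0x2) is 1 if response should be concatenated` is not literally true: `flag & 0x2` evaluates to 2 when the bit is set, and a client author who compares it with 1 will always end up in SCRV1 mode. Write `FORMAT = (flag & 0x2) != 0` or `(flag >> 1) & 0x1`, matching the way ECHO is stated. The same hunk turns a field that was documented as `"1"` or `"0"` into an integer 0..3, so it should also say what an existing management client that only knows the ECHO flag will do with `2` or `3`: if it treats anything but `1` as no-echo and always answers in SCRV1 form, a `--static-challenge ... concat` configuration will fail authentication with that client. The man page text in the `@@ -541` hunk could carry the same caveat in one sentence: `concat` needs a management client or GUI that understands the FORMAT flag.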
@@ -1342,8 +1348,9 @@ The management interface client in this case should add the static challenge text to the auth dialog followed by a field for the user to -enter a response. Then the management interface client should pack the -password and response together into an encoded password and send: +enter a response. If flag = 0 or 1 (i.e., FORMAT=0), the management +interface client should pack the password and response together into +an encoded password and send: username "Auth" password "Auth" "SCRV1::" @@ -1354,6 +1361,12 @@ the user. The and/or the can be empty strings. +If flag = 2 or 3 (i.e., FORMAT=1), the client should simply concatenate +password and response with no separator and send: + + username "Auth" + password "Auth" "" + (As in all username/password responses described in the "COMMAND -- password and username" section above, the username can be in quotes, and special characters such as double quotes or backslashes must be @@ -1361,10 +1374,15 @@ For example, if user "foo" entered "bar" as the password and 8675309 as the PIN, the following management interface commands should be -issued: +issued if flag = 0 or 1 (i.e., FORMAT = 0): username "Auth" foo password "Auth" "SCRV1:YmFy:ODY3NTMwOQ==" ("YmFy" is the base 64 encoding of "bar" and "ODY3NTMwOQ==" is the base 64 encoding of "8675309".) + +or, if flag = 2 or 3 (i.e., FORMAT = 1): + + username "Auth" foo + password "Auth" "bar8675309"
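Review bot: the `@@ -1354` hunk should point out that with FORMAT=1 the raw response is embedded in the quoted password string, so the escaping rule for double quotes and backslashes quoted just below now applies to the user's response as well; with SCRV1 the base64 encoding made that moot. It is also worth one sentence in the `@@ -1361` example that concat gives the receiving side no separator at all: the server or auth plugin must know the response length (or the password length) to split `bar8675309` back into `bar` and `8675309`, which is why `scrv1` stays the default and `concat` is only appropriate for backends that expect password and token as one string.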
[Openvpn-devel] [M] Change in openvpn[master]: Static-challenge concatenation option
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/665?usp=email ) Change subject: Static-challenge concatenation option .. Static-challenge concatenation option Extend "--static-challenge" option to take a third argument (= scrv1 or concat) to specify that the password and response should be concatenated instead of using the SCRV1 protocol. If unspecified, it defaults to "scrv1" meaning that the SCRV1 protocol should be used. v2: use scrv1|concat instead of 0|1 as option argument fix typos v3: improve and correct documentation in management-notes.txt Change-Id: I59a90446bfe73d8856516025a58a6f62cc98ab0d Signed-off-by: Selva Nair Acked-by: Frank Lichtenheld Message-Id: <20240719131407.75746-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28943.html Signed-off-by: Gert Doering --- M doc/man-sections/client-options.rst M doc/management-notes.txt M src/openvpn/manage.c M src/openvpn/misc.c M src/openvpn/misc.h M src/openvpn/options.c M src/openvpn/ssl.c 7 files changed, 70 insertions(+), 20 deletions(-) diff --git a/doc/man-sections/client-options.rst b/doc/man-sections/client-options.rst index b75fe5b..a06948e 100644 --- a/doc/man-sections/client-options.rst +++ b/doc/man-sections/client-options.rst @@ -541,12 +541,15 @@ Valid syntax: :: - static-challenge text echo + static-challenge text echo [format] The ``text`` challenge text is presented to the user which describes what information is requested. The ``echo`` flag indicates if the user's input should be echoed on the screen. Valid ``echo`` values are - :code:`0` or :code:`1`. + :code:`0` or :code:`1`. The optional ``format`` indicates whether + the password and response should be combined using the SCRV1 protocol + (``format`` = :code:`scrv1`) or simply concatenated (``format`` = :code:`concat`). + :code:`scrv1` is the default. See management-notes.txt in the OpenVPN distribution for a description of the OpenVPN challenge/response protocol. 
diff --git a/doc/management-notes.txt b/doc/management-notes.txt index b9947fa..b55135a 100644 --- a/doc/management-notes.txt +++ b/doc/management-notes.txt @@ -1320,14 +1320,20 @@ OpenVPN's --static-challenge option is used to provide the challenge text to OpenVPN and indicate whether or not the response -should be echoed. +should be echoed and how the response should be combined with the +password. When credentials are needed and the --static-challenge option is used, the management interface will send: - >PASSWORD:Need 'Auth' username/password SC:, + >PASSWORD:Need 'Auth' username/password SC:, - ECHO: "1" if response should be echoed, "0" to not echo + flag: an integer whose least significant bit is the ECHO flag and +the next significant bit is the FORMAT flag. +ECHO = (flag & 0x1) is 1 if response should be echoed, 0 to not echo +FORMAT = (flag & 0x2) is 1 if response should be concatenated with +password as plain text, 0 if response and password should be encoded +as described below. Thus flag could take values 0, 1, 2, or 3. TEXT: challenge text that should be shown to the user to facilitate their response @@ -1342,8 +1348,9 @@ The management interface client in this case should add the static challenge text to the auth dialog followed by a field for the user to -enter a response. Then the management interface client should pack the -password and response together into an encoded password and send: +enter a response. If flag = 0 or 1 (i.e., FORMAT=0), the management +interface client should pack the password and response together into +an encoded password and send: username "Auth" password "Auth" "SCRV1::" 
@@ -1354,6 +1361,12 @@ the user. The and/or the can be empty strings. +If flag = 2 or 3 (i.e., FORMAT=1), the client should simply concatenate +password and response with no separator and send: + + username "Auth" + password "Auth" "" + (As in all username/password responses described in the "COMMAND -- password and username" section above, the username can be in quotes, and special characters such as double quotes or backslashes must be @@ -1361,10 +1374,15 @@ For example, if user "foo" entered "bar" as the password and 8675309 as the PIN, the following management interface commands should be -issued: +issued if flag = 0 or 1 (i.e., FORMAT = 0): username "Auth" foo password "Auth" "SCRV1:YmFy:ODY3NTMwOQ==" ("YmFy" is the base 64 encoding of "bar" and "ODY3NTMwOQ==" is the base 64 encoding of "8675309".) + +or, if flag = 2 or 3 (i.e., FORMAT = 1): + + username "Auth" foo + password "Auth" "bar8675309" diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c index 24f3121..05b5a1a 100644 --- a/src/openvpn/manage.c +++ b/src/openvpn/manage.c @@ -3544,7 +3544,8 @@ if (sc) { buf_pri
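As an added illustration of the protocol described in the management-notes.txt changes quoted above (this is example code, not OpenVPN's own and not part of the patch series), here is both ends in Python: the client parses the `>PASSWORD:... SC:<flag>,<text>` notification, tests the ECHO and FORMAT bits, and builds the reply in SCRV1 or concatenated form with the quoting the management interface requires; the receiving-side helpers show what each format leaves for whoever has to split the string again. The regex and helper names are this example's own, and `split_concat()` assumes a backend that knows the response length (a fixed-length token code), which is not something the protocol itself provides.

```python
"""Static-challenge handling for an OpenVPN management-interface client.

Added example (not OpenVPN code): the client side parses the
  >PASSWORD:Need 'Auth' username/password SC:<flag>,<text>
notification, tests the ECHO (bit 0) and FORMAT (bit 1) flags, and builds
the reply either as SCRV1:<b64(password)>:<b64(response)> or as the plain
concatenation password+response.  The receiving-side helpers show what each
format leaves for whoever has to split the string again.
"""
import base64
import re

ECHO_BIT = 0x1    # response may be echoed on screen
FORMAT_BIT = 0x2  # clear: SCRV1 encoding, set: plain concatenation

# Regex for the notification line; the group names are this example's own.
_SC_NOTIFY = re.compile(
    r"^>PASSWORD:Need '(?P<auth>[^']+)' username/password "
    r"SC:(?P<flag>\d+),(?P<text>.*)$"
)


def parse_static_challenge(line):
    """Return (auth_type, echo, concat, challenge_text) for an SC: notification."""
    m = _SC_NOTIFY.match(line)
    if m is None:
        raise ValueError("not a static-challenge notification: %r" % line)
    flag = int(m.group("flag"))
    if flag & ~(ECHO_BIT | FORMAT_BIT):
        # Refuse rather than guess: an unknown bit means a newer daemon.
        raise ValueError("unknown static-challenge flag bits in %d" % flag)
    # Test the bit, never compare with 1: flag & 0x2 is 2 when FORMAT is set.
    return (m.group("auth"), bool(flag & ECHO_BIT),
            bool(flag & FORMAT_BIT), m.group("text"))


def quote_mgmt(s):
    """Quote a string for the management interface: backslash and double quote are escaped."""
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


def _b64(s):
    return base64.b64encode(s.encode("utf-8")).decode("ascii")


def combine(password, response, concat):
    """Combine password and challenge response the way the daemon expects."""
    if concat:
        return password + response  # no separator at all
    return "SCRV1:%s:%s" % (_b64(password), _b64(response))


def build_reply(auth_type, username, password, response, concat):
    """The two commands the client sends back after the user answered."""
    # With concat the raw response ends up inside the quoted string, so the
    # escaping in quote_mgmt() matters for it too; SCRV1's base64 sidesteps that.
    return [
        "username %s %s" % (quote_mgmt(auth_type), quote_mgmt(username)),
        "password %s %s" % (quote_mgmt(auth_type),
                            quote_mgmt(combine(password, response, concat))),
    ]


def split_scrv1(combined):
    """Receiving side: recover (password, response) from an SCRV1 string.

    Either part may be empty; "SCRV1::" is valid."""
    prefix, pw_b64, resp_b64 = combined.split(":", 2)
    if prefix != "SCRV1":
        raise ValueError("not an SCRV1 credential")
    return (base64.b64decode(pw_b64, validate=True).decode("utf-8"),
            base64.b64decode(resp_b64, validate=True).decode("utf-8"))


def split_concat(combined, response_len):
    """Receiving side for concat: there is no separator, so the backend has to
    know the response length (assumed here: a fixed-length token code)."""
    if response_len < 0 or len(combined) < response_len:
        raise ValueError("credential shorter than the expected response")
    cut = len(combined) - response_len
    return combined[:cut], combined[cut:]


if __name__ == "__main__":
    # Constructed notification, as the daemon would send it for
    # --static-challenge "Please enter token PIN" 1 concat  (flag 3 = ECHO|FORMAT)
    notify = ">PASSWORD:Need 'Auth' username/password SC:3,Please enter token PIN"
    auth, echo, concat, text = parse_static_challenge(notify)
    for cmd in build_reply(auth, "foo", "bar", "8675309", concat):
        print(cmd)
```

Run as a script it prints the two commands for the documented example with the concat flag set; with flag 0 or 1 the same input yields the `SCRV1:YmFy:ODY3NTMwOQ==` form from the notes.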
[Openvpn-devel] [S] Change in openvpn[master]: Add test for static-challenge concatenation option
cron2 has uploaded a new patch set (#2) to the change originally created by selvanair. ( http://gerrit.openvpn.net/c/openvpn/+/666?usp=email ) The following approvals got outdated and were removed: Code-Review+2 by flichtenheld, Code-Review+2 by plaisthos Change subject: Add test for static-challenge concatenation option .. Add test for static-challenge concatenation option Change-Id: I41f6c1f7acb58f30fc4db0e32505018f64fcad28 Signed-off-by: Selva Nair Acked-by: Arne Schwabe Acked-by: Frank Lichtenheld Message-Id: <20240830141824.108599-1-selva.n...@gmail.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29054.html Signed-off-by: Gert Doering --- M tests/unit_tests/openvpn/test_user_pass.c 1 file changed, 19 insertions(+), 1 deletion(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/66/666/2 diff --git a/tests/unit_tests/openvpn/test_user_pass.c b/tests/unit_tests/openvpn/test_user_pass.c index 4dc4b83..620542d 100644 --- a/tests/unit_tests/openvpn/test_user_pass.c +++ b/tests/unit_tests/openvpn/test_user_pass.c 
@@ -326,7 +326,25 @@ reset_user_pass(&up); -flags |= GET_USER_PASS_INLINE_CREDS; +flags |= GET_USER_PASS_STATIC_CHALLENGE_CONCAT; + +expect_string(query_user_exec_builtin, query_user[i].prompt, "Enter UT Username:"); +will_return(query_user_exec_builtin, "c1user"); +expect_string(query_user_exec_builtin, query_user[i].prompt, "Enter UT Password:"); +will_return(query_user_exec_builtin, "c1password"); +will_return(query_user_exec_builtin, true); +expect_string(query_user_exec_builtin, query_user[i].prompt, "CHALLENGE: Please enter token PIN"); +will_return(query_user_exec_builtin, "0123456"); +will_return(query_user_exec_builtin, true); +assert_true(get_user_pass_cr(&up, NULL, "UT", flags, challenge)); +assert_true(up.defined); +assert_string_equal(up.username, "c1user"); +/* password and response concatenated */ +assert_string_equal(up.password, "c1password0123456"); + +reset_user_pass(&up); + +flags = GET_USER_PASS_STATIC_CHALLENGE|GET_USER_PASS_INLINE_CREDS; /*FIXME: query_user_exec() called even though nothing queued */ will_return(query_user_exec_builtin, true); -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/666?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I41f6c1f7acb58f30fc4db0e32505018f64fcad28 Gerrit-Change-Number: 666 Gerrit-PatchSet: 2 Gerrit-Owner: selvanair Gerrit-Reviewer: flichtenheld Gerrit-Reviewer: plaisthos Gerrit-CC: openvpn-devel Gerrit-MessageType: newpatchset ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [S] Change in openvpn[master]: Add a test for loading certificate and key using file: URI
cron2 has uploaded a new patch set (#3) to the change originally created by selvanair. ( http://gerrit.openvpn.net/c/openvpn/+/730?usp=email ) The following approvals got outdated and were removed: Code-Review+2 by flichtenheld Change subject: Add a test for loading certificate and key using file: URI .. Add a test for loading certificate and key using file: URI We do not load any providers, so only file: URI internally supported by OpenSSL 3+ is tested. On non-OpenSSL 3 builds the test prints "SKIPPED". v2: avoid dead code; rebase to current master Change-Id: I7615116b5251319aa1f13d671bab7013f3a043ea Signed-off-by: Selva Nair Acked-by: Frank Lichtenheld Message-Id: <20240906103900.37037-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29076.html Signed-off-by: Gert Doering --- M tests/unit_tests/openvpn/test_ssl.c 1 file changed, 44 insertions(+), 0 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/30/730/3 diff --git a/tests/unit_tests/openvpn/test_ssl.c b/tests/unit_tests/openvpn/test_ssl.c index a5c58a0..a1ca344 100644 --- a/tests/unit_tests/openvpn/test_ssl.c +++ b/tests/unit_tests/openvpn/test_ssl.c @@ -66,6 +66,10 @@ } #endif +#if defined(ENABLE_CRYPTO_OPENSSL) && (OPENSSL_VERSION_NUMBER > 0x3000L) +#define HAVE_OPENSSL_STORE +#endif + /* stubs for some unused functions instead of pulling in too many dependencies */ bool get_user_pass_cr(struct user_pass *up, const char *auth_file, const char *prefix, 
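Review bot: the new guard reads `OPENSSL_VERSION_NUMBER > 0x3000L` as rendered here; if that is the literal in the tree it is true for every OpenSSL 1.x build as well (any 1.x version number is far larger than 0x3000), and `HAVE_OPENSSL_STORE` would be defined where the store API does not exist. Compare against the full 3.0.0 version constant, and use `>=` rather than `>` so that 3.0.0 itself, which the commit message ("OpenSSL 3+") means to cover, is not excluded.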
@@ -234,6 +238,45 @@ tls_ctx_free(&ctx); } +/* test loading cert and key using file:/path URI */ +static void +test_load_certificate_and_key_uri(void **state) +{ +(void) state; + +#if !defined(HAVE_OPENSSL_STORE) +skip(); +#else /* HAVE_OPENSSL_STORE */ + +struct tls_root_ctx ctx = { 0 }; +const char *certfile = global_state.certfile; +const char *keyfile = global_state.keyfile; +struct gc_arena *gc = &global_state.gc; + +struct buffer certuri = alloc_buf_gc(6 + strlen(certfile) + 1, gc); /* 6 bytes for "file:/" */ +struct buffer keyuri = alloc_buf_gc(6 + strlen(keyfile) + 1, gc); /* 6 bytes for "file:/" */ + +/* Windows temp file path starts with drive letter -- add a leading slash for URI */ +const char *lead = ""; +#ifdef _WIN32 +lead = "/"; +#endif /* _WIN32 */ +assert_true(buf_printf(&certuri, "file:%s%s", lead, certfile)); +assert_true(buf_printf(&keyuri, "file:%s%s", lead, keyfile)); + +/* On Windows replace any '\' in path by '/' required for URI */ +#ifdef _WIN32 +string_mod(BSTR(&certuri), CC_ANY, CC_BACKSLASH, '/'); +string_mod(BSTR(&keyuri), CC_ANY, CC_BACKSLASH, '/'); +#endif /* _WIN32 */ + +tls_ctx_client_new(&ctx); +tls_ctx_load_cert_file(&ctx, BSTR(&certuri), false); +assert_int_equal(tls_ctx_load_priv_file(&ctx, BSTR(&keyuri), false), 0); +tls_ctx_free(&ctx); +#endif /* HAVE_OPENSSL_STORE */ +} + static void init_implicit_iv(struct crypto_options *co) { 
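Review bot: `buf_printf(&certuri, "file:%s%s", lead, certfile)` pastes the temp path into the URI without percent-encoding, so a temp directory containing a space, `%`, `#` or `?` yields a URI that either fails to open or names something else; either encode the path or add a comment that the test assumes a URI-safe temp directory (on Windows a user profile path with spaces is common). Also, `tls_ctx_load_cert_file(&ctx, BSTR(&certuri), false)` is called without checking anything while the key load is asserted; if the function returns a status, assert it too, and if it is void and fatal on failure, say so in a comment so the asymmetry reads as intentional rather than as a missed check.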
@@ -469,6 +512,7 @@ const struct CMUnitTest tests[] = { cmocka_unit_test(crypto_pem_encode_certificate), cmocka_unit_test(test_load_certificate_and_key), +cmocka_unit_test(test_load_certificate_and_key_uri), cmocka_unit_test(test_data_channel_roundtrip_aes_128_gcm), cmocka_unit_test(test_data_channel_roundtrip_aes_192_gcm), cmocka_unit_test(test_data_channel_roundtrip_aes_256_gcm), -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/730?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I7615116b5251319aa1f13d671bab7013f3a043ea Gerrit-Change-Number: 730 Gerrit-PatchSet: 3 Gerrit-Owner: selvanair Gerrit-Reviewer: flichtenheld Gerrit-Reviewer: plaisthos Gerrit-CC: openvpn-devel Gerrit-MessageType: newpatchset ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [S] Change in openvpn[master]: Add a test for loading certificate and key using file: URI
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/730?usp=email ) Change subject: Add a test for loading certificate and key using file: URI .. Add a test for loading certificate and key using file: URI We do not load any providers, so only file: URI internally supported by OpenSSL 3+ is tested. On non-OpenSSL 3 builds the test prints "SKIPPED". v2: avoid dead code; rebase to current master Change-Id: I7615116b5251319aa1f13d671bab7013f3a043ea Signed-off-by: Selva Nair Acked-by: Frank Lichtenheld Message-Id: <20240906103900.37037-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29076.html Signed-off-by: Gert Doering --- M tests/unit_tests/openvpn/test_ssl.c 1 file changed, 44 insertions(+), 0 deletions(-) diff --git a/tests/unit_tests/openvpn/test_ssl.c b/tests/unit_tests/openvpn/test_ssl.c index a5c58a0..a1ca344 100644 --- a/tests/unit_tests/openvpn/test_ssl.c +++ b/tests/unit_tests/openvpn/test_ssl.c @@ -66,6 +66,10 @@ } #endif +#if defined(ENABLE_CRYPTO_OPENSSL) && (OPENSSL_VERSION_NUMBER > 0x3000L) +#define HAVE_OPENSSL_STORE +#endif + /* stubs for some unused functions instead of pulling in too many dependencies */ bool get_user_pass_cr(struct user_pass *up, const char *auth_file, const char *prefix, 
@@ -234,6 +238,45 @@ tls_ctx_free(&ctx); } +/* test loading cert and key using file:/path URI */ +static void +test_load_certificate_and_key_uri(void **state) +{ +(void) state; + +#if !defined(HAVE_OPENSSL_STORE) +skip(); +#else /* HAVE_OPENSSL_STORE */ + +struct tls_root_ctx ctx = { 0 }; +const char *certfile = global_state.certfile; +const char *keyfile = global_state.keyfile; +struct gc_arena *gc = &global_state.gc; + +struct buffer certuri = alloc_buf_gc(6 + strlen(certfile) + 1, gc); /* 6 bytes for "file:/" */ +struct buffer keyuri = alloc_buf_gc(6 + strlen(keyfile) + 1, gc); /* 6 bytes for "file:/" */ + +/* Windows temp file path starts with drive letter -- add a leading slash for URI */ +const char *lead = ""; +#ifdef _WIN32 +lead = "/"; +#endif /* _WIN32 */ +assert_true(buf_printf(&certuri, "file:%s%s", lead, certfile)); +assert_true(buf_printf(&keyuri, "file:%s%s", lead, keyfile)); + +/* On Windows replace any '\' in path by '/' required for URI */ +#ifdef _WIN32 +string_mod(BSTR(&certuri), CC_ANY, CC_BACKSLASH, '/'); +string_mod(BSTR(&keyuri), CC_ANY, CC_BACKSLASH, '/'); +#endif /* _WIN32 */ + +tls_ctx_client_new(&ctx); +tls_ctx_load_cert_file(&ctx, BSTR(&certuri), false); +assert_int_equal(tls_ctx_load_priv_file(&ctx, BSTR(&keyuri), false), 0); +tls_ctx_free(&ctx); +#endif /* HAVE_OPENSSL_STORE */ +} + static void init_implicit_iv(struct crypto_options *co) { 
@@ -469,6 +512,7 @@ const struct CMUnitTest tests[] = { cmocka_unit_test(crypto_pem_encode_certificate), cmocka_unit_test(test_load_certificate_and_key), +cmocka_unit_test(test_load_certificate_and_key_uri), cmocka_unit_test(test_data_channel_roundtrip_aes_128_gcm), cmocka_unit_test(test_data_channel_roundtrip_aes_192_gcm), cmocka_unit_test(test_data_channel_roundtrip_aes_256_gcm), -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/730?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I7615116b5251319aa1f13d671bab7013f3a043ea Gerrit-Change-Number: 730 Gerrit-PatchSet: 3 Gerrit-Owner: selvanair Gerrit-Reviewer: flichtenheld Gerrit-Reviewer: plaisthos Gerrit-CC: openvpn-devel Gerrit-MessageType: merged ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [M] Change in openvpn[master]: Add a test for loading certificate and key to ssl context
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/729?usp=email ) Change subject: Add a test for loading certificate and key to ssl context .. Add a test for loading certificate and key to ssl context The test certificate used in test_ssl.c is updated to use 2048 bit RSA and the matching key is added. Tests include loading certificate and key as inlined pem as well as from files. Note that loading the key also checks that it matches the certificate, providing an indirect test that the latter was loaded correctly. Change-Id: Ic6f089896191145f68ce9a11023587d05dcec4d8 Signed-off-by: Selva Nair Acked-by: Frank Lichtenheld Message-Id: <20240906103814.36839-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29074.html Signed-off-by: Gert Doering --- M tests/unit_tests/openvpn/test_ssl.c 1 file changed, 113 insertions(+), 13 deletions(-) diff --git a/tests/unit_tests/openvpn/test_ssl.c b/tests/unit_tests/openvpn/test_ssl.c index da50e55..a5c58a0 100644 --- a/tests/unit_tests/openvpn/test_ssl.c +++ b/tests/unit_tests/openvpn/test_ssl.c 
@@ -79,18 +79,58 @@ return; } -const char *unittest_cert = "-BEGIN CERTIFICATE-\n" - "MIIBuTCCAUCgAwIBAgIUTLtjSBzx53qZRvZ6Ur7D9kgoOHkwCgYIKoZIzj0EAwIw\n" - "EzERMA8GA1UEAwwIdW5pdHRlc3QwIBcNMjMxMTIxMDk1NDQ3WhgPMjA3ODA4MjQw\n" - "OTU0NDdaMBMxETAPBgNVBAMMCHVuaXR0ZXN0MHYwEAYHKoZIzj0CAQYFK4EEACID\n" - "YgAEHYB2hn2xx3f4lClXDtdi36P19pMZA+kI1Dkv/Vn10vBZ/j9oa+P99T8duz/e\n" - "QlPeHpesNJO4fX8iEDj6+vMeWejOT7jAQ4MmG5EZjpcBKxCfwFooEvzu8bVujUcu\n" - "wTQEo1MwUTAdBgNVHQ4EFgQUPcgBEVXjF5vYfDsInoE3dF6UfQswHwYDVR0jBBgw\n" - "FoAUPcgBEVXjF5vYfDsInoE3dF6UfQswDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjO\n" - "PQQDAgNnADBkAjBLPAGrQAyinigqiu0RomoV8TVaknVLFSq6H6A8jgvzfsFCUK1O\n" - "dvNZhFPM6idKB+oCME2JLOBANCSV8o7aJzq7SYHKwPyb1J4JFlwKe/0Jpv7oh9b1\n" -"IJbuaM9Z/VSKbrIXGg==\n" -"-END CERTIFICATE-\n"; +static const char *const unittest_cert = +"-BEGIN CERTIFICATE-\n" +"MIIDYzCCAkugAwIBAgIRALrXTx4lqa8QgF7uGjISxmcwDQYJKoZIhvcNAQELBQAw\n" +"GDEWMBQGA1UEAwwNT1ZQTiBURVNUIENBMTAgFw0yMzAzMTMxNjA5MThaGA8yMTIz\n" +"MDIxNzE2MDkxOFowGTEXMBUGA1UEAwwOb3Zwbi10ZXN0LXJzYTEwggEiMA0GCSqG\n" +"SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC7xFoR6fmoyfsJIQDKKgbYgFw0MzVuDAmp\n" +"Rx6KTEihgTchkQx9fHddWbKiOUbcEnQi3LNux7P4QVl/4dRR3skisBug6Vd5LXeB\n" +"GZqmpu5XZiF4DgLz1lX21G0aOogFWkie2qGEcso40159x9FBDl5A3sLP18ubeex0\n" +"pd/BzDFv6SLOTyVWO/GCNc8IX/i0uN4mLvoVU00SeqwTPnS+CRXrSq4JjGDJLsXl\n" +"0/PlxkjsgU0yOOA0Z2d8Fzk3wClwP6Hc49BOMWKstUIhLbG2DcIv8l29EuEj2w3j\n" +"u/7gkewol96XQ2twpPvpoVAaiVh/m7hQUcQORQCD6eJcDjOZVCArAgMBAAGjgaQw\n" +"gaEwCQYDVR0TBAIwADAdBgNVHQ4EFgQUqYnRaBHrZmKLtMZES5AuwqzJkGYwUwYD\n" +"VR0jBEwwSoAU3MLDNDOK13DqflQ8ra7FeGBXK06hHKQaMBgxFjAUBgNVBAMMDU9W\n" +"UE4gVEVTVCBDQTGCFD55ErHXpK2JXS3WkfBm0NB1r3vKMBMGA1UdJQQMMAoGCCsG\n" +"AQUFBwMCMAsGA1UdDwQEAwIHgDANBgkqhkiG9w0BAQsFAAOCAQEAZVcXrezA9Aby\n" +"sfUNHAsMxrex/EO0PrIPSrmSmc9sCiD8cCIeB6kL8c5iPPigoWW0uLA9zteDRFes\n" +"ez+Z8wBY6g8VQ0tFPURDooUg5011GZPDcuw7/PsI4+I2J9q6LHEp+6Oo4faSn/kl\n" +"yWYCLjM4FZdGXbOijDacQJiN6HcRv0UdodBrEVRf7YHJJmMCbCI7ZUGW2zef/+rO\n" 
+"e4Lkxh0MLYqCkNKH5ZfoGTC4Oeb0xKykswAanqgR60r+upaLU8PFuI2L9M3vc6KU\n" +"F6MgVGSxl6eylJgDYckvJiAbmcp2PD/LRQQOxQA0yqeAMg2cbdvclETuYD6zoFfu\n" +"Y8aO7dvDlw==\n" +"-END CERTIFICATE-\n"; + +static const char *const unittest_key = +"-BEGIN PRIVATE KEY-\n" +"MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQC7xFoR6fmoyfsJ\n" +"IQDKKgbYgFw0MzVuDAmpRx6KTEihgTchkQx9fHddWbKiOUbcEnQi3LNux7P4QVl/\n" +"4dRR3skisBug6Vd5LXeBGZqmpu5XZiF4DgLz1lX21G0aOogFWkie2qGEcso40159\n" +"x9FBDl5A3sLP18ubeex0pd/BzDFv6SLOTyVWO/GCNc8IX/i0uN4mLvoVU00SeqwT\n" +"PnS+CRXrSq4JjGDJLsXl0/PlxkjsgU0yOOA0Z2d8Fzk3wClwP6Hc49BOMWKstUIh\n" +"LbG2DcIv8l29EuEj2w3ju/7gkewol96XQ2twpPvpoVAaiVh/m7hQUcQORQCD6eJc\n" +"DjOZVCArAgMBAAECggEACqkuWAAJ3cyCBVWrXs8eDmLTWV9i9DmYvtS75ixIn2rf\n" +"v3cl12YevN0f6FgKLuqZT3Vqdqq+DCVhuIIQ9QkKMH8BQpSdE9NCCsFyZ23o8Gtr\n" +"EQ7ymfecb+RFwYx7NpqWrvZI32VJGArgPZH/zorLTTGYrAZbmBtHEqRsXOuEDw97\n" +"slwwcWaa9ztaYC8/N/7fgsnydaCFSaOByRlWuyvSmHvn6ZwLv8ANOshY6fstC0Jb\n" +"BW0GpSe9eZPjpl71VT2RtpghqLV5+iAoFDHoT+eZvBospcUGtfcZSU7RrBjKB8+a\n" +"U1d6hwKhduVs2peIQzl+FiOSdWriLcsZv79q4sBhsQKBgQDUDVTf5BGJ8apOs/17\n" +"YVk+Ad8Ey8sXvsfk49psmlCRa8Z4g0LVXfrP94qzhtl8U5kE9hs3nEF4j/kX1ZWG\n" +"k11tdsNTZN5x5bbAgEgPA6Ap6J/uto0HS8G0vSv0lyBymdKA3p/i5Dx+8Nc9cGns\n" +"LGI9MvviLX7pQFIkvbaCkdKwYwKBgQDirowjWZnm7BgVhF0G1m3DY9nQTYYU185W\n" +"UESaO5/nVzwUrA+FypJamD+AvmlSuY8rJe
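Review bot: `unittest_key` is a PEM private key committed to the repository; add a one-line comment above it saying it is a throwaway credential generated for this unit test, so secret scanners and readers do not treat it as a leak and nobody is tempted to reuse it. The certificate itself is fine for a long-lived test: its validity fields decode to 2023-03-13 through 2123-02-17, so the loading test will not start failing on expiry. Since the issuer is now "OVPN TEST CA1" rather than a self-signed subject, any later test that verifies the chain will need that CA embedded as well.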
[Openvpn-devel] [M] Change in openvpn[master]: Add a test for loading certificate and key to ssl context
cron2 has uploaded a new patch set (#3) to the change originally created by selvanair. ( http://gerrit.openvpn.net/c/openvpn/+/729?usp=email ) The following approvals got outdated and were removed: Code-Review+2 by flichtenheld Change subject: Add a test for loading certificate and key to ssl context .. Add a test for loading certificate and key to ssl context The test certificate used in test_ssl.c is updated to use 2048 bit RSA and the matching key is added. Tests include loading certificate and key as inlined pem as well as from files. Note that loading the key also checks that it matches the certificate, providing an indirect test that the latter was loaded correctly. Change-Id: Ic6f089896191145f68ce9a11023587d05dcec4d8 Signed-off-by: Selva Nair Acked-by: Frank Lichtenheld Message-Id: <20240906103814.36839-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29074.html Signed-off-by: Gert Doering --- M tests/unit_tests/openvpn/test_ssl.c 1 file changed, 113 insertions(+), 13 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/29/729/3 diff --git a/tests/unit_tests/openvpn/test_ssl.c b/tests/unit_tests/openvpn/test_ssl.c index da50e55..a5c58a0 100644 --- a/tests/unit_tests/openvpn/test_ssl.c +++ b/tests/unit_tests/openvpn/test_ssl.c 
@@ -79,18 +79,58 @@ return; } -const char *unittest_cert = "-BEGIN CERTIFICATE-\n" - "MIIBuTCCAUCgAwIBAgIUTLtjSBzx53qZRvZ6Ur7D9kgoOHkwCgYIKoZIzj0EAwIw\n" - "EzERMA8GA1UEAwwIdW5pdHRlc3QwIBcNMjMxMTIxMDk1NDQ3WhgPMjA3ODA4MjQw\n" - "OTU0NDdaMBMxETAPBgNVBAMMCHVuaXR0ZXN0MHYwEAYHKoZIzj0CAQYFK4EEACID\n" - "YgAEHYB2hn2xx3f4lClXDtdi36P19pMZA+kI1Dkv/Vn10vBZ/j9oa+P99T8duz/e\n" - "QlPeHpesNJO4fX8iEDj6+vMeWejOT7jAQ4MmG5EZjpcBKxCfwFooEvzu8bVujUcu\n" - "wTQEo1MwUTAdBgNVHQ4EFgQUPcgBEVXjF5vYfDsInoE3dF6UfQswHwYDVR0jBBgw\n" - "FoAUPcgBEVXjF5vYfDsInoE3dF6UfQswDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjO\n" - "PQQDAgNnADBkAjBLPAGrQAyinigqiu0RomoV8TVaknVLFSq6H6A8jgvzfsFCUK1O\n" - "dvNZhFPM6idKB+oCME2JLOBANCSV8o7aJzq7SYHKwPyb1J4JFlwKe/0Jpv7oh9b1\n" -"IJbuaM9Z/VSKbrIXGg==\n" -"-END CERTIFICATE-\n"; +static const char *const unittest_cert = +"-BEGIN CERTIFICATE-\n" +"MIIDYzCCAkugAwIBAgIRALrXTx4lqa8QgF7uGjISxmcwDQYJKoZIhvcNAQELBQAw\n" +"GDEWMBQGA1UEAwwNT1ZQTiBURVNUIENBMTAgFw0yMzAzMTMxNjA5MThaGA8yMTIz\n" +"MDIxNzE2MDkxOFowGTEXMBUGA1UEAwwOb3Zwbi10ZXN0LXJzYTEwggEiMA0GCSqG\n" +"SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC7xFoR6fmoyfsJIQDKKgbYgFw0MzVuDAmp\n" +"Rx6KTEihgTchkQx9fHddWbKiOUbcEnQi3LNux7P4QVl/4dRR3skisBug6Vd5LXeB\n" +"GZqmpu5XZiF4DgLz1lX21G0aOogFWkie2qGEcso40159x9FBDl5A3sLP18ubeex0\n" +"pd/BzDFv6SLOTyVWO/GCNc8IX/i0uN4mLvoVU00SeqwTPnS+CRXrSq4JjGDJLsXl\n" +"0/PlxkjsgU0yOOA0Z2d8Fzk3wClwP6Hc49BOMWKstUIhLbG2DcIv8l29EuEj2w3j\n" +"u/7gkewol96XQ2twpPvpoVAaiVh/m7hQUcQORQCD6eJcDjOZVCArAgMBAAGjgaQw\n" +"gaEwCQYDVR0TBAIwADAdBgNVHQ4EFgQUqYnRaBHrZmKLtMZES5AuwqzJkGYwUwYD\n" +"VR0jBEwwSoAU3MLDNDOK13DqflQ8ra7FeGBXK06hHKQaMBgxFjAUBgNVBAMMDU9W\n" +"UE4gVEVTVCBDQTGCFD55ErHXpK2JXS3WkfBm0NB1r3vKMBMGA1UdJQQMMAoGCCsG\n" +"AQUFBwMCMAsGA1UdDwQEAwIHgDANBgkqhkiG9w0BAQsFAAOCAQEAZVcXrezA9Aby\n" +"sfUNHAsMxrex/EO0PrIPSrmSmc9sCiD8cCIeB6kL8c5iPPigoWW0uLA9zteDRFes\n" +"ez+Z8wBY6g8VQ0tFPURDooUg5011GZPDcuw7/PsI4+I2J9q6LHEp+6Oo4faSn/kl\n" +"yWYCLjM4FZdGXbOijDacQJiN6HcRv0UdodBrEVRf7YHJJmMCbCI7ZUGW2zef/+rO\n" 
+"e4Lkxh0MLYqCkNKH5ZfoGTC4Oeb0xKykswAanqgR60r+upaLU8PFuI2L9M3vc6KU\n" +"F6MgVGSxl6eylJgDYckvJiAbmcp2PD/LRQQOxQA0yqeAMg2cbdvclETuYD6zoFfu\n" +"Y8aO7dvDlw==\n" +"-END CERTIFICATE-\n"; + +static const char *const unittest_key = +"-BEGIN PRIVATE KEY-\n" +"MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQC7xFoR6fmoyfsJ\n" +"IQDKKgbYgFw0MzVuDAmpRx6KTEihgTchkQx9fHddWbKiOUbcEnQi3LNux7P4QVl/\n" +"4dRR3skisBug6Vd5LXeBGZqmpu5XZiF4DgLz1lX21G0aOogFWkie2qGEcso40159\n" +"x9FBDl5A3sLP18ubeex0pd/BzDFv6SLOTyVWO/GCNc8IX/i0uN4mLvoVU00SeqwT\n" +"PnS+CRXrSq4JjGDJLsXl0/PlxkjsgU0yOOA0Z2d8Fzk3wClwP6Hc49BOMWKstUIh\n" +"LbG2DcIv8l29EuEj2w3ju/7gkewol96XQ2twpPvpoVAaiVh/m7hQUcQORQCD6eJc\n" +"DjOZVCArAgMBAAECggEACqkuWAAJ3cyCBVWrXs8eDmLTWV9i9DmYvtS75ixIn2rf\n" +"v3cl12YevN0f6FgKLuqZT3Vqdqq+DCVhuIIQ9QkKMH8BQpSdE9NCCsFyZ23o8Gtr\n" +"EQ7ymfecb+RFwYx7NpqWrvZI32VJGArgPZH/zorLTTGYrAZbmBtHEqRsXOuEDw97\n" +"slwwcWaa9ztaYC8/N/7fgsnydaCFSaOByRlWuyvSmHvn6ZwLv8ANOshY6fstC0Jb\n" +"BW0GpSe9eZPjpl71VT2RtpghqLV5+iAoFDHoT+eZvBospcUGtfcZSU7RrBjKB8+a\n" +"U1d6hwKhduVs2peIQzl+FiOSdWriLcsZv79q4sBhsQKBgQDUDVTf5BGJ8apOs/17\n" +"YVk+Ad8Ey8sXvsfk49psmlCRa8Z4g0LVXfrP94qzhtl8
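Review bot: the new `unittest_key` block checks an RSA private key into the test source next to the replaced certificate; put a comment at the top of the pair saying it is throwaway material generated for test_ssl.c only, so nobody later mistakes it for deployable key material, and consider a companion negative test that loads a deliberately mismatched key, since the commit message relies on the key/certificate match check as the only indirect proof that the certificate itself loaded correctly.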
[Openvpn-devel] [L] Change in openvpn[master]: Interpret --key and --cert option argument as URI
cron2 has uploaded a new patch set (#4) to the change originally created by selvanair. ( http://gerrit.openvpn.net/c/openvpn/+/726?usp=email )

The following approvals got outdated and were removed: Code-Review+2 by flichtenheld

Change subject: Interpret --key and --cert option argument as URI

Interpret --key and --cert option argument as URI

OpenSSL 3 has providers which can load keys and certificates from various key stores and HSMs using a provider-specific URI. While certificates are generally exportable, and some providers support a PEM file that acts as a proxy for non-exportable private keys, not all providers are expected to do so. A generic capability to read keys and certificates from URIs appears useful.

This patch does this by extending the scope of the argument for "--key" and "--cert" options to include URIs. Many of the OpenSSL 3 utilities also work the same way: e.g., the "-in" option for "openssl pkey" or "openssl x509" could be a filename or URI. Other applications have started emulating this behaviour: e.g., pkcs11: URI works as an alternative to a file name for certificates and keys in apache.

Even for files, this has a nice side effect that non-PEM files get transparently parsed. E.g., a pkcs12 file could be used in place of a PEM file without needing any extra options.

This is backward compatible as OpenSSL falls back to treating URIs with no scheme or unrecognized scheme as file names. Parsing of inlined keys and certificates is unchanged (those should be in PEM format).

Specification of URIs that OpenSSL accepts depends on the providers that support them. Some are standard URIs such as "file:/path", but providers may support non-standard URIs with arbitrary scheme names. OpenSSL by itself recognizes only file URI. However, the implementation is agnostic to the URI specification as parsing is done by the provider that supports the URI. A new URI gets automatically recognized when the provider that supports it is loaded.
Below are some usage examples:

Relative or absolute path to a file or as a URI "file:/absolute/path":
--key mykey.pem (same as what is currently supported)
--key file:/path/to/mykey.pem
--cert file:/path/to/mycert.pem

Other file types supported by OpenSSL would also work:
--key client.p12
--cert client.p12

pkcs11-provider supports "pkcs11:" URI (RFC 7512):
--key pkcs11:token=Foo;id=%01
--cert pkcs11:token=Foo;id=%01

tpm2-provider recognizes a custom URI "handle:":
--key handle:0x8100

These examples assume that required providers, if any, are loaded and configured.

v2: same as PR 591 but with the fixup commit that addresses review comments squashed.

Change-Id: I82b32d5ab472926e7889a5f4a90caba14231879a
Signed-off-by: Selva Nair
Acked-by: Frank Lichtenheld
Message-Id: <20240906103734.36633-1-fr...@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29075.html
Signed-off-by: Gert Doering
---
M doc/man-sections/tls-options.rst
M src/openvpn/options.c
M src/openvpn/ssl_openssl.c
M tests/unit_tests/openvpn/test_ssl.c
4 files changed, 280 insertions(+), 27 deletions(-)

git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/26/726/4

diff --git a/doc/man-sections/tls-options.rst b/doc/man-sections/tls-options.rst
index de74c0d..cdb8571 100644
--- a/doc/man-sections/tls-options.rst
+++ b/doc/man-sections/tls-options.rst
@@ -85,10 +85,17 @@ OpenVPN will log the usual warning in the logs if the relevant CRL is missing, but the connection will be allowed. ---cert file - Local peer's signed certificate in .pem format -- must be signed by a - certificate authority whose certificate is in ``--ca file``. Each peer - in an OpenVPN link running in TLS mode should have its own certificate +--cert file|uri + Local peer's signed certificate in .pem format or as a URI -- must be + signed by a certificate authority whose certificate is in ``--ca file`` + in the peer configuration. URI is supported only when built with + OpenSSL 3.0 or later and any required providers are loaded. Types + of URIs supported and their syntax depends on providers. OpenSSL has + internal support for "file:/absolute/path" URI in which case the scheme + "file:" is optional, and any file format recognized by OpenSSL (e.g., PEM, + PKCS12) is supported. PKCS#11 URI (RFC 7512) is supported by pkcs11-provider. + + Each peer in an OpenVPN link running in TLS mode should have its own certificate and private key file. In addition, each certificate should have been signed by the key of a certificate authority whose public key resides in the ``--ca`` certificate authority file. You can easily make your own @@ -203,10 +210,11 @@ The ``--hand-window`` parameter also controls the amount of time that the OpenVPN client repeats the pull request until it times out. ---key file - Local peer's private key in .pem format. U
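An added illustration, not OpenVPN's or OpenSSL's code, of how a `--key`/`--cert` argument falls into the cases the commit message above lists (plain path, `file:` URI, `pkcs11:` URI, other provider scheme) and of how the `id=%01` attribute in the `pkcs11:` example decodes under RFC 7512. OpenVPN itself does not parse the argument; it hands the string to OpenSSL and the provider owning the scheme interprets it, so this only makes that interpretation visible. The names `classify_arg`, `pct_decode` and `pkcs11_attr` are mine, and treating a lone drive letter such as `C:\...` as a path rather than a scheme is my assumption about what a Windows user expects, not something the patch discusses.

```c
/* Added illustration, not OpenVPN or OpenSSL code: OpenVPN hands the --key and
 * --cert argument to OpenSSL unparsed and the provider owning the scheme
 * interprets it. This sorts an argument into the cases the commit message
 * lists (plain path, "file:" URI, "pkcs11:" URI, other provider scheme) and
 * decodes an RFC 7512 pkcs11: attribute such as id=%01. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum arg_kind { ARG_FILE, ARG_FILE_URI, ARG_PKCS11_URI, ARG_OTHER_URI };

/* Length of a "scheme:" prefix (5 for "file:"), or 0 if there is none. A lone
 * letter before ':' is assumed to be a Windows drive ("C:\keys\a.pem"), not a
 * scheme. Schemes are compared case-sensitively here for brevity. */
static size_t scheme_len(const char *arg)
{
    size_t i = 0;
    if (!isalpha((unsigned char)arg[0])) { return 0; }
    while (isalnum((unsigned char)arg[i]) || arg[i] == '+' || arg[i] == '-' || arg[i] == '.') { i++; }
    return (arg[i] == ':' && i >= 2) ? i + 1 : 0;
}

enum arg_kind classify_arg(const char *arg)
{
    size_t n = scheme_len(arg);
    if (n == 0) { return ARG_FILE; }                                    /* relative or absolute path; PEM or PKCS#12 */
    if (n == 5 && strncmp(arg, "file:", 5) == 0) { return ARG_FILE_URI; } /* the one URI OpenSSL handles itself */
    if (n == 7 && strncmp(arg, "pkcs11:", 7) == 0) { return ARG_PKCS11_URI; } /* needs pkcs11-provider */
    /* e.g. "handle:" from tpm2-provider; with no provider claiming the scheme,
     * OpenSSL falls back to opening a file literally named like the argument */
    return ARG_OTHER_URI;
}

/* Percent-decode src into dst (dst needs strlen(src)+1 bytes). Returns the
 * decoded length, or -1 on a malformed escape ("%zz", trailing "%"). */
int pct_decode(const char *src, unsigned char *dst)
{
    int n = 0;
    while (*src) {
        if (*src == '%') {
            if (!isxdigit((unsigned char)src[1]) || !isxdigit((unsigned char)src[2])) { return -1; }
            char hex[3] = { src[1], src[2], '\0' };
            dst[n++] = (unsigned char)strtoul(hex, NULL, 16);
            src += 3;
        } else {
            dst[n++] = (unsigned char)*src++;
        }
    }
    dst[n] = '\0';
    return n;
}

/* Fetch one path attribute of a pkcs11: URI (RFC 7512: "name=value" pairs
 * separated by ';', values percent-encoded). The query part after '?', where
 * pin-value lives, is deliberately not searched. Writes the decoded value,
 * NUL-terminated, to out and returns its length; -1 if the argument is not a
 * pkcs11: URI, the attribute is absent or malformed, or out is too small. */
int pkcs11_attr(const char *uri, const char *name, unsigned char *out, size_t outlen)
{
    if (classify_arg(uri) != ARG_PKCS11_URI) { return -1; }
    const char *p = uri + 7;
    const char *query = strchr(p, '?');
    size_t nlen = strlen(name);
    while (*p && p != query) {
        size_t seg = strcspn(p, ";?");
        if (seg > nlen && strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            char raw[256];
            size_t vlen = seg - nlen - 1;
            if (vlen >= sizeof(raw) || vlen + 1 > outlen) { return -1; }
            memcpy(raw, p + nlen + 1, vlen);
            raw[vlen] = '\0';
            return pct_decode(raw, out);
        }
        p += seg;
        if (*p == ';') { p++; }
    }
    return -1;
}

int main(void)
{
    /* constructed inputs: the commit message's own examples plus a drive path */
    static const char *const kinds[] = { "file path", "file: URI", "pkcs11: URI", "other provider URI" };
    static const char *const examples[] = { "mykey.pem", "file:/path/to/mykey.pem", "client.p12",
                                            "pkcs11:token=Foo;id=%01", "handle:0x8100", "C:\\keys\\client.pem" };
    for (size_t i = 0; i < sizeof(examples) / sizeof(examples[0]); i++) {
        printf("%-26s -> %s\n", examples[i], kinds[classify_arg(examples[i])]);
    }
    unsigned char id[16];
    int n = pkcs11_attr("pkcs11:token=Foo;id=%01", "id", id, sizeof(id));
    printf("id=%%01 decodes to %d byte(s), first 0x%02x\n", n, id[0]);
    return 0;
}
```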
[Openvpn-devel] [L] Change in openvpn[master]: Interpret --key and --cert option argument as URI
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/726?usp=email )

Change subject: Interpret --key and --cert option argument as URI

Interpret --key and --cert option argument as URI

OpenSSL 3 has providers which can load keys and certificates from various key stores and HSMs using a provider-specific URI. While certificates are generally exportable, and some providers support a PEM file that acts as a proxy for non-exportable private keys, not all providers are expected to do so. A generic capability to read keys and certificates from URIs appears useful.

This patch does this by extending the scope of the argument for "--key" and "--cert" options to include URIs. Many of the OpenSSL 3 utilities also work the same way: e.g., the "-in" option for "openssl pkey" or "openssl x509" could be a filename or URI. Other applications have started emulating this behaviour: e.g., pkcs11: URI works as an alternative to a file name for certificates and keys in apache.

Even for files, this has a nice side effect that non-PEM files get transparently parsed. E.g., a pkcs12 file could be used in place of a PEM file without needing any extra options.

This is backward compatible as OpenSSL falls back to treating URIs with no scheme or unrecognized scheme as file names. Parsing of inlined keys and certificates is unchanged (those should be in PEM format).

Specification of URIs that OpenSSL accepts depends on the providers that support them. Some are standard URIs such as "file:/path", but providers may support non-standard URIs with arbitrary scheme names. OpenSSL by itself recognizes only file URI. However, the implementation is agnostic to the URI specification as parsing is done by the provider that supports the URI. A new URI gets automatically recognized when the provider that supports it is loaded.
Below are some usage examples:

Relative or absolute path to a file or as a URI "file:/absolute/path":
--key mykey.pem (same as what is currently supported)
--key file:/path/to/mykey.pem
--cert file:/path/to/mycert.pem

Other file types supported by OpenSSL would also work:
--key client.p12
--cert client.p12

pkcs11-provider supports "pkcs11:" URI (RFC 7512):
--key pkcs11:token=Foo;id=%01
--cert pkcs11:token=Foo;id=%01

tpm2-provider recognizes a custom URI "handle:":
--key handle:0x8100

These examples assume that required providers, if any, are loaded and configured.

v2: same as PR 591 but with the fixup commit that addresses review comments squashed.

Change-Id: I82b32d5ab472926e7889a5f4a90caba14231879a
Signed-off-by: Selva Nair
Acked-by: Frank Lichtenheld
Message-Id: <20240906103734.36633-1-fr...@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29075.html
Signed-off-by: Gert Doering
---
M doc/man-sections/tls-options.rst
M src/openvpn/options.c
M src/openvpn/ssl_openssl.c
M tests/unit_tests/openvpn/test_ssl.c
4 files changed, 280 insertions(+), 27 deletions(-)

diff --git a/doc/man-sections/tls-options.rst b/doc/man-sections/tls-options.rst
index de74c0d..cdb8571 100644
--- a/doc/man-sections/tls-options.rst
+++ b/doc/man-sections/tls-options.rst
@@ -85,10 +85,17 @@ OpenVPN will log the usual warning in the logs if the relevant CRL is missing, but the connection will be allowed. ---cert file - Local peer's signed certificate in .pem format -- must be signed by a - certificate authority whose certificate is in ``--ca file``. Each peer - in an OpenVPN link running in TLS mode should have its own certificate +--cert file|uri + Local peer's signed certificate in .pem format or as a URI -- must be + signed by a certificate authority whose certificate is in ``--ca file`` + in the peer configuration. URI is supported only when built with + OpenSSL 3.0 or later and any required providers are loaded. Types + of URIs supported and their syntax depends on providers. OpenSSL has + internal support for "file:/absolute/path" URI in which case the scheme + "file:" is optional, and any file format recognized by OpenSSL (e.g., PEM, + PKCS12) is supported. PKCS#11 URI (RFC 7512) is supported by pkcs11-provider. + + Each peer in an OpenVPN link running in TLS mode should have its own certificate and private key file. In addition, each certificate should have been signed by the key of a certificate authority whose public key resides in the ``--ca`` certificate authority file. You can easily make your own @@ -203,10 +210,11 @@ The ``--hand-window`` parameter also controls the amount of time that the OpenVPN client repeats the pull request until it times out. ---key file - Local peer's private key in .pem format. Use the private key which was - generated when you built your peer's certificate (see ``--cert file`` - above). +--key file|uri + Local peer's private key in .pem format or a URI. Use the private key + which w
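Review bot: the new `--cert file|uri` text in the `@@ -85,10 +85,17 @@` hunk should say what happens when the argument carries a scheme but the build is not OpenSSL 3 (mbedTLS, or OpenSSL before 3.0) or the provider is not loaded: per the commit message OpenSSL treats an unrecognized scheme as a file name, so a `pkcs11:` argument without pkcs11-provider will fail as a missing file literally named `pkcs11:token=...`, and both the doc and the error path in ssl_openssl.c should make that failure recognisable rather than looking like a typo in a path. Grammar in the same hunk: "Types of URIs supported and their syntax depends on providers" should read "depend", and "PKCS12" should be "PKCS#12" to match "PKCS#11" in the next sentence.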
[Openvpn-devel] [M] Change in openvpn[master]: Protect cached username, password and token on client
cron2 has uploaded a new patch set (#4) to the change originally created by selvanair. ( http://gerrit.openvpn.net/c/openvpn/+/728?usp=email )

The following approvals got outdated and were removed: Code-Review+2 by flichtenheld

Change subject: Protect cached username, password and token on client

Protect cached username, password and token on client

Keep the memory segment containing username and password in "struct user_pass" encrypted. Works only on Windows. Username and auth-token cached by the server are not covered here.

v2: Encrypt username and password separately as it looks more robust. We continue to depend on the username and password buffer sizes to be a multiple of CRYPTPROTECTMEMORY_BLOCK_SIZE = 16, which is the case now. An error is logged if this is not the case.

v3: move up ASSERT in auth_token.c

Change-Id: I42e17e09a02f01aedadc2b03f9527967f6e1e8ff
Signed-off-by: Selva Nair
Acked-by: Frank Lichtenheld
Message-Id: <20240906112908.1009-1-g...@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29079.html
Signed-off-by: Gert Doering
---
M src/openvpn/auth_token.c
M src/openvpn/misc.c
M src/openvpn/misc.h
M src/openvpn/proxy.c
M src/openvpn/ssl.c
M src/openvpn/ssl_verify.c
M src/openvpn/win32.c
M src/openvpn/win32.h
M tests/unit_tests/openvpn/test_user_pass.c
9 files changed, 153 insertions(+), 8 deletions(-)

git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/28/728/4

diff --git a/src/openvpn/auth_token.c b/src/openvpn/auth_token.c
index 6787ea7..5de65cb 100644
--- a/src/openvpn/auth_token.c
+++ b/src/openvpn/auth_token.c
@@ -301,6 +301,7 @@ * Base64 is <= input and input is < USER_PASS_LEN, so using USER_PASS_LEN * is safe here but a bit overkill */ +ASSERT(up && !up->protected); uint8_t b64decoded[USER_PASS_LEN]; int decoded_len = openvpn_base64_decode(up->password + strlen(SESSION_ID_PREFIX), b64decoded, USER_PASS_LEN);
diff --git a/src/openvpn/misc.c b/src/openvpn/misc.c
index 598fbae..ef4ab69 100644
--- a/src/openvpn/misc.c +++ b/src/openvpn/misc.c @@ -223,6 +223,7 @@ bool password_from_stdin = false; bool response_from_stdin = true; +unprotect_user_pass(up); if (flags & GET_USER_PASS_PREVIOUS_CREDS_FAILED) { msg(M_WARN, "Note: previous '%s' credentials failed", prefix); @@ -479,14 +480,18 @@ secure_memzero(up, sizeof(*up)); up->nocache = nocache; } -/* - * don't show warning if the pass has been replaced by a token: this is an - * artificial "auth-nocache" - */ -else if (!warn_shown) +else { -msg(M_WARN, "WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this"); -warn_shown = true; +protect_user_pass(up); +/* + * don't show warning if the pass has been replaced by a token: this is an + * artificial "auth-nocache" + */ +if (!warn_shown) +{ +msg(M_WARN, "WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this"); +warn_shown = true; +} } } @@ -495,6 +500,7 @@ { if (strlen(token)) { +unprotect_user_pass(tk); strncpynt(tk->password, token, USER_PASS_LEN); tk->token_defined = true; @@ -505,6 +511,7 @@ { tk->defined = true; } +protect_user_pass(tk); } } @@ -513,6 +520,7 @@ { if (strlen(username)) { +unprotect_user_pass(tk); /* Clear the username before decoding to ensure no old material is left * and also allow decoding to not use all space to ensure the last byte is * always 0 */ @@ -523,6 +531,7 @@ { msg(D_PUSH, "Error decoding auth-token-username"); } +protect_user_pass(tk); } } 
@@ -779,3 +788,43 @@ return combined_path; } + +void +protect_user_pass(struct user_pass *up) +{ +if (up->protected) +{ +return; +} +#ifdef _WIN32 +if (protect_buffer_win32(up->username, sizeof(up->username)) +&& protect_buffer_win32(up->password, sizeof(up->password))) +{ +up->protected = true; +} +else +{ +purge_user_pass(up, true); +} +#endif +} + +void +unprotect_user_pass(struct user_pass *up) +{ +if (!up->protected) +{ +return; +} +#ifdef _WIN32 +if (unprotect_buffer_win32(up->username, sizeof(up->username)) +&& unprotect_buffer_win32(up->password, sizeof(up->password))) +{ +up->protected = false; +} +else +{ +purge_user_pass(up, true); +} +#endif +} diff --git a/src/openvpn/misc.h b/src/openvpn/misc.h index 963f3e6..a967ec8 100644 --- a/src/openvpn/misc.h +++ b/src/op
[Openvpn-devel] [M] Change in openvpn[master]: Protect cached username, password and token on client
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/728?usp=email )

Change subject: Protect cached username, password and token on client

Protect cached username, password and token on client

Keep the memory segment containing username and password in "struct user_pass" encrypted. Works only on Windows. Username and auth-token cached by the server are not covered here.

v2: Encrypt username and password separately as it looks more robust. We continue to depend on the username and password buffer sizes to be a multiple of CRYPTPROTECTMEMORY_BLOCK_SIZE = 16, which is the case now. An error is logged if this is not the case.

v3: move up ASSERT in auth_token.c

Change-Id: I42e17e09a02f01aedadc2b03f9527967f6e1e8ff
Signed-off-by: Selva Nair
Acked-by: Frank Lichtenheld
Message-Id: <20240906112908.1009-1-g...@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29079.html
Signed-off-by: Gert Doering
---
M src/openvpn/auth_token.c
M src/openvpn/misc.c
M src/openvpn/misc.h
M src/openvpn/proxy.c
M src/openvpn/ssl.c
M src/openvpn/ssl_verify.c
M src/openvpn/win32.c
M src/openvpn/win32.h
M tests/unit_tests/openvpn/test_user_pass.c
9 files changed, 153 insertions(+), 8 deletions(-)

diff --git a/src/openvpn/auth_token.c b/src/openvpn/auth_token.c
index 6787ea7..5de65cb 100644
--- a/src/openvpn/auth_token.c
+++ b/src/openvpn/auth_token.c
@@ -301,6 +301,7 @@ * Base64 is <= input and input is < USER_PASS_LEN, so using USER_PASS_LEN * is safe here but a bit overkill */ +ASSERT(up && !up->protected); uint8_t b64decoded[USER_PASS_LEN]; int decoded_len = openvpn_base64_decode(up->password + strlen(SESSION_ID_PREFIX), b64decoded, USER_PASS_LEN);
diff --git a/src/openvpn/misc.c b/src/openvpn/misc.c
index 598fbae..ef4ab69 100644
--- a/src/openvpn/misc.c
+++ b/src/openvpn/misc.c
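Review bot: `ASSERT(up && !up->protected)` in the auth_token.c hunk turns a caller's omission (reading `up->password` while the buffer is still encrypted) into a process abort rather than a failed token decode; that is a defensible invariant, but it can only ever fire on Windows, because `protected` never becomes true elsewhere (the `#ifdef _WIN32` bodies in the misc.c hunk below), so make sure the new tests in tests/unit_tests/openvpn/test_user_pass.c actually run in the Windows CI job, and add a comment at this function stating that callers must `unprotect_user_pass()` first.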
@@ -223,6 +223,7 @@ bool password_from_stdin = false; bool response_from_stdin = true; +unprotect_user_pass(up); if (flags & GET_USER_PASS_PREVIOUS_CREDS_FAILED) { msg(M_WARN, "Note: previous '%s' credentials failed", prefix); @@ -479,14 +480,18 @@ secure_memzero(up, sizeof(*up)); up->nocache = nocache; } -/* - * don't show warning if the pass has been replaced by a token: this is an - * artificial "auth-nocache" - */ -else if (!warn_shown) +else { -msg(M_WARN, "WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this"); -warn_shown = true; +protect_user_pass(up); +/* + * don't show warning if the pass has been replaced by a token: this is an + * artificial "auth-nocache" + */ +if (!warn_shown) +{ +msg(M_WARN, "WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this"); +warn_shown = true; +} } } @@ -495,6 +500,7 @@ { if (strlen(token)) { +unprotect_user_pass(tk); strncpynt(tk->password, token, USER_PASS_LEN); tk->token_defined = true; @@ -505,6 +511,7 @@ { tk->defined = true; } +protect_user_pass(tk); } } @@ -513,6 +520,7 @@ { if (strlen(username)) { +unprotect_user_pass(tk); /* Clear the username before decoding to ensure no old material is left * and also allow decoding to not use all space to ensure the last byte is * always 0 */ @@ -523,6 +531,7 @@ { msg(D_PUSH, "Error decoding auth-token-username"); } +protect_user_pass(tk); } } 
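Review bot: the `unprotect_user_pass(up)` added at the top of the function in the `@@ -223,6 +223,7 @@` hunk and the `protect_user_pass(up)` in the `else` branch of the `@@ -479,14 +480,18 @@` hunk bracket the whole credential-gathering path, so every `return` between them (the hunks do not show those paths) leaves username and password decrypted in memory; check each early exit and either re-protect or purge there. In the same `-479` hunk the warning still reads "this configuration may cache passwords in memory" although on Windows the cache is now encrypted immediately before the message is printed; adjust the wording per platform so users do not read it as the old unprotected behaviour.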
@@ -779,3 +788,43 @@ return combined_path; } + +void +protect_user_pass(struct user_pass *up) +{ +if (up->protected) +{ +return; +} +#ifdef _WIN32 +if (protect_buffer_win32(up->username, sizeof(up->username)) +&& protect_buffer_win32(up->password, sizeof(up->password))) +{ +up->protected = true; +} +else +{ +purge_user_pass(up, true); +} +#endif +} + +void +unprotect_user_pass(struct user_pass *up) +{ +if (!up->protected) +{ +return; +} +#ifdef _WIN32 +if (unprotect_buffer_win32(up->username, sizeof(up->username)) +&& unprotect_buffer_win32(up->password, sizeof(up->password))) +{ +up->protected = false; +} +else +{ +purge_user_pass(up, true); +} +#endif +} diff --git a/src/openvpn/misc.h b/src/openvpn/misc.h index 963f3e6..a967ec8 100644 --- a/src/openvpn/misc.h +++ b/src/openvpn/misc.h @@ -60,6 +60,7 @@ * use this second bool to track if the token (password) is defined */ bool token_defined; bool nocache; +bool protected; /* max length of username/password */
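Review bot: `protect_user_pass()` in the `@@ -779,3 +788,43 @@` hunk encrypts `username` and `password` with two separate `protect_buffer_win32()` calls and on failure of either wipes both via `purge_user_pass(up, true)`, which is the right fail-closed choice; but the commit message says the buffers must be a multiple of CRYPTPROTECTMEMORY_BLOCK_SIZE (16) and that a wrong size is only logged at run time, while `sizeof(up->username)` and `sizeof(up->password)` are compile-time constants, so a compile-time assertion next to these calls would catch a future resize of `struct user_pass` at build time instead of at the first login. Two smaller points: both functions are `void`, so a caller cannot distinguish a successful `unprotect_user_pass()` from one that purged the credentials; and on non-Windows builds the `#ifdef _WIN32` leaves `protected` permanently false, which is fine but deserves a one-line comment.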
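Review bot: the new field in the misc.h hunk is named `protected` (`+bool protected;`), which is a reserved keyword in C++, so any C++ translation unit that includes misc.h (a unit test or a GUI wrapper, should one ever do so) will fail to compile; renaming it to something like `is_protected` or `encrypted` now, while nothing outside this patch uses it, is cheap.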
[Openvpn-devel] [S] Change in openvpn[master]: proxy.c: Clear sensitive data after use
cron2 has uploaded a new patch set (#2) to the change originally created by selvanair. ( http://gerrit.openvpn.net/c/openvpn/+/727?usp=email )

The following approvals got outdated and were removed: Code-Review+2 by flichtenheld

Change subject: proxy.c: Clear sensitive data after use

proxy.c: Clear sensitive data after use

Usage of credentials is a bit odd in this file. Actually the copy of "struct user_pass" kept in p->up is not required at all. It just defeats the purpose of auth-nocache as it never gets cleared. Removing it is beyond the scope of this patch -- we just ensure it's purged after use.

Change-Id: Ic6d63a319d272a56ac0e278f1356bc5241b56a34
Signed-off-by: Selva Nair
Acked-by: Frank Lichtenheld
Message-Id: <20240905100724.4105-1-g...@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29061.html
Signed-off-by: Gert Doering
---
M src/openvpn/proxy.c
1 file changed, 10 insertions(+), 1 deletion(-)

git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/27/727/2

diff --git a/src/openvpn/proxy.c b/src/openvpn/proxy.c
index 5de0da4..eddacc9 100644
--- a/src/openvpn/proxy.c
+++ b/src/openvpn/proxy.c
@@ -247,7 +247,9 @@ struct buffer out = alloc_buf_gc(strlen(p->up.username) + strlen(p->up.password) + 2, gc); ASSERT(strlen(p->up.username) > 0); buf_printf(&out, "%s:%s", p->up.username, p->up.password); -return (const char *)make_base64_string((const uint8_t *)BSTR(&out), gc); +char *ret = (char *)make_base64_string((const uint8_t *)BSTR(&out), gc); +secure_memzero(BSTR(&out), out.len); +return ret; } static void @@ -736,6 +738,9 @@ ASSERT(0); } +/* clear any sensitive content in buf */ +secure_memzero(buf, sizeof(buf)); + /* send empty CR, LF */ if (!send_crlf(sd)) {
@@ -983,6 +988,8 @@ { goto error; } +/* clear any sensitive content in buf */ +secure_memzero(buf, sizeof(buf)); /* receive reply from proxy */ if (!recv_line(sd, buf, sizeof(buf), get_server_poll_remaining_time(server_poll_timeout), true, NULL, signal_received)) @@ -1086,10 +1093,12 @@ #endif done: +purge_user_pass(&p->up, true); gc_free(&gc); return ret; error: +purge_user_pass(&p->up, true); register_signal(sig_info, SIGUSR1, "HTTP proxy error"); /* SOFT-SIGUSR1 -- HTTP proxy error */ gc_free(&gc); return ret; -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/727?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Ic6d63a319d272a56ac0e278f1356bc5241b56a34 Gerrit-Change-Number: 727 Gerrit-PatchSet: 2 Gerrit-Owner: selvanair Gerrit-Reviewer: cron2 Gerrit-Reviewer: flichtenheld Gerrit-Reviewer: plaisthos Gerrit-CC: openvpn-devel Gerrit-MessageType: newpatchset ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [S] Change in openvpn[master]: proxy.c: Clear sensitive data after use
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/727?usp=email )

Change subject: proxy.c: Clear sensitive data after use

proxy.c: Clear sensitive data after use

Usage of credentials is a bit odd in this file. Actually the copy of "struct user_pass" kept in p->up is not required at all. It just defeats the purpose of auth-nocache as it never gets cleared. Removing it is beyond the scope of this patch -- we just ensure it's purged after use.

Change-Id: Ic6d63a319d272a56ac0e278f1356bc5241b56a34
Signed-off-by: Selva Nair
Acked-by: Frank Lichtenheld
Message-Id: <20240905100724.4105-1-g...@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29061.html
Signed-off-by: Gert Doering
---
M src/openvpn/proxy.c
1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/src/openvpn/proxy.c b/src/openvpn/proxy.c
index 5de0da4..eddacc9 100644
--- a/src/openvpn/proxy.c
+++ b/src/openvpn/proxy.c
@@ -247,7 +247,9 @@ struct buffer out = alloc_buf_gc(strlen(p->up.username) + strlen(p->up.password) + 2, gc); ASSERT(strlen(p->up.username) > 0); buf_printf(&out, "%s:%s", p->up.username, p->up.password); -return (const char *)make_base64_string((const uint8_t *)BSTR(&out), gc); +char *ret = (char *)make_base64_string((const uint8_t *)BSTR(&out), gc); +secure_memzero(BSTR(&out), out.len); +return ret; } static void @@ -736,6 +738,9 @@ ASSERT(0); } +/* clear any sensitive content in buf */ +secure_memzero(buf, sizeof(buf)); + /* send empty CR, LF */ if (!send_crlf(sd)) { @@ -983,6 +988,8 @@ { goto error; } +/* clear any sensitive content in buf */ +secure_memzero(buf, sizeof(buf)); /* receive reply from proxy */ if (!recv_line(sd, buf, sizeof(buf), get_server_poll_remaining_time(server_poll_timeout), true, NULL, signal_received))
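Review bot: in the `@@ -247,7 +247,9 @@` hunk the plaintext `user:password` buffer is zeroed after encoding, but the returned Base64 string is just a reversible encoding of the same secret and lives in `gc` until `gc_free(&gc)` in the `done:`/`error:` paths, which does not zero it; have the caller `secure_memzero()` the header value once it has been sent, or allocate `ret` outside the gc so it can be wiped explicitly. Also `secure_memzero(BSTR(&out), out.len)` clears only the bytes `buf_printf` wrote; zeroing the full allocated size (the `strlen()+strlen()+2` computed just above, or the buffer's capacity field if the struct exposes one) does not depend on every byte having been written.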
@@ -1086,10 +1093,12 @@ #endif done: +purge_user_pass(&p->up, true); gc_free(&gc); return ret; error: +purge_user_pass(&p->up, true); register_signal(sig_info, SIGUSR1, "HTTP proxy error"); /* SOFT-SIGUSR1 -- HTTP proxy error */ gc_free(&gc); return ret; -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/727?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Ic6d63a319d272a56ac0e278f1356bc5241b56a34 Gerrit-Change-Number: 727 Gerrit-PatchSet: 2 Gerrit-Owner: selvanair Gerrit-Reviewer: cron2 Gerrit-Reviewer: flichtenheld Gerrit-Reviewer: plaisthos Gerrit-CC: openvpn-devel Gerrit-MessageType: merged ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
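Review bot: `purge_user_pass(&p->up, true)` on both the `done:` and `error:` exits of the `@@ -1086,10 +1093,12 @@` hunk means `p->up` is empty after the first proxy handshake, so any later reuse of the same proxy info struct `p` (a reconnect after a soft SIGUSR1, for instance) would hit `ASSERT(strlen(p->up.username) > 0)` in the `@@ -247` hunk unless the credentials are re-read beforehand; confirm that the code populating `p->up` runs on every connection attempt, or turn that ASSERT into a graceful error.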
[Openvpn-devel] [S] Change in openvpn[master]: configure: Try to use pkg-config to detect mbedTLS
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/671?usp=email )

Change subject: configure: Try to use pkg-config to detect mbedTLS

configure: Try to use pkg-config to detect mbedTLS

mbedTLS does not seem to have pkg-config support on e.g. Debian/Ubuntu, so we definitely need to keep the fallback check as well.

Change-Id: I5d0da76018e874cda5dbab9202a2b817ad5e4692
Signed-off-by: Frank Lichtenheld
Acked-by: Yuriy Darnobyt
Message-Id: <20240906160510.76387-1-fr...@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29090.html
Signed-off-by: Gert Doering
---
M configure.ac
1 file changed, 14 insertions(+), 7 deletions(-)

diff --git a/configure.ac b/configure.ac
index ea0da1f..9e569bf 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1000,14 +1000,21 @@ if test -z "${MBEDTLS_CFLAGS}" -a -z "${MBEDTLS_LIBS}"; then # if the user did not explicitly specify flags, try to autodetect - LIBS="${LIBS} -lmbedtls -lmbedx509 -lmbedcrypto" - AC_CHECK_LIB( - [mbedtls], - [mbedtls_ssl_init], - [MBEDTLS_LIBS="-lmbedtls -lmbedx509 -lmbedcrypto"], - [AC_MSG_ERROR([Could not find mbed TLS.])], - [${PKCS11_HELPER_LIBS}] + PKG_CHECK_MODULES([MBEDTLS], + [mbedtls >= 2.0.0 mbedx509 >= 2.0.0 mbedcrypto >= 2.0.0], + [have_mbedtls="yes"], + [LIBS="${LIBS} -lmbedtls -lmbedx509 -lmbedcrypto"] ) + # mbedtls might not have pkgconfig integration, so try manually +if test "${have_mbedtls}" != "yes"; then + AC_CHECK_LIB( + [mbedtls], + [mbedtls_ssl_init], + [MBEDTLS_LIBS="-lmbedtls -lmbedx509 -lmbedcrypto"], + [AC_MSG_ERROR([Could not find mbed TLS.])], + [${PKCS11_HELPER_LIBS}] + ) + fi fi CFLAGS="${MBEDTLS_CFLAGS} ${PKCS11_HELPER_CFLAGS} ${CFLAGS}" -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/671?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I5d0da76018e874cda5dbab9202a2b817ad5e4692 Gerrit-Change-Number: 671 Gerrit-PatchSet: 4 Gerrit-Owner: flichtenheld Gerrit-Reviewer: plaisthos Gerrit-Reviewer: uddr Gerrit-CC: openvpn-devel Gerrit-MessageType: merged ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
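Review bot: `have_mbedtls` is tested in `if test "${have_mbedtls}" != "yes"` but never initialised before `PKG_CHECK_MODULES`, so a stray value from the environment or an earlier configure section would silently skip the `AC_CHECK_LIB` fallback; set `have_mbedtls="no"` right before the macro. The two detection paths are also not equivalent: pkg-config enforces `>= 2.0.0` on all three modules while the fallback only checks that `mbedtls_ssl_init` links, so the floor should either be documented as pkg-config-only or checked in the fallback too. Style: the `+if test "${have_mbedtls}" != "yes"; then` line is not indented like the `+ fi` that closes it.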
[Openvpn-devel] [S] Change in openvpn[master]: configure: Try to use pkg-config to detect mbedTLS
cron2 has uploaded a new patch set (#4) to the change originally created by flichtenheld. ( http://gerrit.openvpn.net/c/openvpn/+/671?usp=email )

The following approvals got outdated and were removed: Code-Review+2 by uddr

Change subject: configure: Try to use pkg-config to detect mbedTLS

configure: Try to use pkg-config to detect mbedTLS

mbedTLS does not seem to have pkg-config support on e.g. Debian/Ubuntu, so we definitely need to keep the fallback check as well.

Change-Id: I5d0da76018e874cda5dbab9202a2b817ad5e4692
Signed-off-by: Frank Lichtenheld
Acked-by: Yuriy Darnobyt
Message-Id: <20240906160510.76387-1-fr...@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29090.html
Signed-off-by: Gert Doering
---
M configure.ac
1 file changed, 14 insertions(+), 7 deletions(-)

git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/71/671/4

diff --git a/configure.ac b/configure.ac
index ea0da1f..9e569bf 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1000,14 +1000,21 @@ if test -z "${MBEDTLS_CFLAGS}" -a -z "${MBEDTLS_LIBS}"; then # if the user did not explicitly specify flags, try to autodetect - LIBS="${LIBS} -lmbedtls -lmbedx509 -lmbedcrypto" - AC_CHECK_LIB( - [mbedtls], - [mbedtls_ssl_init], - [MBEDTLS_LIBS="-lmbedtls -lmbedx509 -lmbedcrypto"], - [AC_MSG_ERROR([Could not find mbed TLS.])], - [${PKCS11_HELPER_LIBS}] + PKG_CHECK_MODULES([MBEDTLS], + [mbedtls >= 2.0.0 mbedx509 >= 2.0.0 mbedcrypto >= 2.0.0], + [have_mbedtls="yes"], + [LIBS="${LIBS} -lmbedtls -lmbedx509 -lmbedcrypto"] ) + # mbedtls might not have pkgconfig integration, so try manually +if test "${have_mbedtls}" != "yes"; then + AC_CHECK_LIB( + [mbedtls], + [mbedtls_ssl_init], + [MBEDTLS_LIBS="-lmbedtls -lmbedx509 -lmbedcrypto"], + [AC_MSG_ERROR([Could not find mbed TLS.])], + [${PKCS11_HELPER_LIBS}] + ) + fi fi CFLAGS="${MBEDTLS_CFLAGS} ${PKCS11_HELPER_CFLAGS} ${CFLAGS}" -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/671?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I5d0da76018e874cda5dbab9202a2b817ad5e4692 Gerrit-Change-Number: 671 Gerrit-PatchSet: 4 Gerrit-Owner: flichtenheld Gerrit-Reviewer: plaisthos Gerrit-Reviewer: uddr Gerrit-CC: openvpn-devel Gerrit-MessageType: newpatchset ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [M] Change in openvpn[master]: GHA: Configure Renovate
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/722?usp=email ) Change subject: GHA: Configure Renovate .. GHA: Configure Renovate Maintain GitHub actions and other version references in GHA. Switch some GHA references from branch versions to tag version so the pinning works correctly. Change-Id: I06253be7ed783e3bf30e7df1d6da8ca888016711 Signed-off-by: Frank Lichtenheld Acked-by: Yuriy Darnobyt Message-Id: <20240906151243.69549-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29087.html Signed-off-by: Gert Doering --- M .github/workflows/build.yaml A renovate.json 2 files changed, 48 insertions(+), 6 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 6e361d5..6207c95 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -52,13 +52,13 @@ uses: actions/checkout@v4 - name: Restore from cache and install vcpkg -uses: lukka/run-vcpkg@v11 +uses: lukka/run-vcpkg@v11.5 with: vcpkgGitCommitId: 8d3649ba34aab36914ddd897958599aa0a91b08e vcpkgJsonGlob: '**/mingw/vcpkg.json' - name: Run CMake with vcpkg.json manifest -uses: lukka/run-cmake@v10 +uses: lukka/run-cmake@v10.7 with: configurePreset: mingw-${{ matrix.arch }} buildPreset: mingw-${{ matrix.arch }} 
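Review bot: `lukka/run-vcpkg@v11.5` and `lukka/run-cmake@v10.7` in the `@@ -52,13 +52,13 @@` hunk are still mutable git tags; the renovate.json in this change sets `"pinDigests": true` for actions, which will rewrite them to commit SHAs on Renovate's first run, but until then (and for anyone building from this commit) the tag owner can move them. Pinning to the 40-character SHA with a `# v11.5` style comment now delivers the supply-chain protection the change is after, and Renovate keeps that form current. `actions/checkout@v4` in the context lines has the same exposure.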
@@ -274,26 +274,26 @@ runs-on: windows-latest steps: - uses: actions/checkout@v4 - - uses: lukka/get-cmake@latest + - uses: lukka/get-cmake@v3.30.1 - name: Install rst2html run: python -m pip install --upgrade pip docutils - name: Restore artifacts, or setup vcpkg (do not install any package) -uses: lukka/run-vcpkg@v11 +uses: lukka/run-vcpkg@v11.5 with: vcpkgGitCommitId: 8d3649ba34aab36914ddd897958599aa0a91b08e vcpkgJsonGlob: '**/windows/vcpkg.json' - name: Run CMake with vcpkg.json manifest (NO TESTS) -uses: lukka/run-cmake@v10 +uses: lukka/run-cmake@v10.7 if: ${{ matrix.arch == 'arm64' }} with: configurePreset: win-${{ matrix.arch }}-release buildPreset: win-${{ matrix.arch }}-release - name: Run CMake with vcpkg.json manifest -uses: lukka/run-cmake@v10 +uses: lukka/run-cmake@v10.7 if: ${{ matrix.arch != 'arm64' }} with: configurePreset: win-${{ matrix.arch }}-release @@ -344,6 +344,7 @@ uses: actions/checkout@v4 with: path: libressl + # versioning=semver-coerced repository: libressl/portable ref: v3.8.3 - name: "libressl: autogen.sh" @@ -403,6 +404,7 @@ uses: actions/checkout@v4 with: path: mbedtls + # versioning=semver-coerced repository: Mbed-TLS/mbedtls ref: v3.5.2 - name: "mbedtls: make no_test" diff --git a/renovate.json b/renovate.json new file mode 100644 index 000..1e69955 --- /dev/null +++ b/renovate.json 
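Review bot: replacing `lukka/get-cmake@latest` with `@v3.30.1` in the `@@ -274,26 +274,26 @@` hunk removes the one floating reference in this job, good. For the `# versioning=semver-coerced` comments added in the `-344` and `-403` hunks: the regex manager in renovate.json only matches when that comment, the `repository:` line and the `ref:` line follow each other with nothing but whitespace between, which holds here, but a short comment saying the order is load-bearing would stop the next edit of those steps from silently breaking Renovate's detection.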
@@ -0,0 +1,40 @@ +{ +"$schema": "https://docs.renovatebot.com/renovate-schema.json";, +"packageRules": [ +{ +"matchDepTypes": [ +"action" +], +"groupName": "github actions", +"pinDigests": true, +"extends": [ +"schedule:monthly" +] +}, +{ +"matchDepNames": [ +"vcpkg" +], +"extends": [ +"schedule:monthly" +] +} +], +"customManagers": [ +{ +"customType": "regex", +"fileMatch": ["^\\.github/workflows/.+\\.ya?ml$"], +"matchStrings": ["vcpkgGitCommitId:\\s*(?.*?)\\n"], +"currentValueTemplate": "master", +"depNameTemplate": "vcpkg", +"packageNameTemplate": "https://github.com/microsoft/vcpkg";, +"datasourceTemplate": "git-refs" +}, +{ +"customType": "regex", +"fileMatch": ["^\\.github/workflows/.+\\.ya?ml$"], +"matchStrings": ["versioning=(?.*?)\\n\\s*repository:\\s*(?.*?)\\n\\s*ref:\\s*(?.*?)\\n"], +"datasourceTemplate": "github-tags" +} +] +} -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/722?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I06253be7ed783e3bf30e7df1d6da8ca888016711 Gerrit-Change-Number: 722 Gerrit-PatchSet: 2 Gerrit-Owner: flichtenheld Gerrit-Reviewer: plaisthos Gerrit-Reviewer: uddr Gerrit-CC: openvpn-devel Gerrit-MessageType: merged ___ Openvpn-devel mailing list Openvpn-devel@lists.sour
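Review bot: the `matchStrings` patterns in the renovate.json hunk read `(?.*?)` here, i.e. capture groups with no names; Renovate's regex manager only populates fields from named groups (`currentDigest`, `currentValue`, `depName`, `versioning`), so unless the mail archive merely stripped the `<...>` names, neither custom manager will ever match and vcpkgGitCommitId and the `versioning=` checkouts would go unmaintained. Worth a second look at the actual file. Also, `"currentValueTemplate": "master"` with the `git-refs` datasource means the vcpkg commit id is moved to whatever `master` points at each month rather than to a vcpkg release tag; that is a deliberate choice but deserves a comment in the file.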
[Openvpn-devel] [M] Change in openvpn[master]: GHA: Configure Renovate
cron2 has uploaded a new patch set (#2) to the change originally created by flichtenheld. ( http://gerrit.openvpn.net/c/openvpn/+/722?usp=email ) The following approvals got outdated and were removed: Code-Review+2 by uddr Change subject: GHA: Configure Renovate .. GHA: Configure Renovate Maintain GitHub actions and other version references in GHA. Switch some GHA references from branch versions to tag version so the pinning works correctly. Change-Id: I06253be7ed783e3bf30e7df1d6da8ca888016711 Signed-off-by: Frank Lichtenheld Acked-by: Yuriy Darnobyt Message-Id: <20240906151243.69549-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29087.html Signed-off-by: Gert Doering --- M .github/workflows/build.yaml A renovate.json 2 files changed, 48 insertions(+), 6 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/22/722/2 diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 6e361d5..6207c95 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -52,13 +52,13 @@ uses: actions/checkout@v4 - name: Restore from cache and install vcpkg -uses: lukka/run-vcpkg@v11 +uses: lukka/run-vcpkg@v11.5 with: vcpkgGitCommitId: 8d3649ba34aab36914ddd897958599aa0a91b08e vcpkgJsonGlob: '**/mingw/vcpkg.json' - name: Run CMake with vcpkg.json manifest -uses: lukka/run-cmake@v10 +uses: lukka/run-cmake@v10.7 with: configurePreset: mingw-${{ matrix.arch }} buildPreset: mingw-${{ matrix.arch }} 
@@ -274,26 +274,26 @@ runs-on: windows-latest steps: - uses: actions/checkout@v4 - - uses: lukka/get-cmake@latest + - uses: lukka/get-cmake@v3.30.1 - name: Install rst2html run: python -m pip install --upgrade pip docutils - name: Restore artifacts, or setup vcpkg (do not install any package) -uses: lukka/run-vcpkg@v11 +uses: lukka/run-vcpkg@v11.5 with: vcpkgGitCommitId: 8d3649ba34aab36914ddd897958599aa0a91b08e vcpkgJsonGlob: '**/windows/vcpkg.json' - name: Run CMake with vcpkg.json manifest (NO TESTS) -uses: lukka/run-cmake@v10 +uses: lukka/run-cmake@v10.7 if: ${{ matrix.arch == 'arm64' }} with: configurePreset: win-${{ matrix.arch }}-release buildPreset: win-${{ matrix.arch }}-release - name: Run CMake with vcpkg.json manifest -uses: lukka/run-cmake@v10 +uses: lukka/run-cmake@v10.7 if: ${{ matrix.arch != 'arm64' }} with: configurePreset: win-${{ matrix.arch }}-release @@ -344,6 +344,7 @@ uses: actions/checkout@v4 with: path: libressl + # versioning=semver-coerced repository: libressl/portable ref: v3.8.3 - name: "libressl: autogen.sh" @@ -403,6 +404,7 @@ uses: actions/checkout@v4 with: path: mbedtls + # versioning=semver-coerced repository: Mbed-TLS/mbedtls ref: v3.5.2 - name: "mbedtls: make no_test" diff --git a/renovate.json b/renovate.json new file mode 100644 index 000..1e69955 --- /dev/null +++ b/renovate.json 
@@ -0,0 +1,40 @@ +{ +"$schema": "https://docs.renovatebot.com/renovate-schema.json";, +"packageRules": [ +{ +"matchDepTypes": [ +"action" +], +"groupName": "github actions", +"pinDigests": true, +"extends": [ +"schedule:monthly" +] +}, +{ +"matchDepNames": [ +"vcpkg" +], +"extends": [ +"schedule:monthly" +] +} +], +"customManagers": [ +{ +"customType": "regex", +"fileMatch": ["^\\.github/workflows/.+\\.ya?ml$"], +"matchStrings": ["vcpkgGitCommitId:\\s*(?.*?)\\n"], +"currentValueTemplate": "master", +"depNameTemplate": "vcpkg", +"packageNameTemplate": "https://github.com/microsoft/vcpkg";, +"datasourceTemplate": "git-refs" +}, +{ +"customType": "regex", +"fileMatch": ["^\\.github/workflows/.+\\.ya?ml$"], +"matchStrings": ["versioning=(?.*?)\\n\\s*repository:\\s*(?.*?)\\n\\s*ref:\\s*(?.*?)\\n"], +"datasourceTemplate": "github-tags" +} +] +} -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/722?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I06253be7ed783e3bf30e7df1d6da8ca888016711 Gerrit-Change-Number: 722 Gerrit-PatchSet: 2 Gerrit-Owner: flichtenhel
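Review bot: `pinDigests: true` is applied only to the `action` dep type, while the two checkouts the new `# versioning=semver-coerced` comments annotate (`repository: libressl/portable` / `ref: v3.8.3` and `repository: Mbed-TLS/mbedtls` / `ref: v3.5.2`) stay pinned by tag, and git tags can be moved after the fact. Consider pinning `ref:` to the commit SHA and keeping the tag in a comment, so the third-party code that ends up in the build is pinned as strictly as the actions themselves.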
[Openvpn-devel] [S] Change in openvpn[master]: configure: Allow to detect git checkout if .git is not a directory
cron2 has uploaded a new patch set (#4) to the change originally created by flichtenheld. ( http://gerrit.openvpn.net/c/openvpn/+/675?usp=email ) The following approvals got outdated and were removed: Code-Review+2 by plaisthos, Code-Review+2 by uddr Change subject: configure: Allow to detect git checkout if .git is not a directory .. configure: Allow to detect git checkout if .git is not a directory E.g. if you use openvpn as a git submodule, it can be a file that points to the parent's git directory. The changes to Makefile.am are not strictly required, they still work with that case, but I wanted to keep the usage consistent. Change-Id: I9b7a3df012e7606ddb04a944e3fa33247180e8dd Signed-off-by: Frank Lichtenheld Acked-by: Arne Schwabe Acked-by: Yuriy Darnobyt Message-Id: <20240906172112.87148-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29092.html Signed-off-by: Gert Doering --- M Makefile.am M configure.ac 2 files changed, 8 insertions(+), 6 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/75/675/4 diff --git a/Makefile.am b/Makefile.am index 87230fe..84b7112 100644 --- a/Makefile.am +++ b/Makefile.am 
@@ -75,9 +75,9 @@ README.wolfssl config-version.h: - @CONFIGURE_GIT_CHFILES="`GIT_DIR=\"$(top_srcdir)/.git\" $(GIT) diff-files --name-status -r --ignore-submodules --quiet -- || echo \"+\"`"; \ - CONFIGURE_GIT_UNCOMMITTED="`GIT_DIR=\"$(top_srcdir)/.git\" $(GIT) diff-index --cached --quiet --ignore-submodules HEAD || echo \"*\"`"; \ - CONFIGURE_GIT_REVISION="`GIT_DIR=\"$(top_srcdir)/.git\" $(GIT) rev-parse --symbolic-full-name HEAD | cut -d/ -f3-`/`GIT_DIR=\"$(top_srcdir)/.git\" $(GIT) rev-parse --short=16 HEAD`"; \ + @CONFIGURE_GIT_CHFILES="`$(GIT) -C \"$(top_srcdir)\" diff-files --name-status -r --ignore-submodules --quiet -- || echo \"+\"`"; \ + CONFIGURE_GIT_UNCOMMITTED="`$(GIT) -C \"$(top_srcdir)\" diff-index --cached --quiet --ignore-submodules HEAD || echo \"*\"`"; \ + CONFIGURE_GIT_REVISION="`$(GIT) -C \"$(top_srcdir)\" rev-parse --symbolic-full-name HEAD | cut -d/ -f3-`/`$(GIT) -C \"$(top_srcdir)\" rev-parse --short=16 HEAD`"; \ echo "#define CONFIGURE_GIT_REVISION \"$${CONFIGURE_GIT_REVISION}\"" > config-version.h.tmp; \ echo "#define CONFIGURE_GIT_FLAGS \"$${CONFIGURE_GIT_CHFILES}$${CONFIGURE_GIT_UNCOMMITTED}\"" >> config-version.h.tmp diff --git a/configure.ac b/configure.ac index 9ce826c..ea0da1f 100644 --- a/configure.ac +++ b/configure.ac 
@@ -1308,9 +1308,11 @@ AC_MSG_CHECKING([git checkout]) GIT_CHECKOUT="no" -if test -n "${GIT}" -a -d "${srcdir}/.git"; then - AC_DEFINE([HAVE_CONFIG_VERSION_H], [1], [extra version available in config-version.h]) - GIT_CHECKOUT="yes" +if test -n "${GIT}"; then + if ${GIT} -C "$srcdir" rev-parse --is-inside-work-tree >/dev/null 2>&1; then + AC_DEFINE([HAVE_CONFIG_VERSION_H], [1], [extra version available in config-version.h]) + GIT_CHECKOUT="yes" + fi fi AC_MSG_RESULT([${GIT_CHECKOUT}]) -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/675?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I9b7a3df012e7606ddb04a944e3fa33247180e8dd Gerrit-Change-Number: 675 Gerrit-PatchSet: 4 Gerrit-Owner: flichtenheld Gerrit-Reviewer: plaisthos Gerrit-Reviewer: uddr Gerrit-CC: openvpn-devel Gerrit-MessageType: newpatchset ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
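Review bot: in the configure.ac hunk, `${GIT} -C "$srcdir" rev-parse --is-inside-work-tree` is also true when the OpenVPN sources merely sit inside some unrelated repository (a release tarball unpacked under a project's own git tree), whereas the old `-d "${srcdir}/.git"` test was not; in that situation config-version.h will report the enclosing repository's revision and dirty flags. Comparing `${GIT} -C "$srcdir" rev-parse --show-toplevel` with `$srcdir` before setting GIT_CHECKOUT="yes" would keep the submodule case working without that false positive.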
[Openvpn-devel] [S] Change in openvpn[master]: configure: Allow to detect git checkout if .git is not a directory
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/675?usp=email ) Change subject: configure: Allow to detect git checkout if .git is not a directory .. configure: Allow to detect git checkout if .git is not a directory E.g. if you use openvpn as a git submodule, it can be a file that points to the parent's git directory. The changes to Makefile.am are not strictly required, they still work with that case, but I wanted to keep the usage consistent. Change-Id: I9b7a3df012e7606ddb04a944e3fa33247180e8dd Signed-off-by: Frank Lichtenheld Acked-by: Arne Schwabe Acked-by: Yuriy Darnobyt Message-Id: <20240906172112.87148-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29092.html Signed-off-by: Gert Doering --- M Makefile.am M configure.ac 2 files changed, 8 insertions(+), 6 deletions(-) diff --git a/Makefile.am b/Makefile.am index 87230fe..84b7112 100644 --- a/Makefile.am +++ b/Makefile.am 
@@ -75,9 +75,9 @@ README.wolfssl config-version.h: - @CONFIGURE_GIT_CHFILES="`GIT_DIR=\"$(top_srcdir)/.git\" $(GIT) diff-files --name-status -r --ignore-submodules --quiet -- || echo \"+\"`"; \ - CONFIGURE_GIT_UNCOMMITTED="`GIT_DIR=\"$(top_srcdir)/.git\" $(GIT) diff-index --cached --quiet --ignore-submodules HEAD || echo \"*\"`"; \ - CONFIGURE_GIT_REVISION="`GIT_DIR=\"$(top_srcdir)/.git\" $(GIT) rev-parse --symbolic-full-name HEAD | cut -d/ -f3-`/`GIT_DIR=\"$(top_srcdir)/.git\" $(GIT) rev-parse --short=16 HEAD`"; \ + @CONFIGURE_GIT_CHFILES="`$(GIT) -C \"$(top_srcdir)\" diff-files --name-status -r --ignore-submodules --quiet -- || echo \"+\"`"; \ + CONFIGURE_GIT_UNCOMMITTED="`$(GIT) -C \"$(top_srcdir)\" diff-index --cached --quiet --ignore-submodules HEAD || echo \"*\"`"; \ + CONFIGURE_GIT_REVISION="`$(GIT) -C \"$(top_srcdir)\" rev-parse --symbolic-full-name HEAD | cut -d/ -f3-`/`$(GIT) -C \"$(top_srcdir)\" rev-parse --short=16 HEAD`"; \ echo "#define CONFIGURE_GIT_REVISION \"$${CONFIGURE_GIT_REVISION}\"" > config-version.h.tmp; \ echo "#define CONFIGURE_GIT_FLAGS \"$${CONFIGURE_GIT_CHFILES}$${CONFIGURE_GIT_UNCOMMITTED}\"" >> config-version.h.tmp diff --git a/configure.ac b/configure.ac index 9ce826c..ea0da1f 100644 --- a/configure.ac +++ b/configure.ac 
@@ -1308,9 +1308,11 @@ AC_MSG_CHECKING([git checkout]) GIT_CHECKOUT="no" -if test -n "${GIT}" -a -d "${srcdir}/.git"; then - AC_DEFINE([HAVE_CONFIG_VERSION_H], [1], [extra version available in config-version.h]) - GIT_CHECKOUT="yes" +if test -n "${GIT}"; then + if ${GIT} -C "$srcdir" rev-parse --is-inside-work-tree >/dev/null 2>&1; then + AC_DEFINE([HAVE_CONFIG_VERSION_H], [1], [extra version available in config-version.h]) + GIT_CHECKOUT="yes" + fi fi AC_MSG_RESULT([${GIT_CHECKOUT}]) -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/675?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I9b7a3df012e7606ddb04a944e3fa33247180e8dd Gerrit-Change-Number: 675 Gerrit-PatchSet: 4 Gerrit-Owner: flichtenheld Gerrit-Reviewer: plaisthos Gerrit-Reviewer: uddr Gerrit-CC: openvpn-devel Gerrit-MessageType: merged ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
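Review bot: the Makefile.am hunk replaces `GIT_DIR=...` with `$(GIT) -C "$(top_srcdir)"`, which needs git 1.8.5 or newer (the `-C` option is from 2013). With an older git the failure is silent: the `rev-parse ... | cut` pipeline yields an empty CONFIGURE_GIT_REVISION because only cut's exit status is seen, and the `|| echo "+"` / `|| echo "*"` fallbacks turn the error into the flags `+*`, so the build would carry a version string of `/` with dirty markers. Either check the git version in configure or drop the `-C` form there as well if that is a supported environment.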
[Openvpn-devel] [M] Change in openvpn[master]: Implement support for AEAD tag at the end
Attention is currently required from: stipa, syzzer. cron2 has uploaded a new patch set (#9) to the change originally created by plaisthos. ( http://gerrit.openvpn.net/c/openvpn/+/506?usp=email ) The following approvals got outdated and were removed: Code-Review+1 by stipa, Code-Review+2 by flichtenheld, Code-Review-1 by syzzer Change subject: Implement support for AEAD tag at the end .. Implement support for AEAD tag at the end Using the AEAD tag at the end is the standard way of doing AEAD. Several APIs even only support the tag at the end (e.g. mbed TLS). Having the tag at the front or end makes no difference for security but allows streaming HW implementations like NICs to be much more efficient as they do not need to buffer a whole packet content and encrypt it to finally write the tag but instead just add the calculated tag at the end of processing. Change-Id: I00821d75342daf3f813b829812d648fe298bea81 Signed-off-by: Arne Schwabe Acked-by: Frank Lichtenheld Message-Id: <20240214132719.3031492-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28239.html Signed-off-by: Gert Doering --- M src/openvpn/crypto.c M src/openvpn/crypto.h M src/openvpn/init.c M src/openvpn/options.c M src/openvpn/push.c M tests/unit_tests/openvpn/test_ssl.c 6 files changed, 80 insertions(+), 26 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/06/506/9 diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index 207f145..c226727 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c 
@@ -104,14 +104,10 @@ ASSERT(cipher_ctx_reset(ctx->cipher, iv)); } -/* Reserve space for authentication tag */ -mac_out = buf_write_alloc(&work, mac_len); -ASSERT(mac_out); - dmsg(D_PACKET_CONTENT, "ENCRYPT FROM: %s", format_hex(BPTR(buf), BLEN(buf), 80, &gc)); /* Buffer overflow check */ -if (!buf_safe(&work, buf->len + cipher_ctx_block_size(ctx->cipher))) +if (!buf_safe(&work, buf->len + mac_len + cipher_ctx_block_size(ctx->cipher))) { msg(D_CRYPT_ERRORS, "ENCRYPT: buffer size error, bc=%d bo=%d bl=%d wc=%d wo=%d wl=%d", @@ -121,9 +117,16 @@ } /* For AEAD ciphers, authenticate Additional Data, including opcode */ -ASSERT(cipher_ctx_update_ad(ctx->cipher, BPTR(&work), BLEN(&work) - mac_len)); +ASSERT(cipher_ctx_update_ad(ctx->cipher, BPTR(&work), BLEN(&work))); dmsg(D_PACKET_CONTENT, "ENCRYPT AD: %s", - format_hex(BPTR(&work), BLEN(&work) - mac_len, 0, &gc)); + format_hex(BPTR(&work), BLEN(&work), 0, &gc)); + +if (!(opt->flags & CO_AEAD_TAG_AT_THE_END)) +{ +/* Reserve space for authentication tag */ +mac_out = buf_write_alloc(&work, mac_len); +ASSERT(mac_out); +} /* Encrypt packet ID, payload */ ASSERT(cipher_ctx_update(ctx->cipher, BEND(&work), &outlen, BPTR(buf), BLEN(buf))); @@ -133,6 +136,14 @@ ASSERT(cipher_ctx_final(ctx->cipher, BEND(&work), &outlen)); ASSERT(buf_inc_len(&work, outlen)); +/* if the tag is at end the end, allocate it now */ +if (opt->flags & CO_AEAD_TAG_AT_THE_END) +{ +/* Reserve space for authentication tag */ +mac_out = buf_write_alloc(&work, mac_len); +ASSERT(mac_out); +} + /* Write authentication tag */ ASSERT(cipher_ctx_get_tag(ctx->cipher, mac_out, mac_len)); @@ -353,7 +364,6 @@ static const char error_prefix[] = "AEAD Decrypt error"; struct packet_id_net pin = { 0 }; const struct key_ctx *ctx = &opt->key_ctx_bi.decrypt; -uint8_t *tag_ptr = NULL; int outlen; struct gc_arena gc; 
@@ -406,19 +416,29 @@ /* keep the tag value to feed in later */ const int tag_size = OPENVPN_AEAD_TAG_LENGTH; -if (buf->len < tag_size) +if (buf->len < tag_size + 1) { -CRYPT_ERROR("missing tag"); +CRYPT_ERROR("missing tag or no payload"); } -tag_ptr = BPTR(buf); -ASSERT(buf_advance(buf, tag_size)); + +const int ad_size = BPTR(buf) - ad_start; + +uint8_t *tag_ptr = NULL; +int data_len = 0; + +if (opt->flags & CO_AEAD_TAG_AT_THE_END) +{ +data_len = BLEN(buf) - tag_size; +tag_ptr = BPTR(buf) + data_len; +} +else +{ +tag_ptr = BPTR(buf); +ASSERT(buf_advance(buf, tag_size)); +data_len = BLEN(buf); +} + dmsg(D_PACKET_CONTENT, "DECRYPT MAC: %s", format_hex(tag_ptr, tag_size, 0, &gc)); - -if (buf->len < 1) -{ -CRYPT_ERROR("missing payload"); -} - dmsg(D_PACKET_CONTENT, "DECRYPT FROM: %s", format_hex(BPTR(buf), BLEN(buf), 0, &gc)); /* Buffer overflow check (should never fail) */ @@ -427,20 +447,19 @@ CRYPT_ERROR("potential buffer overflow"); } -{ -/* feed in tag and the authenticated data */ -const int ad_size = BPTR(buf) - ad_start - tag_size;
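Review bot: in the decrypt hunk the tag-at-end branch leaves the tag inside `buf` (`data_len = BLEN(buf) - tag_size; tag_ptr = BPTR(buf) + data_len;`) while the unchanged `dmsg(D_PACKET_CONTENT, "DECRYPT FROM: %s", format_hex(BPTR(buf), BLEN(buf), 0, &gc));` still dumps BLEN(buf) bytes, so the debug output now includes the tag in that layout; pass `data_len` there. The merged `if (buf->len < tag_size + 1)` check is a good simplification, as it guarantees `data_len >= 1` in both branches and makes the separate "missing payload" check redundant.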
[Openvpn-devel] [M] Change in openvpn[master]: Implement support for AEAD tag at the end
Attention is currently required from: stipa, syzzer. cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/506?usp=email ) Change subject: Implement support for AEAD tag at the end .. Implement support for AEAD tag at the end Using the AEAD tag at the end is the standard way of doing AEAD. Several APIs even only support the tag at the end (e.g. mbed TLS). Having the tag at the front or end makes no difference for security but allows streaming HW implementations like NICs to be much more efficient as they do not need to buffer a whole packet content and encrypt it to finally write the tag but instead just add the calculated tag at the end of processing. Change-Id: I00821d75342daf3f813b829812d648fe298bea81 Signed-off-by: Arne Schwabe Acked-by: Frank Lichtenheld Message-Id: <20240214132719.3031492-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28239.html Signed-off-by: Gert Doering --- M src/openvpn/crypto.c M src/openvpn/crypto.h M src/openvpn/init.c M src/openvpn/options.c M src/openvpn/push.c M tests/unit_tests/openvpn/test_ssl.c 6 files changed, 80 insertions(+), 26 deletions(-) diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index 207f145..c226727 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c @@ -104,14 +104,10 @@ ASSERT(cipher_ctx_reset(ctx->cipher, iv)); } -/* Reserve space for authentication tag */ -mac_out = buf_write_alloc(&work, mac_len); -ASSERT(mac_out); - dmsg(D_PACKET_CONTENT, "ENCRYPT FROM: %s", format_hex(BPTR(buf), BLEN(buf), 80, &gc)); /* Buffer overflow check */ -if (!buf_safe(&work, buf->len + cipher_ctx_block_size(ctx->cipher))) +if (!buf_safe(&work, buf->len + mac_len + cipher_ctx_block_size(ctx->cipher))) { msg(D_CRYPT_ERRORS, "ENCRYPT: buffer size error, bc=%d bo=%d bl=%d wc=%d wo=%d wl=%d", 
@@ -121,9 +117,16 @@ } /* For AEAD ciphers, authenticate Additional Data, including opcode */ -ASSERT(cipher_ctx_update_ad(ctx->cipher, BPTR(&work), BLEN(&work) - mac_len)); +ASSERT(cipher_ctx_update_ad(ctx->cipher, BPTR(&work), BLEN(&work))); dmsg(D_PACKET_CONTENT, "ENCRYPT AD: %s", - format_hex(BPTR(&work), BLEN(&work) - mac_len, 0, &gc)); + format_hex(BPTR(&work), BLEN(&work), 0, &gc)); + +if (!(opt->flags & CO_AEAD_TAG_AT_THE_END)) +{ +/* Reserve space for authentication tag */ +mac_out = buf_write_alloc(&work, mac_len); +ASSERT(mac_out); +} /* Encrypt packet ID, payload */ ASSERT(cipher_ctx_update(ctx->cipher, BEND(&work), &outlen, BPTR(buf), BLEN(buf))); @@ -133,6 +136,14 @@ ASSERT(cipher_ctx_final(ctx->cipher, BEND(&work), &outlen)); ASSERT(buf_inc_len(&work, outlen)); +/* if the tag is at end the end, allocate it now */ +if (opt->flags & CO_AEAD_TAG_AT_THE_END) +{ +/* Reserve space for authentication tag */ +mac_out = buf_write_alloc(&work, mac_len); +ASSERT(mac_out); +} + /* Write authentication tag */ ASSERT(cipher_ctx_get_tag(ctx->cipher, mac_out, mac_len)); @@ -353,7 +364,6 @@ static const char error_prefix[] = "AEAD Decrypt error"; struct packet_id_net pin = { 0 }; const struct key_ctx *ctx = &opt->key_ctx_bi.decrypt; -uint8_t *tag_ptr = NULL; int outlen; struct gc_arena gc; 
@@ -406,19 +416,29 @@ /* keep the tag value to feed in later */ const int tag_size = OPENVPN_AEAD_TAG_LENGTH; -if (buf->len < tag_size) +if (buf->len < tag_size + 1) { -CRYPT_ERROR("missing tag"); +CRYPT_ERROR("missing tag or no payload"); } -tag_ptr = BPTR(buf); -ASSERT(buf_advance(buf, tag_size)); + +const int ad_size = BPTR(buf) - ad_start; + +uint8_t *tag_ptr = NULL; +int data_len = 0; + +if (opt->flags & CO_AEAD_TAG_AT_THE_END) +{ +data_len = BLEN(buf) - tag_size; +tag_ptr = BPTR(buf) + data_len; +} +else +{ +tag_ptr = BPTR(buf); +ASSERT(buf_advance(buf, tag_size)); +data_len = BLEN(buf); +} + dmsg(D_PACKET_CONTENT, "DECRYPT MAC: %s", format_hex(tag_ptr, tag_size, 0, &gc)); - -if (buf->len < 1) -{ -CRYPT_ERROR("missing payload"); -} - dmsg(D_PACKET_CONTENT, "DECRYPT FROM: %s", format_hex(BPTR(buf), BLEN(buf), 0, &gc)); /* Buffer overflow check (should never fail) */ @@ -427,20 +447,19 @@ CRYPT_ERROR("potential buffer overflow"); } -{ -/* feed in tag and the authenticated data */ -const int ad_size = BPTR(buf) - ad_start - tag_size; -ASSERT(cipher_ctx_update_ad(ctx->cipher, ad_start, ad_size)); -dmsg(D_PACKET_CONTENT, "DECRYPT AD: %s", - format_hex(BPTR(buf) - ad_size - tag_size, ad_size, 0, &gc)); -} + +/* feed in tag and the authenticated data */ +
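Review bot: in the encrypt hunk the comment `/* if the tag is at end the end, allocate it now */` has a duplicated word. Extending the overflow check to `buf_safe(&work, buf->len + mac_len + cipher_ctx_block_size(ctx->cipher))` is necessary, not cosmetic: in the tag-at-end path `buf_write_alloc(&work, mac_len)` now happens after the check, so the check has to account for the tag itself; a one-line comment saying so would stop someone from "simplifying" it back.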
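To make the two wire layouts the commit message describes concrete, here is an added Go example (not OpenVPN code) that frames an AES-256-GCM data-channel packet with the tag either in front of or after the ciphertext, as the patch's CO_AEAD_TAG_AT_THE_END flag selects, and parses both layouts back with the same "tag plus at least one payload byte" minimum-length check. It assumes a constructed key, header and implicit IV, and simplifies the OpenVPN AEAD nonce to explicit packet ID || implicit IV; Go's GCM, like mbed TLS, emits ciphertext||tag natively, so the legacy tag-in-front layout is the one that needs rearranging.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed example values; not real OpenVPN key material.
var (
	exampleKey        = []byte("0123456789abcdef0123456789abcdef")            // 32 bytes, AES-256
	exampleImplicitIV = []byte{0xa1, 0xb2, 0xc3, 0xd4, 0xe5, 0xf6, 0x07, 0x18} // 8 bytes
)

// TagSize matches OPENVPN_AEAD_TAG_LENGTH (16 bytes for GCM).
const TagSize = 16

// TagPlacement mirrors the CO_AEAD_TAG_AT_THE_END flag from the patch.
type TagPlacement int

const (
	TagAtFront TagPlacement = iota // legacy layout: header | pktid | tag | ciphertext
	TagAtEnd                       // new layout:    header | pktid | ciphertext | tag
)

func newAEAD() (cipher.AEAD, error) {
	block, err := aes.NewCipher(exampleKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block) // 12-byte nonce, 16-byte tag
}

// nonce is a simplification of OpenVPN's AEAD IV: explicit packet ID || implicit IV.
func nonce(pktID []byte) []byte {
	return append(append(make([]byte, 0, 12), pktID...), exampleImplicitIV...)
}

// Seal builds a data-channel packet. header (opcode/peer-id) and the packet ID
// are authenticated as additional data in both layouts; only the tag moves.
func Seal(header []byte, pktID uint32, plaintext []byte, placement TagPlacement) ([]byte, error) {
	aead, err := newAEAD()
	if err != nil {
		return nil, err
	}
	pid := make([]byte, 4)
	binary.BigEndian.PutUint32(pid, pktID)
	ad := append(append([]byte{}, header...), pid...)
	// Like mbed TLS, Go's GCM always produces ciphertext||tag.
	ct := aead.Seal(nil, nonce(pid), plaintext, ad)
	out := append([]byte{}, ad...)
	if placement == TagAtEnd {
		return append(out, ct...), nil
	}
	split := len(ct) - TagSize
	out = append(out, ct[split:]...)       // tag first ...
	return append(out, ct[:split]...), nil // ... then ciphertext
}

// Open parses and authenticates a packet built by Seal. hdrLen is the
// length of the opcode/peer-id header; the 4-byte packet ID follows it.
func Open(pkt []byte, hdrLen int, placement TagPlacement) ([]byte, error) {
	adLen := hdrLen + 4
	if len(pkt) < adLen {
		return nil, errors.New("packet too short for header and packet ID")
	}
	ad, body := pkt[:adLen], pkt[adLen:]
	// Same minimum as the patch: a tag plus at least one byte of payload.
	if len(body) < TagSize+1 {
		return nil, errors.New("missing tag or no payload")
	}
	var tag, data []byte
	if placement == TagAtEnd {
		data, tag = body[:len(body)-TagSize], body[len(body)-TagSize:]
	} else {
		tag, data = body[:TagSize], body[TagSize:]
	}
	aead, err := newAEAD()
	if err != nil {
		return nil, err
	}
	// Go's Open expects ciphertext||tag regardless of the wire layout; a
	// failed tag check (tampering or the wrong layout) returns an error.
	return aead.Open(nil, nonce(ad[hdrLen:]), append(append([]byte{}, data...), tag...), ad)
}

func main() {
	hdr := []byte{0x48, 0x00, 0x00, 0x01} // constructed opcode/peer-id header
	for _, p := range []TagPlacement{TagAtFront, TagAtEnd} {
		pkt, _ := Seal(hdr, 7, []byte("payload"), p)
		pt, err := Open(pkt, len(hdr), p)
		fmt.Printf("placement=%d len=%d plaintext=%q err=%v\n", p, len(pkt), pt, err)
	}
}
```

Parsing a packet with the wrong placement, or flipping any byte, fails the tag check in both layouts, which is why the commit message can say the placement makes no difference for security.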
[Openvpn-devel] [S] Change in openvpn[master]: Use a more robust way to get dco-win version
cron2 has uploaded a new patch set (#2) to the change originally created by stipa. ( http://gerrit.openvpn.net/c/openvpn/+/723?usp=email ) The following approvals got outdated and were removed: Code-Review+2 by cron2 Change subject: Use a more robust way to get dco-win version .. Use a more robust way to get dco-win version The current way doesn't work if the device is already in use. Starting from 1.3.0, dco-win creates a non-exclusive control device \\.\ovpn-dco-ver which can be opened by multiple apps and supports a single IOCTL to get a version number. https://github.com/OpenVPN/ovpn-dco-win/pull/76 This will be especially handy later when checking which features the driver supports. Change-Id: Ieb6f3a9d14d76000c1caf8ee1e959c6d0de832bf Signed-off-by: Lev Stipakov Acked-by: Gert Doering Message-Id: <20240809192257.24208-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29009.html Signed-off-by: Gert Doering --- M src/openvpn/dco_win.c 1 file changed, 10 insertions(+), 3 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/23/723/2 diff --git a/src/openvpn/dco_win.c b/src/openvpn/dco_win.c index e3ada76..3ec946f 100644 --- a/src/openvpn/dco_win.c +++ b/src/openvpn/dco_win.c 
@@ -389,9 +389,16 @@ OVPN_VERSION version; ZeroMemory(&version, sizeof(OVPN_VERSION)); -/* try to open device by symbolic name */ -HANDLE h = CreateFile(".\\ovpn-dco", GENERIC_READ | GENERIC_WRITE, - 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_SYSTEM | FILE_FLAG_OVERLAPPED, NULL); +/* first, try a non-exclusive control device, available from 1.3.0 */ +HANDLE h = CreateFile(".\\ovpn-dco-ver", GENERIC_READ, + 0, NULL, OPEN_EXISTING, 0, NULL); + +if (h == INVALID_HANDLE_VALUE) +{ +/* fallback to a "normal" device, this will fail if device is already in use */ +h = CreateFile(".\\ovpn-dco", GENERIC_READ, + 0, NULL, OPEN_EXISTING, 0, NULL); +} if (h == INVALID_HANDLE_VALUE) { -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/723?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Ieb6f3a9d14d76000c1caf8ee1e959c6d0de832bf Gerrit-Change-Number: 723 Gerrit-PatchSet: 2 Gerrit-Owner: stipa Gerrit-Reviewer: cron2 Gerrit-Reviewer: flichtenheld Gerrit-Reviewer: plaisthos Gerrit-CC: openvpn-devel Gerrit-MessageType: newpatchset ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
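Review bot: the device path literals in the hunk appear here as `".\\ovpn-dco-ver"` and `".\\ovpn-dco"`, whereas the commit message names the device `\\.\ovpn-dco-ver`; as a C string that is `"\\\\.\\ovpn-dco-ver"`, so please confirm the leading backslashes are present in the real source and were only lost in the mail archive. Dropping `GENERIC_WRITE` and `FILE_FLAG_OVERLAPPED` for a handle that only issues a version IOCTL is the right minimal access for both paths.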
[Openvpn-devel] [S] Change in openvpn[master]: Use a more robust way to get dco-win version
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/723?usp=email ) Change subject: Use a more robust way to get dco-win version .. Use a more robust way to get dco-win version The current way doesn't work if the device is already in use. Starting from 1.3.0, dco-win creates a non-exclusive control device \\.\ovpn-dco-ver which can be opened by multiple apps and supports a single IOCTL to get a version number. https://github.com/OpenVPN/ovpn-dco-win/pull/76 This will be especially handy later when checking which features the driver supports. Change-Id: Ieb6f3a9d14d76000c1caf8ee1e959c6d0de832bf Signed-off-by: Lev Stipakov Acked-by: Gert Doering Message-Id: <20240809192257.24208-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29009.html Signed-off-by: Gert Doering --- M src/openvpn/dco_win.c 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/src/openvpn/dco_win.c b/src/openvpn/dco_win.c index e3ada76..3ec946f 100644 --- a/src/openvpn/dco_win.c +++ b/src/openvpn/dco_win.c 
@@ -389,9 +389,16 @@ OVPN_VERSION version; ZeroMemory(&version, sizeof(OVPN_VERSION)); -/* try to open device by symbolic name */ -HANDLE h = CreateFile(".\\ovpn-dco", GENERIC_READ | GENERIC_WRITE, - 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_SYSTEM | FILE_FLAG_OVERLAPPED, NULL); +/* first, try a non-exclusive control device, available from 1.3.0 */ +HANDLE h = CreateFile(".\\ovpn-dco-ver", GENERIC_READ, + 0, NULL, OPEN_EXISTING, 0, NULL); + +if (h == INVALID_HANDLE_VALUE) +{ +/* fallback to a "normal" device, this will fail if device is already in use */ +h = CreateFile(".\\ovpn-dco", GENERIC_READ, + 0, NULL, OPEN_EXISTING, 0, NULL); +} if (h == INVALID_HANDLE_VALUE) { -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/723?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Ieb6f3a9d14d76000c1caf8ee1e959c6d0de832bf Gerrit-Change-Number: 723 Gerrit-PatchSet: 2 Gerrit-Owner: stipa Gerrit-Reviewer: cron2 Gerrit-Reviewer: flichtenheld Gerrit-Reviewer: plaisthos Gerrit-CC: openvpn-devel Gerrit-MessageType: merged ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
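Review bot: the two `CreateFile` calls in the hunk differ only in the device name, and when the fallback `".\\ovpn-dco"` open fails the caller still ends up in the existing `if (h == INVALID_HANDLE_VALUE)` branch with no record of which device was tried. A small loop over the two names with a debug-level message naming the device that answered (or that both failed, and with which GetLastError) would both remove the duplication and let a log reader tell "driver older than 1.3.0 and busy" apart from "driver not installed".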
[Openvpn-devel] [S] Change in openvpn[master]: Use a more robust way to get dco-win version
Attention is currently required from: flichtenheld, plaisthos, stipa. cron2 has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/723?usp=email ) Change subject: Use a more robust way to get dco-win version .. Patch Set 1: Code-Review+2 (1 comment) Patchset: PS1: Looks good. Helps reduce friction (= avoid misleading error messages in log) when multiple programs are active, and possibly multiple DCO interfaces. Matches driver code change. Build errors are due to socks proxy not running, independent of the change here. -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/723?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Ieb6f3a9d14d76000c1caf8ee1e959c6d0de832bf Gerrit-Change-Number: 723 Gerrit-PatchSet: 1 Gerrit-Owner: stipa Gerrit-Reviewer: cron2 Gerrit-Reviewer: flichtenheld Gerrit-Reviewer: plaisthos Gerrit-CC: openvpn-devel Gerrit-Attention: plaisthos Gerrit-Attention: flichtenheld Gerrit-Attention: stipa Gerrit-Comment-Date: Fri, 09 Aug 2024 19:21:04 + Gerrit-HasComments: Yes Gerrit-Has-Labels: Yes Gerrit-MessageType: comment ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [XL] Change in openvpn[master]: Lay the foundation to support both old and new versions of DCO
cron2 has abandoned this change. ( http://gerrit.openvpn.net/c/openvpn/+/662?usp=email ) Change subject: Lay the foundation to support both old and new versions of DCO .. Abandoned it was decided that DCO_v2 and DCO_v3 (aka "in upstream kernel" or "ovpn") will not be supported at the same time, so this infrastructure is no longer needed or desirable -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/662?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I6662605b60d4859949970cfe256c55cbcbd4a672 Gerrit-Change-Number: 662 Gerrit-PatchSet: 1 Gerrit-Owner: its_Giaan Gerrit-Reviewer: flichtenheld Gerrit-Reviewer: plaisthos Gerrit-CC: cron2 Gerrit-CC: openvpn-devel Gerrit-MessageType: abandon ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [XL] Change in openvpn[master]: Lay the foundation to support both old and new versions of DCO
Attention is currently required from: flichtenheld, its_Giaan, plaisthos. cron2 has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/662?usp=email ) Change subject: Lay the foundation to support both old and new versions of DCO .. Patch Set 1: (1 comment) Patchset: PS1: Summing up the intermediate discussions on IRC 13:32 <@cron2> ordex, gianm: wrt https://gerrit.openvpn.net/c/openvpn/+/662 - do I remember correctly that we went for "we will at some point do a cut-over, and who wants to use dco_v2 needs to use 2.6, and master will only support dco_v3 / ovpn"? 13:32 <@ordex> Giaan: ^ 13:33 <@ordex> cron2: correct 13:33 <@ordex> that's the final decision 13:33 <@cron2> in that case, I think 662 can be abandoned and we'll see a new patch that does the renaming + code change, but no if() and no function pointers :-) 13:33 <@ordex> so we don't need abstraction layers or function pointers anymore 13:33 <@cron2> \o/ 13:33 <@ordex> correct 13:33 <@ordex> Giaan will publish that patch later on, once v3 will be ready for dev use -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/662?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I6662605b60d4859949970cfe256c55cbcbd4a672 Gerrit-Change-Number: 662 Gerrit-PatchSet: 1 Gerrit-Owner: its_Giaan Gerrit-Reviewer: flichtenheld Gerrit-Reviewer: plaisthos Gerrit-CC: cron2 Gerrit-CC: openvpn-devel Gerrit-Attention: plaisthos Gerrit-Attention: its_Giaan Gerrit-Attention: flichtenheld Gerrit-Comment-Date: Mon, 29 Jul 2024 11:33:54 + Gerrit-HasComments: Yes Gerrit-Has-Labels: No Gerrit-MessageType: comment ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [M] Change in openvpn[master]: console_systemd: rename query_user_exec to query_user_systemd
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/670?usp=email ) Change subject: console_systemd: rename query_user_exec to query_user_systemd .. console_systemd: rename query_user_exec to query_user_systemd This allows us to override query_user_exec for unit tests more consistently without having to jump through weird hoops. Fixes running test_pkcs11 with --enable-systemd. While here also fix documentation comments for query_user_exec*. Change-Id: I379e1eb6dc57b9fe4bbdaefbd947a14326e7117a Signed-off-by: Frank Lichtenheld Acked-by: Gert Doering Message-Id: <20240726104032.2112-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28983.html Signed-off-by: Gert Doering --- M src/openvpn/console.h M src/openvpn/console_systemd.c M tests/unit_tests/openvpn/test_pkcs11.c M tests/unit_tests/openvpn/test_user_pass.c 4 files changed, 37 insertions(+), 14 deletions(-) diff --git a/src/openvpn/console.h b/src/openvpn/console.h index 7358299..72ae8e0 100644 --- a/src/openvpn/console.h +++ b/src/openvpn/console.h @@ -65,11 +65,10 @@ /** - * Executes a configured setup, using the built-in method for querying the user. + * Loop through configured query_user slots, using the built-in method for + * querying the user. * This method uses the console/TTY directly. * - * @param setupPointer to the setup defining what to ask the user - * * @return True if executing all the defined steps completed successfully */ bool query_user_exec_builtin(void); 
@@ -77,21 +76,34 @@ #if defined(ENABLE_SYSTEMD) /** - * Executes a configured setup, using the compiled method for querying the user - * - * @param setupPointer to the setup defining what to ask the user + * Loop through configured query_user slots, using the systemd method for + * querying the user. + * If systemd is not running it will fall back to use + * query_user_exec_builtin() instead. * * @return True if executing all the defined steps completed successfully */ -bool query_user_exec(void); +bool query_user_exec_systemd(void); -#else /* ENABLE_SYSTEMD not defined*/ +/** + * Loop through configured query_user slots, using the compiled method for + * querying the user. + * + * @return True if executing all the defined steps completed successfully + */ +static inline bool +query_user_exec(void) +{ +return query_user_exec_systemd(); +} + +#else /* ENABLE_SYSTEMD not defined */ /** * Wrapper function enabling query_user_exec() if no alternative methods have * been enabled * */ -static bool +static inline bool query_user_exec(void) { return query_user_exec_builtin(); diff --git a/src/openvpn/console_systemd.c b/src/openvpn/console_systemd.c index c7cf1ad..cc91cd1 100644 --- a/src/openvpn/console_systemd.c +++ b/src/openvpn/console_systemd.c @@ -96,7 +96,7 @@ * */ bool -query_user_exec(void) +query_user_exec_systemd(void) { bool ret = true; /* Presume everything goes okay */ int i; diff --git a/tests/unit_tests/openvpn/test_pkcs11.c b/tests/unit_tests/openvpn/test_pkcs11.c index 6d283a2..5518fa1 100644 --- a/tests/unit_tests/openvpn/test_pkcs11.c +++ b/tests/unit_tests/openvpn/test_pkcs11.c @@ -75,6 +75,14 @@ { assert_true(0); } +#if defined(ENABLE_SYSTEMD) +bool +query_user_exec_systemd(void) +{ +assert_true(0); +return false; +} +#endif bool query_user_exec_builtin(void) { diff --git a/tests/unit_tests/openvpn/test_user_pass.c b/tests/unit_tests/openvpn/test_user_pass.c index b43e655..de60291 100644 --- a/tests/unit_tests/openvpn/test_user_pass.c 
+++ b/tests/unit_tests/openvpn/test_user_pass.c @@ -26,10 +26,6 @@ #include "config.h" #endif -#undef ENABLE_SYSTEMD -/* avoid redefining ENABLE_SYSTEMD in misc.c */ -#undef HAVE_CONFIG_H - #include "syshead.h" #include "manage.h" @@ -44,6 +40,13 @@ struct management *management; /* global */ /* mocking */ +#if defined(ENABLE_SYSTEMD) +bool +query_user_exec_systemd(void) +{ +return query_user_exec_builtin(); +} +#endif bool query_user_exec_builtin(void) { -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/670?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I379e1eb6dc57b9fe4bbdaefbd947a14326e7117a Gerrit-Change-Number: 670 Gerrit-PatchSet: 5 Gerrit-Owner: flichtenheld Gerrit-Reviewer: cron2 Gerrit-Reviewer: plaisthos Gerrit-CC: openvpn-devel Gerrit-MessageType: merged ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
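Review bot: in the console.h hunk, the new doc comment on query_user_exec_systemd() promises a fallback to query_user_exec_builtin() when systemd is not running, but the console_systemd.c hunk in this patch only renames the function; please confirm the fallback really exists in the unchanged body, because a credential or PIN prompt that silently goes nowhere under a non-systemd service manager is the failure mode to avoid here. Marking the wrapper `static inline` is the right fix for code living in a header, and keeping query_user_exec_systemd() itself non-static is exactly what lets the unit tests replace it at link time.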
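Review bot: dropping `#undef HAVE_CONFIG_H` and `#undef ENABLE_SYSTEMD` from test_user_pass.c means that test unit now sees the real config.h, so any other feature macro it was implicitly opting out of is now active as well; it is worth running the test once with and once without --enable-systemd, since the new mock only covers the ENABLE_SYSTEMD branch by delegating to query_user_exec_builtin(). The test_pkcs11.c mock doing assert_true(0) before `return false;` is the right shape: a test that unexpectedly reaches a PIN prompt should fail loudly rather than block CI on a TTY read.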
[Openvpn-devel] [M] Change in openvpn[master]: console_systemd: rename query_user_exec to query_user_systemd
cron2 has uploaded a new patch set (#5) to the change originally created by flichtenheld. ( http://gerrit.openvpn.net/c/openvpn/+/670?usp=email ) The following approvals got outdated and were removed: Code-Review+2 by cron2 Change subject: console_systemd: rename query_user_exec to query_user_systemd .. console_systemd: rename query_user_exec to query_user_systemd This allows us to override query_user_exec for unit tests more consistently without having to jump through weird hoops. Fixes running test_pkcs11 with --enable-systemd. While here also fix documentation comments for query_user_exec*. Change-Id: I379e1eb6dc57b9fe4bbdaefbd947a14326e7117a Signed-off-by: Frank Lichtenheld Acked-by: Gert Doering Message-Id: <20240726104032.2112-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28983.html Signed-off-by: Gert Doering --- M src/openvpn/console.h M src/openvpn/console_systemd.c M tests/unit_tests/openvpn/test_pkcs11.c M tests/unit_tests/openvpn/test_user_pass.c 4 files changed, 37 insertions(+), 14 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/70/670/5 diff --git a/src/openvpn/console.h b/src/openvpn/console.h index 7358299..72ae8e0 100644 --- a/src/openvpn/console.h +++ b/src/openvpn/console.h @@ -65,11 +65,10 @@ /** - * Executes a configured setup, using the built-in method for querying the user. + * Loop through configured query_user slots, using the built-in method for + * querying the user. * This method uses the console/TTY directly. * - * @param setupPointer to the setup defining what to ask the user - * * @return True if executing all the defined steps completed successfully */ bool query_user_exec_builtin(void); 
@@ -77,21 +76,34 @@ #if defined(ENABLE_SYSTEMD) /** - * Executes a configured setup, using the compiled method for querying the user - * - * @param setupPointer to the setup defining what to ask the user + * Loop through configured query_user slots, using the systemd method for + * querying the user. + * If systemd is not running it will fall back to use + * query_user_exec_builtin() instead. * * @return True if executing all the defined steps completed successfully */ -bool query_user_exec(void); +bool query_user_exec_systemd(void); -#else /* ENABLE_SYSTEMD not defined*/ +/** + * Loop through configured query_user slots, using the compiled method for + * querying the user. + * + * @return True if executing all the defined steps completed successfully + */ +static inline bool +query_user_exec(void) +{ +return query_user_exec_systemd(); +} + +#else /* ENABLE_SYSTEMD not defined */ /** * Wrapper function enabling query_user_exec() if no alternative methods have * been enabled * */ -static bool +static inline bool query_user_exec(void) { return query_user_exec_builtin(); diff --git a/src/openvpn/console_systemd.c b/src/openvpn/console_systemd.c index c7cf1ad..cc91cd1 100644 --- a/src/openvpn/console_systemd.c +++ b/src/openvpn/console_systemd.c @@ -96,7 +96,7 @@ * */ bool -query_user_exec(void) +query_user_exec_systemd(void) { bool ret = true; /* Presume everything goes okay */ int i; diff --git a/tests/unit_tests/openvpn/test_pkcs11.c b/tests/unit_tests/openvpn/test_pkcs11.c index 6d283a2..5518fa1 100644 --- a/tests/unit_tests/openvpn/test_pkcs11.c +++ b/tests/unit_tests/openvpn/test_pkcs11.c @@ -75,6 +75,14 @@ { assert_true(0); } +#if defined(ENABLE_SYSTEMD) +bool +query_user_exec_systemd(void) +{ +assert_true(0); +return false; +} +#endif bool query_user_exec_builtin(void) { diff --git a/tests/unit_tests/openvpn/test_user_pass.c b/tests/unit_tests/openvpn/test_user_pass.c index b43e655..de60291 100644 --- a/tests/unit_tests/openvpn/test_user_pass.c 
+++ b/tests/unit_tests/openvpn/test_user_pass.c @@ -26,10 +26,6 @@ #include "config.h" #endif -#undef ENABLE_SYSTEMD -/* avoid redefining ENABLE_SYSTEMD in misc.c */ -#undef HAVE_CONFIG_H - #include "syshead.h" #include "manage.h" @@ -44,6 +40,13 @@ struct management *management; /* global */ /* mocking */ +#if defined(ENABLE_SYSTEMD) +bool +query_user_exec_systemd(void) +{ +return query_user_exec_builtin(); +} +#endif bool query_user_exec_builtin(void) { -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/670?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I379e1eb6dc57b9fe4bbdaefbd947a14326e7117a Gerrit-Change-Number: 670 Gerrit-PatchSet: 5 Gerrit-Owner: flichtenheld Gerrit-Reviewer: cron2 Gerrit-Reviewer: plaisthos Gerrit-CC: openvpn-devel Gerrit-MessageType: newpatchset ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [M] Change in openvpn[master]: console_systemd: rename query_user_exec to query_user_systemd
Attention is currently required from: flichtenheld, plaisthos. cron2 has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/670?usp=email ) Change subject: console_systemd: rename query_user_exec to query_user_systemd .. Patch Set 4: (1 comment) Patchset: PS4: LGTM -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/670?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I379e1eb6dc57b9fe4bbdaefbd947a14326e7117a Gerrit-Change-Number: 670 Gerrit-PatchSet: 4 Gerrit-Owner: flichtenheld Gerrit-Reviewer: cron2 Gerrit-Reviewer: plaisthos Gerrit-CC: openvpn-devel Gerrit-Attention: plaisthos Gerrit-Attention: flichtenheld Gerrit-Comment-Date: Fri, 26 Jul 2024 10:40:14 + Gerrit-HasComments: Yes Gerrit-Has-Labels: No Gerrit-MessageType: comment ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [M] Change in openvpn[master]: console_systemd: rename query_user_exec to query_user_systemd
Attention is currently required from: flichtenheld, plaisthos. cron2 has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/670?usp=email ) Change subject: console_systemd: rename query_user_exec to query_user_systemd .. Patch Set 4: Code-Review+2 -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/670?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I379e1eb6dc57b9fe4bbdaefbd947a14326e7117a Gerrit-Change-Number: 670 Gerrit-PatchSet: 4 Gerrit-Owner: flichtenheld Gerrit-Reviewer: cron2 Gerrit-Reviewer: plaisthos Gerrit-CC: openvpn-devel Gerrit-Attention: plaisthos Gerrit-Attention: flichtenheld Gerrit-Comment-Date: Fri, 26 Jul 2024 10:40:05 + Gerrit-HasComments: No Gerrit-Has-Labels: Yes Gerrit-MessageType: comment ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [S] Change in openvpn[master]: console_systemd: rename query_user_exec to query_user_systemd
Attention is currently required from: flichtenheld, plaisthos. cron2 has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/670?usp=email ) Change subject: console_systemd: rename query_user_exec to query_user_systemd .. Patch Set 3: Code-Review+1 (2 comments) Patchset: PS3: I think this is a good change. I had one comment about the code-in-header and making them inline, though... what do you think? File src/openvpn/console.h: http://gerrit.openvpn.net/c/openvpn/+/670/comment/a68c3cbb_5ae4e68e : PS3, Line 94: static bool our normal convention seems to be "if there is code in .h files, it's tagged as inline". I can see that this is not true for the existing query_user_exec() wrapper, but maybe we want to fix this as well here? -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/670?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I379e1eb6dc57b9fe4bbdaefbd947a14326e7117a Gerrit-Change-Number: 670 Gerrit-PatchSet: 3 Gerrit-Owner: flichtenheld Gerrit-Reviewer: cron2 Gerrit-Reviewer: plaisthos Gerrit-CC: openvpn-devel Gerrit-Attention: plaisthos Gerrit-Attention: flichtenheld Gerrit-Comment-Date: Thu, 25 Jul 2024 15:55:19 + Gerrit-HasComments: Yes Gerrit-Has-Labels: Yes Gerrit-MessageType: comment ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [XS] Change in openvpn[master]: add and send IV_PROTO_DNS_OPTION_V2 flag
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/680?usp=email ) Change subject: add and send IV_PROTO_DNS_OPTION_V2 flag .. add and send IV_PROTO_DNS_OPTION_V2 flag Incompatible changes to the --dns server address and --dns server exclude-domains options were introduced after the code for handling them was released. Add and send a new IV_PROTO flag, so servers which act on the flags set can differentiate between clients which have implemented --dns and those which just support the new option. This enables them to decide which variant of options to send to the client. Change-Id: I975057c20c1457ef88111f8d142ca3fd2039d5ff Signed-off-by: Heiko Hund Acked-by: Arne Schwabe Message-Id: <20240725112248.21075-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28970.html Signed-off-by: Gert Doering --- M src/openvpn/ssl.c M src/openvpn/ssl.h 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index e0e9591..14c38cf 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -1900,8 +1900,8 @@ /* support for P_DATA_V2 */ int iv_proto = IV_PROTO_DATA_V2; -/* support for the --dns option */ -iv_proto |= IV_PROTO_DNS_OPTION; +/* support for the latest --dns option */ +iv_proto |= IV_PROTO_DNS_OPTION_V2; /* support for exit notify via control channel */ iv_proto |= IV_PROTO_CC_EXIT_NOTIFY; diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h index 1a45048..6c2bfc3 100644 --- a/src/openvpn/ssl.h +++ b/src/openvpn/ssl.h @@ -94,7 +94,7 @@ * result. */ #define IV_PROTO_NCP_P2P (1<<5) -/** Supports the --dns option introduced in version 2.6 */ +/** Supports the --dns option introduced in version 2.6. Not sent anymore. */ #define IV_PROTO_DNS_OPTION (1<<6) /** Support for explicit exit notify via control channel 
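Review bot: with the ssl.c hunk a client built from this tree no longer sets IV_PROTO_DNS_OPTION at all, so a server that gates its `dns` push only on bit 6 will treat such a client as having no --dns support; that is the intended cut, but it means the server-side check has to move to IV_PROTO_DNS_OPTION_V2 in the same release, and the "Not sent anymore." comment in ssl.h should say from which version on, so a later reader understands that bit 6 still identifies a 2.6 client rather than a dead flag.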
@@ -107,6 +107,9 @@ /** Support to dynamic tls-crypt (renegotiation with TLS-EKM derived tls-crypt key) */ #define IV_PROTO_DYN_TLS_CRYPT (1<<9) +/** Supports the --dns option after all the incompatible changes */ +#define IV_PROTO_DNS_OPTION_V2 (1<<11) + /* Default field in X509 to be username */ #define X509_USERNAME_FIELD_DEFAULT "CN" -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/680?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I975057c20c1457ef88111f8d142ca3fd2039d5ff Gerrit-Change-Number: 680 Gerrit-PatchSet: 2 Gerrit-Owner: d12fk Gerrit-Reviewer: flichtenheld Gerrit-Reviewer: plaisthos Gerrit-CC: openvpn-devel Gerrit-MessageType: merged ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
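Review bot: the new define jumps from (1<<9) to (1<<11) and skips (1<<10); if bit 10 is already taken elsewhere in this header or reserved for an external user, a one-line comment at the gap would stop the next flag from landing on it by accident, and if it is free the new flag should simply be (1<<10). Either way the reason belongs in the file, not only in the review thread, since these bits are a wire-format contract between client and server.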
[Openvpn-devel] [XS] Change in openvpn[master]: add and send IV_PROTO_DNS_OPTION_V2 flag
cron2 has uploaded a new patch set (#2) to the change originally created by d12fk. ( http://gerrit.openvpn.net/c/openvpn/+/680?usp=email ) The following approvals got outdated and were removed: Code-Review+2 by plaisthos Change subject: add and send IV_PROTO_DNS_OPTION_V2 flag .. add and send IV_PROTO_DNS_OPTION_V2 flag Incompatible changes to the --dns server address and --dns server exclude-domains options were introduced after the code for handling them was released. Add and send a new IV_PROTO flag, so servers which act on the flags set can differentiate between clients which have implemented --dns and those which just support the new option. This enables them to decide which variant of options to send to the client. Change-Id: I975057c20c1457ef88111f8d142ca3fd2039d5ff Signed-off-by: Heiko Hund Acked-by: Arne Schwabe Message-Id: <20240725112248.21075-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28970.html Signed-off-by: Gert Doering --- M src/openvpn/ssl.c M src/openvpn/ssl.h 2 files changed, 6 insertions(+), 3 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/80/680/2 diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index e0e9591..14c38cf 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -1900,8 +1900,8 @@ /* support for P_DATA_V2 */ int iv_proto = IV_PROTO_DATA_V2; -/* support for the --dns option */ -iv_proto |= IV_PROTO_DNS_OPTION; +/* support for the latest --dns option */ +iv_proto |= IV_PROTO_DNS_OPTION_V2; /* support for exit notify via control channel */ iv_proto |= IV_PROTO_CC_EXIT_NOTIFY; diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h index 1a45048..6c2bfc3 100644 --- a/src/openvpn/ssl.h +++ b/src/openvpn/ssl.h 
@@ -94,7 +94,7 @@ * result. */ #define IV_PROTO_NCP_P2P (1<<5) -/** Supports the --dns option introduced in version 2.6 */ +/** Supports the --dns option introduced in version 2.6. Not sent anymore. */ #define IV_PROTO_DNS_OPTION (1<<6) /** Support for explicit exit notify via control channel @@ -107,6 +107,9 @@ /** Support to dynamic tls-crypt (renegotiation with TLS-EKM derived tls-crypt key) */ #define IV_PROTO_DYN_TLS_CRYPT (1<<9) +/** Supports the --dns option after all the incompatible changes */ +#define IV_PROTO_DNS_OPTION_V2 (1<<11) + /* Default field in X509 to be username */ #define X509_USERNAME_FIELD_DEFAULT "CN" -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/680?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I975057c20c1457ef88111f8d142ca3fd2039d5ff Gerrit-Change-Number: 680 Gerrit-PatchSet: 2 Gerrit-Owner: d12fk Gerrit-Reviewer: flichtenheld Gerrit-Reviewer: plaisthos Gerrit-CC: openvpn-devel Gerrit-MessageType: newpatchset ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
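How a server would act on the capability bits introduced by this change, as an added example that is neither part of the patch nor OpenVPN's own code: it extracts IV_PROTO from the peer-info blob the client sends, then picks which `dns` push variant the client can understand. The two bit values are copied from the ssl.h hunk above; the newline-separated `KEY=VALUE` peer-info layout, the helper names and the sample values are assumptions made for this example.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bit values taken from the src/openvpn/ssl.h hunk in the change above. */
#define IV_PROTO_DNS_OPTION     (1 << 6)   /* --dns as shipped in 2.6; no longer sent by new clients */
#define IV_PROTO_DNS_OPTION_V2  (1 << 11)  /* --dns after the incompatible changes */

/* Which flavour of "dns" push options the server should emit for a client. */
enum dns_push_variant {
    DNS_PUSH_NONE = 0,    /* neither bit set: push nothing --dns related */
    DNS_PUSH_LEGACY = 1,  /* bit 6 only: a 2.6 client with the pre-change syntax */
    DNS_PUSH_V2 = 2       /* bit 11: client understands the current syntax */
};

/*
 * Find "IV_PROTO=<decimal>" in a newline-separated KEY=VALUE blob
 * (layout assumed for this example). The blob is peer-controlled, so the
 * value is parsed with explicit bounds and a digits-only check instead of
 * atoi()/sscanf(). Returns false if the key is missing or malformed.
 */
bool parse_iv_proto(const char *peer_info, unsigned long *out)
{
    static const char key[] = "IV_PROTO=";
    const size_t klen = sizeof(key) - 1;
    const char *p = peer_info;

    while (p != NULL && *p != '\0') {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);

        if (len > klen && strncmp(p, key, klen) == 0) {
            char buf[32];
            size_t vlen = len - klen;
            if (vlen >= sizeof(buf)) {
                return false;          /* absurdly long value: reject, never truncate */
            }
            memcpy(buf, p + klen, vlen);
            buf[vlen] = '\0';
            if (buf[0] < '0' || buf[0] > '9') {
                return false;          /* strtoul() would accept "-64" or " 64"; we do not */
            }
            char *end;
            errno = 0;
            unsigned long v = strtoul(buf, &end, 10);
            if (errno != 0 || *end != '\0') {
                return false;          /* overflow or trailing garbage */
            }
            *out = v;
            return true;
        }
        p = eol ? eol + 1 : NULL;
    }
    return false;
}

/* Pick the push variant from the capability bits; the newest wins if both are set. */
enum dns_push_variant choose_dns_push(unsigned long iv_proto)
{
    if (iv_proto & IV_PROTO_DNS_OPTION_V2) {
        return DNS_PUSH_V2;
    }
    if (iv_proto & IV_PROTO_DNS_OPTION) {
        return DNS_PUSH_LEGACY;
    }
    return DNS_PUSH_NONE;
}

/* A missing or unparsable IV_PROTO is treated as "no capability", never as an error path that pushes anyway. */
enum dns_push_variant dns_variant_for_peer(const char *peer_info)
{
    unsigned long proto;
    if (!parse_iv_proto(peer_info, &proto)) {
        return DNS_PUSH_NONE;
    }
    return choose_dns_push(proto);
}

int main(void)
{
    /* Constructed peer-info samples; the IV_PROTO values only set the bits of interest. */
    const char *legacy  = "IV_VER=2.6.0\nIV_PROTO=64\n";    /* bit 6 only */
    const char *current = "IV_VER=2.7_git\nIV_PROTO=2048\n"; /* bit 11 only */
    const char *old     = "IV_VER=2.5.9\nIV_PROTO=2\n";      /* neither DNS bit */

    printf("legacy -> %d, current -> %d, old -> %d\n",
           dns_variant_for_peer(legacy), dns_variant_for_peer(current),
           dns_variant_for_peer(old));
    return 0;
}
```

The parse step is where the security care goes: peer-info is whatever the client chose to send, so the value is length-bounded, rejected on a leading sign or whitespace, and rejected on trailing characters, and anything unparsable degrades to "push nothing" rather than to an exception or a default that pushes options to a client that never claimed to understand them.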
[Openvpn-devel] [S] Change in openvpn[master]: Add Ubuntu 24.04 runner to Github Actions
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/676?usp=email ) Change subject: Add Ubuntu 24.04 runner to Github Actions .. Add Ubuntu 24.04 runner to Github Actions Change-Id: I44b9003143fdad90bfff7b2c86d0bb503f9157de Signed-off-by: Arne Schwabe Acked-by: Frank Lichtenheld Message-Id: <20240719131141.75324-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28942.html Signed-off-by: Gert Doering --- M .github/workflows/build.yaml 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index d7c3ecd..6e361d5 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -106,7 +106,7 @@ strategy: fail-fast: false matrix: -os: [ubuntu-20.04, ubuntu-22.04] +os: [ubuntu-20.04, ubuntu-22.04, ubuntu-24.04] sslpkg: [libmbedtls-dev] ssllib: [mbedtls] libname: [mbed TLS] @@ -122,6 +122,12 @@ ssllib: openssl pkcs11pkg: "libpkcs11-helper1-dev softhsm2 gnutls-bin" extraconf: --enable-pkcs11 + - os: ubuntu-24.04 +sslpkg: "libssl-dev" +libname: OpenSSL 3.0.13 +ssllib: openssl +pkcs11pkg: "libpkcs11-helper1-dev softhsm2 gnutls-bin" +extraconf: --enable-pkcs11 - os: ubuntu-20.04 sslpkg: "libssl-dev" libname: OpenSSL 1.1.1 
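Review bot: `libname: OpenSSL 3.0.13` bakes a patch-level version into the job label of the new ubuntu-24.04 OpenSSL entry; the image's libssl-dev will move on with Ubuntu security updates while the label stays, so either use a coarser label the way the `OpenSSL 1.1.1` entry below does, or have the job print the version it actually linked against. The label is cosmetic, but a stale one misleads when triaging a failure that depends on the exact OpenSSL build.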
@@ -173,7 +179,7 @@ strategy: fail-fast: false matrix: -os: [ubuntu-20.04] +os: [ubuntu-20.04, ubuntu-22.04, ubuntu-24.04] ssllib: [mbedtls, openssl] name: "clang-asan - ${{matrix.os}} - ${{matrix.ssllib}}" -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/676?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I44b9003143fdad90bfff7b2c86d0bb503f9157de Gerrit-Change-Number: 676 Gerrit-PatchSet: 2 Gerrit-Owner: plaisthos Gerrit-Reviewer: flichtenheld Gerrit-CC: openvpn-devel Gerrit-MessageType: merged ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
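Review bot: extending the clang-asan job from ubuntu-20.04 alone to 22.04 and 24.04 is the part of this change that adds real coverage, since those images bring a newer clang and the TLS library versions users actually run; with `fail-fast: false` already set on that matrix, a sanitizer hit on one image will not cancel the runs on the others, which is what you want when triaging.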
[Openvpn-devel] [S] Change in openvpn[master]: Add Ubuntu 24.04 runner to Github Actions
cron2 has uploaded a new patch set (#2) to the change originally created by plaisthos. ( http://gerrit.openvpn.net/c/openvpn/+/676?usp=email ) The following approvals got outdated and were removed: Code-Review+2 by flichtenheld Change subject: Add Ubuntu 24.04 runner to Github Actions .. Add Ubuntu 24.04 runner to Github Actions Change-Id: I44b9003143fdad90bfff7b2c86d0bb503f9157de Signed-off-by: Arne Schwabe Acked-by: Frank Lichtenheld Message-Id: <20240719131141.75324-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28942.html Signed-off-by: Gert Doering --- M .github/workflows/build.yaml 1 file changed, 8 insertions(+), 2 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/76/676/2 diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index d7c3ecd..6e361d5 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -106,7 +106,7 @@ strategy: fail-fast: false matrix: -os: [ubuntu-20.04, ubuntu-22.04] +os: [ubuntu-20.04, ubuntu-22.04, ubuntu-24.04] sslpkg: [libmbedtls-dev] ssllib: [mbedtls] libname: [mbed TLS] @@ -122,6 +122,12 @@ ssllib: openssl pkcs11pkg: "libpkcs11-helper1-dev softhsm2 gnutls-bin" extraconf: --enable-pkcs11 + - os: ubuntu-24.04 +sslpkg: "libssl-dev" +libname: OpenSSL 3.0.13 +ssllib: openssl +pkcs11pkg: "libpkcs11-helper1-dev softhsm2 gnutls-bin" +extraconf: --enable-pkcs11 - os: ubuntu-20.04 sslpkg: "libssl-dev" libname: OpenSSL 1.1.1 
@@ -173,7 +179,7 @@ strategy: fail-fast: false matrix: -os: [ubuntu-20.04] +os: [ubuntu-20.04, ubuntu-22.04, ubuntu-24.04] ssllib: [mbedtls, openssl] name: "clang-asan - ${{matrix.os}} - ${{matrix.ssllib}}" -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/676?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I44b9003143fdad90bfff7b2c86d0bb503f9157de Gerrit-Change-Number: 676 Gerrit-PatchSet: 2 Gerrit-Owner: plaisthos Gerrit-Reviewer: flichtenheld Gerrit-CC: openvpn-devel Gerrit-MessageType: newpatchset ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [S] Change in openvpn[master]: Fix missing spaces in various messages
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/679?usp=email ) Change subject: Fix missing spaces in various messages .. Fix missing spaces in various messages These result from broken up literals where it is easy to miss the missing space. Change-Id: Ic27d84c74c1dd6ff7973ca6966d186f475c67e21 Signed-off-by: Frank Lichtenheld Acked-by: Gert Doering Message-Id: <20240722121034.10816-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28950.html Signed-off-by: Gert Doering --- M src/openvpn/dco.c M src/openvpn/multi.c M src/openvpn/options.c M src/openvpn/ssl_verify.c 4 files changed, 10 insertions(+), 10 deletions(-) diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c index 78243b1..7f0d53d 100644 --- a/src/openvpn/dco.c +++ b/src/openvpn/dco.c @@ -185,7 +185,7 @@ } else { -msg(D_DCO_DEBUG, "Swapping primary and secondary keys to" +msg(D_DCO_DEBUG, "Swapping primary and secondary keys to " "primary-id=%d secondary-id=(to be deleted)", primary->key_id); } diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index 162b23e..03177bb 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -1804,7 +1804,7 @@ } else if (dco_enabled(o)) { -msg(M_INFO, "Client does not support DATA_V2. Data channel offloaing " +msg(M_INFO, "Client does not support DATA_V2. Data channel offloading " "requires DATA_V2. Dropping client."); auth_set_client_reason(tls_multi, "Data channel negotiation " "failed (missing DATA_V2)"); @@ -1815,7 +1815,7 @@ * not accept our pushed ciphers */ if (proto & IV_PROTO_NCP_P2P) { -msg(M_WARN, "Note: peer reports running in P2P mode (no --pull/--client" +msg(M_WARN, "Note: peer reports running in P2P mode (no --pull/--client " "option). It will not negotiate ciphers with this server. " "Expect this connection to fail."); } 
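Review bot: the fixes are right, but this bug class is invisible to the compiler because adjacent string literals concatenate silently; the correct pattern is already visible in the context lines of the DATA_V2 hunk, `auth_set_client_reason(tls_multi, "Data channel negotiation " "failed (missing DATA_V2)");`, and a cheap CI guard would be a grep for a line ending in a letter followed by `"` whose next line starts with `"` and a letter, which would have flagged every hunk in this patch. Several of these strings are WARNING and error messages that operators match in log-based detection rules, so the exact wording matters beyond readability.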
@@ -2027,7 +2027,7 @@ /* Not EOF but other error -> fall through to error state */ default: /* We received an unknown/unexpected value. Assume failure. */ -msg(M_WARN, "WARNING: Unknown/unexpected value in deferred" +msg(M_WARN, "WARNING: Unknown/unexpected value in deferred " "client-connect resultfile"); ret = CC_RET_FAILED; } @@ -2427,7 +2427,7 @@ */ if (!mi->context.c2.push_ifconfig_defined) { -msg(D_MULTI_ERRORS, "MULTI: no dynamic or static remote" +msg(D_MULTI_ERRORS, "MULTI: no dynamic or static remote " "--ifconfig address is available for %s", multi_instance_string(mi, false, &gc)); } @@ -2443,7 +2443,7 @@ print_in_addr_t(mi->context.options.push_ifconfig_constraint_netmask, 0, &gc); /* JYFIXME -- this should cause the connection to fail */ -msg(D_MULTI_ERRORS, "MULTI ERROR: primary virtual IP for %s (%s)" +msg(D_MULTI_ERRORS, "MULTI ERROR: primary virtual IP for %s (%s) " "violates tunnel network/netmask constraint (%s/%s)", multi_instance_string(mi, false, &gc), print_in_addr_t(mi->context.c2.push_ifconfig_local, 0, &gc), @@ -2492,7 +2492,7 @@ } else if (mi->context.options.iroutes) { -msg(D_MULTI_ERRORS, "MULTI: --iroute options rejected for %s -- iroute" +msg(D_MULTI_ERRORS, "MULTI: --iroute options rejected for %s -- iroute " "only works with tun-style tunnels", multi_instance_string(mi, false, &gc)); } diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 64e67aa..ba9b05e 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -7033,7 +7033,7 @@ } else if (streq(p[0], "max-routes") && !p[2]) { -msg(M_WARN, "DEPRECATED OPTION: --max-routes option ignored." +msg(M_WARN, "DEPRECATED OPTION: --max-routes option ignored. " "The number of routes is unlimited as of OpenVPN 2.4. " "This option will be removed in a future version, " "please remove it from your configuration."); 
@@ -9328,7 +9328,7 @@ s++; } msg(M_WARN, "DEPRECATED FEATURE: automatically upcased the " -"--x509-username-field parameter to '%s'; please update your" +"--x509-username-field parameter to '%s'; please update your " "configuration", p[j]); } } diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c index 934ff8d..0b0e2c3 100644 --- a/src/openvpn/ssl_verify.c +++ b/src/openvpn/ssl_verify.c @@ -717,7 +717,7 @@ { const char *hex_f
[Openvpn-devel] [S] Change in openvpn[master]: Fix missing spaces in various messages
cron2 has uploaded a new patch set (#2) to the change originally created by flichtenheld. ( http://gerrit.openvpn.net/c/openvpn/+/679?usp=email ) The following approvals got outdated and were removed: Code-Review+2 by cron2 Change subject: Fix missing spaces in various messages .. Fix missing spaces in various messages These result from broken up literals where it is easy to miss the missing space. Change-Id: Ic27d84c74c1dd6ff7973ca6966d186f475c67e21 Signed-off-by: Frank Lichtenheld Acked-by: Gert Doering Message-Id: <20240722121034.10816-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28950.html Signed-off-by: Gert Doering --- M src/openvpn/dco.c M src/openvpn/multi.c M src/openvpn/options.c M src/openvpn/ssl_verify.c 4 files changed, 10 insertions(+), 10 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/79/679/2 diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c index 78243b1..7f0d53d 100644 --- a/src/openvpn/dco.c +++ b/src/openvpn/dco.c @@ -185,7 +185,7 @@ } else { -msg(D_DCO_DEBUG, "Swapping primary and secondary keys to" +msg(D_DCO_DEBUG, "Swapping primary and secondary keys to " "primary-id=%d secondary-id=(to be deleted)", primary->key_id); } diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index 162b23e..03177bb 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -1804,7 +1804,7 @@ } else if (dco_enabled(o)) { -msg(M_INFO, "Client does not support DATA_V2. Data channel offloaing " +msg(M_INFO, "Client does not support DATA_V2. Data channel offloading " "requires DATA_V2. Dropping client."); auth_set_client_reason(tls_multi, "Data channel negotiation " "failed (missing DATA_V2)"); 
@@ -1815,7 +1815,7 @@ * not accept our pushed ciphers */ if (proto & IV_PROTO_NCP_P2P) { -msg(M_WARN, "Note: peer reports running in P2P mode (no --pull/--client" +msg(M_WARN, "Note: peer reports running in P2P mode (no --pull/--client " "option). It will not negotiate ciphers with this server. " "Expect this connection to fail."); } @@ -2027,7 +2027,7 @@ /* Not EOF but other error -> fall through to error state */ default: /* We received an unknown/unexpected value. Assume failure. */ -msg(M_WARN, "WARNING: Unknown/unexpected value in deferred" +msg(M_WARN, "WARNING: Unknown/unexpected value in deferred " "client-connect resultfile"); ret = CC_RET_FAILED; } @@ -2427,7 +2427,7 @@ */ if (!mi->context.c2.push_ifconfig_defined) { -msg(D_MULTI_ERRORS, "MULTI: no dynamic or static remote" +msg(D_MULTI_ERRORS, "MULTI: no dynamic or static remote " "--ifconfig address is available for %s", multi_instance_string(mi, false, &gc)); } @@ -2443,7 +2443,7 @@ print_in_addr_t(mi->context.options.push_ifconfig_constraint_netmask, 0, &gc); /* JYFIXME -- this should cause the connection to fail */ -msg(D_MULTI_ERRORS, "MULTI ERROR: primary virtual IP for %s (%s)" +msg(D_MULTI_ERRORS, "MULTI ERROR: primary virtual IP for %s (%s) " "violates tunnel network/netmask constraint (%s/%s)", multi_instance_string(mi, false, &gc), print_in_addr_t(mi->context.c2.push_ifconfig_local, 0, &gc), @@ -2492,7 +2492,7 @@ } else if (mi->context.options.iroutes) { -msg(D_MULTI_ERRORS, "MULTI: --iroute options rejected for %s -- iroute" +msg(D_MULTI_ERRORS, "MULTI: --iroute options rejected for %s -- iroute " "only works with tun-style tunnels", multi_instance_string(mi, false, &gc)); } diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 64e67aa..ba9b05e 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c 
@@ -7033,7 +7033,7 @@ } else if (streq(p[0], "max-routes") && !p[2]) { -msg(M_WARN, "DEPRECATED OPTION: --max-routes option ignored." +msg(M_WARN, "DEPRECATED OPTION: --max-routes option ignored. " "The number of routes is unlimited as of OpenVPN 2.4. " "This option will be removed in a future version, " "please remove it from your configuration."); @@ -9328,7 +9328,7 @@ s++; } msg(M_WARN, "DEPRECATED FEATURE: automatically upcased the " -"--x509-username-field parameter to '%s'; please update your" +"--x509-username-field parameter to '%s'; please update your " "configuration", p[j]); } } diff --git
[Openvpn-devel] [S] Change in openvpn[master]: Fix missing spaces in various messages
Attention is currently required from: flichtenheld, plaisthos. cron2 has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/679?usp=email ) Change subject: Fix missing spaces in various messages .. Patch Set 1: Code-Review+2 (1 comment) Patchset: PS1: LGTM. Good that someone finally "just fixed these" ;-) -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/679?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Ic27d84c74c1dd6ff7973ca6966d186f475c67e21 Gerrit-Change-Number: 679 Gerrit-PatchSet: 1 Gerrit-Owner: flichtenheld Gerrit-Reviewer: cron2 Gerrit-Reviewer: plaisthos Gerrit-CC: openvpn-devel Gerrit-Attention: plaisthos Gerrit-Attention: flichtenheld Gerrit-Comment-Date: Mon, 22 Jul 2024 12:05:35 + Gerrit-HasComments: Yes Gerrit-Has-Labels: Yes Gerrit-MessageType: comment ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [XS] Change in openvpn[master]: configure: Switch to C11 by default
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/673?usp=email ) Change subject: configure: Switch to C11 by default .. configure: Switch to C11 by default Mostly so we can use anonymous structs without jumping through hoops or relying on unofficial support. Change-Id: I72934e747d1ad68a7e3675afbeb1b63df7941186 Signed-off-by: Frank Lichtenheld Acked-by: Arne Schwabe Message-Id: <20240710160306.190351-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28916.html Signed-off-by: Gert Doering --- M CMakeLists.txt M configure.ac 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 096837d..ad620fa 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -119,7 +119,7 @@ set(OPENVPN_VERSION_PATCH ${PRODUCT_VERSION_PATCH}) set(OPENVPN_VERSION_RESOURCE ${PRODUCT_VERSION_RESOURCE}) -set(CMAKE_C_STANDARD 99) +set(CMAKE_C_STANDARD 11) # Set the various defines for config.h.cmake.in if (${CMAKE_SYSTEM_NAME} STREQUAL "Linux") diff --git a/configure.ac b/configure.ac index 555c97e..9ce826c 100644 --- a/configure.ac +++ b/configure.ac 
@@ -421,10 +421,10 @@ AC_CHECK_PROGS([RST2HTML], [rst2html rst2html.py]) AM_CONDITIONAL([HAVE_PYDOCUTILS], [test "${RST2MAN}" -a "${RST2HTML}"]) -# Set -std=c99 unless user already specified a -std= +# Set -std=c11 unless user already specified a -std= case "${CFLAGS}" in *-std=*) ;; - *) CFLAGS="${CFLAGS} -std=c99" ;; + *) CFLAGS="${CFLAGS} -std=c11" ;; esac # -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/673?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I72934e747d1ad68a7e3675afbeb1b63df7941186 Gerrit-Change-Number: 673 Gerrit-PatchSet: 4 Gerrit-Owner: flichtenheld Gerrit-Reviewer: plaisthos Gerrit-CC: openvpn-devel Gerrit-MessageType: merged ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
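Review bot: in the configure.ac hunk, the `*-std=*) ;;` arm of the `case "${CFLAGS}"` means a packager who already passes `-std=c99` or `-std=gnu99` in CFLAGS keeps building as C99 without any notice, and the anonymous structs this change is meant to enable then compile only as a compiler extension (with -pedantic warnings), which is exactly the "unofficial support" the commit message wants to stop relying on. Suggest either warning when a user-supplied -std= is below c11, or stating in the commit message and Changes that CFLAGS must not pin an older standard.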
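Review bot: `set(CMAKE_C_STANDARD 11)` in the CMakeLists.txt hunk is only a preference: without `set(CMAKE_C_STANDARD_REQUIRED ON)` CMake silently decays to an older standard on a compiler that lacks C11 support, reproducing on the CMake side the problem the configure.ac hunk avoids. Also note that CMake's default `CMAKE_C_EXTENSIONS ON` turns this into `-std=gnu11`, whereas configure.ac emits `-std=c11`, so the two build systems now compile different dialects; set `CMAKE_C_EXTENSIONS OFF` if the intent is to match.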
[Openvpn-devel] [XS] Change in openvpn[master]: configure: Switch to C11 by default
cron2 has uploaded a new patch set (#4) to the change originally created by flichtenheld. ( http://gerrit.openvpn.net/c/openvpn/+/673?usp=email ) Change subject: configure: Switch to C11 by default .. configure: Switch to C11 by default Mostly so we can use anonymous structs without jumping through hoops or relying on unofficial support. Change-Id: I72934e747d1ad68a7e3675afbeb1b63df7941186 Signed-off-by: Frank Lichtenheld Acked-by: Arne Schwabe Message-Id: <20240710160306.190351-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28916.html Signed-off-by: Gert Doering --- M CMakeLists.txt M configure.ac 2 files changed, 3 insertions(+), 3 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/73/673/4 diff --git a/CMakeLists.txt b/CMakeLists.txt index 096837d..ad620fa 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -119,7 +119,7 @@ set(OPENVPN_VERSION_PATCH ${PRODUCT_VERSION_PATCH}) set(OPENVPN_VERSION_RESOURCE ${PRODUCT_VERSION_RESOURCE}) -set(CMAKE_C_STANDARD 99) +set(CMAKE_C_STANDARD 11) # Set the various defines for config.h.cmake.in if (${CMAKE_SYSTEM_NAME} STREQUAL "Linux") diff --git a/configure.ac b/configure.ac index 555c97e..9ce826c 100644 --- a/configure.ac +++ b/configure.ac 
@@ -421,10 +421,10 @@ AC_CHECK_PROGS([RST2HTML], [rst2html rst2html.py]) AM_CONDITIONAL([HAVE_PYDOCUTILS], [test "${RST2MAN}" -a "${RST2HTML}"]) -# Set -std=c99 unless user already specified a -std= +# Set -std=c11 unless user already specified a -std= case "${CFLAGS}" in *-std=*) ;; - *) CFLAGS="${CFLAGS} -std=c99" ;; + *) CFLAGS="${CFLAGS} -std=c11" ;; esac # -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/673?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I72934e747d1ad68a7e3675afbeb1b63df7941186 Gerrit-Change-Number: 673 Gerrit-PatchSet: 4 Gerrit-Owner: flichtenheld Gerrit-Reviewer: plaisthos Gerrit-CC: openvpn-devel Gerrit-MessageType: newpatchset ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [M] Change in openvpn[master]: Allow trailing \r and \n in control channel message
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/672?usp=email ) Change subject: Allow trailing \r and \n in control channel message .. Allow trailing \r and \n in control channel message Writing a reason from a script will easily end up adding extra \r\n characters at the end of the reason. Our current code pushes this to the peer. So be more liberal in accepting these messages. Github: closes OpenVPN/openvpn#568 Change-Id: I47c992b6b73b1475cbff8a28f720cf50dc1fbe3e Signed-off-by: Arne Schwabe Acked-by: Frank Lichtenheld Message-Id: <20240710140623.172829-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28910.html Signed-off-by: Gert Doering --- M src/openvpn/forward.c M src/openvpn/ssl_pkt.c M src/openvpn/ssl_pkt.h M tests/unit_tests/openvpn/test_pkt.c 4 files changed, 92 insertions(+), 30 deletions(-) diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index 71b7167..40b7cc4 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c 
@@ -290,41 +290,14 @@ struct buffer buf = alloc_buf_gc(len, &gc); if (tls_rec_payload(c->c2.tls_multi, &buf)) { - while (BLEN(&buf) > 1) { -/* commands on the control channel are seperated by 0x00 bytes. - * cmdlen does not include the 0 byte of the string */ -int cmdlen = (int)strnlen(BSTR(&buf), BLEN(&buf)); +struct buffer cmdbuf = extract_command_buffer(&buf, &gc); -if (cmdlen < BLEN(&buf)) +if (cmdbuf.len > 0) { -/* include the NUL byte and ensure NUL termination */ -int cmdlen = (int)strlen(BSTR(&buf)) + 1; - -/* Construct a buffer that only holds the current command and - * its closing NUL byte */ -struct buffer cmdbuf = alloc_buf_gc(cmdlen, &gc); -buf_write(&cmdbuf, BPTR(&buf), cmdlen); - -/* check we have only printable characters or null byte in the - * command string and no newlines */ -if (!string_check_buf(&buf, CC_PRINT | CC_NULL, CC_CRLF)) -{ -msg(D_PUSH_ERRORS, "WARNING: Received control with invalid characters: %s", -format_hex(BPTR(&buf), BLEN(&buf), 256, &gc)); -} -else -{ -parse_incoming_control_channel_command(c, &cmdbuf); -} +parse_incoming_control_channel_command(c, &cmdbuf); } -else -{ -msg(D_PUSH_ERRORS, "WARNING: Ignoring control channel " -"message command without NUL termination"); -} -buf_advance(&buf, cmdlen); } } else diff --git a/src/openvpn/ssl_pkt.c b/src/openvpn/ssl_pkt.c index 2ec0b2f..689cd7f 100644 --- a/src/openvpn/ssl_pkt.c +++ b/src/openvpn/ssl_pkt.c 
@@ -557,3 +557,43 @@ } return false; } + +struct buffer +extract_command_buffer(struct buffer *buf, struct gc_arena *gc) +{ +/* commands on the control channel are seperated by 0x00 bytes. + * cmdlen does not include the 0 byte of the string */ +int cmdlen = (int)strnlen(BSTR(buf), BLEN(buf)); + +if (cmdlen >= BLEN(buf)) +{ +buf_advance(buf, cmdlen); +/* Return empty buffer */ +struct buffer empty = { 0 }; +return empty; +} + +/* include the NUL byte and ensure NUL termination */ +cmdlen += 1; + +/* Construct a buffer that only holds the current command and + * its closing NUL byte */ +struct buffer cmdbuf = alloc_buf_gc(cmdlen, gc); +buf_write(&cmdbuf, BPTR(buf), cmdlen); + +/* Remove \r and \n at the end of the buffer to avoid + * problems with scripts and other that add extra \r and \n */ +buf_chomp(&cmdbuf); + +/* check we have only printable characters or null byte in the + * command string and no newlines */ +if (!string_check_buf(&cmdbuf, CC_PRINT | CC_NULL, CC_CRLF)) +{ +msg(D_PUSH_ERRORS, "WARNING: Received control with invalid characters: %s", +format_hex(BPTR(&cmdbuf), BLEN(&cmdbuf), 256, gc)); +cmdbuf.len = 0; +} + +buf_advance(buf, cmdlen); +return cmdbuf; +} diff --git a/src/openvpn/ssl_pkt.h b/src/openvpn/ssl_pkt.h index 88b9e8c..c8a27fb 100644 --- a/src/openvpn/ssl_pkt.h +++ b/src/openvpn/ssl_pkt.h @@ -230,6 +230,20 @@ uint8_t header, bool request_resend_wkc); + +/** + * Extracts a control channel message from buf and adjusts the size of + * buf after the message has been extracted + * @param buf The buffer the message should be extracted from + * @param gcgc_arena to be used for the returned buffer and displaying + * diagnostic messages + * @return A buffer
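Review bot: the forward.c hunk removes the `"WARNING: Ignoring control channel message command without NUL termination"` message, and the replacement path in extract_command_buffer() (the `cmdlen >= BLEN(buf)` branch in ssl_pkt.c) just advances the buffer and returns the empty buffer with no log line, so a truncated or malformed control message is now consumed silently. Please keep a msg(D_PUSH_ERRORS, ...) in that branch: it is the only trace an operator gets that a peer is sending malformed control-channel data, and losing it is a regression in diagnostics rather than a cleanup.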
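Review bot: in the ssl_pkt.c hunk the terminating NUL is copied into cmdbuf first (`cmdlen += 1;` then `buf_write(&cmdbuf, BPTR(buf), cmdlen);`) and `buf_chomp(&cmdbuf);` runs afterwards, so the `\r\n` this change wants to tolerate sits before the last byte of cmdbuf rather than at its end; whether buf_chomp() strips it depends on how it treats that trailing NUL, which is not visible in this hunk. Please make sure the test_pkt.c additions exercise exactly `"reason\r\n\0"` and assert both that the CR/LF are gone and that the result is still NUL-terminated, since parse_incoming_control_channel_command() works on BSTR(). The `buf_advance(buf, cmdlen)` at the end correctly uses the pre-chomp length, so the outer buffer stays in sync. Nit: "seperated" in the comment.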
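Review bot: the doxygen block added in ssl_pkt.h should spell out the two non-obvious parts of the contract the ssl_pkt.c implementation has: a returned buffer with `len == 0` means "nothing usable" (no NUL found, or invalid characters), and `buf` is advanced past the consumed bytes in every case, including the error cases, so a caller must not retry on the same input. The forward.c caller relies on exactly the `cmdbuf.len > 0` test.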
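As an added example, not code from the OpenVPN tree: a standalone model of the command splitting that this change moves into extract_command_buffer(), written in plain C with its own names (cc_result, cc_extract, cc_demo, SAMPLE_RECORD) and a constructed sample record, so the three behaviours can be seen side by side: a scripted \r\n before the NUL is tolerated, a control character elsewhere in the command rejects it, and a record that ends without a NUL is dropped. memchr() is used here as the bounded search where the patch uses strnlen().

```c
/* Added example, not code from the OpenVPN tree: a standalone model of the
 * control-channel command splitting that extract_command_buffer() performs.
 * Names (cc_result, cc_extract, cc_demo, SAMPLE_RECORD) are this example's own.
 * Rules modelled, in the order the patch applies them:
 *   1. a command runs up to the next NUL; a record with no NUL left is dropped
 *   2. trailing \r and \n before that NUL are stripped (buf_chomp)
 *   3. anything else outside printable ASCII rejects the whole command
 *      (string_check_buf with CC_PRINT | CC_NULL, excluding CC_CRLF)
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum { CC_MAX_CMDS = 8, CC_MAX_LEN = 256 };

struct cc_result {
    char cmds[CC_MAX_CMDS][CC_MAX_LEN]; /* accepted commands, NUL-terminated */
    int ncmds;                          /* number of accepted commands */
    int rejected;                       /* commands dropped for bad bytes */
    int unterminated;                   /* 1 if the record ran out before a NUL */
};

/* True if every one of the n bytes is printable ASCII (0x20..0x7e).
 * \r and \n fail this test on purpose: the chomp step has already removed
 * the trailing ones the change wants to tolerate, so any that remain are
 * embedded in the command and must not reach the command parser. */
static bool cc_printable(const char *s, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c < 0x20 || c > 0x7e) {
            return false;
        }
    }
    return true;
}

/* Split one decrypted TLS record payload (buf, len) into commands. */
void cc_extract(const char *buf, size_t len, struct cc_result *out)
{
    memset(out, 0, sizeof(*out));
    size_t pos = 0;
    while (pos < len) {
        /* bounded search for the separator: the equivalent of the patch's
         * strnlen(BSTR(buf), BLEN(buf)); it never reads past the record */
        const char *nul = memchr(buf + pos, '\0', len - pos);
        if (nul == NULL) {
            out->unterminated = 1;  /* truncated or malformed: drop the rest */
            return;
        }
        size_t cmdlen = (size_t)(nul - (buf + pos));

        /* chomp: ignore \r and \n that a script appended before the NUL */
        size_t keep = cmdlen;
        while (keep > 0 && (buf[pos + keep - 1] == '\r' || buf[pos + keep - 1] == '\n')) {
            keep--;
        }

        if (keep >= CC_MAX_LEN || !cc_printable(buf + pos, keep)) {
            out->rejected++;
        } else if (out->ncmds < CC_MAX_CMDS) {
            memcpy(out->cmds[out->ncmds], buf + pos, keep);
            out->cmds[out->ncmds][keep] = '\0';
            out->ncmds++;
        }
        pos += cmdlen + 1;  /* past the command and its NUL, as buf_advance() does */
    }
}

/* Constructed sample record (not captured traffic): a scripted reason with
 * "\r\n" before its NUL, a clean command, a command with an embedded newline,
 * and a final command cut off before its NUL. */
static const char SAMPLE_RECORD[] =
    "AUTH_FAILED,bad password\r\n\0"
    "PUSH_REQUEST\0"
    "AUTH_FAILED,line1\nline2\0"
    "TRUNCATED";

struct cc_result cc_demo(void)
{
    struct cc_result r;
    cc_extract(SAMPLE_RECORD, sizeof(SAMPLE_RECORD) - 1, &r);
    return r;
}

int main(void)
{
    struct cc_result r = cc_demo();
    for (int i = 0; i < r.ncmds; i++) {
        printf("accepted: [%s]\n", r.cmds[i]);
    }
    printf("rejected=%d unterminated=%d\n", r.rejected, r.unterminated);
    return 0;
}
```

Run as is, the sample yields two accepted commands ("AUTH_FAILED,bad password" with its CR/LF gone, and "PUSH_REQUEST"), one rejected for the embedded newline, and the unterminated tail dropped. The chomp is applied only to the copy, so the outer position still advances by the full on-the-wire length, which is the same invariant the patch keeps with its separate cmdlen.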
[Openvpn-devel] [M] Change in openvpn[master]: Allow trailing \r and \n in control channel message
cron2 has uploaded a new patch set (#5) to the change originally created by plaisthos. ( http://gerrit.openvpn.net/c/openvpn/+/672?usp=email ) The following approvals got outdated and were removed: Code-Review+2 by flichtenheld Change subject: Allow trailing \r and \n in control channel message .. Allow trailing \r and \n in control channel message Writing a reason from a script will easily end up adding extra \r\n characters at the end of the reason. Our current code pushes this to the peer. So be more liberal in accepting these messages. Github: closes OpenVPN/openvpn#568 Change-Id: I47c992b6b73b1475cbff8a28f720cf50dc1fbe3e Signed-off-by: Arne Schwabe Acked-by: Frank Lichtenheld Message-Id: <20240710140623.172829-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28910.html Signed-off-by: Gert Doering --- M src/openvpn/forward.c M src/openvpn/ssl_pkt.c M src/openvpn/ssl_pkt.h M tests/unit_tests/openvpn/test_pkt.c 4 files changed, 92 insertions(+), 30 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/72/672/5 diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index 71b7167..40b7cc4 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c 
@@ -290,41 +290,14 @@ struct buffer buf = alloc_buf_gc(len, &gc); if (tls_rec_payload(c->c2.tls_multi, &buf)) { - while (BLEN(&buf) > 1) { -/* commands on the control channel are seperated by 0x00 bytes. - * cmdlen does not include the 0 byte of the string */ -int cmdlen = (int)strnlen(BSTR(&buf), BLEN(&buf)); +struct buffer cmdbuf = extract_command_buffer(&buf, &gc); -if (cmdlen < BLEN(&buf)) +if (cmdbuf.len > 0) { -/* include the NUL byte and ensure NUL termination */ -int cmdlen = (int)strlen(BSTR(&buf)) + 1; - -/* Construct a buffer that only holds the current command and - * its closing NUL byte */ -struct buffer cmdbuf = alloc_buf_gc(cmdlen, &gc); -buf_write(&cmdbuf, BPTR(&buf), cmdlen); - -/* check we have only printable characters or null byte in the - * command string and no newlines */ -if (!string_check_buf(&buf, CC_PRINT | CC_NULL, CC_CRLF)) -{ -msg(D_PUSH_ERRORS, "WARNING: Received control with invalid characters: %s", -format_hex(BPTR(&buf), BLEN(&buf), 256, &gc)); -} -else -{ -parse_incoming_control_channel_command(c, &cmdbuf); -} +parse_incoming_control_channel_command(c, &cmdbuf); } -else -{ -msg(D_PUSH_ERRORS, "WARNING: Ignoring control channel " -"message command without NUL termination"); -} -buf_advance(&buf, cmdlen); } } else diff --git a/src/openvpn/ssl_pkt.c b/src/openvpn/ssl_pkt.c index 2ec0b2f..689cd7f 100644 --- a/src/openvpn/ssl_pkt.c +++ b/src/openvpn/ssl_pkt.c 
@@ -557,3 +557,43 @@ } return false; } + +struct buffer +extract_command_buffer(struct buffer *buf, struct gc_arena *gc) +{ +/* commands on the control channel are seperated by 0x00 bytes. + * cmdlen does not include the 0 byte of the string */ +int cmdlen = (int)strnlen(BSTR(buf), BLEN(buf)); + +if (cmdlen >= BLEN(buf)) +{ +buf_advance(buf, cmdlen); +/* Return empty buffer */ +struct buffer empty = { 0 }; +return empty; +} + +/* include the NUL byte and ensure NUL termination */ +cmdlen += 1; + +/* Construct a buffer that only holds the current command and + * its closing NUL byte */ +struct buffer cmdbuf = alloc_buf_gc(cmdlen, gc); +buf_write(&cmdbuf, BPTR(buf), cmdlen); + +/* Remove \r and \n at the end of the buffer to avoid + * problems with scripts and other that add extra \r and \n */ +buf_chomp(&cmdbuf); + +/* check we have only printable characters or null byte in the + * command string and no newlines */ +if (!string_check_buf(&cmdbuf, CC_PRINT | CC_NULL, CC_CRLF)) +{ +msg(D_PUSH_ERRORS, "WARNING: Received control with invalid characters: %s", +format_hex(BPTR(&cmdbuf), BLEN(&cmdbuf), 256, gc)); +cmdbuf.len = 0; +} + +buf_advance(buf, cmdlen); +return cmdbuf; +} diff --git a/src/openvpn/ssl_pkt.h b/src/openvpn/ssl_pkt.h index 88b9e8c..c8a27fb 100644 --- a/src/openvpn/ssl_pkt.h +++ b/src/openvpn/ssl_pkt.h @@ -230,6 +230,20 @@ uint8_t header, bool request_resend_wkc); + +/** + * Extracts a control channel message from buf and adjusts the size of + * buf after the message has been e
[Openvpn-devel] [M] Change in openvpn[master]: Static-challenge concatenation option
Attention is currently required from: plaisthos, selvanair. cron2 has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/665?usp=email )

Change subject: Static-challenge concatenation option
..

Patch Set 3:

(1 comment)

Patchset:

PS3:
You *can* send it to the mailing list, if you want (using the `dev-tools/gerrit-send-mail.py` script to get the threading halfway right, and add the acked-by: headers according to the +2 in gerrit). Usually Frank or I do this on behalf of the original submitter (because it's easy to do when the +2 comes by). I'm travelling so things take a bit longer.

-- To view, visit http://gerrit.openvpn.net/c/openvpn/+/665?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I59a90446bfe73d8856516025a58a6f62cc98ab0d Gerrit-Change-Number: 665 Gerrit-PatchSet: 3 Gerrit-Owner: selvanair Gerrit-Reviewer: flichtenheld Gerrit-Reviewer: plaisthos Gerrit-CC: cron2 Gerrit-CC: openvpn-devel Gerrit-Attention: plaisthos Gerrit-Attention: selvanair Gerrit-Comment-Date: Wed, 10 Jul 2024 20:20:34 + Gerrit-HasComments: Yes Gerrit-Has-Labels: No Gerrit-MessageType: comment ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [S] Change in openvpn[master]: Allow trailing \r and \n in control channel message
Attention is currently required from: flichtenheld, plaisthos. cron2 has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/672?usp=email )

Change subject: Allow trailing \r and \n in control channel message
..

Patch Set 2: Code-Review-1

(3 comments)

Patchset:

PS2:
getting close

File src/openvpn/forward.c:

http://gerrit.openvpn.net/c/openvpn/+/672/comment/fbe5364d_eb37f3f4 :
PS2, Line 302: int buflen = (int)strlen(BSTR(&buf)) + 1;
While this is better than the original, I find it still confusing to call `strlen()` twice on the very same string, in direct sequence. What's wrong with `int buflen = cmdlen +1;`...?

http://gerrit.openvpn.net/c/openvpn/+/672/comment/46ed5072_d7aeafa2 :
PS2, Line 318: format_hex(BPTR(&buf), BLEN(&cmdbuf), 256, &gc));
> While it is not actually wrong to use BPTR(&buf) here, I would recommend
> BPTR(&cmdbuf). […]
It is "not wrong today", but this sort of booby trap will come back and bite us later - so this should both be `&cmdbuf` if that's the buffer we have looked at (especially with new code in the pipeline that might handle multiple commands in a single TLS record etc)

-- To view, visit http://gerrit.openvpn.net/c/openvpn/+/672?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I47c992b6b73b1475cbff8a28f720cf50dc1fbe3e Gerrit-Change-Number: 672 Gerrit-PatchSet: 2 Gerrit-Owner: plaisthos Gerrit-Reviewer: cron2 Gerrit-Reviewer: flichtenheld Gerrit-CC: openvpn-devel Gerrit-Attention: plaisthos Gerrit-Attention: flichtenheld Gerrit-Comment-Date: Mon, 08 Jul 2024 19:27:55 + Gerrit-HasComments: Yes Gerrit-Has-Labels: Yes Comment-In-Reply-To: flichtenheld Gerrit-MessageType: comment ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [M] Change in openvpn[master]: t_server_null: multiple improvements and fixes
cron2 has uploaded a new patch set (#6) to the change originally created by mattock. ( http://gerrit.openvpn.net/c/openvpn/+/669?usp=email ) The following approvals got outdated and were removed: Code-Review+2 by flichtenheld Change subject: t_server_null: multiple improvements and fixes .. t_server_null: multiple improvements and fixes - exit after a timeout if unable to kill servers - use sudo or equivalent only for server stop/start - use /bin/sh directly instead of through /usr/bin/env - simplify sudo call in the sample rc file - remove misleading and outdated documentation - make it work on OpenBSD 7.5 - make it work on NetBSD 10.0 - make server logs readable by normal users Change-Id: I2cce8ad4e0d262e1404ab1eb6ff673d8590b6b3a Signed-off-by: Samuli Seppänen Acked-by: Frank Lichtenheld Message-Id: <2024070417.26595-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28871.html Signed-off-by: Gert Doering --- M doc/t_server_null.rst M tests/t_server_null.rc-sample M tests/t_server_null.sh M tests/t_server_null_client.sh M tests/t_server_null_default.rc M tests/t_server_null_server.sh M tests/t_server_null_stress.sh 7 files changed, 64 insertions(+), 40 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/69/669/6 diff --git a/doc/t_server_null.rst b/doc/t_server_null.rst index e3a098a..5fe9080 100644 --- a/doc/t_server_null.rst +++ b/doc/t_server_null.rst @@ -43,6 +43,12 @@ * run as root * a privilege escalation tool (sudo, doas, su) and the permission to become root +If you use "doas" you should enable nopass feature in */etc/doas.conf*. For +example to allow users in the *wheel* group to run commands without a password +prompt:: + +permit nopass keepenv :wheel + Technical implementation 
@@ -73,13 +79,6 @@ * Waits until servers have launched. Then launch all clients, wait for them to exit and then check test results by parsing the client log files. Each client kills itself after some delay using an "--up" script. -Note that "make check" moves on once *t_server_null_client.sh* has exited. At -that point *t_server_null_server.sh* is still running, because it exists only -after waiting a few seconds for more client connections to potentially appear. -This is a feature and not a bug, but means that launching "make check" runs too -quickly might cause test failures or unexpected behavior such as leftover -OpenVPN server processes. - Configuration - diff --git a/tests/t_server_null.rc-sample b/tests/t_server_null.rc-sample index 28c3773..98d7869 100644 --- a/tests/t_server_null.rc-sample +++ b/tests/t_server_null.rc-sample @@ -1,6 +1,5 @@ # Uncomment to run tests with sudo -#SUDO_EXEC=`which sudo` -#RUN_SUDO="${SUDO_EXEC} -E" +#RUN_SUDO="sudo -E" TEST_RUN_LIST="1 2 3 10 11" diff --git a/tests/t_server_null.sh b/tests/t_server_null.sh index 0e53ba4..7627edf 100755 --- a/tests/t_server_null.sh +++ b/tests/t_server_null.sh @@ -1,4 +1,4 @@ -#!/usr/bin/env sh +#!/bin/sh # TSERVER_NULL_SKIP_RC="${TSERVER_NULL_SKIP_RC:-77}" @@ -57,12 +57,7 @@ srcdir="${srcdir:-.}" -if [ -z "${RUN_SUDO}" ]; then -"${srcdir}/t_server_null_server.sh" & -else -$RUN_SUDO "${srcdir}/t_server_null_server.sh" & -fi - +"${srcdir}/t_server_null_server.sh" & "${srcdir}/t_server_null_client.sh" retval=$? diff --git a/tests/t_server_null_client.sh b/tests/t_server_null_client.sh index 8890007..e7dd332 100755 --- a/tests/t_server_null_client.sh +++ b/tests/t_server_null_client.sh @@ -1,4 +1,4 @@ -#!/usr/bin/env sh +#!/bin/sh launch_client() { test_name=$1 
@@ -76,19 +76,22 @@ count=0 server_max_wait=15 while [ $count -lt $server_max_wait ]; do -server_pids="" -server_count=$(set|grep 'SERVER_NAME_'|wc -l) +servers_up=0 +server_count=$(echo $TEST_SERVER_LIST|wc -w) # We need to trim single-quotes because some shells return quoted values # and some don't. Using "set -o posix" which would resolve this problem is # not supported in all shells. +# +# While inactive server configurations may get checked they won't increase +# the active server count as the processes won't be running. for i in `set|grep 'SERVER_NAME_'|cut -d "=" -f 2|tr -d "[\']"`; do server_pid=$(cat $i.pid 2> /dev/null) -server_pids="${server_pids} ${server_pid}" +if ps -p $server_pid > /dev/null 2>&1; then +servers_up=$(( $servers_up + 1 )) +fi done -servers_up=$(ps -p $server_pids 2>/dev/null|sed '1d'|wc -l) - echo "OpenVPN test servers up: ${servers_up}/${server_count}" if [ $servers_up -ge $server_count ]; then @@ -101,6 +104,7 @@ if [ $count -eq $server_max_wait ]; then retval=1 +exit $retval fi done diff --git a/tests/t_server_null_default.rc b/tests/t_server_null_default.rc index 63b6bcd..8
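Review bot: the doc/t_server_null.rst example `permit nopass keepenv :wheel` grants every member of wheel passwordless root with the whole environment preserved, which is far broader than the test suite needs and is the kind of line that gets copied onto a build host and stays there. Suggest showing a rule scoped to the account that runs the suite, e.g. `permit nopass keepenv testuser as root` (testuser being a placeholder for that account), and saying that keepenv is there to mirror `sudo -E` so the test settings reach the root-run server script.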
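Review bot: `RUN_SUDO="sudo -E"` in the t_server_null.rc-sample hunk only works when sudoers grants the user SETENV (or a `setenv` Defaults); on an unmodified sudoers the call fails with "sorry, you are not allowed to preserve the environment", and because the server script's output goes to a log file the suite will then just report `OpenVPN test servers up: 0/...`. A comment in the sample file naming that requirement, and a pre-flight `$RUN_SUDO true` with a clear message in t_server_null.sh (it already probes `sudo /bin/kill -0`), would save the next person an hour.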
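Review bot: in the t_server_null_client.sh hunk `server_pid=$(cat $i.pid 2> /dev/null)` still swallows the permission error from the 0600/umask case discussed on PS4, so a pid file that exists but is unreadable is counted as "server down" with no hint, which is exactly the misleading failure reported there. Check `[ -e "$i.pid" ] && [ ! -r "$i.pid" ]` and print the file's mode and owner before giving up. Also quote `"$server_pid"` and skip the ps call when it is empty: with an empty variable `ps -p $server_pid` becomes `ps -p`, a usage error that only happens to count as "down", and a quoted empty argument makes the intent explicit rather than relying on that.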
[Openvpn-devel] [M] Change in openvpn[master]: t_server_null: multiple improvements and fixes
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/669?usp=email ) Change subject: t_server_null: multiple improvements and fixes .. t_server_null: multiple improvements and fixes - exit after a timeout if unable to kill servers - use sudo or equivalent only for server stop/start - use /bin/sh directly instead of through /usr/bin/env - simplify sudo call in the sample rc file - remove misleading and outdated documentation - make it work on OpenBSD 7.5 - make it work on NetBSD 10.0 - make server logs readable by normal users Change-Id: I2cce8ad4e0d262e1404ab1eb6ff673d8590b6b3a Signed-off-by: Samuli Seppänen Acked-by: Frank Lichtenheld Message-Id: <2024070417.26595-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28871.html Signed-off-by: Gert Doering --- M doc/t_server_null.rst M tests/t_server_null.rc-sample M tests/t_server_null.sh M tests/t_server_null_client.sh M tests/t_server_null_default.rc M tests/t_server_null_server.sh M tests/t_server_null_stress.sh 7 files changed, 64 insertions(+), 40 deletions(-) diff --git a/doc/t_server_null.rst b/doc/t_server_null.rst index e3a098a..5fe9080 100644 --- a/doc/t_server_null.rst +++ b/doc/t_server_null.rst @@ -43,6 +43,12 @@ * run as root * a privilege escalation tool (sudo, doas, su) and the permission to become root +If you use "doas" you should enable nopass feature in */etc/doas.conf*. For +example to allow users in the *wheel* group to run commands without a password +prompt:: + +permit nopass keepenv :wheel + Technical implementation 
@@ -73,13 +79,6 @@ * Waits until servers have launched. Then launch all clients, wait for them to exit and then check test results by parsing the client log files. Each client kills itself after some delay using an "--up" script. -Note that "make check" moves on once *t_server_null_client.sh* has exited. At -that point *t_server_null_server.sh* is still running, because it exists only -after waiting a few seconds for more client connections to potentially appear. -This is a feature and not a bug, but means that launching "make check" runs too -quickly might cause test failures or unexpected behavior such as leftover -OpenVPN server processes. - Configuration - diff --git a/tests/t_server_null.rc-sample b/tests/t_server_null.rc-sample index 28c3773..98d7869 100644 --- a/tests/t_server_null.rc-sample +++ b/tests/t_server_null.rc-sample @@ -1,6 +1,5 @@ # Uncomment to run tests with sudo -#SUDO_EXEC=`which sudo` -#RUN_SUDO="${SUDO_EXEC} -E" +#RUN_SUDO="sudo -E" TEST_RUN_LIST="1 2 3 10 11" diff --git a/tests/t_server_null.sh b/tests/t_server_null.sh index 0e53ba4..7627edf 100755 --- a/tests/t_server_null.sh +++ b/tests/t_server_null.sh @@ -1,4 +1,4 @@ -#!/usr/bin/env sh +#!/bin/sh # TSERVER_NULL_SKIP_RC="${TSERVER_NULL_SKIP_RC:-77}" @@ -57,12 +57,7 @@ srcdir="${srcdir:-.}" -if [ -z "${RUN_SUDO}" ]; then -"${srcdir}/t_server_null_server.sh" & -else -$RUN_SUDO "${srcdir}/t_server_null_server.sh" & -fi - +"${srcdir}/t_server_null_server.sh" & "${srcdir}/t_server_null_client.sh" retval=$? diff --git a/tests/t_server_null_client.sh b/tests/t_server_null_client.sh index 8890007..e7dd332 100755 --- a/tests/t_server_null_client.sh +++ b/tests/t_server_null_client.sh @@ -1,4 +1,4 @@ -#!/usr/bin/env sh +#!/bin/sh launch_client() { test_name=$1 
@@ -76,19 +76,22 @@ count=0 server_max_wait=15 while [ $count -lt $server_max_wait ]; do -server_pids="" -server_count=$(set|grep 'SERVER_NAME_'|wc -l) +servers_up=0 +server_count=$(echo $TEST_SERVER_LIST|wc -w) # We need to trim single-quotes because some shells return quoted values # and some don't. Using "set -o posix" which would resolve this problem is # not supported in all shells. +# +# While inactive server configurations may get checked they won't increase +# the active server count as the processes won't be running. for i in `set|grep 'SERVER_NAME_'|cut -d "=" -f 2|tr -d "[\']"`; do server_pid=$(cat $i.pid 2> /dev/null) -server_pids="${server_pids} ${server_pid}" +if ps -p $server_pid > /dev/null 2>&1; then +servers_up=$(( $servers_up + 1 )) +fi done -servers_up=$(ps -p $server_pids 2>/dev/null|sed '1d'|wc -l) - echo "OpenVPN test servers up: ${servers_up}/${server_count}" if [ $servers_up -ge $server_count ]; then @@ -101,6 +104,7 @@ if [ $count -eq $server_max_wait ]; then retval=1 +exit $retval fi done diff --git a/tests/t_server_null_default.rc b/tests/t_server_null_default.rc index 63b6bcd..825bb52 100755 --- a/tests/t_server_null_default.rc +++ b/tests/t_server_null_default.rc @@ -24,7 +24,7 @@ MAX_CLIENTS="10" CLIENT_MATCH="Test-Client" SERVER_EXEC="${top_builddir}/src/openvpn/openvpn" -SERVER
[Openvpn-devel] [XS] Change in openvpn[master]: mbedtls: Warn if --tls-version-min is too low
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/684?usp=email ) Change subject: mbedtls: Warn if --tls-version-min is too low .. mbedtls: Warn if --tls-version-min is too low Recent versions of mbedtls only support TLS 1.2. When the minimum version is set to TLS 1.0 or 1.1, log a warning and use 1.2 as the actual minimum version. Change-Id: Ibc641388d8016533c94dfef3618376f6dfa91f4e Signed-off-by: Max Fillinger Acked-by: Arne Schwabe Message-Id: <20240703174158.7137-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28865.html Signed-off-by: Gert Doering --- M src/openvpn/options.c 1 file changed, 9 insertions(+), 0 deletions(-) diff --git a/src/openvpn/options.c b/src/openvpn/options.c index dbe1425..64e67aa 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -8942,6 +8942,15 @@ msg(msglevel, "unknown tls-version-min parameter: %s", p[1]); goto err; } + +#ifdef ENABLE_CRYPTO_MBEDTLS +if (ver < TLS_VER_1_2) +{ +msg(M_WARN, "--tls-version-min %s is not supported by mbedtls, using 1.2", p[1]); +ver = TLS_VER_1_2; +} +#endif + options->ssl_flags &= ~(SSLF_TLS_VERSION_MIN_MASK << SSLF_TLS_VERSION_MIN_SHIFT); options->ssl_flags |= (ver << SSLF_TLS_VERSION_MIN_SHIFT); -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/684?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Ibc641388d8016533c94dfef3618376f6dfa91f4e Gerrit-Change-Number: 684 Gerrit-PatchSet: 2 Gerrit-Owner: MaxF Gerrit-Reviewer: flichtenheld Gerrit-Reviewer: plaisthos Gerrit-CC: openvpn-devel Gerrit-MessageType: merged ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
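Review bot: clamping `ver` up to TLS_VER_1_2 only ever raises the configured minimum, so this is the safe direction, but two things are missing around the `if (ver < TLS_VER_1_2)` check in the options.c hunk: the comparison assumes the TLS_VER_* values are numerically ordered by protocol version, which deserves a one-line comment so a future enum change does not silently break it, and the `--tls-version-min` documentation should say that mbedtls builds ignore values below 1.2 (an M_WARN at startup is easy to miss in syslog). Wording nit for the commit message: recent mbedtls dropped TLS 1.0 and 1.1 rather than supporting only 1.2.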
[Openvpn-devel] [XS] Change in openvpn[master]: mbedtls: Warn if --tls-version-min is too low
cron2 has uploaded a new patch set (#2) to the change originally created by MaxF. ( http://gerrit.openvpn.net/c/openvpn/+/684?usp=email ) The following approvals got outdated and were removed: Code-Review+2 by plaisthos Change subject: mbedtls: Warn if --tls-version-min is too low .. mbedtls: Warn if --tls-version-min is too low Recent versions of mbedtls only support TLS 1.2. When the minimum version is set to TLS 1.0 or 1.1, log a warning and use 1.2 as the actual minimum version. Change-Id: Ibc641388d8016533c94dfef3618376f6dfa91f4e Signed-off-by: Max Fillinger Acked-by: Arne Schwabe Message-Id: <20240703174158.7137-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28865.html Signed-off-by: Gert Doering --- M src/openvpn/options.c 1 file changed, 9 insertions(+), 0 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/84/684/2 diff --git a/src/openvpn/options.c b/src/openvpn/options.c index dbe1425..64e67aa 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c 
@@ -8942,6 +8942,15 @@ msg(msglevel, "unknown tls-version-min parameter: %s", p[1]); goto err; } + +#ifdef ENABLE_CRYPTO_MBEDTLS +if (ver < TLS_VER_1_2) +{ +msg(M_WARN, "--tls-version-min %s is not supported by mbedtls, using 1.2", p[1]); +ver = TLS_VER_1_2; +} +#endif + options->ssl_flags &= ~(SSLF_TLS_VERSION_MIN_MASK << SSLF_TLS_VERSION_MIN_SHIFT); options->ssl_flags |= (ver << SSLF_TLS_VERSION_MIN_SHIFT); -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/684?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Ibc641388d8016533c94dfef3618376f6dfa91f4e Gerrit-Change-Number: 684 Gerrit-PatchSet: 2 Gerrit-Owner: MaxF Gerrit-Reviewer: flichtenheld Gerrit-Reviewer: plaisthos Gerrit-CC: openvpn-devel Gerrit-MessageType: newpatchset ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [M] Change in openvpn[master]: t_server_null: multiple improvements and fixes
Attention is currently required from: mattock, plaisthos. cron2 has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/669?usp=email )

Change subject: t_server_null: multiple improvements and fixes
..

Patch Set 4: Code-Review-1

(1 comment)

Patchset:

PS4:
OK, so the NetBSD problem seems to be "umask" - when run from BB, the server processes are started (sudo openvpn...) just fine - the resulting PID file (and Log file) are 600

```
-rw-------  1 root  users     6 Jul  3 16:22 t_server_null_server-1194_udp.pid
-rw-------  1 root  users     5 Jul  3 16:22 t_server_null_server-1195_tcp.pid
-rw-------  1 root  users   227 Jul  3 16:24 t_server_null_server-1195_tcp.status
-rw-------  1 root  users  1991 Jul  3 16:24 t_server_null_server-1195_tcp.log
-rw-------  1 root  users   227 Jul  3 16:24 t_server_null_server-1194_udp.status
-rw-------  1 root  users  1824 Jul  3 16:24 t_server_null_server-1194_udp.log
```

- some other element running as non-root cannot read the pid file, so assumes "the server process must have been not started", and neither proceeds with the client
- since "the server has not been started" it's not killed either, and on the next run, the port is in use

My suggestion would be to add an `umask 022` to the script that starts the server processes (I do not feel like digging into "why does BB set 077, when the system default is 022", and it *will* bite someone else running from the CLI eventually)

Also, error handling, for "there is a file and I can't read it".
-- To view, visit http://gerrit.openvpn.net/c/openvpn/+/669?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I2cce8ad4e0d262e1404ab1eb6ff673d8590b6b3a Gerrit-Change-Number: 669 Gerrit-PatchSet: 4 Gerrit-Owner: mattock Gerrit-Reviewer: cron2 Gerrit-Reviewer: flichtenheld Gerrit-Reviewer: plaisthos Gerrit-CC: openvpn-devel Gerrit-Attention: plaisthos Gerrit-Attention: mattock Gerrit-Comment-Date: Wed, 03 Jul 2024 14:30:03 + Gerrit-HasComments: Yes Gerrit-Has-Labels: Yes Gerrit-MessageType: comment ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
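An added example, not part of the t_server_null scripts, of the error handling asked for in the comment above: a pid-file check that tells "missing" apart from "present but unreadable" (the root-owned 0600 file left behind by a sudo run under umask 077) and from "stale", plus a polling loop in the style of t_server_null_client.sh that stops with a clear message as soon as it hits an unreadable file instead of counting it as a server that never started. pidfile_state, wait_for_servers and their return codes are this example's own convention.

```sh
# Added example, not part of the t_server_null scripts. pidfile_state and its
# return codes are this example's own convention:
#   0 running, 1 missing, 2 unreadable, 3 not a pid, 4 stale
pidfile_state() {
    f=$1
    if [ ! -e "$f" ]; then
        echo "$f: missing"
        return 1
    fi
    if [ ! -r "$f" ]; then
        # keep mode and owner in the message: that is the umask hint
        echo "$f: unreadable ($(ls -ld "$f" 2>/dev/null | awk '{print $1, $3}'))"
        return 2
    fi
    pid=$(cat "$f")
    case $pid in
        ''|*[!0-9]*)
            echo "$f: does not contain a pid"
            return 3
            ;;
    esac
    # /proc is a builtin-only check on Linux; ps -p covers the BSDs and, unlike
    # kill -0, does not fail with EPERM on a root-owned server process
    if [ -d "/proc/$pid" ] || ps -p "$pid" >/dev/null 2>&1; then
        echo "$f: running, pid $pid"
        return 0
    fi
    echo "$f: stale, pid $pid is not running"
    return 4
}

# Poll the given pid files for up to max_wait seconds, like
# t_server_null_client.sh, but abort early on an unreadable file.
# Returns 0 when all servers are up, 1 on timeout, 2 on an unreadable pid file.
wait_for_servers() {
    max_wait=$1
    shift
    count=0
    while [ "$count" -lt "$max_wait" ]; do
        up=0
        total=0
        for f in "$@"; do
            total=$((total + 1))
            rc=0
            pidfile_state "$f" >/dev/null || rc=$?
            case $rc in
                0) up=$((up + 1)) ;;
                2) pidfile_state "$f" || :
                   return 2 ;;
            esac
        done
        echo "OpenVPN test servers up: $up/$total"
        [ "$up" -ge "$total" ] && return 0
        sleep 1
        count=$((count + 1))
    done
    return 1
}
```

The point of returning a distinct code for the unreadable case is that the caller can print the mode and owner and stop, instead of looping for server_max_wait seconds and then failing with a message that blames the server.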
[Openvpn-devel] [M] Change in openvpn[master]: t_server_null: multiple improvements and fixes
Attention is currently required from: mattock, plaisthos. cron2 has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/669?usp=email )

Change subject: t_server_null: multiple improvements and fixes
..

Patch Set 4:

(1 comment)

Patchset:

PS4:
not `tail -f`, obviously, I was thinking about `tail -20` or so, in case the log ends up being huge

-- To view, visit http://gerrit.openvpn.net/c/openvpn/+/669?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I2cce8ad4e0d262e1404ab1eb6ff673d8590b6b3a Gerrit-Change-Number: 669 Gerrit-PatchSet: 4 Gerrit-Owner: mattock Gerrit-Reviewer: flichtenheld Gerrit-Reviewer: plaisthos Gerrit-CC: cron2 Gerrit-CC: openvpn-devel Gerrit-Attention: plaisthos Gerrit-Attention: mattock Gerrit-Comment-Date: Wed, 03 Jul 2024 14:16:12 + Gerrit-HasComments: Yes Gerrit-Has-Labels: No Gerrit-MessageType: comment ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [M] Change in openvpn[master]: t_server_null: multiple improvements and fixes
Attention is currently required from: mattock, plaisthos. cron2 has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/669?usp=email ) Change subject: t_server_null: multiple improvements and fixes .. Patch Set 4: (1 comment)

Patchset: PS4:

So this works on FreeBSD and OpenBSD (great), while on NetBSD it works *sometimes*, and then it fails to start servers again because the old servers are still running.

When it does not work, the error message could use some improvement

```
make check-TESTS
./t_server_null.sh: sudo /bin/kill -0 succeeded, good.
OpenVPN test servers up: 0/ 2
OpenVPN test servers up: 0/ 2
OpenVPN test servers up: 0/ 2
OpenVPN test servers up: 0/ 2
OpenVPN test servers up: 0/ 2
OpenVPN test servers up: 0/ 2
All clients have disconnected from all servers
Waiting for servers to exit
cat: ./t_server_null_server-1194_udp.pid: No such file or directory
Terminated
[1]   Terminated              ("${@}" 2>&1; es... | tee -a "${log_fi...
```

(like, showing a "tail -f" of the server logs? - which are root-owned and mode 0600, so not trivial. Why are they 0600 anyway, is there an explicit umask call?)

Not sure why the processes got stuck. When running from the CLI the servers are properly terminated... need to re-test from buildbot.

Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I2cce8ad4e0d262e1404ab1eb6ff673d8590b6b3a Gerrit-Change-Number: 669 Gerrit-PatchSet: 4 Gerrit-Owner: mattock Gerrit-Reviewer: flichtenheld Gerrit-Reviewer: plaisthos Gerrit-CC: cron2 Gerrit-CC: openvpn-devel Gerrit-Attention: plaisthos Gerrit-Attention: mattock Gerrit-Comment-Date: Wed, 03 Jul 2024 14:13:57 + Gerrit-HasComments: Yes Gerrit-Has-Labels: No Gerrit-MessageType: comment
[Openvpn-devel] [S] Change in openvpn[master]: configure: Try to detect LZO with pkg-config
cron2 has uploaded a new patch set (#9) to the change originally created by flichtenheld. ( http://gerrit.openvpn.net/c/openvpn/+/556?usp=email ) The following approvals got outdated and were removed: Code-Review+2 by cron2 Change subject: configure: Try to detect LZO with pkg-config .. configure: Try to detect LZO with pkg-config On most systems this should work just fine. v2: - simplify code by removing -llzo special handling v3: - reintroduce support for autodetection without pkg-config, no need to break backwards compatibility right now v7: - Handle case correctly where lzo/lzo1x.h can not be included at all. On most distros this works even though the .pc file suggests to use it without. We had some partly solution for that but it wasn't really working. v8: - Handle systems that do not implicitly include limits.h in configure test builds. lzodefs.h usually relies on lzoconf.h to include it. Change-Id: I1c038dc4ec80d3499582d81eee61fee74f26e693 Signed-off-by: Frank Lichtenheld Acked-by: Gert Doering Message-Id: <20240626161921.179301-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28848.html Signed-off-by: Gert Doering --- M config.h.cmake.in M configure.ac M src/openvpn/lzo.h 3 files changed, 23 insertions(+), 12 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/56/556/9 diff --git a/config.h.cmake.in b/config.h.cmake.in index effca2a..720d679 100644 --- a/config.h.cmake.in +++ b/config.h.cmake.in @@ -178,9 +178,6 @@ /* Define to 1 if you have the header file. */ #cmakedefine HAVE_LINUX_TYPES_H -/* Define to 1 if you have the header file. */ -#define HAVE_LZO_CONF_H - /* Define to 1 if you have the header file. */ #define HAVE_LZO1X_H 1 diff --git a/configure.ac b/configure.ac index c01ad09..555c97e 100644 --- a/configure.ac +++ b/configure.ac 
@@ -1143,8 +1143,17 @@ AC_ARG_VAR([LZO_CFLAGS], [C compiler flags for lzo]) AC_ARG_VAR([LZO_LIBS], [linker flags for lzo]) -have_lzo="yes" -if test -z "${LZO_LIBS}"; then +if test -z "${LZO_CFLAGS}" -a -z "${LZO_LIBS}"; then +# if the user did not explicitly specify flags, try to autodetect +PKG_CHECK_MODULES([LZO], + [lzo2], + [have_lzo="yes"], + [] +) + +if test "${have_lzo}" != "yes"; then + # try to detect without pkg-config + have_lzo="yes" AC_CHECK_LIB( [lzo2], [lzo1x_1_15_compress], @@ -1156,6 +1165,10 @@ [have_lzo="no"] )] ) +fi +else +# assume the user configured it correctly +have_lzo="yes" fi if test "${have_lzo}" = "yes"; then saved_CFLAGS="${CFLAGS}" @@ -1166,8 +1179,11 @@ [AC_CHECK_HEADERS( [lzo1x.h], , - [AC_MSG_ERROR([lzo1x.h is missing])] - )] + [AC_MSG_ERROR([lzo1x.h is missing])], +[#include + #include + #include ] + )], ) CFLAGS="${saved_CFLAGS}" fi diff --git a/src/openvpn/lzo.h b/src/openvpn/lzo.h index 62d73a1..c271527 100644 --- a/src/openvpn/lzo.h +++ b/src/openvpn/lzo.h @@ -37,17 +37,15 @@ * @addtogroup compression * @{ */ -#if defined(HAVE_LZO_CONF_H) +#if defined(HAVE_LZO_LZO1X_H) +#include +#elif defined(HAVE_LZO1X_H) /* The lzo.h magic gets confused and still wants * to include lzo/lzoconf.h even if our include paths * are setup to include the paths without lzo/ */ #include #include -#endif -#if defined(HAVE_LZO_LZO1X_H) -#include -#elif defined(HAVE_LZO1X_H) #include #endif -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/556?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I1c038dc4ec80d3499582d81eee61fee74f26e693 Gerrit-Change-Number: 556 Gerrit-PatchSet: 9 Gerrit-Owner: flichtenheld Gerrit-Reviewer: cron2 Gerrit-Reviewer: plaisthos Gerrit-CC: openvpn-devel Gerrit-MessageType: newpatchset ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
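Review bot: the new condition `if test -z "${LZO_CFLAGS}" -a -z "${LZO_LIBS}"; then` in the first configure.ac hunk uses the `-a` operator of `test`, which POSIX marks obsolescent and the Autoconf portable-shell guidance advises against; `test -z "${LZO_CFLAGS}" && test -z "${LZO_LIBS}"` is the portable spelling. In the same hunk `have_lzo` is no longer initialised before `PKG_CHECK_MODULES` runs (the old `have_lzo="yes"` is removed and the not-found action is `[]`), so the following `if test "${have_lzo}" != "yes"` relies on the variable being unset; an explicit `have_lzo="no"` ahead of the pkg-config probe would make the fallback path obvious.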
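Review bot: the `else` branch added in the second configure.ac hunk sets `have_lzo="yes"` whenever either `LZO_CFLAGS` or `LZO_LIBS` is non-empty, so a user who sets only `LZO_CFLAGS` now skips both pkg-config and the `AC_CHECK_LIB` probe and ends up with an empty `LZO_LIBS`, failing at link time rather than at configure time; the removed code only took that shortcut when `LZO_LIBS` itself was set. Consider still running the `AC_CHECK_LIB` branch when `LZO_LIBS` is empty, or at least emitting an `AC_MSG_WARN` in that case.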
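Review bot: the outer `AC_CHECK_HEADERS` in the third configure.ac hunk now ends with `+ )],` followed by `)`, i.e. a trailing empty fourth argument; Autoconf falls back to the default includes for an empty includes argument, so it is harmless, but the stray comma reads like a leftover and should go. The include prelude handed to the inner `AC_CHECK_HEADERS([lzo1x.h], ...)` is what the v8 note in the commit message describes (lzodefs.h needing limits.h that lzoconf.h would otherwise pull in); a one-line comment beside it saying why those includes are required would spare the next reader a trip to the git log.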
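Review bot: `HAVE_LZO_CONF_H` is dropped from config.h.cmake.in and the lzo.h hunk no longer tests it, but none of the configure.ac hunks removes a header check that would have defined it on the autoconf side, so please confirm no stale `AC_CHECK_HEADERS` entry still sets it. The comment about lzo.h insisting on `lzo/lzoconf.h` now sits inside the `#elif defined(HAVE_LZO1X_H)` branch, which is the only branch it applies to, so that part of the restructuring reads correctly.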
[Openvpn-devel] [S] Change in openvpn[master]: configure: Try to detect LZO with pkg-config
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/556?usp=email ) Change subject: configure: Try to detect LZO with pkg-config .. configure: Try to detect LZO with pkg-config On most systems this should work just fine. v2: - simplify code by removing -llzo special handling v3: - reintroduce support for autodetection without pkg-config, no need to break backwards compatibility right now v7: - Handle case correctly where lzo/lzo1x.h can not be included at all. On most distros this works even though the .pc file suggests to use it without. We had some partly solution for that but it wasn't really working. v8: - Handle systems that do not implicitly include limits.h in configure test builds. lzodefs.h usually relies on lzoconf.h to include it. Change-Id: I1c038dc4ec80d3499582d81eee61fee74f26e693 Signed-off-by: Frank Lichtenheld Acked-by: Gert Doering Message-Id: <20240626161921.179301-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28848.html Signed-off-by: Gert Doering --- M config.h.cmake.in M configure.ac M src/openvpn/lzo.h 3 files changed, 23 insertions(+), 12 deletions(-) diff --git a/config.h.cmake.in b/config.h.cmake.in index effca2a..720d679 100644 --- a/config.h.cmake.in +++ b/config.h.cmake.in @@ -178,9 +178,6 @@ /* Define to 1 if you have the header file. */ #cmakedefine HAVE_LINUX_TYPES_H -/* Define to 1 if you have the header file. */ -#define HAVE_LZO_CONF_H - /* Define to 1 if you have the header file. */ #define HAVE_LZO1X_H 1 diff --git a/configure.ac b/configure.ac index c01ad09..555c97e 100644 --- a/configure.ac +++ b/configure.ac 
@@ -1143,8 +1143,17 @@ AC_ARG_VAR([LZO_CFLAGS], [C compiler flags for lzo]) AC_ARG_VAR([LZO_LIBS], [linker flags for lzo]) -have_lzo="yes" -if test -z "${LZO_LIBS}"; then +if test -z "${LZO_CFLAGS}" -a -z "${LZO_LIBS}"; then +# if the user did not explicitly specify flags, try to autodetect +PKG_CHECK_MODULES([LZO], + [lzo2], + [have_lzo="yes"], + [] +) + +if test "${have_lzo}" != "yes"; then + # try to detect without pkg-config + have_lzo="yes" AC_CHECK_LIB( [lzo2], [lzo1x_1_15_compress], @@ -1156,6 +1165,10 @@ [have_lzo="no"] )] ) +fi +else +# assume the user configured it correctly +have_lzo="yes" fi if test "${have_lzo}" = "yes"; then saved_CFLAGS="${CFLAGS}" @@ -1166,8 +1179,11 @@ [AC_CHECK_HEADERS( [lzo1x.h], , - [AC_MSG_ERROR([lzo1x.h is missing])] - )] + [AC_MSG_ERROR([lzo1x.h is missing])], +[#include + #include + #include ] + )], ) CFLAGS="${saved_CFLAGS}" fi diff --git a/src/openvpn/lzo.h b/src/openvpn/lzo.h index 62d73a1..c271527 100644 --- a/src/openvpn/lzo.h +++ b/src/openvpn/lzo.h @@ -37,17 +37,15 @@ * @addtogroup compression * @{ */ -#if defined(HAVE_LZO_CONF_H) +#if defined(HAVE_LZO_LZO1X_H) +#include +#elif defined(HAVE_LZO1X_H) /* The lzo.h magic gets confused and still wants * to include lzo/lzoconf.h even if our include paths * are setup to include the paths without lzo/ */ #include #include -#endif -#if defined(HAVE_LZO_LZO1X_H) -#include -#elif defined(HAVE_LZO1X_H) #include #endif -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/556?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I1c038dc4ec80d3499582d81eee61fee74f26e693 Gerrit-Change-Number: 556 Gerrit-PatchSet: 9 Gerrit-Owner: flichtenheld Gerrit-Reviewer: cron2 Gerrit-Reviewer: plaisthos Gerrit-CC: openvpn-devel Gerrit-MessageType: merged ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [S] Change in openvpn[master]: configure: Try to detect LZO with pkg-config
Attention is currently required from: plaisthos. cron2 has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/556?usp=email ) Change subject: configure: Try to detect LZO with pkg-config .. Patch Set 8: Code-Review+2 (1 comment)

Patchset: PS8:

this should appease all systems :-) - the to-be-expected fails are server-null, so (at least that's what I expect) not a fault of this patch

Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I1c038dc4ec80d3499582d81eee61fee74f26e693 Gerrit-Change-Number: 556 Gerrit-PatchSet: 8 Gerrit-Owner: flichtenheld Gerrit-Reviewer: cron2 Gerrit-Reviewer: plaisthos Gerrit-CC: openvpn-devel Gerrit-Attention: plaisthos Gerrit-Comment-Date: Wed, 26 Jun 2024 13:51:15 + Gerrit-HasComments: Yes Gerrit-Has-Labels: Yes Gerrit-MessageType: comment
[Openvpn-devel] [S] Change in openvpn[master]: configure: Try to detect LZO with pkg-config
Attention is currently required from: flichtenheld, plaisthos. cron2 has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/556?usp=email ) Change subject: configure: Try to detect LZO with pkg-config .. Patch Set 7: Code-Review+2 (2 comments)

Patchset: PS6:

> close... […]

I think the pc is broken... everything LZO itself includes uses ... but it's the same (`Cflags: -I${includedir}/lzo`) on gentoo... where it just happens to work because `/usr/include` is in the include path anyway. Gah.

Patchset: PS7:

Tested on FreeBSD 14, "configure with no option" -> succeeds & builds fine (LZO in /usr/local/..., make using `-I/usr/local/include/lzo -I/usr/local/include` because that's where cmocka and lz4 are living). Disabling LZ4 makes compilation succeed with only `-I/usr/local/include/lzo`. This is good :-)

All the buildbots still succeed, which means this hasn't broken explicitly setting "whatever we used before".

oi2024 has lzo in `/usr/include/`, so, boring case.

obsd75 has lzo in `/usr/local/include/lzo`, patched configure works, compile works. With `--disable-lz4` there is no mention of `-I/usr/local/include` anymore, and it still succeeds ;-)

nbsd81 has `/usr/pkg/include/lzo/` and the patched configure finds it fine, and then barfs on

```
configure:18379: checking for lzo1x.h
configure:18379: gcc -c -g -O2 -std=c99 -I/usr/pkg/include/lzo conftest.c >&5
In file included from conftest.c:136:0:
/usr/pkg/include/lzo/lzodefs.h:1035:6: error: #error "unexpected configuration - check your compiler defines"
 #error "unexpected configuration - check your compiler defines"
      ^
```

which is something weird about UINT_MAX testing against LZO_0xL. Not sure how to fix that.

It does not break on the buildbot as that one has a symlink from `/usr/include/lzo -> /usr/pkg/include/lzo` (to appease older source trees) - with that, the configure change works fine. Without, it bombs.

I would still tend to progress the patch, unless someone has a good idea how to tackle this...

Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I1c038dc4ec80d3499582d81eee61fee74f26e693 Gerrit-Change-Number: 556 Gerrit-PatchSet: 7 Gerrit-Owner: flichtenheld Gerrit-Reviewer: cron2 Gerrit-Reviewer: plaisthos Gerrit-CC: openvpn-devel Gerrit-Attention: plaisthos Gerrit-Attention: flichtenheld Gerrit-Comment-Date: Wed, 26 Jun 2024 12:29:20 + Gerrit-HasComments: Yes Gerrit-Has-Labels: Yes Comment-In-Reply-To: cron2 Gerrit-MessageType: comment
[Openvpn-devel] [M] Change in openvpn[master]: Http-proxy: fix bug preventing proxy credentials caching
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/523?usp=email ) Change subject: Http-proxy: fix bug preventing proxy credentials caching .. Http-proxy: fix bug preventing proxy credentials caching Caching proxy credentials was not working due to the lack of handling already defined creds in get_user_pass(), which prevented the caching from working properly. Fix this issue by getting the value of c->first_time, that indicates if we're at the first iteration of the main loop and use it as second argument of the get_user_pass_http(). Otherwise, on SIGUSR1 or SIGHUP upon instance context restart credentials would be erased every time. The nocache member has been added to the struct http_proxy_options and also a getter method to retrieve that option from ssl has been added, by doing this we're able to erase previous queried user credentials to ensure correct operation. Fixes: Trac #1187 Signed-off-by: Gianmarco De Gregori Acked-by: Gert Doering Change-Id: Ia3e06c0832c4ca0ab868c845279fb71c01a1a78a Acked-by: Frank Lichtenheld Message-Id: <20240623200551.20092-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28835.html Signed-off-by: Gert Doering --- M doc/man-sections/generic-options.rst M src/openvpn/init.c M src/openvpn/options.c M src/openvpn/proxy.c M src/openvpn/proxy.h M src/openvpn/ssl.c M src/openvpn/ssl.h 7 files changed, 38 insertions(+), 14 deletions(-) diff --git a/doc/man-sections/generic-options.rst b/doc/man-sections/generic-options.rst index eb9cf28..ba9376b 100644 --- a/doc/man-sections/generic-options.rst +++ b/doc/man-sections/generic-options.rst 
@@ -19,9 +19,6 @@ When using ``--auth-nocache`` in combination with a user/password file and ``--chroot`` or ``--daemon``, make sure to use an absolute path. - This directive does not affect the ``--http-proxy`` username/password. - It is always cached. - --cd dir Change directory to ``dir`` prior to reading any files such as configuration files, key files, scripts, etc. ``dir`` should be an diff --git a/src/openvpn/init.c b/src/openvpn/init.c index b081b2f..a49e563 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -691,6 +691,8 @@ if (c->options.ce.http_proxy_options) { +c->options.ce.http_proxy_options->first_time = c->first_time; + /* Possible HTTP proxy user/pass input */ c->c1.http_proxy = http_proxy_new(c->options.ce.http_proxy_options); if (c->c1.http_proxy) diff --git a/src/openvpn/options.c b/src/openvpn/options.c index f2c7536..dbe1425 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -1650,6 +1650,7 @@ SHOW_STR(auth_file); SHOW_STR(auth_file_up); SHOW_BOOL(inline_creds); +SHOW_BOOL(nocache); SHOW_STR(http_version); SHOW_STR(user_agent); for (i = 0; i < MAX_CUSTOM_HTTP_HEADER && o->custom_headers[i].name; i++) @@ -3151,6 +3152,11 @@ ce->flags |= CE_DISABLED; } +if (ce->http_proxy_options) +{ +ce->http_proxy_options->nocache = ssl_get_auth_nocache(); +} + /* our socks code is not fully IPv6 enabled yet (TCP works, UDP not) * so fall back to IPv4-only (trac #1221) */ diff --git a/src/openvpn/proxy.c b/src/openvpn/proxy.c index ba3d87c..5de0da4 100644 --- a/src/openvpn/proxy.c +++ b/src/openvpn/proxy.c @@ -276,7 +276,7 @@ { auth_file = p->options.auth_file_up; } -if (p->queried_creds) +if (p->queried_creds && !static_proxy_user_pass.nocache) { flags |= GET_USER_PASS_PREVIOUS_CREDS_FAILED; } 
@@ -288,9 +288,14 @@ auth_file, UP_TYPE_PROXY, flags); -p->queried_creds = true; -p->up = static_proxy_user_pass; +static_proxy_user_pass.nocache = p->options.nocache; } + +/* + * Using cached credentials + */ +p->queried_creds = true; +p->up = static_proxy_user_pass; } #if 0 @@ -542,7 +547,7 @@ * we know whether we need any. */ if (p->auth_method == HTTP_AUTH_BASIC || p->auth_method == HTTP_AUTH_NTLM2) { -get_user_pass_http(p, true); +get_user_pass_http(p, p->options.first_time); } #if !NTLM @@ -656,6 +661,11 @@ || p->auth_method == HTTP_AUTH_NTLM2) { get_user_pass_http(p, false); + +if (p->up.nocache) +{ +clear_user_pass_http(); +} } /* are we being called again after getting the digest server nonce in the previous transaction? */ @@ -1036,13 +1046,6 @@ } goto error; } - -/* clear state */ -if (p->options.auth_retry) -{ -clear_user_pass_http(); -} -store_proxy_authenticate(p, NULL); } /* check return code, success = 200 */ diff --gi
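Review bot: the generic-options.rst hunk only deletes the sentence saying that `--auth-nocache` does not affect the `--http-proxy` username/password; since the patch makes the option apply to those credentials, the manual should say so explicitly (that `--auth-nocache` now also prevents caching of the HTTP proxy credentials) instead of leaving the reader to infer the new behaviour from the absence of the old caveat.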
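Review bot: `if (p->queried_creds && !static_proxy_user_pass.nocache)` in the first proxy.c hunk means that with `--auth-nocache` set, a re-query after a real proxy authentication failure is no longer flagged with `GET_USER_PASS_PREVIOUS_CREDS_FAILED`, so a management client is never told that the previous credentials were rejected. If the intent is only to avoid flagging the routine re-query that nocache forces, a separate "previous attempt actually failed" indicator would keep that signal intact.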
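Review bot: `p->up = static_proxy_user_pass;` now executes on every call to this function, copying username and password into the per-proxy struct, while the new `if (p->up.nocache) { clear_user_pass_http(); }` in the later hunk clears only the static copy (the body of `clear_user_pass_http()` is not in the diff); unless that function also wipes `p->up`, the plaintext credentials remain in `p->up` for the lifetime of the proxy object, which undercuts the purpose of nocache. Suggest wiping `p->up` (for instance with the project's `secure_memzero()`) whenever the static copy is cleared.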
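Review bot: the last proxy.c hunk removes `store_proxy_authenticate(p, NULL);` together with the `auth_retry`-guarded `clear_user_pass_http();`, but that call was unconditional, so the stored Proxy-Authenticate state is no longer reset on this path; please confirm it is cleared elsewhere, or keep the `store_proxy_authenticate(p, NULL);` line and drop only the credential clearing.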
[Openvpn-devel] [M] Change in openvpn[master]: Http-proxy: fix bug preventing proxy credentials caching
cron2 has uploaded a new patch set (#11) to the change originally created by its_Giaan. ( http://gerrit.openvpn.net/c/openvpn/+/523?usp=email ) The following approvals got outdated and were removed: Code-Review+2 by cron2 Change subject: Http-proxy: fix bug preventing proxy credentials caching .. Http-proxy: fix bug preventing proxy credentials caching Caching proxy credentials was not working due to the lack of handling already defined creds in get_user_pass(), which prevented the caching from working properly. Fix this issue by getting the value of c->first_time, that indicates if we're at the first iteration of the main loop and use it as second argument of the get_user_pass_http(). Otherwise, on SIGUSR1 or SIGHUP upon instance context restart credentials would be erased every time. The nocache member has been added to the struct http_proxy_options and also a getter method to retrieve that option from ssl has been added, by doing this we're able to erase previous queried user credentials to ensure correct operation. Fixes: Trac #1187 Signed-off-by: Gianmarco De Gregori Acked-by: Gert Doering Change-Id: Ia3e06c0832c4ca0ab868c845279fb71c01a1a78a Acked-by: Frank Lichtenheld Message-Id: <20240623200551.20092-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28835.html Signed-off-by: Gert Doering --- M doc/man-sections/generic-options.rst M src/openvpn/init.c M src/openvpn/options.c M src/openvpn/proxy.c M src/openvpn/proxy.h M src/openvpn/ssl.c M src/openvpn/ssl.h 7 files changed, 38 insertions(+), 14 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/23/523/11 diff --git a/doc/man-sections/generic-options.rst b/doc/man-sections/generic-options.rst index eb9cf28..ba9376b 100644 --- a/doc/man-sections/generic-options.rst +++ b/doc/man-sections/generic-options.rst 
@@ -19,9 +19,6 @@ When using ``--auth-nocache`` in combination with a user/password file and ``--chroot`` or ``--daemon``, make sure to use an absolute path. - This directive does not affect the ``--http-proxy`` username/password. - It is always cached. - --cd dir Change directory to ``dir`` prior to reading any files such as configuration files, key files, scripts, etc. ``dir`` should be an diff --git a/src/openvpn/init.c b/src/openvpn/init.c index b081b2f..a49e563 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -691,6 +691,8 @@ if (c->options.ce.http_proxy_options) { +c->options.ce.http_proxy_options->first_time = c->first_time; + /* Possible HTTP proxy user/pass input */ c->c1.http_proxy = http_proxy_new(c->options.ce.http_proxy_options); if (c->c1.http_proxy) diff --git a/src/openvpn/options.c b/src/openvpn/options.c index f2c7536..dbe1425 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -1650,6 +1650,7 @@ SHOW_STR(auth_file); SHOW_STR(auth_file_up); SHOW_BOOL(inline_creds); +SHOW_BOOL(nocache); SHOW_STR(http_version); SHOW_STR(user_agent); for (i = 0; i < MAX_CUSTOM_HTTP_HEADER && o->custom_headers[i].name; i++) @@ -3151,6 +3152,11 @@ ce->flags |= CE_DISABLED; } +if (ce->http_proxy_options) +{ +ce->http_proxy_options->nocache = ssl_get_auth_nocache(); +} + /* our socks code is not fully IPv6 enabled yet (TCP works, UDP not) * so fall back to IPv4-only (trac #1221) */ diff --git a/src/openvpn/proxy.c b/src/openvpn/proxy.c index ba3d87c..5de0da4 100644 --- a/src/openvpn/proxy.c +++ b/src/openvpn/proxy.c @@ -276,7 +276,7 @@ { auth_file = p->options.auth_file_up; } -if (p->queried_creds) +if (p->queried_creds && !static_proxy_user_pass.nocache) { flags |= GET_USER_PASS_PREVIOUS_CREDS_FAILED; } 
@@ -288,9 +288,14 @@ auth_file, UP_TYPE_PROXY, flags); -p->queried_creds = true; -p->up = static_proxy_user_pass; +static_proxy_user_pass.nocache = p->options.nocache; } + +/* + * Using cached credentials + */ +p->queried_creds = true; +p->up = static_proxy_user_pass; } #if 0 @@ -542,7 +547,7 @@ * we know whether we need any. */ if (p->auth_method == HTTP_AUTH_BASIC || p->auth_method == HTTP_AUTH_NTLM2) { -get_user_pass_http(p, true); +get_user_pass_http(p, p->options.first_time); } #if !NTLM @@ -656,6 +661,11 @@ || p->auth_method == HTTP_AUTH_NTLM2) { get_user_pass_http(p, false); + +if (p->up.nocache) +{ +clear_user_pass_http(); +} } /* are we being called again after getting the digest server nonce in the previous transaction? */ @@ -1036,13 +1046,6 @@ } goto error; } - -/* clear st
[Openvpn-devel] [M] Change in openvpn[master]: Http-proxy: fix bug preventing proxy credentials caching
Attention is currently required from: flichtenheld, its_Giaan, plaisthos. cron2 has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/523?usp=email ) Change subject: Http-proxy: fix bug preventing proxy credentials caching .. Patch Set 10: Code-Review+2 Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Ia3e06c0832c4ca0ab868c845279fb71c01a1a78a Gerrit-Change-Number: 523 Gerrit-PatchSet: 10 Gerrit-Owner: its_Giaan Gerrit-Reviewer: cron2 Gerrit-Reviewer: flichtenheld Gerrit-Reviewer: plaisthos Gerrit-CC: openvpn-devel Gerrit-Attention: plaisthos Gerrit-Attention: its_Giaan Gerrit-Attention: flichtenheld Gerrit-Comment-Date: Sun, 23 Jun 2024 20:05:16 + Gerrit-HasComments: No Gerrit-Has-Labels: Yes Gerrit-MessageType: comment
[Openvpn-devel] [S] Change in openvpn[master]: configure: Add -Wstrict-prototypes and -Wold-style-definition
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/667?usp=email ) Change subject: configure: Add -Wstrict-prototypes and -Wold-style-definition .. configure: Add -Wstrict-prototypes and -Wold-style-definition These are not covered by -Wall (nor -Wextra) but we want to enforce them. Change-Id: I6e08920e4cf4762b9f14a7461a29fa77df15255c Signed-off-by: Frank Lichtenheld Acked-by: Gert Doering Message-Id: <20240620144230.19586-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28823.html Signed-off-by: Gert Doering --- M configure.ac M src/openvpn/dco.h M src/openvpn/dco_freebsd.c M src/openvpn/dco_linux.c M src/openvpn/pkcs11.h M src/openvpn/sig.c M src/openvpn/ssl.c M src/openvpn/ssl.h M src/openvpn/xkey_helper.c M src/openvpn/xkey_provider.c M tests/unit_tests/openvpn/test_common.h M tests/unit_tests/openvpn/test_pkcs11.c M tests/unit_tests/openvpn/test_provider.c M tests/unit_tests/openvpn/test_ssl.c M tests/unit_tests/plugins/auth-pam/test_search_and_replace.c 15 files changed, 25 insertions(+), 23 deletions(-) diff --git a/configure.ac b/configure.ac index 2e5ab6a..c01ad09 100644 --- a/configure.ac +++ b/configure.ac @@ -1408,6 +1408,8 @@ ) ACL_CHECK_ADD_COMPILE_FLAGS([-Wno-stringop-truncation]) +ACL_CHECK_ADD_COMPILE_FLAGS([-Wstrict-prototypes]) +ACL_CHECK_ADD_COMPILE_FLAGS([-Wold-style-definition]) ACL_CHECK_ADD_COMPILE_FLAGS([-Wall]) if test "${enable_pedantic}" = "yes"; then diff --git a/src/openvpn/dco.h b/src/openvpn/dco.h index 50ebb35..035474f 100644 --- a/src/openvpn/dco.h +++ b/src/openvpn/dco.h @@ -247,7 +247,7 @@ * * @return list of colon-separated ciphers */ -const char *dco_get_supported_ciphers(); +const char *dco_get_supported_ciphers(void); #else /* if defined(ENABLE_DCO) */ @@ -375,7 +375,7 @@ } static inline const char * -dco_get_supported_ciphers() +dco_get_supported_ciphers(void) { return ""; } 
diff --git a/src/openvpn/dco_freebsd.c b/src/openvpn/dco_freebsd.c index 7c8b29c..9a90f5c 100644 --- a/src/openvpn/dco_freebsd.c +++ b/src/openvpn/dco_freebsd.c @@ -773,7 +773,7 @@ } const char * -dco_get_supported_ciphers() +dco_get_supported_ciphers(void) { return "none:AES-256-GCM:AES-192-GCM:AES-128-GCM:CHACHA20-POLY1305"; } diff --git a/src/openvpn/dco_linux.c b/src/openvpn/dco_linux.c index b2584b9..277cd64 100644 --- a/src/openvpn/dco_linux.c +++ b/src/openvpn/dco_linux.c @@ -1053,7 +1053,7 @@ } const char * -dco_get_supported_ciphers() +dco_get_supported_ciphers(void) { return "AES-128-GCM:AES-256-GCM:AES-192-GCM:CHACHA20-POLY1305"; } diff --git a/src/openvpn/pkcs11.h b/src/openvpn/pkcs11.h index 3caedc0..772fa4e 100644 --- a/src/openvpn/pkcs11.h +++ b/src/openvpn/pkcs11.h @@ -35,7 +35,7 @@ ); void -pkcs11_terminate(); +pkcs11_terminate(void); bool pkcs11_addProvider( @@ -46,10 +46,10 @@ ); int -pkcs11_logout(); +pkcs11_logout(void); int -pkcs11_management_id_count(); +pkcs11_management_id_count(void); bool pkcs11_management_id_get( diff --git a/src/openvpn/sig.c b/src/openvpn/sig.c index cfbd942..8323f0d 100644 --- a/src/openvpn/sig.c +++ b/src/openvpn/sig.c @@ -448,7 +448,7 @@ } void -halt_low_priority_signals() +halt_low_priority_signals(void) { #ifndef _WIN32 struct sigaction sa; diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 2054eb4..17078c9 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -277,7 +277,7 @@ #endif void -enable_auth_user_pass() +enable_auth_user_pass(void) { auth_user_pass_enabled = true; } diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h index 98e59e8..0e2a43f 100644 --- a/src/openvpn/ssl.h +++ b/src/openvpn/ssl.h @@ -381,7 +381,7 @@ void pem_password_setup(const char *auth_file); /* Enables the use of user/password authentication */ -void enable_auth_user_pass(); +void enable_auth_user_pass(void); /* * Setup authentication username and password. If auth_file is given, use the 
diff --git a/src/openvpn/xkey_helper.c b/src/openvpn/xkey_helper.c index 283c95d..b68fb43 100644 --- a/src/openvpn/xkey_helper.c +++ b/src/openvpn/xkey_helper.c @@ -49,7 +49,7 @@ XKEY_EXTERNAL_SIGN_fn xkey_management_sign; static void -print_openssl_errors() +print_openssl_errors(void) { unsigned long e; while ((e = ERR_get_error())) diff --git a/src/openvpn/xkey_provider.c b/src/openvpn/xkey_provider.c index f5fc956..964d2eb 100644 --- a/src/openvpn/xkey_provider.c +++ b/src/openvpn/xkey_provider.c @@ -155,7 +155,7 @@ keymgmt_import_helper(XKEY_KEYDATA *key, const OSSL_PARAM params[]); static XKEY_KEYDATA * -keydata_new() +keydata_new(void) { xkey_dmsg(D_XKEY, "entry"); diff --git a/tests/unit_tests/openvpn/test_common.h b/tests/unit_tests/openvpn/test_common.h index f219e93..52503c6 100644 --- a/tests/unit_tests/openvpn/test_common.h +++ b/tests/unit_tests/openvpn/test_common.h @@ -33,7 +33
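Review bot: the commit message says the two warnings are to be "enforced", but the configure.ac hunk only adds `-Wstrict-prototypes` and `-Wold-style-definition` through `ACL_CHECK_ADD_COMPILE_FLAGS` as warnings, so they are enforced only on builds that also pass `-Werror`; either name the CI configuration that does so or soften the wording to "enabled". Both options are C-only, so the probe macro is what keeps a compiler that rejects them from breaking the build; a short comment above the two lines noting that would help whoever next reorders this block.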
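Review bot: the pkcs11.h hunk changes the declarations of `pkcs11_terminate`, `pkcs11_logout` and `pkcs11_management_id_count` to `(void)`, but `src/openvpn/pkcs11.c` is not among the 15 changed files; as PKCS#11 support is optional and its definitions are only compiled when it is enabled, please confirm those definitions already use `(void)`, otherwise `-Wold-style-definition` will fire on every build that enables it.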
[Openvpn-devel] [S] Change in openvpn[master]: configure: Add -Wstrict-prototypes and -Wold-style-definition
cron2 has uploaded a new patch set (#5) to the change originally created by flichtenheld. ( http://gerrit.openvpn.net/c/openvpn/+/667?usp=email ) The following approvals got outdated and were removed: Code-Review+2 by cron2 Change subject: configure: Add -Wstrict-prototypes and -Wold-style-definition .. configure: Add -Wstrict-prototypes and -Wold-style-definition These are not covered by -Wall (nor -Wextra) but we want to enforce them. Change-Id: I6e08920e4cf4762b9f14a7461a29fa77df15255c Signed-off-by: Frank Lichtenheld Acked-by: Gert Doering Message-Id: <20240620144230.19586-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28823.html Signed-off-by: Gert Doering --- M configure.ac M src/openvpn/dco.h M src/openvpn/dco_freebsd.c M src/openvpn/dco_linux.c M src/openvpn/pkcs11.h M src/openvpn/sig.c M src/openvpn/ssl.c M src/openvpn/ssl.h M src/openvpn/xkey_helper.c M src/openvpn/xkey_provider.c M tests/unit_tests/openvpn/test_common.h M tests/unit_tests/openvpn/test_pkcs11.c M tests/unit_tests/openvpn/test_provider.c M tests/unit_tests/openvpn/test_ssl.c M tests/unit_tests/plugins/auth-pam/test_search_and_replace.c 15 files changed, 25 insertions(+), 23 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/67/667/5 diff --git a/configure.ac b/configure.ac index 2e5ab6a..c01ad09 100644 --- a/configure.ac +++ b/configure.ac @@ -1408,6 +1408,8 @@ ) ACL_CHECK_ADD_COMPILE_FLAGS([-Wno-stringop-truncation]) +ACL_CHECK_ADD_COMPILE_FLAGS([-Wstrict-prototypes]) +ACL_CHECK_ADD_COMPILE_FLAGS([-Wold-style-definition]) ACL_CHECK_ADD_COMPILE_FLAGS([-Wall]) if test "${enable_pedantic}" = "yes"; then diff --git a/src/openvpn/dco.h b/src/openvpn/dco.h index 50ebb35..035474f 100644 --- a/src/openvpn/dco.h +++ b/src/openvpn/dco.h @@ -247,7 +247,7 @@ * * @return list of colon-separated ciphers */ -const char *dco_get_supported_ciphers(); +const char *dco_get_supported_ciphers(void); #else /* if defined(ENABLE_DCO) */ 
@@ -375,7 +375,7 @@ } static inline const char * -dco_get_supported_ciphers() +dco_get_supported_ciphers(void) { return ""; } diff --git a/src/openvpn/dco_freebsd.c b/src/openvpn/dco_freebsd.c index 7c8b29c..9a90f5c 100644 --- a/src/openvpn/dco_freebsd.c +++ b/src/openvpn/dco_freebsd.c @@ -773,7 +773,7 @@ } const char * -dco_get_supported_ciphers() +dco_get_supported_ciphers(void) { return "none:AES-256-GCM:AES-192-GCM:AES-128-GCM:CHACHA20-POLY1305"; } diff --git a/src/openvpn/dco_linux.c b/src/openvpn/dco_linux.c index b2584b9..277cd64 100644 --- a/src/openvpn/dco_linux.c +++ b/src/openvpn/dco_linux.c @@ -1053,7 +1053,7 @@ } const char * -dco_get_supported_ciphers() +dco_get_supported_ciphers(void) { return "AES-128-GCM:AES-256-GCM:AES-192-GCM:CHACHA20-POLY1305"; } diff --git a/src/openvpn/pkcs11.h b/src/openvpn/pkcs11.h index 3caedc0..772fa4e 100644 --- a/src/openvpn/pkcs11.h +++ b/src/openvpn/pkcs11.h @@ -35,7 +35,7 @@ ); void -pkcs11_terminate(); +pkcs11_terminate(void); bool pkcs11_addProvider( @@ -46,10 +46,10 @@ ); int -pkcs11_logout(); +pkcs11_logout(void); int -pkcs11_management_id_count(); +pkcs11_management_id_count(void); bool pkcs11_management_id_get( diff --git a/src/openvpn/sig.c b/src/openvpn/sig.c index cfbd942..8323f0d 100644 --- a/src/openvpn/sig.c +++ b/src/openvpn/sig.c @@ -448,7 +448,7 @@ } void -halt_low_priority_signals() +halt_low_priority_signals(void) { #ifndef _WIN32 struct sigaction sa; diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 2054eb4..17078c9 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -277,7 +277,7 @@ #endif void -enable_auth_user_pass() +enable_auth_user_pass(void) { auth_user_pass_enabled = true; } diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h index 98e59e8..0e2a43f 100644 --- a/src/openvpn/ssl.h +++ b/src/openvpn/ssl.h 
@@ -381,7 +381,7 @@ void pem_password_setup(const char *auth_file); /* Enables the use of user/password authentication */ -void enable_auth_user_pass(); +void enable_auth_user_pass(void); /* * Setup authentication username and password. If auth_file is given, use the diff --git a/src/openvpn/xkey_helper.c b/src/openvpn/xkey_helper.c index 283c95d..b68fb43 100644 --- a/src/openvpn/xkey_helper.c +++ b/src/openvpn/xkey_helper.c @@ -49,7 +49,7 @@ XKEY_EXTERNAL_SIGN_fn xkey_management_sign; static void -print_openssl_errors() +print_openssl_errors(void) { unsigned long e; while ((e = ERR_get_error())) diff --git a/src/openvpn/xkey_provider.c b/src/openvpn/xkey_provider.c index f5fc956..964d2eb 100644 --- a/src/openvpn/xkey_provider.c +++ b/src/openvpn/xkey_provider.c @@ -155,7 +155,7 @@ keymgmt_import_helper(XKEY_KEYDATA *key, const OSSL_PARAM params[]); static XKEY_KEYDATA * -keydata_new() +keydata_new(void) { xkey_dmsg(D_XKEY, "entry"); diff --git a/tests
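Review bot: in the configure.ac hunk both flags go through ACL_CHECK_ADD_COMPILE_FLAGS, which, going by its name, only adds a flag the compiler accepts, so a compiler that rejects `-Wstrict-prototypes` or `-Wold-style-definition` builds silently without it, and even where accepted a warning alone does not "enforce" anything as the commit message puts it; enforcement only happens in the -Werror builds that the review thread refers to as the buildbots. A sentence in the commit message saying that would stop the next reader from taking a warning-free local `./configure && make` as the check.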
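Review bot: the dco.h hunk is worth calling out as more than style: before C23, `const char *dco_get_supported_ciphers();` declares a function with unspecified parameters, so a call such as `dco_get_supported_ciphers(42)` compiles without a diagnostic, whereas `(void)` makes the compiler reject it. The same holds for every `()` to `(void)` hunk that follows (sig.c, ssl.c, ssl.h, xkey_helper.c, xkey_provider.c); one line to that effect in the commit message would keep "not covered by -Wall" from reading as purely cosmetic.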
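Review bot: the pkcs11.h hunk fixes the prototypes of `pkcs11_terminate`, `pkcs11_logout` and `pkcs11_management_id_count`, but src/openvpn/pkcs11.c is not in the file list; `-Wold-style-definition` is the flag that catches the definitions, so please confirm they already read `(void)` there, otherwise the buildbots will report them on the next round.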
[Openvpn-devel] [S] Change in openvpn[master]: configure: Add -Wstrict-prototypes and -Wold-style-definition
Attention is currently required from: flichtenheld, plaisthos. cron2 has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/667?usp=email ) Change subject: configure: Add -Wstrict-prototypes and -Wold-style-definition .. Patch Set 4: Code-Review+2 -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/667?usp=email Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I6e08920e4cf4762b9f14a7461a29fa77df15255c Gerrit-Change-Number: 667 Gerrit-PatchSet: 4 Gerrit-Owner: flichtenheld Gerrit-Reviewer: cron2 Gerrit-Reviewer: plaisthos Gerrit-CC: openvpn-devel Gerrit-Attention: plaisthos Gerrit-Attention: flichtenheld Gerrit-Comment-Date: Thu, 20 Jun 2024 14:42:16 + Gerrit-HasComments: No Gerrit-Has-Labels: Yes Gerrit-MessageType: comment
[Openvpn-devel] [XS] Change in openvpn[master]: t_server_null.sh: Fix failure case
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/668?usp=email ) Change subject: t_server_null.sh: Fix failure case .. t_server_null.sh: Fix failure case The changes for POSIX shell compatibility and parallel make compatibility broke actually failing the test when a subtest fails. Change-Id: I35f7cf84e035bc793d6f0f59e46edf1a2efe0391 Signed-off-by: Frank Lichtenheld Acked-by: Samuli Seppänen Message-Id: <20240620103749.7923-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28815.html Signed-off-by: Gert Doering --- M tests/t_server_null.sh M tests/t_server_null_client.sh 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/tests/t_server_null.sh b/tests/t_server_null.sh index cfca5ee..0e53ba4 100755 --- a/tests/t_server_null.sh +++ b/tests/t_server_null.sh @@ -64,9 +64,12 @@ fi "${srcdir}/t_server_null_client.sh" +retval=$? # When running make jobs in parallel ("make -j check") we need to ensure # that this script does not exit before all --dev null servers are dead and # their network interfaces are gone. Otherwise t_client.sh will fail because # pre and post ifconfig output does not match. wait + +exit $retval diff --git a/tests/t_server_null_client.sh b/tests/t_server_null_client.sh index 5d5542b..8890007 100755 --- a/tests/t_server_null_client.sh +++ b/tests/t_server_null_client.sh 
@@ -130,7 +130,7 @@ eval test_name=\"\$TEST_NAME_$SUF\" eval should_pass=\"\$SHOULD_PASS_$SUF\" -(get_client_test_result "${test_name}" "${should_pass}") +get_client_test_result "${test_name}" "${should_pass}" done exit $retval -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/668?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I35f7cf84e035bc793d6f0f59e46edf1a2efe0391 Gerrit-Change-Number: 668 Gerrit-PatchSet: 2 Gerrit-Owner: flichtenheld Gerrit-Reviewer: mattock Gerrit-Reviewer: plaisthos Gerrit-CC: openvpn-devel Gerrit-MessageType: merged ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
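Review bot: in the t_server_null.sh hunk, `retval=$?` is taken directly after the client script and before the `wait`, which is the right order: `wait` with no operands always returns 0 and would otherwise have masked the failure. What the hunk still leaves open is a server that never exits; `wait` then blocks the whole `make check` run rather than failing it, so a bounded wait (polling the server PIDs with a timeout and exiting non-zero when it expires) would turn a hung `--dev null` server into a test failure instead of a hang.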
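Review bot: in the t_server_null_client.sh hunk, removing the parentheses around `get_client_test_result` is what lets the function's `retval` assignment reach the `exit $retval` after the loop, as the commit message says; the flip side is that any other change the function makes to shell state (cd, set, other variables) now leaks into the following loop iterations, so it is worth a glance that the function only sets `retval`. A one-line comment at the call site saying the call must not run in a subshell would also help, since the subshell was introduced deliberately for POSIX compatibility and someone may well put it back.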
[Openvpn-devel] [XS] Change in openvpn[master]: t_server_null.sh: Fix failure case
cron2 has uploaded a new patch set (#2) to the change originally created by flichtenheld. ( http://gerrit.openvpn.net/c/openvpn/+/668?usp=email ) The following approvals got outdated and were removed: Code-Review+2 by mattock Change subject: t_server_null.sh: Fix failure case .. t_server_null.sh: Fix failure case The changes for POSIX shell compatibility and parallel make compatibility broke actually failing the test when a subtest fails. Change-Id: I35f7cf84e035bc793d6f0f59e46edf1a2efe0391 Signed-off-by: Frank Lichtenheld Acked-by: Samuli Seppänen Message-Id: <20240620103749.7923-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28815.html Signed-off-by: Gert Doering --- M tests/t_server_null.sh M tests/t_server_null_client.sh 2 files changed, 4 insertions(+), 1 deletion(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/68/668/2 diff --git a/tests/t_server_null.sh b/tests/t_server_null.sh index cfca5ee..0e53ba4 100755 --- a/tests/t_server_null.sh +++ b/tests/t_server_null.sh @@ -64,9 +64,12 @@ fi "${srcdir}/t_server_null_client.sh" +retval=$? # When running make jobs in parallel ("make -j check") we need to ensure # that this script does not exit before all --dev null servers are dead and # their network interfaces are gone. Otherwise t_client.sh will fail because # pre and post ifconfig output does not match. wait + +exit $retval diff --git a/tests/t_server_null_client.sh b/tests/t_server_null_client.sh index 5d5542b..8890007 100755 --- a/tests/t_server_null_client.sh +++ b/tests/t_server_null_client.sh 
@@ -130,7 +130,7 @@ eval test_name=\"\$TEST_NAME_$SUF\" eval should_pass=\"\$SHOULD_PASS_$SUF\" -(get_client_test_result "${test_name}" "${should_pass}") +get_client_test_result "${test_name}" "${should_pass}" done exit $retval -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/668?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I35f7cf84e035bc793d6f0f59e46edf1a2efe0391 Gerrit-Change-Number: 668 Gerrit-PatchSet: 2 Gerrit-Owner: flichtenheld Gerrit-Reviewer: mattock Gerrit-Reviewer: plaisthos Gerrit-CC: openvpn-devel Gerrit-MessageType: newpatchset ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [S] Change in openvpn[master]: configure: Add -Wstrict-prototypes and -Wold-style-definition
Attention is currently required from: flichtenheld, plaisthos. cron2 has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/667?usp=email ) Change subject: configure: Add -Wstrict-prototypes and -Wold-style-definition .. Patch Set 2: Code-Review+2 (1 comment) Patchset: PS2: changes look good, more places caught :-) - let's see if the buildbots find more. -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/667?usp=email Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I6e08920e4cf4762b9f14a7461a29fa77df15255c Gerrit-Change-Number: 667 Gerrit-PatchSet: 2 Gerrit-Owner: flichtenheld Gerrit-Reviewer: cron2 Gerrit-Reviewer: plaisthos Gerrit-CC: openvpn-devel Gerrit-Attention: plaisthos Gerrit-Attention: flichtenheld Gerrit-Comment-Date: Wed, 19 Jun 2024 14:28:16 + Gerrit-HasComments: Yes Gerrit-Has-Labels: Yes Gerrit-MessageType: comment
[Openvpn-devel] [S] Change in openvpn[master]: configure: Add -Wstrict-prototypes and -Wold-style-definition
Attention is currently required from: flichtenheld, plaisthos. cron2 has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/667?usp=email ) Change subject: configure: Add -Wstrict-prototypes and -Wold-style-definition .. Patch Set 1: Code-Review+2 (1 comment) Patchset: PS1: Looks good, thanks. Now waiting for the buildbots to express their happiness... -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/667?usp=email Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I6e08920e4cf4762b9f14a7461a29fa77df15255c Gerrit-Change-Number: 667 Gerrit-PatchSet: 1 Gerrit-Owner: flichtenheld Gerrit-Reviewer: cron2 Gerrit-Reviewer: plaisthos Gerrit-CC: openvpn-devel Gerrit-Attention: plaisthos Gerrit-Attention: flichtenheld Gerrit-Comment-Date: Wed, 19 Jun 2024 11:05:33 + Gerrit-HasComments: Yes Gerrit-Has-Labels: Yes Gerrit-MessageType: comment
[Openvpn-devel] [M] Change in openvpn[master]: Http-proxy: fix bug preventing proxy credentials caching
Attention is currently required from: its_Giaan, plaisthos. cron2 has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/523?usp=email ) Change subject: Http-proxy: fix bug preventing proxy credentials caching .. Patch Set 8: Code-Review-1 (3 comments) Patchset: PS8: Minor nitpick: function call and prototype having empty brackets `()` instead of proper `(void)`. This needs to be fixed, and I can't do code changes on merge. File src/openvpn/ssl.h: http://gerrit.openvpn.net/c/openvpn/+/523/comment/5680c4c5_ce81e31d : PS8, Line 402: bool ssl_get_auth_nocache(); this needs to have a `(void)` there. File src/openvpn/ssl.c: http://gerrit.openvpn.net/c/openvpn/+/523/comment/7c301b9f_a12ccb3f : PS8, Line 341: ssl_get_auth_nocache() this needs to have a `(void)` there. -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/523?usp=email Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Ia3e06c0832c4ca0ab868c845279fb71c01a1a78a Gerrit-Change-Number: 523 Gerrit-PatchSet: 8 Gerrit-Owner: its_Giaan Gerrit-Reviewer: cron2 Gerrit-Reviewer: flichtenheld Gerrit-Reviewer: plaisthos Gerrit-CC: openvpn-devel Gerrit-Attention: plaisthos Gerrit-Attention: its_Giaan Gerrit-Comment-Date: Wed, 19 Jun 2024 10:17:14 + Gerrit-HasComments: Yes Gerrit-Has-Labels: Yes Gerrit-MessageType: comment
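The `()` versus `(void)` point that this review comment and the `-Wstrict-prototypes` / `-Wold-style-definition` change for 667 above both turn on is easy to check mechanically before the buildbots do. The Python checker below is an added example, not code from the OpenVPN project: it finds prototypes and definitions written as `name()` in C source (the pattern those two GCC flags diagnose) and rewrites them to `name(void)`, the fix the 667 patch applies by hand. Before C23, `name()` in a declaration means "parameters unspecified", so a call such as `ssl_get_auth_nocache(42)` compiles without a diagnostic; `name(void)` makes the compiler reject it. The sample source is constructed, modelled on the hunks in 667, and the heuristics (a return type on the same line, or a type-only previous line, which is how OpenVPN formats definitions) are this example's own and not a full C parser.

```python
import re

# Keywords that may precede "name()" on a statement line but can never be part
# of a declarator's return type; lines carrying them are calls, not prototypes.
_NOT_A_TYPE = {"return", "else", "case", "goto", "sizeof", "if", "while",
               "for", "switch", "do"}

# name() followed by ';' (prototype), '{' (definition) or end of line
# (definition whose '{' sits on the next line, the OpenVPN style).
_EMPTY_PARENS = re.compile(
    r"^(?P<prefix>[\w\s\*]*?)\b(?P<name>[A-Za-z_]\w*)\s*\(\s*\)\s*(?P<tail>;|\{)?\s*$"
)

# A line made only of type tokens, e.g. "void" or "static inline const char *".
_TYPE_ONLY_LINE = re.compile(r"^[\w\s\*]+$")


def _prev_code_line(lines, idx):
    """Nearest earlier line that is neither blank nor a comment, or ''."""
    for j in range(idx - 1, -1, -1):
        s = lines[j].strip()
        if s and not s.startswith(("//", "/*", "*")):
            return s
    return ""


def find_empty_parens(src):
    """Return [(line_no, name)] for every prototype or definition spelled name().

    A hit needs a return type before the name, either on the same line or as a
    type-only previous line; a bare "name();" after '{' or ';' is a call and is
    left alone. Heuristic, not a C parser (assumption of this example).
    """
    lines = src.splitlines()
    findings = []
    for i, line in enumerate(lines):
        m = _EMPTY_PARENS.match(line)
        if not m:
            continue
        name = m.group("name")
        prefix_tokens = m.group("prefix").replace("*", " ").split()
        if name in _NOT_A_TYPE or any(t in _NOT_A_TYPE for t in prefix_tokens):
            continue
        if prefix_tokens:
            typed = True
        else:
            prev = _prev_code_line(lines, i)
            typed = (bool(_TYPE_ONLY_LINE.match(prev))
                     and prev.split()[-1].strip("*") not in _NOT_A_TYPE)
        if typed:
            findings.append((i + 1, name))
    return findings


def add_void(src):
    """Rewrite every finding from name() to name(void), the fix the patch makes."""
    lines = src.splitlines(keepends=True)
    for line_no, name in find_empty_parens(src):
        lines[line_no - 1] = re.sub(
            r"\b" + re.escape(name) + r"\s*\(\s*\)", name + "(void)",
            lines[line_no - 1], count=1)
    return "".join(lines)


# Constructed sample, modelled on the hunks in change 667: two prototypes and
# two definitions with (), one already-correct (void) definition, and two plain
# calls that must not be touched.
SAMPLE = """\
/* constructed sample, modelled on the hunks in this change */
const char *dco_get_supported_ciphers();

static inline const char *
dco_get_supported_ciphers()
{
    return "";
}

void
pkcs11_terminate();

void
enable_auth_user_pass(void)
{
    auth_user_pass_enabled = true;
}

static void
print_openssl_errors()
{
    unsigned long e;
    while ((e = ERR_get_error()))
    {
        pkcs11_terminate();
    }
    return;
}
"""

if __name__ == "__main__":
    for line_no, name in find_empty_parens(SAMPLE):
        print(f"line {line_no}: {name}() should be {name}(void)")
```

Running `find_empty_parens` over a file before pushing gives the same list a -Werror build with the two flags would produce; `add_void` applies the mechanical rewrite, which still wants a look over, since `()` inside a macro body or in K&R-style code needs different treatment than a simple prototype.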
[Openvpn-devel] [M] Change in openvpn[master]: Route: add support for user defined routing table
Attention is currently required from: its_Giaan, plaisthos. cron2 has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/524?usp=email ) Change subject: Route: add support for user defined routing table .. Patch Set 4: Code-Review-1 (1 comment) Patchset: PS4: Sorry for being late to the party - I have looked at it, and while the general code works, I find it a bit excessive in lines of code. Namely, I would opt for "do not support route-table as an extra argument to `route`", as this + the checks really makes up half the code - for little value. Since it's not supposed to be pushable, routes-with-table need to be in the client config, and in that case, I could just put ``` route-table 123 route route route-table 456 route route route-table 999 # for everything that comes in pushed ``` into my config. If I ever really need more than 1-2 route tables. Also, we shouldn't have `#ifdef ENABLE_SITNL` in the parser for `route` and `route-ipv6`... Further, the hunk ``` +int table_id = 0; /* unspec table */ ... +if (options->route_default_table_id) +{ +table_id = options->route_default_table_id; +} ``` is sort of semi-useful - if route_default_table_id is 0, we do not assign it to table_id, which is also 0. Why bother with an extra variable here that will have the same value as the `options` variable, at all times? I'd just pass `options->route_default_table_id` downwards, and be done with it. The `do_init_route_ipv6_list()` code also does the `table_id = ...` dance, but then passes NULL towards `add_route_ipv6_to_option_list()`, which does not look intentional... 
-- To view, visit http://gerrit.openvpn.net/c/openvpn/+/524?usp=email Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I3e4ebef484d2a04a383a65ede5617ee98bf218a7 Gerrit-Change-Number: 524 Gerrit-PatchSet: 4 Gerrit-Owner: its_Giaan Gerrit-Reviewer: cron2 Gerrit-Reviewer: flichtenheld Gerrit-Reviewer: plaisthos Gerrit-CC: openvpn-devel Gerrit-Attention: plaisthos Gerrit-Attention: its_Giaan Gerrit-Comment-Date: Wed, 19 Jun 2024 09:13:14 + Gerrit-HasComments: Yes Gerrit-Has-Labels: Yes Gerrit-MessageType: comment
[Openvpn-devel] [L] Change in openvpn[master]: Add t_server_null test suite
cron2 has uploaded a new patch set (#3) to the change originally created by mattock. ( http://gerrit.openvpn.net/c/openvpn/+/663?usp=email ) The following approvals got outdated and were removed: Code-Review+2 by flichtenheld Change subject: Add t_server_null test suite .. Add t_server_null test suite Change-Id: I1b54da258c7d15551b6c3de7522a0d19afdb66de Signed-off-by: Samuli Seppänen Acked-by: Frank Lichtenheld Message-Id: <20240613081422.139493-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28750.html Signed-off-by: Gert Doering --- M .gitignore A doc/t_server_null.rst M tests/Makefile.am A tests/null_client_up.sh A tests/t_server_null.rc-sample A tests/t_server_null.sh A tests/t_server_null_client.sh A tests/t_server_null_default.rc A tests/t_server_null_server.sh A tests/t_server_null_stress.sh 10 files changed, 568 insertions(+), 2 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/63/663/3 diff --git a/.gitignore b/.gitignore index 92d65bf..db8bb73 100644 --- a/.gitignore +++ b/.gitignore @@ -55,6 +55,7 @@ tests/t_client.sh tests/t_client-*-20??-??/ +tests/t_server_null.rc t_client.rc t_client_ips.rc tests/unit_tests/**/*_testdriver diff --git a/doc/t_server_null.rst b/doc/t_server_null.rst new file mode 100644 index 000..e3a098a --- /dev/null +++ b/doc/t_server_null.rst 
@@ -0,0 +1,147 @@ +Notes for the --dev null test suite +=== + +Introduction + + +The *--dev null test suite* is primary targeted at testing client connections +to the "just compiled" version of OpenVPN. The name is derived from "null" +device type in OpenVPN. In particular, when *--dev null --ifconfig-noexec* is +used in OpenVPN client configuration one does not need to run OpenVPN with root +privileges because interface, routing, etc. configuration is not done at all. +This is still enough to ensure that the OpenVPN client can connect to a server +instance. + +The main features of the test suite: + +* Parallelized for fairly high performance +* Mostly operating-system agnostic +* Tested on Fedora Linux 38/39/40 and FreeBSD 14 +* POSIX-compliant +* Tested and known to work with Bash, Dash, Ksh, Yash and FreeBSD's default /bin/sh +* Uses the sample certificates and keys +* Supports running multiple servers and clients +* Supports running servers directly as root and with sudo +* Supports using different OpenVPN client versions + + * The "current" (just compiled) version + * Any other OpenVPN versions that is present on the filesystem + +* Support testing for success as well as failure +* Test cases (client configurations) and server setups (server configurations) are stored in a configuration file, i.e. data and code have been separated +* Configuration file format is nearly identical to t_client.rc configuration +* Supports a set of default tests, overriding default test settings and adding local tests + +Prerequisites +- + +Running the test suite requires the following: + +* *bash* for running the tests +* root-level privileges for launching the servers + + * run as root + * a privilege escalation tool (sudo, doas, su) and the permission to become root + +Technical implementation + + +The test suite is completely parallelized to allow running a large number of +server and client combinations quickly. + +A normal test run looks like this: + +#. 
Server instances start +#. Brief wait +#. Client instances start +#. Tests run +#. Client instances stop +#. Brief wait +#. Server instances stop + +The tests suite is launched via "make check": + +* make check + + * t_server_null.sh + +* t_server_null_server.sh + + * Launches the compiled OpenVPN server instances as root (if necessary with sudo or su) in the background. The servers are killed using their management interface once all clients have exited. + +* t_server_null_client.sh + + * Waits until servers have launched. Then launch all clients, wait for them to exit and then check test results by parsing the client log files. Each client kills itself after some delay using an "--up" script. + +Note that "make check" moves on once *t_server_null_client.sh* has exited. At +that point *t_server_null_server.sh* is still running, because it exists only +after waiting a few seconds for more client connections to potentially appear. +This is a feature and not a bug, but means that launching "make check" runs too +quickly might cause test failures or unexpected behavior such as leftover +OpenVPN server processes. + +Configuration +- + +The test suite reads its configuration from two files: + +* *tests/t_server_null_defaults.rc:* default test configuration that should work on any system +* *tests/t_server_null.rc:* a local configuration file; can be used to add additional tests or override settings from t
[Openvpn-devel] [L] Change in openvpn[master]: Add t_server_null test suite
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/663?usp=email ) Change subject: Add t_server_null test suite .. Add t_server_null test suite Change-Id: I1b54da258c7d15551b6c3de7522a0d19afdb66de Signed-off-by: Samuli Seppänen Acked-by: Frank Lichtenheld Message-Id: <20240613081422.139493-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28750.html Signed-off-by: Gert Doering --- M .gitignore A doc/t_server_null.rst M tests/Makefile.am A tests/null_client_up.sh A tests/t_server_null.rc-sample A tests/t_server_null.sh A tests/t_server_null_client.sh A tests/t_server_null_default.rc A tests/t_server_null_server.sh A tests/t_server_null_stress.sh 10 files changed, 568 insertions(+), 2 deletions(-) diff --git a/.gitignore b/.gitignore index 92d65bf..db8bb73 100644 --- a/.gitignore +++ b/.gitignore @@ -55,6 +55,7 @@ tests/t_client.sh tests/t_client-*-20??-??/ +tests/t_server_null.rc t_client.rc t_client_ips.rc tests/unit_tests/**/*_testdriver diff --git a/doc/t_server_null.rst b/doc/t_server_null.rst new file mode 100644 index 000..e3a098a --- /dev/null +++ b/doc/t_server_null.rst 
@@ -0,0 +1,147 @@ +Notes for the --dev null test suite +=== + +Introduction + + +The *--dev null test suite* is primary targeted at testing client connections +to the "just compiled" version of OpenVPN. The name is derived from "null" +device type in OpenVPN. In particular, when *--dev null --ifconfig-noexec* is +used in OpenVPN client configuration one does not need to run OpenVPN with root +privileges because interface, routing, etc. configuration is not done at all. +This is still enough to ensure that the OpenVPN client can connect to a server +instance. + +The main features of the test suite: + +* Parallelized for fairly high performance +* Mostly operating-system agnostic +* Tested on Fedora Linux 38/39/40 and FreeBSD 14 +* POSIX-compliant +* Tested and known to work with Bash, Dash, Ksh, Yash and FreeBSD's default /bin/sh +* Uses the sample certificates and keys +* Supports running multiple servers and clients +* Supports running servers directly as root and with sudo +* Supports using different OpenVPN client versions + + * The "current" (just compiled) version + * Any other OpenVPN versions that is present on the filesystem + +* Support testing for success as well as failure +* Test cases (client configurations) and server setups (server configurations) are stored in a configuration file, i.e. data and code have been separated +* Configuration file format is nearly identical to t_client.rc configuration +* Supports a set of default tests, overriding default test settings and adding local tests + +Prerequisites +- + +Running the test suite requires the following: + +* *bash* for running the tests +* root-level privileges for launching the servers + + * run as root + * a privilege escalation tool (sudo, doas, su) and the permission to become root + +Technical implementation + + +The test suite is completely parallelized to allow running a large number of +server and client combinations quickly. + +A normal test run looks like this: + +#. 
Server instances start +#. Brief wait +#. Client instances start +#. Tests run +#. Client instances stop +#. Brief wait +#. Server instances stop + +The tests suite is launched via "make check": + +* make check + + * t_server_null.sh + +* t_server_null_server.sh + + * Launches the compiled OpenVPN server instances as root (if necessary with sudo or su) in the background. The servers are killed using their management interface once all clients have exited. + +* t_server_null_client.sh + + * Waits until servers have launched. Then launch all clients, wait for them to exit and then check test results by parsing the client log files. Each client kills itself after some delay using an "--up" script. + +Note that "make check" moves on once *t_server_null_client.sh* has exited. At +that point *t_server_null_server.sh* is still running, because it exists only +after waiting a few seconds for more client connections to potentially appear. +This is a feature and not a bug, but means that launching "make check" runs too +quickly might cause test failures or unexpected behavior such as leftover +OpenVPN server processes. + +Configuration +- + +The test suite reads its configuration from two files: + +* *tests/t_server_null_defaults.rc:* default test configuration that should work on any system +* *tests/t_server_null.rc:* a local configuration file; can be used to add additional tests or override settings from the default test configuration. Must be present or tests will be skipped, but can be an empty file. + +The configuration syntax is very similar to *t_client.rc*. New server instances can be +defined like this:
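Review bot: in the doc/t_server_null.rst hunk, the Configuration section names `tests/t_server_null_defaults.rc` while the file list adds `tests/t_server_null_default.rc` (no trailing s); one of the two is wrong and the documentation should name the file the scripts actually read. The Prerequisites section also lists "bash for running the tests", which contradicts the feature list's "POSIX-compliant" and "tested and known to work with Bash, Dash, Ksh, Yash and FreeBSD's default /bin/sh" a few lines earlier; either drop the bash line or say which script needs it. Wording while in there: "primary targeted" should be "primarily targeted", "Any other OpenVPN versions that is present" should be "that are present", "The tests suite" should be "The test suite", and "it exists only after waiting" should be "it exits only after waiting".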
[Openvpn-devel] [XS] Change in openvpn[master]: Remove "experimental" denotation for --fast-io
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/664?usp=email ) Change subject: Remove "experimental" denotation for --fast-io .. Remove "experimental" denotation for --fast-io This option is very old (from SVN days) and has been used by Access Server for many years. I don't think it makes sense to claim that it is "experimental" at this point. Change-Id: I913bb70c5e527e78e7cdb43110e23a8944f35a22 Signed-off-by: Frank Lichtenheld Acked-by: Arne Schwabe Message-Id: <20240618120156.4836-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28772.html Signed-off-by: Gert Doering --- M doc/man-sections/generic-options.rst M src/openvpn/options.c 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/man-sections/generic-options.rst b/doc/man-sections/generic-options.rst index f8a0f48..eb9cf28 100644 --- a/doc/man-sections/generic-options.rst +++ b/doc/man-sections/generic-options.rst @@ -215,7 +215,7 @@ are supported by OpenSSL. --fast-io - (Experimental) Optimize TUN/TAP/UDP I/O writes by avoiding a call to + Optimize TUN/TAP/UDP I/O writes by avoiding a call to poll/epoll/select prior to the write operation. The purpose of such a call would normally be to block until the device or socket is ready to accept the write. Such blocking is unnecessary on some platforms which diff --git a/src/openvpn/options.c b/src/openvpn/options.c index abcde89..f2c7536 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c 
@@ -268,7 +268,7 @@ #if ENABLE_IP_PKTINFO "--multihome : Configure a multi-homed UDP server.\n" #endif -"--fast-io : (experimental) Optimize TUN/TAP/UDP writes.\n" +"--fast-io : Optimize TUN/TAP/UDP writes.\n" "--remap-usr1 s : On SIGUSR1 signals, remap signal (s='SIGHUP' or 'SIGTERM').\n" "--persist-tun : Keep tun/tap device open across SIGUSR1 or --ping-restart.\n" "--persist-remote-ip : Keep remote IP address across SIGUSR1 or --ping-restart.\n" -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/664?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I913bb70c5e527e78e7cdb43110e23a8944f35a22 Gerrit-Change-Number: 664 Gerrit-PatchSet: 2 Gerrit-Owner: flichtenheld Gerrit-Reviewer: plaisthos Gerrit-CC: openvpn-devel Gerrit-MessageType: merged ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
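Review bot: the generic-options.rst hunk drops "(Experimental)" but leaves the paragraph without any statement of where the option is safe to use; the text goes on with "Such blocking is unnecessary on some platforms which" (cut off in this copy), and since the justification in the commit message is years of use in Access Server, naming the platforms exercised there, or at least the OS families the option is known to work on, would give users something concrete now that the warning label is gone. The options.c usage-string hunk matches the man page, nothing further there.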
[Openvpn-devel] [XS] Change in openvpn[master]: Remove "experimental" denotation for --fast-io
cron2 has uploaded a new patch set (#2) to the change originally created by flichtenheld. ( http://gerrit.openvpn.net/c/openvpn/+/664?usp=email ) The following approvals got outdated and were removed: Code-Review+2 by plaisthos Change subject: Remove "experimental" denotation for --fast-io .. Remove "experimental" denotation for --fast-io This option is very old (from SVN days) and has been used by Access Server for many years. I don't think it makes sense to claim that it is "experimental" at this point. Change-Id: I913bb70c5e527e78e7cdb43110e23a8944f35a22 Signed-off-by: Frank Lichtenheld Acked-by: Arne Schwabe Message-Id: <20240618120156.4836-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28772.html Signed-off-by: Gert Doering --- M doc/man-sections/generic-options.rst M src/openvpn/options.c 2 files changed, 2 insertions(+), 2 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/64/664/2 diff --git a/doc/man-sections/generic-options.rst b/doc/man-sections/generic-options.rst index f8a0f48..eb9cf28 100644 --- a/doc/man-sections/generic-options.rst +++ b/doc/man-sections/generic-options.rst @@ -215,7 +215,7 @@ are supported by OpenSSL. --fast-io - (Experimental) Optimize TUN/TAP/UDP I/O writes by avoiding a call to + Optimize TUN/TAP/UDP I/O writes by avoiding a call to poll/epoll/select prior to the write operation. The purpose of such a call would normally be to block until the device or socket is ready to accept the write. Such blocking is unnecessary on some platforms which diff --git a/src/openvpn/options.c b/src/openvpn/options.c index abcde89..f2c7536 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c 
@@ -268,7 +268,7 @@ #if ENABLE_IP_PKTINFO "--multihome : Configure a multi-homed UDP server.\n" #endif -"--fast-io : (experimental) Optimize TUN/TAP/UDP writes.\n" +"--fast-io : Optimize TUN/TAP/UDP writes.\n" "--remap-usr1 s : On SIGUSR1 signals, remap signal (s='SIGHUP' or 'SIGTERM').\n" "--persist-tun : Keep tun/tap device open across SIGUSR1 or --ping-restart.\n" "--persist-remote-ip : Keep remote IP address across SIGUSR1 or --ping-restart.\n" -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/664?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I913bb70c5e527e78e7cdb43110e23a8944f35a22 Gerrit-Change-Number: 664 Gerrit-PatchSet: 2 Gerrit-Owner: flichtenheld Gerrit-Reviewer: plaisthos Gerrit-CC: openvpn-devel Gerrit-MessageType: newpatchset ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [M] Change in openvpn[master]: Implement Windows CA template match for Crypto-API selector
cron2 has uploaded a new patch set (#3) to the change originally created by ssbssa. ( http://gerrit.openvpn.net/c/openvpn/+/621?usp=email ) Change subject: Implement Windows CA template match for Crypto-API selector .. Implement Windows CA template match for Crypto-API selector The certificate selection process for the Crypto API certificates is currently fixed to match on subject or identifier. Especially if certificates that are used for OpenVPN are managed by a Windows CA, it is appropriate to select the certificate to use by the template that it is generated from, especially on domain-joined clients which automatically acquire/renew the corresponding certificate. The attached match implements the match on TMPL: with either a template name (which is looked up through CryptFindOIDInfo) or by specifying the OID of the template directly, which then is matched against the corresponding X509 extensions specifying the template that the certificate was generated from. The logic requires to walk all certificates in the underlying store and to match the certificate extensions directly. The hook which is implemented in the certificate selection logic is generic to allow other Crypto-API certificate matches to also be implemented at some point in the future. The logic to match the certificate template is taken from the implementation in the .NET core runtime, see Pal.Windows/FindPal.cs in in the implementation of System.Security.Cryptography.X509Certificates. Change-Id: Ia2c3e4c5c83ee1618c43b489dbe811de5351 Signed-off-by: Heiko Wundram Signed-off-by: Hannes Domani Acked-by: Selva Nair Message-Id: <20240606103441.26598-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28726.html Signed-off-by: Gert Doering --- M doc/man-sections/windows-options.rst M src/openvpn/cryptoapi.c 2 files changed, 105 insertions(+), 3 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/21/621/3 
diff --git a/doc/man-sections/windows-options.rst b/doc/man-sections/windows-options.rst index e87291f..1955869 100644 --- a/doc/man-sections/windows-options.rst +++ b/doc/man-sections/windows-options.rst @@ -55,6 +55,13 @@ cryptoapicert "ISSUER:Sample CA" + To select a certificate based on a certificate's template name or + OID of the template: + :: + + cryptoapicert "TMPL:Name of Template" + cryptoapicert "TMPL:1.3.6.1.4..." + The first non-expired certificate found in the user's store or the machine store that matches the select-string is used. diff --git a/src/openvpn/cryptoapi.c b/src/openvpn/cryptoapi.c index f7e5b67..67dc382 100644 --- a/src/openvpn/cryptoapi.c +++ b/src/openvpn/cryptoapi.c 
@@ -178,6 +178,87 @@ return i; } +static void * +decode_object(struct gc_arena *gc, LPCSTR struct_type, + const CRYPT_OBJID_BLOB *val, DWORD flags, DWORD *cb) +{ +/* get byte count for decoding */ +BYTE *buf; +if (!CryptDecodeObject(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, struct_type, + val->pbData, val->cbData, flags, NULL, cb)) +{ +return NULL; +} + +/* do the actual decode */ +buf = gc_malloc(*cb, false, gc); +if (!CryptDecodeObject(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, struct_type, + val->pbData, val->cbData, flags, buf, cb)) +{ +return NULL; +} + +return buf; +} + +static const CRYPT_OID_INFO * +find_oid(DWORD keytype, const void *key, DWORD groupid) +{ +const CRYPT_OID_INFO *info = NULL; + +/* try proper resolve, also including AD */ +info = CryptFindOIDInfo(keytype, (void *)key, groupid); + +/* fall back to all groups if not found yet */ +if (!info && groupid) +{ +info = CryptFindOIDInfo(keytype, (void *)key, 0); +} + +return info; +} + +static bool +test_certificate_template(const char *cert_prop, const CERT_CONTEXT *cert_ctx) +{ +const CERT_INFO *info = cert_ctx->pCertInfo; +const CERT_EXTENSION *ext; +DWORD cbext; +void *pvext; +struct gc_arena gc = gc_new(); +const WCHAR *tmpl_name = wide_string(cert_prop, &gc); + +/* check for V2 extension (Windows 2003+) */ +ext = CertFindExtension(szOID_CERTIFICATE_TEMPLATE, info->cExtension, info->rgExtension); +if (ext) +{ +pvext = decode_object(&gc, X509_CERTIFICATE_TEMPLATE, &ext->Value, 0, &cbext); +if (pvext && cbext >= sizeof(CERT_TEMPLATE_EXT)) +{ +const CERT_TEMPLATE_EXT *cte = (const CERT_TEMPLATE_EXT *)pvext; +if (!stricmp(cert_prop, cte->pszObjId)) +{ +/* found direct OID match with certificate property specified */ +gc_free(&gc); +return true; +} + +const CRYPT_OID_INFO *tmpl_oid = find_oid(CRYPT_OID_INFO_NAME_KEY, tmpl_name, +
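Review bot: the windows-options.rst hunk should say that a `TMPL:` match is less specific than a subject or thumbprint match: the commit message's own use case is auto-enrolled, auto-renewed certificates, so two valid certificates from the same template can coexist during the renewal overlap, and the existing rule "the first non-expired certificate found ... is used" does not promise the newest one. A sentence on which one wins, or that store order is not defined, would avoid surprises once the older certificate is revoked.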
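Review bot: in the cryptoapi.c hunk, `find_oid` falls back to `CryptFindOIDInfo(keytype, key, 0)` when the lookup in the requested group fails; for a `CRYPT_OID_INFO_NAME_KEY` lookup that means a friendly name that is not a template name can resolve to an OID from an unrelated group, which is then compared against the certificate's template OID. A false positive is unlikely, since that OID would still have to appear as `pszObjId` in the template extension, but the fallback should carry a comment saying why it is needed or be dropped; the `(void *)key` cast also discards the const the parameter declares. `decode_object` is fine as written: the two-call size query through `cb` plus the `cbext >= sizeof(CERT_TEMPLATE_EXT)` guard before the cast cover the length question. Please make sure the remaining return paths of `test_certificate_template` (cut off here) all call `gc_free(&gc)` the way the direct-OID-match path does, and note that the comment "also including AD" means certificate selection can now depend on a directory lookup, which is worth a word in the man page for clients that may be off-domain when they connect.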
[Openvpn-devel] [L] Change in openvpn[master]: Windows: enforce 'block-local' with WFP filters
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/489?usp=email ) Change subject: Windows: enforce 'block-local' with WFP filters .. Windows: enforce 'block-local' with WFP filters In an attempt to better defend against the TunnelCrack attacks, enforce that no traffic can pass to anything other than the VPN interface when the 'block-local' flag is given with either --redirect-gateway or --redirect-private. Reuse much of the existing --block-outside-dns code, but make it more general, so that it can also block any traffic, not just port 53. Uses the Windows Filtering Platform for enforcement in addition to the routes redirecting the networks into the tunnel. Change-Id: Ic9bf797bfc7e2d471998a84cb0f071db3e4832ba Signed-off-by: Heiko Hund Acked-by: Lev Stipakov Acked-by: Gert Doering Message-Id: <20240605123856.26267-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28717.html Signed-off-by: Gert Doering --- M CMakeLists.txt M doc/man-sections/vpn-network-options.rst M include/openvpn-msg.h M src/openvpn/Makefile.am M src/openvpn/init.c M src/openvpn/route.c M src/openvpn/route.h M src/openvpn/tun.c R src/openvpn/wfp_block.c R src/openvpn/wfp_block.h M src/openvpn/win32.c M src/openvpn/win32.h M src/openvpnserv/CMakeLists.txt M src/openvpnserv/Makefile.am M src/openvpnserv/interactive.c 15 files changed, 365 insertions(+), 243 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index f8b37a9..096837d 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -369,8 +369,6 @@ src/openvpn/base64.c src/openvpn/base64.h src/openvpn/basic.h -src/openvpn/block_dns.h -src/openvpn/block_dns.c src/openvpn/buffer.c src/openvpn/buffer.h src/openvpn/circ_list.h @@ -550,6 +548,8 @@ src/openvpn/ssl_util.h src/openvpn/vlan.c src/openvpn/vlan.h +src/openvpn/wfp_block.c +src/openvpn/wfp_block.h src/openvpn/win32.c src/openvpn/win32-util.c src/openvpn/win32.h 
diff --git a/doc/man-sections/vpn-network-options.rst b/doc/man-sections/vpn-network-options.rst index 98b4971..84d4273 100644 --- a/doc/man-sections/vpn-network-options.rst +++ b/doc/man-sections/vpn-network-options.rst @@ -352,6 +352,10 @@ Block access to local LAN when the tunnel is active, except for the LAN gateway itself. This is accomplished by routing the local LAN (except for the LAN gateway address) into the tunnel. + On Windows WFP filters are added in addition to the routes which + block access to resources not routed through the VPN adapter. + Push this flag to protect against TunnelCrack type of attacks + (see: https://tunnelcrack.mathyvanhoef.com/). :code:`ipv6` Redirect IPv6 routing into the tunnel. This works similar to diff --git a/include/openvpn-msg.h b/include/openvpn-msg.h index 657eb5e..7a99335 100644 --- a/include/openvpn-msg.h +++ b/include/openvpn-msg.h @@ -24,6 +24,9 @@ #ifndef OPENVPN_MSG_H_ #define OPENVPN_MSG_H_ +#include +#include + typedef enum { msg_acknowledgement, msg_add_address, @@ -35,8 +38,8 @@ msg_add_nbt_cfg, msg_del_nbt_cfg, msg_flush_neighbors, -msg_add_block_dns, -msg_del_block_dns, +msg_add_wfp_block, +msg_del_wfp_block, msg_register_dns, msg_enable_dhcp, msg_register_ring_buffers, @@ -61,6 +64,11 @@ char name[256]; } interface_t; +typedef enum { +wfp_block_local = 1<<0, +wfp_block_dns = 1<<1 +} wfp_block_flags_t; + typedef struct { message_header_t header; short family; @@ -120,8 +128,9 @@ typedef struct { message_header_t header; +wfp_block_flags_t flags; interface_t iface; -} block_dns_message_t; +} wfp_block_message_t; typedef struct { message_header_t header; diff --git a/src/openvpn/Makefile.am b/src/openvpn/Makefile.am index 7ceec0c..56cce9d 100644 --- a/src/openvpn/Makefile.am +++ b/src/openvpn/Makefile.am 
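Review bot: in the openvpn-msg.h hunk, `wfp_block_message_t` gains a `flags` field ahead of `iface` while `msg_add_block_dns`/`msg_del_block_dns` are only renamed in place to `msg_add_wfp_block`/`msg_del_wfp_block`, so an openvpn.exe and an openvpnserv from different versions would exchange the same message numbers with a different struct layout; the commit message or the header should state that both binaries must be updated together. Related style point: `flags` is declared with the enum type `wfp_block_flags_t`, whose width is implementation-defined; a fixed-width integer (e.g. `uint32_t`) with the `wfp_block_local`/`wfp_block_dns` values as constants would pin the size of this IPC struct regardless of compiler.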
@@ -156,6 +156,6 @@ $(OPTIONAL_DL_LIBS) \ $(OPTIONAL_INOTIFY_LIBS) if WIN32 -openvpn_SOURCES += openvpn_win32_resources.rc block_dns.c block_dns.h ring_buffer.h +openvpn_SOURCES += openvpn_win32_resources.rc wfp_block.c wfp_block.h ring_buffer.h openvpn_LDADD += -lgdi32 -lws2_32 -lwininet -lcrypt32 -liphlpapi -lwinmm -lfwpuclnt -lrpcrt4 -lncrypt -lsetupapi -lbcrypt endif diff --git a/src/openvpn/init.c b/src/openvpn/init.c index ec0c309..b081b2f 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -1782,6 +1782,54 @@ #endif } +/** + * Add WFP filters to block traffic to local networks. + * Depending on the configuration all or just DNS is filtered. + * This functionality is only available on Windows on all other + * systems this function is a noop. + * + * @param c pointer to the connection context + */ +static void +add_wfp_block(struct context *c) +{ +#if defined(_WIN32) +/* Fortify 'redirect-gate
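Review bot: the doxygen comment on `add_wfp_block` in the init.c hunk runs two sentences together ("This functionality is only available on Windows on all other systems this function is a noop"); suggest "This functionality is only available on Windows; on all other systems this function is a no-op." The "Depending on the configuration all or just DNS is filtered" sentence would also read more clearly as "Depending on the configuration, either all traffic or just DNS is filtered", matching the `wfp_block_local`/`wfp_block_dns` flags.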
[Openvpn-devel] [M] Change in openvpn[master]: Implement Windows CA template match for Crypto-API selector
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/621?usp=email ) Change subject: Implement Windows CA template match for Crypto-API selector .. Implement Windows CA template match for Crypto-API selector The certificate selection process for the Crypto API certificates is currently fixed to match on subject or identifier. Especially if certificates that are used for OpenVPN are managed by a Windows CA, it is appropriate to select the certificate to use by the template that it is generated from, especially on domain-joined clients which automatically acquire/renew the corresponding certificate. The attached match implements the match on TMPL: with either a template name (which is looked up through CryptFindOIDInfo) or by specifying the OID of the template directly, which then is matched against the corresponding X509 extensions specifying the template that the certificate was generated from. The logic requires to walk all certificates in the underlying store and to match the certificate extensions directly. The hook which is implemented in the certificate selection logic is generic to allow other Crypto-API certificate matches to also be implemented at some point in the future. The logic to match the certificate template is taken from the implementation in the .NET core runtime, see Pal.Windows/FindPal.cs in the implementation of System.Security.Cryptography.X509Certificates. Change-Id: Ia2c3e4c5c83ee1618c43b489dbe811de5351 Signed-off-by: Heiko Wundram Signed-off-by: Hannes Domani Acked-by: Selva Nair Message-Id: <20240606103441.26598-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28726.html Signed-off-by: Gert Doering --- M doc/man-sections/windows-options.rst M src/openvpn/cryptoapi.c 2 files changed, 105 insertions(+), 3 deletions(-) diff --git a/doc/man-sections/windows-options.rst b/doc/man-sections/windows-options.rst index e87291f..1955869 100644 
--- a/doc/man-sections/windows-options.rst +++ b/doc/man-sections/windows-options.rst @@ -55,6 +55,13 @@ cryptoapicert "ISSUER:Sample CA" + To select a certificate based on a certificate's template name or + OID of the template: + :: + + cryptoapicert "TMPL:Name of Template" + cryptoapicert "TMPL:1.3.6.1.4..." + The first non-expired certificate found in the user's store or the machine store that matches the select-string is used. diff --git a/src/openvpn/cryptoapi.c b/src/openvpn/cryptoapi.c index f7e5b67..67dc382 100644 --- a/src/openvpn/cryptoapi.c +++ b/src/openvpn/cryptoapi.c 
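Review bot: the man page addition does not say how the two TMPL: forms differ in what they depend on: a template name is resolved through the local OID database (CryptFindOIDInfo, which per the code comment may also consult AD), whereas the OID form is compared directly against the certificate's template extension and needs no lookup. A sentence to that effect would tell users on clients where the name cannot be resolved to prefer the OID form. Also consider noting that the first non-expired certificate matching the template is used, since several enrollments from one template may exist in the store.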
@@ -178,6 +178,87 @@ return i; } +static void * +decode_object(struct gc_arena *gc, LPCSTR struct_type, + const CRYPT_OBJID_BLOB *val, DWORD flags, DWORD *cb) +{ +/* get byte count for decoding */ +BYTE *buf; +if (!CryptDecodeObject(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, struct_type, + val->pbData, val->cbData, flags, NULL, cb)) +{ +return NULL; +} + +/* do the actual decode */ +buf = gc_malloc(*cb, false, gc); +if (!CryptDecodeObject(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, struct_type, + val->pbData, val->cbData, flags, buf, cb)) +{ +return NULL; +} + +return buf; +} + +static const CRYPT_OID_INFO * +find_oid(DWORD keytype, const void *key, DWORD groupid) +{ +const CRYPT_OID_INFO *info = NULL; + +/* try proper resolve, also including AD */ +info = CryptFindOIDInfo(keytype, (void *)key, groupid); + +/* fall back to all groups if not found yet */ +if (!info && groupid) +{ +info = CryptFindOIDInfo(keytype, (void *)key, 0); +} + +return info; +} + +static bool +test_certificate_template(const char *cert_prop, const CERT_CONTEXT *cert_ctx) +{ +const CERT_INFO *info = cert_ctx->pCertInfo; +const CERT_EXTENSION *ext; +DWORD cbext; +void *pvext; +struct gc_arena gc = gc_new(); +const WCHAR *tmpl_name = wide_string(cert_prop, &gc); + +/* check for V2 extension (Windows 2003+) */ +ext = CertFindExtension(szOID_CERTIFICATE_TEMPLATE, info->cExtension, info->rgExtension); +if (ext) +{ +pvext = decode_object(&gc, X509_CERTIFICATE_TEMPLATE, &ext->Value, 0, &cbext); +if (pvext && cbext >= sizeof(CERT_TEMPLATE_EXT)) +{ +const CERT_TEMPLATE_EXT *cte = (const CERT_TEMPLATE_EXT *)pvext; +if (!stricmp(cert_prop, cte->pszObjId)) +{ +/* found direct OID match with certificate property specified */ +gc_free(&gc); +return true; +} + +const CRYPT_OID_INFO *tmpl_oid = find_oid(CRYPT_OID_INFO_NAME_KEY, tmpl_name, + CRYPT_TEMPLATE_OID_GROUP_ID); +if (tmpl_oid && !stricmp(tmpl_oid->pszOID, cte->pszObjId)) +
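Review bot: the comment "check for V2 extension (Windows 2003+)" shows that `test_certificate_template` inspects `szOID_CERTIFICATE_TEMPLATE`; the visible part of the hunk ends before any handling of the older V1 template-name extension, so if none follows, the man page should state that TMPL: only matches certificates carrying the V2 template extension. Two smaller points: in `find_oid` the `(void *)key` cast silently drops `const` because CryptFindOIDInfo takes a non-const `pvKey`; a one-line comment would save the next reader from wondering whether the key is modified. And `tmpl_name` is converted with `wide_string` up front even when `cert_prop` already matches `cte->pszObjId` as a raw OID; moving the conversion down to the name-lookup branch avoids the unused allocation on the direct-OID path.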