On 21/03/2021 13:56, Arne Schwabe wrote:
Am 20.03.21 um 14:20 schrieb David Sommerseth:
On 19/03/2021 16:31, Arne Schwabe wrote:
This option allows migration to a non-compression server config while
still retaining compatibility with clients that have a compression
setting in their config.
For
Hi,
On 21/03/2021 18:38, Arne Schwabe wrote:
> This patch conflicts since the grammar in the previous patch was fixed.
> If there is nothing else wrong with it I can resend a rebased v3.
That was it. Feel free to send v3.
Cheers,
--
Antonio Quartulli
Your patch has been applied to the master branch.
I have moved the Changes.rst hunk to the "new in 2.6" section, as my
time machine is broken and this won't make 2.5.1 anymore :-)
I have not tested this feature itself, just stared at the code + docs
(seems to make sense) and ran the client side t
Your patch has been applied to the master branch.
I have not really tested it, but stared a bit at code and documentation,
and done a basic t_client test. Haven't set up anything that could
thoroughly test this (yet!).
As discussed on IRC, I have removed the "return NULL" as suggested,
and there
Am 21.03.21 um 18:22 schrieb Antonio Quartulli:
> Hi,
>
> On 19/03/2021 15:20, Arne Schwabe wrote:
>> Despite trying to figure out with multiple people what the use case for
>> this option is, we could not come up with a good one. Checking that only
>> a specific CA is used can be also done by onl
Hi,
On 19/03/2021 15:20, Arne Schwabe wrote:
> Despite trying to figure out with multiple people what the use case for
> this option is, we could not come up with a good one. Checking that only
> a specific CA is used can be also done by only using that CA in the --ca
> directive.
>
> Although it
Tested on Ubuntu 18 / MinGW, compiles.
Checked with the MSVC documentation, seems to make sense :-) - I do notice
that we use wcscat_s() in one of these hunks, and _tcscat_s() in another,
which seems to be the same thing if _UNICODE is defined (which, I think
we do). Maybe an opportunity for anot
Hi,
On 19/03/2021 15:20, Arne Schwabe wrote:
> From: "Jason A. Donenfeld"
>
> OpenVPN traditionally works around CAs. However many TLS-based protocols also
> allow an alternative simpler mode in which rather than verify certificates
> against CAs, the certificate itself is hashed and compared ag
Hi,
On Sun, Mar 21, 2021 at 06:05:19PM +0100, Gert Doering wrote:
> commit 709c3810a1d67e2c4049e852529a0a0d1338c797
> Author: Simon Rozman via Openvpn-devel
Yeah. Right.
So, apologies for not catching this in time and fixing the Author: line,
but this is exactly why I brought up the DMARC issue
I seem to remember we had that discussion in the context of openvpn-gui
already - Problems with the "POSIX compatible" function names, which end
up acting on narrow or wide strings depending on compiler settings, compiler
version, phase of the moon... can't find that commit, but if MS docs says
"
Your patch has been applied to the master branch.
"Trivially correct" :-) - but since Windows keeps biting me these
days, test built with Ubuntu/MinGW. Just to be sure.
commit 26540310efa8c8955f38974969b317460c075dd4
Author: Simon Rozman via Openvpn-devel
Date: Sun Mar 21 15:46:24 2021 +0100
Hi,
On Sun, Mar 21, 2021 at 03:46:23PM +0100, Simon Rozman via Openvpn-devel wrote:
> Commit 24596b25 ("build: Remove compat-lz4") removed lz4 compat layer,
> but openvpn-build\msvc doesn't provide LZ4 library either.
What would be needed to actually *build* with LZ4 on MSVC? That is,
build it a
Am 21.03.21 um 17:37 schrieb Simon Rozman:
> Hi,
>
>>> -73,14 +73,13 @@ find_function(const WCHAR *libname, const char
>> *funcname, HMODULE *m)
>>> return NULL;
>>> }
>>>
>>> -size_t len = _countof(libpath) - wcslen(libpath) - 1;
>>> -if (len < wcslen(libname) + 1)
>>> +i
Hi,
On 21/03/2021 15:33, Arne Schwabe wrote:
> This option allows to pin one or more peer certificates. It also
> prepares for doing TLS authentication without a CA and just
> self-signed certificates.
>
> Patch V2: Allow peer-fingerprint to be specified multiple times
> to allow m
Am 21.03.21 um 15:46 schrieb Simon Rozman via Openvpn-devel:
> It's about using a standard recommended alias for the wcsdup():
>
>> warning C4996: 'wcsdup': The POSIX name for this item is deprecated.
>> Instead, use the ISO C and C++ conformant name: _wcsdup. See online
>> help for details.
>
>
Hi,
> > -73,14 +73,13 @@ find_function(const WCHAR *libname, const char
> *funcname, HMODULE *m)
> > return NULL;
> > }
> >
> > -size_t len = _countof(libpath) - wcslen(libpath) - 1;
> > -if (len < wcslen(libname) + 1)
> > +if (wcslen(libpath) + 1 /*\*/ + wcslen(libname) >
Am 21.03.21 um 15:46 schrieb Simon Rozman via Openvpn-devel:
> wcsncat() was declared unsafe in favour of wcsncat_s(). However, the
> string concatenation follows the string length check, making wcsncat()
> safe too. Code analysis is just not smart enough (yet) to detect this.
>
> The code was ref
Am 21.03.21 um 15:46 schrieb Simon Rozman via Openvpn-devel:
> Signed-off-by: Simon Rozman
> ---
> src/openvpn/tun.c | 34 --
> 1 file changed, 34 deletions(-)
>
Acked-By: Arne Schwabe
Am 21.03.21 um 15:46 schrieb Simon Rozman via Openvpn-devel:
> Commit 24596b25 ("build: Remove compat-lz4") removed lz4 compat layer,
> but openvpn-build\msvc doesn't provide LZ4 library either.
We should either add lz4 to openvpn-build or change the default of lz4
to disabled in all variants. I do
Hi,
This patch looks good to me.
There is just one minor note below:
On 21/03/2021 15:25, Arne Schwabe wrote:
> This patch introduces support for verify-hash inlining.
> When inlined, this option now allows to specify multiple fingerprints,
> one per line.
>
> Since this is a new syntax, there
Am 21.03.21 um 15:46 schrieb Simon Rozman via Openvpn-devel:
> Lots of string functions were declared unsafe in favor of ..._s()
> counterparts. However, the code already is careful about the buffer
> size. Code analysis is just not smart enough (yet) to detect this.
>
> The code was refactored to
It's about using a standard recommended alias for the wcsdup():
> warning C4996: 'wcsdup': The POSIX name for this item is deprecated.
> Instead, use the ISO C and C++ conformant name: _wcsdup. See online
> help for details.
And the documentation says:
> The Microsoft-implemented POSIX function
Commit 24596b25 ("build: Remove compat-lz4") removed lz4 compat layer,
but openvpn-build\msvc doesn't provide LZ4 library either.
Signed-off-by: Simon Rozman
---
config-msvc.h | 1 -
1 file changed, 1 deletion(-)
diff --git a/config-msvc.h b/config-msvc.h
index e430ca96..53d97902 100644
--- a/c
wcsncat() was declared unsafe in favour of wcsncat_s(). However, the
string concatenation follows the string length check, making wcsncat()
safe too. Code analysis is just not smart enough (yet) to detect this.
The code was refactored to use wcscat_s() MSVC is considering as "safe".
Signed-off-by
Signed-off-by: Simon Rozman
---
src/openvpn/tun.c | 34 --
1 file changed, 34 deletions(-)
diff --git a/src/openvpn/tun.c b/src/openvpn/tun.c
index 6c51a52d..6b7c8ef1 100644
--- a/src/openvpn/tun.c
+++ b/src/openvpn/tun.c
@@ -85,8 +85,6 @@ static void netsh_comman
Lots of string functions were declared unsafe in favor of ..._s()
counterparts. However, the code already is careful about the buffer
size. Code analysis is just not smart enough (yet) to detect this.
The code was refactored to use ..._s() variants MSVC is considering as
"safe".
Signed-off-by: Si
This option allows to pin one or more peer certificates. It also
prepares for doing TLS authentication without a CA and just
self-signed certificates.
Patch V2: Allow peer-fingerprint to be specified multiple times
to allow multiple peers without needing to use inline
synt
This patch introduces support for verify-hash inlining.
When inlined, this option now allows to specify multiple fingerprints,
one per line.
Since this is a new syntax, there is no backwards compatibility to take
care of, therefore we can drop support for SHA1. Inlined fingerprints
are assumed be
Am 20.03.21 um 14:20 schrieb David Sommerseth:
> On 19/03/2021 16:31, Arne Schwabe wrote:
>> This option allows migration to a non-compression server config while
>> still retaining compatibility with clients that have a compression
>> setting in their config.
>>
>> For existing setups that used to