[Openvpn-devel] [PATCH 2/4] [CMake] Only add -Wno-stringop-truncation on supported compilers
The -Wno-stringop-truncation flag is only supported by some GCC versions and not by Clang (macOS, FreeBSD) at all. Move the includes to the top the file to have them available when running the check_c_compiler_flag.
Change-Id: I452bc4ee935d13f8e9095d0a31805a3bbaff0cec
Signed-off-by: Arne Schwabe
---
 CMakeLists.txt | 22 ++
 1 file changed, 14 insertions(+), 8 deletions(-)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 3cbba5a38..acebbb73c 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -12,6 +12,14 @@ project(openvpn)
 # and OpenSSL having version 1.1.1+ and generally does not offer the same
 # configurability like autoconf
+find_package(PkgConfig REQUIRED)
+include(CheckSymbolExists)
+include(CheckIncludeFiles)
+include(CheckCCompilerFlag)
+include(CheckTypeSize)
+include(CheckStructHasMember)
+include(CTest)
+
 option(UNSUPPORTED_BUILDS "Allow unsupported builds" OFF)
 if (NOT WIN32 AND NOT ${UNSUPPORTED_BUILDS})
@@ -70,7 +78,12 @@ else ()
 set(CMAKE_CXX_FLAGS_RELEASE "-O2")
 set(CMAKE_C_FLAGS_DEBUG "-g -O1")
 set(CMAKE_CXX_FLAGS_DEBUG "-g -O1")
-add_compile_options(-Wall -Wuninitialized -Wno-stringop-truncation)
+add_compile_options(-Wall -Wuninitialized)
+check_c_compiler_flag(-Wno-stringop-truncation NoStringOpTruncation)
+
+if (${NoStringOpTruncation})
+add_compile_options(-Wno-stringop-truncation)
+endif()
 # We are not ready for this
 #add_compile_options(-Wconversion -Wno-sign-conversion -Wsign-compare)
 if (USE_WERROR)
@@ -78,13 +91,6 @@ else ()
 endif ()
 endif ()
-find_package(PkgConfig REQUIRED)
-include(CheckSymbolExists)
-include(CheckIncludeFiles)
-include(CheckTypeSize)
-include(CheckStructHasMember)
-include(CTest)
-
 find_program(PYTHON NAMES python3 python)
 execute_process(
 COMMAND ${PYTHON} ${CMAKE_CURRENT_SOURCE_DIR}/contrib/cmake/parse-version.m4.py ${CMAKE_CURRENT_SOURCE_DIR}/version.m4
--
2.39.2 (Apple Git-143)
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
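Review bot: `check_c_compiler_flag(-Wno-stringop-truncation ...)` probes the negative spelling, and as far as I recall GCC accepts an unknown `-Wno-*` option silently (it only mentions it when some other diagnostic is emitted), so on a GCC that predates this warning the probe would still succeed and the flag would be added; Clang, which does diagnose unknown warning options, is the case the hunk fixes. Probing the positive form is the usual way around that: `check_c_compiler_flag(-Wstringop-truncation HAVE_W_STRINGOP_TRUNCATION)` followed by `if (HAVE_W_STRINGOP_TRUNCATION)` / `add_compile_options(-Wno-stringop-truncation)`. `if (${NoStringOpTruncation})` also expands the cached result into the condition; `if (NoStringOpTruncation)` is the idiomatic and safer spelling. A one-line comment saying why the warning is silenced project-wide (it flags possible strncpy-style truncation, so a reader may wonder) would help the next maintainer.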
[Openvpn-devel] [PATCH 1/4] Do not blindly assume python3 is also the interpreter that runs rst2html
On my system python3 is the macOS system python3 while rst2html has #!/opt/homebrew/opt/python@3.9/bin/python3.9 as its first line. Running that with a different python results in missing python modules. So directly execute the rst2html script instead.
Change-Id: I7e27ae031179c91cc1bca8122caf2453d6396ec0
Signed-off-by: Arne Schwabe
---
 doc/CMakeLists.txt | 8
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/doc/CMakeLists.txt b/doc/CMakeLists.txt
index d38805513..2fba80bbd 100644
--- a/doc/CMakeLists.txt
+++ b/doc/CMakeLists.txt
@@ -50,13 +50,13 @@ if (_GENERATE_HTML_DOC)
 list(APPEND ALL_DOCS openvpn.8.html openvpn-examples.5.html)
 add_custom_command(
 OUTPUT openvpn.8.html
-COMMAND ${PYTHON} ${RST2HTML} ${RST_FLAGS} ${CMAKE_CURRENT_SOURCE_DIR}/openvpn.8.rst ${CMAKE_CURRENT_BINARY_DIR}/openvpn.8.html
+COMMAND ${RST2HTML} ${RST_FLAGS} ${CMAKE_CURRENT_SOURCE_DIR}/openvpn.8.rst ${CMAKE_CURRENT_BINARY_DIR}/openvpn.8.html
 MAIN_DEPENDENCY openvpn.8.rst
 DEPENDS ${OPENVPN_SECTIONS}
 )
 add_custom_command(
 OUTPUT openvpn-examples.5.html
-COMMAND ${PYTHON} ${RST2HTML} ${RST_FLAGS} ${CMAKE_CURRENT_SOURCE_DIR}/openvpn-examples.5.rst ${CMAKE_CURRENT_BINARY_DIR}/openvpn-examples.5.html
+COMMAND ${RST2HTML} ${RST_FLAGS} ${CMAKE_CURRENT_SOURCE_DIR}/openvpn-examples.5.rst ${CMAKE_CURRENT_BINARY_DIR}/openvpn-examples.5.html
 MAIN_DEPENDENCY openvpn-examples.5.rst
 DEPENDS ${OPENVPN_EXAMPLES_SECTIONS}
 )
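Review bot: Running `${RST2HTML}` directly makes the rule depend on the located script having an execute bit and a usable shebang; where `find_program` (outside this hunk) resolves to a plain `rst2html.py` without the execute bit, or on a Windows build, the command will fail where `${PYTHON} ${RST2HTML}` used to work. If the macOS interpreter mismatch is the motivation, a comment above the command stating the requirement would help, e.g. `# rst2html is executed directly so that its own #! interpreter (and that interpreter's docutils) is used`. The enclosing `if (_GENERATE_HTML_DOC)` begins before the hunk. The `add_custom_command` calls also lack `VERBATIM`, so argument quoting is generator-dependent; that is pre-existing, but cheap to fix while the line is being touched.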
@@ -65,13 +65,13 @@ if (_GENERATE_MAN_DOC)
 list(APPEND ALL_DOCS openvpn.8 openvpn-examples.5)
 add_custom_command(
 OUTPUT openvpn.8
-COMMAND ${PYTHON} ${RST2MAN} ${RST_FLAGS} ${CMAKE_CURRENT_SOURCE_DIR}/openvpn.8.rst ${CMAKE_CURRENT_BINARY_DIR}/openvpn.8
+COMMAND ${RST2MAN} ${RST_FLAGS} ${CMAKE_CURRENT_SOURCE_DIR}/openvpn.8.rst ${CMAKE_CURRENT_BINARY_DIR}/openvpn.8
 MAIN_DEPENDENCY openvpn.8.rst
 DEPENDS ${OPENVPN_SECTIONS}
 )
 add_custom_command(
 OUTPUT openvpn-examples.5
-COMMAND ${PYTHON} ${RST2MAN} ${RST_FLAGS} ${CMAKE_CURRENT_SOURCE_DIR}/openvpn-examples.5.rst ${CMAKE_CURRENT_BINARY_DIR}/openvpn-examples.5
+COMMAND ${RST2MAN} ${RST_FLAGS} ${CMAKE_CURRENT_SOURCE_DIR}/openvpn-examples.5.rst ${CMAKE_CURRENT_BINARY_DIR}/openvpn-examples.5
 MAIN_DEPENDENCY openvpn-examples.5.rst
 DEPENDS ${OPENVPN_EXAMPLES_SECTIONS}
 )
--
2.39.2 (Apple Git-143)
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH 4/4] Avoid unused function warning/error on FreeBSD
the funktion is_on_link is not used on FreeBSD and triggers a warning/error (-Werror) on FreeBSD.
Change-Id: I6757d6509ff3ff522d6de417372a21e73ccca3ba
Signed-off-by: Arne Schwabe
---
 src/openvpn/route.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/openvpn/route.c b/src/openvpn/route.c
index d18acd016..2180b7d1a 100644
--- a/src/openvpn/route.c
+++ b/src/openvpn/route.c
@@ -1541,13 +1541,15 @@ local_route(in_addr_t network,
 return LR_NOMATCH;
 }
-/* Return true if the "on-link" form of the route should be used. This is when the gateway for a
+/* Return true if the "on-link" form of the route should be used. This is when the gateway for
 * a route is specified as an interface rather than an address. */
+#ifndef TARGET_FREEBSD
 static inline bool
 is_on_link(const int is_local_route, const unsigned int flags, const struct route_gateway_info *rgi)
 {
 return rgi && (is_local_route == LR_MATCH || ((flags & ROUTE_REF_GW) && (rgi->flags & RGI_ON_LINK)));
 }
+#endif
 bool
 add_route(struct route_ipv4 *r,
--
2.39.2 (Apple Git-143)
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
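Review bot: `#ifndef TARGET_FREEBSD` guards the definition by platform rather than by the condition under which `is_on_link` is actually referenced; if the call site (outside this hunk) sits under a different preprocessor condition, any other Clang-built target where the function ends up unused will hit the same `-Werror=unused-function` failure, and a FreeBSD build that later gains a caller will fail the other way round. Mirroring the caller's exact `#if` condition, or marking the function as intentionally unused instead of removing it, keeps the two in step. Either way a comment at the `#ifndef` explaining why FreeBSD is excluded, e.g. `/* not referenced on FreeBSD: its add_route() path never takes the on-link form */` (adjusted to whatever the caller actually does), would save the next reader a search. `add_route` continues past the end of the hunk.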
[Openvpn-devel] [PATCH 3/4] Check if the -wrap argument is actually supported by the platform's ld
This avoids build errors on macOS. Also the test_tls_crypt command works just fine on FreeBSD with its linkers, so do not make that test Linux only.
Change-Id: Id26676bdc576c7d3d6726afa43fe6c7a397c579b
Signed-off-by: Arne Schwabe
---
 CMakeLists.txt | 11 +++
 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index acebbb73c..d2445b414 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -16,6 +16,7 @@ find_package(PkgConfig REQUIRED)
 include(CheckSymbolExists)
 include(CheckIncludeFiles)
 include(CheckCCompilerFlag)
+include(CheckLinkerFlag)
 include(CheckTypeSize)
 include(CheckStructHasMember)
 include(CTest)
@@ -560,18 +561,20 @@ if (BUILD_TESTING)
 )
 endif ()
-if (NOT MSVC)
-# MSVC does not support --wrap
+# MSVC and Apple's LLVM ld do not support --wrap
+check_linker_flag(C -Wl,--wrap=parse_line LD_SUPPORTS_WRAP)
+
+if (${LD_SUPPORTS_WRAP})
 list(APPEND unit_tests
 "test_argv"
+"test_tls_crypt"
 )
 endif ()
-# These tests work on only on Linux since they depend on special linker features
+# These tests work on only on Linux since they depend on special Linux features
 if (${CMAKE_SYSTEM_NAME} STREQUAL "Linux")
 list(APPEND unit_tests
 "test_networking"
-"test_tls_crypt"
 )
 endif ()
--
2.39.2 (Apple Git-143)
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
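Review bot: When the `--wrap` probe fails, `test_argv` and `test_tls_crypt` silently drop out of the suite, so a macOS CI run reports green with the tls-crypt unit tests never executed; an `else ()` branch with `message(STATUS "linker lacks --wrap, skipping test_argv and test_tls_crypt")` makes the reduced coverage visible in the configure log. `check_linker_flag` only exists from CMake 3.18, so `cmake_minimum_required` (not in this patch) must be at least that or the `include(CheckLinkerFlag)` in the first hunk errors on older releases. As with the compiler-flag check elsewhere in this file, `if (${LD_SUPPORTS_WRAP})` expands the result into the condition; `if (LD_SUPPORTS_WRAP)` is the idiomatic form.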
[Openvpn-devel] [PATCH 0/4] Restore ability to compile on macOS/FreeBSD with Cmake
The patches to the CMake files brought a lot of improvements but broke compiling on macOS and FreeBSD. This patch set restores the ability to compile on these two platforms. Arne Schwabe (4): Do not blindly assume python3 is also the interpreter that runs rst2html [CMake] Only add -Wno-stringop-truncation on supported compilers Check if the -wrap argument is actually supported by the platform's ld Avoid unused function warning/error on FreeBSD CMakeLists.txt | 33 + doc/CMakeLists.txt | 8 src/openvpn/route.c | 4 +++- 3 files changed, 28 insertions(+), 17 deletions(-) -- 2.39.2 (Apple Git-143) ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH 2/2] Implement using --peer-fingerprint without CA certificates
This is implements --peer-fingerprint command to support OpenVPN authentication without involving a PKI. The current implementation in OpenVPN for peer fingerprint has been already extensively rewritten from the original submission from Jason [1]. The commit preserved the original author since it was based on Jason code/idea. The current code uses two commits to prepare the --peer-fingerprint solution as which choose to use a simple to use --peer-fingerprint directive instead of using using a --tls-verify script like the v1 of the patch proposed.
The two commit preparing this are:
- Extend verify-hash to allow multiple hashes
- Implement peer-fingerprint to check fingerprint of peer certificate
This perparing patches make this actual patch quite short. There are some lines in this patch that bear some similarity to the ones like if (!preverify_ok && !session->opt->verify_hash_no_ca) vs if (!preverify_ok && !session->opt->ca_file_none) But these similarities are one line fragments and dictated by the surrounding style and program flow, so even a complete black box implementation will likely end up with the same lines.
[1] https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg16781.html
Change-Id: Ie74c3d606c5429455c293c367462244566a936e3
Signed-off-by: Arne Schwabe
---
 src/openvpn/init.c | 1 +
 src/openvpn/options.c| 26 +-
 src/openvpn/options.h| 1 +
 src/openvpn/ssl_common.h | 1 +
 src/openvpn/ssl_verify_mbedtls.c | 16
 src/openvpn/ssl_verify_openssl.c | 2 +-
 6 files changed, 33 insertions(+), 14 deletions(-)
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index c023b33c6..d358ad003 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -3347,6 +3347,7 @@ do_init_crypto_tls(struct context *c, const unsigned int flags)
 to.verify_hash = options->verify_hash;
 to.verify_hash_algo = options->verify_hash_algo;
 to.verify_hash_depth = options->verify_hash_depth;
+to.verify_hash_no_ca = options->verify_hash_no_ca;
 #ifdef ENABLE_X509ALTUSERNAME
 memcpy(to.x509_username_field, options->x509_username_field, sizeof(to.x509_username_field));
 #else
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index fe9285384..e4c596b89 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -2991,21 +2991,11 @@ options_postprocess_verify_ce(const struct options *options,
 else
 {
 #ifdef ENABLE_CRYPTO_MBEDTLS
-if (!(options->ca_file))
-{
-msg(M_USAGE, "You must define CA file (--ca)");
-}
-
 if (options->ca_path)
 {
 msg(M_USAGE, "Parameter --capath cannot be used with the mbed TLS version version of OpenVPN.");
 }
-#else /* ifdef ENABLE_CRYPTO_MBEDTLS */
-if ((!(options->ca_file)) && (!(options->ca_path)))
-{
-msg(M_USAGE, "You must define CA file (--ca) or CA path (--capath)");
-}
-#endif
+#endif /* ifdef ENABLE_CRYPTO_MBEDTLS */
 if (pull)
 {
@@ -3737,6 +3727,13 @@ options_postprocess_mutate(struct options *o, struct env_set *es)
 options_postprocess_http_proxy_override(o);
 }
 #endif
+if (!o->ca_file && !o->ca_path && o->verify_hash
+&& o->verify_hash_depth == 0)
+{
+msg(M_INFO, "Using certificate fingerprint to verify peer (no CA "
+"option set). ");
+o->verify_hash_no_ca = true;
+}
 if (o->config && streq(o->config, "stdin") && o->remap_sigusr1 == SIGHUP)
 {
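Review bot: The `options_postprocess_verify_ce` hunk deletes the "You must define CA file" checks outright instead of relaxing them, so a configuration with neither `--ca`/`--capath` nor `--peer-fingerprint` now passes option verification; the new `verify_hash_no_ca` flag is only set (next hunk on this page) when `verify_hash` is present, so it cannot stand in for the removed check. Keeping the check and adding the fingerprint escape hatch fails closed: `if (!options->ca_file && !options->ca_path && !options->verify_hash_no_ca)` with the `M_USAGE` text extended to mention `--peer-fingerprint`, and the same for the mbed TLS branch without `ca_path`. That assumes `options_postprocess_mutate` runs before `options_postprocess_verify_ce`, which this patch does not show. Whether the TLS layer still rejects an unverified peer at runtime lives in the ssl_verify_*.c changes, which are not in this excerpt.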
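Review bot: In the `options_postprocess_mutate` hunk the no-CA mode is only entered for `verify_hash_depth == 0`; a configuration with `--verify-hash` at another depth and no `--ca`/`--capath` silently falls through, and with the usage checks deleted in the previous hunk nothing else reports it. An explicit `else if (!o->ca_file && !o->ca_path && o->verify_hash)` with `msg(M_USAGE, "--verify-hash at a depth other than 0 requires --ca or --capath");` keeps that misconfiguration loud. The log string `"option set). "` also carries a trailing space. A comment above the block stating the intended rule, e.g. `/* a leaf-certificate (depth 0) fingerprint list replaces the CA; deeper hashes are not a trust anchor on their own */`, would help if that is indeed the rule.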
@@ -4032,8 +4029,11 @@ options_postprocess_filechecks(struct options *options)
 errs |= check_file_access_inline(options->dh_file_inline, CHKACC_FILE,
 options->dh_file, R_OK, "--dh");
-errs |= check_file_access_inline(options->ca_file_inline, CHKACC_FILE,
- options->ca_file, R_OK, "--ca");
+if (!options->verify_hash_no_ca)
+{
+errs |= check_file_access_inline(options->ca_file_inline, CHKACC_FILE,
+ options->ca_file, R_OK, "--ca");
+}
 errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE,
 options->ca_path, R_OK, "--capath");
diff --git a/src/openvpn/options.h b/src/openvpn/options.h
index 95f1158a4..f5890b90f 100644
--- a/src/openvpn/options.h
+++ b/src/openvpn/options.h
@@ -604,6 +604,7 @@ struct options
 struct verify_hash_list *verify_hash;
 hash_algo_type verify_hash_algo;
 int verify_hash_depth;
+bool verify_hash_no_ca;
 unsigned int ssl_flags; /* set to SSLF_x flags from ssl.h */
 #ifdef ENABLE_PKCS11
diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h
index c0b3caa71..27b029479 100644
--- a/src/openvpn/ssl_common.h
+++ b/src/openvpn/ssl_common.h
@@ -345,6 +345,7 @@ struct tls_options
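Review bot: The new guard in `options_postprocess_filechecks` deserves a why-comment: `verify_hash_no_ca` is only ever set when `ca_file` is NULL (per the `options_postprocess_mutate` hunk on this page), so a reader should be told the branch exists to skip a check that would otherwise run against a missing `--ca`, e.g. `/* --peer-fingerprint without --ca: there is no CA file to check */`. If `check_file_access_inline` already tolerates a NULL path, which cannot be seen from here, the guard is redundant and could be dropped; if it does not, the comment is what keeps someone from "simplifying" it away later.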
Re: [Openvpn-devel] [PATCH] [CMake] Only add -Wno-stringop-truncation on supported compilers
Am 29.06.23 um 13:39 schrieb Arne Schwabe: The -Wno-stringop-truncation flag is only supported by some GCC versions and not by Clang (macOS, FreeBSD) at all. Change-Id: I452bc4ee935d13f8e9095d0a31805a3bbaff0cec Ignore this version. ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH] [CMake] Only add -Wno-stringop-truncation on supported compilers
The -Wno-stringop-truncation flag is only supported by some GCC versions and not by Clang (macOS, FreeBSD) at all.
Change-Id: I452bc4ee935d13f8e9095d0a31805a3bbaff0cec
Signed-off-by: Arne Schwabe
---
 CMakeLists.txt | 20
 1 file changed, 12 insertions(+), 8 deletions(-)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 3cbba5a38..ec0915bb0 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -12,6 +12,14 @@ project(openvpn)
 # and OpenSSL having version 1.1.1+ and generally does not offer the same
 # configurability like autoconf
+find_package(PkgConfig REQUIRED)
+include(CheckSymbolExists)
+include(CheckIncludeFiles)
+include(CheckCCompilerFlag)
+include(CheckTypeSize)
+include(CheckStructHasMember)
+include(CTest)
+
 option(UNSUPPORTED_BUILDS "Allow unsupported builds" OFF)
 if (NOT WIN32 AND NOT ${UNSUPPORTED_BUILDS})
@@ -70,7 +78,10 @@ else ()
 set(CMAKE_CXX_FLAGS_RELEASE "-O2")
 set(CMAKE_C_FLAGS_DEBUG "-g -O1")
 set(CMAKE_CXX_FLAGS_DEBUG "-g -O1")
-add_compile_options(-Wall -Wuninitialized -Wno-stringop-truncation)
+check_c_compiler_flag(-Wno-stringop-truncation NoStringOpTruncation)
+if (${NoStringOpTruncation})
+add_compile_options(-Wall -Wuninitialized )
+endif()
 # We are not ready for this
 #add_compile_options(-Wconversion -Wno-sign-conversion -Wsign-compare)
 if (USE_WERROR)
@@ -78,13 +89,6 @@ else ()
 endif ()
 endif ()
-find_package(PkgConfig REQUIRED)
-include(CheckSymbolExists)
-include(CheckIncludeFiles)
-include(CheckTypeSize)
-include(CheckStructHasMember)
-include(CTest)
-
 find_program(PYTHON NAMES python3 python)
 execute_process(
 COMMAND ${PYTHON} ${CMAKE_CURRENT_SOURCE_DIR}/contrib/cmake/parse-version.m4.py ${CMAKE_CURRENT_SOURCE_DIR}/version.m4
--
2.39.2 (Apple Git-143)
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
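Review bot: In the second hunk `-Wall -Wuninitialized` become conditional on the probe of an unrelated flag and `-Wno-stringop-truncation` is never added at all, so on Clang the baseline warnings disappear and on GCC the truncation warnings the line was meant to silence come back. The probe result should gate only the flag it tests: keep `add_compile_options(-Wall -Wuninitialized)` unconditional, then `if (NoStringOpTruncation)` / `add_compile_options(-Wno-stringop-truncation)` / `endif()`. The stray space before the closing parenthesis in `-Wuninitialized )` is harmless but hints the line was edited in a hurry.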