[Openvpn-devel] [PATCH 2/4] [CMake] Only add -Wno-stringop-truncation on supported compilers

2023-06-29 Thread Arne Schwabe
The -Wno-stringop-truncation flag is only supported by some GCC versions
and not by Clang (macOS, FreeBSD) at all.

Move the includes to the top of the file to have them available when running
the check_c_compiler_flag.

Change-Id: I452bc4ee935d13f8e9095d0a31805a3bbaff0cec
Signed-off-by: Arne Schwabe 
---
 CMakeLists.txt | 22 ++
 1 file changed, 14 insertions(+), 8 deletions(-)

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 3cbba5a38..acebbb73c 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -12,6 +12,14 @@ project(openvpn)
 # and OpenSSL having version 1.1.1+ and generally does not offer the same
 # configurability like autoconf
 
+find_package(PkgConfig REQUIRED)
+include(CheckSymbolExists)
+include(CheckIncludeFiles)
+include(CheckCCompilerFlag)
+include(CheckTypeSize)
+include(CheckStructHasMember)
+include(CTest)
+
 option(UNSUPPORTED_BUILDS "Allow unsupported builds" OFF)
 
 if (NOT WIN32 AND NOT ${UNSUPPORTED_BUILDS})
@@ -70,7 +78,12 @@ else ()
 set(CMAKE_CXX_FLAGS_RELEASE "-O2")
 set(CMAKE_C_FLAGS_DEBUG "-g -O1")
 set(CMAKE_CXX_FLAGS_DEBUG "-g -O1")
-add_compile_options(-Wall -Wuninitialized -Wno-stringop-truncation)
+add_compile_options(-Wall -Wuninitialized)
+check_c_compiler_flag(-Wno-stringop-truncation NoStringOpTruncation)
+
+if (${NoStringOpTruncation})
+add_compile_options(-Wno-stringop-truncation)
+endif()
 # We are not ready for this
 #add_compile_options(-Wconversion -Wno-sign-conversion -Wsign-compare)
 if (USE_WERROR)
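Review bot: `if (${NoStringOpTruncation})` expands the variable before the condition is parsed; check_c_compiler_flag() caches an empty value when the flag is rejected, so the line degrades to `if ()`, which current CMake treats as false but is fragile, and the idiomatic form is simply `if (NoStringOpTruncation)`. The same pattern appears at `if (${LD_SUPPORTS_WRAP})` in PATCH 3/4 and in the superseded single-patch version further down this page. Note also that GCC silently accepts unknown `-Wno-*` options unless another diagnostic is emitted, so this probe will likely succeed on GCC versions that never had the warning; that is harmless here, but probing the positive form `-Wstringop-truncation` would be the more reliable indicator if an exact answer is ever needed. The enclosing else() block starts and ends outside the hunk.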
@@ -78,13 +91,6 @@ else ()
 endif ()
 endif ()
 
-find_package(PkgConfig REQUIRED)
-include(CheckSymbolExists)
-include(CheckIncludeFiles)
-include(CheckTypeSize)
-include(CheckStructHasMember)
-include(CTest)
-
 find_program(PYTHON NAMES python3 python)
 execute_process(
 COMMAND ${PYTHON} 
${CMAKE_CURRENT_SOURCE_DIR}/contrib/cmake/parse-version.m4.py 
${CMAKE_CURRENT_SOURCE_DIR}/version.m4
-- 
2.39.2 (Apple Git-143)





[Openvpn-devel] [PATCH 1/4] Do not blindly assume python3 is also the interpreter that runs rst2html

2023-06-29 Thread Arne Schwabe
On my system python3 is the macOS system python3 while rst2html has

   #!/opt/homebrew/opt/python@3.9/bin/python3.9

as its first line. Running that with a different python results in missing
python modules. So directly execute the rst2html script instead.

Change-Id: I7e27ae031179c91cc1bca8122caf2453d6396ec0
Signed-off-by: Arne Schwabe 
---
 doc/CMakeLists.txt | 8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/doc/CMakeLists.txt b/doc/CMakeLists.txt
index d38805513..2fba80bbd 100644
--- a/doc/CMakeLists.txt
+++ b/doc/CMakeLists.txt
@@ -50,13 +50,13 @@ if (_GENERATE_HTML_DOC)
 list(APPEND ALL_DOCS openvpn.8.html openvpn-examples.5.html)
 add_custom_command(
 OUTPUT openvpn.8.html
-COMMAND ${PYTHON} ${RST2HTML} ${RST_FLAGS} 
${CMAKE_CURRENT_SOURCE_DIR}/openvpn.8.rst 
${CMAKE_CURRENT_BINARY_DIR}/openvpn.8.html
+COMMAND ${RST2HTML} ${RST_FLAGS} 
${CMAKE_CURRENT_SOURCE_DIR}/openvpn.8.rst 
${CMAKE_CURRENT_BINARY_DIR}/openvpn.8.html
 MAIN_DEPENDENCY openvpn.8.rst
 DEPENDS ${OPENVPN_SECTIONS}
 )
 add_custom_command(
 OUTPUT openvpn-examples.5.html
-COMMAND ${PYTHON} ${RST2HTML} ${RST_FLAGS} 
${CMAKE_CURRENT_SOURCE_DIR}/openvpn-examples.5.rst 
${CMAKE_CURRENT_BINARY_DIR}/openvpn-examples.5.html
+COMMAND ${RST2HTML} ${RST_FLAGS} 
${CMAKE_CURRENT_SOURCE_DIR}/openvpn-examples.5.rst 
${CMAKE_CURRENT_BINARY_DIR}/openvpn-examples.5.html
 MAIN_DEPENDENCY openvpn-examples.5.rst
 DEPENDS ${OPENVPN_EXAMPLES_SECTIONS}
 )
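Review bot: Dropping `${PYTHON}` makes each COMMAND depend on the rst2html script being directly executable, i.e. on its shebang line being honoured, which holds on POSIX hosts but not on Windows without a launcher; where `RST2HTML` is resolved is outside this hunk, so a short comment above the command documenting the assumption would help, e.g. `# run rst2html directly so its own shebang selects the matching Python`. The add_custom_command() calls in this hunk and the rst2man hunk that follows also carry no `VERBATIM`, so the quoting of `${RST_FLAGS}` remains platform-dependent. The enclosing `if (_GENERATE_HTML_DOC)` block starts outside the hunk; the second hunk has the same shape and the same remark applies.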
@@ -65,13 +65,13 @@ if (_GENERATE_MAN_DOC)
 list(APPEND ALL_DOCS openvpn.8 openvpn-examples.5)
 add_custom_command(
 OUTPUT openvpn.8
-COMMAND ${PYTHON} ${RST2MAN} ${RST_FLAGS} 
${CMAKE_CURRENT_SOURCE_DIR}/openvpn.8.rst ${CMAKE_CURRENT_BINARY_DIR}/openvpn.8
+COMMAND ${RST2MAN} ${RST_FLAGS} 
${CMAKE_CURRENT_SOURCE_DIR}/openvpn.8.rst ${CMAKE_CURRENT_BINARY_DIR}/openvpn.8
 MAIN_DEPENDENCY openvpn.8.rst
 DEPENDS ${OPENVPN_SECTIONS}
 )
 add_custom_command(
 OUTPUT openvpn-examples.5
-COMMAND ${PYTHON} ${RST2MAN} ${RST_FLAGS} 
${CMAKE_CURRENT_SOURCE_DIR}/openvpn-examples.5.rst 
${CMAKE_CURRENT_BINARY_DIR}/openvpn-examples.5
+COMMAND ${RST2MAN} ${RST_FLAGS} 
${CMAKE_CURRENT_SOURCE_DIR}/openvpn-examples.5.rst 
${CMAKE_CURRENT_BINARY_DIR}/openvpn-examples.5
 MAIN_DEPENDENCY openvpn-examples.5.rst
 DEPENDS ${OPENVPN_EXAMPLES_SECTIONS}
 )
-- 
2.39.2 (Apple Git-143)





[Openvpn-devel] [PATCH 4/4] Avoid unused function warning/error on FreeBSD

2023-06-29 Thread Arne Schwabe
The function is_on_link is not used on FreeBSD and triggers a
warning/error (-Werror) on FreeBSD.

Change-Id: I6757d6509ff3ff522d6de417372a21e73ccca3ba
Signed-off-by: Arne Schwabe 
---
 src/openvpn/route.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/openvpn/route.c b/src/openvpn/route.c
index d18acd016..2180b7d1a 100644
--- a/src/openvpn/route.c
+++ b/src/openvpn/route.c
@@ -1541,13 +1541,15 @@ local_route(in_addr_t network,
 return LR_NOMATCH;
 }
 
-/* Return true if the "on-link" form of the route should be used.  This is 
when the gateway for a
+/* Return true if the "on-link" form of the route should be used.  This is 
when the gateway for
  * a route is specified as an interface rather than an address. */
+#ifndef TARGET_FREEBSD
 static inline bool
 is_on_link(const int is_local_route, const unsigned int flags, const struct 
route_gateway_info *rgi)
 {
 return rgi && (is_local_route == LR_MATCH || ((flags & ROUTE_REF_GW) && 
(rgi->flags & RGI_ON_LINK)));
 }
+#endif
 
 bool
 add_route(struct route_ipv4 *r,
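Review bot: The `#ifndef TARGET_FREEBSD` guard repeats, in a second place, whatever preprocessor condition the callers of is_on_link() are compiled under; if those call sites (not visible here) use a different condition, the function will be either undefined or once again unused on some platform. A one-line comment tying the two together, such as `/* only referenced from the non-FreeBSD route-add paths below */`, or the unused-function attribute the project already uses elsewhere if it has one, would make the coupling explicit. add_route() begins on the last lines of the hunk and continues outside it.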
-- 
2.39.2 (Apple Git-143)





[Openvpn-devel] [PATCH 3/4] Check if the -wrap argument is actually supported by the platform's ld

2023-06-29 Thread Arne Schwabe
This avoids build errors on macOS. Also the test_tls_crypt command works
just fine on FreeBSD with its linkers, so do not make that test Linux only.

Change-Id: Id26676bdc576c7d3d6726afa43fe6c7a397c579b
Signed-off-by: Arne Schwabe 
---
 CMakeLists.txt | 11 +++
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/CMakeLists.txt b/CMakeLists.txt
index acebbb73c..d2445b414 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -16,6 +16,7 @@ find_package(PkgConfig REQUIRED)
 include(CheckSymbolExists)
 include(CheckIncludeFiles)
 include(CheckCCompilerFlag)
+include(CheckLinkerFlag)
 include(CheckTypeSize)
 include(CheckStructHasMember)
 include(CTest)
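Review bot: `include(CheckLinkerFlag)` and the check_linker_flag() command it provides exist only since CMake 3.18, so the project's cmake_minimum_required (outside this hunk) must be at least that version, or configuration fails on older CMake with an unhelpful "include could not find requested file" error. If the minimum cannot be raised, guard the include and the later probe with `if (CMAKE_VERSION VERSION_GREATER_EQUAL 3.18)` and fall back to the previous platform test. Either way, a comment naming the version requirement next to the include would save the next reader a lookup.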
@@ -560,18 +561,20 @@ if (BUILD_TESTING)
 )
 endif ()
 
-if (NOT MSVC)
-# MSVC does not support --wrap
+# MSVC and Apple's LLVM ld do not support --wrap
+check_linker_flag(C -Wl,--wrap=parse_line LD_SUPPORTS_WRAP)
+
+if (${LD_SUPPORTS_WRAP})
 list(APPEND unit_tests
 "test_argv"
+"test_tls_crypt"
 )
 endif ()
 
-# These tests work on only on Linux since they depend on special linker 
features
+# These tests work on only on Linux since they depend on special Linux 
features
 if (${CMAKE_SYSTEM_NAME} STREQUAL "Linux")
 list(APPEND unit_tests
 "test_networking"
-"test_tls_crypt"
 )
 endif ()
 
-- 
2.39.2 (Apple Git-143)





[Openvpn-devel] [PATCH 0/4] Restore ability to compile on macOS/FreeBSD with Cmake

2023-06-29 Thread Arne Schwabe
The patches to the cmake files did a lot of improvements but broke compiling
on macOS and FreeBSD. This patch set restores the ability to compile again
with these two platforms.

Arne Schwabe (4):
  Do not blindly assume python3 is also the interpreter that runs
rst2html
  [CMake] Only add -Wno-stringop-truncation on supported compilers
  Check if the -wrap argument is actually supported by the platform's ld
  Avoid unused function warning/error on FreeBSD

 CMakeLists.txt  | 33 +
 doc/CMakeLists.txt  |  8 
 src/openvpn/route.c |  4 +++-
 3 files changed, 28 insertions(+), 17 deletions(-)

-- 
2.39.2 (Apple Git-143)





[Openvpn-devel] [PATCH 2/2] Implement using --peer-fingerprint without CA certificates

2023-06-29 Thread Arne Schwabe
This is implements --peer-fingerprint command to support OpenVPN authentication
without involving a PKI.

The current implementation in OpenVPN for peer fingerprint has been already
extensively rewritten from the original submission from Jason [1]. The commit
preserved the original author since it was based on Jason code/idea.

The current code uses two commits to prepare the --peer-fingerprint solution
as which choose to use a simple to use --peer-fingerprint directive instead
of using using a --tls-verify script like the v1 of the patch proposed.
The two commit preparing this are:

 - Extend verify-hash to allow multiple hashes
 - Implement peer-fingerprint to check fingerprint of peer certificate

These preparatory patches make this actual patch quite short. There are some
lines in this patch that bear some similarity to the ones like

if (!preverify_ok && !session->opt->verify_hash_no_ca)

vs

if (!preverify_ok && !session->opt->ca_file_none)

But these similarities are one line fragments and dictated by the
surrounding style and program flow, so even a complete black box
implementation will likely end up with the same lines.

[1] 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg16781.html

Change-Id: Ie74c3d606c5429455c293c367462244566a936e3
Signed-off-by: Arne Schwabe 
---
 src/openvpn/init.c   |  1 +
 src/openvpn/options.c| 26 +-
 src/openvpn/options.h|  1 +
 src/openvpn/ssl_common.h |  1 +
 src/openvpn/ssl_verify_mbedtls.c | 16 
 src/openvpn/ssl_verify_openssl.c |  2 +-
 6 files changed, 33 insertions(+), 14 deletions(-)

diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index c023b33c6..d358ad003 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -3347,6 +3347,7 @@ do_init_crypto_tls(struct context *c, const unsigned int 
flags)
 to.verify_hash = options->verify_hash;
 to.verify_hash_algo = options->verify_hash_algo;
 to.verify_hash_depth = options->verify_hash_depth;
+to.verify_hash_no_ca = options->verify_hash_no_ca;
 #ifdef ENABLE_X509ALTUSERNAME
 memcpy(to.x509_username_field, options->x509_username_field, 
sizeof(to.x509_username_field));
 #else
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index fe9285384..e4c596b89 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -2991,21 +2991,11 @@ options_postprocess_verify_ce(const struct options 
*options,
 else
 {
 #ifdef ENABLE_CRYPTO_MBEDTLS
-if (!(options->ca_file))
-{
-msg(M_USAGE, "You must define CA file (--ca)");
-}
-
 if (options->ca_path)
 {
 msg(M_USAGE, "Parameter --capath cannot be used with the mbed 
TLS version version of OpenVPN.");
 }
-#else  /* ifdef ENABLE_CRYPTO_MBEDTLS */
-if ((!(options->ca_file)) && (!(options->ca_path)))
-{
-msg(M_USAGE, "You must define CA file (--ca) or CA path 
(--capath)");
-}
-#endif
+#endif  /* ifdef ENABLE_CRYPTO_MBEDTLS */
 if (pull)
 {
 
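Review bot: Removing both "You must define CA file" checks leaves no usage error for a configuration that sets neither --ca/--capath nor --peer-fingerprint; the new verify_hash_no_ca flag is only set in options_postprocess_mutate() when verify_hash is present and verify_hash_depth is 0, so such a configuration now passes option validation and fails, if at all, only later in the TLS layer rather than failing closed at startup. Keep the check and gate it on the new flag, e.g. `if (!options->ca_file && !options->ca_path && !options->verify_hash_no_ca) { msg(M_USAGE, "You must define CA file (--ca) or CA path (--capath) or --peer-fingerprint"); }`, with the mbed TLS branch additionally rejecting --capath as before. This assumes options_postprocess_mutate() runs before options_postprocess_verify_ce(), which is not visible here. options_postprocess_verify_ce() starts and ends outside the hunk.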
@@ -3737,6 +3727,13 @@ options_postprocess_mutate(struct options *o, struct 
env_set *es)
 options_postprocess_http_proxy_override(o);
 }
 #endif
+if (!o->ca_file && !o->ca_path && o->verify_hash
+&& o->verify_hash_depth == 0)
+{
+msg(M_INFO, "Using certificate fingerprint to verify peer (no CA "
+"option set). ");
+o->verify_hash_no_ca = true;
+}
 
 if (o->config && streq(o->config, "stdin") && o->remap_sigusr1 == SIGHUP)
 {
@@ -4032,8 +4029,11 @@ options_postprocess_filechecks(struct options *options)
 errs |= check_file_access_inline(options->dh_file_inline, CHKACC_FILE,
  options->dh_file, R_OK, "--dh");
 
-errs |= check_file_access_inline(options->ca_file_inline, CHKACC_FILE,
- options->ca_file, R_OK, "--ca");
+if (!options->verify_hash_no_ca)
+{
+errs |= check_file_access_inline(options->ca_file_inline, CHKACC_FILE,
+ options->ca_file, R_OK, "--ca");
+}
 
 errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE,
  options->ca_path, R_OK, "--capath");
diff --git a/src/openvpn/options.h b/src/openvpn/options.h
index 95f1158a4..f5890b90f 100644
--- a/src/openvpn/options.h
+++ b/src/openvpn/options.h
@@ -604,6 +604,7 @@ struct options
 struct verify_hash_list *verify_hash;
 hash_algo_type verify_hash_algo;
 int verify_hash_depth;
+bool verify_hash_no_ca;
 unsigned int ssl_flags; /* set to SSLF_x flags from ssl.h */
 
 #ifdef ENABLE_PKCS11
diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h
index c0b3caa71..27b029479 100644
--- a/src/openvpn/ssl_common.h
+++ b/src/openvpn/ssl_common.h
@@ -345,6 +345,7 @@ struct tls_options

Re: [Openvpn-devel] [PATCH] [CMake] Only add -Wno-stringop-truncation on supported compilers

2023-06-29 Thread Arne Schwabe

Am 29.06.23 um 13:39 schrieb Arne Schwabe:

The -Wno-stringop-truncation flag is only supported by some GCC versions
and not by Clang (macOS, FreeBSD) at all.

Change-Id: I452bc4ee935d13f8e9095d0a31805a3bbaff0cec



Ignore this version.





[Openvpn-devel] [PATCH] [CMake] Only add -Wno-stringop-truncation on supported compilers

2023-06-29 Thread Arne Schwabe
The -Wno-stringop-truncation flag is only supported by some GCC versions
and not by Clang (macOS, FreeBSD) at all.

Change-Id: I452bc4ee935d13f8e9095d0a31805a3bbaff0cec
Signed-off-by: Arne Schwabe 
---
 CMakeLists.txt | 20 
 1 file changed, 12 insertions(+), 8 deletions(-)

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 3cbba5a38..ec0915bb0 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -12,6 +12,14 @@ project(openvpn)
 # and OpenSSL having version 1.1.1+ and generally does not offer the same
 # configurability like autoconf
 
+find_package(PkgConfig REQUIRED)
+include(CheckSymbolExists)
+include(CheckIncludeFiles)
+include(CheckCCompilerFlag)
+include(CheckTypeSize)
+include(CheckStructHasMember)
+include(CTest)
+
 option(UNSUPPORTED_BUILDS "Allow unsupported builds" OFF)
 
 if (NOT WIN32 AND NOT ${UNSUPPORTED_BUILDS})
@@ -70,7 +78,10 @@ else ()
 set(CMAKE_CXX_FLAGS_RELEASE "-O2")
 set(CMAKE_C_FLAGS_DEBUG "-g -O1")
 set(CMAKE_CXX_FLAGS_DEBUG "-g -O1")
-add_compile_options(-Wall -Wuninitialized -Wno-stringop-truncation)
+check_c_compiler_flag(-Wno-stringop-truncation NoStringOpTruncation)
+if (${NoStringOpTruncation})
+add_compile_options(-Wall -Wuninitialized )
+endif()
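Review bot: The conditional at `if (${NoStringOpTruncation})` guards `-Wall -Wuninitialized` rather than the flag that was probed, so `-Wno-stringop-truncation` is never added at all and the two general warnings are silently dropped on every compiler where the probe fails. The intended shape keeps `add_compile_options(-Wall -Wuninitialized)` unconditional and places `add_compile_options(-Wno-stringop-truncation)` inside the if, as the author's follow-up PATCH 2/4 on this page already does. The enclosing else() block starts and ends outside the hunk.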
 # We are not ready for this
 #add_compile_options(-Wconversion -Wno-sign-conversion -Wsign-compare)
 if (USE_WERROR)
@@ -78,13 +89,6 @@ else ()
 endif ()
 endif ()
 
-find_package(PkgConfig REQUIRED)
-include(CheckSymbolExists)
-include(CheckIncludeFiles)
-include(CheckTypeSize)
-include(CheckStructHasMember)
-include(CTest)
-
 find_program(PYTHON NAMES python3 python)
 execute_process(
 COMMAND ${PYTHON} 
${CMAKE_CURRENT_SOURCE_DIR}/contrib/cmake/parse-version.m4.py 
${CMAKE_CURRENT_SOURCE_DIR}/version.m4
-- 
2.39.2 (Apple Git-143)


