Re: [Openvpn-devel] [PATCH 2/2] Implement using --peer-fingerprint without CA certificates
Am 30.06.23 um 15:31 schrieb Maximilian Fillinger:
The grammar in the 3rd sentence in the comment below is messed up. (I think I
understand it, but I'm not sure.)
+if (session->opt->verify_hash_no_ca)
+{
+/*
+ * If we decide to verify the peer certificate based on the fingerprint
+ * we ignore wrong dates and the certificate not being trusted.
+ * Any other problem with the certificate (wrong key, bad cert,...)
+ * will still trigger an error.
+ * Clearing these flags relies on verify_cert will later rejecting a
+ * certificate that has no matching fingerprint.
+ */
+uint32_t flags_ignore = MBEDTLS_X509_BADCERT_NOT_TRUSTED
+| MBEDTLS_X509_BADCERT_EXPIRED
+| MBEDTLS_X509_BADCERT_FUTURE;
+*flags = *flags & ~flags_ignore;
+}
+
Also, this comment is copied verbatim from Jason's commit 423ced962d which has
been reverted. I'm not a lawyer, but since comments are relatively easy to
rephrase, I think it's better to do that. My suggestion:
The comment is already mine. Jason never included an mBed TLS
implementation. I attributed the commit to Jason but some of the code
and this comment is already written by me.
Arne
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH 2/2] Implement using --peer-fingerprint without CA certificates
The grammar in the 3rd sentence in the comment below is messed up. (I think I
understand it, but I'm not sure.)
> +if (session->opt->verify_hash_no_ca)
> +{
> +/*
> + * If we decide to verify the peer certificate based on the
> fingerprint
> + * we ignore wrong dates and the certificate not being trusted.
> + * Any other problem with the certificate (wrong key, bad cert,...)
> + * will still trigger an error.
> + * Clearing these flags relies on verify_cert will later rejecting a
> + * certificate that has no matching fingerprint.
> + */
> +uint32_t flags_ignore = MBEDTLS_X509_BADCERT_NOT_TRUSTED
> +| MBEDTLS_X509_BADCERT_EXPIRED
> +| MBEDTLS_X509_BADCERT_FUTURE;
> +*flags = *flags & ~flags_ignore;
> +}
> +
Also, this comment is copied verbatim from Jason's commit 423ced962d which has
been reverted. I'm not a lawyer, but since comments are relatively easy to
rephrase, I think it's better to do that. My suggestion:
/*
* If we verify the peer certificate based only on the fingerprint,
* we ignore flags regarding the certificate's validity period and
* the certificate being untrusted (because we don't have a CA to
* check against).
* Any other flags will still trigger an error.
*
* If the certificate's fingerprint doesn't match, it will be rejected
* by verify_cert later.
*/
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH] test_tls_crypt: Improve mock() usage to be more portable
Use the casting variants of mock(). Using the mock_ptr_type
fixes an existing bug where test_tls_crypt.c couldn't
build in MinGW 32bit:
test_tls_crypt.c:127:27: error:
cast to pointer from integer of different size [-Werror=int-to-pointer-cast]
127 | const char *pem_str = (const char *) mock();
Change-Id: I6c03313b8677fa07c07e718b1f85f7efd3c4dea8
Signed-off-by: Frank Lichtenheld
---
tests/unit_tests/openvpn/test_tls_crypt.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tests/unit_tests/openvpn/test_tls_crypt.c
b/tests/unit_tests/openvpn/test_tls_crypt.c
index 8bed042f..ed7c7948 100644
--- a/tests/unit_tests/openvpn/test_tls_crypt.c
+++ b/tests/unit_tests/openvpn/test_tls_crypt.c
@@ -116,7 +116,7 @@ __wrap_buffer_write_file(const char *filename, const struct
buffer *buf)
check_expected(filename);
check_expected(pem);
-return mock();
+return mock_type(bool);
}
struct buffer
@@ -124,7 +124,7 @@ __wrap_buffer_read_from_file(const char *filename, struct
gc_arena *gc)
{
check_expected(filename);
-const char *pem_str = (const char *) mock();
+const char *pem_str = mock_ptr_type(const char *);
struct buffer ret = alloc_buf_gc(strlen(pem_str) + 1, gc);
buf_write(&ret, pem_str, strlen(pem_str) + 1);
--
2.34.1
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH 1/4] Do not blindly assume python3 is also the interpreter that runs rst2html
On Thu, Jun 29, 2023 at 11:56:07PM +0200, Arne Schwabe wrote: > On my system python3 is the macOS system python3 while rst2html has > >#!/opt/homebrew/opt/python@3.9/bin/python3.9 > > as its first line. Running that with a different python results in missing > python modules. So directly execute the rst2html script instead. Acked-By: Frank Lichtenheld -- Frank Lichtenheld ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH 4/4] Avoid unused function warning/error on FreeBSD
On Thu, Jun 29, 2023 at 11:56:11PM +0200, Arne Schwabe wrote:
> the funktion is_on_link is not used on FreeBSD and triggers a
> warning/error (-Werror) on FreeBSD.
>
> Change-Id: I6757d6509ff3ff522d6de417372a21e73ccca3ba
> Signed-off-by: Arne Schwabe
> ---
> src/openvpn/route.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/src/openvpn/route.c b/src/openvpn/route.c
> index d18acd016..2180b7d1a 100644
> --- a/src/openvpn/route.c
> +++ b/src/openvpn/route.c
> @@ -1541,13 +1541,15 @@ local_route(in_addr_t network,
> return LR_NOMATCH;
> }
>
> -/* Return true if the "on-link" form of the route should be used. This is
> when the gateway for a
> +/* Return true if the "on-link" form of the route should be used. This is
> when the gateway for
> * a route is specified as an interface rather than an address. */
> +#ifndef TARGET_FREEBSD
The actual condition seems to be
#if defined(TARGET_LINUX) || defined(_WIN32) || defined(TARGET_DARWIN)
> static inline bool
> is_on_link(const int is_local_route, const unsigned int flags, const struct
> route_gateway_info *rgi)
> {
> return rgi && (is_local_route == LR_MATCH || ((flags & ROUTE_REF_GW) &&
> (rgi->flags & RGI_ON_LINK)));
> }
> +#endif
>
> bool
> add_route(struct route_ipv4 *r,
Regards,
--
Frank Lichtenheld
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH 2/4] [CMake] Only add -Wno-stringop-truncation on supported compilers
On Thu, Jun 29, 2023 at 11:56:08PM +0200, Arne Schwabe wrote: > The -Wno-stringop-truncation flag is only supported by some GCC versions > and not by Clang (macOS, FreeBSD) at all. > > Move the includes to the top the file to have them available when running > the check_c_compiler_flag. Acked-by: Frank Lichtenheld -- Frank Lichtenheld ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH 3/4] Check if the -wrap argument is actually supported by the platform's ld
On Thu, Jun 29, 2023 at 11:56:10PM +0200, Arne Schwabe wrote: > This avoids build errors on macOS. Also the test_tls_crypt command works > just fine on FreeBSD with its linkers, so do not make that test Linux only. NAK. Breaks build on mingw. Will investigate why. Regards, -- Frank Lichtenheld ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
