Re: [Openvpn-devel] [PATCH 2/2] Implement using --peer-fingerprint without CA certificates
Am 30.06.23 um 15:31 schrieb Maximilian Fillinger: The grammar in the 3rd sentence in the comment below is messed up. (I think I understand it, but I'm not sure.) +if (session->opt->verify_hash_no_ca) +{ +/* + * If we decide to verify the peer certificate based on the fingerprint + * we ignore wrong dates and the certificate not being trusted. + * Any other problem with the certificate (wrong key, bad cert,...) + * will still trigger an error. + * Clearing these flags relies on verify_cert will later rejecting a + * certificate that has no matching fingerprint. + */ +uint32_t flags_ignore = MBEDTLS_X509_BADCERT_NOT_TRUSTED +| MBEDTLS_X509_BADCERT_EXPIRED +| MBEDTLS_X509_BADCERT_FUTURE; +*flags = *flags & ~flags_ignore; +} + Also, this comment is copied verbatim from Jason's commit 423ced962d which has been reverted. I'm not a lawyer, but since comments are relatively easy to rephrase, I think it's better to do that. My suggestion: The comment is already mine. Jason never included an mBed TLS implementation. I attributed the commit to Jason but some of the code and this comment is already written by me. Arne ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH 2/2] Implement using --peer-fingerprint without CA certificates
The grammar in the 3rd sentence in the comment below is messed up. (I think I understand it, but I'm not sure.) > +if (session->opt->verify_hash_no_ca) > +{ > +/* > + * If we decide to verify the peer certificate based on the > fingerprint > + * we ignore wrong dates and the certificate not being trusted. > + * Any other problem with the certificate (wrong key, bad cert,...) > + * will still trigger an error. > + * Clearing these flags relies on verify_cert will later rejecting a > + * certificate that has no matching fingerprint. > + */ > +uint32_t flags_ignore = MBEDTLS_X509_BADCERT_NOT_TRUSTED > +| MBEDTLS_X509_BADCERT_EXPIRED > +| MBEDTLS_X509_BADCERT_FUTURE; > +*flags = *flags & ~flags_ignore; > +} > + Also, this comment is copied verbatim from Jason's commit 423ced962d which has been reverted. I'm not a lawyer, but since comments are relatively easy to rephrase, I think it's better to do that. My suggestion: /* * If we verify the peer certificate based only on the fingerprint, * we ignore flags regarding the certificate's validity period and * the certificate being untrusted (because we don't have a CA to * check against). * Any other flags will still trigger an error. * * If the certificate's fingerprint doesn't match, it will be rejected * by verify_cert later. */ ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH] test_tls_crypt: Improve mock() usage to be more portable
Use the casting variants of mock(). Using the mock_ptr_type fixes an existing bug where test_tls_crypt.c couldn't build in MinGW 32bit: test_tls_crypt.c:127:27: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast] 127 | const char *pem_str = (const char *) mock(); Change-Id: I6c03313b8677fa07c07e718b1f85f7efd3c4dea8 Signed-off-by: Frank Lichtenheld --- tests/unit_tests/openvpn/test_tls_crypt.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/unit_tests/openvpn/test_tls_crypt.c b/tests/unit_tests/openvpn/test_tls_crypt.c index 8bed042f..ed7c7948 100644 --- a/tests/unit_tests/openvpn/test_tls_crypt.c +++ b/tests/unit_tests/openvpn/test_tls_crypt.c @@ -116,7 +116,7 @@ __wrap_buffer_write_file(const char *filename, const struct buffer *buf) check_expected(filename); check_expected(pem); -return mock(); +return mock_type(bool); } struct buffer @@ -124,7 +124,7 @@ __wrap_buffer_read_from_file(const char *filename, struct gc_arena *gc) { check_expected(filename); -const char *pem_str = (const char *) mock(); +const char *pem_str = mock_ptr_type(const char *); struct buffer ret = alloc_buf_gc(strlen(pem_str) + 1, gc); buf_write(&ret, pem_str, strlen(pem_str) + 1); -- 2.34.1 ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH 1/4] Do not blindly assume python3 is also the interpreter that runs rst2html
On Thu, Jun 29, 2023 at 11:56:07PM +0200, Arne Schwabe wrote: > On my system python3 is the macOS system python3 while rst2html has > >#!/opt/homebrew/opt/python@3.9/bin/python3.9 > > as its first line. Running that with a different python results in missing > python modules. So directly execute the rst2html script instead. Acked-By: Frank Lichtenheld -- Frank Lichtenheld ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH 4/4] Avoid unused function warning/error on FreeBSD
On Thu, Jun 29, 2023 at 11:56:11PM +0200, Arne Schwabe wrote: > the funktion is_on_link is not used on FreeBSD and triggers a > warning/error (-Werror) on FreeBSD. > > Change-Id: I6757d6509ff3ff522d6de417372a21e73ccca3ba > Signed-off-by: Arne Schwabe > --- > src/openvpn/route.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/src/openvpn/route.c b/src/openvpn/route.c > index d18acd016..2180b7d1a 100644 > --- a/src/openvpn/route.c > +++ b/src/openvpn/route.c > @@ -1541,13 +1541,15 @@ local_route(in_addr_t network, > return LR_NOMATCH; > } > > -/* Return true if the "on-link" form of the route should be used. This is > when the gateway for a > +/* Return true if the "on-link" form of the route should be used. This is > when the gateway for > * a route is specified as an interface rather than an address. */ > +#ifndef TARGET_FREEBSD The actual condition seems to be #if defined(TARGET_LINUX) || defined(_WIN32) || defined(TARGET_DARWIN) > static inline bool > is_on_link(const int is_local_route, const unsigned int flags, const struct > route_gateway_info *rgi) > { > return rgi && (is_local_route == LR_MATCH || ((flags & ROUTE_REF_GW) && > (rgi->flags & RGI_ON_LINK))); > } > +#endif > > bool > add_route(struct route_ipv4 *r, Regards, -- Frank Lichtenheld ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH 2/4] [CMake] Only add -Wno-stringop-truncation on supported compilers
On Thu, Jun 29, 2023 at 11:56:08PM +0200, Arne Schwabe wrote: > The -Wno-stringop-truncation flag is only supported by some GCC versions > and not by Clang (macOS, FreeBSD) at all. > > Move the includes to the top the file to have them available when running > the check_c_compiler_flag. Acked-by: Frank Lichtenheld -- Frank Lichtenheld ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH 3/4] Check if the -wrap argument is actually supported by the platform's ld
On Thu, Jun 29, 2023 at 11:56:10PM +0200, Arne Schwabe wrote: > This avoids build errors on macOS. Also the test_tls_crypt command works > just fine on FreeBSD with its linkers, so do not make that test Linux only. NAK. Breaks build on mingw. Will investigate why. Regards, -- Frank Lichtenheld ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel