[Openvpn-devel] [S] Change in openvpn[release/2.6]: Mock openvpn_exece on win32 also for test_tls_crypt
Attention is currently required from: flichtenheld.

d12fk has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/313?usp=email )

Change subject: Mock openvpn_exece on win32 also for test_tls_crypt
..

Patch Set 2: Code-Review+2

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/313?usp=email
To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: release/2.6
Gerrit-Change-Id: I8c8fe298eb30e211279f3fc010584b9d3bc14b4a
Gerrit-Change-Number: 313
Gerrit-PatchSet: 2
Gerrit-Owner: flichtenheld
Gerrit-Reviewer: d12fk
Gerrit-CC: openvpn-devel
Gerrit-CC: plaisthos
Gerrit-Attention: flichtenheld
Gerrit-Comment-Date: Fri, 22 Sep 2023 20:00:53 +
Gerrit-HasComments: No
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment

___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [S] Change in openvpn[release/2.6]: Mock openvpn_exece on win32 also for test_tls_crypt
Attention is currently required from: d12fk.

flichtenheld has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/313?usp=email )

Change subject: Mock openvpn_exece on win32 also for test_tls_crypt
..

Patch Set 2:

(1 comment)

Patchset:

PS2:
Merged the fixup from master

Gerrit-Project: openvpn
Gerrit-Branch: release/2.6
Gerrit-Change-Id: I8c8fe298eb30e211279f3fc010584b9d3bc14b4a
Gerrit-Change-Number: 313
Gerrit-PatchSet: 2
Gerrit-Owner: flichtenheld
Gerrit-Reviewer: d12fk
Gerrit-CC: openvpn-devel
Gerrit-CC: plaisthos
Gerrit-Attention: d12fk
Gerrit-Comment-Date: Fri, 22 Sep 2023 16:30:35 +
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Gerrit-MessageType: comment
[Openvpn-devel] [XS] Change in openvpn[release/2.6]: buffer: use memcpy in buf_catrunc
Attention is currently required from: cron2, flichtenheld. Hello cron2, d12fk, ordex, I'd like you to reexamine a change. Please visit http://gerrit.openvpn.net/c/openvpn/+/314?usp=email to look at the new patch set (#2). The change is no longer submittable: checks~ChecksSubmitRule is unsatisfied now. Change subject: buffer: use memcpy in buf_catrunc .. buffer: use memcpy in buf_catrunc Since we use strlen() to determine the length and then check it ourselves, there is really no point in using strncpy. But the compiler might complain that we use the output of strlen() for the length of strncpy which is usually a sign for bugs: error: ‘strncpy’ specified bound depends on the length of the source argument [-Werror=stringop-overflow=] Warning was at least triggered for mingw-gcc version 10-win32 20220113. Also change the type of len to size_t which avoids potential problems with signed overflow. v2: - make len size_t and change code to avoid any theoretical overflows - remove useless casts v3: - fix off-by-one introduced by v2 %) v4: - ignore unsigned overflow to simplify code Change-Id: If4a67adac4d2e870fd719b58075d39efcd67c671 Signed-off-by: Frank Lichtenheld Acked-by: Gert Doering (cherry picked from commit c89a97e449baaf60924a362555d35184f188a646) --- M src/openvpn/buffer.c 1 file changed, 2 insertions(+), 2 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/14/314/2 diff --git a/src/openvpn/buffer.c b/src/openvpn/buffer.c index d099795..7725438 100644 --- a/src/openvpn/buffer.c +++ b/src/openvpn/buffer.c 
@@ -316,10 +316,10 @@ { if (buf_forward_capacity(buf) <= 1) { -int len = (int) strlen(str) + 1; +size_t len = strlen(str) + 1; if (len < buf_forward_capacity_total(buf)) { -strncpynt((char *)(buf->data + buf->capacity - len), str, len); +memcpy(buf->data + buf->capacity - len, str, len); } } } -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/314?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: release/2.6 Gerrit-Change-Id: If4a67adac4d2e870fd719b58075d39efcd67c671 Gerrit-Change-Number: 314 Gerrit-PatchSet: 2 Gerrit-Owner: flichtenheld Gerrit-Reviewer: cron2 Gerrit-Reviewer: d12fk Gerrit-Reviewer: ordex Gerrit-CC: openvpn-devel Gerrit-Attention: cron2 Gerrit-Attention: flichtenheld Gerrit-MessageType: newpatchset ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
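Review bot: the strict `<` in `if (len < buf_forward_capacity_total(buf))` deserves a one-line comment. If, as its name suggests, buf_forward_capacity_total() is the distance from the used region's start to the end of the buffer, then `len == buf_forward_capacity_total(buf)` would place the copy exactly at that start and still be in bounds, so a later reader may be tempted to relax the check to `<=`; saying that the marker must land strictly inside the used region prevents that. Since `len` is now `size_t`, the other operand is converted in the comparison; if buf_forward_capacity_total() returns a signed type (not shown in the hunk), a negative value would pass the check. The commit message accepts that trade-off ("ignore unsigned overflow to simplify code"), and the code should say so as well.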
[Openvpn-devel] [S] Change in openvpn[release/2.6]: Mock openvpn_exece on win32 also for test_tls_crypt
Attention is currently required from: d12fk. Hello plaisthos, I'd like you to reexamine a change. Please visit http://gerrit.openvpn.net/c/openvpn/+/313?usp=email to look at the new patch set (#2). Change subject: Mock openvpn_exece on win32 also for test_tls_crypt .. Mock openvpn_exece on win32 also for test_tls_crypt This function is needed to commpile on win32 as run_command.c defines it on Unix Linux but on windows it is defined in win32.c which pulls in too many other unresolvable symbols. Patch v2: Also add mock_win32_execve.c to automake files Change-Id: I8c8fe298eb30e211279f3fc010584b9d3bc14b4a Signed-off-by: Arne Schwabe Acked-by: Frank Lichtenheld (cherry picked from commit ede590e57c96c2b16d9bf462c4b1dd967b37c432) --- M tests/unit_tests/openvpn/Makefile.am A tests/unit_tests/openvpn/mock_win32_execve.c M tests/unit_tests/openvpn/test_pkt.c 3 files changed, 39 insertions(+), 9 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/13/313/2 diff --git a/tests/unit_tests/openvpn/Makefile.am b/tests/unit_tests/openvpn/Makefile.am index 650126c..dd3985d 100644 --- a/tests/unit_tests/openvpn/Makefile.am +++ b/tests/unit_tests/openvpn/Makefile.am @@ -77,7 +77,7 @@ pkt_testdriver_CFLAGS = @TEST_CFLAGS@ \ -I$(top_srcdir)/include -I$(top_srcdir)/src/compat -I$(top_srcdir)/src/openvpn pkt_testdriver_LDFLAGS = @TEST_LDFLAGS@ -pkt_testdriver_SOURCES = test_pkt.c mock_msg.c mock_msg.h \ +pkt_testdriver_SOURCES = test_pkt.c mock_msg.c mock_msg.h mock_win32_execve.c \ $(top_srcdir)/src/openvpn/argv.c \ $(top_srcdir)/src/openvpn/base64.c \ $(top_srcdir)/src/openvpn/buffer.c \ @@ -104,6 +104,7 @@ -Wl,--wrap=parse_line \ -Wl,--wrap=rand_bytes tls_crypt_testdriver_SOURCES = test_tls_crypt.c mock_msg.c mock_msg.h \ + mock_win32_execve.c \ $(top_srcdir)/src/openvpn/argv.c \ $(top_srcdir)/src/openvpn/base64.c \ $(top_srcdir)/src/openvpn/buffer.c \ 
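Review bot: mock_win32_execve.c is added unconditionally to both pkt_testdriver_SOURCES and tls_crypt_testdriver_SOURCES, which is only correct because the whole body of that file sits under `#ifdef _WIN32` and compiles to an empty translation unit elsewhere; a short comment in Makefile.am (or guarding the entry with the existing automake WIN32 conditional, if there is one) would make that intent visible. The two hunks also differ in style: the first appends `mock_win32_execve.c` to the existing `mock_msg.h` line, the second puts it on a continuation line of its own; pick one form for both drivers.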
diff --git a/tests/unit_tests/openvpn/mock_win32_execve.c b/tests/unit_tests/openvpn/mock_win32_execve.c new file mode 100644 index 000..4d37ebe --- /dev/null +++ b/tests/unit_tests/openvpn/mock_win32_execve.c @@ -0,0 +1,37 @@ +/* + * OpenVPN -- An application to securely tunnel IP networks + * over a single TCP/UDP port, with support for SSL/TLS-based + * session authentication and key exchange, + * packet encryption, packet authentication, and + * packet compression. + * + * Copyright (C) 2023 OpenVPN Inc + * Copyright (C) 2023 Arne Schwabe + * + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ + +#include "config.h" +#include "syshead.h" + +#include "win32.h" + +#ifdef _WIN32 +int +openvpn_execve(const struct argv *a, const struct env_set *es, const unsigned int flags) +{ +ASSERT(0); +} +#endif diff --git a/tests/unit_tests/openvpn/test_pkt.c b/tests/unit_tests/openvpn/test_pkt.c index 736f131..eb69829 100644 --- a/tests/unit_tests/openvpn/test_pkt.c +++ b/tests/unit_tests/openvpn/test_pkt.c 
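Review bot: `openvpn_execve()` is declared to return int but has no return statement after `ASSERT(0);`; unless ASSERT() expands to a call the compiler knows is noreturn, a build with -Wreturn-type will warn, so a trailing `return -1;` after the assertion is cheap insurance. A comment stating that the mock exists only to satisfy the linker and that any call from a test is a bug would help the next reader, and `#include "win32.h"` could move inside the `#ifdef _WIN32` guard alongside the only function that needs it.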
@@ -71,14 +71,6 @@ return "dummy print_link_socket_actual from unit test"; } -#ifdef _WIN32 -int -openvpn_execve(const struct argv *a, const struct env_set *es, const unsigned int flags) -{ -ASSERT(0); -} -#endif - struct test_pkt_context { struct tls_auth_standalone tas_tls_auth; struct tls_auth_standalone tas_crypt; -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/313?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: release/2.6 Gerrit-Change-Id: I8c8fe298eb30e211279f3fc010584b9d3bc14b4a Gerrit-Change-Number: 313 Gerrit-PatchSet: 2 Gerrit-Owner: flichtenheld Gerrit-CC: d12fk Gerrit-CC: openvpn-devel Gerrit-CC: plaisthos Gerrit-Attention: d12fk Gerrit-MessageType: newpatchset ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: GHA: new workflow to submit scan to Coverity Scan service
Acked-by: Gert Doering

I'm not sure how that works, and how to test it - but the description matches what we agreed as being useful ("run the test each night, but only if something new was pushed this day").

Your patch has been applied to the master and release/2.6 branch.

commit 607ae9b821665dadb6bd0a3ceb6288bda10d5e67 (master)
commit 36605648a8974f1f7151a5842e94c75d08410fd0 (release/2.6)
Author: Frank Lichtenheld
Date: Mon Sep 11 13:07:35 2023 +0200

GHA: new workflow to submit scan to Coverity Scan service

Signed-off-by: Frank Lichtenheld
Acked-by: Gert Doering
Message-Id: <2023090735.34491-1-fr...@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27001.html
Signed-off-by: Gert Doering

--
kind regards,

Gert Doering
[Openvpn-devel] [PATCH] buffer: use memcpy in buf_catrunc
Since we use strlen() to determine the length and then check it ourselves, there is really no point in using strncpy. But the compiler might complain that we use the output of strlen() for the length of strncpy which is usually a sign for bugs: error: ‘strncpy’ specified bound depends on the length of the source argument [-Werror=stringop-overflow=] Warning was at least triggered for mingw-gcc version 10-win32 20220113. Also change the type of len to size_t which avoids potential problems with signed overflow. v2: - make len size_t and change code to avoid any theoretical overflows - remove useless casts v3: - fix off-by-one introduced by v2 %) v4: - ignore unsigned overflow to simplify code Change-Id: If4a67adac4d2e870fd719b58075d39efcd67c671 Signed-off-by: Frank Lichtenheld Acked-by: Antonio Quartulli Acked-by: Heiko Hund Acked-by: Gert Doering (cherry picked from commit c89a97e449baaf60924a362555d35184f188a646) --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to release/2.6. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/314 This mail reflects revision 1 of this Change. Acked-by according to Gerrit (reflected above): Antonio Quartulli Heiko Hund diff --git a/src/openvpn/buffer.c b/src/openvpn/buffer.c index d099795..7725438 100644 --- a/src/openvpn/buffer.c +++ b/src/openvpn/buffer.c @@ -316,10 +316,10 @@ { if (buf_forward_capacity(buf) <= 1) { -int len = (int) strlen(str) + 1; +size_t len = strlen(str) + 1; if (len < buf_forward_capacity_total(buf)) { -strncpynt((char *)(buf->data + buf->capacity - len), str, len); +memcpy(buf->data + buf->capacity - len, str, len); } } } ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
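The length check and the strncpy-to-memcpy point from this commit message (and its Gerrit copy earlier on the page), as an added C example that is not OpenVPN code: the buffer type, tbuf_forward_capacity() and tbuf_forward_capacity_total() are constructed stand-ins whose meanings are assumed, and tbuf_catrunc() carries the logic as the patch leaves it.

```c
#include <assert.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the buffer type (hypothetical, not OpenVPN's
 * struct buffer): data has `capacity` bytes, the used region is
 * data[offset .. offset+len), and at least one zero byte follows it. */
struct tbuf {
    unsigned char *data;
    int capacity;
    int offset;
    int len;
};

/* Free bytes after the used region; assumed to match what the page's
 * buf_forward_capacity() reports. */
static int tbuf_forward_capacity(const struct tbuf *b)
{
    return b->capacity - (b->offset + b->len);
}

/* Bytes from the start of the used region to the end of the buffer;
 * assumed meaning of buf_forward_capacity_total(). */
static int tbuf_forward_capacity_total(const struct tbuf *b)
{
    return b->capacity - b->offset;
}

/* The logic the patch settles on: once the buffer has no room to append,
 * overwrite its tail with str so the final byte is str's NUL terminator.
 * Returns 1 if str was written, 0 if nothing changed. */
static int tbuf_catrunc(struct tbuf *buf, const char *str)
{
    if (tbuf_forward_capacity(buf) > 1) {
        return 0;               /* room left; no truncation to mark */
    }
    /* strlen() bounds the copy exactly, so memcpy is the right call; strncpy
     * with the same bound added nothing but the stringop-overflow warning. */
    size_t len = strlen(str) + 1;
    int total = tbuf_forward_capacity_total(buf);
    assert(total >= 0);         /* offset never exceeds capacity here */
    /* Strict '<' keeps the copy strictly inside the used region. */
    if (len < (size_t)total) {
        memcpy(buf->data + buf->capacity - len, str, len);
        return 1;
    }
    return 0;
}

/* Run one scenario: a `capacity`-byte buffer whose used region holds 'A's,
 * then tbuf_catrunc() with `marker`. The resulting C string at data+offset is
 * copied to `out`; returns tbuf_catrunc()'s result, or -1 on bad parameters. */
int catrunc_scenario(int capacity, int offset, int len, const char *marker,
                     char *out, size_t out_size)
{
    unsigned char storage[64];
    if (capacity <= 0 || capacity > (int)sizeof(storage) || offset < 0
        || len < 0 || offset + len >= capacity || out_size < (size_t)capacity) {
        return -1;
    }
    memset(storage, 0, sizeof(storage));
    memset(storage + offset, 'A', (size_t)len);
    struct tbuf b = { storage, capacity, offset, len };
    int rc = tbuf_catrunc(&b, marker);
    snprintf(out, out_size, "%s", (const char *)(storage + offset));
    return rc;
}

/* 1 when the scenario returns want_rc and the buffer then reads `want`. */
int catrunc_check(int capacity, int offset, int len, const char *marker,
                  int want_rc, const char *want)
{
    char out[65] = "";
    int rc = catrunc_scenario(capacity, offset, len, marker, out, sizeof(out));
    return rc == want_rc && strcmp(out, want) == 0;
}

int main(void)
{
    char out[65];
    /* 16-byte buffer, 15 bytes used: capacity 1 -> marker overwrites the tail. */
    int rc = catrunc_scenario(16, 0, 15, "[...]", out, sizeof(out));
    printf("rc=%d buffer=\"%s\"\n", rc, out);   /* rc=1 buffer="AAAAAAAAAA[...]" */
    /* offset 2, 5 of 8 bytes used: the 6-byte marker would start at the
     * offset itself, which the strict '<' refuses. */
    rc = catrunc_scenario(8, 2, 5, "[...]", out, sizeof(out));
    printf("rc=%d buffer=\"%s\"\n", rc, out);   /* rc=0 buffer="AAAAA" */
    return 0;
}
```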
[Openvpn-devel] [PATCH] Make cert_data.h and test_cryptoapi/pkcs11.c MSVC compliant
From: Selva Nair - Do not use non-literal initializers for static objects - Replace empty initializer {} by {0} Change-Id: Ifb961a4df2b8b8300633192e1a268669f6f41a35 Signed-off-by: Selva Nair Acked-by: Heiko Hund Acked-by: Selva Nair Acked-by: Lev Stipakov Co-authored-by: Frank Lichtenheld Acked-by: Frank Lichtenheld --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to release/2.6. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/312 This mail reflects revision 1 of this Change. Acked-by according to Gerrit (reflected above): Heiko Hund Selva Nair Lev Stipakov diff --git a/tests/unit_tests/openvpn/cert_data.h b/tests/unit_tests/openvpn/cert_data.h index 33de35e..0886b07 100644 --- a/tests/unit_tests/openvpn/cert_data.h +++ b/tests/unit_tests/openvpn/cert_data.h @@ -79,7 +79,7 @@ "HeTsAlHjfFEReVDiNCI9vMQLKFKKWnAorT2+iyRueA3bt2gchf863BBhZvJddL7Q\n" "KBa0osXw+eGBRAwsm7m1qCho3b3fN2nFAa+k07ptRkOeablmFdXE81nVlA==\n" "-END CERTIFICATE-\n"; -static const char *const key2 = key1; +#define key2 key1 static const char *const hash2 = "FA18FD34BAABE47D6E2910E080F421C109CA97F5"; static const char *const cname2 = "ovpn-test-ec2"; @@ -159,8 +159,8 @@ "353PpJJ9s2b/Fqoc4d7udqhQogA7jqbayTKhJxbT134l2NzqDROzuS0kXbX8bXCi\n" "mXSa4c8=\n" "-END CERTIFICATE-\n"; -static const char *const key4 = key3; +#define key4 key3 static const char *const hash4 = "E1401D4497C944783E3D62CDBD2A1F69F5E5071E"; -static const char *const cname4 = cname3; /* same CN as that of cert3 */ +#define cname4 cname3 /* same CN as that of cert3 */ #endif /* CERT_DATA_H */ diff --git a/tests/unit_tests/openvpn/test_cryptoapi.c b/tests/unit_tests/openvpn/test_cryptoapi.c index e64a1de..0859b58 100644 --- a/tests/unit_tests/openvpn/test_cryptoapi.c +++ b/tests/unit_tests/openvpn/test_cryptoapi.c 
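Review bot: replacing `static const char *const key2 = key1;` with `#define key2 key1` does remove the non-constant static initializer that MSVC rejects, but the macros key2, key4 and cname4 are now visible to every translation unit that includes cert_data.h and carry no type; any later local or parameter with one of those names would be silently rewritten. Consider `#undef`-ing them at the end of the header, or resolving the aliases at runtime as test_cryptoapi.c now does for the certs table. Keeping the `/* same CN as that of cert3 */` comment on the cname4 line is good.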
@@ -104,17 +104,26 @@ const char *const friendly_name;/* identifies certs loaded to the store -- keep unique */ const char *hash; /* SHA1 fingerprint */ int valid; /* nonzero if certificate has not expired */ -} certs[] = { -{cert1, key1, cname1, "OVPN TEST CA1", "OVPN Test Cert 1", hash1, 1}, -{cert2, key2, cname2, "OVPN TEST CA2", "OVPN Test Cert 2", hash2, 1}, -{cert3, key3, cname3, "OVPN TEST CA1", "OVPN Test Cert 3", hash3, 1}, -{cert4, key4, cname4, "OVPN TEST CA2", "OVPN Test Cert 4", hash4, 0}, -{} -}; +} certs[5]; static bool certs_loaded; static HCERTSTORE user_store; +/* Fill-in certs[] array */ +void +init_cert_data() +{ +struct test_cert certs_local[] = { +{cert1, key1, cname1, "OVPN TEST CA1", "OVPN Test Cert 1", hash1, 1}, +{cert2, key2, cname2, "OVPN TEST CA2", "OVPN Test Cert 2", hash2, 1}, +{cert3, key3, cname3, "OVPN TEST CA1", "OVPN Test Cert 3", hash3, 1}, +{cert4, key4, cname4, "OVPN TEST CA2", "OVPN Test Cert 4", hash4, 0}, +{0} +}; +assert(sizeof(certs_local) == sizeof(certs)); +memcpy(certs, certs_local, sizeof(certs_local)); +} + /* Lookup a certificate in our certificate/key db */ static struct test_cert * lookup_cert(const char *friendly_name) @@ -136,6 +145,7 @@ { return; } +init_cert_data(); user_store = CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, 0, CERT_SYSTEM_STORE_CURRENT_USER |CERT_STORE_OPEN_EXISTING_FLAG, L"MY"); assert_non_null(user_store); ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
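Review bot: `void init_cert_data()` is an old-style declaration; since `()` does not declare a prototype in C and the function is used only in this file, write `static void init_cert_data(void)`. The fixed size in `certs[5]` must track the four entries plus the `{0}` terminator in certs_local by hand, and `assert(sizeof(certs_local) == sizeof(certs))` only catches a mismatch at runtime; either size certs[] from a shared count or add a comment saying where the 5 comes from. The `{}` to `{0}` change in the terminator is the portable form and is fine.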
[Openvpn-devel] [PATCH] vcpkg-ports/pkcs11-helper: Backport MinGW series from master to release/2.6
Contains the following commits: - Make compatible with mingw build (commit 17746e53f65249b42017256056c5415099df288d) - Convert CONTROL to vcpkg.json (commit a2160d3e42a1eff59aee3d984fd3354907f4379f) - reference upstream PRs in patches (commit 9577ffe92f033d8452cff0a3dbdfdc943655c5b8) - rename patches to make file names shorter (commit 0c25a5462e945f537d1836b47a5f147a2132875c) Change-Id: Ie61fed8758e44576939a8bb0a04bc95245a3ce18 Signed-off-by: Frank Lichtenheld Acked-by: Heiko Hund --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to release/2.6. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/311 This mail reflects revision 1 of this Change. Acked-by according to Gerrit (reflected above): Heiko Hund diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 4766efd..8a80c67 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -441,6 +441,7 @@ uses: lukka/run-vcpkg@v10 with: vcpkgGitCommitId: 'd10d511f25620ca0f315cd83dcef6485efc63010' + vcpkgJsonGlob: '**/openvpn/vcpkg.json' appendedCacheKey: '${{matrix.triplet}}' - name: Run MSBuild consuming vcpkg.json diff --git a/contrib/vcpkg-ports/pkcs11-helper/0001-nmake-compatibility-with-vcpkg-nmake.patch b/contrib/vcpkg-ports/pkcs11-helper/0001-nmake-compatibility-with-vcpkg-nmake.patch deleted file mode 100644 index add4709..000 --- a/contrib/vcpkg-ports/pkcs11-helper/0001-nmake-compatibility-with-vcpkg-nmake.patch +++ /dev/null 
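Review bot: the build.yaml hunk adding `vcpkgJsonGlob: '**/openvpn/vcpkg.json'` is not covered by any of the four commits listed in the message, all of which concern contrib/vcpkg-ports/pkcs11-helper. If the glob is needed so that lukka/run-vcpkg finds the manifest once CONTROL becomes vcpkg.json, say so in the commit message and state whether this is part of a backported commit or a release/2.6-only adjustment.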
@@ -1,38 +0,0 @@ -From 2d3a2c05383f653544b9c7194dd1349c6d5f3067 Mon Sep 17 00:00:00 2001 -From: Lev Stipakov -Date: Tue, 11 Jan 2022 13:24:51 +0200 -Subject: [PATCH] nmake: compatibility with vcpkg nmake - -Remove options which contradict or already set -by vcpkg nmake scripts. - -Signed-off-by: Lev Stipakov - lib/Makefile.w32-vc | 8 ++-- - 1 file changed, 2 insertions(+), 6 deletions(-) - -diff --git a/lib/Makefile.w32-vc b/lib/Makefile.w32-vc -index 96f1f89..be68a00 100644 a/lib/Makefile.w32-vc -+++ b/lib/Makefile.w32-vc -@@ -75,15 +75,11 @@ OPENSSL_LIBS=-LIBPATH:$(OPENSSL_LIB) user32.lib advapi32.lib $(OPENSSL_STATIC) - CFLAGS = -I../include $(OPENSSL_CFLAGS) -DWIN32 -DWIN32_LEAN_AND_MEAN -D_MBCS -D_CRT_SECURE_NO_DEPRECATE -D_WIN32_WINNT=0x0400 - CC=cl.exe - RC=rc.exe --CCPARAMS=/nologo /W3 /O2 /FD /c -- --CCPARAMS=$(CCPARAMS) /MD --CFLAGS=$(CFLAGS) -DNDEBUG -+CCPARAMS=/c - - LINK32=link.exe - LIB32=lib.exe --LINK32_FLAGS=/nologo /subsystem:windows /dll /incremental:no /release --LIB32_FLAGS=/nologo -+LINK32_FLAGS=/dll - - HEADERS = \ - config.h \ --- -2.23.0.windows.1 - diff --git a/contrib/vcpkg-ports/pkcs11-helper/0002-config-w32-vc.h.in-indicate-OpenSSL.patch b/contrib/vcpkg-ports/pkcs11-helper/0002-config-w32-vc.h.in-indicate-OpenSSL.patch deleted file mode 100644 index 212181a..000 --- a/contrib/vcpkg-ports/pkcs11-helper/0002-config-w32-vc.h.in-indicate-OpenSSL.patch +++ /dev/null 
@@ -1,33 +0,0 @@ -From c2293864de70fec322fe7e559055530ef56b9641 Mon Sep 17 00:00:00 2001 -From: Lev Stipakov -Date: Tue, 11 Jan 2022 13:35:42 +0200 -Subject: [PATCH] config-w32-vc.h.in: indicate OpenSSL EC support - -Signed-off-by: Lev Stipakov - config-w32-vc.h.in | 12 - 1 file changed, 12 insertions(+) - -diff --git a/config-w32-vc.h b/config-w32-vc.h -index 6d94841..db83825 100644 a/config-w32-vc.h -+++ b/config-w32-vc.h -@@ -218,3 +218,15 @@ - - /* Define to 1 if you have the `DSA_SIG_set0' function. */ - #define HAVE_DSA_SIG_SET0 1 -+ -+/* Define to 1 if you have the `ECDSA_SIG_set0' function. */ -+#define HAVE_ECDSA_SIG_SET0 1 -+ -+/* Define to 1 if you have the `EC_KEY_METHOD_get_sign' function. */ -+#define HAVE_EC_KEY_METHOD_GET_SIGN 1 -+ -+/* Define to 1 if you have the `EC_KEY_METHOD_set_sign' function. */ -+#define HAVE_EC_KEY_METHOD_SET_SIGN 1 -+ -+/* Define to 1 if OpenSSL has EC support. */ -+#define ENABLE_PKCS11H_OPENSSL_EC 1 --- -2.23.0.windows.1 - diff --git a/contrib/vcpkg-ports/pkcs11-helper/CONTROL b/contrib/vcpkg-ports/pkcs11-helper/CONTROL deleted file mode 100644 index 1ead697..000 --- a/contrib/vcpkg-ports/pkcs11-helper/CONTROL +++ /dev/null @@ -1,4 +0,0 @@ -Source: pkcs11-helper -Version: 1.29-1 -Homepage: https://github.com/OpenSC/pkcs11-helper -Description: pkcs11-helper is a library that simplifies the interaction with PKCS#11 providers for end-user applications. diff --git a/contrib/vcpkg-ports/pkcs11-helper/Fix-build-with-disable-shared.patch b/contrib/vcpkg-ports/pkcs11-helper/Fix-build-with-disable-shared.patch new file mode 100644 index 000..16fa704 --- /dev/null +++ b/contrib/vcpkg-ports/pkcs11-helper/Fix-build-with-disable-shared.patch @@ -0,0 +1,48 @@ +From 7171396a151a2edb3474c7a321b7ae4ff7e171fc Mon Sep 17 00:00:00 2001 +From: Frank Lichtenheld +Date: Wed, 29 Mar 2023 12:44:44 +0200 +Subject: [PATCH] Allow the build to succeed if configured with + --dis
[Openvpn-devel] [NoOp] Change in openvpn[master]: Improve description of compat-mode
flichtenheld has abandoned this change. ( http://gerrit.openvpn.net/c/openvpn/+/34?usp=email )

Change subject: Improve description of compat-mode
..

Abandoned

merged with wrong Change-Id

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I3bd27a8d34d8cb4896a3b78508b7d16911571543
Gerrit-Change-Number: 34
Gerrit-PatchSet: 4
Gerrit-Owner: plaisthos
Gerrit-Reviewer: flichtenheld
Gerrit-CC: openvpn-devel
Gerrit-MessageType: abandon
Re: [Openvpn-devel] [PATCH] Improve description of compat-mode
Hi,

On Fri, Sep 22, 2023 at 03:48:00PM +0200, Frank Lichtenheld wrote:
> From: Arne Schwabe
>
> Explicitly say that the version specified is the one of the peer and not
> the version we try to emulate.

This has been merged ages ago ;-)

commit daf66f4013d8facc085ea6cfaaf8a42f4d45a461
Author: Arne Schwabe
Date: Mon Mar 20 17:55:38 2023 +0100

Improve description of compat-mode

Explicitly say that the version specified is the one of the peer and not the version we try to emulate.

gert

--
"If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de
[Openvpn-devel] [PATCH] Improve description of compat-mode
From: Arne Schwabe Explicitly say that the version specified is the one of the peer and not the version we try to emulate. Change-Id: I3bd27a8d34d8cb4896a3b78508b7d16911571543 Acked-by: Frank Lichtenheld Signed-off-by: Arne Schwabe --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/34 This mail reflects revision 3 of this Change. Acked-by according to Gerrit (reflected above): Frank Lichtenheld diff --git a/doc/man-sections/generic-options.rst b/doc/man-sections/generic-options.rst index c827651..97e1b5a 100644 --- a/doc/man-sections/generic-options.rst +++ b/doc/man-sections/generic-options.rst @@ -53,10 +53,17 @@ need for /dev/urandom to be available. --compat-mode version - This option provides a way to alter the default of OpenVPN to be more - compatible with the version ``version`` specified. All of the changes - this option does can also be achieved using individual configuration - options. + This option provides a convenient way to alter the defaults of OpenVPN + to be more compatible with the version ``version`` specified. All of + the changes this option applies can also be achieved using individual + configuration options. + + The version specified with this option is the version of OpenVPN peer + OpenVPN should try to be compatible with. In general OpenVPN should be + compatible with the last two previous version without this option. E.g. + OpenVPN 2.6.0 should be compatible with 2.5.x and 2.4.x without this option. + However, there might be some edge cases that still require this option even + in these cases. Note: Using this option reverts defaults to no longer recommended values and should be avoided if possible. 
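Review bot: in the added paragraph, "the version of OpenVPN peer OpenVPN should try to be compatible with" is hard to parse; suggest "the version of the OpenVPN peer that this OpenVPN should try to be compatible with". "the last two previous version" should read "versions", and "there might be some edge cases that still require this option even in these cases" repeats "cases"; "there might be edge cases that still require this option" is enough.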
@@ -67,12 +74,15 @@ - 2.5.x or lower: ``--allow-compression asym`` is automatically added to the configuration if no other compression options are present. - 2.4.x or lower: The cipher in ``--cipher`` is appended to -``--data-ciphers`` +``--data-ciphers``. - 2.3.x or lower: ``--data-cipher-fallback`` is automatically added with -the same cipher as ``--cipher`` +the same cipher as ``--cipher``. - 2.3.6 or lower: ``--tls-version-min 1.0`` is added to the configuration when ``--tls-version-min`` is not explicitly set. + If not required, this is option should be avoided. Setting this option can + lower security or disable features like data-channel offloading. + --config file Load additional config options from ``file`` where each line corresponds to one command line option, but with the leading :code:`--` removed. ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
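Review bot: the added sentence "If not required, this is option should be avoided." has a typo ("this is option") and restates the existing "Note: Using this option reverts defaults to no longer recommended values and should be avoided if possible." a few lines earlier; fold the data-channel offloading remark into that Note instead of giving the same advice twice. The trailing periods added to the 2.4.x and 2.3.x list items are fine.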
[Openvpn-devel] [M] Change in openvpn[master]: dns option: remove support for exclude-domains
cron2 has uploaded a new patch set (#7) to the change originally created by d12fk. ( http://gerrit.openvpn.net/c/openvpn/+/39?usp=email ) The following approvals got outdated and were removed: Code-Review+2 by stipa Change subject: dns option: remove support for exclude-domains .. dns option: remove support for exclude-domains No DNS resolver currently supports this and it is not possible to emulate the behavior without the chance of errors. Finding the effective default system DNS server(s) to specify the exclude DNS routes is not trivial and cannot be verified to be correct without resolver internal knowledge. So, it is better to not support this instead of supporting it, but incorrectly. Change-Id: I7f422add22f3f01e9f47985065782dd67bca46eb Signed-off-by: Heiko Hund Acked-by: Lev Stipakov Message-Id: <20230922104334.37619-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27008.html Signed-off-by: Gert Doering --- M doc/man-sections/client-options.rst M doc/man-sections/script-options.rst M src/openvpn/dns.c M src/openvpn/dns.h M src/openvpn/options.c 5 files changed, 7 insertions(+), 45 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/39/39/7 diff --git a/doc/man-sections/client-options.rst b/doc/man-sections/client-options.rst index fe9ffa6..3616ed7 100644 --- a/doc/man-sections/client-options.rst +++ b/doc/man-sections/client-options.rst @@ -169,7 +169,7 @@ dns search-domains domain [domain ...] dns server n address addr[:port] [addr[:port] ...] - dns server n resolve-domains|exclude-domains domain [domain ...] + dns server n resolve-domains domain [domain ...] dns server n dnssec yes|optional|no dns server n transport DoH|DoT|plain dns server n sni server-name 
@@ -191,14 +191,10 @@ Optionally a port can be appended after a colon. IPv6 addresses need to be enclosed in brackets if a port is appended. - The ``resolve-domains`` and ``exclude-domains`` options take one or - more DNS domains which are explicitly resolved or explicitly not resolved - by a server. Only one of the options can be configured for a server. - ``resolve-domains`` is used to define a split-dns setup, where only - given domains are resolved by a server. ``exclude-domains`` is used to - define domains which will never be resolved by a server (e.g. domains - which can only be resolved locally). Systems which do not support fine - grained DNS domain configuration, will ignore these settings. + The ``resolve-domains`` option takes one or more DNS domains used to define + a split-dns or dns-routing setup, where only the given domains are resolved + by the server. Systems which do not support fine grained DNS domain + configuration will ignore this setting. The ``dnssec`` option is used to configure validation of DNSSEC records. While the exact semantics may differ for resolvers on different systems, diff --git a/doc/man-sections/script-options.rst b/doc/man-sections/script-options.rst index d73231e..8c0be0c 100644 --- a/doc/man-sections/script-options.rst +++ b/doc/man-sections/script-options.rst @@ -663,7 +663,6 @@ dns_server_{n}_address_{m} dns_server_{n}_port_{m} dns_server_{n}_resolve_domain_{m} - dns_server_{n}_exclude_domain_{m} dns_server_{n}_dnssec dns_server_{n}_transport dns_server_{n}_sni diff --git a/src/openvpn/dns.c b/src/openvpn/dns.c index 530e6d5..e073d0e 100644 --- a/src/openvpn/dns.c +++ b/src/openvpn/dns.c 
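Review bot: the rewritten paragraph says "split-dns or dns-routing setup" while the rest of the section writes DNS in capitals; "split-DNS or DNS-routing" would be consistent. With `exclude-domains` gone from the syntax block, the `dns_server_{n}_exclude_domain_{m}` removal covers the script-options variable list, but any prose in either file that still speaks of excluded domains should be checked as well.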
@@ -400,11 +400,9 @@ if (s->domains) { -const char *format = s->domain_type == DNS_RESOLVE_DOMAINS ? - "dns_server_%d_resolve_domain_%d" : "dns_server_%d_exclude_domain_%d"; for (j = 1, d = s->domains; d != NULL; j++, d = d->next) { -setenv_dns_option(es, format, i, j, d->name); +setenv_dns_option(es, "dns_server_%d_resolve_domain_%d", i, j, d->name); } } @@ -482,14 +480,7 @@ struct dns_domain *domain = server->domains; if (domain) { -if (server->domain_type == DNS_RESOLVE_DOMAINS) -{ -msg(D_SHOW_PARMS, "resolve domains:"); -} -else -{ -msg(D_SHOW_PARMS, "exclude domains:"); -} +msg(D_SHOW_PARMS, "resolve domains:"); while (domain) { msg(D_SHOW_PARMS, " %s", domain->name); diff --git a/src/openvpn/dns.h b/src/openvpn/dns.h index 162dec1..e497857 100644 --- a/src/openvpn/dns.h +++ b/src/openvpn/dns.h @@ -27,12 +27,6 @@ #include "buffer.h" #include "env_set.h" -enum dns_domain_type { -DNS_DOMAINS_UNSET, -DNS_RESOLVE_DOMAINS, -DNS_EXCLUDE_DOMAINS -}; - enum dns_security { DNS_SECURITY
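Review bot: removing `enum dns_domain_type` from dns.h means every reader of `domain_type` must go too; the two dns.c sites are shown, but src/openvpn/options.c is listed as modified without its hunk appearing in this mail, so the parsing side that used to set DNS_EXCLUDE_DOMAINS should be confirmed to reject `exclude-domains` with a clear error rather than silently treating it as `resolve-domains`. Folding the format string directly into `setenv_dns_option(es, "dns_server_%d_resolve_domain_%d", i, j, d->name)` and dropping the `format` temporary is a clean simplification.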
[Openvpn-devel] [M] Change in openvpn[master]: dns option: remove support for exclude-domains
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/39?usp=email ) Change subject: dns option: remove support for exclude-domains .. dns option: remove support for exclude-domains No DNS resolver currently supports this and it is not possible to emulate the behavior without the chance of errors. Finding the effective default system DNS server(s) to specify the exclude DNS routes is not trivial and cannot be verified to be correct without resolver internal knowledge. So, it is better to not support this instead of supporting it, but incorrectly. Change-Id: I7f422add22f3f01e9f47985065782dd67bca46eb Signed-off-by: Heiko Hund Acked-by: Lev Stipakov Message-Id: <20230922104334.37619-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27008.html Signed-off-by: Gert Doering --- M doc/man-sections/client-options.rst M doc/man-sections/script-options.rst M src/openvpn/dns.c M src/openvpn/dns.h M src/openvpn/options.c 5 files changed, 7 insertions(+), 45 deletions(-) diff --git a/doc/man-sections/client-options.rst b/doc/man-sections/client-options.rst index fe9ffa6..3616ed7 100644 --- a/doc/man-sections/client-options.rst +++ b/doc/man-sections/client-options.rst @@ -169,7 +169,7 @@ dns search-domains domain [domain ...] dns server n address addr[:port] [addr[:port] ...] - dns server n resolve-domains|exclude-domains domain [domain ...] + dns server n resolve-domains domain [domain ...] dns server n dnssec yes|optional|no dns server n transport DoH|DoT|plain dns server n sni server-name 
@@ -191,14 +191,10 @@ Optionally a port can be appended after a colon. IPv6 addresses need to be enclosed in brackets if a port is appended. - The ``resolve-domains`` and ``exclude-domains`` options take one or - more DNS domains which are explicitly resolved or explicitly not resolved - by a server. Only one of the options can be configured for a server. - ``resolve-domains`` is used to define a split-dns setup, where only - given domains are resolved by a server. ``exclude-domains`` is used to - define domains which will never be resolved by a server (e.g. domains - which can only be resolved locally). Systems which do not support fine - grained DNS domain configuration, will ignore these settings. + The ``resolve-domains`` option takes one or more DNS domains used to define + a split-dns or dns-routing setup, where only the given domains are resolved + by the server. Systems which do not support fine grained DNS domain + configuration will ignore this setting. The ``dnssec`` option is used to configure validation of DNSSEC records. While the exact semantics may differ for resolvers on different systems, diff --git a/doc/man-sections/script-options.rst b/doc/man-sections/script-options.rst index d73231e..8c0be0c 100644 --- a/doc/man-sections/script-options.rst +++ b/doc/man-sections/script-options.rst @@ -663,7 +663,6 @@ dns_server_{n}_address_{m} dns_server_{n}_port_{m} dns_server_{n}_resolve_domain_{m} - dns_server_{n}_exclude_domain_{m} dns_server_{n}_dnssec dns_server_{n}_transport dns_server_{n}_sni diff --git a/src/openvpn/dns.c b/src/openvpn/dns.c index 530e6d5..e073d0e 100644 --- a/src/openvpn/dns.c +++ b/src/openvpn/dns.c 
@@ -400,11 +400,9 @@ if (s->domains) { -const char *format = s->domain_type == DNS_RESOLVE_DOMAINS ? - "dns_server_%d_resolve_domain_%d" : "dns_server_%d_exclude_domain_%d"; for (j = 1, d = s->domains; d != NULL; j++, d = d->next) { -setenv_dns_option(es, format, i, j, d->name); +setenv_dns_option(es, "dns_server_%d_resolve_domain_%d", i, j, d->name); } } @@ -482,14 +480,7 @@ struct dns_domain *domain = server->domains; if (domain) { -if (server->domain_type == DNS_RESOLVE_DOMAINS) -{ -msg(D_SHOW_PARMS, "resolve domains:"); -} -else -{ -msg(D_SHOW_PARMS, "exclude domains:"); -} +msg(D_SHOW_PARMS, "resolve domains:"); while (domain) { msg(D_SHOW_PARMS, " %s", domain->name); diff --git a/src/openvpn/dns.h b/src/openvpn/dns.h index 162dec1..e497857 100644 --- a/src/openvpn/dns.h +++ b/src/openvpn/dns.h @@ -27,12 +27,6 @@ #include "buffer.h" #include "env_set.h" -enum dns_domain_type { -DNS_DOMAINS_UNSET, -DNS_RESOLVE_DOMAINS, -DNS_EXCLUDE_DOMAINS -}; - enum dns_security { DNS_SECURITY_UNSET, DNS_SECURITY_NO, @@ -68,7 +62,6 @@ size_t addr_count; struct dns_server_addr addr[8]; struct dns_domain *domains; -enum dns_domain_type domain_type; enum dns_secur
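Review bot: Passing the literal "dns_server_%d_resolve_domain_%d" straight to setenv_dns_option() in the dns.c @@ -400 hunk is an improvement over the old `format` variable, not just a simplification: the format string reaching a printf-style helper is now a compile-time constant, so -Wformat-nonliteral style warnings and any doubt about a non-literal format go away. Nothing to change in that hunk.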
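Review bot: The dns.h hunk that deletes `enum dns_domain_type` (including `DNS_DOMAINS_UNSET`) and the `domain_type` member removes the field the old man page rule "Only one of the options can be configured for a server" was enforced through. The options.c change is in the diffstat but not shown here; please confirm the parser still defines what happens when `resolve-domains` appears twice for the same server (reject it as a duplicate, or state that the lists are merged), and that the rewritten client-options.rst paragraph says which, since the sentence about "only one of the options" was dropped rather than replaced.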
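Review bot: Dropping `dns_server_{n}_exclude_domain_{m}` from script-options.rst is a visible interface change for scripts that consume the environment: a script written against the documented variable will now silently never see it. Since the commit message says no resolver ever implemented exclude-domains, this is harmless in practice, but a one-line Changes.rst entry naming the removed variable and the removed `exclude-domains` keyword would save operators a search when their config or script stops parsing.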
[Openvpn-devel] [PATCH applied] Re: dns option: remove support for exclude-domains
Change makes sense, and doesn't break any of the GH tests :-)

I have applied this to 2.6 as well, as it doesn't really make sense to keep these options, pretending "an implementation might come" when we already know they are going away.

Something strange has happened to the mailing list archive - it pretends that *this* patch e-mail just never arrived there, while the original patch is there - so I've pointed "URL:" there.

Your patch has been applied to the master and release/2.6 branch.

commit b7eea48708ee73a5999f98626fb8d31d8f88ea6f (master)
commit b033683bf982200471e53b18600e3a2f541ab3f2 (release/2.6)
Author: Heiko Hund
Date: Fri Sep 22 12:43:34 2023 +0200

dns option: remove support for exclude-domains

Signed-off-by: Heiko Hund
Acked-by: Lev Stipakov
Message-Id: <20230922104334.37619-1-fr...@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27008.html
Signed-off-by: Gert Doering

--
kind regards,

Gert Doering

___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: Remove --no-replay option
Given that people are supposed to use AEAD ciphers, and this was incompatible all along, time to rip it out. Yes, someone will complain, but there is no way around that.

Subjected to my torture chamber, for good measure :-)

Your patch has been applied to the master branch.

commit 6d76218dd68dfa930d98f1cc7dcdc59c3bfbf5ce (master)
Author: Frank Lichtenheld
Date: Fri Sep 22 12:38:30 2023 +0200

Remove --no-replay option

Signed-off-by: Frank Lichtenheld
Acked-by: Heiko Hund
Message-Id: <20230922103830.37151-1-fr...@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27059.html
Signed-off-by: Gert Doering

--
kind regards,

Gert Doering
[Openvpn-devel] [M] Change in openvpn[master]: Remove --no-replay option
flichtenheld has uploaded this change for review. ( http://gerrit.openvpn.net/c/openvpn/+/281?usp=email )

Change subject: Remove --no-replay option

Remove --no-replay option

Officially deprecated since v2.4. We have warned about using this forever. It is time to pull the plug.

Change-Id: I58706019add6d348483ba222dd74e1466ff6c709
Signed-off-by: Frank Lichtenheld
Acked-by: Heiko Hund
Message-Id: <20230922103830.37151-1-fr...@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27059.html
Signed-off-by: Gert Doering
---
M doc/man-sections/link-options.rst
M doc/man-sections/server-options.rst
M doc/man-sections/unsupported-options.rst
M src/openvpn/crypto.c
M src/openvpn/crypto.h
M src/openvpn/init.c
M src/openvpn/mtu.c
M src/openvpn/options.c
M src/openvpn/options.h
M src/openvpn/ssl.c
M src/openvpn/ssl_common.h
M tests/unit_tests/openvpn/test_crypto.c
12 files changed, 22 insertions(+), 90 deletions(-)

git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/81/281/4

diff --git a/doc/man-sections/link-options.rst b/doc/man-sections/link-options.rst index 14e76b4..675fee4 100644 --- a/doc/man-sections/link-options.rst +++ b/doc/man-sections/link-options.rst @@ -366,8 +366,7 @@ order they were received to the TCP/IP protocol stack, provided they satisfy several constraints. - (a) The packet cannot be a replay (unless ``--no-replay`` is -specified, which disables replay protection altogether). + (a) The packet cannot be a replay. (b) If a packet arrives out of order, it will only be accepted if the difference between its sequence number and the highest sequence diff --git a/doc/man-sections/server-options.rst b/doc/man-sections/server-options.rst index 6b9ad21..80dc77d 100644 --- a/doc/man-sections/server-options.rst +++ b/doc/man-sections/server-options.rst 
@@ -406,7 +406,7 @@ Options that will be compared for compatibility include ``dev-type``, ``link-mtu``, ``tun-mtu``, ``proto``, ``ifconfig``, ``comp-lzo``, ``fragment``, ``keydir``, ``cipher``, - ``auth``, ``keysize``, ``secret``, ``no-replay``, + ``auth``, ``keysize``, ``secret``, ``tls-auth``, ``key-method``, ``tls-server`` and ``tls-client``. diff --git a/doc/man-sections/unsupported-options.rst b/doc/man-sections/unsupported-options.rst index 5c4e3a0..a0c1232 100644 --- a/doc/man-sections/unsupported-options.rst +++ b/doc/man-sections/unsupported-options.rst @@ -30,8 +30,9 @@ VPN tunnel security. This has been a NOOP option since OpenVPN 2.4. --no-replay - Removed in OpenVPN 2.5. This option should not be used as it weakens the - VPN tunnel security. + Removed in OpenVPN 2.7. This option should not be used as it weakens the + VPN tunnel security. Previously we claimed to have removed this in + OpenVPN 2.5, but this wasn't actually the case. --ns-cert-type Removed in OpenVPN 2.5. The ``nsCertType`` field is no longer supported diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index a77b5a1..e4452d7 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c @@ -328,7 +328,7 @@ if (!(opt->flags & CO_MUTE_REPLAY_WARNINGS)) { msg(D_REPLAY_ERRORS, "%s: bad packet ID (may be a replay): %s -- " -"see the man page entry for --no-replay and --replay-window for " +"see the man page entry for --replay-window for " "more info or silence this warning with --mute-replay-warnings", error_prefix, packet_id_net_print(pin, true, gc)); } @@ -942,18 +942,6 @@ return true; } -void -check_replay_consistency(const struct key_type *kt, bool packet_id) -{ -ASSERT(kt); - -if (!packet_id && (cipher_kt_mode_ofb_cfb(kt->cipher) - || cipher_kt_mode_aead(kt->cipher))) -{ -msg(M_FATAL, "--no-replay cannot be used with a CFB, OFB or AEAD mode cipher"); -} -} - /* * Generate a random key. */ diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h index 88f8f44..c5fd253 100644 
--- a/src/openvpn/crypto.h +++ b/src/openvpn/crypto.h @@ -40,7 +40,7 @@ *HMAC at all. * - \b Ciphertext \b IV. The IV size depends on the \c \-\-cipher option. * - \b Packet \b ID, a 32-bit incrementing packet counter that provides replay - *protection (if not disabled by \c \-\-no-replay). + *protection. * - \b Timestamp, a 32-bit timestamp of the current time. * - \b Payload, the plain text network packet to be encrypted (unless *encryption is disabled by using \c \-\-cipher \c none). The payload might @@ -304,8 +304,6 @@ */ int write_key_file(const int nkeys, const char *filename); -void check_replay_consistency(const struct key_type *kt, bool packet_id); - bool check_key(struct key *key, const struct key_type *kt); bool write_key(const struct key *key, const struct key_type *kt, @@ -445,7 +443,7 @
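Review bot: The unsupported-options.rst hunk ("Removed in OpenVPN 2.7 ... Previously we claimed to have removed this in OpenVPN 2.5, but this wasn't actually the case") fixes the documentation, but the practical consequence belongs in the changelog too: a 2.5/2.6 configuration that still carries `--no-replay` was accepted by the old binary and will now be treated as an unknown option by whatever the options.c hunk (not shown here) does. Suggest a Changes.rst entry for 2.7 stating that `--no-replay` must be dropped from configs and that replay protection is now unconditional, so operators see it before an upgrade rather than in a startup failure.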
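Review bot: Removing check_replay_consistency() in the crypto.c @@ -942 hunk is only safe if nothing can still build a key_type with packet IDs disabled; per its own removed message, the function was the last guard refusing "a CFB, OFB or AEAD mode cipher" without a packet counter. The callers in init.c/ssl.c and the option field in options.h/ssl_common.h are in the diffstat but not visible here; please confirm the `replay`/`packet_id` flag is removed outright rather than left defaulting to true, so a future code path cannot reintroduce the unchecked combination. The crypto.h hunk dropping the prototype matches the removal.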
[Openvpn-devel] [M] Change in openvpn[master]: Remove --no-replay option
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/281?usp=email )

Change subject: Remove --no-replay option

Remove --no-replay option

Officially deprecated since v2.4. We have warned about using this forever. It is time to pull the plug.

Change-Id: I58706019add6d348483ba222dd74e1466ff6c709
Signed-off-by: Frank Lichtenheld
Acked-by: Heiko Hund
Message-Id: <20230922103830.37151-1-fr...@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27059.html
Signed-off-by: Gert Doering
---
M doc/man-sections/link-options.rst
M doc/man-sections/server-options.rst
M doc/man-sections/unsupported-options.rst
M src/openvpn/crypto.c
M src/openvpn/crypto.h
M src/openvpn/init.c
M src/openvpn/mtu.c
M src/openvpn/options.c
M src/openvpn/options.h
M src/openvpn/ssl.c
M src/openvpn/ssl_common.h
M tests/unit_tests/openvpn/test_crypto.c
12 files changed, 22 insertions(+), 90 deletions(-)

diff --git a/doc/man-sections/link-options.rst b/doc/man-sections/link-options.rst index 14e76b4..675fee4 100644 --- a/doc/man-sections/link-options.rst +++ b/doc/man-sections/link-options.rst @@ -366,8 +366,7 @@ order they were received to the TCP/IP protocol stack, provided they satisfy several constraints. - (a) The packet cannot be a replay (unless ``--no-replay`` is -specified, which disables replay protection altogether). + (a) The packet cannot be a replay. (b) If a packet arrives out of order, it will only be accepted if the difference between its sequence number and the highest sequence diff --git a/doc/man-sections/server-options.rst b/doc/man-sections/server-options.rst index 6b9ad21..80dc77d 100644 --- a/doc/man-sections/server-options.rst +++ b/doc/man-sections/server-options.rst 
@@ -406,7 +406,7 @@ Options that will be compared for compatibility include ``dev-type``, ``link-mtu``, ``tun-mtu``, ``proto``, ``ifconfig``, ``comp-lzo``, ``fragment``, ``keydir``, ``cipher``, - ``auth``, ``keysize``, ``secret``, ``no-replay``, + ``auth``, ``keysize``, ``secret``, ``tls-auth``, ``key-method``, ``tls-server`` and ``tls-client``. diff --git a/doc/man-sections/unsupported-options.rst b/doc/man-sections/unsupported-options.rst index 5c4e3a0..a0c1232 100644 --- a/doc/man-sections/unsupported-options.rst +++ b/doc/man-sections/unsupported-options.rst @@ -30,8 +30,9 @@ VPN tunnel security. This has been a NOOP option since OpenVPN 2.4. --no-replay - Removed in OpenVPN 2.5. This option should not be used as it weakens the - VPN tunnel security. + Removed in OpenVPN 2.7. This option should not be used as it weakens the + VPN tunnel security. Previously we claimed to have removed this in + OpenVPN 2.5, but this wasn't actually the case. --ns-cert-type Removed in OpenVPN 2.5. The ``nsCertType`` field is no longer supported diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index a77b5a1..e4452d7 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c @@ -328,7 +328,7 @@ if (!(opt->flags & CO_MUTE_REPLAY_WARNINGS)) { msg(D_REPLAY_ERRORS, "%s: bad packet ID (may be a replay): %s -- " -"see the man page entry for --no-replay and --replay-window for " +"see the man page entry for --replay-window for " "more info or silence this warning with --mute-replay-warnings", error_prefix, packet_id_net_print(pin, true, gc)); } @@ -942,18 +942,6 @@ return true; } -void -check_replay_consistency(const struct key_type *kt, bool packet_id) -{ -ASSERT(kt); - -if (!packet_id && (cipher_kt_mode_ofb_cfb(kt->cipher) - || cipher_kt_mode_aead(kt->cipher))) -{ -msg(M_FATAL, "--no-replay cannot be used with a CFB, OFB or AEAD mode cipher"); -} -} - /* * Generate a random key. */ diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h index 88f8f44..c5fd253 100644 
--- a/src/openvpn/crypto.h +++ b/src/openvpn/crypto.h @@ -40,7 +40,7 @@ *HMAC at all. * - \b Ciphertext \b IV. The IV size depends on the \c \-\-cipher option. * - \b Packet \b ID, a 32-bit incrementing packet counter that provides replay - *protection (if not disabled by \c \-\-no-replay). + *protection. * - \b Timestamp, a 32-bit timestamp of the current time. * - \b Payload, the plain text network packet to be encrypted (unless *encryption is disabled by using \c \-\-cipher \c none). The payload might @@ -304,8 +304,6 @@ */ int write_key_file(const int nkeys, const char *filename); -void check_replay_consistency(const struct key_type *kt, bool packet_id); - bool check_key(struct key *key, const struct key_type *kt); bool write_key(const struct key *key, const struct key_type *kt, @@ -445,7 +443,7 @@ * this and add it themselves. * * @param ktStruct with the crypto algo
[Openvpn-devel] [PATCH applied] Re: CMake: fix HAVE_DAEMON detection on Linux
As discussed on IRC - the previous "cmake related" patch related to "compat-daemon.c" was triggered by cmake not finding daemon() on Linux, and this is fixing it.

Your patch has been applied to the master branch.

commit e363b393f2d1b72590666554e17d928c1603f8d5 (master)
Author: Lev Stipakov
Date: Fri Sep 22 12:39:00 2023 +0200

CMake: fix HAVE_DAEMON detection on Linux

Signed-off-by: Lev Stipakov
Acked-by: Gert Doering
Message-Id: <20230922103900.37205-1-fr...@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27058.html
Signed-off-by: Gert Doering

--
kind regards,

Gert Doering
[Openvpn-devel] [XS] Change in openvpn[master]: CMake: fix HAVE_DAEMON detection on Linux
cron2 has uploaded a new patch set (#2) to the change originally created by stipa. ( http://gerrit.openvpn.net/c/openvpn/+/362?usp=email )

The following approvals got outdated and were removed: Code-Review+2 by cron2

Change subject: CMake: fix HAVE_DAEMON detection on Linux

CMake: fix HAVE_DAEMON detection on Linux

On Linux, daemon() is defined in unistd.h, not in stdlib.h like in MacOS or FreeBSD.

Change-Id: I30f4ea502a36eca155cbc79b89c0d18ee3419877
Signed-off-by: Lev Stipakov
Acked-by: Gert Doering
Message-Id: <20230922103900.37205-1-fr...@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27058.html
Signed-off-by: Gert Doering
---
M CMakeLists.txt
1 file changed, 1 insertion(+), 1 deletion(-)

git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/62/362/2

diff --git a/CMakeLists.txt b/CMakeLists.txt index 454ef62..376a060 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -158,7 +158,7 @@ check_symbol_exists(gettimeofday sys/time.h HAVE_GETTIMEOFDAY) check_symbol_exists(basename libgen.h HAVE_BASENAME) check_symbol_exists(chsize io.h HAVE_CHSIZE) -check_symbol_exists(daemon stdlib.h HAVE_DAEMON) +check_symbol_exists(daemon "unistd.h;stdlib.h" HAVE_DAEMON) check_symbol_exists(dirname libgen.h HAVE_DIRNAME) check_symbol_exists(getrlimit sys/resource.h HAVE_GETRLIMIT) check_symbol_exists(mlockall sys/mman.h HAVE_MLOCKALL)

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/362?usp=email
To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I30f4ea502a36eca155cbc79b89c0d18ee3419877
Gerrit-Change-Number: 362
Gerrit-PatchSet: 2
Gerrit-Owner: stipa
Gerrit-Reviewer: cron2
Gerrit-Reviewer: flichtenheld
Gerrit-CC: openvpn-devel
Gerrit-MessageType: newpatchset
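Review bot: Listing "unistd.h;stdlib.h" fixes which header is probed, but check_symbol_exists() only finds the declaration if the probe compiles with the same feature-test macros as the real build: on glibc, unistd.h declares daemon() only under _DEFAULT_SOURCE/_BSD_SOURCE (i.e. not with a strict -std=c99/-std=c11 unless _GNU_SOURCE or _DEFAULT_SOURCE is defined). If the project passes such flags, CMAKE_REQUIRED_DEFINITIONS should carry the matching -D before this check, otherwise HAVE_DAEMON can still come out false for a reason unrelated to the header list, and the compat-daemon.c fallback would be built on a system that has a native daemon().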
[Openvpn-devel] [XS] Change in openvpn[master]: CMake: fix HAVE_DAEMON detection on Linux
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/362?usp=email )

Change subject: CMake: fix HAVE_DAEMON detection on Linux

CMake: fix HAVE_DAEMON detection on Linux

On Linux, daemon() is defined in unistd.h, not in stdlib.h like in MacOS or FreeBSD.

Change-Id: I30f4ea502a36eca155cbc79b89c0d18ee3419877
Signed-off-by: Lev Stipakov
Acked-by: Gert Doering
Message-Id: <20230922103900.37205-1-fr...@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27058.html
Signed-off-by: Gert Doering
---
M CMakeLists.txt
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CMakeLists.txt b/CMakeLists.txt index 454ef62..376a060 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -158,7 +158,7 @@ check_symbol_exists(gettimeofday sys/time.h HAVE_GETTIMEOFDAY) check_symbol_exists(basename libgen.h HAVE_BASENAME) check_symbol_exists(chsize io.h HAVE_CHSIZE) -check_symbol_exists(daemon stdlib.h HAVE_DAEMON) +check_symbol_exists(daemon "unistd.h;stdlib.h" HAVE_DAEMON) check_symbol_exists(dirname libgen.h HAVE_DIRNAME) check_symbol_exists(getrlimit sys/resource.h HAVE_GETRLIMIT) check_symbol_exists(mlockall sys/mman.h HAVE_MLOCKALL)

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I30f4ea502a36eca155cbc79b89c0d18ee3419877
Gerrit-Change-Number: 362
Gerrit-PatchSet: 2
Gerrit-Owner: stipa
Gerrit-Reviewer: cron2
Gerrit-Reviewer: flichtenheld
Gerrit-CC: openvpn-devel
Gerrit-MessageType: merged
[Openvpn-devel] [S] Change in openvpn[master]: GHA: do not trigger builds in openvpn-build anymore
cron2 has uploaded a new patch set (#2) to the change originally created by flichtenheld. ( http://gerrit.openvpn.net/c/openvpn/+/328?usp=email )

The following approvals got outdated and were removed: Code-Review+2 by stipa

Change subject: GHA: do not trigger builds in openvpn-build anymore

GHA: do not trigger builds in openvpn-build anymore

We do this via explicit PRs now, generated by renovate. This allows much better control over what state of the code gets built.

Change-Id: I8b00d7d79a26ad4aaae529cb496e125398169b50
Signed-off-by: Frank Lichtenheld
Acked-by: Lev Stipakov
Message-Id: <20230922103936.37230-1-fr...@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27060.html
Signed-off-by: Gert Doering
---
M .github/workflows/build.yaml
1 file changed, 0 insertions(+), 13 deletions(-)

git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/28/328/2

diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 1b75a1a..58fbc29 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml 
@@ -290,19 +290,6 @@ !${{ github.workspace }}/out/**/CMakeFiles/** !${{ github.workspace }}/out/**/vcpkg_installed/** - trigger_openvpn_build: -runs-on: windows-latest -needs: [checkuncrustify, mingw, ubuntu, ubuntu-clang-asan, macos, msvc] -if: ${{ github.event_name != 'pull_request' && github.repository == 'openvpn/openvpn' && github.ref == 'refs/heads/master' }} - -steps: -- name: Repository Dispatch - uses: peter-evans/repository-dispatch@v2 - with: -token: ${{ secrets.OPENVPN_BUILD_REPO_DISPATCH }} -repository: openvpn/openvpn-build -event-type: openvpn-commit - libressl: strategy: fail-fast: false

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I8b00d7d79a26ad4aaae529cb496e125398169b50
Gerrit-Change-Number: 328
Gerrit-PatchSet: 2
Gerrit-Owner: flichtenheld
Gerrit-Reviewer: cron2
Gerrit-Reviewer: stipa
Gerrit-CC: openvpn-devel
Gerrit-MessageType: newpatchset
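Review bot: Deleting the trigger_openvpn_build job leaves the secrets.OPENVPN_BUILD_REPO_DISPATCH token it consumed in place; nothing left in this workflow references it, so it should be removed from the repository secrets and the underlying token revoked on the openvpn-build side rather than left sitting unused with repository-dispatch rights. It would also help future readers if the commit message named the `openvpn-commit` event-type that openvpn-build no longer receives, so anyone still listening for it there knows the renovate PRs replaced it.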
[Openvpn-devel] [PATCH applied] Re: GHA: do not trigger builds in openvpn-build anymore
.. as discussed on the list and on IRC, yes.

*second attempt*, fixing the URL: in both commits, so new commit IDs...

Your patch has been applied to the master and release/2.6 branch.

commit 37d6c61a3decf64d0db1cd3d033483c9db5c4c91 (master)
commit 1782daa48e782469550e37e7cd7dab2ba4e4be8b (HEAD -> release/2.6)
Author: Frank Lichtenheld
Date: Fri Sep 22 12:39:36 2023 +0200

GHA: do not trigger builds in openvpn-build anymore

Signed-off-by: Frank Lichtenheld
Acked-by: Lev Stipakov
Message-Id: <20230922103936.37230-1-fr...@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27060.html
Signed-off-by: Gert Doering

--
kind regards,

Gert Doering
[Openvpn-devel] [S] Change in openvpn[master]: GHA: do not trigger builds in openvpn-build anymore
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/328?usp=email )

Change subject: GHA: do not trigger builds in openvpn-build anymore

GHA: do not trigger builds in openvpn-build anymore

We do this via explicit PRs now, generated by renovate. This allows much better control over what state of the code gets built.

Change-Id: I8b00d7d79a26ad4aaae529cb496e125398169b50
Signed-off-by: Frank Lichtenheld
Acked-by: Lev Stipakov
Message-Id: <20230922103936.37230-1-fr...@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27060.html
Signed-off-by: Gert Doering
---
M .github/workflows/build.yaml
1 file changed, 0 insertions(+), 13 deletions(-)

diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 1b75a1a..58fbc29 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml 
@@ -290,19 +290,6 @@ !${{ github.workspace }}/out/**/CMakeFiles/** !${{ github.workspace }}/out/**/vcpkg_installed/** - trigger_openvpn_build: -runs-on: windows-latest -needs: [checkuncrustify, mingw, ubuntu, ubuntu-clang-asan, macos, msvc] -if: ${{ github.event_name != 'pull_request' && github.repository == 'openvpn/openvpn' && github.ref == 'refs/heads/master' }} - -steps: -- name: Repository Dispatch - uses: peter-evans/repository-dispatch@v2 - with: -token: ${{ secrets.OPENVPN_BUILD_REPO_DISPATCH }} -repository: openvpn/openvpn-build -event-type: openvpn-commit - libressl: strategy: fail-fast: false

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I8b00d7d79a26ad4aaae529cb496e125398169b50
Gerrit-Change-Number: 328
Gerrit-PatchSet: 2
Gerrit-Owner: flichtenheld
Gerrit-Reviewer: cron2
Gerrit-Reviewer: stipa
Gerrit-CC: openvpn-devel
Gerrit-MessageType: merged
[Openvpn-devel] [PATCH applied] Re: GHA: do not trigger builds in openvpn-build anymore
.. as discussed on the list and on IRC, yes.

Your patch has been applied to the master and release/2.6 branch.

commit 1864a19e85d89bc0b34cb1c6eac186f3fe323c0b (master)
commit cd09e073752fbad5d70adc2af66a29c7ed99a9e9 (release/2.6)
Author: Frank Lichtenheld
Date: Fri Sep 22 12:39:36 2023 +0200

GHA: do not trigger builds in openvpn-build anymore

Signed-off-by: Frank Lichtenheld
Acked-by: Lev Stipakov
Message-Id: <20230922103936.37230-1-fr...@lichtenheld.com>
URL: https://www.mail-archive.com/search?l=mid&q=20230922103936.37230-1-fr...@lichtenheld.com
Signed-off-by: Gert Doering

--
kind regards,

Gert Doering
[Openvpn-devel] [S] Change in openvpn[release/2.6]: Warn user if INFO control command is too long
cron2 has uploaded a new patch set (#2) to the change originally created by stipa. ( http://gerrit.openvpn.net/c/openvpn/+/329?usp=email )

The following approvals got outdated and were removed: Code-Review+2 by flichtenheld

Change subject: Warn user if INFO control command is too long

Warn user if INFO control command is too long

"INFO_PRE,..." command length is limited to 256 bytes. If the server implementation pushes a command which is too long, warn the user and don't send the truncated command to a management client.

Change-Id: If3c27a2a2ba24f2af0e3e3c95eea57ed420b2542
Signed-off-by: Lev Stipakov
Acked-by: Frank Lichtenheld
Message-Id: <20230922105055.37969-1-fr...@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27062.html
Signed-off-by: Gert Doering
(cherry picked from commit df624fb6d63db6b2a3b0c40597cee74c61b8ab2c)
---
M src/openvpn/push.c
1 file changed, 8 insertions(+), 2 deletions(-)

git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/29/329/2

diff --git a/src/openvpn/push.c b/src/openvpn/push.c index d468211..19849c5 100644 --- a/src/openvpn/push.c +++ b/src/openvpn/push.c 
@@ -244,8 +244,14 @@ * for management greeting and we don't want to confuse the client */ struct buffer out = alloc_buf_gc(256, &gc); -buf_printf(&out, ">%s:%s", "INFOMSG", m); -management_notify_generic(management, BSTR(&out)); +if (buf_printf(&out, ">%s:%s", "INFOMSG", m)) +{ +management_notify_generic(management, BSTR(&out)); +} +else +{ +msg(D_PUSH_ERRORS, "WARNING: Received INFO command is too long, won't notify management client."); +} gc_free(&gc); }

Gerrit-Project: openvpn
Gerrit-Branch: release/2.6
Gerrit-Change-Id: If3c27a2a2ba24f2af0e3e3c95eea57ed420b2542
Gerrit-Change-Number: 329
Gerrit-PatchSet: 2
Gerrit-Owner: stipa
Gerrit-Reviewer: flichtenheld
Gerrit-CC: openvpn-devel
Gerrit-MessageType: newpatchset
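Review bot: Gating management_notify_generic() on the buf_printf() return value is the right guard: the management interface is line-oriented, so a silently cut-off `>INFOMSG:` line is exactly what a client must never receive, and the server-supplied text is correctly kept out of the warning. Two small things in the same hunk: the D_PUSH_ERRORS message would be more actionable if it carried the length of the rejected command and the limit (strlen(m) and 256), and the 256 passed to alloc_buf_gc() is a magic number that the comment above ties to the management greeting; a named constant shared by both would keep them from drifting apart.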
[Openvpn-devel] [S] Change in openvpn[release/2.6]: Warn user if INFO control command is too long
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/329?usp=email )

Change subject: Warn user if INFO control command is too long

Warn user if INFO control command is too long

"INFO_PRE,..." command length is limited to 256 bytes. If the server implementation pushes a command which is too long, warn the user and don't send the truncated command to a management client.

Change-Id: If3c27a2a2ba24f2af0e3e3c95eea57ed420b2542
Signed-off-by: Lev Stipakov
Acked-by: Frank Lichtenheld
Message-Id: <20230922105055.37969-1-fr...@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27062.html
Signed-off-by: Gert Doering
(cherry picked from commit df624fb6d63db6b2a3b0c40597cee74c61b8ab2c)
---
M src/openvpn/push.c
1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/openvpn/push.c b/src/openvpn/push.c index d468211..19849c5 100644 --- a/src/openvpn/push.c +++ b/src/openvpn/push.c @@ -244,8 +244,14 @@ * for management greeting and we don't want to confuse the client */ struct buffer out = alloc_buf_gc(256, &gc); -buf_printf(&out, ">%s:%s", "INFOMSG", m); -management_notify_generic(management, BSTR(&out)); +if (buf_printf(&out, ">%s:%s", "INFOMSG", m)) +{ +management_notify_generic(management, BSTR(&out)); +} +else +{ +msg(D_PUSH_ERRORS, "WARNING: Received INFO command is too long, won't notify management client."); +} gc_free(&gc); }

Gerrit-Project: openvpn
Gerrit-Branch: release/2.6
Gerrit-Change-Id: If3c27a2a2ba24f2af0e3e3c95eea57ed420b2542
Gerrit-Change-Number: 329
Gerrit-PatchSet: 2
Gerrit-Owner: stipa
Gerrit-Reviewer: flichtenheld
Gerrit-CC: openvpn-devel
Gerrit-MessageType: merged
[Openvpn-devel] [PATCH applied] Re: Warn user if INFO control command is too long
Have not tested it beyond "test compile", but change looks reasonable.

Your patch has been applied to the master and release/2.6 branch ("make things more robust").

commit df624fb6d63db6b2a3b0c40597cee74c61b8ab2c (master)
commit 785b50127ecf0c440c016f85cef0c59f56894fc4 (release/2.6)
Author: Lev Stipakov
Date: Fri Sep 22 12:50:55 2023 +0200

Warn user if INFO control command is too long

Signed-off-by: Lev Stipakov
Acked-by: Frank Lichtenheld
Message-Id: <20230922105055.37969-1-fr...@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27062.html
Signed-off-by: Gert Doering

--
kind regards,

Gert Doering
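The behaviour the commit message above describes (a bounded line buffer where truncation is detected and the cut-off text is never forwarded) in plain C, as an added example that is not OpenVPN's code: `format_info_msg()` is a hypothetical helper built on snprintf() that mirrors the semantics the patch relies on from buf_printf(), and `handle_info_command()` mirrors the patched control flow. The 256-byte size matches the alloc_buf_gc(256, ...) call in the patch; that it includes the terminating NUL is an assumption, and the 'A'-filled payloads are constructed test input, not real server messages.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Same size as the alloc_buf_gc(256, ...) buffer in the patch (assumption:
 * 256 bytes including the terminating NUL). */
#define INFO_BUF_SIZE 256

/* Hypothetical helper, not OpenVPN's buf_printf(): format ">INFOMSG:<m>"
 * into out[0..outlen). Returns true only if the whole line fit. On
 * truncation the buffer is emptied so a caller cannot forward a partial
 * line by mistake. */
static bool format_info_msg(char *out, size_t outlen, const char *m)
{
    int n = snprintf(out, outlen, ">%s:%s", "INFOMSG", m);
    if (n < 0 || (size_t)n >= outlen)
    {
        /* snprintf returns the length it wanted to write; >= outlen means
         * the text was cut off (only the NUL still fit). */
        if (outlen > 0)
        {
            out[0] = '\0';
        }
        return false;
    }
    return true;
}

/* Mirrors the control flow of the patched push.c: notify on success,
 * warn and drop on truncation. Returns 1 if notified, 0 if dropped. */
static int handle_info_command(const char *m, char *line, size_t linelen)
{
    if (format_info_msg(line, linelen, m))
    {
        /* stand-in for management_notify_generic(management, line) */
        return 1;
    }
    /* stand-in for msg(D_PUSH_ERRORS, ...); the length is included so an
     * operator can see how far over the limit the server's command was,
     * while the server-controlled text itself stays out of the log */
    fprintf(stderr, "WARNING: INFO command too long (%zu bytes, buffer %zu), not forwarding\n",
            strlen(m), linelen);
    return 0;
}

/* Constructed test input: an INFO payload of payload_len 'A' bytes.
 * Returns 1 if accepted, 0 if dropped, -1 if the test payload is too big. */
static int run_case_accepted(size_t payload_len)
{
    char payload[512];
    char line[INFO_BUF_SIZE];
    if (payload_len >= sizeof payload)
    {
        return -1;
    }
    memset(payload, 'A', payload_len);
    payload[payload_len] = '\0';
    return handle_info_command(payload, line, sizeof line);
}

/* Same constructed case; returns what is left in the line buffer afterwards
 * (the full line length on success, 0 after a rejected command). */
static size_t run_case_line_len(size_t payload_len)
{
    char payload[512];
    char line[INFO_BUF_SIZE];
    if (payload_len >= sizeof payload)
    {
        return 0;
    }
    memset(payload, 'A', payload_len);
    payload[payload_len] = '\0';
    handle_info_command(payload, line, sizeof line);
    return strlen(line);
}

int main(void)
{
    /* ">INFOMSG:" is 9 bytes, so 246 payload bytes is the largest that fits */
    printf("100 bytes: accepted=%d line_len=%zu\n", run_case_accepted(100), run_case_line_len(100));
    printf("246 bytes: accepted=%d line_len=%zu\n", run_case_accepted(246), run_case_line_len(246));
    printf("247 bytes: accepted=%d line_len=%zu\n", run_case_accepted(247), run_case_line_len(247));
    printf("300 bytes: accepted=%d line_len=%zu\n", run_case_accepted(300), run_case_line_len(300));
    return 0;
}
```

The boundary case is the one worth keeping in mind when reading the patch: with a 256-byte buffer and the 9-byte `>INFOMSG:` prefix, a 246-byte command is the longest that is forwarded, and a 247-byte one is dropped with a warning rather than sent as 255 bytes of silently shortened text.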
[Openvpn-devel] [M] Change in openvpn[master]: dev-tools/gerrit-send-mail.py: tool to send Gerrit patchsets to Patch...
Attention is currently required from: cron2.

Hello cron2,

I'd like you to reexamine a change. Please visit http://gerrit.openvpn.net/c/openvpn/+/361?usp=email to look at the new patch set (#3).

Change subject: dev-tools/gerrit-send-mail.py: tool to send Gerrit patchsets to Patchwork

dev-tools/gerrit-send-mail.py: tool to send Gerrit patchsets to Patchwork

Since we're trying to use Gerrit for patch reviews, but the actual merge process is still implemented against the ML and Patchwork, I wrote a script that attempts to bridge the gap. It extracts all relevant information about a patch from Gerrit and converts it into a mail compatible with git-am. Mostly this work is done by Gerrit already, since we can get the original patch in git format-patch format. But we add Acked-by information according to the approvals in Gerrit and some other metadata. This should allow the merge to happen based on this one mail alone.

v3:
- handle missing display_name and email fields for reviewers gracefully
- handle missing Signed-off-by line gracefully

Change-Id: If4e9c2e58441efb3fd00872cd62d1cc6c607f160
Signed-off-by: Frank Lichtenheld
---
A dev-tools/gerrit-send-mail.py
1 file changed, 136 insertions(+), 0 deletions(-)

git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/61/361/3

diff --git a/dev-tools/gerrit-send-mail.py b/dev-tools/gerrit-send-mail.py new file mode 100755 index 000..3cb05d8 --- /dev/null +++ b/dev-tools/gerrit-send-mail.py 
@@ -0,0 +1,136 @@ +#!/usr/bin/env python3 + +# Copyright (C) 2023 OpenVPN Inc +# Copyright (C) 2023 Frank Lichtenheld +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 +# as published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + +# Extract a patch from Gerrit and transform it in a file suitable as input +# for git send-email. + +import argparse +import base64 +from datetime import timezone +import json +import sys +from urllib.parse import urlparse + +import dateutil.parser +import requests + + +def get_details(args): +params = {"o": ["CURRENT_REVISION", "LABELS", "DETAILED_ACCOUNTS"]} +r = requests.get(args.url + "/changes/" + args.changeid, params=params) +print(r.url) +json_txt = r.text.removeprefix(")]}'\n") +json_data = json.loads(json_txt) +assert len(json_data["revisions"]) == 1 # CURRENT_REVISION works as expected +revision = json_data["revisions"].popitem()[1]["_number"] +assert "Code-Review" in json_data["labels"] +acked_by = [] +for reviewer in json_data["labels"]["Code-Review"]["all"]: +if "value" in reviewer: +assert reviewer["value"] >= 0 # no NACK +if reviewer["value"] == 2: +ack = "{} <{}>".format(reviewer.get("display_name", reviewer["name"]), reviewer.get("email", reviewer["name"])) +print("Acked-by: " + ack) +acked_by.append(ack) +change_id = json_data["change_id"] +# assumes that the created date in Gerrit is in UTC +utc_stamp = ( +dateutil.parser.parse(json_data["created"]) +.replace(tzinfo=timezone.utc) 
+.timestamp() +) +# convert to milliseconds as used in message id +created_stamp = int(utc_stamp * 1000) +hostname = urlparse(args.url).hostname +msg_id = f"gerrit.{created_stamp}.{change_id}@{hostname}" +return { +"revision": revision, +"project": json_data["project"], +"target": json_data["branch"], +"msg_id": msg_id, +"acked_by": acked_by, +} + + +def get_patch(details, args): +r = requests.get( +"{}/changes/{}/revisions/{}/patch?download".format( +args.url, args.changeid, details["revision"] +) +) +print(r.url) +patch_text = base64.b64decode(r.text).decode() +return patch_text + + +def apply_patch_mods(patch_text, details, args): +comment_start = patch_text.index("\n---\n") + len("\n---\n") +try: +signed_off_start = patch_text.rindex("\nSigned-off-by: ") +signed_off_end = patch_text.index("\n", signed_off_start + 1) + 1 +except ValueError: # Signed-off missing +signed_off_end = patch_text.index("\n---\n") + 1 +assert comment_start > signed_off_end +acked_by_text = "" +acked_by_names = "" +for ack in details["acked_by"]: +acked_by_text += f"Acked-by: {ack}\n" +acked_by_n
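Review bot: in get_details, the `assert reviewer["value"] >= 0  # no NACK` guard (like the other asserts on the Gerrit response) is stripped when the script runs under `python -O`, so a change carrying a Code-Review -1 or -2 would still be turned into a git-am mail with Acked-by lines; make it an explicit failure instead, e.g. `if reviewer["value"] < 0: sys.exit("negative Code-Review on change")` (sys is already imported). In the same hunk, the two requests.get calls pass no timeout and never call r.raise_for_status(), so a non-200 reply from Gerrit surfaces as a json.loads or base64 decode error rather than the HTTP error that would explain it; adding both makes the tool fail early and clearly.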
[Openvpn-devel] [PATCH] Warn user if INFO control command is too long
From: Lev Stipakov "INFO_PRE,..." command length is limited to 256 bytes. If the server implementation pushes command which is too long, warn the user and don't send the truncated command to a management client. Change-Id: If3c27a2a2ba24f2af0e3e3c95eea57ed420b2542 Signed-off-by: Lev Stipakov Acked-by: Frank Lichtenheld --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to release/2.6. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/329 This mail reflects revision 1 of this Change. Acked-by according to Gerrit (reflected above): Frank Lichtenheld diff --git a/src/openvpn/push.c b/src/openvpn/push.c index d468211..19849c5 100644 --- a/src/openvpn/push.c +++ b/src/openvpn/push.c @@ -244,8 +244,14 @@ * for management greeting and we don't want to confuse the client */ struct buffer out = alloc_buf_gc(256, &gc); -buf_printf(&out, ">%s:%s", "INFOMSG", m); -management_notify_generic(management, BSTR(&out)); +if (buf_printf(&out, ">%s:%s", "INFOMSG", m)) +{ +management_notify_generic(management, BSTR(&out)); +} +else +{ +msg(D_PUSH_ERRORS, "WARNING: Received INFO command is too long, won't notify management client."); +} gc_free(&gc); } ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
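Review bot: the "256 bytes" in the commit message overstates what the push.c hunk actually accepts: the buffer from alloc_buf_gc(256, &gc) must also hold the ">INFOMSG:" prefix (9 bytes) and the terminating NUL, so buf_printf() returns false for any message body longer than 246 bytes. Consider stating the effective limit in the warning text or in the comment above the allocation, or sizing the buffer from a named constant so the limit and the documentation cannot drift apart; including the rejected length in the msg() call would also help an operator trace which server pushed the oversized INFO.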
[Openvpn-devel] [PATCH] dns option: remove support for exclude-domains
From: Heiko Hund No DNS resolver currently supports this and it is not possible to emulate the behavior without the chance of errors. Finding the effective default system DNS server(s) to specify the exclude DNS routes is not trivial and cannot be verified to be correct without resolver internal knowledge. So, it is better to not support this instead of supporting it, but incorrectly. Change-Id: I7f422add22f3f01e9f47985065782dd67bca46eb Signed-off-by: Heiko Hund Acked-by: Lev Stipakov --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/39 This mail reflects revision 6 of this Change. Acked-by according to Gerrit (reflected above): lstipakov Submitter note: Manually removed comma in documentation according to https://gerrit.openvpn.net/c/openvpn/+/39/comment/c2458c42_e3d89d93/ diff --git a/doc/man-sections/client-options.rst b/doc/man-sections/client-options.rst index fe9ffa6..434 100644 --- a/doc/man-sections/client-options.rst +++ b/doc/man-sections/client-options.rst @@ -169,7 +169,7 @@ dns search-domains domain [domain ...] dns server n address addr[:port] [addr[:port] ...] - dns server n resolve-domains|exclude-domains domain [domain ...] + dns server n resolve-domains domain [domain ...] dns server n dnssec yes|optional|no dns server n transport DoH|DoT|plain dns server n sni server-name 
@@ -191,14 +191,10 @@ Optionally a port can be appended after a colon. IPv6 addresses need to be enclosed in brackets if a port is appended. - The ``resolve-domains`` and ``exclude-domains`` options take one or - more DNS domains which are explicitly resolved or explicitly not resolved - by a server. Only one of the options can be configured for a server. - ``resolve-domains`` is used to define a split-dns setup, where only - given domains are resolved by a server. ``exclude-domains`` is used to - define domains which will never be resolved by a server (e.g. domains - which can only be resolved locally). Systems which do not support fine - grained DNS domain configuration, will ignore these settings. + The ``resolve-domains`` option takes one or more DNS domains used to define + a split-dns or dns-routing setup, where only the given domains are resolved + by the server. Systems which do not support fine grained DNS domain + configuration will ignore this setting. The ``dnssec`` option is used to configure validation of DNSSEC records. While the exact semantics may differ for resolvers on different systems, diff --git a/doc/man-sections/script-options.rst b/doc/man-sections/script-options.rst index d73231e..8c0be0c 100644 --- a/doc/man-sections/script-options.rst +++ b/doc/man-sections/script-options.rst @@ -663,7 +663,6 @@ dns_server_{n}_address_{m} dns_server_{n}_port_{m} dns_server_{n}_resolve_domain_{m} - dns_server_{n}_exclude_domain_{m} dns_server_{n}_dnssec dns_server_{n}_transport dns_server_{n}_sni diff --git a/src/openvpn/dns.c b/src/openvpn/dns.c index b7808db..51fca2f 100644 --- a/src/openvpn/dns.c +++ b/src/openvpn/dns.c 
@@ -402,11 +402,9 @@ if (s->domains) { -const char *format = s->domain_type == DNS_RESOLVE_DOMAINS ? - "dns_server_%d_resolve_domain_%d" : "dns_server_%d_exclude_domain_%d"; for (j = 1, d = s->domains; d != NULL; j++, d = d->next) { -setenv_dns_option(es, format, i, j, d->name); +setenv_dns_option(es, "dns_server_%d_resolve_domain_%d", i, j, d->name); } } @@ -484,14 +482,7 @@ struct dns_domain *domain = server->domains; if (domain) { -if (server->domain_type == DNS_RESOLVE_DOMAINS) -{ -msg(D_SHOW_PARMS, "resolve domains:"); -} -else -{ -msg(D_SHOW_PARMS, "exclude domains:"); -} +msg(D_SHOW_PARMS, "resolve domains:"); while (domain) { msg(D_SHOW_PARMS, " %s", domain->name); diff --git a/src/openvpn/dns.h b/src/openvpn/dns.h index 162dec1..e497857 100644 --- a/src/openvpn/dns.h +++ b/src/openvpn/dns.h @@ -27,12 +27,6 @@ #include "buffer.h" #include "env_set.h" -enum dns_domain_type { -DNS_DOMAINS_UNSET, -DNS_RESOLVE_DOMAINS, -DNS_EXCLUDE_DOMAINS -}; - enum dns_security { DNS_SECURITY_UNSET, DNS_SECURITY_NO, @@ -68,7 +62,6 @@ size_t addr_count; struct dns_server_addr addr[8]; struct dns_domain *domains; -enum dns_domain_type domain_type; enum dns_security dnssec; enum dns_server_transport transport; const char *sni; diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 17ce2b0..3e0cb62 100644 --- a/src/openvpn/options.c +++
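Review bot: the client-options.rst hunk silently drops `exclude-domains` from the synopsis and the option description without saying it was ever supported or why it went away. Since dns.h no longer has a representation for the domain type, a server that still pushes `dns server n exclude-domains ...` can only be rejected by an updated client, so a short removal note in the man page (alongside the other removed options) would let operators diagnose that failure from the documentation rather than from a parse error.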
[Openvpn-devel] [PATCH] GHA: do not trigger builds in openvpn-build anymore
We do this via explicit PRs now, generated by renovate. This allows much better control over what state of the code gets built. Change-Id: I8b00d7d79a26ad4aaae529cb496e125398169b50 Signed-off-by: Frank Lichtenheld Acked-by: Lev Stipakov --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/328 This mail reflects revision 1 of this Change. Acked-by according to Gerrit (reflected above): lstipakov diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 1b75a1a..58fbc29 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -290,19 +290,6 @@ !${{ github.workspace }}/out/**/CMakeFiles/** !${{ github.workspace }}/out/**/vcpkg_installed/** - trigger_openvpn_build: -runs-on: windows-latest -needs: [checkuncrustify, mingw, ubuntu, ubuntu-clang-asan, macos, msvc] -if: ${{ github.event_name != 'pull_request' && github.repository == 'openvpn/openvpn' && github.ref == 'refs/heads/master' }} - -steps: -- name: Repository Dispatch - uses: peter-evans/repository-dispatch@v2 - with: -token: ${{ secrets.OPENVPN_BUILD_REPO_DISPATCH }} -repository: openvpn/openvpn-build -event-type: openvpn-commit - libressl: strategy: fail-fast: false ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
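Review bot: with the trigger_openvpn_build job removed, `secrets.OPENVPN_BUILD_REPO_DISPATCH` is no longer referenced anywhere in this workflow; that repository secret is a token able to fire repository_dispatch events in openvpn/openvpn-build, so it should be revoked or deleted together with this change rather than left provisioned for nothing, and the commit message could record that follow-up.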
[Openvpn-devel] [PATCH] Remove --no-replay option
Officially deprecated since v2.4. We have warned about using this forever. It is time to pull the plug. Change-Id: I58706019add6d348483ba222dd74e1466ff6c709 Signed-off-by: Frank Lichtenheld Acked-by: Heiko Hund --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/281 This mail reflects revision 3 of this Change. Acked-by according to Gerrit (reflected above): Heiko Hund diff --git a/doc/man-sections/link-options.rst b/doc/man-sections/link-options.rst index 14e76b4..675fee4 100644 --- a/doc/man-sections/link-options.rst +++ b/doc/man-sections/link-options.rst @@ -366,8 +366,7 @@ order they were received to the TCP/IP protocol stack, provided they satisfy several constraints. - (a) The packet cannot be a replay (unless ``--no-replay`` is -specified, which disables replay protection altogether). + (a) The packet cannot be a replay. (b) If a packet arrives out of order, it will only be accepted if the difference between its sequence number and the highest sequence diff --git a/doc/man-sections/server-options.rst b/doc/man-sections/server-options.rst index 6b9ad21..80dc77d 100644 --- a/doc/man-sections/server-options.rst +++ b/doc/man-sections/server-options.rst @@ -406,7 +406,7 @@ Options that will be compared for compatibility include ``dev-type``, ``link-mtu``, ``tun-mtu``, ``proto``, ``ifconfig``, ``comp-lzo``, ``fragment``, ``keydir``, ``cipher``, - ``auth``, ``keysize``, ``secret``, ``no-replay``, + ``auth``, ``keysize``, ``secret``, ``tls-auth``, ``key-method``, ``tls-server`` and ``tls-client``. diff --git a/doc/man-sections/unsupported-options.rst b/doc/man-sections/unsupported-options.rst index 5c4e3a0..a0c1232 100644 --- a/doc/man-sections/unsupported-options.rst +++ b/doc/man-sections/unsupported-options.rst 
@@ -30,8 +30,9 @@ VPN tunnel security. This has been a NOOP option since OpenVPN 2.4. --no-replay - Removed in OpenVPN 2.5. This option should not be used as it weakens the - VPN tunnel security. + Removed in OpenVPN 2.7. This option should not be used as it weakens the + VPN tunnel security. Previously we claimed to have removed this in + OpenVPN 2.5, but this wasn't actually the case. --ns-cert-type Removed in OpenVPN 2.5. The ``nsCertType`` field is no longer supported diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index a77b5a1..e4452d7 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c @@ -328,7 +328,7 @@ if (!(opt->flags & CO_MUTE_REPLAY_WARNINGS)) { msg(D_REPLAY_ERRORS, "%s: bad packet ID (may be a replay): %s -- " -"see the man page entry for --no-replay and --replay-window for " +"see the man page entry for --replay-window for " "more info or silence this warning with --mute-replay-warnings", error_prefix, packet_id_net_print(pin, true, gc)); } @@ -942,18 +942,6 @@ return true; } -void -check_replay_consistency(const struct key_type *kt, bool packet_id) -{ -ASSERT(kt); - -if (!packet_id && (cipher_kt_mode_ofb_cfb(kt->cipher) - || cipher_kt_mode_aead(kt->cipher))) -{ -msg(M_FATAL, "--no-replay cannot be used with a CFB, OFB or AEAD mode cipher"); -} -} - /* * Generate a random key. */ diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h index 88f8f44..c5fd253 100644 --- a/src/openvpn/crypto.h +++ b/src/openvpn/crypto.h @@ -40,7 +40,7 @@ *HMAC at all. * - \b Ciphertext \b IV. The IV size depends on the \c \-\-cipher option. * - \b Packet \b ID, a 32-bit incrementing packet counter that provides replay - *protection (if not disabled by \c \-\-no-replay). + *protection. * - \b Timestamp, a 32-bit timestamp of the current time. * - \b Payload, the plain text network packet to be encrypted (unless *encryption is disabled by using \c \-\-cipher \c none). The payload might 
@@ -304,8 +304,6 @@ */ int write_key_file(const int nkeys, const char *filename); -void check_replay_consistency(const struct key_type *kt, bool packet_id); - bool check_key(struct key *key, const struct key_type *kt); bool write_key(const struct key *key, const struct key_type *kt, @@ -445,7 +443,7 @@ * this and add it themselves. * * @param ktStruct with the crypto algorithm to use - * @param packet_id_size Size of the packet id, can be 0 if no-replay is used + * @param packet_id_size Size of the packet id * @param occ if true calculates the overhead for crypto in the same * incorrect way as all previous OpenVPN versions did, to * end up with identical numbers for OCC compatibility diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 6fb6900..1fe56a2 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@
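Review bot: the crypto.c hunk that deletes check_replay_consistency() removes the only guard refusing a CFB, OFB or AEAD cipher without packet-ID replay protection, which is safe only if nothing can still produce `packet_id == false` once `--no-replay` is gone. The init.c hunk is cut off here, so please confirm in the commit message that the last caller was removed with it and that the packet_id flag is now unconditionally true, rather than relying on the option's absence alone.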
[Openvpn-devel] [PATCH] CMake: fix HAVE_DAEMON detection on Linux
From: Lev Stipakov On Linux, daemon() is defined in unistd.h, not in stdlib.h like in MacOS or FreeBSD. Change-Id: I30f4ea502a36eca155cbc79b89c0d18ee3419877 Signed-off-by: Lev Stipakov Acked-by: Gert Doering --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/362 This mail reflects revision 1 of this Change. Acked-by according to Gerrit (reflected above): cron2 diff --git a/CMakeLists.txt b/CMakeLists.txt index 9de6aba..76351c1 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -158,7 +158,7 @@ check_symbol_exists(gettimeofday sys/time.h HAVE_GETTIMEOFDAY) check_symbol_exists(basename libgen.h HAVE_BASENAME) check_symbol_exists(chsize io.h HAVE_CHSIZE) -check_symbol_exists(daemon stdlib.h HAVE_DAEMON) +check_symbol_exists(daemon "unistd.h;stdlib.h" HAVE_DAEMON) check_symbol_exists(dirname libgen.h HAVE_DIRNAME) check_symbol_exists(getrlimit sys/resource.h HAVE_GETRLIMIT) check_symbol_exists(mlockall sys/mman.h HAVE_MLOCKALL) ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
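Review bot: `"unistd.h;stdlib.h"` is a CMake list passed as one quoted argument, which is easy to misread as a single header path; a one-line comment above the check saying that Linux declares daemon() in unistd.h while macOS and FreeBSD use stdlib.h (as the commit message explains) would keep the next reader from "fixing" the quoting. It is also worth verifying that CMAKE_REQUIRED_DEFINITIONS carries the same feature-test macros as the real build, since check_symbol_exists compiles its probe with those and glibc only exposes daemon() in unistd.h under _DEFAULT_SOURCE or _GNU_SOURCE.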
[Openvpn-devel] [XS] Change in openvpn[master]: CMake: fix HAVE_DAEMON detection on Linux
Attention is currently required from: flichtenheld, stipa. cron2 has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/362?usp=email ) Change subject: CMake: fix HAVE_DAEMON detection on Linux .. Patch Set 1: Code-Review+2 -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/362?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I30f4ea502a36eca155cbc79b89c0d18ee3419877 Gerrit-Change-Number: 362 Gerrit-PatchSet: 1 Gerrit-Owner: stipa Gerrit-Reviewer: cron2 Gerrit-Reviewer: flichtenheld Gerrit-CC: openvpn-devel Gerrit-Attention: flichtenheld Gerrit-Attention: stipa Gerrit-Comment-Date: Fri, 22 Sep 2023 10:07:29 + Gerrit-HasComments: No Gerrit-Has-Labels: Yes Gerrit-MessageType: comment ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel