[Openvpn-devel] [XS] Change in openvpn[master]: Log SSL alerts more prominently
cron2 has uploaded a new patch set (#4) to the change originally created by plaisthos. ( http://gerrit.openvpn.net/c/openvpn/+/448?usp=email ) The following approvals got outdated and were removed: Code-Review+2 by flichtenheld Change subject: Log SSL alerts more prominently .. Log SSL alerts more prominently When we receive an SSL alert from a server we currently only log a very cryptic OpenSSL error message: OpenSSL: error:0A00042E:SSL routines::tlsv1 alert protocol version:SSL alert number 70 This also enables logging the much more readable SSL error message: Received fatal SSL alert: protocol version which previously needed --verb 8 to be displayed (now verb 3). Also rework the message to be more readable. Change-Id: I6bdab3028c9bd679c31d4177a746a3ea505dcbbf Signed-off-by: Arne Schwabe Acked-by: Frank Lichtenheld Message-Id: <20231121103930.15175-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27523.html Signed-off-by: Gert Doering --- M src/openvpn/ssl_openssl.c 1 file changed, 2 insertions(+), 2 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/48/448/4 diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 23e7623..82872bf 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c 
@@ -196,8 +196,8 @@ } else if (where & SSL_CB_ALERT) { -dmsg(D_HANDSHAKE_VERBOSE, "SSL alert (%s): %s: %s", - where & SSL_CB_READ ? "read" : "write", +dmsg(D_TLS_DEBUG_LOW, "%s %s SSL alert: %s", + where & SSL_CB_READ ? "Received" : "Sent", SSL_alert_type_string_long(ret), SSL_alert_desc_string_long(ret)); } -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/448?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I6bdab3028c9bd679c31d4177a746a3ea505dcbbf Gerrit-Change-Number: 448 Gerrit-PatchSet: 4 Gerrit-Owner: plaisthos Gerrit-Reviewer: flichtenheld Gerrit-CC: openvpn-devel Gerrit-MessageType: newpatchset ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
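Review bot: dmsg() expands to nothing when OpenVPN is built with --disable-debug, so raising the level from D_HANDSHAKE_VERBOSE to D_TLS_DEBUG_LOW only makes the alert visible at --verb 3 on debug-enabled builds; since the stated goal is that an ordinary user sees "Received fatal SSL alert: protocol version" at the default verbosity, this call should be msg(D_TLS_DEBUG_LOW, ...) rather than dmsg(), which is also what the applied-patch reply further down suggests. The "%s %s SSL alert: %s" format with SSL_alert_type_string_long()/SSL_alert_desc_string_long() does produce the quoted wording, so no change is needed there.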
[Openvpn-devel] [XS] Change in openvpn[master]: Log SSL alerts more prominently
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/448?usp=email ) Change subject: Log SSL alerts more prominently .. Log SSL alerts more prominently When we receive an SSL alert from a server we currently only log a very cryptic OpenSSL error message: OpenSSL: error:0A00042E:SSL routines::tlsv1 alert protocol version:SSL alert number 70 This also enables logging the much more readable SSL error message: Received fatal SSL alert: protocol version which previously needed --verb 8 to be displayed (now verb 3). Also rework the message to be more readable. Change-Id: I6bdab3028c9bd679c31d4177a746a3ea505dcbbf Signed-off-by: Arne Schwabe Acked-by: Frank Lichtenheld Message-Id: <20231121103930.15175-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27523.html Signed-off-by: Gert Doering --- M src/openvpn/ssl_openssl.c 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 23e7623..82872bf 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -196,8 +196,8 @@ } else if (where & SSL_CB_ALERT) { -dmsg(D_HANDSHAKE_VERBOSE, "SSL alert (%s): %s: %s", - where & SSL_CB_READ ? "read" : "write", +dmsg(D_TLS_DEBUG_LOW, "%s %s SSL alert: %s", + where & SSL_CB_READ ? "Received" : "Sent", SSL_alert_type_string_long(ret), SSL_alert_desc_string_long(ret)); } -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/448?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I6bdab3028c9bd679c31d4177a746a3ea505dcbbf Gerrit-Change-Number: 448 Gerrit-PatchSet: 4 Gerrit-Owner: plaisthos Gerrit-Reviewer: flichtenheld Gerrit-CC: openvpn-devel Gerrit-MessageType: merged ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
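Review bot: with the level now at D_TLS_DEBUG_LOW (verb 3), every alert the TLS layer receives becomes a log line, and the callback fires for alerts in both directions, so a peer that gets as far as the TLS handshake can produce one line per failed attempt; that is acceptable for a diagnostic, but it is worth keeping the level here rather than promoting it further, and worth a sentence in the commit message that the new line is emitted for sent alerts as well ("Sent"), not only for the received case the message describes.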
[Openvpn-devel] [PATCH applied] Re: Log SSL alerts more prominently
Better diagnostics is good! Your patch has been applied to the master and release/2.6 branch (very basic change, no code flow change, enhanced diagnostics good). We might consider moving from dmsg() to msg() - this is neither very time consuming nor increasing binary size hugely. commit a1cb1b47b138b9f654cd0bca5de6d08dbca61888 (master) commit 94cd53c70e8e8fdd0beac79b17bdb1f912e03cb7 (release/2.6) Author: Arne Schwabe Date: Tue Nov 21 11:39:30 2023 +0100 Log SSL alerts more prominently Signed-off-by: Arne Schwabe Acked-by: Frank Lichtenheld Message-Id: <20231121103930.15175-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27523.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [M] Change in openvpn[master]: Implement generating TLS 1.0 PRF using new OpenSSL 3.0 APIs
Attention is currently required from: flichtenheld. Hello flichtenheld, I'd like you to reexamine a change. Please visit http://gerrit.openvpn.net/c/openvpn/+/457?usp=email to look at the new patch set (#2). Change subject: Implement generating TLS 1.0 PRF using new OpenSSL 3.0 APIs .. Implement generating TLS 1.0 PRF using new OpenSSL 3.0 APIs OpenSSL 3.0 introduced a new API for doing key derivation. So this leaves us now with three different implementations for 1.0.2, 1.1.x and 3.x. This was initially done to maybe still have a working TLS 1.0 PRF when using OpenSSL 3.0; it gives the same error as with the older API, but since moving to a new API is always good, we use the new API when using OpenSSL 3.0. We also print the internal OpenSSL error message when the KDF fails. Change-Id: Ic74195a4ed340547c5e862dc2438f95be318c286 Signed-off-by: Arne Schwabe --- M src/openvpn/crypto_openssl.c 1 file changed, 50 insertions(+), 1 deletion(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/57/457/2 diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index fe1254f..7351a5f 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -54,6 +54,7 @@ #endif #if OPENSSL_VERSION_NUMBER >= 0x3000L #include +#include #endif #if defined(_WIN32) && defined(OPENSSL_NO_EC) 
@@ -1373,8 +1374,56 @@ { return CRYPTO_memcmp(a, b, size); } +#if (OPENSSL_VERSION_NUMBER >= 0x300L) && !defined(LIBRESSL_VERSION_NUMBER) +bool +ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret, + int secret_len, uint8_t *output, int output_len) +{ +bool ret = true; +EVP_KDF_CTX *kctx = NULL; -#if (OPENSSL_VERSION_NUMBER >= 0x1010L) && !defined(LIBRESSL_VERSION_NUMBER) + +EVP_KDF *kdf = EVP_KDF_fetch(NULL, "TLS1-PRF", NULL); +if (!kdf) +{ +goto err; +} + +kctx = EVP_KDF_CTX_new(kdf); + +if (!kctx) +{ +goto err; +} + +OSSL_PARAM params[4]; + +params[0] = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST, + SN_md5_sha1, strlen(SN_md5_sha1)); +params[1] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SECRET, + secret, (size_t) secret_len); +params[2] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SEED, + seed, (size_t) seed_len); +params[3] = OSSL_PARAM_construct_end(); + +if (EVP_KDF_derive(kctx, output, output_len, params) <= 0) +{ +crypto_msg(D_TLS_DEBUG_LOW, "Generating TLS 1.0 PRF using " + "EVP_KDF_derive failed"); +goto err; +} + +goto out; + +err: +ret = false; +out: +EVP_KDF_free(kdf); +EVP_KDF_free(kdf); + +return ret; +} +#elif (OPENSSL_VERSION_NUMBER >= 0x1010L) && !defined(LIBRESSL_VERSION_NUMBER) bool ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret, int secret_len, uint8_t *output, int output_len) -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/457?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Ic74195a4ed340547c5e862dc2438f95be318c286 Gerrit-Change-Number: 457 Gerrit-PatchSet: 2 Gerrit-Owner: plaisthos Gerrit-Reviewer: flichtenheld Gerrit-CC: openvpn-devel Gerrit-Attention: flichtenheld Gerrit-MessageType: newpatchset ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
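Review bot: the cleanup under the `out:` label frees the wrong object twice and leaks the other: `EVP_KDF_free(kdf); EVP_KDF_free(kdf);` double-frees the EVP_KDF on every successful call and never releases `kctx`. It should read `EVP_KDF_CTX_free(kctx); EVP_KDF_free(kdf);`; both functions accept NULL, so the early `goto err` paths (fetch failure before `kctx` is created) stay safe with that ordering. Also, `ret = true` is set before anything can fail, so the `goto out` / `err:` split is correct only because of the `ret = false` assignment; a comment on the `err:` label would make that less fragile.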
[Openvpn-devel] [M] Change in openvpn[master]: Implement generating TLS 1.0 PRF using new OpenSSL 3.0 APIs
Attention is currently required from: flichtenheld. Hello flichtenheld, I'd like you to do a code review. Please visit http://gerrit.openvpn.net/c/openvpn/+/457?usp=email to review the following change. Change subject: Implement generating TLS 1.0 PRF using new OpenSSL 3.0 APIs .. Implement generating TLS 1.0 PRF using new OpenSSL 3.0 APIs OpenSSL 3.0 introduced a new API for doing key derivation. So this leaves us now with three different implementations for 1.0.2, 1.1.x and 3.x. This was initially done to maybe still have a working TLS 1.0 PRF when using OpenSSL 3.0; it gives the same error as with the older API, but since moving to a new API is always good, we use the new API when using OpenSSL 3.0. We also print the internal OpenSSL error message when the KDF fails. Change-Id: Ic74195a4ed340547c5e862dc2438f95be318c286 Signed-off-by: Arne Schwabe --- M src/openvpn/crypto_openssl.c 1 file changed, 50 insertions(+), 1 deletion(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/57/457/1 diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index fe1254f..7351a5f 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -54,6 +54,7 @@ #endif #if OPENSSL_VERSION_NUMBER >= 0x3000L #include +#include #endif #if defined(_WIN32) && defined(OPENSSL_NO_EC) 
@@ -1373,8 +1374,56 @@ { return CRYPTO_memcmp(a, b, size); } +#if (OPENSSL_VERSION_NUMBER >= 0x300L) && !defined(LIBRESSL_VERSION_NUMBER) +bool +ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret, + int secret_len, uint8_t *output, int output_len) +{ +bool ret = true; +EVP_KDF_CTX *kctx = NULL; -#if (OPENSSL_VERSION_NUMBER >= 0x1010L) && !defined(LIBRESSL_VERSION_NUMBER) + +EVP_KDF *kdf = EVP_KDF_fetch(NULL, "TLS1-PRF", NULL); +if (!kdf) +{ +goto err; +} + +kctx = EVP_KDF_CTX_new(kdf); + +if (!kctx) +{ +goto err; +} + +OSSL_PARAM params[4]; + +params[0] = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST, + SN_md5_sha1, strlen(SN_md5_sha1)); +params[1] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SECRET, + secret, (size_t) secret_len); +params[2] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SEED, + seed, (size_t) seed_len); +params[3] = OSSL_PARAM_construct_end(); + +if (EVP_KDF_derive(kctx, output, output_len, params) <= 0) +{ +crypto_msg(D_TLS_DEBUG_LOW, "Generating TLS 1.0 PRF using " + "EVP_KDF_derive failed"); +goto err; +} + +goto out; + +err: +ret = false; +out: +EVP_KDF_free(kdf); +EVP_KDF_free(kdf); + +return ret; +} +#elif (OPENSSL_VERSION_NUMBER >= 0x1010L) && !defined(LIBRESSL_VERSION_NUMBER) bool ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret, int secret_len, uint8_t *output, int output_len) -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/457?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Ic74195a4ed340547c5e862dc2438f95be318c286 Gerrit-Change-Number: 457 Gerrit-PatchSet: 1 Gerrit-Owner: plaisthos Gerrit-Reviewer: flichtenheld Gerrit-CC: openvpn-devel Gerrit-Attention: flichtenheld Gerrit-MessageType: newchange ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
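Review bot: when `EVP_KDF_fetch(NULL, "TLS1-PRF", NULL)` or `EVP_KDF_CTX_new()` returns NULL the function jumps to `err` silently, although the commit message promises the internal OpenSSL error when the KDF fails; a fetch failure is exactly what a build or provider configuration without TLS1-PRF produces, so a `crypto_msg(D_TLS_DEBUG_LOW, ...)` on those two paths would make the later "PRF calculation failed" message diagnosable. The version literals in the two new preprocessor conditions as shown (`0x3000L` guarding the include, `0x300L` guarding the function) also differ from each other; both should be the same OpenSSL 3.0.0 constant, otherwise the include and the implementation can be selected inconsistently.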
[Openvpn-devel] [XS] Change in openvpn[master]: Extend the error message when TLS 1.0 PRF fails
Attention is currently required from: flichtenheld. Hello flichtenheld, I'd like you to reexamine a change. Please visit http://gerrit.openvpn.net/c/openvpn/+/456?usp=email to look at the new patch set (#2). Change subject: Extend the error message when TLS 1.0 PRF fails .. Extend the error message when TLS 1.0 PRF fails This error will probably become more and more common in the future when more and more systems will drop TLS 1.0 PRF support. We are already seeing people stumbling upon this (see GitHub issue #460) The current error messages TLS Error: PRF calcuation failed TLS Error: generate_key_expansion failed are not very helpful for people that do not have a deep understanding of TLS or the OpenVPN protocol. Improve on this message to give a normal user a chance to understand that the peer needs to be OpenVPN 2.6.x or newer. Change-Id: Ib3b64b52beed69dc7740f191b0e9a9dc9af5b7f3 Signed-off-by: Arne Schwabe --- M src/openvpn/ssl.c 1 file changed, 6 insertions(+), 1 deletion(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/56/456/2 diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 400230c..9817b2e 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c 
@@ -1641,7 +1641,12 @@ { if (!generate_key_expansion_openvpn_prf(session, )) { -msg(D_TLS_ERRORS, "TLS Error: PRF calcuation failed"); +msg(D_TLS_ERRORS, "TLS Error: PRF calculation failed. Your system " +"might not support the old TLS 1.0 PRF calculation anymore or " +"the policy does not allow TLS1 PRF calculation anymore " +"(e.g. running in FIPS mode). The peer did not announce support " +"for the modern TLS Export feature that replaces the TLS 1.0" +"RPF (requires OpenVPN 2.6.x or higher)"); goto exit; } } -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/456?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Ib3b64b52beed69dc7740f191b0e9a9dc9af5b7f3 Gerrit-Change-Number: 456 Gerrit-PatchSet: 2 Gerrit-Owner: plaisthos Gerrit-Reviewer: flichtenheld Gerrit-CC: openvpn-devel Gerrit-Attention: flichtenheld Gerrit-MessageType: newpatchset ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
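Review bot: the last two string literals are concatenated without a separating space and misspell the acronym, so the message ends in "...replaces the TLS 1.0RPF (requires OpenVPN 2.6.x or higher)"; change them to end in `"... that replaces the TLS 1.0 "` and `"PRF (requires OpenVPN 2.6.x or higher)"`. The message also switches between "TLS 1.0 PRF" and "TLS1 PRF" for the same thing; pick one spelling so users can search for it.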
[Openvpn-devel] [PATCH applied] Re: Introduce report_command_status helper function
Skimmed the code, test compiled, not exercised the management interface. Obvious improvement. "client-auth" morphed into "client_auth" here, which I took the liberty to change back (checked with Arne, avoid a new round). Your patch has been applied to the master branch. commit 57172d84096cc03e4a5a0658b9abb15d4173859d (master) Author: Arne Schwabe Date: Tue Nov 21 11:42:54 2023 +0100 Introduce report_command_status helper function Acked-by: Frank Lichtenheld Signed-off-by: Arne Schwabe Message-Id: <20231121104254.15701-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27525.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [S] Change in openvpn[master]: Introduce report_command_status helper function
cron2 has uploaded a new patch set (#2) to the change originally created by plaisthos. ( http://gerrit.openvpn.net/c/openvpn/+/450?usp=email ) The following approvals got outdated and were removed: Code-Review+2 by flichtenheld Change subject: Introduce report_command_status helper function .. Introduce report_command_status helper function Instead of repeating near identical code several times in manage.c, use a small helper function instead. Change-Id: I91f739f5cb43386b2ce767cf3603a76e6b93e216 Acked-by: Frank Lichtenheld Signed-off-by: Arne Schwabe Message-Id: <20231121104254.15701-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27525.html Signed-off-by: Gert Doering --- M src/openvpn/manage.c 1 file changed, 21 insertions(+), 24 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/50/450/2 diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c index feb62b2..27b6f90 100644 --- a/src/openvpn/manage.c +++ b/src/openvpn/manage.c @@ -284,6 +284,24 @@ #endif } + +/** + * Small function to report the success or failure of a command to + * the management interface + */ +static void +report_command_status(const bool status, const char *command) +{ +if (status) +{ +msg(M_CLIENT, "SUCCESS: %s command succeeded", command); +} +else +{ +msg(M_CLIENT, "ERROR: %s command failed", command); +} +} + static void man_delete_unix_socket(struct management *man) { @@ -974,14 +992,7 @@ NULL, man->connection.in_extra); man->connection.in_extra = NULL; -if (status) -{ -msg(M_CLIENT, "SUCCESS: client-auth command succeeded"); -} -else -{ -msg(M_CLIENT, "ERROR: client-auth command failed"); -} +report_command_status(status, "client-auth"); } else { 
@@ -1260,14 +1271,7 @@ if (man->persist.callback.proxy_cmd) { const bool status = (*man->persist.callback.proxy_cmd)(man->persist.callback.arg, p); -if (status) -{ -msg(M_CLIENT, "SUCCESS: proxy command succeeded"); -} -else -{ -msg(M_CLIENT, "ERROR: proxy command failed"); -} +report_command_status(status, "proxy"); } else { @@ -1281,14 +1285,7 @@ if (man->persist.callback.remote_cmd) { const bool status = (*man->persist.callback.remote_cmd)(man->persist.callback.arg, p); -if (status) -{ -msg(M_CLIENT, "SUCCESS: remote command succeeded"); -} -else -{ -msg(M_CLIENT, "ERROR: remote command failed"); -} +report_command_status(status, "remote"); } else { -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/450?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I91f739f5cb43386b2ce767cf3603a76e6b93e216 Gerrit-Change-Number: 450 Gerrit-PatchSet: 2 Gerrit-Owner: plaisthos Gerrit-Reviewer: flichtenheld Gerrit-CC: openvpn-devel Gerrit-MessageType: newpatchset ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
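Review bot: the management interface is a line protocol and clients match the `SUCCESS:` / `ERROR:` lines textually, so the second argument to `report_command_status()` must stay byte-identical to the command name in the message it replaces; the three call sites here ("client-auth", "proxy", "remote") do preserve the old wording, but the helper's doc comment should state that requirement explicitly so a future caller does not pass a variant name (the applied-patch reply notes that an earlier revision had drifted to "client_auth"). Passing the name as a `%s` argument rather than building it into the format string is the right shape, since `command` is always a literal here.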
[Openvpn-devel] [S] Change in openvpn[master]: Introduce report_command_status helper function
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/450?usp=email ) Change subject: Introduce report_command_status helper function .. Introduce report_command_status helper function Instead of repeating near identical code several times in manage.c, use a small helper function instead. Change-Id: I91f739f5cb43386b2ce767cf3603a76e6b93e216 Acked-by: Frank Lichtenheld Signed-off-by: Arne Schwabe Message-Id: <20231121104254.15701-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27525.html Signed-off-by: Gert Doering --- M src/openvpn/manage.c 1 file changed, 21 insertions(+), 24 deletions(-) diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c index feb62b2..27b6f90 100644 --- a/src/openvpn/manage.c +++ b/src/openvpn/manage.c @@ -284,6 +284,24 @@ #endif } + +/** + * Small function to report the success or failure of a command to + * the management interface + */ +static void +report_command_status(const bool status, const char *command) +{ +if (status) +{ +msg(M_CLIENT, "SUCCESS: %s command succeeded", command); +} +else +{ +msg(M_CLIENT, "ERROR: %s command failed", command); +} +} + static void man_delete_unix_socket(struct management *man) { @@ -974,14 +992,7 @@ NULL, man->connection.in_extra); man->connection.in_extra = NULL; -if (status) -{ -msg(M_CLIENT, "SUCCESS: client-auth command succeeded"); -} -else -{ -msg(M_CLIENT, "ERROR: client-auth command failed"); -} +report_command_status(status, "client-auth"); } else { @@ -1260,14 +1271,7 @@ if (man->persist.callback.proxy_cmd) { const bool status = (*man->persist.callback.proxy_cmd)(man->persist.callback.arg, p); -if (status) -{ -msg(M_CLIENT, "SUCCESS: proxy command succeeded"); -} -else -{ -msg(M_CLIENT, "ERROR: proxy command failed"); -} +report_command_status(status, "proxy"); } else { 
@@ -1281,14 +1285,7 @@ if (man->persist.callback.remote_cmd) { const bool status = (*man->persist.callback.remote_cmd)(man->persist.callback.arg, p); -if (status) -{ -msg(M_CLIENT, "SUCCESS: remote command succeeded"); -} -else -{ -msg(M_CLIENT, "ERROR: remote command failed"); -} +report_command_status(status, "remote"); } else { -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/450?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I91f739f5cb43386b2ce767cf3603a76e6b93e216 Gerrit-Change-Number: 450 Gerrit-PatchSet: 2 Gerrit-Owner: plaisthos Gerrit-Reviewer: flichtenheld Gerrit-CC: openvpn-devel Gerrit-MessageType: merged ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
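Review bot: for the "remote" site the replacement is exact, so the management reply for a successful or failed `remote` command is unchanged; the only thing still missing from the merged version is a sentence in the comment above `report_command_status()` saying that `command` is echoed verbatim to the management client and must be the command name as typed on the channel.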
[Openvpn-devel] [S] Change in openvpn[master]: Fix unaligned access in macOS/Solaris hwaddr
Attention is currently required from: flichtenheld, plaisthos. cron2 has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/454?usp=email ) Change subject: Fix unaligned access in macOS/Solaris hwaddr .. Patch Set 1: Code-Review-2 (1 comment) Patchset: PS1: this breaks OpenSolaris, as it has no sa_len element. I'll look into a good fix, but things have kept me busy. -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/454?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Ia797c8801fa9a9bc10b6674efde5fdbd7132e4a8 Gerrit-Change-Number: 454 Gerrit-PatchSet: 1 Gerrit-Owner: plaisthos Gerrit-Reviewer: cron2 Gerrit-Reviewer: flichtenheld Gerrit-CC: openvpn-devel Gerrit-Attention: plaisthos Gerrit-Attention: flichtenheld Gerrit-Comment-Date: Tue, 21 Nov 2023 18:56:55 + Gerrit-HasComments: Yes Gerrit-Has-Labels: Yes Gerrit-MessageType: comment ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [XS] Change in openvpn[master]: Extend the error message when TLS 1.0 PRF fails
Attention is currently required from: flichtenheld. Hello flichtenheld, I'd like you to do a code review. Please visit http://gerrit.openvpn.net/c/openvpn/+/456?usp=email to review the following change. Change subject: Extend the error message when TLS 1.0 PRF fails .. Extend the error message when TLS 1.0 PRF fails This error will probably become more and more common in the future when more and more systems will drop TLS 1.0 PRF support. We are already seeing people stumbling upon this (see GitHub issue #460) The current error messages TLS Error: PRF calcuation failed TLS Error: generate_key_expansion failed are not very helpful for people that do not have a deep understanding of TLS or the OpenVPN protocol. Improve on this message to give a normal user a chance to understand that the peer needs to be OpenVPN 2.6.x or newer. Change-Id: Ib3b64b52beed69dc7740f191b0e9a9dc9af5b7f3 --- M src/openvpn/ssl.c 1 file changed, 6 insertions(+), 1 deletion(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/56/456/1 diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 400230c..9817b2e 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c 
@@ -1641,7 +1641,12 @@ { if (!generate_key_expansion_openvpn_prf(session, )) { -msg(D_TLS_ERRORS, "TLS Error: PRF calcuation failed"); +msg(D_TLS_ERRORS, "TLS Error: PRF calculation failed. Your system " +"might not support the old TLS 1.0 PRF calculation anymore or " +"the policy does not allow TLS1 PRF calculation anymore " +"(e.g. running in FIPS mode). The peer did not announce support " +"for the modern TLS Export feature that replaces the TLS 1.0" +"RPF (requires OpenVPN 2.6.x or higher)"); goto exit; } } -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/456?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Ib3b64b52beed69dc7740f191b0e9a9dc9af5b7f3 Gerrit-Change-Number: 456 Gerrit-PatchSet: 1 Gerrit-Owner: plaisthos Gerrit-Reviewer: flichtenheld Gerrit-CC: openvpn-devel Gerrit-Attention: flichtenheld Gerrit-MessageType: newchange ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
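Review bot: same hunk as patch set 2: the literal `"...replaces the TLS 1.0"` is immediately followed by `"RPF (requires ..."`, so the log line reads "TLS 1.0RPF"; add the missing space and spell it PRF. Beyond the typo, this single `msg()` now spans five concatenated strings and is several hundred characters long, which many syslog setups wrap or truncate; consider splitting the explanation into two `msg(D_TLS_ERRORS, ...)` calls, one naming the failure and one naming the remedy (peer must be OpenVPN 2.6.x or newer), so the actionable part survives truncation.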
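To make concrete what the "TLS1-PRF" KDF with the md5_sha1 digest in change 457 computes, and why the failure that change 456 tries to explain appears on FIPS-restricted systems (half of the output comes from HMAC-MD5), here is the TLS 1.0 PRF from RFC 2246 section 5 written out in plain Python. This is an added example, not OpenVPN or OpenSSL code; the secret, label and seed it feeds in are constructed values, not OpenVPN's real key-derivation inputs.

```python
"""TLS 1.0/1.1 pseudo-random function (RFC 2246, section 5), pure Python.

Added illustration only: this is neither OpenVPN's generate_key_expansion
code nor OpenSSL's TLS1-PRF provider, but it computes the same function
that EVP_KDF "TLS1-PRF" with digest md5-sha1 computes.
"""
import hashlib
import hmac

# RFC 2246 P_hash is built from HMAC over a single digest; the TLS 1.0
# PRF combines an MD5 expansion and a SHA-1 expansion.
_DIGESTS = {"md5": hashlib.md5, "sha1": hashlib.sha1}


def split_secret(secret: bytes) -> tuple:
    """S1 is the first ceil(n/2) bytes of the secret, S2 the last ceil(n/2).

    With an odd-length secret the middle byte belongs to both halves
    (RFC 2246 5, last paragraph of the PRF definition).
    """
    half = (len(secret) + 1) // 2
    return secret[:half], secret[len(secret) - half:]


def p_hash(hash_name: str, secret: bytes, seed: bytes, length: int) -> bytes:
    """P_<hash>(secret, seed) expanded to `length` bytes.

    A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ...
    truncated to the requested length.
    """
    digest = _DIGESTS[hash_name]
    out = bytearray()
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, digest).digest()
        out += hmac.new(secret, a + seed, digest).digest()
    return bytes(out[:length])


def tls1_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """PRF(secret, label, seed) = P_MD5(S1, label + seed) XOR P_SHA1(S2, label + seed)."""
    s1, s2 = split_secret(secret)
    md5_part = p_hash("md5", s1, label + seed, length)
    sha1_part = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha1_part))


def md5_prf_available() -> bool:
    """The failure mode behind changes 456/457, reproduced locally.

    On an OpenSSL built or configured for FIPS, MD5 is refused and Python's
    hashlib raises ValueError when asked for it; in that situation the
    TLS 1.0 PRF cannot be computed at all, regardless of which API is used.
    """
    try:
        hmac.new(b"k", b"m", hashlib.md5).digest()
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs (not OpenVPN's real master secret or seed).
    demo_secret = bytes(range(48))
    demo_seed = b"\xcd" * 64
    if md5_prf_available():
        print(tls1_prf(demo_secret, b"demo label", demo_seed, 48).hex())
    else:
        print("TLS 1.0 PRF unavailable: MD5 refused by this crypto policy")
```

Run as a script it prints 48 bytes of PRF output for the constructed inputs, or the "unavailable" line on a FIPS-restricted host, which is the same condition the new OpenVPN error text describes.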
[Openvpn-devel] [PATCH v3] Add missing check for nl_socket_alloc failure
This can happen if the memory alloc fails. Patch V2: add goto error Patch V3: return -ENOMEM instead of going to error Change-Id: Iee66caa794d267ac5f8bee584633352893047171 Signed-off-by: Arne Schwabe --- src/openvpn/dco_linux.c | 6 ++ 1 file changed, 6 insertions(+) diff --git a/src/openvpn/dco_linux.c b/src/openvpn/dco_linux.c index b033f8543..3c91606b7 100644 --- a/src/openvpn/dco_linux.c +++ b/src/openvpn/dco_linux.c @@ -81,6 +81,12 @@ resolve_ovpn_netlink_id(int msglevel) int ret; struct nl_sock *nl_sock = nl_socket_alloc(); +if (!nl_sock) +{ +msg(msglevel, "Allocating net link socket failed"); +return -ENOMEM; +} + ret = genl_connect(nl_sock); if (ret) { -- 2.39.3 (Apple Git-145) ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
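Review bot: the early `return -ENOMEM` is only consistent if the rest of `resolve_ovpn_netlink_id()` (not shown in the hunk, including the `genl_connect()` error path right below) also returns a negative errno and every caller treats a negative return as failure; please confirm that, because a caller expecting zero-or-positive would otherwise use -ENOMEM as the netlink family id. Minor: the log text "Allocating net link socket failed" should say "netlink".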
[Openvpn-devel] [S] Change in openvpn[master]: Cache mbed TLS dependency and build latest 2.x mbed TLS as well
Attention is currently required from: flichtenheld. Hello flichtenheld, I'd like you to do a code review. Please visit http://gerrit.openvpn.net/c/openvpn/+/455?usp=email to review the following change. Change subject: Cache mbed TLS dependency and build latest 2.x mbed TLS as well .. Cache mbed TLS dependency and build latest 2.x mbed TLS as well Change-Id: I39fb3f05b6245af9ae5dd666bfc53ed07e5cfb24 --- M .github/workflows/build.yaml 1 file changed, 23 insertions(+), 7 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/55/455/1 diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index cd72f3d..c1f42dd 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -366,8 +366,8 @@ fail-fast: false matrix: os: [ubuntu-22.04] -ssllib: [mbedtls3] build: [ normal, asan ] +mbedtlsver: [ v3.5.1, v2.28.6 ] include: - build: asan cflags: "-fsanitize=address -fno-sanitize-recover=all -fno-optimize-sibling-calls -fsanitize-address-use-after-scope -fno-omit-frame-pointer -g -O1" 
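Review bot: dropping `ssllib: [mbedtls3]` and adding `mbedtlsver: [ v3.5.1, v2.28.6 ]` doubles the matrix (normal/asan times two mbed TLS versions), and since the job name is derived from the matrix the old "... - mbedtls3" job name disappears; anything that refers to that name (a required status check, for instance) has to be updated at the same time, so it is worth a line in the commit message.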
@@ -378,29 +378,45 @@ ldflags: "" cc: gcc -name: "${{matrix.cc}} ${{matrix.build}} - ${{matrix.os}} - ${{matrix.ssllib}}" +name: "${{matrix.cc}} ${{matrix.build}} - ${{matrix.os}} - mbed TLS ${{matrix.mbedtlsver}}" runs-on: ${{matrix.os}} env: CFLAGS: ${{ matrix.cflags }} LDFLAGS: ${{ matrix.ldflags }} CC: ${{matrix.cc}} UBSAN_OPTIONS: print_stacktrace=1 + MBEDTLS_CFLAGS: -I/opt/mbedtls/include + MBEDTLS_LIBS: -L/opt/mbedtls/lib -lmbedtls -lmbedx509 -lmbedcrypto steps: - name: Install dependencies run: sudo apt update && sudo apt install -y liblzo2-dev libpam0g-dev liblz4-dev linux-libc-dev man2html clang libcmocka-dev python3-docutils python3-jinja2 python3-jsonschema libtool automake autoconf pkg-config libcap-ng-dev libnl-genl-3-dev - - name: "mbedtls: checkout" + + - name: Cache mbed TLS +id: cache +uses: actions/cache@v3 +with: + path: '/opt/mbedtls' + key: ${{ matrix.build }}-mbedtls-${{matrix.mbedtlsver}}-${{matrix.cmakebuild}} + - name: "Mbed TLS: checkout" uses: actions/checkout@v3 with: path: mbedtls repository: Mbed-TLS/mbedtls - ref: v3.5.0 - - name: "mbedtls: make no_test" + ref: ${{ matrix.mbedtlsver} + if: steps.cache.outputs.cache-hit != 'true' + - name: "Mbed TLS: make no_test" run: make -j3 no_test SHARED=1 working-directory: mbedtls - - name: "mbedtls: make install" -run: sudo make install DESTDIR=/usr +if: steps.cache.outputs.cache-hit != 'true' + - name: "Mbed TLS: make install" +run: sudo make install DESTDIR=/opt/mbedtls working-directory: mbedtls +if: steps.cache.outputs.cache-hit != 'true' + - name: add /opt/mbedtls/lib to ld.so.conf.d +run: echo /opt/mbedtls/lib | sudo tee /etc/ld.so.conf.d/mbedtls.conf + - name: "ldconfig" +run: sudo ldconfig - name: Checkout OpenVPN uses: actions/checkout@v3 - name: autoconf -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/455?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: 
I39fb3f05b6245af9ae5dd666bfc53ed07e5cfb24 Gerrit-Change-Number: 455 Gerrit-PatchSet: 1 Gerrit-Owner: plaisthos Gerrit-Reviewer: flichtenheld Gerrit-CC: openvpn-devel Gerrit-Attention: flichtenheld Gerrit-MessageType: newchange ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
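Review bot: `ref: ${{ matrix.mbedtlsver}` in the "Mbed TLS: checkout" step is missing its closing `}}`, so the expression is not evaluated and the checkout will not get the intended tag; it should be `ref: ${{ matrix.mbedtlsver }}`. The cache key `${{ matrix.build }}-mbedtls-${{matrix.mbedtlsver}}-${{matrix.cmakebuild}}` also interpolates `matrix.cmakebuild`, which is not a key of this matrix (only `os`, `build` and `mbedtlsver` are), so it expands to empty; drop it. Keying on `matrix.build` is right, because the cached /opt/mbedtls tree is compiled with the job's CFLAGS and an asan job must never pick up the normal build's cache. Finally, `MBEDTLS_CFLAGS`/`MBEDTLS_LIBS` point at /opt/mbedtls, so the ld.so.conf.d entry and the `ldconfig` step must run on the cache-hit path as well, which they do since they carry no `if:` guard; good.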
[Openvpn-devel] [S] Change in openvpn[master]: Fix unaligned access in macOS/Solaris hwaddr
Attention is currently required from: flichtenheld. Hello flichtenheld, I'd like you to do a code review. Please visit http://gerrit.openvpn.net/c/openvpn/+/454?usp=email to review the following change. Change subject: Fix unaligned access in macOS/Solaris hwaddr .. Fix unaligned access in macOS/Solaris hwaddr The clang undefined behaviour sanitizer (UBSan) found this. This fix is a bit messy but so are the original structures. Change-Id: Ia797c8801fa9a9bc10b6674efde5fdbd7132e4a8 --- M src/openvpn/route.c 1 file changed, 33 insertions(+), 8 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/54/454/1 diff --git a/src/openvpn/route.c b/src/openvpn/route.c index ff64938..ab5bff7 100644 --- a/src/openvpn/route.c +++ b/src/openvpn/route.c @@ -3643,7 +3643,6 @@ if (rgi->flags & RGI_IFACE_DEFINED) { struct ifconf ifc; -struct ifreq *ifr; const int bufsize = 4096; char *buffer; 
@@ -3668,22 +3667,48 @@ for (cp = buffer; cp <= buffer + ifc.ifc_len - sizeof(struct ifreq); ) { -ifr = (struct ifreq *)cp; +struct ifreq ifr = { 0 }; +/* this is not always using an 8 byte alignment that struct ifr + * requires */ +memcpy(, cp, sizeof(struct ifreq)); #if defined(TARGET_SOLARIS) -const size_t len = sizeof(ifr->ifr_name) + sizeof(ifr->ifr_addr); +const size_t len = sizeof(ifr.ifr_name) + sizeof(ifr.ifr_addr); #else -const size_t len = sizeof(ifr->ifr_name) + max(sizeof(ifr->ifr_addr), ifr->ifr_addr.sa_len); +const size_t len = sizeof(ifr.ifr_name) + max(sizeof(ifr.ifr_addr), ifr.ifr_addr.sa_len); #endif -if (!ifr->ifr_addr.sa_family) +if (!ifr.ifr_addr.sa_family) { break; } -if (!strncmp(ifr->ifr_name, rgi->iface, IFNAMSIZ)) +if (!strncmp(ifr.ifr_name, rgi->iface, IFNAMSIZ)) { -if (ifr->ifr_addr.sa_family == AF_LINK) +if (ifr.ifr_addr.sa_family == AF_LINK) { -struct sockaddr_dl *sdl = (struct sockaddr_dl *)>ifr_addr; +/* This is a confusing member access on multiple levels. + * + * struct sockaddr_dl is 20 bytes in size and has + * 12 bytes space for the hw address (6 bytes) + * and Ethernet interface name (max 16 bytes) + * + * So if the interface name is more than 6 byte, it + * extends beyond the struct. + * + * This struct is embedded into ifreq that has + * 16 bytes for a sockaddr and also expects this + * struct to potentially extend beyond the bounds of + * the struct. 
+ * + * Since we only copied 32 bytes from cp to ifr but sdl + * might extend after ifr's end, we need to copy from + * cp directly to avoid missing out on extra bytes + * behind the struct + */ +const size_t sock_dl_len = max_int((int) (sizeof(struct sockaddr_dl)), + (int) (ifr.ifr_addr.sa_len)); + +struct sockaddr_dl *sdl = gc_malloc(sock_dl_len, true, ); +memcpy(sdl, cp + offsetof(struct ifreq, ifr_addr), sock_dl_len); memcpy(rgi->hwaddr, LLADDR(sdl), 6); rgi->flags |= RGI_HWADDR_DEFINED; } -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/454?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Ia797c8801fa9a9bc10b6674efde5fdbd7132e4a8 Gerrit-Change-Number: 454 Gerrit-PatchSet: 1 Gerrit-Owner: plaisthos Gerrit-Reviewer: flichtenheld Gerrit-CC: openvpn-devel Gerrit-Attention: flichtenheld Gerrit-MessageType: newchange ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
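Review bot: `sock_dl_len` is taken from `ifr.ifr_addr.sa_len` and then copied from `cp + offsetof(struct ifreq, ifr_addr)`, but the loop condition only guarantees that `sizeof(struct ifreq)` bytes remain after `cp`, not `sa_len` bytes (and `sizeof(struct sockaddr_dl)` already exceeds the space left in the ifreq, as the comment itself explains), so a sockaddr_dl at the end of `buffer` is read past the end of the 4096-byte allocation; this is the same over-read the old pointer cast did implicitly, now done by memcpy. Clamp `sock_dl_len` to `buffer + ifc.ifc_len - (cp + offsetof(struct ifreq, ifr_addr))` before the copy, and check `sdl->sdl_alen >= 6` before `memcpy(rgi->hwaddr, LLADDR(sdl), 6)`, since LLADDR() starts after the interface name and nothing here guarantees six address bytes follow. Separately, the AF_LINK block uses `ifr.ifr_addr.sa_len` outside the `#if defined(TARGET_SOLARIS)` guard a few lines above, which is the Solaris build break cron2 reports; and `gc_malloc()` inside the loop allocates once per interface entry until the gc arena is freed, bounded but avoidable with a single buffer sized to the clamped length.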
[Openvpn-devel] [M] Change in openvpn[master]: Rename state_change to continue_tls_process
Attention is currently required from: plaisthos. flichtenheld has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/452?usp=email ) Change subject: Rename state_change to continue_tls_process .. Patch Set 3: Code-Review+2 -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/452?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Ib6d713f2eb08a4c39d97de3e1a4a832cedc09585 Gerrit-Change-Number: 452 Gerrit-PatchSet: 3 Gerrit-Owner: plaisthos Gerrit-Reviewer: flichtenheld Gerrit-CC: openvpn-devel Gerrit-Attention: plaisthos Gerrit-Comment-Date: Tue, 21 Nov 2023 14:41:04 + Gerrit-HasComments: No Gerrit-Has-Labels: Yes Gerrit-MessageType: comment ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [M] Change in openvpn[master]: Print SSL peer signature information in handshake debug details
Attention is currently required from: flichtenheld. plaisthos has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/365?usp=email ) Change subject: Print SSL peer signature information in handshake debug details .. Patch Set 8: (1 comment) File src/openvpn/ssl_openssl.c: http://gerrit.openvpn.net/c/openvpn/+/365/comment/376c7362_26cd0b0d : PS7, Line 2214: const char *peer_sig_type = ""; > With libressl or openssl 1.0.2 this will print "" for now. […] Done -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/365?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Ib5fc0c4b8f164596681ac5ad73002068ec6de1e5 Gerrit-Change-Number: 365 Gerrit-PatchSet: 8 Gerrit-Owner: plaisthos Gerrit-Reviewer: flichtenheld Gerrit-CC: openvpn-devel Gerrit-Attention: flichtenheld Gerrit-Comment-Date: Tue, 21 Nov 2023 13:13:31 + Gerrit-HasComments: Yes Gerrit-Has-Labels: No Comment-In-Reply-To: flichtenheld Gerrit-MessageType: comment ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [XS] Change in openvpn[master]: configure.ac: Remove unused AC_TYPE_SIGNAL macro
Attention is currently required from: flichtenheld. plaisthos has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/453?usp=email ) Change subject: configure.ac: Remove unused AC_TYPE_SIGNAL macro .. Patch Set 1: Code-Review+2 -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/453?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I7da7c2d7d34c7e5efd52d448646b4398a1005e77 Gerrit-Change-Number: 453 Gerrit-PatchSet: 1 Gerrit-Owner: flichtenheld Gerrit-Reviewer: plaisthos Gerrit-CC: openvpn-devel Gerrit-Attention: flichtenheld Gerrit-Comment-Date: Tue, 21 Nov 2023 13:06:36 + Gerrit-HasComments: No Gerrit-Has-Labels: Yes Gerrit-MessageType: comment ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [S] Change in openvpn[master]: configure: allow to disable NTLM
Attention is currently required from: flichtenheld. plaisthos has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/378?usp=email ) Change subject: configure: allow to disable NTLM .. Patch Set 1: (1 comment) Patchset: PS1: Maybe we should add a line in Changes.rst to highlight this feature. -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/378?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I199f83e2db5fc7c48a0ac9280cdbf9fa45f42300 Gerrit-Change-Number: 378 Gerrit-PatchSet: 1 Gerrit-Owner: flichtenheld Gerrit-Reviewer: plaisthos Gerrit-CC: openvpn-devel Gerrit-Attention: flichtenheld Gerrit-Comment-Date: Tue, 21 Nov 2023 13:06:02 + Gerrit-HasComments: Yes Gerrit-Has-Labels: No Gerrit-MessageType: comment ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [S] Change in openvpn[master]: configure: allow to disable NTLM
Attention is currently required from: flichtenheld. plaisthos has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/378?usp=email ) Change subject: configure: allow to disable NTLM .. Patch Set 1: Code-Review+2 -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/378?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I199f83e2db5fc7c48a0ac9280cdbf9fa45f42300 Gerrit-Change-Number: 378 Gerrit-PatchSet: 1 Gerrit-Owner: flichtenheld Gerrit-Reviewer: plaisthos Gerrit-CC: openvpn-devel Gerrit-Attention: flichtenheld Gerrit-Comment-Date: Tue, 21 Nov 2023 13:05:38 + Gerrit-HasComments: No Gerrit-Has-Labels: Yes Gerrit-MessageType: comment ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [S] Change in openvpn[master]: Remove unused/uneeded defines from configure and cmake config
Attention is currently required from: plaisthos. Hello flichtenheld, I'd like you to reexamine a change. Please visit http://gerrit.openvpn.net/c/openvpn/+/443?usp=email to look at the new patch set (#3). Change subject: Remove unused/uneeded defines from configure and cmake config .. Remove unused/uneeded defines from configure and cmake config Change-Id: Ifd0376b36d4050dc22bc93b8fcf7ed29faef0021 --- M config.h.cmake.in M configure.ac 2 files changed, 1 insertion(+), 9 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/43/443/3 diff --git a/config.h.cmake.in b/config.h.cmake.in index 19b79bc..85f5fa5 100644 --- a/config.h.cmake.in +++ b/config.h.cmake.in @@ -139,9 +139,6 @@ /* Define to 1 if you have the `getpwnam' function. */ #cmakedefine HAVE_GETPWNAM -/* Define to 1 if you have the `getrlimit' function. */ -#undef HAVE_GETRLIMIT - /* Define to 1 if you have the `getsockname' function. */ #cmakedefine HAVE_GETSOCKNAME @@ -235,8 +232,6 @@ /* Define to 1 if you have the header file. */ #cmakedefine HAVE_PWD_H -/* Define to 1 if you have the `readv' function. */ -#undef HAVE_READV /* Define to 1 if you have the `recvmsg' function. */ #cmakedefine HAVE_RECVMSG @@ -383,9 +378,6 @@ /* Define to 1 if you have the header file. */ #undef HAVE_VFORK_H -/* Define to 1 if you have the `vsnprintf' function. */ -#undef HAVE_VSNPRINTF - /* we always assume a recent mbed TLS version */ #define HAVE_MBEDTLS_PSA_CRYPTO_H 1 #define HAVE_MBEDTLS_SSL_TLS_PRF 1 diff --git a/configure.ac b/configure.ac index 84eaad6..141acc6 100644 --- a/configure.ac +++ b/configure.ac 
@@ -655,7 +655,7 @@ AC_CHECK_FUNCS([ \ daemon chroot getpwnam setuid nice system dup dup2 \ syslog openlog mlockall getrlimit getgrnam setgid \ - setgroups flock readv writev time gettimeofday \ + setgroups flock time gettimeofday \ setsid chdir \ chsize ftruncate execve getpeereid basename dirname access \ epoll_create strsep \ -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/443?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Ifd0376b36d4050dc22bc93b8fcf7ed29faef0021 Gerrit-Change-Number: 443 Gerrit-PatchSet: 3 Gerrit-Owner: plaisthos Gerrit-Reviewer: flichtenheld Gerrit-CC: openvpn-devel Gerrit-Attention: plaisthos Gerrit-MessageType: newpatchset ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
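Review bot: config.h.cmake.in drops `HAVE_GETRLIMIT`, but the configure.ac hunk keeps `getrlimit` in AC_CHECK_FUNCS and only removes `readv writev`, so autoconf builds still define HAVE_GETRLIMIT while CMake builds no longer can; either take `getrlimit` out of the AC_CHECK_FUNCS list as well (if nothing tests the define any more) or keep the `#cmakedefine HAVE_GETRLIMIT` line. The `HAVE_READV` removal is consistent on both sides. Given the FreeBSD 7.4 point raised on patch set 2, the commit message should also say which of the dropped defines were only ever `#undef` placeholders and which guarded real code.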
[Openvpn-devel] [XS] Change in openvpn[master]: configure.ac: Remove unused AC_TYPE_SIGNAL macro
Attention is currently required from: plaisthos. Hello plaisthos, I'd like you to do a code review. Please visit http://gerrit.openvpn.net/c/openvpn/+/453?usp=email to review the following change. Change subject: configure.ac: Remove unused AC_TYPE_SIGNAL macro .. configure.ac: Remove unused AC_TYPE_SIGNAL macro Recent autoconf warns: configure.ac:448: warning: The macro `AC_TYPE_SIGNAL' is obsolete. And it turns out that we do not actually use RETSIGTYPE. Additionally, there is no reason to do so since as the autoconf documentation says: "These days, it is portable to assume C89, and that signal handlers return void, without needing to use this macro or RETSIGTYPE." Change-Id: I7da7c2d7d34c7e5efd52d448646b4398a1005e77 Signed-off-by: Frank Lichtenheld --- M configure.ac 1 file changed, 0 insertions(+), 1 deletion(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/53/453/1 diff --git a/configure.ac b/configure.ac index 84eaad6..5cc55c3 100644 --- a/configure.ac +++ b/configure.ac @@ -445,7 +445,6 @@ AC_TYPE_PID_T AC_TYPE_SIZE_T AC_TYPE_UID_T -AC_TYPE_SIGNAL AX_TYPE_SOCKLEN_T AC_CHECK_SIZEOF([unsigned int]) AC_CHECK_SIZEOF([unsigned long]) -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/453?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I7da7c2d7d34c7e5efd52d448646b4398a1005e77 Gerrit-Change-Number: 453 Gerrit-PatchSet: 1 Gerrit-Owner: flichtenheld Gerrit-Reviewer: plaisthos Gerrit-CC: openvpn-devel Gerrit-Attention: plaisthos Gerrit-MessageType: newchange ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
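Review bot: the configure.ac side is fine; since the commit message rests on RETSIGTYPE being unused, it would be worth stating that config.h.cmake.in carries no `RETSIGTYPE` line either, so the two build systems are removed in step and a later grep for the macro comes up empty on both.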
[Openvpn-devel] [PATCH applied] Re: sample-keys: renew for the next 10 years
Passes selftests on master and release/2.6, and that's all these keys are there for. A minor script change has made it into the patch (gen-sample-keys.sh) but this is fine as well (and only run for generating these files, not automatically). Your patch has been applied to the master and release/2.6 branch (because we expect 2.6 to be around longer than 2024). commit 78e0c5f2f57a18e8ea60951696a458a4b3ff3621 (master) commit c1a983e8b8815dbc6a4e3aadf159d4cc9205680d (release/2.6) Author: Frank Lichtenheld Date: Tue Nov 21 12:04:30 2023 +0100 sample-keys: renew for the next 10 years Signed-off-by: Frank Lichtenheld Message-Id: <20231121110430.16893-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27530.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v2] sample-keys: renew for the next 10 years
Old expiration was October 2024, less than a year away. Give everyone the chance to get the new keys before tests start failing. Change-Id: Ie264ec1ec61fd71e8cc87987be3e2adc2735c201 Signed-off-by: Frank Lichtenheld --- sample/sample-config-files/loopback-client | 319 +++-- sample/sample-keys/ca.crt | 67 ++--- sample/sample-keys/ca.key | 100 +++ sample/sample-keys/client-ec.crt | 135 - sample/sample-keys/client-ec.key | 6 +- sample/sample-keys/client-pass.key | 60 ++-- sample/sample-keys/client.crt | 162 +-- sample/sample-keys/client.key | 52 ++-- sample/sample-keys/client.p12 | Bin 4533 -> 4707 bytes sample/sample-keys/dh2048.pem | 12 +- sample/sample-keys/gen-sample-keys.sh | 3 +- sample/sample-keys/server-ec.crt | 146 +- sample/sample-keys/server-ec.key | 6 +- sample/sample-keys/server.crt | 170 +-- sample/sample-keys/server.key | 52 ++-- sample/sample-keys/ta.key | 32 +-- 16 files changed, 663 insertions(+), 659 deletions(-) Resend patch with binary diff. diff --git a/sample/sample-config-files/loopback-client b/sample/sample-config-files/loopback-client index 8ac3d1d7..76157eb8 100644 --- a/sample/sample-config-files/loopback-client +++ b/sample/sample-config-files/loopback-client 
@@ -24,70 +24,71 @@ remote-cert-tls server #ca sample-keys/ca.crt -BEGIN CERTIFICATE- -MIIGKDCCBBCgAwIBAgIJAKFO3vqQ8q6BMA0GCSqGSIb3DQEBCwUAMGYxCzAJBgNV -BAYTAktHMQswCQYDVQQIEwJOQTEQMA4GA1UEBxMHQklTSEtFSzEVMBMGA1UEChMM -T3BlblZQTi1URVNUMSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21haW4w -HhcNMTQxMDIyMjE1OTUyWhcNMjQxMDE5MjE1OTUyWjBmMQswCQYDVQQGEwJLRzEL -MAkGA1UECBMCTkExEDAOBgNVBAcTB0JJU0hLRUsxFTATBgNVBAoTDE9wZW5WUE4t -VEVTVDEhMB8GCSqGSIb3DQEJARYSbWVAbXlob3N0Lm15ZG9tYWluMIICIjANBgkq -hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAsJVPCqt3vtoDW2U0DII1QIh2Qs0dqh88 -8nivxAIm2LTq93e9fJhsq3P/UVYAYSeCIrekXypR0EQgSgcNTvGBMe20BoHO5yvb -GjKPmjfLj6XRotCOGy8EDl/hLgRY9efiA8wsVfuvF2q/FblyJQPR/gPiDtTmUiqF -qXa7AJmMrqFsnWppOuGd7Qc6aTsae4TF1e/gUTCTraa7NeHowDaKhdyFmEEnCYR5 -CeUsx2JlFWAH8PCrxBpHYbmGyvS0kH3+rQkaSM/Pzc2bS4ayHaOYRK5XsGq8XiNG -KTTLnSaCdPeHsI+3xMHmEh+u5Og2DFGgvyD22gde6W2ezvEKCUDrzR7bsnYqqyUy -n7LxnkPXGyvR52T06G8KzLKQRmDlPIXhzKMO07qkHmIonXTdF7YI1azwHpAtN4dS -rUe1bvjiTSoEsQPfOAyvD0RMK/CBfgEZUzAB50e/IlbZ84c0DJfUMOm4xCyft1HF -YpYeyCf5dxoIjweCPOoP426+aTXM7kqq0ieIr6YxnKV6OGGLKEY+VNZh1DS7enqV -HP5i8eimyuUYPoQhbK9xtDGMgghnc6Hn8BldPMcvz98HdTEH4rBfA3yNuCxLSNow -4jJuLjNXh2QeiUtWtkXja7ec+P7VqKTduJoRaX7cs+8E3ImigiRnvmK+npk7Nt1y -YE9hBRhSoLsCAwEAAaOB2DCB1TAdBgNVHQ4EFgQUK0DlyX319JY46S/jL9lAZMmO -BZswgZgGA1UdIwSBkDCBjYAUK0DlyX319JY46S/jL9lAZMmOBZuhaqRoMGYxCzAJ -BgNVBAYTAktHMQswCQYDVQQIEwJOQTEQMA4GA1UEBxMHQklTSEtFSzEVMBMGA1UE -ChMMT3BlblZQTi1URVNUMSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21h -aW6CCQChTt76kPKugTAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG -9w0BAQsFAAOCAgEABc77f4C4P8fIS+V8qCJmVNSDU44UZBc+D+J6ZTgW8JeOHUIj -Bh++XDg3gwat7pIWQ8AU5R7h+fpBI9n3dadyIsMHGwSogHY9Gw7di2RVtSFajEth -rvrq0JbzpwoYedMh84sJ2qI/DGKW9/Is9+O52fR+3z3dY3gNRDPQ5675BQ5CQW9I -AJgLOqzD8Q0qrXYi7HaEqzNx6p7RDTuhFgvTd+vS5d5+28Z5fm2umnq+GKHF8W5P -ylp2Js119FTVO7brusAMKPe5emc7tC2ov8OFFemQvfHR41PLryap2VD81IOgmt/J -kX/j/y5KGux5HZ3lxXqdJbKcAq4NKYQT0mCkRD4l6szaCEJ+k0SiM9DdTcBDefhR -9q+pCOyMh7d8QjQ1075mF7T+PGkZQUW1DUjEfrZhICnKgq+iEoUmM0Ee5WtRqcnu 
-5BTGQ2mSfc6rV+Vr+eYXqcg7Nxb3vFXYSTod1UhefonVqwdmyJ2sC79zp36Tbo2+ -65NW2WJK7KzPUyOJU0U9bcu0utvDOvGWmG+aHbymJgcoFzvZmlXqMXn97pSFn4jV -y3SLRgJXOw1QLXL2Y5abcuoBVr4gCOxxk2vBeVxOMRXNqSWZOFIF1bu/PxuDA+Sa -hEi44aHbPXt9opdssz/hdGfd8Wo7vEJrbg7c6zR6C/Akav1Rzy9oohIdgOw= +MIIGPjCCBCagAwIBAgIUb1C400ZucjRZvAAz3XyuEusnRgYwDQYJKoZIhvcNAQEL +BQAwZjELMAkGA1UEBhMCS0cxCzAJBgNVBAgMAk5BMRAwDgYDVQQHDAdCSVNIS0VL +MRUwEwYDVQQKDAxPcGVuVlBOLVRFU1QxITAfBgkqhkiG9w0BCQEWEm1lQG15aG9z +dC5teWRvbWFpbjAeFw0yMzExMDcxMjIzMzlaFw0zMzExMDQxMjIzMzlaMGYxCzAJ +BgNVBAYTAktHMQswCQYDVQQIDAJOQTEQMA4GA1UEBwwHQklTSEtFSzEVMBMGA1UE +CgwMT3BlblZQTi1URVNUMSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21h +aW4wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCI+p/ZLGUHCANTTFaK +nw+J3wi+ef2EKJ5WHt5PWMuBeaDpeU4Ghuaow8HlRPjG9lDRHtn+WQgZz9nUejYH ++wtmN2BHwJAM4OeUVoB95tBrxd/VDCrdIvypVKldHsU3VkEbvPAl1jq68WVk+DXM +FZqTUoafDK+irOvL7Z5j2gA3FDzRUQs0L+jCvRTl4omFSjSQwoBCoVXxNEAg9jgy +lNWUHx+JHDB8dk+gEmDai20ggBWeAeThUU9dVZvwjv4E7zMRMx1skCRdWcyALJQf +fjc9q6gnB9X9nPxXdWb/lYKcivJBmBRHLeirnUFL2S2IYRc2H0ZbX1d+WzDJV37+ +DKYy9ehltyHFiaXmZThJ2Kg/mAD55U3NCWNBXmQ0CvzhUh6QIQiOJNQHmK0qxgnc +POJeE4X55dv1nAGD/0fGeHTcuShzUoipCKAd1CZdXK2Ge3gZRH2WUvlQGd5JARd4 +3zbd2wXZX0h0e1/BWQVeXx/Cg6u31B5lll7B3rWeoZHvfV9DSC7e3IEOhgzG5cyA +h+wrtlCszjiMreHSSYCQh9tlyK+ACOJUFtZFGdseBsMxRgXWtHr+ypW2iJI4KsEU +/MNXr1Bqg7FGxIw0Oyc2zyzjgD9aq4CKEy64MYB1ZYf41Rbc2Z+pMx1MW9orsPp7 +qSp6SmpTk0RTHpH0O2wNC9F26wIDAQABo4HjMIHgMB0GA1UdDgQWBBRzsbjWipVr +EuB0fMVXVZiUW6x4XjCBowYDVR0jBIGbMIGYgBRzsbjWipVrEuB0fMVXVZiUW6x4
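Review bot: the hunk as archived stops partway through the new CA certificate, so only the loopback-client change can actually be reviewed from this mail; the diffstat lists gen-sample-keys.sh, ta.key, client.p12 and the server/client key pairs, none of which are visible here. What is visible checks out: decoding the validity field of the new certificate gives notBefore 2023-11-07 and notAfter 2033-11-04, the ten years the subject promises, and the old one indeed expires 2024-10-19; the signature algorithm stays sha256WithRSAEncryption. Since ca.key and every private key ship in the repository, the renewed material is exactly as public as the old one; a one-line reminder in the commit message that these are test-only keys would not hurt.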
[Openvpn-devel] [XS] Change in openvpn[master]: Remove unused function prototype crypto_adjust_frame_parameters
cron2 has uploaded a new patch set (#2) to the change originally created by plaisthos. ( http://gerrit.openvpn.net/c/openvpn/+/451?usp=email ) The following approvals got outdated and were removed: Code-Review+2 by flichtenheld Change subject: Remove unused function prototype crypto_adjust_frame_parameters .. Remove unused function prototype crypto_adjust_frame_parameters Change-Id: I1141eb7740d8900ed4af0ff5ff52aa3659df99aa Acked-by: Frank Lichtenheld Message-Id: <20231121104037.15307-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27524.html Signed-off-by: Gert Doering --- M src/openvpn/crypto.h 1 file changed, 0 insertions(+), 6 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/51/451/2 diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h index c5fd253..9255d38 100644 --- a/src/openvpn/crypto.h +++ b/src/openvpn/crypto.h @@ -429,12 +429,6 @@ struct gc_arena *gc); -/** Calculate crypto overhead and adjust frame to account for that */ -void crypto_adjust_frame_parameters(struct frame *frame, -const struct key_type *kt, -bool packet_id, -bool packet_id_long_form); - /** Calculate the maximum overhead that our encryption has * on a packet. This does not include needed additional buffer size * -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/451?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I1141eb7740d8900ed4af0ff5ff52aa3659df99aa Gerrit-Change-Number: 451 Gerrit-PatchSet: 2 Gerrit-Owner: plaisthos Gerrit-Reviewer: flichtenheld Gerrit-CC: openvpn-devel Gerrit-MessageType: newpatchset ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [XS] Change in openvpn[master]: Remove unused function prototype crypto_adjust_frame_parameters
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/451?usp=email ) Change subject: Remove unused function prototype crypto_adjust_frame_parameters .. Remove unused function prototype crypto_adjust_frame_parameters Change-Id: I1141eb7740d8900ed4af0ff5ff52aa3659df99aa Acked-by: Frank Lichtenheld Message-Id: <20231121104037.15307-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27524.html Signed-off-by: Gert Doering --- M src/openvpn/crypto.h 1 file changed, 0 insertions(+), 6 deletions(-) diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h index c5fd253..9255d38 100644 --- a/src/openvpn/crypto.h +++ b/src/openvpn/crypto.h @@ -429,12 +429,6 @@ struct gc_arena *gc); -/** Calculate crypto overhead and adjust frame to account for that */ -void crypto_adjust_frame_parameters(struct frame *frame, -const struct key_type *kt, -bool packet_id, -bool packet_id_long_form); - /** Calculate the maximum overhead that our encryption has * on a packet. This does not include needed additional buffer size * -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/451?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I1141eb7740d8900ed4af0ff5ff52aa3659df99aa Gerrit-Change-Number: 451 Gerrit-PatchSet: 2 Gerrit-Owner: plaisthos Gerrit-Reviewer: flichtenheld Gerrit-CC: openvpn-devel Gerrit-MessageType: merged ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: Remove unused function prototype crypto_adjust_frame_parameters
This was an easy one. Quick local review and test compile, and ship it :-) Your patch has been applied to the master and release/2.6 branch (because it really is no actual *code* change at all, and keeping changes between branches small is desirable). commit 66f109117649237947e3e5cd33a36f81bde71a2b (master) commit d25b408db680be0ffc357126cc421231b880f18b (release/2.6) Author: Arne Schwabe Date: Tue Nov 21 11:40:37 2023 +0100 Remove unused function prototype crypto_adjust_frame_parameters Acked-by: Frank Lichtenheld Message-Id: <20231121104037.15307-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27524.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [S] Change in openvpn[master]: Remove unused/uneeded defines from configure and cmake config
Attention is currently required from: plaisthos. flichtenheld has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/443?usp=email ) Change subject: Remove unused/uneeded defines from configure and cmake config .. Patch Set 2: -Code-Review (2 comments) Commit Message: http://gerrit.openvpn.net/c/openvpn/+/443/comment/8af57972_611b89ce : PS2, Line 11: has become a standard feature so all compilers nowadays support it. Turns out that is not the case since we still build on FreeBSD 7.4 ... Patchset: PS2: Resetting my vote until the topic of very old compilers is discussed. -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/443?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Ifd0376b36d4050dc22bc93b8fcf7ed29faef0021 Gerrit-Change-Number: 443 Gerrit-PatchSet: 2 Gerrit-Owner: plaisthos Gerrit-Reviewer: flichtenheld Gerrit-CC: openvpn-devel Gerrit-Attention: plaisthos Gerrit-Comment-Date: Tue, 21 Nov 2023 10:47:34 + Gerrit-HasComments: Yes Gerrit-Has-Labels: Yes Gerrit-MessageType: comment ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v1] Introduce report_command_status helper function
From: Arne Schwabe Instead of repeating near identical code several times in manage.c, use a small helper function instead. Change-Id: I91f739f5cb43386b2ce767cf3603a76e6b93e216 Acked-by: Frank Lichtenheld Signed-off-by: Arne Schwabe --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/450 This mail reflects revision 1 of this Change. Acked-by according to Gerrit (reflected above): Frank Lichtenheld diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c index feb62b2..3cf392a 100644 --- a/src/openvpn/manage.c +++ b/src/openvpn/manage.c @@ -284,6 +284,24 @@ #endif } + +/** + * Small function to report the success or failure of a command to + * the management interface + */ +static void +report_command_status(const bool status, const char *command) +{ +if (status) +{ +msg(M_CLIENT, "SUCCESS: %s command succeeded", command); +} +else +{ +msg(M_CLIENT, "ERROR: %s command failed", command); +} +} + static void man_delete_unix_socket(struct management *man) { @@ -974,14 +992,7 @@ NULL, man->connection.in_extra); man->connection.in_extra = NULL; -if (status) -{ -msg(M_CLIENT, "SUCCESS: client-auth command succeeded"); -} -else -{ -msg(M_CLIENT, "ERROR: client-auth command failed"); -} +report_command_status(status, "client_auth"); } else { @@ -1260,14 +1271,7 @@ if (man->persist.callback.proxy_cmd) { const bool status = (*man->persist.callback.proxy_cmd)(man->persist.callback.arg, p); -if (status) -{ -msg(M_CLIENT, "SUCCESS: proxy command succeeded"); -} -else -{ -msg(M_CLIENT, "ERROR: proxy command failed"); -} +report_command_status(status, "proxy"); } else { 
@@ -1281,14 +1285,7 @@ if (man->persist.callback.remote_cmd) { const bool status = (*man->persist.callback.remote_cmd)(man->persist.callback.arg, p); -if (status) -{ -msg(M_CLIENT, "SUCCESS: remote command succeeded"); -} -else -{ -msg(M_CLIENT, "ERROR: remote command failed"); -} +report_command_status(status, "remote"); } else { ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
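Review bot: the client-auth call site changes the text the management client sees: the code being replaced emitted `SUCCESS: client-auth command succeeded` / `ERROR: client-auth command failed`, while `report_command_status(status, "client_auth");` now prints `client_auth` with an underscore, which breaks any management-interface consumer that matches on the old wording. The argument should be `"client-auth"` so the helper stays a pure refactoring, as it is for `"proxy"` and `"remote"`.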
[Openvpn-devel] [PATCH v1] Remove unused function prototype crypto_adjust_frame_parameters
From: Arne Schwabe Change-Id: I1141eb7740d8900ed4af0ff5ff52aa3659df99aa Acked-by: Frank Lichtenheld --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/451 This mail reflects revision 1 of this Change. Acked-by according to Gerrit (reflected above): Frank Lichtenheld diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h index c5fd253..9255d38 100644 --- a/src/openvpn/crypto.h +++ b/src/openvpn/crypto.h @@ -429,12 +429,6 @@ struct gc_arena *gc); -/** Calculate crypto overhead and adjust frame to account for that */ -void crypto_adjust_frame_parameters(struct frame *frame, -const struct key_type *kt, -bool packet_id, -bool packet_id_long_form); - /** Calculate the maximum overhead that our encryption has * on a packet. This does not include needed additional buffer size * ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
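Review bot: the commit message is only a Change-Id; a one-line body naming the change that removed the definition of crypto_adjust_frame_parameters (so the prototype is confirmed dangling rather than merely unreferenced) would make this easy to verify later. The hunk itself is fine; the doc comment that remains belongs to the next declaration.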
[Openvpn-devel] [PATCH v3] Log SSL alerts more prominently
From: Arne Schwabe When we receive an SSL alert from a server we currently only log a very cryptic OpenSSL error message: OpenSSL: error:0A00042E:SSL routines::tlsv1 alert protocol version:SSL alert number 70 This also enables logging the much more readable SSL error message: Received fatal SSL alert: protocol version which previously needed --verb 8 to be displayed (now verb 3). Also rework the message to be better readable. Change-Id: I6bdab3028c9bd679c31d4177a746a3ea505dcbbf Signed-off-by: Arne Schwabe Acked-by: Frank Lichtenheld --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/448 This mail reflects revision 3 of this Change. Acked-by according to Gerrit (reflected above): Frank Lichtenheld diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 23e7623..82872bf 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -196,8 +196,8 @@ } else if (where & SSL_CB_ALERT) { -dmsg(D_HANDSHAKE_VERBOSE, "SSL alert (%s): %s: %s", - where & SSL_CB_READ ? "read" : "write", +dmsg(D_TLS_DEBUG_LOW, "%s %s SSL alert: %s", + where & SSL_CB_READ ? "Received" : "Sent", SSL_alert_type_string_long(ret), SSL_alert_desc_string_long(ret)); } ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
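Review bot: `dmsg()` is compiled out when OpenVPN is built with `--disable-debug`, so on such a build the new line still does not appear at verb 3 despite what the commit message promises; `msg(D_TLS_DEBUG_LOW, ...)` would reach every build. The reworded format does yield the quoted `Received fatal SSL alert: protocol version` (`SSL_alert_type_string_long` returns `fatal`/`warning`/`unknown`).

The patch above leaves both the readable line and OpenSSL's own error string in the log, and the two carry the same information in different shapes. The following script, an added example that is not part of OpenVPN, normalises both forms into one record and flags peers that keep producing fatal alerts, which is what a detection rule on these logs would key on. Assumed, not taken from the page: the log line layout (`<date> <time> [<ip>:<port> ]<message>`, the timestamp and per-client address prefix an OpenVPN server writes), the sample log lines (constructed), and the alert-number table, which is a subset of the TLS AlertDescription registry spelled the way `SSL_alert_desc_string_long()` prints it.

```python
import re
from collections import Counter, defaultdict

# Subset of the TLS AlertDescription registry (RFC 5246 sect. 7.2, RFC 8446
# sect. 6), keyed by the spelling OpenSSL's SSL_alert_desc_string_long()
# uses, which is what the new OpenVPN log line prints.  Not exhaustive.
ALERT_NUMBERS = {
    "close notify": 0, "unexpected message": 10, "bad record mac": 20,
    "handshake failure": 40, "bad certificate": 42, "certificate expired": 45,
    "certificate unknown": 46, "illegal parameter": 47, "unknown CA": 48,
    "access denied": 49, "decode error": 50, "decrypt error": 51,
    "protocol version": 70, "insufficient security": 71, "internal error": 80,
    "no renegotiation": 100, "unsupported extension": 110,
    "unrecognized name": 112, "no application protocol": 120,
}

# Assumed line layout: "<date> <time> [<ip>:<port> ]<message>".  Lines
# without a timestamp are still parsed, just without ts/peer.
LINE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
                  r"(?:(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+ )?(?P<msg>.*)$")
# Readable form introduced by this patch: "Received fatal SSL alert: protocol version"
NEW_STYLE = re.compile(r"^(?P<dir>Received|Sent) (?P<level>fatal|warning|unknown) "
                       r"SSL alert: (?P<desc>.+)$")
# OpenSSL's own error string, still logged alongside; it carries the alert
# number explicitly and always describes a fatal alert the peer sent us.
OLD_STYLE = re.compile(r"^OpenSSL: error:[0-9A-Fa-f]+:SSL routines::\w+ alert "
                       r"(?P<desc>[^:]+):SSL alert number (?P<num>\d+)$")


def parse_alert(line):
    """Normalise one log line into a dict, or return None if it is not an alert."""
    line = line.rstrip()
    m = LINE.match(line)
    ts, ip, msg = (m.group("ts"), m.group("ip"), m.group("msg")) if m else (None, None, line)
    m = NEW_STYLE.match(msg)
    if m:
        return {"ts": ts, "peer": ip, "direction": m.group("dir").lower(),
                "level": m.group("level"), "description": m.group("desc"),
                "number": ALERT_NUMBERS.get(m.group("desc"))}
    m = OLD_STYLE.match(msg)
    if m:
        return {"ts": ts, "peer": ip, "direction": "received", "level": "fatal",
                "description": m.group("desc"), "number": int(m.group("num"))}
    return None


def fatal_alert_storms(lines, threshold=3):
    """Count fatal alerts received per peer address; return the peers at or
    above `threshold` as {ip: Counter({alert_number: count})}.

    One failed handshake now yields both the readable line and the OpenSSL
    error line, so events are de-duplicated on (timestamp, peer, number)
    before counting.  Lines without a timestamp are keyed by position.
    """
    seen = set()
    per_peer = defaultdict(Counter)
    for idx, line in enumerate(lines):
        a = parse_alert(line)
        if not a or a["level"] != "fatal" or a["direction"] != "received":
            continue
        key = (a["ts"] if a["ts"] is not None else idx, a["peer"], a["number"])
        if key in seen:
            continue
        seen.add(key)
        per_peer[a["peer"]][a["number"]] += 1
    return {ip: c for ip, c in per_peer.items() if sum(c.values()) >= threshold}


# Constructed sample log: one client hammering a server with old-protocol
# handshakes (the readable line plus OpenSSL's line for the first attempt),
# one normal session closing, and one unrelated line.
SAMPLE_LOG = """\
2023-11-21 10:39:30 203.0.113.5:49152 Received fatal SSL alert: protocol version
2023-11-21 10:39:30 203.0.113.5:49152 OpenSSL: error:0A00042E:SSL routines::tlsv1 alert protocol version:SSL alert number 70
2023-11-21 10:39:31 203.0.113.5:49153 Received fatal SSL alert: protocol version
2023-11-21 10:39:33 203.0.113.5:49154 Received fatal SSL alert: handshake failure
2023-11-21 10:40:02 198.51.100.7:1194 Sent warning SSL alert: close notify
2023-11-21 10:40:05 198.51.100.7:1194 TLS: Initial packet from [AF_INET]198.51.100.7:1194, sid=deadbeef
"""

if __name__ == "__main__":
    for ip, counts in fatal_alert_storms(SAMPLE_LOG.splitlines()).items():
        print(ip, dict(counts))
```

The threshold and the per-address key are the tunables: on a server with many clients behind one NAT a per-address rule will fire on a broken client population, so in practice the count would be joined with the `TLS: Initial packet` line above to separate sessions.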
[Openvpn-devel] [PATCH v2] sample-keys: renew for the next 10 years
Old expiration was October 2024, less than a year away. Give everyone the chance to get the new keys before tests start failing. Change-Id: Ie264ec1ec61fd71e8cc87987be3e2adc2735c201 Signed-off-by: Frank Lichtenheld Acked-by: Arne Schwabe --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/422 This mail reflects revision 2 of this Change. Acked-by according to Gerrit (reflected above): Arne Schwabe diff --git a/sample/sample-config-files/loopback-client b/sample/sample-config-files/loopback-client index 8ac3d1d..76157eb 100644 --- a/sample/sample-config-files/loopback-client +++ b/sample/sample-config-files/loopback-client 
@@ -24,70 +24,71 @@ #ca sample-keys/ca.crt -BEGIN CERTIFICATE- -MIIGKDCCBBCgAwIBAgIJAKFO3vqQ8q6BMA0GCSqGSIb3DQEBCwUAMGYxCzAJBgNV -BAYTAktHMQswCQYDVQQIEwJOQTEQMA4GA1UEBxMHQklTSEtFSzEVMBMGA1UEChMM -T3BlblZQTi1URVNUMSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21haW4w -HhcNMTQxMDIyMjE1OTUyWhcNMjQxMDE5MjE1OTUyWjBmMQswCQYDVQQGEwJLRzEL -MAkGA1UECBMCTkExEDAOBgNVBAcTB0JJU0hLRUsxFTATBgNVBAoTDE9wZW5WUE4t -VEVTVDEhMB8GCSqGSIb3DQEJARYSbWVAbXlob3N0Lm15ZG9tYWluMIICIjANBgkq -hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAsJVPCqt3vtoDW2U0DII1QIh2Qs0dqh88 -8nivxAIm2LTq93e9fJhsq3P/UVYAYSeCIrekXypR0EQgSgcNTvGBMe20BoHO5yvb -GjKPmjfLj6XRotCOGy8EDl/hLgRY9efiA8wsVfuvF2q/FblyJQPR/gPiDtTmUiqF -qXa7AJmMrqFsnWppOuGd7Qc6aTsae4TF1e/gUTCTraa7NeHowDaKhdyFmEEnCYR5 -CeUsx2JlFWAH8PCrxBpHYbmGyvS0kH3+rQkaSM/Pzc2bS4ayHaOYRK5XsGq8XiNG -KTTLnSaCdPeHsI+3xMHmEh+u5Og2DFGgvyD22gde6W2ezvEKCUDrzR7bsnYqqyUy -n7LxnkPXGyvR52T06G8KzLKQRmDlPIXhzKMO07qkHmIonXTdF7YI1azwHpAtN4dS -rUe1bvjiTSoEsQPfOAyvD0RMK/CBfgEZUzAB50e/IlbZ84c0DJfUMOm4xCyft1HF -YpYeyCf5dxoIjweCPOoP426+aTXM7kqq0ieIr6YxnKV6OGGLKEY+VNZh1DS7enqV -HP5i8eimyuUYPoQhbK9xtDGMgghnc6Hn8BldPMcvz98HdTEH4rBfA3yNuCxLSNow -4jJuLjNXh2QeiUtWtkXja7ec+P7VqKTduJoRaX7cs+8E3ImigiRnvmK+npk7Nt1y -YE9hBRhSoLsCAwEAAaOB2DCB1TAdBgNVHQ4EFgQUK0DlyX319JY46S/jL9lAZMmO -BZswgZgGA1UdIwSBkDCBjYAUK0DlyX319JY46S/jL9lAZMmOBZuhaqRoMGYxCzAJ -BgNVBAYTAktHMQswCQYDVQQIEwJOQTEQMA4GA1UEBxMHQklTSEtFSzEVMBMGA1UE -ChMMT3BlblZQTi1URVNUMSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21h -aW6CCQChTt76kPKugTAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG -9w0BAQsFAAOCAgEABc77f4C4P8fIS+V8qCJmVNSDU44UZBc+D+J6ZTgW8JeOHUIj -Bh++XDg3gwat7pIWQ8AU5R7h+fpBI9n3dadyIsMHGwSogHY9Gw7di2RVtSFajEth -rvrq0JbzpwoYedMh84sJ2qI/DGKW9/Is9+O52fR+3z3dY3gNRDPQ5675BQ5CQW9I -AJgLOqzD8Q0qrXYi7HaEqzNx6p7RDTuhFgvTd+vS5d5+28Z5fm2umnq+GKHF8W5P -ylp2Js119FTVO7brusAMKPe5emc7tC2ov8OFFemQvfHR41PLryap2VD81IOgmt/J -kX/j/y5KGux5HZ3lxXqdJbKcAq4NKYQT0mCkRD4l6szaCEJ+k0SiM9DdTcBDefhR -9q+pCOyMh7d8QjQ1075mF7T+PGkZQUW1DUjEfrZhICnKgq+iEoUmM0Ee5WtRqcnu 
-5BTGQ2mSfc6rV+Vr+eYXqcg7Nxb3vFXYSTod1UhefonVqwdmyJ2sC79zp36Tbo2+ -65NW2WJK7KzPUyOJU0U9bcu0utvDOvGWmG+aHbymJgcoFzvZmlXqMXn97pSFn4jV -y3SLRgJXOw1QLXL2Y5abcuoBVr4gCOxxk2vBeVxOMRXNqSWZOFIF1bu/PxuDA+Sa -hEi44aHbPXt9opdssz/hdGfd8Wo7vEJrbg7c6zR6C/Akav1Rzy9oohIdgOw= +MIIGPjCCBCagAwIBAgIUb1C400ZucjRZvAAz3XyuEusnRgYwDQYJKoZIhvcNAQEL +BQAwZjELMAkGA1UEBhMCS0cxCzAJBgNVBAgMAk5BMRAwDgYDVQQHDAdCSVNIS0VL +MRUwEwYDVQQKDAxPcGVuVlBOLVRFU1QxITAfBgkqhkiG9w0BCQEWEm1lQG15aG9z +dC5teWRvbWFpbjAeFw0yMzExMDcxMjIzMzlaFw0zMzExMDQxMjIzMzlaMGYxCzAJ +BgNVBAYTAktHMQswCQYDVQQIDAJOQTEQMA4GA1UEBwwHQklTSEtFSzEVMBMGA1UE +CgwMT3BlblZQTi1URVNUMSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21h +aW4wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCI+p/ZLGUHCANTTFaK +nw+J3wi+ef2EKJ5WHt5PWMuBeaDpeU4Ghuaow8HlRPjG9lDRHtn+WQgZz9nUejYH ++wtmN2BHwJAM4OeUVoB95tBrxd/VDCrdIvypVKldHsU3VkEbvPAl1jq68WVk+DXM +FZqTUoafDK+irOvL7Z5j2gA3FDzRUQs0L+jCvRTl4omFSjSQwoBCoVXxNEAg9jgy +lNWUHx+JHDB8dk+gEmDai20ggBWeAeThUU9dVZvwjv4E7zMRMx1skCRdWcyALJQf +fjc9q6gnB9X9nPxXdWb/lYKcivJBmBRHLeirnUFL2S2IYRc2H0ZbX1d+WzDJV37+ +DKYy9ehltyHFiaXmZThJ2Kg/mAD55U3NCWNBXmQ0CvzhUh6QIQiOJNQHmK0qxgnc +POJeE4X55dv1nAGD/0fGeHTcuShzUoipCKAd1CZdXK2Ge3gZRH2WUvlQGd5JARd4 +3zbd2wXZX0h0e1/BWQVeXx/Cg6u31B5lll7B3rWeoZHvfV9DSC7e3IEOhgzG5cyA +h+wrtlCszjiMreHSSYCQh9tlyK+ACOJUFtZFGdseBsMxRgXWtHr+ypW2iJI4KsEU +/MNXr1Bqg7FGxIw0Oyc2zyzjgD9aq4CKEy64MYB1ZYf41Rbc2Z+pMx1MW9orsPp7 +qSp6SmpTk0RTHpH0O2wNC9F26wIDAQABo4HjMIHgMB0GA1UdDgQWBBRzsbjWipVr +EuB0fMVXVZiUW6x4XjCBowYDVR0jBIGbMIGYgBRzsbjWipVrEuB0fMVXVZiUW6x4 +XqFqpGgwZjELMAkGA1UEBhMCS0cxCzAJBgNVBAgMAk5BMRAwDgYDVQQHDAdCSVNI +S0VLMRUwEwYDVQQKDAxPcGVuVlBOLVRFU1QxITAfBgkqhkiG9w0BCQEWEm1lQG15 +aG9zdC5teWRvbWFpboIUb1C400ZucjRZvAAz3XyuEusnRgYwDAYDVR0TBAUwAwEB +/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQELBQADggIBABqhFuSPgqplHQtFnWwQ +TKfrElQJ07gF0eaBBijQVSm2MswB2xnWF/S2NRjIpw7k5ZlmZsAbCVcGMwqJOkfJ +yX3Z7gK+yNrZehzNSOCkv+H79ExsS9/HETSqZxMevIIH7O0t/pACv20f85unBzhc +x+980RzufuHK17sG3Z+z+d6i9XDhaZvV/gm6bWTXft1ufRzI5R48xWVAfJd1X9Ln 
+bZmqF9Ye1GHxka1Xna9nOCgAuYYoGxq2VkUSIjlRCMaLCHlsWEn0JbRnQXPfBts6 +/yQBywcEekKRutCugn5bn625kAJHWGxcb0xIXj+Rqnp2++p33lbE4J09zfIkh5hV +RvCSzaE0Z3Kly9237CV+DyAqzrBJq5HHN/AT6+xFd2yGPMPKH8hKbf3jIprexNEp +oG1XC/dsPFkPLUyeD++kVjzsLiDmYAn2x3Dco6cWD7FfEljb1pHkAp5CctU9TjZH
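Both [PATCH v2] mails above carry the same loopback-client hunk, which swaps the inlined sample CA for one that expires in 2033 because the old one ran out in October 2024. The script below, an added example that is not part of OpenVPN, does the check a maintainer would want to automate: it finds the inline `<ca>` block in a config and reads notBefore/notAfter straight out of the DER, without needing `openssl`. Its inputs are the first four base64 lines of the old and new sample CA exactly as they appear in the diff (a prefix is enough, since the validity field sits within the first ~190 bytes of a certificate; the rest of both certificates is deliberately omitted) plus a constructed client config that inlines the old one. The function names are this example's own.

```python
import base64
import re
from datetime import datetime, timezone

# First four base64 lines of the old and new sample CA from the diff above.
# Truncated on purpose: everything up to and including the validity field
# is present, the rest of each certificate is not.
OLD_CA_PEM_PREFIX = """-----BEGIN CERTIFICATE-----
MIIGKDCCBBCgAwIBAgIJAKFO3vqQ8q6BMA0GCSqGSIb3DQEBCwUAMGYxCzAJBgNV
BAYTAktHMQswCQYDVQQIEwJOQTEQMA4GA1UEBxMHQklTSEtFSzEVMBMGA1UEChMM
T3BlblZQTi1URVNUMSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21haW4w
HhcNMTQxMDIyMjE1OTUyWhcNMjQxMDE5MjE1OTUyWjBmMQswCQYDVQQGEwJLRzEL
"""
NEW_CA_PEM_PREFIX = """-----BEGIN CERTIFICATE-----
MIIGPjCCBCagAwIBAgIUb1C400ZucjRZvAAz3XyuEusnRgYwDQYJKoZIhvcNAQEL
BQAwZjELMAkGA1UEBhMCS0cxCzAJBgNVBAgMAk5BMRAwDgYDVQQHDAdCSVNIS0VL
MRUwEwYDVQQKDAxPcGVuVlBOLVRFU1QxITAfBgkqhkiG9w0BCQEWEm1lQG15aG9z
dC5teWRvbWFpbjAeFw0yMzExMDcxMjIzMzlaFw0zMzExMDQxMjIzMzlaMGYxCzAJ
"""

# Constructed client config that inlines the old CA the way
# sample-config-files/loopback-client does.
SAMPLE_CONFIG = ("client\ndev tun\nremote 127.0.0.1 1194\nremote-cert-tls server\n"
                 "<ca>\n" + OLD_CA_PEM_PREFIX + "</ca>\n")

CA_BLOCK = re.compile(r"<ca>\s*(.*?)\s*</ca>", re.S)


def _tlv(der, pos):
    """Read a DER tag/length header at pos; return (tag, length, content_start)."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, length, pos


def _asn1_time(tag, raw):
    """Decode UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18)."""
    text = raw.decode("ascii")
    if tag == 0x17:                         # RFC 5280: 50..99 mean 19xx, 00..49 mean 20xx
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    elif tag != 0x18:
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def certificate_validity(pem):
    """Return (not_before, not_after) of a PEM certificate; a truncated
    PEM prefix works as long as it reaches the validity field."""
    b64 = "".join(l.strip() for l in pem.splitlines() if l.strip() and not l.startswith("-"))
    der = base64.b64decode(b64[:len(b64) - len(b64) % 4])
    tag, _, pos = _tlv(der, 0)              # Certificate ::= SEQUENCE
    tag2, _, pos = _tlv(der, pos)           # TBSCertificate ::= SEQUENCE
    if tag != 0x30 or tag2 != 0x30:
        raise ValueError("not a DER certificate")
    tag, length, start = _tlv(der, pos)
    if tag == 0xA0:                         # [0] EXPLICIT version (absent for v1)
        pos = start + length
    for _ in range(3):                      # serialNumber, signature AlgorithmIdentifier, issuer
        _, length, start = _tlv(der, pos)
        pos = start + length
    tag, _, pos = _tlv(der, pos)            # Validity ::= SEQUENCE { notBefore, notAfter }
    if tag != 0x30:
        raise ValueError("validity field not found")
    times = []
    for _ in range(2):
        tag, length, start = _tlv(der, pos)
        times.append(_asn1_time(tag, der[start:start + length]))
        pos = start + length
    return times[0], times[1]


def check_inline_cas(config_text, now_iso, warn_days=90):
    """Report every inline <ca> block: validity, days left at `now_iso`
    (YYYY-MM-DD, UTC) and whether it is due for renewal."""
    now = datetime.fromisoformat(now_iso).replace(tzinfo=timezone.utc)
    report = []
    for pem in CA_BLOCK.findall(config_text):
        not_before, not_after = certificate_validity(pem)
        days_left = (not_after - now).days
        report.append({"not_before": not_before.isoformat(), "not_after": not_after.isoformat(),
                       "days_left": days_left, "action": "renew" if days_left < warn_days else "ok"})
    return report


if __name__ == "__main__":
    for entry in check_inline_cas(SAMPLE_CONFIG, "2023-11-21"):
        print(entry)
```

The walker deliberately does not check the outer SEQUENCE lengths against the buffer, which is what lets it work on the archive's truncated copy; on complete certificates it reads the same bytes `openssl x509 -noout -dates` would print.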
[Openvpn-devel] [PATCH v2] tun: use is_tun_p2p more consistently
Using "tun" as the variable name for the return of is_tun_p2p is probably a historical accident. But it has actual consequences in that the other code often seems to assume that it does less checks than it actually does. Use "tun_p2p" as the variable name and remove checks that are not required. Also use is_tun_p2p in more places. Change-Id: Ice8b95f953c3f7e71657a78ea12b02a08c60aa67 Signed-off-by: Frank Lichtenheld Acked-by: Arne Schwabe --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/380 This mail reflects revision 2 of this Change. Acked-by according to Gerrit (reflected above): Arne Schwabe diff --git a/src/openvpn/tun.c b/src/openvpn/tun.c index 82ab6c0..7ab51ee 100644 --- a/src/openvpn/tun.c +++ b/src/openvpn/tun.c 
@@ -507,31 +507,31 @@ static const char ifconfig_warn_how_to_silence[] = "(silence this warning with --ifconfig-nowarn)"; /* - * If !tun, make sure ifconfig_remote_netmask looks + * If !tun_p2p, make sure ifconfig_remote_netmask looks * like a netmask. * - * If tun, make sure ifconfig_remote_netmask looks + * If tun_p2p, make sure ifconfig_remote_netmask looks * like an IPv4 address. */ static void -ifconfig_sanity_check(bool tun, in_addr_t addr, int topology) +ifconfig_sanity_check(bool tun_p2p, in_addr_t addr) { struct gc_arena gc = gc_new(); const bool looks_like_netmask = ((addr & 0xFF00) == 0xFF00); -if (tun) +if (tun_p2p) { -if (looks_like_netmask && (topology == TOP_NET30 || topology == TOP_P2P)) +if (looks_like_netmask) { msg(M_WARN, "WARNING: Since you are using --dev tun with a point-to-point topology, the second argument to --ifconfig must be an IP address. You are using something (%s) that looks more like a netmask. %s", print_in_addr_t(addr, 0, ), ifconfig_warn_how_to_silence); } } -else /* tap */ +else { if (!looks_like_netmask) { -msg(M_WARN, "WARNING: Since you are using --dev tap, the second argument to --ifconfig must be a netmask, for example something like 255.255.255.0. %s", +msg(M_WARN, "WARNING: Since you are using subnet topology, the second argument to --ifconfig must be a netmask, for example something like 255.255.255.0. %s", ifconfig_warn_how_to_silence); } } @@ -675,13 +675,13 @@ struct buffer out = alloc_buf_gc(256, gc); if (tt->did_ifconfig_setup && !disable) { -if (tt->type == DEV_TYPE_TAP || (tt->type == DEV_TYPE_TUN && tt->topology == TOP_SUBNET)) +if (!is_tun_p2p(tt)) { buf_printf(, "%s %s", print_in_addr_t(tt->local & tt->remote_netmask, 0, gc), print_in_addr_t(tt->remote_netmask, 0, gc)); } -else if (tt->type == DEV_TYPE_TUN) +else if (tt->type == DEV_TYPE_TUN) /* tun p2p topology */ { const char *l, *r; if (remote) 
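Review bot: in the @@ -507 hunk the else branch of ifconfig_sanity_check() is now reached for both --dev tap and --dev tun --topology subnet, but the rewritten warning only says "Since you are using subnet topology"; a --dev tap user who never passed --topology will not connect that phrase to their configuration. Suggest "WARNING: Since you are using --dev tap or subnet topology, the second argument to --ifconfig must be a netmask, ...". Dropping the (topology == TOP_NET30 || topology == TOP_P2P) test in the tun_p2p branch is fine, since is_tun_p2p() already returns false for TOP_SUBNET and those are the only remaining tun topologies.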
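Review bot: in the @@ -675 hunk, once the first branch is `if (!is_tun_p2p(tt))`, the condition on `else if (tt->type == DEV_TYPE_TUN) /* tun p2p topology */` can no longer be false: is_tun_p2p() returns true only for DEV_TYPE_TUN and calls msg(M_FATAL, ...) for anything else. A plain `else` with the same comment states the invariant more clearly than a condition that reads as if a third case could fall through.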
@@ -745,24 +745,24 @@ bool is_tun_p2p(const struct tuntap *tt) { -bool tun = false; +bool tun_p2p = false; if (tt->type == DEV_TYPE_TAP || (tt->type == DEV_TYPE_TUN && tt->topology == TOP_SUBNET) || tt->type == DEV_TYPE_NULL) { -tun = false; +tun_p2p = false; } else if (tt->type == DEV_TYPE_TUN) { -tun = true; +tun_p2p = true; } else { msg(M_FATAL, "Error: problem with tun vs. tap setting"); /* JYFIXME -- needs to be caught earlier, in init_tun? */ } -return tun; +return tun_p2p; } /* @@ -839,12 +839,10 @@ if (ifconfig_local_parm && ifconfig_remote_netmask_parm) { -bool tun = false; - /* * We only handle TUN/TAP devices here, not --dev null devices. */ -tun = is_tun_p2p(tt); +bool tun_p2p = is_tun_p2p(tt); /* * Convert arguments to binary IPv4 addresses. @@ -861,7 +859,7 @@ NULL); tt->remote_netmask = getaddr( -(tun ? GETADDR_RESOLVE : 0) +(tun_p2p ? GETADDR_RESOLVE : 0) | GETADDR_HOST_ORDER | GETADDR_FATAL_ON_SIGNAL | GETADDR_FATAL, @@ -876,7 +874,7 @@ if (strict_warn) { struct addrinfo *curele; -ifconfig_sanity_check(tt->type == DEV_TYPE_TUN, tt->remote_netmask, tt->topology); +ifconfig_sanity_check(tun_p2p, tt->remote_netmask); /* * If local_public or remote_public addresses are defined, @@ -907,11 +905,11 @@ } } -if (tt->type == DEV_TYPE_TAP || (tt->type == DEV_TYPE_TUN && tt->topology == TOP_SUBNET)) +if (!tun_p2p) { check_subnet_conflict(tt->local,
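Review bot: in the @@ -876 hunk, passing tun_p2p instead of `tt->type == DEV_TYPE_TUN` to ifconfig_sanity_check() changes behaviour for --dev tun --topology subnet. Before, that configuration took the tun branch, where the NET30/P2P condition suppressed the netmask-shaped warning, and it was never checked against the "must be a netmask" rule; now it takes the else branch and warns whenever the second --ifconfig argument does not look like a netmask. That is the right check for subnet topology, but it is a new user-visible warning, and the commit message ("remove checks that are not required") should mention that one check is being added as well.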
[Openvpn-devel] [PATCH v5] Various fixes for -Wconversion errors
These are all fixes I considered "safe". They either
- Have sufficient checks/shifts for a cast to be safe
- Fix the type of a variable without requiring code changes
- Are in non-critical unittest code

v2:
- add min_size instead of abusing min_int

Change-Id: I6818b153bdeb1eed65870af99b0531e95807fe0f
Signed-off-by: Frank Lichtenheld
Acked-by: Arne Schwabe
---
This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/267
This mail reflects revision 5 of this Change.

Acked-by according to Gerrit (reflected above): Arne Schwabe

diff --git a/src/openvpn/buffer.c b/src/openvpn/buffer.c index 24f1ef2..a32e7d2 100644 --- a/src/openvpn/buffer.c +++ b/src/openvpn/buffer.c @@ -352,7 +352,7 @@ return false; } -const int size = write(fd, BPTR(buf), BLEN(buf)); +const ssize_t size = write(fd, BPTR(buf), BLEN(buf)); if (size != BLEN(buf)) { msg(M_ERRNO, "Write error on file '%s'", filename); @@ -889,7 +889,7 @@ { break; } -line[n++] = c; +line[n++] = (char)c; } while (c); diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index e4452d7..7768b9e 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c @@ -26,6 +26,8 @@ #include "config.h" #endif +#include + #include "syshead.h" #include "crypto.h" @@ -1263,8 +1265,8 @@ hex_byte[hb_index++] = c; if (hb_index == 2) { -unsigned int u; -ASSERT(sscanf((const char *)hex_byte, "%x", ) == 1); +uint8_t u; +ASSERT(sscanf((const char *)hex_byte, "%" SCNx8, ) == 1); *out++ = u; hb_index = 0; if (++count == keylen) 
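Review bot: in the buffer.c @@ -352 hunk, with `size` now ssize_t the test `size != BLEN(buf)` still catches both a -1 return and a short write, but msg(M_ERRNO, ...) prints a stale or zero errno in the short-write case because write() only sets errno when it returns -1. Pre-existing rather than caused by the type change, but since the line is being touched it is cheap to split into `if (size < 0)` with M_ERRNO and a separate `else if (size != BLEN(buf))` reporting a short write without errno.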
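Review bot: in the crypto.c @@ -1263 hunk, `"%" SCNx8` requires <inttypes.h>; the @@ -26 hunk adds an include whose header name is missing in this mail rendering, so please confirm it is inttypes.h and that it is reachable on the MSVC build (syshead.h does not obviously provide it). Also, sscanf() with SCNx8 still accepts leading whitespace, a sign and a "0x" prefix, so the ASSERT only holds if the two characters in hex_byte were already filtered to be hex digits before this point; if that filtering is ever relaxed, a malformed key file turns into an assertion abort instead of a clean M_FATAL error.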
@@ -1526,13 +1528,13 @@ ASSERT(cipher_kt_key_size(kt->cipher) <= MAX_CIPHER_KEY_LENGTH && md_kt_size(kt->digest) <= MAX_HMAC_KEY_LENGTH); -const uint8_t cipher_length = cipher_kt_key_size(kt->cipher); +const uint8_t cipher_length = (uint8_t)cipher_kt_key_size(kt->cipher); if (!buf_write(buf, _length, 1)) { return false; } -uint8_t hmac_length = md_kt_size(kt->digest); +uint8_t hmac_length = (uint8_t)md_kt_size(kt->digest); if (!buf_write(buf, _length, 1)) { diff --git a/src/openvpn/integer.h b/src/openvpn/integer.h index a012524..a0e421d 100644 --- a/src/openvpn/integer.h +++ b/src/openvpn/integer.h @@ -28,12 +28,12 @@ #ifndef htonll #define htonll(x) ((1==htonl(1)) ? (x) : \ - ((uint64_t)htonl((x) & 0x) << 32) | htonl((x) >> 32)) + ((uint64_t)htonl((uint32_t)((x) & 0x)) << 32) | htonl((uint32_t)((x) >> 32))) #endif #ifndef ntohll #define ntohll(x) ((1==ntohl(1)) ? (x) : \ - ((uint64_t)ntohl((x) & 0x) << 32) | ntohl((x) >> 32)) + ((uint64_t)ntohl((uint32_t)((x) & 0x)) << 32) | ntohl((uint32_t)((x) >> 32))) #endif static inline int @@ -72,6 +72,19 @@ } } +static inline size_t +min_size(size_t x, size_t y) +{ +if (x < y) +{ +return x; +} +else +{ +return y; +} +} + static inline int max_int(int x, int y) { diff --git a/src/openvpn/mss.c b/src/openvpn/mss.c index 1566c64..108b370 100644 --- a/src/openvpn/mss.c +++ b/src/openvpn/mss.c @@ -165,7 +165,7 @@ return; } -for (olen = hlen - sizeof(struct openvpn_tcphdr), +for (olen = hlen - (int) sizeof(struct openvpn_tcphdr), opt = (uint8_t *)(tc + 1); olen > 1; olen -= optlen, opt += optlen) diff --git a/src/openvpn/otime.c b/src/openvpn/otime.c index b28a90f..e751246 100644 --- a/src/openvpn/otime.c +++ b/src/openvpn/otime.c @@ -105,7 +105,7 @@ /* format a time_t as ascii, or use current time if 0 */ const char * -time_string(time_t t, int usec, bool show_usec, struct gc_arena *gc) +time_string(time_t t, long usec, bool show_usec, struct gc_arena *gc) { struct buffer out = alloc_buf_gc(64, gc); struct timeval tv; 
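Review bot: in the crypto.c @@ -1526 hunk, the (uint8_t) casts of cipher_kt_key_size() and md_kt_size() are only safe because of the ASSERT immediately above that both values fit in MAX_CIPHER_KEY_LENGTH / MAX_HMAC_KEY_LENGTH; if either constant is ever raised past 255 the casts truncate silently and the one-byte length written with buf_write() becomes wrong. A static assertion that MAX_CIPHER_KEY_LENGTH <= UINT8_MAX and MAX_HMAC_KEY_LENGTH <= UINT8_MAX next to the casts would make that dependency explicit.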
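Review bot: in the integer.h htonll()/ntohll() hunk, the macros still evaluate `x` twice in the byte-swapping branch (`((x) & 0x...)` and `((x) >> 32)`), so `htonll(next_counter())` would call the function twice; since both bodies are already being rewritten, turning them into static inline functions taking a uint64_t would fix that and remove the need for the (uint32_t) casts at the call sites. The low-word mask constant also appears as a bare `0x` in this rendering; worth double-checking it reads `0xFFFFFFFF` in the actual patch.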
diff --git a/src/openvpn/otime.h b/src/openvpn/otime.h index c27be89..d795c3c 100644 --- a/src/openvpn/otime.h +++ b/src/openvpn/otime.h @@ -43,7 +43,7 @@ bool frequency_limit_event_allowed(struct frequency_limit *f); /* format a time_t as ascii, or use current time if 0 */ -const char *time_string(time_t t, int usec, bool show_usec, struct gc_arena *gc); +const char *time_string(time_t t, long usec, bool show_usec, struct gc_arena *gc); /* struct timeval functions */ diff --git a/src/openvpn/packet_id.c b/src/openvpn/packet_id.c index ef83248..3d6f3ee 100644 --- a/src/openvpn/packet_id.c +++ b/src/openvpn/packet_id.c @@ -588,14 +588,14 @@ } else { -diff = (int) prev_now - v; +diff =