[Openvpn-devel] [M] Change in openvpn[master]: Implement the --tls-export-cert feature

2023-12-12 Thread plaisthos (Code Review)
Attention is currently required from: cron2, flichtenheld.

plaisthos has posted comments on this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/466?usp=email )

Change subject: Implement the --tls-export-cert feature
..


Patch Set 4:

(2 comments)

File doc/man-sections/script-options.rst:

http://gerrit.openvpn.net/c/openvpn/+/466/comment/f51f4a78_549de142 :
PS4, Line 427:   Adds an environment variables ``peer_cert_{x}`` (and an alias
> "variable" or remove "an"
Done


http://gerrit.openvpn.net/c/openvpn/+/466/comment/eed49c31_f5661e3b :
PS4, Line 780: :code:`peer_cert` identical to `peer_cert_0` for compatibility 
with older
> Missing line break before "identical". […]
Done



--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/466?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Ia9b3f1813d2d0d492d17c87348b4cebd0bf19ce2
Gerrit-Change-Number: 466
Gerrit-PatchSet: 4
Gerrit-Owner: plaisthos 
Gerrit-Reviewer: flichtenheld 
Gerrit-CC: cron2 
Gerrit-CC: openvpn-devel 
Gerrit-Attention: cron2 
Gerrit-Attention: flichtenheld 
Gerrit-Comment-Date: Tue, 12 Dec 2023 18:24:05 +
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Comment-In-Reply-To: flichtenheld 
Gerrit-MessageType: comment
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


[Openvpn-devel] [M] Change in openvpn[master]: Implement the --tls-export-cert feature

2023-12-12 Thread plaisthos (Code Review)
Attention is currently required from: cron2, flichtenheld, plaisthos.

Hello flichtenheld,

I'd like you to reexamine a change. Please visit

http://gerrit.openvpn.net/c/openvpn/+/466?usp=email

to look at the new patch set (#5).

The following approvals got outdated and were removed:
Code-Review-1 by flichtenheld


Change subject: Implement the --tls-export-cert feature
..

Implement the --tls-export-cert feature

This is a re-implementation of the --tls-export-cert feature. This
was necessary due to missing approval to re-license the old
(now removed) code. The re-implementation is based on the following
description of the feature provided by David:

  Add an option to export certificate in PEM format of the remote
  peer to a given directory.

  For example: --tls-export-cert /var/tmp

  This option should use a randomised filename, which is provided via a
  "peer_cert" environment variable for the --tls-verify script or the
  OPENVPN_PLUGIN_TLS_VERIFY plug-in hook.

Once the script or plugin call has completed, OpenVPN should delete
this file.

Change-Id: Ia9b3f1813d2d0d492d17c87348b4cebd0bf19ce2
Signed-off-by: Arne Schwabe 
---
M doc/man-sections/script-options.rst
M src/openvpn/init.c
M src/openvpn/options.c
M src/openvpn/options.h
M src/openvpn/ssl_common.h
M src/openvpn/ssl_verify.c
M src/openvpn/ssl_verify_backend.h
M src/openvpn/ssl_verify_mbedtls.c
M src/openvpn/ssl_verify_openssl.c
9 files changed, 151 insertions(+), 4 deletions(-)


  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/66/466/5

diff --git a/doc/man-sections/script-options.rst 
b/doc/man-sections/script-options.rst
index 38dcfa2..ba700a0 100644
--- a/doc/man-sections/script-options.rst
+++ b/doc/man-sections/script-options.rst
@@ -423,6 +423,15 @@
   See the `Environmental Variables`_ section below for additional
   parameters passed as environmental variables.

+--tls-export-cert-path dir
+  Adds an environment variable ``peer_cert_{x}`` (and an alias
+  ``peer_cert`` for ``peer_cert_0`` for compatibility)  when calling the
+  ``--tls-verify`` script or executing the OPENVPN_PLUGIN_TLS_VERIFY plugin
+  hook to verify the certificate.
+
+  The environment variable contains the path to a PEM encoded certificate
+  of the current peer certificate in the directory ``dir``.
+
 --up cmd
   Run command ``cmd`` after successful TUN/TAP device open (pre ``--user``
   UID change).
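Review bot: The new entry is headed ``--tls-export-cert-path dir``, but the access check and the option parser later in this patch use the name "tls-export-cert", and the environment-variable section also refers to ``--tls-export-cert``; the heading should match the option name the parser accepts. The entry also leaves out two things the commit message promises and that a script author needs to know: the file name is randomised, and the file is deleted once the script or plug-in call has completed. There is a stray double space after "compatibility)".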
@@ -763,6 +772,15 @@
 modifier is specified, and deleted from the environment after the script
 returns.

+:code:`peer_cert_{n}`
+If the option ``--tls-export-cert`` is enabled, this option contains
+the path to the current peer certificate to be verified in PEM format
+where ``n`` is the verification level.
+
+:code:`peer_cert`
+Identical to `peer_cert_0` for compatibility with older
+versions.
+
 :code:`proto`
 The ``--proto`` parameter. Set on program initiation and reset on
 SIGHUP.
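Review bot: In the :code:`peer_cert_{n}` entry, "this option contains" should read "this variable contains", since the entry describes an environment variable and not an option. In the :code:`peer_cert` entry, `peer_cert_0` is written with single backticks, which reStructuredText treats as interpreted text and not as a literal; use double backticks as the ``--tls-export-cert`` reference two lines above does.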
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index 9e2b3845..917ae33 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -3336,6 +3336,7 @@
 to.auth_user_pass_verify_script_via_file = 
options->auth_user_pass_verify_script_via_file;
 to.client_crresponse_script = options->client_crresponse_script;
 to.tmp_dir = options->tmp_dir;
+to.export_peer_cert_dir = options->tls_export_peer_cert_path;
 if (options->ccd_exclusive)
 {
 to.client_config_dir_exclusive = options->client_config_dir;
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 1521872..503e832 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -1986,6 +1986,7 @@
 SHOW_STR(cipher_list_tls13);
 SHOW_STR(tls_cert_profile);
 SHOW_STR(tls_verify);
+SHOW_STR(tls_export_peer_cert_path);
 SHOW_INT(verify_x509_type);
 SHOW_STR(verify_x509_name);
 SHOW_STR_INLINE(crl_file);
@@ -3048,6 +3049,7 @@
 MUST_BE_UNDEF(cipher_list_tls13);
 MUST_BE_UNDEF(tls_cert_profile);
 MUST_BE_UNDEF(tls_verify);
+MUST_BE_UNDEF(tls_export_peer_cert_path);
 MUST_BE_UNDEF(verify_x509_name);
 MUST_BE_UNDEF(tls_timeout);
 MUST_BE_UNDEF(renegotiate_bytes);
@@ -4053,6 +4055,13 @@
 R_OK, "--crl-verify");
 }
 
+if (options->tls_export_peer_cert_path)
+{
+errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE,
+ options->tls_export_peer_cert_path,
+ W_OK, "--tls-export-cert");
+}
+
 ASSERT(options->connection_list);
 for (int i = 0; i < options->connection_list->len; ++i)
 {
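Review bot: The access check passes W_OK alone for a path that the man page hunk documents as a directory; creating the exported certificate inside it and deleting it afterwards also needs search permission, so W_OK|X_OK would reject an unusable directory at startup and not at the first TLS verification. Because the --tls-verify script trusts whatever file the exported path points to, the documentation could also state that the directory should not be writable by other local users.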
@@ -8998,6 +9007,11 @@
 string_substitute(p[1], ',', ' ', >gc),
 "tls-verify", true);
 }
+else if (streq(p[0], "tls-export-cert") && p[1] && !p[2])
+{
+

Re: [Openvpn-devel] OpenVPN data channel format using 64bit IV

2023-12-12 Thread Steffan Karger

Hi,

I've been just lurking for a while, but you've managed to nerd-snipe me 
in responding.


On 11-12-2023 13:31, Arne Schwabe wrote:
> with DCO and possible future hardware assisted OpenVPN acceleration we
> are approaching the point where 32 bit IVs are not cutting it any more.


Agreed. Though to be precise, we use 96-bit IVs in our AEAD mode, which 
include a 32-bit packet counter.



> To illustrate the problem, some back of the envelope math here:
>
> If we want to keep the current 3600s renegotiation interval and have a
> safety margin of 30% we have about 3 million packets (2*32 * 0.7) to
> work with. That translates to about 835k packets per second.


Nitpicking, but we currently maintain a reneg threshold at 75% (pid >= 
0xFF00).


> With 1300 Byte packets that translates into 8-9 Gbit/s. That is from
> unrealistic any more. Current DCO implementations are already in
> spitting distance to that or might even reach (for a single client
> connection) that if you have extremely fast single core performance CPU.


Agreed. Though it seems to me that with so much processing power and 
network throughput, it wouldn't be much of an issue to renegotiate 
slightly more often.



> So I think we need to consider adding 64bit IV now rather than later.


Even considering my remarks above, I do agree it's time.

But, we will also need to make sure that we won't exceed the limits of 
the ciphers we use, which might need additional logic. I don't have time 
right now to dig up all the specifics, but this IRTF draft might serve 
as a good starting point for reading: 
https://www.ietf.org/archive/id/draft-irtf-cfrg-aead-limits-07.html



> So the proposal is the following:
>
> - add IV_PACKET_FORMAT_AEAD_V2 flag to the protocol flags. This signals
> that the other side supports the new AEAD data channel packet format
> that supports 64 bit IVs.
>
> I don't think we need to extend this feature to the CBC data channel
> format. I just don't see a use case where people would be able to
> upgrade to a new OpenVPN version to use 64 bit IVs but not to also
> change to use AEAD ciphers.


Ack. Do note that CBC has a random IV per packet, so this doesn't apply 
to the IV in CBC, just the packet counter.


> - add protocol-flag aead-packet-format-v2 This signals the client to
> switch to the new data channel format.
>
> And finally have the data channel format. Since this format is
> negotiated like the cipher, there is no need to use another opcode if
> we keep the peer id to just 24 bit. But we might want to extend the format
> to have it 8 byte aligned to also allow peer-id to be extended in the
> future.


I'd at least consider to not send the upper 32 bits of the counter over 
the wire. With some simple arithmetic you can detect the counter 
overflow and keep the high bits internal to the application. I'd expect 
such per-packet arithmetic to be much cheaper than transmitting 4 bytes 
extra for each packet.


If you take that approach, you would not even need to change the wire 
format.


Even more, you might not even have to negotiate the option with the 
peer, because the peer will initiate a renegotiation after 0xFF00 
packets if it doesn't support the "implicit long PID". New peers will 
postpone the reneg to 0xFF00 packets.


> Regardless of what choice we take, this is a good opportunity to rectify
> the position of the AEAD tag in our packet. Especially for hardware
> implementations it is quite advantageous to have the AEAD at the end of
> the packet instead of the beginning and since we need to have a new data
> format, there is no reason to keep the tag at the start of the packet.


Agreed (as I already stated in 2015: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg09879.html).




> So the choice is basically
>
> Variant A:
>
> Bytes
>
>   1  234    5-13  13- (n+13) (n+14) - (n+30)
>
> [OP_CODE_DATA_V2][peerid]   [64 bit IV] [  payload  ][ 16 byte auth tag]
>
>
> Variant B:
>
>     1    3-8
> [OP_CODE_DATA_V3] [ peer-id/padding] [rest identical]

or:

Variant C:

Leave the on-the-wire PID as-is. Just move the auth tag to the end of 
the packet.


variant D:

Keep wire format as-is.

-Steffan
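
The "implicit long PID" idea in the message above (keep the upper 32 bits of the packet counter local and detect the overflow arithmetically) can be sketched as follows. This is an added example, not OpenVPN code and not code from this thread; the names `pid_rx`, `pid_expand`, `pid_fresh` and `pid_commit`, the 64-packet replay window and the counter starting at 1 are assumptions of the sketch, and it goes slightly beyond the message by adding the replay window. It assumes the reconstructed 64-bit value is what enters the AEAD nonce, so a wrong guess fails authentication.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PID_WINDOW 64u /* replay window in packets; value chosen for this sketch */

struct pid_rx {
    uint64_t highest; /* highest full counter accepted; 0 = nothing yet */
    uint64_t seen;    /* bit i set: counter (highest - i) already accepted */
};

/* Widen a 32-bit on-wire counter to the 64-bit value nearest to the next
 * expected counter. Correct while reordering stays below 2^31 packets. */
static uint64_t pid_expand(const struct pid_rx *rx, uint32_t wire)
{
    const uint64_t span = 1ull << 32, half = 1ull << 31;
    uint64_t expected = rx->highest + 1;
    uint64_t cand = (expected & ~(span - 1)) | wire;

    if (expected >= cand) {
        if (expected - cand >= half && cand <= UINT64_MAX - span)
            cand += span; /* sender already wrapped into the next epoch */
    } else if (cand - expected > half && cand >= span) {
        cand -= span;     /* late packet from the previous epoch */
    }
    return cand;
}

/* Replay test only; no state change, so it can run before the AEAD check. */
static bool pid_fresh(const struct pid_rx *rx, uint64_t full)
{
    if (full == 0)
        return false; /* assumption of this sketch: counters start at 1 */
    if (full > rx->highest)
        return true;
    uint64_t back = rx->highest - full;
    return back < PID_WINDOW && !(rx->seen & (1ull << back));
}

/* Record a counter. Call only after the packet authenticated successfully. */
static void pid_commit(struct pid_rx *rx, uint64_t full)
{
    if (full > rx->highest) {
        uint64_t shift = full - rx->highest;
        rx->seen = (shift >= 64 ? 0 : rx->seen << shift) | 1;
        rx->highest = full;
    } else {
        rx->seen |= 1ull << (rx->highest - full);
    }
}

/* Convenience wrapper: expand a wire value against a given receiver state. */
static uint64_t expand_at(uint64_t highest, uint32_t wire)
{
    struct pid_rx rx = { highest, 1 };
    return pid_expand(&rx, wire);
}

struct sample_result { unsigned accepted; uint64_t highest; };

static struct sample_result run_sample(void)
{
    /* Constructed input: low 32 bits as they would appear on the wire. */
    static const uint32_t wire[] = {
        0xFFFFFFFFu, /* last counter before the 32-bit wrap */
        0x00000001u, /* 2^32 + 1, arrives before ...        */
        0x00000000u, /* ... 2^32 (reordered)                */
        0xFFFFFFFFu, /* replay of the first packet          */
    };
    struct pid_rx rx = { 0xFFFFFFFEull, 1 };
    struct sample_result res = { 0, 0 };

    for (unsigned i = 0; i < sizeof(wire) / sizeof(wire[0]); i++) {
        uint64_t full = pid_expand(&rx, wire[i]);
        bool ok = pid_fresh(&rx, full); /* AEAD verification would sit here */
        if (ok) {
            pid_commit(&rx, full);
            res.accepted |= 1u << i;
        }
        printf("wire=0x%08" PRIx32 " full=0x%016" PRIx64 " %s\n",
               wire[i], full, ok ? "accept" : "drop");
    }
    res.highest = rx.highest;
    return res;
}

int main(void)
{
    struct sample_result r = run_sample();
    return (r.accepted == 0x7u && r.highest == 0x100000001ull) ? 0 : 1;
}
```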




[Openvpn-devel] [M] Change in openvpn[master]: Implement the --tls-export-cert feature

2023-12-12 Thread flichtenheld (Code Review)
Attention is currently required from: cron2, plaisthos.

flichtenheld has posted comments on this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/466?usp=email )

Change subject: Implement the --tls-export-cert feature
..


Patch Set 4: Code-Review-1

(2 comments)

File doc/man-sections/script-options.rst:

http://gerrit.openvpn.net/c/openvpn/+/466/comment/36b80616_1a510d1a :
PS4, Line 427:   Adds an environment variables ``peer_cert_{x}`` (and an alias
"variable" or remove "an"


http://gerrit.openvpn.net/c/openvpn/+/466/comment/42a94055_6568f3e0 :
PS4, Line 780: :code:`peer_cert` identical to `peer_cert_0` for compatibility 
with older
Missing line break before "identical". Breaks formatting



--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/466?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Ia9b3f1813d2d0d492d17c87348b4cebd0bf19ce2
Gerrit-Change-Number: 466
Gerrit-PatchSet: 4
Gerrit-Owner: plaisthos 
Gerrit-Reviewer: flichtenheld 
Gerrit-CC: cron2 
Gerrit-CC: openvpn-devel 
Gerrit-Attention: plaisthos 
Gerrit-Attention: cron2 
Gerrit-Comment-Date: Tue, 12 Dec 2023 14:39:26 +
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment


[Openvpn-devel] [L] Change in openvpn[master]: test_user_pass: new UT for get_user_pass

2023-12-12 Thread flichtenheld (Code Review)
Attention is currently required from: plaisthos.

flichtenheld has posted comments on this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/468?usp=email )

Change subject: test_user_pass: new UT for get_user_pass
..


Patch Set 4:

(1 comment)

File tests/unit_tests/openvpn/test_user_pass.c:

http://gerrit.openvpn.net/c/openvpn/+/468/comment/4030de4e_a0b3b845 :
PS3, Line 86: }
> I think we should be consistent here. Either do the (void) var; in all mocked 
> functions or none. […]
Done



--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/468?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I193aef06912f01426dd4ac298aadfab97dd75a35
Gerrit-Change-Number: 468
Gerrit-PatchSet: 4
Gerrit-Owner: flichtenheld 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-Attention: plaisthos 
Gerrit-Comment-Date: Tue, 12 Dec 2023 13:58:18 +
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Comment-In-Reply-To: plaisthos 
Gerrit-MessageType: comment


[Openvpn-devel] [M] Change in openvpn[master]: misc: make get_auth_challenge static

2023-12-12 Thread flichtenheld (Code Review)
Attention is currently required from: flichtenheld, plaisthos.

Hello plaisthos,

I'd like you to reexamine a change. Please visit

http://gerrit.openvpn.net/c/openvpn/+/476?usp=email

to look at the new patch set (#3).

The following approvals got outdated and were removed:
Code-Review+2 by plaisthos


Change subject: misc: make get_auth_challenge static
..

misc: make get_auth_challenge static

Not used outside of misc.c.

Rename to parse_auth_challenge since it really just parses
the string that you put in into the struct.

Add doxygen documentation.

v2:
 - change if(auth_challenge) to ASSERT(auth_challenge)

Change-Id: I0abeec9f862aea1f6a8fdf350fa0008cf2e5d613
Signed-off-by: Frank Lichtenheld 
---
M src/openvpn/misc.c
M src/openvpn/misc.h
M src/openvpn/ssl.h
3 files changed, 98 insertions(+), 85 deletions(-)


  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/76/476/3

diff --git a/src/openvpn/misc.c b/src/openvpn/misc.c
index bce63ed..08f274d 100644
--- a/src/openvpn/misc.c
+++ b/src/openvpn/misc.c
@@ -124,6 +124,83 @@
 }
 return true;
 }
+
+/**
+ * Parses an authentication challenge string and returns an 
auth_challenge_info structure.
+ * The authentication challenge string should follow the dynamic 
challenge/response protocol.
+ *
+ * See doc/management-notes.txt for more info on the the dynamic 
challenge/response protocol
+ * implemented here.
+ *
+ * @param auth_challenge The authentication challenge string to parse. Can't 
be NULL.
+ * @param gc The gc_arena structure for memory allocation.
+ *
+ * @return   A pointer to the parsed auth_challenge_info 
structure, or NULL if parsing fails.
+ */
+static struct auth_challenge_info *
+parse_auth_challenge(const char *auth_challenge, struct gc_arena *gc)
+{
+ASSERT(auth_challenge);
+
+struct auth_challenge_info *ac;
+const int len = strlen(auth_challenge);
+char *work = (char *) gc_malloc(len+1, false, gc);
+char *cp;
+
+struct buffer b;
+buf_set_read(, (const uint8_t *)auth_challenge, len);
+
+ALLOC_OBJ_CLEAR_GC(ac, struct auth_challenge_info, gc);
+
+/* parse prefix */
+if (!buf_parse(, ':', work, len))
+{
+return NULL;
+}
+if (strcmp(work, "CRV1"))
+{
+return NULL;
+}
+
+/* parse flags */
+if (!buf_parse(, ':', work, len))
+{
+return NULL;
+}
+for (cp = work; *cp != '\0'; ++cp)
+{
+const char c = *cp;
+if (c == 'E')
+{
+ac->flags |= CR_ECHO;
+}
+else if (c == 'R')
+{
+ac->flags |= CR_RESPONSE;
+}
+}
+
+/* parse state ID */
+if (!buf_parse(, ':', work, len))
+{
+return NULL;
+}
+ac->state_id = string_alloc(work, gc);
+
+/* parse user name */
+if (!buf_parse(, ':', work, len))
+{
+return NULL;
+}
+ac->user = (char *) gc_malloc(strlen(work)+1, true, gc);
+openvpn_base64_decode(work, (void *)ac->user, -1);
+
+/* parse challenge text */
+ac->challenge_text = string_alloc(BSTR(), gc);
+
+return ac;
+}
+
 #endif /* ifdef ENABLE_MANAGEMENT */

 /*
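Review bot: In the "parse user name" step the result of openvpn_base64_decode(work, (void *)ac->user, -1) is discarded, so a challenge whose user field is not valid base64 still returns a non-NULL structure with an empty or partial ac->user, although the new doxygen comment promises NULL when parsing fails; check the return value and return NULL on error. Smaller points in the same function: "const int len = strlen(auth_challenge)" narrows a size_t to int, the flags loop silently ignores any character other than 'E' and 'R', and the comment contains a doubled "the the".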
@@ -287,7 +364,7 @@
 #ifdef ENABLE_MANAGEMENT
 if (auth_challenge && (flags & GET_USER_PASS_DYNAMIC_CHALLENGE) && 
response_from_stdin)
 {
-struct auth_challenge_info *ac = 
get_auth_challenge(auth_challenge, );
+struct auth_challenge_info *ac = 
parse_auth_challenge(auth_challenge, );
 if (ac)
 {
 char *response = (char *) gc_malloc(USER_PASS_LEN, false, 
);
@@ -392,83 +469,6 @@
 return true;
 }

-#ifdef ENABLE_MANAGEMENT
-
-/*
- * See management/management-notes.txt for more info on the
- * the dynamic challenge/response protocol implemented here.
- */
-struct auth_challenge_info *
-get_auth_challenge(const char *auth_challenge, struct gc_arena *gc)
-{
-if (auth_challenge)
-{
-struct auth_challenge_info *ac;
-const int len = strlen(auth_challenge);
-char *work = (char *) gc_malloc(len+1, false, gc);
-char *cp;
-
-struct buffer b;
-buf_set_read(, (const uint8_t *)auth_challenge, len);
-
-ALLOC_OBJ_CLEAR_GC(ac, struct auth_challenge_info, gc);
-
-/* parse prefix */
-if (!buf_parse(, ':', work, len))
-{
-return NULL;
-}
-if (strcmp(work, "CRV1"))
-{
-return NULL;
-}
-
-/* parse flags */
-if (!buf_parse(, ':', work, len))
-{
-return NULL;
-}
-for (cp = work; *cp != '\0'; ++cp)
-{
-const char c = *cp;
-if (c == 'E')
-{
-ac->flags |= CR_ECHO;
-}
-else if (c == 'R')
-{
-ac->flags |= CR_RESPONSE;
-}
-}
-
-

[Openvpn-devel] [M] Change in openvpn[master]: misc: make get_auth_challenge static

2023-12-12 Thread flichtenheld (Code Review)
Attention is currently required from: cron2, plaisthos.

flichtenheld has posted comments on this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/476?usp=email )

Change subject: misc: make get_auth_challenge static
..


Patch Set 3:

(1 comment)

File src/openvpn/misc.c:

http://gerrit.openvpn.net/c/openvpn/+/476/comment/74d2e778_f96f18de :
PS2, Line 143: if (auth_challenge)
> If moving this around anyway, we could convert this function to early-return, 
> or even make it an ASS […]
Done



--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/476?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I0abeec9f862aea1f6a8fdf350fa0008cf2e5d613
Gerrit-Change-Number: 476
Gerrit-PatchSet: 3
Gerrit-Owner: flichtenheld 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: cron2 
Gerrit-CC: openvpn-devel 
Gerrit-Attention: plaisthos 
Gerrit-Attention: cron2 
Gerrit-Comment-Date: Tue, 12 Dec 2023 13:56:40 +
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Comment-In-Reply-To: cron2 
Gerrit-MessageType: comment


[Openvpn-devel] [M] Change in openvpn[master]: test_user_pass: add basic tests for static/dynamic challenges

2023-12-12 Thread flichtenheld (Code Review)
Attention is currently required from: flichtenheld, plaisthos.

Hello plaisthos,

I'd like you to reexamine a change. Please visit

http://gerrit.openvpn.net/c/openvpn/+/475?usp=email

to look at the new patch set (#3).

The following approvals got outdated and were removed:
Code-Review+2 by plaisthos


Change subject: test_user_pass: add basic tests for static/dynamic challenges
..

test_user_pass: add basic tests for static/dynamic challenges

Change-Id: I8b5570f6314e917f92dce072279efe415d79b22a
Signed-off-by: Frank Lichtenheld 
---
M tests/unit_tests/openvpn/test_user_pass.c
1 file changed, 61 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/75/475/3

diff --git a/tests/unit_tests/openvpn/test_user_pass.c 
b/tests/unit_tests/openvpn/test_user_pass.c
index d6e5650..743a006 100644
--- a/tests/unit_tests/openvpn/test_user_pass.c
+++ b/tests/unit_tests/openvpn/test_user_pass.c
@@ -364,6 +364,63 @@
 }
 #endif /* ifndef _MSC_VER */

+#ifdef ENABLE_MANAGEMENT
+static void
+test_get_user_pass_dynamic_challenge(void **state)
+{
+struct user_pass up = { 0 };
+reset_user_pass();
+const char *challenge = 
"CRV1:R,E:Om01u7Fh4LrGBS7uh0SWmzwabUiGiW6l:Y3Ix:Please enter token PIN";
+unsigned int flags = GET_USER_PASS_DYNAMIC_CHALLENGE;
+
+expect_string(query_user_exec_builtin, query_user[i].prompt, "CHALLENGE: 
Please enter token PIN");
+will_return(query_user_exec_builtin, "challenge_response");
+will_return(query_user_exec_builtin, true);
+assert_true(get_user_pass_cr(, NULL, "UT", flags, challenge));
+assert_true(up.defined);
+assert_string_equal(up.username, "cr1");
+assert_string_equal(up.password, 
"CRV1::Om01u7Fh4LrGBS7uh0SWmzwabUiGiW6l::challenge_response");
+}
+
+static void
+test_get_user_pass_static_challenge(void **state)
+{
+struct user_pass up = { 0 };
+reset_user_pass();
+const char *challenge = "Please enter token PIN";
+unsigned int flags = GET_USER_PASS_STATIC_CHALLENGE;
+
+expect_string(query_user_exec_builtin, query_user[i].prompt, "Enter UT 
Username:");
+will_return(query_user_exec_builtin, "cuser");
+expect_string(query_user_exec_builtin, query_user[i].prompt, "Enter UT 
Password:");
+will_return(query_user_exec_builtin, "cpassword");
+will_return(query_user_exec_builtin, true);
+expect_string(query_user_exec_builtin, query_user[i].prompt, "CHALLENGE: 
Please enter token PIN");
+will_return(query_user_exec_builtin, "challenge_response");
+will_return(query_user_exec_builtin, true);
+assert_true(get_user_pass_cr(, NULL, "UT", flags, challenge));
+assert_true(up.defined);
+assert_string_equal(up.username, "cuser");
+/* SCRV1:cpassword:challenge_response but base64-encoded */
+assert_string_equal(up.password, 
"SCRV1:Y3Bhc3N3b3Jk:Y2hhbGxlbmdlX3Jlc3BvbnNl");
+
+reset_user_pass();
+
+flags |= GET_USER_PASS_INLINE_CREDS;
+
+/*FIXME: query_user_exec() called even though nothing queued */
+will_return(query_user_exec_builtin, true);
+expect_string(query_user_exec_builtin, query_user[i].prompt, "CHALLENGE: 
Please enter token PIN");
+will_return(query_user_exec_builtin, "challenge_response");
+will_return(query_user_exec_builtin, true);
+assert_true(get_user_pass_cr(, "iuser\nipassword", "UT", flags, 
challenge));
+assert_true(up.defined);
+assert_string_equal(up.username, "iuser");
+/* SCRV1:ipassword:challenge_response but base64-encoded */
+assert_string_equal(up.password, 
"SCRV1:aXBhc3N3b3Jk:Y2hhbGxlbmdlX3Jlc3BvbnNl");
+}
+#endif /* ENABLE_MANAGEMENT */
+
 const struct CMUnitTest user_pass_tests[] = {
 cmocka_unit_test(test_get_user_pass_defined),
 cmocka_unit_test(test_get_user_pass_needok),
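Review bot: Both new tests feed only well-formed challenges, so the NULL paths of the challenge parser are never reached. The dynamic case should gain at least one malformed CRV1 string (wrong prefix, a missing field, a user name that is not valid base64) with an assertion on what get_user_pass_cr does with it, since the challenge string is not under the client's control. The challenge also supplies the flags "R,E" but nothing asserts on echo handling, and the repeated "FIXME: query_user_exec() called even though nothing queued" workaround would be easier to clean up later if the comment named a tracking issue.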
@@ -375,6 +432,10 @@
 cmocka_unit_test(test_get_user_pass_authfile_stdin_assertions),
 cmocka_unit_test(test_get_user_pass_authfile_file_assertions),
 #endif
+#ifdef ENABLE_MANAGEMENT
+cmocka_unit_test(test_get_user_pass_dynamic_challenge),
+cmocka_unit_test(test_get_user_pass_static_challenge),
+#endif /* ENABLE_MANAGEMENT */
 };

 int

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/475?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I8b5570f6314e917f92dce072279efe415d79b22a
Gerrit-Change-Number: 475
Gerrit-PatchSet: 3
Gerrit-Owner: flichtenheld 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-Attention: plaisthos 
Gerrit-Attention: flichtenheld 
Gerrit-MessageType: newpatchset


[Openvpn-devel] [M] Change in openvpn[master]: test_user_pass: Check fatal errors for empty username/password

2023-12-12 Thread flichtenheld (Code Review)
Attention is currently required from: plaisthos.

Hello plaisthos,

I'd like you to reexamine a change. Please visit

http://gerrit.openvpn.net/c/openvpn/+/474?usp=email

to look at the new patch set (#3).

The following approvals got outdated and were removed:
Code-Review-1 by plaisthos


Change subject: test_user_pass: Check fatal errors for empty username/password
..

test_user_pass: Check fatal errors for empty username/password

Required a fix to mock_msg to make tests of M_FATAL
possible at all.
This also tests some cases which arguably should throw
a fatal error but do not.

v2:
 - Suppress LeakSanitizer errors for fatal error tests.
   Due to aborting the function, the memory will not be
   cleaned up, but that is expected.
v3:
 - Disable assert tests with MSVC. Does not seem to catch
   the error correctly.
 - Rebase on top of parallel-tests series to get
   AM_TESTS_ENVIRONMENT.

Change-Id: Icabc8acf75638c86c8c395e9ffecba7a7226cd97
Signed-off-by: Frank Lichtenheld 
---
M CMakeLists.txt
M tests/unit_tests/openvpn/Makefile.am
A tests/unit_tests/openvpn/input/appears_empty.txt
A tests/unit_tests/openvpn/input/empty.txt
A tests/unit_tests/openvpn/input/leak_suppr.txt
M tests/unit_tests/openvpn/mock_msg.c
M tests/unit_tests/openvpn/test_user_pass.c
7 files changed, 112 insertions(+), 3 deletions(-)


  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/74/474/3

diff --git a/CMakeLists.txt b/CMakeLists.txt
index af891a5..bbbf683 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -649,7 +649,7 @@
 # for compat with autotools make check
 set(_UT_SOURCE_DIR 
${CMAKE_CURRENT_SOURCE_DIR}/tests/unit_tests/openvpn)
 set_tests_properties(${test_name} PROPERTIES
-ENVIRONMENT "srcdir=${_UT_SOURCE_DIR}")
+ENVIRONMENT 
"srcdir=${_UT_SOURCE_DIR};LSAN_OPTIONS=suppressions=${_UT_SOURCE_DIR}/input/leak_suppr.txt")
 endif ()
 add_executable(${test_name}
 tests/unit_tests/openvpn/${test_name}.c
diff --git a/tests/unit_tests/openvpn/Makefile.am 
b/tests/unit_tests/openvpn/Makefile.am
index 342f428..5d95c7b 100644
--- a/tests/unit_tests/openvpn/Makefile.am
+++ b/tests/unit_tests/openvpn/Makefile.am
@@ -4,6 +4,8 @@

 AM_TESTSUITE_SUMMARY_HEADER = ' for $(PACKAGE_STRING) Unit-Tests'

+AM_TESTS_ENVIRONMENT = export 
LSAN_OPTIONS=suppressions=$(srcdir)/input/leak_suppr.txt;
+
 test_binaries=

 if HAVE_LD_WRAP_SUPPORT
diff --git a/tests/unit_tests/openvpn/input/appears_empty.txt 
b/tests/unit_tests/openvpn/input/appears_empty.txt
new file mode 100644
index 000..ffb749a
--- /dev/null
+++ b/tests/unit_tests/openvpn/input/appears_empty.txt
@@ -0,0 +1,3 @@
+
+
+(contains \t\n\t\n)
diff --git a/tests/unit_tests/openvpn/input/empty.txt 
b/tests/unit_tests/openvpn/input/empty.txt
new file mode 100644
index 000..e69de29
--- /dev/null
+++ b/tests/unit_tests/openvpn/input/empty.txt
diff --git a/tests/unit_tests/openvpn/input/leak_suppr.txt 
b/tests/unit_tests/openvpn/input/leak_suppr.txt
new file mode 100644
index 000..72ebfe0
--- /dev/null
+++ b/tests/unit_tests/openvpn/input/leak_suppr.txt
@@ -0,0 +1 @@
+leak:_assertions$
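Review bot: The pattern "leak:_assertions$" is broader than the commit message suggests. It is loaded through the CMake ENVIRONMENT property set for ${test_name} and through AM_TESTS_ENVIRONMENT, so LeakSanitizer reports are suppressed for any function whose name ends in "_assertions" in any unit test binary, not only for the fatal-error tests in test_user_pass.c. Listing the specific test function names in the suppression file, or setting LSAN_OPTIONS only for test_user_pass, keeps genuine leaks in other tests visible. The Makefile.am line also replaces any LSAN_OPTIONS value the developer has already exported.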
diff --git a/tests/unit_tests/openvpn/mock_msg.c 
b/tests/unit_tests/openvpn/mock_msg.c
index d74efaa..2fcad9d 100644
--- a/tests/unit_tests/openvpn/mock_msg.c
+++ b/tests/unit_tests/openvpn/mock_msg.c
@@ -38,7 +38,6 @@
 #include "error.h"

 unsigned int x_debug_level = 0; /* Default to (almost) no debugging output */
-bool fatal_error_triggered = false;

 void
 mock_set_debug_level(int level)
@@ -58,11 +57,14 @@
 {
 if (flags & M_FATAL)
 {
-fatal_error_triggered = true;
 printf("FATAL ERROR:");
 }
 vprintf(format, arglist);
 printf("\n");
+if (flags & M_FATAL)
+{
+mock_assert(false, "FATAL ERROR", __FILE__, __LINE__);
+}
 }

 void
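Review bot: The mock_assert call added in the M_FATAL branch passes __FILE__ and __LINE__, which always point into mock_msg.c, so an unexpected fatal error in a test gives no hint about which message triggered it; putting the formatted message into the assertion text would make such failures traceable. With fatal_error_triggered removed in the previous hunk, the commit should also confirm that no other unit test still reads that flag.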
diff --git a/tests/unit_tests/openvpn/test_user_pass.c 
b/tests/unit_tests/openvpn/test_user_pass.c
index 277cb1d..d6e5650 100644
--- a/tests/unit_tests/openvpn/test_user_pass.c
+++ b/tests/unit_tests/openvpn/test_user_pass.c
@@ -164,6 +164,16 @@

 reset_user_pass();

+/*FIXME: query_user_exec() called even though nothing queued */
+will_return(query_user_exec_builtin, true);
+/*FIXME: silently removes control characters but does not error out */
+assert_true(get_user_pass_cr(, "\t\n\t", "UT", flags, NULL));
+assert_true(up.defined);
+assert_string_equal(up.username, "");
+assert_string_equal(up.password, "");
+
+reset_user_pass();
+
 expect_string(query_user_exec_builtin, query_user[i].prompt, "Enter UT 
Password:");
 will_return(query_user_exec_builtin, "cpassword");
 will_return(query_user_exec_builtin, true);
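Review bot: The added block asserts that the inline input "\t\n\t" yields up.defined with an empty username and an empty password, which the FIXME comment above it describes as behaviour that should be an error. A passing test on known-wrong behaviour reads like a specification; the comment should state the intended outcome (a fatal error for empty credentials) so that whoever fixes the filtering knows these three assertions are meant to be inverted and not preserved.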
@@ -196,6 +206,25 @@
 assert_string_equal(up.password, "cpassword");
 }

+/* NOTE: expect_assert_failure does not seem to work with MSVC */
+#ifndef _MSC_VER
+/* NOTE: leaks gc memory 

[Openvpn-devel] [S] Change in openvpn[master]: test_user_pass: Add UTs for character filtering

2023-12-12 Thread flichtenheld (Code Review)
Attention is currently required from: flichtenheld.

Hello plaisthos,

I'd like you to reexamine a change. Please visit

http://gerrit.openvpn.net/c/openvpn/+/473?usp=email

to look at the new patch set (#2).

The change is no longer submittable: checks~ChecksSubmitRule is unsatisfied now.


Change subject: test_user_pass: Add UTs for character filtering
..

test_user_pass: Add UTs for character filtering

For simplicity I implemented them only with the
inline method, but they actually apply to all methods.

Change-Id: Ie8d2d5f6f58679baaf5eb817a7e2ca1afcb8c4db
Signed-off-by: Frank Lichtenheld 
---
M tests/unit_tests/openvpn/test_user_pass.c
1 file changed, 23 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/73/473/2

diff --git a/tests/unit_tests/openvpn/test_user_pass.c 
b/tests/unit_tests/openvpn/test_user_pass.c
index ab4dfe4..277cb1d 100644
--- a/tests/unit_tests/openvpn/test_user_pass.c
+++ b/tests/unit_tests/openvpn/test_user_pass.c
@@ -141,6 +141,29 @@

 reset_user_pass();

+/* Test various valid characters */
+/*FIXME: query_user_exec() called even though nothing queued */
+will_return(query_user_exec_builtin, true);
+/* FIXME? content after first two lines just ignored */
+assert_true(get_user_pass_cr(, "#iuser and 커뮤니티\n//ipasswörd!\nsome 
other content\nnot relevant", "UT", flags, NULL));
+assert_true(up.defined);
+assert_string_equal(up.username, "#iuser and 커뮤니티");
+assert_string_equal(up.password, "//ipasswörd!");
+
+reset_user_pass();
+
+/* Test various invalid characters */
+/*FIXME: query_user_exec() called even though nothing queued */
+will_return(query_user_exec_builtin, true);
+/*FIXME? allows arbitrary crap if c > 127 */
+/*FIXME? silently removes control characters */
+assert_true(get_user_pass_cr(, "\tiuser\r\nipass\xffwo\x1erd", "UT", 
flags, NULL));
+assert_true(up.defined);
+assert_string_equal(up.username, "iuser");
+assert_string_equal(up.password, "ipass\xffword");
+
+reset_user_pass();
+
 expect_string(query_user_exec_builtin, query_user[i].prompt, "Enter UT 
Password:");
 will_return(query_user_exec_builtin, "cpassword");
 will_return(query_user_exec_builtin, true);
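Review bot: In the "invalid characters" case the expected password "ipass\xffword" pins two behaviours that the FIXME comments themselves question: the byte 0xff, which is not valid UTF-8, is kept, while 0x1e is dropped without any error, so the credential that is used differs from the one supplied. Splitting this into one case per behaviour and stating the intended result in each comment would make it clear which assertions document a bug and which document the contract. The same applies to the first case, where everything after the second line of the inline input is ignored.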

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/473?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Ie8d2d5f6f58679baaf5eb817a7e2ca1afcb8c4db
Gerrit-Change-Number: 473
Gerrit-PatchSet: 2
Gerrit-Owner: flichtenheld 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-Attention: flichtenheld 
Gerrit-MessageType: newpatchset


[Openvpn-devel] [L] Change in openvpn[master]: test_user_pass: new UT for get_user_pass

2023-12-12 Thread flichtenheld (Code Review)
Attention is currently required from: plaisthos.

Hello plaisthos,

I'd like you to reexamine a change. Please visit

http://gerrit.openvpn.net/c/openvpn/+/468?usp=email

to look at the new patch set (#4).


Change subject: test_user_pass: new UT for get_user_pass
..

test_user_pass: new UT for get_user_pass

UTs for basic functionality, without management functions.

v2:
 - add CMake support
 - add GHA support for both MSVC and mingw
v3:
 - fix distcheck by adding input/ directory to dist

Change-Id: I193aef06912f01426dd4ac298aadfab97dd75a35
Signed-off-by: Frank Lichtenheld 
---
M .github/workflows/build.yaml
M CMakeLists.txt
M src/openvpn/syshead.h
M tests/unit_tests/openvpn/Makefile.am
A tests/unit_tests/openvpn/input/user_only.txt
A tests/unit_tests/openvpn/input/user_pass.txt
A tests/unit_tests/openvpn/test_user_pass.c
7 files changed, 308 insertions(+), 2 deletions(-)


  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/68/468/4

diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 4393f5c..784a844 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -85,11 +85,13 @@
   fail-fast: false
   matrix:
 arch: [x86, x64]
-test: [argv, auth_token, buffer, cryptoapi, crypto, misc, ncp, 
packet_id, pkt, provider, tls_crypt]
+test: [argv, auth_token, buffer, cryptoapi, crypto, misc, ncp, 
packet_id, pkt, provider, tls_crypt, user_pass]

 runs-on: windows-latest
 name: "mingw unittest ${{ matrix.test }} - ${{ matrix.arch }} - OSSL"
 steps:
+  - name: Checkout OpenVPN
+uses: actions/checkout@v3
   - name: Retrieve mingw unittest
 uses: actions/download-artifact@v3
 with:
@@ -97,6 +99,8 @@
   path: unittests
   - name: Run ${{ matrix.test }} unit test
 run: ./unittests/test_${{ matrix.test }}.exe
+env:
+  srcdir: "${{ github.workspace }}/tests/unit_tests/openvpn"

   ubuntu:
 strategy:
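Review bot: `srcdir` is assembled as `"${{ github.workspace }}/tests/unit_tests/openvpn"`, and on `windows-latest` the workspace path uses backslashes, so the test binary receives a path with mixed separators. Please confirm that the code joining `srcdir` with the `input/` file names copes with that. The variable is also only meaningful because of the `Checkout OpenVPN` step added in the previous hunk; a short comment on the `env:` block saying that the unit tests read their input files through `srcdir` would make the dependency visible.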
@@ -279,6 +283,7 @@
   configurePreset: win-${{ matrix.arch }}-release
   buildPreset: win-${{ matrix.arch }}-release
   testPreset: win-${{ matrix.arch }}-release
+  testPresetAdditionalArgs: "['--output-on-failure']"

   - uses: actions/upload-artifact@v3
 with:
diff --git a/CMakeLists.txt b/CMakeLists.txt
index d40b213..af891a5 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -587,6 +587,7 @@
 "test_packet_id"
 "test_pkt"
 "test_provider"
+"test_user_pass"
 )

 if (WIN32)
@@ -645,6 +646,10 @@
 # test_networking needs special environment
 if (NOT ${test_name} STREQUAL "test_networking")
 add_test(${test_name} ${test_name})
+# for compat with autotools make check
+set(_UT_SOURCE_DIR 
${CMAKE_CURRENT_SOURCE_DIR}/tests/unit_tests/openvpn)
+set_tests_properties(${test_name} PROPERTIES
+ENVIRONMENT "srcdir=${_UT_SOURCE_DIR}")
 endif ()
 add_executable(${test_name}
 tests/unit_tests/openvpn/${test_name}.c
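Review bot: `set(_UT_SOURCE_DIR ...)` sits inside the block that runs once per `${test_name}`, although its value never changes; it can move above the loop. `set_tests_properties(... ENVIRONMENT "srcdir=${_UT_SOURCE_DIR}")` also replaces the property rather than appending to it, so any test that needs a second environment variable later has to repeat `srcdir`. The comment "for compat with autotools make check" would be more useful if it said that the tests locate their `input/` files through `srcdir`.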
@@ -739,6 +744,15 @@
 src/openvpn/base64.c
 )

+target_sources(test_user_pass PRIVATE
+tests/unit_tests/openvpn/mock_get_random.c
+tests/unit_tests/openvpn/mock_win32_execve.c
+src/openvpn/base64.c
+src/openvpn/console.c
+src/openvpn/env_set.c
+src/openvpn/run_command.c
+)
+
 if (TARGET test_argv)
 target_link_options(test_argv PRIVATE -Wl,--wrap=parse_line)
 target_sources(test_argv PRIVATE
diff --git a/src/openvpn/syshead.h b/src/openvpn/syshead.h
index 7181b94..d89d2b5 100644
--- a/src/openvpn/syshead.h
+++ b/src/openvpn/syshead.h
@@ -522,4 +522,10 @@
 #define ENABLE_MEMSTATS
 #endif

+#ifdef _MSC_VER
+#ifndef PATH_MAX
+#define PATH_MAX MAX_PATH
+#endif
+#endif
+
 #endif /* ifndef SYSHEAD_H */
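Review bot: The new `PATH_MAX` fallback carries no comment explaining why it is needed, and it lands in a header that is included everywhere, while the commit message only talks about a unit test. Under MSVC every buffer sized with `PATH_MAX` now gets the `MAX_PATH` limit, so please add a one-line comment stating that, and that `MAX_PATH` has to be visible from the Windows headers at this point in the file.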
diff --git a/tests/unit_tests/openvpn/Makefile.am 
b/tests/unit_tests/openvpn/Makefile.am
index cecf4dc..342f428 100644
--- a/tests/unit_tests/openvpn/Makefile.am
+++ b/tests/unit_tests/openvpn/Makefile.am
@@ -1,5 +1,7 @@
 AUTOMAKE_OPTIONS = foreign

+EXTRA_DIST = input
+
 AM_TESTSUITE_SUMMARY_HEADER = ' for $(PACKAGE_STRING) Unit-Tests'

 test_binaries=
@@ -9,7 +11,7 @@
 endif

 test_binaries += crypto_testdriver packet_id_testdriver auth_token_testdriver 
ncp_testdriver misc_testdriver \
-   pkt_testdriver
+   pkt_testdriver user_pass_testdriver
 if HAVE_LD_WRAP_SUPPORT
 if !WIN32
 test_binaries += tls_crypt_testdriver
@@ -216,6 +218,22 @@
$(top_srcdir)/src/openvpn/base64.c


+user_pass_testdriver_CFLAGS  = @TEST_CFLAGS@ \
+   -I$(top_srcdir)/include -I$(top_srcdir)/src/compat 
-I$(top_srcdir)/src/openvpn
+user_pass_testdriver_LDFLAGS = @TEST_LDFLAGS@
+
+user_pass_testdriver_SOURCES = test_user_pass.c mock_msg.c \
+   $(top_srcdir)/src/openvpn/buffer.c \
+   

[Openvpn-devel] [L] Change in openvpn[master]: test_user_pass: new UT for get_user_pass

2023-12-12 Thread flichtenheld (Code Review)
Attention is currently required from: plaisthos.

flichtenheld has posted comments on this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/468?usp=email )

Change subject: test_user_pass: new UT for get_user_pass
..


Patch Set 3:

(1 comment)

File CMakeLists.txt:

http://gerrit.openvpn.net/c/openvpn/+/468/comment/dee6622f_63f1197f :
PS3, Line 625: ENVIRONMENT 
"srcdir=${CMAKE_CURRENT_SOURCE_DIR}/tests/unit_tests/openvpn")
> srcdir environment variable is the official interface for automake test suite 
> which is why I used it […]
Using a define breaks the mingw unit tests so still looking into this.



--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/468?usp=email

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I193aef06912f01426dd4ac298aadfab97dd75a35
Gerrit-Change-Number: 468
Gerrit-PatchSet: 3
Gerrit-Owner: flichtenheld 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-Attention: plaisthos 
Gerrit-Comment-Date: Tue, 12 Dec 2023 13:34:07 +
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Comment-In-Reply-To: plaisthos 
Comment-In-Reply-To: flichtenheld 
Gerrit-MessageType: comment


[Openvpn-devel] [M] Change in openvpn[master]: tests: fork default automake test-driver

2023-12-12 Thread flichtenheld (Code Review)
Attention is currently required from: plaisthos.

Hello plaisthos,

I'd like you to reexamine a change. Please visit

http://gerrit.openvpn.net/c/openvpn/+/478?usp=email

to look at the new patch set (#2).


Change subject: tests: fork default automake test-driver
..

tests: fork default automake test-driver

For some of the tests we don't like the default log behavior
and there seems no easy way to change that except to fork
the driver. The license seems unproblematic since we're
GPL anyway.

v2:
 - Do not use forked-test-driver for UTs. Default behavior
   is fine for those.

Change-Id: I67d461afbcc9c06b1fc5ab4477141d7b8bd9ba8e
Signed-off-by: Frank Lichtenheld 
---
M Makefile.am
A forked-test-driver
M tests/Makefile.am
3 files changed, 156 insertions(+), 1 deletion(-)


  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/78/478/2

diff --git a/Makefile.am b/Makefile.am
index 2305ab4..6deecf3 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -44,7 +44,8 @@
debug \
CMakeLists.txt \
CMakePresets.json \
-   config.h.cmake.in
+   config.h.cmake.in \
+   forked-test-driver

 .PHONY: config-version.h doxygen

diff --git a/forked-test-driver b/forked-test-driver
new file mode 100755
index 000..be73b80
--- /dev/null
+++ b/forked-test-driver
@@ -0,0 +1,153 @@
+#! /bin/sh
+# test-driver - basic testsuite driver script.
+
+scriptversion=2018-03-07.03; # UTC
+
+# Copyright (C) 2011-2021 Free Software Foundation, Inc.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2, or (at your option)
+# any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see .
+
+# As a special exception to the GNU General Public License, if you
+# distribute this file as part of a program that contains a
+# configuration script generated by Autoconf, you may include it under
+# the same distribution terms that you use for the rest of that program.
+
+# This file is maintained in Automake, please report
+# bugs to  or send patches to
+# .
+
+# Make unconditional expansion of undefined variables an error.  This
+# helps a lot in preventing typo-related bugs.
+set -u
+
+usage_error ()
+{
+  echo "$0: $*" >&2
+  print_usage >&2
+  exit 2
+}
+
+print_usage ()
+{
+  cat <"$log_file"
+"$@" >>"$log_file" 2>&1
+estatus=$?
+
+if test $enable_hard_errors = no && test $estatus -eq 99; then
+  tweaked_estatus=1
+else
+  tweaked_estatus=$estatus
+fi
+
+case $tweaked_estatus:$expect_failure in
+  0:yes) col=$red res=XPASS recheck=yes gcopy=yes;;
+  0:*)   col=$grn res=PASS  recheck=no  gcopy=no;;
+  77:*)  col=$blu res=SKIP  recheck=no  gcopy=yes;;
+  99:*)  col=$mgn res=ERROR recheck=yes gcopy=yes;;
+  *:yes) col=$lgn res=XFAIL recheck=no  gcopy=yes;;
+  *:*)   col=$red res=FAIL  recheck=yes gcopy=yes;;
+esac
+
+# Report the test outcome and exit status in the logs, so that one can
+# know whether the test passed or failed simply by looking at the '.log'
+# file, without the need of also peaking into the corresponding '.trs'
+# file (automake bug#11814).
+echo "$res $test_name (exit status: $estatus)" >>"$log_file"
+
+# Report outcome to console.
+echo "${col}${res}${std}: $test_name"
+
+# Register the test result, and other relevant metadata.
+echo ":test-result: $res" > $trs_file
+echo ":global-test-result: $res" >> $trs_file
+echo ":recheck: $recheck" >> $trs_file
+echo ":copy-in-global-log: $gcopy" >> $trs_file
+
+# Local Variables:
+# mode: shell-script
+# sh-indentation: 2
+# eval: (add-hook 'before-save-hook 'time-stamp)
+# time-stamp-start: "scriptversion="
+# time-stamp-format: "%:y-%02m-%02d.%02H"
+# time-stamp-time-zone: "UTC0"
+# time-stamp-end: "; # UTC"
+# End:
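Review bot: The forked file still introduces itself as `# test-driver - basic testsuite driver script.` and keeps the "This file is maintained in Automake, please report bugs to" paragraph, so nothing in it says that it is a local fork. Add a short header stating that this is OpenVPN's modified copy, which upstream version it was taken from (the `scriptversion=2018-03-07.03` line) and why it was forked. That keeps bug reports away from Automake, makes later diffs against upstream possible, and provides the change notice that the GPL asks for on modified files.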
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 6c71067..b3b2d74 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -15,6 +15,7 @@
 SUBDIRS = unit_tests

 AM_TESTSUITE_SUMMARY_HEADER = ' for $(PACKAGE_STRING) System Tests'
+LOG_DRIVER = $(SHELL) $(top_srcdir)/forked-test-driver

 if !WIN32
 test_scripts = t_client.sh t_lpback.sh t_cltsrv.sh

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/478?usp=email

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I67d461afbcc9c06b1fc5ab4477141d7b8bd9ba8e
Gerrit-Change-Number: 478
Gerrit-PatchSet: 2
Gerrit-Owner: flichtenheld 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-Attention: plaisthos 

[Openvpn-devel] [XS] Change in openvpn[master]: configure: enable silent rules by default

2023-12-12 Thread flichtenheld (Code Review)
Attention is currently required from: plaisthos.

Hello plaisthos,

I'd like you to do a code review.
Please visit

http://gerrit.openvpn.net/c/openvpn/+/480?usp=email

to review the following change.


Change subject: configure: enable silent rules by default
..

configure: enable silent rules by default

The default build log is big and basically
unreadable.

Go the way of other build systems and do not
print compile commands by default. Verbose
output can always be enabled with make V=1.

Change-Id: Ib226079d1543209e08e5fdcf7344cd20850bea9d
Signed-off-by: Frank Lichtenheld 
---
M configure.ac
1 file changed, 1 insertion(+), 0 deletions(-)



  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/80/480/1

diff --git a/configure.ac b/configure.ac
index 2823f04..9bc4d64 100644
--- a/configure.ac
+++ b/configure.ac
@@ -56,6 +56,7 @@
 # This foreign option prevents autoreconf from overriding our COPYING and
 # INSTALL targets:
 AM_INIT_AUTOMAKE(foreign subdir_objects 1.9) dnl NB: Do not [quote] this 
parameter.
+AM_SILENT_RULES([yes])
 AC_CANONICAL_HOST
 AC_USE_SYSTEM_EXTENSIONS
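Review bot: `AM_SILENT_RULES([yes])` is added directly below `AM_INIT_AUTOMAKE(foreign subdir_objects 1.9)`, but the macro only exists from Automake 1.11 on, so the declared minimum of `1.9` is no longer accurate. Either raise the version in `AM_INIT_AUTOMAKE` or guard the call with `m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES([yes])])`. Since silent rules also hide the compiler and linker flags, the CI builds should pass `V=1` so that the hardening and warning flags stay visible in the logs.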


--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/480?usp=email

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Ib226079d1543209e08e5fdcf7344cd20850bea9d
Gerrit-Change-Number: 480
Gerrit-PatchSet: 1
Gerrit-Owner: flichtenheld 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-Attention: plaisthos 
Gerrit-MessageType: newchange


[Openvpn-devel] [XS] Change in openvpn[master]: forked-test-driver: Show test output always

2023-12-12 Thread flichtenheld (Code Review)
Attention is currently required from: plaisthos.

flichtenheld has posted comments on this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/479?usp=email )

Change subject: forked-test-driver: Show test output always
..


Patch Set 1:

(1 comment)

File forked-test-driver:

http://gerrit.openvpn.net/c/openvpn/+/479/comment/f56067ca_738d3288 :
PS1, Line 112: "$@" 2>&1 | tee -a "$log_file"
breaks exit status without set -o pipefail. Which is probably not portable... 
Setting to WIP until I have figured out a solution for that.



--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/479?usp=email

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I11e0091482d9acee89ca018374cb8d96d22f8514
Gerrit-Change-Number: 479
Gerrit-PatchSet: 1
Gerrit-Owner: flichtenheld 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-Attention: plaisthos 
Gerrit-Comment-Date: Tue, 12 Dec 2023 13:16:32 +
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Gerrit-MessageType: comment
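
The exit-status problem raised in the comment above, as an added example that is not part of the thread or of the OpenVPN change: a POSIX sh way to show a test's output through `tee` and still get the test's own exit status, without `set -o pipefail`. The names `fake_test`, `run_naive` and `run_portable` are hypothetical, and `fake_test` is a constructed stand-in for a real test program.

```shell
#!/bin/sh
# Added example (not OpenVPN code): preserve a command's exit status when its
# output is piped through tee, using only POSIX sh features.

# Constructed stand-in for a test program: prints one line, exits with $1.
fake_test() {
  echo "test output"
  return "$1"
}

# Naive form, as quoted in the review comment: the pipeline's status is
# tee's, so a failing test still looks like success to the caller.
run_naive() {
  log=$1; shift
  "$@" 2>&1 | tee -a "$log"
}

# Portable form: the left side of the pipe writes the command's status to
# fd 3, which the command substitution captures; tee's copy of the output
# goes to fd 4, a duplicate of the caller's stdout.
run_portable() {
  log=$1; shift
  {
    estatus=$(
      {
        {
          s=0
          # Close fds 3 and 4 for the command itself so that a lingering
          # child cannot keep the capture pipe open.
          "$@" 2>&1 3>&- 4>&- || s=$?
          echo "$s" >&3
        } | tee -a "$log" >&4
      } 3>&1
    )
  } 4>&1
  # An empty capture means the wrapper itself broke; report 99, which the
  # driver shown on this page maps to ERROR.
  return "${estatus:-99}"
}
```

With `run_naive` a test that exits 3 is reported as 0, which the driver's `case` statement would record as PASS; `run_portable` returns 3 and the log file still receives the output.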


[Openvpn-devel] [L] Change in openvpn[master]: Add test_ssl unit test and test export of PEM to file

2023-12-12 Thread flichtenheld (Code Review)
Attention is currently required from: plaisthos.

flichtenheld has posted comments on this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/471?usp=email )

Change subject: Add test_ssl unit test and test export of PEM to file
..


Patch Set 2: Code-Review-1

(3 comments)

File tests/unit_tests/openvpn/Makefile.am:

http://gerrit.openvpn.net/c/openvpn/+/471/comment/0c7d5a64_4d9a9d5c :
PS2, Line 86: $(top_srcdir)/src/openvpn/xkey_provider.c \
indent


File tests/unit_tests/openvpn/mock_management.c:

http://gerrit.openvpn.net/c/openvpn/+/471/comment/1c9c81df_b412d262 :
PS2, Line 49: (void) man;
inconsistent (void), used it in one function, but not the other


File tests/unit_tests/openvpn/test_ssl.c:

http://gerrit.openvpn.net/c/openvpn/+/471/comment/f87f0957_64554c69 :
PS2, Line 47: /* Mock function to be allowed to include win32.c which is 
required for
You originally created win32-util.c for the purpose of UT (see commit 
5a571fb0f68ce6961cddfa495af2cedf3ee0e216). Maybe just move the win_get_tempdir 
to that?



--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/471?usp=email

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Ie248d35d063bb6878f3dd42840c77ba0d6fa3381
Gerrit-Change-Number: 471
Gerrit-PatchSet: 2
Gerrit-Owner: plaisthos 
Gerrit-Reviewer: flichtenheld 
Gerrit-CC: openvpn-devel 
Gerrit-Attention: plaisthos 
Gerrit-Comment-Date: Tue, 12 Dec 2023 13:10:50 +
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment


[Openvpn-devel] [S] Change in openvpn[master]: Cache mbed TLS dependency and build latest 2.x mbed TLS as well

2023-12-12 Thread plaisthos (Code Review)
Attention is currently required from: flichtenheld.

plaisthos has posted comments on this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/455?usp=email )

Change subject: Cache mbed TLS dependency and build latest 2.x mbed TLS as well
..


Patch Set 4:

(1 comment)

File .github/workflows/build.yaml:

http://gerrit.openvpn.net/c/openvpn/+/455/comment/5076711d_e7be7ada :
PS4, Line 389:   key: ${{ matrix.build 
}}-mbedtls-${{matrix.mbedtlsver}}-${{matrix.cmakebuild}}
> matrix.cmakebuild seems undefined? Did you maybe mean matrix. […]
That is a leftover of my own patch. I built mbed TLS with cmake instead of 
configure/make and then would pick either debug or asan for mbed TLS as well. 
But it seems not to be possible to pick that with configure/make. Will just 
remove it.



--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/455?usp=email

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I39fb3f05b6245af9ae5dd666bfc53ed07e5cfb24
Gerrit-Change-Number: 455
Gerrit-PatchSet: 4
Gerrit-Owner: plaisthos 
Gerrit-Reviewer: flichtenheld 
Gerrit-CC: openvpn-devel 
Gerrit-Attention: flichtenheld 
Gerrit-Comment-Date: Tue, 12 Dec 2023 12:13:28 +
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Comment-In-Reply-To: flichtenheld 
Gerrit-MessageType: comment


[Openvpn-devel] [M] Change in openvpn[master]: Check PRF availability on initialisation and add --force-tls-key-mate...

2023-12-12 Thread plaisthos (Code Review)
Attention is currently required from: cron2, flichtenheld.

plaisthos has posted comments on this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/460?usp=email )

Change subject: Check PRF availability on initialisation and add 
--force-tls-key-material-export
..


Patch Set 6:

(2 comments)

File src/openvpn/multi.c:

http://gerrit.openvpn.net/c/openvpn/+/460/comment/09e5b596_0004b9ee :
PS5, Line 1841: return false;
> there is whitespace missing at the first and second line wrap ("thisserver" 
> and "(RFC 5705)support"
Done


File src/openvpn/options.c:

http://gerrit.openvpn.net/c/openvpn/+/460/comment/4bde8b54_2a323d2b :
PS5, Line 3661: }
> D'oh. Sorry for missing that.
Whoops, sorry for that. My bash history also shows that I still had the option 
on the command line, so I totally missed that.



--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/460?usp=email

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I04f8c7c413e7cb62c726262feee6ca89c7e86c70
Gerrit-Change-Number: 460
Gerrit-PatchSet: 6
Gerrit-Owner: plaisthos 
Gerrit-Reviewer: cron2 
Gerrit-Reviewer: flichtenheld 
Gerrit-CC: openvpn-devel 
Gerrit-Attention: cron2 
Gerrit-Attention: flichtenheld 
Gerrit-Comment-Date: Tue, 12 Dec 2023 12:11:27 +
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Comment-In-Reply-To: cron2 
Comment-In-Reply-To: flichtenheld 
Gerrit-MessageType: comment


[Openvpn-devel] [M] Change in openvpn[master]: Check PRF availability on initialisation and add --force-tls-key-mate...

2023-12-12 Thread plaisthos (Code Review)
Attention is currently required from: cron2, plaisthos.

Hello cron2, flichtenheld,

I'd like you to reexamine a change. Please visit

http://gerrit.openvpn.net/c/openvpn/+/460?usp=email

to look at the new patch set (#7).


Change subject: Check PRF availability on initialisation and add 
--force-tls-key-material-export
..

Check PRF availability on initialisation and add --force-tls-key-material-export

We now warn a user if the TLS 1.0 PRF is not supported by the cryptographic
library of the system. Also add the option --force-tls-key-material-export
that automatically rejects clients that do not support TLS Keying Material
Export and automatically enable it when TLS 1.0 PRF support is not available.

Change-Id: I04f8c7c413e7cb62c726262feee6ca89c7e86c70
Signed-off-by: Arne Schwabe 
---
M doc/man-sections/protocol-options.rst
M src/openvpn/crypto.c
M src/openvpn/crypto.h
M src/openvpn/multi.c
M src/openvpn/options.c
M src/openvpn/options.h
6 files changed, 83 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/60/460/7

diff --git a/doc/man-sections/protocol-options.rst 
b/doc/man-sections/protocol-options.rst
index 948c0c8..8b061d2 100644
--- a/doc/man-sections/protocol-options.rst
+++ b/doc/man-sections/protocol-options.rst
@@ -242,3 +242,11 @@
   a key renegotiation begins (default :code:`3600` seconds). This feature
   allows for a graceful transition from old to new key, and removes the key
   renegotiation sequence from the critical path of tunnel data forwarding.
+
+--force-tls-key-material-export
+  This option is only available in --mode server and forces to use
+  Keying Material Exporters (RFC 5705) for clients. This can be used to
+  simulate an environment where the cryptographic library does not support
+  the older method to generate data channel keys anymore. This option is
+  intended to be a test option and might be removed in a future OpenVPN
+  version without notice.
diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index e4452d7..8c17f2a 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -1789,3 +1789,22 @@
 gc_free();
 return ret;
 }
+
+bool
+check_tls_prf_working(void)
+{
+/* Modern TLS libraries might no longer support the TLS 1.0 PRF with
+ * MD5+SHA1. This allows us to establish connections only
+ * with other 2.6.0+ OpenVPN peers.
+ * Do a simple dummy test here to see if it works. */
+const char *seed = "tls1-prf-test";
+const char *secret = "tls1-prf-test-secret";
+uint8_t out[8];
+uint8_t expected_out[] = { 0xe0, 0x5f, 0x1f, 1, 0, 0, 0, 0};
+
+int ret = ssl_tls1_PRF((uint8_t *)seed, (int) strlen(seed),
+   (uint8_t *)secret, (int) strlen(secret),
+   out, sizeof(out));
+
+return (ret && memcmp(out, expected_out, sizeof(out)) != 0);
+}
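Review bot: The final line `return (ret && memcmp(out, expected_out, sizeof(out)) != 0);` returns true when the PRF output differs from `expected_out`, while the declaration in crypto.h documents "true if supported, false otherwise". As written, a library that computes the PRF correctly and matches the vector would be reported as not working, and one that returns garbage would pass. The comparison should be `== 0`, and the self-test is only meaningful once `expected_out` holds the real output for this seed and secret.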
diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h
index 9255d38..4201524 100644
--- a/src/openvpn/crypto.h
+++ b/src/openvpn/crypto.h
@@ -593,4 +593,12 @@
 return kt;
 }

+/**
+ * Checks if the current TLS library supports the TLS 1.0 PRF with MD5+SHA1
+ * that OpenVPN uses when TLS Keying Material Export is not available.
+ *
+ * @return  true if supported, false otherwise.
+ */
+bool check_tls_prf_working(void);
+
 #endif /* CRYPTO_H */
diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
index 8b490ed..e70ad91 100644
--- a/src/openvpn/multi.c
+++ b/src/openvpn/multi.c
@@ -1830,6 +1830,16 @@
 {
 o->imported_protocol_flags |= CO_USE_TLS_KEY_MATERIAL_EXPORT;
 }
+else if (o->force_key_material_export)
+{
+msg(M_INFO, "PUSH: client does not support TLS key material export"
+"but --force-tls-key-material-export is enabled.");
+auth_set_client_reason(tls_multi, "Client incompatible with this"
+   "server. Keying Material Exporters (RFC 5705) "
+   "support missing. Upgrade to a client that "
+   "supports this feature (OpenVPN 2.6.0+).");
+return false;
+}
 if (proto & IV_PROTO_DYN_TLS_CRYPT)
 {
 o->imported_protocol_flags |= CO_USE_DYNAMIC_TLS_CRYPT;
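Review bot: Two of the adjacent string literals still join without a space: the `msg(M_INFO, ...)` text comes out as "...key material exportbut --force-tls-key-material-export is enabled." and the client reason as "Client incompatible with thisserver.". Only the "(RFC 5705) " wrap was fixed in this patch set. The second string is what `auth_set_client_reason` hands to the rejected client, so it is worth getting right; add a trailing space to `"... export"` and to `"... with this"`.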
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 1521872..6f98362 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -1561,6 +1561,7 @@
 SHOW_STR(auth_user_pass_verify_script);
 SHOW_BOOL(auth_user_pass_verify_script_via_file);
 SHOW_BOOL(auth_token_generate);
+SHOW_BOOL(force_key_material_export);
 SHOW_INT(auth_token_lifetime);
 SHOW_STR_INLINE(auth_token_secret_file);
 #if PORT_SHARE
@@ -2802,6 +2803,11 @@
 {
 msg(M_USAGE, "--vlan-tagging requires --mode server");
 }
+
+if (options->force_key_material_export)
+{
+msg(M_USAGE, "--force-tls-key-material-export requires --mode 
server");
+  

[Openvpn-devel] [M] Change in openvpn[master]: Check PRF availability on initialisation and add --force-tls-key-mate...

2023-12-12 Thread plaisthos (Code Review)
Attention is currently required from: cron2, plaisthos.

Hello cron2, flichtenheld,

I'd like you to reexamine a change. Please visit

http://gerrit.openvpn.net/c/openvpn/+/460?usp=email

to look at the new patch set (#6).


Change subject: Check PRF availability on initialisation and add 
--force-tls-key-material-export
..

Check PRF availability on initialisation and add --force-tls-key-material-export

We now warn a user if the TLS 1.0 PRF is not supported by the cryptographic
library of the system. Also add the option --force-tls-key-material-export
that automatically rejects clients that do not support TLS Keying Material
Export and automatically enable it when TLS 1.0 PRF support is not available.

Change-Id: I04f8c7c413e7cb62c726262feee6ca89c7e86c70
Signed-off-by: Arne Schwabe 
---
M doc/man-sections/protocol-options.rst
M src/openvpn/crypto.c
M src/openvpn/crypto.h
M src/openvpn/multi.c
M src/openvpn/options.c
M src/openvpn/options.h
6 files changed, 83 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/60/460/6

diff --git a/doc/man-sections/protocol-options.rst 
b/doc/man-sections/protocol-options.rst
index 948c0c8..8b061d2 100644
--- a/doc/man-sections/protocol-options.rst
+++ b/doc/man-sections/protocol-options.rst
@@ -242,3 +242,11 @@
   a key renegotiation begins (default :code:`3600` seconds). This feature
   allows for a graceful transition from old to new key, and removes the key
   renegotiation sequence from the critical path of tunnel data forwarding.
+
+--force-tls-key-material-export
+  This option is only available in --mode server and forces to use
+  Keying Material Exporters (RFC 5705) for clients. This can be used to
+  simulate an environment where the cryptographic library does not support
+  the older method to generate data channel keys anymore. This option is
+  intended to be a test option and might be removed in a future OpenVPN
+  version without notice.
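Review bot: The man page entry only describes the manual test use, while the commit message says the behaviour is also enabled automatically when TLS 1.0 PRF support is not available, and the multi.c hunk then rejects clients without Keying Material Export. An administrator who sees those rejections will look here, so the entry should mention the automatic activation and its effect on older clients (the rejection text names OpenVPN 2.6.0+). "forces to use" also needs rewording, for example "forces the use of".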
diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index e4452d7..8c17f2a 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -1789,3 +1789,22 @@
 gc_free();
 return ret;
 }
+
+bool
+check_tls_prf_working(void)
+{
+/* Modern TLS libraries might no longer support the TLS 1.0 PRF with
+ * MD5+SHA1. This allows us to establish connections only
+ * with other 2.6.0+ OpenVPN peers.
+ * Do a simple dummy test here to see if it works. */
+const char *seed = "tls1-prf-test";
+const char *secret = "tls1-prf-test-secret";
+uint8_t out[8];
+uint8_t expected_out[] = { 0xe0, 0x5f, 0x1f, 1, 0, 0, 0, 0};
+
+int ret = ssl_tls1_PRF((uint8_t *)seed, (int) strlen(seed),
+   (uint8_t *)secret, (int) strlen(secret),
+   out, sizeof(out));
+
+return (ret && memcmp(out, expected_out, sizeof(out)) != 0);
+}
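Review bot: `expected_out[] = { 0xe0, 0x5f, 0x1f, 1, 0, 0, 0, 0}` ends in a bare `1` and four zero bytes, which reads like a placeholder rather than a computed PRF output for `"tls1-prf-test"` and `"tls1-prf-test-secret"`. The whole self-test hinges on this array, so please put in the real eight bytes and note in the comment how they were produced, so the vector can be re-derived with an independent implementation.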
diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h
index 9255d38..4201524 100644
--- a/src/openvpn/crypto.h
+++ b/src/openvpn/crypto.h
@@ -593,4 +593,12 @@
 return kt;
 }

+/**
+ * Checks if the current TLS library supports the TLS 1.0 PRF with MD5+SHA1
+ * that OpenVPN uses when TLS Keying Material Export is not available.
+ *
+ * @return  true if supported, false otherwise.
+ */
+bool check_tls_prf_working(void);
+
 #endif /* CRYPTO_H */
diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
index 8b490ed..82122f5 100644
--- a/src/openvpn/multi.c
+++ b/src/openvpn/multi.c
@@ -1830,6 +1830,16 @@
 {
 o->imported_protocol_flags |= CO_USE_TLS_KEY_MATERIAL_EXPORT;
 }
+else if (o->force_key_material_export)
+{
+msg(M_INFO, "PUSH: client does not support TLS key material export"
+"but --force-tls-key-material-export is enabled.");
+auth_set_client_reason(tls_multi, "Client incompatible with this"
+   "server. Keying Material Exporters (RFC 5705)"
+   "support missing. Upgrade to a client that "
+   "supports this feature (OpenVPN 2.6.0+).");
+return false;
+}
 if (proto & IV_PROTO_DYN_TLS_CRYPT)
 {
 o->imported_protocol_flags |= CO_USE_DYNAMIC_TLS_CRYPT;
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 1521872..6f98362 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -1561,6 +1561,7 @@
 SHOW_STR(auth_user_pass_verify_script);
 SHOW_BOOL(auth_user_pass_verify_script_via_file);
 SHOW_BOOL(auth_token_generate);
+SHOW_BOOL(force_key_material_export);
 SHOW_INT(auth_token_lifetime);
 SHOW_STR_INLINE(auth_token_secret_file);
 #if PORT_SHARE
@@ -2802,6 +2803,11 @@
 {
 msg(M_USAGE, "--vlan-tagging requires --mode server");
 }
+
+if (options->force_key_material_export)
+{
+msg(M_USAGE, "--force-tls-key-material-export requires --mode 
server");
+   

[Openvpn-devel] [M] Change in openvpn[master]: Check PRF availability on initialisation and add --force-tls-key-mate...

2023-12-12 Thread flichtenheld (Code Review)
Attention is currently required from: cron2, plaisthos.

flichtenheld has posted comments on this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/460?usp=email )

Change subject: Check PRF availability on initialisation and add 
--force-tls-key-material-export
..


Patch Set 5: -Code-Review

(1 comment)

File src/openvpn/options.c:

http://gerrit.openvpn.net/c/openvpn/+/460/comment/c97bbfa5_d626d157 :
PS5, Line 3661: }
> I might need new glasses, but as far as I can see, this code does all the 
> checks, and *claims* to en […]
D'oh. Sorry for missing that.



--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/460?usp=email

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I04f8c7c413e7cb62c726262feee6ca89c7e86c70
Gerrit-Change-Number: 460
Gerrit-PatchSet: 5
Gerrit-Owner: plaisthos 
Gerrit-Reviewer: cron2 
Gerrit-Reviewer: flichtenheld 
Gerrit-CC: openvpn-devel 
Gerrit-Attention: plaisthos 
Gerrit-Attention: cron2 
Gerrit-Comment-Date: Tue, 12 Dec 2023 10:41:31 +
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Comment-In-Reply-To: cron2 
Gerrit-MessageType: comment