[Openvpn-devel] [M] Change in openvpn[master]: Check PRF availability on initialisation and add --force-tls-key-mate...

2023-12-13 Thread cron2 (Code Review)
Attention is currently required from: flichtenheld, plaisthos.

cron2 has posted comments on this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/460?usp=email )

Change subject: Check PRF availability on initialisation and add 
--force-tls-key-material-export
..


Patch Set 7: Code-Review-2

(2 comments)

File src/openvpn/multi.c:

http://gerrit.openvpn.net/c/openvpn/+/460/comment/336c9224_c681507d :
PS5, Line 1841: return false;
> Done
done for "(RFC 5705)support", not done for "thisserver" (first line).


File src/openvpn/options.c:

http://gerrit.openvpn.net/c/openvpn/+/460/comment/850dc22b_4f3310f4 :
PS5, Line 3649: "by TLS library. Your system does not support this 
calculation "
the change v5->v7 brought in a new whitespace error here, "(FIPS 140-2)forbids".



--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/460?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I04f8c7c413e7cb62c726262feee6ca89c7e86c70
Gerrit-Change-Number: 460
Gerrit-PatchSet: 7
Gerrit-Owner: plaisthos 
Gerrit-Reviewer: cron2 
Gerrit-Reviewer: flichtenheld 
Gerrit-CC: openvpn-devel 
Gerrit-Attention: plaisthos 
Gerrit-Attention: flichtenheld 
Gerrit-Comment-Date: Wed, 13 Dec 2023 17:42:09 +
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Comment-In-Reply-To: plaisthos 
Comment-In-Reply-To: cron2 
Gerrit-MessageType: comment
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


[Openvpn-devel] [S] Change in openvpn[master]: tests: disable automake serial_tests

2023-12-13 Thread plaisthos (Code Review)
Attention is currently required from: flichtenheld.

plaisthos has posted comments on this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/477?usp=email )

Change subject: tests: disable automake serial_tests
..


Patch Set 2: Code-Review+2


--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/477?usp=email

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Ic7265d89142637b0963a6847c6beb06d9163bbb1
Gerrit-Change-Number: 477
Gerrit-PatchSet: 2
Gerrit-Owner: flichtenheld 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-Attention: flichtenheld 
Gerrit-Comment-Date: Wed, 13 Dec 2023 15:18:23 +
Gerrit-HasComments: No
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment


[Openvpn-devel] [M] Change in openvpn[master]: tests: fork default automake test-driver

2023-12-13 Thread plaisthos (Code Review)
Attention is currently required from: flichtenheld.

plaisthos has posted comments on this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/478?usp=email )

Change subject: tests: fork default automake test-driver
..


Patch Set 2:

(1 comment)

Patchset:

PS2:
is there a way to include a diff from the default test-driver in the commit
message, or a short summary of what the actual change is?



--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/478?usp=email

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I67d461afbcc9c06b1fc5ab4477141d7b8bd9ba8e
Gerrit-Change-Number: 478
Gerrit-PatchSet: 2
Gerrit-Owner: flichtenheld 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-Attention: flichtenheld 
Gerrit-Comment-Date: Wed, 13 Dec 2023 15:17:40 +
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Gerrit-MessageType: comment


[Openvpn-devel] [M] Change in openvpn[master]: Move get_tmp_dir to win32-util.c and error out on failure

2023-12-13 Thread flichtenheld (Code Review)
Attention is currently required from: plaisthos.

flichtenheld has posted comments on this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/481?usp=email )

Change subject: Move get_tmp_dir to win32-util.c and error out on failure
..


Patch Set 1: Code-Review-1

(2 comments)

File src/openvpn/options.c:

http://gerrit.openvpn.net/c/openvpn/+/481/comment/466d524c_f6e1e499 :
PS1, Line 891: /* Warn if we can't find a valid temporary directory, 
which should
M_USAGE is not really "Warn"


File src/openvpn/win32-util.h:

http://gerrit.openvpn.net/c/openvpn/+/481/comment/14243ada_3a632f04 :
PS1, Line 44: const char *win_get_tempdir(void);
corresponding removal from win32.h is missing?



--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/481?usp=email

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I525ccf7872880367b248ebebb0ddc83551498042
Gerrit-Change-Number: 481
Gerrit-PatchSet: 1
Gerrit-Owner: plaisthos 
Gerrit-Reviewer: flichtenheld 
Gerrit-CC: openvpn-devel 
Gerrit-Attention: plaisthos 
Gerrit-Comment-Date: Wed, 13 Dec 2023 14:57:14 +
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment


[Openvpn-devel] [L] Change in openvpn[release/2.6]: Backport mbed TLS 3 support to OpenVPN 2.6

2023-12-13 Thread plaisthos (Code Review)
Attention is currently required from: MaxF, flichtenheld.

plaisthos has posted comments on this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/404?usp=email )

Change subject: Backport mbed TLS 3 support to OpenVPN 2.6
..


Patch Set 3:

(1 comment)

Patchset:

PS3:
So this is just the same as the cherry-pick of the four mentioned commits in 
the commit message and those apply without problems. @g...@greenie.muc.de can 
we just do a cherry pick of those 4 commits? That would make it also clearer in 
the commit history that this is exactly the same as in master.



--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/404?usp=email

Gerrit-Project: openvpn
Gerrit-Branch: release/2.6
Gerrit-Change-Id: Icb4ae73741dc84ef0ff7ef72721cc12b999f4d03
Gerrit-Change-Number: 404
Gerrit-PatchSet: 3
Gerrit-Owner: MaxF 
Gerrit-Reviewer: flichtenheld 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: cron2 
Gerrit-CC: openvpn-devel 
Gerrit-Attention: flichtenheld 
Gerrit-Attention: MaxF 
Gerrit-Comment-Date: Wed, 13 Dec 2023 14:51:28 +
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Gerrit-MessageType: comment


[Openvpn-devel] [PATCH] documentation: improve documentation of --x509-track

2023-12-13 Thread Frank Lichtenheld
In the current state it was completely unclear to me how you
would use this. Extended the description based on reading the
code and experimentation.

Change-Id: Ibf728f9d624e64ecda094d66fa562bd3916829d2
Signed-off-by: Frank Lichtenheld 
---
 doc/man-sections/script-options.rst |  3 +++
 doc/man-sections/tls-options.rst| 23 +--
 2 files changed, 24 insertions(+), 2 deletions(-)

diff --git a/doc/man-sections/script-options.rst 
b/doc/man-sections/script-options.rst
index ba700a04..0e60ab5a 100644
--- a/doc/man-sections/script-options.rst
+++ b/doc/man-sections/script-options.rst
@@ -934,6 +934,9 @@ instances.
 verification level is 0 for the client certificate and 1 for the CA
 certificate.
 
+You can use the ``--x509-track`` option to export more or less information
+from the certificates.
+
 ::
 
X509_0_emailAddress=me@myhost.mydomain
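Review bot: "export more or less information from the certificates" in the new sentence does not tell the reader what the option actually controls. Since this section lists the X509_* variables handed to scripts and plugins, state what is selected, e.g. "Use ``--x509-track`` to choose which certificate attributes are exported as X509_* variables, and whether they are exported for the whole chain or only the leaf certificate", and point at the option's entry in tls-options.rst so the two descriptions stay in sync.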
diff --git a/doc/man-sections/tls-options.rst b/doc/man-sections/tls-options.rst
index 266167f2..4c45b10f 100644
--- a/doc/man-sections/tls-options.rst
+++ b/doc/man-sections/tls-options.rst
@@ -695,10 +695,29 @@ If the option is inlined, ``algo`` is always 
:code:`SHA256`.
 --x509-track attribute
   Save peer X509 **attribute** value in environment for use by plugins and
   management interface. Prepend a :code:`+` to ``attribute`` to save values
-  from full cert chain. Values will be encoded as
-  :code:`X509__=`. Multiple ``--x509-track``
+  from full cert chain. Otherwise the attribute will only be exported for
+  the leaf cert (i.e. depth :code:`0` of the cert chain). Values will be
+  encoded as :code:`X509__=`. Multiple 
``--x509-track``
   options can be defined to track multiple attributes.
 
+  ``attribute`` can be any part of the X509 Subject field or any X509v3
+  extension (RFC 3280). X509v3 extensions might not be supported when
+  not using the default TLS backend library (OpenSSL). You can also
+  request the ``SHA1`` and ``SHA256`` fingerprints of the cert,
+  but that is always exported as :code:`tls_digest_{n}` and
+  :code:`tls_digest_sha256_{n}` anyway.
+
+  Note that by default **all** parts of the X509 Subject field are exported in
+  the environment for the whole cert chain. If you use ``--x509-track`` at 
least
+  once **only** the attributes specified by these options are exported.
+
+  Examples::
+
+x509-track CN   # exports only X509_0_CN
+x509-track +CN  # exports X509_{n}_CN for chain
+x509-track basicConstraints # exports value of "X509v3 Basic Constraints"
+x509-track SHA256   # exports SHA256 fingerprint
+
 --x509-username-field args
   Fields in the X.509 certificate subject to be used as the username
   (default :code:`CN`). If multiple fields are specified their values
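Review bot: the paragraph starting "Note that by default **all** parts of the X509 Subject field are exported" describes a contract change that deserves a more prominent warning than a trailing note: as soon as ``--x509-track`` appears once, the default export of every Subject field for the whole chain stops, so a script that reads X509_0_CN while the config also tracks basicConstraints silently loses that variable. Consider placing it before the examples and flagging it as a note. Two smaller points in the same hunk: RFC 3280 has been obsoleted by RFC 5280, which is the document readers will look up; and the example "x509-track SHA256 # exports SHA256 fingerprint" names no resulting variable while the paragraph above says the fingerprints are always available as :code:`tls_digest_sha256_{n}`, so either give the X509_ variable name the tracked fingerprint lands in or drop that example.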
-- 
2.34.1





[Openvpn-devel] [M] Change in openvpn[master]: Implement the --tls-export-cert feature

2023-12-13 Thread flichtenheld (Code Review)
Attention is currently required from: cron2, plaisthos.

flichtenheld has posted comments on this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/466?usp=email )

Change subject: Implement the --tls-export-cert feature
..


Patch Set 6: Code-Review+2

(1 comment)

Patchset:

PS5:
Did some basic testing with both OpenSSL and mbedTLS. Looks good to me.



--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/466?usp=email

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Ia9b3f1813d2d0d492d17c87348b4cebd0bf19ce2
Gerrit-Change-Number: 466
Gerrit-PatchSet: 6
Gerrit-Owner: plaisthos 
Gerrit-Reviewer: flichtenheld 
Gerrit-CC: cron2 
Gerrit-CC: openvpn-devel 
Gerrit-Attention: plaisthos 
Gerrit-Attention: cron2 
Gerrit-Comment-Date: Wed, 13 Dec 2023 14:29:01 +
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment


[Openvpn-devel] [M] Change in openvpn[master]: Move get_tmp_dir to win32-util.c and error out on failure

2023-12-13 Thread plaisthos (Code Review)
Attention is currently required from: flichtenheld.

plaisthos has posted comments on this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/481?usp=email )

Change subject: Move get_tmp_dir to win32-util.c and error out on failure
..


Patch Set 1:

(1 comment)

Patchset:

PS1:
Note that we will actually not be broken when tmp_dir is NULL, but you end up 
with temporary files being created in whatever the current directory is.



--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/481?usp=email

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I525ccf7872880367b248ebebb0ddc83551498042
Gerrit-Change-Number: 481
Gerrit-PatchSet: 1
Gerrit-Owner: plaisthos 
Gerrit-Reviewer: flichtenheld 
Gerrit-CC: openvpn-devel 
Gerrit-Attention: flichtenheld 
Gerrit-Comment-Date: Wed, 13 Dec 2023 14:25:28 +
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Gerrit-MessageType: comment


[Openvpn-devel] [L] Change in openvpn[master]: Add test_ssl unit test and test export of PEM to file

2023-12-13 Thread plaisthos (Code Review)
Attention is currently required from: flichtenheld.

plaisthos has posted comments on this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/471?usp=email )

Change subject: Add test_ssl unit test and test export of PEM to file
..


Patch Set 2:

(3 comments)

File tests/unit_tests/openvpn/Makefile.am:

http://gerrit.openvpn.net/c/openvpn/+/471/comment/2bd17b5f_bc89de26 :
PS2, Line 86: $(top_srcdir)/src/openvpn/xkey_provider.c \
> indent
Done


File tests/unit_tests/openvpn/mock_management.c:

http://gerrit.openvpn.net/c/openvpn/+/471/comment/2c367b9e_17b39eb9 :
PS2, Line 49: (void) man;
> inconsistent (void), used it in one function, but not the other
Done


File tests/unit_tests/openvpn/test_ssl.c:

http://gerrit.openvpn.net/c/openvpn/+/471/comment/1f8780a6_702527f1 :
PS2, Line 47: /* Mock function to be allowed to include win32.c which is 
required for
> You originally created win32-util. […]
I didn't like the idea of pulling the dependency of msg() to that file. 
Currently that util file is standalone. I modified the approach to avoid that 
dependency.



--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/471?usp=email

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Ie248d35d063bb6878f3dd42840c77ba0d6fa3381
Gerrit-Change-Number: 471
Gerrit-PatchSet: 2
Gerrit-Owner: plaisthos 
Gerrit-Reviewer: flichtenheld 
Gerrit-CC: openvpn-devel 
Gerrit-Attention: flichtenheld 
Gerrit-Comment-Date: Wed, 13 Dec 2023 14:11:20 +
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Comment-In-Reply-To: flichtenheld 
Gerrit-MessageType: comment


[Openvpn-devel] [L] Change in openvpn[master]: Add test_ssl unit test and test export of PEM to file

2023-12-13 Thread plaisthos (Code Review)
Attention is currently required from: flichtenheld, plaisthos.

Hello flichtenheld,

I'd like you to reexamine a change. Please visit

http://gerrit.openvpn.net/c/openvpn/+/471?usp=email

to look at the new patch set (#3).

The following approvals got outdated and were removed:
Code-Review-1 by flichtenheld


Change subject: Add test_ssl unit test and test export of PEM to file
..

Add test_ssl unit test and test export of PEM to file

This introduces a number of mock functions to be able to compile
ssl_verify_*.c and ssl_mbedtls.c/ssl_openssl.c into a unit and adds
quite a number of files to that unit. But it allows similar unit tests
(in terms of dependencies) to be added in the future.

Change-Id: Ie248d35d063bb6878f3dd42840c77ba0d6fa3381
Signed-off-by: Arne Schwabe 
---
M .github/workflows/build.yaml
M CMakeLists.txt
M tests/unit_tests/openvpn/Makefile.am
A tests/unit_tests/openvpn/mock_management.c
A tests/unit_tests/openvpn/mock_ssl_dependencies.c
A tests/unit_tests/openvpn/test_ssl.c
6 files changed, 311 insertions(+), 2 deletions(-)


  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/71/471/3

diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 4393f5c..bdb30c8 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -85,7 +85,7 @@
   fail-fast: false
   matrix:
 arch: [x86, x64]
-test: [argv, auth_token, buffer, cryptoapi, crypto, misc, ncp, 
packet_id, pkt, provider, tls_crypt]
+test: [argv, auth_token, buffer, cryptoapi, crypto, misc, ncp, 
packet_id, pkt, provider, ssl, tls_crypt]

 runs-on: windows-latest
 name: "mingw unittest ${{ matrix.test }} - ${{ matrix.arch }} - OSSL"
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 6cbee56..6ac453c 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -588,6 +588,7 @@
 "test_packet_id"
 "test_pkt"
 "test_provider"
+"test_ssl"
 )

 if (WIN32)
@@ -697,6 +698,34 @@
 src/openvpn/mss.c
 )

+target_sources(test_ssl PRIVATE
+tests/unit_tests/openvpn/mock_management.c
+tests/unit_tests/openvpn/mock_ssl_dependencies.c
+tests/unit_tests/openvpn/mock_win32_execve.c
+src/openvpn/argv.c
+src/openvpn/base64.c
+src/openvpn/block_dns.c
+src/openvpn/crypto.c
+src/openvpn/crypto_mbedtls.c
+src/openvpn/crypto_openssl.c
+src/openvpn/cryptoapi.c
+src/openvpn/env_set.c
+src/openvpn/env_set.c
+src/openvpn/mss.c
+src/openvpn/mtu.c
+src/openvpn/options_util.c
+src/openvpn/otime.c
+src/openvpn/packet_id.c
+src/openvpn/run_command.c
+src/openvpn/ssl_mbedtls.c
+src/openvpn/ssl_openssl.c
+src/openvpn/ssl_util.c
+src/openvpn/ssl_verify_mbedtls.c
+src/openvpn/ssl_verify_openssl.c
+src/openvpn/xkey_helper.c
+src/openvpn/xkey_provider.c
+)
+
 target_sources(test_misc PRIVATE
 tests/unit_tests/openvpn/mock_get_random.c
 src/openvpn/options_util.c
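Review bot: `src/openvpn/env_set.c` appears twice in the new target_sources(test_ssl ...) block (the two consecutive lines after cryptoapi.c); drop one of them.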
diff --git a/tests/unit_tests/openvpn/Makefile.am 
b/tests/unit_tests/openvpn/Makefile.am
index ef45b11..eb8ccc8 100644
--- a/tests/unit_tests/openvpn/Makefile.am
+++ b/tests/unit_tests/openvpn/Makefile.am
@@ -7,7 +7,8 @@
 endif

 test_binaries += crypto_testdriver packet_id_testdriver auth_token_testdriver 
ncp_testdriver misc_testdriver \
-   pkt_testdriver
+   pkt_testdriver ssl_testdriver
+
 if HAVE_LD_WRAP_SUPPORT
 if !WIN32
 test_binaries += tls_crypt_testdriver
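Review bot: stray blank line after `pkt_testdriver ssl_testdriver`; there was no empty line between the test_binaries assignment and `if HAVE_LD_WRAP_SUPPORT` before, and it is unrelated to adding the new driver, so drop it.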
@@ -67,6 +68,28 @@
$(top_srcdir)/src/openvpn/win32-util.c \
$(top_srcdir)/src/openvpn/mss.c

+ssl_testdriver_CFLAGS  = @TEST_CFLAGS@ \
+   -I$(top_srcdir)/include -I$(top_srcdir)/src/compat 
-I$(top_srcdir)/src/openvpn
+ssl_testdriver_LDFLAGS = @TEST_LDFLAGS@
+ssl_testdriver_SOURCES = test_crypto.c mock_msg.c mock_msg.h \
+   mock_management.c mock_ssl_dependencies.c mock_win32_execve.c \
+   $(top_srcdir)/src/openvpn/buffer.c \
+   $(top_srcdir)/src/openvpn/crypto.c \
+   $(top_srcdir)/src/openvpn/crypto_mbedtls.c \
+   $(top_srcdir)/src/openvpn/crypto_openssl.c \
+   $(top_srcdir)/src/openvpn/otime.c \
+   $(top_srcdir)/src/openvpn/packet_id.c \
+   $(top_srcdir)/src/openvpn/platform.c \
+   $(top_srcdir)/src/openvpn/mtu.c \
+   $(top_srcdir)/src/openvpn/win32-util.c \
+   $(top_srcdir)/src/openvpn/mss.c \
+   $(top_srcdir)/src/openvpn/xkey_provider.c \
+   $(top_srcdir)/src/openvpn/xkey_helper.c \
+   $(top_srcdir)/src/openvpn/ssl_util.c \
+   $(top_srcdir)/src/openvpn/base64.c \
+   $(top_srcdir)/src/openvpn/cryptoapi.c
+
+
 packet_id_testdriver_CFLAGS  = @TEST_CFLAGS@ \
-I$(top_srcdir)/include -I$(top_srcdir)/src/compat 
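Review bot: `ssl_testdriver_SOURCES = test_crypto.c mock_msg.c ...` compiles the crypto unit test into the new driver; this should be `test_ssl.c`, the file this change adds, otherwise the automake build produces a second copy of the crypto tests under a new name and the PEM export test never runs there. The source list also disagrees with the CMake target_sources(test_ssl ...) block in this change: ssl_mbedtls.c, ssl_openssl.c, ssl_verify_mbedtls.c, ssl_verify_openssl.c, argv.c, block_dns.c, env_set.c, options_util.c and run_command.c are missing here, although the commit message says ssl_verify_*.c and ssl_mbedtls.c/ssl_openssl.c are compiled into the unit. Both build systems should link the same files, or the test behaves differently depending on how it was built.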

[Openvpn-devel] [M] Change in openvpn[master]: Move get_tmp_dir to win32-util.c and error out on failure

2023-12-13 Thread plaisthos (Code Review)
Attention is currently required from: flichtenheld.

Hello flichtenheld,

I'd like you to do a code review.
Please visit

http://gerrit.openvpn.net/c/openvpn/+/481?usp=email

to review the following change.


Change subject: Move get_tmp_dir to win32-util.c and error out on failure
..

Move get_tmp_dir to win32-util.c and error out on failure

Currently we only warn if get_tmp_dir fails and set o->tmp_dir to
a null pointer. This will not be caught by check_file_access_chroot
either since that ignores NULL pointers, but other parts of OpenVPN
will assume that tmp_dir is set to a non-NULL string.

Also move get_tmp_dir to ssl-utils.c to use it in unit tests.

Change-Id: I525ccf7872880367b248ebebb0ddc83551498042
Signed-off-by: Arne Schwabe 
---
M src/openvpn/options.c
M src/openvpn/win32-util.c
M src/openvpn/win32-util.h
M src/openvpn/win32.c
4 files changed, 34 insertions(+), 29 deletions(-)



  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/81/481/1

diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 503e832..9863261 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -885,7 +885,15 @@
 #ifdef _WIN32
 /* On Windows, find temp dir via environment variables */
 o->tmp_dir = win_get_tempdir();
-#else
+
+if (!o->tmp_dir)
+{
+/* Warn if we can't find a valid temporary directory, which should
+ * be unlikely. */
+msg(M_USAGE, "Could not find a suitable temporary directory."
+" (GetTempPath() failed).  Consider using --tmp-dir");
+}
+#else  /* ifdef _WIN32 */
 /* Non-windows platforms use $TMPDIR, and if not set, default to '/tmp' */
 o->tmp_dir = getenv("TMPDIR");
 if (!o->tmp_dir)
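Review bot: the comment above the new `msg(M_USAGE, ...)` still says "Warn", but M_USAGE terminates OpenVPN, which is what the commit subject intends; reword it to "Fail hard if we can't find a valid temporary directory ..." so comment and code agree. The message text is also only half right: win_get_tempdir() in this change returns NULL both when GetTempPathW() fails and when the path does not fit into MAX_PATH bytes of UTF-8 (after logging its own M_WARN), so "(GetTempPath() failed)" is misleading in the second case. Either let win_get_tempdir() report the reason and keep the caller's message generic ("Could not determine a temporary directory. Consider using --tmp-dir"), or return a distinguishable result.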
diff --git a/src/openvpn/win32-util.c b/src/openvpn/win32-util.c
index 81e504a..c5e7505 100644
--- a/src/openvpn/win32-util.c
+++ b/src/openvpn/win32-util.c
@@ -147,4 +147,26 @@
 }
 return true;
 }
+
+const char *
+win_get_tempdir(void)
+{
+static char tmpdir[MAX_PATH];
+WCHAR wtmpdir[MAX_PATH];
+
+if (!GetTempPathW(_countof(wtmpdir), wtmpdir))
+{
+return NULL;
+}
+
+if (WideCharToMultiByte(CP_UTF8, 0, wtmpdir, -1, NULL, 0, NULL, NULL) > 
sizeof(tmpdir))
+{
+msg(M_WARN, "Could not get temporary directory. Path is too long."
+"  Consider using --tmp-dir");
+return NULL;
+}
+
+WideCharToMultiByte(CP_UTF8, 0, wtmpdir, -1, tmpdir, sizeof(tmpdir), NULL, 
NULL);
+return tmpdir;
+}
 #endif /* _WIN32 */
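Review bot: the moved win_get_tempdir() brings `msg()` into win32-util.c, which so far has no dependency on the logging code (the reason given in the test_ssl thread on this page for not wiring msg() into this file from the mocks); since the caller in options.c now errors out on a NULL return anyway, the M_WARN for the too-long path could be dropped here and the reason reported by the caller. The second WideCharToMultiByte() call remains unchecked: if it returns 0, the static tmpdir buffer is returned with stale or empty contents, so check the return value and return NULL on failure. Finally, the commit message says the function moves to ssl-utils.c, but the diff moves it to win32-util.c.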
diff --git a/src/openvpn/win32-util.h b/src/openvpn/win32-util.h
index ac37979..98bf74b 100644
--- a/src/openvpn/win32-util.h
+++ b/src/openvpn/win32-util.h
@@ -40,5 +40,8 @@
 /* return true if filename is safe to be used on Windows */
 bool win_safe_filename(const char *fn);

+/* Find temporary directory */
+const char *win_get_tempdir(void);
+
 #endif /* OPENVPN_WIN32_UTIL_H */
 #endif /* ifdef _WIN32 */
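Review bot: the prototype is added here, but the change touches win32.c and not win32.h, so if win32.h still declares win_get_tempdir() the function is now declared in two headers; remove the old declaration in the same change so callers include the header that actually provides it.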
diff --git a/src/openvpn/win32.c b/src/openvpn/win32.c
index e998d90..6b7ba5e 100644
--- a/src/openvpn/win32.c
+++ b/src/openvpn/win32.c
@@ -1137,34 +1137,6 @@
 set_win_sys_path(buf, es);
 }

-
-const char *
-win_get_tempdir(void)
-{
-static char tmpdir[MAX_PATH];
-WCHAR wtmpdir[MAX_PATH];
-
-if (!GetTempPathW(_countof(wtmpdir), wtmpdir))
-{
-/* Warn if we can't find a valid temporary directory, which should
- * be unlikely.
- */
-msg(M_WARN, "Could not find a suitable temporary directory."
-" (GetTempPath() failed).  Consider using --tmp-dir");
-return NULL;
-}
-
-if (WideCharToMultiByte(CP_UTF8, 0, wtmpdir, -1, NULL, 0, NULL, NULL) > 
sizeof(tmpdir))
-{
-msg(M_WARN, "Could not get temporary directory. Path is too long."
-"  Consider using --tmp-dir");
-return NULL;
-}
-
-WideCharToMultiByte(CP_UTF8, 0, wtmpdir, -1, tmpdir, sizeof(tmpdir), NULL, 
NULL);
-return tmpdir;
-}
-
 static bool
 win_block_dns_service(bool add, int index, const HANDLE pipe)
 {

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/481?usp=email

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I525ccf7872880367b248ebebb0ddc83551498042
Gerrit-Change-Number: 481
Gerrit-PatchSet: 1
Gerrit-Owner: plaisthos 
Gerrit-Reviewer: flichtenheld 
Gerrit-CC: openvpn-devel 
Gerrit-Attention: flichtenheld 
Gerrit-MessageType: newchange


[Openvpn-devel] IRC community meeting summary

2023-12-13 Thread Johan Draaisma

Meeting summary for 13 December 2023:

 * *Updated: OpenVPN 2.6.9 release*
   /In discussion with community members looks like next week would be
   a good time for a 2.6.9 release./

 * *Updated: forums topics*
   /Pippin_ and novaflash reported lots of spam on the forums. rob0 got
   into contact with ecrist, looks like anti-spam module had expired.
   It was renewed./
   /ecrist suggests to decouple authentication system for forums from
   community PWM. almost all forum users never use other community
   resources, so it makes sense./
   /There is the pending migration from BSD to Linux for the forums
   machine./
   /In collaboration with ecrist, we'll look into arranging for OpenVPN
   Inc. to provide a new VM and a license for vBulletin. ecrist can
   then convert the existing forums content./
   /Regarding CloudFlare; currently not enabled on forums, but we will
   enable it on the new VM./

 * *New: community funding*
   /ordex has an initiative he wants to bring up regarding dev
   resources to be added to community./
   /This may tie into the donations topic./
   /In short ordex convinced OTF (Open Tech Fund) to provide a "test
   FOSS funding scheme" to OpenVPN./
   /This would for example allow to pay for allocated hours for mattock
   and cron2 to work on OpenVPN community tasks./
   /This is to be worked out more and in collaboration between OpenVPN
   Community, OpenVPN Inc., and OTF./

 * *Updated: Donations for OpenVPN community*
   /There is currently no place to donate money to the community, and
   we do want to allow that./
   /We need to figure out how to deal with that legally, and what
   payment methods to accept and how./
   /Probably credit card is a must. Maybe paypal as well. Bitcoin seems
   to encounter some resistance in the discussions./
   /We definitely do not want the donation thing to be forced - have a
   mechanism to do it, but keep it out of the way./
   /Random things yelled out (to investigate): legal entity? stripe?
   paypal? creditcard? open collective? github sponsors? linux
   foundation? sf conservancy?/
   /ordex suggested that he will take a look in january to figure out
   what legalities etc are involved in getting a legal entity for
   OpenVPN community./

As always you're welcome to join at #openvpn-meeting on Libera IRC 
network every Wednesday at 13:00 Central European Time.


Kind regards,
Johan Draaisma


[Openvpn-devel] [PATCH v2] Make it more explicit and visible when pkg-config is not found

2023-12-13 Thread Frank Lichtenheld
From: Arne Schwabe 

Users seem to struggle to read the full error message. This adds an
indication of whether pkg-config was actually found to the warning/error
messages that use pkg-config.

When found:

configure: error: libnl-genl-3.0 package not found or too old. Is the 
development package and pkg-config (using /usr/bin/pkg-config) installed? Must 
be version 3.4.0 or newer for DCO

not found:

configure: error: libnl-genl-3.0 package not found or too old. Is the 
development package and pkg-config (not found) installed? Must be version 3.4.0 
or newer for DCO

Change-Id: Iebaa35a23e217a4cd7739af229cbfc08a3d8854a
Signed-off-by: Arne Schwabe 
Acked-by: Frank Lichtenheld 
---

This change was reviewed on Gerrit and approved by at least one
developer. I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/465
This mail reflects revision 2 of this Change.

Acked-by according to Gerrit (reflected above):
Frank Lichtenheld 


diff --git a/configure.ac b/configure.ac
index 54f79ab..a80de7f 100644
--- a/configure.ac
+++ b/configure.ac
@@ -382,6 +382,14 @@
 AM_CONDITIONAL([CROSS_COMPILING], test "${cross_compiling}" = "yes")
 
 PKG_PROG_PKG_CONFIG
+# Add variable to print if pkg-config is found or not. Users often miss that
+if test "${PKG_CONFIG}" = ""; then
+   pkg_config_found="(not found)"
+else
+   pkg_config_found="(using ${PKG_CONFIG})"
+fi
+
+
 AC_PROG_CPP
 AC_PROG_INSTALL
 AC_PROG_LN_S
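Review bot: `if test "${PKG_CONFIG}" = ""; then` is more idiomatically written `if test -z "${PKG_CONFIG}"; then`, and the two added empty lines before AC_PROG_CPP leave a double blank where the file had none; one is enough.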
@@ -816,7 +824,7 @@
  [libnl-genl-3.0 >= 3.4.0],
  [have_libnl="yes"],
  [
-  AC_MSG_ERROR([libnl-genl-3.0 package 
not found or too old. Is the development package and pkg-config installed? Must 
be version 3.4.0 or newer for DCO])
+  AC_MSG_ERROR([libnl-genl-3.0 package 
not found or too old. Is the development package and pkg-config 
${pkg_config_found} installed? Must be version 3.4.0 or newer for DCO])
  ]
)
CFLAGS="${CFLAGS} ${LIBNL_GENL_CFLAGS}"
@@ -860,10 +868,11 @@
 dnl
 case "$host" in
*-*-linux*)
+   # We require pkg-config
PKG_CHECK_MODULES([LIBCAPNG],
  [libcap-ng],
  [],
- [AC_MSG_ERROR([libcap-ng package not found. 
Is the development package and pkg-config installed?])]
+ [AC_MSG_ERROR([libcap-ng package not found. 
Is the development package and pkg-config ${pkg_config_found} installed?])]
)
AC_CHECK_HEADER([sys/prctl.h],,[AC_MSG_ERROR([sys/prctl.h not 
found!])])
 
@@ -884,7 +893,7 @@
[OPENSSL],
[openssl >= 1.0.2],
[have_openssl="yes"],
-   [] # If this fails, we will do another test next
+   [AC_MSG_WARN([OpenSSL not found by pkg-config 
${pkg_config_found}])] # If this fails, we will do another test next
)
OPENSSL_LIBS=${OPENSSL_LIBS:--lssl -lcrypto}
fi
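Review bot: the new AC_MSG_WARN fires on a path the comment itself calls expected ("If this fails, we will do another test next"): a system with OpenSSL headers and libraries but no openssl.pc now prints "OpenSSL not found by pkg-config ..." and then configures successfully, which is exactly the kind of line users paste into bug reports. Either downgrade it to AC_MSG_NOTICE or phrase it as a fallback ("falling back to -lssl -lcrypto"), which is what the following `OPENSSL_LIBS=${OPENSSL_LIBS:--lssl -lcrypto}` does.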
@@ -1089,7 +1098,7 @@
[WOLFSSL],
[wolfssl],
[],
-   [AC_MSG_ERROR([Could not find wolfSSL.])]
+   [AC_MSG_ERROR([Could not find wolfSSL using pkg-config 
${pkg_config_found}])]
)
PKG_CHECK_VAR(
[WOLFSSL_INCLUDEDIR],
@@ -1513,7 +1522,7 @@
 PKG_CHECK_MODULES(
[CMOCKA], [cmocka],
[have_cmocka="yes"],
-   [AC_MSG_WARN([cmocka.pc not found on the system.  Unit tests disabled])]
+   [AC_MSG_WARN([cmocka.pc not found on the system using pkg-config 
${pkg_config_found}.  Unit tests disabled])]
 )
 AM_CONDITIONAL([ENABLE_UNITTESTS], [test "${enable_unit_tests}" = "yes" -a 
"${have_cmocka}" = "yes" ])
 AC_SUBST([ENABLE_UNITTESTS])




[Openvpn-devel] [PATCH v8] Extend the error message when TLS 1.0 PRF fails

2023-12-13 Thread Frank Lichtenheld
From: Arne Schwabe 

This error will probably become more and more common in the future when
more and more systems will drop TLS 1.0 PRF support. We are already
seeing people stumbling upon this (see GitHub issue #460)

The current error messages

  TLS Error: PRF calcuation failed
  TLS Error: generate_key_expansion failed

are not very helpful for people that do not have deep understanding
of TLS or the OpenVPN protocol. Improve this message to give a normal
user a chance to understand that the peer needs to be OpenVPN 2.6.x or
newer.

Change-Id: Ib3b64b52beed69dc7740f191b0e9a9dc9af5b7f3
Signed-off-by: Arne Schwabe 
Acked-by: Frank Lichtenheld 
---

This change was reviewed on Gerrit and approved by at least one
developer. I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/456
This mail reflects revision 8 of this Change.

Acked-by according to Gerrit (reflected above):
Frank Lichtenheld 


diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 6eddb68..7597412 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -1477,7 +1477,12 @@
 {
 if (!generate_key_expansion_openvpn_prf(session, ))
 {
-msg(D_TLS_ERRORS, "TLS Error: PRF calcuation failed");
+msg(D_TLS_ERRORS, "TLS Error: PRF calculation failed. Your system "
+"might not support the old TLS 1.0 PRF calculation anymore or "
+"the policy does not allow it (e.g. running in FIPS mode). "
+"The peer did not announce support for the modern TLS Export "
+"feature that replaces the TLS 1.0 PRF (requires OpenVPN "
+"2.6.x or higher)");
 goto exit;
 }
 }




[Openvpn-devel] [XS] Change in openvpn[master]: Extend the error message when TLS 1.0 PRF fails

2023-12-13 Thread flichtenheld (Code Review)
Attention is currently required from: plaisthos.

flichtenheld has posted comments on this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/456?usp=email )

Change subject: Extend the error message when TLS 1.0 PRF fails
..


Patch Set 8: Code-Review+2

(2 comments)

Commit Message:

http://gerrit.openvpn.net/c/openvpn/+/456/comment/885ae8f3_12d97924 :
PS5, Line 10: more and more system will drop TLS 1.0 PRF support. We are 
already seeing
> "systems"
Done


http://gerrit.openvpn.net/c/openvpn/+/456/comment/4bd01855_a7144a45 :
PS5, Line 19: the OpenVPN protocol. Improve a on this message to give a normal 
user a chance
> Remove "a on"
Done



--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/456?usp=email

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Ib3b64b52beed69dc7740f191b0e9a9dc9af5b7f3
Gerrit-Change-Number: 456
Gerrit-PatchSet: 8
Gerrit-Owner: plaisthos 
Gerrit-Reviewer: flichtenheld 
Gerrit-CC: openvpn-devel 
Gerrit-Attention: plaisthos 
Gerrit-Comment-Date: Wed, 13 Dec 2023 10:52:24 +
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Comment-In-Reply-To: flichtenheld 
Gerrit-MessageType: comment


[Openvpn-devel] [XS] Change in openvpn[master]: forked-test-driver: Show test output always

2023-12-13 Thread flichtenheld (Code Review)
Attention is currently required from: plaisthos.

flichtenheld has posted comments on this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/479?usp=email )

Change subject: forked-test-driver: Show test output always
..


Patch Set 3:

(1 comment)

This change is ready for review.

File forked-test-driver:

http://gerrit.openvpn.net/c/openvpn/+/479/comment/bf08f7d3_1455cd09 :
PS1, Line 112: "$@" 2>&1 | tee -a "$log_file"
> breaks exit status without set -o pipefail. Which is probably not portable... 
> […]
Done



--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/479?usp=email

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I11e0091482d9acee89ca018374cb8d96d22f8514
Gerrit-Change-Number: 479
Gerrit-PatchSet: 3
Gerrit-Owner: flichtenheld 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-Attention: plaisthos 
Gerrit-Comment-Date: Wed, 13 Dec 2023 10:49:18 +
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Comment-In-Reply-To: flichtenheld 
Gerrit-MessageType: comment
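The exit-status problem raised in the forked-test-driver review above (`"$@" 2>&1 | tee -a "$log_file"` reports tee's status, so a failing test passes unless bash's non-POSIX `set -o pipefail` is available) can be solved in plain POSIX sh. This is an added example, not code from the OpenVPN change; the `run_logged` function and its temp-file status handshake are this example's own construction.

```shell
#!/bin/sh
# Added example: tee a test's output into a log file and still return the
# test's own exit status, without "set -o pipefail".
#
# With `"$@" 2>&1 | tee -a "$log_file"` the pipeline's status is tee's
# (almost always 0), so a failing test is reported as passed.

# run_logged LOG_FILE COMMAND [ARGS...]
# Runs COMMAND, appends its stdout+stderr to LOG_FILE (and echoes it),
# and returns COMMAND's exit status rather than tee's.
run_logged() {
    log_file=$1
    shift

    # The left side of a pipe runs in a subshell in POSIX sh, so a variable
    # set there is lost; pass the status out through a temporary file instead.
    status_file=$(mktemp) || return 1

    {
        set +e                      # never let -e abort before the status is saved
        "$@" 2>&1
        echo $? > "$status_file"    # $? is COMMAND's status here
    } | tee -a "$log_file"

    rc=$(cat "$status_file")
    rm -f "$status_file"

    # Defensive: if no numeric status was written, treat the run as failed.
    case $rc in
        ''|*[!0-9]*) return 1 ;;
    esac
    return "$rc"
}
```

Calling `run_logged test.log ./some_testdriver` from a driver script then makes `$?` reflect the test binary, so a crashing or failing test is no longer masked by the logging pipe.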