[Openvpn-devel] [L] Change in openvpn[master]: Windows: enforce 'block-local' with WFP filters

2024-05-18 Thread cron2 (Code Review)
Attention is currently required from: d12fk, plaisthos.

cron2 has posted comments on this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/489?usp=email )

Change subject: Windows: enforce 'block-local' with WFP filters
..


Patch Set 5: Code-Review-1

(2 comments)

Patchset:

PS5:
Overall the patch does what it says, but it is not -Werror clean.

Please fix, rebase (copyright dates have changed for the files renamed and 
commit 989b22cb6e0 moved around "pipe_message_t" + changed indentation).  
Thanks.


File src/openvpn/init.c:

http://gerrit.openvpn.net/c/openvpn/+/489/comment/a60e11c6_446166ef :
PS5, Line 2058: unsigned long adapter_index;
This is not `-Werror` clean.  GH builds complain

```
init.c:2115:26: error: variable 'adapter_index' is uninitialized when used here [-Werror,-Wuninitialized]
        del_wfp_block(c, adapter_index);
                         ^
init.c:2047:32: note: initialize the variable 'adapter_index' to silence this warning
    unsigned long adapter_index;
                               ^
                                = 0
1 error generated.
```

This is trivially adjusted (`=0`) but according to project rules I can't do 
that.



--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/489?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Ic9bf797bfc7e2d471998a84cb0f071db3e4832ba
Gerrit-Change-Number: 489
Gerrit-PatchSet: 5
Gerrit-Owner: d12fk 
Gerrit-Reviewer: cron2 
Gerrit-Reviewer: flichtenheld 
Gerrit-Reviewer: plaisthos 
Gerrit-Reviewer: stipa 
Gerrit-CC: openvpn-devel 
Gerrit-Attention: plaisthos 
Gerrit-Attention: d12fk 
Gerrit-Comment-Date: Sat, 18 May 2024 16:08:30 +
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


[Openvpn-devel] [S] Change in openvpn[master]: Only schedule_exit() once

2024-05-17 Thread cron2 (Code Review)
cron2 has uploaded a new patch set (#4) to the change originally created by 
reynir. ( http://gerrit.openvpn.net/c/openvpn/+/555?usp=email )

The following approvals got outdated and were removed:
Code-Review+2 by plaisthos


Change subject: Only schedule_exit() once
..

Only schedule_exit() once

If an exit has already been scheduled we should not schedule it again.
Otherwise, the exit signal is never emitted if the peer reschedules the
exit before the timeout occurs.

schedule_exit() now only takes the context as argument. The signal is
hard coded to SIGTERM, and the interval is read directly from the
context options.

Furthermore, schedule_exit() now returns a bool signifying whether an
exit was scheduled; false if exit is already scheduled. The call sites
are updated accordingly. A notable difference is that management is only
notified *once* when an exit is scheduled - we no longer notify
management on redundant exit.

This patch was assigned a CVE number after it had already been reviewed and
ACKed, because it was discovered that a misbehaving client can use the (now
fixed) server behaviour to avoid being disconnected by means of a
management interface "client-kill" command - the security issue here is
"client can circumvent security policy set by management interface".

This only affects previously authenticated clients, and only management
client-kill, so normal renegotiation / AUTH_FAIL ("your session ends") is not
affected.

CVE: 2024-28882

Change-Id: I9457f005f4ba970502e6b667d9dc4299a588d661
Signed-off-by: Reynir Björnsson 
Acked-by: Arne Schwabe 
Message-Id: <20240516120434.23499-1-g...@greenie.muc.de>
URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28679.html
Signed-off-by: Gert Doering 
---
M src/openvpn/forward.c
M src/openvpn/forward.h
M src/openvpn/push.c
3 files changed, 19 insertions(+), 10 deletions(-)


  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/55/555/4

diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c
index 8d10f25..01165b2 100644
--- a/src/openvpn/forward.c
+++ b/src/openvpn/forward.c
@@ -514,17 +514,24 @@
 }

 /*
- * Schedule a signal n_seconds from now.
+ * Schedule a SIGTERM signal c->options.scheduled_exit_interval seconds from 
now.
  */
-void
-schedule_exit(struct context *c, const int n_seconds, const int signal)
+bool
+schedule_exit(struct context *c)
 {
+const int n_seconds = c->options.scheduled_exit_interval;
+/* don't reschedule if already scheduled. */
+if (event_timeout_defined(>c2.scheduled_exit))
+{
+return false;
+}
 tls_set_single_session(c->c2.tls_multi);
 update_time();
 reset_coarse_timers(c);
 event_timeout_init(>c2.scheduled_exit, n_seconds, now);
-c->c2.scheduled_exit_signal = signal;
+c->c2.scheduled_exit_signal = SIGTERM;
 msg(D_SCHED_EXIT, "Delayed exit in %d seconds", n_seconds);
+return true;
 }

 /*
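Review bot: the updated doc comment describes the new timing but not the new return value; since the push.c call sites now branch on it, state that `schedule_exit()` returns true when an exit was newly scheduled and false when one was already pending. It is also worth saying in that comment that a second call deliberately leaves the existing timer untouched, because rearming it from "now" on every call is exactly what let a peer keep postponing its own disconnect (the CVE-2024-28882 scenario from the commit message).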
diff --git a/src/openvpn/forward.h b/src/openvpn/forward.h
index 6fb5a18..422c591 100644
--- a/src/openvpn/forward.h
+++ b/src/openvpn/forward.h
@@ -303,7 +303,7 @@

 void process_ip_header(struct context *c, unsigned int flags, struct buffer 
*buf);

-void schedule_exit(struct context *c, const int n_seconds, const int signal);
+bool schedule_exit(struct context *c);

 static inline struct link_socket_info *
 get_link_socket_info(struct context *c)
diff --git a/src/openvpn/push.c b/src/openvpn/push.c
index 1b406b9..d220eeb 100644
--- a/src/openvpn/push.c
+++ b/src/openvpn/push.c
@@ -204,7 +204,11 @@
  * */
 if (c->options.mode == MODE_SERVER)
 {
-schedule_exit(c, c->options.scheduled_exit_interval, SIGTERM);
+if (!schedule_exit(c))
+{
+/* Return early when we don't need to notify management */
+return;
+}
 }
 else
 {
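Review bot: the early `return` in the `MODE_SERVER` branch drops the repeated exit request silently; `send_auth_failed` below logs "exit already scheduled for context" at `D_TLS_DEBUG` in the same situation, and a matching debug message here would give operators a trace of a peer that keeps re-sending exit notifications while its disconnect is already pending. The comment only mentions skipping the management notification, but the `return` also skips everything after the if/else in this function, so a word on that would keep the intent clear.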
@@ -391,7 +395,7 @@
 void
 send_auth_failed(struct context *c, const char *client_reason)
 {
-if (event_timeout_defined(>c2.scheduled_exit))
+if (!schedule_exit(c))
 {
 msg(D_TLS_DEBUG, "exit already scheduled for context");
 return;
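Review bot: `if (!schedule_exit(c))` now hides a side effect inside the condition: on the `false` branch nothing was scheduled, but on the `true` branch the exit has already been armed by the time the body is skipped. A one-line comment such as `/* schedule_exit() arms the timer on success */` would stop a reader from mistaking this for the pure `event_timeout_defined()` check it replaces.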
@@ -401,8 +405,6 @@
 static const char auth_failed[] = "AUTH_FAILED";
 size_t len;

-schedule_exit(c, c->options.scheduled_exit_interval, SIGTERM);
-
 len = (client_reason ? strlen(client_reason)+1 : 0) + sizeof(auth_failed);
 if (len > PUSH_BUNDLE_SIZE)
 {
@@ -492,7 +494,7 @@
 void
 send_restart(struct context *c, const char *kill_msg)
 {
-schedule_exit(c, c->options.scheduled_exit_interval, SIGTERM);
+schedule_exit(c);
 send_control_channel_string(c, kill_msg ? kill_msg : "RESTART", D_PUSH);
 }
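Review bot: the bool returned by `schedule_exit(c)` is discarded here, so `send_restart` sends the RESTART control string even when an exit was already pending. That is presumably intended (repeating the control message is harmless), but an explicit `(void)` cast or a short comment would record that ignoring the result is deliberate, given that the other call sites in this patch were changed to check it.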


--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/555?usp=email

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I9457f005f4ba970502e6b667d9dc4299a588d661
Gerrit-Change-Number: 555
Gerrit-PatchSet: 4
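The failure the commit message describes, as an added example (illustrative code written for this page, not OpenVPN's): a scheduler that rearms the exit timer on every call never fires while the peer keeps re-triggering it faster than the interval, whereas the idempotent version fires on schedule and notifies management once. The `exit_timer`, `peer_ctx` and `simulate` names are this example's own stand-ins for OpenVPN's `event_timeout` and `struct context`, and the timings are constructed.

```c
/*
 * Added example (not OpenVPN code): why a delayed-exit scheduler has to be
 * idempotent. A toy one-shot timer stands in for OpenVPN's event_timeout,
 * and struct peer_ctx for the per-client context; all names are this
 * example's own.
 */
#include <stdbool.h>
#include <stdio.h>

struct exit_timer {
    bool defined;  /* a delayed exit is pending */
    int fire_at;   /* simulated time at which it fires */
};

struct peer_ctx {
    struct exit_timer scheduled_exit;
    int scheduled_exit_interval; /* like c->options.scheduled_exit_interval */
    int mgmt_notifications;      /* how often management was told about the exit */
};

/* Pre-fix behaviour: every call (re)arms the timer from "now". */
static void
schedule_exit_rearm(struct peer_ctx *c, int now)
{
    c->scheduled_exit.defined = true;
    c->scheduled_exit.fire_at = now + c->scheduled_exit_interval;
    c->mgmt_notifications++;
}

/* Post-fix behaviour: only the first call arms the timer and notifies
 * management; later calls leave the pending timer alone and report false. */
static bool
schedule_exit_once(struct peer_ctx *c, int now)
{
    if (c->scheduled_exit.defined)
    {
        return false;
    }
    c->scheduled_exit.defined = true;
    c->scheduled_exit.fire_at = now + c->scheduled_exit_interval;
    c->mgmt_notifications++;
    return true;
}

struct sim_result {
    int fired_at;       /* simulated time the exit fired, or -1 if never */
    int notifications;  /* management notifications sent along the way */
};

/* Drive a simulated clock from 0 to `horizon`. The peer triggers a scheduling
 * call every `peer_period` seconds (e.g. by repeating an exit notification);
 * the exit should fire `interval` seconds after the first one. */
static struct sim_result
simulate(bool idempotent, int interval, int peer_period, int horizon)
{
    struct peer_ctx c = { { false, 0 }, interval, 0 };
    struct sim_result r = { -1, 0 };

    for (int now = 0; now <= horizon; now++)
    {
        if (c.scheduled_exit.defined && now >= c.scheduled_exit.fire_at)
        {
            r.fired_at = now;
            break;
        }
        if (now % peer_period == 0)
        {
            if (idempotent)
            {
                schedule_exit_once(&c, now);
            }
            else
            {
                schedule_exit_rearm(&c, now);
            }
        }
    }
    r.notifications = c.mgmt_notifications;
    return r;
}

int
main(void)
{
    /* Constructed scenario: exit interval 5 s, peer re-triggers every 3 s. */
    struct sim_result old = simulate(false, 5, 3, 60);
    struct sim_result fixed = simulate(true, 5, 3, 60);
    printf("rearming scheduler:   fired_at=%d notifications=%d\n",
           old.fired_at, old.notifications);
    printf("idempotent scheduler: fired_at=%d notifications=%d\n",
           fixed.fired_at, fixed.notifications);
    return 0;
}
```

With a 5 s interval and a peer that re-triggers every 3 s, the rearming scheduler never fires within the 60 s horizon and notifies management 21 times, while the idempotent one fires at t=5 and notifies once; when the peer is slower than the interval both variants behave the same, which is the case the old code was written for.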

[Openvpn-devel] [S] Change in openvpn[master]: Only schedule_exit() once

2024-05-17 Thread cron2 (Code Review)
cron2 has submitted this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/555?usp=email )

Change subject: Only schedule_exit() once
..

Only schedule_exit() once

If an exit has already been scheduled we should not schedule it again.
Otherwise, the exit signal is never emitted if the peer reschedules the
exit before the timeout occurs.

schedule_exit() now only takes the context as argument. The signal is
hard coded to SIGTERM, and the interval is read directly from the
context options.

Furthermore, schedule_exit() now returns a bool signifying whether an
exit was scheduled; false if exit is already scheduled. The call sites
are updated accordingly. A notable difference is that management is only
notified *once* when an exit is scheduled - we no longer notify
management on redundant exit.

This patch was assigned a CVE number after it had already been reviewed and
ACKed, because it was discovered that a misbehaving client can use the (now
fixed) server behaviour to avoid being disconnected by means of a
management interface "client-kill" command - the security issue here is
"client can circumvent security policy set by management interface".

This only affects previously authenticated clients, and only management
client-kill, so normal renegotiation / AUTH_FAIL ("your session ends") is not
affected.

CVE: 2024-28882

Change-Id: I9457f005f4ba970502e6b667d9dc4299a588d661
Signed-off-by: Reynir Björnsson 
Acked-by: Arne Schwabe 
Message-Id: <20240516120434.23499-1-g...@greenie.muc.de>
URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28679.html
Signed-off-by: Gert Doering 
---
M src/openvpn/forward.c
M src/openvpn/forward.h
M src/openvpn/push.c
3 files changed, 19 insertions(+), 10 deletions(-)




diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c
index 8d10f25..01165b2 100644
--- a/src/openvpn/forward.c
+++ b/src/openvpn/forward.c
@@ -514,17 +514,24 @@
 }

 /*
- * Schedule a signal n_seconds from now.
+ * Schedule a SIGTERM signal c->options.scheduled_exit_interval seconds from 
now.
  */
-void
-schedule_exit(struct context *c, const int n_seconds, const int signal)
+bool
+schedule_exit(struct context *c)
 {
+const int n_seconds = c->options.scheduled_exit_interval;
+/* don't reschedule if already scheduled. */
+if (event_timeout_defined(>c2.scheduled_exit))
+{
+return false;
+}
 tls_set_single_session(c->c2.tls_multi);
 update_time();
 reset_coarse_timers(c);
 event_timeout_init(>c2.scheduled_exit, n_seconds, now);
-c->c2.scheduled_exit_signal = signal;
+c->c2.scheduled_exit_signal = SIGTERM;
 msg(D_SCHED_EXIT, "Delayed exit in %d seconds", n_seconds);
+return true;
 }

 /*
diff --git a/src/openvpn/forward.h b/src/openvpn/forward.h
index 6fb5a18..422c591 100644
--- a/src/openvpn/forward.h
+++ b/src/openvpn/forward.h
@@ -303,7 +303,7 @@

 void process_ip_header(struct context *c, unsigned int flags, struct buffer 
*buf);

-void schedule_exit(struct context *c, const int n_seconds, const int signal);
+bool schedule_exit(struct context *c);

 static inline struct link_socket_info *
 get_link_socket_info(struct context *c)
diff --git a/src/openvpn/push.c b/src/openvpn/push.c
index 1b406b9..d220eeb 100644
--- a/src/openvpn/push.c
+++ b/src/openvpn/push.c
@@ -204,7 +204,11 @@
  * */
 if (c->options.mode == MODE_SERVER)
 {
-schedule_exit(c, c->options.scheduled_exit_interval, SIGTERM);
+if (!schedule_exit(c))
+{
+/* Return early when we don't need to notify management */
+return;
+}
 }
 else
 {
@@ -391,7 +395,7 @@
 void
 send_auth_failed(struct context *c, const char *client_reason)
 {
-if (event_timeout_defined(>c2.scheduled_exit))
+if (!schedule_exit(c))
 {
 msg(D_TLS_DEBUG, "exit already scheduled for context");
 return;
@@ -401,8 +405,6 @@
 static const char auth_failed[] = "AUTH_FAILED";
 size_t len;

-schedule_exit(c, c->options.scheduled_exit_interval, SIGTERM);
-
 len = (client_reason ? strlen(client_reason)+1 : 0) + sizeof(auth_failed);
 if (len > PUSH_BUNDLE_SIZE)
 {
@@ -492,7 +494,7 @@
 void
 send_restart(struct context *c, const char *kill_msg)
 {
-schedule_exit(c, c->options.scheduled_exit_interval, SIGTERM);
+schedule_exit(c);
 send_control_channel_string(c, kill_msg ? kill_msg : "RESTART", D_PUSH);
 }


--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/555?usp=email

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I9457f005f4ba970502e6b667d9dc4299a588d661
Gerrit-Change-Number: 555
Gerrit-PatchSet: 4
Gerrit-Owner: reynir 
Gerrit-Reviewer: flichtenheld 
Gerrit-Reviewer: plaisthos 
Gerrit-Reviewer: reynir 
Gerrit-CC: openvpn-devel 
Gerrit-MessageType: merged

[Openvpn-devel] [M] Change in openvpn[master]: Remove custom TLS 1.0 PRF implementation only used by LibreSSL/wolfSSL

2024-05-15 Thread cron2 (Code Review)
cron2 has submitted this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/560?usp=email )

Change subject: Remove custom TLS 1.0 PRF implementation only used by 
LibreSSL/wolfSSL
..

Remove custom TLS 1.0 PRF implementation only used by LibreSSL/wolfSSL

After the removal of the OpenSSL 1.0.2 support, LibreSSL/wolfSSL are the
only libraries that still need the custom implementation.

Since our LibreSSL/wolfSSL support is always best effort, we can afford to
limit LibreSSL support in this way. If they want to support this, they
should expose the functionality as well.

Change-Id: I5bfa3630ad4dff2807705658bc877c4a429a39ce
Signed-off-by: Arne Schwabe 
Acked-by: Gert Doering 
Message-Id: <20240515100115.11056-1-g...@greenie.muc.de>
URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28672.html
Signed-off-by: Gert Doering 
---
M src/openvpn/crypto_openssl.c
M tests/unit_tests/openvpn/test_crypto.c
2 files changed, 16 insertions(+), 180 deletions(-)




diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
index 0473fad..fbd38f3 100644
--- a/src/openvpn/crypto_openssl.c
+++ b/src/openvpn/crypto_openssl.c
@@ -1397,7 +1397,7 @@

 return ret;
 }
-#elif !defined(LIBRESSL_VERSION_NUMBER)
+#elif !defined(LIBRESSL_VERSION_NUMBER) && !defined(ENABLE_CRYPTO_WOLFSSL)
 bool
 ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret,
  int secret_len, uint8_t *output, int output_len)
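Review bot: the `#else` branch that this condition now feeds also covers wolfSSL, but its comment (visible as the first context line of the next hunk) still reads `/* if defined(LIBRESSL_VERSION_NUMBER) */`; update it to mention `ENABLE_CRYPTO_WOLFSSL` as well so the three-way `#if` chain stays self-describing.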
@@ -1444,183 +1444,14 @@
 return ret;
 }
 #else  /* if defined(LIBRESSL_VERSION_NUMBER) */
-/*
- * Generate the hash required by for the \c tls1_PRF function.
- *
- * We cannot use our normal hmac_* function as they do not work
- * in a FIPS environment (no MD5 allowed, which we need). Instead
- * we need to directly use the EVP_MD_* API with the special
- * EVP_MD_CTX_FLAG_NON_FIPS_ALLOW flag.
- *
- * The function below is adapted from OpenSSL 1.0.2t
- *
- * @param md_kt Message digest to use
- * @param sec   Secret to base the hash on
- * @param sec_len   Length of the secret
- * @param seed  Seed to hash
- * @param seed_len  Length of the seed
- * @param out   Output buffer
- * @param olen  Length of the output buffer
- */
-static
-bool
-tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
-int sec_len, const void *seed, int seed_len,
-unsigned char *out, int olen)
-{
-int chunk;
-size_t j;
-EVP_MD_CTX *ctx, *ctx_tmp, *ctx_init;
-EVP_PKEY *mac_key;
-unsigned char A1[EVP_MAX_MD_SIZE];
-size_t A1_len = EVP_MAX_MD_SIZE;
-int ret = false;
-
-chunk = EVP_MD_size(md);
-OPENSSL_assert(chunk >= 0);
-
-ctx = md_ctx_new();
-ctx_tmp = md_ctx_new();
-ctx_init = md_ctx_new();
-EVP_MD_CTX_set_flags(ctx_init, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
-mac_key = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, sec, sec_len);
-if (!mac_key)
-{
-goto err;
-}
-if (!EVP_DigestSignInit(ctx_init, NULL, md, NULL, mac_key))
-{
-goto err;
-}
-if (!EVP_MD_CTX_copy_ex(ctx, ctx_init))
-{
-goto err;
-}
-if (!EVP_DigestSignUpdate(ctx, seed, seed_len))
-{
-goto err;
-}
-if (!EVP_DigestSignFinal(ctx, A1, _len))
-{
-goto err;
-}
-
-for (;; )
-{
-/* Reinit mac contexts */
-if (!EVP_MD_CTX_copy_ex(ctx, ctx_init))
-{
-goto err;
-}
-if (!EVP_DigestSignUpdate(ctx, A1, A1_len))
-{
-goto err;
-}
-if (olen > chunk && !EVP_MD_CTX_copy_ex(ctx_tmp, ctx))
-{
-goto err;
-}
-if (!EVP_DigestSignUpdate(ctx, seed, seed_len))
-{
-goto err;
-}
-
-if (olen > chunk)
-{
-j = olen;
-if (!EVP_DigestSignFinal(ctx, out, ))
-{
-goto err;
-}
-out += j;
-olen -= j;
-/* calc the next A1 value */
-if (!EVP_DigestSignFinal(ctx_tmp, A1, _len))
-{
-goto err;
-}
-}
-else
-{
-A1_len = EVP_MAX_MD_SIZE;
-/* last one */
-if (!EVP_DigestSignFinal(ctx, A1, _len))
-{
-goto err;
-}
-memcpy(out, A1, olen);
-break;
-}
-}
-ret = true;
-err:
-EVP_PKEY_free(mac_key);
-EVP_MD_CTX_free(ctx);
-EVP_MD_CTX_free(ctx_tmp);
-EVP_MD_CTX_free(ctx_init);
-OPENSSL_cleanse(A1, sizeof(A1));
-return ret;
-}
-
-/*
- * Use the TLS PRF function for generating data channel keys.
- * This code is based on the OpenSSL library.
- *
- * TLS generates keys as such:
- *
- * master_secret[48] = PRF(pre_master_secret[48], "master secret",
- * ClientHello.random[32] + ServerHello.random[32])
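Review bot: the deleted block was the only code path that scrubbed the intermediate HMAC output with `OPENSSL_cleanse(A1, ...)` and set `EVP_MD_CTX_FLAG_NON_FIPS_ALLOW`; whatever the 16 inserted lines put in the `#else` branch (cut off in this rendering) needs to fail loudly when the library offers no TLS 1.0 PRF, so a LibreSSL/wolfSSL build cannot silently derive data-channel keys from an unimplemented function, and the test_crypto.c change should exercise that error path rather than only the OpenSSL one.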

[Openvpn-devel] [M] Change in openvpn[master]: Remove custom TLS 1.0 PRF implementation only used by LibreSSL/wolfSSL

2024-05-15 Thread cron2 (Code Review)
cron2 has uploaded a new patch set (#6) to the change originally created by 
plaisthos. ( http://gerrit.openvpn.net/c/openvpn/+/560?usp=email )

The following approvals got outdated and were removed:
Code-Review+2 by cron2


Change subject: Remove custom TLS 1.0 PRF implementation only used by 
LibreSSL/wolfSSL
..

Remove custom TLS 1.0 PRF implementation only used by LibreSSL/wolfSSL

After the removal of the OpenSSL 1.0.2 support, LibreSSL/wolfSSL are the
only libraries that still need the custom implementation.

Since our LibreSSL/wolfSSL support is always best effort, we can afford to
limit LibreSSL support in this way. If they want to support this, they
should expose the functionality as well.

Change-Id: I5bfa3630ad4dff2807705658bc877c4a429a39ce
Signed-off-by: Arne Schwabe 
Acked-by: Gert Doering 
Message-Id: <20240515100115.11056-1-g...@greenie.muc.de>
URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28672.html
Signed-off-by: Gert Doering 
---
M src/openvpn/crypto_openssl.c
M tests/unit_tests/openvpn/test_crypto.c
2 files changed, 16 insertions(+), 180 deletions(-)


  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/60/560/6

diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
index 0473fad..fbd38f3 100644
--- a/src/openvpn/crypto_openssl.c
+++ b/src/openvpn/crypto_openssl.c
@@ -1397,7 +1397,7 @@

 return ret;
 }
-#elif !defined(LIBRESSL_VERSION_NUMBER)
+#elif !defined(LIBRESSL_VERSION_NUMBER) && !defined(ENABLE_CRYPTO_WOLFSSL)
 bool
 ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret,
  int secret_len, uint8_t *output, int output_len)
@@ -1444,183 +1444,14 @@
 return ret;
 }
 #else  /* if defined(LIBRESSL_VERSION_NUMBER) */
-/*
- * Generate the hash required by for the \c tls1_PRF function.
- *
- * We cannot use our normal hmac_* function as they do not work
- * in a FIPS environment (no MD5 allowed, which we need). Instead
- * we need to directly use the EVP_MD_* API with the special
- * EVP_MD_CTX_FLAG_NON_FIPS_ALLOW flag.
- *
- * The function below is adapted from OpenSSL 1.0.2t
- *
- * @param md_kt Message digest to use
- * @param sec   Secret to base the hash on
- * @param sec_len   Length of the secret
- * @param seed  Seed to hash
- * @param seed_len  Length of the seed
- * @param out   Output buffer
- * @param olen  Length of the output buffer
- */
-static
-bool
-tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
-int sec_len, const void *seed, int seed_len,
-unsigned char *out, int olen)
-{
-int chunk;
-size_t j;
-EVP_MD_CTX *ctx, *ctx_tmp, *ctx_init;
-EVP_PKEY *mac_key;
-unsigned char A1[EVP_MAX_MD_SIZE];
-size_t A1_len = EVP_MAX_MD_SIZE;
-int ret = false;
-
-chunk = EVP_MD_size(md);
-OPENSSL_assert(chunk >= 0);
-
-ctx = md_ctx_new();
-ctx_tmp = md_ctx_new();
-ctx_init = md_ctx_new();
-EVP_MD_CTX_set_flags(ctx_init, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
-mac_key = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, sec, sec_len);
-if (!mac_key)
-{
-goto err;
-}
-if (!EVP_DigestSignInit(ctx_init, NULL, md, NULL, mac_key))
-{
-goto err;
-}
-if (!EVP_MD_CTX_copy_ex(ctx, ctx_init))
-{
-goto err;
-}
-if (!EVP_DigestSignUpdate(ctx, seed, seed_len))
-{
-goto err;
-}
-if (!EVP_DigestSignFinal(ctx, A1, _len))
-{
-goto err;
-}
-
-for (;; )
-{
-/* Reinit mac contexts */
-if (!EVP_MD_CTX_copy_ex(ctx, ctx_init))
-{
-goto err;
-}
-if (!EVP_DigestSignUpdate(ctx, A1, A1_len))
-{
-goto err;
-}
-if (olen > chunk && !EVP_MD_CTX_copy_ex(ctx_tmp, ctx))
-{
-goto err;
-}
-if (!EVP_DigestSignUpdate(ctx, seed, seed_len))
-{
-goto err;
-}
-
-if (olen > chunk)
-{
-j = olen;
-if (!EVP_DigestSignFinal(ctx, out, ))
-{
-goto err;
-}
-out += j;
-olen -= j;
-/* calc the next A1 value */
-if (!EVP_DigestSignFinal(ctx_tmp, A1, _len))
-{
-goto err;
-}
-}
-else
-{
-A1_len = EVP_MAX_MD_SIZE;
-/* last one */
-if (!EVP_DigestSignFinal(ctx, A1, _len))
-{
-goto err;
-}
-memcpy(out, A1, olen);
-break;
-}
-}
-ret = true;
-err:
-EVP_PKEY_free(mac_key);
-EVP_MD_CTX_free(ctx);
-EVP_MD_CTX_free(ctx_tmp);
-EVP_MD_CTX_free(ctx_init);
-OPENSSL_cleanse(A1, sizeof(A1));
-return ret;
-}
-
-/*
- * Use the TLS PRF function for generating data channel keys.
- * This code is based on 

[Openvpn-devel] [M] Change in openvpn[master]: Remove custom TLS 1.0 PRF implementation only used by LibreSSL/wolfSSL

2024-05-15 Thread cron2 (Code Review)
Attention is currently required from: plaisthos.

cron2 has posted comments on this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/560?usp=email )

Change subject: Remove custom TLS 1.0 PRF implementation only used by 
LibreSSL/wolfSSL
..


Patch Set 5:

(1 comment)

Patchset:

PS5:
It makes sense to remove this special code which is basically not exercised for 
most users and platforms these days.  If those platforms want old PRF they can 
add the functionality to their libraries.



--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/560?usp=email

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I5bfa3630ad4dff2807705658bc877c4a429a39ce
Gerrit-Change-Number: 560
Gerrit-PatchSet: 5
Gerrit-Owner: plaisthos 
Gerrit-Reviewer: cron2 
Gerrit-Reviewer: flichtenheld 
Gerrit-CC: openvpn-devel 
Gerrit-Attention: plaisthos 
Gerrit-Comment-Date: Wed, 15 May 2024 10:00:27 +
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Gerrit-MessageType: comment


[Openvpn-devel] [M] Change in openvpn[master]: Remove custom TLS 1.0 PRF implementation only used by LibreSSL/wolfSSL

2024-05-15 Thread cron2 (Code Review)
Attention is currently required from: plaisthos.

cron2 has posted comments on this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/560?usp=email )

Change subject: Remove custom TLS 1.0 PRF implementation only used by 
LibreSSL/wolfSSL
..


Patch Set 5: Code-Review+2


--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/560?usp=email

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I5bfa3630ad4dff2807705658bc877c4a429a39ce
Gerrit-Change-Number: 560
Gerrit-PatchSet: 5
Gerrit-Owner: plaisthos 
Gerrit-Reviewer: cron2 
Gerrit-Reviewer: flichtenheld 
Gerrit-CC: openvpn-devel 
Gerrit-Attention: plaisthos 
Gerrit-Comment-Date: Wed, 15 May 2024 09:58:41 +
Gerrit-HasComments: No
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment


[Openvpn-devel] [L] Change in openvpn[master]: Remove OpenSSL 1.0.2 support

2024-05-14 Thread cron2 (Code Review)
cron2 has uploaded a new patch set (#10) to the change originally created by 
plaisthos. ( http://gerrit.openvpn.net/c/openvpn/+/559?usp=email )

The following approvals got outdated and were removed:
Code-Review+2 by cron2


Change subject: Remove OpenSSL 1.0.2 support
..

Remove OpenSSL 1.0.2 support

With CentOS 7/Red Hat Enterprise Linux 7 being EOL this June, the last
distributions that still support OpenSSL 1.0.2 are finally EOL. This
means we no longer need to support OpenSSL 1.0.2.

Change-Id: I90875311a4e4c403e77e30b609c1878cbd45
Signed-off-by: Arne Schwabe 
Acked-by: Gert Doering 
Message-Id: <20240514141550.17544-1-g...@greenie.muc.de>
URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28665.html
Signed-off-by: Gert Doering 
---
M Changes.rst
M INSTALL
M configure.ac
M src/openvpn/crypto_openssl.c
M src/openvpn/openssl_compat.h
M src/openvpn/ssl_openssl.c
6 files changed, 27 insertions(+), 693 deletions(-)


  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/59/559/10

diff --git a/Changes.rst b/Changes.rst
index fa0fb22..4bc3bb3 100644
--- a/Changes.rst
+++ b/Changes.rst
@@ -33,6 +33,10 @@
 ``--topology net30`` to the config should fix the problem.
 By default ``--topology`` is pushed from server to client.

+OpenSSL 1.0.2 support
+Support for building with OpenSSL 1.0.2 has been removed. The minimum
+supported OpenSSL version is now 1.1.0.
+
 Overview of changes in 2.6
 ==

diff --git a/INSTALL b/INSTALL
index a63bab6..6007338 100644
--- a/INSTALL
+++ b/INSTALL
@@ -66,7 +66,7 @@
   (1) TUN and/or TAP driver to allow user-space programs to control
   a virtual point-to-point IP or Ethernet device.
   See TUN/TAP Driver References section below for more info.
-  (2a) OpenSSL library, necessary for encryption, version 1.0.2 or higher
+  (2a) OpenSSL library, necessary for encryption, version 1.1.0 or higher
   required, available from http://www.openssl.org/
   or
   (2b) mbed TLS library, an alternative for encryption, version 2.0 or higher
diff --git a/configure.ac b/configure.ac
index ce8b2b0..965ed1a 100644
--- a/configure.ac
+++ b/configure.ac
@@ -888,7 +888,7 @@
# if the user did not explicitly specify flags, try to 
autodetect
PKG_CHECK_MODULES(
[OPENSSL],
-   [openssl >= 1.0.2],
+   [openssl >= 1.1.0],
[have_openssl="yes"],
[AC_MSG_WARN([OpenSSL not found by pkg-config 
${pkg_config_found}])] # If this fails, we will do another test next
)
@@ -903,7 +903,7 @@
# If pkgconfig check failed or OPENSSL_CFLAGS/OPENSSL_LIBS env vars
# are used, check the version directly in the OpenSSL include file
if test "${have_openssl}" != "yes"; then
-   AC_MSG_CHECKING([additionally if OpenSSL is available and 
version >= 1.0.2])
+   AC_MSG_CHECKING([additionally if OpenSSL is available and 
version >= 1.1.0])
AC_COMPILE_IFELSE(
[AC_LANG_PROGRAM(
[[
@@ -911,7 +911,7 @@
]],
[[
 /*  Version encoding: MNNFFPPS - see opensslv.h for details */
-#if OPENSSL_VERSION_NUMBER < 0x10002000L
+#if OPENSSL_VERSION_NUMBER < 0x1010L
 #error OpenSSL too old
 #endif
]]
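Review bot: the new constant is displayed as `0x1010L`, but per the `MNNFFPPS` encoding noted in the comment just above, 1.1.0 is `0x10100000L` (the removed line shows 1.0.2 written out in full as `0x10002000L`). As displayed, `0x1010L` would accept every OpenSSL release ever made, so please confirm the zeros were only lost in the mail rendering (the `+0000` timezone in the Gerrit headers is mangled the same way) and that the committed file carries the full value; the `0x1010L` and `0x3000L` comparisons in crypto_openssl.c below deserve the same check.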
@@ -981,7 +981,7 @@
[AC_MSG_ERROR([OpenSSL check for AES-256-GCM support failed])]
)

-   # All supported OpenSSL version (>= 1.0.2)
+   # All supported OpenSSL version (>= 1.1.0)
# have this feature
have_export_keying_material="yes"

diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
index 1649ab7..0473fad 100644
--- a/src/openvpn/crypto_openssl.c
+++ b/src/openvpn/crypto_openssl.c
@@ -49,7 +49,7 @@
 #include 
 #include 

-#if (OPENSSL_VERSION_NUMBER >= 0x1010L) && 
!defined(LIBRESSL_VERSION_NUMBER)
+#if !defined(LIBRESSL_VERSION_NUMBER)
 #include 
 #endif
 #if OPENSSL_VERSION_NUMBER >= 0x3000L
@@ -193,11 +193,7 @@
 void
 crypto_init_lib(void)
 {
-#if (OPENSSL_VERSION_NUMBER >= 0x1010L)
 OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL);
-#else
-OPENSSL_config(NULL);
-#endif
 /*
  * If you build the OpenSSL library and OpenVPN with
  * CRYPTO_MDEBUG, you will get a listing of OpenSSL
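Review bot: with the `OPENSSL_config(NULL)` fallback gone, `crypto_init_lib()` now calls `OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL)` unconditionally. That is right for OpenSSL >= 1.1.0, but this file keeps LibreSSL-specific branches elsewhere, so a build against the oldest LibreSSL the project still claims to support would confirm the call is available there too.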
@@ -1401,7 +1397,7 @@

 return ret;
 }
-#elif (OPENSSL_VERSION_NUMBER >= 0x1010L) && 
!defined(LIBRESSL_VERSION_NUMBER)
+#elif !defined(LIBRESSL_VERSION_NUMBER)
 bool
 ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret,
  int secret_len, uint8_t *output, int output_len)
@@ -1447,7 +1443,7 @@
 EVP_PKEY_CTX_free(pctx);
 return ret;
 }
-#else  /* if OPENSSL_VERSION_NUMBER >= 0x1010L */

[Openvpn-devel] [L] Change in openvpn[master]: Remove OpenSSL 1.0.2 support

2024-05-14 Thread cron2 (Code Review)
cron2 has submitted this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/559?usp=email )

Change subject: Remove OpenSSL 1.0.2 support
..

Remove OpenSSL 1.0.2 support

With CentOS 7/Red Hat Enterprise Linux 7 being EOL this June, the last
distributions that still support OpenSSL 1.0.2 are finally EOL. This
means we no longer need to support OpenSSL 1.0.2.

Change-Id: I90875311a4e4c403e77e30b609c1878cbd45
Signed-off-by: Arne Schwabe 
Acked-by: Gert Doering 
Message-Id: <20240514141550.17544-1-g...@greenie.muc.de>
URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28665.html
Signed-off-by: Gert Doering 
---
M Changes.rst
M INSTALL
M configure.ac
M src/openvpn/crypto_openssl.c
M src/openvpn/openssl_compat.h
M src/openvpn/ssl_openssl.c
6 files changed, 27 insertions(+), 693 deletions(-)




diff --git a/Changes.rst b/Changes.rst
index fa0fb22..4bc3bb3 100644
--- a/Changes.rst
+++ b/Changes.rst
@@ -33,6 +33,10 @@
 ``--topology net30`` to the config should fix the problem.
 By default ``--topology`` is pushed from server to client.
 
+OpenSSL 1.0.2 support
+Support for building with OpenSSL 1.0.2 has been removed. The minimum
+supported OpenSSL version is now 1.1.0.
+
 Overview of changes in 2.6
 ==

diff --git a/INSTALL b/INSTALL
index a63bab6..6007338 100644
--- a/INSTALL
+++ b/INSTALL
@@ -66,7 +66,7 @@
   (1) TUN and/or TAP driver to allow user-space programs to control
   a virtual point-to-point IP or Ethernet device.
   See TUN/TAP Driver References section below for more info.
-  (2a) OpenSSL library, necessary for encryption, version 1.0.2 or higher
+  (2a) OpenSSL library, necessary for encryption, version 1.1.0 or higher
   required, available from http://www.openssl.org/
   or
   (2b) mbed TLS library, an alternative for encryption, version 2.0 or higher
diff --git a/configure.ac b/configure.ac
index ce8b2b0..965ed1a 100644
--- a/configure.ac
+++ b/configure.ac
@@ -888,7 +888,7 @@
# if the user did not explicitly specify flags, try to 
autodetect
PKG_CHECK_MODULES(
[OPENSSL],
-   [openssl >= 1.0.2],
+   [openssl >= 1.1.0],
[have_openssl="yes"],
[AC_MSG_WARN([OpenSSL not found by pkg-config 
${pkg_config_found}])] # If this fails, we will do another test next
)
@@ -903,7 +903,7 @@
# If pkgconfig check failed or OPENSSL_CFLAGS/OPENSSL_LIBS env vars
# are used, check the version directly in the OpenSSL include file
if test "${have_openssl}" != "yes"; then
-   AC_MSG_CHECKING([additionally if OpenSSL is available and 
version >= 1.0.2])
+   AC_MSG_CHECKING([additionally if OpenSSL is available and 
version >= 1.1.0])
AC_COMPILE_IFELSE(
[AC_LANG_PROGRAM(
[[
@@ -911,7 +911,7 @@
]],
[[
 /*  Version encoding: MNNFFPPS - see opensslv.h for details */
-#if OPENSSL_VERSION_NUMBER < 0x10002000L
+#if OPENSSL_VERSION_NUMBER < 0x1010L
 #error OpenSSL too old
 #endif
]]
@@ -981,7 +981,7 @@
[AC_MSG_ERROR([OpenSSL check for AES-256-GCM support failed])]
)

-   # All supported OpenSSL version (>= 1.0.2)
+   # All supported OpenSSL version (>= 1.1.0)
# have this feature
have_export_keying_material="yes"

diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
index 1649ab7..0473fad 100644
--- a/src/openvpn/crypto_openssl.c
+++ b/src/openvpn/crypto_openssl.c
@@ -49,7 +49,7 @@
 #include 
 #include 

-#if (OPENSSL_VERSION_NUMBER >= 0x1010L) && 
!defined(LIBRESSL_VERSION_NUMBER)
+#if !defined(LIBRESSL_VERSION_NUMBER)
 #include 
 #endif
 #if OPENSSL_VERSION_NUMBER >= 0x3000L
@@ -193,11 +193,7 @@
 void
 crypto_init_lib(void)
 {
-#if (OPENSSL_VERSION_NUMBER >= 0x1010L)
 OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL);
-#else
-OPENSSL_config(NULL);
-#endif
 /*
  * If you build the OpenSSL library and OpenVPN with
  * CRYPTO_MDEBUG, you will get a listing of OpenSSL
@@ -1401,7 +1397,7 @@

 return ret;
 }
-#elif (OPENSSL_VERSION_NUMBER >= 0x1010L) && 
!defined(LIBRESSL_VERSION_NUMBER)
+#elif !defined(LIBRESSL_VERSION_NUMBER)
 bool
 ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret,
  int secret_len, uint8_t *output, int output_len)
@@ -1447,7 +1443,7 @@
 EVP_PKEY_CTX_free(pctx);
 return ret;
 }
-#else  /* if OPENSSL_VERSION_NUMBER >= 0x1010L */
+#else  /* if defined(LIBRESSL_VERSION_NUMBER) */
 /*
  * Generate the hash required by for the \c tls1_PRF function.
  *
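Review bot: the rewritten `#else` comment now matches the `#elif !defined(LIBRESSL_VERSION_NUMBER)` above it. The custom `tls1_P_hash` it introduces is from here on compiled only for LibreSSL, so it loses all coverage in OpenSSL-based CI; either add a LibreSSL build job or drop the code (the "Remove custom TLS 1.0 PRF implementation" change elsewhere in this digest takes the second route).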
@@ -1626,5 +1622,5 @@
 gc_free();
 return ret;
 }
-#endif /* if 

[Openvpn-devel] [L] Change in openvpn[master]: Remove OpenSSL 1.0.2 support

2024-05-14 Thread cron2 (Code Review)
Attention is currently required from: plaisthos.

cron2 has posted comments on this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/559?usp=email )

Change subject: Remove OpenSSL 1.0.2 support
..


Patch Set 9: Code-Review+2

(1 comment)

Patchset:

PS9:
Went through the code, the #ifdefs all look good (there is one LibreSSL fix 
that is strictly speaking "not 1.0.2 removal related" but also makes sense).

I expect some conflicts with the recent LibreSSL crash fix patch, but can 
handle that on commit.  So, let's go :-)



--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/559?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I90875311a4e4c403e77e30b609c1878cbd45
Gerrit-Change-Number: 559
Gerrit-PatchSet: 9
Gerrit-Owner: plaisthos 
Gerrit-Reviewer: cron2 
Gerrit-Reviewer: flichtenheld 
Gerrit-CC: openvpn-devel 
Gerrit-Attention: plaisthos 
Gerrit-Comment-Date: Tue, 14 May 2024 14:15:00 +
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
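A worked illustration of the version gate this change tightens, added here as an example and not code from the OpenVPN project: it decodes OPENSSL_VERSION_NUMBER using the MNNFFPPS layout from opensslv.h and applies the same `< minimum` comparison that configure.ac performs. The full literals 0x10100000 (1.1.0) and 0x30000000 (3.x) are assumptions, since the mailing-list copy of the patch shows them with their zeros collapsed; the sample release constants are the published ones from opensslv.h.

```python
# Added example, not OpenVPN project code: decode the OPENSSL_VERSION_NUMBER
# layout that configure.ac tests ("MNNFFPPS", see opensslv.h) and apply the
# same "< minimum" gate. The full literals below are assumptions taken from
# opensslv.h; the mailing-list copy of the patch shows them with zeros collapsed.

MIN_SUPPORTED = 0x10100000      # assumed full form of the new configure threshold (1.1.0)
OPENSSL3_BOUNDARY = 0x30000000  # assumed full form of the 3.x guard in crypto_openssl.c

# Release constants from opensslv.h, used here as constructed sample input.
SAMPLES = {
    "1.0.2u": 0x1000215F,
    "1.1.0":  0x1010000F,
    "1.1.1w": 0x1010117F,
    "3.0.13": 0x300000DF,
}


def decode_version(v: int) -> dict:
    """Split a 32-bit OPENSSL_VERSION_NUMBER into its fields.

    1.x: M NN FF PP S  (major, minor, fix, patch letter, status nibble)
    3.x: M NN PPPP S   (major, minor, 16-bit patch, pre-release flag); the
         'fix' and 'patch letter' fields of the 1.x layout no longer exist.
    """
    major = (v >> 28) & 0xF
    minor = (v >> 20) & 0xFF
    status = v & 0xF
    if major >= 3:
        return {"major": major, "minor": minor, "fix": (v >> 4) & 0xFFFF,
                "patch": 0, "status": status}
    return {"major": major, "minor": minor, "fix": (v >> 12) & 0xFF,
            "patch": (v >> 4) & 0xFF, "status": status}


def version_string(v: int) -> str:
    """Render the number the way OpenSSL names releases, e.g. 0x1000215F -> '1.0.2u'."""
    d = decode_version(v)
    s = f"{d['major']}.{d['minor']}.{d['fix']}"
    if d["patch"]:
        s += chr(ord("a") + d["patch"] - 1)   # 1.x patch 1 -> 'a', 2 -> 'b', ...
    if d["status"] == 0:
        s += "-dev"
    elif d["status"] < 0xF:
        s += f"-beta{d['status']}"            # 0xF marks a final release
    return s


def too_old(v: int, minimum: int = MIN_SUPPORTED) -> bool:
    """Mirror of '#if OPENSSL_VERSION_NUMBER < minimum' -> '#error OpenSSL too old'."""
    return v < minimum


def uses_openssl3_api(v: int) -> bool:
    """Mirror of the '#if OPENSSL_VERSION_NUMBER >= 0x30000000L' code-path switch."""
    return v >= OPENSSL3_BOUNDARY


def classify(samples: dict = SAMPLES) -> dict:
    """Run every sample through both gates; returns name -> (decoded, too_old, 3.x api)."""
    return {name: (version_string(v), too_old(v), uses_openssl3_api(v))
            for name, v in samples.items()}


if __name__ == "__main__":
    for name, (decoded, old, v3) in classify().items():
        print(f"{name:8} decoded={decoded:10} too_old={old!s:5} openssl3_api={v3}")
```

Running it prints one line per sample. The point worth keeping is that 3.x reuses the same 32-bit word with a different field layout, so a decoder that only knows MNNFFPPS mislabels 3.0.13; that is why both guards in this patch (the 1.1.0 minimum and the separate 3.x switch) compare the raw integer rather than decoded fields.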


[Openvpn-devel] [S] Change in openvpn[master]: Workaround issue in LibreSSL crashing when enumerating digests/ciphers

2024-05-13 Thread cron2 (Code Review)
cron2 has submitted this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/586?usp=email )

Change subject: Workaround issue in LibreSSL crashing when enumerating 
digests/ciphers
..

Workaround issue in LibreSSL crashing when enumerating digests/ciphers

OpenBSD/LibreSSL reimplemented EVP_get_cipherbyname/EVP_get_digestbyname
and broke calling EVP_get_cipherbynid/EVP_get_digestbyname with an
invalid nid in the process so that it would segfault.

Workaround by doing that NULL check in OpenVPN instead of leaving it
to the library.

Github: see also https://github.com/libressl/openbsd/issues/150

Change-Id: Ia08a9697d0ff41721fb0acf17ccb4cfa23cb3934
Signed-off-by: Arne Schwabe 
Acked-by: Gert Doering 
Message-Id: <20240508220540.12554-1-g...@greenie.muc.de>
URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28649.html
Signed-off-by: Gert Doering 
---
M src/openvpn/crypto_openssl.c
1 file changed, 25 insertions(+), 1 deletion(-)




diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
index 61c6518..1649ab7 100644
--- a/src/openvpn/crypto_openssl.c
+++ b/src/openvpn/crypto_openssl.c
@@ -387,7 +387,19 @@
 #else
 for (int nid = 0; nid < 1; ++nid)
 {
+#if defined(LIBRESSL_VERSION_NUMBER)
+/* OpenBSD/LibreSSL reimplemented EVP_get_cipherbyname and broke
+ * calling EVP_get_cipherbynid with an invalid nid in the process
+ * so that it would segfault. */
+const EVP_CIPHER *cipher = NULL;
+const char *name = OBJ_nid2sn(nid);
+if (name)
+{
+cipher = EVP_get_cipherbyname(name);
+}
+#else  /* if defined(LIBRESSL_VERSION_NUMBER) */
 const EVP_CIPHER *cipher = EVP_get_cipherbynid(nid);
+#endif
 /* We cast the const away so we can keep the function prototype
  * compatible with EVP_CIPHER_do_all_provided */
 collect_ciphers((EVP_CIPHER *) cipher, _list);
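Review bot: OBJ_nid2sn() raises OBJ_R_UNKNOWN_NID onto the error queue for every nid that has no object assigned, and this loop sweeps the nid range under LibreSSL, so `--show-ciphers` will leave a large number of stale entries on the thread's error queue; add an ERR_clear_error() after the loop so later error reporting is not polluted. Also, `nid < 1` as posted cannot be the intended upper bound (the body would run exactly once), so please confirm the real limit; and collect_ciphers() must keep tolerating a NULL cipher, since EVP_get_cipherbyname() returns NULL for short names with no registered cipher just as EVP_get_cipherbynid() did.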
@@ -441,7 +453,19 @@
 #else
 for (int nid = 0; nid < 1; ++nid)
 {
+/* OpenBSD/LibreSSL reimplemented EVP_get_digestbyname and broke
+ * calling EVP_get_digestbynid with an invalid nid in the process
+ * so that it would segfault. */
+#ifdef LIBRESSL_VERSION_NUMBER
+const EVP_MD *digest = NULL;
+const char *name = OBJ_nid2sn(nid);
+if (name)
+{
+digest = EVP_get_digestbyname(name);
+}
+#else  /* ifdef LIBRESSL_VERSION_NUMBER */
 const EVP_MD *digest = EVP_get_digestbynid(nid);
+#endif
 if (digest)
 {
 /* We cast the const away so we can keep the function prototype
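Review bot: the explanatory comment sits outside the conditional here and uses `#ifdef LIBRESSL_VERSION_NUMBER`, whereas the cipher hunk above puts the comment inside `#if defined(LIBRESSL_VERSION_NUMBER)`; pick one form for both so the two workarounds read the same. The error-queue point from the cipher loop applies here too: OBJ_nid2sn() on unassigned nids pushes an error on each iteration, so an ERR_clear_error() after the loop is worth adding.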
@@ -449,7 +473,7 @@
 print_digest((EVP_MD *)digest, NULL);
 }
 }
-#endif
+#endif /* if OPENSSL_VERSION_NUMBER >= 0x3000L */
 printf("\n");
 }


--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/586?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Ia08a9697d0ff41721fb0acf17ccb4cfa23cb3934
Gerrit-Change-Number: 586
Gerrit-PatchSet: 2
Gerrit-Owner: plaisthos 
Gerrit-Reviewer: cron2 
Gerrit-Reviewer: flichtenheld 
Gerrit-CC: openvpn-devel 
Gerrit-MessageType: merged
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


[Openvpn-devel] [S] Change in openvpn[master]: Workaround issue in LibreSSL crashing when enumerating digests/ciphers

2024-05-13 Thread cron2 (Code Review)
cron2 has uploaded a new patch set (#2) to the change originally created by 
plaisthos. ( http://gerrit.openvpn.net/c/openvpn/+/586?usp=email )

The following approvals got outdated and were removed:
Code-Review+2 by cron2


Change subject: Workaround issue in LibreSSL crashing when enumerating 
digests/ciphers
..

Workaround issue in LibreSSL crashing when enumerating digests/ciphers

OpenBSD/LibreSSL reimplemented EVP_get_cipherbyname/EVP_get_digestbyname
and broke calling EVP_get_cipherbynid/EVP_get_digestbyname with an
invalid nid in the process so that it would segfault.

Workaround by doing that NULL check in OpenVPN instead of leaving it
to the library.

Github: see also https://github.com/libressl/openbsd/issues/150

Change-Id: Ia08a9697d0ff41721fb0acf17ccb4cfa23cb3934
Signed-off-by: Arne Schwabe 
Acked-by: Gert Doering 
Message-Id: <20240508220540.12554-1-g...@greenie.muc.de>
URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28649.html
Signed-off-by: Gert Doering 
---
M src/openvpn/crypto_openssl.c
1 file changed, 25 insertions(+), 1 deletion(-)


  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/86/586/2

diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
index 61c6518..1649ab7 100644
--- a/src/openvpn/crypto_openssl.c
+++ b/src/openvpn/crypto_openssl.c
@@ -387,7 +387,19 @@
 #else
 for (int nid = 0; nid < 1; ++nid)
 {
+#if defined(LIBRESSL_VERSION_NUMBER)
+/* OpenBSD/LibreSSL reimplemented EVP_get_cipherbyname and broke
+ * calling EVP_get_cipherbynid with an invalid nid in the process
+ * so that it would segfault. */
+const EVP_CIPHER *cipher = NULL;
+const char *name = OBJ_nid2sn(nid);
+if (name)
+{
+cipher = EVP_get_cipherbyname(name);
+}
+#else  /* if defined(LIBRESSL_VERSION_NUMBER) */
 const EVP_CIPHER *cipher = EVP_get_cipherbynid(nid);
+#endif
 /* We cast the const away so we can keep the function prototype
  * compatible with EVP_CIPHER_do_all_provided */
 collect_ciphers((EVP_CIPHER *) cipher, _list);
@@ -441,7 +453,19 @@
 #else
 for (int nid = 0; nid < 1; ++nid)
 {
+/* OpenBSD/LibreSSL reimplemented EVP_get_digestbyname and broke
+ * calling EVP_get_digestbynid with an invalid nid in the process
+ * so that it would segfault. */
+#ifdef LIBRESSL_VERSION_NUMBER
+const EVP_MD *digest = NULL;
+const char *name = OBJ_nid2sn(nid);
+if (name)
+{
+digest = EVP_get_digestbyname(name);
+}
+#else  /* ifdef LIBRESSL_VERSION_NUMBER */
 const EVP_MD *digest = EVP_get_digestbynid(nid);
+#endif
 if (digest)
 {
 /* We cast the const away so we can keep the function prototype
@@ -449,7 +473,7 @@
 print_digest((EVP_MD *)digest, NULL);
 }
 }
-#endif
+#endif /* if OPENSSL_VERSION_NUMBER >= 0x3000L */
 printf("\n");
 }


--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/586?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Ia08a9697d0ff41721fb0acf17ccb4cfa23cb3934
Gerrit-Change-Number: 586
Gerrit-PatchSet: 2
Gerrit-Owner: plaisthos 
Gerrit-Reviewer: cron2 
Gerrit-Reviewer: flichtenheld 
Gerrit-CC: openvpn-devel 
Gerrit-MessageType: newpatchset
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


[Openvpn-devel] [XS] Change in openvpn[master]: Support OpenBSD with cmake

2024-05-09 Thread cron2 (Code Review)
cron2 has uploaded a new patch set (#2) to the change originally created by 
plaisthos. ( http://gerrit.openvpn.net/c/openvpn/+/585?usp=email )

The following approvals got outdated and were removed:
Code-Review+2 by flichtenheld


Change subject: Support OpenBSD with cmake
..

Support OpenBSD with cmake

Change-Id: I85d4d27333773e8df109e42b1fa56ccf57994e57
Signed-off-by: Arne Schwabe 
Acked-by: Frank Lichtenheld 
Message-Id: <20240508220512.12362-1-g...@greenie.muc.de>
URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28648.html
Signed-off-by: Gert Doering 
---
M CMakeLists.txt
1 file changed, 3 insertions(+), 1 deletion(-)


  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/85/585/2

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 3127611..f8b37a9 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -136,6 +136,8 @@
 set(TARGET_FREEBSD YES)
 set(ENABLE_DCO YES)
 link_libraries(-lnv)
+elseif (${CMAKE_SYSTEM_NAME} STREQUAL "OpenBSD")
+set(TARGET_OPENBSD YES)
 elseif (${CMAKE_SYSTEM_NAME} STREQUAL "SunOS")
 set(TARGET_SOLARIS YES)
 set(HAVE_SYS_SOCKIO_H 1)
@@ -169,7 +171,7 @@
 check_symbol_exists(setgid unistd.h HAVE_SETGID)
 check_symbol_exists(setuid unistd.h HAVE_SETUID)
 check_symbol_exists(setsid unistd.h HAVE_SETSID)
-check_symbol_exists(getpeereid unistd.h HAVE_GETPEEREID)
+check_symbol_exists(getpeereid "unistd.h;sys/socket.h" HAVE_GETPEEREID)

 check_symbol_exists(epoll_create sys/epoll.h HAVE_EPOLL_CREATE)
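Review bot: the getpeereid probe now passes the header list `"unistd.h;sys/socket.h"`, which is the correct check_symbol_exists form for a multi-header check; make sure the autoconf probe for HAVE_GETPEEREID in configure.ac includes the same headers, otherwise the two build systems can disagree about HAVE_GETPEEREID on OpenBSD while the cmake side is the only one fixed.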


--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/585?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I85d4d27333773e8df109e42b1fa56ccf57994e57
Gerrit-Change-Number: 585
Gerrit-PatchSet: 2
Gerrit-Owner: plaisthos 
Gerrit-Reviewer: flichtenheld 
Gerrit-CC: openvpn-devel 
Gerrit-MessageType: newpatchset
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


[Openvpn-devel] [XS] Change in openvpn[master]: Support OpenBSD with cmake

2024-05-09 Thread cron2 (Code Review)
cron2 has submitted this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/585?usp=email )

Change subject: Support OpenBSD with cmake
..

Support OpenBSD with cmake

Change-Id: I85d4d27333773e8df109e42b1fa56ccf57994e57
Signed-off-by: Arne Schwabe 
Acked-by: Frank Lichtenheld 
Message-Id: <20240508220512.12362-1-g...@greenie.muc.de>
URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28648.html
Signed-off-by: Gert Doering 
---
M CMakeLists.txt
1 file changed, 3 insertions(+), 1 deletion(-)




diff --git a/CMakeLists.txt b/CMakeLists.txt
index 3127611..f8b37a9 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -136,6 +136,8 @@
 set(TARGET_FREEBSD YES)
 set(ENABLE_DCO YES)
 link_libraries(-lnv)
+elseif (${CMAKE_SYSTEM_NAME} STREQUAL "OpenBSD")
+set(TARGET_OPENBSD YES)
 elseif (${CMAKE_SYSTEM_NAME} STREQUAL "SunOS")
 set(TARGET_SOLARIS YES)
 set(HAVE_SYS_SOCKIO_H 1)
@@ -169,7 +171,7 @@
 check_symbol_exists(setgid unistd.h HAVE_SETGID)
 check_symbol_exists(setuid unistd.h HAVE_SETUID)
 check_symbol_exists(setsid unistd.h HAVE_SETSID)
-check_symbol_exists(getpeereid unistd.h HAVE_GETPEEREID)
+check_symbol_exists(getpeereid "unistd.h;sys/socket.h" HAVE_GETPEEREID)

 check_symbol_exists(epoll_create sys/epoll.h HAVE_EPOLL_CREATE)


--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/585?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I85d4d27333773e8df109e42b1fa56ccf57994e57
Gerrit-Change-Number: 585
Gerrit-PatchSet: 2
Gerrit-Owner: plaisthos 
Gerrit-Reviewer: flichtenheld 
Gerrit-CC: openvpn-devel 
Gerrit-MessageType: merged
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


[Openvpn-devel] [S] Change in openvpn[master]: Workaround issue in LibreSSL crashing when enumerating digests/ciphers

2024-05-08 Thread cron2 (Code Review)
Attention is currently required from: flichtenheld, plaisthos.

cron2 has posted comments on this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/586?usp=email )

Change subject: Workaround issue in LibreSSL crashing when enumerating 
digests/ciphers
..


Patch Set 1: Code-Review+2

(1 comment)

Patchset:

PS1:
fixes the observed crashes of `openvpn --show-ciphers` on OpenBSD 7.5



--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/586?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Ia08a9697d0ff41721fb0acf17ccb4cfa23cb3934
Gerrit-Change-Number: 586
Gerrit-PatchSet: 1
Gerrit-Owner: plaisthos 
Gerrit-Reviewer: cron2 
Gerrit-Reviewer: flichtenheld 
Gerrit-CC: openvpn-devel 
Gerrit-Attention: plaisthos 
Gerrit-Attention: flichtenheld 
Gerrit-Comment-Date: Wed, 08 May 2024 18:15:52 +
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


[Openvpn-devel] [S] Change in openvpn[master]: configure: Try to detect LZO with pkg-config first

2024-05-08 Thread cron2 (Code Review)
Attention is currently required from: flichtenheld, plaisthos.

cron2 has posted comments on this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/556?usp=email )

Change subject: configure: Try to detect LZO with pkg-config first
..


Patch Set 2:

(1 comment)

Patchset:

PS2:
Does not work for me yet.

Applied this to a fresh git checkout on fbsd14, which has pkg-config and 
lzo2.pc, but it still failed.

Relevant parts from config.log:

```
configure:18781: checking for LZO
configure:18788: $PKG_CONFIG --exists --print-errors "lzo2"
configure:18791: $? = 0
configure:18805: $PKG_CONFIG --exists --print-errors "lzo2"
configure:18808: $? = 0
configure:18848: result: yes
configure:18850: checking for lzo1x_1_15_compress in -llzo2
configure:18879: cc -o conftest -g -O2 -std=c99   conftest.c -llzo2   -lnv >&5
ld: error: unable to find library -llzo2
```

and from pkgconf output
```
gert@fbsd14bb $ pkg-config --cflags lzo2
-I/usr/local/include/lzo
gert@fbsd14bb $ pkg-config --libs lzo2
-L/usr/local/lib -llzo2
```



--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/556?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I1c038dc4ec80d3499582d81eee61fee74f26e693
Gerrit-Change-Number: 556
Gerrit-PatchSet: 2
Gerrit-Owner: flichtenheld 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: cron2 
Gerrit-CC: openvpn-devel 
Gerrit-Attention: plaisthos 
Gerrit-Attention: flichtenheld 
Gerrit-Comment-Date: Wed, 08 May 2024 13:49:12 +
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Gerrit-MessageType: comment
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


[Openvpn-devel] [M] Change in openvpn[master]: configure: update old copy of pkg.m4

2024-05-06 Thread cron2 (Code Review)
cron2 has submitted this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/558?usp=email )

Change subject: configure: update old copy of pkg.m4
..

configure: update old copy of pkg.m4

If we copy this code, let's at least make sure we update
it every decade ;)

I also considered removing it. However, then autoconf
can't be run on systems without pkg-config installed
anymore. While that is very unusual, didn't see a good
reason to break that.

Change-Id: I34e96a225446693f401549d86d872c02427ef7d5
Signed-off-by: Frank Lichtenheld 
Acked-by: Arne Schwabe 
Message-Id: <20240506160413.7189-1-g...@greenie.muc.de>
URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28631.html
Signed-off-by: Gert Doering 
---
M m4/pkg.m4
1 file changed, 173 insertions(+), 57 deletions(-)




diff --git a/m4/pkg.m4 b/m4/pkg.m4
index cca47a7..13a8890 100644
--- a/m4/pkg.m4
+++ b/m4/pkg.m4
@@ -1,29 +1,60 @@
-# pkg.m4 - Macros to locate and utilise pkg-config.-*- Autoconf -*-
-# serial 1 (pkg-config-0.24)
-#
-# Copyright © 2004 Scott James Remnant .
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-# General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# As a special exception to the GNU General Public License, if you
-# distribute this file as part of a program that contains a
-# configuration script generated by Autoconf, you may include it under
-# the same distribution terms that you use for the rest of that program.
+# pkg.m4 - Macros to locate and utilise pkg-config.   -*- Autoconf -*-
+# serial 12 (pkg-config-0.29.2)

-# PKG_PROG_PKG_CONFIG([MIN-VERSION])
-# --
+dnl Copyright © 2004 Scott James Remnant .
+dnl Copyright © 2012-2015 Dan Nicholson 
+dnl
+dnl This program is free software; you can redistribute it and/or modify
+dnl it under the terms of the GNU General Public License as published by
+dnl the Free Software Foundation; either version 2 of the License, or
+dnl (at your option) any later version.
+dnl
+dnl This program is distributed in the hope that it will be useful, but
+dnl WITHOUT ANY WARRANTY; without even the implied warranty of
+dnl MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+dnl General Public License for more details.
+dnl
+dnl You should have received a copy of the GNU General Public License
+dnl along with this program; if not, write to the Free Software
+dnl Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+dnl 02111-1307, USA.
+dnl
+dnl As a special exception to the GNU General Public License, if you
+dnl distribute this file as part of a program that contains a
+dnl configuration script generated by Autoconf, you may include it under
+dnl the same distribution terms that you use for the rest of that
+dnl program.
+
+dnl PKG_PREREQ(MIN-VERSION)
+dnl ---
+dnl Since: 0.29
+dnl
+dnl Verify that the version of the pkg-config macros are at least
+dnl MIN-VERSION. Unlike PKG_PROG_PKG_CONFIG, which checks the user's
+dnl installed version of pkg-config, this checks the developer's version
+dnl of pkg.m4 when generating configure.
+dnl
+dnl To ensure that this macro is defined, also add:
+dnl m4_ifndef([PKG_PREREQ],
+dnl [m4_fatal([must install pkg-config 0.29 or later before running 
autoconf/autogen])])
+dnl
+dnl See the "Since" comment for each macro you use to see what version
+dnl of the macros you require.
+m4_defun([PKG_PREREQ],
+[m4_define([PKG_MACROS_VERSION], [0.29.2])
+m4_if(m4_version_compare(PKG_MACROS_VERSION, [$1]), -1,
+[m4_fatal([pkg.m4 version $1 or higher is required but 
]PKG_MACROS_VERSION[ found])])
+])dnl PKG_PREREQ
+
+dnl PKG_PROG_PKG_CONFIG([MIN-VERSION])
+dnl --
+dnl Since: 0.16
+dnl
+dnl Search for the pkg-config tool and set the PKG_CONFIG variable to
+dnl first found in the path. Checks that the version of pkg-config found
+dnl is at least MIN-VERSION. If MIN-VERSION is not specified, 0.9.0 is
+dnl used since that's the first version where most current features of
+dnl pkg-config existed.
 AC_DEFUN([PKG_PROG_PKG_CONFIG],
 [m4_pattern_forbid([^_?PKG_[A-Z_]+$])
 
m4_pattern_allow([^PKG_CONFIG(_(PATH|LIBDIR|SYSROOT_DIR|ALLOW_SYSTEM_(CFLAGS|LIBS)))?$])
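Review bot: the refreshed copy adds PKG_PREREQ (serial 12, pkg-config 0.29.2); since this file is vendored precisely so that autoconf works without a system pkg-config, consider calling `PKG_PREREQ([0.29])` from configure.ac (if it does not already) so that a stale system pkg.m4 winning aclocal's include order fails loudly instead of silently supplying the 0.24-era macros this change just replaced.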
@@ -45,18 +76,19 @@
PKG_CONFIG=""
fi
 fi[]dnl
-])# PKG_PROG_PKG_CONFIG
+])dnl 

[Openvpn-devel] [M] Change in openvpn[master]: configure: update old copy of pkg.m4

2024-05-06 Thread cron2 (Code Review)
cron2 has uploaded a new patch set (#3) to the change originally created by 
flichtenheld. ( http://gerrit.openvpn.net/c/openvpn/+/558?usp=email )

The following approvals got outdated and were removed:
Code-Review+2 by plaisthos


Change subject: configure: update old copy of pkg.m4
..

configure: update old copy of pkg.m4

If we copy this code, let's at least make sure we update
it every decade ;)

I also considered removing it. However, then autoconf
can't be run on systems without pkg-config installed
anymore. While that is very unusual, didn't see a good
reason to break that.

Change-Id: I34e96a225446693f401549d86d872c02427ef7d5
Signed-off-by: Frank Lichtenheld 
Acked-by: Arne Schwabe 
Message-Id: <20240506160413.7189-1-g...@greenie.muc.de>
URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28631.html
Signed-off-by: Gert Doering 
---
M m4/pkg.m4
1 file changed, 173 insertions(+), 57 deletions(-)


  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/58/558/3

diff --git a/m4/pkg.m4 b/m4/pkg.m4
index cca47a7..13a8890 100644
--- a/m4/pkg.m4
+++ b/m4/pkg.m4
@@ -1,29 +1,60 @@
-# pkg.m4 - Macros to locate and utilise pkg-config.-*- Autoconf -*-
-# serial 1 (pkg-config-0.24)
-#
-# Copyright © 2004 Scott James Remnant .
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-# General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# As a special exception to the GNU General Public License, if you
-# distribute this file as part of a program that contains a
-# configuration script generated by Autoconf, you may include it under
-# the same distribution terms that you use for the rest of that program.
+# pkg.m4 - Macros to locate and utilise pkg-config.   -*- Autoconf -*-
+# serial 12 (pkg-config-0.29.2)

-# PKG_PROG_PKG_CONFIG([MIN-VERSION])
-# --
+dnl Copyright © 2004 Scott James Remnant .
+dnl Copyright © 2012-2015 Dan Nicholson 
+dnl
+dnl This program is free software; you can redistribute it and/or modify
+dnl it under the terms of the GNU General Public License as published by
+dnl the Free Software Foundation; either version 2 of the License, or
+dnl (at your option) any later version.
+dnl
+dnl This program is distributed in the hope that it will be useful, but
+dnl WITHOUT ANY WARRANTY; without even the implied warranty of
+dnl MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+dnl General Public License for more details.
+dnl
+dnl You should have received a copy of the GNU General Public License
+dnl along with this program; if not, write to the Free Software
+dnl Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+dnl 02111-1307, USA.
+dnl
+dnl As a special exception to the GNU General Public License, if you
+dnl distribute this file as part of a program that contains a
+dnl configuration script generated by Autoconf, you may include it under
+dnl the same distribution terms that you use for the rest of that
+dnl program.
+
+dnl PKG_PREREQ(MIN-VERSION)
+dnl ---
+dnl Since: 0.29
+dnl
+dnl Verify that the version of the pkg-config macros are at least
+dnl MIN-VERSION. Unlike PKG_PROG_PKG_CONFIG, which checks the user's
+dnl installed version of pkg-config, this checks the developer's version
+dnl of pkg.m4 when generating configure.
+dnl
+dnl To ensure that this macro is defined, also add:
+dnl m4_ifndef([PKG_PREREQ],
+dnl [m4_fatal([must install pkg-config 0.29 or later before running 
autoconf/autogen])])
+dnl
+dnl See the "Since" comment for each macro you use to see what version
+dnl of the macros you require.
+m4_defun([PKG_PREREQ],
+[m4_define([PKG_MACROS_VERSION], [0.29.2])
+m4_if(m4_version_compare(PKG_MACROS_VERSION, [$1]), -1,
+[m4_fatal([pkg.m4 version $1 or higher is required but 
]PKG_MACROS_VERSION[ found])])
+])dnl PKG_PREREQ
+
+dnl PKG_PROG_PKG_CONFIG([MIN-VERSION])
+dnl --
+dnl Since: 0.16
+dnl
+dnl Search for the pkg-config tool and set the PKG_CONFIG variable to
+dnl first found in the path. Checks that the version of pkg-config found
+dnl is at least MIN-VERSION. If MIN-VERSION is not specified, 0.9.0 is
+dnl used since that's the first version where most current features of
+dnl pkg-config existed.
 AC_DEFUN([PKG_PROG_PKG_CONFIG],
 

[Openvpn-devel] [XS] Change in openvpn[master]: Only run coverity scan in OpenVPN/OpenVPN repository

2024-05-06 Thread cron2 (Code Review)
cron2 has submitted this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/583?usp=email )

Change subject: Only run coverity scan in OpenVPN/OpenVPN repository
..

Only run coverity scan in OpenVPN/OpenVPN repository

This avoids the error message triggering every night that the run
failed in forked repositories

Change-Id: Id95e0124d943912439c6ec6f562c0eb40d434163
Signed-off-by: Arne Schwabe 
Acked-by: Frank Lichtenheld 
Message-Id: <20240506155831.3524-1-g...@greenie.muc.de>
URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28627.html
Signed-off-by: Gert Doering 
---
M .github/workflows/coverity-scan.yml
1 file changed, 3 insertions(+), 0 deletions(-)




diff --git a/.github/workflows/coverity-scan.yml 
b/.github/workflows/coverity-scan.yml
index e289746..37b8102 100644
--- a/.github/workflows/coverity-scan.yml
+++ b/.github/workflows/coverity-scan.yml
@@ -6,6 +6,9 @@

 jobs:
   latest:
+# Running coverity requires the secrets.COVERITY_SCAN_TOKEN token
+# which is only available on the main repository
+if: github.repository_owner == 'OpenVPN'
 runs-on: ubuntu-latest
 steps:
   - name: Check submission cache
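Review bot: `if: github.repository_owner == 'OpenVPN'` matches every repository under the OpenVPN organisation, not only OpenVPN/OpenVPN as the subject says; `if: github.repository == 'OpenVPN/openvpn'` is the tighter condition and still keeps the scheduled run, and its use of the token, out of forks. The comment recording why the job is gated (the COVERITY_SCAN_TOKEN secret) is the right thing to keep.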

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/583?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Id95e0124d943912439c6ec6f562c0eb40d434163
Gerrit-Change-Number: 583
Gerrit-PatchSet: 2
Gerrit-Owner: plaisthos 
Gerrit-Reviewer: flichtenheld 
Gerrit-CC: openvpn-devel 
Gerrit-MessageType: merged
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


[Openvpn-devel] [XS] Change in openvpn[master]: Only run coverity scan in OpenVPN/OpenVPN repository

2024-05-06 Thread cron2 (Code Review)
cron2 has uploaded a new patch set (#2) to the change originally created by 
plaisthos. ( http://gerrit.openvpn.net/c/openvpn/+/583?usp=email )

The following approvals got outdated and were removed:
Code-Review+2 by flichtenheld


Change subject: Only run coverity scan in OpenVPN/OpenVPN repository
..

Only run coverity scan in OpenVPN/OpenVPN repository

This avoids the error message triggering every night that the run
failed in forked repositories

Change-Id: Id95e0124d943912439c6ec6f562c0eb40d434163
Signed-off-by: Arne Schwabe 
Acked-by: Frank Lichtenheld 
Message-Id: <20240506155831.3524-1-g...@greenie.muc.de>
URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28627.html
Signed-off-by: Gert Doering 
---
M .github/workflows/coverity-scan.yml
1 file changed, 3 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/83/583/2

diff --git a/.github/workflows/coverity-scan.yml 
b/.github/workflows/coverity-scan.yml
index e289746..37b8102 100644
--- a/.github/workflows/coverity-scan.yml
+++ b/.github/workflows/coverity-scan.yml
@@ -6,6 +6,9 @@

 jobs:
   latest:
+# Running coverity requires the secrets.COVERITY_SCAN_TOKEN token
+# which is only available on the main repository
+if: github.repository_owner == 'OpenVPN'
 runs-on: ubuntu-latest
 steps:
   - name: Check submission cache

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/583?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Id95e0124d943912439c6ec6f562c0eb40d434163
Gerrit-Change-Number: 583
Gerrit-PatchSet: 2
Gerrit-Owner: plaisthos 
Gerrit-Reviewer: flichtenheld 
Gerrit-CC: openvpn-devel 
Gerrit-MessageType: newpatchset
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


[Openvpn-devel] [XS] Change in openvpn[master]: Repeat the unknown command in errors from management interface

2024-05-06 Thread cron2 (Code Review)
cron2 has submitted this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/584?usp=email )

Change subject: Repeat the unknown command in errors from management interface
..

Repeat the unknown command in errors from management interface

This helps pinpointing errors in logs from my app

Change-Id: Ie2b62bc95371daf7e1eb58e0323835f169399910
Signed-off-by: Arne Schwabe 
Acked-by: Frank Lichtenheld 
Message-Id: <20240506142303.13198-1-g...@greenie.muc.de>
URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28621.html
Signed-off-by: Gert Doering 
---
M src/openvpn/manage.c
1 file changed, 1 insertion(+), 1 deletion(-)




diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c
index 89591ea..24f3121 100644
--- a/src/openvpn/manage.c
+++ b/src/openvpn/manage.c
@@ -1663,7 +1663,7 @@
 #endif
 else
 {
-msg(M_CLIENT, "ERROR: unknown command, enter 'help' for more options");
+msg(M_CLIENT, "ERROR: unknown command [%s], enter 'help' for more 
options", p[0]);
 }

 done:
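Review bot: `p[0]` here is the first token of whatever the management client sent, and it is now echoed into an error line that may also end up in the log; unless the management reader already restricts input to printable characters before it reaches this point, control bytes such as ESC sequences will be written out verbatim. Please confirm the existing filtering in manage.c covers this, and if it does not, run the token through a printable-only filter (and cap its length) before formatting it into the message.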

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/584?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Ie2b62bc95371daf7e1eb58e0323835f169399910
Gerrit-Change-Number: 584
Gerrit-PatchSet: 2
Gerrit-Owner: plaisthos 
Gerrit-Reviewer: flichtenheld 
Gerrit-CC: openvpn-devel 
Gerrit-MessageType: merged
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
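Since the patch above now echoes client-supplied text into an error line, here is an added example (Python, not OpenVPN code) of doing that behind a log-safe filter. The dispatcher, the command set and the function names are hypothetical; whether manage.c already confines management input to printable characters before p[0] reaches msg() is something to verify against the real parser rather than assume.

```python
# Added example, not OpenVPN project code: echo the unrecognised management
# command back in the error line, as the patch above now does, but pass it
# through a log-safe filter first. KNOWN, sanitize_for_log, dispatch and
# MAX_ECHO are hypothetical names; the real manage.c may already filter input.

KNOWN = {"help", "status", "state", "signal", "version"}  # hypothetical command set
MAX_ECHO = 32  # cap so a huge bogus token cannot bloat the log line


def sanitize_for_log(token: str, max_len: int = MAX_ECHO) -> str:
    """Keep printable ASCII (0x20..0x7E); replace everything else with '?'.

    This neutralises CR/LF (forged log lines), ESC (terminal escape sequences
    in a log viewer) and non-ASCII bytes, and truncates over-long input.
    """
    kept = "".join(ch if 0x20 <= ord(ch) <= 0x7E else "?" for ch in token[:max_len])
    if len(token) > max_len:
        kept += "..."
    return kept


def unknown_command_error(token: str) -> str:
    """Same wording as the patched msg() call, with the echoed token sanitised."""
    return (f"ERROR: unknown command [{sanitize_for_log(token)}], "
            "enter 'help' for more options")


def dispatch(line: str) -> str:
    """Minimal command loop: the first whitespace-separated word selects the command."""
    parts = line.split()
    if not parts:
        return "ERROR: empty command"
    if parts[0] in KNOWN:
        return f"SUCCESS: {parts[0]} accepted"
    return unknown_command_error(parts[0])


# Constructed sample inputs a hostile or buggy management client might send.
SAMPLE_LINES = [
    "status 2",
    "statsu",                      # plain typo: echoing it is what helps debugging
    "\x1b[2J\x1b[Hhelp",           # ANSI clear-screen glued to the word
    "h\u00e9lp",                   # non-ASCII byte inside the token
    "A" * 80,                      # oversized token
]


def run_samples(lines=SAMPLE_LINES) -> list:
    """Reply for each sample line; no reply ever contains a raw control byte."""
    return [dispatch(line) for line in lines]


if __name__ == "__main__":
    for line, reply in zip(SAMPLE_LINES, run_samples()):
        print(repr(line), "->", reply)
```

Whitespace tokenisation already keeps CR/LF out of the first word, so the filter matters for what survives tokenisation: escape sequences, other control bytes and non-ASCII. sanitize_for_log() is also usable on a whole raw line if the reader ever logs one.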


[Openvpn-devel] [XS] Change in openvpn[master]: Repeat the unknown command in errors from management interface

2024-05-06 Thread cron2 (Code Review)
cron2 has uploaded a new patch set (#2) to the change originally created by 
plaisthos. ( http://gerrit.openvpn.net/c/openvpn/+/584?usp=email )

The following approvals got outdated and were removed:
Code-Review+2 by flichtenheld


Change subject: Repeat the unknown command in errors from management interface
..

Repeat the unknown command in errors from management interface

This helps pinpointing errors in logs from my app

Change-Id: Ie2b62bc95371daf7e1eb58e0323835f169399910
Signed-off-by: Arne Schwabe 
Acked-by: Frank Lichtenheld 
Message-Id: <20240506142303.13198-1-g...@greenie.muc.de>
URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28621.html
Signed-off-by: Gert Doering 
---
M src/openvpn/manage.c
1 file changed, 1 insertion(+), 1 deletion(-)


  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/84/584/2

diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c
index 89591ea..24f3121 100644
--- a/src/openvpn/manage.c
+++ b/src/openvpn/manage.c
@@ -1663,7 +1663,7 @@
 #endif
 else
 {
-msg(M_CLIENT, "ERROR: unknown command, enter 'help' for more options");
+msg(M_CLIENT, "ERROR: unknown command [%s], enter 'help' for more 
options", p[0]);
 }

 done:

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/584?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Ie2b62bc95371daf7e1eb58e0323835f169399910
Gerrit-Change-Number: 584
Gerrit-PatchSet: 2
Gerrit-Owner: plaisthos 
Gerrit-Reviewer: flichtenheld 
Gerrit-CC: openvpn-devel 
Gerrit-MessageType: newpatchset


[Openvpn-devel] [XS] Change in openvpn[master]: Fix 'binary or' vs 'boolean or' related to server_bridge_proxy_dhcp

2024-05-02 Thread cron2 (Code Review)
cron2 has uploaded a new patch set (#2) to the change originally created by 
flichtenheld. ( http://gerrit.openvpn.net/c/openvpn/+/553?usp=email )

The following approvals got outdated and were removed:
Code-Review+2 by cron2


Change subject: Fix 'binary or' vs 'boolean or' related to 
server_bridge_proxy_dhcp
..

Fix 'binary or' vs 'boolean or' related to server_bridge_proxy_dhcp

Both values are boolean so there is no reason to use "|"
and it just confuses the reader whether there is something
more going on here.

Change-Id: Ie61fa6a78875ecbaa9d3d8e7a50603d77c9ce09e
Signed-off-by: Frank Lichtenheld 
Acked-by: Gert Doering 
Message-Id: <20240502095322.9433-1-g...@greenie.muc.de>
URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28601.html
Signed-off-by: Gert Doering 
---
M src/openvpn/helper.c
M src/openvpn/init.c
2 files changed, 2 insertions(+), 2 deletions(-)


  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/53/553/2

diff --git a/src/openvpn/helper.c b/src/openvpn/helper.c
index 5681718..bbdbc04 100644
--- a/src/openvpn/helper.c
+++ b/src/openvpn/helper.c
@@ -454,7 +454,7 @@
  * if !nogw:
  *   push "route-gateway dhcp"
  */
-else if (o->server_bridge_defined | o->server_bridge_proxy_dhcp)
+else if (o->server_bridge_defined || o->server_bridge_proxy_dhcp)
 {
 if (o->client)
 {
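Review bot: correct fix, and no behaviour change provided `server_bridge_defined` and `server_bridge_proxy_dhcp` really are `bool` members as the commit message says; worth a quick look in options.h, since for an `int` holding a flag mask `|` and `||` would still agree inside this `if`, so the change is purely readability either way. With `||` the second operand is skipped when the first is true, which is harmless here because both are plain field reads with no side effects.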
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index 02205e7..e67f10e 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -3565,7 +3565,7 @@
 msg(M_WARN, "WARNING: using --pull/--client and --ifconfig together is 
probably not what you want");
 }

-if (o->server_bridge_defined | o->server_bridge_proxy_dhcp)
+if (o->server_bridge_defined || o->server_bridge_proxy_dhcp)
 {
 msg(M_WARN, "NOTE: when bridging your LAN adapter with the TAP 
adapter, note that the new bridge adapter will often take on its own IP address 
that is different from what the LAN adapter was previously set to");
 }
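Review bot: this condition is the same one just fixed in helper.c; to keep the two sites from drifting apart again, consider a small inline helper (a hypothetical `server_bridge_in_use(o)`, say) used by both. The `msg(M_WARN, ...)` strings spanning several lines here are mail-archive wrapping, not part of the change.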

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/553?usp=email

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Ie61fa6a78875ecbaa9d3d8e7a50603d77c9ce09e
Gerrit-Change-Number: 553
Gerrit-PatchSet: 2
Gerrit-Owner: flichtenheld 
Gerrit-Reviewer: cron2 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-MessageType: newpatchset


[Openvpn-devel] [XS] Change in openvpn[master]: Fix 'binary or' vs 'boolean or' related to server_bridge_proxy_dhcp

2024-05-02 Thread cron2 (Code Review)
cron2 has submitted this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/553?usp=email )

Change subject: Fix 'binary or' vs 'boolean or' related to 
server_bridge_proxy_dhcp
..

Fix 'binary or' vs 'boolean or' related to server_bridge_proxy_dhcp

Both values are boolean so there is no reason to use "|"
and it just confuses the reader whether there is something
more going on here.

Change-Id: Ie61fa6a78875ecbaa9d3d8e7a50603d77c9ce09e
Signed-off-by: Frank Lichtenheld 
Acked-by: Gert Doering 
Message-Id: <20240502095322.9433-1-g...@greenie.muc.de>
URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28601.html
Signed-off-by: Gert Doering 
---
M src/openvpn/helper.c
M src/openvpn/init.c
2 files changed, 2 insertions(+), 2 deletions(-)




diff --git a/src/openvpn/helper.c b/src/openvpn/helper.c
index 5681718..bbdbc04 100644
--- a/src/openvpn/helper.c
+++ b/src/openvpn/helper.c
@@ -454,7 +454,7 @@
  * if !nogw:
  *   push "route-gateway dhcp"
  */
-else if (o->server_bridge_defined | o->server_bridge_proxy_dhcp)
+else if (o->server_bridge_defined || o->server_bridge_proxy_dhcp)
 {
 if (o->client)
 {
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index 02205e7..e67f10e 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -3565,7 +3565,7 @@
 msg(M_WARN, "WARNING: using --pull/--client and --ifconfig together is 
probably not what you want");
 }

-if (o->server_bridge_defined | o->server_bridge_proxy_dhcp)
+if (o->server_bridge_defined || o->server_bridge_proxy_dhcp)
 {
 msg(M_WARN, "NOTE: when bridging your LAN adapter with the TAP 
adapter, note that the new bridge adapter will often take on its own IP address 
that is different from what the LAN adapter was previously set to");
 }

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/553?usp=email

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Ie61fa6a78875ecbaa9d3d8e7a50603d77c9ce09e
Gerrit-Change-Number: 553
Gerrit-PatchSet: 2
Gerrit-Owner: flichtenheld 
Gerrit-Reviewer: cron2 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-MessageType: merged


[Openvpn-devel] [S] Change in openvpn[master]: Replace macos11 with macos14 in github runners

2024-05-02 Thread cron2 (Code Review)
cron2 has uploaded a new patch set (#2) to the change originally created by 
plaisthos. ( http://gerrit.openvpn.net/c/openvpn/+/582?usp=email )

The following approvals got outdated and were removed:
Code-Review+2 by flichtenheld


Change subject: Replace macos11 with macos14 in github runners
..

Replace macos11 with macos14 in github runners

Github's documentation states:  macos-11 label has been deprecated and
will no longer be available after 6/28/2024. Add macos14 which is nowadays
supported instead.

The github macos-14 runner is using the M1 platform with ARM, so this
requires a bit more adjustment of paths.

Change-Id: Ia70f230b2e9a78939d1875395205c8f48c4944b7
Signed-off-by: Arne Schwabe 
Acked-by: Frank Lichtenheld 
Message-Id: <20240502122231.672-1-g...@greenie.muc.de>
URL: 
https://www.mail-archive.com/search?l=mid=20240502122231.672-1-g...@greenie.muc.de
Signed-off-by: Gert Doering 
---
M .github/workflows/build.yaml
1 file changed, 13 insertions(+), 3 deletions(-)


  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/82/582/2

diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index f771f5a..d7c3ecd 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -202,8 +202,16 @@
   matrix:
 ssllib: [ openssl11, openssl3, libressl]
 build: [ normal, asan ]
-os: [macos-11, macos-12, macos-13]
+os: [macos-12, macos-13, macos-14]
 include:
+   # macos14 and newer runners use ARM CPUs and homebrew uses 
/opt/homebrew/
+   # on ARM instead of /usr/local/
+  - os: macos-12
+homebrew: /usr/local/opt
+  - os: macos-13
+homebrew: /usr/local/opt
+  - os: macos-14
+homebrew: /opt/homebrew/opt
   - build: asan
 cflags: "-fsanitize=address,undefined -fno-sanitize-recover=all  
-fno-optimize-sibling-calls -fsanitize-address-use-after-scope 
-fno-omit-frame-pointer -g -O1"
 ldflags: -fsanitize=address,undefined -fno-sanitize-recover=all
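Review bot: the Homebrew prefix is hard-coded per runner label, so the next label (macos-15, which the in-line comment's "macos14 and newer" already anticipates) needs yet another `include` entry; without one `${{matrix.homebrew}}` expands to an empty string and the `-I`/`-L` paths in the next hunk silently become `/openssl@3/include` style nonsense. A step that runs `brew --prefix` once and writes the result to `GITHUB_ENV` would make the matrix self-maintaining. The comment lines split across two lines here are mail wrapping, not the YAML as committed.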
@@ -228,8 +236,10 @@
 env:
   CFLAGS: ${{ matrix.cflags }}
   LDFLAGS: ${{ matrix.ldflags }}
-  OPENSSL_CFLAGS: "-I/usr/local/opt/${{matrix.libdir}}/include"
-  OPENSSL_LIBS: "-L/usr/local/opt/${{matrix.libdir}}/lib -lcrypto -lssl"
+  OPENSSL_CFLAGS: "-I${{matrix.homebrew}}/${{matrix.libdir}}/include"
+  OPENSSL_LIBS: "-L${{matrix.homebrew}}/${{matrix.libdir}}/lib -lcrypto 
-lssl"
+  LZO_CFLAGS: "-I${{matrix.homebrew}}/lzo/include"
+  LZO_LIBS: "-L${{matrix.homebrew}}/lzo/lib -llzo2"
   UBSAN_OPTIONS: print_stacktrace=1
 steps:
   - name: Install dependencies
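Review bot: `LZO_CFLAGS`/`LZO_LIBS` only take effect if configure honours those variables (configure.ac declares them with AC_ARG_VAR as far as I can see, so it should); please check the configure output of the macos-14 job actually reports the `/opt/homebrew/opt/lzo` copy, since on the ARM runners nothing under `/usr/local` is on the default search path any more and a silent fallback would be easy to miss. `OPENSSL_LIBS` spanning two lines is mail wrapping.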

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/582?usp=email

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Ia70f230b2e9a78939d1875395205c8f48c4944b7
Gerrit-Change-Number: 582
Gerrit-PatchSet: 2
Gerrit-Owner: plaisthos 
Gerrit-Reviewer: flichtenheld 
Gerrit-CC: openvpn-devel 
Gerrit-MessageType: newpatchset


[Openvpn-devel] [S] Change in openvpn[master]: Replace macos11 with macos14 in github runners

2024-05-02 Thread cron2 (Code Review)
cron2 has submitted this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/582?usp=email )

Change subject: Replace macos11 with macos14 in github runners
..

Replace macos11 with macos14 in github runners

Github's documentation states:  macos-11 label has been deprecated and
will no longer be available after 6/28/2024. Add macos14 which is nowadays
supported instead.

The github macos-14 runner is using the M1 platform with ARM, so this
requires a bit more adjustment of paths.

Change-Id: Ia70f230b2e9a78939d1875395205c8f48c4944b7
Signed-off-by: Arne Schwabe 
Acked-by: Frank Lichtenheld 
Message-Id: <20240502122231.672-1-g...@greenie.muc.de>
URL: 
https://www.mail-archive.com/search?l=mid=20240502122231.672-1-g...@greenie.muc.de
Signed-off-by: Gert Doering 
---
M .github/workflows/build.yaml
1 file changed, 13 insertions(+), 3 deletions(-)




diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index f771f5a..d7c3ecd 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -202,8 +202,16 @@
   matrix:
 ssllib: [ openssl11, openssl3, libressl]
 build: [ normal, asan ]
-os: [macos-11, macos-12, macos-13]
+os: [macos-12, macos-13, macos-14]
 include:
+   # macos14 and newer runners use ARM CPUs and homebrew uses 
/opt/homebrew/
+   # on ARM instead of /usr/local/
+  - os: macos-12
+homebrew: /usr/local/opt
+  - os: macos-13
+homebrew: /usr/local/opt
+  - os: macos-14
+homebrew: /opt/homebrew/opt
   - build: asan
 cflags: "-fsanitize=address,undefined -fno-sanitize-recover=all  
-fno-optimize-sibling-calls -fsanitize-address-use-after-scope 
-fno-omit-frame-pointer -g -O1"
 ldflags: -fsanitize=address,undefined -fno-sanitize-recover=all
@@ -228,8 +236,10 @@
 env:
   CFLAGS: ${{ matrix.cflags }}
   LDFLAGS: ${{ matrix.ldflags }}
-  OPENSSL_CFLAGS: "-I/usr/local/opt/${{matrix.libdir}}/include"
-  OPENSSL_LIBS: "-L/usr/local/opt/${{matrix.libdir}}/lib -lcrypto -lssl"
+  OPENSSL_CFLAGS: "-I${{matrix.homebrew}}/${{matrix.libdir}}/include"
+  OPENSSL_LIBS: "-L${{matrix.homebrew}}/${{matrix.libdir}}/lib -lcrypto 
-lssl"
+  LZO_CFLAGS: "-I${{matrix.homebrew}}/lzo/include"
+  LZO_LIBS: "-L${{matrix.homebrew}}/lzo/lib -llzo2"
   UBSAN_OPTIONS: print_stacktrace=1
 steps:
   - name: Install dependencies

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/582?usp=email

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Ia70f230b2e9a78939d1875395205c8f48c4944b7
Gerrit-Change-Number: 582
Gerrit-PatchSet: 2
Gerrit-Owner: plaisthos 
Gerrit-Reviewer: flichtenheld 
Gerrit-CC: openvpn-devel 
Gerrit-MessageType: merged


[Openvpn-devel] [XS] Change in openvpn[master]: Fix "binary or" vs "boolean or" related to server_bridge_proxy_dhcp

2024-05-02 Thread cron2 (Code Review)
Attention is currently required from: flichtenheld, plaisthos.

cron2 has posted comments on this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/553?usp=email )

Change subject: Fix "binary or" vs "boolean or" related to 
server_bridge_proxy_dhcp
..


Patch Set 1: Code-Review+2

(2 comments)

Patchset:

PS1:
> I find the change very logical, but I'm a bit confused why all my buildbots 
> failed - and I can't see […]
Done


PS1:
patch looks good, and buildbot fail reason has been clarified (external 
infrastructure)



--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/553?usp=email

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Ie61fa6a78875ecbaa9d3d8e7a50603d77c9ce09e
Gerrit-Change-Number: 553
Gerrit-PatchSet: 1
Gerrit-Owner: flichtenheld 
Gerrit-Reviewer: cron2 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-Attention: plaisthos 
Gerrit-Attention: flichtenheld 
Gerrit-Comment-Date: Thu, 02 May 2024 08:49:24 +
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Comment-In-Reply-To: cron2 
Gerrit-MessageType: comment


[Openvpn-devel] [XS] Change in openvpn[master]: Fix "binary or" vs "boolean or" related to server_bridge_proxy_dhcp

2024-05-01 Thread cron2 (Code Review)
Attention is currently required from: flichtenheld, plaisthos.

cron2 has posted comments on this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/553?usp=email )

Change subject: Fix "binary or" vs "boolean or" related to 
server_bridge_proxy_dhcp
..


Patch Set 1: Code-Review-1

(1 comment)

Patchset:

PS1:
I find the change very logical, but I'm a bit confused why all my buildbots 
failed - and I can't seem to make any sense out of the error output...



--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/553?usp=email

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Ie61fa6a78875ecbaa9d3d8e7a50603d77c9ce09e
Gerrit-Change-Number: 553
Gerrit-PatchSet: 1
Gerrit-Owner: flichtenheld 
Gerrit-Reviewer: cron2 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-Attention: plaisthos 
Gerrit-Attention: flichtenheld 
Gerrit-Comment-Date: Wed, 01 May 2024 20:20:16 +
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment


[Openvpn-devel] [M] Change in openvpn[master]: Use topology default of "subnet" only for server mode

2024-05-01 Thread cron2 (Code Review)
cron2 has uploaded a new patch set (#2) to the change originally created by 
flichtenheld. ( http://gerrit.openvpn.net/c/openvpn/+/554?usp=email )

The following approvals got outdated and were removed:
Code-Review+2 by plaisthos


Change subject: Use topology default of "subnet" only for server mode
..

Use topology default of "subnet" only for server mode

The setting of --topology changes the syntax of --ifconfig.
So changing the default of --topology breaks all existing
configs that use --ifconfig but not --topology.

For P2P setups that is probably a significant percentage.
For server setups the percentage is hopefully lower since
--ifconfig is implicitly set by --server. Also more people
might have set their topology explicitly since it makes a
much bigger difference. Clients will usually get the
topology and the IP config pushed by the server.

So we decided to not switch the default for everyone to
not affect P2P setups. What we care about is to change
the default for --mode server, so we only do that now. For
people using --server this should be transparent except
for a pool reset.

Github: Openvpn/openvpn#529
Change-Id: Iefd209c0856ef395ab74055496130de00b86ead0
Signed-off-by: Frank Lichtenheld 
Acked-by: Arne Schwabe 
Message-Id: <20240501124254.29114-1-g...@greenie.muc.de>
URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28592.html
Signed-off-by: Gert Doering 
---
M Changes.rst
M src/openvpn/helper.c
M src/openvpn/helper.h
M src/openvpn/options.c
4 files changed, 49 insertions(+), 16 deletions(-)


  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/54/554/2

diff --git a/Changes.rst b/Changes.rst
index b2278ab..fa0fb22 100644
--- a/Changes.rst
+++ b/Changes.rst
@@ -23,11 +23,12 @@
 ``persist-key`` option has been enabled by default.
 All the keys will be kept in memory across restart.

-Default for ``--topology`` changed to ``subnet``
-Previous releases used ``net30`` as default. This only affects
-configs with ``--dev tun`` and only IPv4. Note that this
-changes the semantics of ``--ifconfig``, so if you have manual
-settings for that in your config but not set ``--topology``
+Default for ``--topology`` changed to ``subnet`` for ``--mode server``
+Previous releases always used ``net30`` as default. This only affects
+configs with ``--mode server`` or ``--server`` (the latter implies the
+former), and ``--dev tun``, and only if IPv4 is enabled.
+Note that this changes the semantics of ``--ifconfig``, so if you have
+manual settings for that in your config but not set ``--topology``
 your config might fail to parse with the new version. Just adding
 ``--topology net30`` to the config should fix the problem.
 By default ``--topology`` is pushed from server to client.
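Review bot: the commit message says `--server` users will see a pool reset, but this entry does not mention it; add a sentence that clients may be handed different addresses after the upgrade, which matters for anyone with firewall rules or `--ifconfig-pool-persist` files built around the old /30 allocation. Otherwise the wording is clearer than before, in particular spelling out that `--server` implies `--mode server`.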
diff --git a/src/openvpn/helper.c b/src/openvpn/helper.c
index 1bab84c..5681718 100644
--- a/src/openvpn/helper.c
+++ b/src/openvpn/helper.c
@@ -137,6 +137,32 @@
 }


+/**
+ * Set --topology default depending on --mode
+ */
+void
+helper_setdefault_topology(struct options *o)
+{
+if (o->topology != TOP_UNDEF)
+{
+return;
+}
+int dev = dev_type_enum(o->dev, o->dev_type);
+if (dev != DEV_TYPE_TUN)
+{
+return;
+}
+if (o->mode == MODE_SERVER)
+{
+o->topology = TOP_SUBNET;
+}
+else
+{
+o->topology = TOP_NET30;
+}
+}
+
+
 /*
  * Process server, server-bridge, and client helper
  * directives after the parameters themselves have been
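Review bot: `helper_setdefault_topology()` pins the default on its first effective call, so it must not run before `o->mode` is final; the call added in the `--server` helper further down is fine, but the options.c call site (in the file list, not in this mail) has to come after all config files and `--mode` options are parsed, or a `--mode server` seen later ends up with `net30`. Two smaller points: for non-tun devices the function leaves `o->topology` at `TOP_UNDEF`, so every later comparison against `TOP_SUBNET`/`TOP_NET30` needs to tolerate that value, and the doc comment should state both behaviours (no-op once set, no-op for tap).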
@@ -151,7 +177,6 @@
  * Get tun/tap/null device type
  */
 const int dev = dev_type_enum(o->dev, o->dev_type);
-const int topology = o->topology;

 /*
  *
@@ -177,11 +202,11 @@

 if (o->server_flags & SF_NOPOOL)
 {
-msg( M_USAGE, "--server-ipv6 is incompatible with 'nopool' option" 
);
+msg(M_USAGE, "--server-ipv6 is incompatible with 'nopool' option");
 }
 if (o->ifconfig_ipv6_pool_defined)
 {
-msg( M_USAGE, "--server-ipv6 already defines an 
ifconfig-ipv6-pool, so you can't also specify --ifconfig-pool explicitly");
+msg(M_USAGE, "--server-ipv6 already defines an ifconfig-ipv6-pool, 
so you can't also specify --ifconfig-pool explicitly");
 }

 o->mode = MODE_SERVER;
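Review bot: the `msg( M_USAGE, ...` to `msg(M_USAGE, ...` edits in this hunk and the `push_option(...)` one in the next are whitespace-only and unrelated to the topology change; mixing them in makes the functional part harder to review and to bisect later, so please split them into a separate cleanup commit or drop them.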
@@ -207,7 +232,7 @@
   o->server_netbits_ipv6 < 112 
? 0x1000 : 2);
 o->ifconfig_ipv6_pool_netbits = o->server_netbits_ipv6;

-push_option( o, "tun-ipv6", M_USAGE );
+push_option(o, "tun-ipv6", M_USAGE);
 }

 /*
@@ -305,8 +330,10 @@

 o->mode = MODE_SERVER;
 o->tls_server = true;
+/* Need to know topology now */
+helper_setdefault_topology(o);

-if (topology == TOP_NET30 || topology == TOP_P2P)
+if (o->topology == TOP_NET30 || 
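Review bot: the ordering is right, `helper_setdefault_topology(o)` runs after `o->mode = MODE_SERVER`, which the helper keys off; the comment `/* Need to know topology now */` would be more useful saying why, i.e. that the topology-dependent branch that follows needs a resolved value. The hunk is cut off at this point in the archived mail, so the remaining `o->topology` uses in the `--server` block cannot be checked here.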

[Openvpn-devel] [M] Change in openvpn[master]: Use topology default of "subnet" only for server mode

2024-05-01 Thread cron2 (Code Review)
cron2 has submitted this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/554?usp=email )

Change subject: Use topology default of "subnet" only for server mode
..

Use topology default of "subnet" only for server mode

The setting of --topology changes the syntax of --ifconfig.
So changing the default of --topology breaks all existing
configs that use --ifconfig but not --topology.

For P2P setups that is probably a significant percentage.
For server setups the percentage is hopefully lower since
--ifconfig is implicitly set by --server. Also more people
might have set their topology explicitly since it makes a
much bigger difference. Clients will usually get the
topology and the IP config pushed by the server.

So we decided to not switch the default for everyone to
not affect P2P setups. What we care about is to change
the default for --mode server, so we only do that now. For
people using --server this should be transparent except
for a pool reset.

Github: Openvpn/openvpn#529
Change-Id: Iefd209c0856ef395ab74055496130de00b86ead0
Signed-off-by: Frank Lichtenheld 
Acked-by: Arne Schwabe 
Message-Id: <20240501124254.29114-1-g...@greenie.muc.de>
URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28592.html
Signed-off-by: Gert Doering 
---
M Changes.rst
M src/openvpn/helper.c
M src/openvpn/helper.h
M src/openvpn/options.c
4 files changed, 49 insertions(+), 16 deletions(-)




diff --git a/Changes.rst b/Changes.rst
index b2278ab..fa0fb22 100644
--- a/Changes.rst
+++ b/Changes.rst
@@ -23,11 +23,12 @@
 ``persist-key`` option has been enabled by default.
 All the keys will be kept in memory across restart.

-Default for ``--topology`` changed to ``subnet``
-Previous releases used ``net30`` as default. This only affects
-configs with ``--dev tun`` and only IPv4. Note that this
-changes the semantics of ``--ifconfig``, so if you have manual
-settings for that in your config but not set ``--topology``
+Default for ``--topology`` changed to ``subnet`` for ``--mode server``
+Previous releases always used ``net30`` as default. This only affects
+configs with ``--mode server`` or ``--server`` (the latter implies the
+former), and ``--dev tun``, and only if IPv4 is enabled.
+Note that this changes the semantics of ``--ifconfig``, so if you have
+manual settings for that in your config but not set ``--topology``
 your config might fail to parse with the new version. Just adding
 ``--topology net30`` to the config should fix the problem.
 By default ``--topology`` is pushed from server to client.
diff --git a/src/openvpn/helper.c b/src/openvpn/helper.c
index 1bab84c..5681718 100644
--- a/src/openvpn/helper.c
+++ b/src/openvpn/helper.c
@@ -137,6 +137,32 @@
 }


+/**
+ * Set --topology default depending on --mode
+ */
+void
+helper_setdefault_topology(struct options *o)
+{
+if (o->topology != TOP_UNDEF)
+{
+return;
+}
+int dev = dev_type_enum(o->dev, o->dev_type);
+if (dev != DEV_TYPE_TUN)
+{
+return;
+}
+if (o->mode == MODE_SERVER)
+{
+o->topology = TOP_SUBNET;
+}
+else
+{
+o->topology = TOP_NET30;
+}
+}
+
+
 /*
  * Process server, server-bridge, and client helper
  * directives after the parameters themselves have been
@@ -151,7 +177,6 @@
  * Get tun/tap/null device type
  */
 const int dev = dev_type_enum(o->dev, o->dev_type);
-const int topology = o->topology;

 /*
  *
@@ -177,11 +202,11 @@

 if (o->server_flags & SF_NOPOOL)
 {
-msg( M_USAGE, "--server-ipv6 is incompatible with 'nopool' option" 
);
+msg(M_USAGE, "--server-ipv6 is incompatible with 'nopool' option");
 }
 if (o->ifconfig_ipv6_pool_defined)
 {
-msg( M_USAGE, "--server-ipv6 already defines an 
ifconfig-ipv6-pool, so you can't also specify --ifconfig-pool explicitly");
+msg(M_USAGE, "--server-ipv6 already defines an ifconfig-ipv6-pool, 
so you can't also specify --ifconfig-pool explicitly");
 }

 o->mode = MODE_SERVER;
@@ -207,7 +232,7 @@
   o->server_netbits_ipv6 < 112 
? 0x1000 : 2);
 o->ifconfig_ipv6_pool_netbits = o->server_netbits_ipv6;

-push_option( o, "tun-ipv6", M_USAGE );
+push_option(o, "tun-ipv6", M_USAGE);
 }

 /*
@@ -305,8 +330,10 @@

 o->mode = MODE_SERVER;
 o->tls_server = true;
+/* Need to know topology now */
+helper_setdefault_topology(o);

-if (topology == TOP_NET30 || topology == TOP_P2P)
+if (o->topology == TOP_NET30 || o->topology == TOP_P2P)
 {
 o->ifconfig_local = print_in_addr_t(o->server_network + 1, 0, 
>gc);
 o->ifconfig_remote_netmask = print_in_addr_t(o->server_network 
+ 2, 0, >gc);
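Review bot: the visible branch only handles `TOP_NET30`/`TOP_P2P`, while `TOP_SUBNET` is now the default for every `--server` config on tun, so the branch below the cut is the path most deployments will take after this change and is where test coverage matters most. The `>gc` in the two `print_in_addr_t()` calls looks like the archive mangling `&o->gc`, not a change in the patch.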

[Openvpn-devel] [XS] Change in openvpn[master]: Add missing EVP_KDF_CTX_free in ssl_tls1_PRF

2024-05-01 Thread cron2 (Code Review)
cron2 has uploaded a new patch set (#2) to the change originally created by 
plaisthos. ( http://gerrit.openvpn.net/c/openvpn/+/581?usp=email )

The following approvals got outdated and were removed:
Code-Review+2 by flichtenheld


Change subject: Add missing EVP_KDF_CTX_free in ssl_tls1_PRF
..

Add missing EVP_KDF_CTX_free in ssl_tls1_PRF

This is just missing in the function. Found by clang+ASAN.

Change-Id: I5d70198f6adbee8add619ee8a0bd6b5b1f61e506
Signed-off-by: Arne Schwabe 
Acked-by: Frank Lichtenheld 
Message-Id: <20240501121819.12805-1-g...@greenie.muc.de>
URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28591.html
Signed-off-by: Gert Doering 
---
M src/openvpn/crypto_openssl.c
1 file changed, 1 insertion(+), 0 deletions(-)


  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/81/581/2

diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
index b2c4eb6..61c6518 100644
--- a/src/openvpn/crypto_openssl.c
+++ b/src/openvpn/crypto_openssl.c
@@ -1372,6 +1372,7 @@
 err:
 ret = false;
 out:
+EVP_KDF_CTX_free(kctx);
 EVP_KDF_free(kdf);

 return ret;
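Review bot: `EVP_KDF_CTX_free(kctx)` at `out:` is reached from every `goto err`/`goto out`, so `kctx` must be initialised to `NULL` at its declaration (not shown in this hunk) for the paths that bail out before `EVP_KDF_CTX_new()`; `EVP_KDF_CTX_free(NULL)` is a documented no-op, so that is all it takes. The same presumably already holds for `kdf`, since `EVP_KDF_free(kdf)` was there before.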

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/581?usp=email

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I5d70198f6adbee8add619ee8a0bd6b5b1f61e506
Gerrit-Change-Number: 581
Gerrit-PatchSet: 2
Gerrit-Owner: plaisthos 
Gerrit-Reviewer: flichtenheld 
Gerrit-CC: openvpn-devel 
Gerrit-MessageType: newpatchset


[Openvpn-devel] [XS] Change in openvpn[master]: Add missing EVP_KDF_CTX_free in ssl_tls1_PRF

2024-05-01 Thread cron2 (Code Review)
cron2 has submitted this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/581?usp=email )

Change subject: Add missing EVP_KDF_CTX_free in ssl_tls1_PRF
..

Add missing EVP_KDF_CTX_free in ssl_tls1_PRF

This is just missing in the function. Found by clang+ASAN.

Change-Id: I5d70198f6adbee8add619ee8a0bd6b5b1f61e506
Signed-off-by: Arne Schwabe 
Acked-by: Frank Lichtenheld 
Message-Id: <20240501121819.12805-1-g...@greenie.muc.de>
URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28591.html
Signed-off-by: Gert Doering 
---
M src/openvpn/crypto_openssl.c
1 file changed, 1 insertion(+), 0 deletions(-)




diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
index b2c4eb6..61c6518 100644
--- a/src/openvpn/crypto_openssl.c
+++ b/src/openvpn/crypto_openssl.c
@@ -1372,6 +1372,7 @@
 err:
 ret = false;
 out:
+EVP_KDF_CTX_free(kctx);
 EVP_KDF_free(kdf);

 return ret;

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/581?usp=email

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I5d70198f6adbee8add619ee8a0bd6b5b1f61e506
Gerrit-Change-Number: 581
Gerrit-PatchSet: 2
Gerrit-Owner: plaisthos 
Gerrit-Reviewer: flichtenheld 
Gerrit-CC: openvpn-devel 
Gerrit-MessageType: merged


[Openvpn-devel] [L] Change in openvpn[master]: Remove OpenSSL 1.0.2 support

2024-04-30 Thread cron2 (Code Review)
Attention is currently required from: plaisthos.

cron2 has posted comments on this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/559?usp=email )

Change subject: Remove OpenSSL 1.0.2 support
..


Patch Set 1:

(1 comment)

File configure.ac:

http://gerrit.openvpn.net/c/openvpn/+/559/comment/3c1dbe9f_996b70a0 :
PS1, Line 915: #error OpenSSL too old
This check is not working - the centos and fbsd74 buildbots pass the configure 
stage just fine, and later fail compilation.



--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/559?usp=email

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I90875311a4e4c403e77e30b609c1878cbd45
Gerrit-Change-Number: 559
Gerrit-PatchSet: 1
Gerrit-Owner: plaisthos 
Gerrit-Reviewer: flichtenheld 
Gerrit-CC: cron2 
Gerrit-CC: openvpn-devel 
Gerrit-Attention: plaisthos 
Gerrit-Comment-Date: Tue, 30 Apr 2024 11:07:25 +
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Gerrit-MessageType: comment


[Openvpn-devel] [L] Change in openvpn[master]: Remove openvpn_snprintf and similar functions

2024-04-08 Thread cron2 (Code Review)
Attention is currently required from: flichtenheld, plaisthos.

cron2 has posted comments on this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/547?usp=email )

Change subject: Remove openvpn_snprintf and similar functions
..


Patch Set 2: Code-Review-1

(3 comments)

Patchset:

PS2:
Unfortunately, this fails -Werror msbuild builds now, see comment in 
interactive.c


File src/openvpn/proxy.c:

http://gerrit.openvpn.net/c/openvpn/+/547/comment/b37effa6_d450b13a :
PS2, Line 962: if (sret >= sizeof(buf))
> if this can truly happen, does it mean that the buffer is undersized compared 
> to the size of all var […]
this code is not part of the actual patchset, but a gerrit artefact due to 
rebasing.  *This* patchset only replaces openvpn_snprintf() with snprintf().


File src/openvpnserv/interactive.c:

http://gerrit.openvpn.net/c/openvpn/+/547/comment/918c9772_0150ba41 :
PS2, Line 2007:  sud.options, svc_pipe);
This makes the GHA msbuild build fail now, with

```
 D:\a\openvpn\openvpn\src\openvpnserv\interactive.c(2006,37): warning C4477: 
'swprintf' : format string '%llu' requires an argument of type 'unsigned 
__int64', but variadic argument 2 has type 'HANDLE' 
[D:\a\openvpn\openvpn\out\build\win-amd64-release\src\openvpnserv\openvpnserv.vcxproj]
```

so it seems the cast to something-int (`DWORD`?) is needed.



--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/547?usp=email

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I07096977e3b562bcb5d2c6f11673a4175b8e12ac
Gerrit-Change-Number: 547
Gerrit-PatchSet: 2
Gerrit-Owner: plaisthos 
Gerrit-Reviewer: cron2 
Gerrit-Reviewer: flichtenheld 
Gerrit-Reviewer: ordex 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-Attention: plaisthos 
Gerrit-Attention: flichtenheld 
Gerrit-Comment-Date: Mon, 08 Apr 2024 08:22:27 +
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Comment-In-Reply-To: ordex 
Gerrit-MessageType: comment


[Openvpn-devel] [S] Change in openvpn[master]: Change default of "topology" to "subnet"

2024-04-03 Thread cron2 (Code Review)
cron2 has uploaded a new patch set (#3) to the change originally created by 
flichtenheld. ( http://gerrit.openvpn.net/c/openvpn/+/421?usp=email )

The following approvals got outdated and were removed:
Code-Review+2 by plaisthos


Change subject: Change default of "topology" to "subnet"
..

Change default of "topology" to "subnet"

Change-Id: Iede3e7c028cbb715e28bc88c7e583f84dadc02c8
Signed-off-by: Frank Lichtenheld 
Acked-by: Arne Schwabe 
Message-Id: <20231201112022.15337-1-fr...@lichtenheld.com>
URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27627.html
Signed-off-by: Gert Doering 
---
M Changes.rst
M doc/man-sections/vpn-network-options.rst
M src/openvpn/options.c
3 files changed, 19 insertions(+), 11 deletions(-)


  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/21/421/3

diff --git a/Changes.rst b/Changes.rst
index 54e5980..b2278ab 100644
--- a/Changes.rst
+++ b/Changes.rst
@@ -23,6 +23,15 @@
 ``persist-key`` option has been enabled by default.
 All the keys will be kept in memory across restart.

+Default for ``--topology`` changed to ``subnet``
+Previous releases used ``net30`` as default. This only affects
+configs with ``--dev tun`` and only IPv4. Note that this
+changes the semantics of ``--ifconfig``, so if you have manual
+settings for that in your config but not set ``--topology``
+your config might fail to parse with the new version. Just adding
+``--topology net30`` to the config should fix the problem.
+By default ``--topology`` is pushed from server to client.
+
 Overview of changes in 2.6
 ==
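
Review bot: the migration advice in the new Changes.rst entry needs tightening. "if you have manual settings for that in your config but not set ``--topology``" should read "but have not set ``--topology``", and "Just adding ``--topology net30`` to the config should fix the problem" only restores the old parsing; on a server config it also changes what is pushed, since the same entry says ``--topology`` is pushed from server to client by default. Suggest naming both ways out: keep ``net30`` explicitly, or rewrite the ``--ifconfig`` arguments as "address netmask" and stay on the new default.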

diff --git a/doc/man-sections/vpn-network-options.rst 
b/doc/man-sections/vpn-network-options.rst
index abe474f..98b4971 100644
--- a/doc/man-sections/vpn-network-options.rst
+++ b/doc/man-sections/vpn-network-options.rst
@@ -495,11 +495,17 @@

   ``mode`` can be one of:

+  :code:`subnet`
+Use a subnet rather than a point-to-point topology by
+configuring the tun interface with a local IP address and subnet mask,
+similar to the topology used in ``--dev tap`` and ethernet bridging
+mode. This mode allocates a single IP address per connecting client and
+works on Windows as well. This is the default.
+
   :code:`net30`
 Use a point-to-point topology, by allocating one /30 subnet
 per client. This is designed to allow point-to-point semantics when some
-or all of the connecting clients might be Windows systems. This is the
-default.
+or all of the connecting clients might be Windows systems.

   :code:`p2p`
 Use a point-to-point topology where the remote endpoint of
@@ -508,15 +514,8 @@
 connecting client. Only use when none of the connecting clients are
 Windows systems.

-  :code:`subnet`
-Use a subnet rather than a point-to-point topology by
-configuring the tun interface with a local IP address and subnet mask,
-similar to the topology used in ``--dev tap`` and ethernet bridging
-mode. This mode allocates a single IP address per connecting client and
-works on Windows as well.
-
   *Note:* Using ``--topology subnet`` changes the interpretation of the
-  arguments of ``--ifconfig`` to mean "address netmask", no longer "local
+  arguments of ``--ifconfig`` to mean "address netmask", and not "local
   remote".

 --tun-mtu args
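
Review bot: the *Note:* paragraph is now framed the wrong way round: with ``subnet`` the default (first hunk of this file), "Using ``--topology subnet`` changes the interpretation of the arguments of ``--ifconfig``" describes the default as the deviation. Suggest inverting it, e.g. "With ``--topology subnet`` (the default) the arguments of ``--ifconfig`` mean "address netmask"; with ``net30`` or ``p2p`` they mean "local remote"."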
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 768332d..e2bfe0e 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -796,7 +796,7 @@
 o->gc_owned = true;
 }
 o->mode = MODE_POINT_TO_POINT;
-o->topology = TOP_NET30;
+o->topology = TOP_SUBNET;
 o->ce.proto = PROTO_UDP;
 o->ce.af = AF_UNSPEC;
 o->ce.bind_ipv6_only = false;
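
Review bot: flipping the default here is the whole behavioural change, but nothing in the diff gives a user whose unchanged ``--dev tun`` config now fails to parse a hint about why. Changes.rst says such configs "might fail to parse"; the parse error for that case would be the right place to mention ``--topology net30``, otherwise the failure looks like a typo in a config that has not been touched. Also, this default sits next to `o->mode = MODE_POINT_TO_POINT;`, so it applies to plain point-to-point setups as well as to server mode; a line in the commit message saying so would help.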

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/421?usp=email

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Iede3e7c028cbb715e28bc88c7e583f84dadc02c8
Gerrit-Change-Number: 421
Gerrit-PatchSet: 3
Gerrit-Owner: flichtenheld 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-MessageType: newpatchset


[Openvpn-devel] [S] Change in openvpn[master]: Change default of "topology" to "subnet"

2024-04-03 Thread cron2 (Code Review)
cron2 has submitted this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/421?usp=email )

Change subject: Change default of "topology" to "subnet"
..

Change default of "topology" to "subnet"

Change-Id: Iede3e7c028cbb715e28bc88c7e583f84dadc02c8
Signed-off-by: Frank Lichtenheld 
Acked-by: Arne Schwabe 
Message-Id: <20231201112022.15337-1-fr...@lichtenheld.com>
URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27627.html
Signed-off-by: Gert Doering 
---
M Changes.rst
M doc/man-sections/vpn-network-options.rst
M src/openvpn/options.c
3 files changed, 19 insertions(+), 11 deletions(-)




diff --git a/Changes.rst b/Changes.rst
index 54e5980..b2278ab 100644
--- a/Changes.rst
+++ b/Changes.rst
@@ -23,6 +23,15 @@
 ``persist-key`` option has been enabled by default.
 All the keys will be kept in memory across restart.

+Default for ``--topology`` changed to ``subnet``
+Previous releases used ``net30`` as default. This only affects
+configs with ``--dev tun`` and only IPv4. Note that this
+changes the semantics of ``--ifconfig``, so if you have manual
+settings for that in your config but not set ``--topology``
+your config might fail to parse with the new version. Just adding
+``--topology net30`` to the config should fix the problem.
+By default ``--topology`` is pushed from server to client.
+
 Overview of changes in 2.6
 ==

diff --git a/doc/man-sections/vpn-network-options.rst 
b/doc/man-sections/vpn-network-options.rst
index abe474f..98b4971 100644
--- a/doc/man-sections/vpn-network-options.rst
+++ b/doc/man-sections/vpn-network-options.rst
@@ -495,11 +495,17 @@

   ``mode`` can be one of:

+  :code:`subnet`
+Use a subnet rather than a point-to-point topology by
+configuring the tun interface with a local IP address and subnet mask,
+similar to the topology used in ``--dev tap`` and ethernet bridging
+mode. This mode allocates a single IP address per connecting client and
+works on Windows as well. This is the default.
+
   :code:`net30`
 Use a point-to-point topology, by allocating one /30 subnet
 per client. This is designed to allow point-to-point semantics when some
-or all of the connecting clients might be Windows systems. This is the
-default.
+or all of the connecting clients might be Windows systems.

   :code:`p2p`
 Use a point-to-point topology where the remote endpoint of
@@ -508,15 +514,8 @@
 connecting client. Only use when none of the connecting clients are
 Windows systems.

-  :code:`subnet`
-Use a subnet rather than a point-to-point topology by
-configuring the tun interface with a local IP address and subnet mask,
-similar to the topology used in ``--dev tap`` and ethernet bridging
-mode. This mode allocates a single IP address per connecting client and
-works on Windows as well.
-
   *Note:* Using ``--topology subnet`` changes the interpretation of the
-  arguments of ``--ifconfig`` to mean "address netmask", no longer "local
+  arguments of ``--ifconfig`` to mean "address netmask", and not "local
   remote".

 --tun-mtu args
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 768332d..e2bfe0e 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -796,7 +796,7 @@
 o->gc_owned = true;
 }
 o->mode = MODE_POINT_TO_POINT;
-o->topology = TOP_NET30;
+o->topology = TOP_SUBNET;
 o->ce.proto = PROTO_UDP;
 o->ce.af = AF_UNSPEC;
 o->ce.bind_ipv6_only = false;

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/421?usp=email

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Iede3e7c028cbb715e28bc88c7e583f84dadc02c8
Gerrit-Change-Number: 421
Gerrit-PatchSet: 3
Gerrit-Owner: flichtenheld 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-MessageType: merged


[Openvpn-devel] [M] Change in openvpn[master]: tests: fork default automake test-driver

2024-04-03 Thread cron2 (Code Review)
cron2 has submitted this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/478?usp=email )

Change subject: tests: fork default automake test-driver
..

tests: fork default automake test-driver

For some of the tests we don't like the default log behavior
and there seems to be no easy way to change that except to fork
the driver. The license seems unproblematic since we're
GPL anyway.

v2:
 - Do not use forked-test-driver for UTs. Default behavior
   is fine for those.

Change-Id: I67d461afbcc9c06b1fc5ab4477141d7b8bd9ba8e
Signed-off-by: Frank Lichtenheld 
Acked-by: Arne Schwabe 
Message-Id: <20240125110036.16070-1-fr...@lichtenheld.com>
URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28132.html
Signed-off-by: Gert Doering 
---
M Makefile.am
A forked-test-driver
M tests/Makefile.am
3 files changed, 156 insertions(+), 1 deletion(-)




diff --git a/Makefile.am b/Makefile.am
index 439346e..87230fe 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -45,7 +45,8 @@
ltrc.inc \
CMakeLists.txt \
CMakePresets.json \
-   config.h.cmake.in
+   config.h.cmake.in \
+   forked-test-driver

 .PHONY: config-version.h doxygen

diff --git a/forked-test-driver b/forked-test-driver
new file mode 100755
index 000..be73b80
--- /dev/null
+++ b/forked-test-driver
@@ -0,0 +1,153 @@
+#! /bin/sh
+# test-driver - basic testsuite driver script.
+
+scriptversion=2018-03-07.03; # UTC
+
+# Copyright (C) 2011-2021 Free Software Foundation, Inc.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2, or (at your option)
+# any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see .
+
+# As a special exception to the GNU General Public License, if you
+# distribute this file as part of a program that contains a
+# configuration script generated by Autoconf, you may include it under
+# the same distribution terms that you use for the rest of that program.
+
+# This file is maintained in Automake, please report
+# bugs to  or send patches to
+# .
+
+# Make unconditional expansion of undefined variables an error.  This
+# helps a lot in preventing typo-related bugs.
+set -u
+
+usage_error ()
+{
+  echo "$0: $*" >&2
+  print_usage >&2
+  exit 2
+}
+
+print_usage ()
+{
+  cat <"$log_file"
+"$@" >>"$log_file" 2>&1
+estatus=$?
+
+if test $enable_hard_errors = no && test $estatus -eq 99; then
+  tweaked_estatus=1
+else
+  tweaked_estatus=$estatus
+fi
+
+case $tweaked_estatus:$expect_failure in
+  0:yes) col=$red res=XPASS recheck=yes gcopy=yes;;
+  0:*)   col=$grn res=PASS  recheck=no  gcopy=no;;
+  77:*)  col=$blu res=SKIP  recheck=no  gcopy=yes;;
+  99:*)  col=$mgn res=ERROR recheck=yes gcopy=yes;;
+  *:yes) col=$lgn res=XFAIL recheck=no  gcopy=yes;;
+  *:*)   col=$red res=FAIL  recheck=yes gcopy=yes;;
+esac
+
+# Report the test outcome and exit status in the logs, so that one can
+# know whether the test passed or failed simply by looking at the '.log'
+# file, without the need of also peaking into the corresponding '.trs'
+# file (automake bug#11814).
+echo "$res $test_name (exit status: $estatus)" >>"$log_file"
+
+# Report outcome to console.
+echo "${col}${res}${std}: $test_name"
+
+# Register the test result, and other relevant metadata.
+echo ":test-result: $res" > $trs_file
+echo ":global-test-result: $res" >> $trs_file
+echo ":recheck: $recheck" >> $trs_file
+echo ":copy-in-global-log: $gcopy" >> $trs_file
+
+# Local Variables:
+# mode: shell-script
+# sh-indentation: 2
+# eval: (add-hook 'before-save-hook 'time-stamp)
+# time-stamp-start: "scriptversion="
+# time-stamp-format: "%:y-%02m-%02d.%02H"
+# time-stamp-time-zone: "UTC0"
+# time-stamp-end: "; # UTC"
+# End:
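
Review bot: the .trs writes near the end leave $trs_file unquoted (`echo ":test-result: $res" > $trs_file` and the three lines after it) while $log_file is quoted everywhere else; now that this is project-owned code, quote them as "$trs_file" so a path with spaces cannot be word-split. Two smaller points on the same file: the header still says "test-driver - basic testsuite driver script" with nothing marking it as a fork of automake's driver, so a line naming the upstream version it was taken from (scriptversion=2018-03-07.03 is already there) and pointing at the OVPN-specific changes would help the next person diffing against upstream; and the hunk as shown on this page is cut between `cat <` and `"$log_file"`, so the usage text and option parsing could not be reviewed here.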
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 2885752..5e9ad0a 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -15,6 +15,7 @@
 SUBDIRS = unit_tests

 AM_TESTSUITE_SUMMARY_HEADER = ' for $(PACKAGE_STRING) System Tests'
+LOG_DRIVER = $(SHELL) $(top_srcdir)/forked-test-driver

 if !WIN32
 test_scripts = t_client.sh t_lpback.sh t_cltsrv.sh
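
Review bot: the v2 note in the commit message ("Do not use forked-test-driver for UTs") is satisfied only implicitly: LOG_DRIVER is set in tests/Makefile.am, and the unit tests live in the unit_tests SUBDIR, which has its own Makefile and therefore keeps automake's default driver. A one-line comment above LOG_DRIVER saying it intentionally covers only the system tests (t_client.sh and friends) would stop someone from "fixing" it by moving the assignment up a level.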

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/478?usp=email

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I67d461afbcc9c06b1fc5ab4477141d7b8bd9ba8e
Gerrit-Change-Number: 478
Gerrit-PatchSet: 11
Gerrit-Owner: flichtenheld 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-MessageType: 

[Openvpn-devel] [XS] Change in openvpn[master]: forked-test-driver: Show test output always

2024-04-03 Thread cron2 (Code Review)
cron2 has submitted this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/479?usp=email )

Change subject: forked-test-driver: Show test output always
..

forked-test-driver: Show test output always

We want to see the progress, at least for slow tests
like t_client.sh.

Change-Id: I11e0091482d9acee89ca018374cb8d96d22f8514
Signed-off-by: Frank Lichtenheld 
Acked-by: Arne Schwabe 
Message-Id: <20240125110122.16257-1-fr...@lichtenheld.com>
URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28133.html
Signed-off-by: Gert Doering 
---
M forked-test-driver
1 file changed, 7 insertions(+), 2 deletions(-)




diff --git a/forked-test-driver b/forked-test-driver
index be73b80..6971dfb 100755
--- a/forked-test-driver
+++ b/forked-test-driver
@@ -108,9 +108,14 @@
 # Test script is run here. We create the file first, then append to it,
 # to ameliorate tests themselves also writing to the log file. Our tests
 # don't, but others can (automake bug#35762).
+# OVPN changes:
+#  - add tee to see output of tests
+#  - needs portable pipefail mechanism
+estatusfile="${trs_file}.exit"
 : >"$log_file"
-"$@" >>"$log_file" 2>&1
-estatus=$?
+("$@" 2>&1; estatus=$?; echo $estatus >"$estatusfile") | tee -a "$log_file"
+estatus=$(cat "$estatusfile")
+rm -f "$estatusfile"

 if test $enable_hard_errors = no && test $estatus -eq 99; then
   tweaked_estatus=1
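
Review bot: the exit-status round trip through "$estatusfile" has no fallback for a missing or empty file. If the subshell never reaches `echo $estatus >"$estatusfile"` (killed by a signal, or the write fails), `estatus=$(cat "$estatusfile")` yields an empty string plus a cat error on the console, and the following `test $estatus -eq 99` then aborts with "integer expression expected" instead of recording a result. Suggest `rm -f "$estatusfile"` before the run and `estatus=$(cat "$estatusfile" 2>/dev/null); estatus=${estatus:-99}` after it, so a lost status lands in the ERROR branch of the case statement rather than looking like a driver bug. The "needs portable pipefail mechanism" comment is fair: `set -o pipefail` is not available in every /bin/sh, so the file-based approach is the right call.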

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/479?usp=email

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I11e0091482d9acee89ca018374cb8d96d22f8514
Gerrit-Change-Number: 479
Gerrit-PatchSet: 12
Gerrit-Owner: flichtenheld 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-MessageType: merged


[Openvpn-devel] [M] Change in openvpn[master]: tests: fork default automake test-driver

2024-04-03 Thread cron2 (Code Review)
cron2 has uploaded a new patch set (#11) to the change originally created by 
flichtenheld. ( http://gerrit.openvpn.net/c/openvpn/+/478?usp=email )

The following approvals got outdated and were removed:
Code-Review+2 by plaisthos


Change subject: tests: fork default automake test-driver
..

tests: fork default automake test-driver

For some of the tests we don't like the default log behavior
and there seems to be no easy way to change that except to fork
the driver. The license seems unproblematic since we're
GPL anyway.

v2:
 - Do not use forked-test-driver for UTs. Default behavior
   is fine for those.

Change-Id: I67d461afbcc9c06b1fc5ab4477141d7b8bd9ba8e
Signed-off-by: Frank Lichtenheld 
Acked-by: Arne Schwabe 
Message-Id: <20240125110036.16070-1-fr...@lichtenheld.com>
URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28132.html
Signed-off-by: Gert Doering 
---
M Makefile.am
A forked-test-driver
M tests/Makefile.am
3 files changed, 156 insertions(+), 1 deletion(-)


  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/78/478/11

diff --git a/Makefile.am b/Makefile.am
index 439346e..87230fe 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -45,7 +45,8 @@
ltrc.inc \
CMakeLists.txt \
CMakePresets.json \
-   config.h.cmake.in
+   config.h.cmake.in \
+   forked-test-driver

 .PHONY: config-version.h doxygen

diff --git a/forked-test-driver b/forked-test-driver
new file mode 100755
index 000..be73b80
--- /dev/null
+++ b/forked-test-driver
@@ -0,0 +1,153 @@
+#! /bin/sh
+# test-driver - basic testsuite driver script.
+
+scriptversion=2018-03-07.03; # UTC
+
+# Copyright (C) 2011-2021 Free Software Foundation, Inc.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2, or (at your option)
+# any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see .
+
+# As a special exception to the GNU General Public License, if you
+# distribute this file as part of a program that contains a
+# configuration script generated by Autoconf, you may include it under
+# the same distribution terms that you use for the rest of that program.
+
+# This file is maintained in Automake, please report
+# bugs to  or send patches to
+# .
+
+# Make unconditional expansion of undefined variables an error.  This
+# helps a lot in preventing typo-related bugs.
+set -u
+
+usage_error ()
+{
+  echo "$0: $*" >&2
+  print_usage >&2
+  exit 2
+}
+
+print_usage ()
+{
+  cat <"$log_file"
+"$@" >>"$log_file" 2>&1
+estatus=$?
+
+if test $enable_hard_errors = no && test $estatus -eq 99; then
+  tweaked_estatus=1
+else
+  tweaked_estatus=$estatus
+fi
+
+case $tweaked_estatus:$expect_failure in
+  0:yes) col=$red res=XPASS recheck=yes gcopy=yes;;
+  0:*)   col=$grn res=PASS  recheck=no  gcopy=no;;
+  77:*)  col=$blu res=SKIP  recheck=no  gcopy=yes;;
+  99:*)  col=$mgn res=ERROR recheck=yes gcopy=yes;;
+  *:yes) col=$lgn res=XFAIL recheck=no  gcopy=yes;;
+  *:*)   col=$red res=FAIL  recheck=yes gcopy=yes;;
+esac
+
+# Report the test outcome and exit status in the logs, so that one can
+# know whether the test passed or failed simply by looking at the '.log'
+# file, without the need of also peaking into the corresponding '.trs'
+# file (automake bug#11814).
+echo "$res $test_name (exit status: $estatus)" >>"$log_file"
+
+# Report outcome to console.
+echo "${col}${res}${std}: $test_name"
+
+# Register the test result, and other relevant metadata.
+echo ":test-result: $res" > $trs_file
+echo ":global-test-result: $res" >> $trs_file
+echo ":recheck: $recheck" >> $trs_file
+echo ":copy-in-global-log: $gcopy" >> $trs_file
+
+# Local Variables:
+# mode: shell-script
+# sh-indentation: 2
+# eval: (add-hook 'before-save-hook 'time-stamp)
+# time-stamp-start: "scriptversion="
+# time-stamp-format: "%:y-%02m-%02d.%02H"
+# time-stamp-time-zone: "UTC0"
+# time-stamp-end: "; # UTC"
+# End:
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 2885752..5e9ad0a 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -15,6 +15,7 @@
 SUBDIRS = unit_tests

 AM_TESTSUITE_SUMMARY_HEADER = ' for $(PACKAGE_STRING) System Tests'
+LOG_DRIVER = $(SHELL) $(top_srcdir)/forked-test-driver

 if !WIN32
 test_scripts = t_client.sh t_lpback.sh t_cltsrv.sh

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/478?usp=email

Gerrit-Project: openvpn
Gerrit-Branch: master

[Openvpn-devel] [XS] Change in openvpn[master]: forked-test-driver: Show test output always

2024-04-03 Thread cron2 (Code Review)
cron2 has uploaded a new patch set (#12) to the change originally created by 
flichtenheld. ( http://gerrit.openvpn.net/c/openvpn/+/479?usp=email )

The following approvals got outdated and were removed:
Code-Review+2 by plaisthos


Change subject: forked-test-driver: Show test output always
..

forked-test-driver: Show test output always

We want to see the progress, at least for slow tests
like t_client.sh.

Change-Id: I11e0091482d9acee89ca018374cb8d96d22f8514
Signed-off-by: Frank Lichtenheld 
Acked-by: Arne Schwabe 
Message-Id: <20240125110122.16257-1-fr...@lichtenheld.com>
URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28133.html
Signed-off-by: Gert Doering 
---
M forked-test-driver
1 file changed, 7 insertions(+), 2 deletions(-)


  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/79/479/12

diff --git a/forked-test-driver b/forked-test-driver
index be73b80..6971dfb 100755
--- a/forked-test-driver
+++ b/forked-test-driver
@@ -108,9 +108,14 @@
 # Test script is run here. We create the file first, then append to it,
 # to ameliorate tests themselves also writing to the log file. Our tests
 # don't, but others can (automake bug#35762).
+# OVPN changes:
+#  - add tee to see output of tests
+#  - needs portable pipefail mechanism
+estatusfile="${trs_file}.exit"
 : >"$log_file"
-"$@" >>"$log_file" 2>&1
-estatus=$?
+("$@" 2>&1; estatus=$?; echo $estatus >"$estatusfile") | tee -a "$log_file"
+estatus=$(cat "$estatusfile")
+rm -f "$estatusfile"

 if test $enable_hard_errors = no && test $estatus -eq 99; then
   tweaked_estatus=1

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/479?usp=email

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I11e0091482d9acee89ca018374cb8d96d22f8514
Gerrit-Change-Number: 479
Gerrit-PatchSet: 12
Gerrit-Owner: flichtenheld 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-MessageType: newpatchset


[Openvpn-devel] [XS] Change in openvpn[master]: Remove/combine redundant call of EVP_CipherInit before EVP_CipherInit_Ex

2024-04-02 Thread cron2 (Code Review)
cron2 has submitted this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/552?usp=email )

Change subject: Remove/combine redundant call of EVP_CipherInit before 
EVP_CipherInit_Ex
..

Remove/combine redundant call of EVP_CipherInit before EVP_CipherInit_Ex

EVP_CipherInit is basically the same as EVP_CipherInit_ex, except that
in some instances it resets/inits the ctx parameter first. We already
call EVP_CIPHER_CTX_reset to reset/init the ctx before. Also ensure that
EVP_CipherInit_Ex gets the cipher to actually be able to initialise the
context.

OpenSSL 1.0.2:

https://github.com/openssl/openssl/blob/OpenSSL_1_0_2-stable/crypto/evp/evp_enc.c#L94

EVP_CipherInit first calls EVP_CIPHER_CTX_init and then EVP_CipherInit_ex

Our openssl_compat.h has

for these older OpenSSL versions

OpenSSL 3.0:

https://github.com/openssl/openssl/blob/openssl-3.2/crypto/evp/evp_enc.c#L450

Basically the same as 1.0.2, just that the method names have been changed.

Change-Id: I911e25949a8647b567fd4178683534d4404ab469
Signed-off-by: Arne Schwabe 
Acked-by: Gert Doering 
Message-Id: <20240402134909.6340-1-g...@greenie.muc.de>
URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28523.html
Signed-off-by: Gert Doering 
---
M src/openvpn/crypto_openssl.c
1 file changed, 1 insertion(+), 5 deletions(-)




diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
index bfc5e37..b2c4eb6 100644
--- a/src/openvpn/crypto_openssl.c
+++ b/src/openvpn/crypto_openssl.c
@@ -846,11 +846,7 @@
 evp_cipher_type *kt = cipher_get(ciphername);

 EVP_CIPHER_CTX_reset(ctx);
-if (!EVP_CipherInit(ctx, kt, NULL, NULL, enc))
-{
-crypto_msg(M_FATAL, "EVP cipher init #1");
-}
-if (!EVP_CipherInit_ex(ctx, NULL, NULL, key, NULL, enc))
+if (!EVP_CipherInit_ex(ctx, kt, NULL, key, NULL, enc))
 {
 crypto_msg(M_FATAL, "EVP cipher init #2");
 }
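
Review bot: the remaining error message still says "EVP cipher init #2", but with the first call gone there is no #1 any more; rename it to "EVP cipher init" so the log line does not send the reader looking for an earlier init. The consolidation itself reads fine: EVP_CIPHER_CTX_reset is still called first, and passing kt into EVP_CipherInit_ex (instead of the NULL the old second call used) is what makes the single call sufficient, matching the "also ensure that EVP_CipherInit_Ex gets the cipher" note in the commit message.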

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/552?usp=email

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I911e25949a8647b567fd4178683534d4404ab469
Gerrit-Change-Number: 552
Gerrit-PatchSet: 4
Gerrit-Owner: plaisthos 
Gerrit-Reviewer: cron2 
Gerrit-Reviewer: flichtenheld 
Gerrit-CC: openvpn-devel 
Gerrit-MessageType: merged


[Openvpn-devel] [XS] Change in openvpn[master]: Remove/combine redundant call of EVP_CipherInit before EVP_CipherInit_Ex

2024-04-02 Thread cron2 (Code Review)
cron2 has uploaded a new patch set (#4) to the change originally created by 
plaisthos. ( http://gerrit.openvpn.net/c/openvpn/+/552?usp=email )

The following approvals got outdated and were removed:
Code-Review+2 by cron2


Change subject: Remove/combine redundant call of EVP_CipherInit before 
EVP_CipherInit_Ex
..

Remove/combine redundant call of EVP_CipherInit before EVP_CipherInit_Ex

EVP_CipherInit is basically the same as EVP_CipherInit_ex, except that
in some instances it resets/inits the ctx parameter first. We already
call EVP_CIPHER_CTX_reset to reset/init the ctx before. Also ensure that
EVP_CipherInit_Ex gets the cipher to actually be able to initialise the
context.

OpenSSL 1.0.2:

https://github.com/openssl/openssl/blob/OpenSSL_1_0_2-stable/crypto/evp/evp_enc.c#L94

EVP_CipherInit first calls EVP_CIPHER_CTX_init and then EVP_CipherInit_ex

Our openssl_compat.h has

for these older OpenSSL versions

OpenSSL 3.0:

https://github.com/openssl/openssl/blob/openssl-3.2/crypto/evp/evp_enc.c#L450

Basically the same as 1.0.2, just that the method names have been changed.

Change-Id: I911e25949a8647b567fd4178683534d4404ab469
Signed-off-by: Arne Schwabe 
Acked-by: Gert Doering 
Message-Id: <20240402134909.6340-1-g...@greenie.muc.de>
URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28523.html
Signed-off-by: Gert Doering 
---
M src/openvpn/crypto_openssl.c
1 file changed, 1 insertion(+), 5 deletions(-)


  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/52/552/4

diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
index bfc5e37..b2c4eb6 100644
--- a/src/openvpn/crypto_openssl.c
+++ b/src/openvpn/crypto_openssl.c
@@ -846,11 +846,7 @@
 evp_cipher_type *kt = cipher_get(ciphername);

 EVP_CIPHER_CTX_reset(ctx);
-if (!EVP_CipherInit(ctx, kt, NULL, NULL, enc))
-{
-crypto_msg(M_FATAL, "EVP cipher init #1");
-}
-if (!EVP_CipherInit_ex(ctx, NULL, NULL, key, NULL, enc))
+if (!EVP_CipherInit_ex(ctx, kt, NULL, key, NULL, enc))
 {
 crypto_msg(M_FATAL, "EVP cipher init #2");
 }

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/552?usp=email

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I911e25949a8647b567fd4178683534d4404ab469
Gerrit-Change-Number: 552
Gerrit-PatchSet: 4
Gerrit-Owner: plaisthos 
Gerrit-Reviewer: cron2 
Gerrit-Reviewer: flichtenheld 
Gerrit-CC: openvpn-devel 
Gerrit-MessageType: newpatchset


[Openvpn-devel] [XS] Change in openvpn[master]: Remove/combine redundant call of EVP_CipherInit before EVP_CipherInit_Ex

2024-04-02 Thread cron2 (Code Review)
Attention is currently required from: flichtenheld, plaisthos.

cron2 has posted comments on this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/552?usp=email )

Change subject: Remove/combine redundant call of EVP_CipherInit before 
EVP_CipherInit_Ex
..


Patch Set 3: Code-Review+2

(1 comment)

Patchset:

PS3:
now all tests pass



--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/552?usp=email

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I911e25949a8647b567fd4178683534d4404ab469
Gerrit-Change-Number: 552
Gerrit-PatchSet: 3
Gerrit-Owner: plaisthos 
Gerrit-Reviewer: cron2 
Gerrit-Reviewer: flichtenheld 
Gerrit-CC: openvpn-devel 
Gerrit-Attention: plaisthos 
Gerrit-Attention: flichtenheld 
Gerrit-Comment-Date: Tue, 02 Apr 2024 13:48:48 +
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment


[Openvpn-devel] [XS] Change in openvpn[master]: Remove redundant call of EVP_CipherInit before EVP_CipherInit_Ex

2024-04-02 Thread cron2 (Code Review)
Attention is currently required from: flichtenheld, plaisthos.

cron2 has posted comments on this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/552?usp=email )

Change subject: Remove redundant call of EVP_CipherInit before EVP_CipherInit_Ex
..


Patch Set 2: Code-Review-1

(1 comment)

Patchset:

PS2: 
withdrawing the +2 for the time being - it causes failures in ssl_testdriver 
(and possibly others) now, on some platforms



--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/552?usp=email

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I911e25949a8647b567fd4178683534d4404ab469
Gerrit-Change-Number: 552
Gerrit-PatchSet: 2
Gerrit-Owner: plaisthos 
Gerrit-Reviewer: cron2 
Gerrit-Reviewer: flichtenheld 
Gerrit-CC: openvpn-devel 
Gerrit-Attention: plaisthos 
Gerrit-Attention: flichtenheld 
Gerrit-Comment-Date: Tue, 02 Apr 2024 12:47:19 +
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment


[Openvpn-devel] [XS] Change in openvpn[master]: Remove redundant call of EVP_CipherInit before EVP_CipherInit_Ex

2024-04-02 Thread cron2 (Code Review)
Attention is currently required from: flichtenheld, plaisthos.

cron2 has posted comments on this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/552?usp=email )

Change subject: Remove redundant call of EVP_CipherInit before EVP_CipherInit_Ex
..


Patch Set 2: Code-Review+2

(1 comment)

Patchset:

PS2: 
The openssl source is very enlightening and makes it very clear that this is 
correct.



--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/552?usp=email

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I911e25949a8647b567fd4178683534d4404ab469
Gerrit-Change-Number: 552
Gerrit-PatchSet: 2
Gerrit-Owner: plaisthos 
Gerrit-Reviewer: cron2 
Gerrit-Reviewer: flichtenheld 
Gerrit-CC: openvpn-devel 
Gerrit-Attention: plaisthos 
Gerrit-Attention: flichtenheld 
Gerrit-Comment-Date: Tue, 02 Apr 2024 12:21:44 +
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment


[Openvpn-devel] [XS] Change in openvpn[master]: Match ifdef for get_sigtype function with if ifdef of caller

2024-04-02 Thread cron2 (Code Review)
cron2 has uploaded a new patch set (#2) to the change originally created by 
plaisthos. ( http://gerrit.openvpn.net/c/openvpn/+/551?usp=email )

The following approvals got outdated and were removed:
Code-Review+2 by cron2


Change subject: Match ifdef for get_sigtype function with if ifdef of caller
..

Match ifdef for get_sigtype function with if ifdef of caller

These two ifdefs need to be the same, otherwise the compiler will
break with an undefined function.

Change-Id: I5b14bf90bb07935f0bb84373ec4e62352752c03f
Signed-off-by: Arne Schwabe 
Acked-by: Gert Doering 
Message-Id: <20240402063646.25490-1-g...@greenie.muc.de>
URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28512.html
Signed-off-by: Gert Doering 
---
M src/openvpn/ssl_openssl.c
1 file changed, 2 insertions(+), 1 deletion(-)


  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/51/551/2

diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 6f29c3d..a158617 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -2166,7 +2166,8 @@
 EVP_PKEY_free(pkey);
 }

-#if !defined(LIBRESSL_VERSION_NUMBER)  && OPENSSL_VERSION_NUMBER >= 0x101fL
+#if (!defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 
0x101fL) \
+|| (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 
0x309fL)
 /**
  * Translate an OpenSSL NID into a more human readable name
  * @param nid
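
Review bot: the guard only stays correct as long as somebody remembers to edit both sites; the commit message says this #if must match the caller's, the caller is not part of this patch, and the next OpenSSL or LibreSSL version bump can desynchronise them again. Suggest defining the combined condition once, e.g. `#define HAVE_GET_SIGTYPE ...` next to the existing version checks, and using that macro at the definition and at the call site. A one-line comment on why that LibreSSL version is the cutoff would also help the next reader.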

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/551?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I5b14bf90bb07935f0bb84373ec4e62352752c03f
Gerrit-Change-Number: 551
Gerrit-PatchSet: 2
Gerrit-Owner: plaisthos 
Gerrit-Reviewer: cron2 
Gerrit-Reviewer: flichtenheld 
Gerrit-CC: openvpn-devel 
Gerrit-MessageType: newpatchset


[Openvpn-devel] [XS] Change in openvpn[master]: Match ifdef for get_sigtype function with if ifdef of caller

2024-04-02 Thread cron2 (Code Review)
cron2 has submitted this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/551?usp=email )

Change subject: Match ifdef for get_sigtype function with if ifdef of caller
..

Match ifdef for get_sigtype function with if ifdef of caller

These two ifdefs need to be the same, otherwise the compiler will
break with an undefined function.

Change-Id: I5b14bf90bb07935f0bb84373ec4e62352752c03f
Signed-off-by: Arne Schwabe 
Acked-by: Gert Doering 
Message-Id: <20240402063646.25490-1-g...@greenie.muc.de>
URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28512.html
Signed-off-by: Gert Doering 
---
M src/openvpn/ssl_openssl.c
1 file changed, 2 insertions(+), 1 deletion(-)




diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 6f29c3d..a158617 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -2166,7 +2166,8 @@
 EVP_PKEY_free(pkey);
 }

-#if !defined(LIBRESSL_VERSION_NUMBER)  && OPENSSL_VERSION_NUMBER >= 0x101fL
+#if (!defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 
0x101fL) \
+|| (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 
0x309fL)
 /**
  * Translate an OpenSSL NID into a more human readable name
  * @param nid

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/551?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I5b14bf90bb07935f0bb84373ec4e62352752c03f
Gerrit-Change-Number: 551
Gerrit-PatchSet: 2
Gerrit-Owner: plaisthos 
Gerrit-Reviewer: cron2 
Gerrit-Reviewer: flichtenheld 
Gerrit-CC: openvpn-devel 
Gerrit-MessageType: merged


[Openvpn-devel] [XS] Change in openvpn[master]: Match ifdef for get_sigtype function with if ifdef of caller

2024-04-02 Thread cron2 (Code Review)
Attention is currently required from: flichtenheld, plaisthos.

cron2 has posted comments on this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/551?usp=email )

Change subject: Match ifdef for get_sigtype function with if ifdef of caller
..


Patch Set 1: Code-Review+2

(1 comment)

Patchset:

PS1:
verified, now the #ifdef matches the other one



--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/551?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I5b14bf90bb07935f0bb84373ec4e62352752c03f
Gerrit-Change-Number: 551
Gerrit-PatchSet: 1
Gerrit-Owner: plaisthos 
Gerrit-Reviewer: cron2 
Gerrit-Reviewer: flichtenheld 
Gerrit-CC: openvpn-devel 
Gerrit-Attention: plaisthos 
Gerrit-Attention: flichtenheld 
Gerrit-Comment-Date: Tue, 02 Apr 2024 06:36:22 +
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment


[Openvpn-devel] [S] Change in openvpn[master]: crypto_backend: fix type of enc parameter

2024-03-31 Thread cron2 (Code Review)
cron2 has submitted this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/548?usp=email )

Change subject: crypto_backend: fix type of enc parameter
..

crypto_backend: fix type of enc parameter

We had parts of an abstraction, but it wasn't consistent.
GCC 13 now complains about the type mismatch with mbedtls:

crypto_mbedtls.c:568:1: error:
conflicting types for ‘cipher_ctx_init’ due to enum/integer mismatch;
have ‘void(mbedtls_cipher_context_t *, const uint8_t *, const char *, const 
mbedtls_operation_t)’
[...] [-Werror=enum-int-mismatch]
crypto_backend.h:341:6: note:
previous declaration of ‘cipher_ctx_init’ with type
‘void(cipher_ctx_t *, const uint8_t *, const char *, int)’ [...]

Previous compiler versions did not complain.

v2:
 - clean solution instead of quick solution. Fix the actual API
   definition

Change-Id: If0dcdde30879fd6185efb2ad31399c1629c04d22
Signed-off-by: Frank Lichtenheld 
Acked-by: Arne Schwabe 
Message-Id: <20240327162621.1792414-1-fr...@lichtenheld.com>
URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28498.html
Signed-off-by: Gert Doering 
---
M src/openvpn/crypto_backend.h
M src/openvpn/crypto_mbedtls.c
M src/openvpn/crypto_mbedtls.h
M src/openvpn/crypto_openssl.c
M src/openvpn/crypto_openssl.h
5 files changed, 9 insertions(+), 5 deletions(-)




diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h
index 8d37e64..c454c64 100644
--- a/src/openvpn/crypto_backend.h
+++ b/src/openvpn/crypto_backend.h
@@ -336,10 +336,10 @@
  * @param key   Buffer containing the key to use
  * @param ciphernameCiphername of the cipher to use
  * @param enc   Whether to encrypt or decrypt (either
- *  \c MBEDTLS_OP_ENCRYPT or \c MBEDTLS_OP_DECRYPT).
+ *  \c OPENVPN_OP_ENCRYPT or \c OPENVPN_OP_DECRYPT).
  */
 void cipher_ctx_init(cipher_ctx_t *ctx, const uint8_t *key,
- const char *cipername, int enc);
+ const char *cipername, crypto_operation_t enc);

 /**
  * Returns the size of the IV used by the cipher, in bytes, or 0 if no IV is
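
Review bot: the prototype still spells the parameter `cipername` while the Doxygen block names it `ciphername` and both definitions below use `ciphername`; since the line is rewritten anyway, fix the spelling so Doxygen can match the `@param` entry to the parameter.
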
diff --git a/src/openvpn/crypto_mbedtls.c b/src/openvpn/crypto_mbedtls.c
index 1a39752..c230292 100644
--- a/src/openvpn/crypto_mbedtls.c
+++ b/src/openvpn/crypto_mbedtls.c
@@ -566,7 +566,7 @@

 void
 cipher_ctx_init(mbedtls_cipher_context_t *ctx, const uint8_t *key,
-const char *ciphername, const mbedtls_operation_t operation)
+const char *ciphername, crypto_operation_t enc)
 {
 ASSERT(NULL != ciphername && NULL != ctx);
 CLEAR(*ctx);
@@ -580,7 +580,7 @@
 msg(M_FATAL, "mbed TLS cipher context init #1");
 }

-if (!mbed_ok(mbedtls_cipher_setkey(ctx, key, (int)key_bitlen, operation)))
+if (!mbed_ok(mbedtls_cipher_setkey(ctx, key, (int)key_bitlen, enc)))
 {
 msg(M_FATAL, "mbed TLS cipher set key");
 }
diff --git a/src/openvpn/crypto_mbedtls.h b/src/openvpn/crypto_mbedtls.h
index 46f76e2..48d1e20 100644
--- a/src/openvpn/crypto_mbedtls.h
+++ b/src/openvpn/crypto_mbedtls.h
@@ -63,6 +63,8 @@
 /** Cipher is in GCM mode */
 #define OPENVPN_MODE_GCMMBEDTLS_MODE_GCM

+typedef mbedtls_operation_t crypto_operation_t;
+
 /** Cipher should encrypt */
 #define OPENVPN_OP_ENCRYPT  MBEDTLS_ENCRYPT

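Review bot: the new typedef is the only item in this block without a `/** ... */` comment, and `crypto_backend.h` now uses `crypto_operation_t` in a public prototype without defining or documenting it in the backend-neutral header. Suggest a short Doxygen comment on the typedef (here and in crypto_openssl.h) saying that it is the type of `OPENVPN_OP_ENCRYPT`/`OPENVPN_OP_DECRYPT`, so a reader of crypto_backend.h can find where the type comes from.
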
diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
index 50683b6..bfc5e37 100644
--- a/src/openvpn/crypto_openssl.c
+++ b/src/openvpn/crypto_openssl.c
@@ -840,7 +840,7 @@

 void
 cipher_ctx_init(EVP_CIPHER_CTX *ctx, const uint8_t *key,
-const char *ciphername, int enc)
+const char *ciphername, crypto_operation_t enc)
 {
 ASSERT(NULL != ciphername && NULL != ctx);
 evp_cipher_type *kt = cipher_get(ciphername);
diff --git a/src/openvpn/crypto_openssl.h b/src/openvpn/crypto_openssl.h
index c0e95b4..4cd988a 100644
--- a/src/openvpn/crypto_openssl.h
+++ b/src/openvpn/crypto_openssl.h
@@ -85,6 +85,8 @@
 /** Cipher is in GCM mode */
 #define OPENVPN_MODE_GCMEVP_CIPH_GCM_MODE

+typedef int crypto_operation_t;
+
 /** Cipher should encrypt */
 #define OPENVPN_OP_ENCRYPT  1

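Review bot: with `typedef int crypto_operation_t;` on the OpenSSL side the abstraction is only enforced by the mbedtls build, where the type is a real enum; a caller that passes a bare `1` or some unrelated int compiles cleanly against OpenSSL and is caught only when an mbedtls build runs with GCC 13 and `-Werror=enum-int-mismatch`, which is exactly how this mismatch surfaced. Make sure CI keeps an mbedtls `-Werror` build, or consider an enum on the OpenSSL side too so that both backends reject values other than `OPENVPN_OP_*`.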

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/548?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: If0dcdde30879fd6185efb2ad31399c1629c04d22
Gerrit-Change-Number: 548
Gerrit-PatchSet: 4
Gerrit-Owner: flichtenheld 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-CC: ordex 
Gerrit-MessageType: merged


[Openvpn-devel] [S] Change in openvpn[master]: crypto_backend: fix type of enc parameter

2024-03-31 Thread cron2 (Code Review)
cron2 has uploaded a new patch set (#4) to the change originally created by 
flichtenheld. ( http://gerrit.openvpn.net/c/openvpn/+/548?usp=email )

The following approvals got outdated and were removed:
Code-Review+2 by plaisthos


Change subject: crypto_backend: fix type of enc parameter
..

crypto_backend: fix type of enc parameter

We had parts of an abstraction, but it wasn't consistent.
GCC 13 now complains about the type mismatch with mbedtls:

crypto_mbedtls.c:568:1: error:
conflicting types for ‘cipher_ctx_init’ due to enum/integer mismatch;
have ‘void(mbedtls_cipher_context_t *, const uint8_t *, const char *, const 
mbedtls_operation_t)’
[...] [-Werror=enum-int-mismatch]
crypto_backend.h:341:6: note:
previous declaration of ‘cipher_ctx_init’ with type
‘void(cipher_ctx_t *, const uint8_t *, const char *, int)’ [...]

Previous compiler versions did not complain.

v2:
 - clean solution instead of quick solution. Fix the actual API
   definition

Change-Id: If0dcdde30879fd6185efb2ad31399c1629c04d22
Signed-off-by: Frank Lichtenheld 
Acked-by: Arne Schwabe 
Message-Id: <20240327162621.1792414-1-fr...@lichtenheld.com>
URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28498.html
Signed-off-by: Gert Doering 
---
M src/openvpn/crypto_backend.h
M src/openvpn/crypto_mbedtls.c
M src/openvpn/crypto_mbedtls.h
M src/openvpn/crypto_openssl.c
M src/openvpn/crypto_openssl.h
5 files changed, 9 insertions(+), 5 deletions(-)


  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/48/548/4

diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h
index 8d37e64..c454c64 100644
--- a/src/openvpn/crypto_backend.h
+++ b/src/openvpn/crypto_backend.h
@@ -336,10 +336,10 @@
  * @param key   Buffer containing the key to use
  * @param ciphernameCiphername of the cipher to use
  * @param enc   Whether to encrypt or decrypt (either
- *  \c MBEDTLS_OP_ENCRYPT or \c MBEDTLS_OP_DECRYPT).
+ *  \c OPENVPN_OP_ENCRYPT or \c OPENVPN_OP_DECRYPT).
  */
 void cipher_ctx_init(cipher_ctx_t *ctx, const uint8_t *key,
- const char *cipername, int enc);
+ const char *cipername, crypto_operation_t enc);

 /**
  * Returns the size of the IV used by the cipher, in bytes, or 0 if no IV is
diff --git a/src/openvpn/crypto_mbedtls.c b/src/openvpn/crypto_mbedtls.c
index 1a39752..c230292 100644
--- a/src/openvpn/crypto_mbedtls.c
+++ b/src/openvpn/crypto_mbedtls.c
@@ -566,7 +566,7 @@

 void
 cipher_ctx_init(mbedtls_cipher_context_t *ctx, const uint8_t *key,
-const char *ciphername, const mbedtls_operation_t operation)
+const char *ciphername, crypto_operation_t enc)
 {
 ASSERT(NULL != ciphername && NULL != ctx);
 CLEAR(*ctx);
@@ -580,7 +580,7 @@
 msg(M_FATAL, "mbed TLS cipher context init #1");
 }

-if (!mbed_ok(mbedtls_cipher_setkey(ctx, key, (int)key_bitlen, operation)))
+if (!mbed_ok(mbedtls_cipher_setkey(ctx, key, (int)key_bitlen, enc)))
 {
 msg(M_FATAL, "mbed TLS cipher set key");
 }
diff --git a/src/openvpn/crypto_mbedtls.h b/src/openvpn/crypto_mbedtls.h
index 46f76e2..48d1e20 100644
--- a/src/openvpn/crypto_mbedtls.h
+++ b/src/openvpn/crypto_mbedtls.h
@@ -63,6 +63,8 @@
 /** Cipher is in GCM mode */
 #define OPENVPN_MODE_GCMMBEDTLS_MODE_GCM

+typedef mbedtls_operation_t crypto_operation_t;
+
 /** Cipher should encrypt */
 #define OPENVPN_OP_ENCRYPT  MBEDTLS_ENCRYPT

diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
index 50683b6..bfc5e37 100644
--- a/src/openvpn/crypto_openssl.c
+++ b/src/openvpn/crypto_openssl.c
@@ -840,7 +840,7 @@

 void
 cipher_ctx_init(EVP_CIPHER_CTX *ctx, const uint8_t *key,
-const char *ciphername, int enc)
+const char *ciphername, crypto_operation_t enc)
 {
 ASSERT(NULL != ciphername && NULL != ctx);
 evp_cipher_type *kt = cipher_get(ciphername);
diff --git a/src/openvpn/crypto_openssl.h b/src/openvpn/crypto_openssl.h
index c0e95b4..4cd988a 100644
--- a/src/openvpn/crypto_openssl.h
+++ b/src/openvpn/crypto_openssl.h
@@ -85,6 +85,8 @@
 /** Cipher is in GCM mode */
 #define OPENVPN_MODE_GCMEVP_CIPH_GCM_MODE

+typedef int crypto_operation_t;
+
 /** Cipher should encrypt */
 #define OPENVPN_OP_ENCRYPT  1


--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/548?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: If0dcdde30879fd6185efb2ad31399c1629c04d22
Gerrit-Change-Number: 548
Gerrit-PatchSet: 4
Gerrit-Owner: flichtenheld 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-CC: ordex 
Gerrit-MessageType: newpatchset

[Openvpn-devel] [S] Change in openvpn[master]: misc.c: remove unused code

2024-03-29 Thread cron2 (Code Review)
cron2 has uploaded a new patch set (#2) to the change originally created by 
stipa. ( http://gerrit.openvpn.net/c/openvpn/+/550?usp=email )

The following approvals got outdated and were removed:
Code-Review+2 by flichtenheld


Change subject: misc.c: remove unused code
..

misc.c: remove unused code

Commit

  3a4fb1 "Ensure --auth-nocache is handled during renegotiation"

has changed the behavior of set_auth_token(), but left an unused parameter

  struct user_pass *up

Remove this parameter and amend comments accordingly. Also remove
unused function definition from misc.h.

Signed-off-by: Lev Stipakov 
Acked-by: Frank Lichtenheld 

Change-Id: Ic440f2c8d46dfcb5ff41ba2f33bf28bb7286eec4
Message-Id: <20240329103739.28254-1-g...@greenie.muc.de>
URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28503.html
Signed-off-by: Gert Doering 
---
M src/openvpn/misc.c
M src/openvpn/misc.h
M src/openvpn/ssl.c
3 files changed, 5 insertions(+), 17 deletions(-)


  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/50/550/2

diff --git a/src/openvpn/misc.c b/src/openvpn/misc.c
index 3ff0857..598fbae 100644
--- a/src/openvpn/misc.c
+++ b/src/openvpn/misc.c
@@ -491,19 +491,15 @@
 }

 void
-set_auth_token(struct user_pass *up, struct user_pass *tk, const char *token)
+set_auth_token(struct user_pass *tk, const char *token)
 {
-
 if (strlen(token))
 {
 strncpynt(tk->password, token, USER_PASS_LEN);
 tk->token_defined = true;

 /*
- * --auth-token has no username, so it needs the username
- * either already set or copied from up, or later set by
- * --auth-token-user
- * If already set, tk is fully defined.
+ * If username already set, tk is fully defined.
  */
 if (strlen(tk->username))
 {
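
Review bot: the rewritten comment drops the note that the username may still be supplied later by `--auth-token-user`; only the "copied from up" part became obsolete with this change, so keep that sentence, otherwise the reader of the else branch no longer sees why a token without a username is accepted here.
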
diff --git a/src/openvpn/misc.h b/src/openvpn/misc.h
index cb3bf68..963f3e6 100644
--- a/src/openvpn/misc.h
+++ b/src/openvpn/misc.h
@@ -152,26 +152,18 @@
 return get_user_pass_cr(up, auth_file, prefix, flags, NULL);
 }

-void fail_user_pass(const char *prefix,
-const unsigned int flags,
-const char *reason);
-
 void purge_user_pass(struct user_pass *up, const bool force);

 /**
- * Sets the auth-token to token. If a username is available from
- * either up or already present in tk that will be used as default
- * username for the token. The method will also purge up if
+ * Sets the auth-token to token. The method will also purge up if
  * the auth-nocache option is active.
  *
- * @param up(non Auth-token) Username/password
  * @param tkauth-token userpass to set
  * @param token token to use as password for the auth-token
  *
  * @noteall parameters to this function must not be null.
  */
-void set_auth_token(struct user_pass *up, struct user_pass *tk,
-const char *token);
+void set_auth_token(struct user_pass *tk, const char *token);

 /**
  * Sets the auth-token username by base64 decoding the passed
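
Review bot: the rewritten Doxygen still says "The method will also purge up if the auth-nocache option is active", but `up` is no longer a parameter, so the sentence now refers to nothing; drop it or say what is purged instead. Also, the commit message speaks of removing an unused function "definition" from misc.h, while the lines removed here are the declaration of `fail_user_pass()`; the message should say declaration (and it is worth confirming that no definition is left behind in misc.c).
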
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 7895a37..7c49451 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -340,7 +340,7 @@
 void
 ssl_set_auth_token(const char *token)
 {
-set_auth_token(_user_pass, _token, token);
+set_auth_token(_token, token);
 }

 void

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/550?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Ic440f2c8d46dfcb5ff41ba2f33bf28bb7286eec4
Gerrit-Change-Number: 550
Gerrit-PatchSet: 2
Gerrit-Owner: stipa 
Gerrit-Reviewer: flichtenheld 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-MessageType: newpatchset


[Openvpn-devel] [S] Change in openvpn[master]: misc.c: remove unused code

2024-03-29 Thread cron2 (Code Review)
cron2 has submitted this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/550?usp=email )

Change subject: misc.c: remove unused code
..

misc.c: remove unused code

Commit

  3a4fb1 "Ensure --auth-nocache is handled during renegotiation"

has changed the behavior of set_auth_token(), but left an unused parameter

  struct user_pass *up

Remove this parameter and amend comments accordingly. Also remove
unused function definition from misc.h.

Signed-off-by: Lev Stipakov 
Acked-by: Frank Lichtenheld 

Change-Id: Ic440f2c8d46dfcb5ff41ba2f33bf28bb7286eec4
Message-Id: <20240329103739.28254-1-g...@greenie.muc.de>
URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28503.html
Signed-off-by: Gert Doering 
---
M src/openvpn/misc.c
M src/openvpn/misc.h
M src/openvpn/ssl.c
3 files changed, 5 insertions(+), 17 deletions(-)




diff --git a/src/openvpn/misc.c b/src/openvpn/misc.c
index 3ff0857..598fbae 100644
--- a/src/openvpn/misc.c
+++ b/src/openvpn/misc.c
@@ -491,19 +491,15 @@
 }

 void
-set_auth_token(struct user_pass *up, struct user_pass *tk, const char *token)
+set_auth_token(struct user_pass *tk, const char *token)
 {
-
 if (strlen(token))
 {
 strncpynt(tk->password, token, USER_PASS_LEN);
 tk->token_defined = true;

 /*
- * --auth-token has no username, so it needs the username
- * either already set or copied from up, or later set by
- * --auth-token-user
- * If already set, tk is fully defined.
+ * If username already set, tk is fully defined.
  */
 if (strlen(tk->username))
 {
diff --git a/src/openvpn/misc.h b/src/openvpn/misc.h
index cb3bf68..963f3e6 100644
--- a/src/openvpn/misc.h
+++ b/src/openvpn/misc.h
@@ -152,26 +152,18 @@
 return get_user_pass_cr(up, auth_file, prefix, flags, NULL);
 }

-void fail_user_pass(const char *prefix,
-const unsigned int flags,
-const char *reason);
-
 void purge_user_pass(struct user_pass *up, const bool force);

 /**
- * Sets the auth-token to token. If a username is available from
- * either up or already present in tk that will be used as default
- * username for the token. The method will also purge up if
+ * Sets the auth-token to token. The method will also purge up if
  * the auth-nocache option is active.
  *
- * @param up(non Auth-token) Username/password
  * @param tkauth-token userpass to set
  * @param token token to use as password for the auth-token
  *
  * @noteall parameters to this function must not be null.
  */
-void set_auth_token(struct user_pass *up, struct user_pass *tk,
-const char *token);
+void set_auth_token(struct user_pass *tk, const char *token);

 /**
  * Sets the auth-token username by base64 decoding the passed
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 7895a37..7c49451 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -340,7 +340,7 @@
 void
 ssl_set_auth_token(const char *token)
 {
-set_auth_token(_user_pass, _token, token);
+set_auth_token(_token, token);
 }

 void

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/550?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Ic440f2c8d46dfcb5ff41ba2f33bf28bb7286eec4
Gerrit-Change-Number: 550
Gerrit-PatchSet: 2
Gerrit-Owner: stipa 
Gerrit-Reviewer: flichtenheld 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-MessageType: merged


[Openvpn-devel] [XS] Change in openvpn[master]: Add bracket in fingerprint message and do not warn about missing veri...

2024-03-26 Thread cron2 (Code Review)
cron2 has submitted this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/546?usp=email )

Change subject: Add bracket in fingerprint message and do not warn about 
missing verification
..

Add bracket in fingerprint message and do not warn about missing verification

Github: fixes OpenVPN/openvpn#516

Change-Id: Ia73d53002f4ba2658af18c17cce1b68f79de5781
Signed-off-by: Arne Schwabe 
Acked-by: Frank Lichtenheld 
Message-Id: <20240326103853.494572-1-fr...@lichtenheld.com>
URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28474.html
Signed-off-by: Gert Doering 
---
M src/openvpn/init.c
M src/openvpn/ssl_verify.c
2 files changed, 4 insertions(+), 3 deletions(-)




diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index f2ce926..02205e7 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -3594,7 +3594,8 @@
 && !o->tls_verify
 && o->verify_x509_type == VERIFY_X509_NONE
 && !(o->ns_cert_type & NS_CERT_CHECK_SERVER)
-&& !o->remote_cert_eku)
+&& !o->remote_cert_eku
+&& !(o->verify_hash_depth == 0 && o->verify_hash))
 {
 msg(M_WARN, "WARNING: No server certificate verification method has 
been enabled.  See http://openvpn.net/howto.html#mitm for more info.");
 }
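
Review bot: the new clause exempts only `verify_hash_depth == 0`, i.e. a pinned leaf certificate fingerprint; a `--verify-hash` at a non-zero depth pins an issuer rather than the server certificate and still triggers the warning. That looks intended, but nothing in the code says so. Add a comment on the `depth == 0` condition (and a sentence in the commit message, which currently only references the GitHub issue) so that nobody later "simplifies" it to `o->verify_hash` alone.
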
diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c
index c7d7799..930769b 100644
--- a/src/openvpn/ssl_verify.c
+++ b/src/openvpn/ssl_verify.c
@@ -718,8 +718,8 @@
 const char *hex_fp = format_hex_ex(BPTR(_fp), BLEN(_fp),
0, 1, ":", );
 msg(D_TLS_ERRORS, "TLS Error: --tls-verify/--peer-fingerprint"
-"certificate hash verification failed. (got "
-"fingerprint: %s", hex_fp);
+"certificate hash verification failed. (got certificate "
+"fingerprint: %s)", hex_fp);
 goto cleanup;
 }
 }
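
Review bot: the closing parenthesis is fixed, but the literal on the line above still ends in `--peer-fingerprint"` with no trailing space before `"certificate hash verification failed`, so the concatenated message reads `--peer-fingerprintcertificate hash verification failed`. Add the space while this string is being touched.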

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/546?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Ia73d53002f4ba2658af18c17cce1b68f79de5781
Gerrit-Change-Number: 546
Gerrit-PatchSet: 2
Gerrit-Owner: plaisthos 
Gerrit-Reviewer: flichtenheld 
Gerrit-CC: openvpn-devel 
Gerrit-CC: ordex 
Gerrit-MessageType: merged


[Openvpn-devel] [XS] Change in openvpn[master]: Add bracket in fingerprint message and do not warn about missing veri...

2024-03-26 Thread cron2 (Code Review)
cron2 has uploaded a new patch set (#2) to the change originally created by 
plaisthos. ( http://gerrit.openvpn.net/c/openvpn/+/546?usp=email )

The following approvals got outdated and were removed:
Code-Review+2 by flichtenheld


Change subject: Add bracket in fingerprint message and do not warn about 
missing verification
..

Add bracket in fingerprint message and do not warn about missing verification

Github: fixes OpenVPN/openvpn#516

Change-Id: Ia73d53002f4ba2658af18c17cce1b68f79de5781
Signed-off-by: Arne Schwabe 
Acked-by: Frank Lichtenheld 
Message-Id: <20240326103853.494572-1-fr...@lichtenheld.com>
URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28474.html
Signed-off-by: Gert Doering 
---
M src/openvpn/init.c
M src/openvpn/ssl_verify.c
2 files changed, 4 insertions(+), 3 deletions(-)


  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/46/546/2

diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index f2ce926..02205e7 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -3594,7 +3594,8 @@
 && !o->tls_verify
 && o->verify_x509_type == VERIFY_X509_NONE
 && !(o->ns_cert_type & NS_CERT_CHECK_SERVER)
-&& !o->remote_cert_eku)
+&& !o->remote_cert_eku
+&& !(o->verify_hash_depth == 0 && o->verify_hash))
 {
 msg(M_WARN, "WARNING: No server certificate verification method has 
been enabled.  See http://openvpn.net/howto.html#mitm for more info.");
 }
diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c
index c7d7799..930769b 100644
--- a/src/openvpn/ssl_verify.c
+++ b/src/openvpn/ssl_verify.c
@@ -718,8 +718,8 @@
 const char *hex_fp = format_hex_ex(BPTR(_fp), BLEN(_fp),
0, 1, ":", );
 msg(D_TLS_ERRORS, "TLS Error: --tls-verify/--peer-fingerprint"
-"certificate hash verification failed. (got "
-"fingerprint: %s", hex_fp);
+"certificate hash verification failed. (got certificate "
+"fingerprint: %s)", hex_fp);
 goto cleanup;
 }
 }

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/546?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Ia73d53002f4ba2658af18c17cce1b68f79de5781
Gerrit-Change-Number: 546
Gerrit-PatchSet: 2
Gerrit-Owner: plaisthos 
Gerrit-Reviewer: flichtenheld 
Gerrit-CC: openvpn-devel 
Gerrit-CC: ordex 
Gerrit-MessageType: newpatchset


[Openvpn-devel] [S] Change in openvpn[master]: Fix snprintf/swnprintf related compiler warnings

2024-03-26 Thread cron2 (Code Review)
cron2 has submitted this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/549?usp=email )

Change subject: Fix snprintf/swnprintf related compiler warnings
..

Fix snprintf/swnprintf related compiler warnings

When openvpn_snprintf is replaced by snprintf the GCC/MSVC compiler
will perform additional checks that the result is not truncated.

This warning can be avoided by either explicitly checking the return value
of snprintf (proxy) or ensuring that it is never truncated (tls crypt)

Change-Id: If23988a05dd53a519c5e57f2aa3b2d10bd29df1d
Signed-off-by: Arne Schwabe 
Acked-by: Frank Lichtenheld 
Message-Id: <20240326104101.531291-1-fr...@lichtenheld.com>
URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28475.html
Signed-off-by: Gert Doering 
---
M src/openvpn/proxy.c
M src/openvpn/socks.c
M src/openvpn/ssl_openssl.c
M src/openvpn/tls_crypt.c
M src/openvpnserv/interactive.c
5 files changed, 25 insertions(+), 17 deletions(-)




diff --git a/src/openvpn/proxy.c b/src/openvpn/proxy.c
index c904301..5c1cdcb 100644
--- a/src/openvpn/proxy.c
+++ b/src/openvpn/proxy.c
@@ -948,17 +948,21 @@
 }

 /* send digest response */
-openvpn_snprintf(buf, sizeof(buf), "Proxy-Authorization: 
Digest username=\"%s\", realm=\"%s\", nonce=\"%s\", uri=\"%s\", qop=%s, nc=%s, 
cnonce=\"%s\", response=\"%s\"%s",
- username,
- realm,
- nonce,
- uri,
- qop,
- nonce_count,
- cnonce,
- response,
- opaque_kv
- );
+int sret = openvpn_snprintf(buf, sizeof(buf), 
"Proxy-Authorization: Digest username=\"%s\", realm=\"%s\", nonce=\"%s\", 
uri=\"%s\", qop=%s, nc=%s, cnonce=\"%s\", response=\"%s\"%s",
+username,
+realm,
+nonce,
+uri,
+qop,
+nonce_count,
+cnonce,
+response,
+opaque_kv
+);
+if (sret >= sizeof(buf))
+{
+goto error;
+}
 msg(D_PROXY, "Send to HTTP proxy: '%s'", buf);
 if (!send_line_crlf(sd, buf))
 {
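
Review bot: `sret >= sizeof(buf)` compares a signed `int` with a `size_t`; a negative return (encoding error) is converted to a huge unsigned value and does reach `goto error`, but only by accident of the conversion rules, and it trips `-Wsign-compare`. Write the intent out: `if (sret < 0 || (size_t)sret >= sizeof(buf)) goto error;`. Note also that the check assumes the C99 snprintf return convention (the number of characters the full output would need); the commit message says openvpn_snprintf is still to be replaced by snprintf, so the check is only meaningful once that replacement lands, and the two changes should either go in together or the dependency should be stated in the message.
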
diff --git a/src/openvpn/socks.c b/src/openvpn/socks.c
index d842666..b046910 100644
--- a/src/openvpn/socks.c
+++ b/src/openvpn/socks.c
@@ -109,8 +109,11 @@
 "Authentication not possible.");
 goto cleanup;
 }
-openvpn_snprintf(to_send, sizeof(to_send), "\x01%c%s%c%s", (int) 
strlen(creds.username),
- creds.username, (int) strlen(creds.password), 
creds.password);
+int sret = openvpn_snprintf(to_send, sizeof(to_send), "\x01%c%s%c%s",
+(int) strlen(creds.username), creds.username,
+(int) strlen(creds.password), creds.password);
+ASSERT(sret <= sizeof(to_send));
+
 size = send(sd, to_send, strlen(to_send), MSG_NOSIGNAL);

 if (size != strlen(to_send))
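
Review bot: `ASSERT(sret <= sizeof(to_send))` is one off: a return value equal to `sizeof(to_send)` means the last character was dropped to make room for the NUL, so the truncated case passes the assertion. It should be `sret < sizeof(to_send)`, with the same `sret < 0 ||` and `(size_t)` cast as in proxy.c. Independently, the message is built with `%c` from `strlen()` values and then measured with `strlen(to_send)` for `send()`: an empty username or password hands `%c` a 0 that ends the string early, and a length above 255 does not fit in the octet. Pre-existing, but worth a follow-up.
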
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 4383e98..6f29c3d 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -2069,7 +2069,7 @@
 #endif

 #ifndef OPENSSL_NO_EC
-char groupname[256];
+char groupname[64];
 if (is_ec)
 {
 size_t len;
@@ -2130,7 +2130,7 @@
 print_cert_details(X509 *cert, char *buf, size_t buflen)
 {
 EVP_PKEY *pkey = X509_get_pubkey(cert);
-char pkeybuf[128] = { 0 };
+char pkeybuf[64] = { 0 };
 print_pkey_details(pkey, pkeybuf, sizeof(pkeybuf));

 char sig[128] = { 0 };
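
Review bot: shrinking `groupname` from 256 to 64 and `pkeybuf` from 128 to 64 is not explained by the commit message, which only talks about proxy.c and tls_crypt.c; presumably the smaller arrays let the compiler prove that a later `snprintf` into the caller's buffer cannot truncate, but a reader cannot tell whether 64 is enough for every group name OpenSSL can return. State the reasoning (and the longest expected name) in the commit message or in a comment next to the arrays.
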
diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c
index 975d31f..6ef1c7d 100644
--- a/src/openvpn/tls_crypt.c
+++ b/src/openvpn/tls_crypt.c
@@ -575,7 +575,7 @@

 char metadata_type_str[4] = { 0 }; /* Max value: 255 */
 openvpn_snprintf(metadata_type_str, sizeof(metadata_type_str),
- "%i", metadata_type);
+ "%i", (uint8_t) metadata_type);
 struct env_set *es = env_set_create(NULL);
 setenv_str(es, "script_type", "tls-crypt-v2-verify");
 setenv_str(es, "metadata_type", metadata_type_str);
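
Review bot: the `(uint8_t)` cast exists so the compiler's range analysis can see that the value fits in the 4-byte `metadata_type_str` (three digits plus NUL, matching the `Max value: 255` comment), but nothing in the code says so, and a later cleanup will likely remove a cast that looks redundant. If `metadata_type` is already a `uint8_t`, say in the comment that the cast is there for `-Wformat-truncation`; if it is wider, the cast silently wraps values above 255 and an explicit range check would be the safer fix.
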
diff --git a/src/openvpnserv/interactive.c b/src/openvpnserv/interactive.c
index 452633c..d32223c 100644
--- a/src/openvpnserv/interactive.c
+++ b/src/openvpnserv/interactive.c
@@ -33,6 +33,7 @@
 #include 
 #include 
 #include 
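
The return-value check that the commit message above describes, worked through as an added example in C; this is not code from the OpenVPN patch or tree. `build_digest_header()` is a reduced form of the proxy.c header (fewer Digest fields) with the truncation check written out in full, `build_socks5_userpass()` is an alternative formulation of the socks.c message that writes the RFC 1929 length octets directly instead of going through `%c`, and `lax_check_misses_truncation()` shows the boundary case that a `<=` comparison lets through. All function names are this example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * snprintf() returns the number of characters the complete output needs,
 * not counting the terminating NUL, or a negative value on an encoding
 * error. The output fits only if that count is strictly less than the
 * buffer size: a return value equal to the buffer size means the last
 * character was dropped to make room for the NUL.
 */
static bool
snprintf_fit(int ret, size_t bufsize)
{
    return ret >= 0 && (size_t)ret < bufsize;
}

/*
 * Format an HTTP Digest Proxy-Authorization header (a reduced form of the
 * one proxy.c builds, with fewer fields). Returns the header length, or -1
 * if buf is too small, in which case buf is emptied so that a cut-off
 * header can never be sent to the proxy.
 */
int
build_digest_header(char *buf, size_t bufsize,
                    const char *username, const char *realm,
                    const char *nonce, const char *uri, const char *response)
{
    int ret = snprintf(buf, bufsize,
                       "Proxy-Authorization: Digest username=\"%s\", "
                       "realm=\"%s\", nonce=\"%s\", uri=\"%s\", "
                       "response=\"%s\"",
                       username, realm, nonce, uri, response);
    if (!snprintf_fit(ret, bufsize))
    {
        if (bufsize > 0)
        {
            buf[0] = '\0';
        }
        return -1;
    }
    return ret;
}

/*
 * Build the RFC 1929 SOCKS5 username/password request:
 *   0x01 | ULEN | UNAME | PLEN | PASSWD
 * socks.c formats this with "\x01%c%s%c%s" and then measures it with
 * strlen(). Writing the octets directly avoids two traps of that approach:
 * an empty field gives "%c" a 0 that ends the string early, and a field
 * longer than 255 bytes does not fit in one length octet. Returns the
 * message length, or -1 if the credentials are out of range or out does
 * not have room for them.
 */
int
build_socks5_userpass(unsigned char *out, size_t outsize,
                      const char *username, const char *password)
{
    size_t ulen = strlen(username);
    size_t plen = strlen(password);
    if (ulen == 0 || ulen > 255 || plen == 0 || plen > 255)
    {
        return -1;
    }
    size_t need = 3 + ulen + plen;
    if (need > outsize)
    {
        return -1;
    }
    unsigned char *p = out;
    *p++ = 0x01;                 /* sub-negotiation version */
    *p++ = (unsigned char)ulen;
    memcpy(p, username, ulen);
    p += ulen;
    *p++ = (unsigned char)plen;
    memcpy(p, password, plen);
    return (int)need;
}

/*
 * Shows the boundary case: with a 5-byte buffer, a 5-character text is
 * stored as 4 characters plus NUL while snprintf() returns 5. A check of
 * the form "ret <= sizeof(buf)" accepts that result; the strict "<" check
 * rejects it. Returns true exactly when the lax check would let a
 * truncated result through.
 */
bool
lax_check_misses_truncation(const char *text)
{
    char small[5];
    int ret = snprintf(small, sizeof(small), "%s", text);
    bool lax_ok = ret >= 0 && (size_t)ret <= sizeof(small);
    bool strict_ok = snprintf_fit(ret, sizeof(small));
    return lax_ok && !strict_ok && strlen(small) < strlen(text);
}
```

The header builder clears the buffer on failure so a caller that forgets to test the return value still cannot send a half-written `Proxy-Authorization` line; the SOCKS builder rejects empty and over-long fields up front instead of relying on the formatted string staying NUL-free.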

[Openvpn-devel] [S] Change in openvpn[master]: Fix snprintf/swnprintf related compiler warnings

2024-03-26 Thread cron2 (Code Review)
cron2 has uploaded a new patch set (#2) to the change originally created by 
plaisthos. ( http://gerrit.openvpn.net/c/openvpn/+/549?usp=email )

The following approvals got outdated and were removed:
Code-Review+2 by flichtenheld


Change subject: Fix snprintf/swnprintf related compiler warnings
..

Fix snprintf/swnprintf related compiler warnings

When openvpn_snprintf is replaced by snprintf the GCC/MSVC compiler
will perform additional checks that the result is not truncated.

This warning can be avoided by either explicitly checking the return value
of snprintf (proxy) or ensuring that it is never truncated (tls crypt)

Change-Id: If23988a05dd53a519c5e57f2aa3b2d10bd29df1d
Signed-off-by: Arne Schwabe 
Acked-by: Frank Lichtenheld 
Message-Id: <20240326104101.531291-1-fr...@lichtenheld.com>
URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28475.html
Signed-off-by: Gert Doering 
---
M src/openvpn/proxy.c
M src/openvpn/socks.c
M src/openvpn/ssl_openssl.c
M src/openvpn/tls_crypt.c
M src/openvpnserv/interactive.c
5 files changed, 25 insertions(+), 17 deletions(-)


  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/49/549/2

diff --git a/src/openvpn/proxy.c b/src/openvpn/proxy.c
index c904301..5c1cdcb 100644
--- a/src/openvpn/proxy.c
+++ b/src/openvpn/proxy.c
@@ -948,17 +948,21 @@
 }

 /* send digest response */
-openvpn_snprintf(buf, sizeof(buf), "Proxy-Authorization: 
Digest username=\"%s\", realm=\"%s\", nonce=\"%s\", uri=\"%s\", qop=%s, nc=%s, 
cnonce=\"%s\", response=\"%s\"%s",
- username,
- realm,
- nonce,
- uri,
- qop,
- nonce_count,
- cnonce,
- response,
- opaque_kv
- );
+int sret = openvpn_snprintf(buf, sizeof(buf), 
"Proxy-Authorization: Digest username=\"%s\", realm=\"%s\", nonce=\"%s\", 
uri=\"%s\", qop=%s, nc=%s, cnonce=\"%s\", response=\"%s\"%s",
+username,
+realm,
+nonce,
+uri,
+qop,
+nonce_count,
+cnonce,
+response,
+opaque_kv
+);
+if (sret >= sizeof(buf))
+{
+goto error;
+}
 msg(D_PROXY, "Send to HTTP proxy: '%s'", buf);
 if (!send_line_crlf(sd, buf))
 {
diff --git a/src/openvpn/socks.c b/src/openvpn/socks.c
index d842666..b046910 100644
--- a/src/openvpn/socks.c
+++ b/src/openvpn/socks.c
@@ -109,8 +109,11 @@
 "Authentication not possible.");
 goto cleanup;
 }
-openvpn_snprintf(to_send, sizeof(to_send), "\x01%c%s%c%s", (int) 
strlen(creds.username),
- creds.username, (int) strlen(creds.password), 
creds.password);
+int sret = openvpn_snprintf(to_send, sizeof(to_send), "\x01%c%s%c%s",
+(int) strlen(creds.username), creds.username,
+(int) strlen(creds.password), creds.password);
+ASSERT(sret <= sizeof(to_send));
+
 size = send(sd, to_send, strlen(to_send), MSG_NOSIGNAL);

 if (size != strlen(to_send))
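Review bot: `ASSERT(sret <= sizeof(to_send))` is off by one. snprintf-style functions return the length the complete output would have had, excluding the terminating NUL, so a return value equal to sizeof(to_send) means the last character has already been dropped; the condition must be `sret < sizeof(to_send)` (with the same signed/unsigned caveat as in proxy.c: `sret >= 0 && (size_t)sret < sizeof(to_send)`). Worth reconsidering as well that ASSERT aborts the process, so over-long values in creds.username or creds.password now terminate openvpn instead of failing the SOCKS handshake; an error message plus `goto cleanup`, as the "Authentication not possible." case a few lines above already does, would degrade more gracefully.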
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 4383e98..6f29c3d 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -2069,7 +2069,7 @@
 #endif

 #ifndef OPENSSL_NO_EC
-char groupname[256];
+char groupname[64];
 if (is_ec)
 {
 size_t len;
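Review bot: shrinking `groupname` from 256 to 64 bytes is presumably what lets the compiler prove that the later formatting into the caller's buffer cannot truncate, but neither the hunk nor the commit message says so. Add a short comment at the declaration stating the bound (OpenSSL curve names such as prime256v1 or brainpoolP512r1 are far shorter than 63 characters) so the next reader does not take 64 for an arbitrary number.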
@@ -2130,7 +2130,7 @@
 print_cert_details(X509 *cert, char *buf, size_t buflen)
 {
 EVP_PKEY *pkey = X509_get_pubkey(cert);
-char pkeybuf[128] = { 0 };
+char pkeybuf[64] = { 0 };
 print_pkey_details(pkey, pkeybuf, sizeof(pkeybuf));

 char sig[128] = { 0 };
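Review bot: `pkeybuf` is halved to 64 bytes while `groupname` in the hunk above may still hold up to 63 characters; if print_pkey_details writes the key type and size together with the group name into pkeybuf, 64 bytes can still truncate. Please confirm that print_pkey_details bounds its output with the `buflen` argument it receives here (sizeof(pkeybuf)), so the shrink can only shorten the printed text and never overrun, and record the size relationship between the two buffers in a comment.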
diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c
index 975d31f..6ef1c7d 100644
--- a/src/openvpn/tls_crypt.c
+++ b/src/openvpn/tls_crypt.c
@@ -575,7 +575,7 @@

 char metadata_type_str[4] = { 0 }; /* Max value: 255 */
 openvpn_snprintf(metadata_type_str, sizeof(metadata_type_str),
- "%i", metadata_type);
+ "%i", (uint8_t) metadata_type);
 struct env_set *es = env_set_create(NULL);
 setenv_str(es, "script_type", "tls-crypt-v2-verify");
 setenv_str(es, "metadata_type", metadata_type_str);
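Review bot: the `(uint8_t) metadata_type` cast makes the value fit the 4-byte `metadata_type_str` ("Max value: 255") by construction, but it does so by silently wrapping anything above 255 rather than rejecting it. If metadata_type is already an 8-bit type, the cast is a harmless no-op and the comment should say so; if it is wider, an `ASSERT(metadata_type <= 255)` before the snprintf would document the invariant instead of masking a corrupt value on its way to the tls-crypt-v2-verify script.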
diff --git 
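As an added example (not code from the OpenVPN tree), the truncation check this commit describes, written out in C: the return-value test as the socks.c hunk spells it next to the strict form, and a SOCKS username/password message builder in the same "\x01%c%s%c%s" shape that returns an error instead of asserting when the buffer is too small. Names, buffer sizes and the "alice"/"secret" credentials are constructed for the example.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Truncation test as the socks.c hunk writes it (ret <= bufsize); the int
 * is converted to size_t for the comparison, exactly as in the original. */
static bool truncated_loose(int ret, size_t bufsize)
{
    return !((size_t)ret <= bufsize);
}

/* Correct test: snprintf returns the length the full output would have had,
 * NOT counting the terminating NUL, so ret == bufsize already means the last
 * character was dropped. A negative ret is an encoding error. */
static bool truncated_strict(int ret, size_t bufsize)
{
    return ret < 0 || (size_t)ret >= bufsize;
}

/* Format into dst; return the formatted length, or -1 if it did not fit.
 * On -1 the buffer content is unspecified and must not be sent. */
static int fmt_checked(char *dst, size_t dstlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int ret = vsnprintf(dst, dstlen, fmt, ap);
    va_end(ap);
    return truncated_strict(ret, dstlen) ? -1 : ret;
}

/* Build the SOCKS5 username/password sub-negotiation message
 * (version 0x01, ulen, uname, plen, passwd) the way socks.c formats it,
 * but fail instead of asserting when the buffer is too small.
 * Returns the message length, or -1 on truncation or unusable credentials. */
static int build_socks_userpass(char *out, size_t outlen,
                                const char *user, const char *pass)
{
    size_t ulen = strlen(user), plen = strlen(pass);
    /* each length is one byte on the wire; %c would silently wrap 256 to 0
     * and an empty string would embed a NUL that strlen() then stops at */
    if (ulen == 0 || ulen > 255 || plen == 0 || plen > 255)
    {
        return -1;
    }
    return fmt_checked(out, outlen, "\x01%c%s%c%s",
                       (int) ulen, user, (int) plen, pass);
}

/* Worked case: "alice"/"secret" needs 1+1+5+1+6 = 14 bytes plus the NUL. */
static int demo_len(size_t outlen)
{
    char out[64];
    if (outlen > sizeof(out))
    {
        return -2;
    }
    return build_socks_userpass(out, outlen, "alice", "secret");
}

/* Verify the wire layout byte by byte for the worked case. */
static bool demo_wire_ok(void)
{
    char out[64];
    int n = build_socks_userpass(out, sizeof(out), "alice", "secret");
    return n == 14 && out[0] == 1 && out[1] == 5
           && memcmp(out + 2, "alice", 5) == 0 && out[7] == 6
           && memcmp(out + 8, "secret", 6) == 0 && strlen(out) == 14;
}

int main(void)
{
    /* 14 bytes into a 14-byte buffer: the loose test says "fits", the
     * strict test says "truncated" (the final byte was dropped). */
    printf("loose: %d  strict: %d\n", truncated_loose(14, 14),
           truncated_strict(14, 14));
    printf("16-byte buffer: %d  15-byte: %d  14-byte: %d  wire ok: %d\n",
           demo_len(16), demo_len(15), demo_len(14), demo_wire_ok());
    return 0;
}
```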

[Openvpn-devel] [XS] Change in openvpn[master]: phase2_tcp_server: fix Coverity issue 'Dereference after null check'

2024-03-25 Thread cron2 (Code Review)
cron2 has submitted this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/490?usp=email )

Change subject: phase2_tcp_server: fix Coverity issue 'Dereference after null 
check'
..

phase2_tcp_server: fix Coverity issue 'Dereference after null check'

As Coverity says:
Either the check against null is unnecessary, or there may be a null
pointer dereference.
In phase2_tcp_server: Pointer is checked against null but then
dereferenced anyway

There is only one caller (link_socket_init_phase2) and it already has
an ASSERT(sig_info). So use that here as well.

v2:
 - fix cleanly by actually asserting that sig_info is defined

Change-Id: I8ef199463d46303129a3f563fd9eace780a58b8a
Signed-off-by: Frank Lichtenheld 
Acked-by: Arne Schwabe 
Message-Id: <20240325071448.12143-1-g...@greenie.muc.de>
URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28452.html
Signed-off-by: Gert Doering 
---
M src/openvpn/socket.c
1 file changed, 3 insertions(+), 2 deletions(-)




diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c
index 57eaee2..d2b82d5 100644
--- a/src/openvpn/socket.c
+++ b/src/openvpn/socket.c
@@ -2005,7 +2005,8 @@
 phase2_tcp_server(struct link_socket *sock, const char *remote_dynamic,
   struct signal_info *sig_info)
 {
-volatile int *signal_received = sig_info ? _info->signal_received : 
NULL;
+ASSERT(sig_info);
+volatile int *signal_received = _info->signal_received;
 switch (sock->mode)
 {
 case LS_MODE_DEFAULT:
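Review bot: replacing the `sig_info ? ... : NULL` fallback with `ASSERT(sig_info)` turns a would-be NULL dereference into a deliberate abort, which is the right resolution of the Coverity finding given that the only caller already asserts. Please also record the non-NULL requirement in the comment above the function, so a future caller does not reintroduce the optional-pointer assumption that the removed check implied.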
@@ -2031,7 +2032,7 @@
 false);
 if (!socket_defined(sock->sd))
 {
-register_signal(sig_info, SIGTERM, "socket-undefiled");
+register_signal(sig_info, SIGTERM, "socket-undefined");
 return;
 }
 tcp_connection_established(>info.lsa->actual);
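Review bot: the `socket-undefiled` to `socket-undefined` spelling fix is unrelated to the Coverity finding and is not mentioned in the commit message; either mention it there or split it into its own commit. Since the text is passed to register_signal and so may appear in logs, check that nothing downstream matches on the old string.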

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/490?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I8ef199463d46303129a3f563fd9eace780a58b8a
Gerrit-Change-Number: 490
Gerrit-PatchSet: 3
Gerrit-Owner: flichtenheld 
Gerrit-Reviewer: cron2 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-MessageType: merged
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


[Openvpn-devel] [XS] Change in openvpn[master]: phase2_tcp_server: fix Coverity issue 'Dereference after null check'

2024-03-25 Thread cron2 (Code Review)
cron2 has uploaded a new patch set (#3) to the change originally created by 
flichtenheld. ( http://gerrit.openvpn.net/c/openvpn/+/490?usp=email )

The following approvals got outdated and were removed:
Code-Review+2 by plaisthos


Change subject: phase2_tcp_server: fix Coverity issue 'Dereference after null 
check'
..

phase2_tcp_server: fix Coverity issue 'Dereference after null check'

As Coverity says:
Either the check against null is unnecessary, or there may be a null
pointer dereference.
In phase2_tcp_server: Pointer is checked against null but then
dereferenced anyway

There is only one caller (link_socket_init_phase2) and it already has
an ASSERT(sig_info). So use that here as well.

v2:
 - fix cleanly by actually asserting that sig_info is defined

Change-Id: I8ef199463d46303129a3f563fd9eace780a58b8a
Signed-off-by: Frank Lichtenheld 
Acked-by: Arne Schwabe 
Message-Id: <20240325071448.12143-1-g...@greenie.muc.de>
URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28452.html
Signed-off-by: Gert Doering 
---
M src/openvpn/socket.c
1 file changed, 3 insertions(+), 2 deletions(-)


  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/90/490/3

diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c
index 57eaee2..d2b82d5 100644
--- a/src/openvpn/socket.c
+++ b/src/openvpn/socket.c
@@ -2005,7 +2005,8 @@
 phase2_tcp_server(struct link_socket *sock, const char *remote_dynamic,
   struct signal_info *sig_info)
 {
-volatile int *signal_received = sig_info ? _info->signal_received : 
NULL;
+ASSERT(sig_info);
+volatile int *signal_received = _info->signal_received;
 switch (sock->mode)
 {
 case LS_MODE_DEFAULT:
@@ -2031,7 +2032,7 @@
 false);
 if (!socket_defined(sock->sd))
 {
-register_signal(sig_info, SIGTERM, "socket-undefiled");
+register_signal(sig_info, SIGTERM, "socket-undefined");
 return;
 }
 tcp_connection_established(>info.lsa->actual);

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/490?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I8ef199463d46303129a3f563fd9eace780a58b8a
Gerrit-Change-Number: 490
Gerrit-PatchSet: 3
Gerrit-Owner: flichtenheld 
Gerrit-Reviewer: cron2 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-MessageType: newpatchset


[Openvpn-devel] [XS] Change in openvpn[master]: Use snprintf instead of sprintf for get_ssl_library_version

2024-03-25 Thread cron2 (Code Review)
cron2 has uploaded a new patch set (#2) to the change originally created by 
plaisthos. ( http://gerrit.openvpn.net/c/openvpn/+/545?usp=email )

The following approvals got outdated and were removed:
Code-Review+2 by flichtenheld


Change subject: Use snprintf instead of sprintf for get_ssl_library_version
..

Use snprintf instead of sprintf for get_ssl_library_version

This is to avoid a warning/error (when using -Werror) under current macOS
of sprintf:

   __deprecated_msg("This function is provided for compatibility
   reasons only.  Due to security concerns inherent in the design
   of sprintf(3), it is highly recommended that you use snprintf(3)
   instead.")

Change-Id: I3c6fd36eb9daee9244d6dc6d9f22de1c5cf9d039
Signed-off-by: Arne Schwabe 
Acked-by: Frank Lichtenheld 
Message-Id: <20240325125052.14135-1-g...@greenie.muc.de>
URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28458.html
Signed-off-by: Gert Doering 
---
M src/openvpn/ssl_mbedtls.c
1 file changed, 1 insertion(+), 1 deletion(-)


  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/45/545/2

diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c
index b44ddd5..0730d25 100644
--- a/src/openvpn/ssl_mbedtls.c
+++ b/src/openvpn/ssl_mbedtls.c
@@ -1614,7 +1614,7 @@
 {
 static char mbedtls_version[30];
 unsigned int pv = mbedtls_version_get_number();
-sprintf( mbedtls_version, "mbed TLS %d.%d.%d",
+snprintf(mbedtls_version, sizeof(mbedtls_version), "mbed TLS %d.%d.%d",
  (pv>>24)&0xff, (pv>>16)&0xff, (pv>>8)&0xff );
 return mbedtls_version;
 }
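Review bot: `pv` is `unsigned int`, so `(pv>>24)&0xff` and the other two operands are unsigned and belong with `%u` rather than `%d` (-Wformat-signedness warns; the values never exceed 255, so the output is unchanged). The 30-byte static buffer holds the longest possible "mbed TLS 255.255.255" (20 characters plus NUL), so truncation cannot happen here; a comment saying that, or a check of the return value as the other snprintf conversions in this series do, would make the sizing visible to the next reader.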

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/545?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I3c6fd36eb9daee9244d6dc6d9f22de1c5cf9d039
Gerrit-Change-Number: 545
Gerrit-PatchSet: 2
Gerrit-Owner: plaisthos 
Gerrit-Reviewer: flichtenheld 
Gerrit-CC: openvpn-devel 
Gerrit-MessageType: newpatchset


[Openvpn-devel] [XS] Change in openvpn[master]: Use snprintf instead of sprintf for get_ssl_library_version

2024-03-25 Thread cron2 (Code Review)
cron2 has submitted this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/545?usp=email )

Change subject: Use snprintf instead of sprintf for get_ssl_library_version
..

Use snprintf instead of sprintf for get_ssl_library_version

This is to avoid a warning/error (when using -Werror) under current macOS
of sprintf:

   __deprecated_msg("This function is provided for compatibility
   reasons only.  Due to security concerns inherent in the design
   of sprintf(3), it is highly recommended that you use snprintf(3)
   instead.")

Change-Id: I3c6fd36eb9daee9244d6dc6d9f22de1c5cf9d039
Signed-off-by: Arne Schwabe 
Acked-by: Frank Lichtenheld 
Message-Id: <20240325125052.14135-1-g...@greenie.muc.de>
URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28458.html
Signed-off-by: Gert Doering 
---
M src/openvpn/ssl_mbedtls.c
1 file changed, 1 insertion(+), 1 deletion(-)




diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c
index b44ddd5..0730d25 100644
--- a/src/openvpn/ssl_mbedtls.c
+++ b/src/openvpn/ssl_mbedtls.c
@@ -1614,7 +1614,7 @@
 {
 static char mbedtls_version[30];
 unsigned int pv = mbedtls_version_get_number();
-sprintf( mbedtls_version, "mbed TLS %d.%d.%d",
+snprintf(mbedtls_version, sizeof(mbedtls_version), "mbed TLS %d.%d.%d",
  (pv>>24)&0xff, (pv>>16)&0xff, (pv>>8)&0xff );
 return mbedtls_version;
 }

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/545?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I3c6fd36eb9daee9244d6dc6d9f22de1c5cf9d039
Gerrit-Change-Number: 545
Gerrit-PatchSet: 2
Gerrit-Owner: plaisthos 
Gerrit-Reviewer: flichtenheld 
Gerrit-CC: openvpn-devel 
Gerrit-MessageType: merged


[Openvpn-devel] [S] Change in openvpn[master]: documentation: make section levels consistent

2024-03-25 Thread cron2 (Code Review)
cron2 has submitted this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/527?usp=email )

Change subject: documentation: make section levels consistent
..

documentation: make section levels consistent

Previously the sections "Encryption Options" and
"Data channel cipher negotiation" were on the same
level as "OPTIONS", which makes no sense. Instead
move them and their subsections one level down.

Use ` since that was already in use in section
"Virtual Routing and Forwarding".

Change-Id: Ib5a7f9a978bda5ad58830e43580232660401f66d
Signed-off-by: Frank Lichtenheld 
Acked-by: Arne Schwabe 
Message-Id: <20240325071520.12513-1-g...@greenie.muc.de>
URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28453.html
Signed-off-by: Gert Doering 
---
M doc/man-sections/cipher-negotiation.rst
M doc/man-sections/encryption-options.rst
M doc/man-sections/pkcs11-options.rst
M doc/man-sections/renegotiation.rst
M doc/man-sections/tls-options.rst
5 files changed, 14 insertions(+), 14 deletions(-)




diff --git a/doc/man-sections/cipher-negotiation.rst 
b/doc/man-sections/cipher-negotiation.rst
index 949ff86..1285e82 100644
--- a/doc/man-sections/cipher-negotiation.rst
+++ b/doc/man-sections/cipher-negotiation.rst
@@ -1,12 +1,12 @@
 Data channel cipher negotiation
-===
+---

 OpenVPN 2.4 and higher have the capability to negotiate the data cipher that
 is used to encrypt data packets. This section describes the mechanism in more 
detail and the
 different backwards compatibility mechanism with older server and clients.

 OpenVPN 2.5 and later behaviour
-
+```
 When both client and server are at least running OpenVPN 2.5, that the order of
 the ciphers of the server's ``--data-ciphers`` is used to pick the data cipher.
 That means that the first cipher in that list that is also in the client's
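Review bot: because the man-section files are assembled into one document, reStructuredText requires the adornment order (here `=`, `-`, then backtick) to be identical across every included file, and each underline must be at least as long as its heading text or the RST toolchain reports "Title underline too short". Please confirm the manpage and HTML build is warning-free with the new levels, and that the other three files in the file list (pkcs11-options.rst, renegotiation.rst, tls-options.rst), whose hunks are not shown here, were moved down by the same one level.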
@@ -25,7 +25,7 @@
 ``--cipher`` option to this list.

 OpenVPN 2.4 clients

+```
 The negotiation support in OpenVPN 2.4 was the first iteration of the 
implementation
 and still had some quirks. Its main goal was "upgrade to AES-256-GCM when 
possible".
 An OpenVPN 2.4 client that is built against a crypto library that supports AES 
in GCM
@@ -40,7 +40,7 @@
 options to avoid this behaviour.

 OpenVPN 3 clients
--
+`
 Clients based on the OpenVPN 3.x library (https://github.com/openvpn/openvpn3/)
 do not have a configurable ``--ncp-ciphers`` or ``--data-ciphers`` option. 
Newer
 versions by default disable legacy AES-CBC, BF-CBC, and DES-CBC ciphers.
@@ -52,7 +52,7 @@


 OpenVPN 2.3 and older clients (and clients with ``--ncp-disable``)
---
+``
 When a client without cipher negotiation support connects to a server the
 cipher specified with the ``--cipher`` option in the client configuration
 must be included in the ``--data-ciphers`` option of the server to allow
@@ -65,7 +65,7 @@
 cipher used by the client is necessary.

 OpenVPN 2.4 server
---
+``
 When a client indicates support for `AES-128-GCM` and `AES-256-GCM`
 (with ``IV_NCP=2``) an OpenVPN 2.4 server will send the first
 cipher of the ``--ncp-ciphers`` to the OpenVPN client regardless of what
@@ -76,7 +76,7 @@
 those ciphers are present.

 OpenVPN 2.3 and older servers (and servers with ``--ncp-disable``)
---
+``
 The cipher used by the server must be included in ``--data-ciphers`` to
 allow the client connecting to a server without cipher negotiation
 support.
@@ -89,7 +89,7 @@
 cipher used by the server is necessary.

 Blowfish in CBC mode (BF-CBC) deprecation
---
+`
 The ``--cipher`` option defaulted to `BF-CBC` in OpenVPN 2.4 and older
 version. The default was never changed to ensure backwards compatibility.
 In OpenVPN 2.5 this behaviour has now been changed so that if the ``--cipher``
diff --git a/doc/man-sections/encryption-options.rst 
b/doc/man-sections/encryption-options.rst
index 3b26782..49385d6 100644
--- a/doc/man-sections/encryption-options.rst
+++ b/doc/man-sections/encryption-options.rst
@@ -1,8 +1,8 @@
 Encryption Options
-==
+--

 SSL Library information

+```

 --show-ciphers
   (Standalone) Show all cipher algorithms to use with the ``--cipher``
@@ -32,7 +32,7 @@
   ``--ecdh-curve`` and ``tls-groups`` options.

 Generating key material

+```

 --genkey args
   (Standalone) Generate a key to be used of the 

[Openvpn-devel] [S] Change in openvpn[master]: documentation: make section levels consistent

2024-03-25 Thread cron2 (Code Review)
cron2 has uploaded a new patch set (#3) to the change originally created by 
flichtenheld. ( http://gerrit.openvpn.net/c/openvpn/+/527?usp=email )

The following approvals got outdated and were removed:
Code-Review+2 by plaisthos


Change subject: documentation: make section levels consistent
..

documentation: make section levels consistent

Previously the sections "Encryption Options" and
"Data channel cipher negotiation" were on the same
level as "OPTIONS", which makes no sense. Instead
move them and their subsections one level down.

Use ` since that was already in use in section
"Virtual Routing and Forwarding".

Change-Id: Ib5a7f9a978bda5ad58830e43580232660401f66d
Signed-off-by: Frank Lichtenheld 
Acked-by: Arne Schwabe 
Message-Id: <20240325071520.12513-1-g...@greenie.muc.de>
URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28453.html
Signed-off-by: Gert Doering 
---
M doc/man-sections/cipher-negotiation.rst
M doc/man-sections/encryption-options.rst
M doc/man-sections/pkcs11-options.rst
M doc/man-sections/renegotiation.rst
M doc/man-sections/tls-options.rst
5 files changed, 14 insertions(+), 14 deletions(-)


  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/27/527/3

diff --git a/doc/man-sections/cipher-negotiation.rst 
b/doc/man-sections/cipher-negotiation.rst
index 949ff86..1285e82 100644
--- a/doc/man-sections/cipher-negotiation.rst
+++ b/doc/man-sections/cipher-negotiation.rst
@@ -1,12 +1,12 @@
 Data channel cipher negotiation
-===
+---

 OpenVPN 2.4 and higher have the capability to negotiate the data cipher that
 is used to encrypt data packets. This section describes the mechanism in more 
detail and the
 different backwards compatibility mechanism with older server and clients.

 OpenVPN 2.5 and later behaviour
-
+```
 When both client and server are at least running OpenVPN 2.5, that the order of
 the ciphers of the server's ``--data-ciphers`` is used to pick the data cipher.
 That means that the first cipher in that list that is also in the client's
@@ -25,7 +25,7 @@
 ``--cipher`` option to this list.

 OpenVPN 2.4 clients

+```
 The negotiation support in OpenVPN 2.4 was the first iteration of the 
implementation
 and still had some quirks. Its main goal was "upgrade to AES-256-GCM when 
possible".
 An OpenVPN 2.4 client that is built against a crypto library that supports AES 
in GCM
@@ -40,7 +40,7 @@
 options to avoid this behaviour.

 OpenVPN 3 clients
--
+`
 Clients based on the OpenVPN 3.x library (https://github.com/openvpn/openvpn3/)
 do not have a configurable ``--ncp-ciphers`` or ``--data-ciphers`` option. 
Newer
 versions by default disable legacy AES-CBC, BF-CBC, and DES-CBC ciphers.
@@ -52,7 +52,7 @@


 OpenVPN 2.3 and older clients (and clients with ``--ncp-disable``)
---
+``
 When a client without cipher negotiation support connects to a server the
 cipher specified with the ``--cipher`` option in the client configuration
 must be included in the ``--data-ciphers`` option of the server to allow
@@ -65,7 +65,7 @@
 cipher used by the client is necessary.

 OpenVPN 2.4 server
---
+``
 When a client indicates support for `AES-128-GCM` and `AES-256-GCM`
 (with ``IV_NCP=2``) an OpenVPN 2.4 server will send the first
 cipher of the ``--ncp-ciphers`` to the OpenVPN client regardless of what
@@ -76,7 +76,7 @@
 those ciphers are present.

 OpenVPN 2.3 and older servers (and servers with ``--ncp-disable``)
---
+``
 The cipher used by the server must be included in ``--data-ciphers`` to
 allow the client connecting to a server without cipher negotiation
 support.
@@ -89,7 +89,7 @@
 cipher used by the server is necessary.

 Blowfish in CBC mode (BF-CBC) deprecation
---
+`
 The ``--cipher`` option defaulted to `BF-CBC` in OpenVPN 2.4 and older
 version. The default was never changed to ensure backwards compatibility.
 In OpenVPN 2.5 this behaviour has now been changed so that if the ``--cipher``
diff --git a/doc/man-sections/encryption-options.rst 
b/doc/man-sections/encryption-options.rst
index 3b26782..49385d6 100644
--- a/doc/man-sections/encryption-options.rst
+++ b/doc/man-sections/encryption-options.rst
@@ -1,8 +1,8 @@
 Encryption Options
-==
+--

 SSL Library information

+```

 --show-ciphers
   (Standalone) Show all cipher algorithms to use with the 

[Openvpn-devel] [M] Change in openvpn[master]: samples: Update sample configurations

2024-03-25 Thread cron2 (Code Review)
cron2 has submitted this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/532?usp=email )

Change subject: samples: Update sample configurations
..

samples: Update sample configurations

- Remove compression settings. Not recommended anymore.
- Remove old cipher setting. Replaced by data-ciphers negotiation.
- Add a comment on how to set data-ciphers for very old clients.
- Remove/reword some old comments. e.g. no need to reference
  OpenVPN 1.x anymore.
- Mention peer-fingerprint alternative.
- comment out "tls-auth" as that is not needed for a bare-bones VPN config
  and needs additional setup.

Github: #511
Change-Id: I1a36651c0dea52259533ffc00bccb9b03bf82e26
Signed-off-by: Frank Lichtenheld 
Acked-by: Arne Schwabe 
Message-Id: <20240325071320.11348-1-g...@greenie.muc.de>
URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28451.html
Signed-off-by: Gert Doering 
---
M sample/sample-config-files/README
M sample/sample-config-files/client.conf
M sample/sample-config-files/server.conf
3 files changed, 33 insertions(+), 43 deletions(-)




diff --git a/sample/sample-config-files/README 
b/sample/sample-config-files/README
index d53ac79..1493dab 100644
--- a/sample/sample-config-files/README
+++ b/sample/sample-config-files/README
@@ -4,3 +4,5 @@
 which is located at:

 http://openvpn.net/howto.html
+
+See also the openvpn-examples man page.
diff --git a/sample/sample-config-files/client.conf 
b/sample/sample-config-files/client.conf
index f51e017..53b8027 100644
--- a/sample/sample-config-files/client.conf
+++ b/sample/sample-config-files/client.conf
@@ -1,5 +1,5 @@
 ##
-# Sample client-side OpenVPN 2.0 config file #
+# Sample client-side OpenVPN 2.6 config file #
 # for connecting to multi-client server. #
 ##
 # This configuration can be used by multiple #
@@ -102,22 +102,15 @@
 # EasyRSA can do this for you.
 remote-cert-tls server

+# Allow to connect to really old OpenVPN versions
+# without AEAD support (OpenVPN 2.3.x or older)
+# This adds AES-256-CBC as fallback cipher and
+# keeps the modern ciphers as well.
+;data-ciphers AES-256-GCM:AES-128-GCM:?CHACHA20-POLY1305:AES-256-CBC
+
 # If a tls-auth key is used on the server
 # then every client must also have the key.
-tls-auth ta.key 1
-
-# Select a cryptographic cipher.
-# If the cipher option is used on the server
-# then you must also specify it here.
-# Note that v2.4 client/server will automatically
-# negotiate AES-256-GCM in TLS mode.
-# See also the data-ciphers option in the manpage
-cipher AES-256-CBC
-
-# Enable compression on the VPN link.
-# Don't enable this unless it is also
-# enabled in the server config file.
-#comp-lzo
+;tls-auth ta.key 1

 # Set log file verbosity.
 verb 3
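Review bot: two points on the commented-out defaults. The `;data-ciphers ... :AES-256-CBC` comment should say plainly that the CBC entry is only for end-of-life 2.3.x peers and that, while it is enabled, any such client can pull its session down to a non-AEAD cipher, so it should be dropped again once those clients are gone. Commenting out `tls-auth ta.key 1` removes the control-channel protection the sample used to ship enabled; the comment above it should point to tls-crypt as the current alternative (the commit message only says "additional setup") so that users do not read the feature as optional.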
diff --git a/sample/sample-config-files/server.conf 
b/sample/sample-config-files/server.conf
index 97732c6..48716a0 100644
--- a/sample/sample-config-files/server.conf
+++ b/sample/sample-config-files/server.conf
@@ -1,5 +1,5 @@
 #
-# Sample OpenVPN 2.0 config file for#
+# Sample OpenVPN 2.6 config file for#
 # multi-client server.  #
 #   #
 # This file is for the server side  #
@@ -47,15 +47,15 @@
 # an explicit unit number, such as tun0.
 # On Windows, use "dev-node" for this.
 # On most systems, the VPN will not function
-# unless you partially or fully disable
+# unless you partially or fully disable/open
 # the firewall for the TUN/TAP interface.
 ;dev tap
 dev tun

 # Windows needs the TAP-Win32 adapter name
 # from the Network Connections panel if you
-# have more than one.  On XP SP2 or higher,
-# you may need to selectively disable the
+# have more than one.
+# You may need to selectively disable the
 # Windows firewall for the TAP adapter.
 # Non-Windows systems usually don't need this.
 ;dev-node MyTap
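Review bot: "partially or fully disable/open the firewall" reads awkwardly and still tells the administrator to disable the firewall; suggest "unless you allow traffic on the TUN/TAP interface in your firewall" here, and "selectively allow the TAP adapter in the Windows firewall" in the second comment, which is what should actually be configured.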
@@ -66,8 +66,9 @@
 # key file.  The server and all clients will
 # use the same ca file.
 #
-# See the "easy-rsa" directory for a series
-# of scripts for generating RSA certificates
+# See the "easy-rsa" project at
+# https://github.com/OpenVPN/easy-rsa
+# for generating RSA certificates
 # and private keys.  Remember to use
 # a unique Common Name for the server
 # and each of the client certificates.
@@ -75,6 +76,13 @@
 # Any X509 key management system can be used.
 # OpenVPN can also use a PKCS #12 formatted key file
 # (see "pkcs12" directive in man page).
+#
+# If you do not want to maintain a CA
+# and have a small number of clients
+# you can also use self-signed certificates
+# and use the peer-fingerprint option.
+# See openvpn-examples man page for a
+# configuration example.
 ca ca.crt
 cert server.crt
 key server.key  # This file should be kept secret
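Review bot: the new peer-fingerprint paragraph should say which of the `ca`, `cert` and `key` lines directly below it still apply in that mode (the referenced openvpn-examples page shows a fingerprint-based setup without a CA), otherwise a reader who follows the hint is left with a `ca ca.crt` line they cannot satisfy.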
@@ -84,12 +92,18 @@
 #   openssl dhparam -out dh2048.pem 2048
 

[Openvpn-devel] [M] Change in openvpn[master]: samples: Update sample configurations

2024-03-25 Thread cron2 (Code Review)
cron2 has uploaded a new patch set (#5) to the change originally created by 
flichtenheld. ( http://gerrit.openvpn.net/c/openvpn/+/532?usp=email )

The following approvals got outdated and were removed:
Code-Review+2 by plaisthos


Change subject: samples: Update sample configurations
..

samples: Update sample configurations

- Remove compression settings. Not recommended anymore.
- Remove old cipher setting. Replaced by data-ciphers negotiation.
- Add a comment on how to set data-ciphers for very old clients.
- Remove/reword some old comments. e.g. no need to reference
  OpenVPN 1.x anymore.
- Mention peer-fingerprint alternative.
- comment out "tls-auth" as that is not needed for a bare-bones VPN config
  and needs additional setup.

Github: #511
Change-Id: I1a36651c0dea52259533ffc00bccb9b03bf82e26
Signed-off-by: Frank Lichtenheld 
Acked-by: Arne Schwabe 
Message-Id: <20240325071320.11348-1-g...@greenie.muc.de>
URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28451.html
Signed-off-by: Gert Doering 
---
M sample/sample-config-files/README
M sample/sample-config-files/client.conf
M sample/sample-config-files/server.conf
3 files changed, 33 insertions(+), 43 deletions(-)


  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/32/532/5

diff --git a/sample/sample-config-files/README 
b/sample/sample-config-files/README
index d53ac79..1493dab 100644
--- a/sample/sample-config-files/README
+++ b/sample/sample-config-files/README
@@ -4,3 +4,5 @@
 which is located at:

 http://openvpn.net/howto.html
+
+See also the openvpn-examples man page.
diff --git a/sample/sample-config-files/client.conf 
b/sample/sample-config-files/client.conf
index f51e017..53b8027 100644
--- a/sample/sample-config-files/client.conf
+++ b/sample/sample-config-files/client.conf
@@ -1,5 +1,5 @@
 ##
-# Sample client-side OpenVPN 2.0 config file #
+# Sample client-side OpenVPN 2.6 config file #
 # for connecting to multi-client server. #
 ##
 # This configuration can be used by multiple #
@@ -102,22 +102,15 @@
 # EasyRSA can do this for you.
 remote-cert-tls server

+# Allow to connect to really old OpenVPN versions
+# without AEAD support (OpenVPN 2.3.x or older)
+# This adds AES-256-CBC as fallback cipher and
+# keeps the modern ciphers as well.
+;data-ciphers AES-256-GCM:AES-128-GCM:?CHACHA20-POLY1305:AES-256-CBC
+
 # If a tls-auth key is used on the server
 # then every client must also have the key.
-tls-auth ta.key 1
-
-# Select a cryptographic cipher.
-# If the cipher option is used on the server
-# then you must also specify it here.
-# Note that v2.4 client/server will automatically
-# negotiate AES-256-GCM in TLS mode.
-# See also the data-ciphers option in the manpage
-cipher AES-256-CBC
-
-# Enable compression on the VPN link.
-# Don't enable this unless it is also
-# enabled in the server config file.
-#comp-lzo
+;tls-auth ta.key 1

 # Set log file verbosity.
 verb 3
diff --git a/sample/sample-config-files/server.conf 
b/sample/sample-config-files/server.conf
index 97732c6..48716a0 100644
--- a/sample/sample-config-files/server.conf
+++ b/sample/sample-config-files/server.conf
@@ -1,5 +1,5 @@
 #
-# Sample OpenVPN 2.0 config file for#
+# Sample OpenVPN 2.6 config file for#
 # multi-client server.  #
 #   #
 # This file is for the server side  #
@@ -47,15 +47,15 @@
 # an explicit unit number, such as tun0.
 # On Windows, use "dev-node" for this.
 # On most systems, the VPN will not function
-# unless you partially or fully disable
+# unless you partially or fully disable/open
 # the firewall for the TUN/TAP interface.
 ;dev tap
 dev tun

 # Windows needs the TAP-Win32 adapter name
 # from the Network Connections panel if you
-# have more than one.  On XP SP2 or higher,
-# you may need to selectively disable the
+# have more than one.
+# You may need to selectively disable the
 # Windows firewall for the TAP adapter.
 # Non-Windows systems usually don't need this.
 ;dev-node MyTap
@@ -66,8 +66,9 @@
 # key file.  The server and all clients will
 # use the same ca file.
 #
-# See the "easy-rsa" directory for a series
-# of scripts for generating RSA certificates
+# See the "easy-rsa" project at
+# https://github.com/OpenVPN/easy-rsa
+# for generating RSA certificates
 # and private keys.  Remember to use
 # a unique Common Name for the server
 # and each of the client certificates.
@@ -75,6 +76,13 @@
 # Any X509 key management system can be used.
 # OpenVPN can also use a PKCS #12 formatted key file
 # (see "pkcs12" directive in man page).
+#
+# If you do not want to maintain a CA
+# and have a small number of clients
+# you can also use self-signed certificates
+# and use the peer-fingerprint 

[Openvpn-devel] [S] Change in openvpn[master]: Disable DCO if proxy is set via management

2024-03-19 Thread cron2 (Code Review)
cron2 has uploaded a new patch set (#2) to the change originally created by 
stipa. ( http://gerrit.openvpn.net/c/openvpn/+/543?usp=email )

The following approvals got outdated and were removed:
Code-Review+2 by flichtenheld


Change subject: Disable DCO if proxy is set via management
..

Disable DCO if proxy is set via management

Commit

45a1cb2a ("Disable DCO if proxy is set via management")

attempted to disable DCO when proxy is set via management interface. However,
at least on Windows this doesn't work, since:

 - setting tuntap_options->disable_dco to true is not enough to disable DCO
 - at this point it is a bit too late, since we've already done DCO-specific
   adjustments

Since proxy can be set via management only if --management-query-proxy is
specified, the better way is to add a check to dco_check_startup_option().

Github: fixes OpenVPN/openvpn#522

Change-Id: I16d6a9fefa317d7d4a195e786618328445bdbca8
Signed-off-by: Lev Stipakov 
Acked-by: Frank Lichtenheld 
Message-Id: <20240318181744.20625-1-g...@greenie.muc.de>
URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28415.html
Signed-off-by: Gert Doering 
---
M src/openvpn/dco.c
M src/openvpn/init.c
2 files changed, 6 insertions(+), 6 deletions(-)


  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/43/543/2

diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c
index d7c9d48..78243b1 100644
--- a/src/openvpn/dco.c
+++ b/src/openvpn/dco.c
@@ -387,6 +387,12 @@
 return false;
 }

+if (o->management_flags & MF_QUERY_PROXY)
+{
+msg(msglevel, "Note: --management-query-proxy disables data channel 
offload.");
+return false;
+}
+
 /* now that all options have been confirmed to be supported, check
  * if DCO is truly available on the system
  */
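Review bot: the new MF_QUERY_PROXY check returns false at `msglevel`, i.e. with whatever severity the caller chose for the other "option X disables DCO" cases; please make sure that when DCO was requested explicitly the caller passes a level that turns this into an error rather than a "Note:", since silently running without offload after the user asked for it is the failure mode the original commit 45a1cb2a was trying to fix. The message could also state that this is a limitation of the offload path rather than a misconfiguration, so that a log reader knows no action is needed.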
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index 6209fa8..f2ce926 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -221,12 +221,6 @@
 }
 else if (p[2] && p[3])
 {
-if (dco_enabled(>options))
-{
-msg(M_INFO, "Proxy set via management, disabling Data Channel 
Offload.");
-c->options.tuntap_options.disable_dco = true;
-}
-
 if (streq(p[1], "HTTP"))
 {
 struct http_proxy_options *ho;
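Review bot: with the runtime branch removed, this path relies entirely on dco_check_startup_option() having refused DCO whenever MF_QUERY_PROXY is set; a one-line comment here, or an `ASSERT(!dco_enabled(&c->options))`, would record that invariant so a future change that lets the management interface set a proxy without --management-query-proxy does not quietly bring the bug back.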

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/543?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I16d6a9fefa317d7d4a195e786618328445bdbca8
Gerrit-Change-Number: 543
Gerrit-PatchSet: 2
Gerrit-Owner: stipa 
Gerrit-Reviewer: flichtenheld 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-MessageType: newpatchset
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


[Openvpn-devel] [S] Change in openvpn[master]: Disable DCO if proxy is set via management

2024-03-19 Thread cron2 (Code Review)
cron2 has submitted this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/543?usp=email )

Change subject: Disable DCO if proxy is set via management
..

Disable DCO if proxy is set via management

Commit

45a1cb2a ("Disable DCO if proxy is set via management")

attempted to disable DCO when proxy is set via management interface. However,
at least on Windows this doesn't work, since:

 - setting tuntap_options->disable_dco to true is not enough to disable DCO
 - at this point it is a bit too late, since we've already done DCO-specific
   adjustments

Since proxy can be set via management only if --management-query-proxy is
specified, the better way is to add a check to dco_check_startup_option().

Github: fixes OpenVPN/openvpn#522

Change-Id: I16d6a9fefa317d7d4a195e786618328445bdbca8
Signed-off-by: Lev Stipakov 
Acked-by: Frank Lichtenheld 
Message-Id: <20240318181744.20625-1-g...@greenie.muc.de>
URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28415.html
Signed-off-by: Gert Doering 
---
M src/openvpn/dco.c
M src/openvpn/init.c
2 files changed, 6 insertions(+), 6 deletions(-)




diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c
index d7c9d48..78243b1 100644
--- a/src/openvpn/dco.c
+++ b/src/openvpn/dco.c
@@ -387,6 +387,12 @@
 return false;
 }

+if (o->management_flags & MF_QUERY_PROXY)
+{
+msg(msglevel, "Note: --management-query-proxy disables data channel 
offload.");
+return false;
+}
+
 /* now that all options have been confirmed to be supported, check
  * if DCO is truly available on the system
  */
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index 6209fa8..f2ce926 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -221,12 +221,6 @@
 }
 else if (p[2] && p[3])
 {
-if (dco_enabled(>options))
-{
-msg(M_INFO, "Proxy set via management, disabling Data Channel 
Offload.");
-c->options.tuntap_options.disable_dco = true;
-}
-
 if (streq(p[1], "HTTP"))
 {
 struct http_proxy_options *ho;

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/543?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I16d6a9fefa317d7d4a195e786618328445bdbca8
Gerrit-Change-Number: 543
Gerrit-PatchSet: 2
Gerrit-Owner: stipa 
Gerrit-Reviewer: flichtenheld 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-MessageType: merged
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


[Openvpn-devel] [S] Change in openvpn[master]: GHA: general update March 2024

2024-03-19 Thread cron2 (Code Review)
cron2 has submitted this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/544?usp=email )

Change subject: GHA: general update March 2024
..

GHA: general update March 2024

- Update to Node 20 versions of actions to avoid warnings
- Update to current vcpkg
- Update mbedTLS and LibreSSL to latest releases

Change-Id: I1ad6a0b1323ce0872f4a3299c5a9f18a982e0126
Signed-off-by: Frank Lichtenheld 
Acked-by: Arne Schwabe 
Message-Id: <20240319154456.2967716-1-fr...@lichtenheld.com>
URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28422.html
Signed-off-by: Gert Doering 
---
M .github/workflows/build.yaml
M .github/workflows/coverity-scan.yml
2 files changed, 23 insertions(+), 23 deletions(-)




diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index bc937e5..f771f5a 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -13,7 +13,7 @@
   - name: Install dependencies
 run: sudo apt update && sudo apt install -y uncrustify
   - name: Checkout OpenVPN
-uses: actions/checkout@v3
+uses: actions/checkout@v4
 with:
   path: openvpn
   - name: Show uncrustify version
@@ -27,7 +27,7 @@
   - name: Show changes on standard output
 run: git diff
 working-directory: openvpn
-  - uses: actions/upload-artifact@v3
+  - uses: actions/upload-artifact@v4
 with:
   name: uncrustify-changes.patch
   path: 'openvpn/uncrustify-changes.patch'
@@ -49,12 +49,12 @@
   - name: Install dependencies
 run: sudo apt update && sudo apt install -y mingw-w64 unzip cmake 
ninja-build build-essential wget python3-docutils man2html-base
   - name: Checkout OpenVPN
-uses: actions/checkout@v3
+uses: actions/checkout@v4

   - name: Restore from cache and install vcpkg
 uses: lukka/run-vcpkg@v11
 with:
-  vcpkgGitCommitId: '1ba9a2591f15af5900f2ce2b3e2bf31771e3ac48'
+  vcpkgGitCommitId: 8d3649ba34aab36914ddd897958599aa0a91b08e
   vcpkgJsonGlob: '**/mingw/vcpkg.json'

   - name: Run CMake with vcpkg.json manifest
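Review bot: The new `vcpkgGitCommitId` line drops the quotes the old line had; YAML reads this particular hex string as a plain scalar, but an all-digit commit id would be parsed as an integer, so keep the value quoted as before. Pinning vcpkg to a full commit is the right supply-chain practice; note that the actions themselves (`actions/checkout@v4`, `lukka/run-vcpkg@v11`) are still referenced by mutable major tags, so this update does not lock the action code the way the vcpkg pin locks the dependency tree.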
@@ -64,7 +64,7 @@
   buildPreset: mingw-${{ matrix.arch }}
   buildPresetAdditionalArgs: "['--config Debug']"

-  - uses: actions/upload-artifact@v3
+  - uses: actions/upload-artifact@v4
 with:
   name: openvpn-mingw-${{ matrix.arch }}
   path: |
@@ -72,7 +72,7 @@
 ${{ github.workspace }}/out/build/mingw/${{ matrix.arch 
}}/Debug/*.dll
 !${{ github.workspace }}/out/build/mingw/${{ matrix.arch 
}}/Debug/test_*.exe

-  - uses: actions/upload-artifact@v3
+  - uses: actions/upload-artifact@v4
 with:
   name: openvpn-mingw-${{ matrix.arch }}-tests
   path: |
@@ -91,9 +91,9 @@
 name: "mingw unittest ${{ matrix.test }} - ${{ matrix.arch }} - OSSL"
 steps:
   - name: Checkout OpenVPN
-uses: actions/checkout@v3
+uses: actions/checkout@v4
   - name: Retrieve mingw unittest
-uses: actions/download-artifact@v3
+uses: actions/download-artifact@v4
 with:
   name: openvpn-mingw-${{ matrix.arch }}-tests
   path: unittests
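Review bot: upload-artifact and download-artifact are moved to v4 together here, which is required: a v4 download cannot read artifacts produced by a v3 upload, so updating only one side would break the unittest job. v4 also rejects a second upload to the same artifact name within one run, so names must be unique per matrix job; the `openvpn-mingw-${{ matrix.arch }}-tests` name used here is unique per arch, and any matrix dimension added to the build job later has to be folded into the name as well.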
@@ -159,7 +159,7 @@
   - name: Install dependencies
 run: sudo apt update && sudo apt install -y liblzo2-dev libpam0g-dev 
liblz4-dev libcap-ng-dev libnl-genl-3-dev linux-libc-dev man2html libcmocka-dev 
python3-docutils libtool automake autoconf ${SSLPKG} ${PKCS11PKG}
   - name: Checkout OpenVPN
-uses: actions/checkout@v3
+uses: actions/checkout@v4
   - name: autoconf
 run: autoreconf -fvi
   - name: configure
@@ -186,7 +186,7 @@
   - name: Install dependencies
 run: sudo apt update && sudo apt install -y liblzo2-dev libpam0g-dev 
liblz4-dev libcap-ng-dev libnl-genl-3-dev linux-libc-dev man2html clang 
libcmocka-dev python3-docutils libtool automake autoconf libmbedtls-dev
   - name: Checkout OpenVPN
-uses: actions/checkout@v3
+uses: actions/checkout@v4
   - name: autoconf
 run: autoreconf -fvi
   - name: configure
@@ -235,7 +235,7 @@
   - name: Install dependencies
 run: brew install openssl@1.1 openssl@3 lzo lz4 man2html cmocka 
libtool automake autoconf libressl
   - name: Checkout OpenVPN
-uses: actions/checkout@v3
+uses: actions/checkout@v4
   - name: autoconf
 run: autoreconf -fvi
   - name: configure
@@ -257,7 +257,7 @@

   runs-on: windows-latest
   steps:
-  - uses: actions/checkout@v3
+  - uses: actions/checkout@v4
   - uses: lukka/get-cmake@latest

   - name: Install rst2html
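Review bot: `lukka/get-cmake@latest` in the unchanged context of this hunk is a floating tag, so the CMake toolchain of this Windows job can change without any commit to this repository. Since this change is already touching action versions, pin it to a release tag or, better, a full commit SHA, consistent with the commit-pinned `vcpkgGitCommitId` used for vcpkg.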
@@ -266,7 +266,7 @@
   - name: Restore artifacts, or setup vcpkg (do not install any package)
 uses: lukka/run-vcpkg@v11
 with:
-  vcpkgGitCommitId: 

[Openvpn-devel] [S] Change in openvpn[master]: GHA: general update March 2024

2024-03-19 Thread cron2 (Code Review)
cron2 has uploaded a new patch set (#2) to the change originally created by 
flichtenheld. ( http://gerrit.openvpn.net/c/openvpn/+/544?usp=email )

The following approvals got outdated and were removed:
Code-Review+2 by plaisthos


Change subject: GHA: general update March 2024
..

GHA: general update March 2024

- Update to Node 20 versions of actions to avoid warnings
- Update to current vcpkg
- Update mbedTLS and LibreSSL to latest releases

Change-Id: I1ad6a0b1323ce0872f4a3299c5a9f18a982e0126
Signed-off-by: Frank Lichtenheld 
Acked-by: Arne Schwabe 
Message-Id: <20240319154456.2967716-1-fr...@lichtenheld.com>
URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28422.html
Signed-off-by: Gert Doering 
---
M .github/workflows/build.yaml
M .github/workflows/coverity-scan.yml
2 files changed, 23 insertions(+), 23 deletions(-)


  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/44/544/2

diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index bc937e5..f771f5a 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -13,7 +13,7 @@
   - name: Install dependencies
 run: sudo apt update && sudo apt install -y uncrustify
   - name: Checkout OpenVPN
-uses: actions/checkout@v3
+uses: actions/checkout@v4
 with:
   path: openvpn
   - name: Show uncrustify version
@@ -27,7 +27,7 @@
   - name: Show changes on standard output
 run: git diff
 working-directory: openvpn
-  - uses: actions/upload-artifact@v3
+  - uses: actions/upload-artifact@v4
 with:
   name: uncrustify-changes.patch
   path: 'openvpn/uncrustify-changes.patch'
@@ -49,12 +49,12 @@
   - name: Install dependencies
 run: sudo apt update && sudo apt install -y mingw-w64 unzip cmake 
ninja-build build-essential wget python3-docutils man2html-base
   - name: Checkout OpenVPN
-uses: actions/checkout@v3
+uses: actions/checkout@v4

   - name: Restore from cache and install vcpkg
 uses: lukka/run-vcpkg@v11
 with:
-  vcpkgGitCommitId: '1ba9a2591f15af5900f2ce2b3e2bf31771e3ac48'
+  vcpkgGitCommitId: 8d3649ba34aab36914ddd897958599aa0a91b08e
   vcpkgJsonGlob: '**/mingw/vcpkg.json'

   - name: Run CMake with vcpkg.json manifest
@@ -64,7 +64,7 @@
   buildPreset: mingw-${{ matrix.arch }}
   buildPresetAdditionalArgs: "['--config Debug']"

-  - uses: actions/upload-artifact@v3
+  - uses: actions/upload-artifact@v4
 with:
   name: openvpn-mingw-${{ matrix.arch }}
   path: |
@@ -72,7 +72,7 @@
 ${{ github.workspace }}/out/build/mingw/${{ matrix.arch 
}}/Debug/*.dll
 !${{ github.workspace }}/out/build/mingw/${{ matrix.arch 
}}/Debug/test_*.exe

-  - uses: actions/upload-artifact@v3
+  - uses: actions/upload-artifact@v4
 with:
   name: openvpn-mingw-${{ matrix.arch }}-tests
   path: |
@@ -91,9 +91,9 @@
 name: "mingw unittest ${{ matrix.test }} - ${{ matrix.arch }} - OSSL"
 steps:
   - name: Checkout OpenVPN
-uses: actions/checkout@v3
+uses: actions/checkout@v4
   - name: Retrieve mingw unittest
-uses: actions/download-artifact@v3
+uses: actions/download-artifact@v4
 with:
   name: openvpn-mingw-${{ matrix.arch }}-tests
   path: unittests
@@ -159,7 +159,7 @@
   - name: Install dependencies
 run: sudo apt update && sudo apt install -y liblzo2-dev libpam0g-dev 
liblz4-dev libcap-ng-dev libnl-genl-3-dev linux-libc-dev man2html libcmocka-dev 
python3-docutils libtool automake autoconf ${SSLPKG} ${PKCS11PKG}
   - name: Checkout OpenVPN
-uses: actions/checkout@v3
+uses: actions/checkout@v4
   - name: autoconf
 run: autoreconf -fvi
   - name: configure
@@ -186,7 +186,7 @@
   - name: Install dependencies
 run: sudo apt update && sudo apt install -y liblzo2-dev libpam0g-dev 
liblz4-dev libcap-ng-dev libnl-genl-3-dev linux-libc-dev man2html clang 
libcmocka-dev python3-docutils libtool automake autoconf libmbedtls-dev
   - name: Checkout OpenVPN
-uses: actions/checkout@v3
+uses: actions/checkout@v4
   - name: autoconf
 run: autoreconf -fvi
   - name: configure
@@ -235,7 +235,7 @@
   - name: Install dependencies
 run: brew install openssl@1.1 openssl@3 lzo lz4 man2html cmocka 
libtool automake autoconf libressl
   - name: Checkout OpenVPN
-uses: actions/checkout@v3
+uses: actions/checkout@v4
   - name: autoconf
 run: autoreconf -fvi
   - name: configure
@@ -257,7 +257,7 @@

   runs-on: windows-latest
   steps:
-  - uses: actions/checkout@v3
+  - uses: actions/checkout@v4
   - uses: lukka/get-cmake@latest

   - name: Install 

[Openvpn-devel] [S] Change in openvpn[master]: Remove license warning from README.mbedtls

2024-03-15 Thread cron2 (Code Review)
cron2 has submitted this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/561?usp=email )

Change subject: Remove license warning from README.mbedtls
..

Remove license warning from README.mbedtls

The licenses are compatible now, so we can remove the warning.

Change-Id: I1879c893ed19b165fd086728fb97951eac251681
Signed-off-by: Max Fillinger 
Acked-by: Gert Doering 
Message-Id: <20240314185527.26803-1-g...@greenie.muc.de>
URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28400.html
Signed-off-by: Gert Doering 
---
M README.mbedtls
1 file changed, 0 insertions(+), 16 deletions(-)




diff --git a/README.mbedtls b/README.mbedtls
index 124eaa2..c4f3924 100644
--- a/README.mbedtls
+++ b/README.mbedtls
@@ -11,22 +11,6 @@

 *

-Warning:
-
-As of mbed TLS 2.17, it can be licensed *only* under the Apache v2.0 license.
-That license is incompatible with OpenVPN's GPLv2.
-
-We are currently in the process of resolving this problem, but for now, if you
-wish to distribute OpenVPN linked with mbed TLS, there are two options:
-
- * Ensure that your case falls under the system library exception in GPLv2, or
-
- * Use an earlier version of mbed TLS. Version 2.16.12 is the last release
-   that may be licensed under GPLv2. Unfortunately, this version is
-   unsupported and won't receive any more updates.
-
-*
-
 Due to limitations in the mbed TLS library, the following features are missing
 in the mbed TLS version of OpenVPN:
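Review bot: The removed block stated the constraint precisely (Apache-2.0-only from mbed TLS 2.17, GPLv2 option up to 2.16.12), but nothing replaces it and the commit message only says the licenses are "compatible now" without giving the basis. A one-line note naming the mbed TLS release from which the compatible licensing applies would let packagers verify which versions they may link against, since the removed constraint still applies to the older releases it named.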


--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/561?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I1879c893ed19b165fd086728fb97951eac251681
Gerrit-Change-Number: 561
Gerrit-PatchSet: 2
Gerrit-Owner: MaxF 
Gerrit-Reviewer: cron2 
Gerrit-Reviewer: flichtenheld 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-MessageType: merged
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


[Openvpn-devel] [S] Change in openvpn[release/2.6]: Remove license warning from README.mbedtls

2024-03-15 Thread cron2 (Code Review)
cron2 has submitted this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/562?usp=email )

Change subject: Remove license warning from README.mbedtls
..

Remove license warning from README.mbedtls

The licenses are compatible now, so we can remove the warning.

Change-Id: I1879c893ed19b165fd086728fb97951eac251681
Signed-off-by: Max Fillinger 
Acked-by: Gert Doering 
Message-Id: <20240314185527.26803-1-g...@greenie.muc.de>
URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28400.html
Signed-off-by: Gert Doering 
(cherry picked from commit 91eb4606a4a3e8e2a4ed2ac4e2257e7ea44ccc44)
---
M README.mbedtls
1 file changed, 0 insertions(+), 16 deletions(-)




diff --git a/README.mbedtls b/README.mbedtls
index 124eaa2..c4f3924 100644
--- a/README.mbedtls
+++ b/README.mbedtls
@@ -11,22 +11,6 @@

 *

-Warning:
-
-As of mbed TLS 2.17, it can be licensed *only* under the Apache v2.0 license.
-That license is incompatible with OpenVPN's GPLv2.
-
-We are currently in the process of resolving this problem, but for now, if you
-wish to distribute OpenVPN linked with mbed TLS, there are two options:
-
- * Ensure that your case falls under the system library exception in GPLv2, or
-
- * Use an earlier version of mbed TLS. Version 2.16.12 is the last release
-   that may be licensed under GPLv2. Unfortunately, this version is
-   unsupported and won't receive any more updates.
-
-*
-
 Due to limitations in the mbed TLS library, the following features are missing
 in the mbed TLS version of OpenVPN:


--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/562?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: release/2.6
Gerrit-Change-Id: I1879c893ed19b165fd086728fb97951eac251681
Gerrit-Change-Number: 562
Gerrit-PatchSet: 2
Gerrit-Owner: MaxF 
Gerrit-Reviewer: flichtenheld 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-MessageType: merged
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


[Openvpn-devel] [S] Change in openvpn[release/2.6]: Remove license warning from README.mbedtls

2024-03-15 Thread cron2 (Code Review)
cron2 has uploaded a new patch set (#2) to the change originally created by 
MaxF. ( http://gerrit.openvpn.net/c/openvpn/+/562?usp=email )


Change subject: Remove license warning from README.mbedtls
..

Remove license warning from README.mbedtls

The licenses are compatible now, so we can remove the warning.

Change-Id: I1879c893ed19b165fd086728fb97951eac251681
Signed-off-by: Max Fillinger 
Acked-by: Gert Doering 
Message-Id: <20240314185527.26803-1-g...@greenie.muc.de>
URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28400.html
Signed-off-by: Gert Doering 
(cherry picked from commit 91eb4606a4a3e8e2a4ed2ac4e2257e7ea44ccc44)
---
M README.mbedtls
1 file changed, 0 insertions(+), 16 deletions(-)


  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/62/562/2

diff --git a/README.mbedtls b/README.mbedtls
index 124eaa2..c4f3924 100644
--- a/README.mbedtls
+++ b/README.mbedtls
@@ -11,22 +11,6 @@

 *

-Warning:
-
-As of mbed TLS 2.17, it can be licensed *only* under the Apache v2.0 license.
-That license is incompatible with OpenVPN's GPLv2.
-
-We are currently in the process of resolving this problem, but for now, if you
-wish to distribute OpenVPN linked with mbed TLS, there are two options:
-
- * Ensure that your case falls under the system library exception in GPLv2, or
-
- * Use an earlier version of mbed TLS. Version 2.16.12 is the last release
-   that may be licensed under GPLv2. Unfortunately, this version is
-   unsupported and won't receive any more updates.
-
-*
-
 Due to limitations in the mbed TLS library, the following features are missing
 in the mbed TLS version of OpenVPN:


--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/562?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: release/2.6
Gerrit-Change-Id: I1879c893ed19b165fd086728fb97951eac251681
Gerrit-Change-Number: 562
Gerrit-PatchSet: 2
Gerrit-Owner: MaxF 
Gerrit-Reviewer: flichtenheld 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-MessageType: newpatchset
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


[Openvpn-devel] [S] Change in openvpn[master]: Remove license warning from README.mbedtls

2024-03-15 Thread cron2 (Code Review)
cron2 has uploaded a new patch set (#2) to the change originally created by 
MaxF. ( http://gerrit.openvpn.net/c/openvpn/+/561?usp=email )

The following approvals got outdated and were removed:
Code-Review+2 by cron2


Change subject: Remove license warning from README.mbedtls
..

Remove license warning from README.mbedtls

The licenses are compatible now, so we can remove the warning.

Change-Id: I1879c893ed19b165fd086728fb97951eac251681
Signed-off-by: Max Fillinger 
Acked-by: Gert Doering 
Message-Id: <20240314185527.26803-1-g...@greenie.muc.de>
URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28400.html
Signed-off-by: Gert Doering 
---
M README.mbedtls
1 file changed, 0 insertions(+), 16 deletions(-)


  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/61/561/2

diff --git a/README.mbedtls b/README.mbedtls
index 124eaa2..c4f3924 100644
--- a/README.mbedtls
+++ b/README.mbedtls
@@ -11,22 +11,6 @@

 *

-Warning:
-
-As of mbed TLS 2.17, it can be licensed *only* under the Apache v2.0 license.
-That license is incompatible with OpenVPN's GPLv2.
-
-We are currently in the process of resolving this problem, but for now, if you
-wish to distribute OpenVPN linked with mbed TLS, there are two options:
-
- * Ensure that your case falls under the system library exception in GPLv2, or
-
- * Use an earlier version of mbed TLS. Version 2.16.12 is the last release
-   that may be licensed under GPLv2. Unfortunately, this version is
-   unsupported and won't receive any more updates.
-
-*
-
 Due to limitations in the mbed TLS library, the following features are missing
 in the mbed TLS version of OpenVPN:


--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/561?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I1879c893ed19b165fd086728fb97951eac251681
Gerrit-Change-Number: 561
Gerrit-PatchSet: 2
Gerrit-Owner: MaxF 
Gerrit-Reviewer: cron2 
Gerrit-Reviewer: flichtenheld 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-MessageType: newpatchset
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


[Openvpn-devel] [S] Change in openvpn[master]: Remove license warning from README.mbedtls

2024-03-14 Thread cron2 (Code Review)
Attention is currently required from: MaxF, flichtenheld, plaisthos.

cron2 has posted comments on this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/561?usp=email )

Change subject: Remove license warning from README.mbedtls
..


Patch Set 1: Code-Review+2

(1 comment)

Patchset:

PS1:
makes sense, thanks.



--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/561?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I1879c893ed19b165fd086728fb97951eac251681
Gerrit-Change-Number: 561
Gerrit-PatchSet: 1
Gerrit-Owner: MaxF 
Gerrit-Reviewer: cron2 
Gerrit-Reviewer: flichtenheld 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-Attention: plaisthos 
Gerrit-Attention: flichtenheld 
Gerrit-Attention: MaxF 
Gerrit-Comment-Date: Thu, 14 Mar 2024 18:54:30 +
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


[Openvpn-devel] [S] Change in openvpn[master]: gerrit-send-mail: add missing Signed-off-by

2024-03-08 Thread cron2 (Code Review)
cron2 has submitted this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/530?usp=email )

Change subject: gerrit-send-mail: add missing Signed-off-by
..

gerrit-send-mail: add missing Signed-off-by

Our development documentation says we add this
automatically when it is missing. So let's do that
here as well.

Change-Id: If9cb7d66f079fe1c87fcb5b4e59bc887533d77fa
Signed-off-by: Frank Lichtenheld 
Acked-by: Gert Doering 
Message-Id: <20240308120557.9065-1-g...@greenie.muc.de>
URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28362.html
Signed-off-by: Gert Doering 
---
M dev-tools/gerrit-send-mail.py
1 file changed, 13 insertions(+), 0 deletions(-)




diff --git a/dev-tools/gerrit-send-mail.py b/dev-tools/gerrit-send-mail.py
index 67a2cf1..10305e2 100755
--- a/dev-tools/gerrit-send-mail.py
+++ b/dev-tools/gerrit-send-mail.py
@@ -50,6 +50,12 @@
 ack = f"{reviewer_name} <{reviewer_mail}>"
 print(f"Acked-by: {ack}")
 acked_by.append(ack)
+# construct Signed-off-by in case it is missing
+owner = json_data["owner"]
+owner_name = owner.get("display_name", owner["name"])
+owner_mail = owner.get("email", owner["name"])
+sign_off = f"{owner_name} <{owner_mail}>"
+print(f"Signed-off-by: {sign_off}")
 change_id = json_data["change_id"]
 # assumes that the created date in Gerrit is in UTC
 utc_stamp = (
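Review bot: `owner.get("email", owner["name"])` silently substitutes the Gerrit username when the account has no e-mail address, producing a malformed `Signed-off-by: Name <username>`; since Signed-off-by is a DCO attestation, aborting (or requiring the address) is better than emitting a trailer with a fabricated address. Two related points: the Gerrit change owner is the uploader, which for cherry-picks need not be the patch author, so the trailer should be built from the commit author where available; and `print(f"Signed-off-by: {sign_off}")` runs unconditionally, even when the patch already carries a sign-off and the synthesized one is never used, so move it to the branch that actually adds the trailer.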
@@ -67,6 +73,7 @@
 "target": json_data["branch"],
 "msg_id": msg_id,
 "acked_by": acked_by,
+"sign_off": sign_off,
 }


@@ -81,10 +88,14 @@

 def apply_patch_mods(patch_text, details, args):
 comment_start = patch_text.index("\n---\n") + len("\n---\n")
+signed_off_text = ""
+signed_off_comment = ""
 try:
 signed_off_start = patch_text.rindex("\nSigned-off-by: ")
 signed_off_end = patch_text.index("\n", signed_off_start + 1) + 1
 except ValueError:  # Signed-off missing
+signed_off_text = f"Signed-off-by: {details['sign_off']}\n"
+signed_off_comment = "\nSigned-off-by line for the author was added as 
per our policy.\n"
 signed_off_end = patch_text.index("\n---\n") + 1
 assert comment_start > signed_off_end
 acked_by_text = ""
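Review bot: `rindex("\nSigned-off-by: ")` searches the whole patch text rather than only the commit message before the `\n---\n` separator; diff lines carry a `+`/`-`/space prefix so a false match is unlikely, but searching `patch_text[:comment_start]` would make the intent explicit and also exclude anything appended after the diff. Separately, the `try` also swallows a ValueError from the `index("\n", ...)` call on the following line, which would then be misreported as a missing sign-off; narrowing the `try` to the `rindex` call keeps the two failures distinct.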
@@ -94,6 +105,7 @@
 acked_by_names += f"{ack}\n"
 patch_text_mod = (
 patch_text[:signed_off_end]
++ signed_off_text
 + acked_by_text
 + patch_text[signed_off_end:comment_start]
 + f"""
@@ -102,6 +114,7 @@

 Gerrit URL: {args.url}/c/{details["project"]}/+/{args.changeid}
 This mail reflects revision {details["revision"]} of this Change.
+{signed_off_comment}
 Acked-by according to Gerrit (reflected above):
 {acked_by_names}
 """

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/530?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: If9cb7d66f079fe1c87fcb5b4e59bc887533d77fa
Gerrit-Change-Number: 530
Gerrit-PatchSet: 2
Gerrit-Owner: flichtenheld 
Gerrit-Reviewer: cron2 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-MessageType: merged
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
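
The Signed-off-by handling in the gerrit-send-mail change above, as an added example that is not OpenVPN's dev-tools code: it restricts the trailer search to the commit message (the text before the first `---` separator line), refuses to synthesize an address from a username, and appends Acked-by trailers without duplicating them on a second run. The function names (split_patch, trailer_block, sign_off_identity, add_trailers, trailers_of) and the sample patch are this example's own constructions, not anything from the OpenVPN repository.

```python
"""Added example (not the OpenVPN dev-tools code): Signed-off-by / Acked-by
trailer handling for a git format-patch mail, limited to the commit message.
All function names and the sample patch below are constructed for this example."""

import re

SEPARATOR = "\n---\n"  # format-patch separator between message and diffstat
TRAILER_RE = re.compile(r"^[A-Za-z][A-Za-z-]*: \S.*$")


def split_patch(patch_text):
    """Split at the first '---' separator line. Only the left part is ever
    searched for trailers, so text inside the diff cannot be mistaken for one."""
    idx = patch_text.index(SEPARATOR)  # ValueError if this is not a format-patch
    return patch_text[:idx], patch_text[idx:]


def trailer_block(message):
    """Return (body, trailers). Trailers are the final paragraph of the message
    when every line of it is 'Key: value'; the first paragraph never counts, so
    a message without any blank line has no trailers."""
    lines = message.rstrip("\n").split("\n")
    i = len(lines)
    while i > 0 and lines[i - 1].strip() != "":
        i -= 1
    if i == 0:
        return message, []
    candidate = lines[i:]
    if candidate and all(TRAILER_RE.match(line) for line in candidate):
        return "\n".join(lines[:i]), candidate
    return message, []


def sign_off_identity(account):
    """'Name <email>' from a Gerrit-style account dict, or None when no usable
    address exists; never fall back to the username as the address."""
    name = account.get("display_name") or account.get("name")
    email = account.get("email")
    if not name or not email or "@" not in email:
        return None
    return f"{name} <{email}>"


def add_trailers(patch_text, sign_off, acks):
    """Append Signed-off-by (when missing) and Acked-by trailers to the commit
    message. Returns (new_patch_text, notes); notes lists what was added."""
    message, rest = split_patch(patch_text)
    body, trailers = trailer_block(message)
    notes = []
    if not any(t.startswith("Signed-off-by: ") for t in trailers):
        if sign_off is None:
            raise ValueError("no Signed-off-by in patch and no fallback identity")
        trailers.append(f"Signed-off-by: {sign_off}")
        notes.append("Signed-off-by line for the author was added as per policy")
    for ack in acks:
        line = f"Acked-by: {ack}"
        if line not in trailers:  # idempotent on re-runs
            trailers.append(line)
    new_message = body.rstrip("\n") + "\n\n" + "\n".join(trailers)
    return new_message + rest, notes


def trailers_of(patch_text):
    """Convenience: the trailer lines of a patch's commit message."""
    return trailer_block(split_patch(patch_text)[0])[1]


# Constructed sample patch (not a real OpenVPN change). The "Signed-off-by"
# inside the diff body shows that only the message part is inspected.
HEADER = """From 0123456789abcdef0123456789abcdef01234567 Mon Sep 17 00:00:00 2001
From: Example Dev <dev@example.invalid>
Subject: [PATCH] example: reject the option combination at startup

Check the option at startup instead of after tunnel setup.
"""
SIGNOFF = "\nSigned-off-by: Example Dev <dev@example.invalid>\n"
DIFF = """---
 src/example.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/example.c b/src/example.c
--- a/src/example.c
+++ b/src/example.c
@@ -1,2 +1,4 @@
 int check(void)
 {
+    /* Signed-off-by: not a trailer, just diff content */
+    return 0;
"""
PATCH_SIGNED = HEADER + SIGNOFF + DIFF
PATCH_UNSIGNED = HEADER + DIFF

if __name__ == "__main__":
    author = sign_off_identity({"name": "dev", "email": "dev@example.invalid"})
    text, notes = add_trailers(PATCH_UNSIGNED, author, ["Reviewer One <rev@example.invalid>"])
    print(text)
    print(notes)
```

Running the module prints the rewritten sample patch; split_patch raises ValueError when no `---` separator is present, which is the appropriate failure for input that is not a format-patch mail, and add_trailers raises when a sign-off is missing and no verified identity is available instead of inventing one.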


[Openvpn-devel] [S] Change in openvpn[master]: gerrit-send-mail: add missing Signed-off-by

2024-03-08 Thread cron2 (Code Review)
cron2 has uploaded a new patch set (#2) to the change originally created by 
flichtenheld. ( http://gerrit.openvpn.net/c/openvpn/+/530?usp=email )

The following approvals got outdated and were removed:
Code-Review+2 by cron2


Change subject: gerrit-send-mail: add missing Signed-off-by
..

gerrit-send-mail: add missing Signed-off-by

Our development documentation says we add this
automatically when it is missing. So let's do that
here as well.

Change-Id: If9cb7d66f079fe1c87fcb5b4e59bc887533d77fa
Signed-off-by: Frank Lichtenheld 
Acked-by: Gert Doering 
Message-Id: <20240308120557.9065-1-g...@greenie.muc.de>
URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28362.html
Signed-off-by: Gert Doering 
---
M dev-tools/gerrit-send-mail.py
1 file changed, 13 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/30/530/2

diff --git a/dev-tools/gerrit-send-mail.py b/dev-tools/gerrit-send-mail.py
index 67a2cf1..10305e2 100755
--- a/dev-tools/gerrit-send-mail.py
+++ b/dev-tools/gerrit-send-mail.py
@@ -50,6 +50,12 @@
 ack = f"{reviewer_name} <{reviewer_mail}>"
 print(f"Acked-by: {ack}")
 acked_by.append(ack)
+# construct Signed-off-by in case it is missing
+owner = json_data["owner"]
+owner_name = owner.get("display_name", owner["name"])
+owner_mail = owner.get("email", owner["name"])
+sign_off = f"{owner_name} <{owner_mail}>"
+print(f"Signed-off-by: {sign_off}")
 change_id = json_data["change_id"]
 # assumes that the created date in Gerrit is in UTC
 utc_stamp = (
@@ -67,6 +73,7 @@
 "target": json_data["branch"],
 "msg_id": msg_id,
 "acked_by": acked_by,
+"sign_off": sign_off,
 }


@@ -81,10 +88,14 @@

 def apply_patch_mods(patch_text, details, args):
 comment_start = patch_text.index("\n---\n") + len("\n---\n")
+signed_off_text = ""
+signed_off_comment = ""
 try:
 signed_off_start = patch_text.rindex("\nSigned-off-by: ")
 signed_off_end = patch_text.index("\n", signed_off_start + 1) + 1
 except ValueError:  # Signed-off missing
+signed_off_text = f"Signed-off-by: {details['sign_off']}\n"
+signed_off_comment = "\nSigned-off-by line for the author was added as 
per our policy.\n"
 signed_off_end = patch_text.index("\n---\n") + 1
 assert comment_start > signed_off_end
 acked_by_text = ""
@@ -94,6 +105,7 @@
 acked_by_names += f"{ack}\n"
 patch_text_mod = (
 patch_text[:signed_off_end]
++ signed_off_text
 + acked_by_text
 + patch_text[signed_off_end:comment_start]
 + f"""
@@ -102,6 +114,7 @@

 Gerrit URL: {args.url}/c/{details["project"]}/+/{args.changeid}
 This mail reflects revision {details["revision"]} of this Change.
+{signed_off_comment}
 Acked-by according to Gerrit (reflected above):
 {acked_by_names}
 """

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/530?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: If9cb7d66f079fe1c87fcb5b4e59bc887533d77fa
Gerrit-Change-Number: 530
Gerrit-PatchSet: 2
Gerrit-Owner: flichtenheld 
Gerrit-Reviewer: cron2 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-MessageType: newpatchset
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


[Openvpn-devel] [S] Change in openvpn[master]: gerrit-send-mail: add missing Signed-off-by

2024-03-08 Thread cron2 (Code Review)
Attention is currently required from: flichtenheld, plaisthos.

cron2 has posted comments on this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/530?usp=email )

Change subject: gerrit-send-mail: add missing Signed-off-by
..


Patch Set 1: Code-Review+2

(1 comment)

Patchset:

PS1:
looks reasonable.  Given that it's a language I refuse to understand I can't 
say for sure, but good enough still.



--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/530?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: If9cb7d66f079fe1c87fcb5b4e59bc887533d77fa
Gerrit-Change-Number: 530
Gerrit-PatchSet: 1
Gerrit-Owner: flichtenheld 
Gerrit-Reviewer: cron2 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-Attention: plaisthos 
Gerrit-Attention: flichtenheld 
Gerrit-Comment-Date: Fri, 08 Mar 2024 12:05:36 +
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


[Openvpn-devel] [M] Change in openvpn[master]: t_client.sh: Allow to skip tests

2024-03-08 Thread cron2 (Code Review)
cron2 has submitted this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/521?usp=email )

Change subject: t_client.sh: Allow to skip tests
..

t_client.sh: Allow to skip tests

Individual tests can define a script to run to test
whether they should be skipped.

Included in this commit is an example check which
checks whether we can do NTLM checks. This fails
e.g. on recent versions of Fedora with mbedTLS
(tested with Fedora 39) or when NTLM support is not
compiled in.

v2:
 - ntlm_support:
   - support OpenSSL 3
   - allow to build without cmocka
v3:
 - add example to t_client.rc-sample
 - t_client.sh code style
 - use syshead.h in error.h
v5:
 - rename SKIP_x to CHECK_SKIP_x

Change-Id: I13ea6752c8d102eabcc579e391828c05d5322899
Signed-off-by: Frank Lichtenheld 
Acked-by: Gert Doering 
Message-Id: <20240308102818.9249-1-g...@greenie.muc.de>
URL: 
https://www.mail-archive.com/search?l=mid=20240308102818.9249-1-g...@greenie.muc.de
Signed-off-by: Gert Doering 
---
M src/openvpn/error.h
M tests/Makefile.am
A tests/ntlm_support.c
M tests/t_client.rc-sample
M tests/t_client.sh.in
M tests/unit_tests/openvpn/mock_msg.c
6 files changed, 119 insertions(+), 15 deletions(-)




diff --git a/src/openvpn/error.h b/src/openvpn/error.h
index 1225b13..be3484d 100644
--- a/src/openvpn/error.h
+++ b/src/openvpn/error.h
@@ -25,16 +25,10 @@
 #define ERROR_H

 #include "basic.h"
-
-#include 
-#include 
+#include "syshead.h"

 #include 

-#if _WIN32
-#include 
-#endif
-
 /* #define ABORT_ON_ERROR */

 #if defined(ENABLE_PKCS11) || defined(ENABLE_MANAGEMENT)
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 6c71067..6bc02b4 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -18,6 +18,8 @@

 if !WIN32
 test_scripts = t_client.sh t_lpback.sh t_cltsrv.sh
+
+check_PROGRAMS = ntlm_support
 if HAVE_SITNL
 test_scripts += t_net.sh
 endif
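
Review bot: `check_PROGRAMS = ntlm_support` lands in the middle of the `if !WIN32` block, between a list of shell scripts and the `HAVE_SITNL` conditional, with nothing saying why a C program is being built here. A short comment ("helper used by t_client.sh to decide whether the NTLM test can run") would help, and the plain `=` will silently overwrite any `check_PROGRAMS` added later under another conditional; `check_PROGRAMS +=` with an empty unconditional initialisation above the `if` avoids that.
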
@@ -35,3 +37,15 @@

 dist_noinst_DATA = \
t_client.rc-sample
+
+ntlm_support_CFLAGS  = -I$(top_srcdir)/src/openvpn -I$(top_srcdir)/src/compat 
-I$(top_srcdir)/tests/unit_tests/openvpn -DNO_CMOCKA @TEST_CFLAGS@
+ntlm_support_LDFLAGS = @TEST_LDFLAGS@ -L$(top_srcdir)/src/openvpn 
$(OPTIONAL_CRYPTO_LIBS)
+ntlm_support_SOURCES = ntlm_support.c \
+   unit_tests/openvpn/mock_msg.c unit_tests/openvpn/mock_msg.h \
+   $(top_srcdir)/src/openvpn/buffer.c \
+   $(top_srcdir)/src/openvpn/crypto.c \
+   $(top_srcdir)/src/openvpn/crypto_openssl.c \
+   $(top_srcdir)/src/openvpn/crypto_mbedtls.c \
+   $(top_srcdir)/src/openvpn/otime.c \
+   $(top_srcdir)/src/openvpn/packet_id.c \
+   $(top_srcdir)/src/openvpn/platform.c
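
Review bot: `$(OPTIONAL_CRYPTO_LIBS)` is passed through `ntlm_support_LDFLAGS`; libraries belong in `ntlm_support_LDADD`, so that automake puts them after the object files on the link line (order matters for static archives and for `--as-needed` toolchains). The `-L$(top_srcdir)/src/openvpn` in the same line points at a source directory that holds no library, and in a VPATH build `top_srcdir` is not the build tree anyway, so it looks like a leftover and can go. Lastly, `_SOURCES` lists both `crypto_openssl.c` and `crypto_mbedtls.c`; that only works if each compiles to nothing under the other backend, which deserves a comment because it reads like a mistake at first glance.
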
diff --git a/tests/ntlm_support.c b/tests/ntlm_support.c
new file mode 100644
index 000..2d7da86
--- /dev/null
+++ b/tests/ntlm_support.c
@@ -0,0 +1,52 @@
+/*
+ *  OpenVPN -- An application to securely tunnel IP networks
+ * over a single UDP port, with support for SSL/TLS-based
+ * session authentication and key exchange,
+ * packet encryption, packet authentication, and
+ * packet compression.
+ *
+ * Copyright (C) 2023 OpenVPN Inc 
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License version 2
+ *  as published by the Free Software Foundation.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include "syshead.h"
+
+#include "crypto.h"
+#include "error.h"
+
+int
+main(void)
+{
+#if defined(ENABLE_CRYPTO_OPENSSL)
+crypto_load_provider("legacy");
+crypto_load_provider("default");
+#endif
+#ifdef NTLM
+if (!md_valid("MD4"))
+{
+msg(M_FATAL, "MD4 not supported");
+}
+if (!md_valid("MD5"))
+{
+msg(M_FATAL, "MD5 not supported");
+}
+#else  /* ifdef NTLM */
+msg(M_FATAL, "NTLM support not compiled in");
+#endif
+}
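
Review bot: `main` is declared `int` but never returns a value. C99 makes falling off the end of `main` return 0, but the entire purpose of this program is its exit status (presumably the mocked `msg()` from `mock_msg.c` exits nonzero on `M_FATAL`, and `t_client.sh` skips the test on nonzero), so add an explicit `return 0;` after the `#endif` and state the contract in the header comment: exit 0 means NTLM is usable, anything else means skip. Two smaller points: the copyright line says 2023 for a file first added in 2024, and `crypto_load_provider("legacy")` / `"default"` run whenever `ENABLE_CRYPTO_OPENSSL` is set, even when `NTLM` is not defined and the program is about to exit fatally anyway; moving the provider loading inside `#ifdef NTLM` keeps the non-NTLM path from touching the crypto library at all (the legacy provider is what makes MD4 available on OpenSSL 3, so it is only needed on the NTLM path).
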
diff --git a/tests/t_client.rc-sample b/tests/t_client.rc-sample
index 355e8bb..d61ecc4 100644
--- a/tests/t_client.rc-sample
+++ b/tests/t_client.rc-sample
@@ -27,7 +27,7 @@
 #
 # tests to run (list suffixes for config stanzas below)
 #
-TEST_RUN_LIST="1 2"
+TEST_RUN_LIST="1 2 2n"

 #
 # use "sudo" (etc) to give openvpn the necessary privileges
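
Review bot: adding `2n` to `TEST_RUN_LIST` in the sample means anyone who copies `t_client.rc-sample` now runs a third test; the `2n` stanza and its `CHECK_SKIP_2n` line (below the part of the diff shown here) are what make this the worked example for the new skip mechanism, so that stanza should carry a comment saying what `2n` is (presumably the NTLM variant of test 2) and that it is skipped automatically when `ntlm_support` exits nonzero. Without that, a reader of the sample sees a test appear with no hint that it may legitimately be skipped on their platform.
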
@@ -53,14 +53,24 @@
 #
 # if something is not defined here, the corresponding test is not run
 #
-# possible test options:
+# common test options:
 #
-# RUN_TITLE_x="what is being tested on here" (purely informational)
-# OPENVPN_CONF_x = "how to call ./openvpn" 
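
Review bot: the heading is renamed from "possible test options" to "common test options", which implies a second, per-test block follows for the new `CHECK_SKIP_x` and `CLEANUP_x` settings (the rest of this hunk is cut off in the archive). When documenting `CHECK_SKIP_x`, please spell out the exit-code semantics (the command runs before openvpn; a nonzero exit skips the test, zero lets it run), since the PS4 review asked for the rename precisely because `SKIP_x` alone did not convey that a command is executed and its result decides the skip.
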

[Openvpn-devel] [M] Change in openvpn[master]: t_client.sh: Allow to skip tests

2024-03-08 Thread cron2 (Code Review)
cron2 has uploaded a new patch set (#6) to the change originally created by 
flichtenheld. ( http://gerrit.openvpn.net/c/openvpn/+/521?usp=email )

The following approvals got outdated and were removed:
Code-Review+2 by cron2


Change subject: t_client.sh: Allow to skip tests
..

t_client.sh: Allow to skip tests

Individual tests can define a script to run to test
whether they should be skipped.

Included in this commit is an example check which
checks whether we can do NTLM checks. This fails
e.g. on recent versions of Fedora with mbedTLS
(tested with Fedora 39) or when NTLM support is not
compiled in.

v2:
 - ntlm_support:
   - support OpenSSL 3
   - allow to build without cmocka
v3:
 - add example to t_client.rc-sample
 - t_client.sh code style
 - use syshead.h in error.h
v5:
 - rename SKIP_x to CHECK_SKIP_x

Change-Id: I13ea6752c8d102eabcc579e391828c05d5322899
Signed-off-by: Frank Lichtenheld 
Acked-by: Gert Doering 
Message-Id: <20240308102818.9249-1-g...@greenie.muc.de>
URL: 
https://www.mail-archive.com/search?l=mid=20240308102818.9249-1-g...@greenie.muc.de
Signed-off-by: Gert Doering 
---
M src/openvpn/error.h
M tests/Makefile.am
A tests/ntlm_support.c
M tests/t_client.rc-sample
M tests/t_client.sh.in
M tests/unit_tests/openvpn/mock_msg.c
6 files changed, 119 insertions(+), 15 deletions(-)


  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/21/521/6

diff --git a/src/openvpn/error.h b/src/openvpn/error.h
index 1225b13..be3484d 100644
--- a/src/openvpn/error.h
+++ b/src/openvpn/error.h
@@ -25,16 +25,10 @@
 #define ERROR_H

 #include "basic.h"
-
-#include 
-#include 
+#include "syshead.h"

 #include 

-#if _WIN32
-#include 
-#endif
-
 /* #define ABORT_ON_ERROR */

 #if defined(ENABLE_PKCS11) || defined(ENABLE_MANAGEMENT)
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 6c71067..6bc02b4 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -18,6 +18,8 @@

 if !WIN32
 test_scripts = t_client.sh t_lpback.sh t_cltsrv.sh
+
+check_PROGRAMS = ntlm_support
 if HAVE_SITNL
 test_scripts += t_net.sh
 endif
@@ -35,3 +37,15 @@

 dist_noinst_DATA = \
t_client.rc-sample
+
+ntlm_support_CFLAGS  = -I$(top_srcdir)/src/openvpn -I$(top_srcdir)/src/compat 
-I$(top_srcdir)/tests/unit_tests/openvpn -DNO_CMOCKA @TEST_CFLAGS@
+ntlm_support_LDFLAGS = @TEST_LDFLAGS@ -L$(top_srcdir)/src/openvpn 
$(OPTIONAL_CRYPTO_LIBS)
+ntlm_support_SOURCES = ntlm_support.c \
+   unit_tests/openvpn/mock_msg.c unit_tests/openvpn/mock_msg.h \
+   $(top_srcdir)/src/openvpn/buffer.c \
+   $(top_srcdir)/src/openvpn/crypto.c \
+   $(top_srcdir)/src/openvpn/crypto_openssl.c \
+   $(top_srcdir)/src/openvpn/crypto_mbedtls.c \
+   $(top_srcdir)/src/openvpn/otime.c \
+   $(top_srcdir)/src/openvpn/packet_id.c \
+   $(top_srcdir)/src/openvpn/platform.c
diff --git a/tests/ntlm_support.c b/tests/ntlm_support.c
new file mode 100644
index 000..2d7da86
--- /dev/null
+++ b/tests/ntlm_support.c
@@ -0,0 +1,52 @@
+/*
+ *  OpenVPN -- An application to securely tunnel IP networks
+ * over a single UDP port, with support for SSL/TLS-based
+ * session authentication and key exchange,
+ * packet encryption, packet authentication, and
+ * packet compression.
+ *
+ * Copyright (C) 2023 OpenVPN Inc 
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License version 2
+ *  as published by the Free Software Foundation.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include "syshead.h"
+
+#include "crypto.h"
+#include "error.h"
+
+int
+main(void)
+{
+#if defined(ENABLE_CRYPTO_OPENSSL)
+crypto_load_provider("legacy");
+crypto_load_provider("default");
+#endif
+#ifdef NTLM
+if (!md_valid("MD4"))
+{
+msg(M_FATAL, "MD4 not supported");
+}
+if (!md_valid("MD5"))
+{
+msg(M_FATAL, "MD5 not supported");
+}
+#else  /* ifdef NTLM */
+msg(M_FATAL, "NTLM support not compiled in");
+#endif
+}
diff --git a/tests/t_client.rc-sample b/tests/t_client.rc-sample
index 355e8bb..d61ecc4 100644
--- a/tests/t_client.rc-sample
+++ b/tests/t_client.rc-sample
@@ -27,7 +27,7 @@
 #
 # tests to run (list suffixes for config stanzas below)
 #
-TEST_RUN_LIST="1 2"
+TEST_RUN_LIST="1 2 2n"

 #
 # use "sudo" (etc) to give openvpn the necessary privileges
@@ -53,14 +53,24 @@
 #
 # if something is not defined here, 

[Openvpn-devel] [XS] Change in openvpn[master]: check_compression_settings_valid: Do not test for LZ4 in LZO check

2024-03-08 Thread cron2 (Code Review)
cron2 has uploaded a new patch set (#2) to the change originally created by 
flichtenheld. ( http://gerrit.openvpn.net/c/openvpn/+/526?usp=email )

The following approvals got outdated and were removed:
Code-Review+2 by plaisthos


Change subject: check_compression_settings_valid: Do not test for LZ4 in LZO 
check
..

check_compression_settings_valid: Do not test for LZ4 in LZO check

Probably introduced by copy & paste since there is no
COMP_ALGV2_LZO.

Github: #500
Change-Id: Id6b038c1c0095b2f22033e9dc7090e2507a373ab
Signed-off-by: Frank Lichtenheld 
Acked-by: Arne Schwabe 
Message-Id: <20240216123037.3670448-1-fr...@lichtenheld.com>
URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28251.html
Signed-off-by: Gert Doering 
---
M src/openvpn/comp.c
1 file changed, 1 insertion(+), 1 deletion(-)


  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/26/526/2

diff --git a/src/openvpn/comp.c b/src/openvpn/comp.c
index 6e30369..311f3e9 100644
--- a/src/openvpn/comp.c
+++ b/src/openvpn/comp.c
@@ -195,7 +195,7 @@
 }
 #endif
 #ifndef ENABLE_LZO
-if (info->alg == COMP_ALG_LZO || info->alg == COMP_ALG_LZ4)
+if (info->alg == COMP_ALG_LZO)
 {
 msg(msglevel, "OpenVPN is compiled without LZO support. Requested "
 "compression cannot be enabled.");
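
Review bot: dropping `COMP_ALG_LZ4` from the `#ifndef ENABLE_LZO` test is correct only if the `#ifndef` block that closes at the `#endif` just above (presumably the `ENABLE_LZ4` one) already rejects both `COMP_ALG_LZ4` and `COMP_ALGV2_LZ4`; otherwise a build with LZO but without LZ4 would now accept an LZ4 request with no error at all. Worth confirming against the lines above the hunk, and the commit message could state it, because the visible change alone reads as a loosening of the validation rather than as the copy-and-paste cleanup it is.
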


Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Id6b038c1c0095b2f22033e9dc7090e2507a373ab
Gerrit-Change-Number: 526
Gerrit-PatchSet: 2
Gerrit-Owner: flichtenheld 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-MessageType: newpatchset


[Openvpn-devel] [M] Change in openvpn[master]: Minor fix to process_ip_header

2024-03-08 Thread cron2 (Code Review)
cron2 has uploaded a new patch set (#6) to the change originally created by 
its_Giaan. ( http://gerrit.openvpn.net/c/openvpn/+/525?usp=email )

The following approvals got outdated and were removed:
Code-Review+2 by flichtenheld, Code-Review+2 by plaisthos


Change subject: Minor fix to process_ip_header
..

Minor fix to process_ip_header

Removed if-guard checking if any feature is
enabled before performing per-feature check.
It doesn't save us much but instead introduces
unneeded complexity.

While at it, fixed a typo IMCP -> ICMP for defined
PIPV6_ICMP_NOHOST_CLIENT and PIPV6_ICMP_NOHOST_SERVER
macros.

Fixes: Trac https://community.openvpn.net/openvpn/ticket/269
Change-Id: I4b5e8357d872c920efdb64632e9bce72cebee202
Signed-off-by: Gianmarco De Gregori 
Acked-by: Arne Schwabe 
Acked-by: Frank Lichtenheld 
Message-Id: <20240307124616.16358-1-g...@greenie.muc.de>
URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28345.html
Signed-off-by: Gert Doering 
---
M src/openvpn/forward.c
M src/openvpn/forward.h
M src/openvpn/multi.c
3 files changed, 49 insertions(+), 61 deletions(-)


  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/25/525/6

diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c
index 0443ca0..556c465 100644
--- a/src/openvpn/forward.c
+++ b/src/openvpn/forward.c
@@ -1460,7 +1460,7 @@
  * us to examine the IP header (IPv4 or IPv6).
  */
 unsigned int flags = PIPV4_PASSTOS | PIP_MSSFIX | PIPV4_CLIENT_NAT
- | PIPV6_IMCP_NOHOST_CLIENT;
+ | PIPV6_ICMP_NOHOST_CLIENT;
 process_ip_header(c, flags, >c2.buf);

 #ifdef PACKET_TRUNCATION_CHECK
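
Review bot: the `IMCP` -> `ICMP` rename is a pure spelling fix that also reaches into forward.h and multi.c; bundling it with the control-flow rewrite in the next hunk makes the behavioural part of this change harder to review and to bisect. Splitting the rename into its own commit (or sending it as the first of two patches) would leave this commit with only the logic change.
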
@@ -1644,73 +1644,60 @@
 }
 if (!c->options.block_ipv6)
 {
-flags &= ~(PIPV6_IMCP_NOHOST_CLIENT | PIPV6_IMCP_NOHOST_SERVER);
+flags &= ~(PIPV6_ICMP_NOHOST_CLIENT | PIPV6_ICMP_NOHOST_SERVER);
 }

 if (buf->len > 0)
 {
-/*
- * The --passtos and --mssfix options require
- * us to examine the IPv4 header.
- */
-
-if (flags & (PIP_MSSFIX
-#if PASSTOS_CAPABILITY
- | PIPV4_PASSTOS
-#endif
- | PIPV4_CLIENT_NAT
- ))
+struct buffer ipbuf = *buf;
+if (is_ipv4(TUNNEL_TYPE(c->c1.tuntap), ))
 {
-struct buffer ipbuf = *buf;
-if (is_ipv4(TUNNEL_TYPE(c->c1.tuntap), ))
-{
 #if PASSTOS_CAPABILITY
-/* extract TOS from IP header */
-if (flags & PIPV4_PASSTOS)
-{
-link_socket_extract_tos(c->c2.link_socket, );
-}
+/* extract TOS from IP header */
+if (flags & PIPV4_PASSTOS)
+{
+link_socket_extract_tos(c->c2.link_socket, );
+}
 #endif

-/* possibly alter the TCP MSS */
-if (flags & PIP_MSSFIX)
-{
-mss_fixup_ipv4(, c->c2.frame.mss_fix);
-}
-
-/* possibly do NAT on packet */
-if ((flags & PIPV4_CLIENT_NAT) && c->options.client_nat)
-{
-const int direction = (flags & PIP_OUTGOING) ? CN_INCOMING 
: CN_OUTGOING;
-client_nat_transform(c->options.client_nat, , 
direction);
-}
-/* possibly extract a DHCP router message */
-if (flags & PIPV4_EXTRACT_DHCP_ROUTER)
-{
-const in_addr_t dhcp_router = 
dhcp_extract_router_msg();
-if (dhcp_router)
-{
-route_list_add_vpn_gateway(c->c1.route_list, c->c2.es, 
dhcp_router);
-}
-}
-}
-else if (is_ipv6(TUNNEL_TYPE(c->c1.tuntap), ))
+/* possibly alter the TCP MSS */
+if (flags & PIP_MSSFIX)
 {
-/* possibly alter the TCP MSS */
-if (flags & PIP_MSSFIX)
-{
-mss_fixup_ipv6(, c->c2.frame.mss_fix);
-}
-if (!(flags & PIP_OUTGOING) && (flags
-&(PIPV6_IMCP_NOHOST_CLIENT | 
PIPV6_IMCP_NOHOST_SERVER)))
-{
-ipv6_send_icmp_unreachable(c, buf,
-   (bool)(flags & 
PIPV6_IMCP_NOHOST_CLIENT));
-/* Drop the IPv6 packet */
-buf->len = 0;
-}
-
+mss_fixup_ipv4(, c->c2.frame.mss_fix);
 }
+
+/* possibly do NAT on packet */
+if ((flags & PIPV4_CLIENT_NAT) && c->options.client_nat)
+{
+const int direction = (flags & PIP_OUTGOING) ? CN_INCOMING : 
CN_OUTGOING;
+
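
Review bot: the removed outer guard tested only `PIP_MSSFIX | PIPV4_PASSTOS | PIPV4_CLIENT_NAT`, yet the block it wrapped also contained the `PIPV4_EXTRACT_DHCP_ROUTER` handling and the IPv6 `PIPV6_ICMP_NOHOST_*` handling. With none of the three guarded flags set, DHCP router extraction and the ICMPv6 unreachable reply therefore silently did not run. Removing the guard changes that, which is more than "doesn't save us much"; the commit message should say this is a behaviour fix (the Trac #269 reference suggests it is) and not merely a simplification. One cost worth a line in the message: `is_ipv4()` is now evaluated for every packet with `buf->len > 0`, even when `flags` is zero; if that matters, an early return on `flags == 0` keeps the fast path.
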

[Openvpn-devel] [M] Change in openvpn[master]: Minor fix to process_ip_header

2024-03-08 Thread cron2 (Code Review)
cron2 has submitted this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/525?usp=email )

Change subject: Minor fix to process_ip_header
..

Minor fix to process_ip_header

Removed if-guard checking if any feature is
enabled before performing per-feature check.
It doesn't save us much but instead introduces
unneeded complexity.

While at it, fixed a typo IMCP -> ICMP for defined
PIPV6_ICMP_NOHOST_CLIENT and PIPV6_ICMP_NOHOST_SERVER
macros.

Fixes: Trac https://community.openvpn.net/openvpn/ticket/269
Change-Id: I4b5e8357d872c920efdb64632e9bce72cebee202
Signed-off-by: Gianmarco De Gregori 
Acked-by: Arne Schwabe 
Acked-by: Frank Lichtenheld 
Message-Id: <20240307124616.16358-1-g...@greenie.muc.de>
URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28345.html
Signed-off-by: Gert Doering 
---
M src/openvpn/forward.c
M src/openvpn/forward.h
M src/openvpn/multi.c
3 files changed, 49 insertions(+), 61 deletions(-)




diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c
index 0443ca0..556c465 100644
--- a/src/openvpn/forward.c
+++ b/src/openvpn/forward.c
@@ -1460,7 +1460,7 @@
  * us to examine the IP header (IPv4 or IPv6).
  */
 unsigned int flags = PIPV4_PASSTOS | PIP_MSSFIX | PIPV4_CLIENT_NAT
- | PIPV6_IMCP_NOHOST_CLIENT;
+ | PIPV6_ICMP_NOHOST_CLIENT;
 process_ip_header(c, flags, >c2.buf);
 
 #ifdef PACKET_TRUNCATION_CHECK
@@ -1644,73 +1644,60 @@
 }
 if (!c->options.block_ipv6)
 {
-flags &= ~(PIPV6_IMCP_NOHOST_CLIENT | PIPV6_IMCP_NOHOST_SERVER);
+flags &= ~(PIPV6_ICMP_NOHOST_CLIENT | PIPV6_ICMP_NOHOST_SERVER);
 }

 if (buf->len > 0)
 {
-/*
- * The --passtos and --mssfix options require
- * us to examine the IPv4 header.
- */
-
-if (flags & (PIP_MSSFIX
-#if PASSTOS_CAPABILITY
- | PIPV4_PASSTOS
-#endif
- | PIPV4_CLIENT_NAT
- ))
+struct buffer ipbuf = *buf;
+if (is_ipv4(TUNNEL_TYPE(c->c1.tuntap), ))
 {
-struct buffer ipbuf = *buf;
-if (is_ipv4(TUNNEL_TYPE(c->c1.tuntap), ))
-{
 #if PASSTOS_CAPABILITY
-/* extract TOS from IP header */
-if (flags & PIPV4_PASSTOS)
-{
-link_socket_extract_tos(c->c2.link_socket, );
-}
+/* extract TOS from IP header */
+if (flags & PIPV4_PASSTOS)
+{
+link_socket_extract_tos(c->c2.link_socket, );
+}
 #endif

-/* possibly alter the TCP MSS */
-if (flags & PIP_MSSFIX)
-{
-mss_fixup_ipv4(, c->c2.frame.mss_fix);
-}
-
-/* possibly do NAT on packet */
-if ((flags & PIPV4_CLIENT_NAT) && c->options.client_nat)
-{
-const int direction = (flags & PIP_OUTGOING) ? CN_INCOMING 
: CN_OUTGOING;
-client_nat_transform(c->options.client_nat, , 
direction);
-}
-/* possibly extract a DHCP router message */
-if (flags & PIPV4_EXTRACT_DHCP_ROUTER)
-{
-const in_addr_t dhcp_router = 
dhcp_extract_router_msg();
-if (dhcp_router)
-{
-route_list_add_vpn_gateway(c->c1.route_list, c->c2.es, 
dhcp_router);
-}
-}
-}
-else if (is_ipv6(TUNNEL_TYPE(c->c1.tuntap), ))
+/* possibly alter the TCP MSS */
+if (flags & PIP_MSSFIX)
 {
-/* possibly alter the TCP MSS */
-if (flags & PIP_MSSFIX)
-{
-mss_fixup_ipv6(, c->c2.frame.mss_fix);
-}
-if (!(flags & PIP_OUTGOING) && (flags
-&(PIPV6_IMCP_NOHOST_CLIENT | 
PIPV6_IMCP_NOHOST_SERVER)))
-{
-ipv6_send_icmp_unreachable(c, buf,
-   (bool)(flags & 
PIPV6_IMCP_NOHOST_CLIENT));
-/* Drop the IPv6 packet */
-buf->len = 0;
-}
-
+mss_fixup_ipv4(, c->c2.frame.mss_fix);
 }
+
+/* possibly do NAT on packet */
+if ((flags & PIPV4_CLIENT_NAT) && c->options.client_nat)
+{
+const int direction = (flags & PIP_OUTGOING) ? CN_INCOMING : 
CN_OUTGOING;
+client_nat_transform(c->options.client_nat, , direction);
+}
+/* possibly extract a DHCP router message */
+if (flags & PIPV4_EXTRACT_DHCP_ROUTER)
+{
+const in_addr_t dhcp_router = 

[Openvpn-devel] [XS] Change in openvpn[master]: check_compression_settings_valid: Do not test for LZ4 in LZO check

2024-03-08 Thread cron2 (Code Review)
cron2 has submitted this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/526?usp=email )

Change subject: check_compression_settings_valid: Do not test for LZ4 in LZO 
check
..

check_compression_settings_valid: Do not test for LZ4 in LZO check

Probably introduced by copy & paste since there is no
COMP_ALGV2_LZO.

Github: #500
Change-Id: Id6b038c1c0095b2f22033e9dc7090e2507a373ab
Signed-off-by: Frank Lichtenheld 
Acked-by: Arne Schwabe 
Message-Id: <20240216123037.3670448-1-fr...@lichtenheld.com>
URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28251.html
Signed-off-by: Gert Doering 
---
M src/openvpn/comp.c
1 file changed, 1 insertion(+), 1 deletion(-)




diff --git a/src/openvpn/comp.c b/src/openvpn/comp.c
index 6e30369..311f3e9 100644
--- a/src/openvpn/comp.c
+++ b/src/openvpn/comp.c
@@ -195,7 +195,7 @@
 }
 #endif
 #ifndef ENABLE_LZO
-if (info->alg == COMP_ALG_LZO || info->alg == COMP_ALG_LZ4)
+if (info->alg == COMP_ALG_LZO)
 {
 msg(msglevel, "OpenVPN is compiled without LZO support. Requested "
 "compression cannot be enabled.");


Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Id6b038c1c0095b2f22033e9dc7090e2507a373ab
Gerrit-Change-Number: 526
Gerrit-PatchSet: 2
Gerrit-Owner: flichtenheld 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-MessageType: merged


[Openvpn-devel] [M] Change in openvpn[master]: t_client.sh: Allow to skip tests

2024-03-08 Thread cron2 (Code Review)
Attention is currently required from: flichtenheld, ordex, plaisthos.

cron2 has posted comments on this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/521?usp=email )

Change subject: t_client.sh: Allow to skip tests
..


Patch Set 5: Code-Review+2

(1 comment)

Patchset:

PS5:
thanks.  t_client looks good, ntlm test we agreed on taking as it is and maybe 
someone will come up with good ideas how to improve later on.




Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I13ea6752c8d102eabcc579e391828c05d5322899
Gerrit-Change-Number: 521
Gerrit-PatchSet: 5
Gerrit-Owner: flichtenheld 
Gerrit-Reviewer: cron2 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-CC: ordex 
Gerrit-Attention: plaisthos 
Gerrit-Attention: flichtenheld 
Gerrit-Attention: ordex 
Gerrit-Comment-Date: Fri, 08 Mar 2024 10:27:55 +
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment


[Openvpn-devel] [M] Change in openvpn[master]: Persist-key: enable persist-key option by default

2024-03-07 Thread cron2 (Code Review)
cron2 has uploaded a new patch set (#6) to the change originally created by 
its_Giaan. ( http://gerrit.openvpn.net/c/openvpn/+/529?usp=email )


Change subject: Persist-key: enable persist-key option by default
..

Persist-key: enable persist-key option by default

Change the default behavior of the OpenVPN configuration
by enabling the persist-key option by default.

This means that all the keys will be kept in memory
across restart.

Trac: #1405
Change-Id: I57f1c2ed42bd9dfd43577238749a9b7f4c1419ff
Signed-off-by: Gianmarco De Gregori 
Message-Id: <20240307140355.32644-1-g...@greenie.muc.de>
URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28347.html
Signed-off-by: Gert Doering 
---
M Changes.rst
M doc/man-sections/connection-profiles.rst
M doc/man-sections/generic-options.rst
M doc/man-sections/link-options.rst
M doc/man-sections/server-options.rst
M doc/man-sections/signals.rst
M doc/man-sections/unsupported-options.rst
M sample/sample-config-files/client.conf
M sample/sample-config-files/server.conf
M sample/sample-windows/sample.ovpn
M src/openvpn/init.c
M src/openvpn/openvpn.h
M src/openvpn/options.c
M src/openvpn/options.h
14 files changed, 24 insertions(+), 47 deletions(-)


  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/29/529/6

diff --git a/Changes.rst b/Changes.rst
index 58cb3db..4cded98 100644
--- a/Changes.rst
+++ b/Changes.rst
@@ -20,6 +20,8 @@
 When configured to authenticate with NTLMv1 (``ntlm`` keyword in
 ``--http-proxy``) OpenVPN will try NTLMv2 instead.

+``persist-key`` option has been enabled by default.
+All the keys will be kept in memory across restart.

 Overview of changes in 2.6
 ==
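
Review bot: the new changelog entry leaves out the two things an upgrading user needs. First, whether an existing `persist-key` line in a config still parses: the file list shows `doc/man-sections/unsupported-options.rst` is touched, so presumably the option is now accepted and ignored, but the entry should say so. Second, the operational consequence that the removed man-page text described: key files are no longer re-read on `SIGUSR1` or `--ping-restart`, so restarts after `--user` drops privileges now work out of the box, but an operator who rotates key files on disk and relied on `SIGUSR1` to pick them up now needs a full restart. Grammar: "The ``persist-key`` option is now enabled by default" reads better than the current first line.
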
diff --git a/doc/man-sections/connection-profiles.rst 
b/doc/man-sections/connection-profiles.rst
index c8816e1..520bbef 100644
--- a/doc/man-sections/connection-profiles.rst
+++ b/doc/man-sections/connection-profiles.rst
@@ -39,7 +39,6 @@
http-proxy 192.168.0.8 8080


-   persist-key
persist-tun
pkcs12 client.p12
remote-cert-tls server
diff --git a/doc/man-sections/generic-options.rst 
b/doc/man-sections/generic-options.rst
index 30c990d..f8a0f48 100644
--- a/doc/man-sections/generic-options.rst
+++ b/doc/man-sections/generic-options.rst
@@ -302,17 +302,6 @@
   Change process priority after initialization (``n`` greater than 0 is
   lower priority, ``n`` less than zero is higher priority).

---persist-key
-  Don't re-read key files across :code:`SIGUSR1` or ``--ping-restart``.
-
-  This option can be combined with ``--user`` to allow restarts
-  triggered by the :code:`SIGUSR1` signal. Normally if you drop root
-  privileges in OpenVPN, the daemon cannot be restarted since it will now
-  be unable to re-read protected key files.
-
-  This option solves the problem by persisting keys across :code:`SIGUSR1`
-  resets, so they don't need to be re-read.
-
 --providers providers
   Load the list of (OpenSSL) providers. This is mainly useful for using an
   external provider for key management like tpm2-openssl or to load the
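
Review bot: deleting the whole `--persist-key` entry removes the only place in the man page that explains the `--user` interaction (a privilege-dropped daemon cannot re-read protected key files, so restarts depend on the keys staying in memory). That explanation is still true, it just no longer needs an option to enable it; move it into the `--user` description or the signals section rather than dropping it, and keep a one-line `--persist-key` stub here or in unsupported-options.rst (which this change also edits) saying the option is accepted for compatibility and has no effect.
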
@@ -402,7 +391,7 @@

   Like with chroot, complications can result when scripts or restarts are
   executed after the setcon operation, which is why you should really
-  consider using the ``--persist-key`` and ``--persist-tun`` options.
+  consider using the ``--persist-tun`` option.

 --status args
   Write operational status to ``file`` every ``n`` seconds. ``n`` defaults
diff --git a/doc/man-sections/link-options.rst 
b/doc/man-sections/link-options.rst
index ca26bfe..ca192c3 100644
--- a/doc/man-sections/link-options.rst
+++ b/doc/man-sections/link-options.rst
@@ -283,7 +283,7 @@
   See the signals section below for more information on :code:`SIGUSR1`.

   Note that the behavior of ``SIGUSR1`` can be modified by the
-  ``--persist-tun``, ``--persist-key``, ``--persist-local-ip`` and
+  ``--persist-tun``, ``--persist-local-ip`` and
   ``--persist-remote-ip`` options.

   Also note that ``--ping-exit`` and ``--ping-restart`` are mutually
diff --git a/doc/man-sections/server-options.rst 
b/doc/man-sections/server-options.rst
index 98f5340..0632e31 100644
--- a/doc/man-sections/server-options.rst
+++ b/doc/man-sections/server-options.rst
@@ -452,7 +452,7 @@
   ``--route``, ``--route-gateway``, ``--route-delay``,
   ``--redirect-gateway``, ``--ip-win32``, ``--dhcp-option``, ``--dns``,
   ``--inactive``, ``--ping``, ``--ping-exit``, ``--ping-restart``,
-  ``--setenv``, ``--auth-token``, ``--persist-key``, ``--persist-tun``,
+  ``--setenv``, ``--auth-token``, ``--persist-tun``,
   ``--echo``, ``--comp-lzo``, ``--socket-flags``, ``--sndbuf``,
   ``--rcvbuf``, ``--session-timeout``

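Review bot: `--persist-key` is removed from the list of options a server may push. That is the right documentation change if the option is a no-op now, but it only holds up if the client-side parser still accepts a pushed `persist-key` from an older 2.x server without rejecting the push; please confirm in the options.c part of this change (not shown here) that it is accepted and ignored rather than treated as unknown, otherwise mixed-version deployments fail at connect time.
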
diff --git a/doc/man-sections/signals.rst b/doc/man-sections/signals.rst
index 63611b3..01e8e5b 100644
--- a/doc/man-sections/signals.rst
+++ b/doc/man-sections/signals.rst
@@ -10,9 +10,8 @@
 Like :code:`SIGHUP``, except don't re-read 

[Openvpn-devel] [M] Change in openvpn[master]: Persist-key: enable persist-key option by default

2024-03-07 Thread cron2 (Code Review)
cron2 has submitted this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/529?usp=email )

Change subject: Persist-key: enable persist-key option by default
..

Persist-key: enable persist-key option by default

Change the default behavior of the OpenVPN configuration
by enabling the persist-key option by default.

This means that all the keys will be kept in memory
across restart.

Trac: #1405
Change-Id: I57f1c2ed42bd9dfd43577238749a9b7f4c1419ff
Signed-off-by: Gianmarco De Gregori 
Message-Id: <20240307140355.32644-1-g...@greenie.muc.de>
URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28347.html
Signed-off-by: Gert Doering 
---
M Changes.rst
M doc/man-sections/connection-profiles.rst
M doc/man-sections/generic-options.rst
M doc/man-sections/link-options.rst
M doc/man-sections/server-options.rst
M doc/man-sections/signals.rst
M doc/man-sections/unsupported-options.rst
M sample/sample-config-files/client.conf
M sample/sample-config-files/server.conf
M sample/sample-windows/sample.ovpn
M src/openvpn/init.c
M src/openvpn/openvpn.h
M src/openvpn/options.c
M src/openvpn/options.h
14 files changed, 24 insertions(+), 47 deletions(-)




diff --git a/Changes.rst b/Changes.rst
index 58cb3db..4cded98 100644
--- a/Changes.rst
+++ b/Changes.rst
@@ -20,6 +20,8 @@
 When configured to authenticate with NTLMv1 (``ntlm`` keyword in
 ``--http-proxy``) OpenVPN will try NTLMv2 instead.

+``persist-key`` option has been enabled by default.
+All the keys will be kept in memory across restart.

 Overview of changes in 2.6
 ==
diff --git a/doc/man-sections/connection-profiles.rst 
b/doc/man-sections/connection-profiles.rst
index c8816e1..520bbef 100644
--- a/doc/man-sections/connection-profiles.rst
+++ b/doc/man-sections/connection-profiles.rst
@@ -39,7 +39,6 @@
http-proxy 192.168.0.8 8080


-   persist-key
persist-tun
pkcs12 client.p12
remote-cert-tls server
diff --git a/doc/man-sections/generic-options.rst 
b/doc/man-sections/generic-options.rst
index 30c990d..f8a0f48 100644
--- a/doc/man-sections/generic-options.rst
+++ b/doc/man-sections/generic-options.rst
@@ -302,17 +302,6 @@
   Change process priority after initialization (``n`` greater than 0 is
   lower priority, ``n`` less than zero is higher priority).

---persist-key
-  Don't re-read key files across :code:`SIGUSR1` or ``--ping-restart``.
-
-  This option can be combined with ``--user`` to allow restarts
-  triggered by the :code:`SIGUSR1` signal. Normally if you drop root
-  privileges in OpenVPN, the daemon cannot be restarted since it will now
-  be unable to re-read protected key files.
-
-  This option solves the problem by persisting keys across :code:`SIGUSR1`
-  resets, so they don't need to be re-read.
-
 --providers providers
   Load the list of (OpenSSL) providers. This is mainly useful for using an
   external provider for key management like tpm2-openssl or to load the
@@ -402,7 +391,7 @@

   Like with chroot, complications can result when scripts or restarts are
   executed after the setcon operation, which is why you should really
-  consider using the ``--persist-key`` and ``--persist-tun`` options.
+  consider using the ``--persist-tun`` option.

 --status args
   Write operational status to ``file`` every ``n`` seconds. ``n`` defaults
diff --git a/doc/man-sections/link-options.rst 
b/doc/man-sections/link-options.rst
index ca26bfe..ca192c3 100644
--- a/doc/man-sections/link-options.rst
+++ b/doc/man-sections/link-options.rst
@@ -283,7 +283,7 @@
   See the signals section below for more information on :code:`SIGUSR1`.

   Note that the behavior of ``SIGUSR1`` can be modified by the
-  ``--persist-tun``, ``--persist-key``, ``--persist-local-ip`` and
+  ``--persist-tun``, ``--persist-local-ip`` and
   ``--persist-remote-ip`` options.

   Also note that ``--ping-exit`` and ``--ping-restart`` are mutually
diff --git a/doc/man-sections/server-options.rst 
b/doc/man-sections/server-options.rst
index 98f5340..0632e31 100644
--- a/doc/man-sections/server-options.rst
+++ b/doc/man-sections/server-options.rst
@@ -452,7 +452,7 @@
   ``--route``, ``--route-gateway``, ``--route-delay``,
   ``--redirect-gateway``, ``--ip-win32``, ``--dhcp-option``, ``--dns``,
   ``--inactive``, ``--ping``, ``--ping-exit``, ``--ping-restart``,
-  ``--setenv``, ``--auth-token``, ``--persist-key``, ``--persist-tun``,
+  ``--setenv``, ``--auth-token``, ``--persist-tun``,
   ``--echo``, ``--comp-lzo``, ``--socket-flags``, ``--sndbuf``,
   ``--rcvbuf``, ``--session-timeout``

diff --git a/doc/man-sections/signals.rst b/doc/man-sections/signals.rst
index 63611b3..01e8e5b 100644
--- a/doc/man-sections/signals.rst
+++ b/doc/man-sections/signals.rst
@@ -10,9 +10,8 @@
 Like :code:`SIGHUP``, except don't re-read configuration file, and
 possibly don't close and reopen TUN/TAP device, re-read key files,
 preserve local IP 

[Openvpn-devel] [M] Change in openvpn[master]: t_client.sh: Allow to skip tests

2024-03-06 Thread cron2 (Code Review)
Attention is currently required from: flichtenheld, ordex, plaisthos.

cron2 has posted comments on this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/521?usp=email )

Change subject: t_client.sh: Allow to skip tests
..


Patch Set 4: Code-Review-1

(4 comments)

Patchset:

PS4:
Took me longer than expected after v4, but I do have some more wishes... 
(thanks for bearing with me)


File tests/Makefile.am:

http://gerrit.openvpn.net/c/openvpn/+/521/comment/aabb9cc6_e1155271 :
PS4, Line 45:   unit_tests/openvpn/mock_msg.c unit_tests/openvpn/mock_msg.h \
OK, so now I do better understand the -DNO_CMOCKA code in 
unit_tests/openvpn/mock_msg.c - but I'm none the happier.  Unit test code is 
unit test code, and shouldn't be used by something else (= so when trying to 
understand code in unit_tests/ I don't really want to consider "oh, wait, this 
is also used by some other piece of code").

But I can't really come up with a nice alternative that will not boil down 
to "just add another copy of `msg()` mocking into ntlm_support.c" (because 
`crypto_load_provider()` needs it).


File tests/t_client.rc-sample:

http://gerrit.openvpn.net/c/openvpn/+/521/comment/7c7d3b68_b8417006 :
PS4, Line 67: # SKIP_x= "commands to execute before openvpn, skip 
test on failure"
TBH, I do not like `SKIP_x` because it just tells me "well, yes, skip this 
test".

I'd suggest to rename it to something like `SKIP_CONDITIONAL_x` or `PRE_TEST_x` 
or so which better transports the message "ah, this is a command to run, and 
depending on the outcome, things will be skipped".


http://gerrit.openvpn.net/c/openvpn/+/521/comment/34ed3c96_6462fbf2 :
PS4, Line 70: # CLEANUP_x = "commands to execute after the test"
this is a very welcome addition to the last options that I forgot to properly 
document.  Thanks ;-)




Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I13ea6752c8d102eabcc579e391828c05d5322899
Gerrit-Change-Number: 521
Gerrit-PatchSet: 4
Gerrit-Owner: flichtenheld 
Gerrit-Reviewer: cron2 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-CC: ordex 
Gerrit-Attention: plaisthos 
Gerrit-Attention: flichtenheld 
Gerrit-Attention: ordex 
Gerrit-Comment-Date: Wed, 06 Mar 2024 09:57:55 +
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment


[Openvpn-devel] [M] Change in openvpn[master]: samples: Remove tls-*.conf

2024-03-05 Thread cron2 (Code Review)
cron2 has uploaded a new patch set (#2) to the change originally created by 
flichtenheld. ( http://gerrit.openvpn.net/c/openvpn/+/531?usp=email )

The following approvals got outdated and were removed:
Code-Review+2 by ordex, Code-Review+2 by plaisthos


Change subject: samples: Remove tls-*.conf
..

samples: Remove tls-*.conf

These are mostly redundant with client/server.conf
Let's try to manage to maintain one set of sample
configurations before we branch out further.

Change-Id: I199541fea5a76c8edef7f67d2dbfc476987dc2f7
Signed-off-by: Frank Lichtenheld 
Acked-by: Arne Schwabe 
Acked-by: Antonio Quartulli 
Message-Id: <20240304161556.2036270-1-fr...@lichtenheld.com>
URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28316.html
Signed-off-by: Gert Doering 
---
D sample/sample-config-files/home.up
D sample/sample-config-files/office.up
D sample/sample-config-files/tls-home.conf
D sample/sample-config-files/tls-office.conf
4 files changed, 0 insertions(+), 173 deletions(-)


  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/31/531/2

diff --git a/sample/sample-config-files/home.up 
b/sample/sample-config-files/home.up
deleted file mode 100755
index 9c347cc..000
--- a/sample/sample-config-files/home.up
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/bin/sh
-route add -net 10.0.0.0 netmask 255.255.255.0 gw $5
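Review bot: deleting home.up is consistent with the rest of the change, since its only consumer is the `up ./home.up` line in tls-home.conf, which is deleted further down; the commit message only calls the configs "redundant", so one sentence saying the `.up` scripts go because nothing references them any more would make the removal of two executable (mode 100755) files easier to audit.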
diff --git a/sample/sample-config-files/office.up 
b/sample/sample-config-files/office.up
deleted file mode 100755
index 74a71a3..000
--- a/sample/sample-config-files/office.up
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/bin/sh
-route add -net 10.0.1.0 netmask 255.255.255.0 gw $5
diff --git a/sample/sample-config-files/tls-home.conf 
b/sample/sample-config-files/tls-home.conf
deleted file mode 100644
index ff19d50..000
--- a/sample/sample-config-files/tls-home.conf
+++ /dev/null
@@ -1,83 +0,0 @@
-#
-# Sample OpenVPN configuration file for
-# home using SSL/TLS mode and RSA certificates/keys.
-#
-# '#' or ';' may be used to delimit comments.
-
-# Use a dynamic tun device.  For non-Linux OSes, you may want to use an
-# explicit unit number such as "tun1".
-# OpenVPN also supports virtual ethernet "tap" devices.
-dev tun
-
-# Our OpenVPN peer is the office gateway.
-remote 1.2.3.4
-
-# 10.1.0.2 is our local VPN endpoint (home).
-# 10.1.0.1 is our remote VPN endpoint (office).
-ifconfig 10.1.0.2 10.1.0.1
-
-# Our up script will establish routes
-# once the VPN is alive.
-up ./home.up
-
-# In SSL/TLS key exchange, Office will
-# assume server role and Home
-# will assume client role.
-tls-client
-
-# Certificate Authority file
-ca my-ca.crt
-
-# Our certificate/public key
-cert home.crt
-
-# Our private key
-key home.key
-
-# Our data channel cipher (must match peer config)
-cipher AES-256-GCM
-
-# OpenVPN 2.0 uses UDP port 1194 by default
-# (official port assignment by iana.org 11/04).
-# OpenVPN 1.x uses UDP port 5000 by default.
-# Each OpenVPN tunnel must use
-# a different port number.
-# lport or rport can be used
-# to denote different ports
-# for local and remote.
-; port 1194
-
-# Downgrade UID and GID to an
-# unpriviledged user after initialization
-# for extra security.
-; user openvpn
-; group openvpn
-
-# If you built OpenVPN with
-# LZO compression, uncomment
-# out the following line.
-; comp-lzo
-
-# Send a UDP ping to remote once
-# every 15 seconds to keep
-# stateful firewall connection
-# alive.  Uncomment this
-# out if you are using a stateful
-# firewall.
-; ping 15
-
-# Uncomment this section for a more reliable detection when a system
-# loses its connection.  For example, dial-ups or laptops that
-# travel to other locations.
-; ping 15
-; ping-restart 45
-; ping-timer-rem
-; persist-tun
-; persist-key
-
-# Verbosity level.
-# 0 -- quiet except for fatal errors.
-# 1 -- mostly quiet, but display non-fatal network errors.
-# 3 -- medium output, good for normal operation.
-# 9 -- verbose, good for troubleshooting
-verb 3
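Review bot: the commit message says these samples are "mostly redundant with client/server.conf", but this file documents a different mode than client.conf: a point-to-point `ifconfig 10.1.0.2 10.1.0.1` tunnel with `tls-client` and a hand-written `up` script instead of a `--server` address pool, so after this change that topology is no longer covered by any shipped sample; if dropping it is intentional, say so in the commit message, otherwise a reduced p2p example would be worth keeping.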
diff --git a/sample/sample-config-files/tls-office.conf 
b/sample/sample-config-files/tls-office.conf
deleted file mode 100644
index 152e58a..000
--- a/sample/sample-config-files/tls-office.conf
+++ /dev/null
@@ -1,86 +0,0 @@
-#
-# Sample OpenVPN configuration file for
-# office using SSL/TLS mode and RSA certificates/keys.
-#
-# '#' or ';' may be used to delimit comments.
-
-# Use a dynamic tun device.
-# For Linux 2.2 or non-Linux OSes,
-# you may want to use an explicit
-# unit number such as "tun1".
-# OpenVPN also supports virtual
-# ethernet "tap" devices.
-dev tun
-
-# 10.1.0.1 is our local VPN endpoint (office).
-# 10.1.0.2 is our remote VPN endpoint (home).
-ifconfig 10.1.0.1 10.1.0.2
-
-# Our up script will establish routes
-# once the VPN is alive.
-up ./office.up
-
-# In SSL/TLS key exchange, Office will
-# assume server role and Home
-# will assume client role.
-tls-server
-
-# Diffie-Hellman Parameters (tls-server only)
-dh dh2048.pem
-
-# Certificate 

[Openvpn-devel] [M] Change in openvpn[master]: samples: Remove tls-*.conf

2024-03-05 Thread cron2 (Code Review)
cron2 has submitted this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/531?usp=email )

Change subject: samples: Remove tls-*.conf
..

samples: Remove tls-*.conf

These are mostly redundant with client/server.conf
Let's try to manage to maintain one set of sample
configurations before we branch out further.

Change-Id: I199541fea5a76c8edef7f67d2dbfc476987dc2f7
Signed-off-by: Frank Lichtenheld 
Acked-by: Arne Schwabe 
Acked-by: Antonio Quartulli 
Message-Id: <20240304161556.2036270-1-fr...@lichtenheld.com>
URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28316.html
Signed-off-by: Gert Doering 
---
D sample/sample-config-files/home.up
D sample/sample-config-files/office.up
D sample/sample-config-files/tls-home.conf
D sample/sample-config-files/tls-office.conf
4 files changed, 0 insertions(+), 173 deletions(-)




diff --git a/sample/sample-config-files/home.up 
b/sample/sample-config-files/home.up
deleted file mode 100755
index 9c347cc..000
--- a/sample/sample-config-files/home.up
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/bin/sh
-route add -net 10.0.0.0 netmask 255.255.255.0 gw $5
diff --git a/sample/sample-config-files/office.up 
b/sample/sample-config-files/office.up
deleted file mode 100755
index 74a71a3..000
--- a/sample/sample-config-files/office.up
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/bin/sh
-route add -net 10.0.1.0 netmask 255.255.255.0 gw $5
diff --git a/sample/sample-config-files/tls-home.conf 
b/sample/sample-config-files/tls-home.conf
deleted file mode 100644
index ff19d50..000
--- a/sample/sample-config-files/tls-home.conf
+++ /dev/null
@@ -1,83 +0,0 @@
-#
-# Sample OpenVPN configuration file for
-# home using SSL/TLS mode and RSA certificates/keys.
-#
-# '#' or ';' may be used to delimit comments.
-
-# Use a dynamic tun device.  For non-Linux OSes, you may want to use an
-# explicit unit number such as "tun1".
-# OpenVPN also supports virtual ethernet "tap" devices.
-dev tun
-
-# Our OpenVPN peer is the office gateway.
-remote 1.2.3.4
-
-# 10.1.0.2 is our local VPN endpoint (home).
-# 10.1.0.1 is our remote VPN endpoint (office).
-ifconfig 10.1.0.2 10.1.0.1
-
-# Our up script will establish routes
-# once the VPN is alive.
-up ./home.up
-
-# In SSL/TLS key exchange, Office will
-# assume server role and Home
-# will assume client role.
-tls-client
-
-# Certificate Authority file
-ca my-ca.crt
-
-# Our certificate/public key
-cert home.crt
-
-# Our private key
-key home.key
-
-# Our data channel cipher (must match peer config)
-cipher AES-256-GCM
-
-# OpenVPN 2.0 uses UDP port 1194 by default
-# (official port assignment by iana.org 11/04).
-# OpenVPN 1.x uses UDP port 5000 by default.
-# Each OpenVPN tunnel must use
-# a different port number.
-# lport or rport can be used
-# to denote different ports
-# for local and remote.
-; port 1194
-
-# Downgrade UID and GID to an
-# unpriviledged user after initialization
-# for extra security.
-; user openvpn
-; group openvpn
-
-# If you built OpenVPN with
-# LZO compression, uncomment
-# out the following line.
-; comp-lzo
-
-# Send a UDP ping to remote once
-# every 15 seconds to keep
-# stateful firewall connection
-# alive.  Uncomment this
-# out if you are using a stateful
-# firewall.
-; ping 15
-
-# Uncomment this section for a more reliable detection when a system
-# loses its connection.  For example, dial-ups or laptops that
-# travel to other locations.
-; ping 15
-; ping-restart 45
-; ping-timer-rem
-; persist-tun
-; persist-key
-
-# Verbosity level.
-# 0 -- quiet except for fatal errors.
-# 1 -- mostly quiet, but display non-fatal network errors.
-# 3 -- medium output, good for normal operation.
-# 9 -- verbose, good for troubleshooting
-verb 3
diff --git a/sample/sample-config-files/tls-office.conf 
b/sample/sample-config-files/tls-office.conf
deleted file mode 100644
index 152e58a..000
--- a/sample/sample-config-files/tls-office.conf
+++ /dev/null
@@ -1,86 +0,0 @@
-#
-# Sample OpenVPN configuration file for
-# office using SSL/TLS mode and RSA certificates/keys.
-#
-# '#' or ';' may be used to delimit comments.
-
-# Use a dynamic tun device.
-# For Linux 2.2 or non-Linux OSes,
-# you may want to use an explicit
-# unit number such as "tun1".
-# OpenVPN also supports virtual
-# ethernet "tap" devices.
-dev tun
-
-# 10.1.0.1 is our local VPN endpoint (office).
-# 10.1.0.2 is our remote VPN endpoint (home).
-ifconfig 10.1.0.1 10.1.0.2
-
-# Our up script will establish routes
-# once the VPN is alive.
-up ./office.up
-
-# In SSL/TLS key exchange, Office will
-# assume server role and Home
-# will assume client role.
-tls-server
-
-# Diffie-Hellman Parameters (tls-server only)
-dh dh2048.pem
-
-# Certificate Authority file
-ca my-ca.crt
-
-# Our certificate/public key
-cert office.crt
-
-# Our private key
-key office.key
-
-# Our data channel cipher (must match peer config)
-cipher AES-256-GCM
-
-# OpenVPN 2.0 uses UDP port 1194 by default
-# 

[Openvpn-devel] [XS] Change in openvpn[master]: Fix typo --data-cipher-fallback

2024-03-05 Thread cron2 (Code Review)
cron2 has submitted this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/534?usp=email )

Change subject: Fix typo --data-cipher-fallback
..

Fix typo --data-cipher-fallback

Change-Id: I38e70cb74c10848ab2981efc4c4c8863c5c8785d
Signed-off-by: Frank Lichtenheld 
Acked-by: Arne Schwabe 
Message-Id: <20240305082236.17566-1-g...@greenie.muc.de>
URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28321.html
Signed-off-by: Gert Doering 
---
M doc/man-sections/generic-options.rst
M src/openvpn/dco.c
2 files changed, 2 insertions(+), 2 deletions(-)




diff --git a/doc/man-sections/generic-options.rst 
b/doc/man-sections/generic-options.rst
index 95e4ca2..30c990d 100644
--- a/doc/man-sections/generic-options.rst
+++ b/doc/man-sections/generic-options.rst
@@ -75,7 +75,7 @@
 to the configuration if no other compression options are present.
   - 2.4.x or lower: The cipher in ``--cipher`` is appended to
 ``--data-ciphers``.
-  - 2.3.x or lower: ``--data-cipher-fallback`` is automatically added with
+  - 2.3.x or lower: ``--data-ciphers-fallback`` is automatically added with
 the same cipher as ``--cipher``.
   - 2.3.6 or lower: ``--tls-version-min 1.0`` is added to the configuration
 when ``--tls-version-min`` is not explicitly set.
diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c
index cd3e0ad..14430d3 100644
--- a/src/openvpn/dco.c
+++ b/src/openvpn/dco.c
@@ -400,7 +400,7 @@
 if (o->enable_ncp_fallback
 && !tls_item_in_cipher_list(o->ciphername, 
dco_get_supported_ciphers()))
 {
-msg(msglevel, "Note: --data-cipher-fallback with cipher '%s' "
+msg(msglevel, "Note: --data-ciphers-fallback with cipher '%s' "
 "disables data channel offload.", o->ciphername);
 return false;
 }
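Review bot: this string is the user-facing half of the fix: it is logged at `msglevel` when DCO is disabled because the `--data-ciphers-fallback` cipher is not in `dco_get_supported_ciphers()`, and anyone grepping logs for the real option name would not have found it before; worth a `git grep data-cipher-fallback` (singular) to confirm the doc line and this log line were the only two occurrences.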


Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I38e70cb74c10848ab2981efc4c4c8863c5c8785d
Gerrit-Change-Number: 534
Gerrit-PatchSet: 2
Gerrit-Owner: flichtenheld 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-MessageType: merged


[Openvpn-devel] [XS] Change in openvpn[master]: Fix typo --data-cipher-fallback

2024-03-05 Thread cron2 (Code Review)
cron2 has uploaded a new patch set (#2) to the change originally created by 
flichtenheld. ( http://gerrit.openvpn.net/c/openvpn/+/534?usp=email )

The following approvals got outdated and were removed:
Code-Review+2 by plaisthos


Change subject: Fix typo --data-cipher-fallback
..

Fix typo --data-cipher-fallback

Change-Id: I38e70cb74c10848ab2981efc4c4c8863c5c8785d
Signed-off-by: Frank Lichtenheld 
Acked-by: Arne Schwabe 
Message-Id: <20240305082236.17566-1-g...@greenie.muc.de>
URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28321.html
Signed-off-by: Gert Doering 
---
M doc/man-sections/generic-options.rst
M src/openvpn/dco.c
2 files changed, 2 insertions(+), 2 deletions(-)


  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/34/534/2

diff --git a/doc/man-sections/generic-options.rst 
b/doc/man-sections/generic-options.rst
index 95e4ca2..30c990d 100644
--- a/doc/man-sections/generic-options.rst
+++ b/doc/man-sections/generic-options.rst
@@ -75,7 +75,7 @@
 to the configuration if no other compression options are present.
   - 2.4.x or lower: The cipher in ``--cipher`` is appended to
 ``--data-ciphers``.
-  - 2.3.x or lower: ``--data-cipher-fallback`` is automatically added with
+  - 2.3.x or lower: ``--data-ciphers-fallback`` is automatically added with
 the same cipher as ``--cipher``.
   - 2.3.6 or lower: ``--tls-version-min 1.0`` is added to the configuration
 when ``--tls-version-min`` is not explicitly set.
diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c
index cd3e0ad..14430d3 100644
--- a/src/openvpn/dco.c
+++ b/src/openvpn/dco.c
@@ -400,7 +400,7 @@
 if (o->enable_ncp_fallback
 && !tls_item_in_cipher_list(o->ciphername, 
dco_get_supported_ciphers()))
 {
-msg(msglevel, "Note: --data-cipher-fallback with cipher '%s' "
+msg(msglevel, "Note: --data-ciphers-fallback with cipher '%s' "
 "disables data channel offload.", o->ciphername);
 return false;
 }


Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I38e70cb74c10848ab2981efc4c4c8863c5c8785d
Gerrit-Change-Number: 534
Gerrit-PatchSet: 2
Gerrit-Owner: flichtenheld 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-MessageType: newpatchset


[Openvpn-devel] [M] Change in openvpn[master]: t_client.sh: Allow to skip tests

2024-02-28 Thread cron2 (Code Review)
Attention is currently required from: flichtenheld, ordex, plaisthos.

cron2 has posted comments on this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/521?usp=email )

Change subject: t_client.sh: Allow to skip tests
..


Patch Set 2: Code-Review-1

(5 comments)

Patchset:

PS2:
I think this is a useful patch but there seems to be a bit of friction to 
overcome :-)


File src/openvpn/error.h:

http://gerrit.openvpn.net/c/openvpn/+/521/comment/509f59c6_11cebc44 :
PS2, Line 39: #endif
I don't like this, for two reasons - we protect unistd.h via `HAVE_UNISTD_H`, 
not via "not windows", and also this is really a separate project, moving out 
includes from `"syshead.h"` to the parent C file because some compilers 
complain.


File tests/t_client.sh.in:

http://gerrit.openvpn.net/c/openvpn/+/521/comment/4d712547_a890cc8a :
PS2, Line 301: SKIP_
> Like all the other test settings this is defined in the t_client.rc. […]
Having an example would certainly help people setting this up for their first 
time.


http://gerrit.openvpn.net/c/openvpn/+/521/comment/71a3de91_936dd75e :
PS2, Line 325: eval $test_check_skip || {
while this certainly works, the `|| {` style is quite different from the very 
traditional `if/then/fi` style of the rest of the script.  So I'm a bit 
undecided what to think about it.

```
if eval $test_check_skip ; then :
else
output ...
...
fi
```
is not as compact, but might be easier to grok?


File tests/unit_tests/openvpn/mock_msg.c:

http://gerrit.openvpn.net/c/openvpn/+/521/comment/4daebdcf_1d3501b2 :
PS2, Line 94: endif
> assert_failed is defined in error. […]
Not sure I understand why we have cmocka specific .c files with #ifdef 
NO_CMOCKA?  Is this ever used outside the unit test context?




Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I13ea6752c8d102eabcc579e391828c05d5322899
Gerrit-Change-Number: 521
Gerrit-PatchSet: 2
Gerrit-Owner: flichtenheld 
Gerrit-Reviewer: cron2 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-CC: ordex 
Gerrit-Attention: plaisthos 
Gerrit-Attention: flichtenheld 
Gerrit-Attention: ordex 
Gerrit-Comment-Date: Wed, 28 Feb 2024 10:01:20 +
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Comment-In-Reply-To: flichtenheld 
Comment-In-Reply-To: ordex 
Gerrit-MessageType: comment


[Openvpn-devel] [L] Change in openvpn[master]: Turn dead list test code into unit test

2024-02-10 Thread cron2 (Code Review)
cron2 has submitted this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/446?usp=email )

Change subject: Turn dead list test code into unit test
..

Turn dead list test code into unit test

Change-Id: I7511bc43cd6a0bcb89476f27d5822ab4a78d0d21
Signed-off-by: Arne Schwabe 
Acked-by: Frank Lichtenheld 
Message-Id: <20240209105902.14506-1-fr...@lichtenheld.com>
URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28201.html
Signed-off-by: Gert Doering 
---
M CMakeLists.txt
M src/openvpn/init.c
M src/openvpn/list.c
M src/openvpn/list.h
M tests/unit_tests/openvpn/Makefile.am
M tests/unit_tests/openvpn/test_misc.c
6 files changed, 210 insertions(+), 193 deletions(-)




diff --git a/CMakeLists.txt b/CMakeLists.txt
index fdd2b01..3127611 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -747,6 +747,7 @@
 tests/unit_tests/openvpn/mock_get_random.c
 src/openvpn/options_util.c
 src/openvpn/ssl_util.c
+src/openvpn/list.c
 )

 target_sources(test_ncp PRIVATE
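Review bot: adding src/openvpn/list.c to this target pulls `hash_init` and friends into test_misc, and the removed self-test seeded them with `get_random()`, so the `mock_get_random.c` already listed here must provide whatever the new unit test calls; tests/unit_tests/openvpn/Makefile.am is in the changed-file list, so the autotools target should receive the same source, or one of the two builds will fail to link.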
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index c5cc154..52b4308 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -865,11 +865,6 @@
 return false;
 #endif

-#ifdef LIST_TEST
-list_test();
-return false;
-#endif
-
 #ifdef IFCONFIG_POOL_TEST
 ifconfig_pool_test(0x0A010004, 0x0A0100FF);
 return false;
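Review bot: with the `#ifdef LIST_TEST` block gone `list_test()` has no caller left, so its declaration in list.h and any `LIST_TEST` define in the build system should go with it (list.h is in the changed-file list, so presumably that is handled); the neighbouring `IFCONFIG_POOL_TEST` block is the same kind of dead self-test and could get the identical treatment in a follow-up.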
diff --git a/src/openvpn/list.c b/src/openvpn/list.c
index 480f39d..dc4b1df 100644
--- a/src/openvpn/list.c
+++ b/src/openvpn/list.c
@@ -326,185 +326,6 @@
 }


-#ifdef LIST_TEST
-
-/*
- * Test the hash code by implementing a simple
- * word frequency algorithm.
- */
-
-struct word
-{
-const char *word;
-int n;
-};
-
-static uint32_t
-word_hash_function(const void *key, uint32_t iv)
-{
-const char *str = (const char *) key;
-const int len = strlen(str);
-return hash_func((const uint8_t *)str, len, iv);
-}
-
-static bool
-word_compare_function(const void *key1, const void *key2)
-{
-return strcmp((const char *)key1, (const char *)key2) == 0;
-}
-
-static void
-print_nhash(struct hash *hash)
-{
-struct hash_iterator hi;
-struct hash_element *he;
-int count = 0;
-
-hash_iterator_init(hash, , true);
-
-while ((he = hash_iterator_next()))
-{
-printf("%d ", (int) he->value);
-++count;
-}
-printf("\n");
-
-hash_iterator_free();
-ASSERT(count == hash_n_elements(hash));
-}
-
-static void
-rmhash(struct hash *hash, const char *word)
-{
-hash_remove(hash, word);
-}
-
-void
-list_test(void)
-{
-openvpn_thread_init();
-
-{
-struct gc_arena gc = gc_new();
-struct hash *hash = hash_init(1, get_random(), word_hash_function, 
word_compare_function);
-struct hash *nhash = hash_init(256, get_random(), word_hash_function, 
word_compare_function);
-
-printf("hash_init n_buckets=%d mask=0x%08x\n", hash->n_buckets, 
hash->mask);
-
-/* parse words from stdin */
-while (true)
-{
-char buf[256];
-char wordbuf[256];
-int wbi;
-int bi;
-char c;
-
-if (!fgets(buf, sizeof(buf), stdin))
-{
-break;
-}
-
-bi = wbi = 0;
-do
-{
-c = buf[bi++];
-if (isalnum(c) || c == '_')
-{
-ASSERT(wbi < (int) sizeof(wordbuf));
-wordbuf[wbi++] = c;
-}
-else
-{
-if (wbi)
-{
-struct word *w;
-ASSERT(wbi < (int) sizeof(wordbuf));
-wordbuf[wbi++] = '\0';
-
-/* word is parsed from stdin */
-
-/* does it already exist in table? */
-w = (struct word *) hash_lookup(hash, wordbuf);
-
-if (w)
-{
-/* yes, increment count */
-++w->n;
-}
-else
-{
-/* no, make a new object */
-ALLOC_OBJ_GC(w, struct word, );
-w->word = string_alloc(wordbuf, );
-w->n = 1;
-ASSERT(hash_add(hash, w->word, w, false));
-ASSERT(hash_add(nhash, w->word, (void *) 
((random() & 0x0F) + 1), false));
-}
-}
-wbi = 0;
-}
-} while (c);
-}
-
-#if 1
-/* remove some words from the table */
-{
-rmhash(hash, "true");
-rmhash(hash, "false");
-}
-#endif
-
-/* output contents of hash table */
-  
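Review bot: the removed code exercised `hash_add` including its duplicate-rejection return value, `hash_lookup`, `hash_remove` via `rmhash`, and the iterator with the consistency check `ASSERT(count == hash_n_elements(hash))`; the replacement in test_misc.c is not in this excerpt, so confirm it covers those same paths and not only insert/lookup. The old code also smuggled small integers through the value pointer (`(void *) ((random() & 0x0F) + 1)`), which the new test should not copy.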

[Openvpn-devel] [L] Change in openvpn[master]: Turn dead list test code into unit test

2024-02-10 Thread cron2 (Code Review)
cron2 has uploaded a new patch set (#6) to the change originally created by 
plaisthos. ( http://gerrit.openvpn.net/c/openvpn/+/446?usp=email )

The following approvals got outdated and were removed:
Code-Review+2 by flichtenheld


Change subject: Turn dead list test code into unit test
..

Turn dead list test code into unit test

Change-Id: I7511bc43cd6a0bcb89476f27d5822ab4a78d0d21
Signed-off-by: Arne Schwabe 
Acked-by: Frank Lichtenheld 
Message-Id: <20240209105902.14506-1-fr...@lichtenheld.com>
URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28201.html
Signed-off-by: Gert Doering 
---
M CMakeLists.txt
M src/openvpn/init.c
M src/openvpn/list.c
M src/openvpn/list.h
M tests/unit_tests/openvpn/Makefile.am
M tests/unit_tests/openvpn/test_misc.c
6 files changed, 210 insertions(+), 193 deletions(-)


  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/46/446/6

diff --git a/CMakeLists.txt b/CMakeLists.txt
index fdd2b01..3127611 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -747,6 +747,7 @@
 tests/unit_tests/openvpn/mock_get_random.c
 src/openvpn/options_util.c
 src/openvpn/ssl_util.c
+src/openvpn/list.c
 )

 target_sources(test_ncp PRIVATE
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index c5cc154..52b4308 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -865,11 +865,6 @@
 return false;
 #endif

-#ifdef LIST_TEST
-list_test();
-return false;
-#endif
-
 #ifdef IFCONFIG_POOL_TEST
 ifconfig_pool_test(0x0A010004, 0x0A0100FF);
 return false;
diff --git a/src/openvpn/list.c b/src/openvpn/list.c
index 480f39d..dc4b1df 100644
--- a/src/openvpn/list.c
+++ b/src/openvpn/list.c
@@ -326,185 +326,6 @@
 }


-#ifdef LIST_TEST
-
-/*
- * Test the hash code by implementing a simple
- * word frequency algorithm.
- */
-
-struct word
-{
-const char *word;
-int n;
-};
-
-static uint32_t
-word_hash_function(const void *key, uint32_t iv)
-{
-const char *str = (const char *) key;
-const int len = strlen(str);
-return hash_func((const uint8_t *)str, len, iv);
-}
-
-static bool
-word_compare_function(const void *key1, const void *key2)
-{
-return strcmp((const char *)key1, (const char *)key2) == 0;
-}
-
-static void
-print_nhash(struct hash *hash)
-{
-struct hash_iterator hi;
-struct hash_element *he;
-int count = 0;
-
-hash_iterator_init(hash, , true);
-
-while ((he = hash_iterator_next()))
-{
-printf("%d ", (int) he->value);
-++count;
-}
-printf("\n");
-
-hash_iterator_free();
-ASSERT(count == hash_n_elements(hash));
-}
-
-static void
-rmhash(struct hash *hash, const char *word)
-{
-hash_remove(hash, word);
-}
-
-void
-list_test(void)
-{
-openvpn_thread_init();
-
-{
-struct gc_arena gc = gc_new();
-struct hash *hash = hash_init(1, get_random(), word_hash_function, 
word_compare_function);
-struct hash *nhash = hash_init(256, get_random(), word_hash_function, 
word_compare_function);
-
-printf("hash_init n_buckets=%d mask=0x%08x\n", hash->n_buckets, 
hash->mask);
-
-/* parse words from stdin */
-while (true)
-{
-char buf[256];
-char wordbuf[256];
-int wbi;
-int bi;
-char c;
-
-if (!fgets(buf, sizeof(buf), stdin))
-{
-break;
-}
-
-bi = wbi = 0;
-do
-{
-c = buf[bi++];
-if (isalnum(c) || c == '_')
-{
-ASSERT(wbi < (int) sizeof(wordbuf));
-wordbuf[wbi++] = c;
-}
-else
-{
-if (wbi)
-{
-struct word *w;
-ASSERT(wbi < (int) sizeof(wordbuf));
-wordbuf[wbi++] = '\0';
-
-/* word is parsed from stdin */
-
-/* does it already exist in table? */
-w = (struct word *) hash_lookup(hash, wordbuf);
-
-if (w)
-{
-/* yes, increment count */
-++w->n;
-}
-else
-{
-/* no, make a new object */
-ALLOC_OBJ_GC(w, struct word, );
-w->word = string_alloc(wordbuf, );
-w->n = 1;
-ASSERT(hash_add(hash, w->word, w, false));
-ASSERT(hash_add(nhash, w->word, (void *) 
((random() & 0x0F) + 1), false));
-}
-}
-wbi = 0;
-}
-} while (c);
-}

[Openvpn-devel] [M] Change in openvpn[master]: Implement generating TLS 1.0 PRF using new OpenSSL 3.0 APIs

2024-02-10 Thread cron2 (Code Review)
cron2 has submitted this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/457?usp=email )

Change subject: Implement generating TLS 1.0 PRF using new OpenSSL 3.0 APIs
..

Implement generating TLS 1.0 PRF using new OpenSSL 3.0 APIs

OpenSSL 3.0 introduced a new API for doing key derivation. So this leaves
us now with three different implementations for 1.0.2, 1.1.x and 3.x.

This was initially done to maybe still have a working TLS 1.0 PRF when
using OpenSSL 3.0 in FIPS but it gives the same error as with the older API.
But since moving to a new API is always good, we use the new API when using
OpenSSL 3.0. We also print the internal OpenSSL error message when
the KDF fails.

This also allows us now to compile an OpenSSL build that has been built with
OPENSSL_NO_MD5, which is not yet common but might be in the future.

Change-Id: Ic74195a4ed340547c5e862dc2438f95be318c286
Signed-off-by: Arne Schwabe 
Acked-by: Frank Lichtenheld 
Message-Id: <20240209110629.15364-1-fr...@lichtenheld.com>
URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28203.html
Signed-off-by: Gert Doering 
---
M src/openvpn/crypto_openssl.c
1 file changed, 51 insertions(+), 1 deletion(-)




diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
index e8ddf14..4fd5e6b 100644
--- a/src/openvpn/crypto_openssl.c
+++ b/src/openvpn/crypto_openssl.c
@@ -54,6 +54,7 @@
 #endif
 #if OPENSSL_VERSION_NUMBER >= 0x3000L
 #include 
+#include 
 #endif

 #if defined(_WIN32) && defined(OPENSSL_NO_EC)
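Review bot: the new include is guarded by `OPENSSL_VERSION_NUMBER >= 0x3000L`, and the same short constants (`0x3000L`, `0x1010L`) appear in the next hunk; OpenSSL 3.0 reports `0x30000000L` and 1.1.0 reports `0x10100000L`, so if these forms are really what the source contains (rather than an archive rendering artefact, which also ate the header name after `#include`), every 1.1.x build would satisfy the "3.0" test and take the EVP_KDF branch that 1.1.x cannot compile.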
@@ -1329,8 +1330,57 @@
 {
 return CRYPTO_memcmp(a, b, size);
 }
+#if (OPENSSL_VERSION_NUMBER >= 0x3000L) && 
!defined(LIBRESSL_VERSION_NUMBER)
+bool
+ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret,
+ int secret_len, uint8_t *output, int output_len)
+{
+bool ret = true;
+EVP_KDF_CTX *kctx = NULL;

-#if (OPENSSL_VERSION_NUMBER >= 0x1010L) && 
!defined(LIBRESSL_VERSION_NUMBER)
+
+EVP_KDF *kdf = EVP_KDF_fetch(NULL, "TLS1-PRF", NULL);
+if (!kdf)
+{
+goto err;
+}
+
+kctx = EVP_KDF_CTX_new(kdf);
+
+if (!kctx)
+{
+goto err;
+}
+
+OSSL_PARAM params[4];
+
+/* The OpenSSL APIs require us to cast the const aways even though the
+ * strings are never changed and only read */
+params[0] = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
+ SN_md5_sha1, 
strlen(SN_md5_sha1));
+params[1] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SECRET,
+  (uint8_t *) secret, (size_t) 
secret_len);
+params[2] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SEED,
+  (uint8_t *) seed, (size_t) 
seed_len);
+params[3] = OSSL_PARAM_construct_end();
+
+if (EVP_KDF_derive(kctx, output, output_len, params) <= 0)
+{
+crypto_msg(D_TLS_DEBUG_LOW, "Generating TLS 1.0 PRF using "
+   "EVP_KDF_derive failed");
+goto err;
+}
+
+goto out;
+
+err:
+ret = false;
+out:
+EVP_KDF_free(kdf);
+
+return ret;
+}
+#elif (OPENSSL_VERSION_NUMBER >= 0x1010L) && 
!defined(LIBRESSL_VERSION_NUMBER)
 bool
 ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret,
  int secret_len, uint8_t *output, int output_len)
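Review bot: `kctx` is leaked on every path: the `out:` label frees the algorithm with `EVP_KDF_free(kdf)` but never calls `EVP_KDF_CTX_free(kctx)`, so each key derivation leaks an EVP_KDF_CTX; add `EVP_KDF_CTX_free(kctx);` before `EVP_KDF_free(kdf);` (both accept NULL, so the early `goto err` paths stay correct). Also, the `crypto_msg` only fires for `EVP_KDF_derive`; a failing `EVP_KDF_fetch` for "TLS1-PRF" (the FIPS-provider case the commit message cites as motivation) returns false silently, so a `crypto_msg` there would help diagnosis, and the comment typo `aways` should read `away`.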


Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Ic74195a4ed340547c5e862dc2438f95be318c286
Gerrit-Change-Number: 457
Gerrit-PatchSet: 9
Gerrit-Owner: plaisthos 
Gerrit-Reviewer: flichtenheld 
Gerrit-CC: openvpn-devel 
Gerrit-MessageType: merged


[Openvpn-devel] [M] Change in openvpn[master]: Implement generating TLS 1.0 PRF using new OpenSSL 3.0 APIs

2024-02-10 Thread cron2 (Code Review)
cron2 has uploaded a new patch set (#9) to the change originally created by 
plaisthos. ( http://gerrit.openvpn.net/c/openvpn/+/457?usp=email )

The following approvals got outdated and were removed:
Code-Review+2 by flichtenheld


Change subject: Implement generating TLS 1.0 PRF using new OpenSSL 3.0 APIs
..

Implement generating TLS 1.0 PRF using new OpenSSL 3.0 APIs

OpenSSL 3.0 introduced a new API for doing key derivation. So this leaves
us now with three different implementations for 1.0.2, 1.1.x and 3.x.

This was initially done to maybe still have a working TLS 1.0 PRF when
using OpenSSL 3.0 in FIPS but it gives the same error as with the older API.
But since moving to a new API is always good, we use the new API when using
OpenSSL 3.0. We also print the internal OpenSSL error message when
the KDF fails.

This also allows us now to compile an OpenSSL build that has been built with
OPENSSL_NO_MD5, which is not yet common but might be in the future.

Change-Id: Ic74195a4ed340547c5e862dc2438f95be318c286
Signed-off-by: Arne Schwabe 
Acked-by: Frank Lichtenheld 
Message-Id: <20240209110629.15364-1-fr...@lichtenheld.com>
URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28203.html
Signed-off-by: Gert Doering 
---
M src/openvpn/crypto_openssl.c
1 file changed, 51 insertions(+), 1 deletion(-)


  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/57/457/9

diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
index e8ddf14..4fd5e6b 100644
--- a/src/openvpn/crypto_openssl.c
+++ b/src/openvpn/crypto_openssl.c
@@ -54,6 +54,7 @@
 #endif
 #if OPENSSL_VERSION_NUMBER >= 0x3000L
 #include 
+#include 
 #endif

 #if defined(_WIN32) && defined(OPENSSL_NO_EC)
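Review bot: the added `#include` in this hunk arrives with no header name in this rendering (the angle-bracketed name is missing on the context line above it as well), so the include cannot be checked here; what it has to supply are the declarations the new ssl_tls1_PRF() body relies on, EVP_KDF_fetch()/EVP_KDF_CTX_new()/EVP_KDF_derive(), the OSSL_PARAM_construct_* helpers and the OSSL_KDF_PARAM_* names, and it must stay inside the existing OpenSSL 3.0 guard because none of those exist in 1.1.x.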
@@ -1329,8 +1330,57 @@
 {
 return CRYPTO_memcmp(a, b, size);
 }
+#if (OPENSSL_VERSION_NUMBER >= 0x3000L) && 
!defined(LIBRESSL_VERSION_NUMBER)
+bool
+ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret,
+ int secret_len, uint8_t *output, int output_len)
+{
+bool ret = true;
+EVP_KDF_CTX *kctx = NULL;

-#if (OPENSSL_VERSION_NUMBER >= 0x1010L) && 
!defined(LIBRESSL_VERSION_NUMBER)
+
+EVP_KDF *kdf = EVP_KDF_fetch(NULL, "TLS1-PRF", NULL);
+if (!kdf)
+{
+goto err;
+}
+
+kctx = EVP_KDF_CTX_new(kdf);
+
+if (!kctx)
+{
+goto err;
+}
+
+OSSL_PARAM params[4];
+
+/* The OpenSSL APIs require us to cast the const aways even though the
+ * strings are never changed and only read */
+params[0] = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
+ SN_md5_sha1, 
strlen(SN_md5_sha1));
+params[1] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SECRET,
+  (uint8_t *) secret, (size_t) 
secret_len);
+params[2] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SEED,
+  (uint8_t *) seed, (size_t) 
seed_len);
+params[3] = OSSL_PARAM_construct_end();
+
+if (EVP_KDF_derive(kctx, output, output_len, params) <= 0)
+{
+crypto_msg(D_TLS_DEBUG_LOW, "Generating TLS 1.0 PRF using "
+   "EVP_KDF_derive failed");
+goto err;
+}
+
+goto out;
+
+err:
+ret = false;
+out:
+EVP_KDF_free(kdf);
+
+return ret;
+}
+#elif (OPENSSL_VERSION_NUMBER >= 0x1010L) && 
!defined(LIBRESSL_VERSION_NUMBER)
 bool
 ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret,
  int secret_len, uint8_t *output, int output_len)
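Review bot: `kctx` is never released in the new ssl_tls1_PRF(): the `out:` label frees `kdf` with EVP_KDF_free() but there is no EVP_KDF_CTX_free(kctx), so every PRF call on OpenSSL 3.0 leaks a KDF context. Since `kctx` is initialised to NULL, an unconditional free is safe on the error paths too; suggest

    out:
        EVP_KDF_CTX_free(kctx);
        EVP_KDF_free(kdf);

Two smaller points in the same function: the `(size_t) secret_len` and `(size_t) seed_len` casts turn a negative int into a huge length without any check, so an `ASSERT(secret_len >= 0 && seed_len >= 0)` before building `params` would be prudent; and the comment reads "cast the const aways", which should be "away".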

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/457?usp=email

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Ic74195a4ed340547c5e862dc2438f95be318c286
Gerrit-Change-Number: 457
Gerrit-PatchSet: 9
Gerrit-Owner: plaisthos 
Gerrit-Reviewer: flichtenheld 
Gerrit-CC: openvpn-devel 
Gerrit-MessageType: newpatchset
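The patch above fetches OpenSSL 3.0's "TLS1-PRF" KDF with the MD5-SHA1 digest and lets EVP_KDF_derive() do the work. As an added illustration that is not OpenVPN or OpenSSL code, here is what that KDF actually computes, written out in pure Python from the RFC 2246 definition; the secret and seed values are constructed inputs, and the MD5 half of the construction is the part a FIPS provider refuses.

```python
"""TLS 1.0 PRF (RFC 2246 section 5) in pure Python.

Added illustration, not OpenVPN or OpenSSL code: it spells out what the
"TLS1-PRF" KDF fetched in the patch computes when its digest parameter is
MD5-SHA1, so the EVP_KDF_derive() call can be read as a plain algorithm.
All secret and seed values used here are constructed test inputs.
"""
import hmac


def p_hash(digest, secret, seed, out_len):
    """P_<digest>(secret, seed): HMAC expansion chained through A(i) values.

    A(0) = seed, A(i) = HMAC(secret, A(i-1));
    output = HMAC(secret, A(1) + seed) + HMAC(secret, A(2) + seed) + ...
    truncated to out_len bytes.
    """
    a = seed
    out = b""
    while len(out) < out_len:
        a = hmac.new(secret, a, digest).digest()
        out += hmac.new(secret, a + seed, digest).digest()
    return out[:out_len]


def tls1_prf(secret, seed, out_len):
    """PRF(secret, seed) = P_MD5(S1, seed) XOR P_SHA1(S2, seed).

    S1 is the first ceil(len/2) bytes of the secret and S2 the last
    ceil(len/2) bytes, so for an odd-length secret the halves share one byte.
    The MD5 half is what a FIPS provider objects to.
    """
    half = (len(secret) + 1) // 2
    s1 = secret[:half]
    s2 = secret[len(secret) - half:]
    md5_stream = p_hash("md5", s1, seed, out_len)
    sha1_stream = p_hash("sha1", s2, seed, out_len)
    return bytes(x ^ y for x, y in zip(md5_stream, sha1_stream))


def tls1_prf_labelled(secret, label, seed, out_len):
    """RFC 2246 form PRF(secret, label, seed): the ASCII label is prepended to
    the seed before expansion. ssl_tls1_PRF() in the patch takes only a seed
    and a secret, so any label has to be folded into the seed by its caller."""
    return tls1_prf(secret, label + seed, out_len)


if __name__ == "__main__":
    # Constructed inputs; 48 bytes mirrors the size of a TLS master secret.
    secret = bytes(range(32))
    out = tls1_prf_labelled(secret, b"master secret",
                            b"client-random|server-random", 48)
    print(out.hex())
```

Because both P_hash streams are generated to the requested length and then truncated, a shorter request is a prefix of a longer one for the same inputs, which is the property the assertions below rely on; on a Python build whose OpenSSL runs in FIPS mode the `hmac.new(..., "md5")` call itself fails, which is the same obstacle the commit message describes for the C code.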


[Openvpn-devel] [M] Change in openvpn[master]: Print SSL peer signature information in handshake debug details

2024-02-09 Thread cron2 (Code Review)
cron2 has uploaded a new patch set (#10) to the change originally created by 
plaisthos. ( http://gerrit.openvpn.net/c/openvpn/+/365?usp=email )

The following approvals got outdated and were removed:
Code-Review+2 by flichtenheld


Change subject: Print SSL peer signature information in handshake debug details
..

Print SSL peer signature information in handshake debug details

This is more SSL debug information that most people do not really need
or care about. OpenSSL's own s_client also logs them:

Peer signing digest: SHA256
Peer signature type: ECDSA

The complete message looks like this:

   Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer 
certificate: 2048 bits RSA, signature: RSA-SHA256, server temp key: 253 bits 
X25519, peer signing digest/type: SHA256 RSASSA-PSS

or when forcing a specific group via tls-groups X448 with an ECDSA server:

   Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer 
certificate: 384 bits ECsecp384r1, signature: ecdsa-with-SHA256, server temp 
key: 448 bits X448, peer signing digest/type: SHA384 ECDSA

Change-Id: Ib5fc0c4b8f164596681ac5ad73002068ec6de1e5
Signed-off-by: Arne Schwabe 
Acked-by: Frank Lichtenheld 
Message-Id: <20240209111000.16258-1-fr...@lichtenheld.com>
URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28206.html
Signed-off-by: Gert Doering 
---
M src/openvpn/ssl_openssl.c
1 file changed, 81 insertions(+), 2 deletions(-)


  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/65/365/10

diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index c30e6a9..9b6027c 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -2166,6 +2166,83 @@
 EVP_PKEY_free(pkey);
 }

+#if !defined(LIBRESSL_VERSION_NUMBER)  && OPENSSL_VERSION_NUMBER >= 0x101fL
+/**
+ * Translate an OpenSSL NID into a more human readable name
+ * @param nid
+ * @return
+ */
+static const char *
+get_sigtype(int nid)
+{
+/* Fix a few OpenSSL names to be better understandable */
+switch (nid)
+{
+case EVP_PKEY_RSA:
+/* will otherwise say rsaEncryption */
+return "RSA";
+
+case EVP_PKEY_DSA:
+/* dsaEncryption otherwise */
+return "DSA";
+
+case EVP_PKEY_EC:
+/* will say id-ecPublicKey */
+return "ECDSA";
+
+case -1:
+return "(error getting name)";
+
+default:
+return OBJ_nid2sn(nid);
+}
+}
+#endif /* ifndef LIBRESSL_VERSION_NUMBER */
+
+/**
+ * Get the type of the signature that is used by the peer during the
+ * TLS handshake
+ */
+static void
+print_peer_signature(SSL *ssl, char *buf, size_t buflen)
+{
+int peer_sig_nid = NID_undef, peer_sig_type_nid = NID_undef;
+const char *peer_sig = "unknown";
+const char *peer_sig_type = "unknown type";
+
+/* Even though these methods use the deprecated NIDs instead of using
+ * string as new OpenSSL APIs do, there seem to be no API that replaces
+ * it yet */
+#if !defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER > 0x3050400fL
+if (SSL_get_peer_signature_nid(ssl, _sig_nid)
+&& peer_sig_nid != NID_undef)
+{
+peer_sig = OBJ_nid2sn(peer_sig_nid);
+}
+#endif
+
+#if (!defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 
0x101fL) \
+|| (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 
0x309fL)
+/* LibreSSL 3.7.x and 3.8.x implement this function but do not export it
+ * and fail linking with an unresolved symbol */
+if (SSL_get_peer_signature_type_nid(ssl, _sig_type_nid)
+&& peer_sig_type_nid != NID_undef)
+{
+peer_sig_type = get_sigtype(peer_sig_type_nid);
+}
+#endif
+
+if (peer_sig_nid == NID_undef && peer_sig_type_nid == NID_undef)
+{
+return;
+}
+
+openvpn_snprintf(buf, buflen, ", peer signing digest/type: %s %s",
+ peer_sig, peer_sig_type);
+}
+
+
+
 /* **
  *
  * Information functions
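Review bot: get_sigtype() is only compiled under `!defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= ...`, yet it is called from the second block of print_peer_signature(), whose condition also admits `defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x309fL`; a LibreSSL build at or above that version will therefore fail with an undeclared get_sigtype(). Either give the get_sigtype() guard the same OR-condition as the call site or drop the LibreSSL branch there. Two further points: OBJ_nid2sn() returns NULL for a NID it does not know, and both the `default:` case of get_sigtype() and `peer_sig = OBJ_nid2sn(peer_sig_nid)` feed that straight into a `%s` conversion, so fall back to a literal ("unknown") when it is NULL; and the doxygen block for get_sigtype() leaves `@param nid` and `@return` empty, while the closing `#endif /* ifndef LIBRESSL_VERSION_NUMBER */` no longer describes the compound condition it terminates.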
@@ -2180,8 +2257,9 @@
 char s1[256];
 char s2[256];
 char s3[256];
+char s4[256];

-s1[0] = s2[0] = s3[0] = 0;
+s1[0] = s2[0] = s3[0] = s4[0] = 0;
 ciph = SSL_get_current_cipher(ks_ssl->ssl);
 openvpn_snprintf(s1, sizeof(s1), "%s %s, cipher %s %s",
  prefix,
@@ -2196,8 +2274,9 @@
 X509_free(cert);
 }
 print_server_tempkey(ks_ssl->ssl, s3, sizeof(s3));
+print_peer_signature(ks_ssl->ssl, s4, sizeof(s4));
 
-msg(D_HANDSHAKE, "%s%s%s", s1, s2, s3);
+msg(D_HANDSHAKE, "%s%s%s%s", s1, s2, s3, s4);
 }

 void

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/365?usp=email

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: 

[Openvpn-devel] [M] Change in openvpn[master]: Print SSL peer signature information in handshake debug details

2024-02-09 Thread cron2 (Code Review)
cron2 has submitted this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/365?usp=email )

Change subject: Print SSL peer signature information in handshake debug details
..

Print SSL peer signature information in handshake debug details

This is more SSL debug information that most people do not really need
or care about. OpenSSL's own s_client also logs them:

Peer signing digest: SHA256
Peer signature type: ECDSA

The complete message looks like this:

   Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer 
certificate: 2048 bits RSA, signature: RSA-SHA256, server temp key: 253 bits 
X25519, peer signing digest/type: SHA256 RSASSA-PSS

or when forcing a specific group via tls-groups X448 with an ECDSA server:

   Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer 
certificate: 384 bits ECsecp384r1, signature: ecdsa-with-SHA256, server temp 
key: 448 bits X448, peer signing digest/type: SHA384 ECDSA

Change-Id: Ib5fc0c4b8f164596681ac5ad73002068ec6de1e5
Signed-off-by: Arne Schwabe 
Acked-by: Frank Lichtenheld 
Message-Id: <20240209111000.16258-1-fr...@lichtenheld.com>
URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28206.html
Signed-off-by: Gert Doering 
---
M src/openvpn/ssl_openssl.c
1 file changed, 81 insertions(+), 2 deletions(-)


--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/365?usp=email

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Ib5fc0c4b8f164596681ac5ad73002068ec6de1e5
Gerrit-Change-Number: 365
Gerrit-PatchSet: 10
Gerrit-Owner: plaisthos 
Gerrit-Reviewer: flichtenheld 
Gerrit-CC: openvpn-devel 
Gerrit-MessageType: merged
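The two sample messages in the commit message above show the full layout of the handshake line after this change: version and cipher, peer certificate and its signature, server temp key, and now the peer signing digest/type. As an added example that is not OpenVPN code, the following parser reads such lines and flags parameters a defender would want to notice (pre-1.2 protocol, small RSA keys, SHA-1 or MD5 signatures). The first two sample lines are the ones quoted in the commit message; the third is a constructed legacy-looking line whose exact cipher-name format is an assumption, used only to exercise the checks.

```python
"""Parse OpenVPN 'Control Channel:' handshake lines and flag legacy parameters.

Added illustration, not OpenVPN code. The field layout follows the message
assembled in print_details(): version and cipher, then the optional
peer-certificate, server-temp-key and (with this patch) peer-signing
segments. SAMPLE_LINES are the two messages quoted in the commit message;
LEGACY_LINE is constructed and its cipher-name format is an assumption.
"""
import re

_LINE_RE = re.compile(
    r"Control Channel: (?P<version>\S+), cipher (?P<cipher>[^,]+)"
    r"(?:, peer certificate: (?P<cert_bits>\d+) bits (?P<cert_type>[^,]+)"
    r", signature: (?P<cert_sig>[^,]+))?"
    r"(?:, server temp key: (?P<tmp_bits>\d+) bits (?P<tmp_type>[^,]+))?"
    r"(?:, peer signing digest/type: (?P<sig_digest>\S+) (?P<sig_type>[^,]+))?"
)

SAMPLE_LINES = [
    "Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, "
    "peer certificate: 2048 bits RSA, signature: RSA-SHA256, "
    "server temp key: 253 bits X25519, peer signing digest/type: SHA256 RSASSA-PSS",
    "Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, "
    "peer certificate: 384 bits ECsecp384r1, signature: ecdsa-with-SHA256, "
    "server temp key: 448 bits X448, peer signing digest/type: SHA384 ECDSA",
]

# Constructed, not from the page: a pre-TLS-1.2 handshake with a small RSA key
# and a SHA-1 certificate signature, without temp-key or signing segments.
LEGACY_LINE = ("Control Channel: TLSv1.0, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, "
               "peer certificate: 1024 bits RSA, signature: sha1WithRSAEncryption")

WEAK_DIGESTS = ("MD5", "SHA1")


def parse_control_channel(line):
    """Return a dict of the handshake fields, or None if the line is not one."""
    m = _LINE_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    for key in ("cert_bits", "tmp_bits"):
        if fields[key] is not None:
            fields[key] = int(fields[key])
    return fields


def _tls_version(version):
    """'TLSv1.3' -> (1, 3); 'TLSv1' -> (1, 0)."""
    digits = version[4:] if version.startswith("TLSv") else version
    major, _, minor = digits.partition(".")
    return int(major), int(minor or 0)


def assess(fields):
    """List human-readable findings for parameters a defender would flag."""
    findings = []
    if _tls_version(fields["version"]) < (1, 2):
        findings.append("protocol %s is below TLS 1.2" % fields["version"])
    # cert_bits and cert_type come from the same optional group, so both are set.
    if fields["cert_type"] == "RSA" and fields["cert_bits"] < 2048:
        findings.append("peer RSA certificate key is only %d bits" % fields["cert_bits"])
    cert_sig = (fields["cert_sig"] or "").upper()
    if any(d in cert_sig for d in WEAK_DIGESTS):
        findings.append("certificate signature %s uses a weak digest" % fields["cert_sig"])
    sig_digest = (fields["sig_digest"] or "").upper()
    if sig_digest in WEAK_DIGESTS:
        findings.append("peer signed the handshake with %s" % fields["sig_digest"])
    return findings


def scan(lines):
    """Map each recognised handshake line to its findings; other lines are skipped."""
    report = []
    for line in lines:
        fields = parse_control_channel(line)
        if fields is not None:
            report.append((line, assess(fields)))
    return report


if __name__ == "__main__":
    for line, findings in scan(SAMPLE_LINES + [LEGACY_LINE]):
        print(line)
        for finding in findings:
            print("  !", finding)
```

The trailing segments are optional in the pattern for the reason visible in the patch: print_peer_signature() returns without writing anything when neither NID is available, and the older segments are likewise empty on builds that cannot report them, so a parser that insists on all four parts would silently drop those lines.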

[Openvpn-devel] [M] Change in openvpn[master]: Add unit test for encrypting/decrypting data channel

2024-02-08 Thread cron2 (Code Review)
cron2 has submitted this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/505?usp=email )

Change subject: Add unit test for encrypting/decrypting data channel
..

Add unit test for encrypting/decrypting data channel

This test is reusing code from --test-crypto but is modified to not rely
on the static key functionality and also only tests the most common
algorithm. So it does not yet completely replace --test-crypto.

Change-Id: Ifa5ae96165d17b3cae4afc53e844bb34d1610e58
Acked-by: Frank Lichtenheld 
Message-Id: <20240208085749.869-1-g...@greenie.muc.de>
URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28195.html
Signed-off-by: Gert Doering 
---
M tests/unit_tests/openvpn/test_ssl.c
1 file changed, 223 insertions(+), 2 deletions(-)




diff --git a/tests/unit_tests/openvpn/test_ssl.c 
b/tests/unit_tests/openvpn/test_ssl.c
index 18b9ec8..8c1fb5b 100644
--- a/tests/unit_tests/openvpn/test_ssl.c
+++ b/tests/unit_tests/openvpn/test_ssl.c
@@ -44,6 +44,9 @@
 #include "ssl_verify_backend.h"
 #include "win32.h"
 #include "test_common.h"
+#include "ssl.h"
+#include "buffer.h"
+#include "packet_id.h"

 /* Mock function to be allowed to include win32.c which is required for
  * getting the temp directory */
@@ -120,20 +123,238 @@
 gc_free();
 }

+static void
+init_implicit_iv(struct crypto_options *co)
+{
+cipher_ctx_t *cipher = co->key_ctx_bi.encrypt.cipher;
+
+if (cipher_ctx_mode_aead(cipher))
+{
+size_t impl_iv_len = cipher_ctx_iv_length(cipher) - 
sizeof(packet_id_type);
+ASSERT(cipher_ctx_iv_length(cipher) <= OPENVPN_MAX_IV_LENGTH);
+ASSERT(cipher_ctx_iv_length(cipher) >= OPENVPN_AEAD_MIN_IV_LEN);
+
+/* Generate dummy implicit IV */
+ASSERT(rand_bytes(co->key_ctx_bi.encrypt.implicit_iv,
+  OPENVPN_MAX_IV_LENGTH));
+co->key_ctx_bi.encrypt.implicit_iv_len = impl_iv_len;
+
+memcpy(co->key_ctx_bi.decrypt.implicit_iv,
+   co->key_ctx_bi.encrypt.implicit_iv, OPENVPN_MAX_IV_LENGTH);
+co->key_ctx_bi.decrypt.implicit_iv_len = impl_iv_len;
+}
+}
+
+static void
+init_frame_parameters(struct frame *frame)
+{
+int overhead = 0;
+
+/* tls-auth and tls-crypt */
+overhead += 128;
+
+/* TCP length field and opcode */
+overhead += 3;
+
+/* ACK array and remote SESSION ID (part of the ACK array) */
+overhead += ACK_SIZE(RELIABLE_ACK_SIZE);
+
+/* Previous OpenVPN version calculated the maximum size and buffer of a
+ * control frame depending on the overhead of the data channel frame
+ * overhead and limited its maximum size to 1250. Since control frames
+ * also need to fit into data channel buffer we have the same
+ * default of 1500 + 100 as data channel buffers have. Increasing
+ * control channel mtu beyond this limit also increases the data channel
+ * buffers */
+int tls_mtu = 1500;
+frame->buf.payload_size = tls_mtu + 100;
+
+frame->buf.headroom = overhead;
+frame->buf.tailroom = overhead;
+
+frame->tun_mtu = tls_mtu;
+
+}
+
+static void
+do_data_channel_round_trip(struct crypto_options *co)
+{
+struct gc_arena gc = gc_new();
+
+/* initialise frame for the test */
+struct frame frame;
+init_frame_parameters();
+
+struct buffer src = alloc_buf_gc(frame.buf.payload_size, );
+struct buffer work = alloc_buf_gc(BUF_SIZE(), );
+struct buffer encrypt_workspace = alloc_buf_gc(BUF_SIZE(), );
+struct buffer decrypt_workspace = alloc_buf_gc(BUF_SIZE(), );
+struct buffer buf = clear_buf();
+void *buf_p;
+
+/* init work */
+ASSERT(buf_init(, frame.buf.headroom));
+
+init_implicit_iv(co);
+update_time();
+
+/* Test encryption, decryption for all packet sizes */
+for (int i = 1; i <= frame.buf.payload_size; ++i)
+{
+
+/* msg(M_INFO, "TESTING ENCRYPT/DECRYPT of packet length=%d", i); */
+
+/*
+ * Load src with random data.
+ */
+ASSERT(buf_init(, 0));
+ASSERT(i <= src.capacity);
+src.len = i;
+ASSERT(rand_bytes(BPTR(), BLEN()));
+
+/* copy source to input buf */
+buf = work;
+buf_p = buf_write_alloc(, BLEN());
+ASSERT(buf_p);
+memcpy(buf_p, BPTR(), BLEN());
+
+/* initialize work buffer with buf.headroom bytes of prepend capacity 
*/
+ASSERT(buf_init(_workspace, frame.buf.headroom));
+
+/* encrypt */
+openvpn_encrypt(, encrypt_workspace, co);
+
+/* decrypt */
+openvpn_decrypt(, decrypt_workspace, co, , BPTR());
+
+/* compare */
+assert_int_equal(buf.len, src.len);
+assert_memory_equal(BPTR(), BPTR(), i);
+
+}
+gc_free();
+}
+
+
+
+struct crypto_options
+init_crypto_options(const char *cipher, const char *auth)
+{
+struct key2 key2 = { .n = 2};
+
+ASSERT(rand_bytes(key2.keys[0].cipher, 

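Review bot: the return value of openvpn_decrypt() is discarded in do_data_channel_round_trip(), so a failed authentication or decryption would only surface indirectly through the `assert_int_equal(buf.len, src.len)` that follows; wrap it as `assert_true(openvpn_decrypt(...))` so the failure is reported where it happens. Two smaller points: init_crypto_options() at the end of the hunk is file-local but not declared `static`, which trips -Wmissing-prototypes builds; and the long comment in init_frame_parameters() about control-frame sizing and "control channel mtu" was carried over from the control-channel code while this test only exercises the data channel, so it should be trimmed to what the frame values mean here. (The hunk is cut off in this archive rendering after the first `rand_bytes()` call of init_crypto_options().)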
[Openvpn-devel] [M] Change in openvpn[master]: Add unit test for encrypting/decrypting data channel

2024-02-08 Thread cron2 (Code Review)
cron2 has uploaded a new patch set (#4) to the change originally created by 
plaisthos. ( http://gerrit.openvpn.net/c/openvpn/+/505?usp=email )

The following approvals got outdated and were removed:
Code-Review+2 by flichtenheld


Change subject: Add unit test for encrypting/decrypting data channel
..

Add unit test for encrypting/decrypting data channel

This test is reusing code from --test-crypto but is modified to not rely
on the static key functionality and also only tests the most common
algorithm. So it does not yet completely replace --test-crypto.

Change-Id: Ifa5ae96165d17b3cae4afc53e844bb34d1610e58
Acked-by: Frank Lichtenheld 
Message-Id: <20240208085749.869-1-g...@greenie.muc.de>
URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28195.html
Signed-off-by: Gert Doering 
---
M tests/unit_tests/openvpn/test_ssl.c
1 file changed, 223 insertions(+), 2 deletions(-)


  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/05/505/4


[Openvpn-devel] [M] Change in openvpn[master]: test_user_pass: add basic tests for static/dynamic challenges

2024-02-08 Thread cron2 (Code Review)
cron2 has uploaded a new patch set (#9) to the change originally created by 
flichtenheld. ( http://gerrit.openvpn.net/c/openvpn/+/475?usp=email )

The following approvals got outdated and were removed:
Code-Review+2 by plaisthos


Change subject: test_user_pass: add basic tests for static/dynamic challenges
..

test_user_pass: add basic tests for static/dynamic challenges

Change-Id: I8b5570f6314e917f92dce072279efe415d79b22a
Signed-off-by: Frank Lichtenheld 
Acked-by: Arne Schwabe 
Message-Id: <20240207171239.86730-1-fr...@lichtenheld.com>
URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28191.html
Signed-off-by: Gert Doering 
---
M tests/unit_tests/openvpn/test_user_pass.c
1 file changed, 61 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/75/475/9

diff --git a/tests/unit_tests/openvpn/test_user_pass.c 
b/tests/unit_tests/openvpn/test_user_pass.c
index bd4eb1f..5d3f9b6 100644
--- a/tests/unit_tests/openvpn/test_user_pass.c
+++ b/tests/unit_tests/openvpn/test_user_pass.c
@@ -267,12 +267,73 @@
 assert_string_equal(up.password, "fuser");
 }

+#ifdef ENABLE_MANAGEMENT
+static void
+test_get_user_pass_dynamic_challenge(void **state)
+{
+struct user_pass up = { 0 };
+reset_user_pass();
+const char *challenge = 
"CRV1:R,E:Om01u7Fh4LrGBS7uh0SWmzwabUiGiW6l:Y3Ix:Please enter token PIN";
+unsigned int flags = GET_USER_PASS_DYNAMIC_CHALLENGE;
+
+expect_string(query_user_exec_builtin, query_user[i].prompt, "CHALLENGE: 
Please enter token PIN");
+will_return(query_user_exec_builtin, "challenge_response");
+will_return(query_user_exec_builtin, true);
+assert_true(get_user_pass_cr(, NULL, "UT", flags, challenge));
+assert_true(up.defined);
+assert_string_equal(up.username, "cr1");
+assert_string_equal(up.password, 
"CRV1::Om01u7Fh4LrGBS7uh0SWmzwabUiGiW6l::challenge_response");
+}
+
+static void
+test_get_user_pass_static_challenge(void **state)
+{
+struct user_pass up = { 0 };
+reset_user_pass();
+const char *challenge = "Please enter token PIN";
+unsigned int flags = GET_USER_PASS_STATIC_CHALLENGE;
+
+expect_string(query_user_exec_builtin, query_user[i].prompt, "Enter UT 
Username:");
+will_return(query_user_exec_builtin, "cuser");
+expect_string(query_user_exec_builtin, query_user[i].prompt, "Enter UT 
Password:");
+will_return(query_user_exec_builtin, "cpassword");
+will_return(query_user_exec_builtin, true);
+expect_string(query_user_exec_builtin, query_user[i].prompt, "CHALLENGE: 
Please enter token PIN");
+will_return(query_user_exec_builtin, "challenge_response");
+will_return(query_user_exec_builtin, true);
+assert_true(get_user_pass_cr(, NULL, "UT", flags, challenge));
+assert_true(up.defined);
+assert_string_equal(up.username, "cuser");
+/* SCRV1:cpassword:challenge_response but base64-encoded */
+assert_string_equal(up.password, 
"SCRV1:Y3Bhc3N3b3Jk:Y2hhbGxlbmdlX3Jlc3BvbnNl");
+
+reset_user_pass();
+
+flags |= GET_USER_PASS_INLINE_CREDS;
+
+/*FIXME: query_user_exec() called even though nothing queued */
+will_return(query_user_exec_builtin, true);
+expect_string(query_user_exec_builtin, query_user[i].prompt, "CHALLENGE: 
Please enter token PIN");
+will_return(query_user_exec_builtin, "challenge_response");
+will_return(query_user_exec_builtin, true);
+assert_true(get_user_pass_cr(, "iuser\nipassword", "UT", flags, 
challenge));
+assert_true(up.defined);
+assert_string_equal(up.username, "iuser");
+/* SCRV1:ipassword:challenge_response but base64-encoded */
+assert_string_equal(up.password, 
"SCRV1:aXBhc3N3b3Jk:Y2hhbGxlbmdlX3Jlc3BvbnNl");
+}
+#endif /* ENABLE_MANAGEMENT */
+
 const struct CMUnitTest user_pass_tests[] = {
 cmocka_unit_test(test_get_user_pass_defined),
 cmocka_unit_test(test_get_user_pass_needok),
 cmocka_unit_test(test_get_user_pass_inline_creds),
 cmocka_unit_test(test_get_user_pass_authfile_stdin),
 cmocka_unit_test(test_get_user_pass_authfile_file),
+#ifdef ENABLE_MANAGEMENT
+cmocka_unit_test(test_get_user_pass_dynamic_challenge),
+cmocka_unit_test(test_get_user_pass_static_challenge),
+#endif /* ENABLE_MANAGEMENT */
 };

 int
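Review bot: the `/*FIXME: query_user_exec() called even though nothing queued */` in the inline-creds half of test_get_user_pass_static_challenge() bakes a quirk of the code under test into the mock sequence (the extra `will_return(query_user_exec_builtin, true)` before the CHALLENGE prompt); once that spurious call is removed, cmocka will fail this test for an unconsumed return value. Either fix the spurious call first or point the FIXME at a tracking issue so the expectation is removed together with it. The encoded expectations themselves check out: `Y3Ix` decodes to the asserted username `cr1`, and `Y3Bhc3N3b3Jk`, `aXBhc3N3b3Jk` and `Y2hhbGxlbmdlX3Jlc3BvbnNl` are the base64 forms of `cpassword`, `ipassword` and `challenge_response` named in the comments.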

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/475?usp=email

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I8b5570f6314e917f92dce072279efe415d79b22a
Gerrit-Change-Number: 475
Gerrit-PatchSet: 9
Gerrit-Owner: flichtenheld 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-MessageType: newpatchset

