[Openvpn-devel] [PATCH v2] Document that auth-user-pass may be inlined

2024-02-20 Thread selva . nair
From: Selva Nair Commits 7d48d31b, 39619b7f added support for inlining username and, optionally, password. Add a description of its usage in the man page. Github: resolves OpenVPN/openvpn#370 Change-Id: I7a1765661f7676eeba8016024080fd1026220ced Signed-off-by: Selva Nair --- v2: Add

[Openvpn-devel] [PATCH] Document that auth-user-pass may be inlined

2024-02-19 Thread selva . nair
From: Selva Nair Commits 7d48d31b, 39619b7f added support for inlining username and, optionally, password. Add a description of its usage in the man page. Change-Id: I7a1765661f7676eeba8016024080fd1026220ced Signed-off-by: Selva Nair --- Does this have to go through gerrit? doc/man-sections

Re: [Openvpn-devel] [PATCH] man: extend description for "dhcp-option DNS" on Windows

2023-10-05 Thread Selva Nair
Hi, On Tue, Sep 5, 2023 at 5:41 PM Antonio Quartulli wrote: > From: Antonio Quartulli > > Add an important detail about the DNS configured via this option > to be an "interface-specific" DNS. This detail is important when > troubleshooting DNS issues since this logic will bypass the > routing

[Openvpn-devel] [PATCH] Log OpenSSL errors on failure to set certificate

2023-10-01 Thread selva . nair
From: Selva Nair Currently we log a bogus error message saying private key password verification failed when SSL_CTX_use_cert_and_key() fails in pkcs11_openssl.c. Instead print OpenSSL error queue and exit promptly. Also log OpenSSL errors when SSL_CTX_use_certificate() fails in cryptoapi.c

Re: [Openvpn-devel] pkcs11 config changes from 2.5.4 to 2.6.6 ?

2023-09-29 Thread Selva Nair
> > > > > Good point. But, unless the config has "tls-cert-profile foo", we still > > default to legacy and call SSL_CTX_set_security_level(ctx, 1), isn't it? > > Wouldn't that allow SHA1 with 3.1.x ? > > For SHA1 you need security 0 aka tls-cert-profile insecure. > > But we might update OpenVPN

Re: [Openvpn-devel] pkcs11 config changes from 2.5.4 to 2.6.6 ?

2023-09-28 Thread Selva Nair
Hi Mike I misunderstood Arne's comment. We default to security level 1 but that forbids SHA1 signatures in OpenSSL 3.0+. Could you test with "tls-cert-profile Insecure" in the config file? It's not recommended but useful to check. Thanks, Selva On Thu, Sep 28, 2023 at 7:08 PM mike tancsa

Re: [Openvpn-devel] pkcs11 config changes from 2.5.4 to 2.6.6 ?

2023-09-28 Thread Selva Nair
On Thu, Sep 28, 2023 at 8:55 PM Arne Schwabe wrote: > > Am 29.09.2023 um 01:08 schrieb mike tancsa: > > Hi Selva, > > Thank you for looking! > > My guess is that something in the certificate or private key is not to > OpenSSL 3.1's liking and it rejects it. Is there any way for you to check

Re: [Openvpn-devel] pkcs11 config changes from 2.5.4 to 2.6.6 ?

2023-09-28 Thread Selva Nair
Hi Mike, On Thu, Sep 28, 2023 at 5:28 PM mike tancsa wrote: > I am starting to test out 2.6.6 with a config that worked in 2.5.4 but > am getting a failure on connect. I did have a look through the > Changes.rst file but didn't see anything different ? The only pkcs11 bits > I have in the

Re: [Openvpn-devel] [PATCH v2] show extra info for OpenSSL errors

2023-08-11 Thread Selva Nair
func, > + const char **data, int *flags) > +{ > +static const char *empty = ""; > +*func = empty; > +long err = ERR_get_error_line_data(file, line, data, flags); > I think you missed changing that to "unsigned long err = " +return err; > +} > + > #endif /* OPENSSL_VERSION_NUMBER < 0x3000L */ > > #endif /* OPENSSL_COMPAT_H_ */ > -- > 2.39.2 (Apple Git-143) > The above could be handled at merge time, so: Acked-by: Selva Nair

Re: [Openvpn-devel] [PATCH 2/2] signal_reset(): combine check and reset operations

2023-07-25 Thread Selva Nair
On Tue, Jul 25, 2023 at 6:18 AM Frank Lichtenheld wrote: > On Sat, Jan 28, 2023 at 04:59:01PM -0500, selva.n...@gmail.com wrote: > > From: Selva Nair > > > > - "if (sig == X) signal_reset(sig)" now becomes > > "signal_reset(sig, X)" so that th

Re: [Openvpn-devel] [PATCH applied] Re: Improve signal handling using POSIX sigaction

2023-07-23 Thread Selva Nair
On Sun, Jul 23, 2023 at 5:28 AM Gert Doering wrote: > > The actual "change to POSIX ways" part of this is fairly trivial > and easy to understand :-) - though I do wonder why you're using > an extra variable for block_mask -> sa.sa_mask, and not using > sigfillset(_mask) - at least on BSD on

Re: [Openvpn-devel] [PATCH] show extra info for OpenSSL errors

2023-07-12 Thread Selva Nair
Hi, This looks good except that the format of the log could be kept closer to the current one: On Fri, Jul 7, 2023 at 2:59 PM Arne Schwabe wrote: > This also shows the extra data from the OpenSSL error function that > can contain extra information. For example, the command > > openvpn

[Openvpn-devel] Fwd: [PATCH] tun.c: enclose DNS domain in single quotes in WMIC call

2023-07-10 Thread Selva Nair
o>bar' vs "foo>bar"). That said, for valid domain names, the only expected characters are alpha-numeric, hyphen and period, and single quotes should work. I have only tested this using wmic command line, not the resulting openvpn.exe. Acked-by: Selva Nair P.S. We probably need

Re: [Openvpn-devel] [PATCH v2 2/2] Fix CR_RESPONSE management message using wrong key_id

2023-07-04 Thread Selva Nair
_multi *multi, > unsigned int mda_key_id) > for (int i = 0; i < KEY_SCAN_SIZE; ++i) > { > struct key_state *ks = get_key_scan(multi, i); > -if (ks->mda_key_id == mda_key_id) > +if (ks->mda_key_id == mda_key_id && ks->state >

Re: [Openvpn-devel] [PATCH 1/2] Improve signal handling using POSIX sigaction

2023-06-26 Thread Selva Nair
On Mon, May 29, 2023 at 3:07 PM Gert Doering wrote: > Hi, > > On Thu, May 25, 2023 at 02:41:10PM -0400, Selva Nair wrote: > > Now that 2.6 appears to have reached a fairly stable state, may I request > > you to look into this patch for 2.7 -- this one has an ACK (thanks t

Re: [Openvpn-devel] [PATCH 1/2] Improve signal handling using POSIX sigaction

2023-05-25 Thread Selva Nair
down into the details to resolve them. Right now it looks like no one has yet touched related chunks. Thanks, Selva On Tue, Jan 31, 2023 at 5:48 AM Frank Lichtenheld wrote: > On Sat, Jan 28, 2023 at 04:59:00PM -0500, selva.n...@gmail.com wrote: > > From: Selva Nair > > >

Re: [Openvpn-devel] [PATCH v3] tapctl: generate driver-specific adapter names

2023-05-19 Thread Selva Nair
Acked-by: Selva Nair On Fri, May 19, 2023 at 4:27 AM Lev Stipakov wrote: > From: Lev Stipakov > > At the moment if --name is not specified, adapter names > are generated by Windows and they look a bit confusing > like "Local Area Connection 2". > > This is also

Re: [Openvpn-devel] [PATCH 2/2] Fix CR_RESPONSE management message using wrong key_id

2023-05-19 Thread Selva Nair
Hi, While this bugfix should be merged, I'm conflicted about the way these two patches are split up. It just makes reviewing harder than it should be. They actually form two independent changes but with one half intersecting with the other for no reason. On Wed, May 17, 2023 at 7:03 AM Arne

Re: [Openvpn-devel] [PATCH v2] tapctl: generate driver-specific adapter names

2023-05-18 Thread Selva Nair
Hi, On Thu, May 18, 2023 at 12:25 PM Lev Stipakov wrote: > From: Lev Stipakov > > At the moment if --name is not specified, adapter names > are generated by Windows and they look a bit confusing > like "Local Area Connection 2". > > This is also behavior of "Add a new virtual network >

[Openvpn-devel] [PATCH] Interactive service: do not force a target desktop for openvpn.exe

2023-05-18 Thread selva . nair
From: Selva Nair Setting the desktop as "winsta0\default" does not always work when run from a non-interactive session which may not have access to the window station "Winsta0". Leave this as NULL to let the system automatically assign a window station and desktop.

Re: [Openvpn-devel] [PATCH] Fix CR_RESPONSE management message using wrong key_id

2023-05-16 Thread Selva Nair
Hi, Is this dependent on some patch not yet merged? See missing context below. On Tue, May 16, 2023 at 12:36 PM Arne Schwabe wrote: > the management interface expects the management key id instead > of the openvpn key id. In the past they often were the same for low ids > which hid the bug

[Openvpn-devel] [PATCH] Correctly handle Unicode names for exit event

2023-05-15 Thread selva . nair
From: Selva Nair Currently we use the ANSI version of CreateEvent causing the name of the exit event to be interpreted differently depending on the code page in effect. Internally all strings parsed from command line and config file are stored as UTF8-encoded Unicode. When passed to Windows API calls

[Openvpn-devel] [PATCH] Bugfix: dangling pointer passed to pkcs11-helper

2023-05-09 Thread selva . nair
From: Selva Nair Github: Fixes OpenVPN/openvpn#323 Signed-off-by: Selva Nair --- This will fix #323 is my best guess, untested as yet.. This is a bug that needs fixing, regardless. src/openvpn/pkcs11_openssl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/openvpn

Re: [Openvpn-devel] [PATCH v2] Add Apache2 linking with for new commits

2023-04-25 Thread Selva Nair
Hi, On Tue, Apr 25, 2023 at 6:22 AM Arne Schwabe wrote: > After the first round of mailing people with more than 10 commits, > almost all committers have agreed. This puts this license in the realm > of having a realistic chance to work. Had any of these contributors > disagreed, rewriting

Re: [Openvpn-devel] [PATCH] Add Apache2 linking with for new commits

2023-04-21 Thread Selva Nair
exemption -> exception in a number of places below Though similar in meaning, better to use the standard wording here. On Fri, Apr 21, 2023 at 11:02 AM Arne Schwabe wrote: > After the first round of mailing people with more than 10 commits, > almost all committers have agreed. This puts this

[Openvpn-devel] [PATCH v2] Format Windows error message in Unicode

2023-04-18 Thread selva . nair
From: Selva Nair - We assume that all text passed to the management interface and written to log file are in Unicode (UTF-8). This is broken by the use of the ANSI version of FormatMessage() for Windows error messages. Fix by using FormatMessageW() and converting the UTF-16 result to UTF

[Openvpn-devel] [PATCH] Format Windows error message in Unicode

2023-04-18 Thread selva . nair
From: Selva Nair - We assume that all text passed to the management interface and written to log file are in Unicode (UTF-8). This is broken by the use of the ANSI version of FormatMessage() for Windows error messages. Fix by using FormatMessageW() and converting the UTF-16 result to UTF

Re: [Openvpn-devel] [PATCH v2] Support of DNS domain for DHCP-less drivers

2023-04-06 Thread Selva Nair
else > { > -netsh_delete_address_dns(tt, false, ); > + do_dns_domain_wmic(false, tt); > + > +if (tt->options.ip_win32_type == IPW32_SET_NETSH) > +{ > +netsh_delete_address_dns(tt, false, ); > +} >

Re: [Openvpn-devel] [PATCH] Support of DNS domain for DHCP-less drivers

2023-04-05 Thread Selva Nair
Hi, On Tue, Apr 4, 2023 at 4:01 AM Lev Stipakov wrote: > From: Lev Stipakov > > We set DNS domain either via interactive service or DHCP. > When interactive service is not used, for example, > when profiles are started by OpenVPNService, this option > is not working for DCO and wintun. > > This

Re: [Openvpn-devel] [PATCH applied] Re: Bug-fix: segfault in dco_get_peer_stats()

2023-03-28 Thread Selva Nair
On Tue, Mar 28, 2023 at 3:25 AM Gert Doering wrote: > Acked-by: Antonio Quartulli > > Thanks for the good find. Since I could reproduce the crash yesterday > (and I do need management for it) I can verify that it does no longer > crash with the patch. > > (For whatever reason,

Re: [Openvpn-devel] [PATCH] Bug-fix: segfault in dco_get_peer_stats()

2023-03-27 Thread Selva Nair
inux), too much to ask the caller to check that a valid dco handle is available. Selva On Mon, Mar 27, 2023 at 4:42 PM Selva Nair wrote: > > > On Mon, Mar 27, 2023 at 4:30 PM Antonio Quartulli wrote: > >> Hi, >> >> On 27/03/2023 19:12, selva.n...@gmail.com wrote

Re: [Openvpn-devel] [PATCH] Bug-fix: segfault in dco_get_peer_stats()

2023-03-27 Thread Selva Nair
On Mon, Mar 27, 2023 at 4:30 PM Antonio Quartulli wrote: > Hi, > > On 27/03/2023 19:12, selva.n...@gmail.com wrote: > > From: Selva Nair > > > >We persist peer-stats when restarting, but an early restart > >before open_tun results in

[Openvpn-devel] [PATCH] Bug-fix: segfault in dco_get_peer_stats()

2023-03-27 Thread selva . nair
From: Selva Nair We persist peer-stats when restarting, but an early restart before open_tun results in a segfault in dco_get_peer_stats(). To reproduce, trigger a TLS handshake error due to lack of common protocols, for example. Fix by checking that tuntap is defined before

Re: [Openvpn-devel] [PATCH] Make cert_data.h and test_cryptoapi/pkcs11.c MSVC compliant

2023-03-27 Thread Selva Nair
Hi, On Mon, Mar 27, 2023 at 9:59 AM Matthias Andree wrote: > Am 27.03.23 um 13:49 schrieb selva.n...@gmail.com: > > From: Selva Nair > > > > - Do not use non-literal initializers for static objects > > - Replace empty initializer {} by {0} > > Should we

Re: [Openvpn-devel] [PATCH] Make cert_data.h and test_cryptoapi/pkcs11.c MSVC compliant

2023-03-27 Thread Selva Nair
On Mon, Mar 27, 2023 at 8:09 AM Frank Lichtenheld wrote: > On Mon, Mar 27, 2023 at 07:49:37AM -0400, selva.n...@gmail.com wrote: > > From: Selva Nair > > > > - Do not use non-literal initializers for static objects > > - Replace empty initializer {} by {0} >

[Openvpn-devel] [PATCH] Make cert_data.h and test_cryptoapi/pkcs11.c MSVC compliant

2023-03-27 Thread selva . nair
From: Selva Nair - Do not use non-literal initializers for static objects - Replace empty initializer {} by {0} Signed-off-by: Selva Nair --- To be applied after the test-pkcs11 patch set tests/unit_tests/openvpn/cert_data.h | 6 ++--- tests/unit_tests/openvpn/test_cryptoapi.c | 24

Re: [Openvpn-devel] [PATCH] unit_tests: make cert_data.h compile with MSVC

2023-03-27 Thread Selva Nair
On Mon, Mar 27, 2023 at 4:49 AM Frank Lichtenheld wrote: > On Fri, Mar 24, 2023 at 01:13:22PM -0400, Selva Nair wrote: > > Would the attached small patch be acceptable instead? It covers only > > test_cryptoapi --- if this will do, I can incorporate similar changes for > >

Re: [Openvpn-devel] [PATCH] unit_tests: make cert_data.h compile with MSVC

2023-03-24 Thread Selva Nair
Hi, On Fri, Mar 24, 2023 at 4:18 PM Matthias Andree wrote: > Am 23.03.23 um 15:31 schrieb Frank Lichtenheld: > > Currently this is not obvious since we never build the > > UTs with MSVC, but it doesn't like the initializers with > > "const" variables. They cause > > error C2099: initializer is

Re: [Openvpn-devel] [PATCH] unit_tests: make cert_data.h compile with MSVC

2023-03-24 Thread Selva Nair
d in an initializer. > So change all of them to preprocessor defines instead. > > It also doesn't like the empty initializer. > error C2059: syntax error: '}' > > CC: Selva Nair > Signed-off-by: Frank Lichtenheld > --- > tests/unit_tests/openvpn/cert_data.h | 24

[Openvpn-devel] Fwd: [PATCH] Print DCO client stats on SIGUSR2

2023-03-23 Thread Selva Nair
I didn't realize it until Lev pointed out that this reply yesterday didn't go to the list. FTR, copying to the list. -- Forwarded message - From: Selva Nair Date: Wed, Mar 22, 2023 at 9:42 AM Subject: Re: [Openvpn-devel] [PATCH] Print DCO client stats on SIGUSR2 To: Lev Stipakov

[Openvpn-devel] [PATCH 3/3] Enable pkcs11 and test_pkcs11 in github actions

2023-03-22 Thread selva . nair
From: Selva Nair - Enabled for the Ubuntu 22.04 build (OpenSSL 3) and one of the Ubuntu 20.04 builds (OpenSSL 1.1.1). Signed-off-by: Selva Nair --- .github/workflows/build.yaml | 8 ++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yaml b/.github

[Openvpn-devel] [PATCH 1/3] Move digest_sign_verify out of test_cryptoapi.c

2023-03-22 Thread selva . nair
From: Selva Nair - This function will be reused for testing pkcs11 Signed-off-by: Selva Nair --- tests/unit_tests/openvpn/Makefile.am | 1 + tests/unit_tests/openvpn/pkey_test_utils.c | 141 + tests/unit_tests/openvpn/test_cryptoapi.c | 98 +- 3 files

[Openvpn-devel] [PATCH 2/3] Unit tests: Test for PKCS#11 using a softhsm2 token

2023-03-22 Thread selva . nair
From: Selva Nair - Load some test certificate/key pairs into a temporary softhsm2 token and enumerate available objects through pkcs11-helper interface - For each object, load it into SSL_CTX and test sign (if using OpenSSL 3) or check the certificate and public-key match (if using OpenSSL

[Openvpn-devel] [PATCH] Make error in setting metric for IPv6 interface non-fatal

2023-03-22 Thread selva . nair
From: Selva Nair - Unfortunately there are still users out there who disable IPv6 on tun/tap/dco interfaces or even system-wide. Fixes: Github issue #294 Signed-off-by: Selva Nair --- src/openvpnserv/interactive.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src

Re: [Openvpn-devel] [PATCH] Print DCO client stats on SIGUSR2

2023-03-22 Thread Selva Nair
Hi, On Wed, Mar 22, 2023 at 7:34 AM Lev Stipakov wrote: > From: Lev Stipakov > > Change-Id: I465febdf7ee5fe573e88255844f718efb60f8e8a > Signed-off-by: Lev Stipakov > --- > src/openvpn/sig.c | 13 + > src/openvpn/sig.h | 2 +- > 2 files changed, 10 insertions(+), 5 deletions(-) >

Re: [Openvpn-devel] [PATCH applied] Re: Improve error message on short read from socks proxy

2023-03-20 Thread Selva Nair
> > > > Thanks, this change makes sense. I have not actively tried to provoke > it (like, by connecting to a "fake SOCKS server" that will trigger it), > but the change is obviously an improvement to "if it's not ==1, it > must be a TCP error!"). > An easy way to "provoke" this is to use openssh

[Openvpn-devel] [PATCH] Unit tests: add test for SSL_CTX_use_Cryptoapi_certificate()

2023-03-18 Thread selva . nair
From: Selva Nair - This is the only remaining function in cryptoapi.c that has no direct or indirect test. This test confirms that an SSL_CTX context gets a certificate and private key loaded into it and the public key in the certificate matches the private key. As signing

[Openvpn-devel] [PATCH] Improve error message on short read from socks proxy

2023-03-18 Thread selva . nair
From: Selva Nair Change-Id: Id6bf8ea705d02eff2cbfba7d841e1cdb6ae1 Signed-off-by: Selva Nair --- src/openvpn/socks.c | 7 ++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/src/openvpn/socks.c b/src/openvpn/socks.c index 6a672c25..2cf0cc9f 100644 --- a/src/openvpn/socks.c

Re: [Openvpn-devel] [PATCH applied] Re: Import some sample certificates into Windows store for testing

2023-03-16 Thread Selva Nair
> > > I have tried testing this on a "real" Win10 VM, but I am missing some > intricacies with the cert store - I wanted to see if certs are properly > cleaned up, but I can't even see my own .p12 I have imported, so I am > doing something wrong... This works for me: Run "certmgr" from a user

Re: [Openvpn-devel] [PATCH 0/4] Add some tests for cryptoapi.c functions

2023-03-15 Thread Selva Nair
On Wed, Mar 15, 2023 at 4:30 AM Gert Doering wrote: > Hi, > > On Tue, Mar 14, 2023 at 09:35:12PM -0400, selva.n...@gmail.com wrote: > > From: Selva Nair > > > > Import some sample certificates into Windows store for testing > > - 4 test ce

[Openvpn-devel] [PATCH 1/4] Import some sample certificates into Windows store for testing

2023-03-14 Thread selva . nair
From: Selva Nair - A few sample certificates are defined and imported into Windows certificate store (user store). This only tests the import process. Use of these certs to test the core functionality of 'cryptoapicert' is in the following commits. Change-Id

[Openvpn-devel] [PATCH 4/4] Add a test for signing with certificates in Windows store

2023-03-14 Thread selva . nair
From: Selva Nair - For each sample certificate/key pair imported into the store, load the key into xkey-provider and sign a test message. As the key is "provided", signing will use appropriate backend (Windows CNG in this case). The signature is then verified using OpenSSL.

[Openvpn-devel] [PATCH 2/4] Add tests for finding certificates in Windows cert store

2023-03-14 Thread selva . nair
From: Selva Nair - find_certificate_in_store tested using 'SUBJ:', 'THUMB:' and 'ISSUER:' select strings. Uses test certificates imported into the store during the import test. Change-Id: Ib5138465e6228538af592ca98b3d877277355f59 Signed-off-by: Selva Nair --- tests/unit_tests/openvpn

[Openvpn-devel] [PATCH 3/4] Refactor SSL_CTX_use_CryptoAPI_certificate()

2023-03-14 Thread selva . nair
From: Selva Nair - Loading the certificate and key into the provider is split out of setting up the SSL context. This allows testing of signing by cryptoapi-provider interface without dependence on SSL context or link-time wrapping. Change-Id: I269b94589636425e1ba9bf953047d238fa830376

[Openvpn-devel] [PATCH 0/4] Add some tests for cryptoapi.c functions

2023-03-14 Thread selva . nair
From: Selva Nair Import some sample certificates into Windows store for testing - 4 test certificates imported to user store and removed at the end. Add tests for finding certificates in Windows certificate store - test using SUBJ:, THUMB: and ISSUER: select-strings Refactor

Re: [Openvpn-devel] [PATCH] Bugfix: Convert ECDSA signature from pkcs11-helper to DER encoded form

2023-03-14 Thread Selva Nair
Hi, On Tue, Mar 14, 2023 at 5:54 AM David Sommerseth wrote: > > > Just got feedback from the reporter in the Fedora bugzilla; this patch > works well on Fedora 38. > > I suggest adding this tag to the commit log. Feel free to add the URL > tag to the bugzilla ticket too. > > Tested-by:

[Openvpn-devel] [PATCH v2] Bugfix: Convert ECDSA signature from pkcs11-helper to DER encoded form

2023-03-14 Thread selva . nair
From: Selva Nair - With OpenSSL 3.0 and xkey-provider, we use pkcs11h_certificate_signAny_ex() which returns EC signature as raw r|s concatenated. But OpenSSL expects a DER encoded ASN.1 structure. Do this conversion as done in cryptoapi.c. For code re-use, ecdsa_bin2sig

[Openvpn-devel] [PATCH] Bugfix: Convert ECDSA signature from pkcs11-helper to DER encoded form

2023-03-10 Thread selva . nair
From: Selva Nair - With OpenSSL 3.0 and xkey-provider, we use pkcs11h_certificate_signAny_ex() which returns EC signature as raw r|s concatenated. But OpenSSL expects a DER encoded ASN.1 structure. Do this conversion as done in cryptoapi.c. For code re-use, ecdsa_bin2sig

Re: [Openvpn-devel] [PATCH] tests/unit_tests: Fix 'make distcheck' with subdir-objects enabled

2023-03-08 Thread Selva Nair
cannot figure arbitrary variable expansion won't work as expected for out-of-tree builds with read-only sources. But testing does show only $(srcdir) and $(top_srcdir) get correctly handled, and the fix below appears to be a reasonable way out. Tested "make distcheck" and also compared

Re: [Openvpn-devel] [PATCH 2/2] Include supplementary groups when checking management-client-group

2023-03-06 Thread Selva Nair
Hi FTR, I just noticed that the patch is missing an endgrent() call: On Mon, Mar 6, 2023 at 12:33 AM wrote: > > +struct group *gr = getgrent(); > +char **members = NULL; > +while (gr) > +{ > +if (gr->gr_gid == gid) > +{ > +/* found the group -- check

Re: [Openvpn-devel] [PATCH 2/2] Include supplementary groups when checking management-client-group

2023-03-06 Thread Selva Nair
Hi, On Mon, Mar 6, 2023 at 3:24 AM Gert Doering wrote: > Hi, > > On Mon, Mar 06, 2023 at 12:33:46AM -0500, selva.n...@gmail.com wrote: > > From: Selva Nair > > > > - When management-client-group is in use, allow access if any of > > the supplementary groups

[Openvpn-devel] [PATCH 2/2] Include supplementary groups when checking management-client-group

2023-03-05 Thread selva . nair
From: Selva Nair - When management-client-group is in use, allow access if any of the supplementary groups of the user matches the specified group. Currently only the effective gid of the peer socket is checked, which is normally the primary group of the user. As unprivileged users have

[Openvpn-devel] [PATCH 1/2] Do not save pointer to 'struct passwd' returned by getpwnam etc.

2023-03-05 Thread selva . nair
From: Selva Nair - This pointer is to a static area which can change on further calls to getpwnam, getpwuid etc. Same with struct group returned by getgrnam. As the only field later referred to is uid or gid, fix by saving them instead. Signed-off-by: Selva Nair --- Though we call

Re: [Openvpn-devel] [PATCH applied] Re: Add a unit test for functions in cryptoapi.c

2023-02-25 Thread Selva Nair
Hi On Sat, Feb 25, 2023 at 11:29 AM Gert Doering wrote: > Acked-by: Gert Doering > > Thanks for the v4. This enabled me to just push to GH to have > to build and run the tests, without having to bother myself with > copying binaries around :-) > > OTOH, there might be a bit of polishing

[Openvpn-devel] [PATCH v4 3/3] Add a unit test for functions in cryptoapi.c

2023-02-14 Thread selva . nair
From: Selva Nair - Though named cryptoapi_testdriver, right now this only tests parsing of thumbprint specified as a selector for --cryptoapicert option. More tests coming.. v2: a line that belongs here was mistakenly included in the previous commit. Corrected. v3: add to list of tests run

[Openvpn-devel] [PATCH v3 3/3] Add a unit test for functions in cryptoapi.c

2023-02-14 Thread selva . nair
From: Selva Nair - Though named cryptoapi_testdriver, right now this only tests parsing of thumbprint specified as a selector for --cryptoapicert option. More tests coming.. v2: a line that belongs here was mistakenly included in the previous commit. Corrected. v3: add to list of tests run

Re: [Openvpn-devel] [PATCH v3 2/3] Build unit tests in mingw Windows build

2023-02-11 Thread Selva Nair
Hi, On Sat, Feb 11, 2023 at 1:32 PM Gert Doering wrote: > > > /bin/bash ../../../libtool --tag=CC --mode=link i686-w64-mingw32-gcc This is a 32 bit build which I never tried. Maybe cmocka is not built for 32 bit? > -I/home/gert/mingw/opt/include -I/home/gert/mingw/opt/include >

Re: [Openvpn-devel] [PATCH v3 2/3] Build unit tests in mingw Windows build

2023-02-10 Thread Selva Nair
Hi On Fri, Feb 10, 2023 at 4:13 PM Gert Doering wrote: > Hi, > > On Tue, Feb 07, 2023 at 07:59:25PM -0500, selva.n...@gmail.com wrote: > > From: Selva Nair > > > > - Minor changes to the build system to include some > > dependencies for Windows build >

Re: [Openvpn-devel] [PATCH v3 2/3] Build unit tests in mingw Windows build

2023-02-10 Thread Selva Nair
On Fri, Feb 10, 2023 at 4:13 PM Gert Doering wrote: > Hi, > > On Tue, Feb 07, 2023 at 07:59:25PM -0500, selva.n...@gmail.com wrote: > > From: Selva Nair > > > > - Minor changes to the build system to include some > > dependencies for Windows build >

Re: [Openvpn-devel] [PATCH] Improve format specifier for socket handle in Windows

2023-02-10 Thread Selva Nair
ints hex, and INVALID_SOCKET looks a bit nicer: > > > >2023-02-10 15:17:11 us=828000 write to TUN/TAP : Järjestelmäkutsulle > > annettu data-alue on liian pieni. (fd=,code=122) > > > > Reported-by: Selva Nair > > Signed-off-by: Lev Stipakov

Re: [Openvpn-devel] [PATCH 3/5] Do not run check_engine test when crosscompiling

2023-02-09 Thread Selva Nair
Hi, On Tue, Feb 7, 2023 at 7:19 PM Arne Schwabe wrote: > Signed-off-by: Arne Schwabe > --- > tests/unit_tests/engine-key/Makefile.am | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/tests/unit_tests/engine-key/Makefile.am > b/tests/unit_tests/engine-key/Makefile.am > index

[Openvpn-devel] Fwd: [PATCH v2 3/5] Windows: fix wrong printf format in x_check_status

2023-02-09 Thread Selva Nair
CC: list -- Forwarded message - From: Selva Nair Date: Tue, Feb 7, 2023 at 11:57 AM Subject: Re: [Openvpn-devel] [PATCH v2 3/5] Windows: fix wrong printf format in x_check_status To: Frank Lichtenheld Nitpicking: > - use PRIuPTR as discussed on IRC (added relevant defi

[Openvpn-devel] Fwd: [PATCH 4/5] Add missing stdint.h includes in unit tests files

2023-02-09 Thread Selva Nair
CC: list -- Forwarded message - From: Selva Nair Date: Wed, Feb 8, 2023 at 11:34 PM Subject: Re: [Openvpn-devel] [PATCH 4/5] Add missing stdint.h includes in unit tests files To: Arne Schwabe Hi, On Tue, Feb 7, 2023 at 7:19 PM Arne Schwabe wrote: > My mingw compiler/head

[Openvpn-devel] Fwd: [PATCH v2 5/5] Add building unit tests with mingw to github actions

2023-02-09 Thread Selva Nair
CC: list was missed.. -- Forwarded message - From: Selva Nair Date: Thu, Feb 9, 2023 at 2:54 PM Subject: Re: [Openvpn-devel] [PATCH v2 5/5] Add building unit tests with mingw to github actions To: Arne Schwabe Hi, Thanks, this is much better with tests grouped together. Some

Re: [Openvpn-devel] [PATCH 5/5] Add building and running mingw unittests to github actions

2023-02-08 Thread Selva Nair
Hi, It's "absolutely splendid" to see cross-compiled tests running in GHA! Some issues below: On Tue, Feb 7, 2023 at 7:19 PM Arne Schwabe wrote: > Signed-off-by: Arne Schwabe > --- > .github/workflows/build.yaml | 110 ++- > 1 file changed, 108 insertions(+),

Re: [Openvpn-devel] [PATCH v2 3/3] Add a unit test for functions in cryptoapi.c

2023-02-08 Thread Selva Nair
On Wed, Feb 8, 2023 at 6:16 AM Arne Schwabe wrote: > Am 08.02.23 um 02:05 schrieb Selva Nair: > > Hi, > > > > On Tue, Feb 7, 2023 at 7:18 PM Arne Schwabe > <mailto:a...@rfc2549.org>> wrote: > > > > Am 04.02.23 um 07:40 schrieb selva.n...@g

Re: [Openvpn-devel] [PATCH v2 3/3] Add a unit test for functions in cryptoapi.c

2023-02-07 Thread Selva Nair
Hi, On Tue, Feb 7, 2023 at 7:18 PM Arne Schwabe wrote: > Am 04.02.23 um 07:40 schrieb selva.n...@gmail.com: > > From: Selva Nair > > > > - Though named cryptoapi_testdriver, right now this only tests > >parsing of thumbprint specified as a selector for --cryptio

[Openvpn-devel] [PATCH v3 2/3] Build unit tests in mingw Windows build

2023-02-07 Thread selva . nair
From: Selva Nair - Minor changes to the build system to include some dependencies for Windows build - test_tls_crypt not built as it will pull in win32.c and its dependencies - If cross-compiling, "make check" will only build the tests but not run any. Copy to Windows and ru

Re: [Openvpn-devel] [PATCH 1/5] Conditionally add subdir-objects option to automake

2023-02-07 Thread Selva Nair
On Tue, Feb 7, 2023 at 7:18 PM Arne Schwabe wrote: > From: Selva Nair > > - Eliminates repeated warnings such as > warning: source file '$(openvpn_srcdir)/env_set.c' is in a subdirectory, > but option 'subdir-objects' is disabled > - Enabled only for automake >= 1.16 a

Re: [Openvpn-devel] [PATCH v2 2/3] Build unit tests in mingw Windows build

2023-02-07 Thread Selva Nair
Hi, On Tue, Feb 7, 2023 at 6:59 AM Arne Schwabe wrote: > Am 04.02.23 um 07:40 schrieb selva.n...@gmail.com: > > From: Selva Nair > > > > - Minor changes to the build system to include some > >dependencies for Windows build > > > > - test_tls_cry

Re: [Openvpn-devel] [PATCH v3] configure: enable DCO by default on FreeBSD/Linux

2023-02-07 Thread Selva Nair
AC_MSG_WARN([Name/Value pair library not > found.]) > + ] > + ) > + if test "$enable_dco" = "no"; then > + if test "$enable_dco_arg" = "auto"; then > + AC_MSG_WARN([DCO support disabled]) > + else > + AC_MSG_ERROR([DCO support can't be > enabled]) > + fi > + fi > ;; > *-mingw*) > AC_MSG_NOTICE([NOTE: --enable-dco ignored on > Windows because it's always enabled]) > Looks good to me. Acked-by: Selva Nair Selva

Re: [Openvpn-devel] [PATCH v2] configure: enable DCO by default on FreeBSD/Linux

2023-02-06 Thread Selva Nair
Hi, On Mon, Feb 6, 2023 at 6:24 AM Frank Lichtenheld wrote: > Automatically disabled when > - iproute2 is enabled > (Don't want to force people specifying --disable-dco explicitly) > - libnv is missing on FreeBSD > (FreeBSD version too old anyway) > > Will still error out if libnl-genl is

[Openvpn-devel] [PATCH v2 2/3] Build unit tests in mingw Windows build

2023-02-03 Thread selva . nair
From: Selva Nair - Minor changes to the build system to include some dependencies for Windows build - test_tls_crypt not built as it will pull in win32.c and its dependencies - If cross-compiling, "make check" will only build the tests but not run any. Copy to Windows and ru

[Openvpn-devel] [PATCH v2 3/3] Add a unit test for functions in cryptoapi.c

2023-02-03 Thread selva . nair
From: Selva Nair - Though named cryptoapi_testdriver, right now this only tests parsing of thumbprint specified as a selector for --cryptoapicert option. More tests coming... v2: a line that belongs here was mistakenly included in the previous commit. Corrected. Signed-off-by: Selva Nair

[Openvpn-devel] [PATCH 3/3] Add a unit test for functions in cryptoapi.c

2023-02-03 Thread selva . nair
From: Selva Nair - Though named cryptoapi_testdriver, right now this only tests parsing of thumbprint specified as a selector for --cryptoapicert option. More cryptoapi tests coming... Signed-off-by: Selva Nair --- As requested during review of the 4/4 patch of cryptoapi series. Note

[Openvpn-devel] [PATCH 2/3] Build unit tests in mingw Windows build

2023-02-03 Thread selva . nair
From: Selva Nair - Minor changes to the build system to include some dependencies for Windows build - test_tls_crypt not built as it will pull in win32.c and its dependencies - If cross-compiling, "make check" will only build the tests but not run any. Copy to Windows and ru

[Openvpn-devel] [PATCH 1/3] Conditionally add subdir-objects option to automake

2023-02-03 Thread selva . nair
From: Selva Nair - Eliminates repeated warnings such as warning: source file '$(openvpn_srcdir)/env_set.c' is in a subdirectory, but option 'subdir-objects' is disabled - Enabled only for automake >= 1.16 as older versions have a buggy implementation of this option Main side eff

[Openvpn-devel] [PATCH v2 4/4] cryptoapi.c: simplify parsing of thumbprint hex string

2023-02-03 Thread selva . nair
From: Selva Nair v2: Moved the "parse_hexstring" chunk to a function for clarity and to permit unit-testing. A test is submitted as a follow up patch. Signed-off-by: Selva Nair --- src/openvpn/cryptoapi.c | 77 - 1 file changed, 37 inserti

Re: [Openvpn-devel] [PATCH 4/4] cryptoapi.c: simplify parsing of thumbprint hex string

2023-02-03 Thread Selva Nair
On Fri, Feb 3, 2023 at 5:25 AM Arne Schwabe wrote: > > > Well, replying to myself: > > > > I tried building the unit tests using cmocka for Windows > > (cross-compiling using mingw-w64 with locally built cmocka). > > Unfortunately, none of the tests could be built out of the box because > > of

Re: [Openvpn-devel] [PATCH 4/4] cryptoapi.c: simplify parsing of thumbprint hex string

2023-02-02 Thread Selva Nair
Hi > > On Wed, Feb 1, 2023 at 6:56 AM Frank Lichtenheld > wrote: > >> On Sat, Jan 28, 2023 at 05:34:21PM -0500, selva.n...@gmail.com wrote: >> > From: Selva Nair >> > >> > Signed-off-by: Selva Nair >> > --- >> > src/openvpn/cry

Re: [Openvpn-devel] [PATCH 4/4] cryptoapi.c: simplify parsing of thumbprint hex string

2023-02-01 Thread Selva Nair
Hi, On Wed, Feb 1, 2023 at 6:56 AM Frank Lichtenheld wrote: > On Sat, Jan 28, 2023 at 05:34:21PM -0500, selva.n...@gmail.com wrote: > > From: Selva Nair > > > > Signed-off-by: Selva Nair > > --- > > src/openvpn/cryptoapi.c | 44 +++-

[Openvpn-devel] [PATCH v2 3/4] cryptoapi.c: remove pre OpenSSL-3.01 support

2023-02-01 Thread selva . nair
From: Selva Nair - Require xkey-provider (thus OpenSSL 3.01+) for --cryptoapicert Note: Ideally we should also make ENABLE_CRYPTOAPI conditional on HAVE_XKEY_PROVIDER but that looks hard unless we can agree to move HAVE_XKEY_PROVIDER to configure/config.h. v2: use "binary

[Openvpn-devel] [PATCH v2] block-dns using iservice: fix a potential double free

2023-02-01 Thread selva . nair
From: Selva Nair - An item added to undo-list was not removed on error, causing attempt to free again in Undo(). Also fix a memory leak possibility in the same context. Github: fixes OpenVPN/openvpn#232 v2: Split add and delete functions and reuse the delete function for cleanup. Signed

Re: [Openvpn-devel] [PATCH] block-dns using iservice: fix a potential double free

2023-02-01 Thread Selva Nair
> > > Also I replaced 0x%x with %u in win_block_dns_service() for > consistency. You may want to do it in your patch too :) > We have at least another place where it's %x, so will leave that for another day. btw, shouldn't it be %d? Selva

Re: [Openvpn-devel] [PATCH] block-dns using iservice: fix a potential double free

2023-02-01 Thread Selva Nair
Hi, On Wed, Feb 1, 2023 at 4:37 AM Lev Stipakov wrote: > Hi, > > I made a slightly different fix but then noticed your mail. > > Indeed the problem is that get/set_interface_metric fails, > and we call FwpmEngineClose0 after updating the undo list. When > openvpn process exits, we execute

[Openvpn-devel] [PATCH] block-dns using iservice: fix a potential double free

2023-01-31 Thread selva . nair
From: Selva Nair - An item added to undo-list was not removed on error, causing attempt to free again in Undo(). Also fix a memory leak possibility in the same context. Github: fixes OpenVPN/openvpn#232 Signed-off-by: Selva Nair --- src/openvpnserv/interactive.c | 17 ++--- 1

[Openvpn-devel] [PATCH 2/4] cryptoapi.c: log the selected certificate's name

2023-01-28 Thread selva . nair
From: Selva Nair - With various ways of specifying the selector-string to the "--cryptoapicert" option, it's not immediately obvious which certificate gets selected from the store. Log it. The "name" logged is a friendly name (if present), or a representative el

[Openvpn-devel] [PATCH 1/4] Option --cryptoapicert: support issuer name as a selector

2023-01-28 Thread selva . nair
From: Selva Nair - Certificate selection string can now specify a partial issuer name string as "--cryptoapicert ISSUER:" where is matched as a substring of the issuer (CA) name in the certificate. Partial case-insensitive matching against the "issuer name" is use

[Openvpn-devel] [PATCH 4/4] cryptoapi.c: simplify parsing of thumbprint hex string

2023-01-28 Thread selva . nair
From: Selva Nair Signed-off-by: Selva Nair --- src/openvpn/cryptoapi.c | 44 +++-- 1 file changed, 12 insertions(+), 32 deletions(-) diff --git a/src/openvpn/cryptoapi.c b/src/openvpn/cryptoapi.c index 6ff4fcb5..9fd5aea9 100644 --- a/src/openvpn/cryptoapi.c

[Openvpn-devel] [PATCH 0/4] Improvements for cryptoapi.c

2023-01-28 Thread selva . nair
From: Selva Nair 1. Support selecting certificate using issuer name (goal: "planned obsolescence" of 2.6, already :) 2. Log the selected certificate's name 3. Remove Pre OpenSSL-3.01 support (goal: leaner and meaner) 4. Simplify parsing of thumbprint hex string doc/ma
