Re: [Openvpn-devel] [PATCH 4/4] Normalise ncp-ciphers option and restrict it to 127 bytes

2019-11-17 Thread Arne Schwabe
> > Second thing, more of a comment: 127 feels really low.  'AES-256-GCM' is > 11 characters, so 127 / 12 (11 chars and a separator) says you're > limiting to about 10 ciphers.  If I do `openvpn --show-ciphers` there's > a LOT of data there.  I'd think, for future-proofing, you'd want to > allow

[Openvpn-devel] [PATCH 6/4] Add strsep compat function

2019-11-17 Thread Arne Schwabe
Some operating systems do not have the strsep function. Since this API is more "modern" (4.4BSD) than strtok, add it as a compat function. At least Windows is missing strsep. FreeBSD, Linux, macOS and OpenSolaris should not need the compat function. Signed-off-by: Arne Schwabe --- configure.ac

[Openvpn-devel] [PATCH 5/4] Add ncp files to Visual studio print

2019-11-17 Thread Arne Schwabe
Signed-off-by: Arne Schwabe --- src/openvpn/openvpn.vcxproj | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/openvpn/openvpn.vcxproj b/src/openvpn/openvpn.vcxproj index 7446d97d..b3d35ba2 100644 --- a/src/openvpn/openvpn.vcxproj +++ b/src/openvpn/openvpn.vcxproj @@ -191,6 +191,7 @@

Re: [Openvpn-devel] [PATCH] Fix ACL_CHECK_ADD_COMPILE_FLAGS to work with clang

2019-11-17 Thread Arne Schwabe
On 14.11.19 at 22:58, Selva Nair wrote: > Hi David > > Thanks for the comments > > My idea was just to add -Werror right in the line above, and not > extend the > ACL_CHECK_ADD_COMPILE_FLAGS macro with another argument. > > > I'm fine with that approach as well. Let me know if you

Re: [Openvpn-devel] [PATCH v2] travis: fix CFLAGS assignment error and add -Werror only when compiling on Linux for Linux

2019-11-17 Thread Arne Schwabe
On 10.11.19 at 21:17, Antonio Quartulli wrote: > CFLAGS may not resolve to anything and the build-check.sh script would > just fail. > > Switch to EXTRA_FLAGS and use proper substitution so that the script won't > error out when EXTRA_FLAGS is uninitialized. > > At the same time ensure that such

[Openvpn-devel] [PATCH 3/4] Move NCP related function into a seperate file and add unit tests

2019-11-17 Thread Arne Schwabe
This allows unit testing of the NCP functions. The ssl.c file has too many dependencies to make unit testing of it viable. Signed-off-by: Arne Schwabe --- src/openvpn/Makefile.am | 1 + src/openvpn/init.c | 1 + src/openvpn/multi.c | 1 + src/openv

[Openvpn-devel] [PATCH 2/4] Implement dynamic NCP negotiation

2019-11-17 Thread Arne Schwabe
Our current NCP version is flawed in the way that it can only indicate support for AES-256-GCM and AES-128-GCM. While configuring client and server with different ncp-cipher configuration directives works, the server will blindly push the first cipher of that list to the client if the client sends

[Openvpn-devel] [PATCH 1/4] Only announce IV_NCP=2 when we are willing to support these ciphers

2019-11-17 Thread Arne Schwabe
We currently always announce IV_NCP=2 when we support these ciphers even when we do not accept them. This leads to a server pushing an AES-GCM-128 cipher to clients and the client then rejecting it. Signed-off-by: Arne Schwabe --- doc/openvpn.8| 2 ++ src/openvpn/init.c | 4

[Openvpn-devel] [PATCH 4/4] Normalise ncp-ciphers option and restrict it to 127 bytes

2019-11-17 Thread Arne Schwabe
In scenarios of mbed TLS vs OpenSSL we already normalise the ciphers that are sent via the wire protocol via OCC to not have a mismatch warning between server and client. This is done by translate_cipher_name_from_openvpn. The same applies also to the ncp-ciphers list. Specifying non normalised nam