[Openvpn-devel] [PATCH applied] Re: Update documentation references in systemd unit files

2024-03-08 Thread Gert Doering
Your patch has been applied to the master and release/2.6 branch.

commit f65c656ac034a99cca09557eeb9337e7c00a7e73 (master)
commit c6a61b84fdec825b0b4855d8cd12afa9ebeec43e (release/2.6)
Author: Christoph Schug
Date:   Fri Mar 8 15:03:46 2024 +0100

 Update documentation references in systemd unit files

 Signed-off-by: Christoph Schug 
 Acked-by: Frank Lichtenheld 
 Message-Id: <20240308140346.4058419-1-fr...@lichtenheld.com>
 URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28369.html
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering



___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


[Openvpn-devel] [PATCH applied] Re: remove repetitive words in documentation and comments

2024-03-08 Thread Gert Doering
Thanks, well spotted.

Having a proper "From:" in the patch would make proper attribution easier,
but we'll have to go with what we have.

Your patch has been applied to the master and release/2.6 branch (doc).

commit ad39f99f27522e622f408cc1a3323ba7d80907e8 (master)
commit f6c894bd7db0fdfcb32f6ff9571569c5bff392c6 (release/2.6)
Author: wellweek
Date:   Fri Mar 8 15:01:12 2024 +0100

 remove repetitive words in documentation and comments

 Signed-off-by: wellweek 
 Acked-by: Frank Lichtenheld 
 Message-Id: <20240308140112.4015131-1-fr...@lichtenheld.com>
 URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28368.html
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering





[Openvpn-devel] [PATCH] Update documentation references in systemd unit files

2024-03-08 Thread Frank Lichtenheld
From: Christoph Schug 

The systemd unit files for both client and server were referencing
outdated documentation as they were hard-coded to the OpenVPN 2.4.x
release branch.

Change-Id: Iee289aa5df9ee0e9a03c0dc562e45dd39836e794
Signed-off-by: Christoph Schug 
Acked-by: Frank Lichtenheld 
---
 distro/systemd/Makefile.am| 5 -
 distro/systemd/openvpn-cli...@.service.in | 2 +-
 distro/systemd/openvpn-ser...@.service.in | 2 +-
 3 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/distro/systemd/Makefile.am b/distro/systemd/Makefile.am
index 7e8f4753..d1c903f2 100644
--- a/distro/systemd/Makefile.am
+++ b/distro/systemd/Makefile.am
@@ -9,7 +9,10 @@
 #
 
 %.service: %.service.in Makefile
-   $(AM_V_GEN)sed -e 's|\@sbindir\@|$(sbindir)|' \
+   $(AM_V_GEN)sed \
+   -e 's|\@OPENVPN_VERSION_MAJOR\@|$(OPENVPN_VERSION_MAJOR)|g' \
+   -e 's|\@OPENVPN_VERSION_MINOR\@|$(OPENVPN_VERSION_MINOR)|g' \
+   -e 's|\@sbindir\@|$(sbindir)|g' \
$< > $@.tmp && mv $@.tmp $@
 
 EXTRA_DIST = \
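
Review bot: The two new `-e` expressions expand `$(OPENVPN_VERSION_MAJOR)` and `$(OPENVPN_VERSION_MINOR)` at make time, and nothing in this hunk shows those variables reaching this Makefile; if either is empty the rule still succeeds and the generated unit files carry a URL containing `openvpn--/`. Please confirm configure substitutes both for this directory, or make the rule fail when a `@...@` placeholder or an empty version survives in `$@.tmp`. The added `g` flag on the `sbindir` expression is a separate behaviour change and deserves a mention in the commit message.
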
diff --git a/distro/systemd/openvpn-cli...@.service.in 
b/distro/systemd/openvpn-cli...@.service.in
index 159fb4dc..15c82fad 100644
--- a/distro/systemd/openvpn-cli...@.service.in
+++ b/distro/systemd/openvpn-cli...@.service.in
@@ -3,7 +3,7 @@ Description=OpenVPN tunnel for %I
 After=syslog.target network-online.target
 Wants=network-online.target
 Documentation=man:openvpn(8)
-Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
+Documentation=https://openvpn.net/community-resources/reference-manual-for-openvpn-@OPENVPN_VERSION_MAJOR@-@OPENVPN_VERSION_MINOR@/
 Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
 
 [Service]
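
Review bot: The new `Documentation=` line derives its URL from the version being built, so it only resolves if the website publishes a page named `reference-manual-for-openvpn-<major>-<minor>/` for every version that ships this unit, which includes builds from master ahead of a release. Please confirm the page exists for each branch this is applied to (master and release/2.6 per the applied mail), since a unit file pointing operators at a dead link is no better than the outdated 2.4 one it replaces.
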
diff --git a/distro/systemd/openvpn-ser...@.service.in 
b/distro/systemd/openvpn-ser...@.service.in
index 6e8e7d94..b26d976b 100644
--- a/distro/systemd/openvpn-ser...@.service.in
+++ b/distro/systemd/openvpn-ser...@.service.in
@@ -3,7 +3,7 @@ Description=OpenVPN service for %I
 After=syslog.target network-online.target
 Wants=network-online.target
 Documentation=man:openvpn(8)
-Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
+Documentation=https://openvpn.net/community-resources/reference-manual-for-openvpn-@OPENVPN_VERSION_MAJOR@-@OPENVPN_VERSION_MINOR@/
 Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
 
 [Service]
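
Review bot: The unchanged `Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO` line directly below the edited one stays on the community wiki while the manual reference moves to openvpn.net. Since the commit message is about outdated references, check whether that HOWTO link is still the current one and, if not, update it in the same patch for both the client and server templates.
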
-- 
2.34.1





[Openvpn-devel] [PATCH] remove repetitive words in documentation and comments

2024-03-08 Thread Frank Lichtenheld
From: wellweek 

Change-Id: I4f349963b41ebe155d3866da8955f2d7245d0394
Signed-off-by: wellweek 
Acked-by: Frank Lichtenheld 
---
 Changes.rst  | 2 +-
 contrib/OCSP_check/OCSP_check.sh | 2 +-
 doc/man-sections/cipher-negotiation.rst  | 2 +-
 doc/man-sections/vpn-network-options.rst | 4 ++--
 sample/sample-config-files/server.conf   | 2 +-
 src/openvpn/fragment.h   | 2 +-
 src/openvpn/misc.c   | 2 +-
 src/openvpnserv/interactive.c| 2 +-
 8 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/Changes.rst b/Changes.rst
index 4cded980..54e59809 100644
--- a/Changes.rst
+++ b/Changes.rst
@@ -794,7 +794,7 @@ Control channel encryption (``--tls-crypt``)
 Asynchronous push reply
 Plug-ins providing support for deferred authentication can benefit from a 
more
 responsive authentication where the server sends PUSH_REPLY immediately 
once
-the authentication result is ready, instead of waiting for the the client 
to
+the authentication result is ready, instead of waiting for the client to
 to send PUSH_REQUEST once more.  This requires OpenVPN to be built with
 ``./configure --enable-async-push``.  This is a compile-time only switch.
 
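
Review bot: The replacement line still ends in `client to` while the unchanged next line begins with `to send PUSH_REQUEST`, so the paragraph keeps a doubled word ("to to") across the line break. Drop the trailing `to` from the `+` line so the sentence reads "waiting for the client to send PUSH_REQUEST once more".
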
diff --git a/contrib/OCSP_check/OCSP_check.sh b/contrib/OCSP_check/OCSP_check.sh
index 26757889..e4fec834 100644
--- a/contrib/OCSP_check/OCSP_check.sh
+++ b/contrib/OCSP_check/OCSP_check.sh
@@ -89,7 +89,7 @@ if [ $check_depth -eq -1 ] || [ $cur_depth -eq $check_depth 
]; then
 #
 # NOTE: It is needed to check the exit code of OpenSSL explicitly.  OpenSSL
 #   can in some circumstances give a "good" result if it could not
-#   reach the the OSCP server.  In this case, the exit code will 
indicate
+#   reach the OSCP server.  In this case, the exit code will indicate
 #   if OpenSSL itself failed or not.  If OpenSSL's exit code is not 0,
 #   don't trust the OpenSSL status.
 
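
Review bot: The corrected comment line still spells the protocol `OSCP`, while the script is `OCSP_check.sh`. Since this line is being touched anyway, change it to `reach the OCSP server` so a search for "OCSP" finds this warning about trusting OpenSSL's status only when its exit code is 0.
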
diff --git a/doc/man-sections/cipher-negotiation.rst 
b/doc/man-sections/cipher-negotiation.rst
index 888ffa6f..949ff862 100644
--- a/doc/man-sections/cipher-negotiation.rst
+++ b/doc/man-sections/cipher-negotiation.rst
@@ -8,7 +8,7 @@ different backwards compatibility mechanism with older server 
and clients.
 OpenVPN 2.5 and later behaviour
 
 When both client and server are at least running OpenVPN 2.5, that the order of
-the ciphers of the server's ``--data-ciphers`` is used to pick the the data 
cipher.
+the ciphers of the server's ``--data-ciphers`` is used to pick the data cipher.
 That means that the first cipher in that list that is also in the client's
 ``--data-ciphers`` list is chosen. If no common cipher is found the client is 
rejected
 with a AUTH_FAILED message (as seen in client log):
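
Review bot: The sentence around the fixed line is still ungrammatical: the context line reads "at least running OpenVPN 2.5, that the order of the ciphers ... is used", where the stray "that" should go, and the last context line has "a AUTH_FAILED message" instead of "an AUTH_FAILED message". Both are in the same paragraph and fit the scope of this cleanup.
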
diff --git a/doc/man-sections/vpn-network-options.rst 
b/doc/man-sections/vpn-network-options.rst
index 41d367bf..abe474f7 100644
--- a/doc/man-sections/vpn-network-options.rst
+++ b/doc/man-sections/vpn-network-options.rst
@@ -235,7 +235,7 @@ routing.
   address and subnet mask just as a physical ethernet adapter would be
   similarly configured. If you are attempting to connect to a remote
   ethernet bridge, the IP address and subnet should be set to values which
-  would be valid on the the bridged ethernet segment (note also that DHCP
+  would be valid on the bridged ethernet segment (note also that DHCP
   can be used for the same purpose).
 
   This option, while primarily a proxy for the ``ifconfig``\(8) command,
@@ -584,7 +584,7 @@ These two standalone operations will require ``--dev`` and 
optionally
   One of the advantages of persistent tunnels is that they eliminate the
   need for separate ``--up`` and ``--down`` scripts to run the appropriate
   ``ifconfig``\(8) and ``route``\(8) commands. These commands can be
-  placed in the the same shell script which starts or terminates an
+  placed in the same shell script which starts or terminates an
   OpenVPN session.
 
   Another advantage is that open connections through the TUN/TAP-based
diff --git a/sample/sample-config-files/server.conf 
b/sample/sample-config-files/server.conf
index 009fe56c..97732c62 100644
--- a/sample/sample-config-files/server.conf
+++ b/sample/sample-config-files/server.conf
@@ -42,7 +42,7 @@ proto udp
 # and bridged it with your ethernet interface.
 # If you want to control access policies
 # over the VPN, you must create firewall
-# rules for the the TUN/TAP interface.
+# rules for the TUN/TAP interface.
 # On non-Windows systems, you can give
 # an explicit unit number, such as tun0.
 # On Windows, use "dev-node" for this.
diff --git a/src/openvpn/fragment.h b/src/openvpn/fragment.h
index cc6829aa..2d13dbb7 100644
--- a/src/openvpn/fragment.h
+++ b/src/openvpn/fragment.h
@@ -314,7 +314,7 @@ void fragment_free(struct fragment_master *f);
  *reassembly buffer.  If the incoming part completes the packet being
  *reassembled, the \a 

[Openvpn-devel] [S] Change in openvpn[master]: gerrit-send-mail: add missing Signed-off-by

2024-03-08 Thread cron2 (Code Review)
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/530?usp=email )

Change subject: gerrit-send-mail: add missing Signed-off-by
..

gerrit-send-mail: add missing Signed-off-by

Our development documentation says we add this
automatically when it is missing. So let's do that
here as well.

Change-Id: If9cb7d66f079fe1c87fcb5b4e59bc887533d77fa
Signed-off-by: Frank Lichtenheld 
Acked-by: Gert Doering 
Message-Id: <20240308120557.9065-1-g...@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28362.html
Signed-off-by: Gert Doering 
---
M dev-tools/gerrit-send-mail.py
1 file changed, 13 insertions(+), 0 deletions(-)




diff --git a/dev-tools/gerrit-send-mail.py b/dev-tools/gerrit-send-mail.py
index 67a2cf1..10305e2 100755
--- a/dev-tools/gerrit-send-mail.py
+++ b/dev-tools/gerrit-send-mail.py
@@ -50,6 +50,12 @@
 ack = f"{reviewer_name} <{reviewer_mail}>"
 print(f"Acked-by: {ack}")
 acked_by.append(ack)
+# construct Signed-off-by in case it is missing
+owner = json_data["owner"]
+owner_name = owner.get("display_name", owner["name"])
+owner_mail = owner.get("email", owner["name"])
+sign_off = f"{owner_name} <{owner_mail}>"
+print(f"Signed-off-by: {sign_off}")
 change_id = json_data["change_id"]
 # assumes that the created date in Gerrit is in UTC
 utc_stamp = (
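
Review bot: In `owner.get("display_name", owner["name"])` and `owner.get("email", owner["name"])` the default `owner["name"]` is evaluated before `get()` runs, so a missing `name` key raises KeyError even when `display_name` and `email` are present. The e-mail fallback also puts a name inside the angle brackets, giving a `Signed-off-by: Name <name>` trailer with no usable address; prefer an explicit lookup that stops with a clear error when the owner has no e-mail rather than emitting a malformed sign-off.
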
@@ -67,6 +73,7 @@
 "target": json_data["branch"],
 "msg_id": msg_id,
 "acked_by": acked_by,
+"sign_off": sign_off,
 }


@@ -81,10 +88,14 @@

 def apply_patch_mods(patch_text, details, args):
 comment_start = patch_text.index("\n---\n") + len("\n---\n")
+signed_off_text = ""
+signed_off_comment = ""
 try:
 signed_off_start = patch_text.rindex("\nSigned-off-by: ")
 signed_off_end = patch_text.index("\n", signed_off_start + 1) + 1
 except ValueError:  # Signed-off missing
+signed_off_text = f"Signed-off-by: {details['sign_off']}\n"
+signed_off_comment = "\nSigned-off-by line for the author was added as 
per our policy.\n"
 signed_off_end = patch_text.index("\n---\n") + 1
 assert comment_start > signed_off_end
 acked_by_text = ""
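
Review bot: In the `except ValueError` branch the inserted trailer comes from `details['sign_off']`, which the first hunk builds from `json_data["owner"]`, yet the comment text says the line was added "for the author". The Gerrit change owner and the patch author are not necessarily the same person, and a Signed-off-by is an attestation made in someone's name, so either derive the identity from the patch's own author header or word the comment as "for the change owner" so the resulting mail states accurately whose sign-off was added.
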
@@ -94,6 +105,7 @@
 acked_by_names += f"{ack}\n"
 patch_text_mod = (
 patch_text[:signed_off_end]
++ signed_off_text
 + acked_by_text
 + patch_text[signed_off_end:comment_start]
 + f"""
@@ -102,6 +114,7 @@

 Gerrit URL: {args.url}/c/{details["project"]}/+/{args.changeid}
 This mail reflects revision {details["revision"]} of this Change.
+{signed_off_comment}
 Acked-by according to Gerrit (reflected above):
 {acked_by_names}
 """

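
Review bot: `{signed_off_comment}` sits on a line of its own inside the f-string, so when the variable is empty (the normal case, where the patch already has a Signed-off-by) the generated mail gains a blank line between "This mail reflects revision ..." and "Acked-by according to Gerrit". Put the placeholder at the end of the preceding line and keep the newlines inside the string itself, so the output is unchanged when no sign-off had to be added.
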
--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/530?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: If9cb7d66f079fe1c87fcb5b4e59bc887533d77fa
Gerrit-Change-Number: 530
Gerrit-PatchSet: 2
Gerrit-Owner: flichtenheld 
Gerrit-Reviewer: cron2 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-MessageType: merged


[Openvpn-devel] [PATCH applied] Re: gerrit-send-mail: add missing Signed-off-by

2024-03-08 Thread Gert Doering
Your patch has been applied to the master branch.

commit bea088cf8ae3382aeed420da2a39f2a9f52df4cd
Author: Frank Lichtenheld
Date:   Fri Mar 8 13:05:57 2024 +0100

 gerrit-send-mail: add missing Signed-off-by

 Signed-off-by: Frank Lichtenheld 
 Acked-by: Gert Doering 
 Message-Id: <20240308120557.9065-1-g...@greenie.muc.de>
 URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28362.html
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering





[Openvpn-devel] [S] Change in openvpn[master]: gerrit-send-mail: add missing Signed-off-by

2024-03-08 Thread cron2 (Code Review)
cron2 has uploaded a new patch set (#2) to the change originally created by flichtenheld. ( http://gerrit.openvpn.net/c/openvpn/+/530?usp=email )

The following approvals got outdated and were removed:
Code-Review+2 by cron2


Change subject: gerrit-send-mail: add missing Signed-off-by
..

gerrit-send-mail: add missing Signed-off-by

Our development documentation says we add this
automatically when it is missing. So let's do that
here as well.

Change-Id: If9cb7d66f079fe1c87fcb5b4e59bc887533d77fa
Signed-off-by: Frank Lichtenheld 
Acked-by: Gert Doering 
Message-Id: <20240308120557.9065-1-g...@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28362.html
Signed-off-by: Gert Doering 
---
M dev-tools/gerrit-send-mail.py
1 file changed, 13 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/30/530/2

diff --git a/dev-tools/gerrit-send-mail.py b/dev-tools/gerrit-send-mail.py
index 67a2cf1..10305e2 100755
--- a/dev-tools/gerrit-send-mail.py
+++ b/dev-tools/gerrit-send-mail.py
@@ -50,6 +50,12 @@
 ack = f"{reviewer_name} <{reviewer_mail}>"
 print(f"Acked-by: {ack}")
 acked_by.append(ack)
+# construct Signed-off-by in case it is missing
+owner = json_data["owner"]
+owner_name = owner.get("display_name", owner["name"])
+owner_mail = owner.get("email", owner["name"])
+sign_off = f"{owner_name} <{owner_mail}>"
+print(f"Signed-off-by: {sign_off}")
 change_id = json_data["change_id"]
 # assumes that the created date in Gerrit is in UTC
 utc_stamp = (
@@ -67,6 +73,7 @@
 "target": json_data["branch"],
 "msg_id": msg_id,
 "acked_by": acked_by,
+"sign_off": sign_off,
 }


@@ -81,10 +88,14 @@

 def apply_patch_mods(patch_text, details, args):
 comment_start = patch_text.index("\n---\n") + len("\n---\n")
+signed_off_text = ""
+signed_off_comment = ""
 try:
 signed_off_start = patch_text.rindex("\nSigned-off-by: ")
 signed_off_end = patch_text.index("\n", signed_off_start + 1) + 1
 except ValueError:  # Signed-off missing
+signed_off_text = f"Signed-off-by: {details['sign_off']}\n"
+signed_off_comment = "\nSigned-off-by line for the author was added as 
per our policy.\n"
 signed_off_end = patch_text.index("\n---\n") + 1
 assert comment_start > signed_off_end
 acked_by_text = ""
@@ -94,6 +105,7 @@
 acked_by_names += f"{ack}\n"
 patch_text_mod = (
 patch_text[:signed_off_end]
++ signed_off_text
 + acked_by_text
 + patch_text[signed_off_end:comment_start]
 + f"""
@@ -102,6 +114,7 @@

 Gerrit URL: {args.url}/c/{details["project"]}/+/{args.changeid}
 This mail reflects revision {details["revision"]} of this Change.
+{signed_off_comment}
 Acked-by according to Gerrit (reflected above):
 {acked_by_names}
 """

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/530?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: If9cb7d66f079fe1c87fcb5b4e59bc887533d77fa
Gerrit-Change-Number: 530
Gerrit-PatchSet: 2
Gerrit-Owner: flichtenheld 
Gerrit-Reviewer: cron2 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-MessageType: newpatchset


Re: [Openvpn-devel] [PATCH OpenVPN3] Add 'pull' to ignored options

2024-03-08 Thread Frank Lichtenheld
On Fri, Mar 08, 2024 at 10:47:27AM +0100, Merten Fermont wrote:
> Hi Frank,
> 
> Arne has indeed applied a fix based on this patch.
> 
> However, it looks like the case from this issue is not completely solved:
> https://github.com/OpenVPN/openvpn3/issues/277
> If you have options "client" and "pull" but no "tls-client" in the config,
> the "pull" option will not be touched.

True, due to short-circuit logic. I will prepare a fix.

Regards,
-- 
  Frank Lichtenheld




[Openvpn-devel] [S] Change in openvpn[master]: gerrit-send-mail: add missing Signed-off-by

2024-03-08 Thread cron2 (Code Review)
Attention is currently required from: flichtenheld, plaisthos.

cron2 has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/530?usp=email )

Change subject: gerrit-send-mail: add missing Signed-off-by
..


Patch Set 1: Code-Review+2

(1 comment)

Patchset:

PS1:
looks reasonable.  Given that it's a language I refuse to understand I can't 
say for sure, but good enough still.



--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/530?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: If9cb7d66f079fe1c87fcb5b4e59bc887533d77fa
Gerrit-Change-Number: 530
Gerrit-PatchSet: 1
Gerrit-Owner: flichtenheld 
Gerrit-Reviewer: cron2 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-Attention: plaisthos 
Gerrit-Attention: flichtenheld 
Gerrit-Comment-Date: Fri, 08 Mar 2024 12:05:36 +
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment


[Openvpn-devel] [PATCH v1] gerrit-send-mail: add missing Signed-off-by

2024-03-08 Thread Gert Doering
From: Frank Lichtenheld 

Our development documentation says we add this
automatically when it is missing. So let's do that
here as well.

Change-Id: If9cb7d66f079fe1c87fcb5b4e59bc887533d77fa
Signed-off-by: Frank Lichtenheld 
Acked-by: Gert Doering 
---

This change was reviewed on Gerrit and approved by at least one
developer. I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/530
This mail reflects revision 1 of this Change.
Acked-by according to Gerrit (reflected above):
Gert Doering 


diff --git a/dev-tools/gerrit-send-mail.py b/dev-tools/gerrit-send-mail.py
index 67a2cf1..10305e2 100755
--- a/dev-tools/gerrit-send-mail.py
+++ b/dev-tools/gerrit-send-mail.py
@@ -50,6 +50,12 @@
 ack = f"{reviewer_name} <{reviewer_mail}>"
 print(f"Acked-by: {ack}")
 acked_by.append(ack)
+# construct Signed-off-by in case it is missing
+owner = json_data["owner"]
+owner_name = owner.get("display_name", owner["name"])
+owner_mail = owner.get("email", owner["name"])
+sign_off = f"{owner_name} <{owner_mail}>"
+print(f"Signed-off-by: {sign_off}")
 change_id = json_data["change_id"]
 # assumes that the created date in Gerrit is in UTC
 utc_stamp = (
@@ -67,6 +73,7 @@
 "target": json_data["branch"],
 "msg_id": msg_id,
 "acked_by": acked_by,
+"sign_off": sign_off,
 }
 
 
@@ -81,10 +88,14 @@
 
 def apply_patch_mods(patch_text, details, args):
 comment_start = patch_text.index("\n---\n") + len("\n---\n")
+signed_off_text = ""
+signed_off_comment = ""
 try:
 signed_off_start = patch_text.rindex("\nSigned-off-by: ")
 signed_off_end = patch_text.index("\n", signed_off_start + 1) + 1
 except ValueError:  # Signed-off missing
+signed_off_text = f"Signed-off-by: {details['sign_off']}\n"
+signed_off_comment = "\nSigned-off-by line for the author was added as 
per our policy.\n"
 signed_off_end = patch_text.index("\n---\n") + 1
 assert comment_start > signed_off_end
 acked_by_text = ""
@@ -94,6 +105,7 @@
 acked_by_names += f"{ack}\n"
 patch_text_mod = (
 patch_text[:signed_off_end]
++ signed_off_text
 + acked_by_text
 + patch_text[signed_off_end:comment_start]
 + f"""
@@ -102,6 +114,7 @@
 
 Gerrit URL: {args.url}/c/{details["project"]}/+/{args.changeid}
 This mail reflects revision {details["revision"]} of this Change.
+{signed_off_comment}
 Acked-by according to Gerrit (reflected above):
 {acked_by_names}
 """




[Openvpn-devel] [M] Change in openvpn[master]: t_client.sh: Allow to skip tests

2024-03-08 Thread cron2 (Code Review)
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/521?usp=email )

Change subject: t_client.sh: Allow to skip tests
..

t_client.sh: Allow to skip tests

Individual tests can define a script to run to test
whether they should be skipped.

Included in this commit is an example check which
checks whether we can do NTLM checks. This fails
e.g. on recent versions of Fedora with mbedTLS
(tested with Fedora 39) or when NTLM support is not
compiled in.

v2:
 - ntlm_support:
   - support OpenSSL 3
   - allow to build without cmocka
v3:
 - add example to t_client.rc-sample
 - t_client.sh code style
 - use syshead.h in error.h
v5:
 - rename SKIP_x to CHECK_SKIP_x

Change-Id: I13ea6752c8d102eabcc579e391828c05d5322899
Signed-off-by: Frank Lichtenheld 
Acked-by: Gert Doering 
Message-Id: <20240308102818.9249-1-g...@greenie.muc.de>
URL: https://www.mail-archive.com/search?l=mid=20240308102818.9249-1-g...@greenie.muc.de
Signed-off-by: Gert Doering 
---
M src/openvpn/error.h
M tests/Makefile.am
A tests/ntlm_support.c
M tests/t_client.rc-sample
M tests/t_client.sh.in
M tests/unit_tests/openvpn/mock_msg.c
6 files changed, 119 insertions(+), 15 deletions(-)




diff --git a/src/openvpn/error.h b/src/openvpn/error.h
index 1225b13..be3484d 100644
--- a/src/openvpn/error.h
+++ b/src/openvpn/error.h
@@ -25,16 +25,10 @@
 #define ERROR_H

 #include "basic.h"
-
-#include 
-#include 
+#include "syshead.h"

 #include 

-#if _WIN32
-#include 
-#endif
-
 /* #define ABORT_ON_ERROR */

 #if defined(ENABLE_PKCS11) || defined(ENABLE_MANAGEMENT)
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 6c71067..6bc02b4 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -18,6 +18,8 @@

 if !WIN32
 test_scripts = t_client.sh t_lpback.sh t_cltsrv.sh
+
+check_PROGRAMS = ntlm_support
 if HAVE_SITNL
 test_scripts += t_net.sh
 endif
@@ -35,3 +37,15 @@

 dist_noinst_DATA = \
t_client.rc-sample
+
+ntlm_support_CFLAGS  = -I$(top_srcdir)/src/openvpn -I$(top_srcdir)/src/compat 
-I$(top_srcdir)/tests/unit_tests/openvpn -DNO_CMOCKA @TEST_CFLAGS@
+ntlm_support_LDFLAGS = @TEST_LDFLAGS@ -L$(top_srcdir)/src/openvpn 
$(OPTIONAL_CRYPTO_LIBS)
+ntlm_support_SOURCES = ntlm_support.c \
+   unit_tests/openvpn/mock_msg.c unit_tests/openvpn/mock_msg.h \
+   $(top_srcdir)/src/openvpn/buffer.c \
+   $(top_srcdir)/src/openvpn/crypto.c \
+   $(top_srcdir)/src/openvpn/crypto_openssl.c \
+   $(top_srcdir)/src/openvpn/crypto_mbedtls.c \
+   $(top_srcdir)/src/openvpn/otime.c \
+   $(top_srcdir)/src/openvpn/packet_id.c \
+   $(top_srcdir)/src/openvpn/platform.c
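
Review bot: `ntlm_support_LDFLAGS` adds `-L$(top_srcdir)/src/openvpn`, a library search path into the source tree, although the program is linked from the source files listed in `ntlm_support_SOURCES` and no `-l` option here refers to a library in that directory. In an out-of-tree build any built artifacts live under `$(top_builddir)`, not `$(top_srcdir)`, so either drop the `-L` or point it at the build directory. A short comment explaining why both `crypto_openssl.c` and `crypto_mbedtls.c` are listed would also help the next reader.
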
diff --git a/tests/ntlm_support.c b/tests/ntlm_support.c
new file mode 100644
index 000..2d7da86
--- /dev/null
+++ b/tests/ntlm_support.c
@@ -0,0 +1,52 @@
+/*
+ *  OpenVPN -- An application to securely tunnel IP networks
+ * over a single UDP port, with support for SSL/TLS-based
+ * session authentication and key exchange,
+ * packet encryption, packet authentication, and
+ * packet compression.
+ *
+ * Copyright (C) 2023 OpenVPN Inc 
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License version 2
+ *  as published by the Free Software Foundation.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include "syshead.h"
+
+#include "crypto.h"
+#include "error.h"
+
+int
+main(void)
+{
+#if defined(ENABLE_CRYPTO_OPENSSL)
+crypto_load_provider("legacy");
+crypto_load_provider("default");
+#endif
+#ifdef NTLM
+if (!md_valid("MD4"))
+{
+msg(M_FATAL, "MD4 not supported");
+}
+if (!md_valid("MD5"))
+{
+msg(M_FATAL, "MD5 not supported");
+}
+#else  /* ifdef NTLM */
+msg(M_FATAL, "NTLM support not compiled in");
+#endif
+}
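
Review bot: `main()` in the new `tests/ntlm_support.c` reports failure only through `msg(M_FATAL, ...)` and reaches the closing brace without a `return` on the success path. The test runner is meant to decide on skipping from this program's result, so make the contract explicit with `return 0;` at the end and a header comment stating that exit status 0 means MD4 and MD5 are both usable and NTLM is compiled in, and non-zero means the NTLM test should be skipped.
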
diff --git a/tests/t_client.rc-sample b/tests/t_client.rc-sample
index 355e8bb..d61ecc4 100644
--- a/tests/t_client.rc-sample
+++ b/tests/t_client.rc-sample
@@ -27,7 +27,7 @@
 #
 # tests to run (list suffixes for config stanzas below)
 #
-TEST_RUN_LIST="1 2"
+TEST_RUN_LIST="1 2 2n"

 #
 # use "sudo" (etc) to give openvpn the necessary privileges
@@ -53,14 +53,24 @@
 #
 # if something is not defined here, the corresponding test is not run
 #
-# possible test options:
+# common test options:
 #
-# RUN_TITLE_x="what is being tested on here" (purely informational)
-# OPENVPN_CONF_x = "how to call ./openvpn" 

[Openvpn-devel] [M] Change in openvpn[master]: t_client.sh: Allow to skip tests

2024-03-08 Thread cron2 (Code Review)
cron2 has uploaded a new patch set (#6) to the change originally created by flichtenheld. ( http://gerrit.openvpn.net/c/openvpn/+/521?usp=email )

The following approvals got outdated and were removed:
Code-Review+2 by cron2


Change subject: t_client.sh: Allow to skip tests
..

t_client.sh: Allow to skip tests

Individual tests can define a script to run to test
whether they should be skipped.

Included in this commit is an example check which
checks whether we can do NTLM checks. This fails
e.g. on recent versions of Fedora with mbedTLS
(tested with Fedora 39) or when NTLM support is not
compiled in.

v2:
 - ntlm_support:
   - support OpenSSL 3
   - allow to build without cmocka
v3:
 - add example to t_client.rc-sample
 - t_client.sh code style
 - use syshead.h in error.h
v5:
 - rename SKIP_x to CHECK_SKIP_x

Change-Id: I13ea6752c8d102eabcc579e391828c05d5322899
Signed-off-by: Frank Lichtenheld 
Acked-by: Gert Doering 
Message-Id: <20240308102818.9249-1-g...@greenie.muc.de>
URL: https://www.mail-archive.com/search?l=mid=20240308102818.9249-1-g...@greenie.muc.de
Signed-off-by: Gert Doering 
---
M src/openvpn/error.h
M tests/Makefile.am
A tests/ntlm_support.c
M tests/t_client.rc-sample
M tests/t_client.sh.in
M tests/unit_tests/openvpn/mock_msg.c
6 files changed, 119 insertions(+), 15 deletions(-)


  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/21/521/6

diff --git a/src/openvpn/error.h b/src/openvpn/error.h
index 1225b13..be3484d 100644
--- a/src/openvpn/error.h
+++ b/src/openvpn/error.h
@@ -25,16 +25,10 @@
 #define ERROR_H

 #include "basic.h"
-
-#include 
-#include 
+#include "syshead.h"

 #include 

-#if _WIN32
-#include 
-#endif
-
 /* #define ABORT_ON_ERROR */

 #if defined(ENABLE_PKCS11) || defined(ENABLE_MANAGEMENT)
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 6c71067..6bc02b4 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -18,6 +18,8 @@

 if !WIN32
 test_scripts = t_client.sh t_lpback.sh t_cltsrv.sh
+
+check_PROGRAMS = ntlm_support
 if HAVE_SITNL
 test_scripts += t_net.sh
 endif
@@ -35,3 +37,15 @@

 dist_noinst_DATA = \
t_client.rc-sample
+
+ntlm_support_CFLAGS  = -I$(top_srcdir)/src/openvpn -I$(top_srcdir)/src/compat 
-I$(top_srcdir)/tests/unit_tests/openvpn -DNO_CMOCKA @TEST_CFLAGS@
+ntlm_support_LDFLAGS = @TEST_LDFLAGS@ -L$(top_srcdir)/src/openvpn 
$(OPTIONAL_CRYPTO_LIBS)
+ntlm_support_SOURCES = ntlm_support.c \
+   unit_tests/openvpn/mock_msg.c unit_tests/openvpn/mock_msg.h \
+   $(top_srcdir)/src/openvpn/buffer.c \
+   $(top_srcdir)/src/openvpn/crypto.c \
+   $(top_srcdir)/src/openvpn/crypto_openssl.c \
+   $(top_srcdir)/src/openvpn/crypto_mbedtls.c \
+   $(top_srcdir)/src/openvpn/otime.c \
+   $(top_srcdir)/src/openvpn/packet_id.c \
+   $(top_srcdir)/src/openvpn/platform.c
diff --git a/tests/ntlm_support.c b/tests/ntlm_support.c
new file mode 100644
index 000..2d7da86
--- /dev/null
+++ b/tests/ntlm_support.c
@@ -0,0 +1,52 @@
+/*
+ *  OpenVPN -- An application to securely tunnel IP networks
+ * over a single UDP port, with support for SSL/TLS-based
+ * session authentication and key exchange,
+ * packet encryption, packet authentication, and
+ * packet compression.
+ *
+ * Copyright (C) 2023 OpenVPN Inc 
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License version 2
+ *  as published by the Free Software Foundation.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include "syshead.h"
+
+#include "crypto.h"
+#include "error.h"
+
+int
+main(void)
+{
+#if defined(ENABLE_CRYPTO_OPENSSL)
+crypto_load_provider("legacy");
+crypto_load_provider("default");
+#endif
+#ifdef NTLM
+if (!md_valid("MD4"))
+{
+msg(M_FATAL, "MD4 not supported");
+}
+if (!md_valid("MD5"))
+{
+msg(M_FATAL, "MD5 not supported");
+}
+#else  /* ifdef NTLM */
+msg(M_FATAL, "NTLM support not compiled in");
+#endif
+}
diff --git a/tests/t_client.rc-sample b/tests/t_client.rc-sample
index 355e8bb..d61ecc4 100644
--- a/tests/t_client.rc-sample
+++ b/tests/t_client.rc-sample
@@ -27,7 +27,7 @@
 #
 # tests to run (list suffixes for config stanzas below)
 #
-TEST_RUN_LIST="1 2"
+TEST_RUN_LIST="1 2 2n"

 #
 # use "sudo" (etc) to give openvpn the necessary privileges
@@ -53,14 +53,24 @@
 #
 # if something is not defined here, 

[Openvpn-devel] [PATCH applied] Re: t_client.sh: Allow to skip tests

2024-03-08 Thread Gert Doering
Thanks.  This is a welcome addition for CI tests where we test functionality
that might fail "if built with the wrong SSL library" (like, NTLM proxy) -
and I could see a few more of this ("compression variants", etc)

The test looks larger than the actual t_client.sh(.in) + doc change as
it brings an actual "can NTLM proxy work?" test program - as we discussed
the handling of mock_msg.c/mock_msg.h could be improved, but we all 
haven't been able to come up with a really nice way.

Tested ntlm_support with an mbedTLS build, works as designed...

openvpn$ tests/ntlm_support
FATAL ERROR:MD4 not supported
openvpn$ echo $?
1


(Building this on top of a tree that has already been built without this
patch leads to confused Makefiles and failures to build "ntlm_support" -
but this goes away on a fresh checkout / autoreconf, so will not normally
hit users)

Your patch has been applied to the master branch.

commit 0c7cf0694ee6f878168330e9a084c255c51a9e8b
Author: Frank Lichtenheld
Date:   Fri Mar 8 11:28:18 2024 +0100

 t_client.sh: Allow to skip tests

 Signed-off-by: Frank Lichtenheld 
 Acked-by: Gert Doering 
 Message-Id: <20240308102818.9249-1-g...@greenie.muc.de>
 URL: 
https://www.mail-archive.com/search?l=mid=20240308102818.9249-1-g...@greenie.muc.de
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering





[Openvpn-devel] [XS] Change in openvpn[master]: check_compression_settings_valid: Do not test for LZ4 in LZO check

2024-03-08 Thread cron2 (Code Review)
cron2 has uploaded a new patch set (#2) to the change originally created by 
flichtenheld. ( http://gerrit.openvpn.net/c/openvpn/+/526?usp=email )

The following approvals got outdated and were removed:
Code-Review+2 by plaisthos


Change subject: check_compression_settings_valid: Do not test for LZ4 in LZO 
check
..

check_compression_settings_valid: Do not test for LZ4 in LZO check

Probably introduced by copy & paste since there is no
COMP_ALGV2_LZO.

Github: #500
Change-Id: Id6b038c1c0095b2f22033e9dc7090e2507a373ab
Signed-off-by: Frank Lichtenheld 
Acked-by: Arne Schwabe 
Message-Id: <20240216123037.3670448-1-fr...@lichtenheld.com>
URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28251.html
Signed-off-by: Gert Doering 
---
M src/openvpn/comp.c
1 file changed, 1 insertion(+), 1 deletion(-)


  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/26/526/2

diff --git a/src/openvpn/comp.c b/src/openvpn/comp.c
index 6e30369..311f3e9 100644
--- a/src/openvpn/comp.c
+++ b/src/openvpn/comp.c
@@ -195,7 +195,7 @@
 }
 #endif
 #ifndef ENABLE_LZO
-if (info->alg == COMP_ALG_LZO || info->alg == COMP_ALG_LZ4)
+if (info->alg == COMP_ALG_LZO)
 {
 msg(msglevel, "OpenVPN is compiled without LZO support. Requested "
 "compression cannot be enabled.");

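Review bot: with COMP_ALG_LZ4 dropped from the #ifndef ENABLE_LZO condition, a build without LZO no longer rejects an LZ4 request in this branch, so LZ4 availability has to be enforced elsewhere. The context above shows only the tail of a preceding conditional block ("}" and "#endif"), not its condition; please confirm that it is the LZ4 counterpart and that it covers every LZ4 algorithm value, otherwise a build without LZ4 could accept a compression setting it cannot honour.
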
--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/526?usp=email

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Id6b038c1c0095b2f22033e9dc7090e2507a373ab
Gerrit-Change-Number: 526
Gerrit-PatchSet: 2
Gerrit-Owner: flichtenheld 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-MessageType: newpatchset


[Openvpn-devel] [M] Change in openvpn[master]: Minor fix to process_ip_header

2024-03-08 Thread cron2 (Code Review)
cron2 has uploaded a new patch set (#6) to the change originally created by 
its_Giaan. ( http://gerrit.openvpn.net/c/openvpn/+/525?usp=email )

The following approvals got outdated and were removed:
Code-Review+2 by flichtenheld, Code-Review+2 by plaisthos


Change subject: Minor fix to process_ip_header
..

Minor fix to process_ip_header

Removed if-guard checking if any feature is
enabled before performing per-feature check.
It doesn't save us much but instead introduces
unneeded complexity.

While at it, fixed a typo IMCP -> ICMP for defined
PIPV6_ICMP_NOHOST_CLIENT and PIPV6_ICMP_NOHOST_SERVER
macros.

Fixes: Trac https://community.openvpn.net/openvpn/ticket/269
Change-Id: I4b5e8357d872c920efdb64632e9bce72cebee202
Signed-off-by: Gianmarco De Gregori 
Acked-by: Arne Schwabe 
Acked-by: Frank Lichtenheld 
Message-Id: <20240307124616.16358-1-g...@greenie.muc.de>
URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28345.html
Signed-off-by: Gert Doering 
---
M src/openvpn/forward.c
M src/openvpn/forward.h
M src/openvpn/multi.c
3 files changed, 49 insertions(+), 61 deletions(-)


  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/25/525/6

diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c
index 0443ca0..556c465 100644
--- a/src/openvpn/forward.c
+++ b/src/openvpn/forward.c
@@ -1460,7 +1460,7 @@
  * us to examine the IP header (IPv4 or IPv6).
  */
 unsigned int flags = PIPV4_PASSTOS | PIP_MSSFIX | PIPV4_CLIENT_NAT
- | PIPV6_IMCP_NOHOST_CLIENT;
+ | PIPV6_ICMP_NOHOST_CLIENT;
 process_ip_header(c, flags, >c2.buf);

 #ifdef PACKET_TRUNCATION_CHECK
@@ -1644,73 +1644,60 @@
 }
 if (!c->options.block_ipv6)
 {
-flags &= ~(PIPV6_IMCP_NOHOST_CLIENT | PIPV6_IMCP_NOHOST_SERVER);
+flags &= ~(PIPV6_ICMP_NOHOST_CLIENT | PIPV6_ICMP_NOHOST_SERVER);
 }

 if (buf->len > 0)
 {
-/*
- * The --passtos and --mssfix options require
- * us to examine the IPv4 header.
- */
-
-if (flags & (PIP_MSSFIX
-#if PASSTOS_CAPABILITY
- | PIPV4_PASSTOS
-#endif
- | PIPV4_CLIENT_NAT
- ))
+struct buffer ipbuf = *buf;
+if (is_ipv4(TUNNEL_TYPE(c->c1.tuntap), ))
 {
-struct buffer ipbuf = *buf;
-if (is_ipv4(TUNNEL_TYPE(c->c1.tuntap), ))
-{
 #if PASSTOS_CAPABILITY
-/* extract TOS from IP header */
-if (flags & PIPV4_PASSTOS)
-{
-link_socket_extract_tos(c->c2.link_socket, );
-}
+/* extract TOS from IP header */
+if (flags & PIPV4_PASSTOS)
+{
+link_socket_extract_tos(c->c2.link_socket, );
+}
 #endif

-/* possibly alter the TCP MSS */
-if (flags & PIP_MSSFIX)
-{
-mss_fixup_ipv4(, c->c2.frame.mss_fix);
-}
-
-/* possibly do NAT on packet */
-if ((flags & PIPV4_CLIENT_NAT) && c->options.client_nat)
-{
-const int direction = (flags & PIP_OUTGOING) ? CN_INCOMING 
: CN_OUTGOING;
-client_nat_transform(c->options.client_nat, , 
direction);
-}
-/* possibly extract a DHCP router message */
-if (flags & PIPV4_EXTRACT_DHCP_ROUTER)
-{
-const in_addr_t dhcp_router = 
dhcp_extract_router_msg();
-if (dhcp_router)
-{
-route_list_add_vpn_gateway(c->c1.route_list, c->c2.es, 
dhcp_router);
-}
-}
-}
-else if (is_ipv6(TUNNEL_TYPE(c->c1.tuntap), ))
+/* possibly alter the TCP MSS */
+if (flags & PIP_MSSFIX)
 {
-/* possibly alter the TCP MSS */
-if (flags & PIP_MSSFIX)
-{
-mss_fixup_ipv6(, c->c2.frame.mss_fix);
-}
-if (!(flags & PIP_OUTGOING) && (flags
-&(PIPV6_IMCP_NOHOST_CLIENT | 
PIPV6_IMCP_NOHOST_SERVER)))
-{
-ipv6_send_icmp_unreachable(c, buf,
-   (bool)(flags & 
PIPV6_IMCP_NOHOST_CLIENT));
-/* Drop the IPv6 packet */
-buf->len = 0;
-}
-
+mss_fixup_ipv4(, c->c2.frame.mss_fix);
 }
+
+/* possibly do NAT on packet */
+if ((flags & PIPV4_CLIENT_NAT) && c->options.client_nat)
+{
+const int direction = (flags & PIP_OUTGOING) ? CN_INCOMING : 
CN_OUTGOING;
+
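
Review bot: removing the outer guard under if (buf->len > 0) is a behaviour change, not only a simplification, and the commit message should say so. The removed condition tested only PIP_MSSFIX, PIPV4_PASSTOS and PIPV4_CLIENT_NAT, yet the PIPV4_EXTRACT_DHCP_ROUTER check and the ipv6_send_icmp_unreachable() call sat inside it, so those paths were skipped whenever none of the three guard flags was set. With is_ipv4() now evaluated directly they no longer depend on unrelated options, assuming the IPv6 branch is re-added at the same level (the hunk is cut off here before it); a test case with the three guard flags cleared and block_ipv6 set would pin that down.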

[Openvpn-devel] [M] Change in openvpn[master]: Minor fix to process_ip_header

2024-03-08 Thread cron2 (Code Review)
cron2 has submitted this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/525?usp=email )

Change subject: Minor fix to process_ip_header
..

Minor fix to process_ip_header

Removed if-guard checking if any feature is
enabled before performing per-feature check.
It doesn't save us much but instead introduces
unneeded complexity.

While at it, fixed a typo IMCP -> ICMP for defined
PIPV6_ICMP_NOHOST_CLIENT and PIPV6_ICMP_NOHOST_SERVER
macros.

Fixes: Trac https://community.openvpn.net/openvpn/ticket/269
Change-Id: I4b5e8357d872c920efdb64632e9bce72cebee202
Signed-off-by: Gianmarco De Gregori 
Acked-by: Arne Schwabe 
Acked-by: Frank Lichtenheld 
Message-Id: <20240307124616.16358-1-g...@greenie.muc.de>
URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28345.html
Signed-off-by: Gert Doering 
---
M src/openvpn/forward.c
M src/openvpn/forward.h
M src/openvpn/multi.c
3 files changed, 49 insertions(+), 61 deletions(-)




diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c
index 0443ca0..556c465 100644
--- a/src/openvpn/forward.c
+++ b/src/openvpn/forward.c
@@ -1460,7 +1460,7 @@
  * us to examine the IP header (IPv4 or IPv6).
  */
 unsigned int flags = PIPV4_PASSTOS | PIP_MSSFIX | PIPV4_CLIENT_NAT
- | PIPV6_IMCP_NOHOST_CLIENT;
+ | PIPV6_ICMP_NOHOST_CLIENT;
 process_ip_header(c, flags, >c2.buf);
 
 #ifdef PACKET_TRUNCATION_CHECK
@@ -1644,73 +1644,60 @@
 }
 if (!c->options.block_ipv6)
 {
-flags &= ~(PIPV6_IMCP_NOHOST_CLIENT | PIPV6_IMCP_NOHOST_SERVER);
+flags &= ~(PIPV6_ICMP_NOHOST_CLIENT | PIPV6_ICMP_NOHOST_SERVER);
 }

 if (buf->len > 0)
 {
-/*
- * The --passtos and --mssfix options require
- * us to examine the IPv4 header.
- */
-
-if (flags & (PIP_MSSFIX
-#if PASSTOS_CAPABILITY
- | PIPV4_PASSTOS
-#endif
- | PIPV4_CLIENT_NAT
- ))
+struct buffer ipbuf = *buf;
+if (is_ipv4(TUNNEL_TYPE(c->c1.tuntap), ))
 {
-struct buffer ipbuf = *buf;
-if (is_ipv4(TUNNEL_TYPE(c->c1.tuntap), ))
-{
 #if PASSTOS_CAPABILITY
-/* extract TOS from IP header */
-if (flags & PIPV4_PASSTOS)
-{
-link_socket_extract_tos(c->c2.link_socket, );
-}
+/* extract TOS from IP header */
+if (flags & PIPV4_PASSTOS)
+{
+link_socket_extract_tos(c->c2.link_socket, );
+}
 #endif

-/* possibly alter the TCP MSS */
-if (flags & PIP_MSSFIX)
-{
-mss_fixup_ipv4(, c->c2.frame.mss_fix);
-}
-
-/* possibly do NAT on packet */
-if ((flags & PIPV4_CLIENT_NAT) && c->options.client_nat)
-{
-const int direction = (flags & PIP_OUTGOING) ? CN_INCOMING 
: CN_OUTGOING;
-client_nat_transform(c->options.client_nat, , 
direction);
-}
-/* possibly extract a DHCP router message */
-if (flags & PIPV4_EXTRACT_DHCP_ROUTER)
-{
-const in_addr_t dhcp_router = 
dhcp_extract_router_msg();
-if (dhcp_router)
-{
-route_list_add_vpn_gateway(c->c1.route_list, c->c2.es, 
dhcp_router);
-}
-}
-}
-else if (is_ipv6(TUNNEL_TYPE(c->c1.tuntap), ))
+/* possibly alter the TCP MSS */
+if (flags & PIP_MSSFIX)
 {
-/* possibly alter the TCP MSS */
-if (flags & PIP_MSSFIX)
-{
-mss_fixup_ipv6(, c->c2.frame.mss_fix);
-}
-if (!(flags & PIP_OUTGOING) && (flags
-&(PIPV6_IMCP_NOHOST_CLIENT | 
PIPV6_IMCP_NOHOST_SERVER)))
-{
-ipv6_send_icmp_unreachable(c, buf,
-   (bool)(flags & 
PIPV6_IMCP_NOHOST_CLIENT));
-/* Drop the IPv6 packet */
-buf->len = 0;
-}
-
+mss_fixup_ipv4(, c->c2.frame.mss_fix);
 }
+
+/* possibly do NAT on packet */
+if ((flags & PIPV4_CLIENT_NAT) && c->options.client_nat)
+{
+const int direction = (flags & PIP_OUTGOING) ? CN_INCOMING : 
CN_OUTGOING;
+client_nat_transform(c->options.client_nat, , direction);
+}
+/* possibly extract a DHCP router message */
+if (flags & PIPV4_EXTRACT_DHCP_ROUTER)
+{
+const in_addr_t dhcp_router = 
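
Review bot: the direction expression carried over into the re-indented client NAT block reads as inverted at first glance: (flags & PIP_OUTGOING) ? CN_INCOMING : CN_OUTGOING. Since these lines are being touched anyway, a short comment stating why an outgoing packet maps to CN_INCOMING would save the next reader from suspecting a bug.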

[Openvpn-devel] [XS] Change in openvpn[master]: check_compression_settings_valid: Do not test for LZ4 in LZO check

2024-03-08 Thread cron2 (Code Review)
cron2 has submitted this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/526?usp=email )

Change subject: check_compression_settings_valid: Do not test for LZ4 in LZO 
check
..

check_compression_settings_valid: Do not test for LZ4 in LZO check

Probably introduced by copy & paste since there is no
COMP_ALGV2_LZO.

Github: #500
Change-Id: Id6b038c1c0095b2f22033e9dc7090e2507a373ab
Signed-off-by: Frank Lichtenheld 
Acked-by: Arne Schwabe 
Message-Id: <20240216123037.3670448-1-fr...@lichtenheld.com>
URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28251.html
Signed-off-by: Gert Doering 
---
M src/openvpn/comp.c
1 file changed, 1 insertion(+), 1 deletion(-)




diff --git a/src/openvpn/comp.c b/src/openvpn/comp.c
index 6e30369..311f3e9 100644
--- a/src/openvpn/comp.c
+++ b/src/openvpn/comp.c
@@ -195,7 +195,7 @@
 }
 #endif
 #ifndef ENABLE_LZO
-if (info->alg == COMP_ALG_LZO || info->alg == COMP_ALG_LZ4)
+if (info->alg == COMP_ALG_LZO)
 {
 msg(msglevel, "OpenVPN is compiled without LZO support. Requested "
 "compression cannot be enabled.");

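Review bot: the commit message explains how the COMP_ALG_LZ4 test ended up in the LZO condition but not what users saw because of it. From the removed line, a build without LZO answered an LZ4 request with the "compiled without LZO support" message; stating that effect in the commit message, and adding a test for an LZ4 setting on a build without LZO, would document the fix and guard against the condition being pasted back.
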
--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/526?usp=email

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Id6b038c1c0095b2f22033e9dc7090e2507a373ab
Gerrit-Change-Number: 526
Gerrit-PatchSet: 2
Gerrit-Owner: flichtenheld 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-MessageType: merged


[Openvpn-devel] [PATCH applied] Re: Minor fix to process_ip_header

2024-03-08 Thread Gert Doering
Verified ("git show -w") that this is indeed just removing one level of 
indentation + ICMP spelling fixes (good catch).

Given the sequence of checks, this ordering is indeed a bit more costly
for the "no PIP bits are set" (as is_ipv4() has to do more checking than
"are we interested in this at all?") - but since we basically always
default to having MSSFIX active, this is a bit moot.

For good measure, subjected to GHA and server side test run.

Your patch has been applied to the master branch.

commit 6456d861f3f1006ccee0a7f94a159f4afe1d3178
Author: Gianmarco De Gregori
Date:   Thu Mar 7 13:46:16 2024 +0100

 Minor fix to process_ip_header

 Signed-off-by: Gianmarco De Gregori 
 Acked-by: Arne Schwabe 
 Acked-by: Frank Lichtenheld 
 Message-Id: <20240307124616.16358-1-g...@greenie.muc.de>
 URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28345.html
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering





[Openvpn-devel] [PATCH applied] Re: check_compression_settings_valid: Do not test for LZ4 in LZO check

2024-03-08 Thread Gert Doering
"Makes sense" :-)

Your patch has been applied to the master and release/2.6 branch (bugfix).

commit 4076d24f2f4adc432753aa62bd8158e3bf89ee21 (master)
commit 7a810e64e54eda264c9cf184f442a3bae8df66af (release/2.6)
Author: Frank Lichtenheld
Date:   Fri Feb 16 13:30:37 2024 +0100

 check_compression_settings_valid: Do not test for LZ4 in LZO check

 Signed-off-by: Frank Lichtenheld 
 Acked-by: Arne Schwabe 
 Message-Id: <20240216123037.3670448-1-fr...@lichtenheld.com>
 URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28251.html
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering





[Openvpn-devel] [PATCH v5] t_client.sh: Allow to skip tests

2024-03-08 Thread Gert Doering
From: Frank Lichtenheld 

Individual tests can define a script to run to test
whether they should be skipped.

Included in this commit is an example check which
checks whether we can do NTLM checks. This fails
e.g. on recent versions of Fedora with mbedTLS
(tested with Fedora 39) or when NTLM support is not
compiled in.

v2:
 - ntlm_support:
   - support OpenSSL 3
   - allow to build without cmocka
v3:
 - add example to t_client.rc-sample
 - t_client.sh code style
 - use syshead.h in error.h
v5:
 - rename SKIP_x to CHECK_SKIP_x

Change-Id: I13ea6752c8d102eabcc579e391828c05d5322899
Signed-off-by: Frank Lichtenheld 
Acked-by: Gert Doering 
---

This change was reviewed on Gerrit and approved by at least one
developer. I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/521
This mail reflects revision 5 of this Change.
Acked-by according to Gerrit (reflected above):
Gert Doering 


diff --git a/src/openvpn/error.h b/src/openvpn/error.h
index 1225b13..be3484d 100644
--- a/src/openvpn/error.h
+++ b/src/openvpn/error.h
@@ -25,16 +25,10 @@
 #define ERROR_H
 
 #include "basic.h"
-
-#include 
-#include 
+#include "syshead.h"
 
 #include 
 
-#if _WIN32
-#include 
-#endif
-
 /* #define ABORT_ON_ERROR */
 
 #if defined(ENABLE_PKCS11) || defined(ENABLE_MANAGEMENT)
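
Review bot: replacing the individual system includes and the _WIN32 block with #include "syshead.h" makes every file that includes error.h depend on the whole of syshead.h, and the changelog entry ("use syshead.h in error.h") gives no reason. Please say in the commit message what required it (presumably building ntlm_support.c outside the main binary) and confirm that all existing includers of error.h still compile when error.h is the first project header they pull in.
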
diff --git a/tests/Makefile.am b/tests/Makefile.am
index b3b2d74..13a1013 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -19,6 +19,8 @@
 
 if !WIN32
 test_scripts = t_client.sh t_lpback.sh t_cltsrv.sh
+
+check_PROGRAMS = ntlm_support
 if HAVE_SITNL
 test_scripts += t_net.sh
 endif
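
Review bot: check_PROGRAMS is assigned with "=" inside the if !WIN32 block, which replaces any check_PROGRAMS value set elsewhere in this Makefile.am, now or later; an empty initial assignment followed by "+=" is safer. A comment here saying that ntlm_support is a probe for the t_client.sh skip check, not a test in its own right, would also help.
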
@@ -36,3 +38,15 @@
 
 dist_noinst_DATA = \
t_client.rc-sample
+
+ntlm_support_CFLAGS  = -I$(top_srcdir)/src/openvpn -I$(top_srcdir)/src/compat 
-I$(top_srcdir)/tests/unit_tests/openvpn -DNO_CMOCKA @TEST_CFLAGS@
+ntlm_support_LDFLAGS = @TEST_LDFLAGS@ -L$(top_srcdir)/src/openvpn 
$(OPTIONAL_CRYPTO_LIBS)
+ntlm_support_SOURCES = ntlm_support.c \
+   unit_tests/openvpn/mock_msg.c unit_tests/openvpn/mock_msg.h \
+   $(top_srcdir)/src/openvpn/buffer.c \
+   $(top_srcdir)/src/openvpn/crypto.c \
+   $(top_srcdir)/src/openvpn/crypto_openssl.c \
+   $(top_srcdir)/src/openvpn/crypto_mbedtls.c \
+   $(top_srcdir)/src/openvpn/otime.c \
+   $(top_srcdir)/src/openvpn/packet_id.c \
+   $(top_srcdir)/src/openvpn/platform.c
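
Review bot: ntlm_support_LDFLAGS carries $(OPTIONAL_CRYPTO_LIBS), but libraries belong in ntlm_support_LDADD; automake places LDFLAGS ahead of the object files on the link line, which can leave the crypto symbols unresolved with static libraries or --as-needed. The -L$(top_srcdir)/src/openvpn entry also points at the source tree, where an out-of-tree build has no libraries, so it should use $(top_builddir) or be dropped.
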
diff --git a/tests/ntlm_support.c b/tests/ntlm_support.c
new file mode 100644
index 000..2d7da86
--- /dev/null
+++ b/tests/ntlm_support.c
@@ -0,0 +1,52 @@
+/*
+ *  OpenVPN -- An application to securely tunnel IP networks
+ * over a single UDP port, with support for SSL/TLS-based
+ * session authentication and key exchange,
+ * packet encryption, packet authentication, and
+ * packet compression.
+ *
+ * Copyright (C) 2023 OpenVPN Inc 
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License version 2
+ *  as published by the Free Software Foundation.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include "syshead.h"
+
+#include "crypto.h"
+#include "error.h"
+
+int
+main(void)
+{
+#if defined(ENABLE_CRYPTO_OPENSSL)
+crypto_load_provider("legacy");
+crypto_load_provider("default");
+#endif
+#ifdef NTLM
+if (!md_valid("MD4"))
+{
+msg(M_FATAL, "MD4 not supported");
+}
+if (!md_valid("MD5"))
+{
+msg(M_FATAL, "MD5 not supported");
+}
+#else  /* ifdef NTLM */
+msg(M_FATAL, "NTLM support not compiled in");
+#endif
+}
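
Review bot: main() has neither a comment describing its exit-status contract nor an explicit return, although the skip check depends on exactly that status. A short comment above main() stating that exit code 0 means MD4 and MD5 are both usable and that every failure path ends in msg(M_FATAL, ...), plus a final return 0;, would make the probe self-explanatory.
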
diff --git a/tests/t_client.rc-sample b/tests/t_client.rc-sample
index 355e8bb..d61ecc4 100644
--- a/tests/t_client.rc-sample
+++ b/tests/t_client.rc-sample
@@ -27,7 +27,7 @@
 #
 # tests to run (list suffixes for config stanzas below)
 #
-TEST_RUN_LIST="1 2"
+TEST_RUN_LIST="1 2 2n"
 
 #
 # use "sudo" (etc) to give openvpn the necessary privileges
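
Review bot: adding 2n to the sample TEST_RUN_LIST makes the NTLM stanza part of the default run for anyone who copies this file, but the comment above the list does not say that 2n is expected to be skipped where the NTLM check fails. One extra comment line pointing to the CHECK_SKIP_x mechanism would avoid confusion when the test is reported as skipped.
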
@@ -53,14 +53,24 @@
 #
 # if something is not defined here, the corresponding test is not run
 #
-# possible test options:
+# common test options:
 #
-# RUN_TITLE_x="what is being tested on here" (purely informational)
-# OPENVPN_CONF_x = "how to call ./openvpn" [mandatory]
+# RUN_TITLE_x= "what is being tested on here" (purely informational)
+# OPENVPN_CONF_x = "how to call ./openvpn" [mandatory]
 # EXPECT_IFCONFIG4_x = "this IPv4 address needs to show up in ifconfig"
 # EXPECT_IFCONFIG6_x = "this IPv6 address needs to show up in ifconfig"
-# PING4_HOSTS_x = 

[Openvpn-devel] [M] Change in openvpn[master]: t_client.sh: Allow to skip tests

2024-03-08 Thread cron2 (Code Review)
Attention is currently required from: flichtenheld, ordex, plaisthos.

cron2 has posted comments on this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/521?usp=email )

Change subject: t_client.sh: Allow to skip tests
..


Patch Set 5: Code-Review+2

(1 comment)

Patchset:

PS5:
thanks.  t_client looks good, ntlm test we agreed on taking as it is and maybe 
someone will come up with good ideas how to improve later on.



--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/521?usp=email

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I13ea6752c8d102eabcc579e391828c05d5322899
Gerrit-Change-Number: 521
Gerrit-PatchSet: 5
Gerrit-Owner: flichtenheld 
Gerrit-Reviewer: cron2 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-CC: ordex 
Gerrit-Attention: plaisthos 
Gerrit-Attention: flichtenheld 
Gerrit-Attention: ordex 
Gerrit-Comment-Date: Fri, 08 Mar 2024 10:27:55 +
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment