[Openvpn-devel] [PATCH applied] Re: Update documentation references in systemd unit files
Your patch has been applied to the master and release/2.6 branch.

commit f65c656ac034a99cca09557eeb9337e7c00a7e73 (master)
commit c6a61b84fdec825b0b4855d8cd12afa9ebeec43e (release/2.6)
Author: Christoph Schug
Date: Fri Mar 8 15:03:46 2024 +0100

Update documentation references in systemd unit files

Signed-off-by: Christoph Schug
Acked-by: Frank Lichtenheld
Message-Id: <20240308140346.4058419-1-fr...@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28369.html
Signed-off-by: Gert Doering

--
kind regards,

Gert Doering

___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: remove repetitive words in documentation and comments
Thanks, well spotted. Having a proper "From:" in the patch would make proper attribution easier, but we'll have to go with what we have.

Your patch has been applied to the master and release/2.6 branch (doc).

commit ad39f99f27522e622f408cc1a3323ba7d80907e8 (master)
commit f6c894bd7db0fdfcb32f6ff9571569c5bff392c6 (release/2.6)
Author: wellweek
Date: Fri Mar 8 15:01:12 2024 +0100

remove repetitive words in documentation and comments

Signed-off-by: wellweek
Acked-by: Frank Lichtenheld
Message-Id: <20240308140112.4015131-1-fr...@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28368.html
Signed-off-by: Gert Doering

--
kind regards,

Gert Doering
[Openvpn-devel] [PATCH] Update documentation references in systemd unit files
From: Christoph Schug The systemd unit files for both client and server were referencing outdated documentation as they were hard-coded to the OpenVPN 2.4.x release branch. Change-Id: Iee289aa5df9ee0e9a03c0dc562e45dd39836e794 Signed-off-by: Christoph Schug Acked-by: Frank Lichtenheld --- distro/systemd/Makefile.am| 5 - distro/systemd/openvpn-cli...@.service.in | 2 +- distro/systemd/openvpn-ser...@.service.in | 2 +- 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/distro/systemd/Makefile.am b/distro/systemd/Makefile.am index 7e8f4753..d1c903f2 100644 --- a/distro/systemd/Makefile.am +++ b/distro/systemd/Makefile.am @@ -9,7 +9,10 @@ # %.service: %.service.in Makefile - $(AM_V_GEN)sed -e 's|\@sbindir\@|$(sbindir)|' \ + $(AM_V_GEN)sed \ + -e 's|\@OPENVPN_VERSION_MAJOR\@|$(OPENVPN_VERSION_MAJOR)|g' \ + -e 's|\@OPENVPN_VERSION_MINOR\@|$(OPENVPN_VERSION_MINOR)|g' \ + -e 's|\@sbindir\@|$(sbindir)|g' \ $< > $@.tmp && mv $@.tmp $@ EXTRA_DIST = \ diff --git a/distro/systemd/openvpn-cli...@.service.in b/distro/systemd/openvpn-cli...@.service.in index 159fb4dc..15c82fad 100644 --- a/distro/systemd/openvpn-cli...@.service.in +++ b/distro/systemd/openvpn-cli...@.service.in @@ -3,7 +3,7 @@ Description=OpenVPN tunnel for %I After=syslog.target network-online.target Wants=network-online.target Documentation=man:openvpn(8) -Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage +Documentation=https://openvpn.net/community-resources/reference-manual-for-openvpn-@OPENVPN_VERSION_MAJOR@-@OPENVPN_VERSION_MINOR@/ Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO [Service] diff --git a/distro/systemd/openvpn-ser...@.service.in b/distro/systemd/openvpn-ser...@.service.in index 6e8e7d94..b26d976b 100644 --- a/distro/systemd/openvpn-ser...@.service.in +++ b/distro/systemd/openvpn-ser...@.service.in 
@@ -3,7 +3,7 @@ Description=OpenVPN service for %I After=syslog.target network-online.target Wants=network-online.target Documentation=man:openvpn(8) -Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage +Documentation=https://openvpn.net/community-resources/reference-manual-for-openvpn-@OPENVPN_VERSION_MAJOR@-@OPENVPN_VERSION_MINOR@/ Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO [Service] -- 2.34.1 ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
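Review bot: In the distro/systemd/Makefile.am hunk, the two new sed expressions expand $(OPENVPN_VERSION_MAJOR) and $(OPENVPN_VERSION_MINOR), but nothing visible in this patch shows those being exported to make. If either expands to an empty string, sed still succeeds and the unit files are generated with Documentation=https://openvpn.net/community-resources/reference-manual-for-openvpn--/. Suggest making the rule fail when either variable is empty, or naming in the commit message where the two variables are substituted. The added "g" flag on the existing sbindir expression is also not mentioned in the commit message.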
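Review bot: In both .service.in hunks, the new Documentation= URL is derived from the version being built, so a build of a version whose reference manual page has not been published yet will point at a page that does not exist. The man:openvpn(8) entry on the line above remains a working fallback, but the commit message should state that a matching openvpn.net page has to exist for every new major.minor release.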
[Openvpn-devel] [PATCH] remove repetitive words in documentation and comments
From: wellweek Change-Id: I4f349963b41ebe155d3866da8955f2d7245d0394 Signed-off-by: wellweek Acked-by: Frank Lichtenheld --- Changes.rst | 2 +- contrib/OCSP_check/OCSP_check.sh | 2 +- doc/man-sections/cipher-negotiation.rst | 2 +- doc/man-sections/vpn-network-options.rst | 4 ++-- sample/sample-config-files/server.conf | 2 +- src/openvpn/fragment.h | 2 +- src/openvpn/misc.c | 2 +- src/openvpnserv/interactive.c| 2 +- 8 files changed, 9 insertions(+), 9 deletions(-) diff --git a/Changes.rst b/Changes.rst index 4cded980..54e59809 100644 --- a/Changes.rst +++ b/Changes.rst @@ -794,7 +794,7 @@ Control channel encryption (``--tls-crypt``) Asynchronous push reply Plug-ins providing support for deferred authentication can benefit from a more responsive authentication where the server sends PUSH_REPLY immediately once -the authentication result is ready, instead of waiting for the the client to +the authentication result is ready, instead of waiting for the client to to send PUSH_REQUEST once more. This requires OpenVPN to be built with ``./configure --enable-async-push``. This is a compile-time only switch. diff --git a/contrib/OCSP_check/OCSP_check.sh b/contrib/OCSP_check/OCSP_check.sh index 26757889..e4fec834 100644 --- a/contrib/OCSP_check/OCSP_check.sh +++ b/contrib/OCSP_check/OCSP_check.sh @@ -89,7 +89,7 @@ if [ $check_depth -eq -1 ] || [ $cur_depth -eq $check_depth ]; then # # NOTE: It is needed to check the exit code of OpenSSL explicitly. OpenSSL # can in some circumstances give a "good" result if it could not -# reach the the OSCP server. In this case, the exit code will indicate +# reach the OSCP server. In this case, the exit code will indicate # if OpenSSL itself failed or not. If OpenSSL's exit code is not 0, # don't trust the OpenSSL status. diff --git a/doc/man-sections/cipher-negotiation.rst b/doc/man-sections/cipher-negotiation.rst index 888ffa6f..949ff862 100644 --- a/doc/man-sections/cipher-negotiation.rst +++ b/doc/man-sections/cipher-negotiation.rst 
@@ -8,7 +8,7 @@ different backwards compatibility mechanism with older server and clients. OpenVPN 2.5 and later behaviour When both client and server are at least running OpenVPN 2.5, that the order of -the ciphers of the server's ``--data-ciphers`` is used to pick the the data cipher. +the ciphers of the server's ``--data-ciphers`` is used to pick the data cipher. That means that the first cipher in that list that is also in the client's ``--data-ciphers`` list is chosen. If no common cipher is found the client is rejected with a AUTH_FAILED message (as seen in client log): diff --git a/doc/man-sections/vpn-network-options.rst b/doc/man-sections/vpn-network-options.rst index 41d367bf..abe474f7 100644 --- a/doc/man-sections/vpn-network-options.rst +++ b/doc/man-sections/vpn-network-options.rst @@ -235,7 +235,7 @@ routing. address and subnet mask just as a physical ethernet adapter would be similarly configured. If you are attempting to connect to a remote ethernet bridge, the IP address and subnet should be set to values which - would be valid on the the bridged ethernet segment (note also that DHCP + would be valid on the bridged ethernet segment (note also that DHCP can be used for the same purpose). This option, while primarily a proxy for the ``ifconfig``\(8) command, @@ -584,7 +584,7 @@ These two standalone operations will require ``--dev`` and optionally One of the advantages of persistent tunnels is that they eliminate the need for separate ``--up`` and ``--down`` scripts to run the appropriate ``ifconfig``\(8) and ``route``\(8) commands. These commands can be - placed in the the same shell script which starts or terminates an + placed in the same shell script which starts or terminates an OpenVPN session. Another advantage is that open connections through the TUN/TAP-based diff --git a/sample/sample-config-files/server.conf b/sample/sample-config-files/server.conf index 009fe56c..97732c62 100644 --- a/sample/sample-config-files/server.conf 
+++ b/sample/sample-config-files/server.conf @@ -42,7 +42,7 @@ proto udp # and bridged it with your ethernet interface. # If you want to control access policies # over the VPN, you must create firewall -# rules for the the TUN/TAP interface. +# rules for the TUN/TAP interface. # On non-Windows systems, you can give # an explicit unit number, such as tun0. # On Windows, use "dev-node" for this. diff --git a/src/openvpn/fragment.h b/src/openvpn/fragment.h index cc6829aa..2d13dbb7 100644 --- a/src/openvpn/fragment.h +++ b/src/openvpn/fragment.h @@ -314,7 +314,7 @@ void fragment_free(struct fragment_master *f); *reassembly buffer. If the incoming part completes the packet being *reassembled, the \a
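Review bot: In the Changes.rst hunk, the corrected line now ends with "for the client to" and the unchanged context line after it starts with "to send PUSH_REQUEST", so the sentence still reads "the client to to send". The duplicated "to" across the line break should be removed in the same patch.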
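Review bot: In the contrib/OCSP_check/OCSP_check.sh hunk, the touched comment line still says "OSCP server". Since the line is being edited anyway, correct it to "OCSP server" so it matches the script name and the rest of the comment block.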
[Openvpn-devel] [S] Change in openvpn[master]: gerrit-send-mail: add missing Signed-off-by
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/530?usp=email ) Change subject: gerrit-send-mail: add missing Signed-off-by .. gerrit-send-mail: add missing Signed-off-by Our development documentation says we add this automatically when it is missing. So let's do that here as well. Change-Id: If9cb7d66f079fe1c87fcb5b4e59bc887533d77fa Signed-off-by: Frank Lichtenheld Acked-by: Gert Doering Message-Id: <20240308120557.9065-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28362.html Signed-off-by: Gert Doering --- M dev-tools/gerrit-send-mail.py 1 file changed, 13 insertions(+), 0 deletions(-) diff --git a/dev-tools/gerrit-send-mail.py b/dev-tools/gerrit-send-mail.py index 67a2cf1..10305e2 100755 --- a/dev-tools/gerrit-send-mail.py +++ b/dev-tools/gerrit-send-mail.py @@ -50,6 +50,12 @@ ack = f"{reviewer_name} <{reviewer_mail}>" print(f"Acked-by: {ack}") acked_by.append(ack) +# construct Signed-off-by in case it is missing +owner = json_data["owner"] +owner_name = owner.get("display_name", owner["name"]) +owner_mail = owner.get("email", owner["name"]) +sign_off = f"{owner_name} <{owner_mail}>" +print(f"Signed-off-by: {sign_off}") change_id = json_data["change_id"] # assumes that the created date in Gerrit is in UTC utc_stamp = ( @@ -67,6 +73,7 @@ "target": json_data["branch"], "msg_id": msg_id, "acked_by": acked_by, +"sign_off": sign_off, } 
@@ -81,10 +88,14 @@ def apply_patch_mods(patch_text, details, args): comment_start = patch_text.index("\n---\n") + len("\n---\n") +signed_off_text = "" +signed_off_comment = "" try: signed_off_start = patch_text.rindex("\nSigned-off-by: ") signed_off_end = patch_text.index("\n", signed_off_start + 1) + 1 except ValueError: # Signed-off missing +signed_off_text = f"Signed-off-by: {details['sign_off']}\n" +signed_off_comment = "\nSigned-off-by line for the author was added as per our policy.\n" signed_off_end = patch_text.index("\n---\n") + 1 assert comment_start > signed_off_end acked_by_text = "" @@ -94,6 +105,7 @@ acked_by_names += f"{ack}\n" patch_text_mod = ( patch_text[:signed_off_end] ++ signed_off_text + acked_by_text + patch_text[signed_off_end:comment_start] + f""" @@ -102,6 +114,7 @@ Gerrit URL: {args.url}/c/{details["project"]}/+/{args.changeid} This mail reflects revision {details["revision"]} of this Change. +{signed_off_comment} Acked-by according to Gerrit (reflected above): {acked_by_names} """ -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/530?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: If9cb7d66f079fe1c87fcb5b4e59bc887533d77fa Gerrit-Change-Number: 530 Gerrit-PatchSet: 2 Gerrit-Owner: flichtenheld Gerrit-Reviewer: cron2 Gerrit-Reviewer: plaisthos Gerrit-CC: openvpn-devel Gerrit-MessageType: merged ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
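Review bot: In the apply_patch_mods hunk, the except ValueError branch inserts a Signed-off-by built from json_data["owner"], while the comment text added to the mail says the line "for the author" was added. The Gerrit change owner is the account that uploaded the change and need not be the author recorded in the patch, so for a change uploaded on someone else's behalf this records a sign-off for the wrong person. Suggest comparing the owner against the author in the patch and refusing to add the trailer when they differ, or at least wording the comment as "change owner".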
[Openvpn-devel] [PATCH applied] Re: gerrit-send-mail: add missing Signed-off-by
Your patch has been applied to the master branch.

commit bea088cf8ae3382aeed420da2a39f2a9f52df4cd
Author: Frank Lichtenheld
Date: Fri Mar 8 13:05:57 2024 +0100

gerrit-send-mail: add missing Signed-off-by

Signed-off-by: Frank Lichtenheld
Acked-by: Gert Doering
Message-Id: <20240308120557.9065-1-g...@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28362.html
Signed-off-by: Gert Doering

--
kind regards,

Gert Doering
[Openvpn-devel] [S] Change in openvpn[master]: gerrit-send-mail: add missing Signed-off-by
cron2 has uploaded a new patch set (#2) to the change originally created by flichtenheld. ( http://gerrit.openvpn.net/c/openvpn/+/530?usp=email ) The following approvals got outdated and were removed: Code-Review+2 by cron2 Change subject: gerrit-send-mail: add missing Signed-off-by .. gerrit-send-mail: add missing Signed-off-by Our development documentation says we add this automatically when it is missing. So let's do that here as well. Change-Id: If9cb7d66f079fe1c87fcb5b4e59bc887533d77fa Signed-off-by: Frank Lichtenheld Acked-by: Gert Doering Message-Id: <20240308120557.9065-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28362.html Signed-off-by: Gert Doering --- M dev-tools/gerrit-send-mail.py 1 file changed, 13 insertions(+), 0 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/30/530/2 diff --git a/dev-tools/gerrit-send-mail.py b/dev-tools/gerrit-send-mail.py index 67a2cf1..10305e2 100755 --- a/dev-tools/gerrit-send-mail.py +++ b/dev-tools/gerrit-send-mail.py @@ -50,6 +50,12 @@ ack = f"{reviewer_name} <{reviewer_mail}>" print(f"Acked-by: {ack}") acked_by.append(ack) +# construct Signed-off-by in case it is missing +owner = json_data["owner"] +owner_name = owner.get("display_name", owner["name"]) +owner_mail = owner.get("email", owner["name"]) +sign_off = f"{owner_name} <{owner_mail}>" +print(f"Signed-off-by: {sign_off}") change_id = json_data["change_id"] # assumes that the created date in Gerrit is in UTC utc_stamp = ( @@ -67,6 +73,7 @@ "target": json_data["branch"], "msg_id": msg_id, "acked_by": acked_by, +"sign_off": sign_off, } 
@@ -81,10 +88,14 @@ def apply_patch_mods(patch_text, details, args): comment_start = patch_text.index("\n---\n") + len("\n---\n") +signed_off_text = "" +signed_off_comment = "" try: signed_off_start = patch_text.rindex("\nSigned-off-by: ") signed_off_end = patch_text.index("\n", signed_off_start + 1) + 1 except ValueError: # Signed-off missing +signed_off_text = f"Signed-off-by: {details['sign_off']}\n" +signed_off_comment = "\nSigned-off-by line for the author was added as per our policy.\n" signed_off_end = patch_text.index("\n---\n") + 1 assert comment_start > signed_off_end acked_by_text = "" @@ -94,6 +105,7 @@ acked_by_names += f"{ack}\n" patch_text_mod = ( patch_text[:signed_off_end] ++ signed_off_text + acked_by_text + patch_text[signed_off_end:comment_start] + f""" @@ -102,6 +114,7 @@ Gerrit URL: {args.url}/c/{details["project"]}/+/{args.changeid} This mail reflects revision {details["revision"]} of this Change. +{signed_off_comment} Acked-by according to Gerrit (reflected above): {acked_by_names} """ -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/530?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: If9cb7d66f079fe1c87fcb5b4e59bc887533d77fa Gerrit-Change-Number: 530 Gerrit-PatchSet: 2 Gerrit-Owner: flichtenheld Gerrit-Reviewer: cron2 Gerrit-Reviewer: plaisthos Gerrit-CC: openvpn-devel Gerrit-MessageType: newpatchset ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
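Review bot: In the first hunk, owner_mail = owner.get("email", owner["name"]) falls back to the account name when Gerrit returns no email, which produces a trailer of the form "Name <name>" with no usable address. The default argument owner["name"] is also evaluated eagerly on both lines, so a missing "name" key raises KeyError even when "display_name" and "email" are present. Suggest owner.get("name") for the defaults and skipping the automatic sign-off with a warning when no email is available.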
Re: [Openvpn-devel] [PATCH OpenVPN3] Add 'pull' to ignored options
On Fri, Mar 08, 2024 at 10:47:27AM +0100, Merten Fermont wrote:
> Hi Frank,
>
> Arne has indeed applied a fix based on this patch.
>
> However, it looks like the case from this issue is not completely solved:
> https://github.com/OpenVPN/openvpn3/issues/277
> If you have options "client" and "pull" but no "tls-client" in the config,
> the "pull" option will not be touched.

True, due to short-circuit logic. I will prepare a fix.

Regards,
--
Frank Lichtenheld
[Openvpn-devel] [S] Change in openvpn[master]: gerrit-send-mail: add missing Signed-off-by
Attention is currently required from: flichtenheld, plaisthos.

cron2 has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/530?usp=email )

Change subject: gerrit-send-mail: add missing Signed-off-by
..

Patch Set 1: Code-Review+2

(1 comment)

Patchset:

PS1:
looks reasonable. Given that it's a language I refuse to understand I can't say for sure, but good enough still.

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/530?usp=email
To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: If9cb7d66f079fe1c87fcb5b4e59bc887533d77fa
Gerrit-Change-Number: 530
Gerrit-PatchSet: 1
Gerrit-Owner: flichtenheld
Gerrit-Reviewer: cron2
Gerrit-Reviewer: plaisthos
Gerrit-CC: openvpn-devel
Gerrit-Attention: plaisthos
Gerrit-Attention: flichtenheld
Gerrit-Comment-Date: Fri, 08 Mar 2024 12:05:36 +
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment
[Openvpn-devel] [PATCH v1] gerrit-send-mail: add missing Signed-off-by
From: Frank Lichtenheld Our development documentation says we add this automatically when it is missing. So let's do that here as well. Change-Id: If9cb7d66f079fe1c87fcb5b4e59bc887533d77fa Signed-off-by: Frank Lichtenheld Acked-by: Gert Doering --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/530 This mail reflects revision 1 of this Change. Acked-by according to Gerrit (reflected above): Gert Doering diff --git a/dev-tools/gerrit-send-mail.py b/dev-tools/gerrit-send-mail.py index 67a2cf1..10305e2 100755 --- a/dev-tools/gerrit-send-mail.py +++ b/dev-tools/gerrit-send-mail.py @@ -50,6 +50,12 @@ ack = f"{reviewer_name} <{reviewer_mail}>" print(f"Acked-by: {ack}") acked_by.append(ack) +# construct Signed-off-by in case it is missing +owner = json_data["owner"] +owner_name = owner.get("display_name", owner["name"]) +owner_mail = owner.get("email", owner["name"]) +sign_off = f"{owner_name} <{owner_mail}>" +print(f"Signed-off-by: {sign_off}") change_id = json_data["change_id"] # assumes that the created date in Gerrit is in UTC utc_stamp = ( @@ -67,6 +73,7 @@ "target": json_data["branch"], "msg_id": msg_id, "acked_by": acked_by, +"sign_off": sign_off, } @@ -81,10 +88,14 @@ def apply_patch_mods(patch_text, details, args): comment_start = patch_text.index("\n---\n") + len("\n---\n") +signed_off_text = "" +signed_off_comment = "" try: signed_off_start = patch_text.rindex("\nSigned-off-by: ") signed_off_end = patch_text.index("\n", signed_off_start + 1) + 1 except ValueError: # Signed-off missing +signed_off_text = f"Signed-off-by: {details['sign_off']}\n" +signed_off_comment = "\nSigned-off-by line for the author was added as per our policy.\n" signed_off_end = patch_text.index("\n---\n") + 1 assert comment_start > signed_off_end acked_by_text = "" 
@@ -94,6 +105,7 @@ acked_by_names += f"{ack}\n" patch_text_mod = ( patch_text[:signed_off_end] ++ signed_off_text + acked_by_text + patch_text[signed_off_end:comment_start] + f""" @@ -102,6 +114,7 @@ Gerrit URL: {args.url}/c/{details["project"]}/+/{args.changeid} This mail reflects revision {details["revision"]} of this Change. +{signed_off_comment} Acked-by according to Gerrit (reflected above): {acked_by_names} """ ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
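Review bot: In the first hunk, print(f"Signed-off-by: {sign_off}") runs for every change, although apply_patch_mods only inserts the trailer in its except ValueError branch, when the patch carries no Signed-off-by of its own. The console output therefore suggests a sign-off was added when it was not. Suggest printing it from the branch that actually adds the line, or rewording the output to say it is only used if the trailer is missing.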
[Openvpn-devel] [M] Change in openvpn[master]: t_client.sh: Allow to skip tests
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/521?usp=email ) Change subject: t_client.sh: Allow to skip tests .. t_client.sh: Allow to skip tests Individual tests can define a script to run to test whether they should be skipped. Included in this commit is an example check which checks whether we can do NTLM checks. This fails e.g. on recent versions of Fedora with mbedTLS (tested with Fedora 39) or when NTLM support is not compiled in. v2: - ntlm_support: - support OpenSSL 3 - allow to build without cmocka v3: - add example to t_client.rc-sample - t_client.sh code style - use syshead.h in error.h v5: - rename SKIP_x to CHECK_SKIP_x Change-Id: I13ea6752c8d102eabcc579e391828c05d5322899 Signed-off-by: Frank Lichtenheld Acked-by: Gert Doering Message-Id: <20240308102818.9249-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/search?l=mid=20240308102818.9249-1-g...@greenie.muc.de Signed-off-by: Gert Doering --- M src/openvpn/error.h M tests/Makefile.am A tests/ntlm_support.c M tests/t_client.rc-sample M tests/t_client.sh.in M tests/unit_tests/openvpn/mock_msg.c 6 files changed, 119 insertions(+), 15 deletions(-) diff --git a/src/openvpn/error.h b/src/openvpn/error.h index 1225b13..be3484d 100644 --- a/src/openvpn/error.h +++ b/src/openvpn/error.h @@ -25,16 +25,10 @@ #define ERROR_H #include "basic.h" - -#include -#include +#include "syshead.h" #include -#if _WIN32 -#include -#endif - /* #define ABORT_ON_ERROR */ #if defined(ENABLE_PKCS11) || defined(ENABLE_MANAGEMENT) diff --git a/tests/Makefile.am b/tests/Makefile.am index 6c71067..6bc02b4 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -18,6 +18,8 @@ if !WIN32 test_scripts = t_client.sh t_lpback.sh t_cltsrv.sh + +check_PROGRAMS = ntlm_support if HAVE_SITNL test_scripts += t_net.sh endif 
@@ -35,3 +37,15 @@ dist_noinst_DATA = \ t_client.rc-sample + +ntlm_support_CFLAGS = -I$(top_srcdir)/src/openvpn -I$(top_srcdir)/src/compat -I$(top_srcdir)/tests/unit_tests/openvpn -DNO_CMOCKA @TEST_CFLAGS@ +ntlm_support_LDFLAGS = @TEST_LDFLAGS@ -L$(top_srcdir)/src/openvpn $(OPTIONAL_CRYPTO_LIBS) +ntlm_support_SOURCES = ntlm_support.c \ + unit_tests/openvpn/mock_msg.c unit_tests/openvpn/mock_msg.h \ + $(top_srcdir)/src/openvpn/buffer.c \ + $(top_srcdir)/src/openvpn/crypto.c \ + $(top_srcdir)/src/openvpn/crypto_openssl.c \ + $(top_srcdir)/src/openvpn/crypto_mbedtls.c \ + $(top_srcdir)/src/openvpn/otime.c \ + $(top_srcdir)/src/openvpn/packet_id.c \ + $(top_srcdir)/src/openvpn/platform.c diff --git a/tests/ntlm_support.c b/tests/ntlm_support.c new file mode 100644 index 000..2d7da86 --- /dev/null +++ b/tests/ntlm_support.c 
@@ -0,0 +1,52 @@ +/* + * OpenVPN -- An application to securely tunnel IP networks + * over a single UDP port, with support for SSL/TLS-based + * session authentication and key exchange, + * packet encryption, packet authentication, and + * packet compression. + * + * Copyright (C) 2023 OpenVPN Inc + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "syshead.h" + +#include "crypto.h" +#include "error.h" + +int +main(void) +{ +#if defined(ENABLE_CRYPTO_OPENSSL) +crypto_load_provider("legacy"); +crypto_load_provider("default"); +#endif +#ifdef NTLM +if (!md_valid("MD4")) +{ +msg(M_FATAL, "MD4 not supported"); +} +if (!md_valid("MD5")) +{ +msg(M_FATAL, "MD5 not supported"); +} +#else /* ifdef NTLM */ +msg(M_FATAL, "NTLM support not compiled in"); +#endif +} diff --git a/tests/t_client.rc-sample b/tests/t_client.rc-sample index 355e8bb..d61ecc4 100644 --- a/tests/t_client.rc-sample +++ b/tests/t_client.rc-sample @@ -27,7 +27,7 @@ # # tests to run (list suffixes for config stanzas below) # -TEST_RUN_LIST="1 2" +TEST_RUN_LIST="1 2 2n" # # use "sudo" (etc) to give openvpn the necessary privileges 
@@ -53,14 +53,24 @@ # # if something is not defined here, the corresponding test is not run # -# possible test options: +# common test options: # -# RUN_TITLE_x="what is being tested on here" (purely informational) -# OPENVPN_CONF_x = "how to call ./openvpn"
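Review bot: In the new tests/ntlm_support.c, main() has no return statement and reports "not supported" only through msg(M_FATAL, ...), so the exit status that the skip check relies on depends on msg() from unit_tests/openvpn/mock_msg.c ending the process with a non-zero code. Suggest an explicit return 1 after each msg() call and return 0 at the end, so the helper keeps giving the right answer if the mock's M_FATAL handling changes.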
[Openvpn-devel] [M] Change in openvpn[master]: t_client.sh: Allow to skip tests
cron2 has uploaded a new patch set (#6) to the change originally created by flichtenheld. ( http://gerrit.openvpn.net/c/openvpn/+/521?usp=email ) The following approvals got outdated and were removed: Code-Review+2 by cron2 Change subject: t_client.sh: Allow to skip tests .. t_client.sh: Allow to skip tests Individual tests can define a script to run to test whether they should be skipped. Included in this commit is an example check which checks whether we can do NTLM checks. This fails e.g. on recent versions of Fedora with mbedTLS (tested with Fedora 39) or when NTLM support is not compiled in. v2: - ntlm_support: - support OpenSSL 3 - allow to build without cmocka v3: - add example to t_client.rc-sample - t_client.sh code style - use syshead.h in error.h v5: - rename SKIP_x to CHECK_SKIP_x Change-Id: I13ea6752c8d102eabcc579e391828c05d5322899 Signed-off-by: Frank Lichtenheld Acked-by: Gert Doering Message-Id: <20240308102818.9249-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/search?l=mid=20240308102818.9249-1-g...@greenie.muc.de Signed-off-by: Gert Doering --- M src/openvpn/error.h M tests/Makefile.am A tests/ntlm_support.c M tests/t_client.rc-sample M tests/t_client.sh.in M tests/unit_tests/openvpn/mock_msg.c 6 files changed, 119 insertions(+), 15 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/21/521/6 diff --git a/src/openvpn/error.h b/src/openvpn/error.h index 1225b13..be3484d 100644 --- a/src/openvpn/error.h +++ b/src/openvpn/error.h @@ -25,16 +25,10 @@ #define ERROR_H #include "basic.h" - -#include -#include +#include "syshead.h" #include -#if _WIN32 -#include -#endif - /* #define ABORT_ON_ERROR */ #if defined(ENABLE_PKCS11) || defined(ENABLE_MANAGEMENT) diff --git a/tests/Makefile.am b/tests/Makefile.am index 6c71067..6bc02b4 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am 
@@ -18,6 +18,8 @@ if !WIN32 test_scripts = t_client.sh t_lpback.sh t_cltsrv.sh + +check_PROGRAMS = ntlm_support if HAVE_SITNL test_scripts += t_net.sh endif @@ -35,3 +37,15 @@ dist_noinst_DATA = \ t_client.rc-sample + +ntlm_support_CFLAGS = -I$(top_srcdir)/src/openvpn -I$(top_srcdir)/src/compat -I$(top_srcdir)/tests/unit_tests/openvpn -DNO_CMOCKA @TEST_CFLAGS@ +ntlm_support_LDFLAGS = @TEST_LDFLAGS@ -L$(top_srcdir)/src/openvpn $(OPTIONAL_CRYPTO_LIBS) +ntlm_support_SOURCES = ntlm_support.c \ + unit_tests/openvpn/mock_msg.c unit_tests/openvpn/mock_msg.h \ + $(top_srcdir)/src/openvpn/buffer.c \ + $(top_srcdir)/src/openvpn/crypto.c \ + $(top_srcdir)/src/openvpn/crypto_openssl.c \ + $(top_srcdir)/src/openvpn/crypto_mbedtls.c \ + $(top_srcdir)/src/openvpn/otime.c \ + $(top_srcdir)/src/openvpn/packet_id.c \ + $(top_srcdir)/src/openvpn/platform.c diff --git a/tests/ntlm_support.c b/tests/ntlm_support.c new file mode 100644 index 000..2d7da86 --- /dev/null +++ b/tests/ntlm_support.c 
@@ -0,0 +1,52 @@ +/* + * OpenVPN -- An application to securely tunnel IP networks + * over a single UDP port, with support for SSL/TLS-based + * session authentication and key exchange, + * packet encryption, packet authentication, and + * packet compression. + * + * Copyright (C) 2023 OpenVPN Inc + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "syshead.h" + +#include "crypto.h" +#include "error.h" + +int +main(void) +{ +#if defined(ENABLE_CRYPTO_OPENSSL) +crypto_load_provider("legacy"); +crypto_load_provider("default"); +#endif +#ifdef NTLM +if (!md_valid("MD4")) +{ +msg(M_FATAL, "MD4 not supported"); +} +if (!md_valid("MD5")) +{ +msg(M_FATAL, "MD5 not supported"); +} +#else /* ifdef NTLM */ +msg(M_FATAL, "NTLM support not compiled in"); +#endif +} diff --git a/tests/t_client.rc-sample b/tests/t_client.rc-sample index 355e8bb..d61ecc4 100644 --- a/tests/t_client.rc-sample +++ b/tests/t_client.rc-sample @@ -27,7 +27,7 @@ # # tests to run (list suffixes for config stanzas below) # -TEST_RUN_LIST="1 2" +TEST_RUN_LIST="1 2 2n" # # use "sudo" (etc) to give openvpn the necessary privileges @@ -53,14 +53,24 @@ # # if something is not defined here,
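Review bot: In the tests/Makefile.am hunk, $(OPTIONAL_CRYPTO_LIBS) is passed through ntlm_support_LDFLAGS, which places the libraries before the object files on the link line, and linkers that default to --as-needed can then drop them. Libraries belong in ntlm_support_LDADD. The -L$(top_srcdir)/src/openvpn entry also looks unnecessary, since every needed source file is compiled in directly through ntlm_support_SOURCES and a source directory holds no libraries in an out-of-tree build.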
[Openvpn-devel] [PATCH applied] Re: t_client.sh: Allow to skip tests
Thanks. This is a welcome addition for CI tests where we test functionality that might fail "if built with the wrong SSL library" (like, NTLM proxy) - and I could see a few more of this ("compression variants", etc)

The test looks larger than the actual t_client.sh(.in) + doc change as it brings an actual "can NTLM proxy work?" test program - as we discussed the handling of mock_msg.c/mock_msg.h could be improved, but we all haven't been able to come up with a really nice way.

Tested ntlm_support with an mbedTLS build, works as designed...

openvpn$ tests/ntlm_support
FATAL ERROR:MD4 not supported
openvpn$ echo $?
1

(Building this on top of a tree that has already been built without this patch leads to confused Makefiles and failures to build "ntlm_support" - but this goes away on a fresh checkout / autoreconf, so will not normally hit users)

Your patch has been applied to the master branch.

commit 0c7cf0694ee6f878168330e9a084c255c51a9e8b
Author: Frank Lichtenheld
Date: Fri Mar 8 11:28:18 2024 +0100

t_client.sh: Allow to skip tests

Signed-off-by: Frank Lichtenheld
Acked-by: Gert Doering
Message-Id: <20240308102818.9249-1-g...@greenie.muc.de>
URL: https://www.mail-archive.com/search?l=mid=20240308102818.9249-1-g...@greenie.muc.de
Signed-off-by: Gert Doering

--
kind regards,

Gert Doering
[Openvpn-devel] [XS] Change in openvpn[master]: check_compression_settings_valid: Do not test for LZ4 in LZO check
cron2 has uploaded a new patch set (#2) to the change originally created by flichtenheld. ( http://gerrit.openvpn.net/c/openvpn/+/526?usp=email ) The following approvals got outdated and were removed: Code-Review+2 by plaisthos Change subject: check_compression_settings_valid: Do not test for LZ4 in LZO check .. check_compression_settings_valid: Do not test for LZ4 in LZO check Probably introduced by copy & paste since there is no COMP_ALGV2_LZO. Github: #500 Change-Id: Id6b038c1c0095b2f22033e9dc7090e2507a373ab Signed-off-by: Frank Lichtenheld Acked-by: Arne Schwabe Message-Id: <20240216123037.3670448-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28251.html Signed-off-by: Gert Doering --- M src/openvpn/comp.c 1 file changed, 1 insertion(+), 1 deletion(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/26/526/2 diff --git a/src/openvpn/comp.c b/src/openvpn/comp.c index 6e30369..311f3e9 100644 --- a/src/openvpn/comp.c +++ b/src/openvpn/comp.c @@ -195,7 +195,7 @@ } #endif #ifndef ENABLE_LZO -if (info->alg == COMP_ALG_LZO || info->alg == COMP_ALG_LZ4) +if (info->alg == COMP_ALG_LZO) { msg(msglevel, "OpenVPN is compiled without LZO support. Requested " "compression cannot be enabled."); -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/526?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Id6b038c1c0095b2f22033e9dc7090e2507a373ab Gerrit-Change-Number: 526 Gerrit-PatchSet: 2 Gerrit-Owner: flichtenheld Gerrit-Reviewer: plaisthos Gerrit-CC: openvpn-devel Gerrit-MessageType: newpatchset ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
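Review bot: In the src/openvpn/comp.c hunk, the commit message explains the cause of the old condition but not its visible symptom: on a build without ENABLE_LZO, a configuration selecting COMP_ALG_LZ4 entered this branch and was reported as "OpenVPN is compiled without LZO support." Adding that sentence to the commit message would make the fix findable from a user's log line, and a test covering the LZ4-without-LZO build would keep the copy and paste error from returning.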
[Openvpn-devel] [M] Change in openvpn[master]: Minor fix to process_ip_header
cron2 has uploaded a new patch set (#6) to the change originally created by its_Giaan. ( http://gerrit.openvpn.net/c/openvpn/+/525?usp=email ) The following approvals got outdated and were removed: Code-Review+2 by flichtenheld, Code-Review+2 by plaisthos Change subject: Minor fix to process_ip_header .. Minor fix to process_ip_header Removed if-guard checking if any feature is enabled before performing per-feature check. It doesn't save us much but instead introduces uneeded complexity. While at it, fixed a typo IMCP -> ICMP for defined PIPV6_ICMP_NOHOST_CLIENT and PIPV6_ICMP_NOHOST_SERVER macros. Fixes: Trac https://community.openvpn.net/openvpn/ticket/269 Change-Id: I4b5e8357d872c920efdb64632e9bce72cebee202 Signed-off-by: Gianmarco De Gregori Acked-by: Arne Schwabe Acked-by: Frank Lichtenheld Message-Id: <20240307124616.16358-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28345.html Signed-off-by: Gert Doering --- M src/openvpn/forward.c M src/openvpn/forward.h M src/openvpn/multi.c 3 files changed, 49 insertions(+), 61 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/25/525/6 diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index 0443ca0..556c465 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c @@ -1460,7 +1460,7 @@ * us to examine the IP header (IPv4 or IPv6). */ unsigned int flags = PIPV4_PASSTOS | PIP_MSSFIX | PIPV4_CLIENT_NAT - | PIPV6_IMCP_NOHOST_CLIENT; + | PIPV6_ICMP_NOHOST_CLIENT; process_ip_header(c, flags, >c2.buf); #ifdef PACKET_TRUNCATION_CHECK 
@@ -1644,73 +1644,60 @@ } if (!c->options.block_ipv6) { -flags &= ~(PIPV6_IMCP_NOHOST_CLIENT | PIPV6_IMCP_NOHOST_SERVER); +flags &= ~(PIPV6_ICMP_NOHOST_CLIENT | PIPV6_ICMP_NOHOST_SERVER); } if (buf->len > 0) { -/* - * The --passtos and --mssfix options require - * us to examine the IPv4 header. - */ - -if (flags & (PIP_MSSFIX -#if PASSTOS_CAPABILITY - | PIPV4_PASSTOS -#endif - | PIPV4_CLIENT_NAT - )) +struct buffer ipbuf = *buf; +if (is_ipv4(TUNNEL_TYPE(c->c1.tuntap), )) { -struct buffer ipbuf = *buf; -if (is_ipv4(TUNNEL_TYPE(c->c1.tuntap), )) -{ #if PASSTOS_CAPABILITY -/* extract TOS from IP header */ -if (flags & PIPV4_PASSTOS) -{ -link_socket_extract_tos(c->c2.link_socket, ); -} +/* extract TOS from IP header */ +if (flags & PIPV4_PASSTOS) +{ +link_socket_extract_tos(c->c2.link_socket, ); +} #endif -/* possibly alter the TCP MSS */ -if (flags & PIP_MSSFIX) -{ -mss_fixup_ipv4(, c->c2.frame.mss_fix); -} - -/* possibly do NAT on packet */ -if ((flags & PIPV4_CLIENT_NAT) && c->options.client_nat) -{ -const int direction = (flags & PIP_OUTGOING) ? 
CN_INCOMING : CN_OUTGOING; -client_nat_transform(c->options.client_nat, , direction); -} -/* possibly extract a DHCP router message */ -if (flags & PIPV4_EXTRACT_DHCP_ROUTER) -{ -const in_addr_t dhcp_router = dhcp_extract_router_msg(); -if (dhcp_router) -{ -route_list_add_vpn_gateway(c->c1.route_list, c->c2.es, dhcp_router); -} -} -} -else if (is_ipv6(TUNNEL_TYPE(c->c1.tuntap), )) +/* possibly alter the TCP MSS */ +if (flags & PIP_MSSFIX) { -/* possibly alter the TCP MSS */ -if (flags & PIP_MSSFIX) -{ -mss_fixup_ipv6(, c->c2.frame.mss_fix); -} -if (!(flags & PIP_OUTGOING) && (flags -&(PIPV6_IMCP_NOHOST_CLIENT | PIPV6_IMCP_NOHOST_SERVER))) -{ -ipv6_send_icmp_unreachable(c, buf, - (bool)(flags & PIPV6_IMCP_NOHOST_CLIENT)); -/* Drop the IPv6 packet */ -buf->len = 0; -} - +mss_fixup_ipv4(, c->c2.frame.mss_fix); } + +/* possibly do NAT on packet */ +if ((flags & PIPV4_CLIENT_NAT) && c->options.client_nat) +{ +const int direction = (flags & PIP_OUTGOING) ? CN_INCOMING : CN_OUTGOING; +
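Review bot: the commit message undersells the second forward.c hunk (@@ -1644): removing the outer `if (flags & (PIP_MSSFIX | PIPV4_PASSTOS | PIPV4_CLIENT_NAT))` changes behaviour, it is not only a simplification. The removed guard did not test PIPV4_EXTRACT_DHCP_ROUTER or the PIPV6_IMCP_NOHOST_* bits, yet the checks for them sat inside it, so with none of the three guard bits set the DHCP router extraction and the `ipv6_send_icmp_unreachable()` path could not be reached. Please say that in the message next to the Trac reference. Since `struct buffer ipbuf = *buf;` and `is_ipv4()` now run for every packet with `buf->len > 0` whatever the flags are, a one-line comment above the copy stating that this is intended would save the next reader from re-adding the guard.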
[Openvpn-devel] [M] Change in openvpn[master]: Minor fix to process_ip_header
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/525?usp=email ) Change subject: Minor fix to process_ip_header .. Minor fix to process_ip_header Removed if-guard checking if any feature is enabled before performing per-feature check. It doesn't save us much but instead introduces uneeded complexity. While at it, fixed a typo IMCP -> ICMP for defined PIPV6_ICMP_NOHOST_CLIENT and PIPV6_ICMP_NOHOST_SERVER macros. Fixes: Trac https://community.openvpn.net/openvpn/ticket/269 Change-Id: I4b5e8357d872c920efdb64632e9bce72cebee202 Signed-off-by: Gianmarco De Gregori Acked-by: Arne Schwabe Acked-by: Frank Lichtenheld Message-Id: <20240307124616.16358-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28345.html Signed-off-by: Gert Doering --- M src/openvpn/forward.c M src/openvpn/forward.h M src/openvpn/multi.c 3 files changed, 49 insertions(+), 61 deletions(-) diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index 0443ca0..556c465 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c @@ -1460,7 +1460,7 @@ * us to examine the IP header (IPv4 or IPv6). */ unsigned int flags = PIPV4_PASSTOS | PIP_MSSFIX | PIPV4_CLIENT_NAT - | PIPV6_IMCP_NOHOST_CLIENT; + | PIPV6_ICMP_NOHOST_CLIENT; process_ip_header(c, flags, >c2.buf); #ifdef PACKET_TRUNCATION_CHECK 
@@ -1644,73 +1644,60 @@ } if (!c->options.block_ipv6) { -flags &= ~(PIPV6_IMCP_NOHOST_CLIENT | PIPV6_IMCP_NOHOST_SERVER); +flags &= ~(PIPV6_ICMP_NOHOST_CLIENT | PIPV6_ICMP_NOHOST_SERVER); } if (buf->len > 0) { -/* - * The --passtos and --mssfix options require - * us to examine the IPv4 header. - */ - -if (flags & (PIP_MSSFIX -#if PASSTOS_CAPABILITY - | PIPV4_PASSTOS -#endif - | PIPV4_CLIENT_NAT - )) +struct buffer ipbuf = *buf; +if (is_ipv4(TUNNEL_TYPE(c->c1.tuntap), )) { -struct buffer ipbuf = *buf; -if (is_ipv4(TUNNEL_TYPE(c->c1.tuntap), )) -{ #if PASSTOS_CAPABILITY -/* extract TOS from IP header */ -if (flags & PIPV4_PASSTOS) -{ -link_socket_extract_tos(c->c2.link_socket, ); -} +/* extract TOS from IP header */ +if (flags & PIPV4_PASSTOS) +{ +link_socket_extract_tos(c->c2.link_socket, ); +} #endif -/* possibly alter the TCP MSS */ -if (flags & PIP_MSSFIX) -{ -mss_fixup_ipv4(, c->c2.frame.mss_fix); -} - -/* possibly do NAT on packet */ -if ((flags & PIPV4_CLIENT_NAT) && c->options.client_nat) -{ -const int direction = (flags & PIP_OUTGOING) ? 
CN_INCOMING : CN_OUTGOING; -client_nat_transform(c->options.client_nat, , direction); -} -/* possibly extract a DHCP router message */ -if (flags & PIPV4_EXTRACT_DHCP_ROUTER) -{ -const in_addr_t dhcp_router = dhcp_extract_router_msg(); -if (dhcp_router) -{ -route_list_add_vpn_gateway(c->c1.route_list, c->c2.es, dhcp_router); -} -} -} -else if (is_ipv6(TUNNEL_TYPE(c->c1.tuntap), )) +/* possibly alter the TCP MSS */ +if (flags & PIP_MSSFIX) { -/* possibly alter the TCP MSS */ -if (flags & PIP_MSSFIX) -{ -mss_fixup_ipv6(, c->c2.frame.mss_fix); -} -if (!(flags & PIP_OUTGOING) && (flags -&(PIPV6_IMCP_NOHOST_CLIENT | PIPV6_IMCP_NOHOST_SERVER))) -{ -ipv6_send_icmp_unreachable(c, buf, - (bool)(flags & PIPV6_IMCP_NOHOST_CLIENT)); -/* Drop the IPv6 packet */ -buf->len = 0; -} - +mss_fixup_ipv4(, c->c2.frame.mss_fix); } + +/* possibly do NAT on packet */ +if ((flags & PIPV4_CLIENT_NAT) && c->options.client_nat) +{ +const int direction = (flags & PIP_OUTGOING) ? CN_INCOMING : CN_OUTGOING; +client_nat_transform(c->options.client_nat, , direction); +} +/* possibly extract a DHCP router message */ +if (flags & PIPV4_EXTRACT_DHCP_ROUTER) +{ +const in_addr_t dhcp_router =
[Openvpn-devel] [XS] Change in openvpn[master]: check_compression_settings_valid: Do not test for LZ4 in LZO check
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/526?usp=email ) Change subject: check_compression_settings_valid: Do not test for LZ4 in LZO check .. check_compression_settings_valid: Do not test for LZ4 in LZO check Probably introduced by copy & paste since there is no COMP_ALGV2_LZO. Github: #500 Change-Id: Id6b038c1c0095b2f22033e9dc7090e2507a373ab Signed-off-by: Frank Lichtenheld Acked-by: Arne Schwabe Message-Id: <20240216123037.3670448-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28251.html Signed-off-by: Gert Doering --- M src/openvpn/comp.c 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/openvpn/comp.c b/src/openvpn/comp.c index 6e30369..311f3e9 100644 --- a/src/openvpn/comp.c +++ b/src/openvpn/comp.c @@ -195,7 +195,7 @@ } #endif #ifndef ENABLE_LZO -if (info->alg == COMP_ALG_LZO || info->alg == COMP_ALG_LZ4) +if (info->alg == COMP_ALG_LZO) { msg(msglevel, "OpenVPN is compiled without LZO support. Requested " "compression cannot be enabled."); -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/526?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Id6b038c1c0095b2f22033e9dc7090e2507a373ab Gerrit-Change-Number: 526 Gerrit-PatchSet: 2 Gerrit-Owner: flichtenheld Gerrit-Reviewer: plaisthos Gerrit-CC: openvpn-devel Gerrit-MessageType: merged ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: Minor fix to process_ip_header
Verified ("git show -w") that this is indeed just removing one level of indentation + ICMP spelling fixes (good catch).

Given the sequence of checks, this ordering is indeed a bit more costly for the "no PIP bits are set" (as is_ipv4() has to do more checking than "are we interested in this at all?") - but since we basically always default to having MSSFIX active, this is a bit moot.

For good measure, subjected to GHA and server side test run.

Your patch has been applied to the master branch.

commit 6456d861f3f1006ccee0a7f94a159f4afe1d3178
Author: Gianmarco De Gregori
Date: Thu Mar 7 13:46:16 2024 +0100

    Minor fix to process_ip_header

    Signed-off-by: Gianmarco De Gregori
    Acked-by: Arne Schwabe
    Acked-by: Frank Lichtenheld
    Message-Id: <20240307124616.16358-1-g...@greenie.muc.de>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28345.html
    Signed-off-by: Gert Doering

--
kind regards,

Gert Doering
[Openvpn-devel] [PATCH applied] Re: check_compression_settings_valid: Do not test for LZ4 in LZO check
"Makes sense" :-)

Your patch has been applied to the master and release/2.6 branch (bugfix).

commit 4076d24f2f4adc432753aa62bd8158e3bf89ee21 (master)
commit 7a810e64e54eda264c9cf184f442a3bae8df66af (release/2.6)
Author: Frank Lichtenheld
Date: Fri Feb 16 13:30:37 2024 +0100

    check_compression_settings_valid: Do not test for LZ4 in LZO check

    Signed-off-by: Frank Lichtenheld
    Acked-by: Arne Schwabe
    Message-Id: <20240216123037.3670448-1-fr...@lichtenheld.com>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28251.html
    Signed-off-by: Gert Doering

--
kind regards,

Gert Doering
[Openvpn-devel] [PATCH v5] t_client.sh: Allow to skip tests
From: Frank Lichtenheld Individual tests can define a script to run to test whether they should be skipped. Included in this commit is an example check which checks whether we can do NTLM checks. This fails e.g. on recent versions of Fedora with mbedTLS (tested with Fedora 39) or when NTLM support is not compiled in. v2: - ntlm_support: - support OpenSSL 3 - allow to build without cmocka v3: - add example to t_client.rc-sample - t_client.sh code style - use syshead.h in error.h v5: - rename SKIP_x to CHECK_SKIP_x Change-Id: I13ea6752c8d102eabcc579e391828c05d5322899 Signed-off-by: Frank Lichtenheld Acked-by: Gert Doering --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/521 This mail reflects revision 5 of this Change. Acked-by according to Gerrit (reflected above): Gert Doering diff --git a/src/openvpn/error.h b/src/openvpn/error.h index 1225b13..be3484d 100644 --- a/src/openvpn/error.h +++ b/src/openvpn/error.h @@ -25,16 +25,10 @@ #define ERROR_H #include "basic.h" - -#include -#include +#include "syshead.h" #include -#if _WIN32 -#include -#endif - /* #define ABORT_ON_ERROR */ #if defined(ENABLE_PKCS11) || defined(ENABLE_MANAGEMENT) diff --git a/tests/Makefile.am b/tests/Makefile.am index b3b2d74..13a1013 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -19,6 +19,8 @@ if !WIN32 test_scripts = t_client.sh t_lpback.sh t_cltsrv.sh + +check_PROGRAMS = ntlm_support if HAVE_SITNL test_scripts += t_net.sh endif 
@@ -36,3 +38,15 @@ dist_noinst_DATA = \ t_client.rc-sample + +ntlm_support_CFLAGS = -I$(top_srcdir)/src/openvpn -I$(top_srcdir)/src/compat -I$(top_srcdir)/tests/unit_tests/openvpn -DNO_CMOCKA @TEST_CFLAGS@ +ntlm_support_LDFLAGS = @TEST_LDFLAGS@ -L$(top_srcdir)/src/openvpn $(OPTIONAL_CRYPTO_LIBS) +ntlm_support_SOURCES = ntlm_support.c \ + unit_tests/openvpn/mock_msg.c unit_tests/openvpn/mock_msg.h \ + $(top_srcdir)/src/openvpn/buffer.c \ + $(top_srcdir)/src/openvpn/crypto.c \ + $(top_srcdir)/src/openvpn/crypto_openssl.c \ + $(top_srcdir)/src/openvpn/crypto_mbedtls.c \ + $(top_srcdir)/src/openvpn/otime.c \ + $(top_srcdir)/src/openvpn/packet_id.c \ + $(top_srcdir)/src/openvpn/platform.c diff --git a/tests/ntlm_support.c b/tests/ntlm_support.c new file mode 100644 index 000..2d7da86 --- /dev/null +++ b/tests/ntlm_support.c 
@@ -0,0 +1,52 @@ +/* + * OpenVPN -- An application to securely tunnel IP networks + * over a single UDP port, with support for SSL/TLS-based + * session authentication and key exchange, + * packet encryption, packet authentication, and + * packet compression. + * + * Copyright (C) 2023 OpenVPN Inc + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "syshead.h" + +#include "crypto.h" +#include "error.h" + +int +main(void) +{ +#if defined(ENABLE_CRYPTO_OPENSSL) +crypto_load_provider("legacy"); +crypto_load_provider("default"); +#endif +#ifdef NTLM +if (!md_valid("MD4")) +{ +msg(M_FATAL, "MD4 not supported"); +} +if (!md_valid("MD5")) +{ +msg(M_FATAL, "MD5 not supported"); +} +#else /* ifdef NTLM */ +msg(M_FATAL, "NTLM support not compiled in"); +#endif +} diff --git a/tests/t_client.rc-sample b/tests/t_client.rc-sample index 355e8bb..d61ecc4 100644 --- a/tests/t_client.rc-sample +++ b/tests/t_client.rc-sample @@ -27,7 +27,7 @@ # # tests to run (list suffixes for config stanzas below) # -TEST_RUN_LIST="1 2" +TEST_RUN_LIST="1 2 2n" # # use "sudo" (etc) to give openvpn the necessary privileges 
@@ -53,14 +53,24 @@ # # if something is not defined here, the corresponding test is not run # -# possible test options: +# common test options: # -# RUN_TITLE_x="what is being tested on here" (purely informational) -# OPENVPN_CONF_x = "how to call ./openvpn" [mandatory] +# RUN_TITLE_x= "what is being tested on here" (purely informational) +# OPENVPN_CONF_x = "how to call ./openvpn" [mandatory] # EXPECT_IFCONFIG4_x = "this IPv4 address needs to show up in ifconfig" # EXPECT_IFCONFIG6_x = "this IPv6 address needs to show up in ifconfig" -# PING4_HOSTS_x =
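Review bot: in the second tests/Makefile.am hunk (@@ -36,3), `ntlm_support_LDFLAGS` passes `-L$(top_srcdir)/src/openvpn`, which points the linker at the source tree; the program is built from the listed .c files and none of the visible flags names a library from that directory, so the `-L` looks unnecessary and should be dropped or explained. In the same hunk `unit_tests/openvpn/mock_msg.c` and `mock_msg.h` are given relative to tests/ while every other source uses `$(top_srcdir)/...`; using one form throughout makes it easier to see what the helper pulls in.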
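Review bot: tests/ntlm_support.c does not document its contract, and the exit status is its whole interface. `main()` has no `return` and every failure goes through `msg(M_FATAL, ...)`; please add an explicit `return 0;` at the end and a short comment under the licence banner saying that exit 0 means the NTLM tests can run and non-zero means they should be skipped. The probe also calls `crypto_load_provider("legacy")` before `md_valid("MD4")`, so on OpenSSL it reports MD4 as available whenever the legacy provider can be loaded; a comment on whether the openvpn run gated by this check loads the provider the same way would make clear that the probe and the test agree.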
[Openvpn-devel] [M] Change in openvpn[master]: t_client.sh: Allow to skip tests
Attention is currently required from: flichtenheld, ordex, plaisthos.

cron2 has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/521?usp=email )

Change subject: t_client.sh: Allow to skip tests

Patch Set 5: Code-Review+2

(1 comment)

Patchset:

PS5:
thanks. t_client looks good, ntlm test we agreed on taking as it is and maybe someone will come up with good ideas how to improve later on.

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/521?usp=email
To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I13ea6752c8d102eabcc579e391828c05d5322899
Gerrit-Change-Number: 521
Gerrit-PatchSet: 5
Gerrit-Owner: flichtenheld
Gerrit-Reviewer: cron2
Gerrit-Reviewer: plaisthos
Gerrit-CC: openvpn-devel
Gerrit-CC: ordex
Gerrit-Attention: plaisthos
Gerrit-Attention: flichtenheld
Gerrit-Attention: ordex
Gerrit-Comment-Date: Fri, 08 Mar 2024 10:27:55 +
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment