[Openvpn-devel] [PATCH v2] Remove openvpn_snprintf and similar functions
From: Arne Schwabe Old Microsoft versions did strange behaviour but according to the newly added unit test and https://stackoverflow.com/questions/7706936/is-snprintf-always-null-terminating this is now standard conforming and we can use the normal snprintf method. Microsoft own documentation to swprintf also says you nowadays need to define _CRT_NON_CONFORMING_SWPRINTFS to get to non-standard behaviour. Change-Id: I07096977e3b562bcb5d2c6f11673a4175b8e12ac Signed-off-by: Arne Schwabe Acked-by: Antonio Quartulli --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/547 This mail reflects revision 2 of this Change. Acked-by according to Gerrit (reflected above): Antonio Quartulli diff --git a/src/openvpn/buffer.c b/src/openvpn/buffer.c index 66fd63f..3a8069c 100644 --- a/src/openvpn/buffer.c +++ b/src/openvpn/buffer.c @@ -279,32 +279,6 @@ return ret; } - -/* - * This is necessary due to certain buggy implementations of snprintf, - * that don't guarantee null termination for size > 0. - * - * Return false on overflow. - * - * This functionality is duplicated in src/openvpnserv/common.c - * Any modifications here should be done to the other place as well. - */ - -bool -openvpn_snprintf(char *str, size_t size, const char *format, ...) -{ -va_list arglist; -int len = -1; -if (size > 0) -{ -va_start(arglist, format); -len = vsnprintf(str, size, format, arglist); -va_end(arglist); -str[size - 1] = 0; -} -return (len >= 0 && len < size); -} - /* * write a string to the end of a buffer that was * truncated by buf_printf diff --git a/src/openvpn/buffer.h b/src/openvpn/buffer.h index 7c2f75a..27c3199 100644 --- a/src/openvpn/buffer.h +++ b/src/openvpn/buffer.h @@ -448,19 +448,6 @@ */ bool buf_puts(struct buffer *buf, const char *str); -/* - * Like snprintf but guarantees null termination for size > 0 - */ -bool openvpn_snprintf(char *str, size_t size, const char *format, ...) -#ifdef __GNUC__ -#if __USE_MINGW_ANSI_STDIO -__attribute__ ((format(gnu_printf, 3, 4))) -#else -__attribute__ ((format(__printf__, 3, 4))) -#endif -#endif -; - /* * remove/add trailing characters diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index 5d05cc4..207f145 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c @@ -874,11 +874,11 @@ key_direction_state_init(, key_direction); -openvpn_snprintf(log_prefix, sizeof(log_prefix), "Outgoing %s", name); +snprintf(log_prefix, sizeof(log_prefix), "Outgoing %s", name); init_key_ctx(>encrypt, >keys[kds.out_key], kt, OPENVPN_OP_ENCRYPT, log_prefix); -openvpn_snprintf(log_prefix, sizeof(log_prefix), "Incoming %s", name); +snprintf(log_prefix, sizeof(log_prefix), "Incoming %s", name); init_key_ctx(>decrypt, >keys[kds.in_key], kt, OPENVPN_OP_DECRYPT, log_prefix); diff --git a/src/openvpn/crypto_mbedtls.c b/src/openvpn/crypto_mbedtls.c index 1a39752..c806719 100644 --- a/src/openvpn/crypto_mbedtls.c +++ b/src/openvpn/crypto_mbedtls.c @@ -128,7 +128,7 @@ { char prefix[256]; -if (!openvpn_snprintf(prefix, sizeof(prefix), "%s:%d", func, line)) +if (!snprintf(prefix, sizeof(prefix), "%s:%d", func, line)) { return mbed_log_err(flags, errval, func); } @@ -239,11 +239,11 @@ char header[1000+1] = { 0 }; char footer[1000+1] = { 0 }; -if (!openvpn_snprintf(header, sizeof(header), "-BEGIN %s-\n", name)) +if (!snprintf(header, sizeof(header), "-BEGIN %s-\n", name)) { return false; } -if (!openvpn_snprintf(footer, sizeof(footer), "-END %s-\n", name)) +if (!snprintf(footer, sizeof(footer), "-END %s-\n", name)) { return false; } @@ -278,11 +278,11 @@ char header[1000+1] = { 0 }; char footer[1000+1] = { 0 }; -if (!openvpn_snprintf(header, sizeof(header), "-BEGIN %s-", name)) +if (!snprintf(header, sizeof(header), "-BEGIN %s-", name)) { return false; } -if (!openvpn_snprintf(footer, sizeof(footer), "-END %s-", name)) +if (!snprintf(footer, sizeof(footer), "-END %s-", name)) { return false; } diff --git a/src/openvpn/dns.c b/src/openvpn/dns.c index 7de3991..0539ca5 100644 --- a/src/openvpn/dns.c +++ b/src/openvpn/dns.c @@ -349,11 +349,11 @@ if (j < 0) { -name_ok = openvpn_snprintf(name, sizeof(name), format, i); +name_ok = snprintf(name, sizeof(name), format, i); } else { -name_ok = openvpn_snprintf(name, sizeof(name), format, i, j); +name_ok = snprintf(name, sizeof(name), format, i, j); } if (!name_ok) diff --git a/src/openvpn/env_set.c b/src/openvpn/env_set.c index b13d01e..81ab59e 100644 --- a/src/openvpn/env_set.c +++
[Openvpn-devel] [PATCH applied] Re: Change default of topology to subnet
Sorry for being so slow in merging this. I had to adjust my testbeds to "not explode" and shied away from doing so :-) (all the server test instances without "topology" defaulted to net30, and just applying this patch would recreate the ip-pool-persist files, breaking t_client EXPECT_IFCONFIG4_... settings). So. Whoever reads this - *THIS CAN BE DISRUPTIVE*. But it's the right way forward, given that DCO (on the server) will only work with "--topology subnet", and it also saves on IPv4 address usage for the pools... and clients have been compatible with "subnet" across all platforms since at least OpenVPN 2.2, so no excuses. NOTE: for --server setups, this will still work, just changing the way the pool is split, thus assigning new IP addresses to clients, and invalidating the --ip-pool-persist file. NOTE2: For p2p setups (no --server, just --tls-server/--tls-client or even --secret) it will break the setup hard, as those usually use "--ifconfig ip1 ip2" and "ip2" will now be parsed as a netmask, with surprising consequences. See GH #529. Your patch has been applied to the master branch. commit 32e6586687a548174b88b64fe54bfae6c74d4c19 Author: Frank Lichtenheld Date: Fri Dec 1 12:20:22 2023 +0100 Change default of topology to subnet Signed-off-by: Frank Lichtenheld Acked-by: Arne Schwabe Message-Id: <20231201112022.15337-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27627.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: forked-test-driver: Show test output always
Tested this in various build environments, including Ubuntu/MinGW, and GHA, and things still work & test "as before". Combined with the previous commit, we get useful (for me) "I can see what make check is doing all the time" behaviour back. I'm still not convinced that this is a better way forward than just using the old test-driver and possibly tweaking Makefiles a bit, but "this does work for me", and automake upstream seems to think it's the way to go... thanks, Frank, for doing the actual work :-) Your patch has been applied to the master branch. commit e2ff9161e1b1b3e8c83bf01e3c488e0601834c0c Author: Frank Lichtenheld Date: Thu Jan 25 12:01:22 2024 +0100 forked-test-driver: Show test output always Signed-off-by: Frank Lichtenheld Acked-by: Arne Schwabe Message-Id: <20240125110122.16257-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28133.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: tests: fork default automake test-driver
Tested this in various build environments, including Ubuntu/MinGW, and GHA, and things still work & test "as before". Combined with the next commit, we get useful (for me) "I can see what make check is doing all the time" behaviour back. Your patch has been applied to the master branch. commit aea6e9aa854b454f98671382eb751662dd9e1e03 Author: Frank Lichtenheld Date: Thu Jan 25 12:00:36 2024 +0100 tests: fork default automake test-driver Signed-off-by: Frank Lichtenheld Acked-by: Arne Schwabe Message-Id: <20240125110036.16070-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28132.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: Remove/combine redundant call of EVP_CipherInit before EVP_CipherInit_Ex
Looking at the OpenSSL implementation for the EVP_CipherInit*() functions makes it really clear that this is, basically, dead code. Of course the "kt" init needs to go to the second call now, because otherwise it will bomb with OpenSSL 3.x ("no default cipher"). Tested with various OpenSSL (and LibreSSL) versions across the buildbot and GHA test bed. Your patch has been applied to the master branch. (Not applied to release/2.6 since it's not actually fixing something, just cleaning up old code - typical "master" material) commit e81e3eb1a4322148b06f353eaa22b0a803fd74f4 Author: Arne Schwabe Date: Tue Apr 2 15:49:09 2024 +0200 Remove/combine redundant call of EVP_CipherInit before EVP_CipherInit_Ex Signed-off-by: Arne Schwabe Acked-by: Gert Doering Message-Id: <20240402134909.6340-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28523.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v3] Remove/combine redundant call of EVP_CipherInit before EVP_CipherInit_Ex
From: Arne Schwabe EVP_CipherInit basically is the same EVP_CipherInit_ex except that it in some instances it resets/inits the ctx parameter first. We already call EVP_CIPHER_CTX_reset to reset/init the ctx before. Also ensure that EVP_CipherInit_Ex gets the cipher to actually be able to initialise the context. OpenSSL 1.0.2: https://github.com/openssl/openssl/blob/OpenSSL_1_0_2-stable/crypto/evp/evp_enc.c#L94 EVP_CipherInit calls first EVP_CIPHER_CTX_init and then EVP_CipherInit_ex Our openssl_compat.h has for these older OpenSSL versions OpenSSL 3.0: https://github.com/openssl/openssl/blob/openssl-3.2/crypto/evp/evp_enc.c#L450 basically the same as 1.0.2. Just that method names have been changed. Change-Id: I911e25949a8647b567fd4178683534d4404ab469 Signed-off-by: Arne Schwabe Acked-by: Gert Doering --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/552 This mail reflects revision 3 of this Change. Acked-by according to Gerrit (reflected above): Gert Doering diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index bfc5e37..b2c4eb6 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -846,11 +846,7 @@ evp_cipher_type *kt = cipher_get(ciphername); EVP_CIPHER_CTX_reset(ctx); -if (!EVP_CipherInit(ctx, kt, NULL, NULL, enc)) -{ -crypto_msg(M_FATAL, "EVP cipher init #1"); -} -if (!EVP_CipherInit_ex(ctx, NULL, NULL, key, NULL, enc)) +if (!EVP_CipherInit_ex(ctx, kt, NULL, key, NULL, enc)) { crypto_msg(M_FATAL, "EVP cipher init #2"); } ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v2] Remove redundant call of EVP_CipherInit before EVP_CipherInit_Ex
From: Arne Schwabe EVP_CipherInit basically is the same EVP_CipherInit_ex except that it in some instances it resets/inits the ctx parameter first. We already call EVP_CIPHER_CTX_reset to reset/init the ctx before so this call does not do anything useful. OpenSSL 1.0.2: https://github.com/openssl/openssl/blob/OpenSSL_1_0_2-stable/crypto/evp/evp_enc.c#L94 EVP_CipherInit calls first EVP_CIPHER_CTX_init and then EVP_CipherInit_ex Our openssl_compat.h has for these older OpenSSL versions OpenSSL 3.0: https://github.com/openssl/openssl/blob/openssl-3.2/crypto/evp/evp_enc.c#L450 basically the same as 1.0.2. Just that method names have been changed. Change-Id: I911e25949a8647b567fd4178683534d4404ab469 Signed-off-by: Arne Schwabe Acked-by: Gert Doering --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/552 This mail reflects revision 2 of this Change. Acked-by according to Gerrit (reflected above): Gert Doering diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index bfc5e37..13dfa8c 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -846,10 +846,6 @@ evp_cipher_type *kt = cipher_get(ciphername); EVP_CIPHER_CTX_reset(ctx); -if (!EVP_CipherInit(ctx, kt, NULL, NULL, enc)) -{ -crypto_msg(M_FATAL, "EVP cipher init #1"); -} if (!EVP_CipherInit_ex(ctx, NULL, NULL, key, NULL, enc)) { crypto_msg(M_FATAL, "EVP cipher init #2"); ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: Match ifdef for get_sigtype function with if ifdef of caller
ACK, verified that it fixes the GHA build fails we've seen since the recent LibreSSL upgrade on the MacOS builders. Your patch has been applied to the master branch. Not applicable to release/2.6 as the offending code is not in there. commit ff402c7c2fbc49ff6d352ebdc3cdc4c27c2bbcbb (master) Author: Arne Schwabe Date: Tue Apr 2 08:36:46 2024 +0200 Match ifdef for get_sigtype function with if ifdef of caller Signed-off-by: Arne Schwabe Acked-by: Gert Doering Message-Id: <20240402063646.25490-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28512.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v1] Match ifdef for get_sigtype function with if ifdef of caller
From: Arne Schwabe These two ifdef needs to be the same otherwise the compiler will break with a undefined function. Change-Id: I5b14bf90bb07935f0bb84373ec4e62352752c03f Signed-off-by: Arne Schwabe Acked-by: Gert Doering --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/551 This mail reflects revision 1 of this Change. Acked-by according to Gerrit (reflected above): Gert Doering diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 6f29c3d..a158617 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -2166,7 +2166,8 @@ EVP_PKEY_free(pkey); } -#if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x101fL +#if (!defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x101fL) \ +|| (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x309fL) /** * Translate an OpenSSL NID into a more human readable name * @param nid ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: crypto_backend: fix type of enc parameter
Lightly tested on a FreeBSD/MbedTLS 2.28.7, resulting code still works :-) Your patch has been applied to the master branch. commit 4d907bf46a470ccbd2940b9ecb64d6502d9d86bf Author: Frank Lichtenheld Date: Wed Mar 27 17:26:21 2024 +0100 crypto_backend: fix type of enc parameter Signed-off-by: Frank Lichtenheld Acked-by: Arne Schwabe Message-Id: <20240327162621.1792414-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28498.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: misc.c: remove unused code
Your patch has been applied to the master and release/2.6 branch. (Trivial and obvious removal of dead code, passes all tests, and having the code align can be helpful) commit 4c71e816031f564f834df695b3fa717ea22720d2 (master) commit f50c67707ed033040c93a6b5d4efbbd2c0933459 (release/2.6) Author: Lev Stipakov Date: Fri Mar 29 11:37:39 2024 +0100 misc.c: remove unused code Signed-off-by: Lev Stipakov Acked-by: Frank Lichtenheld Message-Id: <20240329103739.28254-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28503.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v1] misc.c: remove unused code
From: Lev Stipakov Commit 3a4fb1 "Ensure --auth-nocache is handled during renegotiation" has changed the behavior of set_auth_token(), but left unused parameter struct user_pass *up Remove this parameter and amend comments accordingly. Also remove unused function definition from misc.h. Signed-off-by: Lev Stipakov Acked-by: Frank Lichtenheld Change-Id: Ic440f2c8d46dfcb5ff41ba2f33bf28bb7286eec4 --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/550 This mail reflects revision 1 of this Change. Acked-by according to Gerrit (reflected above): Frank Lichtenheld diff --git a/src/openvpn/misc.c b/src/openvpn/misc.c index 3ff0857..598fbae 100644 --- a/src/openvpn/misc.c +++ b/src/openvpn/misc.c @@ -491,19 +491,15 @@ } void -set_auth_token(struct user_pass *up, struct user_pass *tk, const char *token) +set_auth_token(struct user_pass *tk, const char *token) { - if (strlen(token)) { strncpynt(tk->password, token, USER_PASS_LEN); tk->token_defined = true; /* - * --auth-token has no username, so it needs the username - * either already set or copied from up, or later set by - * --auth-token-user - * If already set, tk is fully defined. + * If username already set, tk is fully defined. */ if (strlen(tk->username)) { diff --git a/src/openvpn/misc.h b/src/openvpn/misc.h index cb3bf68..963f3e6 100644 --- a/src/openvpn/misc.h +++ b/src/openvpn/misc.h @@ -152,26 +152,18 @@ return get_user_pass_cr(up, auth_file, prefix, flags, NULL); } -void fail_user_pass(const char *prefix, -const unsigned int flags, -const char *reason); - void purge_user_pass(struct user_pass *up, const bool force); /** - * Sets the auth-token to token. If a username is available from - * either up or already present in tk that will be used as default - * username for the token. The method will also purge up if + * Sets the auth-token to token. The method will also purge up if * the auth-nocache option is active. * - * @param up(non Auth-token) Username/password * @param tkauth-token userpass to set * @param token token to use as password for the auth-token * * @noteall parameters to this function must not be null. */ -void set_auth_token(struct user_pass *up, struct user_pass *tk, -const char *token); +void set_auth_token(struct user_pass *tk, const char *token); /** * Sets the auth-token username by base64 decoding the passed diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 7895a37..7c49451 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -340,7 +340,7 @@ void ssl_set_auth_token(const char *token) { -set_auth_token(_user_pass, _token, token); +set_auth_token(_token, token); } void ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: script-options.rst: Update ifconfig_* variables
Acked-by: Gert Doering We're so bad at times at updating documentation... verified that the newly documented options exist and do what it says. Confusing code... Your patch has been applied to the master and release/2.6 branch (doc). commit a94226cdc8ed037a6763675aa47e6c821983f174 (master) commit ea0d9c70a44e3d871136f68bddb0befc299dd692 (release/2.6) Author: Frank Lichtenheld Date: Thu Mar 21 17:16:23 2024 +0100 script-options.rst: Update ifconfig_* variables Signed-off-by: Frank Lichtenheld Acked-by: Gert Doering Message-Id: <20240321161623.2794161-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28438.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: Add bracket in fingerprint message and do not warn about missing verification
Added the Github reference to #516 Your patch has been applied to the master and release/2.6 branch (bugfix). commit 4b95656536be1f402a55ef5dffe140fa78e7eb51 (master) commit e36359aa7e5193ad002768e90ae660896a5a0fa6 (release/2.6) Author: Arne Schwabe Date: Tue Mar 26 11:38:53 2024 +0100 Add bracket in fingerprint message and do not warn about missing verification Signed-off-by: Arne Schwabe Acked-by: Frank Lichtenheld Message-Id: <20240326103853.494572-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28474.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: Fix snprintf/swnprintf related compiler warnings
Lightly stared at code and ran client side tests (that excercise proxy). Your patch has been applied to the master branch. commit 6889d9e2f1458272ded4c035df40378ace3d7395 (master) Author: Arne Schwabe Date: Tue Mar 26 11:41:01 2024 +0100 Fix snprintf/swnprintf related compiler warnings Signed-off-by: Arne Schwabe Acked-by: Frank Lichtenheld Message-Id: <20240326104101.531291-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28475.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: phase2_tcp_server: fix Coverity issue 'Dereference after null check'
This is arguably a correct fix, though we could go a bit further in terms of refactoring and fully get rid of signal_received - if my understanding of the code is correct, it's only passed to a single function (socket_listen_accept()), which is only called from here - so "just pass on sig_info and use that" would be a bit less convoluted. But that's refactoring, so for future master... Lightly tested on the server framework. Your patch has been applied to the master and release/2.6 branch. commit e8c629fe64c67ea0a8454753be99db44df7ce53e (master) commit 5591af17694d98054da2cdf4cfd42508a8a4fb8e (release/2.6) Author: Frank Lichtenheld Date: Mon Mar 25 08:14:48 2024 +0100 phase2_tcp_server: fix Coverity issue 'Dereference after null check' Signed-off-by: Frank Lichtenheld Acked-by: Arne Schwabe Message-Id: <20240325071448.12143-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28452.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: Use snprintf instead of sprintf for get_ssl_library_version
Your patch has been applied to the master and release/2.6 branch (because this is good behaviour, even if we know there can not be an overrun - today). Tested on... Linux, with "library versions: mbed TLS 2.28.7, LZO 2.10" FreeBSD, with "library versions: mbed TLS 3.5.1, LZO 2.10" commit 6a60d1bef424088df55f4d07efd45ce080fc7132 (master) commit 11ca69cfac1c6d3ed34652650688a4b3c99573b0 (release/2.6) Author: Arne Schwabe Date: Mon Mar 25 13:50:52 2024 +0100 Use snprintf instead of sprintf for get_ssl_library_version Signed-off-by: Arne Schwabe Acked-by: Frank Lichtenheld Message-Id: <20240325125052.14135-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28458.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: documentation: make section levels consistent
Your patch has been applied to the master and release/2.6 branch (doc). commit 3fdf5aa04f7b96a3b7110f75306306ac5d7ed5fd (master) commit 7993084c7f2b537e20a0a0d67385733d7d56688c (release/2.6) Author: Frank Lichtenheld Date: Mon Mar 25 08:15:20 2024 +0100 documentation: make section levels consistent Signed-off-by: Frank Lichtenheld Acked-by: Arne Schwabe Message-Id: <20240325071520.12513-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28453.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: samples: Update sample configurations
Thanks for the housekeeping... As discussed on IRC, I've added text about tls-auth being commented out to the commit message. Your patch has been applied to the master and release/2.6 branch (relevant documentation update). commit b0fc10abd06fa2307e95c8a60fa94f7ccc08d2ac (master) commit 371cc5874faf67057c9f95796195306beeba0628 (release/2.6) Author: Frank Lichtenheld Date: Mon Mar 25 08:13:20 2024 +0100 samples: Update sample configurations Signed-off-by: Frank Lichtenheld Acked-by: Arne Schwabe Message-Id: <20240325071320.11348-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28451.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v1] Use snprintf instead of sprintf for get_ssl_library_version
From: Arne Schwabe This is avoid a warning/error (when using -Werror) under current macOS of sprintf: __deprecated_msg("This function is provided for compatibility reasons only. Due to security concerns inherent in the design of sprintf(3), it is highly recommended that you use snprintf(3) instead.") Change-Id: I3c6fd36eb9daee9244d6dc6d9f22de1c5cf9d039 Signed-off-by: Arne Schwabe Acked-by: Frank Lichtenheld --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/545 This mail reflects revision 1 of this Change. Signed-off-by line for the author was added as per our policy. Acked-by according to Gerrit (reflected above): Frank Lichtenheld diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c index b44ddd5..0730d25 100644 --- a/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c @@ -1614,7 +1614,7 @@ { static char mbedtls_version[30]; unsigned int pv = mbedtls_version_get_number(); -sprintf( mbedtls_version, "mbed TLS %d.%d.%d", +snprintf(mbedtls_version, sizeof(mbedtls_version), "mbed TLS %d.%d.%d", (pv>>24)&0xff, (pv>>16)&0xff, (pv>>8)&0xff ); return mbedtls_version; } ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v1] Remove openvpn_snprintf and similar functions
From: Arne Schwabe Old Microsoft versions did strange behaviour but according to the newly added unit test and https://stackoverflow.com/questions/7706936/is-snprintf-always-null-terminating this is now standard conforming and we can use the normal snprintf method. Microsoft own documentation to swprintf also says you nowadays need to define _CRT_NON_CONFORMING_SWPRINTFS to get to non-standard behaviour. Change-Id: I07096977e3b562bcb5d2c6f11673a4175b8e12ac Signed-off-by: Arne Schwabe Acked-by: Antonio Quartulli --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/547 This mail reflects revision 1 of this Change. Signed-off-by line for the author was added as per our policy. Acked-by according to Gerrit (reflected above): Antonio Quartulli diff --git a/src/openvpn/buffer.c b/src/openvpn/buffer.c index 66fd63f..3a8069c 100644 --- a/src/openvpn/buffer.c +++ b/src/openvpn/buffer.c @@ -279,32 +279,6 @@ return ret; } - -/* - * This is necessary due to certain buggy implementations of snprintf, - * that don't guarantee null termination for size > 0. - * - * Return false on overflow. - * - * This functionality is duplicated in src/openvpnserv/common.c - * Any modifications here should be done to the other place as well. - */ - -bool -openvpn_snprintf(char *str, size_t size, const char *format, ...) -{ -va_list arglist; -int len = -1; -if (size > 0) -{ -va_start(arglist, format); -len = vsnprintf(str, size, format, arglist); -va_end(arglist); -str[size - 1] = 0; -} -return (len >= 0 && len < size); -} - /* * write a string to the end of a buffer that was * truncated by buf_printf diff --git a/src/openvpn/buffer.h b/src/openvpn/buffer.h index 7c2f75a..27c3199 100644 --- a/src/openvpn/buffer.h +++ b/src/openvpn/buffer.h @@ -448,19 +448,6 @@ */ bool buf_puts(struct buffer *buf, const char *str); -/* - * Like snprintf but guarantees null termination for size > 0 - */ -bool openvpn_snprintf(char *str, size_t size, const char *format, ...) -#ifdef __GNUC__ -#if __USE_MINGW_ANSI_STDIO -__attribute__ ((format(gnu_printf, 3, 4))) -#else -__attribute__ ((format(__printf__, 3, 4))) -#endif -#endif -; - /* * remove/add trailing characters diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index 5d05cc4..207f145 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c @@ -874,11 +874,11 @@ key_direction_state_init(, key_direction); -openvpn_snprintf(log_prefix, sizeof(log_prefix), "Outgoing %s", name); +snprintf(log_prefix, sizeof(log_prefix), "Outgoing %s", name); init_key_ctx(>encrypt, >keys[kds.out_key], kt, OPENVPN_OP_ENCRYPT, log_prefix); -openvpn_snprintf(log_prefix, sizeof(log_prefix), "Incoming %s", name); +snprintf(log_prefix, sizeof(log_prefix), "Incoming %s", name); init_key_ctx(>decrypt, >keys[kds.in_key], kt, OPENVPN_OP_DECRYPT, log_prefix); diff --git a/src/openvpn/crypto_mbedtls.c b/src/openvpn/crypto_mbedtls.c index 1a39752..c806719 100644 --- a/src/openvpn/crypto_mbedtls.c +++ b/src/openvpn/crypto_mbedtls.c @@ -128,7 +128,7 @@ { char prefix[256]; -if (!openvpn_snprintf(prefix, sizeof(prefix), "%s:%d", func, line)) +if (!snprintf(prefix, sizeof(prefix), "%s:%d", func, line)) { return mbed_log_err(flags, errval, func); } @@ -239,11 +239,11 @@ char header[1000+1] = { 0 }; char footer[1000+1] = { 0 }; -if (!openvpn_snprintf(header, sizeof(header), "-BEGIN %s-\n", name)) +if (!snprintf(header, sizeof(header), "-BEGIN %s-\n", name)) { return false; } -if (!openvpn_snprintf(footer, sizeof(footer), "-END %s-\n", name)) +if (!snprintf(footer, sizeof(footer), "-END %s-\n", name)) { return false; } @@ -278,11 +278,11 @@ char header[1000+1] = { 0 }; char footer[1000+1] = { 0 }; -if (!openvpn_snprintf(header, sizeof(header), "-BEGIN %s-", name)) +if (!snprintf(header, sizeof(header), "-BEGIN %s-", name)) { return false; } -if (!openvpn_snprintf(footer, sizeof(footer), "-END %s-", name)) +if (!snprintf(footer, sizeof(footer), "-END %s-", name)) { return false; } diff --git a/src/openvpn/dns.c b/src/openvpn/dns.c index 7de3991..0539ca5 100644 --- a/src/openvpn/dns.c +++ b/src/openvpn/dns.c @@ -349,11 +349,11 @@ if (j < 0) { -name_ok = openvpn_snprintf(name, sizeof(name), format, i); +name_ok = snprintf(name, sizeof(name), format, i); } else { -name_ok = openvpn_snprintf(name, sizeof(name), format, i, j); +name_ok = snprintf(name, sizeof(name), format, i, j); } if (!name_ok) diff --git a/src/openvpn/env_set.c b/src/openvpn/env_set.c index
[Openvpn-devel] [PATCH v2] documentation: make section levels consistent
From: Frank Lichtenheld Previously the sections "Encryption Options" and "Data channel cipher negotiation" were on the same level as "OPTIONS", which makes no sense. Instead move them and their subsections one level down. Use ` since that was already in use in section "Virtual Routing and Forwarding". Change-Id: Ib5a7f9a978bda5ad58830e43580232660401f66d Signed-off-by: Frank Lichtenheld Acked-by: Arne Schwabe --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/527 This mail reflects revision 2 of this Change. Acked-by according to Gerrit (reflected above): Arne Schwabe diff --git a/doc/man-sections/cipher-negotiation.rst b/doc/man-sections/cipher-negotiation.rst index 949ff86..1285e82 100644 --- a/doc/man-sections/cipher-negotiation.rst +++ b/doc/man-sections/cipher-negotiation.rst @@ -1,12 +1,12 @@ Data channel cipher negotiation -=== +--- OpenVPN 2.4 and higher have the capability to negotiate the data cipher that is used to encrypt data packets. This section describes the mechanism in more detail and the different backwards compatibility mechanism with older server and clients. OpenVPN 2.5 and later behaviour - +``` When both client and server are at least running OpenVPN 2.5, that the order of the ciphers of the server's ``--data-ciphers`` is used to pick the data cipher. That means that the first cipher in that list that is also in the client's @@ -25,7 +25,7 @@ ``--cipher`` option to this list. OpenVPN 2.4 clients +``` The negotiation support in OpenVPN 2.4 was the first iteration of the implementation and still had some quirks. Its main goal was "upgrade to AES-256-GCM when possible". An OpenVPN 2.4 client that is built against a crypto library that supports AES in GCM @@ -40,7 +40,7 @@ options to avoid this behaviour. OpenVPN 3 clients -- +` Clients based on the OpenVPN 3.x library (https://github.com/openvpn/openvpn3/) do not have a configurable ``--ncp-ciphers`` or ``--data-ciphers`` option. Newer versions by default disable legacy AES-CBC, BF-CBC, and DES-CBC ciphers. @@ -52,7 +52,7 @@ OpenVPN 2.3 and older clients (and clients with ``--ncp-disable``) --- +`` When a client without cipher negotiation support connects to a server the cipher specified with the ``--cipher`` option in the client configuration must be included in the ``--data-ciphers`` option of the server to allow @@ -65,7 +65,7 @@ cipher used by the client is necessary. OpenVPN 2.4 server --- +`` When a client indicates support for `AES-128-GCM` and `AES-256-GCM` (with ``IV_NCP=2``) an OpenVPN 2.4 server will send the first cipher of the ``--ncp-ciphers`` to the OpenVPN client regardless of what @@ -76,7 +76,7 @@ those ciphers are present. OpenVPN 2.3 and older servers (and servers with ``--ncp-disable``) --- +`` The cipher used by the server must be included in ``--data-ciphers`` to allow the client connecting to a server without cipher negotiation support. @@ -89,7 +89,7 @@ cipher used by the server is necessary. Blowfish in CBC mode (BF-CBC) deprecation --- +` The ``--cipher`` option defaulted to `BF-CBC` in OpenVPN 2.4 and older version. The default was never changed to ensure backwards compatibility. In OpenVPN 2.5 this behaviour has now been changed so that if the ``--cipher`` diff --git a/doc/man-sections/encryption-options.rst b/doc/man-sections/encryption-options.rst index 3b26782..49385d6 100644 --- a/doc/man-sections/encryption-options.rst +++ b/doc/man-sections/encryption-options.rst @@ -1,8 +1,8 @@ Encryption Options -== +-- SSL Library information +``` --show-ciphers (Standalone) Show all cipher algorithms to use with the ``--cipher`` @@ -32,7 +32,7 @@ ``--ecdh-curve`` and ``tls-groups`` options. Generating key material +``` --genkey args (Standalone) Generate a key to be used of the type keytype. if keyfile diff --git a/doc/man-sections/pkcs11-options.rst b/doc/man-sections/pkcs11-options.rst index de1662b..dfc27af 100644 --- a/doc/man-sections/pkcs11-options.rst +++ b/doc/man-sections/pkcs11-options.rst @@ -1,5 +1,5 @@ PKCS#11 / SmartCard options +``` --pkcs11-cert-private args Set if
[Openvpn-devel] [PATCH v2] phase2_tcp_server: fix Coverity issue "Dereference after null check"
From: Frank Lichtenheld As Coverity says: Either the check against null is unnecessary, or there may be a null pointer dereference. In phase2_tcp_server: Pointer is checked against null but then dereferenced anyway There is only one caller (link_socket_init_phase2) and it already has an ASSERT(sig_info). So use that here was well. v2: - fix cleanly by actually asserting that sig_info is defined Change-Id: I8ef199463d46303129a3f563fd9eace780a58b8a Signed-off-by: Frank Lichtenheld Acked-by: Arne Schwabe --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/490 This mail reflects revision 2 of this Change. Acked-by according to Gerrit (reflected above): Arne Schwabe diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c index 480f4e5..387cb40 100644 --- a/src/openvpn/socket.c +++ b/src/openvpn/socket.c @@ -2005,7 +2005,8 @@ phase2_tcp_server(struct link_socket *sock, const char *remote_dynamic, struct signal_info *sig_info) { -volatile int *signal_received = sig_info ? _info->signal_received : NULL; +ASSERT(sig_info); +volatile int *signal_received = _info->signal_received; switch (sock->mode) { case LS_MODE_DEFAULT: @@ -2031,7 +2032,7 @@ false); if (!socket_defined(sock->sd)) { -register_signal(sig_info, SIGTERM, "socket-undefiled"); +register_signal(sig_info, SIGTERM, "socket-undefined"); return; } tcp_connection_established(>info.lsa->actual); ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v4] samples: Update sample configurations
From: Frank Lichtenheld - Remove compression settings. Not recommended anymore. - Remove old cipher setting. Replaced by data-ciphers negotiation. - Add comment how to set data-ciphers for very old clients. - Remove/reword some old comments. e.g. no need to reference OpenVPN 1.x anymore. - Mention peer-fingerprint alternative. Github: #511 Change-Id: I1a36651c0dea52259533ffc00bccb9b03bf82e26 Signed-off-by: Frank Lichtenheld Acked-by: Arne Schwabe --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/532 This mail reflects revision 4 of this Change. Acked-by according to Gerrit (reflected above): Arne Schwabe diff --git a/sample/sample-config-files/README b/sample/sample-config-files/README index d53ac79..1493dab 100644 --- a/sample/sample-config-files/README +++ b/sample/sample-config-files/README @@ -4,3 +4,5 @@ which is located at: http://openvpn.net/howto.html + +See also the openvpn-examples man page. diff --git a/sample/sample-config-files/client.conf b/sample/sample-config-files/client.conf index f51e017..53b8027 100644 --- a/sample/sample-config-files/client.conf +++ b/sample/sample-config-files/client.conf @@ -1,5 +1,5 @@ ## -# Sample client-side OpenVPN 2.0 config file # +# Sample client-side OpenVPN 2.6 config file # # for connecting to multi-client server. # ## # This configuration can be used by multiple # @@ -102,22 +102,15 @@ # EasyRSA can do this for you. remote-cert-tls server +# Allow to connect to really old OpenVPN versions +# without AEAD support (OpenVPN 2.3.x or older) +# This adds AES-256-CBC as fallback cipher and +# keeps the modern ciphers as well. +;data-ciphers AES-256-GCM:AES-128-GCM:?CHACHA20-POLY1305:AES-256-CBC + # If a tls-auth key is used on the server # then every client must also have the key. -tls-auth ta.key 1 - -# Select a cryptographic cipher. -# If the cipher option is used on the server -# then you must also specify it here. -# Note that v2.4 client/server will automatically -# negotiate AES-256-GCM in TLS mode. -# See also the data-ciphers option in the manpage -cipher AES-256-CBC - -# Enable compression on the VPN link. -# Don't enable this unless it is also -# enabled in the server config file. -#comp-lzo +;tls-auth ta.key 1 # Set log file verbosity. verb 3 diff --git a/sample/sample-config-files/server.conf b/sample/sample-config-files/server.conf index 97732c6..48716a0 100644 --- a/sample/sample-config-files/server.conf +++ b/sample/sample-config-files/server.conf @@ -1,5 +1,5 @@ # -# Sample OpenVPN 2.0 config file for# +# Sample OpenVPN 2.6 config file for# # multi-client server. # # # # This file is for the server side # @@ -47,15 +47,15 @@ # an explicit unit number, such as tun0. # On Windows, use "dev-node" for this. # On most systems, the VPN will not function -# unless you partially or fully disable +# unless you partially or fully disable/open # the firewall for the TUN/TAP interface. ;dev tap dev tun # Windows needs the TAP-Win32 adapter name # from the Network Connections panel if you -# have more than one. On XP SP2 or higher, -# you may need to selectively disable the +# have more than one. +# You may need to selectively disable the # Windows firewall for the TAP adapter. # Non-Windows systems usually don't need this. ;dev-node MyTap @@ -66,8 +66,9 @@ # key file. The server and all clients will # use the same ca file. # -# See the "easy-rsa" directory for a series -# of scripts for generating RSA certificates +# See the "easy-rsa" project at +# https://github.com/OpenVPN/easy-rsa +# for generating RSA certificates # and private keys. Remember to use # a unique Common Name for the server # and each of the client certificates. @@ -75,6 +76,13 @@ # Any X509 key management system can be used. # OpenVPN can also use a PKCS #12 formatted key file # (see "pkcs12" directive in man page). +# +# If you do not want to maintain a CA +# and have a small number of clients +# you can also use self-signed certificates +# and use the peer-fingerprint option. +# See openvpn-examples man page for a +# configuration example. ca ca.crt cert server.crt key server.key # This file should be kept secret @@ -84,12 +92,18 @@ # openssl dhparam -out dh2048.pem 2048 dh dh2048.pem +# Allow to connect to really old OpenVPN versions +# without AEAD support (OpenVPN 2.3.x or older) +# This adds AES-256-CBC as fallback cipher and +# keeps the modern ciphers as well. +;data-ciphers AES-256-GCM:AES-128-GCM:?CHACHA20-POLY1305:AES-256-CBC + # Network topology # Should be subnet (addressing via IP) # unless Windows clients v2.0.9 and lower have to # be
Re: [Openvpn-devel] [PATCH v2] Implement server_poll_timeout for socks
Hi, On Fri, Mar 15, 2024 at 05:40:02PM +0100, Frank Lichtenheld wrote: > Code looks good and I tested build and default t_client tests. > However, not sure how exactly to verify that it actually works. > The SOCKS proxy I have doesn't exhibit any problems even with > --connect-timeout 1. > > Any ideas for testing welcome. As far as I understand this fix, it's replacing the 5s hard coded timeout for "handshake with the SOCKS proxy" with --connect-timeout. So to exhibit any change in behaviour, you need a slow SOCKs proxy... I have a few ideas how to test this, like - --socks-proxy :10080 (should fail after 5 seconds without the patch, after --connect-timeout with the patch) - hack "something that can speak SOCKS" (like, ssh) to be really slow in answering - like, "add a sleep(15) in the socks handshake path", and point OpenVPN to that. Without the patch, this should fail, with the patch, it should succeeds. (Note: 'ssh -D ' will do SOCKS, but not UDP -> TCP server needed) I have no time just now to go hacking on this, so just putting out the ideas... For our regular testbed, testing all these timeouts is complicated (and even if you succeed, it's sllloowww if you want reproduceable results, so not "milliseconds timers"). gert -- "If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor." Robert A. Heinlein, The Moon is a Harsh Mistress Gert Doering - Munich, Germany g...@greenie.muc.de signature.asc Description: PGP signature ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: interactive.c: Fix potential stack overflow issue
Acked-by: Gert Doering Verified that this is the same conceptual patch as we have in master and release/2.6, just the lines look a bit different because the 2.5 code is different - the union has less members, and there is ring_buffer related stuff in the context that was changed for 2.6 Test compiled on MinGW + GHA. Your patch has been applied to the release/2.5 branch. commit d29496cce2d91a74706e3d5e4c48773715b10812 Author: Lev Stipakov Date: Wed Mar 20 10:19:45 2024 +0200 interactive.c: Fix potential stack overflow issue Signed-off-by: Lev Stipakov Acked-by: Heiko Hund Acked-by: Gert Doering Message-Id: <20240320082000.284-2-...@openvpn.net> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28433.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: Disable DCO if proxy is set via management
Straight and to the point :-) Minimally tested with a linux t_client setup that uses DCO and proxy (but no --managment-query-proxy). Your patch has been applied to the master and release/2.6 branch (bugfix). commit fd6b8395f6cee8a6c28f335ec25ed6db11f7 (master) commit 462fed53c7a5f21c07dafa4910765efe56d7402d (release/2.6) Author: Lev Stipakov Date: Mon Mar 18 19:17:44 2024 +0100 Disable DCO if proxy is set via management Signed-off-by: Lev Stipakov Acked-by: Frank Lichtenheld Message-Id: <20240318181744.20625-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28415.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: interactive.c: Fix potential stack overflow issue
As for the two previous windows/CVE patches, this patch was sent "with ACK included" to the openvpn-devel@ list because it was developed under embargo (CVE), and reviewed and ACKed in a closed group. I have verified that this patch is identical to the "v2" version that Heiko and the original reporter saw and ACKed. The patch looks larger than the actual code change, because to do the size check the union typedef needs to move outside the function where it was "local" before. The actual check is very straightforward - "if there is more data in the pipe than can fit into a pipe_message_t, log an error and close this thread" (thus, abandon the process on the other end that pretends to be openvpn.exe but is misbehaving). In itself, this bug is annoying, but can not be directly exploited (because you cannot "just talk to this pipe", but you need to be openvpn.exe from the install directory). Combined with other potential flaws that give an attacker the opportunity to swap the openvpn.exe binary or get a malicious plugin loaded, this could end up being a local privilege escalation to SYSTEM. No exploit is known so far - this was found by code inspection for missing bounds checks. I have test compiled this on MinGW and GHA, but did not actually run it. Your patch has been applied to the master and release/2.6 branch (security relevant bugfix). A direct cherrypick to 2.5 fails due to "sufficiently different code and data structures" so I've asked Lev to send a 2.5 version which I could review-and-ACK then. commit 989b22cb6e007fd1addcfaf7d12f4fec9fbc9639 (master) commit 9b2693feff9c49b9485cf94797c1c3502259dbe1 (release/2.6) Author: Lev Stipakov Date: Tue Mar 19 17:27:11 2024 +0200 interactive.c: Fix potential stack overflow issue Signed-off-by: Lev Stipakov Acked-by: Heiko Hund Message-Id: <20240319152803.1801-2-...@openvpn.net> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28420.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: interactive.c: Fix potential stack overflow issue
As for the two previous windows/CVE patches, this patch was sent "with ACK included" to the openvpn-devel@ list because it was developed under embargo (CVE), and reviewed and ACKed in a closed group. I have verified that this patch is identical to the "v2" version that Heiko and the original reporter saw and ACKed. The patch looks larger than the actual code change, because to do the size check the union typedef needs to move outside the function where it was "local" before. The actual check is very straightforward - "if there is more data in the pipe than can fit into a pipe_message_t, log an error and close this thread" (thus, abandon the process on the other end that pretends to be openvpn.exe but is misbehaving). In itself, this bug is annoying, but can not be directly exploited (because you cannot "just talk to this pipe", but you need to be openvpn.exe from the install directory). Combined with other potential flaws that give an attacker the opportunity to swap the openvpn.exe binary or get a malicious plugin loaded, this could end up being a local privilege escalation to SYSTEM. No exploit is known so far - this was found by code inspection for missing bounds checks. I have test compiled this on MinGW and GHA, but did not actually run it. Your patch has been applied to the master and release/2.6 branch (security relevant bugfix). A direct cherrypick to 2.5 fails due to "sufficiently different code and data structures" so I've asked Lev to send a 2.5 version which I could review-and-ACK then. commit 989b22cb6e007fd1addcfaf7d12f4fec9fbc9639 (master) commit 9b2693feff9c49b9485cf94797c1c3502259dbe1 (release/2.6) Author: Lev Stipakov Date: Tue Mar 19 17:27:11 2024 +0200 interactive.c: Fix potential stack overflow issue Signed-off-by: Lev Stipakov Acked-by: Heiko Hund Message-Id: <20240319152803.1801-2-...@openvpn.net> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28420.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: interactive.c: disable remote access to the service pipe
As for the "plugin loading", this patch was sent "with ACK included" to the openvpn-devel@ list because it was developed under embargo (CVE), and reviewed and ACKed in a closed group. I have verified that this patch is identical to the that Heiko and the original reporter saw and ACKed. It's not very clear if there is a real attack angle here, but generally speaking this is a local process which only the GUI running on the same machine should be speaking to, so we do not want arbitrary machines in the network to be able to connect to its pipe and "try things". I have test compiled this on MinGW and GHA, but did not actually run it. Your patch has been applied to the master, release/2.6 and release/2.5 branch (security relevant bugfix). commit 2c1de0f0803360c0a6408f754066bd3a6fb28237 (master) commit a95e665041466ec7d4ca6dbf89d22c7950e9ef26 (release/2.6) commit e0775c042c7908a9b315da8092b436d03abea08a (release/2.5) Author: Lev Stipakov Date: Tue Mar 19 17:16:07 2024 +0200 interactive.c: disable remote access to the service pipe Signed-off-by: Lev Stipakov Acked-by: Heiko Hund Message-Id: <20240319151723.936-2-...@openvpn.net> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28419.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: GHA: general update March 2024
Tested on my GH repo. Works (except as noted for ubuntu/ASAN). Your patch has been applied to the master and release/2.6 branch. (Two merge conflicts, one related to "there is no checkout for mingw-unittests in 2.6 (yet)" and one to "no mbedtls3 tests") commit 36ff5cdb45183c13b0cb084b288b237ad55345cd (master) commit 5afc89ab747cfc8ad6b391f17dca61661e9b9df3 (release/2.6) Author: Frank Lichtenheld Date: Tue Mar 19 16:44:56 2024 +0100 GHA: general update March 2024 Signed-off-by: Frank Lichtenheld Acked-by: Arne Schwabe Message-Id: <20240319154456.2967716-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28422.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: win32: Enforce loading of plugins from a trusted directory
Thanks for that. This patch was sent "with ACK included" to the openvpn-devel@ list because it was developed under embargo (CVE), and reviewed and ACKed in a closed group. I have verified that this patch is identical to the "v4 one" that Selva and the original reporter saw and ACKed. This is related to plugin loading on windows only. We have discussed the topic of "restricting plugin loading on other platforms" but it's more complex to tackle (it starts with "there is no central registry to put restrictions into", but goes on to "on unix, openvpn runs as root anyway, so we expect this to be done by admins who spend some thought on what scripts and plugin they call, and from which paths") - so we haven't done anything there yet. I have test built this on MinGW/Ubuntu, just for completeness, and via GHA. Haven't tested the result myself (no plugin setup on windows). (I do have a few gripes, but these are more cosmetical - like "make get_openvpn_reg_value() static", and "wrap the long if() condition at the '&&', not in the middle of the function call" - but these are all not important for the functionality) Your patch has been applied to the master, release/2.6 and release/2.5 branch (security relevant bugfix). commit aaea545d8a940f761898d736b68bcb067d503b1d (master) commit 05d321ef980734478a86c5241dad7ba26a748a2f (release/2.6) commit 30bddb1a5426523ef1d61c8a5df2c613ba2a47d3 (release/2.5) Author: Lev Stipakov Date: Tue Mar 19 15:53:45 2024 +0200 win32: Enforce loading of plugins from a trusted directory Signed-off-by: Lev Stipakov Acked-by: Selva Nair Message-Id: <20240319135355.1279-2-...@openvpn.net> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28416.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v1] Disable DCO if proxy is set via management
From: Lev Stipakov Commit 45a1cb2a ("Disable DCO if proxy is set via management") attempted to disable DCO when proxy is set via management interface. However, at least on Windows this doesn't work, since: - setting tuntap_options->disable_dco to true is not enough to disable DCO - at this point it is a bit too late, since we've already done DCO-specific adjustments Since proxy could be set via management only if --management-query-proxy is specified, the better way would be to add a check to dco_check_startup_option(). Github: fixes OpenVPN/openvpn#522 Change-Id: I16d6a9fefa317d7d4a195e786618328445bdbca8 Signed-off-by: Lev Stipakov Acked-by: Frank Lichtenheld --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/543 This mail reflects revision 1 of this Change. Acked-by according to Gerrit (reflected above): Frank Lichtenheld diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c index 14430d3..540b5a8 100644 --- a/src/openvpn/dco.c +++ b/src/openvpn/dco.c @@ -387,6 +387,12 @@ return false; } +if (o->management_flags & MF_QUERY_PROXY) +{ +msg(msglevel, "Note: --management-query-proxy disables data channel offload."); +return false; +} + /* now that all options have been confirmed to be supported, check * if DCO is truly available on the system */ diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 52b3931..6a3040f 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -221,12 +221,6 @@ } else if (p[2] && p[3]) { -if (dco_enabled(>options)) -{ -msg(M_INFO, "Proxy set via management, disabling Data Channel Offload."); -c->options.tuntap_options.disable_dco = true; -} - if (streq(p[1], "HTTP")) { struct http_proxy_options *ho; ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: Update Copyright statements to 2024
Acked-by: Gert Doering Like Christmas... happens every year :-) - verified that this, indeed, only affects copyright lines ("git show -I '^ \* Copyright') - I guess it was produced by update-copyright.sh anyway, but review is what I do... The only actual code change is the msg() in options.c For some unknown reason, the mail-archive.com list archive does not have the original e-mail, but the sourceforge one has - so I'm linking to that URL. Your patch has been applied to the master and release/2.6 branch. Cherry-Picking to 2.6 upset git a bit (conflict in sig.c and lots of complaints about unit test files not existing in release/2.6) - but all quite obvious. commit b25c6d7e861d446b7a2e03cbcfb892d554c1ef73 (master) commit ff06f4ca4290fde46019d61d9c1039ad05b12701 (release/2.6) Author: Frank Lichtenheld Date: Fri Mar 15 18:00:54 2024 +0100 Update Copyright statements to 2024 Signed-off-by: Frank Lichtenheld Acked-by: Gert Doering Message-Id: <20240315170054.2368254-1-fr...@lichtenheld.com> URL: https://sourceforge.net/p/openvpn/mailman/message/58749316/ Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: Remove license warning from README.mbedtls
Well spotted :-) Your patch has been applied to the master and release/2.6 branch. commit 91eb4606a4a3e8e2a4ed2ac4e2257e7ea44ccc44 (master) commit 366ca5b9b5ec104e0c7ae2f3cf563b9057ee879a (release/2.6) Author: Max Fillinger Date: Thu Mar 14 19:55:27 2024 +0100 Remove license warning from README.mbedtls Signed-off-by: Max Fillinger Acked-by: Gert Doering Message-Id: <20240314185527.26803-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28400.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v1] Remove license warning from README.mbedtls
From: Max Fillinger The licenses are compatible now, so we can remove the warning. Change-Id: I1879c893ed19b165fd086728fb97951eac251681 Signed-off-by: Max Fillinger Acked-by: Gert Doering --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/561 This mail reflects revision 1 of this Change. Acked-by according to Gerrit (reflected above): Gert Doering diff --git a/README.mbedtls b/README.mbedtls index 124eaa2..c4f3924 100644 --- a/README.mbedtls +++ b/README.mbedtls @@ -11,22 +11,6 @@ * -Warning: - -As of mbed TLS 2.17, it can be licensed *only* under the Apache v2.0 license. -That license is incompatible with OpenVPN's GPLv2. - -We are currently in the process of resolving this problem, but for now, if you -wish to distribute OpenVPN linked with mbed TLS, there are two options: - - * Ensure that your case falls under the system library exception in GPLv2, or - - * Use an earlier version of mbed TLS. Version 2.16.12 is the last release - that may be licensed under GPLv2. Unfortunately, this version is - unsupported and won't receive any more updates. - -* - Due to limitations in the mbed TLS library, the following features are missing in the mbed TLS version of OpenVPN: ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH applied] Re: t_client.sh: Allow to skip tests
Hi, On Mon, Mar 11, 2024 at 12:44:20PM +0100, Frank Lichtenheld wrote: > On Fri, Mar 08, 2024 at 12:51:33PM +0100, Gert Doering wrote: > [...] > > Your patch has been applied to the master branch. > > Could we please cherry-pick this to release/2.6 as well? > > Would make it much easier to use this capability in our buildbot > infrastructure and the patch only affects tests anyway. I did toy with the idea, but was afraid it wouldn't work as so much of the new unit test infra is only in master - the t_client patch is trivial, but ntlm_support + mock_msg. Turns out this went smoothly, so here we go... gert@gentoo ~/openvpn-26.git $ tests/ntlm_support gert@gentoo ~/openvpn-26.git $ echo $? 0 (openssl build) > > commit 0c7cf0694ee6f878168330e9a084c255c51a9e8b > > Author: Frank Lichtenheld > > Date: Fri Mar 8 11:28:18 2024 +0100 > > > > t_client.sh: Allow to skip tests commit bbc77d1719d2d5b33e58abac5eba8b8e409561ab (HEAD -> release/2.6, vweb1/release/2.6) Author: Frank Lichtenheld Date: Fri Mar 8 11:28:18 2024 +0100 t_client.sh: Allow to skip tests (cherry picked from commit 0c7cf0694ee6f878168330e9a084c255c51a9e8b) gert -- "If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor." Robert A. Heinlein, The Moon is a Harsh Mistress Gert Doering - Munich, Germany g...@greenie.muc.de signature.asc Description: PGP signature ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: Update documentation references in systemd unit files
Your patch has been applied to the master and release/2.6 branch. commit f65c656ac034a99cca09557eeb9337e7c00a7e73 (master) commit c6a61b84fdec825b0b4855d8cd12afa9ebeec43e (release/2.6) Author: Christoph Schug Date: Fri Mar 8 15:03:46 2024 +0100 Update documentation references in systemd unit files Signed-off-by: Christoph Schug Acked-by: Frank Lichtenheld Message-Id: <20240308140346.4058419-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28369.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: remove repetitive words in documentation and comments
Thanks, well spotted. Having a proper "From:" in the patch would make proper attribution easier, but we'll have to go with what we have. Your patch has been applied to the master and release/2.6 branch (doc). commit ad39f99f27522e622f408cc1a3323ba7d80907e8 (master) commit f6c894bd7db0fdfcb32f6ff9571569c5bff392c6 (release/2.6) Author: wellweek Date: Fri Mar 8 15:01:12 2024 +0100 remove repetitive words in documentation and comments Signed-off-by: wellweek Acked-by: Frank Lichtenheld Message-Id: <20240308140112.4015131-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28368.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: gerrit-send-mail: add missing Signed-off-by
Your patch has been applied to the master branch. commit bea088cf8ae3382aeed420da2a39f2a9f52df4cd Author: Frank Lichtenheld Date: Fri Mar 8 13:05:57 2024 +0100 gerrit-send-mail: add missing Signed-off-by Signed-off-by: Frank Lichtenheld Acked-by: Gert Doering Message-Id: <20240308120557.9065-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28362.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v1] gerrit-send-mail: add missing Signed-off-by
From: Frank Lichtenheld Our development documentation says we add this automatically when it is missing. So let's do that here as well. Change-Id: If9cb7d66f079fe1c87fcb5b4e59bc887533d77fa Signed-off-by: Frank Lichtenheld Acked-by: Gert Doering --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/530 This mail reflects revision 1 of this Change. Acked-by according to Gerrit (reflected above): Gert Doering diff --git a/dev-tools/gerrit-send-mail.py b/dev-tools/gerrit-send-mail.py index 67a2cf1..10305e2 100755 --- a/dev-tools/gerrit-send-mail.py +++ b/dev-tools/gerrit-send-mail.py @@ -50,6 +50,12 @@ ack = f"{reviewer_name} <{reviewer_mail}>" print(f"Acked-by: {ack}") acked_by.append(ack) +# construct Signed-off-by in case it is missing +owner = json_data["owner"] +owner_name = owner.get("display_name", owner["name"]) +owner_mail = owner.get("email", owner["name"]) +sign_off = f"{owner_name} <{owner_mail}>" +print(f"Signed-off-by: {sign_off}") change_id = json_data["change_id"] # assumes that the created date in Gerrit is in UTC utc_stamp = ( @@ -67,6 +73,7 @@ "target": json_data["branch"], "msg_id": msg_id, "acked_by": acked_by, +"sign_off": sign_off, } @@ -81,10 +88,14 @@ def apply_patch_mods(patch_text, details, args): comment_start = patch_text.index("\n---\n") + len("\n---\n") +signed_off_text = "" +signed_off_comment = "" try: signed_off_start = patch_text.rindex("\nSigned-off-by: ") signed_off_end = patch_text.index("\n", signed_off_start + 1) + 1 except ValueError: # Signed-off missing +signed_off_text = f"Signed-off-by: {details['sign_off']}\n" +signed_off_comment = "\nSigned-off-by line for the author was added as per our policy.\n" signed_off_end = patch_text.index("\n---\n") + 1 assert comment_start > signed_off_end acked_by_text = "" @@ -94,6 +105,7 @@ acked_by_names += f"{ack}\n" patch_text_mod = ( patch_text[:signed_off_end] ++ signed_off_text + acked_by_text + patch_text[signed_off_end:comment_start] + f""" @@ -102,6 +114,7 @@ Gerrit URL: {args.url}/c/{details["project"]}/+/{args.changeid} This mail reflects revision {details["revision"]} of this Change. +{signed_off_comment} Acked-by according to Gerrit (reflected above): {acked_by_names} """ ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: t_client.sh: Allow to skip tests
Thanks. This is a welcome addition for CI tests where we test functionality that might fail "if built with the wrong SSL library" (like, NTLM proxy) - and I could see a few more of this ("compression variants", etc) The test looks larger than the actual t_client.sh(.in) + doc change as it brings an actual "can NTLM proxy work?" test program - as we discussed the handling of mock_msg.c/mock_msg.h could be improved, but we all haven't been able to come up with a really nice way. Tested ntlm_support with an mbedTLS build, works as designed... openvpn$ tests/ntlm_support FATAL ERROR:MD4 not supported openvpn$ echo $? 1 (Building this on top of a tree that has already been built without this patch leads to confused Makefiles and failures to build "ntlm_support" - but this goes away on a fresh checkout / autoreconf, so will not normally hit users) Your patch has been applied to the master branch. commit 0c7cf0694ee6f878168330e9a084c255c51a9e8b Author: Frank Lichtenheld Date: Fri Mar 8 11:28:18 2024 +0100 t_client.sh: Allow to skip tests Signed-off-by: Frank Lichtenheld Acked-by: Gert Doering Message-Id: <20240308102818.9249-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/search?l=mid=20240308102818.9249-1-g...@greenie.muc.de Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: Minor fix to process_ip_header
Verified ("git show -w") that this is indeed just removing one level of indentation + ICMP spelling fixes (good catch). Given the sequence of checks, this ordering is indeed a bit more costly for the "no PIP bits are set" (as is_ipv4() has to do more checking than "are we interested in this at all?") - but since we basically always default to having MSSFIX active, this is a bit moot. For good measure, subjected to GHA and server side test run. Your patch has been applied to the master branch. commit 6456d861f3f1006ccee0a7f94a159f4afe1d3178 Author: Gianmarco De Gregori Date: Thu Mar 7 13:46:16 2024 +0100 Minor fix to process_ip_header Signed-off-by: Gianmarco De Gregori Acked-by: Arne Schwabe Acked-by: Frank Lichtenheld Message-Id: <20240307124616.16358-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28345.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: check_compression_settings_valid: Do not test for LZ4 in LZO check
"Makes sense" :-) Your patch has been applied to the master and release/2.6 branch (bugfix). commit 4076d24f2f4adc432753aa62bd8158e3bf89ee21 (master) commit 7a810e64e54eda264c9cf184f442a3bae8df66af (release/2.6) Author: Frank Lichtenheld Date: Fri Feb 16 13:30:37 2024 +0100 check_compression_settings_valid: Do not test for LZ4 in LZO check Signed-off-by: Frank Lichtenheld Acked-by: Arne Schwabe Message-Id: <20240216123037.3670448-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28251.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v5] t_client.sh: Allow to skip tests
From: Frank Lichtenheld Individual tests can define a script to run to test whether they should be skipped. Included in this commit is an example check which checks whether we can do NTLM checks. This fails e.g. on recent versions of Fedora with mbedTLS (tested with Fedora 39) or when NTLM support is not compiled in. v2: - ntlm_support: - support OpenSSL 3 - allow to build without cmocka v3: - add example to t_client.rc-sample - t_client.sh code style - use syshead.h in error.h v5: - rename SKIP_x to CHECK_SKIP_x Change-Id: I13ea6752c8d102eabcc579e391828c05d5322899 Signed-off-by: Frank Lichtenheld Acked-by: Gert Doering --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/521 This mail reflects revision 5 of this Change. Acked-by according to Gerrit (reflected above): Gert Doering diff --git a/src/openvpn/error.h b/src/openvpn/error.h index 1225b13..be3484d 100644 --- a/src/openvpn/error.h +++ b/src/openvpn/error.h @@ -25,16 +25,10 @@ #define ERROR_H #include "basic.h" - -#include -#include +#include "syshead.h" #include -#if _WIN32 -#include -#endif - /* #define ABORT_ON_ERROR */ #if defined(ENABLE_PKCS11) || defined(ENABLE_MANAGEMENT) diff --git a/tests/Makefile.am b/tests/Makefile.am index b3b2d74..13a1013 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -19,6 +19,8 @@ if !WIN32 test_scripts = t_client.sh t_lpback.sh t_cltsrv.sh + +check_PROGRAMS = ntlm_support if HAVE_SITNL test_scripts += t_net.sh endif @@ -36,3 +38,15 @@ dist_noinst_DATA = \ t_client.rc-sample + +ntlm_support_CFLAGS = -I$(top_srcdir)/src/openvpn -I$(top_srcdir)/src/compat -I$(top_srcdir)/tests/unit_tests/openvpn -DNO_CMOCKA @TEST_CFLAGS@ +ntlm_support_LDFLAGS = @TEST_LDFLAGS@ -L$(top_srcdir)/src/openvpn $(OPTIONAL_CRYPTO_LIBS) +ntlm_support_SOURCES = ntlm_support.c \ + unit_tests/openvpn/mock_msg.c unit_tests/openvpn/mock_msg.h \ + $(top_srcdir)/src/openvpn/buffer.c \ + $(top_srcdir)/src/openvpn/crypto.c \ + $(top_srcdir)/src/openvpn/crypto_openssl.c \ + $(top_srcdir)/src/openvpn/crypto_mbedtls.c \ + $(top_srcdir)/src/openvpn/otime.c \ + $(top_srcdir)/src/openvpn/packet_id.c \ + $(top_srcdir)/src/openvpn/platform.c diff --git a/tests/ntlm_support.c b/tests/ntlm_support.c new file mode 100644 index 000..2d7da86 --- /dev/null +++ b/tests/ntlm_support.c @@ -0,0 +1,52 @@ +/* + * OpenVPN -- An application to securely tunnel IP networks + * over a single UDP port, with support for SSL/TLS-based + * session authentication and key exchange, + * packet encryption, packet authentication, and + * packet compression. + * + * Copyright (C) 2023 OpenVPN Inc + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "syshead.h" + +#include "crypto.h" +#include "error.h" + +int +main(void) +{ +#if defined(ENABLE_CRYPTO_OPENSSL) +crypto_load_provider("legacy"); +crypto_load_provider("default"); +#endif +#ifdef NTLM +if (!md_valid("MD4")) +{ +msg(M_FATAL, "MD4 not supported"); +} +if (!md_valid("MD5")) +{ +msg(M_FATAL, "MD5 not supported"); +} +#else /* ifdef NTLM */ +msg(M_FATAL, "NTLM support not compiled in"); +#endif +} diff --git a/tests/t_client.rc-sample b/tests/t_client.rc-sample index 355e8bb..d61ecc4 100644 --- a/tests/t_client.rc-sample +++ b/tests/t_client.rc-sample @@ -27,7 +27,7 @@ # # tests to run (list suffixes for config stanzas below) # -TEST_RUN_LIST="1 2" +TEST_RUN_LIST="1 2 2n" # # use "sudo" (etc) to give openvpn the necessary privileges @@ -53,14 +53,24 @@ # # if something is not defined here, the corresponding test is not run # -# possible test options: +# common test options: # -# RUN_TITLE_x="what is being tested on here" (purely informational) -# OPENVPN_CONF_x = "how to call ./openvpn" [mandatory] +# RUN_TITLE_x= "what is being tested on here" (purely informational) +# OPENVPN_CONF_x = "ho
[Openvpn-devel] [PATCH applied] Re: Persist-key: enable persist-key option by default
Thanks for this. We discussed this and nobody seemed to remember why persist-key was configurable really ("you could swap out the key + cert while openvpn is running and then SIGUSR1 it", but yeah, who does this?) - so thanks for throwing out these extra code paths. Tested with the full server/client rig. Your patch has been applied to the master branch. commit 802fcce5448741bb1e34dd06ac3674b6b6c55a94 Author: Gianmarco De Gregori Date: Thu Mar 7 15:03:55 2024 +0100 Persist-key: enable persist-key option by default Signed-off-by: Gianmarco De Gregori Message-Id: <20240307140355.32644-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28347.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v5] Persist-key: enable persist-key option by default
From: Gianmarco De Gregori Change the default behavior of the OpenVPN configuration by enabling the persist-key option by default. This means that all the keys will be kept in memory across restart. Fixes: Trac #1405 Change-Id: I57f1c2ed42bd9dfd43577238749a9b7f4c1419ff Signed-off-by: Gianmarco De Gregori --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/529 This mail reflects revision 5 of this Change. Acked-by according to Gerrit (reflected above): diff --git a/Changes.rst b/Changes.rst index 58cb3db..4cded98 100644 --- a/Changes.rst +++ b/Changes.rst @@ -20,6 +20,8 @@ When configured to authenticate with NTLMv1 (``ntlm`` keyword in ``--http-proxy``) OpenVPN will try NTLMv2 instead. +``persist-key`` option has been enabled by default. +All the keys will be kept in memory across restart. Overview of changes in 2.6 == diff --git a/doc/man-sections/connection-profiles.rst b/doc/man-sections/connection-profiles.rst index c8816e1..520bbef 100644 --- a/doc/man-sections/connection-profiles.rst +++ b/doc/man-sections/connection-profiles.rst @@ -39,7 +39,6 @@ http-proxy 192.168.0.8 8080 - persist-key persist-tun pkcs12 client.p12 remote-cert-tls server diff --git a/doc/man-sections/generic-options.rst b/doc/man-sections/generic-options.rst index 30c990d..f8a0f48 100644 --- a/doc/man-sections/generic-options.rst +++ b/doc/man-sections/generic-options.rst @@ -302,17 +302,6 @@ Change process priority after initialization (``n`` greater than 0 is lower priority, ``n`` less than zero is higher priority). ---persist-key - Don't re-read key files across :code:`SIGUSR1` or ``--ping-restart``. - - This option can be combined with ``--user`` to allow restarts - triggered by the :code:`SIGUSR1` signal. Normally if you drop root - privileges in OpenVPN, the daemon cannot be restarted since it will now - be unable to re-read protected key files. - - This option solves the problem by persisting keys across :code:`SIGUSR1` - resets, so they don't need to be re-read. - --providers providers Load the list of (OpenSSL) providers. This is mainly useful for using an external provider for key management like tpm2-openssl or to load the @@ -402,7 +391,7 @@ Like with chroot, complications can result when scripts or restarts are executed after the setcon operation, which is why you should really - consider using the ``--persist-key`` and ``--persist-tun`` options. + consider using the ``--persist-tun`` option. --status args Write operational status to ``file`` every ``n`` seconds. ``n`` defaults diff --git a/doc/man-sections/link-options.rst b/doc/man-sections/link-options.rst index ca26bfe..ca192c3 100644 --- a/doc/man-sections/link-options.rst +++ b/doc/man-sections/link-options.rst @@ -283,7 +283,7 @@ See the signals section below for more information on :code:`SIGUSR1`. Note that the behavior of ``SIGUSR1`` can be modified by the - ``--persist-tun``, ``--persist-key``, ``--persist-local-ip`` and + ``--persist-tun``, ``--persist-local-ip`` and ``--persist-remote-ip`` options. Also note that ``--ping-exit`` and ``--ping-restart`` are mutually diff --git a/doc/man-sections/server-options.rst b/doc/man-sections/server-options.rst index 98f5340..0632e31 100644 --- a/doc/man-sections/server-options.rst +++ b/doc/man-sections/server-options.rst @@ -452,7 +452,7 @@ ``--route``, ``--route-gateway``, ``--route-delay``, ``--redirect-gateway``, ``--ip-win32``, ``--dhcp-option``, ``--dns``, ``--inactive``, ``--ping``, ``--ping-exit``, ``--ping-restart``, - ``--setenv``, ``--auth-token``, ``--persist-key``, ``--persist-tun``, + ``--setenv``, ``--auth-token``, ``--persist-tun``, ``--echo``, ``--comp-lzo``, ``--socket-flags``, ``--sndbuf``, ``--rcvbuf``, ``--session-timeout`` diff --git a/doc/man-sections/signals.rst b/doc/man-sections/signals.rst index 63611b3..01e8e5b 100644 --- a/doc/man-sections/signals.rst +++ b/doc/man-sections/signals.rst @@ -10,9 +10,8 @@ Like :code:`SIGHUP``, except don't re-read configuration file, and possibly don't close and reopen TUN/TAP device, re-read key files, preserve local IP address/port, or preserve most recently authenticated -remote IP address/port based on ``--persist-tun``, ``--persist-key``, -``--persist-local-ip`` and ``--persist-remote-ip`` options respectively -(see above). +remote IP address/port based on ``--persist-tun``, ``--persist-local-ip`` +and ``--persist-remote-ip`` options respectively (see above). This signal may also be internally generated by a timeout condition, governed by the ``--ping-restart`` option. diff --git a/doc/man-sections/unsupported-options.rst b/doc/man-sections/unsupported-options.rst index a0c1232..11467ca 100644 ---
[Openvpn-devel] [PATCH v5] Minor fix to process_ip_header
From: Gianmarco De Gregori Removed if-guard checking if any feature is enabled before performing per-feature check. It doesn't save us much but instead introduces uneeded complexity. While at it, fixed a typo IMCP -> ICMP for defined PIPV6_ICMP_NOHOST_CLIENT and PIPV6_ICMP_NOHOST_SERVER macros. Fixes: Trac https://community.openvpn.net/openvpn/ticket/269 Change-Id: I4b5e8357d872c920efdb64632e9bce72cebee202 Signed-off-by: Gianmarco De Gregori Acked-by: Arne Schwabe Acked-by: Frank Lichtenheld --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/525 This mail reflects revision 5 of this Change. Acked-by according to Gerrit (reflected above): Arne Schwabe Frank Lichtenheld diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index 0443ca0..556c465 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c @@ -1460,7 +1460,7 @@ * us to examine the IP header (IPv4 or IPv6). */ unsigned int flags = PIPV4_PASSTOS | PIP_MSSFIX | PIPV4_CLIENT_NAT - | PIPV6_IMCP_NOHOST_CLIENT; + | PIPV6_ICMP_NOHOST_CLIENT; process_ip_header(c, flags, >c2.buf); #ifdef PACKET_TRUNCATION_CHECK @@ -1644,73 +1644,60 @@ } if (!c->options.block_ipv6) { -flags &= ~(PIPV6_IMCP_NOHOST_CLIENT | PIPV6_IMCP_NOHOST_SERVER); +flags &= ~(PIPV6_ICMP_NOHOST_CLIENT | PIPV6_ICMP_NOHOST_SERVER); } if (buf->len > 0) { -/* - * The --passtos and --mssfix options require - * us to examine the IPv4 header. - */ - -if (flags & (PIP_MSSFIX -#if PASSTOS_CAPABILITY - | PIPV4_PASSTOS -#endif - | PIPV4_CLIENT_NAT - )) +struct buffer ipbuf = *buf; +if (is_ipv4(TUNNEL_TYPE(c->c1.tuntap), )) { -struct buffer ipbuf = *buf; -if (is_ipv4(TUNNEL_TYPE(c->c1.tuntap), )) -{ #if PASSTOS_CAPABILITY -/* extract TOS from IP header */ -if (flags & PIPV4_PASSTOS) -{ -link_socket_extract_tos(c->c2.link_socket, ); -} +/* extract TOS from IP header */ +if (flags & PIPV4_PASSTOS) +{ +link_socket_extract_tos(c->c2.link_socket, ); +} #endif -/* possibly alter the TCP MSS */ -if (flags & PIP_MSSFIX) -{ -mss_fixup_ipv4(, c->c2.frame.mss_fix); -} - -/* possibly do NAT on packet */ -if ((flags & PIPV4_CLIENT_NAT) && c->options.client_nat) -{ -const int direction = (flags & PIP_OUTGOING) ? CN_INCOMING : CN_OUTGOING; -client_nat_transform(c->options.client_nat, , direction); -} -/* possibly extract a DHCP router message */ -if (flags & PIPV4_EXTRACT_DHCP_ROUTER) -{ -const in_addr_t dhcp_router = dhcp_extract_router_msg(); -if (dhcp_router) -{ -route_list_add_vpn_gateway(c->c1.route_list, c->c2.es, dhcp_router); -} -} -} -else if (is_ipv6(TUNNEL_TYPE(c->c1.tuntap), )) +/* possibly alter the TCP MSS */ +if (flags & PIP_MSSFIX) { -/* possibly alter the TCP MSS */ -if (flags & PIP_MSSFIX) -{ -mss_fixup_ipv6(, c->c2.frame.mss_fix); -} -if (!(flags & PIP_OUTGOING) && (flags -&(PIPV6_IMCP_NOHOST_CLIENT | PIPV6_IMCP_NOHOST_SERVER))) -{ -ipv6_send_icmp_unreachable(c, buf, - (bool)(flags & PIPV6_IMCP_NOHOST_CLIENT)); -/* Drop the IPv6 packet */ -buf->len = 0; -} - +mss_fixup_ipv4(, c->c2.frame.mss_fix); } + +/* possibly do NAT on packet */ +if ((flags & PIPV4_CLIENT_NAT) && c->options.client_nat) +{ +const int direction = (flags & PIP_OUTGOING) ? CN_INCOMING : CN_OUTGOING; +client_nat_transform(c->options.client_nat, , direction); +} +/* possibly extract a DHCP router message */ +if (flags & PIPV4_EXTRACT_DHCP_ROUTER) +{ +const in_addr_t dhcp_router = dhcp_extract_router_msg(); +if (dhcp_router) +{ +route_list_add_vpn_gateway(c->c1.route_list, c->c2.es, dhcp_router); +} +} +
[Openvpn-devel] [PATCH v3] Persist-key: enable persist-key option by default
From: itsGiaan Change the default behavior of the OpenVPN configuration by enabling the persist-key option by default. This means that all the keys will be kept in memory across restart. Fixes: Trac #1405 Change-Id: I57f1c2ed42bd9dfd43577238749a9b7f4c1419ff Signed-off-by: Gianmarco De Gregori Acked-by: Arne Schwabe --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/529 This mail reflects revision 3 of this Change. Acked-by according to Gerrit (reflected above): Arne Schwabe diff --git a/Changes.rst b/Changes.rst index 58cb3db..4cded98 100644 --- a/Changes.rst +++ b/Changes.rst @@ -20,6 +20,8 @@ When configured to authenticate with NTLMv1 (``ntlm`` keyword in ``--http-proxy``) OpenVPN will try NTLMv2 instead. +``persist-key`` option has been enabled by default. +All the keys will be kept in memory across restart. Overview of changes in 2.6 == diff --git a/doc/man-sections/connection-profiles.rst b/doc/man-sections/connection-profiles.rst index c8816e1..520bbef 100644 --- a/doc/man-sections/connection-profiles.rst +++ b/doc/man-sections/connection-profiles.rst @@ -39,7 +39,6 @@ http-proxy 192.168.0.8 8080 - persist-key persist-tun pkcs12 client.p12 remote-cert-tls server diff --git a/doc/man-sections/generic-options.rst b/doc/man-sections/generic-options.rst index 95e4ca2..4e2029a 100644 --- a/doc/man-sections/generic-options.rst +++ b/doc/man-sections/generic-options.rst @@ -302,17 +302,6 @@ Change process priority after initialization (``n`` greater than 0 is lower priority, ``n`` less than zero is higher priority). ---persist-key - Don't re-read key files across :code:`SIGUSR1` or ``--ping-restart``. - - This option can be combined with ``--user`` to allow restarts - triggered by the :code:`SIGUSR1` signal. Normally if you drop root - privileges in OpenVPN, the daemon cannot be restarted since it will now - be unable to re-read protected key files. - - This option solves the problem by persisting keys across :code:`SIGUSR1` - resets, so they don't need to be re-read. - --providers providers Load the list of (OpenSSL) providers. This is mainly useful for using an external provider for key management like tpm2-openssl or to load the @@ -402,7 +391,7 @@ Like with chroot, complications can result when scripts or restarts are executed after the setcon operation, which is why you should really - consider using the ``--persist-key`` and ``--persist-tun`` options. + consider using the ``--persist-tun`` option. --status args Write operational status to ``file`` every ``n`` seconds. ``n`` defaults diff --git a/doc/man-sections/link-options.rst b/doc/man-sections/link-options.rst index ca26bfe..ca192c3 100644 --- a/doc/man-sections/link-options.rst +++ b/doc/man-sections/link-options.rst @@ -283,7 +283,7 @@ See the signals section below for more information on :code:`SIGUSR1`. Note that the behavior of ``SIGUSR1`` can be modified by the - ``--persist-tun``, ``--persist-key``, ``--persist-local-ip`` and + ``--persist-tun``, ``--persist-local-ip`` and ``--persist-remote-ip`` options. Also note that ``--ping-exit`` and ``--ping-restart`` are mutually diff --git a/doc/man-sections/server-options.rst b/doc/man-sections/server-options.rst index 98f5340..0632e31 100644 --- a/doc/man-sections/server-options.rst +++ b/doc/man-sections/server-options.rst @@ -452,7 +452,7 @@ ``--route``, ``--route-gateway``, ``--route-delay``, ``--redirect-gateway``, ``--ip-win32``, ``--dhcp-option``, ``--dns``, ``--inactive``, ``--ping``, ``--ping-exit``, ``--ping-restart``, - ``--setenv``, ``--auth-token``, ``--persist-key``, ``--persist-tun``, + ``--setenv``, ``--auth-token``, ``--persist-tun``, ``--echo``, ``--comp-lzo``, ``--socket-flags``, ``--sndbuf``, ``--rcvbuf``, ``--session-timeout`` diff --git a/doc/man-sections/signals.rst b/doc/man-sections/signals.rst index 63611b3..01e8e5b 100644 --- a/doc/man-sections/signals.rst +++ b/doc/man-sections/signals.rst @@ -10,9 +10,8 @@ Like :code:`SIGHUP``, except don't re-read configuration file, and possibly don't close and reopen TUN/TAP device, re-read key files, preserve local IP address/port, or preserve most recently authenticated -remote IP address/port based on ``--persist-tun``, ``--persist-key``, -``--persist-local-ip`` and ``--persist-remote-ip`` options respectively -(see above). +remote IP address/port based on ``--persist-tun``, ``--persist-local-ip`` +and ``--persist-remote-ip`` options respectively (see above). This signal may also be internally generated by a timeout condition, governed by the ``--ping-restart`` option. diff --git a/doc/man-sections/unsupported-options.rst b/doc/man-sections/unsupported-options.rst index a0c1232..11467ca 100644 ---
[Openvpn-devel] [PATCH applied] Re: openvpn-[client|server].service: Remove syslog.target
I have no idea and I do not want to know details about systemd, but the explanation "this target has not existed for a long time" makes sense, plus it has an ACK from someone who does understand Linux ;-) Your patch has been applied to the master and release/2.6 branch. commit 15b74036a9b180e862ed4cb23f1e351c08706527 (master) commit 04e682653993212b1b7f9432791e325d92c470b6 (release/2.6) Author: Martin Rys Date: Mon Mar 4 17:33:13 2024 +0100 openvpn-[client|server].service: Remove syslog.target Signed-off-by: Martin Rys Acked-by: Frank Lichtenheld Signed-off-by: Frank Lichtenheld Message-Id: <20240304163313.2326923-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28318.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: samples: Remove tls-*.conf
Indeed, outdated and partially overlapping sample configs help nobody... (especially doing ifconfig via -up is like the 1990s calling :-) ). Your patch has been applied to the master and release/2.6 branch. commit f8a8c7879556d2a5d7231eaa911b1a0ad82730a6 (master) commit 2f20a03b1dc7c6a0d01f7b9eb5dd5dd435abe6b5 (release/2.6) Author: Frank Lichtenheld Date: Mon Mar 4 17:15:56 2024 +0100 samples: Remove tls-*.conf Signed-off-by: Frank Lichtenheld Acked-by: Arne Schwabe Acked-by: Antonio Quartulli Message-Id: <20240304161556.2036270-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28316.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: Fix typo --data-cipher-fallback
"git grep" confirms that this is the right spelling :-) Your patch has been applied to the master and release/2.6 branch (bugfix). commit f6608b56e480fea94e2b286c619aa2aa854e15f6 (master) commit 6e3fb0f2187594aa34ae6b4ecda5f60b5efbd137 (release/2.6) Author: Frank Lichtenheld Date: Tue Mar 5 09:22:36 2024 +0100 Fix typo --data-cipher-fallback Signed-off-by: Frank Lichtenheld Acked-by: Arne Schwabe Message-Id: <20240305082236.17566-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28321.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v1] Fix typo --data-cipher-fallback
From: Frank Lichtenheld Change-Id: I38e70cb74c10848ab2981efc4c4c8863c5c8785d Signed-off-by: Frank Lichtenheld Acked-by: Arne Schwabe --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/534 This mail reflects revision 1 of this Change. Acked-by according to Gerrit (reflected above): Arne Schwabe diff --git a/doc/man-sections/generic-options.rst b/doc/man-sections/generic-options.rst index 95e4ca2..30c990d 100644 --- a/doc/man-sections/generic-options.rst +++ b/doc/man-sections/generic-options.rst @@ -75,7 +75,7 @@ to the configuration if no other compression options are present. - 2.4.x or lower: The cipher in ``--cipher`` is appended to ``--data-ciphers``. - - 2.3.x or lower: ``--data-cipher-fallback`` is automatically added with + - 2.3.x or lower: ``--data-ciphers-fallback`` is automatically added with the same cipher as ``--cipher``. - 2.3.6 or lower: ``--tls-version-min 1.0`` is added to the configuration when ``--tls-version-min`` is not explicitly set. diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c index cd3e0ad..14430d3 100644 --- a/src/openvpn/dco.c +++ b/src/openvpn/dco.c @@ -400,7 +400,7 @@ if (o->enable_ncp_fallback && !tls_item_in_cipher_list(o->ciphername, dco_get_supported_ciphers())) { -msg(msglevel, "Note: --data-cipher-fallback with cipher '%s' " +msg(msglevel, "Note: --data-ciphers-fallback with cipher '%s' " "disables data channel offload.", o->ciphername); return false; } ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: Document that auth-user-pass may be inlined
Thanks for that. Documentation improvements are always welcome :-) Your patch has been applied to the master and releae/2.6 branch (docs). commit fad2d7017eee366317bb18b34416e7788cbe2372 (master) commit 2aac80e4b13d442139f62ed2b35756d1cda44c39 (release/2.6) Author: Selva Nair Date: Tue Feb 20 12:52:15 2024 -0500 Document that auth-user-pass may be inlined Signed-off-by: Selva Nair Acked-by: Antonio Quartulli Message-Id: <20240220175215.2731491-1-selva.n...@gmail.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28284.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] Document that auth-user-pass may be inlined
Hi, On Mon, Feb 19, 2024 at 02:28:22PM -0500, selva.n...@gmail.com wrote: > Does this have to go through gerrit? As of today, there's two ways to inject patches / patch sets for "openvpn main" - the openvpn-devel@ list, "as always", and gerrit. Gerrit is nice for larger and more complex patchsets, because review can happen in pieces (= you can review the first half today, comment on the web, it will remember which parts you have seen already, and do the rest tomorrow), and also gerrit can do stuff like "so what changed from v4 to v5?" meta-diffs. For smaller patches "single file, trivially correct", openvpn-devel@ is less work for me :-) So - what is "better" depends. gert -- "If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor." Robert A. Heinlein, The Moon is a Harsh Mistress Gert Doering - Munich, Germany g...@greenie.muc.de signature.asc Description: PGP signature ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [S] Change in openvpn[master]: Minor fix to process_ip_header
Hi, On Mon, Feb 19, 2024 at 02:23:08PM +0100, Antonio Quartulli wrote: > On 19/02/2024 14:12, Gert Doering wrote: > > Maybe that would be a more reasonable approach here... get rid of the > > umbrella if(), and check individual bits inside. It seems to be a > > micro-optimization "skip this branch if we have no single feature active", > > while at least MSSFIX is active by default. > > Technically we still retain the "speed up" when all features are disabled > (i.e. remove this and this from the config and gain some Mbps) "some Mbps" - maybe not... "a few kbit/s" sounds more like it :-) gert -- "If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor." Robert A. Heinlein, The Moon is a Harsh Mistress Gert Doering - Munich, Germany g...@greenie.muc.de signature.asc Description: PGP signature ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [S] Change in openvpn[master]: Minor fix to process_ip_header
Hi, On Mon, Feb 19, 2024 at 02:08:56PM +0100, Antonio Quartulli wrote: > This said, I do believe this patch fixes these issues in one go as the new > PIP_OPT_MASK will match all the flags mentioned above. Yes, but then we do not need that if() anymore at all - if we go in there, no matter if we have anything to do (like, we have v6 bits set, and enter the v4 branch). Maybe that would be a more reasonable approach here... get rid of the umbrella if(), and check individual bits inside. It seems to be a micro-optimization "skip this branch if we have no single feature active", while at least MSSFIX is active by default. gert -- "If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor." Robert A. Heinlein, The Moon is a Harsh Mistress Gert Doering - Munich, Germany g...@greenie.muc.de signature.asc Description: PGP signature ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] IRC community meeting summary (Feb 14th)
Hi, On Fri, Feb 16, 2024 at 03:20:25PM +0100, Frank Lichtenheld wrote: > Note that none of this negates the usefulness of easy-rsa. This > is specifically about the usefulness of easy-rsa bundled in the > openvpn Windows installer. Yeah, this. I find easy-rsa very useful - but my CAs are not running on a Windows system (the thought alone makes me shiver) but securely tucked away on a Unix VM, with easy-rsa, of course. So, for my environment (various customer deployments plus my own dabbling) I do not need easy-rsa on Windows, and wouldn't miss it if you (as in "the installer maintaining folks") decided to drop it. I seem to remember that we did this split on the unix side some 100 years ago already - so now distributions have "openvpn" and "easy-rsa" packages, and both can be updated and maintained according to their own needs... gert -- "If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor." Robert A. Heinlein, The Moon is a Harsh Mistress Gert Doering - Munich, Germany g...@greenie.muc.de signature.asc Description: PGP signature ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [S] Change in openvpn[master]: Minor fix to process_ip_header
Hi, On Thu, Feb 15, 2024 at 03:59:02PM +, its_Giaan (Code Review) wrote: > if (buf->len > 0) > { > -/* > - * The --passtos and --mssfix options require > - * us to examine the IPv4 header. > - */ > - > -if (flags & (PIP_MSSFIX > -#if PASSTOS_CAPABILITY > - | PIPV4_PASSTOS > -#endif > - | PIPV4_CLIENT_NAT > - )) > +if (flags & PIP_OPT_MASK) NAK, as this is not the same thing. PIP_OPT_MASK will also match on the IPv6 flags, which are not something we need to test for here (= if only an IPv6 flag is active, why should we enter this branch?). gert -- "If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor." Robert A. Heinlein, The Moon is a Harsh Mistress Gert Doering - Munich, Germany g...@greenie.muc.de signature.asc Description: PGP signature ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: Change include order for tests
Thanks for this updated patch, which fixes the issue in a much nicer way. I'm not sure if you observe the problem in release/2.6 as well - if yes, I need a release/2.6-specific patch for that (as half the new test drivers are not in that branch). Quick test with an in-tree build on FreeBSD and GHA builds passes fine. Your patch has been applied to the master branch. commit 54475711eb119f6fbb263880fca08d4b10df752a Author: Juliusz Sosinowicz Date: Mon Feb 12 14:25:22 2024 +0100 Change include order for tests Signed-off-by: Juliusz Sosinowicz Acked-by: Arne Schwabe Message-Id: <20240212132522.125903-1-juli...@wolfssl.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28229.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] wolfssl: include "ssl.h" by "src/openvpn/ssl.h"
Hi, On Mon, Feb 12, 2024 at 10:57:41AM +0100, Juliusz Sosinowicz wrote: > commit 70b39f2bea9fd6e57f31e32b2041246731140cb2 has added the use of > ACK_SIZE and RELIABLE_ACK_SIZE in test_ssl.c. These are defined in > reliable.h which should be included through your ssl.h. Since our ssl.h is > being picked up, these never get defined and make check results in the > following error: Seems the unit test compile flags could use a bit of shuffling to have our local include first... and that should solve it (if nothing else breaks, just test_ssl.c) gert -- "If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor." Robert A. Heinlein, The Moon is a Harsh Mistress Gert Doering - Munich, Germany g...@greenie.muc.de signature.asc Description: PGP signature ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: Turn dead list test code into unit test
Tested locally and on GHA, with MinGW->Windows and all that. Your patch has been applied to the master branch. commit 91b057a2b5b4d16b64d9d01824a8ec9327a61da1 Author: Arne Schwabe Date: Fri Feb 9 11:59:02 2024 +0100 Turn dead list test code into unit test Signed-off-by: Arne Schwabe Acked-by: Frank Lichtenheld Message-Id: <20240209105902.14506-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28201.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: Implement generating TLS 1.0 PRF using new OpenSSL 3.0 APIs
Tested locally (FreeBSD / OpenSSL 3.0, OpenBSD / LibreSSL) and via GHA, and things still work. Your patch has been applied to the master branch. commit 7435114d9a979611dfe5ab751c213900cc1773e8 Author: Arne Schwabe Date: Fri Feb 9 12:06:29 2024 +0100 Implement generating TLS 1.0 PRF using new OpenSSL 3.0 APIs Signed-off-by: Arne Schwabe Acked-by: Frank Lichtenheld Message-Id: <20240209110629.15364-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28203.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] wolfssl: include "ssl.h" by "src/openvpn/ssl.h"
Hi, On Fri, Feb 09, 2024 at 04:51:09PM +0100, Juliusz Sosinowicz wrote: > Including "ssl.h" conflicts with the wolfSSL ssl.h header file. The > include/wolfssl directory is included before openvpn/src. include/wolfssl > needs to be included so that openvpn can pick up wolfSSL compatibility > headers instead of OpenSSL headers without changing the paths. NAK. All our local includes are included without path, so we're not starting "full path" for a single include now. If this conflicts with WolfSSL, I'd be willing to consider a Makefile patch that puts WolfSSL includes behind openvpn/src (so our ssl.h is picked first). gert -- "If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor." Robert A. Heinlein, The Moon is a Harsh Mistress Gert Doering - Munich, Germany g...@greenie.muc.de signature.asc Description: PGP signature ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: Print SSL peer signature information in handshake debug details
Tested on the OpenBSD buildbot (some earlier LibreSSL version) and GHA (different OpenSSL versions). Looks all good. As expected, LibreSSL builds do not provide the new information (neither does mbedTLS), but OpenSSL builds do... 2024-02-09 17:09:00 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, peer certificate: 2048 bits RSA, signature: RSA-SHA1, peer temporary key: 256 bits ECprime256v1, peer signing digest/type: SHA512 RSA Your patch has been applied to the master branch. commit b431721eb1b676f8e1a1cbcf233507d2dd29f846 Author: Arne Schwabe Date: Fri Feb 9 12:10:00 2024 +0100 Print SSL peer signature information in handshake debug details Signed-off-by: Arne Schwabe Acked-by: Frank Lichtenheld Message-Id: <20240209111000.16258-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28206.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: Add unit test for encrypting/decrypting data channel
Extracting the old test approach out to unit tests is generally a good thing. Plus, it has an ACK :-) - tested locally and via GHA. Your patch has been applied to the master branch. commit 70b39f2bea9fd6e57f31e32b2041246731140cb2 Author: Arne Schwabe Date: Thu Feb 8 09:57:49 2024 +0100 Add unit test for encrypting/decrypting data channel Acked-by: Frank Lichtenheld Message-Id: <20240208085749.869-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28195.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v3] Add unit test for encrypting/decrypting data channel
From: Arne Schwabe This test is reusing code from --test-crypto but is modified to not rely on the static key functionality and also only tests the most common algorithm. So it does not yet completely replace --test-crypto Change-Id: Ifa5ae96165d17b3cae4afc53e844bb34d1610e58 Acked-by: Frank Lichtenheld --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/505 This mail reflects revision 3 of this Change. Acked-by according to Gerrit (reflected above): Frank Lichtenheld diff --git a/tests/unit_tests/openvpn/test_ssl.c b/tests/unit_tests/openvpn/test_ssl.c index 18b9ec8..8c1fb5b 100644 --- a/tests/unit_tests/openvpn/test_ssl.c +++ b/tests/unit_tests/openvpn/test_ssl.c @@ -44,6 +44,9 @@ #include "ssl_verify_backend.h" #include "win32.h" #include "test_common.h" +#include "ssl.h" +#include "buffer.h" +#include "packet_id.h" /* Mock function to be allowed to include win32.c which is required for * getting the temp directory */ @@ -120,20 +123,238 @@ gc_free(); } +static void +init_implicit_iv(struct crypto_options *co) +{ +cipher_ctx_t *cipher = co->key_ctx_bi.encrypt.cipher; + +if (cipher_ctx_mode_aead(cipher)) +{ +size_t impl_iv_len = cipher_ctx_iv_length(cipher) - sizeof(packet_id_type); +ASSERT(cipher_ctx_iv_length(cipher) <= OPENVPN_MAX_IV_LENGTH); +ASSERT(cipher_ctx_iv_length(cipher) >= OPENVPN_AEAD_MIN_IV_LEN); + +/* Generate dummy implicit IV */ +ASSERT(rand_bytes(co->key_ctx_bi.encrypt.implicit_iv, + OPENVPN_MAX_IV_LENGTH)); +co->key_ctx_bi.encrypt.implicit_iv_len = impl_iv_len; + +memcpy(co->key_ctx_bi.decrypt.implicit_iv, + co->key_ctx_bi.encrypt.implicit_iv, OPENVPN_MAX_IV_LENGTH); +co->key_ctx_bi.decrypt.implicit_iv_len = impl_iv_len; +} +} + +static void +init_frame_parameters(struct frame *frame) +{ +int overhead = 0; + +/* tls-auth and tls-crypt */ +overhead += 128; + +/* TCP length field and opcode */ +overhead += 3; + +/* ACK array and remote SESSION ID (part of the ACK array) */ +overhead += ACK_SIZE(RELIABLE_ACK_SIZE); + +/* Previous OpenVPN version calculated the maximum size and buffer of a + * control frame depending on the overhead of the data channel frame + * overhead and limited its maximum size to 1250. Since control frames + * also need to fit into data channel buffer we have the same + * default of 1500 + 100 as data channel buffers have. Increasing + * control channel mtu beyond this limit also increases the data channel + * buffers */ +int tls_mtu = 1500; +frame->buf.payload_size = tls_mtu + 100; + +frame->buf.headroom = overhead; +frame->buf.tailroom = overhead; + +frame->tun_mtu = tls_mtu; + +} + +static void +do_data_channel_round_trip(struct crypto_options *co) +{ +struct gc_arena gc = gc_new(); + +/* initialise frame for the test */ +struct frame frame; +init_frame_parameters(); + +struct buffer src = alloc_buf_gc(frame.buf.payload_size, ); +struct buffer work = alloc_buf_gc(BUF_SIZE(), ); +struct buffer encrypt_workspace = alloc_buf_gc(BUF_SIZE(), ); +struct buffer decrypt_workspace = alloc_buf_gc(BUF_SIZE(), ); +struct buffer buf = clear_buf(); +void *buf_p; + +/* init work */ +ASSERT(buf_init(, frame.buf.headroom)); + +init_implicit_iv(co); +update_time(); + +/* Test encryption, decryption for all packet sizes */ +for (int i = 1; i <= frame.buf.payload_size; ++i) +{ + +/* msg(M_INFO, "TESTING ENCRYPT/DECRYPT of packet length=%d", i); */ + +/* + * Load src with random data. + */ +ASSERT(buf_init(, 0)); +ASSERT(i <= src.capacity); +src.len = i; +ASSERT(rand_bytes(BPTR(), BLEN())); + +/* copy source to input buf */ +buf = work; +buf_p = buf_write_alloc(, BLEN()); +ASSERT(buf_p); +memcpy(buf_p, BPTR(), BLEN()); + +/* initialize work buffer with buf.headroom bytes of prepend capacity */ +ASSERT(buf_init(_workspace, frame.buf.headroom)); + +/* encrypt */ +openvpn_encrypt(, encrypt_workspace, co); + +/* decrypt */ +openvpn_decrypt(, decrypt_workspace, co, , BPTR()); + +/* compare */ +assert_int_equal(buf.len, src.len); +assert_memory_equal(BPTR(), BPTR(), i); + +} +gc_free(); +} + + + +struct crypto_options +init_crypto_options(const char *cipher, const char *auth) +{ +struct key2 key2 = { .n = 2}; + +ASSERT(rand_bytes(key2.keys[0].cipher, sizeof(key2.keys[0].cipher))); +ASSERT(rand_bytes(key2.keys[0].hmac, sizeof(key2.keys[0].hmac))); +ASSERT(rand_bytes(key2.keys[1].cipher, sizeof(key2.keys[1].cipher))); +ASSERT(rand_bytes(key2.keys[1].hmac, sizeof(key2.keys)[1].hmac)); + +
[Openvpn-devel] [PATCH applied] Re: test_user_pass: add basic tests for static/dynamic challenges
Tested on a local build and via GHA. Passes :-) Your patch has been applied to the master branch. commit ca122f990c76090ba90159812e89049810710bfe Author: Frank Lichtenheld Date: Wed Feb 7 18:12:39 2024 +0100 test_user_pass: add basic tests for static/dynamic challenges Signed-off-by: Frank Lichtenheld Acked-by: Arne Schwabe Message-Id: <20240207171239.86730-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28191.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: dco-freebsd: dynamically re-allocate buffer if it's too small
Acked-by: Gert Doering Stare-at-code looks good :-) - there's one possible catch should realloc() return NULL - in that case we'd pass drv.ifd_data = NULL to the kernel - but I'm reasonably sure the kernel will then not crash but return EINVAL. I do not have a sufficient number of clients on a FreeBSD 14 system today to trigger the original problem, but I can attest that the new dynamic code will do the right thing - I tested this by reducing the start allocation to 1 byte and see it grow to 1024 (test with 2 clients, 512 sufficient for 1 client). (Also, master+patch passes the full server test rig on FreeBSD 14) Your patch has been applied to the master and release/2.6 branch (bugfix) commit 62676935d738f74908845ca96819a36a8c0c230e (master) commit d8faf568d237667c66141e2c3f6df3f999aa02bd (release/2.6) Author: Kristof Provost Date: Wed Jan 24 16:27:39 2024 +0100 dco-freebsd: dynamically re-allocate buffer if it's too small Signed-off-by: Kristof Provost Acked-by: Gert Doering Message-Id: <20240124152739.28248-1-kprov...@netgate.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28128.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: documentation: Fixes for previous fixes to --push-peer-info
Your patch has been applied to the master and release/2.6 branch. commit c1e1d132f6368a6f4b77fe956a9329a60331b63e (master) commit 6bed72d0f2c6860d936b2f3865866c76ef9d18de (release/2.6) Author: Frank Lichtenheld Date: Tue Feb 6 18:47:45 2024 +0100 documentation: Fixes for previous fixes to --push-peer-info Signed-off-by: Frank Lichtenheld Acked-by: Arne Schwabe Message-Id: <20240206174745.74828-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28184.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] dco-freebsd: dynamically re-allocate buffer if it's too small
Hi, On Tue, Feb 06, 2024 at 09:37:47AM -0700, Kristof Provost wrote: > Ping? > > Does this need anything else before it can land? Just time on my side. Busy weeks, apologies. Will handle tomorrow. gert -- "If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor." Robert A. Heinlein, The Moon is a Harsh Mistress Gert Doering - Munich, Germany g...@greenie.muc.de signature.asc Description: PGP signature ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH applied] Re: documentation: Update and fix documentation for --push-peer-info
Hi, On Tue, Feb 06, 2024 at 04:33:44PM +0100, Gert Doering wrote: > Your patch has been applied to the master branch. > > commit b66d545ce25689588c4dbd1fb525204c78871ed0 (master) > commit 18fb30f7ad292f166805138c0ec3c2c920090364 (release/2.6) > Author: Frank Lichtenheld > Date: Tue Feb 6 15:10:57 2024 +0100 > > documentation: Update and fix documentation for --push-peer-info > > Signed-off-by: Frank Lichtenheld > Acked-by: Arne Schwabe Actually Arne did NOT ACK it yet, to the contrary, parts of the change are incorrect. Apologies - my fault, I did not check this as thoroughly as I do for code changes. gert -- "If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor." Robert A. Heinlein, The Moon is a Harsh Mistress Gert Doering - Munich, Germany g...@greenie.muc.de signature.asc Description: PGP signature ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: documentation: Update and fix documentation for --push-peer-info
Your patch has been applied to the master branch. commit b66d545ce25689588c4dbd1fb525204c78871ed0 (master) commit 18fb30f7ad292f166805138c0ec3c2c920090364 (release/2.6) Author: Frank Lichtenheld Date: Tue Feb 6 15:10:57 2024 +0100 documentation: Update and fix documentation for --push-peer-info Signed-off-by: Frank Lichtenheld Acked-by: Arne Schwabe Message-Id: <20240206141057.46249-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28178.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH applied] Re: README.cmake.md: Document minimum required CMake version for --preset
Hi, On Fri, Feb 02, 2024 at 12:27:19PM +0100, Frank Lichtenheld wrote: > On Thu, Feb 01, 2024 at 08:28:21PM +0100, Gert Doering wrote: > > Makes sense (I did read the GH issue). > > > > Your patch has been applied to the master branch. > > I think it would make sense to apply this to release/2.6 as well, since > that uses the same CMake build. Done! commit 9ec524613662989ab165d8ca507c2e0abffc3dff (HEAD -> release/2.6) Author: Frank Lichtenheld Date: Thu Feb 1 13:30:39 2024 +0100 README.cmake.md: Document minimum required CMake version for --preset gert -- "If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor." Robert A. Heinlein, The Moon is a Harsh Mistress Gert Doering - Munich, Germany g...@greenie.muc.de signature.asc Description: PGP signature ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: README.cmake.md: Document minimum required CMake version for --preset
Makes sense (I did read the GH issue). Your patch has been applied to the master branch. commit 53b16d07e889b69128203d3b50ed47ceb77c5771 Author: Frank Lichtenheld Date: Thu Feb 1 13:30:39 2024 +0100 README.cmake.md: Document minimum required CMake version for --preset Signed-off-by: Frank Lichtenheld Acked-by: Gert Doering Message-Id: <20240201123039.174176-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28160.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: Allow unit tests to fall back to hard coded location
Tested locally (freebsd, autoconf) and on the GHA builds. Your patch has been applied to the master branch. commit bb0849db20747dc4acea394c4db807a47cbc526b Author: Arne Schwabe Date: Thu Feb 1 15:48:17 2024 +0100 Allow unit tests to fall back to hard coded location Acked-by: Frank Lichtenheld Message-Id: <20240201144817.14-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28161.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: gerrit-send-mail: Make output consistent across systems
Fixes issues with UTF8 in Files (user_pass UT test). For added fanciness, could set charset header in resulting mail, so "git send-email" wouldn't have to ask... but that's less nuisance than "python explodes because UTF8" :-) Your patch has been applied to the master branch. commit e1f8c599aeb840909f5ea8e9ae0bc4dab5bc7deb Author: Frank Lichtenheld Date: Mon Jan 29 15:57:56 2024 +0100 gerrit-send-mail: Make output consistent across systems Signed-off-by: Frank Lichtenheld Acked-by: Arne Schwabe Message-Id: <20240129145756.769-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28153.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v1] gerrit-send-mail: Make output consistent across systems
From: Frank Lichtenheld When writing the file specify encoding and newline, so that the local settings (like locale) do not change the output. Change-Id: Id7b4bda38adfbb446bdac635ac5d5207ef3f2f40 Signed-off-by: Frank Lichtenheld Acked-by: Arne Schwabe --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/508 This mail reflects revision 1 of this Change. Acked-by according to Gerrit (reflected above): Arne Schwabe diff --git a/dev-tools/gerrit-send-mail.py b/dev-tools/gerrit-send-mail.py index 5429aef..67a2cf1 100755 --- a/dev-tools/gerrit-send-mail.py +++ b/dev-tools/gerrit-send-mail.py @@ -109,7 +109,7 @@ ) filename = f"gerrit-{args.changeid}-{details['revision']}.patch" patch_text_final = patch_text_mod.replace("Subject: [PATCH v1]", f"Subject: [PATCH v{details['revision']}]") -with open(filename, "w") as patch_file: +with open(filename, "w", encoding="utf-8", newline="\n") as patch_file: patch_file.write(patch_text_final) print("send with:") print(f"git send-email --in-reply-to {details['msg_id']} {filename}") ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v7] test_user_pass: add basic tests for static/dynamic challenges
From: Frank Lichtenheld Change-Id: I8b5570f6314e917f92dce072279efe415d79b22a Signed-off-by: Frank Lichtenheld Acked-by: Arne Schwabe --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/475 This mail reflects revision 7 of this Change. Acked-by according to Gerrit (reflected above): Arne Schwabe diff --git a/tests/unit_tests/openvpn/test_user_pass.c b/tests/unit_tests/openvpn/test_user_pass.c index d6e5650..743a006 100644 --- a/tests/unit_tests/openvpn/test_user_pass.c +++ b/tests/unit_tests/openvpn/test_user_pass.c @@ -364,6 +364,63 @@ } #endif /* ifndef _MSC_VER */ +#ifdef ENABLE_MANAGEMENT +static void +test_get_user_pass_dynamic_challenge(void **state) +{ +struct user_pass up = { 0 }; +reset_user_pass(); +const char *challenge = "CRV1:R,E:Om01u7Fh4LrGBS7uh0SWmzwabUiGiW6l:Y3Ix:Please enter token PIN"; +unsigned int flags = GET_USER_PASS_DYNAMIC_CHALLENGE; + +expect_string(query_user_exec_builtin, query_user[i].prompt, "CHALLENGE: Please enter token PIN"); +will_return(query_user_exec_builtin, "challenge_response"); +will_return(query_user_exec_builtin, true); +assert_true(get_user_pass_cr(, NULL, "UT", flags, challenge)); +assert_true(up.defined); +assert_string_equal(up.username, "cr1"); +assert_string_equal(up.password, "CRV1::Om01u7Fh4LrGBS7uh0SWmzwabUiGiW6l::challenge_response"); +} + +static void +test_get_user_pass_static_challenge(void **state) +{ +struct user_pass up = { 0 }; +reset_user_pass(); +const char *challenge = "Please enter token PIN"; +unsigned int flags = GET_USER_PASS_STATIC_CHALLENGE; + +expect_string(query_user_exec_builtin, query_user[i].prompt, "Enter UT Username:"); +will_return(query_user_exec_builtin, "cuser"); +expect_string(query_user_exec_builtin, query_user[i].prompt, "Enter UT Password:"); +will_return(query_user_exec_builtin, "cpassword"); +will_return(query_user_exec_builtin, true); +expect_string(query_user_exec_builtin, query_user[i].prompt, "CHALLENGE: Please enter token PIN"); +will_return(query_user_exec_builtin, "challenge_response"); +will_return(query_user_exec_builtin, true); +assert_true(get_user_pass_cr(, NULL, "UT", flags, challenge)); +assert_true(up.defined); +assert_string_equal(up.username, "cuser"); +/* SCRV1:cpassword:challenge_response but base64-encoded */ +assert_string_equal(up.password, "SCRV1:Y3Bhc3N3b3Jk:Y2hhbGxlbmdlX3Jlc3BvbnNl"); + +reset_user_pass(); + +flags |= GET_USER_PASS_INLINE_CREDS; + +/*FIXME: query_user_exec() called even though nothing queued */ +will_return(query_user_exec_builtin, true); +expect_string(query_user_exec_builtin, query_user[i].prompt, "CHALLENGE: Please enter token PIN"); +will_return(query_user_exec_builtin, "challenge_response"); +will_return(query_user_exec_builtin, true); +assert_true(get_user_pass_cr(, "iuser\nipassword", "UT", flags, challenge)); +assert_true(up.defined); +assert_string_equal(up.username, "iuser"); +/* SCRV1:ipassword:challenge_response but base64-encoded */ +assert_string_equal(up.password, "SCRV1:aXBhc3N3b3Jk:Y2hhbGxlbmdlX3Jlc3BvbnNl"); +} +#endif /* ENABLE_MANAGEMENT */ + const struct CMUnitTest user_pass_tests[] = { cmocka_unit_test(test_get_user_pass_defined), cmocka_unit_test(test_get_user_pass_needok), @@ -375,6 +432,10 @@ cmocka_unit_test(test_get_user_pass_authfile_stdin_assertions), cmocka_unit_test(test_get_user_pass_authfile_file_assertions), #endif +#ifdef ENABLE_MANAGEMENT +cmocka_unit_test(test_get_user_pass_dynamic_challenge), +cmocka_unit_test(test_get_user_pass_static_challenge), +#endif /* ENABLE_MANAGEMENT */ }; int ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: test_user_pass: Add UTs for character filtering
Tested locally and with GHA. I expect the UTF8 codes in our source to create issues at some point (because software is so... helpful), but it's only the test code, and if that happens, we can move to \xbb\xa4 (etc.) in the strings... Your patch has been applied to the master branch. commit 55418bf62eaff1c4323d206181cd8a5f88e7c6c7 Author: Frank Lichtenheld Date: Mon Jan 29 11:53:57 2024 +0100 test_user_pass: Add UTs for character filtering Signed-off-by: Frank Lichtenheld Acked-by: Arne Schwabe Acked-by: Gert Doering Message-Id: <20240129105358.11161-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/search?l=mid=20240129105358.11161-1-g...@greenie.muc.de Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v6] test_user_pass: Add UTs for character filtering
From: Frank Lichtenheld For simplicity I implemented them only with the inline method, but they actually apply to all methods. Change-Id: Ie8d2d5f6f58679baaf5eb817a7e2ca1afcb8c4db Signed-off-by: Frank Lichtenheld Acked-by: Arne Schwabe Acked-by: Gert Doering --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/473 This mail reflects revision 6 of this Change. Acked-by according to Gerrit (reflected above): Arne Schwabe Gert Doering diff --git a/tests/unit_tests/openvpn/test_user_pass.c b/tests/unit_tests/openvpn/test_user_pass.c index ab4dfe4..277cb1d 100644 --- a/tests/unit_tests/openvpn/test_user_pass.c +++ b/tests/unit_tests/openvpn/test_user_pass.c @@ -141,6 +141,29 @@ reset_user_pass(); +/* Test various valid characters */ +/*FIXME: query_user_exec() called even though nothing queued */ +will_return(query_user_exec_builtin, true); +/* FIXME? content after first two lines just ignored */ +assert_true(get_user_pass_cr(, "#iuser and 커뮤니티\n//ipasswörd!\nsome other content\nnot relevant", "UT", flags, NULL)); +assert_true(up.defined); +assert_string_equal(up.username, "#iuser and 커뮤니티"); +assert_string_equal(up.password, "//ipasswörd!"); + +reset_user_pass(); + +/* Test various invalid characters */ +/*FIXME: query_user_exec() called even though nothing queued */ +will_return(query_user_exec_builtin, true); +/*FIXME? allows arbitrary crap if c > 127 */ +/*FIXME? silently removes control characters */ +assert_true(get_user_pass_cr(, "\tiuser\r\nipass\xffwo\x1erd", "UT", flags, NULL)); +assert_true(up.defined); +assert_string_equal(up.username, "iuser"); +assert_string_equal(up.password, "ipass\xffword"); + +reset_user_pass(); + expect_string(query_user_exec_builtin, query_user[i].prompt, "Enter UT Password:"); will_return(query_user_exec_builtin, "cpassword"); will_return(query_user_exec_builtin, true); ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: test_user_pass: new UT for get_user_pass
Local tests & GHA are now happy. Ship it :-) Your patch has been applied to the master branch. commit b9696ff387c1754d057a3611531b681d14de9105 Author: Frank Lichtenheld Date: Sat Jan 27 21:07:16 2024 +0100 test_user_pass: new UT for get_user_pass Signed-off-by: Frank Lichtenheld Acked-by: Arne Schwabe Message-Id: <20240127200716.10255-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28138.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v8] test_user_pass: new UT for get_user_pass
From: Frank Lichtenheld UTs for basic functionality, without management functions. v2: - add CMake support - add GHA support for both MSVC and mingw v3: - fix distcheck by adding input/ directory to dist Change-Id: I193aef06912f01426dd4ac298aadfab97dd75a35 Signed-off-by: Frank Lichtenheld Acked-by: Arne Schwabe --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/468 This mail reflects revision 8 of this Change. Acked-by according to Gerrit (reflected above): Arne Schwabe diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index cc98813..bc937e5 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -85,11 +85,13 @@ fail-fast: false matrix: arch: [x86, x64] -test: [argv, auth_token, buffer, cryptoapi, crypto, misc, ncp, packet_id, pkt, provider, ssl, tls_crypt] +test: [argv, auth_token, buffer, cryptoapi, crypto, misc, ncp, packet_id, pkt, provider, ssl, tls_crypt, user_pass] runs-on: windows-latest name: "mingw unittest ${{ matrix.test }} - ${{ matrix.arch }} - OSSL" steps: + - name: Checkout OpenVPN +uses: actions/checkout@v3 - name: Retrieve mingw unittest uses: actions/download-artifact@v3 with: @@ -97,6 +99,8 @@ path: unittests - name: Run ${{ matrix.test }} unit test run: ./unittests/test_${{ matrix.test }}.exe +env: + srcdir: "${{ github.workspace }}/tests/unit_tests/openvpn" ubuntu: strategy: @@ -279,6 +283,7 @@ configurePreset: win-${{ matrix.arch }}-release buildPreset: win-${{ matrix.arch }}-release testPreset: win-${{ matrix.arch }}-release + testPresetAdditionalArgs: "['--output-on-failure']" - uses: actions/upload-artifact@v3 with: diff --git a/CMakeLists.txt b/CMakeLists.txt index 5e07d50..be55c60 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -604,6 +604,7 @@ "test_pkt" "test_provider" "test_ssl" +"test_user_pass" ) if (WIN32) @@ -662,6 +663,10 @@ # test_networking needs special environment if (NOT ${test_name} STREQUAL "test_networking") add_test(${test_name} ${test_name}) +# for compat with autotools make check +set(_UT_SOURCE_DIR ${CMAKE_CURRENT_SOURCE_DIR}/tests/unit_tests/openvpn) +set_tests_properties(${test_name} PROPERTIES +ENVIRONMENT "srcdir=${_UT_SOURCE_DIR}") endif () add_executable(${test_name} tests/unit_tests/openvpn/${test_name}.c @@ -782,6 +787,15 @@ src/openvpn/base64.c ) +target_sources(test_user_pass PRIVATE +tests/unit_tests/openvpn/mock_get_random.c +tests/unit_tests/openvpn/mock_win32_execve.c +src/openvpn/base64.c +src/openvpn/console.c +src/openvpn/env_set.c +src/openvpn/run_command.c +) + if (TARGET test_argv) target_link_options(test_argv PRIVATE -Wl,--wrap=parse_line) target_sources(test_argv PRIVATE diff --git a/src/openvpn/misc.h b/src/openvpn/misc.h index d51609d..5ae61b5 100644 --- a/src/openvpn/misc.h +++ b/src/openvpn/misc.h @@ -118,12 +118,31 @@ #define GET_USER_PASS_INLINE_CREDS (1<<10) /* indicates that auth_file is actually inline creds */ +/** + * Retrieves the user credentials from various sources depending on the flags. + * + * @param up The user_pass structure to store the retrieved credentials. + * @param auth_file The path to the authentication file. Might be NULL. + * @param prefix The prefix to prepend to user prompts. + * @param flags Additional flags to control the behavior of the function. + * @param auth_challenge The authentication challenge string. + * @return true if the user credentials were successfully retrieved, false otherwise. + */ bool get_user_pass_cr(struct user_pass *up, const char *auth_file, const char *prefix, const unsigned int flags, const char *auth_challenge); +/** + * Retrieves the user credentials from various sources depending on the flags. + * + * @param up The user_pass structure to store the retrieved credentials. + * @param auth_file The path to the authentication file. Might be NULL. + * @param prefix The prefix to prepend to user prompts. + * @param flags Additional flags to control the behavior of the function. + * @return true if the user credentials were successfully retrieved, false otherwise. + */ static inline bool get_user_pass(struct user_pass *up, const char *auth_file, diff --git a/src/openvpn/syshead.h b/src/openvpn/syshead.h index a021c91..d2859fe 100644 --- a/src/openvpn/syshead.h +++ b/src/openvpn/syshead.h @@ -524,4 +524,10 @@
[Openvpn-devel] [PATCH applied] Re: Ensure that all unit tests use unbuffered stdout and stderr
Tested on a local "make check" run and on GHA (another option might have been to change our mock x_msg() to use stderr instead, but this way we can also see "if anything else" wants to say something on stdout). Your patch has been applied to the master branch. commit 7869617a0f85089fb5e6fbe2db6f03542a8f33f4 Author: Arne Schwabe Date: Tue Jan 23 11:43:58 2024 +0100 Ensure that all unit tests use unbuffered stdout and stderr Acked-by: Frank Lichtenheld Message-Id: <20240123104358.495517-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28122.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v3] Ensure that all unit tests use unbuffered stdout and stderr
From: Arne Schwabe stderr is normally always unbuffered but stdout can be buffered. Especially, when stdout is redirected it will become buffered while it is normally unbuffered when connected to a terminal. This mean that if the unit exits prematurely, the output in the buffered output will be lost. As the unit test x_msg mock implementation prints even fatal on stdout we ensure with this setup method that stdout is also unbuffered. Change-Id: I5c06dc13e9d8ab73997f79b13c30ee8949e5e993 Acked-by: Frank Lichtenheld --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/504 This mail reflects revision 3 of this Change. Acked-by according to Gerrit (reflected above): Frank Lichtenheld diff --git a/tests/unit_tests/openvpn/test_argv.c b/tests/unit_tests/openvpn/test_argv.c index 1b18ac0..33b3dec 100644 --- a/tests/unit_tests/openvpn/test_argv.c +++ b/tests/unit_tests/openvpn/test_argv.c @@ -12,6 +12,7 @@ #include "argv.h" #include "buffer.h" +#include "test_common.h" /* Defines for use in the tests and the mock parse_line() */ #define PATH1 "/s p a c e" @@ -252,6 +253,7 @@ int main(void) { +openvpn_unit_test_setup(); const struct CMUnitTest tests[] = { cmocka_unit_test(argv_printf__multiple_spaces_in_format__parsed_as_one), cmocka_unit_test(argv_printf_cat__multiple_spaces_in_format__parsed_as_one), diff --git a/tests/unit_tests/openvpn/test_auth_token.c b/tests/unit_tests/openvpn/test_auth_token.c index a027330..3a3cb69 100644 --- a/tests/unit_tests/openvpn/test_auth_token.c +++ b/tests/unit_tests/openvpn/test_auth_token.c @@ -35,6 +35,7 @@ #include #include "auth_token.c" +#include "test_common.h" struct test_context { struct tls_multi multi; @@ -407,6 +408,7 @@ int main(void) { +openvpn_unit_test_setup(); const struct CMUnitTest tests[] = { cmocka_unit_test_setup_teardown(auth_token_basic_test, setup, teardown), cmocka_unit_test_setup_teardown(auth_token_fail_invalid_key, setup, teardown), diff --git a/tests/unit_tests/openvpn/test_buffer.c b/tests/unit_tests/openvpn/test_buffer.c index ee84c1f..52ffb54 100644 --- a/tests/unit_tests/openvpn/test_buffer.c +++ b/tests/unit_tests/openvpn/test_buffer.c @@ -32,6 +32,7 @@ #include "buffer.h" #include "buffer.c" +#include "test_common.h" static void test_buffer_strprefix(void **state) @@ -356,6 +357,7 @@ int main(void) { +openvpn_unit_test_setup(); const struct CMUnitTest tests[] = { cmocka_unit_test(test_buffer_strprefix), cmocka_unit_test(test_buffer_printf_catrunc), diff --git a/tests/unit_tests/openvpn/test_common.h b/tests/unit_tests/openvpn/test_common.h new file mode 100644 index 000..ee211bd --- /dev/null +++ b/tests/unit_tests/openvpn/test_common.h @@ -0,0 +1,40 @@ +/* + * OpenVPN -- An application to securely tunnel IP networks + * over a single UDP port, with support for SSL/TLS-based + * session authentication and key exchange, + * packet encryption, packet authentication, and + * packet compression. + * + * Copyright (C) 2016-2021 Fox Crypto B.V. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ + +#include +#include +#include + +/** + * Sets up the environment for unit tests like making both stderr and stdout + * non-buffered to avoid messages getting lost if the program exits early. + * + * This has a openvpn prefix to avoid confusion with cmocka's unit_test_setup_* + * methods + */ +void +openvpn_unit_test_setup() +{ +assert_int_equal(setvbuf(stdout, NULL, _IONBF, BUFSIZ), 0); +assert_int_equal(setvbuf(stderr, NULL, _IONBF, BUFSIZ), 0); +} diff --git a/tests/unit_tests/openvpn/test_crypto.c b/tests/unit_tests/openvpn/test_crypto.c index 08c9c44..01c16c9 100644 --- a/tests/unit_tests/openvpn/test_crypto.c +++ b/tests/unit_tests/openvpn/test_crypto.c @@ -39,6 +39,7 @@ #include "ssl_backend.h" #include "mss.h" +#include "test_common.h" static const char testtext[] = "Dummy text to test PEM encoding"; @@ -445,6 +446,7 @@ int main(void) { +openvpn_unit_test_setup(); const struct CMUnitTest tests[] = { cmocka_unit_test(crypto_pem_encode_decode_loopback),
[Openvpn-devel] [PATCH applied] Re: Fix ssl unit tests on OpenSSL 1.0.2
Good catch, "obviously correct" :-) Your patch has been applied to the master branch. Not applied to 2.6 since these new tests are not in release/2.6 - so, but not present. commit dc4fde8052639ffbc29ccc87130a0ce25f6dcd6c Author: Arne Schwabe Date: Mon Jan 22 14:09:09 2024 +0100 Fix ssl unit tests on OpenSSL 1.0.2 Acked-by: Frank Lichtenheld Message-Id: <20240122130909.10706-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28112.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v1] Fix ssl unit tests on OpenSSL 1.0.2
From: Arne Schwabe OpenSSL 1.1.1 will initialise itself using clever linker magic. For OpenSSL 1.0.2 we need to manually initialise the library. For other unit tests just doing the OpenSSL_add_all_algorithms is enough but this unit test needs a more complete initialisation. Change-Id: I378081f391ad755d0a6fd5613de5c2a8bacc389a Acked-by: Frank Lichtenheld --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/503 This mail reflects revision 1 of this Change. Acked-by according to Gerrit (reflected above): Frank Lichtenheld diff --git a/tests/unit_tests/openvpn/test_ssl.c b/tests/unit_tests/openvpn/test_ssl.c index fd2049f..d0c3df7 100644 --- a/tests/unit_tests/openvpn/test_ssl.c +++ b/tests/unit_tests/openvpn/test_ssl.c @@ -127,13 +127,13 @@ }; #if defined(ENABLE_CRYPTO_OPENSSL) -OpenSSL_add_all_algorithms(); +tls_init_lib(); #endif int ret = cmocka_run_group_tests_name("crypto tests", tests, NULL, NULL); #if defined(ENABLE_CRYPTO_OPENSSL) -EVP_cleanup(); +tls_free_lib(); #endif return ret; ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: --http-proxy-user-pass: allow to specify in either order with --http-proxy
Stared at code, stared at manpage (+changes), patch makes sense. Haven't tested "for real" beyond "passes t_client tests", which do use http-proxy, but which do not use an authenticated proxy (yet -> TBD!). Your patch has been applied to the master and release/2.6 branch ("make behaviour consistent" counts as "bugfix", and it's only a small and localized change). commit a634cc5eccd55f1d14197da7376bb819bdf72cb6 (master) commit 1141e7505747dd6029ac7cf19b6c2de99a685ccc (release/2.6) Author: Frank Lichtenheld Date: Mon Jan 22 10:21:22 2024 +0100 --http-proxy-user-pass: allow to specify in either order with --http-proxy Signed-off-by: Frank Lichtenheld Acked-by: Gert Doering Message-Id: <20240122092122.8591-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28099.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v1] --http-proxy-user-pass: allow to specify in either order with --http-proxy
From: Frank Lichtenheld Previously, when using a third argument to --http-proxy other than auto/auto-nct, order did matter between --http-proxy and --http-proxy-user-pass. Always prefer --http-proxy-user-pass when given. Change-Id: I6f402db2fb73f1206fbc1139c47d2bf4378376fa Signed-off-by: Frank Lichtenheld Acked-by: Gert Doering --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/499 This mail reflects revision 1 of this Change. Acked-by according to Gerrit (reflected above): Gert Doering diff --git a/src/openvpn/options.c b/src/openvpn/options.c index f54f276..e393511 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -1649,6 +1649,8 @@ SHOW_STR(port); SHOW_STR(auth_method_string); SHOW_STR(auth_file); +SHOW_STR(auth_file_up); +SHOW_BOOL(inline_creds); SHOW_STR(http_version); SHOW_STR(user_agent); for (i = 0; i < MAX_CUSTOM_HTTP_HEADER && o->custom_headers[i].name; i++) @@ -6824,7 +6826,7 @@ struct http_proxy_options *ho; VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE); ho = init_http_proxy_options_once(>ce.http_proxy_options, >gc); -ho->auth_file = p[1]; +ho->auth_file_up = p[1]; ho->inline_creds = is_inline; } else if (streq(p[0], "http-proxy-retry") || streq(p[0], "socks-proxy-retry")) diff --git a/src/openvpn/proxy.c b/src/openvpn/proxy.c index e081532..e2324f4 100644 --- a/src/openvpn/proxy.c +++ b/src/openvpn/proxy.c @@ -271,6 +271,11 @@ if (!static_proxy_user_pass.defined) { unsigned int flags = GET_USER_PASS_MANAGEMENT; +const char *auth_file = p->options.auth_file; +if (p->options.auth_file_up) +{ +auth_file = p->options.auth_file_up; +} if (p->queried_creds) { flags |= GET_USER_PASS_PREVIOUS_CREDS_FAILED; @@ -280,7 +285,7 @@ flags |= GET_USER_PASS_INLINE_CREDS; } get_user_pass(_proxy_user_pass, - p->options.auth_file, + auth_file, UP_TYPE_PROXY, flags); p->queried_creds = true; diff --git a/src/openvpn/proxy.h b/src/openvpn/proxy.h index 7900244..4e78772 100644 --- a/src/openvpn/proxy.h +++ b/src/openvpn/proxy.h @@ -52,10 +52,11 @@ const char *auth_method_string; const char *auth_file; +const char *auth_file_up; /* specified with --http-proxy-user-pass */ const char *http_version; const char *user_agent; struct http_custom_header custom_headers[MAX_CUSTOM_HTTP_HEADER]; -bool inline_creds; +bool inline_creds; /* auth_file_up is inline credentials */ }; struct http_proxy_options_simple { ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: buf_string_match_head_str: Fix Coverity issue 'Unsigned compared against 0'
Arguably coverity is right here :-) Your patch has been applied to the master and release/2.6 branch (bugfix). commit bc29bd6a3376158b73d069758122739fbf93c022 (master) commit 68b00a54e779325f4ac9d9416b4e85261f771c23 (release/2.6) Author: Frank Lichtenheld Date: Fri Jan 19 13:03:41 2024 +0100 buf_string_match_head_str: Fix Coverity issue 'Unsigned compared against 0' Signed-off-by: Frank Lichtenheld Acked-by: Arne Schwabe Message-Id: <20240119120341.22933-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28093.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v1] buf_string_match_head_str: Fix Coverity issue "Unsigned compared against 0"
From: Frank Lichtenheld As Coverity says: An unsigned value can never be negative, so this test will always evaluate the same way. Was changed from int to size_t in commit 7fc608da4ec388c9209bd009cd5053ac0ff7df38 which triggered warning, but the check did not make sense before, either. Change-Id: I64f094eeb0ca8c3953a94d742adf468faf27dab3 Signed-off-by: Frank Lichtenheld Acked-by: Arne Schwabe --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/491 This mail reflects revision 1 of this Change. Acked-by according to Gerrit (reflected above): Arne Schwabe diff --git a/src/openvpn/buffer.c b/src/openvpn/buffer.c index 0b94a52..2ad3461 100644 --- a/src/openvpn/buffer.c +++ b/src/openvpn/buffer.c @@ -822,7 +822,7 @@ buf_string_match_head_str(const struct buffer *src, const char *match) { const size_t size = strlen(match); -if (size < 0 || size > src->len) +if (size > src->len) { return false; } ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: NTLM: when NTLMv1 is requested, try NTLMv2 instead
This is "master only", as it is based on the NTLMv1 removal. Haven't tested it beyond "GHA is happy" and "the code change looks reasonable and matches what the commit message says". Your patch has been applied to the master branch. commit b541a86948d7e9866b33e876fcf070fad00b3dce Author: Frank Lichtenheld Date: Thu Jan 18 16:12:42 2024 +0100 NTLM: when NTLMv1 is requested, try NTLMv2 instead Signed-off-by: Frank Lichtenheld Acked-by: Arne Schwabe Message-Id: <20240118151242.12169-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/search?l=mid=20240118151242.12169-1-g...@greenie.muc.de Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: proxy-options.rst: Add proper documentation for --http-proxy-user-pass
Your patch has been applied to the master and release/2.6 branch (docs). (2.6 needed conflict resultion because of the "NTLMv1 has been removed" line) commit d3f84afedd33734416704d5d92e8d3ac639ef491 (master) commit 7b1f2009ce9670e2e0ffea0c01b1c4922a2d4369 (release/2.6) Author: Frank Lichtenheld Date: Thu Jan 18 17:49:03 2024 +0100 proxy-options.rst: Add proper documentation for --http-proxy-user-pass Signed-off-by: Frank Lichtenheld Acked-by: Gert Doering Message-Id: <20240118164903.22519-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28083.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v1] proxy-options.rst: Add proper documentation for --http-proxy-user-pass
From: Frank Lichtenheld And extend examples section for authenticated HTTP proxies because is was misleading. Change-Id: I7a754d0b4a76a9227bf922f65176cd9ec4d7670c Signed-off-by: Frank Lichtenheld Acked-by: Gert Doering --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/498 This mail reflects revision 1 of this Change. Acked-by according to Gerrit (reflected above): Gert Doering diff --git a/doc/man-sections/proxy-options.rst b/doc/man-sections/proxy-options.rst index 9cf311f..ad49c60 100644 --- a/doc/man-sections/proxy-options.rst +++ b/doc/man-sections/proxy-options.rst @@ -4,7 +4,7 @@ is required, a file name to an ``authfile`` file containing a username and password on 2 lines can be given, or :code:`stdin` to prompt from console. Its content can also be specified in the config file with the - ``--http-proxy-user-pass`` option. (See section on inline files) + ``--http-proxy-user-pass`` option (See `INLINE FILE SUPPORT`_). The last optional argument is an ``auth-method`` which should be one of :code:`none`, :code:`basic`, or :code:`ntlm2`. @@ -25,14 +25,43 @@ Examples: :: + # no authentication http-proxy proxy.example.net 3128 + # basic authentication, load credentials from file http-proxy proxy.example.net 3128 authfile.txt + # basic authentication, ask user for credentials http-proxy proxy.example.net 3128 stdin - http-proxy proxy.example.net 3128 auto basic - http-proxy proxy.example.net 3128 auto-nct ntlm2 + # NTLM authentication, load credentials from file + http-proxy proxy.example.net 3128 authfile.txt ntlm2 + # determine which authentication is required, ask user for credentials + http-proxy proxy.example.net 3128 auto + # determine which authentication is required, but reject basic + http-proxy proxy.example.net 3128 auto-nct + # determine which authentication is required, but set credentials + http-proxy proxy.example.net 3128 auto + http-proxy-user-pass authfile.txt + # basic authentication, specify credentials inline + http-proxy proxy.example.net 3128 "" basic + + username + password + Note that support for NTLMv1 proxies was removed with OpenVPN 2.7. +--http-proxy-user-pass userpass + Overwrite the username/password information for ``--http-proxy``. If specified + as an inline option (see `INLINE FILE SUPPORT`_), it will be interpreted as + username/password separated by a newline. When specified on the command line + it is interpreted as a filename same as the third argument to ``--http-proxy``. + + Example:: + + +username +password + + --http-proxy-option args Set extended HTTP proxy options. Requires an option ``type`` as argument and an optional ``parameter`` to the type. Repeat to set multiple ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v1] NTLM: when NTLMv1 is requested, try NTLMv2 instead
From: Frank Lichtenheld Commit 21910ebc2ee8a6138eb2af8d38056d2b94e59f9c removed support for NTLMv1 authentication. This adjusts the behavior for existing configurations that specify "ntlm" keyword. Do not error out hard, instead just try to upgrade. This should work fine in many cases and will avoid breaking user configs unnecessarily on upgrade. In addition it fixes an issue with the mentioned patch where "auto" wasn't working correctly for NTLM anymore. Change-Id: Iec74e88f86cd15328f993b6cdd0317ebda81563c Signed-off-by: Frank Lichtenheld Acked-by: Arne Schwabe --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/500 This mail reflects revision 1 of this Change. Acked-by according to Gerrit (reflected above): Arne Schwabe diff --git a/Changes.rst b/Changes.rst index 69c811d..58cb3db 100644 --- a/Changes.rst +++ b/Changes.rst @@ -12,8 +12,13 @@ ``--allow-deprecated-insecure-static-crypto`` but will be removed in OpenVPN 2.8. -NTLMv1 support has been removed because it is completely insecure. -NTLMv2 support is still available, but will removed in a future release. +NTLMv1 authentication support for HTTP proxies has been removed. +This is considered an insecure method of authentication that uses +obsolete crypto algorithms. +NTLMv2 support is still available, but will be removed in a future +release. +When configured to authenticate with NTLMv1 (``ntlm`` keyword in +``--http-proxy``) OpenVPN will try NTLMv2 instead. Overview of changes in 2.6 diff --git a/doc/man-sections/proxy-options.rst b/doc/man-sections/proxy-options.rst index ad49c60..38c4578 100644 --- a/doc/man-sections/proxy-options.rst +++ b/doc/man-sections/proxy-options.rst @@ -48,6 +48,8 @@ Note that support for NTLMv1 proxies was removed with OpenVPN 2.7. + :code:`ntlm` now is an alias for :code:`ntlm2`; i.e. OpenVPN will always + attempt to use NTLMv2 authentication. --http-proxy-user-pass userpass Overwrite the username/password information for ``--http-proxy``. If specified diff --git a/src/openvpn/proxy.c b/src/openvpn/proxy.c index e2324f4..eeb3989 100644 --- a/src/openvpn/proxy.c +++ b/src/openvpn/proxy.c @@ -502,7 +502,7 @@ msg(M_FATAL, "HTTP_PROXY: server not specified"); } -ASSERT( o->port); +ASSERT(o->port); ALLOC_OBJ_CLEAR(p, struct http_proxy_info); p->options = *o; @@ -522,7 +522,8 @@ #if NTLM else if (!strcmp(o->auth_method_string, "ntlm")) { -msg(M_FATAL, "ERROR: NTLM v1 support has been removed. For now, you can use NTLM v2 by selecting ntlm2 but it is deprecated as well."); +msg(M_WARN, "NTLM v1 authentication has been removed in OpenVPN 2.7. Will try to use NTLM v2 authentication."); +p->auth_method = HTTP_AUTH_NTLM2; } else if (!strcmp(o->auth_method_string, "ntlm2")) { @@ -536,7 +537,9 @@ } } -/* only basic and NTLM/NTLMv2 authentication supported so far */ +/* When basic or NTLMv2 authentication is requested, get credentials now. + * In case of "auto" negotiation credentials will be retrieved later once + * we know whether we need any. */ if (p->auth_method == HTTP_AUTH_BASIC || p->auth_method == HTTP_AUTH_NTLM2) { get_user_pass_http(p, true); @@ -649,7 +652,8 @@ /* get user/pass if not previously given */ if (p->auth_method == HTTP_AUTH_BASIC -|| p->auth_method == HTTP_AUTH_DIGEST) +|| p->auth_method == HTTP_AUTH_DIGEST +|| p->auth_method == HTTP_AUTH_NTLM2) { get_user_pass_http(p, false); } @@ -753,7 +757,7 @@ { processed = true; } -else if ((p->auth_method == HTTP_AUTH_NTLM2) && !processed) /* check for NTLM */ +else if (p->auth_method == HTTP_AUTH_NTLM2 && !processed) /* check for NTLM */ { #if NTLM /* look for the phase 2 response */ ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: Remove conditional text for Apache2 linking exception
This concludes the changing of our license wrt the Apache2 exception - it was quite a journey... :-) Your patch has been applied to the master and release/2.6 branch. commit 275aa892c30e91adfec9276f6d6845756b141c62 (master) commit 20bc8bd5af9d1ee0489d0ee58ae9c2c2f9b0cf9f (release/2.6) Author: Arne Schwabe Date: Thu Jan 18 14:55:30 2024 +0100 Remove conditional text for Apache2 linking exception Acked-by: dazo Message-Id: <20240118135530.3911-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28077.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v1] Remove conditional text for Apache2 linking exception
From: Arne Schwabe With the reimplementation of the tls-export feature and removal/approval or being trivial of the rest of the code, now all the code falls under new license. Remove the conditional text of the license to be only valid for parts of OpenVPN. Change-Id: Ia9c5453dc08679ffb73a275ddd4f28095ff1c1f8 Acked-by: dazo --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/502 This mail reflects revision 1 of this Change. Acked-by according to Gerrit (reflected above): dazo diff --git a/COPYING b/COPYING index ab59cef..28525d7 100644 --- a/COPYING +++ b/COPYING @@ -33,11 +33,6 @@ Apache2 linking exception: --- -OpenVPN is currently undergoing a license change to add an exception for -Apache 2 linking. The following exception is only valid for new contributions -after 2023-05-03 and past contribution where the authors have already agreed -to the exception. - In addition, as a special exception, OpenVPN Inc and the contributors give permission to link the code of this program to libraries (the "Libraries") licensed under the Apache License ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v7] test_user_pass: new UT for get_user_pass
From: Frank Lichtenheld UTs for basic functionality, without management functions. v2: - add CMake support - add GHA support for both MSVC and mingw v3: - fix distcheck by adding input/ directory to dist Change-Id: I193aef06912f01426dd4ac298aadfab97dd75a35 Signed-off-by: Frank Lichtenheld Acked-by: Arne Schwabe --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/468 This mail reflects revision 7 of this Change. Acked-by according to Gerrit (reflected above): Arne Schwabe diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 51100c3..cbe77bc 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -85,11 +85,13 @@ fail-fast: false matrix: arch: [x86, x64] -test: [argv, auth_token, buffer, cryptoapi, crypto, misc, ncp, packet_id, pkt, provider, tls_crypt] +test: [argv, auth_token, buffer, cryptoapi, crypto, misc, ncp, packet_id, pkt, provider, tls_crypt, user_pass] runs-on: windows-latest name: "mingw unittest ${{ matrix.test }} - ${{ matrix.arch }} - OSSL" steps: + - name: Checkout OpenVPN +uses: actions/checkout@v3 - name: Retrieve mingw unittest uses: actions/download-artifact@v3 with: @@ -97,6 +99,8 @@ path: unittests - name: Run ${{ matrix.test }} unit test run: ./unittests/test_${{ matrix.test }}.exe +env: + srcdir: "${{ github.workspace }}/tests/unit_tests/openvpn" ubuntu: strategy: @@ -279,6 +283,7 @@ configurePreset: win-${{ matrix.arch }}-release buildPreset: win-${{ matrix.arch }}-release testPreset: win-${{ matrix.arch }}-release + testPresetAdditionalArgs: "['--output-on-failure']" - uses: actions/upload-artifact@v3 with: diff --git a/CMakeLists.txt b/CMakeLists.txt index bc46c27..bc2bb31 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -592,6 +592,7 @@ "test_packet_id" "test_pkt" "test_provider" +"test_user_pass" ) if (WIN32) @@ -650,6 +651,10 @@ # test_networking needs special environment if (NOT ${test_name} STREQUAL "test_networking") add_test(${test_name} ${test_name}) +# for compat with autotools make check +set(_UT_SOURCE_DIR ${CMAKE_CURRENT_SOURCE_DIR}/tests/unit_tests/openvpn) +set_tests_properties(${test_name} PROPERTIES +ENVIRONMENT "srcdir=${_UT_SOURCE_DIR}") endif () add_executable(${test_name} tests/unit_tests/openvpn/${test_name}.c @@ -744,6 +749,15 @@ src/openvpn/base64.c ) +target_sources(test_user_pass PRIVATE +tests/unit_tests/openvpn/mock_get_random.c +tests/unit_tests/openvpn/mock_win32_execve.c +src/openvpn/base64.c +src/openvpn/console.c +src/openvpn/env_set.c +src/openvpn/run_command.c +) + if (TARGET test_argv) target_link_options(test_argv PRIVATE -Wl,--wrap=parse_line) target_sources(test_argv PRIVATE diff --git a/src/openvpn/misc.h b/src/openvpn/misc.h index d51609d..5ae61b5 100644 --- a/src/openvpn/misc.h +++ b/src/openvpn/misc.h @@ -118,12 +118,31 @@ #define GET_USER_PASS_INLINE_CREDS (1<<10) /* indicates that auth_file is actually inline creds */ +/** + * Retrieves the user credentials from various sources depending on the flags. + * + * @param up The user_pass structure to store the retrieved credentials. + * @param auth_file The path to the authentication file. Might be NULL. + * @param prefix The prefix to prepend to user prompts. + * @param flags Additional flags to control the behavior of the function. + * @param auth_challenge The authentication challenge string. + * @return true if the user credentials were successfully retrieved, false otherwise. + */ bool get_user_pass_cr(struct user_pass *up, const char *auth_file, const char *prefix, const unsigned int flags, const char *auth_challenge); +/** + * Retrieves the user credentials from various sources depending on the flags. + * + * @param up The user_pass structure to store the retrieved credentials. + * @param auth_file The path to the authentication file. Might be NULL. + * @param prefix The prefix to prepend to user prompts. + * @param flags Additional flags to control the behavior of the function. + * @return true if the user credentials were successfully retrieved, false otherwise. + */ static inline bool get_user_pass(struct user_pass *up, const char *auth_file, diff --git a/src/openvpn/syshead.h b/src/openvpn/syshead.h index a021c91..d2859fe 100644 --- a/src/openvpn/syshead.h +++ b/src/openvpn/syshead.h @@ -524,4 +524,10 @@
Re: [Openvpn-devel] [L] Change in openvpn[release/2.6]: Backport mbed TLS 3 support to OpenVPN 2.6
Hi, On Mon, Nov 20, 2023 at 03:35:05PM +, MaxF (Code Review) wrote: > Change subject: Backport mbed TLS 3 support to OpenVPN 2.6 > .. > > Backport mbed TLS 3 support to OpenVPN 2.6 > > Based on commits > - ace7a4f1c271550bb8ad276663e045ab97a46f16 > - f53f06316dbb804128fc5cbee1d8edb274ce81df > - efad93d049c318a3bd9ea5956c6ac8237b8d6d70 > - b5faf1b2e90fd44c5137a2b8f3da98c7ae482fc1 So, after discussion with Arne how to proceed, we decided to not apply this patch from gerrit "as is", but to do explicit cherry-picking of these 4 commits - so git history directly tracks which bits came from where. This brings now 4 new commits in release/2.6: commit 001950d14eefe60fd71b6a7091161b0546ff5a9e (HEAD -> release/2.6) Author: Max Fillinger Date: Fri Nov 17 10:14:01 2023 +0100 Enable key export with mbed TLS 3.x.y (cherry picked from commit b5faf1b2e90fd44c5137a2b8f3da98c7ae482fc1) commit 7fa534dbb81c7e3d526a2e9110f35d11de26105c Author: Max Fillinger Date: Wed Nov 15 16:17:40 2023 +0100 Disable TLS 1.3 support with mbed TLS (cherry picked from commit efad93d049c318a3bd9ea5956c6ac8237b8d6d70) commit 1aa2995ebc06a2b8d6df48eb63eb15482fd07865 Author: Max Fillinger Date: Wed Oct 25 14:19:28 2023 +0200 Update README.mbedtls (cherry picked from commit f53f06316dbb804128fc5cbee1d8edb274ce81df) commit 2942ef5d405413d990d1fc2fa06976bcdd24742e Author: Max Fillinger Date: Wed Oct 25 14:18:30 2023 +0200 Add support for mbedtls 3.X.Y (cherry picked from commit ace7a4f1c271550bb8ad276663e045ab97a46f16) I have tested the resulting source tree with mbedTLS 2.28.6 (FreeBSD package default) and 3.5.1 (latest 3.x, build from source) - t_client only, but that should be sufficient - and the result is satisfactory OpenVPN 2.6.8 [git:release/2.6/001950d14eefe60f] amd64-unknown-freebsd13.2 [SSL (mbed TLS)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Jan 17 2024 library versions: mbed TLS 3.5.1, LZO 2.10 Test sets succeeded: 1 1a 1b 1c 1d 1e 2 2a 2b 2c 2d 2e 2f 3 4 4a 4b 5 6 8 8a 9 9a 9b 9x. ./t_lpback.sh: tests passed: 21 failed: 0 (that is the test result with 2.28.6 - with 3.5.1, all tests involving BF-CBC fail, as that is no longer a supported cipher, but everything else passes just fine) gert -- "If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor." Robert A. Heinlein, The Moon is a Harsh Mistress Gert Doering - Munich, Germany g...@greenie.muc.de signature.asc Description: PGP signature ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: Fix various 'Uninitialized scalar variable' warnings from Coverity
Generally I'm not a big fan of code changes just to appease a checking tool, but I can see why coverity would warn (we pass on structures that contain possibly-uninitialized data, and the callee "might decide to use them"). Your patch has been applied to the master branch. commit 327355f5174772ad2c788aaeb2a7b4db39cff385 Author: Frank Lichtenheld Date: Sun Oct 8 12:36:41 2023 +0200 Fix various 'Uninitialized scalar variable' warnings from Coverity Signed-off-by: Frank Lichtenheld Acked-by: Arne Schwabe Message-Id: <20231008103641.19864-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27157.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel