Re: [Openvpn-devel] [PATCH v4 2/3] plug-ins: Disallow multiple deferred authentication plug-ins

2022-03-15 Thread Frank Lichtenheld
> Antonio Quartulli wrote on 15.03.2022 16:11: > Frank reported that we should use double space after the full-stop. > Honestly I'd prefer just single-space everywhere as it is more > "traditional". Yeah, I also prefer one space but I actually grepped the code and while it is somew

[Openvpn-devel] [PATCH applied] Re: plug-ins: Disallow multiple deferred authentication plug-ins

2022-03-15 Thread Gert Doering
I have not done formal testing, just verified that the code change is the same and that it compiles. The "plugin.c" module did change quite a bit since 2.4 (PF removal, argv overhaul, ENABLE_CRYPTO, etc.) but the code patched here - plugin_call_ssl() - is identical. Your patch has been applied t

Re: [Openvpn-devel] [PATCH v2.4 v5 3/3] plug-ins: Remove defer/simple.c sample plugin

2022-03-15 Thread Gert Doering
Hi, On Tue, Mar 15, 2022 at 04:53:44PM +0100, David Sommerseth wrote: > From: David Sommerseth > > The use case for this plug-in is dubious now with the new multi-auth.c > plugin available. This new plugin is based on simple.c, but allows > far more flexibility for testing. As for 1/3 v5, we d

Re: [Openvpn-devel] [PATCH v2.4 v5 1/3] sample-plugin: New plugin for testing multiple auth plugins

2022-03-15 Thread Gert Doering
Hi, On Tue, Mar 15, 2022 at 04:53:42PM +0100, David Sommerseth wrote: > From: David Sommerseth > > This plugin allows setting username/passwords as well as configure > deferred authentication behaviour as part of the runtime initialization. > > With this plug-in it is easier to test various sce

[Openvpn-devel] [PATCH applied] Re: plug-ins: Disallow multiple deferred authentication plug-ins

2022-03-15 Thread Gert Doering
This is the same patch that Antonio tested when it was still only discussed on the security@ list (except for the "two spaces" comment fix). Also, fixed a "do" -> "does" in plugin-options.rst. As discussed before, I still think that "aborting the server process" is excessive and we should just r

[Openvpn-devel] [PATCH v2.4 v5 1/3] sample-plugin: New plugin for testing multiple auth plugins

2022-03-15 Thread David Sommerseth
From: David Sommerseth This plugin allows setting username/passwords as well as configure deferred authentication behaviour as part of the runtime initialization. With this plug-in it is easier to test various scenarios where multiple authentication plug-ins are active on the server side. A tes

[Openvpn-devel] [PATCH v2.4 v5 2/3] plug-ins: Disallow multiple deferred authentication plug-ins

2022-03-15 Thread David Sommerseth
From: David Sommerseth The plug-in API in OpenVPN 2.x is not designed for running multiple deferred authentication processes in parallel. The authentication results of such configurations are not to be trusted. For now we bail out when this is discovered with an error in the log. CVE: 2022-0547 Si

[Openvpn-devel] [PATCH v2.4 v5 3/3] plug-ins: Remove defer/simple.c sample plugin

2022-03-15 Thread David Sommerseth
From: David Sommerseth The use case for this plug-in is dubious now with the new multi-auth.c plugin available. This new plugin is based on simple.c, but allows far more flexibility for testing. Signed-off-by: David Sommerseth --- sample/sample-plugins/defer/README | 3 - sample/sample-

[Openvpn-devel] [PATCH v2.4 v5 0/3] Disable multiple deferred authentication plug-ins

2022-03-15 Thread David Sommerseth
From: David Sommerseth This is the same patch set as the v4 [1] patch set, just without the embarrassing syntax error in the second patch. [1] Message-Id: 20220313200715.13518-1-open...@sf.lists.topphemmelig.ne

[Openvpn-devel] [PATCH applied] Re: sample-plugin: New plugin for testing multiple auth plugins

2022-03-15 Thread Gert Doering
Diffing the patch against the previous one only circulated on the seclist shows no differences except "mail headers", and I have reviewed and tested that plugin for my "multiple deferred auth" (draft) patch. So, today only tested that it builds on both branches (it does). If someone wants to spen

[Openvpn-devel] [PATCH applied] Re: plugins: Remove defer/simple.c sample plugin

2022-03-15 Thread Gert Doering
This one does not need much brains to review - "does it apply" and "does it break 'make distcheck'" (yes, and no). The reason why this plugin is deleted is because the new multi-auth plugin does mostly the same thing, "but more" - and it's 90% the same code, so not much to be learned from the olde

Re: [Openvpn-devel] [PATCH v2.4 v4 2/3] plug-ins: Disallow multiple deferred authentication plug-ins

2022-03-15 Thread Gert Doering
Hi, On Sun, Mar 13, 2022 at 09:07:14PM +0100, David Sommerseth wrote: > case OPENVPN_PLUGIN_FUNC_DEFERRED: > -deferred = true; > +if ((type == OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY > +&& deferred_auth_done) > +
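
Review bot: In the added condition under `case OPENVPN_PLUGIN_FUNC_DEFERRED:`, `if ((type == OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY` opens two parentheses, but only one closing parenthesis is visible, after `deferred_auth_done`, before the quoted text cuts off. Close the type comparison before the `&&`, as in `(type == OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY)`, or drop the extra opening parenthesis so the condition is balanced, and compile-test the backport before resending.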

Re: [Openvpn-devel] [PATCH v2.4 v4 1/3] sample-plugin: New plugin for testing multiple auth plugins

2022-03-15 Thread Gert Doering
Hi, On Sun, Mar 13, 2022 at 09:07:13PM +0100, David Sommerseth wrote: > From: David Sommerseth > > This plugin allows setting username/passwords as well as configure > deferred authentication behaviour as part of the runtime initialization. > > With this plug-in it is easier to test various sce

Re: [Openvpn-devel] [PATCH v4 3/3] plugins: Remove defer/simple.c sample plugin

2022-03-15 Thread Antonio Quartulli
Hi, On 13/03/2022 20:31, David Sommerseth wrote: From: David Sommerseth The use case for this plug-in is dubious now with the new multi-auth.c plugin available. This new plugin is based on simple.c, but allows far more flexibility for testing. Signed-off-by: David Sommerseth Same as the p

Re: [Openvpn-devel] [PATCH v4 2/3] plug-ins: Disallow multiple deferred authentication plug-ins

2022-03-15 Thread Antonio Quartulli
Hi, On 13/03/2022 20:31, David Sommerseth wrote: From: David Sommerseth The plug-in API in OpenVPN 2.x is not designed for running multiple deferred authentication processes in parallel. The authentication results of such configurations are not to be trusted. For now we bail out when this dis

Re: [Openvpn-devel] [PATCH v4 1/3] sample-plugin: New plugin for testing multiple auth plugins

2022-03-15 Thread Antonio Quartulli
Hi, On 13/03/2022 20:31, David Sommerseth wrote: From: David Sommerseth This plugin allows setting username/passwords as well as configure deferred authentication behaviour as part of the runtime initialization. With this plug-in it is easier to test various scenarios where multiple authentic

Re: [Openvpn-devel] [PATCH v2.4 v4 3/3] plug-ins: Remove defer/simple.c sample plugin

2022-03-15 Thread Antonio Quartulli
Hi, On 13/03/2022 21:07, David Sommerseth wrote: From: David Sommerseth The use case for this plug-in is dubious now with the new multi-auth.c plugin available. This new plugin is based on simple.c, but allows far more flexibility for testing. Signed-off-by: David Sommerseth Does nothing

Re: [Openvpn-devel] [PATCH v2.4 v4 2/3] plug-ins: Disallow multiple deferred authentication plug-ins

2022-03-15 Thread Antonio Quartulli
Hi, On 13/03/2022 21:07, David Sommerseth wrote: From: David Sommerseth The plug-in API in OpenVPN 2.x is not designed for running multiple deferred authentication processes in parallel. The authentication results of such configurations are not to be trusted. For now we bail out when this dis

Re: [Openvpn-devel] [PATCH v2.4 v4 1/3] sample-plugin: New plugin for testing multiple auth plugins

2022-03-15 Thread Antonio Quartulli
Hi, On 13/03/2022 21:07, David Sommerseth wrote: From: David Sommerseth This plugin allows setting username/passwords as well as configure deferred authentication behaviour as part of the runtime initialization. With this plug-in it is easier to test various scenarios where multiple authentic

Re: [Openvpn-devel] [PATCH v2 release/2.5] msvc: adjust build options to harden binaries

2022-03-15 Thread Frank Lichtenheld
Acked-by: Frank Lichtenheld Build tested on Win10 VS 2019. See notes below about the patch dependency. > Lev Stipakov wrote on 19.02.2022 00:52: > > > From: Lev Stipakov > > - enable hardware-enforced stack protection on > compatible hardware/software (/CETCOMPAT linker option)

Re: [Openvpn-devel] [PATCH v2] msvc: adjust build options to harden binaries

2022-03-15 Thread Frank Lichtenheld
Acked-By: Frank Lichtenheld Build-tested on Win 10 with VS 2019. > Lev Stipakov wrote on 19.02.2022 00:50: > > > From: Lev Stipakov > > - enable hardware-enforced stack protection on > compatible hardware/software (/CETCOMPAT linker option) > > - hash object files with SHA256

Re: [Openvpn-devel] [PATCH master+release/2.5] vcpkg-ports/pkcs11-helper: adapt to new upstream URL

2022-03-15 Thread Samuli Seppänen
Based on my testing this fixes the Windows build issues. ACK. On 14.3.2022 14.03, Lev Stipakov wrote: From: Lev Stipakov Signed-off-by: Lev Stipakov --- contrib/vcpkg-ports/pkcs11-helper/CONTROL| 2 +- contrib/vcpkg-ports/pkcs11-helper/portfile.cmake | 8 2 files ch