Re: [Openvpn-devel] RFC: tchar removal patch series

2025-01-08 Thread Selva Nair
Hi, I think the use of tchar is outdated and I'm all for purging it. best, Selva On Wed, Jan 8, 2025 at 8:57 AM Frank Lichtenheld wrote: > Hi. > > Today I submitted a patch series that removes all usages of > tchar.h from the OpenVPN 2 code base. You can see the full > series here: https://ge

Re: [Openvpn-devel] [PATCH] Allow setting an empty auth-token in push replies

2024-10-23 Thread Selva Nair
On Wed, Oct 23, 2024 at 11:47 AM Razvan Cojocaru wrote: > On 10/23/24 18:25, Selva Nair wrote: > > Wouldn't pushing "HALT" instead of "AUTH_FAILED" work in this case? > > As in the management command "client-kill {cid} HALT" which calls >

Re: [Openvpn-devel] [PATCH] Allow setting an empty auth-token in push replies

2024-10-23 Thread Selva Nair
On Wed, Oct 23, 2024 at 11:03 AM Razvan Cojocaru wrote: > On 10/23/24 17:50, Gert Doering wrote: > > OK, so I see what is happening - you're sending an AUTH_FAILED "out of > > the blue", not in response to a client handshake, right? > > Exactly. In response to a client handshake there's no proble

Re: [Openvpn-devel] [PATCH applied] Re: Interpret --key and --cert option argument as URI

2024-09-10 Thread Selva Nair
Hi, On Tue, Sep 10, 2024 at 5:48 PM Arne Schwabe wrote: > > > > > Your patch has been applied to the master branch. > > > > commit 3512e8d3ada4fa7d04925a89fd9f3669655c7887 (master) > > Author: Selva Nair > > Date: Fri Sep 6 12:37:34 2024 +0200 > >

[Openvpn-devel] [PATCH] Fix more of uninitialized struct user_pass local vars

2024-09-09 Thread selva . nair
From: Selva Nair Not all of these touch uninitialized members of the struct, but that could change in future. Change-Id: I71bc847b48da54b70f60ccd7c4521ec699daf9cb Signed-off-by: Selva Nair --- There is an unused & uninitialized struct user_pass in tun.c for ANDROID. Could be removed?

Re: [Openvpn-devel] [PATCH applied] Re: Static-challenge concatenation option

2024-09-09 Thread Selva Nair
> > Is the GUI support already committed? I seem to remember seeing a PR > for that "weeks ago"... and someone needs to bring Tunnelblick on board. > GUI patch is still in a private branch -- will submit a PR soon. I've sent a note to Jon about the change. Selva

Re: [Openvpn-devel] [PATCH applied] Re: Interpret --key and --cert option argument as URI

2024-09-08 Thread Selva Nair
> > > But anyway, there might be an undefined variable lurking > in > > /* If pkcs#11 Use custom prompt similar to pkcs11-helper */ > if (strstr(prompt, "PKCS#11")) > { > struct user_pass up; > get_user_pass(&up, NULL, "PKCS#11 token", ... > > "up"

[Openvpn-devel] [PATCH] Initialize before use struct user_pass in ui_reader()

2024-09-08 Thread selva . nair
From: Selva Nair This was missed in commit 3512e8d3ad Also add a comment to clarify how pem_password_callback is accessed in ui_reader(). Change-Id: I82835ff8e1e31e067efd81bfb6e8cd19ee004d9c Signed-off-by: Selva Nair --- src/openvpn/ssl_openssl.c | 5 - 1 file changed, 4 insertions(+), 1

[Openvpn-devel] [PATCH v1] Add test for static-challenge concatenation option

2024-08-30 Thread selva . nair
From: Selva Nair Change-Id: I41f6c1f7acb58f30fc4db0e32505018f64fcad28 Signed-off-by: Selva Nair Acked-by: Arne Schwabe Acked-by: Frank Lichtenheld --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https

[Openvpn-devel] [PATCH] test_pkcs11.c: set file offset to 0 after ftruncate

2024-08-12 Thread selva . nair
From: Selva Nair Currently key and cert file fd's are reused after ftruncate() without setting the offset to zero. This causes subsequent data to be written at some finite offset with the hole in the file automatically filled by zeros. Fix it by calling lseek() to set the offset to zero.
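The file-offset behaviour this patch describes, as an added example that is not code from the test_pkcs11.c patch or the OpenVPN tree: one descriptor is written to, ftruncate()d to zero and written to again. Without an lseek() the second write lands at the old offset and the kernel fills the gap with zeros, so the file is larger than the data written and starts with a hole; with the lseek() the file holds only the second payload. The scratch path under /tmp and the payload sizes are constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Write all of buf to fd at the current offset, looping over short writes.
 * Returns 0 on success, -1 on error. */
static int write_all(int fd, const char *buf, size_t len)
{
    while (len > 0) {
        ssize_t n = write(fd, buf, len);
        if (n < 0) {
            return -1;
        }
        buf += n;
        len -= (size_t)n;
    }
    return 0;
}

/* Reuse one descriptor for two payloads: write first_len bytes, ftruncate()
 * to zero, then write second_len bytes.  When rewind is nonzero,
 * lseek(fd, 0, SEEK_SET) is called after ftruncate(), which is the fix.
 * On success stores the final size and the byte at offset 0, returns 0. */
static int reuse_fd(int rewind, size_t first_len, size_t second_len,
                    off_t *size_out, unsigned char *first_byte_out)
{
    char path[] = "/tmp/ftruncate_demo_XXXXXX";   /* constructed scratch file */
    int fd = mkstemp(path);
    if (fd < 0) {
        return -1;
    }
    unlink(path);   /* keep the open descriptor, drop the name */

    char *first = malloc(first_len);
    char *second = malloc(second_len);
    int rc = -1;
    if (first && second) {
        memset(first, 'A', first_len);
        memset(second, 'B', second_len);
        struct stat st;
        if (write_all(fd, first, first_len) == 0
            && ftruncate(fd, 0) == 0
            /* without the rewind the offset is still first_len */
            && (!rewind || lseek(fd, 0, SEEK_SET) == 0)
            && write_all(fd, second, second_len) == 0
            && fstat(fd, &st) == 0
            && pread(fd, first_byte_out, 1, 0) == 1) {
            *size_out = st.st_size;
            rc = 0;
        }
    }
    free(first);
    free(second);
    close(fd);
    return rc;
}

/* Final file size after the two writes (100 then 50 bytes); -1 on error.
 * Without the rewind: 150 (100-byte hole + 50), with it: 50. */
long size_after_reuse(int rewind)
{
    off_t size;
    unsigned char b;
    return reuse_fd(rewind, 100, 50, &size, &b) == 0 ? (long)size : -1;
}

/* Byte found at offset 0 after the two writes; -1 on error.  Without the
 * rewind it is a zero byte from the hole, with it the first 'B'. */
int first_byte_after_reuse(int rewind)
{
    off_t size;
    unsigned char b;
    return reuse_fd(rewind, 100, 50, &size, &b) == 0 ? (int)b : -1;
}
```

The same effect shows up with any descriptor reused across ftruncate(); in the unit test it meant the PEM data started after a run of NUL bytes, which is why the parser never saw a valid key.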

Re: [Openvpn-devel] [PATCH v3] interactive.c: Improve access control for gui<->service pipe

2024-06-19 Thread Selva Nair
{ > -MsgToEventLog(M_SYSERR, TEXT("Could not set entries in new acl")); > -return CloseHandleEx(&pipe); > -} > - > -if (SetSecurityInfo(pipe, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, > -NULL, NULL, new_dacl, NULL) !
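Review bot: dropping the post-creation SetSecurityInfo(pipe, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, ...) call is only safe if the new DACL is handed to CreateNamedPipe through a security descriptor at creation time; otherwise the pipe exists with the default DACL for the window between creation and the ACL being applied. The v2 note further down about freeing the sd even when pipe creation fails suggests that is what the series does, but this excerpt does not show the creation call, so it is the line to check in review.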

Re: [Openvpn-devel] [PATCH] interactive.c: Improve access control for gui<->service pipe

2024-06-19 Thread Selva Nair
Forgot to add: This applies only to 2.6 -- for master we'll need a rebased version. On Wed, Jun 19, 2024 at 9:51 AM Selva Nair wrote: > > > On Wed, Jun 19, 2024 at 9:47 AM Lev Stipakov wrote: > >> At the moment everyone but anonymous are permitted >> to create

Re: [Openvpn-devel] [PATCH] interactive.c: Improve access control for gui<->service pipe

2024-06-19 Thread Selva Nair
I35e783b79a332d247606e05a39e41b4d35d39b5d > Reported by: Zeze with TeamT5 > Signed-off-by: Lev Stipakov > --- > v2: > - ensure that sd is freed even if pipe creation failed > - added Reported-By > Acked-by: Selva Nair

[Openvpn-devel] [PATCH v2] Document that auth-user-pass may be inlined

2024-02-20 Thread selva . nair
From: Selva Nair Commits 7d48d31b, 39619b7f added support for inlining username and, optionally, password. Add a description of its usage in the man page. Github: resolves OpenVPN/openvpn#370 Change-Id: I7a1765661f7676eeba8016024080fd1026220ced Signed-off-by: Selva Nair --- v2: Add

[Openvpn-devel] [PATCH] Document that auth-user-pass may be inlined

2024-02-19 Thread selva . nair
From: Selva Nair Commits 7d48d31b, 39619b7f added support for inlining username and, optionally, password. Add a description of its usage in the man page. Change-Id: I7a1765661f7676eeba8016024080fd1026220ced Signed-off-by: Selva Nair --- Does this have to go through gerrit? doc/man-sections

Re: [Openvpn-devel] [PATCH] man: extend description for "dhcp-option DNS" on Windows

2023-10-05 Thread Selva Nair
Hi, On Tue, Sep 5, 2023 at 5:41 PM Antonio Quartulli wrote: > From: Antonio Quartulli > > Add an important detail about the DNS configured via this option > to be an "interface-specific" DNS. This detail is important when > troubleshooting DNS issues since this logic will bypass the > routing t

[Openvpn-devel] [PATCH] Log OpenSSL errors on failure to set certificate

2023-10-01 Thread selva . nair
From: Selva Nair Currently we log a bogus error message saying private key password verification failed when SSL_CTX_use_cert_and_key() fails in pkcs11_openssl.c. Instead print OpenSSL error queue and exit promptly. Also log OpenSSL errors when SSL_CTX_use_certificate() fails in cryptoapi.c and

Re: [Openvpn-devel] pkcs11 config changes from 2.5.4 to 2.6.6 ?

2023-09-29 Thread Selva Nair
> > > > > Good point. But, unless the config has "tls-cert-profile foo", we still > > default to legacy and call SSL_CTX_set_security_level(ctx, 1), isn't it? > > Wouldn't that allow SHA1 with 3.1.x ? > > For SHA1 you need security 0 aka tls-cert-profile insecure. > > But we might update OpenVPN to

Re: [Openvpn-devel] pkcs11 config changes from 2.5.4 to 2.6.6 ?

2023-09-28 Thread Selva Nair
Hi Mike I misunderstood Arne's comment. We default to security level 1 but that forbids SHA1 signatures in OpenSSL 3.0+. Could you test with "tls-cert-profile Insecure" in the config file? It's not recommended but useful to check. Thanks, Selva On Thu, Sep 28, 2023 at 7:08 PM mike tancsa wrot

Re: [Openvpn-devel] pkcs11 config changes from 2.5.4 to 2.6.6 ?

2023-09-28 Thread Selva Nair
On Thu, Sep 28, 2023 at 8:55 PM Arne Schwabe wrote: > > Am 29.09.2023 um 01:08 schrieb mike tancsa: > > Hi Selva, > > Thank you for looking! > > My guess is that something in the certificate or private key is not to > OpenSSL 3.1's liking and it rejects it. Is there any way for you to check >

Re: [Openvpn-devel] pkcs11 config changes from 2.5.4 to 2.6.6 ?

2023-09-28 Thread Selva Nair
Hi Mike, On Thu, Sep 28, 2023 at 5:28 PM mike tancsa wrote: > I am starting to test out 2.6.6 with a config that worked in 2.5.4 but > am getting a failure on connect. I did have a look through the > Changes.rst file but didn't see anything different ? The only pkcs11 bits > I have in the confi

Re: [Openvpn-devel] [PATCH v2] show extra info for OpenSSL errors

2023-08-11 Thread Selva Nair
all(const char **file, int *line, > + const char **func, > + const char **data, int *flags) > +{ > +static const char *empty = ""; > +*func = empty; > +long err = ERR_get_error_line_data(file, line, data, flags); > I think you missed changing that to "unsigned long err = " +return err; > +} > + > #endif /* OPENSSL_VERSION_NUMBER < 0x3000L */ > > #endif /* OPENSSL_COMPAT_H_ */ > -- > 2.39.2 (Apple Git-143) > The above could be handled at merge time, so: Acked-by: Selva Nair

Re: [Openvpn-devel] [PATCH 2/2] signal_reset(): combine check and reset operations

2023-07-25 Thread Selva Nair
On Tue, Jul 25, 2023 at 6:18 AM Frank Lichtenheld wrote: > On Sat, Jan 28, 2023 at 04:59:01PM -0500, selva.n...@gmail.com wrote: > > From: Selva Nair > > > > - "if (sig == X) signal_reset(sig)" now becomes > > "signal_reset(sig, X)" so that th

Re: [Openvpn-devel] [PATCH applied] Re: Improve signal handling using POSIX sigaction

2023-07-23 Thread Selva Nair
On Sun, Jul 23, 2023 at 5:28 AM Gert Doering wrote: > > The actual "change to POSIX ways" part of this is fairly trivial > and easy to understand :-) - though I do wonder why you're using > an extra variable for block_mask -> sa.sa_mask, and not using > sigfillset(&sa.sa_mask) - at least on BSD o
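An added example of the two points raised in the sigaction threads above (the combined check-and-reset from the signal_reset() thread and the sigfillset()-filled sa_mask from this one), written for this page and not taken from OpenVPN's sig.c: a handler installed with sigaction() whose sa_mask is filled with sigfillset(), so no other handler interrupts it, plus a signal_reset(expected) that folds the "if (sig == X) reset" check and the reset into one step. The check-and-reset runs with signals blocked, so a signal arriving between the compare and the clear cannot be lost. Leaving out SA_RESTART so that blocking calls return EINTR is an assumption about what the event loop wants, not something the thread states; the helper names are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdbool.h>
#include <string.h>

static volatile sig_atomic_t pending_signal = 0;

/* Record the signal; keep the first one until the main loop consumes it. */
static void record_signal(int sig)
{
    if (pending_signal == 0) {
        pending_signal = sig;
    }
}

/* Install record_signal for each signal in sigs.  sa_mask is filled with
 * sigfillset() so no other handler runs while this one executes.
 * Returns 0 on success, -1 if any sigaction() call fails. */
int install_signal_handlers(const int *sigs, int n)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = record_signal;
    sigfillset(&sa.sa_mask);
    sa.sa_flags = 0;   /* no SA_RESTART (assumption): blocking calls return EINTR */
    for (int i = 0; i < n; i++) {
        if (sigaction(sigs[i], &sa, NULL) != 0) {
            return -1;
        }
    }
    return 0;
}

/* What the main loop sees: the pending signal number, 0 if none. */
int signal_get(void)
{
    return pending_signal;
}

/* Combined "if (pending == expected) reset" step.  Returns true and clears
 * the slot only when the stored signal is the one the caller just handled;
 * a different pending signal is left untouched for its own handler. */
bool signal_reset(int expected)
{
    /* Block everything around the read-modify-write so a handler cannot
     * store a new signal between the compare and the clear. */
    sigset_t all, old;
    sigfillset(&all);
    sigprocmask(SIG_BLOCK, &all, &old);
    bool matched = (pending_signal == expected);
    if (matched) {
        pending_signal = 0;
    }
    sigprocmask(SIG_SETMASK, &old, NULL);
    return matched;
}

/* Install the handler for SIGUSR1/SIGUSR2, deliver SIGUSR1 to ourselves and
 * report what the main loop would see.  Returns the signal number, -1 on error. */
int demo_usr1(void)
{
    const int sigs[] = { SIGUSR1, SIGUSR2 };
    if (install_signal_handlers(sigs, 2) != 0) {
        return -1;
    }
    if (raise(SIGUSR1) != 0) {
        return -1;
    }
    return signal_get();
}
```

After demo_usr1() the loop would call signal_reset(SIGUSR2) and get false with SIGUSR1 still pending, then signal_reset(SIGUSR1) and get true with the slot cleared; the two-argument form makes it impossible to reset a signal the caller did not actually handle.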

Re: [Openvpn-devel] [PATCH] show extra info for OpenSSL errors

2023-07-12 Thread Selva Nair
Hi, This looks good except that the format of the log could be kept closer to the current one: On Fri, Jul 7, 2023 at 2:59 PM Arne Schwabe wrote: > This also shows the extra data from the OpenSSL error function that > can contain extra information. For example, the command > > openvpn --pro

[Openvpn-devel] Fwd: [PATCH] tun.c: enclose DNS domain in single quotes in WMIC call

2023-07-10 Thread Selva Nair
es get interpreted special (like 'foo>bar' vs "foo>bar"). That said, for valid domain names, the only expected characters are alpha-numeric, hyphen and period, and single quotes should work. I have only tested this using wmic command line, not the resulting openvpn.exe. Acked-

Re: [Openvpn-devel] [PATCH v2 2/2] Fix CR_RESPONSE management message using wrong key_id

2023-07-04 Thread Selva Nair
struct tls_multi *multi, > unsigned int mda_key_id) > for (int i = 0; i < KEY_SCAN_SIZE; ++i) > { > struct key_state *ks = get_key_scan(multi, i); > -if (ks->mda_key_id == mda_key_id) > +if (ks->mda_key_id == mda_key_id && ks->st

Re: [Openvpn-devel] [PATCH 1/2] Improve signal handling using POSIX sigaction

2023-06-26 Thread Selva Nair
On Mon, May 29, 2023 at 3:07 PM Gert Doering wrote: > Hi, > > On Thu, May 25, 2023 at 02:41:10PM -0400, Selva Nair wrote: > > Now that 2.6 appears to have reached a fairly stable state, may I request > > you to look into this patch for 2.7 -- this one has an ACK (thanks t

Re: [Openvpn-devel] [PATCH 1/2] Improve signal handling using POSIX sigaction

2023-05-25 Thread Selva Nair
down into the details to resolve them. Right now it looks like no one has yet touched related chunks. Thanks, Selva On Tue, Jan 31, 2023 at 5:48 AM Frank Lichtenheld wrote: > On Sat, Jan 28, 2023 at 04:59:00PM -0500, selva.n...@gmail.com wrote: > > From: Selva Nair > > >

Re: [Openvpn-devel] [PATCH v3] tapctl: generate driver-specific adapter names

2023-05-19 Thread Selva Nair
Acked-by: Selva Nair On Fri, May 19, 2023 at 4:27 AM Lev Stipakov wrote: > From: Lev Stipakov > > At the moment if --name is not specified, adapter names > are generated by Windows and they look a bit confusing > like "Local Area Connection 2". > > This is also

Re: [Openvpn-devel] [PATCH 2/2] Fix CR_RESPONSE management message using wrong key_id

2023-05-19 Thread Selva Nair
Hi, While this bugfix should be merged, I'm conflicted about the way these two patches are split up. It just makes reviewing harder than it should be. They actually form two independent changes but with one half intersecting with the other for no reason. On Wed, May 17, 2023 at 7:03 AM Arne Sch

Re: [Openvpn-devel] [PATCH v2] tapctl: generate driver-specific adapter names

2023-05-18 Thread Selva Nair
Hi, On Thu, May 18, 2023 at 12:25 PM Lev Stipakov wrote: > From: Lev Stipakov > > At the moment if --name is not specified, adapter names > are generated by Windows and they look a bit confusing > like "Local Area Connection 2". > > This is also behavior of "Add a new virtual network > adapter

[Openvpn-devel] [PATCH] Interactive service: do not force a target desktop for openvpn.exe

2023-05-18 Thread selva . nair
From: Selva Nair Setting the desktop as "winsta0\default" does not always work when run from a non-interactive session which may not have access to the window station "Winsta0". Leave this as NULL to let the system automatically assign a window station and desktop.

Re: [Openvpn-devel] [PATCH] Fix CR_RESPONSE management message using wrong key_id

2023-05-16 Thread Selva Nair
Hi, Is this dependent on some patch not yet merged? See missing context below. On Tue, May 16, 2023 at 12:36 PM Arne Schwabe wrote: > the management interface expects the management key id instead > of the openvpn key id. In the past they often were the same for low ids > which hid the bug quit

[Openvpn-devel] [PATCH] Correctly handle Unicode names for exit event

2023-05-15 Thread selva . nair
From: Selva Nair Currently we use the ANSI version of CreateEvent causing name of the exit event to be interpreted differently depending on the code page in effect. Internally all strings parsed from command line and config file are stored as UTF8-encoded Unicode. When passed to Windows API calls

[Openvpn-devel] [PATCH] Bugfix: dangling pointer passed to pkcs11-helper

2023-05-09 Thread selva . nair
From: Selva Nair Github: Fixes OpenVPN/openvpn#323 Signed-off-by: Selva Nair --- This will fix #323 is my best guess, untested as yet.. This is a bug that needs fixing, regardless. src/openvpn/pkcs11_openssl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/openvpn

Re: [Openvpn-devel] [PATCH v2] Add Apache2 linking with for new commits

2023-04-25 Thread Selva Nair
Hi, On Tue, Apr 25, 2023 at 6:22 AM Arne Schwabe wrote: > After first round of mailing people with more than 10 commits we have > almost all committers have agreed. This puts this license in the realm > of having a realistic chance to work. Had any of these contributors > disagreed, rewriting all

Re: [Openvpn-devel] [PATCH] Add Apache2 linking with for new commits

2023-04-21 Thread Selva Nair
exemption -> exception in a number of places below Though similar in meaning, better to use the standard wording here. On Fri, Apr 21, 2023 at 11:02 AM Arne Schwabe wrote: > After first round of mailing people with more than 10 commits we have > almost all committers have agreed. This puts this

[Openvpn-devel] [PATCH v2] Format Windows error message in Unicode

2023-04-18 Thread selva . nair
From: Selva Nair - We assume that all text passed to the management interface and written to log file are in Unicode (UTF-8). This is broken by the use of the ANSI version of FormatMessage() for Windows error messages. Fix by using FormatMessageW() and converting the UTF-16 result to UTF

[Openvpn-devel] [PATCH] Format Windows error message in Unicode

2023-04-18 Thread selva . nair
From: Selva Nair - We assume that all text passed to the management interface and written to log file are in Unicode (UTF-8). This is broken by the use of the ANSI version of FormatMessage() for Windows error messages. Fix by using FormatMessageW() and converting the UTF-16 result to UTF

Re: [Openvpn-devel] [PATCH v2] Support of DNS domain for DHCP-less drivers

2023-04-06 Thread Selva Nair
lse if (tt->options.ip_win32_type == IPW32_SET_NETSH) > +else > { > - netsh_delete_address_dns(tt, false, &gc); > +do_dns_domain_wmic(false, tt); > + > +if (tt->options.ip_win32_type == IPW32_SET_NETSH) > +{ > +
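Review bot: with the else branch restructured, do_dns_domain_wmic(false, tt) now runs for every ip_win32_type that did not take the earlier branch, and it runs before the IPW32_SET_NETSH check; confirm it returns early when no DNS domain was pushed, otherwise closing the adapter spawns a WMIC process for configurations that never set a domain. A guard on the pushed domain at the top of do_dns_domain_wmic() would make that explicit.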

Re: [Openvpn-devel] [PATCH] Support of DNS domain for DHCP-less drivers

2023-04-05 Thread Selva Nair
Hi, On Tue, Apr 4, 2023 at 4:01 AM Lev Stipakov wrote: > From: Lev Stipakov > > We set DNS domain either via interactive service or DHCP. > When interactive service is not used, for example, > when profiles are started by OpenVPNService, this option > is not working for DCO and wintun. > > This

Re: [Openvpn-devel] [PATCH applied] Re: Bug-fix: segfault in dco_get_peer_stats()

2023-03-28 Thread Selva Nair
On Tue, Mar 28, 2023 at 3:25 AM Gert Doering wrote: > Acked-by: Antonio Quartulli > > Thanks for the good find. Since I could reproduce the crash yesterday > (and I do need management for it) I can verify that it does no longer > crash with the patch. > > (For whatever reason, --tls-version-max

Re: [Openvpn-devel] [PATCH] Bug-fix: segfault in dco_get_peer_stats()

2023-03-27 Thread Selva Nair
inux), too much to ask the caller to check that a valid dco handle is available. Selva On Mon, Mar 27, 2023 at 4:42 PM Selva Nair wrote: > > > On Mon, Mar 27, 2023 at 4:30 PM Antonio Quartulli wrote: > >> Hi, >> >> On 27/03/2023 19:12, selva.n...@gmail.com wrote

Re: [Openvpn-devel] [PATCH] Bug-fix: segfault in dco_get_peer_stats()

2023-03-27 Thread Selva Nair
On Mon, Mar 27, 2023 at 4:30 PM Antonio Quartulli wrote: > Hi, > > On 27/03/2023 19:12, selva.n...@gmail.com wrote: > > From: Selva Nair > > > >We persist peer-stats when restarting, but an early restart > >before open_tun results in a segfault i

[Openvpn-devel] [PATCH] Bug-fix: segfault in dco_get_peer_stats()

2023-03-27 Thread selva . nair
From: Selva Nair We persist peer-stats when restarting, but an early restart before open_tun results in a segfault in dco_get_peer_stats(). To reproduce, trigger a TLS handshake error due to lack of common protocols, for example. Fix by checking that tuntap is defined before

Re: [Openvpn-devel] [PATCH] Make cert_data.h and test_cryptoapi/pkcs11.c MSVC compliant

2023-03-27 Thread Selva Nair
Hi, On Mon, Mar 27, 2023 at 9:59 AM Matthias Andree wrote: > Am 27.03.23 um 13:49 schrieb selva.n...@gmail.com: > > From: Selva Nair > > > > - Do not use non-literal initializers for static objects > > - Replace empty initializer {} by {0} > > Should we go to a

Re: [Openvpn-devel] [PATCH] Make cert_data.h and test_cryptoapi/pkcs11.c MSVC compliant

2023-03-27 Thread Selva Nair
On Mon, Mar 27, 2023 at 8:09 AM Frank Lichtenheld wrote: > On Mon, Mar 27, 2023 at 07:49:37AM -0400, selva.n...@gmail.com wrote: > > From: Selva Nair > > > > - Do not use non-literal initializers for static objects > > - Replace empty initializer {} by {0} > &

[Openvpn-devel] [PATCH] Make cert_data.h and test_cryptoapi/pkcs11.c MSVC compliant

2023-03-27 Thread selva . nair
From: Selva Nair - Do not use non-literal initializers for static objects - Replace empty initializer {} by {0} Signed-off-by: Selva Nair --- To be applied after the test-pkcs11 patch set tests/unit_tests/openvpn/cert_data.h | 6 ++--- tests/unit_tests/openvpn/test_cryptoapi.c | 24

Re: [Openvpn-devel] [PATCH] unit_tests: make cert_data.h compile with MSVC

2023-03-27 Thread Selva Nair
On Mon, Mar 27, 2023 at 4:49 AM Frank Lichtenheld wrote: > On Fri, Mar 24, 2023 at 01:13:22PM -0400, Selva Nair wrote: > > Would the attached small patch be acceptable instead? It covers only > > test_cryptoapi --- if this will do, I can incorporate similar changes for > >

Re: [Openvpn-devel] [PATCH] unit_tests: make cert_data.h compile with MSVC

2023-03-24 Thread Selva Nair
Hi, On Fri, Mar 24, 2023 at 4:18 PM Matthias Andree wrote: > Am 23.03.23 um 15:31 schrieb Frank Lichtenheld: > > Currently this is not obvious since we never build the > > UTs with MSVC, but it doesn't like the initializers with > > "const" variables. They cause > > error C2099: initializer is n

Re: [Openvpn-devel] [PATCH] unit_tests: make cert_data.h compile with MSVC

2023-03-24 Thread Selva Nair
n used in an initializer. > So change all of them to preprocessor defines instead. > > It also doesn't like the empty initializer. > error C2059: syntax error: '}' > > CC: Selva Nair > Signed-off-by: Frank Lichtenheld > --- > tests/unit_tests/openvpn/c

[Openvpn-devel] Fwd: [PATCH] Print DCO client stats on SIGUSR2

2023-03-23 Thread Selva Nair
I didn't realize it until Lev pointed out that this reply yesterday didn't go to the list. FTR, copying to the list. -- Forwarded message ----- From: Selva Nair Date: Wed, Mar 22, 2023 at 9:42 AM Subject: Re: [Openvpn-devel] [PATCH] Print DCO client stats on SIGUSR2 To: Le

[Openvpn-devel] [PATCH 3/3] Enable pkcs11 and test_pkcs11 in github actions

2023-03-22 Thread selva . nair
From: Selva Nair - Enabled for the Ubuntu 22.04 build (OpenSSL 3) and one of the Ubuntu 20.04 builds (OpenSSL 1.1.1). Signed-off-by: Selva Nair --- .github/workflows/build.yaml | 8 ++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yaml b/.github

[Openvpn-devel] [PATCH 1/3] Move digest_sign_verify out of test_cryptoapi.c

2023-03-22 Thread selva . nair
From: Selva Nair - This function will be reused for testing pkcs11 Signed-off-by: Selva Nair --- tests/unit_tests/openvpn/Makefile.am | 1 + tests/unit_tests/openvpn/pkey_test_utils.c | 141 + tests/unit_tests/openvpn/test_cryptoapi.c | 98 +- 3 files

[Openvpn-devel] [PATCH 2/3] Unit tests: Test for PKCS#11 using a softhsm2 token

2023-03-22 Thread selva . nair
From: Selva Nair - Load some test certificate/key pairs into a temporary softhsm2 token and enumerate available objects through pkcs11-helper interface - For each object, load it into SSL_CTX and test sign (if using OpenSSL 3) or check the certificate and public-key match (if using OpenSSL

[Openvpn-devel] [PATCH] Make error in setting metric for IPv6 interface non-fatal

2023-03-22 Thread selva . nair
From: Selva Nair - Unfortunately there are still users out there who disable IPv6 on tun/tap/dco interfaces or even system-wide. Fixes: Github issue #294 Signed-off-by: Selva Nair --- src/openvpnserv/interactive.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src

Re: [Openvpn-devel] [PATCH] Print DCO client stats on SIGUSR2

2023-03-22 Thread Selva Nair
Hi, On Wed, Mar 22, 2023 at 7:34 AM Lev Stipakov wrote: > From: Lev Stipakov > > Change-Id: I465febdf7ee5fe573e88255844f718efb60f8e8a > Signed-off-by: Lev Stipakov > --- > src/openvpn/sig.c | 13 + > src/openvpn/sig.h | 2 +- > 2 files changed, 10 insertions(+), 5 deletions(-) >

Re: [Openvpn-devel] [PATCH applied] Re: Improve error message on short read from socks proxy

2023-03-20 Thread Selva Nair
> > > > Thanks, this change makes sense. I have not actively tried to provoke > it (like, by connecting to a "fake SOCKS server" that will trigger it), > but the change is obviously an improvement to "if it's not ==1, it > must be a TCP error!"). > An easy way to "provoke" this is to use openssh

[Openvpn-devel] [PATCH] Unit tests: add test for SSL_CTX_use_Cryptoapi_certificate()

2023-03-18 Thread selva . nair
From: Selva Nair - This is the only remaining function in cryptoapi.c that has no direct or indirect test. This test confirms that an SSL_CTX context gets a certificate and private key loaded into it and the public key in the certificate matches the private key. As signing with

[Openvpn-devel] [PATCH] Improve error message on short read from socks proxy

2023-03-18 Thread selva . nair
From: Selva Nair Change-Id: Id6bf8ea705d02eff2cbfba7d841e1cdb6ae1 Signed-off-by: Selva Nair --- src/openvpn/socks.c | 7 ++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/src/openvpn/socks.c b/src/openvpn/socks.c index 6a672c25..2cf0cc9f 100644 --- a/src/openvpn/socks.c

Re: [Openvpn-devel] [PATCH applied] Re: Import some sample certificates into Windows store for testing

2023-03-16 Thread Selva Nair
> > > I have tried testing this on a "real" Win10 VM, but I am missing some > intricacies with the cert store - I wanted to see if certs are properly > cleaned up, but I can't even see my own .p12 I have imported, so I am > doing something wrong... This works for me: Run "certmgr" from a user com

Re: [Openvpn-devel] [PATCH 0/4] Add some tests for cryptoapi.c functions

2023-03-15 Thread Selva Nair
On Wed, Mar 15, 2023 at 4:30 AM Gert Doering wrote: > Hi, > > On Tue, Mar 14, 2023 at 09:35:12PM -0400, selva.n...@gmail.com wrote: > > From: Selva Nair > > > > Import some sample certificates into Windows store for testing > > - 4 test certifi

[Openvpn-devel] [PATCH 1/4] Import some sample certificates into Windows store for testing

2023-03-14 Thread selva . nair
From: Selva Nair - A few sample certificates are defined and imported into Windows certificate store (user store). This only tests the import process. Use of these certs to test the core functionality of 'cryptoapicert' are in following commits.

[Openvpn-devel] [PATCH 4/4] Add a test for signing with certificates in Windows store

2023-03-14 Thread selva . nair
From: Selva Nair - For each sample certificate/key pair imported into the store, load the key into xkey-provider and sign a test message. As the key is "provided", signing will use appropriate backend (Windows CNG in this case). The signature is then verified using OpenSSL.

[Openvpn-devel] [PATCH 2/4] Add tests for finding certificates in Windows cert store

2023-03-14 Thread selva . nair
From: Selva Nair - find_certificate_in_store tested using 'SUBJ:', 'THUMB:' and 'ISSUER:' select strings. Uses test certificates imported into the store during the import test. Change-Id: Ib5138465e6228538af592ca98b3d877277355f59 Signed-off-by: Selva Nair

[Openvpn-devel] [PATCH 3/4] Refactor SSL_CTX_use_CryptoAPI_certificate()

2023-03-14 Thread selva . nair
From: Selva Nair - Loading the certificate and key into the provider is split out of setting up the SSL context. This allows testing of signing by cryptoapi-provider interface without dependence on SSL context or link-time wrapping. Change-Id: I269b94589636425e1ba9bf953047d238fa830376

[Openvpn-devel] [PATCH 0/4] Add some tests for cryptoapi.c functions

2023-03-14 Thread selva . nair
From: Selva Nair Import some sample certificates into Windows store for testing - 4 test certificates&keys imported to user store and removed at the end. Add tests for finding certificates in Windows certificate store - test using SUBJ:, THUMB: and ISSUER: select-str

Re: [Openvpn-devel] [PATCH] Bugfix: Convert ECDSA signature from pkcs11-helper to DER encoded form

2023-03-14 Thread Selva Nair
Hi, On Tue, Mar 14, 2023 at 5:54 AM David Sommerseth wrote: > > > Just got feedback from the reporter in the Fedora bugzilla; this patch > works well on Fedora 38. > > I suggest adding this tag to the commit log. Feel free to add the URL > tag to the bugzilla ticket too. > > Tested-by: flor...@

[Openvpn-devel] [PATCH v2] Bugfix: Convert ECDSA signature from pkcs11-helper to DER encoded form

2023-03-14 Thread selva . nair
From: Selva Nair - With OpenSSL 3.0 and xkey-provider, we use pkcs11h_certificate_signAny_ex() which returns EC signature as raw r|s concatenated. But OpenSSL expects a DER encoded ASN.1 structure. Do this conversion as done in cryptoapi.c. For code re-use, ecdsa_bin2sig() is

[Openvpn-devel] [PATCH] Bugfix: Convert ECDSA signature from pkcs11-helper to DER encoded form

2023-03-10 Thread selva . nair
From: Selva Nair - With OpenSSL 3.0 and xkey-provider, we use pkcs11h_certificate_signAny_ex() which returns EC signature as raw r|s concatenated. But OpenSSL expects a DER encoded ASN.1 structure. Do this conversion as done in cryptoapi.c. For code re-use, ecdsa_bin2sig() is
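The r|s-to-DER conversion this patch (and its v2 above) describes, as an added, self-contained example that is not the project's ecdsa_bin2sig(): OpenVPN reuses the OpenSSL-based helper from cryptoapi.c, whereas this version hand-encodes the ASN.1 so it runs without OpenSSL. PKCS#11 CKM_ECDSA signatures are the two fixed-width big-endian integers r and s concatenated, while OpenSSL wants SEQUENCE { INTEGER r, INTEGER s }, so each half has its leading zero bytes stripped, gets a 0x00 pad when its top bit is set, and the sequence length switches to the long form for P-521, whose body exceeds 127 bytes. The two vectors at the end are constructed byte patterns, not real signatures.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Emit one unsigned big-endian value as a DER INTEGER.  Leading zero bytes
 * are stripped and a 0x00 is prepended when the top bit is set so the value
 * is not read as negative.  Returns bytes written, 0 on error. */
static size_t der_integer(const uint8_t *v, size_t vlen, uint8_t *out, size_t outlen)
{
    if (vlen == 0) {
        return 0;
    }
    while (vlen > 1 && v[0] == 0x00) {
        v++;
        vlen--;
    }
    size_t pad = (v[0] & 0x80) ? 1 : 0;
    size_t clen = vlen + pad;           /* at most 67 bytes for P-521 */
    if (clen > 127 || outlen < 2 + clen) {
        return 0;
    }
    out[0] = 0x02;                      /* INTEGER */
    out[1] = (uint8_t)clen;
    if (pad) {
        out[2] = 0x00;
    }
    memcpy(out + 2 + pad, v, vlen);
    return 2 + clen;
}

/* Convert a raw r|s signature (two equal-width halves, as PKCS#11 C_Sign
 * returns for CKM_ECDSA) into DER SEQUENCE { INTEGER r, INTEGER s }.
 * Uses the long-form length byte when the body exceeds 127 bytes (P-521).
 * Returns total bytes written, 0 on error. */
size_t ecdsa_rs_to_der(const uint8_t *rs, size_t rslen, uint8_t *out, size_t outlen)
{
    if (rslen == 0 || rslen % 2 != 0 || rslen / 2 > 66) {
        return 0;
    }
    size_t half = rslen / 2;
    uint8_t body[2 * (2 + 1 + 66)];     /* two padded P-521 integers */
    size_t rl = der_integer(rs, half, body, sizeof body);
    if (rl == 0) {
        return 0;
    }
    size_t sl = der_integer(rs + half, half, body + rl, sizeof body - rl);
    if (sl == 0) {
        return 0;
    }
    size_t blen = rl + sl;
    size_t hdr = (blen < 128) ? 2 : 3;  /* "30 len" or "30 81 len" */
    if (outlen < hdr + blen) {
        return 0;
    }
    out[0] = 0x30;                      /* SEQUENCE */
    if (hdr == 2) {
        out[1] = (uint8_t)blen;
    } else {
        out[1] = 0x81;
        out[2] = (uint8_t)blen;
    }
    memcpy(out + hdr, body, blen);
    return hdr + blen;
}

/* Constructed P-256-sized vector: r = 1 (31 leading zeros), s = 32 x 0xFF.
 * Expected DER: 30 26 02 01 01 02 21 00 FF*32 (40 bytes).  Returns 1 if the
 * encoder produces exactly that. */
int check_p256_vector(void)
{
    uint8_t rs[64];
    memset(rs, 0, 32);
    rs[31] = 0x01;
    memset(rs + 32, 0xFF, 32);

    uint8_t expect[40] = { 0x30, 0x26, 0x02, 0x01, 0x01, 0x02, 0x21, 0x00 };
    memset(expect + 8, 0xFF, 32);

    uint8_t out[80];
    size_t n = ecdsa_rs_to_der(rs, sizeof rs, out, sizeof out);
    return n == sizeof expect && memcmp(out, expect, n) == 0;
}

/* Constructed P-521-sized vector with both halves starting at 0x80, which
 * forces the 0x00 pad and a 138-byte body, i.e. the long-form length.
 * Returns the encoded length (141) when the header is 30 81 8A, else 0. */
size_t check_p521_long_form(void)
{
    uint8_t rs[132];
    memset(rs, 0x80, sizeof rs);
    uint8_t out[160];
    size_t n = ecdsa_rs_to_der(rs, sizeof rs, out, sizeof out);
    return (n == 141 && out[1] == 0x81 && out[2] == 0x8A) ? n : 0;
}
```

The failure mode the bug report describes follows directly from the encoding: OpenSSL's d2i_ECDSA_SIG() rejects the raw 64 bytes as malformed ASN.1, so every EC signature from the token fails verification even though the token signed correctly.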

Re: [Openvpn-devel] [PATCH] tests/unit_tests: Fix 'make distcheck' with subdir-objects enabled

2023-03-08 Thread Selva Nair
ake a dozen times, I cannot figure arbitrary variable expansion won't work as expected for out-of-tree builds with read-only sources. But testing does show only $(srcdir) and $(top_srcdir) get correctly handled, and the fix below appears to be a reasonable way out. Tested "make distchec

Re: [Openvpn-devel] [PATCH 2/2] Include supplementary groups when checking management-client-group

2023-03-06 Thread Selva Nair
Hi FTR, I just noticed that the patch is missing an endgrent() call: On Mon, Mar 6, 2023 at 12:33 AM wrote: > > +struct group *gr = getgrent(); > +char **members = NULL; > +while (gr) > +{ > +if (gr->gr_gid == gid) > +{ > +/* found the group -- check
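Review bot: besides the missing endgrent() Selva points out, the loop needs a setgrent() before the first getgrent(), since getgrent() resumes from wherever an earlier caller left the group database and can skip the entry for gid. Both calls belong around this loop; alternatively getgrouplist(3) on the peer's user name yields the primary and supplementary gids without scanning the whole database by hand.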

Re: [Openvpn-devel] [PATCH 2/2] Include supplementary groups when checking management-client-group

2023-03-06 Thread Selva Nair
Hi, On Mon, Mar 6, 2023 at 3:24 AM Gert Doering wrote: > Hi, > > On Mon, Mar 06, 2023 at 12:33:46AM -0500, selva.n...@gmail.com wrote: > > From: Selva Nair > > > > - When management-client-group is in use, allow access if any of > > the supplementary groups

[Openvpn-devel] [PATCH 2/2] Include supplementary groups when checking management-client-group

2023-03-05 Thread selva . nair
From: Selva Nair - When management-client-group is in use, allow access if any of the supplementary groups of the user matches the specified group. Currently only the effective gid of the peer socket is checked which is normally the primary group of user. As unprivileged users have no

[Openvpn-devel] [PATCH 1/2] Do not save pointer to 'struct passwd' returned by getpwnam etc.

2023-03-05 Thread selva . nair
From: Selva Nair - This pointer is to a static area which can change on further calls to getpwnam, getpwuid etc. Same with struct group returned by getgrnam. As the only field later referred to is uid or gid, fix by saving them instead. Signed-off-by: Selva Nair --- Though we call
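An added example of what the two patches above change, not code from OpenVPN's management code: the peer's uid (obtained by the caller from its platform's socket peer-credential call, which is assumed here) is resolved with the reentrant getpwuid_r(), and only the name and primary gid are copied out rather than keeping a pointer to the library's static struct passwd; membership is then tested against the primary and all supplementary groups with getgrouplist(3), a glibc/BSD extension. Function names are hypothetical.

```c
#define _GNU_SOURCE   /* getgrouplist() is a glibc/BSD extension */
#include <grp.h>
#include <pwd.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Resolve uid with getpwuid_r() and copy out only the fields needed later,
 * so nothing points into the library's static or the caller's scratch
 * buffer after return.  Returns 0 on success, -1 if uid is unknown. */
static int lookup_user(uid_t uid, char *name, size_t namelen, gid_t *primary)
{
    struct passwd pw, *res = NULL;
    char buf[4096];
    if (getpwuid_r(uid, &pw, buf, sizeof buf, &res) != 0 || res == NULL) {
        return -1;
    }
    if (strlen(pw.pw_name) >= namelen) {
        return -1;
    }
    strcpy(name, pw.pw_name);
    *primary = pw.pw_gid;
    return 0;
}

/* Return 1 if uid's primary or any supplementary group equals gid, else 0.
 * getgrouplist() always includes the base gid passed in, so the primary
 * group needs no separate comparison.  Unknown users never match. */
int uid_in_group(uid_t uid, gid_t gid)
{
    char name[256];
    gid_t primary;
    if (lookup_user(uid, name, sizeof name, &primary) != 0) {
        return 0;
    }

    int ngroups = 32;
    gid_t *groups = malloc((size_t)ngroups * sizeof *groups);
    if (!groups) {
        return 0;
    }
    for (;;) {
        int count = ngroups;
        if (getgrouplist(name, primary, groups, &count) != -1) {
            ngroups = count;          /* entries actually filled in */
            break;
        }
        /* Too small: glibc reports the needed count; grow at least 2x. */
        if (count <= ngroups) {
            count = ngroups * 2;
        }
        gid_t *bigger = realloc(groups, (size_t)count * sizeof *groups);
        if (!bigger) {
            free(groups);
            return 0;
        }
        groups = bigger;
        ngroups = count;
    }

    int found = 0;
    for (int i = 0; i < ngroups && !found; i++) {
        found = (groups[i] == gid);
    }
    free(groups);
    return found;
}
```

The caller keeps the gid of management-client-group (resolved once from getgrnam() and stored as a plain gid_t) and passes the peer's uid from SO_PEERCRED or getpeereid(); checking the peer's effective gid alone, as before the patch, misses exactly the users whose access is granted through a supplementary group.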

Re: [Openvpn-devel] [PATCH applied] Re: Add a unit test for functions in cryptoapi.c

2023-02-25 Thread Selva Nair
Hi On Sat, Feb 25, 2023 at 11:29 AM Gert Doering wrote: > Acked-by: Gert Doering > > Thanks for the v4. This enabled me to just push to GH to have > to build and run the tests, without having to bother myself with > copying binaries around :-) > > OTOH, there might be a bit of polishing needed

[Openvpn-devel] [PATCH v4 3/3] Add a unit test for functions in cryptoapi.c

2023-02-14 Thread selva . nair
From: Selva Nair - Though named cryptoapi_testdriver, right now this only tests parsing of thumbprint specified as a selector for --cryptoapicert option. More tests coming.. v2: a line that belongs here was mistakenly included in the previous commit. Corrected. v3: add to list of tests run

[Openvpn-devel] [PATCH v3 3/3] Add a unit test for functions in cryptoapi.c

2023-02-14 Thread selva . nair
From: Selva Nair - Though named cryptoapi_testdriver, right now this only tests parsing of thumbprint specified as a selector for --cryptoapicert option. More tests coming.. v2: a line that belongs here was mistakenly included in the previous commit. Corrected. v3: add to list of tests run

Re: [Openvpn-devel] [PATCH v3 2/3] Build unit tests in mingw Windows build

2023-02-11 Thread Selva Nair
Hi, On Sat, Feb 11, 2023 at 1:32 PM Gert Doering wrote: > > > /bin/bash ../../../libtool --tag=CC --mode=link i686-w64-mingw32-gcc This is a 32 bit build which I never tried. Maybe cmocka is not built for 32 bit? > -I/home/gert/mingw/opt/include -I/home/gert/mingw/opt/include > -I../../.

Re: [Openvpn-devel] [PATCH v3 2/3] Build unit tests in mingw Windows build

2023-02-10 Thread Selva Nair
Hi On Fri, Feb 10, 2023 at 4:13 PM Gert Doering wrote: > Hi, > > On Tue, Feb 07, 2023 at 07:59:25PM -0500, selva.n...@gmail.com wrote: > > From: Selva Nair > > > > - Minor changes to the build system to include some > > dependencies for Windows build > &g

Re: [Openvpn-devel] [PATCH v3 2/3] Build unit tests in mingw Windows build

2023-02-10 Thread Selva Nair
On Fri, Feb 10, 2023 at 4:13 PM Gert Doering wrote: > Hi, > > On Tue, Feb 07, 2023 at 07:59:25PM -0500, selva.n...@gmail.com wrote: > > From: Selva Nair > > > > - Minor changes to the build system to include some > > dependencies for Windows build > > &g

Re: [Openvpn-devel] [PATCH] Improve format specifier for socket handle in Windows

2023-02-10 Thread Selva Nair
ints hex, and INVALID_SOCKET looks a bit nicer: > > > >2023-02-10 15:17:11 us=828000 write to TUN/TAP : Järjestelmäkutsulle > > annettu data-alue on liian pieni. (fd=,code=122) > > > > Reported-by: Selva Nair > > Signed-off-by: Lev Stipakov

Re: [Openvpn-devel] [PATCH 3/5] Do not run check_engine test when crosscompiling

2023-02-09 Thread Selva Nair
Hi, On Tue, Feb 7, 2023 at 7:19 PM Arne Schwabe wrote: > Signed-off-by: Arne Schwabe > --- > tests/unit_tests/engine-key/Makefile.am | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/tests/unit_tests/engine-key/Makefile.am > b/tests/unit_tests/engine-key/Makefile.am > index 246222514.

[Openvpn-devel] Fwd: [PATCH v2 3/5] Windows: fix wrong printf format in x_check_status

2023-02-09 Thread Selva Nair
CC: list -- Forwarded message - From: Selva Nair Date: Tue, Feb 7, 2023 at 11:57 AM Subject: Re: [Openvpn-devel] [PATCH v2 3/5] Windows: fix wrong printf format in x_check_status To: Frank Lichtenheld Nitpicking: > - use PRIuPTR as discussed on IRC (added relevant defi

[Openvpn-devel] Fwd: [PATCH 4/5] Add missing stdint.h includes in unit tests files

2023-02-09 Thread Selva Nair
CC: list -- Forwarded message - From: Selva Nair Date: Wed, Feb 8, 2023 at 11:34 PM Subject: Re: [Openvpn-devel] [PATCH 4/5] Add missing stdint.h includes in unit tests files To: Arne Schwabe Hi, On Tue, Feb 7, 2023 at 7:19 PM Arne Schwabe wrote: > My mingw compiler/head

[Openvpn-devel] Fwd: [PATCH v2 5/5] Add building unit tests with mingw to github actions

2023-02-09 Thread Selva Nair
CC: list was missed.. -- Forwarded message - From: Selva Nair Date: Thu, Feb 9, 2023 at 2:54 PM Subject: Re: [Openvpn-devel] [PATCH v2 5/5] Add building unit tests with mingw to github actions To: Arne Schwabe Hi, Thanks, this is much better with tests grouped together. Some

Re: [Openvpn-devel] [PATCH 5/5] Add building and running mingw unittests to github actions

2023-02-08 Thread Selva Nair
Hi, It's "absolutely splendid" to see cross-compiled tests running in GHA! Some issues below: On Tue, Feb 7, 2023 at 7:19 PM Arne Schwabe wrote: > Signed-off-by: Arne Schwabe > --- > .github/workflows/build.yaml | 110 ++- > 1 file changed, 108 insertions(+),

Re: [Openvpn-devel] [PATCH v2 3/3] Add a unit test for functions in cryptoapi.c

2023-02-08 Thread Selva Nair
On Wed, Feb 8, 2023 at 6:16 AM Arne Schwabe wrote: > Am 08.02.23 um 02:05 schrieb Selva Nair: > > Hi, > > > > On Tue, Feb 7, 2023 at 7:18 PM Arne Schwabe > <mailto:a...@rfc2549.org>> wrote: > > > > Am 04.02.23 um 07:40 schrieb selva.n...@g

Re: [Openvpn-devel] [PATCH v2 3/3] Add a unit test for functions in cryptoapi.c

2023-02-07 Thread Selva Nair
Hi, On Tue, Feb 7, 2023 at 7:18 PM Arne Schwabe wrote: > Am 04.02.23 um 07:40 schrieb selva.n...@gmail.com: > > From: Selva Nair > > > > - Though named cryptoapi_testdriver, right now this only tests > > parsing of thumbprint specified as a selector for --cryptio

[Openvpn-devel] [PATCH v3 2/3] Build unit tests in mingw Windows build

2023-02-07 Thread selva . nair
From: Selva Nair - Minor changes to the build system to include some dependencies for Windows build - test_tls_crypt not built as it will pull in win32.c and its dependencies - If cross-compiling, "make check" will only build the tests but not run any. Copy to Windows and ru

Re: [Openvpn-devel] [PATCH 1/5] Conditionally add subdir-objects option to automake

2023-02-07 Thread Selva Nair
On Tue, Feb 7, 2023 at 7:18 PM Arne Schwabe wrote: > From: Selva Nair > > - Eliminates repeated warnings such as > warning: source file '$(openvpn_srcdir)/env_set.c' is in a subdirectory, > but option 'subdir-objects' is disabled > - Enabled only for a

Re: [Openvpn-devel] [PATCH v2 2/3] Build unit tests in mingw Windows build

2023-02-07 Thread Selva Nair
Hi, On Tue, Feb 7, 2023 at 6:59 AM Arne Schwabe wrote: > Am 04.02.23 um 07:40 schrieb selva.n...@gmail.com: > > From: Selva Nair > > > > - Minor changes to the build system to include some > > dependencies for Windows build > > > > - test_tls_crypt n

Re: [Openvpn-devel] [PATCH v3] configure: enable DCO by default on FreeBSD/Linux

2023-02-07 Thread Selva Nair
uot; > + AC_MSG_WARN([Name/Value pair library not > found.]) > + ] > + ) > + if test "$enable_dco" = "no"; then > + if test "$enable_dco_arg" = "auto"; then > + AC_MSG_WARN([DCO support disabled]) > + else > + AC_MSG_ERROR([DCO support can't be > enabled]) > + fi > + fi > ;; > *-mingw*) > AC_MSG_NOTICE([NOTE: --enable-dco ignored on > Windows because it's always enabled]) > Looks good to me. Acked-by: Selva Nair Selva ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [PATCH v2] configure: enable DCO by default on FreeBSD/Linux

2023-02-06 Thread Selva Nair
Hi, On Mon, Feb 6, 2023 at 6:24 AM Frank Lichtenheld wrote: > Automatically disabled when > - iproute2 is enabled > (Don't want to force people specifying --disable-dco explicitely) > - libnv is missing on FreeBSD > (FreeBSD version too old anyway) > > Will still error out if libnl-genl is m

[Openvpn-devel] [PATCH v2 2/3] Build unit tests in mingw Windows build

2023-02-03 Thread selva . nair
From: Selva Nair - Minor changes to the build system to include some dependencies for Windows build - test_tls_crypt not built as it will pull in win32.c and its dependencies - If cross-compiling, "make check" will only build the tests but not run any. Copy to Windows and ru

[Openvpn-devel] [PATCH v2 3/3] Add a unit test for functions in cryptoapi.c

2023-02-03 Thread selva . nair
From: Selva Nair - Though named cryptoapi_testdriver, right now this only tests parsing of thumbprint specified as a selector for --cryptoapicert option. More tests coming... v2: a line that belongs here was mistakenly included in the previous commit. Corrected. Signed-off-by: Selva Nair

[Openvpn-devel] [PATCH 3/3] Add a unit test for functions in cryptoapi.c

2023-02-03 Thread selva . nair
From: Selva Nair - Though named cryptoapi_testdriver, right now this only tests parsing of thumbprint specified as a selector for --cryptoapicert option. More cryptoapi tests coming... Signed-off-by: Selva Nair --- As requested during review of the 4/4 patch of cryptoapi series. Note that

[Openvpn-devel] [PATCH 2/3] Build unit tests in mingw Windows build

2023-02-03 Thread selva . nair
From: Selva Nair - Minor changes to the build system to include some dependencies for Windows build - test_tls_crypt not built as it will pull in win32.c and its dependencies - If cross-compiling, "make check" will only build the tests but not run any. Copy to Windows and ru

[Openvpn-devel] [PATCH 1/3] Conditionally add subdir-objects option to automake

2023-02-03 Thread selva . nair
From: Selva Nair - Eliminates repeated warnings such as warning: source file '$(openvpn_srcdir)/env_set.c' is in a subdirectory, but option 'subdir-objects' is disabled - Enabled only for automake >= 1.16 as older versions have a buggy implementation of this opti
