From patchwork Fri Mar 22 16:00:02 2024
X-Patchwork-Submitter: "plaisthos (Code Review)"
X-Patchwork-Id: 3663
From: "plaisthos (Code Review)"
Date: Fri, 22 Mar 2024 16:00:02 +0000
To: flichtenheld
X-Gerrit-PatchSet: 1
X-Gerrit-MessageType: newchange
X-Gerrit-Change-Id: Ia73d53002f4ba2658af18c17cce1b68f79de5781
X-Gerrit-Change-Number: 546
X-Gerrit-Project: openvpn
X-Gerrit-Commit: 7a6084df579b3c0ddd7d1134bf9b5fe4818d40cb
User-Agent: Gerrit/3.8.2
Subject: [Openvpn-devel]
 [XS] Change in openvpn[master]: Add bracket in fingerprint message and do not warn about missing veri...
Reply-To: arne-openvpn@rfc2549.org, openvpn-devel@lists.sourceforge.net, frank@lichtenheld.com
Cc: openvpn-devel

Attention is currently required from: flichtenheld.

Hello flichtenheld,

I'd like you to do a code review.
Please visit

    http://gerrit.openvpn.net/c/openvpn/+/546?usp=email

to review the following change.

Change subject: Add bracket in fingerprint message and do not warn about missing verification
......................................................................

Add bracket in fingerprint message and do not warn about missing verification

Change-Id: Ia73d53002f4ba2658af18c17cce1b68f79de5781
---
M src/openvpn/init.c
M src/openvpn/ssl_verify.c
2 files changed, 4 insertions(+), 3 deletions(-)

git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/46/546/1

diff --git a/src/openvpn/init.c b/src/openvpn/init.c index f2ce926..a398920 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -3594,7 +3594,8 @@ && !o->tls_verify && o->verify_x509_type == VERIFY_X509_NONE && !(o->ns_cert_type & NS_CERT_CHECK_SERVER) - && !o->remote_cert_eku) + && !o->remote_cert_eku + && !(o->verify_hash_depth ==0 && o->verify_hash)) { msg(M_WARN, "WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info."); } diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c index c7d7799..930769b 100644 --- a/src/openvpn/ssl_verify.c +++ b/src/openvpn/ssl_verify.c
@@ -718,8 +718,8 @@ const char *hex_fp = format_hex_ex(BPTR(&cert_fp), BLEN(&cert_fp), 0, 1, ":", &gc); msg(D_TLS_ERRORS, "TLS Error: --tls-verify/--peer-fingerprint" - "certificate hash verification failed. (got " - "fingerprint: %s", hex_fp); + "certificate hash verification failed. (got certificate " + "fingerprint: %s)", hex_fp); goto cleanup; } }
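
Review bot: in the src/openvpn/init.c hunk, the added clause `&& !(o->verify_hash_depth ==0 && o->verify_hash)` has no space after `==`, and neither the code nor the commit message says why only a hash check at depth 0 counts as server certificate verification for the purpose of this warning. Suggest writing it as `&& !(o->verify_hash && o->verify_hash_depth == 0)` and adding a one-line comment above the condition stating which option this case corresponds to and why a configured hash at any other depth should still produce the "No server certificate verification method has been enabled" warning. A commit message body with the same rationale would help, since this condition decides whether users are told their setup lacks server verification.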
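
Review bot: in the src/openvpn/ssl_verify.c hunk, the unchanged first literal of the msg() call ends with `--peer-fingerprint"` and the next literal starts with `"certificate hash`, so after string concatenation the log line reads "--peer-fingerprintcertificate hash verification failed." Since this change already rewrites the two following literals to fix the wording and the missing closing bracket, add the trailing space to the first one as well (`"TLS Error: --tls-verify/--peer-fingerprint "`), otherwise the message stays malformed and is harder to match in log searches.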