Menu
▾
▴
openvpn-devel — OpenVPN developers list
You can subscribe to this list here.
| 2002 |
Jan
|
Feb
|
Mar
|
Apr
(24) |
May
(14) |
Jun
(29) |
Jul
(33) |
Aug
(3) |
Sep
(8) |
Oct
(18) |
Nov
(1) |
Dec
(10) |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2003 |
Jan
(3) |
Feb
(33) |
Mar
(7) |
Apr
(28) |
May
(30) |
Jun
(5) |
Jul
(10) |
Aug
(7) |
Sep
(32) |
Oct
(41) |
Nov
(20) |
Dec
(10) |
| 2004 |
Jan
(24) |
Feb
(18) |
Mar
(57) |
Apr
(40) |
May
(55) |
Jun
(48) |
Jul
(77) |
Aug
(15) |
Sep
(56) |
Oct
(80) |
Nov
(74) |
Dec
(52) |
| 2005 |
Jan
(38) |
Feb
(42) |
Mar
(39) |
Apr
(56) |
May
(79) |
Jun
(73) |
Jul
(16) |
Aug
(23) |
Sep
(68) |
Oct
(77) |
Nov
(52) |
Dec
(27) |
| 2006 |
Jan
(27) |
Feb
(18) |
Mar
(51) |
Apr
(62) |
May
(28) |
Jun
(50) |
Jul
(36) |
Aug
(33) |
Sep
(47) |
Oct
(50) |
Nov
(77) |
Dec
(13) |
| 2007 |
Jan
(15) |
Feb
(8) |
Mar
(14) |
Apr
(18) |
May
(25) |
Jun
(16) |
Jul
(16) |
Aug
(19) |
Sep
(32) |
Oct
(17) |
Nov
(5) |
Dec
(5) |
| 2008 |
Jan
(64) |
Feb
(25) |
Mar
(25) |
Apr
(6) |
May
(28) |
Jun
(20) |
Jul
(10) |
Aug
(27) |
Sep
(28) |
Oct
(59) |
Nov
(37) |
Dec
(43) |
| 2009 |
Jan
(40) |
Feb
(25) |
Mar
(12) |
Apr
(57) |
May
(46) |
Jun
(29) |
Jul
(39) |
Aug
(10) |
Sep
(20) |
Oct
(42) |
Nov
(50) |
Dec
(57) |
| 2010 |
Jan
(82) |
Feb
(165) |
Mar
(256) |
Apr
(260) |
May
(36) |
Jun
(87) |
Jul
(53) |
Aug
(89) |
Sep
(107) |
Oct
(51) |
Nov
(88) |
Dec
(117) |
| 2011 |
Jan
(69) |
Feb
(60) |
Mar
(113) |
Apr
(71) |
May
(67) |
Jun
(90) |
Jul
(88) |
Aug
(90) |
Sep
(48) |
Oct
(64) |
Nov
(69) |
Dec
(118) |
| 2012 |
Jan
(49) |
Feb
(528) |
Mar
(351) |
Apr
(190) |
May
(238) |
Jun
(193) |
Jul
(104) |
Aug
(100) |
Sep
(57) |
Oct
(41) |
Nov
(47) |
Dec
(51) |
| 2013 |
Jan
(94) |
Feb
(57) |
Mar
(96) |
Apr
(105) |
May
(77) |
Jun
(102) |
Jul
(27) |
Aug
(81) |
Sep
(32) |
Oct
(53) |
Nov
(127) |
Dec
(65) |
| 2014 |
Jan
(113) |
Feb
(59) |
Mar
(104) |
Apr
(259) |
May
(70) |
Jun
(70) |
Jul
(146) |
Aug
(45) |
Sep
(58) |
Oct
(149) |
Nov
(77) |
Dec
(83) |
| 2015 |
Jan
(53) |
Feb
(66) |
Mar
(86) |
Apr
(50) |
May
(135) |
Jun
(76) |
Jul
(151) |
Aug
(83) |
Sep
(97) |
Oct
(262) |
Nov
(245) |
Dec
(231) |
| 2016 |
Jan
(131) |
Feb
(233) |
Mar
(97) |
Apr
(138) |
May
(221) |
Jun
(254) |
Jul
(92) |
Aug
(248) |
Sep
(168) |
Oct
(275) |
Nov
(477) |
Dec
(445) |
| 2017 |
Jan
(218) |
Feb
(217) |
Mar
(146) |
Apr
(172) |
May
(216) |
Jun
(252) |
Jul
(164) |
Aug
(192) |
Sep
(190) |
Oct
(143) |
Nov
(255) |
Dec
(182) |
| 2018 |
Jan
(295) |
Feb
(164) |
Mar
(113) |
Apr
(147) |
May
(64) |
Jun
(262) |
Jul
(184) |
Aug
(90) |
Sep
(69) |
Oct
(364) |
Nov
(102) |
Dec
(101) |
| 2019 |
Jan
(119) |
Feb
(64) |
Mar
(64) |
Apr
(102) |
May
(57) |
Jun
(154) |
Jul
(84) |
Aug
(81) |
Sep
(76) |
Oct
(102) |
Nov
(233) |
Dec
(89) |
| 2020 |
Jan
(38) |
Feb
(170) |
Mar
(155) |
Apr
(172) |
May
(120) |
Jun
(223) |
Jul
(461) |
Aug
(227) |
Sep
(268) |
Oct
(113) |
Nov
(56) |
Dec
(124) |
| 2021 |
Jan
(121) |
Feb
(48) |
Mar
(334) |
Apr
(345) |
May
(207) |
Jun
(136) |
Jul
(71) |
Aug
(112) |
Sep
(122) |
Oct
(173) |
Nov
(184) |
Dec
(223) |
| 2022 |
Jan
(197) |
Feb
(206) |
Mar
(156) |
Apr
(212) |
May
(192) |
Jun
(170) |
Jul
(143) |
Aug
(380) |
Sep
(182) |
Oct
(148) |
Nov
(128) |
Dec
(269) |
| 2023 |
Jan
(248) |
Feb
(196) |
Mar
(264) |
Apr
(36) |
May
(123) |
Jun
(66) |
Jul
(120) |
Aug
(48) |
Sep
(157) |
Oct
(198) |
Nov
(300) |
Dec
(273) |
| 2024 |
Jan
(271) |
Feb
(147) |
Mar
(207) |
Apr
(78) |
May
(107) |
Jun
(168) |
Jul
(151) |
Aug
(51) |
Sep
(438) |
Oct
(221) |
Nov
(302) |
Dec
(357) |
| 2025 |
Jan
(451) |
Feb
(219) |
Mar
(326) |
Apr
(232) |
May
(306) |
Jun
(181) |
Jul
(452) |
Aug
(282) |
Sep
(620) |
Oct
(793) |
Nov
(300) |
Dec
|
|
From: flichtenheld (C. Review) <ge...@op...> - 2025-11-14 14:47:22
|
Attention is currently required from: plaisthos.
Hello plaisthos,
I'd like you to do a code review.
Please visit
http://gerrit.openvpn.net/c/openvpn/+/1376?usp=email
to review the following change.
Change subject: tun: Change return type of write_tun/read_tun to ssize_t
......................................................................
tun: Change return type of write_tun/read_tun to ssize_t
So we can directly give back the actual return
type from write/read. Even if we then cast it
back to int. The cast should be safe since we
also specify an int as we also put an int in
as length.
Change-Id: I67f5bf53b80f53fd2e349f844479ed172a7b3aa1
Signed-off-by: Frank Lichtenheld <fr...@li...>
---
M src/openvpn/forward.c
M src/openvpn/tun.c
M src/openvpn/tun.h
3 files changed, 28 insertions(+), 56 deletions(-)
git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/76/1376/5
diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c
index d54c679..ed42960 100644
--- a/src/openvpn/forward.c
+++ b/src/openvpn/forward.c
@@ -1293,11 +1293,6 @@
#endif /* if defined(ENABLE_DCO) && (defined(TARGET_LINUX) || defined(TARGET_FREEBSD)) */
}
-#if defined(__GNUC__) || defined(__clang__)
-#pragma GCC diagnostic push
-#pragma GCC diagnostic ignored "-Wconversion"
-#endif
-
/*
* Output: c->c2.buf
*/
@@ -1324,11 +1319,11 @@
if (c->c1.tuntap->backend_driver == DRIVER_AFUNIX)
{
c->c2.buf.len =
- read_tun_afunix(c->c1.tuntap, BPTR(&c->c2.buf), c->c2.frame.buf.payload_size);
+ (int)read_tun_afunix(c->c1.tuntap, BPTR(&c->c2.buf), c->c2.frame.buf.payload_size);
}
else
{
- c->c2.buf.len = read_tun(c->c1.tuntap, BPTR(&c->c2.buf), c->c2.frame.buf.payload_size);
+ c->c2.buf.len = (int)read_tun(c->c1.tuntap, BPTR(&c->c2.buf), c->c2.frame.buf.payload_size);
}
#endif /* ifdef _WIN32 */
@@ -1358,6 +1353,11 @@
check_status(c->c2.buf.len, "read from TUN/TAP", NULL, c->c1.tuntap);
}
+#if defined(__GNUC__) || defined(__clang__)
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wconversion"
+#endif
+
/**
* Drops UDP packets which OS decided to route via tun.
*
diff --git a/src/openvpn/tun.c b/src/openvpn/tun.c
index 90505a0..d1fc442 100644
--- a/src/openvpn/tun.c
+++ b/src/openvpn/tun.c
@@ -1708,8 +1708,8 @@
#include <netinet/ip.h>
#include <sys/uio.h>
-static inline int
-header_modify_read_write_return(int len)
+static inline ssize_t
+header_modify_read_write_return(ssize_t len)
{
if (len > 0)
{
@@ -1721,12 +1721,7 @@
}
}
-#if defined(__GNUC__) || defined(__clang__)
-#pragma GCC diagnostic push
-#pragma GCC diagnostic ignored "-Wconversion"
-#endif
-
-static int
+static ssize_t
write_tun_header(struct tuntap *tt, uint8_t *buf, int len)
{
if (tt->type == DEV_TYPE_TUN)
@@ -1757,7 +1752,7 @@
}
}
-static int
+static ssize_t
read_tun_header(struct tuntap *tt, uint8_t *buf, int len)
{
if (tt->type == DEV_TYPE_TUN)
@@ -1778,26 +1773,21 @@
}
}
-#if defined(__GNUC__) || defined(__clang__)
-#pragma GCC diagnostic pop
-#endif
-
#if !defined(TARGET_DARWIN)
-int
+ssize_t
write_tun(struct tuntap *tt, uint8_t *buf, int len)
{
return write_tun_header(tt, buf, len);
}
-int
+ssize_t
read_tun(struct tuntap *tt, uint8_t *buf, int len)
{
return read_tun_header(tt, buf, len);
}
#endif
-
-#endif /* defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY) || defined(TARGET_NETBSD) || if defined (TARGET_OPENBSD) || defined(TARGET_DARWIN) */
+#endif /* if defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY) || defined(TARGET_NETBSD) || defined (TARGET_OPENBSD) || defined(TARGET_DARWIN) */
bool
tun_name_is_fixed(const char *dev)
@@ -2054,13 +2044,13 @@
free(tt);
}
-int
+ssize_t
write_tun(struct tuntap *tt, uint8_t *buf, int len)
{
return write(tt->fd, buf, len);
}
-int
+ssize_t
read_tun(struct tuntap *tt, uint8_t *buf, int len)
{
return read(tt->fd, buf, len);
@@ -2268,27 +2258,18 @@
free(tt);
}
-#if defined(__GNUC__) || defined(__clang__)
-#pragma GCC diagnostic push
-#pragma GCC diagnostic ignored "-Wconversion"
-#endif
-
-int
+ssize_t
write_tun(struct tuntap *tt, uint8_t *buf, int len)
{
return write(tt->fd, buf, len);
}
-int
+ssize_t
read_tun(struct tuntap *tt, uint8_t *buf, int len)
{
return read(tt->fd, buf, len);
}
-#if defined(__GNUC__) || defined(__clang__)
-#pragma GCC diagnostic pop
-#endif
-
#elif defined(TARGET_SOLARIS)
#ifndef TUNNEWPPA
@@ -2613,7 +2594,7 @@
argv_free(&argv);
}
-int
+ssize_t
write_tun(struct tuntap *tt, uint8_t *buf, int len)
{
struct strbuf sbuf;
@@ -2622,7 +2603,7 @@
return putmsg(tt->fd, NULL, &sbuf, 0) >= 0 ? sbuf.len : -1;
}
-int
+ssize_t
read_tun(struct tuntap *tt, uint8_t *buf, int len)
{
struct strbuf sbuf;
@@ -3097,11 +3078,6 @@
}
}
-#if defined(__GNUC__) || defined(__clang__)
-#pragma GCC diagnostic push
-#pragma GCC diagnostic ignored "-Wconversion"
-#endif
-
void
close_tun(struct tuntap *tt, openvpn_net_ctx_t *ctx)
{
@@ -3125,7 +3101,7 @@
gc_free(&gc);
}
-int
+ssize_t
write_tun(struct tuntap *tt, uint8_t *buf, int len)
{
if (tt->backend_driver == DRIVER_UTUN)
@@ -3138,7 +3114,7 @@
}
}
-int
+ssize_t
read_tun(struct tuntap *tt, uint8_t *buf, int len)
{
if (tt->backend_driver == DRIVER_UTUN)
@@ -3151,10 +3127,6 @@
}
}
-#if defined(__GNUC__) || defined(__clang__)
-#pragma GCC diagnostic pop
-#endif
-
#elif defined(TARGET_AIX)
void
@@ -3277,13 +3249,13 @@
argv_free(&argv);
}
-int
+ssize_t
write_tun(struct tuntap *tt, uint8_t *buf, int len)
{
return write(tt->fd, buf, len);
}
-int
+ssize_t
read_tun(struct tuntap *tt, uint8_t *buf, int len)
{
return read(tt->fd, buf, len);
@@ -6329,13 +6301,13 @@
free(tt);
}
-int
+ssize_t
write_tun(struct tuntap *tt, uint8_t *buf, int len)
{
return write(tt->fd, buf, len);
}
-int
+ssize_t
read_tun(struct tuntap *tt, uint8_t *buf, int len)
{
return read(tt->fd, buf, len);
diff --git a/src/openvpn/tun.h b/src/openvpn/tun.h
index e13f99f..77c3c09 100644
--- a/src/openvpn/tun.h
+++ b/src/openvpn/tun.h
@@ -274,9 +274,9 @@
void close_tun_handle(struct tuntap *tt);
-int write_tun(struct tuntap *tt, uint8_t *buf, int len);
+ssize_t write_tun(struct tuntap *tt, uint8_t *buf, int len);
-int read_tun(struct tuntap *tt, uint8_t *buf, int len);
+ssize_t read_tun(struct tuntap *tt, uint8_t *buf, int len);
void tuncfg(const char *dev, const char *dev_type, const char *dev_node, int persist_mode,
const char *username, const char *groupname, const struct tuntap_options *options,
--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1376?usp=email
To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email
Gerrit-MessageType: newchange
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I67f5bf53b80f53fd2e349f844479ed172a7b3aa1
Gerrit-Change-Number: 1376
Gerrit-PatchSet: 5
Gerrit-Owner: flichtenheld <fr...@li...>
Gerrit-Reviewer: plaisthos <arn...@rf...>
Gerrit-CC: openvpn-devel <ope...@li...>
Gerrit-Attention: plaisthos <arn...@rf...>
|
|
From: flichtenheld (C. Review) <ge...@op...> - 2025-11-14 13:41:48
|
Attention is currently required from: cron2, plaisthos. flichtenheld has posted comments on this change by flichtenheld. ( http://gerrit.openvpn.net/c/openvpn/+/1378?usp=email ) Change subject: tun: Refactor BSD write_tun/read_tun ...................................................................... Patch Set 2: (2 comments) File src/openvpn/tun.c: http://gerrit.openvpn.net/c/openvpn/+/1378/comment/4ca9d7f6_c2a30b9c?usp=email : PS1, Line 1744: #endif > it makes little sense to keep the historic code difference - this basically does the same thing, jus […] Done http://gerrit.openvpn.net/c/openvpn/+/1378/comment/25c2eb38_1e1267b2?usp=email : PS1, Line 1798: } > ah, and this lost the `return` part when being moved... `return write_tun_header... […] Done -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1378?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email Gerrit-MessageType: comment Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Ifd9384287648d1f37a625d9ed6a09733208fa56c Gerrit-Change-Number: 1378 Gerrit-PatchSet: 2 Gerrit-Owner: flichtenheld <fr...@li...> Gerrit-Reviewer: cron2 <ge...@gr...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Attention: cron2 <ge...@gr...> Gerrit-Comment-Date: Fri, 14 Nov 2025 13:41:34 +0000 Gerrit-HasComments: Yes Gerrit-Has-Labels: No Comment-In-Reply-To: cron2 <ge...@gr...> |
|
From: flichtenheld (C. Review) <ge...@op...> - 2025-11-14 13:28:39
|
Attention is currently required from: flichtenheld, plaisthos.
Hello cron2, plaisthos,
I'd like you to reexamine a change. Please visit
http://gerrit.openvpn.net/c/openvpn/+/1378?usp=email
to look at the new patch set (#2).
Change subject: tun: Refactor BSD write_tun/read_tun
......................................................................
tun: Refactor BSD write_tun/read_tun
There was a lot of duplicated code, merge it together.
Change-Id: Ifd9384287648d1f37a625d9ed6a09733208fa56c
Signed-off-by: Frank Lichtenheld <fr...@li...>
---
M src/openvpn/tun.c
1 file changed, 20 insertions(+), 229 deletions(-)
git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/78/1378/2
diff --git a/src/openvpn/tun.c b/src/openvpn/tun.c
index 06b7ae5..90505a0 100644
--- a/src/openvpn/tun.c
+++ b/src/openvpn/tun.c
@@ -1685,10 +1685,10 @@
#endif
}
-#if defined(TARGET_OPENBSD) || defined(TARGET_DARWIN)
+#if defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY) || defined(TARGET_NETBSD) || defined(TARGET_OPENBSD) || defined(TARGET_DARWIN)
/*
- * OpenBSD and Mac OS X when using utun
+ * BSDs and Mac OS X when using utun
* have a slightly incompatible TUN device from
* the rest of the world, in that it prepends a
* uint32 to the beginning of the IP header
@@ -1733,11 +1733,9 @@
{
u_int32_t type;
struct iovec iv[2];
- struct openvpn_iphdr *iph;
+ struct ip *iph = (struct ip *)buf;
- iph = (struct openvpn_iphdr *)buf;
-
- if (OPENVPN_IPH_GET_VER(iph->version_len) == 6)
+ if (iph->ip_v == 6)
{
type = htonl(AF_INET6);
}
@@ -1784,7 +1782,22 @@
#pragma GCC diagnostic pop
#endif
-#endif /* if defined (TARGET_OPENBSD) || defined(TARGET_DARWIN) */
+#if !defined(TARGET_DARWIN)
+int
+write_tun(struct tuntap *tt, uint8_t *buf, int len)
+{
+ return write_tun_header(tt, buf, len);
+}
+
+int
+read_tun(struct tuntap *tt, uint8_t *buf, int len)
+{
+ return read_tun_header(tt, buf, len);
+}
+#endif
+
+
+#endif /* defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY) || defined(TARGET_NETBSD) || if defined (TARGET_OPENBSD) || defined(TARGET_DARWIN) */
bool
tun_name_is_fixed(const char *dev)
@@ -2688,18 +2701,6 @@
argv_free(&argv);
}
-int
-write_tun(struct tuntap *tt, uint8_t *buf, int len)
-{
- return write_tun_header(tt, buf, len);
-}
-
-int
-read_tun(struct tuntap *tt, uint8_t *buf, int len)
-{
- return read_tun_header(tt, buf, len);
-}
-
#elif defined(TARGET_NETBSD)
/*
@@ -2801,88 +2802,8 @@
argv_free(&argv);
}
-static inline int
-netbsd_modify_read_write_return(int len)
-{
- if (len > 0)
- {
- return len > sizeof(u_int32_t) ? len - sizeof(u_int32_t) : 0;
- }
- else
- {
- return len;
- }
-}
-
-int
-write_tun(struct tuntap *tt, uint8_t *buf, int len)
-{
- if (tt->type == DEV_TYPE_TUN)
- {
- u_int32_t type;
- struct iovec iv[2];
- struct openvpn_iphdr *iph;
-
- iph = (struct openvpn_iphdr *)buf;
-
- if (OPENVPN_IPH_GET_VER(iph->version_len) == 6)
- {
- type = htonl(AF_INET6);
- }
- else
- {
- type = htonl(AF_INET);
- }
-
- iv[0].iov_base = (char *)&type;
- iv[0].iov_len = sizeof(type);
- iv[1].iov_base = buf;
- iv[1].iov_len = len;
-
- return netbsd_modify_read_write_return(writev(tt->fd, iv, 2));
- }
- else
- {
- return write(tt->fd, buf, len);
- }
-}
-
-int
-read_tun(struct tuntap *tt, uint8_t *buf, int len)
-{
- if (tt->type == DEV_TYPE_TUN)
- {
- u_int32_t type;
- struct iovec iv[2];
-
- iv[0].iov_base = (char *)&type;
- iv[0].iov_len = sizeof(type);
- iv[1].iov_base = buf;
- iv[1].iov_len = len;
-
- return netbsd_modify_read_write_return(readv(tt->fd, iv, 2));
- }
- else
- {
- return read(tt->fd, buf, len);
- }
-}
-
#elif defined(TARGET_FREEBSD)
-static inline int
-freebsd_modify_read_write_return(int len)
-{
- if (len > 0)
- {
- return len > sizeof(u_int32_t) ? len - sizeof(u_int32_t) : 0;
- }
- else
- {
- return len;
- }
-}
-
void
open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tuntap *tt,
openvpn_net_ctx_t *ctx)
@@ -2955,84 +2876,8 @@
argv_free(&argv);
}
-#if defined(__GNUC__) || defined(__clang__)
-#pragma GCC diagnostic push
-#pragma GCC diagnostic ignored "-Wconversion"
-#endif
-
-int
-write_tun(struct tuntap *tt, uint8_t *buf, int len)
-{
- if (tt->type == DEV_TYPE_TUN)
- {
- u_int32_t type;
- struct iovec iv[2];
- struct ip *iph;
-
- iph = (struct ip *)buf;
-
- if (iph->ip_v == 6)
- {
- type = htonl(AF_INET6);
- }
- else
- {
- type = htonl(AF_INET);
- }
-
- iv[0].iov_base = (char *)&type;
- iv[0].iov_len = sizeof(type);
- iv[1].iov_base = buf;
- iv[1].iov_len = len;
-
- return freebsd_modify_read_write_return(writev(tt->fd, iv, 2));
- }
- else
- {
- return write(tt->fd, buf, len);
- }
-}
-
-int
-read_tun(struct tuntap *tt, uint8_t *buf, int len)
-{
- if (tt->type == DEV_TYPE_TUN)
- {
- u_int32_t type;
- struct iovec iv[2];
-
- iv[0].iov_base = (char *)&type;
- iv[0].iov_len = sizeof(type);
- iv[1].iov_base = buf;
- iv[1].iov_len = len;
-
- return freebsd_modify_read_write_return(readv(tt->fd, iv, 2));
- }
- else
- {
- return read(tt->fd, buf, len);
- }
-}
-
-#if defined(__GNUC__) || defined(__clang__)
-#pragma GCC diagnostic pop
-#endif
-
#elif defined(TARGET_DRAGONFLY)
-static inline int
-dragonfly_modify_read_write_return(int len)
-{
- if (len > 0)
- {
- return len > sizeof(u_int32_t) ? len - sizeof(u_int32_t) : 0;
- }
- else
- {
- return len;
- }
-}
-
void
open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tuntap *tt,
openvpn_net_ctx_t *ctx)
@@ -3059,60 +2904,6 @@
free(tt);
}
-int
-write_tun(struct tuntap *tt, uint8_t *buf, int len)
-{
- if (tt->type == DEV_TYPE_TUN)
- {
- u_int32_t type;
- struct iovec iv[2];
- struct ip *iph;
-
- iph = (struct ip *)buf;
-
- if (iph->ip_v == 6)
- {
- type = htonl(AF_INET6);
- }
- else
- {
- type = htonl(AF_INET);
- }
-
- iv[0].iov_base = (char *)&type;
- iv[0].iov_len = sizeof(type);
- iv[1].iov_base = buf;
- iv[1].iov_len = len;
-
- return dragonfly_modify_read_write_return(writev(tt->fd, iv, 2));
- }
- else
- {
- return write(tt->fd, buf, len);
- }
-}
-
-int
-read_tun(struct tuntap *tt, uint8_t *buf, int len)
-{
- if (tt->type == DEV_TYPE_TUN)
- {
- u_int32_t type;
- struct iovec iv[2];
-
- iv[0].iov_base = (char *)&type;
- iv[0].iov_len = sizeof(type);
- iv[1].iov_base = buf;
- iv[1].iov_len = len;
-
- return dragonfly_modify_read_write_return(readv(tt->fd, iv, 2));
- }
- else
- {
- return read(tt->fd, buf, len);
- }
-}
-
#elif defined(TARGET_DARWIN)
/* Darwin (MacOS X) is mostly "just use the generic stuff", but there
--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1378?usp=email
To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email
Gerrit-MessageType: newpatchset
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Ifd9384287648d1f37a625d9ed6a09733208fa56c
Gerrit-Change-Number: 1378
Gerrit-PatchSet: 2
Gerrit-Owner: flichtenheld <fr...@li...>
Gerrit-Reviewer: cron2 <ge...@gr...>
Gerrit-Reviewer: plaisthos <arn...@rf...>
Gerrit-CC: openvpn-devel <ope...@li...>
Gerrit-Attention: plaisthos <arn...@rf...>
Gerrit-Attention: flichtenheld <fr...@li...>
|
|
From: cron2 (C. Review) <ge...@op...> - 2025-11-14 12:41:26
|
Attention is currently required from: flichtenheld, plaisthos. cron2 has posted comments on this change by flichtenheld. ( http://gerrit.openvpn.net/c/openvpn/+/1378?usp=email ) Change subject: tun: Refactor BSD write_tun/read_tun ...................................................................... Patch Set 1: Code-Review-2 -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1378?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email Gerrit-MessageType: comment Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Ifd9384287648d1f37a625d9ed6a09733208fa56c Gerrit-Change-Number: 1378 Gerrit-PatchSet: 1 Gerrit-Owner: flichtenheld <fr...@li...> Gerrit-Reviewer: cron2 <ge...@gr...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Attention: flichtenheld <fr...@li...> Gerrit-Comment-Date: Fri, 14 Nov 2025 12:41:12 +0000 Gerrit-HasComments: No Gerrit-Has-Labels: Yes |
|
From: cron2 (C. Review) <ge...@op...> - 2025-11-14 12:41:10
|
Attention is currently required from: flichtenheld, plaisthos. cron2 has posted comments on this change by flichtenheld. ( http://gerrit.openvpn.net/c/openvpn/+/1378?usp=email ) Change subject: tun: Refactor BSD write_tun/read_tun ...................................................................... Patch Set 1: -Code-Review (1 comment) This change is ready for review. File src/openvpn/tun.c: http://gerrit.openvpn.net/c/openvpn/+/1378/comment/ec691247_5975103b?usp=email : PS1, Line 1798: } ah, and this lost the `return` part when being moved... `return write_tun_header...` -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1378?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email Gerrit-MessageType: comment Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Ifd9384287648d1f37a625d9ed6a09733208fa56c Gerrit-Change-Number: 1378 Gerrit-PatchSet: 1 Gerrit-Owner: flichtenheld <fr...@li...> Gerrit-Reviewer: cron2 <ge...@gr...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Attention: flichtenheld <fr...@li...> Gerrit-Comment-Date: Fri, 14 Nov 2025 12:41:01 +0000 Gerrit-HasComments: Yes Gerrit-Has-Labels: Yes |
|
From: flichtenheld (C. Review) <ge...@op...> - 2025-11-14 12:37:38
|
Attention is currently required from: plaisthos.
Hello plaisthos,
I'd like you to do a code review.
Please visit
http://gerrit.openvpn.net/c/openvpn/+/1378?usp=email
to review the following change.
Change subject: tun: Refactor BSD write_tun/read_tun
......................................................................
tun: Refactor BSD write_tun/read_tun
There was a lot of duplicated code, merge it together.
Change-Id: Ifd9384287648d1f37a625d9ed6a09733208fa56c
Signed-off-by: Frank Lichtenheld <fr...@li...>
---
M src/openvpn/tun.c
1 file changed, 27 insertions(+), 228 deletions(-)
git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/78/1378/1
diff --git a/src/openvpn/tun.c b/src/openvpn/tun.c
index 06b7ae5..22f0c17 100644
--- a/src/openvpn/tun.c
+++ b/src/openvpn/tun.c
@@ -1685,10 +1685,10 @@
#endif
}
-#if defined(TARGET_OPENBSD) || defined(TARGET_DARWIN)
+#if defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY) || defined(TARGET_NETBSD) || defined(TARGET_OPENBSD) || defined(TARGET_DARWIN)
/*
- * OpenBSD and Mac OS X when using utun
+ * BSDs and Mac OS X when using utun
* have a slightly incompatible TUN device from
* the rest of the world, in that it prepends a
* uint32 to the beginning of the IP header
@@ -1733,11 +1733,17 @@
{
u_int32_t type;
struct iovec iv[2];
- struct openvpn_iphdr *iph;
+#if defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY)
+ struct ip *iph = (struct ip *)buf;
- iph = (struct openvpn_iphdr *)buf;
+ bool is_ipv6 = iph->ip_v == 6;
+#else
+ struct openvpn_iphdr *iph = (struct openvpn_iphdr *)buf;
- if (OPENVPN_IPH_GET_VER(iph->version_len) == 6)
+ bool is_ipv6 = OPENVPN_IPH_GET_VER(iph->version_len) == 6;
+#endif
+
+ if (is_ipv6)
{
type = htonl(AF_INET6);
}
@@ -1784,7 +1790,22 @@
#pragma GCC diagnostic pop
#endif
-#endif /* if defined (TARGET_OPENBSD) || defined(TARGET_DARWIN) */
+#if !defined(TARGET_DARWIN)
+int
+write_tun(struct tuntap *tt, uint8_t *buf, int len)
+{
+ write_tun_header(tt, buf, len);
+}
+
+int
+read_tun(struct tuntap *tt, uint8_t *buf, int len)
+{
+ read_tun_header(tt, buf, len);
+}
+#endif
+
+
+#endif /* defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY) || defined(TARGET_NETBSD) || if defined (TARGET_OPENBSD) || defined(TARGET_DARWIN) */
bool
tun_name_is_fixed(const char *dev)
@@ -2688,18 +2709,6 @@
argv_free(&argv);
}
-int
-write_tun(struct tuntap *tt, uint8_t *buf, int len)
-{
- return write_tun_header(tt, buf, len);
-}
-
-int
-read_tun(struct tuntap *tt, uint8_t *buf, int len)
-{
- return read_tun_header(tt, buf, len);
-}
-
#elif defined(TARGET_NETBSD)
/*
@@ -2801,88 +2810,8 @@
argv_free(&argv);
}
-static inline int
-netbsd_modify_read_write_return(int len)
-{
- if (len > 0)
- {
- return len > sizeof(u_int32_t) ? len - sizeof(u_int32_t) : 0;
- }
- else
- {
- return len;
- }
-}
-
-int
-write_tun(struct tuntap *tt, uint8_t *buf, int len)
-{
- if (tt->type == DEV_TYPE_TUN)
- {
- u_int32_t type;
- struct iovec iv[2];
- struct openvpn_iphdr *iph;
-
- iph = (struct openvpn_iphdr *)buf;
-
- if (OPENVPN_IPH_GET_VER(iph->version_len) == 6)
- {
- type = htonl(AF_INET6);
- }
- else
- {
- type = htonl(AF_INET);
- }
-
- iv[0].iov_base = (char *)&type;
- iv[0].iov_len = sizeof(type);
- iv[1].iov_base = buf;
- iv[1].iov_len = len;
-
- return netbsd_modify_read_write_return(writev(tt->fd, iv, 2));
- }
- else
- {
- return write(tt->fd, buf, len);
- }
-}
-
-int
-read_tun(struct tuntap *tt, uint8_t *buf, int len)
-{
- if (tt->type == DEV_TYPE_TUN)
- {
- u_int32_t type;
- struct iovec iv[2];
-
- iv[0].iov_base = (char *)&type;
- iv[0].iov_len = sizeof(type);
- iv[1].iov_base = buf;
- iv[1].iov_len = len;
-
- return netbsd_modify_read_write_return(readv(tt->fd, iv, 2));
- }
- else
- {
- return read(tt->fd, buf, len);
- }
-}
-
#elif defined(TARGET_FREEBSD)
-static inline int
-freebsd_modify_read_write_return(int len)
-{
- if (len > 0)
- {
- return len > sizeof(u_int32_t) ? len - sizeof(u_int32_t) : 0;
- }
- else
- {
- return len;
- }
-}
-
void
open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tuntap *tt,
openvpn_net_ctx_t *ctx)
@@ -2955,84 +2884,8 @@
argv_free(&argv);
}
-#if defined(__GNUC__) || defined(__clang__)
-#pragma GCC diagnostic push
-#pragma GCC diagnostic ignored "-Wconversion"
-#endif
-
-int
-write_tun(struct tuntap *tt, uint8_t *buf, int len)
-{
- if (tt->type == DEV_TYPE_TUN)
- {
- u_int32_t type;
- struct iovec iv[2];
- struct ip *iph;
-
- iph = (struct ip *)buf;
-
- if (iph->ip_v == 6)
- {
- type = htonl(AF_INET6);
- }
- else
- {
- type = htonl(AF_INET);
- }
-
- iv[0].iov_base = (char *)&type;
- iv[0].iov_len = sizeof(type);
- iv[1].iov_base = buf;
- iv[1].iov_len = len;
-
- return freebsd_modify_read_write_return(writev(tt->fd, iv, 2));
- }
- else
- {
- return write(tt->fd, buf, len);
- }
-}
-
-int
-read_tun(struct tuntap *tt, uint8_t *buf, int len)
-{
- if (tt->type == DEV_TYPE_TUN)
- {
- u_int32_t type;
- struct iovec iv[2];
-
- iv[0].iov_base = (char *)&type;
- iv[0].iov_len = sizeof(type);
- iv[1].iov_base = buf;
- iv[1].iov_len = len;
-
- return freebsd_modify_read_write_return(readv(tt->fd, iv, 2));
- }
- else
- {
- return read(tt->fd, buf, len);
- }
-}
-
-#if defined(__GNUC__) || defined(__clang__)
-#pragma GCC diagnostic pop
-#endif
-
#elif defined(TARGET_DRAGONFLY)
-static inline int
-dragonfly_modify_read_write_return(int len)
-{
- if (len > 0)
- {
- return len > sizeof(u_int32_t) ? len - sizeof(u_int32_t) : 0;
- }
- else
- {
- return len;
- }
-}
-
void
open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tuntap *tt,
openvpn_net_ctx_t *ctx)
@@ -3059,60 +2912,6 @@
free(tt);
}
-int
-write_tun(struct tuntap *tt, uint8_t *buf, int len)
-{
- if (tt->type == DEV_TYPE_TUN)
- {
- u_int32_t type;
- struct iovec iv[2];
- struct ip *iph;
-
- iph = (struct ip *)buf;
-
- if (iph->ip_v == 6)
- {
- type = htonl(AF_INET6);
- }
- else
- {
- type = htonl(AF_INET);
- }
-
- iv[0].iov_base = (char *)&type;
- iv[0].iov_len = sizeof(type);
- iv[1].iov_base = buf;
- iv[1].iov_len = len;
-
- return dragonfly_modify_read_write_return(writev(tt->fd, iv, 2));
- }
- else
- {
- return write(tt->fd, buf, len);
- }
-}
-
-int
-read_tun(struct tuntap *tt, uint8_t *buf, int len)
-{
- if (tt->type == DEV_TYPE_TUN)
- {
- u_int32_t type;
- struct iovec iv[2];
-
- iv[0].iov_base = (char *)&type;
- iv[0].iov_len = sizeof(type);
- iv[1].iov_base = buf;
- iv[1].iov_len = len;
-
- return dragonfly_modify_read_write_return(readv(tt->fd, iv, 2));
- }
- else
- {
- return read(tt->fd, buf, len);
- }
-}
-
#elif defined(TARGET_DARWIN)
/* Darwin (MacOS X) is mostly "just use the generic stuff", but there
--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1378?usp=email
To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email
Gerrit-MessageType: newchange
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Ifd9384287648d1f37a625d9ed6a09733208fa56c
Gerrit-Change-Number: 1378
Gerrit-PatchSet: 1
Gerrit-Owner: flichtenheld <fr...@li...>
Gerrit-Reviewer: cron2 <ge...@gr...>
Gerrit-Reviewer: plaisthos <arn...@rf...>
Gerrit-CC: openvpn-devel <ope...@li...>
Gerrit-Attention: plaisthos <arn...@rf...>
|
|
From: Gert D. <ge...@gr...> - 2025-11-14 11:50:42
|
From: Lev Stipakov <le...@op...> - get rid of atoi() for getting the remote transport port. It doesn't change, so no point to do in on every packet. In addition, atoi() breaks when we use service names as ports. - ensure we correctly handle IPv4 headers with options - directly use buf parameter in place of c->c2.buf GitHub: #902 Change-Id: I8a0a8029da02fc63adc918e8d98e9f676ff4ea0d Signed-off-by: Lev Stipakov <le...@op...> Acked-by: Frank Lichtenheld <fr...@li...> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1377 --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1377 This mail reflects revision 2 of this Change. Acked-by according to Gerrit (reflected above): Frank Lichtenheld <fr...@li...> diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index aa1f858..90e52d2 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c @@ -1382,15 +1382,24 @@ struct openvpn_sockaddr *link_addr = &c->c2.to_link_addr->dest; struct link_socket_info *lsi = get_link_socket_info(c); - uint16_t link_port = atoi(c->c2.link_sockets[0]->remote_port); int ip_hdr_offset = 0; - int tun_ip_ver = get_tun_ip_ver(TUNNEL_TYPE(c->c1.tuntap), &c->c2.buf, &ip_hdr_offset); + int tun_ip_ver = get_tun_ip_ver(TUNNEL_TYPE(c->c1.tuntap), buf, &ip_hdr_offset); if (tun_ip_ver == 4) { - /* make sure we got whole IP header and TCP/UDP src/dst ports */ - if (BLEN(buf) < ((int)sizeof(struct openvpn_iphdr) + ip_hdr_offset + sizeof(uint16_t) * 2)) + /* Ensure we can safely read the IPv4 header */ + const int min_ip_header = ip_hdr_offset + sizeof(struct openvpn_iphdr); + if (BLEN(buf) < min_ip_header) + { + return; + } + + struct openvpn_iphdr *pip = (struct openvpn_iphdr *)(BPTR(buf) + ip_hdr_offset); + const int ip_hlen = OPENVPN_IPH_GET_LEN(pip->version_len); + /* Reject malformed or truncated headers */ + if (ip_hlen < sizeof(struct openvpn_iphdr) + || BLEN(buf) < (int)(ip_hdr_offset + ip_hlen + sizeof(uint16_t) * 2)) { return; } @@ -1401,8 +1410,6 @@ return; } - struct openvpn_iphdr *pip = (struct openvpn_iphdr *)(BPTR(buf) + ip_hdr_offset); - /* skip if tun protocol doesn't match link protocol */ if ((lsi->proto == PROTO_TCP && pip->protocol != OPENVPN_IPPROTO_TCP) || (lsi->proto == PROTO_UDP && pip->protocol != OPENVPN_IPPROTO_UDP)) @@ -1410,9 +1417,10 @@ return; } - /* drop packets with same dest addr and port as remote */ - uint8_t *l4_hdr = (uint8_t *)pip + sizeof(struct openvpn_iphdr); + uint8_t *l4_hdr = (uint8_t *)pip + ip_hlen; + + uint16_t link_port = ntohs(link_addr->addr.in4.sin_port); /* TCP and UDP ports are at the same place in the header, and other protocols * can not happen here due to the lsi->proto check above */ @@ -1420,7 +1428,7 @@ uint16_t dst_port = ntohs(*(uint16_t *)(l4_hdr + sizeof(uint16_t))); if ((memcmp(&link_addr->addr.in4.sin_addr.s_addr, &pip->daddr, sizeof(pip->daddr)) == 0) && (link_port == dst_port)) { - c->c2.buf.len = 0; + buf->len = 0; struct gc_arena gc = gc_new(); msg(D_LOW, "Recursive routing detected, packet dropped %s:%" PRIu16 " -> %s", @@ -1433,7 +1441,8 @@ else if (tun_ip_ver == 6) { /* make sure we got whole IPv6 header and TCP/UDP src/dst ports */ - if (BLEN(buf) < ((int)sizeof(struct openvpn_ipv6hdr) + ip_hdr_offset + sizeof(uint16_t) * 2)) + const int min_ipv6 = ip_hdr_offset + sizeof(struct openvpn_ipv6hdr) + sizeof(uint16_t) * 2; + if (BLEN(buf) < min_ipv6) { return; } @@ -1453,13 +1462,15 @@ return; } + uint16_t link_port = ntohs(link_addr->addr.in6.sin6_port); + /* drop packets with same dest addr and port as remote */ uint8_t *l4_hdr = (uint8_t *)pip6 + sizeof(struct openvpn_ipv6hdr); uint16_t src_port = ntohs(*(uint16_t *)l4_hdr); uint16_t dst_port = ntohs(*(uint16_t *)(l4_hdr + sizeof(uint16_t))); if ((OPENVPN_IN6_ARE_ADDR_EQUAL(&link_addr->addr.in6.sin6_addr, &pip6->daddr)) && (link_port == dst_port)) { - c->c2.buf.len = 0; + buf->len = 0; struct gc_arena gc = gc_new(); msg(D_LOW, "Recursive routing detected, packet dropped %s:%" PRIu16 " -> %s", |
|
From: flichtenheld (C. Review) <ge...@op...> - 2025-11-14 11:38:03
|
Attention is currently required from: plaisthos, stipa. flichtenheld has posted comments on this change by stipa. ( http://gerrit.openvpn.net/c/openvpn/+/1377?usp=email ) Change subject: recursive routing: fixes and clean-ups ...................................................................... Patch Set 2: Code-Review+2 -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1377?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email Gerrit-MessageType: comment Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I8a0a8029da02fc63adc918e8d98e9f676ff4ea0d Gerrit-Change-Number: 1377 Gerrit-PatchSet: 2 Gerrit-Owner: stipa <lst...@gm...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Attention: stipa <lst...@gm...> Gerrit-Comment-Date: Fri, 14 Nov 2025 11:37:53 +0000 Gerrit-HasComments: No Gerrit-Has-Labels: Yes |
|
From: stipa (C. Review) <ge...@op...> - 2025-11-14 11:35:34
|
Attention is currently required from: flichtenheld, plaisthos. stipa has posted comments on this change by stipa. ( http://gerrit.openvpn.net/c/openvpn/+/1377?usp=email ) Change subject: recursive routing: fixes and clean-ups ...................................................................... Patch Set 2: (2 comments) Patchset: PS2: Redundant cast removed. File src/openvpn/forward.c: http://gerrit.openvpn.net/c/openvpn/+/1377/comment/8411f02b_e8b0f841?usp=email : PS1, Line 1393: if (BLEN(buf) < (int)min_ip_header) > redundant cast Acknowledged -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1377?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email Gerrit-MessageType: comment Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I8a0a8029da02fc63adc918e8d98e9f676ff4ea0d Gerrit-Change-Number: 1377 Gerrit-PatchSet: 2 Gerrit-Owner: stipa <lst...@gm...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Attention: flichtenheld <fr...@li...> Gerrit-Comment-Date: Fri, 14 Nov 2025 11:35:19 +0000 Gerrit-HasComments: Yes Gerrit-Has-Labels: No Comment-In-Reply-To: flichtenheld <fr...@li...> |
|
From: stipa (C. Review) <ge...@op...> - 2025-11-14 11:34:17
|
Attention is currently required from: flichtenheld, plaisthos, stipa.
Hello flichtenheld, plaisthos,
I'd like you to reexamine a change. Please visit
http://gerrit.openvpn.net/c/openvpn/+/1377?usp=email
to look at the new patch set (#2).
The following approvals got outdated and were removed:
Code-Review+2 by flichtenheld
The change is no longer submittable: Code-Review and checks~ChecksSubmitRule are unsatisfied now.
Change subject: recursive routing: fixes and clean-ups
......................................................................
recursive routing: fixes and clean-ups
- get rid of atoi() for getting the remote transport port.
It doesn't change, so no point to do in on every packet.
In addition, atoi() breaks when we use service names as ports.
- ensure we correctly handle IPv4 headers with options
- directly use buf parameter in place of c->c2.buf
GitHub: #902
Change-Id: I8a0a8029da02fc63adc918e8d98e9f676ff4ea0d
Signed-off-by: Lev Stipakov <le...@op...>
---
M src/openvpn/forward.c
1 file changed, 22 insertions(+), 11 deletions(-)
git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/77/1377/2
diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c
index aa1f858..90e52d2 100644
--- a/src/openvpn/forward.c
+++ b/src/openvpn/forward.c
@@ -1382,15 +1382,24 @@
struct openvpn_sockaddr *link_addr = &c->c2.to_link_addr->dest;
struct link_socket_info *lsi = get_link_socket_info(c);
- uint16_t link_port = atoi(c->c2.link_sockets[0]->remote_port);
int ip_hdr_offset = 0;
- int tun_ip_ver = get_tun_ip_ver(TUNNEL_TYPE(c->c1.tuntap), &c->c2.buf, &ip_hdr_offset);
+ int tun_ip_ver = get_tun_ip_ver(TUNNEL_TYPE(c->c1.tuntap), buf, &ip_hdr_offset);
if (tun_ip_ver == 4)
{
- /* make sure we got whole IP header and TCP/UDP src/dst ports */
- if (BLEN(buf) < ((int)sizeof(struct openvpn_iphdr) + ip_hdr_offset + sizeof(uint16_t) * 2))
+ /* Ensure we can safely read the IPv4 header */
+ const int min_ip_header = ip_hdr_offset + sizeof(struct openvpn_iphdr);
+ if (BLEN(buf) < min_ip_header)
+ {
+ return;
+ }
+
+ struct openvpn_iphdr *pip = (struct openvpn_iphdr *)(BPTR(buf) + ip_hdr_offset);
+ const int ip_hlen = OPENVPN_IPH_GET_LEN(pip->version_len);
+ /* Reject malformed or truncated headers */
+ if (ip_hlen < sizeof(struct openvpn_iphdr)
+ || BLEN(buf) < (int)(ip_hdr_offset + ip_hlen + sizeof(uint16_t) * 2))
{
return;
}
@@ -1401,8 +1410,6 @@
return;
}
- struct openvpn_iphdr *pip = (struct openvpn_iphdr *)(BPTR(buf) + ip_hdr_offset);
-
/* skip if tun protocol doesn't match link protocol */
if ((lsi->proto == PROTO_TCP && pip->protocol != OPENVPN_IPPROTO_TCP)
|| (lsi->proto == PROTO_UDP && pip->protocol != OPENVPN_IPPROTO_UDP))
@@ -1410,9 +1417,10 @@
return;
}
-
/* drop packets with same dest addr and port as remote */
- uint8_t *l4_hdr = (uint8_t *)pip + sizeof(struct openvpn_iphdr);
+ uint8_t *l4_hdr = (uint8_t *)pip + ip_hlen;
+
+ uint16_t link_port = ntohs(link_addr->addr.in4.sin_port);
/* TCP and UDP ports are at the same place in the header, and other protocols
* can not happen here due to the lsi->proto check above */
@@ -1420,7 +1428,7 @@
uint16_t dst_port = ntohs(*(uint16_t *)(l4_hdr + sizeof(uint16_t)));
if ((memcmp(&link_addr->addr.in4.sin_addr.s_addr, &pip->daddr, sizeof(pip->daddr)) == 0) && (link_port == dst_port))
{
- c->c2.buf.len = 0;
+ buf->len = 0;
struct gc_arena gc = gc_new();
msg(D_LOW, "Recursive routing detected, packet dropped %s:%" PRIu16 " -> %s",
@@ -1433,7 +1441,8 @@
else if (tun_ip_ver == 6)
{
/* make sure we got whole IPv6 header and TCP/UDP src/dst ports */
- if (BLEN(buf) < ((int)sizeof(struct openvpn_ipv6hdr) + ip_hdr_offset + sizeof(uint16_t) * 2))
+ const int min_ipv6 = ip_hdr_offset + sizeof(struct openvpn_ipv6hdr) + sizeof(uint16_t) * 2;
+ if (BLEN(buf) < min_ipv6)
{
return;
}
@@ -1453,13 +1462,15 @@
return;
}
+ uint16_t link_port = ntohs(link_addr->addr.in6.sin6_port);
+
/* drop packets with same dest addr and port as remote */
uint8_t *l4_hdr = (uint8_t *)pip6 + sizeof(struct openvpn_ipv6hdr);
uint16_t src_port = ntohs(*(uint16_t *)l4_hdr);
uint16_t dst_port = ntohs(*(uint16_t *)(l4_hdr + sizeof(uint16_t)));
if ((OPENVPN_IN6_ARE_ADDR_EQUAL(&link_addr->addr.in6.sin6_addr, &pip6->daddr)) && (link_port == dst_port))
{
- c->c2.buf.len = 0;
+ buf->len = 0;
struct gc_arena gc = gc_new();
msg(D_LOW, "Recursive routing detected, packet dropped %s:%" PRIu16 " -> %s",
--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1377?usp=email
To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email
Gerrit-MessageType: newpatchset
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I8a0a8029da02fc63adc918e8d98e9f676ff4ea0d
Gerrit-Change-Number: 1377
Gerrit-PatchSet: 2
Gerrit-Owner: stipa <lst...@gm...>
Gerrit-Reviewer: flichtenheld <fr...@li...>
Gerrit-Reviewer: plaisthos <arn...@rf...>
Gerrit-CC: openvpn-devel <ope...@li...>
Gerrit-Attention: plaisthos <arn...@rf...>
Gerrit-Attention: flichtenheld <fr...@li...>
Gerrit-Attention: stipa <lst...@gm...>
|
|
From: flichtenheld (C. Review) <ge...@op...> - 2025-11-14 11:31:36
|
Attention is currently required from: plaisthos, stipa. flichtenheld has posted comments on this change by stipa. ( http://gerrit.openvpn.net/c/openvpn/+/1377?usp=email ) Change subject: recursive routing: fixes and clean-ups ...................................................................... Patch Set 1: Code-Review+2 (1 comment) File src/openvpn/forward.c: http://gerrit.openvpn.net/c/openvpn/+/1377/comment/2089338d_27510d2a?usp=email : PS1, Line 1393: if (BLEN(buf) < (int)min_ip_header) redundant cast -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1377?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email Gerrit-MessageType: comment Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I8a0a8029da02fc63adc918e8d98e9f676ff4ea0d Gerrit-Change-Number: 1377 Gerrit-PatchSet: 1 Gerrit-Owner: stipa <lst...@gm...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Attention: stipa <lst...@gm...> Gerrit-Comment-Date: Fri, 14 Nov 2025 11:31:22 +0000 Gerrit-HasComments: Yes Gerrit-Has-Labels: Yes |
|
From: Ralf L. <ra...@ma...> - 2025-11-14 10:40:57
|
Currently ovpn uses three separate dynamically allocated structures to
set up cryptographic operations for both encryption and decryption. This
adds overhead to performance-critical paths and contribute to memory
fragmentation.
This commit consolidates those allocations into a single temporary blob,
similar to what esp_alloc_tmp() does.
The resulting performance gain is +7.7% and +4.3% for UDP when using AES
and ChaChaPoly respectively, and +4.3% for TCP.
Signed-off-by: Ralf Lici <ra...@ma...>
Signed-off-by: Antonio Quartulli <an...@op...>
---
Changes since v2:
- Replaced manual multiplication with array_size() helper
- Made ovpn_aead_crypto_tmp_size() less generic by asserting that IV
size equals OVPN_NONCE_SIZE
Changes since v1:
- Fixed typo in commit message
- Adjusted ovpn_aead_crypto_tmp_size comment to follow kdoc style
- Stored allocated blob in the skb control block immediately after
allocation to prevent leakage on failure
- Removed 'inline' from function declarations in crypto_aead.c
drivers/net/ovpn/crypto_aead.c | 160 +++++++++++++++++++++++++--------
drivers/net/ovpn/io.c | 8 +-
drivers/net/ovpn/skb.h | 13 ++-
3 files changed, 135 insertions(+), 46 deletions(-)
diff --git a/drivers/net/ovpn/crypto_aead.c b/drivers/net/ovpn/crypto_aead.c
index cb6cdf8ec317..cd723140c8d0 100644
--- a/drivers/net/ovpn/crypto_aead.c
+++ b/drivers/net/ovpn/crypto_aead.c
@@ -36,6 +36,104 @@ static int ovpn_aead_encap_overhead(const struct ovpn_crypto_key_slot *ks)
crypto_aead_authsize(ks->encrypt); /* Auth Tag */
}
+/**
+ * ovpn_aead_crypto_tmp_size - compute the size of a temporary object containing
+ * an AEAD request structure with extra space for SG
+ * and IV.
+ * @tfm: the AEAD cipher handle
+ * @nfrags: the number of fragments in the skb
+ *
+ * This function calculates the size of a contiguous memory block that includes
+ * the initialization vector (IV), the AEAD request, and an array of scatterlist
+ * entries. For alignment considerations, the IV is placed first, followed by
+ * the request, and then the scatterlist.
+ * Additional alignment is applied according to the requirements of the
+ * underlying structures.
+ *
+ * Return: the size of the temporary memory that needs to be allocated
+ */
+static unsigned int ovpn_aead_crypto_tmp_size(struct crypto_aead *tfm,
+ const unsigned int nfrags)
+{
+ unsigned int len = OVPN_NONCE_SIZE;
+
+ DEBUG_NET_WARN_ON_ONCE(OVPN_NONCE_SIZE != crypto_aead_ivsize(tfm));
+
+ /* min size for a buffer of ivsize, aligned to alignmask */
+ len += crypto_aead_alignmask(tfm) & ~(crypto_tfm_ctx_alignment() - 1);
+ /* round up to the next multiple of the crypto ctx alignment */
+ len = ALIGN(len, crypto_tfm_ctx_alignment());
+
+ /* reserve space for the AEAD request */
+ len += sizeof(struct aead_request) + crypto_aead_reqsize(tfm);
+ /* round up to the next multiple of the scatterlist alignment */
+ len = ALIGN(len, __alignof__(struct scatterlist));
+
+ /* add enough space for nfrags + 2 scatterlist entries */
+ len += array_size(sizeof(struct scatterlist), nfrags + 2);
+ return len;
+}
+
+/**
+ * ovpn_aead_crypto_tmp_iv - retrieve the pointer to the IV within a temporary
+ * buffer allocated using ovpn_aead_crypto_tmp_size
+ * @aead: the AEAD cipher handle
+ * @tmp: a pointer to the beginning of the temporary buffer
+ *
+ * This function retrieves a pointer to the initialization vector (IV) in the
+ * temporary buffer. If the AEAD cipher specifies an IV size, the pointer is
+ * adjusted using the AEAD's alignment mask to ensure proper alignment.
+ *
+ * Returns: a pointer to the IV within the temporary buffer
+ */
+static u8 *ovpn_aead_crypto_tmp_iv(struct crypto_aead *aead, void *tmp)
+{
+ return likely(crypto_aead_ivsize(aead)) ?
+ PTR_ALIGN((u8 *)tmp, crypto_aead_alignmask(aead) + 1) :
+ tmp;
+}
+
+/**
+ * ovpn_aead_crypto_tmp_req - retrieve the pointer to the AEAD request structure
+ * within a temporary buffer allocated using
+ * ovpn_aead_crypto_tmp_size
+ * @aead: the AEAD cipher handle
+ * @iv: a pointer to the initialization vector in the temporary buffer
+ *
+ * This function computes the location of the AEAD request structure that
+ * immediately follows the IV in the temporary buffer and it ensures the request
+ * is aligned to the crypto transform context alignment.
+ *
+ * Returns: a pointer to the AEAD request structure
+ */
+static struct aead_request *ovpn_aead_crypto_tmp_req(struct crypto_aead *aead,
+ const u8 *iv)
+{
+ return (void *)PTR_ALIGN(iv + crypto_aead_ivsize(aead),
+ crypto_tfm_ctx_alignment());
+}
+
+/**
+ * ovpn_aead_crypto_req_sg - locate the scatterlist following the AEAD request
+ * within a temporary buffer allocated using
+ * ovpn_aead_crypto_tmp_size
+ * @aead: the AEAD cipher handle
+ * @req: a pointer to the AEAD request structure in the temporary buffer
+ *
+ * This function computes the starting address of the scatterlist that is
+ * allocated immediately after the AEAD request structure. It aligns the pointer
+ * based on the alignment requirements of the scatterlist structure.
+ *
+ * Returns: a pointer to the scatterlist
+ */
+static struct scatterlist *ovpn_aead_crypto_req_sg(struct crypto_aead *aead,
+ struct aead_request *req)
+{
+ return (void *)ALIGN((unsigned long)(req + 1) +
+ crypto_aead_reqsize(aead),
+ __alignof__(struct scatterlist));
+}
+
int ovpn_aead_encrypt(struct ovpn_peer *peer, struct ovpn_crypto_key_slot *ks,
struct sk_buff *skb)
{
@@ -45,6 +143,7 @@ int ovpn_aead_encrypt(struct ovpn_peer *peer, struct ovpn_crypto_key_slot *ks,
struct scatterlist *sg;
int nfrags, ret;
u32 pktid, op;
+ void *tmp;
u8 *iv;
ovpn_skb_cb(skb)->peer = peer;
@@ -71,13 +170,17 @@ int ovpn_aead_encrypt(struct ovpn_peer *peer, struct ovpn_crypto_key_slot *ks,
if (unlikely(nfrags + 2 > (MAX_SKB_FRAGS + 2)))
return -ENOSPC;
- /* sg may be required by async crypto */
- ovpn_skb_cb(skb)->sg = kmalloc(sizeof(*ovpn_skb_cb(skb)->sg) *
- (nfrags + 2), GFP_ATOMIC);
- if (unlikely(!ovpn_skb_cb(skb)->sg))
+ /* allocate temporary memory for iv, sg and req */
+ tmp = kmalloc(ovpn_aead_crypto_tmp_size(ks->encrypt, nfrags),
+ GFP_ATOMIC);
+ if (unlikely(!tmp))
return -ENOMEM;
- sg = ovpn_skb_cb(skb)->sg;
+ ovpn_skb_cb(skb)->crypto_tmp = tmp;
+
+ iv = ovpn_aead_crypto_tmp_iv(ks->encrypt, tmp);
+ req = ovpn_aead_crypto_tmp_req(ks->encrypt, iv);
+ sg = ovpn_aead_crypto_req_sg(ks->encrypt, req);
/* sg table:
* 0: op, wire nonce (AD, len=OVPN_OP_SIZE_V2+OVPN_NONCE_WIRE_SIZE),
@@ -105,13 +208,6 @@ int ovpn_aead_encrypt(struct ovpn_peer *peer, struct ovpn_crypto_key_slot *ks,
if (unlikely(ret < 0))
return ret;
- /* iv may be required by async crypto */
- ovpn_skb_cb(skb)->iv = kmalloc(OVPN_NONCE_SIZE, GFP_ATOMIC);
- if (unlikely(!ovpn_skb_cb(skb)->iv))
- return -ENOMEM;
-
- iv = ovpn_skb_cb(skb)->iv;
-
/* concat 4 bytes packet id and 8 bytes nonce tail into 12 bytes
* nonce
*/
@@ -130,12 +226,6 @@ int ovpn_aead_encrypt(struct ovpn_peer *peer, struct ovpn_crypto_key_slot *ks,
/* AEAD Additional data */
sg_set_buf(sg, skb->data, OVPN_AAD_SIZE);
- req = aead_request_alloc(ks->encrypt, GFP_ATOMIC);
- if (unlikely(!req))
- return -ENOMEM;
-
- ovpn_skb_cb(skb)->req = req;
-
/* setup async crypto operation */
aead_request_set_tfm(req, ks->encrypt);
aead_request_set_callback(req, 0, ovpn_encrypt_post, skb);
@@ -156,6 +246,7 @@ int ovpn_aead_decrypt(struct ovpn_peer *peer, struct ovpn_crypto_key_slot *ks,
struct aead_request *req;
struct sk_buff *trailer;
struct scatterlist *sg;
+ void *tmp;
u8 *iv;
payload_offset = OVPN_AAD_SIZE + tag_size;
@@ -184,13 +275,17 @@ int ovpn_aead_decrypt(struct ovpn_peer *peer, struct ovpn_crypto_key_slot *ks,
if (unlikely(nfrags + 2 > (MAX_SKB_FRAGS + 2)))
return -ENOSPC;
- /* sg may be required by async crypto */
- ovpn_skb_cb(skb)->sg = kmalloc(sizeof(*ovpn_skb_cb(skb)->sg) *
- (nfrags + 2), GFP_ATOMIC);
- if (unlikely(!ovpn_skb_cb(skb)->sg))
+ /* allocate temporary memory for iv, sg and req */
+ tmp = kmalloc(ovpn_aead_crypto_tmp_size(ks->decrypt, nfrags),
+ GFP_ATOMIC);
+ if (unlikely(!tmp))
return -ENOMEM;
- sg = ovpn_skb_cb(skb)->sg;
+ ovpn_skb_cb(skb)->crypto_tmp = tmp;
+
+ iv = ovpn_aead_crypto_tmp_iv(ks->decrypt, tmp);
+ req = ovpn_aead_crypto_tmp_req(ks->decrypt, iv);
+ sg = ovpn_aead_crypto_req_sg(ks->decrypt, req);
/* sg table:
* 0: op, wire nonce (AD, len=OVPN_OPCODE_SIZE+OVPN_NONCE_WIRE_SIZE),
@@ -213,24 +308,11 @@ int ovpn_aead_decrypt(struct ovpn_peer *peer, struct ovpn_crypto_key_slot *ks,
/* append auth_tag onto scatterlist */
sg_set_buf(sg + ret + 1, skb->data + OVPN_AAD_SIZE, tag_size);
- /* iv may be required by async crypto */
- ovpn_skb_cb(skb)->iv = kmalloc(OVPN_NONCE_SIZE, GFP_ATOMIC);
- if (unlikely(!ovpn_skb_cb(skb)->iv))
- return -ENOMEM;
-
- iv = ovpn_skb_cb(skb)->iv;
-
/* copy nonce into IV buffer */
memcpy(iv, skb->data + OVPN_OPCODE_SIZE, OVPN_NONCE_WIRE_SIZE);
memcpy(iv + OVPN_NONCE_WIRE_SIZE, ks->nonce_tail_recv,
OVPN_NONCE_TAIL_SIZE);
- req = aead_request_alloc(ks->decrypt, GFP_ATOMIC);
- if (unlikely(!req))
- return -ENOMEM;
-
- ovpn_skb_cb(skb)->req = req;
-
/* setup async crypto operation */
aead_request_set_tfm(req, ks->decrypt);
aead_request_set_callback(req, 0, ovpn_decrypt_post, skb);
@@ -273,7 +355,11 @@ static struct crypto_aead *ovpn_aead_init(const char *title,
goto error;
}
- /* basic AEAD assumption */
+ /* basic AEAD assumption
+ * all current algorithms use OVPN_NONCE_SIZE.
+ * ovpn_aead_crypto_tmp_size and ovpn_aead_encrypt/decrypt
+ * expect this.
+ */
if (crypto_aead_ivsize(aead) != OVPN_NONCE_SIZE) {
pr_err("%s IV size must be %d\n", title, OVPN_NONCE_SIZE);
ret = -EINVAL;
diff --git a/drivers/net/ovpn/io.c b/drivers/net/ovpn/io.c
index 3e9e7f8444b3..2721ee8268b2 100644
--- a/drivers/net/ovpn/io.c
+++ b/drivers/net/ovpn/io.c
@@ -119,9 +119,7 @@ void ovpn_decrypt_post(void *data, int ret)
peer = ovpn_skb_cb(skb)->peer;
/* crypto is done, cleanup skb CB and its members */
- kfree(ovpn_skb_cb(skb)->iv);
- kfree(ovpn_skb_cb(skb)->sg);
- aead_request_free(ovpn_skb_cb(skb)->req);
+ kfree(ovpn_skb_cb(skb)->crypto_tmp);
if (unlikely(ret < 0))
goto drop;
@@ -248,9 +246,7 @@ void ovpn_encrypt_post(void *data, int ret)
peer = ovpn_skb_cb(skb)->peer;
/* crypto is done, cleanup skb CB and its members */
- kfree(ovpn_skb_cb(skb)->iv);
- kfree(ovpn_skb_cb(skb)->sg);
- aead_request_free(ovpn_skb_cb(skb)->req);
+ kfree(ovpn_skb_cb(skb)->crypto_tmp);
if (unlikely(ret == -ERANGE)) {
/* we ran out of IVs and we must kill the key as it can't be
diff --git a/drivers/net/ovpn/skb.h b/drivers/net/ovpn/skb.h
index 64430880f1da..4fb7ea025426 100644
--- a/drivers/net/ovpn/skb.h
+++ b/drivers/net/ovpn/skb.h
@@ -18,12 +18,19 @@
#include <linux/socket.h>
#include <linux/types.h>
+/**
+ * struct ovpn_cb - ovpn skb control block
+ * @peer: the peer this skb was received from/sent to
+ * @ks: the crypto key slot used to encrypt/decrypt this skb
+ * @crypto_tmp: pointer to temporary memory used for crypto operations
+ * containing the IV, the scatter gather list and the aead request
+ * @payload_offset: offset in the skb where the payload starts
+ * @nosignal: whether this skb should be sent with the MSG_NOSIGNAL flag (TCP)
+ */
struct ovpn_cb {
struct ovpn_peer *peer;
struct ovpn_crypto_key_slot *ks;
- struct aead_request *req;
- struct scatterlist *sg;
- u8 *iv;
+ void *crypto_tmp;
unsigned int payload_offset;
bool nosignal;
};
--
2.51.1
|
|
From: Ralf L. <ra...@ma...> - 2025-11-14 10:40:28
|
Send a netlink notification when a client updates its remote UDP
endpoint. The notification includes the new IP address, port, and scope
ID (for IPv6).
Signed-off-by: Ralf Lici <ra...@ma...>
Signed-off-by: Antonio Quartulli <an...@op...>
---
Changes since v1:
- correctly set return value for unsupported AF in
ovpn_nl_peer_float_notify
Documentation/netlink/specs/ovpn.yaml | 6 ++
drivers/net/ovpn/netlink.c | 82 +++++++++++++++++++++
drivers/net/ovpn/netlink.h | 2 +
drivers/net/ovpn/peer.c | 2 +
include/uapi/linux/ovpn.h | 1 +
tools/testing/selftests/net/ovpn/ovpn-cli.c | 3 +
6 files changed, 96 insertions(+)
diff --git a/Documentation/netlink/specs/ovpn.yaml b/Documentation/netlink/specs/ovpn.yaml
index 1b91045cee2e..0d0c028bf96f 100644
--- a/Documentation/netlink/specs/ovpn.yaml
+++ b/Documentation/netlink/specs/ovpn.yaml
@@ -502,6 +502,12 @@ operations:
- ifindex
- keyconf
+ -
+ name: peer-float-ntf
+ doc: Notification about a peer floating (changing its remote UDP endpoint)
+ notify: peer-get
+ mcgrp: peers
+
mcast-groups:
list:
-
diff --git a/drivers/net/ovpn/netlink.c b/drivers/net/ovpn/netlink.c
index fed0e46b32a3..3db056f4cd0a 100644
--- a/drivers/net/ovpn/netlink.c
+++ b/drivers/net/ovpn/netlink.c
@@ -1203,6 +1203,88 @@ int ovpn_nl_peer_del_notify(struct ovpn_peer *peer)
return ret;
}
+/**
+ * ovpn_nl_float_peer_notify - notify userspace about peer floating
+ * @peer: the floated peer
+ * @ss: sockaddr representing the new remote endpoint
+ *
+ * Return: 0 on success or a negative error code otherwise
+ */
+int ovpn_nl_peer_float_notify(struct ovpn_peer *peer,
+ const struct sockaddr_storage *ss)
+{
+ struct ovpn_socket *sock;
+ struct sockaddr_in6 *sa6;
+ struct sockaddr_in *sa;
+ struct sk_buff *msg;
+ struct nlattr *attr;
+ int ret = -EMSGSIZE;
+ void *hdr;
+
+ msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
+ if (!msg)
+ return -ENOMEM;
+
+ hdr = genlmsg_put(msg, 0, 0, &ovpn_nl_family, 0,
+ OVPN_CMD_PEER_FLOAT_NTF);
+ if (!hdr) {
+ ret = -ENOBUFS;
+ goto err_free_msg;
+ }
+
+ if (nla_put_u32(msg, OVPN_A_IFINDEX, peer->ovpn->dev->ifindex))
+ goto err_cancel_msg;
+
+ attr = nla_nest_start(msg, OVPN_A_PEER);
+ if (!attr)
+ goto err_cancel_msg;
+
+ if (nla_put_u32(msg, OVPN_A_PEER_ID, peer->id))
+ goto err_cancel_msg;
+
+ if (ss->ss_family == AF_INET) {
+ sa = (struct sockaddr_in *)ss;
+ if (nla_put_in_addr(msg, OVPN_A_PEER_REMOTE_IPV4,
+ sa->sin_addr.s_addr) ||
+ nla_put_net16(msg, OVPN_A_PEER_REMOTE_PORT, sa->sin_port))
+ goto err_cancel_msg;
+ } else if (ss->ss_family == AF_INET6) {
+ sa6 = (struct sockaddr_in6 *)ss;
+ if (nla_put_in6_addr(msg, OVPN_A_PEER_REMOTE_IPV6,
+ &sa6->sin6_addr) ||
+ nla_put_u32(msg, OVPN_A_PEER_REMOTE_IPV6_SCOPE_ID,
+ sa6->sin6_scope_id) ||
+ nla_put_net16(msg, OVPN_A_PEER_REMOTE_PORT, sa6->sin6_port))
+ goto err_cancel_msg;
+ } else {
+ ret = -EAFNOSUPPORT;
+ goto err_cancel_msg;
+ }
+
+ nla_nest_end(msg, attr);
+ genlmsg_end(msg, hdr);
+
+ rcu_read_lock();
+ sock = rcu_dereference(peer->sock);
+ if (!sock) {
+ ret = -EINVAL;
+ goto err_unlock;
+ }
+ genlmsg_multicast_netns(&ovpn_nl_family, sock_net(sock->sk), msg,
+ 0, OVPN_NLGRP_PEERS, GFP_ATOMIC);
+ rcu_read_unlock();
+
+ return 0;
+
+err_unlock:
+ rcu_read_unlock();
+err_cancel_msg:
+ genlmsg_cancel(msg, hdr);
+err_free_msg:
+ nlmsg_free(msg);
+ return ret;
+}
+
/**
* ovpn_nl_key_swap_notify - notify userspace peer's key must be renewed
* @peer: the peer whose key needs to be renewed
diff --git a/drivers/net/ovpn/netlink.h b/drivers/net/ovpn/netlink.h
index 8615dfc3c472..11ee7c681885 100644
--- a/drivers/net/ovpn/netlink.h
+++ b/drivers/net/ovpn/netlink.h
@@ -13,6 +13,8 @@ int ovpn_nl_register(void);
void ovpn_nl_unregister(void);
int ovpn_nl_peer_del_notify(struct ovpn_peer *peer);
+int ovpn_nl_peer_float_notify(struct ovpn_peer *peer,
+ const struct sockaddr_storage *ss);
int ovpn_nl_key_swap_notify(struct ovpn_peer *peer, u8 key_id);
#endif /* _NET_OVPN_NETLINK_H_ */
diff --git a/drivers/net/ovpn/peer.c b/drivers/net/ovpn/peer.c
index 4bfcab0c8652..9ad50f1ac2c3 100644
--- a/drivers/net/ovpn/peer.c
+++ b/drivers/net/ovpn/peer.c
@@ -287,6 +287,8 @@ void ovpn_peer_endpoints_update(struct ovpn_peer *peer, struct sk_buff *skb)
spin_unlock_bh(&peer->lock);
+ ovpn_nl_peer_float_notify(peer, &ss);
+
/* rehashing is required only in MP mode as P2P has one peer
* only and thus there is no hashtable
*/
diff --git a/include/uapi/linux/ovpn.h b/include/uapi/linux/ovpn.h
index 680d1522dc87..b3c9ff0a6849 100644
--- a/include/uapi/linux/ovpn.h
+++ b/include/uapi/linux/ovpn.h
@@ -99,6 +99,7 @@ enum {
OVPN_CMD_KEY_SWAP,
OVPN_CMD_KEY_SWAP_NTF,
OVPN_CMD_KEY_DEL,
+ OVPN_CMD_PEER_FLOAT_NTF,
__OVPN_CMD_MAX,
OVPN_CMD_MAX = (__OVPN_CMD_MAX - 1)
diff --git a/tools/testing/selftests/net/ovpn/ovpn-cli.c b/tools/testing/selftests/net/ovpn/ovpn-cli.c
index 0a5226196a2e..064453d16fdd 100644
--- a/tools/testing/selftests/net/ovpn/ovpn-cli.c
+++ b/tools/testing/selftests/net/ovpn/ovpn-cli.c
@@ -1516,6 +1516,9 @@ static int ovpn_handle_msg(struct nl_msg *msg, void *arg)
case OVPN_CMD_PEER_DEL_NTF:
fprintf(stdout, "received CMD_PEER_DEL_NTF\n");
break;
+ case OVPN_CMD_PEER_FLOAT_NTF:
+ fprintf(stdout, "received CMD_PEER_FLOAT_NTF\n");
+ break;
case OVPN_CMD_KEY_SWAP_NTF:
fprintf(stdout, "received CMD_KEY_SWAP_NTF\n");
break;
--
2.51.1
|
|
From: stipa (C. Review) <ge...@op...> - 2025-11-14 09:24:48
|
Attention is currently required from: plaisthos.
Hello plaisthos,
I'd like you to do a code review.
Please visit
http://gerrit.openvpn.net/c/openvpn/+/1377?usp=email
to review the following change.
Change subject: recursive routing: fixes and clean-ups
......................................................................
recursive routing: fixes and clean-ups
- get rid of atoi() for getting the remote transport port.
It doesn't change, so no point to do in on every packet.
In addition, atoi() breaks when we use service names as ports.
- ensure we correctly handle IPv4 headers with options
- directly use buf parameter in place of c->c2.buf
GitHub: #902
Change-Id: I8a0a8029da02fc63adc918e8d98e9f676ff4ea0d
Signed-off-by: Lev Stipakov <le...@op...>
---
M src/openvpn/forward.c
1 file changed, 22 insertions(+), 11 deletions(-)
git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/77/1377/1
diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c
index aa1f858..d870d48 100644
--- a/src/openvpn/forward.c
+++ b/src/openvpn/forward.c
@@ -1382,15 +1382,24 @@
struct openvpn_sockaddr *link_addr = &c->c2.to_link_addr->dest;
struct link_socket_info *lsi = get_link_socket_info(c);
- uint16_t link_port = atoi(c->c2.link_sockets[0]->remote_port);
int ip_hdr_offset = 0;
- int tun_ip_ver = get_tun_ip_ver(TUNNEL_TYPE(c->c1.tuntap), &c->c2.buf, &ip_hdr_offset);
+ int tun_ip_ver = get_tun_ip_ver(TUNNEL_TYPE(c->c1.tuntap), buf, &ip_hdr_offset);
if (tun_ip_ver == 4)
{
- /* make sure we got whole IP header and TCP/UDP src/dst ports */
- if (BLEN(buf) < ((int)sizeof(struct openvpn_iphdr) + ip_hdr_offset + sizeof(uint16_t) * 2))
+ /* Ensure we can safely read the IPv4 header */
+ const int min_ip_header = ip_hdr_offset + sizeof(struct openvpn_iphdr);
+ if (BLEN(buf) < (int)min_ip_header)
+ {
+ return;
+ }
+
+ struct openvpn_iphdr *pip = (struct openvpn_iphdr *)(BPTR(buf) + ip_hdr_offset);
+ const int ip_hlen = OPENVPN_IPH_GET_LEN(pip->version_len);
+ /* Reject malformed or truncated headers */
+ if (ip_hlen < sizeof(struct openvpn_iphdr)
+ || BLEN(buf) < (int)(ip_hdr_offset + ip_hlen + sizeof(uint16_t) * 2))
{
return;
}
@@ -1401,8 +1410,6 @@
return;
}
- struct openvpn_iphdr *pip = (struct openvpn_iphdr *)(BPTR(buf) + ip_hdr_offset);
-
/* skip if tun protocol doesn't match link protocol */
if ((lsi->proto == PROTO_TCP && pip->protocol != OPENVPN_IPPROTO_TCP)
|| (lsi->proto == PROTO_UDP && pip->protocol != OPENVPN_IPPROTO_UDP))
@@ -1410,9 +1417,10 @@
return;
}
-
/* drop packets with same dest addr and port as remote */
- uint8_t *l4_hdr = (uint8_t *)pip + sizeof(struct openvpn_iphdr);
+ uint8_t *l4_hdr = (uint8_t *)pip + ip_hlen;
+
+ uint16_t link_port = ntohs(link_addr->addr.in4.sin_port);
/* TCP and UDP ports are at the same place in the header, and other protocols
* can not happen here due to the lsi->proto check above */
@@ -1420,7 +1428,7 @@
uint16_t dst_port = ntohs(*(uint16_t *)(l4_hdr + sizeof(uint16_t)));
if ((memcmp(&link_addr->addr.in4.sin_addr.s_addr, &pip->daddr, sizeof(pip->daddr)) == 0) && (link_port == dst_port))
{
- c->c2.buf.len = 0;
+ buf->len = 0;
struct gc_arena gc = gc_new();
msg(D_LOW, "Recursive routing detected, packet dropped %s:%" PRIu16 " -> %s",
@@ -1433,7 +1441,8 @@
else if (tun_ip_ver == 6)
{
/* make sure we got whole IPv6 header and TCP/UDP src/dst ports */
- if (BLEN(buf) < ((int)sizeof(struct openvpn_ipv6hdr) + ip_hdr_offset + sizeof(uint16_t) * 2))
+ const int min_ipv6 = ip_hdr_offset + sizeof(struct openvpn_ipv6hdr) + sizeof(uint16_t) * 2;
+ if (BLEN(buf) < min_ipv6)
{
return;
}
@@ -1453,13 +1462,15 @@
return;
}
+ uint16_t link_port = ntohs(link_addr->addr.in6.sin6_port);
+
/* drop packets with same dest addr and port as remote */
uint8_t *l4_hdr = (uint8_t *)pip6 + sizeof(struct openvpn_ipv6hdr);
uint16_t src_port = ntohs(*(uint16_t *)l4_hdr);
uint16_t dst_port = ntohs(*(uint16_t *)(l4_hdr + sizeof(uint16_t)));
if ((OPENVPN_IN6_ARE_ADDR_EQUAL(&link_addr->addr.in6.sin6_addr, &pip6->daddr)) && (link_port == dst_port))
{
- c->c2.buf.len = 0;
+ buf->len = 0;
struct gc_arena gc = gc_new();
msg(D_LOW, "Recursive routing detected, packet dropped %s:%" PRIu16 " -> %s",
--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1377?usp=email
To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email
Gerrit-MessageType: newchange
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I8a0a8029da02fc63adc918e8d98e9f676ff4ea0d
Gerrit-Change-Number: 1377
Gerrit-PatchSet: 1
Gerrit-Owner: stipa <lst...@gm...>
Gerrit-Reviewer: plaisthos <arn...@rf...>
Gerrit-CC: openvpn-devel <ope...@li...>
Gerrit-Attention: plaisthos <arn...@rf...>
|
|
From: cron2 (C. Review) <ge...@op...> - 2025-11-14 06:45:33
|
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/1375?usp=email ) Change subject: options: remove --opt-verify functionality ...................................................................... options: remove --opt-verify functionality As previously agreed, the --opt-verify directive is deprecated and can be fully removed as of OpenVPN 2.7.0. GitHub: closes OpenVPN/openvpn#901 Change-Id: Ia60a393a296f23ac1090d0f2016b5682649ed490 Signed-off-by: Antonio Quartulli <an...@ma...> Acked-by: Gert Doering <ge...@gr...> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1375 Message-Id: <202...@gr...> URL: https://www.mail-archive.com/ope...@li.../msg34403.html Signed-off-by: Gert Doering <ge...@gr...> --- M Changes.rst M doc/man-sections/server-options.rst M doc/man-sections/unsupported-options.rst M src/openvpn/options.c M src/openvpn/ssl.c M src/openvpn/ssl_common.h 6 files changed, 10 insertions(+), 28 deletions(-) diff --git a/Changes.rst b/Changes.rst index 8bdb2b0..457d3a7 100644 --- a/Changes.rst +++ b/Changes.rst @@ -236,6 +236,9 @@ ``--reneg-bytes`` and ``--reneg-packets`` do not work in DCO mode, and will now print an appropriate warning. +``--opt-verify`` feature removed + This option was already deprecated and it is now being converted to a + no-op. Using this option will only print a warning. User-visible Changes -------------------- diff --git a/doc/man-sections/server-options.rst b/doc/man-sections/server-options.rst index ade4d41..5243a06 100644 --- a/doc/man-sections/server-options.rst +++ b/doc/man-sections/server-options.rst @@ -413,19 +413,6 @@ Note that this directive affects OpenVPN's internal routing table, not the kernel routing table. ---opt-verify - **DEPRECATED** Clients that connect with options that are incompatible with - those of the server will be disconnected. - - Options that will be compared for compatibility include ``dev-type``, - ``link-mtu``, ``tun-mtu``, ``proto``, ``ifconfig``, - ``comp-lzo``, ``fragment``, ``keydir``, ``cipher``, - ``auth``, ``keysize``, - ``tls-auth``, ``key-method``, ``tls-server`` - and ``tls-client``. - - This option requires that ``--disable-occ`` NOT be used. - --override-username username Sets the username of a connection to the specified username. This username will also be used by ``--auth-gen-token``. However, the overridden diff --git a/doc/man-sections/unsupported-options.rst b/doc/man-sections/unsupported-options.rst index 11467ca..e8e76eb 100644 --- a/doc/man-sections/unsupported-options.rst +++ b/doc/man-sections/unsupported-options.rst @@ -44,4 +44,8 @@ Removed in OpenVPN 2.6. We now always use the PRNG of the SSL library. --persist-key - Ignored since OpenVPN 2.7. Keys are now always persisted across restarts. \ No newline at end of file + Ignored since OpenVPN 2.7. Keys are now always persisted across restarts. + +--opt-verify + Removed in OpenVPN 2.7. This option does not make sense anymore as option + strings may not match due to the introduction of parameters negotiation. diff --git a/src/openvpn/options.c b/src/openvpn/options.c index ecf9374..683543a 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -472,8 +472,6 @@ " OTP based two-factor auth mechanisms are in use and\n" " --reneg-* options are enabled. Optionally a lifetime in seconds\n" " for generated tokens can be set.\n" - "--opt-verify : (DEPRECATED) Clients that connect with options that are incompatible\n" - " with those of the server will be disconnected.\n" "--auth-user-pass-optional : Allow connections by clients that don't\n" " specify a username/password.\n" "--no-name-remapping : (DEPRECATED) Allow Common Name and X509 Subject to include\n" @@ -2666,7 +2664,6 @@ "verify-client-cert"); MUST_BE_FALSE(options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME, "username-as-common-name"); MUST_BE_FALSE(options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL, "auth-user-pass-optional"); - MUST_BE_FALSE(options->ssl_flags & SSLF_OPT_VERIFY, "opt-verify"); if (options->server_flags & SF_TCP_NODELAY_HELPER) { msg(M_WARN, "WARNING: setting tcp-nodelay on the client side will not " @@ -7450,9 +7447,7 @@ else if (streq(p[0], "opt-verify") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); - msg(M_INFO, "DEPRECATION: opt-verify is deprecated and will be removed " - "in OpenVPN 2.7"); - options->ssl_flags |= SSLF_OPT_VERIFY; + msg(M_INFO, "DEPRECATED OPTION: --opt-verify was removed in OpenVPN 2.7."); } else if (streq(p[0], "auth-user-pass-verify") && p[1]) { diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index d7f55dd..896fd65 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -2334,13 +2334,6 @@ #endif options_warning(options, remote_options); - - if (session->opt->ssl_flags & SSLF_OPT_VERIFY) - { - msg(D_TLS_ERRORS, - "Option inconsistency warnings triggering disconnect due to --opt-verify"); - ks->authenticated = KS_AUTH_FALSE; - } } buf_clear(buf); diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h index de89d30..23da8cf 100644 --- a/src/openvpn/ssl_common.h +++ b/src/openvpn/ssl_common.h @@ -425,7 +425,7 @@ #define SSLF_CLIENT_CERT_OPTIONAL (1u << 1) #define SSLF_USERNAME_AS_COMMON_NAME (1u << 2) #define SSLF_AUTH_USER_PASS_OPTIONAL (1u << 3) -#define SSLF_OPT_VERIFY (1u << 4) +/* (1u << 4) free for usage */ #define SSLF_CRL_VERIFY_DIR (1u << 5) #define SSLF_TLS_VERSION_MIN_SHIFT 6 #define SSLF_TLS_VERSION_MIN_MASK 0xFu /* (uses bit positions 6 to 9) */ -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1375?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email Gerrit-MessageType: merged Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Ia60a393a296f23ac1090d0f2016b5682649ed490 Gerrit-Change-Number: 1375 Gerrit-PatchSet: 3 Gerrit-Owner: ordex <an...@ma...> Gerrit-Reviewer: cron2 <ge...@gr...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> |
|
From: cron2 (C. Review) <ge...@op...> - 2025-11-14 06:45:30
|
cron2 has uploaded a new patch set (#3) to the change originally created by ordex. ( http://gerrit.openvpn.net/c/openvpn/+/1375?usp=email ) The following approvals got outdated and were removed: Code-Review+2 by cron2 Change subject: options: remove --opt-verify functionality ...................................................................... options: remove --opt-verify functionality As previously agreed, the --opt-verify directive is deprecated and can be fully removed as of OpenVPN 2.7.0. GitHub: closes OpenVPN/openvpn#901 Change-Id: Ia60a393a296f23ac1090d0f2016b5682649ed490 Signed-off-by: Antonio Quartulli <an...@ma...> Acked-by: Gert Doering <ge...@gr...> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1375 Message-Id: <202...@gr...> URL: https://www.mail-archive.com/ope...@li.../msg34403.html Signed-off-by: Gert Doering <ge...@gr...> --- M Changes.rst M doc/man-sections/server-options.rst M doc/man-sections/unsupported-options.rst M src/openvpn/options.c M src/openvpn/ssl.c M src/openvpn/ssl_common.h 6 files changed, 10 insertions(+), 28 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/75/1375/3 diff --git a/Changes.rst b/Changes.rst index 8bdb2b0..457d3a7 100644 --- a/Changes.rst +++ b/Changes.rst @@ -236,6 +236,9 @@ ``--reneg-bytes`` and ``--reneg-packets`` do not work in DCO mode, and will now print an appropriate warning. +``--opt-verify`` feature removed + This option was already deprecated and it is now being converted to a + no-op. Using this option will only print a warning. User-visible Changes -------------------- diff --git a/doc/man-sections/server-options.rst b/doc/man-sections/server-options.rst index ade4d41..5243a06 100644 --- a/doc/man-sections/server-options.rst +++ b/doc/man-sections/server-options.rst @@ -413,19 +413,6 @@ Note that this directive affects OpenVPN's internal routing table, not the kernel routing table. ---opt-verify - **DEPRECATED** Clients that connect with options that are incompatible with - those of the server will be disconnected. - - Options that will be compared for compatibility include ``dev-type``, - ``link-mtu``, ``tun-mtu``, ``proto``, ``ifconfig``, - ``comp-lzo``, ``fragment``, ``keydir``, ``cipher``, - ``auth``, ``keysize``, - ``tls-auth``, ``key-method``, ``tls-server`` - and ``tls-client``. - - This option requires that ``--disable-occ`` NOT be used. - --override-username username Sets the username of a connection to the specified username. This username will also be used by ``--auth-gen-token``. However, the overridden diff --git a/doc/man-sections/unsupported-options.rst b/doc/man-sections/unsupported-options.rst index 11467ca..e8e76eb 100644 --- a/doc/man-sections/unsupported-options.rst +++ b/doc/man-sections/unsupported-options.rst @@ -44,4 +44,8 @@ Removed in OpenVPN 2.6. We now always use the PRNG of the SSL library. --persist-key - Ignored since OpenVPN 2.7. Keys are now always persisted across restarts. \ No newline at end of file + Ignored since OpenVPN 2.7. Keys are now always persisted across restarts. + +--opt-verify + Removed in OpenVPN 2.7. This option does not make sense anymore as option + strings may not match due to the introduction of parameters negotiation. diff --git a/src/openvpn/options.c b/src/openvpn/options.c index ecf9374..683543a 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -472,8 +472,6 @@ " OTP based two-factor auth mechanisms are in use and\n" " --reneg-* options are enabled. Optionally a lifetime in seconds\n" " for generated tokens can be set.\n" - "--opt-verify : (DEPRECATED) Clients that connect with options that are incompatible\n" - " with those of the server will be disconnected.\n" "--auth-user-pass-optional : Allow connections by clients that don't\n" " specify a username/password.\n" "--no-name-remapping : (DEPRECATED) Allow Common Name and X509 Subject to include\n" @@ -2666,7 +2664,6 @@ "verify-client-cert"); MUST_BE_FALSE(options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME, "username-as-common-name"); MUST_BE_FALSE(options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL, "auth-user-pass-optional"); - MUST_BE_FALSE(options->ssl_flags & SSLF_OPT_VERIFY, "opt-verify"); if (options->server_flags & SF_TCP_NODELAY_HELPER) { msg(M_WARN, "WARNING: setting tcp-nodelay on the client side will not " @@ -7450,9 +7447,7 @@ else if (streq(p[0], "opt-verify") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); - msg(M_INFO, "DEPRECATION: opt-verify is deprecated and will be removed " - "in OpenVPN 2.7"); - options->ssl_flags |= SSLF_OPT_VERIFY; + msg(M_INFO, "DEPRECATED OPTION: --opt-verify was removed in OpenVPN 2.7."); } else if (streq(p[0], "auth-user-pass-verify") && p[1]) { diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index d7f55dd..896fd65 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -2334,13 +2334,6 @@ #endif options_warning(options, remote_options); - - if (session->opt->ssl_flags & SSLF_OPT_VERIFY) - { - msg(D_TLS_ERRORS, - "Option inconsistency warnings triggering disconnect due to --opt-verify"); - ks->authenticated = KS_AUTH_FALSE; - } } buf_clear(buf); diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h index de89d30..23da8cf 100644 --- a/src/openvpn/ssl_common.h +++ b/src/openvpn/ssl_common.h @@ -425,7 +425,7 @@ #define SSLF_CLIENT_CERT_OPTIONAL (1u << 1) #define SSLF_USERNAME_AS_COMMON_NAME (1u << 2) #define SSLF_AUTH_USER_PASS_OPTIONAL (1u << 3) -#define SSLF_OPT_VERIFY (1u << 4) +/* (1u << 4) free for usage */ #define SSLF_CRL_VERIFY_DIR (1u << 5) #define SSLF_TLS_VERSION_MIN_SHIFT 6 #define SSLF_TLS_VERSION_MIN_MASK 0xFu /* (uses bit positions 6 to 9) */ -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1375?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email Gerrit-MessageType: newpatchset Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Ia60a393a296f23ac1090d0f2016b5682649ed490 Gerrit-Change-Number: 1375 Gerrit-PatchSet: 3 Gerrit-Owner: ordex <an...@ma...> Gerrit-Reviewer: cron2 <ge...@gr...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> |
|
From: Gert D. <ge...@gr...> - 2025-11-14 06:45:12
|
Out it goes! As it says on the lid, this had a depreciation warning and
"will be removed in 2.7.0" - and there we are.
Stared-at-code and test compiled on FreeBSD (+BB all green).
Your patch has been applied to the master branch.
commit c716b3b8bf5945e326c5ac7a8b04de9c0c6a4c8f
Author: Antonio Quartulli
Date: Thu Nov 13 22:21:38 2025 +0100
options: remove --opt-verify functionality
Signed-off-by: Antonio Quartulli <an...@ma...>
Acked-by: Gert Doering <ge...@gr...>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1375
Message-Id: <202...@gr...>
URL: https://www.mail-archive.com/ope...@li.../msg34403.html
Signed-off-by: Gert Doering <ge...@gr...>
--
kind regards,
Gert Doering
|
|
From: Gert D. <ge...@gr...> - 2025-11-13 21:21:52
|
From: Antonio Quartulli <an...@ma...> As previously agreed, the --opt-verify directive is deprecated and can be fully removed as of OpenVPN 2.7.0. GitHub: closes OpenVPN/openvpn#901 Change-Id: Ia60a393a296f23ac1090d0f2016b5682649ed490 Signed-off-by: Antonio Quartulli <an...@ma...> Acked-by: Gert Doering <ge...@gr...> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1375 --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1375 This mail reflects revision 2 of this Change. Acked-by according to Gerrit (reflected above): Gert Doering <ge...@gr...> diff --git a/Changes.rst b/Changes.rst index 8bdb2b0..457d3a7 100644 --- a/Changes.rst +++ b/Changes.rst @@ -236,6 +236,9 @@ ``--reneg-bytes`` and ``--reneg-packets`` do not work in DCO mode, and will now print an appropriate warning. +``--opt-verify`` feature removed + This option was already deprecated and it is now being converted to a + no-op. Using this option will only print a warning. User-visible Changes -------------------- diff --git a/doc/man-sections/server-options.rst b/doc/man-sections/server-options.rst index ade4d41..5243a06 100644 --- a/doc/man-sections/server-options.rst +++ b/doc/man-sections/server-options.rst @@ -413,19 +413,6 @@ Note that this directive affects OpenVPN's internal routing table, not the kernel routing table. ---opt-verify - **DEPRECATED** Clients that connect with options that are incompatible with - those of the server will be disconnected. - - Options that will be compared for compatibility include ``dev-type``, - ``link-mtu``, ``tun-mtu``, ``proto``, ``ifconfig``, - ``comp-lzo``, ``fragment``, ``keydir``, ``cipher``, - ``auth``, ``keysize``, - ``tls-auth``, ``key-method``, ``tls-server`` - and ``tls-client``. - - This option requires that ``--disable-occ`` NOT be used. - --override-username username Sets the username of a connection to the specified username. This username will also be used by ``--auth-gen-token``. However, the overridden diff --git a/doc/man-sections/unsupported-options.rst b/doc/man-sections/unsupported-options.rst index 11467ca..e8e76eb 100644 --- a/doc/man-sections/unsupported-options.rst +++ b/doc/man-sections/unsupported-options.rst @@ -44,4 +44,8 @@ Removed in OpenVPN 2.6. We now always use the PRNG of the SSL library. --persist-key - Ignored since OpenVPN 2.7. Keys are now always persisted across restarts. \ No newline at end of file + Ignored since OpenVPN 2.7. Keys are now always persisted across restarts. + +--opt-verify + Removed in OpenVPN 2.7. This option does not make sense anymore as option + strings may not match due to the introduction of parameters negotiation. diff --git a/src/openvpn/options.c b/src/openvpn/options.c index ecf9374..683543a 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -472,8 +472,6 @@ " OTP based two-factor auth mechanisms are in use and\n" " --reneg-* options are enabled. Optionally a lifetime in seconds\n" " for generated tokens can be set.\n" - "--opt-verify : (DEPRECATED) Clients that connect with options that are incompatible\n" - " with those of the server will be disconnected.\n" "--auth-user-pass-optional : Allow connections by clients that don't\n" " specify a username/password.\n" "--no-name-remapping : (DEPRECATED) Allow Common Name and X509 Subject to include\n" @@ -2666,7 +2664,6 @@ "verify-client-cert"); MUST_BE_FALSE(options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME, "username-as-common-name"); MUST_BE_FALSE(options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL, "auth-user-pass-optional"); - MUST_BE_FALSE(options->ssl_flags & SSLF_OPT_VERIFY, "opt-verify"); if (options->server_flags & SF_TCP_NODELAY_HELPER) { msg(M_WARN, "WARNING: setting tcp-nodelay on the client side will not " @@ -7450,9 +7447,7 @@ else if (streq(p[0], "opt-verify") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); - msg(M_INFO, "DEPRECATION: opt-verify is deprecated and will be removed " - "in OpenVPN 2.7"); - options->ssl_flags |= SSLF_OPT_VERIFY; + msg(M_INFO, "DEPRECATED OPTION: --opt-verify was removed in OpenVPN 2.7."); } else if (streq(p[0], "auth-user-pass-verify") && p[1]) { diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index d7f55dd..896fd65 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -2334,13 +2334,6 @@ #endif options_warning(options, remote_options); - - if (session->opt->ssl_flags & SSLF_OPT_VERIFY) - { - msg(D_TLS_ERRORS, - "Option inconsistency warnings triggering disconnect due to --opt-verify"); - ks->authenticated = KS_AUTH_FALSE; - } } buf_clear(buf); diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h index de89d30..23da8cf 100644 --- a/src/openvpn/ssl_common.h +++ b/src/openvpn/ssl_common.h @@ -425,7 +425,7 @@ #define SSLF_CLIENT_CERT_OPTIONAL (1u << 1) #define SSLF_USERNAME_AS_COMMON_NAME (1u << 2) #define SSLF_AUTH_USER_PASS_OPTIONAL (1u << 3) -#define SSLF_OPT_VERIFY (1u << 4) +/* (1u << 4) free for usage */ #define SSLF_CRL_VERIFY_DIR (1u << 5) #define SSLF_TLS_VERSION_MIN_SHIFT 6 #define SSLF_TLS_VERSION_MIN_MASK 0xFu /* (uses bit positions 6 to 9) */ |
|
From: cron2 (C. Review) <ge...@op...> - 2025-11-13 21:21:44
|
Attention is currently required from: ordex, plaisthos. cron2 has posted comments on this change by ordex. ( http://gerrit.openvpn.net/c/openvpn/+/1375?usp=email ) Change subject: options: remove --opt-verify functionality ...................................................................... Patch Set 2: Code-Review+2 -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1375?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email Gerrit-MessageType: comment Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Ia60a393a296f23ac1090d0f2016b5682649ed490 Gerrit-Change-Number: 1375 Gerrit-PatchSet: 2 Gerrit-Owner: ordex <an...@ma...> Gerrit-Reviewer: cron2 <ge...@gr...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Attention: ordex <an...@ma...> Gerrit-Comment-Date: Thu, 13 Nov 2025 21:21:29 +0000 Gerrit-HasComments: No Gerrit-Has-Labels: Yes |
|
From: ordex (C. Review) <ge...@op...> - 2025-11-13 14:04:37
|
Attention is currently required from: cron2, ordex, plaisthos.
Hello cron2, plaisthos,
I'd like you to reexamine a change. Please visit
http://gerrit.openvpn.net/c/openvpn/+/1375?usp=email
to look at the new patch set (#2).
The following approvals got outdated and were removed:
Code-Review-1 by cron2
Change subject: options: remove --opt-verify functionality
......................................................................
options: remove --opt-verify functionality
As previously agreed, the --opt-verify directive is deprecated
and can be fully removed as of OpenVPN 2.7.0.
GitHub: closes OpenVPN/openvpn#901
Change-Id: Ia60a393a296f23ac1090d0f2016b5682649ed490
Signed-off-by: Antonio Quartulli <an...@ma...>
---
M Changes.rst
M doc/man-sections/server-options.rst
M doc/man-sections/unsupported-options.rst
M src/openvpn/options.c
M src/openvpn/ssl.c
M src/openvpn/ssl_common.h
6 files changed, 10 insertions(+), 28 deletions(-)
git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/75/1375/2
diff --git a/Changes.rst b/Changes.rst
index 8bdb2b0..457d3a7 100644
--- a/Changes.rst
+++ b/Changes.rst
@@ -236,6 +236,9 @@
``--reneg-bytes`` and ``--reneg-packets`` do not work in DCO mode, and will
now print an appropriate warning.
+``--opt-verify`` feature removed
+ This option was already deprecated and it is now being converted to a
+ no-op. Using this option will only print a warning.
User-visible Changes
--------------------
diff --git a/doc/man-sections/server-options.rst b/doc/man-sections/server-options.rst
index ade4d41..5243a06 100644
--- a/doc/man-sections/server-options.rst
+++ b/doc/man-sections/server-options.rst
@@ -413,19 +413,6 @@
Note that this directive affects OpenVPN's internal routing table, not
the kernel routing table.
---opt-verify
- **DEPRECATED** Clients that connect with options that are incompatible with
- those of the server will be disconnected.
-
- Options that will be compared for compatibility include ``dev-type``,
- ``link-mtu``, ``tun-mtu``, ``proto``, ``ifconfig``,
- ``comp-lzo``, ``fragment``, ``keydir``, ``cipher``,
- ``auth``, ``keysize``,
- ``tls-auth``, ``key-method``, ``tls-server``
- and ``tls-client``.
-
- This option requires that ``--disable-occ`` NOT be used.
-
--override-username username
Sets the username of a connection to the specified username. This username
will also be used by ``--auth-gen-token``. However, the overridden
diff --git a/doc/man-sections/unsupported-options.rst b/doc/man-sections/unsupported-options.rst
index 11467ca..e8e76eb 100644
--- a/doc/man-sections/unsupported-options.rst
+++ b/doc/man-sections/unsupported-options.rst
@@ -44,4 +44,8 @@
Removed in OpenVPN 2.6. We now always use the PRNG of the SSL library.
--persist-key
- Ignored since OpenVPN 2.7. Keys are now always persisted across restarts.
\ No newline at end of file
+ Ignored since OpenVPN 2.7. Keys are now always persisted across restarts.
+
+--opt-verify
+ Removed in OpenVPN 2.7. This option does not make sense anymore as option
+ strings may not match due to the introduction of parameters negotiation.
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index ecf9374..683543a 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -472,8 +472,6 @@
" OTP based two-factor auth mechanisms are in use and\n"
" --reneg-* options are enabled. Optionally a lifetime in seconds\n"
" for generated tokens can be set.\n"
- "--opt-verify : (DEPRECATED) Clients that connect with options that are incompatible\n"
- " with those of the server will be disconnected.\n"
"--auth-user-pass-optional : Allow connections by clients that don't\n"
" specify a username/password.\n"
"--no-name-remapping : (DEPRECATED) Allow Common Name and X509 Subject to include\n"
@@ -2666,7 +2664,6 @@
"verify-client-cert");
MUST_BE_FALSE(options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME, "username-as-common-name");
MUST_BE_FALSE(options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL, "auth-user-pass-optional");
- MUST_BE_FALSE(options->ssl_flags & SSLF_OPT_VERIFY, "opt-verify");
if (options->server_flags & SF_TCP_NODELAY_HELPER)
{
msg(M_WARN, "WARNING: setting tcp-nodelay on the client side will not "
@@ -7450,9 +7447,7 @@
else if (streq(p[0], "opt-verify") && !p[1])
{
VERIFY_PERMISSION(OPT_P_GENERAL);
- msg(M_INFO, "DEPRECATION: opt-verify is deprecated and will be removed "
- "in OpenVPN 2.7");
- options->ssl_flags |= SSLF_OPT_VERIFY;
+ msg(M_INFO, "DEPRECATED OPTION: --opt-verify was removed in OpenVPN 2.7.");
}
else if (streq(p[0], "auth-user-pass-verify") && p[1])
{
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index d7f55dd..896fd65 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -2334,13 +2334,6 @@
#endif
options_warning(options, remote_options);
-
- if (session->opt->ssl_flags & SSLF_OPT_VERIFY)
- {
- msg(D_TLS_ERRORS,
- "Option inconsistency warnings triggering disconnect due to --opt-verify");
- ks->authenticated = KS_AUTH_FALSE;
- }
}
buf_clear(buf);
diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h
index de89d30..23da8cf 100644
--- a/src/openvpn/ssl_common.h
+++ b/src/openvpn/ssl_common.h
@@ -425,7 +425,7 @@
#define SSLF_CLIENT_CERT_OPTIONAL (1u << 1)
#define SSLF_USERNAME_AS_COMMON_NAME (1u << 2)
#define SSLF_AUTH_USER_PASS_OPTIONAL (1u << 3)
-#define SSLF_OPT_VERIFY (1u << 4)
+/* (1u << 4) free for usage */
#define SSLF_CRL_VERIFY_DIR (1u << 5)
#define SSLF_TLS_VERSION_MIN_SHIFT 6
#define SSLF_TLS_VERSION_MIN_MASK 0xFu /* (uses bit positions 6 to 9) */
--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1375?usp=email
To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email
Gerrit-MessageType: newpatchset
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Ia60a393a296f23ac1090d0f2016b5682649ed490
Gerrit-Change-Number: 1375
Gerrit-PatchSet: 2
Gerrit-Owner: ordex <an...@ma...>
Gerrit-Reviewer: cron2 <ge...@gr...>
Gerrit-Reviewer: plaisthos <arn...@rf...>
Gerrit-CC: openvpn-devel <ope...@li...>
Gerrit-Attention: plaisthos <arn...@rf...>
Gerrit-Attention: cron2 <ge...@gr...>
Gerrit-Attention: ordex <an...@ma...>
|
|
From: Ralf L. <ra...@ma...> - 2025-11-13 12:40:56
|
Currently ovpn uses three separate dynamically allocated structures to
set up cryptographic operations for both encryption and decryption. This
adds overhead to performance-critical paths and contribute to memory
fragmentation.
This commit consolidates those allocations into a single temporary blob,
similar to what esp_alloc_tmp() does.
The resulting performance gain is +7.7% and +4.3% for UDP when using AES
and ChaChaPoly respectively, and +4.3% for TCP.
Signed-off-by: Ralf Lici <ra...@ma...>
Signed-off-by: Antonio Quartulli <an...@op...>
---
Changes since v1:
- Fixed typo in commit message
- Adjusted ovpn_aead_crypto_tmp_size comment to follow kdoc style
- Stored allocated blob in the skb control block immediately after
allocation to prevent leakage on failure
drivers/net/ovpn/crypto_aead.c | 155 +++++++++++++++++++++++++--------
drivers/net/ovpn/io.c | 8 +-
drivers/net/ovpn/skb.h | 13 ++-
3 files changed, 131 insertions(+), 45 deletions(-)
diff --git a/drivers/net/ovpn/crypto_aead.c b/drivers/net/ovpn/crypto_aead.c
index cb6cdf8ec317..6b55d2e715bc 100644
--- a/drivers/net/ovpn/crypto_aead.c
+++ b/drivers/net/ovpn/crypto_aead.c
@@ -36,6 +36,105 @@ static int ovpn_aead_encap_overhead(const struct ovpn_crypto_key_slot *ks)
crypto_aead_authsize(ks->encrypt); /* Auth Tag */
}
+/**
+ * ovpn_aead_crypto_tmp_size - compute the size of a temporary object containing
+ * an AEAD request structure with extra space for SG
+ * and IV.
+ * @tfm: the AEAD cipher handle
+ * @nfrags: the number of fragments in the skb
+ *
+ * This function calculates the size of a contiguous memory block that includes
+ * the initialization vector (IV), the AEAD request, and an array of scatterlist
+ * entries. For alignment considerations, the IV is placed first, followed by
+ * the request, and then the scatterlist.
+ * Additional alignment is applied according to the requirements of the
+ * underlying structures.
+ *
+ * Return: the size of the temporary memory that needs to be allocated
+ */
+static unsigned int ovpn_aead_crypto_tmp_size(struct crypto_aead *tfm,
+ const unsigned int nfrags)
+{
+ unsigned int len = crypto_aead_ivsize(tfm);
+
+ if (likely(len)) {
+ /* min size for a buffer of ivsize, aligned to alignmask */
+ len += crypto_aead_alignmask(tfm) &
+ ~(crypto_tfm_ctx_alignment() - 1);
+ /* round up to the next multiple of the crypto ctx alignment */
+ len = ALIGN(len, crypto_tfm_ctx_alignment());
+ }
+
+ /* reserve space for the AEAD request */
+ len += sizeof(struct aead_request) + crypto_aead_reqsize(tfm);
+ /* round up to the next multiple of the scatterlist alignment */
+ len = ALIGN(len, __alignof__(struct scatterlist));
+
+ /* add enough space for nfrags + 2 scatterlist entries */
+ len += sizeof(struct scatterlist) * (nfrags + 2);
+ return len;
+}
+
+/**
+ * ovpn_aead_crypto_tmp_iv - retrieve the pointer to the IV within a temporary
+ * buffer allocated using ovpn_aead_crypto_tmp_size
+ * @aead: the AEAD cipher handle
+ * @tmp: a pointer to the beginning of the temporary buffer
+ *
+ * This function retrieves a pointer to the initialization vector (IV) in the
+ * temporary buffer. If the AEAD cipher specifies an IV size, the pointer is
+ * adjusted using the AEAD's alignment mask to ensure proper alignment.
+ *
+ * Returns: a pointer to the IV within the temporary buffer
+ */
+static u8 *ovpn_aead_crypto_tmp_iv(struct crypto_aead *aead, void *tmp)
+{
+ return likely(crypto_aead_ivsize(aead)) ?
+ PTR_ALIGN((u8 *)tmp, crypto_aead_alignmask(aead) + 1) :
+ tmp;
+}
+
+/**
+ * ovpn_aead_crypto_tmp_req - retrieve the pointer to the AEAD request structure
+ * within a temporary buffer allocated using
+ * ovpn_aead_crypto_tmp_size
+ * @aead: the AEAD cipher handle
+ * @iv: a pointer to the initialization vector in the temporary buffer
+ *
+ * This function computes the location of the AEAD request structure that
+ * immediately follows the IV in the temporary buffer and it ensures the request
+ * is aligned to the crypto transform context alignment.
+ *
+ * Returns: a pointer to the AEAD request structure
+ */
+static struct aead_request *ovpn_aead_crypto_tmp_req(struct crypto_aead *aead,
+ const u8 *iv)
+{
+ return (void *)PTR_ALIGN(iv + crypto_aead_ivsize(aead),
+ crypto_tfm_ctx_alignment());
+}
+
+/**
+ * ovpn_aead_crypto_req_sg - locate the scatterlist following the AEAD request
+ * within a temporary buffer allocated using
+ * ovpn_aead_crypto_tmp_size
+ * @aead: the AEAD cipher handle
+ * @req: a pointer to the AEAD request structure in the temporary buffer
+ *
+ * This function computes the starting address of the scatterlist that is
+ * allocated immediately after the AEAD request structure. It aligns the pointer
+ * based on the alignment requirements of the scatterlist structure.
+ *
+ * Returns: a pointer to the scatterlist
+ */
+static struct scatterlist *ovpn_aead_crypto_req_sg(struct crypto_aead *aead,
+ struct aead_request *req)
+{
+ return (void *)ALIGN((unsigned long)(req + 1) +
+ crypto_aead_reqsize(aead),
+ __alignof__(struct scatterlist));
+}
+
int ovpn_aead_encrypt(struct ovpn_peer *peer, struct ovpn_crypto_key_slot *ks,
struct sk_buff *skb)
{
@@ -45,6 +144,7 @@ int ovpn_aead_encrypt(struct ovpn_peer *peer, struct ovpn_crypto_key_slot *ks,
struct scatterlist *sg;
int nfrags, ret;
u32 pktid, op;
+ void *tmp;
u8 *iv;
ovpn_skb_cb(skb)->peer = peer;
@@ -71,13 +171,17 @@ int ovpn_aead_encrypt(struct ovpn_peer *peer, struct ovpn_crypto_key_slot *ks,
if (unlikely(nfrags + 2 > (MAX_SKB_FRAGS + 2)))
return -ENOSPC;
- /* sg may be required by async crypto */
- ovpn_skb_cb(skb)->sg = kmalloc(sizeof(*ovpn_skb_cb(skb)->sg) *
- (nfrags + 2), GFP_ATOMIC);
- if (unlikely(!ovpn_skb_cb(skb)->sg))
+ /* allocate temporary memory for iv, sg and req */
+ tmp = kmalloc(ovpn_aead_crypto_tmp_size(ks->encrypt, nfrags),
+ GFP_ATOMIC);
+ if (unlikely(!tmp))
return -ENOMEM;
- sg = ovpn_skb_cb(skb)->sg;
+ ovpn_skb_cb(skb)->crypto_tmp = tmp;
+
+ iv = ovpn_aead_crypto_tmp_iv(ks->encrypt, tmp);
+ req = ovpn_aead_crypto_tmp_req(ks->encrypt, iv);
+ sg = ovpn_aead_crypto_req_sg(ks->encrypt, req);
/* sg table:
* 0: op, wire nonce (AD, len=OVPN_OP_SIZE_V2+OVPN_NONCE_WIRE_SIZE),
@@ -105,13 +209,6 @@ int ovpn_aead_encrypt(struct ovpn_peer *peer, struct ovpn_crypto_key_slot *ks,
if (unlikely(ret < 0))
return ret;
- /* iv may be required by async crypto */
- ovpn_skb_cb(skb)->iv = kmalloc(OVPN_NONCE_SIZE, GFP_ATOMIC);
- if (unlikely(!ovpn_skb_cb(skb)->iv))
- return -ENOMEM;
-
- iv = ovpn_skb_cb(skb)->iv;
-
/* concat 4 bytes packet id and 8 bytes nonce tail into 12 bytes
* nonce
*/
@@ -130,12 +227,6 @@ int ovpn_aead_encrypt(struct ovpn_peer *peer, struct ovpn_crypto_key_slot *ks,
/* AEAD Additional data */
sg_set_buf(sg, skb->data, OVPN_AAD_SIZE);
- req = aead_request_alloc(ks->encrypt, GFP_ATOMIC);
- if (unlikely(!req))
- return -ENOMEM;
-
- ovpn_skb_cb(skb)->req = req;
-
/* setup async crypto operation */
aead_request_set_tfm(req, ks->encrypt);
aead_request_set_callback(req, 0, ovpn_encrypt_post, skb);
@@ -156,6 +247,7 @@ int ovpn_aead_decrypt(struct ovpn_peer *peer, struct ovpn_crypto_key_slot *ks,
struct aead_request *req;
struct sk_buff *trailer;
struct scatterlist *sg;
+ void *tmp;
u8 *iv;
payload_offset = OVPN_AAD_SIZE + tag_size;
@@ -184,13 +276,17 @@ int ovpn_aead_decrypt(struct ovpn_peer *peer, struct ovpn_crypto_key_slot *ks,
if (unlikely(nfrags + 2 > (MAX_SKB_FRAGS + 2)))
return -ENOSPC;
- /* sg may be required by async crypto */
- ovpn_skb_cb(skb)->sg = kmalloc(sizeof(*ovpn_skb_cb(skb)->sg) *
- (nfrags + 2), GFP_ATOMIC);
- if (unlikely(!ovpn_skb_cb(skb)->sg))
+ /* allocate temporary memory for iv, sg and req */
+ tmp = kmalloc(ovpn_aead_crypto_tmp_size(ks->decrypt, nfrags),
+ GFP_ATOMIC);
+ if (unlikely(!tmp))
return -ENOMEM;
- sg = ovpn_skb_cb(skb)->sg;
+ ovpn_skb_cb(skb)->crypto_tmp = tmp;
+
+ iv = ovpn_aead_crypto_tmp_iv(ks->decrypt, tmp);
+ req = ovpn_aead_crypto_tmp_req(ks->decrypt, iv);
+ sg = ovpn_aead_crypto_req_sg(ks->decrypt, req);
/* sg table:
* 0: op, wire nonce (AD, len=OVPN_OPCODE_SIZE+OVPN_NONCE_WIRE_SIZE),
@@ -213,24 +309,11 @@ int ovpn_aead_decrypt(struct ovpn_peer *peer, struct ovpn_crypto_key_slot *ks,
/* append auth_tag onto scatterlist */
sg_set_buf(sg + ret + 1, skb->data + OVPN_AAD_SIZE, tag_size);
- /* iv may be required by async crypto */
- ovpn_skb_cb(skb)->iv = kmalloc(OVPN_NONCE_SIZE, GFP_ATOMIC);
- if (unlikely(!ovpn_skb_cb(skb)->iv))
- return -ENOMEM;
-
- iv = ovpn_skb_cb(skb)->iv;
-
/* copy nonce into IV buffer */
memcpy(iv, skb->data + OVPN_OPCODE_SIZE, OVPN_NONCE_WIRE_SIZE);
memcpy(iv + OVPN_NONCE_WIRE_SIZE, ks->nonce_tail_recv,
OVPN_NONCE_TAIL_SIZE);
- req = aead_request_alloc(ks->decrypt, GFP_ATOMIC);
- if (unlikely(!req))
- return -ENOMEM;
-
- ovpn_skb_cb(skb)->req = req;
-
/* setup async crypto operation */
aead_request_set_tfm(req, ks->decrypt);
aead_request_set_callback(req, 0, ovpn_decrypt_post, skb);
diff --git a/drivers/net/ovpn/io.c b/drivers/net/ovpn/io.c
index 3e9e7f8444b3..2721ee8268b2 100644
--- a/drivers/net/ovpn/io.c
+++ b/drivers/net/ovpn/io.c
@@ -119,9 +119,7 @@ void ovpn_decrypt_post(void *data, int ret)
peer = ovpn_skb_cb(skb)->peer;
/* crypto is done, cleanup skb CB and its members */
- kfree(ovpn_skb_cb(skb)->iv);
- kfree(ovpn_skb_cb(skb)->sg);
- aead_request_free(ovpn_skb_cb(skb)->req);
+ kfree(ovpn_skb_cb(skb)->crypto_tmp);
if (unlikely(ret < 0))
goto drop;
@@ -248,9 +246,7 @@ void ovpn_encrypt_post(void *data, int ret)
peer = ovpn_skb_cb(skb)->peer;
/* crypto is done, cleanup skb CB and its members */
- kfree(ovpn_skb_cb(skb)->iv);
- kfree(ovpn_skb_cb(skb)->sg);
- aead_request_free(ovpn_skb_cb(skb)->req);
+ kfree(ovpn_skb_cb(skb)->crypto_tmp);
if (unlikely(ret == -ERANGE)) {
/* we ran out of IVs and we must kill the key as it can't be
diff --git a/drivers/net/ovpn/skb.h b/drivers/net/ovpn/skb.h
index 64430880f1da..4fb7ea025426 100644
--- a/drivers/net/ovpn/skb.h
+++ b/drivers/net/ovpn/skb.h
@@ -18,12 +18,19 @@
#include <linux/socket.h>
#include <linux/types.h>
+/**
+ * struct ovpn_cb - ovpn skb control block
+ * @peer: the peer this skb was received from/sent to
+ * @ks: the crypto key slot used to encrypt/decrypt this skb
+ * @crypto_tmp: pointer to temporary memory used for crypto operations
+ * containing the IV, the scatter gather list and the aead request
+ * @payload_offset: offset in the skb where the payload starts
+ * @nosignal: whether this skb should be sent with the MSG_NOSIGNAL flag (TCP)
+ */
struct ovpn_cb {
struct ovpn_peer *peer;
struct ovpn_crypto_key_slot *ks;
- struct aead_request *req;
- struct scatterlist *sg;
- u8 *iv;
+ void *crypto_tmp;
unsigned int payload_offset;
bool nosignal;
};
--
2.51.1
|
|
From: Gert D. <ge...@gr...> - 2025-11-12 21:51:15
|
From: Heiko Hund <he...@is...> When adding block rules, the interface metric of the VPN adapter is temporarily modified so that an old version of Windows 10 would pick it up first when looking up stuff via DNS. These metrics are reverted to the old value when the block is removed. When reverting them, instead of using the stored interface index where the original values were read from, we were using the interface index passed to the service with the wfp block message. That index could theoretically be different from the one stored, which would result in the metric being set to the wrong interface. Reported-by: st...@sr... Change-Id: Ia74a931c703d594bdf8ccada9b783b94608de278 Signed-off-by: Heiko Hund <he...@is...> Acked-by: Lev Stipakov <lst...@gm...> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1363 --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1363 This mail reflects revision 2 of this Change. Acked-by according to Gerrit (reflected above): Lev Stipakov <lst...@gm...> diff --git a/src/openvpnserv/interactive.c b/src/openvpnserv/interactive.c index 0712986..33282c63 100644 --- a/src/openvpnserv/interactive.c +++ b/src/openvpnserv/interactive.c @@ -752,7 +752,7 @@ } static DWORD -DeleteWfpBlock(const wfp_block_message_t *msg, undo_lists_t *lists) +DeleteWfpBlock(undo_lists_t *lists) { DWORD err = 0; wfp_block_data_t *block_data = RemoveListItem(&(*lists)[wfp_block], CmpAny, NULL); @@ -762,11 +762,11 @@ err = delete_wfp_block_filters(block_data->engine); if (block_data->metric_v4 >= 0) { - set_interface_metric(msg->iface.index, AF_INET, block_data->metric_v4); + set_interface_metric(block_data->index, AF_INET, block_data->metric_v4); } if (block_data->metric_v6 >= 0) { - set_interface_metric(msg->iface.index, AF_INET6, block_data->metric_v6); + set_interface_metric(block_data->index, AF_INET6, block_data->metric_v6); } free(block_data); } @@ -829,7 +829,7 @@ if (err) { /* delete the filters, remove undo item and free interface data */ - DeleteWfpBlock(msg, lists); + DeleteWfpBlock(lists); engine = NULL; } } @@ -854,7 +854,7 @@ } else { - return DeleteWfpBlock(msg, lists); + return DeleteWfpBlock(lists); } } |
|
From: stipa (C. Review) <ge...@op...> - 2025-11-12 18:59:30
|
Attention is currently required from: d12fk, flichtenheld, plaisthos. stipa has posted comments on this change by d12fk. ( http://gerrit.openvpn.net/c/openvpn/+/1363?usp=email ) Change subject: iservice: use saved iface index to restore metric ...................................................................... Patch Set 2: Code-Review+2 -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1363?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email Gerrit-MessageType: comment Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Ia74a931c703d594bdf8ccada9b783b94608de278 Gerrit-Change-Number: 1363 Gerrit-PatchSet: 2 Gerrit-Owner: d12fk <he...@op...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-Reviewer: stipa <lst...@gm...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Attention: flichtenheld <fr...@li...> Gerrit-Attention: d12fk <he...@op...> Gerrit-Comment-Date: Wed, 12 Nov 2025 18:59:15 +0000 Gerrit-HasComments: No Gerrit-Has-Labels: Yes |
|
From: cron2 (C. Review) <ge...@op...> - 2025-11-12 16:13:47
|
cron2 has abandoned this change. ( http://gerrit.openvpn.net/c/openvpn/+/1373?usp=email ) Change subject: Fix construction of invalid pointer in tls_pre_decrypt ...................................................................... Abandoned I ruined the commit by adding a blank line, so Gerrit could not match it anymore. This has been merged as commit 5cdf3f9724c89b278c88fd408714a8d2c1f4d1a1 (master) + cherrypicked to 2.6 and 2.5 -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1373?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email Gerrit-MessageType: abandon Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Ided1ac7c804487055b175d8766535bead257b7d5 Gerrit-Change-Number: 1373 Gerrit-PatchSet: 1 Gerrit-Owner: plaisthos <arn...@rf...> Gerrit-Reviewer: cron2 <ge...@gr...> Gerrit-CC: openvpn-devel <ope...@li...> |
|
From: cron2 (C. Review) <ge...@op...> - 2025-11-12 15:57:36
|
Attention is currently required from: ordex, plaisthos. cron2 has posted comments on this change by ordex. ( http://gerrit.openvpn.net/c/openvpn/+/1375?usp=email ) Change subject: drop --opt-verify functionality ...................................................................... Patch Set 1: Code-Review-1 (1 comment) Patchset: PS1: taking back the +2, please do take care of the manpage as well -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1375?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email Gerrit-MessageType: comment Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Ia60a393a296f23ac1090d0f2016b5682649ed490 Gerrit-Change-Number: 1375 Gerrit-PatchSet: 1 Gerrit-Owner: ordex <an...@ma...> Gerrit-Reviewer: cron2 <ge...@gr...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Attention: ordex <an...@ma...> Gerrit-Comment-Date: Wed, 12 Nov 2025 15:57:21 +0000 Gerrit-HasComments: Yes Gerrit-Has-Labels: Yes |
154 messages has been excluded from this view by a project administrator.
