From: ordex (C. Review) <ge...@op...> - 2025-07-18 15:19:43

Attention is currently required from: flichtenheld, plaisthos, ralf_lici, stipa.

ordex has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/1084?usp=email )

Change subject: dco: Add support for float notifications
......................................................................

Patch Set 6: Code-Review+2

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1084?usp=email
To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I33e9272b4196c7634db2fb33a75ae4261660867f
Gerrit-Change-Number: 1084
Gerrit-PatchSet: 6
Gerrit-Owner: ralf_lici <ra...@ma...>
Gerrit-Reviewer: cron2 <ge...@gr...>
Gerrit-Reviewer: flichtenheld <fr...@li...>
Gerrit-Reviewer: ordex <an...@ma...>
Gerrit-Reviewer: plaisthos <arn...@rf...>
Gerrit-Reviewer: stipa <lst...@gm...>
Gerrit-CC: openvpn-devel <ope...@li...>
Gerrit-Attention: plaisthos <arn...@rf...>
Gerrit-Attention: flichtenheld <fr...@li...>
Gerrit-Attention: ralf_lici <ra...@ma...>
Gerrit-Attention: stipa <lst...@gm...>
Gerrit-Comment-Date: Fri, 18 Jul 2025 12:26:51 +0000
Gerrit-HasComments: No
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment
From: ralf_lici (C. Review) <ge...@op...> - 2025-07-18 15:10:17
Attention is currently required from: flichtenheld, plaisthos. Hello plaisthos, flichtenheld, I'd like you to do a code review. Please visit http://gerrit.openvpn.net/c/openvpn/+/1092?usp=email to review the following change. Change subject: add flag to print mroute_addr address family ...................................................................... add flag to print mroute_addr address family Add the MAPF_SHOW_FAMILY flag to prepend the address family to the address when printing an mroute_addr object, similar to how it's done in print_sockaddr_ex(). Note that when using this flag with an IPv4-mapped IPv6 address, the output will look like: [AF_INET6]a.b.c.d Change-Id: I43cd3d564d8c6ad4e41de5a38130d90cb6778395 Signed-off-by: Ralf Lici <ra...@ma...> --- M src/openvpn/mroute.c M src/openvpn/mroute.h 2 files changed, 9 insertions(+), 0 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/92/1092/1 diff --git a/src/openvpn/mroute.c b/src/openvpn/mroute.c index a617b33..e3b1e9b 100644 --- a/src/openvpn/mroute.c +++ b/src/openvpn/mroute.c @@ -415,6 +415,10 @@ { buf_printf(&out, "%s:", proto2ascii(maddr.proto, AF_INET, false)); } + if (flags & MAPF_SHOW_FAMILY) + { + buf_printf(&out, "[AF_INET]"); + } buf_printf(&out, "%s", print_in_addr_t(ntohl(maddr.v4.addr), (flags & MAPF_IA_EMPTY_IF_UNDEF) ? IA_EMPTY_IF_UNDEF : 0, gc)); if (maddr.type & MR_WITH_NETBITS) @@ -442,6 +446,10 @@ { buf_printf(&out, "%s:", proto2ascii(maddr.proto, AF_INET6, false)); } + if (flags & MAPF_SHOW_FAMILY) + { + buf_printf(&out, "[AF_INET6]"); + } if (IN6_IS_ADDR_V4MAPPED( &maddr.v6.addr ) ) { buf_printf(&out, "%s", print_in_addr_t(maddr.v4mappedv6.addr, diff --git a/src/openvpn/mroute.h b/src/openvpn/mroute.h index c359fd2..4f9fc03 100644 --- a/src/openvpn/mroute.h +++ b/src/openvpn/mroute.h 
@@ -150,6 +150,7 @@ #define MAPF_SUBNET (1<<0) #define MAPF_IA_EMPTY_IF_UNDEF (1<<1) #define MAPF_SHOW_ARP (1<<2) +#define MAPF_SHOW_FAMILY (1<<3) const char *mroute_addr_print_ex(const struct mroute_addr *ma, const unsigned int flags, struct gc_arena *gc); -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1092?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I43cd3d564d8c6ad4e41de5a38130d90cb6778395 Gerrit-Change-Number: 1092 Gerrit-PatchSet: 1 Gerrit-Owner: ralf_lici <ra...@ma...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Attention: flichtenheld <fr...@li...> Gerrit-MessageType: newchange |
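Review bot: in the mroute.c IPv6 branch the "[AF_INET6]" tag is printed before the IN6_IS_ADDR_V4MAPPED check, so a mapped address comes out as "[AF_INET6]a.b.c.d" as the commit message says; that is the useful signal (the address was stored on a dual-stack socket), but nothing in mroute.h records it. Add a one-line comment next to `#define MAPF_SHOW_FAMILY (1<<3)` saying the tag reflects the stored address family, not the textual form. Also check which callers will pass the flag: the float log quoted later in this thread shows one side as `udp4:193.149.48.172:62227` and the other as `[AF_INET]193.149.48.173:62227`, and the value of this change depends on both sides of such a message being printed with the same printer and the same flags.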
From: ralf_lici (C. Review) <ge...@op...> - 2025-07-18 15:08:30

Attention is currently required from: flichtenheld, plaisthos.

Hello plaisthos, flichtenheld,

I'd like you to do a code review. Please visit http://gerrit.openvpn.net/c/openvpn/+/1091?usp=email to review the following change.

Change subject: improve float collision logging
......................................................................

improve float collision logging

Extend the log message printed when an instance floats to an address already taken by another instance with the same certificate. The updated message now includes the instance being closed, the reason it's being closed, and the new instance taking over that address.

Change-Id: I217cfb319b85fd75a88f7d4d50c374d28771df28
Signed-off-by: Ralf Lici <ra...@ma...>
---
M src/openvpn/multi.c
1 file changed, 5 insertions(+), 1 deletion(-)

git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/91/1091/1

diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
index ead3dd0..4696686 100644
--- a/src/openvpn/multi.c
+++ b/src/openvpn/multi.c
@@ -3263,7 +3263,11 @@ mroute_addr_print(&mi->real, &gc)); goto done; } - msg(D_MULTI_MEDIUM, "closing instance %s", multi_instance_string(ex_mi, false, &gc)); + + msg(D_MULTI_LOW, "closing instance %s due to float collision with %s " + "using the same certificate", + multi_instance_string(ex_mi, false, &gc), + multi_instance_string(mi, false, &gc)); multi_close_instance(m, ex_mi, false); } -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1091?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I217cfb319b85fd75a88f7d4d50c374d28771df28 Gerrit-Change-Number: 1091 Gerrit-PatchSet: 1 Gerrit-Owner: ralf_lici <ra...@ma...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Attention: flichtenheld <fr...@li...> Gerrit-MessageType: newchange |
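Review bot: the message level changes from D_MULTI_MEDIUM to D_MULTI_LOW, which changes the --verb at which operators see the line, but the commit message only describes the extended text. Either keep the original level or say in the commit message why a session being closed because of a same-certificate float collision should become visible at a different verbosity; a silent level change is easy to miss in review and in changelogs.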
From: Gert D. <ge...@gr...> - 2025-07-18 15:04:24

From: Ralf Lici <ra...@ma...>

When a peer changes its UDP endpoint, the DCO module emits a notification to userspace. The message is parsed and the relevant information is extracted in order to process the floating operation.

Note that we preserve IPv4-mapped IPv6 addresses in userspace when receiving a pure IPv4 address from the module, otherwise openvpn wouldn't be able to retrieve the multi_instance using the transport address hash table lookup.

It may happen that a netlink notification gets lost, causing us to skip a float step. If the peer then floats back to its previous address, userspace closes the only valid instance while trying to process the float, leading to a segfault. To prevent this, we ignore float attempts to an address already taken by a peer with the same peer ID.

Change-Id: I33e9272b4196c7634db2fb33a75ae4261660867f
Signed-off-by: Ralf Lici <ra...@ma...>
Acked-by: Gert Doering <ge...@gr...>
---

This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1084
This mail reflects revision 6 of this Change.

Acked-by according to Gerrit (reflected above):
Gert Doering <ge...@gr...>

diff --git a/src/openvpn/dco_linux.c b/src/openvpn/dco_linux.c
index 22a445a..f04ebfe 100644
--- a/src/openvpn/dco_linux.c
+++ b/src/openvpn/dco_linux.c
@@ -768,6 +768,44 @@ return ret; } +static bool +ovpn_parse_float_addr(struct nlattr **attrs, struct sockaddr *out) +{ + if (!attrs[OVPN_A_PEER_REMOTE_PORT]) + { + msg(D_DCO, "ovpn-dco: no remote port in PEER_FLOAT_NTF message"); + return false; + } + + if (attrs[OVPN_A_PEER_REMOTE_IPV4]) + { + struct sockaddr_in *addr4 = (struct sockaddr_in *)out; + CLEAR(*addr4); + addr4->sin_family = AF_INET; + addr4->sin_port = nla_get_u16(attrs[OVPN_A_PEER_REMOTE_PORT]); + addr4->sin_addr.s_addr = nla_get_u32(attrs[OVPN_A_PEER_REMOTE_IPV4]); + return true; + } + else if (attrs[OVPN_A_PEER_REMOTE_IPV6] + && nla_len(attrs[OVPN_A_PEER_REMOTE_IPV6]) == sizeof(struct in6_addr)) + { + struct sockaddr_in6 *addr6 = (struct sockaddr_in6 *)out; + CLEAR(*addr6); + addr6->sin6_family = AF_INET6; + addr6->sin6_port = nla_get_u16(attrs[OVPN_A_PEER_REMOTE_PORT]); + memcpy(&addr6->sin6_addr, nla_data(attrs[OVPN_A_PEER_REMOTE_IPV6]), + sizeof(addr6->sin6_addr)); + if (attrs[OVPN_A_PEER_REMOTE_IPV6_SCOPE_ID]) + { + addr6->sin6_scope_id = nla_get_u32(attrs[OVPN_A_PEER_REMOTE_IPV6_SCOPE_ID]); + } + return true; + } + + msg(D_DCO, "ovpn-dco: no valid remote IP address in PEER_FLOAT_NTF message"); + return false; +} + /* This function parses any netlink message sent by ovpn-dco to userspace */ static int ovpn_handle_msg(struct nl_msg *msg, void *arg) 
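Review bot: the IPv6 branch of ovpn_parse_float_addr() checks `nla_len(attrs[OVPN_A_PEER_REMOTE_IPV6]) == sizeof(struct in6_addr)` before its memcpy, but the IPv4 branch reads OVPN_A_PEER_REMOTE_IPV4 with nla_get_u32() and the port with nla_get_u16() without any length check; the nested attributes are parsed with a NULL policy in the PEER_FLOAT_NTF handler, so nothing else validates their sizes. Add the equivalent nla_len() checks (or a policy) so that a truncated attribute from a mismatched module version is rejected instead of read past. Also say in a comment that `sin_port`/`sin6_port` receive the raw attribute value, i.e. the module is expected to deliver the port already in network byte order, since nothing here converts it.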
@@ -856,6 +894,45 @@ break; } + case OVPN_CMD_PEER_FLOAT_NTF: + { + if (!attrs[OVPN_A_PEER]) + { + msg(D_DCO, "ovpn-dco: no peer in PEER_FLOAT_NTF message"); + return NL_STOP; + } + + struct nlattr *fp_attrs[OVPN_A_PEER_MAX + 1]; + if (nla_parse_nested(fp_attrs, OVPN_A_PEER_MAX, attrs[OVPN_A_PEER], + NULL)) + { + msg(D_DCO, "ovpn-dco: can't parse peer in PEER_FLOAT_NTF messsage"); + return NL_STOP; + } + + if (!fp_attrs[OVPN_A_PEER_ID]) + { + msg(D_DCO, "ovpn-dco: no peer-id in PEER_FLOAT_NTF message"); + return NL_STOP; + } + uint32_t peerid = nla_get_u32(fp_attrs[OVPN_A_PEER_ID]); + + if (!ovpn_parse_float_addr(fp_attrs, (struct sockaddr *)&dco->dco_float_peer_ss)) + { + return NL_STOP; + } + + struct gc_arena gc = gc_new(); + msg(D_DCO_DEBUG, + "ovpn-dco: received CMD_PEER_FLOAT_NTF, ifindex: %u, peer-id %u, address: %s", + ifindex, peerid, print_sockaddr((struct sockaddr *)&dco->dco_float_peer_ss, &gc)); + dco->dco_message_peer_id = (int)peerid; + dco->dco_message_type = OVPN_CMD_PEER_FLOAT_NTF; + + gc_free(&gc); + break; + } + case OVPN_CMD_KEY_SWAP_NTF: { if (!attrs[OVPN_A_KEYCONF]) diff --git a/src/openvpn/dco_linux.h b/src/openvpn/dco_linux.h index 4e441ec..676b8cd 100644 --- a/src/openvpn/dco_linux.h +++ b/src/openvpn/dco_linux.h @@ -34,6 +34,7 @@ /* Defines to avoid mismatching with other platforms */ #define OVPN_CMD_DEL_PEER OVPN_CMD_PEER_DEL_NTF #define OVPN_CMD_SWAP_KEYS OVPN_CMD_KEY_SWAP_NTF +#define OVPN_CMD_FLOAT_PEER OVPN_CMD_PEER_FLOAT_NTF typedef enum ovpn_key_slot dco_key_slot_t; typedef enum ovpn_cipher_alg dco_cipher_t; @@ -75,6 +76,7 @@ int dco_message_peer_id; int dco_message_key_id; int dco_del_peer_reason; + struct sockaddr_storage dco_float_peer_ss; uint64_t dco_read_bytes; uint64_t dco_write_bytes; } dco_context_t; diff --git a/src/openvpn/dco_win.c b/src/openvpn/dco_win.c index 2a13658..83db739 100644 --- a/src/openvpn/dco_win.c +++ b/src/openvpn/dco_win.c 
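Review bot: typo in the error string "can't parse peer in PEER_FLOAT_NTF messsage" (extra s). Also, `nla_parse_nested(fp_attrs, OVPN_A_PEER_MAX, attrs[OVPN_A_PEER], NULL)` passes no policy, so every per-attribute size check falls on ovpn_parse_float_addr(); if a policy table for the OVPN_A_PEER_* attributes already exists in dco_linux.c, reusing it here makes the parse self-validating. The `struct gc_arena gc` is created after all the early `return NL_STOP` paths, so there is no leak on the error branches.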
@@ -663,6 +663,7 @@ dco->dco_message_peer_id = dco->notif_buf.PeerId; dco->dco_message_type = dco->notif_buf.Cmd; dco->dco_del_peer_reason = dco->notif_buf.DelPeerReason; + dco->dco_float_peer_ss = dco->notif_buf.FloatAddress; } else { diff --git a/src/openvpn/dco_win.h b/src/openvpn/dco_win.h index 4513f3f..b9d93fa 100644 --- a/src/openvpn/dco_win.h +++ b/src/openvpn/dco_win.h @@ -52,6 +52,7 @@ int dco_message_peer_id; int dco_message_type; int dco_del_peer_reason; + struct sockaddr_storage dco_float_peer_ss; uint64_t dco_read_bytes; uint64_t dco_write_bytes; diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index a4f260a..dfc6708 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c @@ -1243,6 +1243,41 @@ perf_pop(); } +void +extract_dco_float_peer_addr(const sa_family_t socket_family, + struct openvpn_sockaddr *out_osaddr, + const struct sockaddr *float_sa) +{ + if (float_sa->sa_family == AF_INET) + { + struct sockaddr_in *float4 = (struct sockaddr_in *)float_sa; + /* DCO treats IPv4-mapped IPv6 addresses as pure IPv4. However, on a + * dual-stack socket, we need to preserve the mapping otherwise openvpn + * will not be able to find the peer by its transport address. + */ + if (socket_family == AF_INET6) + { + out_osaddr->addr.in6.sin6_family = AF_INET6; + out_osaddr->addr.in6.sin6_port = float4->sin_port; + + memset(&out_osaddr->addr.in6.sin6_addr.s6_addr, 0, 10); + out_osaddr->addr.in6.sin6_addr.s6_addr[10] = 0xff; + out_osaddr->addr.in6.sin6_addr.s6_addr[11] = 0xff; + memcpy(&out_osaddr->addr.in6.sin6_addr.s6_addr[12], + &float4->sin_addr.s_addr, sizeof(in_addr_t)); + } + else + { + memcpy(&out_osaddr->addr.in4, float4, sizeof(struct sockaddr_in)); + } + } + else + { + struct sockaddr_in6 *float6 = (struct sockaddr_in6 *)float_sa; + memcpy(&out_osaddr->addr.in6, float6, sizeof(struct sockaddr_in6)); + } +} + static void process_incoming_dco(struct context *c) { 
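Review bot: extract_dco_float_peer_addr() casts the `const struct sockaddr *float_sa` parameter to non-const `struct sockaddr_in *` / `struct sockaddr_in6 *`; declare `float4` and `float6` as `const` pointers so the const on the parameter is honoured. In the dual-stack branch only `sin6_family`, `sin6_port` and `sin6_addr` are written, leaving `sin6_flowinfo` and `sin6_scope_id` of `out_osaddr->addr.in6` at whatever they held before; since this address becomes the key for the transport-address hash lookup the commit message relies on, clear the struct (`CLEAR(out_osaddr->addr.in6)`) before filling it so stale bits cannot make the lookup miss. The final `else` treats every non-AF_INET family as AF_INET6; that holds for what ovpn_parse_float_addr() produces today, but an explicit `else if (float_sa->sa_family == AF_INET6)` with an msg() for anything else is cheaper than a silent copy of the wrong struct type.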
diff --git a/src/openvpn/forward.h b/src/openvpn/forward.h index 318691f..2818fd1 100644 --- a/src/openvpn/forward.h +++ b/src/openvpn/forward.h @@ -196,6 +196,21 @@ void process_incoming_link_part2(struct context *c, struct link_socket_info *lsi, const uint8_t *orig_buf); /** + * Transfers \c float_sa data extracted from an incoming DCO + * PEER_FLOAT_NTF to \c out_osaddr for later processing. + * + * @param socket_family - The address family of the socket + * @param out_osaddr - openvpn_sockaddr struct that will be filled the new + * address data + * @param float_sa - The sockaddr struct containing the data received from the + * DCO notification + */ +void +extract_dco_float_peer_addr(sa_family_t socket_family, + struct openvpn_sockaddr *out_osaddr, + const struct sockaddr *float_sa); + +/** * Write a packet to the external network interface. * @ingroup external_multiplexer * diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index a760e07..ead3dd0 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -3251,6 +3251,18 @@ goto done; } + /* It doesn't make sense to let a peer float to the address it already + * has, so we disallow it. This can happen if a DCO netlink notification + * gets lost and we miss a floating step. + */ + if (m1->peer_id == m2->peer_id) + { + msg(M_WARN, "disallowing peer %" PRIu32 " (%s) from floating to " + "its own address (%s)", + m1->peer_id, tls_common_name(mi->context.c2.tls_multi, false), + mroute_addr_print(&mi->real, &gc)); + goto done; + } msg(D_MULTI_MEDIUM, "closing instance %s", multi_instance_string(ex_mi, false, &gc)); multi_close_instance(m, ex_mi, false); } 
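Review bot: the new peer_id check in multi.c logs at M_WARN "disallowing peer ... from floating to its own address" and then `goto done`; the code comment explains that this normally means a lost DCO netlink notification, but the log line does not, so an operator seeing the warning cannot tell a benign missed step from a real anomaly. Put that hint into the message text (e.g. "... (possibly a missed DCO float notification)"). In the forward.h hunk, the doc for `@param out_osaddr` reads "will be filled the new address data"; it needs "with".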
@@ -3384,6 +3396,17 @@ { process_incoming_del_peer(m, mi, dco); } +#if defined(TARGET_LINUX) || defined(TARGET_WIN32) + else if (dco->dco_message_type == OVPN_CMD_FLOAT_PEER) + { + ASSERT(mi->context.c2.link_sockets[0]); + extract_dco_float_peer_addr(mi->context.c2.link_sockets[0]->info.af, + &m->top.c2.from.dest, + (struct sockaddr *)&dco->dco_float_peer_ss); + multi_process_float(m, mi, mi->context.c2.link_sockets[0]); + CLEAR(dco->dco_float_peer_ss); + } +#endif /* if defined(TARGET_LINUX) || defined(TARGET_WIN32) */ else if (dco->dco_message_type == OVPN_CMD_SWAP_KEYS) { tls_session_soft_reset(mi->context.c2.tls_multi); diff --git a/src/openvpn/multi.h b/src/openvpn/multi.h index 40f7519..fe9e847 100644 --- a/src/openvpn/multi.h +++ b/src/openvpn/multi.h @@ -322,7 +322,7 @@ /** * Process an incoming DCO message (from kernel space). * - * @param m - The single \c multi_context structur.e + * @param m - The single \c multi_context structure. * * @return * - True, if the message was received correctly. diff --git a/src/openvpn/ovpn_dco_linux.h b/src/openvpn/ovpn_dco_linux.h index 680d152..b3c9ff0 100644 --- a/src/openvpn/ovpn_dco_linux.h +++ b/src/openvpn/ovpn_dco_linux.h @@ -99,6 +99,7 @@ OVPN_CMD_KEY_SWAP, OVPN_CMD_KEY_SWAP_NTF, OVPN_CMD_KEY_DEL, + OVPN_CMD_PEER_FLOAT_NTF, __OVPN_CMD_MAX, OVPN_CMD_MAX = (__OVPN_CMD_MAX - 1) diff --git a/src/openvpn/ovpn_dco_win.h b/src/openvpn/ovpn_dco_win.h index 865bb38..dd6b7ce 100644 --- a/src/openvpn/ovpn_dco_win.h +++ b/src/openvpn/ovpn_dco_win.h @@ -149,7 +149,8 @@ typedef enum { OVPN_CMD_DEL_PEER, - OVPN_CMD_SWAP_KEYS + OVPN_CMD_SWAP_KEYS, + OVPN_CMD_FLOAT_PEER } OVPN_NOTIFY_CMD; typedef enum { @@ -164,6 +165,7 @@ OVPN_NOTIFY_CMD Cmd; int PeerId; OVPN_DEL_PEER_REASON DelPeerReason; + struct sockaddr_storage FloatAddress; } OVPN_NOTIFY_EVENT, * POVPN_NOTIFY_EVENT; typedef struct _OVPN_MP_DEL_PEER { |
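Review bot: ovpn_dco_win.h appends `struct sockaddr_storage FloatAddress` to OVPN_NOTIFY_EVENT and adds OVPN_CMD_FLOAT_PEER to OVPN_NOTIFY_CMD; both are shared with the Windows driver, so this header change has to be coordinated with the driver version that actually fills FloatAddress, and the dco_win.c hunk copies `notif_buf.FloatAddress` unconditionally, so make sure the read into `notif_buf` cannot leave that field uninitialised when an older driver delivers the shorter event. In the multi.c hunk, `ASSERT(mi->context.c2.link_sockets[0])` aborts the whole server process if a float notification arrives for an instance without a link socket; given cron2's report in this thread of a crash that looks like a late kernel message racing with a half-deleted peer, an msg() plus skip would be safer than ASSERT for a condition driven by kernel-side timing.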
From: ralf_lici (C. Review) <ge...@op...> - 2025-07-18 10:50:54

Attention is currently required from: flichtenheld, ordex, plaisthos, ralf_lici, stipa.

Hello cron2, flichtenheld, ordex, plaisthos, stipa,

I'd like you to reexamine a change. Please visit http://gerrit.openvpn.net/c/openvpn/+/1084?usp=email to look at the new patch set (#6).

Change subject: dco: Add support for float notifications
......................................................................

dco: Add support for float notifications

When a peer changes its UDP endpoint, the DCO module emits a notification to userspace. The message is parsed and the relevant information is extracted in order to process the floating operation.

Note that we preserve IPv4-mapped IPv6 addresses in userspace when receiving a pure IPv4 address from the module, otherwise openvpn wouldn't be able to retrieve the multi_instance using the transport address hash table lookup.

It may happen that a netlink notification gets lost, causing us to skip a float step. If the peer then floats back to its previous address, userspace closes the only valid instance while trying to process the float, leading to a segfault. To prevent this, we ignore float attempts to an address already taken by a peer with the same peer ID.

Change-Id: I33e9272b4196c7634db2fb33a75ae4261660867f
Signed-off-by: Ralf Lici <ra...@ma...>
---
M src/openvpn/dco_linux.c
M src/openvpn/dco_linux.h
M src/openvpn/dco_win.c
M src/openvpn/dco_win.h
M src/openvpn/forward.c
M src/openvpn/forward.h
M src/openvpn/multi.c
M src/openvpn/multi.h
M src/openvpn/ovpn_dco_linux.h
M src/openvpn/ovpn_dco_win.h
10 files changed, 159 insertions(+), 2 deletions(-)

git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/84/1084/6

diff --git a/src/openvpn/dco_linux.c b/src/openvpn/dco_linux.c
index 22a445a..f04ebfe 100644
--- a/src/openvpn/dco_linux.c
+++ b/src/openvpn/dco_linux.c
@@ -768,6 +768,44 @@ return ret; } +static bool +ovpn_parse_float_addr(struct nlattr **attrs, struct sockaddr *out) +{ + if (!attrs[OVPN_A_PEER_REMOTE_PORT]) + { + msg(D_DCO, "ovpn-dco: no remote port in PEER_FLOAT_NTF message"); + return false; + } + + if (attrs[OVPN_A_PEER_REMOTE_IPV4]) + { + struct sockaddr_in *addr4 = (struct sockaddr_in *)out; + CLEAR(*addr4); + addr4->sin_family = AF_INET; + addr4->sin_port = nla_get_u16(attrs[OVPN_A_PEER_REMOTE_PORT]); + addr4->sin_addr.s_addr = nla_get_u32(attrs[OVPN_A_PEER_REMOTE_IPV4]); + return true; + } + else if (attrs[OVPN_A_PEER_REMOTE_IPV6] + && nla_len(attrs[OVPN_A_PEER_REMOTE_IPV6]) == sizeof(struct in6_addr)) + { + struct sockaddr_in6 *addr6 = (struct sockaddr_in6 *)out; + CLEAR(*addr6); + addr6->sin6_family = AF_INET6; + addr6->sin6_port = nla_get_u16(attrs[OVPN_A_PEER_REMOTE_PORT]); + memcpy(&addr6->sin6_addr, nla_data(attrs[OVPN_A_PEER_REMOTE_IPV6]), + sizeof(addr6->sin6_addr)); + if (attrs[OVPN_A_PEER_REMOTE_IPV6_SCOPE_ID]) + { + addr6->sin6_scope_id = nla_get_u32(attrs[OVPN_A_PEER_REMOTE_IPV6_SCOPE_ID]); + } + return true; + } + + msg(D_DCO, "ovpn-dco: no valid remote IP address in PEER_FLOAT_NTF message"); + return false; +} + /* This function parses any netlink message sent by ovpn-dco to userspace */ static int ovpn_handle_msg(struct nl_msg *msg, void *arg) 
@@ -856,6 +894,45 @@ break; } + case OVPN_CMD_PEER_FLOAT_NTF: + { + if (!attrs[OVPN_A_PEER]) + { + msg(D_DCO, "ovpn-dco: no peer in PEER_FLOAT_NTF message"); + return NL_STOP; + } + + struct nlattr *fp_attrs[OVPN_A_PEER_MAX + 1]; + if (nla_parse_nested(fp_attrs, OVPN_A_PEER_MAX, attrs[OVPN_A_PEER], + NULL)) + { + msg(D_DCO, "ovpn-dco: can't parse peer in PEER_FLOAT_NTF messsage"); + return NL_STOP; + } + + if (!fp_attrs[OVPN_A_PEER_ID]) + { + msg(D_DCO, "ovpn-dco: no peer-id in PEER_FLOAT_NTF message"); + return NL_STOP; + } + uint32_t peerid = nla_get_u32(fp_attrs[OVPN_A_PEER_ID]); + + if (!ovpn_parse_float_addr(fp_attrs, (struct sockaddr *)&dco->dco_float_peer_ss)) + { + return NL_STOP; + } + + struct gc_arena gc = gc_new(); + msg(D_DCO_DEBUG, + "ovpn-dco: received CMD_PEER_FLOAT_NTF, ifindex: %u, peer-id %u, address: %s", + ifindex, peerid, print_sockaddr((struct sockaddr *)&dco->dco_float_peer_ss, &gc)); + dco->dco_message_peer_id = (int)peerid; + dco->dco_message_type = OVPN_CMD_PEER_FLOAT_NTF; + + gc_free(&gc); + break; + } + case OVPN_CMD_KEY_SWAP_NTF: { if (!attrs[OVPN_A_KEYCONF]) diff --git a/src/openvpn/dco_linux.h b/src/openvpn/dco_linux.h index 4e441ec..676b8cd 100644 --- a/src/openvpn/dco_linux.h +++ b/src/openvpn/dco_linux.h @@ -34,6 +34,7 @@ /* Defines to avoid mismatching with other platforms */ #define OVPN_CMD_DEL_PEER OVPN_CMD_PEER_DEL_NTF #define OVPN_CMD_SWAP_KEYS OVPN_CMD_KEY_SWAP_NTF +#define OVPN_CMD_FLOAT_PEER OVPN_CMD_PEER_FLOAT_NTF typedef enum ovpn_key_slot dco_key_slot_t; typedef enum ovpn_cipher_alg dco_cipher_t; @@ -75,6 +76,7 @@ int dco_message_peer_id; int dco_message_key_id; int dco_del_peer_reason; + struct sockaddr_storage dco_float_peer_ss; uint64_t dco_read_bytes; uint64_t dco_write_bytes; } dco_context_t; diff --git a/src/openvpn/dco_win.c b/src/openvpn/dco_win.c index 2a13658..83db739 100644 --- a/src/openvpn/dco_win.c +++ b/src/openvpn/dco_win.c 
@@ -663,6 +663,7 @@ dco->dco_message_peer_id = dco->notif_buf.PeerId; dco->dco_message_type = dco->notif_buf.Cmd; dco->dco_del_peer_reason = dco->notif_buf.DelPeerReason; + dco->dco_float_peer_ss = dco->notif_buf.FloatAddress; } else { diff --git a/src/openvpn/dco_win.h b/src/openvpn/dco_win.h index 4513f3f..b9d93fa 100644 --- a/src/openvpn/dco_win.h +++ b/src/openvpn/dco_win.h @@ -52,6 +52,7 @@ int dco_message_peer_id; int dco_message_type; int dco_del_peer_reason; + struct sockaddr_storage dco_float_peer_ss; uint64_t dco_read_bytes; uint64_t dco_write_bytes; diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index a4f260a..dfc6708 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c @@ -1243,6 +1243,41 @@ perf_pop(); } +void +extract_dco_float_peer_addr(const sa_family_t socket_family, + struct openvpn_sockaddr *out_osaddr, + const struct sockaddr *float_sa) +{ + if (float_sa->sa_family == AF_INET) + { + struct sockaddr_in *float4 = (struct sockaddr_in *)float_sa; + /* DCO treats IPv4-mapped IPv6 addresses as pure IPv4. However, on a + * dual-stack socket, we need to preserve the mapping otherwise openvpn + * will not be able to find the peer by its transport address. + */ + if (socket_family == AF_INET6) + { + out_osaddr->addr.in6.sin6_family = AF_INET6; + out_osaddr->addr.in6.sin6_port = float4->sin_port; + + memset(&out_osaddr->addr.in6.sin6_addr.s6_addr, 0, 10); + out_osaddr->addr.in6.sin6_addr.s6_addr[10] = 0xff; + out_osaddr->addr.in6.sin6_addr.s6_addr[11] = 0xff; + memcpy(&out_osaddr->addr.in6.sin6_addr.s6_addr[12], + &float4->sin_addr.s_addr, sizeof(in_addr_t)); + } + else + { + memcpy(&out_osaddr->addr.in4, float4, sizeof(struct sockaddr_in)); + } + } + else + { + struct sockaddr_in6 *float6 = (struct sockaddr_in6 *)float_sa; + memcpy(&out_osaddr->addr.in6, float6, sizeof(struct sockaddr_in6)); + } +} + static void process_incoming_dco(struct context *c) { 
diff --git a/src/openvpn/forward.h b/src/openvpn/forward.h index 318691f..2818fd1 100644 --- a/src/openvpn/forward.h +++ b/src/openvpn/forward.h @@ -196,6 +196,21 @@ void process_incoming_link_part2(struct context *c, struct link_socket_info *lsi, const uint8_t *orig_buf); /** + * Transfers \c float_sa data extracted from an incoming DCO + * PEER_FLOAT_NTF to \c out_osaddr for later processing. + * + * @param socket_family - The address family of the socket + * @param out_osaddr - openvpn_sockaddr struct that will be filled the new + * address data + * @param float_sa - The sockaddr struct containing the data received from the + * DCO notification + */ +void +extract_dco_float_peer_addr(sa_family_t socket_family, + struct openvpn_sockaddr *out_osaddr, + const struct sockaddr *float_sa); + +/** * Write a packet to the external network interface. * @ingroup external_multiplexer * diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index a760e07..ead3dd0 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -3251,6 +3251,18 @@ goto done; } + /* It doesn't make sense to let a peer float to the address it already + * has, so we disallow it. This can happen if a DCO netlink notification + * gets lost and we miss a floating step. + */ + if (m1->peer_id == m2->peer_id) + { + msg(M_WARN, "disallowing peer %" PRIu32 " (%s) from floating to " + "its own address (%s)", + m1->peer_id, tls_common_name(mi->context.c2.tls_multi, false), + mroute_addr_print(&mi->real, &gc)); + goto done; + } msg(D_MULTI_MEDIUM, "closing instance %s", multi_instance_string(ex_mi, false, &gc)); multi_close_instance(m, ex_mi, false); } 
@@ -3384,6 +3396,17 @@ { process_incoming_del_peer(m, mi, dco); } +#if defined(TARGET_LINUX) || defined(TARGET_WIN32) + else if (dco->dco_message_type == OVPN_CMD_FLOAT_PEER) + { + ASSERT(mi->context.c2.link_sockets[0]); + extract_dco_float_peer_addr(mi->context.c2.link_sockets[0]->info.af, + &m->top.c2.from.dest, + (struct sockaddr *)&dco->dco_float_peer_ss); + multi_process_float(m, mi, mi->context.c2.link_sockets[0]); + CLEAR(dco->dco_float_peer_ss); + } +#endif /* if defined(TARGET_LINUX) || defined(TARGET_WIN32) */ else if (dco->dco_message_type == OVPN_CMD_SWAP_KEYS) { tls_session_soft_reset(mi->context.c2.tls_multi); diff --git a/src/openvpn/multi.h b/src/openvpn/multi.h index 40f7519..fe9e847 100644 --- a/src/openvpn/multi.h +++ b/src/openvpn/multi.h @@ -322,7 +322,7 @@ /** * Process an incoming DCO message (from kernel space). * - * @param m - The single \c multi_context structur.e + * @param m - The single \c multi_context structure. * * @return * - True, if the message was received correctly. diff --git a/src/openvpn/ovpn_dco_linux.h b/src/openvpn/ovpn_dco_linux.h index 680d152..b3c9ff0 100644 --- a/src/openvpn/ovpn_dco_linux.h +++ b/src/openvpn/ovpn_dco_linux.h @@ -99,6 +99,7 @@ OVPN_CMD_KEY_SWAP, OVPN_CMD_KEY_SWAP_NTF, OVPN_CMD_KEY_DEL, + OVPN_CMD_PEER_FLOAT_NTF, __OVPN_CMD_MAX, OVPN_CMD_MAX = (__OVPN_CMD_MAX - 1) diff --git a/src/openvpn/ovpn_dco_win.h b/src/openvpn/ovpn_dco_win.h index 865bb38..dd6b7ce 100644 --- a/src/openvpn/ovpn_dco_win.h +++ b/src/openvpn/ovpn_dco_win.h @@ -149,7 +149,8 @@ typedef enum { OVPN_CMD_DEL_PEER, - OVPN_CMD_SWAP_KEYS + OVPN_CMD_SWAP_KEYS, + OVPN_CMD_FLOAT_PEER } OVPN_NOTIFY_CMD; typedef enum { 
@@ -164,6 +165,7 @@ OVPN_NOTIFY_CMD Cmd; int PeerId; OVPN_DEL_PEER_REASON DelPeerReason; + struct sockaddr_storage FloatAddress; } OVPN_NOTIFY_EVENT, * POVPN_NOTIFY_EVENT; typedef struct _OVPN_MP_DEL_PEER { -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1084?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I33e9272b4196c7634db2fb33a75ae4261660867f Gerrit-Change-Number: 1084 Gerrit-PatchSet: 6 Gerrit-Owner: ralf_lici <ra...@ma...> Gerrit-Reviewer: cron2 <ge...@gr...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: ordex <an...@ma...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-Reviewer: stipa <lst...@gm...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Attention: flichtenheld <fr...@li...> Gerrit-Attention: ordex <an...@ma...> Gerrit-Attention: ralf_lici <ra...@ma...> Gerrit-Attention: stipa <lst...@gm...> Gerrit-MessageType: newpatchset |
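As an added illustration of the point in the commit message above about preserving IPv4-mapped IPv6 addresses, here is a small C example written for this page (it is not OpenVPN's code; the names `map_v4_to_v6`, `same_endpoint` and `float_lookup_matches`, and the endpoint 192.0.2.10:1194, are constructed for the example). It builds the `::ffff:a.b.c.d` form the same way the dual-stack branch of the patch does, and shows that a lookup keyed on the endpoint a dual-stack socket stored only matches when the plain AF_INET address from the notification is mapped first.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Build the IPv4-mapped IPv6 form (::ffff:a.b.c.d) of an IPv4 endpoint:
 * ten zero bytes, 0xff 0xff, then the four IPv4 address bytes. The port is
 * copied as-is, since sin_port is already in network byte order. */
void map_v4_to_v6(const struct sockaddr_in *in4, struct sockaddr_in6 *out6)
{
    memset(out6, 0, sizeof(*out6));          /* also zeroes flowinfo/scope_id */
    out6->sin6_family = AF_INET6;
    out6->sin6_port = in4->sin_port;
    out6->sin6_addr.s6_addr[10] = 0xff;
    out6->sin6_addr.s6_addr[11] = 0xff;
    memcpy(&out6->sin6_addr.s6_addr[12], &in4->sin_addr.s_addr, sizeof(in_addr_t));
}

/* Transport-address equality as a table keyed on the remote endpoint would
 * compute it: family, address and port must all match. An AF_INET key never
 * equals an AF_INET6 key, even when both name the same IPv4 host. */
bool same_endpoint(const struct sockaddr_storage *a, const struct sockaddr_storage *b)
{
    if (a->ss_family != b->ss_family) {
        return false;
    }
    if (a->ss_family == AF_INET) {
        const struct sockaddr_in *x = (const struct sockaddr_in *)a;
        const struct sockaddr_in *y = (const struct sockaddr_in *)b;
        return x->sin_port == y->sin_port && x->sin_addr.s_addr == y->sin_addr.s_addr;
    }
    if (a->ss_family == AF_INET6) {
        const struct sockaddr_in6 *x = (const struct sockaddr_in6 *)a;
        const struct sockaddr_in6 *y = (const struct sockaddr_in6 *)b;
        return x->sin6_port == y->sin6_port
            && x->sin6_scope_id == y->sin6_scope_id
            && memcmp(&x->sin6_addr, &y->sin6_addr, sizeof(x->sin6_addr)) == 0;
    }
    return false;
}

/* Constructed scenario: a dual-stack (AF_INET6) listening socket recorded the
 * peer as [::ffff:192.0.2.10]:1194. The kernel then reports a float for that
 * peer as a plain AF_INET 192.0.2.10:1194. Returns true if the lookup key
 * built from the notification finds the stored endpoint. */
bool float_lookup_matches(bool preserve_mapping)
{
    struct sockaddr_storage stored, key;
    struct sockaddr_in from_kernel;
    memset(&stored, 0, sizeof(stored));
    memset(&key, 0, sizeof(key));
    memset(&from_kernel, 0, sizeof(from_kernel));

    from_kernel.sin_family = AF_INET;
    from_kernel.sin_port = htons(1194);
    inet_pton(AF_INET, "192.0.2.10", &from_kernel.sin_addr);

    struct sockaddr_in6 *s6 = (struct sockaddr_in6 *)&stored;
    s6->sin6_family = AF_INET6;
    s6->sin6_port = htons(1194);
    inet_pton(AF_INET6, "::ffff:192.0.2.10", &s6->sin6_addr);

    if (preserve_mapping) {
        map_v4_to_v6(&from_kernel, (struct sockaddr_in6 *)&key);
    } else {
        memcpy(&key, &from_kernel, sizeof(from_kernel)); /* raw AF_INET key */
    }
    return same_endpoint(&key, &stored);
}

/* The mapped form is still recognisable as IPv4, which is what lets a printer
 * show it as a.b.c.d (the "[AF_INET6]a.b.c.d" case from change 1092). */
bool mapped_form_is_v4mapped(void)
{
    struct sockaddr_in in4;
    struct sockaddr_in6 in6;
    memset(&in4, 0, sizeof(in4));
    in4.sin_family = AF_INET;
    in4.sin_port = htons(1194);
    inet_pton(AF_INET, "192.0.2.10", &in4.sin_addr);
    map_v4_to_v6(&in4, &in6);
    return IN6_IS_ADDR_V4MAPPED(&in6.sin6_addr) != 0;
}

int main(void)
{
    printf("mapped key finds peer:   %s\n", float_lookup_matches(true) ? "yes" : "no");
    printf("raw AF_INET key finds it: %s\n", float_lookup_matches(false) ? "yes" : "no");
    return 0;
}
```

Compiled with any C99 compiler on a POSIX system, `float_lookup_matches(true)` returns true and `float_lookup_matches(false)` returns false, which is exactly the "openvpn wouldn't be able to retrieve the multi_instance" failure the commit message describes when the mapping is dropped.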
From: cron2 (C. Review) <ge...@op...> - 2025-07-18 08:40:02
|
Attention is currently required from: flichtenheld, ordex, plaisthos, ralf_lici, stipa.

cron2 has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/1084?usp=email )

Change subject: dco: Add support for float notifications
......................................................................

Patch Set 5:

(1 comment)

Patchset:

PS5:
So, it segfaulted again - which is a different bug than the AF_INET6 thing (which seems fixed). Not sure how to trigger it yet... I had 2 sockets, and 3 clients this time (something stable on the udp6 socket with peer-id 0 + 1, and the floating client on the udp4 socket with peer-id 2). It got confused again about "something", then tried to delete the peer, and segfaulted at the same place (race condition between userspace already having deleted half the peer info and then kernel sending up a message?)

Trying to extract the interesting bits

```
2025-07-18 10:32:39 us=870590 dco_do_read
2025-07-18 10:32:39 us=870769 ovpn-dco: received CMD_PEER_FLOAT_NTF, ifindex: 5651, peer-id 2, address: [AF_INET]193.149.48.173:62227
2025-07-18 10:32:39 us=870881 peer 2 (cron2-freebsd-tc-amd64) floated from udp4:193.149.48.172:62227 to [AF_INET]193.149.48.173:62227
2025-07-18 10:32:43 us=883102 dco_do_read
2025-07-18 10:32:43 us=883230 ovpn-dco: received CMD_PEER_FLOAT_NTF, ifindex: 5651, peer-id 2, address: [AF_INET]193.149.48.172:62227
2025-07-18 10:32:43 us=883293 peer 2 (cron2-freebsd-tc-amd64) floated from udp4:193.149.48.173:62227 to [AF_INET]193.149.48.172:62227

(everything fine)

2025-07-18 10:32:55 us=935486 dco_get_peer_stats_multi
2025-07-18 10:32:55 us=935798 dco_parse_peer_multi: parsing message...
2025-07-18 10:32:55 us=935851 dco_update_peer_stat: no link RX bytes provided in reply for peer 2
2025-07-18 10:32:55 us=935881 dco_update_peer_stat: no link TX bytes provided in reply for peer 2
2025-07-18 10:32:55 us=935900 dco_update_peer_stat: no VPN RX bytes provided in reply for peer 2
2025-07-18 10:32:55 us=935919 dco_update_peer_stat: no VPN TX bytes provided in reply for peer 2
2025-07-18 10:32:55 us=937904 dco_parse_peer_multi: parsing message...
2025-07-18 10:32:55 us=937991 dco_update_peer_stat / dco_read_bytes: 976
2025-07-18 10:32:55 us=938052 dco_update_peer_stat / dco_write_bytes: 440
2025-07-18 10:32:55 us=938098 dco_update_peer_stat / tun_read_bytes: 0
2025-07-18 10:32:55 us=938151 dco_update_peer_stat / tun_write_bytes: 0
2025-07-18 10:32:55 us=938212 dco_parse_peer_multi: parsing message...
2025-07-18 10:32:55 us=938270 dco_update_peer_stat / dco_read_bytes: 400
2025-07-18 10:32:55 us=938322 dco_update_peer_stat / dco_write_bytes: 440
2025-07-18 10:32:55 us=938366 dco_update_peer_stat / tun_read_bytes: 0
2025-07-18 10:32:55 us=938425 dco_update_peer_stat / tun_write_bytes: 0
2025-07-18 10:32:55 us=938483 dco_parse_peer_multi: parsing message...
2025-07-18 10:32:55 us=938535 dco_update_peer_stat / dco_read_bytes: 13840
2025-07-18 10:32:55 us=938579 dco_update_peer_stat / dco_write_bytes: 13440
2025-07-18 10:32:55 us=938638 dco_update_peer_stat / tun_read_bytes: 10920
2025-07-18 10:32:55 us=938695 dco_update_peer_stat / tun_write_bytes: 10920
2025-07-18 10:32:55 us=939599 dco_do_read
2025-07-18 10:32:55 us=939755 dco_do_read: netlink reports error (-4): Try again

(this "no RX bytes for peer 2" is what I saw yesterday as well, and the "Try again")

2025-07-18 10:33:00 us=100235 cron2-freebsd-tc-amd64/udp4:193.149.48.172:62227 peer-id=2 TLS: soft reset sec=56/56 bytes=0/-1 pkts=0/0 aead_limit_send=0/60129542137 aead_limit_recv=0/60129542137
2025-07-18 10:33:00 us=100434 cron2-freebsd-tc-amd64/udp4:193.149.48.172:62227 peer-id=2 Sent warning SSL alert: close notify
2025-07-18 10:33:00 us=100719 cron2-freebsd-tc-amd64/udp4:193.149.48.172:62227 peer-id=2 dco_del_key: peer-id 2, slot 1

(this still looks normal, skipping the UDP read/write)

2025-07-18 10:33:00 us=132607 cron2-freebsd-tc-amd64/udp4:193.149.48.172:62227 peer-id=2 VERIFY OK: depth=1, C=US, ST=California, L=Pleasanton, O=OpenVPN community project, CN=OpenVPN community project CA, emailAddress=sa...@op...
2025-07-18 10:33:00 us=132851 cron2-freebsd-tc-amd64/udp4:193.149.48.172:62227 peer-id=2 VERIFY OK: depth=0, C=DE, ST=Bavaria, L=Munich, O=OpenVPN community project, OU=Server Testing, CN=cron2-freebsd-tc-amd64, emailAddress=ge...@gr...
2025-07-18 10:33:00 us=133145 cron2-freebsd-tc-amd64/udp4:193.149.48.172:62227 peer-id=2 peer info: IV_VER=2.7_alpha2
2025-07-18 10:33:00 us=133198 cron2-freebsd-tc-amd64/udp4:193.149.48.172:62227 peer-id=2 peer info: IV_PLAT=mac
2025-07-18 10:33:00 us=133238 cron2-freebsd-tc-amd64/udp4:193.149.48.172:62227 peer-id=2 peer info: IV_TCPNL=1
2025-07-18 10:33:00 us=133283 cron2-freebsd-tc-amd64/udp4:193.149.48.172:62227 peer-id=2 peer info: IV_MTU=1600
2025-07-18 10:33:00 us=133315 cron2-freebsd-tc-amd64/udp4:193.149.48.172:62227 peer-id=2 peer info: IV_NCP=2
2025-07-18 10:33:00 us=133348 cron2-freebsd-tc-amd64/udp4:193.149.48.172:62227 peer-id=2 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
2025-07-18 10:33:00 us=133385 cron2-freebsd-tc-amd64/udp4:193.149.48.172:62227 peer-id=2 peer info: IV_PROTO=3998
2025-07-18 10:33:00 us=133418 cron2-freebsd-tc-amd64/udp4:193.149.48.172:62227 peer-id=2 peer info: IV_LZ4=1
2025-07-18 10:33:00 us=133453 cron2-freebsd-tc-amd64/udp4:193.149.48.172:62227 peer-id=2 peer info: IV_LZ4v2=1
2025-07-18 10:33:00 us=133487 cron2-freebsd-tc-amd64/udp4:193.149.48.172:62227 peer-id=2 peer info: IV_LZO=1
2025-07-18 10:33:00 us=133521 cron2-freebsd-tc-amd64/udp4:193.149.48.172:62227 peer-id=2 peer info: IV_COMP_STUB=1
2025-07-18 10:33:00 us=133553 cron2-freebsd-tc-amd64/udp4:193.149.48.172:62227 peer-id=2 peer info: IV_COMP_STUBv2=1
2025-07-18 10:33:00 us=133592 cron2-freebsd-tc-amd64/udp4:193.149.48.172:62227 peer-id=2 Note: 'compress migrate' detected remote peer with compression enabled.
2025-07-18 10:33:00 us=133743 cron2-freebsd-tc-amd64/udp4:193.149.48.172:62227 peer-id=2 UDPv4 WRITE [236] to [AF_INET]193.149.48.172:62227: P_CONTROL_V1 kid=2 [ ] pid=4456 DATA len=222
2025-07-18 10:33:00 us=133834 cron2-freebsd-tc-amd64/udp4:193.149.48.172:62227 peer-id=2 UDPv4 WRITE [287] to [AF_INET]193.149.48.172:62227: P_CONTROL_V1 kid=2 [ ] pid=4712 DATA len=273
2025-07-18 10:33:00 us=137204 cron2-freebsd-tc-amd64/udp4:193.149.48.172:62227 peer-id=2 UDPv4 READ [78] from [AF_INET]193.149.48.172:62227: P_ACK_V1 kid=2 [ ] DATA len=68
2025-07-18 10:33:00 us=140572 cron2-freebsd-tc-amd64/udp4:193.149.48.172:62227 peer-id=2 UDPv4 READ [82] from [AF_INET]193.149.48.172:62227: P_ACK_V1 kid=2 [ ] DATA len=72
2025-07-18 10:33:00 us=140640 cron2-freebsd-tc-amd64/udp4:193.149.48.172:62227 peer-id=2 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bits RSA, signature: RSA-SHA1, peer temporary key: 253 bits X25519, peer signing digest/type: SHA256 RSASSA-PSS
2025-07-18 10:33:00 us=140720 cron2-freebsd-tc-amd64/udp4:193.149.48.172:62227 peer-id=2 dco_install_key: peer_id=2 keyid=2, currently 1 keys installed
2025-07-18 10:33:00 us=140767 cron2-freebsd-tc-amd64/udp4:193.149.48.172:62227 peer-id=2 dco_new_key: slot 1, key-id 2, peer-id 2, cipher AES-256-GCM
2025-07-18 10:33:00 us=951542 dco_do_read
2025-07-18 10:33:00 us=951670 ovpn-dco: received CMD_PEER_FLOAT_NTF, ifindex: 5651, peer-id 2, address: [AF_INET]193.149.48.172:62227
2025-07-18 10:33:00 us=951736 closing instance cron2-freebsd-tc-amd64/udp4:193.149.48.172:62227 peer-id=2
2025-07-18 10:33:00 us=951806 dco_get_peer_stats_multi
2025-07-18 10:33:00 us=952053 dco_parse_peer_multi: parsing message...
2025-07-18 10:33:00 us=952099 dco_update_peer_stat / dco_read_bytes: 976
2025-07-18 10:33:00 us=952135 dco_update_peer_stat / dco_write_bytes: 440
2025-07-18 10:33:00 us=952169 dco_update_peer_stat / tun_read_bytes: 0
2025-07-18 10:33:00 us=952478 dco_update_peer_stat / tun_write_bytes: 0
2025-07-18 10:33:00 us=952541 dco_parse_peer_multi: parsing message...
2025-07-18 10:33:00 us=952580 dco_update_peer_stat / dco_read_bytes: 400
2025-07-18 10:33:00 us=952614 dco_update_peer_stat / dco_write_bytes: 440
2025-07-18 10:33:00 us=952663 dco_update_peer_stat / tun_read_bytes: 0
2025-07-18 10:33:00 us=952707 dco_update_peer_stat / tun_write_bytes: 0
2025-07-18 10:33:00 us=952754 dco_parse_peer_multi: parsing message...
2025-07-18 10:33:00 us=952791 dco_parse_peer_multi: cannot store DCO stats for peer 2
2025-07-18 10:33:00 us=952892 register signal: SIGTERM (close_context)
2025-07-18 10:33:00 us=952943 dco_del_peer: peer-id 2
2025-07-18 10:33:00 us=972424 Sent warning SSL alert: close notify
2025-07-18 10:33:00 us=972698 Sent warning SSL alert: close notify

Program received signal SIGSEGV, Segmentation fault.
0x0000555555599ef3 in multi_process_float (m=m@entry=0x7fffffffbcc0, mi=mi@entry=0x5555556a2050, sock=0x55555564dbe0) at multi.c:3258
3258	    msg(D_MULTI_MEDIUM, "peer %" PRIu32 " (%s) floated from %s to %s",
(gdb) list
3253
3254	        msg(D_MULTI_MEDIUM, "closing instance %s", multi_instance_string(ex_mi, false, &gc));
3255	        multi_close_instance(m, ex_mi, false);
3256	    }
3257
3258	    msg(D_MULTI_MEDIUM, "peer %" PRIu32 " (%s) floated from %s to %s",
3259	        mi->context.c2.tls_multi->peer_id,
3260	        tls_common_name(mi->context.c2.tls_multi, false),
3261	        mroute_addr_print(&mi->real, &gc),
3262	        print_link_socket_actual(&m->top.c2.from, &gc));
(gdb) print mi->context.c2.tls_multi
$1 = (struct tls_multi *) 0x0
```

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1084?usp=email
To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I33e9272b4196c7634db2fb33a75ae4261660867f
Gerrit-Change-Number: 1084
Gerrit-PatchSet: 5
Gerrit-Owner: ralf_lici <ra...@ma...>
Gerrit-Reviewer: cron2 <ge...@gr...>
Gerrit-Reviewer: flichtenheld <fr...@li...>
Gerrit-Reviewer: ordex <an...@ma...>
Gerrit-Reviewer: plaisthos <arn...@rf...>
Gerrit-Reviewer: stipa <lst...@gm...>
Gerrit-CC: openvpn-devel <ope...@li...>
Gerrit-Attention: plaisthos <arn...@rf...>
Gerrit-Attention: flichtenheld <fr...@li...>
Gerrit-Attention: ordex <an...@ma...>
Gerrit-Attention: ralf_lici <ra...@ma...>
Gerrit-Attention: stipa <lst...@gm...>
Gerrit-Comment-Date: Fri, 18 Jul 2025 08:39:45 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Gerrit-MessageType: comment
|
From: ralf_lici (C. Review) <ge...@op...> - 2025-07-17 21:08:21
|
Attention is currently required from: cron2, flichtenheld, ordex, plaisthos, ralf_lici, stipa.

Hello cron2, flichtenheld, ordex, plaisthos, stipa,

I'd like you to reexamine a change. Please visit http://gerrit.openvpn.net/c/openvpn/+/1084?usp=email to look at the new patch set (#5).

Change subject: dco: Add support for float notifications
......................................................................

dco: Add support for float notifications

When a peer changes its UDP endpoint, the DCO module emits a notification to userspace. The message is parsed and the relevant information is extracted in order to process the floating operation.

Note that we preserve IPv4-mapped IPv6 addresses in userspace when receiving a pure IPv4 address from the module, otherwise openvpn wouldn't be able to retrieve the multi_instance using the transport address hash table lookup.

Change-Id: I33e9272b4196c7634db2fb33a75ae4261660867f
Signed-off-by: Ralf Lici <ra...@ma...>
---
M src/openvpn/dco_linux.c
M src/openvpn/dco_linux.h
M src/openvpn/dco_win.c
M src/openvpn/dco_win.h
M src/openvpn/forward.c
M src/openvpn/forward.h
M src/openvpn/multi.c
M src/openvpn/multi.h
M src/openvpn/ovpn_dco_linux.h
M src/openvpn/ovpn_dco_win.h
10 files changed, 150 insertions(+), 2 deletions(-)

git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/84/1084/5

diff --git a/src/openvpn/dco_linux.c b/src/openvpn/dco_linux.c
index 22a445a..f04ebfe 100644
--- a/src/openvpn/dco_linux.c
+++ b/src/openvpn/dco_linux.c
@@ -768,6 +768,44 @@ return ret; } +static bool +ovpn_parse_float_addr(struct nlattr **attrs, struct sockaddr *out) +{ + if (!attrs[OVPN_A_PEER_REMOTE_PORT]) + { + msg(D_DCO, "ovpn-dco: no remote port in PEER_FLOAT_NTF message"); + return false; + } + + if (attrs[OVPN_A_PEER_REMOTE_IPV4]) + { + struct sockaddr_in *addr4 = (struct sockaddr_in *)out; + CLEAR(*addr4); + addr4->sin_family = AF_INET; + addr4->sin_port = nla_get_u16(attrs[OVPN_A_PEER_REMOTE_PORT]); + addr4->sin_addr.s_addr = nla_get_u32(attrs[OVPN_A_PEER_REMOTE_IPV4]); + return true; + } + else if (attrs[OVPN_A_PEER_REMOTE_IPV6] + && nla_len(attrs[OVPN_A_PEER_REMOTE_IPV6]) == sizeof(struct in6_addr)) + { + struct sockaddr_in6 *addr6 = (struct sockaddr_in6 *)out; + CLEAR(*addr6); + addr6->sin6_family = AF_INET6; + addr6->sin6_port = nla_get_u16(attrs[OVPN_A_PEER_REMOTE_PORT]); + memcpy(&addr6->sin6_addr, nla_data(attrs[OVPN_A_PEER_REMOTE_IPV6]), + sizeof(addr6->sin6_addr)); + if (attrs[OVPN_A_PEER_REMOTE_IPV6_SCOPE_ID]) + { + addr6->sin6_scope_id = nla_get_u32(attrs[OVPN_A_PEER_REMOTE_IPV6_SCOPE_ID]); + } + return true; + } + + msg(D_DCO, "ovpn-dco: no valid remote IP address in PEER_FLOAT_NTF message"); + return false; +} + /* This function parses any netlink message sent by ovpn-dco to userspace */ static int ovpn_handle_msg(struct nl_msg *msg, void *arg) 
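Review bot: the IPv4 branch of ovpn_parse_float_addr() reads `nla_get_u32(attrs[OVPN_A_PEER_REMOTE_IPV4])` and `nla_get_u16(attrs[OVPN_A_PEER_REMOTE_PORT])` without checking the attribute lengths, while the IPv6 branch does guard with `nla_len(attrs[OVPN_A_PEER_REMOTE_IPV6]) == sizeof(struct in6_addr)`; since the nested peer attributes are handed in from a parse with no policy, nothing else validates them, so add the equivalent `nla_len() == sizeof(uint32_t)` / `sizeof(uint16_t)` checks for the IPv4 and port attributes (or validate through a policy). Also, `addr4->sin_port = nla_get_u16(...)` and the matching `sin6_port` assignment store the attribute verbatim, which silently assumes the kernel encodes the port in network byte order; a one-line comment stating that assumption will keep the next reader from adding an htons().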
@@ -856,6 +894,45 @@ break; } + case OVPN_CMD_PEER_FLOAT_NTF: + { + if (!attrs[OVPN_A_PEER]) + { + msg(D_DCO, "ovpn-dco: no peer in PEER_FLOAT_NTF message"); + return NL_STOP; + } + + struct nlattr *fp_attrs[OVPN_A_PEER_MAX + 1]; + if (nla_parse_nested(fp_attrs, OVPN_A_PEER_MAX, attrs[OVPN_A_PEER], + NULL)) + { + msg(D_DCO, "ovpn-dco: can't parse peer in PEER_FLOAT_NTF messsage"); + return NL_STOP; + } + + if (!fp_attrs[OVPN_A_PEER_ID]) + { + msg(D_DCO, "ovpn-dco: no peer-id in PEER_FLOAT_NTF message"); + return NL_STOP; + } + uint32_t peerid = nla_get_u32(fp_attrs[OVPN_A_PEER_ID]); + + if (!ovpn_parse_float_addr(fp_attrs, (struct sockaddr *)&dco->dco_float_peer_ss)) + { + return NL_STOP; + } + + struct gc_arena gc = gc_new(); + msg(D_DCO_DEBUG, + "ovpn-dco: received CMD_PEER_FLOAT_NTF, ifindex: %u, peer-id %u, address: %s", + ifindex, peerid, print_sockaddr((struct sockaddr *)&dco->dco_float_peer_ss, &gc)); + dco->dco_message_peer_id = (int)peerid; + dco->dco_message_type = OVPN_CMD_PEER_FLOAT_NTF; + + gc_free(&gc); + break; + } + case OVPN_CMD_KEY_SWAP_NTF: { if (!attrs[OVPN_A_KEYCONF]) diff --git a/src/openvpn/dco_linux.h b/src/openvpn/dco_linux.h index 4e441ec..676b8cd 100644 --- a/src/openvpn/dco_linux.h +++ b/src/openvpn/dco_linux.h @@ -34,6 +34,7 @@ /* Defines to avoid mismatching with other platforms */ #define OVPN_CMD_DEL_PEER OVPN_CMD_PEER_DEL_NTF #define OVPN_CMD_SWAP_KEYS OVPN_CMD_KEY_SWAP_NTF +#define OVPN_CMD_FLOAT_PEER OVPN_CMD_PEER_FLOAT_NTF typedef enum ovpn_key_slot dco_key_slot_t; typedef enum ovpn_cipher_alg dco_cipher_t; @@ -75,6 +76,7 @@ int dco_message_peer_id; int dco_message_key_id; int dco_del_peer_reason; + struct sockaddr_storage dco_float_peer_ss; uint64_t dco_read_bytes; uint64_t dco_write_bytes; } dco_context_t; diff --git a/src/openvpn/dco_win.c b/src/openvpn/dco_win.c index 2a13658..83db739 100644 --- a/src/openvpn/dco_win.c +++ b/src/openvpn/dco_win.c 
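Review bot: in the OVPN_CMD_PEER_FLOAT_NTF case, `nla_parse_nested(fp_attrs, OVPN_A_PEER_MAX, attrs[OVPN_A_PEER], NULL)` parses the peer attributes with no policy, so neither the type nor the length of OVPN_A_PEER_ID and the address attributes is validated before nla_get_u32() and ovpn_parse_float_addr() read them; pass the peer attribute policy here. Two smaller points: the parsed address is written straight into `dco->dco_float_peer_ss` before anyone has checked that `peerid` belongs to a known instance, and that field is only cleared on the consumer's success path, so parsing into a local sockaddr_storage and copying it after the peer-id has been accepted would be cleaner; and the error string reads "PEER_FLOAT_NTF messsage" (three s).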
@@ -663,6 +663,7 @@ dco->dco_message_peer_id = dco->notif_buf.PeerId; dco->dco_message_type = dco->notif_buf.Cmd; dco->dco_del_peer_reason = dco->notif_buf.DelPeerReason; + dco->dco_float_peer_ss = dco->notif_buf.FloatAddress; } else { diff --git a/src/openvpn/dco_win.h b/src/openvpn/dco_win.h index 4513f3f..b9d93fa 100644 --- a/src/openvpn/dco_win.h +++ b/src/openvpn/dco_win.h @@ -52,6 +52,7 @@ int dco_message_peer_id; int dco_message_type; int dco_del_peer_reason; + struct sockaddr_storage dco_float_peer_ss; uint64_t dco_read_bytes; uint64_t dco_write_bytes; diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index a4f260a..2ef9c2b0 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c @@ -1243,6 +1243,42 @@ perf_pop(); } +void +extract_dco_float_peer_addr(const uint32_t peer_id, + const sa_family_t socket_family, + struct openvpn_sockaddr *out_osaddr, + const struct sockaddr *float_sa) +{ + if (float_sa->sa_family == AF_INET) + { + struct sockaddr_in *float4 = (struct sockaddr_in *)float_sa; + /* DCO treats IPv4-mapped IPv6 addresses as pure IPv4. However, on a + * dual-stack socket, we need to preserve the mapping otherwise openvpn + * will not be able to find the peer by its transport address. + */ + if (socket_family == AF_INET6) + { + out_osaddr->addr.in6.sin6_family = AF_INET6; + out_osaddr->addr.in6.sin6_port = float4->sin_port; + + memset(&out_osaddr->addr.in6.sin6_addr.s6_addr, 0, 10); + out_osaddr->addr.in6.sin6_addr.s6_addr[10] = 0xff; + out_osaddr->addr.in6.sin6_addr.s6_addr[11] = 0xff; + memcpy(&out_osaddr->addr.in6.sin6_addr.s6_addr[12], + &float4->sin_addr.s_addr, sizeof(in_addr_t)); + } + else + { + memcpy(&out_osaddr->addr.in4, float4, sizeof(struct sockaddr_in)); + } + } + else + { + struct sockaddr_in6 *float6 = (struct sockaddr_in6 *)float_sa; + memcpy(&out_osaddr->addr.in6, float6, sizeof(struct sockaddr_in6)); + } +} + static void process_incoming_dco(struct context *c) { 
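Review bot: in extract_dco_float_peer_addr(), `struct sockaddr_in *float4 = (struct sockaddr_in *)float_sa;` and the sockaddr_in6 cast in the else branch discard the const qualifier of `float_sa`; declare both as `const struct sockaddr_in *` / `const struct sockaddr_in6 *`. The dual-stack branch writes `sin6_family`, `sin6_port` and the 16 address bytes but never touches `sin6_flowinfo` and `sin6_scope_id` of `out_osaddr->addr.in6`, so those keep whatever the previous packet left in `m->top.c2.from.dest`; CLEAR() the in6 struct before filling it. The final else treats any family other than AF_INET as AF_INET6 with no check; if `float_sa->sa_family` is something else the copy should be refused (return a bool and log at D_DCO) rather than interpreting the bytes as an IPv6 endpoint. Finally, `peer_id` is never used in the body, so either drop the parameter or use it in a D_DCO_DEBUG message.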
diff --git a/src/openvpn/forward.h b/src/openvpn/forward.h index 318691f..f835508 100644 --- a/src/openvpn/forward.h +++ b/src/openvpn/forward.h @@ -196,6 +196,22 @@ void process_incoming_link_part2(struct context *c, struct link_socket_info *lsi, const uint8_t *orig_buf); /** + * Transfers \c float_sa data extracted from an incoming DCO + * PEER_FLOAT_NTF to \c out_osaddr for later processing. + * + * @param peer_id - The id of the floating peer. + * @param socket_family - The address family of the socket + * @param out_osaddr - openvpn_sockaddr struct that will be filled the new + * address data + * @param float_sa - The sockaddr struct containing the data received from the + * DCO notification + */ +void +extract_dco_float_peer_addr(uint32_t peer_id, sa_family_t socket_family, + struct openvpn_sockaddr *out_osaddr, + const struct sockaddr *float_sa); + +/** * Write a packet to the external network interface. * @ingroup external_multiplexer * diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index a760e07..8cb8aee 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -3384,6 +3384,18 @@ { process_incoming_del_peer(m, mi, dco); } +#if defined(TARGET_LINUX) || defined(TARGET_WIN32) + else if (dco->dco_message_type == OVPN_CMD_FLOAT_PEER) + { + ASSERT(mi->context.c2.link_sockets[0]); + extract_dco_float_peer_addr(peer_id, + mi->context.c2.link_sockets[0]->info.af, + &m->top.c2.from.dest, + (struct sockaddr *)&dco->dco_float_peer_ss); + multi_process_float(m, mi, mi->context.c2.link_sockets[0]); + CLEAR(dco->dco_float_peer_ss); + } +#endif /* if defined(TARGET_LINUX) || defined(TARGET_WIN32) */ else if (dco->dco_message_type == OVPN_CMD_SWAP_KEYS) { tls_session_soft_reset(mi->context.c2.tls_multi); diff --git a/src/openvpn/multi.h b/src/openvpn/multi.h index 40f7519..fe9e847 100644 --- a/src/openvpn/multi.h +++ b/src/openvpn/multi.h 
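Review bot: in the forward.h doc comment, "openvpn_sockaddr struct that will be filled the new address data" is missing "with"; and the `@param peer_id` entry documents a parameter the implementation never reads, which suggests the parameter should go rather than be documented.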
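Review bot: the OVPN_CMD_FLOAT_PEER branch in multi.c hands `mi` to multi_process_float() without checking that the instance is still usable; the PS5 backtrace posted in this thread shows multi_process_float() crashing on `mi->context.c2.tls_multi->peer_id` with `mi->context.c2.tls_multi` already NULL, i.e. a FLOAT notification processed for a peer whose instance userspace was in the middle of closing. Before calling extract_dco_float_peer_addr(), return early (and log at D_DCO_DEBUG) when `mi->context.c2.tls_multi` is NULL or the instance is already flagged for closing, so that a late kernel notification is dropped instead of dereferenced.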
@@ -322,7 +322,7 @@ /** * Process an incoming DCO message (from kernel space). * - * @param m - The single \c multi_context structur.e + * @param m - The single \c multi_context structure. * * @return * - True, if the message was received correctly. diff --git a/src/openvpn/ovpn_dco_linux.h b/src/openvpn/ovpn_dco_linux.h index 680d152..b3c9ff0 100644 --- a/src/openvpn/ovpn_dco_linux.h +++ b/src/openvpn/ovpn_dco_linux.h @@ -99,6 +99,7 @@ OVPN_CMD_KEY_SWAP, OVPN_CMD_KEY_SWAP_NTF, OVPN_CMD_KEY_DEL, + OVPN_CMD_PEER_FLOAT_NTF, __OVPN_CMD_MAX, OVPN_CMD_MAX = (__OVPN_CMD_MAX - 1) diff --git a/src/openvpn/ovpn_dco_win.h b/src/openvpn/ovpn_dco_win.h index 865bb38..dd6b7ce 100644 --- a/src/openvpn/ovpn_dco_win.h +++ b/src/openvpn/ovpn_dco_win.h @@ -149,7 +149,8 @@ typedef enum { OVPN_CMD_DEL_PEER, - OVPN_CMD_SWAP_KEYS + OVPN_CMD_SWAP_KEYS, + OVPN_CMD_FLOAT_PEER } OVPN_NOTIFY_CMD; typedef enum { @@ -164,6 +165,7 @@ OVPN_NOTIFY_CMD Cmd; int PeerId; OVPN_DEL_PEER_REASON DelPeerReason; + struct sockaddr_storage FloatAddress; } OVPN_NOTIFY_EVENT, * POVPN_NOTIFY_EVENT; typedef struct _OVPN_MP_DEL_PEER { -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1084?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I33e9272b4196c7634db2fb33a75ae4261660867f Gerrit-Change-Number: 1084 Gerrit-PatchSet: 5 Gerrit-Owner: ralf_lici <ra...@ma...> Gerrit-Reviewer: cron2 <ge...@gr...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: ordex <an...@ma...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-Reviewer: stipa <lst...@gm...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Attention: cron2 <ge...@gr...> Gerrit-Attention: flichtenheld <fr...@li...> Gerrit-Attention: ordex <an...@ma...> Gerrit-Attention: ralf_lici <ra...@ma...> Gerrit-Attention: stipa <lst...@gm...> Gerrit-MessageType: newpatchset |
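Review bot: `OVPN_CMD_PEER_FLOAT_NTF` is appended after `OVPN_CMD_KEY_DEL` in the local copy of the kernel's ovpn generic-netlink command enum, and its numeric value is positional; this header has to track the kernel uapi header exactly, otherwise ovpn_handle_msg() dispatches on the wrong command id, so please note in the commit message which kernel version introduced the command and add a comment pointing at the uapi source the enum mirrors.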
From: ralf_lici (C. Review) <ge...@op...> - 2025-07-17 20:10:20
|
Attention is currently required from: cron2, flichtenheld, ordex, plaisthos, ralf_lici, stipa.

Hello cron2, flichtenheld, ordex, plaisthos, stipa,

I'd like you to reexamine a change. Please visit http://gerrit.openvpn.net/c/openvpn/+/1084?usp=email to look at the new patch set (#4).

The following approvals got outdated and were removed: Code-Review+2 by ordex, Code-Review-1 by cron2

The change is no longer submittable: Code-Review and checks~ChecksSubmitRule are unsatisfied now.

Change subject: dco: Add support for float notifications
......................................................................

dco: Add support for float notifications

When a peer changes its UDP endpoint, the DCO module emits a notification to userspace. The message is parsed and the relevant information is extracted in order to process the floating operation.

Note that we preserve IPv4-mapped IPv6 addresses in userspace when receiving a pure IPv4 address from the module, otherwise openvpn wouldn't be able to retrieve the multi_instance using the transport address hash table lookup.

Change-Id: I33e9272b4196c7634db2fb33a75ae4261660867f
Signed-off-by: Ralf Lici <ra...@ma...>
---
M src/openvpn/dco_linux.c
M src/openvpn/dco_linux.h
M src/openvpn/dco_win.c
M src/openvpn/dco_win.h
M src/openvpn/forward.c
M src/openvpn/forward.h
M src/openvpn/multi.c
M src/openvpn/multi.h
M src/openvpn/ovpn_dco_linux.h
M src/openvpn/ovpn_dco_win.h
10 files changed, 148 insertions(+), 2 deletions(-)

git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/84/1084/4

diff --git a/src/openvpn/dco_linux.c b/src/openvpn/dco_linux.c
index 22a445a..f04ebfe 100644
--- a/src/openvpn/dco_linux.c
+++ b/src/openvpn/dco_linux.c
@@ -768,6 +768,44 @@ return ret; } +static bool +ovpn_parse_float_addr(struct nlattr **attrs, struct sockaddr *out) +{ + if (!attrs[OVPN_A_PEER_REMOTE_PORT]) + { + msg(D_DCO, "ovpn-dco: no remote port in PEER_FLOAT_NTF message"); + return false; + } + + if (attrs[OVPN_A_PEER_REMOTE_IPV4]) + { + struct sockaddr_in *addr4 = (struct sockaddr_in *)out; + CLEAR(*addr4); + addr4->sin_family = AF_INET; + addr4->sin_port = nla_get_u16(attrs[OVPN_A_PEER_REMOTE_PORT]); + addr4->sin_addr.s_addr = nla_get_u32(attrs[OVPN_A_PEER_REMOTE_IPV4]); + return true; + } + else if (attrs[OVPN_A_PEER_REMOTE_IPV6] + && nla_len(attrs[OVPN_A_PEER_REMOTE_IPV6]) == sizeof(struct in6_addr)) + { + struct sockaddr_in6 *addr6 = (struct sockaddr_in6 *)out; + CLEAR(*addr6); + addr6->sin6_family = AF_INET6; + addr6->sin6_port = nla_get_u16(attrs[OVPN_A_PEER_REMOTE_PORT]); + memcpy(&addr6->sin6_addr, nla_data(attrs[OVPN_A_PEER_REMOTE_IPV6]), + sizeof(addr6->sin6_addr)); + if (attrs[OVPN_A_PEER_REMOTE_IPV6_SCOPE_ID]) + { + addr6->sin6_scope_id = nla_get_u32(attrs[OVPN_A_PEER_REMOTE_IPV6_SCOPE_ID]); + } + return true; + } + + msg(D_DCO, "ovpn-dco: no valid remote IP address in PEER_FLOAT_NTF message"); + return false; +} + /* This function parses any netlink message sent by ovpn-dco to userspace */ static int ovpn_handle_msg(struct nl_msg *msg, void *arg) 
@@ -856,6 +894,45 @@ break; } + case OVPN_CMD_PEER_FLOAT_NTF: + { + if (!attrs[OVPN_A_PEER]) + { + msg(D_DCO, "ovpn-dco: no peer in PEER_FLOAT_NTF message"); + return NL_STOP; + } + + struct nlattr *fp_attrs[OVPN_A_PEER_MAX + 1]; + if (nla_parse_nested(fp_attrs, OVPN_A_PEER_MAX, attrs[OVPN_A_PEER], + NULL)) + { + msg(D_DCO, "ovpn-dco: can't parse peer in PEER_FLOAT_NTF messsage"); + return NL_STOP; + } + + if (!fp_attrs[OVPN_A_PEER_ID]) + { + msg(D_DCO, "ovpn-dco: no peer-id in PEER_FLOAT_NTF message"); + return NL_STOP; + } + uint32_t peerid = nla_get_u32(fp_attrs[OVPN_A_PEER_ID]); + + if (!ovpn_parse_float_addr(fp_attrs, (struct sockaddr *)&dco->dco_float_peer_ss)) + { + return NL_STOP; + } + + struct gc_arena gc = gc_new(); + msg(D_DCO_DEBUG, + "ovpn-dco: received CMD_PEER_FLOAT_NTF, ifindex: %u, peer-id %u, address: %s", + ifindex, peerid, print_sockaddr((struct sockaddr *)&dco->dco_float_peer_ss, &gc)); + dco->dco_message_peer_id = (int)peerid; + dco->dco_message_type = OVPN_CMD_PEER_FLOAT_NTF; + + gc_free(&gc); + break; + } + case OVPN_CMD_KEY_SWAP_NTF: { if (!attrs[OVPN_A_KEYCONF]) diff --git a/src/openvpn/dco_linux.h b/src/openvpn/dco_linux.h index 4e441ec..676b8cd 100644 --- a/src/openvpn/dco_linux.h +++ b/src/openvpn/dco_linux.h @@ -34,6 +34,7 @@ /* Defines to avoid mismatching with other platforms */ #define OVPN_CMD_DEL_PEER OVPN_CMD_PEER_DEL_NTF #define OVPN_CMD_SWAP_KEYS OVPN_CMD_KEY_SWAP_NTF +#define OVPN_CMD_FLOAT_PEER OVPN_CMD_PEER_FLOAT_NTF typedef enum ovpn_key_slot dco_key_slot_t; typedef enum ovpn_cipher_alg dco_cipher_t; @@ -75,6 +76,7 @@ int dco_message_peer_id; int dco_message_key_id; int dco_del_peer_reason; + struct sockaddr_storage dco_float_peer_ss; uint64_t dco_read_bytes; uint64_t dco_write_bytes; } dco_context_t; diff --git a/src/openvpn/dco_win.c b/src/openvpn/dco_win.c index 2a13658..83db739 100644 --- a/src/openvpn/dco_win.c +++ b/src/openvpn/dco_win.c 
@@ -663,6 +663,7 @@ dco->dco_message_peer_id = dco->notif_buf.PeerId; dco->dco_message_type = dco->notif_buf.Cmd; dco->dco_del_peer_reason = dco->notif_buf.DelPeerReason; + dco->dco_float_peer_ss = dco->notif_buf.FloatAddress; } else { diff --git a/src/openvpn/dco_win.h b/src/openvpn/dco_win.h index 4513f3f..b9d93fa 100644 --- a/src/openvpn/dco_win.h +++ b/src/openvpn/dco_win.h @@ -52,6 +52,7 @@ int dco_message_peer_id; int dco_message_type; int dco_del_peer_reason; + struct sockaddr_storage dco_float_peer_ss; uint64_t dco_read_bytes; uint64_t dco_write_bytes; diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index a4f260a..18d2325 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c @@ -1243,6 +1243,40 @@ perf_pop(); } +void +extract_dco_float_peer_addr(const uint32_t peer_id, + const sa_family_t socket_family, + struct openvpn_sockaddr *out_osaddr, + const struct sockaddr *float_sa) +{ + if (float_sa->sa_family == AF_INET) + { + struct sockaddr_in *float4 = (struct sockaddr_in *)float_sa; + /* DCO treats IPv4-mapped IPv6 addresses as pure IPv4. However, on a + * dual-stack socket, we need to preserve the mapping otherwise openvpn + * will not be able to find the peer by its transport address. + */ + if (socket_family == AF_INET6) + { + out_osaddr->addr.in6.sin6_family = AF_INET6; + out_osaddr->addr.in6.sin6_addr.s6_addr[10] = 0xff; + out_osaddr->addr.in6.sin6_addr.s6_addr[11] = 0xff; + memcpy(&out_osaddr->addr.in6.sin6_addr.s6_addr[12], + &float4->sin_addr.s_addr, sizeof(in_addr_t)); + out_osaddr->addr.in6.sin6_port = float4->sin_port; + } + else + { + memcpy(&out_osaddr->addr.in4, float4, sizeof(struct sockaddr_in)); + } + } + else + { + struct sockaddr_in6 *float6 = (struct sockaddr_in6 *)float_sa; + memcpy(&out_osaddr->addr.in6, float6, sizeof(struct sockaddr_in6)); + } +} + static void process_incoming_dco(struct context *c) { diff --git a/src/openvpn/forward.h b/src/openvpn/forward.h index 318691f..f835508 100644 
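Review bot: in the dual-stack branch of extract_dco_float_peer_addr(), the first ten bytes of `out_osaddr->addr.in6.sin6_addr.s6_addr` are never written; only bytes 10 and 11 (`0xff`) and bytes 12 to 15 (the IPv4 address) are set, so the mapped address inherits whatever `m->top.c2.from.dest` held before and the resulting key only equals ::ffff:a.b.c.d if those bytes happened to be zero. Zero the in6 struct (CLEAR()) before filling it, which also covers `sin6_flowinfo` and `sin6_scope_id`.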
--- a/src/openvpn/forward.h +++ b/src/openvpn/forward.h @@ -196,6 +196,22 @@ void process_incoming_link_part2(struct context *c, struct link_socket_info *lsi, const uint8_t *orig_buf); /** + * Transfers \c float_sa data extracted from an incoming DCO + * PEER_FLOAT_NTF to \c out_osaddr for later processing. + * + * @param peer_id - The id of the floating peer. + * @param socket_family - The address family of the socket + * @param out_osaddr - openvpn_sockaddr struct that will be filled the new + * address data + * @param float_sa - The sockaddr struct containing the data received from the + * DCO notification + */ +void +extract_dco_float_peer_addr(uint32_t peer_id, sa_family_t socket_family, + struct openvpn_sockaddr *out_osaddr, + const struct sockaddr *float_sa); + +/** * Write a packet to the external network interface. * @ingroup external_multiplexer * diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index a760e07..8cb8aee 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -3384,6 +3384,18 @@ { process_incoming_del_peer(m, mi, dco); } +#if defined(TARGET_LINUX) || defined(TARGET_WIN32) + else if (dco->dco_message_type == OVPN_CMD_FLOAT_PEER) + { + ASSERT(mi->context.c2.link_sockets[0]); + extract_dco_float_peer_addr(peer_id, + mi->context.c2.link_sockets[0]->info.af, + &m->top.c2.from.dest, + (struct sockaddr *)&dco->dco_float_peer_ss); + multi_process_float(m, mi, mi->context.c2.link_sockets[0]); + CLEAR(dco->dco_float_peer_ss); + } +#endif /* if defined(TARGET_LINUX) || defined(TARGET_WIN32) */ else if (dco->dco_message_type == OVPN_CMD_SWAP_KEYS) { tls_session_soft_reset(mi->context.c2.tls_multi); diff --git a/src/openvpn/multi.h b/src/openvpn/multi.h index 40f7519..fe9e847 100644 --- a/src/openvpn/multi.h +++ b/src/openvpn/multi.h 
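Review bot: `ASSERT(mi->context.c2.link_sockets[0]);` in the OVPN_CMD_FLOAT_PEER branch turns a late or unexpected kernel notification into a fatal abort of the whole server process; a message originating in the kernel should never be able to take the daemon down, so log and drop the notification when the socket is no longer there, and do the same when the instance is already being torn down rather than passing it on to multi_process_float().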
@@ -322,7 +322,7 @@ /** * Process an incoming DCO message (from kernel space). * - * @param m - The single \c multi_context structur.e + * @param m - The single \c multi_context structure. * * @return * - True, if the message was received correctly. diff --git a/src/openvpn/ovpn_dco_linux.h b/src/openvpn/ovpn_dco_linux.h index 680d152..b3c9ff0 100644 --- a/src/openvpn/ovpn_dco_linux.h +++ b/src/openvpn/ovpn_dco_linux.h @@ -99,6 +99,7 @@ OVPN_CMD_KEY_SWAP, OVPN_CMD_KEY_SWAP_NTF, OVPN_CMD_KEY_DEL, + OVPN_CMD_PEER_FLOAT_NTF, __OVPN_CMD_MAX, OVPN_CMD_MAX = (__OVPN_CMD_MAX - 1) diff --git a/src/openvpn/ovpn_dco_win.h b/src/openvpn/ovpn_dco_win.h index 865bb38..dd6b7ce 100644 --- a/src/openvpn/ovpn_dco_win.h +++ b/src/openvpn/ovpn_dco_win.h @@ -149,7 +149,8 @@ typedef enum { OVPN_CMD_DEL_PEER, - OVPN_CMD_SWAP_KEYS + OVPN_CMD_SWAP_KEYS, + OVPN_CMD_FLOAT_PEER } OVPN_NOTIFY_CMD; typedef enum { @@ -164,6 +165,7 @@ OVPN_NOTIFY_CMD Cmd; int PeerId; OVPN_DEL_PEER_REASON DelPeerReason; + struct sockaddr_storage FloatAddress; } OVPN_NOTIFY_EVENT, * POVPN_NOTIFY_EVENT; typedef struct _OVPN_MP_DEL_PEER { -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1084?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I33e9272b4196c7634db2fb33a75ae4261660867f Gerrit-Change-Number: 1084 Gerrit-PatchSet: 4 Gerrit-Owner: ralf_lici <ra...@ma...> Gerrit-Reviewer: cron2 <ge...@gr...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: ordex <an...@ma...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-Reviewer: stipa <lst...@gm...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Attention: cron2 <ge...@gr...> Gerrit-Attention: flichtenheld <fr...@li...> Gerrit-Attention: ordex <an...@ma...> Gerrit-Attention: ralf_lici <ra...@ma...> Gerrit-Attention: stipa <lst...@gm...> Gerrit-MessageType: newpatchset |
From: Yuriy D. <yur...@op...> - 2025-07-17 19:10:44
|
OpenVPN 3 Linux v25 (Stable release)

The v25 release provides three new features and several enhancements since the previous release. Please notice the deprecation of openvpn3-autoload.

* Feature: Live route updates (PUSH_UPDATE) support

  When connecting to OpenVPN servers capable of pushing new network configurations, such as new network routes, the OpenVPN 3 Linux client will now update the current VPN network setup, including DNS, and replace it with the previous configuration without triggering a reconnect to the server.

* Feature: Automatic restart of VPN client processes disappearing

  When configured, the OpenVPN 3 Linux Session Manager service will now detect if a VPN process unexpectedly disappears and will attempt to restart it automatically. See the --automatic-restart option in the openvpn3 config-manage man page for further details. This feature is disabled by default.

* Feature: AWS VPC integration can now use named routing tables

  When the "route-table-name" setting is configured in the OpenVPN 3 AWS Integration add-on, this add-on will perform a lookup for this AWS VPC routing table and apply the routes here. If this table is not to be found, the add-on will create it on-the-fly as needed.

* FEATURE DEPRECATION: openvpn3-autoload

  The openvpn3-autoload feature was deprecated already in the v20 release. This feature will be removed in a coming stable release. The replacement is the openvpn3-session@.service systemd unit. Please see the openvpn3-systemd man page [1] for more details. If you depend on openvpn3-autoload today, please migrate ASAP to the systemd approach.

  [1] <https://codeberg.org/OpenVPN/openvpn3-linux/src/branch/master/docs/man/openvpn3-systemd.8.rst>

* Improvement: Better error messages for SSL/TLS issues

  The openvpn3 command will now provide more details on SSL/TLS related issues, due to enhancements in the updated OpenVPN 3 Core Library.

* Improvement: openvpn3-admin journal shows correct time

  It has been an open issue for a long time where time zone and the local DST state resulted in the openvpn3-admin journal command presenting the wrong time in the log events. This has been resolved by the conversion taking the current time zone and DST state into consideration.

* Improvement: A more resilient systemd-resolved integration

  The prior systemd-resolved integration could in many cases fail to properly configure the DNS resolver settings. This was often due to the systemd-resolved service responding slower than expected. This could in the most severe situations result in the VPN session failing to properly start. This has been improved by doing all the calls to systemd-resolved in the background, allowing the VPN session to be properly connected while the systemd-resolved integration will be more persistent in allowing the low-level D-Bus calls to complete independently of the main VPN session itself.

* OpenVPN 3 Core Library update

  The OpenVPN 3 Core Library has been updated to version 3.11.3, which also provides new features such as Epoch Data Keys support, Live route updates (PUSH_UPDATE), improved events on TLS alerts, support for more pushed routes, improved --dns and --dhcp-option parsing.

Known issues:

- The openvpn3-service-netcfg service does not differentiate between --dns server X resolve-domains and --dns search-domains when using the --resolv-conf mode, which is not as this feature is intended to work. This was discovered in the v24 release and is on the schedule to be fixed in the next releases. When this gets fixed, only --dns search-domains will be considered as search domains and --dns server X resolve-domains will enable split-DNS when using --systemd-resolved and otherwise ignored when using --resolv-conf with openvpn3-service-netcfg.

Credits
-------

Thanks go to those continuing testing and reporting issues. In particular Razvan Cojocaru, Marc Leeman, Fabio Pedretti, Lev Stipakov, Leonard Ossa, Yuriy Darnobyt, Oleh Salnikov and Nazar Vasiuchyn, Brandon Jimenez and Gabriel Palmar for contributing and improving this release through code changes, documentation, reviewing, testing and making the finished packages available to us all.

Supported Linux distributions
-----------------------------

- Debian: 12
- Fedora: 41, 42
- Red Hat Enterprise Linux 8, 9, 10[*]
- Ubuntu: 22.04, 24.04, 25.05

Installation and getting started instructions can be found here:
<https://community.openvpn.net/openvpn/wiki/OpenVPN3Linux>

There are in addition other Linux distributions now providing OpenVPN 3 Linux packages. These distributions are primarily supported by their respective distribution communities. We will naturally review and apply fixes deemed needed for any other distributions as they occur.

NOTE: Red Hat Enterprise Linux 10

The Fedora Copr repository definition for RHEL+EPEL-10 *may* use a wrong URL. After doing the 'dnf copr enable' step on RHEL-10, please ensure the URL contains 'rhel+epel' and not just 'epel'. This is expected to automatically improve after a bit. The stable repositories provided by OpenVPN Inc should not have this issue.

--
kind regards,

Yuriy Darnobyt
OpenVPN Inc

---- Source tarballs ---------------------------------------------------

* OpenVPN 3 Linux v25
  <https://swupdate.openvpn.net/community/releases/openvpn3-linux-25.tar.xz>
  <https://swupdate.openvpn.net/community/releases/openvpn3-linux-25.tar.xz.asc>

* GDBus++ v3
  <https://swupdate.openvpn.net/community/releases/gdbuspp-3.tar.xz>
  <https://swupdate.openvpn.net/community/releases/gdbuspp-3.tar.xz.asc>

---- SHA256 Checksums --------------------------------------------------

efccb7958fefcea4e03a9b96e5391c87c7f55bb28ae36782e41e22f7ff6d15b5  openvpn3-linux-25.tar.xz
2ee1f653b8f5d7062d92120a7daa56f97f532e9d4098a56e4dc5a6a616a7e5d0  openvpn3-linux-25.tar.xz.asc
c7a053a13c4eb5811a542b747d5fcdb3a8e58a4a42c7237cc5e2e2ca72e0c94e  gdbuspp-3.tar.xz
b9cf732d7a347f324d6a5532dc48f80c2815dbf6704c169b4ee97a411506a99b  gdbuspp-3.tar.xz.asc

---- git references ----------------------------------------------------

git repositories:

- OpenVPN 3 Linux
  <https://codeberg.org/OpenVPN/openvpn3-linux> (PRIMARY)
  <https://gitlab.com/openvpn/openvpn3-linux> (code-only mirror)
  <https://github.com/OpenVPN/openvpn3-linux> (code-only mirror)

  git tag:    v25
  git commit: f68cacc65bbb5b706de1fee987304e810ed9d3a0

- GDBus++
  <https://codeberg.org/OpenVPN/gdbuspp/> (PRIMARY)
  <https://gitlab.com/openvpn/gdbuspp/> (code-only mirror)
  <https://github.com/openvpn/gdbuspp/> (code-only mirror)

  git tag:    v3
  git commit: 96f7fb688ed2dea3f192c63c5fe283dbe4900f16

---- Changes from v24 to v25 ---------------------------------------

David Sommerseth (79):
      spelling: Fix various spelling mistakes
      build: Fix incorrect default value assignment for create_statedir option
      common: Check if org.freedesktop.hostname1 is available in PlatformInfo
      client: Handle exceptions in ~BackendStarterSrv
      tests: Only build journal-log-parse if systemd is present
      netcfg/resolved: Remove no longer needed service check
      configmgr: Catch SetOverride issues at JSON config import
      ovpn3cli: Improve session-start details on successful connection
      configmgr/proxy: Improve error message on SetOverride() failures
      tests: Improve config-override-selftest failure situations
      ovpn3cli/admin: Improve sessionmgr-service verose session list
      core: Update to OpenVPN 3 Core 3.11 QA/stabilization branch
      ovpn3cli/init-config: Add --debug argument
      sessionmgr: Minor log verbosity changes in the session auto-restart feature
      build: Misc cleanup in Meson build scripts
      client: Refactor D-Bus initialization during process start
      configmgr/docs: Update man page for the --automatic-restart feature
      netcfg: Refactor D-Bus initialization during process start
      netcfg: Extend NetCfgOptions to handle log settings
      netcfg: Remove the "default log level" passing
      netcfg: Use logging settings from NetCfgOptions
      netcfg: Remove support for --signal-broadcast
      netcfg: Remove unused NetCfgService member - srv_obj
      core: Update to final OpenVPN 3 Core Library v3.11
      sessionmgr: Ignore Detach() exceptions in SessionManager::~Service()
      docs: Update build dependencies in BUILD.md
      log: Add missing cstdint header in logmetadata.hpp
      sessionmgr: Use Events::Status::operator<<() for tunnel restart info
      common: Refactor Configuration::File to use std::filesystem
      ovpn3cli/init-config: Refactor file/directory handling to use std::filesystem
      ovpn3cli/init-config: Don't follow symlinks setting up state/configs dirs
      sessionmgr: Catch incorrect log level requests in Session object
      build: Fix minor meson complaint in addons/aws
      netcfg/resolved: Add internal error message storage to proxy code
      netcfg/resolved: Implement base features for background async calls
      netcfg/resolved: Switch serveral D-Bus calls to async background calls
      netcfg/resolved: Handle errors from background D-Bus calls
      netcfg/resolved: Retry if systemd-resolved background calls times out
      core: Upgrade to OpenVPN 3 Core v3.11.1
      build: Improve OpenVPN 3 Core library version extraction
      events/log: Refactor Events::Log()
      events/log: Simplify Events::Log::str() methods
      events/log: Implement character filter in Events::Log
      log: Extend LogSender with a Debug_wnl() method
      log/core: Enable multi-line logging via the Core D-Bus logger
      log/journal: Don't filter newlines from journald entries
      log: Preserve the newlines in the log when openvpn3-service-log starts
      tests: Add --allow-newline to logservice1 send subcommand
      common/cmdargparser: Minor code cleanup in RegisterParsedArgs::register_option()
      common/cmdargparser: Filter out ASCII control characters from command line
      common: Merge and move string ctrl char sanitizing to a shared function
      log: Filter strings coming via D-Bus calls
      sessionmgr/client: Filter reason string to Pause D-Bus method call
      common: Filter input value to RequiresQueue::UpdateEntry()
      tests/request-queue: Remove unused local function
      configmgr/test: Add tests for control chars in various configuration profiles
      configmgr: Remove control characters from various user input via D-Bus
      netcfg: Remove control characters from the D-Bus method inputs
      python: Add FAT DEPRECATION WARNING in openvpn3-autoload
      build: Allow version tags to contain dots and minor version digits
      configmgr/proxy: Ignore minor version number in feature check
      tests: Upgrade to googletest-1.17.0-1
      docs/man: Minor language improvements to the openvpn3-service-aws.8 man page
      addon/aws: Prepare for bumping the required C++ standard version to C++20
      log/journald: Fix wrong timezone/dst handling in journald filter
      log/journald: Refactor log event sending with better error handling
      netcfg: Read the config file before parsing options
      netcfg/proxy: Kick out Device::RemoveDNS() and Device::RemoveDNSSearch()
      core: Update to OpenVPN 3 Core Library v3.11.2
      core: Update to OpenVPN 3 Core Library v3.11.3
      log: Extend CoreLog with a more flexible log prefix
      build: Avoid including build-config.h in header files
      netcfg/dns/systemd-resolved: Provide alternative logging framework when the signal APIs are unavailable
      netcfg/dns/systemd-resolved: Ensure the GVariant objects used in background D-Bus calls are freed correctly
      netcfg/dns/systemd-resolved: Ensure the ASIO background worker thread always runs
      netcfg/dns/systemd-resolved: Rework the resolved::Link::BackgroundCall() implementation
      client: Ensure DNS domains pushed via --dhcp-option will not enable split-DNS
      netcfg/dns/resolved: Avoid race condition in BackgroundCall()
      client/netcfg: Restore --dns-setup-disabled functionality

Fabio Pedretti (1):
      spelling: Fix systemd-resolved spelling

Lev Stipakov (1):
      addons/aws: Implement support for additional route table

Marc Leeman (1):
      build: Fix incorrect OPENVPN_USERNAME in D-Bus autostart files

Razvan Cojocaru (13):
      configmgr: Fix idle-exit comment
      signals: Allow signal re-subscription
      sessionmgr: Expose the method_ready() and method_connect() logic
      sessionmgr: Allow a Session object to re-associate with a backend process
      sessionmgr: Add current backend bus name and last event accessors
      sessionmgr: Restart prematurely stopped backend processes
      sessionmgr: Only retry to restart backend process a limited number of times
      sessionmgr: Don't always try to restart a crashed backend process
      Remove superfluous try block
      sessionmgr: Reset the log forwarders on client process restart
      netcfg: Clean up network setup for crashed client processes
      sessionmgr: Reset the client process restart timer after a while
      build: Prepare for bumping the required C++ standard version to C++20

--------------------------------------------------------------------
From: cron2 (C. Review) <ge...@op...> - 2025-07-17 16:02:46
Attention is currently required from: flichtenheld, plaisthos, ralf_lici, stipa.

cron2 has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/1084?usp=email )

Change subject: dco: Add support for float notifications
......................................................................

Patch Set 3:

(1 comment)

Patchset:

PS3:
so here's the last successful TLS reneg, one minute earlier

```
2025-07-17 17:45:02 us=482995 cron2-freebsd-tc-amd64/udp4:193.149.48.172:63385 peer-id=2 TLS: soft reset sec=59/59 bytes=0/-1 pkts=0/0 aead_limit_send=0/60129542137 aead_limit_recv=0/60129542137
2025-07-17 17:45:02 us=483272 cron2-freebsd-tc-amd64/udp4:193.149.48.172:63385 peer-id=2 dco_del_key: peer-id 2, slot 1
2025-07-17 17:45:02 us=483585 cron2-freebsd-tc-amd64/udp4:193.149.48.172:63385 peer-id=2 UDPv4 WRITE [54] to [AF_INET]193.149.48.172:63385 (via [AF_INET]195.30.8.84%ens160): P_CONTROL_SOFT_RESET_V1 kid=6 [ ] pid=10600 DATA len=40
2025-07-17 17:45:02 us=490075 cron2-freebsd-tc-amd64/udp4:193.149.48.172:63385 peer-id=2 UDPv4 READ [66] from [AF_INET]193.149.48.172:63385 (via [AF_INET]195.30.8.84%ens160): P_CONTROL_SOFT_RESET_V1 kid=6 [ ] pid=10600 DATA len=52
2025-07-17 17:45:02 us=490260 cron2-freebsd-tc-amd64/udp4:193.149.48.172:63385 peer-id=2 UDPv4 WRITE [62] to [AF_INET]193.149.48.172:63385 (via [AF_INET]195.30.8.84%ens160): P_ACK_V1 kid=6 [ ] DATA len=52
2025-07-17 17:45:02 us=495340 cron2-freebsd-tc-amd64/udp4:193.149.48.172:63385 peer-id=2 UDPv4 READ [355] from [AF_INET]193.149.48.172:63385 (via [AF_INET]195.30.8.84%ens160): P_CONTROL_V1 kid=6 [ ] pid=10856 DATA len=341
2025-07-17 17:45:02 us=505576 cron2-freebsd-tc-amd64/udp4:193.149.48.172:63385 peer-id=2 UDPv4 WRITE [1262] to [AF_INET]193.149.48.172:63385 (via [AF_INET]195.30.8.84%ens160): P_CONTROL_V1 kid=6 [ ] pid=11112 DATA len=1248
2025-07-17 17:45:02 us=505746 cron2-freebsd-tc-amd64/udp4:193.149.48.172:63385 peer-id=2 UDPv4 WRITE [923] to [AF_INET]193.149.48.172:63385 (via [AF_INET]195.30.8.84%ens160): P_CONTROL_V1 kid=6 [ ] pid=11368 DATA len=909
2025-07-17 17:45:02 us=510213 cron2-freebsd-tc-amd64/udp4:193.149.48.172:63385 peer-id=2 UDPv4 READ [66] from [AF_INET]193.149.48.172:63385 (via [AF_INET]195.30.8.84%ens160): P_ACK_V1 kid=6 [ ] DATA len=56
2025-07-17 17:45:02 us=519114 cron2-freebsd-tc-amd64/udp4:193.149.48.172:63385 peer-id=2 UDPv4 READ [1262] from [AF_INET]193.149.48.172:63385 (via [AF_INET]195.30.8.84%ens160): P_CONTROL_V1 kid=6 [ ] pid=11368 DATA len=1248
2025-07-17 17:45:02 us=519243 cron2-freebsd-tc-amd64/udp4:193.149.48.172:63385 peer-id=2 UDPv4 WRITE [70] to [AF_INET]193.149.48.172:63385 (via [AF_INET]195.30.8.84%ens160): P_ACK_V1 kid=6 [ ] DATA len=60
2025-07-17 17:45:02 us=519353 cron2-freebsd-tc-amd64/udp4:193.149.48.172:63385 peer-id=2 UDPv4 READ [1262] from [AF_INET]193.149.48.172:63385 (via [AF_INET]195.30.8.84%ens160): P_CONTROL_V1 kid=6 [ ] pid=11624 DATA len=1248
2025-07-17 17:45:02 us=519471 cron2-freebsd-tc-amd64/udp4:193.149.48.172:63385 peer-id=2 UDPv4 WRITE [74] to [AF_INET]193.149.48.172:63385 (via [AF_INET]195.30.8.84%ens160): P_ACK_V1 kid=6 [ ] DATA len=64
2025-07-17 17:45:02 us=519586 cron2-freebsd-tc-amd64/udp4:193.149.48.172:63385 peer-id=2 UDPv4 READ [753] from [AF_INET]193.149.48.172:63385 (via [AF_INET]195.30.8.84%ens160): P_CONTROL_V1 kid=6 [ ] pid=11880 DATA len=739
2025-07-17 17:45:02 us=519991 cron2-freebsd-tc-amd64/udp4:193.149.48.172:63385 peer-id=2 VERIFY OK: depth=1, C=US, ST=California, L=Pleasanton, O=OpenVPN community project, CN=OpenVPN community project CA, emailAddress=sa...@op...
2025-07-17 17:45:02 us=520144 cron2-freebsd-tc-amd64/udp4:193.149.48.172:63385 peer-id=2 VERIFY OK: depth=0, C=DE, ST=Bavaria, L=Munich, O=OpenVPN community project, OU=Server Testing, CN=cron2-freebsd-tc-amd64, emailAddress=ge...@gr...
2025-07-17 17:45:02 us=525244 cron2-freebsd-tc-amd64/udp4:193.149.48.172:63385 peer-id=2 UDPv4 WRITE [121] to [AF_INET]193.149.48.172:63385 (via [AF_INET]195.30.8.84%ens160): P_CONTROL_V1 kid=6 [ ] pid=12136 DATA len=107
2025-07-17 17:45:02 us=530446 cron2-freebsd-tc-amd64/udp4:193.149.48.172:63385 peer-id=2 UDPv4 READ [525] from [AF_INET]193.149.48.172:63385 (via [AF_INET]195.30.8.84%ens160): P_CONTROL_V1 kid=6 [ ] pid=12136 DATA len=511
2025-07-17 17:45:02 us=530543 cron2-freebsd-tc-amd64/udp4:193.149.48.172:63385 peer-id=2 peer info: IV_VER=2.7_alpha2
2025-07-17 17:45:02 us=530583 cron2-freebsd-tc-amd64/udp4:193.149.48.172:63385 peer-id=2 peer info: IV_PLAT=mac
2025-07-17 17:45:02 us=530619 cron2-freebsd-tc-amd64/udp4:193.149.48.172:63385 peer-id=2 peer info: IV_TCPNL=1
2025-07-17 17:45:02 us=530646 cron2-freebsd-tc-amd64/udp4:193.149.48.172:63385 peer-id=2 peer info: IV_MTU=1600
2025-07-17 17:45:02 us=530666 cron2-freebsd-tc-amd64/udp4:193.149.48.172:63385 peer-id=2 peer info: IV_NCP=2
2025-07-17 17:45:02 us=530687 cron2-freebsd-tc-amd64/udp4:193.149.48.172:63385 peer-id=2 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
2025-07-17 17:45:02 us=530705 cron2-freebsd-tc-amd64/udp4:193.149.48.172:63385 peer-id=2 peer info: IV_PROTO=3998
2025-07-17 17:45:02 us=530726 cron2-freebsd-tc-amd64/udp4:193.149.48.172:63385 peer-id=2 peer info: IV_LZ4=1
2025-07-17 17:45:02 us=530755 cron2-freebsd-tc-amd64/udp4:193.149.48.172:63385 peer-id=2 peer info: IV_LZ4v2=1
2025-07-17 17:45:02 us=530779 cron2-freebsd-tc-amd64/udp4:193.149.48.172:63385 peer-id=2 peer info: IV_LZO=1
2025-07-17 17:45:02 us=530801 cron2-freebsd-tc-amd64/udp4:193.149.48.172:63385 peer-id=2 peer info: IV_COMP_STUB=1
2025-07-17 17:45:02 us=530821 cron2-freebsd-tc-amd64/udp4:193.149.48.172:63385 peer-id=2 peer info: IV_COMP_STUBv2=1
2025-07-17 17:45:02 us=530859 cron2-freebsd-tc-amd64/udp4:193.149.48.172:63385 peer-id=2 Note: 'compress migrate' detected remote peer with compression enabled.
2025-07-17 17:45:02 us=531008 cron2-freebsd-tc-amd64/udp4:193.149.48.172:63385 peer-id=2 UDPv4 WRITE [286] to [AF_INET]193.149.48.172:63385 (via [AF_INET]195.30.8.84%ens160): P_CONTROL_V1 kid=6 [ ] pid=12392 DATA len=272
2025-07-17 17:45:02 us=535798 cron2-freebsd-tc-amd64/udp4:193.149.48.172:63385 peer-id=2 UDPv4 READ [78] from [AF_INET]193.149.48.172:63385 (via [AF_INET]195.30.8.84%ens160): P_ACK_V1 kid=6 [ ] DATA len=68
2025-07-17 17:45:02 us=535906 cron2-freebsd-tc-amd64/udp4:193.149.48.172:63385 peer-id=2 Control Channel: TLSv1.2, cipher TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256, 2048 bit key
2025-07-17 17:45:02 us=536025 cron2-freebsd-tc-amd64/udp4:193.149.48.172:63385 peer-id=2 dco_install_key: peer_id=2 keyid=6, currently 1 keys installed
2025-07-17 17:45:02 us=536058 cron2-freebsd-tc-amd64/udp4:193.149.48.172:63385 peer-id=2 dco_new_key: slot 1, key-id 6, peer-id 2, cipher AES-256-GCM
2025-07-17 17:45:05 us=707606 dco_get_peer_stats_multi
2025-07-17 17:45:05 us=707964 dco_parse_peer_multi: parsing message...
2025-07-17 17:45:05 us=707999 dco_update_peer_stat / dco_read_bytes: 1408
2025-07-17 17:45:05 us=708017 dco_update_peer_stat / dco_write_bytes: 1200
2025-07-17 17:45:05 us=708032 dco_update_peer_stat / tun_read_bytes: 0
2025-07-17 17:45:05 us=708051 dco_update_peer_stat / tun_write_bytes: 0
2025-07-17 17:45:05 us=708071 dco_parse_peer_multi: parsing message...
```

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1084?usp=email
To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I33e9272b4196c7634db2fb33a75ae4261660867f
Gerrit-Change-Number: 1084
Gerrit-PatchSet: 3
Gerrit-Owner: ralf_lici <ra...@ma...>
Gerrit-Reviewer: cron2 <ge...@gr...>
Gerrit-Reviewer: flichtenheld <fr...@li...>
Gerrit-Reviewer: ordex <an...@ma...>
Gerrit-Reviewer: plaisthos <arn...@rf...>
Gerrit-Reviewer: stipa <lst...@gm...>
Gerrit-CC: openvpn-devel <ope...@li...>
Gerrit-Attention: plaisthos <arn...@rf...>
Gerrit-Attention: flichtenheld <fr...@li...>
Gerrit-Attention: ralf_lici <ra...@ma...>
Gerrit-Attention: stipa <lst...@gm...>
Gerrit-Comment-Date: Thu, 17 Jul 2025 16:02:30 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Gerrit-MessageType: comment
From: cron2 (C. Review) <ge...@op...> - 2025-07-17 15:54:45
Attention is currently required from: flichtenheld, plaisthos, ralf_lici, stipa.

cron2 has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/1084?usp=email )

Change subject: dco: Add support for float notifications
......................................................................

Patch Set 3: Code-Review-1

(1 comment)

Patchset:

PS3:
*b00m*

so this is the testbed: ubuntu 20.04 server with backported float notification patch, commit 31aedd7fb plus this patch. one server instance, with 2 UDP sockets (one udp6/dual-stack, one udp4 only). Client connecting to the UDP4 socket (so v6 mapped is not relevant).

Server has --reneg-sec 60, and in between renegotiations the client is made to roam between LAN and WiFi (by unplugging and replugging the LAN cable).

It floats quite happily, and then explodes - it's something with timing, float, and server-triggered renegotiation, though I do not really know what sequence of things I need.

`peer-id 2` is the floating client, `peer-id 1` is just sticking around.
```
2025-07-17 17:45:32 us=32787 freebsd-74-amd64/udp6:194.97.140.3:61704 peer-id=1 Control Channel: TLSv1.2, cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384, 2048 bit key
2025-07-17 17:45:32 us=32932 freebsd-74-amd64/udp6:194.97.140.3:61704 peer-id=1 dco_install_key: peer_id=1 keyid=6, currently 1 keys installed
2025-07-17 17:45:32 us=32963 freebsd-74-amd64/udp6:194.97.140.3:61704 peer-id=1 dco_new_key: slot 1, key-id 6, peer-id 1, cipher AES-256-GCM
2025-07-17 17:45:32 us=658862 cron2-freebsd-tc-amd64/udp4:193.149.48.172:63385 peer-id=2 Swapping primary and secondary keys to primary-id=6 secondary-id=5
2025-07-17 17:45:32 us=658933 cron2-freebsd-tc-amd64/udp4:193.149.48.172:63385 peer-id=2 dco_swap_keys: peer-id 2
2025-07-17 17:45:59 us=350653 dco_do_read
2025-07-17 17:45:59 us=350790 ovpn-dco: received CMD_PEER_FLOAT_NTF, ifindex: 5501, peer-id 2, address: [AF_INET]193.149.48.173:63385
2025-07-17 17:45:59 us=350937 peer 2 (cron2-freebsd-tc-amd64) floated from udp4:193.149.48.172:63385 to [AF_INET6]::ffff:193.149.48.173:63385 (via ::ffff:195.30.8.84%ens160)
2025-07-17 17:46:02 us=32434 cron2-freebsd-tc-amd64/udp6:193.149.48.173:63385 peer-id=2 TLS: soft reset sec=60/59 bytes=0/-1 pkts=0/0 aead_limit_send=0/60129542137 aead_limit_recv=0/60129542137
2025-07-17 17:46:02 us=32639 cron2-freebsd-tc-amd64/udp6:193.149.48.173:63385 peer-id=2 dco_del_key: peer-id 2, slot 1
2025-07-17 17:46:02 us=32911 cron2-freebsd-tc-amd64/udp6:193.149.48.173:63385 peer-id=2 UDPv4 WRITE [54] to [AF_INET6]::ffff:193.149.48.173:63385 (via ::ffff:195.30.8.84%ens160): P_CONTROL_SOFT_RESET_V1 kid=7 [ ] pid=12648 DATA len=40
2025-07-17 17:46:02 us=32981 cron2-freebsd-tc-amd64/udp6:193.149.48.173:63385 peer-id=2 write UDPv4 []: Address family not supported by protocol (fd=7,code=97)
2025-07-17 17:46:02 us=352420 dco_do_read
2025-07-17 17:46:02 us=352549 ovpn-dco: received CMD_PEER_FLOAT_NTF, ifindex: 5501, peer-id 2, address: [AF_INET]193.149.48.172:63385
2025-07-17 17:46:02 us=352705 peer 2 (cron2-freebsd-tc-amd64) floated from udp6:193.149.48.173:63385 to [AF_INET6]::ffff:193.149.48.172:63385 (via ::ffff:195.30.8.84%ens160)
2025-07-17 17:46:02 us=529069 freebsd-74-amd64/udp6:194.97.140.3:61704 peer-id=1 Swapping primary and secondary keys to primary-id=6 secondary-id=5
2025-07-17 17:46:02 us=529153 freebsd-74-amd64/udp6:194.97.140.3:61704 peer-id=1 dco_swap_keys: peer-id 1
2025-07-17 17:46:04 us=286241 cron2-freebsd-tc-amd64/udp6:193.149.48.172:63385 peer-id=2 UDPv4 WRITE [54] to [AF_INET6]::ffff:193.149.48.172:63385 (via ::ffff:195.30.8.84%ens160): P_CONTROL_SOFT_RESET_V1 kid=7 [ ] pid=12904 DATA len=40
2025-07-17 17:46:04 us=286325 cron2-freebsd-tc-amd64/udp6:193.149.48.172:63385 peer-id=2 write UDPv4 []: Address family not supported by protocol (fd=7,code=97)
2025-07-17 17:46:05 us=364294 dco_get_peer_stats_multi
2025-07-17 17:46:05 us=364768 dco_parse_peer_multi: parsing message...
2025-07-17 17:46:05 us=364822 dco_update_peer_stat: no link RX bytes provided in reply for peer 2
2025-07-17 17:46:05 us=364854 dco_update_peer_stat: no link TX bytes provided in reply for peer 2
2025-07-17 17:46:05 us=364913 dco_update_peer_stat: no VPN RX bytes provided in reply for peer 2
2025-07-17 17:46:05 us=364931 dco_update_peer_stat: no VPN TX bytes provided in reply for peer 2
2025-07-17 17:46:05 us=364994 dco_parse_peer_multi: parsing message...
2025-07-17 17:46:05 us=365028 dco_update_peer_stat / dco_read_bytes: 1648
2025-07-17 17:46:05 us=365057 dco_update_peer_stat / dco_write_bytes: 1440
2025-07-17 17:46:05 us=365103 dco_update_peer_stat / tun_read_bytes: 0
2025-07-17 17:46:05 us=365129 dco_update_peer_stat / tun_write_bytes: 0
2025-07-17 17:46:05 us=365145 dco_parse_peer_multi: parsing message...
2025-07-17 17:46:05 us=365180 dco_update_peer_stat / dco_read_bytes: 53648
2025-07-17 17:46:05 us=365208 dco_update_peer_stat / dco_write_bytes: 53248
2025-07-17 17:46:05 us=365269 dco_update_peer_stat / tun_read_bytes: 43264
2025-07-17 17:46:05 us=365304 dco_update_peer_stat / tun_write_bytes: 43264
2025-07-17 17:46:05 us=366195 dco_do_read
2025-07-17 17:46:05 us=366301 dco_do_read: netlink reports error (-4): Try again
2025-07-17 17:46:08 us=370284 dco_do_read
2025-07-17 17:46:08 us=370355 ovpn-dco: received CMD_PEER_FLOAT_NTF, ifindex: 5501, peer-id 2, address: [AF_INET]193.149.48.172:63385
2025-07-17 17:46:08 us=370416 closing instance cron2-freebsd-tc-amd64/udp6:193.149.48.172:63385 peer-id=2
2025-07-17 17:46:08 us=370469 dco_get_peer_stats_multi
2025-07-17 17:46:08 us=370666 dco_parse_peer_multi: parsing message...
2025-07-17 17:46:08 us=370811 dco_update_peer_stat / dco_read_bytes: 1648
2025-07-17 17:46:08 us=370856 dco_update_peer_stat / dco_write_bytes: 1440
2025-07-17 17:46:08 us=370887 dco_update_peer_stat / tun_read_bytes: 0
2025-07-17 17:46:08 us=370918 dco_update_peer_stat / tun_write_bytes: 0
2025-07-17 17:46:08 us=371212 dco_parse_peer_multi: parsing message...
2025-07-17 17:46:08 us=371249 dco_parse_peer_multi: cannot store DCO stats for peer 2
2025-07-17 17:46:08 us=371410 register signal: SIGTERM (close_context)
2025-07-17 17:46:08 us=371534 dco_del_peer: peer-id 2
```

(why does it want to close peer 2? so something went fishy already at this point)

```
Program received signal SIGSEGV, Segmentation fault.
0x00005555555989b3 in multi_process_float (m=m@entry=0x7fffffffbb90, mi=mi@entry=0x555555772a70, sock=0x5555556c7a20) at multi.c:3258
3258        msg(D_MULTI_MEDIUM, "peer %" PRIu32 " (%s) floated from %s to %s",
(gdb) where
#0  0x00005555555989b3 in multi_process_float (m=m@entry=0x7fffffffbb90, mi=mi@entry=0x555555772a70, sock=0x5555556c7a20) at multi.c:3258
#1  0x0000555555598f53 in multi_process_incoming_dco (m=m@entry=0x7fffffffbb90) at multi.c:3393
#2  0x000055555559d7e0 in multi_io_process_io (m=m@entry=0x7fffffffbb90) at multi_io.c:534
#3  0x000055555559c740 in tunnel_server_loop (multi=0x7fffffffbb90) at multi.c:4287
#4  tunnel_server (top=0x7fffffffd0c0) at multi.c:4339
#5  0x00005555555a1f29 in openvpn_main (argc=5, argv=0x7fffffffe598) at openvpn.c:318
#6  0x00007ffff7d72083 in __libc_start_main (main=0x55555555fb70 <main>, argc=5, argv=0x7fffffffe598, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe588) at ../csu/libc-start.c:308
#7  0x000055555555fbae in _start () at openvpn.c:395
(gdb) list
3253
3254            msg(D_MULTI_MEDIUM, "closing instance %s", multi_instance_string(ex_mi, false, &gc));
3255            multi_close_instance(m, ex_mi, false);
3256        }
3257
3258        msg(D_MULTI_MEDIUM, "peer %" PRIu32 " (%s) floated from %s to %s",
3259            mi->context.c2.tls_multi->peer_id,
3260            tls_common_name(mi->context.c2.tls_multi, false),
3261            mroute_addr_print(&mi->real, &gc),
3262            print_link_socket_actual(&m->top.c2.from, &gc));
(gdb) print mi->context.c2.tls_multi
$1 = (struct tls_multi *) 0x0
```

the kernel log around that time says

```
Jul 17 17:46:01 ubuntu2004 kernel: [3570425.002983] tun7: peer 2 floated to 193.149.48.173:63385
Jul 17 17:46:01 ubuntu2004 kernel: [3570426.825096] tun7: sending keepalive to peer 1
Jul 17 17:46:01 ubuntu2004 kernel: [3570426.825119] tun7: scheduling keepalive work: now=1752767170 next_run=1752767161 delta=9
Jul 17 17:46:02 ubuntu2004 kernel: [3570427.685495] deleting key slot 1, key_id=5
Jul 17 17:46:02 ubuntu2004 kernel: [3570428.004618] tun7: peer 2 floated to 193.149.48.172:63385
Jul 17 17:46:02 ubuntu2004 kernel: [3570428.182001] key swapped: (old primary) 5 <-> (new primary) 6
Jul 17 17:46:03 ubuntu2004 kernel: [3570429.235584] tun7: ping received from peer 1
Jul 17 17:46:08 ubuntu2004 kernel: [3570431.015784] tun7: peer 2 floated to 193.149.48.173:63385
Jul 17 17:46:08 ubuntu2004 kernel: [3570434.022364] tun7: peer 2 floated to 193.149.48.172:63385
Jul 17 17:46:08 ubuntu2004 kernel: [3570434.024151] tun7: del peer 2
Jul 17 17:46:08 ubuntu2004 kernel: [3570434.024169] tun7: deleting peer with id 2, reason 1
Jul 17 17:46:10 ubuntu2004 kernel: [3570436.040898] tun7: scheduling keepalive work: now=1752767171 next_run=1752767170 delta=1
Jul 17 17:46:11 ubuntu2004 kernel: [3570437.064852] tun7: sending keepalive to peer 1
```

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1084?usp=email
To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I33e9272b4196c7634db2fb33a75ae4261660867f
Gerrit-Change-Number: 1084
Gerrit-PatchSet: 3
Gerrit-Owner: ralf_lici <ra...@ma...>
Gerrit-Reviewer: cron2 <ge...@gr...>
Gerrit-Reviewer: flichtenheld <fr...@li...>
Gerrit-Reviewer: ordex <an...@ma...>
Gerrit-Reviewer: plaisthos <arn...@rf...>
Gerrit-Reviewer: stipa <lst...@gm...>
Gerrit-CC: openvpn-devel <ope...@li...>
Gerrit-Attention: plaisthos <arn...@rf...>
Gerrit-Attention: flichtenheld <fr...@li...>
Gerrit-Attention: ralf_lici <ra...@ma...>
Gerrit-Attention: stipa <lst...@gm...>
Gerrit-Comment-Date: Thu, 17 Jul 2025 15:54:28 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment
From: plaisthos (C. Review) <ge...@op...> - 2025-07-17 09:44:05
Attention is currently required from: flichtenheld, its_Giaan.

plaisthos has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/1089?usp=email )

Change subject: multipeer: introduce asymmetric peer-id
......................................................................

Patch Set 2: Code-Review-2

(6 comments)

Patchset:

PS2:
I think there are still some things that need to be fixed. See comments

File src/openvpn/multi.c:

http://gerrit.openvpn.net/c/openvpn/+/1089/comment/7be28da8_ce83b435 :
PS2, Line 1816:             uint32_t peer_id = extract_asymmetric_peer_id(peer_info);
I am somehow missing the client side/p2p that does the same and also calls extract_asymmetric_peer_id to figure out what peer-id the server wants to use.

File src/openvpn/push.c:

http://gerrit.openvpn.net/c/openvpn/+/1089/comment/ad29de27_05d54fe8 :
PS2, Line 657:                    tls_multi->rx_peer_id);
This will instruct the client to use that peer-id on both send/receive. The idea was to *not* push peer-id in this scenario but rather have both sides see that if the other peer has ID= in their peerinfo then they both switch to asymmetric peer-id

File src/openvpn/ssl.c:

http://gerrit.openvpn.net/c/openvpn/+/1089/comment/231475b7_833b9982 :
PS2, Line 2043:         buf_printf(&out, "ID=%x\n", peer_id);
This needs to be guarded by the actual DCO capability. We cannot announce this if the DCO module/implementation then cannot actually support asymmetric ID support.

File src/openvpn/ssl_ncp.c:

http://gerrit.openvpn.net/c/openvpn/+/1089/comment/5800ddd8_05764f00 :
PS2, Line 431:         multi->tx_peer_id = 2033;
Why the hardcoded 2033 here? Shouldn't it also be 0x76706e; /* 'v' 'p' 'n' */ ?

http://gerrit.openvpn.net/c/openvpn/+/1089/comment/5a725408_1afd7517 :
PS2, Line 474:         multi->rx_peer_id = (peerid[0] << 16) + (peerid[1] << 8) + peerid[2];
Shouldn't there be code here

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1089?usp=email
To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I0a13ee90b6706acf20eabcee3bab3f2dff639bf9
Gerrit-Change-Number: 1089
Gerrit-PatchSet: 2
Gerrit-Owner: its_Giaan <gia...@ma...>
Gerrit-Reviewer: flichtenheld <fr...@li...>
Gerrit-Reviewer: plaisthos <arn...@rf...>
Gerrit-CC: openvpn-devel <ope...@li...>
Gerrit-Attention: its_Giaan <gia...@ma...>
Gerrit-Attention: flichtenheld <fr...@li...>
Gerrit-Comment-Date: Thu, 17 Jul 2025 09:43:55 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment
From: its_Giaan (C. Review) <ge...@op...> - 2025-07-17 09:35:11
Attention is currently required from: flichtenheld, its_Giaan, plaisthos. Hello flichtenheld, plaisthos, I'd like you to reexamine a change. Please visit http://gerrit.openvpn.net/c/openvpn/+/1089?usp=email to look at the new patch set (#2). The following approvals got outdated and were removed: Code-Review-1 by flichtenheld Change subject: multipeer: introduce asymmetric peer-id ...................................................................... multipeer: introduce asymmetric peer-id In order to achieve a multipeer functionality, peers now use separate IDs for sending (tx_peer_id) and receiving (rx_peer_id). Each peer announces its own ID through pushing peer-info using 'ID=7f1' hex format so identification can still happen even if IP/port changes. In P2P mode, peer switch to using the announced IDs after mutual exchange. In P2MP mode, clients always announce their ID, and servers can optionally respond with their own to enable the same behavior. Change-Id: I0a13ee90b6706acf20eabcee3bab3f2dff639bf9 Signed-off-by: Gianmarco De Gregori <gia...@ma...> --- M src/openvpn/dco.c M src/openvpn/init.c M src/openvpn/misc.c M src/openvpn/multi.c M src/openvpn/push.c M src/openvpn/ssl.c M src/openvpn/ssl_common.h M src/openvpn/ssl_ncp.c M src/openvpn/ssl_util.c M src/openvpn/ssl_util.h 10 files changed, 64 insertions(+), 26 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/89/1089/2 diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c index 98cbb72..3687f4a 100644 --- a/src/openvpn/dco.c +++ b/src/openvpn/dco.c @@ -513,7 +513,7 @@ c->c2.tls_multi->dco_peer_id = -1; } #endif - int ret = dco_new_peer(&c->c1.tuntap->dco, multi->peer_id, sock->sd, NULL, + int ret = dco_new_peer(&c->c1.tuntap->dco, multi->rx_peer_id, sock->sd, NULL, proto_is_dgram(sock->info.proto) ? remoteaddr : NULL, NULL, NULL); if (ret < 0) @@ -521,7 +521,7 @@ return ret; } - c->c2.tls_multi->dco_peer_id = multi->peer_id; + c->c2.tls_multi->dco_peer_id = multi->rx_peer_id; return 0; } 
@@ -595,7 +595,7 @@ { struct context *c = &mi->context; - int peer_id = c->c2.tls_multi->peer_id; + int peer_id = c->c2.tls_multi->rx_peer_id; struct sockaddr *remoteaddr, *localaddr = NULL; struct sockaddr_storage local = { 0 }; int sd = c->c2.link_sockets[0]->sd; @@ -667,7 +667,7 @@ if (addrtype == MR_ADDR_IPV6) { #if defined(_WIN32) - dco_win_add_iroute_ipv6(&c->c1.tuntap->dco, addr->v6.addr, addr->netbits, c->c2.tls_multi->peer_id); + dco_win_add_iroute_ipv6(&c->c1.tuntap->dco, addr->v6.addr, addr->netbits, c->c2.tls_multi->rx_peer_id); #else net_route_v6_add(&m->top.net_ctx, &addr->v6.addr, addr->netbits, &mi->context.c2.push_ifconfig_ipv6_local, c->c1.tuntap->actual_name, 0, @@ -677,7 +677,7 @@ else if (addrtype == MR_ADDR_IPV4) { #if defined(_WIN32) - dco_win_add_iroute_ipv4(&c->c1.tuntap->dco, addr->v4.addr, addr->netbits, c->c2.tls_multi->peer_id); + dco_win_add_iroute_ipv4(&c->c1.tuntap->dco, addr->v4.addr, addr->netbits, c->c2.tls_multi->rx_peer_id); #else in_addr_t dest = htonl(addr->v4.addr); net_route_v4_add(&m->top.net_ctx, &dest, addr->netbits, diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 77747a2..543eaf9 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -2328,7 +2328,7 @@ if (o->use_peer_id) { - buf_printf(&out, ", peer-id: %d", o->peer_id); + buf_printf(&out, ", rx_peer-id: %u, tx_peer-id: %u", c->c2.tls_multi->rx_peer_id, c->c2.tls_multi->tx_peer_id); } #ifdef USE_COMP @@ -2778,7 +2778,7 @@ { msg(D_PUSH_DEBUG, "OPTIONS IMPORT: peer-id set"); c->c2.tls_multi->use_peer_id = true; - c->c2.tls_multi->peer_id = c->options.peer_id; + c->c2.tls_multi->tx_peer_id = c->options.peer_id; } /* process (potentially) pushed options */ diff --git a/src/openvpn/misc.c b/src/openvpn/misc.c index 4695700..122ca74 100644 --- a/src/openvpn/misc.c +++ b/src/openvpn/misc.c 
@@ -777,7 +777,8 @@ { chomp(line); if (validate_peer_info_line(line) - && (strncmp(line, "IV_", 3) == 0 || strncmp(line, "UV_", 3) == 0) ) + && (strncmp(line, "IV_", 3) == 0 || strncmp(line, "UV_", 3) == 0 + || strncmp(line, "ID", 2) == 0)) { msg(M_INFO, "peer info: %s", line); env_set_add(es, line); diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index a760e07..6987dc5 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -479,7 +479,7 @@ && check_debug_level(D_DCO_DEBUG) && dco_enabled(&mi->context.options)) { - buf_printf(&out, " peer-id=%d", mi->context.c2.tls_multi->peer_id); + buf_printf(&out, " rx_peer-id=%d", mi->context.c2.tls_multi->rx_peer_id); } return BSTR(&out); } @@ -655,9 +655,9 @@ } #endif - if (mi->context.c2.tls_multi->peer_id != MAX_PEER_ID) + if (mi->context.c2.tls_multi->rx_peer_id != MAX_PEER_ID) { - m->instances[mi->context.c2.tls_multi->peer_id] = NULL; + m->instances[mi->context.c2.tls_multi->rx_peer_id] = NULL; } schedule_remove_entry(m->schedule, (struct schedule_entry *) mi); @@ -972,7 +972,7 @@ #else sep, #endif - sep, mi->context.c2.tls_multi ? mi->context.c2.tls_multi->peer_id : UINT32_MAX, + sep, mi->context.c2.tls_multi ? mi->context.c2.tls_multi->rx_peer_id : UINT32_MAX, sep, translate_cipher_name_to_openvpn(mi->context.options.ciphername)); } gc_free(&gc); @@ -1813,6 +1813,12 @@ { tls_multi->use_peer_id = true; o->use_peer_id = true; + uint32_t peer_id = extract_asymmetric_peer_id(peer_info); + if (peer_id) + { + tls_multi->tx_peer_id = peer_id; + tls_multi->use_asymmetric_peer_id = true; + } } else if (dco_enabled(o)) { @@ -3256,7 +3262,7 @@ } msg(D_MULTI_MEDIUM, "peer %" PRIu32 " (%s) floated from %s to %s", - mi->context.c2.tls_multi->peer_id, + mi->context.c2.tls_multi->rx_peer_id, tls_common_name(mi->context.c2.tls_multi, false), mroute_addr_print(&mi->real, &gc), print_link_socket_actual(&m->top.c2.from, &gc)); 
@@ -4235,7 +4241,11 @@ { if (!m->instances[i]) { - mi->context.c2.tls_multi->peer_id = i; + mi->context.c2.tls_multi->rx_peer_id = i; + if (!mi->context.c2.tls_multi->use_asymmetric_peer_id) + { + mi->context.c2.tls_multi->tx_peer_id = i; + } m->instances[i] = mi; break; } @@ -4243,7 +4253,7 @@ /* should not really end up here, since multi_create_instance returns null * if amount of clients exceeds max_clients */ - ASSERT(mi->context.c2.tls_multi->peer_id < m->max_clients); + ASSERT(mi->context.c2.tls_multi->rx_peer_id < m->max_clients); } /**************************************************************************/ diff --git a/src/openvpn/push.c b/src/openvpn/push.c index ad8fa3d7..073e6b6 100644 --- a/src/openvpn/push.c +++ b/src/openvpn/push.c @@ -654,7 +654,7 @@ if (tls_multi->use_peer_id) { push_option_fmt(gc, push_list, M_USAGE, "peer-id %d", - tls_multi->peer_id); + tls_multi->rx_peer_id); } /* * If server uses --auth-gen-token and we have an auth token diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 9c6616a..edac9aa 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -1181,7 +1181,9 @@ /* get command line derived options */ ret->opt = *tls_options; ret->dco_peer_id = -1; - ret->peer_id = MAX_PEER_ID; + ret->use_asymmetric_peer_id = false; + ret->rx_peer_id = MAX_PEER_ID; + ret->tx_peer_id = MAX_PEER_ID; return ret; } @@ -1947,7 +1949,7 @@ * @return true if no error was encountered */ static bool -push_peer_info(struct buffer *buf, struct tls_session *session) +push_peer_info(struct buffer *buf, struct tls_session *session, uint32_t peer_id) { struct gc_arena gc = gc_new(); bool ret = false; @@ -2038,6 +2040,7 @@ iv_proto |= IV_PROTO_DYN_TLS_CRYPT; buf_printf(&out, "IV_PROTO=%d\n", iv_proto); + buf_printf(&out, "ID=%x\n", peer_id); if (session->opt->push_peer_info_detail > 1) { @@ -2221,7 +2224,7 @@ } } - if (!push_peer_info(buf, session)) + if (!push_peer_info(buf, session, multi->rx_peer_id)) { goto error; } 
@@ -4143,9 +4146,8 @@ msg(D_TLS_DEBUG, __func__); ASSERT(ks); - peer = htonl(((P_DATA_V2 << P_OPCODE_SHIFT) | ks->key_id) << 24 - | (multi->peer_id & 0xFFFFFF)); + | (multi->tx_peer_id & 0xFFFFFF)); ASSERT(buf_write_prepend(buf, &peer, 4)); } diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h index e9e50da..1e2f534 100644 --- a/src/openvpn/ssl_common.h +++ b/src/openvpn/ssl_common.h @@ -689,8 +689,10 @@ #define AUTH_TOKEN_VALID_EMPTYUSER (1 << 2) /* For P_DATA_V2 */ - uint32_t peer_id; + uint32_t rx_peer_id; + uint32_t tx_peer_id; bool use_peer_id; + bool use_asymmetric_peer_id; char *remote_ciphername; /**< cipher specified in peer's config file */ bool remote_usescomp; /**< remote announced comp-lzo in OCC string */ diff --git a/src/openvpn/ssl_ncp.c b/src/openvpn/ssl_ncp.c index 74d7b43..5e0af03 100644 --- a/src/openvpn/ssl_ncp.c +++ b/src/openvpn/ssl_ncp.c @@ -426,7 +426,9 @@ if (iv_proto_peer & IV_PROTO_DATA_V2) { multi->use_peer_id = true; - multi->peer_id = 0x76706e; /* 'v' 'p' 'n' */ + multi->use_asymmetric_peer_id = true; + multi->rx_peer_id = 0x76706e; /* 'v' 'p' 'n' */ + multi->tx_peer_id = 2033; } if (iv_proto_peer & IV_PROTO_CC_EXIT_NOTIFY) @@ -469,7 +471,7 @@ } else { - multi->peer_id = (peerid[0] << 16) + (peerid[1] << 8) + peerid[2]; + multi->rx_peer_id = (peerid[0] << 16) + (peerid[1] << 8) + peerid[2]; } } @@ -513,10 +515,11 @@ } msg(D_TLS_DEBUG_LOW, "P2P mode NCP negotiation result: " - "TLS_export=%d, DATA_v2=%d, peer-id %d, epoch=%d, cipher=%s", + "TLS_export=%d, DATA_v2=%d, rx-peer-id %d, tx-peer-id %d, epoch=%d, cipher=%s", (bool)(session->opt->crypto_flags & CO_USE_TLS_KEY_MATERIAL_EXPORT), multi->use_peer_id, - multi->peer_id, + multi->rx_peer_id, + multi->tx_peer_id, (bool)(session->opt->crypto_flags & CO_EPOCH_DATA_KEY_FORMAT), common_cipher); diff --git a/src/openvpn/ssl_util.c b/src/openvpn/ssl_util.c index d3d7b2c..fde6f7e 100644 --- a/src/openvpn/ssl_util.c +++ b/src/openvpn/ssl_util.c 
@@ -74,6 +74,24 @@ return 0; } +uint32_t +extract_asymmetric_peer_id(const char *peer_info) +{ + const char *optstr = peer_info ? strstr(peer_info, "ID=") : NULL; + if (optstr) + { + uint32_t peer_id = 0; + int r = sscanf(optstr, "ID=%x", &peer_id); + { + if (r == 1 && peer_id >= 0) + { + return peer_id; + } + } + } + return 0; +} + const char * options_string_compat_lzo(const char *options, struct gc_arena *gc) { diff --git a/src/openvpn/ssl_util.h b/src/openvpn/ssl_util.h index e50f899..e9c7ef8 100644 --- a/src/openvpn/ssl_util.h +++ b/src/openvpn/ssl_util.h @@ -55,6 +55,8 @@ */ unsigned int extract_iv_proto(const char *peer_info); +uint32_t extract_asymmetric_peer_id(const char *peer_info); + /** * Takes a locally produced OCC string for TLS server mode and modifies as * if the option comp-lzo was enabled. This is to send a client in -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1089?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I0a13ee90b6706acf20eabcee3bab3f2dff639bf9 Gerrit-Change-Number: 1089 Gerrit-PatchSet: 2 Gerrit-Owner: its_Giaan <gia...@ma...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Attention: its_Giaan <gia...@ma...> Gerrit-Attention: flichtenheld <fr...@li...> Gerrit-MessageType: newpatchset |
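Review bot: the init.c hunk at @@ -2778 stores the pushed `peer-id` in `tx_peer_id` only, so on a pulling client `rx_peer_id` keeps the MAX_PEER_ID assigned in tls_multi_init (ssl.c @@ -1181), while the dco.c hunk at @@ -513 now passes `multi->rx_peer_id` to dco_new_peer and records it in `dco_peer_id`. A DCO client would therefore register its peer under the sentinel rather than under the id the server handed out. Decide what a client's receive-side id is at this point and set it in this hunk; if the pushed id is meant to cover both directions until the server announces its own, assign it to `rx_peer_id` as well as to `tx_peer_id`.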
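Review bot: in the misc.c hunk `strncmp(line, "ID", 2) == 0` accepts any peer-info line whose key merely begins with `ID` (an `IDX=...` line would pass), not just the `ID=` key this patch introduces; compare against `"ID="` with length 3. The line is chosen by the remote peer and, after this change, reaches scripts and plugins through env_set_add, so the narrower match is also the safer one.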
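Review bot: the multi.c hunk at @@ -479 prints `rx_peer_id`, a uint32_t, with `%d`, and the ssl_ncp.c message at @@ -513 does the same for both ids; the float message at @@ -3256 already uses `PRIu32` and init.c at @@ -2328 switched to `%u` in this same patch, so use `PRIu32` in the new format strings too.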
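Review bot: in the multi.c hunk at @@ -1813 the announced id is adopted as `tx_peer_id` without a range check, and it is only masked to 24 bits when the P_DATA_V2 header is built (ssl.c @@ -4143), so a value above 0xFFFFFF goes on the wire truncated while the log lines in init.c and ssl_ncp.c print the full number. Reject anything above 0xFFFFFF here before setting `use_asymmetric_peer_id`. A peer whose own `rx_peer_id` is still MAX_PEER_ID announces exactly that value (ssl.c @@ -2221 sends `multi->rx_peer_id`), and a plain non-zero test accepts it as a real id, so compare against MAX_PEER_ID as well. Using the announced value only for the sending direction is the right call: instance lookup and removal keep using the server-assigned `rx_peer_id` (@@ -655, @@ -4235), so a peer cannot move itself into another client's slot by choosing its ID.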
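Review bot: the `ID=%x` line added in push_peer_info (ssl.c @@ -2038) is written for every peer-info exchange, outside the `push_peer_info_detail` check and without any IV_PROTO bit announcing the capability, and the value passed in from @@ -2221 is `rx_peer_id`, which is MAX_PEER_ID whenever no id has been assigned yet (on a P2MP client nothing in this patch ever assigns it). Skip the line while `rx_peer_id == MAX_PEER_ID`, and consider an IV_PROTO flag, as this function already does for the other data-channel capabilities, so the receiver can tell a deliberate announcement from a default.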
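Review bot: the ssl.c hunk at @@ -4143 removes both lines of the `peer = htonl(...)` statement and adds back only the second, leaving `| (multi->tx_peer_id & 0xFFFFFF));` with no left-hand operand; the hunk counts (-9/+8) confirm one line is gone for good. The `peer = htonl(((P_DATA_V2 << P_OPCODE_SHIFT) | ks->key_id) << 24` line has to come back unchanged ahead of it, otherwise this file cannot compile.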
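Review bot: the ssl_common.h hunk adds `rx_peer_id`, `tx_peer_id` and `use_asymmetric_peer_id` under the bare `/* For P_DATA_V2 */` comment, so the header does not say which direction each id applies to or what the flag gates, while the neighbouring members (`remote_ciphername`, `remote_usescomp`) carry doxygen comments. Add one per field, for instance `/**< id expected on packets received from this peer; indexes m->instances on the server */` for `rx_peer_id` and `/**< id written into the P_DATA_V2 header of packets sent to this peer */` for `tx_peer_id`, and record that MAX_PEER_ID means unassigned for both.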
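Review bot: `multi->tx_peer_id = 2033;` in the ssl_ncp.c hunk at @@ -426 is a bare magic number next to a constant that does get a comment (`0x76706e /* 'v' 'p' 'n' */`); 2033 is 0x7f1, the value the commit message uses as its example, so write it in hex with a comment or give it a named define. Both ends of a P2P link run this code, so as the hunk stands each side registers its DCO peer under 0x76706e (dco.c @@ -513) and stamps 0x7f1 on what it sends (ssl.c @@ -4143); if that interim mismatch is meant to be resolved by the exchange described in the commit message, a comment here should say so, otherwise the two presets need to mirror each other.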
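Review bot: in the ssl_util.c hunk extract_asymmetric_peer_id finds the key with `strstr(peer_info, "ID=")`, which also matches inside any other key that ends in `ID` (a `UV_SOMEID=...` line, for example); search for `"\nID="` or walk the buffer line by line so only the key defined by this patch is read. `sscanf` with `%x` accepts a leading sign, so `ID=-1` parses and wraps; `peer_id >= 0` on a uint32_t is always true and will trip -Wtype-limits; and the extra block braces around the `if` after `int r = sscanf(...)` are stray. Returning 0 for "absent" also makes an announced `ID=0` unrepresentable, and the caller in multi.c tests `if (peer_id)`, while 0 is a legitimate `m->instances` index on the server. Return a bool for presence, pass the id out through a pointer, and bound it to `<= 0xFFFFFF` (the mask applied when the header is written in ssl.c) before anyone trusts it, since the string comes from the remote peer.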
From: flichtenheld (C. Review) <ge...@op...> - 2025-07-17 09:33:58
Attention is currently required from: its_Giaan, plaisthos. flichtenheld has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/1089?usp=email ) Change subject: multipeer: introduce asymmetric peer-id ...................................................................... Patch Set 1: Code-Review-1 (1 comment) Patchset: PS1: doesn't build -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1089?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I0a13ee90b6706acf20eabcee3bab3f2dff639bf9 Gerrit-Change-Number: 1089 Gerrit-PatchSet: 1 Gerrit-Owner: its_Giaan <gia...@ma...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Attention: its_Giaan <gia...@ma...> Gerrit-Comment-Date: Thu, 17 Jul 2025 09:33:43 +0000 Gerrit-HasComments: Yes Gerrit-Has-Labels: Yes Gerrit-MessageType: comment |
From: its_Giaan (C. Review) <ge...@op...> - 2025-07-17 09:17:50
Attention is currently required from: flichtenheld, plaisthos. Hello plaisthos, flichtenheld, I'd like you to do a code review. Please visit http://gerrit.openvpn.net/c/openvpn/+/1089?usp=email to review the following change. Change subject: multipeer: introduce asymmetric peer-id ...................................................................... multipeer: introduce asymmetric peer-id In order to achieve a multipeer functionality, peers now use separate IDs for sending (tx_peer_id) and receiving (rx_peer_id). Each peer announces its own ID through pushing peer-info using 'ID=7f1' hex format so identification can still happen even if IP/port changes. In P2P mode, peer switch to using the announced IDs after mutual exchange. In P2MP mode, clients always announce their ID, and servers can optionally respond with their own to enable the same behavior. Change-Id: I0a13ee90b6706acf20eabcee3bab3f2dff639bf9 Signed-off-by: Gianmarco De Gregori <gia...@ma...> --- M src/openvpn/dco.c M src/openvpn/init.c M src/openvpn/misc.c M src/openvpn/multi.c M src/openvpn/push.c M src/openvpn/ssl.c M src/openvpn/ssl_common.h M src/openvpn/ssl_ncp.c M src/openvpn/ssl_util.c M src/openvpn/ssl_util.h M tests/unit_tests/openvpn/test_crypto.c 11 files changed, 65 insertions(+), 27 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/89/1089/1 diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c index 98cbb72..3687f4a 100644 --- a/src/openvpn/dco.c +++ b/src/openvpn/dco.c @@ -513,7 +513,7 @@ c->c2.tls_multi->dco_peer_id = -1; } #endif - int ret = dco_new_peer(&c->c1.tuntap->dco, multi->peer_id, sock->sd, NULL, + int ret = dco_new_peer(&c->c1.tuntap->dco, multi->rx_peer_id, sock->sd, NULL, proto_is_dgram(sock->info.proto) ? remoteaddr : NULL, NULL, NULL); if (ret < 0) @@ -521,7 +521,7 @@ return ret; } - c->c2.tls_multi->dco_peer_id = multi->peer_id; + c->c2.tls_multi->dco_peer_id = multi->rx_peer_id; return 0; } 
@@ -595,7 +595,7 @@ { struct context *c = &mi->context; - int peer_id = c->c2.tls_multi->peer_id; + int peer_id = c->c2.tls_multi->rx_peer_id; struct sockaddr *remoteaddr, *localaddr = NULL; struct sockaddr_storage local = { 0 }; int sd = c->c2.link_sockets[0]->sd; @@ -667,7 +667,7 @@ if (addrtype == MR_ADDR_IPV6) { #if defined(_WIN32) - dco_win_add_iroute_ipv6(&c->c1.tuntap->dco, addr->v6.addr, addr->netbits, c->c2.tls_multi->peer_id); + dco_win_add_iroute_ipv6(&c->c1.tuntap->dco, addr->v6.addr, addr->netbits, c->c2.tls_multi->rx_peer_id); #else net_route_v6_add(&m->top.net_ctx, &addr->v6.addr, addr->netbits, &mi->context.c2.push_ifconfig_ipv6_local, c->c1.tuntap->actual_name, 0, @@ -677,7 +677,7 @@ else if (addrtype == MR_ADDR_IPV4) { #if defined(_WIN32) - dco_win_add_iroute_ipv4(&c->c1.tuntap->dco, addr->v4.addr, addr->netbits, c->c2.tls_multi->peer_id); + dco_win_add_iroute_ipv4(&c->c1.tuntap->dco, addr->v4.addr, addr->netbits, c->c2.tls_multi->rx_peer_id); #else in_addr_t dest = htonl(addr->v4.addr); net_route_v4_add(&m->top.net_ctx, &dest, addr->netbits, diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 77747a2..543eaf9 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -2328,7 +2328,7 @@ if (o->use_peer_id) { - buf_printf(&out, ", peer-id: %d", o->peer_id); + buf_printf(&out, ", rx_peer-id: %u, tx_peer-id: %u", c->c2.tls_multi->rx_peer_id, c->c2.tls_multi->tx_peer_id); } #ifdef USE_COMP @@ -2778,7 +2778,7 @@ { msg(D_PUSH_DEBUG, "OPTIONS IMPORT: peer-id set"); c->c2.tls_multi->use_peer_id = true; - c->c2.tls_multi->peer_id = c->options.peer_id; + c->c2.tls_multi->tx_peer_id = c->options.peer_id; } /* process (potentially) pushed options */ diff --git a/src/openvpn/misc.c b/src/openvpn/misc.c index 4695700..122ca74 100644 --- a/src/openvpn/misc.c +++ b/src/openvpn/misc.c 
@@ -777,7 +777,8 @@ { chomp(line); if (validate_peer_info_line(line) - && (strncmp(line, "IV_", 3) == 0 || strncmp(line, "UV_", 3) == 0) ) + && (strncmp(line, "IV_", 3) == 0 || strncmp(line, "UV_", 3) == 0 + || strncmp(line, "ID", 2) == 0)) { msg(M_INFO, "peer info: %s", line); env_set_add(es, line); diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index a760e07..6987dc5 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -479,7 +479,7 @@ && check_debug_level(D_DCO_DEBUG) && dco_enabled(&mi->context.options)) { - buf_printf(&out, " peer-id=%d", mi->context.c2.tls_multi->peer_id); + buf_printf(&out, " rx_peer-id=%d", mi->context.c2.tls_multi->rx_peer_id); } return BSTR(&out); } @@ -655,9 +655,9 @@ } #endif - if (mi->context.c2.tls_multi->peer_id != MAX_PEER_ID) + if (mi->context.c2.tls_multi->rx_peer_id != MAX_PEER_ID) { - m->instances[mi->context.c2.tls_multi->peer_id] = NULL; + m->instances[mi->context.c2.tls_multi->rx_peer_id] = NULL; } schedule_remove_entry(m->schedule, (struct schedule_entry *) mi); @@ -972,7 +972,7 @@ #else sep, #endif - sep, mi->context.c2.tls_multi ? mi->context.c2.tls_multi->peer_id : UINT32_MAX, + sep, mi->context.c2.tls_multi ? mi->context.c2.tls_multi->rx_peer_id : UINT32_MAX, sep, translate_cipher_name_to_openvpn(mi->context.options.ciphername)); } gc_free(&gc); @@ -1813,6 +1813,12 @@ { tls_multi->use_peer_id = true; o->use_peer_id = true; + uint32_t peer_id = extract_asymmetric_peer_id(peer_info); + if (peer_id) + { + tls_multi->tx_peer_id = peer_id; + tls_multi->use_asymmetric_peer_id = true; + } } else if (dco_enabled(o)) { @@ -3256,7 +3262,7 @@ } msg(D_MULTI_MEDIUM, "peer %" PRIu32 " (%s) floated from %s to %s", - mi->context.c2.tls_multi->peer_id, + mi->context.c2.tls_multi->rx_peer_id, tls_common_name(mi->context.c2.tls_multi, false), mroute_addr_print(&mi->real, &gc), print_link_socket_actual(&m->top.c2.from, &gc)); 
@@ -4235,7 +4241,11 @@ { if (!m->instances[i]) { - mi->context.c2.tls_multi->peer_id = i; + mi->context.c2.tls_multi->rx_peer_id = i; + if (!mi->context.c2.tls_multi->use_asymmetric_peer_id) + { + mi->context.c2.tls_multi->tx_peer_id = i; + } m->instances[i] = mi; break; } @@ -4243,7 +4253,7 @@ /* should not really end up here, since multi_create_instance returns null * if amount of clients exceeds max_clients */ - ASSERT(mi->context.c2.tls_multi->peer_id < m->max_clients); + ASSERT(mi->context.c2.tls_multi->rx_peer_id < m->max_clients); } /**************************************************************************/ diff --git a/src/openvpn/push.c b/src/openvpn/push.c index ad8fa3d7..073e6b6 100644 --- a/src/openvpn/push.c +++ b/src/openvpn/push.c @@ -654,7 +654,7 @@ if (tls_multi->use_peer_id) { push_option_fmt(gc, push_list, M_USAGE, "peer-id %d", - tls_multi->peer_id); + tls_multi->rx_peer_id); } /* * If server uses --auth-gen-token and we have an auth token diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 9c6616a..edac9aa 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -1181,7 +1181,9 @@ /* get command line derived options */ ret->opt = *tls_options; ret->dco_peer_id = -1; - ret->peer_id = MAX_PEER_ID; + ret->use_asymmetric_peer_id = false; + ret->rx_peer_id = MAX_PEER_ID; + ret->tx_peer_id = MAX_PEER_ID; return ret; } @@ -1947,7 +1949,7 @@ * @return true if no error was encountered */ static bool -push_peer_info(struct buffer *buf, struct tls_session *session) +push_peer_info(struct buffer *buf, struct tls_session *session, uint32_t peer_id) { struct gc_arena gc = gc_new(); bool ret = false; @@ -2038,6 +2040,7 @@ iv_proto |= IV_PROTO_DYN_TLS_CRYPT; buf_printf(&out, "IV_PROTO=%d\n", iv_proto); + buf_printf(&out, "ID=%x\n", peer_id); if (session->opt->push_peer_info_detail > 1) { @@ -2221,7 +2224,7 @@ } } - if (!push_peer_info(buf, session)) + if (!push_peer_info(buf, session, multi->rx_peer_id)) { goto error; } 
@@ -4143,9 +4146,8 @@ msg(D_TLS_DEBUG, __func__); ASSERT(ks); - peer = htonl(((P_DATA_V2 << P_OPCODE_SHIFT) | ks->key_id) << 24 - | (multi->peer_id & 0xFFFFFF)); + | (multi->tx_peer_id & 0xFFFFFF)); ASSERT(buf_write_prepend(buf, &peer, 4)); } diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h index e9e50da..1e2f534 100644 --- a/src/openvpn/ssl_common.h +++ b/src/openvpn/ssl_common.h @@ -689,8 +689,10 @@ #define AUTH_TOKEN_VALID_EMPTYUSER (1 << 2) /* For P_DATA_V2 */ - uint32_t peer_id; + uint32_t rx_peer_id; + uint32_t tx_peer_id; bool use_peer_id; + bool use_asymmetric_peer_id; char *remote_ciphername; /**< cipher specified in peer's config file */ bool remote_usescomp; /**< remote announced comp-lzo in OCC string */ diff --git a/src/openvpn/ssl_ncp.c b/src/openvpn/ssl_ncp.c index 74d7b43..5e0af03 100644 --- a/src/openvpn/ssl_ncp.c +++ b/src/openvpn/ssl_ncp.c @@ -426,7 +426,9 @@ if (iv_proto_peer & IV_PROTO_DATA_V2) { multi->use_peer_id = true; - multi->peer_id = 0x76706e; /* 'v' 'p' 'n' */ + multi->use_asymmetric_peer_id = true; + multi->rx_peer_id = 0x76706e; /* 'v' 'p' 'n' */ + multi->tx_peer_id = 2033; } if (iv_proto_peer & IV_PROTO_CC_EXIT_NOTIFY) @@ -469,7 +471,7 @@ } else { - multi->peer_id = (peerid[0] << 16) + (peerid[1] << 8) + peerid[2]; + multi->rx_peer_id = (peerid[0] << 16) + (peerid[1] << 8) + peerid[2]; } } @@ -513,10 +515,11 @@ } msg(D_TLS_DEBUG_LOW, "P2P mode NCP negotiation result: " - "TLS_export=%d, DATA_v2=%d, peer-id %d, epoch=%d, cipher=%s", + "TLS_export=%d, DATA_v2=%d, rx-peer-id %d, tx-peer-id %d, epoch=%d, cipher=%s", (bool)(session->opt->crypto_flags & CO_USE_TLS_KEY_MATERIAL_EXPORT), multi->use_peer_id, - multi->peer_id, + multi->rx_peer_id, + multi->tx_peer_id, (bool)(session->opt->crypto_flags & CO_EPOCH_DATA_KEY_FORMAT), common_cipher); diff --git a/src/openvpn/ssl_util.c b/src/openvpn/ssl_util.c index d3d7b2c..fde6f7e 100644 --- a/src/openvpn/ssl_util.c +++ b/src/openvpn/ssl_util.c 
@@ -74,6 +74,24 @@ return 0; } +uint32_t +extract_asymmetric_peer_id(const char *peer_info) +{ + const char *optstr = peer_info ? strstr(peer_info, "ID=") : NULL; + if (optstr) + { + uint32_t peer_id = 0; + int r = sscanf(optstr, "ID=%x", &peer_id); + { + if (r == 1 && peer_id >= 0) + { + return peer_id; + } + } + } + return 0; +} + const char * options_string_compat_lzo(const char *options, struct gc_arena *gc) { diff --git a/src/openvpn/ssl_util.h b/src/openvpn/ssl_util.h index e50f899..e9c7ef8 100644 --- a/src/openvpn/ssl_util.h +++ b/src/openvpn/ssl_util.h @@ -55,6 +55,8 @@ */ unsigned int extract_iv_proto(const char *peer_info); +uint32_t extract_asymmetric_peer_id(const char *peer_info); + /** * Takes a locally produced OCC string for TLS server mode and modifies as * if the option comp-lzo was enabled. This is to send a client in diff --git a/tests/unit_tests/openvpn/test_crypto.c b/tests/unit_tests/openvpn/test_crypto.c index 5b583c7..9d618ca 100644 --- a/tests/unit_tests/openvpn/test_crypto.c +++ b/tests/unit_tests/openvpn/test_crypto.c @@ -437,7 +437,7 @@ o.authname = "SHA1"; o.ciphername = "AES-256-GCM"; o.tls_client = true; - o.peer_id = 77; + o.rx_peer_id = 77; o.use_peer_id = true; init_key_type(&kt, o.ciphername, o.authname, true, false); -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1089?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I0a13ee90b6706acf20eabcee3bab3f2dff639bf9 Gerrit-Change-Number: 1089 Gerrit-PatchSet: 1 Gerrit-Owner: its_Giaan <gia...@ma...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Attention: flichtenheld <fr...@li...> Gerrit-MessageType: newchange |
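Review bot: the tests/unit_tests/openvpn/test_crypto.c hunk changes `o.peer_id = 77` to `o.rx_peer_id = 77`, but `rx_peer_id` is introduced by this patch on `struct tls_multi` (ssl_common.h), while `o` here is populated with `ciphername`, `authname`, `tls_client` and `use_peer_id`, i.e. the options structure, whose `peer_id` is left untouched (init.c still reads `c->options.peer_id`). The test now refers to a member that does not exist. Keep `o.peer_id = 77` here, or, if the test is meant to exercise the split, give it a `tls_multi` with `tx_peer_id` set, since that is the id that ends up in the P_DATA_V2 header.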
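Review bot: the ssl.c hunk at @@ -4143 deletes both lines of the `peer = htonl(...)` statement and re-adds only the second one, so the remaining statement starts with `| (multi->tx_peer_id & 0xFFFFFF));` and has no left operand (hunk counts -9/+8, one line net removed). Restore `peer = htonl(((P_DATA_V2 << P_OPCODE_SHIFT) | ks->key_id) << 24` unchanged above it.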
From: mrbff (C. Review) <ge...@op...> - 2025-07-17 05:25:49
Attention is currently required from: flichtenheld, mrbff, plaisthos. Hello flichtenheld, plaisthos, stipa, I'd like you to reexamine a change. Please visit http://gerrit.openvpn.net/c/openvpn/+/810?usp=email to look at the new patch set (#20). The change is no longer submittable: checks~ChecksSubmitRule is unsatisfied now. Change subject: PUSH_UPDATE: Added update_option() function. ...................................................................... PUSH_UPDATE: Added update_option() function. When the function receives an option to update, it first checks whether it has already received an option of the same type within the same update message. If it has already received it, it simply calls add_option(), otherwise it deletes all the values already present regarding that option. Change-Id: Ia45c99e6df7b3ad24020c10b8a9b3577984ecdc2 Signed-off-by: Marco Baffo <ma...@ma...> --- M src/openvpn/options.c 1 file changed, 247 insertions(+), 10 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/10/810/20 diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 22eaa8a..713df52 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -5642,6 +5642,13 @@ return options->forward_compatible ? M_WARN : msglevel; } +#define RESET_OPTION_ROUTES(option_ptr, field) \ + if (option_ptr) \ + { \ + option_ptr->field = NULL; \ + option_ptr->flags = 0; \ + } + /** * @brief Resets options found in the PUSH_UPDATE message that are preceded by the `-` flag. * This function is used in push-updates to reset specified options. @@ -5696,11 +5703,7 @@ delete_routes_v4(c->c1.route_list, c->c1.tuntap, ROUTE_OPTION_FLAGS(&c->options), es, &c->net_ctx); - if (options->routes) - { - options->routes->routes = NULL; - options->routes->flags = 0; - } + RESET_OPTION_ROUTES(options->routes, routes); } } else if (streq(p[0], "route-ipv6") && !p[1]) 
@@ -5711,11 +5714,7 @@ delete_routes_v6(c->c1.route_ipv6_list, c->c1.tuntap, ROUTE_OPTION_FLAGS(&c->options), es, &c->net_ctx); - if (options->routes_ipv6) - { - options->routes_ipv6->routes_ipv6 = NULL; - options->routes_ipv6->flags = 0; - } + RESET_OPTION_ROUTES(options->routes_ipv6, routes_ipv6); } } else if (streq(p[0], "route-gateway") && !p[1]) 
@@ -5834,6 +5833,238 @@ err: msg(msglevel, "Error occurred trying to remove %s option", p[0]); } + +/** + * @brief Processes an option to update. It first checks whether it has already + * received an option of the same type within the same update message. + * If the option has already been received, it calls add_option(). + * Otherwise, it deletes all existing values related to that option before calling add_option(). + * + * @param c The context structure. + * @param options A pointer to the options structure. + * @param p An array of strings containing the options and their parameters. + * @param is_inline A boolean indicating if the option is inline. + * @param file The file where the function is called. + * @param line The line number where the function is called. + * @param level The level of the option. + * @param msglevel The message level for logging. + * @param permission_mask The permission mask used by VERIFY_PERMISSION(). + * @param option_types_found A pointer to the variable where the flags corresponding to the options found are stored. + * @param es The environment set structure. + * @param update_options_found A pointer to the variable where the flags corresponding to the update options found are stored, + * used to check if an option of the same type has already been processed by update_option() within the same push-update message. 
+ */ +static void +update_option(struct context *c, + struct options *options, + char *p[], + bool is_inline, + const char *file, + int line, + const int level, + const int msglevel, + const unsigned int permission_mask, + unsigned int *option_types_found, + struct env_set *es, + unsigned int *update_options_found) +{ + const bool pull_mode = BOOL_CAST(permission_mask & OPT_P_PULL_MODE); + ASSERT(MAX_PARMS >= 7); + + if (streq(p[0], "route") && p[1] && !p[5]) + { + if (!(*update_options_found & OPT_P_U_ROUTE)) + { + VERIFY_PERMISSION(OPT_P_ROUTE); + rol_check_alloc(options); + if (pull_mode) + { + if (!ip_or_dns_addr_safe(p[1], options->allow_pull_fqdn) && !is_special_addr(p[1])) /* FQDN -- may be DNS name */ + { + msg(msglevel, "route parameter network/IP '%s' must be a valid address", p[1]); + goto err; + } + if (p[2] && !ip_addr_dotted_quad_safe(p[2])) /* FQDN -- must be IP address */ + { + msg(msglevel, "route parameter netmask '%s' must be an IP address", p[2]); + goto err; + } + if (p[3] && !ip_or_dns_addr_safe(p[3], options->allow_pull_fqdn) && !is_special_addr(p[3])) /* FQDN -- may be DNS name */ + { + msg(msglevel, "route parameter gateway '%s' must be a valid address", p[3]); + goto err; + } + } + if (c->c1.route_list) + { + delete_routes_v4(c->c1.route_list, c->c1.tuntap, + ROUTE_OPTION_FLAGS(&c->options), + es, &c->net_ctx); + RESET_OPTION_ROUTES(options->routes, routes); + } + *update_options_found |= OPT_P_U_ROUTE; + } + } + else if (streq(p[0], "route-ipv6") && p[1] && !p[4]) + { + if (!(*update_options_found & OPT_P_U_ROUTE6)) + { + VERIFY_PERMISSION(OPT_P_ROUTE); + rol6_check_alloc(options); + if (pull_mode) + { + if (!ipv6_addr_safe_hexplusbits(p[1])) + { + msg(msglevel, "route-ipv6 parameter network/IP '%s' must be a valid address", p[1]); + goto err; + } + if (p[2] && !ipv6_addr_safe(p[2])) + { + msg(msglevel, "route-ipv6 parameter gateway '%s' must be a valid address", p[2]); + goto err; + } + /* p[3] is metric, if present */ + } + if 
(c->c1.route_ipv6_list) + { + delete_routes_v6(c->c1.route_ipv6_list, c->c1.tuntap, + ROUTE_OPTION_FLAGS(&c->options), + es, &c->net_ctx); + RESET_OPTION_ROUTES(options->routes_ipv6, routes_ipv6); + } + *update_options_found |= OPT_P_U_ROUTE6; + } + } + else if (streq(p[0], "redirect-gateway") || streq(p[0], "redirect-private")) + { + if (!(*update_options_found & OPT_P_U_REDIR_GATEWAY)) + { + VERIFY_PERMISSION(OPT_P_ROUTE); + if (options->routes) + { + options->routes->flags = 0; + } + if (options->routes_ipv6) + { + options->routes_ipv6->flags = 0; + } + *update_options_found |= OPT_P_U_REDIR_GATEWAY; + } + } + else if (streq(p[0], "dns") && p[1]) + { + if (!(*update_options_found & OPT_P_U_DNS)) + { + VERIFY_PERMISSION(OPT_P_DHCPDNS); + if (streq(p[1], "server") && p[2] && p[3] && p[4]) + { + long priority; + if (!dns_server_priority_parse(&priority, p[2], pull_mode)) + { + msg(msglevel, "--dns server: invalid priority value '%s'", p[2]); + goto err; + } + + struct dns_server server; + CLEAR(server); + if (streq(p[3], "address") && p[4]) + { + for (int i = 4; p[i]; ++i) + { + if (!dns_server_addr_parse(&server, p[i])) + { + msg(msglevel, "--dns server %ld: malformed address or maximum exceeded '%s'", priority, p[i]); + goto err; + } + } + } + else if (streq(p[3], "dnssec") && !p[5]) + { + if (!streq(p[4], "yes") && !streq(p[4], "no") && !streq(p[4], "optional")) + { + msg(msglevel, "--dns server %ld: malformed dnssec value '%s'", priority, p[4]); + goto err; + } + } + else if (streq(p[3], "transport") && !p[5]) + { + if (!streq(p[4], "plain") && !streq(p[4], "DoH") && !streq(p[4], "DoT")) + { + msg(msglevel, "--dns server %ld: malformed transport value '%s'", priority, p[4]); + goto err; + } + } + else if (!streq(p[3], "resolve-domains") + && !(streq(p[3], "sni") && !p[5])) + { + msg(msglevel, "--dns server %ld: unknown option type '%s' or missing or unknown parameter", priority, p[3]); + goto err; + } + } + else if (!(streq(p[1], "search-domains") && p[2])) + { 
+ msg(msglevel, "--dns: unknown option type '%s' or missing or unknown parameter", p[1]); + goto err; + } + + gc_free(&options->dns_options.gc); + CLEAR(options->dns_options); + *update_options_found |= OPT_P_U_DNS; + } + } +#if defined(_WIN32) || defined(TARGET_ANDROID) + else if (streq(p[0], "dhcp-option") && p[1] && !p[3]) + { + if (!(*update_options_found & OPT_P_U_DHCP)) + { + struct tuntap_options *o = &options->tuntap_options; + VERIFY_PERMISSION(OPT_P_DHCPDNS); + + o->domain = NULL; + o->netbios_scope = NULL; + o->netbios_node_type = 0; + o->dns6_len = 0; + CLEAR(o->dns6); + o->dns_len = 0; + CLEAR(o->dns); + o->wins_len = 0; + CLEAR(o->wins); + o->ntp_len = 0; + CLEAR(o->ntp); + o->nbdd_len = 0; + CLEAR(o->nbdd); + while (o->domain_search_list_len-- > 0) + { + o->domain_search_list[o->domain_search_list_len] = NULL; + } + o->disable_nbt = 0; + o->dhcp_options = 0; +#if defined(TARGET_ANDROID) + o->http_proxy_port = 0; + o->http_proxy = NULL; +#endif + *update_options_found |= OPT_P_U_DHCP; + } + } +#else /* if defined(_WIN32) || defined(TARGET_ANDROID) */ + else if (streq(p[0], "dhcp-option") && p[1] && !p[3]) + { + if (!(*update_options_found & OPT_P_U_DHCP)) + { + VERIFY_PERMISSION(OPT_P_DHCPDNS); + delete_all_dhcp_fo(options, &es->list); + *update_options_found |= OPT_P_U_DHCP; + } + } +#endif /* if defined(_WIN32) || defined(TARGET_ANDROID) */ + add_option(options, p, is_inline, file, line, + level, msglevel, permission_mask, + option_types_found, es); + return; +err: + msg(msglevel, "Error occurred trying to update %s option", p[0]); +} + bool apply_push_options(struct context *c, struct options *options, @@ -5847,6 +6078,7 @@ int line_num = 0; const char *file = "[PUSH-OPTIONS]"; const int msglevel = D_PUSH_ERRORS|M_OPTERR; + unsigned int update_options_found = 0; while (buf_parse(buf, ',', line, sizeof(line))) { 
@@ -5872,6 +6104,11 @@ remove_option(c, options, p, false, file, line_num, msglevel, permission_mask, option_types_found, es); } + else + { + update_option(c, options, p, false, file, line_num, 0, msglevel, + permission_mask, option_types_found, es, &update_options_found); + } } } return true; -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/810?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Ia45c99e6df7b3ad24020c10b8a9b3577984ecdc2 Gerrit-Change-Number: 810 Gerrit-PatchSet: 20 Gerrit-Owner: mrbff <ma...@ma...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-Reviewer: stipa <lst...@gm...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Attention: flichtenheld <fr...@li...> Gerrit-Attention: mrbff <ma...@ma...> Gerrit-MessageType: newpatchset |
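Review bot: `RESET_OPTION_ROUTES` in the @@ -5642 hunk expands to a bare `if` with no `do { ... } while (0)` wrapper and without parenthesising `option_ptr`, so a use in an unbraced `if`/`else` binds the trailing `else` to the macro's own `if`, and an argument containing an operator does not group as written. Wrap it as `do { if ((option_ptr)) { (option_ptr)->field = NULL; (option_ptr)->flags = 0; } } while (0)`; given that only two call sites exist, two small static helpers would also read more clearly than a token-pasting macro.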
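Review bot: in update_option's `dhcp-option` reset for _WIN32/TARGET_ANDROID, `while (o->domain_search_list_len-- > 0)` leaves `domain_search_list_len` one below zero when the loop ends, because the post-decrement still runs on the final, failing test; it ends at -1 (or wraps, if the field is unsigned) instead of 0, and any subsequent append that uses the length as the next free index writes before the array. Clear the entries with an index loop, `for (int i = 0; i < o->domain_search_list_len; ++i) { o->domain_search_list[i] = NULL; }`, and then set `o->domain_search_list_len = 0;` explicitly (CLEAR on the array would do the same). Two further points in the same function: the address checks for `route` and `route-ipv6` and the argument validation for `dns` sit inside the `!(*update_options_found & ...)` guards, so only the first option of each kind in a PUSH_UPDATE message is validated here and later ones go straight to add_option; either hoist the checks out of the guards or drop them if add_option repeats them. And the `redirect-gateway`/`redirect-private` branch only zeroes `routes->flags` and `routes_ipv6->flags`, whereas the `route` branches call delete_routes_v4/v6 first; if the redirect routes already installed under the old flags are not torn down somewhere else, they stay on the host after the update.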
From: cron2 (C. Review) <ge...@op...> - 2025-07-16 21:03:00
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/1086?usp=email ) Change subject: t_server_null: match test numbers with server numbers ...................................................................... t_server_null: match test numbers with server numbers This makes it obvious which server each test connects to Change-Id: I49c69144ab6dcf1d26c96c2eafc2346ad4e0ca75 Signed-off-by: Samuli Seppänen <sa...@pm...> Acked-by: Gert Doering <ge...@gr...> Message-Id: <202...@gr...> URL: https://www.mail-archive.com/ope...@li.../msg32194.html Signed-off-by: Gert Doering <ge...@gr...> --- M tests/t_server_null_default.rc 1 file changed, 42 insertions(+), 42 deletions(-) diff --git a/tests/t_server_null_default.rc b/tests/t_server_null_default.rc index a1c68cd..900f189 100755 --- a/tests/t_server_null_default.rc +++ b/tests/t_server_null_default.rc 
@@ -80,67 +80,67 @@ CLIENT_CIPHER_OPTS="" CLIENT_CERT_OPTS="--ca ${CA} --cert ${CLIENT_CERT} --key ${CLIENT_KEY} --tls-auth ${TA} 1" -TEST_RUN_LIST="1 1L 2 2L 3 4a 4b 4c 5a 5b 5c" +TEST_RUN_LIST="1a 1b 1c 1L 2a 2L 3a 3b 4a 4b 4c" CLIENT_CONF_BASE="${CLIENT_NULL_OPTS} ${CLIENT_BASE_OPTS} ${CLIENT_CIPHER_OPTS} ${CLIENT_CERT_OPTS}" CLIENT_CONF_BASE_LWIP="${CLIENT_LWIP_OPTS} ${CLIENT_BASE_OPTS} ${CLIENT_CIPHER_OPTS} ${CLIENT_CERT_OPTS}" -TEST_NAME_1="t_server_null_client.sh-openvpn_current_udp" -SHOULD_PASS_1="yes" -CLIENT_EXEC_1="${CLIENT_EXEC}" -CLIENT_CONF_1="${CLIENT_CONF_BASE} --remote 127.0.0.1 1194 udp --proto udp" +TEST_NAME_1a="t_server_null_client.sh-openvpn_current_udp" +SHOULD_PASS_1a="yes" +CLIENT_EXEC_1a="${CLIENT_EXEC}" +CLIENT_CONF_1a="${CLIENT_CONF_BASE} --remote 127.0.0.1 1194 udp --proto udp" + +TEST_NAME_1b="t_server_null_client.sh-openvpn_current_udp_fail" +SHOULD_PASS_1b="no" +CLIENT_EXEC_1b="${CLIENT_EXEC}" +CLIENT_CONF_1b="${CLIENT_CONF_BASE} --remote 127.0.0.1 11194 udp --proto udp" + +# --data-cipher list against server with defaults +# --cipher ignored +TEST_NAME_1c="t_server_null_client.sh-openvpn_current_udp_dc1" +SHOULD_PASS_1c="yes" +CLIENT_EXEC_1c="${CLIENT_EXEC}" +CLIENT_CONF_1c="${CLIENT_CONF_BASE} --remote 127.0.0.1 1194 udp --proto udp --cipher AES-128-CBC --data-ciphers AES-192-CBC:DEFAULT" TEST_NAME_1L="t_server_null_client.sh-openvpn_current_udp_lwip" SHOULD_PASS_1L="yes" CLIENT_EXEC_1L="${CLIENT_EXEC}" CLIENT_CONF_1L="${CLIENT_CONF_BASE_LWIP} --remote 127.0.0.1 1194 udp --proto udp" -TEST_NAME_2="t_server_null_client.sh-openvpn_current_tcp" -SHOULD_PASS_2="yes" -CLIENT_EXEC_2="${CLIENT_EXEC}" -CLIENT_CONF_2="${CLIENT_CONF_BASE} --remote 127.0.0.1 1195 tcp --proto tcp" +TEST_NAME_2a="t_server_null_client.sh-openvpn_current_tcp" +SHOULD_PASS_2a="yes" +CLIENT_EXEC_2a="${CLIENT_EXEC}" +CLIENT_CONF_2a="${CLIENT_CONF_BASE} --remote 127.0.0.1 1195 tcp --proto tcp" TEST_NAME_2L="t_server_null_client.sh-openvpn_current_tcp_lwip" 
SHOULD_PASS_2L="yes" CLIENT_EXEC_2L="${CLIENT_EXEC}" CLIENT_CONF_2L="${CLIENT_CONF_BASE_LWIP} --remote 127.0.0.1 1195 tcp --proto tcp" -TEST_NAME_3="t_server_null_client.sh-openvpn_current_udp_fail" -SHOULD_PASS_3="no" -CLIENT_EXEC_3="${CLIENT_EXEC}" -CLIENT_CONF_3="${CLIENT_CONF_BASE} --remote 127.0.0.1 11194 udp --proto udp" - -# --data-cipher list against server with defaults -# --cipher ignored -TEST_NAME_4a="t_server_null_client.sh-openvpn_current_udp_dc1" -SHOULD_PASS_4a="yes" -CLIENT_EXEC_4a="${CLIENT_EXEC}" -CLIENT_CONF_4a="${CLIENT_CONF_BASE} --remote 127.0.0.1 1194 udp --proto udp --cipher AES-128-CBC --data-ciphers AES-192-CBC:DEFAULT" - # specific --data-cipher against server that supports that cipher # --cipher ignored -TEST_NAME_4b="t_server_null_client.sh-openvpn_current_udp_dc3" -SHOULD_PASS_4b="yes" -CLIENT_EXEC_4b="${CLIENT_EXEC}" -CLIENT_CONF_4b="${CLIENT_CONF_BASE} --remote 127.0.0.1 1196 udp --proto udp --cipher AES-128-CBC --data-ciphers AES-192-CBC" +TEST_NAME_3a="t_server_null_client.sh-openvpn_current_udp_dc3" +SHOULD_PASS_3a="yes" +CLIENT_EXEC_3a="${CLIENT_EXEC}" +CLIENT_CONF_3a="${CLIENT_CONF_BASE} --remote 127.0.0.1 1196 udp --proto udp --cipher AES-128-CBC --data-ciphers AES-192-CBC" # specific --data-cipher against server that doesn't support that cipher # --cipher ignored -TEST_NAME_4c="t_server_null_client.sh-openvpn_current_udp_dc3_fail" +TEST_NAME_3b="t_server_null_client.sh-openvpn_current_udp_dc3_fail" +SHOULD_PASS_3b="no" +CLIENT_EXEC_3b="${CLIENT_EXEC}" +CLIENT_CONF_3b="${CLIENT_CONF_BASE} --remote 127.0.0.1 1196 udp --proto udp --cipher AES-192-CBC --data-ciphers AES-128-CBC" + +TEST_NAME_4a="t_server_null_client.sh-openvpn_current_multisocket_ipv4_tcp" +SHOULD_PASS_4a="yes" +CLIENT_EXEC_4a="${CLIENT_EXEC}" +CLIENT_CONF_4a="${CLIENT_CONF_BASE} --remote 127.0.0.1 1197 tcp" + +TEST_NAME_4b="t_server_null_client.sh-openvpn_current_multisocket_ipv6_udp" +SHOULD_PASS_4b="yes" +CLIENT_EXEC_4b="${CLIENT_EXEC}" 
+CLIENT_CONF_4b="${CLIENT_CONF_BASE} --remote ::1 1197 udp" + +TEST_NAME_4c="t_server_null_client.sh-openvpn_current_multisocket_ipv6_tcp_fail" SHOULD_PASS_4c="no" CLIENT_EXEC_4c="${CLIENT_EXEC}" -CLIENT_CONF_4c="${CLIENT_CONF_BASE} --remote 127.0.0.1 1196 udp --proto udp --cipher AES-192-CBC --data-ciphers AES-128-CBC" - -TEST_NAME_5a="t_server_null_client.sh-openvpn_current_multisocket_ipv4_tcp" -SHOULD_PASS_5a="yes" -CLIENT_EXEC_5a="${CLIENT_EXEC}" -CLIENT_CONF_5a="${CLIENT_CONF_BASE} --remote 127.0.0.1 1197 tcp" - -TEST_NAME_5b="t_server_null_client.sh-openvpn_current_multisocket_ipv6_udp" -SHOULD_PASS_5b="yes" -CLIENT_EXEC_5b="${CLIENT_EXEC}" -CLIENT_CONF_5b="${CLIENT_CONF_BASE} --remote ::1 1197 udp" - -TEST_NAME_5c="t_server_null_client.sh-openvpn_current_multisocket_ipv6_tcp_fail" -SHOULD_PASS_5c="no" -CLIENT_EXEC_5c="${CLIENT_EXEC}" -CLIENT_CONF_5c="${CLIENT_CONF_BASE} --remote ::1 1197 tcp" +CLIENT_CONF_4c="${CLIENT_CONF_BASE} --remote ::1 1197 tcp" -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1086?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I49c69144ab6dcf1d26c96c2eafc2346ad4e0ca75 Gerrit-Change-Number: 1086 Gerrit-PatchSet: 3 Gerrit-Owner: mattock <sa...@pr...> Gerrit-Reviewer: cron2 <ge...@gr...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-MessageType: merged |
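Review bot: the renumbering is purely mechanical and keeps every CLIENT_CONF_ value intact (1 to 1a, 3 to 1b, 4a to 1c, 4b to 3a, 4c to 3b, 5a to 4a, 5b to 4b, 5c to 4c) with TEST_RUN_LIST updated to match, so the set of exercised cases does not change. Two things worth confirming before merge: that no other .rc file or CI wrapper still refers to the old suffixes 3, 5a, 5b or 5c, which would now expand to unset variables rather than fail loudly, and that the two explanatory comment blocks (`# --data-cipher list against server with defaults` and `# specific --data-cipher against server that supports that cipher`) still sit directly above the tests they describe, which they do in the new layout.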
From: cron2 (C. Review) <ge...@op...> - 2025-07-16 21:02:59
cron2 has uploaded a new patch set (#3) to the change originally created by mattock. ( http://gerrit.openvpn.net/c/openvpn/+/1086?usp=email ) The following approvals got outdated and were removed: Code-Review+2 by cron2 Change subject: t_server_null: match test numbers with server numbers ...................................................................... t_server_null: match test numbers with server numbers This makes it obvious which server each test connects to Change-Id: I49c69144ab6dcf1d26c96c2eafc2346ad4e0ca75 Signed-off-by: Samuli Seppänen <sa...@pm...> Acked-by: Gert Doering <ge...@gr...> Message-Id: <202...@gr...> URL: https://www.mail-archive.com/ope...@li.../msg32194.html Signed-off-by: Gert Doering <ge...@gr...> --- M tests/t_server_null_default.rc 1 file changed, 42 insertions(+), 42 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/86/1086/3 diff --git a/tests/t_server_null_default.rc b/tests/t_server_null_default.rc index a1c68cd..900f189 100755 --- a/tests/t_server_null_default.rc +++ b/tests/t_server_null_default.rc 
@@ -80,67 +80,67 @@ CLIENT_CIPHER_OPTS="" CLIENT_CERT_OPTS="--ca ${CA} --cert ${CLIENT_CERT} --key ${CLIENT_KEY} --tls-auth ${TA} 1" -TEST_RUN_LIST="1 1L 2 2L 3 4a 4b 4c 5a 5b 5c" +TEST_RUN_LIST="1a 1b 1c 1L 2a 2L 3a 3b 4a 4b 4c" CLIENT_CONF_BASE="${CLIENT_NULL_OPTS} ${CLIENT_BASE_OPTS} ${CLIENT_CIPHER_OPTS} ${CLIENT_CERT_OPTS}" CLIENT_CONF_BASE_LWIP="${CLIENT_LWIP_OPTS} ${CLIENT_BASE_OPTS} ${CLIENT_CIPHER_OPTS} ${CLIENT_CERT_OPTS}" -TEST_NAME_1="t_server_null_client.sh-openvpn_current_udp" -SHOULD_PASS_1="yes" -CLIENT_EXEC_1="${CLIENT_EXEC}" -CLIENT_CONF_1="${CLIENT_CONF_BASE} --remote 127.0.0.1 1194 udp --proto udp" +TEST_NAME_1a="t_server_null_client.sh-openvpn_current_udp" +SHOULD_PASS_1a="yes" +CLIENT_EXEC_1a="${CLIENT_EXEC}" +CLIENT_CONF_1a="${CLIENT_CONF_BASE} --remote 127.0.0.1 1194 udp --proto udp" + +TEST_NAME_1b="t_server_null_client.sh-openvpn_current_udp_fail" +SHOULD_PASS_1b="no" +CLIENT_EXEC_1b="${CLIENT_EXEC}" +CLIENT_CONF_1b="${CLIENT_CONF_BASE} --remote 127.0.0.1 11194 udp --proto udp" + +# --data-cipher list against server with defaults +# --cipher ignored +TEST_NAME_1c="t_server_null_client.sh-openvpn_current_udp_dc1" +SHOULD_PASS_1c="yes" +CLIENT_EXEC_1c="${CLIENT_EXEC}" +CLIENT_CONF_1c="${CLIENT_CONF_BASE} --remote 127.0.0.1 1194 udp --proto udp --cipher AES-128-CBC --data-ciphers AES-192-CBC:DEFAULT" TEST_NAME_1L="t_server_null_client.sh-openvpn_current_udp_lwip" SHOULD_PASS_1L="yes" CLIENT_EXEC_1L="${CLIENT_EXEC}" CLIENT_CONF_1L="${CLIENT_CONF_BASE_LWIP} --remote 127.0.0.1 1194 udp --proto udp" -TEST_NAME_2="t_server_null_client.sh-openvpn_current_tcp" -SHOULD_PASS_2="yes" -CLIENT_EXEC_2="${CLIENT_EXEC}" -CLIENT_CONF_2="${CLIENT_CONF_BASE} --remote 127.0.0.1 1195 tcp --proto tcp" +TEST_NAME_2a="t_server_null_client.sh-openvpn_current_tcp" +SHOULD_PASS_2a="yes" +CLIENT_EXEC_2a="${CLIENT_EXEC}" +CLIENT_CONF_2a="${CLIENT_CONF_BASE} --remote 127.0.0.1 1195 tcp --proto tcp" TEST_NAME_2L="t_server_null_client.sh-openvpn_current_tcp_lwip" 
SHOULD_PASS_2L="yes" CLIENT_EXEC_2L="${CLIENT_EXEC}" CLIENT_CONF_2L="${CLIENT_CONF_BASE_LWIP} --remote 127.0.0.1 1195 tcp --proto tcp" -TEST_NAME_3="t_server_null_client.sh-openvpn_current_udp_fail" -SHOULD_PASS_3="no" -CLIENT_EXEC_3="${CLIENT_EXEC}" -CLIENT_CONF_3="${CLIENT_CONF_BASE} --remote 127.0.0.1 11194 udp --proto udp" - -# --data-cipher list against server with defaults -# --cipher ignored -TEST_NAME_4a="t_server_null_client.sh-openvpn_current_udp_dc1" -SHOULD_PASS_4a="yes" -CLIENT_EXEC_4a="${CLIENT_EXEC}" -CLIENT_CONF_4a="${CLIENT_CONF_BASE} --remote 127.0.0.1 1194 udp --proto udp --cipher AES-128-CBC --data-ciphers AES-192-CBC:DEFAULT" - # specific --data-cipher against server that supports that cipher # --cipher ignored -TEST_NAME_4b="t_server_null_client.sh-openvpn_current_udp_dc3" -SHOULD_PASS_4b="yes" -CLIENT_EXEC_4b="${CLIENT_EXEC}" -CLIENT_CONF_4b="${CLIENT_CONF_BASE} --remote 127.0.0.1 1196 udp --proto udp --cipher AES-128-CBC --data-ciphers AES-192-CBC" +TEST_NAME_3a="t_server_null_client.sh-openvpn_current_udp_dc3" +SHOULD_PASS_3a="yes" +CLIENT_EXEC_3a="${CLIENT_EXEC}" +CLIENT_CONF_3a="${CLIENT_CONF_BASE} --remote 127.0.0.1 1196 udp --proto udp --cipher AES-128-CBC --data-ciphers AES-192-CBC" # specific --data-cipher against server that doesn't support that cipher # --cipher ignored -TEST_NAME_4c="t_server_null_client.sh-openvpn_current_udp_dc3_fail" +TEST_NAME_3b="t_server_null_client.sh-openvpn_current_udp_dc3_fail" +SHOULD_PASS_3b="no" +CLIENT_EXEC_3b="${CLIENT_EXEC}" +CLIENT_CONF_3b="${CLIENT_CONF_BASE} --remote 127.0.0.1 1196 udp --proto udp --cipher AES-192-CBC --data-ciphers AES-128-CBC" + +TEST_NAME_4a="t_server_null_client.sh-openvpn_current_multisocket_ipv4_tcp" +SHOULD_PASS_4a="yes" +CLIENT_EXEC_4a="${CLIENT_EXEC}" +CLIENT_CONF_4a="${CLIENT_CONF_BASE} --remote 127.0.0.1 1197 tcp" + +TEST_NAME_4b="t_server_null_client.sh-openvpn_current_multisocket_ipv6_udp" +SHOULD_PASS_4b="yes" +CLIENT_EXEC_4b="${CLIENT_EXEC}" 
+CLIENT_CONF_4b="${CLIENT_CONF_BASE} --remote ::1 1197 udp" + +TEST_NAME_4c="t_server_null_client.sh-openvpn_current_multisocket_ipv6_tcp_fail" SHOULD_PASS_4c="no" CLIENT_EXEC_4c="${CLIENT_EXEC}" -CLIENT_CONF_4c="${CLIENT_CONF_BASE} --remote 127.0.0.1 1196 udp --proto udp --cipher AES-192-CBC --data-ciphers AES-128-CBC" - -TEST_NAME_5a="t_server_null_client.sh-openvpn_current_multisocket_ipv4_tcp" -SHOULD_PASS_5a="yes" -CLIENT_EXEC_5a="${CLIENT_EXEC}" -CLIENT_CONF_5a="${CLIENT_CONF_BASE} --remote 127.0.0.1 1197 tcp" - -TEST_NAME_5b="t_server_null_client.sh-openvpn_current_multisocket_ipv6_udp" -SHOULD_PASS_5b="yes" -CLIENT_EXEC_5b="${CLIENT_EXEC}" -CLIENT_CONF_5b="${CLIENT_CONF_BASE} --remote ::1 1197 udp" - -TEST_NAME_5c="t_server_null_client.sh-openvpn_current_multisocket_ipv6_tcp_fail" -SHOULD_PASS_5c="no" -CLIENT_EXEC_5c="${CLIENT_EXEC}" -CLIENT_CONF_5c="${CLIENT_CONF_BASE} --remote ::1 1197 tcp" +CLIENT_CONF_4c="${CLIENT_CONF_BASE} --remote ::1 1197 tcp" -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1086?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I49c69144ab6dcf1d26c96c2eafc2346ad4e0ca75 Gerrit-Change-Number: 1086 Gerrit-PatchSet: 3 Gerrit-Owner: mattock <sa...@pr...> Gerrit-Reviewer: cron2 <ge...@gr...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-MessageType: newpatchset |
From: Gert D. <ge...@gr...> - 2025-07-16 21:02:45
Basically just shuffling numbers around, but making future modifications of the .rc files easier, because it's easier to see which client test talks to what server instance. Thanks. Buildbot-tested and no fails :-) Your patch has been applied to the master branch. commit 31aedd7fbfd9d4856a5ae7085d15228ec57fb2a1 Author: Samuli Seppänen Date: Wed Jul 16 18:56:49 2025 +0200 t_server_null: match test numbers with server numbers Signed-off-by: Samuli Seppänen <sa...@pm...> Acked-by: Gert Doering <ge...@gr...> Message-Id: <202...@gr...> URL: https://www.mail-archive.com/ope...@li.../msg32194.html Signed-off-by: Gert Doering <ge...@gr...> -- kind regards, Gert Doering |
From: Gert D. <ge...@gr...> - 2025-07-16 16:57:10
From: Samuli Seppänen <sa...@pm...> This makes it obvious which server each test connects to Change-Id: I49c69144ab6dcf1d26c96c2eafc2346ad4e0ca75 Signed-off-by: Samuli Seppänen <sa...@pm...> Acked-by: Gert Doering <ge...@gr...> --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1086 This mail reflects revision 2 of this Change. Acked-by according to Gerrit (reflected above): Gert Doering <ge...@gr...> diff --git a/tests/t_server_null_default.rc b/tests/t_server_null_default.rc index a1c68cd..900f189 100755 --- a/tests/t_server_null_default.rc +++ b/tests/t_server_null_default.rc 
@@ -80,67 +80,67 @@ CLIENT_CIPHER_OPTS="" CLIENT_CERT_OPTS="--ca ${CA} --cert ${CLIENT_CERT} --key ${CLIENT_KEY} --tls-auth ${TA} 1" -TEST_RUN_LIST="1 1L 2 2L 3 4a 4b 4c 5a 5b 5c" +TEST_RUN_LIST="1a 1b 1c 1L 2a 2L 3a 3b 4a 4b 4c" CLIENT_CONF_BASE="${CLIENT_NULL_OPTS} ${CLIENT_BASE_OPTS} ${CLIENT_CIPHER_OPTS} ${CLIENT_CERT_OPTS}" CLIENT_CONF_BASE_LWIP="${CLIENT_LWIP_OPTS} ${CLIENT_BASE_OPTS} ${CLIENT_CIPHER_OPTS} ${CLIENT_CERT_OPTS}" -TEST_NAME_1="t_server_null_client.sh-openvpn_current_udp" -SHOULD_PASS_1="yes" -CLIENT_EXEC_1="${CLIENT_EXEC}" -CLIENT_CONF_1="${CLIENT_CONF_BASE} --remote 127.0.0.1 1194 udp --proto udp" +TEST_NAME_1a="t_server_null_client.sh-openvpn_current_udp" +SHOULD_PASS_1a="yes" +CLIENT_EXEC_1a="${CLIENT_EXEC}" +CLIENT_CONF_1a="${CLIENT_CONF_BASE} --remote 127.0.0.1 1194 udp --proto udp" + +TEST_NAME_1b="t_server_null_client.sh-openvpn_current_udp_fail" +SHOULD_PASS_1b="no" +CLIENT_EXEC_1b="${CLIENT_EXEC}" +CLIENT_CONF_1b="${CLIENT_CONF_BASE} --remote 127.0.0.1 11194 udp --proto udp" + +# --data-cipher list against server with defaults +# --cipher ignored +TEST_NAME_1c="t_server_null_client.sh-openvpn_current_udp_dc1" +SHOULD_PASS_1c="yes" +CLIENT_EXEC_1c="${CLIENT_EXEC}" +CLIENT_CONF_1c="${CLIENT_CONF_BASE} --remote 127.0.0.1 1194 udp --proto udp --cipher AES-128-CBC --data-ciphers AES-192-CBC:DEFAULT" TEST_NAME_1L="t_server_null_client.sh-openvpn_current_udp_lwip" SHOULD_PASS_1L="yes" CLIENT_EXEC_1L="${CLIENT_EXEC}" CLIENT_CONF_1L="${CLIENT_CONF_BASE_LWIP} --remote 127.0.0.1 1194 udp --proto udp" -TEST_NAME_2="t_server_null_client.sh-openvpn_current_tcp" -SHOULD_PASS_2="yes" -CLIENT_EXEC_2="${CLIENT_EXEC}" -CLIENT_CONF_2="${CLIENT_CONF_BASE} --remote 127.0.0.1 1195 tcp --proto tcp" +TEST_NAME_2a="t_server_null_client.sh-openvpn_current_tcp" +SHOULD_PASS_2a="yes" +CLIENT_EXEC_2a="${CLIENT_EXEC}" +CLIENT_CONF_2a="${CLIENT_CONF_BASE} --remote 127.0.0.1 1195 tcp --proto tcp" TEST_NAME_2L="t_server_null_client.sh-openvpn_current_tcp_lwip" 
SHOULD_PASS_2L="yes" CLIENT_EXEC_2L="${CLIENT_EXEC}" CLIENT_CONF_2L="${CLIENT_CONF_BASE_LWIP} --remote 127.0.0.1 1195 tcp --proto tcp" -TEST_NAME_3="t_server_null_client.sh-openvpn_current_udp_fail" -SHOULD_PASS_3="no" -CLIENT_EXEC_3="${CLIENT_EXEC}" -CLIENT_CONF_3="${CLIENT_CONF_BASE} --remote 127.0.0.1 11194 udp --proto udp" - -# --data-cipher list against server with defaults -# --cipher ignored -TEST_NAME_4a="t_server_null_client.sh-openvpn_current_udp_dc1" -SHOULD_PASS_4a="yes" -CLIENT_EXEC_4a="${CLIENT_EXEC}" -CLIENT_CONF_4a="${CLIENT_CONF_BASE} --remote 127.0.0.1 1194 udp --proto udp --cipher AES-128-CBC --data-ciphers AES-192-CBC:DEFAULT" - # specific --data-cipher against server that supports that cipher # --cipher ignored -TEST_NAME_4b="t_server_null_client.sh-openvpn_current_udp_dc3" -SHOULD_PASS_4b="yes" -CLIENT_EXEC_4b="${CLIENT_EXEC}" -CLIENT_CONF_4b="${CLIENT_CONF_BASE} --remote 127.0.0.1 1196 udp --proto udp --cipher AES-128-CBC --data-ciphers AES-192-CBC" +TEST_NAME_3a="t_server_null_client.sh-openvpn_current_udp_dc3" +SHOULD_PASS_3a="yes" +CLIENT_EXEC_3a="${CLIENT_EXEC}" +CLIENT_CONF_3a="${CLIENT_CONF_BASE} --remote 127.0.0.1 1196 udp --proto udp --cipher AES-128-CBC --data-ciphers AES-192-CBC" # specific --data-cipher against server that doesn't support that cipher # --cipher ignored -TEST_NAME_4c="t_server_null_client.sh-openvpn_current_udp_dc3_fail" +TEST_NAME_3b="t_server_null_client.sh-openvpn_current_udp_dc3_fail" +SHOULD_PASS_3b="no" +CLIENT_EXEC_3b="${CLIENT_EXEC}" +CLIENT_CONF_3b="${CLIENT_CONF_BASE} --remote 127.0.0.1 1196 udp --proto udp --cipher AES-192-CBC --data-ciphers AES-128-CBC" + +TEST_NAME_4a="t_server_null_client.sh-openvpn_current_multisocket_ipv4_tcp" +SHOULD_PASS_4a="yes" +CLIENT_EXEC_4a="${CLIENT_EXEC}" +CLIENT_CONF_4a="${CLIENT_CONF_BASE} --remote 127.0.0.1 1197 tcp" + +TEST_NAME_4b="t_server_null_client.sh-openvpn_current_multisocket_ipv6_udp" +SHOULD_PASS_4b="yes" +CLIENT_EXEC_4b="${CLIENT_EXEC}" 
+CLIENT_CONF_4b="${CLIENT_CONF_BASE} --remote ::1 1197 udp" + +TEST_NAME_4c="t_server_null_client.sh-openvpn_current_multisocket_ipv6_tcp_fail" SHOULD_PASS_4c="no" CLIENT_EXEC_4c="${CLIENT_EXEC}" -CLIENT_CONF_4c="${CLIENT_CONF_BASE} --remote 127.0.0.1 1196 udp --proto udp --cipher AES-192-CBC --data-ciphers AES-128-CBC" - -TEST_NAME_5a="t_server_null_client.sh-openvpn_current_multisocket_ipv4_tcp" -SHOULD_PASS_5a="yes" -CLIENT_EXEC_5a="${CLIENT_EXEC}" -CLIENT_CONF_5a="${CLIENT_CONF_BASE} --remote 127.0.0.1 1197 tcp" - -TEST_NAME_5b="t_server_null_client.sh-openvpn_current_multisocket_ipv6_udp" -SHOULD_PASS_5b="yes" -CLIENT_EXEC_5b="${CLIENT_EXEC}" -CLIENT_CONF_5b="${CLIENT_CONF_BASE} --remote ::1 1197 udp" - -TEST_NAME_5c="t_server_null_client.sh-openvpn_current_multisocket_ipv6_tcp_fail" -SHOULD_PASS_5c="no" -CLIENT_EXEC_5c="${CLIENT_EXEC}" -CLIENT_CONF_5c="${CLIENT_CONF_BASE} --remote ::1 1197 tcp" +CLIENT_CONF_4c="${CLIENT_CONF_BASE} --remote ::1 1197 tcp" |
From: cron2 (C. Review) <ge...@op...> - 2025-07-16 16:56:52
Attention is currently required from: flichtenheld, mattock, plaisthos. cron2 has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/1086?usp=email ) Change subject: t_server_null: match test numbers with server numbers ...................................................................... Patch Set 2: Code-Review+2 -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1086?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I49c69144ab6dcf1d26c96c2eafc2346ad4e0ca75 Gerrit-Change-Number: 1086 Gerrit-PatchSet: 2 Gerrit-Owner: mattock <sa...@pr...> Gerrit-Reviewer: cron2 <ge...@gr...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Attention: flichtenheld <fr...@li...> Gerrit-Attention: mattock <sa...@pr...> Gerrit-Comment-Date: Wed, 16 Jul 2025 16:56:42 +0000 Gerrit-HasComments: No Gerrit-Has-Labels: Yes Gerrit-MessageType: comment |
From: Gert D. <ge...@gr...> - 2025-07-16 16:29:31
From: Ralf Lici <ra...@ma...> When a peer changes its UDP endpoint, the DCO module emits a notification to userspace. The message is parsed and the relevant information is extracted in order to process the floating operation. Note that we preserve IPv4-mapped IPv6 addresses in userspace when receiving a pure IPv4 address from the module, otherwise openvpn wouldn't be able to retrieve the multi_instance using the transport address hash table lookup. Change-Id: I33e9272b4196c7634db2fb33a75ae4261660867f Signed-off-by: Ralf Lici <ra...@ma...> Acked-by: Antonio Quartulli <an...@ma...> --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1084 This mail reflects revision 3 of this Change. Acked-by according to Gerrit (reflected above): Antonio Quartulli <an...@ma...> diff --git a/src/openvpn/dco_linux.c b/src/openvpn/dco_linux.c index 22a445a..f04ebfe 100644 --- a/src/openvpn/dco_linux.c +++ b/src/openvpn/dco_linux.c 
@@ -768,6 +768,44 @@ return ret; } +static bool +ovpn_parse_float_addr(struct nlattr **attrs, struct sockaddr *out) +{ + if (!attrs[OVPN_A_PEER_REMOTE_PORT]) + { + msg(D_DCO, "ovpn-dco: no remote port in PEER_FLOAT_NTF message"); + return false; + } + + if (attrs[OVPN_A_PEER_REMOTE_IPV4]) + { + struct sockaddr_in *addr4 = (struct sockaddr_in *)out; + CLEAR(*addr4); + addr4->sin_family = AF_INET; + addr4->sin_port = nla_get_u16(attrs[OVPN_A_PEER_REMOTE_PORT]); + addr4->sin_addr.s_addr = nla_get_u32(attrs[OVPN_A_PEER_REMOTE_IPV4]); + return true; + } + else if (attrs[OVPN_A_PEER_REMOTE_IPV6] + && nla_len(attrs[OVPN_A_PEER_REMOTE_IPV6]) == sizeof(struct in6_addr)) + { + struct sockaddr_in6 *addr6 = (struct sockaddr_in6 *)out; + CLEAR(*addr6); + addr6->sin6_family = AF_INET6; + addr6->sin6_port = nla_get_u16(attrs[OVPN_A_PEER_REMOTE_PORT]); + memcpy(&addr6->sin6_addr, nla_data(attrs[OVPN_A_PEER_REMOTE_IPV6]), + sizeof(addr6->sin6_addr)); + if (attrs[OVPN_A_PEER_REMOTE_IPV6_SCOPE_ID]) + { + addr6->sin6_scope_id = nla_get_u32(attrs[OVPN_A_PEER_REMOTE_IPV6_SCOPE_ID]); + } + return true; + } + + msg(D_DCO, "ovpn-dco: no valid remote IP address in PEER_FLOAT_NTF message"); + return false; +} + /* This function parses any netlink message sent by ovpn-dco to userspace */ static int ovpn_handle_msg(struct nl_msg *msg, void *arg) 
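Review bot: `ovpn_parse_float_addr` checks `nla_len()` for OVPN_A_PEER_REMOTE_IPV6 but not for OVPN_A_PEER_REMOTE_IPV4, OVPN_A_PEER_REMOTE_PORT or OVPN_A_PEER_REMOTE_IPV6_SCOPE_ID, and the caller hands `nla_parse_nested` a NULL policy, so nothing validates attribute sizes before `nla_get_u32` and `nla_get_u16` read them; a truncated attribute from a misbehaving module would be read past its payload. Either guard the IPv4 and port reads the same way as the IPv6 one (`nla_len(attrs[OVPN_A_PEER_REMOTE_IPV4]) == sizeof(uint32_t)`) or pass an `nla_policy` with NLA_U32/NLA_U16 entries so libnl rejects malformed attributes up front. It is also worth confirming in the commit message or a comment that the module emits the port in network byte order, since the raw `nla_get_u16` value is assigned straight to `sin_port`/`sin6_port`.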
@@ -856,6 +894,45 @@ break; } + case OVPN_CMD_PEER_FLOAT_NTF: + { + if (!attrs[OVPN_A_PEER]) + { + msg(D_DCO, "ovpn-dco: no peer in PEER_FLOAT_NTF message"); + return NL_STOP; + } + + struct nlattr *fp_attrs[OVPN_A_PEER_MAX + 1]; + if (nla_parse_nested(fp_attrs, OVPN_A_PEER_MAX, attrs[OVPN_A_PEER], + NULL)) + { + msg(D_DCO, "ovpn-dco: can't parse peer in PEER_FLOAT_NTF messsage"); + return NL_STOP; + } + + if (!fp_attrs[OVPN_A_PEER_ID]) + { + msg(D_DCO, "ovpn-dco: no peer-id in PEER_FLOAT_NTF message"); + return NL_STOP; + } + uint32_t peerid = nla_get_u32(fp_attrs[OVPN_A_PEER_ID]); + + if (!ovpn_parse_float_addr(fp_attrs, (struct sockaddr *)&dco->dco_float_peer_ss)) + { + return NL_STOP; + } + + struct gc_arena gc = gc_new(); + msg(D_DCO_DEBUG, + "ovpn-dco: received CMD_PEER_FLOAT_NTF, ifindex: %u, peer-id %u, address: %s", + ifindex, peerid, print_sockaddr((struct sockaddr *)&dco->dco_float_peer_ss, &gc)); + dco->dco_message_peer_id = (int)peerid; + dco->dco_message_type = OVPN_CMD_PEER_FLOAT_NTF; + + gc_free(&gc); + break; + } + case OVPN_CMD_KEY_SWAP_NTF: { if (!attrs[OVPN_A_KEYCONF]) diff --git a/src/openvpn/dco_linux.h b/src/openvpn/dco_linux.h index 4e441ec..676b8cd 100644 --- a/src/openvpn/dco_linux.h +++ b/src/openvpn/dco_linux.h @@ -34,6 +34,7 @@ /* Defines to avoid mismatching with other platforms */ #define OVPN_CMD_DEL_PEER OVPN_CMD_PEER_DEL_NTF #define OVPN_CMD_SWAP_KEYS OVPN_CMD_KEY_SWAP_NTF +#define OVPN_CMD_FLOAT_PEER OVPN_CMD_PEER_FLOAT_NTF typedef enum ovpn_key_slot dco_key_slot_t; typedef enum ovpn_cipher_alg dco_cipher_t; @@ -75,6 +76,7 @@ int dco_message_peer_id; int dco_message_key_id; int dco_del_peer_reason; + struct sockaddr_storage dco_float_peer_ss; uint64_t dco_read_bytes; uint64_t dco_write_bytes; } dco_context_t; diff --git a/src/openvpn/dco_win.c b/src/openvpn/dco_win.c index 2a13658..83db739 100644 --- a/src/openvpn/dco_win.c +++ b/src/openvpn/dco_win.c 
@@ -663,6 +663,7 @@ dco->dco_message_peer_id = dco->notif_buf.PeerId; dco->dco_message_type = dco->notif_buf.Cmd; dco->dco_del_peer_reason = dco->notif_buf.DelPeerReason; + dco->dco_float_peer_ss = dco->notif_buf.FloatAddress; } else { diff --git a/src/openvpn/dco_win.h b/src/openvpn/dco_win.h index 4513f3f..b9d93fa 100644 --- a/src/openvpn/dco_win.h +++ b/src/openvpn/dco_win.h @@ -52,6 +52,7 @@ int dco_message_peer_id; int dco_message_type; int dco_del_peer_reason; + struct sockaddr_storage dco_float_peer_ss; uint64_t dco_read_bytes; uint64_t dco_write_bytes; diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index a4f260a..0b4ceae 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c @@ -1243,6 +1243,37 @@ perf_pop(); } +void +extract_dco_float_peer_addr(const uint32_t peer_id, + struct openvpn_sockaddr *out_osaddr, + const struct sockaddr *float_sa) +{ + if (float_sa->sa_family == AF_INET) + { + struct sockaddr_in *float4 = (struct sockaddr_in *)float_sa; + /* DCO treats IPv4-mapped IPv6 addresses as pure IPv4. However, we need + * to preserve the mapping, otherwise openvpn will not be able to find + * the peer by its trasnport address. + */ + if (out_osaddr->addr.sa.sa_family == AF_INET6 + && IN6_IS_ADDR_V4MAPPED(&out_osaddr->addr.in6.sin6_addr)) + { + memcpy(&out_osaddr->addr.in6.sin6_addr.s6_addr[12], + &float4->sin_addr.s_addr, sizeof(in_addr_t)); + out_osaddr->addr.in6.sin6_port = float4->sin_port; + } + else + { + memcpy(&out_osaddr->addr.in4, float4, sizeof(struct sockaddr_in)); + } + } + else + { + struct sockaddr_in6 *float6 = (struct sockaddr_in6 *)float_sa; + memcpy(&out_osaddr->addr.in6, float6, sizeof(struct sockaddr_in6)); + } +} + static void process_incoming_dco(struct context *c) { diff --git a/src/openvpn/forward.h b/src/openvpn/forward.h index 318691f..4f3d81e 100644 --- a/src/openvpn/forward.h +++ b/src/openvpn/forward.h 
@@ -196,6 +196,21 @@ void process_incoming_link_part2(struct context *c, struct link_socket_info *lsi, const uint8_t *orig_buf); /** + * Transfers \c float_sa data extracted from an incoming DCO + * PEER_FLOAT_NTF to \c out_osaddr for later processing. + * + * @param peer_id - The id of the floating peer. + * @param out_osaddr - openvpn_sockaddr struct that will be filled the new + * address data + * @param float_sa - The sockaddr struct containing the data received from the + * DCO notification + * + */ +void +extract_dco_float_peer_addr(uint32_t peer_id, struct openvpn_sockaddr *out_osaddr, + const struct sockaddr *float_sa); + +/** * Write a packet to the external network interface. * @ingroup external_multiplexer * diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index a760e07..5030faa 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -3384,6 +3384,16 @@ { process_incoming_del_peer(m, mi, dco); } +#if defined(TARGET_LINUX) || defined(TARGET_WIN32) + else if (dco->dco_message_type == OVPN_CMD_FLOAT_PEER) + { + extract_dco_float_peer_addr(peer_id, &m->top.c2.from.dest, + (struct sockaddr *)&dco->dco_float_peer_ss); + ASSERT(mi->context.c2.link_sockets[0]); + multi_process_float(m, mi, mi->context.c2.link_sockets[0]); + CLEAR(dco->dco_float_peer_ss); + } +#endif /* if defined(TARGET_LINUX) || defined(TARGET_WIN32) */ else if (dco->dco_message_type == OVPN_CMD_SWAP_KEYS) { tls_session_soft_reset(mi->context.c2.tls_multi); diff --git a/src/openvpn/multi.h b/src/openvpn/multi.h index 40f7519..fe9e847 100644 --- a/src/openvpn/multi.h +++ b/src/openvpn/multi.h @@ -322,7 +322,7 @@ /** * Process an incoming DCO message (from kernel space). * - * @param m - The single \c multi_context structur.e + * @param m - The single \c multi_context structure. * * @return * - True, if the message was received correctly. diff --git a/src/openvpn/ovpn_dco_linux.h b/src/openvpn/ovpn_dco_linux.h index 680d152..b3c9ff0 100644 --- a/src/openvpn/ovpn_dco_linux.h 
+++ b/src/openvpn/ovpn_dco_linux.h @@ -99,6 +99,7 @@ OVPN_CMD_KEY_SWAP, OVPN_CMD_KEY_SWAP_NTF, OVPN_CMD_KEY_DEL, + OVPN_CMD_PEER_FLOAT_NTF, __OVPN_CMD_MAX, OVPN_CMD_MAX = (__OVPN_CMD_MAX - 1) diff --git a/src/openvpn/ovpn_dco_win.h b/src/openvpn/ovpn_dco_win.h index 865bb38..dd6b7ce 100644 --- a/src/openvpn/ovpn_dco_win.h +++ b/src/openvpn/ovpn_dco_win.h @@ -149,7 +149,8 @@ typedef enum { OVPN_CMD_DEL_PEER, - OVPN_CMD_SWAP_KEYS + OVPN_CMD_SWAP_KEYS, + OVPN_CMD_FLOAT_PEER } OVPN_NOTIFY_CMD; typedef enum { @@ -164,6 +165,7 @@ OVPN_NOTIFY_CMD Cmd; int PeerId; OVPN_DEL_PEER_REASON DelPeerReason; + struct sockaddr_storage FloatAddress; } OVPN_NOTIFY_EVENT, * POVPN_NOTIFY_EVENT; typedef struct _OVPN_MP_DEL_PEER { |
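Review bot: in the OVPN_CMD_PEER_FLOAT_NTF case of `ovpn_handle_msg`, the log string "can't parse peer in PEER_FLOAT_NTF messsage" has a typo (messsage). Separately, `ovpn_parse_float_addr` writes into `dco->dco_float_peer_ss` in place, and its IPv4 branch only does `CLEAR(*addr4)`, which zeroes sizeof(struct sockaddr_in) bytes rather than the whole sockaddr_storage, so a preceding IPv6 float would leave stale bytes behind the sockaddr_in. multi.c does `CLEAR(dco->dco_float_peer_ss)` after consuming each notification, which makes this harmless today, but clearing the full storage in the parser (or clearing it before the parse) would make the helper safe on its own.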
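Review bot: `extract_dco_float_peer_addr` in forward.c takes `peer_id` but never uses it, while the forward.h doc block describes it as "The id of the floating peer"; either drop the parameter (and the argument in multi.c) or use it, for instance in a debug log line. The final `else` branch assumes AF_INET6 without checking `sa_family`; an explicit `else if (float_sa->sa_family == AF_INET6)` with a fallback that logs and leaves `out_osaddr` untouched would avoid copying an unexpected sockaddr over `addr.in6`. Minor: "trasnport" in the comment, and the forward.h doc "will be filled the new address data" is missing "with".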
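Review bot: the OVPN_CMD_FLOAT_PEER branch in multi.c always hands `mi->context.c2.link_sockets[0]` to `multi_process_float`; on a multi-socket server the instance may have been accepted on a different listening socket, so the float would be processed against a socket the peer is not bound to. Worth confirming that `multi_process_float` only uses the socket for protocol and address-family information, or otherwise selecting the socket the instance actually belongs to.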
From: cron2 (C. Review) <ge...@op...> - 2025-07-16 16:26:33
cron2 has uploaded a new patch set (#2) to the change originally created by flichtenheld. ( http://gerrit.openvpn.net/c/openvpn/+/1088?usp=email ) The following approvals got outdated and were removed: Code-Review+2 by plaisthos Change subject: configure.ac: Remove use of PKCS11_HELPER_LIBS in mbedTLS checks ...................................................................... configure.ac: Remove use of PKCS11_HELPER_LIBS in mbedTLS checks This code was copied over and over since many years, since commit 9a3f670248d6f519a399e65a7232e2196b5115db ("Fixed autoconf script to properly detect missing pkcs11 with polarssl"). It is unclear what exact purpose it served back then but probably it is obsolete. It is definitely wrong since it means that you get PKCS11_HELPER_LIBS even if you do not specify --enable-pkcs11. Change-Id: I317be5253d6563906dd3826421dc81f737beba76 Signed-off-by: Frank Lichtenheld <fr...@li...> Acked-by: Arne Schwabe <arn...@rf...> Message-Id: <202...@li...> URL: https://www.mail-archive.com/ope...@li.../msg32187.html Signed-off-by: Gert Doering <ge...@gr...> --- M configure.ac 1 file changed, 8 insertions(+), 12 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/88/1088/2 diff --git a/configure.ac b/configure.ac index 8fc48ba..66cb79b 100644 --- a/configure.ac +++ b/configure.ac @@ -798,14 +798,6 @@ ;; esac -PKG_CHECK_MODULES( - [PKCS11_HELPER], - [libpkcs11-helper-1 >= 1.11], - [have_pkcs11_helper="yes"], - [] -) - - if test "$enable_dco" != "no"; then enable_dco_arg="$enable_dco" if test "${enable_iproute2}" = "yes"; then 
@@ -1014,13 +1006,12 @@ [mbedtls_ssl_init], [MBEDTLS_LIBS="-lmbedtls -lmbedx509 -lmbedcrypto"], [AC_MSG_ERROR([Could not find mbed TLS.])], - [${PKCS11_HELPER_LIBS}] ) fi fi - CFLAGS="${MBEDTLS_CFLAGS} ${PKCS11_HELPER_CFLAGS} ${CFLAGS}" - LIBS="${MBEDTLS_LIBS} ${PKCS11_HELPER_LIBS} ${LIBS}" + CFLAGS="${MBEDTLS_CFLAGS} ${CFLAGS}" + LIBS="${MBEDTLS_LIBS} ${LIBS}" AC_MSG_CHECKING([mbedtls version]) AC_COMPILE_IFELSE( @@ -1359,7 +1350,12 @@ AM_CONDITIONAL([HAVE_SOFTHSM2], [false]) if test "${enable_pkcs11}" = "yes"; then - test "${have_pkcs11_helper}" != "yes" && AC_MSG_ERROR([PKCS11 enabled but libpkcs11-helper is missing]) + PKG_CHECK_MODULES( + [PKCS11_HELPER], + [libpkcs11-helper-1 >= 1.11], + [have_pkcs11_helper="yes"], + [AC_MSG_ERROR([PKCS11 enabled but libpkcs11-helper is missing])] + ) OPTIONAL_PKCS11_HELPER_CFLAGS="${PKCS11_HELPER_CFLAGS}" OPTIONAL_PKCS11_HELPER_LIBS="${PKCS11_HELPER_LIBS}" AC_DEFINE([ENABLE_PKCS11], [1], [Enable PKCS11]) -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1088?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I317be5253d6563906dd3826421dc81f737beba76 Gerrit-Change-Number: 1088 Gerrit-PatchSet: 2 Gerrit-Owner: flichtenheld <fr...@li...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-MessageType: newpatchset |
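Review bot: in the second hunk, deleting the `[${PKCS11_HELPER_LIBS}]` line leaves `[AC_MSG_ERROR([Could not find mbed TLS.])],` with a trailing comma before the closing parenthesis, so the macro is now invoked with an empty last argument; drop the comma. In the last hunk, `have_pkcs11_helper="yes"` is still set in the action-if-found branch, but the only consumer visible in the diff (`test "${have_pkcs11_helper}" != "yes"`) is removed in the same hunk, so unless something else in configure.ac reads the variable, the assignment can go too.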
From: cron2 (C. Review) <ge...@op...> - 2025-07-16 16:26:29
|
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/1088?usp=email ) Change subject: configure.ac: Remove use of PKCS11_HELPER_LIBS in mbedTLS checks ...................................................................... configure.ac: Remove use of PKCS11_HELPER_LIBS in mbedTLS checks This code was copied over and over since many years, since commit 9a3f670248d6f519a399e65a7232e2196b5115db ("Fixed autoconf script to properly detect missing pkcs11 with polarssl"). It is unclear what exact purpose it served back then but probably it is obsolete. It is definitely wrong since it means that you get PKCS11_HELPER_LIBS even if you do not specify --enable-pkcs11. Change-Id: I317be5253d6563906dd3826421dc81f737beba76 Signed-off-by: Frank Lichtenheld <fr...@li...> Acked-by: Arne Schwabe <arn...@rf...> Message-Id: <202...@li...> URL: https://www.mail-archive.com/ope...@li.../msg32187.html Signed-off-by: Gert Doering <ge...@gr...> --- M configure.ac 1 file changed, 8 insertions(+), 12 deletions(-) diff --git a/configure.ac b/configure.ac index 8fc48ba..66cb79b 100644 --- a/configure.ac +++ b/configure.ac @@ -798,14 +798,6 @@ ;; esac -PKG_CHECK_MODULES( - [PKCS11_HELPER], - [libpkcs11-helper-1 >= 1.11], - [have_pkcs11_helper="yes"], - [] -) - - if test "$enable_dco" != "no"; then enable_dco_arg="$enable_dco" if test "${enable_iproute2}" = "yes"; then @@ -1014,13 +1006,12 @@ [mbedtls_ssl_init], [MBEDTLS_LIBS="-lmbedtls -lmbedx509 -lmbedcrypto"], [AC_MSG_ERROR([Could not find mbed TLS.])], - [${PKCS11_HELPER_LIBS}] ) fi fi - CFLAGS="${MBEDTLS_CFLAGS} ${PKCS11_HELPER_CFLAGS} ${CFLAGS}" - LIBS="${MBEDTLS_LIBS} ${PKCS11_HELPER_LIBS} ${LIBS}" + CFLAGS="${MBEDTLS_CFLAGS} ${CFLAGS}" + LIBS="${MBEDTLS_LIBS} ${LIBS}" AC_MSG_CHECKING([mbedtls version]) AC_COMPILE_IFELSE( 
@@ -1359,7 +1350,12 @@ AM_CONDITIONAL([HAVE_SOFTHSM2], [false]) if test "${enable_pkcs11}" = "yes"; then - test "${have_pkcs11_helper}" != "yes" && AC_MSG_ERROR([PKCS11 enabled but libpkcs11-helper is missing]) + PKG_CHECK_MODULES( + [PKCS11_HELPER], + [libpkcs11-helper-1 >= 1.11], + [have_pkcs11_helper="yes"], + [AC_MSG_ERROR([PKCS11 enabled but libpkcs11-helper is missing])] + ) OPTIONAL_PKCS11_HELPER_CFLAGS="${PKCS11_HELPER_CFLAGS}" OPTIONAL_PKCS11_HELPER_LIBS="${PKCS11_HELPER_LIBS}" AC_DEFINE([ENABLE_PKCS11], [1], [Enable PKCS11]) -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1088?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I317be5253d6563906dd3826421dc81f737beba76 Gerrit-Change-Number: 1088 Gerrit-PatchSet: 2 Gerrit-Owner: flichtenheld <fr...@li...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-MessageType: merged |
From: Gert D. <ge...@gr...> - 2025-07-16 16:26:26
|
Nice and simple alternative to #1085... and the buildbots like it as well :-)

Your patch has been applied to the master branch.

commit ed690d1d58792f70b86b75b00c09df2ad96babca
Author: Frank Lichtenheld
Date: Wed Jul 16 17:18:57 2025 +0200

    configure.ac: Remove use of PKCS11_HELPER_LIBS in mbedTLS checks

    Signed-off-by: Frank Lichtenheld <fr...@li...>
    Acked-by: Arne Schwabe <arn...@rf...>
    Message-Id: <202...@li...>
    URL: https://www.mail-archive.com/ope...@li.../msg32187.html
    Signed-off-by: Gert Doering <ge...@gr...>

--
kind regards,

Gert Doering |