From: flichtenheld (C. Review) <ge...@op...> - 2025-07-16 15:34:55
Attention is currently required from: cron2, ordex, plaisthos. Hello plaisthos, I'd like you to reexamine a change. Please visit http://gerrit.openvpn.net/c/openvpn/+/791?usp=email to look at the new patch set (#22). Change subject: Reformat the whole project with clang-format ...................................................................... Reformat the whole project with clang-format Done with pre-commit run -a, so the version defined in pre-commit config is used. Change-Id: I2566ad493629e1f5fdfa6f6483b8973463404e3e 
Signed-off-by: Frank Lichtenheld <fr...@li...> --- M include/openvpn-msg.h M sample/sample-plugins/client-connect/sample-client-connect.c M sample/sample-plugins/defer/multi-auth.c M sample/sample-plugins/keying-material-exporter-demo/keyingmaterialexporter.c M sample/sample-plugins/log/log.c M sample/sample-plugins/log/log_v3.c M sample/sample-plugins/simple/base64.c M sample/sample-plugins/simple/simple.c M src/compat/compat-basename.c M src/compat/compat-dirname.c M src/compat/compat-gettimeofday.c M src/openvpn/argv.c M src/openvpn/argv.h M src/openvpn/auth_token.c M src/openvpn/auth_token.h M src/openvpn/base64.c M src/openvpn/base64.h M src/openvpn/basic.h M src/openvpn/buffer.c M src/openvpn/buffer.h M src/openvpn/circ_list.h M src/openvpn/clinat.c M src/openvpn/clinat.h M src/openvpn/common.h M src/openvpn/comp-lz4.c M src/openvpn/comp.c M src/openvpn/comp.h M src/openvpn/compstub.c M src/openvpn/console.c M src/openvpn/console.h M src/openvpn/console_builtin.c M src/openvpn/console_systemd.c M src/openvpn/crypto.c M src/openvpn/crypto.h M src/openvpn/crypto_backend.h M src/openvpn/crypto_epoch.c M src/openvpn/crypto_epoch.h M src/openvpn/crypto_mbedtls.c M src/openvpn/crypto_mbedtls.h M src/openvpn/crypto_openssl.c M src/openvpn/crypto_openssl.h M src/openvpn/cryptoapi.c M src/openvpn/dco.c M src/openvpn/dco.h M src/openvpn/dco_freebsd.c M src/openvpn/dco_freebsd.h M src/openvpn/dco_internal.h M src/openvpn/dco_linux.c M src/openvpn/dco_linux.h M src/openvpn/dco_win.c M src/openvpn/dco_win.h M src/openvpn/dhcp.c M src/openvpn/dhcp.h M src/openvpn/dns.c M src/openvpn/dns.h M src/openvpn/env_set.c M src/openvpn/env_set.h M src/openvpn/errlevel.h M src/openvpn/error.c M src/openvpn/error.h M src/openvpn/event.c M src/openvpn/event.h M src/openvpn/fdmisc.c M src/openvpn/fdmisc.h M src/openvpn/forward.c M src/openvpn/forward.h M src/openvpn/fragment.c M src/openvpn/fragment.h M src/openvpn/gremlin.c M src/openvpn/gremlin.h M src/openvpn/helper.c M 
src/openvpn/httpdigest.c M src/openvpn/httpdigest.h M src/openvpn/init.c M src/openvpn/init.h M src/openvpn/integer.h M src/openvpn/interval.c M src/openvpn/interval.h M src/openvpn/list.c M src/openvpn/list.h M src/openvpn/lladdr.c M src/openvpn/lzo.c M src/openvpn/lzo.h M src/openvpn/manage.c M src/openvpn/manage.h M src/openvpn/mbedtls_compat.h M src/openvpn/mbuf.c M src/openvpn/mbuf.h M src/openvpn/memdbg.h M src/openvpn/misc.c M src/openvpn/misc.h M src/openvpn/mroute.c M src/openvpn/mroute.h M src/openvpn/mss.c M src/openvpn/mss.h M src/openvpn/mstats.c M src/openvpn/mstats.h M src/openvpn/mtcp.c M src/openvpn/mtcp.h M src/openvpn/mtu.c M src/openvpn/mtu.h M src/openvpn/mudp.c M src/openvpn/multi.c M src/openvpn/multi.h M src/openvpn/multi_io.c M src/openvpn/networking.h M src/openvpn/networking_freebsd.c M src/openvpn/networking_iproute2.c M src/openvpn/networking_sitnl.c M src/openvpn/ntlm.c M src/openvpn/occ.c M src/openvpn/occ.h M src/openvpn/openssl_compat.h M src/openvpn/openvpn.c M src/openvpn/openvpn.h M src/openvpn/options.c M src/openvpn/options.h M src/openvpn/options_util.c M src/openvpn/options_util.h M src/openvpn/otime.c M src/openvpn/otime.h M src/openvpn/ovpn_dco_freebsd.h M src/openvpn/packet_id.c M src/openvpn/packet_id.h M src/openvpn/perf.c M src/openvpn/perf.h M src/openvpn/ping.c M src/openvpn/ping.h M src/openvpn/pkcs11.c M src/openvpn/pkcs11.h M src/openvpn/pkcs11_backend.h M src/openvpn/pkcs11_mbedtls.c M src/openvpn/pkcs11_openssl.c M src/openvpn/platform.c M src/openvpn/platform.h M src/openvpn/plugin.c M src/openvpn/plugin.h M src/openvpn/pool.c M src/openvpn/pool.h M src/openvpn/proto.c M src/openvpn/proto.h M src/openvpn/proxy.c M src/openvpn/proxy.h M src/openvpn/ps.c M src/openvpn/ps.h M src/openvpn/push.c M src/openvpn/push.h M src/openvpn/pushlist.h M src/openvpn/reflect_filter.c M src/openvpn/reflect_filter.h M src/openvpn/reliable.c M src/openvpn/reliable.h A src/openvpn/ring_buffer.h M src/openvpn/route.c M 
src/openvpn/route.h M src/openvpn/run_command.c M src/openvpn/run_command.h M src/openvpn/schedule.c M src/openvpn/schedule.h M src/openvpn/session_id.h M src/openvpn/shaper.c M src/openvpn/shaper.h M src/openvpn/sig.c M src/openvpn/sig.h M src/openvpn/socket.c M src/openvpn/socket.h M src/openvpn/socks.c M src/openvpn/socks.h M src/openvpn/ssl.c M src/openvpn/ssl.h M src/openvpn/ssl_backend.h M src/openvpn/ssl_common.h M src/openvpn/ssl_mbedtls.c M src/openvpn/ssl_mbedtls.h M src/openvpn/ssl_ncp.c M src/openvpn/ssl_ncp.h M src/openvpn/ssl_openssl.c M src/openvpn/ssl_openssl.h M src/openvpn/ssl_pkt.c M src/openvpn/ssl_pkt.h M src/openvpn/ssl_util.c M src/openvpn/ssl_util.h M src/openvpn/ssl_verify.c M src/openvpn/ssl_verify.h M src/openvpn/ssl_verify_backend.h M src/openvpn/ssl_verify_mbedtls.c M src/openvpn/ssl_verify_mbedtls.h M src/openvpn/ssl_verify_openssl.c M src/openvpn/status.c M src/openvpn/status.h M src/openvpn/syshead.h M src/openvpn/tls_crypt.c M src/openvpn/tls_crypt.h M src/openvpn/tun.c M src/openvpn/tun.h M src/openvpn/tun_afunix.c M src/openvpn/tun_afunix.h M src/openvpn/vlan.c M src/openvpn/vlan.h M src/openvpn/wfp_block.c M src/openvpn/wfp_block.h M src/openvpn/win32-util.c M src/openvpn/win32.c M src/openvpn/win32.h M src/openvpn/xkey_common.h M src/openvpn/xkey_helper.c M src/openvpn/xkey_provider.c M src/openvpnmsica/dllmain.c M src/openvpnmsica/msica_arg.c M src/openvpnmsica/msica_arg.h M src/openvpnmsica/msiex.c M src/openvpnmsica/msiex.h M src/openvpnmsica/openvpnmsica.c M src/openvpnmsica/openvpnmsica.h M src/openvpnserv/common.c M src/openvpnserv/interactive.c M src/openvpnserv/service.c M src/openvpnserv/service.h M src/openvpnserv/validate.c M src/openvpnserv/validate.h M src/plugins/auth-pam/auth-pam.c M src/plugins/auth-pam/pamdl.c M src/plugins/auth-pam/utils.c M src/plugins/auth-pam/utils.h M src/plugins/down-root/down-root.c M src/tapctl/basic.h M src/tapctl/error.h M src/tapctl/main.c M src/tapctl/tap.c M src/tapctl/tap.h M 
tests/ntlm_support.c M tests/unit_tests/example_test/test.c M tests/unit_tests/example_test/test2.c M tests/unit_tests/openvpn/cert_data.h M tests/unit_tests/openvpn/mock_management.c M tests/unit_tests/openvpn/mock_msg.c M tests/unit_tests/openvpn/mock_msg.h M tests/unit_tests/openvpn/mock_ssl_dependencies.c M tests/unit_tests/openvpn/pkey_test_utils.c M tests/unit_tests/openvpn/test_argv.c M tests/unit_tests/openvpn/test_auth_token.c M tests/unit_tests/openvpn/test_buffer.c M tests/unit_tests/openvpn/test_crypto.c M tests/unit_tests/openvpn/test_cryptoapi.c M tests/unit_tests/openvpn/test_misc.c M tests/unit_tests/openvpn/test_ncp.c M tests/unit_tests/openvpn/test_networking.c M tests/unit_tests/openvpn/test_packet_id.c M tests/unit_tests/openvpn/test_pkcs11.c M tests/unit_tests/openvpn/test_pkt.c M tests/unit_tests/openvpn/test_provider.c M tests/unit_tests/openvpn/test_ssl.c M tests/unit_tests/openvpn/test_tls_crypt.c M tests/unit_tests/openvpn/test_user_pass.c M tests/unit_tests/plugins/auth-pam/test_search_and_replace.c 255 files changed, 11,864 insertions(+), 15,015 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/91/791/22 diff --git a/include/openvpn-msg.h b/include/openvpn-msg.h index e0d0bb0..6e43588 100644 --- a/include/openvpn-msg.h +++ b/include/openvpn-msg.h @@ -27,7 +27,8 @@ #include <windef.h> #include <ws2tcpip.h> -typedef enum { +typedef enum +{ msg_acknowledgement, msg_add_address, msg_del_address, 
@@ -51,28 +52,33 @@ msg_create_adapter } message_type_t; -typedef struct { +typedef struct +{ message_type_t type; size_t size; int message_id; } message_header_t; -typedef union { +typedef union +{ struct in_addr ipv4; struct in6_addr ipv6; } inet_address_t; -typedef struct { +typedef struct +{ int index; char name[256]; } interface_t; -typedef enum { - wfp_block_local = 1<<0, - wfp_block_dns = 1<<1 +typedef enum +{ + wfp_block_local = 1 << 0, + wfp_block_dns = 1 << 1 } wfp_block_flags_t; -typedef struct { +typedef struct +{ message_header_t header; short family; inet_address_t address; @@ -80,7 +86,8 @@ interface_t iface; } address_message_t; -typedef struct { +typedef struct +{ message_header_t header; short family; inet_address_t prefix; @@ -90,7 +97,8 @@ int metric; } route_message_t; -typedef struct { +typedef struct +{ message_header_t header; interface_t iface; char domains[512]; @@ -100,14 +108,16 @@ } dns_cfg_message_t; -typedef enum { +typedef enum +{ nrpt_dnssec } nrpt_flags_t; -#define NRPT_ADDR_NUM 8 /* Max. number of addresses */ +#define NRPT_ADDR_NUM 8 /* Max. number of addresses */ #define NRPT_ADDR_SIZE 48 /* Max. address strlen + some */ typedef char nrpt_address_t[NRPT_ADDR_SIZE]; -typedef struct { +typedef struct +{ message_header_t header; interface_t iface; nrpt_address_t addresses[NRPT_ADDR_NUM]; @@ -116,14 +126,16 @@ nrpt_flags_t flags; } nrpt_dns_cfg_message_t; -typedef struct { +typedef struct +{ message_header_t header; interface_t iface; int addr_len; inet_address_t addr[4]; /* support up to 4 dns addresses */ } wins_cfg_message_t; -typedef struct { +typedef struct +{ message_header_t header; interface_t iface; int disable_nbt; 
@@ -135,41 +147,48 @@ /* TODO: NTP */ -typedef struct { +typedef struct +{ message_header_t header; short family; interface_t iface; } flush_neighbors_message_t; -typedef struct { +typedef struct +{ message_header_t header; int error_number; } ack_message_t; -typedef struct { +typedef struct +{ message_header_t header; wfp_block_flags_t flags; interface_t iface; } wfp_block_message_t; -typedef struct { +typedef struct +{ message_header_t header; interface_t iface; } enable_dhcp_message_t; -typedef struct { +typedef struct +{ message_header_t header; interface_t iface; short family; int mtu; } set_mtu_message_t; -typedef enum { +typedef enum +{ ADAPTER_TYPE_DCO, ADAPTER_TYPE_TAP, } adapter_type_t; -typedef struct { +typedef struct +{ message_header_t header; adapter_type_t adapter_type; } create_adapter_message_t; diff --git a/sample/sample-plugins/client-connect/sample-client-connect.c b/sample/sample-plugins/client-connect/sample-client-connect.c index 18c2c6f..b180002 100644 --- a/sample/sample-plugins/client-connect/sample-client-connect.c +++ b/sample/sample-plugins/client-connect/sample-client-connect.c @@ -59,8 +59,9 @@ * Our context, where we keep our state. */ -struct plugin_context { - int verb; /* logging verbosity */ +struct plugin_context +{ + int verb; /* logging verbosity */ }; /* this is used for the CLIENT_CONNECT_V2 async/deferred handler @@ -69,8 +70,9 @@ * this, and the "CLIENT_CONNECT_DEFER_V2" handler looks at it to see * if it's time yet to succeed/fail */ -struct plugin_per_client_context { - time_t sleep_until; /* wakeup time (time() + sleep) */ +struct plugin_per_client_context +{ + time_t sleep_until; /* wakeup time (time() + sleep) */ bool want_fail; bool want_disable; const char *client_config; 
@@ -119,8 +121,7 @@ /* use v3 functions so we can use openvpn's logging and base64 etc. */ OPENVPN_EXPORT int -openvpn_plugin_open_v3(const int v3structver, - struct openvpn_plugin_args_open_in const *args, +openvpn_plugin_open_v3(const int v3structver, struct openvpn_plugin_args_open_in const *args, struct openvpn_plugin_args_open_return *ret) { /* const char **argv = args->argv; */ /* command line arguments (unused) */ @@ -129,7 +130,9 @@ /* Check API compatibility -- struct version 5 or higher needed */ if (v3structver < 5) { - fprintf(stderr, "sample-client-connect: this plugin is incompatible with the running version of OpenVPN\n"); + fprintf( + stderr, + "sample-client-connect: this plugin is incompatible with the running version of OpenVPN\n"); return OPENVPN_PLUGIN_FUNC_ERROR; } 
@@ -145,18 +148,17 @@ /* * Intercept just about everything... */ - ret->type_mask = - OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_UP) - |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_DOWN) - |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_ROUTE_UP) - |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_IPCHANGE) - |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_TLS_VERIFY) - |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_CLIENT_CONNECT) - |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_CLIENT_CONNECT_V2) - |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2) - |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_CLIENT_DISCONNECT) - |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_LEARN_ADDRESS) - |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_TLS_FINAL); + ret->type_mask = OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_UP) + | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_DOWN) + | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_ROUTE_UP) + | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_IPCHANGE) + | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_TLS_VERIFY) + | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_CLIENT_CONNECT) + | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_CLIENT_CONNECT_V2) + | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2) + | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_CLIENT_DISCONNECT) + | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_LEARN_ADDRESS) + | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_TLS_FINAL); /* Save global pointers to functions exported from openvpn */ plugin_log = args->callbacks->plugin_log; @@ -168,7 +170,7 @@ */ context->verb = atoi_null0(get_env("verb", envp)); - ret->handle = (openvpn_plugin_handle_t *) context; + ret->handle = (openvpn_plugin_handle_t *)context; plugin_log(PLOG_NOTE, MODULE, "initialization succeeded"); return OPENVPN_PLUGIN_FUNC_SUCCESS; 
@@ -244,8 +246,10 @@ const char *ccd_file = get_env("client_connect_deferred_file", envp); if (!ccd_file) { - plugin_log(PLOG_NOTE, MODULE, "env has UV_WANT_CC_ASYNC=%d, but " - "'client_connect_deferred_file' not set -> fail", seconds); + plugin_log(PLOG_NOTE, MODULE, + "env has UV_WANT_CC_ASYNC=%d, but " + "'client_connect_deferred_file' not set -> fail", + seconds); return OPENVPN_PLUGIN_FUNC_ERROR; } @@ -259,13 +263,13 @@ int fd = open(ccd_file, O_WRONLY); if (fd < 0) { - plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "open('%s') failed", ccd_file); + plugin_log(PLOG_ERR | PLOG_ERRNO, MODULE, "open('%s') failed", ccd_file); return OPENVPN_PLUGIN_FUNC_ERROR; } if (write(fd, "2", 1) != 1) { - plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "write to '%s' failed", ccd_file ); + plugin_log(PLOG_ERR | PLOG_ERRNO, MODULE, "write to '%s' failed", ccd_file); close(fd); return OPENVPN_PLUGIN_FUNC_ERROR; } @@ -279,11 +283,11 @@ /* fork, sleep, succeed/fail according to env vars */ pid_t p1 = fork(); - if (p1 < 0) /* Fork failed */ + if (p1 < 0) /* Fork failed */ { return OPENVPN_PLUGIN_FUNC_ERROR; } - if (p1 > 0) /* parent process */ + if (p1 > 0) /* parent process */ { waitpid(p1, NULL, 0); return OPENVPN_PLUGIN_FUNC_DEFERRED; @@ -293,10 +297,10 @@ pid_t p2 = fork(); if (p2 < 0) { - plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "BACKGROUND: fork(2) failed"); + plugin_log(PLOG_ERR | PLOG_ERRNO, MODULE, "BACKGROUND: fork(2) failed"); exit(1); } - if (p2 > 0) /* new parent: exit right away */ + if (p2 > 0) /* new parent: exit right away */ { exit(0); } 
@@ -326,16 +330,16 @@ fd = open(ccd_file, O_WRONLY); if (fd < 0) { - plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "open('%s') failed", ccd_file); + plugin_log(PLOG_ERR | PLOG_ERRNO, MODULE, "open('%s') failed", ccd_file); exit(1); } plugin_log(PLOG_NOTE, MODULE, "cc_handle_deferred_v1: done, signalling %s", - (ret == OPENVPN_PLUGIN_FUNC_SUCCESS) ? "success" : "fail" ); + (ret == OPENVPN_PLUGIN_FUNC_SUCCESS) ? "success" : "fail"); if (write(fd, (ret == OPENVPN_PLUGIN_FUNC_SUCCESS) ? "1" : "0", 1) != 1) { - plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "write to '%s' failed", ccd_file ); + plugin_log(PLOG_ERR | PLOG_ERRNO, MODULE, "write to '%s' failed", ccd_file); } close(fd); @@ -343,14 +347,12 @@ } int -openvpn_plugin_client_connect(struct plugin_context *context, - const char **argv, - const char **envp) +openvpn_plugin_client_connect(struct plugin_context *context, const char **argv, const char **envp) { /* log environment variables handed to us by OpenVPN, but * only if "setenv verb" is 3 or higher (arbitrary number) */ - if (context->verb>=3) + if (context->verb >= 3) { for (int i = 0; argv[i]; i++) { @@ -391,8 +393,7 @@ int openvpn_plugin_client_connect_v2(struct plugin_context *context, - struct plugin_per_client_context *pcc, - const char **envp, + struct plugin_per_client_context *pcc, const char **envp, struct openvpn_plugin_string_list **return_list) { /* by setting "UV_WANT_CC2_ASYNC" we go to async/deferred mode */ @@ -422,7 +423,8 @@ pcc->want_fail = (want_fail != NULL); pcc->want_disable = (want_disable != NULL); pcc->client_config = client_config; - plugin_log(PLOG_NOTE, MODULE, "env has UV_WANT_CC2_ASYNC=%s -> set up deferred handler", want_async); + plugin_log(PLOG_NOTE, MODULE, "env has UV_WANT_CC2_ASYNC=%s -> set up deferred handler", + want_async); return OPENVPN_PLUGIN_FUNC_DEFERRED; } 
@@ -433,8 +435,7 @@ return OPENVPN_PLUGIN_FUNC_ERROR; } - struct openvpn_plugin_string_list *rl = - calloc(1, sizeof(struct openvpn_plugin_string_list)); + struct openvpn_plugin_string_list *rl = calloc(1, sizeof(struct openvpn_plugin_string_list)); if (!rl) { plugin_log(PLOG_ERR, MODULE, "malloc(return_list) failed"); @@ -468,12 +469,10 @@ int openvpn_plugin_client_connect_defer_v2(struct plugin_context *context, struct plugin_per_client_context *pcc, - struct openvpn_plugin_string_list - **return_list) + struct openvpn_plugin_string_list **return_list) { time_t time_left = pcc->sleep_until - time(NULL); - plugin_log(PLOG_NOTE, MODULE, "defer_v2: seconds left=%d", - (int) time_left); + plugin_log(PLOG_NOTE, MODULE, "defer_v2: seconds left=%d", (int)time_left); /* not yet due? */ if (time_left > 0) @@ -484,15 +483,14 @@ /* client wants fail? */ if (pcc->want_fail) { - plugin_log(PLOG_NOTE, MODULE, "env has UV_WANT_CC2_FAIL -> fail" ); + plugin_log(PLOG_NOTE, MODULE, "env has UV_WANT_CC2_FAIL -> fail"); return OPENVPN_PLUGIN_FUNC_ERROR; } /* fill in RL according to with-disable / without-disable */ /* TODO: unify this with non-deferred case */ - struct openvpn_plugin_string_list *rl = - calloc(1, sizeof(struct openvpn_plugin_string_list)); + struct openvpn_plugin_string_list *rl = calloc(1, sizeof(struct openvpn_plugin_string_list)); if (!rl) { plugin_log(PLOG_ERR, MODULE, "malloc(return_list) failed"); 
@@ -524,15 +522,12 @@ } OPENVPN_EXPORT int -openvpn_plugin_func_v2(openvpn_plugin_handle_t handle, - const int type, - const char *argv[], - const char *envp[], - void *per_client_context, +openvpn_plugin_func_v2(openvpn_plugin_handle_t handle, const int type, const char *argv[], + const char *envp[], void *per_client_context, struct openvpn_plugin_string_list **return_list) { - struct plugin_context *context = (struct plugin_context *) handle; - struct plugin_per_client_context *pcc = (struct plugin_per_client_context *) per_client_context; + struct plugin_context *context = (struct plugin_context *)handle; + struct plugin_per_client_context *pcc = (struct plugin_per_client_context *)per_client_context; /* for most functions, we just "don't do anything" but log the * event received (so one can follow it in the log and understand @@ -566,13 +561,11 @@ case OPENVPN_PLUGIN_CLIENT_CONNECT_V2: plugin_log(PLOG_NOTE, MODULE, "OPENVPN_PLUGIN_CLIENT_CONNECT_V2"); - return openvpn_plugin_client_connect_v2(context, pcc, envp, - return_list); + return openvpn_plugin_client_connect_v2(context, pcc, envp, return_list); case OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2: plugin_log(PLOG_NOTE, MODULE, "OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2"); - return openvpn_plugin_client_connect_defer_v2(context, pcc, - return_list); + return openvpn_plugin_client_connect_defer_v2(context, pcc, return_list); case OPENVPN_PLUGIN_CLIENT_DISCONNECT: plugin_log(PLOG_NOTE, MODULE, "OPENVPN_PLUGIN_CLIENT_DISCONNECT"); @@ -609,7 +602,7 @@ OPENVPN_EXPORT void openvpn_plugin_close_v1(openvpn_plugin_handle_t handle) { - struct plugin_context *context = (struct plugin_context *) handle; + struct plugin_context *context = (struct plugin_context *)handle; printf("FUNC: openvpn_plugin_close_v1\n"); free(context); } diff --git a/sample/sample-plugins/defer/multi-auth.c b/sample/sample-plugins/defer/multi-auth.c index 38db07f..9f98391 100644 --- a/sample/sample-plugins/defer/multi-auth.c 
+++ b/sample/sample-plugins/defer/multi-auth.c @@ -63,7 +63,8 @@ * Our context, where we keep our state. */ -struct plugin_context { +struct plugin_context +{ int test_deferred_auth; char *authid; char *test_valid_user; @@ -104,11 +105,12 @@ * structver '5' here to indicate a desire for modern openvpn, rather * than a need for any particular feature found in structver beyond '1'. */ -#define OPENVPN_PLUGIN_VERSION_MIN 3 +#define OPENVPN_PLUGIN_VERSION_MIN 3 #define OPENVPN_PLUGIN_STRUCTVER_MIN 5 -struct plugin_per_client_context { +struct plugin_per_client_context +{ int n_calls; bool generated_pf_file; }; @@ -177,13 +179,13 @@ /* use v3 functions so we can use openvpn's logging and base64 etc. */ OPENVPN_EXPORT int -openvpn_plugin_open_v3(const int v3structver, - struct openvpn_plugin_args_open_in const *args, +openvpn_plugin_open_v3(const int v3structver, struct openvpn_plugin_args_open_in const *args, struct openvpn_plugin_args_open_return *ret) { if (v3structver < OPENVPN_PLUGIN_STRUCTVER_MIN) { - fprintf(stderr, "%s: this plugin is incompatible with the running version of OpenVPN\n", MODULE); + fprintf(stderr, "%s: this plugin is incompatible with the running version of OpenVPN\n", + MODULE); return OPENVPN_PLUGIN_FUNC_ERROR; } @@ -196,7 +198,7 @@ * Allocate our context */ struct plugin_context *context = NULL; - context = (struct plugin_context *) calloc(1, sizeof(struct plugin_context)); + context = (struct plugin_context *)calloc(1, sizeof(struct plugin_context)); if (!context) { goto error; @@ -240,7 +242,7 @@ * Which callbacks to intercept. */ ret->type_mask = OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY); - ret->handle = (openvpn_plugin_handle_t *) context; + ret->handle = (openvpn_plugin_handle_t *)context; plog(context, PLOG_NOTE, "initialization succeeded"); return OPENVPN_PLUGIN_FUNC_SUCCESS; 
@@ -255,29 +257,22 @@ } static bool -do_auth_user_pass(struct plugin_context *context, - const char *username, const char *password) +do_auth_user_pass(struct plugin_context *context, const char *username, const char *password) { - plog(context, PLOG_NOTE, - "expect_user=%s, received_user=%s, expect_passw=%s, received_passw=%s", - np(context->test_valid_user), - np(username), - np(context->test_valid_pass), - np(password)); + plog(context, PLOG_NOTE, "expect_user=%s, received_user=%s, expect_passw=%s, received_passw=%s", + np(context->test_valid_user), np(username), np(context->test_valid_pass), np(password)); if (context->test_valid_user && context->test_valid_pass) { if ((strcmp(context->test_valid_user, username) != 0) || (strcmp(context->test_valid_pass, password) != 0)) { - plog(context, PLOG_ERR, - "User/Password auth result: FAIL"); + plog(context, PLOG_ERR, "User/Password auth result: FAIL"); return false; } else { - plog(context, PLOG_NOTE, - "User/Password auth result: PASS"); + plog(context, PLOG_NOTE, "User/Password auth result: PASS"); return true; } } @@ -286,8 +281,7 @@ static int -auth_user_pass_verify(struct plugin_context *context, - struct plugin_per_client_context *pcc, +auth_user_pass_verify(struct plugin_context *context, struct plugin_per_client_context *pcc, const char *argv[], const char *envp[]) { /* get username/password from envp string array */ @@ -297,8 +291,8 @@ if (!context->test_deferred_auth) { plog(context, PLOG_NOTE, "Direct authentication"); - return do_auth_user_pass(context, username, password) ? - OPENVPN_PLUGIN_FUNC_SUCCESS : OPENVPN_PLUGIN_FUNC_ERROR; + return do_auth_user_pass(context, username, password) ? OPENVPN_PLUGIN_FUNC_SUCCESS + : OPENVPN_PLUGIN_FUNC_ERROR; } /* get auth_control_file filename from envp string array*/ 
@@ -319,11 +313,11 @@ /* fork, sleep, succeed (no "real" auth done = always succeed) */ pid_t p1 = fork(); - if (p1 < 0) /* Fork failed */ + if (p1 < 0) /* Fork failed */ { return OPENVPN_PLUGIN_FUNC_ERROR; } - if (p1 > 0) /* parent process */ + if (p1 > 0) /* parent process */ { waitpid(p1, NULL, 0); return OPENVPN_PLUGIN_FUNC_DEFERRED; @@ -333,11 +327,11 @@ pid_t p2 = fork(); if (p2 < 0) { - plog(context, PLOG_ERR|PLOG_ERRNO, "BACKGROUND: fork(2) failed"); + plog(context, PLOG_ERR | PLOG_ERRNO, "BACKGROUND: fork(2) failed"); exit(1); } - if (p2 != 0) /* new parent: exit right away */ + if (p2 != 0) /* new parent: exit right away */ { exit(0); } @@ -350,15 +344,14 @@ /* do mighty complicated work that will really take time here... */ plog(context, PLOG_NOTE, "in async/deferred handler, usleep(%d)", - context->test_deferred_auth*1000); - usleep(context->test_deferred_auth*1000); + context->test_deferred_auth * 1000); + usleep(context->test_deferred_auth * 1000); /* now signal success state to openvpn */ int fd = open(auth_control_file, O_WRONLY); if (fd < 0) { - plog(context, PLOG_ERR|PLOG_ERRNO, - "open('%s') failed", auth_control_file); + plog(context, PLOG_ERR | PLOG_ERRNO, "open('%s') failed", auth_control_file); exit(1); } @@ -370,7 +363,7 @@ if (write(fd, result, 1) != 1) { - plog(context, PLOG_ERR|PLOG_ERRNO, "write to '%s' failed", auth_control_file ); + plog(context, PLOG_ERR | PLOG_ERRNO, "write to '%s' failed", auth_control_file); } close(fd); 
@@ -379,19 +372,20 @@ OPENVPN_EXPORT int -openvpn_plugin_func_v3(const int v3structver, - struct openvpn_plugin_args_func_in const *args, +openvpn_plugin_func_v3(const int v3structver, struct openvpn_plugin_args_func_in const *args, struct openvpn_plugin_args_func_return *ret) { if (v3structver < OPENVPN_PLUGIN_STRUCTVER_MIN) { - fprintf(stderr, "%s: this plugin is incompatible with the running version of OpenVPN\n", MODULE); + fprintf(stderr, "%s: this plugin is incompatible with the running version of OpenVPN\n", + MODULE); return OPENVPN_PLUGIN_FUNC_ERROR; } const char **argv = args->argv; const char **envp = args->envp; - struct plugin_context *context = (struct plugin_context *) args->handle; - struct plugin_per_client_context *pcc = (struct plugin_per_client_context *) args->per_client_context; + struct plugin_context *context = (struct plugin_context *)args->handle; + struct plugin_per_client_context *pcc = + (struct plugin_per_client_context *)args->per_client_context; switch (args->type) { case OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY: @@ -407,7 +401,7 @@ OPENVPN_EXPORT void * openvpn_plugin_client_constructor_v1(openvpn_plugin_handle_t handle) { - struct plugin_context *context = (struct plugin_context *) handle; + struct plugin_context *context = (struct plugin_context *)handle; plog(context, PLOG_NOTE, "FUNC: openvpn_plugin_client_constructor_v1"); return calloc(1, sizeof(struct plugin_per_client_context)); } @@ -415,7 +409,7 @@ OPENVPN_EXPORT void openvpn_plugin_client_destructor_v1(openvpn_plugin_handle_t handle, void *per_client_context) { - struct plugin_context *context = (struct plugin_context *) handle; + struct plugin_context *context = (struct plugin_context *)handle; plog(context, PLOG_NOTE, "FUNC: openvpn_plugin_client_destructor_v1"); free(per_client_context); } 
@@ -423,7 +417,7 @@ OPENVPN_EXPORT void openvpn_plugin_close_v1(openvpn_plugin_handle_t handle) { - struct plugin_context *context = (struct plugin_context *) handle; + struct plugin_context *context = (struct plugin_context *)handle; plog(context, PLOG_NOTE, "FUNC: openvpn_plugin_close_v1"); free(context); } diff --git a/sample/sample-plugins/keying-material-exporter-demo/keyingmaterialexporter.c b/sample/sample-plugins/keying-material-exporter-demo/keyingmaterialexporter.c index cc256dd..137cf20 100644 --- a/sample/sample-plugins/keying-material-exporter-demo/keyingmaterialexporter.c +++ b/sample/sample-plugins/keying-material-exporter-demo/keyingmaterialexporter.c @@ -38,22 +38,25 @@ #define MAXPATH 1024 #endif -#define ovpn_err(fmt, ...) \ - plugin->log(PLOG_ERR, "SSO", fmt, ## __VA_ARGS__) -#define ovpn_dbg(fmt, ...) \ - plugin->log(PLOG_DEBUG, "SSO", fmt, ## __VA_ARGS__) -#define ovpn_note(fmt, ...) \ - plugin->log(PLOG_NOTE, "SSO", fmt, ## __VA_ARGS__) +#define ovpn_err(fmt, ...) plugin->log(PLOG_ERR, "SSO", fmt, ##__VA_ARGS__) +#define ovpn_dbg(fmt, ...) plugin->log(PLOG_DEBUG, "SSO", fmt, ##__VA_ARGS__) +#define ovpn_note(fmt, ...) plugin->log(PLOG_NOTE, "SSO", fmt, ##__VA_ARGS__) -enum endpoint { CLIENT = 1, SERVER = 2 }; +enum endpoint +{ + CLIENT = 1, + SERVER = 2 +}; -struct plugin { +struct plugin +{ plugin_log_t log; enum endpoint type; int mask; }; -struct session { +struct session +{ char user[48]; char key[48]; }; @@ -87,8 +90,7 @@ } OPENVPN_EXPORT int -openvpn_plugin_open_v3(const int version, - struct openvpn_plugin_args_open_in const *args, +openvpn_plugin_open_v3(const int version, struct openvpn_plugin_args_open_in const *args, struct openvpn_plugin_args_open_return *rv) { struct plugin *plugin = calloc(1, sizeof(*plugin)); 
@@ -100,9 +102,9 @@ } plugin->type = get_env("remote_1", args->envp) ? CLIENT : SERVER; - plugin->log = args->callbacks->plugin_log; + plugin->log = args->callbacks->plugin_log; - plugin->mask = OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_TLS_FINAL); + plugin->mask = OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_TLS_FINAL); plugin->mask |= OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_TLS_VERIFY); ovpn_note("vpn endpoint type=%s", plugin->type == CLIENT ? "client" : "server"); @@ -165,8 +167,8 @@ static int tls_verify(struct openvpn_plugin_args_func_in const *args) { - struct plugin *plugin = (struct plugin *)args->handle; - struct session *sess = (struct session *)args->per_client_context; + struct plugin *plugin = (struct plugin *)args->handle; + struct session *sess = (struct session *)args->per_client_context; /* we store cert subject for the server end point only */ if (plugin->type != SERVER) @@ -201,8 +203,8 @@ static void server_store(struct openvpn_plugin_args_func_in const *args) { - struct plugin *plugin = (struct plugin *)args->handle; - struct session *sess = (struct session *)args->per_client_context; + struct plugin *plugin = (struct plugin *)args->handle; + struct session *sess = (struct session *)args->per_client_context; char file[MAXPATH]; snprintf(file, sizeof(file) - 1, "/tmp/openvpn_sso_%s", sess->key); @@ -213,8 +215,8 @@ static void client_store(struct openvpn_plugin_args_func_in const *args) { - struct plugin *plugin = (struct plugin *)args->handle; - struct session *sess = (struct session *)args->per_client_context; + struct plugin *plugin = (struct plugin *)args->handle; + struct session *sess = (struct session *)args->per_client_context; char *file = "/tmp/openvpn_sso_user"; ovpn_note("app session file: %s", file); 
@@ -225,8 +227,8 @@ tls_final(struct openvpn_plugin_args_func_in const *args, struct openvpn_plugin_args_func_return *rv) { - struct plugin *plugin = (struct plugin *)args->handle; - struct session *sess = (struct session *)args->per_client_context; + struct plugin *plugin = (struct plugin *)args->handle; + struct session *sess = (struct session *)args->per_client_context; const char *key; if (!(key = get_env("exported_keying_material", args->envp))) @@ -253,8 +255,7 @@ } OPENVPN_EXPORT int -openvpn_plugin_func_v3(const int version, - struct openvpn_plugin_args_func_in const *args, +openvpn_plugin_func_v3(const int version, struct openvpn_plugin_args_func_in const *args, struct openvpn_plugin_args_func_return *rv) { switch (args->type) @@ -272,7 +273,7 @@ openvpn_plugin_client_constructor_v1(openvpn_plugin_handle_t handle) { struct plugin *plugin = (struct plugin *)handle; - struct session *sess = calloc(1, sizeof(*sess)); + struct session *sess = calloc(1, sizeof(*sess)); ovpn_note("app session created"); @@ -283,7 +284,7 @@ openvpn_plugin_client_destructor_v1(openvpn_plugin_handle_t handle, void *ctx) { struct plugin *plugin = (struct plugin *)handle; - struct session *sess = (struct session *)ctx; + struct session *sess = (struct session *)ctx; ovpn_note("app session key: %s", sess->key); ovpn_note("app session destroyed"); diff --git a/sample/sample-plugins/log/log.c b/sample/sample-plugins/log/log.c index 82595cf..0a96c63 100644 --- a/sample/sample-plugins/log/log.c +++ b/sample/sample-plugins/log/log.c @@ -37,7 +37,8 @@ /* * Our context, where we keep our state. */ -struct plugin_context { +struct plugin_context +{ const char *username; const char *password; }; @@ -77,7 +78,7 @@ /* * Allocate our context */ - context = (struct plugin_context *) calloc(1, sizeof(struct plugin_context)); + context = (struct plugin_context *)calloc(1, sizeof(struct plugin_context)); if (context == NULL) { printf("PLUGIN: allocating memory for context failed\n"); 
@@ -93,19 +94,17 @@ /* * Which callbacks to intercept. */ - *type_mask = - OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_UP) - |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_DOWN) - |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_ROUTE_UP) - |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_IPCHANGE) - |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_TLS_VERIFY) - |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY) - |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_CLIENT_CONNECT_V2) - |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_CLIENT_DISCONNECT) - |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_LEARN_ADDRESS) - |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_TLS_FINAL); + *type_mask = OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_UP) | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_DOWN) + | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_ROUTE_UP) + | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_IPCHANGE) + | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_TLS_VERIFY) + | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY) + | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_CLIENT_CONNECT_V2) + | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_CLIENT_DISCONNECT) + | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_LEARN_ADDRESS) + | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_TLS_FINAL); - return (openvpn_plugin_handle_t) context; + return (openvpn_plugin_handle_t)context; } void @@ -173,9 +172,10 @@ } OPENVPN_EXPORT int -openvpn_plugin_func_v1(openvpn_plugin_handle_t handle, const int type, const char *argv[], const char *envp[]) +openvpn_plugin_func_v1(openvpn_plugin_handle_t handle, const int type, const char *argv[], + const char *envp[]) { - struct plugin_context *context = (struct plugin_context *) handle; + struct plugin_context *context = (struct plugin_context *)handle; show(type, argv, envp); 
@@ -186,8 +186,8 @@ const char *username = get_env("username", envp); const char *password = get_env("password", envp); - if (username && !strcmp(username, context->username) - && password && !strcmp(password, context->password)) + if (username && !strcmp(username, context->username) && password + && !strcmp(password, context->password)) { return OPENVPN_PLUGIN_FUNC_SUCCESS; } @@ -205,6 +205,6 @@ OPENVPN_EXPORT void openvpn_plugin_close_v1(openvpn_plugin_handle_t handle) { - struct plugin_context *context = (struct plugin_context *) handle; + struct plugin_context *context = (struct plugin_context *)handle; free(context); } diff --git a/sample/sample-plugins/log/log_v3.c b/sample/sample-plugins/log/log_v3.c index c90cc3d..7da49c7 100644 --- a/sample/sample-plugins/log/log_v3.c +++ b/sample/sample-plugins/log/log_v3.c @@ -40,7 +40,8 @@ /* * Our context, where we keep our state. */ -struct plugin_context { +struct plugin_context +{ const char *username; const char *password; }; @@ -73,8 +74,7 @@ } OPENVPN_EXPORT int -openvpn_plugin_open_v3(const int v3structver, - struct openvpn_plugin_args_open_in const *args, +openvpn_plugin_open_v3(const int v3structver, struct openvpn_plugin_args_open_in const *args, struct openvpn_plugin_args_open_return *ret) { struct plugin_context *context = NULL; @@ -82,7 +82,8 @@ /* Check that we are API compatible */ if (v3structver != OPENVPN_PLUGINv3_STRUCTVER) { - printf("log_v3: ** ERROR ** Incompatible plug-in interface between this plug-in and OpenVPN\n"); + printf( + "log_v3: ** ERROR ** Incompatible plug-in interface between this plug-in and OpenVPN\n"); return OPENVPN_PLUGIN_FUNC_ERROR; } 
@@ -93,26 +94,24 @@ } /* Print some version information about the OpenVPN process using this plug-in */ - printf("log_v3: OpenVPN %s (Major: %i, Minor: %i, Patch: %s)\n", - args->ovpn_version, args->ovpn_version_major, - args->ovpn_version_minor, args->ovpn_version_patch); + printf("log_v3: OpenVPN %s (Major: %i, Minor: %i, Patch: %s)\n", args->ovpn_version, + args->ovpn_version_major, args->ovpn_version_minor, args->ovpn_version_patch); /* Which callbacks to intercept. */ - ret->type_mask = - OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_UP) - |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_DOWN) - |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_ROUTE_UP) - |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_IPCHANGE) - |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_TLS_VERIFY) - |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY) - |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_CLIENT_CONNECT_V2) - |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_CLIENT_DISCONNECT) - |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_LEARN_ADDRESS) - |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_TLS_FINAL); + ret->type_mask = OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_UP) + | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_DOWN) + | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_ROUTE_UP) + | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_IPCHANGE) + | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_TLS_VERIFY) + | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY) + | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_CLIENT_CONNECT_V2) + | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_CLIENT_DISCONNECT) + | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_LEARN_ADDRESS) + | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_TLS_FINAL); /* Allocate our context */ - context = (struct plugin_context *) calloc(1, sizeof(struct plugin_context)); + context = (struct plugin_context *)calloc(1, sizeof(struct plugin_context)); if (context == NULL) { printf("PLUGIN: allocating memory for context failed\n"); 
@@ -124,7 +123,7 @@ context->password = "bar"; /* Point the global context handle to our newly created context */ - ret->handle = (void *) context; + ret->handle = (void *)context; return OPENVPN_PLUGIN_FUNC_SUCCESS; } @@ -245,13 +244,11 @@ } - OPENVPN_EXPORT int -openvpn_plugin_func_v3(const int version, - struct openvpn_plugin_args_func_in const *args, +openvpn_plugin_func_v3(const int version, struct openvpn_plugin_args_func_in const *args, struct openvpn_plugin_args_func_return *retptr) { - struct plugin_context *context = (struct plugin_context *) args->handle; + struct plugin_context *context = (struct plugin_context *)args->handle; printf("\nopenvpn_plugin_func_v3() :::::>> "); show(args->type, args->argv, args->envp); @@ -272,8 +269,8 @@ const char *username = get_env("username", args->envp); const char *password = get_env("password", args->envp); - if (username && !strcmp(username, context->username) - && password && !strcmp(password, context->password)) + if (username && !strcmp(username, context->username) && password + && !strcmp(password, context->password)) { return OPENVPN_PLUGIN_FUNC_SUCCESS; } @@ -291,6 +288,6 @@ OPENVPN_EXPORT void openvpn_plugin_close_v1(openvpn_plugin_handle_t handle) { - struct plugin_context *context = (struct plugin_context *) handle; + struct plugin_context *context = (struct plugin_context *)handle; free(context); } diff --git a/sample/sample-plugins/simple/base64.c b/sample/sample-plugins/simple/base64.c index 6855966..5b2cff5 100644 --- a/sample/sample-plugins/simple/base64.c +++ b/sample/sample-plugins/simple/base64.c 
@@ -100,21 +100,20 @@ * */ OPENVPN_EXPORT int -openvpn_plugin_open_v3(const int v3structver, - struct openvpn_plugin_args_open_in const *args, +openvpn_plugin_open_v3(const int v3structver, struct openvpn_plugin_args_open_in const *args, struct openvpn_plugin_args_open_return *ret) { /* Check that we are API compatible */ if (v3structver != OPENVPN_PLUGINv3_STRUCTVER) { - printf("base64.c: ** ERROR ** Incompatible plug-in interface between this plug-in and OpenVPN\n"); + printf( + "base64.c: ** ERROR ** Incompatible plug-in interface between this plug-in and OpenVPN\n"); return OPENVPN_PLUGIN_FUNC_ERROR; } /* Which callbacks to intercept. */ - ret->type_mask = - OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_TLS_VERIFY) - |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_CLIENT_CONNECT_V2); + ret->type_mask = OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_TLS_VERIFY) + | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_CLIENT_CONNECT_V2); /* we don't need a plug-in context in this example, but OpenVPN expects "something" */ ret->handle = calloc(1, 1); @@ -127,8 +126,8 @@ /* Print some version information about the OpenVPN process using this plug-in */ ovpn_log(PLOG_NOTE, PLUGIN_NAME, "OpenVPN %s (Major: %i, Minor: %i, Patch: %s)\n", - args->ovpn_version, args->ovpn_version_major, - args->ovpn_version_minor, args->ovpn_version_patch); + args->ovpn_version, args->ovpn_version_major, args->ovpn_version_minor, + args->ovpn_version_patch); return OPENVPN_PLUGIN_FUNC_SUCCESS; } 
@@ -156,10 +155,10 @@ */ OPENVPN_EXPORT int -openvpn_plugin_func_v1(openvpn_plugin_handle_t handle, const int type, const char *argv[], const char *envp[]) +openvpn_plugin_func_v1(openvpn_plugin_handle_t handle, const int type, const char *argv[], + const char *envp[]) { - if (type != OPENVPN_PLUGIN_TLS_VERIFY - && type != OPENVPN_PLUGIN_CLIENT_CONNECT_V2) + if (type != OPENVPN_PLUGIN_TLS_VERIFY && type != OPENVPN_PLUGIN_CLIENT_CONNECT_V2) { ovpn_log(PLOG_ERR, PLUGIN_NAME, "Unsupported plug-in hook call attempted"); return OPENVPN_PLUGIN_FUNC_ERROR; @@ -176,14 +175,13 @@ /* test the BASE64 encode function */ char *buf = NULL; int r = ovpn_base64_encode(clcert_cn, strlen(clcert_cn), &buf); - ovpn_log(PLOG_NOTE, PLUGIN_NAME, "BASE64 encoded '%s' (return value %i): '%s'", - clcert_cn, r, buf); + ovpn_log(PLOG_NOTE, PLUGIN_NAME, "BASE64 encoded '%s' (return value %i): '%s'", clcert_cn, r, + buf); /* test the BASE64 decode function */ - char buf2[256] = {0}; + char buf2[256] = { 0 }; r = ovpn_base64_decode(buf, &buf2, 255); - ovpn_log(PLOG_NOTE, PLUGIN_NAME, "BASE64 decoded '%s' (return value %i): '%s'", - buf, r, buf2); + ovpn_log(PLOG_NOTE, PLUGIN_NAME, "BASE64 decoded '%s' (return value %i): '%s'", buf, r, buf2); /* Verify the result, and free the buffer allocated by ovpn_base64_encode() */ r = strcmp(clcert_cn, buf2); @@ -203,6 +201,6 @@ OPENVPN_EXPORT void openvpn_plugin_close_v1(openvpn_plugin_handle_t handle) { - struct plugin_context *context = (struct plugin_context *) handle; + struct plugin_context *context = (struct plugin_context *)handle; free(context); } diff --git a/sample/sample-plugins/simple/simple.c b/sample/sample-plugins/simple/simple.c index e17f3fa..2666e2f 100644 --- a/sample/sample-plugins/simple/simple.c +++ b/sample/sample-plugins/simple/simple.c @@ -39,7 +39,8 @@ /* * Our context, where we keep our state. */ -struct plugin_context { +struct plugin_context +{ const char *username; const char *password; }; 
@@ -79,7 +80,7 @@ /* * Allocate our context */ - context = (struct plugin_context *) calloc(1, sizeof(struct plugin_context)); + context = (struct plugin_context *)calloc(1, sizeof(struct plugin_context)); if (context == NULL) { printf("PLUGIN: allocating memory for context failed\n"); @@ -98,21 +99,22 @@ */ *type_mask = OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY); - return (openvpn_plugin_handle_t) context; + return (openvpn_plugin_handle_t)context; } OPENVPN_EXPORT int -openvpn_plugin_func_v1(openvpn_plugin_handle_t handle, const int type, const char *argv[], const char *envp[]) +openvpn_plugin_func_v1(openvpn_plugin_handle_t handle, const int type, const char *argv[], + const char *envp[]) { - struct plugin_context *context = (struct plugin_context *) handle; + struct plugin_context *context = (struct plugin_context *)handle; /* get username/password from envp string array */ const char *username = get_env("username", envp); const char *password = get_env("password", envp); /* check entered username/password against what we require */ - if (username && !strcmp(username, context->username) - && password && !strcmp(password, context->password)) + if (username && !strcmp(username, context->username) && password + && !strcmp(password, context->password)) { return OPENVPN_PLUGIN_FUNC_SUCCESS; } @@ -125,6 +127,6 @@ OPENVPN_EXPORT void openvpn_plugin_close_v1(openvpn_plugin_handle_t handle) { - struct plugin_context *context = (struct plugin_context *) handle; + struct plugin_context *context = (struct plugin_context *)handle; free(context); } diff --git a/src/compat/compat-basename.c b/src/compat/compat-basename.c index abb4f49..ea8bfbb 100644 --- a/src/compat/compat-basename.c +++ b/src/compat/compat-basename.c @@ -42,7 +42,7 @@ /* If NULL, check for \ instead ... might be Windows a path */ p = strrchr(filename, '\\'); } - return p ? p + 1 : (char *) filename; + return p ? p + 1 : (char *)filename; } #endif /* HAVE_BASENAME */ 
diff --git a/src/compat/compat-dirname.c b/src/compat/compat-dirname.c index c131dee..527f252 100644 --- a/src/compat/compat-dirname.c +++ b/src/compat/compat-dirname.c @@ -90,7 +90,7 @@ /* The '/' is the last character, we have to look further. */ if (runp != path) { - last_slash = (char *) __memrchr(path, separator, runp - path); + last_slash = (char *)__memrchr(path, separator, runp - path); } } @@ -135,7 +135,7 @@ /* This assignment is ill-designed but the XPG specs require to * return a string containing "." in any case no directory part is * found and so a static and constant string is required. */ - path = (char *) dot; + path = (char *)dot; } return path; diff --git a/src/compat/compat-gettimeofday.c b/src/compat/compat-gettimeofday.c index 997f360..23b5734 100644 --- a/src/compat/compat-gettimeofday.c +++ b/src/compat/compat-gettimeofday.c @@ -49,7 +49,7 @@ { const time_t t = time(NULL); const DWORD gtc = GetTickCount(); - gtc_base = t - gtc/1000; + gtc_base = t - gtc / 1000; gtc_last = gtc; } @@ -113,7 +113,7 @@ return 0; } -#else /* ifdef _WIN32 */ +#else /* ifdef _WIN32 */ #include <time.h> diff --git a/src/openvpn/argv.c b/src/openvpn/argv.c index 95215c0..78d37c7 100644 --- a/src/openvpn/argv.c +++ b/src/openvpn/argv.c @@ -285,8 +285,7 @@ * free()d to avoid memory leaks. */ static char * -argv_prep_format(const char *format, const char delim, size_t *count, - struct gc_arena *gc) +argv_prep_format(const char *format, const char delim, size_t *count, struct gc_arena *gc) { if (format == NULL) { @@ -312,7 +311,7 @@ * the string is empty; the resulting format string * will never start with a delimiter. */ - if (j > 0) /* Has anything been written to the output string? */ + if (j > 0) /* Has anything been written to the output string? */ { f[j++] = delim; } 
@@ -348,7 +347,7 @@ static bool argv_printf_arglist(struct argv *argres, const char *format, va_list arglist) { - const char delim = 0x1D; /* ASCII Group Separator (GS) */ + const char delim = 0x1D; /* ASCII Group Separator (GS) */ bool res = false; /* @@ -485,8 +484,8 @@ argv_reset(argres); char *parms[MAX_PARMS + 1] = { 0 }; - int nparms = parse_line(cmdstr, parms, MAX_PARMS, "SCRIPT-ARGV", 0, - D_ARGV_PARSE_CMD, &argres->gc); + int nparms = + parse_line(cmdstr, parms, MAX_PARMS, "SCRIPT-ARGV", 0, D_ARGV_PARSE_CMD, &argres->gc); if (nparms) { int i; diff --git a/src/openvpn/argv.h b/src/openvpn/argv.h index 098a1cb..9aaa55b 100644 --- a/src/openvpn/argv.h +++ b/src/openvpn/argv.h @@ -32,7 +32,8 @@ #include "buffer.h" -struct argv { +struct argv +{ struct gc_arena gc; size_t capacity; size_t argc; @@ -56,21 +57,21 @@ bool argv_printf(struct argv *a, const char *format, ...) #ifdef __GNUC__ #if __USE_MINGW_ANSI_STDIO -__attribute__ ((format(gnu_printf, 2, 3))) + __attribute__((format(gnu_printf, 2, 3))) #else -__attribute__ ((format(__printf__, 2, 3))) + __attribute__((format(__printf__, 2, 3))) #endif #endif -; + ; bool argv_printf_cat(struct argv *a, const char *format, ...) #ifdef __GNUC__ #if __USE_MINGW_ANSI_STDIO -__attribute__ ((format(gnu_printf, 2, 3))) + __attribute__((format(gnu_printf, 2, 3))) #else -__attribute__ ((format(__printf__, 2, 3))) + __attribute__((format(__printf__, 2, 3))) #endif #endif -; + ; #endif /* ifndef ARGV_H */ diff --git a/src/openvpn/auth_token.c b/src/openvpn/auth_token.c index 3cf55e8..a694e81 100644 --- a/src/openvpn/auth_token.c +++ b/src/openvpn/auth_token.c @@ -18,7 +18,7 @@ const char *auth_token_pem_name = "OpenVPN auth-token server key"; -#define AUTH_TOKEN_SESSION_ID_LEN 12 +#define AUTH_TOKEN_SESSION_ID_LEN 12 #define AUTH_TOKEN_SESSION_ID_BASE64_LEN (AUTH_TOKEN_SESSION_ID_LEN * 8 / 6) #if AUTH_TOKEN_SESSION_ID_LEN % 3 
@@ -53,7 +53,7 @@ } else if (auth_token_state_flags & AUTH_TOKEN_HMAC_OK) { - switch (auth_token_state_flags & (AUTH_TOKEN_VALID_EMPTYUSER|AUTH_TOKEN_EXPIRED)) + switch (auth_token_state_flags & (AUTH_TOKEN_VALID_EMPTYUSER | AUTH_TOKEN_EXPIRED)) { case 0: state = "Authenticated"; @@ -107,9 +107,9 @@ * in the encoding */ - char session_id[AUTH_TOKEN_SESSION_ID_LEN*2] = {0}; + char session_id[AUTH_TOKEN_SESSION_ID_LEN * 2] = { 0 }; memcpy(session_id, session_id_source + strlen(SESSION_ID_PREFIX), - AUTH_TOKEN_SESSION_ID_LEN*8/6); + AUTH_TOKEN_SESSION_ID_LEN * 8 / 6); setenv_str(session->opt->es, "session_id", session_id); } @@ -121,8 +121,7 @@ } void -auth_token_init_secret(struct key_ctx *key_ctx, const char *key_file, - bool key_inline) +auth_token_init_secret(struct key_ctx *key_ctx, const char *key_file, bool key_inline) { struct key_type kt = auth_token_kt(); @@ -131,14 +130,12 @@ bool key_loaded = false; if (key_file) { - key_loaded = read_pem_key_file(&server_secret_key, - auth_token_pem_name, - key_file, key_inline); + key_loaded = + read_pem_key_file(&server_secret_key, auth_token_pem_name, key_file, key_inline); } else { - key_loaded = generate_ephemeral_key(&server_secret_key, - auth_token_pem_name); + key_loaded = generate_ephemeral_key(&server_secret_key, auth_token_pem_name); } if (!key_loaded) @@ -169,7 +166,7 @@ int64_t initial_timestamp = timestamp; hmac_ctx_t *ctx = multi->opt.auth_token_key.hmac; - ASSERT(hmac_ctx_size(ctx) == 256/8); + ASSERT(hmac_ctx_size(ctx) == 256 / 8); uint8_t sessid[AUTH_TOKEN_SESSION_ID_LEN]; @@ -185,7 +182,7 @@ char *initial_token_copy = string_alloc(multi->auth_token_initial, &gc); char *old_sessid = initial_token_copy + strlen(SESSION_ID_PREFIX); - char *old_tstamp_initial = old_sessid + AUTH_TOKEN_SESSION_ID_LEN*8/6; + char *old_tstamp_initial = old_sessid + AUTH_TOKEN_SESSION_ID_LEN * 8 / 6; /* * We null terminate the old token just after the session ID to let 
@@ -197,12 +194,13 @@ memcpy(&initial_timestamp, &old_tstamp_decode, sizeof(initial_timestamp)); old_tstamp_initial[0] = '\0'; - ASSERT(openvpn_base64_decode(old_sessid, sessid, AUTH_TOKEN_SESSION_ID_LEN) == AUTH_TOKEN_SESSION_ID_LEN); + ASSERT(openvpn_base64_decode(old_sessid, sessid, AUTH_TOKEN_SESSION_ID_LEN) + == AUTH_TOKEN_SESSION_ID_LEN); } else if (!rand_bytes(sessid, AUTH_TOKEN_SESSION_ID_LEN)) { - msg( M_FATAL, "Failed to get enough randomness for " - "authentication token"); + msg(M_FATAL, "Failed to get enough randomness for " + "authentication token"); } /* Calculate the HMAC */ @@ -210,7 +208,7 @@ * with \0 in them is asking for troubles in so many ways anyway that we * ignore that corner case here */ - uint8_t hmac_output[256/8]; + uint8_t hmac_output[256 / 8]; hmac_ctx_reset(ctx); @@ -222,20 +220,20 @@ struct key_state *ks = &multi->session[TM_ACTIVE].key[KS_PRIMARY]; if (ks->auth_token_state_flags & AUTH_TOKEN_VALID_EMPTYUSER) { - hmac_ctx_update(ctx, (const uint8_t *) "", 0); + hmac_ctx_update(ctx, (const uint8_t *)"", 0); } else { - hmac_ctx_update(ctx, (uint8_t *) up->username, (int) strlen(up->username)); + hmac_ctx_update(ctx, (uint8_t *)up->username, (int)strlen(up->username)); } hmac_ctx_update(ctx, sessid, AUTH_TOKEN_SESSION_ID_LEN); - hmac_ctx_update(ctx, (uint8_t *) &initial_timestamp, sizeof(initial_timestamp)); - hmac_ctx_update(ctx, (uint8_t *) ×tamp, sizeof(timestamp)); + hmac_ctx_update(ctx, (uint8_t *)&initial_timestamp, sizeof(initial_timestamp)); + hmac_ctx_update(ctx, (uint8_t *)×tamp, sizeof(timestamp)); hmac_ctx_final(ctx, hmac_output); /* Construct the unencoded session token */ - struct buffer token = alloc_buf_gc( - 2*sizeof(uint64_t) + AUTH_TOKEN_SESSION_ID_LEN + 256/8, &gc); + struct buffer token = + alloc_buf_gc(2 * sizeof(uint64_t) + AUTH_TOKEN_SESSION_ID_LEN + 256 / 8, &gc); ASSERT(buf_write(&token, sessid, sizeof(sessid))); ASSERT(buf_write(&token, &initial_timestamp, sizeof(initial_timestamp))); 
@@ -245,8 +243,8 @@ char *b64output = NULL; openvpn_base64_encode(BPTR(&token), BLEN(&token), &b64output); - struct buffer session_token = alloc_buf_gc( - strlen(SESSION_ID_PREFIX) + strlen(b64output) + 1, &gc); + struct buffer session_token = + alloc_buf_gc(strlen(SESSION_ID_PREFIX) + strlen(b64output) + 1, &gc); ASSERT(buf_write(&session_token, SESSION_ID_PREFIX, strlen(SESSION_ID_PREFIX))); ASSERT(buf_write(&session_token, b64output, (int)strlen(b64output))); @@ -258,8 +256,7 @@ free(multi->auth_token); multi->auth_token = strdup((char *)BPTR(&session_token)); - dmsg(D_SHOW_KEYS, "Generated token for client: %s (%s)", - multi->auth_token, up->username); + dmsg(D_SHOW_KEYS, "Generated token for client: %s (%s)", multi->auth_token, up->username); if (!multi->auth_token_initial) { @@ -277,22 +274,21 @@ static bool check_hmac_token(hmac_ctx_t *ctx, const uint8_t *b64decoded, const char ... [truncated message content] |
From: plaisthos (C. Review) <ge...@op...> - 2025-07-16 15:24:40
|
plaisthos has abandoned this change. ( http://gerrit.openvpn.net/c/openvpn/+/1085?usp=email ) Change subject: Do not check for pkcs11-helper when pkcs11 is not enabled ...................................................................... Abandoned In favour of #1088 -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1085?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I152577b7d9b3b3a0d298971f47ba412d3f43d50d Gerrit-Change-Number: 1085 Gerrit-PatchSet: 1 Gerrit-Owner: plaisthos <arn...@rf...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-MessageType: abandon |
From: Frank L. <fr...@li...> - 2025-07-16 15:19:16
|
This code was copied over and over since many years, since commit 9a3f670248d6f519a399e65a7232e2196b5115db ("Fixed autoconf script to properly detect missing pkcs11 with polarssl"). It is unclear what exact purpose it served back then but probably it is obsolete. It is definitely wrong since it means that you get PKCS11_HELPER_LIBS even if you do not specify --enable-pkcs11. Change-Id: I317be5253d6563906dd3826421dc81f737beba76 Signed-off-by: Frank Lichtenheld <fr...@li...> Acked-by: Arne Schwabe <arn...@rf...> --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1088 This mail reflects revision 1 of this Change. Acked-by according to Gerrit (reflected above): Arne Schwabe <arn...@rf...> diff --git a/configure.ac b/configure.ac index 8fc48ba..66cb79b 100644 --- a/configure.ac +++ b/configure.ac @@ -798,14 +798,6 @@ ;; esac -PKG_CHECK_MODULES( - [PKCS11_HELPER], - [libpkcs11-helper-1 >= 1.11], - [have_pkcs11_helper="yes"], - [] -) - - if test "$enable_dco" != "no"; then enable_dco_arg="$enable_dco" if test "${enable_iproute2}" = "yes"; then @@ -1014,13 +1006,12 @@ [mbedtls_ssl_init], [MBEDTLS_LIBS="-lmbedtls -lmbedx509 -lmbedcrypto"], [AC_MSG_ERROR([Could not find mbed TLS.])], - [${PKCS11_HELPER_LIBS}] ) fi fi - CFLAGS="${MBEDTLS_CFLAGS} ${PKCS11_HELPER_CFLAGS} ${CFLAGS}" - LIBS="${MBEDTLS_LIBS} ${PKCS11_HELPER_LIBS} ${LIBS}" + CFLAGS="${MBEDTLS_CFLAGS} ${CFLAGS}" + LIBS="${MBEDTLS_LIBS} ${LIBS}" AC_MSG_CHECKING([mbedtls version]) AC_COMPILE_IFELSE( 
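Review bot: In the `@@ -1014,13 +1006,12 @@` hunk, the comma after `[AC_MSG_ERROR([Could not find mbed TLS.])]` is kept although the `[${PKCS11_HELPER_LIBS}]` argument that followed it is removed. The macro call (apparently `AC_CHECK_LIB`; it opens above the hunk) therefore still receives an empty trailing argument. This does not affect the link test, but it reads as if an argument had been forgotten. Ending the line as `[AC_MSG_ERROR([Could not find mbed TLS.])]` without the comma makes it clear that no extra libraries are meant to be passed.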
@@ -1359,7 +1350,12 @@ AM_CONDITIONAL([HAVE_SOFTHSM2], [false]) if test "${enable_pkcs11}" = "yes"; then - test "${have_pkcs11_helper}" != "yes" && AC_MSG_ERROR([PKCS11 enabled but libpkcs11-helper is missing]) + PKG_CHECK_MODULES( + [PKCS11_HELPER], + [libpkcs11-helper-1 >= 1.11], + [have_pkcs11_helper="yes"], + [AC_MSG_ERROR([PKCS11 enabled but libpkcs11-helper is missing])] + ) OPTIONAL_PKCS11_HELPER_CFLAGS="${PKCS11_HELPER_CFLAGS}" OPTIONAL_PKCS11_HELPER_LIBS="${PKCS11_HELPER_LIBS}" AC_DEFINE([ENABLE_PKCS11], [1], [Enable PKCS11]) |
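Review bot: `PKG_CHECK_MODULES` now sits inside the plain shell `if test "${enable_pkcs11}" = "yes"; then` block, and pkg.m4 brings in `PKG_PROG_PKG_CONFIG` via `AC_REQUIRE` at the first `PKG_CHECK_MODULES` it expands. If no unconditional `PKG_CHECK_MODULES` or explicit `PKG_PROG_PKG_CONFIG` comes earlier in configure.ac (not visible in this hunk), pkg-config detection would only run when PKCS#11 is enabled; worth confirming, or calling `PKG_PROG_PKG_CONFIG` once near the top. `have_pkcs11_helper="yes"` is still assigned, but its only visible reader was the removed `test` line, so it may now be dead. The custom `AC_MSG_ERROR` text also drops pkg-config's own diagnostic, which appending `${PKCS11_HELPER_PKG_ERRORS}` to the message would keep. A comment such as `# probe pkcs11-helper only with --enable-pkcs11 so its flags never reach unrelated checks` would record why the probe moved.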
From: plaisthos (C. Review) <ge...@op...> - 2025-07-16 15:14:14
|
Attention is currently required from: flichtenheld. plaisthos has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/1088?usp=email ) Change subject: configure.ac: Remove use of PKCS11_HELPER_LIBS in mbedTLS checks ...................................................................... Patch Set 1: Code-Review+2 -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1088?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I317be5253d6563906dd3826421dc81f737beba76 Gerrit-Change-Number: 1088 Gerrit-PatchSet: 1 Gerrit-Owner: flichtenheld <fr...@li...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: flichtenheld <fr...@li...> Gerrit-Comment-Date: Wed, 16 Jul 2025 15:14:00 +0000 Gerrit-HasComments: No Gerrit-Has-Labels: Yes Gerrit-MessageType: comment |
From: cron2 (C. Review) <ge...@op...> - 2025-07-16 14:18:19
|
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/1087?usp=email ) Change subject: README.dco: update Linux instructions ...................................................................... README.dco: update Linux instructions Update the README.dco file by including instructions related to the new 'ovpn' linux kernel module. Change-Id: I22af9957b27785514d8c6d58fe4f2100d007fa5c Signed-off-by: Antonio Quartulli <an...@ma...> Acked-by: Frank Lichtenheld <fr...@li...> Message-Id: <202...@gr...> URL: https://www.mail-archive.com/ope...@li.../msg32180.html Signed-off-by: Gert Doering <ge...@gr...> --- M README.dco.md 1 file changed, 14 insertions(+), 19 deletions(-) diff --git a/README.dco.md b/README.dco.md index 3f7e00c..a93dc94 100644 --- a/README.dco.md +++ b/README.dco.md 
@@ -14,26 +14,22 @@ Getting started (Linux) ----------------------- -- Use a recent Linux kernel. Linux 5.4.0 and newer are known to work with - ovpn-dco. +The new DCO linux kernel module (namely `ovpn`) has been merged upstream +as of linux-6.16. From this kernel version onwards you directly get +the DCO module as shipped by your kernel. +NOTE: the new `ovpn` Linux kernel module is compatible only with OpenVPN +2.7 and greater. -Get the ovpn-dco module from one these urls and build it: +Alternatively, if you run an older kernel or if you want to use a more +recent DCO module than the one shipped by your kernel, you need to use +the ovpn-backports project. -* https://gitlab.com/openvpn/ovpn-dco -* https://github.com/OpenVPN/ovpn-dco +To learn how to use the ovpn-backports project and build your own DCO +kernel module, please refer to the README file available at: -e.g. + https://github.com/OpenVPN/ovpn-backports/blob/main/README.md - git clone https://github.com/OpenVPN/ovpn-dco - cd ovpn-dco - make - sudo make install - -If you want to report bugs please ensure to compile ovpn-dco with -`make DEBUG=1` and include any debug message being printed by the -kernel (you can view those messages with `dmesg`). - -Clone and build OpenVPN (or use OpenVPN 2.6+). For example: +Then clone and build OpenVPN (or use OpenVPN 2.7+). For example: git clone https://github.com/openvpn/openvpn.git cd openvpn @@ -48,8 +44,8 @@ data channel offloading, OpenVPN will automatically disable DCO support and warn the user. -Should OpenVPN be configured to use a feature that is not supported by ovpn-dco -or should the ovpn-dco kernel module not be available on the system, you will +Should OpenVPN be configured to use a feature that is not supported by ovpn +or should the ovpn kernel module not be available on the system, you will see a message like Note: Kernel support for ovpn-dco missing, disabling data channel offload. 
@@ -131,4 +127,3 @@ - `--persist-tun` not tested; - IPv6 mapped IPv4 addresses need Linux 5.4.189+/5.10.110+/5.12+ to work; - some incompatible options may not properly fallback to non-dco; -- no per client statistics. Only total statistics available on the interface. -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1087?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I22af9957b27785514d8c6d58fe4f2100d007fa5c Gerrit-Change-Number: 1087 Gerrit-PatchSet: 4 Gerrit-Owner: ordex <an...@ma...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-MessageType: merged |
From: cron2 (C. Review) <ge...@op...> - 2025-07-16 14:18:17
|
cron2 has uploaded a new patch set (#4) to the change originally created by ordex. ( http://gerrit.openvpn.net/c/openvpn/+/1087?usp=email ) The following approvals got outdated and were removed: Code-Review+2 by flichtenheld Change subject: README.dco: update Linux instructions ...................................................................... README.dco: update Linux instructions Update the README.dco file by including instructions related to the new 'ovpn' linux kernel module. Change-Id: I22af9957b27785514d8c6d58fe4f2100d007fa5c Signed-off-by: Antonio Quartulli <an...@ma...> Acked-by: Frank Lichtenheld <fr...@li...> Message-Id: <202...@gr...> URL: https://www.mail-archive.com/ope...@li.../msg32180.html Signed-off-by: Gert Doering <ge...@gr...> --- M README.dco.md 1 file changed, 14 insertions(+), 19 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/87/1087/4 diff --git a/README.dco.md b/README.dco.md index 3f7e00c..a93dc94 100644 --- a/README.dco.md +++ b/README.dco.md 
@@ -14,26 +14,22 @@ Getting started (Linux) ----------------------- -- Use a recent Linux kernel. Linux 5.4.0 and newer are known to work with - ovpn-dco. +The new DCO linux kernel module (namely `ovpn`) has been merged upstream +as of linux-6.16. From this kernel version onwards you directly get +the DCO module as shipped by your kernel. +NOTE: the new `ovpn` Linux kernel module is compatible only with OpenVPN +2.7 and greater. -Get the ovpn-dco module from one these urls and build it: +Alternatively, if you run an older kernel or if you want to use a more +recent DCO module than the one shipped by your kernel, you need to use +the ovpn-backports project. -* https://gitlab.com/openvpn/ovpn-dco -* https://github.com/OpenVPN/ovpn-dco +To learn how to use the ovpn-backports project and build your own DCO +kernel module, please refer to the README file available at: -e.g. + https://github.com/OpenVPN/ovpn-backports/blob/main/README.md - git clone https://github.com/OpenVPN/ovpn-dco - cd ovpn-dco - make - sudo make install - -If you want to report bugs please ensure to compile ovpn-dco with -`make DEBUG=1` and include any debug message being printed by the -kernel (you can view those messages with `dmesg`). - -Clone and build OpenVPN (or use OpenVPN 2.6+). For example: +Then clone and build OpenVPN (or use OpenVPN 2.7+). For example: git clone https://github.com/openvpn/openvpn.git cd openvpn @@ -48,8 +44,8 @@ data channel offloading, OpenVPN will automatically disable DCO support and warn the user. -Should OpenVPN be configured to use a feature that is not supported by ovpn-dco -or should the ovpn-dco kernel module not be available on the system, you will +Should OpenVPN be configured to use a feature that is not supported by ovpn +or should the ovpn kernel module not be available on the system, you will see a message like Note: Kernel support for ovpn-dco missing, disabling data channel offload. 
@@ -131,4 +127,3 @@ - `--persist-tun` not tested; - IPv6 mapped IPv4 addresses need Linux 5.4.189+/5.10.110+/5.12+ to work; - some incompatible options may not properly fallback to non-dco; -- no per client statistics. Only total statistics available on the interface. -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1087?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I22af9957b27785514d8c6d58fe4f2100d007fa5c Gerrit-Change-Number: 1087 Gerrit-PatchSet: 4 Gerrit-Owner: ordex <an...@ma...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-MessageType: newpatchset |
From: Gert D. <ge...@gr...> - 2025-07-16 14:18:05
|
Documentation updates are good :-) - thanks Frank for reviewing. Your patch has been applied to the master branch. commit 3fdbad843550372ddaada223ef14dc1d935481d3 Author: Antonio Quartulli Date: Wed Jul 16 15:54:25 2025 +0200 README.dco: update Linux instructions Signed-off-by: Antonio Quartulli <an...@ma...> Acked-by: Frank Lichtenheld <fr...@li...> Message-Id: <202...@gr...> URL: https://www.mail-archive.com/ope...@li.../msg32180.html Signed-off-by: Gert Doering <ge...@gr...> -- kind regards, Gert Doering |
From: flichtenheld (C. Review) <ge...@op...> - 2025-07-16 14:09:16
|
Attention is currently required from: plaisthos. flichtenheld has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/1085?usp=email ) Change subject: Do not check for pkcs11-helper when pkcs11 is not enabled ...................................................................... Patch Set 1: (1 comment) Patchset: PS1: > The initial reason for this weird behavior is commit 9a3f670248d6f519a399e65a7232e2196b5115db: "Fixe […] Proposing http://gerrit.openvpn.net/c/openvpn/+/1088 instead. -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1085?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I152577b7d9b3b3a0d298971f47ba412d3f43d50d Gerrit-Change-Number: 1085 Gerrit-PatchSet: 1 Gerrit-Owner: plaisthos <arn...@rf...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Comment-Date: Wed, 16 Jul 2025 14:09:02 +0000 Gerrit-HasComments: Yes Gerrit-Has-Labels: No Comment-In-Reply-To: flichtenheld <fr...@li...> Gerrit-MessageType: comment |
From: flichtenheld (C. Review) <ge...@op...> - 2025-07-16 14:08:38
|
Attention is currently required from: plaisthos. Hello plaisthos, I'd like you to do a code review. Please visit http://gerrit.openvpn.net/c/openvpn/+/1088?usp=email to review the following change. Change subject: configure.ac: Remove use of PKCS11_HELPER_LIBS in mbedTLS checks ...................................................................... configure.ac: Remove use of PKCS11_HELPER_LIBS in mbedTLS checks This code was copied over and over since many years, since commit 9a3f670248d6f519a399e65a7232e2196b5115db ("Fixed autoconf script to properly detect missing pkcs11 with polarssl"). It is unclear what exact purpose it served back then but probably it is obsolete. It is definitely wrong since it means that you get PKCS11_HELPER_LIBS even if you do not specify --enable-pkcs11. Change-Id: I317be5253d6563906dd3826421dc81f737beba76 Signed-off-by: Frank Lichtenheld <fr...@li...> --- M configure.ac 1 file changed, 8 insertions(+), 12 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/88/1088/1 diff --git a/configure.ac b/configure.ac index 8fc48ba..66cb79b 100644 --- a/configure.ac +++ b/configure.ac @@ -798,14 +798,6 @@ ;; esac -PKG_CHECK_MODULES( - [PKCS11_HELPER], - [libpkcs11-helper-1 >= 1.11], - [have_pkcs11_helper="yes"], - [] -) - - if test "$enable_dco" != "no"; then enable_dco_arg="$enable_dco" if test "${enable_iproute2}" = "yes"; then @@ -1014,13 +1006,12 @@ [mbedtls_ssl_init], [MBEDTLS_LIBS="-lmbedtls -lmbedx509 -lmbedcrypto"], [AC_MSG_ERROR([Could not find mbed TLS.])], - [${PKCS11_HELPER_LIBS}] ) fi fi - CFLAGS="${MBEDTLS_CFLAGS} ${PKCS11_HELPER_CFLAGS} ${CFLAGS}" - LIBS="${MBEDTLS_LIBS} ${PKCS11_HELPER_LIBS} ${LIBS}" + CFLAGS="${MBEDTLS_CFLAGS} ${CFLAGS}" + LIBS="${MBEDTLS_LIBS} ${LIBS}" AC_MSG_CHECKING([mbedtls version]) AC_COMPILE_IFELSE( 
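Review bot: The context line `[AC_MSG_ERROR([Could not find mbed TLS.])],` in the second configure.ac hunk keeps its trailing comma after `[${PKCS11_HELPER_LIBS}]` is removed, so the macro call now ends with an empty extra argument. That is harmless to m4 but reads like a leftover from the removal. I would drop the comma so the call ends with `[AC_MSG_ERROR([Could not find mbed TLS.])]` followed by `)`. The call's opening line is above the hunk, so the macro being invoked is not visible here.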
@@ -1359,7 +1350,12 @@ AM_CONDITIONAL([HAVE_SOFTHSM2], [false]) if test "${enable_pkcs11}" = "yes"; then - test "${have_pkcs11_helper}" != "yes" && AC_MSG_ERROR([PKCS11 enabled but libpkcs11-helper is missing]) + PKG_CHECK_MODULES( + [PKCS11_HELPER], + [libpkcs11-helper-1 >= 1.11], + [have_pkcs11_helper="yes"], + [AC_MSG_ERROR([PKCS11 enabled but libpkcs11-helper is missing])] + ) OPTIONAL_PKCS11_HELPER_CFLAGS="${PKCS11_HELPER_CFLAGS}" OPTIONAL_PKCS11_HELPER_LIBS="${PKCS11_HELPER_LIBS}" AC_DEFINE([ENABLE_PKCS11], [1], [Enable PKCS11]) -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1088?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I317be5253d6563906dd3826421dc81f737beba76 Gerrit-Change-Number: 1088 Gerrit-PatchSet: 1 Gerrit-Owner: flichtenheld <fr...@li...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-MessageType: newchange |
From: Gert D. <ge...@gr...> - 2025-07-16 13:54:39
|
From: Antonio Quartulli <an...@ma...> Update the README.dco file by including instructions related to the new 'ovpn' linux kernel module. Change-Id: I22af9957b27785514d8c6d58fe4f2100d007fa5c Signed-off-by: Antonio Quartulli <an...@ma...> Acked-by: Frank Lichtenheld <fr...@li...> --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1087 This mail reflects revision 3 of this Change. Acked-by according to Gerrit (reflected above): Frank Lichtenheld <fr...@li...> diff --git a/README.dco.md b/README.dco.md index 3f7e00c..a93dc94 100644 --- a/README.dco.md +++ b/README.dco.md 
@@ -14,26 +14,22 @@ Getting started (Linux) ----------------------- -- Use a recent Linux kernel. Linux 5.4.0 and newer are known to work with - ovpn-dco. +The new DCO linux kernel module (namely `ovpn`) has been merged upstream +as of linux-6.16. From this kernel version onwards you directly get +the DCO module as shipped by your kernel. +NOTE: the new `ovpn` Linux kernel module is compatible only with OpenVPN +2.7 and greater. -Get the ovpn-dco module from one these urls and build it: +Alternatively, if you run an older kernel or if you want to use a more +recent DCO module than the one shipped by your kernel, you need to use +the ovpn-backports project. -* https://gitlab.com/openvpn/ovpn-dco -* https://github.com/OpenVPN/ovpn-dco +To learn how to use the ovpn-backports project and build your own DCO +kernel module, please refer to the README file available at: -e.g. + https://github.com/OpenVPN/ovpn-backports/blob/main/README.md - git clone https://github.com/OpenVPN/ovpn-dco - cd ovpn-dco - make - sudo make install - -If you want to report bugs please ensure to compile ovpn-dco with -`make DEBUG=1` and include any debug message being printed by the -kernel (you can view those messages with `dmesg`). - -Clone and build OpenVPN (or use OpenVPN 2.6+). For example: +Then clone and build OpenVPN (or use OpenVPN 2.7+). For example: git clone https://github.com/openvpn/openvpn.git cd openvpn @@ -48,8 +44,8 @@ data channel offloading, OpenVPN will automatically disable DCO support and warn the user. -Should OpenVPN be configured to use a feature that is not supported by ovpn-dco -or should the ovpn-dco kernel module not be available on the system, you will +Should OpenVPN be configured to use a feature that is not supported by ovpn +or should the ovpn kernel module not be available on the system, you will see a message like Note: Kernel support for ovpn-dco missing, disabling data channel offload. 
@@ -131,4 +127,3 @@ - `--persist-tun` not tested; - IPv6 mapped IPv4 addresses need Linux 5.4.189+/5.10.110+/5.12+ to work; - some incompatible options may not properly fallback to non-dco; -- no per client statistics. Only total statistics available on the interface. |
From: flichtenheld (C. Review) <ge...@op...> - 2025-07-16 13:51:37
|
Attention is currently required from: ordex, plaisthos. flichtenheld has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/1087?usp=email ) Change subject: README.dco: update Linux instructions ...................................................................... Patch Set 3: Code-Review+2 -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1087?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I22af9957b27785514d8c6d58fe4f2100d007fa5c Gerrit-Change-Number: 1087 Gerrit-PatchSet: 3 Gerrit-Owner: ordex <an...@ma...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Attention: ordex <an...@ma...> Gerrit-Comment-Date: Wed, 16 Jul 2025 13:51:22 +0000 Gerrit-HasComments: No Gerrit-Has-Labels: Yes Gerrit-MessageType: comment |
From: ordex (C. Review) <ge...@op...> - 2025-07-16 13:43:07
|
Attention is currently required from: flichtenheld, ordex, plaisthos. Hello flichtenheld, plaisthos, I'd like you to reexamine a change. Please visit http://gerrit.openvpn.net/c/openvpn/+/1087?usp=email to look at the new patch set (#3). The following approvals got outdated and were removed: Code-Review+2 by flichtenheld The change is no longer submittable: Code-Review and checks~ChecksSubmitRule are unsatisfied now. Change subject: README.dco: update Linux instructions ...................................................................... README.dco: update Linux instructions Update the README.dco file by including instructions related to the new 'ovpn' linux kernel module. Change-Id: I22af9957b27785514d8c6d58fe4f2100d007fa5c Signed-off-by: Antonio Quartulli <an...@ma...> --- M README.dco.md 1 file changed, 14 insertions(+), 19 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/87/1087/3 diff --git a/README.dco.md b/README.dco.md index 3f7e00c..a93dc94 100644 --- a/README.dco.md +++ b/README.dco.md 
@@ -14,26 +14,22 @@ Getting started (Linux) ----------------------- -- Use a recent Linux kernel. Linux 5.4.0 and newer are known to work with - ovpn-dco. +The new DCO linux kernel module (namely `ovpn`) has been merged upstream +as of linux-6.16. From this kernel version onwards you directly get +the DCO module as shipped by your kernel. +NOTE: the new `ovpn` Linux kernel module is compatible only with OpenVPN +2.7 and greater. -Get the ovpn-dco module from one these urls and build it: +Alternatively, if you run an older kernel or if you want to use a more +recent DCO module than the one shipped by your kernel, you need to use +the ovpn-backports project. -* https://gitlab.com/openvpn/ovpn-dco -* https://github.com/OpenVPN/ovpn-dco +To learn how to use the ovpn-backports project and build your own DCO +kernel module, please refer to the README file available at: -e.g. + https://github.com/OpenVPN/ovpn-backports/blob/main/README.md - git clone https://github.com/OpenVPN/ovpn-dco - cd ovpn-dco - make - sudo make install - -If you want to report bugs please ensure to compile ovpn-dco with -`make DEBUG=1` and include any debug message being printed by the -kernel (you can view those messages with `dmesg`). - -Clone and build OpenVPN (or use OpenVPN 2.6+). For example: +Then clone and build OpenVPN (or use OpenVPN 2.7+). For example: git clone https://github.com/openvpn/openvpn.git cd openvpn @@ -48,8 +44,8 @@ data channel offloading, OpenVPN will automatically disable DCO support and warn the user. -Should OpenVPN be configured to use a feature that is not supported by ovpn-dco -or should the ovpn-dco kernel module not be available on the system, you will +Should OpenVPN be configured to use a feature that is not supported by ovpn +or should the ovpn kernel module not be available on the system, you will see a message like Note: Kernel support for ovpn-dco missing, disabling data channel offload. 
@@ -131,4 +127,3 @@ - `--persist-tun` not tested; - IPv6 mapped IPv4 addresses need Linux 5.4.189+/5.10.110+/5.12+ to work; - some incompatible options may not properly fallback to non-dco; -- no per client statistics. Only total statistics available on the interface. -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1087?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I22af9957b27785514d8c6d58fe4f2100d007fa5c Gerrit-Change-Number: 1087 Gerrit-PatchSet: 3 Gerrit-Owner: ordex <an...@ma...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Attention: flichtenheld <fr...@li...> Gerrit-Attention: ordex <an...@ma...> Gerrit-MessageType: newpatchset |
From: flichtenheld (C. Review) <ge...@op...> - 2025-07-16 13:28:00
|
Attention is currently required from: ordex, plaisthos. flichtenheld has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/1087?usp=email ) Change subject: README.dco: update Linux instructions ...................................................................... Patch Set 2: Code-Review+2 -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1087?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I22af9957b27785514d8c6d58fe4f2100d007fa5c Gerrit-Change-Number: 1087 Gerrit-PatchSet: 2 Gerrit-Owner: ordex <an...@ma...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Attention: ordex <an...@ma...> Gerrit-Comment-Date: Wed, 16 Jul 2025 13:27:46 +0000 Gerrit-HasComments: No Gerrit-Has-Labels: Yes Gerrit-MessageType: comment |
From: ordex (C. Review) <ge...@op...> - 2025-07-16 13:20:27
|
Attention is currently required from: flichtenheld, plaisthos. ordex has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/1087?usp=email ) Change subject: README.dco: update Linux instructions ...................................................................... Patch Set 2: (1 comment) File README.dco.md: http://gerrit.openvpn.net/c/openvpn/+/1087/comment/73a91b8d_bfd6cc02 : PS1, Line 47: ovpn > makes sense. However, I'll limit the renaming to this section only. […] Done -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1087?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I22af9957b27785514d8c6d58fe4f2100d007fa5c Gerrit-Change-Number: 1087 Gerrit-PatchSet: 2 Gerrit-Owner: ordex <an...@ma...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Attention: flichtenheld <fr...@li...> Gerrit-Comment-Date: Wed, 16 Jul 2025 13:20:18 +0000 Gerrit-HasComments: Yes Gerrit-Has-Labels: No Comment-In-Reply-To: flichtenheld <fr...@li...> Comment-In-Reply-To: ordex <an...@ma...> Gerrit-MessageType: comment |
From: ordex (C. Review) <ge...@op...> - 2025-07-16 13:20:18
|
Attention is currently required from: flichtenheld, plaisthos. Hello flichtenheld, plaisthos, I'd like you to reexamine a change. Please visit http://gerrit.openvpn.net/c/openvpn/+/1087?usp=email to look at the new patch set (#2). The following approvals got outdated and were removed: Code-Review-1 by flichtenheld Change subject: README.dco: update Linux instructions ...................................................................... README.dco: update Linux instructions Update the README.dco file by including instructions related to the new 'ovpn' linux kernel module. Change-Id: I22af9957b27785514d8c6d58fe4f2100d007fa5c Signed-off-by: Antonio Quartulli <an...@ma...> --- M README.dco.md 1 file changed, 14 insertions(+), 18 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/87/1087/2 diff --git a/README.dco.md b/README.dco.md index 3f7e00c..fc4334e 100644 --- a/README.dco.md +++ b/README.dco.md 
@@ -14,26 +14,22 @@ Getting started (Linux) ----------------------- -- Use a recent Linux kernel. Linux 5.4.0 and newer are known to work with - ovpn-dco. +The new DCO linux kernel module (namely `ovpn`) has been merged upstream +as of linux-6.16. From this kernel version onwards you directly get +the DCO module as shipped by your kernel. +NOTE: the new `ovpn` Linux kernel module is compatible only with OpenVPN +2.7 and greater. -Get the ovpn-dco module from one these urls and build it: +Alternatively, if you run an older kernel or if you want to use a more +recent DCO module than the one shipped by your kernel, you need to use +the ovpn-backports project. -* https://gitlab.com/openvpn/ovpn-dco -* https://github.com/OpenVPN/ovpn-dco +To learn how to use the ovpn-backports project and build your own DCO +kernel module, please refer to the README file available at: -e.g. + https://github.com/OpenVPN/ovpn-backports/blob/main/README.md - git clone https://github.com/OpenVPN/ovpn-dco - cd ovpn-dco - make - sudo make install - -If you want to report bugs please ensure to compile ovpn-dco with -`make DEBUG=1` and include any debug message being printed by the -kernel (you can view those messages with `dmesg`). - -Clone and build OpenVPN (or use OpenVPN 2.6+). For example: +Then clone and build OpenVPN (or use OpenVPN 2.7+). For example: git clone https://github.com/openvpn/openvpn.git cd openvpn 
@@ -48,8 +44,8 @@ data channel offloading, OpenVPN will automatically disable DCO support and warn the user. -Should OpenVPN be configured to use a feature that is not supported by ovpn-dco -or should the ovpn-dco kernel module not be available on the system, you will +Should OpenVPN be configured to use a feature that is not supported by ovpn +or should the ovpn kernel module not be available on the system, you will see a message like Note: Kernel support for ovpn-dco missing, disabling data channel offload. -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1087?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I22af9957b27785514d8c6d58fe4f2100d007fa5c Gerrit-Change-Number: 1087 Gerrit-PatchSet: 2 Gerrit-Owner: ordex <an...@ma...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Attention: flichtenheld <fr...@li...> Gerrit-MessageType: newpatchset |
From: ordex (C. Review) <ge...@op...> - 2025-07-16 13:16:37
|
Attention is currently required from: flichtenheld, plaisthos. ordex has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/1087?usp=email ) Change subject: README.dco: update Linux instructions ...................................................................... Patch Set 1: (1 comment) File README.dco.md: http://gerrit.openvpn.net/c/openvpn/+/1087/comment/d21afb4d_2a0ea7bb : PS1, Line 47: ovpn > Should replace remaining occurrences of "ovpn-dco" makes sense. However, I'll limit the renaming to this section only. Because more in general we still use the term "ovpn-dco" -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1087?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I22af9957b27785514d8c6d58fe4f2100d007fa5c Gerrit-Change-Number: 1087 Gerrit-PatchSet: 1 Gerrit-Owner: ordex <an...@ma...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Attention: flichtenheld <fr...@li...> Gerrit-Comment-Date: Wed, 16 Jul 2025 13:16:27 +0000 Gerrit-HasComments: Yes Gerrit-Has-Labels: No Comment-In-Reply-To: flichtenheld <fr...@li...> Gerrit-MessageType: comment |
From: flichtenheld (C. Review) <ge...@op...> - 2025-07-16 13:07:20
|
Attention is currently required from: ordex, plaisthos. flichtenheld has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/1087?usp=email ) Change subject: README.dco: update Linux instructions ...................................................................... Patch Set 1: Code-Review-1 (1 comment) File README.dco.md: http://gerrit.openvpn.net/c/openvpn/+/1087/comment/7c091c1d_5c4660b7 : PS1, Line 47: ovpn Should replace remaining occurrences of "ovpn-dco" -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1087?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I22af9957b27785514d8c6d58fe4f2100d007fa5c Gerrit-Change-Number: 1087 Gerrit-PatchSet: 1 Gerrit-Owner: ordex <an...@ma...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Attention: ordex <an...@ma...> Gerrit-Comment-Date: Wed, 16 Jul 2025 13:07:11 +0000 Gerrit-HasComments: Yes Gerrit-Has-Labels: Yes Gerrit-MessageType: comment |
From: ordex (C. Review) <ge...@op...> - 2025-07-16 12:41:52
|
Attention is currently required from: flichtenheld, plaisthos. Hello plaisthos, flichtenheld, I'd like you to do a code review. Please visit http://gerrit.openvpn.net/c/openvpn/+/1087?usp=email to review the following change. Change subject: README.dco: update Linux instructions ...................................................................... README.dco: update Linux instructions Update the README.dco file by including instructions related to the new 'ovpn' linux kernel module. Change-Id: I22af9957b27785514d8c6d58fe4f2100d007fa5c Signed-off-by: Antonio Quartulli <an...@ma...> --- M README.dco.md 1 file changed, 12 insertions(+), 16 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/87/1087/1 diff --git a/README.dco.md b/README.dco.md index 3f7e00c..8c2ff87 100644 --- a/README.dco.md +++ b/README.dco.md 
@@ -14,26 +14,22 @@ Getting started (Linux) ----------------------- -- Use a recent Linux kernel. Linux 5.4.0 and newer are known to work with - ovpn-dco. +The new DCO linux kernel module (namely `ovpn`) has been merged upstream +as of linux-6.16. From this kernel version onwards you directly get +the DCO module as shipped by your kernel. +NOTE: the new `ovpn` Linux kernel module is compatible only with OpenVPN +2.7 and greater. -Get the ovpn-dco module from one these urls and build it: +Alternatively, if you run an older kernel or if you want to use a more +recent DCO module than the one shipped by your kernel, you need to use +the ovpn-backports project. -* https://gitlab.com/openvpn/ovpn-dco -* https://github.com/OpenVPN/ovpn-dco +To learn how to use the ovpn-backports project and build your own DCO +kernel module, please refer to the README file available at: -e.g. + https://github.com/OpenVPN/ovpn-backports/blob/main/README.md - git clone https://github.com/OpenVPN/ovpn-dco - cd ovpn-dco - make - sudo make install - -If you want to report bugs please ensure to compile ovpn-dco with -`make DEBUG=1` and include any debug message being printed by the -kernel (you can view those messages with `dmesg`). - -Clone and build OpenVPN (or use OpenVPN 2.6+). For example: +Then clone and build OpenVPN (or use OpenVPN 2.7+). 
For example: git clone https://github.com/openvpn/openvpn.git cd openvpn -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1087?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I22af9957b27785514d8c6d58fe4f2100d007fa5c Gerrit-Change-Number: 1087 Gerrit-PatchSet: 1 Gerrit-Owner: ordex <an...@ma...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Attention: flichtenheld <fr...@li...> Gerrit-MessageType: newchange |
From: mrbff (C. Review) <ge...@op...> - 2025-07-16 10:36:33
|
Attention is currently required from: flichtenheld, mrbff, plaisthos. Hello flichtenheld, plaisthos, stipa, I'd like you to reexamine a change. Please visit http://gerrit.openvpn.net/c/openvpn/+/810?usp=email to look at the new patch set (#19). The change is no longer submittable: checks~ChecksSubmitRule is unsatisfied now. Change subject: PUSH_UPDATE: Added update_option() function. ...................................................................... PUSH_UPDATE: Added update_option() function. When the function receives an option to update, it first checks whether it has already received an option of the same type within the same update message. If it has already received it, it simply calls add_option(), otherwise it deletes all the values already present regarding that option. Change-Id: Ia45c99e6df7b3ad24020c10b8a9b3577984ecdc2 Signed-off-by: Marco Baffo <ma...@ma...> --- M src/openvpn/options.c 1 file changed, 247 insertions(+), 10 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/10/810/19 diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 22eaa8a..713df52 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -5642,6 +5642,13 @@ return options->forward_compatible ? M_WARN : msglevel; } +#define RESET_OPTION_ROUTES(option_ptr, field) \ + if (option_ptr) \ + { \ + option_ptr->field = NULL; \ + option_ptr->flags = 0; \ + } + /** * @brief Resets options found in the PUSH_UPDATE message that are preceded by the `-` flag. * This function is used in push-updates to reset specified options. @@ -5696,11 +5703,7 @@ delete_routes_v4(c->c1.route_list, c->c1.tuntap, ROUTE_OPTION_FLAGS(&c->options), es, &c->net_ctx); - if (options->routes) - { - options->routes->routes = NULL; - options->routes->flags = 0; - } + RESET_OPTION_ROUTES(options->routes, routes); } } else if (streq(p[0], "route-ipv6") && !p[1]) 
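Review bot: The `RESET_OPTION_ROUTES` macro added in the first options.c hunk expands to a bare `if` block and uses `option_ptr` unparenthesized. A call written as the body of an unbraced `if` with an `else` after it would either fail to compile or attach the `else` to the macro's own `if`. The call sites visible in these hunks sit inside braces, so nothing breaks today, but the macro is file-wide and the hazard is easy to close. I would write the expansion as `do { if (option_ptr) { (option_ptr)->field = NULL; (option_ptr)->flags = 0; } } while (0)` and add a one-line comment saying that it clears the list head and flags once the routes have been deleted.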
@@ -5711,11 +5714,7 @@ delete_routes_v6(c->c1.route_ipv6_list, c->c1.tuntap, ROUTE_OPTION_FLAGS(&c->options), es, &c->net_ctx); - if (options->routes_ipv6) - { - options->routes_ipv6->routes_ipv6 = NULL; - options->routes_ipv6->flags = 0; - } + RESET_OPTION_ROUTES(options->routes_ipv6, routes_ipv6); } } else if (streq(p[0], "route-gateway") && !p[1]) 
@@ -5834,6 +5833,238 @@ err: msg(msglevel, "Error occurred trying to remove %s option", p[0]); } + +/** + * @brief Processes an option to update. It first checks whether it has already + * received an option of the same type within the same update message. + * If the option has already been received, it calls add_option(). + * Otherwise, it deletes all existing values related to that option before calling add_option(). + * + * @param c The context structure. + * @param options A pointer to the options structure. + * @param p An array of strings containing the options and their parameters. + * @param is_inline A boolean indicating if the option is inline. + * @param file The file where the function is called. + * @param line The line number where the function is called. + * @param level The level of the option. + * @param msglevel The message level for logging. + * @param permission_mask The permission mask used by VERIFY_PERMISSION(). + * @param option_types_found A pointer to the variable where the flags corresponding to the options found are stored. + * @param es The environment set structure. + * @param update_options_found A pointer to the variable where the flags corresponding to the update options found are stored, + * used to check if an option of the same type has already been processed by update_option() within the same push-update message. 
+ */ +static void +update_option(struct context *c, + struct options *options, + char *p[], + bool is_inline, + const char *file, + int line, + const int level, + const int msglevel, + const unsigned int permission_mask, + unsigned int *option_types_found, + struct env_set *es, + unsigned int *update_options_found) +{ + const bool pull_mode = BOOL_CAST(permission_mask & OPT_P_PULL_MODE); + ASSERT(MAX_PARMS >= 7); + + if (streq(p[0], "route") && p[1] && !p[5]) + { + if (!(*update_options_found & OPT_P_U_ROUTE)) + { + VERIFY_PERMISSION(OPT_P_ROUTE); + rol_check_alloc(options); + if (pull_mode) + { + if (!ip_or_dns_addr_safe(p[1], options->allow_pull_fqdn) && !is_special_addr(p[1])) /* FQDN -- may be DNS name */ + { + msg(msglevel, "route parameter network/IP '%s' must be a valid address", p[1]); + goto err; + } + if (p[2] && !ip_addr_dotted_quad_safe(p[2])) /* FQDN -- must be IP address */ + { + msg(msglevel, "route parameter netmask '%s' must be an IP address", p[2]); + goto err; + } + if (p[3] && !ip_or_dns_addr_safe(p[3], options->allow_pull_fqdn) && !is_special_addr(p[3])) /* FQDN -- may be DNS name */ + { + msg(msglevel, "route parameter gateway '%s' must be a valid address", p[3]); + goto err; + } + } + if (c->c1.route_list) + { + delete_routes_v4(c->c1.route_list, c->c1.tuntap, + ROUTE_OPTION_FLAGS(&c->options), + es, &c->net_ctx); + RESET_OPTION_ROUTES(options->routes, routes); + } + *update_options_found |= OPT_P_U_ROUTE; + } + } + else if (streq(p[0], "route-ipv6") && p[1] && !p[4]) + { + if (!(*update_options_found & OPT_P_U_ROUTE6)) + { + VERIFY_PERMISSION(OPT_P_ROUTE); + rol6_check_alloc(options); + if (pull_mode) + { + if (!ipv6_addr_safe_hexplusbits(p[1])) + { + msg(msglevel, "route-ipv6 parameter network/IP '%s' must be a valid address", p[1]); + goto err; + } + if (p[2] && !ipv6_addr_safe(p[2])) + { + msg(msglevel, "route-ipv6 parameter gateway '%s' must be a valid address", p[2]); + goto err; + } + /* p[3] is metric, if present */ + } + if 
(c->c1.route_ipv6_list) + { + delete_routes_v6(c->c1.route_ipv6_list, c->c1.tuntap, + ROUTE_OPTION_FLAGS(&c->options), + es, &c->net_ctx); + RESET_OPTION_ROUTES(options->routes_ipv6, routes_ipv6); + } + *update_options_found |= OPT_P_U_ROUTE6; + } + } + else if (streq(p[0], "redirect-gateway") || streq(p[0], "redirect-private")) + { + if (!(*update_options_found & OPT_P_U_REDIR_GATEWAY)) + { + VERIFY_PERMISSION(OPT_P_ROUTE); + if (options->routes) + { + options->routes->flags = 0; + } + if (options->routes_ipv6) + { + options->routes_ipv6->flags = 0; + } + *update_options_found |= OPT_P_U_REDIR_GATEWAY; + } + } + else if (streq(p[0], "dns") && p[1]) + { + if (!(*update_options_found & OPT_P_U_DNS)) + { + VERIFY_PERMISSION(OPT_P_DHCPDNS); + if (streq(p[1], "server") && p[2] && p[3] && p[4]) + { + long priority; + if (!dns_server_priority_parse(&priority, p[2], pull_mode)) + { + msg(msglevel, "--dns server: invalid priority value '%s'", p[2]); + goto err; + } + + struct dns_server server; + CLEAR(server); + if (streq(p[3], "address") && p[4]) + { + for (int i = 4; p[i]; ++i) + { + if (!dns_server_addr_parse(&server, p[i])) + { + msg(msglevel, "--dns server %ld: malformed address or maximum exceeded '%s'", priority, p[i]); + goto err; + } + } + } + else if (streq(p[3], "dnssec") && !p[5]) + { + if (!streq(p[4], "yes") && !streq(p[4], "no") && !streq(p[4], "optional")) + { + msg(msglevel, "--dns server %ld: malformed dnssec value '%s'", priority, p[4]); + goto err; + } + } + else if (streq(p[3], "transport") && !p[5]) + { + if (!streq(p[4], "plain") && !streq(p[4], "DoH") && !streq(p[4], "DoT")) + { + msg(msglevel, "--dns server %ld: malformed transport value '%s'", priority, p[4]); + goto err; + } + } + else if (!streq(p[3], "resolve-domains") + && !(streq(p[3], "sni") && !p[5])) + { + msg(msglevel, "--dns server %ld: unknown option type '%s' or missing or unknown parameter", priority, p[3]); + goto err; + } + } + else if (!(streq(p[1], "search-domains") && p[2])) + { 
+ msg(msglevel, "--dns: unknown option type '%s' or missing or unknown parameter", p[1]); + goto err; + } + + gc_free(&options->dns_options.gc); + CLEAR(options->dns_options); + *update_options_found |= OPT_P_U_DNS; + } + } +#if defined(_WIN32) || defined(TARGET_ANDROID) + else if (streq(p[0], "dhcp-option") && p[1] && !p[3]) + { + if (!(*update_options_found & OPT_P_U_DHCP)) + { + struct tuntap_options *o = &options->tuntap_options; + VERIFY_PERMISSION(OPT_P_DHCPDNS); + + o->domain = NULL; + o->netbios_scope = NULL; + o->netbios_node_type = 0; + o->dns6_len = 0; + CLEAR(o->dns6); + o->dns_len = 0; + CLEAR(o->dns); + o->wins_len = 0; + CLEAR(o->wins); + o->ntp_len = 0; + CLEAR(o->ntp); + o->nbdd_len = 0; + CLEAR(o->nbdd); + while (o->domain_search_list_len-- > 0) + { + o->domain_search_list[o->domain_search_list_len] = NULL; + } + o->disable_nbt = 0; + o->dhcp_options = 0; +#if defined(TARGET_ANDROID) + o->http_proxy_port = 0; + o->http_proxy = NULL; +#endif + *update_options_found |= OPT_P_U_DHCP; + } + } +#else /* if defined(_WIN32) || defined(TARGET_ANDROID) */ + else if (streq(p[0], "dhcp-option") && p[1] && !p[3]) + { + if (!(*update_options_found & OPT_P_U_DHCP)) + { + VERIFY_PERMISSION(OPT_P_DHCPDNS); + delete_all_dhcp_fo(options, &es->list); + *update_options_found |= OPT_P_U_DHCP; + } + } +#endif /* if defined(_WIN32) || defined(TARGET_ANDROID) */ + add_option(options, p, is_inline, file, line, + level, msglevel, permission_mask, + option_types_found, es); + return; +err: + msg(msglevel, "Error occurred trying to update %s option", p[0]); +} + bool apply_push_options(struct context *c, struct options *options, @@ -5847,6 +6078,7 @@ int line_num = 0; const char *file = "[PUSH-OPTIONS]"; const int msglevel = D_PUSH_ERRORS|M_OPTERR; + unsigned int update_options_found = 0; while (buf_parse(buf, ',', line, sizeof(line))) { 
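Review bot: In the Windows/Android `dhcp-option` branch, `while (o->domain_search_list_len-- > 0)` leaves the counter one below zero when the loop ends, because the post-decrement also runs on the failing test: -1 if the field is a signed int, a wrapped value if it is unsigned (the declaration is outside this hunk). The `add_option()` call that follows for the same pushed option would then presumably use that counter as the next array index, so a server-pushed `dhcp-option` update could end in an out-of-bounds store. Decrement inside the body instead: `while (o->domain_search_list_len > 0) { o->domain_search_list[--o->domain_search_list_len] = NULL; }`.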
@@ -5872,6 +6104,11 @@
 remove_option(c, options, p, false, file, line_num, msglevel, permission_mask, option_types_found, es);
 }
+ else
+ {
+ update_option(c, options, p, false, file, line_num, 0, msglevel,
+ permission_mask, option_types_found, es, &update_options_found);
+ }
 }
 }
 return true;
-- To view, visit http://gerrit.openvpn.net/c/openvpn/+/810?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Ia45c99e6df7b3ad24020c10b8a9b3577984ecdc2 Gerrit-Change-Number: 810 Gerrit-PatchSet: 19 Gerrit-Owner: mrbff <ma...@ma...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-Reviewer: stipa <lst...@gm...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Attention: flichtenheld <fr...@li...> Gerrit-Attention: mrbff <ma...@ma...> Gerrit-MessageType: newpatchset |
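Review bot: `update_option()` returns `void`, so when one of its checks takes the `err:` path the caller here only gets a log line and still reaches `return true`. That matters more for updates than for plain pushes because several branches of `update_option()` clear existing state first (the `redirect-gateway` branch resets both flag words, the `dhcp-option` branches wipe the stored options) and only then hand the value to `add_option()`, whose own validation is not visible in this patch; a rejected value could leave the client with the old setting removed and nothing in its place. Consider returning `bool` from `update_option()` and deciding here whether a failed update should fail the whole PUSH_UPDATE. The loop and the rest of `apply_push_options()` are outside the hunk.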
From: ordex (C. Review) <ge...@op...> - 2025-07-16 09:44:04
|
Attention is currently required from: flichtenheld, plaisthos, ralf_lici, stipa. ordex has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/1084?usp=email ) Change subject: dco: Add support for float notifications ...................................................................... Patch Set 3: Code-Review+2 -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1084?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I33e9272b4196c7634db2fb33a75ae4261660867f Gerrit-Change-Number: 1084 Gerrit-PatchSet: 3 Gerrit-Owner: ralf_lici <ra...@ma...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: ordex <an...@ma...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-Reviewer: stipa <lst...@gm...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Attention: flichtenheld <fr...@li...> Gerrit-Attention: ralf_lici <ra...@ma...> Gerrit-Attention: stipa <lst...@gm...> Gerrit-Comment-Date: Wed, 16 Jul 2025 09:43:49 +0000 Gerrit-HasComments: No Gerrit-Has-Labels: Yes Gerrit-MessageType: comment |
From: ralf_lici (C. Review) <ge...@op...> - 2025-07-16 09:42:53
|
Attention is currently required from: flichtenheld, ordex, plaisthos, ralf_lici, stipa. Hello flichtenheld, ordex, plaisthos, stipa, I'd like you to reexamine a change. Please visit http://gerrit.openvpn.net/c/openvpn/+/1084?usp=email to look at the new patch set (#3). The following approvals got outdated and were removed: Code-Review+2 by ordex, Code-Review+2 by stipa Change subject: dco: Add support for float notifications ...................................................................... dco: Add support for float notifications When a peer changes its UDP endpoint, the DCO module emits a notification to userpace. The message is parsed and the relevant information are extracted in order to process the floating operation. Note that we preserve IPv4-mapped IPv6 addresses in userspace when receiving a pure IPv4 address from the module, otherwise openvpn wouldn't be able to retrieve the multi_instance using the transport address hash table lookup. Change-Id: I33e9272b4196c7634db2fb33a75ae4261660867f Signed-off-by: Ralf Lici <ra...@ma...> --- M src/openvpn/dco_linux.c M src/openvpn/dco_linux.h M src/openvpn/dco_win.c M src/openvpn/dco_win.h M src/openvpn/forward.c M src/openvpn/forward.h M src/openvpn/multi.c M src/openvpn/multi.h M src/openvpn/ovpn_dco_linux.h M src/openvpn/ovpn_dco_win.h 10 files changed, 142 insertions(+), 2 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/84/1084/3 diff --git a/src/openvpn/dco_linux.c b/src/openvpn/dco_linux.c index 22a445a..f04ebfe 100644 --- a/src/openvpn/dco_linux.c +++ b/src/openvpn/dco_linux.c 
@@ -768,6 +768,44 @@
 return ret;
 }
+static bool
+ovpn_parse_float_addr(struct nlattr **attrs, struct sockaddr *out)
+{
+ if (!attrs[OVPN_A_PEER_REMOTE_PORT])
+ {
+ msg(D_DCO, "ovpn-dco: no remote port in PEER_FLOAT_NTF message");
+ return false;
+ }
+
+ if (attrs[OVPN_A_PEER_REMOTE_IPV4])
+ {
+ struct sockaddr_in *addr4 = (struct sockaddr_in *)out;
+ CLEAR(*addr4);
+ addr4->sin_family = AF_INET;
+ addr4->sin_port = nla_get_u16(attrs[OVPN_A_PEER_REMOTE_PORT]);
+ addr4->sin_addr.s_addr = nla_get_u32(attrs[OVPN_A_PEER_REMOTE_IPV4]);
+ return true;
+ }
+ else if (attrs[OVPN_A_PEER_REMOTE_IPV6]
+ && nla_len(attrs[OVPN_A_PEER_REMOTE_IPV6]) == sizeof(struct in6_addr))
+ {
+ struct sockaddr_in6 *addr6 = (struct sockaddr_in6 *)out;
+ CLEAR(*addr6);
+ addr6->sin6_family = AF_INET6;
+ addr6->sin6_port = nla_get_u16(attrs[OVPN_A_PEER_REMOTE_PORT]);
+ memcpy(&addr6->sin6_addr, nla_data(attrs[OVPN_A_PEER_REMOTE_IPV6]),
+ sizeof(addr6->sin6_addr));
+ if (attrs[OVPN_A_PEER_REMOTE_IPV6_SCOPE_ID])
+ {
+ addr6->sin6_scope_id = nla_get_u32(attrs[OVPN_A_PEER_REMOTE_IPV6_SCOPE_ID]);
+ }
+ return true;
+ }
+
+ msg(D_DCO, "ovpn-dco: no valid remote IP address in PEER_FLOAT_NTF message");
+ return false;
+}
+
 /* This function parses any netlink message sent by ovpn-dco to userspace */
 static int
 ovpn_handle_msg(struct nl_msg *msg, void *arg)
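Review bot: The IPv4 and port attributes are read with `nla_get_u32()` / `nla_get_u16()` without a length check, while the IPv6 branch does compare `nla_len()` with `sizeof(struct in6_addr)`; the caller parses the nested attributes with a `NULL` policy, so nothing earlier has validated the payload sizes. Add the same guard to both, e.g. `nla_len(attrs[OVPN_A_PEER_REMOTE_PORT]) == sizeof(uint16_t)` and `nla_len(attrs[OVPN_A_PEER_REMOTE_IPV4]) == sizeof(struct in_addr)`, or pass an `nla_policy` to the nested parse. The function also writes a `struct sockaddr_in6` through `out`, so a comment stating that `out` must point to a `struct sockaddr_storage` would protect future callers. The same hunks appear again in patch set 2 of this change further down the page.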
@@ -856,6 +894,45 @@
 break;
 }
+ case OVPN_CMD_PEER_FLOAT_NTF:
+ {
+ if (!attrs[OVPN_A_PEER])
+ {
+ msg(D_DCO, "ovpn-dco: no peer in PEER_FLOAT_NTF message");
+ return NL_STOP;
+ }
+
+ struct nlattr *fp_attrs[OVPN_A_PEER_MAX + 1];
+ if (nla_parse_nested(fp_attrs, OVPN_A_PEER_MAX, attrs[OVPN_A_PEER],
+ NULL))
+ {
+ msg(D_DCO, "ovpn-dco: can't parse peer in PEER_FLOAT_NTF messsage");
+ return NL_STOP;
+ }
+
+ if (!fp_attrs[OVPN_A_PEER_ID])
+ {
+ msg(D_DCO, "ovpn-dco: no peer-id in PEER_FLOAT_NTF message");
+ return NL_STOP;
+ }
+ uint32_t peerid = nla_get_u32(fp_attrs[OVPN_A_PEER_ID]);
+
+ if (!ovpn_parse_float_addr(fp_attrs, (struct sockaddr *)&dco->dco_float_peer_ss))
+ {
+ return NL_STOP;
+ }
+
+ struct gc_arena gc = gc_new();
+ msg(D_DCO_DEBUG,
+ "ovpn-dco: received CMD_PEER_FLOAT_NTF, ifindex: %u, peer-id %u, address: %s",
+ ifindex, peerid, print_sockaddr((struct sockaddr *)&dco->dco_float_peer_ss, &gc));
+ dco->dco_message_peer_id = (int)peerid;
+ dco->dco_message_type = OVPN_CMD_PEER_FLOAT_NTF;
+
+ gc_free(&gc);
+ break;
+ }
+
 case OVPN_CMD_KEY_SWAP_NTF:
 {
 if (!attrs[OVPN_A_KEYCONF])
diff --git a/src/openvpn/dco_linux.h b/src/openvpn/dco_linux.h
index 4e441ec..676b8cd 100644
--- a/src/openvpn/dco_linux.h
+++ b/src/openvpn/dco_linux.h
@@ -34,6 +34,7 @@
 /* Defines to avoid mismatching with other platforms */
 #define OVPN_CMD_DEL_PEER OVPN_CMD_PEER_DEL_NTF
 #define OVPN_CMD_SWAP_KEYS OVPN_CMD_KEY_SWAP_NTF
+#define OVPN_CMD_FLOAT_PEER OVPN_CMD_PEER_FLOAT_NTF
 typedef enum ovpn_key_slot dco_key_slot_t;
 typedef enum ovpn_cipher_alg dco_cipher_t;
@@ -75,6 +76,7 @@
 int dco_message_peer_id;
 int dco_message_key_id;
 int dco_del_peer_reason;
+ struct sockaddr_storage dco_float_peer_ss;
 uint64_t dco_read_bytes;
 uint64_t dco_write_bytes;
 } dco_context_t;
diff --git a/src/openvpn/dco_win.c b/src/openvpn/dco_win.c
index 2a13658..83db739 100644
--- a/src/openvpn/dco_win.c
+++ b/src/openvpn/dco_win.c
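Review bot: `peerid` is read as `uint32_t` and stored with `dco->dco_message_peer_id = (int)peerid;`, so a value above `INT_MAX` turns negative; whether the consumer of `dco_message_peer_id` rejects negative ids is not visible here. A range check before the assignment, logging and returning `NL_STOP` like the other failure paths, keeps an out-of-range id from reaching the lookup. The log string in the `nla_parse_nested()` failure path is misspelled (`messsage`). The enclosing `ovpn_handle_msg()` switch starts and ends outside the hunk.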
@@ -663,6 +663,7 @@
 dco->dco_message_peer_id = dco->notif_buf.PeerId;
 dco->dco_message_type = dco->notif_buf.Cmd;
 dco->dco_del_peer_reason = dco->notif_buf.DelPeerReason;
+ dco->dco_float_peer_ss = dco->notif_buf.FloatAddress;
 }
 else
 {
diff --git a/src/openvpn/dco_win.h b/src/openvpn/dco_win.h
index 4513f3f..b9d93fa 100644
--- a/src/openvpn/dco_win.h
+++ b/src/openvpn/dco_win.h
@@ -52,6 +52,7 @@
 int dco_message_peer_id;
 int dco_message_type;
 int dco_del_peer_reason;
+ struct sockaddr_storage dco_float_peer_ss;
 uint64_t dco_read_bytes;
 uint64_t dco_write_bytes;
diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c
index a4f260a..0b4ceae 100644
--- a/src/openvpn/forward.c
+++ b/src/openvpn/forward.c
@@ -1243,6 +1243,37 @@
 perf_pop();
 }
+void
+extract_dco_float_peer_addr(const uint32_t peer_id,
+ struct openvpn_sockaddr *out_osaddr,
+ const struct sockaddr *float_sa)
+{
+ if (float_sa->sa_family == AF_INET)
+ {
+ struct sockaddr_in *float4 = (struct sockaddr_in *)float_sa;
+ /* DCO treats IPv4-mapped IPv6 addresses as pure IPv4. However, we need
+ * to preserve the mapping, otherwise openvpn will not be able to find
+ * the peer by its trasnport address.
+ */
+ if (out_osaddr->addr.sa.sa_family == AF_INET6
+ && IN6_IS_ADDR_V4MAPPED(&out_osaddr->addr.in6.sin6_addr))
+ {
+ memcpy(&out_osaddr->addr.in6.sin6_addr.s6_addr[12],
+ &float4->sin_addr.s_addr, sizeof(in_addr_t));
+ out_osaddr->addr.in6.sin6_port = float4->sin_port;
+ }
+ else
+ {
+ memcpy(&out_osaddr->addr.in4, float4, sizeof(struct sockaddr_in));
+ }
+ }
+ else
+ {
+ struct sockaddr_in6 *float6 = (struct sockaddr_in6 *)float_sa;
+ memcpy(&out_osaddr->addr.in6, float6, sizeof(struct sockaddr_in6));
+ }
+}
+
 static void
 process_incoming_dco(struct context *c)
 {
diff --git a/src/openvpn/forward.h b/src/openvpn/forward.h
index 318691f..4f3d81e 100644
--- a/src/openvpn/forward.h
+++ b/src/openvpn/forward.h
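Review bot: In `extract_dco_float_peer_addr()` the final `else` treats every family other than `AF_INET` as IPv6 and copies `sizeof(struct sockaddr_in6)` bytes into `out_osaddr`, so an `AF_UNSPEC` or otherwise unexpected `sa_family` in the notification would be installed as the peer's address. Make it `else if (float_sa->sa_family == AF_INET6)` and log and leave `out_osaddr` untouched for anything else. The casts drop the `const` of `float_sa` (`const struct sockaddr_in *float4 = (const struct sockaddr_in *)float_sa;` keeps it), and `peer_id` is never used in the body.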
@@ -196,6 +196,21 @@
 void process_incoming_link_part2(struct context *c, struct link_socket_info *lsi, const uint8_t *orig_buf);
 /**
+ * Transfers \c float_sa data extracted from an incoming DCO
+ * PEER_FLOAT_NTF to \c out_osaddr for later processing.
+ *
+ * @param peer_id - The id of the floating peer.
+ * @param out_osaddr - openvpn_sockaddr struct that will be filled the new
+ * address data
+ * @param float_sa - The sockaddr struct containing the data received from the
+ * DCO notification
+ *
+ */
+void
+extract_dco_float_peer_addr(uint32_t peer_id, struct openvpn_sockaddr *out_osaddr,
+ const struct sockaddr *float_sa);
+
+/**
 * Write a packet to the external network interface.
 * @ingroup external_multiplexer
 *
diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
index a760e07..5030faa 100644
--- a/src/openvpn/multi.c
+++ b/src/openvpn/multi.c
@@ -3384,6 +3384,16 @@
 {
 process_incoming_del_peer(m, mi, dco);
 }
+#if defined(TARGET_LINUX) || defined(TARGET_WIN32)
+ else if (dco->dco_message_type == OVPN_CMD_FLOAT_PEER)
+ {
+ extract_dco_float_peer_addr(peer_id, &m->top.c2.from.dest,
+ (struct sockaddr *)&dco->dco_float_peer_ss);
+ ASSERT(mi->context.c2.link_sockets[0]);
+ multi_process_float(m, mi, mi->context.c2.link_sockets[0]);
+ CLEAR(dco->dco_float_peer_ss);
+ }
+#endif /* if defined(TARGET_LINUX) || defined(TARGET_WIN32) */
 else if (dco->dco_message_type == OVPN_CMD_SWAP_KEYS)
 {
 tls_session_soft_reset(mi->context.c2.tls_multi);
diff --git a/src/openvpn/multi.h b/src/openvpn/multi.h
index 40f7519..fe9e847 100644
--- a/src/openvpn/multi.h
+++ b/src/openvpn/multi.h
@@ -322,7 +322,7 @@
 /**
 * Process an incoming DCO message (from kernel space).
 *
- * @param m - The single \c multi_context structur.e
+ * @param m - The single \c multi_context structure.
 *
 * @return
 * - True, if the message was received correctly.
diff --git a/src/openvpn/ovpn_dco_linux.h b/src/openvpn/ovpn_dco_linux.h
index 680d152..b3c9ff0 100644
--- a/src/openvpn/ovpn_dco_linux.h
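Review bot: In the `multi.c` hunk `extract_dco_float_peer_addr()` is handed `&m->top.c2.from.dest` as its output, and that function decides whether to keep an IPv4-mapped IPv6 form by reading the family and address already stored in the output buffer. Nothing in this hunk sets `m->top.c2.from.dest` to the floating peer's current address first, so the decision appears to depend on whatever was left there earlier; this needs confirming against the surrounding code, which is outside the hunk. Passing the socket's address family (or the peer's stored address) explicitly would make the mapping deterministic. `ASSERT(mi->context.c2.link_sockets[0])` also turns a kernel notification for an instance without a link socket into a process abort; a logged early return may be safer if that state is reachable.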
+++ b/src/openvpn/ovpn_dco_linux.h @@ -99,6 +99,7 @@ OVPN_CMD_KEY_SWAP, OVPN_CMD_KEY_SWAP_NTF, OVPN_CMD_KEY_DEL, + OVPN_CMD_PEER_FLOAT_NTF, __OVPN_CMD_MAX, OVPN_CMD_MAX = (__OVPN_CMD_MAX - 1) diff --git a/src/openvpn/ovpn_dco_win.h b/src/openvpn/ovpn_dco_win.h index 865bb38..dd6b7ce 100644 --- a/src/openvpn/ovpn_dco_win.h +++ b/src/openvpn/ovpn_dco_win.h @@ -149,7 +149,8 @@ typedef enum { OVPN_CMD_DEL_PEER, - OVPN_CMD_SWAP_KEYS + OVPN_CMD_SWAP_KEYS, + OVPN_CMD_FLOAT_PEER } OVPN_NOTIFY_CMD; typedef enum { @@ -164,6 +165,7 @@ OVPN_NOTIFY_CMD Cmd; int PeerId; OVPN_DEL_PEER_REASON DelPeerReason; + struct sockaddr_storage FloatAddress; } OVPN_NOTIFY_EVENT, * POVPN_NOTIFY_EVENT; typedef struct _OVPN_MP_DEL_PEER { -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1084?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I33e9272b4196c7634db2fb33a75ae4261660867f Gerrit-Change-Number: 1084 Gerrit-PatchSet: 3 Gerrit-Owner: ralf_lici <ra...@ma...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: ordex <an...@ma...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-Reviewer: stipa <lst...@gm...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Attention: flichtenheld <fr...@li...> Gerrit-Attention: ordex <an...@ma...> Gerrit-Attention: ralf_lici <ra...@ma...> Gerrit-Attention: stipa <lst...@gm...> Gerrit-MessageType: newpatchset |
From: stipa (C. Review) <ge...@op...> - 2025-07-16 08:59:31
|
Attention is currently required from: flichtenheld, plaisthos, ralf_lici. stipa has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/1084?usp=email ) Change subject: dco: Add support for float notifications ...................................................................... Patch Set 2: Code-Review+2 -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1084?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I33e9272b4196c7634db2fb33a75ae4261660867f Gerrit-Change-Number: 1084 Gerrit-PatchSet: 2 Gerrit-Owner: ralf_lici <ra...@ma...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: ordex <an...@ma...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-Reviewer: stipa <lst...@gm...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Attention: flichtenheld <fr...@li...> Gerrit-Attention: ralf_lici <ra...@ma...> Gerrit-Comment-Date: Wed, 16 Jul 2025 08:59:22 +0000 Gerrit-HasComments: No Gerrit-Has-Labels: Yes Gerrit-MessageType: comment |
From: ralf_lici (C. Review) <ge...@op...> - 2025-07-16 08:56:51
|
Attention is currently required from: flichtenheld, plaisthos, stipa. ralf_lici has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/1084?usp=email ) Change subject: dco: Add support for float notifications ...................................................................... Patch Set 2: (1 comment) File src/openvpn/multi.c: http://gerrit.openvpn.net/c/openvpn/+/1084/comment/ec73084a_1fed51b8 : PS1, Line 3390: if (extract_dco_float_peer_addr(peer_id, &m->top.c2.from.dest, > after discussion on IRC we decided just to remove this "if" and not to add an assert - we'll get a e […] Done -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1084?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I33e9272b4196c7634db2fb33a75ae4261660867f Gerrit-Change-Number: 1084 Gerrit-PatchSet: 2 Gerrit-Owner: ralf_lici <ra...@ma...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: ordex <an...@ma...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-CC: stipa <lst...@gm...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Attention: flichtenheld <fr...@li...> Gerrit-Attention: stipa <lst...@gm...> Gerrit-Comment-Date: Wed, 16 Jul 2025 08:56:42 +0000 Gerrit-HasComments: Yes Gerrit-Has-Labels: No Comment-In-Reply-To: ordex <an...@ma...> Comment-In-Reply-To: ralf_lici <ra...@ma...> Comment-In-Reply-To: stipa <lst...@gm...> Gerrit-MessageType: comment |
From: ordex (C. Review) <ge...@op...> - 2025-07-16 08:56:41
|
Attention is currently required from: flichtenheld, plaisthos, ralf_lici. ordex has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/1084?usp=email ) Change subject: dco: Add support for float notifications ...................................................................... Patch Set 2: Code-Review+2 -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1084?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I33e9272b4196c7634db2fb33a75ae4261660867f Gerrit-Change-Number: 1084 Gerrit-PatchSet: 2 Gerrit-Owner: ralf_lici <ra...@ma...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: ordex <an...@ma...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-CC: stipa <lst...@gm...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Attention: flichtenheld <fr...@li...> Gerrit-Attention: ralf_lici <ra...@ma...> Gerrit-Comment-Date: Wed, 16 Jul 2025 08:56:31 +0000 Gerrit-HasComments: No Gerrit-Has-Labels: Yes Gerrit-MessageType: comment |
From: ralf_lici (C. Review) <ge...@op...> - 2025-07-16 08:56:09
|
Attention is currently required from: flichtenheld, ordex, plaisthos, ralf_lici. Hello flichtenheld, ordex, plaisthos, I'd like you to reexamine a change. Please visit http://gerrit.openvpn.net/c/openvpn/+/1084?usp=email to look at the new patch set (#2). The following approvals got outdated and were removed: Code-Review+2 by ordex Change subject: dco: Add support for float notifications ...................................................................... dco: Add support for float notifications When a peer changes its UDP endpoint, the DCO module emits a notification to userpace. The message is parsed and the relevant information are extracted in order to process the floating operation. Note that we preserve IPv4-mapped IPv6 addresses in userspace when receiving a pure IPv4 address from the module, otherwise openvpn wouldn't be able to retrieve the multi_instance using the transport address hash table lookup. Change-Id: I33e9272b4196c7634db2fb33a75ae4261660867f Signed-off-by: Ralf Lici <ra...@ma...> --- M src/openvpn/dco_linux.c M src/openvpn/dco_linux.h M src/openvpn/dco_win.c M src/openvpn/dco_win.h M src/openvpn/forward.c M src/openvpn/forward.h M src/openvpn/multi.c M src/openvpn/multi.h M src/openvpn/ovpn_dco_linux.h M src/openvpn/ovpn_dco_win.h 10 files changed, 142 insertions(+), 2 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/84/1084/2 diff --git a/src/openvpn/dco_linux.c b/src/openvpn/dco_linux.c index 22a445a..f04ebfe 100644 --- a/src/openvpn/dco_linux.c +++ b/src/openvpn/dco_linux.c 
@@ -768,6 +768,44 @@ return ret; } +static bool +ovpn_parse_float_addr(struct nlattr **attrs, struct sockaddr *out) +{ + if (!attrs[OVPN_A_PEER_REMOTE_PORT]) + { + msg(D_DCO, "ovpn-dco: no remote port in PEER_FLOAT_NTF message"); + return false; + } + + if (attrs[OVPN_A_PEER_REMOTE_IPV4]) + { + struct sockaddr_in *addr4 = (struct sockaddr_in *)out; + CLEAR(*addr4); + addr4->sin_family = AF_INET; + addr4->sin_port = nla_get_u16(attrs[OVPN_A_PEER_REMOTE_PORT]); + addr4->sin_addr.s_addr = nla_get_u32(attrs[OVPN_A_PEER_REMOTE_IPV4]); + return true; + } + else if (attrs[OVPN_A_PEER_REMOTE_IPV6] + && nla_len(attrs[OVPN_A_PEER_REMOTE_IPV6]) == sizeof(struct in6_addr)) + { + struct sockaddr_in6 *addr6 = (struct sockaddr_in6 *)out; + CLEAR(*addr6); + addr6->sin6_family = AF_INET6; + addr6->sin6_port = nla_get_u16(attrs[OVPN_A_PEER_REMOTE_PORT]); + memcpy(&addr6->sin6_addr, nla_data(attrs[OVPN_A_PEER_REMOTE_IPV6]), + sizeof(addr6->sin6_addr)); + if (attrs[OVPN_A_PEER_REMOTE_IPV6_SCOPE_ID]) + { + addr6->sin6_scope_id = nla_get_u32(attrs[OVPN_A_PEER_REMOTE_IPV6_SCOPE_ID]); + } + return true; + } + + msg(D_DCO, "ovpn-dco: no valid remote IP address in PEER_FLOAT_NTF message"); + return false; +} + /* This function parses any netlink message sent by ovpn-dco to userspace */ static int ovpn_handle_msg(struct nl_msg *msg, void *arg) 
@@ -856,6 +894,45 @@ break; } + case OVPN_CMD_PEER_FLOAT_NTF: + { + if (!attrs[OVPN_A_PEER]) + { + msg(D_DCO, "ovpn-dco: no peer in PEER_FLOAT_NTF message"); + return NL_STOP; + } + + struct nlattr *fp_attrs[OVPN_A_PEER_MAX + 1]; + if (nla_parse_nested(fp_attrs, OVPN_A_PEER_MAX, attrs[OVPN_A_PEER], + NULL)) + { + msg(D_DCO, "ovpn-dco: can't parse peer in PEER_FLOAT_NTF messsage"); + return NL_STOP; + } + + if (!fp_attrs[OVPN_A_PEER_ID]) + { + msg(D_DCO, "ovpn-dco: no peer-id in PEER_FLOAT_NTF message"); + return NL_STOP; + } + uint32_t peerid = nla_get_u32(fp_attrs[OVPN_A_PEER_ID]); + + if (!ovpn_parse_float_addr(fp_attrs, (struct sockaddr *)&dco->dco_float_peer_ss)) + { + return NL_STOP; + } + + struct gc_arena gc = gc_new(); + msg(D_DCO_DEBUG, + "ovpn-dco: received CMD_PEER_FLOAT_NTF, ifindex: %u, peer-id %u, address: %s", + ifindex, peerid, print_sockaddr((struct sockaddr *)&dco->dco_float_peer_ss, &gc)); + dco->dco_message_peer_id = (int)peerid; + dco->dco_message_type = OVPN_CMD_PEER_FLOAT_NTF; + + gc_free(&gc); + break; + } + case OVPN_CMD_KEY_SWAP_NTF: { if (!attrs[OVPN_A_KEYCONF]) diff --git a/src/openvpn/dco_linux.h b/src/openvpn/dco_linux.h index 4e441ec..676b8cd 100644 --- a/src/openvpn/dco_linux.h +++ b/src/openvpn/dco_linux.h @@ -34,6 +34,7 @@ /* Defines to avoid mismatching with other platforms */ #define OVPN_CMD_DEL_PEER OVPN_CMD_PEER_DEL_NTF #define OVPN_CMD_SWAP_KEYS OVPN_CMD_KEY_SWAP_NTF +#define OVPN_CMD_FLOAT_PEER OVPN_CMD_PEER_FLOAT_NTF typedef enum ovpn_key_slot dco_key_slot_t; typedef enum ovpn_cipher_alg dco_cipher_t; @@ -75,6 +76,7 @@ int dco_message_peer_id; int dco_message_key_id; int dco_del_peer_reason; + struct sockaddr_storage dco_float_peer_ss; uint64_t dco_read_bytes; uint64_t dco_write_bytes; } dco_context_t; diff --git a/src/openvpn/dco_win.c b/src/openvpn/dco_win.c index 2a13658..83db739 100644 --- a/src/openvpn/dco_win.c +++ b/src/openvpn/dco_win.c 
@@ -663,6 +663,7 @@ dco->dco_message_peer_id = dco->notif_buf.PeerId; dco->dco_message_type = dco->notif_buf.Cmd; dco->dco_del_peer_reason = dco->notif_buf.DelPeerReason; + dco->dco_float_peer_ss = dco->notif_buf.FloatAddress; } else { diff --git a/src/openvpn/dco_win.h b/src/openvpn/dco_win.h index 4513f3f..b9d93fa 100644 --- a/src/openvpn/dco_win.h +++ b/src/openvpn/dco_win.h @@ -52,6 +52,7 @@ int dco_message_peer_id; int dco_message_type; int dco_del_peer_reason; + struct sockaddr_storage dco_float_peer_ss; uint64_t dco_read_bytes; uint64_t dco_write_bytes; diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index a4f260a..0b4ceae 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c @@ -1243,6 +1243,37 @@ perf_pop(); } +void +extract_dco_float_peer_addr(const uint32_t peer_id, + struct openvpn_sockaddr *out_osaddr, + const struct sockaddr *float_sa) +{ + if (float_sa->sa_family == AF_INET) + { + struct sockaddr_in *float4 = (struct sockaddr_in *)float_sa; + /* DCO treats IPv4-mapped IPv6 addresses as pure IPv4. However, we need + * to preserve the mapping, otherwise openvpn will not be able to find + * the peer by its trasnport address. + */ + if (out_osaddr->addr.sa.sa_family == AF_INET6 + && IN6_IS_ADDR_V4MAPPED(&out_osaddr->addr.in6.sin6_addr)) + { + memcpy(&out_osaddr->addr.in6.sin6_addr.s6_addr[12], + &float4->sin_addr.s_addr, sizeof(in_addr_t)); + out_osaddr->addr.in6.sin6_port = float4->sin_port; + } + else + { + memcpy(&out_osaddr->addr.in4, float4, sizeof(struct sockaddr_in)); + } + } + else + { + struct sockaddr_in6 *float6 = (struct sockaddr_in6 *)float_sa; + memcpy(&out_osaddr->addr.in6, float6, sizeof(struct sockaddr_in6)); + } +} + static void process_incoming_dco(struct context *c) { diff --git a/src/openvpn/forward.h b/src/openvpn/forward.h index 318691f..4f3d81e 100644 --- a/src/openvpn/forward.h +++ b/src/openvpn/forward.h 
@@ -196,6 +196,21 @@
 void process_incoming_link_part2(struct context *c, struct link_socket_info *lsi, const uint8_t *orig_buf);
 /**
+ * Transfers \c float_sa data extracted from an incoming DCO
+ * PEER_FLOAT_NTF to \c out_osaddr for later processing.
+ *
+ * @param peer_id - The id of the floating peer.
+ * @param out_osaddr - openvpn_sockaddr struct that will be filled the new
+ * address data
+ * @param float_sa - The sockaddr struct containing the data received from the
+ * DCO notification
+ *
+ */
+void
+extract_dco_float_peer_addr(uint32_t peer_id, struct openvpn_sockaddr *out_osaddr,
+ const struct sockaddr *float_sa);
+
+/**
 * Write a packet to the external network interface.
 * @ingroup external_multiplexer
 *
diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
index a760e07..e5b817d 100644
--- a/src/openvpn/multi.c
+++ b/src/openvpn/multi.c
@@ -3384,6 +3384,16 @@
 {
 process_incoming_del_peer(m, mi, dco);
 }
+#if defined(TARGET_LINUX) || defined(TARGET_WIN32)
+ else if (dco->dco_message_type == OVPN_CMD_FLOAT_PEER)
+ {
+ extract_dco_float_peer_addr(peer_id, &m->top.c2.from.dest,
+ (struct sockaddr*)&dco->dco_float_peer_ss);
+ ASSERT(mi->context.c2.link_sockets[0]);
+ multi_process_float(m, mi, mi->context.c2.link_sockets[0]);
+ CLEAR(dco->dco_float_peer_ss);
+ }
+#endif /* if defined(TARGET_LINUX) || defined(TARGET_WIN32) */
 else if (dco->dco_message_type == OVPN_CMD_SWAP_KEYS)
 {
 tls_session_soft_reset(mi->context.c2.tls_multi);
diff --git a/src/openvpn/multi.h b/src/openvpn/multi.h
index 40f7519..fe9e847 100644
--- a/src/openvpn/multi.h
+++ b/src/openvpn/multi.h
@@ -322,7 +322,7 @@
 /**
 * Process an incoming DCO message (from kernel space).
 *
- * @param m - The single \c multi_context structur.e
+ * @param m - The single \c multi_context structure.
 *
 * @return
 * - True, if the message was received correctly.
diff --git a/src/openvpn/ovpn_dco_linux.h b/src/openvpn/ovpn_dco_linux.h
index 680d152..b3c9ff0 100644
--- a/src/openvpn/ovpn_dco_linux.h
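Review bot: The doc comment added in the forward.h hunk describes `out_osaddr` as a structure that "will be filled", but the implementation in forward.c reads its current `sa_family` and IPv4-mapped state before writing, so it is an in/out parameter whose prior content decides the result. I would state that explicitly, for example `@param out_osaddr - in/out: holds the address form the peer is currently known by; updated with the new address`, and correct "filled the new" to "filled with the new". A line saying that `float_sa` is expected to be `AF_INET` or `AF_INET6` would also help, since no other family is handled.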
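Review bot: The `OVPN_CMD_FLOAT_PEER` branch in the multi.c hunk passes `&m->top.c2.from.dest` to `extract_dco_float_peer_addr()`, which chooses between the IPv4-mapped and the plain IPv4 form from what that buffer already contains. Nothing in the hunk sets the buffer for this peer first, so the choice appears to depend on whichever packet last filled the top context's `from`; seeding it from the instance's current remote address before the call would make the result deterministic (the field to copy from is outside the hunk, so none is quoted here). Separately, `ASSERT(mi->context.c2.link_sockets[0])` sits on a path driven by kernel notifications and, assuming ASSERT terminates the process as it usually does in this code base, turns an unexpected state into a server exit; a check that logs at `D_DCO` and skips the float would fail softer. The `else if` chain starts and ends outside the hunk.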
+++ b/src/openvpn/ovpn_dco_linux.h
@@ -99,6 +99,7 @@
 OVPN_CMD_KEY_SWAP,
 OVPN_CMD_KEY_SWAP_NTF,
 OVPN_CMD_KEY_DEL,
+ OVPN_CMD_PEER_FLOAT_NTF,
 __OVPN_CMD_MAX,
 OVPN_CMD_MAX = (__OVPN_CMD_MAX - 1)
diff --git a/src/openvpn/ovpn_dco_win.h b/src/openvpn/ovpn_dco_win.h
index 865bb38..dd6b7ce 100644
--- a/src/openvpn/ovpn_dco_win.h
+++ b/src/openvpn/ovpn_dco_win.h
@@ -149,7 +149,8 @@
 typedef enum {
 OVPN_CMD_DEL_PEER,
- OVPN_CMD_SWAP_KEYS
+ OVPN_CMD_SWAP_KEYS,
+ OVPN_CMD_FLOAT_PEER
 } OVPN_NOTIFY_CMD;
 typedef enum {
@@ -164,6 +165,7 @@
 OVPN_NOTIFY_CMD Cmd;
 int PeerId;
 OVPN_DEL_PEER_REASON DelPeerReason;
+ struct sockaddr_storage FloatAddress;
 } OVPN_NOTIFY_EVENT, * POVPN_NOTIFY_EVENT;
 typedef struct _OVPN_MP_DEL_PEER {
-- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1084?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I33e9272b4196c7634db2fb33a75ae4261660867f Gerrit-Change-Number: 1084 Gerrit-PatchSet: 2 Gerrit-Owner: ralf_lici <ra...@ma...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: ordex <an...@ma...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-CC: stipa <lst...@gm...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Attention: flichtenheld <fr...@li...> Gerrit-Attention: ordex <an...@ma...> Gerrit-Attention: ralf_lici <ra...@ma...> Gerrit-MessageType: newpatchset |