Menu
▾
▴
openvpn-devel — OpenVPN developers list
You can subscribe to this list here.
| 2002 |
Jan
|
Feb
|
Mar
|
Apr
(24) |
May
(14) |
Jun
(29) |
Jul
(33) |
Aug
(3) |
Sep
(8) |
Oct
(18) |
Nov
(1) |
Dec
(10) |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2003 |
Jan
(3) |
Feb
(33) |
Mar
(7) |
Apr
(28) |
May
(30) |
Jun
(5) |
Jul
(10) |
Aug
(7) |
Sep
(32) |
Oct
(41) |
Nov
(20) |
Dec
(10) |
| 2004 |
Jan
(24) |
Feb
(18) |
Mar
(57) |
Apr
(40) |
May
(55) |
Jun
(48) |
Jul
(77) |
Aug
(15) |
Sep
(56) |
Oct
(80) |
Nov
(74) |
Dec
(52) |
| 2005 |
Jan
(38) |
Feb
(42) |
Mar
(39) |
Apr
(56) |
May
(79) |
Jun
(73) |
Jul
(16) |
Aug
(23) |
Sep
(68) |
Oct
(77) |
Nov
(52) |
Dec
(27) |
| 2006 |
Jan
(27) |
Feb
(18) |
Mar
(51) |
Apr
(62) |
May
(28) |
Jun
(50) |
Jul
(36) |
Aug
(33) |
Sep
(47) |
Oct
(50) |
Nov
(77) |
Dec
(13) |
| 2007 |
Jan
(15) |
Feb
(8) |
Mar
(14) |
Apr
(18) |
May
(25) |
Jun
(16) |
Jul
(16) |
Aug
(19) |
Sep
(32) |
Oct
(17) |
Nov
(5) |
Dec
(5) |
| 2008 |
Jan
(64) |
Feb
(25) |
Mar
(25) |
Apr
(6) |
May
(28) |
Jun
(20) |
Jul
(10) |
Aug
(27) |
Sep
(28) |
Oct
(59) |
Nov
(37) |
Dec
(43) |
| 2009 |
Jan
(40) |
Feb
(25) |
Mar
(12) |
Apr
(57) |
May
(46) |
Jun
(29) |
Jul
(39) |
Aug
(10) |
Sep
(20) |
Oct
(42) |
Nov
(50) |
Dec
(57) |
| 2010 |
Jan
(82) |
Feb
(165) |
Mar
(256) |
Apr
(260) |
May
(36) |
Jun
(87) |
Jul
(53) |
Aug
(89) |
Sep
(107) |
Oct
(51) |
Nov
(88) |
Dec
(117) |
| 2011 |
Jan
(69) |
Feb
(60) |
Mar
(113) |
Apr
(71) |
May
(67) |
Jun
(90) |
Jul
(88) |
Aug
(90) |
Sep
(48) |
Oct
(64) |
Nov
(69) |
Dec
(118) |
| 2012 |
Jan
(49) |
Feb
(528) |
Mar
(351) |
Apr
(190) |
May
(238) |
Jun
(193) |
Jul
(104) |
Aug
(100) |
Sep
(57) |
Oct
(41) |
Nov
(47) |
Dec
(51) |
| 2013 |
Jan
(94) |
Feb
(57) |
Mar
(96) |
Apr
(105) |
May
(77) |
Jun
(102) |
Jul
(27) |
Aug
(81) |
Sep
(32) |
Oct
(53) |
Nov
(127) |
Dec
(65) |
| 2014 |
Jan
(113) |
Feb
(59) |
Mar
(104) |
Apr
(259) |
May
(70) |
Jun
(70) |
Jul
(146) |
Aug
(45) |
Sep
(58) |
Oct
(149) |
Nov
(77) |
Dec
(83) |
| 2015 |
Jan
(53) |
Feb
(66) |
Mar
(86) |
Apr
(50) |
May
(135) |
Jun
(76) |
Jul
(151) |
Aug
(83) |
Sep
(97) |
Oct
(262) |
Nov
(245) |
Dec
(231) |
| 2016 |
Jan
(131) |
Feb
(233) |
Mar
(97) |
Apr
(138) |
May
(221) |
Jun
(254) |
Jul
(92) |
Aug
(248) |
Sep
(168) |
Oct
(275) |
Nov
(477) |
Dec
(445) |
| 2017 |
Jan
(218) |
Feb
(217) |
Mar
(146) |
Apr
(172) |
May
(216) |
Jun
(252) |
Jul
(164) |
Aug
(192) |
Sep
(190) |
Oct
(143) |
Nov
(255) |
Dec
(182) |
| 2018 |
Jan
(295) |
Feb
(164) |
Mar
(113) |
Apr
(147) |
May
(64) |
Jun
(262) |
Jul
(184) |
Aug
(90) |
Sep
(69) |
Oct
(364) |
Nov
(102) |
Dec
(101) |
| 2019 |
Jan
(119) |
Feb
(64) |
Mar
(64) |
Apr
(102) |
May
(57) |
Jun
(154) |
Jul
(84) |
Aug
(81) |
Sep
(76) |
Oct
(102) |
Nov
(233) |
Dec
(89) |
| 2020 |
Jan
(38) |
Feb
(170) |
Mar
(155) |
Apr
(172) |
May
(120) |
Jun
(223) |
Jul
(461) |
Aug
(227) |
Sep
(268) |
Oct
(113) |
Nov
(56) |
Dec
(124) |
| 2021 |
Jan
(121) |
Feb
(48) |
Mar
(334) |
Apr
(345) |
May
(207) |
Jun
(136) |
Jul
(71) |
Aug
(112) |
Sep
(122) |
Oct
(173) |
Nov
(184) |
Dec
(223) |
| 2022 |
Jan
(197) |
Feb
(206) |
Mar
(156) |
Apr
(212) |
May
(192) |
Jun
(170) |
Jul
(143) |
Aug
(380) |
Sep
(182) |
Oct
(148) |
Nov
(128) |
Dec
(269) |
| 2023 |
Jan
(248) |
Feb
(196) |
Mar
(264) |
Apr
(36) |
May
(123) |
Jun
(66) |
Jul
(120) |
Aug
(48) |
Sep
(157) |
Oct
(198) |
Nov
(300) |
Dec
(273) |
| 2024 |
Jan
(271) |
Feb
(147) |
Mar
(207) |
Apr
(78) |
May
(107) |
Jun
(168) |
Jul
(151) |
Aug
(51) |
Sep
(438) |
Oct
(221) |
Nov
(302) |
Dec
(357) |
| 2025 |
Jan
(451) |
Feb
(219) |
Mar
(326) |
Apr
(232) |
May
(306) |
Jun
(181) |
Jul
(452) |
Aug
(171) |
Sep
|
Oct
|
Nov
|
Dec
|
|
From: stipa (C. Review) <ge...@op...> - 2025-07-16 08:31:54
|
Attention is currently required from: flichtenheld, ordex, plaisthos, ralf_lici. stipa has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/1084?usp=email ) Change subject: dco: Add support for float notifications ...................................................................... Patch Set 1: (1 comment) File src/openvpn/multi.c: http://gerrit.openvpn.net/c/openvpn/+/1084/comment/32317b9e_d8a2c183 : PS1, Line 3390: if (extract_dco_float_peer_addr(peer_id, &m->top.c2.from.dest, > Yeah I would trust the kernel on Windows and add an assert to dco_handle_overlapped_success(). […] after discussion on IRC we decided just to remove this "if" and not to add an assert - we'll get a error later in an improbable cause if dco-win returns invalid AF. -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1084?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I33e9272b4196c7634db2fb33a75ae4261660867f Gerrit-Change-Number: 1084 Gerrit-PatchSet: 1 Gerrit-Owner: ralf_lici <ra...@ma...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: ordex <an...@ma...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-CC: stipa <lst...@gm...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Attention: flichtenheld <fr...@li...> Gerrit-Attention: ordex <an...@ma...> Gerrit-Attention: ralf_lici <ra...@ma...> Gerrit-Comment-Date: Wed, 16 Jul 2025 08:31:39 +0000 Gerrit-HasComments: Yes Gerrit-Has-Labels: No Comment-In-Reply-To: ordex <an...@ma...> Comment-In-Reply-To: ralf_lici <ra...@ma...> Comment-In-Reply-To: stipa <lst...@gm...> Gerrit-MessageType: comment |
|
From: stipa (C. Review) <ge...@op...> - 2025-07-16 08:00:57
|
Attention is currently required from: flichtenheld, ordex, plaisthos, ralf_lici. stipa has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/1084?usp=email ) Change subject: dco: Add support for float notifications ...................................................................... Patch Set 1: (1 comment) File src/openvpn/multi.c: http://gerrit.openvpn.net/c/openvpn/+/1084/comment/e60039a2_6836322f : PS1, Line 3390: if (extract_dco_float_peer_addr(peer_id, &m->top.c2.from.dest, > This isn’t actually a parsing of the kernel message, but rather a utility function to transpose the […] Yeah I would trust the kernel on Windows and add an assert to dco_handle_overlapped_success(). I think this would make the logic more simple. I could send you the diff and you could squash it into this patch. -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1084?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I33e9272b4196c7634db2fb33a75ae4261660867f Gerrit-Change-Number: 1084 Gerrit-PatchSet: 1 Gerrit-Owner: ralf_lici <ra...@ma...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: ordex <an...@ma...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-CC: stipa <lst...@gm...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Attention: flichtenheld <fr...@li...> Gerrit-Attention: ordex <an...@ma...> Gerrit-Attention: ralf_lici <ra...@ma...> Gerrit-Comment-Date: Wed, 16 Jul 2025 08:00:41 +0000 Gerrit-HasComments: Yes Gerrit-Has-Labels: No Comment-In-Reply-To: ordex <an...@ma...> Comment-In-Reply-To: ralf_lici <ra...@ma...> Comment-In-Reply-To: stipa <lst...@gm...> Gerrit-MessageType: comment |
|
From: cron2 (C. Review) <ge...@op...> - 2025-07-15 20:05:21
|
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/1083?usp=email ) Change subject: reliable: Review and fix gc_arena usage ...................................................................... reliable: Review and fix gc_arena usage Check for unused objects (in reliable_get_num_output_sequenced_available) and missing free (in reliable_can_get). While looking through the code, modernize the loop variable usage. Change-Id: I8cefa9a406fe90bb3cbe481304782c639691a3a0 Signed-off-by: Frank Lichtenheld <fr...@li...> Acked-by: Arne Schwabe <arn...@rf...> Message-Id: <202...@gr...> URL: https://www.mail-archive.com/ope...@li.../msg32157.html Signed-off-by: Gert Doering <ge...@gr...> --- M src/openvpn/reliable.c 1 file changed, 29 insertions(+), 56 deletions(-) diff --git a/src/openvpn/reliable.c b/src/openvpn/reliable.c index 424d194..5505f56 100644 --- a/src/openvpn/reliable.c +++ b/src/openvpn/reliable.c @@ -98,8 +98,7 @@ static inline bool reliable_ack_packet_id_present(struct reliable_ack *ack, packet_id_type pid) { - int i; - for (i = 0; i < ack->len; ++i) + for (int i = 0; i < ack->len; ++i) { if (ack->packet_id[i] == pid) { @@ -312,10 +311,7 @@ const char * reliable_ack_print(struct buffer *buf, bool verbose, struct gc_arena *gc) { - int i; uint8_t n_ack; - struct session_id sid_ack; - packet_id_type pid; struct buffer out = alloc_buf_gc(256, gc); buf_printf(&out, "["); @@ -323,8 +319,9 @@ { goto done; } - for (i = 0; i < n_ack; ++i) + for (int i = 0; i < n_ack; ++i) { + packet_id_type pid; if (!buf_read(buf, &pid, sizeof(pid))) { goto done; @@ -334,6 +331,7 @@ } if (n_ack) { + struct session_id sid_ack; if (!session_id_read(&sid_ack, buf)) { goto done; @@ -356,14 +354,12 @@ void reliable_init(struct reliable *rel, int buf_size, int offset, int array_size, bool hold) { - int i; - CLEAR(*rel); ASSERT(array_size > 0 && array_size <= RELIABLE_CAPACITY); rel->hold = hold; rel->size = array_size; rel->offset = offset; - for (i = 0; i < rel->size; ++i) + for (int i = 0; i < rel->size; ++i) { struct reliable_entry *e = &rel->array[i]; e->buf = alloc_buf(buf_size); @@ -378,8 +374,7 @@ { return; } - int i; - for (i = 0; i < rel->size; ++i) + for (int i = 0; i < rel->size; ++i) { struct reliable_entry *e = &rel->array[i]; free_buf(&e->buf); @@ -391,8 +386,7 @@ bool reliable_empty(const struct reliable *rel) { - int i; - for (i = 0; i < rel->size; ++i) + for (int i = 0; i < rel->size; ++i) { const struct reliable_entry *e = &rel->array[i]; if (e->active) @@ -407,11 +401,10 @@ void reliable_send_purge(struct reliable *rel, const struct reliable_ack *ack) { - int i, j; - for (i = 0; i < ack->len; ++i) + for (int i = 0; i < ack->len; ++i) { packet_id_type pid = ack->packet_id[i]; - for (j = 0; j < rel->size; ++j) + for (int j = 0; j < rel->size; ++j) { struct reliable_entry *e = &rel->array[j]; if (e->active && e->packet_id == pid) @@ -449,10 +442,9 @@ reliable_print_ids(const struct reliable *rel, struct gc_arena *gc) { struct buffer out = alloc_buf_gc(256, gc); - int i; buf_printf(&out, "[" packet_id_format "]", (packet_id_print_type)rel->packet_id); - for (i = 0; i < rel->size; ++i) + for (int i = 0; i < rel->size; ++i) { const struct reliable_entry *e = &rel->array[i]; if (e->active) @@ -468,9 +460,7 @@ bool reliable_can_get(const struct reliable *rel) { - struct gc_arena gc = gc_new(); - int i; - for (i = 0; i < rel->size; ++i) + for (int i = 0; i < rel->size; ++i) { const struct reliable_entry *e = &rel->array[i]; if (!e->active) @@ -478,6 +468,7 @@ return true; } } + struct gc_arena gc = gc_new(); dmsg(D_REL_LOW, "ACK no free receive buffer available: %s", reliable_print_ids(rel, &gc)); gc_free(&gc); return false; @@ -488,12 +479,11 @@ reliable_not_replay(const struct reliable *rel, packet_id_type id) { struct gc_arena gc = gc_new(); - int i; if (reliable_pid_min(id, rel->packet_id)) { goto bad; } - for (i = 0; i < rel->size; ++i) + for (int i = 0; i < rel->size; ++i) { const struct reliable_entry *e = &rel->array[i]; if (e->active && e->packet_id == id) @@ -514,19 +504,17 @@ bool reliable_wont_break_sequentiality(const struct reliable *rel, packet_id_type id) { - struct gc_arena gc = gc_new(); - const int ret = reliable_pid_in_range2(id, rel->packet_id, rel->size); if (!ret) { + struct gc_arena gc = gc_new(); dmsg(D_REL_LOW, "ACK " packet_id_format " breaks sequentiality: %s", (packet_id_print_type)id, reliable_print_ids(rel, &gc)); + gc_free(&gc); } dmsg(D_REL_DEBUG, "ACK RWBS rel->size=%d rel->packet_id=%08x id=%08x ret=%d", rel->size, rel->packet_id, id, ret); - - gc_free(&gc); return ret; } @@ -534,8 +522,7 @@ struct buffer * reliable_get_buf(struct reliable *rel) { - int i; - for (i = 0; i < rel->size; ++i) + for (int i = 0; i < rel->size; ++i) { struct reliable_entry *e = &rel->array[i]; if (!e->active) @@ -550,7 +537,6 @@ int reliable_get_num_output_sequenced_available(struct reliable *rel) { - struct gc_arena gc = gc_new(); packet_id_type min_id = 0; bool min_id_defined = false; @@ -573,7 +559,6 @@ { ret -= subtract_pid(rel->packet_id, min_id); } - gc_free(&gc); return ret; } @@ -581,14 +566,12 @@ struct buffer * reliable_get_buf_output_sequenced(struct reliable *rel) { - struct gc_arena gc = gc_new(); - int i; packet_id_type min_id = 0; bool min_id_defined = false; struct buffer *ret = NULL; /* find minimum active packet_id */ - for (i = 0; i < rel->size; ++i) + for (int i = 0; i < rel->size; ++i) { const struct reliable_entry *e = &rel->array[i]; if (e->active) @@ -607,9 +590,10 @@ } else { + struct gc_arena gc = gc_new(); dmsg(D_REL_LOW, "ACK output sequence broken: %s", reliable_print_ids(rel, &gc)); + gc_free(&gc); } - gc_free(&gc); return ret; } @@ -617,8 +601,7 @@ struct reliable_entry * reliable_get_entry_sequenced(struct reliable *rel) { - int i; - for (i = 0; i < rel->size; ++i) + for (int i = 0; i < rel->size; ++i) { struct reliable_entry *e = &rel->array[i]; if (e->active && e->packet_id == rel->packet_id) @@ -634,9 +617,8 @@ reliable_can_send(const struct reliable *rel) { struct gc_arena gc = gc_new(); - int i; int n_active = 0, n_current = 0; - for (i = 0; i < rel->size; ++i) + for (int i = 0; i < rel->size; ++i) { const struct reliable_entry *e = &rel->array[i]; if (e->active) @@ -662,11 +644,10 @@ struct buffer * reliable_send(struct reliable *rel, int *opcode) { - int i; struct reliable_entry *best = NULL; const time_t local_now = now; - for (i = 0; i < rel->size; ++i) + for (int i = 0; i < rel->size; ++i) { struct reliable_entry *e = &rel->array[i]; @@ -701,10 +682,9 @@ void reliable_schedule_now(struct reliable *rel) { - int i; dmsg(D_REL_DEBUG, "ACK reliable_schedule_now"); rel->hold = false; - for (i = 0; i < rel->size; ++i) + for (int i = 0; i < rel->size; ++i) { struct reliable_entry *e = &rel->array[i]; if (e->active) @@ -722,10 +702,9 @@ { struct gc_arena gc = gc_new(); interval_t ret = BIG_TIMEOUT; - int i; const time_t local_now = now; - for (i = 0; i < rel->size; ++i) + for (int i = 0; i < rel->size; ++i) { const struct reliable_entry *e = &rel->array[i]; if (e->active) @@ -758,8 +737,7 @@ reliable_mark_active_incoming(struct reliable *rel, struct buffer *buf, packet_id_type pid, int opcode) { - int i; - for (i = 0; i < rel->size; ++i) + for (int i = 0; i < rel->size; ++i) { struct reliable_entry *e = &rel->array[i]; if (buf == &e->buf) @@ -790,8 +768,7 @@ void reliable_mark_active_outgoing(struct reliable *rel, struct buffer *buf, int opcode) { - int i; - for (i = 0; i < rel->size; ++i) + for (int i = 0; i < rel->size; ++i) { struct reliable_entry *e = &rel->array[i]; if (buf == &e->buf) @@ -817,8 +794,7 @@ void reliable_mark_deleted(struct reliable *rel, struct buffer *buf) { - int i; - for (i = 0; i < rel->size; ++i) + for (int i = 0; i < rel->size; ++i) { struct reliable_entry *e = &rel->array[i]; if (buf == &e->buf) @@ -836,10 +812,8 @@ void reliable_ack_debug_print(const struct reliable_ack *ack, char *desc) { - int i; - printf("********* struct reliable_ack %s\n", desc); - for (i = 0; i < ack->len; ++i) + for (int i = 0; i < ack->len; ++i) { printf(" %d: " packet_id_format "\n", i, (packet_id_print_type) ack->packet_id[i]); } @@ -848,14 +822,13 @@ void reliable_debug_print(const struct reliable *rel, char *desc) { - int i; update_time(); printf("********* struct reliable %s\n", desc); printf(" initial_timeout=%d\n", (int)rel->initial_timeout); printf(" packet_id=" packet_id_format "\n", rel->packet_id); printf(" now=%" PRIi64 "\n", (int64_t)now); - for (i = 0; i < rel->size; ++i) + for (int i = 0; i < rel->size; ++i) { const struct reliable_entry *e = &rel->array[i]; if (e->active) -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1083?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I8cefa9a406fe90bb3cbe481304782c639691a3a0 Gerrit-Change-Number: 1083 Gerrit-PatchSet: 4 Gerrit-Owner: flichtenheld <fr...@li...> Gerrit-Reviewer: cron2 <ge...@gr...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-MessageType: merged |
|
From: cron2 (C. Review) <ge...@op...> - 2025-07-15 20:05:16
|
cron2 has uploaded a new patch set (#4) to the change originally created by flichtenheld. ( http://gerrit.openvpn.net/c/openvpn/+/1083?usp=email ) The following approvals got outdated and were removed: Code-Review+1 by cron2, Code-Review+2 by plaisthos Change subject: reliable: Review and fix gc_arena usage ...................................................................... reliable: Review and fix gc_arena usage Check for unused objects (in reliable_get_num_output_sequenced_available) and missing free (in reliable_can_get). While looking through the code, modernize the loop variable usage. Change-Id: I8cefa9a406fe90bb3cbe481304782c639691a3a0 Signed-off-by: Frank Lichtenheld <fr...@li...> Acked-by: Arne Schwabe <arn...@rf...> Message-Id: <202...@gr...> URL: https://www.mail-archive.com/ope...@li.../msg32157.html Signed-off-by: Gert Doering <ge...@gr...> --- M src/openvpn/reliable.c 1 file changed, 29 insertions(+), 56 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/83/1083/4 diff --git a/src/openvpn/reliable.c b/src/openvpn/reliable.c index 424d194..5505f56 100644 --- a/src/openvpn/reliable.c +++ b/src/openvpn/reliable.c @@ -98,8 +98,7 @@ static inline bool reliable_ack_packet_id_present(struct reliable_ack *ack, packet_id_type pid) { - int i; - for (i = 0; i < ack->len; ++i) + for (int i = 0; i < ack->len; ++i) { if (ack->packet_id[i] == pid) { @@ -312,10 +311,7 @@ const char * reliable_ack_print(struct buffer *buf, bool verbose, struct gc_arena *gc) { - int i; uint8_t n_ack; - struct session_id sid_ack; - packet_id_type pid; struct buffer out = alloc_buf_gc(256, gc); buf_printf(&out, "["); @@ -323,8 +319,9 @@ { goto done; } - for (i = 0; i < n_ack; ++i) + for (int i = 0; i < n_ack; ++i) { + packet_id_type pid; if (!buf_read(buf, &pid, sizeof(pid))) { goto done; @@ -334,6 +331,7 @@ } if (n_ack) { + struct session_id sid_ack; if (!session_id_read(&sid_ack, buf)) { goto done; @@ -356,14 +354,12 @@ void reliable_init(struct reliable *rel, int buf_size, int offset, int array_size, bool hold) { - int i; - CLEAR(*rel); ASSERT(array_size > 0 && array_size <= RELIABLE_CAPACITY); rel->hold = hold; rel->size = array_size; rel->offset = offset; - for (i = 0; i < rel->size; ++i) + for (int i = 0; i < rel->size; ++i) { struct reliable_entry *e = &rel->array[i]; e->buf = alloc_buf(buf_size); @@ -378,8 +374,7 @@ { return; } - int i; - for (i = 0; i < rel->size; ++i) + for (int i = 0; i < rel->size; ++i) { struct reliable_entry *e = &rel->array[i]; free_buf(&e->buf); @@ -391,8 +386,7 @@ bool reliable_empty(const struct reliable *rel) { - int i; - for (i = 0; i < rel->size; ++i) + for (int i = 0; i < rel->size; ++i) { const struct reliable_entry *e = &rel->array[i]; if (e->active) @@ -407,11 +401,10 @@ void reliable_send_purge(struct reliable *rel, const struct reliable_ack *ack) { - int i, j; - for (i = 0; i < ack->len; ++i) + for (int i = 0; i < ack->len; ++i) { packet_id_type pid = ack->packet_id[i]; - for (j = 0; j < rel->size; ++j) + for (int j = 0; j < rel->size; ++j) { struct reliable_entry *e = &rel->array[j]; if (e->active && e->packet_id == pid) @@ -449,10 +442,9 @@ reliable_print_ids(const struct reliable *rel, struct gc_arena *gc) { struct buffer out = alloc_buf_gc(256, gc); - int i; buf_printf(&out, "[" packet_id_format "]", (packet_id_print_type)rel->packet_id); - for (i = 0; i < rel->size; ++i) + for (int i = 0; i < rel->size; ++i) { const struct reliable_entry *e = &rel->array[i]; if (e->active) @@ -468,9 +460,7 @@ bool reliable_can_get(const struct reliable *rel) { - struct gc_arena gc = gc_new(); - int i; - for (i = 0; i < rel->size; ++i) + for (int i = 0; i < rel->size; ++i) { const struct reliable_entry *e = &rel->array[i]; if (!e->active) @@ -478,6 +468,7 @@ return true; } } + struct gc_arena gc = gc_new(); dmsg(D_REL_LOW, "ACK no free receive buffer available: %s", reliable_print_ids(rel, &gc)); gc_free(&gc); return false; @@ -488,12 +479,11 @@ reliable_not_replay(const struct reliable *rel, packet_id_type id) { struct gc_arena gc = gc_new(); - int i; if (reliable_pid_min(id, rel->packet_id)) { goto bad; } - for (i = 0; i < rel->size; ++i) + for (int i = 0; i < rel->size; ++i) { const struct reliable_entry *e = &rel->array[i]; if (e->active && e->packet_id == id) @@ -514,19 +504,17 @@ bool reliable_wont_break_sequentiality(const struct reliable *rel, packet_id_type id) { - struct gc_arena gc = gc_new(); - const int ret = reliable_pid_in_range2(id, rel->packet_id, rel->size); if (!ret) { + struct gc_arena gc = gc_new(); dmsg(D_REL_LOW, "ACK " packet_id_format " breaks sequentiality: %s", (packet_id_print_type)id, reliable_print_ids(rel, &gc)); + gc_free(&gc); } dmsg(D_REL_DEBUG, "ACK RWBS rel->size=%d rel->packet_id=%08x id=%08x ret=%d", rel->size, rel->packet_id, id, ret); - - gc_free(&gc); return ret; } @@ -534,8 +522,7 @@ struct buffer * reliable_get_buf(struct reliable *rel) { - int i; - for (i = 0; i < rel->size; ++i) + for (int i = 0; i < rel->size; ++i) { struct reliable_entry *e = &rel->array[i]; if (!e->active) @@ -550,7 +537,6 @@ int reliable_get_num_output_sequenced_available(struct reliable *rel) { - struct gc_arena gc = gc_new(); packet_id_type min_id = 0; bool min_id_defined = false; @@ -573,7 +559,6 @@ { ret -= subtract_pid(rel->packet_id, min_id); } - gc_free(&gc); return ret; } @@ -581,14 +566,12 @@ struct buffer * reliable_get_buf_output_sequenced(struct reliable *rel) { - struct gc_arena gc = gc_new(); - int i; packet_id_type min_id = 0; bool min_id_defined = false; struct buffer *ret = NULL; /* find minimum active packet_id */ - for (i = 0; i < rel->size; ++i) + for (int i = 0; i < rel->size; ++i) { const struct reliable_entry *e = &rel->array[i]; if (e->active) @@ -607,9 +590,10 @@ } else { + struct gc_arena gc = gc_new(); dmsg(D_REL_LOW, "ACK output sequence broken: %s", reliable_print_ids(rel, &gc)); + gc_free(&gc); } - gc_free(&gc); return ret; } @@ -617,8 +601,7 @@ struct reliable_entry * reliable_get_entry_sequenced(struct reliable *rel) { - int i; - for (i = 0; i < rel->size; ++i) + for (int i = 0; i < rel->size; ++i) { struct reliable_entry *e = &rel->array[i]; if (e->active && e->packet_id == rel->packet_id) @@ -634,9 +617,8 @@ reliable_can_send(const struct reliable *rel) { struct gc_arena gc = gc_new(); - int i; int n_active = 0, n_current = 0; - for (i = 0; i < rel->size; ++i) + for (int i = 0; i < rel->size; ++i) { const struct reliable_entry *e = &rel->array[i]; if (e->active) @@ -662,11 +644,10 @@ struct buffer * reliable_send(struct reliable *rel, int *opcode) { - int i; struct reliable_entry *best = NULL; const time_t local_now = now; - for (i = 0; i < rel->size; ++i) + for (int i = 0; i < rel->size; ++i) { struct reliable_entry *e = &rel->array[i]; @@ -701,10 +682,9 @@ void reliable_schedule_now(struct reliable *rel) { - int i; dmsg(D_REL_DEBUG, "ACK reliable_schedule_now"); rel->hold = false; - for (i = 0; i < rel->size; ++i) + for (int i = 0; i < rel->size; ++i) { struct reliable_entry *e = &rel->array[i]; if (e->active) @@ -722,10 +702,9 @@ { struct gc_arena gc = gc_new(); interval_t ret = BIG_TIMEOUT; - int i; const time_t local_now = now; - for (i = 0; i < rel->size; ++i) + for (int i = 0; i < rel->size; ++i) { const struct reliable_entry *e = &rel->array[i]; if (e->active) @@ -758,8 +737,7 @@ reliable_mark_active_incoming(struct reliable *rel, struct buffer *buf, packet_id_type pid, int opcode) { - int i; - for (i = 0; i < rel->size; ++i) + for (int i = 0; i < rel->size; ++i) { struct reliable_entry *e = &rel->array[i]; if (buf == &e->buf) @@ -790,8 +768,7 @@ void reliable_mark_active_outgoing(struct reliable *rel, struct buffer *buf, int opcode) { - int i; - for (i = 0; i < rel->size; ++i) + for (int i = 0; i < rel->size; ++i) { struct reliable_entry *e = &rel->array[i]; if (buf == &e->buf) @@ -817,8 +794,7 @@ void reliable_mark_deleted(struct reliable *rel, struct buffer *buf) { - int i; - for (i = 0; i < rel->size; ++i) + for (int i = 0; i < rel->size; ++i) { struct reliable_entry *e = &rel->array[i]; if (buf == &e->buf) @@ -836,10 +812,8 @@ void reliable_ack_debug_print(const struct reliable_ack *ack, char *desc) { - int i; - printf("********* struct reliable_ack %s\n", desc); - for (i = 0; i < ack->len; ++i) + for (int i = 0; i < ack->len; ++i) { printf(" %d: " packet_id_format "\n", i, (packet_id_print_type) ack->packet_id[i]); } @@ -848,14 +822,13 @@ void reliable_debug_print(const struct reliable *rel, char *desc) { - int i; update_time(); printf("********* struct reliable %s\n", desc); printf(" initial_timeout=%d\n", (int)rel->initial_timeout); printf(" packet_id=" packet_id_format "\n", rel->packet_id); printf(" now=%" PRIi64 "\n", (int64_t)now); - for (i = 0; i < rel->size; ++i) + for (int i = 0; i < rel->size; ++i) { const struct reliable_entry *e = &rel->array[i]; if (e->active) -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1083?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I8cefa9a406fe90bb3cbe481304782c639691a3a0 Gerrit-Change-Number: 1083 Gerrit-PatchSet: 4 Gerrit-Owner: flichtenheld <fr...@li...> Gerrit-Reviewer: cron2 <ge...@gr...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-MessageType: newpatchset |
|
From: Gert D. <ge...@gr...> - 2025-07-15 20:05:06
|
Stared hard at the code changes (most of them trivial, but one mem leak
in one branch of reliable_can_get() fixed). Tested on client/server setups.
Your patch has been applied to the master branch.
commit 074bd7451decad407398c59006aa0e24ea1f451c
Author: Frank Lichtenheld
Date: Tue Jul 15 16:37:44 2025 +0200
reliable: Review and fix gc_arena usage
Signed-off-by: Frank Lichtenheld <fr...@li...>
Acked-by: Arne Schwabe <arn...@rf...>
Message-Id: <202...@gr...>
URL: https://www.mail-archive.com/ope...@li.../msg32157.html
Signed-off-by: Gert Doering <ge...@gr...>
--
kind regards,
Gert Doering
|
|
From: ralf_lici (C. Review) <ge...@op...> - 2025-07-15 15:36:59
|
Attention is currently required from: flichtenheld, ordex, plaisthos, stipa. ralf_lici has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/1084?usp=email ) Change subject: dco: Add support for float notifications ...................................................................... Patch Set 1: (1 comment) File src/openvpn/multi.c: http://gerrit.openvpn.net/c/openvpn/+/1084/comment/347abf04_7c9f0c38 : PS1, Line 3390: if (extract_dco_float_peer_addr(peer_id, &m->top.c2.from.dest, > no, we can't trust the kernel. […] This isn’t actually a parsing of the kernel message, but rather a utility function to transpose the content of dco_float_peer_ss into m->top.c2.from.dest. Since dco_float_peer_ss is constructed by parsing the kernel notification, it would never contain an incorrect address family, thanks to a specific check in the Linux parser (ovpn_parse_float_addr()). OTOH, on Windows, we simply receive the sockaddr object from the kernel (if my understanding is correct), though I assume there’s a similar check in dco-win. So this 'if' statement is probably redundant on Linux but might act as the missing userspace check for Windows. But if you'd rather use an assert (since dco_float_peer_ss should never be ill-formed once we reach this point) we could add a check in dco_handle_overlapped_success() (or somewhere else in the dco_win-specific code) just to be safe. -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1084?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I33e9272b4196c7634db2fb33a75ae4261660867f Gerrit-Change-Number: 1084 Gerrit-PatchSet: 1 Gerrit-Owner: ralf_lici <ra...@ma...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: ordex <an...@ma...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-CC: stipa <lst...@gm...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Attention: flichtenheld <fr...@li...> Gerrit-Attention: ordex <an...@ma...> Gerrit-Attention: stipa <lst...@gm...> Gerrit-Comment-Date: Tue, 15 Jul 2025 15:36:44 +0000 Gerrit-HasComments: Yes Gerrit-Has-Labels: No Comment-In-Reply-To: ordex <an...@ma...> Comment-In-Reply-To: stipa <lst...@gm...> Gerrit-MessageType: comment |
|
From: Gert D. <ge...@gr...> - 2025-07-15 14:38:07
|
From: Frank Lichtenheld <fr...@li...> Check for unused objects (in reliable_get_num_output_sequenced_available) and missing free (in reliable_can_get). While looking through the code, modernize the loop variable usage. Change-Id: I8cefa9a406fe90bb3cbe481304782c639691a3a0 Signed-off-by: Frank Lichtenheld <fr...@li...> Acked-by: Arne Schwabe <arn...@rf...> --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1083 This mail reflects revision 3 of this Change. Acked-by according to Gerrit (reflected above): Arne Schwabe <arn...@rf...> diff --git a/src/openvpn/reliable.c b/src/openvpn/reliable.c index 424d194..5505f56 100644 --- a/src/openvpn/reliable.c +++ b/src/openvpn/reliable.c @@ -98,8 +98,7 @@ static inline bool reliable_ack_packet_id_present(struct reliable_ack *ack, packet_id_type pid) { - int i; - for (i = 0; i < ack->len; ++i) + for (int i = 0; i < ack->len; ++i) { if (ack->packet_id[i] == pid) { @@ -312,10 +311,7 @@ const char * reliable_ack_print(struct buffer *buf, bool verbose, struct gc_arena *gc) { - int i; uint8_t n_ack; - struct session_id sid_ack; - packet_id_type pid; struct buffer out = alloc_buf_gc(256, gc); buf_printf(&out, "["); @@ -323,8 +319,9 @@ { goto done; } - for (i = 0; i < n_ack; ++i) + for (int i = 0; i < n_ack; ++i) { + packet_id_type pid; if (!buf_read(buf, &pid, sizeof(pid))) { goto done; @@ -334,6 +331,7 @@ } if (n_ack) { + struct session_id sid_ack; if (!session_id_read(&sid_ack, buf)) { goto done; @@ -356,14 +354,12 @@ void reliable_init(struct reliable *rel, int buf_size, int offset, int array_size, bool hold) { - int i; - CLEAR(*rel); ASSERT(array_size > 0 && array_size <= RELIABLE_CAPACITY); rel->hold = hold; rel->size = array_size; rel->offset = offset; - for (i = 0; i < rel->size; ++i) + for (int i = 0; i < rel->size; ++i) { struct reliable_entry *e = &rel->array[i]; e->buf = alloc_buf(buf_size); @@ -378,8 +374,7 @@ { return; } - int i; - for (i = 0; i < rel->size; ++i) + for (int i = 0; i < rel->size; ++i) { struct reliable_entry *e = &rel->array[i]; free_buf(&e->buf); @@ -391,8 +386,7 @@ bool reliable_empty(const struct reliable *rel) { - int i; - for (i = 0; i < rel->size; ++i) + for (int i = 0; i < rel->size; ++i) { const struct reliable_entry *e = &rel->array[i]; if (e->active) @@ -407,11 +401,10 @@ void reliable_send_purge(struct reliable *rel, const struct reliable_ack *ack) { - int i, j; - for (i = 0; i < ack->len; ++i) + for (int i = 0; i < ack->len; ++i) { packet_id_type pid = ack->packet_id[i]; - for (j = 0; j < rel->size; ++j) + for (int j = 0; j < rel->size; ++j) { struct reliable_entry *e = &rel->array[j]; if (e->active && e->packet_id == pid) @@ -449,10 +442,9 @@ reliable_print_ids(const struct reliable *rel, struct gc_arena *gc) { struct buffer out = alloc_buf_gc(256, gc); - int i; buf_printf(&out, "[" packet_id_format "]", (packet_id_print_type)rel->packet_id); - for (i = 0; i < rel->size; ++i) + for (int i = 0; i < rel->size; ++i) { const struct reliable_entry *e = &rel->array[i]; if (e->active) @@ -468,9 +460,7 @@ bool reliable_can_get(const struct reliable *rel) { - struct gc_arena gc = gc_new(); - int i; - for (i = 0; i < rel->size; ++i) + for (int i = 0; i < rel->size; ++i) { const struct reliable_entry *e = &rel->array[i]; if (!e->active) @@ -478,6 +468,7 @@ return true; } } + struct gc_arena gc = gc_new(); dmsg(D_REL_LOW, "ACK no free receive buffer available: %s", reliable_print_ids(rel, &gc)); gc_free(&gc); return false; @@ -488,12 +479,11 @@ reliable_not_replay(const struct reliable *rel, packet_id_type id) { struct gc_arena gc = gc_new(); - int i; if (reliable_pid_min(id, rel->packet_id)) { goto bad; } - for (i = 0; i < rel->size; ++i) + for (int i = 0; i < rel->size; ++i) { const struct reliable_entry *e = &rel->array[i]; if (e->active && e->packet_id == id) @@ -514,19 +504,17 @@ bool reliable_wont_break_sequentiality(const struct reliable *rel, packet_id_type id) { - struct gc_arena gc = gc_new(); - const int ret = reliable_pid_in_range2(id, rel->packet_id, rel->size); if (!ret) { + struct gc_arena gc = gc_new(); dmsg(D_REL_LOW, "ACK " packet_id_format " breaks sequentiality: %s", (packet_id_print_type)id, reliable_print_ids(rel, &gc)); + gc_free(&gc); } dmsg(D_REL_DEBUG, "ACK RWBS rel->size=%d rel->packet_id=%08x id=%08x ret=%d", rel->size, rel->packet_id, id, ret); - - gc_free(&gc); return ret; } @@ -534,8 +522,7 @@ struct buffer * reliable_get_buf(struct reliable *rel) { - int i; - for (i = 0; i < rel->size; ++i) + for (int i = 0; i < rel->size; ++i) { struct reliable_entry *e = &rel->array[i]; if (!e->active) @@ -550,7 +537,6 @@ int reliable_get_num_output_sequenced_available(struct reliable *rel) { - struct gc_arena gc = gc_new(); packet_id_type min_id = 0; bool min_id_defined = false; @@ -573,7 +559,6 @@ { ret -= subtract_pid(rel->packet_id, min_id); } - gc_free(&gc); return ret; } @@ -581,14 +566,12 @@ struct buffer * reliable_get_buf_output_sequenced(struct reliable *rel) { - struct gc_arena gc = gc_new(); - int i; packet_id_type min_id = 0; bool min_id_defined = false; struct buffer *ret = NULL; /* find minimum active packet_id */ - for (i = 0; i < rel->size; ++i) + for (int i = 0; i < rel->size; ++i) { const struct reliable_entry *e = &rel->array[i]; if (e->active) @@ -607,9 +590,10 @@ } else { + struct gc_arena gc = gc_new(); dmsg(D_REL_LOW, "ACK output sequence broken: %s", reliable_print_ids(rel, &gc)); + gc_free(&gc); } - gc_free(&gc); return ret; } @@ -617,8 +601,7 @@ struct reliable_entry * reliable_get_entry_sequenced(struct reliable *rel) { - int i; - for (i = 0; i < rel->size; ++i) + for (int i = 0; i < rel->size; ++i) { struct reliable_entry *e = &rel->array[i]; if (e->active && e->packet_id == rel->packet_id) @@ -634,9 +617,8 @@ reliable_can_send(const struct reliable *rel) { struct gc_arena gc = gc_new(); - int i; int n_active = 0, n_current = 0; - for (i = 0; i < rel->size; ++i) + for (int i = 0; i < rel->size; ++i) { const struct reliable_entry *e = &rel->array[i]; if (e->active) @@ -662,11 +644,10 @@ struct buffer * reliable_send(struct reliable *rel, int *opcode) { - int i; struct reliable_entry *best = NULL; const time_t local_now = now; - for (i = 0; i < rel->size; ++i) + for (int i = 0; i < rel->size; ++i) { struct reliable_entry *e = &rel->array[i]; @@ -701,10 +682,9 @@ void reliable_schedule_now(struct reliable *rel) { - int i; dmsg(D_REL_DEBUG, "ACK reliable_schedule_now"); rel->hold = false; - for (i = 0; i < rel->size; ++i) + for (int i = 0; i < rel->size; ++i) { struct reliable_entry *e = &rel->array[i]; if (e->active) @@ -722,10 +702,9 @@ { struct gc_arena gc = gc_new(); interval_t ret = BIG_TIMEOUT; - int i; const time_t local_now = now; - for (i = 0; i < rel->size; ++i) + for (int i = 0; i < rel->size; ++i) { const struct reliable_entry *e = &rel->array[i]; if (e->active) @@ -758,8 +737,7 @@ reliable_mark_active_incoming(struct reliable *rel, struct buffer *buf, packet_id_type pid, int opcode) { - int i; - for (i = 0; i < rel->size; ++i) + for (int i = 0; i < rel->size; ++i) { struct reliable_entry *e = &rel->array[i]; if (buf == &e->buf) @@ -790,8 +768,7 @@ void reliable_mark_active_outgoing(struct reliable *rel, struct buffer *buf, int opcode) { - int i; - for (i = 0; i < rel->size; ++i) + for (int i = 0; i < rel->size; ++i) { struct reliable_entry *e = &rel->array[i]; if (buf == &e->buf) @@ -817,8 +794,7 @@ void reliable_mark_deleted(struct reliable *rel, struct buffer *buf) { - int i; - for (i = 0; i < rel->size; ++i) + for (int i = 0; i < rel->size; ++i) { struct reliable_entry *e = &rel->array[i]; if (buf == &e->buf) @@ -836,10 +812,8 @@ void reliable_ack_debug_print(const struct reliable_ack *ack, char *desc) { - int i; - printf("********* struct reliable_ack %s\n", desc); - for (i = 0; i < ack->len; ++i) + for (int i = 0; i < ack->len; ++i) { printf(" %d: " packet_id_format "\n", i, (packet_id_print_type) ack->packet_id[i]); } @@ -848,14 +822,13 @@ void reliable_debug_print(const struct reliable *rel, char *desc) { - int i; update_time(); printf("********* struct reliable %s\n", desc); printf(" initial_timeout=%d\n", (int)rel->initial_timeout); printf(" packet_id=" packet_id_format "\n", rel->packet_id); printf(" now=%" PRIi64 "\n", (int64_t)now); - for (i = 0; i < rel->size; ++i) + for (int i = 0; i < rel->size; ++i) { const struct reliable_entry *e = &rel->array[i]; if (e->active) |
|
From: plaisthos (C. Review) <ge...@op...> - 2025-07-15 14:32:15
|
Attention is currently required from: flichtenheld. plaisthos has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/1083?usp=email ) Change subject: reliable: Review and fix gc_arena usage ...................................................................... Patch Set 3: Code-Review+2 -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1083?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I8cefa9a406fe90bb3cbe481304782c639691a3a0 Gerrit-Change-Number: 1083 Gerrit-PatchSet: 3 Gerrit-Owner: flichtenheld <fr...@li...> Gerrit-Reviewer: cron2 <ge...@gr...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: flichtenheld <fr...@li...> Gerrit-Comment-Date: Tue, 15 Jul 2025 14:32:00 +0000 Gerrit-HasComments: No Gerrit-Has-Labels: Yes Gerrit-MessageType: comment |
|
From: ordex (C. Review) <ge...@op...> - 2025-07-15 14:23:16
|
Attention is currently required from: flichtenheld, plaisthos, ralf_lici, stipa. ordex has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/1084?usp=email ) Change subject: dco: Add support for float notifications ...................................................................... Patch Set 1: Code-Review+2 (2 comments) Patchset: PS1: looks good to me File src/openvpn/multi.c: http://gerrit.openvpn.net/c/openvpn/+/1084/comment/febbeba3_6cfc1fdf : PS1, Line 3390: if (extract_dco_float_peer_addr(peer_id, &m->top.c2.from.dest, > Do we really need this "if"? Could we trust the kernel and just assert inside `extract_dco_float_pee […] no, we can't trust the kernel. when talking to an external component we can't just assume it will always do the right thing. A bug in the kernel code should not crash userspace. -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1084?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I33e9272b4196c7634db2fb33a75ae4261660867f Gerrit-Change-Number: 1084 Gerrit-PatchSet: 1 Gerrit-Owner: ralf_lici <ra...@ma...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: ordex <an...@ma...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-CC: stipa <lst...@gm...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Attention: flichtenheld <fr...@li...> Gerrit-Attention: ralf_lici <ra...@ma...> Gerrit-Attention: stipa <lst...@gm...> Gerrit-Comment-Date: Tue, 15 Jul 2025 14:23:00 +0000 Gerrit-HasComments: Yes Gerrit-Has-Labels: Yes Comment-In-Reply-To: stipa <lst...@gm...> Gerrit-MessageType: comment |
|
From: stipa (C. Review) <ge...@op...> - 2025-07-15 14:21:55
|
Attention is currently required from: flichtenheld, plaisthos, ralf_lici. stipa has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/1084?usp=email ) Change subject: dco: Add support for float notifications ...................................................................... Patch Set 1: (1 comment) File src/openvpn/multi.c: http://gerrit.openvpn.net/c/openvpn/+/1084/comment/d4327cbe_dc45f82d : PS1, Line 3390: if (extract_dco_float_peer_addr(peer_id, &m->top.c2.from.dest, Do we really need this "if"? Could we trust the kernel and just assert inside `extract_dco_float_peer_addr` on incorrect AF? -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1084?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I33e9272b4196c7634db2fb33a75ae4261660867f Gerrit-Change-Number: 1084 Gerrit-PatchSet: 1 Gerrit-Owner: ralf_lici <ra...@ma...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-CC: stipa <lst...@gm...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Attention: flichtenheld <fr...@li...> Gerrit-Attention: ralf_lici <ra...@ma...> Gerrit-Comment-Date: Tue, 15 Jul 2025 14:21:46 +0000 Gerrit-HasComments: Yes Gerrit-Has-Labels: No Gerrit-MessageType: comment |
|
From: cron2 (C. Review) <ge...@op...> - 2025-07-15 14:10:24
|
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/1076?usp=email ) Change subject: mac dns: do not run dns-updown in parallel ...................................................................... mac dns: do not run dns-updown in parallel In case more than one openvpn connection is coming up or going down at the same time, there is potential for breakage, since the operations performed are not atomic. Introduce a locking mechanism, which let's scripts run in sequence, to prevent races between them. Change-Id: I7adfaa08df6a17545cca8264d7230b5e65e49719 Signed-off-by: Heiko Hund <he...@is...> Acked-by: Arne Schwabe <arn...@rf...> Message-Id: <202...@li...> URL: https://www.mail-archive.com/ope...@li.../msg32108.html Signed-off-by: Gert Doering <ge...@gr...> --- M distro/dns-scripts/macos-dns-updown.sh 1 file changed, 17 insertions(+), 0 deletions(-) diff --git a/distro/dns-scripts/macos-dns-updown.sh b/distro/dns-scripts/macos-dns-updown.sh index 73bbee9..fb17b2b0 100644 --- a/distro/dns-scripts/macos-dns-updown.sh +++ b/distro/dns-scripts/macos-dns-updown.sh @@ -26,6 +26,23 @@ # dns_server_1_sni dns.mycorp.in # +lockdir=/var/lock +if [ ! -d "${lockdir}" ]; then + /bin/mkdir "${lockdir}" + /bin/chmod 1777 "${lockdir}" +fi + +i=1 +lockfile="${lockdir}/openvpn-dns-updown.lock" +while ! /usr/bin/shlock -f $lockfile -p $$; do + if [ $((++i)) -gt 10 ]; then + echo "dns-updown failed, could not acquire lock" + exit 1 + fi + sleep 0.2 +done +trap "/bin/rm -f ${lockfile}" EXIT + [ -z "${dns_vars_file}" ] || . "${dns_vars_file}" itf_dns_key="State:/Network/Service/openvpn-${dev}/DNS" -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1076?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I7adfaa08df6a17545cca8264d7230b5e65e49719 Gerrit-Change-Number: 1076 Gerrit-PatchSet: 5 Gerrit-Owner: d12fk <he...@op...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-MessageType: merged |
|
From: cron2 (C. Review) <ge...@op...> - 2025-07-15 14:10:23
|
cron2 has uploaded a new patch set (#5) to the change originally created by d12fk. ( http://gerrit.openvpn.net/c/openvpn/+/1076?usp=email ) The following approvals got outdated and were removed: Code-Review+2 by plaisthos Change subject: mac dns: do not run dns-updown in parallel ...................................................................... mac dns: do not run dns-updown in parallel In case more than one openvpn connection is coming up or going down at the same time, there is potential for breakage, since the operations performed are not atomic. Introduce a locking mechanism, which let's scripts run in sequence, to prevent races between them. Change-Id: I7adfaa08df6a17545cca8264d7230b5e65e49719 Signed-off-by: Heiko Hund <he...@is...> Acked-by: Arne Schwabe <arn...@rf...> Message-Id: <202...@li...> URL: https://www.mail-archive.com/ope...@li.../msg32108.html Signed-off-by: Gert Doering <ge...@gr...> --- M distro/dns-scripts/macos-dns-updown.sh 1 file changed, 17 insertions(+), 0 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/76/1076/5 diff --git a/distro/dns-scripts/macos-dns-updown.sh b/distro/dns-scripts/macos-dns-updown.sh index 73bbee9..fb17b2b0 100644 --- a/distro/dns-scripts/macos-dns-updown.sh +++ b/distro/dns-scripts/macos-dns-updown.sh @@ -26,6 +26,23 @@ # dns_server_1_sni dns.mycorp.in # +lockdir=/var/lock +if [ ! -d "${lockdir}" ]; then + /bin/mkdir "${lockdir}" + /bin/chmod 1777 "${lockdir}" +fi + +i=1 +lockfile="${lockdir}/openvpn-dns-updown.lock" +while ! /usr/bin/shlock -f $lockfile -p $$; do + if [ $((++i)) -gt 10 ]; then + echo "dns-updown failed, could not acquire lock" + exit 1 + fi + sleep 0.2 +done +trap "/bin/rm -f ${lockfile}" EXIT + [ -z "${dns_vars_file}" ] || . "${dns_vars_file}" itf_dns_key="State:/Network/Service/openvpn-${dev}/DNS" -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1076?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I7adfaa08df6a17545cca8264d7230b5e65e49719 Gerrit-Change-Number: 1076 Gerrit-PatchSet: 5 Gerrit-Owner: d12fk <he...@op...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-MessageType: newpatchset |
|
From: Gert D. <ge...@gr...> - 2025-07-15 14:10:07
|
Locking good :-) - and the code looks quite reasonable.
Your patch has been applied to the master branch.
commit bc2c74291b8fce3f7a64346753d56f18cd182886
Author: Heiko Hund
Date: Fri Jul 11 12:07:00 2025 +0200
mac dns: do not run dns-updown in parallel
Signed-off-by: Heiko Hund <he...@is...>
Acked-by: Arne Schwabe <arn...@rf...>
Message-Id: <202...@li...>
URL: https://www.mail-archive.com/ope...@li.../msg32108.html
Signed-off-by: Gert Doering <ge...@gr...>
--
kind regards,
Gert Doering
|
|
From: cron2 (C. Review) <ge...@op...> - 2025-07-15 14:02:57
|
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/1075?usp=email ) Change subject: mac dns: compare servers before restoring backup ...................................................................... mac dns: compare servers before restoring backup In case anything changed the global DNS server addresses, while the tunnel was connected, do not restore the backup of the global DNS configuration we made when connecting. Doing so would likely change DNS to something unexpected. Instead just clear the backup and leave a message in the log. Change-Id: I1aabd62e60dd18408a57baccbb0f4ebd6d2f8d67 Signed-off-by: Heiko Hund <he...@is...> Acked-by: Frank Lichtenheld <fr...@li...> Message-Id: <202...@li...> URL: https://www.mail-archive.com/ope...@li.../msg32110.html Signed-off-by: Gert Doering <ge...@gr...> --- M distro/dns-scripts/macos-dns-updown.sh 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/distro/dns-scripts/macos-dns-updown.sh b/distro/dns-scripts/macos-dns-updown.sh index 56f1009..73bbee9 100644 --- a/distro/dns-scripts/macos-dns-updown.sh +++ b/distro/dns-scripts/macos-dns-updown.sh @@ -111,6 +111,10 @@ property_value State:/Network/Global/DNS SearchDomains } +function get_server_addresses { + property_value "$(primary_dns_key)" ServerAddresses +} + function set_search_domains { [ -n "$1" ] || return local dns_key=$(primary_dns_key) @@ -239,11 +243,10 @@ function unset_dns { local n="$(find_compat_profile)" - local addresses="$(addresses_string $n)" - local search_domains="$(search_domains_string $n)" local match_domains="$(match_domains_string $n)" if [ -n "$match_domains" ]; then + local search_domains="$(search_domains_string $n)" echo "remove ${itf_dns_key}" | /usr/sbin/scutil unset_search_domains "$search_domains" else @@ -252,8 +255,15 @@ [[ "${dns_backup_key}" =~ ${dev}/ ]] || return local cmds="" - cmds+="get ${dns_backup_key}\n" - cmds+="set $(primary_dns_key)\n" + local servers="$(get_server_addresses)" + local addresses="$(addresses_string $n)" + # Only restore backup if the server addresses match + if [ "${servers}" = "${addresses}" ]; then + cmds+="get ${dns_backup_key}\n" + cmds+="set $(primary_dns_key)\n" + else + echo "not restoring global DNS configuration, server addresses have changed" + fi cmds+="remove ${dns_backup_key}\n" echo -e "${cmds}" | /usr/sbin/scutil fi -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1075?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I1aabd62e60dd18408a57baccbb0f4ebd6d2f8d67 Gerrit-Change-Number: 1075 Gerrit-PatchSet: 5 Gerrit-Owner: d12fk <he...@op...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-MessageType: merged |
|
From: cron2 (C. Review) <ge...@op...> - 2025-07-15 14:02:56
|
cron2 has uploaded a new patch set (#5) to the change originally created by d12fk. ( http://gerrit.openvpn.net/c/openvpn/+/1075?usp=email ) The following approvals got outdated and were removed: Code-Review+2 by flichtenheld Change subject: mac dns: compare servers before restoring backup ...................................................................... mac dns: compare servers before restoring backup In case anything changed the global DNS server addresses, while the tunnel was connected, do not restore the backup of the global DNS configuration we made when connecting. Doing so would likely change DNS to something unexpected. Instead just clear the backup and leave a message in the log. Change-Id: I1aabd62e60dd18408a57baccbb0f4ebd6d2f8d67 Signed-off-by: Heiko Hund <he...@is...> Acked-by: Frank Lichtenheld <fr...@li...> Message-Id: <202...@li...> URL: https://www.mail-archive.com/ope...@li.../msg32110.html Signed-off-by: Gert Doering <ge...@gr...> --- M distro/dns-scripts/macos-dns-updown.sh 1 file changed, 14 insertions(+), 4 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/75/1075/5 diff --git a/distro/dns-scripts/macos-dns-updown.sh b/distro/dns-scripts/macos-dns-updown.sh index 56f1009..73bbee9 100644 --- a/distro/dns-scripts/macos-dns-updown.sh +++ b/distro/dns-scripts/macos-dns-updown.sh @@ -111,6 +111,10 @@ property_value State:/Network/Global/DNS SearchDomains } +function get_server_addresses { + property_value "$(primary_dns_key)" ServerAddresses +} + function set_search_domains { [ -n "$1" ] || return local dns_key=$(primary_dns_key) @@ -239,11 +243,10 @@ function unset_dns { local n="$(find_compat_profile)" - local addresses="$(addresses_string $n)" - local search_domains="$(search_domains_string $n)" local match_domains="$(match_domains_string $n)" if [ -n "$match_domains" ]; then + local search_domains="$(search_domains_string $n)" echo "remove ${itf_dns_key}" | /usr/sbin/scutil unset_search_domains "$search_domains" else @@ -252,8 +255,15 @@ [[ "${dns_backup_key}" =~ ${dev}/ ]] || return local cmds="" - cmds+="get ${dns_backup_key}\n" - cmds+="set $(primary_dns_key)\n" + local servers="$(get_server_addresses)" + local addresses="$(addresses_string $n)" + # Only restore backup if the server addresses match + if [ "${servers}" = "${addresses}" ]; then + cmds+="get ${dns_backup_key}\n" + cmds+="set $(primary_dns_key)\n" + else + echo "not restoring global DNS configuration, server addresses have changed" + fi cmds+="remove ${dns_backup_key}\n" echo -e "${cmds}" | /usr/sbin/scutil fi -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1075?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I1aabd62e60dd18408a57baccbb0f4ebd6d2f8d67 Gerrit-Change-Number: 1075 Gerrit-PatchSet: 5 Gerrit-Owner: d12fk <he...@op...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-MessageType: newpatchset |
|
From: Gert D. <ge...@gr...> - 2025-07-15 14:02:42
|
This is a very welcome feature (... I regularily bump into this, when
moving "with VPN open" from LTE to wifi, then close VPN, and the restored
DNS is no longer working - Tunnelblick today, but I hear that our script
might become useful there too ;-) ).
I have not tested this, just skimmed the code change.
Your patch has been applied to the master branch.
commit c1f44ea8a24754139beee8758c15657fe367cbb0
Author: Heiko Hund
Date: Fri Jul 11 17:23:09 2025 +0200
mac dns: compare servers before restoring backup
Signed-off-by: Heiko Hund <he...@is...>
Acked-by: Frank Lichtenheld <fr...@li...>
Message-Id: <202...@li...>
URL: https://www.mail-archive.com/ope...@li.../msg32110.html
Signed-off-by: Gert Doering <ge...@gr...>
--
kind regards,
Gert Doering
|
|
From: cron2 (C. Review) <ge...@op...> - 2025-07-15 13:53:24
|
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/1081?usp=email ) Change subject: Cleanup/simplify mbed TLS related define from autoconf ...................................................................... Cleanup/simplify mbed TLS related define from autoconf Instead of a custom logic using 0/1 to be defined when the functions are present or not, use the standard check and adjust the source code accordingly. Also not compile mbed key helper with MBEDTLS_SSL_KEYING_MATERIAL_EXPORT The helper methods are only used when we don't have MBEDTLS_SSL_KEYING_MATERIAL_EXPORT and mbedtls_ssl_export_keying_material. Remove AEAD check that tests for presence of mbedtls_cipher_write_tag and mbedtls_cipher_check_tag. Having an mbed TLS version that does not support that is highly unlikely. It might have been a good check in PolarSSL's time but is not today anymore. This also adds some missing support for mbed 2.x related defines to cmake based build. Change-Id: I0f325800ebeb20bd5ef3ff78e5c5fcf0f6f74efd Signed-off-by: Arne Schwabe <ar...@rf...> Acked-by: Frank Lichtenheld <fr...@li...> Message-Id: <202...@gr...> URL: https://www.mail-archive.com/ope...@li.../msg32145.html Signed-off-by: Gert Doering <ge...@gr...> --- M CMakeLists.txt M config.h.cmake.in M configure.ac M src/openvpn/crypto_mbedtls.c M src/openvpn/mbedtls_compat.h M src/openvpn/ssl_mbedtls.c 6 files changed, 24 insertions(+), 46 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 40bffd4..efb2d2d 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -302,7 +302,8 @@ check_symbol_exists(mbedtls_ctr_drbg_update_ret mbedtls/ctr_drbg.h HAVE_MBEDTLS_CTR_DRBG_UPDATE_RET) check_symbol_exists(mbedtls_ssl_conf_export_keys_ext_cb mbedtls/ssl.h HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB) check_symbol_exists(mbedtls_ssl_set_export_keys_cb mbedtls/ssl.h HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB) - check_include_files(psa/crypto.h HAVE_MBEDTLS_PSA_CRYPTO_H) + check_symbol_exists(mbedtls_ssl_tls_prf mbedtls/ssl.h HAVE_MBEDTLS_SSL_TLS_PRF) + check_include_files(psa/crypto.h HAVE_PSA_CRYPTO_H) endfunction() if (${MBED}) diff --git a/config.h.cmake.in b/config.h.cmake.in index 5df0ac8..1c443ab 100644 --- a/config.h.cmake.in +++ b/config.h.cmake.in @@ -370,10 +370,11 @@ #undef HAVE_VFORK_H /* Availability of different mbed TLS features and APIs */ -#cmakedefine01 HAVE_MBEDTLS_PSA_CRYPTO_H -#define HAVE_MBEDTLS_SSL_TLS_PRF 1 -#cmakedefine01 HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB -#cmakedefine01 HAVE_MBEDTLS_CTR_DRBG_UPDATE_RET +#cmakedefine HAVE_PSA_CRYPTO_H +#cmakedefine HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB +#cmakedefine HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB +#cmakedefine HAVE_MBEDTLS_CTR_DRBG_UPDATE_RET +#cmakedefine HAVE_MBEDTLS_SSL_TLS_PRF /* Path to ifconfig tool */ #define IFCONFIG_PATH "@IFCONFIG_PATH@" diff --git a/configure.ac b/configure.ac index 02b45f8..8fc48ba 100644 --- a/configure.ac +++ b/configure.ac @@ -1038,38 +1038,12 @@ [AC_MSG_ERROR([mbed TLS version >= 2.0.0 or >= 3.2.1 required])] ) - AC_CHECK_HEADER( - psa/crypto.h, - [AC_DEFINE([HAVE_MBEDTLS_PSA_CRYPTO_H], [1], [yes])], - [AC_DEFINE([HAVE_MBEDTLS_PSA_CRYPTO_H], [0], [no])] - ) + AC_CHECK_HEADERS(psa/crypto.h) - AC_CHECK_FUNCS( - [ \ - mbedtls_cipher_write_tag \ - mbedtls_cipher_check_tag \ - ], - , - [AC_MSG_ERROR([mbed TLS check for AEAD support failed])] - ) + AC_CHECK_FUNCS([mbedtls_ssl_tls_prf mbedtls_ssl_conf_export_keys_ext_cb]) - AC_CHECK_FUNC( - [mbedtls_ssl_tls_prf], - [AC_DEFINE([HAVE_MBEDTLS_SSL_TLS_PRF], [1], [yes])], - [AC_DEFINE([HAVE_MBEDTLS_SSL_TLS_PRF], [0], [no])] - ) - - AC_CHECK_FUNC( - [mbedtls_ssl_conf_export_keys_ext_cb], - [AC_DEFINE([HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB], [1], [yes])], - [AC_DEFINE([HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB], [0], [no])] - ) if test "x$ac_cv_func_mbedtls_ssl_conf_export_keys_ext_cb" != xyes; then - AC_CHECK_FUNC( - [mbedtls_ssl_set_export_keys_cb], - [AC_DEFINE([HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB], [1], [yes])], - [AC_DEFINE([HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB], [0], [no])] - ) + AC_CHECK_FUNCS([mbedtls_ssl_set_export_keys_cb]) if test "x$ac_cv_func_mbedtls_ssl_set_export_keys_cb" != xyes; then AC_CHECK_FUNC([mbedtls_ssl_export_keying_material]) if test "x$ac_cv_func_mbedtls_ssl_export_keying_material" != xyes; then diff --git a/src/openvpn/crypto_mbedtls.c b/src/openvpn/crypto_mbedtls.c index c05902d..1f3dcba 100644 --- a/src/openvpn/crypto_mbedtls.c +++ b/src/openvpn/crypto_mbedtls.c @@ -981,7 +981,7 @@ } /* mbedtls-2.18.0 or newer implements tls_prf, but prf_tls1 is removed * from recent versions, so we use our own implementation if necessary. */ -#if HAVE_MBEDTLS_SSL_TLS_PRF && defined(MBEDTLS_SSL_TLS_PRF_TLS1) +#if defined(HAVE_MBEDTLS_SSL_TLS_PRF) && defined(MBEDTLS_SSL_TLS_PRF_TLS1) bool ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret, int secret_len, uint8_t *output, int output_len) @@ -990,7 +990,7 @@ secret_len, "", seed, seed_len, output, output_len)); } -#else /* HAVE_MBEDTLS_SSL_TLS_PRF && defined(MBEDTLS_SSL_TLS_PRF_TLS1) */ +#else /* defined(HAVE_MBEDTLS_SSL_TLS_PRF) && defined(MBEDTLS_SSL_TLS_PRF_TLS1) */ /* * Generate the hash required by for the \c tls1_PRF function. * diff --git a/src/openvpn/mbedtls_compat.h b/src/openvpn/mbedtls_compat.h index 145a7ae..aeb0c5f 100644 --- a/src/openvpn/mbedtls_compat.h +++ b/src/openvpn/mbedtls_compat.h @@ -48,7 +48,7 @@ #include <mbedtls/version.h> #include <mbedtls/x509_crt.h> -#if HAVE_MBEDTLS_PSA_CRYPTO_H +#ifdef HAVE_PSA_CRYPTO_H #include <psa/crypto.h> #endif @@ -61,14 +61,14 @@ static inline void mbedtls_compat_psa_crypto_init(void) { -#if HAVE_MBEDTLS_PSA_CRYPTO_H && defined(MBEDTLS_PSA_CRYPTO_C) +#if defined(HAVE_PSA_CRYPTO_H) && defined(MBEDTLS_PSA_CRYPTO_C) if (psa_crypto_init() != PSA_SUCCESS) { msg(M_FATAL, "mbedtls: psa_crypto_init() failed"); } #else return; -#endif /* HAVE_MBEDTLS_PSA_CRYPTO_H && defined(MBEDTLS_PSA_CRYPTO_C) */ +#endif } static inline mbedtls_compat_group_id @@ -96,7 +96,7 @@ { #if MBEDTLS_VERSION_NUMBER > 0x03000000 return mbedtls_ctr_drbg_update(ctx, additional, add_len); -#elif HAVE_MBEDTLS_CTR_DRBG_UPDATE_RET +#elif defined(HAVE_MBEDTLS_CTR_DRBG_UPDATE_RET) return mbedtls_ctr_drbg_update_ret(ctx, additional, add_len); #else mbedtls_ctr_drbg_update(ctx, additional, add_len); diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c index ecccc26..a4bb772 100644 --- a/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c @@ -173,8 +173,9 @@ ASSERT(NULL != ctx); return ctx->initialised; } - -#if HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB +#ifdef MBEDTLS_SSL_KEYING_MATERIAL_EXPORT +/* mbedtls_ssl_export_keying_material does not need helper/callback methods */ +#elif defined(HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB) /* * Key export callback for older versions of mbed TLS, to be used with * mbedtls_ssl_conf_export_keys_ext_cb(). It is called with the master @@ -205,7 +206,7 @@ return 0; } -#elif HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB +#elif defined(HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB) /* * Key export callback for newer versions of mbed TLS, to be used with * mbedtls_ssl_set_export_keys_cb(). When used with TLS 1.2, the callback @@ -251,10 +252,11 @@ memcpy(cache->master_secret, secret, sizeof(cache->master_secret)); cache->tls_prf_type = tls_prf_type; } -#elif !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) +#else /* ifdef MBEDTLS_SSL_KEYING_MATERIAL_EXPORT */ #error mbedtls_ssl_conf_export_keys_ext_cb, mbedtls_ssl_set_export_keys_cb or mbedtls_ssl_export_keying_material must be available in mbed TLS #endif /* HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB */ + bool key_state_export_keying_material(struct tls_session *session, const char *label, size_t label_size, @@ -1244,7 +1246,7 @@ mbedtls_ssl_conf_max_tls_version(ks_ssl->ssl_config, version); } -#if HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB && !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) +#if defined(HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB) && !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) /* Initialize keying material exporter, old style. */ mbedtls_ssl_conf_export_keys_ext_cb(ks_ssl->ssl_config, mbedtls_ssl_export_keys_cb, session); @@ -1259,7 +1261,7 @@ * verification. */ ASSERT(mbed_ok(mbedtls_ssl_set_hostname(ks_ssl->ctx, NULL))); -#if HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB && !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) +#if defined(HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB) && !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) /* Initialize keying material exporter, new style. */ mbedtls_ssl_set_export_keys_cb(ks_ssl->ctx, mbedtls_ssl_export_keys_cb, session); #endif -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1081?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I0f325800ebeb20bd5ef3ff78e5c5fcf0f6f74efd Gerrit-Change-Number: 1081 Gerrit-PatchSet: 10 Gerrit-Owner: plaisthos <arn...@rf...> Gerrit-Reviewer: cron2 <ge...@gr...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-MessageType: merged |
|
From: cron2 (C. Review) <ge...@op...> - 2025-07-15 13:53:23
|
cron2 has uploaded a new patch set (#10) to the change originally created by plaisthos. ( http://gerrit.openvpn.net/c/openvpn/+/1081?usp=email ) The following approvals got outdated and were removed: Code-Review+2 by flichtenheld Change subject: Cleanup/simplify mbed TLS related define from autoconf ...................................................................... Cleanup/simplify mbed TLS related define from autoconf Instead of a custom logic using 0/1 to be defined when the functions are present or not, use the standard check and adjust the source code accordingly. Also not compile mbed key helper with MBEDTLS_SSL_KEYING_MATERIAL_EXPORT The helper methods are only used when we don't have MBEDTLS_SSL_KEYING_MATERIAL_EXPORT and mbedtls_ssl_export_keying_material. Remove AEAD check that tests for presence of mbedtls_cipher_write_tag and mbedtls_cipher_check_tag. Having an mbed TLS version that does not support that is highly unlikely. It might have been a good check in PolarSSL's time but is not today anymore. This also adds some missing support for mbed 2.x related defines to cmake based build. Change-Id: I0f325800ebeb20bd5ef3ff78e5c5fcf0f6f74efd Signed-off-by: Arne Schwabe <ar...@rf...> Acked-by: Frank Lichtenheld <fr...@li...> Message-Id: <202...@gr...> URL: https://www.mail-archive.com/ope...@li.../msg32145.html Signed-off-by: Gert Doering <ge...@gr...> --- M CMakeLists.txt M config.h.cmake.in M configure.ac M src/openvpn/crypto_mbedtls.c M src/openvpn/mbedtls_compat.h M src/openvpn/ssl_mbedtls.c 6 files changed, 24 insertions(+), 46 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/81/1081/10 diff --git a/CMakeLists.txt b/CMakeLists.txt index 40bffd4..efb2d2d 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -302,7 +302,8 @@ check_symbol_exists(mbedtls_ctr_drbg_update_ret mbedtls/ctr_drbg.h HAVE_MBEDTLS_CTR_DRBG_UPDATE_RET) check_symbol_exists(mbedtls_ssl_conf_export_keys_ext_cb mbedtls/ssl.h HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB) check_symbol_exists(mbedtls_ssl_set_export_keys_cb mbedtls/ssl.h HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB) - check_include_files(psa/crypto.h HAVE_MBEDTLS_PSA_CRYPTO_H) + check_symbol_exists(mbedtls_ssl_tls_prf mbedtls/ssl.h HAVE_MBEDTLS_SSL_TLS_PRF) + check_include_files(psa/crypto.h HAVE_PSA_CRYPTO_H) endfunction() if (${MBED}) diff --git a/config.h.cmake.in b/config.h.cmake.in index 5df0ac8..1c443ab 100644 --- a/config.h.cmake.in +++ b/config.h.cmake.in @@ -370,10 +370,11 @@ #undef HAVE_VFORK_H /* Availability of different mbed TLS features and APIs */ -#cmakedefine01 HAVE_MBEDTLS_PSA_CRYPTO_H -#define HAVE_MBEDTLS_SSL_TLS_PRF 1 -#cmakedefine01 HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB -#cmakedefine01 HAVE_MBEDTLS_CTR_DRBG_UPDATE_RET +#cmakedefine HAVE_PSA_CRYPTO_H +#cmakedefine HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB +#cmakedefine HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB +#cmakedefine HAVE_MBEDTLS_CTR_DRBG_UPDATE_RET +#cmakedefine HAVE_MBEDTLS_SSL_TLS_PRF /* Path to ifconfig tool */ #define IFCONFIG_PATH "@IFCONFIG_PATH@" diff --git a/configure.ac b/configure.ac index 02b45f8..8fc48ba 100644 --- a/configure.ac +++ b/configure.ac @@ -1038,38 +1038,12 @@ [AC_MSG_ERROR([mbed TLS version >= 2.0.0 or >= 3.2.1 required])] ) - AC_CHECK_HEADER( - psa/crypto.h, - [AC_DEFINE([HAVE_MBEDTLS_PSA_CRYPTO_H], [1], [yes])], - [AC_DEFINE([HAVE_MBEDTLS_PSA_CRYPTO_H], [0], [no])] - ) + AC_CHECK_HEADERS(psa/crypto.h) - AC_CHECK_FUNCS( - [ \ - mbedtls_cipher_write_tag \ - mbedtls_cipher_check_tag \ - ], - , - [AC_MSG_ERROR([mbed TLS check for AEAD support failed])] - ) + AC_CHECK_FUNCS([mbedtls_ssl_tls_prf mbedtls_ssl_conf_export_keys_ext_cb]) - AC_CHECK_FUNC( - [mbedtls_ssl_tls_prf], - [AC_DEFINE([HAVE_MBEDTLS_SSL_TLS_PRF], [1], [yes])], - [AC_DEFINE([HAVE_MBEDTLS_SSL_TLS_PRF], [0], [no])] - ) - - AC_CHECK_FUNC( - [mbedtls_ssl_conf_export_keys_ext_cb], - [AC_DEFINE([HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB], [1], [yes])], - [AC_DEFINE([HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB], [0], [no])] - ) if test "x$ac_cv_func_mbedtls_ssl_conf_export_keys_ext_cb" != xyes; then - AC_CHECK_FUNC( - [mbedtls_ssl_set_export_keys_cb], - [AC_DEFINE([HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB], [1], [yes])], - [AC_DEFINE([HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB], [0], [no])] - ) + AC_CHECK_FUNCS([mbedtls_ssl_set_export_keys_cb]) if test "x$ac_cv_func_mbedtls_ssl_set_export_keys_cb" != xyes; then AC_CHECK_FUNC([mbedtls_ssl_export_keying_material]) if test "x$ac_cv_func_mbedtls_ssl_export_keying_material" != xyes; then diff --git a/src/openvpn/crypto_mbedtls.c b/src/openvpn/crypto_mbedtls.c index c05902d..1f3dcba 100644 --- a/src/openvpn/crypto_mbedtls.c +++ b/src/openvpn/crypto_mbedtls.c @@ -981,7 +981,7 @@ } /* mbedtls-2.18.0 or newer implements tls_prf, but prf_tls1 is removed * from recent versions, so we use our own implementation if necessary. */ -#if HAVE_MBEDTLS_SSL_TLS_PRF && defined(MBEDTLS_SSL_TLS_PRF_TLS1) +#if defined(HAVE_MBEDTLS_SSL_TLS_PRF) && defined(MBEDTLS_SSL_TLS_PRF_TLS1) bool ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret, int secret_len, uint8_t *output, int output_len) @@ -990,7 +990,7 @@ secret_len, "", seed, seed_len, output, output_len)); } -#else /* HAVE_MBEDTLS_SSL_TLS_PRF && defined(MBEDTLS_SSL_TLS_PRF_TLS1) */ +#else /* defined(HAVE_MBEDTLS_SSL_TLS_PRF) && defined(MBEDTLS_SSL_TLS_PRF_TLS1) */ /* * Generate the hash required by for the \c tls1_PRF function. * diff --git a/src/openvpn/mbedtls_compat.h b/src/openvpn/mbedtls_compat.h index 145a7ae..aeb0c5f 100644 --- a/src/openvpn/mbedtls_compat.h +++ b/src/openvpn/mbedtls_compat.h @@ -48,7 +48,7 @@ #include <mbedtls/version.h> #include <mbedtls/x509_crt.h> -#if HAVE_MBEDTLS_PSA_CRYPTO_H +#ifdef HAVE_PSA_CRYPTO_H #include <psa/crypto.h> #endif @@ -61,14 +61,14 @@ static inline void mbedtls_compat_psa_crypto_init(void) { -#if HAVE_MBEDTLS_PSA_CRYPTO_H && defined(MBEDTLS_PSA_CRYPTO_C) +#if defined(HAVE_PSA_CRYPTO_H) && defined(MBEDTLS_PSA_CRYPTO_C) if (psa_crypto_init() != PSA_SUCCESS) { msg(M_FATAL, "mbedtls: psa_crypto_init() failed"); } #else return; -#endif /* HAVE_MBEDTLS_PSA_CRYPTO_H && defined(MBEDTLS_PSA_CRYPTO_C) */ +#endif } static inline mbedtls_compat_group_id @@ -96,7 +96,7 @@ { #if MBEDTLS_VERSION_NUMBER > 0x03000000 return mbedtls_ctr_drbg_update(ctx, additional, add_len); -#elif HAVE_MBEDTLS_CTR_DRBG_UPDATE_RET +#elif defined(HAVE_MBEDTLS_CTR_DRBG_UPDATE_RET) return mbedtls_ctr_drbg_update_ret(ctx, additional, add_len); #else mbedtls_ctr_drbg_update(ctx, additional, add_len); diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c index ecccc26..a4bb772 100644 --- a/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c @@ -173,8 +173,9 @@ ASSERT(NULL != ctx); return ctx->initialised; } - -#if HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB +#ifdef MBEDTLS_SSL_KEYING_MATERIAL_EXPORT +/* mbedtls_ssl_export_keying_material does not need helper/callback methods */ +#elif defined(HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB) /* * Key export callback for older versions of mbed TLS, to be used with * mbedtls_ssl_conf_export_keys_ext_cb(). It is called with the master @@ -205,7 +206,7 @@ return 0; } -#elif HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB +#elif defined(HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB) /* * Key export callback for newer versions of mbed TLS, to be used with * mbedtls_ssl_set_export_keys_cb(). When used with TLS 1.2, the callback @@ -251,10 +252,11 @@ memcpy(cache->master_secret, secret, sizeof(cache->master_secret)); cache->tls_prf_type = tls_prf_type; } -#elif !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) +#else /* ifdef MBEDTLS_SSL_KEYING_MATERIAL_EXPORT */ #error mbedtls_ssl_conf_export_keys_ext_cb, mbedtls_ssl_set_export_keys_cb or mbedtls_ssl_export_keying_material must be available in mbed TLS #endif /* HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB */ + bool key_state_export_keying_material(struct tls_session *session, const char *label, size_t label_size, @@ -1244,7 +1246,7 @@ mbedtls_ssl_conf_max_tls_version(ks_ssl->ssl_config, version); } -#if HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB && !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) +#if defined(HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB) && !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) /* Initialize keying material exporter, old style. */ mbedtls_ssl_conf_export_keys_ext_cb(ks_ssl->ssl_config, mbedtls_ssl_export_keys_cb, session); @@ -1259,7 +1261,7 @@ * verification. */ ASSERT(mbed_ok(mbedtls_ssl_set_hostname(ks_ssl->ctx, NULL))); -#if HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB && !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) +#if defined(HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB) && !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) /* Initialize keying material exporter, new style. */ mbedtls_ssl_set_export_keys_cb(ks_ssl->ctx, mbedtls_ssl_export_keys_cb, session); #endif -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1081?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I0f325800ebeb20bd5ef3ff78e5c5fcf0f6f74efd Gerrit-Change-Number: 1081 Gerrit-PatchSet: 10 Gerrit-Owner: plaisthos <arn...@rf...> Gerrit-Reviewer: cron2 <ge...@gr...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-MessageType: newpatchset |
|
From: Gert D. <ge...@gr...> - 2025-07-15 13:53:06
|
This was slightly painful... but now we're at a point where this is
much simpler than before, arguably correct, and proven to work with
mbedtls 2.24, 2.28.3, 3.6.3 and 3.6.4 (TLS1.3, finally)...
Your patch has been applied to the master branch.
commit 5f34a7a0362ac228787b6d9d0968318132c78276
Author: Arne Schwabe
Date: Tue Jul 15 14:29:49 2025 +0200
Cleanup/simplify mbed TLS related define from autoconf
Signed-off-by: Arne Schwabe <ar...@rf...>
Acked-by: Frank Lichtenheld <fr...@li...>
Message-Id: <202...@gr...>
URL: https://www.mail-archive.com/ope...@li.../msg32145.html
Signed-off-by: Gert Doering <ge...@gr...>
--
kind regards,
Gert Doering
|
|
From: Gert D. <ge...@gr...> - 2025-07-15 12:30:11
|
From: Arne Schwabe <ar...@rf...> Instead of a custom logic using 0/1 to be defined when the functions are present or not, use the standard check and adjust the source code accordingly. Also not compile mbed key helper with MBEDTLS_SSL_KEYING_MATERIAL_EXPORT The helper methods are only used when we don't have MBEDTLS_SSL_KEYING_MATERIAL_EXPORT and mbedtls_ssl_export_keying_material. Remove AEAD check that tests for presence of mbedtls_cipher_write_tag and mbedtls_cipher_check_tag. Having an mbed TLS version that does not support that is highly unlikely. It might have been a good check in PolarSSL's time but is not today anymore. This also adds some missing support for mbed 2.x related defines to cmake based build. Change-Id: I0f325800ebeb20bd5ef3ff78e5c5fcf0f6f74efd Signed-off-by: Arne Schwabe <ar...@rf...> Acked-by: Frank Lichtenheld <fr...@li...> --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1081 This mail reflects revision 9 of this Change. Acked-by according to Gerrit (reflected above): Frank Lichtenheld <fr...@li...> diff --git a/CMakeLists.txt b/CMakeLists.txt index 40bffd4..efb2d2d 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -302,7 +302,8 @@ check_symbol_exists(mbedtls_ctr_drbg_update_ret mbedtls/ctr_drbg.h HAVE_MBEDTLS_CTR_DRBG_UPDATE_RET) check_symbol_exists(mbedtls_ssl_conf_export_keys_ext_cb mbedtls/ssl.h HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB) check_symbol_exists(mbedtls_ssl_set_export_keys_cb mbedtls/ssl.h HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB) - check_include_files(psa/crypto.h HAVE_MBEDTLS_PSA_CRYPTO_H) + check_symbol_exists(mbedtls_ssl_tls_prf mbedtls/ssl.h HAVE_MBEDTLS_SSL_TLS_PRF) + check_include_files(psa/crypto.h HAVE_PSA_CRYPTO_H) endfunction() if (${MBED}) diff --git a/config.h.cmake.in b/config.h.cmake.in index 5df0ac8..1c443ab 100644 --- a/config.h.cmake.in +++ b/config.h.cmake.in @@ -370,10 +370,11 @@ #undef HAVE_VFORK_H /* Availability of different mbed TLS features and APIs */ -#cmakedefine01 HAVE_MBEDTLS_PSA_CRYPTO_H -#define HAVE_MBEDTLS_SSL_TLS_PRF 1 -#cmakedefine01 HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB -#cmakedefine01 HAVE_MBEDTLS_CTR_DRBG_UPDATE_RET +#cmakedefine HAVE_PSA_CRYPTO_H +#cmakedefine HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB +#cmakedefine HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB +#cmakedefine HAVE_MBEDTLS_CTR_DRBG_UPDATE_RET +#cmakedefine HAVE_MBEDTLS_SSL_TLS_PRF /* Path to ifconfig tool */ #define IFCONFIG_PATH "@IFCONFIG_PATH@" diff --git a/configure.ac b/configure.ac index 02b45f8..8fc48ba 100644 --- a/configure.ac +++ b/configure.ac @@ -1038,38 +1038,12 @@ [AC_MSG_ERROR([mbed TLS version >= 2.0.0 or >= 3.2.1 required])] ) - AC_CHECK_HEADER( - psa/crypto.h, - [AC_DEFINE([HAVE_MBEDTLS_PSA_CRYPTO_H], [1], [yes])], - [AC_DEFINE([HAVE_MBEDTLS_PSA_CRYPTO_H], [0], [no])] - ) + AC_CHECK_HEADERS(psa/crypto.h) - AC_CHECK_FUNCS( - [ \ - mbedtls_cipher_write_tag \ - mbedtls_cipher_check_tag \ - ], - , - [AC_MSG_ERROR([mbed TLS check for AEAD support failed])] - ) + AC_CHECK_FUNCS([mbedtls_ssl_tls_prf mbedtls_ssl_conf_export_keys_ext_cb]) - AC_CHECK_FUNC( - [mbedtls_ssl_tls_prf], - [AC_DEFINE([HAVE_MBEDTLS_SSL_TLS_PRF], [1], [yes])], - [AC_DEFINE([HAVE_MBEDTLS_SSL_TLS_PRF], [0], [no])] - ) - - AC_CHECK_FUNC( - [mbedtls_ssl_conf_export_keys_ext_cb], - [AC_DEFINE([HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB], [1], [yes])], - [AC_DEFINE([HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB], [0], [no])] - ) if test "x$ac_cv_func_mbedtls_ssl_conf_export_keys_ext_cb" != xyes; then - AC_CHECK_FUNC( - [mbedtls_ssl_set_export_keys_cb], - [AC_DEFINE([HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB], [1], [yes])], - [AC_DEFINE([HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB], [0], [no])] - ) + AC_CHECK_FUNCS([mbedtls_ssl_set_export_keys_cb]) if test "x$ac_cv_func_mbedtls_ssl_set_export_keys_cb" != xyes; then AC_CHECK_FUNC([mbedtls_ssl_export_keying_material]) if test "x$ac_cv_func_mbedtls_ssl_export_keying_material" != xyes; then diff --git a/src/openvpn/crypto_mbedtls.c b/src/openvpn/crypto_mbedtls.c index c05902d..1f3dcba 100644 --- a/src/openvpn/crypto_mbedtls.c +++ b/src/openvpn/crypto_mbedtls.c @@ -981,7 +981,7 @@ } /* mbedtls-2.18.0 or newer implements tls_prf, but prf_tls1 is removed * from recent versions, so we use our own implementation if necessary. */ -#if HAVE_MBEDTLS_SSL_TLS_PRF && defined(MBEDTLS_SSL_TLS_PRF_TLS1) +#if defined(HAVE_MBEDTLS_SSL_TLS_PRF) && defined(MBEDTLS_SSL_TLS_PRF_TLS1) bool ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret, int secret_len, uint8_t *output, int output_len) @@ -990,7 +990,7 @@ secret_len, "", seed, seed_len, output, output_len)); } -#else /* HAVE_MBEDTLS_SSL_TLS_PRF && defined(MBEDTLS_SSL_TLS_PRF_TLS1) */ +#else /* defined(HAVE_MBEDTLS_SSL_TLS_PRF) && defined(MBEDTLS_SSL_TLS_PRF_TLS1) */ /* * Generate the hash required by for the \c tls1_PRF function. * diff --git a/src/openvpn/mbedtls_compat.h b/src/openvpn/mbedtls_compat.h index 145a7ae..aeb0c5f 100644 --- a/src/openvpn/mbedtls_compat.h +++ b/src/openvpn/mbedtls_compat.h @@ -48,7 +48,7 @@ #include <mbedtls/version.h> #include <mbedtls/x509_crt.h> -#if HAVE_MBEDTLS_PSA_CRYPTO_H +#ifdef HAVE_PSA_CRYPTO_H #include <psa/crypto.h> #endif @@ -61,14 +61,14 @@ static inline void mbedtls_compat_psa_crypto_init(void) { -#if HAVE_MBEDTLS_PSA_CRYPTO_H && defined(MBEDTLS_PSA_CRYPTO_C) +#if defined(HAVE_PSA_CRYPTO_H) && defined(MBEDTLS_PSA_CRYPTO_C) if (psa_crypto_init() != PSA_SUCCESS) { msg(M_FATAL, "mbedtls: psa_crypto_init() failed"); } #else return; -#endif /* HAVE_MBEDTLS_PSA_CRYPTO_H && defined(MBEDTLS_PSA_CRYPTO_C) */ +#endif } static inline mbedtls_compat_group_id @@ -96,7 +96,7 @@ { #if MBEDTLS_VERSION_NUMBER > 0x03000000 return mbedtls_ctr_drbg_update(ctx, additional, add_len); -#elif HAVE_MBEDTLS_CTR_DRBG_UPDATE_RET +#elif defined(HAVE_MBEDTLS_CTR_DRBG_UPDATE_RET) return mbedtls_ctr_drbg_update_ret(ctx, additional, add_len); #else mbedtls_ctr_drbg_update(ctx, additional, add_len); diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c index ecccc26..a4bb772 100644 --- a/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c @@ -173,8 +173,9 @@ ASSERT(NULL != ctx); return ctx->initialised; } - -#if HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB +#ifdef MBEDTLS_SSL_KEYING_MATERIAL_EXPORT +/* mbedtls_ssl_export_keying_material does not need helper/callback methods */ +#elif defined(HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB) /* * Key export callback for older versions of mbed TLS, to be used with * mbedtls_ssl_conf_export_keys_ext_cb(). It is called with the master @@ -205,7 +206,7 @@ return 0; } -#elif HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB +#elif defined(HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB) /* * Key export callback for newer versions of mbed TLS, to be used with * mbedtls_ssl_set_export_keys_cb(). When used with TLS 1.2, the callback @@ -251,10 +252,11 @@ memcpy(cache->master_secret, secret, sizeof(cache->master_secret)); cache->tls_prf_type = tls_prf_type; } -#elif !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) +#else /* ifdef MBEDTLS_SSL_KEYING_MATERIAL_EXPORT */ #error mbedtls_ssl_conf_export_keys_ext_cb, mbedtls_ssl_set_export_keys_cb or mbedtls_ssl_export_keying_material must be available in mbed TLS #endif /* HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB */ + bool key_state_export_keying_material(struct tls_session *session, const char *label, size_t label_size, @@ -1244,7 +1246,7 @@ mbedtls_ssl_conf_max_tls_version(ks_ssl->ssl_config, version); } -#if HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB && !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) +#if defined(HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB) && !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) /* Initialize keying material exporter, old style. */ mbedtls_ssl_conf_export_keys_ext_cb(ks_ssl->ssl_config, mbedtls_ssl_export_keys_cb, session); @@ -1259,7 +1261,7 @@ * verification. */ ASSERT(mbed_ok(mbedtls_ssl_set_hostname(ks_ssl->ctx, NULL))); -#if HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB && !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) +#if defined(HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB) && !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) /* Initialize keying material exporter, new style. */ mbedtls_ssl_set_export_keys_cb(ks_ssl->ctx, mbedtls_ssl_export_keys_cb, session); #endif |
|
From: flichtenheld (C. Review) <ge...@op...> - 2025-07-15 12:24:37
|
Attention is currently required from: cron2, plaisthos. flichtenheld has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/1081?usp=email ) Change subject: Cleanup/simplify mbed TLS related define from autoconf ...................................................................... Patch Set 9: Code-Review+2 (1 comment) File configure.ac: http://gerrit.openvpn.net/c/openvpn/+/1081/comment/3278c867_05e6ee0b : PS7, Line 1041: AC_CHECK_HEADER(psa/crypto.h) > Sorry, this is still not correct. […] Done -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1081?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I0f325800ebeb20bd5ef3ff78e5c5fcf0f6f74efd Gerrit-Change-Number: 1081 Gerrit-PatchSet: 9 Gerrit-Owner: plaisthos <arn...@rf...> Gerrit-Reviewer: cron2 <ge...@gr...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Attention: cron2 <ge...@gr...> Gerrit-Comment-Date: Tue, 15 Jul 2025 12:24:28 +0000 Gerrit-HasComments: Yes Gerrit-Has-Labels: Yes Comment-In-Reply-To: plaisthos <arn...@rf...> Comment-In-Reply-To: flichtenheld <fr...@li...> Gerrit-MessageType: comment |
|
From: plaisthos (C. Review) <ge...@op...> - 2025-07-15 11:27:53
|
Attention is currently required from: cron2, plaisthos.
Hello cron2, flichtenheld,
I'd like you to reexamine a change. Please visit
http://gerrit.openvpn.net/c/openvpn/+/1081?usp=email
to look at the new patch set (#9).
Change subject: Cleanup/simplify mbed TLS related define from autoconf
......................................................................
Cleanup/simplify mbed TLS related define from autoconf
Instead of a custom logic using 0/1 to be defined when the functions
are present or not, use the standard check and adjust the source code
accordingly.
Also not compile mbed key helper with MBEDTLS_SSL_KEYING_MATERIAL_EXPORT
The helper methods are only used when we don't have
MBEDTLS_SSL_KEYING_MATERIAL_EXPORT and mbedtls_ssl_export_keying_material.
Remove AEAD check that tests for presence of mbedtls_cipher_write_tag
and mbedtls_cipher_check_tag. Having an mbed TLS version that does not
support that is highly unlikely. It might have been a good check in
PolarSSL's time but is not today anymore.
This also adds some missing support for mbed 2.x related defines to
cmake based build.
Change-Id: I0f325800ebeb20bd5ef3ff78e5c5fcf0f6f74efd
Signed-off-by: Arne Schwabe <ar...@rf...>
---
M CMakeLists.txt
M config.h.cmake.in
M configure.ac
M src/openvpn/crypto_mbedtls.c
M src/openvpn/mbedtls_compat.h
M src/openvpn/ssl_mbedtls.c
6 files changed, 24 insertions(+), 46 deletions(-)
git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/81/1081/9
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 40bffd4..efb2d2d 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -302,7 +302,8 @@
check_symbol_exists(mbedtls_ctr_drbg_update_ret mbedtls/ctr_drbg.h HAVE_MBEDTLS_CTR_DRBG_UPDATE_RET)
check_symbol_exists(mbedtls_ssl_conf_export_keys_ext_cb mbedtls/ssl.h HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB)
check_symbol_exists(mbedtls_ssl_set_export_keys_cb mbedtls/ssl.h HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB)
- check_include_files(psa/crypto.h HAVE_MBEDTLS_PSA_CRYPTO_H)
+ check_symbol_exists(mbedtls_ssl_tls_prf mbedtls/ssl.h HAVE_MBEDTLS_SSL_TLS_PRF)
+ check_include_files(psa/crypto.h HAVE_PSA_CRYPTO_H)
endfunction()
if (${MBED})
diff --git a/config.h.cmake.in b/config.h.cmake.in
index 5df0ac8..1c443ab 100644
--- a/config.h.cmake.in
+++ b/config.h.cmake.in
@@ -370,10 +370,11 @@
#undef HAVE_VFORK_H
/* Availability of different mbed TLS features and APIs */
-#cmakedefine01 HAVE_MBEDTLS_PSA_CRYPTO_H
-#define HAVE_MBEDTLS_SSL_TLS_PRF 1
-#cmakedefine01 HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB
-#cmakedefine01 HAVE_MBEDTLS_CTR_DRBG_UPDATE_RET
+#cmakedefine HAVE_PSA_CRYPTO_H
+#cmakedefine HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB
+#cmakedefine HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB
+#cmakedefine HAVE_MBEDTLS_CTR_DRBG_UPDATE_RET
+#cmakedefine HAVE_MBEDTLS_SSL_TLS_PRF
/* Path to ifconfig tool */
#define IFCONFIG_PATH "@IFCONFIG_PATH@"
diff --git a/configure.ac b/configure.ac
index 02b45f8..8fc48ba 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1038,38 +1038,12 @@
[AC_MSG_ERROR([mbed TLS version >= 2.0.0 or >= 3.2.1 required])]
)
- AC_CHECK_HEADER(
- psa/crypto.h,
- [AC_DEFINE([HAVE_MBEDTLS_PSA_CRYPTO_H], [1], [yes])],
- [AC_DEFINE([HAVE_MBEDTLS_PSA_CRYPTO_H], [0], [no])]
- )
+ AC_CHECK_HEADERS(psa/crypto.h)
- AC_CHECK_FUNCS(
- [ \
- mbedtls_cipher_write_tag \
- mbedtls_cipher_check_tag \
- ],
- ,
- [AC_MSG_ERROR([mbed TLS check for AEAD support failed])]
- )
+ AC_CHECK_FUNCS([mbedtls_ssl_tls_prf mbedtls_ssl_conf_export_keys_ext_cb])
- AC_CHECK_FUNC(
- [mbedtls_ssl_tls_prf],
- [AC_DEFINE([HAVE_MBEDTLS_SSL_TLS_PRF], [1], [yes])],
- [AC_DEFINE([HAVE_MBEDTLS_SSL_TLS_PRF], [0], [no])]
- )
-
- AC_CHECK_FUNC(
- [mbedtls_ssl_conf_export_keys_ext_cb],
- [AC_DEFINE([HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB], [1], [yes])],
- [AC_DEFINE([HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB], [0], [no])]
- )
if test "x$ac_cv_func_mbedtls_ssl_conf_export_keys_ext_cb" != xyes; then
- AC_CHECK_FUNC(
- [mbedtls_ssl_set_export_keys_cb],
- [AC_DEFINE([HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB], [1], [yes])],
- [AC_DEFINE([HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB], [0], [no])]
- )
+ AC_CHECK_FUNCS([mbedtls_ssl_set_export_keys_cb])
if test "x$ac_cv_func_mbedtls_ssl_set_export_keys_cb" != xyes; then
AC_CHECK_FUNC([mbedtls_ssl_export_keying_material])
if test "x$ac_cv_func_mbedtls_ssl_export_keying_material" != xyes; then
diff --git a/src/openvpn/crypto_mbedtls.c b/src/openvpn/crypto_mbedtls.c
index c05902d..1f3dcba 100644
--- a/src/openvpn/crypto_mbedtls.c
+++ b/src/openvpn/crypto_mbedtls.c
@@ -981,7 +981,7 @@
}
/* mbedtls-2.18.0 or newer implements tls_prf, but prf_tls1 is removed
* from recent versions, so we use our own implementation if necessary. */
-#if HAVE_MBEDTLS_SSL_TLS_PRF && defined(MBEDTLS_SSL_TLS_PRF_TLS1)
+#if defined(HAVE_MBEDTLS_SSL_TLS_PRF) && defined(MBEDTLS_SSL_TLS_PRF_TLS1)
bool
ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret,
int secret_len, uint8_t *output, int output_len)
@@ -990,7 +990,7 @@
secret_len, "", seed, seed_len, output,
output_len));
}
-#else /* HAVE_MBEDTLS_SSL_TLS_PRF && defined(MBEDTLS_SSL_TLS_PRF_TLS1) */
+#else /* defined(HAVE_MBEDTLS_SSL_TLS_PRF) && defined(MBEDTLS_SSL_TLS_PRF_TLS1) */
/*
* Generate the hash required by for the \c tls1_PRF function.
*
diff --git a/src/openvpn/mbedtls_compat.h b/src/openvpn/mbedtls_compat.h
index 145a7ae..aeb0c5f 100644
--- a/src/openvpn/mbedtls_compat.h
+++ b/src/openvpn/mbedtls_compat.h
@@ -48,7 +48,7 @@
#include <mbedtls/version.h>
#include <mbedtls/x509_crt.h>
-#if HAVE_MBEDTLS_PSA_CRYPTO_H
+#ifdef HAVE_PSA_CRYPTO_H
#include <psa/crypto.h>
#endif
@@ -61,14 +61,14 @@
static inline void
mbedtls_compat_psa_crypto_init(void)
{
-#if HAVE_MBEDTLS_PSA_CRYPTO_H && defined(MBEDTLS_PSA_CRYPTO_C)
+#if defined(HAVE_PSA_CRYPTO_H) && defined(MBEDTLS_PSA_CRYPTO_C)
if (psa_crypto_init() != PSA_SUCCESS)
{
msg(M_FATAL, "mbedtls: psa_crypto_init() failed");
}
#else
return;
-#endif /* HAVE_MBEDTLS_PSA_CRYPTO_H && defined(MBEDTLS_PSA_CRYPTO_C) */
+#endif
}
static inline mbedtls_compat_group_id
@@ -96,7 +96,7 @@
{
#if MBEDTLS_VERSION_NUMBER > 0x03000000
return mbedtls_ctr_drbg_update(ctx, additional, add_len);
-#elif HAVE_MBEDTLS_CTR_DRBG_UPDATE_RET
+#elif defined(HAVE_MBEDTLS_CTR_DRBG_UPDATE_RET)
return mbedtls_ctr_drbg_update_ret(ctx, additional, add_len);
#else
mbedtls_ctr_drbg_update(ctx, additional, add_len);
diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c
index ecccc26..a4bb772 100644
--- a/src/openvpn/ssl_mbedtls.c
+++ b/src/openvpn/ssl_mbedtls.c
@@ -173,8 +173,9 @@
ASSERT(NULL != ctx);
return ctx->initialised;
}
-
-#if HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB
+#ifdef MBEDTLS_SSL_KEYING_MATERIAL_EXPORT
+/* mbedtls_ssl_export_keying_material does not need helper/callback methods */
+#elif defined(HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB)
/*
* Key export callback for older versions of mbed TLS, to be used with
* mbedtls_ssl_conf_export_keys_ext_cb(). It is called with the master
@@ -205,7 +206,7 @@
return 0;
}
-#elif HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB
+#elif defined(HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB)
/*
* Key export callback for newer versions of mbed TLS, to be used with
* mbedtls_ssl_set_export_keys_cb(). When used with TLS 1.2, the callback
@@ -251,10 +252,11 @@
memcpy(cache->master_secret, secret, sizeof(cache->master_secret));
cache->tls_prf_type = tls_prf_type;
}
-#elif !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT)
+#else /* ifdef MBEDTLS_SSL_KEYING_MATERIAL_EXPORT */
#error mbedtls_ssl_conf_export_keys_ext_cb, mbedtls_ssl_set_export_keys_cb or mbedtls_ssl_export_keying_material must be available in mbed TLS
#endif /* HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB */
+
bool
key_state_export_keying_material(struct tls_session *session,
const char *label, size_t label_size,
@@ -1244,7 +1246,7 @@
mbedtls_ssl_conf_max_tls_version(ks_ssl->ssl_config, version);
}
-#if HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB && !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT)
+#if defined(HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB) && !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT)
/* Initialize keying material exporter, old style. */
mbedtls_ssl_conf_export_keys_ext_cb(ks_ssl->ssl_config,
mbedtls_ssl_export_keys_cb, session);
@@ -1259,7 +1261,7 @@
* verification. */
ASSERT(mbed_ok(mbedtls_ssl_set_hostname(ks_ssl->ctx, NULL)));
-#if HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB && !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT)
+#if defined(HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB) && !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT)
/* Initialize keying material exporter, new style. */
mbedtls_ssl_set_export_keys_cb(ks_ssl->ctx, mbedtls_ssl_export_keys_cb, session);
#endif
--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1081?usp=email
To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I0f325800ebeb20bd5ef3ff78e5c5fcf0f6f74efd
Gerrit-Change-Number: 1081
Gerrit-PatchSet: 9
Gerrit-Owner: plaisthos <arn...@rf...>
Gerrit-Reviewer: cron2 <ge...@gr...>
Gerrit-Reviewer: flichtenheld <fr...@li...>
Gerrit-CC: openvpn-devel <ope...@li...>
Gerrit-Attention: plaisthos <arn...@rf...>
Gerrit-Attention: cron2 <ge...@gr...>
Gerrit-MessageType: newpatchset
|
|
From: cron2 (C. Review) <ge...@op...> - 2025-07-15 11:23:05
|
cron2 has uploaded a new patch set (#4) to the change originally created by d12fk. ( http://gerrit.openvpn.net/c/openvpn/+/1074?usp=email ) The following approvals got outdated and were removed: Code-Review+2 by flichtenheld Change subject: move macOS dns-updown common code into functions ...................................................................... move macOS dns-updown common code into functions Change-Id: Id6f70237c7205063b001528a40391678b0d093ac Signed-off-by: Heiko Hund <he...@is...> Acked-by: Frank Lichtenheld <fr...@li...> Message-Id: <202...@li...> URL: https://www.mail-archive.com/ope...@li.../msg32105.html Signed-off-by: Gert Doering <ge...@gr...> --- M distro/dns-scripts/macos-dns-updown.sh 1 file changed, 40 insertions(+), 45 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/74/1074/4 diff --git a/distro/dns-scripts/macos-dns-updown.sh b/distro/dns-scripts/macos-dns-updown.sh index f0640ee..56f1009 100644 --- a/distro/dns-scripts/macos-dns-updown.sh +++ b/distro/dns-scripts/macos-dns-updown.sh @@ -104,7 +104,7 @@ n=$((n+1)) done - return $n + echo $n } function get_search_domains { @@ -157,41 +157,23 @@ echo -e "${cmds}" | /usr/sbin/scutil } -function set_dns { - find_compat_profile - local n=$? - +function addresses_string { + local n=$1 local i=1 - local addrs="" + local addresses="" while :; do local addr_var=dns_server_${n}_address_${i} local addr="${!addr_var}" [ -n "$addr" ] || break - - local port_var=dns_server_${n}_port_${i} - if [ -n "${!port_var}" ]; then - if [[ "$addr" =~ : ]]; then - addr="[$addr]" - fi - addrs+="${addr}:${!port_var}${sni} " - else - addrs+="${addr}${sni} " - fi + addresses+="${addr} " i=$((i+1)) done + echo "$addresses" +} - i=1 - local match_domains="" - while :; do - domain_var=dns_server_${n}_resolve_domain_${i} - [ -n "${!domain_var}" ] || break - # Add as match domain, if it doesn't already exist - [[ "$match_domains" =~ (^| )${!domain_var}( |$) ]] \ - || match_domains+="${!domain_var} " - i=$((i+1)) - done - - i=1 +function search_domains_string { + local n=$1 + local i=1 local search_domains="" while :; do domain_var=dns_search_domain_${i} @@ -201,11 +183,34 @@ || search_domains+="${!domain_var} " i=$((i+1)) done + echo "$search_domains" +} + +function match_domains_string { + local n=$1 + local i=1 + local match_domains="" + while :; do + domain_var=dns_server_${n}_resolve_domain_${i} + [ -n "${!domain_var}" ] || break + # Add as match domain, if it doesn't already exist + [[ "$match_domains" =~ (^| )${!domain_var}( |$) ]] \ + || match_domains+="${!domain_var} " + i=$((i+1)) + done + echo "$match_domains" +} + +function set_dns { + local n="$(find_compat_profile)" + local addresses="$(addresses_string $n)" + local search_domains="$(search_domains_string $n)" + local match_domains="$(match_domains_string $n)" if [ -n "$match_domains" ]; then local cmds="" cmds+="d.init\n" - cmds+="d.add ServerAddresses * ${addrs}\n" + cmds+="d.add ServerAddresses * ${addresses}\n" cmds+="d.add SupplementalMatchDomains * ${match_domains}\n" cmds+="d.add SupplementalMatchDomainsNoSearch # 1\n" cmds+="add ${itf_dns_key}\n" @@ -222,7 +227,7 @@ cmds+="get $(primary_dns_key)\n" cmds+="set ${dns_backup_key}\n" cmds+="d.init\n" - cmds+="d.add ServerAddresses * ${addrs}\n" + cmds+="d.add ServerAddresses * ${addresses}\n" cmds+="d.add SearchDomains * ${search_domains}\n" cmds+="d.add SearchOrder # 5000\n" cmds+="set $(primary_dns_key)\n" @@ -233,22 +238,12 @@ } function unset_dns { - find_compat_profile - local n=$? + local n="$(find_compat_profile)" + local addresses="$(addresses_string $n)" + local search_domains="$(search_domains_string $n)" + local match_domains="$(match_domains_string $n)" - local i=1 - local search_domains="" - while :; do - domain_var=dns_search_domain_${i} - [ -n "${!domain_var}" ] || break - # Add as search domain, if it doesn't already exist - [[ "$search_domains" =~ (^| )${!domain_var}( |$) ]] \ - || search_domains+="${!domain_var} " - i=$((i+1)) - done - - domain_var=dns_server_${n}_resolve_domain_1 - if [ -n "${!domain_var}" ]; then + if [ -n "$match_domains" ]; then echo "remove ${itf_dns_key}" | /usr/sbin/scutil unset_search_domains "$search_domains" else -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1074?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Id6f70237c7205063b001528a40391678b0d093ac Gerrit-Change-Number: 1074 Gerrit-PatchSet: 4 Gerrit-Owner: d12fk <he...@op...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-MessageType: newpatchset |
|
From: cron2 (C. Review) <ge...@op...> - 2025-07-15 11:23:02
|
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/1074?usp=email ) Change subject: move macOS dns-updown common code into functions ...................................................................... move macOS dns-updown common code into functions Change-Id: Id6f70237c7205063b001528a40391678b0d093ac Signed-off-by: Heiko Hund <he...@is...> Acked-by: Frank Lichtenheld <fr...@li...> Message-Id: <202...@li...> URL: https://www.mail-archive.com/ope...@li.../msg32105.html Signed-off-by: Gert Doering <ge...@gr...> --- M distro/dns-scripts/macos-dns-updown.sh 1 file changed, 40 insertions(+), 45 deletions(-) diff --git a/distro/dns-scripts/macos-dns-updown.sh b/distro/dns-scripts/macos-dns-updown.sh index f0640ee..56f1009 100644 --- a/distro/dns-scripts/macos-dns-updown.sh +++ b/distro/dns-scripts/macos-dns-updown.sh @@ -104,7 +104,7 @@ n=$((n+1)) done - return $n + echo $n } function get_search_domains { @@ -157,41 +157,23 @@ echo -e "${cmds}" | /usr/sbin/scutil } -function set_dns { - find_compat_profile - local n=$? - +function addresses_string { + local n=$1 local i=1 - local addrs="" + local addresses="" while :; do local addr_var=dns_server_${n}_address_${i} local addr="${!addr_var}" [ -n "$addr" ] || break - - local port_var=dns_server_${n}_port_${i} - if [ -n "${!port_var}" ]; then - if [[ "$addr" =~ : ]]; then - addr="[$addr]" - fi - addrs+="${addr}:${!port_var}${sni} " - else - addrs+="${addr}${sni} " - fi + addresses+="${addr} " i=$((i+1)) done + echo "$addresses" +} - i=1 - local match_domains="" - while :; do - domain_var=dns_server_${n}_resolve_domain_${i} - [ -n "${!domain_var}" ] || break - # Add as match domain, if it doesn't already exist - [[ "$match_domains" =~ (^| )${!domain_var}( |$) ]] \ - || match_domains+="${!domain_var} " - i=$((i+1)) - done - - i=1 +function search_domains_string { + local n=$1 + local i=1 local search_domains="" while :; do domain_var=dns_search_domain_${i} @@ -201,11 +183,34 @@ || search_domains+="${!domain_var} " i=$((i+1)) done + echo "$search_domains" +} + +function match_domains_string { + local n=$1 + local i=1 + local match_domains="" + while :; do + domain_var=dns_server_${n}_resolve_domain_${i} + [ -n "${!domain_var}" ] || break + # Add as match domain, if it doesn't already exist + [[ "$match_domains" =~ (^| )${!domain_var}( |$) ]] \ + || match_domains+="${!domain_var} " + i=$((i+1)) + done + echo "$match_domains" +} + +function set_dns { + local n="$(find_compat_profile)" + local addresses="$(addresses_string $n)" + local search_domains="$(search_domains_string $n)" + local match_domains="$(match_domains_string $n)" if [ -n "$match_domains" ]; then local cmds="" cmds+="d.init\n" - cmds+="d.add ServerAddresses * ${addrs}\n" + cmds+="d.add ServerAddresses * ${addresses}\n" cmds+="d.add SupplementalMatchDomains * ${match_domains}\n" cmds+="d.add SupplementalMatchDomainsNoSearch # 1\n" cmds+="add ${itf_dns_key}\n" @@ -222,7 +227,7 @@ cmds+="get $(primary_dns_key)\n" cmds+="set ${dns_backup_key}\n" cmds+="d.init\n" - cmds+="d.add ServerAddresses * ${addrs}\n" + cmds+="d.add ServerAddresses * ${addresses}\n" cmds+="d.add SearchDomains * ${search_domains}\n" cmds+="d.add SearchOrder # 5000\n" cmds+="set $(primary_dns_key)\n" @@ -233,22 +238,12 @@ } function unset_dns { - find_compat_profile - local n=$? + local n="$(find_compat_profile)" + local addresses="$(addresses_string $n)" + local search_domains="$(search_domains_string $n)" + local match_domains="$(match_domains_string $n)" - local i=1 - local search_domains="" - while :; do - domain_var=dns_search_domain_${i} - [ -n "${!domain_var}" ] || break - # Add as search domain, if it doesn't already exist - [[ "$search_domains" =~ (^| )${!domain_var}( |$) ]] \ - || search_domains+="${!domain_var} " - i=$((i+1)) - done - - domain_var=dns_server_${n}_resolve_domain_1 - if [ -n "${!domain_var}" ]; then + if [ -n "$match_domains" ]; then echo "remove ${itf_dns_key}" | /usr/sbin/scutil unset_search_domains "$search_domains" else -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1074?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Id6f70237c7205063b001528a40391678b0d093ac Gerrit-Change-Number: 1074 Gerrit-PatchSet: 4 Gerrit-Owner: d12fk <he...@op...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-MessageType: merged |
|
From: Gert D. <ge...@gr...> - 2025-07-15 11:22:48
|
Looks reasonable, and Arne & Heiko confirm that it works. So I've not
done any testing, just skimmed over the change to see what it touches.
Your patch has been applied to the master branch.
commit 022cd3e7fe19e013709ecd3104aaf93b6e6abe89
Author: Heiko Hund
Date: Fri Jul 11 12:08:53 2025 +0200
move macOS dns-updown common code into functions
Signed-off-by: Heiko Hund <he...@is...>
Acked-by: Frank Lichtenheld <fr...@li...>
Message-Id: <202...@li...>
URL: https://www.mail-archive.com/ope...@li.../msg32105.html
Signed-off-by: Gert Doering <ge...@gr...>
--
kind regards,
Gert Doering
|
153 messages has been excluded from this view by a project administrator.
