From: cron2 (C. Review) <ge...@op...> - 2025-07-14 09:22:17
cron2 has uploaded a new patch set (#2) to the change originally created by flichtenheld. ( http://gerrit.openvpn.net/c/openvpn/+/1082?usp=email ) The following approvals got outdated and were removed: Code-Review+2 by plaisthos Change subject: Fix compiler warning in reliable.c with --disable-debug ...................................................................... Fix compiler warning in reliable.c with --disable-debug Use the easy way out. Using pre-compiler to completely avoid n_active seems like overkill. Change-Id: Icad1a52d14311a6f06bda081cab2f4bded8d47ed Signed-off-by: Frank Lichtenheld <fr...@li...> Acked-by: Arne Schwabe <arn...@rf...> Message-Id: <202...@li...> URL: https://www.mail-archive.com/ope...@li.../msg32107.html Signed-off-by: Gert Doering <ge...@gr...> --- M src/openvpn/reliable.c 1 file changed, 1 insertion(+), 0 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/82/1082/2 diff --git a/src/openvpn/reliable.c b/src/openvpn/reliable.c index 6aef112..424d194 100644 --- a/src/openvpn/reliable.c +++ b/src/openvpn/reliable.c @@ -648,6 +648,7 @@ } } } + (void)n_active; /* dmsg might not generate code */ dmsg(D_REL_DEBUG, "ACK reliable_can_send active=%d current=%d : %s", n_active, n_current, -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1082?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Icad1a52d14311a6f06bda081cab2f4bded8d47ed Gerrit-Change-Number: 1082 Gerrit-PatchSet: 2 Gerrit-Owner: flichtenheld <fr...@li...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-MessageType: newpatchset |
From: cron2 (C. Review) <ge...@op...> - 2025-07-14 09:22:13
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/1082?usp=email ) Change subject: Fix compiler warning in reliable.c with --disable-debug ...................................................................... Fix compiler warning in reliable.c with --disable-debug Use the easy way out. Using pre-compiler to completely avoid n_active seems like overkill. Change-Id: Icad1a52d14311a6f06bda081cab2f4bded8d47ed Signed-off-by: Frank Lichtenheld <fr...@li...> Acked-by: Arne Schwabe <arn...@rf...> Message-Id: <202...@li...> URL: https://www.mail-archive.com/ope...@li.../msg32107.html Signed-off-by: Gert Doering <ge...@gr...> --- M src/openvpn/reliable.c 1 file changed, 1 insertion(+), 0 deletions(-) diff --git a/src/openvpn/reliable.c b/src/openvpn/reliable.c index 6aef112..424d194 100644 --- a/src/openvpn/reliable.c +++ b/src/openvpn/reliable.c @@ -648,6 +648,7 @@ } } } + (void)n_active; /* dmsg might not generate code */ dmsg(D_REL_DEBUG, "ACK reliable_can_send active=%d current=%d : %s", n_active, n_current, -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1082?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Icad1a52d14311a6f06bda081cab2f4bded8d47ed Gerrit-Change-Number: 1082 Gerrit-PatchSet: 2 Gerrit-Owner: flichtenheld <fr...@li...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-MessageType: merged |
From: Gert D. <ge...@gr...> - 2025-07-14 09:22:02
Interesting trick :-) Looking forward to see the first patch come in to remove this "totally useless line" again. But that's what "git blame" is for... Since the buildbots are happy and this line explicitly does nothing I have not tested this further. Your patch has been applied to the master branch. commit fcd8f0f9fccdba02ed643dee5df7422ba36ced12 Author: Frank Lichtenheld Date: Fri Jul 11 12:04:05 2025 +0200 Fix compiler warning in reliable.c with --disable-debug Signed-off-by: Frank Lichtenheld <fr...@li...> Acked-by: Arne Schwabe <arn...@rf...> Message-Id: <202...@li...> URL: https://www.mail-archive.com/ope...@li.../msg32107.html Signed-off-by: Gert Doering <ge...@gr...> -- kind regards, Gert Doering |
From: cron2 (C. Review) <ge...@op...> - 2025-07-14 09:14:58
Attention is currently required from: flichtenheld, plaisthos. cron2 has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/1083?usp=email ) Change subject: reliable: Review and fix gc_arena usage ...................................................................... Patch Set 3: Code-Review+1 (1 comment) Patchset: PS3: This looks generally good to me - move `int i` declarations inside `for (int i;...)` loops, move `gc_arena` declarations into the error case, thus avoiding malloc/free calls in the fast path. The OpenBSD test fails were due to local problems (stuck openvpn process, so t_client failed the "must not ping before OpenVPN is up" check). I would prefer a second pair of eyes on this, though... thus only +1 -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1083?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I8cefa9a406fe90bb3cbe481304782c639691a3a0 Gerrit-Change-Number: 1083 Gerrit-PatchSet: 3 Gerrit-Owner: flichtenheld <fr...@li...> Gerrit-Reviewer: cron2 <ge...@gr...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Attention: flichtenheld <fr...@li...> Gerrit-Comment-Date: Mon, 14 Jul 2025 09:14:44 +0000 Gerrit-HasComments: Yes Gerrit-Has-Labels: Yes Gerrit-MessageType: comment |
From: Frank L. <fr...@li...> - 2025-07-11 15:23:26
From: Heiko Hund <he...@is...> In case anything changed the global DNS server addresses, while the tunnel was connected, do not restore the backup of the global DNS configuration we made when connecting. Doing so would likely change DNS to something unexpected. Instead just clear the backup and leave a message in the log. Change-Id: I1aabd62e60dd18408a57baccbb0f4ebd6d2f8d67 Signed-off-by: Heiko Hund <he...@is...> Acked-by: Frank Lichtenheld <fr...@li...> --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1075 This mail reflects revision 4 of this Change. Acked-by according to Gerrit (reflected above): Frank Lichtenheld <fr...@li...> diff --git a/distro/dns-scripts/macos-dns-updown.sh b/distro/dns-scripts/macos-dns-updown.sh index 56f1009..73bbee9 100644 --- a/distro/dns-scripts/macos-dns-updown.sh +++ b/distro/dns-scripts/macos-dns-updown.sh @@ -111,6 +111,10 @@ property_value State:/Network/Global/DNS SearchDomains } +function get_server_addresses { + property_value "$(primary_dns_key)" ServerAddresses +} + function set_search_domains { [ -n "$1" ] || return local dns_key=$(primary_dns_key) @@ -239,11 +243,10 @@ function unset_dns { local n="$(find_compat_profile)" - local addresses="$(addresses_string $n)" - local search_domains="$(search_domains_string $n)" local match_domains="$(match_domains_string $n)" if [ -n "$match_domains" ]; then + local search_domains="$(search_domains_string $n)" echo "remove ${itf_dns_key}" | /usr/sbin/scutil unset_search_domains "$search_domains" else 
@@ -252,8 +255,15 @@ [[ "${dns_backup_key}" =~ ${dev}/ ]] || return local cmds="" - cmds+="get ${dns_backup_key}\n" - cmds+="set $(primary_dns_key)\n" + local servers="$(get_server_addresses)" + local addresses="$(addresses_string $n)" + # Only restore backup if the server addresses match + if [ "${servers}" = "${addresses}" ]; then + cmds+="get ${dns_backup_key}\n" + cmds+="set $(primary_dns_key)\n" + else + echo "not restoring global DNS configuration, server addresses have changed" + fi cmds+="remove ${dns_backup_key}\n" echo -e "${cmds}" | /usr/sbin/scutil fi |
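Review bot: In the hunk at line 252, `[ "${servers}" = "${addresses}" ]` is an exact string comparison, and `addresses_string` (introduced in change 1074 further down this thread) appends a trailing space after every entry, so the check only succeeds if `property_value "$(primary_dns_key)" ServerAddresses` renders the list in the same order and with the same whitespace. If it does not, the backup is silently never restored and the global DNS configuration stays pointed at the tunnel resolvers after every disconnect, which is the opposite of what the commit message intends. Suggest normalising both sides before comparing (word-split and re-join, or compare sorted word lists) and extending the "not restoring global DNS configuration" message to print both values, so a mismatch can be diagnosed from the OpenVPN log. The fall-through to `remove ${dns_backup_key}` in the mismatch case is correct and worth keeping: a stale backup must not survive for a later down script to apply.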
From: flichtenheld (C. Review) <ge...@op...> - 2025-07-11 15:22:46
Attention is currently required from: d12fk, plaisthos. flichtenheld has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/1075?usp=email ) Change subject: mac dns: compare servers before restoring backup ...................................................................... Patch Set 4: Code-Review+2 (1 comment) Patchset: PS4: Works in t_client and in manual tests -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1075?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I1aabd62e60dd18408a57baccbb0f4ebd6d2f8d67 Gerrit-Change-Number: 1075 Gerrit-PatchSet: 4 Gerrit-Owner: d12fk <he...@op...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Attention: d12fk <he...@op...> Gerrit-Comment-Date: Fri, 11 Jul 2025 15:22:36 +0000 Gerrit-HasComments: Yes Gerrit-Has-Labels: Yes Gerrit-MessageType: comment |
From: Frank L. <fr...@li...> - 2025-07-11 10:23:44
From: Heiko Hund <he...@is...> In case more than one openvpn connection is coming up or going down at the same time, there is potential for breakage, since the operations performed are not atomic. Introduce a locking mechanism, which let's scripts run in sequence, to prevent races between them. Change-Id: I7adfaa08df6a17545cca8264d7230b5e65e49719 Signed-off-by: Heiko Hund <he...@is...> Acked-by: Arne Schwabe <arn...@rf...> --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1076 This mail reflects revision 4 of this Change. Acked-by according to Gerrit (reflected above): Arne Schwabe <arn...@rf...> diff --git a/distro/dns-scripts/macos-dns-updown.sh b/distro/dns-scripts/macos-dns-updown.sh index 73bbee9..fb17b2b0 100644 --- a/distro/dns-scripts/macos-dns-updown.sh +++ b/distro/dns-scripts/macos-dns-updown.sh @@ -26,6 +26,23 @@ # dns_server_1_sni dns.mycorp.in # +lockdir=/var/lock +if [ ! -d "${lockdir}" ]; then + /bin/mkdir "${lockdir}" + /bin/chmod 1777 "${lockdir}" +fi + +i=1 +lockfile="${lockdir}/openvpn-dns-updown.lock" +while ! /usr/bin/shlock -f $lockfile -p $$; do + if [ $((++i)) -gt 10 ]; then + echo "dns-updown failed, could not acquire lock" + exit 1 + fi + sleep 0.2 +done +trap "/bin/rm -f ${lockfile}" EXIT + [ -z "${dns_vars_file}" ] || . "${dns_vars_file}" itf_dns_key="State:/Network/Service/openvpn-${dev}/DNS" |
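Review bot: In the hunk at line 26, the lock directory is created with mode 1777 and a script that runs privileged (it rewrites global DNS state through /usr/sbin/scutil) then takes its lock from a file inside that world-writable directory. Any local user can pre-create `openvpn-dns-updown.lock` containing the PID of a long-lived process; `shlock -p $$` will treat that lock as held, and after the ten 0.2 s retries every up/down invocation exits with "could not acquire lock", so DNS is neither configured on connect nor restored on disconnect. Nothing but this script needs the directory, so suggest creating it root-owned with 0755 (or using a root-only location) instead of 1777, and confirming that `/var/lock` is the path you want on macOS given that the script has to create it. Installing the `trap ... EXIT` only after the lock is acquired is correct, since the early `exit 1` must not remove another instance's lock file.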
From: Frank L. <fr...@li...> - 2025-07-11 10:21:42
From: Arne Schwabe <ar...@rf...> The helper methods are only used when we don't have MBEDTLS_SSL_KEYING_MATERIAL_EXPORT and mbedtls_ssl_export_keying_material. Change-Id: I0f325800ebeb20bd5ef3ff78e5c5fcf0f6f74efd Signed-off-by: Arne Schwabe <ar...@rf...> Acked-by: Frank Lichtenheld <fr...@li...> --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1081 This mail reflects revision 2 of this Change. Acked-by according to Gerrit (reflected above): Frank Lichtenheld <fr...@li...> diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c index ecccc26..569421c 100644 --- a/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c @@ -173,8 +173,9 @@ ASSERT(NULL != ctx); return ctx->initialised; } - -#if HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB +#ifdef MBEDTLS_SSL_KEYING_MATERIAL_EXPORT +/* mbedtls_ssl_export_keying_material does not need helper/callback methods */ +#elif HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB /* * Key export callback for older versions of mbed TLS, to be used with * mbedtls_ssl_conf_export_keys_ext_cb(). It is called with the master @@ -205,7 +206,7 @@ return 0; } -#elif HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB +#elif defined(HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB) /* * Key export callback for newer versions of mbed TLS, to be used with * mbedtls_ssl_set_export_keys_cb(). When used with TLS 1.2, the callback @@ -251,10 +252,11 @@ memcpy(cache->master_secret, secret, sizeof(cache->master_secret)); cache->tls_prf_type = tls_prf_type; } -#elif !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) +#elif /* ifdef MBEDTLS_SSL_KEYING_MATERIAL_EXPORT */ #error mbedtls_ssl_conf_export_keys_ext_cb, mbedtls_ssl_set_export_keys_cb or mbedtls_ssl_export_keying_material must be available in mbed TLS #endif /* HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB */ + bool key_state_export_keying_material(struct tls_session *session, const char *label, size_t label_size, |
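Review bot: In the hunk at line 252, `#elif /* ifdef MBEDTLS_SSL_KEYING_MATERIAL_EXPORT */` has no controlling expression once the comment is stripped, so in exactly the configuration this branch exists for (none of the three export mechanisms available) the preprocessor reports `#elif with no expression` instead of reaching the `#error` line with its explanatory message. Use `#else` here; the comment can stay on the same line.

Review bot: In the hunk at line 173 the first branch is tested with a bare `#elif HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB`, while the hunk at line 206 switches the second branch to `#elif defined(HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB)`. The two forms behave differently if configure ever defines a HAVE_ macro to 0, so pick one form for both. The closing `#endif /* HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB */` comment now belongs to an `#ifdef MBEDTLS_SSL_KEYING_MATERIAL_EXPORT` and should be updated to match.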
From: Frank L. <fr...@li...> - 2025-07-11 10:21:37
Use the easy way out. Using pre-compiler to completely avoid n_active seems like overkill. Change-Id: Icad1a52d14311a6f06bda081cab2f4bded8d47ed Signed-off-by: Frank Lichtenheld <fr...@li...> Acked-by: Arne Schwabe <arn...@rf...> --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1082 This mail reflects revision 1 of this Change. Acked-by according to Gerrit (reflected above): Arne Schwabe <arn...@rf...> diff --git a/src/openvpn/reliable.c b/src/openvpn/reliable.c index 6aef112..424d194 100644 --- a/src/openvpn/reliable.c +++ b/src/openvpn/reliable.c @@ -648,6 +648,7 @@ } } } + (void)n_active; /* dmsg might not generate code */ dmsg(D_REL_DEBUG, "ACK reliable_can_send active=%d current=%d : %s", n_active, n_current, |
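Review bot: In the single hunk at reliable.c line 648, the comment on `(void)n_active;` ("dmsg might not generate code") would read better if it named the build configuration that makes the variable unused, e.g. `/* n_active is only read by dmsg(), which compiles to nothing with --disable-debug */`, so the next person to see the line understands why it must stay rather than removing it as dead code. The cast itself is the right minimal fix: it silences the unused-variable warning without wrapping the counting loop in a second preprocessor branch.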
From: Frank L. <fr...@li...> - 2025-07-11 10:17:59
From: Heiko Hund <he...@is...> Change-Id: Id6f70237c7205063b001528a40391678b0d093ac Signed-off-by: Heiko Hund <he...@is...> Acked-by: Frank Lichtenheld <fr...@li...> --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1074 This mail reflects revision 3 of this Change. Acked-by according to Gerrit (reflected above): Frank Lichtenheld <fr...@li...> diff --git a/distro/dns-scripts/macos-dns-updown.sh b/distro/dns-scripts/macos-dns-updown.sh index f0640ee..56f1009 100644 --- a/distro/dns-scripts/macos-dns-updown.sh +++ b/distro/dns-scripts/macos-dns-updown.sh @@ -104,7 +104,7 @@ n=$((n+1)) done - return $n + echo $n } function get_search_domains { @@ -157,41 +157,23 @@ echo -e "${cmds}" | /usr/sbin/scutil } -function set_dns { - find_compat_profile - local n=$? - +function addresses_string { + local n=$1 local i=1 - local addrs="" + local addresses="" while :; do local addr_var=dns_server_${n}_address_${i} local addr="${!addr_var}" [ -n "$addr" ] || break - - local port_var=dns_server_${n}_port_${i} - if [ -n "${!port_var}" ]; then - if [[ "$addr" =~ : ]]; then - addr="[$addr]" - fi - addrs+="${addr}:${!port_var}${sni} " - else - addrs+="${addr}${sni} " - fi + addresses+="${addr} " i=$((i+1)) done + echo "$addresses" +} - i=1 - local match_domains="" - while :; do - domain_var=dns_server_${n}_resolve_domain_${i} - [ -n "${!domain_var}" ] || break - # Add as match domain, if it doesn't already exist - [[ "$match_domains" =~ (^| )${!domain_var}( |$) ]] \ - || match_domains+="${!domain_var} " - i=$((i+1)) - done - - i=1 +function search_domains_string { + local n=$1 + local i=1 local search_domains="" while :; do domain_var=dns_search_domain_${i} 
@@ -201,11 +183,34 @@ || search_domains+="${!domain_var} " i=$((i+1)) done + echo "$search_domains" +} + +function match_domains_string { + local n=$1 + local i=1 + local match_domains="" + while :; do + domain_var=dns_server_${n}_resolve_domain_${i} + [ -n "${!domain_var}" ] || break + # Add as match domain, if it doesn't already exist + [[ "$match_domains" =~ (^| )${!domain_var}( |$) ]] \ + || match_domains+="${!domain_var} " + i=$((i+1)) + done + echo "$match_domains" +} + +function set_dns { + local n="$(find_compat_profile)" + local addresses="$(addresses_string $n)" + local search_domains="$(search_domains_string $n)" + local match_domains="$(match_domains_string $n)" if [ -n "$match_domains" ]; then local cmds="" cmds+="d.init\n" - cmds+="d.add ServerAddresses * ${addrs}\n" + cmds+="d.add ServerAddresses * ${addresses}\n" cmds+="d.add SupplementalMatchDomains * ${match_domains}\n" cmds+="d.add SupplementalMatchDomainsNoSearch # 1\n" cmds+="add ${itf_dns_key}\n" @@ -222,7 +227,7 @@ cmds+="get $(primary_dns_key)\n" cmds+="set ${dns_backup_key}\n" cmds+="d.init\n" - cmds+="d.add ServerAddresses * ${addrs}\n" + cmds+="d.add ServerAddresses * ${addresses}\n" cmds+="d.add SearchDomains * ${search_domains}\n" cmds+="d.add SearchOrder # 5000\n" cmds+="set $(primary_dns_key)\n" 
@@ -233,22 +238,12 @@ } function unset_dns { - find_compat_profile - local n=$? + local n="$(find_compat_profile)" + local addresses="$(addresses_string $n)" + local search_domains="$(search_domains_string $n)" + local match_domains="$(match_domains_string $n)" - local i=1 - local search_domains="" - while :; do - domain_var=dns_search_domain_${i} - [ -n "${!domain_var}" ] || break - # Add as search domain, if it doesn't already exist - [[ "$search_domains" =~ (^| )${!domain_var}( |$) ]] \ - || search_domains+="${!domain_var} " - i=$((i+1)) - done - - domain_var=dns_server_${n}_resolve_domain_1 - if [ -n "${!domain_var}" ]; then + if [ -n "$match_domains" ]; then echo "remove ${itf_dns_key}" | /usr/sbin/scutil unset_search_domains "$search_domains" else |
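Review bot: In the hunk at line 157, the new `addresses_string` emits only `${addr} ` per server, whereas the removed `set_dns` loop also appended `:${!port_var}` (bracketing IPv6 addresses first) and `${sni}`. The commit message is empty, so it is not clear whether dropping port and SNI from the ServerAddresses value is intentional or a regression; please state which in the commit message, and if intentional, why scutil no longer receives them. In the same hunk, `search_domains_string` takes `local n=$1` but never uses `n` (it iterates `dns_search_domain_${i}`), so either drop the parameter or stop passing `$n` from `set_dns` and `unset_dns`.

Review bot: In the hunk at line 104, switching `find_compat_profile` from `return $n` to `echo $n` is the right fix (an exit status is limited to 0..255 and the `$?` capture was fragile), but anything else the function prints now corrupts `n`; worth a quick check that nothing in its body writes to stdout.

Review bot: In the hunk at line 233, `unset_dns` computes `addresses` but never uses it; change 1075 earlier in this thread moves it into the branch that needs it, so consider dropping it here to avoid the intermediate dead assignment.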
From: flichtenheld (C. Review) <ge...@op...> - 2025-07-11 10:09:55
Attention is currently required from: plaisthos. flichtenheld has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/1083?usp=email ) Change subject: reliable: Review and fix gc_arena usage ...................................................................... Patch Set 3: This change is ready for review. -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1083?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I8cefa9a406fe90bb3cbe481304782c639691a3a0 Gerrit-Change-Number: 1083 Gerrit-PatchSet: 3 Gerrit-Owner: flichtenheld <fr...@li...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Comment-Date: Fri, 11 Jul 2025 10:09:41 +0000 Gerrit-HasComments: No Gerrit-Has-Labels: No Gerrit-MessageType: comment |
From: mrbff (C. Review) <ge...@op...> - 2025-07-11 06:10:49
Attention is currently required from: cron2, flichtenheld, plaisthos, stipa. mrbff has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/869?usp=email ) Change subject: PUSH_UPDATE message sender: enabling the server to send PUSH_UPDATE control messages ...................................................................... Patch Set 11: (2 comments) Patchset: PS7: > I did some testing and indeed I was able to send PUSH_UPDATE messages to the client. […] Now it should work, although it might need a patch to improve it. Patchset: PS10: > Fails build with --disable-management Done -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/869?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Ie82bcc7a8e583de9156b185d71d1a323ed8df3fc Gerrit-Change-Number: 869 Gerrit-PatchSet: 11 Gerrit-Owner: mrbff <ma...@ma...> Gerrit-Reviewer: cron2 <ge...@gr...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-Reviewer: stipa <lst...@gm...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Attention: cron2 <ge...@gr...> Gerrit-Attention: flichtenheld <fr...@li...> Gerrit-Attention: stipa <lst...@gm...> Gerrit-Comment-Date: Fri, 11 Jul 2025 06:10:34 +0000 Gerrit-HasComments: Yes Gerrit-Has-Labels: No Comment-In-Reply-To: flichtenheld <fr...@li...> Comment-In-Reply-To: stipa <lst...@gm...> Gerrit-MessageType: comment |
From: mrbff (C. Review) <ge...@op...> - 2025-07-10 13:28:40
Attention is currently required from: cron2, flichtenheld, mrbff, plaisthos, stipa. Hello cron2, flichtenheld, plaisthos, stipa, I'd like you to reexamine a change. Please visit http://gerrit.openvpn.net/c/openvpn/+/869?usp=email to look at the new patch set (#11). The following approvals got outdated and were removed: Code-Review-1 by flichtenheld Change subject: PUSH_UPDATE message sender: enabling the server to send PUSH_UPDATE control messages ...................................................................... PUSH_UPDATE message sender: enabling the server to send PUSH_UPDATE control messages Using the management interface you can now target one or more clients (via broadcast, via cid, via common name, via address) and send a PUSH_UPDATE control message to update some options. Change-Id: Ie82bcc7a8e583de9156b185d71d1a323ed8df3fc Signed-off-by: Marco Baffo <ma...@ma...> --- M CMakeLists.txt M doc/management-notes.txt M src/openvpn/manage.c M src/openvpn/manage.h M src/openvpn/multi.c M src/openvpn/multi.h M src/openvpn/push.h M src/openvpn/push_util.c M tests/unit_tests/openvpn/Makefile.am M tests/unit_tests/openvpn/test_push_update_msg.c 10 files changed, 893 insertions(+), 6 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/69/869/11 diff --git a/CMakeLists.txt b/CMakeLists.txt index 54cf503..1381e03 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -861,6 +861,7 @@ src/openvpn/push_util.c src/openvpn/options_util.c src/openvpn/otime.c + src/openvpn/list.c ) if (TARGET test_argv) diff --git a/doc/management-notes.txt b/doc/management-notes.txt index f1d2930..58393da 100644 --- a/doc/management-notes.txt +++ b/doc/management-notes.txt 
@@ -1028,6 +1028,51 @@ stored outside of the filesystem (e.g. in Mac OS X Keychain) with OpenVPN via the management interface. +COMMAND -- push-update-broad (OpenVPN 2.7 or higher) +---------------------------------------------------- +Send a message to every connected client to update options at runtime. +The updatable options are: "block-ipv6", "block-outside-dns", "dhcp-option", +"dns", "ifconfig", "ifconfig-ipv6", "redirect-gateway", "redirect-private", +"route", "route-gateway", "route-ipv6", "route-metric", "topology", +"tun-mtu", "keepalive". When a valid option is pushed, the receiving client will +delete every previous value and set new value, so the update of the option will +not be incremental even when theoretically possible (ex. with "redirect-gateway"). +The '-' symbol in front of an option means the option should be removed. +When an option is used with '-', it cannot take any parameter. +The '?' symbol in front of an option means the option's update is optional +so if the client do not support it, that option will just be ignored without +making fail the entire command. The '-' and '?' symbols can be used together. + +Option Format Ex. + `-?option`, `-option`, `?option parameters` are valid formats, + `?-option` is not a valid format. + +Example + push-update-broad "route 10.10.10.1 255.255.255.255, -dns, ?tun-mtu 1400" + +COMMAND -- push-update-cid (OpenVPN 2.7 or higher) +---------------------------------------------------- +Same as push-update-broad but you must target a single client using client id. + +Example + push-update-cid 42 "route 10.10.10.1 255.255.255.255, -dns, ?tun-mtu 1400" + +COMMAND -- push-update-cn (OpenVPN 2.7 or higher) +---------------------------------------------------- +Same as push-update-broad but target the clients based on the provided common name +(usually just one client per common name is permitted except if "duplicate-cn" option is used). 
+ +Example + push-update-cid Client0 "route 10.10.10.1 255.255.255.255, -dns, ?tun-mtu 1400" + +COMMAND -- push-update-addr (OpenVPN 2.7 or higher) +---------------------------------------------------- +Same as push-update-broad but target only the client(s) connecting from the +provided address (real address). Support both IPv4 and IPv6. + +Example + push-update-addr 9.9.9.9 1234 "route 10.10.10.1 255.255.255.255, -dns, ?tun-mtu 1400" + OUTPUT FORMAT ------------- diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c index 8836e79..251b076 100644 --- a/src/openvpn/manage.c +++ b/src/openvpn/manage.c @@ -24,7 +24,6 @@ #ifdef HAVE_CONFIG_H #include "config.h" #endif - #include "syshead.h" #ifdef ENABLE_MANAGEMENT @@ -42,6 +41,7 @@ #include "manage.h" #include "openvpn.h" #include "dco.h" +#include "push.h" #include "memdbg.h" @@ -124,6 +124,11 @@ msg(M_CLIENT, "username type u : Enter username u for a queried OpenVPN username."); msg(M_CLIENT, "verb [n] : Set log verbosity level to n, or show if n is absent."); msg(M_CLIENT, "version [n] : Set client's version to n or show current version of daemon."); + msg(M_CLIENT, "push-update-broad options : Broadcast a message to update the specified options."); + msg(M_CLIENT, " Ex. push-update-broad \"route something, -dns\""); + msg(M_CLIENT, "push-update-cid CID options : Send an update message to the client identified by CID."); + msg(M_CLIENT, "push-update-cn CN options : Send an update message to the client(s) with the specified Common Name."); + msg(M_CLIENT, "push-update-addr ip port options : Send an update message to the client(s) connecting from the provided address."); msg(M_CLIENT, "END"); } 
@@ -1335,6 +1340,154 @@ } static void +man_push_update(struct management *man, const char **p, const push_update_type type) +{ + if (type == UPT_BROADCAST) + { + if (!man->persist.callback.push_update_broadcast) + { + man_command_unsupported("push-update-broad"); + return; + } + + const bool status = (*man->persist.callback.push_update_broadcast)(man->persist.callback.arg, p[1]); + + if (status) + { + msg(M_CLIENT, "SUCCESS: push-update-broad command succeeded"); + } + else + { + msg(M_CLIENT, "ERROR: push-update-broad command failed"); + } + } + else if (type == UPT_BY_CID) + { + if (!man->persist.callback.push_update_by_cid) + { + man_command_unsupported("push-update-cid"); + return; + } + + unsigned long cid = 0; + + if (!parse_cid(p[1], &cid)) + { + msg(M_CLIENT, "ERROR: push-update-cid fail during cid parsing"); + return; + } + + const bool status = (*man->persist.callback.push_update_by_cid)(man->persist.callback.arg, cid, p[2]); + + if (status) + { + msg(M_CLIENT, "SUCCESS: push-update-cid command succeeded"); + } + else + { + msg(M_CLIENT, "ERROR: push-update-cid command failed"); + } + } + else if (type == UPT_BY_CN) + { + if (!man->persist.callback.push_update_by_cn) + { + man_command_unsupported("push-update-cn"); + return; + } + + const bool status = (*man->persist.callback.push_update_by_cn)(man->persist.callback.arg, p[1], p[2]); + + if (status) + { + msg(M_CLIENT, "SUCCESS: push-update-cn command succeeded"); + } + else + { + msg(M_CLIENT, "ERROR: push-update-cn command failed"); + } + } + else if (type == UPT_BY_ADDR) + { + if (!man->persist.callback.push_update_by_addr) + { + man_command_unsupported("push-update-addr"); + return; + } + + const char *ip_str = p[1]; + const char *port_str = p[2]; + const char *options = p[3]; + + if (!strlen(ip_str) || !strlen(port_str)) + { + msg(M_CLIENT, "ERROR: push-update-addr parse"); + return; + } + + struct addrinfo *res = NULL; + int port = atoi(port_str); + + if (port < 1 || port > 65535) + { + 
msg(M_CLIENT, "ERROR: port number is out of range: %s", port_str); + return; + } + + int status = openvpn_getaddrinfo(GETADDR_MSG_VIRT_OUT, ip_str, port_str, 0, NULL, AF_UNSPEC, &res); + + if (status != 0 || !res) + { + msg(M_CLIENT, "ERROR: error resolving address: %s (%s)", ip_str, gai_strerror(status)); + return; + } + + struct addrinfo *rp; + bool found_client = false; + + /* Iterate through resolved addresses */ + for (rp = res; rp != NULL; rp = rp->ai_next) + { + struct openvpn_sockaddr saddr; + struct mroute_addr maddr; + + CLEAR(saddr); + switch (rp->ai_family) + { + case AF_INET: + saddr.addr.in4 = *((struct sockaddr_in *)rp->ai_addr); + break; + + case AF_INET6: + saddr.addr.in6 = *((struct sockaddr_in6 *)rp->ai_addr); + break; + + default: + continue; + } + + if (!mroute_extract_openvpn_sockaddr(&maddr, &saddr, true)) + { + continue; + } + + if ((*man->persist.callback.push_update_by_addr)(man->persist.callback.arg, &maddr, options)) + { + msg(M_CLIENT, "SUCCESS: push-update sent to %s:%d", ip_str, port); + found_client = true; + break; + } + } + + if (!found_client) + { + msg(M_CLIENT, "ERROR: no client found at address %s:%d", ip_str, port); + } + freeaddrinfo(res); + } +} + +static void man_dispatch_command(struct management *man, struct status_output *so, const char **p, const int nparms) { struct gc_arena gc = gc_new(); @@ -1656,6 +1809,34 @@ man_remote(man, p); } } + else if (streq(p[0], "push-update-broad")) + { + if (man_need(man, p, 1, 0)) + { + man_push_update(man, p, UPT_BROADCAST); + } + } + else if (streq(p[0], "push-update-cid")) + { + if (man_need(man, p, 2, 0)) + { + man_push_update(man, p, UPT_BY_CID); + } + } + else if (streq(p[0], "push-update-cn")) + { + if (man_need(man, p, 2, 0)) + { + man_push_update(man, p, UPT_BY_CN); + } + } + else if (streq(p[0], "push-update-addr")) + { + if (man_need(man, p, 3, 0)) + { + man_push_update(man, p, UPT_BY_ADDR); + } + } #if 1 else if (streq(p[0], "test")) { 
diff --git a/src/openvpn/manage.h b/src/openvpn/manage.h index eb19a4e..fd7cb11 100644 --- a/src/openvpn/manage.h +++ b/src/openvpn/manage.h @@ -44,7 +44,6 @@ #define MF_EXTERNAL_KEY_PSSPAD (1<<16) #define MF_EXTERNAL_KEY_DIGEST (1<<17) - #ifdef ENABLE_MANAGEMENT #include "misc.h" @@ -205,6 +204,10 @@ #endif unsigned int (*remote_entry_count)(void *arg); bool (*remote_entry_get)(void *arg, unsigned int index, char **remote); + bool (*push_update_broadcast)(void *arg, const char *options); + bool (*push_update_by_cid)(void *arg, unsigned long cid, const char *options); + bool (*push_update_by_cn)(void *arg, const char *cn, const char *options); + bool (*push_update_by_addr)(void *arg, const struct mroute_addr *maddr, const char *options); }; /* diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index 7f0d890..985af17 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -4072,7 +4072,7 @@ } } -static struct multi_instance * +struct multi_instance * lookup_by_cid(struct multi_context *m, const unsigned long cid) { if (m) @@ -4220,6 +4220,10 @@ cb.client_auth = management_client_auth; cb.client_pending_auth = management_client_pending_auth; cb.get_peer_info = management_get_peer_info; + cb.push_update_broadcast = management_callback_send_push_update_broadcast; + cb.push_update_by_cid = management_callback_send_push_update_by_cid; + cb.push_update_by_cn = management_callback_send_push_update_by_cn; + cb.push_update_by_addr = management_callback_send_push_update_by_addr; management_set_callback(management, &cb); } #endif /* ifdef ENABLE_MANAGEMENT */ 
@@ -4344,3 +4348,47 @@ close_instance(top); } + +/** + * Update the vhash with new IP/IPv6 addresses in the multi_context when a + * push-update message containing ifconfig/ifconfig-ipv6 options is sent + * from the server. This function should be called after a push-update + * and old_ip/old_ipv6 are the previous addresses of the client in + * ctx->options.ifconfig_local and ctx->options.ifconfig_ipv6_local. + */ +void +update_vhash(struct multi_context *m, struct multi_instance *mi, const char *old_ip, const char *old_ipv6) +{ + struct in_addr addr; + struct in6_addr new_ipv6; + + if ((mi->context.options.ifconfig_local && (!old_ip || strcmp(old_ip, mi->context.options.ifconfig_local))) + && inet_pton(AF_INET, mi->context.options.ifconfig_local, &addr) == 1) + { + in_addr_t new_ip = ntohl(addr.s_addr); + + /* Add new, remove old if exist */ + multi_learn_in_addr_t(m, mi, new_ip, 0, true); + } + + /* TO DO: + * else if (old_ip && !mi->context.options.ifconfig_local) + * { + * // remove old ip + * } + */ + + if ((mi->context.options.ifconfig_ipv6_local && (!old_ipv6 || strcmp(old_ipv6, mi->context.options.ifconfig_ipv6_local))) + && inet_pton(AF_INET6, mi->context.options.ifconfig_ipv6_local, &new_ipv6) == 1) + { + /* Add new, remove old if exist */ + multi_learn_in6_addr(m, mi, new_ipv6, 0, true); + } + + /* TO DO: + * else if (old_ipv6 && !mi->context.options.ifconfig_ipv6_local) + * { + * // remove old IPv6 + * } + */ +} diff --git a/src/openvpn/multi.h b/src/openvpn/multi.h index 40f7519..4841075 100644 --- a/src/openvpn/multi.h +++ b/src/openvpn/multi.h @@ -710,5 +710,13 @@ */ void multi_assign_peer_id(struct multi_context *m, struct multi_instance *mi); +#ifdef ENABLE_MANAGEMENT +struct multi_instance * +lookup_by_cid(struct multi_context *m, const unsigned long cid); + +#endif + +void +update_vhash(struct multi_context *m, struct multi_instance *mi, const char *old_ip, const char *old_ipv6); #endif /* MULTI_H */ 
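Review bot: update_vhash leaves a stale vhash entry when an update withdraws an address, and the two `TO DO` blocks document exactly that gap: if a push-update removes ifconfig or ifconfig-ipv6, the old entry still maps the virtual address to this instance, so packets for an address the client no longer holds keep being routed to it, and a client later assigned the same address collides with the leftover entry. Either implement the removal before this merges (the comment `Add new, remove old if exist` only holds on the learn path) or reject updates that clear ifconfig/ifconfig-ipv6 until it exists. It would also be worth checking whether the new address is already owned by another instance before calling multi_learn_in_addr_t/multi_learn_in6_addr, since an operator typo in a management push-update would otherwise hand one client's address to another. On the `lookup_by_cid` export: the prototype in multi.h is under `#ifdef ENABLE_MANAGEMENT`, so the definition in multi.c must sit inside the same guard for the `--disable-management` build that failed on PS10 to pass; please confirm it does.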
diff --git a/src/openvpn/push.h b/src/openvpn/push.h index 18dfcd8..e67c3ac 100644 --- a/src/openvpn/push.h +++ b/src/openvpn/push.h @@ -42,6 +42,16 @@ #define PUSH_OPT_TO_REMOVE (1<<0) #define PUSH_OPT_OPTIONAL (1<<1) +/* Push-update message sender modes */ +typedef enum { + UPT_BROADCAST = 0, + UPT_BY_ADDR = 1, + UPT_BY_CN = 2, +#ifdef ENABLE_MANAGEMENT + UPT_BY_CID = 3 +#endif +} push_update_type; + int process_incoming_push_request(struct context *c); /** @@ -134,4 +144,33 @@ void receive_auth_pending(struct context *c, const struct buffer *buffer); +/** + * @brief A function to send a PUSH_UPDATE control message from server to client(s). + * + * @param m the multi_context, contains all the clients connected to this server. + * @param target the target to which to send the message. It should be: + * `NULL` if `type == UPT_BROADCAST`, + * a `mroute_addr *` if `type == UPT_BY_ADDR`, + * a `char *` if `type == UPT_BY_CN`, + * an `unsigned long *` if `type == UPT_BY_CID`. + * @param msg a string containing the options to send. + * @param type the way to address the message (broadcast, by cid, by cn, by address). + * @param push_bundle_size the maximum size of a bundle of pushed option. Just use PUSH_BUNDLE_SIZE macro. + * @return the number of clients to which the message was sent. + */ +int +send_push_update(struct multi_context *m, const void *target, const char *msg, const push_update_type type, const int push_bundle_size); + +#ifdef ENABLE_MANAGEMENT + +bool management_callback_send_push_update_broadcast(void *arg, const char *options); + +bool management_callback_send_push_update_by_cid(void *arg, unsigned long cid, const char *options); + +bool management_callback_send_push_update_by_cn(void *arg, const char *cn, const char *options); + +bool management_callback_send_push_update_by_addr(void *arg, const struct mroute_addr *maddr, const char *options); + +#endif /* ifdef ENABLE_MANAGEMENT*/ + #endif /* ifndef PUSH_H */ 
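Review bot: the send_push_update doc comment says `@return the number of clients to which the message was sent`, but the implementation also returns `-EINVAL` (bad arguments, or a message that cannot be split at a comma) and `-ENOENT` (unknown cid), and management_callback_send_push_update_by_cid depends on the latter; document the negative errno values and that UPT_BY_CID returns at most 1. `target` is a `const void *` whose real type depends on `type`, which the comment explains but the compiler cannot check; separate entry points per mode, or a small tagged struct, would remove that footgun at no cost. Also `UPT_BY_CID` only exists under ENABLE_MANAGEMENT, so any future `switch` over push_update_type needs a default case in non-management builds (the if/else chain in push_util.c is fine as written).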
diff --git a/src/openvpn/push_util.c b/src/openvpn/push_util.c index b4d1e8b..1739510 100644 --- a/src/openvpn/push_util.c +++ b/src/openvpn/push_util.c @@ -3,6 +3,8 @@ #endif #include "push.h" +#include "multi.h" +#include "ssl_verify.h" int process_incoming_push_update(struct context *c, 
@@ -42,3 +44,293 @@ return ret; } + +/** + * Return index of last `,` or `0` if it didn't find any. + * If there is a comma at index `0` it's an error anyway + */ +static int +find_first_comma_of_next_bundle(const char *str, int ix) +{ + while (ix > 0) + { + if (str[ix] == ',') + { + return ix; + } + ix--; + } + return 0; +} + +/* Allocate memory and asseble the final message */ +static char * +forge_msg(const char *src, const char *continuation, struct gc_arena *gc) +{ + int src_len = strlen(src); + int con_len = continuation ? strlen(continuation) : 0; + char *ret = gc_malloc((src_len + sizeof(push_update_cmd) + con_len + 2) * sizeof(char), true, gc); + int i = sizeof(push_update_cmd) -1; + + strcpy(ret, push_update_cmd); + ret[i++] = ','; + strcpy(&ret[i], src); + if (continuation) + { + i += src_len; + strcpy(&ret[i], continuation); + } + return ret; +} + +static char * +gc_strdup(const char *src, struct gc_arena *gc) +{ + char *ret = gc_malloc((strlen(src) + 1) * sizeof(char), true, gc); + + strcpy(ret, src); + return ret; +} + +/* It split the messagge (if necessay) and fill msgs with the message chunks. + * Return `false` on failure an `true` on success. 
+ */ +static bool +message_splitter(char *str, char **msgs, struct gc_arena *gc, const int safe_cap) +{ + if (!str || !*str) + { + return false; + } + + int i = 0; + int im = 0; + + while (*str) + { + /* + ',' - '/0' */ + if (strlen(str) > safe_cap) + { + int ci = find_first_comma_of_next_bundle(str, safe_cap); + if (!ci) + { + /* if no commas were found go to fail, do not send any message */ + return false; + } + str[ci] = '\0'; + /* copy from i to (ci -1) */ + msgs[im] = forge_msg(str, ",push-continuation 2", gc); + i = ci + 1; + } + else + { + if (im) + { + msgs[im] = forge_msg(str, ",push-continuation 1", gc); + } + else + { + msgs[im] = forge_msg(str, NULL, gc); + } + i = strlen(str); + } + str = &str[i]; + im++; + } + return true; +} + +/* It actually send the already divided messagge to one single client */ +static bool +send_single_push_update(struct context *c, char **msgs, unsigned int *option_types_found) +{ + if (!msgs[0] || !*msgs[0]) + { + return false; + } + int i = 0; + struct gc_arena gc = gc_new(); + + while (msgs[i] && *msgs[i]) + { + struct buffer buf = alloc_buf_gc(strlen(msgs[i]), &gc); + + buf_write(&buf, msgs[i], strlen(msgs[i])); + if (!send_control_channel_string(c, msgs[i], D_PUSH)) + { + return false; + } + i++; + + /* After sending the control message, we update the options server-side in the client's context */ + buf_string_compare_advance(&buf, push_update_cmd); + if (process_incoming_push_update(c, pull_permission_mask(c), option_types_found, &buf) == PUSH_MSG_ERROR) + { + msg(M_WARN, "Failed to process push update message sent to client ID: %u", + c->c2.tls_multi ? c->c2.tls_multi->peer_id : UINT32_MAX); + continue; + } + c->options.push_option_types_found |= *option_types_found; + if (!options_postprocess_pull(&c->options, c->c2.es)) + { + msg(M_WARN, "Failed to post-process push update message sent to client ID: %u", + c->c2.tls_multi ? 
c->c2.tls_multi->peer_id : UINT32_MAX); + } + } + gc_free(&gc); + return true; +} + +int +send_push_update(struct multi_context *m, const void *target, const char *msg, const push_update_type type, const int push_bundle_size) +{ + if (!msg || !*msg || !m + || (!target && type != UPT_BROADCAST)) + { + return -EINVAL; + } + + struct gc_arena gc = gc_new(); + /* extra space for possible trailing ifconfig and push-continuation */ + const int extra = 84 + sizeof(push_update_cmd); + /* push_bundle_size is the maximum size of a message, so if the message + * we want to send exceeds that size we have to split it into smaller messages */ + const int safe_cap = push_bundle_size - extra; + int msgs_num = (strlen(msg) / safe_cap) + ((strlen(msg) % safe_cap) != 0); + char **msgs = gc_malloc(sizeof(char *) * (msgs_num + 1), true, &gc); + unsigned int option_types_found = 0; + + msgs[msgs_num] = NULL; + if (!message_splitter(gc_strdup(msg, &gc), msgs, &gc, safe_cap)) + { + gc_free(&gc); + return -EINVAL; + } + +#ifdef ENABLE_MANAGEMENT + if (type == UPT_BY_CID) + { + struct multi_instance *mi = lookup_by_cid(m, *((unsigned long *)target)); + + if (!mi) + { + return -ENOENT; + } + + const char *old_ip = mi->context.options.ifconfig_local; + const char *old_ipv6 = mi->context.options.ifconfig_ipv6_local; + if (!mi->halt + && send_single_push_update(&mi->context, msgs, &option_types_found)) + { + if (option_types_found & OPT_P_UP) + { + update_vhash(m, mi, old_ip, old_ipv6); + } + gc_free(&gc); + return 1; + } + else + { + gc_free(&gc); + return 0; + } + } +#endif /* ifdef ENABLE_MANAGEMENT */ + + int count = 0; + struct hash_iterator hi; + const struct hash_element *he; + + hash_iterator_init(m->iter, &hi); + while ((he = hash_iterator_next(&hi))) + { + struct multi_instance *curr_mi = he->value; + + if (curr_mi->halt) + { + continue; + } + if (type == UPT_BY_ADDR && !mroute_addr_equal(target, &curr_mi->real)) + { + continue; + } + else if (type == UPT_BY_CN) + { + const char 
*curr_cn = tls_common_name(curr_mi->context.c2.tls_multi, false); + if (strcmp(curr_cn, target)) + { + continue; + } + } + /* Either we found a matching client or type is UPT_BROADCAST so we update every client */ + option_types_found = 0; + const char *old_ip = curr_mi->context.options.ifconfig_local; + const char *old_ipv6 = curr_mi->context.options.ifconfig_ipv6_local; + if (!send_single_push_update(&curr_mi->context, msgs, &option_types_found)) + { + msg(M_CLIENT, "ERROR: Peer ID: %u has not been updated", + curr_mi->context.c2.tls_multi ? curr_mi->context.c2.tls_multi->peer_id : UINT32_MAX); + continue; + } + if (option_types_found & OPT_P_UP) + { + update_vhash(m, curr_mi, old_ip, old_ipv6); + } + count++; + } + + hash_iterator_free(&hi); + gc_free(&gc); + return count; +} + +#ifdef ENABLE_MANAGEMENT +#define RETURN_UPDATE_STATUS(n_sent) \ + do { \ + if ((n_sent) > 0) { \ + msg(M_CLIENT, "SUCCESS: %d client(s) updated", (n_sent)); \ + return true; \ + } else { \ + msg(M_CLIENT, "ERROR: no client updated"); \ + return false; \ + } \ + } while (0) + + +bool +management_callback_send_push_update_broadcast(void *arg, const char *options) +{ + int n_sent = send_push_update(arg, NULL, options, UPT_BROADCAST, PUSH_BUNDLE_SIZE); + + RETURN_UPDATE_STATUS(n_sent); +} + +bool +management_callback_send_push_update_by_cid(void *arg, unsigned long cid, const char *options) +{ + int ret = send_push_update(arg, &cid, options, UPT_BY_CID, PUSH_BUNDLE_SIZE); + + if (ret == -ENOENT) + { + msg(M_CLIENT, "ERROR: no client found with CID: %lu", cid); + } + + return (ret > 0); +} + +bool +management_callback_send_push_update_by_cn(void *arg, const char *cn, const char *options) +{ + int n_sent = send_push_update(arg, cn, options, UPT_BY_CN, PUSH_BUNDLE_SIZE); + + RETURN_UPDATE_STATUS(n_sent); +} + +bool +management_callback_send_push_update_by_addr(void *arg, const struct mroute_addr *maddr, const char *options) +{ + int n_sent = send_push_update(arg, maddr, options, UPT_BY_ADDR, 
PUSH_BUNDLE_SIZE); + + RETURN_UPDATE_STATUS(n_sent); +} +#endif /* ifdef ENABLE_MANAGEMENT */ diff --git a/tests/unit_tests/openvpn/Makefile.am b/tests/unit_tests/openvpn/Makefile.am index b24e03c..9a40512 100644 --- a/tests/unit_tests/openvpn/Makefile.am +++ b/tests/unit_tests/openvpn/Makefile.am @@ -343,4 +343,5 @@ $(top_srcdir)/src/openvpn/platform.c \ $(top_srcdir)/src/openvpn/push_util.c \ $(top_srcdir)/src/openvpn/options_util.c \ - $(top_srcdir)/src/openvpn/otime.c \ No newline at end of file + $(top_srcdir)/src/openvpn/otime.c \ + $(top_srcdir)/src/openvpn/list.c \ No newline at end of file diff --git a/tests/unit_tests/openvpn/test_push_update_msg.c b/tests/unit_tests/openvpn/test_push_update_msg.c index d0876bc..38ea9a6 100644 --- a/tests/unit_tests/openvpn/test_push_update_msg.c +++ b/tests/unit_tests/openvpn/test_push_update_msg.c @@ -8,6 +8,7 @@ #include <cmocka.h> #include "push.h" #include "options_util.h" +#include "multi.h" /* mocks */ @@ -36,6 +37,18 @@ return flags; } +void +update_vhash(struct multi_context *m, struct multi_instance *mi, const char *old_ip, const char *old_ipv6) +{ + return; +} + +bool +options_postprocess_pull(struct options *options, struct env_set *es) +{ + return true; +} + bool apply_push_options(struct context *c, struct options *options, 
@@ -94,6 +107,49 @@ } } +const char * +tls_common_name(const struct tls_multi *multi, const bool null) +{ + return NULL; +} + +#ifndef ENABLE_MANAGEMENT +bool +send_control_channel_string(struct context *c, const char *str, int msglevel) +{ + return true; +} +#else /* ifndef ENABLE_MANAGEMENT */ +char **res; +int i; + +bool +send_control_channel_string(struct context *c, const char *str, int msglevel) +{ + if (res && res[i] && strcmp(res[i], str)) + { + printf("\n\nexpected: %s\n\n actual: %s\n\n", res[i], str); + return false; + } + i++; + return true; +} + +struct multi_instance * +lookup_by_cid(struct multi_context *m, const unsigned long cid) +{ + return *(m->instances); +} + +bool +mroute_extract_openvpn_sockaddr(struct mroute_addr *addr, + const struct openvpn_sockaddr *osaddr, + bool use_port) +{ + return true; +} +#endif /* ifndef ENABLE_MANAGEMENT */ + /* tests */ static void @@ -124,7 +180,6 @@ free_buf(&buf); } - static void test_incoming_push_message_error2(void **state) { 
@@ -209,6 +264,207 @@ free_buf(&buf); } +#ifdef ENABLE_MANAGEMENT +char *r0[] = { + "PUSH_UPDATE,redirect-gateway local,route 192.168.1.0 255.255.255.0" +}; +char *r1[] = { + "PUSH_UPDATE,-dhcp-option,blablalalalalalalalalalalalalf, lalalalalalalalalalalalalalaf,push-continuation 2", + "PUSH_UPDATE, akakakakakakakakakakakaf, dhcp-option DNS 8.8.8.8,redirect-gateway local,push-continuation 2", + "PUSH_UPDATE,route 192.168.1.0 255.255.255.0,push-continuation 1" +}; +char *r3[] = { + "PUSH_UPDATE,,," +}; +char *r4[] = { + "PUSH_UPDATE,-dhcp-option, blablalalalalalalalalalalalalf, lalalalalalalalalalalalalalaf,push-continuation 2", + "PUSH_UPDATE, akakakakakakakakakakakaf,dhcp-option DNS 8.8.8.8, redirect-gateway local,push-continuation 2", + "PUSH_UPDATE, route 192.168.1.0 255.255.255.0,,push-continuation 1" +}; +char *r5[] = { + "PUSH_UPDATE,,-dhcp-option, blablalalalalalalalalalalalalf, lalalalalalalalalalalalalalaf,push-continuation 2", + "PUSH_UPDATE, akakakakakakakakakakakaf,dhcp-option DNS 8.8.8.8, redirect-gateway local,push-continuation 2", + "PUSH_UPDATE, route 192.168.1.0 255.255.255.0,push-continuation 1" +}; +char *r6[] = { + "PUSH_UPDATE,-dhcp-option,blablalalalalalalalalalalalalf, lalalalalalalalalalalalalalaf,push-continuation 2", + "PUSH_UPDATE, akakakakakakakakakakakaf, dhcp-option DNS 8.8.8.8, redirect-gateway 10.10.10.10,,push-continuation 2", + "PUSH_UPDATE, route 192.168.1.0 255.255.255.0,,push-continuation 1" +}; +char *r7[] = { + "PUSH_UPDATE,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,push-continuation 2", + "PUSH_UPDATE,,,,,,,,,,,,,,,,,,,push-continuation 1" +}; +char *r8[] = { + "PUSH_UPDATE,-dhcp-option,blablalalalalalalalalalalalalf, lalalalalalalalalalalalalalaf,push-continuation 2", + "PUSH_UPDATE, akakakakakakakakakakakaf, dhcp-option DNS 8.8.8.8,redirect-gateway\n local,push-continuation 2", + "PUSH_UPDATE,route 192.168.1.0 255.255.255.0\n\n\n,push-continuation 1" +}; +char *r9[] = { + 
"PUSH_UPDATE,," +}; + + +const char *msg0 = "redirect-gateway local,route 192.168.1.0 255.255.255.0"; +const char *msg1 = "-dhcp-option,blablalalalalalalalalalalalalf, lalalalalalalalalalalalalalaf," + " akakakakakakakakakakakaf, dhcp-option DNS 8.8.8.8,redirect-gateway local,route 192.168.1.0 255.255.255.0"; +const char *msg2 = ""; +const char *msg3 = ",,"; +const char *msg4 = "-dhcp-option, blablalalalalalalalalalalalalf, lalalalalalalalalalalalalalaf," + " akakakakakakakakakakakaf,dhcp-option DNS 8.8.8.8, redirect-gateway local, route 192.168.1.0 255.255.255.0,"; +const char *msg5 = ",-dhcp-option, blablalalalalalalalalalalalalf, lalalalalalalalalalalalalalaf," + " akakakakakakakakakakakaf,dhcp-option DNS 8.8.8.8, redirect-gateway local, route 192.168.1.0 255.255.255.0"; +const char *msg6 = "-dhcp-option,blablalalalalalalalalalalalalf, lalalalalalalalalalalalalalaf, akakakakakakakakakakakaf," + " dhcp-option DNS 8.8.8.8, redirect-gateway 10.10.10.10,, route 192.168.1.0 255.255.255.0,"; +const char *msg7 = ",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"; +const char *msg8 = "-dhcp-option,blablalalalalalalalalalalalalf, lalalalalalalalalalalalalalaf, akakakakakakakakakakakaf," + " dhcp-option DNS 8.8.8.8,redirect-gateway\n local,route 192.168.1.0 255.255.255.0\n\n\n"; +const char *msg9 = ","; + +const char *msg10 = "abandon ability able about above absent absorb abstract absurd abuse access accident account accuse achieve" + "acid acoustic acquire across act action actor actress actual adapt add addict address adjust" + "baby bachelor bacon badge bag balance balcony ball bamboo banana banner bar barely bargain barrel base basic" + "basket battle beach bean beauty because become beef before begin behave behind" + "cabbage cabin cable cactus cage cake call calm camera camp can canal cancel candy cannon canoe canvas canyon" + "capable capital captain car carbon card cargo carpet carry cart case" + "daisy 
damage damp dance danger daring dash daughter dawn day deal debate debris decade december decide decline" + "decorate decrease deer defense define defy degree delay deliver demand demise denial"; + +#define PUSH_BUNDLE_SIZE_TEST 184 + +static void +test_send_push_msg0(void **state) +{ + i = 0; + res = r0; + struct multi_context *m = *state; + const unsigned long cid = 0; + assert_int_equal(send_push_update(m, &cid, msg0, UPT_BY_CID, PUSH_BUNDLE_SIZE_TEST), 1); +} +static void +test_send_push_msg1(void **state) +{ + i = 0; + res = r1; + struct multi_context *m = *state; + const unsigned long cid = 0; + assert_int_equal(send_push_update(m, &cid, msg1, UPT_BY_CID, PUSH_BUNDLE_SIZE_TEST), 1); +} + +static void +test_send_push_msg2(void **state) +{ + i = 0; + res = NULL; + struct multi_context *m = *state; + const unsigned long cid = 0; + assert_int_equal(send_push_update(m, &cid, msg2, UPT_BY_CID, PUSH_BUNDLE_SIZE_TEST), -EINVAL); +} + +static void +test_send_push_msg3(void **state) +{ + i = 0; + res = r3; + struct multi_context *m = *state; + const unsigned long cid = 0; + assert_int_equal(send_push_update(m, &cid, msg3, UPT_BY_CID, PUSH_BUNDLE_SIZE_TEST), 1); +} + +static void +test_send_push_msg4(void **state) +{ + i = 0; + res = r4; + struct multi_context *m = *state; + const unsigned long cid = 0; + assert_int_equal(send_push_update(m, &cid, msg4, UPT_BY_CID, PUSH_BUNDLE_SIZE_TEST), 1); +} + +static void +test_send_push_msg5(void **state) +{ + i = 0; + res = r5; + struct multi_context *m = *state; + const unsigned long cid = 0; + assert_int_equal(send_push_update(m, &cid, msg5, UPT_BY_CID, PUSH_BUNDLE_SIZE_TEST), 1); +} + +static void +test_send_push_msg6(void **state) +{ + i = 0; + res = r6; + struct multi_context *m = *state; + const unsigned long cid = 0; + assert_int_equal(send_push_update(m, &cid, msg6, UPT_BY_CID, PUSH_BUNDLE_SIZE_TEST), 1); +} + +static void +test_send_push_msg7(void **state) +{ + i = 0; + res = r7; + struct multi_context *m = *state; + 
const unsigned long cid = 0; + assert_int_equal(send_push_update(m, &cid, msg7, UPT_BY_CID, PUSH_BUNDLE_SIZE_TEST), 1); +} + +static void +test_send_push_msg8(void **state) +{ + i = 0; + res = r8; + struct multi_context *m = *state; + const unsigned long cid = 0; + assert_int_equal(send_push_update(m, &cid, msg8, UPT_BY_CID, PUSH_BUNDLE_SIZE_TEST), 1); +} + +static void +test_send_push_msg9(void **state) +{ + i = 0; + res = r9; + struct multi_context *m = *state; + const unsigned long cid = 0; + assert_int_equal(send_push_update(m, &cid, msg9, UPT_BY_CID, PUSH_BUNDLE_SIZE_TEST), 1); +} + +static void +test_send_push_msg10(void **state) +{ + i = 0; + res = NULL; + struct multi_context *m = *state; + const unsigned long cid = 0; + assert_int_equal(send_push_update(m, &cid, msg10, UPT_BY_CID, PUSH_BUNDLE_SIZE_TEST), -EINVAL); +} + +#undef PUSH_BUNDLE_SIZE_TEST + +static int +setup2(void **state) +{ + struct multi_context *m = calloc(1, sizeof(struct multi_context)); + m->instances = calloc(1, sizeof(struct multi_instance *)); + struct multi_instance *mi = calloc(1, sizeof(struct multi_instance)); + *(m->instances) = mi; + *state = m; + return 0; +} + +static int +teardown2(void **state) +{ + struct multi_context *m = *state; + free(*(m->instances)); + free(m->instances); + free(m); + return 0; +} +#endif /* ifdef ENABLE_MANAGEMENT */ + static int setup(void **state) { 
@@ -238,7 +494,20 @@ cmocka_unit_test_setup_teardown(test_incoming_push_message_1, setup, teardown), cmocka_unit_test_setup_teardown(test_incoming_push_message_bad_format, setup, teardown), cmocka_unit_test_setup_teardown(test_incoming_push_message_mix, setup, teardown), - cmocka_unit_test_setup_teardown(test_incoming_push_message_mix2, setup, teardown) + cmocka_unit_test_setup_teardown(test_incoming_push_message_mix2, setup, teardown), +#ifdef ENABLE_MANAGEMENT + cmocka_unit_test_setup_teardown(test_send_push_msg0, setup2, teardown2), + cmocka_unit_test_setup_teardown(test_send_push_msg1, setup2, teardown2), + cmocka_unit_test_setup_teardown(test_send_push_msg2, setup2, teardown2), + cmocka_unit_test_setup_teardown(test_send_push_msg3, setup2, teardown2), + cmocka_unit_test_setup_teardown(test_send_push_msg4, setup2, teardown2), + cmocka_unit_test_setup_teardown(test_send_push_msg5, setup2, teardown2), + cmocka_unit_test_setup_teardown(test_send_push_msg6, setup2, teardown2), + cmocka_unit_test_setup_teardown(test_send_push_msg7, setup2, teardown2), + cmocka_unit_test_setup_teardown(test_send_push_msg8, setup2, teardown2), + cmocka_unit_test_setup_teardown(test_send_push_msg9, setup2, teardown2), + cmocka_unit_test_setup_teardown(test_send_push_msg10, setup2, teardown2) +#endif }; return cmocka_run_group_tests(tests, NULL, NULL); -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/869?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Ie82bcc7a8e583de9156b185d71d1a323ed8df3fc Gerrit-Change-Number: 869 Gerrit-PatchSet: 11 Gerrit-Owner: mrbff <ma...@ma...> Gerrit-Reviewer: cron2 <ge...@gr...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-Reviewer: stipa <lst...@gm...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Attention: cron2 <ge...@gr...> Gerrit-Attention: 
flichtenheld <fr...@li...> Gerrit-Attention: stipa <lst...@gm...> Gerrit-Attention: mrbff <ma...@ma...> Gerrit-MessageType: newpatchset |
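Review bot: send_single_push_update transmits each chunk before the server checks that it can apply it, so on a PUSH_MSG_ERROR from process_incoming_push_update the client has already received, and will apply, an update that the server's copy of that client's options does not reflect; the `continue` only skips the bookkeeping and the function still returns true, so send_push_update counts that client as updated. Validate all chunks (or the reassembled message) with process_incoming_push_update/options_postprocess_pull first, and send only when that succeeds. Further points in the same hunk: the `return false` after a failed send_control_channel_string and the `return -ENOENT` for an unknown cid both leave their gc_arena unfreed (gc_new() without gc_free()); `safe_cap = push_bundle_size - extra` is used as a divisor and as an index without a check that it is positive, so a small push_bundle_size divides by zero or indexes before the string, and the `84` in `extra` deserves a named constant or a comment deriving it; `tls_common_name(curr_mi->context.c2.tls_multi, false)` goes straight into strcmp, so guard a NULL return (the unit-test mock returns NULL); and `msg(M_CLIENT, "ERROR: Peer ID: %u has not been updated", ...)` is emitted from a function the header presents as a general server API, so it should be M_WARN here with the management-facing status left to the callbacks. Finally, nothing strips empty options when splitting (r3/r7 in the tests show `PUSH_UPDATE,,,` being sent), so consider rejecting them rather than forwarding them to clients.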
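Review bot: the expectations in r0..r9 are only compared while `res[i]` exists, so if send_push_update emits more chunks than the array holds the extra ones pass unchecked, and if it emits fewer the test still passes; assert on the chunk count after each call (e.g. `assert_int_equal(i, 3);` for r1) and NULL-terminate the arrays so the mock can fail on an unexpected extra chunk. The mock's file-scope globals are named `res` and `i`, which are easy to shadow in a test file; `expected_msgs`/`msg_idx` would be clearer. All cases go through UPT_BY_CID, which bypasses the hash_iterator loop; a UPT_BROADCAST and a UPT_BY_CN case would cover the loop and the cn comparison (and will need `m->iter` built with hash_init, presumably why list.c is added to Makefile.am). While touching Makefile.am, add the missing newline at end of file instead of carrying the `\ No newline at end of file` forward.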
From: flichtenheld (C. Review) <ge...@op...> - 2025-07-10 11:15:03
Attention is currently required from: plaisthos.

flichtenheld has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/1081?usp=email )

Change subject: Do not compile mbed key helper with MBEDTLS_SSL_KEYING_MATERIAL_EXPORT
......................................................................

Patch Set 2: Code-Review+2

(1 comment)

File src/openvpn/ssl_mbedtls.c:

http://gerrit.openvpn.net/c/openvpn/+/1081/comment/7552178f_39f98b2e :
PS1, Line 177: #if HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB && !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT)
> Change makes sense, but now every clause of the #if .. #elif .. […]
Done

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1081?usp=email
To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I0f325800ebeb20bd5ef3ff78e5c5fcf0f6f74efd
Gerrit-Change-Number: 1081
Gerrit-PatchSet: 2
Gerrit-Owner: plaisthos <arn...@rf...>
Gerrit-Reviewer: flichtenheld <fr...@li...>
Gerrit-CC: openvpn-devel <ope...@li...>
Gerrit-Attention: plaisthos <arn...@rf...>
Gerrit-Comment-Date: Thu, 10 Jul 2025 11:14:48 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Comment-In-Reply-To: flichtenheld <fr...@li...>
Gerrit-MessageType: comment
From: plaisthos (C. Review) <ge...@op...> - 2025-07-10 10:24:28
Attention is currently required from: flichtenheld, plaisthos. Hello flichtenheld, I'd like you to reexamine a change. Please visit http://gerrit.openvpn.net/c/openvpn/+/1081?usp=email to look at the new patch set (#2). The following approvals got outdated and were removed: Code-Review-1 by flichtenheld Change subject: Do not compile mbed key helper with MBEDTLS_SSL_KEYING_MATERIAL_EXPORT ...................................................................... Do not compile mbed key helper with MBEDTLS_SSL_KEYING_MATERIAL_EXPORT The helper methods are only used when we don't have MBEDTLS_SSL_KEYING_MATERIAL_EXPORT and mbedtls_ssl_export_keying_material. Change-Id: I0f325800ebeb20bd5ef3ff78e5c5fcf0f6f74efd Signed-off-by: Arne Schwabe <ar...@rf...> --- M src/openvpn/ssl_mbedtls.c 1 file changed, 6 insertions(+), 4 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/81/1081/2 diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c index ecccc26..569421c 100644 --- a/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c @@ -173,8 +173,9 @@ ASSERT(NULL != ctx); return ctx->initialised; } - -#if HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB +#ifdef MBEDTLS_SSL_KEYING_MATERIAL_EXPORT +/* mbedtls_ssl_export_keying_material does not need helper/callback methods */ +#elif HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB /* * Key export callback for older versions of mbed TLS, to be used with * mbedtls_ssl_conf_export_keys_ext_cb(). It is called with the master @@ -205,7 +206,7 @@ return 0; } -#elif HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB +#elif defined(HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB) /* * Key export callback for newer versions of mbed TLS, to be used with * mbedtls_ssl_set_export_keys_cb(). When used with TLS 1.2, the callback 
@@ -251,10 +252,11 @@ memcpy(cache->master_secret, secret, sizeof(cache->master_secret)); cache->tls_prf_type = tls_prf_type; } -#elif !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) +#elif /* ifdef MBEDTLS_SSL_KEYING_MATERIAL_EXPORT */ #error mbedtls_ssl_conf_export_keys_ext_cb, mbedtls_ssl_set_export_keys_cb or mbedtls_ssl_export_keying_material must be available in mbed TLS #endif /* HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB */ + bool key_state_export_keying_material(struct tls_session *session, const char *label, size_t label_size, -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1081?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I0f325800ebeb20bd5ef3ff78e5c5fcf0f6f74efd Gerrit-Change-Number: 1081 Gerrit-PatchSet: 2 Gerrit-Owner: plaisthos <arn...@rf...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Attention: flichtenheld <fr...@li...> Gerrit-MessageType: newpatchset |
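Review bot: `#elif /* ifdef MBEDTLS_SSL_KEYING_MATERIAL_EXPORT */` has no controlling expression, and `#elif` requires one; the intent of the chain (none of the three export mechanisms is available) is an unconditional fallback, so this should be `#else`. As written, a build in which none of the earlier branches is taken fails in the preprocessor instead of reaching the intended `#error`, and compilers that do take an earlier branch may still diagnose the empty `#elif`. The closing `#endif /* HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB */` comment also no longer names the macro that now opens the chain (`#ifdef MBEDTLS_SSL_KEYING_MATERIAL_EXPORT`); update it to match.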
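Review bot: the second branch becomes `#elif defined(HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB)` while the first stays `#elif HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB`; both work as long as the configure-generated HAVE_* macros are either undefined (evaluating to 0) or 1, but mixing the two styles in one chain reads as if the macros were defined differently and leaves the first branch open to `-Wundef`. Use `defined()` for both or for neither.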
From: plaisthos (C. Review) <ge...@op...> - 2025-07-10 10:21:28
Attention is currently required from: flichtenheld.

plaisthos has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/1082?usp=email )

Change subject: Fix compiler warning in reliable.c with --disable-debug
......................................................................

Patch Set 1: Code-Review+2

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1082?usp=email
To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Icad1a52d14311a6f06bda081cab2f4bded8d47ed
Gerrit-Change-Number: 1082
Gerrit-PatchSet: 1
Gerrit-Owner: flichtenheld <fr...@li...>
Gerrit-Reviewer: plaisthos <arn...@rf...>
Gerrit-CC: openvpn-devel <ope...@li...>
Gerrit-Attention: flichtenheld <fr...@li...>
Gerrit-Comment-Date: Thu, 10 Jul 2025 10:21:18 +0000
Gerrit-HasComments: No
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment
From: flichtenheld (C. Review) <ge...@op...> - 2025-07-10 09:43:37
Attention is currently required from: cron2, mrbff, plaisthos, stipa.

flichtenheld has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/869?usp=email )

Change subject: PUSH_UPDATE message sender: enabling the server to send PUSH_UPDATE control messages
......................................................................

Patch Set 10: Code-Review-1

(1 comment)

Patchset:

PS10:
Fails build with --disable-management

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/869?usp=email
To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Ie82bcc7a8e583de9156b185d71d1a323ed8df3fc
Gerrit-Change-Number: 869
Gerrit-PatchSet: 10
Gerrit-Owner: mrbff <ma...@ma...>
Gerrit-Reviewer: cron2 <ge...@gr...>
Gerrit-Reviewer: flichtenheld <fr...@li...>
Gerrit-Reviewer: plaisthos <arn...@rf...>
Gerrit-Reviewer: stipa <lst...@gm...>
Gerrit-CC: openvpn-devel <ope...@li...>
Gerrit-Attention: plaisthos <arn...@rf...>
Gerrit-Attention: cron2 <ge...@gr...>
Gerrit-Attention: stipa <lst...@gm...>
Gerrit-Attention: mrbff <ma...@ma...>
Gerrit-Comment-Date: Thu, 10 Jul 2025 09:43:28 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment
From: flichtenheld (C. Review) <ge...@op...> - 2025-07-10 09:40:02
Attention is currently required from: plaisthos. Hello plaisthos, I'd like you to do a code review. Please visit http://gerrit.openvpn.net/c/openvpn/+/1083?usp=email to review the following change. Change subject: reliable: Move gc_arena inside reliable_print_ids ...................................................................... reliable: Move gc_arena inside reliable_print_ids There was no user that actually used it for anything else. But there were some previous users that generated a now useless gc_arena. While looking through the code, modernize the loop variable usage. Change-Id: I8cefa9a406fe90bb3cbe481304782c639691a3a0 Signed-off-by: Frank Lichtenheld <fr...@li...> --- M src/openvpn/reliable.c 1 file changed, 25 insertions(+), 56 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/83/1083/1 diff --git a/src/openvpn/reliable.c b/src/openvpn/reliable.c index 424d194..6477c45 100644 --- a/src/openvpn/reliable.c +++ b/src/openvpn/reliable.c @@ -446,13 +446,13 @@ #ifdef ENABLE_DEBUG /* print the current sequence of active packet IDs */ static const char * -reliable_print_ids(const struct reliable *rel, struct gc_arena *gc) +reliable_print_ids(const struct reliable *rel) { - struct buffer out = alloc_buf_gc(256, gc); - int i; + struct gc_arena gc = gc_new(); + struct buffer out = alloc_buf_gc(256, &gc); buf_printf(&out, "[" packet_id_format "]", (packet_id_print_type)rel->packet_id); - for (i = 0; i < rel->size; ++i) + for (int i = 0; i < rel->size; ++i) { const struct reliable_entry *e = &rel->array[i]; if (e->active) @@ -460,6 +460,7 @@ buf_printf(&out, " " packet_id_format, (packet_id_print_type)e->packet_id); } } + gc_free(&gc); return BSTR(&out); } #endif /* ENABLE_DEBUG */ @@ -468,9 +469,7 @@ bool reliable_can_get(const struct reliable *rel) { - struct gc_arena gc = gc_new(); - int i; - for (i = 0; i < rel->size; ++i) + for (int i = 0; i < rel->size; ++i) { const struct reliable_entry *e = &rel->array[i]; if (!e->active) 
@@ -478,8 +477,7 @@ return true; } } - dmsg(D_REL_LOW, "ACK no free receive buffer available: %s", reliable_print_ids(rel, &gc)); - gc_free(&gc); + dmsg(D_REL_LOW, "ACK no free receive buffer available: %s", reliable_print_ids(rel)); return false; } @@ -487,13 +485,11 @@ bool reliable_not_replay(const struct reliable *rel, packet_id_type id) { - struct gc_arena gc = gc_new(); - int i; if (reliable_pid_min(id, rel->packet_id)) { goto bad; } - for (i = 0; i < rel->size; ++i) + for (int i = 0; i < rel->size; ++i) { const struct reliable_entry *e = &rel->array[i]; if (e->active && e->packet_id == id) @@ -501,12 +497,10 @@ goto bad; } } - gc_free(&gc); return true; bad: - dmsg(D_REL_DEBUG, "ACK " packet_id_format " is a replay: %s", (packet_id_print_type)id, reliable_print_ids(rel, &gc)); - gc_free(&gc); + dmsg(D_REL_DEBUG, "ACK " packet_id_format " is a replay: %s", (packet_id_print_type)id, reliable_print_ids(rel)); return false; } @@ -514,19 +508,15 @@ bool reliable_wont_break_sequentiality(const struct reliable *rel, packet_id_type id) { - struct gc_arena gc = gc_new(); - const int ret = reliable_pid_in_range2(id, rel->packet_id, rel->size); if (!ret) { dmsg(D_REL_LOW, "ACK " packet_id_format " breaks sequentiality: %s", - (packet_id_print_type)id, reliable_print_ids(rel, &gc)); + (packet_id_print_type)id, reliable_print_ids(rel)); } dmsg(D_REL_DEBUG, "ACK RWBS rel->size=%d rel->packet_id=%08x id=%08x ret=%d", rel->size, rel->packet_id, id, ret); - - gc_free(&gc); return ret; } @@ -534,8 +524,7 @@ struct buffer * reliable_get_buf(struct reliable *rel) { - int i; - for (i = 0; i < rel->size; ++i) + for (int i = 0; i < rel->size; ++i) { struct reliable_entry *e = &rel->array[i]; if (!e->active) @@ -550,7 +539,6 @@ int reliable_get_num_output_sequenced_available(struct reliable *rel) { - struct gc_arena gc = gc_new(); packet_id_type min_id = 0; bool min_id_defined = false; 
@@ -573,7 +561,6 @@ { ret -= subtract_pid(rel->packet_id, min_id); } - gc_free(&gc); return ret; } @@ -581,14 +568,12 @@ struct buffer * reliable_get_buf_output_sequenced(struct reliable *rel) { - struct gc_arena gc = gc_new(); - int i; packet_id_type min_id = 0; bool min_id_defined = false; struct buffer *ret = NULL; /* find minimum active packet_id */ - for (i = 0; i < rel->size; ++i) + for (int i = 0; i < rel->size; ++i) { const struct reliable_entry *e = &rel->array[i]; if (e->active) @@ -607,9 +592,8 @@ } else { - dmsg(D_REL_LOW, "ACK output sequence broken: %s", reliable_print_ids(rel, &gc)); + dmsg(D_REL_LOW, "ACK output sequence broken: %s", reliable_print_ids(rel)); } - gc_free(&gc); return ret; } @@ -617,8 +601,7 @@ struct reliable_entry * reliable_get_entry_sequenced(struct reliable *rel) { - int i; - for (i = 0; i < rel->size; ++i) + for (int i = 0; i < rel->size; ++i) { struct reliable_entry *e = &rel->array[i]; if (e->active && e->packet_id == rel->packet_id) @@ -633,10 +616,8 @@ bool reliable_can_send(const struct reliable *rel) { - struct gc_arena gc = gc_new(); - int i; int n_active = 0, n_current = 0; - for (i = 0; i < rel->size; ++i) + for (int i = 0; i < rel->size; ++i) { const struct reliable_entry *e = &rel->array[i]; if (e->active) @@ -652,9 +633,8 @@ dmsg(D_REL_DEBUG, "ACK reliable_can_send active=%d current=%d : %s", n_active, n_current, - reliable_print_ids(rel, &gc)); + reliable_print_ids(rel)); - gc_free(&gc); return n_current > 0 && !rel->hold; } @@ -662,11 +642,10 @@ struct buffer * reliable_send(struct reliable *rel, int *opcode) { - int i; struct reliable_entry *best = NULL; const time_t local_now = now; - for (i = 0; i < rel->size; ++i) + for (int i = 0; i < rel->size; ++i) { struct reliable_entry *e = &rel->array[i]; 
@@ -701,10 +680,9 @@ void reliable_schedule_now(struct reliable *rel) { - int i; dmsg(D_REL_DEBUG, "ACK reliable_schedule_now"); rel->hold = false; - for (i = 0; i < rel->size; ++i) + for (int i = 0; i < rel->size; ++i) { struct reliable_entry *e = &rel->array[i]; if (e->active) @@ -720,12 +698,10 @@ interval_t reliable_send_timeout(const struct reliable *rel) { - struct gc_arena gc = gc_new(); interval_t ret = BIG_TIMEOUT; - int i; const time_t local_now = now; - for (i = 0; i < rel->size; ++i) + for (int i = 0; i < rel->size; ++i) { const struct reliable_entry *e = &rel->array[i]; if (e->active) @@ -744,9 +720,8 @@ dmsg(D_REL_DEBUG, "ACK reliable_send_timeout %d %s", (int) ret, - reliable_print_ids(rel, &gc)); + reliable_print_ids(rel)); - gc_free(&gc); return ret; } @@ -758,8 +733,7 @@ reliable_mark_active_incoming(struct reliable *rel, struct buffer *buf, packet_id_type pid, int opcode) { - int i; - for (i = 0; i < rel->size; ++i) + for (int i = 0; i < rel->size; ++i) { struct reliable_entry *e = &rel->array[i]; if (buf == &e->buf) @@ -790,8 +764,7 @@ void reliable_mark_active_outgoing(struct reliable *rel, struct buffer *buf, int opcode) { - int i; - for (i = 0; i < rel->size; ++i) + for (int i = 0; i < rel->size; ++i) { struct reliable_entry *e = &rel->array[i]; if (buf == &e->buf) @@ -817,8 +790,7 @@ void reliable_mark_deleted(struct reliable *rel, struct buffer *buf) { - int i; - for (i = 0; i < rel->size; ++i) + for (int i = 0; i < rel->size; ++i) { struct reliable_entry *e = &rel->array[i]; if (buf == &e->buf) @@ -836,10 +808,8 @@ void reliable_ack_debug_print(const struct reliable_ack *ack, char *desc) { - int i; - printf("********* struct reliable_ack %s\n", desc); - for (i = 0; i < ack->len; ++i) + for (int i = 0; i < ack->len; ++i) { printf(" %d: " packet_id_format "\n", i, (packet_id_print_type) ack->packet_id[i]); } 
@@ -848,14 +818,13 @@ void reliable_debug_print(const struct reliable *rel, char *desc) { - int i; update_time(); printf("********* struct reliable %s\n", desc); printf(" initial_timeout=%d\n", (int)rel->initial_timeout); printf(" packet_id=" packet_id_format "\n", rel->packet_id); printf(" now=%" PRIi64 "\n", (int64_t)now); - for (i = 0; i < rel->size; ++i) + for (int i = 0; i < rel->size; ++i) { const struct reliable_entry *e = &rel->array[i]; if (e->active) -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1083?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I8cefa9a406fe90bb3cbe481304782c639691a3a0 Gerrit-Change-Number: 1083 Gerrit-PatchSet: 1 Gerrit-Owner: flichtenheld <fr...@li...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-MessageType: newchange |
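Review bot: the first hunk of this patch introduces a use-after-free in reliable_print_ids(): `out` is allocated from the function's own arena with `alloc_buf_gc(256, &gc)`, the function then calls `gc_free(&gc)` and returns `BSTR(&out)`, so every remaining caller (reliable_can_get, reliable_not_replay, reliable_wont_break_sequentiality, reliable_get_buf_output_sequenced, reliable_can_send, reliable_send_timeout) hands a dangling pointer to dmsg(). A function that returns arena-backed memory cannot own the arena; keep the `struct gc_arena *gc` parameter and let each logging caller create its arena (ideally only inside the branch that actually logs), or format into a caller-supplied buffer. The one caller whose arena really was unused, reliable_get_num_output_sequenced_available(), can still drop it, and the `for (int i = 0; ...)` modernisation is fine as is. This code is only built with ENABLE_DEBUG, but it is still a memory-safety bug in debug builds, and the commit message ("There was no user that actually used it for anything else") does not match what the callers do with the return value.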
From: flichtenheld (C. Review) <ge...@op...> - 2025-07-10 09:39:59
Attention is currently required from: plaisthos. Hello plaisthos, I'd like you to do a code review. Please visit http://gerrit.openvpn.net/c/openvpn/+/1082?usp=email to review the following change. Change subject: Fix compiler warning in reliable.c with --disable-debug ...................................................................... Fix compiler warning in reliable.c with --disable-debug Use the easy way out. Using pre-compiler to completely avoid n_active seems like overkill. Change-Id: Icad1a52d14311a6f06bda081cab2f4bded8d47ed Signed-off-by: Frank Lichtenheld <fr...@li...> --- M src/openvpn/reliable.c 1 file changed, 1 insertion(+), 0 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/82/1082/1 diff --git a/src/openvpn/reliable.c b/src/openvpn/reliable.c index 6aef112..424d194 100644 --- a/src/openvpn/reliable.c +++ b/src/openvpn/reliable.c @@ -648,6 +648,7 @@ } } } + (void)n_active; /* dmsg might not generate code */ dmsg(D_REL_DEBUG, "ACK reliable_can_send active=%d current=%d : %s", n_active, n_current, -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1082?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Icad1a52d14311a6f06bda081cab2f4bded8d47ed Gerrit-Change-Number: 1082 Gerrit-PatchSet: 1 Gerrit-Owner: flichtenheld <fr...@li...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-MessageType: newchange |
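Review bot: `(void)n_active;` is the right minimal fix for the set-but-unused warning that appears when dmsg() compiles to nothing with --disable-debug, and placing it directly above the dmsg() call makes the intent clear. One nit on the comment: "dmsg might not generate code" would be clearer as "n_active is only consumed by dmsg(), which may compile to nothing". Note that change 1083 is based on this revision (its reliable.c index line starts from 424d194) and rewrites the same function, so the two should land in this order or the warning reappears when 1083 is rebased.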
From: mrbff (C. Review) <ge...@op...> - 2025-07-10 08:11:34
Attention is currently required from: cron2, flichtenheld, mrbff, plaisthos, stipa. Hello cron2, flichtenheld, plaisthos, stipa, I'd like you to reexamine a change. Please visit http://gerrit.openvpn.net/c/openvpn/+/869?usp=email to look at the new patch set (#10). Change subject: PUSH_UPDATE message sender: enabling the server to send PUSH_UPDATE control messages ...................................................................... PUSH_UPDATE message sender: enabling the server to send PUSH_UPDATE control messages Using the management interface you can now target one or more clients (via broadcast, via cid, via common name, via address) and send a PUSH_UPDATE control message to update some options. Change-Id: Ie82bcc7a8e583de9156b185d71d1a323ed8df3fc Signed-off-by: Marco Baffo <ma...@ma...> --- M CMakeLists.txt M doc/management-notes.txt M src/openvpn/manage.c M src/openvpn/manage.h M src/openvpn/multi.c M src/openvpn/multi.h M src/openvpn/push.h M src/openvpn/push_util.c M tests/unit_tests/openvpn/Makefile.am M tests/unit_tests/openvpn/test_push_update_msg.c 10 files changed, 895 insertions(+), 6 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/69/869/10 diff --git a/CMakeLists.txt b/CMakeLists.txt index 54cf503..1381e03 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -861,6 +861,7 @@ src/openvpn/push_util.c src/openvpn/options_util.c src/openvpn/otime.c + src/openvpn/list.c ) if (TARGET test_argv) diff --git a/doc/management-notes.txt b/doc/management-notes.txt index f1d2930..58393da 100644 --- a/doc/management-notes.txt +++ b/doc/management-notes.txt 
@@ -1028,6 +1028,51 @@ stored outside of the filesystem (e.g. in Mac OS X Keychain) with OpenVPN via the management interface. +COMMAND -- push-update-broad (OpenVPN 2.7 or higher) +---------------------------------------------------- +Send a message to every connected client to update options at runtime. +The updatable options are: "block-ipv6", "block-outside-dns", "dhcp-option", +"dns", "ifconfig", "ifconfig-ipv6", "redirect-gateway", "redirect-private", +"route", "route-gateway", "route-ipv6", "route-metric", "topology", +"tun-mtu", "keepalive". When a valid option is pushed, the receiving client will +delete every previous value and set new value, so the update of the option will +not be incremental even when theoretically possible (ex. with "redirect-gateway"). +The '-' symbol in front of an option means the option should be removed. +When an option is used with '-', it cannot take any parameter. +The '?' symbol in front of an option means the option's update is optional +so if the client do not support it, that option will just be ignored without +making fail the entire command. The '-' and '?' symbols can be used together. + +Option Format Ex. + `-?option`, `-option`, `?option parameters` are valid formats, + `?-option` is not a valid format. + +Example + push-update-broad "route 10.10.10.1 255.255.255.255, -dns, ?tun-mtu 1400" + +COMMAND -- push-update-cid (OpenVPN 2.7 or higher) +---------------------------------------------------- +Same as push-update-broad but you must target a single client using client id. + +Example + push-update-cid 42 "route 10.10.10.1 255.255.255.255, -dns, ?tun-mtu 1400" + +COMMAND -- push-update-cn (OpenVPN 2.7 or higher) +---------------------------------------------------- +Same as push-update-broad but target the clients based on the provided common name +(usually just one client per common name is permitted except if "duplicate-cn" option is used). 
+ +Example + push-update-cid Client0 "route 10.10.10.1 255.255.255.255, -dns, ?tun-mtu 1400" + +COMMAND -- push-update-addr (OpenVPN 2.7 or higher) +---------------------------------------------------- +Same as push-update-broad but target only the client(s) connecting from the +provided address (real address). Support both IPv4 and IPv6. + +Example + push-update-addr 9.9.9.9 1234 "route 10.10.10.1 255.255.255.255, -dns, ?tun-mtu 1400" + OUTPUT FORMAT ------------- diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c index 8836e79..251b076 100644 --- a/src/openvpn/manage.c +++ b/src/openvpn/manage.c @@ -24,7 +24,6 @@ #ifdef HAVE_CONFIG_H #include "config.h" #endif - #include "syshead.h" #ifdef ENABLE_MANAGEMENT @@ -42,6 +41,7 @@ #include "manage.h" #include "openvpn.h" #include "dco.h" +#include "push.h" #include "memdbg.h" @@ -124,6 +124,11 @@ msg(M_CLIENT, "username type u : Enter username u for a queried OpenVPN username."); msg(M_CLIENT, "verb [n] : Set log verbosity level to n, or show if n is absent."); msg(M_CLIENT, "version [n] : Set client's version to n or show current version of daemon."); + msg(M_CLIENT, "push-update-broad options : Broadcast a message to update the specified options."); + msg(M_CLIENT, " Ex. push-update-broad \"route something, -dns\""); + msg(M_CLIENT, "push-update-cid CID options : Send an update message to the client identified by CID."); + msg(M_CLIENT, "push-update-cn CN options : Send an update message to the client(s) with the specified Common Name."); + msg(M_CLIENT, "push-update-addr ip port options : Send an update message to the client(s) connecting from the provided address."); msg(M_CLIENT, "END"); } 
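Review bot: the example under `push-update-cn` in the management-notes.txt hunk uses the wrong command name: `push-update-cid Client0 "route 10.10.10.1 255.255.255.255, -dns, ?tun-mtu 1400"` should read `push-update-cn Client0 ...`. Two wording fixes in the same hunk: "so if the client do not support it, that option will just be ignored without making fail the entire command" should be "so if the client does not support it, that option is ignored instead of failing the entire command", and "Support both IPv4 and IPv6" should be "Both IPv4 and IPv6 are supported". It would also help operators to state that push-update-addr matches the client's real (post-NAT) source address and port exactly, since the management code builds the lookup key with `mroute_extract_openvpn_sockaddr(&maddr, &saddr, true)` and compares it against `curr_mi->real`.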
@@ -1335,6 +1340,154 @@ } static void +man_push_update(struct management *man, const char **p, const push_update_type type) +{ + if (type == UPT_BROADCAST) + { + if (!man->persist.callback.push_update_broadcast) + { + man_command_unsupported("push-update-broad"); + return; + } + + const bool status = (*man->persist.callback.push_update_broadcast)(man->persist.callback.arg, p[1]); + + if (status) + { + msg(M_CLIENT, "SUCCESS: push-update-broad command succeeded"); + } + else + { + msg(M_CLIENT, "ERROR: push-update-broad command failed"); + } + } + else if (type == UPT_BY_CID) + { + if (!man->persist.callback.push_update_by_cid) + { + man_command_unsupported("push-update-cid"); + return; + } + + unsigned long cid = 0; + + if (!parse_cid(p[1], &cid)) + { + msg(M_CLIENT, "ERROR: push-update-cid fail during cid parsing"); + return; + } + + const bool status = (*man->persist.callback.push_update_by_cid)(man->persist.callback.arg, cid, p[2]); + + if (status) + { + msg(M_CLIENT, "SUCCESS: push-update-cid command succeeded"); + } + else + { + msg(M_CLIENT, "ERROR: push-update-cid command failed"); + } + } + else if (type == UPT_BY_CN) + { + if (!man->persist.callback.push_update_by_cn) + { + man_command_unsupported("push-update-cn"); + return; + } + + const bool status = (*man->persist.callback.push_update_by_cn)(man->persist.callback.arg, p[1], p[2]); + + if (status) + { + msg(M_CLIENT, "SUCCESS: push-update-cn command succeeded"); + } + else + { + msg(M_CLIENT, "ERROR: push-update-cn command failed"); + } + } + else if (type == UPT_BY_ADDR) + { + if (!man->persist.callback.push_update_by_addr) + { + man_command_unsupported("push-update-addr"); + return; + } + + const char *ip_str = p[1]; + const char *port_str = p[2]; + const char *options = p[3]; + + if (!strlen(ip_str) || !strlen(port_str)) + { + msg(M_CLIENT, "ERROR: push-update-addr parse"); + return; + } + + struct addrinfo *res = NULL; + int port = atoi(port_str); + + if (port < 1 || port > 65535) + { + 
msg(M_CLIENT, "ERROR: port number is out of range: %s", port_str); + return; + } + + int status = openvpn_getaddrinfo(GETADDR_MSG_VIRT_OUT, ip_str, port_str, 0, NULL, AF_UNSPEC, &res); + + if (status != 0 || !res) + { + msg(M_CLIENT, "ERROR: error resolving address: %s (%s)", ip_str, gai_strerror(status)); + return; + } + + struct addrinfo *rp; + bool found_client = false; + + /* Iterate through resolved addresses */ + for (rp = res; rp != NULL; rp = rp->ai_next) + { + struct openvpn_sockaddr saddr; + struct mroute_addr maddr; + + CLEAR(saddr); + switch (rp->ai_family) + { + case AF_INET: + saddr.addr.in4 = *((struct sockaddr_in *)rp->ai_addr); + break; + + case AF_INET6: + saddr.addr.in6 = *((struct sockaddr_in6 *)rp->ai_addr); + break; + + default: + continue; + } + + if (!mroute_extract_openvpn_sockaddr(&maddr, &saddr, true)) + { + continue; + } + + if ((*man->persist.callback.push_update_by_addr)(man->persist.callback.arg, &maddr, options)) + { + msg(M_CLIENT, "SUCCESS: push-update sent to %s:%d", ip_str, port); + found_client = true; + break; + } + } + + if (!found_client) + { + msg(M_CLIENT, "ERROR: no client found at address %s:%d", ip_str, port); + } + freeaddrinfo(res); + } +} + +static void man_dispatch_command(struct management *man, struct status_output *so, const char **p, const int nparms) { struct gc_arena gc = gc_new(); @@ -1656,6 +1809,34 @@ man_remote(man, p); } } + else if (streq(p[0], "push-update-broad")) + { + if (man_need(man, p, 1, 0)) + { + man_push_update(man, p, UPT_BROADCAST); + } + } + else if (streq(p[0], "push-update-cid")) + { + if (man_need(man, p, 2, 0)) + { + man_push_update(man, p, UPT_BY_CID); + } + } + else if (streq(p[0], "push-update-cn")) + { + if (man_need(man, p, 2, 0)) + { + man_push_update(man, p, UPT_BY_CN); + } + } + else if (streq(p[0], "push-update-addr")) + { + if (man_need(man, p, 3, 0)) + { + man_push_update(man, p, UPT_BY_ADDR); + } + } #if 1 else if (streq(p[0], "test")) { 
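Review bot: the man_push_update() hunk emits two status lines per command. The callbacks it invokes end in RETURN_UPDATE_STATUS (push_util.c), which already prints "SUCCESS: %d client(s) updated" or "ERROR: no client updated" with M_CLIENT, and man_push_update() then prints its own "SUCCESS: push-update-broad command succeeded" / "ERROR: ... command failed", and for UPT_BY_ADDR "SUCCESS: push-update sent to %s:%d"; for UPT_BY_CID the callback prints "ERROR: no client found with CID" and this function adds "ERROR: push-update-cid command failed". Management clients expect exactly one SUCCESS:/ERROR: terminator per command, so drop the msg() calls in one of the two layers (keeping them in man_push_update() is the usual pattern in manage.c). Second point in the UPT_BY_ADDR branch: the port is range-checked via `int port = atoi(port_str);` but the untouched `port_str` is what is passed to openvpn_getaddrinfo(), so "1234x" passes the check and then fails with a confusing resolver error; parse with strtol() and reject trailing characters, or format the validated integer back into the service string. Minor: "ERROR: push-update-addr parse" could name the missing argument.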
diff --git a/src/openvpn/manage.h b/src/openvpn/manage.h index eb19a4e..fd7cb11 100644 --- a/src/openvpn/manage.h +++ b/src/openvpn/manage.h @@ -44,7 +44,6 @@ #define MF_EXTERNAL_KEY_PSSPAD (1<<16) #define MF_EXTERNAL_KEY_DIGEST (1<<17) - #ifdef ENABLE_MANAGEMENT #include "misc.h" @@ -205,6 +204,10 @@ #endif unsigned int (*remote_entry_count)(void *arg); bool (*remote_entry_get)(void *arg, unsigned int index, char **remote); + bool (*push_update_broadcast)(void *arg, const char *options); + bool (*push_update_by_cid)(void *arg, unsigned long cid, const char *options); + bool (*push_update_by_cn)(void *arg, const char *cn, const char *options); + bool (*push_update_by_addr)(void *arg, const struct mroute_addr *maddr, const char *options); }; /* diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index 7f0d890..67a7a79 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -4072,7 +4072,7 @@ } } -static struct multi_instance * +struct multi_instance * lookup_by_cid(struct multi_context *m, const unsigned long cid) { if (m) @@ -4220,6 +4220,10 @@ cb.client_auth = management_client_auth; cb.client_pending_auth = management_client_pending_auth; cb.get_peer_info = management_get_peer_info; + cb.push_update_broadcast = management_callback_send_push_update_broadcast; + cb.push_update_by_cid = management_callback_send_push_update_by_cid; + cb.push_update_by_cn = management_callback_send_push_update_by_cn; + cb.push_update_by_addr = management_callback_send_push_update_by_addr; management_set_callback(management, &cb); } #endif /* ifdef ENABLE_MANAGEMENT */ 
@@ -4344,3 +4348,51 @@ close_instance(top); } + +/** + * Update the vhash with new IP/IPv6 addresses in the multi_context when a + * push-update message containing ifconfig/ifconfig-ipv6 options is sent + * from the server. This function should be called after a push-update + * and old_ip/old_ipv6 are the previous addresses of the client in + * ctx->options.ifconfig_local and ctx->options.ifconfig_ipv6_local. + */ +void +update_vhash(struct multi_context *m, struct multi_instance *mi, const char *old_ip, const char *old_ipv6) +{ + struct in_addr addr; + struct in6_addr new_ipv6; + + if (inet_pton(AF_INET, mi->context.options.ifconfig_local, &addr) == 1) + { + in_addr_t new_ip = addr.s_addr; + + if (mi->context.options.ifconfig_local && (!old_ip || strcmp(old_ip, mi->context.options.ifconfig_local))) + { + /* Add new, remove old if exist */ + multi_learn_in_addr_t(m, mi, new_ip, 0, true); + } + } + + /* TO DO: + * else if (old_ip && !mi->context.options.ifconfig_local) + * { + * // remove old ip + * } + */ + + if (inet_pton(AF_INET6, mi->context.options.ifconfig_ipv6_local, &new_ipv6) == 1) + { + if (mi->context.options.ifconfig_ipv6_local && (!old_ipv6 || strcmp(old_ipv6, mi->context.options.ifconfig_ipv6_local))) + { + /* Add new, remove old if exist */ + multi_learn_in6_addr(m, mi, new_ipv6, 0, true); + } + } + + /* TO DO: + * else if (old_ipv6 && !mi->context.options.ifconfig_ipv6_local) + * { + * // remove old IPv6 + * } + */ +} diff --git a/src/openvpn/multi.h b/src/openvpn/multi.h index 40f7519..4841075 100644 --- a/src/openvpn/multi.h +++ b/src/openvpn/multi.h @@ -710,5 +710,13 @@ */ void multi_assign_peer_id(struct multi_context *m, struct multi_instance *mi); +#ifdef ENABLE_MANAGEMENT +struct multi_instance * +lookup_by_cid(struct multi_context *m, const unsigned long cid); + +#endif + +void +update_vhash(struct multi_context *m, struct multi_instance *mi, const char *old_ip, const char *old_ipv6); #endif /* MULTI_H */ 
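Review bot: update_vhash() in the multi.c hunk dereferences before it checks: `inet_pton(AF_INET, mi->context.options.ifconfig_local, &addr)` runs first and the `mi->context.options.ifconfig_local &&` guard sits inside the if body, so a client without an ifconfig (or whose ifconfig was just removed with `-ifconfig`) passes NULL to inet_pton(); the IPv6 branch has the same ordering. Move the NULL check to the front of each condition. The two "TO DO" blocks mean a removed address is never unlearned, so after `-ifconfig` the vhash still maps the old address to this instance; either implement the removal in this change or say in the commit message and management-notes that removing ifconfig does not update the routing tables. Also, old_ip/old_ipv6 are raw pointers into options that process_incoming_push_update() is about to rewrite; confirm those strings outlive the call (for example, are allocated from options->gc) or copy them before sending.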
diff --git a/src/openvpn/push.h b/src/openvpn/push.h index 18dfcd8..e67c3ac 100644 --- a/src/openvpn/push.h +++ b/src/openvpn/push.h @@ -42,6 +42,16 @@ #define PUSH_OPT_TO_REMOVE (1<<0) #define PUSH_OPT_OPTIONAL (1<<1) +/* Push-update message sender modes */ +typedef enum { + UPT_BROADCAST = 0, + UPT_BY_ADDR = 1, + UPT_BY_CN = 2, +#ifdef ENABLE_MANAGEMENT + UPT_BY_CID = 3 +#endif +} push_update_type; + int process_incoming_push_request(struct context *c); /** @@ -134,4 +144,33 @@ void receive_auth_pending(struct context *c, const struct buffer *buffer); +/** + * @brief A function to send a PUSH_UPDATE control message from server to client(s). + * + * @param m the multi_context, contains all the clients connected to this server. + * @param target the target to which to send the message. It should be: + * `NULL` if `type == UPT_BROADCAST`, + * a `mroute_addr *` if `type == UPT_BY_ADDR`, + * a `char *` if `type == UPT_BY_CN`, + * an `unsigned long *` if `type == UPT_BY_CID`. + * @param msg a string containing the options to send. + * @param type the way to address the message (broadcast, by cid, by cn, by address). + * @param push_bundle_size the maximum size of a bundle of pushed option. Just use PUSH_BUNDLE_SIZE macro. + * @return the number of clients to which the message was sent. + */ +int +send_push_update(struct multi_context *m, const void *target, const char *msg, const push_update_type type, const int push_bundle_size); + +#ifdef ENABLE_MANAGEMENT + +bool management_callback_send_push_update_broadcast(void *arg, const char *options); + +bool management_callback_send_push_update_by_cid(void *arg, unsigned long cid, const char *options); + +bool management_callback_send_push_update_by_cn(void *arg, const char *cn, const char *options); + +bool management_callback_send_push_update_by_addr(void *arg, const struct mroute_addr *maddr, const char *options); + +#endif /* ifdef ENABLE_MANAGEMENT*/ + #endif /* ifndef PUSH_H */ 
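Review bot: the send_push_update() doc comment in push.h says it returns "the number of clients to which the message was sent", but the implementation in push_util.c also returns -EINVAL (empty message, or a bundle that cannot be split) and -ENOENT (unknown cid); document the negative errno returns, since the broadcast and CN callbacks treat every non-positive value as "no client updated". The enum makes UPT_BY_CID conditional on ENABLE_MANAGEMENT while the `target` description lists it unconditionally; an enum value costs nothing, so dropping the #ifdef is simpler than keeping the comment and the enum in sync.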
diff --git a/src/openvpn/push_util.c b/src/openvpn/push_util.c index b4d1e8b..1739510 100644 --- a/src/openvpn/push_util.c +++ b/src/openvpn/push_util.c @@ -3,6 +3,8 @@ #endif #include "push.h" +#include "multi.h" +#include "ssl_verify.h" int process_incoming_push_update(struct context *c, 
@@ -42,3 +44,293 @@ return ret; } + +/** + * Return index of last `,` or `0` if it didn't find any. + * If there is a comma at index `0` it's an error anyway + */ +static int +find_first_comma_of_next_bundle(const char *str, int ix) +{ + while (ix > 0) + { + if (str[ix] == ',') + { + return ix; + } + ix--; + } + return 0; +} + +/* Allocate memory and asseble the final message */ +static char * +forge_msg(const char *src, const char *continuation, struct gc_arena *gc) +{ + int src_len = strlen(src); + int con_len = continuation ? strlen(continuation) : 0; + char *ret = gc_malloc((src_len + sizeof(push_update_cmd) + con_len + 2) * sizeof(char), true, gc); + int i = sizeof(push_update_cmd) -1; + + strcpy(ret, push_update_cmd); + ret[i++] = ','; + strcpy(&ret[i], src); + if (continuation) + { + i += src_len; + strcpy(&ret[i], continuation); + } + return ret; +} + +static char * +gc_strdup(const char *src, struct gc_arena *gc) +{ + char *ret = gc_malloc((strlen(src) + 1) * sizeof(char), true, gc); + + strcpy(ret, src); + return ret; +} + +/* It split the messagge (if necessay) and fill msgs with the message chunks. + * Return `false` on failure an `true` on success. 
+ */ +static bool +message_splitter(char *str, char **msgs, struct gc_arena *gc, const int safe_cap) +{ + if (!str || !*str) + { + return false; + } + + int i = 0; + int im = 0; + + while (*str) + { + /* + ',' - '/0' */ + if (strlen(str) > safe_cap) + { + int ci = find_first_comma_of_next_bundle(str, safe_cap); + if (!ci) + { + /* if no commas were found go to fail, do not send any message */ + return false; + } + str[ci] = '\0'; + /* copy from i to (ci -1) */ + msgs[im] = forge_msg(str, ",push-continuation 2", gc); + i = ci + 1; + } + else + { + if (im) + { + msgs[im] = forge_msg(str, ",push-continuation 1", gc); + } + else + { + msgs[im] = forge_msg(str, NULL, gc); + } + i = strlen(str); + } + str = &str[i]; + im++; + } + return true; +} + +/* It actually send the already divided messagge to one single client */ +static bool +send_single_push_update(struct context *c, char **msgs, unsigned int *option_types_found) +{ + if (!msgs[0] || !*msgs[0]) + { + return false; + } + int i = 0; + struct gc_arena gc = gc_new(); + + while (msgs[i] && *msgs[i]) + { + struct buffer buf = alloc_buf_gc(strlen(msgs[i]), &gc); + + buf_write(&buf, msgs[i], strlen(msgs[i])); + if (!send_control_channel_string(c, msgs[i], D_PUSH)) + { + return false; + } + i++; + + /* After sending the control message, we update the options server-side in the client's context */ + buf_string_compare_advance(&buf, push_update_cmd); + if (process_incoming_push_update(c, pull_permission_mask(c), option_types_found, &buf) == PUSH_MSG_ERROR) + { + msg(M_WARN, "Failed to process push update message sent to client ID: %u", + c->c2.tls_multi ? c->c2.tls_multi->peer_id : UINT32_MAX); + continue; + } + c->options.push_option_types_found |= *option_types_found; + if (!options_postprocess_pull(&c->options, c->c2.es)) + { + msg(M_WARN, "Failed to post-process push update message sent to client ID: %u", + c->c2.tls_multi ? 
c->c2.tls_multi->peer_id : UINT32_MAX); + } + } + gc_free(&gc); + return true; +} + +int +send_push_update(struct multi_context *m, const void *target, const char *msg, const push_update_type type, const int push_bundle_size) +{ + if (!msg || !*msg || !m + || (!target && type != UPT_BROADCAST)) + { + return -EINVAL; + } + + struct gc_arena gc = gc_new(); + /* extra space for possible trailing ifconfig and push-continuation */ + const int extra = 84 + sizeof(push_update_cmd); + /* push_bundle_size is the maximum size of a message, so if the message + * we want to send exceeds that size we have to split it into smaller messages */ + const int safe_cap = push_bundle_size - extra; + int msgs_num = (strlen(msg) / safe_cap) + ((strlen(msg) % safe_cap) != 0); + char **msgs = gc_malloc(sizeof(char *) * (msgs_num + 1), true, &gc); + unsigned int option_types_found = 0; + + msgs[msgs_num] = NULL; + if (!message_splitter(gc_strdup(msg, &gc), msgs, &gc, safe_cap)) + { + gc_free(&gc); + return -EINVAL; + } + +#ifdef ENABLE_MANAGEMENT + if (type == UPT_BY_CID) + { + struct multi_instance *mi = lookup_by_cid(m, *((unsigned long *)target)); + + if (!mi) + { + return -ENOENT; + } + + const char *old_ip = mi->context.options.ifconfig_local; + const char *old_ipv6 = mi->context.options.ifconfig_ipv6_local; + if (!mi->halt + && send_single_push_update(&mi->context, msgs, &option_types_found)) + { + if (option_types_found & OPT_P_UP) + { + update_vhash(m, mi, old_ip, old_ipv6); + } + gc_free(&gc); + return 1; + } + else + { + gc_free(&gc); + return 0; + } + } +#endif /* ifdef ENABLE_MANAGEMENT */ + + int count = 0; + struct hash_iterator hi; + const struct hash_element *he; + + hash_iterator_init(m->iter, &hi); + while ((he = hash_iterator_next(&hi))) + { + struct multi_instance *curr_mi = he->value; + + if (curr_mi->halt) + { + continue; + } + if (type == UPT_BY_ADDR && !mroute_addr_equal(target, &curr_mi->real)) + { + continue; + } + else if (type == UPT_BY_CN) + { + const char 
*curr_cn = tls_common_name(curr_mi->context.c2.tls_multi, false); + if (strcmp(curr_cn, target)) + { + continue; + } + } + /* Either we found a matching client or type is UPT_BROADCAST so we update every client */ + option_types_found = 0; + const char *old_ip = curr_mi->context.options.ifconfig_local; + const char *old_ipv6 = curr_mi->context.options.ifconfig_ipv6_local; + if (!send_single_push_update(&curr_mi->context, msgs, &option_types_found)) + { + msg(M_CLIENT, "ERROR: Peer ID: %u has not been updated", + curr_mi->context.c2.tls_multi ? curr_mi->context.c2.tls_multi->peer_id : UINT32_MAX); + continue; + } + if (option_types_found & OPT_P_UP) + { + update_vhash(m, curr_mi, old_ip, old_ipv6); + } + count++; + } + + hash_iterator_free(&hi); + gc_free(&gc); + return count; +} + +#ifdef ENABLE_MANAGEMENT +#define RETURN_UPDATE_STATUS(n_sent) \ + do { \ + if ((n_sent) > 0) { \ + msg(M_CLIENT, "SUCCESS: %d client(s) updated", (n_sent)); \ + return true; \ + } else { \ + msg(M_CLIENT, "ERROR: no client updated"); \ + return false; \ + } \ + } while (0) + + +bool +management_callback_send_push_update_broadcast(void *arg, const char *options) +{ + int n_sent = send_push_update(arg, NULL, options, UPT_BROADCAST, PUSH_BUNDLE_SIZE); + + RETURN_UPDATE_STATUS(n_sent); +} + +bool +management_callback_send_push_update_by_cid(void *arg, unsigned long cid, const char *options) +{ + int ret = send_push_update(arg, &cid, options, UPT_BY_CID, PUSH_BUNDLE_SIZE); + + if (ret == -ENOENT) + { + msg(M_CLIENT, "ERROR: no client found with CID: %lu", cid); + } + + return (ret > 0); +} + +bool +management_callback_send_push_update_by_cn(void *arg, const char *cn, const char *options) +{ + int n_sent = send_push_update(arg, cn, options, UPT_BY_CN, PUSH_BUNDLE_SIZE); + + RETURN_UPDATE_STATUS(n_sent); +} + +bool +management_callback_send_push_update_by_addr(void *arg, const struct mroute_addr *maddr, const char *options) +{ + int n_sent = send_push_update(arg, maddr, options, UPT_BY_ADDR, 
PUSH_BUNDLE_SIZE); + + RETURN_UPDATE_STATUS(n_sent); +} +#endif /* ifdef ENABLE_MANAGEMENT */ diff --git a/tests/unit_tests/openvpn/Makefile.am b/tests/unit_tests/openvpn/Makefile.am index b24e03c..9a40512 100644 --- a/tests/unit_tests/openvpn/Makefile.am +++ b/tests/unit_tests/openvpn/Makefile.am @@ -343,4 +343,5 @@ $(top_srcdir)/src/openvpn/platform.c \ $(top_srcdir)/src/openvpn/push_util.c \ $(top_srcdir)/src/openvpn/options_util.c \ - $(top_srcdir)/src/openvpn/otime.c \ No newline at end of file + $(top_srcdir)/src/openvpn/otime.c \ + $(top_srcdir)/src/openvpn/list.c \ No newline at end of file diff --git a/tests/unit_tests/openvpn/test_push_update_msg.c b/tests/unit_tests/openvpn/test_push_update_msg.c index d0876bc..c65dd08 100644 --- a/tests/unit_tests/openvpn/test_push_update_msg.c +++ b/tests/unit_tests/openvpn/test_push_update_msg.c @@ -8,6 +8,7 @@ #include <cmocka.h> #include "push.h" #include "options_util.h" +#include "multi.h" /* mocks */ @@ -37,6 +38,12 @@ } bool +options_postprocess_pull(struct options *options, struct env_set *es) +{ + return true; +} + +bool apply_push_options(struct context *c, struct options *options, struct buffer *buf, 
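Review bot: the msgs array in send_push_update() can overflow. msgs_num is computed as ceil(strlen(msg) / safe_cap), but message_splitter() cuts each chunk at the last comma at or before safe_cap, so chunks are normally shorter than safe_cap and the number of chunks can exceed msgs_num; with a long option list the splitter first overwrites the NULL terminator stored at msgs[msgs_num] and then writes past the end of the gc-allocated array, and send_single_push_update()'s `while (msgs[i] && *msgs[i])` reads past it. Since every cut lands on a comma, the chunk count is bounded by the number of commas plus one; size the array from that, or have message_splitter() take the capacity and fail cleanly when it is exceeded. Other points in the same hunk: send_single_push_update() returns false after a failed send_control_channel_string() without gc_free(&gc); send_push_update() returns -ENOENT in the UPT_BY_CID branch without freeing its arena; in the UPT_BY_CN branch `strcmp(curr_cn, target)` is called on the return value of tls_common_name(..., false) with no NULL guard (the test file's mock returns NULL, so the by-CN path cannot be exercised under test without crashing); and RETURN_UPDATE_STATUS reports "ERROR: no client updated" for -EINVAL, where the real cause is that the message was rejected. Finally, the server-side options are rewritten (process_incoming_push_update() followed by options_postprocess_pull()) as soon as the control message is queued, before the client has ACKed or applied it, so a client that rejects a non-optional option leaves server and client state out of sync; if that is accepted it deserves a sentence in the commit message.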
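Review bot: the Makefile.am hunk leaves the file without a trailing newline ("\ No newline at end of file" on both sides); add one while touching that line. In the test_push_update_msg.c hunk, the options_postprocess_pull() mock returns true unconditionally, so the "Failed to post-process push update message" branch in send_single_push_update() is never exercised; a test that makes the mock return false would cover it.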
@@ -94,6 +101,49 @@ } } +const char * +tls_common_name(const struct tls_multi *multi, const bool null) +{ + return NULL; +} + +#ifndef ENABLE_MANAGEMENT +bool +send_control_channel_string(struct context *c, const char *str, int msglevel) +{ + return true; +} +#else /* ifndef ENABLE_MANAGEMENT */ +char **res; +int i; + +bool +send_control_channel_string(struct context *c, const char *str, int msglevel) +{ + if (res && res[i] && strcmp(res[i], str)) + { + printf("\n\nexpected: %s\n\n actual: %s\n\n", res[i], str); + return false; + } + i++; + return true; +} + +struct multi_instance * +lookup_by_cid(struct multi_context *m, const unsigned long cid) +{ + return *(m->instances); +} + +bool +mroute_extract_openvpn_sockaddr(struct mroute_addr *addr, + const struct openvpn_sockaddr *osaddr, + bool use_port) +{ + return true; +} +#endif /* ifndef ENABLE_MANAGEMENT */ + /* tests */ static void @@ -124,7 +174,6 @@ free_buf(&buf); } - static void test_incoming_push_message_error2(void **state) { 
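Review bot: in the test-mock hunk, `char **res; int i;` are file-scope globals named like ordinary locals, so any later `for (int i ...)` in a test silently shadows the counter used by the send_control_channel_string() mock; rename them (for example expected_msgs / expected_idx) and reset the index at the start of each test. The tls_common_name() mock returns NULL, which the production code in push_util.c passes straight to strcmp() on the by-CN path, so either the mock returns a string or the production code gets a NULL guard before that path can be tested. The lookup_by_cid() mock ignores cid and returns *(m->instances); acceptable for the splitter tests, but worth a comment so nobody relies on it for cid-matching tests.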
@@ -209,6 +258,211 @@ free_buf(&buf); } +#ifdef ENABLE_MANAGEMENT +char *r0[] = { + "PUSH_UPDATE,redirect-gateway local,route 192.168.1.0 255.255.255.0" +}; +char *r1[] = { + "PUSH_UPDATE,-dhcp-option,blablalalalalalalalalalalalalf, lalalalalalalalalalalalalalaf,push-continuation 2", + "PUSH_UPDATE, akakakakakakakakakakakaf, dhcp-option DNS 8.8.8.8,redirect-gateway local,push-continuation 2", + "PUSH_UPDATE,route 192.168.1.0 255.255.255.0,push-continuation 1" +}; +char *r3[] = { + "PUSH_UPDATE,,," +}; +char *r4[] = { + "PUSH_UPDATE,-dhcp-option, blablalalalalalalalalalalalalf, lalalalalalalalalalalalalalaf,push-continuation 2", + "PUSH_UPDATE, akakakakakakakakakakakaf,dhcp-option DNS 8.8.8.8, redirect-gateway local,push-continuation 2", + "PUSH_UPDATE, route 192.168.1.0 255.255.255.0,,push-continuation 1" +}; +char *r5[] = { + "PUSH_UPDATE,,-dhcp-option, blablalalalalalalalalalalalalf, lalalalalalalalalalalalalalaf,push-continuation 2", + "PUSH_UPDATE, akakakakakakakakakakakaf,dhcp-option DNS 8.8.8.8, redirect-gateway local,push-continuation 2", + "PUSH_UPDATE, route 192.168.1.0 255.255.255.0,push-continuation 1" +}; +char *r6[] = { + "PUSH_UPDATE,-dhcp-option,blablalalalalalalalalalalalalf, lalalalalalalalalalalalalalaf,push-continuation 2", + "PUSH_UPDATE, akakakakakakakakakakakaf, dhcp-option DNS 8.8.8.8, redirect-gateway 10.10.10.10,,push-continuation 2", + "PUSH_UPDATE, route 192.168.1.0 255.255.255.0,,push-continuation 1" +}; +char *r7[] = { + "PUSH_UPDATE,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,push-continuation 2", + "PUSH_UPDATE,,,,,,,,,,,,,,,,,,,push-continuation 1" +}; +char *r8[] = { + "PUSH_UPDATE,-dhcp-option,blablalalalalalalalalalalalalf, lalalalalalalalalalalalalalaf,push-continuation 2", + "PUSH_UPDATE, akakakakakakakakakakakaf, dhcp-option DNS 8.8.8.8,redirect-gateway\n local,push-continuation 2", + "PUSH_UPDATE,route 192.168.1.0 255.255.255.0\n\n\n,push-continuation 1" +}; +char *r9[] = { + 
"PUSH_UPDATE,," +}; + + +const char *msg0 = "redirect-gateway local,route 192.168.1.0 255.255.255.0"; +const char *msg1 = "-dhcp-option,blablalalalalalalalalalalalalf, lalalalalalalalalalalalalalaf," + " akakakakakakakakakakakaf, dhcp-option DNS 8.8.8.8,redirect-gateway local,route 192.168.1.0 255.255.255.0"; +const char *msg2 = ""; +const char *msg3 = ",,"; +const char *msg4 = "-dhcp-option, blablalalalalalalalalalalalalf, lalalalalalalalalalalalalalaf," + " akakakakakakakakakakakaf,dhcp-option DNS 8.8.8.8, redirect-gateway local, route 192.168.1.0 255.255.255.0,"; +const char *msg5 = ",-dhcp-option, blablalalalalalalalalalalalalf, lalalalalalalalalalalalalalaf," + " akakakakakakakakakakakaf,dhcp-option DNS 8.8.8.8, redirect-gateway local, route 192.168.1.0 255.255.255.0"; +const char *msg6 = "-dhcp-option,blablalalalalalalalalalalalalf, lalalalalalalalalalalalalalaf, akakakakakakakakakakakaf," + " dhcp-option DNS 8.8.8.8, redirect-gateway 10.10.10.10,, route 192.168.1.0 255.255.255.0,"; +const char *msg7 = ",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"; +const char *msg8 = "-dhcp-option,blablalalalalalalalalalalalalf, lalalalalalalalalalalalalalaf, akakakakakakakakakakakaf," + " dhcp-option DNS 8.8.8.8,redirect-gateway\n local,route 192.168.1.0 255.255.255.0\n\n\n"; +const char *msg9 = ","; +const char *msg10 = "Voilà! In view, a humble vaudevillian veteran cast vicariously as both victim and villain by the vicissitudes" + " of Fate. This visage no mere veneer of vanity is a vestige of the vox populi now vacant vanished. However this" + " valorous visitation of a by-gone vexation stands vivified and has vowed to vanquish these venal and virulent" + " vermin vanguarding vice and vouchsafing the violently vicious and voracious violation of volition. 
The only" + " verdict is vengeance; a vendetta held as a votive not in vain for the value and veracity of such shall one" + " day vindicate the vigilant and the virtuous. Verily this vichyssoise of verbiage veers most verbose so let" + " me simply add that it is my very good honor to meet you and you may call me V."; + +#define PUSH_BUNDLE_SIZE_TEST 184 + +void +update_vhash(struct multi_context *m, struct multi_instance *mi, const char *old_ip, const char *old_ipv6) +{ + /* Just a mock */ +} + +static void +test_send_push_msg0(void **state) +{ + i = 0; + res = r0; + struct multi_context *m = *state; + const unsigned long cid = 0; + assert_int_equal(send_push_update(m, &cid, msg0, UPT_BY_CID, PUSH_BUNDLE_SIZE_TEST), 1); +} +static void +test_send_push_msg1(void **state) +{ + i = 0; + res = r1; + struct multi_context *m = *state; + const unsigned long cid = 0; + assert_int_equal(send_push_update(m, &cid, msg1, UPT_BY_CID, PUSH_BUNDLE_SIZE_TEST), 1); +} + +static void +test_send_push_msg2(void **state) +{ + i = 0; + res = NULL; + struct multi_context *m = *state; + const unsigned long cid = 0; + assert_int_equal(send_push_update(m, &cid, msg2, UPT_BY_CID, PUSH_BUNDLE_SIZE_TEST), -EINVAL); +} + +static void +test_send_push_msg3(void **state) +{ + i = 0; + res = r3; + struct multi_context *m = *state; + const unsigned long cid = 0; + assert_int_equal(send_push_update(m, &cid, msg3, UPT_BY_CID, PUSH_BUNDLE_SIZE_TEST), 1); +} + +static void +test_send_push_msg4(void **state) +{ + i = 0; + res = r4; + struct multi_context *m = *state; + const unsigned long cid = 0; + assert_int_equal(send_push_update(m, &cid, msg4, UPT_BY_CID, PUSH_BUNDLE_SIZE_TEST), 1); +} + +static void +test_send_push_msg5(void **state) +{ + i = 0; + res = r5; + struct multi_context *m = *state; + const unsigned long cid = 0; + assert_int_equal(send_push_update(m, &cid, msg5, UPT_BY_CID, PUSH_BUNDLE_SIZE_TEST), 1); +} + +static void +test_send_push_msg6(void **state) +{ + i = 0; + res = r6; + struct 
multi_context *m = *state; + const unsigned long cid = 0; + assert_int_equal(send_push_update(m, &cid, msg6, UPT_BY_CID, PUSH_BUNDLE_SIZE_TEST), 1); +} + +static void +test_send_push_msg7(void **state) +{ + i = 0; + res = r7; + struct multi_context *m = *state; + const unsigned long cid = 0; + assert_int_equal(send_push_update(m, &cid, msg7, UPT_BY_CID, PUSH_BUNDLE_SIZE_TEST), 1); +} + +static void +test_send_push_msg8(void **state) +{ + i = 0; + res = r8; + struct multi_context *m = *state; + const unsigned long cid = 0; + assert_int_equal(send_push_update(m, &cid, msg8, UPT_BY_CID, PUSH_BUNDLE_SIZE_TEST), 1); +} + +static void +test_send_push_msg9(void **state) +{ + i = 0; + res = r9; + struct multi_context *m = *state; + const unsigned long cid = 0; + assert_int_equal(send_push_update(m, &cid, msg9, UPT_BY_CID, PUSH_BUNDLE_SIZE_TEST), 1); +} + +static void +test_send_push_msg10(void **state) +{ + i = 0; + res = NULL; + struct multi_context *m = *state; + const unsigned long cid = 0; + assert_int_equal(send_push_update(m, &cid, msg10, UPT_BY_CID, PUSH_BUNDLE_SIZE_TEST), -EINVAL); +} + +#undef PUSH_BUNDLE_SIZE_TEST + +static int +setup2(void **state) +{ + struct multi_context *m = calloc(1, sizeof(struct multi_context)); + m->instances = calloc(1, sizeof(struct multi_instance *)); + struct multi_instance *mi = calloc(1, sizeof(struct multi_instance)); + *(m->instances) = mi; + *state = m; + return 0; +} + +static int +teardown2(void **state) +{ + struct multi_context *m = *state; + free(*(m->instances)); + free(m->instances); + free(m); + return 0; +} +#endif /* ifdef ENABLE_MANAGEMENT */ + static int setup(void **state) { 
@@ -238,7 +492,20 @@ cmocka_unit_test_setup_teardown(test_incoming_push_message_1, setup, teardown), cmocka_unit_test_setup_teardown(test_incoming_push_message_bad_format, setup, teardown), cmocka_unit_test_setup_teardown(test_incoming_push_message_mix, setup, teardown), - cmocka_unit_test_setup_teardown(test_incoming_push_message_mix2, setup, teardown) + cmocka_unit_test_setup_teardown(test_incoming_push_message_mix2, setup, teardown), +#ifdef ENABLE_MANAGEMENT + cmocka_unit_test_setup_teardown(test_send_push_msg0, setup2, teardown2), + cmocka_unit_test_setup_teardown(test_send_push_msg1, setup2, teardown2), + cmocka_unit_test_setup_teardown(test_send_push_msg2, setup2, teardown2), + cmocka_unit_test_setup_teardown(test_send_push_msg3, setup2, teardown2), + cmocka_unit_test_setup_teardown(test_send_push_msg4, setup2, teardown2), + cmocka_unit_test_setup_teardown(test_send_push_msg5, setup2, teardown2), + cmocka_unit_test_setup_teardown(test_send_push_msg6, setup2, teardown2), + cmocka_unit_test_setup_teardown(test_send_push_msg7, setup2, teardown2), + cmocka_unit_test_setup_teardown(test_send_push_msg8, setup2, teardown2), + cmocka_unit_test_setup_teardown(test_send_push_msg9, setup2, teardown2), + cmocka_unit_test_setup_teardown(test_send_push_msg10, setup2, teardown2) +#endif }; return cmocka_run_group_tests(tests, NULL, NULL); -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/869?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Ie82bcc7a8e583de9156b185d71d1a323ed8df3fc Gerrit-Change-Number: 869 Gerrit-PatchSet: 10 Gerrit-Owner: mrbff <ma...@ma...> Gerrit-Reviewer: cron2 <ge...@gr...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-Reviewer: stipa <lst...@gm...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Attention: cron2 <ge...@gr...> Gerrit-Attention: 
flichtenheld <fr...@li...> Gerrit-Attention: stipa <lst...@gm...> Gerrit-Attention: mrbff <ma...@ma...> Gerrit-MessageType: newpatchset |
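Review bot: in the mocks hunk (@@ -94,6 +101,49 @@) the send_control_channel_string mock indexes `res[i]` with no bound and the expected-output arrays r0..r9 carry no terminating NULL, so if send_push_update ever emits one chunk more than the test expects, the mock compares against memory past the end of the array instead of failing the test. Terminate each rN with a NULL entry and make the mock fail when `res[i] == NULL`. In the same hunk the tls_common_name mock returns NULL, which means any future UPT_BY_CN test would crash inside `strcmp(curr_cn, target)` rather than fail cleanly; returning a fixed string is safer.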
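Review bot: in the tests hunk (@@ -209,6 +258,211 @@) test_send_push_msg0..msg9 assert only on the return value of send_push_update and never check that every expected chunk was sent, so a run that emits the first two of the three chunks in r1 still passes; add `assert_int_equal(i, <number of entries in rN>)` after each call. Coverage is also limited to UPT_BY_CID: the broadcast, by-CN and by-address branches that walk `m->iter` are untested even though list.c was added to the test sources, and setup2 never initialises `m->iter`, so exercising them with this fixture would hand a NULL hash to hash_iterator_init. r2 is absent on purpose because msg2 returns -EINVAL with `res = NULL`; a one-line comment saying so would save the next reader a search.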
From: mrbff (C. Review) <ge...@op...> - 2025-07-09 16:30:07
|
Attention is currently required from: cron2, flichtenheld, mrbff, plaisthos, stipa. Hello cron2, flichtenheld, plaisthos, stipa, I'd like you to reexamine a change. Please visit http://gerrit.openvpn.net/c/openvpn/+/869?usp=email to look at the new patch set (#9). Change subject: PUSH_UPDATE message sender: enabling the server to send PUSH_UPDATE control messages ...................................................................... PUSH_UPDATE message sender: enabling the server to send PUSH_UPDATE control messages Using the management interface you can now target one or more clients (via broadcast, via cid, via common name, via address) and send a PUSH_UPDATE control message to update some options. Change-Id: Ie82bcc7a8e583de9156b185d71d1a323ed8df3fc Signed-off-by: Marco Baffo <ma...@ma...> --- M CMakeLists.txt M doc/management-notes.txt M src/openvpn/manage.c M src/openvpn/manage.h M src/openvpn/multi.c M src/openvpn/multi.h M src/openvpn/push.h M src/openvpn/push_util.c M tests/unit_tests/openvpn/Makefile.am M tests/unit_tests/openvpn/test_push_update_msg.c 10 files changed, 895 insertions(+), 6 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/69/869/9 diff --git a/CMakeLists.txt b/CMakeLists.txt index 54cf503..1381e03 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -861,6 +861,7 @@ src/openvpn/push_util.c src/openvpn/options_util.c src/openvpn/otime.c + src/openvpn/list.c ) if (TARGET test_argv) diff --git a/doc/management-notes.txt b/doc/management-notes.txt index f1d2930..58393da 100644 --- a/doc/management-notes.txt +++ b/doc/management-notes.txt 
@@ -1028,6 +1028,51 @@ stored outside of the filesystem (e.g. in Mac OS X Keychain) with OpenVPN via the management interface. +COMMAND -- push-update-broad (OpenVPN 2.7 or higher) +---------------------------------------------------- +Send a message to every connected client to update options at runtime. +The updatable options are: "block-ipv6", "block-outside-dns", "dhcp-option", +"dns", "ifconfig", "ifconfig-ipv6", "redirect-gateway", "redirect-private", +"route", "route-gateway", "route-ipv6", "route-metric", "topology", +"tun-mtu", "keepalive". When a valid option is pushed, the receiving client will +delete every previous value and set new value, so the update of the option will +not be incremental even when theoretically possible (ex. with "redirect-gateway"). +The '-' symbol in front of an option means the option should be removed. +When an option is used with '-', it cannot take any parameter. +The '?' symbol in front of an option means the option's update is optional +so if the client do not support it, that option will just be ignored without +making fail the entire command. The '-' and '?' symbols can be used together. + +Option Format Ex. + `-?option`, `-option`, `?option parameters` are valid formats, + `?-option` is not a valid format. + +Example + push-update-broad "route 10.10.10.1 255.255.255.255, -dns, ?tun-mtu 1400" + +COMMAND -- push-update-cid (OpenVPN 2.7 or higher) +---------------------------------------------------- +Same as push-update-broad but you must target a single client using client id. + +Example + push-update-cid 42 "route 10.10.10.1 255.255.255.255, -dns, ?tun-mtu 1400" + +COMMAND -- push-update-cn (OpenVPN 2.7 or higher) +---------------------------------------------------- +Same as push-update-broad but target the clients based on the provided common name +(usually just one client per common name is permitted except if "duplicate-cn" option is used). 
+ +Example + push-update-cid Client0 "route 10.10.10.1 255.255.255.255, -dns, ?tun-mtu 1400" + +COMMAND -- push-update-addr (OpenVPN 2.7 or higher) +---------------------------------------------------- +Same as push-update-broad but target only the client(s) connecting from the +provided address (real address). Support both IPv4 and IPv6. + +Example + push-update-addr 9.9.9.9 1234 "route 10.10.10.1 255.255.255.255, -dns, ?tun-mtu 1400" + OUTPUT FORMAT ------------- diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c index 8836e79..251b076 100644 --- a/src/openvpn/manage.c +++ b/src/openvpn/manage.c @@ -24,7 +24,6 @@ #ifdef HAVE_CONFIG_H #include "config.h" #endif - #include "syshead.h" #ifdef ENABLE_MANAGEMENT @@ -42,6 +41,7 @@ #include "manage.h" #include "openvpn.h" #include "dco.h" +#include "push.h" #include "memdbg.h" @@ -124,6 +124,11 @@ msg(M_CLIENT, "username type u : Enter username u for a queried OpenVPN username."); msg(M_CLIENT, "verb [n] : Set log verbosity level to n, or show if n is absent."); msg(M_CLIENT, "version [n] : Set client's version to n or show current version of daemon."); + msg(M_CLIENT, "push-update-broad options : Broadcast a message to update the specified options."); + msg(M_CLIENT, " Ex. push-update-broad \"route something, -dns\""); + msg(M_CLIENT, "push-update-cid CID options : Send an update message to the client identified by CID."); + msg(M_CLIENT, "push-update-cn CN options : Send an update message to the client(s) with the specified Common Name."); + msg(M_CLIENT, "push-update-addr ip port options : Send an update message to the client(s) connecting from the provided address."); msg(M_CLIENT, "END"); } 
@@ -1335,6 +1340,154 @@ } static void +man_push_update(struct management *man, const char **p, const push_update_type type) +{ + if (type == UPT_BROADCAST) + { + if (!man->persist.callback.push_update_broadcast) + { + man_command_unsupported("push-update-broad"); + return; + } + + const bool status = (*man->persist.callback.push_update_broadcast)(man->persist.callback.arg, p[1]); + + if (status) + { + msg(M_CLIENT, "SUCCESS: push-update-broad command succeeded"); + } + else + { + msg(M_CLIENT, "ERROR: push-update-broad command failed"); + } + } + else if (type == UPT_BY_CID) + { + if (!man->persist.callback.push_update_by_cid) + { + man_command_unsupported("push-update-cid"); + return; + } + + unsigned long cid = 0; + + if (!parse_cid(p[1], &cid)) + { + msg(M_CLIENT, "ERROR: push-update-cid fail during cid parsing"); + return; + } + + const bool status = (*man->persist.callback.push_update_by_cid)(man->persist.callback.arg, cid, p[2]); + + if (status) + { + msg(M_CLIENT, "SUCCESS: push-update-cid command succeeded"); + } + else + { + msg(M_CLIENT, "ERROR: push-update-cid command failed"); + } + } + else if (type == UPT_BY_CN) + { + if (!man->persist.callback.push_update_by_cn) + { + man_command_unsupported("push-update-cn"); + return; + } + + const bool status = (*man->persist.callback.push_update_by_cn)(man->persist.callback.arg, p[1], p[2]); + + if (status) + { + msg(M_CLIENT, "SUCCESS: push-update-cn command succeeded"); + } + else + { + msg(M_CLIENT, "ERROR: push-update-cn command failed"); + } + } + else if (type == UPT_BY_ADDR) + { + if (!man->persist.callback.push_update_by_addr) + { + man_command_unsupported("push-update-addr"); + return; + } + + const char *ip_str = p[1]; + const char *port_str = p[2]; + const char *options = p[3]; + + if (!strlen(ip_str) || !strlen(port_str)) + { + msg(M_CLIENT, "ERROR: push-update-addr parse"); + return; + } + + struct addrinfo *res = NULL; + int port = atoi(port_str); + + if (port < 1 || port > 65535) + { + 
msg(M_CLIENT, "ERROR: port number is out of range: %s", port_str); + return; + } + + int status = openvpn_getaddrinfo(GETADDR_MSG_VIRT_OUT, ip_str, port_str, 0, NULL, AF_UNSPEC, &res); + + if (status != 0 || !res) + { + msg(M_CLIENT, "ERROR: error resolving address: %s (%s)", ip_str, gai_strerror(status)); + return; + } + + struct addrinfo *rp; + bool found_client = false; + + /* Iterate through resolved addresses */ + for (rp = res; rp != NULL; rp = rp->ai_next) + { + struct openvpn_sockaddr saddr; + struct mroute_addr maddr; + + CLEAR(saddr); + switch (rp->ai_family) + { + case AF_INET: + saddr.addr.in4 = *((struct sockaddr_in *)rp->ai_addr); + break; + + case AF_INET6: + saddr.addr.in6 = *((struct sockaddr_in6 *)rp->ai_addr); + break; + + default: + continue; + } + + if (!mroute_extract_openvpn_sockaddr(&maddr, &saddr, true)) + { + continue; + } + + if ((*man->persist.callback.push_update_by_addr)(man->persist.callback.arg, &maddr, options)) + { + msg(M_CLIENT, "SUCCESS: push-update sent to %s:%d", ip_str, port); + found_client = true; + break; + } + } + + if (!found_client) + { + msg(M_CLIENT, "ERROR: no client found at address %s:%d", ip_str, port); + } + freeaddrinfo(res); + } +} + +static void man_dispatch_command(struct management *man, struct status_output *so, const char **p, const int nparms) { struct gc_arena gc = gc_new(); @@ -1656,6 +1809,34 @@ man_remote(man, p); } } + else if (streq(p[0], "push-update-broad")) + { + if (man_need(man, p, 1, 0)) + { + man_push_update(man, p, UPT_BROADCAST); + } + } + else if (streq(p[0], "push-update-cid")) + { + if (man_need(man, p, 2, 0)) + { + man_push_update(man, p, UPT_BY_CID); + } + } + else if (streq(p[0], "push-update-cn")) + { + if (man_need(man, p, 2, 0)) + { + man_push_update(man, p, UPT_BY_CN); + } + } + else if (streq(p[0], "push-update-addr")) + { + if (man_need(man, p, 3, 0)) + { + man_push_update(man, p, UPT_BY_ADDR); + } + } #if 1 else if (streq(p[0], "test")) { 
diff --git a/src/openvpn/manage.h b/src/openvpn/manage.h index eb19a4e..fd7cb11 100644 --- a/src/openvpn/manage.h +++ b/src/openvpn/manage.h @@ -44,7 +44,6 @@ #define MF_EXTERNAL_KEY_PSSPAD (1<<16) #define MF_EXTERNAL_KEY_DIGEST (1<<17) - #ifdef ENABLE_MANAGEMENT #include "misc.h" @@ -205,6 +204,10 @@ #endif unsigned int (*remote_entry_count)(void *arg); bool (*remote_entry_get)(void *arg, unsigned int index, char **remote); + bool (*push_update_broadcast)(void *arg, const char *options); + bool (*push_update_by_cid)(void *arg, unsigned long cid, const char *options); + bool (*push_update_by_cn)(void *arg, const char *cn, const char *options); + bool (*push_update_by_addr)(void *arg, const struct mroute_addr *maddr, const char *options); }; /* diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index 7f0d890..3a4851d 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -4072,7 +4072,7 @@ } } -static struct multi_instance * +struct multi_instance * lookup_by_cid(struct multi_context *m, const unsigned long cid) { if (m) @@ -4220,6 +4220,10 @@ cb.client_auth = management_client_auth; cb.client_pending_auth = management_client_pending_auth; cb.get_peer_info = management_get_peer_info; + cb.push_update_broadcast = management_callback_send_push_update_broadcast; + cb.push_update_by_cid = management_callback_send_push_update_by_cid; + cb.push_update_by_cn = management_callback_send_push_update_by_cn; + cb.push_update_by_addr = management_callback_send_push_update_by_addr; management_set_callback(management, &cb); } #endif /* ifdef ENABLE_MANAGEMENT */ 
@@ -4344,3 +4348,51 @@ close_instance(top); } + +#ifdef ENABLE_MANAGEMENT +/** + * Update the vhash with new IP/IPv6 addresses in the multi_context when a + * push-update message containing ifconfig/ifconfig-ipv6 options is sent + * from the server. + */ +void +update_vhash(struct multi_context *m, struct multi_instance *mi, const char *old_ip, const char *old_ipv6) +{ + struct in_addr addr; + struct in6_addr new_ipv6; + + if (inet_pton(AF_INET, mi->context.options.ifconfig_local, &addr) == 1) + { + in_addr_t new_ip = addr.s_addr; + + if (mi->context.options.ifconfig_local && (!old_ip || strcmp(old_ip, mi->context.options.ifconfig_local))) + { + /* Add new, remove old if exist */ + multi_learn_in_addr_t(m, mi, new_ip, 0, true); + } + } + + /* TO DO: + * else if (old_ip && !mi->context.options.ifconfig_local) + * { + * // remove old ip + * } + */ + + if (inet_pton(AF_INET6, mi->context.options.ifconfig_ipv6_local, &new_ipv6) == 1) + { + if (mi->context.options.ifconfig_ipv6_local && (!old_ipv6 || strcmp(old_ipv6, mi->context.options.ifconfig_ipv6_local))) + { + /* Add new, remove old if exist */ + multi_learn_in6_addr(m, mi, new_ipv6, 0, true); + } + } + + /* TO DO: + * else if (old_ipv6 && !mi->context.options.ifconfig_ipv6_local) + * { + * // remove old IPv6 + * } + */ +} +#endif /* ifdef ENABLE_MANAGEMENT */ diff --git a/src/openvpn/multi.h b/src/openvpn/multi.h index 40f7519..e0ed00f 100644 --- a/src/openvpn/multi.h +++ b/src/openvpn/multi.h @@ -710,5 +710,13 @@ */ void multi_assign_peer_id(struct multi_context *m, struct multi_instance *mi); +#ifdef ENABLE_MANAGEMENT +struct multi_instance * +lookup_by_cid(struct multi_context *m, const unsigned long cid); + +void +update_vhash(struct multi_context *m, struct multi_instance *mi, const char *old_ip, const char *old_ipv6); + +#endif #endif /* MULTI_H */ diff --git a/src/openvpn/push.h b/src/openvpn/push.h index 18dfcd8..e67c3ac 100644 --- a/src/openvpn/push.h +++ b/src/openvpn/push.h 
@@ -42,6 +42,16 @@ #define PUSH_OPT_TO_REMOVE (1<<0) #define PUSH_OPT_OPTIONAL (1<<1) +/* Push-update message sender modes */ +typedef enum { + UPT_BROADCAST = 0, + UPT_BY_ADDR = 1, + UPT_BY_CN = 2, +#ifdef ENABLE_MANAGEMENT + UPT_BY_CID = 3 +#endif +} push_update_type; + int process_incoming_push_request(struct context *c); /** @@ -134,4 +144,33 @@ void receive_auth_pending(struct context *c, const struct buffer *buffer); +/** + * @brief A function to send a PUSH_UPDATE control message from server to client(s). + * + * @param m the multi_context, contains all the clients connected to this server. + * @param target the target to which to send the message. It should be: + * `NULL` if `type == UPT_BROADCAST`, + * a `mroute_addr *` if `type == UPT_BY_ADDR`, + * a `char *` if `type == UPT_BY_CN`, + * an `unsigned long *` if `type == UPT_BY_CID`. + * @param msg a string containing the options to send. + * @param type the way to address the message (broadcast, by cid, by cn, by address). + * @param push_bundle_size the maximum size of a bundle of pushed option. Just use PUSH_BUNDLE_SIZE macro. + * @return the number of clients to which the message was sent. + */ +int +send_push_update(struct multi_context *m, const void *target, const char *msg, const push_update_type type, const int push_bundle_size); + +#ifdef ENABLE_MANAGEMENT + +bool management_callback_send_push_update_broadcast(void *arg, const char *options); + +bool management_callback_send_push_update_by_cid(void *arg, unsigned long cid, const char *options); + +bool management_callback_send_push_update_by_cn(void *arg, const char *cn, const char *options); + +bool management_callback_send_push_update_by_addr(void *arg, const struct mroute_addr *maddr, const char *options); + +#endif /* ifdef ENABLE_MANAGEMENT*/ + #endif /* ifndef PUSH_H */ diff --git a/src/openvpn/push_util.c b/src/openvpn/push_util.c index b4d1e8b..1739510 100644 --- a/src/openvpn/push_util.c +++ b/src/openvpn/push_util.c 
@@ -3,6 +3,8 @@ #endif #include "push.h" +#include "multi.h" +#include "ssl_verify.h" int process_incoming_push_update(struct context *c, 
@@ -42,3 +44,293 @@ return ret; } + +/** + * Return index of last `,` or `0` if it didn't find any. + * If there is a comma at index `0` it's an error anyway + */ +static int +find_first_comma_of_next_bundle(const char *str, int ix) +{ + while (ix > 0) + { + if (str[ix] == ',') + { + return ix; + } + ix--; + } + return 0; +} + +/* Allocate memory and asseble the final message */ +static char * +forge_msg(const char *src, const char *continuation, struct gc_arena *gc) +{ + int src_len = strlen(src); + int con_len = continuation ? strlen(continuation) : 0; + char *ret = gc_malloc((src_len + sizeof(push_update_cmd) + con_len + 2) * sizeof(char), true, gc); + int i = sizeof(push_update_cmd) -1; + + strcpy(ret, push_update_cmd); + ret[i++] = ','; + strcpy(&ret[i], src); + if (continuation) + { + i += src_len; + strcpy(&ret[i], continuation); + } + return ret; +} + +static char * +gc_strdup(const char *src, struct gc_arena *gc) +{ + char *ret = gc_malloc((strlen(src) + 1) * sizeof(char), true, gc); + + strcpy(ret, src); + return ret; +} + +/* It split the messagge (if necessay) and fill msgs with the message chunks. + * Return `false` on failure an `true` on success. 
+ */ +static bool +message_splitter(char *str, char **msgs, struct gc_arena *gc, const int safe_cap) +{ + if (!str || !*str) + { + return false; + } + + int i = 0; + int im = 0; + + while (*str) + { + /* + ',' - '/0' */ + if (strlen(str) > safe_cap) + { + int ci = find_first_comma_of_next_bundle(str, safe_cap); + if (!ci) + { + /* if no commas were found go to fail, do not send any message */ + return false; + } + str[ci] = '\0'; + /* copy from i to (ci -1) */ + msgs[im] = forge_msg(str, ",push-continuation 2", gc); + i = ci + 1; + } + else + { + if (im) + { + msgs[im] = forge_msg(str, ",push-continuation 1", gc); + } + else + { + msgs[im] = forge_msg(str, NULL, gc); + } + i = strlen(str); + } + str = &str[i]; + im++; + } + return true; +} + +/* It actually send the already divided messagge to one single client */ +static bool +send_single_push_update(struct context *c, char **msgs, unsigned int *option_types_found) +{ + if (!msgs[0] || !*msgs[0]) + { + return false; + } + int i = 0; + struct gc_arena gc = gc_new(); + + while (msgs[i] && *msgs[i]) + { + struct buffer buf = alloc_buf_gc(strlen(msgs[i]), &gc); + + buf_write(&buf, msgs[i], strlen(msgs[i])); + if (!send_control_channel_string(c, msgs[i], D_PUSH)) + { + return false; + } + i++; + + /* After sending the control message, we update the options server-side in the client's context */ + buf_string_compare_advance(&buf, push_update_cmd); + if (process_incoming_push_update(c, pull_permission_mask(c), option_types_found, &buf) == PUSH_MSG_ERROR) + { + msg(M_WARN, "Failed to process push update message sent to client ID: %u", + c->c2.tls_multi ? c->c2.tls_multi->peer_id : UINT32_MAX); + continue; + } + c->options.push_option_types_found |= *option_types_found; + if (!options_postprocess_pull(&c->options, c->c2.es)) + { + msg(M_WARN, "Failed to post-process push update message sent to client ID: %u", + c->c2.tls_multi ? 
c->c2.tls_multi->peer_id : UINT32_MAX); + } + } + gc_free(&gc); + return true; +} + +int +send_push_update(struct multi_context *m, const void *target, const char *msg, const push_update_type type, const int push_bundle_size) +{ + if (!msg || !*msg || !m + || (!target && type != UPT_BROADCAST)) + { + return -EINVAL; + } + + struct gc_arena gc = gc_new(); + /* extra space for possible trailing ifconfig and push-continuation */ + const int extra = 84 + sizeof(push_update_cmd); + /* push_bundle_size is the maximum size of a message, so if the message + * we want to send exceeds that size we have to split it into smaller messages */ + const int safe_cap = push_bundle_size - extra; + int msgs_num = (strlen(msg) / safe_cap) + ((strlen(msg) % safe_cap) != 0); + char **msgs = gc_malloc(sizeof(char *) * (msgs_num + 1), true, &gc); + unsigned int option_types_found = 0; + + msgs[msgs_num] = NULL; + if (!message_splitter(gc_strdup(msg, &gc), msgs, &gc, safe_cap)) + { + gc_free(&gc); + return -EINVAL; + } + +#ifdef ENABLE_MANAGEMENT + if (type == UPT_BY_CID) + { + struct multi_instance *mi = lookup_by_cid(m, *((unsigned long *)target)); + + if (!mi) + { + return -ENOENT; + } + + const char *old_ip = mi->context.options.ifconfig_local; + const char *old_ipv6 = mi->context.options.ifconfig_ipv6_local; + if (!mi->halt + && send_single_push_update(&mi->context, msgs, &option_types_found)) + { + if (option_types_found & OPT_P_UP) + { + update_vhash(m, mi, old_ip, old_ipv6); + } + gc_free(&gc); + return 1; + } + else + { + gc_free(&gc); + return 0; + } + } +#endif /* ifdef ENABLE_MANAGEMENT */ + + int count = 0; + struct hash_iterator hi; + const struct hash_element *he; + + hash_iterator_init(m->iter, &hi); + while ((he = hash_iterator_next(&hi))) + { + struct multi_instance *curr_mi = he->value; + + if (curr_mi->halt) + { + continue; + } + if (type == UPT_BY_ADDR && !mroute_addr_equal(target, &curr_mi->real)) + { + continue; + } + else if (type == UPT_BY_CN) + { + const char 
*curr_cn = tls_common_name(curr_mi->context.c2.tls_multi, false); + if (strcmp(curr_cn, target)) + { + continue; + } + } + /* Either we found a matching client or type is UPT_BROADCAST so we update every client */ + option_types_found = 0; + const char *old_ip = curr_mi->context.options.ifconfig_local; + const char *old_ipv6 = curr_mi->context.options.ifconfig_ipv6_local; + if (!send_single_push_update(&curr_mi->context, msgs, &option_types_found)) + { + msg(M_CLIENT, "ERROR: Peer ID: %u has not been updated", + curr_mi->context.c2.tls_multi ? curr_mi->context.c2.tls_multi->peer_id : UINT32_MAX); + continue; + } + if (option_types_found & OPT_P_UP) + { + update_vhash(m, curr_mi, old_ip, old_ipv6); + } + count++; + } + + hash_iterator_free(&hi); + gc_free(&gc); + return count; +} + +#ifdef ENABLE_MANAGEMENT +#define RETURN_UPDATE_STATUS(n_sent) \ + do { \ + if ((n_sent) > 0) { \ + msg(M_CLIENT, "SUCCESS: %d client(s) updated", (n_sent)); \ + return true; \ + } else { \ + msg(M_CLIENT, "ERROR: no client updated"); \ + return false; \ + } \ + } while (0) + + +bool +management_callback_send_push_update_broadcast(void *arg, const char *options) +{ + int n_sent = send_push_update(arg, NULL, options, UPT_BROADCAST, PUSH_BUNDLE_SIZE); + + RETURN_UPDATE_STATUS(n_sent); +} + +bool +management_callback_send_push_update_by_cid(void *arg, unsigned long cid, const char *options) +{ + int ret = send_push_update(arg, &cid, options, UPT_BY_CID, PUSH_BUNDLE_SIZE); + + if (ret == -ENOENT) + { + msg(M_CLIENT, "ERROR: no client found with CID: %lu", cid); + } + + return (ret > 0); +} + +bool +management_callback_send_push_update_by_cn(void *arg, const char *cn, const char *options) +{ + int n_sent = send_push_update(arg, cn, options, UPT_BY_CN, PUSH_BUNDLE_SIZE); + + RETURN_UPDATE_STATUS(n_sent); +} + +bool +management_callback_send_push_update_by_addr(void *arg, const struct mroute_addr *maddr, const char *options) +{ + int n_sent = send_push_update(arg, maddr, options, UPT_BY_ADDR, 
PUSH_BUNDLE_SIZE); + + RETURN_UPDATE_STATUS(n_sent); +} +#endif /* ifdef ENABLE_MANAGEMENT */ diff --git a/tests/unit_tests/openvpn/Makefile.am b/tests/unit_tests/openvpn/Makefile.am index b24e03c..9a40512 100644 --- a/tests/unit_tests/openvpn/Makefile.am +++ b/tests/unit_tests/openvpn/Makefile.am @@ -343,4 +343,5 @@ $(top_srcdir)/src/openvpn/platform.c \ $(top_srcdir)/src/openvpn/push_util.c \ $(top_srcdir)/src/openvpn/options_util.c \ - $(top_srcdir)/src/openvpn/otime.c \ No newline at end of file + $(top_srcdir)/src/openvpn/otime.c \ + $(top_srcdir)/src/openvpn/list.c \ No newline at end of file diff --git a/tests/unit_tests/openvpn/test_push_update_msg.c b/tests/unit_tests/openvpn/test_push_update_msg.c index d0876bc..c65dd08 100644 --- a/tests/unit_tests/openvpn/test_push_update_msg.c +++ b/tests/unit_tests/openvpn/test_push_update_msg.c @@ -8,6 +8,7 @@ #include <cmocka.h> #include "push.h" #include "options_util.h" +#include "multi.h" /* mocks */ @@ -37,6 +38,12 @@ } bool +options_postprocess_pull(struct options *options, struct env_set *es) +{ + return true; +} + +bool apply_push_options(struct context *c, struct options *options, struct buffer *buf, 
@@ -94,6 +101,49 @@ } } +const char * +tls_common_name(const struct tls_multi *multi, const bool null) +{ + return NULL; +} + +#ifndef ENABLE_MANAGEMENT +bool +send_control_channel_string(struct context *c, const char *str, int msglevel) +{ + return true; +} +#else /* ifndef ENABLE_MANAGEMENT */ +char **res; +int i; + +bool +send_control_channel_string(struct context *c, const char *str, int msglevel) +{ + if (res && res[i] && strcmp(res[i], str)) + { + printf("\n\nexpected: %s\n\n actual: %s\n\n", res[i], str); + return false; + } + i++; + return true; +} + +struct multi_instance * +lookup_by_cid(struct multi_context *m, const unsigned long cid) +{ + return *(m->instances); +} + +bool +mroute_extract_openvpn_sockaddr(struct mroute_addr *addr, + const struct openvpn_sockaddr *osaddr, + bool use_port) +{ + return true; +} +#endif /* ifndef ENABLE_MANAGEMENT */ + /* tests */ static void @@ -124,7 +174,6 @@ free_buf(&buf); } - static void test_incoming_push_message_error2(void **state) { 
@@ -209,6 +258,211 @@ free_buf(&buf); } +#ifdef ENABLE_MANAGEMENT +char *r0[] = { + "PUSH_UPDATE,redirect-gateway local,route 192.168.1.0 255.255.255.0" +}; +char *r1[] = { + "PUSH_UPDATE,-dhcp-option,blablalalalalalalalalalalalalf, lalalalalalalalalalalalalalaf,push-continuation 2", + "PUSH_UPDATE, akakakakakakakakakakakaf, dhcp-option DNS 8.8.8.8,redirect-gateway local,push-continuation 2", + "PUSH_UPDATE,route 192.168.1.0 255.255.255.0,push-continuation 1" +}; +char *r3[] = { + "PUSH_UPDATE,,," +}; +char *r4[] = { + "PUSH_UPDATE,-dhcp-option, blablalalalalalalalalalalalalf, lalalalalalalalalalalalalalaf,push-continuation 2", + "PUSH_UPDATE, akakakakakakakakakakakaf,dhcp-option DNS 8.8.8.8, redirect-gateway local,push-continuation 2", + "PUSH_UPDATE, route 192.168.1.0 255.255.255.0,,push-continuation 1" +}; +char *r5[] = { + "PUSH_UPDATE,,-dhcp-option, blablalalalalalalalalalalalalf, lalalalalalalalalalalalalalaf,push-continuation 2", + "PUSH_UPDATE, akakakakakakakakakakakaf,dhcp-option DNS 8.8.8.8, redirect-gateway local,push-continuation 2", + "PUSH_UPDATE, route 192.168.1.0 255.255.255.0,push-continuation 1" +}; +char *r6[] = { + "PUSH_UPDATE,-dhcp-option,blablalalalalalalalalalalalalf, lalalalalalalalalalalalalalaf,push-continuation 2", + "PUSH_UPDATE, akakakakakakakakakakakaf, dhcp-option DNS 8.8.8.8, redirect-gateway 10.10.10.10,,push-continuation 2", + "PUSH_UPDATE, route 192.168.1.0 255.255.255.0,,push-continuation 1" +}; +char *r7[] = { + "PUSH_UPDATE,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,push-continuation 2", + "PUSH_UPDATE,,,,,,,,,,,,,,,,,,,push-continuation 1" +}; +char *r8[] = { + "PUSH_UPDATE,-dhcp-option,blablalalalalalalalalalalalalf, lalalalalalalalalalalalalalaf,push-continuation 2", + "PUSH_UPDATE, akakakakakakakakakakakaf, dhcp-option DNS 8.8.8.8,redirect-gateway\n local,push-continuation 2", + "PUSH_UPDATE,route 192.168.1.0 255.255.255.0\n\n\n,push-continuation 1" +}; +char *r9[] = { + 
"PUSH_UPDATE,," +}; + + +const char *msg0 = "redirect-gateway local,route 192.168.1.0 255.255.255.0"; +const char *msg1 = "-dhcp-option,blablalalalalalalalalalalalalf, lalalalalalalalalalalalalalaf," + " akakakakakakakakakakakaf, dhcp-option DNS 8.8.8.8,redirect-gateway local,route 192.168.1.0 255.255.255.0"; +const char *msg2 = ""; +const char *msg3 = ",,"; +const char *msg4 = "-dhcp-option, blablalalalalalalalalalalalalf, lalalalalalalalalalalalalalaf," + " akakakakakakakakakakakaf,dhcp-option DNS 8.8.8.8, redirect-gateway local, route 192.168.1.0 255.255.255.0,"; +const char *msg5 = ",-dhcp-option, blablalalalalalalalalalalalalf, lalalalalalalalalalalalalalaf," + " akakakakakakakakakakakaf,dhcp-option DNS 8.8.8.8, redirect-gateway local, route 192.168.1.0 255.255.255.0"; +const char *msg6 = "-dhcp-option,blablalalalalalalalalalalalalf, lalalalalalalalalalalalalalaf, akakakakakakakakakakakaf," + " dhcp-option DNS 8.8.8.8, redirect-gateway 10.10.10.10,, route 192.168.1.0 255.255.255.0,"; +const char *msg7 = ",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"; +const char *msg8 = "-dhcp-option,blablalalalalalalalalalalalalf, lalalalalalalalalalalalalalaf, akakakakakakakakakakakaf," + " dhcp-option DNS 8.8.8.8,redirect-gateway\n local,route 192.168.1.0 255.255.255.0\n\n\n"; +const char *msg9 = ","; +const char *msg10 = "Voilà! In view, a humble vaudevillian veteran cast vicariously as both victim and villain by the vicissitudes" + " of Fate. This visage no mere veneer of vanity is a vestige of the vox populi now vacant vanished. However this" + " valorous visitation of a by-gone vexation stands vivified and has vowed to vanquish these venal and virulent" + " vermin vanguarding vice and vouchsafing the violently vicious and voracious violation of volition. 
The only" + " verdict is vengeance; a vendetta held as a votive not in vain for the value and veracity of such shall one" + " day vindicate the vigilant and the virtuous. Verily this vichyssoise of verbiage veers most verbose so let" + " me simply add that it is my very good honor to meet you and you may call me V."; + +#define PUSH_BUNDLE_SIZE_TEST 184 + +void +update_vhash(struct multi_context *m, struct multi_instance *mi, const char *old_ip, const char *old_ipv6) +{ + /* Just a mock */ +} + +static void +test_send_push_msg0(void **state) +{ + i = 0; + res = r0; + struct multi_context *m = *state; + const unsigned long cid = 0; + assert_int_equal(send_push_update(m, &cid, msg0, UPT_BY_CID, PUSH_BUNDLE_SIZE_TEST), 1); +} +static void +test_send_push_msg1(void **state) +{ + i = 0; + res = r1; + struct multi_context *m = *state; + const unsigned long cid = 0; + assert_int_equal(send_push_update(m, &cid, msg1, UPT_BY_CID, PUSH_BUNDLE_SIZE_TEST), 1); +} + +static void +test_send_push_msg2(void **state) +{ + i = 0; + res = NULL; + struct multi_context *m = *state; + const unsigned long cid = 0; + assert_int_equal(send_push_update(m, &cid, msg2, UPT_BY_CID, PUSH_BUNDLE_SIZE_TEST), -EINVAL); +} + +static void +test_send_push_msg3(void **state) +{ + i = 0; + res = r3; + struct multi_context *m = *state; + const unsigned long cid = 0; + assert_int_equal(send_push_update(m, &cid, msg3, UPT_BY_CID, PUSH_BUNDLE_SIZE_TEST), 1); +} + +static void +test_send_push_msg4(void **state) +{ + i = 0; + res = r4; + struct multi_context *m = *state; + const unsigned long cid = 0; + assert_int_equal(send_push_update(m, &cid, msg4, UPT_BY_CID, PUSH_BUNDLE_SIZE_TEST), 1); +} + +static void +test_send_push_msg5(void **state) +{ + i = 0; + res = r5; + struct multi_context *m = *state; + const unsigned long cid = 0; + assert_int_equal(send_push_update(m, &cid, msg5, UPT_BY_CID, PUSH_BUNDLE_SIZE_TEST), 1); +} + +static void +test_send_push_msg6(void **state) +{ + i = 0; + res = r6; + struct 
multi_context *m = *state; + const unsigned long cid = 0; + assert_int_equal(send_push_update(m, &cid, msg6, UPT_BY_CID, PUSH_BUNDLE_SIZE_TEST), 1); +} + +static void +test_send_push_msg7(void **state) +{ + i = 0; + res = r7; + struct multi_context *m = *state; + const unsigned long cid = 0; + assert_int_equal(send_push_update(m, &cid, msg7, UPT_BY_CID, PUSH_BUNDLE_SIZE_TEST), 1); +} + +static void +test_send_push_msg8(void **state) +{ + i = 0; + res = r8; + struct multi_context *m = *state; + const unsigned long cid = 0; + assert_int_equal(send_push_update(m, &cid, msg8, UPT_BY_CID, PUSH_BUNDLE_SIZE_TEST), 1); +} + +static void +test_send_push_msg9(void **state) +{ + i = 0; + res = r9; + struct multi_context *m = *state; + const unsigned long cid = 0; + assert_int_equal(send_push_update(m, &cid, msg9, UPT_BY_CID, PUSH_BUNDLE_SIZE_TEST), 1); +} + +static void +test_send_push_msg10(void **state) +{ + i = 0; + res = NULL; + struct multi_context *m = *state; + const unsigned long cid = 0; + assert_int_equal(send_push_update(m, &cid, msg10, UPT_BY_CID, PUSH_BUNDLE_SIZE_TEST), -EINVAL); +} + +#undef PUSH_BUNDLE_SIZE_TEST + +static int +setup2(void **state) +{ + struct multi_context *m = calloc(1, sizeof(struct multi_context)); + m->instances = calloc(1, sizeof(struct multi_instance *)); + struct multi_instance *mi = calloc(1, sizeof(struct multi_instance)); + *(m->instances) = mi; + *state = m; + return 0; +} + +static int +teardown2(void **state) +{ + struct multi_context *m = *state; + free(*(m->instances)); + free(m->instances); + free(m); + return 0; +} +#endif /* ifdef ENABLE_MANAGEMENT */ + static int setup(void **state) { 
@@ -238,7 +492,20 @@ cmocka_unit_test_setup_teardown(test_incoming_push_message_1, setup, teardown), cmocka_unit_test_setup_teardown(test_incoming_push_message_bad_format, setup, teardown), cmocka_unit_test_setup_teardown(test_incoming_push_message_mix, setup, teardown), - cmocka_unit_test_setup_teardown(test_incoming_push_message_mix2, setup, teardown) + cmocka_unit_test_setup_teardown(test_incoming_push_message_mix2, setup, teardown), +#ifdef ENABLE_MANAGEMENT + cmocka_unit_test_setup_teardown(test_send_push_msg0, setup2, teardown2), + cmocka_unit_test_setup_teardown(test_send_push_msg1, setup2, teardown2), + cmocka_unit_test_setup_teardown(test_send_push_msg2, setup2, teardown2), + cmocka_unit_test_setup_teardown(test_send_push_msg3, setup2, teardown2), + cmocka_unit_test_setup_teardown(test_send_push_msg4, setup2, teardown2), + cmocka_unit_test_setup_teardown(test_send_push_msg5, setup2, teardown2), + cmocka_unit_test_setup_teardown(test_send_push_msg6, setup2, teardown2), + cmocka_unit_test_setup_teardown(test_send_push_msg7, setup2, teardown2), + cmocka_unit_test_setup_teardown(test_send_push_msg8, setup2, teardown2), + cmocka_unit_test_setup_teardown(test_send_push_msg9, setup2, teardown2), + cmocka_unit_test_setup_teardown(test_send_push_msg10, setup2, teardown2) +#endif }; return cmocka_run_group_tests(tests, NULL, NULL); -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/869?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Ie82bcc7a8e583de9156b185d71d1a323ed8df3fc Gerrit-Change-Number: 869 Gerrit-PatchSet: 9 Gerrit-Owner: mrbff <ma...@ma...> Gerrit-Reviewer: cron2 <ge...@gr...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-Reviewer: stipa <lst...@gm...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Attention: cron2 <ge...@gr...> Gerrit-Attention: 
flichtenheld <fr...@li...> Gerrit-Attention: stipa <lst...@gm...> Gerrit-Attention: mrbff <ma...@ma...> Gerrit-MessageType: newpatchset |
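Review bot: in the per-client loop of send_push_update, `old_ip` and `old_ipv6` are raw pointers into `curr_mi->context.options` captured before `send_single_push_update()` applies the new options, and they are only consumed afterwards in the `option_types_found & OPT_P_UP` branch, which is precisely the case where the ifconfig values may have been replaced. If applying the update rewrites `ifconfig_local`/`ifconfig_ipv6_local` (rather than appending new strings to the same gc), `update_vhash(m, curr_mi, old_ip, old_ipv6)` receives stale or freed pointers. Copy both strings into the function's local `gc` before the call, e.g. `const char *old_ip = string_alloc(curr_mi->context.options.ifconfig_local, &gc);`, or have send_single_push_update hand back the previous values.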
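Review bot: management_callback_send_push_update_by_cid is the only callback that bypasses RETURN_UPDATE_STATUS, so the management client gets no `SUCCESS:`/`ERROR:` line unless the result is exactly -ENOENT. A -EINVAL return (empty or oversized option string, the cases test_send_push_msg2 and test_send_push_msg10 exercise) and a 0 return (client found but send_single_push_update failed) both come back as `false` silently, while broadcast, by_cn and by_addr report either way. Suggest `if (ret == -ENOENT) { msg(M_CLIENT, "ERROR: no client found with CID: %lu", cid); return false; } RETURN_UPDATE_STATUS(ret);` so all four entry points answer consistently.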
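Review bot: the Makefile.am hunk replaces `otime.c \` (no newline at end of file) with `list.c \` that again ends in a trailing backslash with no newline, so the next source added will produce the same two-line churn and the list ends on a dangling continuation. Drop the `\` on the final entry and terminate the file with a newline.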
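Review bot: the send_control_channel_string mock indexes `res[i]` without a bound: the expectation arrays r0 to r9 are not NULL-terminated, so if send_push_update ever emits one message more than expected the mock reads past the array instead of failing, and it cannot detect one message fewer than expected at all. Terminate each array with a NULL entry, replace the printf/`return false` with `assert_string_equal(res[i], str);` so the mismatch is reported by cmocka rather than surfacing as a wrong return value, and assert `i` against the expected message count after each send_push_update call. In the same hunk the `tls_common_name` mock returns NULL, which send_push_update hands straight to `strcmp(curr_cn, target)` on the UPT_BY_CN path (the real function called with null == false does not return NULL); harmless while only UPT_BY_CID is tested, but return a fixed string so a by-CN test can be added without a crash. `i` and `res` as file-scope globals also deserve less collision-prone names.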
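Review bot: the new test cases all go through UPT_BY_CID with `cid = 0` and the lookup_by_cid mock, so the hash-iterator path (UPT_BROADCAST, UPT_BY_CN, UPT_BY_ADDR with the common-name and mroute matching), the -ENOENT result for an unknown CID, and the `OPT_P_UP` -> update_vhash branch are left untested even though update_vhash and mroute_extract_openvpn_sockaddr are already mocked here. At minimum add one case asserting update_vhash is called for an update carrying an OPT_P_UP option (e.g. ifconfig) and not for a route-only update, and one for the -ENOENT path.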
From: flichtenheld (C. Review) <ge...@op...> - 2025-07-09 16:18:37
|
Attention is currently required from: d12fk, plaisthos.

flichtenheld has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/1074?usp=email )

Change subject: move macOS dns-updown common code into functions
......................................................................

Patch Set 3: Code-Review-1

(2 comments)

Patchset:

PS3:
generally lgtm

File distro/dns-scripts/macos-dns-updown.sh:

http://gerrit.openvpn.net/c/openvpn/+/1074/comment/3d691171_78bf5722 :
PS3, Line 242: local addresses="$(addresses_string $n)"
addresses seems to be unused?

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1074?usp=email
To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Id6f70237c7205063b001528a40391678b0d093ac
Gerrit-Change-Number: 1074
Gerrit-PatchSet: 3
Gerrit-Owner: d12fk <he...@op...>
Gerrit-Reviewer: flichtenheld <fr...@li...>
Gerrit-Reviewer: plaisthos <arn...@rf...>
Gerrit-CC: openvpn-devel <ope...@li...>
Gerrit-Attention: plaisthos <arn...@rf...>
Gerrit-Attention: d12fk <he...@op...>
Gerrit-Comment-Date: Wed, 09 Jul 2025 12:14:54 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment |
From: flichtenheld (C. Review) <ge...@op...> - 2025-07-09 15:58:14
|
Attention is currently required from: d12fk, plaisthos.

flichtenheld has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/1074?usp=email )

Change subject: move macOS dns-updown common code into functions
......................................................................

Patch Set 3: Code-Review+2

(1 comment)

File distro/dns-scripts/macos-dns-updown.sh:

http://gerrit.openvpn.net/c/openvpn/+/1074/comment/1f19ccff_a61045e6 :
PS3, Line 242: local addresses="$(addresses_string $n)"
> Yeah, it will get used in #1075, slipped through. […]

fair enough

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1074?usp=email
To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Id6f70237c7205063b001528a40391678b0d093ac
Gerrit-Change-Number: 1074
Gerrit-PatchSet: 3
Gerrit-Owner: d12fk <he...@op...>
Gerrit-Reviewer: flichtenheld <fr...@li...>
Gerrit-Reviewer: plaisthos <arn...@rf...>
Gerrit-CC: openvpn-devel <ope...@li...>
Gerrit-Attention: plaisthos <arn...@rf...>
Gerrit-Attention: d12fk <he...@op...>
Gerrit-Comment-Date: Wed, 09 Jul 2025 12:50:57 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Comment-In-Reply-To: flichtenheld <fr...@li...>
Comment-In-Reply-To: d12fk <he...@op...>
Gerrit-MessageType: comment |
From: flichtenheld (C. Review) <ge...@op...> - 2025-07-09 15:45:50
|
Attention is currently required from: plaisthos. Hello plaisthos, I'd like you to reexamine a change. Please visit http://gerrit.openvpn.net/c/openvpn/+/1079?usp=email to look at the new patch set (#2). Change subject: GHA: Dependency updates July 2025 ...................................................................... GHA: Dependency updates July 2025 chore(deps): update dependency aws/aws-lc to v1.55.0 chore(deps): update lukka/get-cmake action to v4.0.3 chore(deps): update vcpkg digest to f33cc49 chore(deps): update dependency mbed-tls/mbedtls to v3.6.4 Change-Id: I6122225cc12c4f299a2a48db24bc7379ac6c5921 Signed-off-by: Frank Lichtenheld <fr...@li...> --- M .github/workflows/build.yaml 1 file changed, 9 insertions(+), 9 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/79/1079/2 diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index d4fdc9d..bd5895b 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -54,11 +54,11 @@ steps: - name: Checkout OpenVPN uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - uses: lukka/get-cmake@57c20a23a6cac5b90f31864439996e5b206df9dc # v4.0.1 + - uses: lukka/get-cmake@6b3e96a9bc9976b8b546346fdd102effedae0ca8 # v4.0.3 - name: Install vcpkg uses: lukka/run-vcpkg@5e0cab206a5ea620130caf672fce3e4a6b5666a1 # v11.5 with: - vcpkgGitCommitId: b12aa38a44a29bd8461404f2514e4c7cf00e1fc5 + vcpkgGitCommitId: f33cc491c85a7d643c5ab6da1667c1458e6d7abf - name: Install dependencies run: ${VCPKG_ROOT}/vcpkg install openssl lz4 cmocka - name: configure OpenVPN with cmake 
@@ -88,11 +88,11 @@ - name: Checkout OpenVPN uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - uses: lukka/get-cmake@57c20a23a6cac5b90f31864439996e5b206df9dc # v4.0.1 + - uses: lukka/get-cmake@6b3e96a9bc9976b8b546346fdd102effedae0ca8 # v4.0.3 - name: Restore from cache and install vcpkg uses: lukka/run-vcpkg@5e0cab206a5ea620130caf672fce3e4a6b5666a1 # v11.5 with: - vcpkgGitCommitId: b12aa38a44a29bd8461404f2514e4c7cf00e1fc5 + vcpkgGitCommitId: f33cc491c85a7d643c5ab6da1667c1458e6d7abf vcpkgJsonGlob: '**/mingw/vcpkg.json' - name: Run CMake with vcpkg.json manifest @@ -276,7 +276,7 @@ runs-on: windows-latest steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - uses: lukka/get-cmake@57c20a23a6cac5b90f31864439996e5b206df9dc # v4.0.1 + - uses: lukka/get-cmake@6b3e96a9bc9976b8b546346fdd102effedae0ca8 # v4.0.3 - name: Install rst2html run: python -m pip install --upgrade pip docutils @@ -284,7 +284,7 @@ - name: Restore artifacts, or setup vcpkg (do not install any package) uses: lukka/run-vcpkg@5e0cab206a5ea620130caf672fce3e4a6b5666a1 # v11.5 with: - vcpkgGitCommitId: b12aa38a44a29bd8461404f2514e4c7cf00e1fc5 + vcpkgGitCommitId: f33cc491c85a7d643c5ab6da1667c1458e6d7abf vcpkgJsonGlob: '**/windows/vcpkg.json' - name: Run CMake with vcpkg.json manifest (NO TESTS) @@ -413,7 +413,7 @@ submodules: true # versioning=semver-coerced repository: Mbed-TLS/mbedtls - ref: v3.6.3 + ref: v3.6.4 - name: "mbedtls: make no_test" run: make -j3 no_test SHARED=1 working-directory: mbedtls 
@@ -471,8 +471,8 @@ path: aws-lc # versioning=semver-coerced repository: aws/aws-lc - ref: v1.51.2 - - uses: lukka/get-cmake@57c20a23a6cac5b90f31864439996e5b206df9dc # v4.0.1 + ref: v1.55.0 + - uses: lukka/get-cmake@6b3e96a9bc9976b8b546346fdd102effedae0ca8 # v4.0.3 - name: "AWS-LC: build" run: | mkdir build -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1079?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I6122225cc12c4f299a2a48db24bc7379ac6c5921 Gerrit-Change-Number: 1079 Gerrit-PatchSet: 2 Gerrit-Owner: flichtenheld <fr...@li...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-MessageType: newpatchset |
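Review bot: the third-party library checkouts remain pinned to mutable tags (`ref: v3.6.4` for Mbed-TLS/mbedtls, `ref: v1.55.0` for aws/aws-lc) while every action in the same file is pinned to a full commit SHA with the version in a trailing comment. A tag can be moved after this review lands, so for the same supply-chain reason pin `ref:` to the commit each tag currently resolves to and keep the version string as a comment, provided the dependency updater driving the `# versioning=semver-coerced` hints can still track it; otherwise record the resolved SHAs in the commit message so the bump is at least auditable.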
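Review bot: the `# v4.0.3` annotation beside `lukka/get-cmake@6b3e96a9bc9976b8b546346fdd102effedae0ca8` and the new `vcpkgGitCommitId: f33cc491c85a7d643c5ab6da1667c1458e6d7abf` are not checked by anything in the workflow, so before +2 confirm by hand that the SHA is the commit tagged v4.0.3 and that f33cc491 is a commit on vcpkg master. If the manifests selected by `vcpkgJsonGlob` (`**/mingw/vcpkg.json`, `**/windows/vcpkg.json`) carry a `builtin-baseline`, check whether it should move to the same commit, since the hunks only update the checkout and not the manifests.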
From: flichtenheld (C. Review) <ge...@op...> - 2025-07-09 15:41:24
|
Attention is currently required from: plaisthos.

flichtenheld has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/1081?usp=email )

Change subject: Do not compile mbed key helper with MBEDTLS_SSL_KEYING_MATERIAL_EXPORT
......................................................................

Patch Set 1: Code-Review-1

(1 comment)

Patchset:

PS1:
Can we include the GHA update to 3.6.4 in this patch, please?

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1081?usp=email
To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I0f325800ebeb20bd5ef3ff78e5c5fcf0f6f74efd
Gerrit-Change-Number: 1081
Gerrit-PatchSet: 1
Gerrit-Owner: plaisthos <arn...@rf...>
Gerrit-Reviewer: flichtenheld <fr...@li...>
Gerrit-CC: openvpn-devel <ope...@li...>
Gerrit-Attention: plaisthos <arn...@rf...>
Gerrit-Comment-Date: Wed, 09 Jul 2025 12:40:12 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment |