|
From: Gert D. <ge...@gr...> - 2025-10-28 14:05:59
|
ACK from Arne, extra check from Lev, BB all green, so let's see if the
windows t_client test (run by github magic only after pushing to the official
repo...) finds something else.
Also, as Lev remarked, we might want to apply this to 2.6 "if 2.6 is broken
on windows 7 anyway" or see what to do about the original report on Win7,
if anything at all.
Your patch has been applied to the master branch.
commit 05a8ba8080c7a7c3dc6cc681b3fc3cf8c559e053
Author: Selva Nair
Date: Tue Oct 28 11:16:36 2025 +0100
Canonicalize config_dir before comparing with the config file location
Signed-off-by: Selva Nair <sel...@gm...>
Acked-by: Arne Schwabe <arn...@rf...>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1318
Message-Id: <202...@gr...>
URL: https://www.mail-archive.com/ope...@li.../msg33923.html
Signed-off-by: Gert Doering <ge...@gr...>
--
kind regards,
Gert Doering
|
|
From: cron2 (C. Review) <ge...@op...> - 2025-10-28 13:55:26
|
Attention is currently required from: d12fk, flichtenheld, ordex, plaisthos.

cron2 has posted comments on this change by plaisthos. ( http://gerrit.openvpn.net/c/openvpn/+/1192?usp=email )

Change subject: Install host routes for ifconfig-push routes when DCO is enabled
......................................................................

Patch Set 13:

(6 comments)

Patchset:

PS8:
> Yeah not really sure what happened there during my rebase. […]
Done

Patchset:

PS11:
> This is not working right yet. […]
Done

Commit Message:

http://gerrit.openvpn.net/c/openvpn/+/1192/comment/4477c2fa_904f1747?usp=email :
PS4, Line 7: Install host routes with onlink scope iroutes for ifconfig-push routes
> how about: […]
Done

http://gerrit.openvpn.net/c/openvpn/+/1192/comment/f9794219_e00d035b?usp=email :
PS4, Line 10: of the configured device need to be added to the operating system to
> I agree with that, but what I meant in my comment is that we "need *routes* to be added" not IPs. […]
Done

http://gerrit.openvpn.net/c/openvpn/+/1192/comment/220f5023_3980d1f4?usp=email :
PS4, Line 15: iroute, will not work.
> should we add "because the server does not have an address in the same network as these IPs assigned […]
Done

File src/openvpn/multi.c:

http://gerrit.openvpn.net/c/openvpn/+/1192/comment/02b58eff_bb2dd3f8?usp=email :
PS11, Line 4377: &o->push_ifconfig_ipv6_local));
> Maybe it would also be an idea to change `multi_check_push_ifconfig_ipv6_extra_route()` to not be pa […]
Done

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1192?usp=email
To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email

Gerrit-MessageType: comment
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I83295e00d1a756dfa44050b0a4493095fb050fff
Gerrit-Change-Number: 1192
Gerrit-PatchSet: 13
Gerrit-Owner: plaisthos <arn...@rf...>
Gerrit-Reviewer: cron2 <ge...@gr...>
Gerrit-Reviewer: d12fk <he...@op...>
Gerrit-Reviewer: flichtenheld <fr...@li...>
Gerrit-Reviewer: ordex <an...@ma...>
Gerrit-CC: openvpn-devel <ope...@li...>
Gerrit-Attention: plaisthos <arn...@rf...>
Gerrit-Attention: flichtenheld <fr...@li...>
Gerrit-Attention: ordex <an...@ma...>
Gerrit-Attention: d12fk <he...@op...>
Gerrit-Comment-Date: Tue, 28 Oct 2025 13:55:11 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Comment-In-Reply-To: plaisthos <arn...@rf...>
Comment-In-Reply-To: cron2 <ge...@gr...>
Comment-In-Reply-To: ordex <an...@ma...>
|
|
From: cron2 (C. Review) <ge...@op...> - 2025-10-28 13:54:28
|
Attention is currently required from: d12fk, flichtenheld, ordex, plaisthos.

cron2 has posted comments on this change by plaisthos. ( http://gerrit.openvpn.net/c/openvpn/+/1192?usp=email )

Change subject: Install host routes for ifconfig-push routes when DCO is enabled
......................................................................

Patch Set 13:

(2 comments)

Patchset:

PS13:
found it, `htonl()` again, the two calls are not symmetric wrt byte order - so the check works correctly for IPv4 add and fails for IPv4 delete. Patch suggestion in the comment.

File src/openvpn/dco.c:

http://gerrit.openvpn.net/c/openvpn/+/1192/comment/9082ac20_ae5adc12?usp=email :
PS13, Line 743: if (multi_check_push_ifconfig_extra_route(mi, ifconfig_local))
with patch v12, multi_check_push_ifconfig_extra_route() lost an htonl(), and the *other* caller has a `htonl(a)`, so this one needs a `htonl(ifconfig_local)` to make it symmetric, or change it everywhere.

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1192?usp=email
To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email

Gerrit-MessageType: comment
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I83295e00d1a756dfa44050b0a4493095fb050fff
Gerrit-Change-Number: 1192
Gerrit-PatchSet: 13
Gerrit-Owner: plaisthos <arn...@rf...>
Gerrit-Reviewer: cron2 <ge...@gr...>
Gerrit-Reviewer: d12fk <he...@op...>
Gerrit-Reviewer: flichtenheld <fr...@li...>
Gerrit-Reviewer: ordex <an...@ma...>
Gerrit-CC: openvpn-devel <ope...@li...>
Gerrit-Attention: plaisthos <arn...@rf...>
Gerrit-Attention: flichtenheld <fr...@li...>
Gerrit-Attention: ordex <an...@ma...>
Gerrit-Attention: d12fk <he...@op...>
Gerrit-Comment-Date: Tue, 28 Oct 2025 13:54:18 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
|
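The byte-order asymmetry described in the message above, as an added example that is not part of the original message or of OpenVPN's source. `needs_host_route` and the caller names are hypothetical, the check is assumed to take a network-order address, and the /24 tunnel subnet and the 10.200.0.5 address are constructed; 10.114.2.3 is the pool address from the log in this thread.

```c
#include <arpa/inet.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Build an IPv4 address in HOST byte order from its dotted-quad parts. */
#define IPV4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Constructed sample values (assumptions, see lead-in). */
#define TUN_NET  IPV4(10, 114, 2, 0)
#define TUN_MASK IPV4(255, 255, 255, 0)
#define POOL_IP  IPV4(10, 114, 2, 3)   /* inside the tunnel subnet */
#define PUSH_IP  IPV4(10, 200, 0, 5)   /* outside the tunnel subnet */

/* Hypothetical check: takes the client address in NETWORK byte order and
 * reports whether it lies outside the tunnel subnet, i.e. whether a
 * dedicated host route has to be installed and later removed. */
static bool
needs_host_route(uint32_t addr_net_order)
{
    return (ntohl(addr_net_order) & TUN_MASK) != TUN_NET;
}

/* Add path: converts before calling, as the check expects. */
bool add_path(uint32_t a_host) { return needs_host_route(htonl(a_host)); }

/* Delete path with the conversion missing: same address, other byte order. */
bool del_path_asymmetric(uint32_t a_host) { return needs_host_route(a_host); }

/* Delete path made symmetric with the add path. */
bool del_path_symmetric(uint32_t a_host) { return needs_host_route(htonl(a_host)); }

/* One way to make the mistake a compile error: a distinct type for
 * network-order addresses, so a bare uint32_t cannot be passed. */
typedef struct { uint32_t be; } net_addr_t;

net_addr_t
to_net(uint32_t host_order)
{
    net_addr_t n = { htonl(host_order) };
    return n;
}

bool needs_host_route_typed(net_addr_t addr) { return needs_host_route(addr.be); }

/* htonl() is a no-op on big-endian hosts, where the bug stays hidden. */
bool host_is_little_endian(void) { return htonl(1) != 1; }

int
main(void)
{
    printf("pool IP: add=%d del(asymmetric)=%d del(symmetric)=%d\n",
           add_path(POOL_IP), del_path_asymmetric(POOL_IP), del_path_symmetric(POOL_IP));
    printf("push IP: add=%d del(asymmetric)=%d del(symmetric)=%d\n",
           add_path(PUSH_IP), del_path_asymmetric(PUSH_IP), del_path_symmetric(PUSH_IP));
    printf("typed:   pool=%d push=%d\n",
           needs_host_route_typed(to_net(POOL_IP)), needs_host_route_typed(to_net(PUSH_IP)));
    return 0;
}
```

On a little-endian host the asymmetric delete path reports that the pool address needs a host route although none was installed, and the out-of-subnet address happens to give the right answer either way, which is why only some cases show the problem.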
|
From: stipa (C. Review) <ge...@op...> - 2025-10-28 13:39:27
|
Attention is currently required from: flichtenheld, selvanair.

stipa has posted comments on this change by selvanair. ( http://gerrit.openvpn.net/c/openvpn/+/1318?usp=email )

Change subject: Canonicalize config_dir before comparing with the config file location
......................................................................

Patch Set 1: Code-Review+2

(1 comment)

Patchset:

PS1:
Looks good, but this API (PathCchCanonicalizeEx) is available starting from Windows 8. Let's merge it for master only - by default config_dir comes from the installer and terminates with "\", and you need admin rights to change it. So I think it is not that critical.

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1318?usp=email
To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email

Gerrit-MessageType: comment
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I8e884c00cb94f97a612056e8dca74d821a6d6386
Gerrit-Change-Number: 1318
Gerrit-PatchSet: 1
Gerrit-Owner: selvanair <sel...@gm...>
Gerrit-Reviewer: flichtenheld <fr...@li...>
Gerrit-Reviewer: plaisthos <arn...@rf...>
Gerrit-Reviewer: stipa <lst...@gm...>
Gerrit-CC: openvpn-devel <ope...@li...>
Gerrit-Attention: flichtenheld <fr...@li...>
Gerrit-Attention: selvanair <sel...@gm...>
Gerrit-Comment-Date: Tue, 28 Oct 2025 13:39:17 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
|
|
From: cron2 (C. Review) <ge...@op...> - 2025-10-28 13:33:05
|
Attention is currently required from: d12fk, flichtenheld, ordex, plaisthos.

cron2 has posted comments on this change by plaisthos. ( http://gerrit.openvpn.net/c/openvpn/+/1192?usp=email )

Change subject: Install host routes for ifconfig-push routes when DCO is enabled
......................................................................

Patch Set 13: Code-Review-2

(1 comment)

Patchset:

PS13:
We are getting there, but the journey is not over, alas.

Now installation/removal of routes "according to what we want" in general works fine, but we *always* try to remove the IPv4 host route at the end - here's for a regular pool IP:

```
Oct 28 14:25:08 fbsd14 tun-udp-p2mp[12610]: MULTI_sva: pool returned IPv4=10.114.2.3, IPv6=fd00:abcd:114:2::1001
Oct 28 14:25:08 fbsd14 tun-udp-p2mp[12610]: MULTI: Learn: 10.114.2.3 -> cron2-ubuntu-2004-amd64/udp6:195.30.8.84:44555 peer-id=1
Oct 28 14:25:08 fbsd14 tun-udp-p2mp[12610]: MULTI: primary virtual IP for cron2-ubuntu-2004-amd64/udp6:195.30.8.84:44555 peer-id=1: 10.114.2.3
...
Oct 28 14:26:25 fbsd14 tun-udp-p2mp[12610]: /sbin/route del -net 10.114.2.3/32 -iface tun0 -fib 0 -weight 16777115
Oct 28 14:26:25 fbsd14 tun-udp-p2mp[12610]: ERROR: FreeBSD route command failed: external program exited with error status: 1
```

which obviously is not the way to go forward. Need to look what changed in IPv4 land here.

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1192?usp=email
To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email

Gerrit-MessageType: comment
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I83295e00d1a756dfa44050b0a4493095fb050fff
Gerrit-Change-Number: 1192
Gerrit-PatchSet: 13
Gerrit-Owner: plaisthos <arn...@rf...>
Gerrit-Reviewer: cron2 <ge...@gr...>
Gerrit-Reviewer: d12fk <he...@op...>
Gerrit-Reviewer: flichtenheld <fr...@li...>
Gerrit-Reviewer: ordex <an...@ma...>
Gerrit-CC: openvpn-devel <ope...@li...>
Gerrit-Attention: plaisthos <arn...@rf...>
Gerrit-Attention: flichtenheld <fr...@li...>
Gerrit-Attention: ordex <an...@ma...>
Gerrit-Attention: d12fk <he...@op...>
Gerrit-Comment-Date: Tue, 28 Oct 2025 13:32:29 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
|
|
From: cron2 (C. Review) <ge...@op...> - 2025-10-28 12:34:02
|
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/1309?usp=email ) Change subject: mroute: Remove unused mask argument of mroute_get_in* ...................................................................... mroute: Remove unused mask argument of mroute_get_in* These are obsolete since the removal of pf feature. Avoids spurious conversion warnings. Change-Id: I501bf780957a9c685eed5994a15de09c28efc3f0 Signed-off-by: Frank Lichtenheld <fr...@li...> Acked-by: Gert Doering <ge...@gr...> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1309 Message-Id: <202...@gr...> URL: https://www.mail-archive.com/ope...@li.../msg33939.html Signed-off-by: Gert Doering <ge...@gr...> --- M src/openvpn/mroute.c 1 file changed, 9 insertions(+), 18 deletions(-) diff --git a/src/openvpn/mroute.c b/src/openvpn/mroute.c index 88ea647..b50d48f 100644 --- a/src/openvpn/mroute.c +++ b/src/openvpn/mroute.c @@ -103,17 +103,12 @@ return true; } -#if defined(__GNUC__) || defined(__clang__) -#pragma GCC diagnostic push -#pragma GCC diagnostic ignored "-Wconversion" -#endif - static inline void -mroute_get_in_addr_t(struct mroute_addr *ma, const in_addr_t src, unsigned int mask) +mroute_get_in_addr_t(struct mroute_addr *ma, const in_addr_t src) { if (ma) { - ma->type = MR_ADDR_IPV4 | mask; + ma->type = MR_ADDR_IPV4; ma->netbits = 0; ma->len = 4; ma->v4.addr = src; @@ -121,11 +116,11 @@ } static inline void -mroute_get_in6_addr(struct mroute_addr *ma, const struct in6_addr src, unsigned int mask) +mroute_get_in6_addr(struct mroute_addr *ma, const struct in6_addr src) { if (ma) { - ma->type = MR_ADDR_IPV6 | mask; + ma->type = MR_ADDR_IPV6; ma->netbits = 0; ma->len = 16; ma->v6.addr = src; 
@@ -161,8 +156,8 @@ { const struct openvpn_iphdr *ip = (const struct openvpn_iphdr *)BPTR(buf); - mroute_get_in_addr_t(src, ip->saddr, 0); - mroute_get_in_addr_t(dest, ip->daddr, 0); + mroute_get_in_addr_t(src, ip->saddr); + mroute_get_in_addr_t(dest, ip->daddr); /* multicast packet? */ if (mroute_is_mcast(ip->daddr)) @@ -192,8 +187,8 @@ gc_free(&gc); #endif - mroute_get_in6_addr(src, ipv6->saddr, 0); - mroute_get_in6_addr(dest, ipv6->daddr, 0); + mroute_get_in6_addr(src, ipv6->saddr); + mroute_get_in6_addr(dest, ipv6->daddr); if (mroute_is_mcast_ipv6(ipv6->daddr)) { @@ -342,7 +337,7 @@ } else { - ma->v6.addr.s6_addr[byte--] &= (IPV4_NETMASK_HOST << bits_to_clear); + ma->v6.addr.s6_addr[byte--] &= (0xFF << bits_to_clear); bits_to_clear = 0; } } @@ -552,10 +547,6 @@ } } -#if defined(__GNUC__) || defined(__clang__) -#pragma GCC diagnostic pop -#endif - void mroute_helper_free(struct mroute_helper *mh) { -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1309?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email Gerrit-MessageType: merged Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I501bf780957a9c685eed5994a15de09c28efc3f0 Gerrit-Change-Number: 1309 Gerrit-PatchSet: 3 Gerrit-Owner: flichtenheld <fr...@li...> Gerrit-Reviewer: cron2 <ge...@gr...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> |
|
From: Gert D. <ge...@gr...> - 2025-10-28 12:33:56
|
The "mask" bit is trivial (I have wondered a few times what it is for,
seems "for nothing" - out it goes!). The 0xff bit needed a bit more
thinking, but indeed, since we're only masking single-bytes at a time
here, and shift left, 0xffffff and 0xff is the same thing - and not
using an IPv4 constant for IPv6 seems like a proper thing to do!
Your patch has been applied to the master branch.
commit 2ae18239c30d96a4d16bc75a0204c4895e6cbce3
Author: Frank Lichtenheld
Date: Tue Oct 28 13:20:23 2025 +0100
mroute: Remove unused mask argument of mroute_get_in*
Signed-off-by: Frank Lichtenheld <fr...@li...>
Acked-by: Gert Doering <ge...@gr...>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1309
Message-Id: <202...@gr...>
URL: https://www.mail-archive.com/ope...@li.../msg33939.html
Signed-off-by: Gert Doering <ge...@gr...>
--
kind regards,
Gert Doering
|
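The single-byte masking argument in the message above can be checked exhaustively over all prefix lengths. This is an added example, not part of the original message or of OpenVPN's source; `clear_host_bits` and the other names are hypothetical, and the IPv4 host-netmask constant is assumed to be the 32-bit all-ones value.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: zero the host bits of a 16-byte IPv6 address,
 * keeping the first `netbits` bits. `mask_const` is the constant that is
 * shifted for the one byte that is only partially cleared. */
static void
clear_host_bits(uint8_t addr[16], int netbits, uint32_t mask_const)
{
    int byte = 15;                      /* rightmost byte of the address */
    int bits_to_clear = 128 - netbits;

    while (byte >= 0 && bits_to_clear > 0)
    {
        if (bits_to_clear >= 8)
        {
            addr[byte--] = 0;
            bits_to_clear -= 8;
        }
        else
        {
            /* bits_to_clear is 1..7 here; only the low 8 bits of the
             * shifted constant can reach the one-byte element */
            addr[byte--] &= (uint8_t)(mask_const << bits_to_clear);
            bits_to_clear = 0;
        }
    }
}

/* Mask an all-ones address (constructed input, so every cleared bit is
 * visible) and return the byte at `index`. */
int
masked_byte(int netbits, int index, uint32_t mask_const)
{
    uint8_t addr[16];
    memset(addr, 0xFF, sizeof(addr));
    clear_host_bits(addr, netbits, mask_const);
    return addr[index];
}

/* Number of prefix lengths 0..128 for which 0xFF and the 32-bit all-ones
 * constant produce different addresses. */
int
count_constant_mismatches(void)
{
    int mismatches = 0;
    for (int netbits = 0; netbits <= 128; netbits++)
    {
        uint8_t a[16], b[16];
        memset(a, 0xFF, sizeof(a));
        memset(b, 0xFF, sizeof(b));
        clear_host_bits(a, netbits, 0xFFu);
        clear_host_bits(b, netbits, 0xFFFFFFFFu);
        if (memcmp(a, b, sizeof(a)) != 0)
        {
            mismatches++;
        }
    }
    return mismatches;
}

/* Number of prefix lengths for which the result is not exactly
 * "first netbits bits set, all remaining bits clear". */
int
count_wrong_prefixes(uint32_t mask_const)
{
    int wrong = 0;
    for (int netbits = 0; netbits <= 128; netbits++)
    {
        uint8_t a[16];
        memset(a, 0xFF, sizeof(a));
        clear_host_bits(a, netbits, mask_const);
        for (int bit = 0; bit < 128; bit++)
        {
            int is_set = (a[bit / 8] >> (7 - bit % 8)) & 1;
            if (is_set != (bit < netbits))
            {
                wrong++;
                break;
            }
        }
    }
    return wrong;
}

int
main(void)
{
    printf("mismatches between constants: %d\n", count_constant_mismatches());
    printf("wrong prefixes with 0xFF:     %d\n", count_wrong_prefixes(0xFFu));
    printf("/61, byte 7:                  0x%02X\n", masked_byte(61, 7, 0xFFu));
    return 0;
}
```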
|
From: cron2 (C. Review) <ge...@op...> - 2025-10-28 12:33:55
|
cron2 has uploaded a new patch set (#3) to the change originally created by flichtenheld. ( http://gerrit.openvpn.net/c/openvpn/+/1309?usp=email ) The following approvals got outdated and were removed: Code-Review+2 by cron2 Change subject: mroute: Remove unused mask argument of mroute_get_in* ...................................................................... mroute: Remove unused mask argument of mroute_get_in* These are obsolete since the removal of pf feature. Avoids spurious conversion warnings. Change-Id: I501bf780957a9c685eed5994a15de09c28efc3f0 Signed-off-by: Frank Lichtenheld <fr...@li...> Acked-by: Gert Doering <ge...@gr...> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1309 Message-Id: <202...@gr...> URL: https://www.mail-archive.com/ope...@li.../msg33939.html Signed-off-by: Gert Doering <ge...@gr...> --- M src/openvpn/mroute.c 1 file changed, 9 insertions(+), 18 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/09/1309/3 diff --git a/src/openvpn/mroute.c b/src/openvpn/mroute.c index 88ea647..b50d48f 100644 --- a/src/openvpn/mroute.c +++ b/src/openvpn/mroute.c @@ -103,17 +103,12 @@ return true; } -#if defined(__GNUC__) || defined(__clang__) -#pragma GCC diagnostic push -#pragma GCC diagnostic ignored "-Wconversion" -#endif - static inline void -mroute_get_in_addr_t(struct mroute_addr *ma, const in_addr_t src, unsigned int mask) +mroute_get_in_addr_t(struct mroute_addr *ma, const in_addr_t src) { if (ma) { - ma->type = MR_ADDR_IPV4 | mask; + ma->type = MR_ADDR_IPV4; ma->netbits = 0; ma->len = 4; ma->v4.addr = src; @@ -121,11 +116,11 @@ } static inline void -mroute_get_in6_addr(struct mroute_addr *ma, const struct in6_addr src, unsigned int mask) +mroute_get_in6_addr(struct mroute_addr *ma, const struct in6_addr src) { if (ma) { - ma->type = MR_ADDR_IPV6 | mask; + ma->type = MR_ADDR_IPV6; ma->netbits = 0; ma->len = 16; ma->v6.addr = src; 
@@ -161,8 +156,8 @@ { const struct openvpn_iphdr *ip = (const struct openvpn_iphdr *)BPTR(buf); - mroute_get_in_addr_t(src, ip->saddr, 0); - mroute_get_in_addr_t(dest, ip->daddr, 0); + mroute_get_in_addr_t(src, ip->saddr); + mroute_get_in_addr_t(dest, ip->daddr); /* multicast packet? */ if (mroute_is_mcast(ip->daddr)) @@ -192,8 +187,8 @@ gc_free(&gc); #endif - mroute_get_in6_addr(src, ipv6->saddr, 0); - mroute_get_in6_addr(dest, ipv6->daddr, 0); + mroute_get_in6_addr(src, ipv6->saddr); + mroute_get_in6_addr(dest, ipv6->daddr); if (mroute_is_mcast_ipv6(ipv6->daddr)) { @@ -342,7 +337,7 @@ } else { - ma->v6.addr.s6_addr[byte--] &= (IPV4_NETMASK_HOST << bits_to_clear); + ma->v6.addr.s6_addr[byte--] &= (0xFF << bits_to_clear); bits_to_clear = 0; } } @@ -552,10 +547,6 @@ } } -#if defined(__GNUC__) || defined(__clang__) -#pragma GCC diagnostic pop -#endif - void mroute_helper_free(struct mroute_helper *mh) { -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1309?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email Gerrit-MessageType: newpatchset Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I501bf780957a9c685eed5994a15de09c28efc3f0 Gerrit-Change-Number: 1309 Gerrit-PatchSet: 3 Gerrit-Owner: flichtenheld <fr...@li...> Gerrit-Reviewer: cron2 <ge...@gr...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> |
|
From: Gert D. <ge...@gr...> - 2025-10-28 12:20:41
|
From: Frank Lichtenheld <fr...@li...> These are obsolete since the removal of pf feature. Avoids spurious conversion warnings. Change-Id: I501bf780957a9c685eed5994a15de09c28efc3f0 Signed-off-by: Frank Lichtenheld <fr...@li...> Acked-by: Gert Doering <ge...@gr...> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1309 --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1309 This mail reflects revision 2 of this Change. Acked-by according to Gerrit (reflected above): Gert Doering <ge...@gr...> diff --git a/src/openvpn/mroute.c b/src/openvpn/mroute.c index 88ea647..b50d48f 100644 --- a/src/openvpn/mroute.c +++ b/src/openvpn/mroute.c @@ -103,17 +103,12 @@ return true; } -#if defined(__GNUC__) || defined(__clang__) -#pragma GCC diagnostic push -#pragma GCC diagnostic ignored "-Wconversion" -#endif - static inline void -mroute_get_in_addr_t(struct mroute_addr *ma, const in_addr_t src, unsigned int mask) +mroute_get_in_addr_t(struct mroute_addr *ma, const in_addr_t src) { if (ma) { - ma->type = MR_ADDR_IPV4 | mask; + ma->type = MR_ADDR_IPV4; ma->netbits = 0; ma->len = 4; ma->v4.addr = src; @@ -121,11 +116,11 @@ } static inline void -mroute_get_in6_addr(struct mroute_addr *ma, const struct in6_addr src, unsigned int mask) +mroute_get_in6_addr(struct mroute_addr *ma, const struct in6_addr src) { if (ma) { - ma->type = MR_ADDR_IPV6 | mask; + ma->type = MR_ADDR_IPV6; ma->netbits = 0; ma->len = 16; ma->v6.addr = src; @@ -161,8 +156,8 @@ { const struct openvpn_iphdr *ip = (const struct openvpn_iphdr *)BPTR(buf); - mroute_get_in_addr_t(src, ip->saddr, 0); - mroute_get_in_addr_t(dest, ip->daddr, 0); + mroute_get_in_addr_t(src, ip->saddr); + mroute_get_in_addr_t(dest, ip->daddr); /* multicast packet? */ if (mroute_is_mcast(ip->daddr)) 
@@ -192,8 +187,8 @@ gc_free(&gc); #endif - mroute_get_in6_addr(src, ipv6->saddr, 0); - mroute_get_in6_addr(dest, ipv6->daddr, 0); + mroute_get_in6_addr(src, ipv6->saddr); + mroute_get_in6_addr(dest, ipv6->daddr); if (mroute_is_mcast_ipv6(ipv6->daddr)) { @@ -342,7 +337,7 @@ } else { - ma->v6.addr.s6_addr[byte--] &= (IPV4_NETMASK_HOST << bits_to_clear); + ma->v6.addr.s6_addr[byte--] &= (0xFF << bits_to_clear); bits_to_clear = 0; } } @@ -552,10 +547,6 @@ } } -#if defined(__GNUC__) || defined(__clang__) -#pragma GCC diagnostic pop -#endif - void mroute_helper_free(struct mroute_helper *mh) { |
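Review bot: The `#pragma GCC diagnostic` push removed at `@@ -103,17 +103,12 @@` and its matching pop removed at `@@ -552,10 +547,6 @@` re-enable `-Wconversion` for everything between those two points, not only for the two helpers whose signature changes here. The commit message says the change "avoids spurious conversion warnings" but does not say that the whole previously suppressed range now builds cleanly; please state that, and with which compilers it was checked.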
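Review bot: In the `@@ -342,7 +337,7 @@` hunk, replacing `IPV4_NETMASK_HOST` with `0xFF` in `ma->v6.addr.s6_addr[byte--] &= (0xFF << bits_to_clear);` is a separate change from dropping the unused `mask` argument, and the commit message does not mention it. Please add a sentence explaining why the two constants are equivalent for a one-byte element, and since `0xFF << bits_to_clear` is an `int` narrowed into that element with the pragma gone, consider a short comment (or an explicit cast) stating the range `bits_to_clear` can have in this branch.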
|
From: cron2 (C. Review) <ge...@op...> - 2025-10-28 12:20:27
|
Attention is currently required from: flichtenheld, plaisthos.

cron2 has posted comments on this change by flichtenheld. ( http://gerrit.openvpn.net/c/openvpn/+/1309?usp=email )

Change subject: mroute: Remove unused mask argument of mroute_get_in*
......................................................................

Patch Set 2: Code-Review+2

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1309?usp=email
To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email

Gerrit-MessageType: comment
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I501bf780957a9c685eed5994a15de09c28efc3f0
Gerrit-Change-Number: 1309
Gerrit-PatchSet: 2
Gerrit-Owner: flichtenheld <fr...@li...>
Gerrit-Reviewer: cron2 <ge...@gr...>
Gerrit-Reviewer: plaisthos <arn...@rf...>
Gerrit-CC: openvpn-devel <ope...@li...>
Gerrit-Attention: plaisthos <arn...@rf...>
Gerrit-Attention: flichtenheld <fr...@li...>
Gerrit-Comment-Date: Tue, 28 Oct 2025 12:20:12 +0000
Gerrit-HasComments: No
Gerrit-Has-Labels: Yes
|
|
From: cron2 (C. Review) <ge...@op...> - 2025-10-28 12:18:31
|
cron2 has uploaded a new patch set (#3) to the change originally created by plaisthos. ( http://gerrit.openvpn.net/c/openvpn/+/1320?usp=email ) The following approvals got outdated and were removed: Code-Review+2 by cron2 Change subject: Add ASSERT to afunix code that dev_node is always set up the way we expect ...................................................................... Add ASSERT to afunix code that dev_node is always set up the way we expect The calling code only calls tun_afunix_exec_child if is_tun_afunix is true, which checks that the path is having unix: as prefix. But since adding an ASSERT here to ensure that it is really the case does not cost us anything, just add the ASSERT. Reported-By: Joshua Rogers <co...@jo...> Found-By: Zeropath Change-Id: Idbb7bf279eb467fc1d56ab75a50b5eb2c8d0a57e Signed-off-by: Arne Schwabe <arn...@rf...> Acked-by: Gert Doering <ge...@gr...> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1320 Message-Id: <202...@gr...> URL: https://www.mail-archive.com/ope...@li.../msg33934.html Signed-off-by: Gert Doering <ge...@gr...> --- M src/openvpn/tun_afunix.c 1 file changed, 2 insertions(+), 0 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/20/1320/3 diff --git a/src/openvpn/tun_afunix.c b/src/openvpn/tun_afunix.c index 124db6d..42bcd0d 100644 --- a/src/openvpn/tun_afunix.c +++ b/src/openvpn/tun_afunix.c 
@@ -53,6 +53,8 @@ const char *msgprefix = "ERROR: failure executing process for tun:"; struct argv argv = argv_new(); + /* we should always called with a proper unix: dev node string */ + ASSERT(dev_node && strncmp(dev_node, "unix:", strlen("unix:")) == 0); /* since we know that dev-node starts with unix: we can just skip that * to get the program name */ const char *program = dev_node + strlen("unix:"); -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1320?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email Gerrit-MessageType: newpatchset Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Idbb7bf279eb467fc1d56ab75a50b5eb2c8d0a57e Gerrit-Change-Number: 1320 Gerrit-PatchSet: 3 Gerrit-Owner: plaisthos <arn...@rf...> Gerrit-Reviewer: cron2 <ge...@gr...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-CC: openvpn-devel <ope...@li...> |
|
From: cron2 (C. Review) <ge...@op...> - 2025-10-28 12:18:27
|
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/1320?usp=email ) Change subject: Add ASSERT to afunix code that dev_node is always set up the way we expect ...................................................................... Add ASSERT to afunix code that dev_node is always set up the way we expect The calling code only calls tun_afunix_exec_child if is_tun_afunix is true, which checks that the path is having unix: as prefix. But since adding an ASSERT here to ensure that it is really the case does not cost us anything, just add the ASSERT. Reported-By: Joshua Rogers <co...@jo...> Found-By: Zeropath Change-Id: Idbb7bf279eb467fc1d56ab75a50b5eb2c8d0a57e Signed-off-by: Arne Schwabe <arn...@rf...> Acked-by: Gert Doering <ge...@gr...> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1320 Message-Id: <202...@gr...> URL: https://www.mail-archive.com/ope...@li.../msg33934.html Signed-off-by: Gert Doering <ge...@gr...> --- M src/openvpn/tun_afunix.c 1 file changed, 2 insertions(+), 0 deletions(-) diff --git a/src/openvpn/tun_afunix.c b/src/openvpn/tun_afunix.c index 124db6d..42bcd0d 100644 --- a/src/openvpn/tun_afunix.c +++ b/src/openvpn/tun_afunix.c 
@@ -53,6 +53,8 @@ const char *msgprefix = "ERROR: failure executing process for tun:"; struct argv argv = argv_new(); + /* we should always called with a proper unix: dev node string */ + ASSERT(dev_node && strncmp(dev_node, "unix:", strlen("unix:")) == 0); /* since we know that dev-node starts with unix: we can just skip that * to get the program name */ const char *program = dev_node + strlen("unix:"); -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1320?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email Gerrit-MessageType: merged Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Idbb7bf279eb467fc1d56ab75a50b5eb2c8d0a57e Gerrit-Change-Number: 1320 Gerrit-PatchSet: 3 Gerrit-Owner: plaisthos <arn...@rf...> Gerrit-Reviewer: cron2 <ge...@gr...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-CC: openvpn-devel <ope...@li...> |
|
From: Gert D. <ge...@gr...> - 2025-10-28 12:18:15
|
Looks reasonable, BB is happy, and the unit tests exercising tun_afunix
(t_server_null) still pass. Also, I have a t_client test exercising
this, which still works :-)
I have updated the commit message a bit (language, Reported-By:), and
for one decided to try doing this in gerrit - it works, but is not the
best way to do it (it then does a "v2" of the patch, which hides the
test result of the actual patch, and creates extra noise on the list).
Your patch has been applied to the master branch.
commit 5bc0eae87ccf1abd6c400cb27d8e51819feb2036
Author: Arne Schwabe
Date: Tue Oct 28 12:59:47 2025 +0100
Add ASSERT to afunix code that dev_node is always set up the way we expect
Signed-off-by: Arne Schwabe <arn...@rf...>
Acked-by: Gert Doering <ge...@gr...>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1320
Message-Id: <202...@gr...>
URL: https://www.mail-archive.com/ope...@li.../msg33934.html
Signed-off-by: Gert Doering <ge...@gr...>
--
kind regards,
Gert Doering
|
|
From: Gert D. <ge...@gr...> - 2025-10-28 12:00:07
|
From: Arne Schwabe <ar...@rf...> The calling code only calls tun_afunix_exec_child if is_tun_afunix is true, which checks that the path is having unix: as prefix. But since adding an ASSERT here to ensure that it is really the case does not cost us anything, just add the ASSERT. Reported-By: Joshua Rogers <co...@jo...> Found-By: Zeropath Change-Id: Idbb7bf279eb467fc1d56ab75a50b5eb2c8d0a57e Signed-off-by: Arne Schwabe <arn...@rf...> Acked-by: Gert Doering <ge...@gr...> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1320 --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1320 This mail reflects revision 2 of this Change. Signed-off-by line for the author was added as per our policy. Acked-by according to Gerrit (reflected above): Gert Doering <ge...@gr...> diff --git a/src/openvpn/tun_afunix.c b/src/openvpn/tun_afunix.c index 4d48a31..e6f2be1 100644 --- a/src/openvpn/tun_afunix.c +++ b/src/openvpn/tun_afunix.c @@ -53,6 +53,8 @@ const char *msgprefix = "ERROR: failure executing process for tun:"; struct argv argv = argv_new(); + /* we should always called with a proper unix: dev node string */ + ASSERT(dev_node && strncmp(dev_node, "unix:", strlen("unix:")) == 0); /* since we know that dev-node starts with unix: we can just skip that * to get the program name */ const char *program = dev_node + strlen("unix:"); |
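Review bot: The comment added in the `@@ -53,6 +53,8 @@` hunk reads "we should always called with a proper unix: dev node string", which is missing a "be". Beyond that, the literal `"unix:"` now appears three times within a few lines (once in `strncmp` and twice in `strlen`), and the commit message says `is_tun_afunix` already performs this prefix check; asserting through that helper, or through one shared prefix constant, would keep the check and the `dev_node + strlen("unix:")` skip from drifting apart.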
|
From: cron2 (C. Review) <ge...@op...> - 2025-10-28 11:59:52
|
Attention is currently required from: flichtenheld, plaisthos.

cron2 has posted comments on this change by plaisthos. ( http://gerrit.openvpn.net/c/openvpn/+/1320?usp=email )

Change subject: Add ASSERT to afunix code that dev_node is always set up the way we expect
......................................................................

Patch Set 2: Code-Review+2

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1320?usp=email
To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email

Gerrit-MessageType: comment
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Idbb7bf279eb467fc1d56ab75a50b5eb2c8d0a57e
Gerrit-Change-Number: 1320
Gerrit-PatchSet: 2
Gerrit-Owner: plaisthos <arn...@rf...>
Gerrit-Reviewer: cron2 <ge...@gr...>
Gerrit-Reviewer: flichtenheld <fr...@li...>
Gerrit-CC: openvpn-devel <ope...@li...>
Gerrit-Attention: plaisthos <arn...@rf...>
Gerrit-Attention: flichtenheld <fr...@li...>
Gerrit-Comment-Date: Tue, 28 Oct 2025 11:59:38 +0000
Gerrit-HasComments: No
Gerrit-Has-Labels: Yes
|
|
From: cron2 (C. Review) <ge...@op...> - 2025-10-28 11:59:46
|
Attention is currently required from: flichtenheld. cron2 has uploaded a new patch set (#2) to the change originally created by plaisthos. ( http://gerrit.openvpn.net/c/openvpn/+/1320?usp=email ) Change subject: Add ASSERT to afunix code that dev_node is always set up the way we expect ...................................................................... Add ASSERT to afunix code that dev_node is always set up the way we expect The calling code only calls tun_afunix_exec_child if is_tun_afunix is true, which checks that the path is having unix: as prefix. But since adding an ASSERT here to ensure that it is really the case does not cost us anything, just add the ASSERT. Reported-By: Joshua Rogers <co...@jo...> Found-By: Zeropath Change-Id: Idbb7bf279eb467fc1d56ab75a50b5eb2c8d0a57e --- M src/openvpn/tun_afunix.c 1 file changed, 2 insertions(+), 0 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/20/1320/2 diff --git a/src/openvpn/tun_afunix.c b/src/openvpn/tun_afunix.c index 4d48a31..e6f2be1 100644 --- a/src/openvpn/tun_afunix.c +++ b/src/openvpn/tun_afunix.c 
@@ -53,6 +53,8 @@ const char *msgprefix = "ERROR: failure executing process for tun:"; struct argv argv = argv_new(); + /* we should always called with a proper unix: dev node string */ + ASSERT(dev_node && strncmp(dev_node, "unix:", strlen("unix:")) == 0); /* since we know that dev-node starts with unix: we can just skip that * to get the program name */ const char *program = dev_node + strlen("unix:"); -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1320?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email Gerrit-MessageType: newpatchset Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Idbb7bf279eb467fc1d56ab75a50b5eb2c8d0a57e Gerrit-Change-Number: 1320 Gerrit-PatchSet: 2 Gerrit-Owner: plaisthos <arn...@rf...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: flichtenheld <fr...@li...> |
|
From: cron2 (C. Review) <ge...@op...> - 2025-10-28 11:55:58
|
Attention is currently required from: flichtenheld, plaisthos. cron2 has uploaded a new patch set (#2) to the change originally created by MaxF. ( http://gerrit.openvpn.net/c/openvpn/+/1315?usp=email ) Change subject: Zeroize tls-crypt-v2 client keys ...................................................................... Zeroize tls-crypt-v2 client keys Joshua Rogers sent in a bug report generated with ZeroPath that the tls-crypt-v2 client key is loaded before running the verify script. If the verify script fails, the key is not zeroized. While investigating this report, I found that free_tls_pre_decrypt_state never zeroizes tls_wrap_tmp.original_wrap_keydata. So also when the check is successful, key data will remain in memory when it is no longer needed. This commit moves the tls-crypt-v2-verify check before loading the key. If it fails, original_wrap_keydata is zeroized. Also, in free_tls_pre_decrypt_state, if a key has been loaded, original_wrap_keydata is zeroized. Reported-By: Joshua Rogers <co...@jo...> Found-By: Zeropath Change-Id: Icfcbf8ee20c1c0016eb98b570f24b9325b157c5c Signed-off-by: Max Fillinger <ma...@ma...> --- M src/openvpn/ssl_pkt.c M src/openvpn/tls_crypt.c 2 files changed, 7 insertions(+), 5 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/15/1315/2 diff --git a/src/openvpn/ssl_pkt.c b/src/openvpn/ssl_pkt.c index 825719c..d7f7ac3 100644 --- a/src/openvpn/ssl_pkt.c +++ b/src/openvpn/ssl_pkt.c @@ -280,6 +280,7 @@ if (state->tls_wrap_tmp.cleanup_key_ctx) { free_key_ctx_bi(&state->tls_wrap_tmp.opt.key_ctx_bi); + secure_memzero(&state->tls_wrap_tmp.original_wrap_keydata, sizeof(state->tls_wrap_tmp.original_wrap_keydata)); } } diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c index 51b4eb3..a808de3 100644 --- a/src/openvpn/tls_crypt.c +++ b/src/openvpn/tls_crypt.c 
@@ -642,6 +642,12 @@ return false; } + if (opt && opt->tls_crypt_v2_verify_script && !tls_crypt_v2_verify_metadata(ctx, opt)) + { + secure_memzero(&ctx->original_wrap_keydata, sizeof(ctx->original_wrap_keydata)); + return false; + } + /* Load the decrypted key */ ctx->mode = TLS_WRAP_CRYPT; ctx->cleanup_key_ctx = true; @@ -652,11 +658,6 @@ /* Remove client key from buffer so tls-crypt code can unwrap message */ ASSERT(buf_inc_len(buf, -(BLEN(&wrapped_client_key)))); - if (opt && opt->tls_crypt_v2_verify_script) - { - return tls_crypt_v2_verify_metadata(ctx, opt); - } - return true; } -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1315?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email Gerrit-MessageType: newpatchset Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Icfcbf8ee20c1c0016eb98b570f24b9325b157c5c Gerrit-Change-Number: 1315 Gerrit-PatchSet: 2 Gerrit-Owner: MaxF <ma...@ma...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Attention: flichtenheld <fr...@li...> |
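Review bot: in the ssl_pkt.c hunk the new secure_memzero sits inside `if (state->tls_wrap_tmp.cleanup_key_ctx)`, so original_wrap_keydata is wiped only on paths that got as far as `ctx->cleanup_key_ctx = true`. Any failure path that fills original_wrap_keydata but returns before that point has to wipe it itself, as the new verify-failure branch does. Zeroing an already-clear buffer is harmless, so consider moving the call out of the conditional so that free_tls_pre_decrypt_state clears the key data regardless of how far loading progressed.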
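Review bot: in the tls_crypt.c hunk, tls_crypt_v2_verify_metadata(ctx, opt) now runs before `ctx->mode = TLS_WRAP_CRYPT` and before `buf_inc_len(buf, -(BLEN(&wrapped_client_key)))`, whereas it used to run after both. Please confirm that the verify function reads nothing from ctx that is only set during key loading, and that callers do not reuse buf after a false return, since on verify failure the wrapped client key is now still in the buffer. A short comment above the new block stating why the check must precede the key load would keep a later refactor from moving it back.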
|
From: cron2 (C. Review) <ge...@op...> - 2025-10-28 11:46:36
|
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/1290?usp=email ) Change subject: dco-freebsd: fix peer stats storage on client instances ...................................................................... dco-freebsd: fix peer stats storage on client instances Commit bf01a96 introduced a bug in the dco-freebsd path by attempting to store peer statistics in a structure that only exists on server instances. This leads to a SIGSEGV on non-server instances due to a NULL multi_context pointer. Resolve this by checking what mode the current instance is running in and storing peer stats accordingly. Fixes: https://github.com/OpenVPN/openvpn/issues/875 Change-Id: I92b5f3996f2a2180fa5e94719603078c1fc2f7f6 Signed-off-by: Ralf Lici <ra...@ma...> Acked-by: Gert Doering <ge...@gr...> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1290 Message-Id: <202...@gr...> Signed-off-by: Gert Doering <ge...@gr...> --- M src/openvpn/dco_freebsd.c 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/src/openvpn/dco_freebsd.c b/src/openvpn/dco_freebsd.c index e51f8dd..3521fca 100644 --- a/src/openvpn/dco_freebsd.c +++ b/src/openvpn/dco_freebsd.c 
@@ -634,7 +634,17 @@ if (nvlist_exists_nvlist(nvl, "bytes")) { - dco_update_peer_stat(dco->c->multi, dco->dco_message_peer_id, nvlist_get_nvlist(nvl, "bytes")); + const nvlist_t *bytes = nvlist_get_nvlist(nvl, "bytes"); + + if (dco->c->mode == CM_TOP) + { + dco_update_peer_stat(dco->c->multi, dco->dco_message_peer_id, bytes); + } + else + { + dco->c->c2.dco_read_bytes = nvlist_get_number(bytes, "in"); + dco->c->c2.dco_write_bytes = nvlist_get_number(bytes, "out"); + } } dco->dco_message_type = OVPN_CMD_DEL_PEER; -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1290?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email Gerrit-MessageType: merged Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I92b5f3996f2a2180fa5e94719603078c1fc2f7f6 Gerrit-Change-Number: 1290 Gerrit-PatchSet: 2 Gerrit-Owner: ralf_lici <ra...@ma...> Gerrit-Reviewer: cron2 <ge...@gr...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: mrbff <ma...@ma...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> |
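Review bot: the else branch calls nvlist_get_number(bytes, "in") and nvlist_get_number(bytes, "out") without checking that the keys are present. libnv aborts the process when a requested name is missing, so a "bytes" nvlist lacking either counter would trade the SIGSEGV this patch fixes for an abort. Guard both reads with nvlist_exists_number, or state in a comment that the kernel module always supplies both. The else also covers every mode other than CM_TOP; if only client instances are expected to land there, a comment saying so would help the next reader.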
|
From: cron2 (C. Review) <ge...@op...> - 2025-10-28 11:46:34
|
cron2 has uploaded a new patch set (#2) to the change originally created by ralf_lici. ( http://gerrit.openvpn.net/c/openvpn/+/1290?usp=email ) The following approvals got outdated and were removed: Code-Review+1 by mrbff, Code-Review+2 by cron2 Change subject: dco-freebsd: fix peer stats storage on client instances ...................................................................... dco-freebsd: fix peer stats storage on client instances Commit bf01a96 introduced a bug in the dco-freebsd path by attempting to store peer statistics in a structure that only exists on server instances. This leads to a SIGSEGV on non-server instances due to a NULL multi_context pointer. Resolve this by checking what mode the current instance is running in and storing peer stats accordingly. Fixes: https://github.com/OpenVPN/openvpn/issues/875 Change-Id: I92b5f3996f2a2180fa5e94719603078c1fc2f7f6 Signed-off-by: Ralf Lici <ra...@ma...> Acked-by: Gert Doering <ge...@gr...> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1290 Message-Id: <202...@gr...> Signed-off-by: Gert Doering <ge...@gr...> --- M src/openvpn/dco_freebsd.c 1 file changed, 11 insertions(+), 1 deletion(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/90/1290/2 diff --git a/src/openvpn/dco_freebsd.c b/src/openvpn/dco_freebsd.c index e51f8dd..3521fca 100644 --- a/src/openvpn/dco_freebsd.c +++ b/src/openvpn/dco_freebsd.c 
@@ -634,7 +634,17 @@ if (nvlist_exists_nvlist(nvl, "bytes")) { - dco_update_peer_stat(dco->c->multi, dco->dco_message_peer_id, nvlist_get_nvlist(nvl, "bytes")); + const nvlist_t *bytes = nvlist_get_nvlist(nvl, "bytes"); + + if (dco->c->mode == CM_TOP) + { + dco_update_peer_stat(dco->c->multi, dco->dco_message_peer_id, bytes); + } + else + { + dco->c->c2.dco_read_bytes = nvlist_get_number(bytes, "in"); + dco->c->c2.dco_write_bytes = nvlist_get_number(bytes, "out"); + } } dco->dco_message_type = OVPN_CMD_DEL_PEER; -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1290?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email Gerrit-MessageType: newpatchset Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I92b5f3996f2a2180fa5e94719603078c1fc2f7f6 Gerrit-Change-Number: 1290 Gerrit-PatchSet: 2 Gerrit-Owner: ralf_lici <ra...@ma...> Gerrit-Reviewer: cron2 <ge...@gr...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: mrbff <ma...@ma...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> |
|
From: Gert D. <ge...@gr...> - 2025-10-28 11:46:17
|
Marco, thanks for the review, and for finding the problem in the first
place :-)
I have tested this on FreeBSD 14 + DCO, and both the client and the server
side are now well-behaved and put the counter values in a nice place and
do not crash (I might have found a new bug - GH #881 - but that's not
directly related to the counter stuff).
Your patch has been applied to the master branch.
commit dc6b75788c626add84384ac121e11b65f9e02a6a
Author: Ralf Lici
Date: Tue Oct 28 12:33:05 2025 +0100
dco-freebsd: fix peer stats storage on client instances
Signed-off-by: Ralf Lici <ra...@ma...>
Acked-by: Gert Doering <ge...@gr...>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1290
Message-Id: <202...@gr...>
Signed-off-by: Gert Doering <ge...@gr...>
--
kind regards,
Gert Doering
|
|
From: Gert D. <ge...@gr...> - 2025-10-28 11:33:29
|
From: Ralf Lici <ra...@ma...> Commit bf01a96 introduced a bug in the dco-freebsd path by attempting to store peer statistics in a structure that only exists on server instances. This leads to a SIGSEGV on non-server instances due to a NULL multi_context pointer. Resolve this by checking what mode the current instance is running in and storing peer stats accordingly. Fixes: https://github.com/OpenVPN/openvpn/issues/875 Change-Id: I92b5f3996f2a2180fa5e94719603078c1fc2f7f6 Signed-off-by: Ralf Lici <ra...@ma...> Acked-by: Gert Doering <ge...@gr...> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1290 --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1290 This mail reflects revision 1 of this Change. Acked-by according to Gerrit (reflected above): Gert Doering <ge...@gr...> diff --git a/src/openvpn/dco_freebsd.c b/src/openvpn/dco_freebsd.c index e51f8dd..3521fca 100644 --- a/src/openvpn/dco_freebsd.c +++ b/src/openvpn/dco_freebsd.c @@ -634,7 +634,17 @@ if (nvlist_exists_nvlist(nvl, "bytes")) { - dco_update_peer_stat(dco->c->multi, dco->dco_message_peer_id, nvlist_get_nvlist(nvl, "bytes")); + const nvlist_t *bytes = nvlist_get_nvlist(nvl, "bytes"); + + if (dco->c->mode == CM_TOP) + { + dco_update_peer_stat(dco->c->multi, dco->dco_message_peer_id, bytes); + } + else + { + dco->c->c2.dco_read_bytes = nvlist_get_number(bytes, "in"); + dco->c->c2.dco_write_bytes = nvlist_get_number(bytes, "out"); + } } dco->dco_message_type = OVPN_CMD_DEL_PEER; |
|
From: cron2 (C. Review) <ge...@op...> - 2025-10-28 11:33:10
|
Attention is currently required from: flichtenheld, plaisthos, ralf_lici.
cron2 has posted comments on this change by ralf_lici. ( http://gerrit.openvpn.net/c/openvpn/+/1290?usp=email )
Change subject: dco-freebsd: fix peer stats storage on client instances
......................................................................
Patch Set 1: Code-Review+2
--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1290?usp=email
To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email
Gerrit-MessageType: comment
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I92b5f3996f2a2180fa5e94719603078c1fc2f7f6
Gerrit-Change-Number: 1290
Gerrit-PatchSet: 1
Gerrit-Owner: ralf_lici <ra...@ma...>
Gerrit-Reviewer: cron2 <ge...@gr...>
Gerrit-Reviewer: flichtenheld <fr...@li...>
Gerrit-Reviewer: mrbff <ma...@ma...>
Gerrit-Reviewer: plaisthos <arn...@rf...>
Gerrit-CC: openvpn-devel <ope...@li...>
Gerrit-Attention: plaisthos <arn...@rf...>
Gerrit-Attention: flichtenheld <fr...@li...>
Gerrit-Attention: ralf_lici <ra...@ma...>
Gerrit-Comment-Date: Tue, 28 Oct 2025 11:32:55 +0000
Gerrit-HasComments: No
Gerrit-Has-Labels: Yes |
|
From: flichtenheld (C. Review) <ge...@op...> - 2025-10-28 10:45:18
|
Attention is currently required from: mrbff, plaisthos.
flichtenheld has posted comments on this change by mrbff. ( http://gerrit.openvpn.net/c/openvpn/+/1316?usp=email )
Change subject: PUSH_UPDATE server: added new unit tests and improved documentation
......................................................................
Patch Set 1: Code-Review-2
(1 comment)
Patchset:
PS1:
Actually on second thought this whole code should be replaced with "check_expected". This is exactly what it is intended for. See my recent test_options_parse.c for example
--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1316?usp=email
To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email
Gerrit-MessageType: comment
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Idba419681fe3ccc4e6e2f6ce7592332dcff62cd9
Gerrit-Change-Number: 1316
Gerrit-PatchSet: 1
Gerrit-Owner: mrbff <ma...@ma...>
Gerrit-Reviewer: flichtenheld <fr...@li...>
Gerrit-Reviewer: plaisthos <arn...@rf...>
Gerrit-CC: openvpn-devel <ope...@li...>
Gerrit-Attention: plaisthos <arn...@rf...>
Gerrit-Attention: mrbff <ma...@ma...>
Gerrit-Comment-Date: Tue, 28 Oct 2025 10:45:04 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes |
|
From: flichtenheld (C. Review) <ge...@op...> - 2025-10-28 10:39:21
|
Attention is currently required from: mrbff, plaisthos.
flichtenheld has posted comments on this change by mrbff. ( http://gerrit.openvpn.net/c/openvpn/+/1316?usp=email )
Change subject: PUSH_UPDATE server: added new unit tests and improved documentation
......................................................................
Patch Set 1: Code-Review-1
(1 comment)
File tests/unit_tests/openvpn/test_push_update_msg.c:
http://gerrit.openvpn.net/c/openvpn/+/1316/comment/c3c8a28a_a6ce6843?usp=email :
PS1, Line 147: printf("\n\nexpected_size: %lu\n actual_size: %lu", res_len, str_len);
```suggestion
printf("\n\nexpected_size: %zu\n actual_size: %zu", res_len, str_len);
```
--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1316?usp=email
To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email
Gerrit-MessageType: comment
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Idba419681fe3ccc4e6e2f6ce7592332dcff62cd9
Gerrit-Change-Number: 1316
Gerrit-PatchSet: 1
Gerrit-Owner: mrbff <ma...@ma...>
Gerrit-Reviewer: flichtenheld <fr...@li...>
Gerrit-Reviewer: plaisthos <arn...@rf...>
Gerrit-CC: openvpn-devel <ope...@li...>
Gerrit-Attention: plaisthos <arn...@rf...>
Gerrit-Attention: mrbff <ma...@ma...>
Gerrit-Comment-Date: Tue, 28 Oct 2025 10:39:06 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes |
|
From: Gert D. <ge...@gr...> - 2025-10-28 10:16:50
|
From: Selva Nair <sel...@gm...> Found by ZeroPath Change-Id: I8e884c00cb94f97a612056e8dca74d821a6d6386 Signed-off-by: Selva Nair <sel...@gm...> Acked-by: Arne Schwabe <arn...@rf...> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1318 --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1318 This mail reflects revision 1 of this Change. Acked-by according to Gerrit (reflected above): Arne Schwabe <arn...@rf...> diff --git a/src/openvpnserv/CMakeLists.txt b/src/openvpnserv/CMakeLists.txt index 340b904..a92ee08 100644 --- a/src/openvpnserv/CMakeLists.txt +++ b/src/openvpnserv/CMakeLists.txt @@ -6,6 +6,11 @@ add_executable(openvpnserv) +include(CheckSymbolExists) + +# Some old versions of mingw does not have PATHCCH_OPTIONS enums -- add a check +check_symbol_exists(PATHCCH_ENSURE_TRAILING_SLASH pathcch.h HAVE_PATHCCH_ENSURE_TRAILING_SLASH) + set(MC_GEN_DIR ${CMAKE_CURRENT_BINARY_DIR}/mc) target_include_directories(openvpnserv PRIVATE @@ -31,7 +36,7 @@ ) target_link_libraries(openvpnserv advapi32.lib userenv.lib iphlpapi.lib fwpuclnt.lib rpcrt4.lib - shlwapi.lib netapi32.lib ws2_32.lib ntdll.lib ole32.lib) + shlwapi.lib netapi32.lib ws2_32.lib ntdll.lib ole32.lib pathcch.lib) if (MINGW) target_compile_options(openvpnserv PRIVATE -municode) target_link_options(openvpnserv PRIVATE -municode) diff --git a/src/openvpnserv/validate.c b/src/openvpnserv/validate.c index 59d5b86..2187fb5 100644 --- a/src/openvpnserv/validate.c +++ b/src/openvpnserv/validate.c @@ -25,6 +25,11 @@ #include <lmaccess.h> #include <shlwapi.h> #include <lm.h> +#include <pathcch.h> + +#ifndef HAVE_PATHCCH_ENSURE_TRAILING_SLASH +#define PATHCCH_ENSURE_TRAILING_SLASH 0x20 +#endif static const WCHAR *white_list[] = { L"auth-retry", 
@@ -61,7 +66,7 @@ { WCHAR tmp[MAX_PATH]; const WCHAR *config_file = NULL; - const WCHAR *config_dir = NULL; + WCHAR config_dir[MAX_PATH]; /* convert fname to full path */ if (PathIsRelativeW(fname)) @@ -74,9 +79,12 @@ config_file = fname; } - config_dir = s->config_dir; + /* canonicalize config_dir and add trailing slash before comparison */ + HRESULT res = PathCchCanonicalizeEx(config_dir, _countof(config_dir), s->config_dir, + PATHCCH_ENSURE_TRAILING_SLASH); - if (wcsncmp(config_dir, config_file, wcslen(config_dir)) == 0 + if (res == S_OK + && wcsncmp(config_dir, config_file, wcslen(config_dir)) == 0 && wcsstr(config_file + wcslen(config_dir), L"..") == NULL) { return TRUE; |
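Review bot: in the CMakeLists.txt hunk the result of check_symbol_exists lands in the CMake variable HAVE_PATHCCH_ENSURE_TRAILING_SLASH, but nothing in the visible lines passes it to the compiler (no target_compile_definitions, no generated header), so the `#ifndef HAVE_PATHCCH_ENSURE_TRAILING_SLASH` in validate.c would always take the 0x20 fallback. The comment also describes these as enums, and CMake documents check_symbol_exists as not recognising enum values, so the probe can report a miss even where the header has the value. Use a compile test such as check_c_source_compiles and forward the result as a compile definition for openvpnserv.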
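Review bot: in the last validate.c hunk only s->config_dir goes through PathCchCanonicalizeEx, while config_file is still compared in whatever form fname or the relative-path branch produced, so the wcsncmp prefix test now mixes a canonical string with a non-canonical one. A config_dir that canonicalization alters would stop matching files that really are inside it. That fails closed, but canonicalizing config_file with the same call before the comparison would make the check symmetric and turn the `wcsstr(config_file + wcslen(config_dir), L"..")` test into a backstop rather than the only guard against dot-dot segments. A one-line comment that any result other than S_OK is treated as a mismatch would document the intended failure mode.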