Re: [Openvpn-devel] [PATCH] dco_freebsd: use m->instances[] instead of m->hash
On 22.03.23 at 00:10, Antonio Quartulli wrote:
When retrieving the multi_instance of a specific peer, there is no need to perform a linear search across the whole m->hash list. We can directly access the needed object via m->instances[peer-id] in constant time (and just one line of code).
Adapt the dco-freebsd code to do so.

Acked-By: Arne Schwabe

Arne

___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] dco_freebsd: use m->instances[] instead of m->hash
Hi,

On 22/03/2023 00:10, Antonio Quartulli wrote:
When retrieving the multi_instance of a specific peer, there is no need to perform a linear search across the whole m->hash list. We can directly access the needed object via m->instances[peer-id] in constant time (and just one line of code).
Adapt the dco-freebsd code to do so.
Cc: Kristof Provost

If the patch is suitable for merging, please change the above to k...@freebsd.org before moving on.

Cheers,

Change-Id: I8d8af6f872146604a9710edf443db65df48ac3cb
Signed-off-by: Antonio Quartulli
---
NOTE: not tested because I have no FreeBSD environment and I can't find how to kick off the buildbot
---
src/openvpn/dco_freebsd.c | 22 +-
1 file changed, 5 insertions(+), 17 deletions(-)
diff --git a/src/openvpn/dco_freebsd.c b/src/openvpn/dco_freebsd.c index 225b3cf8..ae8c1380 100644 --- a/src/openvpn/dco_freebsd.c +++ b/src/openvpn/dco_freebsd.c @@ -674,27 +674,15 @@ dco_event_set(dco_context_t *dco, struct event_set *es, void *arg) static void dco_update_peer_stat(struct multi_context *m, uint32_t peerid, const nvlist_t *nvl) { -struct hash_element *he; -struct hash_iterator hi; - -hash_iterator_init(m->hash, ); - -while ((he = hash_iterator_next())) +struct multi_instance *mi = m->instances[peer_id]; +if (!mi) { -struct multi_instance *mi = (struct multi_instance *) he->value; - -if (mi->context.c2.tls_multi->peer_id != peerid) -{ -continue; -} - -mi->context.c2.dco_read_bytes = nvlist_get_number(nvl, "in"); -mi->context.c2.dco_write_bytes = nvlist_get_number(nvl, "out"); - +msg(M_INFO, "Peer %d returned by kernel, but not found locally", peerid); return; } -msg(M_INFO, "Peer %d returned by kernel, but not found locally", peerid); +mi->context.c2.dco_read_bytes = nvlist_get_number(nvl, "in"); +mi->context.c2.dco_write_bytes = nvlist_get_number(nvl, "out"); } int
-- Antonio Quartulli
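Review bot: the new m->instances[...] lookup in the dco_update_peer_stat hunk indexes the instances array with a peer id handed up by the kernel in the nvlist and never checks it against the size of that array, whereas the loop it replaces compared tls_multi->peer_id against peerid and was therefore safe for any value. Add a range check before the dereference, for instance "if (peerid >= <size of m->instances> || !(mi = m->instances[peerid]))", and let both the out-of-range and the NULL case fall into the existing "Peer %d returned by kernel, but not found locally" path.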
[Openvpn-devel] [PATCH] dco_freebsd: use m->instances[] instead of m->hash
When retrieving the multi_instance of a specific peer, there is no need to perform a linear search across the whole m->hash list. We can directly access the needed object via m->instances[peer-id] in constant time (and just one line of code).
Adapt the dco-freebsd code to do so.
Cc: Kristof Provost
Change-Id: I8d8af6f872146604a9710edf443db65df48ac3cb
Signed-off-by: Antonio Quartulli
---
NOTE: not tested because I have no FreeBSD environment and I can't find how to kick off the buildbot
---
src/openvpn/dco_freebsd.c | 22 +-
1 file changed, 5 insertions(+), 17 deletions(-)
diff --git a/src/openvpn/dco_freebsd.c b/src/openvpn/dco_freebsd.c index 225b3cf8..ae8c1380 100644 --- a/src/openvpn/dco_freebsd.c +++ b/src/openvpn/dco_freebsd.c @@ -674,27 +674,15 @@ dco_event_set(dco_context_t *dco, struct event_set *es, void *arg) static void dco_update_peer_stat(struct multi_context *m, uint32_t peerid, const nvlist_t *nvl) { -struct hash_element *he; -struct hash_iterator hi; - -hash_iterator_init(m->hash, ); - -while ((he = hash_iterator_next())) +struct multi_instance *mi = m->instances[peer_id]; +if (!mi) { -struct multi_instance *mi = (struct multi_instance *) he->value; - -if (mi->context.c2.tls_multi->peer_id != peerid) -{ -continue; -} - -mi->context.c2.dco_read_bytes = nvlist_get_number(nvl, "in"); -mi->context.c2.dco_write_bytes = nvlist_get_number(nvl, "out"); - +msg(M_INFO, "Peer %d returned by kernel, but not found locally", peerid); return; } -msg(M_INFO, "Peer %d returned by kernel, but not found locally", peerid); +mi->context.c2.dco_read_bytes = nvlist_get_number(nvl, "in"); +mi->context.c2.dco_write_bytes = nvlist_get_number(nvl, "out"); } int
--
2.39.2
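Review bot: the hunk does not compile as posted: the function parameter is peerid (still used in the msg() call a few lines further down), but the added line reads m->instances[peer_id], an identifier that is not declared in that scope. Given the note that the change is untested because no FreeBSD environment was available, please fix the name and at least build it before merge; the added line should read "struct multi_instance *mi = m->instances[peerid];".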
[Openvpn-devel] [PATCH v2] dco-linux: implement dco_get_peer_stats{, multi} API
With this API it is possible to retrieve the stats for a specific peer or for all peers and then update the userspace counters with the value reported by DCO. Change-Id: Ia3990b86b1be7ca844fb1674b39ce0d60528ccff Signed-off-by: Antonio Quartulli --- Changes from v1: * use m->instances[] instead of iterating over m->hash --- src/openvpn/dco_linux.c | 183 --- src/openvpn/ovpn_dco_linux.h | 14 ++- 2 files changed, 179 insertions(+), 18 deletions(-) diff --git a/src/openvpn/dco_linux.c b/src/openvpn/dco_linux.c index 47961849..4bbe7e22 100644 --- a/src/openvpn/dco_linux.c +++ b/src/openvpn/dco_linux.c @@ -41,6 +41,7 @@ #include "tun.h" #include "ssl.h" #include "fdmisc.h" +#include "multi.h" #include "ssl_verify.h" #include "ovpn_dco_linux.h" @@ -168,16 +169,17 @@ ovpn_nl_recvmsgs(dco_context_t *dco, const char *prefix) * @param dco The dco context to use * @param nl_msgthe message to use * @param cbAn optional callback if the caller expects an answer + * @param cb_argAn optional param to pass to the callback * @param prefixA prefix to report in the error message to give the user context * @return status of sending the message */ static int ovpn_nl_msg_send(dco_context_t *dco, struct nl_msg *nl_msg, ovpn_nl_cb cb, - const char *prefix) + void *cb_arg, const char *prefix) { dco->status = 1; -nl_cb_set(dco->nl_cb, NL_CB_VALID, NL_CB_CUSTOM, cb, dco); +nl_cb_set(dco->nl_cb, NL_CB_VALID, NL_CB_CUSTOM, cb, cb_arg); nl_send_auto(dco->nl_sock, nl_msg); while (dco->status == 1) @@ -268,7 +270,7 @@ dco_new_peer(dco_context_t *dco, unsigned int peerid, int sd, } nla_nest_end(nl_msg, attr); -ret = ovpn_nl_msg_send(dco, nl_msg, NULL, __func__); +ret = ovpn_nl_msg_send(dco, nl_msg, NULL, NULL, __func__); nla_put_failure: nlmsg_free(nl_msg); 
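Review bot: the "Changes from v1" list mentions only the switch to m->instances[], but the NAK on v1 reported a SIGSEGV in nl_cb_set() reached through ovpn_nl_msg_send() from dco_get_peer_stats_multi() under --disable-dco, and the ovpn_nl_msg_send hunk here still passes dco->nl_cb to nl_cb_set() and dco->nl_sock to nl_send_auto() unconditionally. Either state in the changelog that the crash is handled by the separate "multi: don't call DCO APIs if DCO is disabled" patch, or make the new stats entry points return early when the dco context has no netlink socket, so that v2 is self-contained against the problem that blocked v1.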
@@ -489,7 +491,7 @@ dco_swap_keys(dco_context_t *dco, unsigned int peerid) NLA_PUT_U32(nl_msg, OVPN_SWAP_KEYS_ATTR_PEER_ID, peerid); nla_nest_end(nl_msg, attr); -ret = ovpn_nl_msg_send(dco, nl_msg, NULL, __func__); +ret = ovpn_nl_msg_send(dco, nl_msg, NULL, NULL, __func__); nla_put_failure: nlmsg_free(nl_msg); @@ -513,7 +515,7 @@ dco_del_peer(dco_context_t *dco, unsigned int peerid) NLA_PUT_U32(nl_msg, OVPN_DEL_PEER_ATTR_PEER_ID, peerid); nla_nest_end(nl_msg, attr); -ret = ovpn_nl_msg_send(dco, nl_msg, NULL, __func__); +ret = ovpn_nl_msg_send(dco, nl_msg, NULL, NULL, __func__); nla_put_failure: nlmsg_free(nl_msg); @@ -539,7 +541,7 @@ dco_del_key(dco_context_t *dco, unsigned int peerid, NLA_PUT_U8(nl_msg, OVPN_DEL_KEY_ATTR_KEY_SLOT, slot); nla_nest_end(nl_msg, attr); -ret = ovpn_nl_msg_send(dco, nl_msg, NULL, __func__); +ret = ovpn_nl_msg_send(dco, nl_msg, NULL, NULL, __func__); nla_put_failure: nlmsg_free(nl_msg); @@ -596,7 +598,7 @@ dco_new_key(dco_context_t *dco, unsigned int peerid, int keyid, nla_nest_end(nl_msg, attr); -ret = ovpn_nl_msg_send(dco, nl_msg, NULL, __func__); +ret = ovpn_nl_msg_send(dco, nl_msg, NULL, NULL, __func__); nla_put_failure: nlmsg_free(nl_msg); @@ -625,7 +627,7 @@ dco_set_peer(dco_context_t *dco, unsigned int peerid, keepalive_timeout); nla_nest_end(nl_msg, attr); -ret = ovpn_nl_msg_send(dco, nl_msg, NULL, __func__); +ret = ovpn_nl_msg_send(dco, nl_msg, NULL, NULL, __func__); nla_put_failure: nlmsg_free(nl_msg); @@ -706,7 +708,7 @@ ovpn_get_mcast_id(dco_context_t *dco) int ret = -EMSGSIZE; NLA_PUT_STRING(nl_msg, CTRL_ATTR_FAMILY_NAME, OVPN_NL_NAME); -ret = ovpn_nl_msg_send(dco, nl_msg, mcast_family_handler, __func__); +ret = ovpn_nl_msg_send(dco, nl_msg, mcast_family_handler, dco, __func__); nla_put_failure: nlmsg_free(nl_msg); 
@@ -819,18 +821,173 @@ dco_do_read(dco_context_t *dco) return ovpn_nl_recvmsgs(dco, __func__); } +static void +dco_update_peer_stat(struct context_2 *c2, struct nlattr *tb[], uint32_t id) +{ +if (tb[OVPN_GET_PEER_RESP_ATTR_LINK_RX_BYTES]) +{ +c2->dco_read_bytes = nla_get_u64(tb[OVPN_GET_PEER_RESP_ATTR_LINK_RX_BYTES]); +msg(D_DCO_DEBUG, "%s / dco_read_bytes: %lu", __func__, +c2->dco_read_bytes); +} +else +{ +msg(M_WARN, "%s: no link RX bytes provided in reply for peer %u", +__func__, id); +} + +if (tb[OVPN_GET_PEER_RESP_ATTR_LINK_TX_BYTES]) +{ +c2->dco_write_bytes = nla_get_u64(tb[OVPN_GET_PEER_RESP_ATTR_LINK_TX_BYTES]); +msg(D_DCO_DEBUG, "%s / dco_write_bytes: %lu", __func__, +c2->dco_write_bytes); +} +else +{ +msg(M_WARN, "%s: no link TX bytes provided in reply for peer %u", +__func__, id); +} + +if (tb[OVPN_GET_PEER_RESP_ATTR_VPN_RX_BYTES]) +{ +c2->tun_read_bytes =
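Review bot: the two D_DCO_DEBUG messages in dco_update_peer_stat() print c2->dco_read_bytes and c2->dco_write_bytes, which are assigned from nla_get_u64() and so hold 64-bit values, with "%lu"; that format only matches a uint64_t on LP64 targets and will trip -Wformat elsewhere. Use "%" PRIu64 (or cast to unsigned long long and print with "%llu") in both messages.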
[Openvpn-devel] [PATCH applied] Re: dns option: allow up to eight addresses per server
I've submitted this to "basic client/server testing" plus "GHA build", just to be sure that nothing breaks - but this doesn't exercise the new code at all.

Stare-at-code says "it should do what it says on the lid", and the code is actually a bit simpler this way, not having to maintain separate addr4/addr6_defined variables etc.

Some basic tests (running openvpn from the cli with --dns option and looking at "show_dns_options()" output) look good. Didn't look at the environment variables or Windows DHCP.

The error message for "--dns server 3 address" (with no addresses) is a bit confusing now

Options error: --dns: unknown option type 'server' or missing or unknown parameter

but it does not crash or otherwise misbehave. Exceeding the number of allowed addresses leads to

Options error: --dns server 3: malformed address or maximum exceeded '9.9.9.9'

(good).

Your patch has been applied to the master and release/2.6 branch.

commit 424ae5906388af8769ae448080fa3b7ec266e8d8 (master)
commit 3b967e7e05f679203ce26e027fcea5f7b4709eaa (release/2.6)
Author: Heiko Hund
Date: Fri Mar 10 06:08:12 2023 +0100

dns option: allow up to eight addresses per server

Signed-off-by: Heiko Hund
Acked-by: Arne Schwabe
Message-Id: <20230310050814.67246-1-he...@ist.eigentlich.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26386.html
Signed-off-by: Gert Doering

--
kind regards,
Gert Doering
[Openvpn-devel] [PATCH applied] Re: multi: don't call DCO APIs if DCO is disabled
I have not tested this extensively (as in "instrument the functions not called anymore if --disable-dco is in use"), just ran some basic tests on FreeBSD 14 with DCO, and "counters with DCO" still work, as does --inactive (with a "this many bytes" specification).

Your patch has been applied to the master and release/2.6 branch.

commit 891c71db5e26291b19885b9a5ae5c72011b86658 (master)
commit 8f503708ed954ff3ae43357bd9f59809581a1381 (release/2.6)
Author: Antonio Quartulli
Date: Tue Mar 21 11:28:42 2023 +0100

multi: don't call DCO APIs if DCO is disabled

Signed-off-by: Antonio Quartulli
Acked-by: Lev Stipakov
Message-Id: <20230321102842.10780-...@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26458.html
Signed-off-by: Gert Doering

--
kind regards,
Gert Doering
[Openvpn-devel] [PATCH applied] Re: Improve description of compat-mode
Nothing to test here :-)

Your patch has been applied to the master and release/2.6 branch.

commit daf66f4013d8facc085ea6cfaaf8a42f4d45a461 (master)
commit 92827ad84eb3a5b7ca70f3e7f34800d25790b10d (release/2.6)
Author: Arne Schwabe
Date: Mon Mar 20 17:55:38 2023 +0100

Improve description of compat-mode

Signed-off-by: Arne Schwabe
Acked-by: Frank Lichtenheld
Message-Id: <20230320165538.902965-1-a...@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26445.html
Signed-off-by: Gert Doering

--
kind regards,
Gert Doering
Re: [Openvpn-devel] [PATCH] multi: don't call DCO APIs if DCO is disabled
LGTM. Without this patch and with Linux DCO peer stats openvpn crashes, with this patch it doesn't.

Acked-by: Lev Stipakov

On Tue, 21 Mar 2023 at 12:30, Antonio Quartulli (a...@unstable.cc) wrote:
>
> The agreement with the DCO submodule is that no API should be called if DCO is actually disabled. For this reason, every invocation must happen only after having checked that dco_enabled() returns true.
>
> Add missing checks before invoking dco_get_peer_stats_multi()
>
> Reported-by: Lev Stipakov
> Signed-off-by: Antonio Quartulli
> ---
> src/openvpn/multi.c | 10 --
> 1 file changed, 8 insertions(+), 2 deletions(-)
>
> diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c > index 53c17b3a..1f0a9c01 100644 > --- a/src/openvpn/multi.c > +++ b/src/openvpn/multi.c > @@ -549,7 +549,10 @@ multi_del_iroutes(struct multi_context *m, > static void > setenv_stats(struct multi_context *m, struct context *c) > { > -dco_get_peer_stats_multi(>top.c1.tuntap->dco, m); > +if (dco_enabled(>top.options)) > +{ > +dco_get_peer_stats_multi(>top.c1.tuntap->dco, m); > +} > > setenv_counter(c->c2.es, "bytes_received", c->c2.link_read_bytes + > c->c2.dco_read_bytes); > setenv_counter(c->c2.es, "bytes_sent", c->c2.link_write_bytes + > c->c2.dco_write_bytes); > @@ -849,7 +852,10 @@ multi_print_status(struct multi_context *m, struct > status_output *so, const int > > status_reset(so); > > -dco_get_peer_stats_multi(>top.c1.tuntap->dco, m); > +if (dco_enabled(>top.options)) > +{ > +dco_get_peer_stats_multi(>top.c1.tuntap->dco, m); > +} > > if (version == 1) > { > -- > 2.39.2

--
-Lev
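Review bot: in the first quoted hunk, setenv_stats() is a per-client call (it takes struct context *c and only reads c->c2 afterwards), yet the guarded call fetches counters for every peer via dco_get_peer_stats_multi(); the per-peer dco_get_peer_stats() from the same API series would avoid an all-peer netlink refresh on every client environment setup. Not a correctness problem for this patch, which only adds the missing dco_enabled() guards, but worth a follow-up.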
[Openvpn-devel] [PATCH] multi: don't call DCO APIs if DCO is disabled
The agreement with the DCO submodule is that no API should be called if DCO is actually disabled. For this reason, every invocation must happen only after having checked that dco_enabled() returns true. Add missing checks before invoking dco_get_peer_stats_multi() Reported-by: Lev Stipakov Signed-off-by: Antonio Quartulli --- src/openvpn/multi.c | 10 -- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index 53c17b3a..1f0a9c01 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -549,7 +549,10 @@ multi_del_iroutes(struct multi_context *m, static void setenv_stats(struct multi_context *m, struct context *c) { -dco_get_peer_stats_multi(>top.c1.tuntap->dco, m); +if (dco_enabled(>top.options)) +{ +dco_get_peer_stats_multi(>top.c1.tuntap->dco, m); +} setenv_counter(c->c2.es, "bytes_received", c->c2.link_read_bytes + c->c2.dco_read_bytes); setenv_counter(c->c2.es, "bytes_sent", c->c2.link_write_bytes + c->c2.dco_write_bytes); @@ -849,7 +852,10 @@ multi_print_status(struct multi_context *m, struct status_output *so, const int status_reset(so); -dco_get_peer_stats_multi(>top.c1.tuntap->dco, m); +if (dco_enabled(>top.options)) +{ +dco_get_peer_stats_multi(>top.c1.tuntap->dco, m); +} if (version == 1) { -- 2.39.2 ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
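Review bot: both hunks wrap the same call in an identical three-line "if (dco_enabled(...)) { dco_get_peer_stats_multi(...); }" block, and the commit message says the call must never run with DCO disabled; enforcing that once inside dco_get_peer_stats_multi() (or in a small static helper in multi.c) would make it impossible to miss a call site, which is exactly how these two were missed. The ">top.c1.tuntap->dco" and ">top.options" arguments in the hunks appear to be the archive's rendering of address-of expressions rather than the source as submitted.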
Re: [Openvpn-devel] [PATCH] dco-linux: implement dco_get_peer_stats{, multi} API
NAK.

When running with --disable-dco:

Program received signal SIGUSR2, User defined signal 2.
0x77aee967 in __GI___poll (fds=0x55668ca0, nfds=2, timeout=1) at ../sysdeps/unix/sysv/linux/poll.c:29
29 ../sysdeps/unix/sysv/linux/poll.c: No such file or directory.
(gdb) c
Continuing.
2023-03-21 11:52:25 us=550135 event_wait : Interrupted system call (fd=-1,code=4)

Program received signal SIGSEGV, Segmentation fault.
0x77be46a0 in nl_cb_set () from /lib/x86_64-linux-gnu/libnl-3.so.200
(gdb) bt
#0 0x77be46a0 in nl_cb_set () from /lib/x86_64-linux-gnu/libnl-3.so.200
#1 0x5557047a in ovpn_nl_msg_send (dco=dco@entry=0x55656348, nl_msg=0x5566d1b0, cb=cb@entry=0x5556fde0 , cb_arg=cb_arg@entry=0x7fffc100, prefix=prefix@entry=0x555f4050 <__func__.33438> "dco_get_peer_stats_multi") at dco_linux.c:182
#2 0x555715ec in dco_get_peer_stats_multi (dco=dco@entry=0x55656348, m=m@entry=0x7fffc100) at dco_linux.c:939
#3 0x55597c63 in multi_print_status (m=m@entry=0x7fffc100, so=so@entry=0x5564dc90, version=1) at multi.c:852
#4 0x5559c75e in multi_print_status (version=, so=0x5564dc90, m=0x7fffc100) at multi.c:3848
#5 multi_process_signal (m=m@entry=0x7fffc100) at multi.c:3848
#6 0x5559537f in tunnel_server_udp (top=0x7fffd3d0) at mudp.c:506
#7 0x555a1369 in openvpn_main (argc=4, argv=0x7fffe638) at openvpn.c:319
#8 0x77a00083 in __libc_start_main (main=0x55561730 , argc=4, argv=0x7fffe638, init=, fini=, rtld_fini=, stack_end=0x7fffe628) at ../csu/libc-start.c:308
#9 0x5556176e in _start ()

On Tue, 21 Mar 2023 at 1:22, Antonio Quartulli (a...@unstable.cc) wrote:
>
> With this API it is possible to retrieve the stats for a specific peer or for all peers and then update the userspace counters with the value reported by DCO.
>
> Change-Id: Ia3990b86b1be7ca844fb1674b39ce0d60528ccff
> Signed-off-by: Antonio Quartulli > --- > > Pleas, use the latest ovpn-dco master branch! > > src/openvpn/dco_linux.c | 194 --- > src/openvpn/ovpn_dco_linux.h | 14 ++- > 2 files changed, 190 insertions(+), 18 deletions(-) > > diff --git a/src/openvpn/dco_linux.c b/src/openvpn/dco_linux.c > index 47961849..1f18fa81 100644 > --- a/src/openvpn/dco_linux.c > +++ b/src/openvpn/dco_linux.c > @@ -41,6 +41,7 @@ > #include "tun.h" > #include "ssl.h" > #include "fdmisc.h" > +#include "multi.h" > #include "ssl_verify.h" > > #include "ovpn_dco_linux.h" > @@ -168,16 +169,17 @@ ovpn_nl_recvmsgs(dco_context_t *dco, const char *prefix) > * @param dco The dco context to use > * @param nl_msgthe message to use > * @param cbAn optional callback if the caller expects an answer > + * @param cb_argAn optional param to pass to the callback > * @param prefixA prefix to report in the error message to give the user > context > * @return status of sending the message > */ > static int > ovpn_nl_msg_send(dco_context_t *dco, struct nl_msg *nl_msg, ovpn_nl_cb cb, > - const char *prefix) > + void *cb_arg, const char *prefix) > { > dco->status = 1; > > -nl_cb_set(dco->nl_cb, NL_CB_VALID, NL_CB_CUSTOM, cb, dco); > +nl_cb_set(dco->nl_cb, NL_CB_VALID, NL_CB_CUSTOM, cb, cb_arg); > nl_send_auto(dco->nl_sock, nl_msg); > > while (dco->status == 1) > @@ -268,7 +270,7 @@ dco_new_peer(dco_context_t *dco, unsigned int peerid, int > sd, > } > nla_nest_end(nl_msg, attr); > > -ret = ovpn_nl_msg_send(dco, nl_msg, NULL, __func__); > +ret = ovpn_nl_msg_send(dco, nl_msg, NULL, NULL, __func__); > > nla_put_failure: > nlmsg_free(nl_msg); > @@ -489,7 +491,7 @@ dco_swap_keys(dco_context_t *dco, unsigned int peerid) > NLA_PUT_U32(nl_msg, OVPN_SWAP_KEYS_ATTR_PEER_ID, peerid); > nla_nest_end(nl_msg, attr); > > -ret = ovpn_nl_msg_send(dco, nl_msg, NULL, __func__); > +ret = ovpn_nl_msg_send(dco, nl_msg, NULL, NULL, __func__); > > nla_put_failure: > nlmsg_free(nl_msg); 
> @@ -513,7 +515,7 @@ dco_del_peer(dco_context_t *dco, unsigned int peerid) > NLA_PUT_U32(nl_msg, OVPN_DEL_PEER_ATTR_PEER_ID, peerid); > nla_nest_end(nl_msg, attr); > > -ret = ovpn_nl_msg_send(dco, nl_msg, NULL, __func__); > +ret = ovpn_nl_msg_send(dco, nl_msg, NULL, NULL, __func__); > > nla_put_failure: > nlmsg_free(nl_msg); > @@ -539,7 +541,7 @@ dco_del_key(dco_context_t *dco, unsigned int peerid, > NLA_PUT_U8(nl_msg, OVPN_DEL_KEY_ATTR_KEY_SLOT, slot); > nla_nest_end(nl_msg, attr); > > -ret = ovpn_nl_msg_send(dco, nl_msg, NULL, __func__); > +ret = ovpn_nl_msg_send(dco, nl_msg, NULL, NULL, __func__); > > nla_put_failure: > nlmsg_free(nl_msg); > @@ -596,7 +598,7 @@ dco_new_key(dco_context_t *dco, unsigned int peerid, int > keyid, > > nla_nest_end(nl_msg, attr); > > -ret = ovpn_nl_msg_send(dco,
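Review bot: the backtrace in this reply ends in nl_cb_set() called from the quoted ovpn_nl_msg_send() hunk (frame #1, dco_linux.c:182), reached from dco_get_peer_stats_multi() while the server runs with --disable-dco, so the new stats path sends a netlink message through a dco context whose nl_cb and nl_sock were never set up. Make dco_get_peer_stats() and dco_get_peer_stats_multi() return early when DCO is not enabled (or require every caller to check dco_enabled() first, as the follow-up multi.c patch in this thread does); the cb_arg plumbing itself looks fine.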
Re: [Openvpn-devel] [PATCH applied] Re: using OpenSSL3 API for EVP PKEY type name reporting
Hi Gert,

thanks very much!

> Have not investigated how to actually trigger these code lines.

If you're curious (TL;DR), below's a test FWIW: The fix can be seen "in action" when using OpenVPN with a quantum-safe signature algorithm via oqs-provider. Everything built into docker images:

1) New code in openquantumsafe/openvpn:23903fd579353c98:

# openvpn --version
OpenVPN 2.7_git [git:master/23903fd579353c98] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH/PKTINFO] [AEAD] [DCO] built on Mar 21 2023
library versions: OpenSSL 3.2.0-dev , LZO 2.10

2023-03-21 09:08:43 us=455158 10.0.5.3:37633 TLS: tls_multi_process: initial untrusted session promoted to trusted
WWRR2023-03-21 09:08:43 us=455383 10.0.5.3:37633 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 192 bit dilithium3, signature: dilithium3
2023-03-21 09:08:43 us=455406 10.0.5.3:37633 [oqsopenvpnclient] Peer Connection Initiated with [AF_INET]10.0.5.3:37633

--> Connection establishment OK

2) Old code in openquantumsafe/openvpn:838474145933199a

# openvpn --version
OpenVPN 2.7_git [git:master/838474145933199a] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH/PKTINFO] [AEAD] [DCO] built on Mar 14 2023
library versions: OpenSSL 3.2.0-dev , LZO 2.10

2023-03-21 09:10:59 us=432368 10.0.5.3:40978 TLS: tls_multi_process: initial untrusted session promoted to trusted
WWRR2023-03-21 09:10:59 us=432601 10.0.5.3:40978 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 192 bit unknown type, signature: dilithium3
2023-03-21 09:10:59 us=432619 10.0.5.3:40978 [oqsopenvpnclient] Peer Connection Initiated with [AF_INET]10.0.5.3:40978
2023-03-21 09:10:59 us=432634 10.0.5.3:40978 OpenSSL: error:0465:object identifier routines::unknown nid
2023-03-21 09:10:59 us=432640 10.0.5.3:40978 TLS_ERROR: BIO read tls_read_plaintext error
2023-03-21 09:10:59 us=432648 10.0.5.3:40978 TLS Error: TLS object -> incoming plaintext read error
2023-03-21 09:10:59 us=432653 10.0.5.3:40978 TLS Error: TLS handshake failed

--> Connection setup failure

Regards,

--Michael

On 20.03.23 at 14:01, Gert Doering wrote:
I have not tested this extensively, just subjected to GH to compile and run basic checks with OpenSSL 1.1.x and 3.0.x, and ran a few local tests (Linux + OpenSSL 1.1.1). This all passed. Have not investigated how to actually trigger these code lines.

Your patch has been applied to the master and release/2.6 branch.

commit 6c111be9b109a6dbcd39cac7821ea3dd78ff6adf (master)
commit a05ec70edd5178aac7b7432c57878c32aa838013 (release/2.6)
Author: Michael Baentsch
Date: Sun Mar 19 08:54:41 2023 +0100

using OpenSSL3 API for EVP PKEY type name reporting

Signed-off-by: Michael Baentsch
Acked-by: Arne Schwabe
Message-Id: <20230319075441.13021-1-i...@baentsch.ch>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26439.html
Signed-off-by: Gert Doering

--
kind regards,
Gert Doering
Re: [Openvpn-devel] [PATCH v2] Improve description of compat-mode
On Mon, Mar 20, 2023 at 05:55:38PM +0100, Arne Schwabe wrote:
> Explicitly say that the version specified is the one of the peer and not the version we try to emulate.
>
> Patch v2: Improve grammar.
> Change-Id: I3bd27a8d34d8cb4896a3b78508b7d16911571543
>
> Change-Id: If4fb45b3426f5e0dbe6c87d5bd05681b9d733827

How did you end up with two change ids?

> Signed-off-by: Arne Schwabe
> ---
> doc/man-sections/generic-options.rst | 22 --
> 1 file changed, 16 insertions(+), 6 deletions(-)

Review happened in Gerrit.

Acked-By: Frank Lichtenheld

Regards,
--
Frank Lichtenheld
[Openvpn-devel] [PATCH applied] Re: dco-linux: remove M_ERRNO flag when printing netlink error message
Acked-by: Gert Doering

"Trivially correct" :-) - compile-tested on a DCO enabled linux.

Your patch has been applied to the master and release/2.6 branch.

commit 23903fd579353c9892415a750f17a9832a79cced (master)
commit 047f772b84843344b6131e9e915472d14adcea2b (release/2.6)
Author: Antonio Quartulli
Date: Mon Mar 20 20:58:20 2023 +0100

dco-linux: remove M_ERRNO flag when printing netlink error message

Signed-off-by: Antonio Quartulli
Acked-by: Gert Doering
Message-Id: <20230320195820.6675-...@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26452.html
Signed-off-by: Gert Doering

--
kind regards,
Gert Doering