Re: [Openvpn-devel] [PATCH] plugins, down-root: Code style clean-up
ACK -Steffan On 08-12-14 23:45, David Sommerseth wrote: > From: David Sommerseth> > The coding style was somewhat chaotic. Cleaning it up using the astyle > tool. The style parameters are coherent to what was agreed upon at the > Munich Hackathon 2014 [1]. > > astyle --style=allman --indent=spaces=4 -c > > Also included a "Local variables" section which some editors may pick > up automatically. > > Signed-off-by: David Sommerseth > --- > src/plugins/down-root/down-root.c | 630 > +++--- > 1 file changed, 323 insertions(+), 307 deletions(-) > > diff --git a/src/plugins/down-root/down-root.c > b/src/plugins/down-root/down-root.c > index f7a49a0..6931bec 100644 > --- a/src/plugins/down-root/down-root.c > +++ b/src/plugins/down-root/down-root.c > @@ -66,17 +66,17 @@ static void down_root_server (const int fd, char * const > * argv, char * const *e > */ > struct down_root_context > { > - /* Foreground's socket to background process */ > - int foreground_fd; > +/* Foreground's socket to background process */ > +int foreground_fd; > > - /* Process ID of background process */ > - pid_t background_pid; > +/* Process ID of background process */ > +pid_t background_pid; > > - /* Verbosity level of OpenVPN */ > - int verb; > +/* Verbosity level of OpenVPN */ > +int verb; > > - /* down command */ > - char **command; > +/* down command */ > +char **command; > }; > > /* 
> @@ -87,21 +87,21 @@ struct down_root_context > static const char * > get_env (const char *name, const char *envp[]) > { > - if (envp) > +if (envp) > { > - int i; > - const int namelen = strlen (name); > - for (i = 0; envp[i]; ++i) > - { > - if (!strncmp (envp[i], name, namelen)) > - { > - const char *cp = envp[i] + namelen; > - if (*cp == '=') > - return cp + 1; > - } > - } > +int i; > +const int namelen = strlen (name); > +for (i = 0; envp[i]; ++i) > +{ > +if (!strncmp (envp[i], name, namelen)) > +{ > +const char *cp = envp[i] + namelen; > +if (*cp == '=') > +return cp + 1; > +} > +} > } > - return NULL; > +return NULL; > } > > /* > @@ -110,13 +110,13 @@ get_env (const char *name, const char *envp[]) > static int > string_array_len (const char *array[]) > { > - int i = 0; > - if (array) > +int i = 0; > +if (array) > { > - while (array[i]) > - ++i; > +while (array[i]) > +++i; > } > - return i; > +return i; > } > > /* > @@ -126,23 +126,23 @@ string_array_len (const char *array[]) > static int > recv_control (int fd) > { > - unsigned char c; > - const ssize_t size = read (fd, , sizeof (c)); > - if (size == sizeof (c)) > -return c; > - else > -return -1; > +unsigned char c; > +const ssize_t size = read (fd, , sizeof (c)); > +if (size == sizeof (c)) > +return c; > +else > +return -1; > } > > static int > send_control (int fd, int code) > { > - unsigned char c = (unsigned char) code; > - const ssize_t size = write (fd, , sizeof (c)); > - if (size == sizeof (c)) > -return (int) size; > - else > -return -1; > +unsigned char c = (unsigned char) code; > +const ssize_t size = write (fd, , sizeof (c)); > +if (size == sizeof (c)) > +return (int) size; > +else > +return -1; > } > > /* 
> @@ -153,22 +153,22 @@ send_control (int fd, int code) > static void > daemonize (const char *envp[]) > { > - const char *daemon_string = get_env ("daemon", envp); > - if (daemon_string && daemon_string[0] == '1') > +const char *daemon_string = get_env ("daemon", envp); > +if (daemon_string && daemon_string[0] == '1') > { > - const char *log_redirect = get_env ("daemon_log_redirect", envp); > - int fd = -1; > - if (log_redirect && log_redirect[0] == '1') > - fd = dup (2); > - if (daemon (0, 0) < 0) > - { > - warn ("DOWN-ROOT: daemonization failed"); > - } > - else if (fd >= 3) > - { > - dup2 (fd, 2); > - close (fd); > - } > +const char *log_redirect = get_env ("daemon_log_redirect", envp); > +int fd = -1; > +if (log_redirect && log_redirect[0] == '1') > +fd = dup (2); > +if (daemon (0, 0) < 0) > +{ > +warn ("DOWN-ROOT: daemonization failed"); > +} > +else if (fd >= 3) > +{ > +dup2 (fd, 2); > +close (fd); > +} > } > } > > @@ -185,12 +185,12 @@ daemonize (const char *envp[]) > static void > close_fds_except (int keep) > { > - int i; > - closelog (); > - for (i = 3; i <= 100; ++i) > +int i; > +closelog (); > +for (i = 3; i <= 100; ++i)
[Openvpn-devel] [PATCH] plugins, down-root: Code style clean-up
From: David SommersethThe coding style was somewhat chaotic. Cleaning it up using the astyle tool. The style parameters are coherent to what was agreed upon at the Munich Hackathon 2014 [1]. astyle --style=allman --indent=spaces=4 -c Also included a "Local variables" section which some editors may pick up automatically. Signed-off-by: David Sommerseth --- src/plugins/down-root/down-root.c | 630 +++--- 1 file changed, 323 insertions(+), 307 deletions(-) diff --git a/src/plugins/down-root/down-root.c b/src/plugins/down-root/down-root.c index f7a49a0..6931bec 100644 --- a/src/plugins/down-root/down-root.c +++ b/src/plugins/down-root/down-root.c @@ -66,17 +66,17 @@ static void down_root_server (const int fd, char * const * argv, char * const *e */ struct down_root_context { - /* Foreground's socket to background process */ - int foreground_fd; +/* Foreground's socket to background process */ +int foreground_fd; - /* Process ID of background process */ - pid_t background_pid; +/* Process ID of background process */ +pid_t background_pid; - /* Verbosity level of OpenVPN */ - int verb; +/* Verbosity level of OpenVPN */ +int verb; - /* down command */ - char **command; +/* down command */ +char **command; }; /* @@ -87,21 +87,21 @@ struct down_root_context static const char * get_env (const char *name, const char *envp[]) { - if (envp) +if (envp) { - int i; - const int namelen = strlen (name); - for (i = 0; envp[i]; ++i) - { - if (!strncmp (envp[i], name, namelen)) - { - const char *cp = envp[i] + namelen; - if (*cp == '=') - return cp + 1; - } - } +int i; +const int namelen = strlen (name); +for (i = 0; envp[i]; ++i) +{ +if (!strncmp (envp[i], name, namelen)) +{ +const char *cp = envp[i] + namelen; +if (*cp == '=') +return cp + 1; +} +} } - return NULL; +return NULL; } /* 
@@ -110,13 +110,13 @@ get_env (const char *name, const char *envp[]) static int string_array_len (const char *array[]) { - int i = 0; - if (array) +int i = 0; +if (array) { - while (array[i]) - ++i; +while (array[i]) +++i; } - return i; +return i; } /* @@ -126,23 +126,23 @@ string_array_len (const char *array[]) static int recv_control (int fd) { - unsigned char c; - const ssize_t size = read (fd, , sizeof (c)); - if (size == sizeof (c)) -return c; - else -return -1; +unsigned char c; +const ssize_t size = read (fd, , sizeof (c)); +if (size == sizeof (c)) +return c; +else +return -1; } static int send_control (int fd, int code) { - unsigned char c = (unsigned char) code; - const ssize_t size = write (fd, , sizeof (c)); - if (size == sizeof (c)) -return (int) size; - else -return -1; +unsigned char c = (unsigned char) code; +const ssize_t size = write (fd, , sizeof (c)); +if (size == sizeof (c)) +return (int) size; +else +return -1; } /* @@ -153,22 +153,22 @@ send_control (int fd, int code) static void daemonize (const char *envp[]) { - const char *daemon_string = get_env ("daemon", envp); - if (daemon_string && daemon_string[0] == '1') +const char *daemon_string = get_env ("daemon", envp); +if (daemon_string && daemon_string[0] == '1') { - const char *log_redirect = get_env ("daemon_log_redirect", envp); - int fd = -1; - if (log_redirect && log_redirect[0] == '1') - fd = dup (2); - if (daemon (0, 0) < 0) - { - warn ("DOWN-ROOT: daemonization failed"); - } - else if (fd >= 3) - { - dup2 (fd, 2); - close (fd); - } +const char *log_redirect = get_env ("daemon_log_redirect", envp); +int fd = -1; +if (log_redirect && log_redirect[0] == '1') +fd = dup (2); +if (daemon (0, 0) < 0) +{ +warn ("DOWN-ROOT: daemonization failed"); +} +else if (fd >= 3) +{ +dup2 (fd, 2); +close (fd); +} } } 
@@ -185,12 +185,12 @@ daemonize (const char *envp[]) static void close_fds_except (int keep) { - int i; - closelog (); - for (i = 3; i <= 100; ++i) +int i; +closelog (); +for (i = 3; i <= 100; ++i) { - if (i != keep) - close (i); +if (i != keep) +close (i); } } @@ -201,26 +201,26 @@ close_fds_except (int keep) static void set_signals (void) { - signal (SIGTERM, SIG_DFL); +signal (SIGTERM, SIG_DFL); - signal (SIGINT, SIG_IGN); - signal (SIGHUP, SIG_IGN); - signal (SIGUSR1, SIG_IGN); - signal (SIGUSR2, SIG_IGN); - signal (SIGPIPE, SIG_IGN); +
Re: [Openvpn-devel] [PATCH applied] plugin, down-root: Fix compiler warnings
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 08/12/14 22:40, David Sommerseth wrote: > From: David Sommerseth> > > Your patch has been applied to the master branch. > > commit 7dd51f6f50b17ab91cbb724e2d5e96657fab834a Author: David > Sommerseth Date: Mon Dec 8 22:31:15 2014 +0100 > > plugin, down-root: Fix compiler warnings > > Signed-off-by: David Sommerseth Acked-by: > Steffan Karger Message-Id: > 1418074541-24987-1-git-send-email-openvpn.l...@topphemmelig.net > URL: http://article.gmane.org/gmane.network.openvpn.devel/9327 > > Also applied to release/2.3 as commit e2983bf2db3593ee5711066196f8cae5f5e91013 - -- kind regards, David Sommerseth -BEGIN PGP SIGNATURE- Version: GnuPG v1 iEYEARECAAYFAlSGG6UACgkQDC186MBRfrpIOgCfZrawi69OZngyOFtZYXLk433q vcQAnjx5Tn51VtBLieWCSkJzoERyvvRN =ehog -END PGP SIGNATURE-
Re: [Openvpn-devel] [PATCH applied] plugin, down-root: Fix compiler warnings
From: David Sommerseth-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Your patch has been applied to the master branch. commit 7dd51f6f50b17ab91cbb724e2d5e96657fab834a Author: David Sommerseth List-Post: openvpn-devel@lists.sourceforge.net Date: Mon Dec 8 22:31:15 2014 +0100 plugin, down-root: Fix compiler warnings Signed-off-by: David Sommerseth Acked-by: Steffan Karger Message-Id: 1418074541-24987-1-git-send-email-openvpn.l...@topphemmelig.net URL: http://article.gmane.org/gmane.network.openvpn.devel/9327 - -- kind regards, David Sommerseth -BEGIN PGP SIGNATURE- Version: GnuPG v1 iEYEARECAAYFAlSGGtAACgkQDC186MBRfrqmCACghKg9mQ/hyQi3G7QyvuKCc7BK AhYAnj4SMJthWUPXCld6nLrKUUbJROc7 =JMTV -END PGP SIGNATURE-
Re: [Openvpn-devel] [PATCH] plugin, down-root: Fix compiler warnings
ACK -Steffan On 08-12-14 22:35, David Sommerseth wrote: > From: David Sommerseth> > Removed a few compiler warnings: > down-root.c:164:4: warning: implicit declaration of function 'warn' > [-Wimplicit-function-declaration] > down-root.c:239:5: warning: implicit declaration of function 'err' > [-Wimplicit-function-declaration] > down-root.c:461:7: warning: unused variable 'i' [-Wunused-variable] > down-root.c:460:15: warning: unused variable 'p' [-Wunused-variable] > > Signed-off-by: David Sommerseth > --- > src/plugins/down-root/down-root.c | 4 +--- > 1 file changed, 1 insertion(+), 3 deletions(-) > > diff --git a/src/plugins/down-root/down-root.c > b/src/plugins/down-root/down-root.c > index ed2636a..f7a49a0 100644 > --- a/src/plugins/down-root/down-root.c > +++ b/src/plugins/down-root/down-root.c > @@ -42,6 +42,7 @@ > #include > #include > #include > +#include > > #include > > @@ -457,9 +458,6 @@ openvpn_plugin_abort_v1 (openvpn_plugin_handle_t handle) > static void > down_root_server (const int fd, char * const *argv, char * const *envp, > const int verb) > { > - const char *p[3]; > - int i; > - >/* > * Do initialization > */ >
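Review bot: The header added at `@@ -42,6 +42,7 @@` (its name is lost in this rendering; given the `warn`/`err` implicit-declaration warnings quoted in the message it is presumably `<err.h>`) is a BSD/glibc extension rather than a POSIX header, so the plugin's build on other Unix targets now depends on it being present. Either a configure-time check for the header or a comment next to the include, e.g. `/* warn()/err() come from <err.h>, a BSD/glibc extension, not POSIX */`, would make that dependency visible to packagers. The second hunk only drops the unused `p` and `i`; down_root_server's body continues past it. The same two hunks appear in the unquoted patch post below.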
[Openvpn-devel] [PATCH] plugin, down-root: Fix compiler warnings
From: David SommersethRemoved a few compiler warnings: down-root.c:164:4: warning: implicit declaration of function 'warn' [-Wimplicit-function-declaration] down-root.c:239:5: warning: implicit declaration of function 'err' [-Wimplicit-function-declaration] down-root.c:461:7: warning: unused variable 'i' [-Wunused-variable] down-root.c:460:15: warning: unused variable 'p' [-Wunused-variable] Signed-off-by: David Sommerseth --- src/plugins/down-root/down-root.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/src/plugins/down-root/down-root.c b/src/plugins/down-root/down-root.c index ed2636a..f7a49a0 100644 --- a/src/plugins/down-root/down-root.c +++ b/src/plugins/down-root/down-root.c @@ -42,6 +42,7 @@ #include #include #include +#include #include @@ -457,9 +458,6 @@ openvpn_plugin_abort_v1 (openvpn_plugin_handle_t handle) static void down_root_server (const int fd, char * const *argv, char * const *envp, const int verb) { - const char *p[3]; - int i; - /* * Do initialization */ -- 1.8.3.1
Re: [Openvpn-devel] [PATCH applied] Prevent memory drain for long lasting floating sessions
From: David Sommerseth-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Your patch has been applied to the master branch. commit 09cf2ec5c09d35c72f2af0d988de8152378a182a Author: Lev Stipakov List-Post: openvpn-devel@lists.sourceforge.net Date: Mon Dec 8 18:48:45 2014 +0200 Prevent memory drain for long lasting floating sessions Signed-off-by: Lev Stipakov Acked-by: Steffan Karger Message-Id: 1418057325-13265-1-git-send-email-lstipa...@gmail.com URL: http://article.gmane.org/gmane.network.openvpn.devel/9321 Signed-off-by: David Sommerseth - -- kind regards, David Sommerseth -BEGIN PGP SIGNATURE- Version: GnuPG v1 iEYEARECAAYFAlSGFlQACgkQDC186MBRfrpbEACcDIQR605xTIzgJLxwzV2hG3Rx cncAoJaAZqt+Gt6p7NCzm99FARAZ4a3i =K+KE -END PGP SIGNATURE-
Re: [Openvpn-devel] [PATCH applied] Add the peer-id to the output of the status command
From: David Sommerseth-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Your patch has been applied to the master branch. commit 1b9541922ad6ff6ee46c84f43cd23b7064f7919d Author: Lev Stipakov List-Post: openvpn-devel@lists.sourceforge.net Date: Mon Dec 8 19:06:02 2014 +0200 Add the peer-id to the output of the status command Signed-off-by: Lev Stipakov Acked-by: Arne Schwabe Message-Id: 1418058362-13480-1-git-send-email-lstipa...@gmail.com URL: http://article.gmane.org/gmane.network.openvpn.devel/9322 Signed-off-by: David Sommerseth - -- kind regards, David Sommerseth -BEGIN PGP SIGNATURE- Version: GnuPG v1 iEYEARECAAYFAlSGFW8ACgkQDC186MBRfrqyqgCfeJe5//dyIZzizLLzV5m8dF93 IicAoIeTGMryxmM/zf/RqtMIUoAQ2k3W =zZN8 -END PGP SIGNATURE-
Re: [Openvpn-devel] [PATCH] Prevent memory drain for long lasting floating sessions
ACK. Less memory usage (even without float), and got rid of a dynamic allocation, nice! Code looks good and passes my local tests. -Steffan On 08-12-14 17:48, Lev Stipakov wrote: > For every float event we generate prefix, which allocates 256 + 64 > bytes. That memory is reclaimed when client disconnects, so long lasting > and constantly floating sessions drain memory. > > As a fix use preallocated buffer inside multi_instance for storing > multi_prefix. > > Signed-off-by: Lev Stipakov> --- > src/openvpn/mudp.c | 4 > src/openvpn/multi.c | 14 ++ > src/openvpn/multi.h | 8 +--- > 3 files changed, 19 insertions(+), 7 deletions(-) > > diff --git a/src/openvpn/mudp.c b/src/openvpn/mudp.c > index 853c08c..3e3f750 100644 > --- a/src/openvpn/mudp.c > +++ b/src/openvpn/mudp.c > @@ -111,6 +111,10 @@ multi_get_create_instance_udp (struct multi_context *m, > bool *floated) > break; > } > } > + > + /* should not really end up here, since > multi_create_instance returns null > +* if amount of clients exceeds max_clients */ > + ASSERT(i < m->max_clients); > } > } > else > diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c > index 538f4f1..fd0d0fe 100644 > --- a/src/openvpn/multi.c > +++ b/src/openvpn/multi.c > @@ -403,7 +403,7 @@ multi_instance_string (const struct multi_instance *mi, > bool null, struct gc_are > { >if (mi) > { > - struct buffer out = alloc_buf_gc (256, gc); > + struct buffer out = alloc_buf_gc (MULTI_PREFIX_MAX_LENGTH, gc); >const char *cn = tls_common_name (mi->context.c2.tls_multi, true); > >if (cn) 
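Review bot: The `ASSERT(i < m->max_clients);` added after the slot search in multi_get_create_instance_udp turns a violated invariant into a hard abort of the whole server, and this function appears to run in the per-packet path for floated clients, so a logic error in the float handling would cost every connected session rather than just the one packet. The comment already states the condition should be unreachable because multi_create_instance returns NULL past max_clients, which makes a degrade-gracefully choice safer: log at warning level and treat the packet as not floated instead of asserting, e.g. `if (i >= m->max_clients) { msg (M_WARN, "..."); return NULL; }` in place of the ASSERT, if the callers tolerate a NULL here. multi_get_create_instance_udp starts and ends outside the hunk. The same hunk appears in the unquoted patch post below.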
> @@ -420,21 +420,27 @@ multi_instance_string (const struct multi_instance *mi, > bool null, struct gc_are > void > generate_prefix (struct multi_instance *mi) > { > - mi->msg_prefix = multi_instance_string (mi, true, >gc); > + struct gc_arena gc = gc_new(); > + const char *prefix = multi_instance_string (mi, true, ); > + if (prefix) > +strncpynt(mi->msg_prefix, prefix, sizeof(mi->msg_prefix)); > + else > +mi->msg_prefix[0] = '\0'; >set_prefix (mi); > + gc_free(); > } > > void > ungenerate_prefix (struct multi_instance *mi) > { > - mi->msg_prefix = NULL; > + mi->msg_prefix[0] = '\0'; >set_prefix (mi); > } > > static const char * > mi_prefix (const struct multi_instance *mi) > { > - if (mi && mi->msg_prefix) > + if (mi && mi->msg_prefix[0]) > return mi->msg_prefix; >else > return "UNDEF_I"; > diff --git a/src/openvpn/multi.h b/src/openvpn/multi.h > index ad7f700..32b89d2 100644 > --- a/src/openvpn/multi.h > +++ b/src/openvpn/multi.h > @@ -42,6 +42,8 @@ > #include "mtcp.h" > #include "perf.h" > > +#define MULTI_PREFIX_MAX_LENGTH 256 > + > /* > * Walk (don't run) through the routing table, > * deleting old entries, and possibly multi_instance > @@ -80,7 +82,7 @@ struct multi_instance { >struct mroute_addr real; /**< External network address of the > * remote peer. */ >ifconfig_pool_handle vaddr_handle; > - const char *msg_prefix; > + char msg_prefix[MULTI_PREFIX_MAX_LENGTH]; > >/* queued outgoing data in Server/TCP mode */ >unsigned int tcp_rwflags; > @@ -445,10 +447,10 @@ static inline void > set_prefix (struct multi_instance *mi) > { > #ifdef MULTI_DEBUG_EVENT_LOOP > - if (mi->msg_prefix) > + if (mi->msg_prefix[0]) > printf ("[%s]\n", mi->msg_prefix); > #endif > - msg_set_prefix (mi->msg_prefix); > + msg_set_prefix (mi->msg_prefix[0] ? mi->msg_prefix : NULL); > } > > static inline void >
Re: [Openvpn-devel] [PATCH] Add the peer-id to the output of the status command
Am 08.12.14 18:06, schrieb Lev Stipakov: > This adds peer-id to the status output which might help analyze floating > logs. This will change the output of status in the same way commit > 662ce6acc065bddf6490b3494725b8b3987b7def did. > > ACK. Arne
[Openvpn-devel] [PATCH] Add the peer-id to the output of the status command
This adds peer-id to the status output which might help analyze floating logs. This will change the output of status in the same way commit 662ce6acc065bddf6490b3494725b8b3987b7def did. Signed-off-by: Lev Stipakov--- src/openvpn/multi.c | 14 -- 1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
index 538f4f1..b7785c1 100644
--- a/src/openvpn/multi.c
+++ b/src/openvpn/multi.c
@@ -815,8 +815,8 @@ multi_print_status (struct multi_context *m, struct status_output *so, const int
 */
 status_printf (so, "TITLE%c%s", sep, title_string);
 status_printf (so, "TIME%c%s%c%u", sep, time_string (now, 0, false, _top), sep, (unsigned int)now);
- status_printf (so, "HEADER%cCLIENT_LIST%cCommon Name%cReal Address%cVirtual Address%cVirtual IPv6 Address%cBytes Received%cBytes Sent%cConnected Since%cConnected Since (time_t)%cUsername%cClient ID",
-sep, sep, sep, sep, sep, sep, sep, sep, sep, sep, sep);
+ status_printf (so, "HEADER%cCLIENT_LIST%cCommon Name%cReal Address%cVirtual Address%cVirtual IPv6 Address%cBytes Received%cBytes Sent%cConnected Since%cConnected Since (time_t)%cUsername%cClient ID%cPeer ID",
+sep, sep, sep, sep, sep, sep, sep, sep, sep, sep, sep, sep);
 hash_iterator_init (m->hash, );
 while ((he = hash_iterator_next ()))
 {
@@ -827,10 +827,11 @@ multi_print_status (struct multi_context *m, struct status_output *so, const int
 {
 status_printf (so, "CLIENT_LIST%c%s%c%s%c%s%c%s%c" counter_format "%c" counter_format "%c%s%c%u%c%s%c"
 #ifdef MANAGEMENT_DEF_AUTH
-"%lu",
+"%lu"
 #else
-"",
+""
 #endif
+"%c%"PRIu32,
 sep, tls_common_name (mi->context.c2.tls_multi, false),
 sep, mroute_addr_print (>real, ),
 sep, print_in_addr_t (mi->reporting_addr, IA_EMPTY_IF_UNDEF, ),
@@ -841,10 +842,11 @@ multi_print_status (struct multi_context *m, struct status_output *so, const int
 sep, (unsigned int)mi->created,
 sep, tls_username (mi->context.c2.tls_multi, false),
 #ifdef MANAGEMENT_DEF_AUTH
-sep, mi->context.c2.mda_context.cid);
+sep, mi->context.c2.mda_context.cid,
 #else
-sep);
+sep,
 #endif
+sep, mi->context.c2.tls_multi ? mi->context.c2.tls_multi->peer_id : UINT32_MAX);
 }
 gc_free ();
 }
-- 1.9.1
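Review bot: The added Peer ID value prints `UINT32_MAX` whenever `mi->context.c2.tls_multi` is NULL, so status consumers will see `4294967295` as the "no peer-id" marker without that being stated anywhere in the patch; the status-format section of the man page should say so, and a short comment above the new argument, e.g. `/* UINT32_MAX marks an instance without a TLS session (no peer-id) */`, would save the next reader a lookup. The matching `"%c%"PRIu32` format is added in the `@@ -827,10` hunk above, so the two hunks must stay in sync if either is adjusted. multi_print_status starts outside the hunk.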
[Openvpn-devel] [PATCH] Prevent memory drain for long lasting floating sessions
For every float event we generate prefix, which allocates 256 + 64 bytes. That memory is reclaimed when client disconnects, so long lasting and constantly floating sessions drain memory. As a fix use preallocated buffer inside multi_instance for storing multi_prefix. Signed-off-by: Lev Stipakov--- src/openvpn/mudp.c | 4 src/openvpn/multi.c | 14 ++ src/openvpn/multi.h | 8 +--- 3 files changed, 19 insertions(+), 7 deletions(-) diff --git a/src/openvpn/mudp.c b/src/openvpn/mudp.c index 853c08c..3e3f750 100644 --- a/src/openvpn/mudp.c +++ b/src/openvpn/mudp.c @@ -111,6 +111,10 @@ multi_get_create_instance_udp (struct multi_context *m, bool *floated) break; } } + + /* should not really end up here, since multi_create_instance returns null + * if amount of clients exceeds max_clients */ + ASSERT(i < m->max_clients); } } else diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index 538f4f1..fd0d0fe 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -403,7 +403,7 @@ multi_instance_string (const struct multi_instance *mi, bool null, struct gc_are { if (mi) { - struct buffer out = alloc_buf_gc (256, gc); + struct buffer out = alloc_buf_gc (MULTI_PREFIX_MAX_LENGTH, gc); const char *cn = tls_common_name (mi->context.c2.tls_multi, true); if (cn) 
@@ -420,21 +420,27 @@ multi_instance_string (const struct multi_instance *mi, bool null, struct gc_are void generate_prefix (struct multi_instance *mi) { - mi->msg_prefix = multi_instance_string (mi, true, >gc); + struct gc_arena gc = gc_new(); + const char *prefix = multi_instance_string (mi, true, ); + if (prefix) +strncpynt(mi->msg_prefix, prefix, sizeof(mi->msg_prefix)); + else +mi->msg_prefix[0] = '\0'; set_prefix (mi); + gc_free(); } void ungenerate_prefix (struct multi_instance *mi) { - mi->msg_prefix = NULL; + mi->msg_prefix[0] = '\0'; set_prefix (mi); } static const char * mi_prefix (const struct multi_instance *mi) { - if (mi && mi->msg_prefix) + if (mi && mi->msg_prefix[0]) return mi->msg_prefix; else return "UNDEF_I"; diff --git a/src/openvpn/multi.h b/src/openvpn/multi.h index ad7f700..32b89d2 100644 --- a/src/openvpn/multi.h +++ b/src/openvpn/multi.h @@ -42,6 +42,8 @@ #include "mtcp.h" #include "perf.h" +#define MULTI_PREFIX_MAX_LENGTH 256 + /* * Walk (don't run) through the routing table, * deleting old entries, and possibly multi_instance @@ -80,7 +82,7 @@ struct multi_instance { struct mroute_addr real; /**< External network address of the * remote peer. */ ifconfig_pool_handle vaddr_handle; - const char *msg_prefix; + char msg_prefix[MULTI_PREFIX_MAX_LENGTH]; /* queued outgoing data in Server/TCP mode */ unsigned int tcp_rwflags; @@ -445,10 +447,10 @@ static inline void set_prefix (struct multi_instance *mi) { #ifdef MULTI_DEBUG_EVENT_LOOP - if (mi->msg_prefix) + if (mi->msg_prefix[0]) printf ("[%s]\n", mi->msg_prefix); #endif - msg_set_prefix (mi->msg_prefix); + msg_set_prefix (mi->msg_prefix[0] ? mi->msg_prefix : NULL); } static inline void -- 1.9.1
[Openvpn-devel] [PATCH] Add Mac OS X keychain support
This patch adds support for using certificates stored in the Mac OSX Keychain to authenticate with the OpenVPN server. This works with certificates stored on the computer as well as certificates on hardware tokens that support Apple's tokend interface. The patch is very similar to, and also based on, the Windows Crypto API certificate functionality that currently exists in OpenVPN. The previous version of the patch was sent by Brian Raderman (http://thread.gmane.org/gmane.network.openvpn.devel/3631). The current version uses autoconf, doesn't use printf, fixes several small bugs like ignoring errors, and it now works with Tunnelblick. The previous version has been tested with an Aladdin eToken on Mac OSX Leopard and with software only certificates on Mac OSX Leopard and Snow Leopard, as reported by Brian Raderman in his email. The current version of the patch was tested in Yandex company on ~3000 hosts using several Mac OS X versions (10.7, 10.8. 10.9. 10.10) using Tunnelblick. It was tested both on OpenVPN started from the terminal and using Tunnelblick. Renegotiation was tested too. There are several warnings on Mac OS X related to functions deprecation like RSA_new() and similar. However, they are used in other OpenVPN code, so I decided not to touch it. The patch is against commit 3341a98c2852d1d0c1eafdc70a3bdb218ec29049. Signed-off-by: Vasily Kulikov-- diff --git a/configure.ac b/configure.ac index 608ab6d..127e173 100644 --- a/configure.ac +++ b/configure.ac @@ -258,6 +258,13 @@ AC_ARG_ENABLE( ) AC_ARG_ENABLE( + [macosx-keychain], + [AS_HELP_STRING([--enable-macosx-keychain], [enable MAC OS X keychain support @<:@default=yes@:>@])], + , + [enable_keychain="no"] +) + +AC_ARG_ENABLE( [systemd], [AS_HELP_STRING([--enable-systemd], [enable systemd suppport @<:@default=no@:>@])], , 
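Review bot: In the new `AC_ARG_ENABLE([macosx-keychain], …)` stanza the default branch assigns `enable_keychain="no"`, but AC_ARG_ENABLE derives its variable from the option name, and the later `if test "${enable_macosx_keychain}" = "yes"` check in the next hunk reads `enable_macosx_keychain`; the default only works because an unset variable compares unequal to "yes". The help string also advertises `@<:@default=yes@:>@` while the assigned default is no, so users reading `./configure --help` get the wrong picture of what is compiled in. Change the two lines to `[enable_macosx_keychain="no"]` and `@<:@default=no@:>@`.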
@@ -330,6 +337,7 @@ case "$host" in have_tap_header="yes" dnl some Mac OS X tendering (we use vararg macros...) CPPFLAGS="$CPPFLAGS -no-cpp-precomp" + MACOSX=yes ;; *-mingw*) AC_DEFINE([TARGET_WIN32], [1], [Are we running WIN32?]) @@ -1088,6 +1096,11 @@ if test "${enable_ssl}" = "yes"; then AC_DEFINE([ENABLE_SSL], [1], [Enable ssl library]) fi +if test "${enable_macosx_keychain}" = "yes"; then + test "${MACOSX}" != "yes" && AC_MSG_ERROR([keychain is available on MAC OS X only]) + AC_DEFINE([ENABLE_KEYCHAIN], [1], [Enable MAC OS X keychain support]) +fi + if test "${enable_crypto}" = "yes"; then test "${have_crypto_crypto}" != "yes" && AC_MSG_ERROR([${with_crypto_library} crypto is required but missing]) test "${enable_crypto_ofb_cfb}" = "yes" && AC_DEFINE([ENABLE_OFB_CFB_MODE], [1], [Enable OFB and CFB cipher modes]) @@ -1199,6 +1212,7 @@ AC_SUBST([PLUGIN_AUTH_PAM_CFLAGS]) AC_SUBST([PLUGIN_AUTH_PAM_LIBS]) AM_CONDITIONAL([WIN32], [test "${WIN32}" = "yes"]) +AM_CONDITIONAL([MACOSX], [test "${MACOSX}" = "yes"]) AM_CONDITIONAL([GIT_CHECKOUT], [test "${GIT_CHECKOUT}" = "yes"]) AM_CONDITIONAL([ENABLE_PLUGIN_AUTH_PAM], [test "${enable_plugin_auth_pam}" = "yes"]) AM_CONDITIONAL([ENABLE_PLUGIN_DOWN_ROOT], [test "${enable_plugin_down_root}" = "yes"]) diff --git a/doc/openvpn.8 b/doc/openvpn.8 index 96ba555..a23d950 100644 --- a/doc/openvpn.8 +++ b/doc/openvpn.8 
@@ -4450,6 +4450,77 @@ Certificate Store GUI. .\"* .TP +.B --keychaincert select-string +Load the certificate and private key from the +Mac OSX Keychain (Mac OSX Only). + +Use this option instead of +.B --cert +and +.B --key. + +This makes it possible to use any smart card supported by Mac OSX using the tokend interface, but also any +kind of certificate, residing in the Keychain, where you have access to +the private key. This option has been tested on the client side with an Aladdin eToken +on Mac OSX Leopard and with software certificates stored in the Keychain on Mac OSX Leopard and +Mac OSX Snow Leopard. As of this writing (4/27/10) Aladdin has not yet released Snow Leopard drivers. + +To select a certificate based on a string search in the +certificate's subject and/or issuer: + +.B --keychaincert +"SUBJECT:c=US/o=Apple Inc./ou=me.com/cn=username ISSUER:c=US/o=Apple Computer, Inc./ou=Apple Computer Certificate Authority/cn=Apple .Mac Certificate Authority" + +.I "Distinguished Name Component Abbreviations:" +.br +o = organization +.br +ou = organizational unit +.br +c = country +.br +l = locality +.br +st = state +.br +cn = common name +.br +e = email +.br + +All of the distinguished name components are optional, although you do need to specify at least one of them. You can +add spaces around the '/' and '=' characters, e.g. "SUBJECT: c = US / o = Apple Inc.". You do not need to specify +both the subject and the issuer, one or the other will work fine. +The identity