Re: [Openvpn-devel] [PATCH] plugins, down-root: Code style clean-up

2014-12-08 Thread Steffan Karger
ACK

-Steffan

On 08-12-14 23:45, David Sommerseth wrote:
> From: David Sommerseth 
> 
> The coding style was somewhat chaotic.  Cleaning it up using the astyle
> tool.  The style parameters are coherent to what was agreed upon at the
> Munich Hackathon 2014 [1].
> 
>  astyle --style=allman --indent=spaces=4 -c
> 
> Also included a "Local variables" section which some editors may pick
> up automatically.
> 
> Signed-off-by: David Sommerseth 
> ---
>  src/plugins/down-root/down-root.c | 630 
> +++---
>  1 file changed, 323 insertions(+), 307 deletions(-)
> 
> diff --git a/src/plugins/down-root/down-root.c 
> b/src/plugins/down-root/down-root.c
> index f7a49a0..6931bec 100644
> --- a/src/plugins/down-root/down-root.c
> +++ b/src/plugins/down-root/down-root.c
> @@ -66,17 +66,17 @@ static void down_root_server (const int fd, char * const 
> * argv, char * const *e
>   */
>  struct down_root_context
>  {
> -  /* Foreground's socket to background process */
> -  int foreground_fd;
> +/* Foreground's socket to background process */
> +int foreground_fd;
>  
> -  /* Process ID of background process */
> -  pid_t background_pid;
> +/* Process ID of background process */
> +pid_t background_pid;
>  
> -  /* Verbosity level of OpenVPN */
> -  int verb;
> +/* Verbosity level of OpenVPN */
> +int verb;
>  
> -  /* down command */
> -  char **command;
> +/* down command */
> +char **command;
>  };
>  
>  /*
> @@ -87,21 +87,21 @@ struct down_root_context
>  static const char *
>  get_env (const char *name, const char *envp[])
>  {
> -  if (envp)
> +if (envp)
>  {
> -  int i;
> -  const int namelen = strlen (name);
> -  for (i = 0; envp[i]; ++i)
> - {
> -   if (!strncmp (envp[i], name, namelen))
> - {
> -   const char *cp = envp[i] + namelen;
> -   if (*cp == '=')
> - return cp + 1;
> - }
> - }
> +int i;
> +const int namelen = strlen (name);
> +for (i = 0; envp[i]; ++i)
> +{
> +if (!strncmp (envp[i], name, namelen))
> +{
> +const char *cp = envp[i] + namelen;
> +if (*cp == '=')
> +return cp + 1;
> +}
> +}
>  }
> -  return NULL;
> +return NULL;
>  }
>  
>  /*
> @@ -110,13 +110,13 @@ get_env (const char *name, const char *envp[])
>  static int
>  string_array_len (const char *array[])
>  {
> -  int i = 0;
> -  if (array)
> +int i = 0;
> +if (array)
>  {
> -  while (array[i])
> - ++i;
> +while (array[i])
> +++i;
>  }
> -  return i;
> +return i;
>  }
>  
>  /*
> @@ -126,23 +126,23 @@ string_array_len (const char *array[])
>  static int
>  recv_control (int fd)
>  {
> -  unsigned char c;
> -  const ssize_t size = read (fd, , sizeof (c));
> -  if (size == sizeof (c))
> -return c;
> -  else
> -return -1;
> +unsigned char c;
> +const ssize_t size = read (fd, , sizeof (c));
> +if (size == sizeof (c))
> +return c;
> +else
> +return -1;
>  }
>  
>  static int
>  send_control (int fd, int code)
>  {
> -  unsigned char c = (unsigned char) code;
> -  const ssize_t size = write (fd, , sizeof (c));
> -  if (size == sizeof (c))
> -return (int) size;
> -  else
> -return -1;
> +unsigned char c = (unsigned char) code;
> +const ssize_t size = write (fd, , sizeof (c));
> +if (size == sizeof (c))
> +return (int) size;
> +else
> +return -1;
>  }
>  
>  /*
> @@ -153,22 +153,22 @@ send_control (int fd, int code)
>  static void
>  daemonize (const char *envp[])
>  {
> -  const char *daemon_string = get_env ("daemon", envp);
> -  if (daemon_string && daemon_string[0] == '1')
> +const char *daemon_string = get_env ("daemon", envp);
> +if (daemon_string && daemon_string[0] == '1')
>  {
> -  const char *log_redirect = get_env ("daemon_log_redirect", envp);
> -  int fd = -1;
> -  if (log_redirect && log_redirect[0] == '1')
> - fd = dup (2);
> -  if (daemon (0, 0) < 0)
> - {
> -   warn ("DOWN-ROOT: daemonization failed");
> - }
> -  else if (fd >= 3)
> - {
> -   dup2 (fd, 2);
> -   close (fd);
> - }
> +const char *log_redirect = get_env ("daemon_log_redirect", envp);
> +int fd = -1;
> +if (log_redirect && log_redirect[0] == '1')
> +fd = dup (2);
> +if (daemon (0, 0) < 0)
> +{
> +warn ("DOWN-ROOT: daemonization failed");
> +}
> +else if (fd >= 3)
> +{
> +dup2 (fd, 2);
> +close (fd);
> +}
>  }
>  }
>  
> @@ -185,12 +185,12 @@ daemonize (const char *envp[])
>  static void
>  close_fds_except (int keep)
>  {
> -  int i;
> -  closelog ();
> -  for (i = 3; i <= 100; ++i)
> +int i;
> +closelog ();
> +for (i = 3; i <= 100; ++i)

[Openvpn-devel] [PATCH] plugins, down-root: Code style clean-up

2014-12-08 Thread David Sommerseth
From: David Sommerseth 

The coding style was somewhat chaotic.  Cleaning it up using the astyle
tool.  The style parameters are coherent to what was agreed upon at the
Munich Hackathon 2014 [1].

 astyle --style=allman --indent=spaces=4 -c

Also included a "Local variables" section which some editors may pick
up automatically.

Signed-off-by: David Sommerseth 
---
 src/plugins/down-root/down-root.c | 630 +++---
 1 file changed, 323 insertions(+), 307 deletions(-)

diff --git a/src/plugins/down-root/down-root.c 
b/src/plugins/down-root/down-root.c
index f7a49a0..6931bec 100644
--- a/src/plugins/down-root/down-root.c
+++ b/src/plugins/down-root/down-root.c
@@ -66,17 +66,17 @@ static void down_root_server (const int fd, char * const * 
argv, char * const *e
  */
 struct down_root_context
 {
-  /* Foreground's socket to background process */
-  int foreground_fd;
+/* Foreground's socket to background process */
+int foreground_fd;

-  /* Process ID of background process */
-  pid_t background_pid;
+/* Process ID of background process */
+pid_t background_pid;

-  /* Verbosity level of OpenVPN */
-  int verb;
+/* Verbosity level of OpenVPN */
+int verb;

-  /* down command */
-  char **command;
+/* down command */
+char **command;
 };

 /*
@@ -87,21 +87,21 @@ struct down_root_context
 static const char *
 get_env (const char *name, const char *envp[])
 {
-  if (envp)
+if (envp)
 {
-  int i;
-  const int namelen = strlen (name);
-  for (i = 0; envp[i]; ++i)
-   {
- if (!strncmp (envp[i], name, namelen))
-   {
- const char *cp = envp[i] + namelen;
- if (*cp == '=')
-   return cp + 1;
-   }
-   }
+int i;
+const int namelen = strlen (name);
+for (i = 0; envp[i]; ++i)
+{
+if (!strncmp (envp[i], name, namelen))
+{
+const char *cp = envp[i] + namelen;
+if (*cp == '=')
+return cp + 1;
+}
+}
 }
-  return NULL;
+return NULL;
 }

 /*
@@ -110,13 +110,13 @@ get_env (const char *name, const char *envp[])
 static int
 string_array_len (const char *array[])
 {
-  int i = 0;
-  if (array)
+int i = 0;
+if (array)
 {
-  while (array[i])
-   ++i;
+while (array[i])
+++i;
 }
-  return i;
+return i;
 }

 /*
@@ -126,23 +126,23 @@ string_array_len (const char *array[])
 static int
 recv_control (int fd)
 {
-  unsigned char c;
-  const ssize_t size = read (fd, , sizeof (c));
-  if (size == sizeof (c))
-return c;
-  else
-return -1;
+unsigned char c;
+const ssize_t size = read (fd, , sizeof (c));
+if (size == sizeof (c))
+return c;
+else
+return -1;
 }

 static int
 send_control (int fd, int code)
 {
-  unsigned char c = (unsigned char) code;
-  const ssize_t size = write (fd, , sizeof (c));
-  if (size == sizeof (c))
-return (int) size;
-  else
-return -1;
+unsigned char c = (unsigned char) code;
+const ssize_t size = write (fd, , sizeof (c));
+if (size == sizeof (c))
+return (int) size;
+else
+return -1;
 }

 /*
@@ -153,22 +153,22 @@ send_control (int fd, int code)
 static void
 daemonize (const char *envp[])
 {
-  const char *daemon_string = get_env ("daemon", envp);
-  if (daemon_string && daemon_string[0] == '1')
+const char *daemon_string = get_env ("daemon", envp);
+if (daemon_string && daemon_string[0] == '1')
 {
-  const char *log_redirect = get_env ("daemon_log_redirect", envp);
-  int fd = -1;
-  if (log_redirect && log_redirect[0] == '1')
-   fd = dup (2);
-  if (daemon (0, 0) < 0)
-   {
- warn ("DOWN-ROOT: daemonization failed");
-   }
-  else if (fd >= 3)
-   {
- dup2 (fd, 2);
- close (fd);
-   }
+const char *log_redirect = get_env ("daemon_log_redirect", envp);
+int fd = -1;
+if (log_redirect && log_redirect[0] == '1')
+fd = dup (2);
+if (daemon (0, 0) < 0)
+{
+warn ("DOWN-ROOT: daemonization failed");
+}
+else if (fd >= 3)
+{
+dup2 (fd, 2);
+close (fd);
+}
 }
 }

@@ -185,12 +185,12 @@ daemonize (const char *envp[])
 static void
 close_fds_except (int keep)
 {
-  int i;
-  closelog ();
-  for (i = 3; i <= 100; ++i)
+int i;
+closelog ();
+for (i = 3; i <= 100; ++i)
 {
-  if (i != keep)
-   close (i);
+if (i != keep)
+close (i);
 }
 }

@@ -201,26 +201,26 @@ close_fds_except (int keep)
 static void
 set_signals (void)
 {
-  signal (SIGTERM, SIG_DFL);
+signal (SIGTERM, SIG_DFL);

-  signal (SIGINT, SIG_IGN);
-  signal (SIGHUP, SIG_IGN);
-  signal (SIGUSR1, SIG_IGN);
-  signal (SIGUSR2, SIG_IGN);
-  signal (SIGPIPE, SIG_IGN);
+   

Re: [Openvpn-devel] [PATCH applied] plugin, down-root: Fix compiler warnings

2014-12-08 Thread David Sommerseth
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


On 08/12/14 22:40, David Sommerseth wrote:
> From: David Sommerseth 
> 
> 
> Your patch has been applied to the master branch.
> 
> commit 7dd51f6f50b17ab91cbb724e2d5e96657fab834a Author: David
> Sommerseth Date:   Mon Dec 8 22:31:15 2014 +0100
> 
> plugin, down-root: Fix compiler warnings
> 
> Signed-off-by: David Sommerseth  Acked-by:
> Steffan Karger  Message-Id:
> 1418074541-24987-1-git-send-email-openvpn.l...@topphemmelig.net 
> URL: http://article.gmane.org/gmane.network.openvpn.devel/9327
> 
> 

Also applied to release/2.3 as commit
e2983bf2db3593ee5711066196f8cae5f5e91013

- --
kind regards,

David Sommerseth

-BEGIN PGP SIGNATURE-
Version: GnuPG v1

iEYEARECAAYFAlSGG6UACgkQDC186MBRfrpIOgCfZrawi69OZngyOFtZYXLk433q
vcQAnjx5Tn51VtBLieWCSkJzoERyvvRN
=ehog
-END PGP SIGNATURE-



Re: [Openvpn-devel] [PATCH applied] plugin, down-root: Fix compiler warnings

2014-12-08 Thread David Sommerseth
From: David Sommerseth 

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


Your patch has been applied to the master branch.

commit 7dd51f6f50b17ab91cbb724e2d5e96657fab834a
Author: David Sommerseth
List-Post: openvpn-devel@lists.sourceforge.net
Date:   Mon Dec 8 22:31:15 2014 +0100

 plugin, down-root: Fix compiler warnings

 Signed-off-by: David Sommerseth 
 Acked-by: Steffan Karger 
 Message-Id: 1418074541-24987-1-git-send-email-openvpn.l...@topphemmelig.net
 URL: http://article.gmane.org/gmane.network.openvpn.devel/9327


- --
kind regards,

David Sommerseth

-BEGIN PGP SIGNATURE-
Version: GnuPG v1

iEYEARECAAYFAlSGGtAACgkQDC186MBRfrqmCACghKg9mQ/hyQi3G7QyvuKCc7BK
AhYAnj4SMJthWUPXCld6nLrKUUbJROc7
=JMTV
-END PGP SIGNATURE-



Re: [Openvpn-devel] [PATCH] plugin, down-root: Fix compiler warnings

2014-12-08 Thread Steffan Karger
ACK

-Steffan

On 08-12-14 22:35, David Sommerseth wrote:
> From: David Sommerseth 
> 
> Removed a few compiler warnings:
>   down-root.c:164:4: warning: implicit declaration of function 'warn' 
> [-Wimplicit-function-declaration]
>   down-root.c:239:5: warning: implicit declaration of function 'err' 
> [-Wimplicit-function-declaration]
>   down-root.c:461:7: warning: unused variable 'i' [-Wunused-variable]
>   down-root.c:460:15: warning: unused variable 'p' [-Wunused-variable]
> 
> Signed-off-by: David Sommerseth 
> ---
>  src/plugins/down-root/down-root.c | 4 +---
>  1 file changed, 1 insertion(+), 3 deletions(-)
> 
> diff --git a/src/plugins/down-root/down-root.c 
> b/src/plugins/down-root/down-root.c
> index ed2636a..f7a49a0 100644
> --- a/src/plugins/down-root/down-root.c
> +++ b/src/plugins/down-root/down-root.c
> @@ -42,6 +42,7 @@
>  #include 
>  #include 
>  #include 
> +#include 
>  
>  #include 
>  
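Review bot: The header name on the added `#include` line has been lost in this rendering, and from the warnings the commit cites (`warn`, `err`) it is presumably `<err.h>`, which is a BSD/glibc extension rather than part of POSIX. Including it unconditionally trades an implicit-declaration warning for a hard build failure on platforms that lack the header; an `AC_CHECK_HEADERS([err.h])` in configure with a `fprintf(stderr, ...)` fallback in the plugin would keep the build portable. The same hunk appears again in the original posting of this patch further down the page.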
> @@ -457,9 +458,6 @@ openvpn_plugin_abort_v1 (openvpn_plugin_handle_t handle)
>  static void
>  down_root_server (const int fd, char * const *argv, char * const *envp, 
> const int verb)
>  {
> -  const char *p[3];
> -  int i;
> -
>/*
> * Do initialization
> */
> 



[Openvpn-devel] [PATCH] plugin, down-root: Fix compiler warnings

2014-12-08 Thread David Sommerseth
From: David Sommerseth 

Removed a few compiler warnings:
  down-root.c:164:4: warning: implicit declaration of function 'warn' 
[-Wimplicit-function-declaration]
  down-root.c:239:5: warning: implicit declaration of function 'err' 
[-Wimplicit-function-declaration]
  down-root.c:461:7: warning: unused variable 'i' [-Wunused-variable]
  down-root.c:460:15: warning: unused variable 'p' [-Wunused-variable]

Signed-off-by: David Sommerseth 
---
 src/plugins/down-root/down-root.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/src/plugins/down-root/down-root.c 
b/src/plugins/down-root/down-root.c
index ed2636a..f7a49a0 100644
--- a/src/plugins/down-root/down-root.c
+++ b/src/plugins/down-root/down-root.c
@@ -42,6 +42,7 @@
 #include 
 #include 
 #include 
+#include 

 #include 

@@ -457,9 +458,6 @@ openvpn_plugin_abort_v1 (openvpn_plugin_handle_t handle)
 static void
 down_root_server (const int fd, char * const *argv, char * const *envp, const 
int verb)
 {
-  const char *p[3];
-  int i;
-
   /*
* Do initialization
*/
-- 
1.8.3.1




Re: [Openvpn-devel] [PATCH applied] Prevent memory drain for long lasting floating sessions

2014-12-08 Thread David Sommerseth
From: David Sommerseth 

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


Your patch has been applied to the master branch.

commit 09cf2ec5c09d35c72f2af0d988de8152378a182a
Author: Lev Stipakov
List-Post: openvpn-devel@lists.sourceforge.net
Date:   Mon Dec 8 18:48:45 2014 +0200

 Prevent memory drain for long lasting floating sessions

 Signed-off-by: Lev Stipakov 
 Acked-by: Steffan Karger 
 Message-Id: 1418057325-13265-1-git-send-email-lstipa...@gmail.com
 URL: http://article.gmane.org/gmane.network.openvpn.devel/9321
 Signed-off-by: David Sommerseth 


- --
kind regards,

David Sommerseth

-BEGIN PGP SIGNATURE-
Version: GnuPG v1

iEYEARECAAYFAlSGFlQACgkQDC186MBRfrpbEACcDIQR605xTIzgJLxwzV2hG3Rx
cncAoJaAZqt+Gt6p7NCzm99FARAZ4a3i
=K+KE
-END PGP SIGNATURE-



Re: [Openvpn-devel] [PATCH applied] Add the peer-id to the output of the status command

2014-12-08 Thread David Sommerseth
From: David Sommerseth 

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


Your patch has been applied to the master branch.

commit 1b9541922ad6ff6ee46c84f43cd23b7064f7919d
Author: Lev Stipakov
List-Post: openvpn-devel@lists.sourceforge.net
Date:   Mon Dec 8 19:06:02 2014 +0200

 Add the peer-id to the output of the status command

 Signed-off-by: Lev Stipakov 
 Acked-by: Arne Schwabe 
 Message-Id: 1418058362-13480-1-git-send-email-lstipa...@gmail.com
 URL: http://article.gmane.org/gmane.network.openvpn.devel/9322
 Signed-off-by: David Sommerseth 


- --
kind regards,

David Sommerseth

-BEGIN PGP SIGNATURE-
Version: GnuPG v1

iEYEARECAAYFAlSGFW8ACgkQDC186MBRfrqyqgCfeJe5//dyIZzizLLzV5m8dF93
IicAoIeTGMryxmM/zf/RqtMIUoAQ2k3W
=zZN8
-END PGP SIGNATURE-



Re: [Openvpn-devel] [PATCH] Prevent memory drain for long lasting floating sessions

2014-12-08 Thread Steffan Karger
ACK. Less memory usage (even without float), and got rid of a dynamic
allocation, nice! Code looks good and passes my local tests.

-Steffan

On 08-12-14 17:48, Lev Stipakov wrote:
> For every float event we generate prefix, which allocates 256 + 64
> bytes. That memory is reclaimed when client disconnects, so long lasting
> and constantly floating sessions drain memory.
> 
> As a fix use preallocated buffer inside multi_instance for storing
> multi_prefix.
> 
> Signed-off-by: Lev Stipakov 
> ---
>  src/openvpn/mudp.c  |  4 
>  src/openvpn/multi.c | 14 ++
>  src/openvpn/multi.h |  8 +---
>  3 files changed, 19 insertions(+), 7 deletions(-)
> 
> diff --git a/src/openvpn/mudp.c b/src/openvpn/mudp.c
> index 853c08c..3e3f750 100644
> --- a/src/openvpn/mudp.c
> +++ b/src/openvpn/mudp.c
> @@ -111,6 +111,10 @@ multi_get_create_instance_udp (struct multi_context *m, 
> bool *floated)
> break;
>   }
>   }
> +
> +   /* should not really end up here, since 
> multi_create_instance returns null
> +* if amount of clients exceeds max_clients */
> +   ASSERT(i < m->max_clients);
>   }
>   }
> else
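Review bot: The comment above the added `ASSERT(i < m->max_clients)` says where execution should not end up but not why, and the loop whose exit it checks starts outside the hunk. If ASSERT() is fatal, as its name suggests, a violated invariant here takes the whole server down instead of just refusing one client, so the dependency should be spelled out: `/* multi_create_instance() returns NULL once max_clients is reached, so the search above must have found a free slot */`. The same hunk appears again in the original posting of this patch further down the page.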
> diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
> index 538f4f1..fd0d0fe 100644
> --- a/src/openvpn/multi.c
> +++ b/src/openvpn/multi.c
> @@ -403,7 +403,7 @@ multi_instance_string (const struct multi_instance *mi, 
> bool null, struct gc_are
>  {
>if (mi)
>  {
> -  struct buffer out = alloc_buf_gc (256, gc);
> +  struct buffer out = alloc_buf_gc (MULTI_PREFIX_MAX_LENGTH, gc);
>const char *cn = tls_common_name (mi->context.c2.tls_multi, true);
>  
>if (cn)
> @@ -420,21 +420,27 @@ multi_instance_string (const struct multi_instance *mi, 
> bool null, struct gc_are
>  void
>  generate_prefix (struct multi_instance *mi)
>  {
> -  mi->msg_prefix = multi_instance_string (mi, true, >gc);
> +  struct gc_arena gc = gc_new();
> +  const char *prefix = multi_instance_string (mi, true, );
> +  if (prefix)
> +strncpynt(mi->msg_prefix, prefix, sizeof(mi->msg_prefix));
> +  else
> +mi->msg_prefix[0] = '\0';
>set_prefix (mi);
> +  gc_free();
>  }
>  
>  void
>  ungenerate_prefix (struct multi_instance *mi)
>  {
> -  mi->msg_prefix = NULL;
> +  mi->msg_prefix[0] = '\0';
>set_prefix (mi);
>  }
>  
>  static const char *
>  mi_prefix (const struct multi_instance *mi)
>  {
> -  if (mi && mi->msg_prefix)
> +  if (mi && mi->msg_prefix[0])
>  return mi->msg_prefix;
>else
>  return "UNDEF_I";
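Review bot: `strncpynt(mi->msg_prefix, prefix, sizeof(mi->msg_prefix))` in generate_prefix truncates silently, and nothing at the call site says why that cannot lose data; the reason is that multi_instance_string() now builds the string in a buffer of the same `MULTI_PREFIX_MAX_LENGTH` bytes (previous hunk), so a one-line comment would keep the two sizes tied together: `/* fits: multi_instance_string() builds the prefix in a MULTI_PREFIX_MAX_LENGTH buffer */`. It is also worth a comment that mi_prefix() and set_prefix() now treat an empty string as "no prefix", which is why the else branch clears `msg_prefix[0]` instead of assigning NULL. The same hunk appears again in the original posting of this patch further down the page.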
> diff --git a/src/openvpn/multi.h b/src/openvpn/multi.h
> index ad7f700..32b89d2 100644
> --- a/src/openvpn/multi.h
> +++ b/src/openvpn/multi.h
> @@ -42,6 +42,8 @@
>  #include "mtcp.h"
>  #include "perf.h"
>  
> +#define MULTI_PREFIX_MAX_LENGTH 256
> +
>  /*
>   * Walk (don't run) through the routing table,
>   * deleting old entries, and possibly multi_instance
> @@ -80,7 +82,7 @@ struct multi_instance {
>struct mroute_addr real;  /**< External network address of the
>   *   remote peer. */
>ifconfig_pool_handle vaddr_handle;
> -  const char *msg_prefix;
> +  char msg_prefix[MULTI_PREFIX_MAX_LENGTH];
>  
>/* queued outgoing data in Server/TCP mode */
>unsigned int tcp_rwflags;
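Review bot: The new `char msg_prefix[MULTI_PREFIX_MAX_LENGTH];` field replaces a pointer whose NULL meant "no prefix", and the code now encodes that state as an empty string (set_prefix() and mi_prefix() test `msg_prefix[0]`), but the field itself carries no comment saying so, unlike its neighbours which use `/**< ... */`. Suggest `/**< Log prefix for this instance; an empty string means no prefix is set. */` so the convention is visible where the field is declared. The same applies to the copy of this hunk in the original posting further down the page.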
> @@ -445,10 +447,10 @@ static inline void
>  set_prefix (struct multi_instance *mi)
>  {
>  #ifdef MULTI_DEBUG_EVENT_LOOP
> -  if (mi->msg_prefix)
> +  if (mi->msg_prefix[0])
>  printf ("[%s]\n", mi->msg_prefix);
>  #endif
> -  msg_set_prefix (mi->msg_prefix);
> +  msg_set_prefix (mi->msg_prefix[0] ? mi->msg_prefix : NULL);
>  }
>  
>  static inline void
> 



Re: [Openvpn-devel] [PATCH] Add the peer-id to the output of the status command

2014-12-08 Thread Arne Schwabe

Am 08.12.14 18:06, schrieb Lev Stipakov:
> This adds peer-id to the status output which might help analyze floating
> logs. This will change the output of status in the same way commit
> 662ce6acc065bddf6490b3494725b8b3987b7def did.
>
>
ACK.

Arne



[Openvpn-devel] [PATCH] Add the peer-id to the output of the status command

2014-12-08 Thread Lev Stipakov
This adds peer-id to the status output which might help analyze floating
logs. This will change the output of status in the same way commit
662ce6acc065bddf6490b3494725b8b3987b7def did.

Signed-off-by: Lev Stipakov 
---
 src/openvpn/multi.c | 14 --
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
index 538f4f1..b7785c1 100644
--- a/src/openvpn/multi.c
+++ b/src/openvpn/multi.c
@@ -815,8 +815,8 @@ multi_print_status (struct multi_context *m, struct 
status_output *so, const int
   */
  status_printf (so, "TITLE%c%s", sep, title_string);
  status_printf (so, "TIME%c%s%c%u", sep, time_string (now, 0, false, 
_top), sep, (unsigned int)now);
- status_printf (so, "HEADER%cCLIENT_LIST%cCommon Name%cReal 
Address%cVirtual Address%cVirtual IPv6 Address%cBytes Received%cBytes 
Sent%cConnected Since%cConnected Since (time_t)%cUsername%cClient ID",
-sep, sep, sep, sep, sep, sep, sep, sep, sep, sep, sep);
+ status_printf (so, "HEADER%cCLIENT_LIST%cCommon Name%cReal 
Address%cVirtual Address%cVirtual IPv6 Address%cBytes Received%cBytes 
Sent%cConnected Since%cConnected Since (time_t)%cUsername%cClient ID%cPeer ID",
+sep, sep, sep, sep, sep, sep, sep, sep, sep, sep, sep, 
sep);
  hash_iterator_init (m->hash, );
  while ((he = hash_iterator_next ()))
{
@@ -827,10 +827,11 @@ multi_print_status (struct multi_context *m, struct 
status_output *so, const int
{
  status_printf (so, "CLIENT_LIST%c%s%c%s%c%s%c%s%c" 
counter_format "%c" counter_format "%c%s%c%u%c%s%c"
 #ifdef MANAGEMENT_DEF_AUTH
-"%lu",
+"%lu"
 #else
-"",
+""
 #endif
+"%c%"PRIu32,
 sep, tls_common_name 
(mi->context.c2.tls_multi, false),
 sep, mroute_addr_print (>real, ),
 sep, print_in_addr_t (mi->reporting_addr, 
IA_EMPTY_IF_UNDEF, ),
@@ -841,10 +842,11 @@ multi_print_status (struct multi_context *m, struct 
status_output *so, const int
 sep, (unsigned int)mi->created,
 sep, tls_username (mi->context.c2.tls_multi, 
false),
 #ifdef MANAGEMENT_DEF_AUTH
-sep, mi->context.c2.mda_context.cid);
+sep, mi->context.c2.mda_context.cid,
 #else
-sep);
+sep,
 #endif
+sep, mi->context.c2.tls_multi ? 
mi->context.c2.tls_multi->peer_id : UINT32_MAX);
}
  gc_free ();
}
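Review bot: The new column is written as `mi->context.c2.tls_multi ? mi->context.c2.tls_multi->peer_id : UINT32_MAX`, so status-file consumers will see 4294967295 for an instance whose tls_multi is NULL, and nothing in the code or the diffstat (only multi.c is touched) documents that sentinel. A comment at the argument, `/* UINT32_MAX: no peer-id available because tls_multi is NULL */`, plus a line in the status-format documentation would let parsers handle it deliberately. multi_print_status begins outside this hunk.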
-- 
1.9.1




[Openvpn-devel] [PATCH] Prevent memory drain for long lasting floating sessions

2014-12-08 Thread Lev Stipakov
For every float event we generate a prefix, which allocates 256 + 64
bytes. That memory is only reclaimed when the client disconnects, so long-lasting
and constantly floating sessions drain memory.

As a fix use preallocated buffer inside multi_instance for storing
multi_prefix.

Signed-off-by: Lev Stipakov 
---
 src/openvpn/mudp.c  |  4 
 src/openvpn/multi.c | 14 ++
 src/openvpn/multi.h |  8 +---
 3 files changed, 19 insertions(+), 7 deletions(-)

diff --git a/src/openvpn/mudp.c b/src/openvpn/mudp.c
index 853c08c..3e3f750 100644
--- a/src/openvpn/mudp.c
+++ b/src/openvpn/mudp.c
@@ -111,6 +111,10 @@ multi_get_create_instance_udp (struct multi_context *m, 
bool *floated)
  break;
}
}
+
+ /* should not really end up here, since 
multi_create_instance returns null
+  * if amount of clients exceeds max_clients */
+ ASSERT(i < m->max_clients);
}
}
  else
diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
index 538f4f1..fd0d0fe 100644
--- a/src/openvpn/multi.c
+++ b/src/openvpn/multi.c
@@ -403,7 +403,7 @@ multi_instance_string (const struct multi_instance *mi, 
bool null, struct gc_are
 {
   if (mi)
 {
-  struct buffer out = alloc_buf_gc (256, gc);
+  struct buffer out = alloc_buf_gc (MULTI_PREFIX_MAX_LENGTH, gc);
   const char *cn = tls_common_name (mi->context.c2.tls_multi, true);

   if (cn)
@@ -420,21 +420,27 @@ multi_instance_string (const struct multi_instance *mi, 
bool null, struct gc_are
 void
 generate_prefix (struct multi_instance *mi)
 {
-  mi->msg_prefix = multi_instance_string (mi, true, >gc);
+  struct gc_arena gc = gc_new();
+  const char *prefix = multi_instance_string (mi, true, );
+  if (prefix)
+strncpynt(mi->msg_prefix, prefix, sizeof(mi->msg_prefix));
+  else
+mi->msg_prefix[0] = '\0';
   set_prefix (mi);
+  gc_free();
 }

 void
 ungenerate_prefix (struct multi_instance *mi)
 {
-  mi->msg_prefix = NULL;
+  mi->msg_prefix[0] = '\0';
   set_prefix (mi);
 }

 static const char *
 mi_prefix (const struct multi_instance *mi)
 {
-  if (mi && mi->msg_prefix)
+  if (mi && mi->msg_prefix[0])
 return mi->msg_prefix;
   else
 return "UNDEF_I";
diff --git a/src/openvpn/multi.h b/src/openvpn/multi.h
index ad7f700..32b89d2 100644
--- a/src/openvpn/multi.h
+++ b/src/openvpn/multi.h
@@ -42,6 +42,8 @@
 #include "mtcp.h"
 #include "perf.h"

+#define MULTI_PREFIX_MAX_LENGTH 256
+
 /*
  * Walk (don't run) through the routing table,
  * deleting old entries, and possibly multi_instance
@@ -80,7 +82,7 @@ struct multi_instance {
   struct mroute_addr real;  /**< External network address of the
  *   remote peer. */
   ifconfig_pool_handle vaddr_handle;
-  const char *msg_prefix;
+  char msg_prefix[MULTI_PREFIX_MAX_LENGTH];

   /* queued outgoing data in Server/TCP mode */
   unsigned int tcp_rwflags;
@@ -445,10 +447,10 @@ static inline void
 set_prefix (struct multi_instance *mi)
 {
 #ifdef MULTI_DEBUG_EVENT_LOOP
-  if (mi->msg_prefix)
+  if (mi->msg_prefix[0])
 printf ("[%s]\n", mi->msg_prefix);
 #endif
-  msg_set_prefix (mi->msg_prefix);
+  msg_set_prefix (mi->msg_prefix[0] ? mi->msg_prefix : NULL);
 }

 static inline void
-- 
1.9.1




[Openvpn-devel] [PATCH] Add Mac OS X keychain support

2014-12-08 Thread Vasily Kulikov
This patch adds support for using certificates stored in the Mac OSX
Keychain to authenticate with the OpenVPN server.  This works with
certificates stored on the computer as well as certificates on hardware
tokens that support Apple's tokend interface.  The patch is very similar
to, and also based on, the Windows Crypto API certificate functionality
that currently exists in OpenVPN.

The previous version of the patch was sent by Brian Raderman
(http://thread.gmane.org/gmane.network.openvpn.devel/3631).  The current
version uses autoconf, doesn't use printf, fixes several small bugs like
ignoring errors, and it now works with Tunnelblick.  The previous version
has been tested with an Aladdin eToken on Mac OSX Leopard and with
software only certificates on Mac OSX Leopard and Snow Leopard, as
reported by Brian Raderman in his email.  The current version of the
patch was tested in Yandex company on ~3000 hosts using several Mac OS X
versions (10.7, 10.8, 10.9, 10.10) using Tunnelblick.

It was tested both on OpenVPN started from the terminal and using
Tunnelblick.  Renegotiation was tested too.

There are several warnings on Mac OS X related to functions deprecation
like RSA_new() and similar.  However, they are used in other OpenVPN
code, so I decided not to touch it.

The patch is against commit 3341a98c2852d1d0c1eafdc70a3bdb218ec29049.

Signed-off-by: Vasily Kulikov 
--

diff --git a/configure.ac b/configure.ac
index 608ab6d..127e173 100644
--- a/configure.ac
+++ b/configure.ac
@@ -258,6 +258,13 @@ AC_ARG_ENABLE(
 )

 AC_ARG_ENABLE(
+   [macosx-keychain],
+   [AS_HELP_STRING([--enable-macosx-keychain], [enable MAC OS X keychain 
support @<:@default=yes@:>@])],
+   ,
+   [enable_keychain="no"]
+)
+
+AC_ARG_ENABLE(
[systemd],
[AS_HELP_STRING([--enable-systemd], [enable systemd suppport 
@<:@default=no@:>@])],
,
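Review bot: The action-if-not-given for `--enable-macosx-keychain` sets `enable_keychain="no"`, but AC_ARG_ENABLE records the option in `enable_macosx_keychain`, which is the variable the later `if test "${enable_macosx_keychain}" = "yes"` check reads, so the default assignment never takes effect and the feature is off only because that variable is empty. The help string also advertises `@<:@default=yes@:>@` while the intended default is clearly no. Change the two lines to `[AS_HELP_STRING([--enable-macosx-keychain], [enable MAC OS X keychain support @<:@default=no@:>@])],` and `[enable_macosx_keychain="no"]`.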
@@ -330,6 +337,7 @@ case "$host" in
have_tap_header="yes"
dnl some Mac OS X tendering (we use vararg macros...)
CPPFLAGS="$CPPFLAGS -no-cpp-precomp"
+   MACOSX=yes
;;
*-mingw*)
AC_DEFINE([TARGET_WIN32], [1], [Are we running WIN32?])
@@ -1088,6 +1096,11 @@ if test "${enable_ssl}" = "yes"; then
AC_DEFINE([ENABLE_SSL], [1], [Enable ssl library])
 fi

+if test "${enable_macosx_keychain}" = "yes"; then
+   test "${MACOSX}" != "yes" && AC_MSG_ERROR([keychain is available on MAC 
OS X only])
+   AC_DEFINE([ENABLE_KEYCHAIN], [1], [Enable MAC OS X keychain support])
+fi
+
 if test "${enable_crypto}" = "yes"; then
test "${have_crypto_crypto}" != "yes" && 
AC_MSG_ERROR([${with_crypto_library} crypto is required but missing])
test "${enable_crypto_ofb_cfb}" = "yes" && 
AC_DEFINE([ENABLE_OFB_CFB_MODE], [1], [Enable OFB and CFB cipher modes])
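Review bot: The keychain enable block checks only that the host is Mac OS X before defining ENABLE_KEYCHAIN; it does not check that SSL is enabled or that the crypto backend is OpenSSL, even though the cover letter says the implementation uses OpenSSL's RSA API (RSA_new). A build with `--enable-macosx-keychain` and a non-OpenSSL crypto library would presumably fail at compile time rather than at configure time; adding `test "${with_crypto_library}" != "openssl" && AC_MSG_ERROR([keychain support requires the OpenSSL crypto library])` next to the existing MACOSX test would make the requirement explicit.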
@@ -1199,6 +1212,7 @@ AC_SUBST([PLUGIN_AUTH_PAM_CFLAGS])
 AC_SUBST([PLUGIN_AUTH_PAM_LIBS])

 AM_CONDITIONAL([WIN32], [test "${WIN32}" = "yes"])
+AM_CONDITIONAL([MACOSX], [test "${MACOSX}" = "yes"])
 AM_CONDITIONAL([GIT_CHECKOUT], [test "${GIT_CHECKOUT}" = "yes"])
 AM_CONDITIONAL([ENABLE_PLUGIN_AUTH_PAM], [test "${enable_plugin_auth_pam}" = 
"yes"])
 AM_CONDITIONAL([ENABLE_PLUGIN_DOWN_ROOT], [test "${enable_plugin_down_root}" = 
"yes"])
diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 96ba555..a23d950 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -4450,6 +4450,77 @@ Certificate Store GUI.

 .\"*
 .TP
+.B --keychaincert select-string
+Load the certificate and private key from the
+Mac OSX Keychain (Mac OSX Only).
+
+Use this option instead of
+.B --cert
+and
+.B --key.
+
+This makes it possible to use any smart card supported by Mac OSX using the 
tokend interface, but also any
+kind of certificate, residing in the Keychain, where you have access to
+the private key.  This option has been tested on the client side with an 
Aladdin eToken
+on Mac OSX Leopard and with software certificates stored in the Keychain on 
Mac OSX Leopard and
+Mac OSX Snow Leopard.  As of this writing (4/27/10) Aladdin has not yet 
released Snow Leopard drivers.
+
+To select a certificate based on a string search in the
+certificate's subject and/or issuer:
+
+.B --keychaincert
+"SUBJECT:c=US/o=Apple Inc./ou=me.com/cn=username ISSUER:c=US/o=Apple Computer, 
Inc./ou=Apple Computer Certificate Authority/cn=Apple .Mac Certificate 
Authority"
+
+.I "Distinguished Name Component Abbreviations:" 
+.br
+o = organization
+.br
+ou = organizational unit
+.br
+c = country
+.br
+l = locality
+.br
+st = state
+.br
+cn = common name
+.br
+e = email
+.br
+
+All of the distinguished name components are optional, although you do need to 
specify at least one of them.  You can 
+add spaces around the '/' and '=' characters, e.g. "SUBJECT: c = US / o = 
Apple Inc.".  You do not need to specify
+both the subject and the issuer, one or the other will work fine.
+The identity