Re: [Openvpn-devel] [PATCH v4] Mac OS X Keychain management client

2015-02-27 Thread Arne Schwabe

>>> (the diff for doc/management-notes.txt is in there twice), and there
>>> is a patch for .gitignore in it as well.
>> I've included .gitignore changes as my patch adds Makefile changes.  It
>> would be rather uncomfortable for openvpn developers to see Makefile and
>> be not able to change it.
> Mmmh.  Actually we don't usually do Makefile changes, as this is always
> generated by configure for us - so normally, it is good to have it in
> .gitignore.  Of course your subdirectory has a Makefile in it for
> MacOS X only...
>
> So - git experts to the rescue - how's this normally done?
>
>
just explicitly git add the new Makefile under contrib/keychain-mcd. Git
will then track the new makefile.
(If I am reading the patch right that the mac os x specific keychain-cmd
makefile is not generated by configure)

Arne





Re: [Openvpn-devel] [PATCH v4] Mac OS X Keychain management client

2015-02-27 Thread Gert Doering
Hi,

On Fri, Feb 27, 2015 at 10:27:46PM +0300, Vasily Kulikov wrote:
> > Sorry to be nagging...  something in your patch was garbled, it contained
> > stuff like
> > 
> > ---
> > only in patch2:
> > unchanged:
> > --- a/doc/management-notes.txt
> > +++ b/doc/management-notes.txt
> > @@ -777,6 +777,28 @@ correct signature.
> >  This capability is intended to allow the use of arbitrary cryptographic
> >  service providers with OpenVPN via the management interface.
> > ...
> > ---
> 
> This stuff is missing in the patch itself which is in the email text,
> and is contained in the attached interdiff file which contains changes
> between patch v3 and v4.  AFAICS, the patch doesn't contain any garbage.

Looking more closely, I can now see what you did - the patch is in the
mail text, and the actual attachment is not the patch but the diff between
the patches (thus, doc/management-notes.txt appears twice).  Did not 
expect that, and did not look closely enough.

> > (the diff for doc/management-notes.txt is in there twice), and there
> > is a patch for .gitignore in it as well.
> 
> I've included .gitignore changes as my patch adds Makefile changes.  It
> would be rather uncomfortable for openvpn developers to see Makefile and
> be not able to change it.

Mmmh.  Actually we don't usually do Makefile changes, as this is always
generated by configure for us - so normally, it is good to have it in
.gitignore.  Of course your subdirectory has a Makefile in it for
MacOS X only...

So - git experts to the rescue - how's this normally done?

(The textual change for doc/management-notes.txt does not warrant an extra
patch, I'll change that on the fly)

gert


-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025    g...@net.informatik.tu-muenchen.de




Re: [Openvpn-devel] [PATCH v4] Mac OS X Keychain management client

2015-02-27 Thread Vasily Kulikov
Hi Gert,

On Fri, Feb 27, 2015 at 19:28 +0100, Gert Doering wrote:
> On Wed, Feb 25, 2015 at 07:07:18PM +0300, Vasily Kulikov wrote:
> > The patch is against commit 3341a98c2852d1d0c1eafdc70a3bdb218ec29049.
> > 
> > v4:
> >  - added '--management-external-cert' argument
> >  - keychain-mcd now parses NEED-CERTIFICATE argument if 'auto' is passed
> >    as cmdline's identity template
> >  - fixed typo in help output option name
> >  - added '--management-external-cert' info in openvpn(8) manpage
> >  - added 'certificate' command documentation into doc/management-notes.txt
> 
> Sorry to be nagging...  something in your patch was garbled, it contained
> stuff like
> 
> ---
> only in patch2:
> unchanged:
> --- a/doc/management-notes.txt
> +++ b/doc/management-notes.txt
> @@ -777,6 +777,28 @@ correct signature.
>  This capability is intended to allow the use of arbitrary cryptographic
>  service providers with OpenVPN via the management interface.
> ...
> ---

This stuff is missing in the patch itself which is in the email text,
and is contained in the attached interdiff file which contains changes
between patch v3 and v4.  AFAICS, the patch doesn't contain any garbage.

> (the diff for doc/management-notes.txt is in there twice), and there
> is a patch for .gitignore in it as well.

I've included .gitignore changes as my patch adds Makefile changes.  It
would be rather uncomfortable for openvpn developers to see Makefile and
be not able to change it.

> Please generate the patch with "git format-patch", that should avoid 
> spurious stuff.
> 
> 
> Also, in the doc/management-notes.txt, it has
> 
> +COMMAND -- certificate (OpenVPN 2.3 or higher)
> 
> please make that "2.4", as this code change is too large to go into 2.3
> (where we only do bug fixes and long-term stability stuff, but no new
> features generally)

It makes sense.

-- 
Vasily Kulikov
http://www.openwall.com - bringing security into open computing environments



Re: [Openvpn-devel] [PATCH v4] Mac OS X Keychain management client

2015-02-27 Thread Gert Doering
Hi,

On Wed, Feb 25, 2015 at 07:07:18PM +0300, Vasily Kulikov wrote:
> The patch is against commit 3341a98c2852d1d0c1eafdc70a3bdb218ec29049.
> 
> v4:
>  - added '--management-external-cert' argument
>  - keychain-mcd now parses NEED-CERTIFICATE argument if 'auto' is passed
>    as cmdline's identity template
>  - fixed typo in help output option name
>  - added '--management-external-cert' info in openvpn(8) manpage
>  - added 'certificate' command documentation into doc/management-notes.txt

Sorry to be nagging...  something in your patch was garbled, it contained
stuff like

---
only in patch2:
unchanged:
--- a/doc/management-notes.txt
+++ b/doc/management-notes.txt
@@ -777,6 +777,28 @@ correct signature.
 This capability is intended to allow the use of arbitrary cryptographic
 service providers with OpenVPN via the management interface.
...
---

(the diff for doc/management-notes.txt is in there twice), and there
is a patch for .gitignore in it as well.

Please generate the patch with "git format-patch", that should avoid 
spurious stuff.


Also, in the doc/management-notes.txt, it has

+COMMAND -- certificate (OpenVPN 2.3 or higher)

please make that "2.4", as this code change is too large to go into 2.3
(where we only do bug fixes and long-term stability stuff, but no new
features generally)

gert

-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025    g...@net.informatik.tu-muenchen.de




[Openvpn-devel] [PATCH applied] Re: New approach to handle peer-id related changes to link-mtu.

2015-02-27 Thread Gert Doering
Patch has been applied to the release/2.3 branch.

commit 089d63b2d7ffa98bd40ed1d7eb0e625d37b63c1c  (release/2.3)

Author: Gert Doering
List-Post: openvpn-devel@lists.sourceforge.net
Date:   Sun Feb 8 11:18:45 2015 +0100

 New approach to handle peer-id related changes to link-mtu.

 Signed-off-by: Gert Doering 
 Acked-by: Steffan Karger 
 Message-Id: <1424031695-10218-1-git-send-email-g...@greenie.muc.de>
 URL: http://article.gmane.org/gmane.network.openvpn.devel/9458


--
kind regards,

Gert Doering




[Openvpn-devel] [PATCH] Notify clients about server's restart/shutdown

2015-02-27 Thread Lev Stipakov
When server gets shutdown signal (SIGUSR1, SIGTERM, SIGHUP, SIGINT), it
broadcasts new OCC_SHUTTING_DOWN command to all clients and reschedules
received signal in 2 secs.

When client receives OCC_SHUTTING_DOWN, it fires SIGUSR1 and switches to
the next remote.
---
 src/openvpn/multi.c | 63 +
 src/openvpn/multi.h | 14 +++-
 src/openvpn/occ.c   |  8 +++
 src/openvpn/occ.h   |  6 +
 4 files changed, 86 insertions(+), 5 deletions(-)

diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
index 4412491..b5f2dd2 100644
--- a/src/openvpn/multi.c
+++ b/src/openvpn/multi.c
@@ -396,6 +396,8 @@ multi_init (struct multi_context *m, struct context *t, 
bool tcp_mode, int threa
 t->options.stale_routes_check_interval, 
t->options.stale_routes_ageing_time);
   event_timeout_init (>stale_routes_check_et, 
t->options.stale_routes_check_interval, 0);
 }
+
+  m->deferred_signal.signal_received = 0;
 }

 const char *
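Review bot: only the `signal_received` field of the new `deferred_signal` member is initialised at the end of multi_init; the embedded schedule entry `se` and the `wakeup` timeval are left untouched. Unless the whole `*m` is already zeroed earlier in multi_init, initialise the complete member (for example `CLEAR (m->deferred_signal);`) so the schedule entry is in a known state before schedule_add_entry ever sees it.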
@@ -603,6 +605,25 @@ multi_close_instance (struct multi_context *m,
   perf_pop ();
 }

+void
+multi_broadcast_shutdown (struct multi_context *m)
+{
+  msg (D_LOW, "multi_broadcast_shutdown");
+
+  struct gc_arena gc = gc_new ();
+  struct buffer buf = alloc_buf_gc (BUF_SIZE (>top.c2.frame), );
+
+  buf_init (, FRAME_HEADROOM (>top.c2.frame));
+  buf_safe (, MAX_RW_SIZE_TUN (>top.c2.frame));
+  buf_write (, occ_magic, OCC_STRING_SIZE);
+
+  buf_write_u8 (, OCC_SHUTTING_DOWN);
+
+  multi_bcast (m, , NULL, NULL);
+
+  gc_free ();
+}
+
 /*
  * Called on shutdown or restart.
  */
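Review bot: multi_broadcast_shutdown sends the new OCC_SHUTTING_DOWN opcode to every connected client regardless of what that client understands, so it needs to be confirmed that peers built without this change ignore an unknown OCC opcode instead of treating it as an error, or the broadcast should be restricted to clients that advertised support for it. Two smaller points in the same function: `struct gc_arena gc` and `struct buffer buf` are declared after the `msg ()` call, whereas the file otherwise keeps declarations at the top of the block, and the new non-static function lacks the comment block its neighbours carry.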
@@ -1952,7 +1973,7 @@ multi_unicast (struct multi_context *m,
 /*
  * Broadcast a packet to all clients.
  */
-static void
+void
 multi_bcast (struct multi_context *m,
 const struct buffer *buf,
 const struct multi_instance *sender_instance,
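Review bot: making multi_bcast non-static is fine, but the "Broadcast a packet to all clients." comment now documents an exported function; please carry that description over to the new prototype in multi.h so callers outside multi.c see it.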
@@ -2571,10 +2592,18 @@ multi_process_timeout (struct multi_context *m, const 
unsigned int mpp_flags)
   /* instance marked for wakeup? */
   if (m->earliest_wakeup)
 {
-  set_prefix (m->earliest_wakeup);
-  ret = multi_process_post (m, m->earliest_wakeup, mpp_flags);
+  if (m->earliest_wakeup == (struct multi_instance*)>deferred_signal)
+   {
+ schedule_remove_entry(m->schedule, (struct schedule_entry*) 
>deferred_signal);
+ throw_signal(m->deferred_signal.signal_received);
+}
+  else
+   {
+ set_prefix (m->earliest_wakeup);
+ ret = multi_process_post (m, m->earliest_wakeup, mpp_flags);
+ clear_prefix ();
+   }
   m->earliest_wakeup = NULL;
-  clear_prefix ();
 }
   return ret;
 }
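Review bot: the new branch in multi_process_timeout compares `m->earliest_wakeup` against the deferred_signal entry cast to `struct multi_instance *`, which only works because the scheduler hands the entry back through the same cast and both structs start with a `struct schedule_entry`; a one-line comment at the comparison explaining this would save the next reader a trip through the scheduler. Two follow-ups in the same block: after throw_signal() the entry is removed from the schedule but `m->deferred_signal.signal_received` is not reset to 0, and the `}` closing the new if-branch is indented differently from the `}` of the else-branch below it.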
@@ -2699,6 +2728,10 @@ multi_top_free (struct multi_context *m)
   free_context_buffers (m->top.c2.buffers);
 }

+bool is_shutdown_signal(int sig) {
+return (sig == SIGUSR1 || sig == SIGTERM || sig == SIGHUP || sig == 
SIGINT);
+}
+
 /*
  * Return true if event loop should break,
  * false if it should continue.
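Review bot: is_shutdown_signal is defined non-static with the opening brace on the same line and a 4-space body indent, while the rest of multi.c (see multi_broadcast_shutdown earlier in this patch) puts the return type and the opening brace on their own lines; since it is only used in this file, make it `static bool` in that style. The name is also slightly misleading, because SIGUSR1 and SIGHUP restart the server rather than shut it down; either rename it or add a comment stating that clients should be told to reconnect in both cases.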
@@ -2714,6 +2747,28 @@ multi_process_signal (struct multi_context *m)
   m->top.sig->signal_received = 0;
   return false;
 }
+  else if (proto_is_dgram(m->top.options.ce.proto) &&
+  is_shutdown_signal(m->top.sig->signal_received) &&
+  (m->deferred_signal.signal_received == 0))
+{
+  // broadcast OCC_SHUTTING_DOWN to all connected clients
+  multi_broadcast_shutdown(m);
+
+  // schedule signal
+  openvpn_gettimeofday (>deferred_signal.wakeup, NULL);
+  struct timeval tv;
+  tv.tv_sec = 2;
+  tv.tv_usec = 0;
+  tv_add (>deferred_signal.wakeup, );
+
+  m->deferred_signal.signal_received = m->top.sig->signal_received;
+
+  schedule_add_entry (m->schedule, (struct schedule_entry *) 
>deferred_signal,
+ >deferred_signal.wakeup, compute_wakeup_sigma 
(>deferred_signal.wakeup));
+
+  m->top.sig->signal_received = 0;
+  return false;
+  }
   return true;
 }

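Review bot: the deferral branch in multi_process_signal saves only the signal number, so whatever else `m->top.sig` records about the signal is discarded when throw_signal() re-raises it two seconds later; please confirm that nothing downstream depends on the original signal's attributes surviving. The branch is also gated on proto_is_dgram(), leaving TCP clients without the notification; if that is intentional (TCP peers notice the closed socket anyway), say so in a comment. A second signal arriving while one is deferred fails the `signal_received == 0` test and falls through to `return true` with the deferred entry still in the schedule, which is worth a comment on whether that is the intended behaviour. Style: `//` comments where the file uses `/* */`, `struct timeval tv` declared after statements, and the 2-second delay as a bare literal rather than a named constant.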
diff --git a/src/openvpn/multi.h b/src/openvpn/multi.h
index 32b89d2..c9c1940 100644
--- a/src/openvpn/multi.h
+++ b/src/openvpn/multi.h
@@ -57,6 +57,13 @@ struct multi_reap
 };


+struct deferred_signal_schedule_entry
+{
+  struct schedule_entry se;
+  int signal_received;
+  struct timeval wakeup;
+};
+
 /**
  * Server-mode state structure for one single VPN tunnel.
  *
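Review bot: struct deferred_signal_schedule_entry has no comment, yet multi.c casts a pointer to it to `struct multi_instance *` and relies on `se` being its first member; document that requirement on the struct itself so a later edit does not move `se` below `signal_received` and break the cast.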
@@ -172,6 +179,8 @@ struct multi_context {
* Timer object for stale route check
*/
   struct event_timeout stale_routes_check_et;
+
+  struct deferred_signal_schedule_entry deferred_signal;
 };

 /*
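Review bot: the new `deferred_signal` member of struct multi_context lacks the doxygen comment that the neighbouring `stale_routes_check_et` carries; add one saying it is the schedule entry used to re-raise a shutdown or restart signal after clients have been notified.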
@@ -190,7 +199,6 @@ struct multi_route
   time_t last_reference;
 };

-
 /**/
 /**
  * Main event loop for OpenVPN in server mode.
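Review bot: the removed blank line before the `/**/` separator is an unrelated whitespace change; please drop it from this patch.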
@@ -290,6 +298,10 @@ bool multi_process_post (struct multi_context *m, struct 
multi_instance *mi, con
 bool multi_process_incoming_link (struct multi_context *m, struct 
multi_instance *instance, const unsigned int mpp_flags);


+void multi_bcast (struct multi_context *m, const struct buffer *buf,
+ 

[Openvpn-devel] [PATCH applied] Re: Fix frame size calculation for non-CBC modes.

2015-02-27 Thread Gert Doering
ACK, after discussion on #openvpn-devel.  For CBC (which are the default
modes so far) this is only refactoring, so no compatibility issues are
to be expected.

Your patch has been applied to the master and release/2.3 branches.

commit 669f898b8fcaf7a8d43825fa0255c2791cc0ef89 (master)
commit 6f0ab30d7f034d4f8d7c2ca872cfef066b16c7f0 (release/2.3)

Author: Steffan Karger
List-Post: openvpn-devel@lists.sourceforge.net
Date:   Tue Jul 29 22:52:24 2014 +0200

 Fix frame size calculation for non-CBC modes.

 Signed-off-by: Steffan Karger 
 Acked-by: Gert Doering 
 Message-Id: <1406667144-17674-1-git-send-email-stef...@karger.me>
 URL: http://article.gmane.org/gmane.network.openvpn.devel/8952
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering