Re: [Openvpn-devel] [PATCH v4] Mac OS X Keychain management client
>>> (the diff for doc/management-notes.txt is in there twice), and there
>>> is a patch for .gitignore in it as well.
>> I've included .gitignore changes as my patch adds Makefile changes. It
>> would be rather uncomfortable for openvpn developers to see Makefile and
>> be not able to change it.
> Mmmh. Actually we don't usually do Makefile changes, as this is always
> generated by configure for us - so normally, it is good to have it in
> .gitignore. Of course your subdirectory has a Makefile in it for
> MacOS X only...
>
> So - git experts to the rescue - how's this normally done?
>

just explicitly git add the new Makefile under contrib/keychain-mcd. Git
will then track the new makefile. (If I am reading the patch right that
the mac os x specific keychain-mcd makefile is not generated by configure)

Arne
Re: [Openvpn-devel] [PATCH v4] Mac OS X Keychain management client
Hi,

On Fri, Feb 27, 2015 at 10:27:46PM +0300, Vasily Kulikov wrote:
> > Sorry to be nagging... something in your patch was garbled, it contained
> > stuff like
> >
> > ---
> > only in patch2:
> > unchanged:
> > --- a/doc/management-notes.txt
> > +++ b/doc/management-notes.txt
> > @@ -777,6 +777,28 @@ correct signature.
> > This capability is intended to allow the use of arbitrary cryptographic
> > service providers with OpenVPN via the management interface.
> > ...
> > ---
>
> This stuff is missing in the patch itself which is in the email text,
> and is contained in the attached interdiff file which contains changes
> between patch v3 and v4. AFAICS, the patch doesn't contain any garbage.

Looking more closely, I can now see what you did - the patch is in the
mail text, and the actual attachment is not the patch but the diff between
the patches (thus, doc/management-notes.txt appears twice). Did not
expect that, and did not look closely enough.

> > (the diff for doc/management-notes.txt is in there twice), and there
> > is a patch for .gitignore in it as well.
>
> I've included .gitignore changes as my patch adds Makefile changes. It
> would be rather uncomfortable for openvpn developers to see Makefile and
> be not able to change it.

Mmmh. Actually we don't usually do Makefile changes, as this is always
generated by configure for us - so normally, it is good to have it in
.gitignore. Of course your subdirectory has a Makefile in it for
MacOS X only...

So - git experts to the rescue - how's this normally done?

(The textual change for doc/management-notes.txt does not warrant an
extra patch, I'll change that on the fly)

gert
--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de
Re: [Openvpn-devel] [PATCH v4] Mac OS X Keychain management client
Hi Gert,

On Fri, Feb 27, 2015 at 19:28 +0100, Gert Doering wrote:
> On Wed, Feb 25, 2015 at 07:07:18PM +0300, Vasily Kulikov wrote:
> > The patch is against commit 3341a98c2852d1d0c1eafdc70a3bdb218ec29049.
> >
> > v4:
> > - added '--management-external-cert' argument
> > - keychain-mcd now parses NEED-CERTIFICATE argument if 'auto' is passed
> >   as cmdline's identity template
> > - fixed typo in help output option name
> > - added '--management-external-cert' info in openvpn(8) manpage
> > - added 'certificate' command documentation into doc/management-notes.txt
>
> Sorry to be nagging... something in your patch was garbled, it contained
> stuff like
>
> ---
> only in patch2:
> unchanged:
> --- a/doc/management-notes.txt
> +++ b/doc/management-notes.txt
> @@ -777,6 +777,28 @@ correct signature.
> This capability is intended to allow the use of arbitrary cryptographic
> service providers with OpenVPN via the management interface.
> ...
> ---

This stuff is missing in the patch itself which is in the email text,
and is contained in the attached interdiff file which contains changes
between patch v3 and v4. AFAICS, the patch doesn't contain any garbage.

> (the diff for doc/management-notes.txt is in there twice), and there
> is a patch for .gitignore in it as well.

I've included .gitignore changes as my patch adds Makefile changes. It
would be rather uncomfortable for openvpn developers to see Makefile and
be not able to change it.

> Please generate the patch with "git format-patch", that should avoid
> spurious stuff.
>
> Also, in the doc/management-notes.txt, it has
>
> +COMMAND -- certificate (OpenVPN 2.3 or higher)
>
> please make that "2.4", as this code change is too large to go into 2.3
> (where we only do bug fixes and long-term stability stuff, but no new
> features generally)

It makes sense.

--
Vasily Kulikov
http://www.openwall.com - bringing security into open computing environments
Re: [Openvpn-devel] [PATCH v4] Mac OS X Keychain management client
Hi,

On Wed, Feb 25, 2015 at 07:07:18PM +0300, Vasily Kulikov wrote:
> The patch is against commit 3341a98c2852d1d0c1eafdc70a3bdb218ec29049.
>
> v4:
> - added '--management-external-cert' argument
> - keychain-mcd now parses NEED-CERTIFICATE argument if 'auto' is passed
>   as cmdline's identity template
> - fixed typo in help output option name
> - added '--management-external-cert' info in openvpn(8) manpage
> - added 'certificate' command documentation into doc/management-notes.txt

Sorry to be nagging... something in your patch was garbled, it contained
stuff like

---
only in patch2:
unchanged:
--- a/doc/management-notes.txt
+++ b/doc/management-notes.txt
@@ -777,6 +777,28 @@ correct signature.
This capability is intended to allow the use of arbitrary cryptographic
service providers with OpenVPN via the management interface.
...
---

(the diff for doc/management-notes.txt is in there twice), and there
is a patch for .gitignore in it as well.

Please generate the patch with "git format-patch", that should avoid
spurious stuff.

Also, in the doc/management-notes.txt, it has

+COMMAND -- certificate (OpenVPN 2.3 or higher)

please make that "2.4", as this code change is too large to go into 2.3
(where we only do bug fixes and long-term stability stuff, but no new
features generally)

gert
--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de
[Openvpn-devel] [PATCH applied] Re: New approach to handle peer-id related changes to link-mtu.
Patch has been applied to the release/2.3 branch.

commit 089d63b2d7ffa98bd40ed1d7eb0e625d37b63c1c (release/2.3)
Author: Gert Doering
List-Post: openvpn-devel@lists.sourceforge.net
Date:   Sun Feb 8 11:18:45 2015 +0100

    New approach to handle peer-id related changes to link-mtu.

    Signed-off-by: Gert Doering
    Acked-by: Steffan Karger
    Message-Id: <1424031695-10218-1-git-send-email-g...@greenie.muc.de>
    URL: http://article.gmane.org/gmane.network.openvpn.devel/9458

--
kind regards,

Gert Doering
[Openvpn-devel] [PATCH] Notify clients about server's restart/shutdown
When server gets shutdown signal (SIGUSR1, SIGTERM, SIGHUP, SIGINT), it broadcasts new OCC_SHUTTING_DOWN command to all clients and reschedules received signal in 2 secs. When client receives OCC_SHUTTING_DOWN, it fires SIGUSR1 and switches to the next remote. --- src/openvpn/multi.c | 63 + src/openvpn/multi.h | 14 +++- src/openvpn/occ.c | 8 +++ src/openvpn/occ.h | 6 + 4 files changed, 86 insertions(+), 5 deletions(-) diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index 4412491..b5f2dd2 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -396,6 +396,8 @@ multi_init (struct multi_context *m, struct context *t, bool tcp_mode, int threa t->options.stale_routes_check_interval, t->options.stale_routes_ageing_time); event_timeout_init (>stale_routes_check_et, t->options.stale_routes_check_interval, 0); } + + m->deferred_signal.signal_received = 0; } const char * @@ -603,6 +605,25 @@ multi_close_instance (struct multi_context *m, perf_pop (); } +void +multi_broadcast_shutdown (struct multi_context *m) +{ + msg (D_LOW, "multi_broadcast_shutdown"); + + struct gc_arena gc = gc_new (); + struct buffer buf = alloc_buf_gc (BUF_SIZE (>top.c2.frame), ); + + buf_init (, FRAME_HEADROOM (>top.c2.frame)); + buf_safe (, MAX_RW_SIZE_TUN (>top.c2.frame)); + buf_write (, occ_magic, OCC_STRING_SIZE); + + buf_write_u8 (, OCC_SHUTTING_DOWN); + + multi_bcast (m, , NULL, NULL); + + gc_free (); +} + /* * Called on shutdown or restart. */ @@ -1952,7 +1973,7 @@ multi_unicast (struct multi_context *m, /* * Broadcast a packet to all clients. */ -static void +void multi_bcast (struct multi_context *m, const struct buffer *buf, const struct multi_instance *sender_instance, 
@@ -2571,10 +2592,18 @@ multi_process_timeout (struct multi_context *m, const unsigned int mpp_flags) /* instance marked for wakeup? */ if (m->earliest_wakeup) { - set_prefix (m->earliest_wakeup); - ret = multi_process_post (m, m->earliest_wakeup, mpp_flags); + if (m->earliest_wakeup == (struct multi_instance*)>deferred_signal) + { + schedule_remove_entry(m->schedule, (struct schedule_entry*) >deferred_signal); + throw_signal(m->deferred_signal.signal_received); +} + else + { + set_prefix (m->earliest_wakeup); + ret = multi_process_post (m, m->earliest_wakeup, mpp_flags); + clear_prefix (); + } m->earliest_wakeup = NULL; - clear_prefix (); } return ret; } @@ -2699,6 +2728,10 @@ multi_top_free (struct multi_context *m) free_context_buffers (m->top.c2.buffers); } +bool is_shutdown_signal(int sig) { +return (sig == SIGUSR1 || sig == SIGTERM || sig == SIGHUP || sig == SIGINT); +} + /* * Return true if event loop should break, * false if it should continue. @@ -2714,6 +2747,28 @@ multi_process_signal (struct multi_context *m) m->top.sig->signal_received = 0; return false; } + else if (proto_is_dgram(m->top.options.ce.proto) && + is_shutdown_signal(m->top.sig->signal_received) && + (m->deferred_signal.signal_received == 0)) +{ + // broadcast OCC_SHUTTING_DOWN to all connected clients + multi_broadcast_shutdown(m); + + // schedule signal + openvpn_gettimeofday (>deferred_signal.wakeup, NULL); + struct timeval tv; + tv.tv_sec = 2; + tv.tv_usec = 0; + tv_add (>deferred_signal.wakeup, ); + + m->deferred_signal.signal_received = m->top.sig->signal_received; + + schedule_add_entry (m->schedule, (struct schedule_entry *) >deferred_signal, + >deferred_signal.wakeup, compute_wakeup_sigma (>deferred_signal.wakeup)); + + m->top.sig->signal_received = 0; + return false; + } return true; } diff --git a/src/openvpn/multi.h b/src/openvpn/multi.h index 32b89d2..c9c1940 100644 --- a/src/openvpn/multi.h +++ b/src/openvpn/multi.h 
@@ -57,6 +57,13 @@ struct multi_reap }; +struct deferred_signal_schedule_entry +{ + struct schedule_entry se; + int signal_received; + struct timeval wakeup; +}; + /** * Server-mode state structure for one single VPN tunnel. * @@ -172,6 +179,8 @@ struct multi_context { * Timer object for stale route check */ struct event_timeout stale_routes_check_et; + + struct deferred_signal_schedule_entry deferred_signal; }; /* @@ -190,7 +199,6 @@ struct multi_route time_t last_reference; }; - /**/ /** * Main event loop for OpenVPN in server mode. @@ -290,6 +298,10 @@ bool multi_process_post (struct multi_context *m, struct multi_instance *mi, con bool multi_process_incoming_link (struct multi_context *m, struct multi_instance *instance, const unsigned int mpp_flags); +void multi_bcast (struct multi_context *m, const struct buffer *buf, +
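Review bot: in the multi_broadcast_shutdown() hunk the return values of buf_write() and buf_write_u8() are discarded; both return false when the data does not fit in the buffer, so a failed write would hand a truncated packet to multi_bcast(). Check the results and skip the broadcast (or ASSERT) on failure. The log line `msg (D_LOW, "multi_broadcast_shutdown");` only names the function; say what is happening instead, e.g. `msg (D_LOW, "Broadcasting OCC_SHUTTING_DOWN to all clients");`.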
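Review bot: the new branch in multi_process_timeout() compares m->earliest_wakeup, a struct multi_instance pointer, with the address of m->deferred_signal cast to that same type. This only works because both struct multi_instance and the new struct deferred_signal_schedule_entry begin with a struct schedule_entry and the scheduler hands the entry back through earliest_wakeup; nothing in the hunk says so. Add a comment at the comparison and at the struct definition stating that se must stay the first member. The branch also deliberately leaves m->deferred_signal.signal_received set after throw_signal(), which is what makes the next multi_process_signal() call fall through to `return true` and break the loop; that coupling between the two hunks deserves a comment as well, since a reader of either hunk alone will not see it.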
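Review bot: the block added to multi_process_signal() uses `//` comments, declares `struct timeval tv;` after a statement, and indents its braces differently from the surrounding code, while every other comment in this diff is `/* */` with declarations at the top of the block; please match the file's style. The two-second delay is a bare literal assigned to tv.tv_sec; give it a name (a #define next to OCC_SHUTTING_DOWN, or better a configurable option) so the value is documented and tunable. is_shutdown_signal() is defined non-static and no prototype appears in the multi.h hunks shown; make it static, and use the same one-declaration-per-line layout as the rest of multi.c. Finally, the list in is_shutdown_signal() includes SIGUSR1 and SIGHUP, which on the server mean restart rather than exit, yet the commit message says clients react to OCC_SHUTTING_DOWN by moving to the next remote; either explain why a restart should push clients to another server or limit the broadcast to SIGTERM/SIGINT.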
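Review bot: the new struct deferred_signal_schedule_entry and the deferred_signal member added to struct multi_context carry no documentation, while the neighbouring members in the same hunk (e.g. stale_routes_check_et) have Doxygen `/** */` comments. Document that signal_received doubles as the "a shutdown is already pending" flag (multi_process_signal() tests it for zero) and that se must remain the first member because the scheduler returns it as a generic entry. The removal of the blank line before `/**/` in the struct multi_route hunk is unrelated to this change; drop it to keep the diff focused.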
[Openvpn-devel] [PATCH applied] Re: Fix frame size calculation for non-CBC modes.
ACK, after discussion on #openvpn-devel. For CBC (which are the default
modes so far) this is only refactoring, so no compatibility issues are to
be expected.

Your patch has been applied to the master and release/2.3 branches.

commit 669f898b8fcaf7a8d43825fa0255c2791cc0ef89 (master)
commit 6f0ab30d7f034d4f8d7c2ca872cfef066b16c7f0 (release/2.3)
Author: Steffan Karger
List-Post: openvpn-devel@lists.sourceforge.net
Date:   Tue Jul 29 22:52:24 2014 +0200

    Fix frame size calculation for non-CBC modes.

    Signed-off-by: Steffan Karger
    Acked-by: Gert Doering
    Message-Id: <1406667144-17674-1-git-send-email-stef...@karger.me>
    URL: http://article.gmane.org/gmane.network.openvpn.devel/8952
    Signed-off-by: Gert Doering

--
kind regards,

Gert Doering