[Openvpn-devel] [PATCH v2] Exclude peer-id from pulled options digest

2016-10-04 Thread Lev Stipakov 
v2:
 - Move digest update to separate method

Peer-id might change on restart and this should not trigger reopening
tun.

Trac #649
---
 src/openvpn/push.c | 45 ++---
 1 file changed, 30 insertions(+), 15 deletions(-)

diff --git a/src/openvpn/push.c b/src/openvpn/push.c
index a1b999e..c0c78a0 100644
--- a/src/openvpn/push.c
+++ b/src/openvpn/push.c
@@ -597,6 +597,20 @@ process_incoming_push_request (struct context *c)
 }
 #endif
 
+static void
+push_update_digest(md_ctx_t *ctx, struct buffer *buf)
+{
+  char line[OPTION_PARM_SIZE];
+  while (buf_parse (buf, ',', line, sizeof (line)))
+{
+  /* peer-id might change on restart and this should not trigger reopening 
tun */
+  if (strstr (line, "peer-id ") != line)
+   {
+ md_ctx_update (ctx, (const uint8_t *) line, strlen(line));
+   }
+}
+}
+
 int
 process_incoming_push_msg (struct context *c,
   const struct buffer *buffer,
@@ -636,21 +650,22 @@ process_incoming_push_msg (struct context *c,
  permission_mask,
  option_types_found,
  c->c2.es))
-   switch (c->options.push_continuation)
- {
- case 0:
- case 1:
-   md_ctx_update (>c2.pulled_options_state, BPTR(_orig), 
BLEN(_orig));
-   md_ctx_final (>c2.pulled_options_state, 
c->c2.pulled_options_digest.digest);
-   md_ctx_cleanup (>c2.pulled_options_state);
-   c->c2.pulled_options_md5_init_done = false;
-   ret = PUSH_MSG_REPLY;
-   break;
- case 2:
-   md_ctx_update (>c2.pulled_options_state, BPTR(_orig), 
BLEN(_orig));
-   ret = PUSH_MSG_CONTINUATION;
-   break;
- }
+   {
+ push_update_digest (>c2.pulled_options_state, _orig);
+ switch (c->options.push_continuation)
+   {
+ case 0:
+ case 1:
+   md_ctx_final (>c2.pulled_options_state, 
c->c2.pulled_options_digest.digest);
+   md_ctx_cleanup (>c2.pulled_options_state);
+   c->c2.pulled_options_md5_init_done = false;
+   ret = PUSH_MSG_REPLY;
+   break;
+ case 2:
+   ret = PUSH_MSG_CONTINUATION;
+   break;
+   }
+   }
}
   else if (ch == '\0')
{
-- 
1.9.1


--
Check out the vibrant tech community on one of the world's most 
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [PATCH v2 2.3] Exclude peer-id from pulled options digest

2016-10-04 Thread Lev Stipakov 
v2:
 - Use md5_* methods
 - Move digest update to separate method

Peer-id might change on restart and this should not trigger reopening
tun.

Trac #649
---
 src/openvpn/push.c | 43 +--
 1 file changed, 29 insertions(+), 14 deletions(-)

diff --git a/src/openvpn/push.c b/src/openvpn/push.c
index 71f39c1..402c158 100644
--- a/src/openvpn/push.c
+++ b/src/openvpn/push.c
@@ -407,6 +407,20 @@ push_reset (struct options *o)
 }
 #endif
 
+static void
+push_update_digest(struct md5_state *ctx, struct buffer *buf)
+{
+  char line[OPTION_PARM_SIZE];
+  while (buf_parse (buf, ',', line, sizeof (line)))
+{
+  /* peer-id might change on restart and this should not trigger reopening 
tun */
+  if (strstr (line, "peer-id ") != line)
+   {
+ md5_state_update (ctx, line, strlen(line));
+   }
+}
+}
+
 int
 process_incoming_push_msg (struct context *c,
   const struct buffer *buffer,
@@ -473,20 +487,21 @@ process_incoming_push_msg (struct context *c,
  permission_mask,
  option_types_found,
  c->c2.es))
-   switch (c->options.push_continuation)
- {
- case 0:
- case 1:
-   md5_state_update (>c2.pulled_options_state, BPTR(_orig), 
BLEN(_orig));
-   md5_state_final (>c2.pulled_options_state, 
>c2.pulled_options_digest);
-   c->c2.pulled_options_md5_init_done = false;
-   ret = PUSH_MSG_REPLY;
-   break;
- case 2:
-   md5_state_update (>c2.pulled_options_state, BPTR(_orig), 
BLEN(_orig));
-   ret = PUSH_MSG_CONTINUATION;
-   break;
- }
+   {
+ push_update_digest (>c2.pulled_options_state, _orig);
+ switch (c->options.push_continuation)
+   {
+ case 0:
+ case 1:
+   md5_state_final (>c2.pulled_options_state, 
>c2.pulled_options_digest);
+   c->c2.pulled_options_md5_init_done = false;
+   ret = PUSH_MSG_REPLY;
+   break;
+ case 2:
+   ret = PUSH_MSG_CONTINUATION;
+   break;
+   }
+   }
}
   else if (ch == '\0')
{
-- 
1.9.1


--
Check out the vibrant tech community on one of the world's most 
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [PATCH master] Exclude peer-id from pulled options digest

2016-10-04 Thread Steffan Karger 
Hi,

On 24-09-16 17:54, Lev Stipakov wrote:
> Peer-id might change on restart and this should not trigger reopening
> tun.
> 
> Trac #649

Feature-ACK.

The same holds for ncp stuff though, so I think we should do the same
for cipher, auth and keysize.  Unless those change the tun-mtu, hmm...
That might need further investigation, so maybe keep that separate from
the peer-id issue.

> +   char line[OPTION_PARM_SIZE];
> +   while (buf_parse (_orig, ',', line, sizeof (line)))
> + {
> +   /* peer-id might change on restart and this should not 
> trigger reopening tun */
> +   if (strstr (line, "peer-id ") != line)
> + {
> +   md_ctx_update (>c2.pulled_options_state, (const 
> uint8_t *) line, strlen(line));
> + }
> + }

This looks like it should be a separate (static) function
'push_update_digest(state, msg)', or something like that.

> + md_ctx_cleanup (>c2.pulled_options_state);

Are you sure?  I don't see a "-md_ctx_cleanup (...)" in the patch
for master (there is in 2.3 though).  Do you fix a bug here, or is this
a cherry-picking mistake?

-Steffan

--
Check out the vibrant tech community on one of the world's most 
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [PATCH applied] add POSTINIT_CMD_suf to t_client.sh and sample config

2016-10-04 Thread Gert Doering 
Your patch has been applied to the following branches

commit bae1ad7005fd9a1fadeed56370a9ac5422a33fee  (master)
commit 7891c8ce93b33749ee75ab579aa391bc5eab6e2f  (release/2.3)
Author: Gert Doering
Date:   Tue Oct 4 13:38:54 2016 +0200

 add POSTINIT_CMD_suf to t_client.sh and sample config

 Signed-off-by: Gert Doering 
 Acked-by: Arne Schwabe 
 Message-Id: <20161004113854.42470-1-g...@greenie.muc.de>
 URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12594.html
 Signed-off-by: Gert Doering 


Also(!), I had to cherry-pick 8fedf86abaf8fca8d0e9e81f70d7a5888a98b9ee
into 2.3 as 6ac1cf103e77b0d2aa3360c4373099bf4d9f1919:

commit 6ac1cf103e77b0d2aa3360c4373099bf4d9f1919
Author: David Sommerseth 
Date:   Sat Nov 16 16:17:54 2013 +0100

t_client.sh: Add prepare/cleanup possibilties for each test case

By adding PREPARE_$NUM and CLEANUP_$NUM variables containing command lines
to execute before and after the test case is run.


otherwise, this patch did not apply - and it doesn't really make sense
to have only the POSTINIT_CMD_ and not PREPARE/CLEANUP.  Tested :-)
--
kind regards,

Gert Doering


--
Check out the vibrant tech community on one of the world's most 
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [PATCH] add POSTINIT_CMD_suf to t_client.sh and sample config

2016-10-04 Thread Arne Schwabe 


Am 04.10.16 um 13:38 schrieb Gert Doering:
> We have pre-init and cleanup commands, but some test cases might need
> or want to run a shell script after openvpn has initialized, but before
> executing any tests (ifconfig comparison and ping).
>
> Example: POSTINIT_CMD_4="sleep 5" on MacOS X for tap tests (IPv6 DAD)
>
> Signed-off-by: Gert Doering 
> ---
>  tests/t_client.rc-sample | 3 +++
>  tests/t_client.sh.in | 7 +++
>  2 files changed, 10 insertions(+)
>
> diff --git a/tests/t_client.rc-sample b/tests/t_client.rc-sample
> index fb2abfa..59f34c7 100644
> --- a/tests/t_client.rc-sample
> +++ b/tests/t_client.rc-sample
> @@ -75,6 +75,9 @@ RUN_TITLE_2="testing tun/tcp/ipv4+ipv6"
>  OPENVPN_CONF_2="$OPENVPN_BASE_P2MP --dev tun --proto tcp --remote $REMOTE 
> --port 51194"
>  PING4_HOSTS_2="10.100.51.1 10.100.0.1"
>  PING6_HOSTS_2="2001:db8::1 2001:db8:a051::1"
> +#
> +# run command after openvpn initialization is done - here: delay 5 seconds
> +POSTINIT_CMD_2="sleep 5"

ACK. Also workaround/fixes the DAD problem on OS X for tap.

Arne

--
Check out the vibrant tech community on one of the world's most 
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [PATCH] add POSTINIT_CMD_suf to t_client.sh and sample config

2016-10-04 Thread Gert Doering 
We have pre-init and cleanup commands, but some test cases might need
or want to run a shell script after openvpn has initialized, but before
executing any tests (ifconfig comparison and ping).

Example: POSTINIT_CMD_4="sleep 5" on MacOS X for tap tests (IPv6 DAD)

Signed-off-by: Gert Doering 
---
 tests/t_client.rc-sample | 3 +++
 tests/t_client.sh.in | 7 +++
 2 files changed, 10 insertions(+)

diff --git a/tests/t_client.rc-sample b/tests/t_client.rc-sample
index fb2abfa..59f34c7 100644
--- a/tests/t_client.rc-sample
+++ b/tests/t_client.rc-sample
@@ -75,6 +75,9 @@ RUN_TITLE_2="testing tun/tcp/ipv4+ipv6"
 OPENVPN_CONF_2="$OPENVPN_BASE_P2MP --dev tun --proto tcp --remote $REMOTE 
--port 51194"
 PING4_HOSTS_2="10.100.51.1 10.100.0.1"
 PING6_HOSTS_2="2001:db8::1 2001:db8:a051::1"
+#
+# run command after openvpn initialization is done - here: delay 5 seconds
+POSTINIT_CMD_2="sleep 5"
 
 # Test 3: UDP / p2p tun
 # ...
diff --git a/tests/t_client.sh.in b/tests/t_client.sh.in
index b2428b9..6c81bc4 100755
--- a/tests/t_client.sh.in
+++ b/tests/t_client.sh.in
@@ -263,6 +263,7 @@ for SUF in $TEST_RUN_LIST
 do
 # get config variables
 eval test_prep=\"\$PREPARE_$SUF\"
+eval test_postinit=\"\$POSTINIT_CMD_$SUF\"
 eval test_cleanup=\"\$CLEANUP_$SUF\"
 eval test_run_title=\"\$RUN_TITLE_$SUF\"
 eval openvpn_conf=\"\$OPENVPN_CONF_$SUF\"
@@ -362,6 +363,12 @@ do
echo -e " OK!\n"
 fi
 
+# post init script needed?
+if [ -n "$test_postinit" ]; then
+echo -e "running post-init cmd: '$test_postinit'"
+eval $test_postinit
+fi
+
 # expected ifconfig values in there?
 check_ifconfig 4 "$expect_ifconfig4"
 check_ifconfig 6 "$expect_ifconfig6"
-- 
2.9.0


--
Check out the vibrant tech community on one of the world's most 
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [PATCH applied] make t_client robust against sudoers misconfiguration

2016-10-04 Thread Gert Doering 
Patch has been applied to the following branches

commit 8ca29af7c6d4759ce019ec9d0cd3eae4511a6804  (master)
commit 0bd4ef0a18c65bfbd4e5b08735d7bb67dd010b97  (release/2.3)
Author: Gert Doering
Date:   Sun Oct 2 15:19:23 2016 +0200

 make t_client robust against sudoers misconfiguration

 Signed-off-by: Gert Doering 
 Acked-by: Arne Schwabe 
 Message-Id: <20161002131923.36681-1-g...@greenie.muc.de>
 URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12585.html
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering


--
Check out the vibrant tech community on one of the world's most 
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [PATCH applied] Automatically cache expected IPs for t_client.sh on the first run

2016-10-04 Thread Gert Doering 
Your patch has been applied to the following branches

commit df0b00c253e41cce9567be79dbd3faa14c60473b  (master)
commit beca355525fd250f660b5c400edd3ba83d25f171  (release/2.3)
Author: Samuli Sepp�nen
Date:   Mon Oct 3 13:51:27 2016 +0300

 Automatically cache expected IPs for t_client.sh on the first run

 Signed-off-by: Samuli Sepp�nen 
 Acked-by: Arne Schwabe 
 Message-Id: <1475491887-740-1-git-send-email-sam...@openvpn.net>
 URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12587.html
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering


--
Check out the vibrant tech community on one of the world's most 
engaging tech sites, SlashDot.org! http://sdm.link/slashdot___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [PATCH] make t_client robust against sudoers misconfiguration

2016-10-04 Thread Arne Schwabe 


Am 02.10.16 um 15:19 schrieb Gert Doering:
> Instead of testing (and priming) sudo with "true", prime with
> "kill -0 $$" (just test signalling ourselves).  If this fails,
> we won't be able to kill the openvpn process we're going to
> start later on -> thus, SKIP on failure.
>
> This helps with misconfigured setups (especially on the buildbots)
> that can correctly start openvpn but then not stop it later on -
> leaving openvpn processes dangling around, requiring manual
> intervention.
>
> Signed-off-by: Gert Doering 
> ---
>  tests/t_client.sh.in | 14 +++---
>  1 file changed, 7 insertions(+), 7 deletions(-)
>
> diff --git a/tests/t_client.sh.in b/tests/t_client.sh.in
> index 2b9bacf..a97e9be 100755
> --- a/tests/t_client.sh.in
> +++ b/tests/t_client.sh.in
> @@ -42,12 +42,6 @@ if [ $? -ne 0 ]; then
>  exit 77
>  fi
>  
> -TRUE_EXEC=`which true`
> -if [ $? -ne 0 ]; then
> -echo "$0: true not found in \$PATH" >&2
> -exit 77
> -fi
> -
>  if [ ! -x "${top_builddir}/src/openvpn/openvpn" ]
>  then
>  echo "no (executable) openvpn binary in current build tree. FAIL." >&2
> @@ -102,7 +96,13 @@ else
>  # We have to use sudo. Make sure that we (hopefully) do not have
>  # to ask the users password during the test. This is done to
>  # prevent timing issues, e.g. when the waits for openvpn to start
> -$RUN_SUDO $TRUE_EXEC
> + if $RUN_SUDO $KILL_EXEC -0 $$
> + then
> + echo "$0: $RUN_SUDO $KILL_EXEC -0 succeeded, good."
> + else
> + echo "$0: $RUN_SUDO $KILL_EXEC -0 failed, cannot go on. SKIP." >&2
> + exit 77
> + fi
>  fi
>  fi
>  

Looks good, ACK from me.

Arne


--
Check out the vibrant tech community on one of the world's most 
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [PATCH] Automatically cache expected IPs for t_client.sh on the first run

2016-10-04 Thread Arne Schwabe 


Am 03.10.16 um 12:51 schrieb sam...@openvpn.net:
> From: Samuli Seppänen 
>
> Previously one had to manually define correct values for the EXPECT_IFCONFIG*
> variables based on what IPv4 and IPv6 addresses the test VPN server handed 
> out.
> This was a tedious process especially with large number of tests, as the IPs
> changed for every test client and for every test. With this patch t_client.sh
> figures out the correct IP addresses using an --up script and caches them to a
> separate file for later use.
>
>
I removed all EXPECT_IFCONFIG for test 1-6 from my config and it worked.
Also the code looks fine, so ack from me.

(If we later add a test with --up we can figure that out later.
Currently the added comfort is great)

Arne

--
Check out the vibrant tech community on one of the world's most 
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel