[Openvpn-devel] [PATCH v2] Exclude peer-id from pulled options digest
v2: - Move digest update to separate method Peer-id might change on restart and this should not trigger reopening tun. Trac #649 --- src/openvpn/push.c | 45 ++--- 1 file changed, 30 insertions(+), 15 deletions(-) diff --git a/src/openvpn/push.c b/src/openvpn/push.c index a1b999e..c0c78a0 100644 --- a/src/openvpn/push.c +++ b/src/openvpn/push.c @@ -597,6 +597,20 @@ process_incoming_push_request (struct context *c) } #endif +static void +push_update_digest(md_ctx_t *ctx, struct buffer *buf) +{ + char line[OPTION_PARM_SIZE]; + while (buf_parse (buf, ',', line, sizeof (line))) +{ + /* peer-id might change on restart and this should not trigger reopening tun */ + if (strstr (line, "peer-id ") != line) + { + md_ctx_update (ctx, (const uint8_t *) line, strlen(line)); + } +} +} + int process_incoming_push_msg (struct context *c, const struct buffer *buffer, @@ -636,21 +650,22 @@ process_incoming_push_msg (struct context *c, permission_mask, option_types_found, c->c2.es)) - switch (c->options.push_continuation) - { - case 0: - case 1: - md_ctx_update (>c2.pulled_options_state, BPTR(_orig), BLEN(_orig)); - md_ctx_final (>c2.pulled_options_state, c->c2.pulled_options_digest.digest); - md_ctx_cleanup (>c2.pulled_options_state); - c->c2.pulled_options_md5_init_done = false; - ret = PUSH_MSG_REPLY; - break; - case 2: - md_ctx_update (>c2.pulled_options_state, BPTR(_orig), BLEN(_orig)); - ret = PUSH_MSG_CONTINUATION; - break; - } + { + push_update_digest (>c2.pulled_options_state, _orig); + switch (c->options.push_continuation) + { + case 0: + case 1: + md_ctx_final (>c2.pulled_options_state, c->c2.pulled_options_digest.digest); + md_ctx_cleanup (>c2.pulled_options_state); + c->c2.pulled_options_md5_init_done = false; + ret = PUSH_MSG_REPLY; + break; + case 2: + ret = PUSH_MSG_CONTINUATION; + break; + } + } } else if (ch == '\0') { -- 1.9.1 -- Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v2 2.3] Exclude peer-id from pulled options digest
v2: - Use md5_* methods - Move digest update to separate method Peer-id might change on restart and this should not trigger reopening tun. Trac #649 --- src/openvpn/push.c | 43 +-- 1 file changed, 29 insertions(+), 14 deletions(-) diff --git a/src/openvpn/push.c b/src/openvpn/push.c index 71f39c1..402c158 100644 --- a/src/openvpn/push.c +++ b/src/openvpn/push.c @@ -407,6 +407,20 @@ push_reset (struct options *o) } #endif +static void +push_update_digest(struct md5_state *ctx, struct buffer *buf) +{ + char line[OPTION_PARM_SIZE]; + while (buf_parse (buf, ',', line, sizeof (line))) +{ + /* peer-id might change on restart and this should not trigger reopening tun */ + if (strstr (line, "peer-id ") != line) + { + md5_state_update (ctx, line, strlen(line)); + } +} +} + int process_incoming_push_msg (struct context *c, const struct buffer *buffer, @@ -473,20 +487,21 @@ process_incoming_push_msg (struct context *c, permission_mask, option_types_found, c->c2.es)) - switch (c->options.push_continuation) - { - case 0: - case 1: - md5_state_update (>c2.pulled_options_state, BPTR(_orig), BLEN(_orig)); - md5_state_final (>c2.pulled_options_state, >c2.pulled_options_digest); - c->c2.pulled_options_md5_init_done = false; - ret = PUSH_MSG_REPLY; - break; - case 2: - md5_state_update (>c2.pulled_options_state, BPTR(_orig), BLEN(_orig)); - ret = PUSH_MSG_CONTINUATION; - break; - } + { + push_update_digest (>c2.pulled_options_state, _orig); + switch (c->options.push_continuation) + { + case 0: + case 1: + md5_state_final (>c2.pulled_options_state, >c2.pulled_options_digest); + c->c2.pulled_options_md5_init_done = false; + ret = PUSH_MSG_REPLY; + break; + case 2: + ret = PUSH_MSG_CONTINUATION; + break; + } + } } else if (ch == '\0') { -- 1.9.1 -- Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH master] Exclude peer-id from pulled options digest
Hi, On 24-09-16 17:54, Lev Stipakov wrote: > Peer-id might change on restart and this should not trigger reopening > tun. > > Trac #649 Feature-ACK. The same holds for ncp stuff though, so I think we should do the same for cipher, auth and keysize. Unless those change the tun-mtu, hmm... That might need further investigation, so maybe keep that separate from the peer-id issue. > + char line[OPTION_PARM_SIZE]; > + while (buf_parse (_orig, ',', line, sizeof (line))) > + { > + /* peer-id might change on restart and this should not > trigger reopening tun */ > + if (strstr (line, "peer-id ") != line) > + { > + md_ctx_update (>c2.pulled_options_state, (const > uint8_t *) line, strlen(line)); > + } > + } This looks like it should be a separate (static) function 'push_update_digest(state, msg)', or something like that. > + md_ctx_cleanup (>c2.pulled_options_state); Are you sure? I don't see a "-md_ctx_cleanup (...)" in the patch for master (there is in 2.3 though). Do you fix a bug here, or is this a cherry-picking mistake? -Steffan -- Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH applied] add POSTINIT_CMD_suf to t_client.sh and sample config
Your patch has been applied to the following branches commit bae1ad7005fd9a1fadeed56370a9ac5422a33fee (master) commit 7891c8ce93b33749ee75ab579aa391bc5eab6e2f (release/2.3) Author: Gert Doering Date: Tue Oct 4 13:38:54 2016 +0200 add POSTINIT_CMD_suf to t_client.sh and sample config Signed-off-by: Gert DoeringAcked-by: Arne Schwabe Message-Id: <20161004113854.42470-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12594.html Signed-off-by: Gert Doering Also(!), I had to cherry-pick 8fedf86abaf8fca8d0e9e81f70d7a5888a98b9ee into 2.3 as 6ac1cf103e77b0d2aa3360c4373099bf4d9f1919: commit 6ac1cf103e77b0d2aa3360c4373099bf4d9f1919 Author: David Sommerseth Date: Sat Nov 16 16:17:54 2013 +0100 t_client.sh: Add prepare/cleanup possibilties for each test case By adding PREPARE_$NUM and CLEANUP_$NUM variables containing command lines to execute before and after the test case is run. otherwise, this patch did not apply - and it doesn't really make sense to have only the POSTINIT_CMD_ and not PREPARE/CLEANUP. Tested :-) -- kind regards, Gert Doering -- Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] add POSTINIT_CMD_suf to t_client.sh and sample config
Am 04.10.16 um 13:38 schrieb Gert Doering: > We have pre-init and cleanup commands, but some test cases might need > or want to run a shell script after openvpn has initialized, but before > executing any tests (ifconfig comparison and ping). > > Example: POSTINIT_CMD_4="sleep 5" on MacOS X for tap tests (IPv6 DAD) > > Signed-off-by: Gert Doering> --- > tests/t_client.rc-sample | 3 +++ > tests/t_client.sh.in | 7 +++ > 2 files changed, 10 insertions(+) > > diff --git a/tests/t_client.rc-sample b/tests/t_client.rc-sample > index fb2abfa..59f34c7 100644 > --- a/tests/t_client.rc-sample > +++ b/tests/t_client.rc-sample > @@ -75,6 +75,9 @@ RUN_TITLE_2="testing tun/tcp/ipv4+ipv6" > OPENVPN_CONF_2="$OPENVPN_BASE_P2MP --dev tun --proto tcp --remote $REMOTE > --port 51194" > PING4_HOSTS_2="10.100.51.1 10.100.0.1" > PING6_HOSTS_2="2001:db8::1 2001:db8:a051::1" > +# > +# run command after openvpn initialization is done - here: delay 5 seconds > +POSTINIT_CMD_2="sleep 5" ACK. Also workaround/fixes the DAD problem on OS X for tap. Arne -- Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH] add POSTINIT_CMD_suf to t_client.sh and sample config
We have pre-init and cleanup commands, but some test cases might need or want to run a shell script after openvpn has initialized, but before executing any tests (ifconfig comparison and ping). Example: POSTINIT_CMD_4="sleep 5" on MacOS X for tap tests (IPv6 DAD) Signed-off-by: Gert Doering--- tests/t_client.rc-sample | 3 +++ tests/t_client.sh.in | 7 +++ 2 files changed, 10 insertions(+) diff --git a/tests/t_client.rc-sample b/tests/t_client.rc-sample index fb2abfa..59f34c7 100644 --- a/tests/t_client.rc-sample +++ b/tests/t_client.rc-sample @@ -75,6 +75,9 @@ RUN_TITLE_2="testing tun/tcp/ipv4+ipv6" OPENVPN_CONF_2="$OPENVPN_BASE_P2MP --dev tun --proto tcp --remote $REMOTE --port 51194" PING4_HOSTS_2="10.100.51.1 10.100.0.1" PING6_HOSTS_2="2001:db8::1 2001:db8:a051::1" +# +# run command after openvpn initialization is done - here: delay 5 seconds +POSTINIT_CMD_2="sleep 5" # Test 3: UDP / p2p tun # ... diff --git a/tests/t_client.sh.in b/tests/t_client.sh.in index b2428b9..6c81bc4 100755 --- a/tests/t_client.sh.in +++ b/tests/t_client.sh.in @@ -263,6 +263,7 @@ for SUF in $TEST_RUN_LIST do # get config variables eval test_prep=\"\$PREPARE_$SUF\" +eval test_postinit=\"\$POSTINIT_CMD_$SUF\" eval test_cleanup=\"\$CLEANUP_$SUF\" eval test_run_title=\"\$RUN_TITLE_$SUF\" eval openvpn_conf=\"\$OPENVPN_CONF_$SUF\" @@ -362,6 +363,12 @@ do echo -e " OK!\n" fi +# post init script needed? +if [ -n "$test_postinit" ]; then +echo -e "running post-init cmd: '$test_postinit'" +eval $test_postinit +fi + # expected ifconfig values in there? check_ifconfig 4 "$expect_ifconfig4" check_ifconfig 6 "$expect_ifconfig6" -- 2.9.0 -- Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH applied] make t_client robust against sudoers misconfiguration
Patch has been applied to the following branches commit 8ca29af7c6d4759ce019ec9d0cd3eae4511a6804 (master) commit 0bd4ef0a18c65bfbd4e5b08735d7bb67dd010b97 (release/2.3) Author: Gert Doering Date: Sun Oct 2 15:19:23 2016 +0200 make t_client robust against sudoers misconfiguration Signed-off-by: Gert DoeringAcked-by: Arne Schwabe Message-Id: <20161002131923.36681-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12585.html Signed-off-by: Gert Doering -- kind regards, Gert Doering -- Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH applied] Automatically cache expected IPs for t_client.sh on the first run
Your patch has been applied to the following branches commit df0b00c253e41cce9567be79dbd3faa14c60473b (master) commit beca355525fd250f660b5c400edd3ba83d25f171 (release/2.3) Author: Samuli Sepp�nen Date: Mon Oct 3 13:51:27 2016 +0300 Automatically cache expected IPs for t_client.sh on the first run Signed-off-by: Samuli Sepp�nenAcked-by: Arne Schwabe Message-Id: <1475491887-740-1-git-send-email-sam...@openvpn.net> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12587.html Signed-off-by: Gert Doering -- kind regards, Gert Doering -- Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] make t_client robust against sudoers misconfiguration
Am 02.10.16 um 15:19 schrieb Gert Doering: > Instead of testing (and priming) sudo with "true", prime with > "kill -0 $$" (just test signalling ourselves). If this fails, > we won't be able to kill the openvpn process we're going to > start later on -> thus, SKIP on failure. > > This helps with misconfigured setups (especially on the buildbots) > that can correctly start openvpn but then not stop it later on - > leaving openvpn processes dangling around, requiring manual > intervention. > > Signed-off-by: Gert Doering> --- > tests/t_client.sh.in | 14 +++--- > 1 file changed, 7 insertions(+), 7 deletions(-) > > diff --git a/tests/t_client.sh.in b/tests/t_client.sh.in > index 2b9bacf..a97e9be 100755 > --- a/tests/t_client.sh.in > +++ b/tests/t_client.sh.in > @@ -42,12 +42,6 @@ if [ $? -ne 0 ]; then > exit 77 > fi > > -TRUE_EXEC=`which true` > -if [ $? -ne 0 ]; then > -echo "$0: true not found in \$PATH" >&2 > -exit 77 > -fi > - > if [ ! -x "${top_builddir}/src/openvpn/openvpn" ] > then > echo "no (executable) openvpn binary in current build tree. FAIL." >&2 > @@ -102,7 +96,13 @@ else > # We have to use sudo. Make sure that we (hopefully) do not have > # to ask the users password during the test. This is done to > # prevent timing issues, e.g. when the waits for openvpn to start > -$RUN_SUDO $TRUE_EXEC > + if $RUN_SUDO $KILL_EXEC -0 $$ > + then > + echo "$0: $RUN_SUDO $KILL_EXEC -0 succeeded, good." > + else > + echo "$0: $RUN_SUDO $KILL_EXEC -0 failed, cannot go on. SKIP." >&2 > + exit 77 > + fi > fi > fi > Looks good, ACK from me. Arne -- Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] Automatically cache expected IPs for t_client.sh on the first run
Am 03.10.16 um 12:51 schrieb sam...@openvpn.net: > From: Samuli Seppänen> > Previously one had to manually define correct values for the EXPECT_IFCONFIG* > variables based on what IPv4 and IPv6 addresses the test VPN server handed > out. > This was a tedious process especially with large number of tests, as the IPs > changed for every test client and for every test. With this patch t_client.sh > figures out the correct IP addresses using an --up script and caches them to a > separate file for later use. > > I removed all EXPECT_IFCONFIG for test 1-6 from my config and it worked. Also the code looks fine, so ack from me. (If we later add a test with --up we can figure that out later. Currently the added comfort is great) Arne -- Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel