[Openvpn-devel] [PATCH applied] Re: dco: support float notifications on FreeBSD

2025-09-08 Thread Gert Doering
So, this is the second part of the "make float notifications on FreeBSD
for the 2.6 tree work" patch series, see
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=289303

It's a squash of two patches from master - because the first patch
introduced autoconf changes + #ifdefs that the second one then removed
again (because we decided that "nah, making this conditional does not
really help anyone").  No need to track that in release/2.6 - the 
"master" commit IDs are linked.

Both original patches are from Kristof, so recording him as author
of the squashed patch.  I did the work, Ralf verified that I got it
right :-)

Two assert() calls have been pointed out as "this is questionable", and the
next patch will replace these and all others in the code with OpenVPN
ASSERT(), plus explain more background.


This patch affects only FreeBSD (dco_freebsd.h and #ifdef TARGET_FREEBSD),
and has been tested there, confirming that DCO float now works and nothing
else breaks.

Your patch has been applied to the release/2.6 branch (bugfix-ish).

commit 3c9fe881207df94e938ba7325a0cd46765d6ba6c
Author: Kristof Provost
Date:   Mon Sep 8 10:33:49 2025 +0200

 dco: support float notifications on FreeBSD

 Signed-off-by: Kristof Provost 
 Signed-off-by: Gert Doering 
 Acked-by: Ralf Lici 
 Message-Id: <20250908083354.19811-1-g...@greenie.muc.de>
 URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32827.html
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering



___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


[Openvpn-devel] [M] Change in openvpn[master]: Switch test_ssl certificate from RSA 2048 to secp384r1

2025-09-08 Thread cron2 (Code Review)
Attention is currently required from: flichtenheld, plaisthos.

cron2 has posted comments on this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/1172?usp=email )

Change subject: Switch test_ssl certificate from RSA 2048 to secp384r1
..


Patch Set 2: Code-Review+2

(1 comment)

Patchset:

PS2:
Also

20:01 < m-a> cron2: new ssl_testdriver passes at SECLEVEL=3 and SECLEVEL=4, but
 still barfs at SECLEVEL=5.



--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1172?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I327ecc9a85dd906517c28e71fe500883bfa028a4
Gerrit-Change-Number: 1172
Gerrit-PatchSet: 2
Gerrit-Owner: plaisthos 
Gerrit-Reviewer: cron2 
Gerrit-Reviewer: flichtenheld 
Gerrit-Reviewer: mandree 
Gerrit-CC: openvpn-devel 
Gerrit-Attention: plaisthos 
Gerrit-Attention: flichtenheld 
Gerrit-Comment-Date: Mon, 08 Sep 2025 18:17:05 +
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


[Openvpn-devel] [M] Change in openvpn[release/2.6]: dco: backport OS-independent part of peer float support

2025-09-08 Thread ralf_lici (Code Review)
Attention is currently required from: cron2, flichtenheld, plaisthos.

ralf_lici has posted comments on this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/1169?usp=email )

Change subject: dco: backport OS-independent part of peer float support
..


Patch Set 1: Code-Review+2


--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1169?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: release/2.6
Gerrit-Change-Id: Ib748e726eb84dcbe8a48b297d165dec80c0e578d
Gerrit-Change-Number: 1169
Gerrit-PatchSet: 1
Gerrit-Owner: cron2 
Gerrit-Reviewer: flichtenheld 
Gerrit-Reviewer: plaisthos 
Gerrit-Reviewer: ralf_lici 
Gerrit-CC: openvpn-devel 
Gerrit-Attention: plaisthos 
Gerrit-Attention: cron2 
Gerrit-Attention: flichtenheld 
Gerrit-Comment-Date: Mon, 08 Sep 2025 08:10:27 +
Gerrit-HasComments: No
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


[Openvpn-devel] [M] Change in openvpn[release/2.6]: dco: support float notifications on FreeBSD

2025-09-08 Thread ralf_lici (Code Review)
Attention is currently required from: cron2, flichtenheld, plaisthos.

ralf_lici has posted comments on this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/1170?usp=email )

Change subject: dco: support float notifications on FreeBSD
..


Patch Set 1: Code-Review+2

(1 comment)

Patchset:

PS1:
As discussed on IRC, this LGTM; it just needs the assert() fix included in 
change #1171.



--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1170?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: release/2.6
Gerrit-Change-Id: I53e6d1b31c4f673cb646716dce774ef3210f36bd
Gerrit-Change-Number: 1170
Gerrit-PatchSet: 1
Gerrit-Owner: cron2 
Gerrit-Reviewer: flichtenheld 
Gerrit-Reviewer: mandree 
Gerrit-Reviewer: plaisthos 
Gerrit-Reviewer: ralf_lici 
Gerrit-CC: openvpn-devel 
Gerrit-Attention: plaisthos 
Gerrit-Attention: cron2 
Gerrit-Attention: flichtenheld 
Gerrit-Comment-Date: Mon, 08 Sep 2025 08:13:33 +
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


[Openvpn-devel] [PATCH v1] dco: support float notifications on FreeBSD

2025-09-08 Thread Gert Doering
From: Kristof Provost 

this is a backport of commit b66b80b2ab and 796ad2c559
(squashed, as the second commit undoes quite a bit of #ifdef from the first)

Change-Id: I53e6d1b31c4f673cb646716dce774ef3210f36bd
Signed-off-by: Kristof Provost 
Signed-off-by: Gert Doering 
Acked-by: Ralf Lici 
(cherry picked from commit b66b80b2ab73bb422826911b675798e6b789ef03)
(cherry picked from commit 796ad2c55951635382e48ea5b71d13bbb83ebfb1)
---

This change was reviewed on Gerrit and approved by at least one
developer. I request to merge it to release/2.6.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1170
This mail reflects revision 1 of this Change.

Acked-by according to Gerrit (reflected above):
Ralf Lici 


diff --git a/src/openvpn/dco_freebsd.c b/src/openvpn/dco_freebsd.c
index ed7ea92..25532d4 100644
--- a/src/openvpn/dco_freebsd.c
+++ b/src/openvpn/dco_freebsd.c
@@ -72,6 +72,61 @@
 return (nvl);
 }
 
+static bool
+nvlist_to_sockaddr(const nvlist_t *nvl, struct sockaddr_storage *ss)
+{
+if (!nvlist_exists_number(nvl, "af"))
+{
+return (false);
+}
+if (!nvlist_exists_binary(nvl, "address"))
+{
+return (false);
+}
+if (!nvlist_exists_number(nvl, "port"))
+{
+return (false);
+}
+
+ss->ss_family = nvlist_get_number(nvl, "af");
+
+switch (ss->ss_family)
+{
+case AF_INET:
+{
+struct sockaddr_in *in = (struct sockaddr_in *)ss;
+const void *data;
+size_t len;
+
+in->sin_len = sizeof(*in);
+data = nvlist_get_binary(nvl, "address", &len);
+assert(len == sizeof(in->sin_addr));
+memcpy(&in->sin_addr, data, sizeof(in->sin_addr));
+in->sin_port = nvlist_get_number(nvl, "port");
+break;
+}
+
+case AF_INET6:
+{
+struct sockaddr_in6 *in6 = (struct sockaddr_in6 *)ss;
+const void *data;
+size_t len;
+
+in6->sin6_len = sizeof(*in6);
+data = nvlist_get_binary(nvl, "address", &len);
+assert(len == sizeof(in6->sin6_addr));
+memcpy(&in6->sin6_addr, data, sizeof(in6->sin6_addr));
+in6->sin6_port = nvlist_get_number(nvl, "port");
+break;
+}
+
+default:
+return (false);
+}
+
+return (true);
+}
+
 int
 dco_new_peer(dco_context_t *dco, unsigned int peerid, int sd,
  struct sockaddr *localaddr, struct sockaddr *remoteaddr,
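Review bot: the two `assert(len == sizeof(...))` checks in nvlist_to_sockaddr() guard a length that arrives from the kernel nvlist and sit directly in front of a fixed-size memcpy, but assert() is compiled out under -DNDEBUG, so a release build would copy sizeof(in->sin_addr) or sizeof(in6->sin6_addr) bytes out of a blob that may be shorter. The function already returns (false) for every other shape problem and the caller logs "Failed to parse float notification", so `if (len != sizeof(in->sin_addr)) { return (false); }` (and the same for sin6_addr) fits without new plumbing. Also worth a comment: the "port" number is stored into sin_port unchanged, so the byte order the kernel uses for it should be stated at the call site, since the kernel side of the contract is not visible here.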
@@ -571,6 +626,25 @@
 dco->dco_message_type = OVPN_CMD_SWAP_KEYS;
 break;
 
+case OVPN_NOTIF_FLOAT: {
+const nvlist_t *address;
+
+if (!nvlist_exists_nvlist(nvl, "address"))
+{
+msg(M_WARN, "Float notification without address");
+break;
+}
+
+address = nvlist_get_nvlist(nvl, "address");
+if (!nvlist_to_sockaddr(address, &dco->dco_float_peer_ss))
+{
+msg(M_WARN, "Failed to parse float notification");
+break;
+}
+dco->dco_message_type = OVPN_CMD_FLOAT_PEER;
+break;
+}
+
 default:
 msg(M_WARN, "Unknown kernel notification %d", type);
 break;
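Review bot: the two M_WARN messages in the OVPN_NOTIF_FLOAT case do not say which peer the malformed notification belonged to, although dco->dco_message_peer_id is part of the context; adding it ("Float notification without address for peer %d") makes a run of such warnings attributable in the log instead of anonymous. Minor style point: `case OVPN_NOTIF_FLOAT: {` puts the opening brace on the case line, whereas the rest of this file, including the switch in nvlist_to_sockaddr() above, puts it on its own line.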
diff --git a/src/openvpn/dco_freebsd.h b/src/openvpn/dco_freebsd.h
index e1a054e..ab5891e 100644
--- a/src/openvpn/dco_freebsd.h
+++ b/src/openvpn/dco_freebsd.h
@@ -36,6 +36,7 @@
 OVPN_CMD_DEL_PEER,
 OVPN_CMD_PACKET,
 OVPN_CMD_SWAP_KEYS,
+OVPN_CMD_FLOAT_PEER,
 };
 
 enum ovpn_del_reason_t {
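Review bot: OVPN_CMD_FLOAT_PEER is appended as the last enumerator, which keeps the existing command values stable; a one-line comment that this enum is OpenVPN's internal message type (as opposed to the kernel-facing enum ovpn_notif_type in ovpn_dco_freebsd.h) would save the next reader from wondering whether the two lists must be kept in lockstep.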
@@ -55,6 +56,7 @@
 int dco_message_type;
 int dco_message_peer_id;
 int dco_del_peer_reason;
+struct sockaddr_storage dco_float_peer_ss;
 uint64_t dco_read_bytes;
 uint64_t dco_write_bytes;
 } dco_context_t;
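Review bot: `dco_float_peer_ss` is added without a comment saying when it holds meaningful data; it is only written when dco_message_type is set to OVPN_CMD_FLOAT_PEER and otherwise keeps whatever it held from an earlier notification. A comment such as `/* valid only while dco_message_type == OVPN_CMD_FLOAT_PEER */` makes that explicit, and consumers should check ss_family before casting rather than trusting the field outside that window.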
diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
index eb5f932..310211c 100644
--- a/src/openvpn/multi.c
+++ b/src/openvpn/multi.c
@@ -3313,7 +3313,7 @@
 {
 process_incoming_del_peer(m, mi, dco);
 }
-#if 0
+#if defined(TARGET_FREEBSD)
 else if (dco->dco_message_type == OVPN_CMD_FLOAT_PEER)
 {
 ASSERT(mi->context.c2.link_socket);
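Review bot: `#if defined(TARGET_FREEBSD)` replaces `#if 0` with no comment explaining why the float branch is FreeBSD-only; a reader of release/2.6 cannot tell that Linux and Windows are excluded on purpose (change #1169's message says their 2.6 DCO kernels have no float support). A short comment above the guard, e.g. `/* only FreeBSD DCO delivers float notifications in 2.6 */`, keeps this from being mistaken for dead code later. The `ASSERT(mi->context.c2.link_socket)` here is the "must not happen" kind of check that ASSERT() is meant for, which is fine; it is the kernel-supplied length checks in dco_freebsd.c that should not be fatal.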
diff --git a/src/openvpn/ovpn_dco_freebsd.h b/src/openvpn/ovpn_dco_freebsd.h
index 53f94df..7eb643b 100644
--- a/src/openvpn/ovpn_dco_freebsd.h
+++ b/src/openvpn/ovpn_dco_freebsd.h
@@ -37,6 +37,7 @@
 enum ovpn_notif_type {
 OVPN_NOTIF_DEL_PEER,
 OVPN_NOTIF_ROTATE_KEY,
+OVPN_NOTIF_FLOAT,
 };
 
 enum ovpn_del_reason {
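Review bot: OVPN_NOTIF_FLOAT is appended to enum ovpn_notif_type, which mirrors the kernel's numbering; the header should say that the order must match the FreeBSD kernel's if_ovpn definitions it is copied from, because any reordering would make the kernel's float notification fall into the "Unknown kernel notification %d" default in dco_freebsd.c and the peer would silently become unreachable after it floats.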


___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


[Openvpn-devel] [M] Change in openvpn[release/2.6]: dco: support float notifications on FreeBSD

2025-09-08 Thread cron2 (Code Review)
cron2 has submitted this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/1170?usp=email )

Change subject: dco: support float notifications on FreeBSD
..

dco: support float notifications on FreeBSD

this is a backport of commit b66b80b2ab and 796ad2c559
(squashed, as the second commit undoes quite a bit of #ifdef from the first)

See https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=289303 for all
the epic details...

Change-Id: I53e6d1b31c4f673cb646716dce774ef3210f36bd
Signed-off-by: Kristof Provost 
Signed-off-by: Gert Doering 
Acked-by: Ralf Lici 
(cherry picked from commit b66b80b2ab73bb422826911b675798e6b789ef03)
(cherry picked from commit 796ad2c55951635382e48ea5b71d13bbb83ebfb1)
Message-Id: <20250908083354.19811-1-g...@greenie.muc.de>
URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32827.html
Signed-off-by: Gert Doering 
---
M src/openvpn/dco_freebsd.c
M src/openvpn/dco_freebsd.h
M src/openvpn/multi.c
M src/openvpn/ovpn_dco_freebsd.h
4 files changed, 78 insertions(+), 1 deletion(-)




diff --git a/src/openvpn/dco_freebsd.c b/src/openvpn/dco_freebsd.c
index ed7ea92..25532d4 100644
--- a/src/openvpn/dco_freebsd.c
+++ b/src/openvpn/dco_freebsd.c
@@ -72,6 +72,61 @@
 return (nvl);
 }

+static bool
+nvlist_to_sockaddr(const nvlist_t *nvl, struct sockaddr_storage *ss)
+{
+if (!nvlist_exists_number(nvl, "af"))
+{
+return (false);
+}
+if (!nvlist_exists_binary(nvl, "address"))
+{
+return (false);
+}
+if (!nvlist_exists_number(nvl, "port"))
+{
+return (false);
+}
+
+ss->ss_family = nvlist_get_number(nvl, "af");
+
+switch (ss->ss_family)
+{
+case AF_INET:
+{
+struct sockaddr_in *in = (struct sockaddr_in *)ss;
+const void *data;
+size_t len;
+
+in->sin_len = sizeof(*in);
+data = nvlist_get_binary(nvl, "address", &len);
+assert(len == sizeof(in->sin_addr));
+memcpy(&in->sin_addr, data, sizeof(in->sin_addr));
+in->sin_port = nvlist_get_number(nvl, "port");
+break;
+}
+
+case AF_INET6:
+{
+struct sockaddr_in6 *in6 = (struct sockaddr_in6 *)ss;
+const void *data;
+size_t len;
+
+in6->sin6_len = sizeof(*in6);
+data = nvlist_get_binary(nvl, "address", &len);
+assert(len == sizeof(in6->sin6_addr));
+memcpy(&in6->sin6_addr, data, sizeof(in6->sin6_addr));
+in6->sin6_port = nvlist_get_number(nvl, "port");
+break;
+}
+
+default:
+return (false);
+}
+
+return (true);
+}
+
 int
 dco_new_peer(dco_context_t *dco, unsigned int peerid, int sd,
  struct sockaddr *localaddr, struct sockaddr *remoteaddr,
@@ -571,6 +626,25 @@
 dco->dco_message_type = OVPN_CMD_SWAP_KEYS;
 break;

+case OVPN_NOTIF_FLOAT: {
+const nvlist_t *address;
+
+if (!nvlist_exists_nvlist(nvl, "address"))
+{
+msg(M_WARN, "Float notification without address");
+break;
+}
+
+address = nvlist_get_nvlist(nvl, "address");
+if (!nvlist_to_sockaddr(address, &dco->dco_float_peer_ss))
+{
+msg(M_WARN, "Failed to parse float notification");
+break;
+}
+dco->dco_message_type = OVPN_CMD_FLOAT_PEER;
+break;
+}
+
 default:
 msg(M_WARN, "Unknown kernel notification %d", type);
 break;
diff --git a/src/openvpn/dco_freebsd.h b/src/openvpn/dco_freebsd.h
index e1a054e..ab5891e 100644
--- a/src/openvpn/dco_freebsd.h
+++ b/src/openvpn/dco_freebsd.h
@@ -36,6 +36,7 @@
 OVPN_CMD_DEL_PEER,
 OVPN_CMD_PACKET,
 OVPN_CMD_SWAP_KEYS,
+OVPN_CMD_FLOAT_PEER,
 };

 enum ovpn_del_reason_t {
@@ -55,6 +56,7 @@
 int dco_message_type;
 int dco_message_peer_id;
 int dco_del_peer_reason;
+struct sockaddr_storage dco_float_peer_ss;
 uint64_t dco_read_bytes;
 uint64_t dco_write_bytes;
 } dco_context_t;
diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
index eb5f932..310211c 100644
--- a/src/openvpn/multi.c
+++ b/src/openvpn/multi.c
@@ -3313,7 +3313,7 @@
 {
 process_incoming_del_peer(m, mi, dco);
 }
-#if 0
+#if defined(TARGET_FREEBSD)
 else if (dco->dco_message_type == OVPN_CMD_FLOAT_PEER)
 {
 ASSERT(mi->context.c2.link_socket);
diff --git a/src/openvpn/ovpn_dco_freebsd.h b/src/openvpn/ovpn_dco_freebsd.h
index 53f94df..7eb643b 100644
--- a/src/openvpn/ovpn_dco_freebsd.h
+++ b/src/openvpn/ovpn_dco_freebsd.h
@@ -37,6 +37,7 @@
 enum ovpn_notif_type {
 OVPN_NOTIF_DEL_PEER,
 OVPN_NOTIF_ROTATE_KEY,
+OVPN_NOTIF_FLOAT,
 };

 enum ovpn_del_reason {

--
To view, visit http://gerrit.openvp

[Openvpn-devel] [S] Change in openvpn[master]: replace assert() calls with ASSERT()

2025-09-08 Thread cron2 (Code Review)
Hello flichtenheld, mandree, plaisthos,

I'd like you to reexamine a change. Please visit

http://gerrit.openvpn.net/c/openvpn/+/1171?usp=email

to look at the new patch set (#2).

The following approvals got outdated and were removed:
Code-Review+2 by mandree


Change subject: replace assert() calls with ASSERT()
..

replace assert() calls with ASSERT()

OpenVPN's ASSERT() macro will do a bit more than the standard-libc
assert() call, namely print out which function and what expression
failed, before calling _exit(1).  Also, it cannot be accidentally
compiled away (-DNDEBUG).

Use of ASSERT() is generally only advised in cases of "this must not
happen, but if it does, it's a programming or state corruption error
that we must know about".  Use of assert() is lacking the extra debug
info, and as such, not advised at all.

Change-Id: I6480d6f741c2368a0d951004b91167d5943f8f9d
Signed-off-by: Gert Doering 
Acked-by: mandree 
Message-Id: <20250907211252.23924-1-g...@greenie.muc.de>
URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32824.html
Signed-off-by: Gert Doering 
---
M src/openvpn/dco_freebsd.c
M src/openvpn/init.c
M src/openvpn/options.c
3 files changed, 8 insertions(+), 8 deletions(-)


  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/71/1171/2

diff --git a/src/openvpn/dco_freebsd.c b/src/openvpn/dco_freebsd.c
index 931f9f6..65303cd 100644
--- a/src/openvpn/dco_freebsd.c
+++ b/src/openvpn/dco_freebsd.c
@@ -100,7 +100,7 @@

 in->sin_len = sizeof(*in);
 data = nvlist_get_binary(nvl, "address", &len);
-assert(len == sizeof(in->sin_addr));
+ASSERT(len == sizeof(in->sin_addr));
 memcpy(&in->sin_addr, data, sizeof(in->sin_addr));
 in->sin_port = nvlist_get_number(nvl, "port");
 break;
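Review bot: switching these two checks to ASSERT() keeps a length mismatch fatal: per the commit message ASSERT() prints and then calls _exit(1), so one malformed float notification from the kernel still takes down the whole daemon and, on a server, every other connected peer with it. nvlist_to_sockaddr() already returns a bool and its caller logs "Failed to parse float notification" and drops the message, so `if (len != sizeof(in->sin_addr)) { return (false); }` (the approach of the "dco_freebsd: replace assert() by if...return" patch on this list) would contain the damage to that one notification. ASSERT() is the right tool for the init.c and options.c hunks below, which check programming invariants rather than kernel input.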
@@ -114,7 +114,7 @@

 in6->sin6_len = sizeof(*in6);
 data = nvlist_get_binary(nvl, "address", &len);
-assert(len == sizeof(in6->sin6_addr));
+ASSERT(len == sizeof(in6->sin6_addr));
 memcpy(&in6->sin6_addr, data, sizeof(in6->sin6_addr));
 in6->sin6_port = nvlist_get_number(nvl, "port");

diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index 39ea8e4..2821cd4 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -319,7 +319,7 @@
 static unsigned int
 management_callback_remote_entry_count(void *arg)
 {
-assert(arg);
+ASSERT(arg);
 struct context *c = (struct context *)arg;
 struct connection_list *l = c->options.connection_list;

@@ -329,8 +329,8 @@
 static bool
 management_callback_remote_entry_get(void *arg, unsigned int index, char 
**remote)
 {
-assert(arg);
-assert(remote);
+ASSERT(arg);
+ASSERT(remote);

 struct context *c = (struct context *)arg;
 struct connection_list *l = c->options.connection_list;
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 0616a17..6858a69 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -3486,9 +3486,9 @@
 {
 /* Copy --dhcp-options to tuntap_options */
 struct dhcp_options *dhcp = &dns->from_dhcp;
-assert(sizeof(dhcp->dns) == sizeof(tt->dns));
-assert(sizeof(dhcp->dns6) == sizeof(tt->dns6));
-assert(sizeof(dhcp->domain_search_list) == 
sizeof(tt->domain_search_list));
+ASSERT(sizeof(dhcp->dns) == sizeof(tt->dns));
+ASSERT(sizeof(dhcp->dns6) == sizeof(tt->dns6));
+ASSERT(sizeof(dhcp->domain_search_list) == 
sizeof(tt->domain_search_list));

 tt->domain = dhcp->domain;
 tt->dns_len = dhcp->dns_len;
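Review bot: all three ASSERT() operands compare sizeof() of fixed struct members, i.e. compile-time constants, so a runtime check that can only fire after the binary has shipped is weaker than it needs to be. A static assertion (C11 `_Static_assert`, or whatever equivalent the project uses) would make a layout mismatch between struct dhcp_options and the tuntap_options fields fail the build instead of the running daemon.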

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1171?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I6480d6f741c2368a0d951004b91167d5943f8f9d
Gerrit-Change-Number: 1171
Gerrit-PatchSet: 2
Gerrit-Owner: cron2 
Gerrit-Reviewer: flichtenheld 
Gerrit-Reviewer: mandree 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-MessageType: newpatchset
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
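The thread above turns on two points: libc assert() disappears under -DNDEBUG, and a length check on data handed up by the kernel sits in front of a fixed-size memcpy in nvlist_to_sockaddr(). The following is an added example, not OpenVPN's code: it shows the compiled-away behaviour with a side effect that vanishes under NDEBUG, defines a hypothetical always-on ALWAYS_ASSERT() with the properties the commit message attributes to OpenVPN's ASSERT(), and parses a constructed stand-in for the FreeBSD float notification (struct float_notif, a made-up shape; no nvlist API is used) with the length validated by an if/return instead of an assertion. The FreeBSD-only sin_len/sin6_len fields are left out so it builds on Linux.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Hypothetical stand-in for an always-on assertion: reports function and
 * expression, then _exit(1); not removed by -DNDEBUG. Not OpenVPN's macro. */
#define ALWAYS_ASSERT(expr)                                                  \
    do {                                                                     \
        if (!(expr)) {                                                       \
            fprintf(stderr, "Assertion failed in %s at %s:%d: %s\n",         \
                    __func__, __FILE__, __LINE__, #expr);                    \
            _exit(1);                                                        \
        }                                                                    \
    } while (0)

/* The expression inside libc assert() is dropped entirely under -DNDEBUG,
 * so this returns 1 in a debug build and 0 in a release build. */
int libc_assert_side_effect_ran(void)
{
    int ran = 0;
    assert((ran = 1) == 1);
    return ran;
}

/* The same side effect inside ALWAYS_ASSERT() runs in every build. */
int always_assert_side_effect_ran(void)
{
    int ran = 0;
    ALWAYS_ASSERT((ran = 1) == 1);
    return ran;
}

/* Constructed stand-in for the nvlist a kernel float notification carries:
 * family, binary address blob with its length, and a port. */
struct float_notif {
    int af;
    const uint8_t *address;
    size_t address_len;
    uint16_t port;          /* assumed network byte order */
};

/* Parse into a sockaddr_storage. A wrong blob length is reported as false
 * to the caller, so the memcpy never reads past the blob and the daemon
 * keeps running; an assert() here would either abort or, under NDEBUG,
 * let the over-read happen. */
bool notif_to_sockaddr(const struct float_notif *n, struct sockaddr_storage *ss)
{
    memset(ss, 0, sizeof(*ss));
    if (n->address == NULL) {
        return false;
    }
    switch (n->af) {
    case AF_INET: {
        struct sockaddr_in *in = (struct sockaddr_in *)ss;
        if (n->address_len != sizeof(in->sin_addr)) {
            return false;
        }
        in->sin_family = AF_INET;
        memcpy(&in->sin_addr, n->address, sizeof(in->sin_addr));
        in->sin_port = n->port;
        return true;
    }
    case AF_INET6: {
        struct sockaddr_in6 *in6 = (struct sockaddr_in6 *)ss;
        if (n->address_len != sizeof(in6->sin6_addr)) {
            return false;
        }
        in6->sin6_family = AF_INET6;
        memcpy(&in6->sin6_addr, n->address, sizeof(in6->sin6_addr));
        in6->sin6_port = n->port;
        return true;
    }
    default:
        return false;
    }
}

/* Render "ip:port" or "[ip6]:port" for log lines; empty string otherwise. */
const char *sockaddr_to_text(const struct sockaddr_storage *ss, char *buf, size_t buflen)
{
    char ip[INET6_ADDRSTRLEN];
    buf[0] = '\0';
    if (ss->ss_family == AF_INET) {
        const struct sockaddr_in *in = (const struct sockaddr_in *)ss;
        inet_ntop(AF_INET, &in->sin_addr, ip, sizeof(ip));
        snprintf(buf, buflen, "%s:%u", ip, ntohs(in->sin_port));
    } else if (ss->ss_family == AF_INET6) {
        const struct sockaddr_in6 *in6 = (const struct sockaddr_in6 *)ss;
        inet_ntop(AF_INET6, &in6->sin6_addr, ip, sizeof(ip));
        snprintf(buf, buflen, "[%s]:%u", ip, ntohs(in6->sin6_port));
    }
    return buf;
}

/* Constructed sample: 192.0.2.1:1194 as a well-formed IPv4 notification. */
bool demo_parse_good_v4(char *buf, size_t buflen)
{
    static const uint8_t blob[4] = { 192, 0, 2, 1 };
    struct float_notif n = { AF_INET, blob, sizeof(blob), htons(1194) };
    struct sockaddr_storage ss;
    if (!notif_to_sockaddr(&n, &ss)) {
        return false;
    }
    sockaddr_to_text(&ss, buf, buflen);
    return true;
}

/* Constructed sample: a three-byte "address" blob, as a malformed
 * notification might carry; the parser must reject it, not memcpy 4 bytes. */
bool demo_parse_short_blob_rejected(void)
{
    static const uint8_t blob[3] = { 192, 0, 2 };
    struct float_notif n = { AF_INET, blob, sizeof(blob), htons(1194) };
    struct sockaddr_storage ss;
    return !notif_to_sockaddr(&n, &ss);
}

int main(void)
{
    char buf[64];
    printf("libc assert side effect ran: %d\n", libc_assert_side_effect_ran());
    printf("ALWAYS_ASSERT side effect ran: %d\n", always_assert_side_effect_ran());
    printf("good v4: %s -> %s\n", demo_parse_good_v4(buf, sizeof(buf)) ? "ok" : "rejected", buf);
    printf("short blob rejected: %d\n", demo_parse_short_blob_rejected());
    return 0;
}
```

Build it twice, once plain and once with -DNDEBUG, to see the first printed value change from 1 to 0 while the second stays at 1; that is the "compiled away" property the commit message is about, and it is why an input-validation check should be an explicit branch rather than either flavour of assertion.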


[Openvpn-devel] [S] Change in openvpn[master]: replace assert() calls with ASSERT()

2025-09-08 Thread cron2 (Code Review)
cron2 has submitted this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/1171?usp=email )

Change subject: replace assert() calls with ASSERT()
..

replace assert() calls with ASSERT()

OpenVPN's ASSERT() macro will do a bit more than the standard-libc
assert() call, namely print out which function and what expression
failed, before calling _exit(1).  Also, it cannot be accidentally
compiled away (-DNDEBUG).

Use of ASSERT() is generally only advised in cases of "this must not
happen, but if it does, it's a programming or state corruption error
that we must know about".  Use of assert() is lacking the extra debug
info, and as such, not advised at all.

Change-Id: I6480d6f741c2368a0d951004b91167d5943f8f9d
Signed-off-by: Gert Doering 
Acked-by: mandree 
Message-Id: <20250907211252.23924-1-g...@greenie.muc.de>
URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32824.html
Signed-off-by: Gert Doering 
---
M src/openvpn/dco_freebsd.c
M src/openvpn/init.c
M src/openvpn/options.c
3 files changed, 8 insertions(+), 8 deletions(-)




diff --git a/src/openvpn/dco_freebsd.c b/src/openvpn/dco_freebsd.c
index 931f9f6..65303cd 100644
--- a/src/openvpn/dco_freebsd.c
+++ b/src/openvpn/dco_freebsd.c
@@ -100,7 +100,7 @@

 in->sin_len = sizeof(*in);
 data = nvlist_get_binary(nvl, "address", &len);
-assert(len == sizeof(in->sin_addr));
+ASSERT(len == sizeof(in->sin_addr));
 memcpy(&in->sin_addr, data, sizeof(in->sin_addr));
 in->sin_port = nvlist_get_number(nvl, "port");
 break;
@@ -114,7 +114,7 @@

 in6->sin6_len = sizeof(*in6);
 data = nvlist_get_binary(nvl, "address", &len);
-assert(len == sizeof(in6->sin6_addr));
+ASSERT(len == sizeof(in6->sin6_addr));
 memcpy(&in6->sin6_addr, data, sizeof(in6->sin6_addr));
 in6->sin6_port = nvlist_get_number(nvl, "port");

diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index 39ea8e4..2821cd4 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -319,7 +319,7 @@
 static unsigned int
 management_callback_remote_entry_count(void *arg)
 {
-assert(arg);
+ASSERT(arg);
 struct context *c = (struct context *)arg;
 struct connection_list *l = c->options.connection_list;

@@ -329,8 +329,8 @@
 static bool
 management_callback_remote_entry_get(void *arg, unsigned int index, char 
**remote)
 {
-assert(arg);
-assert(remote);
+ASSERT(arg);
+ASSERT(remote);

 struct context *c = (struct context *)arg;
 struct connection_list *l = c->options.connection_list;
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 0616a17..6858a69 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -3486,9 +3486,9 @@
 {
 /* Copy --dhcp-options to tuntap_options */
 struct dhcp_options *dhcp = &dns->from_dhcp;
-assert(sizeof(dhcp->dns) == sizeof(tt->dns));
-assert(sizeof(dhcp->dns6) == sizeof(tt->dns6));
-assert(sizeof(dhcp->domain_search_list) == 
sizeof(tt->domain_search_list));
+ASSERT(sizeof(dhcp->dns) == sizeof(tt->dns));
+ASSERT(sizeof(dhcp->dns6) == sizeof(tt->dns6));
+ASSERT(sizeof(dhcp->domain_search_list) == 
sizeof(tt->domain_search_list));

 tt->domain = dhcp->domain;
 tt->dns_len = dhcp->dns_len;

-- 
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1171?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I6480d6f741c2368a0d951004b91167d5943f8f9d
Gerrit-Change-Number: 1171
Gerrit-PatchSet: 2
Gerrit-Owner: cron2 
Gerrit-Reviewer: flichtenheld 
Gerrit-Reviewer: mandree 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-MessageType: merged
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


[Openvpn-devel] [M] Change in openvpn[master]: Switch test_ssl certificate from RSA 2048 to secp384r1

2025-09-08 Thread plaisthos (Code Review)
Attention is currently required from: flichtenheld.

Hello flichtenheld,

I'd like you to do a code review.
Please visit

http://gerrit.openvpn.net/c/openvpn/+/1172?usp=email

to review the following change.


Change subject: Switch test_ssl certificate from RSA 2048 to secp384r1
..

Switch test_ssl certificate from RSA 2048 to secp384r1

This allows the unit test to also run in environments that have seclevel
(SSL_CTX_set_security_level) set to 3.

Closes: openvpn/openvpn#830
Change-Id: I327ecc9a85dd906517c28e71fe500883bfa028a4
---
M tests/unit_tests/openvpn/test_ssl.c
1 file changed, 23 insertions(+), 46 deletions(-)



  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/72/1172/1

diff --git a/tests/unit_tests/openvpn/test_ssl.c 
b/tests/unit_tests/openvpn/test_ssl.c
index 7bf5396..894d332 100644
--- a/tests/unit_tests/openvpn/test_ssl.c
+++ b/tests/unit_tests/openvpn/test_ssl.c
@@ -83,58 +83,35 @@
 return;
 }

+/* generated using
+ * openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:secp384r1 -keyout - 
\
+ * -noenc -sha256 -days 3650 -subj '/CN=ovpn-test-secp384r1'  -nodes \
+ * -addext 'subjectAltName=DNS:unittest.example.com' \
+ * -addext 'extendedKeyUsage=clientAuth'
+ */
 static const char *const unittest_cert =
 "-BEGIN CERTIFICATE-\n"
-"MIIDYzCCAkugAwIBAgIRALrXTx4lqa8QgF7uGjISxmcwDQYJKoZIhvcNAQELBQAw\n"
-"GDEWMBQGA1UEAwwNT1ZQTiBURVNUIENBMTAgFw0yMzAzMTMxNjA5MThaGA8yMTIz\n"
-"MDIxNzE2MDkxOFowGTEXMBUGA1UEAwwOb3Zwbi10ZXN0LXJzYTEwggEiMA0GCSqG\n"
-"SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC7xFoR6fmoyfsJIQDKKgbYgFw0MzVuDAmp\n"
-"Rx6KTEihgTchkQx9fHddWbKiOUbcEnQi3LNux7P4QVl/4dRR3skisBug6Vd5LXeB\n"
-"GZqmpu5XZiF4DgLz1lX21G0aOogFWkie2qGEcso40159x9FBDl5A3sLP18ubeex0\n"
-"pd/BzDFv6SLOTyVWO/GCNc8IX/i0uN4mLvoVU00SeqwTPnS+CRXrSq4JjGDJLsXl\n"
-"0/PlxkjsgU0yOOA0Z2d8Fzk3wClwP6Hc49BOMWKstUIhLbG2DcIv8l29EuEj2w3j\n"
-"u/7gkewol96XQ2twpPvpoVAaiVh/m7hQUcQORQCD6eJcDjOZVCArAgMBAAGjgaQw\n"
-"gaEwCQYDVR0TBAIwADAdBgNVHQ4EFgQUqYnRaBHrZmKLtMZES5AuwqzJkGYwUwYD\n"
-"VR0jBEwwSoAU3MLDNDOK13DqflQ8ra7FeGBXK06hHKQaMBgxFjAUBgNVBAMMDU9W\n"
-"UE4gVEVTVCBDQTGCFD55ErHXpK2JXS3WkfBm0NB1r3vKMBMGA1UdJQQMMAoGCCsG\n"
-"AQUFBwMCMAsGA1UdDwQEAwIHgDANBgkqhkiG9w0BAQsFAAOCAQEAZVcXrezA9Aby\n"
-"sfUNHAsMxrex/EO0PrIPSrmSmc9sCiD8cCIeB6kL8c5iPPigoWW0uLA9zteDRFes\n"
-"ez+Z8wBY6g8VQ0tFPURDooUg5011GZPDcuw7/PsI4+I2J9q6LHEp+6Oo4faSn/kl\n"
-"yWYCLjM4FZdGXbOijDacQJiN6HcRv0UdodBrEVRf7YHJJmMCbCI7ZUGW2zef/+rO\n"
-"e4Lkxh0MLYqCkNKH5ZfoGTC4Oeb0xKykswAanqgR60r+upaLU8PFuI2L9M3vc6KU\n"
-"F6MgVGSxl6eylJgDYckvJiAbmcp2PD/LRQQOxQA0yqeAMg2cbdvclETuYD6zoFfu\n"
-"Y8aO7dvDlw==\n"
+"MIICBjCCAYygAwIBAgIUFoXgpP4beykV7tpgrjHQTWPGi4cwCgYIKoZIzj0EAwIw\n"
+"HjEcMBoGA1UEAwwTb3Zwbi10ZXN0LXNlY3AzODRyMTAeFw0yNTA5MDgxMzExNTBa\n"
+"Fw0zNTA5MDYxMzExNTBaMB4xHDAaBgNVBAMME292cG4tdGVzdC1zZWNwMzg0cjEw\n"
+"djAQBgcqhkjOPQIBBgUrgQQAIgNiAAQVDmf+TZB3rW6zqWFox606u/PhA93ysX/h\n"
+"1s2xyq9+QGzIdE/hks6p/Yzyu7RLOUjxvO0J45RHcYmo67DlvSOi496T3zrgvp1H\n"
+"KfHD5ohMyvzw0+e8lmjJqJjn+PegMkOjgYowgYcwHQYDVR0OBBYEFCH1eYnaV8fh\n"
+"E3Bv7lyrlYu24eoVMB8GA1UdIwQYMBaAFCH1eYnaV8fhE3Bv7lyrlYu24eoVMA8G\n"
+"A1UdEwEB/wQFMAMBAf8wHwYDVR0RBBgwFoIUdW5pdHRlc3QuZXhhbXBsZS5jb20w\n"
+"EwYDVR0lBAwwCgYIKwYBBQUHAwIwCgYIKoZIzj0EAwIDaAAwZQIxAL7q7jcwTOuq\n"
+"5sp0Beq81Vnznd3gsDZYNs1OYRWH33xergDVKlBb6kCwus0dhghtVAIwIgT4ytkY\n"
+"oAPx8LB3oP8ubEu1ue6V9jZln/cCiLyXDDtaiJOZHtDqHGfHqvc6rAok\n"
 "-END CERTIFICATE-\n";

 static const char *const unittest_key =
 "-BEGIN PRIVATE KEY-\n"
-"MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQC7xFoR6fmoyfsJ\n"
-"IQDKKgbYgFw0MzVuDAmpRx6KTEihgTchkQx9fHddWbKiOUbcEnQi3LNux7P4QVl/\n"
-"4dRR3skisBug6Vd5LXeBGZqmpu5XZiF4DgLz1lX21G0aOogFWkie2qGEcso40159\n"
-"x9FBDl5A3sLP18ubeex0pd/BzDFv6SLOTyVWO/GCNc8IX/i0uN4mLvoVU00SeqwT\n"
-"PnS+CRXrSq4JjGDJLsXl0/PlxkjsgU0yOOA0Z2d8Fzk3wClwP6Hc49BOMWKstUIh\n"
-"LbG2DcIv8l29EuEj2w3ju/7gkewol96XQ2twpPvpoVAaiVh/m7hQUcQORQCD6eJc\n"
-"DjOZVCArAgMBAAECggEACqkuWAAJ3cyCBVWrXs8eDmLTWV9i9DmYvtS75ixIn2rf\n"
-"v3cl12YevN0f6FgKLuqZT3Vqdqq+DCVhuIIQ9QkKMH8BQpSdE9NCCsFyZ23o8Gtr\n"
-"EQ7ymfecb+RFwYx7NpqWrvZI32VJGArgPZH/zorLTTGYrAZbmBtHEqRsXOuEDw97\n"
-"slwwcWaa9ztaYC8/N/7fgsnydaCFSaOByRlWuyvSmHvn6ZwLv8ANOshY6fstC0Jb\n"
-"BW0GpSe9eZPjpl71VT2RtpghqLV5+iAoFDHoT+eZvBospcUGtfcZSU7RrBjKB8+a\n"
-"U1d6hwKhduVs2peIQzl+FiOSdWriLcsZv79q4sBhsQKBgQDUDVTf5BGJ8apOs/17\n"
-"YVk+Ad8Ey8sXvsfk49psmlCRa8Z4g0LVXfrP94qzhtl8U5kE9hs3nEF4j/kX1ZWG\n"
-"k11tdsNTZN5x5bbAgEgPA6Ap6J/uto0HS8G0vSv0lyBymdKA3p/i5Dx+8Nc9cGns\n"
-"LGI9MvviLX7pQFIkvbaCkdKwYwKBgQDirowjWZnm7BgVhF0G1m3DY9nQTYYU185W\n"
-"UESaO5/nVzwUrA+FypJamD+AvmlSuY8rJeQAGAS6nQr9G8/617r+GwJnzRtxC6Vl\n"
-"4OF5BJRsD70oX4CFOOlycMoJ8tzcYVH7NI8KVocjxb+QW82hqSvEwSsvnwwn3eOW\n"
-"nr5u5vIHmQKBgCuc3lL6Dl1ntdZgEIdau0cUjXDoFUo589TwxBDIID/4gaZxoMJP\n"
-"hPFXAVDxMDPw4az

Re: [Openvpn-devel] [PATCH] dco_freebsd: replace assert() by if...return

2025-09-08 Thread Gert Doering
Hi,

On Sat, Sep 06, 2025 at 03:54:13PM +0200, Matthias Andree via Openvpn-devel 
wrote:
> The assert() check might be optimized away in Release builds,
> and killing the process through abort() when input formats are
> bad when we already have an error message in place does not seem right.
> 
> Suggested by: Ralf Lici 
> 
> Signed-off-by: Matthias Andree 

Thanks for the patch.  There has been lots of parallel work going on
this weekend, and in the end it was decided to go for OpenVPN ASSERT()
instead.

(Committed in master and release/2.6 as of "just now")

gert

-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
 Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de


___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


[Openvpn-devel] [M] Change in openvpn[release/2.6]: dco: backport OS-independent part of peer float support

2025-09-08 Thread cron2 (Code Review)
Hello flichtenheld, plaisthos, ralf_lici,

I'd like you to reexamine a change. Please visit

http://gerrit.openvpn.net/c/openvpn/+/1169?usp=email

to look at the new patch set (#2).

The following approvals got outdated and were removed:
Code-Review+2 by ralf_lici


Change subject: dco: backport OS-independent part of peer float support
..

dco: backport OS-independent part of peer float support

This is a backport of commit cb8a0f6f5741d102b667d98370ab4d553503d0b5,
which introduces float support for DCO linux, Windows, and the
OS-independent parts.

DCO linux/windows in 2.6 has no float support kernel-side, so this
ignores all OS dependent parts, backporting just enough to add
FreeBSD support in the next patch.

One notable difference in the backport is that 2.6 has no multi-socket
support, so all the "link_sockets[0]" occurrences need to be changed back
to "link_socket".

See https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=289303 for all
the epic details...

Change-Id: Ib748e726eb84dcbe8a48b297d165dec80c0e578d
Signed-off-by: Ralf Lici 
Signed-off-by: Gert Doering 
Acked-by: Ralf Lici 
(cherry picked from commit cb8a0f6f5741d102b667d98370ab4d553503d0b5)
Message-Id: <20250908081124.17933-1-g...@greenie.muc.de>
URL: https://sourceforge.net/p/openvpn/mailman/message/59230454/
Signed-off-by: Gert Doering 
---
M src/openvpn/forward.c
M src/openvpn/forward.h
M src/openvpn/multi.c
3 files changed, 73 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/69/1169/2

diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c
index 0f2ec07..ab5ebda 100644
--- a/src/openvpn/forward.c
+++ b/src/openvpn/forward.c
@@ -1234,6 +1234,41 @@
 perf_pop();
 }

+void
+extract_dco_float_peer_addr(const sa_family_t socket_family,
+struct openvpn_sockaddr *out_osaddr,
+const struct sockaddr *float_sa)
+{
+if (float_sa->sa_family == AF_INET)
+{
+struct sockaddr_in *float4 = (struct sockaddr_in *)float_sa;
+/* DCO treats IPv4-mapped IPv6 addresses as pure IPv4. However, on a
+ * dual-stack socket, we need to preserve the mapping otherwise openvpn
+ * will not be able to find the peer by its transport address.
+ */
+if (socket_family == AF_INET6)
+{
+out_osaddr->addr.in6.sin6_family = AF_INET6;
+out_osaddr->addr.in6.sin6_port = float4->sin_port;
+
+memset(&out_osaddr->addr.in6.sin6_addr.s6_addr, 0, 10);
+out_osaddr->addr.in6.sin6_addr.s6_addr[10] = 0xff;
+out_osaddr->addr.in6.sin6_addr.s6_addr[11] = 0xff;
+memcpy(&out_osaddr->addr.in6.sin6_addr.s6_addr[12],
+   &float4->sin_addr.s_addr, sizeof(in_addr_t));
+}
+else
+{
+memcpy(&out_osaddr->addr.in4, float4, sizeof(struct sockaddr_in));
+}
+}
+else
+{
+struct sockaddr_in6 *float6 = (struct sockaddr_in6 *)float_sa;
+memcpy(&out_osaddr->addr.in6, float6, sizeof(struct sockaddr_in6));
+}
+}
+
 static void
 process_incoming_dco(struct context *c)
 {
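Review bot: the final `else` in extract_dco_float_peer_addr() treats every non-AF_INET float_sa as AF_INET6 and memcpys sizeof(struct sockaddr_in6) from it; float_sa comes from a kernel notification, so an unexpected family would copy 28 bytes out of a shorter structure and hand the caller a garbage peer address. Suggest `else if (float_sa->sa_family == AF_INET6)` with a warning (or a bool return) for anything else. Also, in the IPv4-mapped branch sin6_flowinfo and sin6_scope_id are never written and out_osaddr is not cleared first, so stale bytes from a previous use survive into an address that is later compared; a memset(out_osaddr, 0, sizeof(*out_osaddr)) at the top avoids that.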
diff --git a/src/openvpn/forward.h b/src/openvpn/forward.h
index 245a802..3d0abd5 100644
--- a/src/openvpn/forward.h
+++ b/src/openvpn/forward.h
@@ -189,6 +189,21 @@
 void process_incoming_link_part2(struct context *c, struct link_socket_info 
*lsi, const uint8_t *orig_buf);

 /**
+ * Transfers \c float_sa data extracted from an incoming DCO
+ * PEER_FLOAT_NTF to \c out_osaddr for later processing.
+ *
+ * @param socket_family - The address family of the socket
+ * @param out_osaddr - openvpn_sockaddr struct that will be filled the new
+ *  address data
+ * @param float_sa - The sockaddr struct containing the data received from the
+ *  DCO notification
+ */
+void
+extract_dco_float_peer_addr(sa_family_t socket_family,
+struct openvpn_sockaddr *out_osaddr,
+const struct sockaddr *float_sa);
+
+/**
  * Write a packet to the external network interface.
  * @ingroup external_multiplexer
  *
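Review bot: doc comment nits: "will be filled the new address data" should read "will be filled with the new address data", and the comment names PEER_FLOAT_NTF, the Linux netlink notification, while the only producer on release/2.6 after this series is FreeBSD's OVPN_NOTIF_FLOAT (change #1170); "an incoming DCO float notification" stays accurate on both branches.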
diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
index 199f655..eb5f932 100644
--- a/src/openvpn/multi.c
+++ b/src/openvpn/multi.c
@@ -3169,6 +3169,18 @@
 goto done;
 }

+/* It doesn't make sense to let a peer float to the address it already
+ * has, so we disallow it. This can happen if a DCO netlink 
notification
+ * gets lost and we miss a floating step.
+ */
+if (m1->peer_id == m2->peer_id)
+{
+msg(M_WARN, "disallowing peer %" PRIu32 " (%s) from floating to "
+"its own address (%s)",
+m1->peer_id, tls_common_name(mi->context.c2.tls_multi, false),
+mroute_addr_print(&mi->real, &gc));
+goto done;
+}
 msg(D_MULTI_MEDIUM, "closing instance %s", 

[Openvpn-devel] [M] Change in openvpn[release/2.6]: dco: backport OS-independent part of peer float support

2025-09-08 Thread cron2 (Code Review)
cron2 has submitted this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/1169?usp=email )

Change subject: dco: backport OS-independent part of peer float support
..

dco: backport OS-independent part of peer float support

This is a backport of commit cb8a0f6f5741d102b667d98370ab4d553503d0b5,
which introduces float support for DCO linux, Windows, and the
OS-independent parts.

DCO linux/windows in 2.6 has no float support kernel-side, so this
ignores all OS dependent parts, backporting just enough to add
FreeBSD support in the next patch.

One notable difference in the backport is that 2.6 has no multi-socket
support, so all the "link_sockets[0]" occurrences need to be changed back
to "link_socket".

See https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=289303 for all
the epic details...

Change-Id: Ib748e726eb84dcbe8a48b297d165dec80c0e578d
Signed-off-by: Ralf Lici 
Signed-off-by: Gert Doering 
Acked-by: Ralf Lici 
(cherry picked from commit cb8a0f6f5741d102b667d98370ab4d553503d0b5)
Message-Id: <20250908081124.17933-1-g...@greenie.muc.de>
URL: https://sourceforge.net/p/openvpn/mailman/message/59230454/
Signed-off-by: Gert Doering 
---
M src/openvpn/forward.c
M src/openvpn/forward.h
M src/openvpn/multi.c
3 files changed, 73 insertions(+), 0 deletions(-)




diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c
index 0f2ec07..ab5ebda 100644
--- a/src/openvpn/forward.c
+++ b/src/openvpn/forward.c
@@ -1234,6 +1234,41 @@
 perf_pop();
 }

+void
+extract_dco_float_peer_addr(const sa_family_t socket_family,
+struct openvpn_sockaddr *out_osaddr,
+const struct sockaddr *float_sa)
+{
+if (float_sa->sa_family == AF_INET)
+{
+struct sockaddr_in *float4 = (struct sockaddr_in *)float_sa;
+/* DCO treats IPv4-mapped IPv6 addresses as pure IPv4. However, on a
+ * dual-stack socket, we need to preserve the mapping otherwise openvpn
+ * will not be able to find the peer by its transport address.
+ */
+if (socket_family == AF_INET6)
+{
+out_osaddr->addr.in6.sin6_family = AF_INET6;
+out_osaddr->addr.in6.sin6_port = float4->sin_port;
+
+memset(&out_osaddr->addr.in6.sin6_addr.s6_addr, 0, 10);
+out_osaddr->addr.in6.sin6_addr.s6_addr[10] = 0xff;
+out_osaddr->addr.in6.sin6_addr.s6_addr[11] = 0xff;
+memcpy(&out_osaddr->addr.in6.sin6_addr.s6_addr[12],
+   &float4->sin_addr.s_addr, sizeof(in_addr_t));
+}
+else
+{
+memcpy(&out_osaddr->addr.in4, float4, sizeof(struct sockaddr_in));
+}
+}
+else
+{
+struct sockaddr_in6 *float6 = (struct sockaddr_in6 *)float_sa;
+memcpy(&out_osaddr->addr.in6, float6, sizeof(struct sockaddr_in6));
+}
+}
+
 static void
 process_incoming_dco(struct context *c)
 {
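Review bot: in the `float_sa->sa_family == AF_INET` / `socket_family == AF_INET6` branch only `sin6_family`, `sin6_port` and `sin6_addr` are written; `sin6_flowinfo`, `sin6_scope_id` (and `sin6_len` on the BSDs) keep whatever `out_osaddr` held before the call, so unless every caller zeroes the struct first, the synthesised IPv4-mapped address may not compare equal to the address openvpn already stores for the peer. A `memset(&out_osaddr->addr.in6, 0, sizeof(out_osaddr->addr.in6));` at the top of that branch makes the function self-contained. Two smaller points: `float_sa` is `const struct sockaddr *`, so `float4` and `float6` should be `const struct sockaddr_in *` and `const struct sockaddr_in6 *` rather than casting the const away; and the final `else` assumes `float_sa->sa_family == AF_INET6` without checking it, so a notification carrying any other family would be copied as if it were a `sockaddr_in6`.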
diff --git a/src/openvpn/forward.h b/src/openvpn/forward.h
index 245a802..3d0abd5 100644
--- a/src/openvpn/forward.h
+++ b/src/openvpn/forward.h
@@ -189,6 +189,21 @@
 void process_incoming_link_part2(struct context *c, struct link_socket_info 
*lsi, const uint8_t *orig_buf);

 /**
+ * Transfers \c float_sa data extracted from an incoming DCO
+ * PEER_FLOAT_NTF to \c out_osaddr for later processing.
+ *
+ * @param socket_family - The address family of the socket
+ * @param out_osaddr - openvpn_sockaddr struct that will be filled the new
+ *  address data
+ * @param float_sa - The sockaddr struct containing the data received from the
+ *  DCO notification
+ */
+void
+extract_dco_float_peer_addr(sa_family_t socket_family,
+struct openvpn_sockaddr *out_osaddr,
+const struct sockaddr *float_sa);
+
+/**
  * Write a packet to the external network interface.
  * @ingroup external_multiplexer
  *
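Review bot: the `@param out_osaddr` line in the new doc comment reads "that will be filled the new address data" and is missing "with". Also, the prototype here declares `sa_family_t socket_family` while the definition in forward.c has `const sa_family_t socket_family`; the `const` on a by-value parameter changes nothing for callers, but keeping declaration and definition identical avoids a spurious mismatch the next time someone greps for the prototype.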
diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
index 199f655..eb5f932 100644
--- a/src/openvpn/multi.c
+++ b/src/openvpn/multi.c
@@ -3169,6 +3169,18 @@
 goto done;
 }

+/* It doesn't make sense to let a peer float to the address it already
+ * has, so we disallow it. This can happen if a DCO netlink 
notification
+ * gets lost and we miss a floating step.
+ */
+if (m1->peer_id == m2->peer_id)
+{
+msg(M_WARN, "disallowing peer %" PRIu32 " (%s) from floating to "
+"its own address (%s)",
+m1->peer_id, tls_common_name(mi->context.c2.tls_multi, false),
+mroute_addr_print(&mi->real, &gc));
+goto done;
+}
 msg(D_MULTI_MEDIUM, "closing instance %s", 
multi_instance_string(ex_mi, false, &gc));
 multi_close_instance(m, ex_mi, false);
 }
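Review bot: the comment above the new `m1->peer_id == m2->peer_id` check blames a lost DCO netlink notification, but in release/2.6 the only backend that emits float notifications is FreeBSD (see the cover mail for this backport), where there is no netlink; "if a DCO notification gets lost" keeps the comment accurate on every backend. The check itself sits in the right place, before `multi_close_instance(m, ex_mi, false)`: when the two peer ids match, `ex_mi` is the instance that is floating, and closing it there is the self-float crash the cover mail describes. Consider whether M_WARN is the right level for a condition that is expected after a dropped notification, or whether D_MULTI_LOW would keep production logs quieter.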
@@ -3301,6 +3313,17 @@
 {
 process_incoming_del_peer(m, mi, dco);
 }
+#if 0
+else if (dco->dco_message_type == OVPN_
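Review bot: the `#if 0` that opens this hunk carries no comment saying why the code is compiled out. The commit message explains that no DCO backend supported by 2.6 delivers float notifications yet and that the FreeBSD patch that follows will enable this path, so a one-line comment above the `#if 0` saying exactly that would stop the next reader from treating it as dead code to delete.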

[Openvpn-devel] [M] Change in openvpn[master]: Switch test_ssl certificate from RSA 2048 to secp384r1

2025-09-08 Thread plaisthos (Code Review)
Attention is currently required from: flichtenheld.

Hello flichtenheld, 

I'd like you to reexamine a change. Please visit

http://gerrit.openvpn.net/c/openvpn/+/1172?usp=email

to look at the new patch set (#2).


Change subject: Switch test_ssl certificate from RSA 2048 to secp384r1
..

Switch test_ssl certificate from RSA 2048 to secp384r1

This allows the unit test to also run in environments that have seclevel
(SSL_CTX_set_security_level) set to 3.

Closes: openvpn/openvpn#830
Change-Id: I327ecc9a85dd906517c28e71fe500883bfa028a4
---
M tests/unit_tests/openvpn/test_ssl.c
1 file changed, 22 insertions(+), 45 deletions(-)


  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/72/1172/2

diff --git a/tests/unit_tests/openvpn/test_ssl.c 
b/tests/unit_tests/openvpn/test_ssl.c
index 7bf5396..bb02fcc 100644
--- a/tests/unit_tests/openvpn/test_ssl.c
+++ b/tests/unit_tests/openvpn/test_ssl.c
@@ -83,59 +83,36 @@
 return;
 }

+/* generated using
+ * openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:secp384r1 -keyout - 
\
+ * -noenc -sha256 -days 3650 -subj '/CN=ovpn-test-secp384r1'  -nodes \
+ * -addext 'subjectAltName=DNS:unittest.example.com' \
+ * -addext 'extendedKeyUsage=clientAuth'
+ */
 static const char *const unittest_cert =
 "-BEGIN CERTIFICATE-\n"
-"MIIDYzCCAkugAwIBAgIRALrXTx4lqa8QgF7uGjISxmcwDQYJKoZIhvcNAQELBQAw\n"
-"GDEWMBQGA1UEAwwNT1ZQTiBURVNUIENBMTAgFw0yMzAzMTMxNjA5MThaGA8yMTIz\n"
-"MDIxNzE2MDkxOFowGTEXMBUGA1UEAwwOb3Zwbi10ZXN0LXJzYTEwggEiMA0GCSqG\n"
-"SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC7xFoR6fmoyfsJIQDKKgbYgFw0MzVuDAmp\n"
-"Rx6KTEihgTchkQx9fHddWbKiOUbcEnQi3LNux7P4QVl/4dRR3skisBug6Vd5LXeB\n"
-"GZqmpu5XZiF4DgLz1lX21G0aOogFWkie2qGEcso40159x9FBDl5A3sLP18ubeex0\n"
-"pd/BzDFv6SLOTyVWO/GCNc8IX/i0uN4mLvoVU00SeqwTPnS+CRXrSq4JjGDJLsXl\n"
-"0/PlxkjsgU0yOOA0Z2d8Fzk3wClwP6Hc49BOMWKstUIhLbG2DcIv8l29EuEj2w3j\n"
-"u/7gkewol96XQ2twpPvpoVAaiVh/m7hQUcQORQCD6eJcDjOZVCArAgMBAAGjgaQw\n"
-"gaEwCQYDVR0TBAIwADAdBgNVHQ4EFgQUqYnRaBHrZmKLtMZES5AuwqzJkGYwUwYD\n"
-"VR0jBEwwSoAU3MLDNDOK13DqflQ8ra7FeGBXK06hHKQaMBgxFjAUBgNVBAMMDU9W\n"
-"UE4gVEVTVCBDQTGCFD55ErHXpK2JXS3WkfBm0NB1r3vKMBMGA1UdJQQMMAoGCCsG\n"
-"AQUFBwMCMAsGA1UdDwQEAwIHgDANBgkqhkiG9w0BAQsFAAOCAQEAZVcXrezA9Aby\n"
-"sfUNHAsMxrex/EO0PrIPSrmSmc9sCiD8cCIeB6kL8c5iPPigoWW0uLA9zteDRFes\n"
-"ez+Z8wBY6g8VQ0tFPURDooUg5011GZPDcuw7/PsI4+I2J9q6LHEp+6Oo4faSn/kl\n"
-"yWYCLjM4FZdGXbOijDacQJiN6HcRv0UdodBrEVRf7YHJJmMCbCI7ZUGW2zef/+rO\n"
-"e4Lkxh0MLYqCkNKH5ZfoGTC4Oeb0xKykswAanqgR60r+upaLU8PFuI2L9M3vc6KU\n"
-"F6MgVGSxl6eylJgDYckvJiAbmcp2PD/LRQQOxQA0yqeAMg2cbdvclETuYD6zoFfu\n"
-"Y8aO7dvDlw==\n"
+"MIICBjCCAYygAwIBAgIUFoXgpP4beykV7tpgrjHQTWPGi4cwCgYIKoZIzj0EAwIw\n"
+"HjEcMBoGA1UEAwwTb3Zwbi10ZXN0LXNlY3AzODRyMTAeFw0yNTA5MDgxMzExNTBa\n"
+"Fw0zNTA5MDYxMzExNTBaMB4xHDAaBgNVBAMME292cG4tdGVzdC1zZWNwMzg0cjEw\n"
+"djAQBgcqhkjOPQIBBgUrgQQAIgNiAAQVDmf+TZB3rW6zqWFox606u/PhA93ysX/h\n"
+"1s2xyq9+QGzIdE/hks6p/Yzyu7RLOUjxvO0J45RHcYmo67DlvSOi496T3zrgvp1H\n"
+"KfHD5ohMyvzw0+e8lmjJqJjn+PegMkOjgYowgYcwHQYDVR0OBBYEFCH1eYnaV8fh\n"
+"E3Bv7lyrlYu24eoVMB8GA1UdIwQYMBaAFCH1eYnaV8fhE3Bv7lyrlYu24eoVMA8G\n"
+"A1UdEwEB/wQFMAMBAf8wHwYDVR0RBBgwFoIUdW5pdHRlc3QuZXhhbXBsZS5jb20w\n"
+"EwYDVR0lBAwwCgYIKwYBBQUHAwIwCgYIKoZIzj0EAwIDaAAwZQIxAL7q7jcwTOuq\n"
+"5sp0Beq81Vnznd3gsDZYNs1OYRWH33xergDVKlBb6kCwus0dhghtVAIwIgT4ytkY\n"
+"oAPx8LB3oP8ubEu1ue6V9jZln/cCiLyXDDtaiJOZHtDqHGfHqvc6rAok\n"
 "-END CERTIFICATE-\n";

 static const char *const unittest_key =
 "-BEGIN PRIVATE KEY-\n"
-"MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQC7xFoR6fmoyfsJ\n"
-"IQDKKgbYgFw0MzVuDAmpRx6KTEihgTchkQx9fHddWbKiOUbcEnQi3LNux7P4QVl/\n"
-"4dRR3skisBug6Vd5LXeBGZqmpu5XZiF4DgLz1lX21G0aOogFWkie2qGEcso40159\n"
-"x9FBDl5A3sLP18ubeex0pd/BzDFv6SLOTyVWO/GCNc8IX/i0uN4mLvoVU00SeqwT\n"
-"PnS+CRXrSq4JjGDJLsXl0/PlxkjsgU0yOOA0Z2d8Fzk3wClwP6Hc49BOMWKstUIh\n"
-"LbG2DcIv8l29EuEj2w3ju/7gkewol96XQ2twpPvpoVAaiVh/m7hQUcQORQCD6eJc\n"
-"DjOZVCArAgMBAAECggEACqkuWAAJ3cyCBVWrXs8eDmLTWV9i9DmYvtS75ixIn2rf\n"
-"v3cl12YevN0f6FgKLuqZT3Vqdqq+DCVhuIIQ9QkKMH8BQpSdE9NCCsFyZ23o8Gtr\n"
-"EQ7ymfecb+RFwYx7NpqWrvZI32VJGArgPZH/zorLTTGYrAZbmBtHEqRsXOuEDw97\n"
-"slwwcWaa9ztaYC8/N/7fgsnydaCFSaOByRlWuyvSmHvn6ZwLv8ANOshY6fstC0Jb\n"
-"BW0GpSe9eZPjpl71VT2RtpghqLV5+iAoFDHoT+eZvBospcUGtfcZSU7RrBjKB8+a\n"
-"U1d6hwKhduVs2peIQzl+FiOSdWriLcsZv79q4sBhsQKBgQDUDVTf5BGJ8apOs/17\n"
-"YVk+Ad8Ey8sXvsfk49psmlCRa8Z4g0LVXfrP94qzhtl8U5kE9hs3nEF4j/kX1ZWG\n"
-"k11tdsNTZN5x5bbAgEgPA6Ap6J/uto0HS8G0vSv0lyBymdKA3p/i5Dx+8Nc9cGns\n"
-"LGI9MvviLX7pQFIkvbaCkdKwYwKBgQDirowjWZnm7BgVhF0G1m3DY9nQTYYU185W\n"
-"UESaO5/nVzwUrA+FypJamD+AvmlSuY8rJeQAGAS6nQr9G8/617r+GwJnzRtxC6Vl\n"
-"4OF5BJRsD70oX4CFOOlycMoJ8tzcYVH7NI8KVocjxb+QW82hqSvEwSsvnwwn3eOW\n"
-"nr5u5vIHmQKBgCuc3lL6Dl1ntdZgEIdau0cUjXDoFUo589TwxBDIID/4gaZxoMJP\n"
-"hPFXAVDxMD
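Review bot: the new certificate is generated with `-days 3650`, so its notAfter is 2035-09-06 (the `Fw0zNTA5MDYxMzExNTBa` in the encoded certificate), whereas the RSA certificate it replaces was valid until 2123 (the `GA8yMTIz...` GeneralizedTime); in ten years the unit test will start failing with a validity error that has nothing to do with the code under test. Suggest regenerating with a much larger `-days` value (the old lifetime was about a century) and keeping the exact command in the comment. Minor: the command in the comment passes both `-noenc` and `-nodes`; in OpenSSL 3 `-nodes` is a deprecated alias of `-noenc`, so one of the two can go.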

[Openvpn-devel] [PATCH applied] Re: dco: backport OS-independent part of peer float support

2025-09-08 Thread Gert Doering
For the sake of the archives... this is a slightly complicated patch - Ralf
did the "master" patch, which added "backend independent" code + Linux +
Windows.  It wasn't backported to 2.6, because there was no need, as 
"the DCO implementations on Linux and Windows that 2.6 supports" do not
support float notifications, and it will not be added.

Later, FreeBSD DCO learned to send float notifications, and since there
is no difference in kernel API, this can happen to a 2.6.14 server running
on a very recent FreeBSD 14-STABLE system - leading to unexpected issues
(see https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=289303).

So I backported the "backend independent" parts of Ralf's patch, with
an "#if 0" (no backend uses this) - so this patch really does not much
yet (it adds the "do not let an instance float to itself" crashbug fix),
but does so with the same code as in master.  Ralf verified that I got
all the bits right.

Your patch has been applied to the release/2.6 branch.

commit b0b123b3a7d6b64e236bc0b9836cb73d76c130e2 (release/2.6)
Author: Ralf Lici
Date:   Mon Sep 8 10:11:18 2025 +0200

 dco: backport OS-independent part of peer float support

 Signed-off-by: Ralf Lici 
 Signed-off-by: Gert Doering 
 Acked-by: Ralf Lici 
 Message-Id: <20250908081124.17933-1-g...@greenie.muc.de>
 URL: https://sourceforge.net/p/openvpn/mailman/message/59230454/
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering





[Openvpn-devel] [PATCH v2] Switch test_ssl certificate from RSA 2048 to secp384r1

2025-09-08 Thread Gert Doering
From: Arne Schwabe 

This allows the unit test to also run in environments that have seclevel
(SSL_CTX_set_security_level) set to 3.

Closes: openvpn/openvpn#830
Change-Id: I327ecc9a85dd906517c28e71fe500883bfa028a4
Signed-off-by: Arne Schwabe 
Acked-by: Gert Doering 
---

This change was reviewed on Gerrit and approved by at least one
developer. I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1172
This mail reflects revision 2 of this Change.

Signed-off-by line for the author was added as per our policy.

Acked-by according to Gerrit (reflected above):
Gert Doering 


diff --git a/tests/unit_tests/openvpn/test_ssl.c 
b/tests/unit_tests/openvpn/test_ssl.c
index 7bf5396..bb02fcc 100644
--- a/tests/unit_tests/openvpn/test_ssl.c
+++ b/tests/unit_tests/openvpn/test_ssl.c
@@ -83,59 +83,36 @@
 return;
 }
 
+/* generated using
+ * openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:secp384r1 -keyout - 
\
+ * -noenc -sha256 -days 3650 -subj '/CN=ovpn-test-secp384r1'  -nodes \
+ * -addext 'subjectAltName=DNS:unittest.example.com' \
+ * -addext 'extendedKeyUsage=clientAuth'
+ */
 static const char *const unittest_cert =
 "-BEGIN CERTIFICATE-\n"
-"MIIDYzCCAkugAwIBAgIRALrXTx4lqa8QgF7uGjISxmcwDQYJKoZIhvcNAQELBQAw\n"
-"GDEWMBQGA1UEAwwNT1ZQTiBURVNUIENBMTAgFw0yMzAzMTMxNjA5MThaGA8yMTIz\n"
-"MDIxNzE2MDkxOFowGTEXMBUGA1UEAwwOb3Zwbi10ZXN0LXJzYTEwggEiMA0GCSqG\n"
-"SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC7xFoR6fmoyfsJIQDKKgbYgFw0MzVuDAmp\n"
-"Rx6KTEihgTchkQx9fHddWbKiOUbcEnQi3LNux7P4QVl/4dRR3skisBug6Vd5LXeB\n"
-"GZqmpu5XZiF4DgLz1lX21G0aOogFWkie2qGEcso40159x9FBDl5A3sLP18ubeex0\n"
-"pd/BzDFv6SLOTyVWO/GCNc8IX/i0uN4mLvoVU00SeqwTPnS+CRXrSq4JjGDJLsXl\n"
-"0/PlxkjsgU0yOOA0Z2d8Fzk3wClwP6Hc49BOMWKstUIhLbG2DcIv8l29EuEj2w3j\n"
-"u/7gkewol96XQ2twpPvpoVAaiVh/m7hQUcQORQCD6eJcDjOZVCArAgMBAAGjgaQw\n"
-"gaEwCQYDVR0TBAIwADAdBgNVHQ4EFgQUqYnRaBHrZmKLtMZES5AuwqzJkGYwUwYD\n"
-"VR0jBEwwSoAU3MLDNDOK13DqflQ8ra7FeGBXK06hHKQaMBgxFjAUBgNVBAMMDU9W\n"
-"UE4gVEVTVCBDQTGCFD55ErHXpK2JXS3WkfBm0NB1r3vKMBMGA1UdJQQMMAoGCCsG\n"
-"AQUFBwMCMAsGA1UdDwQEAwIHgDANBgkqhkiG9w0BAQsFAAOCAQEAZVcXrezA9Aby\n"
-"sfUNHAsMxrex/EO0PrIPSrmSmc9sCiD8cCIeB6kL8c5iPPigoWW0uLA9zteDRFes\n"
-"ez+Z8wBY6g8VQ0tFPURDooUg5011GZPDcuw7/PsI4+I2J9q6LHEp+6Oo4faSn/kl\n"
-"yWYCLjM4FZdGXbOijDacQJiN6HcRv0UdodBrEVRf7YHJJmMCbCI7ZUGW2zef/+rO\n"
-"e4Lkxh0MLYqCkNKH5ZfoGTC4Oeb0xKykswAanqgR60r+upaLU8PFuI2L9M3vc6KU\n"
-"F6MgVGSxl6eylJgDYckvJiAbmcp2PD/LRQQOxQA0yqeAMg2cbdvclETuYD6zoFfu\n"
-"Y8aO7dvDlw==\n"
+"MIICBjCCAYygAwIBAgIUFoXgpP4beykV7tpgrjHQTWPGi4cwCgYIKoZIzj0EAwIw\n"
+"HjEcMBoGA1UEAwwTb3Zwbi10ZXN0LXNlY3AzODRyMTAeFw0yNTA5MDgxMzExNTBa\n"
+"Fw0zNTA5MDYxMzExNTBaMB4xHDAaBgNVBAMME292cG4tdGVzdC1zZWNwMzg0cjEw\n"
+"djAQBgcqhkjOPQIBBgUrgQQAIgNiAAQVDmf+TZB3rW6zqWFox606u/PhA93ysX/h\n"
+"1s2xyq9+QGzIdE/hks6p/Yzyu7RLOUjxvO0J45RHcYmo67DlvSOi496T3zrgvp1H\n"
+"KfHD5ohMyvzw0+e8lmjJqJjn+PegMkOjgYowgYcwHQYDVR0OBBYEFCH1eYnaV8fh\n"
+"E3Bv7lyrlYu24eoVMB8GA1UdIwQYMBaAFCH1eYnaV8fhE3Bv7lyrlYu24eoVMA8G\n"
+"A1UdEwEB/wQFMAMBAf8wHwYDVR0RBBgwFoIUdW5pdHRlc3QuZXhhbXBsZS5jb20w\n"
+"EwYDVR0lBAwwCgYIKwYBBQUHAwIwCgYIKoZIzj0EAwIDaAAwZQIxAL7q7jcwTOuq\n"
+"5sp0Beq81Vnznd3gsDZYNs1OYRWH33xergDVKlBb6kCwus0dhghtVAIwIgT4ytkY\n"
+"oAPx8LB3oP8ubEu1ue6V9jZln/cCiLyXDDtaiJOZHtDqHGfHqvc6rAok\n"
 "-END CERTIFICATE-\n";
 
 static const char *const unittest_key =
 "-BEGIN PRIVATE KEY-\n"
-"MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQC7xFoR6fmoyfsJ\n"
-"IQDKKgbYgFw0MzVuDAmpRx6KTEihgTchkQx9fHddWbKiOUbcEnQi3LNux7P4QVl/\n"
-"4dRR3skisBug6Vd5LXeBGZqmpu5XZiF4DgLz1lX21G0aOogFWkie2qGEcso40159\n"
-"x9FBDl5A3sLP18ubeex0pd/BzDFv6SLOTyVWO/GCNc8IX/i0uN4mLvoVU00SeqwT\n"
-"PnS+CRXrSq4JjGDJLsXl0/PlxkjsgU0yOOA0Z2d8Fzk3wClwP6Hc49BOMWKstUIh\n"
-"LbG2DcIv8l29EuEj2w3ju/7gkewol96XQ2twpPvpoVAaiVh/m7hQUcQORQCD6eJc\n"
-"DjOZVCArAgMBAAECggEACqkuWAAJ3cyCBVWrXs8eDmLTWV9i9DmYvtS75ixIn2rf\n"
-"v3cl12YevN0f6FgKLuqZT3Vqdqq+DCVhuIIQ9QkKMH8BQpSdE9NCCsFyZ23o8Gtr\n"
-"EQ7ymfecb+RFwYx7NpqWrvZI32VJGArgPZH/zorLTTGYrAZbmBtHEqRsXOuEDw97\n"
-"slwwcWaa9ztaYC8/N/7fgsnydaCFSaOByRlWuyvSmHvn6ZwLv8ANOshY6fstC0Jb\n"
-"BW0GpSe9eZPjpl71VT2RtpghqLV5+iAoFDHoT+eZvBospcUGtfcZSU7RrBjKB8+a\n"
-"U1d6hwKhduVs2peIQzl+FiOSdWriLcsZv79q4sBhsQKBgQDUDVTf5BGJ8apOs/17\n"
-"YVk+Ad8Ey8sXvsfk49psmlCRa8Z4g0LVXfrP94qzhtl8U5kE9hs3nEF4j/kX1ZWG\n"
-"k11tdsNTZN5x5bbAgEgPA6Ap6J/uto0HS8G0vSv0lyBymdKA3p/i5Dx+8Nc9cGns\n"
-"LGI9MvviLX7pQFIkvbaCkdKwYwKBgQDirowjWZnm7BgVhF0G1m3DY9nQTYYU185W\n"
-"UESaO5/nVzwUrA+FypJamD+AvmlSuY8rJeQAGAS6nQr9G8/617r+GwJnzRtxC6Vl\n"
-"4OF5BJRsD70oX4CFOOlycMoJ8tzcYVH7NI8KVocjxb+QW82hqSvEwSsvnwwn3eOW\n"
-"nr5u5vIHmQKBgCuc3lL6Dl1ntdZgEIdau0cUjXDoFUo589TwxBDIID/4gaZxoMJP\n"
-"hPFXAVDxMDPw4azyjSB/47tPKTUsuYcnMfT8kynIujOEwnSPLcLgxQU5kgM/ynuw\n"
-"qhNpQOwaVRMc7f2RTCMXPBYDpNE/GJn5eu8JWGLpZovEreBeoHX0VffvAoGAVrWn\n"
-"+3mxykhzaf+oyg3KDNys
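Review bot: secp384r1 gives 192 bits of security, which satisfies OpenSSL security levels 3 and 4 (128 and 192 bits) but not level 5 (256 bits), so the "ee key too small" failure mandree reports at SECLEVEL=5 in the Gerrit review is the expected result with this key; if the test is meant to survive every level OpenSSL defines, the certificate would need a 256-bit-security key such as secp521r1. The commit message only claims level 3, so this is a documentation point: a sentence in the commit message or in the generation comment saying the test is expected to pass up to SECLEVEL=4 would make the remaining limitation explicit.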

[Openvpn-devel] [M] Change in openvpn[master]: Switch test_ssl certificate from RSA 2048 to secp384r1

2025-09-08 Thread mandree (Code Review)
Attention is currently required from: flichtenheld, plaisthos.

mandree has posted comments on this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/1172?usp=email )

Change subject: Switch test_ssl certificate from RSA 2048 to secp384r1
..


Patch Set 2: Code-Review+1

(1 comment)

Patchset:

PS2:
On my FreeBSD 14.3-RELEASE-p2 amd64, with OpenSSL 3.5 installed from ports,
the self-test suite, in particular ssl_testdriver, now passes with openssl.cnf
raising the ciphersuite to SECLEVEL=3 or SECLEVEL=4, but SECLEVEL=5 still bombs out
with "ee key too small". So: ACK because it's an improvement.

Not sure if the purpose of the test is "test that our own TLS stuff works",
or by contrast "test that the system's default OpenSSL setting works".
In the former case, it might be suitable to ship an openssl.cnf for the test
that gets us a defined environment, or maybe run the test twice, once with system
default settings and once with an override, to see if _today's_ zealous SECLEVEL
is it.

Of course the operating system or OpenSSL distro might kill our favorite cipher
altogether, in which case we're dead unless we override - but then the isolated
test case bears no relevance for practical applicability of its results.



--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1172?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I327ecc9a85dd906517c28e71fe500883bfa028a4
Gerrit-Change-Number: 1172
Gerrit-PatchSet: 2
Gerrit-Owner: plaisthos 
Gerrit-Reviewer: flichtenheld 
Gerrit-Reviewer: mandree 
Gerrit-CC: openvpn-devel 
Gerrit-Attention: plaisthos 
Gerrit-Attention: flichtenheld 
Gerrit-Comment-Date: Mon, 08 Sep 2025 18:15:43 +
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment
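The openssl.cnf override that the review above floats, as an added example that is not part of the thread or of OpenVPN's test suite: a small POSIX sh helper that writes a minimal config pinning `DEFAULT@SECLEVEL=N` and runs a command under it via `OPENSSL_CONF`, so a test binary can be exercised at a defined security level regardless of what the host's /etc/ssl/openssl.cnf says. The function names, the temp-file handling and the loop in the usage comment are assumptions of this example; the `openssl_conf` / `ssl_conf` / `system_default` section layout is the standard OpenSSL mechanism for setting a default cipher string and security level (OpenSSL 1.1.1 and later).

```shell
#!/bin/sh
# Run a command under a temporary openssl.cnf that pins the OpenSSL security
# level, so a test can be exercised at a defined SECLEVEL independent of the
# host's system-wide openssl.cnf.
# Assumption: OpenSSL >= 1.1.1, which honours the ssl_conf/system_default
# sections below and the OPENSSL_CONF environment variable.

# write_seclevel_cnf LEVEL PATH
# Write a minimal config whose system-wide default cipher string is
# DEFAULT@SECLEVEL=LEVEL; every SSL_CTX created under it inherits that level.
write_seclevel_cnf() {
    level="$1"
    path="$2"
    cat > "$path" <<EOF
openssl_conf = openssl_init

[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
CipherString = DEFAULT@SECLEVEL=${level}
EOF
}

# run_at_seclevel LEVEL CMD [ARGS...]
# Run CMD with OPENSSL_CONF pointing at a throwaway config that pins
# SECLEVEL=LEVEL, clean the file up, and return CMD's exit status.
run_at_seclevel() {
    level="$1"
    shift
    cnf="$(mktemp)" || return 1
    write_seclevel_cnf "$level" "$cnf"
    OPENSSL_CONF="$cnf" "$@"
    rc=$?
    rm -f "$cnf"
    return $rc
}

# Usage sketch (the driver path is the one from OpenVPN's tree; the loop is
# part of this example, not of the project):
#
#   for lvl in 2 3 4 5; do
#       if run_at_seclevel "$lvl" ./tests/unit_tests/openvpn/ssl_testdriver; then
#           echo "SECLEVEL=$lvl: pass"
#       else
#           echo "SECLEVEL=$lvl: FAIL"
#       fi
#   done
```

Running the driver through this at levels 2 to 5 shows directly which level first rejects the test certificate, which is the "run it twice, once with system defaults and once with an override" experiment the comment suggests, without touching the host's real openssl.cnf.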