From patchwork Fri Mar 7 02:39:42 2025
X-Patchwork-Submitter: "d12fk (Code Review)"
X-Patchwork-Id: 4169
From: "d12fk (Code Review)"
Date: Fri, 7 Mar 2025 02:39:42 +0000
To: plaisthos, flichtenheld
Cc: openvpn-devel
Reply-To: heiko@openvpn.net, arne-openvpn@rfc2549.org, openvpn-devel@lists.sourceforge.net, frank@lichtenheld.com
Subject: [Openvpn-devel] [M] Change in openvpn[master]: win: match search domains when creating exclude rules
Message-ID: <2609ea882d125e4e86450ea68da0edcaa7823587-HTML@gerrit.openvpn.net>
Auto-Submitted: auto-generated
User-Agent: Gerrit/3.8.2
X-Gerrit-MessageType: newchange
X-Gerrit-PatchSet: 1
X-Gerrit-Change-Id: I4919af2b845a47787c08f454b108ef376ea5c0f6
X-Gerrit-Change-Number: 905
X-Gerrit-Project: openvpn
X-Gerrit-Commit: 5ea5fce99b9d342ed4c59ab7094b5c8723fee38d

Attention is currently required from: flichtenheld, plaisthos.

Hello plaisthos, flichtenheld,

I'd like you to do a code review. Please visit

    http://gerrit.openvpn.net/c/openvpn/+/905?usp=email

to review the following change.


Change subject: win: match search domains when creating exclude rules
......................................................................
win: match search domains when creating exclude rules Compare local domains for exclude rules to search domains and skip matching ones. This prevents the creation of exclude rules when the server indicates that the domain should be resolved via the VPN, by pushing the search domain. Change-Id: I4919af2b845a47787c08f454b108ef376ea5c0f6 Signed-off-by: Heiko Hund --- M src/openvpnserv/interactive.c 1 file changed, 56 insertions(+), 24 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/05/905/1 diff --git a/src/openvpnserv/interactive.c b/src/openvpnserv/interactive.c index 6097cd0..f725199 100644 --- a/src/openvpnserv/interactive.c +++ b/src/openvpnserv/interactive.c @@ -2163,12 +2163,14 @@ * In case of an error or if no domains are found for the interface * \p size is set to 0 and the contents of \p domains are invalid. * Note that the domains could have been set by DHCP or manually. + * Note that domains are ignored if they match a pushed search domain. * - * @param itf HKEY of the interface to read from - * @param domains PWSTR buffer to return the domain(s) in - * @param size pointer to size of the domains buffer in bytes. Will be - * set to the size of the string returned, including - * the terminating zeros or 0. + * @param itf HKEY of the interface to read from + * @param search_domains optional list of search domains + * @param domains PWSTR buffer to return the domain(s) in + * @param size pointer to size of the domains buffer in bytes. Will be + * set to the size of the string returned, including + * the terminating zeros or 0. * * @return LSTATUS NO_ERROR if the domain suffix(es) were read successfully, * ERROR_FILE_NOT_FOUND if no domain was found for the interface, 
@@ -2176,7 +2178,7 @@ * any other error indicates an error while reading from the registry. */ static LSTATUS -GetItfDnsDomains(HKEY itf, PWSTR domains, PDWORD size) +GetItfDnsDomains(HKEY itf, PCWSTR search_domains, PWSTR domains, PDWORD size) { if (domains == NULL || size == 0) { @@ -2209,9 +2211,29 @@ *comma = '\0'; } + /* Ignore itf domains which match pushed search domains */ + size_t domain_len = wcslen(pos); + PCWSTR match = wcsstr(search_domains, pos); + if (match && (match == search_domains || *(match - 1) == ',') + && (*(match + domain_len) == ',' || *(match + domain_len) == '\0')) + { + if (comma) + { + pos = comma + 1; + continue; + } + else + { + /* This was the last domain */ + *pos = '\0'; + *size += 1; + return wcslen(domains) ? NO_ERROR : ERROR_FILE_NOT_FOUND; + } + } + /* Check for enough space to convert this domain */ + domain_len += 1; /* leading dot */ size_t converted_size = pos - domains; - size_t domain_len = wcslen(pos) + 1; size_t domain_size = domain_len * one_glyph; size_t extra_size = 2 * one_glyph; if (converted_size + domain_size + extra_size > buf_size) @@ -2292,11 +2314,12 @@ * needed so that local DNS keeps working even when a catch all NRPT rule is * installed by a VPN connection. * - * @param data pointer to the data structures the values are returned in - * @param data_size number of exclude data structures pointed to + * @param search_domains optional list of search domains + * @param data pointer to the data structures the values are returned in + * @param data_size number of exclude data structures pointed to */ static void -GetNrptExcludeData(nrpt_exclude_data_t *data, size_t data_size) +GetNrptExcludeData(PCWSTR search_domains, nrpt_exclude_data_t *data, size_t data_size) { HKEY v4_itfs = INVALID_HANDLE_VALUE; HKEY v6_itfs = INVALID_HANDLE_VALUE; 
@@ -2342,7 +2365,7 @@ /* Get the DNS domain(s) for exclude routing */ data[i].domains_size = sizeof(data[0].domains); memset(data[i].domains, 0, data[i].domains_size); - err = GetItfDnsDomains(v4_itf, data[i].domains, &data[i].domains_size); + err = GetItfDnsDomains(v4_itf, search_domains, data[i].domains, &data[i].domains_size); if (err) { if (err != ERROR_FILE_NOT_FOUND) @@ -2504,15 +2527,16 @@ * local resolution of names is not interfered with in case the VPN resolves * all names. * - * @param nrpt_key the registry key to set the rules under - * @param ovpn_pid the PID of the openvpn process + * @param nrpt_key the registry key to set the rules under + * @param ovpn_pid the PID of the openvpn process + * @param search_domains optional list of search domains */ static void -SetNrptExcludeRules(HKEY nrpt_key, DWORD ovpn_pid) +SetNrptExcludeRules(HKEY nrpt_key, DWORD ovpn_pid, PCWSTR search_domains) { nrpt_exclude_data_t data[8]; /* data from up to 8 interfaces */ memset(data, 0, sizeof(data)); - GetNrptExcludeData(data, _countof(data)); + GetNrptExcludeData(search_domains, data, _countof(data)); unsigned n = 0; for (int i = 0; i < _countof(data); ++i) 
@@ -2534,17 +2558,18 @@ /** * Set NRPT rules for a openvpn process * - * @param nrpt_key the registry key to set the rules under - * @param addresses name server addresses - * @param domains optional list of split routing domains - * @param dnssec boolean whether DNSSEC is to be used - * @param ovpn_pid the PID of the openvpn process + * @param nrpt_key the registry key to set the rules under + * @param addresses name server addresses + * @param domains optional list of split routing domains + * @param search_domains optional list of search domains + * @param dnssec boolean whether DNSSEC is to be used + * @param ovpn_pid the PID of the openvpn process * * @return NO_ERROR on success, or a Windows error code */ static DWORD -SetNrptRules(HKEY nrpt_key, const nrpt_address_t *addresses, - const char *domains, BOOL dnssec, DWORD ovpn_pid) +SetNrptRules(HKEY nrpt_key, const nrpt_address_t *addresses, const char *domains, + const char *search_domains, BOOL dnssec, DWORD ovpn_pid) { DWORD err = NO_ERROR; PWSTR wide_domains = L".\0"; /* DNS route everything by default */ @@ -2573,7 +2598,14 @@ } else { - SetNrptExcludeRules(nrpt_key, ovpn_pid); + PWSTR wide_search_domains; + wide_search_domains = utf8to16(search_domains); + if (!wide_search_domains) + { + return ERROR_OUTOFMEMORY; + } + SetNrptExcludeRules(nrpt_key, ovpn_pid, wide_search_domains); + free(wide_search_domains); } /* Create address string list */ @@ -2833,7 +2865,7 @@ /* Set NRPT rules */ BOOL dnssec = (msg->flags & nrpt_dnssec) != 0; - err = SetNrptRules(key, msg->addresses, msg->resolve_domains, dnssec, ovpn_pid); + err = SetNrptRules(key, msg->addresses, msg->resolve_domains, msg->search_domains, dnssec, ovpn_pid); if (err) { goto out;
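Review bot: in the GetItfDnsDomains() doc-comment hunk, `@param search_domains optional list of search domains` promises that NULL is acceptable, but the body added to the same function passes it straight to `wcsstr(search_domains, pos)` with no NULL check, which would crash the interactive service; either require a valid (possibly empty) string here or guard the call. The new note line would also be more accurate as "domains are ignored if they exactly match an entry of the pushed search domain list", since that comma-boundary condition is what the code tests, and it is case-sensitive.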
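Review bot: in the `@@ -2209,9 +2211,29 @@` hunk, the match test only examines the first occurrence `wcsstr()` returns, so when that occurrence is not comma-aligned the real entry further down the list is never found: with `search_domains` = `myexample.com,example.com` and `pos` = `example.com`, `match` lands inside `myexample.com`, the `*(match - 1) == ','` test fails, and the exclude rule is created anyway. Iterate over all occurrences (`for (PCWSTR m = wcsstr(search_domains, pos); m; m = wcsstr(m + 1, pos))` with the boundary test inside) or, better, walk `search_domains` entry by entry and compare with `_wcsnicmp()`, which also removes the case-sensitivity of `wcsstr()`: a DHCP-supplied `Corp.Example.COM` currently does not match a pushed `corp.example.com` although DNS names compare case-insensitively. Two questions on the skip paths: after `pos = comma + 1; continue;` the skipped domain's text, now NUL-terminated by `*comma = '\0'`, stays in `domains` ahead of `pos` and is counted by `converted_size = pos - domains`; unless the conversion code below moves the tail down over it, the skipped entry survives in the returned multi-string without its leading dot, so please confirm or compact the buffer when skipping. And in the last-domain branch `*size += 1` adds a single byte although `*size` is documented as a byte count of a wide string and every other size here is a multiple of `one_glyph`; should that be `one_glyph`, and does the `continue` branch need a matching adjustment?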
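Review bot: in the SetNrptExcludeRules() hunk, `search_domains` is appended as the last parameter while GetNrptExcludeData() and GetItfDnsDomains() in this same patch take it first; using one position in all three helpers would make the call chain easier to follow.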
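Review bot: in the `@@ -2573,7 +2598,14 @@` hunk, `utf8to16(search_domains)` is called without checking `search_domains`, although the doc comment added above calls it optional, and if that call yields NULL for a client that simply has no search domains the `!wide_search_domains` branch reports `ERROR_OUTOFMEMORY` and fails the whole NRPT setup; either skip the conversion when the list is NULL or empty and hand an empty string to SetNrptExcludeRules(), or drop "optional" from the @param text. Please also confirm that returning directly here, rather than through the function's usual exit path, does not bypass any cleanup of `wide_domains` or other state set up earlier in SetNrptRules(). Minor: `PWSTR wide_search_domains = utf8to16(search_domains);` folds the declaration and the assignment into one line.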
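Review bot: in the final hunk, the updated `err = SetNrptRules(key, msg->addresses, msg->resolve_domains, msg->search_domains, dnssec, ovpn_pid);` line runs past 100 columns; wrap it the way the SetNrptRules() definition in this patch already does.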
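The commit message above describes comparing an interface's local DNS domains against the pushed search domains and skipping the ones that match. The following standalone C is an added example, not code from this patch or from the OpenVPN tree, showing a delimiter-aware, case-insensitive membership test over a comma-separated list and the exclude-list construction built on it; `domain_in_list`, `build_exclude_list` and the sample domain lists are assumptions made for the example. It goes slightly beyond the patch by also ignoring a trailing dot and tolerating NULL or empty lists.

```c
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>
#include <wctype.h>

/* Example added for illustration; not from the OpenVPN patch or source tree.
 * Function names and the sample domain lists are assumptions made here. */

/* Case-insensitive comparison of `len` wide characters: DNS names compare
 * case-insensitively (RFC 4343), so "Corp.Example.COM" equals "corp.example.com". */
static int
domain_equal_ci(const wchar_t *a, const wchar_t *b, size_t len)
{
    for (size_t i = 0; i < len; ++i)
    {
        if (towlower((wint_t)a[i]) != towlower((wint_t)b[i])) { return 0; }
    }
    return 1;
}

/* Return 1 if `domain` is an entry of the comma-separated `list`, else 0.
 * The list is walked entry by entry, so "example.com" is not matched inside
 * "myexample.com" but is found after it in "myexample.com,example.com", where
 * a single wcsstr() hit plus a boundary check stops at the first, non-aligned
 * occurrence. A trailing dot is ignored; NULL or empty inputs never match. */
int
domain_in_list(const wchar_t *list, const wchar_t *domain)
{
    if (list == NULL || domain == NULL) { return 0; }
    size_t dlen = wcslen(domain);
    if (dlen > 0 && domain[dlen - 1] == L'.') { dlen--; }
    if (dlen == 0) { return 0; }

    const wchar_t *pos = list;
    for (;;)
    {
        const wchar_t *comma = wcschr(pos, L',');
        size_t elen = comma ? (size_t)(comma - pos) : wcslen(pos);
        if (elen > 0 && pos[elen - 1] == L'.') { elen--; }
        if (elen == dlen && domain_equal_ci(pos, domain, dlen)) { return 1; }
        if (comma == NULL) { return 0; }
        pos = comma + 1;
    }
}

/* Build a REG_MULTI_SZ style list (".a.com\0.b.net\0\0") from the comma-
 * separated interface domains, dropping every entry that is also a pushed
 * search domain and prefixing the kept ones with a dot. Returns the number of
 * wchar_t written including the final terminator (1 when every entry was
 * dropped), or 0 if `out` (out_len wchar_t) is too small. */
size_t
build_exclude_list(const wchar_t *itf_domains, const wchar_t *search_domains,
                   wchar_t *out, size_t out_len)
{
    size_t used = 0;
    const wchar_t *pos = itf_domains ? itf_domains : L"";
    for (;;)
    {
        const wchar_t *comma = wcschr(pos, L',');
        size_t elen = comma ? (size_t)(comma - pos) : wcslen(pos);
        wchar_t entry[256];
        /* Skip empty ("a,,b") and over-long entries; the rest go through the
         * membership test via a NUL-terminated scratch copy. */
        if (elen > 0 && elen < sizeof(entry) / sizeof(entry[0]))
        {
            wmemcpy(entry, pos, elen);
            entry[elen] = L'\0';
            if (!domain_in_list(search_domains, entry))
            {
                /* room for dot + entry + NUL now, and the final NUL later */
                if (used + elen + 3 > out_len) { return 0; }
                out[used++] = L'.';
                wmemcpy(out + used, entry, elen);
                used += elen;
                out[used++] = L'\0';
            }
        }
        if (comma == NULL) { break; }
        pos = comma + 1;
    }
    if (used + 1 > out_len) { return 0; }
    out[used++] = L'\0';
    return used;
}

int
main(void)
{
    /* Constructed sample: DHCP domains on a local interface and the search
     * list pushed by the VPN server; lab.example.net must not get a rule. */
    wchar_t out[128];
    size_t n = build_exclude_list(L"corp.example.com,Lab.Example.NET,home.arpa",
                                  L"lab.example.net,vpn.example.org", out, 128);
    for (size_t i = 0; i + 1 < n; i += wcslen(out + i) + 1)
    {
        printf("exclude rule for %ls\n", out + i);
    }
    return 0;
}
```

Walking the list entry by entry is what makes the check robust: a substring search has to be followed by a boundary test on both sides and then repeated for every further occurrence, whereas tokenising at the commas compares whole entries and makes the case-insensitive comparison a one-line change. The size accounting is in wide characters throughout so the dot, the per-entry terminator and the final terminator are all reserved before anything is written.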