summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAlberto Gonzalez Iniesta <agi@inittab.org>2015-08-10 16:45:51 +0200
committerAlberto Gonzalez Iniesta <agi@inittab.org>2015-08-10 16:45:51 +0200
commitfd15a53c49ca01530665639f3711604c436601ee (patch)
tree452c73475f617631e23f13c4d176336939521ad7
parentd42fbdd9d8dc05868a9ce749fb43a37e6b75b143 (diff)
parent41ffafc126abd9af67061f4931b7614f3cb898b0 (diff)
Merge tag 'upstream/2.3.8'
Upstream version 2.3.8
-rw-r--r--ChangeLog23
-rw-r--r--aclocal.m410
-rwxr-xr-xconfig.sub5
-rwxr-xr-xconfigure98
-rw-r--r--distro/rpm/openvpn.spec2
-rw-r--r--doc/openvpn.816
-rw-r--r--ltmain.sh32
-rw-r--r--m4/libtool.m481
-rw-r--r--src/openvpn/buffer.h5
-rw-r--r--src/openvpn/crypto.c19
-rw-r--r--src/openvpn/crypto_backend.h2
-rw-r--r--src/openvpn/init.c12
-rw-r--r--src/openvpn/init.h5
-rw-r--r--src/openvpn/misc.c33
-rw-r--r--src/openvpn/misc.h9
-rw-r--r--src/openvpn/openvpn.c17
-rw-r--r--src/openvpn/openvpn.h3
-rw-r--r--src/openvpn/options.c15
-rw-r--r--src/openvpn/syshead.h4
-rw-r--r--src/openvpn/tun.c26
-rwxr-xr-xtests/t_client.sh18
-rw-r--r--version.m44
22 files changed, 248 insertions, 191 deletions
diff --git a/ChangeLog b/ChangeLog
index 0f091bb..b6a235f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,29 @@
OpenVPN Change Log
Copyright (C) 2002-2015 OpenVPN Technologies, Inc. <sales@openvpn.net>
+2015.08.03 -- Version 2.3.8
+Arne Schwabe (2):
+ Report missing endtags of inline files as warnings
+ Fix commit e473b7c if an inline file happens to have a line break exactly at buffer limit
+
+Gert Doering (2):
+ Produce a meaningful error message if --daemon gets in the way of asking for passwords.
+ Document --daemon changes and consequences (--askpass, --auth-nocache).
+
+Holger Kummert (1):
+ Del ipv6 addr on close of linux tun interface
+
+James Geboski (1):
+ Fix --askpass not allowing for password input via stdin
+
+Steffan Karger (5):
+ write pid file immediately after daemonizing
+ Make __func__ work with Visual Studio too
+ fix regression: query password before becoming daemon
+ Fix using management interface to get passwords.
+ Fix overflow check in openvpn_decrypt()
+
+
2015.06.02 -- Version 2.3.7
Alexander Pyhalov (1):
Default gateway can't be determined on illumos/Solaris platforms
diff --git a/aclocal.m4 b/aclocal.m4
index 0651eb9..c4b5b0b 100644
--- a/aclocal.m4
+++ b/aclocal.m4
@@ -103,9 +103,10 @@ _AM_AUTOCONF_VERSION(m4_defn([AC_AUTOCONF_VERSION]))])
# configured tree to be moved without reconfiguration.
AC_DEFUN([AM_AUX_DIR_EXPAND],
-[AC_REQUIRE([AC_CONFIG_AUX_DIR_DEFAULT])dnl
-# Expand $ac_aux_dir to an absolute path.
-am_aux_dir=`cd "$ac_aux_dir" && pwd`
+[dnl Rely on autoconf to set up CDPATH properly.
+AC_PREREQ([2.50])dnl
+# expand $ac_aux_dir to an absolute path
+am_aux_dir=`cd $ac_aux_dir && pwd`
])
# AM_CONDITIONAL -*- Autoconf -*-
@@ -572,8 +573,7 @@ to "yes", and re-run configure.
END
AC_MSG_ERROR([Your 'rm' program is bad, sorry.])
fi
-fi
-])
+fi])
dnl Hook into '_AC_COMPILER_EXEEXT' early to learn its expansion. Do not
dnl add the conditional right here, as _AC_COMPILER_EXEEXT may be further
diff --git a/config.sub b/config.sub
index bba4efb..66c5074 100755
--- a/config.sub
+++ b/config.sub
@@ -2,7 +2,7 @@
# Configuration validation subroutine script.
# Copyright 1992-2014 Free Software Foundation, Inc.
-timestamp='2014-09-11'
+timestamp='2014-07-28'
# This file is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
@@ -302,7 +302,6 @@ case $basic_machine in
| pdp10 | pdp11 | pj | pjl \
| powerpc | powerpc64 | powerpc64le | powerpcle \
| pyramid \
- | riscv32 | riscv64 \
| rl78 | rx \
| score \
| sh | sh[1234] | sh[24]a | sh[24]aeb | sh[23]e | sh[34]eb | sheb | shbe | shle | sh[1234]le | sh3ele \
@@ -1017,7 +1016,7 @@ case $basic_machine in
;;
ppc64) basic_machine=powerpc64-unknown
;;
- ppc64-*) basic_machine=powerpc64-`echo $basic_machine | sed 's/^[^-]*-//'`
+ ppc64-* | ppc64p7-*) basic_machine=powerpc64-`echo $basic_machine | sed 's/^[^-]*-//'`
;;
ppc64le | powerpc64little | ppc64-le | powerpc64-little)
basic_machine=powerpc64le-unknown
diff --git a/configure b/configure
index 1156c4b..881769d 100755
--- a/configure
+++ b/configure
@@ -1,6 +1,6 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for OpenVPN 2.3.7.
+# Generated by GNU Autoconf 2.69 for OpenVPN 2.3.8.
#
# Report bugs to <openvpn-users@lists.sourceforge.net>.
#
@@ -590,8 +590,8 @@ MAKEFLAGS=
# Identity of this package.
PACKAGE_NAME='OpenVPN'
PACKAGE_TARNAME='openvpn'
-PACKAGE_VERSION='2.3.7'
-PACKAGE_STRING='OpenVPN 2.3.7'
+PACKAGE_VERSION='2.3.8'
+PACKAGE_STRING='OpenVPN 2.3.8'
PACKAGE_BUGREPORT='openvpn-users@lists.sourceforge.net'
PACKAGE_URL=''
@@ -1427,7 +1427,7 @@ if test "$ac_init_help" = "long"; then
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures OpenVPN 2.3.7 to adapt to many kinds of systems.
+\`configure' configures OpenVPN 2.3.8 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1497,7 +1497,7 @@ fi
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of OpenVPN 2.3.7:";;
+ short | recursive ) echo "Configuration of OpenVPN 2.3.8:";;
esac
cat <<\_ACEOF
@@ -1701,7 +1701,7 @@ fi
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-OpenVPN configure 2.3.7
+OpenVPN configure 2.3.8
generated by GNU Autoconf 2.69
Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2483,7 +2483,7 @@ cat >config.log <<_ACEOF
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by OpenVPN $as_me 2.3.7, which was
+It was created by OpenVPN $as_me 2.3.8, which was
generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@
@@ -2847,7 +2847,7 @@ if test -z "${htmldir}"; then
fi
-$as_echo "#define OPENVPN_VERSION_RESOURCE 2,3,7,0" >>confdefs.h
+$as_echo "#define OPENVPN_VERSION_RESOURCE 2,3,8,0" >>confdefs.h
ac_aux_dir=
@@ -3057,8 +3057,8 @@ test "$program_suffix" != NONE &&
ac_script='s/[\\$]/&&/g;s/;s,x,x,$//'
program_transform_name=`$as_echo "$program_transform_name" | sed "$ac_script"`
-# Expand $ac_aux_dir to an absolute path.
-am_aux_dir=`cd "$ac_aux_dir" && pwd`
+# expand $ac_aux_dir to an absolute path
+am_aux_dir=`cd $ac_aux_dir && pwd`
if test x"${MISSING+set}" != xset; then
case $am_aux_dir in
@@ -3371,7 +3371,7 @@ fi
# Define the identity of the package.
PACKAGE='openvpn'
- VERSION='2.3.7'
+ VERSION='2.3.8'
cat >>confdefs.h <<_ACEOF
@@ -3462,8 +3462,7 @@ to "yes", and re-run configure.
END
as_fn_error $? "Your 'rm' program is bad, sorry." "$LINENO" 5
fi
-fi
- # Make sure we can run config.sub.
+fi # Make sure we can run config.sub.
$SHELL "$ac_aux_dir/config.sub" sun4 >/dev/null 2>&1 ||
as_fn_error $? "cannot run $SHELL $ac_aux_dir/config.sub" "$LINENO" 5
@@ -6855,8 +6854,7 @@ else
;;
*)
lt_cv_sys_max_cmd_len=`(getconf ARG_MAX) 2> /dev/null`
- if test -n "$lt_cv_sys_max_cmd_len" && \
- test undefined != "$lt_cv_sys_max_cmd_len"; then
+ if test -n "$lt_cv_sys_max_cmd_len"; then
lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 4`
lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \* 3`
else
@@ -7254,6 +7252,10 @@ freebsd* | dragonfly*)
fi
;;
+gnu*)
+ lt_cv_deplibs_check_method=pass_all
+ ;;
+
haiku*)
lt_cv_deplibs_check_method=pass_all
;;
@@ -7292,11 +7294,11 @@ irix5* | irix6* | nonstopux*)
;;
# This must be glibc/ELF.
-linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*)
+linux* | k*bsd*-gnu | kopensolaris*-gnu)
lt_cv_deplibs_check_method=pass_all
;;
-netbsd* | netbsdelf*-gnu)
+netbsd*)
if echo __ELF__ | $CC -E - | $GREP __ELF__ > /dev/null; then
lt_cv_deplibs_check_method='match_pattern /lib[^/]+(\.so\.[0-9]+\.[0-9]+|_pic\.a)$'
else
@@ -8386,19 +8388,12 @@ s390*-*linux*|s390*-*tpf*|sparc*-*linux*)
LD="${LD-ld} -m elf_i386_fbsd"
;;
x86_64-*linux*)
- case `/usr/bin/file conftest.o` in
- *x86-64*)
- LD="${LD-ld} -m elf32_x86_64"
- ;;
- *)
- LD="${LD-ld} -m elf_i386"
- ;;
- esac
+ LD="${LD-ld} -m elf_i386"
;;
- powerpc64le-*)
+ powerpc64le-*linux*)
LD="${LD-ld} -m elf32lppclinux"
;;
- powerpc64-*)
+ powerpc64-*linux*)
LD="${LD-ld} -m elf32ppclinux"
;;
s390x-*linux*)
@@ -8417,10 +8412,10 @@ s390*-*linux*|s390*-*tpf*|sparc*-*linux*)
x86_64-*linux*)
LD="${LD-ld} -m elf_x86_64"
;;
- powerpcle-*)
+ powerpcle-*linux*)
LD="${LD-ld} -m elf64lppc"
;;
- powerpc-*)
+ powerpc-*linux*)
LD="${LD-ld} -m elf64ppc"
;;
s390*-*linux*|s390*-*tpf*)
@@ -10259,7 +10254,7 @@ lt_prog_compiler_static=
lt_prog_compiler_static='-non_shared'
;;
- linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*)
+ linux* | k*bsd*-gnu | kopensolaris*-gnu)
case $cc_basename in
# old Intel for x86_64 which still supported -KPIC.
ecc*)
@@ -10737,9 +10732,6 @@ $as_echo_n "checking whether the $compiler linker ($LD) supports shared librarie
openbsd*)
with_gnu_ld=no
;;
- linux* | k*bsd*-gnu | gnu*)
- link_all_deplibs=no
- ;;
esac
ld_shlibs=yes
@@ -10961,7 +10953,7 @@ _LT_EOF
fi
;;
- netbsd* | netbsdelf*-gnu)
+ netbsd*)
if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then
archive_cmds='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib'
wlarc=
@@ -11138,7 +11130,6 @@ _LT_EOF
if test "$aix_use_runtimelinking" = yes; then
shared_flag="$shared_flag "'${wl}-G'
fi
- link_all_deplibs=no
else
# not using gcc
if test "$host_cpu" = ia64; then
@@ -11592,7 +11583,7 @@ $as_echo "$lt_cv_irix_exported_symbol" >&6; }
link_all_deplibs=yes
;;
- netbsd* | netbsdelf*-gnu)
+ netbsd*)
if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then
archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags' # a.out
else
@@ -12429,6 +12420,17 @@ freebsd* | dragonfly*)
esac
;;
+gnu*)
+ version_type=linux # correct to gnu/linux during the next big refactor
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}${major} ${libname}${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=no
+ hardcode_into_libs=yes
+ ;;
+
haiku*)
version_type=linux # correct to gnu/linux during the next big refactor
need_lib_prefix=no
@@ -12545,7 +12547,7 @@ linux*oldld* | linux*aout* | linux*coff*)
;;
# This must be glibc/ELF.
-linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*)
+linux* | k*bsd*-gnu | kopensolaris*-gnu)
version_type=linux # correct to gnu/linux during the next big refactor
need_lib_prefix=no
need_version=no
@@ -12594,10 +12596,14 @@ fi
# before this can be enabled.
hardcode_into_libs=yes
+ # Add ABI-specific directories to the system library path.
+ sys_lib_dlsearch_path_spec="/lib64 /usr/lib64 /lib /usr/lib"
+
# Append ld.so.conf contents to the search path
if test -f /etc/ld.so.conf; then
lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ ]*hwcap[ ]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;s/"//g;/^$/d' | tr '\n' ' '`
- sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
+ sys_lib_dlsearch_path_spec="$sys_lib_dlsearch_path_spec $lt_ld_extra"
+
fi
# We used to test for /lib/ld.so.1 and disable shared libraries on
@@ -12609,18 +12615,6 @@ fi
dynamic_linker='GNU/Linux ld.so'
;;
-netbsdelf*-gnu)
- version_type=linux
- need_lib_prefix=no
- need_version=no
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
- soname_spec='${libname}${release}${shared_ext}$major'
- shlibpath_var=LD_LIBRARY_PATH
- shlibpath_overrides_runpath=no
- hardcode_into_libs=yes
- dynamic_linker='NetBSD ld.elf_so'
- ;;
-
netbsd*)
version_type=sunos
need_lib_prefix=no
@@ -17636,7 +17630,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
-This file was extended by OpenVPN $as_me 2.3.7, which was
+This file was extended by OpenVPN $as_me 2.3.8, which was
generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@@ -17702,7 +17696,7 @@ _ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
-OpenVPN config.status 2.3.7
+OpenVPN config.status 2.3.8
configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\"
diff --git a/distro/rpm/openvpn.spec b/distro/rpm/openvpn.spec
index bd1225e..8f7f3af 100644
--- a/distro/rpm/openvpn.spec
+++ b/distro/rpm/openvpn.spec
@@ -13,7 +13,7 @@
Summary: OpenVPN is a robust and highly flexible VPN daemon by James Yonan.
Name: openvpn
-Version: 2.3.7
+Version: 2.3.8
Release: 1
URL: http://openvpn.net/
Source0: http://prdownloads.sourceforge.net/openvpn/%{name}-%{version}.tar.gz
diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 9db6409..203dd46 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -2198,6 +2198,22 @@ openvpn command for a fairly reliable indication of whether the command
has correctly initialized and entered the packet forwarding event loop.
In OpenVPN, the vast majority of errors which occur after initialization are non-fatal.
+
+Note: as soon as OpenVPN has daemonized, it can not ask for usernames,
+passwords, or key pass phrases anymore. This has certain consequences,
+namely that using a password-protected private key will fail unless the
+.B \-\-askpass
+option is used to tell OpenVPN to ask for the pass phrase (this
+requirement is new in 2.3.7, and is a consequence of calling daemon()
+before initializing the crypto layer).
+
+Further, using
+.B \-\-daemon
+together with
+.B \-\-auth-user-pass
+(entered on console) and
+.B \-\-auth-nocache
+will fail as soon as key renegotiation (and reauthentication) occurs.
.\"*********************************************************
.TP
.B \-\-syslog [progname]
diff --git a/ltmain.sh b/ltmain.sh
index bffda54..63ae69d 100644
--- a/ltmain.sh
+++ b/ltmain.sh
@@ -70,7 +70,7 @@
# compiler: $LTCC
# compiler flags: $LTCFLAGS
# linker: $LD (gnu? $with_gnu_ld)
-# $progname: (GNU libtool) 2.4.2 Debian-2.4.2-1.11
+# $progname: (GNU libtool) 2.4.2
# automake: $automake_version
# autoconf: $autoconf_version
#
@@ -80,7 +80,7 @@
PROGRAM=libtool
PACKAGE=libtool
-VERSION="2.4.2 Debian-2.4.2-1.11"
+VERSION=2.4.2
TIMESTAMP=""
package_revision=1.3337
@@ -6124,10 +6124,7 @@ func_mode_link ()
case $pass in
dlopen) libs="$dlfiles" ;;
dlpreopen) libs="$dlprefiles" ;;
- link)
- libs="$deplibs %DEPLIBS%"
- test "X$link_all_deplibs" != Xno && libs="$libs $dependency_libs"
- ;;
+ link) libs="$deplibs %DEPLIBS% $dependency_libs" ;;
esac
fi
if test "$linkmode,$pass" = "lib,dlpreopen"; then
@@ -6447,19 +6444,19 @@ func_mode_link ()
# It is a libtool convenience library, so add in its objects.
func_append convenience " $ladir/$objdir/$old_library"
func_append old_convenience " $ladir/$objdir/$old_library"
- tmp_libs=
- for deplib in $dependency_libs; do
- deplibs="$deplib $deplibs"
- if $opt_preserve_dup_deps ; then
- case "$tmp_libs " in
- *" $deplib "*) func_append specialdeplibs " $deplib" ;;
- esac
- fi
- func_append tmp_libs " $deplib"
- done
elif test "$linkmode" != prog && test "$linkmode" != lib; then
func_fatal_error "\`$lib' is not a convenience library"
fi
+ tmp_libs=
+ for deplib in $dependency_libs; do
+ deplibs="$deplib $deplibs"
+ if $opt_preserve_dup_deps ; then
+ case "$tmp_libs " in
+ *" $deplib "*) func_append specialdeplibs " $deplib" ;;
+ esac
+ fi
+ func_append tmp_libs " $deplib"
+ done
continue
fi # $pass = conv
@@ -7352,9 +7349,6 @@ func_mode_link ()
revision="$number_minor"
lt_irix_increment=no
;;
- *)
- func_fatal_configuration "$modename: unknown library version type \`$version_type'"
- ;;
esac
;;
no)
diff --git a/m4/libtool.m4 b/m4/libtool.m4
index d7c043f..f12cfdf 100644
--- a/m4/libtool.m4
+++ b/m4/libtool.m4
@@ -1324,19 +1324,12 @@ s390*-*linux*|s390*-*tpf*|sparc*-*linux*)
LD="${LD-ld} -m elf_i386_fbsd"
;;
x86_64-*linux*)
- case `/usr/bin/file conftest.o` in
- *x86-64*)
- LD="${LD-ld} -m elf32_x86_64"
- ;;
- *)
- LD="${LD-ld} -m elf_i386"
- ;;
- esac
+ LD="${LD-ld} -m elf_i386"
;;
- powerpc64le-*)
+ powerpc64le-*linux*)
LD="${LD-ld} -m elf32lppclinux"
;;
- powerpc64-*)
+ powerpc64-*linux*)
LD="${LD-ld} -m elf32ppclinux"
;;
s390x-*linux*)
@@ -1355,10 +1348,10 @@ s390*-*linux*|s390*-*tpf*|sparc*-*linux*)
x86_64-*linux*)
LD="${LD-ld} -m elf_x86_64"
;;
- powerpcle-*)
+ powerpcle-*linux*)
LD="${LD-ld} -m elf64lppc"
;;
- powerpc-*)
+ powerpc-*linux*)
LD="${LD-ld} -m elf64ppc"
;;
s390*-*linux*|s390*-*tpf*)
@@ -1701,8 +1694,7 @@ AC_CACHE_VAL([lt_cv_sys_max_cmd_len], [dnl
;;
*)
lt_cv_sys_max_cmd_len=`(getconf ARG_MAX) 2> /dev/null`
- if test -n "$lt_cv_sys_max_cmd_len" && \
- test undefined != "$lt_cv_sys_max_cmd_len"; then
+ if test -n "$lt_cv_sys_max_cmd_len"; then
lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 4`
lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \* 3`
else
@@ -2526,6 +2518,17 @@ freebsd* | dragonfly*)
esac
;;
+gnu*)
+ version_type=linux # correct to gnu/linux during the next big refactor
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}${major} ${libname}${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=no
+ hardcode_into_libs=yes
+ ;;
+
haiku*)
version_type=linux # correct to gnu/linux during the next big refactor
need_lib_prefix=no
@@ -2642,7 +2645,7 @@ linux*oldld* | linux*aout* | linux*coff*)
;;
# This must be glibc/ELF.
-linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*)
+linux* | k*bsd*-gnu | kopensolaris*-gnu)
version_type=linux # correct to gnu/linux during the next big refactor
need_lib_prefix=no
need_version=no
@@ -2672,10 +2675,14 @@ linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*)
# before this can be enabled.
hardcode_into_libs=yes
+ # Add ABI-specific directories to the system library path.
+ sys_lib_dlsearch_path_spec="/lib64 /usr/lib64 /lib /usr/lib"
+
# Append ld.so.conf contents to the search path
if test -f /etc/ld.so.conf; then
lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \[$]2)); skip = 1; } { if (!skip) print \[$]0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ ]*hwcap[ ]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;s/"//g;/^$/d' | tr '\n' ' '`
- sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
+ sys_lib_dlsearch_path_spec="$sys_lib_dlsearch_path_spec $lt_ld_extra"
+
fi
# We used to test for /lib/ld.so.1 and disable shared libraries on
@@ -2687,18 +2694,6 @@ linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*)
dynamic_linker='GNU/Linux ld.so'
;;
-netbsdelf*-gnu)
- version_type=linux
- need_lib_prefix=no
- need_version=no
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
- soname_spec='${libname}${release}${shared_ext}$major'
- shlibpath_var=LD_LIBRARY_PATH
- shlibpath_overrides_runpath=no
- hardcode_into_libs=yes
- dynamic_linker='NetBSD ld.elf_so'
- ;;
-
netbsd*)
version_type=sunos
need_lib_prefix=no
@@ -3258,6 +3253,10 @@ freebsd* | dragonfly*)
fi
;;
+gnu*)
+ lt_cv_deplibs_check_method=pass_all
+ ;;
+
haiku*)
lt_cv_deplibs_check_method=pass_all
;;
@@ -3296,11 +3295,11 @@ irix5* | irix6* | nonstopux*)
;;
# This must be glibc/ELF.
-linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*)
+linux* | k*bsd*-gnu | kopensolaris*-gnu)
lt_cv_deplibs_check_method=pass_all
;;
-netbsd* | netbsdelf*-gnu)
+netbsd*)
if echo __ELF__ | $CC -E - | $GREP __ELF__ > /dev/null; then
lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so\.[[0-9]]+\.[[0-9]]+|_pic\.a)$'
else
@@ -4048,7 +4047,7 @@ m4_if([$1], [CXX], [
;;
esac
;;
- linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*)
+ linux* | k*bsd*-gnu | kopensolaris*-gnu)
case $cc_basename in
KCC*)
# KAI C++ Compiler
@@ -4112,7 +4111,7 @@ m4_if([$1], [CXX], [
;;
esac
;;
- netbsd* | netbsdelf*-gnu)
+ netbsd*)
;;
*qnx* | *nto*)
# QNX uses GNU C++, but need to define -shared option too, otherwise
@@ -4347,7 +4346,7 @@ m4_if([$1], [CXX], [
_LT_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
;;
- linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*)
+ linux* | k*bsd*-gnu | kopensolaris*-gnu)
case $cc_basename in
# old Intel for x86_64 which still supported -KPIC.
ecc*)
@@ -4589,9 +4588,6 @@ m4_if([$1], [CXX], [
;;
esac
;;
- linux* | k*bsd*-gnu | gnu*)
- _LT_TAGVAR(link_all_deplibs, $1)=no
- ;;
*)
_LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
;;
@@ -4654,9 +4650,6 @@ dnl Note also adjust exclude_expsyms for C++ above.
openbsd*)
with_gnu_ld=no
;;
- linux* | k*bsd*-gnu | gnu*)
- _LT_TAGVAR(link_all_deplibs, $1)=no
- ;;
esac
_LT_TAGVAR(ld_shlibs, $1)=yes
@@ -4878,7 +4871,7 @@ _LT_EOF
fi
;;
- netbsd* | netbsdelf*-gnu)
+ netbsd*)
if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then
_LT_TAGVAR(archive_cmds, $1)='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib'
wlarc=
@@ -5055,7 +5048,6 @@ _LT_EOF
if test "$aix_use_runtimelinking" = yes; then
shared_flag="$shared_flag "'${wl}-G'
fi
- _LT_TAGVAR(link_all_deplibs, $1)=no
else
# not using gcc
if test "$host_cpu" = ia64; then
@@ -5360,7 +5352,7 @@ _LT_EOF
_LT_TAGVAR(link_all_deplibs, $1)=yes
;;
- netbsd* | netbsdelf*-gnu)
+ netbsd*)
if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then
_LT_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags' # a.out
else
@@ -6240,6 +6232,9 @@ if test "$_lt_caught_CXX_error" != yes; then
_LT_TAGVAR(ld_shlibs, $1)=yes
;;
+ gnu*)
+ ;;
+
haiku*)
_LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
_LT_TAGVAR(link_all_deplibs, $1)=yes
@@ -6401,7 +6396,7 @@ if test "$_lt_caught_CXX_error" != yes; then
_LT_TAGVAR(inherit_rpath, $1)=yes
;;
- linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*)
+ linux* | k*bsd*-gnu | kopensolaris*-gnu)
case $cc_basename in
KCC*)
# Kuck and Associates, Inc. (KAI) C++ Compiler
diff --git a/src/openvpn/buffer.h b/src/openvpn/buffer.h
index 93efb09..d306a04 100644
--- a/src/openvpn/buffer.h
+++ b/src/openvpn/buffer.h
@@ -308,7 +308,10 @@ has_digit (const unsigned char* src)
}
/*
- * printf append to a buffer with overflow check
+ * printf append to a buffer with overflow check,
+ * due to usage of vsnprintf, it will leave space for
+ * a final null character and thus use only
+ * capacity - 1
*/
bool buf_printf (struct buffer *buf, const char *format, ...)
#ifdef __GNUC__
diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index aa93a7b..c2d5c27 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -166,11 +166,11 @@ openvpn_encrypt (struct buffer *buf, struct buffer work,
/* Encrypt packet ID, payload */
ASSERT (cipher_ctx_update (ctx->cipher, BPTR (&work), &outlen, BPTR (buf), BLEN (buf)));
- work.len += outlen;
+ ASSERT (buf_inc_len(&work, outlen));
/* Flush the encryption buffer */
- ASSERT(cipher_ctx_final(ctx->cipher, BPTR (&work) + outlen, &outlen));
- work.len += outlen;
+ ASSERT (cipher_ctx_final(ctx->cipher, BPTR (&work) + outlen, &outlen));
+ ASSERT (buf_inc_len(&work, outlen));
/* For all CBC mode ciphers, check the last block is complete */
ASSERT (cipher_kt_mode (cipher_kt) != OPENVPN_MODE_CBC ||
@@ -305,18 +305,18 @@ openvpn_decrypt (struct buffer *buf, struct buffer work,
CRYPT_ERROR ("cipher init failed");
/* Buffer overflow check (should never happen) */
- if (!buf_safe (&work, buf->len))
- CRYPT_ERROR ("buffer overflow");
+ if (!buf_safe (&work, buf->len + cipher_ctx_block_size(ctx->cipher)))
+ CRYPT_ERROR ("potential buffer overflow");
/* Decrypt packet ID, payload */
if (!cipher_ctx_update (ctx->cipher, BPTR (&work), &outlen, BPTR (buf), BLEN (buf)))
CRYPT_ERROR ("cipher update failed");
- work.len += outlen;
+ ASSERT (buf_inc_len(&work, outlen));
/* Flush the decryption buffer */
if (!cipher_ctx_final (ctx->cipher, BPTR (&work) + outlen, &outlen))
CRYPT_ERROR ("cipher final failed");
- work.len += outlen;
+ ASSERT (buf_inc_len(&work, outlen));
dmsg (D_PACKET_CONTENT, "DECRYPT TO: %s",
format_hex (BPTR (&work), BLEN (&work), 80, &gc));
@@ -413,9 +413,8 @@ crypto_adjust_frame_parameters(struct frame *frame,
if (use_iv)
crypto_overhead += cipher_kt_iv_size (kt->cipher);
- if (cipher_kt_mode_cbc (kt->cipher))
- /* worst case padding expansion */
- crypto_overhead += cipher_kt_block_size (kt->cipher);
+ /* extra block required by cipher_ctx_update() */
+ crypto_overhead += cipher_kt_block_size (kt->cipher);
}
crypto_overhead += kt->hmac_length;
diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h
index 4e45df0..4c1ce9f 100644
--- a/src/openvpn/crypto_backend.h
+++ b/src/openvpn/crypto_backend.h
@@ -333,7 +333,7 @@ int cipher_ctx_reset (cipher_ctx_t *ctx, uint8_t *iv_buf);
* Note that if a complete block cannot be written, data is cached in the
* context, and emitted at a later call to \c cipher_ctx_update, or by a call
* to \c cipher_ctx_final(). This implies that dst should have enough room for
- * src_len + \c cipher_ctx_block_size() - 1.
+ * src_len + \c cipher_ctx_block_size().
*
* @param ctx Cipher's context. May not be NULL.
* @param dst Destination buffer
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index c99e775..71c91a2 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -389,8 +389,8 @@ next_connection_entry (struct context *c)
/*
* Query for private key and auth-user-pass username/passwords
*/
-static void
-init_query_passwords (struct context *c)
+void
+init_query_passwords (const struct context *c)
{
#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL)
/* Certificate password input */
@@ -520,8 +520,6 @@ context_init_1 (struct context *c)
init_connection_list (c);
- init_query_passwords (c);
-
#if defined(ENABLE_PKCS11)
if (c->first_time) {
int i;
@@ -2775,16 +2773,10 @@ do_init_first_time (struct context *c)
platform_group_get (c->options.groupname, &c0->platform_state_group) |
platform_user_get (c->options.username, &c0->platform_state_user);
- /* get --writepid file descriptor */
- get_pid_file (c->options.writepid, &c0->pid_state);
-
/* perform postponed chdir if --daemon */
if (c->did_we_daemonize && c->options.cd_dir == NULL)
platform_chdir("/");
- /* save process ID in a file */
- write_pid (&c0->pid_state);
-
/* should we change scheduling priority? */
platform_nice (c->options.nice);
}
diff --git a/src/openvpn/init.h b/src/openvpn/init.h
index d1908ed..a819bd2 100644
--- a/src/openvpn/init.h
+++ b/src/openvpn/init.h
@@ -63,6 +63,11 @@ void init_instance_handle_signals (struct context *c, const struct env_set *env,
void init_instance (struct context *c, const struct env_set *env, const unsigned int flags);
+/**
+ * Query for private key and auth-user-pass username/passwords.
+ */
+void init_query_passwords (const struct context *c);
+
void do_route (const struct options *options,
struct route_list *route_list,
struct route_ipv6_list *route_ipv6_list,
diff --git a/src/openvpn/misc.c b/src/openvpn/misc.c
index 8408438..f20d059 100644
--- a/src/openvpn/misc.c
+++ b/src/openvpn/misc.c
@@ -127,30 +127,21 @@ run_up_down (const char *command,
gc_free (&gc);
}
-/* Get the file we will later write our process ID to */
+/* Write our PID to a file */
void
-get_pid_file (const char* filename, struct pid_state *state)
+write_pid (const char *filename)
{
- CLEAR (*state);
if (filename)
{
- state->fp = platform_fopen (filename, "w");
- if (!state->fp)
+ unsigned int pid = 0;
+ FILE *fp = platform_fopen (filename, "w");
+ if (!fp)
msg (M_ERR, "Open error on pid file %s", filename);
- state->filename = filename;
- }
-}
-/* Write our PID to a file */
-void
-write_pid (const struct pid_state *state)
-{
- if (state->filename && state->fp)
- {
- unsigned int pid = platform_getpid ();
- fprintf(state->fp, "%u\n", pid);
- if (fclose (state->fp))
- msg (M_ERR, "Close error on pid file %s", state->filename);
+ pid = platform_getpid ();
+ fprintf(fp, "%u\n", pid);
+ if (fclose (fp))
+ msg (M_ERR, "Close error on pid file %s", filename);
}
}
@@ -1097,6 +1088,12 @@ get_user_pass_cr (struct user_pass *up,
*/
else if (from_stdin)
{
+#ifndef WIN32
+ /* did we --daemon'ize before asking for passwords? */
+ if ( !isatty(0) && !isatty(2) )
+ { msg(M_FATAL, "neither stdin nor stderr are a tty device, can't ask for %s password. If you used --daemon, you need to use --askpass to make passphrase-protected keys work, and you can not use --auth-nocache.", prefix ); }
+#endif
+
#ifdef ENABLE_CLIENT_CR
if (auth_challenge && (flags & GET_USER_PASS_DYNAMIC_CHALLENGE))
{
diff --git a/src/openvpn/misc.h b/src/openvpn/misc.h
index 183898e..e67b5e4 100644
--- a/src/openvpn/misc.h
+++ b/src/openvpn/misc.h
@@ -73,14 +73,7 @@ void run_up_down (const char *command,
const char *script_type,
struct env_set *es);
-/* workspace for get_pid_file/write_pid */
-struct pid_state {
- FILE *fp;
- const char *filename;
-};
-
-void get_pid_file (const char* filename, struct pid_state *state);
-void write_pid (const struct pid_state *state);
+void write_pid (const char *filename);
/* check file protections */
void warn_if_group_others_accessible(const char* filename);
diff --git a/src/openvpn/openvpn.c b/src/openvpn/openvpn.c
index 2f327f3..32e326e 100644
--- a/src/openvpn/openvpn.c
+++ b/src/openvpn/openvpn.c
@@ -228,15 +228,28 @@ openvpn_main (int argc, char *argv[])
/* test crypto? */
if (do_test_crypto (&c.options))
break;
-
+
+ /* Query passwords before becoming a daemon if we don't use the
+ * management interface to get them. */
+#ifdef ENABLE_MANAGEMENT
+ if (!(c.options.management_flags & MF_QUERY_PASSWORDS))
+#endif
+ init_query_passwords (&c);
+
/* become a daemon if --daemon */
if (c.first_time)
- c.did_we_daemonize = possibly_become_daemon (&c.options);
+ {
+ c.did_we_daemonize = possibly_become_daemon (&c.options);
+ write_pid (c.options.writepid);
+ }
#ifdef ENABLE_MANAGEMENT
/* open management subsystem */
if (!open_management (&c))
break;
+ /* query for passwords through management interface, if needed */
+ if (c.options.management_flags & MF_QUERY_PASSWORDS)
+ init_query_passwords (&c);
#endif
/* set certain options as environmental variables */
diff --git a/src/openvpn/openvpn.h b/src/openvpn/openvpn.h
index bdfa685..10ec859 100644
--- a/src/openvpn/openvpn.h
+++ b/src/openvpn/openvpn.h
@@ -137,9 +137,6 @@ struct context_persist
*/
struct context_0
{
- /* workspace for get_pid_file/write_pid */
- struct pid_state pid_state;
-
/* workspace for --user/--group */
bool uid_gid_specified;
bool uid_gid_set;
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index ff4b07b..007bd8c 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -2774,8 +2774,8 @@ options_postprocess_filechecks (struct options *options)
/* ** Password files ** */
#ifdef ENABLE_SSL
- errs |= check_file_access (CHKACC_FILE, options->key_pass_file, R_OK,
- "--askpass");
+ errs |= check_file_access (CHKACC_FILE|CHKACC_ACPTSTDIN,
+ options->key_pass_file, R_OK, "--askpass");
#endif /* ENABLE_SSL */
#ifdef ENABLE_MANAGEMENT
errs |= check_file_access (CHKACC_FILE|CHKACC_ACPTSTDIN,
@@ -3757,11 +3757,16 @@ read_inline_file (struct in_src *is, const char *close_tag, struct gc_arena *gc)
char line[OPTION_LINE_SIZE];
struct buffer buf = alloc_buf (8*OPTION_LINE_SIZE);
char *ret;
+ bool endtagfound = false;
+
while (in_src_get (is, line, sizeof (line)))
{
if (!strncmp (line, close_tag, strlen (close_tag)))
- break;
- if (!buf_safe (&buf, strlen(line)))
+ {
+ endtagfound = true;
+ break;
+ }
+ if (!buf_safe (&buf, strlen(line)+1))
{
/* Increase buffer size */
struct buffer buf2 = alloc_buf (buf.capacity * 2);
@@ -3772,6 +3777,8 @@ read_inline_file (struct in_src *is, const char *close_tag, struct gc_arena *gc)
}
buf_printf (&buf, "%s", line);
}
+ if (!endtagfound)
+ msg (M_WARN, "WARNING: Endtag %s missing", close_tag);
ret = string_alloc (BSTR (&buf), gc);
buf_clear (&buf);
free_buf (&buf);
diff --git a/src/openvpn/syshead.h b/src/openvpn/syshead.h
index 7075b96..ffba4e8 100644
--- a/src/openvpn/syshead.h
+++ b/src/openvpn/syshead.h
@@ -45,6 +45,10 @@
#define srandom srand
#endif
+#ifdef _MSC_VER // Visual Studio
+#define __func__ __FUNCTION__
+#endif
+
#if defined(__APPLE__)
#if __ENVIRONMENT_MAC_OS_X_VERSION_MIN_REQUIRED__ >= 1070
#define __APPLE_USE_RFC_3542 1
diff --git a/src/openvpn/tun.c b/src/openvpn/tun.c
index 285e774..3e20215 100644
--- a/src/openvpn/tun.c
+++ b/src/openvpn/tun.c
@@ -1714,6 +1714,32 @@ close_tun (struct tuntap *tt)
argv_msg (M_INFO, &argv);
openvpn_execve_check (&argv, NULL, 0, "Linux ip addr del failed");
+ if (tt->ipv6 && tt->did_ifconfig_ipv6_setup)
+ {
+ const char * ifconfig_ipv6_local = print_in6_addr (tt->local_ipv6, 0, &gc);
+
+#ifdef ENABLE_IPROUTE
+ argv_printf (&argv, "%s -6 addr del %s/%d dev %s",
+ iproute_path,
+ ifconfig_ipv6_local,
+ tt->netbits_ipv6,
+ tt->actual_name
+ );
+ argv_msg (M_INFO, &argv);
+ openvpn_execve_check (&argv, NULL, 0, "Linux ip -6 addr del failed");
+#else
+ argv_printf (&argv,
+ "%s %s del %s/%d",
+ IFCONFIG_PATH,
+ tt->actual_name,
+ ifconfig_ipv6_local,
+ tt->netbits_ipv6
+ );
+ argv_msg (M_INFO, &argv);
+ openvpn_execve_check (&argv, NULL, 0, "Linux ifconfig inet6 del failed");
+#endif
+ }
+
argv_reset (&argv);
gc_free (&gc);
}
diff --git a/tests/t_client.sh b/tests/t_client.sh
index 4a8a30f..38cedb1 100755
--- a/tests/t_client.sh
+++ b/tests/t_client.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/sh
#
# run OpenVPN client against ``test reference'' server
# - check that ping, http, ... via tunnel works
@@ -86,12 +86,12 @@ fail()
get_ifconfig_route()
{
# linux / iproute2? (-> if configure got a path)
- if [ -n "/bin/ip" ]
+ if [ -n "/usr/sbin/ip" ]
then
echo "-- linux iproute2 --"
- /bin/ip addr show | grep -v valid_lft
- /bin/ip route show
- /bin/ip -o -6 route show | grep -v ' cache' | sed -E -e 's/ expires [0-9]*sec//' -e 's/ (mtu|hoplimit|cwnd|ssthresh) [0-9]+//g' -e 's/ (rtt|rttvar) [0-9]+ms//g'
+ /usr/sbin/ip addr show | grep -v valid_lft
+ /usr/sbin/ip route show
+ /usr/sbin/ip -o -6 route show | grep -v ' cache' | sed -E -e 's/ expires [0-9]*sec//' -e 's/ (mtu|hoplimit|cwnd|ssthresh) [0-9]+//g' -e 's/ (rtt|rttvar) [0-9]+ms//g'
return
fi
@@ -99,26 +99,26 @@ get_ifconfig_route()
case `uname -s` in
Linux)
echo "-- linux / ifconfig --"
- LANG=C /sbin/ifconfig -a |egrep "( addr:|encap:)"
+ LANG=C /usr/sbin/ifconfig -a |egrep "( addr:|encap:)"
LANG=C netstat -rn -4 -6
return
;;
FreeBSD|NetBSD|Darwin)
echo "-- FreeBSD/NetBSD/Darwin [MacOS X] --"
- /sbin/ifconfig -a | egrep "(flags=|inet)"
+ /usr/sbin/ifconfig -a | egrep "(flags=|inet)"
netstat -rn | awk '$3 !~ /^UHL/ { print $1,$2,$3,$NF }'
return
;;
OpenBSD)
echo "-- OpenBSD --"
- /sbin/ifconfig -a | egrep "(flags=|inet)" | \
+ /usr/sbin/ifconfig -a | egrep "(flags=|inet)" | \
sed -e 's/pltime [0-9]*//' -e 's/vltime [0-9]*//'
netstat -rn | awk '$3 !~ /^UHL/ { print $1,$2,$3,$NF }'
return
;;
SunOS)
echo "-- Solaris --"
- /sbin/ifconfig -a | egrep "(flags=|inet)"
+ /usr/sbin/ifconfig -a | egrep "(flags=|inet)"
netstat -rn | awk '$3 !~ /^UHL/ { print $1,$2,$3,$6 }'
return
;;
diff --git a/version.m4 b/version.m4
index eacf8a1..6b26239 100644
--- a/version.m4
+++ b/version.m4
@@ -1,9 +1,9 @@
dnl define the OpenVPN version
define([PRODUCT_NAME], [OpenVPN])
define([PRODUCT_TARNAME], [openvpn])
-define([PRODUCT_VERSION], [2.3.7])
+define([PRODUCT_VERSION], [2.3.8])
define([PRODUCT_BUGREPORT], [openvpn-users@lists.sourceforge.net])
-define([PRODUCT_VERSION_RESOURCE], [2,3,7,0])
+define([PRODUCT_VERSION_RESOURCE], [2,3,8,0])
dnl define the TAP version
define([PRODUCT_TAP_WIN_COMPONENT_ID], [tap0901])
define([PRODUCT_TAP_WIN_MIN_MAJOR], [9])