author | Alberto Gonzalez Iniesta <agi@inittab.org> | 2015-08-10 16:45:51 +0200 |
---|---|---|
committer | Alberto Gonzalez Iniesta <agi@inittab.org> | 2015-08-10 16:45:51 +0200 |
commit | fd15a53c49ca01530665639f3711604c436601ee (patch) | |
tree | 452c73475f617631e23f13c4d176336939521ad7 | |
parent | d42fbdd9d8dc05868a9ce749fb43a37e6b75b143 (diff) | |
parent | 41ffafc126abd9af67061f4931b7614f3cb898b0 (diff) |
Merge tag 'upstream/2.3.8'
Upstream version 2.3.8
-rw-r--r-- | ChangeLog | 23 | ||||
-rw-r--r-- | aclocal.m4 | 10 | ||||
-rwxr-xr-x | config.sub | 5 | ||||
-rwxr-xr-x | configure | 98 | ||||
-rw-r--r-- | distro/rpm/openvpn.spec | 2 | ||||
-rw-r--r-- | doc/openvpn.8 | 16 | ||||
-rw-r--r-- | ltmain.sh | 32 | ||||
-rw-r--r-- | m4/libtool.m4 | 81 | ||||
-rw-r--r-- | src/openvpn/buffer.h | 5 | ||||
-rw-r--r-- | src/openvpn/crypto.c | 19 | ||||
-rw-r--r-- | src/openvpn/crypto_backend.h | 2 | ||||
-rw-r--r-- | src/openvpn/init.c | 12 | ||||
-rw-r--r-- | src/openvpn/init.h | 5 | ||||
-rw-r--r-- | src/openvpn/misc.c | 33 | ||||
-rw-r--r-- | src/openvpn/misc.h | 9 | ||||
-rw-r--r-- | src/openvpn/openvpn.c | 17 | ||||
-rw-r--r-- | src/openvpn/openvpn.h | 3 | ||||
-rw-r--r-- | src/openvpn/options.c | 15 | ||||
-rw-r--r-- | src/openvpn/syshead.h | 4 | ||||
-rw-r--r-- | src/openvpn/tun.c | 26 | ||||
-rwxr-xr-x | tests/t_client.sh | 18 | ||||
-rw-r--r-- | version.m4 | 4 |
22 files changed, 248 insertions, 191 deletions
@@ -1,6 +1,29 @@ OpenVPN Change Log Copyright (C) 2002-2015 OpenVPN Technologies, Inc. <sales@openvpn.net> +2015.08.03 -- Version 2.3.8 +Arne Schwabe (2): + Report missing endtags of inline files as warnings + Fix commit e473b7c if an inline file happens to have a line break exactly at buffer limit + +Gert Doering (2): + Produce a meaningful error message if --daemon gets in the way of asking for passwords. + Document --daemon changes and consequences (--askpass, --auth-nocache). + +Holger Kummert (1): + Del ipv6 addr on close of linux tun interface + +James Geboski (1): + Fix --askpass not allowing for password input via stdin + +Steffan Karger (5): + write pid file immediately after daemonizing + Make __func__ work with Visual Studio too + fix regression: query password before becoming daemon + Fix using management interface to get passwords. + Fix overflow check in openvpn_decrypt() + + 2015.06.02 -- Version 2.3.7 Alexander Pyhalov (1): Default gateway can't be determined on illumos/Solaris platforms @@ -103,9 +103,10 @@ _AM_AUTOCONF_VERSION(m4_defn([AC_AUTOCONF_VERSION]))]) # configured tree to be moved without reconfiguration. AC_DEFUN([AM_AUX_DIR_EXPAND], -[AC_REQUIRE([AC_CONFIG_AUX_DIR_DEFAULT])dnl -# Expand $ac_aux_dir to an absolute path. -am_aux_dir=`cd "$ac_aux_dir" && pwd` +[dnl Rely on autoconf to set up CDPATH properly. +AC_PREREQ([2.50])dnl +# expand $ac_aux_dir to an absolute path +am_aux_dir=`cd $ac_aux_dir && pwd` ]) # AM_CONDITIONAL -*- Autoconf -*- @@ -572,8 +573,7 @@ to "yes", and re-run configure. END AC_MSG_ERROR([Your 'rm' program is bad, sorry.]) fi -fi -]) +fi]) dnl Hook into '_AC_COMPILER_EXEEXT' early to learn its expansion. Do not dnl add the conditional right here, as _AC_COMPILER_EXEEXT may be further 
@@ -2,7 +2,7 @@ # Configuration validation subroutine script. # Copyright 1992-2014 Free Software Foundation, Inc. -timestamp='2014-09-11' +timestamp='2014-07-28' # This file is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by @@ -302,7 +302,6 @@ case $basic_machine in | pdp10 | pdp11 | pj | pjl \ | powerpc | powerpc64 | powerpc64le | powerpcle \ | pyramid \ - | riscv32 | riscv64 \ | rl78 | rx \ | score \ | sh | sh[1234] | sh[24]a | sh[24]aeb | sh[23]e | sh[34]eb | sheb | shbe | shle | sh[1234]le | sh3ele \ @@ -1017,7 +1016,7 @@ case $basic_machine in ;; ppc64) basic_machine=powerpc64-unknown ;; - ppc64-*) basic_machine=powerpc64-`echo $basic_machine | sed 's/^[^-]*-//'` + ppc64-* | ppc64p7-*) basic_machine=powerpc64-`echo $basic_machine | sed 's/^[^-]*-//'` ;; ppc64le | powerpc64little | ppc64-le | powerpc64-little) basic_machine=powerpc64le-unknown @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for OpenVPN 2.3.7. +# Generated by GNU Autoconf 2.69 for OpenVPN 2.3.8. # # Report bugs to <openvpn-users@lists.sourceforge.net>. # @@ -590,8 +590,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='OpenVPN' PACKAGE_TARNAME='openvpn' -PACKAGE_VERSION='2.3.7' -PACKAGE_STRING='OpenVPN 2.3.7' +PACKAGE_VERSION='2.3.8' +PACKAGE_STRING='OpenVPN 2.3.8' PACKAGE_BUGREPORT='openvpn-users@lists.sourceforge.net' PACKAGE_URL='' @@ -1427,7 +1427,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures OpenVPN 2.3.7 to adapt to many kinds of systems. +\`configure' configures OpenVPN 2.3.8 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... 
@@ -1497,7 +1497,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of OpenVPN 2.3.7:";; + short | recursive ) echo "Configuration of OpenVPN 2.3.8:";; esac cat <<\_ACEOF @@ -1701,7 +1701,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -OpenVPN configure 2.3.7 +OpenVPN configure 2.3.8 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2483,7 +2483,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by OpenVPN $as_me 2.3.7, which was +It was created by OpenVPN $as_me 2.3.8, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -2847,7 +2847,7 @@ if test -z "${htmldir}"; then fi -$as_echo "#define OPENVPN_VERSION_RESOURCE 2,3,7,0" >>confdefs.h +$as_echo "#define OPENVPN_VERSION_RESOURCE 2,3,8,0" >>confdefs.h ac_aux_dir= @@ -3057,8 +3057,8 @@ test "$program_suffix" != NONE && ac_script='s/[\\$]/&&/g;s/;s,x,x,$//' program_transform_name=`$as_echo "$program_transform_name" | sed "$ac_script"` -# Expand $ac_aux_dir to an absolute path. -am_aux_dir=`cd "$ac_aux_dir" && pwd` +# expand $ac_aux_dir to an absolute path +am_aux_dir=`cd $ac_aux_dir && pwd` if test x"${MISSING+set}" != xset; then case $am_aux_dir in @@ -3371,7 +3371,7 @@ fi # Define the identity of the package. PACKAGE='openvpn' - VERSION='2.3.7' + VERSION='2.3.8' cat >>confdefs.h <<_ACEOF @@ -3462,8 +3462,7 @@ to "yes", and re-run configure. END as_fn_error $? "Your 'rm' program is bad, sorry." "$LINENO" 5 fi -fi - # Make sure we can run config.sub. +fi # Make sure we can run config.sub. $SHELL "$ac_aux_dir/config.sub" sun4 >/dev/null 2>&1 || as_fn_error $? "cannot run $SHELL $ac_aux_dir/config.sub" "$LINENO" 5 
@@ -6855,8 +6854,7 @@ else ;; *) lt_cv_sys_max_cmd_len=`(getconf ARG_MAX) 2> /dev/null` - if test -n "$lt_cv_sys_max_cmd_len" && \ - test undefined != "$lt_cv_sys_max_cmd_len"; then + if test -n "$lt_cv_sys_max_cmd_len"; then lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 4` lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \* 3` else @@ -7254,6 +7252,10 @@ freebsd* | dragonfly*) fi ;; +gnu*) + lt_cv_deplibs_check_method=pass_all + ;; + haiku*) lt_cv_deplibs_check_method=pass_all ;; @@ -7292,11 +7294,11 @@ irix5* | irix6* | nonstopux*) ;; # This must be glibc/ELF. -linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*) +linux* | k*bsd*-gnu | kopensolaris*-gnu) lt_cv_deplibs_check_method=pass_all ;; -netbsd* | netbsdelf*-gnu) +netbsd*) if echo __ELF__ | $CC -E - | $GREP __ELF__ > /dev/null; then lt_cv_deplibs_check_method='match_pattern /lib[^/]+(\.so\.[0-9]+\.[0-9]+|_pic\.a)$' else @@ -8386,19 +8388,12 @@ s390*-*linux*|s390*-*tpf*|sparc*-*linux*) LD="${LD-ld} -m elf_i386_fbsd" ;; x86_64-*linux*) - case `/usr/bin/file conftest.o` in - *x86-64*) - LD="${LD-ld} -m elf32_x86_64" - ;; - *) - LD="${LD-ld} -m elf_i386" - ;; - esac + LD="${LD-ld} -m elf_i386" ;; - powerpc64le-*) + powerpc64le-*linux*) LD="${LD-ld} -m elf32lppclinux" ;; - powerpc64-*) + powerpc64-*linux*) LD="${LD-ld} -m elf32ppclinux" ;; s390x-*linux*) @@ -8417,10 +8412,10 @@ s390*-*linux*|s390*-*tpf*|sparc*-*linux*) x86_64-*linux*) LD="${LD-ld} -m elf_x86_64" ;; - powerpcle-*) + powerpcle-*linux*) LD="${LD-ld} -m elf64lppc" ;; - powerpc-*) + powerpc-*linux*) LD="${LD-ld} -m elf64ppc" ;; s390*-*linux*|s390*-*tpf*) @@ -10259,7 +10254,7 @@ lt_prog_compiler_static= lt_prog_compiler_static='-non_shared' ;; - linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*) + linux* | k*bsd*-gnu | kopensolaris*-gnu) case $cc_basename in # old Intel for x86_64 which still supported -KPIC. ecc*) 
@@ -10737,9 +10732,6 @@ $as_echo_n "checking whether the $compiler linker ($LD) supports shared librarie openbsd*) with_gnu_ld=no ;; - linux* | k*bsd*-gnu | gnu*) - link_all_deplibs=no - ;; esac ld_shlibs=yes @@ -10961,7 +10953,7 @@ _LT_EOF fi ;; - netbsd* | netbsdelf*-gnu) + netbsd*) if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then archive_cmds='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib' wlarc= @@ -11138,7 +11130,6 @@ _LT_EOF if test "$aix_use_runtimelinking" = yes; then shared_flag="$shared_flag "'${wl}-G' fi - link_all_deplibs=no else # not using gcc if test "$host_cpu" = ia64; then @@ -11592,7 +11583,7 @@ $as_echo "$lt_cv_irix_exported_symbol" >&6; } link_all_deplibs=yes ;; - netbsd* | netbsdelf*-gnu) + netbsd*) if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags' # a.out else @@ -12429,6 +12420,17 @@ freebsd* | dragonfly*) esac ;; +gnu*) + version_type=linux # correct to gnu/linux during the next big refactor + need_lib_prefix=no + need_version=no + library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}${major} ${libname}${shared_ext}' + soname_spec='${libname}${release}${shared_ext}$major' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no + hardcode_into_libs=yes + ;; + haiku*) version_type=linux # correct to gnu/linux during the next big refactor need_lib_prefix=no @@ -12545,7 +12547,7 @@ linux*oldld* | linux*aout* | linux*coff*) ;; # This must be glibc/ELF. -linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*) +linux* | k*bsd*-gnu | kopensolaris*-gnu) version_type=linux # correct to gnu/linux during the next big refactor need_lib_prefix=no need_version=no 
@@ -12594,10 +12596,14 @@ fi # before this can be enabled. hardcode_into_libs=yes + # Add ABI-specific directories to the system library path. + sys_lib_dlsearch_path_spec="/lib64 /usr/lib64 /lib /usr/lib" + # Append ld.so.conf contents to the search path if test -f /etc/ld.so.conf; then lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ ]*hwcap[ ]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;s/"//g;/^$/d' | tr '\n' ' '` - sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra" + sys_lib_dlsearch_path_spec="$sys_lib_dlsearch_path_spec $lt_ld_extra" + fi # We used to test for /lib/ld.so.1 and disable shared libraries on @@ -12609,18 +12615,6 @@ fi dynamic_linker='GNU/Linux ld.so' ;; -netbsdelf*-gnu) - version_type=linux - need_lib_prefix=no - need_version=no - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}' - soname_spec='${libname}${release}${shared_ext}$major' - shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=no - hardcode_into_libs=yes - dynamic_linker='NetBSD ld.elf_so' - ;; - netbsd*) version_type=sunos need_lib_prefix=no @@ -17636,7 +17630,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by OpenVPN $as_me 2.3.7, which was +This file was extended by OpenVPN $as_me 2.3.8, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -17702,7 +17696,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -OpenVPN config.status 2.3.7 +OpenVPN config.status 2.3.8 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" 
diff --git a/distro/rpm/openvpn.spec b/distro/rpm/openvpn.spec index bd1225e..8f7f3af 100644 --- a/distro/rpm/openvpn.spec +++ b/distro/rpm/openvpn.spec @@ -13,7 +13,7 @@ Summary: OpenVPN is a robust and highly flexible VPN daemon by James Yonan. Name: openvpn -Version: 2.3.7 +Version: 2.3.8 Release: 1 URL: http://openvpn.net/ Source0: http://prdownloads.sourceforge.net/openvpn/%{name}-%{version}.tar.gz diff --git a/doc/openvpn.8 b/doc/openvpn.8 index 9db6409..203dd46 100644 --- a/doc/openvpn.8 +++ b/doc/openvpn.8 @@ -2198,6 +2198,22 @@ openvpn command for a fairly reliable indication of whether the command has correctly initialized and entered the packet forwarding event loop. In OpenVPN, the vast majority of errors which occur after initialization are non-fatal. + +Note: as soon as OpenVPN has daemonized, it can not ask for usernames, +passwords, or key pass phrases anymore. This has certain consequences, +namely that using a password-protected private key will fail unless the +.B \-\-askpass +option is used to tell OpenVPN to ask for the pass phrase (this +requirement is new in 2.3.7, and is a consequence of calling daemon() +before initializing the crypto layer). + +Further, using +.B \-\-daemon +together with +.B \-\-auth-user-pass +(entered on console) and +.B \-\-auth-nocache +will fail as soon as key renegotiation (and reauthentication) occurs. .\"********************************************************* .TP .B \-\-syslog [progname] @@ -70,7 +70,7 @@ # compiler: $LTCC # compiler flags: $LTCFLAGS # linker: $LD (gnu? $with_gnu_ld) -# $progname: (GNU libtool) 2.4.2 Debian-2.4.2-1.11 +# $progname: (GNU libtool) 2.4.2 # automake: $automake_version # autoconf: $autoconf_version # @@ -80,7 +80,7 @@ PROGRAM=libtool PACKAGE=libtool -VERSION="2.4.2 Debian-2.4.2-1.11" +VERSION=2.4.2 TIMESTAMP="" package_revision=1.3337 
@@ -6124,10 +6124,7 @@ func_mode_link () case $pass in dlopen) libs="$dlfiles" ;; dlpreopen) libs="$dlprefiles" ;; - link) - libs="$deplibs %DEPLIBS%" - test "X$link_all_deplibs" != Xno && libs="$libs $dependency_libs" - ;; + link) libs="$deplibs %DEPLIBS% $dependency_libs" ;; esac fi if test "$linkmode,$pass" = "lib,dlpreopen"; then @@ -6447,19 +6444,19 @@ func_mode_link () # It is a libtool convenience library, so add in its objects. func_append convenience " $ladir/$objdir/$old_library" func_append old_convenience " $ladir/$objdir/$old_library" - tmp_libs= - for deplib in $dependency_libs; do - deplibs="$deplib $deplibs" - if $opt_preserve_dup_deps ; then - case "$tmp_libs " in - *" $deplib "*) func_append specialdeplibs " $deplib" ;; - esac - fi - func_append tmp_libs " $deplib" - done elif test "$linkmode" != prog && test "$linkmode" != lib; then func_fatal_error "\`$lib' is not a convenience library" fi + tmp_libs= + for deplib in $dependency_libs; do + deplibs="$deplib $deplibs" + if $opt_preserve_dup_deps ; then + case "$tmp_libs " in + *" $deplib "*) func_append specialdeplibs " $deplib" ;; + esac + fi + func_append tmp_libs " $deplib" + done continue fi # $pass = conv @@ -7352,9 +7349,6 @@ func_mode_link () revision="$number_minor" lt_irix_increment=no ;; - *) - func_fatal_configuration "$modename: unknown library version type \`$version_type'" - ;; esac ;; no) diff --git a/m4/libtool.m4 b/m4/libtool.m4 index d7c043f..f12cfdf 100644 --- a/m4/libtool.m4 +++ b/m4/libtool.m4 @@ -1324,19 +1324,12 @@ s390*-*linux*|s390*-*tpf*|sparc*-*linux*) LD="${LD-ld} -m elf_i386_fbsd" ;; x86_64-*linux*) - case `/usr/bin/file conftest.o` in - *x86-64*) - LD="${LD-ld} -m elf32_x86_64" - ;; - *) - LD="${LD-ld} -m elf_i386" - ;; - esac + LD="${LD-ld} -m elf_i386" ;; - powerpc64le-*) + powerpc64le-*linux*) LD="${LD-ld} -m elf32lppclinux" ;; - powerpc64-*) + powerpc64-*linux*) LD="${LD-ld} -m elf32ppclinux" ;; s390x-*linux*) 
@@ -1355,10 +1348,10 @@ s390*-*linux*|s390*-*tpf*|sparc*-*linux*) x86_64-*linux*) LD="${LD-ld} -m elf_x86_64" ;; - powerpcle-*) + powerpcle-*linux*) LD="${LD-ld} -m elf64lppc" ;; - powerpc-*) + powerpc-*linux*) LD="${LD-ld} -m elf64ppc" ;; s390*-*linux*|s390*-*tpf*) @@ -1701,8 +1694,7 @@ AC_CACHE_VAL([lt_cv_sys_max_cmd_len], [dnl ;; *) lt_cv_sys_max_cmd_len=`(getconf ARG_MAX) 2> /dev/null` - if test -n "$lt_cv_sys_max_cmd_len" && \ - test undefined != "$lt_cv_sys_max_cmd_len"; then + if test -n "$lt_cv_sys_max_cmd_len"; then lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 4` lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \* 3` else @@ -2526,6 +2518,17 @@ freebsd* | dragonfly*) esac ;; +gnu*) + version_type=linux # correct to gnu/linux during the next big refactor + need_lib_prefix=no + need_version=no + library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}${major} ${libname}${shared_ext}' + soname_spec='${libname}${release}${shared_ext}$major' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no + hardcode_into_libs=yes + ;; + haiku*) version_type=linux # correct to gnu/linux during the next big refactor need_lib_prefix=no @@ -2642,7 +2645,7 @@ linux*oldld* | linux*aout* | linux*coff*) ;; # This must be glibc/ELF. -linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*) +linux* | k*bsd*-gnu | kopensolaris*-gnu) version_type=linux # correct to gnu/linux during the next big refactor need_lib_prefix=no need_version=no 
@@ -2672,10 +2675,14 @@ linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*) # before this can be enabled. hardcode_into_libs=yes + # Add ABI-specific directories to the system library path. + sys_lib_dlsearch_path_spec="/lib64 /usr/lib64 /lib /usr/lib" + # Append ld.so.conf contents to the search path if test -f /etc/ld.so.conf; then lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \[$]2)); skip = 1; } { if (!skip) print \[$]0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ ]*hwcap[ ]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;s/"//g;/^$/d' | tr '\n' ' '` - sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra" + sys_lib_dlsearch_path_spec="$sys_lib_dlsearch_path_spec $lt_ld_extra" + fi # We used to test for /lib/ld.so.1 and disable shared libraries on @@ -2687,18 +2694,6 @@ linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*) dynamic_linker='GNU/Linux ld.so' ;; -netbsdelf*-gnu) - version_type=linux - need_lib_prefix=no - need_version=no - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}' - soname_spec='${libname}${release}${shared_ext}$major' - shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=no - hardcode_into_libs=yes - dynamic_linker='NetBSD ld.elf_so' - ;; - netbsd*) version_type=sunos need_lib_prefix=no @@ -3258,6 +3253,10 @@ freebsd* | dragonfly*) fi ;; +gnu*) + lt_cv_deplibs_check_method=pass_all + ;; + haiku*) lt_cv_deplibs_check_method=pass_all ;; @@ -3296,11 +3295,11 @@ irix5* | irix6* | nonstopux*) ;; # This must be glibc/ELF. -linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*) +linux* | k*bsd*-gnu | kopensolaris*-gnu) lt_cv_deplibs_check_method=pass_all ;; -netbsd* | netbsdelf*-gnu) +netbsd*) if echo __ELF__ | $CC -E - | $GREP __ELF__ > /dev/null; then lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so\.[[0-9]]+\.[[0-9]]+|_pic\.a)$' else 
@@ -4048,7 +4047,7 @@ m4_if([$1], [CXX], [ ;; esac ;; - linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*) + linux* | k*bsd*-gnu | kopensolaris*-gnu) case $cc_basename in KCC*) # KAI C++ Compiler @@ -4112,7 +4111,7 @@ m4_if([$1], [CXX], [ ;; esac ;; - netbsd* | netbsdelf*-gnu) + netbsd*) ;; *qnx* | *nto*) # QNX uses GNU C++, but need to define -shared option too, otherwise @@ -4347,7 +4346,7 @@ m4_if([$1], [CXX], [ _LT_TAGVAR(lt_prog_compiler_static, $1)='-non_shared' ;; - linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*) + linux* | k*bsd*-gnu | kopensolaris*-gnu) case $cc_basename in # old Intel for x86_64 which still supported -KPIC. ecc*) @@ -4589,9 +4588,6 @@ m4_if([$1], [CXX], [ ;; esac ;; - linux* | k*bsd*-gnu | gnu*) - _LT_TAGVAR(link_all_deplibs, $1)=no - ;; *) _LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols' ;; @@ -4654,9 +4650,6 @@ dnl Note also adjust exclude_expsyms for C++ above. openbsd*) with_gnu_ld=no ;; - linux* | k*bsd*-gnu | gnu*) - _LT_TAGVAR(link_all_deplibs, $1)=no - ;; esac _LT_TAGVAR(ld_shlibs, $1)=yes @@ -4878,7 +4871,7 @@ _LT_EOF fi ;; - netbsd* | netbsdelf*-gnu) + netbsd*) if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then _LT_TAGVAR(archive_cmds, $1)='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib' wlarc= @@ -5055,7 +5048,6 @@ _LT_EOF if test "$aix_use_runtimelinking" = yes; then shared_flag="$shared_flag "'${wl}-G' fi - _LT_TAGVAR(link_all_deplibs, $1)=no else # not using gcc if test "$host_cpu" = ia64; then @@ -5360,7 +5352,7 @@ _LT_EOF _LT_TAGVAR(link_all_deplibs, $1)=yes ;; - netbsd* | netbsdelf*-gnu) + netbsd*) if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then _LT_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags' # a.out else 
@@ -6240,6 +6232,9 @@ if test "$_lt_caught_CXX_error" != yes; then _LT_TAGVAR(ld_shlibs, $1)=yes ;; + gnu*) + ;; + haiku*) _LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' _LT_TAGVAR(link_all_deplibs, $1)=yes @@ -6401,7 +6396,7 @@ if test "$_lt_caught_CXX_error" != yes; then _LT_TAGVAR(inherit_rpath, $1)=yes ;; - linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*) + linux* | k*bsd*-gnu | kopensolaris*-gnu) case $cc_basename in KCC*) # Kuck and Associates, Inc. (KAI) C++ Compiler diff --git a/src/openvpn/buffer.h b/src/openvpn/buffer.h index 93efb09..d306a04 100644 --- a/src/openvpn/buffer.h +++ b/src/openvpn/buffer.h @@ -308,7 +308,10 @@ has_digit (const unsigned char* src) } /* - * printf append to a buffer with overflow check + * printf append to a buffer with overflow check, + * due to usage of vsnprintf, it will leave space for + * a final null character and thus use only + * capacity - 1 */ bool buf_printf (struct buffer *buf, const char *format, ...) #ifdef __GNUC__ diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index aa93a7b..c2d5c27 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c @@ -166,11 +166,11 @@ openvpn_encrypt (struct buffer *buf, struct buffer work, /* Encrypt packet ID, payload */ ASSERT (cipher_ctx_update (ctx->cipher, BPTR (&work), &outlen, BPTR (buf), BLEN (buf))); - work.len += outlen; + ASSERT (buf_inc_len(&work, outlen)); /* Flush the encryption buffer */ - ASSERT(cipher_ctx_final(ctx->cipher, BPTR (&work) + outlen, &outlen)); - work.len += outlen; + ASSERT (cipher_ctx_final(ctx->cipher, BPTR (&work) + outlen, &outlen)); + ASSERT (buf_inc_len(&work, outlen)); /* For all CBC mode ciphers, check the last block is complete */ ASSERT (cipher_kt_mode (cipher_kt) != OPENVPN_MODE_CBC || 
@@ -305,18 +305,18 @@ openvpn_decrypt (struct buffer *buf, struct buffer work, CRYPT_ERROR ("cipher init failed"); /* Buffer overflow check (should never happen) */ - if (!buf_safe (&work, buf->len)) - CRYPT_ERROR ("buffer overflow"); + if (!buf_safe (&work, buf->len + cipher_ctx_block_size(ctx->cipher))) + CRYPT_ERROR ("potential buffer overflow"); /* Decrypt packet ID, payload */ if (!cipher_ctx_update (ctx->cipher, BPTR (&work), &outlen, BPTR (buf), BLEN (buf))) CRYPT_ERROR ("cipher update failed"); - work.len += outlen; + ASSERT (buf_inc_len(&work, outlen)); /* Flush the decryption buffer */ if (!cipher_ctx_final (ctx->cipher, BPTR (&work) + outlen, &outlen)) CRYPT_ERROR ("cipher final failed"); - work.len += outlen; + ASSERT (buf_inc_len(&work, outlen)); dmsg (D_PACKET_CONTENT, "DECRYPT TO: %s", format_hex (BPTR (&work), BLEN (&work), 80, &gc)); @@ -413,9 +413,8 @@ crypto_adjust_frame_parameters(struct frame *frame, if (use_iv) crypto_overhead += cipher_kt_iv_size (kt->cipher); - if (cipher_kt_mode_cbc (kt->cipher)) - /* worst case padding expansion */ - crypto_overhead += cipher_kt_block_size (kt->cipher); + /* extra block required by cipher_ctx_update() */ + crypto_overhead += cipher_kt_block_size (kt->cipher); } crypto_overhead += kt->hmac_length; diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h index 4e45df0..4c1ce9f 100644 --- a/src/openvpn/crypto_backend.h +++ b/src/openvpn/crypto_backend.h @@ -333,7 +333,7 @@ int cipher_ctx_reset (cipher_ctx_t *ctx, uint8_t *iv_buf); * Note that if a complete block cannot be written, data is cached in the * context, and emitted at a later call to \c cipher_ctx_update, or by a call * to \c cipher_ctx_final(). This implies that dst should have enough room for - * src_len + \c cipher_ctx_block_size() - 1. + * src_len + \c cipher_ctx_block_size(). * * @param ctx Cipher's context. May not be NULL. * @param dst Destination buffer 
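Review bot: In the openvpn_decrypt hunk, the two new `ASSERT (buf_inc_len(&work, outlen));` lines turn a length-accounting failure into an assertion on a path that handles packets received from the network, while every other failure in the same hunk goes through `CRYPT_ERROR`. The widened `buf_safe` check should make the assertion unreachable, but if a cipher backend ever reported a larger `outlen`, the process would presumably exit (assuming ASSERT is fatal here as it usually is) instead of rejecting one packet, and the cipher call has already written the bytes by the time the length is checked. Consider `if (!buf_inc_len(&work, outlen)) CRYPT_ERROR ("potential buffer overflow");` at both sites. The body of openvpn_decrypt starts and ends outside the hunk.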
diff --git a/src/openvpn/init.c b/src/openvpn/init.c index c99e775..71c91a2 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -389,8 +389,8 @@ next_connection_entry (struct context *c) /* * Query for private key and auth-user-pass username/passwords */ -static void -init_query_passwords (struct context *c) +void +init_query_passwords (const struct context *c) { #if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL) /* Certificate password input */ @@ -520,8 +520,6 @@ context_init_1 (struct context *c) init_connection_list (c); - init_query_passwords (c); - #if defined(ENABLE_PKCS11) if (c->first_time) { int i; @@ -2775,16 +2773,10 @@ do_init_first_time (struct context *c) platform_group_get (c->options.groupname, &c0->platform_state_group) | platform_user_get (c->options.username, &c0->platform_state_user); - /* get --writepid file descriptor */ - get_pid_file (c->options.writepid, &c0->pid_state); - /* perform postponed chdir if --daemon */ if (c->did_we_daemonize && c->options.cd_dir == NULL) platform_chdir("/"); - /* save process ID in a file */ - write_pid (&c0->pid_state); - /* should we change scheduling priority? */ platform_nice (c->options.nice); } diff --git a/src/openvpn/init.h b/src/openvpn/init.h index d1908ed..a819bd2 100644 --- a/src/openvpn/init.h +++ b/src/openvpn/init.h @@ -63,6 +63,11 @@ void init_instance_handle_signals (struct context *c, const struct env_set *env, void init_instance (struct context *c, const struct env_set *env, const unsigned int flags); +/** + * Query for private key and auth-user-pass username/passwords. + */ +void init_query_passwords (const struct context *c); + void do_route (const struct options *options, struct route_list *route_list, struct route_ipv6_list *route_ipv6_list, diff --git a/src/openvpn/misc.c b/src/openvpn/misc.c index 8408438..f20d059 100644 --- a/src/openvpn/misc.c +++ b/src/openvpn/misc.c 
@@ -127,30 +127,21 @@ run_up_down (const char *command, gc_free (&gc); } -/* Get the file we will later write our process ID to */ +/* Write our PID to a file */ void -get_pid_file (const char* filename, struct pid_state *state) +write_pid (const char *filename) { - CLEAR (*state); if (filename) { - state->fp = platform_fopen (filename, "w"); - if (!state->fp) + unsigned int pid = 0; + FILE *fp = platform_fopen (filename, "w"); + if (!fp) msg (M_ERR, "Open error on pid file %s", filename); - state->filename = filename; - } -} -/* Write our PID to a file */ -void -write_pid (const struct pid_state *state) -{ - if (state->filename && state->fp) - { - unsigned int pid = platform_getpid (); - fprintf(state->fp, "%u\n", pid); - if (fclose (state->fp)) - msg (M_ERR, "Close error on pid file %s", state->filename); + pid = platform_getpid (); + fprintf(fp, "%u\n", pid); + if (fclose (fp)) + msg (M_ERR, "Close error on pid file %s", filename); } } @@ -1097,6 +1088,12 @@ get_user_pass_cr (struct user_pass *up, */ else if (from_stdin) { +#ifndef WIN32 + /* did we --daemon'ize before asking for passwords? */ + if ( !isatty(0) && !isatty(2) ) + { msg(M_FATAL, "neither stdin nor stderr are a tty device, can't ask for %s password. If you used --daemon, you need to use --askpass to make passphrase-protected keys work, and you can not use --auth-nocache.", prefix ); } +#endif + #ifdef ENABLE_CLIENT_CR if (auth_challenge && (flags & GET_USER_PASS_DYNAMIC_CHALLENGE)) { diff --git a/src/openvpn/misc.h b/src/openvpn/misc.h index 183898e..e67b5e4 100644 --- a/src/openvpn/misc.h +++ b/src/openvpn/misc.h 
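Review bot: The rewritten write_pid() has no comment on the privileges it runs with, and it opens `filename` with mode "w" in a single step. Together with the openvpn.c change that calls it right after daemonizing, this appears to happen before any user/group change, so unless platform_fopen guards against it, an existing file or link at that path is opened and truncated with the starting user's rights. A comment such as `/* runs right after daemonizing with the privileges openvpn was started with; --writepid must not point into a directory other users can write to */` would record the expectation. The `fprintf (fp, "%u\n", pid)` result is also ignored, so a write failure is only noticed if it resurfaces at `fclose`.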
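Review bot: In the get_user_pass_cr hunk, `if ( !isatty(0) && !isatty(2) )` is used as a stand-in for "we already daemonized", but it is equally true for a foreground process whose stdin and stderr are both redirected, for example one started by a supervisor or fed through a pipe. That case now ends in `M_FATAL`, even though options.c in the same commit starts accepting stdin for --askpass. If a record of the daemonize step is reachable here it would be a more precise condition; otherwise the message should state what was actually observed (no tty on fd 0 or fd 2) before suggesting --daemon as the cause. The function body continues outside the hunk.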
@@ -73,14 +73,7 @@ void run_up_down (const char *command, const char *script_type, struct env_set *es); -/* workspace for get_pid_file/write_pid */ -struct pid_state { - FILE *fp; - const char *filename; -}; - -void get_pid_file (const char* filename, struct pid_state *state); -void write_pid (const struct pid_state *state); +void write_pid (const char *filename); /* check file protections */ void warn_if_group_others_accessible(const char* filename); diff --git a/src/openvpn/openvpn.c b/src/openvpn/openvpn.c index 2f327f3..32e326e 100644 --- a/src/openvpn/openvpn.c +++ b/src/openvpn/openvpn.c @@ -228,15 +228,28 @@ openvpn_main (int argc, char *argv[]) /* test crypto? */ if (do_test_crypto (&c.options)) break; - + + /* Query passwords before becoming a daemon if we don't use the + * management interface to get them. */ +#ifdef ENABLE_MANAGEMENT + if (!(c.options.management_flags & MF_QUERY_PASSWORDS)) +#endif + init_query_passwords (&c); + /* become a daemon if --daemon */ if (c.first_time) - c.did_we_daemonize = possibly_become_daemon (&c.options); + { + c.did_we_daemonize = possibly_become_daemon (&c.options); + write_pid (c.options.writepid); + } #ifdef ENABLE_MANAGEMENT /* open management subsystem */ if (!open_management (&c)) break; + /* query for passwords through management interface, if needed */ + if (c.options.management_flags & MF_QUERY_PASSWORDS) + init_query_passwords (&c); #endif /* set certain options as environmental variables */ diff --git a/src/openvpn/openvpn.h b/src/openvpn/openvpn.h index bdfa685..10ec859 100644 --- a/src/openvpn/openvpn.h +++ b/src/openvpn/openvpn.h @@ -137,9 +137,6 @@ struct context_persist */ struct context_0 { - /* workspace for get_pid_file/write_pid */ - struct pid_state pid_state; - /* workspace for --user/--group */ bool uid_gid_specified; bool uid_gid_set; diff --git a/src/openvpn/options.c b/src/openvpn/options.c index ff4b07b..007bd8c 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c 
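Review bot: In the openvpn_main hunk, the new `if (!(c.options.management_flags & MF_QUERY_PASSWORDS))` sits inside `#ifdef ENABLE_MANAGEMENT` without braces, while the statement it guards, `init_query_passwords (&c);`, comes after the `#endif`. It compiles either way, but a statement inserted between the `#endif` and the call would silently change what is conditional, and this is the code that decides whether secrets are requested before or after the process detaches from its terminal. Spelling out both preprocessor branches with braces, as below, makes the control flow explicit. Separately, `write_pid (c.options.writepid)` now runs before `open_management` and the rest of start-up, so a later initialisation failure presumably leaves the pid file behind; a comment saying so would help.

```c
  /* Query passwords before becoming a daemon if we don't use the
   * management interface to get them. */
#ifdef ENABLE_MANAGEMENT
  if (!(c.options.management_flags & MF_QUERY_PASSWORDS))
    {
      init_query_passwords (&c);
    }
#else
  init_query_passwords (&c);
#endif
  /* … unchanged: daemonize, write_pid, open_management … */
```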
@@ -2774,8 +2774,8 @@ options_postprocess_filechecks (struct options *options) /* ** Password files ** */ #ifdef ENABLE_SSL - errs |= check_file_access (CHKACC_FILE, options->key_pass_file, R_OK, - "--askpass"); + errs |= check_file_access (CHKACC_FILE|CHKACC_ACPTSTDIN, + options->key_pass_file, R_OK, "--askpass"); #endif /* ENABLE_SSL */ #ifdef ENABLE_MANAGEMENT errs |= check_file_access (CHKACC_FILE|CHKACC_ACPTSTDIN, @@ -3757,11 +3757,16 @@ read_inline_file (struct in_src *is, const char *close_tag, struct gc_arena *gc) char line[OPTION_LINE_SIZE]; struct buffer buf = alloc_buf (8*OPTION_LINE_SIZE); char *ret; + bool endtagfound = false; + while (in_src_get (is, line, sizeof (line))) { if (!strncmp (line, close_tag, strlen (close_tag))) - break; - if (!buf_safe (&buf, strlen(line))) + { + endtagfound = true; + break; + } + if (!buf_safe (&buf, strlen(line)+1)) { /* Increase buffer size */ struct buffer buf2 = alloc_buf (buf.capacity * 2); @@ -3772,6 +3777,8 @@ read_inline_file (struct in_src *is, const char *close_tag, struct gc_arena *gc) } buf_printf (&buf, "%s", line); } + if (!endtagfound) + msg (M_WARN, "WARNING: Endtag %s missing", close_tag); ret = string_alloc (BSTR (&buf), gc); buf_clear (&buf); free_buf (&buf); diff --git a/src/openvpn/syshead.h b/src/openvpn/syshead.h index 7075b96..ffba4e8 100644 --- a/src/openvpn/syshead.h +++ b/src/openvpn/syshead.h @@ -45,6 +45,10 @@ #define srandom srand #endif +#ifdef _MSC_VER // Visual Studio +#define __func__ __FUNCTION__ +#endif + #if defined(__APPLE__) #if __ENVIRONMENT_MAC_OS_X_VERSION_MIN_REQUIRED__ >= 1070 #define __APPLE_USE_RFC_3542 1 diff --git a/src/openvpn/tun.c b/src/openvpn/tun.c index 285e774..3e20215 100644 --- a/src/openvpn/tun.c +++ b/src/openvpn/tun.c 
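Review bot: In read_inline_file, a missing close tag is only reported through `msg (M_WARN, "WARNING: Endtag %s missing", close_tag);`, and by then the loop has read every remaining line of the source into the inline blob. Any option that followed the unterminated block is therefore never parsed, which matters when those lines carry security settings, and the returned string is not the key or certificate the author meant to supply. Consider failing instead, `msg (M_FATAL, "ERROR: Endtag %s missing", close_tag);`, or at least have the warning say that the rest of the file was consumed as inline data. The function starts outside the hunk.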
@@ -1714,6 +1714,32 @@ close_tun (struct tuntap *tt) argv_msg (M_INFO, &argv); openvpn_execve_check (&argv, NULL, 0, "Linux ip addr del failed"); + if (tt->ipv6 && tt->did_ifconfig_ipv6_setup) + { + const char * ifconfig_ipv6_local = print_in6_addr (tt->local_ipv6, 0, &gc); + +#ifdef ENABLE_IPROUTE + argv_printf (&argv, "%s -6 addr del %s/%d dev %s", + iproute_path, + ifconfig_ipv6_local, + tt->netbits_ipv6, + tt->actual_name + ); + argv_msg (M_INFO, &argv); + openvpn_execve_check (&argv, NULL, 0, "Linux ip -6 addr del failed"); +#else + argv_printf (&argv, + "%s %s del %s/%d", + IFCONFIG_PATH, + tt->actual_name, + ifconfig_ipv6_local, + tt->netbits_ipv6 + ); + argv_msg (M_INFO, &argv); + openvpn_execve_check (&argv, NULL, 0, "Linux ifconfig inet6 del failed"); +#endif + } + argv_reset (&argv); gc_free (&gc); } diff --git a/tests/t_client.sh b/tests/t_client.sh index 4a8a30f..38cedb1 100755 --- a/tests/t_client.sh +++ b/tests/t_client.sh @@ -1,4 +1,4 @@ -#!/bin/bash +#!/bin/sh # # run OpenVPN client against ``test reference'' server # - check that ping, http, ... via tunnel works @@ -86,12 +86,12 @@ fail() get_ifconfig_route() { # linux / iproute2? (-> if configure got a path) - if [ -n "/bin/ip" ] + if [ -n "/usr/sbin/ip" ] then echo "-- linux iproute2 --" - /bin/ip addr show | grep -v valid_lft - /bin/ip route show - /bin/ip -o -6 route show | grep -v ' cache' | sed -E -e 's/ expires [0-9]*sec//' -e 's/ (mtu|hoplimit|cwnd|ssthresh) [0-9]+//g' -e 's/ (rtt|rttvar) [0-9]+ms//g' + /usr/sbin/ip addr show | grep -v valid_lft + /usr/sbin/ip route show + /usr/sbin/ip -o -6 route show | grep -v ' cache' | sed -E -e 's/ expires [0-9]*sec//' -e 's/ (mtu|hoplimit|cwnd|ssthresh) [0-9]+//g' -e 's/ (rtt|rttvar) [0-9]+ms//g' return fi 
@@ -99,26 +99,26 @@ get_ifconfig_route() case `uname -s` in Linux) echo "-- linux / ifconfig --" - LANG=C /sbin/ifconfig -a |egrep "( addr:|encap:)" + LANG=C /usr/sbin/ifconfig -a |egrep "( addr:|encap:)" LANG=C netstat -rn -4 -6 return ;; FreeBSD|NetBSD|Darwin) echo "-- FreeBSD/NetBSD/Darwin [MacOS X] --" - /sbin/ifconfig -a | egrep "(flags=|inet)" + /usr/sbin/ifconfig -a | egrep "(flags=|inet)" netstat -rn | awk '$3 !~ /^UHL/ { print $1,$2,$3,$NF }' return ;; OpenBSD) echo "-- OpenBSD --" - /sbin/ifconfig -a | egrep "(flags=|inet)" | \ + /usr/sbin/ifconfig -a | egrep "(flags=|inet)" | \ sed -e 's/pltime [0-9]*//' -e 's/vltime [0-9]*//' netstat -rn | awk '$3 !~ /^UHL/ { print $1,$2,$3,$NF }' return ;; SunOS) echo "-- Solaris --" - /sbin/ifconfig -a | egrep "(flags=|inet)" + /usr/sbin/ifconfig -a | egrep "(flags=|inet)" netstat -rn | awk '$3 !~ /^UHL/ { print $1,$2,$3,$6 }' return ;; @@ -1,9 +1,9 @@ dnl define the OpenVPN version define([PRODUCT_NAME], [OpenVPN]) define([PRODUCT_TARNAME], [openvpn]) -define([PRODUCT_VERSION], [2.3.7]) +define([PRODUCT_VERSION], [2.3.8]) define([PRODUCT_BUGREPORT], [openvpn-users@lists.sourceforge.net]) -define([PRODUCT_VERSION_RESOURCE], [2,3,7,0]) +define([PRODUCT_VERSION_RESOURCE], [2,3,8,0]) dnl define the TAP version define([PRODUCT_TAP_WIN_COMPONENT_ID], [tap0901]) define([PRODUCT_TAP_WIN_MIN_MAJOR], [9]) |