author | Jörg Frings-Fürst <debian@jff.email> | 2022-02-09 16:35:02 +0100 |
---|---|---|
committer | Jörg Frings-Fürst <debian@jff.email> | 2022-02-09 16:35:02 +0100 |
commit | 8e924e2c919e6fbeae0045b67ac54b9697306d7d (patch) | |
tree | 2ddb2a40fd70018ada5fbab576002199771f67c5 | |
parent | f2b3dda12a731c2e0971cb7889728edaf23f6cb0 (diff) |
New upstream version 2.5.5upstream/2.5.5upstream
58 files changed, 592 insertions, 1274 deletions
@@ -1,6 +1,63 @@ OpenVPN Change Log Copyright (C) 2002-2021 OpenVPN Inc <sales@openvpn.net> +2021.12.14 -- Version 2.5.5 + +Adrian (1): + Fix error in example firewall.sh script + +Antonio Quartulli (1): + configure: remove useless -Wno-* from default CFLAGS + +Arne Schwabe (2): + Add argv_insert_head__empty_argv__head_only to argv tests + Move deprecation of SWEET32/64bit block size ciphers to 2.7 + +Gert Doering (3): + Include --push-remove in the output of --help. + Move '--push-peer-info' documentation from 'server' to 'client options' + add test case(s) to notice 'openvpn --show-cipher' crashing + +Ilya Shipitsin (1): + BUILD: enable CFG and Spectre mitigation for MSVC + +Lev Stipakov (12): + Fix loading PKCS12 files on Windows + msvc: fix product version display + msvc: add missing header to project file + config-msvc.h: fix OpenSSL-related defines + contrib/vcpkg-ports: remove openssl port + GitHub Actions: use latest working lukka/run-vcpkg + Use network address for emulated DHCP server as a default + Load OpenSSL config on Windows from trusted location + ring_buffer.h: fix GCC warning about unused function + ssh_openssl.h: remove unused declaration + vcpkg/pkcs11-helper: compatibility with latest vcpkg + config-msvc.h: indicate key material export support + +Max Fillinger (2): + Don't use BF-CBC in unit tests if we don't have it + Define have_blowfish variable in ncp unit tests + +Richard T Bonhomme (1): + doc link-options.rst: Use free open-source dynamic-DNS provider URL + +Selva Nair (3): + Fix some more wrong defines in config-msvc.h + Ensure the current common_name is in the environment for scripts + Require EC key support in Windows builds + +Sergio E. Nemirowski (1): + resolvconf fails with -p + +Todd Zullinger (2): + Update IRC information in CONTRIBUTING.rst + doc/man (vpn-network-options): fix foreign_option_{n} typo + +Ville Skyttä (1): + README.down-root: Fix plugin module name + + 2021.10.04 -- Version 2.5.4 Antonio Quartulli (3): 
diff --git a/Changes.rst b/Changes.rst
index ba5ee1a..b6f98d5 100644
--- a/Changes.rst
+++ b/Changes.rst
@@ -1,3 +1,71 @@ +Overview of changes in 2.5.5 +============================ + +User-visible Changes +-------------------- +- SWEET32/64bit cipher deprecation change was postponed to 2.7 + +- Windows: use network address for emulated DHCP server as default + this enables use of a /30 subnet, which is needed when connecting + to OpenVPN Cloud. + +- require EC support in windows builds + (this means it's no longer possible to build a Windows OpenVPN binary + with an OpenSSL lib without EC support) + +New features +------------ +- Windows build: use CFG and Spectre mitigations on MSVC builds + +- bring back OpenSSL config loading to Windows builds. + OpenSSL config is loaded from %installdir%\SSL\openssl.cfg + (typically: c:\program files\openvpn\SSL\openssl.cfg) if it exists. + + This is important for some hardware tokens which need special + OpenSSL config for correct operation. Trac #1296 + +Bugfixes +-------- +- Windows build: enable EKM + +- Windows build: improve various vcpkg related build issues + +- Windows build: fix regression related to non-writeable status files + (Trac #1430) + +- Windows build: fix regression that broke OpenSSL EC support + +- Windows build: fix "product version" display (2.5..4 -> 2.5.4) + +- Windows build: fix regression preventing use of PKCS12 files + +- improve "make check" to notice if "openvpn --show-cipher" crashes + +- improve argv unit tests + +- ensure unit tests work with mbedTLS builds without BF-CBC ciphers + +- include "--push-remove" in the output of "openvpn --help" + +- fix error in iptables syntax in example firewall.sh script + +- fix "resolvconf -p" invocation in example "up" script + +- fix "common_name" environment for script calls when + "--username-as-common-name" is in effect (Trac #1434) + +Documentation +------------- +- move "push-peer-info" documentation from "server options" to "client" + (where it belongs) + +- correct "foreign_option_{n}" typo in manpage + +- update IRC information in CONTRIBUTING.rst 
(libera.chat) + +- README.down-root: fix plugin module name + + Overview of changes in 2.5.4 ============================ Bugfixes diff --git a/config-msvc-version.h.in b/config-msvc-version.h.in index 7977cb8..59ca654 100644 --- a/config-msvc-version.h.in +++ b/config-msvc-version.h.in @@ -5,8 +5,8 @@ #define PRODUCT_VERSION_MAJOR "@PRODUCT_VERSION_MAJOR@" #define PRODUCT_VERSION_MINOR "@PRODUCT_VERSION_MINOR@" #define PRODUCT_VERSION_PATCH "@PRODUCT_VERSION_PATCH@" -#define PACKAGE_VERSION "@PRODUCT_VERSION_MAJOR@.@PRODUCT_VERSION_MINOR@.@PRODUCT_VERSION_PATCH@" -#define PRODUCT_VERSION "@PRODUCT_VERSION_MAJOR@.@PRODUCT_VERSION_MINOR@.@PRODUCT_VERSION_PATCH@" +#define PACKAGE_VERSION "@PRODUCT_VERSION_MAJOR@.@PRODUCT_VERSION_MINOR@@PRODUCT_VERSION_PATCH@" +#define PRODUCT_VERSION "@PRODUCT_VERSION_MAJOR@.@PRODUCT_VERSION_MINOR@@PRODUCT_VERSION_PATCH@" #define PRODUCT_BUGREPORT "@PRODUCT_BUGREPORT@" #define OPENVPN_VERSION_RESOURCE @PRODUCT_VERSION_RESOURCE@ #define TAP_WIN_COMPONENT_ID "@PRODUCT_TAP_WIN_COMPONENT_ID@" diff --git a/config-msvc.h b/config-msvc.h index f199bb2..e7479c8 100644 --- a/config-msvc.h +++ b/config-msvc.h @@ -5,8 +5,6 @@ #define ENABLE_DEF_AUTH 1 #define ENABLE_PF 1 #define ENABLE_CRYPTO_OPENSSL 1 -#define ENABLE_DEBUG 1 -#define ENABLE_EUREPHIA 1 #define ENABLE_FRAGMENT 1 #define ENABLE_HTTP_PROXY 1 #define ENABLE_LZO 1 @@ -84,13 +82,16 @@ #define HAVE_HMAC_CTX_NEW 1 #define HAVE_SSL_CTX_GET_DEFAULT_PASSWD_CB_USERDATA 1 #define HAVE_SSL_CTX_GET_DEFAULT_PASSWD_CB 1 +#define HAVE_SSL_CTX_NEW 1 +#define HAVE_SSL_CTX_SET_SECURITY_LEVEL 1 #define HAVE_X509_GET0_PUBKEY 1 #define HAVE_X509_STORE_GET0_OBJECTS 1 #define HAVE_X509_OBJECT_FREE 1 #define HAVE_X509_OBJECT_GET_TYPE 1 +#define HAVE_X509_GET0_NOTAFTER 1 +#define HAVE_X509_GET0_NOTBEFORE 1 #define HAVE_EVP_PKEY_GET0_RSA 1 #define HAVE_EVP_PKEY_GET0_EC_KEY 1 -#define HAVE_EVP_PKEY_ID 1 #define HAVE_EVP_PKEY_GET0_DSA 1 #define HAVE_RSA_SET_FLAGS 1 #define HAVE_RSA_GET0_KEY 1 
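Review bot: In config-msvc-version.h.in the new `PACKAGE_VERSION` and `PRODUCT_VERSION` strings join `@PRODUCT_VERSION_MINOR@@PRODUCT_VERSION_PATCH@` with no separator, which reads like a typo unless the reader knows the patch component carries its own dot. The configure hunk in this commit sets `OPENVPN_VERSION_PATCH=.5`, so the MSVC value presumably has the same shape, but nothing next to the defines says so. I would add `/* PRODUCT_VERSION_PATCH already starts with '.', e.g. ".5"; do not add a separator */` above the two lines so the double dot is not reintroduced later.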
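Review bot: The `HAVE_SSL_CTX_NEW`, `HAVE_SSL_CTX_SET_SECURITY_LEVEL`, `HAVE_X509_GET0_NOTAFTER` and `HAVE_X509_GET0_NOTBEFORE` defines added to config-msvc.h in the `@@ -84,13 +82,16 @@` hunk are asserted by hand rather than probed, and the header does not say which OpenSSL release they assume. The same applies to `HAVE_EXPORT_KEYING_MATERIAL` and the dropped `OPENSSL_NO_EC` in the `@@ -110,8 +111,10 @@` hunk. A wrong value here is not cosmetic: a missing define presumably selects a compatibility fallback instead of the real TLS library call, and the changelog in this commit lists an EC regression of that kind. I would add `/* OpenSSL feature defines: valid for OpenSSL >= <minimum supported version>; keep in sync with the checks in configure.ac */` above the block.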
@@ -110,8 +111,10 @@ #define HAVE_RSA_METH_SET0_APP_DATA 1 #define HAVE_RSA_METH_GET0_APP_DATA 1 #define HAVE_EC_GROUP_ORDER_BITS 1 -#define OPENSSL_NO_EC 1 #define HAVE_EVP_CIPHER_CTX_RESET 1 + +#define HAVE_EXPORT_KEYING_MATERIAL 1 + #define HAVE_DIINSTALLDEVICE 1 #define PATH_SEPARATOR '\\' @@ -141,8 +144,9 @@ #define in_addr_t uint32_t #define ssize_t SSIZE_T -#define S_IRUSR 0 -#define S_IWUSR 0 +#define S_IRUSR _S_IREAD +#define S_IWUSR _S_IWRITE +#define S_IRGRP (S_IRUSR >> 3) #define R_OK 4 #define W_OK 2 #define X_OK 1 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for OpenVPN 2.5.4. +# Generated by GNU Autoconf 2.69 for OpenVPN 2.5.5. # # Report bugs to <openvpn-users@lists.sourceforge.net>. # @@ -590,8 +590,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='OpenVPN' PACKAGE_TARNAME='openvpn' -PACKAGE_VERSION='2.5.4' -PACKAGE_STRING='OpenVPN 2.5.4' +PACKAGE_VERSION='2.5.5' +PACKAGE_STRING='OpenVPN 2.5.5' PACKAGE_BUGREPORT='openvpn-users@lists.sourceforge.net' PACKAGE_URL='' @@ -1477,7 +1477,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures OpenVPN 2.5.4 to adapt to many kinds of systems. +\`configure' configures OpenVPN 2.5.5 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1548,7 +1548,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of OpenVPN 2.5.4:";; + short | recursive ) echo "Configuration of OpenVPN 2.5.5:";; esac cat <<\_ACEOF @@ -1761,7 +1761,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -OpenVPN configure 2.5.4 +OpenVPN configure 2.5.5 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. 
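Review bot: In the `@@ -141,8 +144,9 @@` hunk of config-msvc.h, `S_IRUSR`/`S_IWUSR` now map to `_S_IREAD`/`_S_IWRITE`, and the new `S_IRGRP` expands to `(S_IRUSR >> 3)`, a bit the Microsoft CRT does not document as a permission. As far as the CRT documents, only `_S_IREAD` and `_S_IWRITE` are honoured and they control the read-only attribute, not who may open the file. A caller that passes `S_IRUSR | S_IWUSR` to get an owner-only file therefore gets no such restriction on Windows. I would record that at the defines: `/* MSVC CRT honours only _S_IREAD/_S_IWRITE (read-only attribute); these bits do not limit access to the owner, and S_IRGRP is a placeholder. File confidentiality on Windows comes from the directory ACL. */`. Whether any caller relies on these modes for key or status files is not visible in this hunk and should be checked.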
@@ -2600,7 +2600,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by OpenVPN $as_me 2.5.4, which was +It was created by OpenVPN $as_me 2.5.5, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -2964,13 +2964,13 @@ if test -z "${htmldir}"; then fi -$as_echo "#define OPENVPN_VERSION_RESOURCE 2,5,4,0" >>confdefs.h +$as_echo "#define OPENVPN_VERSION_RESOURCE 2,5,5,0" >>confdefs.h OPENVPN_VERSION_MAJOR=2 OPENVPN_VERSION_MINOR=5 -OPENVPN_VERSION_PATCH=.4 +OPENVPN_VERSION_PATCH=.5 $as_echo "#define OPENVPN_VERSION_MAJOR 2" >>confdefs.h @@ -2979,7 +2979,7 @@ $as_echo "#define OPENVPN_VERSION_MAJOR 2" >>confdefs.h $as_echo "#define OPENVPN_VERSION_MINOR 5" >>confdefs.h -$as_echo "#define OPENVPN_VERSION_PATCH \".4\"" >>confdefs.h +$as_echo "#define OPENVPN_VERSION_PATCH \".5\"" >>confdefs.h ac_aux_dir= @@ -3505,7 +3505,7 @@ fi # Define the identity of the package. PACKAGE='openvpn' - VERSION='2.5.4' + VERSION='2.5.5' cat >>confdefs.h <<_ACEOF 
@@ -17941,56 +17941,6 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext old_cflags="$CFLAGS" - CFLAGS="-Wno-unused-function -Werror $CFLAGS" - { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the compiler accepts -Wno-unused-function" >&5 -$as_echo_n "checking whether the compiler accepts -Wno-unused-function... " >&6; } - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -int -main () -{ - - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 -$as_echo "yes" >&6; }; CFLAGS="-Wno-unused-function $old_cflags" -else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; }; CFLAGS="$old_cflags" -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext - - - old_cflags="$CFLAGS" - CFLAGS="-Wno-unused-parameter -Werror $CFLAGS" - { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the compiler accepts -Wno-unused-parameter" >&5 -$as_echo_n "checking whether the compiler accepts -Wno-unused-parameter... " >&6; } - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -int -main () -{ - - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 -$as_echo "yes" >&6; }; CFLAGS="-Wno-unused-parameter $old_cflags" -else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; }; CFLAGS="$old_cflags" -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext - - - old_cflags="$CFLAGS" CFLAGS="-Wall -Werror $CFLAGS" { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the compiler accepts -Wall" >&5 $as_echo_n "checking whether the compiler accepts -Wall... " >&6; } 
@@ -18958,7 +18908,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by OpenVPN $as_me 2.5.4, which was +This file was extended by OpenVPN $as_me 2.5.5, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -19024,7 +18974,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -OpenVPN config.status 2.5.4 +OpenVPN config.status 2.5.5 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff --git a/configure.ac b/configure.ac index 1f166c0..7efd710 100644 --- a/configure.ac +++ b/configure.ac @@ -1302,8 +1302,6 @@ AC_DEFUN([ACL_CHECK_ADD_COMPILE_FLAGS], [ ) ACL_CHECK_ADD_COMPILE_FLAGS([-Wno-stringop-truncation]) -ACL_CHECK_ADD_COMPILE_FLAGS([-Wno-unused-function]) -ACL_CHECK_ADD_COMPILE_FLAGS([-Wno-unused-parameter]) ACL_CHECK_ADD_COMPILE_FLAGS([-Wall]) if test "${enable_pedantic}" = "yes"; then diff --git a/contrib/pull-resolv-conf/client.up b/contrib/pull-resolv-conf/client.up index f076974..220aeb7 100644 --- a/contrib/pull-resolv-conf/client.up +++ b/contrib/pull-resolv-conf/client.up @@ -91,7 +91,7 @@ out="# resolv.conf autogenerated by ${0} (${dev})${nl}${dns}${ds}${domains}" # use resolvconf if it's available if type resolvconf >/dev/null 2>&1; then - printf "%s\n" "${out}" | resolvconf -p -a "${dev}" + printf "%s\n" "${out}" | resolvconf -a "${dev}" else # Preserve the existing resolv.conf if [ -e /etc/resolv.conf ] ; then diff --git a/contrib/vcpkg-ports/openssl/portfile.cmake b/contrib/vcpkg-ports/openssl/portfile.cmake deleted file mode 100644 index 9b59a3c..0000000 --- a/contrib/vcpkg-ports/openssl/portfile.cmake +++ /dev/null 
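Review bot: In contrib/pull-resolv-conf/client.up the changed line still ignores the exit status of `resolvconf`, so a failed update leaves the host on its pre-VPN resolvers with no message. That is the failure mode this commit fixes for `-p`, and it would again be silent for any other resolvconf error. I would at least log it: `printf "%s\n" "${out}" | resolvconf -a "${dev}" || echo "${0}: resolvconf -a ${dev} failed" >&2`. On resolvconf implementations that do support `-p`, dropping the flag presumably also means the pushed servers are no longer registered as private to this interface, which deserves a comment for anyone relying on split DNS. The surrounding `if`/`else` continues outside the hunk.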
@@ -1,25 +0,0 @@ -if(EXISTS "${CURRENT_INSTALLED_DIR}/include/openssl/ssl.h") - message(FATAL_ERROR "Can't build openssl if libressl/boringssl is installed. Please remove libressl/boringssl, and try install openssl again if you need it.") -endif() - -set(OPENSSL_VERSION 1.1.1k) -vcpkg_download_distfile(ARCHIVE - URLS "https://www.openssl.org/source/openssl-${OPENSSL_VERSION}.tar.gz" "https://www.openssl.org/source/old/1.1.1/openssl-${OPENSSL_VERSION}.tar.gz" - FILENAME "openssl-${OPENSSL_VERSION}.tar.gz" - SHA512 73cd042d4056585e5a9dd7ab68e7c7310a3a4c783eafa07ab0b560e7462b924e4376436a6d38a155c687f6942a881cfc0c1b9394afcde1d8c46bf396e7d51121 -) - -vcpkg_find_acquire_program(PERL) -get_filename_component(PERL_EXE_PATH ${PERL} DIRECTORY) -vcpkg_add_to_path("${PERL_EXE_PATH}") - -if(VCPKG_TARGET_IS_UWP) - include("${CMAKE_CURRENT_LIST_DIR}/uwp/portfile.cmake") -elseif(VCPKG_TARGET_IS_WINDOWS AND NOT VCPKG_TARGET_IS_MINGW) - include("${CMAKE_CURRENT_LIST_DIR}/windows/portfile.cmake") -else() - include("${CMAKE_CURRENT_LIST_DIR}/unix/portfile.cmake") -endif() - - -file(INSTALL "${CMAKE_CURRENT_LIST_DIR}/usage" DESTINATION "${CURRENT_PACKAGES_DIR}/share/${PORT}") diff --git a/contrib/vcpkg-ports/openssl/unix/CMakeLists.txt b/contrib/vcpkg-ports/openssl/unix/CMakeLists.txt deleted file mode 100644 index fd84816..0000000 --- a/contrib/vcpkg-ports/openssl/unix/CMakeLists.txt +++ /dev/null 
@@ -1,280 +0,0 @@ -cmake_minimum_required(VERSION 3.9) -project(openssl C) - -if(NOT SOURCE_PATH) - message(FATAL_ERROR "Requires SOURCE_PATH") -endif() - -if(CMAKE_SYSTEM_NAME STREQUAL "Android" OR CMAKE_SYSTEM_NAME STREQUAL "Linux") - if(CMAKE_SYSTEM_PROCESSOR STREQUAL "x86_64") - set(PLATFORM linux-x86_64) - else() - set(PLATFORM linux-generic32) - endif() -elseif(CMAKE_SYSTEM_NAME STREQUAL "iOS") - if(VCPKG_TARGET_ARCHITECTURE MATCHES "arm64") - set(PLATFORM ios64-xcrun) - elseif(VCPKG_TARGET_ARCHITECTURE MATCHES "arm") - set(PLATFORM ios-xcrun) - elseif(VCPKG_TARGET_ARCHITECTURE MATCHES "x86" OR - VCPKG_TARGET_ARCHITECTURE MATCHES "x64") - set(PLATFORM iossimulator-xcrun) - else() - message(FATAL_ERROR "Unknown iOS target architecture: ${VCPKG_TARGET_ARCHITECTURE}") - endif() - # disable that makes linkage error (e.g. require stderr usage) - list(APPEND DISABLES no-stdio no-ui no-asm) -elseif(CMAKE_SYSTEM_NAME STREQUAL "Darwin") - if(VCPKG_TARGET_ARCHITECTURE MATCHES "arm64") - set(PLATFORM darwin64-arm64-cc) - else() - set(PLATFORM darwin64-x86_64-cc) - endif() -elseif(CMAKE_SYSTEM_NAME STREQUAL "FreeBSD") - set(PLATFORM BSD-generic64) -elseif(CMAKE_SYSTEM_NAME STREQUAL "OpenBSD") - set(PLATFORM BSD-generic64) -elseif(MINGW) - if(CMAKE_SYSTEM_PROCESSOR STREQUAL "x86_64") - set(PLATFORM mingw64) - else() - set(PLATFORM mingw) - endif() -elseif(EMSCRIPTEN) - set(MAKE $ENV{EMSDK}/upstream/emscripten/emmake) - set(ENV{MAKE} $ENV{EMSDK}/upstream/emscripten/emmake) -else() - message(FATAL_ERROR "Unknown platform") -endif() - -get_filename_component(COMPILER_ROOT "${CMAKE_C_COMPILER}" DIRECTORY) - -message("CMAKE_C_COMPILER=${CMAKE_C_COMPILER}") -message("COMPILER_ROOT=${COMPILER_ROOT}") -message("CMAKE_SYSROOT=${CMAKE_SYSROOT}") -message("CMAKE_OSX_SYSROOT=${CMAKE_OSX_SYSROOT}") -message("CMAKE_OSX_DEPLOYMENT_TARGET=${CMAKE_OSX_DEPLOYMENT_TARGET}") -message("CMAKE_C_FLAGS=${CMAKE_C_FLAGS}") -message("CMAKE_C_FLAGS_RELEASE=${CMAKE_C_FLAGS_RELEASE}") 
-message("CMAKE_C_FLAGS_DEBUG=${CMAKE_C_FLAGS_DEBUG}") -message("CMAKE_INCLUDE_SYSTEM_FLAG_C=${CMAKE_INCLUDE_SYSTEM_FLAG_C}") -message("CMAKE_C_OSX_DEPLOYMENT_TARGET_FLAG=${CMAKE_C_OSX_DEPLOYMENT_TARGET_FLAG}") - -set(CFLAGS "${CMAKE_C_FLAGS}") -if(CMAKE_CXX_COMPILER_ID STREQUAL "Clang") - set(CFLAGS "-Wno-error=unused-command-line-argument ${CMAKE_C_FLAGS}") -endif() -if(CMAKE_C_COMPILER_TARGET AND CMAKE_C_COMPILE_OPTIONS_TARGET) - set(CFLAGS "${CFLAGS} ${CMAKE_C_COMPILE_OPTIONS_TARGET}${CMAKE_C_COMPILER_TARGET}") -endif() -if(CMAKE_C_COMPILER_EXTERNAL_TOOLCHAIN AND CMAKE_C_COMPILE_OPTIONS_EXTERNAL_TOOLCHAIN) - set(CFLAGS "${CFLAGS} ${CMAKE_C_COMPILE_OPTIONS_EXTERNAL_TOOLCHAIN}${CMAKE_C_COMPILER_EXTERNAL_TOOLCHAIN}") -endif() -if(CMAKE_SYSROOT AND CMAKE_C_COMPILE_OPTIONS_SYSROOT) - set(CFLAGS "${CFLAGS} ${CMAKE_C_COMPILE_OPTIONS_SYSROOT}${CMAKE_SYSROOT}") -elseif(CMAKE_OSX_SYSROOT AND CMAKE_C_COMPILE_OPTIONS_SYSROOT) - set(CFLAGS "${CFLAGS} ${CMAKE_C_COMPILE_OPTIONS_SYSROOT}${CMAKE_OSX_SYSROOT}") -endif() -if (CMAKE_OSX_DEPLOYMENT_TARGET AND CMAKE_C_OSX_DEPLOYMENT_TARGET_FLAG) - set(CFLAGS "${CFLAGS} ${CMAKE_C_OSX_DEPLOYMENT_TARGET_FLAG}${CMAKE_OSX_DEPLOYMENT_TARGET}") -endif() - -string(REGEX REPLACE "^ " "" CFLAGS "${CFLAGS}") - -if(CMAKE_HOST_WIN32) - file(TO_NATIVE_PATH ENV_PATH "${COMPILER_ROOT};$ENV{PATH}") -else() - file(TO_NATIVE_PATH ENV_PATH "${COMPILER_ROOT}:$ENV{PATH}") -endif() -set(ENV{ANDROID_DEV} "${CMAKE_SYSROOT}/usr") - -if(NOT IOS) - set(ENV{CC} "${CMAKE_C_COMPILER}") -endif() - -message("ENV{ANDROID_DEV}=$ENV{ANDROID_DEV}") - -get_filename_component(SOURCE_PATH_NAME "${SOURCE_PATH}" NAME) -set(BUILDDIR "${CMAKE_CURRENT_BINARY_DIR}/${SOURCE_PATH_NAME}") - -if(NOT EXISTS "${BUILDDIR}") - file(COPY ${SOURCE_PATH} DESTINATION ${CMAKE_CURRENT_BINARY_DIR}) -endif() - -get_filename_component(MSYS_BIN_DIR "${MAKE}" DIRECTORY) - -if(BUILD_SHARED_LIBS) - set(SHARED shared) - file(STRINGS "${BUILDDIR}/include/openssl/opensslv.h" SHLIB_VERSION - REGEX 
"^#[\t ]*define[\t ]+SHLIB_VERSION_NUMBER[\t ]+\".*\".*") - string(REGEX REPLACE "^.*SHLIB_VERSION_NUMBER[\t ]+\"([^\"]*)\".*$" "\\1" - SHLIB_VERSION "${SHLIB_VERSION}") - if(CMAKE_SYSTEM_NAME STREQUAL "Darwin" OR CMAKE_SYSTEM_NAME STREQUAL "iOS") - set(LIB_EXT dylib) - set(LIB_EXTS ${SHLIB_VERSION}.${LIB_EXT}) - elseif(MINGW) - string(REPLACE "." "_" SHLIB_VERSION "${SHLIB_VERSION}") - set(BIN_EXT dll) - set(LIB_EXT dll.a) - else() - set(LIB_EXT so) - set(LIB_EXTS ${LIB_EXT}.${SHLIB_VERSION}) - endif() - list(APPEND BIN_EXTS ${BIN_EXT}) - list(APPEND LIB_EXTS ${LIB_EXT}) -else() - set(SHARED no-shared) - set(LIB_EXTS a) -endif() -foreach(lib ssl crypto) - foreach(ext ${LIB_EXTS}) - list(APPEND INSTALL_LIBS "${BUILDDIR}/lib${lib}.${ext}") - list(APPEND INSTALL_PKG_CONFIGS "${BUILDDIR}/lib${lib}.pc") - endforeach() - foreach(ext ${BIN_EXTS}) - # This might be wrong for targets which don't follow this naming scheme, but I'm not aware of any - if(CMAKE_SYSTEM_PROCESSOR STREQUAL "x86_64") - list(APPEND INSTALL_BINS "${BUILDDIR}/lib${lib}-${SHLIB_VERSION}-x64.${ext}") - else() - list(APPEND INSTALL_BINS "${BUILDDIR}/lib${lib}-${SHLIB_VERSION}.${ext}") - endif() - endforeach() -endforeach() - -if(CMAKE_HOST_WIN32) - set(ENV_COMMAND set) - set(PATH_VAR ";%PATH%") -else() - set(ENV_COMMAND export) - set(PATH_VAR ":$ENV{PATH}") -endif() - -add_custom_command( - OUTPUT "${BUILDDIR}/Makefile" - COMMAND ${ENV_COMMAND} "PATH=${MSYS_BIN_DIR}${PATH_VAR}" - VERBATIM - WORKING_DIRECTORY "${BUILDDIR}" -) - -if(NOT IOS) - add_custom_command( - OUTPUT "${BUILDDIR}/Makefile" - COMMAND ${ENV_COMMAND} CC=${CMAKE_C_COMPILER} - COMMAND ${ENV_COMMAND} AR=${CMAKE_AR} - COMMAND ${ENV_COMMAND} LD=${CMAKE_LINKER} - COMMAND ${ENV_COMMAND} RANLIB=${CMAKE_RANLIB} - COMMAND ${ENV_COMMAND} MAKE=${MAKE} - COMMAND ${ENV_COMMAND} MAKEDEPPROG=${CMAKE_C_COMPILER} - VERBATIM - APPEND - ) - - if(EMSCRIPTEN) - list(APPEND DISABLES - threads - no-engine - no-dso - no-asm - no-shared - no-sse2 - no-srtp - ) - 
else() - list(APPEND DISABLES - enable-static-engine - no-zlib - no-ssl2 - no-idea - no-cast - no-seed - no-md2 - no-tests) - endif() -endif() - -if(EMSCRIPTEN) - add_custom_command( - OUTPUT "${BUILDDIR}/Makefile" - COMMAND "$ENV{EMSDK}/upstream/emscripten/emconfigure" ./config - ${SHARED} - ${DISABLES} - "--prefix=${CMAKE_INSTALL_PREFIX}" - "--openssldir=/etc/ssl" - "--cross-compile-prefix=\"/\"" - VERBATIM - APPEND - ) - - add_custom_target(build_libs ALL - COMMAND ${ENV_COMMAND} "PATH=${MSYS_BIN_DIR}${PATH_VAR}" - COMMAND "${CMAKE_COMMAND}" -E touch "${BUILDDIR}/krb5.h" - COMMAND "${MAKE}" make build_libs - VERBATIM - WORKING_DIRECTORY "${BUILDDIR}" - DEPENDS "${BUILDDIR}/Makefile" - BYPRODUCTS ${INSTALL_LIBS} - ) -else() - add_custom_command( - OUTPUT "${BUILDDIR}/Makefile" - COMMAND "${PERL}" Configure - ${SHARED} - ${DISABLES} - ${PLATFORM} - "--prefix=${CMAKE_INSTALL_PREFIX}" - "--openssldir=/etc/ssl" - ${CFLAGS} - VERBATIM - APPEND - ) - - add_custom_target(build_libs ALL - COMMAND ${ENV_COMMAND} "PATH=${MSYS_BIN_DIR}${PATH_VAR}" - COMMAND "${CMAKE_COMMAND}" -E touch "${BUILDDIR}/krb5.h" - COMMAND "${MAKE}" -j ${VCPKG_CONCURRENCY} build_libs - VERBATIM - WORKING_DIRECTORY "${BUILDDIR}" - DEPENDS "${BUILDDIR}/Makefile" - BYPRODUCTS ${INSTALL_LIBS} - ) -endif() - -add_custom_command( - OUTPUT "${BUILDDIR}/Makefile" - COMMAND "${CMAKE_COMMAND}" "-DDIR=${BUILDDIR}" -P "${CMAKE_CURRENT_LIST_DIR}/remove-deps.cmake" - VERBATIM - APPEND -) - -if((CMAKE_SYSTEM_NAME STREQUAL "Darwin" OR CMAKE_SYSTEM_NAME STREQUAL "iOS") AND BUILD_SHARED_LIBS) - if(DEFINED CMAKE_INSTALL_NAME_DIR) - set(ID_PREFIX "${CMAKE_INSTALL_NAME_DIR}") - else() - set(ID_PREFIX "@rpath") - endif() - - add_custom_command( - TARGET build_libs - COMMAND /usr/bin/install_name_tool -id "${ID_PREFIX}/libssl.${SHLIB_VERSION}.dylib" - "${BUILDDIR}/libssl.${SHLIB_VERSION}.dylib" - COMMAND /usr/bin/install_name_tool -id "${ID_PREFIX}/libcrypto.${SHLIB_VERSION}.dylib" - "${BUILDDIR}/libcrypto.1.1.dylib" - 
COMMAND /usr/bin/install_name_tool -change "${CMAKE_INSTALL_PREFIX}/lib/libcrypto.${SHLIB_VERSION}.dylib" - "${ID_PREFIX}/libcrypto.${SHLIB_VERSION}.dylib" - "${BUILDDIR}/libssl.${SHLIB_VERSION}.dylib" - VERBATIM - ) -endif() - -install( - FILES ${INSTALL_LIBS} - DESTINATION lib -) -install( - FILES ${INSTALL_BINS} - DESTINATION bin -) -install( - FILES ${INSTALL_PKG_CONFIGS} - DESTINATION lib/pkgconfig -) diff --git a/contrib/vcpkg-ports/openssl/unix/portfile.cmake b/contrib/vcpkg-ports/openssl/unix/portfile.cmake deleted file mode 100644 index 9122349..0000000 --- a/contrib/vcpkg-ports/openssl/unix/portfile.cmake +++ /dev/null 
@@ -1,49 +0,0 @@ -if (NOT VCPKG_TARGET_IS_MINGW) - vcpkg_fail_port_install(MESSAGE "${PORT} is only for openssl on Unix-like systems" ON_TARGET "UWP" "Windows") -endif() - -vcpkg_extract_source_archive_ex( - OUT_SOURCE_PATH MASTER_COPY_SOURCE_PATH - ARCHIVE "${ARCHIVE}" - REF ${OPENSSL_VERSION} -) - -if(CMAKE_HOST_WIN32) - vcpkg_acquire_msys(MSYS_ROOT PACKAGES make perl) - set(MAKE ${MSYS_ROOT}/usr/bin/make.exe) - set(PERL ${MSYS_ROOT}/usr/bin/perl.exe) -else() - find_program(MAKE make) - if(NOT MAKE) - message(FATAL_ERROR "Could not find make. Please install it through your package manager.") - endif() -endif() - -vcpkg_configure_cmake( - SOURCE_PATH ${CMAKE_CURRENT_LIST_DIR} - PREFER_NINJA - OPTIONS - -DSOURCE_PATH=${MASTER_COPY_SOURCE_PATH} - -DPERL=${PERL} - -DMAKE=${MAKE} - -DVCPKG_CONCURRENCY=${VCPKG_CONCURRENCY} - OPTIONS_RELEASE - -DINSTALL_HEADERS=ON -) - -vcpkg_install_cmake() -vcpkg_fixup_pkgconfig() - -file(GLOB HEADERS ${CURRENT_BUILDTREES_DIR}/${TARGET_TRIPLET}-rel/*/include/openssl/*.h) -set(RESOLVED_HEADERS) -foreach(HEADER ${HEADERS}) - get_filename_component(X "${HEADER}" REALPATH) - list(APPEND RESOLVED_HEADERS "${X}") -endforeach() - -file(INSTALL ${RESOLVED_HEADERS} DESTINATION ${CURRENT_PACKAGES_DIR}/include/openssl) -file(INSTALL ${MASTER_COPY_SOURCE_PATH}/LICENSE DESTINATION ${CURRENT_PACKAGES_DIR}/share/${PORT} RENAME copyright) - -if(VCPKG_LIBRARY_LINKAGE STREQUAL "static") - file(COPY ${CMAKE_CURRENT_LIST_DIR}/vcpkg-cmake-wrapper.cmake DESTINATION ${CURRENT_PACKAGES_DIR}/share/openssl) -endif() diff --git a/contrib/vcpkg-ports/openssl/unix/remove-deps.cmake b/contrib/vcpkg-ports/openssl/unix/remove-deps.cmake deleted file mode 100644 index 53ad6ef..0000000 --- a/contrib/vcpkg-ports/openssl/unix/remove-deps.cmake +++ /dev/null 
@@ -1,7 +0,0 @@ -file(GLOB_RECURSE MAKEFILES ${DIR}/*/Makefile) -foreach(MAKEFILE ${MAKEFILES}) - message("removing deps from ${MAKEFILE}") - file(READ "${MAKEFILE}" _contents) - string(REGEX REPLACE "\n# DO NOT DELETE THIS LINE.*" "" _contents "${_contents}") - file(WRITE "${MAKEFILE}" "${_contents}") -endforeach() diff --git a/contrib/vcpkg-ports/openssl/unix/vcpkg-cmake-wrapper.cmake b/contrib/vcpkg-ports/openssl/unix/vcpkg-cmake-wrapper.cmake deleted file mode 100644 index f36b687..0000000 --- a/contrib/vcpkg-ports/openssl/unix/vcpkg-cmake-wrapper.cmake +++ /dev/null @@ -1,18 +0,0 @@ -_find_package(${ARGS}) -if(OPENSSL_FOUND) - find_library(OPENSSL_DL_LIBRARY NAMES dl) - if(OPENSSL_DL_LIBRARY) - list(APPEND OPENSSL_LIBRARIES "dl") - if(TARGET OpenSSL::Crypto) - set_property(TARGET OpenSSL::Crypto APPEND PROPERTY INTERFACE_LINK_LIBRARIES "dl") - endif() - endif() - find_package(Threads REQUIRED) - list(APPEND OPENSSL_LIBRARIES ${CMAKE_THREAD_LIBS_INIT}) - if(TARGET OpenSSL::Crypto) - set_property(TARGET OpenSSL::Crypto APPEND PROPERTY INTERFACE_LINK_LIBRARIES "Threads::Threads") - endif() - if(TARGET OpenSSL::SSL) - set_property(TARGET OpenSSL::SSL APPEND PROPERTY INTERFACE_LINK_LIBRARIES "Threads::Threads") - endif() -endif() diff --git a/contrib/vcpkg-ports/openssl/usage b/contrib/vcpkg-ports/openssl/usage deleted file mode 100644 index cf83f33..0000000 --- a/contrib/vcpkg-ports/openssl/usage +++ /dev/null @@ -1,4 +0,0 @@ -The package openssl is compatible with built-in CMake targets: - - find_package(OpenSSL REQUIRED) - target_link_libraries(main PRIVATE OpenSSL::SSL OpenSSL::Crypto) diff --git a/contrib/vcpkg-ports/openssl/uwp/EnableUWPSupport.patch b/contrib/vcpkg-ports/openssl/uwp/EnableUWPSupport.patch deleted file mode 100644 index fe78374..0000000 --- a/contrib/vcpkg-ports/openssl/uwp/EnableUWPSupport.patch +++ /dev/null 
@@ -1,170 +0,0 @@ -diff --git a/Configurations/10-main.conf b/Configurations/10-main.conf -index 3c4299d264..99fcb1f713 100644 ---- a/Configurations/10-main.conf -+++ b/Configurations/10-main.conf -@@ -1287,7 +1287,7 @@ my %targets = ( - }, - "VC-WIN64I" => { - inherit_from => [ "VC-WIN64-common", asm("ia64_asm"), -- sub { $disabled{shared} ? () : "ia64_uplink" } ], -+ sub { $disabled{uplink} ? () : "ia64_uplink" } ], - AS => "ias", - ASFLAGS => "-d debug", - asoutflag => "-o ", -@@ -1299,7 +1299,7 @@ my %targets = ( - }, - "VC-WIN64A" => { - inherit_from => [ "VC-WIN64-common", asm("x86_64_asm"), -- sub { $disabled{shared} ? () : "x86_64_uplink" } ], -+ sub { $disabled{uplink} ? () : "x86_64_uplink" } ], - AS => sub { vc_win64a_info()->{AS} }, - ASFLAGS => sub { vc_win64a_info()->{ASFLAGS} }, - asoutflag => sub { vc_win64a_info()->{asoutflag} }, -@@ -1312,7 +1312,7 @@ my %targets = ( - }, - "VC-WIN32" => { - inherit_from => [ "VC-noCE-common", asm("x86_asm"), -- sub { $disabled{shared} ? () : "uplink_common" } ], -+ sub { $disabled{uplink} ? () : "uplink_common" } ], - AS => sub { vc_win32_info()->{AS} }, - ASFLAGS => sub { vc_win32_info()->{ASFLAGS} }, - asoutflag => sub { vc_win32_info()->{asoutflag} }, -@@ -1374,7 +1374,7 @@ my %targets = ( - #### MinGW - "mingw" => { - inherit_from => [ "BASE_unix", asm("x86_asm"), -- sub { $disabled{shared} ? () : "x86_uplink" } ], -+ sub { $disabled{uplink} ? () : "x86_uplink" } ], - CC => "gcc", - CFLAGS => picker(default => "-Wall", - debug => "-g -O0", -diff --git a/Configurations/50-win-onecore.conf b/Configurations/50-win-onecore.conf -index d478f42b0f..e0fb70daca 100644 ---- a/Configurations/50-win-onecore.conf -+++ b/Configurations/50-win-onecore.conf -@@ -1,3 +1,4 @@ -+## -*- mode: perl; -*- - # Windows OneCore targets. 
- # - # OneCore is new API stability "contract" that transcends Desktop, IoT and -@@ -10,6 +11,25 @@ - # TODO: extend error handling to use ETW based eventing - # (Or rework whole error messaging) - -+my $UWP_info = {}; -+sub UWP_info { -+ unless (%$UWP_info) { -+ my $SDKver = `pwsh.exe -Command \"& {\$(Get-Item \\\"hklm:\\SOFTWARE\\WOW6432Node\\Microsoft\\Microsoft SDKs\\Windows\\\").GetValue(\\\"CurrentVersion\\\")}\"`; -+ $SDKver =~ s|\R$||; -+ my @SDKver_split = split(/\./, $SDKver); -+ # SDK version older than 10.0.17763 don't support our ASM builds -+ if ($SDKver_split[0] < 10 -+ || ($SDKver_split[0] == 10 -+ && $SDKver_split[1] == 0 -+ && $SDKver_split[2] < 17763)) { -+ $UWP_info->{disable} = [ 'asm' ]; -+ } else { -+ $UWP_info->{disable} = [ ]; -+ } -+ } -+ return $UWP_info; -+} -+ - my %targets = ( - "VC-WIN32-ONECORE" => { - inherit_from => [ "VC-WIN32" ], -@@ -61,4 +81,57 @@ my %targets = ( - ex_libs => "onecore.lib", - multilib => "-arm64", - }, -+ -+ # Universal Windows Platform (UWP) App Support -+ -+ # TODO -+ # -+ # The 'disable' attribute should have 'uplink'. -+ # however, these are checked in some 'inherit_from', which is processed -+ # very early, before the 'disable' attributes are seen. -+ # This is a problem that needs to be resolved in Configure first. -+ # -+ # But if you want to build library with Windows 10 Version 1809 SDK or -+ # earlier, the 'disable' attribute should also have 'asm'. 
-+ -+ "VC-WIN32-UWP" => { -+ inherit_from => [ "VC-WIN32-ONECORE" ], -+ lflags => add("/APPCONTAINER"), -+ defines => add("WINAPI_FAMILY=WINAPI_FAMILY_APP", -+ "_WIN32_WINNT=0x0A00"), -+ dso_scheme => "", -+ disable => sub { [ 'ui-console', 'stdio', 'async', 'uplink', -+ @{ UWP_info()->{disable} } ] }, -+ ex_libs => "WindowsApp.lib", -+ }, -+ "VC-WIN64A-UWP" => { -+ inherit_from => [ "VC-WIN64A-ONECORE" ], -+ lflags => add("/APPCONTAINER"), -+ defines => add("WINAPI_FAMILY=WINAPI_FAMILY_APP", -+ "_WIN32_WINNT=0x0A00"), -+ dso_scheme => "", -+ disable => sub { [ 'ui-console', 'stdio', 'async', 'uplink', -+ @{ UWP_info()->{disable} } ] }, -+ ex_libs => "WindowsApp.lib", -+ }, -+ "VC-WIN32-ARM-UWP" => { -+ inherit_from => [ "VC-WIN32-ARM" ], -+ lflags => add("/APPCONTAINER"), -+ defines => add("WINAPI_FAMILY=WINAPI_FAMILY_APP", -+ "_WIN32_WINNT=0x0A00"), -+ dso_scheme => "", -+ disable => sub { [ 'ui-console', 'stdio', 'async', 'uplink', -+ @{ UWP_info()->{disable} } ] }, -+ ex_libs => "WindowsApp.lib", -+ }, -+ "VC-WIN64-ARM-UWP" => { -+ inherit_from => [ "VC-WIN64-ARM" ], -+ lflags => add("/APPCONTAINER"), -+ defines => add("WINAPI_FAMILY=WINAPI_FAMILY_APP", -+ "_WIN32_WINNT=0x0A00"), -+ dso_scheme => "", -+ disable => sub { [ 'ui-console', 'stdio', 'async', 'uplink', -+ @{ UWP_info()->{disable} } ] }, -+ ex_libs => "WindowsApp.lib", -+ }, - ); -diff --git a/Configure b/Configure -index 5a699836f3..de45f1e299 100755 ---- a/Configure -+++ b/Configure -@@ -407,6 +408,7 @@ my @disablables = ( - "ubsan", - "ui-console", - "unit-test", -+ "uplink", - "whirlpool", - "weak-ssl-ciphers", - "zlib", -@@ -491,8 +493,8 @@ my @disable_cascades = ( - - # Without position independent code, there can be no shared libraries or DSOs - "pic" => [ "shared" ], -- "shared" => [ "dynamic-engine" ], -+ "shared" => [ "dynamic-engine", "uplink" ], - "dso" => [ "dynamic-engine" ], - "engine" => [ "afalgeng", "devcryptoeng" ], - - # no-autoalginit is only useful when building non-shared -diff 
--git a/INSTALL b/INSTALL -index 2119cbae9e..ee54e8c215 100644 ---- a/INSTALL -+++ b/INSTALL -@@ -560,6 +560,10 @@ - likely to complement configuration command line with - suitable compiler-specific option. - -+ no-uplink -+ Don't build support for UPLINK interface. -+ -+ - no-<prot> - Don't build support for negotiating the specified SSL/TLS - protocol (one of ssl, ssl3, tls, tls1, tls1_1, tls1_2, diff --git a/contrib/vcpkg-ports/openssl/uwp/make-openssl.bat b/contrib/vcpkg-ports/openssl/uwp/make-openssl.bat deleted file mode 100644 index 6f6166a..0000000 --- a/contrib/vcpkg-ports/openssl/uwp/make-openssl.bat +++ /dev/null @@ -1,16 +0,0 @@ -set build=%1 - -perl Configure no-asm no-hw no-dso VC-WINUNIVERSAL -FS -FIWindows.h - -for /D %%f in ("%WindowsSdkDir%References\%WindowsSDKLibVersion%Windows.Foundation.FoundationContract\*") do set LibPath=%LibPath%;%%f\ -for /D %%f in ("%WindowsSdkDir%References\%WindowsSDKLibVersion%Windows.Foundation.UniversalApiContract\*") do set LibPath=%LibPath%;%%f\ -for /D %%f in ("%WindowsSdkDir%References\Windows.Foundation.FoundationContract\*") do set LibPath=%LibPath%;%%f\ -for /D %%f in ("%WindowsSdkDir%References\Windows.Foundation.UniversalApiContract\*") do set LibPath=%LibPath%;%%f\ - -call ms\do_winuniversal.bat - -mkdir inc32\openssl - -jom -j %NUMBER_OF_PROCESSORS% -k -f ms\ntdll.mak -REM due to a race condition in the build, we need to have a second single-threaded pass. -nmake -f ms\ntdll.mak diff --git a/contrib/vcpkg-ports/openssl/uwp/portfile.cmake b/contrib/vcpkg-ports/openssl/uwp/portfile.cmake deleted file mode 100644 index 08a523c..0000000 --- a/contrib/vcpkg-ports/openssl/uwp/portfile.cmake +++ /dev/null 
@@ -1,156 +0,0 @@ -vcpkg_fail_port_install(MESSAGE "${PORT} is only for Windows Universal Platform" ON_TARGET "Linux" "OSX") - -vcpkg_check_linkage(ONLY_DYNAMIC_LIBRARY) - -vcpkg_find_acquire_program(JOM) -get_filename_component(JOM_EXE_PATH ${JOM} DIRECTORY) -vcpkg_add_to_path("${PERL_EXE_PATH}") - -vcpkg_extract_source_archive_ex( - OUT_SOURCE_PATH SOURCE_PATH - ARCHIVE ${ARCHIVE} - PATCHES - uwp/EnableUWPSupport.patch -) - -vcpkg_find_acquire_program(NASM) -get_filename_component(NASM_EXE_PATH ${NASM} DIRECTORY) -vcpkg_add_to_path(PREPEND "${NASM_EXE_PATH}") - -set(CONFIGURE_COMMAND ${PERL} Configure - enable-static-engine - enable-capieng - no-unit-test - no-ssl2 - no-asm - no-uplink - no-tests - -utf-8 - shared -) - -if(VCPKG_TARGET_ARCHITECTURE STREQUAL "x86") - set(OPENSSL_ARCH VC-WIN32-UWP) -elseif(VCPKG_TARGET_ARCHITECTURE STREQUAL "x64") - set(OPENSSL_ARCH VC-WIN64A-UWP) -elseif(VCPKG_TARGET_ARCHITECTURE STREQUAL "arm") - set(OPENSSL_ARCH VC-WIN32-ARM-UWP) -elseif(VCPKG_TARGET_ARCHITECTURE STREQUAL "arm64") - set(OPENSSL_ARCH VC-WIN64-ARM-UWP) -else() - message(FATAL_ERROR "Unsupported target architecture: ${VCPKG_TARGET_ARCHITECTURE}") -endif() - -set(OPENSSL_MAKEFILE "makefile") - -file(REMOVE_RECURSE ${CURRENT_BUILDTREES_DIR}/${TARGET_TRIPLET}-rel ${CURRENT_BUILDTREES_DIR}/${TARGET_TRIPLET}-dbg) - - -if(NOT DEFINED VCPKG_BUILD_TYPE OR VCPKG_BUILD_TYPE STREQUAL "release") - - # Copy openssl sources. - message(STATUS "Copying openssl release source files...") - file(GLOB OPENSSL_SOURCE_FILES "${SOURCE_PATH}/*") - foreach(SOURCE_FILE ${OPENSSL_SOURCE_FILES}) - file(COPY ${SOURCE_FILE} DESTINATION "${CURRENT_BUILDTREES_DIR}/${TARGET_TRIPLET}-rel") - endforeach() - message(STATUS "Copying openssl release source files... 
done") - set(SOURCE_PATH_RELEASE "${CURRENT_BUILDTREES_DIR}/${TARGET_TRIPLET}-rel") - - set(OPENSSLDIR_RELEASE "${CURRENT_PACKAGES_DIR}") - - message(STATUS "Configure ${TARGET_TRIPLET}-rel") - vcpkg_execute_required_process( - COMMAND ${CONFIGURE_COMMAND} ${OPENSSL_ARCH} "--prefix=${OPENSSLDIR_RELEASE}" "--openssldir=${OPENSSLDIR_RELEASE}" -FS - WORKING_DIRECTORY "${SOURCE_PATH_RELEASE}" - LOGNAME configure-perl-${TARGET_TRIPLET}-${VCPKG_BUILD_TYPE}-rel - ) - message(STATUS "Configure ${TARGET_TRIPLET}-rel done") - - message(STATUS "Build ${TARGET_TRIPLET}-rel") - # Openssl's buildsystem has a race condition which will cause JOM to fail at some point. - # This is ok; we just do as much work as we can in parallel first, then follow up with a single-threaded build. - make_directory(${SOURCE_PATH_RELEASE}/inc32/openssl) - execute_process( - COMMAND "${JOM}" -k -j ${VCPKG_CONCURRENCY} -f "${OPENSSL_MAKEFILE}" build_libs - WORKING_DIRECTORY "${SOURCE_PATH_RELEASE}" - OUTPUT_FILE "${CURRENT_BUILDTREES_DIR}/build-${TARGET_TRIPLET}-rel-0-out.log" - ERROR_FILE "${CURRENT_BUILDTREES_DIR}/build-${TARGET_TRIPLET}-rel-0-err.log" - ) - vcpkg_execute_required_process( - COMMAND nmake -f "${OPENSSL_MAKEFILE}" install_dev - WORKING_DIRECTORY "${SOURCE_PATH_RELEASE}" - LOGNAME build-${TARGET_TRIPLET}-rel-1) - - message(STATUS "Build ${TARGET_TRIPLET}-rel done") -endif() - - -if(NOT DEFINED VCPKG_BUILD_TYPE OR VCPKG_BUILD_TYPE STREQUAL "debug") - # Copy openssl sources. - message(STATUS "Copying openssl debug source files...") - file(GLOB OPENSSL_SOURCE_FILES ${SOURCE_PATH}/*) - foreach(SOURCE_FILE ${OPENSSL_SOURCE_FILES}) - file(COPY "${SOURCE_FILE}" DESTINATION "${CURRENT_BUILDTREES_DIR}/${TARGET_TRIPLET}-dbg") - endforeach() - message(STATUS "Copying openssl debug source files... 
done") - set(SOURCE_PATH_DEBUG "${CURRENT_BUILDTREES_DIR}/${TARGET_TRIPLET}-dbg") - - set(OPENSSLDIR_DEBUG "${CURRENT_PACKAGES_DIR}/debug") - - message(STATUS "Configure ${TARGET_TRIPLET}-dbg") - vcpkg_execute_required_process( - COMMAND ${CONFIGURE_COMMAND} debug-${OPENSSL_ARCH} "--prefix=${OPENSSLDIR_DEBUG}" "--openssldir=${OPENSSLDIR_DEBUG}" -FS - WORKING_DIRECTORY "${SOURCE_PATH_DEBUG}" - LOGNAME configure-perl-${TARGET_TRIPLET}-${VCPKG_BUILD_TYPE}-dbg - ) - message(STATUS "Configure ${TARGET_TRIPLET}-dbg done") - - message(STATUS "Build ${TARGET_TRIPLET}-dbg") - make_directory("${SOURCE_PATH_DEBUG}/inc32/openssl") - execute_process( - COMMAND "${JOM}" -k -j ${VCPKG_CONCURRENCY} -f "${OPENSSL_MAKEFILE}" build_libs - WORKING_DIRECTORY "${SOURCE_PATH_DEBUG}" - OUTPUT_FILE "${CURRENT_BUILDTREES_DIR}/build-${TARGET_TRIPLET}-dbg-0-out.log" - ERROR_FILE "${CURRENT_BUILDTREES_DIR}/build-${TARGET_TRIPLET}-dbg-0-err.log" - ) - vcpkg_execute_required_process( - COMMAND nmake -f "${OPENSSL_MAKEFILE}" install_dev - WORKING_DIRECTORY "${SOURCE_PATH_DEBUG}" - LOGNAME build-${TARGET_TRIPLET}-dbg-1) - - message(STATUS "Build ${TARGET_TRIPLET}-dbg done") -endif() - -file(REMOVE_RECURSE "${CURRENT_PACKAGES_DIR}/certs") -file(REMOVE_RECURSE "${CURRENT_PACKAGES_DIR}/private") -file(REMOVE_RECURSE "${CURRENT_PACKAGES_DIR}/lib/engines-1_1") -file(REMOVE_RECURSE "${CURRENT_PACKAGES_DIR}/debug/certs") -file(REMOVE_RECURSE "${CURRENT_PACKAGES_DIR}/debug/lib/engines-1_1") -file(REMOVE_RECURSE "${CURRENT_PACKAGES_DIR}/debug/private") -file(REMOVE_RECURSE "${CURRENT_PACKAGES_DIR}/debug/include") - -file(REMOVE - "${CURRENT_PACKAGES_DIR}/bin/openssl.exe" - "${CURRENT_PACKAGES_DIR}/debug/bin/openssl.exe" - "${CURRENT_PACKAGES_DIR}/debug/openssl.cnf" - "${CURRENT_PACKAGES_DIR}/openssl.cnf" - "${CURRENT_PACKAGES_DIR}/ct_log_list.cnf" - "${CURRENT_PACKAGES_DIR}/ct_log_list.cnf.dist" - "${CURRENT_PACKAGES_DIR}/openssl.cnf.dist" - "${CURRENT_PACKAGES_DIR}/debug/ct_log_list.cnf" - 
"${CURRENT_PACKAGES_DIR}/debug/ct_log_list.cnf.dist" - "${CURRENT_PACKAGES_DIR}/debug/openssl.cnf.dist" -) - -file(READ "${CURRENT_PACKAGES_DIR}/include/openssl/dtls1.h" _contents) -string(REPLACE "<winsock.h>" "<winsock2.h>" _contents "${_contents}") -file(WRITE "${CURRENT_PACKAGES_DIR}/include/openssl/dtls1.h" "${_contents}") - -file(READ "${CURRENT_PACKAGES_DIR}/include/openssl/rand.h" _contents) -string(REPLACE "# include <windows.h>" "#ifndef _WINSOCKAPI_\n#define _WINSOCKAPI_\n#endif\n# include <windows.h>" _contents "${_contents}") -file(WRITE "${CURRENT_PACKAGES_DIR}/include/openssl/rand.h" "${_contents}") - -vcpkg_copy_pdbs() - -file(INSTALL "${SOURCE_PATH}/LICENSE" DESTINATION "${CURRENT_PACKAGES_DIR}/share/${PORT}" RENAME copyright) diff --git a/contrib/vcpkg-ports/openssl/vcpkg.json b/contrib/vcpkg-ports/openssl/vcpkg.json deleted file mode 100644 index 2d0eb13..0000000 --- a/contrib/vcpkg-ports/openssl/vcpkg.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "name": "openssl", - "version-string": "1.1.1k", - "port-version": 4, - "description": "OpenSSL is an open source project that provides a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. It is also a general-purpose cryptography library.", - "homepage": "https://www.openssl.org" -} diff --git a/contrib/vcpkg-ports/openssl/windows/portfile.cmake b/contrib/vcpkg-ports/openssl/windows/portfile.cmake deleted file mode 100644 index c873eb7..0000000 --- a/contrib/vcpkg-ports/openssl/windows/portfile.cmake +++ /dev/null 
@@ -1,174 +0,0 @@ -vcpkg_fail_port_install(MESSAGE "${PORT} is only for Windows Desktop" ON_TARGET "UWP" "Linux" "OSX") - -vcpkg_extract_source_archive_ex( - OUT_SOURCE_PATH SOURCE_PATH - ARCHIVE ${ARCHIVE} -) - -vcpkg_find_acquire_program(NASM) -get_filename_component(NASM_EXE_PATH "${NASM}" DIRECTORY) -vcpkg_add_to_path(PREPEND "${NASM_EXE_PATH}") - -vcpkg_find_acquire_program(JOM) - -set(OPENSSL_SHARED no-shared) -if(VCPKG_LIBRARY_LINKAGE STREQUAL dynamic) - set(OPENSSL_SHARED shared) -endif() - -set(CONFIGURE_OPTIONS - enable-static-engine - enable-capieng - no-ssl2 - no-tests - no-autoload-config - -utf-8 - ${OPENSSL_SHARED} -) - -if(DEFINED OPENSSL_USE_NOPINSHARED) - set(CONFIGURE_OPTIONS ${CONFIGURE_OPTIONS} no-pinshared) -endif() - -set(CONFIGURE_COMMAND "${PERL}" Configure ${CONFIGURE_OPTIONS}) - -if(VCPKG_TARGET_ARCHITECTURE STREQUAL "x86") - set(OPENSSL_ARCH VC-WIN32) -elseif(VCPKG_TARGET_ARCHITECTURE STREQUAL "x64") - set(OPENSSL_ARCH VC-WIN64A) -elseif(VCPKG_TARGET_ARCHITECTURE STREQUAL "arm") - set(OPENSSL_ARCH VC-WIN32-ARM) -elseif(VCPKG_TARGET_ARCHITECTURE STREQUAL "arm64") - set(OPENSSL_ARCH VC-WIN64-ARM) -else() - message(FATAL_ERROR "Unsupported target architecture: ${VCPKG_TARGET_ARCHITECTURE}") -endif() - -set(OPENSSL_MAKEFILE "makefile") - -file(REMOVE_RECURSE "${CURRENT_BUILDTREES_DIR}/${TARGET_TRIPLET}-rel" - "${CURRENT_BUILDTREES_DIR}/${TARGET_TRIPLET}-dbg") - -if(NOT DEFINED VCPKG_BUILD_TYPE OR VCPKG_BUILD_TYPE STREQUAL "release") - - # Copy openssl sources. - message(STATUS "Copying openssl release source files...") - file(GLOB OPENSSL_SOURCE_FILES ${SOURCE_PATH}/*) - foreach(SOURCE_FILE ${OPENSSL_SOURCE_FILES}) - file(COPY ${SOURCE_FILE} DESTINATION "${CURRENT_BUILDTREES_DIR}/${TARGET_TRIPLET}-rel") - endforeach() - message(STATUS "Copying openssl release source files... 
done") - set(SOURCE_PATH_RELEASE "${CURRENT_BUILDTREES_DIR}/${TARGET_TRIPLET}-rel") - - set(OPENSSLDIR_RELEASE ${CURRENT_PACKAGES_DIR}) - - message(STATUS "Configure ${TARGET_TRIPLET}-rel") - vcpkg_execute_required_process( - COMMAND ${CONFIGURE_COMMAND} ${OPENSSL_ARCH} "--prefix=${OPENSSLDIR_RELEASE}" "--openssldir=${OPENSSLDIR_RELEASE}" -FS - WORKING_DIRECTORY ${SOURCE_PATH_RELEASE} - LOGNAME configure-perl-${TARGET_TRIPLET}-rel - ) - message(STATUS "Configure ${TARGET_TRIPLET}-rel done") - - message(STATUS "Build ${TARGET_TRIPLET}-rel") - # Openssl's buildsystem has a race condition which will cause JOM to fail at some point. - # This is ok; we just do as much work as we can in parallel first, then follow up with a single-threaded build. - make_directory(${SOURCE_PATH_RELEASE}/inc32/openssl) - execute_process( - COMMAND ${JOM} -k -j $ENV{NUMBER_OF_PROCESSORS} -f ${OPENSSL_MAKEFILE} - WORKING_DIRECTORY ${SOURCE_PATH_RELEASE} - OUTPUT_FILE ${CURRENT_BUILDTREES_DIR}/build-${TARGET_TRIPLET}-rel-0-out.log - ERROR_FILE ${CURRENT_BUILDTREES_DIR}/build-${TARGET_TRIPLET}-rel-0-err.log - ) - vcpkg_execute_required_process( - COMMAND nmake -f ${OPENSSL_MAKEFILE} install_sw install_ssldirs - WORKING_DIRECTORY ${SOURCE_PATH_RELEASE} - LOGNAME build-${TARGET_TRIPLET}-rel-1) - - message(STATUS "Build ${TARGET_TRIPLET}-rel done") -endif() - - -if(NOT DEFINED VCPKG_BUILD_TYPE OR VCPKG_BUILD_TYPE STREQUAL "debug") - # Copy openssl sources. - message(STATUS "Copying openssl debug source files...") - file(GLOB OPENSSL_SOURCE_FILES ${SOURCE_PATH}/*) - foreach(SOURCE_FILE ${OPENSSL_SOURCE_FILES}) - file(COPY ${SOURCE_FILE} DESTINATION "${CURRENT_BUILDTREES_DIR}/${TARGET_TRIPLET}-dbg") - endforeach() - message(STATUS "Copying openssl debug source files... 
done") - set(SOURCE_PATH_DEBUG "${CURRENT_BUILDTREES_DIR}/${TARGET_TRIPLET}-dbg") - - set(OPENSSLDIR_DEBUG ${CURRENT_PACKAGES_DIR}/debug) - - message(STATUS "Configure ${TARGET_TRIPLET}-dbg") - vcpkg_execute_required_process( - COMMAND ${CONFIGURE_COMMAND} debug-${OPENSSL_ARCH} "--prefix=${OPENSSLDIR_DEBUG}" "--openssldir=${OPENSSLDIR_DEBUG}" -FS - WORKING_DIRECTORY ${SOURCE_PATH_DEBUG} - LOGNAME configure-perl-${TARGET_TRIPLET}-dbg - ) - message(STATUS "Configure ${TARGET_TRIPLET}-dbg done") - - message(STATUS "Build ${TARGET_TRIPLET}-dbg") - make_directory(${SOURCE_PATH_DEBUG}/inc32/openssl) - execute_process( - COMMAND "${JOM}" -k -j ${VCPKG_CONCURRENCY} -f "${OPENSSL_MAKEFILE}" - WORKING_DIRECTORY ${SOURCE_PATH_DEBUG} - OUTPUT_FILE ${CURRENT_BUILDTREES_DIR}/build-${TARGET_TRIPLET}-dbg-0-out.log - ERROR_FILE ${CURRENT_BUILDTREES_DIR}/build-${TARGET_TRIPLET}-dbg-0-err.log - ) - vcpkg_execute_required_process( - COMMAND nmake -f "${OPENSSL_MAKEFILE}" install_sw install_ssldirs - WORKING_DIRECTORY ${SOURCE_PATH_DEBUG} - LOGNAME build-${TARGET_TRIPLET}-dbg-1) - - message(STATUS "Build ${TARGET_TRIPLET}-dbg done") -endif() - -file(REMOVE_RECURSE "${CURRENT_PACKAGES_DIR}/certs") -file(REMOVE_RECURSE "${CURRENT_PACKAGES_DIR}/private") -file(REMOVE_RECURSE "${CURRENT_PACKAGES_DIR}/lib/engines-1_1") -file(REMOVE_RECURSE "${CURRENT_PACKAGES_DIR}/debug/certs") -file(REMOVE_RECURSE "${CURRENT_PACKAGES_DIR}/debug/lib/engines-1_1") -file(REMOVE_RECURSE "${CURRENT_PACKAGES_DIR}/debug/private") -file(REMOVE_RECURSE "${CURRENT_PACKAGES_DIR}/debug/include") - -file(REMOVE - "${CURRENT_PACKAGES_DIR}/ct_log_list.cnf" - "${CURRENT_PACKAGES_DIR}/ct_log_list.cnf.dist" - "${CURRENT_PACKAGES_DIR}/openssl.cnf.dist" - "${CURRENT_PACKAGES_DIR}/debug/bin/openssl.exe" - "${CURRENT_PACKAGES_DIR}/debug/ct_log_list.cnf" - "${CURRENT_PACKAGES_DIR}/debug/ct_log_list.cnf.dist" - "${CURRENT_PACKAGES_DIR}/debug/openssl.cnf" - "${CURRENT_PACKAGES_DIR}/debug/openssl.cnf.dist" -) - -file(MAKE_DIRECTORY 
"${CURRENT_PACKAGES_DIR}/tools/openssl/") -file(RENAME "${CURRENT_PACKAGES_DIR}/bin/openssl.exe" "${CURRENT_PACKAGES_DIR}/tools/openssl/openssl.exe") -file(RENAME "${CURRENT_PACKAGES_DIR}/openssl.cnf" "${CURRENT_PACKAGES_DIR}/tools/openssl/openssl.cnf") - -vcpkg_copy_tool_dependencies("${CURRENT_PACKAGES_DIR}/tools/openssl") - -if(VCPKG_LIBRARY_LINKAGE STREQUAL static) - # They should be empty, only the exes deleted above were in these directories - file(REMOVE_RECURSE "${CURRENT_PACKAGES_DIR}/debug/bin/") - file(REMOVE_RECURSE "${CURRENT_PACKAGES_DIR}/bin/") -endif() - -vcpkg_replace_string("${CURRENT_PACKAGES_DIR}/include/openssl/dtls1.h" - "<winsock.h>" - "<winsock2.h>" -) - -vcpkg_replace_string("${CURRENT_PACKAGES_DIR}/include/openssl/rand.h" - "# include <windows.h>" - "#ifndef _WINSOCKAPI_\n#define _WINSOCKAPI_\n#endif\n# include <windows.h>" -) - -vcpkg_copy_pdbs() - -file(INSTALL "${SOURCE_PATH}/LICENSE" DESTINATION "${CURRENT_PACKAGES_DIR}/share/${PORT}" RENAME copyright) -if(VCPKG_LIBRARY_LINKAGE STREQUAL "static") - file(COPY "${CMAKE_CURRENT_LIST_DIR}/vcpkg-cmake-wrapper.cmake" DESTINATION "${CURRENT_PACKAGES_DIR}/share/openssl") -endif() diff --git a/contrib/vcpkg-ports/openssl/windows/vcpkg-cmake-wrapper.cmake b/contrib/vcpkg-ports/openssl/windows/vcpkg-cmake-wrapper.cmake deleted file mode 100644 index 1e3b837..0000000 --- a/contrib/vcpkg-ports/openssl/windows/vcpkg-cmake-wrapper.cmake +++ /dev/null @@ -1,10 +0,0 @@ -_find_package(${ARGS}) -if(OPENSSL_FOUND) - list(APPEND OPENSSL_LIBRARIES Crypt32.lib ws2_32.lib) - if(TARGET OpenSSL::Crypto) - set_property(TARGET OpenSSL::Crypto APPEND PROPERTY INTERFACE_LINK_LIBRARIES "Crypt32.lib;ws2_32.lib") - endif() - if(TARGET OpenSSL::SSL) - set_property(TARGET OpenSSL::SSL APPEND PROPERTY INTERFACE_LINK_LIBRARIES "Crypt32.lib;ws2_32.lib") - endif() -endif() 
diff --git a/contrib/vcpkg-ports/pkcs11-helper/0002-nmake-compatibility-with-vcpkg-nmake.patch b/contrib/vcpkg-ports/pkcs11-helper/0002-nmake-compatibility-with-vcpkg-nmake.patch
new file mode 100644
index 0000000..a6034f7
--- /dev/null
+++ b/contrib/vcpkg-ports/pkcs11-helper/0002-nmake-compatibility-with-vcpkg-nmake.patch
@@ -0,0 +1,38 @@
+From 68d12f3e955cc9df435e9289b1244a4c1f24b96b Mon Sep 17 00:00:00 2001
+From: Lev Stipakov <lev@openvpn.net>
+Date: Wed, 24 Nov 2021 11:21:36 +0200
+Subject: [PATCH] nmake: compatibility with vcpkg nmake
+
+Remove options which contradict or already set
+by vcpkg nmake scripts.
+
+Signed-off-by: Lev Stipakov <lev@openvpn.net>
+---
+ lib/Makefile.w32-vc | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+diff --git a/lib/Makefile.w32-vc b/lib/Makefile.w32-vc
+index 0e64f42..18af03b 100644
+--- a/lib/Makefile.w32-vc
++++ b/lib/Makefile.w32-vc
+@@ -75,15 +75,11 @@ OPENSSL_LIBS=-LIBPATH:$(OPENSSL_LIB) user32.lib advapi32.lib $(OPENSSL_STATIC)
+ CFLAGS = -I../include $(OPENSSL_CFLAGS) -DWIN32 -DWIN32_LEAN_AND_MEAN -D_MBCS -D_CRT_SECURE_NO_DEPRECATE -D_WIN32_WINNT=0x0400
+ CC=cl.exe
+ RC=rc.exe
+-CCPARAMS=/nologo /W3 /O2 /FD /c
+-
+-CCPARAMS=$(CCPARAMS) /MD
+-CFLAGS=$(CFLAGS) -DNDEBUG
++CCPARAMS=/c
+
+ LINK32=link.exe
+ LIB32=lib.exe
+-LINK32_FLAGS=/nologo /subsystem:windows /dll /incremental:no
+-LIB32_FLAGS=/nologo
++LINK32_FLAGS=/dll
+
+ HEADERS = \
+ config.h \
+--
+2.23.0.windows.1
+
diff --git a/contrib/vcpkg-ports/pkcs11-helper/portfile.cmake b/contrib/vcpkg-ports/pkcs11-helper/portfile.cmake
index 54a0009..ad19fcc 100644
--- a/contrib/vcpkg-ports/pkcs11-helper/portfile.cmake
+++ b/contrib/vcpkg-ports/pkcs11-helper/portfile.cmake
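Review bot: With `CCPARAMS=/c` and `LINK32_FLAGS=/dll` as the only compiler and linker options left in Makefile.w32-vc, the warning level, CRT selection, NDEBUG and any linker hardening for the pkcs11-helper DLL now depend entirely on what the vcpkg nmake scripts inject, which this patch does not show. Dropping `CFLAGS=$(CFLAGS) -DNDEBUG` in particular leaves assertions enabled in release builds unless the toolchain defines NDEBUG itself, which is worth confirming against the vcpkg scripts. I would record the dependency next to the assignment, e.g. `# Compiler/linker flags (CRT, optimisation, NDEBUG) are expected from the vcpkg nmake environment`, so the makefile is not reused outside vcpkg with an effectively empty flag set.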
@@ -12,12 +12,12 @@ vcpkg_extract_source_archive_ex( REF ${VERSION} PATCHES 0001-nmake-openssl-1.1.1-support.patch + 0002-nmake-compatibility-with-vcpkg-nmake.patch pkcs11-helper-001-RFC7512.patch ) vcpkg_build_nmake( SOURCE_PATH ${SOURCE_PATH} - NO_DEBUG PROJECT_SUBPATH lib PROJECT_NAME Makefile.w32-vc OPTIONS @@ -26,10 +26,10 @@ vcpkg_build_nmake( ) file(INSTALL ${SOURCE_PATH}/include/pkcs11-helper-1.0 DESTINATION ${CURRENT_PACKAGES_DIR}/include/) -file(INSTALL ${CURRENT_BUILDTREES_DIR}/${TARGET_TRIPLET}/lib/pkcs11-helper.dll.lib DESTINATION ${CURRENT_PACKAGES_DIR}/lib) -file(INSTALL ${CURRENT_BUILDTREES_DIR}/${TARGET_TRIPLET}/lib/pkcs11-helper.dll.lib DESTINATION ${CURRENT_PACKAGES_DIR}/debug/lib) +file(INSTALL ${CURRENT_BUILDTREES_DIR}/${TARGET_TRIPLET}-rel/lib/pkcs11-helper.dll.lib DESTINATION ${CURRENT_PACKAGES_DIR}/lib) +file(INSTALL ${CURRENT_BUILDTREES_DIR}/${TARGET_TRIPLET}-dbg/lib/pkcs11-helper.dll.lib DESTINATION ${CURRENT_PACKAGES_DIR}/debug/lib) -file(INSTALL ${CURRENT_BUILDTREES_DIR}/${TARGET_TRIPLET}/lib/libpkcs11-helper-1.dll DESTINATION ${CURRENT_PACKAGES_DIR}/bin) -file(INSTALL ${CURRENT_BUILDTREES_DIR}/${TARGET_TRIPLET}/lib/libpkcs11-helper-1.dll DESTINATION ${CURRENT_PACKAGES_DIR}/debug/bin) +file(INSTALL ${CURRENT_BUILDTREES_DIR}/${TARGET_TRIPLET}-rel/lib/libpkcs11-helper-1.dll DESTINATION ${CURRENT_PACKAGES_DIR}/bin) +file(INSTALL ${CURRENT_BUILDTREES_DIR}/${TARGET_TRIPLET}-dbg/lib/libpkcs11-helper-1.dll DESTINATION ${CURRENT_PACKAGES_DIR}/debug/bin) file(INSTALL ${SOURCE_PATH}/COPYING DESTINATION ${CURRENT_PACKAGES_DIR}/share/${PORT} RENAME copyright) diff --git a/doc/man-sections/client-options.rst b/doc/man-sections/client-options.rst index c5b7ad9..92a02e2 100644 --- a/doc/man-sections/client-options.rst +++ b/doc/man-sections/client-options.rst 
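Review bot: The two `file(INSTALL ...)` lines in the second hunk that read from `${TARGET_TRIPLET}-dbg/lib` run unconditionally, so a triplet that sets `VCPKG_BUILD_TYPE` to release would presumably have no `-dbg` build tree and the install step would fail. This follows from removing `NO_DEBUG` in the first hunk, which makes the port depend on both build trees existing. Wrapping the debug pair in `if(NOT DEFINED VCPKG_BUILD_TYPE OR VCPKG_BUILD_TYPE STREQUAL "debug")` … `endif()`, and the release pair in the matching `"release"` test, would keep single-configuration builds working. The `vcpkg_build_nmake(` call continues outside both hunks.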
@@ -251,6 +251,75 @@ configuration. next remote succeeds. To silently ignore an option pushed by the server, use :code:`ignore`. +--push-peer-info + Push additional information about the client to server. The following + data is always pushed to the server: + + :code:`IV_VER=<version>` + The client OpenVPN version + + :code:`IV_PLAT=[linux|solaris|openbsd|mac|netbsd|freebsd|win]` + The client OS platform + + :code:`IV_LZO_STUB=1` + If client was built with LZO stub capability + + :code:`IV_LZ4=1` + If the client supports LZ4 compressions. + + :code:`IV_PROTO` + Details about protocol extensions that the peer supports. The + variable is a bitfield and the bits are defined as follows + (starting a bit 0 for the first (unused) bit: + + - bit 1: The peer supports peer-id floating mechanism + - bit 2: The client expects a push-reply and the server may + send this reply without waiting for a push-request first. + - bit 3: The client is capable of doing key derivation using + RFC5705 key material exporter. + - bit 4: The client is capable of accepting additional arguments + to the `AUTH_PENDING` message. + + :code:`IV_NCP=2` + Negotiable ciphers, client supports ``--cipher`` pushed by + the server, a value of 2 or greater indicates client supports + *AES-GCM-128* and *AES-GCM-256*. + + :code:`IV_CIPHERS=<ncp-ciphers>` + The client announces the list of supported ciphers configured with the + ``--data-ciphers`` option to the server. + + :code:`IV_GUI_VER=<gui_id> <version>` + The UI version of a UI if one is running, for example + :code:`de.blinkt.openvpn 0.5.47` for the Android app. + + :code:`IV_SSO=[crtext,][openurl,][proxy_url]` + Additional authentication methods supported by the client. + This may be set by the client UI/GUI using ``--setenv`` + + When ``--push-peer-info`` is enabled the additional information consists + of the following data: + + :code:`IV_HWADDR=<string>` + This is intended to be a unique and persistent ID of the client. 
+ The string value can be any readable ASCII string up to 64 bytes. + OpenVPN 2.x and some other implementations use the MAC address of + the client's interface used to reach the default gateway. If this + string is generated by the client, it should be consistent and + preserved across independent session and preferably + re-installations and upgrades. + + :code:`IV_SSL=<version string>` + The ssl version used by the client, e.g. + :code:`OpenSSL 1.0.2f 28 Jan 2016`. + + :code:`IV_PLAT_VER=x.y` + The version of the operating system, e.g. 6.1 for Windows 7. + + :code:`UV_<name>=<value>` + Client environment variables whose names start with + :code:`UV_` + --remote args Remote host name or IP address, port and protocol. diff --git a/doc/man-sections/link-options.rst b/doc/man-sections/link-options.rst index c132a62..ff581cf 100644 --- a/doc/man-sections/link-options.rst +++ b/doc/man-sections/link-options.rst @@ -213,7 +213,7 @@ the local and the remote host. This option is useful in cases where the remote peer has a dynamic IP address and a low-TTL DNS name is used to track the IP address using a - service such as http://dyndns.org/ + a dynamic DNS client such as + service such as https://www.nsupdate.info/ + a dynamic DNS client such as ``ddclient``. If the peer cannot be reached, a restart will be triggered, causing the diff --git a/doc/man-sections/server-options.rst b/doc/man-sections/server-options.rst index ac0df55..55c2c30 100644 --- a/doc/man-sections/server-options.rst +++ b/doc/man-sections/server-options.rst 
@@ -449,71 +449,6 @@ fast hardware. SSL/TLS authentication must be used in this mode. ``--echo``, ``--comp-lzo``, ``--socket-flags``, ``--sndbuf``, ``--rcvbuf`` ---push-peer-info - Push additional information about the client to server. The following - data is always pushed to the server: - - :code:`IV_VER=<version>` - The client OpenVPN version - - :code:`IV_PLAT=[linux|solaris|openbsd|mac|netbsd|freebsd|win]` - The client OS platform - - :code:`IV_LZO_STUB=1` - If client was built with LZO stub capability - - :code:`IV_LZ4=1` - If the client supports LZ4 compressions. - - :code:`IV_PROTO` - Details about protocol extensions that the peer supports. The - variable is a bitfield and the bits are defined as follows - (starting a bit 0 for the first (unused) bit: - - - bit 1: The peer supports peer-id floating mechanism - - bit 2: The client expects a push-reply and the server may - send this reply without waiting for a push-request first. - - :code:`IV_NCP=2` - Negotiable ciphers, client supports ``--cipher`` pushed by - the server, a value of 2 or greater indicates client supports - *AES-GCM-128* and *AES-GCM-256*. - - :code:`IV_CIPHERS=<ncp-ciphers>` - The client announces the list of supported ciphers configured with the - ``--data-ciphers`` option to the server. - - :code:`IV_GUI_VER=<gui_id> <version>` - The UI version of a UI if one is running, for example - :code:`de.blinkt.openvpn 0.5.47` for the Android app. - - :code:`IV_SSO=[crtext,][openurl,][proxy_url]` - Additional authentication methods supported by the client. - This may be set by the client UI/GUI using ``--setenv`` - - When ``--push-peer-info`` is enabled the additional information consists - of the following data: - - :code:`IV_HWADDR=<string>` - This is intended to be a unique and persistent ID of the client. - The string value can be any readable ASCII string up to 64 bytes. 
- OpenVPN 2.x and some other implementations use the MAC address of - the client's interface used to reach the default gateway. If this - string is generated by the client, it should be consistent and - preserved across independent session and preferably - re-installations and upgrades. - - :code:`IV_SSL=<version string>` - The ssl version used by the client, e.g. - :code:`OpenSSL 1.0.2f 28 Jan 2016`. - - :code:`IV_PLAT_VER=x.y` - The version of the operating system, e.g. 6.1 for Windows 7. - - :code:`UV_<name>=<value>` - Client environment variables whose names start with - :code:`UV_` - --push-remove opt Selectively remove all ``--push`` options matching "opt" from the option list for a client. ``opt`` is matched as a substring against the whole diff --git a/doc/man-sections/vpn-network-options.rst b/doc/man-sections/vpn-network-options.rst index 029834a..25a26b3 100644 --- a/doc/man-sections/vpn-network-options.rst +++ b/doc/man-sections/vpn-network-options.rst @@ -107,7 +107,7 @@ routing. ``OpenVPN for Android`` client also handles them internally. On all other platforms these options are only saved in the client's - environment under the name :code:`foreign_options_{n}` before the + environment under the name :code:`foreign_option_{n}` before the ``--up`` script is called. A plugin or an ``--up`` script must be used to pick up and interpret these as required. Many Linux distributions include such scripts and some third-party user interfaces such as tunnelblick also diff --git a/doc/man-sections/windows-options.rst b/doc/man-sections/windows-options.rst index eacb9af..c389fbc 100644 --- a/doc/man-sections/windows-options.rst +++ b/doc/man-sections/windows-options.rst 
@@ -93,7 +93,7 @@ Windows-Specific Options server to masquerade as if it were coming from the remote endpoint. The optional offset parameter is an integer which is > :code:`-256` - and < :code:`256` and which defaults to -1. If offset is positive, + and < :code:`256` and which defaults to 0. If offset is positive, the DHCP server will masquerade as the IP address at network address + offset. If offset is negative, the DHCP server will masquerade as the IP address at broadcast address + offset. diff --git a/doc/openvpn.8 b/doc/openvpn.8 index ceb6348..6eb6167 100644 --- a/doc/openvpn.8 +++ b/doc/openvpn.8 
@@ -1282,6 +1282,84 @@ reconnect, unless multiple remotes are specified and connection to the next remote succeeds. To silently ignore an option pushed by the server, use \fBignore\fP\&. .TP +.B \-\-push\-peer\-info +Push additional information about the client to server. The following +data is always pushed to the server: +.INDENT 7.0 +.TP +.B \fBIV_VER=<version>\fP +The client OpenVPN version +.TP +.B \fBIV_PLAT=[linux|solaris|openbsd|mac|netbsd|freebsd|win]\fP +The client OS platform +.TP +.B \fBIV_LZO_STUB=1\fP +If client was built with LZO stub capability +.TP +.B \fBIV_LZ4=1\fP +If the client supports LZ4 compressions. +.TP +.B \fBIV_PROTO\fP +Details about protocol extensions that the peer supports. The +variable is a bitfield and the bits are defined as follows +(starting a bit 0 for the first (unused) bit: +.INDENT 7.0 +.IP \(bu 2 +bit 1: The peer supports peer\-id floating mechanism +.IP \(bu 2 +bit 2: The client expects a push\-reply and the server may +send this reply without waiting for a push\-request first. +.IP \(bu 2 +bit 3: The client is capable of doing key derivation using +RFC5705 key material exporter. +.IP \(bu 2 +bit 4: The client is capable of accepting additional arguments +to the \fIAUTH_PENDING\fP message. +.UNINDENT +.TP +.B \fBIV_NCP=2\fP +Negotiable ciphers, client supports \fB\-\-cipher\fP pushed by +the server, a value of 2 or greater indicates client supports +\fIAES\-GCM\-128\fP and \fIAES\-GCM\-256\fP\&. +.TP +.B \fBIV_CIPHERS=<ncp\-ciphers>\fP +The client announces the list of supported ciphers configured with the +\fB\-\-data\-ciphers\fP option to the server. +.TP +.B \fBIV_GUI_VER=<gui_id> <version>\fP +The UI version of a UI if one is running, for example +\fBde.blinkt.openvpn 0.5.47\fP for the Android app. +.TP +.B \fBIV_SSO=[crtext,][openurl,][proxy_url]\fP +Additional authentication methods supported by the client. 
+This may be set by the client UI/GUI using \fB\-\-setenv\fP +.UNINDENT +.sp +When \fB\-\-push\-peer\-info\fP is enabled the additional information consists +of the following data: +.INDENT 7.0 +.TP +.B \fBIV_HWADDR=<string>\fP +This is intended to be a unique and persistent ID of the client. +The string value can be any readable ASCII string up to 64 bytes. +OpenVPN 2.x and some other implementations use the MAC address of +the client\(aqs interface used to reach the default gateway. If this +string is generated by the client, it should be consistent and +preserved across independent session and preferably +re\-installations and upgrades. +.TP +.B \fBIV_SSL=<version string>\fP +The ssl version used by the client, e.g. +\fBOpenSSL 1.0.2f 28 Jan 2016\fP\&. +.TP +.B \fBIV_PLAT_VER=x.y\fP +The version of the operating system, e.g. 6.1 for Windows 7. +.TP +.B \fBUV_<name>=<value>\fP +Client environment variables whose names start with +\fBUV_\fP +.UNINDENT +.TP .BI \-\-remote \ args Remote host name or IP address, port and protocol. .sp 
@@ -2043,78 +2121,6 @@ This is a partial list of options which can currently be pushed: \fB\-\-echo\fP, \fB\-\-comp\-lzo\fP, \fB\-\-socket\-flags\fP, \fB\-\-sndbuf\fP, \fB\-\-rcvbuf\fP .TP -.B \-\-push\-peer\-info -Push additional information about the client to server. The following -data is always pushed to the server: -.INDENT 7.0 -.TP -.B \fBIV_VER=<version>\fP -The client OpenVPN version -.TP -.B \fBIV_PLAT=[linux|solaris|openbsd|mac|netbsd|freebsd|win]\fP -The client OS platform -.TP -.B \fBIV_LZO_STUB=1\fP -If client was built with LZO stub capability -.TP -.B \fBIV_LZ4=1\fP -If the client supports LZ4 compressions. -.TP -.B \fBIV_PROTO\fP -Details about protocol extensions that the peer supports. The -variable is a bitfield and the bits are defined as follows -(starting a bit 0 for the first (unused) bit: -.INDENT 7.0 -.IP \(bu 2 -bit 1: The peer supports peer\-id floating mechanism -.IP \(bu 2 -bit 2: The client expects a push\-reply and the server may -send this reply without waiting for a push\-request first. -.UNINDENT -.TP -.B \fBIV_NCP=2\fP -Negotiable ciphers, client supports \fB\-\-cipher\fP pushed by -the server, a value of 2 or greater indicates client supports -\fIAES\-GCM\-128\fP and \fIAES\-GCM\-256\fP\&. -.TP -.B \fBIV_CIPHERS=<ncp\-ciphers>\fP -The client announces the list of supported ciphers configured with the -\fB\-\-data\-ciphers\fP option to the server. -.TP -.B \fBIV_GUI_VER=<gui_id> <version>\fP -The UI version of a UI if one is running, for example -\fBde.blinkt.openvpn 0.5.47\fP for the Android app. -.TP -.B \fBIV_SSO=[crtext,][openurl,][proxy_url]\fP -Additional authentication methods supported by the client. -This may be set by the client UI/GUI using \fB\-\-setenv\fP -.UNINDENT -.sp -When \fB\-\-push\-peer\-info\fP is enabled the additional information consists -of the following data: -.INDENT 7.0 -.TP -.B \fBIV_HWADDR=<string>\fP -This is intended to be a unique and persistent ID of the client. 
-The string value can be any readable ASCII string up to 64 bytes. -OpenVPN 2.x and some other implementations use the MAC address of -the client\(aqs interface used to reach the default gateway. If this -string is generated by the client, it should be consistent and -preserved across independent session and preferably -re\-installations and upgrades. -.TP -.B \fBIV_SSL=<version string>\fP -The ssl version used by the client, e.g. -\fBOpenSSL 1.0.2f 28 Jan 2016\fP\&. -.TP -.B \fBIV_PLAT_VER=x.y\fP -The version of the operating system, e.g. 6.1 for Windows 7. -.TP -.B \fBUV_<name>=<value>\fP -Client environment variables whose names start with -\fBUV_\fP -.UNINDENT -.TP .BI \-\-push\-remove \ opt Selectively remove all \fB\-\-push\fP options matching "opt" from the option list for a client. \fBopt\fP is matched as a substring against the whole @@ -3988,7 +3994,7 @@ remote. .sp This option is useful in cases where the remote peer has a dynamic IP address and a low\-TTL DNS name is used to track the IP address using a -service such as \fI\%http://dyndns.org/\fP + a dynamic DNS client such as +service such as \fI\%https://www.nsupdate.info/\fP + a dynamic DNS client such as \fBddclient\fP\&. .sp If the peer cannot be reached, a restart will be triggered, causing the @@ -4333,7 +4339,7 @@ if dhcp is disabled or the \fBwintun\fP driver is in use. The \fBOpenVPN for Android\fP client also handles them internally. .sp On all other platforms these options are only saved in the client\(aqs -environment under the name \fBforeign_options_{n}\fP before the +environment under the name \fBforeign_option_{n}\fP before the \fB\-\-up\fP script is called. A plugin or an \fB\-\-up\fP script must be used to pick up and interpret these as required. Many Linux distributions include such scripts and some third\-party user interfaces such as tunnelblick also 
@@ -6190,7 +6196,7 @@ server address. In \fB\-\-dev tun\fP mode, OpenVPN will cause the DHCP server to masquerade as if it were coming from the remote endpoint. .sp The optional offset parameter is an integer which is > \fB\-256\fP -and < \fB256\fP and which defaults to \-1. If offset is positive, +and < \fB256\fP and which defaults to 0. If offset is positive, the DHCP server will masquerade as the IP address at network address + offset. If offset is negative, the DHCP server will masquerade as the IP address at broadcast address + offset. diff --git a/doc/openvpn.8.html b/doc/openvpn.8.html index 1c0c65e..1dec6f7 100644 --- a/doc/openvpn.8.html +++ b/doc/openvpn.8.html 
@@ -1436,6 +1436,69 @@ reconnect, unless multiple remotes are specified and connection to the next remote succeeds. To silently ignore an option pushed by the server, use <code>ignore</code>.</p> </td></tr> +<tr><td class="option-group" colspan="2"> +<kbd><span class="option">--push-peer-info</span></kbd></td> +</tr> +<tr><td> </td><td><p class="first">Push additional information about the client to server. The following +data is always pushed to the server:</p> +<dl class="docutils"> +<dt><code>IV_VER=<version></code></dt> +<dd>The client OpenVPN version</dd> +<dt><code>IV_PLAT=[linux|solaris|openbsd|mac|netbsd|freebsd|win]</code></dt> +<dd>The client OS platform</dd> +<dt><code>IV_LZO_STUB=1</code></dt> +<dd>If client was built with LZO stub capability</dd> +<dt><code>IV_LZ4=1</code></dt> +<dd>If the client supports LZ4 compressions.</dd> +<dt><code>IV_PROTO</code></dt> +<dd><p class="first">Details about protocol extensions that the peer supports. The +variable is a bitfield and the bits are defined as follows +(starting a bit 0 for the first (unused) bit:</p> +<ul class="last simple"> +<li>bit 1: The peer supports peer-id floating mechanism</li> +<li>bit 2: The client expects a push-reply and the server may +send this reply without waiting for a push-request first.</li> +<li>bit 3: The client is capable of doing key derivation using +RFC5705 key material exporter.</li> +<li>bit 4: The client is capable of accepting additional arguments +to the <cite>AUTH_PENDING</cite> message.</li> +</ul> +</dd> +<dt><code>IV_NCP=2</code></dt> +<dd>Negotiable ciphers, client supports <tt class="docutils literal"><span class="pre">--cipher</span></tt> pushed by +the server, a value of 2 or greater indicates client supports +<em>AES-GCM-128</em> and <em>AES-GCM-256</em>.</dd> +<dt><code>IV_CIPHERS=<ncp-ciphers></code></dt> +<dd>The client announces the list of supported ciphers configured with the +<tt class="docutils literal"><span class="pre">--data-ciphers</span></tt> option 
to the server.</dd> +<dt><code>IV_GUI_VER=<gui_id> <version></code></dt> +<dd>The UI version of a UI if one is running, for example +<code>de.blinkt.openvpn 0.5.47</code> for the Android app.</dd> +<dt><code>IV_SSO=[crtext,][openurl,][proxy_url]</code></dt> +<dd>Additional authentication methods supported by the client. +This may be set by the client UI/GUI using <tt class="docutils literal"><span class="pre">--setenv</span></tt></dd> +</dl> +<p>When <tt class="docutils literal"><span class="pre">--push-peer-info</span></tt> is enabled the additional information consists +of the following data:</p> +<dl class="last docutils"> +<dt><code>IV_HWADDR=<string></code></dt> +<dd>This is intended to be a unique and persistent ID of the client. +The string value can be any readable ASCII string up to 64 bytes. +OpenVPN 2.x and some other implementations use the MAC address of +the client's interface used to reach the default gateway. If this +string is generated by the client, it should be consistent and +preserved across independent session and preferably +re-installations and upgrades.</dd> +<dt><code>IV_SSL=<version string></code></dt> +<dd>The ssl version used by the client, e.g. +<code>OpenSSL 1.0.2f 28 Jan 2016</code>.</dd> +<dt><code>IV_PLAT_VER=x.y</code></dt> +<dd>The version of the operating system, e.g. 6.1 for Windows 7.</dd> +<dt><code>UV_<name>=<value></code></dt> +<dd>Client environment variables whose names start with +<code>UV_</code></dd> +</dl> +</td></tr> <tr><td class="option-group"> <kbd><span class="option">--remote <var>args</var></span></kbd></td> <td><p class="first">Remote host name or IP address, port and protocol.</p> 
@@ -2058,65 +2121,6 @@ server can be initiated.</p> <tt class="docutils literal"><span class="pre">--rcvbuf</span></tt></p> </td></tr> <tr><td class="option-group" colspan="2"> -<kbd><span class="option">--push-peer-info</span></kbd></td> -</tr> -<tr><td> </td><td><p class="first">Push additional information about the client to server. The following -data is always pushed to the server:</p> -<dl class="docutils"> -<dt><code>IV_VER=<version></code></dt> -<dd>The client OpenVPN version</dd> -<dt><code>IV_PLAT=[linux|solaris|openbsd|mac|netbsd|freebsd|win]</code></dt> -<dd>The client OS platform</dd> -<dt><code>IV_LZO_STUB=1</code></dt> -<dd>If client was built with LZO stub capability</dd> -<dt><code>IV_LZ4=1</code></dt> -<dd>If the client supports LZ4 compressions.</dd> -<dt><code>IV_PROTO</code></dt> -<dd><p class="first">Details about protocol extensions that the peer supports. The -variable is a bitfield and the bits are defined as follows -(starting a bit 0 for the first (unused) bit:</p> -<ul class="last simple"> -<li>bit 1: The peer supports peer-id floating mechanism</li> -<li>bit 2: The client expects a push-reply and the server may -send this reply without waiting for a push-request first.</li> -</ul> -</dd> -<dt><code>IV_NCP=2</code></dt> -<dd>Negotiable ciphers, client supports <tt class="docutils literal"><span class="pre">--cipher</span></tt> pushed by -the server, a value of 2 or greater indicates client supports -<em>AES-GCM-128</em> and <em>AES-GCM-256</em>.</dd> -<dt><code>IV_CIPHERS=<ncp-ciphers></code></dt> -<dd>The client announces the list of supported ciphers configured with the -<tt class="docutils literal"><span class="pre">--data-ciphers</span></tt> option to the server.</dd> -<dt><code>IV_GUI_VER=<gui_id> <version></code></dt> -<dd>The UI version of a UI if one is running, for example -<code>de.blinkt.openvpn 0.5.47</code> for the Android app.</dd> -<dt><code>IV_SSO=[crtext,][openurl,][proxy_url]</code></dt> -<dd>Additional authentication 
methods supported by the client. -This may be set by the client UI/GUI using <tt class="docutils literal"><span class="pre">--setenv</span></tt></dd> -</dl> -<p>When <tt class="docutils literal"><span class="pre">--push-peer-info</span></tt> is enabled the additional information consists -of the following data:</p> -<dl class="last docutils"> -<dt><code>IV_HWADDR=<string></code></dt> -<dd>This is intended to be a unique and persistent ID of the client. -The string value can be any readable ASCII string up to 64 bytes. -OpenVPN 2.x and some other implementations use the MAC address of -the client's interface used to reach the default gateway. If this -string is generated by the client, it should be consistent and -preserved across independent session and preferably -re-installations and upgrades.</dd> -<dt><code>IV_SSL=<version string></code></dt> -<dd>The ssl version used by the client, e.g. -<code>OpenSSL 1.0.2f 28 Jan 2016</code>.</dd> -<dt><code>IV_PLAT_VER=x.y</code></dt> -<dd>The version of the operating system, e.g. 6.1 for Windows 7.</dd> -<dt><code>UV_<name>=<value></code></dt> -<dd>Client environment variables whose names start with -<code>UV_</code></dd> -</dl> -</td></tr> -<tr><td class="option-group" colspan="2"> <kbd><span class="option">--push-remove <var>opt</var></span></kbd></td> </tr> <tr><td> </td><td><p class="first">Selectively remove all <tt class="docutils literal"><span class="pre">--push</span></tt> options matching "opt" from the option 
@@ -3602,7 +3606,7 @@ data is exchanged.</p> remote.</p> <p>This option is useful in cases where the remote peer has a dynamic IP address and a low-TTL DNS name is used to track the IP address using a -service such as <a class="reference external" href="http://dyndns.org/">http://dyndns.org/</a> + a dynamic DNS client such as +service such as <a class="reference external" href="https://www.nsupdate.info/">https://www.nsupdate.info/</a> + a dynamic DNS client such as <tt class="docutils literal">ddclient</tt>.</p> <p>If the peer cannot be reached, a restart will be triggered, causing the hostname used with <tt class="docutils literal"><span class="pre">--remote</span></tt> to be re-resolved (if <tt class="docutils literal"><span class="pre">--resolv-retry</span></tt> @@ -3888,7 +3892,7 @@ handled by the <tt class="docutils literal"><span class="pre">tap-windows6</span if dhcp is disabled or the <tt class="docutils literal">wintun</tt> driver is in use. The <tt class="docutils literal">OpenVPN for Android</tt> client also handles them internally.</p> <p>On all other platforms these options are only saved in the client's -environment under the name <code>foreign_options_{n}</code> before the +environment under the name <code>foreign_option_{n}</code> before the <tt class="docutils literal"><span class="pre">--up</span></tt> script is called. A plugin or an <tt class="docutils literal"><span class="pre">--up</span></tt> script must be used to pick up and interpret these as required. Many Linux distributions include such scripts and some third-party user interfaces such as tunnelblick also 
@@ -5415,7 +5419,7 @@ the IP address <code>192.168.4.0</code> to use as the virtual DHCP server address. In <tt class="docutils literal"><span class="pre">--dev</span> tun</tt> mode, OpenVPN will cause the DHCP server to masquerade as if it were coming from the remote endpoint.</p> <p>The optional offset parameter is an integer which is > <code>-256</code> -and < <code>256</code> and which defaults to -1. If offset is positive, +and < <code>256</code> and which defaults to 0. If offset is positive, the DHCP server will masquerade as the IP address at network address + offset. If offset is negative, the DHCP server will masquerade as the IP address at broadcast address + offset.</p> diff --git a/include/openvpn-plugin.h b/include/openvpn-plugin.h index 934248d..7f25d75 100644 --- a/include/openvpn-plugin.h +++ b/include/openvpn-plugin.h @@ -53,7 +53,7 @@ extern "C" { */ #define OPENVPN_VERSION_MAJOR 2 #define OPENVPN_VERSION_MINOR 5 -#define OPENVPN_VERSION_PATCH ".4" +#define OPENVPN_VERSION_PATCH ".5" /* * Plug-in types. These types correspond to the set of script callbacks diff --git a/sample/sample-config-files/firewall.sh b/sample/sample-config-files/firewall.sh index 19d75ee..456700c 100755 --- a/sample/sample-config-files/firewall.sh +++ b/sample/sample-config-files/firewall.sh @@ -50,7 +50,7 @@ iptables -A OUTPUT -p tcp --sport 137:139 -o eth0 -j DROP iptables -A OUTPUT -p udp --sport 137:139 -o eth0 -j DROP # Check source address validity on packets going out to internet -iptables -A FORWARD -s ! $PRIVATE -i eth1 -j DROP +iptables -A FORWARD ! -s $PRIVATE -i eth1 -j DROP # Allow local loopback iptables -A INPUT -s $LOOP -j ACCEPT diff --git a/sample/sample-plugins/Makefile b/sample/sample-plugins/Makefile index 8646832..f795978 100644 --- a/sample/sample-plugins/Makefile +++ b/sample/sample-plugins/Makefile 
@@ -153,7 +153,7 @@ AUTOMAKE = ${SHELL} /home/samuli/opt/openvpninc/openvpn-release-scripts/release/ AWK = gawk CC = gcc CCDEPMODE = depmode=gcc3 -CFLAGS = -Wall -Wno-unused-parameter -Wno-unused-function -Wno-stringop-truncation -g -O2 -std=c99 +CFLAGS = -Wall -Wno-stringop-truncation -g -O2 -std=c99 CMOCKA_CFLAGS = CMOCKA_LIBS = CPP = gcc -E @@ -210,7 +210,7 @@ OPENSSL_CFLAGS = OPENSSL_LIBS = -lssl -lcrypto OPENVPN_VERSION_MAJOR = 2 OPENVPN_VERSION_MINOR = 5 -OPENVPN_VERSION_PATCH = .4 +OPENVPN_VERSION_PATCH = .5 OPTIONAL_CRYPTO_CFLAGS = OPTIONAL_CRYPTO_LIBS = -lssl -lcrypto OPTIONAL_DL_LIBS = -ldl @@ -231,13 +231,13 @@ P11KIT_LIBS = PACKAGE = openvpn PACKAGE_BUGREPORT = openvpn-users@lists.sourceforge.net PACKAGE_NAME = OpenVPN -PACKAGE_STRING = OpenVPN 2.5.4 +PACKAGE_STRING = OpenVPN 2.5.5 PACKAGE_TARNAME = openvpn PACKAGE_URL = -PACKAGE_VERSION = 2.5.4 +PACKAGE_VERSION = 2.5.5 PATH_SEPARATOR = : PKCS11_HELPER_CFLAGS = -PKCS11_HELPER_LIBS = -lpthread -ldl -lcrypto -lpkcs11-helper +PKCS11_HELPER_LIBS = PKG_CONFIG = /usr/bin/pkg-config PKG_CONFIG_LIBDIR = PKG_CONFIG_PATH = @@ -264,7 +264,7 @@ TAP_WIN_MIN_MINOR = 9 TEST_CFLAGS = -I$(top_srcdir)/include TEST_LDFLAGS = -lssl -lcrypto -llzo2 TMPFILES_DIR = -VERSION = 2.5.4 +VERSION = 2.5.5 abs_builddir = /home/samuli/opt/openvpninc/openvpn-release-scripts/release/openvpn/sample/sample-plugins abs_srcdir = /home/samuli/opt/openvpninc/openvpn-release-scripts/release/openvpn/sample/sample-plugins abs_top_builddir = /home/samuli/opt/openvpninc/openvpn-release-scripts/release/openvpn diff --git a/src/compat/Release.props b/src/compat/Release.props index 63828b7..50eaa8d 100644 --- a/src/compat/Release.props +++ b/src/compat/Release.props 
@@ -15,6 +15,7 @@ <RuntimeLibrary>MultiThreadedDLL</RuntimeLibrary> <DebugInformationFormat>ProgramDatabase</DebugInformationFormat> <PreprocessorDefinitions>NDEBUG;%(PreprocessorDefinitions)</PreprocessorDefinitions> + <ControlFlowGuard>Guard</ControlFlowGuard> </ClCompile> <Link> <EnableCOMDATFolding>true</EnableCOMDATFolding> diff --git a/src/compat/compat.vcxproj b/src/compat/compat.vcxproj index 14376e4..a1e30da 100644 --- a/src/compat/compat.vcxproj +++ b/src/compat/compat.vcxproj 
@@ -38,33 +38,39 @@ <CharacterSet>MultiByte</CharacterSet> <WholeProgramOptimization>true</WholeProgramOptimization> <PlatformToolset>v142</PlatformToolset> + <SpectreMitigation>Spectre</SpectreMitigation> </PropertyGroup> <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration"> <ConfigurationType>StaticLibrary</ConfigurationType> <CharacterSet>MultiByte</CharacterSet> <WholeProgramOptimization>true</WholeProgramOptimization> <PlatformToolset>v142</PlatformToolset> + <SpectreMitigation>Spectre</SpectreMitigation> </PropertyGroup> <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'" Label="Configuration"> <ConfigurationType>StaticLibrary</ConfigurationType> <CharacterSet>MultiByte</CharacterSet> <WholeProgramOptimization>true</WholeProgramOptimization> <PlatformToolset>v142</PlatformToolset> + <SpectreMitigation>Spectre</SpectreMitigation> </PropertyGroup> <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration"> <ConfigurationType>StaticLibrary</ConfigurationType> <CharacterSet>MultiByte</CharacterSet> <PlatformToolset>v142</PlatformToolset> + <SpectreMitigation>Spectre</SpectreMitigation> </PropertyGroup> <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration"> <ConfigurationType>StaticLibrary</ConfigurationType> <CharacterSet>MultiByte</CharacterSet> <PlatformToolset>v142</PlatformToolset> + <SpectreMitigation>Spectre</SpectreMitigation> </PropertyGroup> <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'" Label="Configuration"> <ConfigurationType>StaticLibrary</ConfigurationType> <CharacterSet>MultiByte</CharacterSet> <PlatformToolset>v142</PlatformToolset> + <SpectreMitigation>Spectre</SpectreMitigation> </PropertyGroup> <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" /> <ImportGroup Label="ExtensionSettings"> diff --git a/src/openvpn/buffer.c b/src/openvpn/buffer.c index c82d3d4..54e758a 100644 
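Review bot: `<SpectreMitigation>Spectre</SpectreMitigation>` is added to every configuration here, Debug included, and nothing in the project records the extra build prerequisite it creates. With this property the v142 toolset links against the Spectre-mitigated runtime libraries, which are an optional Visual Studio component, so a build machine without them is expected to fail rather than fall back silently. An XML comment next to the first occurrence would cover it, e.g. `<!-- requires the "MSVC v142 Spectre-mitigated libs" VS component for each target architecture -->`, together with a line in the Windows build instructions. The same applies to the matching hunks in openvpn.vcxproj, openvpnmsica.vcxproj and openvpnserv.vcxproj.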
--- a/src/openvpn/buffer.c +++ b/src/openvpn/buffer.c @@ -311,29 +311,6 @@ openvpn_snprintf(char *str, size_t size, const char *format, ...) } /* - * openvpn_swprintf() is currently only used by Windows code paths - * and when enabled for all platforms it will currently break older - * OpenBSD versions lacking vswprintf(3) support in their libc. - */ - -#ifdef _WIN32 -bool -openvpn_swprintf(wchar_t *const str, const size_t size, const wchar_t *const format, ...) -{ - va_list arglist; - int len = -1; - if (size > 0) - { - va_start(arglist, format); - len = vswprintf(str, size, format, arglist); - va_end(arglist); - str[size - 1] = L'\0'; - } - return (len >= 0 && len < size); -} -#endif - -/* * write a string to the end of a buffer that was * truncated by buf_printf */ diff --git a/src/openvpn/buffer.h b/src/openvpn/buffer.h index fc7909b..1a795d2 100644 --- a/src/openvpn/buffer.h +++ b/src/openvpn/buffer.h @@ -449,22 +449,6 @@ __attribute__ ((format(__printf__, 3, 4))) ; -#ifdef _WIN32 -/* - * Like swprintf but guarantees null termination for size > 0 - * - * This is under #ifdef because only Windows-specific code in tun.c - * uses this function and its implementation breaks OpenBSD <= 4.9 - */ -bool -openvpn_swprintf(wchar_t *const str, const size_t size, const wchar_t *const format, ...); - -/* - * Unlike in openvpn_snprintf, we cannot use format attributes since - * GCC doesn't support wprintf as archetype. - */ -#endif - /* * remove/add trailing characters */ diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index 619cd96..6945cc0 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c @@ -729,7 +729,7 @@ warn_insecure_key_type(const char *ciphername, const cipher_kt_t *cipher) " bit (%d bit). This allows attacks like SWEET32. Mitigate by " "using a --cipher with a larger block size (e.g. AES-256-CBC). " "Support for these insecure ciphers will be removed in " - "OpenVPN 2.6.", + "OpenVPN 2.7.", ciphername, cipher_kt_block_size(cipher)*8); } } 
diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index 79fbab4..ef52092 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -51,6 +51,10 @@ #include <openssl/rand.h> #include <openssl/ssl.h> +#if defined(_WIN32) && defined(OPENSSL_NO_EC) +#error Windows build with OPENSSL_NO_EC: disabling EC key is not supported. +#endif + /* * Check for key size creepage. */ @@ -150,13 +154,11 @@ crypto_init_lib_engine(const char *engine_name) void crypto_init_lib(void) { -#ifndef _WIN32 #if (OPENSSL_VERSION_NUMBER >= 0x10100000L) OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL); #else OPENSSL_config(NULL); #endif -#endif /* _WIN32 */ /* * If you build the OpenSSL library and OpenVPN with * CRYPTO_MDEBUG, you will get a listing of OpenSSL diff --git a/src/openvpn/cryptoapi.c b/src/openvpn/cryptoapi.c index 6c4df9e..4becef4 100644 --- a/src/openvpn/cryptoapi.c +++ b/src/openvpn/cryptoapi.c @@ -537,7 +537,7 @@ finish(RSA *rsa) return 1; } -#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(OPENSSL_NO_EC) +#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) static EC_KEY_METHOD *ec_method = NULL; @@ -1232,7 +1232,7 @@ SSL_CTX_use_CryptoAPI_certificate(SSL_CTX *ssl_ctx, const char *cert_prop) goto err; } } -#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(OPENSSL_NO_EC) +#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) else if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) { if (!ssl_ctx_set_eckey(ssl_ctx, cd, pkey)) diff --git a/src/openvpn/helper.c b/src/openvpn/helper.c index 67131b5..ebb5142 100644 --- a/src/openvpn/helper.c +++ b/src/openvpn/helper.c @@ -239,7 +239,7 @@ helper_client_server(struct options *o) * if tap OR (tun AND topology == subnet): * ifconfig 10.8.0.1 255.255.255.0 * if !nopool: - * ifconfig-pool 10.8.0.2 10.8.0.253 255.255.255.0 + * ifconfig-pool 10.8.0.2 10.8.0.254 255.255.255.0 * push "route-gateway 10.8.0.1" * if route-gateway unset: * route-gateway 10.8.0.2 
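Review bot: With the `#ifndef _WIN32` guard removed in `crypto_init_lib()`, `OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL)` now loads an OpenSSL configuration file on Windows, and nothing at this call site says where that file is expected to come from. The same commit adds `set_openssl_env_vars()` to `init_win32()` in win32.c, so the safety of this call presumably depends on `init_win32()` having run first; that ordering is not visible in this hunk and is not enforced here. A comment above the call would make the dependency explicit, e.g. `/* On Windows, init_win32() must already have pointed OPENSSL_CONF, OPENSSL_ENGINES and OPENSSL_MODULES at the install directory */`. The body of `crypto_init_lib()` continues outside the hunk.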
@@ -342,7 +342,7 @@ helper_client_server(struct options *o) { o->ifconfig_pool_defined = true; o->ifconfig_pool_start = o->server_network + 2; - o->ifconfig_pool_end = (o->server_network | ~o->server_netmask) - 2; + o->ifconfig_pool_end = (o->server_network | ~o->server_netmask) - 1; ifconfig_pool_verify_range(M_USAGE, o->ifconfig_pool_start, o->ifconfig_pool_end); } o->ifconfig_pool_netmask = o->server_netmask; diff --git a/src/openvpn/openvpn.vcxproj b/src/openvpn/openvpn.vcxproj index 2144775..33b8f19 100644 --- a/src/openvpn/openvpn.vcxproj +++ b/src/openvpn/openvpn.vcxproj 
@@ -38,33 +38,39 @@ <WholeProgramOptimization>true</WholeProgramOptimization> <CharacterSet>NotSet</CharacterSet> <PlatformToolset>v142</PlatformToolset> + <SpectreMitigation>Spectre</SpectreMitigation> </PropertyGroup> <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration"> <ConfigurationType>Application</ConfigurationType> <WholeProgramOptimization>true</WholeProgramOptimization> <CharacterSet>NotSet</CharacterSet> <PlatformToolset>v142</PlatformToolset> + <SpectreMitigation>Spectre</SpectreMitigation> </PropertyGroup> <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'" Label="Configuration"> <ConfigurationType>Application</ConfigurationType> <WholeProgramOptimization>true</WholeProgramOptimization> <CharacterSet>NotSet</CharacterSet> <PlatformToolset>v142</PlatformToolset> + <SpectreMitigation>Spectre</SpectreMitigation> </PropertyGroup> <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration"> <ConfigurationType>Application</ConfigurationType> <CharacterSet>NotSet</CharacterSet> <PlatformToolset>v142</PlatformToolset> + <SpectreMitigation>Spectre</SpectreMitigation> </PropertyGroup> <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration"> <ConfigurationType>Application</ConfigurationType> <CharacterSet>NotSet</CharacterSet> <PlatformToolset>v142</PlatformToolset> + <SpectreMitigation>Spectre</SpectreMitigation> </PropertyGroup> <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'" Label="Configuration"> <ConfigurationType>Application</ConfigurationType> <CharacterSet>NotSet</CharacterSet> <PlatformToolset>v142</PlatformToolset> + <SpectreMitigation>Spectre</SpectreMitigation> </PropertyGroup> <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" /> <ImportGroup Label="ExtensionSettings"> 
@@ -191,6 +197,7 @@ <WarningLevel>Level2</WarningLevel> <TreatWarningAsError>true</TreatWarningAsError> <AdditionalIncludeDirectories>..\compat;$(SolutionDir);%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories> + <ControlFlowGuard>Guard</ControlFlowGuard> </ClCompile> <ResourceCompile /> <Link> @@ -206,6 +213,7 @@ <WarningLevel>Level2</WarningLevel> <TreatWarningAsError>true</TreatWarningAsError> <AdditionalIncludeDirectories>..\compat;$(SolutionDir);%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories> + <ControlFlowGuard>Guard</ControlFlowGuard> </ClCompile> <ResourceCompile /> <Link> @@ -221,6 +229,7 @@ <WarningLevel>Level2</WarningLevel> <TreatWarningAsError>true</TreatWarningAsError> <AdditionalIncludeDirectories>..\compat;$(SolutionDir);%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories> + <ControlFlowGuard>Guard</ControlFlowGuard> </ClCompile> <ResourceCompile /> <Link> @@ -355,6 +364,7 @@ <ClInclude Include="multi.h" /> <ClInclude Include="ntlm.h" /> <ClInclude Include="occ.h" /> + <ClInclude Include="openssl_compat.h" /> <ClInclude Include="openvpn.h" /> <ClInclude Include="options.h" /> <ClInclude Include="otime.h" /> diff --git a/src/openvpn/openvpn.vcxproj.filters b/src/openvpn/openvpn.vcxproj.filters index cf5748c..bbcbff3 100644 --- a/src/openvpn/openvpn.vcxproj.filters +++ b/src/openvpn/openvpn.vcxproj.filters @@ -509,6 +509,9 @@ <ClInclude Include="ssl_ncp.h"> <Filter>Header Files</Filter> </ClInclude> + <ClInclude Include="openssl_compat.h"> + <Filter>Header Files</Filter> + </ClInclude> </ItemGroup> <ItemGroup> <ResourceCompile Include="openvpn_win32_resources.rc"> diff --git a/src/openvpn/options.c b/src/openvpn/options.c index a536ebe..f88cf2e 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c 
@@ -418,6 +418,8 @@ static const char usage_message[] = " execution. Peer must specify --pull in its config file.\n" "--push-reset : Don't inherit global push list for specific\n" " client instance.\n" + "--push-remove opt : Remove options matching 'opt' from the push list for\n" + " a specific client instance.\n" "--ifconfig-pool start-IP end-IP [netmask] : Set aside a pool of subnets\n" " to be dynamically allocated to connecting clients.\n" "--ifconfig-pool-persist file [seconds] : Persist/unpersist ifconfig-pool\n" diff --git a/src/openvpn/ring_buffer.h b/src/openvpn/ring_buffer.h index 77579e3..9661ceb 100644 --- a/src/openvpn/ring_buffer.h +++ b/src/openvpn/ring_buffer.h @@ -94,7 +94,7 @@ struct TUN_PACKET * that data has been written to receive ring * @return true if registration is successful, false otherwise - use GetLastError() */ -static bool +static inline bool register_ring_buffers(HANDLE device, struct tun_ring *send_ring, struct tun_ring *receive_ring, diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 31d94f2..27fb66a 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -65,6 +65,10 @@ #include <openssl/ec.h> #endif +#if defined(_MSC_VER) && !defined(_M_ARM64) +#include <openssl/applink.c> +#endif + /* * Allocate space in SSL objects in which to store a struct tls_session * pointer back to parent. diff --git a/src/openvpn/ssl_openssl.h b/src/openvpn/ssl_openssl.h index 2eeb716..46338c2 100644 --- a/src/openvpn/ssl_openssl.h +++ b/src/openvpn/ssl_openssl.h @@ -54,6 +54,4 @@ struct key_state_ssl { */ extern int mydata_index; /* GLOBAL */ -void openssl_set_mydata_index(void); - #endif /* SSL_OPENSSL_H_ */ diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c index 4f3b61d..0ccd43d 100644 --- a/src/openvpn/ssl_verify.c +++ b/src/openvpn/ssl_verify.c 
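Review bot: The new `#include <openssl/applink.c>` in ssl_openssl.c pulls a C source file into this translation unit with no comment on why it is needed or why ARM64 is excluded. A short comment above the guard would keep a later cleanup from removing it, e.g. `/* MSVC builds: provide OPENSSL_Applink so OpenSSL's FILE-based I/O goes through this binary's C runtime */`. The reason for `!defined(_M_ARM64)` should be recorded by someone who knows it, since it cannot be derived from the hunk. Because the file defines a symbol, the comment should also say that it must be included in exactly one source file.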
@@ -116,6 +116,8 @@ set_common_name(struct tls_session *session, const char *common_name) } #endif } + /* update common name in env */ + setenv_str(session->opt->es, "common_name", common_name); } /* diff --git a/src/openvpn/tun.c b/src/openvpn/tun.c index 512ccba..db8fdec 100644 --- a/src/openvpn/tun.c +++ b/src/openvpn/tun.c @@ -6388,14 +6388,7 @@ tuntap_dhcp_mask(const struct tuntap *tt, const char *device_guid) { if (tt->topology == TOP_SUBNET) { - if (tt->options.dhcp_masq_custom_offset) - { - ep[2] = dhcp_masq_addr(tt->local, tt->remote_netmask, tt->options.dhcp_masq_offset); - } - else - { - ep[2] = dhcp_masq_addr(tt->local, tt->remote_netmask, -1); - } + ep[2] = dhcp_masq_addr(tt->local, tt->remote_netmask, tt->options.dhcp_masq_custom_offset ? tt->options.dhcp_masq_offset : 0); } else { diff --git a/src/openvpn/win32.c b/src/openvpn/win32.c index 6cff17b..920a3b3 100644 --- a/src/openvpn/win32.c +++ b/src/openvpn/win32.c @@ -101,6 +101,12 @@ struct semaphore netcmd_semaphore; /* GLOBAL */ */ static char *win_sys_path = NULL; /* GLOBAL */ +/** + * Set OpenSSL environment variables to a safe directory + */ +static void +set_openssl_env_vars(); + void init_win32(void) { @@ -110,6 +116,8 @@ init_win32(void) } window_title_clear(&window_title); win32_signal_clear(&win32_signal); + + set_openssl_env_vars(); } void 
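Review bot: The added `setenv_str(session->opt->es, "common_name", common_name);` appears to sit after the closing brace of the block that handles a non-NULL name, so it would also run when `common_name` is NULL. Whether `setenv_str` then unsets the variable or stores something else is not visible here and should be stated. The value originates from the peer and ends up in the environment of scripts, so the comment should carry both facts, e.g. `/* update common name in env; peer-supplied value, NULL is expected to clear it */`. The body of `set_common_name()` starts outside the hunk.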
@@ -1509,4 +1517,84 @@ send_msg_iservice(HANDLE pipe, const void *data, size_t size, return ret; } +bool +openvpn_swprintf(wchar_t *const str, const size_t size, const wchar_t *const format, ...) +{ + va_list arglist; + int len = -1; + if (size > 0) + { + va_start(arglist, format); + len = vswprintf(str, size, format, arglist); + va_end(arglist); + str[size - 1] = L'\0'; + } + return (len >= 0 && len < size); +} + +static BOOL +get_install_path(WCHAR *path, DWORD size) +{ + WCHAR reg_path[256]; + HKEY key; + BOOL res = FALSE; + openvpn_swprintf(reg_path, _countof(reg_path), L"SOFTWARE\\" PACKAGE_NAME); + + LONG status = RegOpenKeyExW(HKEY_LOCAL_MACHINE, reg_path, 0, KEY_READ, &key); + if (status != ERROR_SUCCESS) + { + return res; + } + + /* The default value of REG_KEY is the install path */ + status = RegGetValueW(key, NULL, NULL, RRF_RT_REG_SZ, NULL, (LPBYTE)path, &size); + res = status == ERROR_SUCCESS; + + RegCloseKey(key); + + return res; +} + +static void +set_openssl_env_vars() +{ + const WCHAR *ssl_fallback_dir = L"C:\\Windows\\System32"; + + WCHAR install_path[MAX_PATH] = { 0 }; + if (!get_install_path(install_path, _countof(install_path))) + { + /* if we cannot find installation path from the registry, + * use Windows directory as a fallback + */ + openvpn_swprintf(install_path, _countof(install_path), L"%ls", ssl_fallback_dir); + } + + if ((install_path[wcslen(install_path) - 1]) == L'\\') + { + install_path[wcslen(install_path) - 1] = L'\0'; + } + + static struct { + WCHAR *name; + WCHAR *value; + } ossl_env[] = { + {L"OPENSSL_CONF", L"openssl.cnf"}, + {L"OPENSSL_ENGINES", L"engines"}, + {L"OPENSSL_MODULES", L"modules"} + }; + + for (size_t i = 0; i < SIZE(ossl_env); ++i) + { + size_t size = 0; + + _wgetenv_s(&size, NULL, 0, ossl_env[i].name); + if (size == 0) + { + WCHAR val[MAX_PATH] = {0}; + openvpn_swprintf(val, _countof(val), L"%ls\\ssl\\%ls", install_path, ossl_env[i].value); + _wputenv_s(ossl_env[i].name, val); + } + } +} + #endif /* ifdef 
_WIN32 */ diff --git a/src/openvpn/win32.h b/src/openvpn/win32.h index 5d3371a..5c3bcc3 100644 --- a/src/openvpn/win32.h +++ b/src/openvpn/win32.h @@ -327,7 +327,13 @@ bool send_msg_iservice(HANDLE pipe, const void *data, size_t size, int openvpn_execve(const struct argv *a, const struct env_set *es, const unsigned int flags); -bool impersonate_as_system(); +/* + * openvpn_swprintf() is currently only used by Windows code paths + * and when enabled for all platforms it will currently break older + * OpenBSD versions lacking vswprintf(3) support in their libc. + */ +bool +openvpn_swprintf(wchar_t *const str, const size_t size, const wchar_t *const format, ...); #endif /* ifndef OPENVPN_WIN32_H */ #endif /* ifdef _WIN32 */ diff --git a/src/openvpnmsica/openvpnmsica-Release.props b/src/openvpnmsica/openvpnmsica-Release.props index 848fda8..47727b3 100644 --- a/src/openvpnmsica/openvpnmsica-Release.props +++ b/src/openvpnmsica/openvpnmsica-Release.props @@ -8,6 +8,7 @@ <ItemDefinitionGroup> <ClCompile> <RuntimeLibrary>MultiThreaded</RuntimeLibrary> + <ControlFlowGuard>Guard</ControlFlowGuard> </ClCompile> </ItemDefinitionGroup> <ItemGroup /> diff --git a/src/openvpnmsica/openvpnmsica.vcxproj b/src/openvpnmsica/openvpnmsica.vcxproj index c39b124..11aa78b 100644 --- a/src/openvpnmsica/openvpnmsica.vcxproj +++ b/src/openvpnmsica/openvpnmsica.vcxproj 
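Review bot: In `set_openssl_env_vars()` the trailing-backslash check indexes `install_path[wcslen(install_path) - 1]`, which is out of bounds when the string is empty. That can happen when `RegGetValueW` succeeds on an empty default value, and the index then wraps. Take the length once and guard it, `size_t len = wcslen(install_path);` then `if (len > 0 && install_path[len - 1] == L'\\') install_path[len - 1] = L'\0';`, and treat an empty result like the not-found case so the fallback directory is used. Separately, `get_install_path()` receives `_countof(install_path)` and passes it as the data size to `RegGetValueW`, which counts bytes, so only half the buffer is usable and longer install paths fall through to the fallback; passing `sizeof(install_path)` would match the API. The return value of `openvpn_swprintf` is also ignored, so a truncated path would be exported unchanged.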
@@ -40,18 +40,21 @@ <PlatformToolset>v142</PlatformToolset> <CharacterSet>Unicode</CharacterSet> <WindowsSDKDesktopARM64Support>true</WindowsSDKDesktopARM64Support> + <SpectreMitigation>Spectre</SpectreMitigation> </PropertyGroup> <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration"> <ConfigurationType>DynamicLibrary</ConfigurationType> <UseDebugLibraries>true</UseDebugLibraries> <PlatformToolset>v142</PlatformToolset> <CharacterSet>Unicode</CharacterSet> + <SpectreMitigation>Spectre</SpectreMitigation> </PropertyGroup> <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration"> <ConfigurationType>DynamicLibrary</ConfigurationType> <UseDebugLibraries>true</UseDebugLibraries> <PlatformToolset>v142</PlatformToolset> <CharacterSet>Unicode</CharacterSet> + <SpectreMitigation>Spectre</SpectreMitigation> </PropertyGroup> <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'" Label="Configuration"> <ConfigurationType>DynamicLibrary</ConfigurationType> @@ -60,6 +63,7 @@ <WholeProgramOptimization>true</WholeProgramOptimization> <CharacterSet>Unicode</CharacterSet> <WindowsSDKDesktopARM64Support>true</WindowsSDKDesktopARM64Support> + <SpectreMitigation>Spectre</SpectreMitigation> </PropertyGroup> <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration"> <ConfigurationType>DynamicLibrary</ConfigurationType> @@ -67,6 +71,7 @@ <PlatformToolset>v142</PlatformToolset> <WholeProgramOptimization>true</WholeProgramOptimization> <CharacterSet>Unicode</CharacterSet> + <SpectreMitigation>Spectre</SpectreMitigation> </PropertyGroup> <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration"> <ConfigurationType>DynamicLibrary</ConfigurationType> 
@@ -74,6 +79,7 @@ <PlatformToolset>v142</PlatformToolset> <WholeProgramOptimization>true</WholeProgramOptimization> <CharacterSet>Unicode</CharacterSet> + <SpectreMitigation>Spectre</SpectreMitigation> </PropertyGroup> <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" /> <ImportGroup Label="ExtensionSettings"> diff --git a/src/openvpnserv/openvpnserv.vcxproj b/src/openvpnserv/openvpnserv.vcxproj index bcf9d25..520242f 100644 --- a/src/openvpnserv/openvpnserv.vcxproj +++ b/src/openvpnserv/openvpnserv.vcxproj 
@@ -38,33 +38,39 @@ <CharacterSet>Unicode</CharacterSet> <WholeProgramOptimization>true</WholeProgramOptimization> <PlatformToolset>v142</PlatformToolset> + <SpectreMitigation>Spectre</SpectreMitigation> </PropertyGroup> <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration"> <ConfigurationType>Application</ConfigurationType> <CharacterSet>Unicode</CharacterSet> <WholeProgramOptimization>true</WholeProgramOptimization> <PlatformToolset>v142</PlatformToolset> + <SpectreMitigation>Spectre</SpectreMitigation> </PropertyGroup> <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'" Label="Configuration"> <ConfigurationType>Application</ConfigurationType> <CharacterSet>Unicode</CharacterSet> <WholeProgramOptimization>true</WholeProgramOptimization> <PlatformToolset>v142</PlatformToolset> + <SpectreMitigation>Spectre</SpectreMitigation> </PropertyGroup> <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration"> <ConfigurationType>Application</ConfigurationType> <CharacterSet>Unicode</CharacterSet> <PlatformToolset>v142</PlatformToolset> + <SpectreMitigation>Spectre</SpectreMitigation> </PropertyGroup> <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration"> <ConfigurationType>Application</ConfigurationType> <CharacterSet>Unicode</CharacterSet> <PlatformToolset>v142</PlatformToolset> + <SpectreMitigation>Spectre</SpectreMitigation> </PropertyGroup> <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'" Label="Configuration"> <ConfigurationType>Application</ConfigurationType> <CharacterSet>Unicode</CharacterSet> <PlatformToolset>v142</PlatformToolset> + <SpectreMitigation>Spectre</SpectreMitigation> </PropertyGroup> <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" /> <ImportGroup Label="ExtensionSettings"> 
diff --git a/src/plugins/down-root/README.down-root b/src/plugins/down-root/README.down-root index d337ffe..98a3ee6 100644 --- a/src/plugins/down-root/README.down-root +++ b/src/plugins/down-root/README.down-root @@ -16,13 +16,13 @@ run in the same execution environment as the up script. BUILD Build this module with the "make" command. The plugin -module will be named openvpn-down-root.so +module will be named openvpn-plugin-down-root.so USAGE To use this module, add to your OpenVPN config file: - plugin openvpn-down-root.so "command ..." + plugin openvpn-plugin-down-root.so "command ..." CAVEATS diff --git a/src/tapctl/tapctl.vcxproj b/src/tapctl/tapctl.vcxproj index ad96f02..79da9d3 100644 --- a/src/tapctl/tapctl.vcxproj +++ b/src/tapctl/tapctl.vcxproj @@ -40,18 +40,21 @@ <PlatformToolset>v142</PlatformToolset> <CharacterSet>Unicode</CharacterSet> <WindowsSDKDesktopARM64Support>true</WindowsSDKDesktopARM64Support> + <SpectreMitigation>Spectre</SpectreMitigation> </PropertyGroup> <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration"> <ConfigurationType>Application</ConfigurationType> <UseDebugLibraries>true</UseDebugLibraries> <PlatformToolset>v142</PlatformToolset> <CharacterSet>Unicode</CharacterSet> + <SpectreMitigation>Spectre</SpectreMitigation> </PropertyGroup> <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration"> <ConfigurationType>Application</ConfigurationType> <UseDebugLibraries>true</UseDebugLibraries> <PlatformToolset>v142</PlatformToolset> <CharacterSet>Unicode</CharacterSet> + <SpectreMitigation>Spectre</SpectreMitigation> </PropertyGroup> <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'" Label="Configuration"> <ConfigurationType>Application</ConfigurationType> 
@@ -60,6 +63,7 @@ <WholeProgramOptimization>true</WholeProgramOptimization> <CharacterSet>Unicode</CharacterSet> <WindowsSDKDesktopARM64Support>true</WindowsSDKDesktopARM64Support> + <SpectreMitigation>Spectre</SpectreMitigation> </PropertyGroup> <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration"> <ConfigurationType>Application</ConfigurationType> @@ -67,6 +71,7 @@ <PlatformToolset>v142</PlatformToolset> <WholeProgramOptimization>true</WholeProgramOptimization> <CharacterSet>Unicode</CharacterSet> + <SpectreMitigation>Spectre</SpectreMitigation> </PropertyGroup> <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration"> <ConfigurationType>Application</ConfigurationType> @@ -74,6 +79,7 @@ <PlatformToolset>v142</PlatformToolset> <WholeProgramOptimization>true</WholeProgramOptimization> <CharacterSet>Unicode</CharacterSet> + <SpectreMitigation>Spectre</SpectreMitigation> </PropertyGroup> <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" /> <ImportGroup Label="ExtensionSettings"> diff --git a/tests/t_lpback.sh b/tests/t_lpback.sh index 6206899..6795299 100755 --- a/tests/t_lpback.sh +++ b/tests/t_lpback.sh @@ -35,13 +35,18 @@ CIPHERS=$(${top_builddir}/src/openvpn/openvpn --show-ciphers | \ # GD, 2014-07-06 do not test RC5-* either (fails on NetBSD w/o libcrypto_rc5) CIPHERS=$(echo "$CIPHERS" | egrep -v '^(DES-EDE3-CFB1|DES-CFB1|RC5-)' ) +e=0 +if [ -z "$CIPHERS" ] ; then + echo "'openvpn --show-ciphers' FAILED (empty list)" + e=1 +fi + # Also test cipher 'none' CIPHERS=${CIPHERS}$(printf "\nnone") "${top_builddir}/src/openvpn/openvpn" --genkey secret key.$$ set +e -e=0 for cipher in ${CIPHERS} do printf "Testing cipher ${cipher}... " diff --git a/tests/unit_tests/openvpn/test_argv.c b/tests/unit_tests/openvpn/test_argv.c index 3dc470a..ea0d367 100644 --- a/tests/unit_tests/openvpn/test_argv.c +++ b/tests/unit_tests/openvpn/test_argv.c 
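Review bot: The added `[ -z "$CIPHERS" ]` test in tests/t_lpback.sh only catches an empty list, because `CIPHERS` is filled from a pipeline (its start is visible in the hunk header) and the shell reports the exit status of the last filter, not of `openvpn --show-ciphers`. A crash after some ciphers have already been printed would therefore still pass this check. Capturing the output first makes the exit status testable: `ALL=$("${top_builddir}/src/openvpn/openvpn" --show-ciphers) || e=1`, with the filters then run on `"$ALL"`; this has to come after the new `e=0`. The assignment and the `for` loop both extend outside the hunk.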
@@ -267,6 +267,7 @@ main(void) cmocka_unit_test(argv_str__empty_argv__empty_output), cmocka_unit_test(argv_str__multiple_argv__correct_output), cmocka_unit_test(argv_insert_head__non_empty_argv__head_added), + cmocka_unit_test(argv_insert_head__empty_argv__head_only), }; return cmocka_run_group_tests_name("argv", tests, NULL, NULL); diff --git a/tests/unit_tests/openvpn/test_ncp.c b/tests/unit_tests/openvpn/test_ncp.c index 494a028..bcafd23 100644 --- a/tests/unit_tests/openvpn/test_ncp.c +++ b/tests/unit_tests/openvpn/test_ncp.c @@ -49,6 +49,7 @@ test_check_ncp_ciphers_list(void **state) { struct gc_arena gc = gc_new(); bool have_chacha = cipher_kt_get("CHACHA20-POLY1305"); + bool have_blowfish = cipher_kt_get("BF-CBC"); assert_string_equal(mutate_ncp_cipher_list("none", &gc), "none"); assert_string_equal(mutate_ncp_cipher_list("AES-256-GCM:none", &gc), @@ -56,7 +57,7 @@ test_check_ncp_ciphers_list(void **state) assert_string_equal(mutate_ncp_cipher_list(aes_ciphers, &gc), aes_ciphers); - if (have_chacha) + if (have_chacha && have_blowfish) { assert_string_equal(mutate_ncp_cipher_list(bf_chacha, &gc), bf_chacha); assert_string_equal(mutate_ncp_cipher_list("BF-CBC:CHACHA20-POLY1305", &gc), @@ -89,8 +90,11 @@ test_check_ncp_ciphers_list(void **state) assert_string_equal(mutate_ncp_cipher_list("id-aes128-GCM:id-aes256-GCM", &gc), "AES-128-GCM:AES-256-GCM"); #else - assert_string_equal(mutate_ncp_cipher_list("BLOWFISH-CBC", - &gc), "BF-CBC"); + if (have_blowfish) + { + assert_string_equal(mutate_ncp_cipher_list("BLOWFISH-CBC", + &gc), "BF-CBC"); + } #endif gc_free(&gc); } 
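Review bot: With the new `have_blowfish` guard in `test_check_ncp_ciphers_list`, the `BLOWFISH-CBC` alias assertion in the `#else` branch is skipped without any trace when the library lacks BF-CBC, and the declaration carries no comment saying why that can happen. I would add `/* BF-CBC can be unavailable in the crypto library; BF-dependent checks are skipped then */` above `bool have_blowfish = ...` and report the skip, e.g. `else { print_message("BF-CBC not available, alias check skipped\n"); }`. The same silence applies to the combined `have_chacha && have_blowfish` condition in the second test_ncp.c hunk, whose other branch is outside the visible lines. The function body is only partly covered by these hunks.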
@@ -3,12 +3,12 @@ define([PRODUCT_NAME], [OpenVPN]) define([PRODUCT_TARNAME], [openvpn]) define([PRODUCT_VERSION_MAJOR], [2]) define([PRODUCT_VERSION_MINOR], [5]) -define([PRODUCT_VERSION_PATCH], [.4]) +define([PRODUCT_VERSION_PATCH], [.5]) m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MAJOR]) m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MINOR], [[.]]) m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_PATCH], [[]]) define([PRODUCT_BUGREPORT], [openvpn-users@lists.sourceforge.net]) -define([PRODUCT_VERSION_RESOURCE], [2,5,4,0]) +define([PRODUCT_VERSION_RESOURCE], [2,5,5,0]) dnl define the TAP version define([PRODUCT_TAP_WIN_COMPONENT_ID], [tap0901]) define([PRODUCT_TAP_WIN_MIN_MAJOR], [9]) |