diff options
72 files changed, 790 insertions, 1929 deletions
@@ -51,10 +51,9 @@ msvc-env-local.bat config-msvc-local.h config-msvc-version.h doc/openvpn.8.html -distro/rpm/openvpn.spec distro/systemd/*.service sample/sample-keys/sample-ca/ -vendor/.build +vendor/cmocka_build vendor/dist build/msvc/msvc-generate/version.m4 @@ -1,6 +1,67 @@ OpenVPN Change Log Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net> +2019.10.30 -- Version 2.4.8 +Antonio Quartulli (1): + mbedtls: fix segfault by calling mbedtls_cipher_free() in cipher_ctx_free() + +Arne Schwabe (1): + Remove -no-cpp-precomp flag from Darwin builds + +David Sommerseth (3): + cleanup: Remove RPM openvpn.spec build approach + docs: Update INSTALL + build: Package missing mock_msg.h + +Gert Doering (4): + repair windows builds (2.4) + Increase listen() backlog queue to 32 + Force combinationation of --socks-proxy and --proto UDP to use IPv4. + Fix IPv6 routes on tap interfaces on OpenSolaris/OpenIndiana + +Gisle Vanem (1): + Wrong FILETYPE in .rc files + +Hilko Bengen (1): + Do not set pkcs11-helper 'safe fork mode' + +Ilya Shipitsin (2): + travis-ci: add "linux-ppc64le" to build matrix, change trusty image to xenial, update osx to xcode9.4 and modernize brew management + travis-ci: fix osx builds + +Kyle Evans (1): + tests/t_lpback.sh: Switch sed(1) to POSIX-compatible regex. + +Lev Stipakov (1): + Fix various compiler warnings + +Matthias Andree (1): + Fix regression, reinstate LibreSSL support. + +Michal Soltys (1): + man: correct the description of --capath and --crl-verify regarding CRLs + +Mykola Baibuz (1): + Fix typo in NTLM proxy debug message + +Richard Bonhomme (1): + Ignore --pull-filter for --mode server + +Rosen Penev (1): + openssl: Fix compilation without deprecated OpenSSL 1.1 APIs + +Selva Nair (3): + Better error message when script fails due to script-security setting + Correct the return value of cryptoapi RSA signature callbacks + Handle PSS padding in cryptoapicert + +Steffan Karger (1): + cmocka: use relative paths + +Thomas Quinot (1): + Fix documentation of tls-verify script argument + + 2019.02.18 -- Version 2.4.7 Adam Ciarcin?ski (1): Fix subnet topology on NetBSD (2.4). diff --git a/Changes.rst b/Changes.rst index 21960f5..65d1eb3 100644 --- a/Changes.rst +++ b/Changes.rst @@ -321,6 +321,48 @@ Maintainer-visible changes i386/i686 builds on RHEL5. +Version 2.4.8 +============= +This is primarily a maintenance release with minor bugfixes and improvements. + +New features +------------ +- Support compiling with OpenSSL 1.1 without deprecated APIs + +- handle PSS padding in cryptoapicert (necessary for TLS >= 1.2) + + +User visible changes +-------------------- +- do not abort when hitting the combination of "--pull-filter" and + "--mode server" (this got hit when starting OpenVPN servers using + the windows GUI which installs a pull-filter to force ip-win32) + +- increase listen() backlog queue to 32 (improve response behaviour + on openvpn servers using TCP that get portscanned) + +- fix and enhance documentation (INSTALL, man page, ...) + + +Bug fixes +--------- +- the combination "IPv6 and proto UDP and SOCKS proxy" did not work - as + a workaround, force IPv4 in this case until a full implementation for + IPv6-UDP-SOCKS can be made. + +- fix IPv6 routes on tap interfaces on OpenSolaris/OpenIndiana + +- fix building with LibreSSL + +- do not set pkcs11-helper 'safe fork mode' (should fix PIN querying in + systemd environments) + +- repair windows builds + +- repair Darwin builds (remove -no-cpp-precomp flag) + + + Version 2.4.7 ============= This is primarily a maintenance release with minor bugfixes and improvements. @@ -1,6 +1,6 @@ Installation instructions for OpenVPN, a Secure Tunneling Daemon -Copyright (C) 2002-2018 OpenVPN Inc. This program is free software; +Copyright (C) 2002-2019 OpenVPN Inc. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License version 2 as published by the Free Software Foundation. @@ -10,25 +10,29 @@ as published by the Free Software Foundation. QUICK START: Unix: - ./configure && make && make-install + ./configure && make && make install ************************************************************************* -To download OpenVPN, go to: +To download OpenVPN source code of releases, go to: - http://openvpn.net/download.html + https://openvpn.net/community-downloads/ OpenVPN releases are also available as Debian/RPM packages: https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos -To download easy-rsa go to: +OpenVPN development versions can be found here: - https://github.com/OpenVPN/easy-rsa + https://github.com/OpenVPN/openvpn + https://gitlab.com/OpenVPN/openvpn + https://sourceforge.net/p/openvpn/openvpn/ci/master/tree/ -To download tap-windows (NDIS 5) driver source code go to: +They should all be in sync at any time. - https://github.com/OpenVPN/tap-windows +To download easy-rsa go to: + + https://github.com/OpenVPN/easy-rsa To download tap-windows (NDIS 6) driver source code go to: @@ -40,15 +44,11 @@ To get the cross-compilation environment go to: For step-by-step instructions with real-world examples see: - http://openvpn.net/howto.html + https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN https://community.openvpn.net/openvpn/wiki + https://openvpn.net/community-resources/ -For examples see: - - http://openvpn.net/examples.html - -Also see the man page for more information, usage examples, and information on -firewall configuration. +Also see the man page for more information. ************************************************************************* @@ -100,11 +100,12 @@ CHECK OUT SOURCE FROM SOURCE REPOSITORY: Clone the repository: git clone https://github.com/OpenVPN/openvpn + git clone https://gitlab.com/OpenVPN/openvpn git clone git://openvpn.git.sourceforge.net/gitroot/openvpn/openvpn Check out stable version: - git checkout -b 2.2 remotes/origin/release/2.2 + git checkout release/2.4 Check out master (unstable) branch: @@ -134,7 +135,7 @@ BUILD A TARBALL FROM SOURCE REPOSITORY CHECKOUT: autoreconf -i -v -f ./configure - make dist + make distcheck ************************************************************************* @@ -160,24 +161,19 @@ environment. See tests/t_client.rc-sample for details. OPTIONS for ./configure: --disable-lzo disable LZO compression support [default=yes] - --enable-lzo-stub don't compile LZO compression support but still - allow limited interoperability with LZO-enabled - peers [default=no] + --disable-lz4 Disable LZ4 compression support + --enable-comp-stub Don't compile compression support but still allow limited interoperability with compression-enabled peers --disable-crypto disable crypto support [default=yes] - --disable-ssl disable SSL support for TLS-based key exchange + --disable-ofb-cfb disable support for OFB and CFB cipher modes [default=yes] --enable-x509-alt-username enable the --x509-username-field feature [default=no] - --disable-multi disable client/server support (--mode server + - client mode) [default=yes] --disable-server disable server support only (but retain client support) [default=yes] --disable-plugins disable plug-in support [default=yes] --disable-management disable management server support [default=yes] --enable-pkcs11 enable pkcs11 support [default=no] - --disable-socks disable Socks support [default=yes] - --disable-http-proxy disable HTTP proxy support [default=yes] --disable-fragment disable internal fragmentation support (--fragment) [default=yes] --disable-multihome disable multi-homed UDP server support (--multihome) @@ -187,73 +183,112 @@ OPTIONS for ./configure: --disable-debug disable debugging support (disable gremlin and verb 7+ messages) [default=yes] --enable-small enable smaller executable size (disable OCC, usage - message, and verb 4 parm list) [default=yes] - --enable-password-save allow --askpass and --auth-user-pass passwords to be - read from a file [default=yes] + message, and verb 4 parm list) [default=no] --enable-iproute2 enable support for iproute2 [default=no] --disable-def-auth disable deferred authentication [default=yes] --disable-pf disable internal packet filter [default=yes] + --disable-plugin-auth-pam + disable auth-pam plugin [default=platform specific] + --disable-plugin-down-root + disable down-root plugin [default=platform specific] + --enable-pam-dlopen dlopen libpam [default=no] --enable-strict enable strict compiler warnings (debugging option) [default=no] --enable-pedantic enable pedantic compiler warnings, will not generate a working executable (debugging option) [default=no] + --enable-werror promote compiler warnings to errors, will cause + builds to fail if the compiler issues warnings + (debugging option) [default=no] --enable-strict-options enable strict options check between peers (debugging option) [default=no] --enable-selinux enable SELinux support [default=no] - --enable-systemd enable systemd suppport [default=no] + --enable-systemd enable systemd support [default=no] + --enable-async-push enable async-push support for plugins providing + deferred authentication [default=no] ENVIRONMENT for ./configure: + PLUGINDIR Path of plug-in directory [default=LIBDIR/openvpn/plugins] IFCONFIG full path to ipconfig utility ROUTE full path to route utility IPROUTE full path to ip utility NETSTAT path to netstat utility MAN2HTML path to man2html utility GIT path to git utility + SYSTEMD_ASK_PASSWORD + path to systemd-ask-password utility + SYSTEMD_UNIT_DIR + Path of systemd unit directory [default=LIBDIR/systemd/system] + TMPFILES_DIR + Path of tmpfiles directory [default=LIBDIR/tmpfiles.d] + +ENVIRONMENT variables adjusting parameters related to dependencies + TAP_CFLAGS C compiler flags for tap - OPENSSL_CFLAGS - C compiler flags for OpenSSL, overriding pkg-config - OPENSSL_LIBS - linker flags for OpenSSL, overriding pkg-config - POLARSSL_CFLAGS - C compiler flags for polarssl - POLARSSL_LIBS - linker flags for polarssl - LZO_CFLAGS C compiler flags for lzo - LZO_LIBS linker flags for lzo + LIBPAM_CFLAGS + C compiler flags for libpam + LIBPAM_LIBS linker flags for libpam PKCS11_HELPER_CFLAGS C compiler flags for PKCS11_HELPER, overriding pkg-config PKCS11_HELPER_LIBS linker flags for PKCS11_HELPER, overriding pkg-config + OPENSSL_CFLAGS + C compiler flags for OpenSSL + OPENSSL_LIBS + linker flags for OpenSSL + MBEDTLS_CFLAGS + C compiler flags for mbedtls + MBEDTLS_LIBS + linker flags for mbedtls + LZO_CFLAGS C compiler flags for lzo + LZO_LIBS linker flags for lzo + LZ4_CFLAGS C compiler flags for lz4 + LZ4_LIBS linker flags for lz4 + libsystemd_CFLAGS + C compiler flags for libsystemd, overriding pkg-config + libsystemd_LIBS + linker flags for libsystemd, overriding pkg-config + P11KIT_CFLAGS + C compiler flags for P11KIT, overriding pkg-config + P11KIT_LIBS linker flags for P11KIT, overriding pkg-config ************************************************************************* -BUILDING ON LINUX 2.6+ FROM RPM +Linux distribution packaging: + +Each Linux distribution has their own way of doing packaging and their +own set of guidelines of how proper packaging should be done. It +is therefore recommended to reach out to the Linux distributions you +want to have OpenVPN packaged for directly. The OpenVPN project wants +to focus more on the OpenVPN development and less on the packaging +and how packaging is done in all various distributions. + +For more details: -You can build a binary RPM directly from the OpenVPN tarball file: +* Arch Linux + https://www.archlinux.org/packages/?name=openvpn - rpmbuild -tb [tarball] +* Debian + https://packages.debian.org/search?keywords=openvpn&searchon=names + https://tracker.debian.org/pkg/openvpn -This command will build a binary RPM file and place it in the system -RPM directory. You can then install the RPM with the standard RPM -install command: +* Fedora / Fedora EPEL (Red Hat Enterprise Linux/CentOS/Scientific Linux) + https://apps.fedoraproject.org/packages/openvpn/overview/ + https://src.fedoraproject.org/rpms/openvpn - rpm -ivh [binary-rpm] +* Gentoo + https://packages.gentoo.org/packages/net-vpn/openvpn + https://gitweb.gentoo.org/repo/gentoo.git/tree/net-vpn/openvpn -When you install the binary RPM, it will install -sample-scripts/openvpn.init, which can be used to -automatically start or stop one or more OpenVPN tunnels on system -startup or shutdown, based on OpenVPN .conf files in /etc/openvpn. -See the comments in openvpn.init for more information. +* openSUSE + https://build.opensuse.org/package/show/network:vpn/openvpn -Installing the RPM will also configure the TUN/TAP device node -for linux 2.6. +* Ubuntu + https://packages.ubuntu.com/search?keywords=openvpn -Note that the current openvpn.spec file, which instructs the rpm tool -how to build a package, will build OpenVPN with all options enabled, -including OpenSSL, LZO, and pthread linkage. Therefore all of -these packages will need to be present prior to the RPM build, unless -you edit the openvpn.spec file. +In addition, the OpenVPN community provides a best-effort APT repository +for Debian and Ubuntu: +https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos ************************************************************************* diff --git a/Makefile.in b/Makefile.in index 19ebefd..e8e891e 100644 --- a/Makefile.in +++ b/Makefile.in @@ -384,9 +384,6 @@ TAP_WIN_MIN_MINOR = @TAP_WIN_MIN_MINOR@ TEST_CFLAGS = @TEST_CFLAGS@ TEST_LDFLAGS = @TEST_LDFLAGS@ TMPFILES_DIR = @TMPFILES_DIR@ -VENDOR_BUILD_ROOT = @VENDOR_BUILD_ROOT@ -VENDOR_DIST_ROOT = @VENDOR_DIST_ROOT@ -VENDOR_SRC_ROOT = @VENDOR_SRC_ROOT@ VERSION = @VERSION@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ diff --git a/build/Makefile.in b/build/Makefile.in index f4a32b2..e6ecafb 100644 --- a/build/Makefile.in +++ b/build/Makefile.in @@ -313,9 +313,6 @@ TAP_WIN_MIN_MINOR = @TAP_WIN_MIN_MINOR@ TEST_CFLAGS = @TEST_CFLAGS@ TEST_LDFLAGS = @TEST_LDFLAGS@ TMPFILES_DIR = @TMPFILES_DIR@ -VENDOR_BUILD_ROOT = @VENDOR_BUILD_ROOT@ -VENDOR_DIST_ROOT = @VENDOR_DIST_ROOT@ -VENDOR_SRC_ROOT = @VENDOR_SRC_ROOT@ VERSION = @VERSION@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ diff --git a/build/msvc/Makefile.in b/build/msvc/Makefile.in index c4abcbd..ac18cae 100644 --- a/build/msvc/Makefile.in +++ b/build/msvc/Makefile.in @@ -314,9 +314,6 @@ TAP_WIN_MIN_MINOR = @TAP_WIN_MIN_MINOR@ TEST_CFLAGS = @TEST_CFLAGS@ TEST_LDFLAGS = @TEST_LDFLAGS@ TMPFILES_DIR = @TMPFILES_DIR@ -VENDOR_BUILD_ROOT = @VENDOR_BUILD_ROOT@ -VENDOR_DIST_ROOT = @VENDOR_DIST_ROOT@ -VENDOR_SRC_ROOT = @VENDOR_SRC_ROOT@ VERSION = @VERSION@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ diff --git a/build/msvc/msvc-generate/Makefile.in b/build/msvc/msvc-generate/Makefile.in index 01ecc6f..867e37f 100644 --- a/build/msvc/msvc-generate/Makefile.in +++ b/build/msvc/msvc-generate/Makefile.in @@ -257,9 +257,6 @@ TAP_WIN_MIN_MINOR = @TAP_WIN_MIN_MINOR@ TEST_CFLAGS = @TEST_CFLAGS@ TEST_LDFLAGS = @TEST_LDFLAGS@ TMPFILES_DIR = @TMPFILES_DIR@ -VENDOR_BUILD_ROOT = @VENDOR_BUILD_ROOT@ -VENDOR_DIST_ROOT = @VENDOR_DIST_ROOT@ -VENDOR_SRC_ROOT = @VENDOR_SRC_ROOT@ VERSION = @VERSION@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ diff --git a/config.h.in b/config.h.in index 8a267d6..b8a48d5 100644 --- a/config.h.in +++ b/config.h.in @@ -223,6 +223,9 @@ /* Define to 1 if you have the `EVP_aes_256_gcm' function. */ #undef HAVE_EVP_AES_256_GCM +/* Define to 1 if you have the `EVP_CIPHER_CTX_reset' function. */ +#undef HAVE_EVP_CIPHER_CTX_RESET + /* Define to 1 if you have the `EVP_CIPHER_CTX_set_key_length' function. */ #undef HAVE_EVP_CIPHER_CTX_SET_KEY_LENGTH @@ -686,6 +689,12 @@ /* Define to 1 if you have the <ws2tcpip.h> header file. */ #undef HAVE_WS2TCPIP_H +/* Define to 1 if you have the `X509_get0_notAfter' function. */ +#undef HAVE_X509_GET0_NOTAFTER + +/* Define to 1 if you have the `X509_get0_notBefore' function. */ +#undef HAVE_X509_GET0_NOTBEFORE + /* Define to 1 if you have the `X509_get0_pubkey' function. */ #undef HAVE_X509_GET0_PUBKEY @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for OpenVPN 2.4.7. +# Generated by GNU Autoconf 2.69 for OpenVPN 2.4.8. # # Report bugs to <openvpn-users@lists.sourceforge.net>. # @@ -590,8 +590,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='OpenVPN' PACKAGE_TARNAME='openvpn' -PACKAGE_VERSION='2.4.7' -PACKAGE_STRING='OpenVPN 2.4.7' +PACKAGE_VERSION='2.4.8' +PACKAGE_STRING='OpenVPN 2.4.8' PACKAGE_BUGREPORT='openvpn-users@lists.sourceforge.net' PACKAGE_URL='' @@ -641,9 +641,6 @@ CMOCKA_INITIALIZED_TRUE CMAKE TEST_CFLAGS TEST_LDFLAGS -VENDOR_DIST_ROOT -VENDOR_BUILD_ROOT -VENDOR_SRC_ROOT tmpfilesdir systemdunitdir sampledir @@ -1454,7 +1451,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures OpenVPN 2.4.7 to adapt to many kinds of systems. +\`configure' configures OpenVPN 2.4.8 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1524,7 +1521,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of OpenVPN 2.4.7:";; + short | recursive ) echo "Configuration of OpenVPN 2.4.8:";; esac cat <<\_ACEOF @@ -1731,7 +1728,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -OpenVPN configure 2.4.7 +OpenVPN configure 2.4.8 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2570,7 +2567,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by OpenVPN $as_me 2.4.7, which was +It was created by OpenVPN $as_me 2.4.8, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -2934,13 +2931,13 @@ if test -z "${htmldir}"; then fi -$as_echo "#define OPENVPN_VERSION_RESOURCE 2,4,7,0" >>confdefs.h +$as_echo "#define OPENVPN_VERSION_RESOURCE 2,4,8,0" >>confdefs.h OPENVPN_VERSION_MAJOR=2 OPENVPN_VERSION_MINOR=4 -OPENVPN_VERSION_PATCH=.7 +OPENVPN_VERSION_PATCH=.8 $as_echo "#define OPENVPN_VERSION_MAJOR 2" >>confdefs.h @@ -2949,7 +2946,7 @@ $as_echo "#define OPENVPN_VERSION_MAJOR 2" >>confdefs.h $as_echo "#define OPENVPN_VERSION_MINOR 4" >>confdefs.h -$as_echo "#define OPENVPN_VERSION_PATCH \".7\"" >>confdefs.h +$as_echo "#define OPENVPN_VERSION_PATCH \".8\"" >>confdefs.h ac_aux_dir= @@ -3473,7 +3470,7 @@ fi # Define the identity of the package. PACKAGE='openvpn' - VERSION='2.4.7' + VERSION='2.4.8' cat >>confdefs.h <<_ACEOF @@ -5514,7 +5511,6 @@ cat >>confdefs.h <<_ACEOF _ACEOF have_tap_header="yes" - CPPFLAGS="$CPPFLAGS -no-cpp-precomp" ac_cv_type_struct_in_pktinfo=no ;; *-mingw*) @@ -16629,9 +16625,12 @@ done EVP_MD_CTX_new \ EVP_MD_CTX_free \ EVP_MD_CTX_reset \ + EVP_CIPHER_CTX_reset \ SSL_CTX_get_default_passwd_cb \ SSL_CTX_get_default_passwd_cb_userdata \ SSL_CTX_set_security_level \ + X509_get0_notBefore \ + X509_get0_notAfter \ X509_get0_pubkey \ X509_STORE_get0_objects \ X509_OBJECT_free \ @@ -18040,15 +18039,8 @@ sampledir="\$(docdir)/sample" -VENDOR_SRC_ROOT="\$(abs_top_srcdir)/vendor/" -VENDOR_DIST_ROOT="\$(abs_top_builddir)/vendor/dist" -VENDOR_BUILD_ROOT="\$(abs_top_builddir)/vendor/.build" - - - - -TEST_LDFLAGS="-lcmocka -L\$(abs_top_builddir)/vendor/dist/lib -Wl,-rpath,\$(abs_top_builddir)/vendor/dist/lib" -TEST_CFLAGS="-I\$(top_srcdir)/include -I\$(abs_top_builddir)/vendor/dist/include" +TEST_LDFLAGS="${OPTIONAL_CRYPTO_LIBS} ${OPTIONAL_PKCS11_HELPER_LIBS} -lcmocka -L\$(top_builddir)/vendor/dist/lib -Wl,-rpath,\$(top_builddir)/vendor/dist/lib" +TEST_CFLAGS="${OPTIONAL_CRYPTO_CFLAGS} ${OPTIONAL_PKCS11_HELPER_CFLAGS} -I\$(top_srcdir)/include -I\$(top_builddir)/vendor/dist/include" @@ -18133,7 +18125,7 @@ fi fi -ac_config_files="$ac_config_files version.sh Makefile build/Makefile build/msvc/Makefile build/msvc/msvc-generate/Makefile distro/Makefile distro/rpm/Makefile distro/rpm/openvpn.spec distro/systemd/Makefile include/Makefile src/Makefile src/compat/Makefile src/openvpn/Makefile src/openvpnserv/Makefile src/plugins/Makefile src/plugins/auth-pam/Makefile src/plugins/down-root/Makefile tests/Makefile tests/unit_tests/Makefile tests/unit_tests/example_test/Makefile tests/unit_tests/openvpn/Makefile tests/unit_tests/plugins/Makefile tests/unit_tests/plugins/auth-pam/Makefile vendor/Makefile sample/Makefile doc/Makefile" +ac_config_files="$ac_config_files version.sh Makefile build/Makefile build/msvc/Makefile build/msvc/msvc-generate/Makefile distro/Makefile distro/systemd/Makefile include/Makefile src/Makefile src/compat/Makefile src/openvpn/Makefile src/openvpnserv/Makefile src/plugins/Makefile src/plugins/auth-pam/Makefile src/plugins/down-root/Makefile tests/Makefile tests/unit_tests/Makefile tests/unit_tests/example_test/Makefile tests/unit_tests/openvpn/Makefile tests/unit_tests/plugins/Makefile tests/unit_tests/plugins/auth-pam/Makefile vendor/Makefile sample/Makefile doc/Makefile" ac_config_files="$ac_config_files tests/t_client.sh" @@ -18707,7 +18699,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by OpenVPN $as_me 2.4.7, which was +This file was extended by OpenVPN $as_me 2.4.8, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -18773,7 +18765,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -OpenVPN config.status 2.4.7 +OpenVPN config.status 2.4.8 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" @@ -19271,8 +19263,6 @@ do "build/msvc/Makefile") CONFIG_FILES="$CONFIG_FILES build/msvc/Makefile" ;; "build/msvc/msvc-generate/Makefile") CONFIG_FILES="$CONFIG_FILES build/msvc/msvc-generate/Makefile" ;; "distro/Makefile") CONFIG_FILES="$CONFIG_FILES distro/Makefile" ;; - "distro/rpm/Makefile") CONFIG_FILES="$CONFIG_FILES distro/rpm/Makefile" ;; - "distro/rpm/openvpn.spec") CONFIG_FILES="$CONFIG_FILES distro/rpm/openvpn.spec" ;; "distro/systemd/Makefile") CONFIG_FILES="$CONFIG_FILES distro/systemd/Makefile" ;; "include/Makefile") CONFIG_FILES="$CONFIG_FILES include/Makefile" ;; "src/Makefile") CONFIG_FILES="$CONFIG_FILES src/Makefile" ;; diff --git a/configure.ac b/configure.ac index 9d5fc3f..e45ce2f 100644 --- a/configure.ac +++ b/configure.ac @@ -327,8 +327,6 @@ case "$host" in AC_DEFINE([TARGET_DARWIN], [1], [Are we running on Mac OS X?]) AC_DEFINE_UNQUOTED([TARGET_PREFIX], ["M"], [Target prefix]) have_tap_header="yes" - dnl some Mac OS X tendering (we use vararg macros...) - CPPFLAGS="$CPPFLAGS -no-cpp-precomp" ac_cv_type_struct_in_pktinfo=no ;; *-mingw*) @@ -905,9 +903,12 @@ if test "${enable_crypto}" = "yes" -a "${with_crypto_library}" = "openssl"; then EVP_MD_CTX_new \ EVP_MD_CTX_free \ EVP_MD_CTX_reset \ + EVP_CIPHER_CTX_reset \ SSL_CTX_get_default_passwd_cb \ SSL_CTX_get_default_passwd_cb_userdata \ SSL_CTX_set_security_level \ + X509_get0_notBefore \ + X509_get0_notAfter \ X509_get0_pubkey \ X509_STORE_get0_objects \ X509_OBJECT_free \ @@ -1376,15 +1377,8 @@ AC_SUBST([sampledir]) AC_SUBST([systemdunitdir]) AC_SUBST([tmpfilesdir]) -VENDOR_SRC_ROOT="\$(abs_top_srcdir)/vendor/" -VENDOR_DIST_ROOT="\$(abs_top_builddir)/vendor/dist" -VENDOR_BUILD_ROOT="\$(abs_top_builddir)/vendor/.build" -AC_SUBST([VENDOR_SRC_ROOT]) -AC_SUBST([VENDOR_BUILD_ROOT]) -AC_SUBST([VENDOR_DIST_ROOT]) - -TEST_LDFLAGS="-lcmocka -L\$(abs_top_builddir)/vendor/dist/lib -Wl,-rpath,\$(abs_top_builddir)/vendor/dist/lib" -TEST_CFLAGS="-I\$(top_srcdir)/include -I\$(abs_top_builddir)/vendor/dist/include" +TEST_LDFLAGS="${OPTIONAL_CRYPTO_LIBS} ${OPTIONAL_PKCS11_HELPER_LIBS} -lcmocka -L\$(top_builddir)/vendor/dist/lib -Wl,-rpath,\$(top_builddir)/vendor/dist/lib" +TEST_CFLAGS="${OPTIONAL_CRYPTO_CFLAGS} ${OPTIONAL_PKCS11_HELPER_CFLAGS} -I\$(top_srcdir)/include -I\$(top_builddir)/vendor/dist/include" AC_SUBST([TEST_LDFLAGS]) AC_SUBST([TEST_CFLAGS]) @@ -1412,8 +1406,6 @@ AC_CONFIG_FILES([ build/msvc/Makefile build/msvc/msvc-generate/Makefile distro/Makefile - distro/rpm/Makefile - distro/rpm/openvpn.spec distro/systemd/Makefile include/Makefile src/Makefile diff --git a/distro/Makefile.am b/distro/Makefile.am index e2098c8..a6795c4 100644 --- a/distro/Makefile.am +++ b/distro/Makefile.am @@ -12,4 +12,4 @@ MAINTAINERCLEANFILES = \ $(srcdir)/Makefile.in -SUBDIRS = rpm systemd +SUBDIRS = systemd diff --git a/distro/Makefile.in b/distro/Makefile.in index 2c01315..d15717f 100644 --- a/distro/Makefile.in +++ b/distro/Makefile.in @@ -314,9 +314,6 @@ TAP_WIN_MIN_MINOR = @TAP_WIN_MIN_MINOR@ TEST_CFLAGS = @TEST_CFLAGS@ TEST_LDFLAGS = @TEST_LDFLAGS@ TMPFILES_DIR = @TMPFILES_DIR@ -VENDOR_BUILD_ROOT = @VENDOR_BUILD_ROOT@ -VENDOR_DIST_ROOT = @VENDOR_DIST_ROOT@ -VENDOR_SRC_ROOT = @VENDOR_SRC_ROOT@ VERSION = @VERSION@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ @@ -379,7 +376,7 @@ top_srcdir = @top_srcdir@ MAINTAINERCLEANFILES = \ $(srcdir)/Makefile.in -SUBDIRS = rpm systemd +SUBDIRS = systemd all: all-recursive .SUFFIXES: diff --git a/distro/rpm/Makefile.am b/distro/rpm/Makefile.am deleted file mode 100644 index d16a5ac..0000000 --- a/distro/rpm/Makefile.am +++ /dev/null @@ -1,18 +0,0 @@ -# -# OpenVPN -- An application to securely tunnel IP networks -# over a single UDP port, with support for SSL/TLS-based -# session authentication and key exchange, -# packet encryption, packet authentication, and -# packet compression. -# -# Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net> -# Copyright (C) 2006-2012 Alon Bar-Lev <alon.barlev@gmail.com> -# - -MAINTAINERCLEANFILES = \ - $(srcdir)/Makefile.in - -dist_noinst_DATA = \ - openvpn.spec \ - openvpn.init.d.rhel \ - openvpn.init.d.suse diff --git a/distro/rpm/Makefile.in b/distro/rpm/Makefile.in deleted file mode 100644 index 9a71d31..0000000 --- a/distro/rpm/Makefile.in +++ /dev/null @@ -1,530 +0,0 @@ -# Makefile.in generated by automake 1.16.1 from Makefile.am. -# @configure_input@ - -# Copyright (C) 1994-2018 Free Software Foundation, Inc. - -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - -@SET_MAKE@ - -# -# OpenVPN -- An application to securely tunnel IP networks -# over a single UDP port, with support for SSL/TLS-based -# session authentication and key exchange, -# packet encryption, packet authentication, and -# packet compression. -# -# Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net> -# Copyright (C) 2006-2012 Alon Bar-Lev <alon.barlev@gmail.com> -# - -VPATH = @srcdir@ -am__is_gnu_make = { \ - if test -z '$(MAKELEVEL)'; then \ - false; \ - elif test -n '$(MAKE_HOST)'; then \ - true; \ - elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ - true; \ - else \ - false; \ - fi; \ -} -am__make_running_with_option = \ - case $${target_option-} in \ - ?) ;; \ - *) echo "am__make_running_with_option: internal error: invalid" \ - "target option '$${target_option-}' specified" >&2; \ - exit 1;; \ - esac; \ - has_opt=no; \ - sane_makeflags=$$MAKEFLAGS; \ - if $(am__is_gnu_make); then \ - sane_makeflags=$$MFLAGS; \ - else \ - case $$MAKEFLAGS in \ - *\\[\ \ ]*) \ - bs=\\; \ - sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ - | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ - esac; \ - fi; \ - skip_next=no; \ - strip_trailopt () \ - { \ - flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ - }; \ - for flg in $$sane_makeflags; do \ - test $$skip_next = yes && { skip_next=no; continue; }; \ - case $$flg in \ - *=*|--*) continue;; \ - -*I) strip_trailopt 'I'; skip_next=yes;; \ - -*I?*) strip_trailopt 'I';; \ - -*O) strip_trailopt 'O'; skip_next=yes;; \ - -*O?*) strip_trailopt 'O';; \ - -*l) strip_trailopt 'l'; skip_next=yes;; \ - -*l?*) strip_trailopt 'l';; \ - -[dEDm]) skip_next=yes;; \ - -[JT]) skip_next=yes;; \ - esac; \ - case $$flg in \ - *$$target_option*) has_opt=yes; break;; \ - esac; \ - done; \ - test $$has_opt = yes -am__make_dryrun = (target_option=n; $(am__make_running_with_option)) -am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) -pkgdatadir = $(datadir)/@PACKAGE@ -pkgincludedir = $(includedir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ -pkglibexecdir = $(libexecdir)/@PACKAGE@ -am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_HEADER = $(INSTALL_DATA) -transform = $(program_transform_name) -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -build_triplet = @build@ -host_triplet = @host@ -subdir = distro/rpm -ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/m4/ax_emptyarray.m4 \ - $(top_srcdir)/m4/ax_socklen_t.m4 \ - $(top_srcdir)/m4/ax_varargs.m4 $(top_srcdir)/m4/libtool.m4 \ - $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ - $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ - $(top_srcdir)/m4/pkg.m4 $(top_srcdir)/version.m4 \ - $(top_srcdir)/compat.m4 $(top_srcdir)/configure.ac -am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ - $(ACLOCAL_M4) -DIST_COMMON = $(srcdir)/Makefile.am $(dist_noinst_DATA) \ - $(am__DIST_COMMON) -mkinstalldirs = $(install_sh) -d -CONFIG_HEADER = $(top_builddir)/config.h \ - $(top_builddir)/include/openvpn-plugin.h -CONFIG_CLEAN_FILES = openvpn.spec -CONFIG_CLEAN_VPATH_FILES = -AM_V_P = $(am__v_P_@AM_V@) -am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) -am__v_P_0 = false -am__v_P_1 = : -AM_V_GEN = $(am__v_GEN_@AM_V@) -am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) -am__v_GEN_0 = @echo " GEN " $@; -am__v_GEN_1 = -AM_V_at = $(am__v_at_@AM_V@) -am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) -am__v_at_0 = @ -am__v_at_1 = -SOURCES = -DIST_SOURCES = -am__can_run_installinfo = \ - case $$AM_UPDATE_INFO_DIR in \ - n|no|NO) false;; \ - *) (install-info --version) >/dev/null 2>&1;; \ - esac -DATA = $(dist_noinst_DATA) -am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) -am__DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/openvpn.spec.in -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) -ACLOCAL = @ACLOCAL@ -AMTAR = @AMTAR@ -AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ -AR = @AR@ -AS = @AS@ -AUTOCONF = @AUTOCONF@ -AUTOHEADER = @AUTOHEADER@ -AUTOMAKE = @AUTOMAKE@ -AWK = @AWK@ -CC = @CC@ -CCDEPMODE = @CCDEPMODE@ -CFLAGS = @CFLAGS@ -CMAKE = @CMAKE@ -CPP = @CPP@ -CPPFLAGS = @CPPFLAGS@ -CYGPATH_W = @CYGPATH_W@ -DEFS = @DEFS@ -DEPDIR = @DEPDIR@ -DLLTOOL = @DLLTOOL@ -DL_LIBS = @DL_LIBS@ -DSYMUTIL = @DSYMUTIL@ -DUMPBIN = @DUMPBIN@ -ECHO_C = @ECHO_C@ -ECHO_N = @ECHO_N@ -ECHO_T = @ECHO_T@ -EGREP = @EGREP@ -EXEEXT = @EXEEXT@ -FGREP = @FGREP@ -GIT = @GIT@ -GREP = @GREP@ -IFCONFIG = @IFCONFIG@ -INSTALL = @INSTALL@ -INSTALL_DATA = @INSTALL_DATA@ -INSTALL_PROGRAM = @INSTALL_PROGRAM@ -INSTALL_SCRIPT = @INSTALL_SCRIPT@ -INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ -IPROUTE = @IPROUTE@ -LD = @LD@ -LDFLAGS = @LDFLAGS@ -LIBOBJS = @LIBOBJS@ -LIBPAM_CFLAGS = @LIBPAM_CFLAGS@ -LIBPAM_LIBS = @LIBPAM_LIBS@ -LIBS = @LIBS@ -LIBTOOL = @LIBTOOL@ -LIPO = @LIPO@ -LN_S = @LN_S@ -LTLIBOBJS = @LTLIBOBJS@ -LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ -LZ4_CFLAGS = @LZ4_CFLAGS@ -LZ4_LIBS = @LZ4_LIBS@ -LZO_CFLAGS = @LZO_CFLAGS@ -LZO_LIBS = @LZO_LIBS@ -MAKEINFO = @MAKEINFO@ -MAN2HTML = @MAN2HTML@ -MANIFEST_TOOL = @MANIFEST_TOOL@ -MBEDTLS_CFLAGS = @MBEDTLS_CFLAGS@ -MBEDTLS_LIBS = @MBEDTLS_LIBS@ -MKDIR_P = @MKDIR_P@ -NETSTAT = @NETSTAT@ -NM = @NM@ -NMEDIT = @NMEDIT@ -OBJDUMP = @OBJDUMP@ -OBJEXT = @OBJEXT@ -OPENSSL_CFLAGS = @OPENSSL_CFLAGS@ -OPENSSL_LIBS = @OPENSSL_LIBS@ -OPENVPN_VERSION_MAJOR = @OPENVPN_VERSION_MAJOR@ -OPENVPN_VERSION_MINOR = @OPENVPN_VERSION_MINOR@ -OPENVPN_VERSION_PATCH = @OPENVPN_VERSION_PATCH@ -OPTIONAL_CRYPTO_CFLAGS = @OPTIONAL_CRYPTO_CFLAGS@ -OPTIONAL_CRYPTO_LIBS = @OPTIONAL_CRYPTO_LIBS@ -OPTIONAL_DL_LIBS = @OPTIONAL_DL_LIBS@ -OPTIONAL_LZ4_CFLAGS = @OPTIONAL_LZ4_CFLAGS@ -OPTIONAL_LZ4_LIBS = @OPTIONAL_LZ4_LIBS@ -OPTIONAL_LZO_CFLAGS = @OPTIONAL_LZO_CFLAGS@ -OPTIONAL_LZO_LIBS = @OPTIONAL_LZO_LIBS@ -OPTIONAL_PKCS11_HELPER_CFLAGS = @OPTIONAL_PKCS11_HELPER_CFLAGS@ -OPTIONAL_PKCS11_HELPER_LIBS = @OPTIONAL_PKCS11_HELPER_LIBS@ -OPTIONAL_SELINUX_LIBS = @OPTIONAL_SELINUX_LIBS@ -OPTIONAL_SYSTEMD_LIBS = @OPTIONAL_SYSTEMD_LIBS@ -OTOOL = @OTOOL@ -OTOOL64 = @OTOOL64@ -P11KIT_CFLAGS = @P11KIT_CFLAGS@ -P11KIT_LIBS = @P11KIT_LIBS@ -PACKAGE = @PACKAGE@ -PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ -PACKAGE_NAME = @PACKAGE_NAME@ -PACKAGE_STRING = @PACKAGE_STRING@ -PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_URL = @PACKAGE_URL@ -PACKAGE_VERSION = @PACKAGE_VERSION@ -PATH_SEPARATOR = @PATH_SEPARATOR@ -PKCS11_HELPER_CFLAGS = @PKCS11_HELPER_CFLAGS@ -PKCS11_HELPER_LIBS = @PKCS11_HELPER_LIBS@ -PKG_CONFIG = @PKG_CONFIG@ -PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ -PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ -PLUGINDIR = @PLUGINDIR@ -PLUGIN_AUTH_PAM_CFLAGS = @PLUGIN_AUTH_PAM_CFLAGS@ -PLUGIN_AUTH_PAM_LIBS = @PLUGIN_AUTH_PAM_LIBS@ -RANLIB = @RANLIB@ -RC = @RC@ -ROUTE = @ROUTE@ -SED = @SED@ -SELINUX_LIBS = @SELINUX_LIBS@ -SET_MAKE = @SET_MAKE@ -SHELL = @SHELL@ -SOCKETS_LIBS = @SOCKETS_LIBS@ -STRIP = @STRIP@ -SYSTEMD_ASK_PASSWORD = @SYSTEMD_ASK_PASSWORD@ -SYSTEMD_UNIT_DIR = @SYSTEMD_UNIT_DIR@ -TAP_CFLAGS = @TAP_CFLAGS@ -TAP_WIN_COMPONENT_ID = @TAP_WIN_COMPONENT_ID@ -TAP_WIN_MIN_MAJOR = @TAP_WIN_MIN_MAJOR@ -TAP_WIN_MIN_MINOR = @TAP_WIN_MIN_MINOR@ -TEST_CFLAGS = @TEST_CFLAGS@ -TEST_LDFLAGS = @TEST_LDFLAGS@ -TMPFILES_DIR = @TMPFILES_DIR@ -VENDOR_BUILD_ROOT = @VENDOR_BUILD_ROOT@ -VENDOR_DIST_ROOT = @VENDOR_DIST_ROOT@ -VENDOR_SRC_ROOT = @VENDOR_SRC_ROOT@ -VERSION = @VERSION@ -abs_builddir = @abs_builddir@ -abs_srcdir = @abs_srcdir@ -abs_top_builddir = @abs_top_builddir@ -abs_top_srcdir = @abs_top_srcdir@ -ac_ct_AR = @ac_ct_AR@ -ac_ct_CC = @ac_ct_CC@ -ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ -am__include = @am__include@ -am__leading_dot = @am__leading_dot@ -am__quote = @am__quote@ -am__tar = @am__tar@ -am__untar = @am__untar@ -bindir = @bindir@ -build = @build@ -build_alias = @build_alias@ -build_cpu = @build_cpu@ -build_os = @build_os@ -build_vendor = @build_vendor@ -builddir = @builddir@ -datadir = @datadir@ -datarootdir = @datarootdir@ -docdir = @docdir@ -dvidir = @dvidir@ -exec_prefix = @exec_prefix@ -host = @host@ -host_alias = @host_alias@ -host_cpu = @host_cpu@ -host_os = @host_os@ -host_vendor = @host_vendor@ -htmldir = @htmldir@ -includedir = @includedir@ -infodir = @infodir@ -install_sh = @install_sh@ -libdir = @libdir@ -libexecdir = @libexecdir@ -libsystemd_CFLAGS = @libsystemd_CFLAGS@ -libsystemd_LIBS = @libsystemd_LIBS@ -localedir = @localedir@ -localstatedir = @localstatedir@ -mandir = @mandir@ -mkdir_p = @mkdir_p@ -oldincludedir = @oldincludedir@ -pdfdir = @pdfdir@ -plugindir = @plugindir@ -prefix = @prefix@ -program_transform_name = @program_transform_name@ -psdir = @psdir@ -sampledir = @sampledir@ -sbindir = @sbindir@ -sharedstatedir = @sharedstatedir@ -srcdir = @srcdir@ -sysconfdir = @sysconfdir@ -systemdunitdir = @systemdunitdir@ -target_alias = @target_alias@ -tmpfilesdir = @tmpfilesdir@ -top_build_prefix = @top_build_prefix@ -top_builddir = @top_builddir@ -top_srcdir = @top_srcdir@ -MAINTAINERCLEANFILES = \ - $(srcdir)/Makefile.in - -dist_noinst_DATA = \ - openvpn.spec \ - openvpn.init.d.rhel \ - openvpn.init.d.suse - -all: all-am - -.SUFFIXES: -$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) - @for dep in $?; do \ - case '$(am__configure_deps)' in \ - *$$dep*) \ - ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ - && { if test -f $@; then exit 0; else break; fi; }; \ - exit 1;; \ - esac; \ - done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign distro/rpm/Makefile'; \ - $(am__cd) $(top_srcdir) && \ - $(AUTOMAKE) --foreign distro/rpm/Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - @case '$?' in \ - *config.status*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ - *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \ - esac; - -$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh - -$(top_srcdir)/configure: $(am__configure_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -$(ACLOCAL_M4): $(am__aclocal_m4_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -$(am__aclocal_m4_deps): -openvpn.spec: $(top_builddir)/config.status $(srcdir)/openvpn.spec.in - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs -tags TAGS: - -ctags CTAGS: - -cscope cscopelist: - - -distdir: $(BUILT_SOURCES) - $(MAKE) $(AM_MAKEFLAGS) distdir-am - -distdir-am: $(DISTFILES) - @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ - topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ - list='$(DISTFILES)'; \ - dist_files=`for file in $$list; do echo $$file; done | \ - sed -e "s|^$$srcdirstrip/||;t" \ - -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ - case $$dist_files in \ - */*) $(MKDIR_P) `echo "$$dist_files" | \ - sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ - sort -u` ;; \ - esac; \ - for file in $$dist_files; do \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - if test -d $$d/$$file; then \ - dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test -d "$(distdir)/$$file"; then \ - find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ - fi; \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ - find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ - fi; \ - cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ - else \ - test -f "$(distdir)/$$file" \ - || cp -p $$d/$$file "$(distdir)/$$file" \ - || exit 1; \ - fi; \ - done -check-am: all-am -check: check-am -all-am: Makefile $(DATA) -installdirs: -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - if test -z '$(STRIP)'; then \ - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ - install; \ - else \ - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ - "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ - fi -mostlyclean-generic: - -clean-generic: - -distclean-generic: - -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) - -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." - -test -z "$(MAINTAINERCLEANFILES)" || rm -f $(MAINTAINERCLEANFILES) -clean: clean-am - -clean-am: clean-generic clean-libtool mostlyclean-am - -distclean: distclean-am - -rm -f Makefile -distclean-am: clean-am distclean-generic - -dvi: dvi-am - -dvi-am: - -html: html-am - -html-am: - -info: info-am - -info-am: - -install-data-am: - -install-dvi: install-dvi-am - -install-dvi-am: - -install-exec-am: - -install-html: install-html-am - -install-html-am: - -install-info: install-info-am - -install-info-am: - -install-man: - -install-pdf: install-pdf-am - -install-pdf-am: - -install-ps: install-ps-am - -install-ps-am: - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -rm -f Makefile -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-generic mostlyclean-libtool - -pdf: pdf-am - -pdf-am: - -ps: ps-am - -ps-am: - -uninstall-am: - -.MAKE: install-am install-strip - -.PHONY: all all-am check check-am clean clean-generic clean-libtool \ - cscopelist-am ctags-am distclean distclean-generic \ - distclean-libtool distdir dvi dvi-am html html-am info info-am \ - install install-am install-data install-data-am install-dvi \ - install-dvi-am install-exec install-exec-am install-html \ - install-html-am install-info install-info-am install-man \ - install-pdf install-pdf-am install-ps install-ps-am \ - install-strip installcheck installcheck-am installdirs \ - maintainer-clean maintainer-clean-generic mostlyclean \ - mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ - tags-am uninstall uninstall-am - -.PRECIOUS: Makefile - - -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/distro/rpm/openvpn.init.d.rhel b/distro/rpm/openvpn.init.d.rhel deleted file mode 100755 index bfde221..0000000 --- a/distro/rpm/openvpn.init.d.rhel +++ /dev/null @@ -1,244 +0,0 @@ -#!/bin/sh -# -# openvpn This shell script takes care of starting and stopping -# openvpn on RedHat or other chkconfig-based system. -# -# chkconfig: 345 24 76 -# -# description: OpenVPN is a robust and highly flexible tunneling application \ -# that uses all of the encryption, authentication, and \ -# certification features of the OpenSSL library to securely \ -# tunnel IP networks over a single UDP port. -# - -# Contributed to the OpenVPN project by -# Douglas Keller <doug@voidstar.dyndns.org> -# 2002.05.15 - -# To install: -# copy this file to /etc/rc.d/init.d/openvpn -# shell> chkconfig --add openvpn -# shell> mkdir /etc/openvpn -# make .conf or .sh files in /etc/openvpn (see below) - -# To uninstall: -# run: chkconfig --del openvpn - -# Author's Notes: -# -# I have created an /etc/init.d init script and enhanced openvpn.spec to -# automatically register the init script. Once the RPM is installed you -# can start and stop OpenVPN with "service openvpn start" and "service -# openvpn stop". -# -# The init script does the following: -# -# - Starts an openvpn process for each .conf file it finds in -# /etc/openvpn. -# -# - If /etc/openvpn/xxx.sh exists for a xxx.conf file then it executes -# it before starting openvpn (useful for doing openvpn --mktun...). -# -# - In addition to start/stop you can do: -# -# service openvpn reload - SIGHUP -# service openvpn reopen - SIGUSR1 -# service openvpn status - SIGUSR2 -# -# Modifications: -# -# 2003.05.02 -# * Changed == to = for sh compliance (Bishop Clark). -# * If condrestart|reload|reopen|status, check that we were -# actually started (James Yonan). -# * Added lock, piddir, and work variables (James Yonan). -# * If start is attempted twice, without an intervening stop, or -# if start is attempted when previous start was not properly -# shut down, then kill any previously started processes, before -# commencing new start operation (James Yonan). -# * Do a better job of flagging errors on start, and properly -# returning success or failure status to caller (James Yonan). -# -# 2005.04.04 -# * Added openvpn-startup and openvpn-shutdown script calls -# (James Yonan). -# - -# Location of openvpn binary -openvpn="" -openvpn_locations="/usr/sbin/openvpn /usr/local/sbin/openvpn" -for location in $openvpn_locations -do - if [ -f "$location" ] - then - openvpn=$location - fi -done - -# Lockfile -lock="/var/lock/subsys/openvpn" - -# PID directory -piddir="/var/run/openvpn" - -# Our working directory -work=/etc/openvpn - -# Source function library. -. /etc/rc.d/init.d/functions - -# Source networking configuration. -. /etc/sysconfig/network - -# Check that networking is up. -if [ "${NETWORKING}" = "no" ] -then - echo "Networking is down" - exit 0 -fi - -# Check that binary exists -if ! [ -f $openvpn ] -then - echo "openvpn binary not found" - exit 0 -fi - -# See how we were called. -case "$1" in - start) - echo -n $"Starting openvpn: " - - /sbin/modprobe tun >/dev/null 2>&1 - - # From a security perspective, I think it makes - # sense to remove this, and have users who need - # it explictly enable in their --up scripts or - # firewall setups. - - #echo 1 > /proc/sys/net/ipv4/ip_forward - - # Run startup script, if defined - if [ -f $work/openvpn-startup ]; then - $work/openvpn-startup - fi - - if [ ! -d $piddir ]; then - mkdir $piddir - fi - - if [ -f $lock ]; then - # we were not shut down correctly - for pidf in `/bin/ls $piddir/*.pid 2>/dev/null`; do - if [ -s $pidf ]; then - kill `cat $pidf` >/dev/null 2>&1 - fi - rm -f $pidf - done - rm -f $lock - sleep 2 - fi - - rm -f $piddir/*.pid - cd $work - - # Start every .conf in $work and run .sh if exists - errors=0 - successes=0 - for c in `/bin/ls *.conf 2>/dev/null`; do - bn=${c%%.conf} - if [ -f "$bn.sh" ]; then - . ./$bn.sh - fi - rm -f $piddir/$bn.pid - $openvpn --daemon --writepid $piddir/$bn.pid --config $c --cd $work - if [ $? = 0 ]; then - successes=1 - else - errors=1 - fi - done - - if [ $errors = 1 ]; then - failure; echo - else - success; echo - fi - - if [ $successes = 1 ]; then - touch $lock - fi - ;; - stop) - echo -n $"Shutting down openvpn: " - for pidf in `/bin/ls $piddir/*.pid 2>/dev/null`; do - if [ -s $pidf ]; then - kill `cat $pidf` >/dev/null 2>&1 - fi - rm -f $pidf - done - - # Run shutdown script, if defined - if [ -f $work/openvpn-shutdown ]; then - $work/openvpn-shutdown - fi - - success; echo - rm -f $lock - ;; - restart) - $0 stop - sleep 2 - $0 start - ;; - reload) - if [ -f $lock ]; then - for pidf in `/bin/ls $piddir/*.pid 2>/dev/null`; do - if [ -s $pidf ]; then - kill -HUP `cat $pidf` >/dev/null 2>&1 - fi - done - else - echo "openvpn: service not started" - exit 1 - fi - ;; - reopen) - if [ -f $lock ]; then - for pidf in `/bin/ls $piddir/*.pid 2>/dev/null`; do - if [ -s $pidf ]; then - kill -USR1 `cat $pidf` >/dev/null 2>&1 - fi - done - else - echo "openvpn: service not started" - exit 1 - fi - ;; - condrestart) - if [ -f $lock ]; then - $0 stop - # avoid race - sleep 2 - $0 start - fi - ;; - status) - if [ -f $lock ]; then - for pidf in `/bin/ls $piddir/*.pid 2>/dev/null`; do - if [ -s $pidf ]; then - kill -USR2 `cat $pidf` >/dev/null 2>&1 - fi - done - echo "Status written to /var/log/messages" - else - echo "openvpn: service not started" - exit 1 - fi - ;; - *) - echo "Usage: openvpn {start|stop|restart|condrestart|reload|reopen|status}" - exit 1 - ;; -esac -exit 0 diff --git a/distro/rpm/openvpn.init.d.suse b/distro/rpm/openvpn.init.d.suse deleted file mode 100644 index 270024e..0000000 --- a/distro/rpm/openvpn.init.d.suse +++ /dev/null @@ -1,264 +0,0 @@ -#!/bin/sh -### BEGIN INIT INFO -# Provides: openvpn -# Required-Start: $network -# Required-Stop: $network -# Default-Start: 3 5 -# Default-Stop: 0 1 2 6 -# Short-Description: This shell script takes care of starting and stopping OpenVPN. -# Description: OpenVPN is a robust and highly flexible tunneling application that uses all of the encryption, authentication, and certification features of the OpenSSL library to securely tunnel IP networks over a single UDP port. -### END INIT INFO - -# Contributed to the OpenVPN project by -# Douglas Keller <doug@voidstar.dyndns.org> -# 2002.05.15 - -# Modified for SuSE by -# Frank Plohmann <openvpn@franks-planet.de> -# 2003.08.24 -# Please feel free to contact me if you have problems or suggestions -# using this script. - -# To install: -# copy this file to /etc/rc.d/init.d/openvpn -# use the runlevel editor in Yast to add it to runlevel 3 and/or 5 -# shell> mkdir /etc/openvpn -# make .conf or .sh files in /etc/openvpn (see below) - -# To uninstall: -# use also Yast and the runlevel editor to uninstall - -# Author's Notes: -# -# I have created an /etc/init.d init script and enhanced openvpn.spec to -# automatically register the init script. Once the RPM is installed you -# can start and stop OpenVPN with "service openvpn start" and "service -# openvpn stop". -# -# The init script does the following: -# -# - Starts an openvpn process for each .conf file it finds in -# /etc/openvpn. -# -# - If /etc/openvpn/xxx.sh exists for a xxx.conf file then it executes -# it before starting openvpn (useful for doing openvpn --mktun...). -# -# - In addition to start/stop you can do: -# -# /etc/init.d/openvpn reload - SIGHUP -# /etc/init.d/openvpn reopen - SIGUSR1 -# /etc/init.d/openvpn status - SIGUSR2 - -# Modifications 2003.05.02 -# * Changed == to = for sh compliance (Bishop Clark). -# * If condrestart|reload|reopen|status, check that we were -# actually started (James Yonan). -# * Added lock, piddir, and work variables (James Yonan). -# * If start is attempted twice, without an intervening stop, or -# if start is attempted when previous start was not properly -# shut down, then kill any previously started processes, before -# commencing new start operation (James Yonan). -# * Do a better job of flagging errors on start, and properly -# returning success or failure status to caller (James Yonan). -# -# Modifications 2003.08.24 -# * Converted the script for SuSE Linux distribution. -# Tested with version 8.2 (Frank Plohmann). -# - removed "chkconfig" header -# - added Yast header -# - changed installation notes -# - corrected path to openvpn binary -# - removes sourcing "functions" -# - removed sourcing "network" -# - removed network checking. it seemed not to work with SuSE. -# - added sourcing "rc.status", comments and "rc_reset" command -# - removed "succes; echo" and "failure; echo" lines -# - added "rc_status" lines at the end of each section -# - changed "service" to "/etc/init.d/" in "In addition to start/stop" -# section above. -# -# Modifications 2005.04.04 -# * Added openvpn-startup and openvpn-shutdown script calls (James Yonan). -# - -# Location of openvpn binary -openvpn="/usr/sbin/openvpn" - -# Lockfile -lock="/var/lock/subsys/openvpn" - -# PID directory -piddir="/var/run/openvpn" - -# Our working directory -work=/etc/openvpn - -# Source rc functions -. /etc/rc.status - -# Shell functions sourced from /etc/rc.status: -# rc_check check and set local and overall rc status -# rc_status check and set local and overall rc status -# rc_status -v ditto but be verbose in local rc status -# rc_status -v -r ditto and clear the local rc status -# rc_failed set local and overall rc status to failed -# rc_reset clear local rc status (overall remains) -# rc_exit exit appropriate to overall rc status - -# rc_status check and set local and overall rc status -# rc_status -v ditto but be verbose in local rc status -# rc_status -v -r ditto and clear the local rc status -# rc_failed set local and overall rc status to failed -# rc_reset clear local rc status (overall remains) -# rc_exit exit appropriate to overall rc status - -# First reset status of this service -rc_reset - -[ -f $openvpn ] || exit 0 - -# See how we were called. -case "$1" in - start) - echo -n $"Starting openvpn: " - - /sbin/modprobe tun >/dev/null 2>&1 - - # From a security perspective, I think it makes - # sense to remove this, and have users who need - # it explictly enable in their --up scripts or - # firewall setups. - - #echo 1 > /proc/sys/net/ipv4/ip_forward - - # Run startup script, if defined - if [ -f $work/openvpn-startup ]; then - $work/openvpn-startup - fi - - if [ ! -d $piddir ]; then - mkdir $piddir - fi - - if [ -f $lock ]; then - # we were not shut down correctly - for pidf in `/bin/ls $piddir/*.pid 2>/dev/null`; do - if [ -s $pidf ]; then - kill `cat $pidf` >/dev/null 2>&1 - fi - rm -f $pidf - done - rm -f $lock - sleep 2 - fi - - rm -f $piddir/*.pid - cd $work - - # Start every .conf in $work and run .sh if exists - errors=0 - successes=0 - for c in `/bin/ls *.conf 2>/dev/null`; do - bn=${c%%.conf} - if [ -f "$bn.sh" ]; then - . ./$bn.sh - fi - rm -f $piddir/$bn.pid - $openvpn --daemon --writepid $piddir/$bn.pid --config $c --cd $work - if [ $? = 0 ]; then - successes=1 - else - errors=1 - fi - done - - if [ $successes = 1 ]; then - touch $lock - fi - - rc_status -v - ;; - stop) - echo -n $"Shutting down openvpn: " - for pidf in `/bin/ls $piddir/*.pid 2>/dev/null`; do - if [ -s $pidf ]; then - kill `cat $pidf` >/dev/null 2>&1 - fi - rm -f $pidf - done - - # Run shutdown script, if defined - if [ -f $work/openvpn-shutdown ]; then - $work/openvpn-shutdown - fi - - rm -f $lock - - rc_status -v - ;; - restart) - $0 stop - sleep 2 - $0 start - - rc_status - ;; - reload) - if [ -f $lock ]; then - for pidf in `/bin/ls $piddir/*.pid 2>/dev/null`; do - if [ -s $pidf ]; then - kill -HUP `cat $pidf` >/dev/null 2>&1 - fi - done - else - echo "openvpn: service not started" - exit 1 - fi - - rc_status -v - ;; - reopen) - if [ -f $lock ]; then - for pidf in `/bin/ls $piddir/*.pid 2>/dev/null`; do - if [ -s $pidf ]; then - kill -USR1 `cat $pidf` >/dev/null 2>&1 - fi - done - else - echo "openvpn: service not started" - exit 1 - fi - - rc_status -v - ;; - condrestart) - if [ -f $lock ]; then - $0 stop - # avoid race - sleep 2 - $0 start - fi - - rc_status - ;; - status) - if [ -f $lock ]; then - for pidf in `/bin/ls $piddir/*.pid 2>/dev/null`; do - if [ -s $pidf ]; then - kill -USR2 `cat $pidf` >/dev/null 2>&1 - fi - done - echo "Status written to /var/log/messages" - else - echo "openvpn: service not started" - exit 1 - fi - - rc_status -v - ;; - *) - echo "Usage: openvpn {start|stop|restart|condrestart|reload|reopen|status}" - exit 1 -esac - -exit 0 diff --git a/distro/rpm/openvpn.spec b/distro/rpm/openvpn.spec deleted file mode 100644 index c0d4354..0000000 --- a/distro/rpm/openvpn.spec +++ /dev/null @@ -1,248 +0,0 @@ -# OpenVPN spec file, used to drive rpmbuild - -# OPTIONS -# -# Disable LZO -# rpmbuild -tb [openvpn.x.tar.gz] --define 'without_lzo 1' -# -# Disable PAM plugin -# rpmbuild -tb [openvpn.x.tar.gz] --define 'without_pam 1' -# -# Allow passwords to be read from files -# rpmbuild -tb [openvpn.x.tar.gz] --define 'with_password_save 1' - -Summary: OpenVPN is a robust and highly flexible VPN daemon by James Yonan. -Name: openvpn -Version: 2.4.7 -Release: 1 -URL: http://openvpn.net/ -Source0: http://prdownloads.sourceforge.net/openvpn/%{name}-%{version}.tar.gz - -License: GPL -Group: Applications/Internet -Vendor: James Yonan <jim@yonan.net> -Packager: James Yonan <jim@yonan.net> -BuildRoot: %{_tmppath}/%{name}-%(id -un) - -# -# Include dependencies manually -# - -AutoReq: 0 - -BuildRequires: openssl-devel >= 0.9.7 -Requires: openssl >= 0.9.7 - -%if "%{_vendor}" == "Mandrakesoft" -%{!?without_lzo:BuildRequires: liblzo1-devel >= 1.07} -%{!?without_lzo:Requires: liblzo1 >= 1.07} -%else -%if "%{_vendor}" == "MandrakeSoft" -%{!?without_lzo:BuildRequires: liblzo1-devel >= 1.07} -%{!?without_lzo:Requires: liblzo1 >= 1.07} -%else -%{!?without_lzo:BuildRequires: lzo-devel >= 1.07} -%{!?without_lzo:Requires: lzo >= 1.07} -%endif -%endif - -%{!?without_pam:BuildRequires: pam-devel} -%{!?without_pam:Requires: pam} - -%{?with_pkcs11:BuildRequires: pkcs11-helper-devel} -%{?with_pkcs11:Requires: pkcs11-helper} - -# -# Description -# - -%description -OpenVPN is a robust and highly flexible VPN daemon by James Yonan. -OpenVPN supports SSL/TLS security, -ethernet bridging, -TCP or UDP tunnel transport through proxies or NAT, -support for dynamic IP addresses and DHCP, -scalability to hundreds or thousands of users, -and portability to most major OS platforms. - -%package devel -Summary: OpenVPN is a robust and highly flexible VPN daemon by James Yonan. -Group: Applications/Internet -Requires: %{name} -%description devel -Development support for OpenVPN. - -# -# Define vendor type -# - -%if "%{_vendor}" == "suse" || "%{_vendor}" == "pc" -%define VENDOR SuSE -%else -%define VENDOR %_vendor -%endif - -# -# Other definitions -# - -%define debug_package %{nil} - -# -# Build OpenVPN binary -# - -%prep -%setup -q - -%build -%configure \ - --disable-dependency-tracking \ - --docdir="%{_docdir}/%{name}-%{version}" \ - %{?with_password_save:--enable-password-save} \ - %{!?without_lzo:--enable-lzo} \ - %{?with_pkcs11:--enable-pkcs11} \ - %{?without_pam:--disable-plugin-auth-pam} -%__make - -# -# Installation section -# - -%install -[ %{buildroot} != "/" ] && rm -rf %{buildroot} -%__make install DESTDIR="%{buildroot}" - -# Install init script -%if "%{VENDOR}" == "SuSE" -%__install -c -d -m 755 "%{buildroot}/etc/init.d" -%__install -c -m 755 "distro/rpm/%{name}.init.d.suse" "%{buildroot}/etc/init.d/%{name}" -%else -%__install -c -d -m 755 "%{buildroot}/etc/rc.d/init.d" -%__install -c -m 755 distro/rpm/%{name}.init.d.rhel "%{buildroot}/etc/rc.d/init.d/%{name}" -%endif - -# Install /etc/openvpn -%__install -c -d -m 755 "%{buildroot}/etc/%{name}" - -# Install extra %doc stuff -cp -r AUTHORS ChangeLog NEWS contrib/ sample/ \ - "%{buildroot}/%{_docdir}/%{name}-%{version}" - -# -# Clean section -# - -%clean -[ %{buildroot} != "/" ] && rm -rf "%{buildroot}" - -# -# On Linux 2.4, make the device node -# - -%post -case "`uname -r`" in -2.4*) - /bin/mkdir /dev/net >/dev/null 2>&1 - /bin/mknod /dev/net/tun c 10 200 >/dev/null 2>&1 - ;; -esac - -# -# Handle the init script -# - -/sbin/chkconfig --add %{name} -%if "%{VENDOR}" == "SuSE" -/etc/init.d/openvpn restart -%else -/sbin/service %{name} condrestart -%endif -%preun -if [ "$1" = 0 ] -then - %if "%{VENDOR}" == "SuSE" - /etc/init.d/openvpn stop - %else - /sbin/service %{name} stop - %endif - /sbin/chkconfig --del %{name} -fi - -# -# Files section -# -# don't use %doc as old rpmbuild removes it[1]. -# [1] http://rpm.org/ticket/836 - -%files -%defattr(-,root,root) -%{_mandir} -%{_sbindir}/%{name} -%{_libdir}/%{name} -%{_docdir}/%{name}-%{version} -%dir /etc/%{name} -%if "%{VENDOR}" == "SuSE" -/etc/init.d/%{name} -%else -/etc/rc.d/init.d/%{name} -%endif - -%files devel -%defattr(-,root,root) -%{_includedir}/* - -%changelog -* Thu Jul 30 2009 David Sommerseth <dazo@users.sourceforge.net> -- Removed management/ directory from %doc - -* Thu Dec 14 2006 Alon Bar-Lev -- Added with_pkcs11 - -* Mon Aug 2 2005 James Yonan -- Fixed build problem with --define 'without_pam 1' - -* Mon Apr 4 2005 James Yonan -- Moved some files from /usr/share/openvpn to %doc for compatibility - with Dag Wieers' RPM repository - -* Sat Mar 12 2005 Tom Walsh -- Added MandrakeSoft liblzo1 require - -* Fri Dec 10 2004 James Yonan -- Added AutoReq: 0 for manual dependencies - -* Fri Dec 10 2004 James Yonan -- Packaged the plugins - -* Sun Nov 7 2004 Umberto Nicoletti -- SuSE support - -* Wed Aug 18 2004 Bishop Clark (LC957) <bishop@platypus.bc.ca> -- restrict what we claim in /etc/ to avoid ownership conflicts - -* Sun Feb 23 2003 Matthias Andree <matthias.andree@gmx.de> 1.3.2.14-1. -- Have the version number filled in by autoconf. - -* Wed Jul 10 2002 James Yonan <jim@yonan.net> 1.3.1-1 -- Fixed %preun to only remove service on final uninstall - -* Mon Jun 17 2002 bishop clark (LC957) <bishop@platypus.bc.ca> 1.2.2-1 -- Added condrestart to openvpn.spec & openvpn.init. - -* Wed May 22 2002 James Yonan <jim@yonan.net> 1.2.0-1 -- Added mknod for Linux 2.4. - -* Wed May 15 2002 Doug Keller <dsk@voidstar.dyndns.org> 1.1.1.16-2 -- Added init scripts -- Added conf file support - -* Mon May 13 2002 bishop clark (LC957) <bishop@platypus.bc.ca> 1.1.1.14-1 -- Added new directories for config examples and such - -* Sun May 12 2002 bishop clark (LC957) <bishop@platypus.bc.ca> 1.1.1.13-1 -- Updated buildroot directive and cleanup command -- added easy-rsa utilities - -* Mon Mar 25 2002 bishop clark (LC957) <bishop@platypus.bc.ca> 1.0-1 -- Initial build. diff --git a/distro/rpm/openvpn.spec.in b/distro/rpm/openvpn.spec.in deleted file mode 100644 index 20a8c89..0000000 --- a/distro/rpm/openvpn.spec.in +++ /dev/null @@ -1,248 +0,0 @@ -# OpenVPN spec file, used to drive rpmbuild - -# OPTIONS -# -# Disable LZO -# rpmbuild -tb [openvpn.x.tar.gz] --define 'without_lzo 1' -# -# Disable PAM plugin -# rpmbuild -tb [openvpn.x.tar.gz] --define 'without_pam 1' -# -# Allow passwords to be read from files -# rpmbuild -tb [openvpn.x.tar.gz] --define 'with_password_save 1' - -Summary: OpenVPN is a robust and highly flexible VPN daemon by James Yonan. -Name: @PACKAGE@ -Version: @VERSION@ -Release: 1 -URL: http://openvpn.net/ -Source0: http://prdownloads.sourceforge.net/openvpn/%{name}-%{version}.tar.gz - -License: GPL -Group: Applications/Internet -Vendor: James Yonan <jim@yonan.net> -Packager: James Yonan <jim@yonan.net> -BuildRoot: %{_tmppath}/%{name}-%(id -un) - -# -# Include dependencies manually -# - -AutoReq: 0 - -BuildRequires: openssl-devel >= 0.9.7 -Requires: openssl >= 0.9.7 - -%if "%{_vendor}" == "Mandrakesoft" -%{!?without_lzo:BuildRequires: liblzo1-devel >= 1.07} -%{!?without_lzo:Requires: liblzo1 >= 1.07} -%else -%if "%{_vendor}" == "MandrakeSoft" -%{!?without_lzo:BuildRequires: liblzo1-devel >= 1.07} -%{!?without_lzo:Requires: liblzo1 >= 1.07} -%else -%{!?without_lzo:BuildRequires: lzo-devel >= 1.07} -%{!?without_lzo:Requires: lzo >= 1.07} -%endif -%endif - -%{!?without_pam:BuildRequires: pam-devel} -%{!?without_pam:Requires: pam} - -%{?with_pkcs11:BuildRequires: pkcs11-helper-devel} -%{?with_pkcs11:Requires: pkcs11-helper} - -# -# Description -# - -%description -OpenVPN is a robust and highly flexible VPN daemon by James Yonan. -OpenVPN supports SSL/TLS security, -ethernet bridging, -TCP or UDP tunnel transport through proxies or NAT, -support for dynamic IP addresses and DHCP, -scalability to hundreds or thousands of users, -and portability to most major OS platforms. - -%package devel -Summary: OpenVPN is a robust and highly flexible VPN daemon by James Yonan. -Group: Applications/Internet -Requires: %{name} -%description devel -Development support for OpenVPN. - -# -# Define vendor type -# - -%if "%{_vendor}" == "suse" || "%{_vendor}" == "pc" -%define VENDOR SuSE -%else -%define VENDOR %_vendor -%endif - -# -# Other definitions -# - -%define debug_package %{nil} - -# -# Build OpenVPN binary -# - -%prep -%setup -q - -%build -%configure \ - --disable-dependency-tracking \ - --docdir="%{_docdir}/%{name}-%{version}" \ - %{?with_password_save:--enable-password-save} \ - %{!?without_lzo:--enable-lzo} \ - %{?with_pkcs11:--enable-pkcs11} \ - %{?without_pam:--disable-plugin-auth-pam} -%__make - -# -# Installation section -# - -%install -[ %{buildroot} != "/" ] && rm -rf %{buildroot} -%__make install DESTDIR="%{buildroot}" - -# Install init script -%if "%{VENDOR}" == "SuSE" -%__install -c -d -m 755 "%{buildroot}/etc/init.d" -%__install -c -m 755 "distro/rpm/%{name}.init.d.suse" "%{buildroot}/etc/init.d/%{name}" -%else -%__install -c -d -m 755 "%{buildroot}/etc/rc.d/init.d" -%__install -c -m 755 distro/rpm/%{name}.init.d.rhel "%{buildroot}/etc/rc.d/init.d/%{name}" -%endif - -# Install /etc/openvpn -%__install -c -d -m 755 "%{buildroot}/etc/%{name}" - -# Install extra %doc stuff -cp -r AUTHORS ChangeLog NEWS contrib/ sample/ \ - "%{buildroot}/%{_docdir}/%{name}-%{version}" - -# -# Clean section -# - -%clean -[ %{buildroot} != "/" ] && rm -rf "%{buildroot}" - -# -# On Linux 2.4, make the device node -# - -%post -case "`uname -r`" in -2.4*) - /bin/mkdir /dev/net >/dev/null 2>&1 - /bin/mknod /dev/net/tun c 10 200 >/dev/null 2>&1 - ;; -esac - -# -# Handle the init script -# - -/sbin/chkconfig --add %{name} -%if "%{VENDOR}" == "SuSE" -/etc/init.d/openvpn restart -%else -/sbin/service %{name} condrestart -%endif -%preun -if [ "$1" = 0 ] -then - %if "%{VENDOR}" == "SuSE" - /etc/init.d/openvpn stop - %else - /sbin/service %{name} stop - %endif - /sbin/chkconfig --del %{name} -fi - -# -# Files section -# -# don't use %doc as old rpmbuild removes it[1]. -# [1] http://rpm.org/ticket/836 - -%files -%defattr(-,root,root) -%{_mandir} -%{_sbindir}/%{name} -%{_libdir}/%{name} -%{_docdir}/%{name}-%{version} -%dir /etc/%{name} -%if "%{VENDOR}" == "SuSE" -/etc/init.d/%{name} -%else -/etc/rc.d/init.d/%{name} -%endif - -%files devel -%defattr(-,root,root) -%{_includedir}/* - -%changelog -* Thu Jul 30 2009 David Sommerseth <dazo@users.sourceforge.net> -- Removed management/ directory from %doc - -* Thu Dec 14 2006 Alon Bar-Lev -- Added with_pkcs11 - -* Mon Aug 2 2005 James Yonan -- Fixed build problem with --define 'without_pam 1' - -* Mon Apr 4 2005 James Yonan -- Moved some files from /usr/share/openvpn to %doc for compatibility - with Dag Wieers' RPM repository - -* Sat Mar 12 2005 Tom Walsh -- Added MandrakeSoft liblzo1 require - -* Fri Dec 10 2004 James Yonan -- Added AutoReq: 0 for manual dependencies - -* Fri Dec 10 2004 James Yonan -- Packaged the plugins - -* Sun Nov 7 2004 Umberto Nicoletti -- SuSE support - -* Wed Aug 18 2004 Bishop Clark (LC957) <bishop@platypus.bc.ca> -- restrict what we claim in /etc/ to avoid ownership conflicts - -* Sun Feb 23 2003 Matthias Andree <matthias.andree@gmx.de> 1.3.2.14-1. -- Have the version number filled in by autoconf. - -* Wed Jul 10 2002 James Yonan <jim@yonan.net> 1.3.1-1 -- Fixed %preun to only remove service on final uninstall - -* Mon Jun 17 2002 bishop clark (LC957) <bishop@platypus.bc.ca> 1.2.2-1 -- Added condrestart to openvpn.spec & openvpn.init. - -* Wed May 22 2002 James Yonan <jim@yonan.net> 1.2.0-1 -- Added mknod for Linux 2.4. - -* Wed May 15 2002 Doug Keller <dsk@voidstar.dyndns.org> 1.1.1.16-2 -- Added init scripts -- Added conf file support - -* Mon May 13 2002 bishop clark (LC957) <bishop@platypus.bc.ca> 1.1.1.14-1 -- Added new directories for config examples and such - -* Sun May 12 2002 bishop clark (LC957) <bishop@platypus.bc.ca> 1.1.1.13-1 -- Updated buildroot directive and cleanup command -- added easy-rsa utilities - -* Mon Mar 25 2002 bishop clark (LC957) <bishop@platypus.bc.ca> 1.0-1 -- Initial build. diff --git a/distro/systemd/Makefile.in b/distro/systemd/Makefile.in index 0458aa3..e023725 100644 --- a/distro/systemd/Makefile.in +++ b/distro/systemd/Makefile.in @@ -286,9 +286,6 @@ TAP_WIN_MIN_MINOR = @TAP_WIN_MIN_MINOR@ TEST_CFLAGS = @TEST_CFLAGS@ TEST_LDFLAGS = @TEST_LDFLAGS@ TMPFILES_DIR = @TMPFILES_DIR@ -VENDOR_BUILD_ROOT = @VENDOR_BUILD_ROOT@ -VENDOR_DIST_ROOT = @VENDOR_DIST_ROOT@ -VENDOR_SRC_ROOT = @VENDOR_SRC_ROOT@ VERSION = @VERSION@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ diff --git a/doc/Makefile.in b/doc/Makefile.in index 11d3d54..16a7be4 100644 --- a/doc/Makefile.in +++ b/doc/Makefile.in @@ -292,9 +292,6 @@ TAP_WIN_MIN_MINOR = @TAP_WIN_MIN_MINOR@ TEST_CFLAGS = @TEST_CFLAGS@ TEST_LDFLAGS = @TEST_LDFLAGS@ TMPFILES_DIR = @TMPFILES_DIR@ -VENDOR_BUILD_ROOT = @VENDOR_BUILD_ROOT@ -VENDOR_DIST_ROOT = @VENDOR_DIST_ROOT@ -VENDOR_SRC_ROOT = @VENDOR_SRC_ROOT@ VERSION = @VERSION@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ diff --git a/doc/openvpn.8 b/doc/openvpn.8 index 7801701..1662006 100644 --- a/doc/openvpn.8 +++ b/doc/openvpn.8 @@ -4625,11 +4625,8 @@ they are distributed with OpenVPN, they are totally insecure. Directory containing trusted certificates (CAs and CRLs). Not available with mbed TLS. -When using the -.B \-\-capath -option, you are required to supply valid CRLs for the CAs too. CAs in the -capath directory are expected to be named <hash>.<n>. CRLs are expected to -be named <hash>.r<n>. See the +CAs in the capath directory are expected to be named <hash>.<n>. CRLs are +expected to be named <hash>.r<n>. See the .B \-CApath option of .B openssl verify @@ -4640,6 +4637,11 @@ option of and .B openssl crl for more information. + +Similarly to the +.B \-\-crl\-verify +option CRLs are not mandatory \- OpenVPN will log the usual warning in the logs +if the relevant CRL is missing, but the connection will be allowed. .\"********************************************************* .TP .B \-\-dh file @@ -5374,7 +5376,7 @@ is executed two arguments are appended after any arguments specified in .B cmd certificate_depth subject These arguments are, respectively, the current certificate depth and -the X509 common name (cn) of the peer. +the X509 subject distinguished name (dn) of the peer. This feature is useful if the peer you want to trust has a certificate which was signed by a certificate authority who also signed many @@ -5611,6 +5613,10 @@ overall integrity of the PKI. The only time when it would be necessary to rebuild the entire PKI from scratch would be if the root certificate key itself was compromised. +The option is not mandatory \- if the relevant CRL is missing, OpenVPN will log +a warning in the logs \- e.g. "\fIVERIFY WARNING: depth=0, unable to get +certificate CRL\fR" \- but the connection will be allowed. + If the optional .B dir flag is specified, enable a different mode where diff --git a/include/Makefile.in b/include/Makefile.in index 28dff09..133fb6f 100644 --- a/include/Makefile.in +++ b/include/Makefile.in @@ -303,9 +303,6 @@ TAP_WIN_MIN_MINOR = @TAP_WIN_MIN_MINOR@ TEST_CFLAGS = @TEST_CFLAGS@ TEST_LDFLAGS = @TEST_LDFLAGS@ TMPFILES_DIR = @TMPFILES_DIR@ -VENDOR_BUILD_ROOT = @VENDOR_BUILD_ROOT@ -VENDOR_DIST_ROOT = @VENDOR_DIST_ROOT@ -VENDOR_SRC_ROOT = @VENDOR_SRC_ROOT@ VERSION = @VERSION@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ diff --git a/include/openvpn-plugin.h b/include/openvpn-plugin.h index de9aa9f..5205e78 100644 --- a/include/openvpn-plugin.h +++ b/include/openvpn-plugin.h @@ -55,7 +55,7 @@ extern "C" { */ #define OPENVPN_VERSION_MAJOR 2 #define OPENVPN_VERSION_MINOR 4 -#define OPENVPN_VERSION_PATCH ".7" +#define OPENVPN_VERSION_PATCH ".8" /* * Plug-in types. These types correspond to the set of script callbacks diff --git a/sample/Makefile.in b/sample/Makefile.in index 89367b0..3f94fa7 100644 --- a/sample/Makefile.in +++ b/sample/Makefile.in @@ -284,9 +284,6 @@ TAP_WIN_MIN_MINOR = @TAP_WIN_MIN_MINOR@ TEST_CFLAGS = @TEST_CFLAGS@ TEST_LDFLAGS = @TEST_LDFLAGS@ TMPFILES_DIR = @TMPFILES_DIR@ -VENDOR_BUILD_ROOT = @VENDOR_BUILD_ROOT@ -VENDOR_DIST_ROOT = @VENDOR_DIST_ROOT@ -VENDOR_SRC_ROOT = @VENDOR_SRC_ROOT@ VERSION = @VERSION@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ diff --git a/src/Makefile.in b/src/Makefile.in index 48ff623..18a8bd3 100644 --- a/src/Makefile.in +++ b/src/Makefile.in @@ -314,9 +314,6 @@ TAP_WIN_MIN_MINOR = @TAP_WIN_MIN_MINOR@ TEST_CFLAGS = @TEST_CFLAGS@ TEST_LDFLAGS = @TEST_LDFLAGS@ TMPFILES_DIR = @TMPFILES_DIR@ -VENDOR_BUILD_ROOT = @VENDOR_BUILD_ROOT@ -VENDOR_DIST_ROOT = @VENDOR_DIST_ROOT@ -VENDOR_SRC_ROOT = @VENDOR_SRC_ROOT@ VERSION = @VERSION@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ diff --git a/src/compat/Makefile.in b/src/compat/Makefile.in index c0dd30c..e10bbbc 100644 --- a/src/compat/Makefile.in +++ b/src/compat/Makefile.in @@ -310,9 +310,6 @@ TAP_WIN_MIN_MINOR = @TAP_WIN_MIN_MINOR@ TEST_CFLAGS = @TEST_CFLAGS@ TEST_LDFLAGS = @TEST_LDFLAGS@ TMPFILES_DIR = @TMPFILES_DIR@ -VENDOR_BUILD_ROOT = @VENDOR_BUILD_ROOT@ -VENDOR_DIST_ROOT = @VENDOR_DIST_ROOT@ -VENDOR_SRC_ROOT = @VENDOR_SRC_ROOT@ VERSION = @VERSION@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ diff --git a/src/openvpn/Makefile.in b/src/openvpn/Makefile.in index 6aab503..3db2849 100644 --- a/src/openvpn/Makefile.in +++ b/src/openvpn/Makefile.in @@ -417,9 +417,6 @@ TAP_WIN_MIN_MINOR = @TAP_WIN_MIN_MINOR@ TEST_CFLAGS = @TEST_CFLAGS@ TEST_LDFLAGS = @TEST_LDFLAGS@ TMPFILES_DIR = @TMPFILES_DIR@ -VENDOR_BUILD_ROOT = @VENDOR_BUILD_ROOT@ -VENDOR_DIST_ROOT = @VENDOR_DIST_ROOT@ -VENDOR_SRC_ROOT = @VENDOR_SRC_ROOT@ VERSION = @VERSION@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index 59e5ac5..7e7dead 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c @@ -919,7 +919,6 @@ free_key_ctx(struct key_ctx *ctx) { if (ctx->cipher) { - cipher_ctx_cleanup(ctx->cipher); cipher_ctx_free(ctx->cipher); ctx->cipher = NULL; } diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h index 1ee2980..b3db925 100644 --- a/src/openvpn/crypto_backend.h +++ b/src/openvpn/crypto_backend.h @@ -307,7 +307,7 @@ bool cipher_kt_mode_aead(const cipher_kt_t *cipher); cipher_ctx_t *cipher_ctx_new(void); /** - * Free a cipher context + * Cleanup and free a cipher context * * @param ctx Cipher context. */ @@ -327,13 +327,6 @@ void cipher_ctx_init(cipher_ctx_t *ctx, const uint8_t *key, int key_len, const cipher_kt_t *kt, int enc); /** - * Cleanup the specified context. - * - * @param ctx Cipher context to cleanup. - */ -void cipher_ctx_cleanup(cipher_ctx_t *ctx); - -/** * Returns the size of the IV used by the cipher, in bytes, or 0 if no IV is * used. * diff --git a/src/openvpn/crypto_mbedtls.c b/src/openvpn/crypto_mbedtls.c index 82a92af..748043e 100644 --- a/src/openvpn/crypto_mbedtls.c +++ b/src/openvpn/crypto_mbedtls.c @@ -519,6 +519,7 @@ cipher_ctx_new(void) void cipher_ctx_free(mbedtls_cipher_context_t *ctx) { + mbedtls_cipher_free(ctx); free(ctx); } @@ -544,12 +545,6 @@ cipher_ctx_init(mbedtls_cipher_context_t *ctx, const uint8_t *key, int key_len, ASSERT(ctx->key_bitlen <= key_len*8); } -void -cipher_ctx_cleanup(mbedtls_cipher_context_t *ctx) -{ - mbedtls_cipher_free(ctx); -} - int cipher_ctx_iv_length(const mbedtls_cipher_context_t *ctx) { diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index 71602f3..3abcc99 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -679,7 +679,7 @@ cipher_ctx_init(EVP_CIPHER_CTX *ctx, const uint8_t *key, int key_len, { ASSERT(NULL != kt && NULL != ctx); - EVP_CIPHER_CTX_init(ctx); + EVP_CIPHER_CTX_reset(ctx); if (!EVP_CipherInit(ctx, kt, NULL, NULL, enc)) { crypto_msg(M_FATAL, "EVP cipher init #1"); @@ -699,12 +699,6 @@ cipher_ctx_init(EVP_CIPHER_CTX *ctx, const uint8_t *key, int key_len, ASSERT(EVP_CIPHER_CTX_key_length(ctx) <= key_len); } -void -cipher_ctx_cleanup(EVP_CIPHER_CTX *ctx) -{ - EVP_CIPHER_CTX_cleanup(ctx); -} - int cipher_ctx_iv_length(const EVP_CIPHER_CTX *ctx) { diff --git a/src/openvpn/cryptoapi.c b/src/openvpn/cryptoapi.c index 720fce0..7f2c3c0 100644 --- a/src/openvpn/cryptoapi.c +++ b/src/openvpn/cryptoapi.c @@ -39,6 +39,7 @@ #ifdef ENABLE_CRYPTOAPI #include <openssl/ssl.h> +#include <openssl/evp.h> #include <openssl/err.h> #include <windows.h> #include <wincrypt.h> @@ -101,6 +102,12 @@ static ERR_STRING_DATA CRYPTOAPI_str_functs[] = { { 0, NULL } }; +/* Global EVP_PKEY_METHOD used to override the sign operation */ +static EVP_PKEY_METHOD *pmethod; +static int (*default_pkey_sign_init) (EVP_PKEY_CTX *ctx); +static int (*default_pkey_sign) (EVP_PKEY_CTX *ctx, unsigned char *sig, + size_t *siglen, const unsigned char *tbs, size_t tbslen); + typedef struct _CAPI_DATA { const CERT_CONTEXT *cert_context; HCRYPTPROV_OR_NCRYPT_KEY_HANDLE crypt_prov; @@ -108,6 +115,80 @@ typedef struct _CAPI_DATA { BOOL free_crypt_prov; } CAPI_DATA; +/** + * Translate OpenSSL padding type to CNG padding type + * Returns 0 for unknown/unsupported padding. + */ +static DWORD +cng_padding_type(int padding) +{ + DWORD pad = 0; + + switch (padding) + { + case RSA_NO_PADDING: + pad = BCRYPT_PAD_NONE; + break; + + case RSA_PKCS1_PADDING: + pad = BCRYPT_PAD_PKCS1; + break; + + case RSA_PKCS1_PSS_PADDING: + pad = BCRYPT_PAD_PSS; + break; + + default: + msg(M_WARN|M_INFO, "cryptoapicert: unknown OpenSSL padding type %d.", + padding); + } + + return pad; +} + +/** + * Translate OpenSSL hash OID to CNG algorithm name. Returns + * "UNKNOWN" for unsupported algorithms and NULL for MD5+SHA1 + * mixed hash used in TLS 1.1 and earlier. + */ +static const wchar_t * +cng_hash_algo(int md_type) +{ + const wchar_t *alg = L"UNKNOWN"; + switch (md_type) + { + case NID_md5: + alg = BCRYPT_MD5_ALGORITHM; + break; + + case NID_sha1: + alg = BCRYPT_SHA1_ALGORITHM; + break; + + case NID_sha256: + alg = BCRYPT_SHA256_ALGORITHM; + break; + + case NID_sha384: + alg = BCRYPT_SHA384_ALGORITHM; + break; + + case NID_sha512: + alg = BCRYPT_SHA512_ALGORITHM; + break; + + case NID_md5_sha1: + case 0: + alg = NULL; + break; + + default: + msg(M_WARN|M_INFO, "cryptoapicert: Unknown hash type NID=0x%x", md_type); + break; + } + return alg; +} + static char * ms_error_text(DWORD ms_err) { @@ -217,25 +298,44 @@ rsa_pub_dec(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, in * Sign the hash in 'from' using NCryptSignHash(). This requires an NCRYPT * key handle in cd->crypt_prov. On return the signature is in 'to'. Returns * the length of the signature or 0 on error. + * Only RSA is supported and padding should be BCRYPT_PAD_PKCS1 or + * BCRYPT_PAD_PSS. * If the hash_algo is not NULL, PKCS #1 DigestInfo header gets added - * to 'from', else it is signed as is. - * For now we support only RSA and the padding is assumed to be PKCS1 v1.5 + * to |from|, else it is signed as is. Use NULL for MD5 + SHA1 hash used + * in TLS 1.1 and earlier. + * In case of PSS padding, |saltlen| should specify the size of salt to use. + * If |to| is NULL returns the required buffer size. */ static int priv_enc_CNG(const CAPI_DATA *cd, const wchar_t *hash_algo, const unsigned char *from, - int flen, unsigned char *to, int tlen, int padding) + int flen, unsigned char *to, int tlen, DWORD padding, DWORD saltlen) { NCRYPT_KEY_HANDLE hkey = cd->crypt_prov; DWORD len = 0; ASSERT(cd->key_spec == CERT_NCRYPT_KEY_SPEC); - msg(D_LOW, "Signing hash using CNG: data size = %d", flen); - - BCRYPT_PKCS1_PADDING_INFO padinfo = {hash_algo}; DWORD status; - status = NCryptSignHash(hkey, padding? &padinfo : NULL, (BYTE*) from, flen, - to, tlen, &len, padding? BCRYPT_PAD_PKCS1 : 0); + msg(D_LOW, "Signing hash using CNG: data size = %d padding = %lu", flen, padding); + + if (padding == BCRYPT_PAD_PKCS1) + { + BCRYPT_PKCS1_PADDING_INFO padinfo = {hash_algo}; + status = NCryptSignHash(hkey, &padinfo, (BYTE *)from, flen, + to, tlen, &len, padding); + } + else if (padding == BCRYPT_PAD_PSS) + { + BCRYPT_PSS_PADDING_INFO padinfo = {hash_algo, saltlen}; + status = NCryptSignHash(hkey, &padinfo, (BYTE *)from, flen, + to, tlen, &len, padding); + } + else + { + RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, RSA_R_UNKNOWN_PADDING_TYPE); + return 0; + } + if (status != ERROR_SUCCESS) { SetLastError(status); @@ -261,16 +361,19 @@ rsa_priv_enc(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, i RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, ERR_R_PASSED_NULL_PARAMETER); return 0; } + + if (cd->key_spec == CERT_NCRYPT_KEY_SPEC) + { + return priv_enc_CNG(cd, NULL, from, flen, to, RSA_size(rsa), + cng_padding_type(padding), 0); + } + if (padding != RSA_PKCS1_PADDING) { /* AFAICS, CryptSignHash() *always* uses PKCS1 padding. */ RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, RSA_R_UNKNOWN_PADDING_TYPE); return 0; } - if (cd->key_spec == CERT_NCRYPT_KEY_SPEC) - { - return priv_enc_CNG(cd, NULL, from, flen, to, RSA_size(rsa), padding); - } /* Unfortunately, there is no "CryptSign()" function in CryptoAPI, that would * be way to straightforward for M$, I guess... So we have to do it this @@ -333,12 +436,13 @@ rsa_priv_enc(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, i return len; } -/* +/** * Sign the hash in |m| and return the signature in |sig|. * Returns 1 on success, 0 on error. * NCryptSignHash() is used to sign and it is instructed to add the * the PKCS #1 DigestInfo header to |m| unless the hash algorithm is * the MD5/SHA1 combination used in TLS 1.1 and earlier versions. + * OpenSSL exercises this callback only when padding is PKCS1 v1.5. */ static int rsa_sign_CNG(int type, const unsigned char *m, unsigned int m_len, @@ -355,45 +459,17 @@ rsa_sign_CNG(int type, const unsigned char *m, unsigned int m_len, return 0; } - switch (type) + alg = cng_hash_algo(type); + if (alg && wcscmp(alg, L"UNKNOWN") == 0) { - case NID_md5: - alg = BCRYPT_MD5_ALGORITHM; - break; - - case NID_sha1: - alg = BCRYPT_SHA1_ALGORITHM; - break; - - case NID_sha256: - alg = BCRYPT_SHA256_ALGORITHM; - break; - - case NID_sha384: - alg = BCRYPT_SHA384_ALGORITHM; - break; - - case NID_sha512: - alg = BCRYPT_SHA512_ALGORITHM; - break; - - case NID_md5_sha1: - if (m_len != SSL_SIG_LENGTH) - { - RSAerr(RSA_F_RSA_SIGN, RSA_R_INVALID_MESSAGE_LENGTH); - return 0; - } - /* No DigestInfo header is required -- set alg-name to NULL */ - alg = NULL; - break; - default: - msg(M_WARN, "cryptoapicert: Unknown hash type NID=0x%x", type); - RSAerr(RSA_F_RSA_SIGN, RSA_R_UNKNOWN_ALGORITHM_TYPE); - return 0; + RSAerr(RSA_F_RSA_SIGN, RSA_R_UNKNOWN_ALGORITHM_TYPE); + return 0; } - *siglen = priv_enc_CNG(cd, alg, m, (int)m_len, sig, RSA_size(rsa), padding); - return (siglen == 0) ? 0 : 1; + *siglen = priv_enc_CNG(cd, alg, m, (int)m_len, sig, RSA_size(rsa), + cng_padding_type(padding), 0); + + return (*siglen == 0) ? 0 : 1; } /* decrypt */ @@ -518,6 +594,176 @@ find_certificate_in_store(const char *cert_prop, HCERTSTORE cert_store) return rv; } +#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) + +static const CAPI_DATA * +retrieve_capi_data(EVP_PKEY *pkey) +{ + const CAPI_DATA *cd = NULL; + + if (pkey && EVP_PKEY_id(pkey) == EVP_PKEY_RSA) + { + RSA *rsa = EVP_PKEY_get0_RSA(pkey); + if (rsa) + { + cd = (CAPI_DATA *)RSA_meth_get0_app_data(RSA_get_method(rsa)); + } + } + return cd; +} + +static int +pkey_rsa_sign_init(EVP_PKEY_CTX *ctx) +{ + EVP_PKEY *pkey = EVP_PKEY_CTX_get0_pkey(ctx); + + if (pkey && retrieve_capi_data(pkey)) + { + return 1; /* Return success */ + } + else if (default_pkey_sign_init) /* Not our key. Call the default method */ + { + return default_pkey_sign_init(ctx); + } + return 1; +} + +/** + * Implementation of EVP_PKEY_sign() using CNG: sign the digest in |tbs| + * and save the the signature in |sig| and its size in |*siglen|. + * If |sig| is NULL the required buffer size is returned in |*siglen|. + * Returns 1 on success, 0 or a negative integer on error. + */ +static int +pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen, + const unsigned char *tbs, size_t tbslen) +{ + EVP_PKEY *pkey = NULL; + const CAPI_DATA *cd = NULL; + EVP_MD *md = NULL; + const wchar_t *alg = NULL; + + int padding; + int hashlen; + int saltlen; + + pkey = EVP_PKEY_CTX_get0_pkey(ctx); + if (pkey) + { + cd = retrieve_capi_data(pkey); + } + + /* + * We intercept all sign requests, not just the one's for our key. + * Check the key and call the saved OpenSSL method for unknown keys. + */ + if (!pkey || !cd) + { + if (default_pkey_sign) + { + return default_pkey_sign(ctx, sig, siglen, tbs, tbslen); + } + else /* This should not happen */ + { + msg(M_FATAL, "cryptopaicert: Unknown key and no default sign operation to fallback on"); + return -1; + } + } + + if (!EVP_PKEY_CTX_get_rsa_padding(ctx, &padding)) + { + padding = RSA_PKCS1_PADDING; /* Default padding for RSA */ + } + + if (EVP_PKEY_CTX_get_signature_md(ctx, &md)) + { + hashlen = EVP_MD_size(md); + alg = cng_hash_algo(EVP_MD_type(md)); + + /* + * alg == NULL indicates legacy MD5+SHA1 hash, else alg should be a valid + * digest algorithm. + */ + if (alg && wcscmp(alg, L"UNKNOWN") == 0) + { + RSAerr(RSA_F_PKEY_RSA_SIGN, RSA_R_UNKNOWN_ALGORITHM_TYPE); + return -1; + } + } + else + { + msg(M_NONFATAL, "cryptoapicert: could not determine the signature digest algorithm"); + RSAerr(RSA_F_PKEY_RSA_SIGN, RSA_R_UNKNOWN_ALGORITHM_TYPE); + return -1; + } + + if (tbslen != (size_t)hashlen) + { + RSAerr(RSA_F_PKEY_RSA_SIGN, RSA_R_INVALID_DIGEST_LENGTH); + return -1; + } + + /* If padding is PSS, determine parameters to pass to CNG */ + if (padding == RSA_PKCS1_PSS_PADDING) + { + /* + * Ensure the digest type for signature and mask generation match. + * In CNG there is no option to specify separate hash functions for + * the two, but OpenSSL supports it. However, I have not seen the + * two being different in practice. Also the recommended practice is + * to use the same for both (rfc 8017 sec 8.1). + */ + EVP_MD *mgf1md; + if (!EVP_PKEY_CTX_get_rsa_mgf1_md(ctx, &mgf1md) + || EVP_MD_type(mgf1md) != EVP_MD_type(md)) + { + msg(M_NONFATAL, "cryptoapicert: Unknown MGF1 digest type or does" + " not match the signature digest type."); + RSAerr(RSA_F_PKEY_RSA_SIGN, RSA_R_UNSUPPORTED_MASK_PARAMETER); + } + + if (!EVP_PKEY_CTX_get_rsa_pss_saltlen(ctx, &saltlen)) + { + msg(M_WARN|M_INFO, "cryptoapicert: unable to get the salt length from context." + " Using the default value."); + saltlen = -1; + } + + /* + * In OpenSSL saltlen = -1 indicates to use the size of the digest as + * size of the salt. A value of -2 or -3 indicates maximum salt length + * that will fit. See RSA_padding_add_PKCS1_PSS_mgf1() of OpenSSL. + */ + if (saltlen == -1) + { + saltlen = hashlen; + } + else if (saltlen < 0) + { + const RSA *rsa = EVP_PKEY_get0_RSA(pkey); + saltlen = RSA_size(rsa) - hashlen - 2; /* max salt length for RSASSA-PSS */ + if (RSA_bits(rsa) &0x7) /* number of bits in the key not a multiple of 8 */ + { + saltlen--; + } + } + + if (saltlen < 0) + { + RSAerr(RSA_F_PKEY_RSA_SIGN, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE); + return -1; + } + msg(D_LOW, "cryptoapicert: PSS padding using saltlen = %d", saltlen); + } + + *siglen = priv_enc_CNG(cd, alg, tbs, (int)tbslen, sig, *siglen, + cng_padding_type(padding), (DWORD)saltlen); + + return (*siglen == 0) ? 0 : 1; +} + +#endif /* OPENSSL_VERSION >= 1.1.0 */ + int SSL_CTX_use_CryptoAPI_certificate(SSL_CTX *ssl_ctx, const char *cert_prop) { @@ -620,10 +866,45 @@ SSL_CTX_use_CryptoAPI_certificate(SSL_CTX *ssl_ctx, const char *cert_prop) /* For CNG, set the RSA_sign method which gets priority over priv_enc(). * This method is called with the raw hash without the digestinfo * header and works better when using NCryptSignHash() with some tokens. + * However, if PSS padding is in use, openssl does not call this + * function but adds the padding and then calls rsa_priv_enc() + * with padding set to NONE which is not supported by CNG. + * So, when posisble (OpenSSL 1.1.0 and up), we hook on to the sign + * operation in EVP_PKEY_METHOD struct. */ if (cd->key_spec == CERT_NCRYPT_KEY_SPEC) { +#if (OPENSSL_VERSION_NUMBER < 0x10100000L) RSA_meth_set_sign(my_rsa_method, rsa_sign_CNG); +#else + /* pmethod is global -- initialize only if NULL */ + if (!pmethod) + { + pmethod = EVP_PKEY_meth_new(EVP_PKEY_RSA, 0); + if (!pmethod) + { + SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_MALLOC_FAILURE); + goto err; + } + const EVP_PKEY_METHOD *default_pmethod = EVP_PKEY_meth_find(EVP_PKEY_RSA); + EVP_PKEY_meth_copy(pmethod, default_pmethod); + + /* We want to override only sign_init() and sign() */ + EVP_PKEY_meth_set_sign(pmethod, pkey_rsa_sign_init, pkey_rsa_sign); + EVP_PKEY_meth_add0(pmethod); + + /* Keep a copy of the default sign and sign_init methods */ + +#if (OPENSSL_VERSION_NUMBER < 0x1010009fL) /* < version 1.1.0i */ + /* The function signature is not const-correct in these versions */ + EVP_PKEY_meth_get_sign((EVP_PKEY_METHOD *)default_pmethod, &default_pkey_sign_init, + &default_pkey_sign); +#else + EVP_PKEY_meth_get_sign(default_pmethod, &default_pkey_sign_init, + &default_pkey_sign); +#endif + } +#endif /* (OPENSSL_VERSION_NUMBER < 0x10100000L) */ } rsa = RSA_new(); diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index 8f90418..65f790f 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c @@ -1037,7 +1037,7 @@ read_incoming_tun(struct context *c) c->c2.buf = c->c2.buffers->read_tun_buf; #ifdef TUN_PASS_BUFFER - read_tun_buffered(c->c1.tuntap, &c->c2.buf, MAX_RW_SIZE_TUN(&c->c2.frame)); + read_tun_buffered(c->c1.tuntap, &c->c2.buf); #else ASSERT(buf_init(&c->c2.buf, FRAME_HEADROOM(&c->c2.frame))); ASSERT(buf_safe(&c->c2.buf, MAX_RW_SIZE_TUN(&c->c2.frame))); diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 1cdef31..d3785ca 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -3883,7 +3883,7 @@ init_management_callback_p2p(struct context *c) #ifdef ENABLE_MANAGEMENT void -init_management(struct context *c) +init_management(void) { if (!management) { diff --git a/src/openvpn/init.h b/src/openvpn/init.h index c8ebe76..2c846db 100644 --- a/src/openvpn/init.h +++ b/src/openvpn/init.h @@ -119,7 +119,7 @@ void initialization_sequence_completed(struct context *c, const unsigned int fla #ifdef ENABLE_MANAGEMENT -void init_management(struct context *c); +void init_management(void); bool open_management(struct context *c); diff --git a/src/openvpn/misc.c b/src/openvpn/misc.c index 581a890..f44c65f 100644 --- a/src/openvpn/misc.c +++ b/src/openvpn/misc.c @@ -99,44 +99,57 @@ save_inetd_socket_descriptor(void) } /* - * Print an error message based on the status code returned by system(). + * Generate an error message based on the status code returned by openvpn_execve(). */ const char * system_error_message(int stat, struct gc_arena *gc) { struct buffer out = alloc_buf_gc(256, gc); -#ifdef _WIN32 - if (stat == -1) + + switch (stat) { - buf_printf(&out, "external program did not execute -- "); - } - buf_printf(&out, "returned error code %d", stat); + case OPENVPN_EXECVE_NOT_ALLOWED: + buf_printf(&out, "disallowed by script-security setting"); + break; + +#ifdef _WIN32 + case OPENVPN_EXECVE_ERROR: + buf_printf(&out, "external program did not execute -- "); + /* fall through */ + + default: + buf_printf(&out, "returned error code %d", stat); + break; #else /* ifdef _WIN32 */ - if (stat == -1) - { - buf_printf(&out, "external program fork failed"); - } - else if (!WIFEXITED(stat)) - { - buf_printf(&out, "external program did not exit normally"); - } - else - { - const int cmd_ret = WEXITSTATUS(stat); - if (!cmd_ret) - { - buf_printf(&out, "external program exited normally"); - } - else if (cmd_ret == 127) - { - buf_printf(&out, "could not execute external program"); - } - else - { - buf_printf(&out, "external program exited with error status: %d", cmd_ret); - } - } + + case OPENVPN_EXECVE_ERROR: + buf_printf(&out, "external program fork failed"); + break; + + default: + if (!WIFEXITED(stat)) + { + buf_printf(&out, "external program did not exit normally"); + } + else + { + const int cmd_ret = WEXITSTATUS(stat); + if (!cmd_ret) + { + buf_printf(&out, "external program exited normally"); + } + else if (cmd_ret == OPENVPN_EXECVE_FAILURE) + { + buf_printf(&out, "could not execute external program"); + } + else + { + buf_printf(&out, "external program exited with error status: %d", cmd_ret); + } + } + break; #endif /* ifdef _WIN32 */ + } return (const char *)out.data; } @@ -186,12 +199,14 @@ openvpn_execve_allowed(const unsigned int flags) * Run execve() inside a fork(). Designed to replicate the semantics of system() but * in a safer way that doesn't require the invocation of a shell or the risks * assocated with formatting and parsing a command line. + * Returns the exit status of child, OPENVPN_EXECVE_NOT_ALLOWED if openvpn_execve_allowed() + * returns false, or OPENVPN_EXECVE_ERROR on other errors. */ int openvpn_execve(const struct argv *a, const struct env_set *es, const unsigned int flags) { struct gc_arena gc = gc_new(); - int ret = -1; + int ret = OPENVPN_EXECVE_ERROR; static bool warn_shown = false; if (a && a->argv[0]) @@ -208,7 +223,7 @@ openvpn_execve(const struct argv *a, const struct env_set *es, const unsigned in if (pid == (pid_t)0) /* child side */ { execve(cmd, argv, envp); - exit(127); + exit(OPENVPN_EXECVE_FAILURE); } else if (pid < (pid_t)0) /* fork failed */ { @@ -218,14 +233,18 @@ openvpn_execve(const struct argv *a, const struct env_set *es, const unsigned in { if (waitpid(pid, &ret, 0) != pid) { - ret = -1; + ret = OPENVPN_EXECVE_ERROR; } } } - else if (!warn_shown && (script_security < SSEC_SCRIPTS)) + else { - msg(M_WARN, SCRIPT_SECURITY_WARNING); - warn_shown = true; + ret = OPENVPN_EXECVE_NOT_ALLOWED; + if (!warn_shown && (script_security < SSEC_SCRIPTS)) + { + msg(M_WARN, SCRIPT_SECURITY_WARNING); + warn_shown = true; + } } #else /* if defined(ENABLE_FEATURE_EXECVE) */ msg(M_WARN, "openvpn_execve: execve function not available"); @@ -272,7 +291,7 @@ openvpn_popen(const struct argv *a, const struct env_set *es) close(pipe_stdout[0]); /* Close read end */ dup2(pipe_stdout[1],1); execve(cmd, argv, envp); - exit(127); + exit(OPENVPN_EXECVE_FAILURE); } else if (pid > (pid_t)0) /* parent side */ { diff --git a/src/openvpn/misc.h b/src/openvpn/misc.h index a64ddcc..8a34f43 100644 --- a/src/openvpn/misc.h +++ b/src/openvpn/misc.h @@ -57,6 +57,11 @@ struct env_set { const char *system_error_message(int, struct gc_arena *gc); +/* openvpn_execve return codes */ +#define OPENVPN_EXECVE_ERROR -1 /* generic error while forking to run an external program */ +#define OPENVPN_EXECVE_NOT_ALLOWED -2 /* external program not run due to script security */ +#define OPENVPN_EXECVE_FAILURE 127 /* exit code passed back from child when execve fails */ + /* wrapper around the execve() call */ int openvpn_popen(const struct argv *a, const struct env_set *es); diff --git a/src/openvpn/mtcp.c b/src/openvpn/mtcp.c index 3756c27..e8d2add 100644 --- a/src/openvpn/mtcp.c +++ b/src/openvpn/mtcp.c @@ -834,7 +834,7 @@ tunnel_server_tcp(struct context *top) #endif /* shut down management interface */ - uninit_management_callback_multi(&multi); + uninit_management_callback(); /* save ifconfig-pool */ multi_ifconfig_pool_persist(&multi, true); diff --git a/src/openvpn/mudp.c b/src/openvpn/mudp.c index b3690ab..4f63654 100644 --- a/src/openvpn/mudp.c +++ b/src/openvpn/mudp.c @@ -362,7 +362,7 @@ tunnel_server_udp_single_threaded(struct context *top) #endif /* shut down management interface */ - uninit_management_callback_multi(&multi); + uninit_management_callback(); /* save ifconfig-pool */ multi_ifconfig_pool_persist(&multi, true); diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index 28c3b88..baffd74 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -555,8 +555,7 @@ setenv_stats(struct context *c) } static void -multi_client_disconnect_setenv(struct multi_context *m, - struct multi_instance *mi) +multi_client_disconnect_setenv(struct multi_instance *mi) { /* setenv client real IP address */ setenv_trusted(mi->context.c2.es, get_link_socket_info(&mi->context)); @@ -572,13 +571,12 @@ multi_client_disconnect_setenv(struct multi_context *m, } static void -multi_client_disconnect_script(struct multi_context *m, - struct multi_instance *mi) +multi_client_disconnect_script(struct multi_instance *mi) { if ((mi->context.c2.context_auth == CAS_SUCCEEDED && mi->connection_established_flag) || mi->context.c2.context_auth == CAS_PARTIAL) { - multi_client_disconnect_setenv(m, mi); + multi_client_disconnect_setenv(mi); if (plugin_defined(mi->context.plugins, OPENVPN_PLUGIN_CLIENT_DISCONNECT)) { @@ -685,7 +683,7 @@ multi_close_instance(struct multi_context *m, set_cc_config(mi, NULL); #endif - multi_client_disconnect_script(m, mi); + multi_client_disconnect_script(mi); if (mi->did_open_context) { @@ -1112,7 +1110,7 @@ multi_learn_addr(struct multi_context *m, if (oldroute) /* route already exists? */ { - if (route_quota_test(m, mi) && learn_address_script(m, mi, "update", &newroute->addr)) + if (route_quota_test(mi) && learn_address_script(m, mi, "update", &newroute->addr)) { learn_succeeded = true; owner = mi; @@ -1129,7 +1127,7 @@ multi_learn_addr(struct multi_context *m, } else { - if (route_quota_test(m, mi) && learn_address_script(m, mi, "add", &newroute->addr)) + if (route_quota_test(mi) && learn_address_script(m, mi, "add", &newroute->addr)) { learn_succeeded = true; owner = mi; @@ -1579,7 +1577,7 @@ multi_select_virtual_addr(struct multi_context *m, struct multi_instance *mi) * Set virtual address environmental variables. */ static void -multi_set_virtual_addr_env(struct multi_context *m, struct multi_instance *mi) +multi_set_virtual_addr_env(struct multi_instance *mi) { setenv_del(mi->context.c2.es, "ifconfig_pool_local_ip"); setenv_del(mi->context.c2.es, "ifconfig_pool_remote_ip"); @@ -1658,7 +1656,7 @@ multi_client_connect_post(struct multi_context *m, * directory or any --ifconfig-pool dynamic address. */ multi_select_virtual_addr(m, mi); - multi_set_virtual_addr_env(m, mi); + multi_set_virtual_addr_env(mi); } } @@ -1702,7 +1700,7 @@ multi_client_connect_post_plugin(struct multi_context *m, * directory or any --ifconfig-pool dynamic address. */ multi_select_virtual_addr(m, mi); - multi_set_virtual_addr_env(m, mi); + multi_set_virtual_addr_env(mi); } } @@ -1742,7 +1740,7 @@ multi_client_connect_mda(struct multi_context *m, * directory or any --ifconfig-pool dynamic address. */ multi_select_virtual_addr(m, mi); - multi_set_virtual_addr_env(m, mi); + multi_set_virtual_addr_env(mi); } } @@ -1761,7 +1759,7 @@ multi_client_connect_setenv(struct multi_context *m, setenv_trusted(mi->context.c2.es, get_link_socket_info(&mi->context)); /* setenv client virtual IP address */ - multi_set_virtual_addr_env(m, mi); + multi_set_virtual_addr_env(mi); /* setenv connection time */ { @@ -2919,7 +2917,7 @@ multi_process_drop_outgoing_tun(struct multi_context *m, const unsigned int mpp_ */ void -route_quota_exceeded(const struct multi_context *m, const struct multi_instance *mi) +route_quota_exceeded(const struct multi_instance *mi) { struct gc_arena gc = gc_new(); msg(D_ROUTE_QUOTA, "MULTI ROUTE: route quota (%d) exceeded for %s (see --max-routes-per-client option)", @@ -3355,12 +3353,6 @@ init_management_callback_multi(struct multi_context *m) #endif /* ifdef ENABLE_MANAGEMENT */ } -void -uninit_management_callback_multi(struct multi_context *m) -{ - uninit_management_callback(); -} - /* * Top level event loop. */ diff --git a/src/openvpn/multi.h b/src/openvpn/multi.h index d7e5c29..ebcc22d 100644 --- a/src/openvpn/multi.h +++ b/src/openvpn/multi.h @@ -346,9 +346,6 @@ void multi_close_instance_on_signal(struct multi_context *m, struct multi_instan void init_management_callback_multi(struct multi_context *m); -void uninit_management_callback_multi(struct multi_context *m); - - #ifdef ENABLE_ASYNC_PUSH /** * Called when inotify event is fired, which happens when acf file is closed or deleted. @@ -403,7 +400,7 @@ multi_process_outgoing_link_pre(struct multi_context *m) * Per-client route quota management */ -void route_quota_exceeded(const struct multi_context *m, const struct multi_instance *mi); +void route_quota_exceeded(const struct multi_instance *mi); static inline void route_quota_inc(struct multi_instance *mi) @@ -419,11 +416,11 @@ route_quota_dec(struct multi_instance *mi) /* can we add a new route? */ static inline bool -route_quota_test(const struct multi_context *m, const struct multi_instance *mi) +route_quota_test(const struct multi_instance *mi) { if (mi->route_count >= mi->context.options.max_routes_per_client) { - route_quota_exceeded(m, mi); + route_quota_exceeded(mi); return false; } else diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h index e680702..8acc7d1 100644 --- a/src/openvpn/openssl_compat.h +++ b/src/openvpn/openssl_compat.h @@ -88,6 +88,18 @@ EVP_MD_CTX_new(void) } #endif +#if !defined(HAVE_EVP_CIPHER_CTX_RESET) +#define EVP_CIPHER_CTX_reset EVP_CIPHER_CTX_init +#endif + +#if !defined(HAVE_X509_GET0_NOTBEFORE) +#define X509_get0_notBefore X509_get_notBefore +#endif + +#if !defined(HAVE_X509_GET0_NOTAFTER) +#define X509_get0_notAfter X509_get_notAfter +#endif + #if !defined(HAVE_HMAC_CTX_RESET) /** * Reset a HMAC context diff --git a/src/openvpn/openvpn.c b/src/openvpn/openvpn.c index 3819889..3d244fc 100644 --- a/src/openvpn/openvpn.c +++ b/src/openvpn/openvpn.c @@ -201,7 +201,7 @@ openvpn_main(int argc, char *argv[]) #ifdef ENABLE_MANAGEMENT /* initialize management subsystem */ - init_management(&c); + init_management(); #endif /* initialize options to default state */ diff --git a/src/openvpn/openvpn_win32_resources.rc b/src/openvpn/openvpn_win32_resources.rc index d092e21..e4f1ee9 100644 --- a/src/openvpn/openvpn_win32_resources.rc +++ b/src/openvpn/openvpn_win32_resources.rc @@ -19,7 +19,7 @@ VS_VERSION_INFO VERSIONINFO FILEFLAGS 0x0L #endif FILEOS 0x40004L - FILETYPE 0x2L + FILETYPE VFT_APP FILESUBTYPE 0x0L BEGIN BLOCK "StringFileInfo" diff --git a/src/openvpn/options.c b/src/openvpn/options.c index f951814..de30fcb 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -2228,7 +2228,7 @@ options_postprocess_verify_ce(const struct options *options, const struct connec } if (options->pull_filter_list) { - msg(M_USAGE, "--pull-filter cannot be used with --mode server"); + msg(M_WARN, "--pull-filter ignored for --mode server"); } if (!(proto_is_udp(ce->proto) || ce->proto == PROTO_TCP_SERVER)) { @@ -2832,6 +2832,24 @@ options_postprocess_mutate_ce(struct options *o, struct connection_entry *ce) #endif } + /* our socks code is not fully IPv6 enabled yet (TCP works, UDP not) + * so fall back to IPv4-only (trac #1221) + */ + if (ce->socks_proxy_server && proto_is_udp(ce->proto) && ce->af != AF_INET) + { + if (ce->af == AF_INET6) + { + msg(M_INFO, "WARNING: '--proto udp6' is not compatible with " + "'--socks-proxy' today. Forcing IPv4 mode." ); + } + else + { + msg(M_INFO, "NOTICE: dual-stack mode for '--proto udp' does not " + "work correctly with '--socks-proxy' today. Forcing IPv4." ); + } + ce->af = AF_INET; + } + /* * Set MTU defaults */ diff --git a/src/openvpn/pkcs11.c b/src/openvpn/pkcs11.c index 93f8580..d40ca45 100644 --- a/src/openvpn/pkcs11.c +++ b/src/openvpn/pkcs11.c @@ -312,7 +312,7 @@ pkcs11_initialize( pkcs11h_setLogLevel(_pkcs11_msg_openvpn2pkcs11(get_debug_level())); - if ((rv = pkcs11h_setForkMode(TRUE)) != CKR_OK) + if ((rv = pkcs11h_setForkMode(FALSE)) != CKR_OK) { msg(M_FATAL, "PKCS#11: Cannot set fork mode %ld-'%s'", rv, pkcs11h_getMessage(rv)); goto cleanup; diff --git a/src/openvpn/proxy.c b/src/openvpn/proxy.c index 3fdec86..afcca86 100644 --- a/src/openvpn/proxy.c +++ b/src/openvpn/proxy.c @@ -355,7 +355,7 @@ get_proxy_authenticate(socket_descriptor_t sd, #if NTLM else if (!strncmp(buf+20, "NTLM", 4)) { - msg(D_PROXY, "PROXY AUTH HTLM: '%s'", buf); + msg(D_PROXY, "PROXY AUTH NTLM: '%s'", buf); *data = NULL; ret = HTTP_AUTH_NTLM; } diff --git a/src/openvpn/route.c b/src/openvpn/route.c index 2d6428b..4199da3 100644 --- a/src/openvpn/route.c +++ b/src/openvpn/route.c @@ -2038,8 +2038,8 @@ add_route_ipv6(struct route_ipv6 *r6, const struct tuntap *tt, unsigned int flag r6->netbits, gateway ); - /* on tun/tap, not "elsewhere"? -> metric 0 */ - if (!r6->iface) + /* on tun (not tap), not "elsewhere"? -> metric 0 */ + if (tt->type == DEV_TYPE_TUN && !r6->iface) { argv_printf_cat(&argv, "0"); } diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c index c76d206..9131ec2 100644 --- a/src/openvpn/socket.c +++ b/src/openvpn/socket.c @@ -1170,7 +1170,7 @@ socket_do_listen(socket_descriptor_t sd, ASSERT(local); msg(M_INFO, "Listening for incoming TCP connection on %s", print_sockaddr(local->ai_addr, &gc)); - if (listen(sd, 1)) + if (listen(sd, 32)) { msg(M_ERR, "TCP: listen() failed"); } diff --git a/src/openvpn/socks.c b/src/openvpn/socks.c index c61ef55..ad3a70b 100644 --- a/src/openvpn/socks.c +++ b/src/openvpn/socks.c @@ -414,6 +414,10 @@ recv_socks_reply(socket_descriptor_t sd, { memcpy(&addr->addr.in4.sin_addr, buf + 4, sizeof(addr->addr.in4.sin_addr)); memcpy(&addr->addr.in4.sin_port, buf + 8, sizeof(addr->addr.in4.sin_port)); + struct gc_arena gc = gc_new(); + msg(M_INFO, "SOCKS proxy wants us to send UDP to %s", + print_sockaddr(addr, &gc)); + gc_free(&gc); } diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index a78dae9..6aa3ac3 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -71,12 +71,13 @@ int mydata_index; /* GLOBAL */ void tls_init_lib(void) { +#if (OPENSSL_VERSION_NUMBER < 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)) SSL_library_init(); #ifndef ENABLE_SMALL SSL_load_error_strings(); #endif OpenSSL_add_all_algorithms(); - +#endif mydata_index = SSL_get_ex_new_index(0, "struct session *", NULL, NULL, NULL); ASSERT(mydata_index >= 0); } @@ -84,10 +85,12 @@ tls_init_lib(void) void tls_free_lib(void) { +#if (OPENSSL_VERSION_NUMBER < 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)) EVP_cleanup(); #ifndef ENABLE_SMALL ERR_free_strings(); #endif +#endif } void @@ -206,7 +209,7 @@ info_callback(INFO_CALLBACK_SSL_CONST SSL *s, int where, int ret) int tls_version_max(void) { -#if defined(TLS1_3_VERSION) +#if defined(TLS1_3_VERSION) && !defined(OPENSSL_NO_TLS1_3) return TLS_VER_1_3; #elif defined(TLS1_2_VERSION) || defined(SSL_OP_NO_TLSv1_2) return TLS_VER_1_2; @@ -233,7 +236,7 @@ openssl_tls_version(int ver) { return TLS1_2_VERSION; } -#if defined(TLS1_3_VERSION) +#if defined(TLS1_3_VERSION) && !defined(OPENSSL_NO_TLS1_3) else if (ver == TLS_VER_1_3) { return TLS1_3_VERSION; @@ -459,8 +462,8 @@ tls_ctx_restrict_ciphers_tls13(struct tls_root_ctx *ctx, const char *ciphers) return; } -#if (OPENSSL_VERSION_NUMBER < 0x1010100fL) - crypto_msg(M_WARN, "Not compiled with OpenSSL 1.1.1 or higher. " +#if (OPENSSL_VERSION_NUMBER < 0x1010100fL) || !defined(TLS1_3_VERSION) || defined(OPENSSL_NO_TLS1_3) + crypto_msg(M_WARN, "Not compiled with OpenSSL 1.1.1 or higher, or without TLS 1.3 support. " "Ignoring TLS 1.3 only tls-ciphersuites '%s' setting.", ciphers); #else @@ -534,7 +537,7 @@ tls_ctx_check_cert_time(const struct tls_root_ctx *ctx) goto cleanup; /* Nothing to check if there is no certificate */ } - ret = X509_cmp_time(X509_get_notBefore(cert), NULL); + ret = X509_cmp_time(X509_get0_notBefore(cert), NULL); if (ret == 0) { msg(D_TLS_DEBUG_MED, "Failed to read certificate notBefore field."); @@ -544,7 +547,7 @@ tls_ctx_check_cert_time(const struct tls_root_ctx *ctx) msg(M_WARN, "WARNING: Your certificate is not yet valid!"); } - ret = X509_cmp_time(X509_get_notAfter(cert), NULL); + ret = X509_cmp_time(X509_get0_notAfter(cert), NULL); if (ret == 0) { msg(D_TLS_DEBUG_MED, "Failed to read certificate notAfter field."); @@ -626,10 +629,13 @@ tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name else { #if OPENSSL_VERSION_NUMBER >= 0x10002000L +#if (OPENSSL_VERSION_NUMBER < 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)) + /* OpenSSL 1.0.2 and newer can automatically handle ECDH parameter * loading */ SSL_CTX_set_ecdh_auto(ctx->ctx, 1); return; +#endif #else /* For older OpenSSL we have to extract the curve from key on our own */ EC_KEY *eckey = NULL; @@ -1846,7 +1852,7 @@ show_available_tls_ciphers_list(const char *cipher_list, crypto_msg(M_FATAL, "Cannot create SSL_CTX object"); } -#if (OPENSSL_VERSION_NUMBER >= 0x1010100fL) +#if (OPENSSL_VERSION_NUMBER >= 0x1010100fL) && defined(TLS1_3_VERSION) && !defined(OPENSSL_NO_TLS1_3) if (tls13) { SSL_CTX_set_min_proto_version(tls_ctx.ctx, TLS1_3_VERSION); diff --git a/src/openvpn/tun.c b/src/openvpn/tun.c index 63f9d1b..80eaa2c 100644 --- a/src/openvpn/tun.c +++ b/src/openvpn/tun.c @@ -5044,7 +5044,6 @@ void ipconfig_register_dns(const struct env_set *es) { struct argv argv = argv_new(); - bool status; const char err[] = "ERROR: Windows ipconfig command failed"; msg(D_TUNTAP_INFO, "Start ipconfig commands for register-dns..."); @@ -5054,14 +5053,14 @@ ipconfig_register_dns(const struct env_set *es) get_win_sys_path(), WIN_IPCONFIG_PATH_SUFFIX); argv_msg(D_TUNTAP_INFO, &argv); - status = openvpn_execve_check(&argv, es, 0, err); + openvpn_execve_check(&argv, es, 0, err); argv_reset(&argv); argv_printf(&argv, "%s%sc /registerdns", get_win_sys_path(), WIN_IPCONFIG_PATH_SUFFIX); argv_msg(D_TUNTAP_INFO, &argv); - status = openvpn_execve_check(&argv, es, 0, err); + openvpn_execve_check(&argv, es, 0, err); argv_reset(&argv); netcmd_semaphore_release(); @@ -5355,8 +5354,7 @@ netsh_ifconfig(const struct tuntap_options *to, } static void -netsh_enable_dhcp(const struct tuntap_options *to, - const char *actual_name) +netsh_enable_dhcp(const char *actual_name) { struct argv argv = argv_new(); @@ -5902,7 +5900,7 @@ open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tun } else { - netsh_enable_dhcp(&tt->options, tt->actual_name); + netsh_enable_dhcp(tt->actual_name); } } dhcp_masq = true; diff --git a/src/openvpn/tun.h b/src/openvpn/tun.h index 6c57ad0..54e1dfa 100644 --- a/src/openvpn/tun.h +++ b/src/openvpn/tun.h @@ -452,7 +452,7 @@ tun_write_win32(struct tuntap *tt, struct buffer *buf) } static inline int -read_tun_buffered(struct tuntap *tt, struct buffer *buf, int maxsize) +read_tun_buffered(struct tuntap *tt, struct buffer *buf) { return tun_finalize(tt->hand, &tt->reads, buf); } diff --git a/src/openvpn/win32.c b/src/openvpn/win32.c index 29bbb84..f13807f 100644 --- a/src/openvpn/win32.c +++ b/src/openvpn/win32.c @@ -685,11 +685,10 @@ win32_pause(struct win32_signal *ws) { if (ws->mode == WSO_MODE_CONSOLE && HANDLE_DEFINED(ws->in.read)) { - int status; msg(M_INFO|M_NOPREFIX, "Press any key to continue..."); do { - status = WaitForSingleObject(ws->in.read, INFINITE); + WaitForSingleObject(ws->in.read, INFINITE); } while (!win32_keyboard_get(ws)); } } @@ -1088,7 +1087,7 @@ wide_cmd_line(const struct argv *a, struct gc_arena *gc) int openvpn_execve(const struct argv *a, const struct env_set *es, const unsigned int flags) { - int ret = -1; + int ret = OPENVPN_EXECVE_ERROR; static bool exec_warn = false; if (a && a->argv[0]) @@ -1137,10 +1136,14 @@ openvpn_execve(const struct argv *a, const struct env_set *es, const unsigned in free(env); gc_free(&gc); } - else if (!exec_warn && (script_security < SSEC_SCRIPTS)) + else { - msg(M_WARN, SCRIPT_SECURITY_WARNING); - exec_warn = true; + ret = OPENVPN_EXECVE_NOT_ALLOWED; + if (!exec_warn && (script_security < SSEC_SCRIPTS)) + { + msg(M_WARN, SCRIPT_SECURITY_WARNING); + exec_warn = true; + } } } else diff --git a/src/openvpnserv/Makefile.in b/src/openvpnserv/Makefile.in index 68cb4a0..05b2b49 100644 --- a/src/openvpnserv/Makefile.in +++ b/src/openvpnserv/Makefile.in @@ -331,9 +331,6 @@ TAP_WIN_MIN_MINOR = @TAP_WIN_MIN_MINOR@ TEST_CFLAGS = @TEST_CFLAGS@ TEST_LDFLAGS = @TEST_LDFLAGS@ TMPFILES_DIR = @TMPFILES_DIR@ -VENDOR_BUILD_ROOT = @VENDOR_BUILD_ROOT@ -VENDOR_DIST_ROOT = @VENDOR_DIST_ROOT@ -VENDOR_SRC_ROOT = @VENDOR_SRC_ROOT@ VERSION = @VERSION@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ diff --git a/src/openvpnserv/openvpnserv_resources.rc b/src/openvpnserv/openvpnserv_resources.rc index 7980193..4ea453e 100644 --- a/src/openvpnserv/openvpnserv_resources.rc +++ b/src/openvpnserv/openvpnserv_resources.rc @@ -19,7 +19,7 @@ VS_VERSION_INFO VERSIONINFO FILEFLAGS 0x0L #endif FILEOS 0x40004L - FILETYPE 0x2L + FILETYPE VFT_APP FILESUBTYPE 0x0L BEGIN BLOCK "StringFileInfo" diff --git a/src/plugins/Makefile.in b/src/plugins/Makefile.in index 09a0966..440ce08 100644 --- a/src/plugins/Makefile.in +++ b/src/plugins/Makefile.in @@ -314,9 +314,6 @@ TAP_WIN_MIN_MINOR = @TAP_WIN_MIN_MINOR@ TEST_CFLAGS = @TEST_CFLAGS@ TEST_LDFLAGS = @TEST_LDFLAGS@ TMPFILES_DIR = @TMPFILES_DIR@ -VENDOR_BUILD_ROOT = @VENDOR_BUILD_ROOT@ -VENDOR_DIST_ROOT = @VENDOR_DIST_ROOT@ -VENDOR_SRC_ROOT = @VENDOR_SRC_ROOT@ VERSION = @VERSION@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ diff --git a/src/plugins/auth-pam/Makefile.in b/src/plugins/auth-pam/Makefile.in index d8f9523..a5dce73 100644 --- a/src/plugins/auth-pam/Makefile.in +++ b/src/plugins/auth-pam/Makefile.in @@ -340,9 +340,6 @@ TAP_WIN_MIN_MINOR = @TAP_WIN_MIN_MINOR@ TEST_CFLAGS = @TEST_CFLAGS@ TEST_LDFLAGS = @TEST_LDFLAGS@ TMPFILES_DIR = @TMPFILES_DIR@ -VENDOR_BUILD_ROOT = @VENDOR_BUILD_ROOT@ -VENDOR_DIST_ROOT = @VENDOR_DIST_ROOT@ -VENDOR_SRC_ROOT = @VENDOR_SRC_ROOT@ VERSION = @VERSION@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ diff --git a/src/plugins/down-root/Makefile.in b/src/plugins/down-root/Makefile.in index a272d71..a1c69f1 100644 --- a/src/plugins/down-root/Makefile.in +++ b/src/plugins/down-root/Makefile.in @@ -338,9 +338,6 @@ TAP_WIN_MIN_MINOR = @TAP_WIN_MIN_MINOR@ TEST_CFLAGS = @TEST_CFLAGS@ TEST_LDFLAGS = @TEST_LDFLAGS@ TMPFILES_DIR = @TMPFILES_DIR@ -VENDOR_BUILD_ROOT = @VENDOR_BUILD_ROOT@ -VENDOR_DIST_ROOT = @VENDOR_DIST_ROOT@ -VENDOR_SRC_ROOT = @VENDOR_SRC_ROOT@ VERSION = @VERSION@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ diff --git a/tests/Makefile.in b/tests/Makefile.in index 92efd8a..eb7b89b 100644 --- a/tests/Makefile.in +++ b/tests/Makefile.in @@ -344,9 +344,6 @@ TAP_WIN_MIN_MINOR = @TAP_WIN_MIN_MINOR@ TEST_CFLAGS = @TEST_CFLAGS@ TEST_LDFLAGS = @TEST_LDFLAGS@ TMPFILES_DIR = @TMPFILES_DIR@ -VENDOR_BUILD_ROOT = @VENDOR_BUILD_ROOT@ -VENDOR_DIST_ROOT = @VENDOR_DIST_ROOT@ -VENDOR_SRC_ROOT = @VENDOR_SRC_ROOT@ VERSION = @VERSION@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ diff --git a/tests/t_lpback.sh b/tests/t_lpback.sh index 2052c62..bb8a1d5 100755 --- a/tests/t_lpback.sh +++ b/tests/t_lpback.sh @@ -26,7 +26,7 @@ trap "rm -f key.$$ log.$$ ; exit 1" 0 3 # Get list of supported ciphers from openvpn --show-ciphers output CIPHERS=$(${top_builddir}/src/openvpn/openvpn --show-ciphers | \ - sed -e '/The following/,/^$/d' -e s'/ .*//' -e '/^\s*$/d') + sed -e '/The following/,/^$/d' -e s'/ .*//' -e '/^[[:space:]]*$/d') # SK, 2014-06-04: currently the DES-EDE3-CFB1 implementation of OpenSSL is # broken (see http://rt.openssl.org/Ticket/Display.html?id=2867), so exclude diff --git a/tests/unit_tests/Makefile.in b/tests/unit_tests/Makefile.in index 5181414..baa11f6 100644 --- a/tests/unit_tests/Makefile.in +++ b/tests/unit_tests/Makefile.in @@ -303,9 +303,6 @@ TAP_WIN_MIN_MINOR = @TAP_WIN_MIN_MINOR@ TEST_CFLAGS = @TEST_CFLAGS@ TEST_LDFLAGS = @TEST_LDFLAGS@ TMPFILES_DIR = @TMPFILES_DIR@ -VENDOR_BUILD_ROOT = @VENDOR_BUILD_ROOT@ -VENDOR_DIST_ROOT = @VENDOR_DIST_ROOT@ -VENDOR_SRC_ROOT = @VENDOR_SRC_ROOT@ VERSION = @VERSION@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ diff --git a/tests/unit_tests/example_test/Makefile.in b/tests/unit_tests/example_test/Makefile.in index 1c370bd..8f1805c 100644 --- a/tests/unit_tests/example_test/Makefile.in +++ b/tests/unit_tests/example_test/Makefile.in @@ -328,9 +328,6 @@ TAP_WIN_MIN_MINOR = @TAP_WIN_MIN_MINOR@ TEST_CFLAGS = @TEST_CFLAGS@ TEST_LDFLAGS = @TEST_LDFLAGS@ TMPFILES_DIR = @TMPFILES_DIR@ -VENDOR_BUILD_ROOT = @VENDOR_BUILD_ROOT@ -VENDOR_DIST_ROOT = @VENDOR_DIST_ROOT@ -VENDOR_SRC_ROOT = @VENDOR_SRC_ROOT@ VERSION = @VERSION@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ diff --git a/tests/unit_tests/openvpn/Makefile.am b/tests/unit_tests/openvpn/Makefile.am index 7b44f42..55e29e4 100644 --- a/tests/unit_tests/openvpn/Makefile.am +++ b/tests/unit_tests/openvpn/Makefile.am @@ -20,14 +20,14 @@ argv_testdriver_CFLAGS = @TEST_CFLAGS@ -I$(openvpn_srcdir) -I$(compat_srcdir) \ $(OPTIONAL_CRYPTO_CFLAGS) argv_testdriver_LDFLAGS = @TEST_LDFLAGS@ -L$(openvpn_srcdir) -Wl,--wrap=parse_line \ $(OPTIONAL_CRYPTO_LIBS) -argv_testdriver_SOURCES = test_argv.c mock_msg.c \ +argv_testdriver_SOURCES = test_argv.c mock_msg.c mock_msg.h \ $(openvpn_srcdir)/platform.c \ $(openvpn_srcdir)/buffer.c \ $(openvpn_srcdir)/argv.c buffer_testdriver_CFLAGS = @TEST_CFLAGS@ -I$(openvpn_srcdir) -I$(compat_srcdir) buffer_testdriver_LDFLAGS = @TEST_LDFLAGS@ -L$(openvpn_srcdir) -Wl,--wrap=parse_line -buffer_testdriver_SOURCES = test_buffer.c mock_msg.c \ +buffer_testdriver_SOURCES = test_buffer.c mock_msg.c mock_msg.h \ $(openvpn_srcdir)/buffer.c \ $(openvpn_srcdir)/platform.c @@ -36,7 +36,7 @@ packet_id_testdriver_CFLAGS = @TEST_CFLAGS@ \ $(OPTIONAL_CRYPTO_CFLAGS) packet_id_testdriver_LDFLAGS = @TEST_LDFLAGS@ \ $(OPTIONAL_CRYPTO_LIBS) -packet_id_testdriver_SOURCES = test_packet_id.c mock_msg.c \ +packet_id_testdriver_SOURCES = test_packet_id.c mock_msg.c mock_msg.h \ $(openvpn_srcdir)/buffer.c \ $(openvpn_srcdir)/otime.c \ $(openvpn_srcdir)/packet_id.c \ @@ -47,7 +47,7 @@ tls_crypt_testdriver_CFLAGS = @TEST_CFLAGS@ \ $(OPTIONAL_CRYPTO_CFLAGS) tls_crypt_testdriver_LDFLAGS = @TEST_LDFLAGS@ \ $(OPTIONAL_CRYPTO_LIBS) -tls_crypt_testdriver_SOURCES = test_tls_crypt.c mock_msg.c \ +tls_crypt_testdriver_SOURCES = test_tls_crypt.c mock_msg.c mock_msg.h \ $(openvpn_srcdir)/buffer.c \ $(openvpn_srcdir)/crypto.c \ $(openvpn_srcdir)/crypto_mbedtls.c \ diff --git a/tests/unit_tests/openvpn/Makefile.in b/tests/unit_tests/openvpn/Makefile.in index 89a552a..995d950 100644 --- a/tests/unit_tests/openvpn/Makefile.in +++ b/tests/unit_tests/openvpn/Makefile.in @@ -395,9 +395,6 @@ TAP_WIN_MIN_MINOR = @TAP_WIN_MIN_MINOR@ TEST_CFLAGS = @TEST_CFLAGS@ TEST_LDFLAGS = @TEST_LDFLAGS@ TMPFILES_DIR = @TMPFILES_DIR@ -VENDOR_BUILD_ROOT = @VENDOR_BUILD_ROOT@ -VENDOR_DIST_ROOT = @VENDOR_DIST_ROOT@ -VENDOR_SRC_ROOT = @VENDOR_SRC_ROOT@ VERSION = @VERSION@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ @@ -468,14 +465,14 @@ argv_testdriver_CFLAGS = @TEST_CFLAGS@ -I$(openvpn_srcdir) -I$(compat_srcdir) \ argv_testdriver_LDFLAGS = @TEST_LDFLAGS@ -L$(openvpn_srcdir) -Wl,--wrap=parse_line \ $(OPTIONAL_CRYPTO_LIBS) -argv_testdriver_SOURCES = test_argv.c mock_msg.c \ +argv_testdriver_SOURCES = test_argv.c mock_msg.c mock_msg.h \ $(openvpn_srcdir)/platform.c \ $(openvpn_srcdir)/buffer.c \ $(openvpn_srcdir)/argv.c buffer_testdriver_CFLAGS = @TEST_CFLAGS@ -I$(openvpn_srcdir) -I$(compat_srcdir) buffer_testdriver_LDFLAGS = @TEST_LDFLAGS@ -L$(openvpn_srcdir) -Wl,--wrap=parse_line -buffer_testdriver_SOURCES = test_buffer.c mock_msg.c \ +buffer_testdriver_SOURCES = test_buffer.c mock_msg.c mock_msg.h \ $(openvpn_srcdir)/buffer.c \ $(openvpn_srcdir)/platform.c @@ -486,7 +483,7 @@ packet_id_testdriver_CFLAGS = @TEST_CFLAGS@ \ packet_id_testdriver_LDFLAGS = @TEST_LDFLAGS@ \ $(OPTIONAL_CRYPTO_LIBS) -packet_id_testdriver_SOURCES = test_packet_id.c mock_msg.c \ +packet_id_testdriver_SOURCES = test_packet_id.c mock_msg.c mock_msg.h \ $(openvpn_srcdir)/buffer.c \ $(openvpn_srcdir)/otime.c \ $(openvpn_srcdir)/packet_id.c \ @@ -499,7 +496,7 @@ tls_crypt_testdriver_CFLAGS = @TEST_CFLAGS@ \ tls_crypt_testdriver_LDFLAGS = @TEST_LDFLAGS@ \ $(OPTIONAL_CRYPTO_LIBS) -tls_crypt_testdriver_SOURCES = test_tls_crypt.c mock_msg.c \ +tls_crypt_testdriver_SOURCES = test_tls_crypt.c mock_msg.c mock_msg.h \ $(openvpn_srcdir)/buffer.c \ $(openvpn_srcdir)/crypto.c \ $(openvpn_srcdir)/crypto_mbedtls.c \ diff --git a/tests/unit_tests/openvpn/mock_msg.h b/tests/unit_tests/openvpn/mock_msg.h new file mode 100644 index 0000000..53cae26 --- /dev/null +++ b/tests/unit_tests/openvpn/mock_msg.h @@ -0,0 +1,34 @@ +/* + * OpenVPN -- An application to securely tunnel IP networks + * over a single UDP port, with support for SSL/TLS-based + * session authentication and key exchange, + * packet encryption, packet authentication, and + * packet compression. + * + * Copyright (C) 2016-2018 Fox Crypto B.V. <openvpn@fox-it.com> + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ + +#ifndef MOCK_MSG_H +#define MOCK_MSG_H + +/** + * Mock debug level defaults to 0, which gives clean(-ish) test reports. Call + * this function from your test driver to increase debug output when you + * need debug output. + */ +void mock_set_debug_level(int level); + +#endif /* MOCK_MSG */ diff --git a/tests/unit_tests/plugins/Makefile.in b/tests/unit_tests/plugins/Makefile.in index 41d23f9..fbf9154 100644 --- a/tests/unit_tests/plugins/Makefile.in +++ b/tests/unit_tests/plugins/Makefile.in @@ -303,9 +303,6 @@ TAP_WIN_MIN_MINOR = @TAP_WIN_MIN_MINOR@ TEST_CFLAGS = @TEST_CFLAGS@ TEST_LDFLAGS = @TEST_LDFLAGS@ TMPFILES_DIR = @TMPFILES_DIR@ -VENDOR_BUILD_ROOT = @VENDOR_BUILD_ROOT@ -VENDOR_DIST_ROOT = @VENDOR_DIST_ROOT@ -VENDOR_SRC_ROOT = @VENDOR_SRC_ROOT@ VERSION = @VERSION@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ diff --git a/tests/unit_tests/plugins/auth-pam/Makefile.in b/tests/unit_tests/plugins/auth-pam/Makefile.in index 9125684..97a0a45 100644 --- a/tests/unit_tests/plugins/auth-pam/Makefile.in +++ b/tests/unit_tests/plugins/auth-pam/Makefile.in @@ -323,9 +323,6 @@ TAP_WIN_MIN_MINOR = @TAP_WIN_MIN_MINOR@ TEST_CFLAGS = @TEST_CFLAGS@ TEST_LDFLAGS = @TEST_LDFLAGS@ TMPFILES_DIR = @TMPFILES_DIR@ -VENDOR_BUILD_ROOT = @VENDOR_BUILD_ROOT@ -VENDOR_DIST_ROOT = @VENDOR_DIST_ROOT@ -VENDOR_SRC_ROOT = @VENDOR_SRC_ROOT@ VERSION = @VERSION@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ diff --git a/vendor/Makefile.am b/vendor/Makefile.am index 674784a..46072c3 100644 --- a/vendor/Makefile.am +++ b/vendor/Makefile.am @@ -1,18 +1,18 @@ -# needs an absolute path bc. of the cmake invocation -cmockasrc = "@VENDOR_SRC_ROOT@/cmocka" -cmockabuild = "@VENDOR_BUILD_ROOT@/cmocka" -cmockainstall = "@VENDOR_DIST_ROOT@" +cmockasrc = $(srcdir)/cmocka +# Not just '$(builddir)/cmocka', because cmocka requires an out-of-source build +cmockabuild = $(builddir)/cmocka_build +cmockadist = $(builddir)/dist MAINTAINERCLEANFILES = \ $(srcdir)/Makefile.in \ "$(cmockabuild)" \ - "$(cmockainstall)" \ - "@VENDOR_BUILD_ROOT@" + "$(cmockadist)" libcmocka: if CMOCKA_INITIALIZED - mkdir -p $(cmockabuild) $(cmockainstall) - (cd $(cmockabuild) && cmake -DCMAKE_INSTALL_PREFIX=$(cmockainstall) $(cmockasrc) && make && make install) + mkdir -p $(cmockabuild) $(cmockadist) + ## Compensate for the cd in the paths + (cd $(cmockabuild) && cmake -DCMAKE_INSTALL_PREFIX=../$(cmockadist) ../$(cmockasrc) && make && make install) endif check: libcmocka diff --git a/vendor/Makefile.in b/vendor/Makefile.in index 8173797..c59046f 100644 --- a/vendor/Makefile.in +++ b/vendor/Makefile.in @@ -243,9 +243,6 @@ TAP_WIN_MIN_MINOR = @TAP_WIN_MIN_MINOR@ TEST_CFLAGS = @TEST_CFLAGS@ TEST_LDFLAGS = @TEST_LDFLAGS@ TMPFILES_DIR = @TMPFILES_DIR@ -VENDOR_BUILD_ROOT = @VENDOR_BUILD_ROOT@ -VENDOR_DIST_ROOT = @VENDOR_DIST_ROOT@ -VENDOR_SRC_ROOT = @VENDOR_SRC_ROOT@ VERSION = @VERSION@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ @@ -305,16 +302,14 @@ tmpfilesdir = @tmpfilesdir@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ - -# needs an absolute path bc. of the cmake invocation -cmockasrc = "@VENDOR_SRC_ROOT@/cmocka" -cmockabuild = "@VENDOR_BUILD_ROOT@/cmocka" -cmockainstall = "@VENDOR_DIST_ROOT@" +cmockasrc = $(srcdir)/cmocka +# Not just '$(builddir)/cmocka', because cmocka requires an out-of-source build +cmockabuild = $(builddir)/cmocka_build +cmockadist = $(builddir)/dist MAINTAINERCLEANFILES = \ $(srcdir)/Makefile.in \ "$(cmockabuild)" \ - "$(cmockainstall)" \ - "@VENDOR_BUILD_ROOT@" + "$(cmockadist)" all: all-am @@ -511,8 +506,8 @@ uninstall-am: libcmocka: -@CMOCKA_INITIALIZED_TRUE@ mkdir -p $(cmockabuild) $(cmockainstall) -@CMOCKA_INITIALIZED_TRUE@ (cd $(cmockabuild) && cmake -DCMAKE_INSTALL_PREFIX=$(cmockainstall) $(cmockasrc) && make && make install) +@CMOCKA_INITIALIZED_TRUE@ mkdir -p $(cmockabuild) $(cmockadist) +@CMOCKA_INITIALIZED_TRUE@ (cd $(cmockabuild) && cmake -DCMAKE_INSTALL_PREFIX=../$(cmockadist) ../$(cmockasrc) && make && make install) check: libcmocka @@ -3,12 +3,12 @@ define([PRODUCT_NAME], [OpenVPN]) define([PRODUCT_TARNAME], [openvpn]) define([PRODUCT_VERSION_MAJOR], [2]) define([PRODUCT_VERSION_MINOR], [4]) -define([PRODUCT_VERSION_PATCH], [.7]) +define([PRODUCT_VERSION_PATCH], [.8]) m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MAJOR]) m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MINOR], [[.]]) m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_PATCH], [[]]) define([PRODUCT_BUGREPORT], [openvpn-users@lists.sourceforge.net]) -define([PRODUCT_VERSION_RESOURCE], [2,4,7,0]) +define([PRODUCT_VERSION_RESOURCE], [2,4,8,0]) dnl define the TAP version define([PRODUCT_TAP_WIN_COMPONENT_ID], [tap0901]) define([PRODUCT_TAP_WIN_MIN_MAJOR], [9]) |