Details about protocol extensions that the peer supports. The
+variable is a bitfield and the bits are defined as follows
+(starting a bit 0 for the first (unused) bit:
+
+
bit 1: The peer supports peer-id floating mechanism
+
bit 2: The client expects a push-reply and the server may
+send this reply without waiting for a push-request first.
+
bit 3: The client is capable of doing key derivation using
+RFC5705 key material exporter.
+
bit 4: The client is capable of accepting additional arguments
+to the AUTH_PENDING message.
+
+
+
IV_NCP=2
+
Negotiable ciphers, client supports --cipher pushed by
+the server, a value of 2 or greater indicates client supports
+AES-GCM-128 and AES-GCM-256.
+
IV_CIPHERS=<ncp-ciphers>
+
The client announces the list of supported ciphers configured with the
+--data-ciphers option to the server.
+
IV_GUI_VER=<gui_id> <version>
+
The UI version of a UI if one is running, for example
+de.blinkt.openvpn 0.5.47 for the Android app.
+
IV_SSO=[crtext,][openurl,][proxy_url]
+
Additional authentication methods supported by the client.
+This may be set by the client UI/GUI using --setenv
+
+
When --push-peer-info is enabled the additional information consists
+of the following data:
+
+
IV_HWADDR=<string>
+
This is intended to be a unique and persistent ID of the client.
+The string value can be any readable ASCII string up to 64 bytes.
+OpenVPN 2.x and some other implementations use the MAC address of
+the client's interface used to reach the default gateway. If this
+string is generated by the client, it should be consistent and
+preserved across independent session and preferably
+re-installations and upgrades.
+
IV_SSL=<version string>
+
The ssl version used by the client, e.g.
+OpenSSL 1.0.2f 28 Jan 2016.
+
IV_PLAT_VER=x.y
+
The version of the operating system, e.g. 6.1 for Windows 7.
+
UV_<name>=<value>
+
Client environment variables whose names start with
+UV_
+
+
--remote args
Remote host name or IP address, port and protocol.
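Review bot: The added bitfield description has a typo and an unbalanced parenthesis in "(starting a bit 0 for the first (unused) bit:"; suggest "(starting at bit 0 for the first (unused) bit):". In the IV_HWADDR paragraph, "preserved across independent session" should read "sessions". The relocated text also gains "bit 3" and "bit 4" entries that the removed copy further down does not have, so this is more than a move and the commit message should say so.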
@@ -2058,65 +2121,6 @@ server can be initiated.
--rcvbuf
---push-peer-info
-
-
Push additional information about the client to server. The following
-data is always pushed to the server:
Details about protocol extensions that the peer supports. The
-variable is a bitfield and the bits are defined as follows
-(starting a bit 0 for the first (unused) bit:
-
-
bit 1: The peer supports peer-id floating mechanism
-
bit 2: The client expects a push-reply and the server may
-send this reply without waiting for a push-request first.
-
-
-
IV_NCP=2
-
Negotiable ciphers, client supports --cipher pushed by
-the server, a value of 2 or greater indicates client supports
-AES-GCM-128 and AES-GCM-256.
-
IV_CIPHERS=<ncp-ciphers>
-
The client announces the list of supported ciphers configured with the
---data-ciphers option to the server.
-
IV_GUI_VER=<gui_id> <version>
-
The UI version of a UI if one is running, for example
-de.blinkt.openvpn 0.5.47 for the Android app.
-
IV_SSO=[crtext,][openurl,][proxy_url]
-
Additional authentication methods supported by the client.
-This may be set by the client UI/GUI using --setenv
-
-
When --push-peer-info is enabled the additional information consists
-of the following data:
-
-
IV_HWADDR=<string>
-
This is intended to be a unique and persistent ID of the client.
-The string value can be any readable ASCII string up to 64 bytes.
-OpenVPN 2.x and some other implementations use the MAC address of
-the client's interface used to reach the default gateway. If this
-string is generated by the client, it should be consistent and
-preserved across independent session and preferably
-re-installations and upgrades.
-
IV_SSL=<version string>
-
The ssl version used by the client, e.g.
-OpenSSL 1.0.2f 28 Jan 2016.
-
IV_PLAT_VER=x.y
-
The version of the operating system, e.g. 6.1 for Windows 7.
-
UV_<name>=<value>
-
Client environment variables whose names start with
-UV_
-
-
-
--push-remove opt
Selectively remove all --push options matching "opt" from the option
@@ -3602,7 +3606,7 @@ data is exchanged.
remote.
This option is useful in cases where the remote peer has a dynamic IP
address and a low-TTL DNS name is used to track the IP address using a
-service such as http://dyndns.org/ + a dynamic DNS client such as
+service such as https://www.nsupdate.info/ + a dynamic DNS client such as
ddclient.
If the peer cannot be reached, a restart will be triggered, causing the
hostname used with --remote to be re-resolved (if --resolv-retry
@@ -3888,7 +3892,7 @@ handled by the tap-windows6wintun driver is in use. The
OpenVPN for Android client also handles them internally.
On all other platforms these options are only saved in the client's
-environment under the name foreign_options_{n} before the
+environment under the name foreign_option_{n} before the
--up script is called. A plugin or an --up script must be used to
pick up and interpret these as required. Many Linux distributions include
such scripts and some third-party user interfaces such as tunnelblick also
@@ -5415,7 +5419,7 @@ the IP address 192.168.4.0 to use as the virtual DHCP
server address. In --dev tun mode, OpenVPN will cause the DHCP
server to masquerade as if it were coming from the remote endpoint.
The optional offset parameter is an integer which is > -256
-and < 256 and which defaults to -1. If offset is positive,
+and < 256 and which defaults to 0. If offset is positive,
the DHCP server will masquerade as the IP address at network
address + offset. If offset is negative, the DHCP server will
masquerade as the IP address at broadcast address + offset.
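Review bot: With the default changed to 0, the paragraph still only covers "If offset is positive" and "If offset is negative" and never says which address an offset of 0 selects. Add a sentence for the zero case, since that is now what every configuration that omits the parameter gets.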
diff --git a/include/openvpn-plugin.h b/include/openvpn-plugin.h
index 934248d..7f25d75 100644
--- a/include/openvpn-plugin.h
+++ b/include/openvpn-plugin.h
@@ -53,7 +53,7 @@ extern "C" {
*/
#define OPENVPN_VERSION_MAJOR 2
#define OPENVPN_VERSION_MINOR 5
-#define OPENVPN_VERSION_PATCH ".4"
+#define OPENVPN_VERSION_PATCH ".5"
/*
* Plug-in types. These types correspond to the set of script callbacks
diff --git a/sample/sample-config-files/firewall.sh b/sample/sample-config-files/firewall.sh
index 19d75ee..456700c 100755
--- a/sample/sample-config-files/firewall.sh
+++ b/sample/sample-config-files/firewall.sh
@@ -50,7 +50,7 @@ iptables -A OUTPUT -p tcp --sport 137:139 -o eth0 -j DROP
iptables -A OUTPUT -p udp --sport 137:139 -o eth0 -j DROP
# Check source address validity on packets going out to internet
-iptables -A FORWARD -s ! $PRIVATE -i eth1 -j DROP
+iptables -A FORWARD ! -s $PRIVATE -i eth1 -j DROP
# Allow local loopback
iptables -A INPUT -s $LOOP -j ACCEPT
diff --git a/sample/sample-plugins/Makefile b/sample/sample-plugins/Makefile
index 8646832..f795978 100644
--- a/sample/sample-plugins/Makefile
+++ b/sample/sample-plugins/Makefile
@@ -153,7 +153,7 @@ AUTOMAKE = ${SHELL} /home/samuli/opt/openvpninc/openvpn-release-scripts/release/
AWK = gawk
CC = gcc
CCDEPMODE = depmode=gcc3
-CFLAGS = -Wall -Wno-unused-parameter -Wno-unused-function -Wno-stringop-truncation -g -O2 -std=c99
+CFLAGS = -Wall -Wno-stringop-truncation -g -O2 -std=c99
CMOCKA_CFLAGS =
CMOCKA_LIBS =
CPP = gcc -E
@@ -210,7 +210,7 @@ OPENSSL_CFLAGS =
OPENSSL_LIBS = -lssl -lcrypto
OPENVPN_VERSION_MAJOR = 2
OPENVPN_VERSION_MINOR = 5
-OPENVPN_VERSION_PATCH = .4
+OPENVPN_VERSION_PATCH = .5
OPTIONAL_CRYPTO_CFLAGS =
OPTIONAL_CRYPTO_LIBS = -lssl -lcrypto
OPTIONAL_DL_LIBS = -ldl
@@ -231,13 +231,13 @@ P11KIT_LIBS =
PACKAGE = openvpn
PACKAGE_BUGREPORT = openvpn-users@lists.sourceforge.net
PACKAGE_NAME = OpenVPN
-PACKAGE_STRING = OpenVPN 2.5.4
+PACKAGE_STRING = OpenVPN 2.5.5
PACKAGE_TARNAME = openvpn
PACKAGE_URL =
-PACKAGE_VERSION = 2.5.4
+PACKAGE_VERSION = 2.5.5
PATH_SEPARATOR = :
PKCS11_HELPER_CFLAGS =
-PKCS11_HELPER_LIBS = -lpthread -ldl -lcrypto -lpkcs11-helper
+PKCS11_HELPER_LIBS =
PKG_CONFIG = /usr/bin/pkg-config
PKG_CONFIG_LIBDIR =
PKG_CONFIG_PATH =
@@ -264,7 +264,7 @@ TAP_WIN_MIN_MINOR = 9
TEST_CFLAGS = -I$(top_srcdir)/include
TEST_LDFLAGS = -lssl -lcrypto -llzo2
TMPFILES_DIR =
-VERSION = 2.5.4
+VERSION = 2.5.5
abs_builddir = /home/samuli/opt/openvpninc/openvpn-release-scripts/release/openvpn/sample/sample-plugins
abs_srcdir = /home/samuli/opt/openvpninc/openvpn-release-scripts/release/openvpn/sample/sample-plugins
abs_top_builddir = /home/samuli/opt/openvpninc/openvpn-release-scripts/release/openvpn
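Review bot: This is configure output rather than source: the context lines abs_builddir, abs_srcdir and abs_top_builddir all point into /home/samuli/..., and values such as PKCS11_HELPER_LIBS and CFLAGS change here only because the release machine was configured differently. Drop sample/sample-plugins/Makefile from the tree (keep only its Makefile.am or Makefile.in) so that build-host paths and per-build settings stop appearing in release diffs.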
diff --git a/src/compat/Release.props b/src/compat/Release.props
index 63828b7..50eaa8d 100644
--- a/src/compat/Release.props
+++ b/src/compat/Release.props
@@ -15,6 +15,7 @@
MultiThreadedDLLProgramDatabaseNDEBUG;%(PreprocessorDefinitions)
+ Guardtrue
diff --git a/src/compat/compat.vcxproj b/src/compat/compat.vcxproj
index 14376e4..a1e30da 100644
--- a/src/compat/compat.vcxproj
+++ b/src/compat/compat.vcxproj
@@ -38,33 +38,39 @@
MultiBytetruev142
+ SpectreStaticLibraryMultiBytetruev142
+ SpectreStaticLibraryMultiBytetruev142
+ SpectreStaticLibraryMultiBytev142
+ SpectreStaticLibraryMultiBytev142
+ SpectreStaticLibraryMultiBytev142
+ Spectre
diff --git a/src/openvpn/buffer.c b/src/openvpn/buffer.c
index c82d3d4..54e758a 100644
--- a/src/openvpn/buffer.c
+++ b/src/openvpn/buffer.c
@@ -310,29 +310,6 @@ openvpn_snprintf(char *str, size_t size, const char *format, ...)
return (len >= 0 && len < size);
}
-/*
- * openvpn_swprintf() is currently only used by Windows code paths
- * and when enabled for all platforms it will currently break older
- * OpenBSD versions lacking vswprintf(3) support in their libc.
- */
-
-#ifdef _WIN32
-bool
-openvpn_swprintf(wchar_t *const str, const size_t size, const wchar_t *const format, ...)
-{
- va_list arglist;
- int len = -1;
- if (size > 0)
- {
- va_start(arglist, format);
- len = vswprintf(str, size, format, arglist);
- va_end(arglist);
- str[size - 1] = L'\0';
- }
- return (len >= 0 && len < size);
-}
-#endif
-
/*
* write a string to the end of a buffer that was
* truncated by buf_printf
diff --git a/src/openvpn/buffer.h b/src/openvpn/buffer.h
index fc7909b..1a795d2 100644
--- a/src/openvpn/buffer.h
+++ b/src/openvpn/buffer.h
@@ -449,22 +449,6 @@ __attribute__ ((format(__printf__, 3, 4)))
;
-#ifdef _WIN32
-/*
- * Like swprintf but guarantees null termination for size > 0
- *
- * This is under #ifdef because only Windows-specific code in tun.c
- * uses this function and its implementation breaks OpenBSD <= 4.9
- */
-bool
-openvpn_swprintf(wchar_t *const str, const size_t size, const wchar_t *const format, ...);
-
-/*
- * Unlike in openvpn_snprintf, we cannot use format attributes since
- * GCC doesn't support wprintf as archetype.
- */
-#endif
-
/*
* remove/add trailing characters
*/
diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index 619cd96..6945cc0 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -729,7 +729,7 @@ warn_insecure_key_type(const char *ciphername, const cipher_kt_t *cipher)
" bit (%d bit). This allows attacks like SWEET32. Mitigate by "
"using a --cipher with a larger block size (e.g. AES-256-CBC). "
"Support for these insecure ciphers will be removed in "
- "OpenVPN 2.6.",
+ "OpenVPN 2.7.",
ciphername, cipher_kt_block_size(cipher)*8);
}
}
diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
index 79fbab4..ef52092 100644
--- a/src/openvpn/crypto_openssl.c
+++ b/src/openvpn/crypto_openssl.c
@@ -51,6 +51,10 @@
#include
#include
+#if defined(_WIN32) && defined(OPENSSL_NO_EC)
+#error Windows build with OPENSSL_NO_EC: disabling EC key is not supported.
+#endif
+
/*
* Check for key size creepage.
*/
@@ -150,13 +154,11 @@ crypto_init_lib_engine(const char *engine_name)
void
crypto_init_lib(void)
{
-#ifndef _WIN32
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL);
#else
OPENSSL_config(NULL);
#endif
-#endif /* _WIN32 */
/*
* If you build the OpenSSL library and OpenVPN with
* CRYPTO_MDEBUG, you will get a listing of OpenSSL
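Review bot: Removing the "#ifndef _WIN32" guard means OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL) now loads an OpenSSL config file on Windows, and which file it loads depends on set_openssl_env_vars() in win32.c having run first. Nothing in crypto_init_lib() records that ordering requirement; add a comment here stating that on Windows init_win32() must be called before this function, so a later reordering of the init sequence does not silently go back to OpenSSL's compiled-in config path.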
diff --git a/src/openvpn/cryptoapi.c b/src/openvpn/cryptoapi.c
index 6c4df9e..4becef4 100644
--- a/src/openvpn/cryptoapi.c
+++ b/src/openvpn/cryptoapi.c
@@ -537,7 +537,7 @@ finish(RSA *rsa)
return 1;
}
-#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(OPENSSL_NO_EC)
+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
static EC_KEY_METHOD *ec_method = NULL;
@@ -1232,7 +1232,7 @@ SSL_CTX_use_CryptoAPI_certificate(SSL_CTX *ssl_ctx, const char *cert_prop)
goto err;
}
}
-#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(OPENSSL_NO_EC)
+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
else if (EVP_PKEY_id(pkey) == EVP_PKEY_EC)
{
if (!ssl_ctx_set_eckey(ssl_ctx, cd, pkey))
diff --git a/src/openvpn/helper.c b/src/openvpn/helper.c
index 67131b5..ebb5142 100644
--- a/src/openvpn/helper.c
+++ b/src/openvpn/helper.c
@@ -239,7 +239,7 @@ helper_client_server(struct options *o)
* if tap OR (tun AND topology == subnet):
* ifconfig 10.8.0.1 255.255.255.0
* if !nopool:
- * ifconfig-pool 10.8.0.2 10.8.0.253 255.255.255.0
+ * ifconfig-pool 10.8.0.2 10.8.0.254 255.255.255.0
* push "route-gateway 10.8.0.1"
* if route-gateway unset:
* route-gateway 10.8.0.2
@@ -342,7 +342,7 @@ helper_client_server(struct options *o)
{
o->ifconfig_pool_defined = true;
o->ifconfig_pool_start = o->server_network + 2;
- o->ifconfig_pool_end = (o->server_network | ~o->server_netmask) - 2;
+ o->ifconfig_pool_end = (o->server_network | ~o->server_netmask) - 1;
ifconfig_pool_verify_range(M_USAGE, o->ifconfig_pool_start, o->ifconfig_pool_end);
}
o->ifconfig_pool_netmask = o->server_netmask;
diff --git a/src/openvpn/openvpn.vcxproj b/src/openvpn/openvpn.vcxproj
index 2144775..33b8f19 100644
--- a/src/openvpn/openvpn.vcxproj
+++ b/src/openvpn/openvpn.vcxproj
@@ -38,33 +38,39 @@
trueNotSetv142
+ SpectreApplicationtrueNotSetv142
+ SpectreApplicationtrueNotSetv142
+ SpectreApplicationNotSetv142
+ SpectreApplicationNotSetv142
+ SpectreApplicationNotSetv142
+ Spectre
@@ -191,6 +197,7 @@
Level2true..\compat;$(SolutionDir);%(AdditionalIncludeDirectories)
+ Guard
@@ -206,6 +213,7 @@
Level2true..\compat;$(SolutionDir);%(AdditionalIncludeDirectories)
+ Guard
@@ -221,6 +229,7 @@
Level2true..\compat;$(SolutionDir);%(AdditionalIncludeDirectories)
+ Guard
@@ -355,6 +364,7 @@
+
diff --git a/src/openvpn/openvpn.vcxproj.filters b/src/openvpn/openvpn.vcxproj.filters
index cf5748c..bbcbff3 100644
--- a/src/openvpn/openvpn.vcxproj.filters
+++ b/src/openvpn/openvpn.vcxproj.filters
@@ -509,6 +509,9 @@
Header Files
+
+ Header Files
+
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index a536ebe..f88cf2e 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -418,6 +418,8 @@ static const char usage_message[] =
" execution. Peer must specify --pull in its config file.\n"
"--push-reset : Don't inherit global push list for specific\n"
" client instance.\n"
+ "--push-remove opt : Remove options matching 'opt' from the push list for\n"
+ " a specific client instance.\n"
"--ifconfig-pool start-IP end-IP [netmask] : Set aside a pool of subnets\n"
" to be dynamically allocated to connecting clients.\n"
"--ifconfig-pool-persist file [seconds] : Persist/unpersist ifconfig-pool\n"
diff --git a/src/openvpn/ring_buffer.h b/src/openvpn/ring_buffer.h
index 77579e3..9661ceb 100644
--- a/src/openvpn/ring_buffer.h
+++ b/src/openvpn/ring_buffer.h
@@ -94,7 +94,7 @@ struct TUN_PACKET
* that data has been written to receive ring
* @return true if registration is successful, false otherwise - use GetLastError()
*/
-static bool
+static inline bool
register_ring_buffers(HANDLE device,
struct tun_ring *send_ring,
struct tun_ring *receive_ring,
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 31d94f2..27fb66a 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -65,6 +65,10 @@
#include
#endif
+#if defined(_MSC_VER) && !defined(_M_ARM64)
+#include
+#endif
+
/*
* Allocate space in SSL objects in which to store a struct tls_session
* pointer back to parent.
diff --git a/src/openvpn/ssl_openssl.h b/src/openvpn/ssl_openssl.h
index 2eeb716..46338c2 100644
--- a/src/openvpn/ssl_openssl.h
+++ b/src/openvpn/ssl_openssl.h
@@ -54,6 +54,4 @@ struct key_state_ssl {
*/
extern int mydata_index; /* GLOBAL */
-void openssl_set_mydata_index(void);
-
#endif /* SSL_OPENSSL_H_ */
diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c
index 4f3b61d..0ccd43d 100644
--- a/src/openvpn/ssl_verify.c
+++ b/src/openvpn/ssl_verify.c
@@ -116,6 +116,8 @@ set_common_name(struct tls_session *session, const char *common_name)
}
#endif
}
+ /* update common name in env */
+ setenv_str(session->opt->es, "common_name", common_name);
}
/*
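Review bot: The added setenv_str(session->opt->es, "common_name", common_name) sits after the closing brace of the preceding block, so it runs on every call with whatever value was passed in. If set_common_name() can be called with a NULL common_name, extend the "update common name in env" comment to say whether that is meant to clear the variable, or move the call inside the block that handles a non-NULL name.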
diff --git a/src/openvpn/tun.c b/src/openvpn/tun.c
index 512ccba..db8fdec 100644
--- a/src/openvpn/tun.c
+++ b/src/openvpn/tun.c
@@ -6388,14 +6388,7 @@ tuntap_dhcp_mask(const struct tuntap *tt, const char *device_guid)
{
if (tt->topology == TOP_SUBNET)
{
- if (tt->options.dhcp_masq_custom_offset)
- {
- ep[2] = dhcp_masq_addr(tt->local, tt->remote_netmask, tt->options.dhcp_masq_offset);
- }
- else
- {
- ep[2] = dhcp_masq_addr(tt->local, tt->remote_netmask, -1);
- }
+ ep[2] = dhcp_masq_addr(tt->local, tt->remote_netmask, tt->options.dhcp_masq_custom_offset ? tt->options.dhcp_masq_offset : 0);
}
else
{
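Review bot: The collapsed call changes behaviour as well as layout: for TOP_SUBNET without a custom offset the third argument goes from -1 to 0, so existing setups get a different DHCP masquerade address after upgrading. That deserves a comment at the call site and a Changes entry. The new line is also far longer than the surrounding code; wrap the ternary over two lines or compute the offset into a local variable first.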
diff --git a/src/openvpn/win32.c b/src/openvpn/win32.c
index 6cff17b..920a3b3 100644
--- a/src/openvpn/win32.c
+++ b/src/openvpn/win32.c
@@ -101,6 +101,12 @@ struct semaphore netcmd_semaphore; /* GLOBAL */
*/
static char *win_sys_path = NULL; /* GLOBAL */
+/**
+ * Set OpenSSL environment variables to a safe directory
+ */
+static void
+set_openssl_env_vars();
+
void
init_win32(void)
{
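Review bot: The forward declaration "set_openssl_env_vars();" uses empty parentheses, which in C declares a function with unspecified parameters rather than one taking none. Write it as set_openssl_env_vars(void), matching init_win32(void) just below, and do the same on the definition.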
@@ -110,6 +116,8 @@ init_win32(void)
}
window_title_clear(&window_title);
win32_signal_clear(&win32_signal);
+
+ set_openssl_env_vars();
}
void
@@ -1509,4 +1517,84 @@ send_msg_iservice(HANDLE pipe, const void *data, size_t size,
return ret;
}
+bool
+openvpn_swprintf(wchar_t *const str, const size_t size, const wchar_t *const format, ...)
+{
+ va_list arglist;
+ int len = -1;
+ if (size > 0)
+ {
+ va_start(arglist, format);
+ len = vswprintf(str, size, format, arglist);
+ va_end(arglist);
+ str[size - 1] = L'\0';
+ }
+ return (len >= 0 && len < size);
+}
+
+static BOOL
+get_install_path(WCHAR *path, DWORD size)
+{
+ WCHAR reg_path[256];
+ HKEY key;
+ BOOL res = FALSE;
+ openvpn_swprintf(reg_path, _countof(reg_path), L"SOFTWARE\\" PACKAGE_NAME);
+
+ LONG status = RegOpenKeyExW(HKEY_LOCAL_MACHINE, reg_path, 0, KEY_READ, &key);
+ if (status != ERROR_SUCCESS)
+ {
+ return res;
+ }
+
+ /* The default value of REG_KEY is the install path */
+ status = RegGetValueW(key, NULL, NULL, RRF_RT_REG_SZ, NULL, (LPBYTE)path, &size);
+ res = status == ERROR_SUCCESS;
+
+ RegCloseKey(key);
+
+ return res;
+}
+
+static void
+set_openssl_env_vars()
+{
+ const WCHAR *ssl_fallback_dir = L"C:\\Windows\\System32";
+
+ WCHAR install_path[MAX_PATH] = { 0 };
+ if (!get_install_path(install_path, _countof(install_path)))
+ {
+ /* if we cannot find installation path from the registry,
+ * use Windows directory as a fallback
+ */
+ openvpn_swprintf(install_path, _countof(install_path), L"%ls", ssl_fallback_dir);
+ }
+
+ if ((install_path[wcslen(install_path) - 1]) == L'\\')
+ {
+ install_path[wcslen(install_path) - 1] = L'\0';
+ }
+
+ static struct {
+ WCHAR *name;
+ WCHAR *value;
+ } ossl_env[] = {
+ {L"OPENSSL_CONF", L"openssl.cnf"},
+ {L"OPENSSL_ENGINES", L"engines"},
+ {L"OPENSSL_MODULES", L"modules"}
+ };
+
+ for (size_t i = 0; i < SIZE(ossl_env); ++i)
+ {
+ size_t size = 0;
+
+ _wgetenv_s(&size, NULL, 0, ossl_env[i].name);
+ if (size == 0)
+ {
+ WCHAR val[MAX_PATH] = {0};
+ openvpn_swprintf(val, _countof(val), L"%ls\\ssl\\%ls", install_path, ossl_env[i].value);
+ _wputenv_s(ossl_env[i].name, val);
+ }
+ }
+}
+
#endif /* ifdef _WIN32 */
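Review bot: In set_openssl_env_vars(), "install_path[wcslen(install_path) - 1]" is evaluated without checking for an empty string; if the registry default value exists but is empty, get_install_path() returns TRUE and wcslen() - 1 wraps around, reading out of bounds. Guard with a length check and fall back to ssl_fallback_dir when the length is 0. Two further points in the same hunk: RegGetValueW takes its buffer size in bytes, but get_install_path() is passed _countof(install_path), so only half of the buffer is usable and longer install paths silently end up on the System32 fallback; pass sizeof(install_path) instead. The return values of _wgetenv_s and _wputenv_s are ignored, so a failure to set OPENSSL_CONF goes unnoticed; log it at least.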
diff --git a/src/openvpn/win32.h b/src/openvpn/win32.h
index 5d3371a..5c3bcc3 100644
--- a/src/openvpn/win32.h
+++ b/src/openvpn/win32.h
@@ -327,7 +327,13 @@ bool send_msg_iservice(HANDLE pipe, const void *data, size_t size,
int
openvpn_execve(const struct argv *a, const struct env_set *es, const unsigned int flags);
-bool impersonate_as_system();
+/*
+ * openvpn_swprintf() is currently only used by Windows code paths
+ * and when enabled for all platforms it will currently break older
+ * OpenBSD versions lacking vswprintf(3) support in their libc.
+ */
+bool
+openvpn_swprintf(wchar_t *const str, const size_t size, const wchar_t *const format, ...);
#endif /* ifndef OPENVPN_WIN32_H */
#endif /* ifdef _WIN32 */
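Review bot: The comment moved in with the openvpn_swprintf() prototype still talks about breaking "older OpenBSD versions lacking vswprintf(3)", which no longer applies now that the declaration lives in win32.h inside "#ifdef _WIN32"; replace it with the one-line description from the old buffer.h ("Like swprintf but guarantees null termination for size > 0"). The same hunk also deletes the "bool impersonate_as_system();" declaration without mention; confirm nothing still calls it and note the removal in the commit message.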
diff --git a/src/openvpnmsica/openvpnmsica-Release.props b/src/openvpnmsica/openvpnmsica-Release.props
index 848fda8..47727b3 100644
--- a/src/openvpnmsica/openvpnmsica-Release.props
+++ b/src/openvpnmsica/openvpnmsica-Release.props
@@ -8,6 +8,7 @@
MultiThreaded
+ Guard
diff --git a/src/openvpnmsica/openvpnmsica.vcxproj b/src/openvpnmsica/openvpnmsica.vcxproj
index c39b124..11aa78b 100644
--- a/src/openvpnmsica/openvpnmsica.vcxproj
+++ b/src/openvpnmsica/openvpnmsica.vcxproj
@@ -40,18 +40,21 @@
v142Unicodetrue
+ SpectreDynamicLibrarytruev142Unicode
+ SpectreDynamicLibrarytruev142Unicode
+ SpectreDynamicLibrary
@@ -60,6 +63,7 @@
trueUnicodetrue
+ SpectreDynamicLibrary
@@ -67,6 +71,7 @@
v142trueUnicode
+ SpectreDynamicLibrary
@@ -74,6 +79,7 @@
v142trueUnicode
+ Spectre
diff --git a/src/openvpnserv/openvpnserv.vcxproj b/src/openvpnserv/openvpnserv.vcxproj
index bcf9d25..520242f 100644
--- a/src/openvpnserv/openvpnserv.vcxproj
+++ b/src/openvpnserv/openvpnserv.vcxproj
@@ -38,33 +38,39 @@
Unicodetruev142
+ SpectreApplicationUnicodetruev142
+ SpectreApplicationUnicodetruev142
+ SpectreApplicationUnicodev142
+ SpectreApplicationUnicodev142
+ SpectreApplicationUnicodev142
+ Spectre
diff --git a/src/plugins/down-root/README.down-root b/src/plugins/down-root/README.down-root
index d337ffe..98a3ee6 100644
--- a/src/plugins/down-root/README.down-root
+++ b/src/plugins/down-root/README.down-root
@@ -16,13 +16,13 @@ run in the same execution environment as the up script.
BUILD
Build this module with the "make" command. The plugin
-module will be named openvpn-down-root.so
+module will be named openvpn-plugin-down-root.so
USAGE
To use this module, add to your OpenVPN config file:
- plugin openvpn-down-root.so "command ..."
+ plugin openvpn-plugin-down-root.so "command ..."
CAVEATS
diff --git a/src/tapctl/tapctl.vcxproj b/src/tapctl/tapctl.vcxproj
index ad96f02..79da9d3 100644
--- a/src/tapctl/tapctl.vcxproj
+++ b/src/tapctl/tapctl.vcxproj
@@ -40,18 +40,21 @@
v142Unicodetrue
+ SpectreApplicationtruev142Unicode
+ SpectreApplicationtruev142Unicode
+ SpectreApplication
@@ -60,6 +63,7 @@
trueUnicodetrue
+ SpectreApplication
@@ -67,6 +71,7 @@
v142trueUnicode
+ SpectreApplication
@@ -74,6 +79,7 @@
v142trueUnicode
+ Spectre
diff --git a/tests/t_lpback.sh b/tests/t_lpback.sh
index 6206899..6795299 100755
--- a/tests/t_lpback.sh
+++ b/tests/t_lpback.sh
@@ -35,13 +35,18 @@ CIPHERS=$(${top_builddir}/src/openvpn/openvpn --show-ciphers | \
# GD, 2014-07-06 do not test RC5-* either (fails on NetBSD w/o libcrypto_rc5)
CIPHERS=$(echo "$CIPHERS" | egrep -v '^(DES-EDE3-CFB1|DES-CFB1|RC5-)' )
+e=0
+if [ -z "$CIPHERS" ] ; then
+ echo "'openvpn --show-ciphers' FAILED (empty list)"
+ e=1
+fi
+
# Also test cipher 'none'
CIPHERS=${CIPHERS}$(printf "\nnone")
"${top_builddir}/src/openvpn/openvpn" --genkey secret key.$$
set +e
-e=0
for cipher in ${CIPHERS}
do
printf "Testing cipher ${cipher}... "
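Review bot: The new emptiness check runs after the "egrep -v" filter, so the message "'openvpn --show-ciphers' FAILED (empty list)" is also printed when the binary listed ciphers and the filter removed all of them. Test the raw --show-ciphers output before filtering, or reword the message. After setting e=1 the script still goes on to generate a key and test cipher "none"; if an empty list is meant to be a hard failure, exit at that point instead.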
diff --git a/tests/unit_tests/openvpn/test_argv.c b/tests/unit_tests/openvpn/test_argv.c
index 3dc470a..ea0d367 100644
--- a/tests/unit_tests/openvpn/test_argv.c
+++ b/tests/unit_tests/openvpn/test_argv.c
@@ -267,6 +267,7 @@ main(void)
cmocka_unit_test(argv_str__empty_argv__empty_output),
cmocka_unit_test(argv_str__multiple_argv__correct_output),
cmocka_unit_test(argv_insert_head__non_empty_argv__head_added),
+ cmocka_unit_test(argv_insert_head__empty_argv__head_only),
};
return cmocka_run_group_tests_name("argv", tests, NULL, NULL);
diff --git a/tests/unit_tests/openvpn/test_ncp.c b/tests/unit_tests/openvpn/test_ncp.c
index 494a028..bcafd23 100644
--- a/tests/unit_tests/openvpn/test_ncp.c
+++ b/tests/unit_tests/openvpn/test_ncp.c
@@ -49,6 +49,7 @@ test_check_ncp_ciphers_list(void **state)
{
struct gc_arena gc = gc_new();
bool have_chacha = cipher_kt_get("CHACHA20-POLY1305");
+ bool have_blowfish = cipher_kt_get("BF-CBC");
assert_string_equal(mutate_ncp_cipher_list("none", &gc), "none");
assert_string_equal(mutate_ncp_cipher_list("AES-256-GCM:none", &gc),
@@ -56,7 +57,7 @@ test_check_ncp_ciphers_list(void **state)
assert_string_equal(mutate_ncp_cipher_list(aes_ciphers, &gc), aes_ciphers);
- if (have_chacha)
+ if (have_chacha && have_blowfish)
{
assert_string_equal(mutate_ncp_cipher_list(bf_chacha, &gc), bf_chacha);
assert_string_equal(mutate_ncp_cipher_list("BF-CBC:CHACHA20-POLY1305", &gc),
@@ -89,8 +90,11 @@ test_check_ncp_ciphers_list(void **state)
assert_string_equal(mutate_ncp_cipher_list("id-aes128-GCM:id-aes256-GCM",
&gc), "AES-128-GCM:AES-256-GCM");
#else
- assert_string_equal(mutate_ncp_cipher_list("BLOWFISH-CBC",
- &gc), "BF-CBC");
+ if (have_blowfish)
+ {
+ assert_string_equal(mutate_ncp_cipher_list("BLOWFISH-CBC",
+ &gc), "BF-CBC");
+ }
#endif
gc_free(&gc);
}
diff --git a/version.m4 b/version.m4
index f47b4bf..a94177e 100644
--- a/version.m4
+++ b/version.m4
@@ -3,12 +3,12 @@ define([PRODUCT_NAME], [OpenVPN])
define([PRODUCT_TARNAME], [openvpn])
define([PRODUCT_VERSION_MAJOR], [2])
define([PRODUCT_VERSION_MINOR], [5])
-define([PRODUCT_VERSION_PATCH], [.4])
+define([PRODUCT_VERSION_PATCH], [.5])
m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MAJOR])
m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MINOR], [[.]])
m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_PATCH], [[]])
define([PRODUCT_BUGREPORT], [openvpn-users@lists.sourceforge.net])
-define([PRODUCT_VERSION_RESOURCE], [2,5,4,0])
+define([PRODUCT_VERSION_RESOURCE], [2,5,5,0])
dnl define the TAP version
define([PRODUCT_TAP_WIN_COMPONENT_ID], [tap0901])
define([PRODUCT_TAP_WIN_MIN_MAJOR], [9])
--
cgit v1.2.3