From f2b3dda12a731c2e0971cb7889728edaf23f6cb0 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?J=C3=B6rg=20Frings-F=C3=BCrst?=
Date: Mon, 29 Nov 2021 20:46:00 +0100
Subject: New upstream version 2.5.4
---
 .gitignore | 2 +
 COPYING | 2 +-
 ChangeLog | 96 ++-
 Changes.rst | 116 ++++
 Makefile.am | 4 +-
 Makefile.in | 45 +-
 PORTS | 2 +-
 aclocal.m4 | 48 +-
 build/Makefile.am | 2 +-
 build/Makefile.in | 7 +-
 build/msvc/Makefile.am | 2 +-
 build/msvc/Makefile.in | 7 +-
 build/msvc/msvc-generate/Makefile.am | 2 +-
 build/msvc/msvc-generate/Makefile.in | 7 +-
 build/msvc/msvc-generate/Makefile.mak | 9 +-
 build/msvc/msvc-generate/msvc-generate.vcxproj | 54 +-
 compile | 6 +-
 configure | 48 +-
 configure.ac | 6 +-
 contrib/vcpkg-ports/openssl/portfile.cmake | 25 +
 contrib/vcpkg-ports/openssl/unix/CMakeLists.txt | 280 +++++++++
 contrib/vcpkg-ports/openssl/unix/portfile.cmake | 49 ++
 contrib/vcpkg-ports/openssl/unix/remove-deps.cmake | 7 +
 .../openssl/unix/vcpkg-cmake-wrapper.cmake | 18 +
 contrib/vcpkg-ports/openssl/usage | 4 +
 .../vcpkg-ports/openssl/uwp/EnableUWPSupport.patch | 170 +++++
 contrib/vcpkg-ports/openssl/uwp/make-openssl.bat | 16 +
 contrib/vcpkg-ports/openssl/uwp/portfile.cmake | 156 +++++
 contrib/vcpkg-ports/openssl/vcpkg.json | 7 +
 contrib/vcpkg-ports/openssl/windows/portfile.cmake | 174 ++++++
 .../openssl/windows/vcpkg-cmake-wrapper.cmake | 10 +
 .../0001-nmake-openssl-1.1.1-support.patch | 88 +++
 contrib/vcpkg-ports/pkcs11-helper/CONTROL | 4 +
 .../pkcs11-helper/pkcs11-helper-001-RFC7512.patch | 686 +++++++++++++++++++++
 contrib/vcpkg-ports/pkcs11-helper/portfile.cmake | 35 ++
 contrib/vcpkg-triplets/arm64-windows-ovpn.cmake | 7 +
 contrib/vcpkg-triplets/x64-windows-ovpn.cmake | 7 +
 contrib/vcpkg-triplets/x86-windows-ovpn.cmake | 7 +
 depcomp | 2 +-
 distro/Makefile.am | 2 +-
 distro/Makefile.in | 7 +-
 distro/systemd/Makefile.am | 2 +-
 distro/systemd/Makefile.in | 7 +-
 doc/Makefile.am | 47 +-
 doc/Makefile.in | 128 ++--
 doc/doxygen/Makefile.am | 2 +-
 doc/doxygen/Makefile.in | 7 +-
 doc/man-sections/client-options.rst | 8 +
 doc/man-sections/server-options.rst | 14 +-
 doc/management-notes.txt | 134 ++--
 doc/openvpn-examples.5 | 374 +++++++++++
 doc/openvpn-examples.5.html | 582 +++++++++++++++++
 doc/openvpn-examples.5.rst | 17 +
 doc/openvpn.8 | 360 +----------
 doc/openvpn.8.html | 227 +------
 doc/openvpn.8.rst | 2 +-
 include/Makefile.am | 2 +-
 include/Makefile.in | 11 +-
 include/openvpn-msg.h | 2 +-
 include/openvpn-plugin.h | 4 +-
 include/openvpn-plugin.h.in | 2 +-
 install-sh | 13 +-
 missing | 2 +-
 openvpn.sln | 30 +-
 sample/Makefile.am | 2 +-
 sample/Makefile.in | 7 +-
 sample/sample-keys/gen-sample-keys.sh | 2 +-
 sample/sample-plugins/Makefile | 21 +-
 sample/sample-plugins/Makefile.am | 2 +-
 sample/sample-plugins/Makefile.in | 9 +-
 sample/sample-plugins/Makefile.plugins | 2 +-
 .../client-connect/sample-client-connect.c | 2 +-
 sample/sample-plugins/defer/simple.c | 2 +-
 .../keyingmaterialexporter.c | 2 +-
 sample/sample-plugins/log/log.c | 2 +-
 sample/sample-plugins/log/log_v3.c | 4 +-
 sample/sample-plugins/simple/base64.c | 2 +-
 sample/sample-plugins/simple/simple.c | 2 +-
 src/Makefile.am | 2 +-
 src/Makefile.in | 7 +-
 src/compat/Makefile.am | 2 +-
 src/compat/Makefile.in | 7 +-
 src/compat/compat-gettimeofday.c | 2 +-
 src/compat/compat-strsep.c | 2 +-
 src/compat/compat.vcxproj | 65 +-
 src/compat/compat.vcxproj.filters | 6 -
 src/openvpn/Makefile.am | 2 +-
 src/openvpn/Makefile.in | 7 +-
 src/openvpn/argv.c | 2 +-
 src/openvpn/argv.h | 2 +-
 src/openvpn/auth_token.c | 12 +-
 src/openvpn/auth_token.h | 2 +-
 src/openvpn/basic.h | 2 +-
 src/openvpn/block_dns.c | 2 +-
 src/openvpn/block_dns.h | 2 +-
 src/openvpn/buffer.c | 3 +-
 src/openvpn/buffer.h | 2 +-
 src/openvpn/circ_list.h | 2 +-
 src/openvpn/clinat.c | 2 +-
 src/openvpn/clinat.h | 2 +-
 src/openvpn/common.h | 2 +-
 src/openvpn/comp-lz4.c | 4 +-
 src/openvpn/comp-lz4.h | 4 +-
 src/openvpn/comp.c | 2 +-
 src/openvpn/comp.h | 2 +-
 src/openvpn/compstub.c | 2 +-
 src/openvpn/console.c | 4 +-
 src/openvpn/console.h | 4 +-
 src/openvpn/console_builtin.c | 107 ++--
 src/openvpn/crypto.c | 4 +-
 src/openvpn/crypto.h | 4 +-
 src/openvpn/crypto_backend.h | 4 +-
 src/openvpn/crypto_mbedtls.c | 4 +-
 src/openvpn/crypto_mbedtls.h | 4 +-
 src/openvpn/crypto_openssl.c | 6 +-
 src/openvpn/crypto_openssl.h | 4 +-
 src/openvpn/dhcp.c | 2 +-
 src/openvpn/dhcp.h | 2 +-
 src/openvpn/env_set.c | 4 +-
 src/openvpn/env_set.h | 2 +-
 src/openvpn/errlevel.h | 2 +-
 src/openvpn/error.c | 30 +-
 src/openvpn/error.h | 6 +-
 src/openvpn/event.c | 2 +-
 src/openvpn/event.h | 2 +-
 src/openvpn/fdmisc.c | 2 +-
 src/openvpn/fdmisc.h | 2 +-
 src/openvpn/forward.c | 12 +-
 src/openvpn/forward.h | 2 +-
 src/openvpn/fragment.c | 2 +-
 src/openvpn/fragment.h | 2 +-
 src/openvpn/gremlin.c | 2 +-
 src/openvpn/gremlin.h | 2 +-
 src/openvpn/helper.c | 2 +-
 src/openvpn/helper.h | 2 +-
 src/openvpn/httpdigest.c | 2 +-
 src/openvpn/httpdigest.h | 2 +-
 src/openvpn/init.c | 15 +-
 src/openvpn/init.h | 2 +-
 src/openvpn/integer.h | 2 +-
 src/openvpn/interval.c | 2 +-
 src/openvpn/interval.h | 2 +-
 src/openvpn/list.c | 2 +-
 src/openvpn/list.h | 2 +-
 src/openvpn/lladdr.c | 30 +-
 src/openvpn/lladdr.h | 3 +-
 src/openvpn/lzo.c | 2 +-
 src/openvpn/lzo.h | 2 +-
 src/openvpn/manage.c | 2 +-
 src/openvpn/manage.h | 2 +-
 src/openvpn/mbuf.c | 2 +-
 src/openvpn/mbuf.h | 2 +-
 src/openvpn/memdbg.h | 2 +-
 src/openvpn/misc.c | 52 +-
 src/openvpn/misc.h | 36 +-
 src/openvpn/mroute.c | 2 +-
 src/openvpn/mroute.h | 2 +-
 src/openvpn/mss.c | 2 +-
 src/openvpn/mss.h | 2 +-
 src/openvpn/mstats.c | 2 +-
 src/openvpn/mstats.h | 2 +-
 src/openvpn/mtcp.c | 2 +-
 src/openvpn/mtcp.h | 2 +-
 src/openvpn/mtu.c | 2 +-
 src/openvpn/mtu.h | 2 +-
 src/openvpn/mudp.c | 2 +-
 src/openvpn/mudp.h | 2 +-
 src/openvpn/multi.c | 30 +-
 src/openvpn/multi.h | 2 +-
 src/openvpn/networking.h | 14 +-
 src/openvpn/networking_iproute2.c | 25 +-
 src/openvpn/networking_iproute2.h | 2 +-
 src/openvpn/networking_sitnl.c | 63 +-
 src/openvpn/networking_sitnl.h | 2 +-
 src/openvpn/occ.c | 2 +-
 src/openvpn/occ.h | 2 +-
 src/openvpn/openssl_compat.h | 4 +-
 src/openvpn/openvpn.c | 2 +-
 src/openvpn/openvpn.h | 16 +-
 src/openvpn/openvpn.vcxproj | 103 +++-
 src/openvpn/options.c | 46 +-
 src/openvpn/options.h | 9 +-
 src/openvpn/otime.c | 2 +-
 src/openvpn/otime.h | 2 +-
 src/openvpn/packet_id.c | 2 +-
 src/openvpn/packet_id.h | 2 +-
 src/openvpn/perf.c | 2 +-
 src/openvpn/perf.h | 2 +-
 src/openvpn/pf.c | 2 +-
 src/openvpn/pf.h | 2 +-
 src/openvpn/ping.c | 2 +-
 src/openvpn/ping.h | 2 +-
 src/openvpn/pkcs11.c | 2 +-
 src/openvpn/pkcs11.h | 2 +-
 src/openvpn/pkcs11_backend.h | 4 +-
 src/openvpn/pkcs11_mbedtls.c | 4 +-
 src/openvpn/pkcs11_openssl.c | 4 +-
 src/openvpn/platform.c | 2 +-
 src/openvpn/platform.h | 2 +-
 src/openvpn/plugin.c | 2 +-
 src/openvpn/plugin.h | 2 +-
 src/openvpn/pool.c | 2 +-
 src/openvpn/pool.h | 2 +-
 src/openvpn/proto.c | 2 +-
 src/openvpn/proto.h | 2 +-
 src/openvpn/proxy.c | 2 +-
 src/openvpn/proxy.h | 2 +-
 src/openvpn/ps.c | 2 +-
 src/openvpn/ps.h | 2 +-
 src/openvpn/push.c | 9 +-
 src/openvpn/push.h | 2 +-
 src/openvpn/pushlist.h | 2 +-
 src/openvpn/reliable.c | 2 +-
 src/openvpn/reliable.h | 2 +-
 src/openvpn/ring_buffer.h | 2 +-
 src/openvpn/route.c | 6 +-
 src/openvpn/route.h | 2 +-
 src/openvpn/run_command.c | 2 +-
 src/openvpn/run_command.h | 2 +-
 src/openvpn/schedule.c | 2 +-
 src/openvpn/schedule.h | 2 +-
 src/openvpn/session_id.c | 2 +-
 src/openvpn/session_id.h | 2 +-
 src/openvpn/shaper.c | 2 +-
 src/openvpn/shaper.h | 2 +-
 src/openvpn/sig.c | 2 +-
 src/openvpn/sig.h | 2 +-
 src/openvpn/socket.c | 2 +-
 src/openvpn/socket.h | 2 +-
 src/openvpn/socks.c | 2 +-
 src/openvpn/socks.h | 2 +-
 src/openvpn/ssl.c | 69 ++-
 src/openvpn/ssl.h | 8 +-
 src/openvpn/ssl_backend.h | 4 +-
 src/openvpn/ssl_common.h | 23 +-
 src/openvpn/ssl_mbedtls.c | 24 +-
 src/openvpn/ssl_mbedtls.h | 4 +-
 src/openvpn/ssl_ncp.c | 6 +-
 src/openvpn/ssl_ncp.h | 4 +-
 src/openvpn/ssl_openssl.c | 128 ++--
 src/openvpn/ssl_openssl.h | 4 +-
 src/openvpn/ssl_verify.c | 76 ++-
 src/openvpn/ssl_verify.h | 4 +-
 src/openvpn/ssl_verify_backend.h | 4 +-
 src/openvpn/ssl_verify_mbedtls.c | 4 +-
 src/openvpn/ssl_verify_mbedtls.h | 4 +-
 src/openvpn/ssl_verify_openssl.c | 4 +-
 src/openvpn/ssl_verify_openssl.h | 4 +-
 src/openvpn/status.c | 2 +-
 src/openvpn/status.h | 2 +-
 src/openvpn/syshead.h | 2 +-
 src/openvpn/tls_crypt.c | 2 +-
 src/openvpn/tls_crypt.h | 2 +-
 src/openvpn/tun.c | 2 +-
 src/openvpn/tun.h | 2 +-
 src/openvpn/vlan.c | 2 +-
 src/openvpn/vlan.h | 2 +-
 src/openvpn/win32.c | 2 +-
 src/openvpn/win32.h | 2 +-
 src/openvpnmsica/Makefile.am | 4 +-
 src/openvpnmsica/Makefile.in | 9 +-
 src/openvpnmsica/dllmain.c | 2 +-
 src/openvpnmsica/msica_arg.c | 2 +-
 src/openvpnmsica/msica_arg.h | 2 +-
 src/openvpnmsica/msiex.c | 2 +-
 src/openvpnmsica/msiex.h | 2 +-
 src/openvpnmsica/openvpnmsica.c | 92 ++-
 src/openvpnmsica/openvpnmsica.h | 15 +-
 src/openvpnmsica/openvpnmsica.vcxproj | 18 +
 src/openvpnmsica/openvpnmsica_resources.rc | 2 +-
 src/openvpnserv/Makefile.am | 2 +-
 src/openvpnserv/Makefile.in | 7 +-
 src/openvpnserv/common.c | 8 +-
 src/openvpnserv/interactive.c | 2 +-
 src/openvpnserv/openvpnserv.vcxproj | 67 ++
 src/openvpnserv/service.h | 2 +-
 src/openvpnserv/validate.c | 2 +-
 src/openvpnserv/validate.h | 2 +-
 src/plugins/Makefile.am | 2 +-
 src/plugins/Makefile.in | 7 +-
 src/plugins/auth-pam/Makefile.in | 5 +-
 src/plugins/auth-pam/auth-pam.c | 4 +-
 src/plugins/auth-pam/utils.c | 2 +-
 src/plugins/auth-pam/utils.h | 2 +-
 src/plugins/down-root/Makefile.in | 5 +-
 src/plugins/down-root/down-root.c | 2 +-
 src/tapctl/Makefile.am | 4 +-
 src/tapctl/Makefile.in | 9 +-
 src/tapctl/basic.h | 4 +-
 src/tapctl/error.c | 4 +-
 src/tapctl/error.h | 4 +-
 src/tapctl/main.c | 5 +-
 src/tapctl/tap.h | 2 +-
 src/tapctl/tapctl.vcxproj | 18 +
 src/tapctl/tapctl_resources.rc | 2 +-
 tests/Makefile.am | 2 +-
 tests/Makefile.in | 7 +-
 tests/t_net.sh | 2 +-
 tests/unit_tests/Makefile.in | 5 +-
 tests/unit_tests/engine-key/Makefile.in | 5 +-
 tests/unit_tests/example_test/Makefile.in | 5 +-
 tests/unit_tests/openvpn/Makefile.in | 5 +-
 tests/unit_tests/openvpn/mock_get_random.c | 2 +-
 tests/unit_tests/openvpn/mock_msg.c | 2 +-
 tests/unit_tests/openvpn/mock_msg.h | 2 +-
 tests/unit_tests/openvpn/test_auth_token.c | 93 +--
 tests/unit_tests/openvpn/test_buffer.c | 2 +-
 tests/unit_tests/openvpn/test_crypto.c | 2 +-
 tests/unit_tests/openvpn/test_ncp.c | 2 +-
 tests/unit_tests/openvpn/test_networking.c | 2 +-
 tests/unit_tests/openvpn/test_packet_id.c | 2 +-
 tests/unit_tests/openvpn/test_tls_crypt.c | 2 +-
 tests/unit_tests/plugins/Makefile.in | 5 +-
 tests/unit_tests/plugins/auth-pam/Makefile.in | 5 +-
 version.m4 | 4 +-
 315 files changed, 4751 insertions(+), 1395 deletions(-)
 create mode 100644 contrib/vcpkg-ports/openssl/portfile.cmake
 create mode 100644 contrib/vcpkg-ports/openssl/unix/CMakeLists.txt
 create mode 100644 contrib/vcpkg-ports/openssl/unix/portfile.cmake
 create mode 100644 contrib/vcpkg-ports/openssl/unix/remove-deps.cmake
 create mode 100644 contrib/vcpkg-ports/openssl/unix/vcpkg-cmake-wrapper.cmake
 create mode 100644 contrib/vcpkg-ports/openssl/usage
 create mode 100644 contrib/vcpkg-ports/openssl/uwp/EnableUWPSupport.patch
 create mode 100644 contrib/vcpkg-ports/openssl/uwp/make-openssl.bat
 create mode 100644 contrib/vcpkg-ports/openssl/uwp/portfile.cmake
 create mode 100644 contrib/vcpkg-ports/openssl/vcpkg.json
 create mode 100644 contrib/vcpkg-ports/openssl/windows/portfile.cmake
 create mode 100644 contrib/vcpkg-ports/openssl/windows/vcpkg-cmake-wrapper.cmake
 create mode 100644 contrib/vcpkg-ports/pkcs11-helper/0001-nmake-openssl-1.1.1-support.patch
 create mode 100644 contrib/vcpkg-ports/pkcs11-helper/CONTROL
 create mode 100644 contrib/vcpkg-ports/pkcs11-helper/pkcs11-helper-001-RFC7512.patch
 create mode 100644 contrib/vcpkg-ports/pkcs11-helper/portfile.cmake
 create mode 100644 contrib/vcpkg-triplets/arm64-windows-ovpn.cmake
 create mode 100644 contrib/vcpkg-triplets/x64-windows-ovpn.cmake
 create mode 100644 contrib/vcpkg-triplets/x86-windows-ovpn.cmake
 create mode 100644 doc/openvpn-examples.5
 create mode 100644 doc/openvpn-examples.5.html
 create mode 100644 doc/openvpn-examples.5.rst
diff --git a/.gitignore b/.gitignore
index 25d0623..178076e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -49,6 +49,8 @@ version.sh
 msvc-env-local.bat
 config-msvc-local.h
 config-msvc-version.h
+doc/openvpn-examples.5
+doc/openvpn-examples.5.html
 doc/openvpn.8
 doc/openvpn.8.html
 /doc/doxygen/html/
diff --git a/COPYING b/COPYING
index 9c21c17..9044a39 100644
--- a/COPYING
+++ b/COPYING
@@ -1,6 +1,6 @@
 OpenVPN (TM) -- An Open Source VPN daemon
-Copyright (C) 2002-2018 OpenVPN Inc
+Copyright (C) 2002-2021 OpenVPN Inc
 This distribution contains multiple components, some of which fall under different licenses. By using OpenVPN
diff --git a/ChangeLog b/ChangeLog
index 1b26873..b0ee674 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,99 @@
 OpenVPN Change Log
-Copyright (C) 2002-2020 OpenVPN Inc
+Copyright (C) 2002-2021 OpenVPN Inc
+
+2021.10.04 -- Version 2.5.4
+
+Antonio Quartulli (3):
+ route.c: pass the right parameter to IN6_IS_ADDR_UNSPECIFIED
+ configure: search also for rst2{man, html}.py
+ networking: add networking API net_addr_ll_set() and use it on Linux
+
+Arne Schwabe (1):
+ Move examples into openvpn-examples(5) man page
+
+David Korczynski (1):
+ Fix argv leaks in add_route() and add_route_ipv6()
+
+David Sommerseth (2):
+ doc: Use generic rules for man/html generation
+ man: Clarify IV_HWADDR
+
+Gert Doering (1):
+ Add error reporting to get_console_input_win32().
+
+Lev Stipakov (3):
+ Fix console prompts with redirected log
+ Add building man page on Windows
+ GitHub Actions: remove Ubuntu 16.04 environment
+
+Max Fillinger (1):
+ Update Fox e-mail address in copyright notices
+
+Selva Nair (1):
+ Minor doc correction: tls-crypt-v2 key generation
+
+
+2021.06.17 -- Version 2.5.3
+
+Arne Schwabe (3):
+ Add missing free_key_ctx for auth_token
+ Add github actions
+ Implement auth-token-user
+
+David Sommerseth (1):
+ Update copyrights
+
+Lev Stipakov (8):
+ openvpnmsica: properly schedule reboot in the end of installation
+ msvc: add ARM64 configuration
+ msvc: standalone building
+ contrib/vcpkg-ports: add pkcs11-helper port
+ vcpkg-ports: restore trailing whitespaces in .patch files
+ GitHub actions: add MSVC build
+ crypto_openssl.c: disable explicit initialization on Windows (CVE-2121-3606)
+ contrib/vcpkg-ports: add openssl port with --no-autoload-config option set (CVE-2121-3606)
+
+Matthias Andree (1):
+ Fix SIGSEGV (NULL deref) receiving push "echo"
+
+Max Fillinger (1):
+ Fix build with mbedtls w/o SSL renegotiation support
+
+Selva Nair (2):
+ Improve documentation of AUTH_PENDING related directives
+ Apply the connect-retry backoff to only one side of a connection
+
+
+2021.04.20 -- Version 2.5.2
+
+Arne Schwabe (10):
+ Avoid generating unecessary mbed debug messages
+ Restore also ping related options on a reconnect
+ Cleanup print_details and add signature/ED certificate print
+ Always disable TLS renegotiations
+ Also restore/save route-gateway options on SIGUSR1 reconnects
+ Move context_auth from context_2 to tls_multi and name it multi_state
+ Fix condition to generate session keys
+ Move auth_token_state from multi to key_state
+ Ensure auth-token is only sent on a fully authenticated session
+ Ensure key state is authenticated before sending push reply
+
+Gert Doering (2):
+ Fix potential NULL ptr crash if compiled with DMALLOC
+
+Max Fillinger (2):
+ In init_ssl, open the correct CRL path pre-chroot
+ Abort if CRL file can't be stat-ed in ssl_init
+
+Richard Bonhomme (1):
+ Do not print Diffie Hellman parameters file to log file
+
+Simon Rozman (1):
+ openvpnserv: Cache last error before it is overridden
+
+Vladislav Grishenko (1):
+ Fix IPv4 default gateway with multiple route tables
+
 2021.02.24 -- Version 2.5.1
diff --git a/Changes.rst b/Changes.rst
index 6128275..ba5ee1a 100644
--- a/Changes.rst
+++ b/Changes.rst
@@ -1,3 +1,119 @@
+Overview of changes in 2.5.4
+============================
+Bugfixes
+--------
+- fix prompting for password on windows console if stderr redirection
+ is in use - this breaks 2.5.x on Win11/ARM, and might also break
+ on Win11/adm64 when released.
+
+- fix setting MAC address on TAP adapters (--lladdr) to use sitnl
+ (was overlooked, and still used "ifconfig" calls)
+
+- various improvements for man page building (rst2man/rst2html etc)
+
+- minor bugfix with IN6_IS_ADDR_UNSPECIFIED() use (breaks build on
+ at least one platform strictly checking this)
+
+- fix minor memory leak under certain conditions in add_route() and
+ add_route_ipv6()
+
+User-visible Changes
+--------------------
+- documentation improvements
+
+- copyright updates where needed
+
+- better error reporting when win32 console access fails
+
+New features
+------------
+- also build man page on Windows builds
+
+
+Overview of changes in 2.5.3
+============================
+Bugfixes
+--------
+- CVE-2121-3606
+ see https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements
+
+ OpenVPN windows builds could possibly load OpenSSL Config files from
+ world writeable locations, thus posing a security risk to OpenVPN.
+
+ As a fix, disable OpenSSL config loading completely on Windows.
+
+- disable connect-retry backoff for p2p (--secret) instances
+ (Trac #1010, #1384)
+
+- fix build with mbedtls w/o SSL renegotiation support
+
+- Fix SIGSEGV (NULL deref) receiving push "echo" (Trac #1409)
+
+- MSI installers: properly schedule reboot in the end of installation
+
+- fix small memory leak in free_key_ctx for auth_token
+
+
+User-visible Changes
+--------------------
+- update copyright messages in files and --version output
+
+New features
+------------
+- add --auth-token-user option (for --auth-token deployments without
+ --auth-user-pass in client config)
+
+- improve MSVC building for Windows
+
+- official MSI installers will now contain arm64 drivers and binaries
+ (x86, amd64, arm64)
+
+
+Overview of changes in 2.5.2
+============================
+
+Bugfixes
+--------
+- CVE-2020-15078
+ see https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements
+
+ This bug allows - under very specific circumstances - to trick a
+ server using delayed authentication (plugin or management) into
+ returning a PUSH_REPLY before the AUTH_FAILED message, which can
+ possibly be used to gather information about a VPN setup.
+
+ In combination with "--auth-gen-token" or an user-specific token auth
+ solution it can be possible to get access to a VPN with an
+ otherwise-invalid account.
+
+- restore pushed "ping" settings correctly on a SIGUSR1 restart
+
+- avoid generating unecessary mbed debug messages - this is actually
+ a workaround for an mbedTLS 2.25 bug when using Curve25519 and Curve448
+ ED curves - mbedTLS crashes on preparing debug infos that we do not
+ actually need unless running with "--verb 8"
+
+- do not print inlined (...) Diffie Hellman parameters to log file
+
+- fix Linux/SITNL default route lookup in case of multiple routing tables
+ with more than one default route present (always use "main table" for now)
+
+- Fix CRL file handling in combination with chroot
+
+User-visible Changes
+--------------------
+
+- OpenVPN will now refuse to start if CRL file is not present at startup
+ time. At "reload time" absense of the CRL file is still OK (and the
+ in memory copy is used) but at startup it is now considered an error.
+
+
+New features
+------------
+- printing of the TLS ciphers negotiated has been extended, especially
+ displaying TLS 1.3 and EC certificates more correctly.
+
+
 Overview of changes in 2.5.1
 ============================
diff --git a/Makefile.am b/Makefile.am
index d1c10fc..8092448 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -5,8 +5,8 @@
 # packet encryption, packet authentication, and
 # packet compression.
 #
-# Copyright (C) 2002-2018 OpenVPN Inc
-# Copyright (C) 2010 David Sommerseth
+# Copyright (C) 2002-2021 OpenVPN Inc
+# Copyright (C) 2010-2021 David Sommerseth
 # Copyright (C) 2006-2012 Alon Bar-Lev
 #
 # This program is free software; you can redistribute it and/or modify
diff --git a/Makefile.in b/Makefile.in
index 675d4e3..7df8d07 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -1,7 +1,7 @@
-# Makefile.in generated by automake 1.16.1 from Makefile.am.
+# Makefile.in generated by automake 1.16.2 from Makefile.am.
 # @configure_input@
-# Copyright (C) 1994-2018 Free Software Foundation, Inc.
+# Copyright (C) 1994-2020 Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -21,8 +21,8 @@
 # packet encryption, packet authentication, and
 # packet compression.
 #
-# Copyright (C) 2002-2018 OpenVPN Inc
-# Copyright (C) 2010 David Sommerseth
+# Copyright (C) 2002-2021 OpenVPN Inc
+# Copyright (C) 2010-2021 David Sommerseth
 # Copyright (C) 2006-2012 Alon Bar-Lev
 #
 # This program is free software; you can redistribute it and/or modify
@@ -199,8 +199,8 @@ am__recursive_targets = \
 $(am__extra_recursive_targets)
 AM_RECURSIVE_TARGETS = $(am__recursive_targets:-recursive=) TAGS CTAGS \
 cscope distdir distdir-am dist dist-all distcheck
-am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) \
- $(LISP)config.h.in
+am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) \
+ config.h.in
 # Read a list of newline-separated strings from the standard input,
 # and print each of them once, without duplicates. Input order is
 # *not* preserved.
@@ -437,6 +437,7 @@ plugindir = @plugindir@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+runstatedir = @runstatedir@
 sampledir = @sampledir@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
@@ -791,6 +792,10 @@ dist-xz: distdir
 tardir=$(distdir) && $(am__tar) | XZ_OPT=$${XZ_OPT--e} xz -c >$(distdir).tar.xz
 $(am__post_remove_distdir)
+dist-zstd: distdir
+ tardir=$(distdir) && $(am__tar) | zstd -c $${ZSTD_CLEVEL-$${ZSTD_OPT--19}} >$(distdir).tar.zst
+ $(am__post_remove_distdir)
+
 dist-tarZ: distdir
 @echo WARNING: "Support for distribution archives compressed with" \
 "legacy program 'compress' is deprecated." >&2
@@ -833,6 +838,8 @@ distcheck: dist
 eval GZIP= gzip $(GZIP_ENV) -dc $(distdir).shar.gz | unshar ;;\
 *.zip*) \
 unzip $(distdir).zip ;;\
+ *.tar.zst*) \
+ zstd -dc $(distdir).tar.zst | $(am__untar) ;;\
 esac
 chmod -R a-w $(distdir)
 chmod u+w $(distdir)
@@ -1019,19 +1026,19 @@ uninstall-am: uninstall-dist_docDATA uninstall-rootDATA
 am--refresh check check-am clean clean-cscope clean-generic \
 clean-libtool cscope cscopelist-am ctags ctags-am dist \
 dist-all dist-bzip2 dist-gzip dist-lzip dist-shar dist-tarZ \
- dist-xz dist-zip distcheck distclean distclean-generic \
- distclean-hdr distclean-libtool distclean-tags distcleancheck \
- distdir distuninstallcheck dvi dvi-am html html-am info \
- info-am install install-am install-data install-data-am \
- install-dist_docDATA install-dvi install-dvi-am install-exec \
- install-exec-am install-html install-html-am install-info \
- install-info-am install-man install-pdf install-pdf-am \
- install-ps install-ps-am install-rootDATA install-strip \
- installcheck installcheck-am installdirs installdirs-am \
- maintainer-clean maintainer-clean-generic mostlyclean \
- mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
- tags tags-am uninstall uninstall-am uninstall-dist_docDATA \
- uninstall-rootDATA
+ dist-xz dist-zip dist-zstd distcheck distclean \
+ distclean-generic distclean-hdr distclean-libtool \
+ distclean-tags distcleancheck distdir distuninstallcheck dvi \
+ dvi-am html html-am info info-am install install-am \
+ install-data install-data-am install-dist_docDATA install-dvi \
+ install-dvi-am install-exec install-exec-am install-html \
+ install-html-am install-info install-info-am install-man \
+ install-pdf install-pdf-am install-ps install-ps-am \
+ install-rootDATA install-strip installcheck installcheck-am \
+ installdirs installdirs-am maintainer-clean \
+ maintainer-clean-generic mostlyclean mostlyclean-generic \
+ mostlyclean-lib pdf pdf-am ps ps-am tags tags-am uninstall \
+ uninstall-am uninstall-dist_docDATA uninstall-rootDATA
 .PRECIOUS: Makefile
diff --git a/PORTS b/PORTS
index 1d8d5e0..d158e1f 100644
--- a/PORTS
+++ b/PORTS
@@ -1,5 +1,5 @@
 OpenVPN
-Copyright (C) 2002-2018 OpenVPN Inc
+Copyright (C) 2002-2021 OpenVPN Inc
 OpenVPN has been written to try to avoid features that are not standardized well across different
diff --git a/aclocal.m4 b/aclocal.m4
index 2cc1c34..ee51d3d 100644
--- a/aclocal.m4
+++ b/aclocal.m4
@@ -1,6 +1,6 @@
-# generated automatically by aclocal 1.16.1 -*- Autoconf -*-
+# generated automatically by aclocal 1.16.2 -*- Autoconf -*-
-# Copyright (C) 1996-2018 Free Software Foundation, Inc.
+# Copyright (C) 1996-2020 Free Software Foundation, Inc.
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -20,7 +20,7 @@ You have another version of autoconf. It may work, but is not guaranteed to.
 If you have problems, you may need to regenerate the build system entirely.
 To do so, use the procedure documented by the package, typically 'autoreconf'.])])
-# Copyright (C) 2002-2018 Free Software Foundation, Inc.
+# Copyright (C) 2002-2020 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -35,7 +35,7 @@ AC_DEFUN([AM_AUTOMAKE_VERSION],
 [am__api_version='1.16'
 dnl Some users find AM_AUTOMAKE_VERSION and mistake it for a way to
 dnl require some minimum version. Point them to the right macro.
-m4_if([$1], [1.16.1], [],
+m4_if([$1], [1.16.2], [],
 [AC_FATAL([Do not call $0, use AM_INIT_AUTOMAKE([$1]).])])dnl
 ])
@@ -51,14 +51,14 @@ m4_define([_AM_AUTOCONF_VERSION], [])
 # Call AM_AUTOMAKE_VERSION and AM_AUTOMAKE_VERSION so they can be traced.
 # This function is AC_REQUIREd by AM_INIT_AUTOMAKE.
 AC_DEFUN([AM_SET_CURRENT_AUTOMAKE_VERSION],
-[AM_AUTOMAKE_VERSION([1.16.1])dnl
+[AM_AUTOMAKE_VERSION([1.16.2])dnl
 m4_ifndef([AC_AUTOCONF_VERSION],
 [m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl
 _AM_AUTOCONF_VERSION(m4_defn([AC_AUTOCONF_VERSION]))])
 # AM_AUX_DIR_EXPAND -*- Autoconf -*-
-# Copyright (C) 2001-2018 Free Software Foundation, Inc.
+# Copyright (C) 2001-2020 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -110,7 +110,7 @@ am_aux_dir=`cd "$ac_aux_dir" && pwd`
 # AM_CONDITIONAL -*- Autoconf -*-
-# Copyright (C) 1997-2018 Free Software Foundation, Inc.
+# Copyright (C) 1997-2020 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -141,7 +141,7 @@ AC_CONFIG_COMMANDS_PRE(
 Usually this means the macro was only invoked conditionally.]])
 fi])])
-# Copyright (C) 1999-2018 Free Software Foundation, Inc.
+# Copyright (C) 1999-2020 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -332,7 +332,7 @@ _AM_SUBST_NOTMAKE([am__nodep])dnl
 # Generate code to set up dependency tracking. -*- Autoconf -*-
-# Copyright (C) 1999-2018 Free Software Foundation, Inc.
+# Copyright (C) 1999-2020 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -371,7 +371,9 @@ AC_DEFUN([_AM_OUTPUT_DEPENDENCY_COMMANDS],
 done
 if test $am_rc -ne 0; then
 AC_MSG_FAILURE([Something went wrong bootstrapping makefile fragments
- for automatic dependency tracking. Try re-running configure with the
+ for automatic dependency tracking. If GNU make was not used, consider
+ re-running the configure script with MAKE="gmake" (or whatever is
+ necessary). You can also try re-running configure with the
 '--disable-dependency-tracking' option to at least be able to build
 the package (albeit without support for automatic dependency tracking).])
 fi
@@ -398,7 +400,7 @@ AC_DEFUN([AM_OUTPUT_DEPENDENCY_COMMANDS],
 # Do all the work for Automake. -*- Autoconf -*-
-# Copyright (C) 1996-2018 Free Software Foundation, Inc.
+# Copyright (C) 1996-2020 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -595,7 +597,7 @@ for _am_header in $config_headers :; do
 done
 echo "timestamp for $_am_arg" >`AS_DIRNAME(["$_am_arg"])`/stamp-h[]$_am_stamp_count])
-# Copyright (C) 2001-2018 Free Software Foundation, Inc.
+# Copyright (C) 2001-2020 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -616,7 +618,7 @@ if test x"${install_sh+set}" != xset; then
 fi
 AC_SUBST([install_sh])])
-# Copyright (C) 2003-2018 Free Software Foundation, Inc.
+# Copyright (C) 2003-2020 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -637,7 +639,7 @@ AC_SUBST([am__leading_dot])])
 # Check to see how 'make' treats includes. -*- Autoconf -*-
-# Copyright (C) 2001-2018 Free Software Foundation, Inc.
+# Copyright (C) 2001-2020 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -680,7 +682,7 @@ AC_SUBST([am__quote])])
 # Fake the existence of programs that GNU maintainers use. -*- Autoconf -*-
-# Copyright (C) 1997-2018 Free Software Foundation, Inc.
+# Copyright (C) 1997-2020 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -719,7 +721,7 @@ fi
 # Helper functions for option handling. -*- Autoconf -*-
-# Copyright (C) 2001-2018 Free Software Foundation, Inc.
+# Copyright (C) 2001-2020 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -748,7 +750,7 @@ AC_DEFUN([_AM_SET_OPTIONS],
 AC_DEFUN([_AM_IF_OPTION],
 [m4_ifset(_AM_MANGLE_OPTION([$1]), [$2], [$3])])
-# Copyright (C) 1999-2018 Free Software Foundation, Inc.
+# Copyright (C) 1999-2020 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -795,7 +797,7 @@ AC_LANG_POP([C])])
 # For backward compatibility.
 AC_DEFUN_ONCE([AM_PROG_CC_C_O], [AC_REQUIRE([AC_PROG_CC])])
-# Copyright (C) 2001-2018 Free Software Foundation, Inc.
+# Copyright (C) 2001-2020 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -814,7 +816,7 @@ AC_DEFUN([AM_RUN_LOG],
 # Check to make sure that the build environment is sane. -*- Autoconf -*-
-# Copyright (C) 1996-2018 Free Software Foundation, Inc.
+# Copyright (C) 1996-2020 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -895,7 +897,7 @@ AC_CONFIG_COMMANDS_PRE(
 rm -f conftest.file
 ])
-# Copyright (C) 2009-2018 Free Software Foundation, Inc.
+# Copyright (C) 2009-2020 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -955,7 +957,7 @@ AC_SUBST([AM_BACKSLASH])dnl
 _AM_SUBST_NOTMAKE([AM_BACKSLASH])dnl
 ])
-# Copyright (C) 2001-2018 Free Software Foundation, Inc.
+# Copyright (C) 2001-2020 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -983,7 +985,7 @@ fi
 INSTALL_STRIP_PROGRAM="\$(install_sh) -c -s"
 AC_SUBST([INSTALL_STRIP_PROGRAM])])
-# Copyright (C) 2006-2018 Free Software Foundation, Inc.
+# Copyright (C) 2006-2020 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -1002,7 +1004,7 @@ AC_DEFUN([AM_SUBST_NOTMAKE], [_AM_SUBST_NOTMAKE($@)])
 # Check how to create a tarball. -*- Autoconf -*-
-# Copyright (C) 2004-2018 Free Software Foundation, Inc.
+# Copyright (C) 2004-2020 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
diff --git a/build/Makefile.am b/build/Makefile.am
index b011141..46973b4 100644
--- a/build/Makefile.am
+++ b/build/Makefile.am
@@ -5,7 +5,7 @@
 # packet encryption, packet authentication, and
 # packet compression.
 #
-# Copyright (C) 2002-2018 OpenVPN Inc
+# Copyright (C) 2002-2021 OpenVPN Inc
 #
 MAINTAINERCLEANFILES = \
diff --git a/build/Makefile.in b/build/Makefile.in
index 727a8d1..a3fb154 100644
--- a/build/Makefile.in
+++ b/build/Makefile.in
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.16.1 from Makefile.am. +# Makefile.in generated by automake 1.16.2 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2018 Free Software Foundation, Inc. +# Copyright (C) 1994-2020 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -21,7 +21,7 @@ # packet encryption, packet authentication, and # packet compression. # -# Copyright (C) 2002-2018 OpenVPN Inc +# Copyright (C) 2002-2021 OpenVPN Inc # VPATH = @srcdir@ am__is_gnu_make = { \ @@ -366,6 +366,7 @@ plugindir = @plugindir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ +runstatedir = @runstatedir@ sampledir = @sampledir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ diff --git a/build/msvc/Makefile.am b/build/msvc/Makefile.am index 3e9c3fe..820e312 100644 --- a/build/msvc/Makefile.am +++ b/build/msvc/Makefile.am @@ -5,7 +5,7 @@ # packet encryption, packet authentication, and # packet compression. # -# Copyright (C) 2002-2018 OpenVPN Inc +# Copyright (C) 2002-2021 OpenVPN Inc # Copyright (C) 2006-2012 Alon Bar-Lev # diff --git a/build/msvc/Makefile.in b/build/msvc/Makefile.in index c55b593..7aa8bd1 100644 --- a/build/msvc/Makefile.in +++ b/build/msvc/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.16.1 from Makefile.am. +# Makefile.in generated by automake 1.16.2 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2018 Free Software Foundation, Inc. +# Copyright (C) 1994-2020 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -21,7 +21,7 @@ # packet encryption, packet authentication, and # packet compression. # -# Copyright (C) 2002-2018 OpenVPN Inc +# Copyright (C) 2002-2021 OpenVPN Inc # Copyright (C) 2006-2012 Alon Bar-Lev # VPATH = @srcdir@ 
@@ -367,6 +367,7 @@ plugindir = @plugindir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ +runstatedir = @runstatedir@ sampledir = @sampledir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ diff --git a/build/msvc/msvc-generate/Makefile.am b/build/msvc/msvc-generate/Makefile.am index 4ae850f..3f189cf 100644 --- a/build/msvc/msvc-generate/Makefile.am +++ b/build/msvc/msvc-generate/Makefile.am @@ -5,7 +5,7 @@ # packet encryption, packet authentication, and # packet compression. # -# Copyright (C) 2002-2018 OpenVPN Inc +# Copyright (C) 2002-2021 OpenVPN Inc # Copyright (C) 2006-2012 Alon Bar-Lev # diff --git a/build/msvc/msvc-generate/Makefile.in b/build/msvc/msvc-generate/Makefile.in index cbcd587..80e9bca 100644 --- a/build/msvc/msvc-generate/Makefile.in +++ b/build/msvc/msvc-generate/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.16.1 from Makefile.am. +# Makefile.in generated by automake 1.16.2 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2018 Free Software Foundation, Inc. +# Copyright (C) 1994-2020 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -21,7 +21,7 @@ # packet encryption, packet authentication, and # packet compression. # -# Copyright (C) 2002-2018 OpenVPN Inc +# Copyright (C) 2002-2021 OpenVPN Inc # Copyright (C) 2006-2012 Alon Bar-Lev # @@ -310,6 +310,7 @@ plugindir = @plugindir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ +runstatedir = @runstatedir@ sampledir = @sampledir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ diff --git a/build/msvc/msvc-generate/Makefile.mak b/build/msvc/msvc-generate/Makefile.mak index 59fc9f0..6da859e 100644 --- a/build/msvc/msvc-generate/Makefile.mak +++ b/build/msvc/msvc-generate/Makefile.mak 
@@ -11,7 +11,10 @@ OUTPUT_PLUGIN=$(SOURCEBASE)/include/openvpn-plugin.h INPUT_PLUGIN_CONFIG=version.m4.in OUTPUT_PLUGIN_CONFIG=version.m4 -all: $(OUTPUT_MSVC_VER) $(OUTPUT_PLUGIN) +INPUT_MAN=$(SOURCEBASE)/doc/openvpn.8.rst +OUTPUT_MAN=$(SOURCEBASE)/doc/openvpn.8.html + +all: $(OUTPUT_MSVC_VER) $(OUTPUT_PLUGIN) $(OUTPUT_MAN) $(OUTPUT_MSVC_VER): $(INPUT_MSVC_VER) $(CONFIG) cscript //nologo msvc-generate.js --config="$(CONFIG)" --input="$(INPUT_MSVC_VER)" --output="$(OUTPUT_MSVC_VER)" @@ -22,7 +25,11 @@ $(OUTPUT_PLUGIN_CONFIG): $(INPUT_PLUGIN_CONFIG) $(OUTPUT_PLUGIN): $(INPUT_PLUGIN) $(OUTPUT_PLUGIN_CONFIG) cscript //nologo msvc-generate.js --config="$(OUTPUT_PLUGIN_CONFIG)" --input="$(INPUT_PLUGIN)" --output="$(OUTPUT_PLUGIN)" +$(OUTPUT_MAN): $(INPUT_MAN) + -FOR /F %i IN ('where rst2html.py') DO python %i "$(INPUT_MAN)" "$(OUTPUT_MAN)" + clean: -del "$(OUTPUT_MSVC_VER)" -del "$(OUTPUT_PLUGIN)" -del "$(OUTPUT_PLUGIN_CONFIG)" + -del "$(OUTPUT_MAN)" diff --git a/build/msvc/msvc-generate/msvc-generate.vcxproj b/build/msvc/msvc-generate/msvc-generate.vcxproj index 72d310a..dda8b05 100644 --- a/build/msvc/msvc-generate/msvc-generate.vcxproj +++ b/build/msvc/msvc-generate/msvc-generate.vcxproj @@ -1,6 +1,10 @@  + + Debug + ARM64 + Debug Win32 @@ -9,6 +13,10 @@ Debug x64 + + Release + ARM64 + Release Win32 @@ -22,24 +30,32 @@ {8598C2C8-34C4-47A1-99B0-7C295A890615} msvc-generate MakeFileProj - 10.0.17134.0 + 10.0 Makefile - v141 + v142 Makefile - v141 + v142 + + + Makefile + v142 Makefile - v141 + v142 Makefile - v141 + v142 + + + Makefile + v142 @@ -52,6 +68,10 @@ + + + + @@ -60,6 +80,10 @@ + + + + <_ProjectFileVersion>10.0.30319.1 
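Review bot: The new `$(OUTPUT_MAN)` recipe is prefixed with `-`, so nmake ignores its exit status and a missing `rst2html.py` or a failed conversion leaves `openvpn.8.html` absent while `all` still reports success; nothing in the file says this is intentional. `FOR /F %i IN ('where rst2html.py')` also iterates over every match `where` prints, so with several Python installations on PATH the conversion runs once per match and the last one wins, and it runs whichever `python` is first on PATH rather than the interpreter that owns that script. If best-effort is the intent, document it on the rule, e.g. `# Best-effort: HTML manual is skipped (not a build error) when rst2html.py is not on PATH`; otherwise drop the `-` so a broken docutils install fails the build visibly.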
@@ -67,42 +91,60 @@ $(Configuration)\ nmake -f Makefile.mak all nmake -f Makefile.mak all + nmake -f Makefile.mak all nmake -f Makefile.mak clean all nmake -f Makefile.mak clean all + nmake -f Makefile.mak clean all nmake -f Makefile.mak clean nmake -f Makefile.mak clean + nmake -f Makefile.mak clean config-msvc-version.h config-msvc-version.h + config-msvc-version.h WIN32;_DEBUG;$(NMakePreprocessorDefinitions) WIN32;_DEBUG;$(NMakePreprocessorDefinitions) + WIN32;_DEBUG;$(NMakePreprocessorDefinitions) $(NMakeIncludeSearchPath) $(NMakeIncludeSearchPath) + $(NMakeIncludeSearchPath) $(NMakeForcedIncludes) $(NMakeForcedIncludes) + $(NMakeForcedIncludes) $(NMakeAssemblySearchPath) $(NMakeAssemblySearchPath) + $(NMakeAssemblySearchPath) $(NMakeForcedUsingAssemblies) $(NMakeForcedUsingAssemblies) + $(NMakeForcedUsingAssemblies) $(Configuration)\ $(Configuration)\ nmake -f Makefile.mak all nmake -f Makefile.mak all + nmake -f Makefile.mak all nmake -f Makefile.mak clean all nmake -f Makefile.mak clean all + nmake -f Makefile.mak clean all nmake -f Makefile.mak clean nmake -f Makefile.mak clean + nmake -f Makefile.mak clean config-msvc-version.h config-msvc-version.h + config-msvc-version.h WIN32;NDEBUG;$(NMakePreprocessorDefinitions) WIN32;NDEBUG;$(NMakePreprocessorDefinitions) + WIN32;NDEBUG;$(NMakePreprocessorDefinitions) $(NMakeIncludeSearchPath) $(NMakeIncludeSearchPath) + $(NMakeIncludeSearchPath) $(NMakeForcedIncludes) $(NMakeForcedIncludes) + $(NMakeForcedIncludes) $(NMakeAssemblySearchPath) $(NMakeAssemblySearchPath) + $(NMakeAssemblySearchPath) $(NMakeForcedUsingAssemblies) $(NMakeForcedUsingAssemblies) + $(NMakeForcedUsingAssemblies) @@ -113,4 +155,4 @@ - + \ No newline at end of file diff --git a/compile b/compile index 99e5052..23fcba0 100755 --- a/compile +++ b/compile 
@@ -3,7 +3,7 @@ scriptversion=2018-03-07.03; # UTC -# Copyright (C) 1999-2018 Free Software Foundation, Inc. +# Copyright (C) 1999-2020 Free Software Foundation, Inc. # Written by Tom Tromey . # # This program is free software; you can redistribute it and/or modify @@ -53,7 +53,7 @@ func_file_conv () MINGW*) file_conv=mingw ;; - CYGWIN*) + CYGWIN* | MSYS*) file_conv=cygwin ;; *) @@ -67,7 +67,7 @@ func_file_conv () mingw/*) file=`cmd //C echo "$file " | sed -e 's/"\(.*\) " *$/\1/'` ;; - cygwin/*) + cygwin/* | msys/*) file=`cygpath -m "$file" || echo "$file"` ;; wine/*) diff --git a/configure b/configure index 8c3e35e..2fa8d28 100755 --- a/configure +++ b/configure @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for OpenVPN 2.5.1. +# Generated by GNU Autoconf 2.69 for OpenVPN 2.5.4. # # Report bugs to . # @@ -590,8 +590,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='OpenVPN' PACKAGE_TARNAME='openvpn' -PACKAGE_VERSION='2.5.1' -PACKAGE_STRING='OpenVPN 2.5.1' +PACKAGE_VERSION='2.5.4' +PACKAGE_STRING='OpenVPN 2.5.4' PACKAGE_BUGREPORT='openvpn-users@lists.sourceforge.net' PACKAGE_URL='' @@ -817,6 +817,7 @@ infodir docdir oldincludedir includedir +runstatedir localstatedir sharedstatedir sysconfdir @@ -964,6 +965,7 @@ datadir='${datarootdir}' sysconfdir='${prefix}/etc' sharedstatedir='${prefix}/com' localstatedir='${prefix}/var' +runstatedir='${localstatedir}/run' includedir='${prefix}/include' oldincludedir='/usr/include' docdir='${datarootdir}/doc/${PACKAGE_TARNAME}' 
@@ -1216,6 +1218,15 @@ do | -silent | --silent | --silen | --sile | --sil) silent=yes ;; + -runstatedir | --runstatedir | --runstatedi | --runstated \ + | --runstate | --runstat | --runsta | --runst | --runs \ + | --run | --ru | --r) + ac_prev=runstatedir ;; + -runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \ + | --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \ + | --run=* | --ru=* | --r=*) + runstatedir=$ac_optarg ;; + -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb) ac_prev=sbindir ;; -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \ @@ -1353,7 +1364,7 @@ fi for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \ datadir sysconfdir sharedstatedir localstatedir includedir \ oldincludedir docdir infodir htmldir dvidir pdfdir psdir \ - libdir localedir mandir + libdir localedir mandir runstatedir do eval ac_val=\$$ac_var # Remove trailing slashes. @@ -1466,7 +1477,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures OpenVPN 2.5.1 to adapt to many kinds of systems. +\`configure' configures OpenVPN 2.5.4 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1506,6 +1517,7 @@ Fine tuning of the installation directories: --sysconfdir=DIR read-only single-machine data [PREFIX/etc] --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com] --localstatedir=DIR modifiable single-machine data [PREFIX/var] + --runstatedir=DIR modifiable per-process data [LOCALSTATEDIR/run] --libdir=DIR object code libraries [EPREFIX/lib] --includedir=DIR C header files [PREFIX/include] --oldincludedir=DIR C header files for non-gcc [/usr/include] 
@@ -1536,7 +1548,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of OpenVPN 2.5.1:";; + short | recursive ) echo "Configuration of OpenVPN 2.5.4:";; esac cat <<\_ACEOF @@ -1749,7 +1761,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -OpenVPN configure 2.5.1 +OpenVPN configure 2.5.4 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2588,7 +2600,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by OpenVPN $as_me 2.5.1, which was +It was created by OpenVPN $as_me 2.5.4, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -2952,13 +2964,13 @@ if test -z "${htmldir}"; then fi -$as_echo "#define OPENVPN_VERSION_RESOURCE 2,5,1,0" >>confdefs.h +$as_echo "#define OPENVPN_VERSION_RESOURCE 2,5,4,0" >>confdefs.h OPENVPN_VERSION_MAJOR=2 OPENVPN_VERSION_MINOR=5 -OPENVPN_VERSION_PATCH=.1 +OPENVPN_VERSION_PATCH=.4 $as_echo "#define OPENVPN_VERSION_MAJOR 2" >>confdefs.h @@ -2967,7 +2979,7 @@ $as_echo "#define OPENVPN_VERSION_MAJOR 2" >>confdefs.h $as_echo "#define OPENVPN_VERSION_MINOR 5" >>confdefs.h -$as_echo "#define OPENVPN_VERSION_PATCH \".1\"" >>confdefs.h +$as_echo "#define OPENVPN_VERSION_PATCH \".4\"" >>confdefs.h ac_aux_dir= @@ -3493,7 +3505,7 @@ fi # Define the identity of the package. PACKAGE='openvpn' - VERSION='2.5.1' + VERSION='2.5.4' cat >>confdefs.h <<_ACEOF @@ -6256,7 +6268,7 @@ _ACEOF # -for ac_prog in rst2man +for ac_prog in rst2man rst2man.py do # Extract the first word of "$ac_prog", so it can be a program name with args. set dummy $ac_prog; ac_word=$2 
@@ -6298,7 +6310,7 @@ fi test -n "$RST2MAN" && break done -for ac_prog in rst2html +for ac_prog in rst2html rst2html.py do # Extract the first word of "$ac_prog", so it can be a program name with args. set dummy $ac_prog; ac_word=$2 @@ -18946,7 +18958,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by OpenVPN $as_me 2.5.1, which was +This file was extended by OpenVPN $as_me 2.5.4, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -19012,7 +19024,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -OpenVPN config.status 2.5.1 +OpenVPN config.status 2.5.4 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" @@ -20211,7 +20223,9 @@ $as_echo X/"$am_mf" | { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} as_fn_error $? "Something went wrong bootstrapping makefile fragments - for automatic dependency tracking. Try re-running configure with the + for automatic dependency tracking. If GNU make was not used, consider + re-running the configure script with MAKE=\"gmake\" (or whatever is + necessary). You can also try re-running configure with the '--disable-dependency-tracking' option to at least be able to build the package (albeit without support for automatic dependency tracking). See \`config.log' for more details" "$LINENO" 5; } diff --git a/configure.ac b/configure.ac index ebb3220..1f166c0 100644 --- a/configure.ac +++ b/configure.ac 
@@ -4,7 +4,7 @@ dnl session authentication and key exchange, dnl packet encryption, packet authentication, and dnl packet compression. dnl -dnl Copyright (C) 2002-2018 OpenVPN Inc +dnl Copyright (C) 2002-2021 OpenVPN Inc dnl Copyright (C) 2006-2012 Alon Bar-Lev dnl dnl This program is free software; you can redistribute it and/or modify @@ -376,8 +376,8 @@ AC_DEFINE_UNQUOTED([SYSTEMD_ASK_PASSWORD_PATH], ["$SYSTEMD_ASK_PASSWORD"], [Path # AC_ARG_VAR([RST2MAN], [path to rst2man utility]) AC_ARG_VAR([RST2HTML], [path to rst2html utility]) -AC_CHECK_PROGS([RST2MAN], [rst2man]) -AC_CHECK_PROGS([RST2HTML], [rst2html]) +AC_CHECK_PROGS([RST2MAN], [rst2man rst2man.py]) +AC_CHECK_PROGS([RST2HTML], [rst2html rst2html.py]) AM_CONDITIONAL([HAVE_PYDOCUTILS], [test "${RST2MAN}" -a "${RST2HTML}"]) # Set -std=c99 unless user already specified a -std= diff --git a/contrib/vcpkg-ports/openssl/portfile.cmake b/contrib/vcpkg-ports/openssl/portfile.cmake new file mode 100644 index 0000000..9b59a3c --- /dev/null +++ b/contrib/vcpkg-ports/openssl/portfile.cmake 
@@ -0,0 +1,25 @@ +if(EXISTS "${CURRENT_INSTALLED_DIR}/include/openssl/ssl.h") + message(FATAL_ERROR "Can't build openssl if libressl/boringssl is installed. Please remove libressl/boringssl, and try install openssl again if you need it.") +endif() + +set(OPENSSL_VERSION 1.1.1k) +vcpkg_download_distfile(ARCHIVE + URLS "https://www.openssl.org/source/openssl-${OPENSSL_VERSION}.tar.gz" "https://www.openssl.org/source/old/1.1.1/openssl-${OPENSSL_VERSION}.tar.gz" + FILENAME "openssl-${OPENSSL_VERSION}.tar.gz" + SHA512 73cd042d4056585e5a9dd7ab68e7c7310a3a4c783eafa07ab0b560e7462b924e4376436a6d38a155c687f6942a881cfc0c1b9394afcde1d8c46bf396e7d51121 +) + +vcpkg_find_acquire_program(PERL) +get_filename_component(PERL_EXE_PATH ${PERL} DIRECTORY) +vcpkg_add_to_path("${PERL_EXE_PATH}") + +if(VCPKG_TARGET_IS_UWP) + include("${CMAKE_CURRENT_LIST_DIR}/uwp/portfile.cmake") +elseif(VCPKG_TARGET_IS_WINDOWS AND NOT VCPKG_TARGET_IS_MINGW) + include("${CMAKE_CURRENT_LIST_DIR}/windows/portfile.cmake") +else() + include("${CMAKE_CURRENT_LIST_DIR}/unix/portfile.cmake") +endif() + + +file(INSTALL "${CMAKE_CURRENT_LIST_DIR}/usage" DESTINATION "${CURRENT_PACKAGES_DIR}/share/${PORT}") diff --git a/contrib/vcpkg-ports/openssl/unix/CMakeLists.txt b/contrib/vcpkg-ports/openssl/unix/CMakeLists.txt new file mode 100644 index 0000000..fd84816 --- /dev/null +++ b/contrib/vcpkg-ports/openssl/unix/CMakeLists.txt 
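Review bot: `set(OPENSSL_VERSION 1.1.1k)` and the `SHA512` below it pin one exact archive, but the file does not say that the two must be updated together, nor that this port is a local copy that will not follow upstream vcpkg on its own; a reader bumping the version without the hash gets a download failure, and a reader who never bumps keeps building a VPN against a fixed OpenSSL release. Add a comment above the `set()` such as `# Pinned release: update OPENSSL_VERSION and the SHA512 below together when tracking OpenSSL 1.1.1 security releases`. The second URL under `source/old/1.1.1/` is presumably there so the download keeps working after openssl.org moves the tarball to its archive directory; that deserves a one-line comment too, since it otherwise looks like a duplicate.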
@@ -0,0 +1,280 @@ +cmake_minimum_required(VERSION 3.9) +project(openssl C) + +if(NOT SOURCE_PATH) + message(FATAL_ERROR "Requires SOURCE_PATH") +endif() + +if(CMAKE_SYSTEM_NAME STREQUAL "Android" OR CMAKE_SYSTEM_NAME STREQUAL "Linux") + if(CMAKE_SYSTEM_PROCESSOR STREQUAL "x86_64") + set(PLATFORM linux-x86_64) + else() + set(PLATFORM linux-generic32) + endif() +elseif(CMAKE_SYSTEM_NAME STREQUAL "iOS") + if(VCPKG_TARGET_ARCHITECTURE MATCHES "arm64") + set(PLATFORM ios64-xcrun) + elseif(VCPKG_TARGET_ARCHITECTURE MATCHES "arm") + set(PLATFORM ios-xcrun) + elseif(VCPKG_TARGET_ARCHITECTURE MATCHES "x86" OR + VCPKG_TARGET_ARCHITECTURE MATCHES "x64") + set(PLATFORM iossimulator-xcrun) + else() + message(FATAL_ERROR "Unknown iOS target architecture: ${VCPKG_TARGET_ARCHITECTURE}") + endif() + # disable that makes linkage error (e.g. require stderr usage) + list(APPEND DISABLES no-stdio no-ui no-asm) +elseif(CMAKE_SYSTEM_NAME STREQUAL "Darwin") + if(VCPKG_TARGET_ARCHITECTURE MATCHES "arm64") + set(PLATFORM darwin64-arm64-cc) + else() + set(PLATFORM darwin64-x86_64-cc) + endif() +elseif(CMAKE_SYSTEM_NAME STREQUAL "FreeBSD") + set(PLATFORM BSD-generic64) +elseif(CMAKE_SYSTEM_NAME STREQUAL "OpenBSD") + set(PLATFORM BSD-generic64) +elseif(MINGW) + if(CMAKE_SYSTEM_PROCESSOR STREQUAL "x86_64") + set(PLATFORM mingw64) + else() + set(PLATFORM mingw) + endif() +elseif(EMSCRIPTEN) + set(MAKE $ENV{EMSDK}/upstream/emscripten/emmake) + set(ENV{MAKE} $ENV{EMSDK}/upstream/emscripten/emmake) +else() + message(FATAL_ERROR "Unknown platform") +endif() + +get_filename_component(COMPILER_ROOT "${CMAKE_C_COMPILER}" DIRECTORY) + +message("CMAKE_C_COMPILER=${CMAKE_C_COMPILER}") +message("COMPILER_ROOT=${COMPILER_ROOT}") +message("CMAKE_SYSROOT=${CMAKE_SYSROOT}") +message("CMAKE_OSX_SYSROOT=${CMAKE_OSX_SYSROOT}") +message("CMAKE_OSX_DEPLOYMENT_TARGET=${CMAKE_OSX_DEPLOYMENT_TARGET}") +message("CMAKE_C_FLAGS=${CMAKE_C_FLAGS}") +message("CMAKE_C_FLAGS_RELEASE=${CMAKE_C_FLAGS_RELEASE}") 
+message("CMAKE_C_FLAGS_DEBUG=${CMAKE_C_FLAGS_DEBUG}") +message("CMAKE_INCLUDE_SYSTEM_FLAG_C=${CMAKE_INCLUDE_SYSTEM_FLAG_C}") +message("CMAKE_C_OSX_DEPLOYMENT_TARGET_FLAG=${CMAKE_C_OSX_DEPLOYMENT_TARGET_FLAG}") + +set(CFLAGS "${CMAKE_C_FLAGS}") +if(CMAKE_CXX_COMPILER_ID STREQUAL "Clang") + set(CFLAGS "-Wno-error=unused-command-line-argument ${CMAKE_C_FLAGS}") +endif() +if(CMAKE_C_COMPILER_TARGET AND CMAKE_C_COMPILE_OPTIONS_TARGET) + set(CFLAGS "${CFLAGS} ${CMAKE_C_COMPILE_OPTIONS_TARGET}${CMAKE_C_COMPILER_TARGET}") +endif() +if(CMAKE_C_COMPILER_EXTERNAL_TOOLCHAIN AND CMAKE_C_COMPILE_OPTIONS_EXTERNAL_TOOLCHAIN) + set(CFLAGS "${CFLAGS} ${CMAKE_C_COMPILE_OPTIONS_EXTERNAL_TOOLCHAIN}${CMAKE_C_COMPILER_EXTERNAL_TOOLCHAIN}") +endif() +if(CMAKE_SYSROOT AND CMAKE_C_COMPILE_OPTIONS_SYSROOT) + set(CFLAGS "${CFLAGS} ${CMAKE_C_COMPILE_OPTIONS_SYSROOT}${CMAKE_SYSROOT}") +elseif(CMAKE_OSX_SYSROOT AND CMAKE_C_COMPILE_OPTIONS_SYSROOT) + set(CFLAGS "${CFLAGS} ${CMAKE_C_COMPILE_OPTIONS_SYSROOT}${CMAKE_OSX_SYSROOT}") +endif() +if (CMAKE_OSX_DEPLOYMENT_TARGET AND CMAKE_C_OSX_DEPLOYMENT_TARGET_FLAG) + set(CFLAGS "${CFLAGS} ${CMAKE_C_OSX_DEPLOYMENT_TARGET_FLAG}${CMAKE_OSX_DEPLOYMENT_TARGET}") +endif() + +string(REGEX REPLACE "^ " "" CFLAGS "${CFLAGS}") + +if(CMAKE_HOST_WIN32) + file(TO_NATIVE_PATH ENV_PATH "${COMPILER_ROOT};$ENV{PATH}") +else() + file(TO_NATIVE_PATH ENV_PATH "${COMPILER_ROOT}:$ENV{PATH}") +endif() +set(ENV{ANDROID_DEV} "${CMAKE_SYSROOT}/usr") + +if(NOT IOS) + set(ENV{CC} "${CMAKE_C_COMPILER}") +endif() + +message("ENV{ANDROID_DEV}=$ENV{ANDROID_DEV}") + +get_filename_component(SOURCE_PATH_NAME "${SOURCE_PATH}" NAME) +set(BUILDDIR "${CMAKE_CURRENT_BINARY_DIR}/${SOURCE_PATH_NAME}") + +if(NOT EXISTS "${BUILDDIR}") + file(COPY ${SOURCE_PATH} DESTINATION ${CMAKE_CURRENT_BINARY_DIR}) +endif() + +get_filename_component(MSYS_BIN_DIR "${MAKE}" DIRECTORY) + +if(BUILD_SHARED_LIBS) + set(SHARED shared) + file(STRINGS "${BUILDDIR}/include/openssl/opensslv.h" SHLIB_VERSION + REGEX 
"^#[\t ]*define[\t ]+SHLIB_VERSION_NUMBER[\t ]+\".*\".*") + string(REGEX REPLACE "^.*SHLIB_VERSION_NUMBER[\t ]+\"([^\"]*)\".*$" "\\1" + SHLIB_VERSION "${SHLIB_VERSION}") + if(CMAKE_SYSTEM_NAME STREQUAL "Darwin" OR CMAKE_SYSTEM_NAME STREQUAL "iOS") + set(LIB_EXT dylib) + set(LIB_EXTS ${SHLIB_VERSION}.${LIB_EXT}) + elseif(MINGW) + string(REPLACE "." "_" SHLIB_VERSION "${SHLIB_VERSION}") + set(BIN_EXT dll) + set(LIB_EXT dll.a) + else() + set(LIB_EXT so) + set(LIB_EXTS ${LIB_EXT}.${SHLIB_VERSION}) + endif() + list(APPEND BIN_EXTS ${BIN_EXT}) + list(APPEND LIB_EXTS ${LIB_EXT}) +else() + set(SHARED no-shared) + set(LIB_EXTS a) +endif() +foreach(lib ssl crypto) + foreach(ext ${LIB_EXTS}) + list(APPEND INSTALL_LIBS "${BUILDDIR}/lib${lib}.${ext}") + list(APPEND INSTALL_PKG_CONFIGS "${BUILDDIR}/lib${lib}.pc") + endforeach() + foreach(ext ${BIN_EXTS}) + # This might be wrong for targets which don't follow this naming scheme, but I'm not aware of any + if(CMAKE_SYSTEM_PROCESSOR STREQUAL "x86_64") + list(APPEND INSTALL_BINS "${BUILDDIR}/lib${lib}-${SHLIB_VERSION}-x64.${ext}") + else() + list(APPEND INSTALL_BINS "${BUILDDIR}/lib${lib}-${SHLIB_VERSION}.${ext}") + endif() + endforeach() +endforeach() + +if(CMAKE_HOST_WIN32) + set(ENV_COMMAND set) + set(PATH_VAR ";%PATH%") +else() + set(ENV_COMMAND export) + set(PATH_VAR ":$ENV{PATH}") +endif() + +add_custom_command( + OUTPUT "${BUILDDIR}/Makefile" + COMMAND ${ENV_COMMAND} "PATH=${MSYS_BIN_DIR}${PATH_VAR}" + VERBATIM + WORKING_DIRECTORY "${BUILDDIR}" +) + +if(NOT IOS) + add_custom_command( + OUTPUT "${BUILDDIR}/Makefile" + COMMAND ${ENV_COMMAND} CC=${CMAKE_C_COMPILER} + COMMAND ${ENV_COMMAND} AR=${CMAKE_AR} + COMMAND ${ENV_COMMAND} LD=${CMAKE_LINKER} + COMMAND ${ENV_COMMAND} RANLIB=${CMAKE_RANLIB} + COMMAND ${ENV_COMMAND} MAKE=${MAKE} + COMMAND ${ENV_COMMAND} MAKEDEPPROG=${CMAKE_C_COMPILER} + VERBATIM + APPEND + ) + + if(EMSCRIPTEN) + list(APPEND DISABLES + threads + no-engine + no-dso + no-asm + no-shared + no-sse2 + no-srtp + ) + 
else() + list(APPEND DISABLES + enable-static-engine + no-zlib + no-ssl2 + no-idea + no-cast + no-seed + no-md2 + no-tests) + endif() +endif() + +if(EMSCRIPTEN) + add_custom_command( + OUTPUT "${BUILDDIR}/Makefile" + COMMAND "$ENV{EMSDK}/upstream/emscripten/emconfigure" ./config + ${SHARED} + ${DISABLES} + "--prefix=${CMAKE_INSTALL_PREFIX}" + "--openssldir=/etc/ssl" + "--cross-compile-prefix=\"/\"" + VERBATIM + APPEND + ) + + add_custom_target(build_libs ALL + COMMAND ${ENV_COMMAND} "PATH=${MSYS_BIN_DIR}${PATH_VAR}" + COMMAND "${CMAKE_COMMAND}" -E touch "${BUILDDIR}/krb5.h" + COMMAND "${MAKE}" make build_libs + VERBATIM + WORKING_DIRECTORY "${BUILDDIR}" + DEPENDS "${BUILDDIR}/Makefile" + BYPRODUCTS ${INSTALL_LIBS} + ) +else() + add_custom_command( + OUTPUT "${BUILDDIR}/Makefile" + COMMAND "${PERL}" Configure + ${SHARED} + ${DISABLES} + ${PLATFORM} + "--prefix=${CMAKE_INSTALL_PREFIX}" + "--openssldir=/etc/ssl" + ${CFLAGS} + VERBATIM + APPEND + ) + + add_custom_target(build_libs ALL + COMMAND ${ENV_COMMAND} "PATH=${MSYS_BIN_DIR}${PATH_VAR}" + COMMAND "${CMAKE_COMMAND}" -E touch "${BUILDDIR}/krb5.h" + COMMAND "${MAKE}" -j ${VCPKG_CONCURRENCY} build_libs + VERBATIM + WORKING_DIRECTORY "${BUILDDIR}" + DEPENDS "${BUILDDIR}/Makefile" + BYPRODUCTS ${INSTALL_LIBS} + ) +endif() + +add_custom_command( + OUTPUT "${BUILDDIR}/Makefile" + COMMAND "${CMAKE_COMMAND}" "-DDIR=${BUILDDIR}" -P "${CMAKE_CURRENT_LIST_DIR}/remove-deps.cmake" + VERBATIM + APPEND +) + +if((CMAKE_SYSTEM_NAME STREQUAL "Darwin" OR CMAKE_SYSTEM_NAME STREQUAL "iOS") AND BUILD_SHARED_LIBS) + if(DEFINED CMAKE_INSTALL_NAME_DIR) + set(ID_PREFIX "${CMAKE_INSTALL_NAME_DIR}") + else() + set(ID_PREFIX "@rpath") + endif() + + add_custom_command( + TARGET build_libs + COMMAND /usr/bin/install_name_tool -id "${ID_PREFIX}/libssl.${SHLIB_VERSION}.dylib" + "${BUILDDIR}/libssl.${SHLIB_VERSION}.dylib" + COMMAND /usr/bin/install_name_tool -id "${ID_PREFIX}/libcrypto.${SHLIB_VERSION}.dylib" + "${BUILDDIR}/libcrypto.1.1.dylib" + 
COMMAND /usr/bin/install_name_tool -change "${CMAKE_INSTALL_PREFIX}/lib/libcrypto.${SHLIB_VERSION}.dylib" + "${ID_PREFIX}/libcrypto.${SHLIB_VERSION}.dylib" + "${BUILDDIR}/libssl.${SHLIB_VERSION}.dylib" + VERBATIM + ) +endif() + +install( + FILES ${INSTALL_LIBS} + DESTINATION lib +) +install( + FILES ${INSTALL_BINS} + DESTINATION bin +) +install( + FILES ${INSTALL_PKG_CONFIGS} + DESTINATION lib/pkgconfig +) diff --git a/contrib/vcpkg-ports/openssl/unix/portfile.cmake b/contrib/vcpkg-ports/openssl/unix/portfile.cmake new file mode 100644 index 0000000..9122349 --- /dev/null +++ b/contrib/vcpkg-ports/openssl/unix/portfile.cmake 
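Review bot: In the Darwin/iOS shared-library block the second `install_name_tool -id` call rewrites `"${BUILDDIR}/libcrypto.1.1.dylib"`, a hard-coded filename, while the install name it sets and the sibling commands use `${SHLIB_VERSION}`; if `SHLIB_VERSION` read from `opensslv.h` is ever not `1.1`, the command targets a file this build did not produce and the installed libcrypto keeps its build-tree id. Change that argument to `"${BUILDDIR}/libcrypto.${SHLIB_VERSION}.dylib"` to match the other three paths. Separately, `"--openssldir=/etc/ssl"` is passed to `Configure` unconditionally, so the resulting library looks for its configuration and trust store under `/etc/ssl` regardless of `CMAKE_INSTALL_PREFIX`; that is a deployment-relevant choice and is worth a comment on the `Configure` command, e.g. `# openssldir is fixed to /etc/ssl so the built library uses the system config and CA store`.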
@@ -0,0 +1,49 @@ +if (NOT VCPKG_TARGET_IS_MINGW) + vcpkg_fail_port_install(MESSAGE "${PORT} is only for openssl on Unix-like systems" ON_TARGET "UWP" "Windows") +endif() + +vcpkg_extract_source_archive_ex( + OUT_SOURCE_PATH MASTER_COPY_SOURCE_PATH + ARCHIVE "${ARCHIVE}" + REF ${OPENSSL_VERSION} +) + +if(CMAKE_HOST_WIN32) + vcpkg_acquire_msys(MSYS_ROOT PACKAGES make perl) + set(MAKE ${MSYS_ROOT}/usr/bin/make.exe) + set(PERL ${MSYS_ROOT}/usr/bin/perl.exe) +else() + find_program(MAKE make) + if(NOT MAKE) + message(FATAL_ERROR "Could not find make. Please install it through your package manager.") + endif() +endif() + +vcpkg_configure_cmake( + SOURCE_PATH ${CMAKE_CURRENT_LIST_DIR} + PREFER_NINJA + OPTIONS + -DSOURCE_PATH=${MASTER_COPY_SOURCE_PATH} + -DPERL=${PERL} + -DMAKE=${MAKE} + -DVCPKG_CONCURRENCY=${VCPKG_CONCURRENCY} + OPTIONS_RELEASE + -DINSTALL_HEADERS=ON +) + +vcpkg_install_cmake() +vcpkg_fixup_pkgconfig() + +file(GLOB HEADERS ${CURRENT_BUILDTREES_DIR}/${TARGET_TRIPLET}-rel/*/include/openssl/*.h) +set(RESOLVED_HEADERS) +foreach(HEADER ${HEADERS}) + get_filename_component(X "${HEADER}" REALPATH) + list(APPEND RESOLVED_HEADERS "${X}") +endforeach() + +file(INSTALL ${RESOLVED_HEADERS} DESTINATION ${CURRENT_PACKAGES_DIR}/include/openssl) +file(INSTALL ${MASTER_COPY_SOURCE_PATH}/LICENSE DESTINATION ${CURRENT_PACKAGES_DIR}/share/${PORT} RENAME copyright) + +if(VCPKG_LIBRARY_LINKAGE STREQUAL "static") + file(COPY ${CMAKE_CURRENT_LIST_DIR}/vcpkg-cmake-wrapper.cmake DESTINATION ${CURRENT_PACKAGES_DIR}/share/openssl) +endif() diff --git a/contrib/vcpkg-ports/openssl/unix/remove-deps.cmake b/contrib/vcpkg-ports/openssl/unix/remove-deps.cmake new file mode 100644 index 0000000..53ad6ef --- /dev/null +++ b/contrib/vcpkg-ports/openssl/unix/remove-deps.cmake 
@@ -0,0 +1,7 @@ +file(GLOB_RECURSE MAKEFILES ${DIR}/*/Makefile) +foreach(MAKEFILE ${MAKEFILES}) + message("removing deps from ${MAKEFILE}") + file(READ "${MAKEFILE}" _contents) + string(REGEX REPLACE "\n# DO NOT DELETE THIS LINE.*" "" _contents "${_contents}") + file(WRITE "${MAKEFILE}" "${_contents}") +endforeach() diff --git a/contrib/vcpkg-ports/openssl/unix/vcpkg-cmake-wrapper.cmake b/contrib/vcpkg-ports/openssl/unix/vcpkg-cmake-wrapper.cmake new file mode 100644 index 0000000..f36b687 --- /dev/null +++ b/contrib/vcpkg-ports/openssl/unix/vcpkg-cmake-wrapper.cmake @@ -0,0 +1,18 @@ +_find_package(${ARGS}) +if(OPENSSL_FOUND) + find_library(OPENSSL_DL_LIBRARY NAMES dl) + if(OPENSSL_DL_LIBRARY) + list(APPEND OPENSSL_LIBRARIES "dl") + if(TARGET OpenSSL::Crypto) + set_property(TARGET OpenSSL::Crypto APPEND PROPERTY INTERFACE_LINK_LIBRARIES "dl") + endif() + endif() + find_package(Threads REQUIRED) + list(APPEND OPENSSL_LIBRARIES ${CMAKE_THREAD_LIBS_INIT}) + if(TARGET OpenSSL::Crypto) + set_property(TARGET OpenSSL::Crypto APPEND PROPERTY INTERFACE_LINK_LIBRARIES "Threads::Threads") + endif() + if(TARGET OpenSSL::SSL) + set_property(TARGET OpenSSL::SSL APPEND PROPERTY INTERFACE_LINK_LIBRARIES "Threads::Threads") + endif() +endif() diff --git a/contrib/vcpkg-ports/openssl/usage b/contrib/vcpkg-ports/openssl/usage new file mode 100644 index 0000000..cf83f33 --- /dev/null +++ b/contrib/vcpkg-ports/openssl/usage @@ -0,0 +1,4 @@ +The package openssl is compatible with built-in CMake targets: + + find_package(OpenSSL REQUIRED) + target_link_libraries(main PRIVATE OpenSSL::SSL OpenSSL::Crypto) diff --git a/contrib/vcpkg-ports/openssl/uwp/EnableUWPSupport.patch b/contrib/vcpkg-ports/openssl/uwp/EnableUWPSupport.patch new file mode 100644 index 0000000..fe78374 --- /dev/null +++ b/contrib/vcpkg-ports/openssl/uwp/EnableUWPSupport.patch 
@@ -0,0 +1,170 @@ +diff --git a/Configurations/10-main.conf b/Configurations/10-main.conf +index 3c4299d264..99fcb1f713 100644 +--- a/Configurations/10-main.conf ++++ b/Configurations/10-main.conf +@@ -1287,7 +1287,7 @@ my %targets = ( + }, + "VC-WIN64I" => { + inherit_from => [ "VC-WIN64-common", asm("ia64_asm"), +- sub { $disabled{shared} ? () : "ia64_uplink" } ], ++ sub { $disabled{uplink} ? () : "ia64_uplink" } ], + AS => "ias", + ASFLAGS => "-d debug", + asoutflag => "-o ", +@@ -1299,7 +1299,7 @@ my %targets = ( + }, + "VC-WIN64A" => { + inherit_from => [ "VC-WIN64-common", asm("x86_64_asm"), +- sub { $disabled{shared} ? () : "x86_64_uplink" } ], ++ sub { $disabled{uplink} ? () : "x86_64_uplink" } ], + AS => sub { vc_win64a_info()->{AS} }, + ASFLAGS => sub { vc_win64a_info()->{ASFLAGS} }, + asoutflag => sub { vc_win64a_info()->{asoutflag} }, +@@ -1312,7 +1312,7 @@ my %targets = ( + }, + "VC-WIN32" => { + inherit_from => [ "VC-noCE-common", asm("x86_asm"), +- sub { $disabled{shared} ? () : "uplink_common" } ], ++ sub { $disabled{uplink} ? () : "uplink_common" } ], + AS => sub { vc_win32_info()->{AS} }, + ASFLAGS => sub { vc_win32_info()->{ASFLAGS} }, + asoutflag => sub { vc_win32_info()->{asoutflag} }, +@@ -1374,7 +1374,7 @@ my %targets = ( + #### MinGW + "mingw" => { + inherit_from => [ "BASE_unix", asm("x86_asm"), +- sub { $disabled{shared} ? () : "x86_uplink" } ], ++ sub { $disabled{uplink} ? () : "x86_uplink" } ], + CC => "gcc", + CFLAGS => picker(default => "-Wall", + debug => "-g -O0", +diff --git a/Configurations/50-win-onecore.conf b/Configurations/50-win-onecore.conf +index d478f42b0f..e0fb70daca 100644 +--- a/Configurations/50-win-onecore.conf ++++ b/Configurations/50-win-onecore.conf +@@ -1,3 +1,4 @@ ++## -*- mode: perl; -*- + # Windows OneCore targets. 
+ # + # OneCore is new API stability "contract" that transcends Desktop, IoT and +@@ -10,6 +11,25 @@ + # TODO: extend error handling to use ETW based eventing + # (Or rework whole error messaging) + ++my $UWP_info = {}; ++sub UWP_info { ++ unless (%$UWP_info) { ++ my $SDKver = `pwsh.exe -Command \"& {\$(Get-Item \\\"hklm:\\SOFTWARE\\WOW6432Node\\Microsoft\\Microsoft SDKs\\Windows\\\").GetValue(\\\"CurrentVersion\\\")}\"`; ++ $SDKver =~ s|\R$||; ++ my @SDKver_split = split(/\./, $SDKver); ++ # SDK version older than 10.0.17763 don't support our ASM builds ++ if ($SDKver_split[0] < 10 ++ || ($SDKver_split[0] == 10 ++ && $SDKver_split[1] == 0 ++ && $SDKver_split[2] < 17763)) { ++ $UWP_info->{disable} = [ 'asm' ]; ++ } else { ++ $UWP_info->{disable} = [ ]; ++ } ++ } ++ return $UWP_info; ++} ++ + my %targets = ( + "VC-WIN32-ONECORE" => { + inherit_from => [ "VC-WIN32" ], +@@ -61,4 +81,57 @@ my %targets = ( + ex_libs => "onecore.lib", + multilib => "-arm64", + }, ++ ++ # Universal Windows Platform (UWP) App Support ++ ++ # TODO ++ # ++ # The 'disable' attribute should have 'uplink'. ++ # however, these are checked in some 'inherit_from', which is processed ++ # very early, before the 'disable' attributes are seen. ++ # This is a problem that needs to be resolved in Configure first. ++ # ++ # But if you want to build library with Windows 10 Version 1809 SDK or ++ # earlier, the 'disable' attribute should also have 'asm'. 
++ ++ "VC-WIN32-UWP" => { ++ inherit_from => [ "VC-WIN32-ONECORE" ], ++ lflags => add("/APPCONTAINER"), ++ defines => add("WINAPI_FAMILY=WINAPI_FAMILY_APP", ++ "_WIN32_WINNT=0x0A00"), ++ dso_scheme => "", ++ disable => sub { [ 'ui-console', 'stdio', 'async', 'uplink', ++ @{ UWP_info()->{disable} } ] }, ++ ex_libs => "WindowsApp.lib", ++ }, ++ "VC-WIN64A-UWP" => { ++ inherit_from => [ "VC-WIN64A-ONECORE" ], ++ lflags => add("/APPCONTAINER"), ++ defines => add("WINAPI_FAMILY=WINAPI_FAMILY_APP", ++ "_WIN32_WINNT=0x0A00"), ++ dso_scheme => "", ++ disable => sub { [ 'ui-console', 'stdio', 'async', 'uplink', ++ @{ UWP_info()->{disable} } ] }, ++ ex_libs => "WindowsApp.lib", ++ }, ++ "VC-WIN32-ARM-UWP" => { ++ inherit_from => [ "VC-WIN32-ARM" ], ++ lflags => add("/APPCONTAINER"), ++ defines => add("WINAPI_FAMILY=WINAPI_FAMILY_APP", ++ "_WIN32_WINNT=0x0A00"), ++ dso_scheme => "", ++ disable => sub { [ 'ui-console', 'stdio', 'async', 'uplink', ++ @{ UWP_info()->{disable} } ] }, ++ ex_libs => "WindowsApp.lib", ++ }, ++ "VC-WIN64-ARM-UWP" => { ++ inherit_from => [ "VC-WIN64-ARM" ], ++ lflags => add("/APPCONTAINER"), ++ defines => add("WINAPI_FAMILY=WINAPI_FAMILY_APP", ++ "_WIN32_WINNT=0x0A00"), ++ dso_scheme => "", ++ disable => sub { [ 'ui-console', 'stdio', 'async', 'uplink', ++ @{ UWP_info()->{disable} } ] }, ++ ex_libs => "WindowsApp.lib", ++ }, + ); +diff --git a/Configure b/Configure +index 5a699836f3..de45f1e299 100755 +--- a/Configure ++++ b/Configure +@@ -407,6 +408,7 @@ my @disablables = ( + "ubsan", + "ui-console", + "unit-test", ++ "uplink", + "whirlpool", + "weak-ssl-ciphers", + "zlib", +@@ -491,8 +493,8 @@ my @disable_cascades = ( + + # Without position independent code, there can be no shared libraries or DSOs + "pic" => [ "shared" ], +- "shared" => [ "dynamic-engine" ], ++ "shared" => [ "dynamic-engine", "uplink" ], + "dso" => [ "dynamic-engine" ], + "engine" => [ "afalgeng", "devcryptoeng" ], + + # no-autoalginit is only useful when building non-shared +diff 
--git a/INSTALL b/INSTALL +index 2119cbae9e..ee54e8c215 100644 +--- a/INSTALL ++++ b/INSTALL +@@ -560,6 +560,10 @@ + likely to complement configuration command line with + suitable compiler-specific option. + ++ no-uplink ++ Don't build support for UPLINK interface. ++ ++ + no- + Don't build support for negotiating the specified SSL/TLS + protocol (one of ssl, ssl3, tls, tls1, tls1_1, tls1_2, diff --git a/contrib/vcpkg-ports/openssl/uwp/make-openssl.bat b/contrib/vcpkg-ports/openssl/uwp/make-openssl.bat new file mode 100644 index 0000000..6f6166a --- /dev/null +++ b/contrib/vcpkg-ports/openssl/uwp/make-openssl.bat @@ -0,0 +1,16 @@ +set build=%1 + +perl Configure no-asm no-hw no-dso VC-WINUNIVERSAL -FS -FIWindows.h + +for /D %%f in ("%WindowsSdkDir%References\%WindowsSDKLibVersion%Windows.Foundation.FoundationContract\*") do set LibPath=%LibPath%;%%f\ +for /D %%f in ("%WindowsSdkDir%References\%WindowsSDKLibVersion%Windows.Foundation.UniversalApiContract\*") do set LibPath=%LibPath%;%%f\ +for /D %%f in ("%WindowsSdkDir%References\Windows.Foundation.FoundationContract\*") do set LibPath=%LibPath%;%%f\ +for /D %%f in ("%WindowsSdkDir%References\Windows.Foundation.UniversalApiContract\*") do set LibPath=%LibPath%;%%f\ + +call ms\do_winuniversal.bat + +mkdir inc32\openssl + +jom -j %NUMBER_OF_PROCESSORS% -k -f ms\ntdll.mak +REM due to a race condition in the build, we need to have a second single-threaded pass. +nmake -f ms\ntdll.mak diff --git a/contrib/vcpkg-ports/openssl/uwp/portfile.cmake b/contrib/vcpkg-ports/openssl/uwp/portfile.cmake new file mode 100644 index 0000000..08a523c --- /dev/null +++ b/contrib/vcpkg-ports/openssl/uwp/portfile.cmake 
@@ -0,0 +1,156 @@
+vcpkg_fail_port_install(MESSAGE "${PORT} is only for Windows Universal Platform" ON_TARGET "Linux" "OSX")
+
+vcpkg_check_linkage(ONLY_DYNAMIC_LIBRARY)
+
+vcpkg_find_acquire_program(JOM)
+get_filename_component(JOM_EXE_PATH ${JOM} DIRECTORY)
+vcpkg_add_to_path("${PERL_EXE_PATH}")
+
+vcpkg_extract_source_archive_ex(
+ OUT_SOURCE_PATH SOURCE_PATH
+ ARCHIVE ${ARCHIVE}
+ PATCHES
+ uwp/EnableUWPSupport.patch
+)
+
+vcpkg_find_acquire_program(NASM)
+get_filename_component(NASM_EXE_PATH ${NASM} DIRECTORY)
+vcpkg_add_to_path(PREPEND "${NASM_EXE_PATH}")
+
+set(CONFIGURE_COMMAND ${PERL} Configure
+ enable-static-engine
+ enable-capieng
+ no-unit-test
+ no-ssl2
+ no-asm
+ no-uplink
+ no-tests
+ -utf-8
+ shared
+)
+
+if(VCPKG_TARGET_ARCHITECTURE STREQUAL "x86")
+ set(OPENSSL_ARCH VC-WIN32-UWP)
+elseif(VCPKG_TARGET_ARCHITECTURE STREQUAL "x64")
+ set(OPENSSL_ARCH VC-WIN64A-UWP)
+elseif(VCPKG_TARGET_ARCHITECTURE STREQUAL "arm")
+ set(OPENSSL_ARCH VC-WIN32-ARM-UWP)
+elseif(VCPKG_TARGET_ARCHITECTURE STREQUAL "arm64")
+ set(OPENSSL_ARCH VC-WIN64-ARM-UWP)
+else()
+ message(FATAL_ERROR "Unsupported target architecture: ${VCPKG_TARGET_ARCHITECTURE}")
+endif()
+
+set(OPENSSL_MAKEFILE "makefile")
+
+file(REMOVE_RECURSE ${CURRENT_BUILDTREES_DIR}/${TARGET_TRIPLET}-rel ${CURRENT_BUILDTREES_DIR}/${TARGET_TRIPLET}-dbg)
+
+
+if(NOT DEFINED VCPKG_BUILD_TYPE OR VCPKG_BUILD_TYPE STREQUAL "release")
+
+ # Copy openssl sources.
+ message(STATUS "Copying openssl release source files...")
+ file(GLOB OPENSSL_SOURCE_FILES "${SOURCE_PATH}/*")
+ foreach(SOURCE_FILE ${OPENSSL_SOURCE_FILES})
+ file(COPY ${SOURCE_FILE} DESTINATION "${CURRENT_BUILDTREES_DIR}/${TARGET_TRIPLET}-rel")
+ endforeach()
+ message(STATUS "Copying openssl release source files... 
done")
+ set(SOURCE_PATH_RELEASE "${CURRENT_BUILDTREES_DIR}/${TARGET_TRIPLET}-rel")
+
+ set(OPENSSLDIR_RELEASE "${CURRENT_PACKAGES_DIR}")
+
+ message(STATUS "Configure ${TARGET_TRIPLET}-rel")
+ vcpkg_execute_required_process(
+ COMMAND ${CONFIGURE_COMMAND} ${OPENSSL_ARCH} "--prefix=${OPENSSLDIR_RELEASE}" "--openssldir=${OPENSSLDIR_RELEASE}" -FS
+ WORKING_DIRECTORY "${SOURCE_PATH_RELEASE}"
+ LOGNAME configure-perl-${TARGET_TRIPLET}-${VCPKG_BUILD_TYPE}-rel
+ )
+ message(STATUS "Configure ${TARGET_TRIPLET}-rel done")
+
+ message(STATUS "Build ${TARGET_TRIPLET}-rel")
+ # Openssl's buildsystem has a race condition which will cause JOM to fail at some point.
+ # This is ok; we just do as much work as we can in parallel first, then follow up with a single-threaded build.
+ make_directory(${SOURCE_PATH_RELEASE}/inc32/openssl)
+ execute_process(
+ COMMAND "${JOM}" -k -j ${VCPKG_CONCURRENCY} -f "${OPENSSL_MAKEFILE}" build_libs
+ WORKING_DIRECTORY "${SOURCE_PATH_RELEASE}"
+ OUTPUT_FILE "${CURRENT_BUILDTREES_DIR}/build-${TARGET_TRIPLET}-rel-0-out.log"
+ ERROR_FILE "${CURRENT_BUILDTREES_DIR}/build-${TARGET_TRIPLET}-rel-0-err.log"
+ )
+ vcpkg_execute_required_process(
+ COMMAND nmake -f "${OPENSSL_MAKEFILE}" install_dev
+ WORKING_DIRECTORY "${SOURCE_PATH_RELEASE}"
+ LOGNAME build-${TARGET_TRIPLET}-rel-1)
+
+ message(STATUS "Build ${TARGET_TRIPLET}-rel done")
+endif()
+
+
+if(NOT DEFINED VCPKG_BUILD_TYPE OR VCPKG_BUILD_TYPE STREQUAL "debug")
+ # Copy openssl sources.
+ message(STATUS "Copying openssl debug source files...")
+ file(GLOB OPENSSL_SOURCE_FILES ${SOURCE_PATH}/*)
+ foreach(SOURCE_FILE ${OPENSSL_SOURCE_FILES})
+ file(COPY "${SOURCE_FILE}" DESTINATION "${CURRENT_BUILDTREES_DIR}/${TARGET_TRIPLET}-dbg")
+ endforeach()
+ message(STATUS "Copying openssl debug source files... 
done")
+ set(SOURCE_PATH_DEBUG "${CURRENT_BUILDTREES_DIR}/${TARGET_TRIPLET}-dbg")
+
+ set(OPENSSLDIR_DEBUG "${CURRENT_PACKAGES_DIR}/debug")
+
+ message(STATUS "Configure ${TARGET_TRIPLET}-dbg")
+ vcpkg_execute_required_process(
+ COMMAND ${CONFIGURE_COMMAND} debug-${OPENSSL_ARCH} "--prefix=${OPENSSLDIR_DEBUG}" "--openssldir=${OPENSSLDIR_DEBUG}" -FS
+ WORKING_DIRECTORY "${SOURCE_PATH_DEBUG}"
+ LOGNAME configure-perl-${TARGET_TRIPLET}-${VCPKG_BUILD_TYPE}-dbg
+ )
+ message(STATUS "Configure ${TARGET_TRIPLET}-dbg done")
+
+ message(STATUS "Build ${TARGET_TRIPLET}-dbg")
+ make_directory("${SOURCE_PATH_DEBUG}/inc32/openssl")
+ execute_process(
+ COMMAND "${JOM}" -k -j ${VCPKG_CONCURRENCY} -f "${OPENSSL_MAKEFILE}" build_libs
+ WORKING_DIRECTORY "${SOURCE_PATH_DEBUG}"
+ OUTPUT_FILE "${CURRENT_BUILDTREES_DIR}/build-${TARGET_TRIPLET}-dbg-0-out.log"
+ ERROR_FILE "${CURRENT_BUILDTREES_DIR}/build-${TARGET_TRIPLET}-dbg-0-err.log"
+ )
+ vcpkg_execute_required_process(
+ COMMAND nmake -f "${OPENSSL_MAKEFILE}" install_dev
+ WORKING_DIRECTORY "${SOURCE_PATH_DEBUG}"
+ LOGNAME build-${TARGET_TRIPLET}-dbg-1)
+
+ message(STATUS "Build ${TARGET_TRIPLET}-dbg done")
+endif()
+
+file(REMOVE_RECURSE "${CURRENT_PACKAGES_DIR}/certs")
+file(REMOVE_RECURSE "${CURRENT_PACKAGES_DIR}/private")
+file(REMOVE_RECURSE "${CURRENT_PACKAGES_DIR}/lib/engines-1_1")
+file(REMOVE_RECURSE "${CURRENT_PACKAGES_DIR}/debug/certs")
+file(REMOVE_RECURSE "${CURRENT_PACKAGES_DIR}/debug/lib/engines-1_1")
+file(REMOVE_RECURSE "${CURRENT_PACKAGES_DIR}/debug/private")
+file(REMOVE_RECURSE "${CURRENT_PACKAGES_DIR}/debug/include")
+
+file(REMOVE
+ "${CURRENT_PACKAGES_DIR}/bin/openssl.exe"
+ "${CURRENT_PACKAGES_DIR}/debug/bin/openssl.exe"
+ "${CURRENT_PACKAGES_DIR}/debug/openssl.cnf"
+ "${CURRENT_PACKAGES_DIR}/openssl.cnf"
+ "${CURRENT_PACKAGES_DIR}/ct_log_list.cnf"
+ "${CURRENT_PACKAGES_DIR}/ct_log_list.cnf.dist"
+ "${CURRENT_PACKAGES_DIR}/openssl.cnf.dist"
+ "${CURRENT_PACKAGES_DIR}/debug/ct_log_list.cnf"
+ 
"${CURRENT_PACKAGES_DIR}/debug/ct_log_list.cnf.dist"
+ "${CURRENT_PACKAGES_DIR}/debug/openssl.cnf.dist"
+)
+
+file(READ "${CURRENT_PACKAGES_DIR}/include/openssl/dtls1.h" _contents)
+string(REPLACE "" "" _contents "${_contents}")
+file(WRITE "${CURRENT_PACKAGES_DIR}/include/openssl/dtls1.h" "${_contents}")
+
+file(READ "${CURRENT_PACKAGES_DIR}/include/openssl/rand.h" _contents)
+string(REPLACE "# include " "#ifndef _WINSOCKAPI_\n#define _WINSOCKAPI_\n#endif\n# include " _contents "${_contents}")
+file(WRITE "${CURRENT_PACKAGES_DIR}/include/openssl/rand.h" "${_contents}")
+
+vcpkg_copy_pdbs()
+
+file(INSTALL "${SOURCE_PATH}/LICENSE" DESTINATION "${CURRENT_PACKAGES_DIR}/share/${PORT}" RENAME copyright)
diff --git a/contrib/vcpkg-ports/openssl/vcpkg.json b/contrib/vcpkg-ports/openssl/vcpkg.json
new file mode 100644
index 0000000..2d0eb13
--- /dev/null
+++ b/contrib/vcpkg-ports/openssl/vcpkg.json
@@ -0,0 +1,7 @@
+{
+ "name": "openssl",
+ "version-string": "1.1.1k",
+ "port-version": 4,
+ "description": "OpenSSL is an open source project that provides a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. It is also a general-purpose cryptography library.",
+ "homepage": "https://www.openssl.org"
+}
diff --git a/contrib/vcpkg-ports/openssl/windows/portfile.cmake b/contrib/vcpkg-ports/openssl/windows/portfile.cmake
new file mode 100644
index 0000000..c873eb7
--- /dev/null
+++ b/contrib/vcpkg-ports/openssl/windows/portfile.cmake
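Review bot: The UWP `CONFIGURE_COMMAND` omits `no-autoload-config`, which the desktop port in this same commit passes, so this build keeps OpenSSL's default of loading `openssl.cnf` from the compiled-in `--openssldir` — here `${CURRENT_PACKAGES_DIR}`, a developer-machine path baked into a redistributable DLL — while the portfile then deletes `openssl.cnf` from the package, leaving the library to probe a path that does not exist on the target machine; add `no-autoload-config` next to `no-uplink` so the two ports agree (the AppContainer sandbox limits the impact, but the difference does not look intentional). In the same hunk NASM is acquired and prepended to PATH although `no-asm` is passed, so one of the two is dead, and if `no-asm` is deliberate it deserves a comment because it also drops the assembly AES/SHA paths, a performance and side-channel trade-off. `vcpkg_add_to_path("${PERL_EXE_PATH}")` uses a variable this file never sets while the `JOM_EXE_PATH` it does compute is unused; presumably `PERL_EXE_PATH` comes from the parent portfile (not in this chunk), but it reads like a copy-paste slip worth confirming.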
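Review bot: The port pins `"version-string": "1.1.1k"` with `"port-version": 4`; as far as I recall the 1.1.1 branch had already moved past k with a security release by this commit's date, so the pin — and the archive hash that presumably lives in the parent portfile, not in this chunk — should be a deliberate choice rather than whatever the vendored port carried. vcpkg.json is strict JSON with no room for a comment, so the rationale for staying on 1.1.1k belongs next to the download in the parent portfile or in the changelog.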
@@ -0,0 +1,174 @@
+vcpkg_fail_port_install(MESSAGE "${PORT} is only for Windows Desktop" ON_TARGET "UWP" "Linux" "OSX")
+
+vcpkg_extract_source_archive_ex(
+ OUT_SOURCE_PATH SOURCE_PATH
+ ARCHIVE ${ARCHIVE}
+)
+
+vcpkg_find_acquire_program(NASM)
+get_filename_component(NASM_EXE_PATH "${NASM}" DIRECTORY)
+vcpkg_add_to_path(PREPEND "${NASM_EXE_PATH}")
+
+vcpkg_find_acquire_program(JOM)
+
+set(OPENSSL_SHARED no-shared)
+if(VCPKG_LIBRARY_LINKAGE STREQUAL dynamic)
+ set(OPENSSL_SHARED shared)
+endif()
+
+set(CONFIGURE_OPTIONS
+ enable-static-engine
+ enable-capieng
+ no-ssl2
+ no-tests
+ no-autoload-config
+ -utf-8
+ ${OPENSSL_SHARED}
+)
+
+if(DEFINED OPENSSL_USE_NOPINSHARED)
+ set(CONFIGURE_OPTIONS ${CONFIGURE_OPTIONS} no-pinshared)
+endif()
+
+set(CONFIGURE_COMMAND "${PERL}" Configure ${CONFIGURE_OPTIONS})
+
+if(VCPKG_TARGET_ARCHITECTURE STREQUAL "x86")
+ set(OPENSSL_ARCH VC-WIN32)
+elseif(VCPKG_TARGET_ARCHITECTURE STREQUAL "x64")
+ set(OPENSSL_ARCH VC-WIN64A)
+elseif(VCPKG_TARGET_ARCHITECTURE STREQUAL "arm")
+ set(OPENSSL_ARCH VC-WIN32-ARM)
+elseif(VCPKG_TARGET_ARCHITECTURE STREQUAL "arm64")
+ set(OPENSSL_ARCH VC-WIN64-ARM)
+else()
+ message(FATAL_ERROR "Unsupported target architecture: ${VCPKG_TARGET_ARCHITECTURE}")
+endif()
+
+set(OPENSSL_MAKEFILE "makefile")
+
+file(REMOVE_RECURSE "${CURRENT_BUILDTREES_DIR}/${TARGET_TRIPLET}-rel"
+ "${CURRENT_BUILDTREES_DIR}/${TARGET_TRIPLET}-dbg")
+
+if(NOT DEFINED VCPKG_BUILD_TYPE OR VCPKG_BUILD_TYPE STREQUAL "release")
+
+ # Copy openssl sources.
+ message(STATUS "Copying openssl release source files...")
+ file(GLOB OPENSSL_SOURCE_FILES ${SOURCE_PATH}/*)
+ foreach(SOURCE_FILE ${OPENSSL_SOURCE_FILES})
+ file(COPY ${SOURCE_FILE} DESTINATION "${CURRENT_BUILDTREES_DIR}/${TARGET_TRIPLET}-rel")
+ endforeach()
+ message(STATUS "Copying openssl release source files... 
done")
+ set(SOURCE_PATH_RELEASE "${CURRENT_BUILDTREES_DIR}/${TARGET_TRIPLET}-rel")
+
+ set(OPENSSLDIR_RELEASE ${CURRENT_PACKAGES_DIR})
+
+ message(STATUS "Configure ${TARGET_TRIPLET}-rel")
+ vcpkg_execute_required_process(
+ COMMAND ${CONFIGURE_COMMAND} ${OPENSSL_ARCH} "--prefix=${OPENSSLDIR_RELEASE}" "--openssldir=${OPENSSLDIR_RELEASE}" -FS
+ WORKING_DIRECTORY ${SOURCE_PATH_RELEASE}
+ LOGNAME configure-perl-${TARGET_TRIPLET}-rel
+ )
+ message(STATUS "Configure ${TARGET_TRIPLET}-rel done")
+
+ message(STATUS "Build ${TARGET_TRIPLET}-rel")
+ # Openssl's buildsystem has a race condition which will cause JOM to fail at some point.
+ # This is ok; we just do as much work as we can in parallel first, then follow up with a single-threaded build.
+ make_directory(${SOURCE_PATH_RELEASE}/inc32/openssl)
+ execute_process(
+ COMMAND ${JOM} -k -j $ENV{NUMBER_OF_PROCESSORS} -f ${OPENSSL_MAKEFILE}
+ WORKING_DIRECTORY ${SOURCE_PATH_RELEASE}
+ OUTPUT_FILE ${CURRENT_BUILDTREES_DIR}/build-${TARGET_TRIPLET}-rel-0-out.log
+ ERROR_FILE ${CURRENT_BUILDTREES_DIR}/build-${TARGET_TRIPLET}-rel-0-err.log
+ )
+ vcpkg_execute_required_process(
+ COMMAND nmake -f ${OPENSSL_MAKEFILE} install_sw install_ssldirs
+ WORKING_DIRECTORY ${SOURCE_PATH_RELEASE}
+ LOGNAME build-${TARGET_TRIPLET}-rel-1)
+
+ message(STATUS "Build ${TARGET_TRIPLET}-rel done")
+endif()
+
+
+if(NOT DEFINED VCPKG_BUILD_TYPE OR VCPKG_BUILD_TYPE STREQUAL "debug")
+ # Copy openssl sources.
+ message(STATUS "Copying openssl debug source files...")
+ file(GLOB OPENSSL_SOURCE_FILES ${SOURCE_PATH}/*)
+ foreach(SOURCE_FILE ${OPENSSL_SOURCE_FILES})
+ file(COPY ${SOURCE_FILE} DESTINATION "${CURRENT_BUILDTREES_DIR}/${TARGET_TRIPLET}-dbg")
+ endforeach()
+ message(STATUS "Copying openssl debug source files... 
done")
+ set(SOURCE_PATH_DEBUG "${CURRENT_BUILDTREES_DIR}/${TARGET_TRIPLET}-dbg")
+
+ set(OPENSSLDIR_DEBUG ${CURRENT_PACKAGES_DIR}/debug)
+
+ message(STATUS "Configure ${TARGET_TRIPLET}-dbg")
+ vcpkg_execute_required_process(
+ COMMAND ${CONFIGURE_COMMAND} debug-${OPENSSL_ARCH} "--prefix=${OPENSSLDIR_DEBUG}" "--openssldir=${OPENSSLDIR_DEBUG}" -FS
+ WORKING_DIRECTORY ${SOURCE_PATH_DEBUG}
+ LOGNAME configure-perl-${TARGET_TRIPLET}-dbg
+ )
+ message(STATUS "Configure ${TARGET_TRIPLET}-dbg done")
+
+ message(STATUS "Build ${TARGET_TRIPLET}-dbg")
+ make_directory(${SOURCE_PATH_DEBUG}/inc32/openssl)
+ execute_process(
+ COMMAND "${JOM}" -k -j ${VCPKG_CONCURRENCY} -f "${OPENSSL_MAKEFILE}"
+ WORKING_DIRECTORY ${SOURCE_PATH_DEBUG}
+ OUTPUT_FILE ${CURRENT_BUILDTREES_DIR}/build-${TARGET_TRIPLET}-dbg-0-out.log
+ ERROR_FILE ${CURRENT_BUILDTREES_DIR}/build-${TARGET_TRIPLET}-dbg-0-err.log
+ )
+ vcpkg_execute_required_process(
+ COMMAND nmake -f "${OPENSSL_MAKEFILE}" install_sw install_ssldirs
+ WORKING_DIRECTORY ${SOURCE_PATH_DEBUG}
+ LOGNAME build-${TARGET_TRIPLET}-dbg-1)
+
+ message(STATUS "Build ${TARGET_TRIPLET}-dbg done")
+endif()
+
+file(REMOVE_RECURSE "${CURRENT_PACKAGES_DIR}/certs")
+file(REMOVE_RECURSE "${CURRENT_PACKAGES_DIR}/private")
+file(REMOVE_RECURSE "${CURRENT_PACKAGES_DIR}/lib/engines-1_1")
+file(REMOVE_RECURSE "${CURRENT_PACKAGES_DIR}/debug/certs")
+file(REMOVE_RECURSE "${CURRENT_PACKAGES_DIR}/debug/lib/engines-1_1")
+file(REMOVE_RECURSE "${CURRENT_PACKAGES_DIR}/debug/private")
+file(REMOVE_RECURSE "${CURRENT_PACKAGES_DIR}/debug/include")
+
+file(REMOVE
+ "${CURRENT_PACKAGES_DIR}/ct_log_list.cnf"
+ "${CURRENT_PACKAGES_DIR}/ct_log_list.cnf.dist"
+ "${CURRENT_PACKAGES_DIR}/openssl.cnf.dist"
+ "${CURRENT_PACKAGES_DIR}/debug/bin/openssl.exe"
+ "${CURRENT_PACKAGES_DIR}/debug/ct_log_list.cnf"
+ "${CURRENT_PACKAGES_DIR}/debug/ct_log_list.cnf.dist"
+ "${CURRENT_PACKAGES_DIR}/debug/openssl.cnf"
+ "${CURRENT_PACKAGES_DIR}/debug/openssl.cnf.dist"
+)
+
+file(MAKE_DIRECTORY 
"${CURRENT_PACKAGES_DIR}/tools/openssl/")
+file(RENAME "${CURRENT_PACKAGES_DIR}/bin/openssl.exe" "${CURRENT_PACKAGES_DIR}/tools/openssl/openssl.exe")
+file(RENAME "${CURRENT_PACKAGES_DIR}/openssl.cnf" "${CURRENT_PACKAGES_DIR}/tools/openssl/openssl.cnf")
+
+vcpkg_copy_tool_dependencies("${CURRENT_PACKAGES_DIR}/tools/openssl")
+
+if(VCPKG_LIBRARY_LINKAGE STREQUAL static)
+ # They should be empty, only the exes deleted above were in these directories
+ file(REMOVE_RECURSE "${CURRENT_PACKAGES_DIR}/debug/bin/")
+ file(REMOVE_RECURSE "${CURRENT_PACKAGES_DIR}/bin/")
+endif()
+
+vcpkg_replace_string("${CURRENT_PACKAGES_DIR}/include/openssl/dtls1.h"
+ ""
+ ""
+)
+
+vcpkg_replace_string("${CURRENT_PACKAGES_DIR}/include/openssl/rand.h"
+ "# include "
+ "#ifndef _WINSOCKAPI_\n#define _WINSOCKAPI_\n#endif\n# include "
+)
+
+vcpkg_copy_pdbs()
+
+file(INSTALL "${SOURCE_PATH}/LICENSE" DESTINATION "${CURRENT_PACKAGES_DIR}/share/${PORT}" RENAME copyright)
+if(VCPKG_LIBRARY_LINKAGE STREQUAL "static")
+ file(COPY "${CMAKE_CURRENT_LIST_DIR}/vcpkg-cmake-wrapper.cmake" DESTINATION "${CURRENT_PACKAGES_DIR}/share/openssl")
+endif()
diff --git a/contrib/vcpkg-ports/openssl/windows/vcpkg-cmake-wrapper.cmake b/contrib/vcpkg-ports/openssl/windows/vcpkg-cmake-wrapper.cmake
new file mode 100644
index 0000000..1e3b837
--- /dev/null
+++ b/contrib/vcpkg-ports/openssl/windows/vcpkg-cmake-wrapper.cmake
@@ -0,0 +1,10 @@
+_find_package(${ARGS})
+if(OPENSSL_FOUND)
+ list(APPEND OPENSSL_LIBRARIES Crypt32.lib ws2_32.lib)
+ if(TARGET OpenSSL::Crypto)
+ set_property(TARGET OpenSSL::Crypto APPEND PROPERTY INTERFACE_LINK_LIBRARIES "Crypt32.lib;ws2_32.lib")
+ endif()
+ if(TARGET OpenSSL::SSL)
+ set_property(TARGET OpenSSL::SSL APPEND PROPERTY INTERFACE_LINK_LIBRARIES "Crypt32.lib;ws2_32.lib")
+ endif()
+endif()
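Review bot: The release and debug passes of windows/portfile.cmake are parallelised from different sources: the release `execute_process` uses `-j $ENV{NUMBER_OF_PROCESSORS}` while the debug one (and both passes of the uwp port) use `-j ${VCPKG_CONCURRENCY}`, so a concurrency limit set in a triplet or CI is ignored for the release build and an unset environment variable would expand to a bare `-j`; change the release line to `COMMAND "${JOM}" -k -j ${VCPKG_CONCURRENCY} -f "${OPENSSL_MAKEFILE}"`. The release block also leaves `${JOM}`, `${SOURCE_PATH_RELEASE}`, `${OPENSSL_MAKEFILE}` and the log paths unquoted where the debug block quotes them, so a space in the vcpkg root would break only half of the port; quoting them the same way removes the asymmetry. Since `no-autoload-config` is passed here, a one-line comment next to it explaining that it stops the DLL from probing the build-time `--openssldir` (a developer path) at runtime would document the security reason for the option, which otherwise looks like a leftover.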
diff --git a/contrib/vcpkg-ports/pkcs11-helper/0001-nmake-openssl-1.1.1-support.patch b/contrib/vcpkg-ports/pkcs11-helper/0001-nmake-openssl-1.1.1-support.patch new file mode 100644 index 0000000..d1942a9 --- /dev/null +++ b/contrib/vcpkg-ports/pkcs11-helper/0001-nmake-openssl-1.1.1-support.patch 
@@ -0,0 +1,88 @@ +From 324026ce179468fcea348e59259dbc5456438ead Mon Sep 17 00:00:00 2001 +From: Lev Stipakov +Date: Fri, 14 May 2021 14:35:53 +0300 +Subject: [PATCH] nmake: openssl 1.1.1 support + +Starting from version 1.1.1, OpenSSL includes routines +like RSA_meth_xxx and DSA_meth_xxx. pkcs11-helper includes +implementation of those routines. That code is compiled if +they're missing from OpenSSL. + +nmake build uses pre-generated config-w32-vc.h, which lacks +defines which indicate that OpenSSL includes above routines, +which causes pkcs11's own implementaion to be compiled. However, +pkcs11-helper implementation is not compatible with OpenSSL 1.1.1 - +for example, it takes size of opaque struct RSA_METHOD, which +has become internal in OpenSSL. + +This adds necessary defines to config header used by nmake build +so that pkcs11-helper code, which is not compatible with OpenSSL 1.1.1, +is not compiled. + +Also libeay is changed to libcrypto. + +Signed-off-by: Lev Stipakov +--- + config-w32-vc.h.in | 33 +++++++++++++++++++++++++++++++++ + lib/Makefile.w32-vc | 4 ++-- + 2 files changed, 35 insertions(+), 2 deletions(-) + +diff --git a/config-w32-vc.h b/config-w32-vc.h +index 6346f02..102b2e3 100644 +--- a/config-w32-vc.h ++++ b/config-w32-vc.h +@@ -185,3 +185,36 @@ + #if _MSC_VER >= 1400 + #define HAVE_CPP_VARARG_MACRO_ISO 1 + #endif ++ ++/* Define to 1 if you have the `RSA_meth_dup' function. */ ++#define HAVE_RSA_METH_DUP 1 ++ ++/* Define to 1 if you have the `RSA_meth_free' function. */ ++#define HAVE_RSA_METH_FREE 1 ++ ++/* Define to 1 if you have the `RSA_meth_set1_name' function. */ ++#define HAVE_RSA_METH_SET1_NAME 1 ++ ++/* Define to 1 if you have the `RSA_meth_set_flags' function. */ ++#define HAVE_RSA_METH_SET_FLAGS 1 ++ ++/* Define to 1 if you have the `RSA_meth_set_priv_dec' function. */ ++#define HAVE_RSA_METH_SET_PRIV_DEC 1 ++ ++/* Define to 1 if you have the `RSA_meth_set_priv_enc' function. 
*/ ++#define HAVE_RSA_METH_SET_PRIV_ENC 1 ++ ++/* Define to 1 if you have the `DSA_meth_dup' function. */ ++#define HAVE_DSA_METH_DUP 1 ++ ++/* Define to 1 if you have the `DSA_meth_free' function. */ ++#define HAVE_DSA_METH_FREE 1 ++ ++/* Define to 1 if you have the `DSA_meth_set1_name' function. */ ++#define HAVE_DSA_METH_SET1_NAME 1 ++ ++/* Define to 1 if you have the `DSA_meth_set_sign' function. */ ++#define HAVE_DSA_METH_SET_SIGN 1 ++ ++/* Define to 1 if you have the `DSA_SIG_set0' function. */ ++#define HAVE_DSA_SIG_SET0 1 +diff --git a/lib/Makefile.w32-vc b/lib/Makefile.w32-vc +index 2edab39..b2ac746 100644 +--- a/lib/Makefile.w32-vc ++++ b/lib/Makefile.w32-vc +@@ -60,9 +60,9 @@ OPENSSL_HOME = ..\..\openssl-0.9.8a + !endif + + !ifdef OPENSSL +-OPENSSL_STATIC = libeay32.lib ++OPENSSL_STATIC = libcrypto.lib + #OPENSSL_STATIC = libeay32sd.lib +-OPENSSL_DYNAMIC = libeay32.lib ++OPENSSL_DYNAMIC = libcrypto.lib + #OPENSSL_DYNAMIC = libeay32d.lib + + OPENSSL_INC=$(OPENSSL_HOME)\include +-- +2.23.0.windows.1 diff --git a/contrib/vcpkg-ports/pkcs11-helper/CONTROL b/contrib/vcpkg-ports/pkcs11-helper/CONTROL new file mode 100644 index 0000000..0183180 --- /dev/null +++ b/contrib/vcpkg-ports/pkcs11-helper/CONTROL @@ -0,0 +1,4 @@ +Source: pkcs11-helper +Version: 1.27-1 +Homepage: https://github.com/OpenSC/pkcs11-helper +Description: pkcs11-helper is a library that simplifies the interaction with PKCS#11 providers for end-user applications. diff --git a/contrib/vcpkg-ports/pkcs11-helper/pkcs11-helper-001-RFC7512.patch b/contrib/vcpkg-ports/pkcs11-helper/pkcs11-helper-001-RFC7512.patch new file mode 100644 index 0000000..84fba08 --- /dev/null +++ b/contrib/vcpkg-ports/pkcs11-helper/pkcs11-helper-001-RFC7512.patch @@ -0,0 +1,686 @@ +commit 90590b02085edc3830bdfe0942a46c4e7bf3f1ab (HEAD -> master) +Author: David Woodhouse +Date: Thu Apr 30 14:58:24 2015 +0100 + + Serialize to RFC7512-compliant PKCS#11 URIs + + 
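Review bot: The new `HAVE_RSA_METH_*` / `HAVE_DSA_*` defines in config-w32-vc.h are unconditional, while the same lib/Makefile.w32-vc hunk still defaults `OPENSSL_HOME = ..\..\openssl-0.9.8a` (context line), so an nmake build against a pre-1.1.0 OpenSSL would now fail at link time on `RSA_meth_dup` and friends instead of compiling pkcs11-helper's own fallback. Wrapping the block in `#if OPENSSL_VERSION_NUMBER >= 0x10100000L` / `#endif`, with `#include <openssl/opensslv.h>` ahead of it, keeps the header truthful for both cases; if only 1.1.1 is meant to be supported, say so in a comment at the top of the block and update the `OPENSSL_HOME` default to match. The patch's own diffstat names `config-w32-vc.h.in` while the hunk patches `config-w32-vc.h`; `git apply` ignores the diffstat, but regenerating the patch with `git format-patch` would make the metadata agree with the content.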
Signed-off-by: David Woodhouse + +commit 4d5280da8df591aab701dff4493d13a835a9b29c +Author: David Woodhouse +Date: Wed Dec 10 14:00:21 2014 +0000 + + Accept RFC7512-compliant PKCS#11 URIs as serialized token/certificate IDs + + The old format is still accepted for compatibility. + + Signed-off-by: David Woodhouse + +commit 14e09211c3d50eb06825090c9765e4382cf52f19 +Author: David Woodhouse +Date: Sun Dec 14 19:42:18 2014 +0000 + + Stop _pkcs11h_util_hexToBinary() checking for trailing NUL + + We are going to want to use this for parsing %XX hex escapes in RFC7512 + PKCS#11 URIs, where we cannot expect a trailing NUL. Since there's only + one existing caller at the moment, it's simple just to let the caller + have responsibility for that check. + + 
Signed-off-by: David Woodhouse +diff --git a/lib/pkcs11h-serialization.c b/lib/pkcs11h-serialization.c +index ad275f8..1d077e4 100644 +--- a/lib/pkcs11h-serialization.c ++++ b/lib/pkcs11h-serialization.c +@@ -61,29 +61,127 @@ + + #if defined(ENABLE_PKCS11H_TOKEN) || defined(ENABLE_PKCS11H_CERTIFICATE) + ++#define URI_SCHEME "pkcs11:" ++ ++#define token_field_ofs(field) ((unsigned long)&(((struct pkcs11h_token_id_s *)0)->field)) ++#define token_field_size(field) sizeof((((struct pkcs11h_token_id_s *)0)->field)) ++#define token_field(name, field) { name "=", sizeof(name), \ ++ token_field_ofs(field), token_field_size(field) } ++ ++static struct { ++ const char const *name; ++ size_t namelen; ++ unsigned long field_ofs; ++ size_t field_size; ++} __token_fields[] = { ++ token_field ("model", model), ++ token_field ("token", label), ++ token_field ("manufacturer", manufacturerID ), ++ token_field ("serial", serialNumber ), ++ { NULL }, ++}; ++ ++#define P11_URL_VERBATIM "abcdefghijklmnopqrstuvwxyz" \ ++ "ABCDEFGHIJKLMNOPQRSTUVWXYZ" \ ++ "0123456789_-." 
++ ++static ++int ++__token_attr_escape(char *uri, char *attr, size_t attrlen) ++{ ++ int len = 0, i; ++ ++ for (i = 0; i < attrlen; i++) { ++ if ((attr[i] != '\x0') && strchr(P11_URL_VERBATIM, attr[i])) { ++ if (uri) { ++ *(uri++) = attr[i]; ++ } ++ len++; ++ } else { ++ if (uri) { ++ sprintf(uri, "%%%02x", (unsigned char)attr[i]); ++ uri += 3; ++ } ++ len += 3; ++ } ++ } ++ return len; ++} ++ ++static ++CK_RV ++__generate_pkcs11_uri ( ++ OUT char * const sz, ++ IN OUT size_t *max, ++ IN const pkcs11h_certificate_id_t certificate_id, ++ IN const pkcs11h_token_id_t token_id ++) { ++ size_t _max; ++ char *p = sz; ++ int i; ++ ++ _PKCS11H_ASSERT (max!=NULL); ++ _PKCS11H_ASSERT (token_id!=NULL); ++ ++ _max = strlen(URI_SCHEME); ++ for (i = 0; __token_fields[i].name; i++) { ++ char *field = ((char *)token_id) + __token_fields[i].field_ofs; ++ ++ _max += __token_fields[i].namelen; ++ _max += __token_attr_escape (NULL, field, strlen(field)); ++ _max++; /* For a semicolon or trailing NUL */ ++ } ++ if (certificate_id) { ++ _max += strlen (";id="); ++ _max += __token_attr_escape (NULL, ++ (char *)certificate_id->attrCKA_ID, ++ certificate_id->attrCKA_ID_size); ++ } ++ ++ if (!sz) { ++ *max = _max; ++ return CKR_OK; ++ } ++ ++ if (sz && *max < _max) ++ return CKR_ATTRIBUTE_VALUE_INVALID; ++ ++ p += sprintf(p, URI_SCHEME); ++ for (i = 0; __token_fields[i].name; i++) { ++ char *field = ((char *)token_id) + __token_fields[i].field_ofs; ++ ++ p += sprintf (p, "%s", __token_fields[i].name); ++ p += __token_attr_escape (p, field, strlen(field)); ++ *(p++) = ';'; ++ } ++ if (certificate_id) { ++ p += sprintf (p, "id="); ++ p += __token_attr_escape (p, ++ (char *)certificate_id->attrCKA_ID, ++ certificate_id->attrCKA_ID_size); ++ } else { ++ /* Remove the unneeded trailing semicolon */ ++ p--; ++ } ++ *(p++) = 0; ++ ++ *max = _max; ++ ++ return CKR_OK; ++} ++ + CK_RV + pkcs11h_token_serializeTokenId ( + OUT char * const sz, + IN OUT size_t *max, + IN const pkcs11h_token_id_t 
token_id + ) { +- const char *sources[5]; + CK_RV rv = CKR_FUNCTION_FAILED; +- size_t n; +- int e; + + /*_PKCS11H_ASSERT (sz!=NULL); Not required*/ + _PKCS11H_ASSERT (max!=NULL); + _PKCS11H_ASSERT (token_id!=NULL); + +- { /* Must be after assert */ +- sources[0] = token_id->manufacturerID; +- sources[1] = token_id->model; +- sources[2] = token_id->serialNumber; +- sources[3] = token_id->label; +- sources[4] = NULL; +- } +- + _PKCS11H_DEBUG ( + PKCS11H_LOG_DEBUG2, + "PKCS#11: pkcs11h_token_serializeTokenId entry sz=%p, *max="P_Z", token_id=%p", +@@ -92,67 +190,161 @@ pkcs11h_token_serializeTokenId ( + (void *)token_id + ); + +- n = 0; +- for (e=0;sources[e] != NULL;e++) { +- size_t t; +- if ( +- (rv = _pkcs11h_util_escapeString ( +- NULL, +- sources[e], +- &t, +- __PKCS11H_SERIALIZE_INVALID_CHARS +- )) != CKR_OK +- ) { +- goto cleanup; ++ rv = __generate_pkcs11_uri(sz, max, NULL, token_id); ++ ++ _PKCS11H_DEBUG ( ++ PKCS11H_LOG_DEBUG2, ++ "PKCS#11: pkcs11h_token_serializeTokenId return rv=%lu-'%s', *max="P_Z", sz='%s'", ++ rv, ++ pkcs11h_getMessage (rv), ++ *max, ++ sz ++ ); ++ ++ return rv; ++} ++ ++static ++CK_RV ++__parse_token_uri_attr ( ++ const char *uri, ++ size_t urilen, ++ char *tokstr, ++ size_t toklen, ++ size_t *parsed_len ++) { ++ size_t orig_toklen = toklen; ++ CK_RV rv = CKR_OK; ++ ++ while (urilen && toklen > 1) { ++ if (*uri == '%') { ++ size_t size = 1; ++ ++ if (urilen < 3) { ++ rv = CKR_ATTRIBUTE_VALUE_INVALID; ++ goto done; ++ } ++ ++ rv = _pkcs11h_util_hexToBinary ((unsigned char *)tokstr, ++ uri + 1, &size); ++ if (rv != CKR_OK) { ++ goto done; ++ } ++ ++ uri += 2; ++ urilen -= 2; ++ } else { ++ *tokstr = *uri; + } +- n+=t; ++ tokstr++; ++ uri++; ++ toklen--; ++ urilen--; ++ tokstr[0] = 0; + } + +- if (sz != NULL) { +- if (*max < n) { +- rv = CKR_ATTRIBUTE_VALUE_INVALID; +- goto cleanup; ++ if (urilen) { ++ rv = CKR_ATTRIBUTE_VALUE_INVALID; ++ } else if (parsed_len) { ++ *parsed_len = orig_toklen - toklen; ++ } ++ ++ done: ++ return rv; ++} ++ 
++static ++CK_RV ++__parse_pkcs11_uri ( ++ OUT pkcs11h_token_id_t token_id, ++ OUT pkcs11h_certificate_id_t certificate_id, ++ IN const char * const sz ++) { ++ const char *end, *p; ++ CK_RV rv = CKR_OK; ++ ++ _PKCS11H_ASSERT (token_id!=NULL); ++ _PKCS11H_ASSERT (sz!=NULL); ++ ++ if (strncmp (sz, URI_SCHEME, strlen (URI_SCHEME))) ++ return CKR_ATTRIBUTE_VALUE_INVALID; ++ ++ end = sz + strlen (URI_SCHEME) - 1; ++ while (rv == CKR_OK && end[0] && end[1]) { ++ int i; ++ ++ p = end + 1; ++ end = strchr (p, ';'); ++ if (!end) ++ end = p + strlen(p); ++ ++ for (i = 0; __token_fields[i].name; i++) { ++ /* Parse the token=, label=, manufacturer= and serial= fields */ ++ if (!strncmp(p, __token_fields[i].name, __token_fields[i].namelen)) { ++ char *field = ((char *)token_id) + __token_fields[i].field_ofs; ++ ++ p += __token_fields[i].namelen; ++ rv = __parse_token_uri_attr (p, end - p, field, ++ __token_fields[i].field_size, ++ NULL); ++ if (rv != CKR_OK) { ++ goto cleanup; ++ } ++ ++ goto matched; ++ } + } ++ if (certificate_id && !strncmp(p, "id=", 3)) { ++ p += 3; ++ ++ rv = _pkcs11h_mem_malloc ((void *)&certificate_id->attrCKA_ID, ++ end - p + 1); ++ if (rv != CKR_OK) { ++ goto cleanup; ++ } + +- n = 0; +- for (e=0;sources[e] != NULL;e++) { +- size_t t = *max-n; +- if ( +- (rv = _pkcs11h_util_escapeString ( +- sz+n, +- sources[e], +- &t, +- __PKCS11H_SERIALIZE_INVALID_CHARS +- )) != CKR_OK +- ) { ++ rv = __parse_token_uri_attr (p, end - p, ++ (char *)certificate_id->attrCKA_ID, ++ end - p + 1, ++ &certificate_id->attrCKA_ID_size); ++ if (rv != CKR_OK) { + goto cleanup; + } +- n+=t; +- sz[n-1] = '/'; ++ ++ goto matched; + } +- sz[n-1] = '\x0'; +- } + +- *max = n; +- rv = CKR_OK; ++ /* We don't parse object= because the match code doesn't support ++ matching by label. */ ++ ++ /* Failed to parse PKCS#11 URI element. 
*/ ++ return CKR_ATTRIBUTE_VALUE_INVALID; + ++ matched: ++ ; ++ } + cleanup: ++ /* The matching code doesn't support support partial matches; it needs ++ * *all* of manufacturer, model, serial and label attributes to be ++ * defined. So reject partial URIs early instead of letting it do the ++ * wrong thing. We can maybe improve this later. */ ++ if (!token_id->model[0] || !token_id->label[0] || ++ !token_id->manufacturerID[0] || !token_id->serialNumber[0]) { ++ return CKR_ATTRIBUTE_VALUE_INVALID; ++ } + +- _PKCS11H_DEBUG ( +- PKCS11H_LOG_DEBUG2, +- "PKCS#11: pkcs11h_token_serializeTokenId return rv=%lu-'%s', *max="P_Z", sz='%s'", +- rv, +- pkcs11h_getMessage (rv), +- *max, +- sz +- ); ++ /* For a certificate ID we need CKA_ID */ ++ if (certificate_id && !certificate_id->attrCKA_ID_size) { ++ return CKR_ATTRIBUTE_VALUE_INVALID; ++ } + + return rv; + } + ++static + CK_RV +-pkcs11h_token_deserializeTokenId ( +- OUT pkcs11h_token_id_t *p_token_id, ++__pkcs11h_token_legacy_deserializeTokenId ( ++ OUT pkcs11h_token_id_t token_id, + IN const char * const sz + ) { + #define __PKCS11H_TARGETS_NUMBER 4 +@@ -161,24 +353,11 @@ pkcs11h_token_deserializeTokenId ( + size_t s; + } targets[__PKCS11H_TARGETS_NUMBER]; + +- pkcs11h_token_id_t token_id = NULL; + char *p1 = NULL; + char *_sz = NULL; + int e; + CK_RV rv = CKR_FUNCTION_FAILED; + +- _PKCS11H_ASSERT (p_token_id!=NULL); +- _PKCS11H_ASSERT (sz!=NULL); +- +- _PKCS11H_DEBUG ( +- PKCS11H_LOG_DEBUG2, +- "PKCS#11: pkcs11h_token_deserializeTokenId entry p_token_id=%p, sz='%s'", +- (void *)p_token_id, +- sz +- ); +- +- *p_token_id = NULL; +- + if ( + (rv = _pkcs11h_mem_strdup ( + (void *)&_sz, +@@ -190,10 +369,6 @@ pkcs11h_token_deserializeTokenId ( + + p1 = _sz; + +- if ((rv = _pkcs11h_token_newTokenId (&token_id)) != CKR_OK) { +- goto cleanup; +- } +- + targets[0].p = token_id->manufacturerID; + targets[0].s = sizeof (token_id->manufacturerID); + targets[1].p = token_id->model; +@@ -252,6 +427,51 @@ 
pkcs11h_token_deserializeTokenId ( + p1 = p2+1; + } + ++ rv = CKR_OK; ++ ++cleanup: ++ ++ if (_sz != NULL) { ++ _pkcs11h_mem_free ((void *)&_sz); ++ } ++ ++ return rv; ++#undef __PKCS11H_TARGETS_NUMBER ++} ++ ++CK_RV ++pkcs11h_token_deserializeTokenId ( ++ OUT pkcs11h_token_id_t *p_token_id, ++ IN const char * const sz ++) { ++ pkcs11h_token_id_t token_id = NULL; ++ CK_RV rv = CKR_FUNCTION_FAILED; ++ ++ _PKCS11H_ASSERT (p_token_id!=NULL); ++ _PKCS11H_ASSERT (sz!=NULL); ++ ++ _PKCS11H_DEBUG ( ++ PKCS11H_LOG_DEBUG2, ++ "PKCS#11: pkcs11h_token_deserializeTokenId entry p_token_id=%p, sz='%s'", ++ (void *)p_token_id, ++ sz ++ ); ++ ++ *p_token_id = NULL; ++ ++ if ((rv = _pkcs11h_token_newTokenId (&token_id)) != CKR_OK) { ++ goto cleanup; ++ } ++ ++ if (!strncmp (sz, URI_SCHEME, strlen (URI_SCHEME))) { ++ rv = __parse_pkcs11_uri(token_id, NULL, sz); ++ } else { ++ rv = __pkcs11h_token_legacy_deserializeTokenId(token_id, sz); ++ } ++ if (rv != CKR_OK) { ++ goto cleanup; ++ } ++ + strncpy ( + token_id->display, + token_id->label, +@@ -264,11 +484,6 @@ pkcs11h_token_deserializeTokenId ( + rv = CKR_OK; + + cleanup: +- +- if (_sz != NULL) { +- _pkcs11h_mem_free ((void *)&_sz); +- } +- + if (token_id != NULL) { + pkcs11h_token_freeTokenId (token_id); + } +@@ -281,7 +496,6 @@ cleanup: + ); + + return rv; +-#undef __PKCS11H_TARGETS_NUMBER + } + + #endif /* ENABLE_PKCS11H_TOKEN || ENABLE_PKCS11H_CERTIFICATE */ +@@ -295,9 +509,6 @@ pkcs11h_certificate_serializeCertificateId ( + IN const pkcs11h_certificate_id_t certificate_id + ) { + CK_RV rv = CKR_FUNCTION_FAILED; +- size_t saved_max = 0; +- size_t n = 0; +- size_t _max = 0; + + /*_PKCS11H_ASSERT (sz!=NULL); Not required */ + _PKCS11H_ASSERT (max!=NULL); +@@ -311,42 +522,7 @@ pkcs11h_certificate_serializeCertificateId ( + (void *)certificate_id + ); + +- if (sz != NULL) { +- saved_max = n = *max; +- } +- *max = 0; +- +- if ( +- (rv = pkcs11h_token_serializeTokenId ( +- sz, +- &n, +- certificate_id->token_id +- )) != CKR_OK +- ) { 
+- goto cleanup; +- } +- +- _max = n + certificate_id->attrCKA_ID_size*2 + 1; +- +- if (sz != NULL) { +- if (saved_max < _max) { +- rv = CKR_ATTRIBUTE_VALUE_INVALID; +- goto cleanup; +- } +- +- sz[n-1] = '/'; +- rv = _pkcs11h_util_binaryToHex ( +- sz+n, +- saved_max-n, +- certificate_id->attrCKA_ID, +- certificate_id->attrCKA_ID_size +- ); +- } +- +- *max = _max; +- rv = CKR_OK; +- +-cleanup: ++ rv = __generate_pkcs11_uri(sz, max, certificate_id, certificate_id->token_id); + + _PKCS11H_DEBUG ( + PKCS11H_LOG_DEBUG2, +@@ -360,27 +536,16 @@ cleanup: + return rv; + } + ++static + CK_RV +-pkcs11h_certificate_deserializeCertificateId ( +- OUT pkcs11h_certificate_id_t * const p_certificate_id, ++__pkcs11h_certificate_legacy_deserializeCertificateId ( ++ OUT pkcs11h_certificate_id_t certificate_id, + IN const char * const sz + ) { +- pkcs11h_certificate_id_t certificate_id = NULL; + CK_RV rv = CKR_FUNCTION_FAILED; + char *p = NULL; + char *_sz = NULL; +- +- _PKCS11H_ASSERT (p_certificate_id!=NULL); +- _PKCS11H_ASSERT (sz!=NULL); +- +- *p_certificate_id = NULL; +- +- _PKCS11H_DEBUG ( +- PKCS11H_LOG_DEBUG2, +- "PKCS#11: pkcs11h_certificate_deserializeCertificateId entry p_certificate_id=%p, sz='%s'", +- (void *)p_certificate_id, +- sz +- ); ++ size_t id_hex_len; + + if ( + (rv = _pkcs11h_mem_strdup ( +@@ -393,10 +558,6 @@ pkcs11h_certificate_deserializeCertificateId ( + + p = _sz; + +- if ((rv = _pkcs11h_certificate_newCertificateId (&certificate_id)) != CKR_OK) { +- goto cleanup; +- } +- + if ((p = strrchr (_sz, '/')) == NULL) { + rv = CKR_ATTRIBUTE_VALUE_INVALID; + goto cleanup; +@@ -414,7 +575,12 @@ pkcs11h_certificate_deserializeCertificateId ( + goto cleanup; + } + +- certificate_id->attrCKA_ID_size = strlen (p)/2; ++ id_hex_len = strlen (p); ++ if (id_hex_len & 1) { ++ rv = CKR_ATTRIBUTE_VALUE_INVALID; ++ goto cleanup; ++ } ++ certificate_id->attrCKA_ID_size = id_hex_len/2; + + if ( + (rv = _pkcs11h_mem_malloc ( +@@ -430,21 +596,64 @@ 
pkcs11h_certificate_deserializeCertificateId ( + goto cleanup; + } + ++ rv = CKR_OK; ++ ++cleanup: ++ ++ if (_sz != NULL) { ++ _pkcs11h_mem_free ((void *)&_sz); ++ } ++ ++ return rv; ++ ++} ++ ++CK_RV ++pkcs11h_certificate_deserializeCertificateId ( ++ OUT pkcs11h_certificate_id_t * const p_certificate_id, ++ IN const char * const sz ++) { ++ pkcs11h_certificate_id_t certificate_id = NULL; ++ CK_RV rv = CKR_FUNCTION_FAILED; ++ ++ _PKCS11H_ASSERT (p_certificate_id!=NULL); ++ _PKCS11H_ASSERT (sz!=NULL); ++ ++ *p_certificate_id = NULL; ++ ++ _PKCS11H_DEBUG ( ++ PKCS11H_LOG_DEBUG2, ++ "PKCS#11: pkcs11h_certificate_deserializeCertificateId entry p_certificate_id=%p, sz='%s'", ++ (void *)p_certificate_id, ++ sz ++ ); ++ ++ if ((rv = _pkcs11h_certificate_newCertificateId (&certificate_id)) != CKR_OK) { ++ goto cleanup; ++ } ++ if ((rv = _pkcs11h_token_newTokenId (&certificate_id->token_id)) != CKR_OK) { ++ goto cleanup; ++ } ++ ++ if (!strncmp(sz, URI_SCHEME, strlen (URI_SCHEME))) { ++ rv = __parse_pkcs11_uri (certificate_id->token_id, certificate_id, sz); ++ } else { ++ rv = __pkcs11h_certificate_legacy_deserializeCertificateId (certificate_id, sz); ++ } ++ if (rv != CKR_OK) { ++ goto cleanup; ++ } ++ + *p_certificate_id = certificate_id; + certificate_id = NULL; + rv = CKR_OK; + + cleanup: +- + if (certificate_id != NULL) { + pkcs11h_certificate_freeCertificateId (certificate_id); + certificate_id = NULL; + } + +- if (_sz != NULL) { +- _pkcs11h_mem_free ((void *)&_sz); +- } +- + _PKCS11H_DEBUG ( + PKCS11H_LOG_DEBUG2, + "PKCS#11: pkcs11h_certificate_deserializeCertificateId return rv=%lu-'%s'", +diff --git a/lib/pkcs11h-util.c b/lib/pkcs11h-util.c +index 0743fd1..f90e443 100644 +--- a/lib/pkcs11h-util.c ++++ b/lib/pkcs11h-util.c +@@ -110,12 +110,7 @@ _pkcs11h_util_hexToBinary ( + p++; + } + +- if (*p != '\x0') { +- return CKR_ATTRIBUTE_VALUE_INVALID; +- } +- else { +- return CKR_OK; +- } ++ return CKR_OK; + } + + CK_RV 
diff --git a/contrib/vcpkg-ports/pkcs11-helper/portfile.cmake b/contrib/vcpkg-ports/pkcs11-helper/portfile.cmake
new file mode 100644
index 0000000..54a0009
--- /dev/null
+++ b/contrib/vcpkg-ports/pkcs11-helper/portfile.cmake
@@ -0,0 +1,35 @@
+set(VERSION 1.27)
+
+vcpkg_download_distfile(ARCHIVE
+ URLS "https://github.com/OpenSC/pkcs11-helper/releases/download/pkcs11-helper-${VERSION}/pkcs11-helper-${VERSION}.0.tar.bz2"
+ FILENAME "pkcs11-helper-${VERSION}.tar.bz2"
+ SHA512 5799342cb755dae8b7ba0880d652e9d4b4f1e52a74043015e1185e1e059326cb2689bb51957db98060ac2257dee34e2f047dcf3d52ad59fd49b91fedcfc5332b
+)
+
+vcpkg_extract_source_archive_ex(
+ OUT_SOURCE_PATH SOURCE_PATH
+ ARCHIVE ${ARCHIVE}
+ REF ${VERSION}
+ PATCHES
+ 0001-nmake-openssl-1.1.1-support.patch
+ pkcs11-helper-001-RFC7512.patch
+)
+
+vcpkg_build_nmake(
+ SOURCE_PATH ${SOURCE_PATH}
+ NO_DEBUG
+ PROJECT_SUBPATH lib
+ PROJECT_NAME Makefile.w32-vc
+ OPTIONS
+ OPENSSL=1
+ OPENSSL_HOME=${CURRENT_PACKAGES_DIR}/../openssl_${TARGET_TRIPLET}
+)
+
+file(INSTALL ${SOURCE_PATH}/include/pkcs11-helper-1.0 DESTINATION ${CURRENT_PACKAGES_DIR}/include/)
+file(INSTALL ${CURRENT_BUILDTREES_DIR}/${TARGET_TRIPLET}/lib/pkcs11-helper.dll.lib DESTINATION ${CURRENT_PACKAGES_DIR}/lib)
+file(INSTALL ${CURRENT_BUILDTREES_DIR}/${TARGET_TRIPLET}/lib/pkcs11-helper.dll.lib DESTINATION ${CURRENT_PACKAGES_DIR}/debug/lib)
+
+file(INSTALL ${CURRENT_BUILDTREES_DIR}/${TARGET_TRIPLET}/lib/libpkcs11-helper-1.dll DESTINATION ${CURRENT_PACKAGES_DIR}/bin)
+file(INSTALL ${CURRENT_BUILDTREES_DIR}/${TARGET_TRIPLET}/lib/libpkcs11-helper-1.dll DESTINATION ${CURRENT_PACKAGES_DIR}/debug/bin)
+
+file(INSTALL ${SOURCE_PATH}/COPYING DESTINATION ${CURRENT_PACKAGES_DIR}/share/${PORT} RENAME copyright)
diff --git a/contrib/vcpkg-triplets/arm64-windows-ovpn.cmake b/contrib/vcpkg-triplets/arm64-windows-ovpn.cmake
new file mode 100644
index 0000000..dd3c6c0
--- /dev/null
+++ b/contrib/vcpkg-triplets/arm64-windows-ovpn.cmake
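Review bot: The four `file(INSTALL …)` lines that follow `vcpkg_build_nmake(… NO_DEBUG …)` copy the single release-built `pkcs11-helper.dll.lib` and `libpkcs11-helper-1.dll` into both the release and `debug/` trees without a comment, so a debug consumer silently links a release build; a one-line note would make the intent visible, e.g. `# NO_DEBUG: only a release build is produced; it is installed into the debug tree as well so debug consumers can still link.` The `OPENSSL_HOME=${CURRENT_PACKAGES_DIR}/../openssl_${TARGET_TRIPLET}` option also appears to depend on the sibling-directory layout vcpkg uses for already-built ports rather than on a declared dependency path, which deserves a comment (or an existence check on that directory) so a layout change fails loudly instead of quietly picking up a stale or wrong OpenSSL. The pinned SHA512 on the download is the right supply-chain control here; it is worth a reminder comment next to `set(VERSION 1.27)` that the hash must be updated together with the version, since the two vendored patches are applied after that check and would otherwise mask a mismatched tarball.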
@@ -0,0 +1,7 @@ +set(VCPKG_TARGET_ARCHITECTURE arm64) +set(VCPKG_CRT_LINKAGE dynamic) +set(VCPKG_LIBRARY_LINKAGE dynamic) + +if(PORT STREQUAL "lz4") + set(VCPKG_LIBRARY_LINKAGE static) +endif() diff --git a/contrib/vcpkg-triplets/x64-windows-ovpn.cmake b/contrib/vcpkg-triplets/x64-windows-ovpn.cmake new file mode 100644 index 0000000..7036ed2 --- /dev/null +++ b/contrib/vcpkg-triplets/x64-windows-ovpn.cmake @@ -0,0 +1,7 @@ +set(VCPKG_TARGET_ARCHITECTURE x64) +set(VCPKG_CRT_LINKAGE dynamic) +set(VCPKG_LIBRARY_LINKAGE dynamic) + +if(PORT STREQUAL "lz4") + set(VCPKG_LIBRARY_LINKAGE static) +endif() diff --git a/contrib/vcpkg-triplets/x86-windows-ovpn.cmake b/contrib/vcpkg-triplets/x86-windows-ovpn.cmake new file mode 100644 index 0000000..7d3bf34 --- /dev/null +++ b/contrib/vcpkg-triplets/x86-windows-ovpn.cmake @@ -0,0 +1,7 @@ +set(VCPKG_TARGET_ARCHITECTURE x86) +set(VCPKG_CRT_LINKAGE dynamic) +set(VCPKG_LIBRARY_LINKAGE dynamic) + +if(PORT STREQUAL "lz4") + set(VCPKG_LIBRARY_LINKAGE static) +endif() diff --git a/depcomp b/depcomp index 65cbf70..6b39162 100755 --- a/depcomp +++ b/depcomp @@ -3,7 +3,7 @@ scriptversion=2018-03-07.03; # UTC -# Copyright (C) 1999-2018 Free Software Foundation, Inc. +# Copyright (C) 1999-2020 Free Software Foundation, Inc. # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by diff --git a/distro/Makefile.am b/distro/Makefile.am index a6795c4..1049f00 100644 --- a/distro/Makefile.am +++ b/distro/Makefile.am @@ -5,7 +5,7 @@ # packet encryption, packet authentication, and # packet compression. # -# Copyright (C) 2002-2018 OpenVPN Inc +# Copyright (C) 2002-2021 OpenVPN Inc # Copyright (C) 2006-2012 Alon Bar-Lev # diff --git a/distro/Makefile.in b/distro/Makefile.in index e5e65b8..a5a39b6 100644 --- a/distro/Makefile.in +++ b/distro/Makefile.in 
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.16.1 from Makefile.am. +# Makefile.in generated by automake 1.16.2 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2018 Free Software Foundation, Inc. +# Copyright (C) 1994-2020 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -21,7 +21,7 @@ # packet encryption, packet authentication, and # packet compression. # -# Copyright (C) 2002-2018 OpenVPN Inc +# Copyright (C) 2002-2021 OpenVPN Inc # Copyright (C) 2006-2012 Alon Bar-Lev # VPATH = @srcdir@ @@ -367,6 +367,7 @@ plugindir = @plugindir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ +runstatedir = @runstatedir@ sampledir = @sampledir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ diff --git a/distro/systemd/Makefile.am b/distro/systemd/Makefile.am index 69e1269..59e0994 100644 --- a/distro/systemd/Makefile.am +++ b/distro/systemd/Makefile.am @@ -5,7 +5,7 @@ # packet encryption, packet authentication, and # packet compression. # -# Copyright (C) 2017-2018 OpenVPN Inc +# Copyright (C) 2017-2021 OpenVPN Inc # %.service: %.service.in Makefile diff --git a/distro/systemd/Makefile.in b/distro/systemd/Makefile.in index 1152620..8fded37 100644 --- a/distro/systemd/Makefile.in +++ b/distro/systemd/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.16.1 from Makefile.am. +# Makefile.in generated by automake 1.16.2 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2018 Free Software Foundation, Inc. +# Copyright (C) 1994-2020 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -21,7 +21,7 @@ # packet encryption, packet authentication, and # packet compression. # -# Copyright (C) 2017-2018 OpenVPN Inc +# Copyright (C) 2017-2021 OpenVPN Inc # VPATH = @srcdir@ 
@@ -339,6 +339,7 @@ plugindir = @plugindir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ +runstatedir = @runstatedir@ sampledir = @sampledir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ diff --git a/doc/Makefile.am b/doc/Makefile.am index e411f5f..1e4fcde 100644 --- a/doc/Makefile.am +++ b/doc/Makefile.am @@ -5,21 +5,28 @@ # packet encryption, packet authentication, and # packet compression. # -# Copyright (C) 2002-2020 OpenVPN Inc +# Copyright (C) 2002-2021 OpenVPN Inc # Copyright (C) 2006-2012 Alon Bar-Lev # -MAINTAINERCLEANFILES = \ - $(srcdir)/Makefile.in - SUBDIRS = doxygen +# +# List of man and HTML pages we build when rst2man/rst2html is available +# +# NOTE: Remember to add source .rst files to $(dist_noinst_DATA) below +# This could be automated with GNU Make, but we need BSD Make support +# +build_man_pages = openvpn.8 openvpn-examples.5 +build_html_pages = openvpn.8.html openvpn-examples.5.html + dist_doc_DATA = \ management-notes.txt gui-notes.txt dist_noinst_DATA = \ README.plugins interactive-service-notes.rst \ openvpn.8.rst \ + openvpn-examples.5.rst \ man-sections/advanced-options.rst \ man-sections/client-options.rst \ man-sections/connection-profiles.rst \ 
@@ -45,33 +52,41 @@ dist_noinst_DATA = \ man-sections/vpn-network-options.rst \ man-sections/windows-options.rst -openvpn.8 : + +###### GENERIC RULES ########## + +SUFFIXES = .8.rst .8 .8.html .5.rst .5 .5.html + +MAINTAINERCLEANFILES = \ + $(srcdir)/Makefile.in + +.8.rst.8 .5.rst.5 : if HAVE_PYDOCUTILS - $(RST2MAN) $(srcdir)/$@.rst > $@ + $(RST2MAN) $< > $@ else - @echo "Missing python-docutils - skipping man page generation" + @echo "Missing python-docutils - skipping man page generation ($@)" endif -openvpn.8.html: +.8.rst.8.html .5.rst.5.html : if HAVE_PYDOCUTILS - $(RST2HTML) $(srcdir)/openvpn.8.rst > $@ + $(RST2HTML) $< > $@ else - @echo "Missing python-docutils - skipping man/html page generation" + @echo "Missing python-docutils - skipping html page generation ($@)" endif + if HAVE_PYDOCUTILS -dist_noinst_DATA += openvpn.8 -dist_html_DATA = openvpn.8.html +dist_noinst_DATA += $(build_man_pages) +dist_html_DATA = $(build_html_pages) # Failsafe - do not delete these files unless we can recreate them -CLEANFILES = \ - openvpn.8 openvpn.8.html +CLEANFILES = $(build_man_pages) $(build_html_pages) endif if WIN32 else -dist_man_MANS = openvpn.8 +dist_man_MANS = $(build_man_pages) endif -dist-hook : openvpn.8 openvpn.8.html +dist-hook : $(build_man_pages) $(build_html_pages) diff --git a/doc/Makefile.in b/doc/Makefile.in index 3d1c968..ef41a37 100644 --- a/doc/Makefile.in +++ b/doc/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.16.1 from Makefile.am. +# Makefile.in generated by automake 1.16.2 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2018 Free Software Foundation, Inc. +# Copyright (C) 1994-2020 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, 
@@ -21,7 +21,7 @@ # packet encryption, packet authentication, and # packet compression. # -# Copyright (C) 2002-2020 OpenVPN Inc +# Copyright (C) 2002-2021 OpenVPN Inc # Copyright (C) 2006-2012 Alon Bar-Lev # @@ -99,7 +99,7 @@ PRE_UNINSTALL = : POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ -@HAVE_PYDOCUTILS_TRUE@am__append_1 = openvpn.8 +@HAVE_PYDOCUTILS_TRUE@am__append_1 = $(build_man_pages) subdir = doc ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/ax_emptyarray.m4 \ @@ -173,15 +173,16 @@ am__uninstall_files_from_dir = { \ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ $(am__cd) "$$dir" && rm -f $$files; }; \ } +man5dir = $(mandir)/man5 +am__installdirs = "$(DESTDIR)$(man5dir)" "$(DESTDIR)$(man8dir)" \ + "$(DESTDIR)$(docdir)" "$(DESTDIR)$(htmldir)" man8dir = $(mandir)/man8 -am__installdirs = "$(DESTDIR)$(man8dir)" "$(DESTDIR)$(docdir)" \ - "$(DESTDIR)$(htmldir)" NROFF = nroff MANS = $(dist_man_MANS) -am__dist_html_DATA_DIST = openvpn.8.html +am__dist_html_DATA_DIST = openvpn.8.html openvpn-examples.5.html am__dist_noinst_DATA_DIST = README.plugins \ interactive-service-notes.rst openvpn.8.rst \ - man-sections/advanced-options.rst \ + openvpn-examples.5.rst man-sections/advanced-options.rst \ man-sections/client-options.rst \ man-sections/connection-profiles.rst \ man-sections/encryption-options.rst man-sections/examples.rst \ @@ -198,7 +199,7 @@ am__dist_noinst_DATA_DIST = README.plugins \ man-sections/unsupported-options.rst \ man-sections/virtual-routing-and-forwarding.rst \ man-sections/vpn-network-options.rst \ - man-sections/windows-options.rst openvpn.8 + man-sections/windows-options.rst openvpn.8 openvpn-examples.5 DATA = $(dist_doc_DATA) $(dist_html_DATA) $(dist_noinst_DATA) RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive \ distclean-recursive maintainer-clean-recursive 
@@ -425,6 +426,7 @@ plugindir = @plugindir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ +runstatedir = @runstatedir@ sampledir = @sampledir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ @@ -436,15 +438,22 @@ tmpfilesdir = @tmpfilesdir@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ -MAINTAINERCLEANFILES = \ - $(srcdir)/Makefile.in - SUBDIRS = doxygen + +# +# List of man and HTML pages we build when rst2man/rst2html is available +# +# NOTE: Remember to add source .rst files to $(dist_noinst_DATA) below +# This could be automated with GNU Make, but we need BSD Make support +# +build_man_pages = openvpn.8 openvpn-examples.5 +build_html_pages = openvpn.8.html openvpn-examples.5.html dist_doc_DATA = \ management-notes.txt gui-notes.txt dist_noinst_DATA = README.plugins interactive-service-notes.rst \ - openvpn.8.rst man-sections/advanced-options.rst \ + openvpn.8.rst openvpn-examples.5.rst \ + man-sections/advanced-options.rst \ man-sections/client-options.rst \ man-sections/connection-profiles.rst \ man-sections/encryption-options.rst man-sections/examples.rst \ 
@@ -462,16 +471,21 @@ dist_noinst_DATA = README.plugins interactive-service-notes.rst \ man-sections/virtual-routing-and-forwarding.rst \ man-sections/vpn-network-options.rst \ man-sections/windows-options.rst $(am__append_1) -@HAVE_PYDOCUTILS_TRUE@dist_html_DATA = openvpn.8.html -# Failsafe - do not delete these files unless we can recreate them -@HAVE_PYDOCUTILS_TRUE@CLEANFILES = \ -@HAVE_PYDOCUTILS_TRUE@ openvpn.8 openvpn.8.html +###### GENERIC RULES ########## +SUFFIXES = .8.rst .8 .8.html .5.rst .5 .5.html +MAINTAINERCLEANFILES = \ + $(srcdir)/Makefile.in + +@HAVE_PYDOCUTILS_TRUE@dist_html_DATA = $(build_html_pages) -@WIN32_FALSE@dist_man_MANS = openvpn.8 +# Failsafe - do not delete these files unless we can recreate them +@HAVE_PYDOCUTILS_TRUE@CLEANFILES = $(build_man_pages) $(build_html_pages) +@WIN32_FALSE@dist_man_MANS = $(build_man_pages) all: all-recursive .SUFFIXES: +.SUFFIXES: .8.rst .8 .8.html .5.rst .5 .5.html $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) @for dep in $?; do \ case '$(am__configure_deps)' in \ 
@@ -507,6 +521,49 @@ mostlyclean-libtool: clean-libtool: -rm -rf .libs _libs +install-man5: $(dist_man_MANS) + @$(NORMAL_INSTALL) + @list1=''; \ + list2='$(dist_man_MANS)'; \ + test -n "$(man5dir)" \ + && test -n "`echo $$list1$$list2`" \ + || exit 0; \ + echo " $(MKDIR_P) '$(DESTDIR)$(man5dir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(man5dir)" || exit 1; \ + { for i in $$list1; do echo "$$i"; done; \ + if test -n "$$list2"; then \ + for i in $$list2; do echo "$$i"; done \ + | sed -n '/\.5[a-z]*$$/p'; \ + fi; \ + } | while read p; do \ + if test -f $$p; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; echo "$$p"; \ + done | \ + sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^5][0-9a-z]*$$,5,;x' \ + -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \ + sed 'N;N;s,\n, ,g' | { \ + list=; while read file base inst; do \ + if test "$$base" = "$$inst"; then list="$$list $$file"; else \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man5dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man5dir)/$$inst" || exit $$?; \ + fi; \ + done; \ + for i in $$list; do echo "$$i"; done | $(am__base_list) | \ + while read files; do \ + test -z "$$files" || { \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man5dir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(man5dir)" || exit $$?; }; \ + done; } + +uninstall-man5: + @$(NORMAL_UNINSTALL) + @list=''; test -n "$(man5dir)" || exit 0; \ + files=`{ for i in $$list; do echo "$$i"; done; \ + l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + sed -n '/\.5[a-z]*$$/p'; \ + } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^5][0-9a-z]*$$,5,;x' \ + -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ + dir='$(DESTDIR)$(man5dir)'; $(am__uninstall_files_from_dir) install-man8: $(dist_man_MANS) @$(NORMAL_INSTALL) @list1=''; \ 
@@ -758,7 +815,7 @@ check: check-recursive all-am: Makefile $(MANS) $(DATA) installdirs: installdirs-recursive installdirs-am: - for dir in "$(DESTDIR)$(man8dir)" "$(DESTDIR)$(docdir)" "$(DESTDIR)$(htmldir)"; do \ + for dir in "$(DESTDIR)$(man5dir)" "$(DESTDIR)$(man8dir)" "$(DESTDIR)$(docdir)" "$(DESTDIR)$(htmldir)"; do \ test -z "$$dir" || $(MKDIR_P) "$$dir"; \ done install: install-recursive @@ -830,7 +887,7 @@ install-info: install-info-recursive install-info-am: -install-man: install-man8 +install-man: install-man5 install-man8 install-pdf: install-pdf-recursive @@ -861,7 +918,7 @@ ps-am: uninstall-am: uninstall-dist_docDATA uninstall-dist_htmlDATA \ uninstall-man -uninstall-man: uninstall-man8 +uninstall-man: uninstall-man5 uninstall-man8 .MAKE: $(am__recursive_targets) install-am install-strip 
@@ -873,26 +930,27 @@ uninstall-man: uninstall-man8 install-data-am install-dist_docDATA install-dist_htmlDATA \ install-dvi install-dvi-am install-exec install-exec-am \ install-html install-html-am install-info install-info-am \ - install-man install-man8 install-pdf install-pdf-am install-ps \ - install-ps-am install-strip installcheck installcheck-am \ - installdirs installdirs-am maintainer-clean \ - maintainer-clean-generic mostlyclean mostlyclean-generic \ - mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ - uninstall-am uninstall-dist_docDATA uninstall-dist_htmlDATA \ - uninstall-man uninstall-man8 + install-man install-man5 install-man8 install-pdf \ + install-pdf-am install-ps install-ps-am install-strip \ + installcheck installcheck-am installdirs installdirs-am \ + maintainer-clean maintainer-clean-generic mostlyclean \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags tags-am uninstall uninstall-am uninstall-dist_docDATA \ + uninstall-dist_htmlDATA uninstall-man uninstall-man5 \ + uninstall-man8 .PRECIOUS: Makefile -openvpn.8 : -@HAVE_PYDOCUTILS_TRUE@ $(RST2MAN) $(srcdir)/$@.rst > $@ -@HAVE_PYDOCUTILS_FALSE@ @echo "Missing python-docutils - skipping man page generation" +.8.rst.8 .5.rst.5 : +@HAVE_PYDOCUTILS_TRUE@ $(RST2MAN) $< > $@ +@HAVE_PYDOCUTILS_FALSE@ @echo "Missing python-docutils - skipping man page generation ($@)" -openvpn.8.html: -@HAVE_PYDOCUTILS_TRUE@ $(RST2HTML) $(srcdir)/openvpn.8.rst > $@ -@HAVE_PYDOCUTILS_FALSE@ @echo "Missing python-docutils - skipping man/html page generation" +.8.rst.8.html .5.rst.5.html : +@HAVE_PYDOCUTILS_TRUE@ $(RST2HTML) $< > $@ +@HAVE_PYDOCUTILS_FALSE@ @echo "Missing python-docutils - skipping html page generation ($@)" -dist-hook : openvpn.8 openvpn.8.html +dist-hook : $(build_man_pages) $(build_html_pages) # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. 
diff --git a/doc/doxygen/Makefile.am b/doc/doxygen/Makefile.am index 299a76c..82d909d 100644 --- a/doc/doxygen/Makefile.am +++ b/doc/doxygen/Makefile.am @@ -5,7 +5,7 @@ # packet encryption, packet authentication, and # packet compression. # -# Copyright (C) 2017-2018 Fox-IT B.V. +# Copyright (C) 2017-2021 Fox-IT B.V. # MAINTAINERCLEANFILES = \ diff --git a/doc/doxygen/Makefile.in b/doc/doxygen/Makefile.in index b1f3786..48bd413 100644 --- a/doc/doxygen/Makefile.in +++ b/doc/doxygen/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.16.1 from Makefile.am. +# Makefile.in generated by automake 1.16.2 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2018 Free Software Foundation, Inc. +# Copyright (C) 1994-2020 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -21,7 +21,7 @@ # packet encryption, packet authentication, and # packet compression. # -# Copyright (C) 2017-2018 Fox-IT B.V. +# Copyright (C) 2017-2021 Fox-IT B.V. # VPATH = @srcdir@ am__is_gnu_make = { \ @@ -306,6 +306,7 @@ plugindir = @plugindir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ +runstatedir = @runstatedir@ sampledir = @sampledir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ diff --git a/doc/man-sections/client-options.rst b/doc/man-sections/client-options.rst index af21fbc..c5b7ad9 100644 --- a/doc/man-sections/client-options.rst +++ b/doc/man-sections/client-options.rst 
@@ -50,6 +50,14 @@ configuration. after a failed auth. Older clients will keep using the token value and react according to ``--auth-retry`` +--auth-token-user base64username + Companion option to ``--auth-token``. This options allows to override + the username used by the client when reauthenticating with the ``auth-token``. + It also allows to use ``--auth-token`` in setups that normally do not use + username and password. + + The username has to be base64 encoded. + --auth-user-pass Authenticate with server using username/password. diff --git a/doc/man-sections/server-options.rst b/doc/man-sections/server-options.rst index 5a68945..ac0df55 100644 --- a/doc/man-sections/server-options.rst +++ b/doc/man-sections/server-options.rst @@ -487,11 +487,21 @@ fast hardware. SSL/TLS authentication must be used in this mode. The UI version of a UI if one is running, for example :code:`de.blinkt.openvpn 0.5.47` for the Android app. + :code:`IV_SSO=[crtext,][openurl,][proxy_url]` + Additional authentication methods supported by the client. + This may be set by the client UI/GUI using ``--setenv`` + When ``--push-peer-info`` is enabled the additional information consists of the following data: - :code:`IV_HWADDR=` - The MAC address of clients default gateway + :code:`IV_HWADDR=` + This is intended to be a unique and persistent ID of the client. + The string value can be any readable ASCII string up to 64 bytes. + OpenVPN 2.x and some other implementations use the MAC address of + the client's interface used to reach the default gateway. If this + string is generated by the client, it should be consistent and + preserved across independent session and preferably + re-installations and upgrades. :code:`IV_SSL=` The ssl version used by the client, e.g. diff --git a/doc/management-notes.txt b/doc/management-notes.txt index 50f0f56..c203442 100644 --- a/doc/management-notes.txt +++ b/doc/management-notes.txt 
@@ -199,7 +199,7 @@ Command examples: COMMAND -- kill --------------- -In server mode, kill a particlar client instance. +In server mode, kill a particular client instance. Command examples: @@ -407,6 +407,7 @@ RECONNECTING -- A restart has occurred. EXITING -- A graceful exit is in progress. RESOLVE -- (Client only) DNS lookup TCP_CONNECT -- (Client only) Connecting to TCP server +AUTH_PENDING -- (Client only) Authentication pending Command examples: @@ -437,6 +438,11 @@ Fields (e)-(h) are shown for CONNECTED state, (e) is available starting from OpenVPN 2.1 (f)-(i) are available starting from OpenVPN 2.4 +For AUTH_PENDING, if (c) is present, it would read +as "timeout number" where number is the number of seconds +before authentication will timeout. It is printed as an +unsigned integer (%u). + Real-time state notifications will have a ">STATE:" prefix prepended to them. 
@@ -608,55 +614,90 @@ COMMAND -- client-pending-auth (OpenVPN 2.5 or higher) Instruct OpenVPN server to send AUTH_PENDING and INFO_PRE message to signal a pending authenticating to the client. A pending auth means that the connecting requires extra authentication like a one time -password or doing a single sign one via web. +password or doing a single sign on via web. + + client-pending-auth {CID} {EXTRA} {TIMEOUT} + +The server will send AUTH_PENDING and INFO_PRE,{EXTRA} to the client. If the +client supports accepting keywords to AUTH_PENDING (announced via IV_PROTO), +TIMEOUT parameter will be also be announced to the client to allow it to modify +its own timeout. The client is expected to inform the user that authentication +is pending and display the extra information and also show the user the +remaining time to complete the auth if applicable. + +Receiving an AUTH_PENDING message will make the client change its timeout to +the timeout proposed by the server, even if the timeout is shorter. +If the client does not receive a packet from the server for hand-window the +connection times out regardless of the timeout. This ensures that the connection +still times out relatively quickly in case of network problems. The client will +continuously send PULL_REQUEST messages to the server until the timeout is reached. +This message also triggers an ACK message from the server that resets the +hand-window based timeout. - client-pending-auth {CID} {EXTRA} +Both client and server limit the maximum timeout to the smaller value of half the +--tls-reneg minimum time and --hand-window time (defaults to 60s). -The server will send AUTH_PENDING and INFO_PRE,{EXTRA} to the client. -The client is expected to inform the user that authentication is pending and -display the extra information. 
For the format of EXTRA see below -For the OpenVPN server this is stateless operation and needs to be -followed by a client-deny/client-auth[-nt] command (that is the result of the -out of band authentication). +For the format of {EXTRA} see below. For OpenVPN server this is a stateless +operation and needs to be followed by a client-deny/client-auth[-nt] command +(that is the result of the out of band authentication). Before issuing a client-pending-auth to a client instead of a client-auth/client-deny, the server should check the IV_SSO -environment variable if the method is support. The currently -defined method are crtext for challenge/response using text -(e.g. TOTP), openurl and proxy_url for opening an URL in the client to +environment variable for whether the method is supported. Currently +defined methods are crtext for challenge/response using text +(e.g., TOTP), openurl and proxy_url for opening a URL in the client to continue authentication. A client supporting the first two methods would set setenv IV_SSO openurl,crtext The variable name IV_SSO is historic as AUTH_PENDING was first used -to signal single sign on support. To keep compatiblity with existing +to signal single sign on support. To keep compatibility with existing implementations the name IV_SSO is kept in lieu of a better name. +The management interface of the client receives notification of +pending auth via + +>STATE:datetime,AUTH_PENDING,[timeout number] + +If {EXTRA} is present the client is informed using INFOMSG +notification as + +>INFOMSG:{EXTRA} + +where {EXTRA} is formatted as received from the server. +Currently defined formats for {EXTRA} are detailed below. + openurl ======== For a web based extra authentication (like for -SSO/SAML) EXTRA should be +SSO/SAML) {EXTRA} should be OPEN_URL:url -and client should ask to the user to open the URL to continue. +and client should ask the user to open the URL to continue. 
The space in a control message is limited, so this url should be kept -short to avoid issues. If a loger url is required a URL that redirects +short to avoid issues. If a longer url is required a URL that redirects to the longer URL should be sent instead. -url_proxy +A complete documentation how URLs should be handled on the client is available +in the openvpn3 repository: + +https://github.com/OpenVPN/openvpn3/blob/master/doc/webauth.md + +proxy_url ======== -To avoid issues with OpenVPN connection persist-tun and not able -to reach the web server, a variant of openurl via a HTTPS -Proxy exists. The client should announce url_proxy in its IV_SSO -and parse the PROXY_URL message. The format is +This is a variant of openurl that allows opening a url via an +HTTP proxy. It could be used to avoid issues with OpenVPN connection's +persist-tun that may cause the web server to be unreachable. +The client should announce proxy_url in its IV_SSO and parse the +PROXY_URL message. The format of {EXTRA} in this case is PROXY_URL:::::url -The proxy should be a literal IPv4 address or IPv6 address in [] to avoid -ambiguity in parsing. A literal IP address is preferred as DNS might not be +The proxy should be a literal IPv4 address or IPv6 address enclosed in [] to avoid +ambiguity in parsing. A literal IP address is preferred as DNS might not be available when the client needs to open the url. The IP address will usually be the address that client uses to connect to the VPN server. For dual-homed VPN servers, the server should respond with the same address that the client 
@@ -664,19 +705,18 @@ connects to. This address is also usually excluded from being redirected over the VPN by a host route. If the platform (like Android) uses another way of protecting -the VPN connection routing loops the client needs to also exclude the +the VPN connection from routing loops, the client needs to also exclude the connection to the proxy in the same manner. Should another IP be used, then the VPN configuration should include a route -statement to exclude that route from being routed over the VPN. +statement to exclude that address from being routed over the VPN. crtext ======= - -The format of EXTRA is similar to the already used two step authentication +The format of {EXTRA} is similar to the already used two step authentication described in Challenge/Response Protocol section of this document. Since -most of the fields are not necessary or can be infered only the -and fields are used: +most of the fields are not necessary or can be inferred, only the +and fields are used: CR_TEXT:: @@ -686,7 +726,8 @@ and fields are used: : the challenge text to be shown to the user. - +The client should return the response to the crtext challenge +using the cr-response command. COMMAND -- client-deny (OpenVPN 2.1 or higher) ----------------------------------------------- 
@@ -904,17 +945,18 @@ To accept connecting to the host and port directly, use this command: COMMAND -- cr-response (OpenVPN 2.5 or higher) ------------------------------------------------- -Provides support for sending responses a challenge/response -query via INFOMSG,CR_TEXT. The response should be base64 encoded: +Provides support for sending responses to a challenge/response +query via INFOMSG,CR_TEXT (client-only). The response should +be base64 encoded: cr-response SGFsbG8gV2VsdCE= -The document is intended to be used after the client received a -CR_TEXT challenge (see send-pending-auth section). The answer is -the answer to the challenge and depends on the challenge itself -for a TOTP challenge this would the number encoded as base64 or -just a string for a challenge like "what day is it today?". - +This command is intended to be used after the client receives a +CR_TEXT challenge (see client-pending-auth section). The argument +to cr-response is the base64 encoded answer to the challenge and +depends on the challenge itself. For a TOTP challenge this would be +a number encoded as base64; for a challenge like "what day is it today?" +it would be a string encoded as base64. COMMAND -- pk-sig (OpenVPN 2.5 or higher, management version > 1) COMMAND -- rsa-sig (OpenVPN 2.3 or higher, management version <= 1) @@ -1055,6 +1097,9 @@ PASSWORD -- Used to tell the management interface client that OpenVPN STATE -- Shows the current OpenVPN state, as controlled by the "state" command. +INFOMSG -- Authentication related info from server such as + CR_TEXT or OPEN_URL. See description under client-pending-auth + The CLIENT notification ----------------------- 
@@ -1112,14 +1157,15 @@ CLIENT notification types: >CLIENT:ENV,... >CLIENT:ENV,END - Using the cr-response command on the client side will trigger this + Use of the cr-response command on the client side will trigger this message on the server side. - CR_RESPONSE notification. The >CR_RESPONSE fulfils the same purpose as the + CR_RESPONSE notification fulfills the same purpose as the CRV1 response in the traditional challenge/response. See that section - below for more details. Since this still uses the same cid as the original - response, we do not use the username and opaque session data in this - response but only contains the actual response. + below for more details. Since this uses the same cid as in the original + client-pending-auth challenge, we do not include the username and opaque + session data in this notification. The string {response_base64} only contains + the actual response received from the client. It is important to note that OpenVPN2 merely passes the authentication information and does not do any further checks. (E.g. if a CR was issued @@ -1127,7 +1173,7 @@ CLIENT notification types: data has a valid base64 encoding) This interface should be be sufficient for almost all challenge/response - system that can be implemented with a single round and base64 encoding the + system that can be implemented with a single round and base64 encoding of the response. Mechanisms that need multiple rounds or more complex answers should implement a different response type than CR_RESPONSE. diff --git a/doc/openvpn-examples.5 b/doc/openvpn-examples.5 new file mode 100644 index 0000000..c9d5488 --- /dev/null +++ b/doc/openvpn-examples.5 
@@ -0,0 +1,374 @@ +.\" Man page generated from reStructuredText. +. +.TH OPENVPN EXAMPLES 5 "" "" "Configuration files" +.SH NAME +openvpn examples \- Secure IP tunnel daemon +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.SH INTRODUCTION +.sp +This man page gives a few simple examples to create OpenVPN setups and configuration files. +.SH EXAMPLES +.sp +Prior to running these examples, you should have OpenVPN installed on +two machines with network connectivity between them. If you have not yet +installed OpenVPN, consult the INSTALL file included in the OpenVPN +distribution. +.SS Firewall Setup: +.sp +If firewalls exist between the two machines, they should be set to +forward the port OpenVPN is configured to use, in both directions. +The default for OpenVPN is 1194/udp. If you do not have control +over the firewalls between the two machines, you may still be able to +use OpenVPN by adding \fB\-\-ping 15\fP to each of the \fBopenvpn\fP commands +used below in the examples (this will cause each peer to send out a UDP +ping to its remote peer once every 15 seconds which will cause many +stateful firewalls to forward packets in both directions without an +explicit firewall rule). +.sp +Please see your operating system guides for how to configure the firewall +on your systems. 
+.SS VPN Address Setup: +.sp +For purposes of our example, our two machines will be called +\fBbob.example.com\fP and \fBalice.example.com\fP\&. If you are constructing a +VPN over the internet, then replace \fBbob.example.com\fP and +\fBalice.example.com\fP with the internet hostname or IP address that each +machine will use to contact the other over the internet. +.sp +Now we will choose the tunnel endpoints. Tunnel endpoints are private IP +addresses that only have meaning in the context of the VPN. Each machine +will use the tunnel endpoint of the other machine to access it over the +VPN. In our example, the tunnel endpoint for bob.example.com will be +10.4.0.1 and for alice.example.com, 10.4.0.2. +.sp +Once the VPN is established, you have essentially created a secure +alternate path between the two hosts which is addressed by using the +tunnel endpoints. You can control which network traffic passes between +the hosts (a) over the VPN or (b) independently of the VPN, by choosing +whether to use (a) the VPN endpoint address or (b) the public internet +address, to access the remote host. For example if you are on +bob.example.com and you wish to connect to \fBalice.example.com\fP via +\fBssh\fP without using the VPN (since \fBssh\fP has its own built\-in security) +you would use the command \fBssh alice.example.com\fP\&. However in the same +scenario, you could also use the command \fBtelnet 10.4.0.2\fP to create a +telnet session with alice.example.com over the VPN, that would use the +VPN to secure the session rather than \fBssh\fP\&. +.sp +You can use any address you wish for the tunnel endpoints but make sure +that they are private addresses (such as those that begin with 10 or +192.168) and that they are not part of any existing subnet on the +networks of either peer, unless you are bridging. If you use an address +that is part of your local subnet for either of the tunnel endpoints, +you will get a weird feedback loop. 
+.SS Example 1: A simple tunnel without security +.sp +On bob: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +openvpn \-\-remote alice.example.com \-\-dev tun1 \e + \-\-ifconfig 10.4.0.1 10.4.0.2 \-\-verb 9 +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +On alice: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +openvpn \-\-remote bob.example.com \-\-dev tun1 \e + \-\-ifconfig 10.4.0.2 10.4.0.1 \-\-verb 9 +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +Now verify the tunnel is working by pinging across the tunnel. +.sp +On bob: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +ping 10.4.0.2 +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +On alice: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +ping 10.4.0.1 +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +The \fB\-\-verb 9\fP option will produce verbose output, similar to the +\fBtcpdump\fP(8) program. Omit the \fB\-\-verb 9\fP option to have OpenVPN run +quietly. +.SS Example 2: A tunnel with static\-key security (i.e. using a pre\-shared secret) +.sp +First build a static key on bob. +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +openvpn \-\-genkey \-\-secret key +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +This command will build a key file called \fBkey\fP (in ascii format). Now +copy \fBkey\fP to \fBalice.example.com\fP over a secure medium such as by using +the \fBscp\fP(1) program. +.sp +On bob: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +openvpn \-\-remote alice.example.com \-\-dev tun1 \e + \-\-ifconfig 10.4.0.1 10.4.0.2 \-\-verb 5 \e + \-\-secret key +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +On alice: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +openvpn \-\-remote bob.example.com \-\-dev tun1 \e + \-\-ifconfig 10.4.0.2 10.4.0.1 \-\-verb 5 \e + \-\-secret key +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +Now verify the tunnel is working by pinging across the tunnel. 
+.sp +On bob: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +ping 10.4.0.2 +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +On alice: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +ping 10.4.0.1 +.ft P +.fi +.UNINDENT +.UNINDENT +.SS Example 3: A tunnel with full TLS\-based security +.sp +For this test, we will designate \fBbob\fP as the TLS client and \fBalice\fP +as the TLS server. +.INDENT 0.0 +.TP +.B \fINote:\fP +The client or server designation only has +meaning for the TLS subsystem. It has no bearing on OpenVPN\(aqs +peer\-to\-peer, UDP\-based communication model.* +.UNINDENT +.sp +First, build a separate certificate/key pair for both bob and alice (see +above where \fB\-\-cert\fP is discussed for more info). Then construct +Diffie Hellman parameters (see above where \fB\-\-dh\fP is discussed for +more info). You can also use the included test files \fBclient.crt\fP, +\fBclient.key\fP, \fBserver.crt\fP, \fBserver.key\fP and +\fBca.crt\fP\&. The \fB\&.crt\fP files are certificates/public\-keys, the +\fB\&.key\fP files are private keys, and \fBca.crt\fP is a certification +authority who has signed both \fBclient.crt\fP and \fBserver.crt\fP\&. +For Diffie Hellman parameters you can use the included file +\fBdh2048.pem\fP\&. +.INDENT 0.0 +.TP +.B \fIWARNING:\fP +All client, server, and certificate authority certificates +and keys included in the OpenVPN distribution are totally +insecure and should be used for testing only. 
+.UNINDENT +.sp +On bob: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +openvpn \-\-remote alice.example.com \-\-dev tun1 \e + \-\-ifconfig 10.4.0.1 10.4.0.2 \e + \-\-tls\-client \-\-ca ca.crt \e + \-\-cert client.crt \-\-key client.key \e + \-\-reneg\-sec 60 \-\-verb 5 +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +On alice: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +openvpn \-\-remote bob.example.com \-\-dev tun1 \e + \-\-ifconfig 10.4.0.2 10.4.0.1 \e + \-\-tls\-server \-\-dh dh1024.pem \-\-ca ca.crt \e + \-\-cert server.crt \-\-key server.key \e + \-\-reneg\-sec 60 \-\-verb 5 +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +Now verify the tunnel is working by pinging across the tunnel. +.sp +On bob: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +ping 10.4.0.2 +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +On alice: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +ping 10.4.0.1 +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +Notice the \fB\-\-reneg\-sec 60\fP option we used above. That tells OpenVPN +to renegotiate the data channel keys every minute. Since we used +\fB\-\-verb 5\fP above, you will see status information on each new key +negotiation. +.sp +For production operations, a key renegotiation interval of 60 seconds is +probably too frequent. Omit the \fB\-\-reneg\-sec 60\fP option to use +OpenVPN\(aqs default key renegotiation interval of one hour. +.SS Routing: +.sp +Assuming you can ping across the tunnel, the next step is to route a +real subnet over the secure tunnel. Suppose that bob and alice have two +network interfaces each, one connected to the internet, and the other to +a private network. Our goal is to securely connect both private +networks. We will assume that bob\(aqs private subnet is \fI10.0.0.0/24\fP and +alice\(aqs is \fI10.0.1.0/24\fP\&. +.sp +First, ensure that IP forwarding is enabled on both peers. 
On Linux, +enable routing: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +echo 1 > /proc/sys/net/ipv4/ip_forward +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +This setting is not persistent. Please see your operating systems +documentation how to properly configure IP forwarding, which is also +persistent through system boots. +.sp +If your system is configured with a firewall. Please see your operating +systems guide on how to configure the firewall. You typically want to +allow traffic coming from and going to the tun/tap adapter OpenVPN is +configured to use. +.sp +On bob: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +route add \-net 10.0.1.0 netmask 255.255.255.0 gw 10.4.0.2 +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +On alice: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +route add \-net 10.0.0.0 netmask 255.255.255.0 gw 10.4.0.1 +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +Now any machine on the \fI10.0.0.0/24\fP subnet can access any machine on the +\fI10.0.1.0/24\fP subnet over the secure tunnel (or vice versa). +.sp +In a production environment, you could put the route command(s) in a +script and execute with the \fB\-\-up\fP option. +.\" Generated by docutils manpage writer. +. diff --git a/doc/openvpn-examples.5.html b/doc/openvpn-examples.5.html new file mode 100644 index 0000000..a0dac40 --- /dev/null +++ b/doc/openvpn-examples.5.html @@ -0,0 +1,582 @@ + + + + + + +openvpn examples + + + +
+

openvpn examples

+

Secure IP tunnel daemon

+ +++ + + + + + +
Manual section:5
Manual group:Configuration files
+
+

INTRODUCTION

+

This man page gives a few simple examples to create OpenVPN setups and configuration files.

+
+
+

EXAMPLES

+

Prior to running these examples, you should have OpenVPN installed on +two machines with network connectivity between them. If you have not yet +installed OpenVPN, consult the INSTALL file included in the OpenVPN +distribution.

+
+

Firewall Setup:

+

If firewalls exist between the two machines, they should be set to +forward the port OpenVPN is configured to use, in both directions. +The default for OpenVPN is 1194/udp. If you do not have control +over the firewalls between the two machines, you may still be able to +use OpenVPN by adding --ping 15 to each of the openvpn commands +used below in the examples (this will cause each peer to send out a UDP +ping to its remote peer once every 15 seconds which will cause many +stateful firewalls to forward packets in both directions without an +explicit firewall rule).

+

Please see your operating system guides for how to configure the firewall +on your systems.

+
+
+

VPN Address Setup:

+

For purposes of our example, our two machines will be called +bob.example.com and alice.example.com. If you are constructing a +VPN over the internet, then replace bob.example.com and +alice.example.com with the internet hostname or IP address that each +machine will use to contact the other over the internet.

+

Now we will choose the tunnel endpoints. Tunnel endpoints are private IP +addresses that only have meaning in the context of the VPN. Each machine +will use the tunnel endpoint of the other machine to access it over the +VPN. In our example, the tunnel endpoint for bob.example.com will be +10.4.0.1 and for alice.example.com, 10.4.0.2.

+

Once the VPN is established, you have essentially created a secure +alternate path between the two hosts which is addressed by using the +tunnel endpoints. You can control which network traffic passes between +the hosts (a) over the VPN or (b) independently of the VPN, by choosing +whether to use (a) the VPN endpoint address or (b) the public internet +address, to access the remote host. For example if you are on +bob.example.com and you wish to connect to alice.example.com via +ssh without using the VPN (since ssh has its own built-in security) +you would use the command ssh alice.example.com. However in the same +scenario, you could also use the command telnet 10.4.0.2 to create a +telnet session with alice.example.com over the VPN, that would use the +VPN to secure the session rather than ssh.

+

You can use any address you wish for the tunnel endpoints but make sure +that they are private addresses (such as those that begin with 10 or +192.168) and that they are not part of any existing subnet on the +networks of either peer, unless you are bridging. If you use an address +that is part of your local subnet for either of the tunnel endpoints, +you will get a weird feedback loop.

+
+
+

Example 1: A simple tunnel without security

+

On bob:

+
+openvpn --remote alice.example.com --dev tun1 \
+         --ifconfig 10.4.0.1 10.4.0.2 --verb 9
+
+

On alice:

+
+openvpn --remote bob.example.com --dev tun1 \
+         --ifconfig 10.4.0.2 10.4.0.1 --verb 9
+
+

Now verify the tunnel is working by pinging across the tunnel.

+

On bob:

+
+ping 10.4.0.2
+
+

On alice:

+
+ping 10.4.0.1
+
+

The --verb 9 option will produce verbose output, similar to the +tcpdump(8) program. Omit the --verb 9 option to have OpenVPN run +quietly.

+
+
+

Example 2: A tunnel with static-key security (i.e. using a pre-shared secret)

+

First build a static key on bob.

+
+openvpn --genkey --secret key
+
+

This command will build a key file called key (in ascii format). Now +copy key to alice.example.com over a secure medium such as by using +the scp(1) program.

+

On bob:

+
+openvpn --remote alice.example.com --dev tun1  \
+         --ifconfig 10.4.0.1 10.4.0.2 --verb 5 \
+         --secret key
+
+

On alice:

+
+openvpn --remote bob.example.com --dev tun1   \
+        --ifconfig 10.4.0.2 10.4.0.1 --verb 5 \
+        --secret key
+
+

Now verify the tunnel is working by pinging across the tunnel.

+

On bob:

+
+ping 10.4.0.2
+
+

On alice:

+
+ping 10.4.0.1
+
+
+
+

Example 3: A tunnel with full TLS-based security

+

For this test, we will designate bob as the TLS client and alice +as the TLS server.

+
+
Note:
+
The client or server designation only has +meaning for the TLS subsystem. It has no bearing on OpenVPN's +peer-to-peer, UDP-based communication model.*
+
+

First, build a separate certificate/key pair for both bob and alice (see +above where --cert is discussed for more info). Then construct +Diffie Hellman parameters (see above where --dh is discussed for +more info). You can also use the included test files client.crt, +client.key, server.crt, server.key and +ca.crt. The .crt files are certificates/public-keys, the +.key files are private keys, and ca.crt is a certification +authority who has signed both client.crt and server.crt. +For Diffie Hellman parameters you can use the included file +dh2048.pem.

+
+
WARNING:
+
All client, server, and certificate authority certificates +and keys included in the OpenVPN distribution are totally +insecure and should be used for testing only.
+
+

On bob:

+
+openvpn --remote alice.example.com --dev tun1    \
+        --ifconfig 10.4.0.1 10.4.0.2             \
+        --tls-client --ca ca.crt                 \
+        --cert client.crt --key client.key       \
+        --reneg-sec 60 --verb 5
+
+

On alice:

+
+openvpn --remote bob.example.com --dev tun1      \
+        --ifconfig 10.4.0.2 10.4.0.1             \
+        --tls-server --dh dh1024.pem --ca ca.crt \
+        --cert server.crt --key server.key       \
+        --reneg-sec 60 --verb 5
+
+

Now verify the tunnel is working by pinging across the tunnel.

+

On bob:

+
+ping 10.4.0.2
+
+

On alice:

+
+ping 10.4.0.1
+
+

Notice the --reneg-sec 60 option we used above. That tells OpenVPN +to renegotiate the data channel keys every minute. Since we used +--verb 5 above, you will see status information on each new key +negotiation.

+

For production operations, a key renegotiation interval of 60 seconds is +probably too frequent. Omit the --reneg-sec 60 option to use +OpenVPN's default key renegotiation interval of one hour.

+
+
+

Routing:

+

Assuming you can ping across the tunnel, the next step is to route a +real subnet over the secure tunnel. Suppose that bob and alice have two +network interfaces each, one connected to the internet, and the other to +a private network. Our goal is to securely connect both private +networks. We will assume that bob's private subnet is 10.0.0.0/24 and +alice's is 10.0.1.0/24.

+

First, ensure that IP forwarding is enabled on both peers. On Linux, +enable routing:

+
+echo 1 > /proc/sys/net/ipv4/ip_forward
+
+

This setting is not persistent. Please see your operating systems +documentation how to properly configure IP forwarding, which is also +persistent through system boots.

+

If your system is configured with a firewall. Please see your operating +systems guide on how to configure the firewall. You typically want to +allow traffic coming from and going to the tun/tap adapter OpenVPN is +configured to use.

+

On bob:

+
+route add -net 10.0.1.0 netmask 255.255.255.0 gw 10.4.0.2
+
+

On alice:

+
+route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.4.0.1
+
+

Now any machine on the 10.0.0.0/24 subnet can access any machine on the +10.0.1.0/24 subnet over the secure tunnel (or vice versa).

+

In a production environment, you could put the route command(s) in a +script and execute with the --up option.

+
+
+
+ + diff --git a/doc/openvpn-examples.5.rst b/doc/openvpn-examples.5.rst new file mode 100644 index 0000000..988b602 --- /dev/null +++ b/doc/openvpn-examples.5.rst @@ -0,0 +1,17 @@ +=============================== + openvpn examples +=============================== +------------------------- + Secure IP tunnel daemon +------------------------- + +:Manual section: 5 +:Manual group: Configuration files + + +INTRODUCTION +============ + +This man page gives a few simple examples to create OpenVPN setups and configuration files. + +.. include:: man-sections/examples.rst diff --git a/doc/openvpn.8 b/doc/openvpn.8 index 57d94ea..ceb6348 100644 --- a/doc/openvpn.8 +++ b/doc/openvpn.8 @@ -1031,6 +1031,14 @@ Newer clients (2.4.7+) will fall back to the original password method after a failed auth. Older clients will keep using the token value and react according to \fB\-\-auth\-retry\fP .TP +.BI \-\-auth\-token\-user \ base64username +Companion option to \fB\-\-auth\-token\fP\&. This options allows to override +the username used by the client when reauthenticating with the \fBauth\-token\fP\&. +It also allows to use \fB\-\-auth\-token\fP in setups that normally do not use +username and password. +.sp +The username has to be base64 encoded. +.TP .B \-\-auth\-user\-pass Authenticate with server using username/password. .sp 
@@ -2076,14 +2084,24 @@ The client announces the list of supported ciphers configured with the .B \fBIV_GUI_VER= \fP The UI version of a UI if one is running, for example \fBde.blinkt.openvpn 0.5.47\fP for the Android app. +.TP +.B \fBIV_SSO=[crtext,][openurl,][proxy_url]\fP +Additional authentication methods supported by the client. +This may be set by the client UI/GUI using \fB\-\-setenv\fP .UNINDENT .sp When \fB\-\-push\-peer\-info\fP is enabled the additional information consists of the following data: .INDENT 7.0 .TP -.B \fBIV_HWADDR=\fP -The MAC address of clients default gateway +.B \fBIV_HWADDR=\fP +This is intended to be a unique and persistent ID of the client. +The string value can be any readable ASCII string up to 64 bytes. +OpenVPN 2.x and some other implementations use the MAC address of +the client\(aqs interface used to reach the default gateway. If this +string is generated by the client, it should be consistent and +preserved across independent session and preferably +re\-installations and upgrades. .TP .B \fBIV_SSL=\fP The ssl version used by the client, e.g. 
@@ -6637,343 +6655,6 @@ Causes OpenVPN to display its current statistics (to the syslog file if
 .B \fBSIGINT\fP, \fBSIGTERM\fP
 Causes OpenVPN to exit gracefully.
 .UNINDENT
-.SH EXAMPLES
-.sp
-Prior to running these examples, you should have OpenVPN installed on
-two machines with network connectivity between them. If you have not yet
-installed OpenVPN, consult the INSTALL file included in the OpenVPN
-distribution.
-.SS Firewall Setup:
-.sp
-If firewalls exist between the two machines, they should be set to
-forward the port OpenVPN is configured to use, in both directions.
-The default for OpenVPN is 1194/udp. If you do not have control
-over the firewalls between the two machines, you may still be able to
-use OpenVPN by adding \fB\-\-ping 15\fP to each of the \fBopenvpn\fP commands
-used below in the examples (this will cause each peer to send out a UDP
-ping to its remote peer once every 15 seconds which will cause many
-stateful firewalls to forward packets in both directions without an
-explicit firewall rule).
-.sp
-Please see your operating system guides for how to configure the firewall
-on your systems.
-.SS VPN Address Setup:
-.sp
-For purposes of our example, our two machines will be called
-\fBbob.example.com\fP and \fBalice.example.com\fP\&. If you are constructing a
-VPN over the internet, then replace \fBbob.example.com\fP and
-\fBalice.example.com\fP with the internet hostname or IP address that each
-machine will use to contact the other over the internet.
-.sp
-Now we will choose the tunnel endpoints. Tunnel endpoints are private IP
-addresses that only have meaning in the context of the VPN. Each machine
-will use the tunnel endpoint of the other machine to access it over the
-VPN. In our example, the tunnel endpoint for bob.example.com will be
-10.4.0.1 and for alice.example.com, 10.4.0.2.
-.sp
-Once the VPN is established, you have essentially created a secure
-alternate path between the two hosts which is addressed by using the
-tunnel endpoints. You can control which network traffic passes between
-the hosts (a) over the VPN or (b) independently of the VPN, by choosing
-whether to use (a) the VPN endpoint address or (b) the public internet
-address, to access the remote host. For example if you are on
-bob.example.com and you wish to connect to \fBalice.example.com\fP via
-\fBssh\fP without using the VPN (since \fBssh\fP has its own built\-in security)
-you would use the command \fBssh alice.example.com\fP\&. However in the same
-scenario, you could also use the command \fBtelnet 10.4.0.2\fP to create a
-telnet session with alice.example.com over the VPN, that would use the
-VPN to secure the session rather than \fBssh\fP\&.
-.sp
-You can use any address you wish for the tunnel endpoints but make sure
-that they are private addresses (such as those that begin with 10 or
-192.168) and that they are not part of any existing subnet on the
-networks of either peer, unless you are bridging. If you use an address
-that is part of your local subnet for either of the tunnel endpoints,
-you will get a weird feedback loop.
-.SS Example 1: A simple tunnel without security
-.sp
-On bob:
-.INDENT 0.0
-.INDENT 3.5
-.sp
-.nf
-.ft C
-openvpn \-\-remote alice.example.com \-\-dev tun1 \e
- \-\-ifconfig 10.4.0.1 10.4.0.2 \-\-verb 9
-.ft P
-.fi
-.UNINDENT
-.UNINDENT
-.sp
-On alice:
-.INDENT 0.0
-.INDENT 3.5
-.sp
-.nf
-.ft C
-openvpn \-\-remote bob.example.com \-\-dev tun1 \e
- \-\-ifconfig 10.4.0.2 10.4.0.1 \-\-verb 9
-.ft P
-.fi
-.UNINDENT
-.UNINDENT
-.sp
-Now verify the tunnel is working by pinging across the tunnel.
-.sp
-On bob:
-.INDENT 0.0
-.INDENT 3.5
-.sp
-.nf
-.ft C
-ping 10.4.0.2
-.ft P
-.fi
-.UNINDENT
-.UNINDENT
-.sp
-On alice:
-.INDENT 0.0
-.INDENT 3.5
-.sp
-.nf
-.ft C
-ping 10.4.0.1
-.ft P
-.fi
-.UNINDENT
-.UNINDENT
-.sp
-The \fB\-\-verb 9\fP option will produce verbose output, similar to the
-\fBtcpdump\fP(8) program. Omit the \fB\-\-verb 9\fP option to have OpenVPN run
-quietly.
-.SS Example 2: A tunnel with static\-key security (i.e. using a pre\-shared secret)
-.sp
-First build a static key on bob.
-.INDENT 0.0
-.INDENT 3.5
-.sp
-.nf
-.ft C
-openvpn \-\-genkey \-\-secret key
-.ft P
-.fi
-.UNINDENT
-.UNINDENT
-.sp
-This command will build a key file called \fBkey\fP (in ascii format). Now
-copy \fBkey\fP to \fBalice.example.com\fP over a secure medium such as by using
-the \fBscp\fP(1) program.
-.sp
-On bob:
-.INDENT 0.0
-.INDENT 3.5
-.sp
-.nf
-.ft C
-openvpn \-\-remote alice.example.com \-\-dev tun1 \e
- \-\-ifconfig 10.4.0.1 10.4.0.2 \-\-verb 5 \e
- \-\-secret key
-.ft P
-.fi
-.UNINDENT
-.UNINDENT
-.sp
-On alice:
-.INDENT 0.0
-.INDENT 3.5
-.sp
-.nf
-.ft C
-openvpn \-\-remote bob.example.com \-\-dev tun1 \e
- \-\-ifconfig 10.4.0.2 10.4.0.1 \-\-verb 5 \e
- \-\-secret key
-.ft P
-.fi
-.UNINDENT
-.UNINDENT
-.sp
-Now verify the tunnel is working by pinging across the tunnel.
-.sp
-On bob:
-.INDENT 0.0
-.INDENT 3.5
-.sp
-.nf
-.ft C
-ping 10.4.0.2
-.ft P
-.fi
-.UNINDENT
-.UNINDENT
-.sp
-On alice:
-.INDENT 0.0
-.INDENT 3.5
-.sp
-.nf
-.ft C
-ping 10.4.0.1
-.ft P
-.fi
-.UNINDENT
-.UNINDENT
-.SS Example 3: A tunnel with full TLS\-based security
-.sp
-For this test, we will designate \fBbob\fP as the TLS client and \fBalice\fP
-as the TLS server.
-.INDENT 0.0
-.TP
-.B \fINote:\fP
-The client or server designation only has
-meaning for the TLS subsystem. It has no bearing on OpenVPN\(aqs
-peer\-to\-peer, UDP\-based communication model.*
-.UNINDENT
-.sp
-First, build a separate certificate/key pair for both bob and alice (see
-above where \fB\-\-cert\fP is discussed for more info). Then construct
-Diffie Hellman parameters (see above where \fB\-\-dh\fP is discussed for
-more info). You can also use the included test files \fBclient.crt\fP,
-\fBclient.key\fP, \fBserver.crt\fP, \fBserver.key\fP and
-\fBca.crt\fP\&. The \fB\&.crt\fP files are certificates/public\-keys, the
-\fB\&.key\fP files are private keys, and \fBca.crt\fP is a certification
-authority who has signed both \fBclient.crt\fP and \fBserver.crt\fP\&.
-For Diffie Hellman parameters you can use the included file
-\fBdh2048.pem\fP\&.
-.INDENT 0.0
-.TP
-.B \fIWARNING:\fP
-All client, server, and certificate authority certificates
-and keys included in the OpenVPN distribution are totally
-insecure and should be used for testing only.
-.UNINDENT
-.sp
-On bob:
-.INDENT 0.0
-.INDENT 3.5
-.sp
-.nf
-.ft C
-openvpn \-\-remote alice.example.com \-\-dev tun1 \e
- \-\-ifconfig 10.4.0.1 10.4.0.2 \e
- \-\-tls\-client \-\-ca ca.crt \e
- \-\-cert client.crt \-\-key client.key \e
- \-\-reneg\-sec 60 \-\-verb 5
-.ft P
-.fi
-.UNINDENT
-.UNINDENT
-.sp
-On alice:
-.INDENT 0.0
-.INDENT 3.5
-.sp
-.nf
-.ft C
-openvpn \-\-remote bob.example.com \-\-dev tun1 \e
- \-\-ifconfig 10.4.0.2 10.4.0.1 \e
- \-\-tls\-server \-\-dh dh1024.pem \-\-ca ca.crt \e
- \-\-cert server.crt \-\-key server.key \e
- \-\-reneg\-sec 60 \-\-verb 5
-.ft P
-.fi
-.UNINDENT
-.UNINDENT
-.sp
-Now verify the tunnel is working by pinging across the tunnel.
-.sp
-On bob:
-.INDENT 0.0
-.INDENT 3.5
-.sp
-.nf
-.ft C
-ping 10.4.0.2
-.ft P
-.fi
-.UNINDENT
-.UNINDENT
-.sp
-On alice:
-.INDENT 0.0
-.INDENT 3.5
-.sp
-.nf
-.ft C
-ping 10.4.0.1
-.ft P
-.fi
-.UNINDENT
-.UNINDENT
-.sp
-Notice the \fB\-\-reneg\-sec 60\fP option we used above. That tells OpenVPN
-to renegotiate the data channel keys every minute. Since we used
-\fB\-\-verb 5\fP above, you will see status information on each new key
-negotiation.
-.sp
-For production operations, a key renegotiation interval of 60 seconds is
-probably too frequent. Omit the \fB\-\-reneg\-sec 60\fP option to use
-OpenVPN\(aqs default key renegotiation interval of one hour.
-.SS Routing:
-.sp
-Assuming you can ping across the tunnel, the next step is to route a
-real subnet over the secure tunnel. Suppose that bob and alice have two
-network interfaces each, one connected to the internet, and the other to
-a private network. Our goal is to securely connect both private
-networks. We will assume that bob\(aqs private subnet is \fI10.0.0.0/24\fP and
-alice\(aqs is \fI10.0.1.0/24\fP\&.
-.sp
-First, ensure that IP forwarding is enabled on both peers. On Linux,
-enable routing:
-.INDENT 0.0
-.INDENT 3.5
-.sp
-.nf
-.ft C
-echo 1 > /proc/sys/net/ipv4/ip_forward
-.ft P
-.fi
-.UNINDENT
-.UNINDENT
-.sp
-This setting is not persistent. Please see your operating systems
-documentation how to properly configure IP forwarding, which is also
-persistent through system boots.
-.sp
-If your system is configured with a firewall. Please see your operating
-systems guide on how to configure the firewall. You typically want to
-allow traffic coming from and going to the tun/tap adapter OpenVPN is
-configured to use.
-.sp
-On bob:
-.INDENT 0.0
-.INDENT 3.5
-.sp
-.nf
-.ft C
-route add \-net 10.0.1.0 netmask 255.255.255.0 gw 10.4.0.2
-.ft P
-.fi
-.UNINDENT
-.UNINDENT
-.sp
-On alice:
-.INDENT 0.0
-.INDENT 3.5
-.sp
-.nf
-.ft C
-route add \-net 10.0.0.0 netmask 255.255.255.0 gw 10.4.0.1
-.ft P
-.fi
-.UNINDENT
-.UNINDENT
-.sp
-Now any machine on the \fI10.0.0.0/24\fP subnet can access any machine on the
-\fI10.0.1.0/24\fP subnet over the secure tunnel (or vice versa).
-.sp
-In a production environment, you could put the route command(s) in a
-script and execute with the \fB\-\-up\fP option.
 .SH FAQ
 .sp
 \fI\%https://community.openvpn.net/openvpn/wiki/FAQ\fP
@@ -6998,6 +6679,7 @@ repository.
 Report all bugs to the OpenVPN team \fI\%info@openvpn.net\fP
 .SH SEE ALSO
 .sp
+\fBopenvpn\-examples\fP(5),
 \fBdhcpcd\fP(8),
 \fBifconfig\fP(8),
 \fBopenssl\fP(1),
diff --git a/doc/openvpn.8.html b/doc/openvpn.8.html
index 6ca509d..1c0c65e 100644
--- a/doc/openvpn.8.html
+++ b/doc/openvpn.8.html
@@ -3,7 +3,7 @@ - + openvpn