Changeset 30881


Timestamp:
Nov 14, 2016, 10:17:58 PM (5 months ago)
Author:
brainslayer
Message:

openvpn update

Location:
src/router/openvpn
Files:
50 edited

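--- a/src/router/openvpn/.gitignore
+++ b/src/router/openvpn/.gitignore
@@ -54,4 +54,6 @@
 tests/t_client.sh
 tests/t_client-*-20??????-??????/
+t_client.rc
+t_client_ips.rc
 src/openvpn/openvpn
 config-version.h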
  • src/router/openvpn/ChangeLog

    r30487 r30881  
    11OpenVPN Change Log
    22Copyright (C) 2002-2015 OpenVPN Technologies, Inc. <sales@openvpn.net>
     3
     42016.11.02 -- Version 2.3.13
     5Arne Schwabe (2):
     6      Use AES ciphers in our sample configuration files and add a few modern 2.4 examples
     7      Incorporate the Debian typo fixes where appropriate and make show_opt default message clearer
     8
     9David Sommerseth (4):
     10      t_client.sh: Make OpenVPN write PID file to avoid various sudo issues
     11      t_client.sh: Add support for Kerberos/ksu
     12      t_client.sh: Improve detection if the OpenVPN process did start during tests
     13      t_client.sh: Add prepare/cleanup possibilties for each test case
     14
     15Gert Doering (5):
     16      Do not abort t_client run if OpenVPN instance does not start.
     17      Fix t_client runs on OpenSolaris
     18      make t_client robust against sudoers misconfiguration
     19      add POSTINIT_CMD_suf to t_client.sh and sample config
     20      Fix --multihome for IPv6 on 64bit BSD systems.
     21
     22Ilya Shipitsin (1):
     23      skip t_lpback.sh and t_cltsrv.sh if openvpn configured --disable-crypto
     24
     25Lev Stipakov (2):
     26      Exclude peer-id from pulled options digest
     27      Fix compilation in pedantic mode
     28
     29Samuli SeppÀnen (1):
     30      Automatically cache expected IPs for t_client.sh on the first run
     31
     32Steffan Karger (6):
     33      Fix unittests for out-of-source builds
     34      Make gnu89 support explicit
     35      cleanup: remove code duplication in msg_test()
     36      Update cipher-related man page text
     37      Limit --reneg-bytes to 64MB when using small block ciphers
     38      Add a revoked cert to the sample keys
     39
    340
    4412016.08.23 -- Version 2.3.12
  • src/router/openvpn/Makefile.in

    r30487 r30881  
    1 # Makefile.in generated by automake 1.14.1 from Makefile.am.
     1# Makefile.in generated by automake 1.13.4 from Makefile.am.
    22# @configure_input@
    33
     
    114114        $(am__dist_doc_DATA_DIST) $(am__dist_noinst_DATA_DIST) \
    115115        $(dist_noinst_HEADERS) AUTHORS COPYING ChangeLog INSTALL NEWS \
    116         README compile config.guess config.sub install-sh missing \
    117         ltmain.sh
     116        README compile config.guess config.sub depcomp install-sh \
     117        missing ltmain.sh
    118118ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
    119119am__aclocal_m4_deps = $(top_srcdir)/m4/ax_emptyarray.m4 \
     
    513513
    514514config.h: stamp-h1
    515         @test -f $@ || rm -f stamp-h1
    516         @test -f $@ || $(MAKE) $(AM_MAKEFLAGS) stamp-h1
     515        @if test ! -f $@; then rm -f stamp-h1; else :; fi
     516        @if test ! -f $@; then $(MAKE) $(AM_MAKEFLAGS) stamp-h1; else :; fi
    517517
    518518stamp-h1: $(srcdir)/config.h.in $(top_builddir)/config.status
     
    767767
    768768dist-tarZ: distdir
    769         @echo WARNING: "Support for shar distribution archives is" \
    770                        "deprecated." >&2
    771         @echo WARNING: "It will be removed altogether in Automake 2.0" >&2
    772769        tardir=$(distdir) && $(am__tar) | compress -c >$(distdir).tar.Z
    773770        $(am__post_remove_distdir)
    774771
    775772dist-shar: distdir
    776         @echo WARNING: "Support for distribution archives compressed with" \
    777                        "legacy program 'compress' is deprecated." >&2
    778         @echo WARNING: "It will be removed altogether in Automake 2.0" >&2
    779773        shar $(distdir) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).shar.gz
    780774        $(am__post_remove_distdir)
     
    818812          && am__cwd=`pwd` \
    819813          && $(am__cd) $(distdir)/_build \
    820           && ../configure \
     814          && ../configure --srcdir=.. --prefix="$$dc_install_base" \
    821815            $(AM_DISTCHECK_CONFIGURE_FLAGS) \
    822816            $(DISTCHECK_CONFIGURE_FLAGS) \
    823             --srcdir=.. --prefix="$$dc_install_base" \
    824817          && $(MAKE) $(AM_MAKEFLAGS) \
    825818          && $(MAKE) $(AM_MAKEFLAGS) dvi \
  • src/router/openvpn/aclocal.m4

    r30487 r30881  
    1 # generated automatically by aclocal 1.14.1 -*- Autoconf -*-
     1# generated automatically by aclocal 1.13.4 -*- Autoconf -*-
    22
    33# Copyright (C) 1996-2013 Free Software Foundation, Inc.
     
    3333# (This private macro should not be called outside this file.)
    3434AC_DEFUN([AM_AUTOMAKE_VERSION],
    35 [am__api_version='1.14'
     35[am__api_version='1.13'
    3636dnl Some users find AM_AUTOMAKE_VERSION and mistake it for a way to
    3737dnl require some minimum version.  Point them to the right macro.
    38 m4_if([$1], [1.14.1], [],
     38m4_if([$1], [1.13.4], [],
    3939      [AC_FATAL([Do not call $0, use AM_INIT_AUTOMAKE([$1]).])])dnl
    4040])
     
    5252# This function is AC_REQUIREd by AM_INIT_AUTOMAKE.
    5353AC_DEFUN([AM_SET_CURRENT_AUTOMAKE_VERSION],
    54 [AM_AUTOMAKE_VERSION([1.14.1])dnl
     54[AM_AUTOMAKE_VERSION([1.13.4])dnl
    5555m4_ifndef([AC_AUTOCONF_VERSION],
    5656  [m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl
     
    418418# your package does certain things.  But this isn't really a big deal.
    419419
    420 dnl Redefine AC_PROG_CC to automatically invoke _AM_PROG_CC_C_O.
    421 m4_define([AC_PROG_CC],
    422 m4_defn([AC_PROG_CC])
    423 [_AM_PROG_CC_C_O
    424 ])
    425 
    426420# AM_INIT_AUTOMAKE(PACKAGE, VERSION, [NO-DEFINE])
    427421# AM_INIT_AUTOMAKE([OPTIONS])
     
    532526[m4_provide_if([_AM_COMPILER_EXEEXT],
    533527  [AM_CONDITIONAL([am__EXEEXT], [test -n "$EXEEXT"])])])dnl
    534 
    535 # POSIX will say in a future version that running "rm -f" with no argument
    536 # is OK; and we want to be able to make that assumption in our Makefile
    537 # recipes.  So use an aggressive probe to check that the usage we want is
    538 # actually supported "in the wild" to an acceptable degree.
    539 # See automake bug#10828.
    540 # To make any issue more visible, cause the running configure to be aborted
    541 # by default if the 'rm' program in use doesn't match our expectations; the
    542 # user can still override this though.
    543 if rm -f && rm -fr && rm -rf; then : OK; else
    544   cat >&2 <<'END'
    545 Oops!
    546 
    547 Your 'rm' program seems unable to run without file operands specified
    548 on the command line, even when the '-f' option is present.  This is contrary
    549 to the behaviour of most rm programs out there, and not conforming with
    550 the upcoming POSIX standard: <http://austingroupbugs.net/view.php?id=542>
    551 
    552 Please tell bug-automake@gnu.org about your system, including the value
    553 of your $PATH and any error possibly output before this message.  This
    554 can help us improve future automake versions.
    555 
    556 END
    557   if test x"$ACCEPT_INFERIOR_RM_PROGRAM" = x"yes"; then
    558     echo 'Configuration will proceed anyway, since you have set the' >&2
    559     echo 'ACCEPT_INFERIOR_RM_PROGRAM variable to "yes"' >&2
    560     echo >&2
    561   else
    562     cat >&2 <<'END'
    563 Aborting the configuration process, to ensure you take notice of the issue.
    564 
    565 You can download and install GNU coreutils to get an 'rm' implementation
    566 that behaves properly: <http://www.gnu.org/software/coreutils/>.
    567 
    568 If you want to complete the configuration process using your problematic
    569 'rm' anyway, export the environment variable ACCEPT_INFERIOR_RM_PROGRAM
    570 to "yes", and re-run configure.
    571 
    572 END
    573     AC_MSG_ERROR([Your 'rm' program is bad, sorry.])
    574   fi
    575 fi
    576528])
    577529
     
    581533m4_define([_AC_COMPILER_EXEEXT],
    582534m4_defn([_AC_COMPILER_EXEEXT])[m4_provide([_AM_COMPILER_EXEEXT])])
     535
    583536
    584537# When config.status generates a header, we must update the stamp-h file.
     
    763716[m4_ifset(_AM_MANGLE_OPTION([$1]), [$2], [$3])])
    764717
    765 # Copyright (C) 1999-2013 Free Software Foundation, Inc.
    766 #
    767 # This file is free software; the Free Software Foundation
    768 # gives unlimited permission to copy and/or distribute it,
    769 # with or without modifications, as long as this notice is preserved.
    770 
    771 # _AM_PROG_CC_C_O
    772 # ---------------
    773 # Like AC_PROG_CC_C_O, but changed for automake.  We rewrite AC_PROG_CC
    774 # to automatically call this.
    775 AC_DEFUN([_AM_PROG_CC_C_O],
    776 [AC_REQUIRE([AM_AUX_DIR_EXPAND])dnl
    777 AC_REQUIRE_AUX_FILE([compile])dnl
    778 AC_LANG_PUSH([C])dnl
    779 AC_CACHE_CHECK(
    780   [whether $CC understands -c and -o together],
    781   [am_cv_prog_cc_c_o],
    782   [AC_LANG_CONFTEST([AC_LANG_PROGRAM([])])
    783   # Make sure it works both with $CC and with simple cc.
    784   # Following AC_PROG_CC_C_O, we do the test twice because some
    785   # compilers refuse to overwrite an existing .o file with -o,
    786   # though they will create one.
    787   am_cv_prog_cc_c_o=yes
    788   for am_i in 1 2; do
    789     if AM_RUN_LOG([$CC -c conftest.$ac_ext -o conftest2.$ac_objext]) \
    790          && test -f conftest2.$ac_objext; then
    791       : OK
    792     else
    793       am_cv_prog_cc_c_o=no
    794       break
    795     fi
    796   done
    797   rm -f core conftest*
    798   unset am_i])
    799 if test "$am_cv_prog_cc_c_o" != yes; then
    800    # Losing compiler, so override with the script.
    801    # FIXME: It is wrong to rewrite CC.
    802    # But if we don't then we get into trouble of one sort or another.
    803    # A longer-term fix would be to have automake use am__CC in this case,
    804    # and then we could set am__CC="\$(top_srcdir)/compile \$(CC)"
    805    CC="$am_aux_dir/compile $CC"
    806 fi
    807 AC_LANG_POP([C])])
    808 
    809 # For backward compatibility.
    810 AC_DEFUN_ONCE([AM_PROG_CC_C_O], [AC_REQUIRE([AC_PROG_CC])])
    811 
    812 # Copyright (C) 2001-2013 Free Software Foundation, Inc.
    813 #
    814 # This file is free software; the Free Software Foundation
    815 # gives unlimited permission to copy and/or distribute it,
    816 # with or without modifications, as long as this notice is preserved.
    817 
    818 # AM_RUN_LOG(COMMAND)
    819 # -------------------
    820 # Run COMMAND, save the exit status in ac_status, and log it.
    821 # (This has been adapted from Autoconf's _AC_RUN_LOG macro.)
    822 AC_DEFUN([AM_RUN_LOG],
    823 [{ echo "$as_me:$LINENO: $1" >&AS_MESSAGE_LOG_FD
    824    ($1) >&AS_MESSAGE_LOG_FD 2>&AS_MESSAGE_LOG_FD
    825    ac_status=$?
    826    echo "$as_me:$LINENO: \$? = $ac_status" >&AS_MESSAGE_LOG_FD
    827    (exit $ac_status); }])
    828 
    829718# Check to make sure that the build environment is sane.    -*- Autoconf -*-
    830719
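--- a/src/router/openvpn/build/Makefile.in
+++ b/src/router/openvpn/build/Makefile.in
@@ -1,3 +1,3 @@
-# Makefile.in generated by automake 1.14.1 from Makefile.am.
+# Makefile.in generated by automake 1.13.4 from Makefile.am.
 # @configure_input@
 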
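--- a/src/router/openvpn/build/msvc/Makefile.in
+++ b/src/router/openvpn/build/msvc/Makefile.in
@@ -1,3 +1,3 @@
-# Makefile.in generated by automake 1.14.1 from Makefile.am.
+# Makefile.in generated by automake 1.13.4 from Makefile.am.
 # @configure_input@
 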
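--- a/src/router/openvpn/build/msvc/msvc-generate/Makefile.in
+++ b/src/router/openvpn/build/msvc/msvc-generate/Makefile.in
@@ -1,3 +1,3 @@
-# Makefile.in generated by automake 1.14.1 from Makefile.am.
+# Makefile.in generated by automake 1.13.4 from Makefile.am.
 # @configure_input@
 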
  • src/router/openvpn/configure

    r30487 r30881  
    11#! /bin/sh
    22# Guess values for system-dependent variables and create Makefiles.
    3 # Generated by GNU Autoconf 2.69 for OpenVPN 2.3.12.
     3# Generated by GNU Autoconf 2.69 for OpenVPN 2.3.13.
    44#
    55# Report bugs to <openvpn-users@lists.sourceforge.net>.
     
    591591PACKAGE_NAME='OpenVPN'
    592592PACKAGE_TARNAME='openvpn'
    593 PACKAGE_VERSION='2.3.12'
    594 PACKAGE_STRING='OpenVPN 2.3.12'
     593PACKAGE_VERSION='2.3.13'
     594PACKAGE_STRING='OpenVPN 2.3.13'
    595595PACKAGE_BUGREPORT='openvpn-users@lists.sourceforge.net'
    596596PACKAGE_URL=''
     
    647647sampledir
    648648plugindir
     649ENABLE_CRYPTO_FALSE
     650ENABLE_CRYPTO_TRUE
    649651ENABLE_PLUGIN_DOWN_ROOT_FALSE
    650652ENABLE_PLUGIN_DOWN_ROOT_TRUE
     
    14351437  # This message is too long to be a string in the A/UX 3.1 sh.
    14361438  cat <<_ACEOF
    1437 \`configure' configures OpenVPN 2.3.12 to adapt to many kinds of systems.
     1439\`configure' configures OpenVPN 2.3.13 to adapt to many kinds of systems.
    14381440
    14391441Usage: $0 [OPTION]... [VAR=VALUE]...
     
    15051507if test -n "$ac_init_help"; then
    15061508  case $ac_init_help in
    1507      short | recursive ) echo "Configuration of OpenVPN 2.3.12:";;
     1509     short | recursive ) echo "Configuration of OpenVPN 2.3.13:";;
    15081510   esac
    15091511  cat <<\_ACEOF
     
    17071709if $ac_init_version; then
    17081710  cat <<\_ACEOF
    1709 OpenVPN configure 2.3.12
     1711OpenVPN configure 2.3.13
    17101712generated by GNU Autoconf 2.69
    17111713
     
    24892491running configure, to aid debugging if configure makes a mistake.
    24902492
    2491 It was created by OpenVPN $as_me 2.3.12, which was
     2493It was created by OpenVPN $as_me 2.3.13, which was
    24922494generated by GNU Autoconf 2.69.  Invocation command line was
    24932495
     
    28532855
    28542856
    2855 $as_echo "#define OPENVPN_VERSION_RESOURCE 2,3,12,0" >>confdefs.h
     2857$as_echo "#define OPENVPN_VERSION_RESOURCE 2,3,13,0" >>confdefs.h
    28562858
    28572859
     
    28912893
    28922894
    2893 am__api_version='1.14'
     2895am__api_version='1.13'
    28942896
    28952897# Find a good install program.  We prefer a C program (faster),
     
    33773379# Define the identity of the package.
    33783380 PACKAGE='openvpn'
    3379  VERSION='2.3.12'
     3381 VERSION='2.3.13'
    33803382
    33813383
     
    34273429
    34283430
    3429 
    3430 # POSIX will say in a future version that running "rm -f" with no argument
    3431 # is OK; and we want to be able to make that assumption in our Makefile
    3432 # recipes.  So use an aggressive probe to check that the usage we want is
    3433 # actually supported "in the wild" to an acceptable degree.
    3434 # See automake bug#10828.
    3435 # To make any issue more visible, cause the running configure to be aborted
    3436 # by default if the 'rm' program in use doesn't match our expectations; the
    3437 # user can still override this though.
    3438 if rm -f && rm -fr && rm -rf; then : OK; else
    3439   cat >&2 <<'END'
    3440 Oops!
    3441 
    3442 Your 'rm' program seems unable to run without file operands specified
    3443 on the command line, even when the '-f' option is present.  This is contrary
    3444 to the behaviour of most rm programs out there, and not conforming with
    3445 the upcoming POSIX standard: <http://austingroupbugs.net/view.php?id=542>
    3446 
    3447 Please tell bug-automake@gnu.org about your system, including the value
    3448 of your $PATH and any error possibly output before this message.  This
    3449 can help us improve future automake versions.
    3450 
    3451 END
    3452   if test x"$ACCEPT_INFERIOR_RM_PROGRAM" = x"yes"; then
    3453     echo 'Configuration will proceed anyway, since you have set the' >&2
    3454     echo 'ACCEPT_INFERIOR_RM_PROGRAM variable to "yes"' >&2
    3455     echo >&2
    3456   else
    3457     cat >&2 <<'END'
    3458 Aborting the configuration process, to ensure you take notice of the issue.
    3459 
    3460 You can download and install GNU coreutils to get an 'rm' implementation
    3461 that behaves properly: <http://www.gnu.org/software/coreutils/>.
    3462 
    3463 If you want to complete the configuration process using your problematic
    3464 'rm' anyway, export the environment variable ACCEPT_INFERIOR_RM_PROGRAM
    3465 to "yes", and re-run configure.
    3466 
    3467 END
    3468     as_fn_error $? "Your 'rm' program is bad, sorry." "$LINENO" 5
    3469   fi
    3470 fi
    34713431 # Make sure we can run config.sub.
    34723432$SHELL "$ac_aux_dir/config.sub" sun4 >/dev/null 2>&1 ||
     
    43914351ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
    43924352ac_compiler_gnu=$ac_cv_c_compiler_gnu
    4393 
    4394 ac_ext=c
    4395 ac_cpp='$CPP $CPPFLAGS'
    4396 ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
    4397 ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
    4398 ac_compiler_gnu=$ac_cv_c_compiler_gnu
    4399 { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $CC understands -c and -o together" >&5
    4400 $as_echo_n "checking whether $CC understands -c and -o together... " >&6; }
    4401 if ${am_cv_prog_cc_c_o+:} false; then :
    4402   $as_echo_n "(cached) " >&6
    4403 else
    4404   cat confdefs.h - <<_ACEOF >conftest.$ac_ext
    4405 /* end confdefs.h.  */
    4406 
    4407 int
    4408 main ()
    4409 {
    4410 
    4411   ;
    4412   return 0;
    4413 }
    4414 _ACEOF
    4415   # Make sure it works both with $CC and with simple cc.
    4416   # Following AC_PROG_CC_C_O, we do the test twice because some
    4417   # compilers refuse to overwrite an existing .o file with -o,
    4418   # though they will create one.
    4419   am_cv_prog_cc_c_o=yes
    4420   for am_i in 1 2; do
    4421     if { echo "$as_me:$LINENO: $CC -c conftest.$ac_ext -o conftest2.$ac_objext" >&5
    4422    ($CC -c conftest.$ac_ext -o conftest2.$ac_objext) >&5 2>&5
    4423    ac_status=$?
    4424    echo "$as_me:$LINENO: \$? = $ac_status" >&5
    4425    (exit $ac_status); } \
    4426          && test -f conftest2.$ac_objext; then
    4427       : OK
    4428     else
    4429       am_cv_prog_cc_c_o=no
    4430       break
    4431     fi
    4432   done
    4433   rm -f core conftest*
    4434   unset am_i
    4435 fi
    4436 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $am_cv_prog_cc_c_o" >&5
    4437 $as_echo "$am_cv_prog_cc_c_o" >&6; }
    4438 if test "$am_cv_prog_cc_c_o" != yes; then
    4439    # Losing compiler, so override with the script.
    4440    # FIXME: It is wrong to rewrite CC.
    4441    # But if we don't then we get into trouble of one sort or another.
    4442    # A longer-term fix would be to have automake use am__CC in this case,
    4443    # and then we could set am__CC="\$(top_srcdir)/compile \$(CC)"
    4444    CC="$am_aux_dir/compile $CC"
    4445 fi
    4446 ac_ext=c
    4447 ac_cpp='$CPP $CPPFLAGS'
    4448 ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
    4449 ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
    4450 ac_compiler_gnu=$ac_cv_c_compiler_gnu
    4451 
    44524353
    44534354depcc="$CC"   am_compiler_list=
     
    1697516876fi
    1697616877
     16878# Set -std=gnu89 unless user already specified a -std=
     16879case "${CFLAGS}" in
     16880  *-std=*) ;;
     16881  *)       CFLAGS="${CFLAGS} -std=gnu89" ;;
     16882esac
     16883
    1697716884if test "${enable_pedantic}" = "yes"; then
    1697816885        enable_strict="yes"
     
    1707316980  ENABLE_PLUGIN_DOWN_ROOT_TRUE='#'
    1707416981  ENABLE_PLUGIN_DOWN_ROOT_FALSE=
     16982fi
     16983
     16984 if test "${enable_crypto}" = "yes"; then
     16985  ENABLE_CRYPTO_TRUE=
     16986  ENABLE_CRYPTO_FALSE='#'
     16987else
     16988  ENABLE_CRYPTO_TRUE='#'
     16989  ENABLE_CRYPTO_FALSE=
    1707516990fi
    1707616991
     
    1713917054
    1714017055if test -n "${CMAKE}"; then
    17141    if test -f vendor/cmocka/CMakeLists.txt; then
     17056   if test -f "${srcdir}/vendor/cmocka/CMakeLists.txt"; then
    1714217057       if true; then
    1714317058  CMOCKA_INITIALIZED_TRUE=
     
    1732717242Usually this means the macro was only invoked conditionally." "$LINENO" 5
    1732817243fi
     17244if test -z "${ENABLE_CRYPTO_TRUE}" && test -z "${ENABLE_CRYPTO_FALSE}"; then
     17245  as_fn_error $? "conditional \"ENABLE_CRYPTO\" was never defined.
     17246Usually this means the macro was only invoked conditionally." "$LINENO" 5
     17247fi
    1732917248if test -z "${CMOCKA_INITIALIZED_TRUE}" && test -z "${CMOCKA_INITIALIZED_FALSE}"; then
    1733017249  as_fn_error $? "conditional \"CMOCKA_INITIALIZED\" was never defined.
     
    1773617655# values after options handling.
    1773717656ac_log="
    17738 This file was extended by OpenVPN $as_me 2.3.12, which was
     17657This file was extended by OpenVPN $as_me 2.3.13, which was
    1773917658generated by GNU Autoconf 2.69.  Invocation command line was
    1774017659
     
    1780217721ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
    1780317722ac_cs_version="\\
    17804 OpenVPN config.status 2.3.12
     17723OpenVPN config.status 2.3.13
    1780517724configured by $0, generated by GNU Autoconf 2.69,
    1780617725  with options \\"\$ac_cs_config\\"
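--- a/src/router/openvpn/configure.ac
+++ b/src/router/openvpn/configure.ac
@@ -1060,4 +1060,10 @@
 fi
 
+# Set -std=gnu89 unless user already specified a -std=
+case "${CFLAGS}" in
+  *-std=*) ;;
+  *)       CFLAGS="${CFLAGS} -std=gnu89" ;;
+esac
+
 if test "${enable_pedantic}" = "yes"; then
         enable_strict="yes"
@@ -1114,4 +1120,5 @@
 AM_CONDITIONAL([ENABLE_PLUGIN_AUTH_PAM], [test "${enable_plugin_auth_pam}" = "yes"])
 AM_CONDITIONAL([ENABLE_PLUGIN_DOWN_ROOT], [test "${enable_plugin_down_root}" = "yes"])
+AM_CONDITIONAL([ENABLE_CRYPTO], [test "${enable_crypto}" = "yes"])
 
 plugindir="${with_plugindir}"
@@ -1137,5 +1144,5 @@
 AC_CHECK_PROGS([CMAKE], [cmake])
 if test -n "${CMAKE}"; then
-   if test -f vendor/cmocka/CMakeLists.txt; then
+   if test -f "${srcdir}/vendor/cmocka/CMakeLists.txt"; then
       AM_CONDITIONAL([CMOCKA_INITIALIZED], [true])
    else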
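Review bot: The `-std=` detection in the first hunk looks only at `${CFLAGS}`, so a language standard supplied through `CC` or `CPPFLAGS` (common with cross-toolchain wrappers) is not noticed and `-std=gnu89` is appended anyway. Because CFLAGS normally follows CC on the compile line, the appended flag would probably override the one the builder chose, silently changing the dialect the daemon is compiled with. Widening the match keeps the stated intent, e.g. `case "${CC} ${CPPFLAGS} ${CFLAGS}" in`, and the comment above it could say `# Set -std=gnu89 unless CC, CPPFLAGS or CFLAGS already carry a -std=`.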
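--- a/src/router/openvpn/distro/Makefile.in
+++ b/src/router/openvpn/distro/Makefile.in
@@ -1,3 +1,3 @@
-# Makefile.in generated by automake 1.14.1 from Makefile.am.
+# Makefile.in generated by automake 1.13.4 from Makefile.am.
 # @configure_input@
 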
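--- a/src/router/openvpn/distro/rpm/Makefile.in
+++ b/src/router/openvpn/distro/rpm/Makefile.in
@@ -1,3 +1,3 @@
-# Makefile.in generated by automake 1.14.1 from Makefile.am.
+# Makefile.in generated by automake 1.13.4 from Makefile.am.
 # @configure_input@
 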
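--- a/src/router/openvpn/distro/rpm/openvpn.spec
+++ b/src/router/openvpn/distro/rpm/openvpn.spec
@@ -14,5 +14,5 @@
 Summary:        OpenVPN is a robust and highly flexible VPN daemon by James Yonan.
 Name:           openvpn
-Version:        2.3.12
+Version:        2.3.13
 Release:        1
 URL:            http://openvpn.net/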
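--- a/src/router/openvpn/doc/Makefile.in
+++ b/src/router/openvpn/doc/Makefile.in
@@ -1,3 +1,3 @@
-# Makefile.in generated by automake 1.14.1 from Makefile.am.
+# Makefile.in generated by automake 1.13.4 from Makefile.am.
 # @configure_input@
 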
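--- a/src/router/openvpn/doc/openvpn.8
+++ b/src/router/openvpn/doc/openvpn.8
@@ -22,5 +22,5 @@
 .\"
 .\" Manual page for openvpn
-.\
+.\"
 .\" SH section heading
 .\" SS subsection heading
@@ -28,5 +28,5 @@
 .\" IP indented paragraph
 .\" TP hanging label
-.\
+.\"
 .\" .nf -- no formatting
 .\" .fi -- resume formatting
@@ -3911,19 +3911,12 @@
 .B BF-CBC,
 an abbreviation for Blowfish in Cipher Block Chaining mode.
-Blowfish has the advantages of being fast, very secure, and allowing key sizes
-of up to 448 bits.  Blowfish is designed to be used in situations where
-keys are changed infrequently.
-
-For more information on blowfish, see
-.I http://www.counterpane.com/blowfish.html
-
-To see other ciphers that are available with
-OpenVPN, use the
+
+Using BF-CBC is no longer recommended, because of it's 64-bit block size.  This
+small block size allows attacks based on collisions, as demonstrated by SWEET32.
+See https://community.openvpn.net/openvpn/wiki/SWEET32 for details.
+
+To see other ciphers that are available with OpenVPN, use the
 .B \-\-show\-ciphers
 option.
-
-OpenVPN supports the CBC, CFB, and OFB cipher modes,
-however CBC is recommended and CFB and OFB should
-be considered advanced modes.
 
 Set
@@ -4032,5 +4025,5 @@
 when either
 .B \-\-proto udp
-is specifed, or no
+is specified, or no
 .B \-\-proto
 option is specified.
@@ -5305,5 +5298,5 @@
 mode, OpenVPN will cause the DHCP server to masquerade as if it were
 coming from the remote endpoint.  The optional offset parameter is
-an integer which is > -256 and < 256 and which defaults to 0.
+an integer which is > \-256 and < 256 and which defaults to 0.
 If offset is positive, the DHCP server will masquerade as the IP
 address at network address + offset.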
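--- a/src/router/openvpn/include/Makefile.in
+++ b/src/router/openvpn/include/Makefile.in
@@ -1,3 +1,3 @@
-# Makefile.in generated by automake 1.14.1 from Makefile.am.
+# Makefile.in generated by automake 1.13.4 from Makefile.am.
 # @configure_input@
 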
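--- a/src/router/openvpn/install-sh
+++ b/src/router/openvpn/install-sh
@@ -346,9 +346,15 @@
             ;;
           *)
+            # $RANDOM is not portable (e.g. dash);  use it when possible to
+            # lower collision chance
             tmpdir=${TMPDIR-/tmp}/ins$RANDOM-$$
-            trap 'ret=$?; rmdir "$tmpdir/d" "$tmpdir" 2>/dev/null; exit $ret' 0
-
+            trap 'ret=$?; rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir" 2>/dev/null; exit $ret' 0
+
+             # As "mkdir -p" follows symlinks and we work in /tmp possibly;  so
+             # create the $tmpdir first (and fail if unsuccessful) to make sure
+             # that nobody tries to guess the $tmpdir name.
             if (umask $mkdir_umask &&
-                exec $mkdirprog $mkdir_mode -p -- "$tmpdir/d") >/dev/null 2>&1
+                $mkdirprog $mkdir_mode "$tmpdir" &&
+                exec $mkdirprog $mkdir_mode -p -- "$tmpdir/a/b") >/dev/null 2>&1
             then
               if test -z "$dir_arg" || {
@@ -357,5 +363,6 @@
                    # other-writable bit of parent directory when it shouldn't.
                    # FreeBSD 6.1 mkdir -m -p sets mode of existing directory.
-                   ls_ld_tmpdir=`ls -ld "$tmpdir"`
+                   test_tmpdir="$tmpdir/a"
+                   ls_ld_tmpdir=`ls -ld "$test_tmpdir"`
                    case $ls_ld_tmpdir in
                      d????-?r-*) different_mode=700;;
@@ -363,6 +370,6 @@
                      *) false;;
                    esac &&
-                   $mkdirprog -m$different_mode -p -- "$tmpdir" && {
-                     ls_ld_tmpdir_1=`ls -ld "$tmpdir"`
+                   $mkdirprog -m$different_mode -p -- "$test_tmpdir" && {
+                     ls_ld_tmpdir_1=`ls -ld "$test_tmpdir"`
                      test "$ls_ld_tmpdir" = "$ls_ld_tmpdir_1"
                    }
@@ -370,8 +377,8 @@
               then posix_mkdir=:
               fi
-              rmdir "$tmpdir/d" "$tmpdir"
+              rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir"
             else
               # Remove any dirs left behind by ancient mkdir implementations.
-              rmdir ./$mkdir_mode ./-p ./-- 2>/dev/null
+              rmdir ./$mkdir_mode ./-p ./-- "$tmpdir" 2>/dev/null
             fi
             trap '' 0;;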
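--- a/src/router/openvpn/sample/Makefile.in
+++ b/src/router/openvpn/sample/Makefile.in
@@ -1,3 +1,3 @@
-# Makefile.in generated by automake 1.14.1 from Makefile.am.
+# Makefile.in generated by automake 1.13.4 from Makefile.am.
 # @configure_input@
 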
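--- a/src/router/openvpn/sample/sample-config-files/client.conf
+++ b/src/router/openvpn/sample/sample-config-files/client.conf
@@ -111,10 +111,14 @@
 # If the cipher option is used on the server
 # then you must also specify it here.
-;cipher x
+# Note that 2.4 client/server will automatically
+# negotiate AES-256-GCM in TLS mode.
+# See also the ncp-cipher option in the manpage
+cipher AES-256-CBC
+
 
 # Enable compression on the VPN link.
 # Don't enable this unless it is also
 # enabled in the server config file.
-comp-lzo
+#comp-lzo
 
 # Set log file verbosity.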
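--- a/src/router/openvpn/sample/sample-config-files/server.conf
+++ b/src/router/openvpn/sample/sample-config-files/server.conf
@@ -247,12 +247,19 @@
 # This config item must be copied to
 # the client config file as well.
-;cipher BF-CBC        # Blowfish (default)
-;cipher AES-128-CBC   # AES
-;cipher DES-EDE3-CBC  # Triple-DES
-
-# Enable compression on the VPN link.
+# Note that 2.4 client/server will automatically
+# negotiate AES-256-GCM in TLS mode.
+# See also the ncp-cipher option in the manpage
+cipher AES-256-CBC
+
+# Enable compression on the VPN link and push the
+# option to the client (2.4+ only, for earlier
+# versions see below)
+;compress lz4-v2
+;push "compress lz4-v2"
+
+# For compression compatible with older clients use comp-lzo
 # If you enable it here, you must also
 # enable it in the client config file.
-comp-lzo
+;comp-lzo
 
 # The maximum number of concurrently connected
@@ -303,2 +310,6 @@
 # category will be output to the log.
 ;mute 20
+
+# Notify the client that when the server restarts so it
+# can automatically reconnect.
+explicit-exit-notify 1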
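Review bot: `explicit-exit-notify 1` at the end of the file is added as an active directive, whereas the other 2.4-era additions in this same change (`;compress lz4-v2`, `;push "compress lz4-v2"`) are shipped commented out and labelled "2.4+ only". This tree is being moved to 2.3.13, and as far as I recall the option is tied to UDP transport and server-side use arrived with 2.4, so a server started from this sample on 2.3.x, or after switching the sample to TCP, may refuse the configuration at startup; please confirm against the 2.3.13 option checks. I would ship it disabled like its neighbours, `;explicit-exit-notify 1`, and extend the comment above it with the minimum version and the transport restriction once confirmed.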
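--- a/src/router/openvpn/sample/sample-config-files/static-home.conf
+++ b/src/router/openvpn/sample/sample-config-files/static-home.conf
@@ -26,4 +26,7 @@
 # Our pre-shared static key
 secret static.key
+
+# Cipher to use
+cipher AES-256-CBC
 
 # OpenVPN 2.0 uses UDP port 1194 by default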
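--- a/src/router/openvpn/sample/sample-config-files/static-office.conf
+++ b/src/router/openvpn/sample/sample-config-files/static-office.conf
@@ -23,4 +23,7 @@
 # Our pre-shared static key
 secret static.key
+
+# Cipher to use
+cipher AES-256-CBC
 
 # OpenVPN 2.0 uses UDP port 1194 by default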
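--- a/src/router/openvpn/sample/sample-keys/gen-sample-keys.sh
+++ b/src/router/openvpn/sample/sample-keys/gen-sample-keys.sh
@@ -50,4 +50,12 @@
     -in sample-ca/client.crt -certfile sample-ca/ca.crt
 
+# Create a client cert, revoke it, generate CRL
+openssl req -new -nodes -config openssl.cnf \
+    -keyout sample-ca/client-revoked.key -out sample-ca/client-revoked.csr \
+    -subj "/C=KG/ST=NA/O=OpenVPN-TEST/CN=client-revoked/emailAddress=me@myhost.mydomain"
+openssl ca -batch -config openssl.cnf \
+    -out sample-ca/client-revoked.crt -in sample-ca/client-revoked.csr
+openssl ca -config openssl.cnf -revoke sample-ca/client-revoked.crt
+openssl ca -config openssl.cnf -gencrl -out sample-ca/ca.crl
 
 # Create EC server and client cert (signed by 'regular' RSA CA)
@@ -74,2 +82,3 @@
 cp sample-ca/*.crt .
 cp sample-ca/*.p12 .
+cp sample-ca/*.crl .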
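--- a/src/router/openvpn/src/Makefile.in
+++ b/src/router/openvpn/src/Makefile.in
@@ -1,3 +1,3 @@
-# Makefile.in generated by automake 1.14.1 from Makefile.am.
+# Makefile.in generated by automake 1.13.4 from Makefile.am.
 # @configure_input@
 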
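--- a/src/router/openvpn/src/compat/Makefile.in
+++ b/src/router/openvpn/src/compat/Makefile.in
@@ -1,3 +1,3 @@
-# Makefile.in generated by automake 1.14.1 from Makefile.am.
+# Makefile.in generated by automake 1.13.4 from Makefile.am.
 # @configure_input@
 
@@ -432,5 +432,5 @@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@       $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@       DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@   $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@   $(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
@@ -439,5 +439,5 @@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@       $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@       DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@   $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@   $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo: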
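--- a/src/router/openvpn/src/openvpn/Makefile.in
+++ b/src/router/openvpn/src/openvpn/Makefile.in
@@ -1,3 +1,3 @@
-# Makefile.in generated by automake 1.14.1 from Makefile.am.
+# Makefile.in generated by automake 1.13.4 from Makefile.am.
 # @configure_input@
 
@@ -635,5 +635,5 @@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@       $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@       DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@   $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@   $(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
@@ -642,5 +642,5 @@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@       $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@       DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@   $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@   $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo: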
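--- a/src/router/openvpn/src/openvpn/crypto.c
+++ b/src/router/openvpn/src/openvpn/crypto.c
@@ -497,6 +497,7 @@
       if (cipher_kt_block_size(kt->cipher) < 128/8)
         {
-          msg (M_WARN, "WARNING: this cipher's block size is less than 128 bit "
-              "(%d bit).  Consider using a --cipher with a larger block size.",
+          msg (M_WARN, "WARNING: INSECURE cipher with block size less than 128"
+              " bit (%d bit).  This allows attacks like SWEET32.  Mitigate by "
+              "using a --cipher with a larger block size (e.g. AES-256-CBC).",
               cipher_kt_block_size(kt->cipher)*8);
         }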
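--- a/src/router/openvpn/src/openvpn/crypto_openssl.c
+++ b/src/router/openvpn/src/openvpn/crypto_openssl.c
@@ -279,5 +279,5 @@
 const char *
 translate_cipher_name_from_openvpn (const char *cipher_name) {
-  // OpenSSL doesn't require any translation
+  /* OpenSSL doesn't require any translation */
   return cipher_name;
 }
@@ -285,5 +285,5 @@
 const char *
 translate_cipher_name_to_openvpn (const char *cipher_name) {
-  // OpenSSL doesn't require any translation
+  /* OpenSSL doesn't require any translation */
   return cipher_name;
 }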
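--- a/src/router/openvpn/src/openvpn/error.h
+++ b/src/router/openvpn/src/openvpn/error.h
@@ -138,10 +138,4 @@
 /** Check muting filter */
 bool dont_mute (unsigned int flags);
-
-/** Return true if flags represent an enabled, not muted log level */
-static inline bool msg_test (unsigned int flags)
-{
-  return ((flags & M_DEBUG_LEVEL) <= x_debug_level) && dont_mute (flags);
-}
 
 /* Macro to ensure (and teach static analysis tools) we exit on fatal errors */
@@ -236,4 +230,10 @@
 }
 
+/** Return true if flags represent an enabled, not muted log level */
+static inline bool msg_test (unsigned int flags)
+{
+  return check_debug_level (flags) && dont_mute (flags);
+}
+
 /* Call if we forked */
 void msg_forked (void);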
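--- a/src/router/openvpn/src/openvpn/occ.c
+++ b/src/router/openvpn/src/openvpn/occ.c
@@ -380,5 +380,5 @@
               && (c->c2.max_recv_size_remote < c->c2.max_send_size_local
                   || c->c2.max_recv_size_local < c->c2.max_send_size_remote))
-            msg (M_INFO, "NOTE: This connection is unable to accomodate a UDP packet size of %d. Consider using --fragment or --mssfix options as a workaround.",
+            msg (M_INFO, "NOTE: This connection is unable to accommodate a UDP packet size of %d. Consider using --fragment or --mssfix options as a workaround.",
                  c->c2.max_send_size_local);
         }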
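--- a/src/router/openvpn/src/openvpn/options.c
+++ b/src/router/openvpn/src/openvpn/options.c
@@ -850,4 +850,5 @@
   o->key_method = 2;
   o->tls_timeout = 2;
+  o->renegotiate_bytes = -1;
   o->renegotiate_seconds = 3600;
   o->handshake_window = 60;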
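Review bot: The new default `o->renegotiate_bytes = -1;` is a sentinel, but nothing on this line says that -1 means "not set by the user". Elsewhere in this changeset ssl.c tests `*reneg_bytes == -1` and tightens the renegotiation check to `> 0`, so any other reader of the field that still treats non-zero as "limit enabled" would now see a limit where none was configured; such readers are outside the visible hunks and worth checking. Suggest `o->renegotiate_bytes = -1; /* -1: not user-specified, see tls_limit_reneg_bytes() */`. The enclosing function starts and ends outside the hunk.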
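--- a/src/router/openvpn/src/openvpn/push.c
+++ b/src/router/openvpn/src/openvpn/push.c
@@ -408,4 +408,18 @@
 #endif
 
+static void
+push_update_digest(struct md5_state *ctx, struct buffer *buf)
+{
+  char line[OPTION_PARM_SIZE];
+  while (buf_parse (buf, ',', line, sizeof (line)))
+    {
+      /* peer-id might change on restart and this should not trigger reopening tun */
+      if (strstr (line, "peer-id ") != line)
+        {
+          md5_state_update (ctx, line, strlen(line));
+        }
+    }
+}
+
 int
 process_incoming_push_msg (struct context *c,
@@ -474,18 +488,19 @@
                                   option_types_found,
                                   c->c2.es))
-            switch (c->options.push_continuation)
-              {
-              case 0:
-              case 1:
-                md5_state_update (&c->c2.pulled_options_state, BPTR(&buf_orig), BLEN(&buf_orig));
-                md5_state_final (&c->c2.pulled_options_state, &c->c2.pulled_options_digest);
-                c->c2.pulled_options_md5_init_done = false;
-                ret = PUSH_MSG_REPLY;
-                break;
-              case 2:
-                md5_state_update (&c->c2.pulled_options_state, BPTR(&buf_orig), BLEN(&buf_orig));
-                ret = PUSH_MSG_CONTINUATION;
-                break;
-              }
+            {
+              push_update_digest (&c->c2.pulled_options_state, &buf_orig);
+              switch (c->options.push_continuation)
+                {
+                  case 0:
+                  case 1:
+                    md5_state_final (&c->c2.pulled_options_state, &c->c2.pulled_options_digest);
+                    c->c2.pulled_options_md5_init_done = false;
+                    ret = PUSH_MSG_REPLY;
+                    break;
+                  case 2:
+                    ret = PUSH_MSG_CONTINUATION;
+                    break;
+                }
+            }
         }
       else if (ch == '\0')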
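Review bot: In `push_update_digest` the test `strstr (line, "peer-id ") != line` searches the whole option string when only a prefix match is wanted; `strncmp (line, "peer-id ", 8) != 0` says that directly and stops after eight bytes. The digest is also now fed option by option without the `,` separators that the removed `md5_state_update (..., BPTR(&buf_orig), BLEN(&buf_orig))` call hashed, so two pushed lists that differ only in where an option boundary falls give the same digest. Hashing a delimiter after each line, e.g. `md5_state_update (ctx, ",", 1);`, keeps boundaries distinct. The helper has no doc comment; it should state that `peer-id` is excluded and that `buf` appears to be consumed by `buf_parse`, which matters if `buf_orig` is read again outside the hunk.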
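--- a/src/router/openvpn/src/openvpn/route.c
+++ b/src/router/openvpn/src/openvpn/route.c
@@ -1099,5 +1099,5 @@
 {
   if (!option)
-    return "nil";
+    return "default (not set)";
   else
     return option;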
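--- a/src/router/openvpn/src/openvpn/socket.c
+++ b/src/router/openvpn/src/openvpn/socket.c
@@ -2673,25 +2673,14 @@
 #if ENABLE_IP_PKTINFO
 
-#pragma pack(1) /* needed to keep structure size consistent for 32 vs. 64-bit architectures */
-struct openvpn_in4_pktinfo
-{
-  struct cmsghdr cmsghdr;
-#ifdef HAVE_IN_PKTINFO
-  struct in_pktinfo pi4;
-#elif defined(IP_RECVDSTADDR)
-  struct in_addr pi4;
-#endif
-};
-struct openvpn_in6_pktinfo
-{
-  struct cmsghdr cmsghdr;
-  struct in6_pktinfo pi6;
-};
-
-union openvpn_pktinfo {
-        struct openvpn_in4_pktinfo msgpi4;
-        struct openvpn_in6_pktinfo msgpi6;
-};
-#pragma pack()
+/* make the buffer large enough to handle ancilliary socket data for
+ * both IPv4 and IPv6 destination addresses, plus padding (see RFC 2292)
+ */
+#if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
+#define PKTINFO_BUF_SIZE max_int( CMSG_SPACE(sizeof (struct in6_pktinfo)), \
+                                  CMSG_SPACE(sizeof (struct in_pktinfo)) )
+#else
+#define PKTINFO_BUF_SIZE max_int( CMSG_SPACE(sizeof (struct in6_pktinfo)), \
+                                  CMSG_SPACE(sizeof (struct in_addr)) )
+#endif
 
 static socklen_t
@@ -2701,5 +2690,5 @@
 {
   struct iovec iov;
-  union openvpn_pktinfo opi;
+  uint8_t pktinfo_buf[PKTINFO_BUF_SIZE];
   struct msghdr mesg;
   socklen_t fromlen = sizeof (from->dest.addr);
@@ -2711,6 +2700,6 @@
   mesg.msg_name = &from->dest.addr;
   mesg.msg_namelen = fromlen;
-  mesg.msg_control = &opi;
-  mesg.msg_controllen = sizeof opi;
+  mesg.msg_control = pktinfo_buf;
+  mesg.msg_controllen = sizeof pktinfo_buf;
   buf->len = recvmsg (sock->sd, &mesg, 0);
   if (buf->len >= 0)
@@ -2724,11 +2713,12 @@
           && cmsg->cmsg_level == SOL_IP
           && cmsg->cmsg_type == IP_PKTINFO
+          && cmsg->cmsg_len >= CMSG_LEN(sizeof(struct in_pktinfo)) )
 #elif defined(IP_RECVDSTADDR)
           && cmsg->cmsg_level == IPPROTO_IP
           && cmsg->cmsg_type == IP_RECVDSTADDR
+          && cmsg->cmsg_len >= CMSG_LEN(sizeof(struct in_addr)) )
 #else
 #error ENABLE_IP_PKTINFO is set without IP_PKTINFO xor IP_RECVDSTADDR (fix syshead.h)
 #endif
-          && cmsg->cmsg_len >= sizeof (struct openvpn_in4_pktinfo))
         {
 #ifdef IP_PKTINFO
@@ -2746,5 +2736,5 @@
           && cmsg->cmsg_level == IPPROTO_IPV6
           && cmsg->cmsg_type == IPV6_PKTINFO
-          && cmsg->cmsg_len >= sizeof (struct openvpn_in6_pktinfo))
+          && cmsg->cmsg_len >= CMSG_LEN(sizeof(struct in6_pktinfo)) )
         {
           struct in6_pktinfo *pkti6 = (struct in6_pktinfo *) CMSG_DATA (cmsg);
@@ -2811,5 +2801,5 @@
   struct msghdr mesg;
   struct cmsghdr *cmsg;
-  union openvpn_pktinfo opi;
+  uint8_t pktinfo_buf[PKTINFO_BUF_SIZE];
 
   iov.iov_base = BPTR (buf);
@@ -2823,10 +2813,10 @@
         mesg.msg_name = &to->dest.addr.sa;
         mesg.msg_namelen = sizeof (struct sockaddr_in);
-        mesg.msg_control = &opi;
+        mesg.msg_control = pktinfo_buf;
         mesg.msg_flags = 0;
 #ifdef HAVE_IN_PKTINFO
-        mesg.msg_controllen = sizeof (struct openvpn_in4_pktinfo);
+        mesg.msg_controllen = CMSG_SPACE(sizeof (struct in_pktinfo));
         cmsg = CMSG_FIRSTHDR (&mesg);
-        cmsg->cmsg_len = sizeof (struct openvpn_in4_pktinfo);
+        cmsg->cmsg_len = CMSG_LEN(sizeof (struct in_pktinfo));
         cmsg->cmsg_level = SOL_IP;
         cmsg->cmsg_type = IP_PKTINFO;
@@ -2839,5 +2829,5 @@
         }
 #elif defined(IP_RECVDSTADDR)
-        ASSERT( CMSG_SPACE(sizeof (struct in_addr)) <= sizeof(opi) );
+        ASSERT( CMSG_SPACE(sizeof (struct in_addr)) <= sizeof(pktinfo_buf) );
         mesg.msg_controllen = CMSG_SPACE(sizeof (struct in_addr));
         cmsg = CMSG_FIRSTHDR (&mesg);
@@ -2856,11 +2846,14 @@
         mesg.msg_name = &to->dest.addr.sa;
         mesg.msg_namelen = sizeof (struct sockaddr_in6);
-        mesg.msg_control = &opi;
-        mesg.msg_controllen = sizeof (struct openvpn_in6_pktinfo);
+
+        ASSERT( CMSG_SPACE(sizeof (struct in6_pktinfo)) <= sizeof(pktinfo_buf) );
+        mesg.msg_control = pktinfo_buf;
+        mesg.msg_controllen = CMSG_SPACE(sizeof (struct in6_pktinfo));
         mesg.msg_flags = 0;
         cmsg = CMSG_FIRSTHDR (&mesg);
-        cmsg->cmsg_len = sizeof (struct openvpn_in6_pktinfo);
+        cmsg->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo));
         cmsg->cmsg_level = IPPROTO_IPV6;
         cmsg->cmsg_type = IPV6_PKTINFO;
+
         pkti6 = (struct in6_pktinfo *) CMSG_DATA (cmsg);
         pkti6->ipi6_ifindex = to->pi.in6.ipi6_ifindex;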
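Review bot: `uint8_t pktinfo_buf[PKTINFO_BUF_SIZE];` is a plain byte array, which carries no alignment guarantee for the `struct cmsghdr` that `CMSG_FIRSTHDR (&mesg)` hands back and that the code then reads and writes, in both the receive and the send function. Declaring the buffer as `union { struct cmsghdr hdr; uint8_t buf[PKTINFO_BUF_SIZE]; } pktinfo_buf;` and passing `pktinfo_buf.buf` keeps the new size computation and gives the header its natural alignment. The `HAVE_IN_PKTINFO` send branch is also the only one without the `ASSERT( CMSG_SPACE(...) <= sizeof(pktinfo_buf) )` that the `IP_RECVDSTADDR` and IPv6 branches carry; adding `ASSERT( CMSG_SPACE(sizeof (struct in_pktinfo)) <= sizeof(pktinfo_buf) );` there would make the three consistent. Both functions start and end outside the hunks.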
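--- a/src/router/openvpn/src/openvpn/ssl.c
+++ b/src/router/openvpn/src/openvpn/ssl.c
@@ -268,6 +268,27 @@
   }
 
-  // No entry found, return NULL
+  /* No entry found, return NULL */
   return NULL;
+}
+
+/**
+ * Limit the reneg_bytes value when using a small-block (<128 bytes) cipher.
+ *
+ * @param cipher        The current cipher (may be NULL).
+ * @param reneg_bytes   Pointer to the current reneg_bytes, updated if needed.
+ *                      May *not* be NULL.
+ */
+static void
+tls_limit_reneg_bytes (const cipher_kt_t *cipher, int *reneg_bytes)
+{
+  if (cipher && (cipher_kt_block_size(cipher) < 128/8))
+    {
+      if (*reneg_bytes == -1) /* Not user-specified */
+        {
+          msg (M_WARN, "WARNING: cipher with small block size in use, "
+               "reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.");
+          *reneg_bytes = 64 * 1024 * 1024;
+        }
+    }
 }
 
@@ -1957,4 +1978,6 @@
                      
       CLEAR (*ks->key_src);
+      tls_limit_reneg_bytes (session->opt->key_type.cipher,
+                             &session->opt->renegotiate_bytes);
     }
 
@@ -2223,5 +2246,5 @@
       ((session->opt->renegotiate_seconds
         && now >= ks->established + session->opt->renegotiate_seconds)
-       || (session->opt->renegotiate_bytes
+       || (session->opt->renegotiate_bytes > 0
            && ks->n_bytes >= session->opt->renegotiate_bytes)
        || (session->opt->renegotiate_packets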
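Review bot: The doc comment on `tls_limit_reneg_bytes` says `small-block (<128 bytes)` while the code tests `cipher_kt_block_size(cipher) < 128/8`, that is fewer than 128 bits; the first line should read `Limit the reneg_bytes value when using a small-block (<128 bit) cipher.` The comment also leaves out the contract a reader needs: only the value -1 (not user-specified) is replaced by the 64 MB limit, and any explicit value, including 0, is left untouched, so a user who disables byte-based renegotiation keeps a small-block cipher without this mitigation. A `@param reneg_bytes` line stating `-1 means not user-specified; only then is it lowered` would cover it.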
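--- a/src/router/openvpn/src/openvpn/ssl_openssl.c
+++ b/src/router/openvpn/src/openvpn/ssl_openssl.c
@@ -295,5 +295,5 @@
   ASSERT(NULL != ctx);
 
-  // Translate IANA cipher suite names to OpenSSL names
+  /* Translate IANA cipher suite names to OpenSSL names */
   begin_of_cipher = end_of_cipher = 0;
   for (; begin_of_cipher < strlen(ciphers); begin_of_cipher = end_of_cipher) {
@@ -303,29 +303,30 @@
       if (NULL == cipher_pair)
         {
-          // No translation found, use original
-          current_cipher = &ciphers[begin_of_cipher];
-          current_cipher_len = end_of_cipher - begin_of_cipher;
-
-          // Issue warning on missing translation
-          // %.*s format specifier expects length of type int, so guarantee
-          // that length is small enough and cast to int.
-          msg (M_WARN, "No valid translation found for TLS cipher '%.*s'",
-              (int) MIN(current_cipher_len, 256), current_cipher);
+          /* No translation found, use original */
+          current_cipher = &ciphers[begin_of_cipher];
+          current_cipher_len = end_of_cipher - begin_of_cipher;
+
+          /* Issue warning on missing translation
+           * %.*s format specifier expects length of type int, so guarantee
+           * that length is small enough and cast to int.
+           */
+          msg (M_WARN, "No valid translation found for TLS cipher '%.*s'",
+              (int) MIN(current_cipher_len, 256), current_cipher);
         }
       else
         {
-          // Use OpenSSL name
-          current_cipher = cipher_pair->openssl_name;
-          current_cipher_len = strlen(current_cipher);
+          /* Use OpenSSL name */
+          current_cipher = cipher_pair->openssl_name;
+          current_cipher_len = strlen(current_cipher);
 
           if (end_of_cipher - begin_of_cipher == current_cipher_len &&
               0 == memcmp (&ciphers[begin_of_cipher], cipher_pair->openssl_name, end_of_cipher - begin_of_cipher))
             {
-              // Non-IANA name used, show warning
+              /* Non-IANA name used, show warning */
               msg (M_WARN, "Deprecated TLS cipher name '%s', please use IANA name '%s'", cipher_pair->openssl_name, cipher_pair->iana_name);
             }
         }
 
-      // Make sure new cipher name fits in cipher string
+      /* Make sure new cipher name fits in cipher string */
       if (((sizeof(openssl_ciphers)-1) - openssl_ciphers_len) < current_cipher_len)
         {
@@ -335,5 +336,5 @@
         }
 
-      // Concatenate cipher name to OpenSSL cipher string
+      /* Concatenate cipher name to OpenSSL cipher string */
       memcpy(&openssl_ciphers[openssl_ciphers_len], current_cipher, current_cipher_len);
       openssl_ciphers_len += current_cipher_len;
@@ -347,5 +348,5 @@
     openssl_ciphers[openssl_ciphers_len-1] = '\0';
 
-  // Set OpenSSL cipher list
+  /* Set OpenSSL cipher list */
   if(!SSL_CTX_set_cipher_list(ctx->ctx, openssl_ciphers))
     crypto_msg (M_FATAL, "Failed to set restricted TLS cipher list: %s", openssl_ciphers);
@@ -1408,5 +1409,5 @@
 
       if (NULL == pair) {
-          // No translation found, print warning
+          /* No translation found, print warning */
           printf ("%s (No IANA name known to OpenVPN, use OpenSSL name.)\n", cipher_name);
       } else {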
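--- a/src/router/openvpn/src/openvpnserv/Makefile.in
+++ b/src/router/openvpn/src/openvpnserv/Makefile.in
@@ -1,3 +1,3 @@
-# Makefile.in generated by automake 1.14.1 from Makefile.am.
+# Makefile.in generated by automake 1.13.4 from Makefile.am.
 # @configure_input@
 
@@ -475,5 +475,5 @@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@       $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@       DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@   $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@   $(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
@@ -482,5 +482,5 @@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@       $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@       DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@   $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@   $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo: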
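--- a/src/router/openvpn/src/plugins/Makefile.in
+++ b/src/router/openvpn/src/plugins/Makefile.in
@@ -1,3 +1,3 @@
-# Makefile.in generated by automake 1.14.1 from Makefile.am.
+# Makefile.in generated by automake 1.13.4 from Makefile.am.
 # @configure_input@
 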
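--- a/src/router/openvpn/src/plugins/auth-pam/Makefile.in
+++ b/src/router/openvpn/src/plugins/auth-pam/Makefile.in
@@ -1,3 +1,3 @@
-# Makefile.in generated by automake 1.14.1 from Makefile.am.
+# Makefile.in generated by automake 1.13.4 from Makefile.am.
 # @configure_input@
 
@@ -489,5 +489,5 @@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@       $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@       DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@   $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@   $(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
@@ -496,5 +496,5 @@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@       $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@       DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@   $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@   $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo: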
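--- a/src/router/openvpn/src/plugins/auth-pam/utils.c
+++ b/src/router/openvpn/src/plugins/auth-pam/utils.c
@@ -60,5 +60,5 @@
   }
 
-  // state: all parameters are valid
+  /* state: all parameters are valid */
 
   const char *searching=tosearch;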
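--- a/src/router/openvpn/src/plugins/down-root/Makefile.in
+++ b/src/router/openvpn/src/plugins/down-root/Makefile.in
@@ -1,3 +1,3 @@
-# Makefile.in generated by automake 1.14.1 from Makefile.am.
+# Makefile.in generated by automake 1.13.4 from Makefile.am.
 # @configure_input@
 
@@ -480,5 +480,5 @@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@       $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@       DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@   $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@   $(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
@@ -487,5 +487,5 @@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@       $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@       DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@   $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@   $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo: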
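--- a/src/router/openvpn/tests/Makefile.am
+++ b/src/router/openvpn/tests/Makefile.am
@@ -15,5 +15,8 @@
 SUBDIRS = unit_tests
 
-test_scripts = t_client.sh t_lpback.sh t_cltsrv.sh
+test_scripts = t_client.sh
+if ENABLE_CRYPTO
+test_scripts += t_lpback.sh t_cltsrv.sh
+endif
 
 TESTS_ENVIRONMENT = top_srcdir="$(top_srcdir)"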
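--- a/src/router/openvpn/tests/Makefile.in
+++ b/src/router/openvpn/tests/Makefile.in
@@ -1,3 +1,3 @@
-# Makefile.in generated by automake 1.14.1 from Makefile.am.
+# Makefile.in generated by automake 1.13.4 from Makefile.am.
 # @configure_input@
 
@@ -90,7 +90,8 @@
 build_triplet = @build@
 host_triplet = @host@
+@ENABLE_CRYPTO_TRUE@am__append_1 = t_lpback.sh t_cltsrv.sh
 subdir = tests
 DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
-        $(srcdir)/t_client.sh.in $(dist_noinst_SCRIPTS)
+        $(srcdir)/t_client.sh.in $(am__dist_noinst_SCRIPTS_DIST)
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/m4/ax_emptyarray.m4 \
@@ -107,4 +108,6 @@
 CONFIG_CLEAN_FILES = t_client.sh
 CONFIG_CLEAN_VPATH_FILES =
+am__dist_noinst_SCRIPTS_DIST = t_client.sh t_lpback.sh t_cltsrv.sh \
+        t_cltsrv-down.sh
 SCRIPTS = $(dist_noinst_SCRIPTS)
 AM_V_P = $(am__v_P_@AM_V@)
@@ -383,5 +386,5 @@
 
 SUBDIRS = unit_tests
-test_scripts = t_client.sh t_lpback.sh t_cltsrv.sh
+test_scripts = t_client.sh $(am__append_1)
 TESTS_ENVIRONMENT = top_srcdir="$(top_srcdir)"
 TESTS = $(test_scripts)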
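--- a/src/router/openvpn/tests/t_client.sh
+++ b/src/router/openvpn/tests/t_client.sh
@@ -1,3 +1,3 @@
-#!/bin/bash
+#!/bin/sh
 #
 # run OpenVPN client against ``test reference'' server
@@ -25,4 +25,22 @@
 fi
 
+# Check for external dependencies
+which fping > /dev/null
+if [ $? -ne 0 ]; then
+    echo "$0: fping is not available in \$PATH" >&2
+    exit 77
+fi
+which fping6 > /dev/null
+if [ $? -ne 0 ]; then
+    echo "$0: fping6 is not available in \$PATH" >&2
+    exit 77
+fi
+
+KILL_EXEC=`which kill`
+if [ $? -ne 0 ]; then
+    echo "$0: kill not found in \$PATH" >&2
+    exit 77
+fi
+
 if [ ! -x "${top_builddir}/src/openvpn/openvpn" ]
 then
@@ -46,4 +64,7 @@
     exit 77
 fi
+
+# Ensure PREFER_KSU is in a known state
+PREFER_KSU="${PREFER_KSU:-0}"
 
 # make sure we have permissions to run ifconfig/route from OpenVPN
@@ -53,4 +74,18 @@
 then :
 else
+    if [ "${PREFER_KSU}" -eq 1 ];
+    then
+        # Check if we have a valid kerberos ticket
+        klist -l 1>/dev/null 2>/dev/null
+        if [ $? -ne 0 ];
+        then
+            # No kerberos ticket found, skip ksu and fallback to RUN_SUDO
+            PREFER_KSU=0
+            echo "$0: No Kerberos ticket available.  Will not use ksu."
+        else
+            RUN_SUDO="ksu -q -e"
+        fi
+    fi
+
     if [ -z "$RUN_SUDO" ]
     then
@@ -58,4 +93,15 @@
         echo "      must be set correctly in 't_client.rc'. SKIP." >&2
         exit 77
+    else
+        # We have to use sudo. Make sure that we (hopefully) do not have
+        # to ask the users password during the test. This is done to
+        # prevent timing issues, e.g. when the waits for openvpn to start
+        if $RUN_SUDO $KILL_EXEC -0 $$
+        then
+            echo "$0: $RUN_SUDO $KILL_EXEC -0 succeeded, good."
+        else
+            echo "$0: $RUN_SUDO $KILL_EXEC -0 failed, cannot go on. SKIP." >&2
+            exit 77
+        fi
     fi
 fi
@@ -74,4 +120,5 @@
 # helper functions
 # ----------------------------------------------------------
+
 # print failure message, increase FAIL counter
 fail()
@@ -87,10 +134,10 @@
 {
     # linux / iproute2? (-> if configure got a path)
-    if [ -n "/bin/ip" ]
+    if [ -n "/sbin/ip" ]
     then
         echo "-- linux iproute2 --"
-        /bin/ip addr show     | grep -v valid_lft
-        /bin/ip route show
-        /bin/ip -o -6 route show | grep -v ' cache' | sed -E -e 's/ expires [0-9]*sec//' -e 's/ (mtu|hoplimit|cwnd|ssthresh) [0-9]+//g' -e 's/ (rtt|rttvar) [0-9]+ms//g'
+        /sbin/ip addr show     | grep -v valid_lft
+        /sbin/ip route show
+        /sbin/ip -o -6 route show | grep -v ' cache' | sed -E -e 's/ expires [0-9]*sec//' -e 's/ (mtu|hoplimit|cwnd|ssthresh) [0-9]+//g' -e 's/ (rtt|rttvar) [0-9]+ms//g'
         return
     fi
@@ -210,4 +257,7 @@
 do
     # get config variables
+    eval test_prep=\"\$PREPARE_$SUF\"
+    eval test_postinit=\"\$POSTINIT_CMD_$SUF\"
+    eval test_cleanup=\"\$CLEANUP_$SUF\"
     eval test_run_title=\"\$RUN_TITLE_$SUF\"
     eval openvpn_conf=\"\$OPENVPN_CONF_$SUF\"
@@ -217,6 +267,17 @@
     eval ping6_hosts=\"\$PING6_HOSTS_$SUF\"
 
+    # If EXCEPT_IFCONFIG* variables for this test are missing, run an --up
+    # script to generate them dynamically.
+    if [ -z "$expect_ifconfig4" ] || [ -z "$expect_ifconfig6" ]; then
+        up="--setenv TESTNUM $SUF --setenv TOP_BUILDDIR ${top_builddir} --script-security 2 --up ${top_builddir}/tests/update_t_client_ips.sh"
+    fi
+
     echo -e "\n### test run $SUF: '$test_run_title' ###\n"
     fail_count=0
+
+    if [ -n "$test_prep" ]; then
+        echo -e "running preparation: '$test_prep'"
+        eval $test_prep
+    fi
 
     echo "save pre-openvpn ifconfig + route"
@@ -234,25 +295,53 @@
     fi
 
+    pidfile="${top_builddir}/tests/$LOGDIR/openvpn-$SUF.pid"
+    openvpn_conf="$openvpn_conf --writepid $pidfile $up"
     echo " run openvpn $openvpn_conf"
     echo "# src/openvpn/openvpn $openvpn_conf" >$LOGDIR/$SUF:openvpn.log
+    umask 022
     $RUN_SUDO "${top_builddir}/src/openvpn/openvpn" $openvpn_conf >>$LOGDIR/$SUF:openvpn.log &
-    opid=$!
+    sudopid=$!
+
+    # Check if OpenVPN has initialized before continuing.  It will check every 3rd second up
+    # to $ovpn_init_check times.
+    ovpn_init_check=10
+    ovpn_init_success=0
+    while [ $ovpn_init_check -gt 0 ];
+    do
+       sleep 3  # Wait for OpenVPN to initialize and have had time to write the pid file
+       grep "Initialization Sequence Completed" $LOGDIR/$SUF:openvpn.log >/dev/null
+       if [ $? -eq 0 ]; then
+           ovpn_init_check=0
+           ovpn_init_success=1
+       fi
+       ovpn_init_check=$(( $ovpn_init_check - 1 ))
+    done
+
+    opid=`cat $pidfile`
+    if [ -n "$opid" ]; then
+        echo "  OpenVPN running with PID $opid"
+    else
+        echo "  Could not read OpenVPN PID file" >&2
+    fi
+
+    # If OpenVPN did not start
+    if [ $ovpn_init_success -ne 1 -o -z "$opid" ]; then
+        echo "$0:  OpenVPN did not initialize in a reasonable time" >&2
+        if [ -n "$opid" ]; then
+           $RUN_SUDO $KILL_EXEC $opid
+        fi
+        $RUN_SUDO $KILL_EXEC $sudopid
+        echo "tail -5 $SUF:openvpn.log" >&2
+        tail -5 $LOGDIR/$SUF:openvpn.log >&2
+        echo -e "\nFAIL. skip rest of sub-tests for test run $SUF.\n" >&2
+        trap - 0 1 2 3 15
+        SUMMARY_FAIL="$SUMMARY_FAIL $SUF"
+        exit_code=30
+        continue
+    fi
 
     # make sure openvpn client is terminated in case shell exits
-    trap "$RUN_SUDO kill $opid" 0
-    trap "$RUN_SUDO kill $opid ; trap - 0 ; exit 1" 1 2 3 15
-
-    echo "wait for connection to establish..."
-    sleep ${SETUP_TIME_WAIT:-10}
-
-    # test whether OpenVPN process is still there
-    if $RUN_SUDO kill -0 $opid
-    then :
-    else
-        echo -e "OpenVPN process has failed to start up, check log ($LOGDIR/$SUF:openvpn.log).  FAIL.\ntail of logfile follows:\n..." >&2
-        tail $LOGDIR/$SUF:openvpn.log >&2
-        trap - 0 1 2 3 15
-        exit 10
-    fi
+    trap "$RUN_SUDO $KILL_EXEC $opid" 0
+    trap "$RUN_SUDO $KILL_EXEC $opid ; trap - 0 ; exit 1" 1 2 3 15
 
     # compare whether anything changed in ifconfig/route setup?
@@ -269,4 +358,10 @@
     fi
 
+    # post init script needed?
+    if [ -n "$test_postinit" ]; then
+        echo -e "running post-init cmd: '$test_postinit'"
+        eval $test_postinit
+    fi
+
     # expected ifconfig values in there?
     check_ifconfig 4 "$expect_ifconfig4"
@@ -278,5 +373,5 @@
 
     echo "stopping OpenVPN"
-    $RUN_SUDO kill $opid
+    $RUN_SUDO $KILL_EXEC $opid
     wait $!
     rc=$?
@@ -305,4 +400,10 @@
         exit_code=30
     fi
+
+    if [ -n "$test_cleanup" ]; then
+        echo -e "cleaning up: '$test_cleanup'"
+        eval $test_cleanup
+    fi
+
 done
 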
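--- a/src/router/openvpn/tests/t_client.sh.in
+++ b/src/router/openvpn/tests/t_client.sh.in
@@ -25,4 +25,22 @@
 fi
 
+# Check for external dependencies
+which fping > /dev/null
+if [ $? -ne 0 ]; then
+    echo "$0: fping is not available in \$PATH" >&2
+    exit 77
+fi
+which fping6 > /dev/null
+if [ $? -ne 0 ]; then
+    echo "$0: fping6 is not available in \$PATH" >&2
+    exit 77
+fi
+
+KILL_EXEC=`which kill`
+if [ $? -ne 0 ]; then
+    echo "$0: kill not found in \$PATH" >&2
+    exit 77
+fi
+
 if [ ! -x "${top_builddir}/src/openvpn/openvpn" ]
 then
@@ -46,4 +64,7 @@
     exit 77
 fi
+
+# Ensure PREFER_KSU is in a known state
+PREFER_KSU="${PREFER_KSU:-0}"
 
 # make sure we have permissions to run ifconfig/route from OpenVPN
@@ -53,4 +74,18 @@
 then :
 else
+    if [ "${PREFER_KSU}" -eq 1 ];
+    then
+        # Check if we have a valid kerberos ticket
+        klist -l 1>/dev/null 2>/dev/null
+        if [ $? -ne 0 ];
+        then
+            # No kerberos ticket found, skip ksu and fallback to RUN_SUDO
+            PREFER_KSU=0
+            echo "$0: No Kerberos ticket available.  Will not use ksu."
+        else
+            RUN_SUDO="ksu -q -e"
+        fi
+    fi
+
     if [ -z "$RUN_SUDO" ]
     then
@@ -58,4 +93,15 @@
         echo "      must be set correctly in 't_client.rc'. SKIP." >&2
         exit 77
+    else
+        # We have to use sudo. Make sure that we (hopefully) do not have
+        # to ask the users password during the test. This is done to
+        # prevent timing issues, e.g. when the waits for openvpn to start
+        if $RUN_SUDO $KILL_EXEC -0 $$
+        then
+            echo "$0: $RUN_SUDO $KILL_EXEC -0 succeeded, good."
+        else
+            echo "$0: $RUN_SUDO $KILL_EXEC -0 failed, cannot go on. SKIP." >&2
+            exit 77
+        fi
     fi
 fi
@@ -74,4 +120,5 @@
 # helper functions
 # ----------------------------------------------------------
+
 # print failure message, increase FAIL counter
 fail()
@@ -210,4 +257,7 @@
 do
     # get config variables
+    eval test_prep=\"\$PREPARE_$SUF\"
+    eval test_postinit=\"\$POSTINIT_CMD_$SUF\"
+    eval test_cleanup=\"\$CLEANUP_$SUF\"
     eval test_run_title=\"\$RUN_TITLE_$SUF\"
     eval openvpn_conf=\"\$OPENVPN_CONF_$SUF\"
@@ -217,6 +267,17 @@
     eval ping6_hosts=\"\$PING6_HOSTS_$SUF\"
 
+    # If EXCEPT_IFCONFIG* variables for this test are missing, run an --up
+    # script to generate them dynamically.
+    if [ -z "$expect_ifconfig4" ] || [ -z "$expect_ifconfig6" ]; then
+        up="--setenv TESTNUM $SUF --setenv TOP_BUILDDIR ${top_builddir} --script-security 2 --up ${top_builddir}/tests/update_t_client_ips.sh"
+    fi
+
     echo -e "\n### test run $SUF: '$test_run_title' ###\n"
     fail_count=0
+
+    if [ -n "$test_prep" ]; then
+        echo -e "running preparation: '$test_prep'"
+        eval $test_prep
+    fi
 
     echo "save pre-openvpn ifconfig + route"
@@ -234,25 +295,53 @@
     fi
 
+    pidfile="${top_builddir}/tests/$LOGDIR/openvpn-$SUF.pid"
+    openvpn_conf="$openvpn_conf --writepid $pidfile $up"
     echo " run openvpn $openvpn_conf"
     echo "# src/openvpn/openvpn $openvpn_conf" >$LOGDIR/$SUF:openvpn.log
+    umask 022
     $RUN_SUDO "${top_builddir}/src/openvpn/openvpn" $openvpn_conf >>$LOGDIR/$SUF:openvpn.log &
-    opid=$!
+    sudopid=$!
+
+    # Check if OpenVPN has initialized before continuing.  It will check every 3rd second up
+    # to $ovpn_init_check times.
+    ovpn_init_check=10
+    ovpn_init_success=0
+    while [ $ovpn_init_check -gt 0 ];
+    do
+       sleep 3  # Wait for OpenVPN to initialize and have had time to write the pid file
+       grep "Initialization Sequence Completed" $LOGDIR/$SUF:openvpn.log >/dev/null
+       if [ $? -eq 0 ]; then
+           ovpn_init_check=0
+           ovpn_init_success=1
+       fi
+       ovpn_init_check=$(( $ovpn_init_check - 1 ))
+    done
+
+    opid=`cat $pidfile`
+    if [ -n "$opid" ]; then
+        echo "  OpenVPN running with PID $opid"
+    else
+        echo "  Could not read OpenVPN PID file" >&2
+    fi
+
+    # If OpenVPN did not start
+    if [ $ovpn_init_success -ne 1 -o -z "$opid" ]; then
+        echo "$0:  OpenVPN did not initialize in a reasonable time" >&2
+        if [ -n "$opid" ]; then
+           $RUN_SUDO $KILL_EXEC $opid
+        fi
+        $RUN_SUDO $KILL_EXEC $sudopid
+        echo "tail -5 $SUF:openvpn.log" >&2
+        tail -5 $LOGDIR/$SUF:openvpn.log >&2
+        echo -e "\nFAIL. skip rest of sub-tests for test run $SUF.\n" >&2
+        trap - 0 1 2 3 15
+        SUMMARY_FAIL="$SUMMARY_FAIL $SUF"
+        exit_code=30
+        continue
+    fi
 
     # make sure openvpn client is terminated in case shell exits
-    trap "$RUN_SUDO kill $opid" 0
-    trap "$RUN_SUDO kill $opid ; trap - 0 ; exit 1" 1 2 3 15
-
-    echo "wait for connection to establish..."
-    sleep ${SETUP_TIME_WAIT:-10}
-
-    # test whether OpenVPN process is still there
-    if $RUN_SUDO kill -0 $opid
-    then :
-    else
-        echo -e "OpenVPN process has failed to start up, check log ($LOGDIR/$SUF:openvpn.log).  FAIL.\ntail of logfile follows:\n..." >&2
-        tail $LOGDIR/$SUF:openvpn.log >&2
-        trap - 0 1 2 3 15
-        exit 10
-    fi
+    trap "$RUN_SUDO $KILL_EXEC $opid" 0
+    trap "$RUN_SUDO $KILL_EXEC $opid ; trap - 0 ; exit 1" 1 2 3 15
 
     # compare whether anything changed in ifconfig/route setup?
@@ -269,4 +358,10 @@
     fi
 
+    # post init script needed?
+    if [ -n "$test_postinit" ]; then
+        echo -e "running post-init cmd: '$test_postinit'"
+        eval $test_postinit
+    fi
+
     # expected ifconfig values in there?
     check_ifconfig 4 "$expect_ifconfig4"
@@ -278,5 +373,5 @@
 
     echo "stopping OpenVPN"
-    $RUN_SUDO kill $opid
+    $RUN_SUDO $KILL_EXEC $opid
     wait $!
     rc=$?
@@ -305,4 +400,10 @@
         exit_code=30
     fi
+
+    if [ -n "$test_cleanup" ]; then
+        echo -e "cleaning up: '$test_cleanup'"
+        eval $test_cleanup
+    fi
+
 done
 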
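Review bot: The value read by ``opid=`cat $pidfile` `` (new line 320) is passed unquoted and unvalidated to `$RUN_SUDO $KILL_EXEC $opid` and to both `trap` strings, so anything in that file other than one live PID becomes an argument to a privileged kill. The file sits under `${top_builddir}/tests/$LOGDIR`, and nothing in the visible hunks removes an old copy before OpenVPN starts; whether a leftover file can exist depends on how `$LOGDIR` is chosen, which is outside these hunks. I would add `rm -f "$pidfile"` before the launch and, right after the read, `case "$opid" in ''|*[!0-9]*) opid= ;; esac`, so the existing `-z "$opid"` branch handles a bad file. The same lines appear in the preceding file section of this changeset.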
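--- a/src/router/openvpn/tests/unit_tests/Makefile.in
+++ b/src/router/openvpn/tests/unit_tests/Makefile.in
@@ -1,3 +1,3 @@
-# Makefile.in generated by automake 1.14.1 from Makefile.am.
+# Makefile.in generated by automake 1.13.4 from Makefile.am.
 # @configure_input@
 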
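--- a/src/router/openvpn/tests/unit_tests/example_test/Makefile.in
+++ b/src/router/openvpn/tests/unit_tests/example_test/Makefile.in
@@ -1,3 +1,3 @@
-# Makefile.in generated by automake 1.14.1 from Makefile.am.
+# Makefile.in generated by automake 1.13.4 from Makefile.am.
 # @configure_input@
 
@@ -441,5 +441,5 @@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@       $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@       DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@   $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@   $(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
@@ -448,5 +448,5 @@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@       $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@       DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@   $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@   $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo: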
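--- a/src/router/openvpn/tests/unit_tests/plugins/Makefile.in
+++ b/src/router/openvpn/tests/unit_tests/plugins/Makefile.in
@@ -1,3 +1,3 @@
-# Makefile.in generated by automake 1.14.1 from Makefile.am.
+# Makefile.in generated by automake 1.13.4 from Makefile.am.
 # @configure_input@
 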
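--- a/src/router/openvpn/tests/unit_tests/plugins/auth-pam/Makefile.in
+++ b/src/router/openvpn/tests/unit_tests/plugins/auth-pam/Makefile.in
@@ -1,3 +1,3 @@
-# Makefile.in generated by automake 1.14.1 from Makefile.am.
+# Makefile.in generated by automake 1.13.4 from Makefile.am.
 # @configure_input@
 
@@ -429,5 +429,5 @@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@       $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@       DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@   $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@   $(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
@@ -436,5 +436,5 @@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@       $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@       DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@   $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@   $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo: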
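--- a/src/router/openvpn/vendor/Makefile.in
+++ b/src/router/openvpn/vendor/Makefile.in
@@ -1,3 +1,3 @@
-# Makefile.in generated by automake 1.14.1 from Makefile.am.
+# Makefile.in generated by automake 1.13.4 from Makefile.am.
 # @configure_input@
 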
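--- a/src/router/openvpn/version.m4
+++ b/src/router/openvpn/version.m4
@@ -2,7 +2,7 @@
 define([PRODUCT_NAME], [OpenVPN])
 define([PRODUCT_TARNAME], [openvpn])
-define([PRODUCT_VERSION], [2.3.12])
+define([PRODUCT_VERSION], [2.3.13])
 define([PRODUCT_BUGREPORT], [openvpn-users@lists.sourceforge.net])
-define([PRODUCT_VERSION_RESOURCE], [2,3,12,0])
+define([PRODUCT_VERSION_RESOURCE], [2,3,13,0])
 dnl define the TAP version
 define([PRODUCT_TAP_WIN_COMPONENT_ID], [tap0901])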