Some filesystems don't like ':', which is a path 'make dist' would use
In commit 7a845401043dbd9c the version.m4 was modified to remove the
alpha1 tag. But then Alon Bar-Lev noticed that NTFS wasn't happy about
the ':' character. So let's rather just skip the complete 'git:'
prefix and use just 'master' instead.
Reported-by: Alon Bar-Lev <alon.barlev@gmail.com> Signed-off-by: David Sommerseth <davids@redhat.com>
To avoid confusion between check_file_access() and check_cmd_access() in
the future, remove unneeded arguments from check_cmd_access()
As a command will always be a file, it should always check for CHKACC_FILE
and nothing else. And as the commands always will need X_OK, check only
for that.
One change from earlier behaviour is that R_OK is not checked for. The
reason is that only scripts require R_OK to work. However, a system might
be installed with binaries with only X_OK set. If a script is missing
R_OK, then the execution will fail due to lacking permissions.
Clarified the docs and help screen about what a 'cmd' is
This also changes the descriptions of several options to note that they accept
a "command"; changes the description of --client-connect and --client-disconnect
to indicate that the temporary file's path is passed as the last argument to the
command, not the first argument; and adds a description of --route-pre-down to
the descriptions of the other --route options.
[DS: This patch is based on parts of the options.c.diff and the complete
openvpn.8.diff patch sent to the mailing list - where these docs changes
are merged together into this patch]
Signed-off-by: Jonathan K. Bullard <jkbullard@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: CAEsd45RkyJw6yUk1Jwkip70HkCjKYoU+V=do3N7SH7JOaHBZdw@mail.gmail.com
URL: http://article.gmane.org/gmane.network.openvpn.devel/6194 Signed-off-by: David Sommerseth <davids@redhat.com>
The current implementation of check_file_access() does not consider that
some options take scripts and executables as input. When some of these
commands are given arguments in the OpenVPN configuration,
check_file_access() would take those arguments as a part of the file name
to the command. Thus the file check would fail.
This patch improves that by introducing a check_cmd_access() function which
first splits out the arguments to the command before checking if the file
with the command is available.
[DS: This patch is split out from the options.c.diff patch sent to the
mailing list - where only the function changes are included here]
Signed-off-by: Jonathan K. Bullard <jkbullard@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: CAEsd45RkyJw6yUk1Jwkip70HkCjKYoU+V=do3N7SH7JOaHBZdw@mail.gmail.com
URL: http://article.gmane.org/gmane.network.openvpn.devel/6194 Signed-off-by: David Sommerseth <davids@redhat.com>
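The failure described in this entry, together with the X_OK-only rule from the check_cmd_access() clean-up entry further up, shown as an added example that is not taken from the OpenVPN source. The function names `cmd_ok_naive`, `first_token` and `cmd_ok_split` are hypothetical, the sample values are constructed, and the tokenizer splits on whitespace only, without the quoting a real config parser handles.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Naive check: treats the whole option value as one path, so any
 * argument after the command becomes part of the "file name". */
static int cmd_ok_naive(const char *value)
{
    return access(value, X_OK) == 0;
}

/* Copy the first whitespace-delimited token (the command itself) into
 * buf. Simplified assumption: no quoting or escaping is handled. */
static int first_token(const char *value, char *buf, size_t buflen)
{
    size_t start = strspn(value, " \t");
    size_t len = strcspn(value + start, " \t");

    if (len == 0 || len >= buflen)
        return -1;              /* empty value or token too long */
    memcpy(buf, value + start, len);
    buf[len] = '\0';
    return 0;
}

/* Split check: strip the arguments, then test only X_OK on the command.
 * R_OK is deliberately not required, so execute-only binaries pass. */
static int cmd_ok_split(const char *value)
{
    char cmd[4096];

    if (first_token(value, cmd, sizeof(cmd)) != 0)
        return 0;
    return access(cmd, X_OK) == 0;
}

int main(void)
{
    /* Constructed sample values for an option that takes a command. */
    const char *samples[] = { "/bin/sh", "/bin/sh -c true",
                              "/nonexistent/up.sh tun0" };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-26s naive=%d split=%d\n", samples[i],
               cmd_ok_naive(samples[i]), cmd_ok_split(samples[i]));
    return 0;
}
```

A check like this only reports configuration mistakes early; the file can still change between the check and the later execution, so the exec call's own error handling remains the authoritative result.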
Adriaan de Jong [Mon, 2 Apr 2012 07:28:06 +0000 (09:28 +0200)]
Removed stray "Fox-IT hardening" string.
Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: David Sommerseth <davids@redhat.com>
Message-Id: 1333351687-3732-5-git-send-email-dejong@fox-it.com
URL: http://article.gmane.org/gmane.network.openvpn.devel/6212 Signed-off-by: David Sommerseth <davids@redhat.com>
Adriaan de Jong [Mon, 2 Apr 2012 07:28:07 +0000 (09:28 +0200)]
Updated README.polarssl with build system changes.
Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: David Sommerseth <davids@redhat.com>
Message-Id: 1333351687-3732-6-git-send-email-dejong@fox-it.com
URL: http://article.gmane.org/gmane.network.openvpn.devel/6209 Signed-off-by: David Sommerseth <davids@redhat.com>
Adriaan de Jong [Mon, 2 Apr 2012 07:28:05 +0000 (09:28 +0200)]
Removed support for PolarSSL < 1.1
PolarSSL 1.0 and earlier use only the Havege RNG. Havege is based on timing
certain operations, using the RDTSC instruction. Although this is fine on
bare metal PCs, the RDTSC instruction is virtualised on some virtual
machine implementations. This can result in issues on those virtual
machines. PolarSSL fixes this potential issue by also using platform
entropy.
To ensure that OpenVPN is always built against a decent RNG, PolarSSL <1.1
is therefore no longer supported.
Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: David Sommerseth <davids@redhat.com>
Message-Id: 1333351687-3732-4-git-send-email-dejong@fox-it.com
URL: http://article.gmane.org/gmane.network.openvpn.devel/6211 Signed-off-by: David Sommerseth <davids@redhat.com>
Adriaan de Jong [Mon, 2 Apr 2012 07:28:02 +0000 (09:28 +0200)]
Added support for new PolarSSL 1.1 RNG
This patch, while retaining PolarSSL 1.0 support, introduces the PolarSSL 1.1 DRBG.
This RNG adds a number of features, including support for personalisation strings
and multiple entropy sources.
Personalisation strings have been implemented, based on PID, program name, place
within memory, and a hash of the user's certificate.
The entropy sources used are the platform default ones. Which ones these are
depends on how PolarSSL was built, but usually this includes:
- /dev/urandom or the Windows CryptoAPI RNG
- the HAVEGE RNG
- the output of PolarSSL's hardclock() call (usually RDTSC)
Finally, this patch moves to only one instance of the RNG per OpenVPN instance,
instead of one per keystate.
Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Signed-off-by: Eelse-jan Stutvoet <stutvoet@fox-it.com> Acked-by: James Yonan <james@openvpn.net>
Message-Id: 1333351687-3732-1-git-send-email-dejong@fox-it.com
URL: http://article.gmane.org/gmane.network.openvpn.devel/6210 Signed-off-by: David Sommerseth <davids@redhat.com>
Program received signal SIGSEGV, Segmentation fault.
packet_id_debug_print (msglevel=1174405255, p=0xa36bd0718,
pin=0x3de5feec1b0,
message=0xa330dde80 "PID_TEST", value=0) at
../../../src/openvpn/packet_id.c:504
504 for (i = 0; i < sl->x_size; ++i)
David Sommerseth [Fri, 27 Apr 2012 10:10:25 +0000 (12:10 +0200)]
Clean-up: Presume that Linux is always IPv6 capable at build time
These days it is highly unlikely that OpenVPN will be built in a non-IPv6
capable Linux environment. So remove compile-time related macros identifying
that.
This also solves an issue which was introduced in commit 51bd56f46f55177cf0f8b
where HAVE_TUN_PI is no longer detected. The tun_pi struct is defined in
linux/if_tun.h, which will be checked for later on. As this struct has history
in linux/if_tun.h all back to the beginning of the kernel git tree (2.6.12-rc2,
April 2005), it is considered not needed to check for this struct explicitly.
[ v2: Commit 7c0a2b5f2b4409 modifies some of the checks this patch touches. This
patch just adapts to those changes ]
Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de> Acked-by: Alon Bar-Lev <alon.barlev@gmail.com>
Message-Id: 1335521425-23391-1-git-send-email-davids@redhat.com
URL: http://article.gmane.org/gmane.network.openvpn.devel/6351
cleanup: add .gitattributes to control eol style explicitly
Having the text auto detection is a risk, as the detection may detect
text files that are not text and vice versa.
Having a global setting will create confusion and differentiate between
users. So this patch also moves this to the local repository.
Having git check out files differently in different OSes is also
not correct, as checkouts may be used in shares or in *NIX emulation
environments, so it has no effect.
Another issue is packaging, if we change out the tree differently
in several OSes, we may have different package content, which is
something that should be avoided.
Currently any editor of MS supports LF end of lines, so there is no
need to convert source files while checking out.
The Visual Studio files should be stored as CRLF as they are generated
by Visual Studio on every save, in a way that CRLF are added.
I handled only the files that may be touched by MS users.
Adriaan de Jong [Tue, 14 Feb 2012 10:11:26 +0000 (11:11 +0100)]
Migrated x509_get_sha1_hash to use the garbage collector
Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: James Yonan <james@openvpn.net> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
Adriaan de Jong [Tue, 14 Feb 2012 10:11:25 +0000 (11:11 +0100)]
Migrated x509_get_serial to use the garbage collector
Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: James Yonan <james@openvpn.net> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
Adriaan de Jong [Tue, 14 Feb 2012 10:11:24 +0000 (11:11 +0100)]
Migrated x509_get_subject to use the garbage collector
This also cleans up a messy call in pkcs11.c to _openssl_get_subject, as discussed at FOSDEM.
Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: James Yonan <james@openvpn.net> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
Igor Novgorodov [Tue, 28 Feb 2012 11:16:01 +0000 (15:16 +0400)]
Remove calls to OpenSSL when building with --disable-ssl
Move OpenSSL calls out from the generic crypto layer and into the
OpenSSL specific layer. Also don't load all algorithms if SSL
isn't enabled.
Error strings will also not be loaded into memory if ENABLE_SMALL
is configured.
Signed-off-by: Igor Novgorodov <igor@novg.net> Acked-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
Alon Bar-Lev [Wed, 29 Feb 2012 20:12:09 +0000 (22:12 +0200)]
build: proper lzo detection and usage
Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com> Acked-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
Alon Bar-Lev [Wed, 29 Feb 2012 20:12:04 +0000 (22:12 +0200)]
build: autoconf: minor cleanups
Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com> Acked-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
Alon Bar-Lev [Wed, 29 Feb 2012 20:12:02 +0000 (22:12 +0200)]
build: libdl usage
1. properly detect.
2. Link only required components.
3. No way we don't have LoadLibrary on Windows.
4. ENABLE_PLUGIN should be controlled in autoconf.
Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com> Acked-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
Alon Bar-Lev [Wed, 29 Feb 2012 20:11:56 +0000 (22:11 +0200)]
build: autotools: first pass of trivial autotools changes
Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com> Acked-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
Alon Bar-Lev [Wed, 29 Feb 2012 20:11:49 +0000 (22:11 +0200)]
Remove tap-win32
Introduce tap-windows.h which is modified tap-win32/common.h.
Except for the function rename, it is the same without the tap_id.
This file should be provided as part of tap-win32 MSI.
For now we hold a copy.
Alon Bar-Lev [Wed, 29 Feb 2012 20:11:45 +0000 (22:11 +0200)]
build: plugins: properly use CC, CFLAGS and LDFLAGS
Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com> Acked-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
Alon Bar-Lev [Wed, 29 Feb 2012 20:11:40 +0000 (22:11 +0200)]
fixup: init.c: add missing conditional for ENABLE_CLIENT_CR
Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com> Acked-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
Alon Bar-Lev [Wed, 29 Feb 2012 20:11:37 +0000 (22:11 +0200)]
cleanup: crypto_openssl.c: remove support for pre-openssl-0.9.6
autoconf is rejecting this anyway:
----
AC_MSG_CHECKING([that OpenSSL Library is at least version 0.9.6])
<snip>
AC_MSG_ERROR([OpenSSL crypto Library is too old.])
----
Alon Bar-Lev [Wed, 29 Feb 2012 20:11:35 +0000 (22:11 +0200)]
cleanup: win32.c: wrong printf format
Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com> Acked-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
Heiko Hund [Wed, 17 Aug 2011 15:53:01 +0000 (15:53 +0000)]
remove wrapper code for Windows CryptoAPI function
The CryptoAPI function CryptAcquireCertificatePrivateKey() was previously
unsupported in MinGW. With recent w32api headers it's now defined, mostly.
Since the code used to load the CryptoAPI DLL is prone to a DLL hijacking
attack [1], it's now a good time to get rid of the wrapper completely.
Just a few macros left that may still be undefined on some
systems using the original MinGW headers.
[1] http://isc.sans.edu/diary.html?storyid=9445
Signed-off-by: Heiko Hund <heiko.hund@sophos.com> Acked-by: James Yonan <james@openvpn.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/4979 Signed-off-by: David Sommerseth <davids@redhat.com>
David Sommerseth [Mon, 20 Feb 2012 09:31:54 +0000 (10:31 +0100)]
Revamp check_file_access() checks in stdin scenarios
It was discovered that --management also can take stdin as argument
instead of a file. Enabled this by revamping the check_file_access()
flags by adding CHKACC_ACPTSTDIN. Setting this flag will then consider
filenames as 'stdin' as always present.
The other place where 'stdin' was accepted is also modified to use this
flag instead.
Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Heiko Hund [Sat, 18 Feb 2012 19:44:12 +0000 (20:44 +0100)]
define access mode flag X_OK as 0 on Windows
The _access and _waccess functions in Windows don't know about
X_OK (1). If you pass an uneven mode flag the C runtime's default
invalid parameter handler ends execution of openvpn.
Signed-off-by: Heiko Hund <heiko.hund@sophos.com> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>