Hello community,
here is the log from the commit of package openvpn
checked in at Fri Jun 23 17:11:59 CEST 2006.
--------
--- openvpn/openvpn.changes 2006-04-19 13:11:40.000000000 +0200
+++ openvpn/openvpn.changes 2006-06-23 11:55:17.000000000 +0200
@@ -1,0 +2,28 @@
+Fri Jun 23 11:55:10 CEST 2006 - poeml@suse.de
+
+- upstream 2.0.7, with bug fixes:
+* When deleting routes under Linux, use the route metric
+ as a differentiator to ensure that the route teardown
+ process only deletes the identical route which was originally
+ added via the "route" directive (Roy Marples).
+* Fixed bug where --server directive in --dev tap mode
+ claimed that it would support subnets of /30 or less
+ but actually would only accept /29 or less.
+* Extend byte counters to 64 bits (M. van Cuijk).
+* Better sanity checking of --server and --server-bridge
+ IP pool ranges, so as not to hit the assertion at
+ pool.c:119 (2.0.5).
+* Fixed bug where --daemon and --management-query-passwords
+ used together would cause OpenVPN to block prior to
+ daemonization.
+* Fixed client/server race condition which could occur
+ when --auth-retry interact is set and the initially
+ provided auth-user-pass credentials are incorrect,
+ forcing a username/password re-query.
+* Fixed bug where if --daemon and --management-hold are
+ used together, --user or --group options would be ignored.
+* fix for CVE-2006-1629 integrated (disallow "setenv" to be pushed
+ to clients from the server)
+- build with fPIE/pie on SUSE 10.0 or newer, or on any other platform
+
+-------------------------------------------------------------------
Old:
----
openvpn-2.0.5-CVE-2006-1629.dif
openvpn-2.0.5.tar.bz2
New:
----
openvpn-2.0.7.tar.bz2
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ openvpn.spec ++++++
--- /var/tmp/diff_new_pack.DJvlhv/_old 2006-06-23 17:11:24.000000000 +0200
+++ /var/tmp/diff_new_pack.DJvlhv/_new 2006-06-23 17:11:24.000000000 +0200
@@ -1,5 +1,5 @@
#
-# spec file for package openvpn (Version 2.0.5)
+# spec file for package openvpn (Version 2.0.7)
#
# Copyright (c) 2006 SUSE LINUX Products GmbH, Nuernberg, Germany.
# This file and all modifications and additions to the pristine
@@ -16,14 +16,15 @@
License: GPL, LGPL
Group: Productivity/Networking/Security
Autoreqprov: on
+%if 0%{?suse_version}
PreReq: %insserv_prereq %fillup_prereq
-Version: 2.0.5
-Release: 11
+%endif
+Version: 2.0.7
+Release: 1
Summary: Create VPN over Wireless and Ethernet Networks using a Tun Device
Source: http://openvpn.net/release/openvpn-%{version}.tar.bz2
Source2: openvpn.init
Source3: openvpn-README.SUSE
-Patch1: openvpn-2.0.5-CVE-2006-1629.dif
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%description
@@ -37,12 +38,16 @@
%prep
%setup
-%patch1 -p1
%build
autoreconf -fi
-export CFLAGS="$RPM_OPT_FLAGS -Wall -fPIE"
-export LDFLAGS="-pie"
+export CFLAGS="$RPM_OPT_FLAGS -Wall"
+export LDFLAGS=
+# build with fPIE/pie on SUSE 10.0 or newer, or on any other platform
+%if %{?suse_version:%suse_version}%{?!suse_version:99999} > 930
+CFLAGS="$CFLAGS -fPIE"
+LDFLAGS="$LDFLAGS -pie"
+%endif
./configure --prefix=/usr --enable-pthread \
--mandir=%_mandir --with-lzo-headers=%_includedir/lzo
make
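Review bot: Inside the `%if` the hardening flags are appended with plain shell assignments (`CFLAGS="$CFLAGS -fPIE"`, `LDFLAGS="$LDFLAGS -pie"`), which only reach configure because both variables were `export`ed two lines earlier; that coupling is easy to break when the block is reordered. An explicit `export CFLAGS LDFLAGS` after the `%endif` removes the dependency on ordering. `export LDFLAGS=` also discards any LDFLAGS inherited from the build environment; if that is intended, the comment above the `%if` should say so.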
@@ -62,14 +67,14 @@
%post
%{fillup_and_insserv -f}
-%if %suse_version > 820
+%if %{?suse_version:%suse_version}%{?!suse_version:0} > 820
%preun
%stop_on_removal openvpn
%endif
%postun
-%if %suse_version > 820
+%if %{?suse_version:%suse_version}%{?!suse_version:0} > 820
%restart_on_update openvpn
%endif
%insserv_cleanup
@@ -93,6 +98,31 @@
%dir /var/run/openvpn
%changelog -n openvpn
+* Fri Jun 23 2006 - poeml@suse.de
+- upstream 2.0.7, with bug fixes:
+ * When deleting routes under Linux, use the route metric
+ as a differentiator to ensure that the route teardown
+ process only deletes the identical route which was originally
+ added via the "route" directive (Roy Marples).
+ * Fixed bug where --server directive in --dev tap mode
+ claimed that it would support subnets of /30 or less
+ but actually would only accept /29 or less.
+ * Extend byte counters to 64 bits (M. van Cuijk).
+ * Better sanity checking of --server and --server-bridge
+ IP pool ranges, so as not to hit the assertion at
+ pool.c:119 (2.0.5).
+ * Fixed bug where --daemon and --management-query-passwords
+ used together would cause OpenVPN to block prior to
+ daemonization.
+ * Fixed client/server race condition which could occur
+ when --auth-retry interact is set and the initially
+ provided auth-user-pass credentials are incorrect,
+ forcing a username/password re-query.
+ * Fixed bug where if --daemon and --management-hold are
+ used together, --user or --group options would be ignored.
+ * fix for CVE-2006-1629 integrated (disallow "setenv" to be pushed
+ to clients from the server)
+- build with fPIE/pie on SUSE 10.0 or newer, or on any other platform
* Wed Apr 19 2006 - poeml@suse.de
- security fix (CVE-2006-1629): disallow "setenv" to be pushed to
clients from the server [#165123]
++++++ openvpn-2.0.5.tar.bz2 -> openvpn-2.0.7.tar.bz2 ++++++
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/openvpn-2.0.5/ChangeLog new/openvpn-2.0.7/ChangeLog
--- old/openvpn-2.0.5/ChangeLog 2005-11-03 07:39:36.000000000 +0100
+++ new/openvpn-2.0.7/ChangeLog 2006-04-12 11:30:56.000000000 +0200
@@ -1,8 +1,77 @@
OpenVPN
Copyright (C) 2002-2005 OpenVPN Solutions LLC
-$Id: ChangeLog 765 2005-11-03 01:21:44Z james $
+$Id: ChangeLog 999 2006-04-12 09:07:59Z james $
+2006.04.12 -- Version 2.0.7
+
+* Code added in 2.0.6-rc1 to extend byte counters
+ to 64 bits caused a bug in the Windows version which has now
+ been fixed. The bug could cause intermittent crashes.
+
+2006.04.05 -- Version 2.0.6
+
+* Security Vulnerability affecting OpenVPN 2.0 through 2.0.5.
+ An OpenVPN client connecting to a
+ malicious or compromised server could potentially receive
+ "setenv" configuration directives from the server which could
+ cause arbitrary code execution on the client via a LD_PRELOAD
+ attack. A successful attack appears to require that (a) the
+ client has agreed to allow the server to push configuration
+ directives to it by including "pull" or the macro "client" in
+ its configuration file, (b) the client configuration file uses
+ a scripting directive such as "up" or "down", (c) the client
+ succesfully authenticates the server, (d) the server is
+ malicious or has been compromised and is under the control of
+ the attacker, and (e) the attacker has at least some level of
+ pre-existing control over files on the client (this might be
+ accomplished by having the server respond to a client web
+ request with a specially crafted file). Credit: Hendrik Weimer.
+ CVE-2006-1629.
+
+ The fix is to disallow "setenv" to be pushed to clients from
+ the server. For those who need this capability, OpenVPN
+ 2.1 supports a new "setenv-safe" directive which is free
+ of this vulnerability.
+
+* When deleting routes under Linux, use the route metric
+ as a differentiator to ensure that the route teardown
+ process only deletes the identical route which was originally
+ added via the "route" directive (Roy Marples).
+
+* Fix the t_cltsrv.sh file in FreeBSD 4 jails
+ (Matthias Andree, Dirk Meyer, Vasil Dimov).
+
+* Extended tun device configure code to support ethernet
+ bridging on NetBSD (Emmanuel Kasper).
+
+2006.01.03 -- Version 2.0.6-rc1
+
+* Fixed bug where "make check" inside a FreeBSD "jail"
+ would never complete (Matthias Andree).
+* Fixed bug where --server directive in --dev tap mode
+ claimed that it would support subnets of /30 or less
+ but actually would only accept /29 or less.
+* Extend byte counters to 64 bits (M. van Cuijk).
+* Fixed bug in acinclude.m4 where capability of compiler
+ to handle zero-length arrays in structs is tested
+ (David Stipp).
+* Fixed typo in manage.c where inline function declaration
+ was declared without the "static" keyword (David Stipp).
+* Removed redundant base64 code.
+* Better sanity checking of --server and --server-bridge
+ IP pool ranges, so as not to hit the assertion at
+ pool.c:119 (2.0.5).
+* Fixed bug where --daemon and --management-query-passwords
+ used together would cause OpenVPN to block prior to
+ daemonization.
+* Fixed client/server race condition which could occur
+ when --auth-retry interact is set and the initially
+ provided auth-user-pass credentials are incorrect,
+ forcing a username/password re-query.
+* Fixed bug where if --daemon and --management-hold are
+ used together, --user or --group options would be ignored.
+
2005.11.02 -- Version 2.0.5
* Fixed bug in Linux get_default_gateway function
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/openvpn-2.0.5/INSTALL new/openvpn-2.0.7/INSTALL
--- old/openvpn-2.0.5/INSTALL 2005-11-01 12:06:11.000000000 +0100
+++ new/openvpn-2.0.7/INSTALL 2005-12-29 03:08:32.000000000 +0100
@@ -179,6 +179,14 @@
http://vtun.sourceforge.net/tun/
and follow the installation instructions.
+ If you use OpenVPN on Linux 2.2 or 2.4 or Solaris, you may be
+ suffering from a bug which causes connections to hang under heavy load.
+ The symptoms are very similar to the MTU problems discussed frequently
+ in the OpenVPN mailing lists. But it turns out that this bug is not caused by
+ MTU problems. It's a bug in the tun/tap driver. A patch is provided here:
+
+ http://openvpn.net/patch/tun-sb.patch
+
* Solaris
For 64 bit, I used the tun-1.1.tar.gz source and compiled it.
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/openvpn-2.0.5/acinclude.m4 new/openvpn-2.0.7/acinclude.m4
--- old/openvpn-2.0.5/acinclude.m4 2005-11-01 12:06:11.000000000 +0100
+++ new/openvpn-2.0.7/acinclude.m4 2005-11-24 19:16:50.000000000 +0100
@@ -19,13 +19,13 @@
AC_MSG_RESULT([checking for C compiler empty array support])
AC_COMPILE_IFELSE(
[
- struct { int foo; int bar[0]; } mystruct;
+ struct { int foo; int bar[[0]]; } mystruct;
], [
AC_DEFINE_UNQUOTED(EMPTY_ARRAY_SIZE, 0, [Dimension to use for empty array declaration])
], [
AC_COMPILE_IFELSE(
[
- struct { int foo; int bar[]; } mystruct;
+ struct { int foo; int bar[[]]; } mystruct;
], [
AC_DEFINE_UNQUOTED(EMPTY_ARRAY_SIZE,, [Dimension to use for empty array declaration])
], [
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/openvpn-2.0.5/base64.c new/openvpn-2.0.7/base64.c
--- old/openvpn-2.0.5/base64.c 2005-11-01 12:06:11.000000000 +0100
+++ new/openvpn-2.0.7/base64.c 2005-12-12 18:09:42.000000000 +0100
@@ -39,7 +39,7 @@
#include "syshead.h"
-#if NTLM
+#ifdef ENABLE_HTTP_PROXY
#include "base64.h"
@@ -48,16 +48,6 @@
static char base64_chars[] =
"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
-static int
-pos(char c)
-{
- char *p;
- for (p = base64_chars; *p; p++)
- if (*p == c)
- return p - base64_chars;
- return -1;
-}
-
int
base64_encode(const void *data, int size, char **str)
{
@@ -96,6 +86,18 @@
return strlen(s);
}
+#if NTLM
+
+static int
+pos(char c)
+{
+ char *p;
+ for (p = base64_chars; *p; p++)
+ if (*p == c)
+ return p - base64_chars;
+ return -1;
+}
+
#define DECODE_ERROR 0xffffffff
static unsigned int
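Review bot: The file now tests its two feature macros in different styles, `#ifdef ENABLE_HTTP_PROXY` at the top of the file and `#if NTLM` around the relocated decoder helpers here; if configure can define NTLM as 0, `#if NTLM` is the right test and a one-line comment saying so would settle it, otherwise `#ifdef NTLM` keeps the file consistent. Since `pos` only reads the table, the cursor and, if base64_encode does not write to it either, the table could be const: `static const char base64_chars[]` and `const char *p;`. The matching `#endif /* NTLM */` is in the next hunk, so the decoder body between the two is not visible here.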
@@ -141,6 +143,8 @@
return q - (unsigned char *) data;
}
+#endif /* NTLM */
+
#else
static void dummy(void) {}
#endif
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/openvpn-2.0.5/base64.h new/openvpn-2.0.7/base64.h
--- old/openvpn-2.0.5/base64.h 2005-11-01 12:06:11.000000000 +0100
+++ new/openvpn-2.0.7/base64.h 2005-12-12 18:09:44.000000000 +0100
@@ -31,12 +31,10 @@
* SUCH DAMAGE.
*/
-/* $KTH: base64.h,v 1.2 1999/12/02 16:58:45 joda Exp $ */
-
#ifndef _BASE64_H_
#define _BASE64_H_
-#if NTLM
+#ifdef ENABLE_HTTP_PROXY
int base64_encode(const void *data, int size, char **str);
int base64_decode(const char *str, void *data);
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/openvpn-2.0.5/common.h new/openvpn-2.0.7/common.h
--- old/openvpn-2.0.5/common.h 2005-11-01 12:06:11.000000000 +0100
+++ new/openvpn-2.0.7/common.h 2006-04-12 11:08:03.000000000 +0200
@@ -26,9 +26,19 @@
#define COMMON_H
/*
- * Statistics counters.
+ * Statistics counters and associated printf formats.
*/
-typedef unsigned long counter_type;
+#ifdef USE_64_BIT_COUNTERS
+ typedef unsigned long long int counter_type;
+# ifdef WIN32
+# define counter_format "%I64u"
+# else
+# define counter_format "%llu"
+# endif
+#else
+ typedef unsigned int counter_type;
+# define counter_format "%u"
+#endif
/*
* Time intervals
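Review bot: The `#else` fallback changes counter_type from the previous `unsigned long` to `unsigned int`, which on LP64 platforms halves the counter width for any build without USE_64_BIT_COUNTERS; whether that macro is defined by default is not visible in this diff. If the fallback is meant to preserve the old behaviour, `typedef unsigned long counter_type;` together with `# define counter_format "%lu"` keeps the pre-2.0.6 width on LP64 while staying 32-bit where `long` is. A comment stating which build path is the default would also help readers of `setenv_counter` and the occ.c format strings that now depend on `counter_format`.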
@@ -43,7 +53,6 @@
/*
* Printf formats for special types
*/
-#define counter_format "%lu"
#define ptr_format "0x%08lx"
#define time_format "%lu"
#define fragment_header_format "0x%08x"
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/openvpn-2.0.5/config-win32.h new/openvpn-2.0.7/config-win32.h
--- old/openvpn-2.0.5/config-win32.h 2005-11-03 07:40:24.000000000 +0100
+++ new/openvpn-2.0.7/config-win32.h 2006-04-12 11:33:09.000000000 +0200
@@ -221,7 +221,7 @@
#define PACKAGE_TARNAME "openvpn"
/* Define to the version of this package. */
-#define PACKAGE_VERSION "2.0.5" /* AUTO_VERSION */
+#define PACKAGE_VERSION "2.0.7" /* AUTO_VERSION */
/* Define to the full name and version of this package. */
#ifdef DEBUG_LABEL
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/openvpn-2.0.5/configure new/openvpn-2.0.7/configure
--- old/openvpn-2.0.5/configure 2005-11-03 07:40:00.000000000 +0100
+++ new/openvpn-2.0.7/configure 2006-04-12 11:32:25.000000000 +0200
@@ -1,6 +1,6 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.59 for OpenVPN 2.0.5.
+# Generated by GNU Autoconf 2.59 for OpenVPN 2.0.7.
#
# Report bugs to .
#
@@ -269,8 +269,8 @@
# Identity of this package.
PACKAGE_NAME='OpenVPN'
PACKAGE_TARNAME='openvpn'
-PACKAGE_VERSION='2.0.5'
-PACKAGE_STRING='OpenVPN 2.0.5'
+PACKAGE_VERSION='2.0.7'
+PACKAGE_STRING='OpenVPN 2.0.7'
PACKAGE_BUGREPORT='openvpn-users@lists.sourceforge.net'
ac_unique_file="syshead.h"
@@ -780,7 +780,7 @@
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures OpenVPN 2.0.5 to adapt to many kinds of systems.
+\`configure' configures OpenVPN 2.0.7 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -847,7 +847,7 @@
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of OpenVPN 2.0.5:";;
+ short | recursive ) echo "Configuration of OpenVPN 2.0.7:";;
esac
cat <<\_ACEOF
@@ -996,7 +996,7 @@
test -n "$ac_init_help" && exit 0
if $ac_init_version; then
cat <<\_ACEOF
-OpenVPN configure 2.0.5
+OpenVPN configure 2.0.7
generated by GNU Autoconf 2.59
Copyright (C) 2003 Free Software Foundation, Inc.
@@ -1010,7 +1010,7 @@
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by OpenVPN $as_me 2.0.5, which was
+It was created by OpenVPN $as_me 2.0.7, which was
generated by GNU Autoconf 2.59. Invocation command line was
$ $0 $@
@@ -4684,7 +4684,7 @@
echo "${ECHO_T}checking for C compiler empty array support" >&6
cat >conftest.$ac_ext <<_ACEOF
- struct { int foo; int bar0; } mystruct;
+ struct { int foo; int bar[0]; } mystruct;
_ACEOF
rm -f conftest.$ac_objext
@@ -4723,7 +4723,7 @@
cat >conftest.$ac_ext <<_ACEOF
- struct { int foo; int bar; } mystruct;
+ struct { int foo; int bar[]; } mystruct;
_ACEOF
rm -f conftest.$ac_objext
@@ -11265,7 +11265,7 @@
} >&5
cat >&5 <<_CSEOF
-This file was extended by OpenVPN $as_me 2.0.5, which was
+This file was extended by OpenVPN $as_me 2.0.7, which was
generated by GNU Autoconf 2.59. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@@ -11328,7 +11328,7 @@
cat >>$CONFIG_STATUS <<_ACEOF
ac_cs_version="\\
-OpenVPN config.status 2.0.5
+OpenVPN config.status 2.0.7
configured by $0, generated by GNU Autoconf 2.59,
with options \\"`echo "$ac_configure_args" | sed 's/[\\""\`\$]/\\\\&/g'`\\"
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/openvpn-2.0.5/configure.ac new/openvpn-2.0.7/configure.ac
--- old/openvpn-2.0.5/configure.ac 2005-11-03 07:39:53.000000000 +0100
+++ new/openvpn-2.0.7/configure.ac 2006-04-12 11:32:17.000000000 +0200
@@ -25,7 +25,7 @@
AC_PREREQ(2.50)
-AC_INIT([OpenVPN], [2.0.5], [openvpn-users@lists.sourceforge.net], [openvpn])
+AC_INIT([OpenVPN], [2.0.7], [openvpn-users@lists.sourceforge.net], [openvpn])
AM_CONFIG_HEADER(config.h)
AC_CONFIG_SRCDIR(syshead.h)
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/openvpn-2.0.5/easy-rsa/2.0/README new/openvpn-2.0.7/easy-rsa/2.0/README
--- old/openvpn-2.0.5/easy-rsa/2.0/README 2005-11-02 19:42:39.000000000 +0100
+++ new/openvpn-2.0.7/easy-rsa/2.0/README 2006-01-07 08:31:22.000000000 +0100
@@ -47,6 +47,20 @@
* This release only affects the Linux/Unix version of easy-rsa.
The Windows version (written to use the Windows shell) is unchanged.
+* Use the revoke-full script to revoke a certificate, and generate
+ (or update) the crl.pem file in the keys directory (as set by the
+ vars script). Then use "crl-verify crl.pem" in your OpenVPN server
+ config file, so that OpenVPN can reject any connections coming from
+ clients which present a revoked certificate. Usage for the script is:
+
+ revoke-full <common-name>
+
+ Note this this procedure is primarily designed to revoke client
+ certificates. You could theoretically use this method to revoke
+ server certificates as well, but then you would need to propagate
+ the crl.pem file to all clients as well, and have them include
+ "crl-verify crl.pem" in their configuration files.
+
INSTALL easy-rsa
1. Edit vars.
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/openvpn-2.0.5/easy-rsa/2.0/openssl.cnf new/openvpn-2.0.7/easy-rsa/2.0/openssl.cnf
--- old/openvpn-2.0.5/easy-rsa/2.0/openssl.cnf 2005-11-02 19:42:39.000000000 +0100
+++ new/openvpn-2.0.7/easy-rsa/2.0/openssl.cnf 2005-11-13 03:17:49.000000000 +0100
@@ -207,6 +207,8 @@
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
+extendedKeyUsage=serverAuth
+keyUsage = digitalSignature, keyEncipherment
[ v3_req ]
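Review bot: The two added extensions are written in different styles (`extendedKeyUsage=serverAuth` versus `keyUsage = digitalSignature, keyEncipherment`); the neighbouring lines use the no-space form, so `keyUsage=digitalSignature, keyEncipherment` would match. Consider whether keyUsage should be marked critical (`keyUsage = critical, digitalSignature, keyEncipherment`) so a verifier that does not understand the extension rejects the certificate instead of ignoring it; the client certificate section of this file is outside the hunk, so I cannot tell whether client certificates receive a matching `clientAuth` restriction. These extensions only separate server from client certificates if the peer checks them, so the easy-rsa README hunk in this diff would be the place to name the OpenVPN client directive that enforces the distinction.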
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/openvpn-2.0.5/forward.c new/openvpn-2.0.7/forward.c
--- old/openvpn-2.0.5/forward.c 2005-11-01 12:06:11.000000000 +0100
+++ new/openvpn-2.0.7/forward.c 2005-12-13 18:09:13.000000000 +0100
@@ -297,6 +297,7 @@
void
schedule_exit (struct context *c, const int n_seconds)
{
+ tls_set_single_session (c->c2.tls_multi);
update_time ();
reset_coarse_timers (c);
event_timeout_init (&c->c2.scheduled_exit, n_seconds, now);
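Review bot: The new `tls_set_single_session (c->c2.tls_multi)` call runs unconditionally, and nothing in this hunk shows that `c->c2.tls_multi` is non-NULL in configurations that run without TLS (the callee is not in this diff). If tls_set_single_session does not itself tolerate a NULL argument, guard the call: `if (c->c2.tls_multi) tls_set_single_session (c->c2.tls_multi);`. A short comment on why the TLS session count is pinned before a scheduled exit would also help, since the connection between the two is not obvious from the call site.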
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/openvpn-2.0.5/helper.c new/openvpn-2.0.7/helper.c
--- old/openvpn-2.0.5/helper.c 2005-11-01 12:06:11.000000000 +0100
+++ new/openvpn-2.0.7/helper.c 2005-12-13 00:50:42.000000000 +0100
@@ -202,6 +202,7 @@
o->ifconfig_pool_defined = true;
o->ifconfig_pool_start = o->server_network + 4;
o->ifconfig_pool_end = (o->server_network | ~o->server_netmask) - pool_end_reserve;
+ ifconfig_pool_verify_range (M_USAGE, o->ifconfig_pool_start, o->ifconfig_pool_end);
helper_add_route (o->server_network, o->server_netmask, o);
if (o->enable_c2c)
push_option (o, print_opt_route (o->server_network, o->server_netmask, &o->gc), M_USAGE);
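Review bot: The result of `ifconfig_pool_verify_range` is discarded on the added line although the function returns a bool (pool.c later in this diff declares `bool ifconfig_pool_verify_range (const int msglevel, const in_addr_t start, const in_addr_t end)`); the code relies on `msg (M_USAGE, ...)` inside the callee terminating the process, which is not visible from here. The same pattern appears in the two following helper.c hunks (the `--dev tap` branch and the `--server-bridge` branch). If M_USAGE is indeed fatal, a comment such as `/* M_USAGE is fatal on failure; return value intentionally ignored */` documents the dependency; otherwise the result should be checked the way options.c does it in this diff, `if (!ifconfig_pool_verify_range (msglevel, start, end)) goto err;`. The enclosing function starts outside this hunk.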
@@ -210,7 +211,7 @@
}
else if (dev == DEV_TYPE_TAP)
{
- if (netbits >= 30)
+ if (netbits > 30)
msg (M_USAGE, "--server directive when used with --dev tap must define a subnet of %s or lower",
print_netmask (30, &gc));
@@ -221,6 +222,7 @@
o->ifconfig_pool_defined = true;
o->ifconfig_pool_start = o->server_network + 2;
o->ifconfig_pool_end = (o->server_network | ~o->server_netmask) - 1;
+ ifconfig_pool_verify_range (M_USAGE, o->ifconfig_pool_start, o->ifconfig_pool_end);
o->ifconfig_pool_netmask = o->server_netmask;
push_option (o, print_opt_route_gateway (o->server_network + 1, &o->gc), M_USAGE);
}
@@ -269,6 +271,7 @@
o->ifconfig_pool_defined = true;
o->ifconfig_pool_start = o->server_bridge_pool_start;
o->ifconfig_pool_end = o->server_bridge_pool_end;
+ ifconfig_pool_verify_range (M_USAGE, o->ifconfig_pool_start, o->ifconfig_pool_end);
o->ifconfig_pool_netmask = o->server_bridge_netmask;
push_option (o, print_opt_route_gateway (o->server_bridge_ip, &o->gc), M_USAGE);
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/openvpn-2.0.5/init.c new/openvpn-2.0.7/init.c
--- old/openvpn-2.0.5/init.c 2005-11-01 20:27:45.000000000 +0100
+++ new/openvpn-2.0.7/init.c 2006-04-05 08:42:32.000000000 +0200
@@ -98,14 +98,12 @@
}
}
-void
-context_init_1 (struct context *c)
+/*
+ * Query for private key and auth-user-pass username/passwords
+ */
+static void
+init_query_passwords (struct context *c)
{
- context_clear_1 (c);
-
- packet_id_persist_init (&c->c1.pid_persist);
- init_remote_list (c);
-
#if defined(USE_CRYPTO) && defined(USE_SSL)
/* Certificate password input */
if (c->options.key_pass_file)
@@ -114,11 +112,22 @@
#if P2MP
/* Auth user/pass input */
- if (c->options.auth_user_pass_file)
- {
- auth_user_pass_setup (c->options.auth_user_pass_file);
- }
+ {
+ if (c->options.auth_user_pass_file)
+ auth_user_pass_setup (c->options.auth_user_pass_file);
+ }
#endif
+}
+
+void
+context_init_1 (struct context *c)
+{
+ context_clear_1 (c);
+
+ packet_id_persist_init (&c->c1.pid_persist);
+ init_remote_list (c);
+
+ init_query_passwords (c);
#ifdef ENABLE_HTTP_PROXY
if (c->options.http_proxy_options)
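Review bot: The `#if P2MP` block in init_query_passwords wraps a single `if` statement in an otherwise purposeless brace pair (`{ if (c->options.auth_user_pass_file) auth_user_pass_setup (c->options.auth_user_pass_file); }`); the old code braced the call instead, which is the style used by the rest of this hunk. Note also that init_query_passwords is now called a second time from the reconnect path (the `auth_retry_get () == AR_INTERACT` hunk further down), so the certificate-password branch at the top of the function (`if (c->options.key_pass_file)`, whose body falls between the two init.c hunks) would run again on every such retry; if re-prompting for the private-key password is not intended there, the function's header comment should say so or that branch should be skipped on re-query. The function's signature is in the preceding hunk.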
@@ -372,8 +381,9 @@
do_uid_gid_chroot (struct context *c, bool no_delay)
{
static const char why_not[] = "will be delayed because of --client, --pull, or --up-delay";
+ struct context_0 *c0 = c->c0;
- if (c->first_time && !c->c2.uid_gid_set)
+ if (c->first_time && c0 && !c0->uid_gid_set)
{
/* chroot if requested */
if (c->options.chroot_dir)
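Review bot: With the new guard `if (c->first_time && c0 && !c0->uid_gid_set)` a first-time context whose `c->c0` is still NULL skips the chroot and the user/group downgrade silently; the old condition had no such escape hatch. do_init_first_time in this diff allocates c0 only when `!c->did_we_daemonize && !c->c0`, so the intent is presumably that c0 always exists by the time this runs, but nothing here enforces it. A diagnostic makes the failure visible instead of continuing with full privileges: `if (c->first_time && !c0) msg (M_WARN, "NOTE: context_0 missing, skipping chroot/UID/GID downgrade");` before the guard, or `ASSERT (c0)` under `c->first_time` if the invariant is meant to be hard. The function body continues in the next hunk.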
@@ -387,11 +397,11 @@
/* set user and/or group that we want to setuid/setgid to */
if (no_delay)
{
- set_group (&c->c2.group_state);
- set_user (&c->c2.user_state);
- c->c2.uid_gid_set = true;
+ set_group (&c0->group_state);
+ set_user (&c0->user_state);
+ c0->uid_gid_set = true;
}
- else if (c->c2.uid_gid_specified)
+ else if (c0->uid_gid_specified)
{
msg (M_INFO, "NOTE: UID/GID downgrade %s", why_not);
}
@@ -951,7 +961,6 @@
return ( OPT_P_UP
| OPT_P_ROUTE
| OPT_P_IPWIN32
- | OPT_P_SETENV
| OPT_P_SHAPER
| OPT_P_TIMER
| OPT_P_PERSIST
@@ -1018,7 +1027,7 @@
if (management)
{
/* if c is defined, daemonize before hold */
- if (c && c->options.daemon && management_would_hold (management))
+ if (c && c->options.daemon && management_should_daemonize (management))
do_init_first_time (c);
/* block until management hold is released */
@@ -1804,15 +1813,20 @@
static void
do_init_first_time (struct context *c)
{
- if (c->first_time && !c->did_we_daemonize)
+ if (c->first_time && !c->did_we_daemonize && !c->c0)
{
+ struct context_0 *c0;
+
+ ALLOC_OBJ_CLEAR_GC (c->c0, struct context_0, &c->gc);
+ c0 = c->c0;
+
/* get user and/or group that we want to setuid/setgid to */
- c->c2.uid_gid_specified =
- get_group (c->options.groupname, &c->c2.group_state) |
- get_user (c->options.username, &c->c2.user_state);
+ c0->uid_gid_specified =
+ get_group (c->options.groupname, &c0->group_state) |
+ get_user (c->options.username, &c0->user_state);
/* get --writepid file descriptor */
- get_pid_file (c->options.writepid, &c->c2.pid_state);
+ get_pid_file (c->options.writepid, &c0->pid_state);
/* become a daemon if --daemon */
c->did_we_daemonize = possibly_become_daemon (&c->options, c->first_time);
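Review bot: The rewritten assignment `c0->uid_gid_specified = get_group (...) | get_user (...)` uses a bitwise `|` so that both lookups run regardless of the first result; that was already the case in the removed lines and is presumably deliberate, but it reads like a typo for `||`. A comment on the new lines such as `/* bitwise OR: both lookups must run even if the first succeeds */` would prevent a well-meant future "fix". The function body continues past the hunk boundary.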
@@ -1822,7 +1836,7 @@
do_mlockall (true); /* call again in case we daemonized */
/* save process ID in a file */
- write_pid (&c->c2.pid_state);
+ write_pid (&c0->pid_state);
/* should we change scheduling priority? */
set_nice (c->options.nice);
@@ -2284,6 +2298,12 @@
goto sig;
}
+#if P2MP
+ /* get passwords if undefined */
+ if (auth_retry_get () == AR_INTERACT)
+ init_query_passwords (c);
+#endif
+
/* initialize context level 2 --verb/--mute parms */
init_verb_mute (c, IVM_LEVEL_2);
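Review bot: The comment `/* get passwords if undefined */` promises a conditional the code does not show: `init_query_passwords (c)` is invoked whenever `auth_retry_get () == AR_INTERACT`, and from the function's definition earlier in this diff it runs every configured credential query; whether auth_user_pass_setup skips already-defined credentials is outside the visible hunks. Either reword the comment to what is certain, e.g. `/* --auth-retry interact: re-query credentials so a rejected username/password can be re-entered */`, or make the "if undefined" check explicit at this call site. The enclosing function starts and ends outside the hunk.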
@@ -2507,8 +2527,6 @@
ASSERT (0);
}
- dest->first_time = false;
-
dest->gc = gc_new ();
ALLOC_OBJ_CLEAR_GC (dest->sig, struct signal_info, &dest->gc);
@@ -2584,6 +2602,7 @@
dest->mode = CM_TOP_CLONE;
dest->first_time = false;
+ dest->c0 = NULL;
options_detach (&dest->options);
gc_detach (&dest->gc);
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/openvpn-2.0.5/install-win32/openvpn.nsi new/openvpn-2.0.7/install-win32/openvpn.nsi
--- old/openvpn-2.0.5/install-win32/openvpn.nsi 2005-11-03 07:40:24.000000000 +0100
+++ new/openvpn-2.0.7/install-win32/openvpn.nsi 2006-04-12 11:33:09.000000000 +0200
@@ -14,7 +14,7 @@
!define BIN "${HOME}\bin"
!define PRODUCT_NAME "OpenVPN"
-!define VERSION "2.0.5" # AUTO_VERSION
+!define VERSION "2.0.7" # AUTO_VERSION
!define TAP "tap0801"
!define TAPDRV "${TAP}.sys"
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/openvpn-2.0.5/lzo.c new/openvpn-2.0.7/lzo.c
--- old/openvpn-2.0.5/lzo.c 2005-11-01 12:06:10.000000000 +0100
+++ new/openvpn-2.0.7/lzo.c 2005-11-24 06:56:02.000000000 +0100
@@ -81,7 +81,7 @@
return !ac->compress_state;
}
-inline static void
+static inline void
lzo_adaptive_compress_data (struct lzo_adaptive_compress *ac, int n_total, int n_comp)
{
if (ac->enabled)
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/openvpn-2.0.5/manage.c new/openvpn-2.0.7/manage.c
--- old/openvpn-2.0.5/manage.c 2005-11-01 12:06:11.000000000 +0100
+++ new/openvpn-2.0.7/manage.c 2005-12-13 15:15:55.000000000 +0100
@@ -1564,7 +1564,7 @@
#endif
-inline bool
+static inline bool
man_standalone_ok (const struct management *man)
{
return !man->settings.management_over_tunnel && man->connection.state != MS_INITIAL;
@@ -1797,6 +1797,16 @@
}
/*
+ * Return true if (from the management interface's perspective) OpenVPN should
+ * daemonize.
+ */
+bool
+management_should_daemonize (struct management *man)
+{
+ return management_would_hold (man) || man->settings.up_query_passwords;
+}
+
+/*
* If the hold flag is enabled, hibernate until a management client releases the hold.
* Return true if the caller should not sleep for an additional time interval.
*/
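Review bot: `management_should_daemonize` only reads through `man`, yet its parameter is `struct management *man`, while the accessor two hunks up in this file (`man_standalone_ok (const struct management *man)`) shows the convention of const-qualifying read-only accessors. Making it `bool management_should_daemonize (const struct management *man)` would require the same change to `management_would_hold`, whose prototype in manage.h (also in this diff) is non-const, so it is a two-declaration change. The header comment could also name the option behind `man->settings.up_query_passwords` (presumably --management-query-passwords, judging by the changelog entry about blocking before daemonization) so readers can connect the helper to the bug it fixes.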
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/openvpn-2.0.5/manage.h new/openvpn-2.0.7/manage.h
--- old/openvpn-2.0.5/manage.h 2005-11-01 12:06:11.000000000 +0100
+++ new/openvpn-2.0.7/manage.h 2005-12-13 15:15:56.000000000 +0100
@@ -281,6 +281,7 @@
bool management_query_user_pass (struct management *man, struct user_pass *up, const char *type, const bool password_only);
+bool management_should_daemonize (struct management *man);
bool management_would_hold (struct management *man);
bool management_hold (struct management *man);
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/openvpn-2.0.5/misc.c new/openvpn-2.0.7/misc.c
--- old/openvpn-2.0.5/misc.c 2005-11-01 12:06:11.000000000 +0100
+++ new/openvpn-2.0.7/misc.c 2005-11-05 08:04:22.000000000 +0100
@@ -843,6 +843,14 @@
/* add/modify/delete environmental strings */
void
+setenv_counter (struct env_set *es, const char *name, counter_type value)
+{
+ char buf[64];
+ openvpn_snprintf (buf, sizeof(buf), counter_format, value);
+ setenv_str (es, name, buf);
+}
+
+void
setenv_int (struct env_set *es, const char *name, int value)
{
char buf[64];
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/openvpn-2.0.5/misc.h new/openvpn-2.0.7/misc.h
--- old/openvpn-2.0.5/misc.h 2005-11-01 12:06:11.000000000 +0100
+++ new/openvpn-2.0.7/misc.h 2005-11-05 08:04:22.000000000 +0100
@@ -158,6 +158,7 @@
const unsigned int value_exclude,
const char value_replace);
+void setenv_counter (struct env_set *es, const char *name, counter_type value);
void setenv_int (struct env_set *es, const char *name, int value);
void setenv_str (struct env_set *es, const char *name, const char *value);
void setenv_del (struct env_set *es, const char *name);
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/openvpn-2.0.5/multi.c new/openvpn-2.0.7/multi.c
--- old/openvpn-2.0.5/multi.c 2005-11-01 19:21:15.000000000 +0100
+++ new/openvpn-2.0.7/multi.c 2005-11-05 08:04:22.000000000 +0100
@@ -396,8 +396,8 @@
setenv_trusted (mi->context.c2.es, get_link_socket_info (&mi->context));
/* setenv stats */
- setenv_int (mi->context.c2.es, "bytes_received", mi->context.c2.link_read_bytes);
- setenv_int (mi->context.c2.es, "bytes_sent", mi->context.c2.link_write_bytes);
+ setenv_counter (mi->context.c2.es, "bytes_received", mi->context.c2.link_read_bytes);
+ setenv_counter (mi->context.c2.es, "bytes_sent", mi->context.c2.link_write_bytes);
}
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/openvpn-2.0.5/occ.c new/openvpn-2.0.7/occ.c
--- old/openvpn-2.0.5/occ.c 2005-11-01 12:06:11.000000000 +0100
+++ new/openvpn-2.0.7/occ.c 2005-11-05 08:04:22.000000000 +0100
@@ -161,13 +161,16 @@
* Give up.
*/
msg (D_SHOW_OCC,
- "NOTE: failed to obtain options consistency info from peer -- this could occur if the remote peer is running a version of "
+ "NOTE: failed to obtain options consistency info from peer -- "
+ "this could occur if the remote peer is running a version of "
PACKAGE_NAME
" before 1.5-beta8 or if there is a network connectivity problem, and will not necessarily prevent "
PACKAGE_NAME
- " from running (%u bytes received from peer, %u bytes authenticated data channel traffic) -- you can disable the options consistency check with --disable-occ.",
- (unsigned int) c->c2.link_read_bytes,
- (unsigned int) c->c2.link_read_bytes_auth);
+ " from running (" counter_format " bytes received from peer, " counter_format
+ " bytes authenticated data channel traffic) -- you can disable the options consistency "
+ "check with --disable-occ.",
+ c->c2.link_read_bytes,
+ c->c2.link_read_bytes_auth);
event_timeout_clear (&c->c2.occ_interval);
}
else
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/openvpn-2.0.5/openvpn.h new/openvpn-2.0.7/openvpn.h
--- old/openvpn-2.0.5/openvpn.h 2005-11-01 13:42:42.000000000 +0100
+++ new/openvpn-2.0.7/openvpn.h 2005-12-14 00:48:31.000000000 +0100
@@ -117,6 +117,23 @@
struct buffer read_tun_buf;
};
+/*
+ * level 0 context contains data related to
+ * once-per OpenVPN instantiation events
+ * such as daemonization.
+ */
+struct context_0
+{
+ /* workspace for get_pid_file/write_pid */
+ struct pid_state pid_state;
+
+ /* workspace for --user/--group */
+ bool uid_gid_specified;
+ bool uid_gid_set;
+ struct user_state user_state;
+ struct group_state group_state;
+};
+
/*
* Contains the persist-across-restart OpenVPN tunnel instance state.
* Reset only for SIGHUP restarts.
@@ -335,15 +352,6 @@
*/
bool ipv4_tun;
- /* workspace for get_pid_file/write_pid */
- struct pid_state pid_state;
-
- /* workspace for --user/--group */
- bool uid_gid_specified;
- bool uid_gid_set;
- struct user_state user_state;
- struct group_state group_state;
-
/* should we print R|W|r|w to console on packet transfers? */
bool log_rw;
@@ -447,6 +455,11 @@
/* set to true after we daemonize */
bool did_we_daemonize;
+ /* level 0 context contains data related to
+ once-per OpenVPN instantiation events
+ such as daemonization */
+ struct context_0 *c0;
+
/* level 1 context is preserved for
SIGUSR1 restarts, but initialized
for SIGHUP restarts */
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/openvpn-2.0.5/openvpn.spec new/openvpn-2.0.7/openvpn.spec
--- old/openvpn-2.0.5/openvpn.spec 2005-11-03 07:40:24.000000000 +0100
+++ new/openvpn-2.0.7/openvpn.spec 2006-04-12 11:33:09.000000000 +0200
@@ -16,7 +16,7 @@
Summary: OpenVPN is a robust and highly flexible VPN daemon by James Yonan.
Name: openvpn
-Version: 2.0.5
+Version: 2.0.7
Release: 1
URL: http://openvpn.net/
Source0: http://prdownloads.sourceforge.net/openvpn/%{name}-%{version}.tar.gz
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/openvpn-2.0.5/options.c new/openvpn-2.0.7/options.c
--- old/openvpn-2.0.5/options.c 2005-11-01 12:06:11.000000000 +0100
+++ new/openvpn-2.0.7/options.c 2005-12-13 00:50:43.000000000 +0100
@@ -881,7 +881,7 @@
}
#endif
-#if defined(ENABLE_HTTP_PROXY) && defined (ENABLE_DEBUG)
+#if defined(ENABLE_HTTP_PROXY) && defined(ENABLE_DEBUG)
static void
show_http_proxy_options (const struct http_proxy_options *o)
{
@@ -3659,17 +3659,8 @@
msg (msglevel, "error parsing --ifconfig-pool parameters");
goto err;
}
- if (start > end)
- {
- msg (msglevel, "--ifconfig-pool start IP is greater than end IP");
- goto err;
- }
- if (end - start >= IFCONFIG_POOL_MAX)
- {
- msg (msglevel, "--ifconfig-pool address range is too large. Current maximum is %d addresses.",
- IFCONFIG_POOL_MAX);
- goto err;
- }
+ if (!ifconfig_pool_verify_range (msglevel, start, end))
+ goto err;
options->ifconfig_pool_defined = true;
options->ifconfig_pool_start = start;
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/openvpn-2.0.5/pool.c new/openvpn-2.0.7/pool.c
--- old/openvpn-2.0.5/pool.c 2005-11-01 12:06:10.000000000 +0100
+++ new/openvpn-2.0.7/pool.c 2005-12-13 00:58:51.000000000 +0100
@@ -109,6 +109,33 @@
return -1;
}
+/*
+ * Verify start/end range
+ */
+bool
+ifconfig_pool_verify_range (const int msglevel, const in_addr_t start, const in_addr_t end)
+{
+ struct gc_arena gc = gc_new ();
+ bool ret = true;
+
+ if (start > end)
+ {
+ msg (msglevel, "--ifconfig-pool start IP [%s] is greater than end IP [%s]",
+ print_in_addr_t (start, 0, &gc),
+ print_in_addr_t (end, 0, &gc));
+ ret = false;
+ }
+ if (end - start >= IFCONFIG_POOL_MAX)
+ {
+ msg (msglevel, "--ifconfig-pool address range is too large [%s -> %s]. Current maximum is %d addresses, as defined by IFCONFIG_POOL_MAX variable.",
+ print_in_addr_t (start, 0, &gc),
+ print_in_addr_t (end, 0, &gc),
+ IFCONFIG_POOL_MAX);
+ ret = false;
+ }
+ gc_free (&gc);
+ return ret;
+}
struct ifconfig_pool *
ifconfig_pool_init (int type, in_addr_t start, in_addr_t end, const bool duplicate_cn)
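Review bot: When `start > end`, the second check `if (end - start >= IFCONFIG_POOL_MAX)` fires as well, because `in_addr_t` is an unsigned type on the usual platforms and the subtraction wraps to a large value, so one inverted range produces two messages and the second one ("address range is too large") is misleading. Make the size test depend on the order test having passed: `else if (end - start >= IFCONFIG_POOL_MAX)`. Returning `ret` instead of aborting is the right shape here, since the options.c caller in this same diff relies on a false result to `goto err` before the pool is ever built.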
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/openvpn-2.0.5/pool.h new/openvpn-2.0.7/pool.h
--- old/openvpn-2.0.5/pool.h 2005-11-01 12:06:10.000000000 +0100
+++ new/openvpn-2.0.7/pool.h 2005-12-13 00:51:40.000000000 +0100
@@ -68,6 +68,8 @@
void ifconfig_pool_free (struct ifconfig_pool *pool);
+bool ifconfig_pool_verify_range (const int msglevel, const in_addr_t start, const in_addr_t end);
+
ifconfig_pool_handle ifconfig_pool_acquire (struct ifconfig_pool *pool, in_addr_t *local, in_addr_t *remote, const char *common_name);
bool ifconfig_pool_release (struct ifconfig_pool* pool, ifconfig_pool_handle hand, const bool hard);
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/openvpn-2.0.5/proxy.c new/openvpn-2.0.7/proxy.c
--- old/openvpn-2.0.5/proxy.c 2005-11-01 12:06:11.000000000 +0100
+++ new/openvpn-2.0.7/proxy.c 2005-12-12 18:30:25.000000000 +0100
@@ -38,6 +38,7 @@
#include "socket.h"
#include "fdmisc.h"
#include "proxy.h"
+#include "base64.h"
#include "ntlm.h"
#include "memdbg.h"
@@ -192,42 +193,12 @@
uint8_t *
make_base64_string2 (const uint8_t *str, int src_len, struct gc_arena *gc)
{
- static const char base64_table[] =
- "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
-
- uint8_t *buf;
- const uint8_t *src;
- uint8_t *dst;
- int bits, data, dst_len;
-
- /* make base64 string */
- dst_len = (src_len + 2) / 3 * 4;
- buf = gc_malloc (dst_len + 1, false, gc);
- bits = data = 0;
- src = str;
- dst = buf;
- while (dst_len--)
- {
- if (bits < 6)
- {
- data = (data << 8) | *src;
- bits += 8;
- src++;
- }
- *dst++ = base64_table[0x3F & (data >> (bits - 6))];
- bits -= 6;
- }
- *dst = '\0';
-
- /* fix-up tail padding */
- switch (src_len % 3)
- {
- case 1:
- *--dst = '=';
- case 2:
- *--dst = '=';
- }
- return buf;
+ uint8_t *ret = NULL;
+ char *b64out = NULL;
+ ASSERT (base64_encode ((const void *)str, src_len, &b64out) >= 0);
+ ret = (uint8_t *) string_alloc (b64out, gc);
+ free (b64out);
+ return ret;
}
uint8_t *
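Review bot: `ASSERT (base64_encode (...) >= 0)` puts the only call to the encoder inside an assertion macro, so an encoder failure (the output is heap-allocated, as the `free (b64out)` below shows, so allocation failure is one such case) becomes a process abort with no useful message, and if ASSERT were ever compiled out the encoding would be skipped and `string_alloc (NULL, gc)` would run on a NULL pointer. Separate the call from the check: `if (base64_encode ((const void *)str, src_len, &b64out) < 0) msg (M_FATAL, "base64_encode failed");` which keeps the current cannot-continue semantics but says why. If this helper is the one used to build Proxy-Authorization credentials (its callers are outside the hunk), note also that `b64out` is released with a plain `free` without being cleared first.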
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/openvpn-2.0.5/route.c new/openvpn-2.0.7/route.c
--- old/openvpn-2.0.5/route.c 2005-11-03 01:51:57.000000000 +0100
+++ new/openvpn-2.0.7/route.c 2006-04-05 08:13:55.000000000 +0200
@@ -832,6 +832,8 @@
network,
netmask);
#endif /*CONFIG_FEATURE_IPROUTE*/
+ if (r->metric_defined)
+ buf_printf (&buf, " metric %d", r->metric);
msg (D_ROUTE, "%s", BSTR (&buf));
system_check (BSTR (&buf), es, 0, "ERROR: Linux route delete command failed");
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/openvpn-2.0.5/sample-config-files/server.conf new/openvpn-2.0.7/sample-config-files/server.conf
--- old/openvpn-2.0.5/sample-config-files/server.conf 2005-11-01 12:06:10.000000000 +0100
+++ new/openvpn-2.0.7/sample-config-files/server.conf 2006-01-06 22:49:27.000000000 +0100
@@ -37,7 +37,9 @@
# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
-# Use "dev tap" if you are ethernet bridging.
+# Use "dev tap0" if you are ethernet bridging
+# and have precreated a tap0 virtual interface
+# and bridged it with your ethernet interface.
# If you want to control access policies
# over the VPN, you must create firewall
# rules for the the TUN/TAP interface.
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/openvpn-2.0.5/service-win32/mkpatch new/openvpn-2.0.7/service-win32/mkpatch
--- old/openvpn-2.0.5/service-win32/mkpatch 2005-11-01 12:06:09.000000000 +0100
+++ new/openvpn-2.0.7/service-win32/mkpatch 2006-01-30 18:30:53.000000000 +0100
@@ -1,4 +1,4 @@
# build service.[ch] patch against original
# SDK sample
-diff -u service.c.orig service.c >service.patch
-diff -u service.h.orig service.h >>service.patch
+diff -ub service.c.orig service.c >service.patch
+diff -ub service.h.orig service.h >>service.patch
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/openvpn-2.0.5/service-win32/service.patch new/openvpn-2.0.7/service-win32/service.patch
--- old/openvpn-2.0.5/service-win32/service.patch 2005-11-01 12:06:09.000000000 +0100
+++ new/openvpn-2.0.7/service-win32/service.patch 2006-02-03 10:05:29.000000000 +0100
@@ -1,5 +1,5 @@
---- service.c.orig Sat Jan 15 17:39:20 2005
-+++ service.c Sun Feb 20 11:28:30 2005
+--- service.c.orig Mon Jan 30 10:24:07 2006
++++ service.c Mon Jan 30 10:26:22 2006
@@ -16,6 +16,7 @@
service_main(DWORD dwArgc, LPTSTR *lpszArgv);
CmdInstallService();
@@ -29,7 +29,7 @@
{
SERVICE_TABLE_ENTRY dispatchTable[] =
{
-@@ -77,12 +79,16 @@
+@@ -77,11 +79,15 @@
{
if ( _stricmp( "install", argv[1]+1 ) == 0 )
{
@@ -40,14 +40,13 @@
{
- CmdRemoveService();
+ return CmdRemoveService();
- }
++ }
+ else if ( _stricmp( "start", argv[1]+1 ) == 0)
+ {
+ return CmdStartService();
-+ }
+ }
else if ( _stricmp( "debug", argv[1]+1 ) == 0 )
{
- bDebug = TRUE;
@@ -92,7 +98,7 @@
{
goto dispatch;
@@ -98,9 +97,8 @@
if ( !bDebug )
{
-- dwErr = GetLastError();
+ if (flags & MSG_FLAGS_SYS_CODE)
-+ dwErr = GetLastError();
+ dwErr = GetLastError();
+ else
+ dwErr = 0;
@@ -163,40 +161,16 @@
}
schSCManager = OpenSCManager(
-@@ -366,19 +384,19 @@
- if ( schSCManager )
- {
- schService = CreateService(
-- schSCManager, // SCManager database
-- TEXT(SZSERVICENAME), // name of service
-- TEXT(SZSERVICEDISPLAYNAME), // name to display
-- SERVICE_QUERY_STATUS, // desired access
-- SERVICE_WIN32_OWN_PROCESS, // service type
+@@ -371,7 +389,7 @@
+ TEXT(SZSERVICEDISPLAYNAME), // name to display
+ SERVICE_QUERY_STATUS, // desired access
+ SERVICE_WIN32_OWN_PROCESS, // service type
- SERVICE_DEMAND_START, // start type
-- SERVICE_ERROR_NORMAL, // error control type
-- szPath, // service's binary
-- NULL, // no load ordering group
-- NULL, // no tag identifier
-- TEXT(SZDEPENDENCIES), // dependencies
-- NULL, // LocalSystem account
-- NULL); // no password
-+ schSCManager, // SCManager database
-+ TEXT(SZSERVICENAME), // name of service
-+ TEXT(SZSERVICEDISPLAYNAME), // name to display
-+ SERVICE_QUERY_STATUS, // desired access
-+ SERVICE_WIN32_OWN_PROCESS, // service type
+ SERVICE_DEMAND_START, // start type -- alternative: SERVICE_AUTO_START
-+ SERVICE_ERROR_NORMAL, // error control type
-+ szPath, // service's binary
-+ NULL, // no load ordering group
-+ NULL, // no tag identifier
-+ TEXT(SZDEPENDENCIES), // dependencies
-+ NULL, // LocalSystem account
-+ NULL); // no password
-
- if ( schService )
- {
-@@ -388,15 +406,78 @@
+ SERVICE_ERROR_NORMAL, // error control type
+ szPath, // service's binary
+ NULL, // no load ordering group
+@@ -388,16 +406,79 @@
else
{
_tprintf(TEXT("CreateService failed - %s\n"), GetLastErrorText(szErr, 256));
@@ -206,9 +180,8 @@
CloseServiceHandle(schSCManager);
}
else
-- _tprintf(TEXT("OpenSCManager failed - %s\n"), GetLastErrorText(szErr,256));
+ {
-+ _tprintf(TEXT("OpenSCManager failed - %s\n"), GetLastErrorText(szErr,256));
+ _tprintf(TEXT("OpenSCManager failed - %s\n"), GetLastErrorText(szErr,256));
+ ret = 1;
+ }
+ return ret;
@@ -233,7 +206,7 @@
+
+ SC_HANDLE schSCManager;
+ SC_HANDLE schService;
-+
+
+ // Open a handle to the SC Manager database.
+ schSCManager = OpenSCManager(
@@ -248,7 +221,7 @@
+
+ schService = OpenService(
+ schSCManager, // SCM database
-+ "MeetrixService", // service name
++ SZSERVICENAME, // service name
+ SERVICE_ALL_ACCESS);
+
+ if (schService == NULL) {
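Review bot: The `OpenService (schSCManager, SZSERVICENAME, SERVICE_ALL_ACCESS)` call beside the corrected service name requests every right on the service, while a start command only needs to start it, so the call fails for any operator who was delegated just SERVICE_START and succeeds only for accounts that could also reconfigure or delete the service. Request what the code actually uses, e.g. `SERVICE_START | SERVICE_QUERY_STATUS`, in line with the install path in the earlier hunk, which asks for only `SERVICE_QUERY_STATUS`. The body of CmdStartService lies largely outside this hunk, so check whether it also queries status before narrowing the mask. The rename itself from the literal `"MeetrixService"` to `SZSERVICENAME` is correct; the old literal looks like a leftover from a different project and would have made `-start` fail silently on the wrong service name.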
@@ -273,9 +246,10 @@
+ CloseServiceHandle(schSCManager);
+ return ret;
+}
-
++
//
// FUNCTION: CmdRemoveService()
+ //
@@ -407,15 +488,17 @@
// none
//
@@ -300,9 +274,8 @@
if ( ssStatus.dwCurrentState == SERVICE_STOPPED )
_tprintf(TEXT("\n%s stopped.\n"), TEXT(SZSERVICEDISPLAYNAME) );
else
-- _tprintf(TEXT("\n%s failed to stop.\n"), TEXT(SZSERVICEDISPLAYNAME) );
+ {
-+ _tprintf(TEXT("\n%s failed to stop.\n"), TEXT(SZSERVICEDISPLAYNAME) );
+ _tprintf(TEXT("\n%s failed to stop.\n"), TEXT(SZSERVICEDISPLAYNAME) );
+ ret = 1;
+ }
@@ -312,9 +285,8 @@
if ( DeleteService(schService) )
_tprintf(TEXT("%s removed.\n"), TEXT(SZSERVICEDISPLAYNAME) );
else
-- _tprintf(TEXT("DeleteService failed - %s\n"), GetLastErrorText(szErr,256));
+ {
-+ _tprintf(TEXT("DeleteService failed - %s\n"), GetLastErrorText(szErr,256));
+ _tprintf(TEXT("DeleteService failed - %s\n"), GetLastErrorText(szErr,256));
+ ret = 1;
+ }
@@ -322,18 +294,16 @@
CloseServiceHandle(schService);
}
else
-- _tprintf(TEXT("OpenService failed - %s\n"), GetLastErrorText(szErr,256));
+ {
-+ _tprintf(TEXT("OpenService failed - %s\n"), GetLastErrorText(szErr,256));
+ _tprintf(TEXT("OpenService failed - %s\n"), GetLastErrorText(szErr,256));
+ ret = 1;
+ }
CloseServiceHandle(schSCManager);
}
else
-- _tprintf(TEXT("OpenSCManager failed - %s\n"), GetLastErrorText(szErr,256));
+ {
-+ _tprintf(TEXT("OpenSCManager failed - %s\n"), GetLastErrorText(szErr,256));
+ _tprintf(TEXT("OpenSCManager failed - %s\n"), GetLastErrorText(szErr,256));
+ ret = 1;
+ }
+ return ret;
@@ -349,8 +319,8 @@
}
if ( lpszTemp )
---- service.h.orig Sat Jan 15 17:39:20 2005
-+++ service.h Mon Feb 7 17:24:04 2005
+--- service.h.orig Mon Jan 30 10:24:07 2006
++++ service.h Mon Jan 30 10:24:07 2006
@@ -62,13 +62,13 @@
//// todo: change to desired strings
////
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/openvpn-2.0.5/socket.c new/openvpn-2.0.7/socket.c
--- old/openvpn-2.0.5/socket.c 2005-11-01 20:28:32.000000000 +0100
+++ new/openvpn-2.0.7/socket.c 2005-11-04 20:28:42.000000000 +0100
@@ -525,6 +525,15 @@
new_sd = accept (sd, (struct sockaddr *) remote, &remote_len);
}
+#if 0 /* For debugging only, test the effect of accept() failures */
+ {
+ static int foo = 0;
+ ++foo;
+ if (foo & 1)
+ new_sd = -1;
+ }
+#endif
+
if (!socket_defined (new_sd))
{
msg (D_LINK_ERRORS | M_ERRNO_SOCK, "TCP: accept(%d) failed", sd);
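Review bot: The `#if 0` block is fault-injection code committed to the production accept() path: it never compiles, so it only bit-rots, and flipping it to `#if 1` in a build would drop every other incoming TCP connection, which the adjacent comment understates as "for debugging only". Either drop it before merging or attach it to the existing debug configuration (`#ifdef ENABLE_DEBUG`, gated by a real run-time option) and give the counter a descriptive name such as `accept_fault_counter` instead of `foo`. The enclosing function begins before this hunk.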
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/openvpn-2.0.5/ssl.c new/openvpn-2.0.7/ssl.c
--- old/openvpn-2.0.5/ssl.c 2005-11-01 12:06:10.000000000 +0100
+++ new/openvpn-2.0.7/ssl.c 2005-12-13 18:10:01.000000000 +0100
@@ -3501,7 +3501,7 @@
if (multi->opt.single_session && multi->n_sessions)
{
msg (D_TLS_ERRORS,
- "TLS Error: Cannot accept new session request from %s due to --single-session [1]",
+ "TLS Error: Cannot accept new session request from %s due to session context expire or --single-session [1]",
print_sockaddr (from, &gc));
goto error;
}
@@ -3543,7 +3543,7 @@
if (multi->opt.single_session)
{
msg (D_TLS_ERRORS,
- "TLS Error: Cannot accept new session request from %s due to --single-session [2]",
+ "TLS Error: Cannot accept new session request from %s due to session context expire or --single-session [2]",
print_sockaddr (from, &gc));
goto error;
}
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/openvpn-2.0.5/ssl.h new/openvpn-2.0.7/ssl.h
--- old/openvpn-2.0.5/ssl.h 2005-11-01 12:06:11.000000000 +0100
+++ new/openvpn-2.0.7/ssl.h 2005-12-13 18:10:00.000000000 +0100
@@ -655,6 +655,13 @@
return 0;
}
+static inline void
+tls_set_single_session (struct tls_multi *multi)
+{
+ if (multi)
+ multi->opt.single_session = true;
+}
+
/*
* protocol_dump() flags
*/
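Review bot: `tls_set_single_session` is added with no comment, so its effect has to be pieced together from the ssl.c hunks in this same diff, which show that once `multi->opt.single_session` is true every further session request is refused with the "session context expire or --single-session" TLS error. Add a header comment above the function such as `/* Refuse any further TLS session negotiation on this tls_multi, as --single-session does; the message text in ssl.c suggests it is used when the session context expires. A NULL multi is a no-op. */`, firming up the "expire" part once the caller is confirmed.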
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/openvpn-2.0.5/syshead.h new/openvpn-2.0.7/syshead.h
--- old/openvpn-2.0.5/syshead.h 2005-11-01 12:06:11.000000000 +0100
+++ new/openvpn-2.0.7/syshead.h 2006-04-12 11:08:10.000000000 +0200
@@ -366,6 +366,11 @@
}
/*
+ * Should statistics counters be 64 bits?
+ */
+#define USE_64_BIT_COUNTERS
+
+/*
* Do we have point-to-multipoint capability?
*/
@@ -416,7 +421,7 @@
/*
* Should we include NTLM proxy functionality
*/
-#if defined(USE_CRYPTO) && defined (ENABLE_HTTP_PROXY)
+#if defined(USE_CRYPTO) && defined(ENABLE_HTTP_PROXY)
#define NTLM 1
#else
#define NTLM 0
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/openvpn-2.0.5/t_cltsrv.sh new/openvpn-2.0.7/t_cltsrv.sh
--- old/openvpn-2.0.5/t_cltsrv.sh 2005-11-01 12:06:11.000000000 +0100
+++ new/openvpn-2.0.7/t_cltsrv.sh 2006-04-05 08:22:08.000000000 +0200
@@ -1,7 +1,7 @@
#! /bin/sh
#
# t_cltsrv.sh - script to test OpenVPN's crypto loopback
-# Copyright (C) 2005 Matthias Andree
+# Copyright (C) 2005,2006 Matthias Andree
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
@@ -19,20 +19,41 @@
# 02110-1301, USA.
set -e
-echo "the following test will run about two minutes..." >&2
-trap "rm -f log.$$ ; false" 1 2 3 15
+trap "rm -f log.$$ log.$$.signal ; trap 0 ; exit 77" 1 2 15
+trap "rm -f log.$$ log.$$.signal ; exit 1" 0 3
+addopts=
+case `uname -s` in
+ FreeBSD)
+ # FreeBSD jails map the outgoing IP to the jail IP - we need to
+ # allow the real IP unless we want the test to run forever.
+ if test "`sysctl 2>/dev/null -n security.jail.jailed`" = 1 \
+ || ps -ostate= -p $$ | grep -q J; then
+ addopts="--float"
+ if test "x`ifconfig | grep inet`" = x ; then
+ echo "###"
+ echo "### To run the test in a FreeBSD jail, you MUST add an IP alias for the jail's IP."
+ echo "###"
+ exit 1
+ fi
+ fi
+ ;;
+esac
+echo "the following test will take about two minutes..." >&2
set +e
(
-./openvpn --cd "${srcdir}" --config sample-config-files/loopback-server &
-./openvpn --cd "${srcdir}" --config sample-config-files/loopback-client
-) >log.$$ 2>&1
+./openvpn --cd "${srcdir}" ${addopts} --down 'echo "srv:${signal}" >&3 ; : #' --tls-exit --ping-exit 180 --config sample-config-files/loopback-server &
+./openvpn --cd "${srcdir}" ${addopts} --down 'echo "clt:${signal}" >&3 ; : #' --tls-exit --ping-exit 180 --config sample-config-files/loopback-client
+) 3>log.$$.signal >log.$$ 2>&1
e1=$?
wait $!
e2=$?
+grep -v ":inactive$" log.$$.signal >/dev/null && { cat log.$$.signal ; echo ; cat log.$$ ; exit 1 ; }
+
set -e
if [ $e1 != 0 ] || [ $e2 != 0 ] ; then
cat log.$$
exit 1
fi
-rm log.$$
+rm log.$$ log.$$.signal
+trap 0
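Review bot: The new check `grep -v ":inactive$" log.$$.signal >/dev/null && { ... exit 1 ; }` passes when the signal file is empty, i.e. when neither `--down` script ran because an openvpn process never got its interface up, so that failure mode is left to the exit codes alone; and `wait $!` in the parent shell most likely expands to a bare `wait`, since the background server was started inside the subshell, which would make e2 always 0 regardless of how the server ended (worth confirming against your /bin/sh). Require both records before trusting the file: `grep -q '^srv:' log.$$.signal && grep -q '^clt:' log.$$.signal || { cat log.$$ ; exit 1 ; }` in addition to the existing inactive check. The single-quoted `--down` commands are right as written, since `${signal}` must be expanded by the child shell from the environment OpenVPN hands to the script, not by this script.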
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/openvpn-2.0.5/t_lpback.sh new/openvpn-2.0.7/t_lpback.sh
--- old/openvpn-2.0.5/t_lpback.sh 2005-11-01 12:06:11.000000000 +0100
+++ new/openvpn-2.0.7/t_lpback.sh 2005-11-04 20:32:50.000000000 +0100
@@ -19,11 +19,13 @@
# 02110-1301, USA.
set -e
-trap "rm -f key.$$ log.$$ ; false" 1 2 3 15
+trap "rm -f key.$$ log.$$ ; trap 0 ; exit 77" 1 2 15
+trap "rm -f key.$$ log.$$ ; exit 1" 0 3
./openvpn --genkey --secret key.$$
set +e
( ./openvpn --test-crypto --secret key.$$ ) >log.$$ 2>&1
e=$?
if [ $e != 0 ] ; then cat log.$$ ; fi
-rm key.$$
+rm key.$$ log.$$
+trap 0
exit $e
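Review bot: The two new traps exit with different codes, `exit 77` on HUP/INT/TERM and `exit 1` on EXIT/QUIT, with no explanation of why an interrupted run should not count as a failure. 77 is the status that automake's test driver reports as "skipped", which is presumably the intent for a run the user broke off, but whether the harness honours it depends on how the Makefile invokes the script. Add a line above the traps such as `# 77 = automake SKIP: an interrupted run is neither a pass nor a failure`.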
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/openvpn-2.0.5/tun.c new/openvpn-2.0.7/tun.c
--- old/openvpn-2.0.5/tun.c 2005-11-01 12:06:10.000000000 +0100
+++ new/openvpn-2.0.7/tun.c 2006-04-05 08:29:24.000000000 +0200
@@ -690,7 +690,19 @@
tun_mtu
);
else
- no_tap_ifconfig ();
+ /*
+ * NetBSD has distinct tun and tap devices
+ * so we don't need the "link0" extra parameter to specify we want to do
+ * tunneling at the ethernet level
+ */
+ openvpn_snprintf (command_line, sizeof (command_line),
+ IFCONFIG_PATH " %s %s netmask %s mtu %d broadcast %s",
+ actual,
+ ifconfig_local,
+ ifconfig_remote_netmask,
+ tun_mtu,
+ ifconfig_broadcast
+ );
msg (M_INFO, "%s", command_line);
system_check (command_line, es, S_FATAL, "NetBSD ifconfig failed");
tt->did_ifconfig = true;
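Review bot: The `else` branch now consists of a block comment followed by a seven-line call, all without braces, which is the shape that lets a later change add a statement that silently lands outside the `else`; brace it as `else { ... }`. `ifconfig_broadcast` is not set anywhere in this hunk and the previous path (`no_tap_ifconfig ()`) never needed it, so confirm it is computed for the NetBSD tap case earlier in the function, which starts before the hunk. Since `command_line` is handed to a shell by `system_check`, the interpolated `actual`, `ifconfig_local` and `ifconfig_remote_netmask` strings must be rendered from already-parsed addresses rather than copied from option text, as the other ifconfig branches appear to do; a one-line comment saying so would save the next reviewer the same check.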