Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package openfortivpn for openSUSE:Factory checked in at 2023-12-28 23:03:04
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/openfortivpn (Old)
and /work/SRC/openSUSE:Factory/.openfortivpn.new.28375 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openfortivpn"
Thu Dec 28 23:03:04 2023 rev:26 rq:1135396 version:1.21.0
Changes:
--------
--- /work/SRC/openSUSE:Factory/openfortivpn/openfortivpn.changes 2023-09-15 22:09:46.538360948 +0200
+++ /work/SRC/openSUSE:Factory/.openfortivpn.new.28375/openfortivpn.changes 2023-12-28 23:04:49.469812844 +0100
@@ -1,0 +2,8 @@
+Thu Dec 14 20:53:26 UTC 2023 - Martin Hauke
+
+- Update to version 1.21.0
+ * fix "Peer refused to agree to his IP address" message, again.
+ * deprecate option --plugin.
+ * better masking of password in logs.
+
+-------------------------------------------------------------------
Old:
----
openfortivpn-1.20.5.tar.gz
New:
----
openfortivpn-1.21.0.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ openfortivpn.spec ++++++
--- /var/tmp/diff_new_pack.M97N7H/_old 2023-12-28 23:04:49.877827755 +0100
+++ /var/tmp/diff_new_pack.M97N7H/_new 2023-12-28 23:04:49.881827901 +0100
@@ -17,7 +17,7 @@
Name: openfortivpn
-Version: 1.20.5
+Version: 1.21.0
Release: 0
Summary: Client for PPP+SSL VPN tunnel services
License: GPL-3.0-or-later
++++++ openfortivpn-1.20.5.tar.gz -> openfortivpn-1.21.0.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openfortivpn-1.20.5/.github/workflows/codeql-analysis.yml new/openfortivpn-1.21.0/.github/workflows/codeql-analysis.yml
--- old/openfortivpn-1.20.5/.github/workflows/codeql-analysis.yml 2023-06-23 08:20:36.000000000 +0200
+++ new/openfortivpn-1.21.0/.github/workflows/codeql-analysis.yml 2023-11-08 07:42:39.000000000 +0100
@@ -33,7 +33,7 @@
steps:
- name: Checkout repository
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openfortivpn-1.20.5/.github/workflows/codespell.yml new/openfortivpn-1.21.0/.github/workflows/codespell.yml
--- old/openfortivpn-1.20.5/.github/workflows/codespell.yml 2023-06-23 08:20:36.000000000 +0200
+++ new/openfortivpn-1.21.0/.github/workflows/codespell.yml 2023-11-08 07:42:39.000000000 +0100
@@ -14,7 +14,7 @@
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@v4
- uses: codespell-project/actions-codespell@master
with:
skip: .git,checkpatch.pl,spelling.txt,LICENSE.OpenSSL
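Review bot: The context line `uses: codespell-project/actions-codespell@master` in this hunk still tracks a branch, and the bumped `actions/checkout@v4` is a movable tag. Either reference can start resolving to different code without any change in this repository. Consider pinning both to a full commit SHA, with the version noted in a trailing comment, so that a workflow update is always a reviewed diff.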
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openfortivpn-1.20.5/.github/workflows/coverity-scan.yml new/openfortivpn-1.21.0/.github/workflows/coverity-scan.yml
--- old/openfortivpn-1.20.5/.github/workflows/coverity-scan.yml 2023-06-23 08:20:36.000000000 +0200
+++ new/openfortivpn-1.21.0/.github/workflows/coverity-scan.yml 2023-11-08 07:42:39.000000000 +0100
@@ -12,7 +12,7 @@
steps:
- name: Checkout Code
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
- name: Download the Coverity Scan Build Tool
run: |
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openfortivpn-1.20.5/.github/workflows/openfortivpn.yml new/openfortivpn-1.21.0/.github/workflows/openfortivpn.yml
--- old/openfortivpn-1.20.5/.github/workflows/openfortivpn.yml 2023-06-23 08:20:36.000000000 +0200
+++ new/openfortivpn-1.21.0/.github/workflows/openfortivpn.yml 2023-11-08 07:42:39.000000000 +0100
@@ -18,7 +18,7 @@
steps:
- name: Checkout Code
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
- name: Install Dependencies
run: sudo apt-get install -y astyle
@@ -41,7 +41,7 @@
steps:
- name: Checkout Code
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
- name: Install Dependencies
run: |
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openfortivpn-1.20.5/CHANGELOG.md new/openfortivpn-1.21.0/CHANGELOG.md
--- old/openfortivpn-1.20.5/CHANGELOG.md 2023-06-23 08:20:36.000000000 +0200
+++ new/openfortivpn-1.21.0/CHANGELOG.md 2023-11-08 07:42:39.000000000 +0100
@@ -14,6 +14,13 @@
This high level changelog is usually updated when a release is tagged.
On the master branch there may be changes that are not (yet) described here.
+### 1.21.0
+
+* [~] fix "Peer refused to agree to his IP address" message, again
+* [~] deprecate option --plugin
+* [-] better masking of password in logs
+* [-] break on reading 0 from ppp pty, for non-Linux systems
+
### 1.20.5
* [-] revert previous fix from 1.20.4, make it optional
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openfortivpn-1.20.5/README.md new/openfortivpn-1.21.0/README.md
--- old/openfortivpn-1.20.5/README.md 2023-06-23 08:20:36.000000000 +0200
+++ new/openfortivpn-1.21.0/README.md 2023-11-08 07:42:39.000000000 +0100
@@ -101,7 +101,7 @@
* [openSUSE / SLE](https://software.opensuse.org/package/openfortivpn)
* [Gentoo](https://packages.gentoo.org/packages/net-vpn/openfortivpn)
* [NixOS](https://github.com/NixOS/nixpkgs/tree/master/pkgs/tools/networking/openforti...)
-* [Arch Linux](https://www.archlinux.org/packages/community/x86_64/openfortivpn)
+* [Arch Linux](https://archlinux.org/packages/extra/x86_64/openfortivpn)
* [Debian](https://packages.debian.org/stable/openfortivpn)
* [Ubuntu](https://packages.ubuntu.com/search?keywords=openfortivpn)
* [Solus](https://dev.getsol.us/source/openfortivpn/)
@@ -168,6 +168,16 @@
make
sudo make install
```
+
+ If targeting platforms with pppd < 2.5.0 such as current version of macOS,
+ we suggest you configure with option --enable-legacy-pppd:
+
+ ```shell
+ ./autogen.sh
+ ./configure --prefix=/usr/local --sysconfdir=/etc --enable-legacy-pppd
+ make
+ sudo make install
+ ```
If you need to specify the openssl location you can set the `$PKG_CONFIG_PATH`
environment variable. For fine-tuning check the available configure arguments
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openfortivpn-1.20.5/configure.ac new/openfortivpn-1.21.0/configure.ac
--- old/openfortivpn-1.20.5/configure.ac 2023-06-23 08:20:36.000000000 +0200
+++ new/openfortivpn-1.21.0/configure.ac 2023-11-08 07:42:39.000000000 +0100
@@ -2,7 +2,7 @@
# Process this file with autoconf to produce a configure script.
AC_PREREQ([2.63])
-AC_INIT([openfortivpn], [1.20.5])
+AC_INIT([openfortivpn], [1.21.0])
AC_CONFIG_SRCDIR([src/main.c])
AM_INIT_AUTOMAKE([foreign subdir-objects])
@@ -215,7 +215,7 @@
# prepare possibility to override default locations
AC_ARG_WITH([netstat],
AS_HELP_STRING([--with-netstat],
- [set the path to the netstat executable on MacOSX or FreeBSD]),
+ [set the path to the netstat executable on MacOS or FreeBSD]),
NETSTAT_PATH="$withval"
)
# this is for the pppd daemon executable
@@ -228,7 +228,11 @@
with_ppp="no"
])
)
-# and this is for the ppp user space client on FreeBSD
+# support pppd < 2.5.0 by default instead of pppd >= 2.5.0
+AC_ARG_ENABLE([legacy_pppd],
+ AS_HELP_STRING([--enable-legacy-pppd],
+ [support pppd < 2.5.0 by default instead of pppd >= 2.5.0]))
+# this is for the ppp user space client on FreeBSD
AC_ARG_WITH([ppp],
AS_HELP_STRING([--with-ppp],
[set the path to the ppp userspace client on FreeBSD]),
@@ -324,6 +328,13 @@
AC_DEFINE(HAVE_USR_SBIN_PPPD, 0)
AC_MSG_NOTICE([HAVE_USR_SBIN_PPPD... 0])
])
+AS_IF([test "x$enable_legacy_pppd" = "xyes"], [
+ AC_DEFINE(LEGACY_PPPD, 1)
+ AC_MSG_NOTICE([LEGACY_PPPD... 1])
+],[
+ AC_DEFINE(LEGACY_PPPD, 0)
+ AC_MSG_NOTICE([LEGACY_PPPD... 0])
+])
AS_IF([test "x$enable_proc" = "xyes"], [
AC_DEFINE(HAVE_PROC_NET_ROUTE, 1)
AC_MSG_NOTICE([HAVE_PROC_NET_ROUTE... 1])
@@ -346,10 +357,9 @@
# allow override at configure time
AC_ARG_WITH([resolvconf],
AS_HELP_STRING([--with-resolvconf],
- [Set the path to the resolvconf executable. \
- Set this to "DISABLED" to fully disable resolvconf support. \
- In that case it will not be compiled in and therefore be \
- unavailable at runtime.]),
+ [set the path to the resolvconf executable, \
+ with special value "DISABLED" fully disabling \
+ resolvconf support at build-time]),
RESOLVCONF_PATH="$withval"
)
@@ -368,10 +378,10 @@
# the default for the --use-resolvconf runtime command line option
AC_ARG_ENABLE([resolvconf],
AS_HELP_STRING([--enable-resolvconf],
- [Enable usage of resolvconf at runtime by default. \
- Use --disable-resolvconf for the opposite, note that \
- resolvconf support will still be compilled in, but \
- disabled if not explicitly enabled at runtime.]))
+ [enable usage of resolvconf at runtime by default \
+ (please note that resolvconf support will still \
+ be compiled in with --disable-resolvconf but \
+ disabled unless explicitly enabled at runtime)]))
# Determine how resolvconf works at build-time if it is installed:
# * openresolv supports option -l that lists active configurations and returns 0
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openfortivpn-1.20.5/doc/openfortivpn.1.in new/openfortivpn-1.21.0/doc/openfortivpn.1.in
--- old/openfortivpn-1.20.5/doc/openfortivpn.1.in 2023-06-23 08:20:36.000000000 +0200
+++ new/openfortivpn-1.21.0/doc/openfortivpn.1.in 2023-11-08 07:42:39.000000000 +0100
@@ -17,11 +17,11 @@
[\fB\-\-no\-ftm\-push\fR]
[\fB\-\-realm=\fI<realm>\fR]
[\fB\-\-ifname=\fI<interface>\fR]
-[\fB\-\-set\-routes=<bool>\fR]
+[\fB\-\-set\-routes=\fI<bool>\fR]
[\fB\-\-no\-routes\fR]
-[\fB\-\-set\-dns=<bool>\fR]
+[\fB\-\-set\-dns=\fI<bool>\fR]
[\fB\-\-no\-dns\fR]
-[\fB\-\-half\-internet\-routes=<bool>\fR]
+[\fB\-\-half\-internet\-routes=\fI<bool>\fR]
[\fB\-\-ca\-file=\fI<file>\fR]
[\fB\-\-user\-cert=\fI<file>\fR]
[\fB\-\-user-cert=\fIpkcs11:\fR]
@@ -32,13 +32,14 @@
[\fB\-\-cipher\-list=\fI<ciphers>\fR]
[\fB\-\-min\-tls=\fI<version>\fR]
[\fB\-\-seclevel\-1\fR]
-[\fB\-\-pppd\-use\-peerdns=<bool>\fR]
+[\fB\-\-pppd\-use\-peerdns=\fI<bool>\fR]
[\fB\-\-pppd\-no\-peerdns\fR]
[\fB\-\-pppd\-log=\fI<file>\fR]
[\fB\-\-pppd\-plugin=\fI<file>\fR]
[\fB\-\-pppd\-ipparam=\fI<string>\fR]
[\fB\-\-pppd\-ifname=\fI<string>\fR]
[\fB\-\-pppd\-call=\fI<name>\fR]
+[\fB\-\-pppd\-accept\-remote=\fI<bool>\fR]
[\fB\-\-ppp\-system=\fI<string>\fR]
[\fB\-\-use\-resolvconf=\fI<bool>\fR]
[\fB\-\-persistent=\fI<interval>\fR]
@@ -227,6 +228,10 @@
group `dip' can invoke `pppd call <name>' to make pppd read and apply
options from /etc/ppp/peers/<name> (including privileged ones).
.TP
+\fB\-\-pppd\-accept\-remote=\fI<bool>\fR
+Whether to invoke pppd with `ipcp-accept-remote'. Enabling this option breaks
+pppd < 2.5.0 but is required by newer pppd versions.
+.TP
\fB\-\-ppp\-system=\fI<string>\fR
Only available if compiled for ppp user space client (e.g. on FreeBSD).
Connect to the specified system as defined in /etc/ppp/ppp.conf
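Review bot: The new `--pppd-accept-remote` entry does not state the default. The main.c change in this same update sets `.pppd_accept_remote` to 1 unless the build defines `LEGACY_PPPD`, so the default differs between builds. The entry should say so, and should name `--pppd-accept-remote=0` as the run-time setting for pppd < 2.5.0.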
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openfortivpn-1.20.5/etc/ppp/ip-down.local.example new/openfortivpn-1.21.0/etc/ppp/ip-down.local.example
--- old/openfortivpn-1.20.5/etc/ppp/ip-down.local.example 2023-06-23 08:20:36.000000000 +0200
+++ new/openfortivpn-1.21.0/etc/ppp/ip-down.local.example 2023-11-08 07:42:39.000000000 +0100
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
case "$PPP_IPPARAM" in
openfortivpn*)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openfortivpn-1.20.5/etc/ppp/ip-up.local.example new/openfortivpn-1.21.0/etc/ppp/ip-up.local.example
--- old/openfortivpn-1.20.5/etc/ppp/ip-up.local.example 2023-06-23 08:20:36.000000000 +0200
+++ new/openfortivpn-1.21.0/etc/ppp/ip-up.local.example 2023-11-08 07:42:39.000000000 +0100
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
case "$PPP_IPPARAM" in
openfortivpn*)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openfortivpn-1.20.5/src/config.c new/openfortivpn-1.21.0/src/config.c
--- old/openfortivpn-1.20.5/src/config.c 2023-06-23 08:20:36.000000000 +0200
+++ new/openfortivpn-1.21.0/src/config.c 2023-11-08 07:42:39.000000000 +0100
@@ -350,6 +350,15 @@
} else if (strcmp(key, "pppd-call") == 0) {
free(cfg->pppd_call);
cfg->pppd_call = strdup(val);
+ } else if (strcmp(key, "pppd-accept-remote") == 0) {
+ int pppd_accept_remote = strtob(val);
+
+ if (pppd_accept_remote < 0) {
+ log_warn("Bad pppd-accept-remote in configuration file: \"%s\".\n",
+ val);
+ continue;
+ }
+ cfg->pppd_accept_remote = pppd_accept_remote;
#else
} else if (strcmp(key, "pppd") == 0) {
log_warn("Ignoring pppd option \"%s\" in the config file.\n",
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openfortivpn-1.20.5/src/http.c new/openfortivpn-1.21.0/src/http.c
--- old/openfortivpn-1.20.5/src/http.c 2023-06-23 08:20:36.000000000 +0200
+++ new/openfortivpn-1.21.0/src/http.c 2023-11-08 07:42:39.000000000 +0100
@@ -90,13 +90,12 @@
char password[3 * PASSWORD_SIZE + 1];
url_encode(password, tunnel->config->password);
- pwstart = strstr(logbuffer, password);
- if (pwstart != NULL) {
+ while ((pwstart = strstr(logbuffer, password))) {
int pos, pwlen, i;
pos = pwstart - logbuffer;
- pwlen = strlen(tunnel->config->password);
+ pwlen = strlen(password);
for (i = pos; i < pos + pwlen; i++)
logbuffer[i] = '*';
}
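Review bot: The new `while ((pwstart = strstr(logbuffer, password)))` loop terminates only if every pass changes the bytes it matched. `strstr()` with an empty needle returns the haystack and `pwlen` is then 0, so an empty `password` would spin forever unless code above this hunk already excludes it. The same applies if the encoded password can consist only of `*` characters. Suggest guarding on `password[0] != '\0'` and continuing the search from `pwstart + pwlen` instead of from the start of `logbuffer`.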
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openfortivpn-1.20.5/src/io.c new/openfortivpn-1.21.0/src/io.c
--- old/openfortivpn-1.20.5/src/io.c 2023-06-23 08:20:36.000000000 +0200
+++ new/openfortivpn-1.21.0/src/io.c 2023-11-08 07:42:39.000000000 +0100
@@ -104,6 +104,7 @@
for (i = 0; i < CRYPTO_num_locks(); i++)
pthread_mutex_destroy(&lockarray[i]);
OPENSSL_free(lockarray);
+ lockarray = NULL;
}
#else
static void init_ssl_locks(void)
@@ -212,7 +213,7 @@
break;
} else if (n == 0) {
log_warn("read returned %ld\n", n);
- continue;
+ break;
} else if (first_time) {
// pppd did talk, now we can write to it if we want
SEM_POST(&sem_pppd_ready);
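Review bot: The `break` on `n == 0` is unconditional in this hunk, while the CHANGELOG entry describes it as "for non-Linux systems". Either the entry or a comment here should state that Linux takes the same path. The `log_warn("read returned %ld\n", n)` text also no longer matches the behaviour, since the read loop now ends at this point; a message that names end-of-file on the pppd pty would be easier to act on when reading logs.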
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openfortivpn-1.20.5/src/ipv4.c new/openfortivpn-1.21.0/src/ipv4.c
--- old/openfortivpn-1.20.5/src/ipv4.c 2023-06-23 08:20:36.000000000 +0200
+++ new/openfortivpn-1.21.0/src/ipv4.c 2023-11-08 07:42:39.000000000 +0100
@@ -116,7 +116,7 @@
static int ipv4_get_route(struct rtentry *route)
{
size_t buffer_size = IPV4_GET_ROUTE_BUFFER_CHUNK_SIZE;
- char *buffer = malloc(buffer_size);
+ char *buffer;
char *realloc_buffer;
int err = 0;
char *start, *line;
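Review bot: `char *buffer;` is now declared without an initializer, and the allocation moves down to the `calloc(1, buffer_size)` in the later hunk. If any statement between the declaration and that `calloc()` can reach `goto end`, and the `end:` label releases `buffer`, it would free an indeterminate pointer. Declaring `char *buffer = NULL;` keeps the cleanup path safe regardless of what is added in between.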
@@ -124,11 +124,6 @@
uint32_t rtdest, rtmask, rtgtw;
int rtfound = 0;
- if (!buffer) {
- err = ERR_IPV4_SEE_ERRNO;
- goto end;
- }
-
/*
* initialize the buffer with zeroes, aiming to address the
* coverity issue "TAINTED_SCALAR passed to a tainted sink"
@@ -148,7 +143,12 @@
* that there is a delimiting '\0' character by proper
* initialization. We ensure this also when growing the buffer.
*/
- memset(buffer, '\0', IPV4_GET_ROUTE_BUFFER_CHUNK_SIZE);
+ buffer = calloc(1, buffer_size);
+ if (!buffer) {
+ err = ERR_IPV4_SEE_ERRNO;
+ goto end;
+ }
+
log_debug("ip route show %s\n", ipv4_show_route(route));
// store what we are looking for
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openfortivpn-1.20.5/src/main.c new/openfortivpn-1.21.0/src/main.c
--- old/openfortivpn-1.20.5/src/main.c 2023-06-23 08:20:36.000000000 +0200
+++ new/openfortivpn-1.21.0/src/main.c 2023-11-08 07:42:39.000000000 +0100
@@ -37,8 +37,7 @@
" [--pppd-use-peerdns=<0|1>] [--pppd-log=<file>]\n" \
" [--pppd-ifname=<string>] [--pppd-ipparam=<string>]\n" \
" [--pppd-call=<name>] [--pppd-plugin=<file>]\n" \
-" [--pppd-accept-remote]\n"
-
+" [--pppd-accept-remote=<0|1>]\n"
#define PPPD_HELP \
" --pppd-use-peerdns=[01] Whether to ask peer ppp server for DNS server\n" \
" addresses and make pppd rewrite /etc/resolv.conf.\n" \
@@ -54,8 +53,8 @@
" --pppd-call=<name> Move most pppd options from pppd cmdline to\n" \
" /etc/ppp/peers/<name> and invoke pppd with\n" \
" 'call <name>'.\n" \
-" --pppd-accept-remote Invoke pppd with option 'ipcp-accept-remote'." \
-" It might help avoid errors with PPP 2.5.0.\n"
+" --pppd-accept-remote=[01] Whether to invoke pppd with 'ipcp-accept-remote'.\n" \
+" Disable for pppd < 2.5.0.\n"
#elif HAVE_USR_SBIN_PPP
#define PPPD_USAGE \
" [--ppp-system=<system>]\n"
@@ -246,7 +245,11 @@
.pppd_ipparam = NULL,
.pppd_ifname = NULL,
.pppd_call = NULL,
+#if LEGACY_PPPD
.pppd_accept_remote = 0,
+#else
+ .pppd_accept_remote = 1,
+#endif
#endif
#if HAVE_USR_SBIN_PPP
.ppp_system = NULL,
@@ -309,14 +312,14 @@
{"pppd-ipparam", required_argument, NULL, 0},
{"pppd-ifname", required_argument, NULL, 0},
{"pppd-call", required_argument, NULL, 0},
- {"pppd-accept-remote", no_argument, &cli_cfg.pppd_accept_remote, 1},
+ {"pppd-accept-remote", optional_argument, NULL, 0},
{"plugin", required_argument, NULL, 0}, // deprecated
#endif
#if HAVE_USR_SBIN_PPP
- {"ppp-system", required_argument, NULL, 0},
+ {"ppp-system", required_argument, NULL, 0},
#endif
#if HAVE_RESOLVCONF
- {"use-resolvconf", required_argument, NULL, 0},
+ {"use-resolvconf", required_argument, NULL, 0},
#endif
{NULL, 0, NULL, 0}
};
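Review bot: With `optional_argument`, getopt_long only accepts a value attached as `--pppd-accept-remote=0`. In `--pppd-accept-remote 0` the `0` stays a separate argument and the option is seen without a value, which the handler in the next hunk maps to 1, the opposite of what the user asked for. The usage string shows the `=` form, but the neighbouring `required_argument` options accept both spellings, so the help text or man page should say explicitly that the space-separated form is not supported here.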
@@ -390,10 +393,28 @@
cli_cfg.pppd_call = strdup(optarg);
break;
}
+ if (strcmp(long_options[option_index].name,
+ "pppd-accept-remote") == 0) {
+ if (optarg) {
+ int pppd_accept_remote = strtob(optarg);
+
+ if (pppd_accept_remote < 0) {
+ log_warn("Bad pppd-accept-remote option: \"%s\"\n",
+ optarg);
+ break;
+ }
+ cli_cfg.pppd_accept_remote = pppd_accept_remote;
+ } else {
+ cli_cfg.pppd_accept_remote = 1;
+ }
+ break;
+ }
// --plugin is deprecated, use --pppd-plugin
if (cli_cfg.pppd_plugin == NULL &&
strcmp(long_options[option_index].name,
"plugin") == 0) {
+ log_warn("Option --%s is deprecated, use --pppd-plugin\n",
+ long_options[option_index].name);
free(cli_cfg.pppd_plugin);
cli_cfg.pppd_plugin = strdup(optarg);
break;
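Review bot: The deprecation `log_warn` sits inside the `cli_cfg.pppd_plugin == NULL && strcmp(...) == 0` branch, so `--plugin` given when `pppd_plugin` is already set falls through without any warning. In the same branch `free(cli_cfg.pppd_plugin)` can only ever free NULL. Suggest matching on the option name first, warning unconditionally, and then deciding whether to overwrite the existing value.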
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openfortivpn-1.20.5/src/tunnel.c new/openfortivpn-1.21.0/src/tunnel.c
--- old/openfortivpn-1.20.5/src/tunnel.c 2023-06-23 08:20:36.000000000 +0200
+++ new/openfortivpn-1.21.0/src/tunnel.c 2023-11-08 07:42:39.000000000 +0100
@@ -270,11 +270,13 @@
* of our local IP address, even if the local IP address
* was specified in an option.
*
- * This option attempts to fix this:
+ * pppd < 2.5.0 requires this option to avoid this error:
* Peer refused to agree to our IP address
- *
- * Yet, this doesn't make sense: we do not specify
- * a local IP address, and we use noipdefault.
+ * This doesn't make sense to me. I feel it should be the
+ * default because:
+ * 1. we do not specify a local IP address,
+ * 2. we use option noipdefault to specifically ask the
+ * peer to supply the local IP address.
*/
"ipcp-accept-local",
"noaccomp",
@@ -293,6 +295,23 @@
return 1;
}
}
+ if (tunnel->config->pppd_accept_remote)
+ /*
+ * With this option, pppd will accept the peer's idea of its
+ * (remote) IP address, even if the remote IP address was
+ * specified in an option.
+ *
+ * pppd ≥ 2.5.0 requires this option to avoid this error:
+ * Peer refused to agree to his IP address
+ * This makes sense.
+ *
+ * Unfortunately, pppd < 2.5.0 does not like this option.
+ * Again, this doesn't make sense to me.
+ */
+ if (ofv_append_varr(&pppd_args, "ipcp-accept-remote")) {
+ free(pppd_args.data);
+ return 1;
+ }
if (tunnel->config->pppd_use_peerdns)
if (ofv_append_varr(&pppd_args, "usepeerdns")) {
free(pppd_args.data);
@@ -355,25 +374,6 @@
return 1;
}
}
- if (tunnel->config->pppd_accept_remote)
- /*
- * With this option, pppd will accept the peer's idea of
- * its (remote) IP address, even if the remote IP address
- * was specified in an option.
- *
- * This option attempts to fix this with PPP 2.5.0:
- * Peer refused to agree to his IP address
- *
- * Currently (always?) breaks on macOS with:
- * Could not get current default route
- * (Parsing /proc/net/route failed).
- * Protecting tunnel route has failed.
- * But this can be working except for some cases.
- */
- if (ofv_append_varr(&pppd_args, "ipcp-accept-remote")) {
- free(pppd_args.data);
- return 1;
- }
#endif
#if HAVE_USR_SBIN_PPP
if (tunnel->config->ppp_system) {
@@ -808,7 +808,7 @@
log_debug("server_addr: %s\n", inet_ntoa(server.sin_addr));
log_debug("server_port: %u\n", ntohs(server.sin_port));
server.sin_family = AF_INET;
- memset(&(server.sin_zero), '\0', 8);
+ memset(&(server.sin_zero), 0, sizeof(server.sin_zero));
log_debug("gateway_ip: %s\n", inet_ntoa(tunnel->config->gateway_ip));
log_debug("gateway_port: %u\n", tunnel->config->gateway_port);
@@ -840,7 +840,7 @@
// be careful not to fetch too many bytes at once
const char *response = NULL;
- memset(&(request), '\0', sizeof(request));
+ memset(&(request), 0, sizeof(request));
for (int j = 0; response == NULL; j++) {
if (j >= ARRAY_SIZE(request) - 1) {
log_error("Proxy response is unexpectedly large and cannot fit in the %lu-bytes buffer.\n",
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openfortivpn-1.20.5/tests/ci/checkpatch/checkpatch.pl new/openfortivpn-1.21.0/tests/ci/checkpatch/checkpatch.pl
--- old/openfortivpn-1.20.5/tests/ci/checkpatch/checkpatch.pl 2023-06-23 08:20:36.000000000 +0200
+++ new/openfortivpn-1.21.0/tests/ci/checkpatch/checkpatch.pl 2023-11-08 07:42:39.000000000 +0100
@@ -74,6 +74,8 @@
my $tabsize = 8;
my ${CONFIG_} = "CONFIG_";
+my %maybe_linker_symbol; # for externs in c exceptions, when seen in *vmlinux.lds.h
+
sub help {
my ($exitcode) = @_;
@@ -3270,7 +3272,7 @@
# A Fixes:, link or signature tag line
$commit_log_possible_stack_dump)) {
WARN("COMMIT_LOG_LONG_LINE",
- "Possible unwrapped commit description (prefer a maximum 75 chars per line)\n" . $herecurr);
+ "Prefer a maximum 75 chars per line (possible unwrapped commit description?)\n" . $herecurr);
$commit_log_long_line = 1;
}
@@ -5046,7 +5048,7 @@
if|for|while|switch|return|case|
volatile|__volatile__|
__attribute__|format|__extension__|
- asm|__asm__)$/x)
+ asm|__asm__|scoped_guard)$/x)
{
# cpp #define statements have non-optional spaces, ie
# if there is a space between the name and the open
@@ -6051,6 +6053,9 @@
# check for line continuations outside of #defines, preprocessor #, and asm
+ } elsif ($realfile =~ m@/vmlinux.lds.h$@) {
+ $line =~ s/(\w+)/$maybe_linker_symbol{$1}++/ge;
+ #print "REAL: $realfile\nln: $line\nkeys:", sort keys %maybe_linker_symbol;
} else {
if ($prevline !~ /^..*\\$/ &&
$line !~ /^\+\s*\#.*\\$/ && # preprocessor
@@ -6997,10 +7002,22 @@
# }
# }
+# strcpy uses that should likely be strscpy
+ if ($line =~ /\bstrcpy\s*\(/) {
+ WARN("STRCPY",
+ "Prefer strscpy over strcpy - see: https://github.com/KSPP/linux/issues/88\n" . $herecurr);
+ }
+
# strlcpy uses that should likely be strscpy
if ($line =~ /\bstrlcpy\s*\(/) {
WARN("STRLCPY",
- "Prefer strscpy over strlcpy - see: https://lore.kernel.org/r/CAHk-=wgfRnXz0W3D37d01q3JFkr_i_uTL=V6A6G1oUZcprmknw\@mail.gmail.com/\n" . $herecurr);
+ "Prefer strscpy over strlcpy - see: https://github.com/KSPP/linux/issues/89\n" . $herecurr);
+ }
+
+# strncpy uses that should likely be strscpy or strscpy_pad
+ if ($line =~ /\bstrncpy\s*\(/) {
+ WARN("STRNCPY",
+ "Prefer strscpy, strscpy_pad, or __nonstring over strncpy - see: https://github.com/KSPP/linux/issues/90\n" . $herecurr);
}
# typecasts on min/max could be min_t/max_t
@@ -7108,6 +7125,21 @@
}
} elsif ($realfile =~ /\.c$/ && defined $stat &&
+ $stat =~ /^\+extern struct\s+(\w+)\s+(\w+)\[\];/)
+ {
+ my ($st_type, $st_name) = ($1, $2);
+
+ for my $s (keys %maybe_linker_symbol) {
+ #print "Linker symbol? $st_name : $s\n";
+ goto LIKELY_LINKER_SYMBOL
+ if $st_name =~ /$s/;
+ }
+ WARN("AVOID_EXTERNS",
+ "found a file-scoped extern type:$st_type name:$st_name in .c file\n"
+ . "is this a linker symbol ?\n" . $herecurr);
+ LIKELY_LINKER_SYMBOL:
+
+ } elsif ($realfile =~ /\.c$/ && defined $stat &&
$stat =~ /^.\s*extern\s+/)
{
WARN("AVOID_EXTERNS",
@@ -7418,6 +7450,16 @@
}
}
+# check for array definition/declarations that should use flexible arrays instead
+ if ($sline =~ /^[\+ ]\s*\}(?:\s*__packed)?\s*;\s*$/ &&
+ $prevline =~ /^\+\s*(?:\}(?:\s*__packed\s*)?|$Type)\s*$Ident\s*\[\s*(0|1)\s*\]\s*;\s*$/) {
+ if (ERROR("FLEXIBLE_ARRAY",
+ "Use C99 flexible arrays - see https://docs.kernel.org/process/deprecated.html#zero-length-and-one-element-arrays\n" . $hereprev) &&
+ $1 == '0' && $fix) {
+ $fixed[$fixlinenr - 1] =~ s/\[\s*0\s*\]/[]/;
+ }
+ }
+
# nested likely/unlikely calls
if ($line =~ /\b(?:(?:un)?likely)\s*\(\s*!?\s*(IS_ERR(?:_OR_NULL|_VALUE)?|WARN)/) {
WARN("LIKELY_MISUSE",
@@ -7435,6 +7477,30 @@
}
}
+# Complain about RCU Tasks Trace used outside of BPF (and of course, RCU).
+ our $rcu_trace_funcs = qr{(?x:
+ rcu_read_lock_trace |
+ rcu_read_lock_trace_held |
+ rcu_read_unlock_trace |
+ call_rcu_tasks_trace |
+ synchronize_rcu_tasks_trace |
+ rcu_barrier_tasks_trace |
+ rcu_request_urgent_qs_task
+ )};
+ our $rcu_trace_paths = qr{(?x:
+ kernel/bpf/ |
+ include/linux/bpf |
+ net/bpf/ |
+ kernel/rcu/ |
+ include/linux/rcu
+ )};
+ if ($line =~ /\b($rcu_trace_funcs)\s*\(/) {
+ if ($realfile !~ m{^$rcu_trace_paths}) {
+ WARN("RCU_TASKS_TRACE",
+ "use of RCU tasks trace is incorrect outside BPF or core RCU code\n" . $herecurr);
+ }
+ }
+
# check for lockdep_set_novalidate_class
if ($line =~ /^.\s*lockdep_set_novalidate_class\s*\(/ ||
$line =~ /__lockdep_no_validate__\s*\)/ ) {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openfortivpn-1.20.5/tests/ci/checkpatch/spelling.txt new/openfortivpn-1.21.0/tests/ci/checkpatch/spelling.txt
--- old/openfortivpn-1.20.5/tests/ci/checkpatch/spelling.txt 2023-06-23 08:20:36.000000000 +0200
+++ new/openfortivpn-1.21.0/tests/ci/checkpatch/spelling.txt 2023-11-08 07:42:39.000000000 +0100
@@ -155,6 +155,7 @@
aquisition||acquisition
arbitary||arbitrary
architechture||architecture
+archtecture||architecture
arguement||argument
arguements||arguments
arithmatic||arithmetic
@@ -279,6 +280,7 @@
canot||cannot
cann't||can't
cannnot||cannot
+capabiity||capability
capabilites||capabilities
capabilties||capabilities
capabilty||capability
@@ -426,6 +428,7 @@
cound||could
couter||counter
coutner||counter
+creationg||creating
cryptocraphic||cryptographic
cummulative||cumulative
cunter||counter
@@ -492,6 +495,7 @@
destroied||destroyed
detabase||database
deteced||detected
+detecion||detection
detectt||detect
detroyed||destroyed
develope||develop
@@ -513,6 +517,7 @@
differrence||difference
diffrent||different
differenciate||differentiate
+diffreential||differential
diffrentiate||differentiate
difinition||definition
digial||digital
@@ -617,6 +622,7 @@
evalutes||evaluates
evalution||evaluation
excecutable||executable
+excceed||exceed
exceded||exceeded
exceds||exceeds
exceeed||exceed
@@ -632,6 +638,7 @@
exixt||exist
exsits||exists
exlcude||exclude
+exlcuding||excluding
exlcusive||exclusive
exlusive||exclusive
exmaple||example
@@ -726,6 +733,8 @@
genereate||generate
genereted||generated
genric||generic
+gerenal||general
+geting||getting
globel||global
grabing||grabbing
grahical||graphical
@@ -899,6 +908,7 @@
iternations||iterations
itertation||iteration
itslef||itself
+ivalid||invalid
jave||java
jeffies||jiffies
jumpimng||jumping
@@ -977,6 +987,7 @@
migrateable||migratable
millenium||millennium
milliseonds||milliseconds
+minimim||minimum
minium||minimum
minimam||minimum
minimun||minimum
@@ -1042,6 +1053,7 @@
notity||notify
nubmer||number
numebr||number
+numer||number
numner||number
nunber||number
obtaion||obtain
@@ -1061,6 +1073,7 @@
offlaod||offload
offloded||offloaded
offseting||offsetting
+oflload||offload
omited||omitted
omiting||omitting
omitt||omit
@@ -1105,6 +1118,7 @@
paket||packet
pallette||palette
paln||plan
+palne||plane
paramameters||parameters
paramaters||parameters
paramater||parameter
@@ -1181,12 +1195,14 @@
primative||primitive
princliple||principle
priorty||priority
+priting||printing
privilaged||privileged
privilage||privilege
priviledge||privilege
priviledges||privileges
privleges||privileges
probaly||probably
+probabalistic||probabilistic
procceed||proceed
proccesors||processors
procesed||processed
@@ -1460,6 +1476,7 @@
submition||submission
succeded||succeeded
suceed||succeed
+succesfuly||successfully
succesfully||successfully
succesful||successful
successed||succeeded
@@ -1503,6 +1520,7 @@
synax||syntax
synchonized||synchronized
sychronization||synchronization
+sychronously||synchronously
synchronuously||synchronously
syncronize||synchronize
syncronized||synchronized
@@ -1523,7 +1541,6 @@
temorary||temporary
temproarily||temporarily
temperture||temperature
-thead||thread
theads||threads
therfore||therefore
thier||their
@@ -1532,6 +1549,7 @@
threshhold||threshold
thresold||threshold
throught||through
+tansition||transition
trackling||tracking
troughput||throughput
trys||tries
@@ -1611,6 +1629,7 @@
unnecesary||unnecessary
unneedingly||unnecessarily
unnsupported||unsupported
+unuspported||unsupported
unmached||unmatched
unprecise||imprecise
unpriviledged||unprivileged
@@ -1657,6 +1676,7 @@
veriosn||version
verisons||versions
verison||version
+veritical||vertical
verson||version
vicefersa||vice-versa
virtal||virtual
@@ -1677,6 +1697,7 @@
wheter||whether
whe||when
wierd||weird
+wihout||without
wiil||will
wirte||write
withing||within
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openfortivpn-1.20.5/tests/lint/astyle.sh new/openfortivpn-1.21.0/tests/lint/astyle.sh
--- old/openfortivpn-1.20.5/tests/lint/astyle.sh 2023-06-23 08:20:36.000000000 +0200
+++ new/openfortivpn-1.21.0/tests/lint/astyle.sh 2023-11-08 07:42:39.000000000 +0100
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
# Copyright (c) 2015 Adrien Vergé
# Check that astyle is installed
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openfortivpn-1.20.5/tests/lint/checkpatch.sh new/openfortivpn-1.21.0/tests/lint/checkpatch.sh
--- old/openfortivpn-1.20.5/tests/lint/checkpatch.sh 2023-06-23 08:20:36.000000000 +0200
+++ new/openfortivpn-1.21.0/tests/lint/checkpatch.sh 2023-11-08 07:42:39.000000000 +0100
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
# Copyright (c) 2020 Dimitri Papadopoulos
# Path to checkpatch.pl
@@ -11,7 +11,7 @@
tmp=$(mktemp)
"$checkpatch_path" --no-tree --terse \
- --ignore LEADING_SPACE,SPDX_LICENSE_TAG,CODE_INDENT,NAKED_SSCANF,VOLATILE,NEW_TYPEDEFS,LONG_LINE,LONG_LINE_STRING,QUOTED_WHITESPACE_BEFORE_NEWLINE,STRLCPY \
+ --ignore LEADING_SPACE,SPDX_LICENSE_TAG,CODE_INDENT,NAKED_SSCANF,VOLATILE,NEW_TYPEDEFS,LONG_LINE,LONG_LINE_STRING,QUOTED_WHITESPACE_BEFORE_NEWLINE,STRCPY,STRLCPY,STRNCPY \
-f "$file" | tee "$tmp"
if [ -s "$tmp" ]; then
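Review bot: `STRCPY` and `STRNCPY` are added to `--ignore` in the same update that introduces those checks in checkpatch.pl, so the new warnings never run against this code base. The replacement they recommend, `strscpy`, is a kernel helper, which makes ignoring them reasonable for a userspace program, but a comment stating that reason would stop the list from reading as blanket suppression. It would also make clear that unbounded `strcpy`/`strncpy` use is left to the CodeQL and Coverity workflows to catch.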
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openfortivpn-1.20.5/tests/lint/eol-at-eof.sh new/openfortivpn-1.21.0/tests/lint/eol-at-eof.sh
--- old/openfortivpn-1.20.5/tests/lint/eol-at-eof.sh 2023-06-23 08:20:36.000000000 +0200
+++ new/openfortivpn-1.21.0/tests/lint/eol-at-eof.sh 2023-11-08 07:42:39.000000000 +0100
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
# Copyright (c) 2015 Adrien Vergé
rc=0
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openfortivpn-1.20.5/tests/lint/line_length.py new/openfortivpn-1.21.0/tests/lint/line_length.py
--- old/openfortivpn-1.20.5/tests/lint/line_length.py 2023-06-23 08:20:36.000000000 +0200
+++ new/openfortivpn-1.21.0/tests/lint/line_length.py 2023-11-08 07:42:39.000000000 +0100
@@ -1,4 +1,4 @@
-#!/usr/bin/python3
+#!/usr/bin/env python3
# Copyright (c) 2015 Adrien Vergé
"""Enforce maximum line length in openfortivpn C source code.
@@ -38,12 +38,11 @@
True if line ends with string, False otherwise.
"""
- return any(line.endswith(end)
- for end in ('"', '",', '");', '";', '" \\', '];'))
+ return any(line.endswith(end) for end in ('"', '",', '");', '";', '" \\', '];'))
def main():
- """Check each file provided as a command line parameter
+ """Check each file provided as a command line parameter.
Returns
-------
@@ -55,7 +54,7 @@
for arg in sys.argv[1:]:
with open(arg, "r") as source_file:
- for i, line in enumerate(source_file):
+ for i, line in enumerate(source_file, start=1):
line = line.rstrip()
# Lines that end with a string are exempted
if endswithstring(line):
@@ -64,7 +63,10 @@
line = line.replace("\t", " ")
# Lines longer than MAX are reported as an error
if len(line) > MAX:
- print(f"{arg}: {i}: line too long ({len(line)} characters)")
+ print(
+ f"{arg}: {i}: line too long ({len(line)} characters)",
+ file=sys.stderr,
+ )
exit_status = 1
sys.exit(exit_status)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openfortivpn-1.20.5/tests/lint/run.sh new/openfortivpn-1.21.0/tests/lint/run.sh
--- old/openfortivpn-1.20.5/tests/lint/run.sh 2023-06-23 08:20:36.000000000 +0200
+++ new/openfortivpn-1.21.0/tests/lint/run.sh 2023-11-08 07:42:39.000000000 +0100
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
# Copyright (c) 2015 Adrien Vergé
rc=0