Hello community, here is the log from the commit of package openvpn checked in at Fri Jun 23 17:11:59 CEST 2006. -------- --- openvpn/openvpn.changes 2006-04-19 13:11:40.000000000 +0200 +++ openvpn/openvpn.changes 2006-06-23 11:55:17.000000000 +0200 @@ -1,0 +2,28 @@ +Fri Jun 23 11:55:10 CEST 2006 - poeml@suse.de + +- upstream 2.0.7, with bug fixes: +* When deleting routes under Linux, use the route metric + as a differentiator to ensure that the route teardown + process only deletes the identical route which was originally + added via the "route" directive (Roy Marples). +* Fixed bug where --server directive in --dev tap mode + claimed that it would support subnets of /30 or less + but actually would only accept /29 or less. +* Extend byte counters to 64 bits (M. van Cuijk). +* Better sanity checking of --server and --server-bridge + IP pool ranges, so as not to hit the assertion at + pool.c:119 (2.0.5). +* Fixed bug where --daemon and --management-query-passwords + used together would cause OpenVPN to block prior to + daemonization. +* Fixed client/server race condition which could occur + when --auth-retry interact is set and the initially + provided auth-user-pass credentials are incorrect, + forcing a username/password re-query. +* Fixed bug where if --daemon and --management-hold are + used together, --user or --group options would be ignored. +* fix for CVE-2006-1629 integrated (disallow "setenv" to be pushed + to clients from the server) +- build with fPIE/pie on SUSE 10.0 or newer, or on any other platform + +------------------------------------------------------------------- Old: ---- openvpn-2.0.5-CVE-2006-1629.dif openvpn-2.0.5.tar.bz2 New: ---- openvpn-2.0.7.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ openvpn.spec ++++++ --- /var/tmp/diff_new_pack.DJvlhv/_old 2006-06-23 17:11:24.000000000 +0200 +++ /var/tmp/diff_new_pack.DJvlhv/_new 2006-06-23 17:11:24.000000000 +0200 
@@ -1,5 +1,5 @@ # -# spec file for package openvpn (Version 2.0.5) +# spec file for package openvpn (Version 2.0.7) # # Copyright (c) 2006 SUSE LINUX Products GmbH, Nuernberg, Germany. # This file and all modifications and additions to the pristine @@ -16,14 +16,15 @@ License: GPL, LGPL Group: Productivity/Networking/Security Autoreqprov: on +%if 0%{?suse_version} PreReq: %insserv_prereq %fillup_prereq -Version: 2.0.5 -Release: 11 +%endif +Version: 2.0.7 +Release: 1 Summary: Create VPN over Wireless and Ethernet Networks using a Tun Device Source: http://openvpn.net/release/openvpn-%{version}.tar.bz2 Source2: openvpn.init Source3: openvpn-README.SUSE -Patch1: openvpn-2.0.5-CVE-2006-1629.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -37,12 +38,16 @@ %prep %setup -%patch1 -p1 %build autoreconf -fi -export CFLAGS="$RPM_OPT_FLAGS -Wall -fPIE" -export LDFLAGS="-pie" +export CFLAGS="$RPM_OPT_FLAGS -Wall" +export LDFLAGS= +# build with fPIE/pie on SUSE 10.0 or newer, or on any other platform +%if %{?suse_version:%suse_version}%{?!suse_version:99999} > 930 +CFLAGS="$CFLAGS -fPIE" +LDFLAGS="$LDFLAGS -pie" +%endif ./configure --prefix=/usr --enable-pthread \ --mandir=%_mandir --with-lzo-headers=%_includedir/lzo make @@ -62,14 +67,14 @@ %post %{fillup_and_insserv -f} -%if %suse_version > 820 +%if %{?suse_version:%suse_version}%{?!suse_version:0} > 820 %preun %stop_on_removal openvpn %endif %postun -%if %suse_version > 820 +%if %{?suse_version:%suse_version}%{?!suse_version:0} > 820 %restart_on_update openvpn %endif %insserv_cleanup 
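Review bot: The new suse_version guards around `%stop_on_removal` and `%restart_on_update` leave `%{fillup_and_insserv -f}` in `%post` and `%insserv_cleanup` in `%postun` unguarded, although the matching `PreReq: %insserv_prereq %fillup_prereq` was wrapped in `%if 0%{?suse_version}` in the first hunk of this file. On a non-SUSE build those two macros are presumably undefined, so the scriptlets would be emitted with the literal `%{...}` text and fail at install time, defeating the "or on any other platform" intent stated in the `%build` comment. Wrap both calls the same way, `%if 0%{?suse_version}` / `%{fillup_and_insserv -f}` / `%endif`, and consider collapsing the three spellings of the same test (`0%{?suse_version}`, `%{?!suse_version:99999}`, `%{?!suse_version:0}`) into one macro so the intent is readable.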
@@ -93,6 +98,31 @@ %dir /var/run/openvpn %changelog -n openvpn +* Fri Jun 23 2006 - poeml@suse.de +- upstream 2.0.7, with bug fixes: + * When deleting routes under Linux, use the route metric + as a differentiator to ensure that the route teardown + process only deletes the identical route which was originally + added via the "route" directive (Roy Marples). + * Fixed bug where --server directive in --dev tap mode + claimed that it would support subnets of /30 or less + but actually would only accept /29 or less. + * Extend byte counters to 64 bits (M. van Cuijk). + * Better sanity checking of --server and --server-bridge + IP pool ranges, so as not to hit the assertion at + pool.c:119 (2.0.5). + * Fixed bug where --daemon and --management-query-passwords + used together would cause OpenVPN to block prior to + daemonization. + * Fixed client/server race condition which could occur + when --auth-retry interact is set and the initially + provided auth-user-pass credentials are incorrect, + forcing a username/password re-query. + * Fixed bug where if --daemon and --management-hold are + used together, --user or --group options would be ignored. + * fix for CVE-2006-1629 integrated (disallow "setenv" to be pushed + to clients from the server) +- build with fPIE/pie on SUSE 10.0 or newer, or on any other platform * Wed Apr 19 2006 - poeml@suse.de - security fix (CVE-2006-1629): disallow "setenv" to be pushed to clients from the server [#165123] ++++++ openvpn-2.0.5.tar.bz2 -> openvpn-2.0.7.tar.bz2 ++++++ diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/openvpn-2.0.5/ChangeLog new/openvpn-2.0.7/ChangeLog --- old/openvpn-2.0.5/ChangeLog 2005-11-03 07:39:36.000000000 +0100 +++ new/openvpn-2.0.7/ChangeLog 2006-04-12 11:30:56.000000000 +0200 
@@ -1,8 +1,77 @@ OpenVPN Copyright (C) 2002-2005 OpenVPN Solutions LLC <info@openvpn.net> -$Id: ChangeLog 765 2005-11-03 01:21:44Z james $ +$Id: ChangeLog 999 2006-04-12 09:07:59Z james $ +2006.04.12 -- Version 2.0.7 + +* Code added in 2.0.6-rc1 to extend byte counters + to 64 bits caused a bug in the Windows version which has now + been fixed. The bug could cause intermittent crashes. + +2006.04.05 -- Version 2.0.6 + +* Security Vulnerability affecting OpenVPN 2.0 through 2.0.5. + An OpenVPN client connecting to a + malicious or compromised server could potentially receive + "setenv" configuration directives from the server which could + cause arbitrary code execution on the client via a LD_PRELOAD + attack. A successful attack appears to require that (a) the + client has agreed to allow the server to push configuration + directives to it by including "pull" or the macro "client" in + its configuration file, (b) the client configuration file uses + a scripting directive such as "up" or "down", (c) the client + succesfully authenticates the server, (d) the server is + malicious or has been compromised and is under the control of + the attacker, and (e) the attacker has at least some level of + pre-existing control over files on the client (this might be + accomplished by having the server respond to a client web + request with a specially crafted file). Credit: Hendrik Weimer. + CVE-2006-1629. + + The fix is to disallow "setenv" to be pushed to clients from + the server. For those who need this capability, OpenVPN + 2.1 supports a new "setenv-safe" directive which is free + of this vulnerability. + +* When deleting routes under Linux, use the route metric + as a differentiator to ensure that the route teardown + process only deletes the identical route which was originally + added via the "route" directive (Roy Marples). + +* Fix the t_cltsrv.sh file in FreeBSD 4 jails + (Matthias Andree, Dirk Meyer, Vasil Dimov). 
+ +* Extended tun device configure code to support ethernet + bridging on NetBSD (Emmanuel Kasper). + +2006.01.03 -- Version 2.0.6-rc1 + +* Fixed bug where "make check" inside a FreeBSD "jail" + would never complete (Matthias Andree). +* Fixed bug where --server directive in --dev tap mode + claimed that it would support subnets of /30 or less + but actually would only accept /29 or less. +* Extend byte counters to 64 bits (M. van Cuijk). +* Fixed bug in acinclude.m4 where capability of compiler + to handle zero-length arrays in structs is tested + (David Stipp). +* Fixed typo in manage.c where inline function declaration + was declared without the "static" keyword (David Stipp). +* Removed redundant base64 code. +* Better sanity checking of --server and --server-bridge + IP pool ranges, so as not to hit the assertion at + pool.c:119 (2.0.5). +* Fixed bug where --daemon and --management-query-passwords + used together would cause OpenVPN to block prior to + daemonization. +* Fixed client/server race condition which could occur + when --auth-retry interact is set and the initially + provided auth-user-pass credentials are incorrect, + forcing a username/password re-query. +* Fixed bug where if --daemon and --management-hold are + used together, --user or --group options would be ignored. + 2005.11.02 -- Version 2.0.5 * Fixed bug in Linux get_default_gateway function diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/openvpn-2.0.5/INSTALL new/openvpn-2.0.7/INSTALL --- old/openvpn-2.0.5/INSTALL 2005-11-01 12:06:11.000000000 +0100 +++ new/openvpn-2.0.7/INSTALL 2005-12-29 03:08:32.000000000 +0100 
@@ -179,6 +179,14 @@ http://vtun.sourceforge.net/tun/ and follow the installation instructions. + If you use OpenVPN on Linux 2.2 or 2.4 or Solaris, you may be + suffering from a bug which causes connections to hang under heavy load. + The symptoms are very similar to the MTU problems discussed frequently + in the OpenVPN mailing lists. But it turns out that this bug is not caused by + MTU problems. It's a bug in the tun/tap driver. A patch is provided here: + + http://openvpn.net/patch/tun-sb.patch + * Solaris For 64 bit, I used the tun-1.1.tar.gz source and compiled it. diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/openvpn-2.0.5/acinclude.m4 new/openvpn-2.0.7/acinclude.m4 --- old/openvpn-2.0.5/acinclude.m4 2005-11-01 12:06:11.000000000 +0100 +++ new/openvpn-2.0.7/acinclude.m4 2005-11-24 19:16:50.000000000 +0100 @@ -19,13 +19,13 @@ AC_MSG_RESULT([checking for C compiler empty array support]) AC_COMPILE_IFELSE( [ - struct { int foo; int bar[0]; } mystruct; + struct { int foo; int bar[[0]]; } mystruct; ], [ AC_DEFINE_UNQUOTED(EMPTY_ARRAY_SIZE, 0, [Dimension to use for empty array declaration]) ], [ AC_COMPILE_IFELSE( [ - struct { int foo; int bar[]; } mystruct; + struct { int foo; int bar[[]]; } mystruct; ], [ AC_DEFINE_UNQUOTED(EMPTY_ARRAY_SIZE,, [Dimension to use for empty array declaration]) ], [ diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/openvpn-2.0.5/base64.c new/openvpn-2.0.7/base64.c --- old/openvpn-2.0.5/base64.c 2005-11-01 12:06:11.000000000 +0100 +++ new/openvpn-2.0.7/base64.c 2005-12-12 18:09:42.000000000 +0100 @@ -39,7 +39,7 @@ #include "syshead.h" -#if NTLM +#ifdef ENABLE_HTTP_PROXY #include "base64.h" 
@@ -48,16 +48,6 @@
 static char base64_chars[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
-static int
-pos(char c)
-{
- char *p;
- for (p = base64_chars; *p; p++)
- if (*p == c)
- return p - base64_chars;
- return -1;
-}
-
 int
 base64_encode(const void *data, int size, char **str)
 {
@@ -96,6 +86,18 @@
 return strlen(s);
 }
+#if NTLM
+
+static int
+pos(char c)
+{
+ char *p;
+ for (p = base64_chars; *p; p++)
+ if (*p == c)
+ return p - base64_chars;
+ return -1;
+}
+
 #define DECODE_ERROR 0xffffffff
 static unsigned int
@@ -141,6 +143,8 @@
 return q - (unsigned char *) data;
 }
+#endif /* NTLM */
+
 #else
 static void dummy(void) {}
 #endif
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/openvpn-2.0.5/base64.h new/openvpn-2.0.7/base64.h
--- old/openvpn-2.0.5/base64.h 2005-11-01 12:06:11.000000000 +0100
+++ new/openvpn-2.0.7/base64.h 2005-12-12 18:09:44.000000000 +0100
@@ -31,12 +31,10 @@
 * SUCH DAMAGE.
 */
-/* $KTH: base64.h,v 1.2 1999/12/02 16:58:45 joda Exp $ */
-
 #ifndef _BASE64_H_
 #define _BASE64_H_
-#if NTLM
+#ifdef ENABLE_HTTP_PROXY
 int base64_encode(const void *data, int size, char **str);
 int base64_decode(const char *str, void *data);
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/openvpn-2.0.5/common.h new/openvpn-2.0.7/common.h
--- old/openvpn-2.0.5/common.h 2005-11-01 12:06:11.000000000 +0100
+++ new/openvpn-2.0.7/common.h 2006-04-12 11:08:03.000000000 +0200
@@ -26,9 +26,19 @@
 #define COMMON_H
 /*
- * Statistics counters.
+ * Statistics counters and associated printf formats.
 */
-typedef unsigned long counter_type;
+#ifdef USE_64_BIT_COUNTERS
+ typedef unsigned long long int counter_type;
+# ifdef WIN32
+# define counter_format "%I64u"
+# else
+# define counter_format "%llu"
+# endif
+#else
+ typedef unsigned int counter_type;
+# define counter_format "%u"
+#endif
 /*
 * Time intervals
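Review bot: `counter_type` changes width in both directions in the common.h hunk — to `unsigned long long` with `USE_64_BIT_COUNTERS`, and from `unsigned long` down to `unsigned int` without it — so any caller still formatting a counter with a bare `%lu`/`%u`, or passing it through `setenv_int`, is now a printf type mismatch (undefined behaviour, and a silent 32-bit truncation on LP64 in the unconfigured case). This patch fixes the sites in multi.c and occ.c, but where `USE_64_BIT_COUNTERS` is defined and whether the status/statistics printers were audited is not visible on this page. Suggest a comment above the typedef, `/* width is configuration-dependent: print only via counter_format, export to env only via setenv_counter */`, and a `-Wformat` build of the whole tree before release.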
@@ -43,7 +53,6 @@ /* * Printf formats for special types */ -#define counter_format "%lu" #define ptr_format "0x%08lx" #define time_format "%lu" #define fragment_header_format "0x%08x" diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/openvpn-2.0.5/config-win32.h new/openvpn-2.0.7/config-win32.h --- old/openvpn-2.0.5/config-win32.h 2005-11-03 07:40:24.000000000 +0100 +++ new/openvpn-2.0.7/config-win32.h 2006-04-12 11:33:09.000000000 +0200 @@ -221,7 +221,7 @@ #define PACKAGE_TARNAME "openvpn" /* Define to the version of this package. */ -#define PACKAGE_VERSION "2.0.5" /* AUTO_VERSION */ +#define PACKAGE_VERSION "2.0.7" /* AUTO_VERSION */ /* Define to the full name and version of this package. */ #ifdef DEBUG_LABEL diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/openvpn-2.0.5/configure new/openvpn-2.0.7/configure --- old/openvpn-2.0.5/configure 2005-11-03 07:40:00.000000000 +0100 +++ new/openvpn-2.0.7/configure 2006-04-12 11:32:25.000000000 +0200 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.59 for OpenVPN 2.0.5. +# Generated by GNU Autoconf 2.59 for OpenVPN 2.0.7. # # Report bugs to <openvpn-users@lists.sourceforge.net>. # @@ -269,8 +269,8 @@ # Identity of this package. PACKAGE_NAME='OpenVPN' PACKAGE_TARNAME='openvpn' -PACKAGE_VERSION='2.0.5' -PACKAGE_STRING='OpenVPN 2.0.5' +PACKAGE_VERSION='2.0.7' +PACKAGE_STRING='OpenVPN 2.0.7' PACKAGE_BUGREPORT='openvpn-users@lists.sourceforge.net' ac_unique_file="syshead.h" @@ -780,7 +780,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures OpenVPN 2.0.5 to adapt to many kinds of systems. +\`configure' configures OpenVPN 2.0.7 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... 
@@ -847,7 +847,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of OpenVPN 2.0.5:";; + short | recursive ) echo "Configuration of OpenVPN 2.0.7:";; esac cat <<\_ACEOF @@ -996,7 +996,7 @@ test -n "$ac_init_help" && exit 0 if $ac_init_version; then cat <<\_ACEOF -OpenVPN configure 2.0.5 +OpenVPN configure 2.0.7 generated by GNU Autoconf 2.59 Copyright (C) 2003 Free Software Foundation, Inc. @@ -1010,7 +1010,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by OpenVPN $as_me 2.0.5, which was +It was created by OpenVPN $as_me 2.0.7, which was generated by GNU Autoconf 2.59. Invocation command line was $ $0 $@ @@ -4684,7 +4684,7 @@ echo "${ECHO_T}checking for C compiler empty array support" >&6 cat >conftest.$ac_ext <<_ACEOF - struct { int foo; int bar0; } mystruct; + struct { int foo; int bar[0]; } mystruct; _ACEOF rm -f conftest.$ac_objext @@ -4723,7 +4723,7 @@ cat >conftest.$ac_ext <<_ACEOF - struct { int foo; int bar; } mystruct; + struct { int foo; int bar[]; } mystruct; _ACEOF rm -f conftest.$ac_objext @@ -11265,7 +11265,7 @@ } >&5 cat >&5 <<_CSEOF -This file was extended by OpenVPN $as_me 2.0.5, which was +This file was extended by OpenVPN $as_me 2.0.7, which was generated by GNU Autoconf 2.59. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -11328,7 +11328,7 @@ cat >>$CONFIG_STATUS <<_ACEOF ac_cs_version="\\ -OpenVPN config.status 2.0.5 +OpenVPN config.status 2.0.7 configured by $0, generated by GNU Autoconf 2.59, with options \\"`echo "$ac_configure_args" | sed 's/[\\""\`\$]/\\\\&/g'`\\" diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/openvpn-2.0.5/configure.ac new/openvpn-2.0.7/configure.ac --- old/openvpn-2.0.5/configure.ac 2005-11-03 07:39:53.000000000 +0100 +++ new/openvpn-2.0.7/configure.ac 2006-04-12 11:32:17.000000000 +0200 
@@ -25,7 +25,7 @@ AC_PREREQ(2.50) -AC_INIT([OpenVPN], [2.0.5], [openvpn-users@lists.sourceforge.net], [openvpn]) +AC_INIT([OpenVPN], [2.0.7], [openvpn-users@lists.sourceforge.net], [openvpn]) AM_CONFIG_HEADER(config.h) AC_CONFIG_SRCDIR(syshead.h) diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/openvpn-2.0.5/easy-rsa/2.0/README new/openvpn-2.0.7/easy-rsa/2.0/README --- old/openvpn-2.0.5/easy-rsa/2.0/README 2005-11-02 19:42:39.000000000 +0100 +++ new/openvpn-2.0.7/easy-rsa/2.0/README 2006-01-07 08:31:22.000000000 +0100 @@ -47,6 +47,20 @@ * This release only affects the Linux/Unix version of easy-rsa. The Windows version (written to use the Windows shell) is unchanged. +* Use the revoke-full script to revoke a certificate, and generate + (or update) the crl.pem file in the keys directory (as set by the + vars script). Then use "crl-verify crl.pem" in your OpenVPN server + config file, so that OpenVPN can reject any connections coming from + clients which present a revoked certificate. Usage for the script is: + + revoke-full <common-name> + + Note this this procedure is primarily designed to revoke client + certificates. You could theoretically use this method to revoke + server certificates as well, but then you would need to propagate + the crl.pem file to all clients as well, and have them include + "crl-verify crl.pem" in their configuration files. + INSTALL easy-rsa 1. Edit vars. diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/openvpn-2.0.5/easy-rsa/2.0/openssl.cnf new/openvpn-2.0.7/easy-rsa/2.0/openssl.cnf --- old/openvpn-2.0.5/easy-rsa/2.0/openssl.cnf 2005-11-02 19:42:39.000000000 +0100 +++ new/openvpn-2.0.7/easy-rsa/2.0/openssl.cnf 2005-11-13 03:17:49.000000000 +0100 
@@ -207,6 +207,8 @@
 nsComment = "OpenSSL Generated Server Certificate"
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid,issuer:always
+extendedKeyUsage=serverAuth
+keyUsage = digitalSignature, keyEncipherment
 [ v3_req ]
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/openvpn-2.0.5/forward.c new/openvpn-2.0.7/forward.c
--- old/openvpn-2.0.5/forward.c 2005-11-01 12:06:11.000000000 +0100
+++ new/openvpn-2.0.7/forward.c 2005-12-13 18:09:13.000000000 +0100
@@ -297,6 +297,7 @@
 void
 schedule_exit (struct context *c, const int n_seconds)
 {
+ tls_set_single_session (c->c2.tls_multi);
 update_time ();
 reset_coarse_timers (c);
 event_timeout_init (&c->c2.scheduled_exit, n_seconds, now);
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/openvpn-2.0.5/helper.c new/openvpn-2.0.7/helper.c
--- old/openvpn-2.0.5/helper.c 2005-11-01 12:06:11.000000000 +0100
+++ new/openvpn-2.0.7/helper.c 2005-12-13 00:50:42.000000000 +0100
@@ -202,6 +202,7 @@
 o->ifconfig_pool_defined = true;
 o->ifconfig_pool_start = o->server_network + 4;
 o->ifconfig_pool_end = (o->server_network | ~o->server_netmask) - pool_end_reserve;
+ ifconfig_pool_verify_range (M_USAGE, o->ifconfig_pool_start, o->ifconfig_pool_end);
 helper_add_route (o->server_network, o->server_netmask, o);
 if (o->enable_c2c)
 push_option (o, print_opt_route (o->server_network, o->server_netmask, &o->gc), M_USAGE);
@@ -210,7 +211,7 @@
 }
 else if (dev == DEV_TYPE_TAP)
 {
- if (netbits >= 30)
+ if (netbits > 30)
 msg (M_USAGE, "--server directive when used with --dev tap must define a subnet of %s or lower", print_netmask (30, &gc));
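Review bot: `extendedKeyUsage=serverAuth` and the new `keyUsage` bits only stop a client certificate from being presented as the server if the client actually checks them, and nothing on this page shows a client-side check of these extensions; in the 2.0 series the client's role check is `--ns-cert-type server`, which reads the `nsCertType` attribute (presumably set earlier in this `[ server ]` section) rather than EKU or keyUsage. The easy-rsa README hunk in this same patch documents `crl-verify`; it should also tell client configs to enable the role check, otherwise any client cert issued by the same CA can impersonate the server. Consider whether `keyUsage = critical, digitalSignature, keyEncipherment` is acceptable for the deployed client TLS stacks, since only a critical extension is something a non-aware verifier is obliged to reject.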
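Review bot: The `bool` result of `ifconfig_pool_verify_range` is discarded at this call in helper.c (and at the two TAP/bridge calls in the next hunks), so an inverted or oversized pool is avoided only because `M_USAGE` presumably makes `msg()` exit, whereas the options.c caller in this same patch tests the return and `goto err`s. If a later edit lowers the msglevel here, the pool would be built from bad bounds and hit the `pool.c:119` assertion the changelog says this change is meant to prevent. Make the reliance explicit, e.g. `ASSERT (ifconfig_pool_verify_range (M_USAGE, o->ifconfig_pool_start, o->ifconfig_pool_end));`, or at least add `/* M_USAGE is fatal, so a false return never reaches here */`. The enclosing function begins before this hunk.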
@@ -221,6 +222,7 @@
 o->ifconfig_pool_defined = true;
 o->ifconfig_pool_start = o->server_network + 2;
 o->ifconfig_pool_end = (o->server_network | ~o->server_netmask) - 1;
+ ifconfig_pool_verify_range (M_USAGE, o->ifconfig_pool_start, o->ifconfig_pool_end);
 o->ifconfig_pool_netmask = o->server_netmask;
 push_option (o, print_opt_route_gateway (o->server_network + 1, &o->gc), M_USAGE);
 }
@@ -269,6 +271,7 @@
 o->ifconfig_pool_defined = true;
 o->ifconfig_pool_start = o->server_bridge_pool_start;
 o->ifconfig_pool_end = o->server_bridge_pool_end;
+ ifconfig_pool_verify_range (M_USAGE, o->ifconfig_pool_start, o->ifconfig_pool_end);
 o->ifconfig_pool_netmask = o->server_bridge_netmask;
 push_option (o, print_opt_route_gateway (o->server_bridge_ip, &o->gc), M_USAGE);
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/openvpn-2.0.5/init.c new/openvpn-2.0.7/init.c
--- old/openvpn-2.0.5/init.c 2005-11-01 20:27:45.000000000 +0100
+++ new/openvpn-2.0.7/init.c 2006-04-05 08:42:32.000000000 +0200
@@ -98,14 +98,12 @@
 }
 }
-void
-context_init_1 (struct context *c)
+/*
+ * Query for private key and auth-user-pass username/passwords
+ */
+static void
+init_query_passwords (struct context *c)
 {
- context_clear_1 (c);
-
- packet_id_persist_init (&c->c1.pid_persist);
- init_remote_list (c);
-
 #if defined(USE_CRYPTO) && defined(USE_SSL)
 /* Certificate password input */
 if (c->options.key_pass_file)
@@ -114,11 +112,22 @@
 #if P2MP
 /* Auth user/pass input */
- if (c->options.auth_user_pass_file)
- {
- auth_user_pass_setup (c->options.auth_user_pass_file);
- }
+ {
+ if (c->options.auth_user_pass_file)
+ auth_user_pass_setup (c->options.auth_user_pass_file);
+ }
 #endif
+}
+
+void
+context_init_1 (struct context *c)
+{
+ context_clear_1 (c);
+
+ packet_id_persist_init (&c->c1.pid_persist);
+ init_remote_list (c);
+
+ init_query_passwords (c);
 #ifdef ENABLE_HTTP_PROXY
 if (c->options.http_proxy_options)
@@ -372,8 +381,9 @@
 do_uid_gid_chroot (struct context *c, bool no_delay)
 {
 static const char why_not[] = "will be delayed because of --client, --pull, or --up-delay";
+ struct context_0 *c0 = c->c0;
- if (c->first_time && !c->c2.uid_gid_set)
+ if (c->first_time && c0 && !c0->uid_gid_set)
 {
 /* chroot if requested */
 if (c->options.chroot_dir)
@@ -387,11 +397,11 @@
 /* set user and/or group that we want to setuid/setgid to */
 if (no_delay)
 {
- set_group (&c->c2.group_state);
- set_user (&c->c2.user_state);
- c->c2.uid_gid_set = true;
+ set_group (&c0->group_state);
+ set_user (&c0->user_state);
+ c0->uid_gid_set = true;
 }
- else if (c->c2.uid_gid_specified)
+ else if (c0->uid_gid_specified)
 {
 msg (M_INFO, "NOTE: UID/GID downgrade %s", why_not);
 }
@@ -951,7 +961,6 @@
 return ( OPT_P_UP
 | OPT_P_ROUTE
 | OPT_P_IPWIN32
- | OPT_P_SETENV
 | OPT_P_SHAPER
 | OPT_P_TIMER
 | OPT_P_PERSIST
@@ -1018,7 +1027,7 @@
 if (management)
 {
 /* if c is defined, daemonize before hold */
- if (c && c->options.daemon && management_would_hold (management))
+ if (c && c->options.daemon && management_should_daemonize (management))
 do_init_first_time (c);
 /* block until management hold is released */
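Review bot: The added `c0 &&` in the guard of `do_uid_gid_chroot` makes a NULL level-0 context silently skip chroot, setgid and setuid — the privilege-drop steps — where the previous code on a first-time context always evaluated the `uid_gid_set` test and fell through to them. `c0` is only allocated in `do_init_first_time` and is explicitly nulled for CM_TOP_CLONE contexts later in this patch, so if any first_time path reaches this function before `do_init_first_time`, OpenVPN keeps root and its original root directory without a single log line. Fail loudly rather than skip: `if (c->first_time) { ASSERT (c0); if (!c0->uid_gid_set) { ... } }`, or at minimum add `else if (c->first_time) msg (M_WARN, "privilege downgrade skipped: level-0 context missing");`. The body of `do_uid_gid_chroot` continues past this hunk.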
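Review bot: Removing `| OPT_P_SETENV` from this permission mask is the CVE-2006-1629 fix, but the spot carries no comment, and this mask is the boundary that decides which directives a server may push into a client; whoever later "restores" the flag for convenience reopens arbitrary code execution on clients through `LD_PRELOAD` in the `--up`/`--down` script environment, exactly as the ChangeLog on this page describes. Add, in place of the removed line, `/* OPT_P_SETENV deliberately omitted: a pushed setenv reaches script environments (LD_PRELOAD etc.) -- CVE-2006-1629 */`. The enclosing function starts before this hunk and its name is not visible here.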
@@ -1804,15 +1813,20 @@
 static void
 do_init_first_time (struct context *c)
 {
- if (c->first_time && !c->did_we_daemonize)
+ if (c->first_time && !c->did_we_daemonize && !c->c0)
 {
+ struct context_0 *c0;
+
+ ALLOC_OBJ_CLEAR_GC (c->c0, struct context_0, &c->gc);
+ c0 = c->c0;
+
 /* get user and/or group that we want to setuid/setgid to */
- c->c2.uid_gid_specified =
- get_group (c->options.groupname, &c->c2.group_state) |
- get_user (c->options.username, &c->c2.user_state);
+ c0->uid_gid_specified =
+ get_group (c->options.groupname, &c0->group_state) |
+ get_user (c->options.username, &c0->user_state);
 /* get --writepid file descriptor */
- get_pid_file (c->options.writepid, &c->c2.pid_state);
+ get_pid_file (c->options.writepid, &c0->pid_state);
 /* become a daemon if --daemon */
 c->did_we_daemonize = possibly_become_daemon (&c->options, c->first_time);
@@ -1822,7 +1836,7 @@
 do_mlockall (true); /* call again in case we daemonized */
 /* save process ID in a file */
- write_pid (&c->c2.pid_state);
+ write_pid (&c0->pid_state);
 /* should we change scheduling priority? */
 set_nice (c->options.nice);
@@ -2284,6 +2298,12 @@
 goto sig;
 }
+#if P2MP
+ /* get passwords if undefined */
+ if (auth_retry_get () == AR_INTERACT)
+ init_query_passwords (c);
+#endif
+
 /* initialize context level 2 --verb/--mute parms */
 init_verb_mute (c, IVM_LEVEL_2);
@@ -2507,8 +2527,6 @@
 ASSERT (0);
 }
- dest->first_time = false;
-
 dest->gc = gc_new ();
 ALLOC_OBJ_CLEAR_GC (dest->sig, struct signal_info, &dest->gc);
@@ -2584,6 +2602,7 @@
 dest->mode = CM_TOP_CLONE;
 dest->first_time = false;
+ dest->c0 = NULL;
 options_detach (&dest->options);
 gc_detach (&dest->gc);
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/openvpn-2.0.5/install-win32/openvpn.nsi new/openvpn-2.0.7/install-win32/openvpn.nsi
--- old/openvpn-2.0.5/install-win32/openvpn.nsi 2005-11-03 07:40:24.000000000 +0100
+++ new/openvpn-2.0.7/install-win32/openvpn.nsi 2006-04-12 11:33:09.000000000 +0200
@@ -14,7 +14,7 @@
 !define BIN "${HOME}\bin"
 !define PRODUCT_NAME "OpenVPN"
-!define VERSION "2.0.5" # AUTO_VERSION
+!define VERSION "2.0.7" # AUTO_VERSION
 !define TAP "tap0801"
 !define TAPDRV "${TAP}.sys"
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/openvpn-2.0.5/lzo.c new/openvpn-2.0.7/lzo.c
--- old/openvpn-2.0.5/lzo.c 2005-11-01 12:06:10.000000000 +0100
+++ new/openvpn-2.0.7/lzo.c 2005-11-24 06:56:02.000000000 +0100
@@ -81,7 +81,7 @@
 return !ac->compress_state;
 }
-inline static void
+static inline void
 lzo_adaptive_compress_data (struct lzo_adaptive_compress *ac, int n_total, int n_comp)
 {
 if (ac->enabled)
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/openvpn-2.0.5/manage.c new/openvpn-2.0.7/manage.c
--- old/openvpn-2.0.5/manage.c 2005-11-01 12:06:11.000000000 +0100
+++ new/openvpn-2.0.7/manage.c 2005-12-13 15:15:55.000000000 +0100
@@ -1564,7 +1564,7 @@
 #endif
-inline bool
+static inline bool
 man_standalone_ok (const struct management *man)
 {
 return !man->settings.management_over_tunnel && man->connection.state != MS_INITIAL;
@@ -1797,6 +1797,16 @@
 }
 /*
+ * Return true if (from the management interface's perspective) OpenVPN should
+ * daemonize.
+ */
+bool
+management_should_daemonize (struct management *man)
+{
+ return management_would_hold (man) || man->settings.up_query_passwords;
+}
+
+/*
 * If the hold flag is enabled, hibernate until a management client releases the hold.
 * Return true if the caller should not sleep for an additional time interval.
 */
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/openvpn-2.0.5/manage.h new/openvpn-2.0.7/manage.h
--- old/openvpn-2.0.5/manage.h 2005-11-01 12:06:11.000000000 +0100
+++ new/openvpn-2.0.7/manage.h 2005-12-13 15:15:56.000000000 +0100
@@ -281,6 +281,7 @@
 bool management_query_user_pass (struct management *man, struct user_pass *up, const char *type, const bool password_only);
+bool management_should_daemonize (struct management *man);
 bool management_would_hold (struct management *man);
 bool management_hold (struct management *man);
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/openvpn-2.0.5/misc.c new/openvpn-2.0.7/misc.c
--- old/openvpn-2.0.5/misc.c 2005-11-01 12:06:11.000000000 +0100
+++ new/openvpn-2.0.7/misc.c 2005-11-05 08:04:22.000000000 +0100
@@ -843,6 +843,14 @@
 /* add/modify/delete environmental strings */
 void
+setenv_counter (struct env_set *es, const char *name, counter_type value)
+{
+ char buf[64];
+ openvpn_snprintf (buf, sizeof(buf), counter_format, value);
+ setenv_str (es, name, buf);
+}
+
+void
 setenv_int (struct env_set *es, const char *name, int value)
 {
 char buf[64];
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/openvpn-2.0.5/misc.h new/openvpn-2.0.7/misc.h
--- old/openvpn-2.0.5/misc.h 2005-11-01 12:06:11.000000000 +0100
+++ new/openvpn-2.0.7/misc.h 2005-11-05 08:04:22.000000000 +0100
@@ -158,6 +158,7 @@
 const unsigned int value_exclude, const char value_replace);
+void setenv_counter (struct env_set *es, const char *name, counter_type value);
 void setenv_int (struct env_set *es, const char *name, int value);
 void setenv_str (struct env_set *es, const char *name, const char *value);
 void setenv_del (struct env_set *es, const char *name);
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/openvpn-2.0.5/multi.c new/openvpn-2.0.7/multi.c
--- old/openvpn-2.0.5/multi.c 2005-11-01 19:21:15.000000000 +0100
+++ new/openvpn-2.0.7/multi.c 2005-11-05 08:04:22.000000000 +0100
@@ -396,8 +396,8 @@
 setenv_trusted (mi->context.c2.es, get_link_socket_info (&mi->context));
 /* setenv stats */
- setenv_int (mi->context.c2.es, "bytes_received", mi->context.c2.link_read_bytes);
- setenv_int (mi->context.c2.es, "bytes_sent", mi->context.c2.link_write_bytes);
+ setenv_counter (mi->context.c2.es, "bytes_received", mi->context.c2.link_read_bytes);
+ setenv_counter (mi->context.c2.es, "bytes_sent", mi->context.c2.link_write_bytes);
 }
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/openvpn-2.0.5/occ.c new/openvpn-2.0.7/occ.c
--- old/openvpn-2.0.5/occ.c 2005-11-01 12:06:11.000000000 +0100
+++ new/openvpn-2.0.7/occ.c 2005-11-05 08:04:22.000000000 +0100
@@ -161,13 +161,16 @@
 * Give up.
 */
 msg (D_SHOW_OCC,
- "NOTE: failed to obtain options consistency info from peer -- this could occur if the remote peer is running a version of "
+ "NOTE: failed to obtain options consistency info from peer -- "
+ "this could occur if the remote peer is running a version of "
 PACKAGE_NAME
 " before 1.5-beta8 or if there is a network connectivity problem, and will not necessarily prevent "
 PACKAGE_NAME
- " from running (%u bytes received from peer, %u bytes authenticated data channel traffic) -- you can disable the options consistency check with --disable-occ.",
- (unsigned int) c->c2.link_read_bytes,
- (unsigned int) c->c2.link_read_bytes_auth);
+ " from running (" counter_format " bytes received from peer, " counter_format
+ " bytes authenticated data channel traffic) -- you can disable the options consistency "
+ "check with --disable-occ.",
+ c->c2.link_read_bytes,
+ c->c2.link_read_bytes_auth);
 event_timeout_clear (&c->c2.occ_interval);
 }
 else
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/openvpn-2.0.5/openvpn.h new/openvpn-2.0.7/openvpn.h
--- old/openvpn-2.0.5/openvpn.h 2005-11-01 13:42:42.000000000 +0100
+++ new/openvpn-2.0.7/openvpn.h 2005-12-14 00:48:31.000000000 +0100
@@ -117,6 +117,23 @@
 struct buffer read_tun_buf;
 };
+/*
+ * level 0 context contains data related to
+ * once-per OpenVPN instantiation events
+ * such as daemonization.
+ */
+struct context_0
+{
+ /* workspace for get_pid_file/write_pid */
+ struct pid_state pid_state;
+
+ /* workspace for --user/--group */
+ bool uid_gid_specified;
+ bool uid_gid_set;
+ struct user_state user_state;
+ struct group_state group_state;
+};
+
 /*
 * Contains the persist-across-restart OpenVPN tunnel instance state.
 * Reset only for SIGHUP restarts.
@@ -335,15 +352,6 @@
 */
 bool ipv4_tun;
- /* workspace for get_pid_file/write_pid */
- struct pid_state pid_state;
-
- /* workspace for --user/--group */
- bool uid_gid_specified;
- bool uid_gid_set;
- struct user_state user_state;
- struct group_state group_state;
-
 /* should we print R|W|r|w to console on packet transfers? */
 bool log_rw;
@@ -447,6 +455,11 @@
 /* set to true after we daemonize */
 bool did_we_daemonize;
+ /* level 0 context contains data related to
+ once-per OpenVPN instantiation events
+ such as daemonization */
+ struct context_0 *c0;
+
 /* level 1 context is preserved for SIGUSR1 restarts, but initialized for SIGHUP restarts */
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/openvpn-2.0.5/openvpn.spec new/openvpn-2.0.7/openvpn.spec
--- old/openvpn-2.0.5/openvpn.spec 2005-11-03 07:40:24.000000000 +0100
+++ new/openvpn-2.0.7/openvpn.spec 2006-04-12 11:33:09.000000000 +0200
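Review bot: The comment on the new `c0` member of `struct context` repeats the struct's own header but omits the two facts a user of the pointer needs: it is allocated from `c->gc` in `do_init_first_time` and is NULL until then, and it is deliberately NULL in CM_TOP_CLONE contexts (both elsewhere in this patch), which is why `do_uid_gid_chroot` now has to test it before dereferencing. Replace the three comment lines with `/* level 0 context: once-per-process state (daemonization, --user/--group, --writepid). NULL until do_init_first_time runs, and always NULL in CM_TOP_CLONE contexts; check before dereferencing. */`. The `struct context` definition starts before this hunk.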
@@ -16,7 +16,7 @@
 Summary: OpenVPN is a robust and highly flexible VPN daemon by James Yonan.
 Name: openvpn
-Version: 2.0.5
+Version: 2.0.7
 Release: 1
 URL: http://openvpn.net/
 Source0: http://prdownloads.sourceforge.net/openvpn/%{name}-%{version}.tar.gz
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/openvpn-2.0.5/options.c new/openvpn-2.0.7/options.c
--- old/openvpn-2.0.5/options.c	2005-11-01 12:06:11.000000000 +0100
+++ new/openvpn-2.0.7/options.c	2005-12-13 00:50:43.000000000 +0100
@@ -881,7 +881,7 @@
 }
 #endif
 
-#if defined(ENABLE_HTTP_PROXY) && defined (ENABLE_DEBUG)
+#if defined(ENABLE_HTTP_PROXY) && defined(ENABLE_DEBUG)
 static void
 show_http_proxy_options (const struct http_proxy_options *o)
 {
@@ -3659,17 +3659,8 @@
           msg (msglevel, "error parsing --ifconfig-pool parameters");
           goto err;
         }
-      if (start > end)
-        {
-          msg (msglevel, "--ifconfig-pool start IP is greater than end IP");
-          goto err;
-        }
-      if (end - start >= IFCONFIG_POOL_MAX)
-        {
-          msg (msglevel, "--ifconfig-pool address range is too large. Current maximum is %d addresses.",
-               IFCONFIG_POOL_MAX);
-          goto err;
-        }
+      if (!ifconfig_pool_verify_range (msglevel, start, end))
+        goto err;
       options->ifconfig_pool_defined = true;
       options->ifconfig_pool_start = start;
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/openvpn-2.0.5/pool.c new/openvpn-2.0.7/pool.c
--- old/openvpn-2.0.5/pool.c	2005-11-01 12:06:10.000000000 +0100
+++ new/openvpn-2.0.7/pool.c	2005-12-13 00:58:51.000000000 +0100
@@ -109,6 +109,33 @@
   return -1;
 }
 
+/*
+ * Verify start/end range
+ */
+bool
+ifconfig_pool_verify_range (const int msglevel, const in_addr_t start, const in_addr_t end)
+{
+  struct gc_arena gc = gc_new ();
+  bool ret = true;
+
+  if (start > end)
+    {
+      msg (msglevel, "--ifconfig-pool start IP [%s] is greater than end IP [%s]",
+           print_in_addr_t (start, 0, &gc),
+           print_in_addr_t (end, 0, &gc));
+      ret = false;
+    }
+  if (end - start >= IFCONFIG_POOL_MAX)
+    {
+      msg (msglevel, "--ifconfig-pool address range is too large [%s -> %s]. Current maximum is %d addresses, as defined by IFCONFIG_POOL_MAX variable.",
+           print_in_addr_t (start, 0, &gc),
+           print_in_addr_t (end, 0, &gc),
+           IFCONFIG_POOL_MAX);
+      ret = false;
+    }
+  gc_free (&gc);
+  return ret;
+}
 
 struct ifconfig_pool *
 ifconfig_pool_init (int type, in_addr_t start, in_addr_t end, const bool duplicate_cn)
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/openvpn-2.0.5/pool.h new/openvpn-2.0.7/pool.h
--- old/openvpn-2.0.5/pool.h	2005-11-01 12:06:10.000000000 +0100
+++ new/openvpn-2.0.7/pool.h	2005-12-13 00:51:40.000000000 +0100
@@ -68,6 +68,8 @@
 
 void ifconfig_pool_free (struct ifconfig_pool *pool);
 
+bool ifconfig_pool_verify_range (const int msglevel, const in_addr_t start, const in_addr_t end);
+
 ifconfig_pool_handle ifconfig_pool_acquire (struct ifconfig_pool *pool, in_addr_t *local, in_addr_t *remote, const char *common_name);
 
 bool ifconfig_pool_release (struct ifconfig_pool* pool, ifconfig_pool_handle hand, const bool hard);
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/openvpn-2.0.5/proxy.c new/openvpn-2.0.7/proxy.c
--- old/openvpn-2.0.5/proxy.c	2005-11-01 12:06:11.000000000 +0100
+++ new/openvpn-2.0.7/proxy.c	2005-12-12 18:30:25.000000000 +0100
@@ -38,6 +38,7 @@
 #include "socket.h"
 #include "fdmisc.h"
 #include "proxy.h"
+#include "base64.h"
 #include "ntlm.h"
 #include "memdbg.h"
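Review bot: In ifconfig_pool_verify_range the second test still runs after the first one has failed: when start > end, `end - start` wraps (in_addr_t is unsigned), so the "range is too large" diagnostic is printed on top of the "start IP is greater than end IP" one and the operator gets two contradictory messages for a single bad --ifconfig-pool line. Chaining the checks, `else if (end - start >= IFCONFIG_POOL_MAX)`, keeps one message per failure and avoids relying on the wrap-around. The new header comment could also state the contract the callers in options.c depend on, e.g. `/* Validate an --ifconfig-pool start/end range: logs each problem at msglevel and returns false if the range is unusable. */`.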
@@ -192,42 +193,12 @@
 uint8_t *
 make_base64_string2 (const uint8_t *str, int src_len, struct gc_arena *gc)
 {
-  static const char base64_table[] =
-    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
-
-  uint8_t *buf;
-  const uint8_t *src;
-  uint8_t *dst;
-  int bits, data, dst_len;
-
-  /* make base64 string */
-  dst_len = (src_len + 2) / 3 * 4;
-  buf = gc_malloc (dst_len + 1, false, gc);
-  bits = data = 0;
-  src = str;
-  dst = buf;
-  while (dst_len--)
-    {
-      if (bits < 6)
-        {
-          data = (data << 8) | *src;
-          bits += 8;
-          src++;
-        }
-      *dst++ = base64_table[0x3F & (data >> (bits - 6))];
-      bits -= 6;
-    }
-  *dst = '\0';
-
-  /* fix-up tail padding */
-  switch (src_len % 3)
-    {
-    case 1:
-      *--dst = '=';
-    case 2:
-      *--dst = '=';
-    }
-  return buf;
+  uint8_t *ret = NULL;
+  char *b64out = NULL;
+  ASSERT (base64_encode ((const void *)str, src_len, &b64out) >= 0);
+  ret = (uint8_t *) string_alloc (b64out, gc);
+  free (b64out);
+  return ret;
 }
 
 uint8_t *
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/openvpn-2.0.5/route.c new/openvpn-2.0.7/route.c
--- old/openvpn-2.0.5/route.c	2005-11-03 01:51:57.000000000 +0100
+++ new/openvpn-2.0.7/route.c	2006-04-05 08:13:55.000000000 +0200
@@ -832,6 +832,8 @@
                   network, netmask);
 #endif /*CONFIG_FEATURE_IPROUTE*/
+      if (r->metric_defined)
+        buf_printf (&buf, " metric %d", r->metric);
       msg (D_ROUTE, "%s", BSTR (&buf));
       system_check (BSTR (&buf), es, 0, "ERROR: Linux route delete command failed");
 
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/openvpn-2.0.5/sample-config-files/server.conf new/openvpn-2.0.7/sample-config-files/server.conf
--- old/openvpn-2.0.5/sample-config-files/server.conf	2005-11-01 12:06:10.000000000 +0100
+++ new/openvpn-2.0.7/sample-config-files/server.conf	2006-01-06 22:49:27.000000000 +0100
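Review bot: The new make_base64_string2 body turns any negative return from base64_encode into a process abort via `ASSERT`, and the diff does not show what base64_encode can fail on; if it can fail at runtime (an allocation failure is the usual case for an encoder that hands back a malloc'd buffer), a daemon handling proxy credentials should report that rather than die. Either document the assumption, `/* base64_encode only fails on programmer error or OOM, which OpenVPN treats as fatal */`, or return NULL on failure if the two callers of this helper can cope with it; the callers are outside this hunk, so that needs checking. The `= NULL` initialisers on `ret` and `b64out` are dead, since both are assigned before they are read.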
@@ -37,7 +37,9 @@ # "dev tun" will create a routed IP tunnel, # "dev tap" will create an ethernet tunnel. -# Use "dev tap" if you are ethernet bridging. +# Use "dev tap0" if you are ethernet bridging +# and have precreated a tap0 virtual interface +# and bridged it with your ethernet interface. # If you want to control access policies # over the VPN, you must create firewall # rules for the the TUN/TAP interface. diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/openvpn-2.0.5/service-win32/mkpatch new/openvpn-2.0.7/service-win32/mkpatch --- old/openvpn-2.0.5/service-win32/mkpatch 2005-11-01 12:06:09.000000000 +0100 +++ new/openvpn-2.0.7/service-win32/mkpatch 2006-01-30 18:30:53.000000000 +0100 @@ -1,4 +1,4 @@ # build service.[ch] patch against original # SDK sample -diff -u service.c.orig service.c >service.patch -diff -u service.h.orig service.h >>service.patch +diff -ub service.c.orig service.c >service.patch +diff -ub service.h.orig service.h >>service.patch diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/openvpn-2.0.5/service-win32/service.patch new/openvpn-2.0.7/service-win32/service.patch --- old/openvpn-2.0.5/service-win32/service.patch 2005-11-01 12:06:09.000000000 +0100 +++ new/openvpn-2.0.7/service-win32/service.patch 2006-02-03 10:05:29.000000000 +0100 @@ -1,5 +1,5 @@ ---- service.c.orig Sat Jan 15 17:39:20 2005 -+++ service.c Sun Feb 20 11:28:30 2005 +--- service.c.orig Mon Jan 30 10:24:07 2006 ++++ service.c Mon Jan 30 10:26:22 2006 @@ -16,6 +16,7 @@ service_main(DWORD dwArgc, LPTSTR *lpszArgv); CmdInstallService(); @@ -29,7 +29,7 @@ { SERVICE_TABLE_ENTRY dispatchTable[] = { -@@ -77,12 +79,16 @@ +@@ -77,11 +79,15 @@ { if ( _stricmp( "install", argv[1]+1 ) == 0 ) { 
@@ -40,14 +40,13 @@ { - CmdRemoveService(); + return CmdRemoveService(); - } ++ } + else if ( _stricmp( "start", argv[1]+1 ) == 0) + { + return CmdStartService(); -+ } + } else if ( _stricmp( "debug", argv[1]+1 ) == 0 ) { - bDebug = TRUE; @@ -92,7 +98,7 @@ { goto dispatch; @@ -98,9 +97,8 @@ if ( !bDebug ) { -- dwErr = GetLastError(); + if (flags & MSG_FLAGS_SYS_CODE) -+ dwErr = GetLastError(); + dwErr = GetLastError(); + else + dwErr = 0; 
@@ -163,40 +161,16 @@ } schSCManager = OpenSCManager( -@@ -366,19 +384,19 @@ - if ( schSCManager ) - { - schService = CreateService( -- schSCManager, // SCManager database -- TEXT(SZSERVICENAME), // name of service -- TEXT(SZSERVICEDISPLAYNAME), // name to display -- SERVICE_QUERY_STATUS, // desired access -- SERVICE_WIN32_OWN_PROCESS, // service type +@@ -371,7 +389,7 @@ + TEXT(SZSERVICEDISPLAYNAME), // name to display + SERVICE_QUERY_STATUS, // desired access + SERVICE_WIN32_OWN_PROCESS, // service type - SERVICE_DEMAND_START, // start type -- SERVICE_ERROR_NORMAL, // error control type -- szPath, // service's binary -- NULL, // no load ordering group -- NULL, // no tag identifier -- TEXT(SZDEPENDENCIES), // dependencies -- NULL, // LocalSystem account -- NULL); // no password -+ schSCManager, // SCManager database -+ TEXT(SZSERVICENAME), // name of service -+ TEXT(SZSERVICEDISPLAYNAME), // name to display -+ SERVICE_QUERY_STATUS, // desired access -+ SERVICE_WIN32_OWN_PROCESS, // service type + SERVICE_DEMAND_START, // start type -- alternative: SERVICE_AUTO_START -+ SERVICE_ERROR_NORMAL, // error control type -+ szPath, // service's binary -+ NULL, // no load ordering group -+ NULL, // no tag identifier -+ TEXT(SZDEPENDENCIES), // dependencies -+ NULL, // LocalSystem account -+ NULL); // no password - - if ( schService ) - { -@@ -388,15 +406,78 @@ + SERVICE_ERROR_NORMAL, // error control type + szPath, // service's binary + NULL, // no load ordering group +@@ -388,16 +406,79 @@ else { _tprintf(TEXT("CreateService failed - %s\n"), GetLastErrorText(szErr, 256)); @@ -206,9 +180,8 @@ CloseServiceHandle(schSCManager); } else -- _tprintf(TEXT("OpenSCManager failed - %s\n"), GetLastErrorText(szErr,256)); + { -+ _tprintf(TEXT("OpenSCManager failed - %s\n"), GetLastErrorText(szErr,256)); + _tprintf(TEXT("OpenSCManager failed - %s\n"), GetLastErrorText(szErr,256)); + ret = 1; + } + return ret; 
@@ -233,7 +206,7 @@ + + SC_HANDLE schSCManager; + SC_HANDLE schService; -+ + + // Open a handle to the SC Manager database. + schSCManager = OpenSCManager( @@ -248,7 +221,7 @@ + + schService = OpenService( + schSCManager, // SCM database -+ "MeetrixService", // service name ++ SZSERVICENAME, // service name + SERVICE_ALL_ACCESS); + + if (schService == NULL) { @@ -273,9 +246,10 @@ + CloseServiceHandle(schSCManager); + return ret; +} - ++ // // FUNCTION: CmdRemoveService() + // @@ -407,15 +488,17 @@ // none // @@ -300,9 +274,8 @@ if ( ssStatus.dwCurrentState == SERVICE_STOPPED ) _tprintf(TEXT("\n%s stopped.\n"), TEXT(SZSERVICEDISPLAYNAME) ); else -- _tprintf(TEXT("\n%s failed to stop.\n"), TEXT(SZSERVICEDISPLAYNAME) ); + { -+ _tprintf(TEXT("\n%s failed to stop.\n"), TEXT(SZSERVICEDISPLAYNAME) ); + _tprintf(TEXT("\n%s failed to stop.\n"), TEXT(SZSERVICEDISPLAYNAME) ); + ret = 1; + } @@ -312,9 +285,8 @@ if ( DeleteService(schService) ) _tprintf(TEXT("%s removed.\n"), TEXT(SZSERVICEDISPLAYNAME) ); else -- _tprintf(TEXT("DeleteService failed - %s\n"), GetLastErrorText(szErr,256)); + { -+ _tprintf(TEXT("DeleteService failed - %s\n"), GetLastErrorText(szErr,256)); + _tprintf(TEXT("DeleteService failed - %s\n"), GetLastErrorText(szErr,256)); + ret = 1; + } @@ -322,18 +294,16 @@ CloseServiceHandle(schService); } else -- _tprintf(TEXT("OpenService failed - %s\n"), GetLastErrorText(szErr,256)); + { -+ _tprintf(TEXT("OpenService failed - %s\n"), GetLastErrorText(szErr,256)); + _tprintf(TEXT("OpenService failed - %s\n"), GetLastErrorText(szErr,256)); + ret = 1; + } CloseServiceHandle(schSCManager); } else -- _tprintf(TEXT("OpenSCManager failed - %s\n"), GetLastErrorText(szErr,256)); + { -+ _tprintf(TEXT("OpenSCManager failed - %s\n"), GetLastErrorText(szErr,256)); + _tprintf(TEXT("OpenSCManager failed - %s\n"), GetLastErrorText(szErr,256)); + ret = 1; + } + return ret; 
@@ -349,8 +319,8 @@ } if ( lpszTemp ) ---- service.h.orig Sat Jan 15 17:39:20 2005 -+++ service.h Mon Feb 7 17:24:04 2005 +--- service.h.orig Mon Jan 30 10:24:07 2006 ++++ service.h Mon Jan 30 10:24:07 2006 @@ -62,13 +62,13 @@ //// todo: change to desired strings //// diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/openvpn-2.0.5/socket.c new/openvpn-2.0.7/socket.c --- old/openvpn-2.0.5/socket.c 2005-11-01 20:28:32.000000000 +0100 +++ new/openvpn-2.0.7/socket.c 2005-11-04 20:28:42.000000000 +0100 @@ -525,6 +525,15 @@ new_sd = accept (sd, (struct sockaddr *) remote, &remote_len); } +#if 0 /* For debugging only, test the effect of accept() failures */ + { + static int foo = 0; + ++foo; + if (foo & 1) + new_sd = -1; + } +#endif + if (!socket_defined (new_sd)) { msg (D_LINK_ERRORS | M_ERRNO_SOCK, "TCP: accept(%d) failed", sd); diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/openvpn-2.0.5/ssl.c new/openvpn-2.0.7/ssl.c --- old/openvpn-2.0.5/ssl.c 2005-11-01 12:06:10.000000000 +0100 +++ new/openvpn-2.0.7/ssl.c 2005-12-13 18:10:01.000000000 +0100 @@ -3501,7 +3501,7 @@ if (multi->opt.single_session && multi->n_sessions) { msg (D_TLS_ERRORS, - "TLS Error: Cannot accept new session request from %s due to --single-session [1]", + "TLS Error: Cannot accept new session request from %s due to session context expire or --single-session [1]", print_sockaddr (from, &gc)); goto error; } 
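Review bot: The `#if 0` block added after accept() in socket.c is test scaffolding committed to the production accept path; it is dead as written, but a reader has to work out that it is meant to be dead, and flipping it on ships a listener that rejects every other connection. Drop it from the release tree, or tie it to an existing debug build option instead of `#if 0` and label it, e.g. `/* debug aid: fail every other accept(); never enable in production builds */`. The ssl.c message changes in this line are fine as they are.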
@@ -3543,7 +3543,7 @@
       if (multi->opt.single_session)
         {
           msg (D_TLS_ERRORS,
-               "TLS Error: Cannot accept new session request from %s due to --single-session [2]",
+               "TLS Error: Cannot accept new session request from %s due to session context expire or --single-session [2]",
                print_sockaddr (from, &gc));
           goto error;
         }
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/openvpn-2.0.5/ssl.h new/openvpn-2.0.7/ssl.h
--- old/openvpn-2.0.5/ssl.h	2005-11-01 12:06:11.000000000 +0100
+++ new/openvpn-2.0.7/ssl.h	2005-12-13 18:10:00.000000000 +0100
@@ -655,6 +655,13 @@
   return 0;
 }
 
+static inline void
+tls_set_single_session (struct tls_multi *multi)
+{
+  if (multi)
+    multi->opt.single_session = true;
+}
+
 /*
  * protocol_dump() flags
  */
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/openvpn-2.0.5/syshead.h new/openvpn-2.0.7/syshead.h
--- old/openvpn-2.0.5/syshead.h	2005-11-01 12:06:11.000000000 +0100
+++ new/openvpn-2.0.7/syshead.h	2006-04-12 11:08:10.000000000 +0200
@@ -366,6 +366,11 @@
 }
 
 /*
+ * Should statistics counters be 64 bits?
+ */
+#define USE_64_BIT_COUNTERS
+
+/*
  * Do we have point-to-multipoint capability?
  */
 
@@ -416,7 +421,7 @@
 /*
  * Should we include NTLM proxy functionality
  */
-#if defined(USE_CRYPTO) && defined (ENABLE_HTTP_PROXY)
+#if defined(USE_CRYPTO) && defined(ENABLE_HTTP_PROXY)
 #define NTLM 1
 #else
 #define NTLM 0
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/openvpn-2.0.5/t_cltsrv.sh new/openvpn-2.0.7/t_cltsrv.sh
--- old/openvpn-2.0.5/t_cltsrv.sh	2005-11-01 12:06:11.000000000 +0100
+++ new/openvpn-2.0.7/t_cltsrv.sh	2006-04-05 08:22:08.000000000 +0200
@@ -1,7 +1,7 @@
 #! /bin/sh
 #
 # t_cltsrv.sh - script to test OpenVPN's crypto loopback
-# Copyright (C) 2005 Matthias Andree
+# Copyright (C) 2005,2006 Matthias Andree
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License
@@ -19,20 +19,41 @@
 # 02110-1301, USA.
 
 set -e
-echo "the following test will run about two minutes..." >&2
-trap "rm -f log.$$ ; false" 1 2 3 15
+trap "rm -f log.$$ log.$$.signal ; trap 0 ; exit 77" 1 2 15
+trap "rm -f log.$$ log.$$.signal ; exit 1" 0 3
+addopts=
+case `uname -s` in
+    FreeBSD)
+    # FreeBSD jails map the outgoing IP to the jail IP - we need to
+    # allow the real IP unless we want the test to run forever.
+    if test "`sysctl 2>/dev/null -n security.jail.jailed`" = 1 \
+        || ps -ostate= -p $$ | grep -q J; then
+        addopts="--float"
+        if test "x`ifconfig | grep inet`" = x ; then
+            echo "###"
+            echo "### To run the test in a FreeBSD jail, you MUST add an IP alias for the jail's IP."
+            echo "###"
+            exit 1
+        fi
+    fi
+    ;;
+esac
+echo "the following test will take about two minutes..." >&2
 set +e
 (
-./openvpn --cd "${srcdir}" --config sample-config-files/loopback-server &
-./openvpn --cd "${srcdir}" --config sample-config-files/loopback-client
-) >log.$$ 2>&1
+./openvpn --cd "${srcdir}" ${addopts} --down 'echo "srv:${signal}" >&3 ; : #' --tls-exit --ping-exit 180 --config sample-config-files/loopback-server &
+./openvpn --cd "${srcdir}" ${addopts} --down 'echo "clt:${signal}" >&3 ; : #' --tls-exit --ping-exit 180 --config sample-config-files/loopback-client
+) 3>log.$$.signal >log.$$ 2>&1
 e1=$?
 wait $!
 e2=$?
+grep -v ":inactive$" log.$$.signal >/dev/null && { cat log.$$.signal ; echo ; cat log.$$ ; exit 1 ; }
 
 set -e
 if [ $e1 != 0 ] || [ $e2 != 0 ] ; then
   cat log.$$
   exit 1
 fi
-rm log.$$
+rm log.$$ log.$$.signal
+trap 0
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/openvpn-2.0.5/t_lpback.sh new/openvpn-2.0.7/t_lpback.sh
--- old/openvpn-2.0.5/t_lpback.sh	2005-11-01 12:06:11.000000000 +0100
+++ new/openvpn-2.0.7/t_lpback.sh	2005-11-04 20:32:50.000000000 +0100
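Review bot: The FreeBSD jail branch reports a missing IP alias with `exit 1`, i.e. as a test failure, while the new signal traps in the same hunk use 77, the conventional "skipped" status; an environment limitation the test cannot fix reads better as a skip, so `exit 77` there. The `ifconfig | grep inet` probe also matches `inet6` lines, so a jail with only an IPv6 address would pass the check and still hit the run-forever case the comment warns about; `grep 'inet '` (with the trailing space) is the usual guard. The `--down` hooks write `${signal}` to fd 3 through the shell, so the `: #` after the echo is doing real work by discarding the arguments OpenVPN appends; a short comment above the subshell saying so would save the next reader a detour.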
@@ -19,11 +19,13 @@
 # 02110-1301, USA.
 
 set -e
-trap "rm -f key.$$ log.$$ ; false" 1 2 3 15
+trap "rm -f key.$$ log.$$ ; trap 0 ; exit 77" 1 2 15
+trap "rm -f key.$$ log.$$ ; exit 1" 0 3
 ./openvpn --genkey --secret key.$$
 set +e
 ( ./openvpn --test-crypto --secret key.$$ ) >log.$$ 2>&1
 e=$?
 if [ $e != 0 ] ; then cat log.$$ ; fi
-rm key.$$
+rm key.$$ log.$$
+trap 0
 exit $e
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/openvpn-2.0.5/tun.c new/openvpn-2.0.7/tun.c
--- old/openvpn-2.0.5/tun.c	2005-11-01 12:06:10.000000000 +0100
+++ new/openvpn-2.0.7/tun.c	2006-04-05 08:29:24.000000000 +0200
@@ -690,7 +690,19 @@
                           tun_mtu
                           );
       else
-        no_tap_ifconfig ();
+        /*
+         * NetBSD has distinct tun and tap devices
+         * so we don't need the "link0" extra parameter to specify we want to do
+         * tunneling at the ethernet level
+         */
+        openvpn_snprintf (command_line, sizeof (command_line),
+                          IFCONFIG_PATH " %s %s netmask %s mtu %d broadcast %s",
+                          actual,
+                          ifconfig_local,
+                          ifconfig_remote_netmask,
+                          tun_mtu,
+                          ifconfig_broadcast
+                          );
       msg (M_INFO, "%s", command_line);
       system_check (command_line, es, S_FATAL, "NetBSD ifconfig failed");
       tt->did_ifconfig = true;
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-commit-unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit-help@opensuse.org
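Review bot: In the tun.c hunk the NetBSD tap branch is now a thirteen-line openvpn_snprintf call hanging off a brace-less `else`, with a block comment sitting between `else` and the statement; bracing the branch, `else { /* ... */ openvpn_snprintf (...); }`, keeps a later second statement from silently landing outside it. `ifconfig_broadcast` is used here but not declared in the hunk — presumably a local of the enclosing function, which starts before this hunk — so it is worth confirming it is populated in the tap path for NetBSD before this command is built and run through system_check. This NetBSD change is also not mentioned in the package changelog, which only lists the upstream bug fixes.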