Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package openvpn for openSUSE:Factory checked in at 2022-11-24 12:22:20
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/openvpn (Old)
 and /work/SRC/openSUSE:Factory/.openvpn.new.1597 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openvpn" Thu Nov 24 12:22:20 2022 rev:103 rq:1037543 version:2.5.8 Changes: -------- --- /work/SRC/openSUSE:Factory/openvpn/openvpn.changes 2022-09-17 20:10:17.265147825 +0200 +++ /work/SRC/openSUSE:Factory/.openvpn.new.1597/openvpn.changes 2022-11-24 12:22:28.577010458 +0100 
@@ -1,0 +2,28 @@ +Fri Nov 18 21:40:05 UTC 2022 - Dirk Müller <dmuel...@suse.com> + +- update to 2.5.8: + * allow running a default configuration with TLS libraries without BF-CBC + (even if TLS cipher negotiation would not actually use BF-CBC, the + long-term compatibility "default cipher BF-CBC" would trigger an error + on such TLS libraries) + * ``--auth-nocache'' was not always correctly clearing username+password + after a renegotiation + * ensure that auth-token received from server is cleared if requested + by the management interface ("forget password" or automatically + via ``--management-forget-disconnect'') + * in a setup without username+password, but with auth-token and + auth-token-username pushed by the server, OpenVPN would start asking + for username+password on token expiry. Fix. + * using ``--auth-token`` together with ``--management-client-auth`` + (on the server) would lead to TLS keys getting out of sync and client + being disconnected. Fix. + * management interface would sometimes get stuck if client and server + try to write something simultaneously. Fix by allowing a limited + level of recursion in virtual_output_callback() + * fix management interface not returning ERROR:/SUCCESS: response + on "signal SIGxxx" commands when in HOLD state + * tls-crypt-v2: abort connection if client-key is too short + * make man page agree with actual code on replay-window backtrag log message + * remove useless empty line from CR_RESPONSE message + +------------------------------------------------------------------- Old: ---- openvpn-2.5.7.tar.gz openvpn-2.5.7.tar.gz.asc New: ---- openvpn-2.5.8.tar.gz openvpn-2.5.8.tar.gz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ openvpn.spec ++++++ --- /var/tmp/diff_new_pack.7wsmKq/_old 2022-11-24 12:22:29.417015796 +0100 +++ /var/tmp/diff_new_pack.7wsmKq/_new 2022-11-24 12:22:29.421015821 +0100 
@@ -24,7 +24,7 @@ %define _rundir %{_localstatedir}/run %endif Name: openvpn -Version: 2.5.7 +Version: 2.5.8 Release: 0 Summary: Full-featured SSL VPN solution using a TUN/TAP Interface License: GPL-2.0-only WITH openvpn-openssl-exception ++++++ openvpn-2.5.7.tar.gz -> openvpn-2.5.8.tar.gz ++++++ ++++ 23803 lines of diff (skipped) ++++ retrying with extended exclude list diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/openvpn-2.5.7/ChangeLog new/openvpn-2.5.8/ChangeLog --- old/openvpn-2.5.7/ChangeLog 2022-05-24 10:48:20.000000000 +0200 +++ new/openvpn-2.5.8/ChangeLog 2022-10-28 10:40:27.000000000 +0200 
@@ -1,6 +1,39 @@ OpenVPN Change Log Copyright (C) 2002-2022 OpenVPN Inc <sa...@openvpn.net> +2022.10.27 -- Version 2.5.8 + +Antonio Quartulli (1): + tls-crypt-v2: bail out if the client key is too small + +Arne Schwabe (4): + Remove useless empty line from CR_RESPONSE message + Allow running a default configuration with TLS libraries without BF-CBC + Change command help to match man page and implementation + Fix OpenVPN querying user/password if auth-token with user expires + +Frank Lichtenheld (2): + t_client: Allow to force FAIL on prerequisite fails + t_client.sh: do not require fping6 + +Gert Doering (1): + Preparing release 2.5.8 + +Lev Stipakov (1): + msvc: add branch name and commit hash to version output + +Martin Janů (1): + Update the replay-window backtrack log message + +Selva Nair (5): + Do not skip ERROR:/SUCCESS: response from management interface + Fix auth-token usage with management-def-auth + Allow a few levels of recursion in virtual_output_callback() + Ensure --auth-nocache is handled during renegotiation + Purge auth-token as well while purging passwords + Do not copy auth_token username to itself + + 2022.05.24 -- Version 2.5.7 Antonio Quartulli (4): diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/openvpn-2.5.7/Changes.rst new/openvpn-2.5.8/Changes.rst --- old/openvpn-2.5.7/Changes.rst 2022-05-24 10:48:20.000000000 +0200 +++ new/openvpn-2.5.8/Changes.rst 2022-10-28 10:40:26.000000000 +0200 
@@ -1,3 +1,58 @@ +Overview of changes in 2.5.8 +============================ + +New features +------------ +- allow running a default configuration with TLS libraries without BF-CBC + (even if TLS cipher negotiation would not actually use BF-CBC, the + long-term compatibility "default cipher BF-CBC" would trigger an error + on such TLS libraries) + +User-visible Changes +-------------------- +- add git branch name + commit ID to OpenVPN version string on + MSVC builds (windows) + +Testing Enhancements +-------------------- +- t_client.sh: if fping is found and fping6 is not, assume we have + fping 4.0 and up, and call "fping -6" for IPv6 ping tests + +- t_client.sh: allow to force FAIL on prerequisite fails, so a CI + environment will no longer "silently skip" t_client runs if fping (etc) + can not be found, but will error out + +Bugfixes +-------- +- ``--auth-nocache'' was not always correctly clearing username+password + after a renegotiation + +- ensure that auth-token received from server is cleared if requested + by the management interface ("forget password" or automatically + via ``--management-forget-disconnect'') + +- in a setup without username+password, but with auth-token and + auth-token-username pushed by the server, OpenVPN would start asking + for username+password on token expiry. Fix. + +- using ``--auth-token`` together with ``--management-client-auth`` + (on the server) would lead to TLS keys getting out of sync and client + being disconnected. Fix. + +- management interface would sometimes get stuck if client and server + try to write something simultaneously. 
Fix by allowing a limited + level of recursion in virtual_output_callback() + +- fix management interface not returning ERROR:/SUCCESS: response + on "signal SIGxxx" commands when in HOLD state + +- tls-crypt-v2: abort connection if client-key is too short + +- make man page agree with actual code on replay-window backtrag log message + +- remove useless empty line from CR_RESPONSE message + + Overview of changes in 2.5.7 ============================ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/openvpn-2.5.7/build/msvc/msvc-generate/Makefile.mak new/openvpn-2.5.8/build/msvc/msvc-generate/Makefile.mak --- old/openvpn-2.5.7/build/msvc/msvc-generate/Makefile.mak 2022-05-24 10:48:18.000000000 +0200 +++ new/openvpn-2.5.8/build/msvc/msvc-generate/Makefile.mak 2022-10-28 10:40:26.000000000 +0200 
@@ -1,4 +1,27 @@ -# Copyright (C) 2008-2012 Alon Bar-Lev <alon.bar...@gmail.com> +# +# OpenVPN -- An application to securely tunnel IP networks +# over a single UDP port, with support for SSL/TLS-based +# session authentication and key exchange, +# packet encryption, packet authentication, and +# packet compression. +# +# Copyright (C) 2002-2022 OpenVPN Inc <sa...@openvpn.net> +# Copyright (C) 2008-2012 Alon Bar-Lev <alon.bar...@gmail.com> +# Copyright (C) 2022-2022 Lev Stipakov <l...@lestisoftware.fi> +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 +# as published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# CONFIG=$(SOLUTIONDIR)/version.m4 @@ -14,7 +37,9 @@ INPUT_MAN=$(SOLUTIONDIR)/doc/openvpn.8.rst OUTPUT_MAN=$(SOLUTIONDIR)/doc/openvpn.8.html -all: $(OUTPUT_MSVC_VER) $(OUTPUT_PLUGIN) $(OUTPUT_MAN) +OUTPUT_MSVC_GIT_CONFIG=$(SOLUTIONDIR)/config-version.h + +all: $(OUTPUT_MSVC_VER) $(OUTPUT_PLUGIN) $(OUTPUT_MAN) $(OUTPUT_MSVC_GIT_CONFIG) $(OUTPUT_MSVC_VER): $(INPUT_MSVC_VER) $(CONFIG) cscript //nologo msvc-generate.js --config="$(CONFIG)" --input="$(INPUT_MSVC_VER)" --output="$(OUTPUT_MSVC_VER)" 
@@ -28,8 +53,12 @@ $(OUTPUT_MAN): $(INPUT_MAN) -FOR /F %i IN ('where rst2html.py') DO python %i "$(INPUT_MAN)" "$(OUTPUT_MAN)" +$(OUTPUT_MSVC_GIT_CONFIG): + python git-version.py $(SOLUTIONDIR) + clean: -del "$(OUTPUT_MSVC_VER)" -del "$(OUTPUT_PLUGIN)" -del "$(OUTPUT_PLUGIN_CONFIG)" -del "$(OUTPUT_MAN)" + -del "$(OUTPUT_MSVC_GIT_CONFIG)" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/openvpn-2.5.7/build/msvc/msvc-generate/msvc-generate.vcxproj new/openvpn-2.5.8/build/msvc/msvc-generate/msvc-generate.vcxproj --- old/openvpn-2.5.7/build/msvc/msvc-generate/msvc-generate.vcxproj 2022-05-24 10:48:18.000000000 +0200 +++ new/openvpn-2.5.8/build/msvc/msvc-generate/msvc-generate.vcxproj 2022-10-28 10:40:26.000000000 +0200 @@ -150,7 +150,7 @@ </ItemDefinitionGroup> <ItemGroup> <None Include="Makefile.mak" /> - <None Include="msc-generate.js" /> + <None Include="msvc-generate.js" /> </ItemGroup> <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" /> <ImportGroup Label="ExtensionTargets"> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/openvpn-2.5.7/compile new/openvpn-2.5.8/compile --- old/openvpn-2.5.7/compile 2022-05-24 10:48:29.000000000 +0200 +++ new/openvpn-2.5.8/compile 2022-10-28 10:40:34.000000000 +0200 
@@ -3,7 +3,7 @@ scriptversion=2018-03-07.03; # UTC -# Copyright (C) 1999-2020 Free Software Foundation, Inc. +# Copyright (C) 1999-2021 Free Software Foundation, Inc. # Written by Tom Tromey <tro...@cygnus.com>. # # This program is free software; you can redistribute it and/or modify diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/openvpn-2.5.7/config-msvc.h new/openvpn-2.5.8/config-msvc.h --- old/openvpn-2.5.7/config-msvc.h 2022-05-24 10:48:20.000000000 +0200 +++ new/openvpn-2.5.8/config-msvc.h 2022-10-28 10:40:26.000000000 +0200 @@ -177,3 +177,5 @@ #define HAVE_INET_NTOP #define HAVE_INET_PTON #endif + +#define HAVE_CONFIG_VERSION_H 1 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/openvpn-2.5.7/config.h.in new/openvpn-2.5.8/config.h.in --- old/openvpn-2.5.7/config.h.in 2022-05-24 10:48:28.000000000 +0200 +++ new/openvpn-2.5.8/config.h.in 2022-10-28 10:40:34.000000000 +0200 @@ -373,12 +373,12 @@ /* Define to 1 if you have the `mbedtls_cipher_write_tag' function. */ #undef HAVE_MBEDTLS_CIPHER_WRITE_TAG -/* Define to 1 if you have the <memory.h> header file. */ -#undef HAVE_MEMORY_H - /* Define to 1 if you have the `memset' function. */ #undef HAVE_MEMSET +/* Define to 1 if you have the <minix/config.h> header file. */ +#undef HAVE_MINIX_CONFIG_H + /* Define to 1 if you have the `mlockall' function. */ #undef HAVE_MLOCKALL 
@@ -668,6 +668,9 @@ /* Define to 1 if you have the `vsnprintf' function. */ #undef HAVE_VSNPRINTF +/* Define to 1 if you have the <wchar.h> header file. */ +#undef HAVE_WCHAR_H + /* Define to 1 if you have the <windows.h> header file. */ #undef HAVE_WINDOWS_H @@ -785,7 +788,9 @@ /* The size of `unsigned long', as computed by sizeof. */ #undef SIZEOF_UNSIGNED_LONG -/* Define to 1 if you have the ANSI C header files. */ +/* Define to 1 if all of the C90 standard headers exist (not just the ones + required in a freestanding environment). This macro is provided for + backward compatibility; new code need not use it. */ #undef STDC_HEADERS /* Path to systemd-ask-password tool */ 
@@ -843,21 +848,87 @@ #ifndef _ALL_SOURCE # undef _ALL_SOURCE #endif +/* Enable general extensions on macOS. */ +#ifndef _DARWIN_C_SOURCE +# undef _DARWIN_C_SOURCE +#endif +/* Enable general extensions on Solaris. */ +#ifndef __EXTENSIONS__ +# undef __EXTENSIONS__ +#endif /* Enable GNU extensions on systems that have them. */ #ifndef _GNU_SOURCE # undef _GNU_SOURCE #endif -/* Enable threading extensions on Solaris. */ +/* Enable X/Open compliant socket functions that do not require linking + with -lxnet on HP-UX 11.11. */ +#ifndef _HPUX_ALT_XOPEN_SOCKET_API +# undef _HPUX_ALT_XOPEN_SOCKET_API +#endif +/* Identify the host operating system as Minix. + This macro does not affect the system headers' behavior. + A future release of Autoconf may stop defining this macro. */ +#ifndef _MINIX +# undef _MINIX +#endif +/* Enable general extensions on NetBSD. + Enable NetBSD compatibility extensions on Minix. */ +#ifndef _NETBSD_SOURCE +# undef _NETBSD_SOURCE +#endif +/* Enable OpenBSD compatibility extensions on NetBSD. + Oddly enough, this does nothing on OpenBSD. */ +#ifndef _OPENBSD_SOURCE +# undef _OPENBSD_SOURCE +#endif +/* Define to 1 if needed for POSIX-compatible behavior. */ +#ifndef _POSIX_SOURCE +# undef _POSIX_SOURCE +#endif +/* Define to 2 if needed for POSIX-compatible behavior. */ +#ifndef _POSIX_1_SOURCE +# undef _POSIX_1_SOURCE +#endif +/* Enable POSIX-compatible threading on Solaris. */ #ifndef _POSIX_PTHREAD_SEMANTICS # undef _POSIX_PTHREAD_SEMANTICS #endif +/* Enable extensions specified by ISO/IEC TS 18661-5:2014. */ +#ifndef __STDC_WANT_IEC_60559_ATTRIBS_EXT__ +# undef __STDC_WANT_IEC_60559_ATTRIBS_EXT__ +#endif +/* Enable extensions specified by ISO/IEC TS 18661-1:2014. */ +#ifndef __STDC_WANT_IEC_60559_BFP_EXT__ +# undef __STDC_WANT_IEC_60559_BFP_EXT__ +#endif +/* Enable extensions specified by ISO/IEC TS 18661-2:2015. 
*/ +#ifndef __STDC_WANT_IEC_60559_DFP_EXT__ +# undef __STDC_WANT_IEC_60559_DFP_EXT__ +#endif +/* Enable extensions specified by ISO/IEC TS 18661-4:2015. */ +#ifndef __STDC_WANT_IEC_60559_FUNCS_EXT__ +# undef __STDC_WANT_IEC_60559_FUNCS_EXT__ +#endif +/* Enable extensions specified by ISO/IEC TS 18661-3:2015. */ +#ifndef __STDC_WANT_IEC_60559_TYPES_EXT__ +# undef __STDC_WANT_IEC_60559_TYPES_EXT__ +#endif +/* Enable extensions specified by ISO/IEC TR 24731-2:2010. */ +#ifndef __STDC_WANT_LIB_EXT2__ +# undef __STDC_WANT_LIB_EXT2__ +#endif +/* Enable extensions specified by ISO/IEC 24747:2009. */ +#ifndef __STDC_WANT_MATH_SPEC_FUNCS__ +# undef __STDC_WANT_MATH_SPEC_FUNCS__ +#endif /* Enable extensions on HP NonStop. */ #ifndef _TANDEM_SOURCE # undef _TANDEM_SOURCE #endif -/* Enable general extensions on Solaris. */ -#ifndef __EXTENSIONS__ -# undef __EXTENSIONS__ +/* Enable X/Open extensions. Define to 500 only if necessary + to make mbstate_t available. */ +#ifndef _XOPEN_SOURCE +# undef _XOPEN_SOURCE #endif @@ -867,16 +938,6 @@ /* Version number of package */ #undef VERSION -/* Define to 1 if on MINIX. */ -#undef _MINIX - -/* Define to 2 if the system does not provide POSIX.1 features except with - this defined. */ -#undef _POSIX_1_SOURCE - -/* Define to 1 if you need to in order for `stat' and other things to work. */ -#undef _POSIX_SOURCE - /* Define for Solaris 2.5.1 so the uint32_t typedef from <sys/synch.h>, <pthread.h>, or <semaphore.h> is not used. If the typedef were allowed, the #define below would cause a syntax error. */ 
@@ -929,7 +990,7 @@ /* Define to `long int' if <sys/types.h> does not define. */ #undef off_t -/* Define to `int' if <sys/types.h> does not define. */ +/* Define as a signed integer type capable of holding a process identifier. */ #undef pid_t /* Define to `unsigned int' if <sys/types.h> does not define. */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/openvpn-2.5.7/doc/man-sections/link-options.rst new/openvpn-2.5.8/doc/man-sections/link-options.rst --- old/openvpn-2.5.7/doc/man-sections/link-options.rst 2022-05-24 10:48:20.000000000 +0200 +++ new/openvpn-2.5.8/doc/man-sections/link-options.rst 2022-10-28 10:40:26.000000000 +0200 @@ -330,7 +330,7 @@ value for ``n``. Satellite links in particular often require this. If you run OpenVPN at ``--verb 4``, you will see the message - "Replay-window backtrack occurred [x]" every time the maximum sequence + "PID_ERR replay-window backtrack occurred [x]" every time the maximum sequence number backtrack seen thus far increases. This can be used to calibrate ``n``. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/openvpn-2.5.7/doc/openvpn.8 new/openvpn-2.5.8/doc/openvpn.8 --- old/openvpn-2.5.7/doc/openvpn.8 2022-05-24 10:48:46.000000000 +0200 +++ new/openvpn-2.5.8/doc/openvpn.8 2022-10-28 10:40:46.000000000 +0200 
@@ -4154,7 +4154,7 @@ value for \fBn\fP\&. Satellite links in particular often require this. .sp If you run OpenVPN at \fB\-\-verb 4\fP, you will see the message -"Replay\-window backtrack occurred [x]" every time the maximum sequence +"PID_ERR replay\-window backtrack occurred [x]" every time the maximum sequence number backtrack seen thus far increases. This can be used to calibrate \fBn\fP\&. .sp diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/openvpn-2.5.7/doc/openvpn.8.html new/openvpn-2.5.8/doc/openvpn.8.html --- old/openvpn-2.5.7/doc/openvpn.8.html 2022-05-24 10:48:45.000000000 +0200 +++ new/openvpn-2.5.8/doc/openvpn.8.html 2022-10-28 10:40:45.000000000 +0200 
@@ -3732,7 +3732,7 @@ product of bandwidth and latency is high), you may want to use a larger value for <tt class="docutils literal">n</tt>. Satellite links in particular often require this.</p> <p>If you run OpenVPN at <tt class="docutils literal"><span class="pre">--verb</span> 4</tt>, you will see the message -"Replay-window backtrack occurred [x]" every time the maximum sequence +"PID_ERR replay-window backtrack occurred [x]" every time the maximum sequence number backtrack seen thus far increases. This can be used to calibrate <tt class="docutils literal">n</tt>.</p> <p>There is some controversy on the appropriate method of handling packet diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/openvpn-2.5.7/include/openvpn-plugin.h new/openvpn-2.5.8/include/openvpn-plugin.h --- old/openvpn-2.5.7/include/openvpn-plugin.h 2022-05-24 10:48:42.000000000 +0200 +++ new/openvpn-2.5.8/include/openvpn-plugin.h 2022-10-28 10:40:43.000000000 +0200 @@ -53,7 +53,7 @@ */ #define OPENVPN_VERSION_MAJOR 2 #define OPENVPN_VERSION_MINOR 5 -#define OPENVPN_VERSION_PATCH ".7" +#define OPENVPN_VERSION_PATCH ".8" /* * Plug-in types. These types correspond to the set of script callbacks diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/openvpn-2.5.7/m4/libtool.m4 new/openvpn-2.5.8/m4/libtool.m4 --- old/openvpn-2.5.7/m4/libtool.m4 2022-05-24 10:48:25.000000000 +0200 +++ new/openvpn-2.5.8/m4/libtool.m4 2022-10-28 10:40:31.000000000 +0200 
@@ -728,7 +728,6 @@ cat <<_LT_EOF >> "$cfgfile" #! $SHELL # Generated automatically by $as_me ($PACKAGE) $VERSION -# Libtool was configured on host `(hostname || uname -n) 2>/dev/null | sed 1q`: # NOTE: Changes made to this file will be lost: look at ltmain.sh. # Provide generalized library-building support services. @@ -1042,8 +1041,8 @@ _LT_EOF echo "$LTCC $LTCFLAGS -c -o conftest.o conftest.c" >&AS_MESSAGE_LOG_FD $LTCC $LTCFLAGS -c -o conftest.o conftest.c 2>&AS_MESSAGE_LOG_FD - echo "$AR cru libconftest.a conftest.o" >&AS_MESSAGE_LOG_FD - $AR cru libconftest.a conftest.o 2>&AS_MESSAGE_LOG_FD + echo "$AR cr libconftest.a conftest.o" >&AS_MESSAGE_LOG_FD + $AR cr libconftest.a conftest.o 2>&AS_MESSAGE_LOG_FD echo "$RANLIB libconftest.a" >&AS_MESSAGE_LOG_FD $RANLIB libconftest.a 2>&AS_MESSAGE_LOG_FD cat > conftest.c << _LT_EOF @@ -1072,11 +1071,11 @@ # to the OS version, if on x86, and 10.4, the deployment # target defaults to 10.4. Don't you love it? case ${MACOSX_DEPLOYMENT_TARGET-10.0},$host in - 10.0,*86*-darwin8*|10.0,*-darwin[[91]]*) + 10.0,*86*-darwin8*|10.0,*-darwin[[912]]*) _lt_dar_allow_undefined='$wl-undefined ${wl}dynamic_lookup' ;; 10.[[012]][[,.]]*) _lt_dar_allow_undefined='$wl-flat_namespace $wl-undefined ${wl}suppress' ;; - 10.*) + 10.*|11.*) _lt_dar_allow_undefined='$wl-undefined ${wl}dynamic_lookup' ;; esac ;; @@ -1493,7 +1492,7 @@ m4_defun([_LT_PROG_AR], [AC_CHECK_TOOLS(AR, [ar], false) : ${AR=ar} -: ${AR_FLAGS=cru} +: ${AR_FLAGS=cr} _LT_DECL([], [AR], [1], [The archiver]) _LT_DECL([], [AR_FLAGS], [1], [Flags to create an archive]) @@ -2867,9 +2866,6 @@ # before this can be enabled. hardcode_into_libs=yes - # Add ABI-specific directories to the system library path. - sys_lib_dlsearch_path_spec="/lib64 /usr/lib64 /lib /usr/lib" - # Ideally, we could use ldconfig to report *all* directores which are # searched for libraries, however this is still not possible. Aside from not # being certain /sbin/ldconfig is available, command 
@@ -2878,7 +2874,7 @@ # appending ld.so.conf contents (and includes) to the search path. if test -f /etc/ld.so.conf; then lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \[$]2)); skip = 1; } { if (!skip) print \[$]0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ ]*hwcap[ ]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;s/"//g;/^$/d' | tr '\n' ' '` - sys_lib_dlsearch_path_spec="$sys_lib_dlsearch_path_spec $lt_ld_extra" + sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra" fi # We used to test for /lib/ld.so.1 and disable shared libraries on @@ -2890,6 +2886,18 @@ dynamic_linker='GNU/Linux ld.so' ;; +netbsdelf*-gnu) + version_type=linux + need_lib_prefix=no + need_version=no + library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}' + soname_spec='${libname}${release}${shared_ext}$major' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no + hardcode_into_libs=yes + dynamic_linker='NetBSD ld.elf_so' + ;; + netbsd*) version_type=sunos need_lib_prefix=no @@ -3549,7 +3557,7 @@ lt_cv_deplibs_check_method=pass_all ;; -netbsd*) +netbsd* | netbsdelf*-gnu) if echo __ELF__ | $CC -E - | $GREP __ELF__ > /dev/null; then lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so\.[[0-9]]+\.[[0-9]]+|_pic\.a)$' else @@ -4055,7 +4063,8 @@ if AC_TRY_EVAL(ac_compile); then # Now try to grab the symbols. nlist=conftest.nm - if AC_TRY_EVAL(NM conftest.$ac_objext \| "$lt_cv_sys_global_symbol_pipe" \> $nlist) && test -s "$nlist"; then + $ECHO "$as_me:$LINENO: $NM conftest.$ac_objext | $lt_cv_sys_global_symbol_pipe > $nlist" >&AS_MESSAGE_LOG_FD + if eval "$NM" conftest.$ac_objext \| "$lt_cv_sys_global_symbol_pipe" \> $nlist 2>&AS_MESSAGE_LOG_FD && test -s "$nlist"; then # Try sorting and uniquifying the output. if sort "$nlist" | uniq > "$nlist"T; then mv -f "$nlist"T "$nlist" 
@@ -4427,7 +4436,7 @@ ;; esac ;; - netbsd*) + netbsd* | netbsdelf*-gnu) ;; *qnx* | *nto*) # QNX uses GNU C++, but need to define -shared option too, otherwise @@ -4695,6 +4704,12 @@ _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC' _LT_TAGVAR(lt_prog_compiler_static, $1)='-static' ;; + # flang / f18. f95 an alias for gfortran or flang on Debian + flang* | f18* | f95*) + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-static' + ;; # icc used to be incompatible with GCC. # ICC 10 doesn't accept -KPIC any more. icc* | ifort*) @@ -4939,6 +4954,9 @@ ;; esac ;; + linux* | k*bsd*-gnu | gnu*) + _LT_TAGVAR(link_all_deplibs, $1)=no + ;; *) _LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols' ;; @@ -5001,6 +5019,9 @@ openbsd* | bitrig*) with_gnu_ld=no ;; + linux* | k*bsd*-gnu | gnu*) + _LT_TAGVAR(link_all_deplibs, $1)=no + ;; esac _LT_TAGVAR(ld_shlibs, $1)=yes @@ -5255,7 +5276,7 @@ fi ;; - netbsd*) + netbsd* | netbsdelf*-gnu) if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then _LT_TAGVAR(archive_cmds, $1)='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib' wlarc= 
@@ -5776,6 +5797,7 @@ if test yes = "$lt_cv_irix_exported_symbol"; then _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags $wl-soname $wl$soname `test -n "$verstring" && func_echo_all "$wl-set_version $wl$verstring"` $wl-update_registry $wl$output_objdir/so_locations $wl-exports_file $wl$export_symbols -o $lib' fi + _LT_TAGVAR(link_all_deplibs, $1)=no else _LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry $output_objdir/so_locations -o $lib' _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry $output_objdir/so_locations -exports_file $export_symbols -o $lib' @@ -5797,7 +5819,7 @@ esac ;; - netbsd*) + netbsd* | netbsdelf*-gnu) if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then _LT_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags' # a.out else @@ -6423,7 +6445,7 @@ # Commands to make compiler produce verbose output that lists # what "hidden" libraries, object files and flags are used when # linking a shared library. - output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP "\-L"' + output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP " \-L"' else GXX=no 
@@ -6798,7 +6820,7 @@ # explicitly linking system object files so we need to strip them # from the output so that they don't get included in the library # dependencies. - output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | $EGREP "\-L"`; list= ; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; func_echo_all "$list"' + output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | $EGREP " \-L"`; list= ; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; func_echo_all "$list"' ;; *) if test yes = "$GXX"; then @@ -6863,7 +6885,7 @@ # explicitly linking system object files so we need to strip them # from the output so that they don't get included in the library # dependencies. - output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | $GREP "\-L"`; list= ; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; func_echo_all "$list"' + output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | $GREP " \-L"`; list= ; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; func_echo_all "$list"' ;; *) if test yes = "$GXX"; then @@ -7202,7 +7224,7 @@ # Commands to make compiler produce verbose output that lists # what "hidden" libraries, object files and flags are used when # linking a shared library. - output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP "\-L"' + output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP " \-L"' else # FIXME: insert proper C++ library support 
@@ -7286,7 +7308,7 @@ # Commands to make compiler produce verbose output that lists # what "hidden" libraries, object files and flags are used when # linking a shared library. - output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP "\-L"' + output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP " \-L"' else # g++ 2.7 appears to require '-G' NOT '-shared' on this # platform. @@ -7297,7 +7319,7 @@ # Commands to make compiler produce verbose output that lists # what "hidden" libraries, object files and flags are used when # linking a shared library. - output_verbose_link_cmd='$CC -G $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP "\-L"' + output_verbose_link_cmd='$CC -G $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP " \-L"' fi _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='$wl-R $wl$libdir' diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/openvpn-2.5.7/missing new/openvpn-2.5.8/missing --- old/openvpn-2.5.7/missing 2022-05-24 10:48:29.000000000 +0200 +++ new/openvpn-2.5.8/missing 2022-10-28 10:40:34.000000000 +0200 
@@ -3,7 +3,7 @@ scriptversion=2018-03-07.03; # UTC -# Copyright (C) 1996-2020 Free Software Foundation, Inc. +# Copyright (C) 1996-2021 Free Software Foundation, Inc. # Originally written by Fran,cois Pinard <pin...@iro.umontreal.ca>, 1996. # This program is free software; you can redistribute it and/or modify diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/openvpn-2.5.7/sample/sample-plugins/Makefile new/openvpn-2.5.8/sample/sample-plugins/Makefile --- old/openvpn-2.5.7/sample/sample-plugins/Makefile 2022-05-24 10:48:42.000000000 +0200 +++ new/openvpn-2.5.8/sample/sample-plugins/Makefile 2022-10-28 10:40:43.000000000 +0200 @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.16.2 from Makefile.am. +# Makefile.in generated by automake 1.16.5 from Makefile.am. # sample/sample-plugins/Makefile. Generated from Makefile.in by configure. -# Copyright (C) 1994-2020 Free Software Foundation, Inc. +# Copyright (C) 1994-2021 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, 
@@ -142,22 +142,24 @@ am__DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.plugins \ README DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) -ACLOCAL = ${SHELL} /home/samuli/opt/openvpninc/openvpn-release-scripts/release/openvpn/missing aclocal-1.16 +ACLOCAL = ${SHELL} '/home/flichtenheld/openvpn/community/openvpn-release-scripts/release/openvpn/missing' aclocal-1.16 AMTAR = $${TAR-tar} AM_DEFAULT_VERBOSITY = 1 AR = ar AS = as -AUTOCONF = ${SHELL} /home/samuli/opt/openvpninc/openvpn-release-scripts/release/openvpn/missing autoconf -AUTOHEADER = ${SHELL} /home/samuli/opt/openvpninc/openvpn-release-scripts/release/openvpn/missing autoheader -AUTOMAKE = ${SHELL} /home/samuli/opt/openvpninc/openvpn-release-scripts/release/openvpn/missing automake-1.16 +AUTOCONF = ${SHELL} '/home/flichtenheld/openvpn/community/openvpn-release-scripts/release/openvpn/missing' autoconf +AUTOHEADER = ${SHELL} '/home/flichtenheld/openvpn/community/openvpn-release-scripts/release/openvpn/missing' autoheader +AUTOMAKE = ${SHELL} '/home/flichtenheld/openvpn/community/openvpn-release-scripts/release/openvpn/missing' automake-1.16 AWK = gawk CC = gcc CCDEPMODE = depmode=gcc3 CFLAGS = -Wall -Wno-stringop-truncation -g -O2 -std=c99 CMOCKA_CFLAGS = -CMOCKA_LIBS = +CMOCKA_LIBS = -lcmocka CPP = gcc -E CPPFLAGS = +CSCOPE = cscope +CTAGS = ctags CYGPATH_W = echo DEFS = -DHAVE_CONFIG_H DEPDIR = .deps @@ -170,6 +172,7 @@ ECHO_T = EGREP = /usr/bin/grep -E ENABLE_UNITTESTS = +ETAGS = etags EXEEXT = FGREP = /usr/bin/grep -F GIT = git @@ -193,10 +196,10 @@ LTLIBOBJS = LT_SYS_LIBRARY_PATH = LZ4_CFLAGS = -LZ4_LIBS = -llz4 +LZ4_LIBS = -llz4 LZO_CFLAGS = LZO_LIBS = -llzo2 -MAKEINFO = ${SHELL} /home/samuli/opt/openvpninc/openvpn-release-scripts/release/openvpn/missing makeinfo +MAKEINFO = ${SHELL} '/home/flichtenheld/openvpn/community/openvpn-release-scripts/release/openvpn/missing' makeinfo MANIFEST_TOOL = : MBEDTLS_CFLAGS = MBEDTLS_LIBS = 
@@ -207,17 +210,17 @@ OBJDUMP = objdump OBJEXT = o OPENSSL_CFLAGS = -OPENSSL_LIBS = -lssl -lcrypto +OPENSSL_LIBS = -lssl -lcrypto OPENVPN_VERSION_MAJOR = 2 OPENVPN_VERSION_MINOR = 5 -OPENVPN_VERSION_PATCH = .7 +OPENVPN_VERSION_PATCH = .8 OPTIONAL_CRYPTO_CFLAGS = -OPTIONAL_CRYPTO_LIBS = -lssl -lcrypto +OPTIONAL_CRYPTO_LIBS = -lssl -lcrypto OPTIONAL_DL_LIBS = -ldl OPTIONAL_INOTIFY_CFLAGS = OPTIONAL_INOTIFY_LIBS = OPTIONAL_LZ4_CFLAGS = -OPTIONAL_LZ4_LIBS = -llz4 +OPTIONAL_LZ4_LIBS = -llz4 OPTIONAL_LZO_CFLAGS = OPTIONAL_LZO_LIBS = -llzo2 OPTIONAL_PKCS11_HELPER_CFLAGS = @@ -231,10 +234,10 @@ PACKAGE = openvpn PACKAGE_BUGREPORT = openvpn-us...@lists.sourceforge.net PACKAGE_NAME = OpenVPN -PACKAGE_STRING = OpenVPN 2.5.7 +PACKAGE_STRING = OpenVPN 2.5.8 PACKAGE_TARNAME = openvpn PACKAGE_URL = -PACKAGE_VERSION = 2.5.7 +PACKAGE_VERSION = 2.5.8 PATH_SEPARATOR = : PKCS11_HELPER_CFLAGS = PKCS11_HELPER_LIBS = @@ -252,8 +255,8 @@ SED = /usr/bin/sed SELINUX_LIBS = -lselinux SET_MAKE = -SHELL = /bin/sh -SOCKETS_LIBS = -lresolv +SHELL = /bin/bash +SOCKETS_LIBS = -lnsl -lresolv STRIP = strip SYSTEMD_ASK_PASSWORD = /usr/bin/systemd-ask-password SYSTEMD_UNIT_DIR = 
@@ -262,13 +265,13 @@ TAP_WIN_MIN_MAJOR = 9 TAP_WIN_MIN_MINOR = 9 TEST_CFLAGS = -I$(top_srcdir)/include -TEST_LDFLAGS = -lssl -lcrypto -llzo2 +TEST_LDFLAGS = -lssl -lcrypto -llzo2 -lcmocka TMPFILES_DIR = -VERSION = 2.5.7 -abs_builddir = /home/samuli/opt/openvpninc/openvpn-release-scripts/release/openvpn/sample/sample-plugins -abs_srcdir = /home/samuli/opt/openvpninc/openvpn-release-scripts/release/openvpn/sample/sample-plugins -abs_top_builddir = /home/samuli/opt/openvpninc/openvpn-release-scripts/release/openvpn -abs_top_srcdir = /home/samuli/opt/openvpninc/openvpn-release-scripts/release/openvpn +VERSION = 2.5.8 +abs_builddir = /home/flichtenheld/openvpn/community/openvpn-release-scripts/release/openvpn/sample/sample-plugins +abs_srcdir = /home/flichtenheld/openvpn/community/openvpn-release-scripts/release/openvpn/sample/sample-plugins +abs_top_builddir = /home/flichtenheld/openvpn/community/openvpn-release-scripts/release/openvpn +abs_top_srcdir = /home/flichtenheld/openvpn/community/openvpn-release-scripts/release/openvpn ac_ct_AR = ar ac_ct_CC = gcc ac_ct_DUMPBIN = @@ -297,7 +300,7 @@ htmldir = ${docdir} includedir = ${prefix}/include infodir = ${datarootdir}/info -install_sh = ${SHELL} /home/samuli/opt/openvpninc/openvpn-release-scripts/release/openvpn/install-sh +install_sh = ${SHELL} /home/flichtenheld/openvpn/community/openvpn-release-scripts/release/openvpn/install-sh libdir = ${exec_prefix}/lib libexecdir = ${exec_prefix}/libexec libsystemd_CFLAGS = 
@@ -389,7 +392,6 @@ cscope cscopelist: - distdir: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) distdir-am diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/openvpn-2.5.7/src/openvpn/auth_token.c new/openvpn-2.5.8/src/openvpn/auth_token.c --- old/openvpn-2.5.7/src/openvpn/auth_token.c 2022-05-24 10:48:20.000000000 +0200 +++ new/openvpn-2.5.8/src/openvpn/auth_token.c 2022-10-28 10:40:26.000000000 +0200 @@ -349,8 +349,8 @@ return 0; } - /* Accept session tokens that not expired are in the acceptable range - * for renogiations */ + /* Accept session tokens only if their timestamp is in the acceptable range + * for renegotiations */ bool in_renog_time = now >= timestamp && now < timestamp + 2 * session->opt->renegotiate_seconds; 
@@ -362,13 +362,15 @@ if (!in_renog_time && !initialtoken) { + msg(M_WARN, "Timestamp (%" PRIu64 ") of auth-token is out of the renegotiation window", + timestamp); ret |= AUTH_TOKEN_EXPIRED; } /* Sanity check the initial timestamp */ if (timestamp < timestamp_initial) { - msg(M_WARN, "Initial timestamp (%" PRIu64 " in token from client earlier than " + msg(M_WARN, "Initial timestamp (%" PRIu64 ") in token from client earlier than " "current timestamp %" PRIu64 ". Broken/unsynchronised clock?", timestamp_initial, timestamp); ret |= AUTH_TOKEN_EXPIRED; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/openvpn-2.5.7/src/openvpn/crypto_backend.h new/openvpn-2.5.8/src/openvpn/crypto_backend.h --- old/openvpn-2.5.7/src/openvpn/crypto_backend.h 2022-05-24 10:48:20.000000000 +0200 +++ new/openvpn-2.5.8/src/openvpn/crypto_backend.h 2022-10-28 10:40:26.000000000 +0200 @@ -256,6 +256,8 @@ * The returned name is normalised to the OpenVPN config name in case the * name differs from the name used by the crypto library. * + * Returns [null-cipher] in case the cipher_kt is NULL. + * * @param cipher_kt Static cipher parameters * * @return a statically allocated string describing the cipher. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/openvpn-2.5.7/src/openvpn/init.c new/openvpn-2.5.8/src/openvpn/init.c --- old/openvpn-2.5.7/src/openvpn/init.c 2022-05-24 10:48:20.000000000 +0200 +++ new/openvpn-2.5.8/src/openvpn/init.c 2022-10-28 10:40:26.000000000 +0200 
@@ -596,6 +596,7 @@ /* Auth user/pass input */ if (c->options.auth_user_pass_file) { + enable_auth_user_pass(); #ifdef ENABLE_MANAGEMENT auth_user_pass_setup(c->options.auth_user_pass_file, &c->options.sc_info); #else @@ -1596,19 +1597,6 @@ /* If we delayed UID/GID downgrade or chroot, do it now */ do_uid_gid_chroot(c, true); - - /* - * In some cases (i.e. when receiving auth-token via - * push-reply) the auth-nocache option configured on the - * client is overridden; for this reason we have to wait - * for the push-reply message before attempting to wipe - * the user/pass entered by the user - */ - if (c->options.mode == MODE_POINT_TO_POINT) - { - ssl_clean_user_pass(); - } - /* Test if errors */ if (flags & ISC_ERRORS) { 
@@ -2764,14 +2752,35 @@ #endif /* if P2MP */ } - /* Do not warn if we only have BF-CBC in options->ciphername - * because it is still the default cipher */ - bool warn = !streq(options->ciphername, "BF-CBC") - || options->enable_ncp_fallback; - /* Get cipher & hash algorithms */ - init_key_type(&c->c1.ks.key_type, options->ciphername, options->authname, - options->keysize, true, warn); - + /* + * BF-CBC is allowed to be used only when explicitly configured + * as NCP-fallback or when NCP has been disabled or explicitly + * allowed in the in ncp_ciphers list. + * In all other cases do not attempt to initialize BF-CBC as it + * may not even be supported by the underlying SSL library. + * + * Therefore, the key structure has to be initialized when: + * - any non-BF-CBC cipher was selected; or + * - BF-CBC is selected and NCP is disabled (explicit request to + * use the BF-CBC cipher); or + * - BF-CBC is selected, NCP is enabled and fallback is enabled + * (BF-CBC will be the fallback). + * - BF-CBC is in data-ciphers and we negotiate to use BF-CBC: + * If the negotiated cipher and options->ciphername are the + * same we do not reinit the cipher + * + * Note that BF-CBC will still be part of the OCC string to retain + * backwards compatibility with older clients. 
+ */ + if (!streq(options->ciphername, "BF-CBC") || !options->ncp_enabled + || (options->ncp_enabled && tls_item_in_cipher_list("BF-CBC", options->ncp_ciphers)) + || options->enable_ncp_fallback) + { + /* Do not warn if the if the cipher is used only in OCC */ + bool warn = !options->ncp_enabled || options->enable_ncp_fallback; + init_key_type(&c->c1.ks.key_type, options->ciphername, options->authname, + options->keysize, true, warn); + } /* Initialize PRNG with config-specified digest */ prng_init(options->prng_hash, options->prng_nonce_secret_len); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/openvpn-2.5.7/src/openvpn/manage.c new/openvpn-2.5.8/src/openvpn/manage.c --- old/openvpn-2.5.7/src/openvpn/manage.c 2022-05-24 10:48:20.000000000 +0200 +++ new/openvpn-2.5.8/src/openvpn/manage.c 2022-10-28 10:40:26.000000000 +0200 @@ -314,8 +314,7 @@ #define AF_DID_PUSH (1<<0) #define AF_DID_RESET (1<<1) - - if (!recursive_level) /* don't allow recursion */ + if (recursive_level < 5) /* limit recursion */ { struct gc_arena gc = gc_new(); struct log_entry e; @@ -382,6 +381,12 @@ --recursive_level; } + else + { + /* cannot use msg here */ + printf("virtual_output: message to management interface " + "dropped due to recursion: <%s>\n", str); + } } /* @@ -428,14 +433,11 @@ } else { + msg(M_CLIENT, "ERROR: signal '%s' is currently ignored", name); if (man->persist.special_state_msg) { msg(M_CLIENT, "%s", man->persist.special_state_msg); } - else - { - msg(M_CLIENT, "ERROR: signal '%s' is currently ignored", name); - } } } else @@ -766,6 +768,7 @@ man_forget_passwords(struct management *man) { ssl_purge_auth(false); + (void)ssl_clean_auth_token(); msg(M_CLIENT, "SUCCESS: Passwords were forgotten"); } 
@@ -2005,6 +2008,7 @@ if (man->settings.flags & MF_FORGET_DISCONNECT) { ssl_purge_auth(false); + (void)ssl_clean_auth_token(); } if (man->settings.flags & MF_SIGNAL) @@ -2970,17 +2974,14 @@ { gc = gc_new(); - struct buffer out = alloc_buf_gc(256, &gc); msg(M_CLIENT, ">CLIENT:CR_RESPONSE,%lu,%u,%s", mdac->cid, mda_key_id, response); man_output_extra_env(management, "CLIENT"); - if (management->connection.env_filter_level>0) + if (management->connection.env_filter_level > 0) { man_output_peer_info_env(management, mdac); } man_output_env(es, true, management->connection.env_filter_level, "CLIENT"); - management_notify_generic(management, BSTR(&out)); - gc_free(&gc); } } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/openvpn-2.5.7/src/openvpn/misc.c new/openvpn-2.5.8/src/openvpn/misc.c --- old/openvpn-2.5.7/src/openvpn/misc.c 2022-05-24 10:48:20.000000000 +0200 +++ new/openvpn-2.5.8/src/openvpn/misc.c 2022-10-28 10:40:26.000000000 +0200 
@@ -519,19 +519,13 @@ * --auth-token has no username, so it needs the username * either already set or copied from up, or later set by * --auth-token-user - * - * Do not overwrite the username if already set to avoid - * overwriting an username set by --auth-token-user + * If already set, tk is fully defined. */ - if (up->defined && !tk->defined) + if (strlen(tk->username)) { - strncpynt(tk->username, up->username, USER_PASS_LEN); tk->defined = true; } } - - /* Cleans user/pass for nocache */ - purge_user_pass(up, false); } void diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/openvpn-2.5.7/src/openvpn/options.c new/openvpn-2.5.8/src/openvpn/options.c --- old/openvpn-2.5.7/src/openvpn/options.c 2022-05-24 10:48:20.000000000 +0200 +++ new/openvpn-2.5.8/src/openvpn/options.c 2022-10-28 10:40:26.000000000 +0200 @@ -198,7 +198,7 @@ " is established. Multiple routes can be specified.\n" " netmask default: 255.255.255.255\n" " gateway default: taken from --route-gateway or --ifconfig\n" - " Specify default by leaving blank or setting to \"nil\".\n" + " Specify default by leaving blank or setting to \"default\".\n" "--route-ipv6 network/bits [gateway] [metric] :\n" " Add IPv6 route to routing table after connection\n" " is established. Multiple routes can be specified.\n" @@ -1135,7 +1135,7 @@ #ifndef ENABLE_SMALL static void -show_dhcp_option_list(const char *name, const char * const*array, int len) +show_dhcp_option_list(const char *name, const char *const *array, int len) { int i; for (i = 0; i < len; ++i) 
@@ -2288,7 +2288,7 @@ if (options->mode == MODE_SERVER) { #define USAGE_VALID_SERVER_PROTOS "--mode server currently only supports " \ - "--proto values of udp, tcp-server, tcp4-server, or tcp6-server" + "--proto values of udp, tcp-server, tcp4-server, or tcp6-server" #ifdef TARGET_ANDROID msg(M_FATAL, "--mode server not supported on Android"); #endif @@ -3103,7 +3103,7 @@ if (!o->ncp_enabled) { msg(M_USAGE, "--ncp-disable needs an explicit --cipher or " - "--data-ciphers-fallback config option"); + "--data-ciphers-fallback config option"); } msg(M_WARN, "--cipher is not set. Previous OpenVPN version defaulted to " @@ -3681,9 +3681,30 @@ { struct frame fake_frame = *frame; struct key_type fake_kt; - init_key_type(&fake_kt, o->ciphername, o->authname, o->keysize, true, - false); + frame_remove_from_extra_frame(&fake_frame, crypto_max_overhead()); + + + /* o->ciphername might be BF-CBC even though the underlying SSL library + * does not support it. For this reason we workaround this corner case + * by pretending to have no encryption enabled and by manually adding + * the required packet overhead to the MTU computation. + */ + const char *ciphername = o->ciphername; + + if (strcmp(o->ciphername, "BF-CBC") == 0) + { + /* none has no overhead, so use this to later add only --auth + * overhead */ + + /* overhead of BF-CBC: 64 bit block size, 64 bit IV size */ + frame_add_to_extra_frame(&fake_frame, 64/8 + 64/8); + ciphername = "none"; + } + + init_key_type(&fake_kt, ciphername, o->authname, o->keysize, true, + false); + crypto_adjust_frame_parameters(&fake_frame, &fake_kt, o->replay, cipher_kt_mode_ofb_cfb(fake_kt.cipher)); frame_finalize(&fake_frame, o->ce.link_mtu_defined, o->ce.link_mtu, 
@@ -3853,18 +3874,33 @@ + (TLS_SERVER == true) <= 1); - init_key_type(&kt, o->ciphername, o->authname, o->keysize, true, - false); + /* Skip resolving BF-CBC to allow SSL libraries without BF-CBC + * to work here in the default configuration */ + const char *ciphername = o->ciphername; + int keysize; + + if (strcmp(o->ciphername, "BF-CBC") == 0) + { + init_key_type(&kt, "none", o->authname, o->keysize, true, + false); + keysize = 128; + } + else + { + init_key_type(&kt, o->ciphername, o->authname, o->keysize, true, + false); + ciphername = cipher_kt_name(kt.cipher); + keysize = kt.cipher_length * 8; + } /* Only announce the cipher to our peer if we are willing to * support it */ - const char *ciphername = cipher_kt_name(kt.cipher); if (p2p_nopull || !o->ncp_enabled || tls_item_in_cipher_list(ciphername, o->ncp_ciphers)) { buf_printf(&out, ",cipher %s", ciphername); } buf_printf(&out, ",auth %s", md_kt_name(kt.digest)); - buf_printf(&out, ",keysize %d", kt.cipher_length * 8); + buf_printf(&out, ",keysize %d", keysize); if (o->shared_secret_file) { buf_printf(&out, ",secret"); @@ -6168,9 +6204,9 @@ } } #ifdef TARGET_LINUX - else if (streq (p[0], "bind-dev") && p[1]) + else if (streq(p[0], "bind-dev") && p[1]) { - VERIFY_PERMISSION (OPT_P_SOCKFLAGS); + VERIFY_PERMISSION(OPT_P_SOCKFLAGS); options->bind_dev = p[1]; } #endif @@ -6248,7 +6284,7 @@ { int64_t val = atoll(p[2]); options->inactivity_minimum_bytes = (val < 0) ? 0 : val; - if ( options->inactivity_minimum_bytes > INT_MAX ) + if (options->inactivity_minimum_bytes > INT_MAX) { msg(M_WARN, "WARNING: '--inactive' with a 'bytes' value" " >2 Gbyte was silently ignored in older versions. If " 
@@ -8132,7 +8168,7 @@ #endif else if (streq(p[0], "providers") && p[1]) { - for (size_t j = 1; j < MAX_PARMS && p[j] != NULL;j++) + for (size_t j = 1; j < MAX_PARMS && p[j] != NULL; j++) { options->providers.names[j] = p[j]; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/openvpn-2.5.7/src/openvpn/push.c new/openvpn-2.5.8/src/openvpn/push.c --- old/openvpn-2.5.7/src/openvpn/push.c 2022-05-24 10:48:20.000000000 +0200 +++ new/openvpn-2.5.8/src/openvpn/push.c 2022-10-28 10:40:26.000000000 +0200 @@ -225,7 +225,6 @@ struct env_set *es = session->opt->es; int key_id = session->key[KS_PRIMARY].key_id; - management_notify_client_cr_response(key_id, mda, es, m); #endif msg(D_PUSH, "CR response was sent by client ('%s')", m); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/openvpn-2.5.7/src/openvpn/ssl.c new/openvpn-2.5.8/src/openvpn/ssl.c --- old/openvpn-2.5.7/src/openvpn/ssl.c 2022-05-24 10:48:20.000000000 +0200 +++ new/openvpn-2.5.8/src/openvpn/ssl.c 2022-10-28 10:40:27.000000000 +0200 @@ -393,9 +393,14 @@ #endif void -auth_user_pass_setup(const char *auth_file, const struct static_challenge_info *sci) +enable_auth_user_pass() { auth_user_pass_enabled = true; +} + +void +auth_user_pass_setup(const char *auth_file, const struct static_challenge_info *sci) +{ if (!auth_user_pass.defined && !auth_token.defined) { #ifdef ENABLE_MANAGEMENT 
@@ -2386,20 +2391,13 @@ { goto error; } - /* if auth-nocache was specified, the auth_user_pass object reaches - * a "complete" state only after having received the push-reply - * message. The push message might contain an auth-token that needs - * the username of auth_user_pass. - * - * For this reason, skip the purge operation here if no push-reply - * message has been received yet. - * - * This normally happens upon first negotiation only. - */ - if (!session->opt->pull) + /* save username for auth-token which may get pushed later */ + if (session->opt->pull && up != &auth_token) { - purge_user_pass(&auth_user_pass, false); + strncpynt(auth_token.username, up->username, USER_PASS_LEN); } + /* respect auth-nocache */ + purge_user_pass(&auth_user_pass, false); } else { @@ -4138,9 +4136,3 @@ done: return BSTR(&out); } - -void -ssl_clean_user_pass(void) -{ - purge_user_pass(&auth_user_pass, false); -} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/openvpn-2.5.7/src/openvpn/ssl.h new/openvpn-2.5.8/src/openvpn/ssl.h --- old/openvpn-2.5.7/src/openvpn/ssl.h 2022-05-24 10:48:20.000000000 +0200 +++ new/openvpn-2.5.8/src/openvpn/ssl.h 2022-10-28 10:40:26.000000000 +0200 @@ -419,6 +419,9 @@ */ void pem_password_setup(const char *auth_file); +/* Enables the use of user/password authentication */ +void enable_auth_user_pass(); + /* * Setup authentication username and password. If auth_file is given, use the * credentials stored in the file. @@ -433,6 +436,7 @@ /* * Purge any stored authentication information, both for key files and tunnel * authentication. If PCKS #11 is enabled, purge authentication for that too. + * Note that auth_token is not cleared. */ void ssl_purge_auth(const bool auth_user_pass_only); 
@@ -600,12 +604,6 @@ */ bool is_hard_reset_method2(int op); -/** - * Cleans the saved user/password unless auth-nocache is in use. - */ -void ssl_clean_user_pass(void); - - /* * Show the TLS ciphers that are available for us to use in the SSL * library with headers hinting their usage and warnings about usage. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/openvpn-2.5.7/src/openvpn/ssl_verify.c new/openvpn-2.5.8/src/openvpn/ssl_verify.c --- old/openvpn-2.5.7/src/openvpn/ssl_verify.c 2022-05-24 10:48:20.000000000 +0200 +++ new/openvpn-2.5.8/src/openvpn/ssl_verify.c 2022-10-28 10:40:26.000000000 +0200 @@ -1397,7 +1397,14 @@ #ifdef MANAGEMENT_DEF_AUTH if (man_def_auth != KMDA_UNDEF) { - ks->authenticated = KS_AUTH_DEFERRED; + if (skip_auth) + { + ks->mda_status = ACF_DISABLED; + } + else + { + ks->authenticated = KS_AUTH_DEFERRED; + } } #endif if ((session->opt->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME)) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/openvpn-2.5.7/src/openvpn/tls_crypt.c new/openvpn-2.5.8/src/openvpn/tls_crypt.c --- old/openvpn-2.5.7/src/openvpn/tls_crypt.c 2022-05-24 10:48:20.000000000 +0200 +++ new/openvpn-2.5.8/src/openvpn/tls_crypt.c 2022-10-28 10:40:26.000000000 +0200 
@@ -585,7 +585,8 @@ if (BLEN(&wrapped_client_key) < sizeof(net_len)) { - msg(D_TLS_ERRORS, "failed to read length"); + msg(D_TLS_ERRORS, "Can not read tls-crypt-v2 client key length"); + return false; } memcpy(&net_len, BEND(&wrapped_client_key) - sizeof(net_len), sizeof(net_len)); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/openvpn-2.5.7/tests/t_client.sh new/openvpn-2.5.8/tests/t_client.sh --- old/openvpn-2.5.7/tests/t_client.sh 2022-05-24 10:48:42.000000000 +0200 +++ new/openvpn-2.5.8/tests/t_client.sh 2022-10-28 10:40:43.000000000 +0200 @@ -1,4 +1,4 @@ -#!/bin/sh +#!/bin/bash # # run OpenVPN client against ``test reference'' server # - check that ping, http, ... via tunnel works @@ -9,9 +9,13 @@ # - writable current directory to create subdir for logs # - t_client.rc in current directory OR source dir that specifies tests # - for "ping4" checks: fping binary in $PATH -# - for "ping6" checks: fping6 binary in $PATH +# - for "ping6" checks: fping (4.0+) or fping6 binary in $PATH # +# by changing this to 1 we can force automated builds to fail +# that are expected to have all the prerequisites +TCLIENT_SKIP_RC="${TCLIENT_SKIP_RC:-77}" + srcdir="${srcdir:-.}" top_builddir="${top_builddir:-..}" if [ -r "${top_builddir}"/t_client.rc ] ; then 
@@ -21,25 +25,28 @@ else echo "$0: cannot find 't_client.rc' in build dir ('${top_builddir}')" >&2 echo "$0: or source directory ('${srcdir}'). SKIPPING TEST." >&2 - exit 77 + exit "${TCLIENT_SKIP_RC}" fi # Check for external dependencies +FPING="fping" +FPING6="fping6" which fping > /dev/null if [ $? -ne 0 ]; then echo "$0: fping is not available in \$PATH" >&2 - exit 77 + exit "${TCLIENT_SKIP_RC}" fi which fping6 > /dev/null if [ $? -ne 0 ]; then - echo "$0: fping6 is not available in \$PATH" >&2 - exit 77 + echo "$0: fping6 is not available in \$PATH, assuming fping 4.0 or later" >&2 + FPING="fping -4" + FPING6="fping -6" fi KILL_EXEC=`which kill` if [ $? -ne 0 ]; then echo "$0: kill not found in \$PATH" >&2 - exit 77 + exit "${TCLIENT_SKIP_RC}" fi if [ ! -x "${top_builddir}/src/openvpn/openvpn" ] @@ -56,12 +63,12 @@ if [ -z "$CA_CERT" ] ; then echo "CA_CERT not defined in 't_client.rc'. SKIP test." >&2 - exit 77 + exit "${TCLIENT_SKIP_RC}" fi if [ -z "$TEST_RUN_LIST" ] ; then echo "TEST_RUN_LIST empty, no tests defined. SKIP test." >&2 - exit 77 + exit "${TCLIENT_SKIP_RC}" fi # Ensure PREFER_KSU is in a known state @@ -91,7 +98,7 @@ then echo "$0: this test must run be as root, or RUN_SUDO=... " >&2 echo " must be set correctly in 't_client.rc'. SKIP." >&2 - exit 77 + exit "${TCLIENT_SKIP_RC}" else # We have to use sudo. Make sure that we (hopefully) do not have # to ask the users password during the test. This is done to @@ -101,7 +108,7 @@ echo "$0: $RUN_SUDO $KILL_EXEC -0 succeeded, good." else echo "$0: $RUN_SUDO $KILL_EXEC -0 failed, cannot go on. SKIP." >&2 - exit 77 + exit "${TCLIENT_SKIP_RC}" fi fi fi 
@@ -216,8 +223,8 @@ if [ -z "$targetlist" ] ; then return ; fi case $proto in - 4) cmd=fping ;; - 6) cmd=fping6 ;; + 4) cmd="$FPING" ;; + 6) cmd="$FPING6" ;; *) echo "internal error in run_ping_tests arg 1: '$proto'" >&2 exit 1 ;; esac diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/openvpn-2.5.7/tests/t_client.sh.in new/openvpn-2.5.8/tests/t_client.sh.in --- old/openvpn-2.5.7/tests/t_client.sh.in 2022-05-24 10:48:18.000000000 +0200 +++ new/openvpn-2.5.8/tests/t_client.sh.in 2022-10-28 10:40:26.000000000 +0200 @@ -9,9 +9,13 @@ # - writable current directory to create subdir for logs # - t_client.rc in current directory OR source dir that specifies tests # - for "ping4" checks: fping binary in $PATH -# - for "ping6" checks: fping6 binary in $PATH +# - for "ping6" checks: fping (4.0+) or fping6 binary in $PATH # +# by changing this to 1 we can force automated builds to fail +# that are expected to have all the prerequisites +TCLIENT_SKIP_RC="${TCLIENT_SKIP_RC:-77}" + srcdir="${srcdir:-.}" top_builddir="${top_builddir:-..}" if [ -r "${top_builddir}"/t_client.rc ] ; then 
@@ -21,25 +25,28 @@ else echo "$0: cannot find 't_client.rc' in build dir ('${top_builddir}')" >&2 echo "$0: or source directory ('${srcdir}'). SKIPPING TEST." >&2 - exit 77 + exit "${TCLIENT_SKIP_RC}" fi # Check for external dependencies +FPING="fping" +FPING6="fping6" which fping > /dev/null if [ $? -ne 0 ]; then echo "$0: fping is not available in \$PATH" >&2 - exit 77 + exit "${TCLIENT_SKIP_RC}" fi which fping6 > /dev/null if [ $? -ne 0 ]; then - echo "$0: fping6 is not available in \$PATH" >&2 - exit 77 + echo "$0: fping6 is not available in \$PATH, assuming fping 4.0 or later" >&2 + FPING="fping -4" + FPING6="fping -6" fi KILL_EXEC=`which kill` if [ $? -ne 0 ]; then echo "$0: kill not found in \$PATH" >&2 - exit 77 + exit "${TCLIENT_SKIP_RC}" fi if [ ! -x "${top_builddir}/src/openvpn/openvpn" ] @@ -56,12 +63,12 @@ if [ -z "$CA_CERT" ] ; then echo "CA_CERT not defined in 't_client.rc'. SKIP test." >&2 - exit 77 + exit "${TCLIENT_SKIP_RC}" fi if [ -z "$TEST_RUN_LIST" ] ; then echo "TEST_RUN_LIST empty, no tests defined. SKIP test." >&2 - exit 77 + exit "${TCLIENT_SKIP_RC}" fi # Ensure PREFER_KSU is in a known state @@ -91,7 +98,7 @@ then echo "$0: this test must run be as root, or RUN_SUDO=... " >&2 echo " must be set correctly in 't_client.rc'. SKIP." >&2 - exit 77 + exit "${TCLIENT_SKIP_RC}" else # We have to use sudo. Make sure that we (hopefully) do not have # to ask the users password during the test. This is done to @@ -101,7 +108,7 @@ echo "$0: $RUN_SUDO $KILL_EXEC -0 succeeded, good." else echo "$0: $RUN_SUDO $KILL_EXEC -0 failed, cannot go on. SKIP." >&2 - exit 77 + exit "${TCLIENT_SKIP_RC}" fi fi fi 
@@ -216,8 +223,8 @@ if [ -z "$targetlist" ] ; then return ; fi case $proto in - 4) cmd=fping ;; - 6) cmd=fping6 ;; + 4) cmd="$FPING" ;; + 6) cmd="$FPING6" ;; *) echo "internal error in run_ping_tests arg 1: '$proto'" >&2 exit 1 ;; esac diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/openvpn-2.5.7/tests/unit_tests/README.md new/openvpn-2.5.8/tests/unit_tests/README.md --- old/openvpn-2.5.7/tests/unit_tests/README.md 1970-01-01 01:00:00.000000000 +0100 +++ new/openvpn-2.5.8/tests/unit_tests/README.md 2022-10-28 10:40:26.000000000 +0200 
@@ -0,0 +1,40 @@ +Unit Tests +=========== + +This directory contains unit tests for openvpn. New features/bugfixes should be written in a test friendly way and come with corresponding tests. + +Run tests +---------- + +Tests are run by `make check`. A failed tests stops test execution. To run all +tests regardless of errors call `make -k check`. + +Add new tests to existing test suite +------------------------------------- + +Test suites are organized in directories. [example_test/](example_test/) is an example +for a test suite with two test executables. Feel free to use it as a template for new tests. + +Test suites +-------------------- + +Test suites live inside a subdirectory of `$ROOT/tests/unit_tests`, e.g. `$ROOT/tests/unit_tests/my_feature`. + +Test suites are configured by a `Makefile.am`. Tests are executed by testdrivers. One testsuite can contain more than one testdriver. + +### Hints +* Name suites & testdrivers in a way that the name of the driver says something about which component/feature is tested +* Name the testdriver executable `*_testdriver`. This way it gets picked up by the default `.gitignore` + * If this is not feasible: Add all output to a `.gitignore`* Use descriptive test names: `coffee_brewing__with_no_beans__fails` vs. `test34` +* Testing a configurable feature? Wrap test execution with a conditional (see [auth_pam](plugins/auth-pam/Makefile.am) for an example) +* Add multiple test-drivers when one testdriver looks crowded with tests + +### New Test Suites +1. Organize tests in folders for features. +2. Add the new test directory to `SUBDIRS` in `Makefile.am` +3. Edit `configure.ac` and add the new `Makefile` to `AC_CONFIG_FILES` +4. Run `./configure`, and *enable* the feature you'd like to test +5. Make sure that `make check` runs your tests +6. Check: Would a stranger be able to easily find your tests by you looking at the test output? +7. Run `./configure`, and *disable* the feature you'd like to test +8. 
Make sure that `make check` does *not run* your tests diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/openvpn-2.5.7/tests/unit_tests/example_test/README.md new/openvpn-2.5.8/tests/unit_tests/example_test/README.md --- old/openvpn-2.5.7/tests/unit_tests/example_test/README.md 1970-01-01 01:00:00.000000000 +0100 +++ new/openvpn-2.5.8/tests/unit_tests/example_test/README.md 2022-10-28 10:40:26.000000000 +0200 @@ -0,0 +1,3 @@ +This test only checks that test compilation works. This example contains two test executables. + +These tests can be used as template for 'real' tests. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/openvpn-2.5.7/version.m4 new/openvpn-2.5.8/version.m4 --- old/openvpn-2.5.7/version.m4 2022-05-24 10:48:20.000000000 +0200 +++ new/openvpn-2.5.8/version.m4 2022-10-28 10:40:26.000000000 +0200 @@ -3,12 +3,12 @@ define([PRODUCT_TARNAME], [openvpn]) define([PRODUCT_VERSION_MAJOR], [2]) define([PRODUCT_VERSION_MINOR], [5]) -define([PRODUCT_VERSION_PATCH], [.7]) +define([PRODUCT_VERSION_PATCH], [.8]) m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MAJOR]) m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MINOR], [[.]]) m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_PATCH], [[]]) define([PRODUCT_BUGREPORT], [openvpn-us...@lists.sourceforge.net]) -define([PRODUCT_VERSION_RESOURCE], [2,5,7,0]) +define([PRODUCT_VERSION_RESOURCE], [2,5,8,0]) dnl define the TAP version define([PRODUCT_TAP_WIN_COMPONENT_ID], [tap0901]) define([PRODUCT_TAP_WIN_MIN_MAJOR], [9])
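Review bot: sample/sample-plugins/Makefile is configure output and should not ship in the release tarball: the regenerated lines in these hunks (`ACLOCAL`, `AUTOCONF`, `abs_top_srcdir`, `install_sh`) only swap one release engineer's home directory for another's, and `SHELL = /bin/bash`, `CMOCKA_LIBS = -lcmocka` and `SOCKETS_LIBS = -lnsl -lresolv` record that machine's configure results. Shipping it leaks build-host paths and adds noise to every tarball-to-tarball comparison; clean that directory before packaging so only the `Makefile.in`-level inputs are distributed.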
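Review bot: in the init.c hunk at @@ -2764, `warn` is now `!options->ncp_enabled || options->enable_ncp_fallback`, where it used to be true for every cipher other than BF-CBC. With NCP enabled and no fallback, an explicitly configured `--cipher` other than BF-CBC now reaches `init_key_type()` with `warn` false, which looks like a lost warning unless that is intended; please confirm or keep the old `!streq(options->ciphername, "BF-CBC")` term. In the same condition `options->ncp_enabled &&` is redundant after `!options->ncp_enabled ||`, and the new comments contain "in the in ncp_ciphers list" and "if the if the cipher".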
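Review bot: in the manage.c hunk at @@ -314 the recursion bound `5` is a bare literal and the drop path echoes the dropped message with `printf` to stdout. Give the bound a named constant with a comment on why that depth is sufficient, and reconsider printing `<%s>` verbatim: text destined for the management interface may be sensitive, and stdout may be redirected into a log or closed when the process is daemonized. A fixed notice that a message was dropped, with its length, would carry the diagnostic value without the content.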
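Review bot: in the misc.c hunk, `tk->defined` now depends only on `strlen(tk->username)` being non-zero, which is correct only because the ssl.c change pre-fills `auth_token.username`; the comment "If already set, tk is fully defined" should name that dependency. `tk->username[0] != '\0'` states the emptiness test directly. When the username is empty the token is now left undefined without any message, so a debug-level log line on that path would make the state diagnosable.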
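Review bot: in the options.c hunk at @@ -3681 the BF-CBC overhead is added as the literal `64/8 + 64/8`, with only a comment tying it to block and IV size. Name the two values as constants so the MTU computation stays auditable, drop the doubled blank line after `frame_remove_from_extra_frame(...)`, and use `streq()` as init.c does instead of `strcmp(...) == 0` for the same "BF-CBC" test.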
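Review bot: in the options.c hunk at @@ -3853, `keysize = 128` is an undocumented literal standing in for the key length that the skipped BF-CBC lookup would have reported, and it decides what goes into the `,keysize %d` field of the string compared with the peer. Add a comment saying so, and note that the BF-CBC special case now exists in three places (init.c and two functions here); a small shared helper that answers "is this the unresolved default BF-CBC" would keep them from drifting apart.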
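Review bot: in the ssl.h hunk (and the definition in ssl.c at @@ -393), `void enable_auth_user_pass();` declares a function with unspecified parameters in C; write `(void)` as the removed `ssl_clean_user_pass(void)` did. Moving `auth_user_pass_enabled = true` out of `auth_user_pass_setup()` also means a caller of the setup function that does not first call `enable_auth_user_pass()` leaves the flag unset without any error; the only call site visible in this diff is the `auth_user_pass_file` branch in init.c, so the header comment should state the required call order.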
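Review bot: in the ssl.c hunk at @@ -2386 the username is copied into `auth_token.username` for every pulling client just before `purge_user_pass(&auth_user_pass, false)`, so under `--auth-nocache` the username now survives the purge in a second buffer even if the server never pushes a token. The manage.c hunks clear it through `ssl_clean_auth_token()` on "forget passwords" and forget-disconnect, but nothing visible here clears it on the plain no-token path. Either clear it once the push-reply arrives without a token, or extend the "save username for auth-token" comment to say that retaining the username (not the password) is the accepted trade-off.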
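Review bot: the new `skip_auth` branch in the ssl_verify.c hunk has no comment explaining why `ks->mda_status = ACF_DISABLED` replaces `ks->authenticated = KS_AUTH_DEFERRED` when management-deferred auth is configured. This is an authentication state decision, so the reason (and what guarantees `skip_auth` is only true after a successful check) belongs next to the code, not only in the changelog entry about `--auth-token` with `--management-client-auth`.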
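Review bot: the short-key path in the tls_crypt.c hunk needs a regression test. Before the added `return false`, a wrapped client key shorter than `sizeof(net_len)` only logged and then fell through to the `memcpy` from `BEND(&wrapped_client_key) - sizeof(net_len)`, which starts before the buffer's data; a unit test feeding a truncated wrapped key and asserting the function fails would keep that from regressing. The new message should read "Cannot" rather than "Can not".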
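Review bot: in the t_client.sh and t_client.sh.in hunks at @@ -21, a missing `fping6` is taken to mean fping 4.0 or later without checking, so on a host with an older `fping` and no `fping6` the ping6 tests fail later instead of being skipped. Probe once that the installed `fping` accepts `-6` and exit with `${TCLIENT_SKIP_RC}` if it does not. `FPING="fping -4"` also relies on `$cmd` being expanded unquoted where it is run, which deserves a comment next to the `case $proto` assignment. The generated t_client.sh additionally changes its shebang to `#!/bin/bash` while t_client.sh.in shows no such hunk, which is build-host state ending up in the tarball.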