pax_global_header00006660000000000000000000000064131643434400014514gustar00rootroot0000000000000052 comment=a6daf938f5f616a4a67caa6580b0c99e9a8c3779 openvpn-2.4.4/000077500000000000000000000000001316434344000132105ustar00rootroot00000000000000openvpn-2.4.4/.gitattributes000066400000000000000000000001371316434344000161040ustar00rootroot00000000000000*.c eol=lf *.h eol=lf *.rc eol=lf *.txt eol=lf *.bat eol=lf *.vc*proj* eol=crlf *.sln eol=crlf openvpn-2.4.4/.gitignore000066400000000000000000000015341316434344000152030ustar00rootroot00000000000000*.[oa] *.l[oa] *.dll *.exe *.exe.* *.obj *.pyc *.so *~ *.idb *.suo *.ncb *.vcproj.* *.vcxproj.user *.sln.cache *.log Release Debug Win32-Output .deps .libs Makefile Makefile.in aclocal.m4 autodefs.h autom4te.cache config.guess config.h config.h.in config.log config.status config.sub configure configure.h depcomp doxygen/ stamp-h1 install-sh missing ltmain.sh libtool m4/libtool.m4 m4/ltoptions.m4 m4/ltsugar.m4 m4/ltversion.m4 m4/lt~obsolete.m4 version.sh msvc-env-local.bat config-msvc-local.h config-msvc-version.h doc/openvpn.8.html distro/rpm/openvpn.spec distro/systemd/*.service sample/sample-keys/sample-ca/ vendor/.build vendor/dist tests/t_client.sh tests/t_client-*-20??????-??????/ t_client.rc t_client_ips.rc tests/unit_tests/**/*_testdriver src/openvpn/openvpn include/openvpn-plugin.h config-version.h nbproject test-driver compile stamp-h2 openvpn-2.4.4/AUTHORS000066400000000000000000000000341316434344000142550ustar00rootroot00000000000000James Yonan openvpn-2.4.4/COPYING000066400000000000000000000224021316434344000142430ustar00rootroot00000000000000OpenVPN (TM) -- An Open Source VPN daemon Copyright (C) 2002-2017 OpenVPN Technologies, Inc. This distribution contains multiple components, some of which fall under different licenses. By using OpenVPN or any of the bundled components enumerated below, you agree to be bound by the conditions of the license for each respective component. OpenVPN trademark ----------------- "OpenVPN" is a trademark of OpenVPN Technologies, Inc. OpenVPN license: ---------------- OpenVPN is distributed under the GPL license version 2 (see Below). Special exception for linking OpenVPN with OpenSSL: In addition, as a special exception, OpenVPN Technologies, Inc. gives permission to link the code of this program with the OpenSSL library (or with modified versions of OpenSSL that use the same license as OpenSSL), and distribute linked combinations including the two. You must obey the GNU General Public License in all respects for all of the code used other than OpenSSL. If you modify this file, you may extend this exception to your version of the file, but you are not obligated to do so. If you do not wish to do so, delete this exception statement from your version. LZO license: ------------ LZO is Copyright (C) Markus F.X.J. Oberhumer, and is licensed under the GPL. Special exception for linking OpenVPN with both OpenSSL and LZO: Hereby I grant a special exception to the OpenVPN project (http://openvpn.net/) to link the LZO library with the OpenSSL library (http://www.openssl.org). Markus F.X.J. Oberhumer TAP-Win32/TAP-Win64 Driver license: ----------------------------------- This device driver was inspired by the CIPE-Win32 driver by Damion K. Wilson. The source and object code of the TAP-Win32/TAP-Win64 driver is Copyright (C) 2002-2010 OpenVPN Technologies, Inc., and is released under the GPL version 2. Windows DDK Samples: -------------------- The Windows binary distribution includes devcon.exe, a Microsoft DDK sample which is redistributed under the terms of the DDK EULA. NSIS License: ------------- Copyright (C) 2002-2003 Joost Verburg This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software. Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions: 1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required. 2. Altered versions must be plainly marked as such, and must not be misrepresented as being the original software. 3. This notice may not be removed or altered from any distribution. OpenSSL License: ---------------- The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the OpenSSL License and the original SSLeay license apply to the toolkit. See below for the actual license texts. Actually both licenses are BSD-style Open Source licenses. In case of any license issues related to OpenSSL please contact openssl-core@openssl.org. /* ==================================================================== * Copyright (c) 1998-2003 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. All advertising materials mentioning features or use of this * software must display the following acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" * * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to * endorse or promote products derived from this software without * prior written permission. For written permission, please contact * openssl-core@openssl.org. * * 5. Products derived from this software may not be called "OpenSSL" * nor may "OpenSSL" appear in their names without prior written * permission of the OpenSSL Project. * * 6. Redistributions of any form whatsoever must retain the following * acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit (http://www.openssl.org/)" * * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. * ==================================================================== * * This product includes cryptographic software written by Eric Young * (eay@cryptsoft.com). This product includes software written by Tim * Hudson (tjh@cryptsoft.com). * */ Original SSLeay License ----------------------- /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] */ GNU Public License (GPL) ------------------------ OpenVPN, LZO, and the TAP-Win32 distributions are licensed under the GPL version 2 (see COPYRIGHT.GPL). In the Windows binary distribution of OpenVPN, the GPL is reproduced below. openvpn-2.4.4/COPYRIGHT.GPL000066400000000000000000000431521316434344000151310ustar00rootroot00000000000000 GNU GENERAL PUBLIC LICENSE Version 2, June 1991 Copyright (C) 1989, 1991 Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. Preamble The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Lesser General Public License instead.) You can apply it to your programs, too. When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things. To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it. For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights. We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software. Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations. Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all. The precise terms and conditions for copying, distribution and modification follow. GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you". Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does. 1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program. You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee. 2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions: a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change. b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License. c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.) These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program. In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. 3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following: a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.) The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable. If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code. 4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance. 5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it. 6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License. 7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program. If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. 8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License. 9. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation. 10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. NO WARRANTY 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. END OF TERMS AND CONDITIONS How to Apply These Terms to Your New Programs If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms. To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found. Copyright (C) This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License version 2 as published by the Free Software Foundation. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. Also add information on how to contact you by electronic and paper mail. If the program is interactive, make it output a short notice like this when it starts in an interactive mode: Gnomovision version 69, Copyright (C) year name of author Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details. The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, the commands you use may be called something other than `show w' and `show c'; they could even be mouse-clicks or menu items--whatever suits your program. You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the program, if necessary. Here is a sample; alter the names: Yoyodyne, Inc., hereby disclaims all copyright interest in the program `Gnomovision' (which makes passes at compilers) written by James Hacker. , 1 April 1989 Ty Coon, President of Vice This General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Lesser General Public License instead of this License. openvpn-2.4.4/ChangeLog000066400000000000000000006704321316434344000147760ustar00rootroot00000000000000OpenVPN Change Log Copyright (C) 2002-2017 OpenVPN Technologies, Inc. 2017.09.25 -- Version 2.4.4 Antonio Quartulli (23): crypto: correct typ0 in error message use M_ERRNO instead of explicitly printing errno don't print errno twice ntlm: avoid useless cast ntlm: unwrap multiple function calls route: improve error message management: preserve wait_for_push field when asking for user/pass tls-crypt: avoid warnings when --disable-crypto is used ntlm: convert binary buffers to uint8_t * ntlm: restyle compressed multiple function calls ntlm: improve code style and readability OpenSSL: remove unreachable call to SSL_CTX_get0_privatekey() make function declarations C99 compliant remove unused functions use NULL instead of 0 when assigning pointers add missing static attribute to functions ntlm: avoid breaking anti-aliasing rules remove the --disable-multi config switch rename mroute_extract_addr_ipv4 to mroute_extract_addr_ip route: avoid definition of unused variables in certain configurations fix a couple of typ0s in comments and strings fragment.c: simplify boolean expression tcp-server: ensure AF family is propagated to child context Arne Schwabe (2): Set tls-cipher restriction before loading certificates Print ec bit details, refuse management-external-key if key is not RSA Conrad Hoffmann (2): Use provided env vars in up/down script. Document down-root plugin usage in client.down David Sommerseth (11): doc: The CRL processing is not a deprecated feature cleanup: Move write_pid() to where it is being used contrib: Remove keychain-mcd code cleanup: Move init_random_seed() to where it is being used sample-plugins: fix ASN1_STRING_to_UTF8 return value checks Highlight deprecated features Use consistent version references docs: Replace all PolarSSL references to mbed TLS systemd: Ensure systemd shuts down OpenVPN in a proper way systemd: Enable systemd's auto-restart feature for server profiles lz4: Move towards a newer LZ4 API Emmanuel Deloget (3): OpenSSL: remove pre-1.1 function from the OpenSSL compat interface OpenSSL: remove EVP_CIPHER_CTX_new() from the compat layer OpenSSL: remove EVP_CIPHER_CTX_free() from the compat layer Gert van Dijk (1): Warn that DH config option is only meaningful in a tls-server context Ilya Shipitsin (3): travis-ci: add 3 missing patches from master to release/2.4 travis-ci: update openssl to 1.0.2l, update mbedtls to 2.5.1 travis-ci: update pkcs11-helper to 1.22 Richard Bonhomme (1): man: Corrections to doc/openvpn.8 Steffan Karger (17): Fix typo in extract_x509_extension() debug message Move adjust_power_of_2() to integer.h Undo cipher push in client options state if cipher is rejected Remove strerror_ts() Move openvpn_sleep() to manage.c fixup: also change missed openvpn_sleep() occurrences Always use default keysize for NCP'd ciphers Move create_temp_file() out of #ifdef ENABLE_CRYPTO Deprecate --keysize Deprecate --no-replay Move run_up_down() to init.c tls-crypt: introduce tls_crypt_kt() crypto: create function to initialize encrypt and decrypt key Add coverity static analysis to Travis CI config tls-crypt: don't leak memory for incorrect tls-crypt messages travis: reorder matrix to speed up build Fix bounds check in read_key() Szilárd Pfeiffer (1): OpenSSL: Always set SSL_OP_CIPHER_SERVER_PREFERENCE flag Thomas Veerman via Openvpn-devel (1): Fix socks_proxy_port pointing to invalid data 2017.06.21 -- Version 2.4.3 Antonio Quartulli (1): Ignore auth-nocache for auth-user-pass if auth-token is pushed David Sommerseth (3): crypto: Enable SHA256 fingerprint checking in --verify-hash copyright: Update GPLv2 license texts auth-token with auth-nocache fix broke --disable-crypto builds Emmanuel Deloget (8): OpenSSL: don't use direct access to the internal of X509 OpenSSL: don't use direct access to the internal of EVP_PKEY OpenSSL: don't use direct access to the internal of RSA OpenSSL: don't use direct access to the internal of DSA OpenSSL: force meth->name as non-const when we free() it OpenSSL: don't use direct access to the internal of EVP_MD_CTX OpenSSL: don't use direct access to the internal of EVP_CIPHER_CTX OpenSSL: don't use direct access to the internal of HMAC_CTX Gert Doering (6): Fix NCP behaviour on TLS reconnect. Remove erroneous limitation on max number of args for --plugin Fix edge case with clients failing to set up cipher on empty PUSH_REPLY. Fix potential 1-byte overread in TCP option parsing. Fix remotely-triggerable ASSERT() on malformed IPv6 packet. Update Changes.rst with relevant info for 2.4.3 release. Guido Vranken (6): refactor my_strupr Fix 2 memory leaks in proxy authentication routine Fix memory leak in add_option() for option 'connection' Ensure option array p[] is always NULL-terminated Fix a null-pointer dereference in establish_http_proxy_passthru() Prevent two kinds of stack buffer OOB reads and a crash for invalid input data Jérémie Courrèges-Anglas (2): Fix an unaligned access on OpenBSD/sparc64 Missing include for socket-flags TCP_NODELAY on OpenBSD Matthias Andree (1): Make openvpn-plugin.h self-contained again. Selva Nair (1): Pass correct buffer size to GetModuleFileNameW() Steffan Karger (11): Log the negotiated (NCP) cipher Avoid a 1 byte overcopy in x509_get_subject (ssl_verify_openssl.c) Skip tls-crypt unit tests if required crypto mode not supported openssl: fix overflow check for long --tls-cipher option Add a DSA test key/cert pair to sample-keys Fix mbedtls fingerprint calculation mbedtls: fix --x509-track post-authentication remote DoS (CVE-2017-7522) mbedtls: require C-string compatible types for --x509-username-field Fix remote-triggerable memory leaks (CVE-2017-7521) Restrict --x509-alt-username extension types Fix potential double-free in --x509-alt-username (CVE-2017-7521) Steven McDonald (1): Fix gateway detection with OpenBSD routing domains 2017.05.11 -- Version 2.4.2 David Sommerseth (5): auth-token: Ensure tokens are always wiped on de-auth docs: Fixed man-page warnings discoverd by rpmlint Make --cipher/--auth none more explicit on the risks plugin: Fix documentation typo for type_mask plugin: Export secure_memzero() to plug-ins Hristo Venev (1): Fix extract_x509_field_ssl for external objects, v2 Selva Nair (1): In auth-pam plugin clear the password after use Steffan Karger (10): cleanup: merge packet_id_alloc_outgoing() into packet_id_write() Don't run packet_id unit tests for --disable-crypto builds Fix Changes.rst layout Fix memory leak in x509_verify_cert_ku() mbedtls: correctly check return value in pkcs11_certificate_dn() Restore pre-NCP frame parameters for new sessions Always clear username/password from memory on error Document tls-crypt security considerations in man page Don't assert out on receiving too-large control packets (CVE-2017-7478) Drop packets instead of assert out if packet id rolls over (CVE-2017-7479) ValdikSS (1): Set a low interface metric for tap adapter when block-outside-dns is in use 2017.03.21 -- Version 2.4.1 Antonio Quartulli (4): attempt to add IPv6 route even when no IPv6 address was configured fix redirect-gateway behaviour when an IPv4 default route does not exist CRL: use time_t instead of struct timespec to store last mtime ignore remote-random-hostname if a numeric host is provided Christian Hesse (7): man: fix formatting for alternative option systemd: Use automake tools to install unit files systemd: Do not race on RuntimeDirectory systemd: Add more security feature for systemd units Clean up plugin path handling plugin: Remove GNUism in openvpn-plugin.h generation fix typo in notification message David Sommerseth (6): management: >REMOTE operation would overwrite ce change indicator management: Remove a redundant #ifdef block git: Merge .gitignore files into a single file systemd: Move the READY=1 signalling to an earlier point plugin: Improve the handling of default plug-in directory cleanup: Remove faulty env processing functions Emmanuel Deloget (8): OpenSSL: check for the SSL reason, not the full error OpenSSL: don't use direct access to the internal of X509_STORE_CTX OpenSSL: don't use direct access to the internal of SSL_CTX OpenSSL: don't use direct access to the internal of X509_STORE OpenSSL: don't use direct access to the internal of X509_OBJECT OpenSSL: don't use direct access to the internal of RSA_METHOD OpenSSL: SSLeay symbols are no longer available in OpenSSL 1.1 OpenSSL: use EVP_CipherInit_ex() instead of EVP_CipherInit() Eric Thorpe (1): Fix Building Using MSVC Gert Doering (4): Add openssl_compat.h to openvpn_SOURCES Fix '--dev null' Fix installation of IPv6 host route to VPN server when using iservice. Make ENABLE_OCC no longer depend on !ENABLE_SMALL Gisle Vanem (1): Crash in options.c Ilya Shipitsin (2): Resolve several travis-ci issues travis-ci: remove unused files Olivier Wahrenberger (1): Fix building with LibreSSL 2.5.1 by cleaning a hack. Selva Nair (4): Fix push options digest update Always release dhcp address in close_tun() on Windows. Add a check for -Wl, --wrap support in linker Fix user's group membership check in interactive service to work with domains Simon Matter (1): Fix segfault when using crypto lib without AES-256-CTR or SHA256 Steffan Karger (8): More broadly enforce Allman style and braces-around-conditionals Use SHA256 for the internal digest, instead of MD5 OpenSSL: 1.1 fallout - fix configure on old autoconf Fix types in WIN32 socket_listen_accept() Remove duplicate X509 env variables Fix non-C99-compliant builds: don't use const size_t as array length Deprecate --ns-cert-type Be less picky about keyUsage extensions 2016.12.26 -- Version 2.4.0 David Sommerseth (5): dev-tools: Added script for updating copyright years in files Update copyrights docs: Further enhance the documentation related to SWEET32 man: Remove references to no longer present IV_RGI6 peer-info build: Ensure Changes.rst is shipped and installed as a doc file Gert Doering (1): Remove IV_RGI6=1 peer-info signalling. Steffan Karger (3): Document that RSA_SIGN can also request TLS 1.2 signatures man: encourage user to read on about --tls-crypt Textual fixes for Changes.rst 2016.12.16 -- Version 2.4_rc2 David Sommerseth (9): Fix wrong configure.ac parsing of --enable-async-push Changes: Further improve systemd unit file updates systemd: Intermediate --chroot fix with the new sd_notify() implementation Further enhance async-push feature description Changes.rst: Mainatiner update on C99 dev-tools: Add reformat-all.sh for code style unification The Great Reformatting - first phase Merge 'reformatting' branch into master auth-gen-token: Hardening memory cleanup on auth-token failuers Gert Doering (1): Refactor setting close-on-exec for socket FDs Lev Stipakov (2): Arm inotify only in server mode Add "async push" feature to Changes.rst Magnus Kroken (1): mbedtls: include correct net/net_sockets header according to version Selva Nair (2): Correctly state the default dhcp server address in man page Unhide a line in man page by fixing a typo Steffan Karger (4): Fix (and cleanup) crypto flags in combination with NCP Deprecate --no-iv man: mention that --ecdh-curve does not work on mbed TLS builds Don't reopen tun if cipher changes 2016.12.01 -- Version 2.4_rc1 Antonio Quartulli (1): reload CRL only if file was modified Christian Hesse (3): update year in copyright message Use systemd service manager notification Refuse to daemonize when running from systemd Gert Doering (1): Fix windows path in Changes.rst Samuli Seppänen (1): Mention that OpenVPN 2.4 requires Windows Vista or higher Selva Nair (4): Map restart signals from event loop to SIGTERM during exit-notification wait When parsing '--setenv opt xx ..' make sure a third parameter is present Force 'def1' method when --redirect-gateway is done through service Do not restart dns client service as a part of --register-dns processing Steffan Karger (4): tls_process: don't set variable that's never read Unconditionally enable TLS_AGGREGATE_ACK Clean up format_hex_ex() Introduce and use secure_memzero() to erase secrets 2016.11.24 -- Version 2.4_beta2 Arne Schwabe (5): Document that tls-crypt also supports inline Fix warning that RAND_bytes is undeclared Remove compat-stdbool.h. Fix various compiler warnings Handle DNS6 option on Android David Sommerseth (2): Changes.rst: Fixing wrong formatting Document the --auth-token option Gert Doering (2): Remove remaining traces of compat-stdbool.h Stub implementation of "--dhcp-option DNS6 " Selva Nair (3): Do not set ipv6 address if '--ip-win32 manual' is used Handle --dhcp-option DNS6 on Windows using netsh Set IPv6 DNS servers using interactive service Steffan Karger (6): multi_process_float: revert part of c14c4a9e --tls-crypt fixes Change cmocka remote to use https in stead of git protocol generate_key_expansion: make assumption explicit, use C99 features Poor man's NCP for non-NCP peers Refactor data channel key generation API 2016.11.17 -- Version 2.4_beta1 Arne Schwabe (1): Make Changes.rst nicer for 2.4 release David Sommerseth (16): Update .mailmap to unify and clean up odd names and e-mail addresses cleanup: Remove NOP code sections in ssl.c:tls_process() Remove last rest of INSTALL-win32.txt references auth-gen-token: Add --auth-gen-token option auth-gen-token: Generate an auth-token per client auth-gen-token: Push generated auth-tokens to the client auth-gen-token: Authenticate generated auth-tokens when client re-authenticates Fix builds with --disable-crypto man: Improve the --keepalive section console: Fix compiler warning systemd: Improve the systemd unit files tun: Fix compiler warnings file checks: Merge warn_if_group_others_accessible() into check_file_access() tun: Fix weird commit error causing a double assignment options: Remove --tls-remote Remove unused variable in argv_printf_arglist() Gert Doering (10): openvpn version line: remove [IPv6], add [AEAD] if available clean up *sig_info handling in link_socket_init_phase2() check c->c2.link_socket before calling do_init_route_ipv6_list() Check previously-unchecked buf_alloc_write() call in crypto self-test. Fix potential division by zero in shaper_reset() Repair topology subnet on FreeBSD 11 Repair topology subnet on OpenBSD Add in_port_t check to configure.ac Fix compilation on MinGW with -std=c99 Replace WIN32 by _WIN32 Heiko Hund (4): put argv_* functions into own file, add unit tests Remove unused and unecessary argv interfaces remove unused system_str from struct argv Factor out %sc handling from argv_printf() Lev Stipakov (1): Drop recursively routed packets Samuli Seppänen (6): Remove INSTALL-win32.txt that is now hosted in openvpn-build Fix update_t_client_ips.sh for out of tree builds Make sure that all relevant files under test go to release tarballs Allow passing extra arguments to fping/fping6 in t_client.rc Prevent generation of duplicate EXPECT_IFCONFIG entries Fix a logic problem in handling of --up scripts in t_client.sh Selva Nair (2): Support --block-outside-dns on multiple tunnels Unbreak windows build Steffan Karger (19): Fix use-after-free bug in prepare_push_reply() Remove verbose msg() from send_push_reply() Limit --reneg-bytes to 64MB when using small block ciphers Add a revoked cert to the sample keys Fix --tls-version-max in mbed TLS builds Don't deference type-punned pointers Fix builds on compilers without anonymous union support Refactor static/tls-auth key loading Add missing includes in error.h Make argv unit tests obey {MBEDTLS, OPENSSL}_{LIBS, CFLAGS} Move private file access checks to options_postprocess_filechecks() Deprecate key-method 1 Refactor CRL handling Remove unneeded check for extra_certs_file_inline Fix missing return value checks in multi_process_float() Restore pre-NCP cipher options on SIGUSR1 Remove unused variables from do_init_crypto_static() Add control channel encryption (--tls-crypt) Add --tls-crypt unit tests 2016.10.19 -- Version 2.4_alpha2 David Sommerseth (1): Update .mailmap to unify and clean up odd names and e-mail addresses Steffan Karger (1): Fix use-after-free bug in prepare_push_reply() 2016.10.17 -- Version 2.4_alpha1 Adriaan de Jong (2): Fixed a bug where PolarSSL gave an error when using an inline file tag. Fix --show-pkcs11-ids (Bug #239) Alexander Pyhalov (1): Default gateway can't be determined on illumos/Solaris platforms Alon Bar-Lev (1): pkcs11: use generic evp key instead of rsa Andris Kalnozols (3): Fix some typos in the man page. Do not upcase x509-username-field for mixed-case arguments. extract_x509_extension(): hide status message during normal operation. Arne Schwabe (100): Document man agent-external-key Options parsing demands unnecessary configuration if PKCS11 is used Error message if max-routes used incorrectly Properly require --key even if defined(MANAGMENT_EXTERNAL_KEY) Remove dnsflags_to_socktype, it is not used anywhere Fix the proto is used inconsistently warning Remove dead code path and putenv functionality Remove unused function xor Move static prototype definition from header into c file Remove unused function no_tap_ifconfig Add the client id (CID) to the output of the status command Print client id only if compiled with man agent support. Otherwise print an empty string. Allow routes to be set before opening tun, similar to ifconfig before opening tun Add ability to send/receive file descriptors via management interface Android platform specific changes. Emulate persist-tun on Android Document the Android implementation in OpenVPN Only print script warnings when a script is used. Remove stray mention of script-security system. Fix #ifdefs for P2MP_SERVER Move settings of user script into set_user_script function Move checking of script file access into set_user_script Fix another #ifdef/#if P2MP_SERVER PATCHv3 Remove unused variables or put them to the defines they are being used in Add support of utun devices under Mac OS X Add support to ignore specific options. Add a note what setenv opt does for OpenVPN < 2.3.3 Implement custom HTTP header for http-proxy, and always send user-agent: Add reporting of UI version to basic push-peer-info set. Change the type of all ports in openvpn to const char* and let getaddrinfo resolve the port together with the hostname. Fix compile error in ssl_openssl introduced by polar external-management patch Simplify print_sockaddr_ex function, merge duplicate ipv4/ipv6 logic. Split the PROTO_UDP_xx options into AF_INET/AF_INET6 and PROTO_TCP/PROTO_UDP part. Fix two instances of asserting AF_INET Fix assertion when SIGUSR1 is received while getaddrinfo is successful Split link_socket_init_phase1 and link_socket_init_phase2 into smaller more managable/readable functions. No functional changes Change proto_remote() function to return a constant string Remove the ip-remote-hint option. change the type of 'remote' to addrinfo*, and rename to 'remote_list'. When resolving fails print the error message from socket layer Implement dual stack client support for OpenVPN Move ASSERT so external-key with OpenSSL works again Implement listing on IPv4/IPv6 dual socket on all platform Add warning for using connection block variables after connection blocks Update IPv6 related readme files Introduce safety check for http proxy options Fix warning for max-routes: do not quit when parsing an old configuration. Format the message to be more like the other deprecated options Fix connecting to localhost on Android Move the initialization of the environment to the top so c2.es is initialized Workaround broken Android 4.4 VpnService API for persist-tun mode Implement an easy parsable log output that allows access to flags of the log message Introduce an option to resolve dns names in advance for --remote, --local and --http-proxy Fix for server selecting address family Don't show the connection profile store in options->ce if there is a connection_list defined. Add gateway and device to android control messages Clean up of socket code. Fix assert when using port-share Work around Solaris getaddrinfo() returing ai_protocol=0 Fix man page and OSCP script: tls_serial_{n} is decimal Remove ENABLE_BUFFER_LIST Fix server routes not working in topology subnet with --server [v3] Always enable http-proxy and socks-proxy Remove deprecated --max-routes option from manual Add documentation for PERSIST_TUN_ACTION (Android specific) Remove possibility of using --tls-auth with non OpenVPN Static key files Remove unused function sock_addr_set Document the default for tls-cipher. Report missing end-tags of inline files as errors Fix commit e473b7c if an inline file happens to have a line break exactly at buffer limit Show extra-certs in current parameters, fix clang warning and logic error in preresolve Remove unused function h_errno_msg Add support for requesting the fd again to rebind to the next interface. Don't redirect the gateway on Android even if requested Fix loglevel of protect socket message Extend network-change command to allow reprotecting on the same network (for short connection losses) Use pseudo gw as default gw on Android as a workaround for not being able to read /proc/net/route Remove #ifdefs for client nat support. Do not install a host route for the VPN on Android Fix commit c67acea173dc9ee37220f5b9ff14ede081181992 Do not set the buffer size by default but rely on the operation system default. Start Changes.rst that lists changes in 2.4.0 Remove --enable-password-save option Reflect enable-password-save change in documentation Also remove second instance of enable-password-save in the man page Detect config lines that are too long and give a warning/error Implement the compression V2 data format for stub and lz4. Fix assert when comp is called with unknown algorithm, always call comp init method Ignore stamp-h2 we generate during build process Implement inlining of crl files Complete push-peer-info documentation and allow IV_PLAT_VER for other platforms than Windows if the client UI supplies it. Remove http-proxy-timeout, socks timeout and set default of server-poll-timeout to 120s Add documentation for http-proxy-user-pass option Remove http-proxy-retry and socks-proxy-retry. Update android documentation to match source code Use AES ciphers in our sample configuration files and add a few modern 2.4 examples Fix ENABLE_CRYPTO_OPENSSL set to YES even with --disable-crypto set Prefer RECVDSTADDR to PKTINFO for IPv4 in OS X since it actually works (unlike PKTINFO) Incorporate the Debian typo fixes where appropriate and make show_opt default message clearer Enable TCP non-linear packet ID Change the hold command to communicate the time that OpenVPN would wait to the UI. Remove tun-ipv6 Option. Instead assume that IPv6 is always supported. Boris Lytochkin (1): Log serial number of revoked certificate Christian Hesse (1): fix build with automake 1.13(.1) Christian Niessner (1): Fix corner case in NTLM authentication (trac #172) Christos Trochalakis (1): Adjust server-ipv6 documentation Cristian Rodriguez (1): Use SSL_MODE_RELEASE_BUFFERS if available Daniel Hahler (1): options: fix option check for "plugin" Daniel Kubec (4): Added support for TLS Keying Material Exporters [RFC-5705] Added document for TLS Keying Material Exporters [RFC-5705] sample-plugin: TLS Keying Material Exporter [RFC-5705] demonstration plug-in Fix buffer size parameter for exported keying material. David Sommerseth (44): Make git ignore some more files Remove the support for using system() when executing external programs or scripts Fix double-free issue in pf_destroy_context() Reset the version.m4 version for the master branch Avoid recursion in virtual_output_callback_func() The get_default_gateway() function uses warn() instead of msg() Improve the git revision tracking man page: Update man page about the tls_digest_{n} environment variable Remove the --disable-eurephia configure option plugin: Extend the plug-in v3 API to identify the SSL implementation used autoconf: Fix typo t_client.sh: Check for fping/fping6 availability t_client.sh: Write errors to stderr and document requirements t_client.sh: Add prepare/cleanup possibilties for each test case Fix file checks when --chroot is being used Adjusted autotools files to build more cleanly on newer autoconf/automake versions Improve error reporting on file access to --client-config-dir and --ccd-exclusive Don't let openvpn_popen() keep zombies around Don't try to use systemd-ask-password if it is not available Clean up the pipe closing in openvpn_popen() Add systemd unit file for OpenVPN systemd: Use systemd functions to consider systemd availability systemd: Reworked the systemd unit file to handle server and client configs better autotools: Fix wrong ./configure help screen default values down-root plugin: Replaced system() calls with execve() down-root: Improve error messages plugin, down-root: Fix compiler warnings sockets: Remove the limitation of --tcp-nodelay to be server-only plugins, down-root: Code style clean-up Provide compile time OpenVPN version information to plug-ins Provide OpenVPN runtime version information to plug-ins Avoid partial authentication state when using --disabled in CCD configs Only build and run cmocka unit tests if its submodule is initialized Another fix related to unit test framework Remove NOP function and callers Revert "Drop recursively routed packets" Fix client connection instant timeout t_client.sh: Make OpenVPN write PID file to avoid various sudo issues t_client.sh: Add support for Kerberos/ksu t_client.sh: Improve detection if the OpenVPN process did start during tests Rework the user input interface to make it more modular Re-implement the systemd support using the new query user API systemd: Do not mask usernames when querying for it via systemd-ask-password Move memcmp_constant_time() to crypto.h David Woodhouse (2): pkcs11: Load p11-kit-proxy.so module by default Make 'provider' option to --show-pkcs11-ids optional where p11-kit is present Davide Brini (2): Provide more accurate warning message Document authfile for socks server Dmitrij Tejblum (1): Fix is_ipv6 in case of tap interface. Dorian Harmans (1): Add CHACHA20-POLY1305 ciphersuite IANA name translations. Felix Janda (1): Use OPENVPN_ETH_P_* so that is unecessary Fish (1): Add lz4 support to MSVC. Gert Doering (110): Implement --mssfix handling for IPv6 packets. Fix option inconsistency warnings about "proto" and "tun-ipv6" Fix parameter type for IP_TOS setsockopt on non-Linux systems. Fix client crash on double PUSH_REPLY. Update README.IPv6 to match what is in 2.3.0 Repair "tcp server queue overflow" brokenness, more fallout. Permit pool size of /64.../112 for ifconfig-ipv6-pool Add MIN() compatibility macro Fix directly connected routes for "topology subnet" on Solaris. Print "Virtual IPv6 Address" on management interface queries [v4] Use constrain_int() instead of MIN()+syshead.c compat definition - v2. Fix NULL-pointer crash in route_list_add_vpn_gateway(). Fix usage of 'compression ...' from global config. Make push-peer-info visible in "normal" per-instance environment. Fix problem with UDP tunneling due to mishandled pktinfo structures. Improve documentation and help text for --route-ipv6. Fix argument type warning introduced by http extra proxy header patch. Fix IPv6 examples in t_client.rc-sample Fix slow memory drain on each client renegotiation. t_client.sh: ignore fields from "ip -6 route show" output that distort results. Fix IPv6_V6ONLY logic. Implement LZ4 compression. Provide LZ4 sources in src/compat/ and use if no system lz4 library found. Document "lz4" argument to "compress" config option. Make code and documentation for --remote-random-hostname consistent. Reduce IV_OPENVPN_GUI_VERSION= to IV_GUI_VER= remove some 'unused variable' warnings Cleanup ir6->netbits handling. Document issue with --chroot, /dev/urandom and PolarSSL. Rename 'struct route' to 'struct route_ipv4' Replace copied structure elements with including Add "test-driver" and "compile" to .gitignore Fix crash when using --inetd. IPv6 address/route delete fix for Win8 Add SSL library version reporting. Minor t_client.sh cleanups Repair --multihome on FreeBSD for IPv4 sockets. Rewrite manpage section about --multihome More IPv6-related updates to the openvpn man page. Conditionalize calls to print_default_gateway on !ENABLE_SMALL Merge get_default_gateway() implementation for all 4+1 BSD variants. Drop incoming fe80:: packets silently now. Recognize AIX, define TARGET_AIX Add tap driver initialization and ifconfig for AIX. implement adding/deleting routes on AIX, for IPv4 and IPv6 Make t_client.sh work on AIX. Fix t_lpback.sh platform-dependent failures Call init script helpers with explicit path (./) Fix windows build on older mingw versions. New approach to handle peer-id related changes to link-mtu. Print remote IPv4 address on a dual-stack v6 socket in IPv4 format Fix incorrect use of get_ipv6_addr() for iroute options. Remove count_netmask_bits(), convert users to use netmask_to_netbits2() Fix leftover 'if (false) ;' statements Print helpful error message on --mktun/--rmtun if not available. explain effect of --topology subnet on --ifconfig Add note about file permissions and --crl-verify to manpage. repair --dev null breakage caused by db950be85d37 assume res_init() is always there. Correct note about DNS randomization in openvpn.8 Disallow usage of --server-poll-timeout in --secret key mode. slightly enhance documentation about --cipher Enforce "serial-tests" behaviour for tests/Makefile Revert "Enforce "serial-tests" behaviour for tests/Makefile" On signal reception, return EAI_SYSTEM from openvpn_getaddrinfo(). Use configure.ac hack to apply serial_test AM option only if supported. Use EAI_AGAIN instead of EAI_SYSTEM for openvpn_getaddrinfo(). Move res_init() call to inner openvpn_getaddrinfo() loop Fix FreeBSD ifconfig for topology subnet tunnels. Produce a meaningful error message if --daemon gets in the way of asking for passwords. Document --daemon changes and consequences (--askpass, --auth-nocache). Fix build on OpenSolaris (non-gmake) Un-break --auth-user-pass on windows refactor struct route_ipv6, bring in line with struct route_ipv4 again refactor struct route_ipv6_list, bring in line with struct route_list again Add route_ipv6_gateway* data structures for rgi6 support. Create basic infrastructure for IPv6 default gateway handling / redirection. Make client delay less before sending PUSH_REQUEST get_default_gateway_ipv6(): Linux / Netlink implementation. Implement handling of overlapping IPv6 routes with IPv6 remote VPN server address Implement '--redirect-gateway ipv6' get_default_gateway_ipv6(): *BSD / MacOS / Solaris PF_ROUTE implementation Fix IPv6 host routes to LAN gateway on OpenSolaris Replace unaligned 16bit access to TCP MSS value with bytewise access Repair test_local_addr() on WIN32 Add custom check for inet_pton()/inet_ntop() on MinGW/WIN32 get_default_gateway_ipv6(): Win32 implementation using GetBestRoute2() Remove support for snappy compression. Fix info.af == AF_UNSPEC case for server with --mtu-disc Fix FreeBSD-specific mishandling of gc arena pointer in create_arbitrary_remote() remove unused gc_arena in FreeBSD close_tun() Un-break compilation on *BSD Fix isatty() check for good. Fix openserv/validate.o linking issues on mingw. Fix library order in -lmbedtls test. Implement push-remove option to selectively remove pushed options. Upgrade bundled compat-lz4 to upstream release r131. Change --enable-pedantic to use -std=c99 and not -ansi (C90). Fix problems with NCP and --inetd. Do not abort t_client run if OpenVPN instance does not start. Fix IP_PKTINFO related compilation failure on NetBSD 7.0 Show compile-time variant for --multihome in --version output. Fix win32 building with C99 mode Fix t_client runs on OpenSolaris make t_client robust against sudoers misconfiguration add POSTINIT_CMD_suf to t_client.sh and sample config Fix --multihome for IPv6 on 64bit BSD systems. Enable -D_SVR4_2 for compilation on Solaris Revert "Enable -D_SVR4_2 for compilation on Solaris" Enable -D_XPG4_2 for compilation on Solaris Guy Yur (1): Fix --redirect-private in --dev tap mode. Heikki Hannikainen (1): Always load intermediate certificates from a PKCS#12 file Heiko Hund (20): Fix display of plugin hook types Support UTF-8 --client-config-dir close more file descriptors on exec Ignore UTF-8 byte order mark reintroduce --no-name-remapping option make --tls-remote compatible with pre 2.3 configs add new option for X.509 name verification Support non-ASCII TAP adapter names on Windows Support non-ASCII characters in Windows tmp path make sure sa_family_t is defined convert struct signal_info element grow route lists dynamically fix route struct name refine assertion to allow other modes than CBC Fix compilation on Windows fix warnings on Windows extend management interface command "state" put virtual IPv6 addresses into env interactive service v3 Windows: do_ifconfig() after open_tun() Holger Kummert (1): Del ipv6 addr on close of linux tun interface Hubert Kario (2): ocsp_check - signature verification and cert staus results are separate ocsp_check - double check if ocsp didn't report any errors in execution Ilya Shipitsin (3): initial travis-ci support skip t_lpback.sh and t_cltsrv.sh if openvpn configured --disable-crypto enable "--disable-crypto" build configuration for travis Ivo Manca (1): Plug memory leak in mbedTLS backend James Bekkema (1): Fix socket-flag/TCP_NODELAY on Mac OS X James Geboski (1): Fix --askpass not allowing for password input via stdin James Yonan (14): Added support for the Snappy compression algorithm Always push basic set of peer info values to server. TLS version negotiation Added "setenv opt" directive prefix. If present, and if the directive that follows is recognized, it will be processed as if the "setenv opt" prefix was absent. If present and if the directive that follows is not recognized, the directive will be ignored rather than cause a fatal error. MSVC fixes Set SSL_OP_NO_TICKET flag in SSL context for OpenSSL builds, to disable TLS stateless session resumption. Use native strtoull() with MSVC 2013. Define PATH_SEPARATOR for MSVC builds. Fixed some compile issues with show_library_versions() Added flags parameter to format_hex_ex. Extended x509-track for OpenSSL to report SHA1 fingerprint. Fixed port-share bug with DoS potential Added directive to specify HTTP proxy credentials in config. Bind to local socket before dropping privileges Jan Just Keijser (5): man page patch for missing options make 'explicit-exit-notify' pullable again include ifconfig_ environment variables in --up-restart env set Author: Jan Just Keijser Make certificate expiry warning patch (091edd8e299686) work on OpenSSL 1.0.1 and earlier. Jann Horn (1): Remove quadratic complexity from openvpn_base64_decode() Jeffrey Cutter (1): Update contrib/pull-resolv-conf/client.up for no DOMAIN Jens Neuhalfen (6): Make intent of utun device name validation clear Fix buffer overflow by user supplied data ignore the local config file t_client.rc in git Prevent integration test timeout bc. of sudo Add unit testing support via cmocka Add a test for auth-pam searchandreplace Jens Wagner (1): Fix spurious ignoring of pushed config options (trac#349). Jesse Glick (1): Allow use of NetBeans without saving nbproject/ directory. Joachim Schipper (5): doc/management-notes.txt: fix typo Fix typo in ./configure message Refactor tls_ctx_use_external_private_key() --management-external-key for PolarSSL external_pkcs1_sign: Support non-RSA_SIG_RAW hash_ids Jonathan K. Bullard (3): Fix mismatch of fprintf format specifier and argument type Fix null pointer dereference in options.c Fail if options have extra parameters [v2] Josh Cepek (7): Fix parameter listing in non-debug builds at verb 4 (updated) [PATCH] Warn when using verb levels >=7 without debug Fix proto tcp6 for server & non-P2MP modes Fix Windows script execution when called from script hooks Correct error text when no Windows TAP device is present Require a 1.2.x PolarSSL version Push an IPv6 CIDR mask used by the server, not the pool's size Julien Muchembled (1): Fix --mtu-disc option with IPv6 transport Kenneth Rose (1): Fix v3 plugins to support returning values back to OpenVPN. Klee Dienes (1): tls_ctx_load_ca: Improve certificate error messages Leon Klingele (1): Add link to bug tracker Leonardo Basilio (1): Correctly report TCP connection timeout on windows. Lev Stipakov (26): Peer-id patch v7 Add the peer-id to the output of the status command Prevent memory drain for long lasting floating sessions Disallow lameduck's float to an address taken by another client Fix NULL dereferencing Fix mssfix default value in connection_list context This fixes MSVS 2013 compilation. Continuation of MSVS fixes Fast recovery when host is in unreachable network Fix compilation error with --disable-crypto Send push reply right after async auth complete Fix compilation with --disable-server Refine float logging Generate openvpn-plugin.h for MSVC build Replace variable length array with malloc Use adapter index instead of name for windows IPv6 interface config Notify clients about server's exit/restart Use adapter index for add/delete_route_ipv6 Pass adapter index to up/down scripts Detecting and logging Windows versions Report Windows bitness Fix "implicit declaration" compiler warning Drop recursively routed packets Support for disabled peer-id Exclude peer-id from pulled options digest Use separate list for per-client push options Lukasz Kutyla (1): Fix privilege drop if first connection attempt fails Matthias Andree (1): Enable TCP_NODELAY configuration on FreeBSD. Max Muster (1): Remove duplicate cipher entries from TLS translation table. Michael McConville (1): Fix undefined signed shift overflow Michal Ludvig (1): Support for username-only auth file. Mike Gilbert (2): Add configure check for the path to systemd-ask-password Include systemd units in the source tarball (make dist) Niels Ole Salscheider (1): Fix build with libressl Peter Sagerson (1): Fix configure interaction with static OpenSSL libraries Philipp Hagemeister (2): Add topology in sample server configuration file Implement on-link route adding for iproute2 Phillip Smith (1): Use bob.example.com and alice.example.com to improve clarity of documentation Robert Fischer (1): Updated manpage for --rport and --lport Samuel Thibault (1): Ensure that client-connect files are always deleted Samuli Seppänen (15): Removed ChangeLog.IPv6 Added cross-compilation information INSTALL-win32.txt Updated README Cleaned up and updated INSTALL Fix to --shaper documentation on the man-page Properly escape dashes on the man-page Improve documentation in --script-security section of the man-page Add CONTRIBUTING.rst Update CONTRIBUTING.rst to allow GitHub PRs for code review purposes Clarify the fact that build instructions in README are for release tarballs Mention tap-windows6 in INSTALL file Use an up-to-date easy-rsa URL on the man-page Clarify which Windows versions require which TUN/TAP driver Deprecate the automatic part of openvpnserv.exe in favor of openvpnserv2.exe Automatically cache expected IPs for t_client.sh on the first run Selva Nair (26): Fix termination when windows suspends/sleeps Do not hard-code windows systemroot in env_block Handle ctrl-C and ctrl-break events on Windows Unbreak read username password from management Restrict options/configs for startup through interactive service Send stdout and stderr of OpenVPN started by interactive service to NUL Handle localized Administrators group name in windows Fix interactive service ignoring stop command if openvpn is running Use appropriate buffer size for WideCharToMultiByte output in interactive.c Refactor and move the block-outside-dns code to a new file (block_dns.[ch]) Add support for block-outside-dns through the interactive service Ensure input read using systemd-ask-password is null terminated Support reading the challenge-response from console Make error non-fatal while deleting address using netsh Add support for register-dns through interactive service Fix handling of out of memory error in interactive service Fix the comparison of pull options hash on restart Set WFP engine handle to NULL in win_wfp_uninit() Make block-outside-dns work with persist-tun Add an option to filter options received from server Ignore SIGUSR1/SIGHUP during exit notification Fix management-external-cert option parsing error Return process id of openvpn from interactive service to client Exponentially back off on repeated connect retries Promptly close the netcmd_semaphore handle after use Avoid format specifier %zu for Windows compatibility Steffan Karger (180): PolarSSL-1.2 support Improve PolarSSL key_state_read_{cipher, plain}text messages Improve verify_callback messages Config compatibility patch. Added translate_cipher_name. Switch to IANA names for TLS ciphers. Fixed autoconf script to properly detect missing pkcs11 with polarssl. Use constant time memcmp when comparing HMACs in openvpn_decrypt. Fixed tls-cipher translation bug in openssl-build Fixed usage of stale define USE_SSL to ENABLE_SSL Do not pass struct tls_session* as void* in key_state_ssl_init(). Require polarssl >= 1.2.10 for polarssl-builds, which fixes CVE-2013-5915. Also update TLSv1_method() calls in support code to SSLv23_method() calls. Update TLSv1 error messages to SSLv23 to reflect changes from commit 4b67f98 If --tls-cipher is supplied, make --show-tls parse the list. Remove OpenSSL tmp_rsa_callback. Removes support for ephemeral RSA in TLS. Make tls_ctx_restrict_ciphers accept NULL as char *cipher_list. Disable export ciphers by default for OpenSSL builds. Fix compiler warning for unused result of write() Remove unused variables from ssl_verify_polarssl.c's x509_get_serial() Fix compiler warnings in ssl_polarssl.c Bump minimum OpenSSL version to 0.9.8 Add openssl-specific common cipher list names to ssl.c. Disable unsupported TLS cipher modes by default, cleans --show-tls output. configure.ac: check for SSL_OP_NO_TICKET flag in OpenSSL configure.ac: use CPPFLAGS for SSL_OP_NO_TICKET check Upgrade to PolarSSL 1.3 Improve error reporting during key/cert loading with PolarSSL. Update openvpn-plugin.h for PolarSSL 1.3. Add support for elliptic curve diffie-hellmann key exchange (ECDH) Add an elliptic curve testing cert chain to the sample keys Change signedness of hash in x509_get_sha1_hash(), fixes compiler warning. Fix OCSP_check.sh to also use decimal for stdout verification. Make serial env exporting consistent amongst OpenSSL and PolarSSL builds. Fix build system to accept non-system crypto library locations for plugins. Remove function without effect (cipher_ok() always returned true). Remove unneeded wrapper functions in crypto_openssl.c Remove unneeded defines (were needed for pre-0.9.7 OpenSSL). Fix merge error in a6c573d, the ssl ctx is now abstracted. Use generic openvpn_x509_cert_t in ssl_verify_polarssl.c Fix ssl.c, ssl_verify_* includes Move #include "ssl_verify.h" from ssl.h to the source files that need it. Remove dependency on manage.h from ssl_verify.h Remove unused variable 'proxy' from socket_restart_pause() Add (default disabled) --enable-werror option to configure Fix --disable-ssl builds, were broken by cleanup in 63dc03d. configure.ac: fix SSL_OP_NO_TICKET check Fix bug that incorrectly refuses oid representation eku's in polar builds Update README.polarssl cleanup: remove #if 0'ed function initiate_untrusted_session() from ssl.c. Rename ALLOW_NON_CBC_CIPHERS to ENABLE_OFB_CFB_MODE, and add to configure. Add proper check for crypto modes (CBC or OFB/CFB) Improve --show-ciphers to show if a cipher can be used in static key mode Extend t_lpback tests to test all ciphers reported by --show-ciphers Don't issue warning for 'translate to self' tls-ciphers Don't exit daemon if opening or parsing the CRL fails. Define dummy SSL_OP_NO_TICKET flag if not present in OpenSSL. Fix typo in cipher_kt_mode_{cbc, ofb_cfb}() doxygen. Fix some unintialized variable warnings Fix clang warning in options.c Fix compiler warnings in ssl_polarssl.c. Fix regression with password protected private keys (polarssl) Remove unused variables from ssl_verify_openssl.c extract_x509_extension() Fix assertion error when using --cipher none Add --tls-version-max Modernize sample keys and sample configs Drop too-short control channel packets instead of asserting out. Really fix '--cipher none' regression Update doxygen (a bit) Set tls-version-max to 1.1 if cryptoapicert is used openssl: add crypto_msg(), to easily log openssl errors openssl: add more descriptive message for 'no shared cipher' error Remove ENABLE_SSL define (and --disable-ssl configure option) openssl: use crypto_msg(), get rid of openssl-specific code in error.c Add option to disable Diffie Hellman key exchange by setting '--dh none' Account for peer-id in frame size calculation Disable SSL compression Use tls-auth in sample config files Fix frame size calculation for non-CBC modes. Get rid of old OpenSSL workarounds. polarssl: make sure to always null-terminate the cn Allow for CN/username of 64 characters (fixes off-by-one) Change float log message to include common name, if available. Remove unneeded parameter 'first_time' from possibly_become_daemon() Remove size limit for files inlined in config polarssl: remove code duplication in key_state_write_plaintext{, _const}() Improve --tls-cipher and --show-tls man page description polarssl: disable 1/n-1 record splitting cleanup: remove md5 helper functions Re-read auth-user-pass file on (re)connect if required Clarify --capath option in manpage Call daemon() before initializing crypto library write pid file immediately after daemonizing Increase control channel packet size for faster handshakes Make __func__ work with Visual Studio too fix regression: query password before becoming daemon Fix using management interface to get passwords. reintroduce md5_digest wrapper struct to fix gcc warnings Fix out-of-tree builds; openvpn-plugin.h should be in AC_CONFIG_HEADERS Fix overflow check in openvpn_decrypt() Replace strdup() calls for string_alloc() calls Check return value of ms_error_text() polarssl: add easy logging for PolarSSL errors polarssl: Improve PolarSSL logging openssl: be less verbose about cipher translation errors hardening: add insurance to exit on a failed ASSERT() Fix memory leak in auth-pam plugin openssl: remove usage of OPENSSL_malloc() from show_available_curves polarssl: fix --client-cert-not-required polarssl: add --verify-client-cert optional support Fix (potential) memory leak in init_route_list() Add macro to ensure we exit on fatal errors polarssl: also allocate PKCS#11 certificate object on demand polarssl: don't use deprecated functions anymore polarssl: require >= 1.3.8 Fix memory leak in add_option() by simplifying get_ipv6_addr remove nonsense const specifier in nonfatal() return value openssl: properly check return value of RAND_bytes() Fix rand_bytes return value checking Fix openssl builds with custom-built library: specify most-dependent first Support duplicate x509 field values in environment Warn user if their certificate has expired Disable certificate notBefore/notAfter sanity check on OpenSSL < 1.0.2 Make assert_failed() print the failed condition cleanup: get rid of httpdigest.c type warnings Fix regression in setups without a client certificate polarssl: actually use polarssl debug logging polarssl: optimize polar_ok() for non-errors Update manpage: OpenSSL might also need /dev/urandom inside chroot polarssl: use wrappers to access md_info_t member functions polarssl: remove now redundant 128-bit blowfish key override socks.c: fix check on get_user_pass() return value(s) configure.ac: simplify crypto library configuration configure.ac: fix polarssl autodetection Allow NULL argument in cipher_ctx_get_cipher_kt() Remove reuse of key_type during init of data channel auth and tls-auth Move crypto_options into key_state and stop using context in SSL-mode. Move key_ctx_bi into crypto_options Move packet_id into crypto_options Change openvpn_encrypt() to append to work buffer only Create separate function for replay check Add AEAD cipher support (GCM) Add cipher name translation for OpenSSL. Add preliminary server-side support for negotiable crypto parameters Minor AEAD patch cleanup Clean up get_tls_handhake_key() Fix OCSP_check.sh Make AEAD modes work with OpenSSL 1.0.1-1.0.1c hardening: add safe FD_SET() wrapper openvpn_fd_set() Only include aead encrypt/decrypt functions if AEAD modes are supported Fix potential null-pointer dereference Fix memory leak in argv_extract_cmd_name() Replace MSG_TEST() macro for static inline msg_test() fixup: change init_key_type() param name in declaration too Further restrict default cipher list PolarSSL x509_get_sha1_hash now returns correct SHA1 fingerprint. Implemented x509-track for PolarSSL. Migrate to mbed TLS 2.x Rename files with 'polarssl' in the name to 'mbedtls' configure.ac: link to all mbed TLS libs during library detection mbedtls: check that private key and certificate match on start mbedtls: improve error reporting in tls verify callback Remove trailing newline from verify callback error messages Don't limit max incoming message size based on c2->frame cleanup: remove alloc_buffers argument from multi_top_init() mbedtls: don't set debug threshold if compiled without MBEDTLS_DEBUG_C Add client-side support for cipher negotiation Add options to restrict cipher negotiation Add server-side support for cipher negotiation Allow ncp-disable and ncp-ciphers to be specified in ccd files Fix '--cipher none --cipher' crash Discourage using 64-bit block ciphers Fix unittests for out-of-source builds Fix --mssfix when using NCP Drop gnu89/c89 support, switch to c99 cleanup: remove code duplication in msg_test() Add SHA256 fingerprint support Make sure options->ciphername and options->authname are always defined Update cipher-related man page text Fix duplicate PUSH_REPLY options Check --ncp-ciphers list on startup TDivine (1): Fix "code=995" bug with windows NDIS6 tap driver. Tamas TEVESZ (1): Add support for client-cert-not-required for PolarSSL. Thomas Veerman (2): Fix "." in description of utun. Update expiry date in management event loop ValdikSS (4): Add Windows DNS Leak fix using WFP ('block-outside-dns') Clarify mssfix documentation Clarify --block-outside-dns documentation Update --block-outside-dns to work on Windows Vista Vasily Kulikov (1): Mac OS X Keychain management client Yawning Angel (1): Fix SOCKSv5 method selection Yegor Yefremov (3): socket: remove duplicate expression polarssl: fix unreachable code cert_data: fix memory leak janjust (1): Fix "White space before end tags can break the config parser" kangsterizer (1): Fix typo in sample build script to use LDFLAGS svimik (1): Fix segfault when enabling pf plug-ins 2012.09.12 -- Version 2.3_beta1 Arne Schwabe (7): Fixes error: --key fails with EXTERNAL_PRIVATE_KEY: No such file or directory if --management-external-key is used Merge almost identical create_socket_tcp and create_socket_tcp6 Document the inlining of files in openvpn and document key-direction Merge getaddr_multi and getaddr6 into one function Document --management-client and --management-signal a bit better Document that keep alive will double the second value in server mode and give a short explanation why the value is chosen. Add checks for external-key-managements David Sommerseth (1): Fix reconnect issues when --push and UDP is used on the server Gert Doering (4): Reduce --version string detail about IPv6 to just "[IPv6]". Put actual OpenVPN command line on top of corresponding log file. Keep pre-existing tun/tap devices around on *BSD make "ipv6 ifconfig" on linux compatible with busybox ifconfig Heiko Hund (6): fix regression with --http-proxy[-*] options add x_msg_va() log function add API for plug-ins to write to openvpn log remove stale _openssl_get_subject() prototype remove unused flag SSLF_NO_NAME_REMAPPING Add --compat-names option 2012.07.20 -- Version 2.3_alpha3 Arne Schwabe (1): Fix compiling with --disable-management Gert Doering (1): Repair "tap server" mode brokenness caused by fallout Heiko Hund (4): make non-blocking connect work on Windows don't treat socket related errors special anymore remove unused show_connection_list debug function add option --management-query-proxy 2012.06.29 -- Version 2.3_alpha2 Adriaan de Jong (11): Fixed off-by-one in serial length calculation Migrated x509_get_subject to use of the garbage collector Migrated x509_get_serial to use the garbage collector Migrated x509_get_sha1_hash to use the garbage collector Ensure sys/un.h autoconf detection includes sys/socket.h Added support for new PolarSSL 1.1 RNG Added a configuration option to enable prediction resistance in the PolarSSL random number generator. Use POLARSSL_CFLAGS instead of POLARSSL_CRYPTO_CFLAGS in configure.ac Removed support for PolarSSL < 1.1 Updated README.polarssl with build system changes. Removed stray "Fox-IT hardening" string. Alon Bar-Lev (94): build: version should not contain '-' package: rpm: strip should be handled by package management cleanup: options.c: remove redundant include cleanup: remove C++ warnings cleanup: win32.c: wrong printf format cleanup: remove redundant ';' cleanup: crypto_openssl.c: remove support for pre-openssl-0.9.6 cleanup: tun.c: fix incorrect option in message (ip-win32) cleanup: memcmp.c: remove unused source fixup: init.c: add missing conditional for ENABLE_CLIENT_CR build: correct place to alter WINVER is at build system Update .gitignore build: handle printf style format in mingw build: rename plugin directory to plugins build: plugins: properly use CC, CFLAGS and LDFLAGS build: we need the sample.ovpn in future Remove install-win32 Remove easy-rsa Remove tap-win32 cleanup: rename tap-windows function from win32 to win build: remove windows specific build system build: split acinclude.m4 into m4/* build: m4/ax_varargs.m4: cleanup build: m4/ax_emptyarray.m4: cleanup build: m4/ax_socklen_t.m4: cleanup build: autotools: first pass of trivial autotools changes build: autoconf: remove OPENVPN_ADD_LIBS useless macro build: remove awk and non-standard autoconf output processing build: standard directory layout build: add libtool + windows resources for executables build: autoconf: commands as environment build: libdl usage build: properly detect and use socket libs build: autoconf: minor cleanups build: proper selinux detection and usage build: distribute pkg.m4 build: proper pkcs11-helper detection and usage build: properly process lzo-stub build: proper lzo detection and usage build: proper crypto detection and usage build: autoconf: update defaults for options build: win-msvc: msbuild format build: move out config.h include from syshead build: split out compat build: move gettimeofday() emulation to compat build: move daemon() emulation into compat build: move inet_ntop(), inet_pton() emulation into compat cleanup: move console related function into its own module build: move wrappers into platform module build: windows: install version.sh to allow installer read version build: distribute samples in windows build: use tap-windows.h as external dependency build: ax_varargs.m4: fixups build: autoconf: misc sockets fixups build: enable lzo by default build: windows: set vendor to openvpn project + cleanups build: assume dlfcn is available on all supported platforms build: openbsd: detect netinet/ip.h correctly build: tap: search for tap header build: msvc: upgrade to Visual Studio 2010 + fixups Enable pedantic in windows compilation cleanup: flags should not be bool cleanup: avoid using ~0 - generic cleanup: avoid using ~0 - ipv6 cleanup: avoid using ~0 - netmask cleanup: avoid using ~0 - windows cleanup: gc usage build: fix some statement left from conversion build: properly detect netinet/ip.h structs build: properly detect TUNSETPERSIST cleanup: plugin: support C++ plugin cleanup: remove C++ comments cleanup: add .gitattributes to control eol style explicitly crash: packet_id_debug_print: sl may be null build: use stdbool.h if available build: fix typo in --enable-save-password build: windows: convert resources to UTF-8 build: check minimum polarssl version cleanup: update .gitignore cleanup: spec: make space/tab consistent build: spec: we support openssl >= 0.9.7 build: insall README* document using build system build: detect sys/wait.h required for *bsd build: add git revision to --version output if build from git repository build: cleanup: yet another forgotten brackets build: update INSTALL to recent changes build: support platforms that does not need explicit tun headers build: do not support authenticated in verify_user_pass Moved gc_new and gc_free to begin end of function Fixed a bug in the return value of ssl_verify when pre_verify failed Unified verification function return values: Removed a stray Fox-IT tag Fixed a typo: print the subject instead of the serial for verification errors Made SSL_CIPHER const in print_details, to fix warning Moved to PolarSSL 1.0.0: Added missing #ifdef to allow --disable-managent to work again Fixed disabling crypto and SSL Got rid of a few magic numbers in ntlm.c Removed obsolete des_cblock and des_keyschedule Further removal of des_old.h based calls Fixed missing comma in plugin.h Moved prng_uninit out of crypto_uninit_lib Moved CryptoAPI header include to the ssl_openssl.c Reordered functions to ensure warning-free Windows build Added options to switch between OpenSSL and PolarSSL and PKCS11... Moved from strsep to strtok, for Windows compatibility Minor cleanup to enable warning-free Windows build: Fixed a typo when initialising cryptoapi certs Minor code cleanup: cleaned up error handling in verify_cert. Moved out of memory prototype to error.h, as the definition is in error.c Removed support for calling gc_malloc with a NULL gc_arena struct (The follwing patches from Adriaan was mistakenly merged with the wrong commit author in the git tree) Doxygen: Added data channel crypto docs Added control channel crypto docs Added compression docs Added reliability layer documentation Added memory management documentation Added data channel fragmentation docs Added main/control docs Moved doxygen-specific files to a separate directory Byron Ellacott (1): autoconf fixes for building on OSX David Sommerseth (50): Provide 'dev_type' environment variable to plug-ins and script hooks Define the new openvpn_plugin_{open,func}_v3() API Implement the core v3 plug-in function calls. Extend the v3 plug-in API to send over X509 certificates Added a simple plug-in demonstrating the v3 plug-in API. Separate the general plug-in version constant and v3 plug-in structs version Use a version-less version identifier on the master branch Fix the --client-cert-not-required feature Change the default --tmp-dir path to a more suitable path Improve the mysprintf() issue in openvpnserv.c Add a simple comment regarding openvpn_snprintf() is duplicated Merge branch 'feat_ipv6_transport' Merge branch 'feat_ipv6_payload' Merge branch 'svn-branch-2.1' into merge Solved hidden merge conflicts between master and svn-branch-2.1 Fix const declarations in plug-in v3 structs Merge remote-tracking branch 'cron2/feat_ipv6_payload_2.3' Don't define ENABLE_PUSH_PEER_INFO if SSL is not available Fix compiling issues with pkcs11 when --disable-management is configured Remove support for Linux 2.2 configuration fallback Revert "Add new openssl.cnf to easy-rsa/Windows" Merge remote branch SVN 2.1 into the git tree Merge branch 'svn-merger' Fix Microsoft Visual Studio incompatibility in plugin.c Fixed compile issues on FreeBSD and Solaris Fix PolarSSL and --pkcs12 option issues Fix FreeBSD/OpenBSD/NetBSD compiler warnings in get_default_gateway() Make '--win-sys env' default Do some file/directory tests before really starting openvpn Fix bug after removing Linux 2.2 support Don't look for 'stdin' file when using --auth-user-pass Fix compiling with --disable-crypto and/or --disable-ssl Fix a couple of issues in openvpn_execve() Move away from openvpn_basename() over to platform provided basename() Enable access() when building in Visual Studio New Windows build fixes Fix compilation errors on Linux platforms without SO_MARK autotools ./configure don't like compat.h Fix pool logging when IPv6 is not enabled Don't check for file presence on inline files Add --route-pre-down/OPENVPN_PLUGIN_ROUTE_PREDOWN script/plug-in hook Enhance the error handling in _openssl_get_subject() Fix assert() situations where gc_malloc() is called without a gc_arena object Fix compile issues when plug-ins are disabled. Remove --show-gateway if debug info is not enabled (--disable-debug) Fix compile issues with status.c Connection entry {tun,link}_mtu_defined not set correctly Makefile.am referenced a now non-existing config-win32.h Makefile.am was missing ssl_common.h Revamp check_file_access() checks in stdin scenarios Davide Guerri (1): New feauture: Add --stale-routes-check Frank de Brabander (1): Fixed wrong return type of cipher_kt_mode Frederic Crozat (1): Add support to forward console query to systemd Gert Doering (45): Add more detailed explanation regarding the function of "--rdns-internal" Enable IPv6 Payload in OpenVPN p2mp tun server mode. 20100104-1 release. remove NOTES file from commit - private scribbling NetBSD fixes - on 4.0 and up, use multi-af mode. new feature: "ifconfig-ipv6-push" (from ccd/ config) add some TODOs to TODO.IPv6 undo accidential duplication of existing "--iroute" line in the help text basic documentation of IPv6 related options and their syntax Enable IPv6 Payload in OpenVPN p2mp tun server mode. remove NOTES file from commit - private scribbling env_block(): if PATH is not set, add standard PATH setting to env add IPv6 route add / route delete code for windows (using "netsh") - Win32 IPv6 ifconfig support, using "netsh" calls drop "book ipv6" from open_tun() and tuncfg() prototypes document recent changes and open TODOs, adapt --version info, tag release Win32: set next-hop for IPv6 routes according to TUN/TAP mode when deleting a route on win32, also add gateway address WIN32: if IPv6 requested in TUN mode, check if TUN/TAP driver < 9.7 revert unconditionally-enabling of setenv_es() logging implement IPv6 ifconfig + route setup/deletion on OpenBSD full "VPN client connect" test framework for OpenVPN t_client.rc-sample renamed t_client.sh to t_client.sh.in 2.2-beta3 has a signed TAP driver with the IPv6 code - test for 9.8 correct URL for "more information about IPv6 patch is *here*" bugfix for linux/iproute2: IPv6 ifconfig code block was not called for "dev tun"+"topology subnet" bump IPv6 version number (openvpn --version) to 20100922-1 Implement "ipv6 ifconfig" for TAP interfaces on Solaris interfaces rebased to 2.2RC2 (beta 2.2 branch) Windows IPv6 cleanup - properly remove IPv6 routes and interface config For all accesses to "struct route_list * rl", check first that rl is non-NULL Replace 32-bit-based add_in6_addr() implementation by an 8-bit based one Platform cleanup for NetBSD Move block for "stale-routes-check" config inside #ifdef P2MP_SERVER block add missing break between "case IPv4" and "case IPv6" bump tap driver version from 9.8 to 9.9 log error message and exit for "win32, tun mode, tap driver version 9.8" work around inet_ntop/inet_pton problems for MSVC builds on WinXP Fix build-up of duplicate IPv6 routes on reconnect. Fix list-overrun checks in copy_route_[ipv6_]option_list() add "print test titles" and "use sudo" functionality to t_client.rc Platform cleanup for FreeBSD Implement IPv6 interface config with non-/64 prefix lengths. Fix RUN_SUDO functionality for t_client.sh Document IPv6-related environment variables. Platform cleanup for OpenBSD Gisle Vanem (1): Avoid re-defining uint32_t when using mingw compiler Gustavo Zacarias (1): Fix compile issues when using --enable-small and --disable-ssl/--disable-crypto Heiko Hund (16): add .gitignore to official repository remove function is_proto_tcp() remove legacy code to query IE proxy information lowercase include header name in syshead.h define IN6_ARE_ADDR_EQUAL macro for WIN32 add --mark option to set SO_MARK sockopt Windows UTF-8 input/output UTF-8 X.509 distinguished names set Windows environment variables as UCS-2 handle Windows unicode paths replace check for TARGET_WIN32 with WIN32 do not use mode_t on Windows use the underscore version of stat on Windows make MSVC link against shell32 as well move variable declaration to top of function define access mode flag X_OK as 0 on Windows Igor Novgorodov (1): The code blocks enabled by ENABLE_CLIENT_CR depends on management James Yonan (57): Added "management-external-key" option. Minor addition of logging info before and after execution of Windows net commands. Misc fixes to r6708. Added --x509-track option. * added --management-up-down option to allow management interface to be notified of tunnel up/down events. Fixed minor compile issue triggered on builds where MANAGEMENT_DEF_AUTH is not enabled. Implemented get_default_gateway_mac_addr for Mac OS X Fixes to r6925. Properly handle certificate serial numbers > 32 bits. Added "client-nat" option for stateless, one-to-one NAT on the client side. Renamed branch to reflect that it is no longer beta. env_filter_match now includes the serial number of all certs Fixed issue where a client might receive multiple push replies from a server Fixed bug introduced in r7031 that might cause this error message: Extended "client-kill" management interface command (server-side) Client will now try to reconnect if no push reply received within handshake-window seconds. Version 2.1.3n Fixed compiling issues when using --disable-crypto Added "management-external-key" option. Misc fixes to r6708. win/sign.py now accepts an optional tap-dir argument. Added "auth-token" client directive Added ./configure --enable-osxipconfig option for Mac OS X Added more packet ID debug info at debug level 3 for debugging false positive packet replays. Fixed bug that incorrectly placed stricter TCP packet replay rules on UDP sessions Fixed bug in port-share that could cause port share process to crash For Mac OSX, when DARWIN_USE_IPCONFIG is defined, retry ipconfig command on failure Version 2.1.3t Revert r7092 and r7151, i.e. remove --enable-osxipconfig configure option. Added 'dir' flag to "crl-verify" (see man page for info). Added new "extra-certs" and "verify-hash" options Fixed compile issues on Windows. Added --enable-lzo-stub configure option to build an OpenVPN client without LZO Added optional journal directory argument to "port-share" directive Reduce log verbosity at level 3, with a focus on removing excessive log verbosity generated by port-share activity. env_filter_match now includes the serial number of all certs in chain Added support for static challenge/response protocol. r7316 fixes. Added redirect-gateway block-local flag, with support for Linux, Mac OS X Extended x509-track to allow SHA1 certificate hash to be extracted Added "management-query-remote" directive (client) to allow the management interface to override the "remote" directive. Version 2.1.5. Fixed MSVC compile error related to r7408. Redact "echo" directive strings from log, since these strings (going forward) could conceivably contain security-sensitive data. Modified sanitize_control_message to remove redacted data from control string rather than blotting it out with "_" chars. Changed CC_PRINT character class to allow UTF-8 chars. Increased the --verb threshold for "PID_ERR replay" messages to 4 from 3. Fixed issue where redirect-gateway block-local code was not correctly calculating... CC_PRINT character class now allows any 8-bit character value >= 32. "status" management interface command (version >= 2) will now include the username for each connected user. Minor fix to CC_PRINT char class Fixed management interface bug where >FATAL notifications were not being output properly Raised D_PID_DEBUG_LOW from level 3 to 4 to reduce replay error verbosity at level 3. Added "memstats" option to maintain real-time operating stats in a memory-mapped file. Fixed client issues with DHCP Router option extraction/deletion when using layer 2 with DHCP proxy: Allow "tap-win32 dynamic " to be used in topology subnet mode. Added support for "on-link" routes on Linux client Jan Just Keijser (1): Made some options connection-entry specific Joe Patterson (1): common_name passing in auth_pam plugin JuanJo Ciarlante (40): * rebased openvpn-2.1_rc1b.jjo.20061206.d.patch * created getaddr6(), use it from resolve_remote() * migrated all getaddrinfo() to getaddr6 * socket.c: use USE_PF_INET6 in switch constructs to actually toss them out, * support --disable-ipv6 build properly: * important fix for tcp6 reconnection was incorrectly creating a PF_INET socket * added README.ipv6.txt * fixed win32 non-ipv6 build * ipv6 on win32 "milestone": 1st snapshot that passes all unittests * document ipv6 milestone status * doc update w/unittests results * make possible to x-compile openvpn/win32 in Linux * correctly setup hints.ai_socktype for getaddrinfo(), althought sorta hacky, see TODO.ipv6. * renamed README.ipv6{.txt,} * updated {README,TODO}.ipv6 from feedback at openvpn-devel mlist * init.c: document the ENABLE_MANAGEMENT place to work on * init.c: small in-doc tweaks * fix multi-tcp crash (corrected assertion) * TODO.ipv6 update * socket.c: better buf logic in print_sockaddr_ex * fixed segfault for undef address family in print_sockaddr_ex (thanks Marcel!) * doc updates * openbsd: no IFF_MULTICAST, #ifdef around it * no new funcionality, just small cleanups * (prototype) fix for supporting "redirect-gateway" for tunneled ipv4 over ipv6 endpoints * polished redirect-gateway (ipv4 on ipv6 endpoints) support * updated doc * fix --disable-ipv6 build * doc updates * rebased to v2.1.1 release * undo mroute.c changes related to ipv6 payload * fix --multihome for ipv4 * fix --multihome for ipv6 * ipv6-0.4.14: fix xinetd usage * ipv6-0.4.15: add --multihome support to xBSD * ipv6-0.4.15b: rebase over openvpn-testing-master * ipv6-0.4.16: fix mingw32 build * make ipv6_payload compile under windowze USE_PF_INET6 by default for v2.3 fix ipv6 compilation under macosx >= 1070 - v3 Markus Koetter (1): Add extv3 X509 field support to --x509-username-field Matthew L. Creech (1): Fix 2.2.0 build failure when management interface disabled Matthias Andree (1): Skip rather than fail test in addressless FreeBSD jails. Robert Fischer (8): Update man page with info about --capath Update man page with info about --connect-timeout Added info about --show-proxy-settings Documented --x509-username-field option Documented --errors-to-stderr option Documented --push-peer-info option Update man page with info about --remote-random-hostname Added man page entry for --management-client Samuli Seppänen (19): Add man page entry for --redirect-private Change all CRLF linefeeds to LF linefeeds Fix a bug in devcon source code handling Removed Win2k from supported platforms list in INSTALL and win/openvpn.nsi Fixed copying of tapinstall.exe to dist/bin when using prebuilt TAP-drivers Fixed a bug with GUI icon deletion on upgrade from 2.2-RC or earlier Fix a build-ca issue on Windows Add new openssl.cnf to easy-rsa/Windows Updated "easy-rsa" for OpenSSL 1.0.0 Made domake-win builds to use easy-rsa/2.0/openssl-1.0.0.cnf Fixes to easy-rsa/2.0 Merged TODO.IPv6 with TODO.ipv6 and README.IPv6 with README.ipv6 Fixed a number of fatal build errors on Visual Studio 2008 Fix a Visual Studio 2008 build issue in socket.c Additional Visual Studio 2008 build fixes to tun.c Fixed a typo in win32.h that prevented building with Visual Studio Fixed a regression causing VS2008/Python build failure Fix a Visual Studio 2008 build error in tun.c Fix a Visual Studio 2008 build error in options.c Simon Matter (1): Fix issues with some older GCC compilers Stefan Hellermann (2): plugin.h: update prototype of plugin_call dummy in !ENABLE_PLUGIN case Fixed typo in plugin.h chantra (1): Clarify --tmp-dir option smos (1): Change the netsh.exe command from "add" to "set". 2011.12.25 -- Version 2.x-master James Yonan (1): Added support for "on-link" routes on Linux client -- these are routes where the gateway is specified as an interface rather than an address. This allows redirect-gateway to work on Linux clients whose connection to the internet is via a point-to-point link such as PPP. Note that at the moment, this capability is incompatible with the "redirect-gateway block-local" directive -- this is because the block-local directive blocks all traffic from the local LAN except for the local and gateway addresses. Since a PPP link is essentially a subnet of two addresses, local and remote (i.e. gateway), the set of addresses that would be blocked by block-local is empty. Therefore, the "redirect-gateway block-local" directive will be ignored on PPP links. To view the OpenVPN client's current determination of the default gateway, use this command: ./openvpn --show-gateway 2011.03.24 -- Version 2.2-RC2 Alon Bar-Lev (1): Windows cross-compile cleanup David Sommerseth (2): Open log files as text files on Windows Clarify default value for the --inactive option. Gert Doering (1): Implement IPv6 in TUN mode for Windows TAP driver. Samuli Seppänen (6): Added support for prebuilt TAP-drivers. Automated embedding manifests. Fixes to win/openvpn.nsi Replaced config-win32.h with win/config.h.in Updated INSTALL-win32.txt Fixes to Makefile.am Clarified --client-config-dir section on the man-page. Ville Skyttä (1): Fix line continuation in chkconfig init script description. 2011.02.28 -- Version 2.2-RC David Sommerseth (3): Make the --x509-username-field feature an opt-in feature Fix compiler warning when compiling against OpenSSL 1.0.0 Fix packaging of config-win32.h and service-win32/msvc.mak James Yonan (1): Minor addition of logging info before and after execution of Windows net commands. Matthias Andree (1): Change variadic macros to C99 style. Samuli Seppänen (15): Added ENABLE_PASSWORD_SAVE to config-win32.h Added a nmake makefile for openvpnserv.exe building Moved TAP-driver version info to version.m4. Cleaned up win/settings.in. Added helper functionality to win/wb.py Added support for viewing config-win32.h paramters to win/show.py Added comments and made small modifications to win/msvc.mak.in Added command-line switch to win/build_all.py to skip TAP driver building Added configure.h and version.m4 variable parsing to win/config.py Added openvpnserv.exe building to win/build.py Added comments to win/build_ddk.py Several modifications to win/make_dist.py to allow building the NSI installer Copied install-win32/setpath.nsi to win/setpath.nsi Added first version of NSI installer script to win/openvpn.nsi Changes to buildsystem patchset Temporary snprintf-related fix to service-win32/openvpnserv.c 2010.11.25 -- Version 2.2-beta5 Samuli Seppänen (1): Fixed an issue causing a build failure with MS Visual Studio 2008. 2010.11.18 -- Version 2.2-beta4 David Sommerseth (10): Clarified --explicit-exit-notify man page entry Clean-up: Remove pthread and mutex locking code Clean-up: Remove more dead and inactive code paths Clean-up: Removing useless code - hash related functions Use stricter snprintf() formatting in socks_username_password_auth() (v3) Fix compiler warnings about not used dummy() functions Fixed potential misinterpretation of boolean logic Only add some functions when really needed Removed functions not being used anywhere Merged add_bypass_address() and add_host_route_if_nonlocal() Gert Doering (3): Integrate support for TAP mode on Solaris, written by Kazuyoshi Aizawa . Make "topology subnet" work on Solaris Improved man page entry for script_type James Yonan (5): Fixed initialization bug in route_list_add_default_gateway (Gert Doering). Implement challenge/response authentication support in client mode Make base64.h have the same conditional compilation expression as base64.c. Fixed compiling issues when using --disable-crypto In verify_callback, the subject var should be freed by OPENSSL_free, not free Jesse Young (1): Remove hardcoded path to resolvconf Lars Hupel (1): Add HTTP/1.1 Host header Pierre Bourdon (1): Adding support for SOCKS plain text authentication Samuli Seppänen (2): Added check for variable CONFIGURE_DEFINES into options.c Added command-line option parser and an unsigned build option to build_all.py 2010.08.21 -- Version 2.2-beta3 * Attempt to fix issue where domake-win build system was not properly signing drivers and .exe files. Added win/tap_span.py for building multiple versions of the TAP driver and tapinstall binaries using different DDK versions to span from Win2K to Win7 and beyond. * Community patches David Sommerseth (2): Test framework improvment - Do not FAIL if t_client.rc is missing More t_client.sh updates - exit with SKIP when we want to skip Gert Doering (4): Fix compile problems on NetBSD and OpenBSD Fix compile time problems on OpenBSD for good full "VPN client connect" test framework for OpenVPN Build t_client.sh by configure at run-time. chantra (1): Fixes openssl-1.0.0 compilation warning 2010.08.16 -- Version 2.2-beta2 * Windows security issue: Fixed potential local privilege escalation vulnerability in Windows service. The Windows service did not properly quote the executable filename passed to CreateService. A local attacker with write access to the root directory C:\ could create an executable that would be run with the same privilege level as the OpenVPN Windows service. However, since non-Administrative users normally lack write permission on C:\, this vulnerability is generally not exploitable except on older versions of Windows (such as Win2K) where the default permissions on C:\ would allow any user to create files there. Credit: Scott Laurie, MWR InfoSecurity * Added Python-based based alternative build system for Windows using Visual Studio 2008 (in win directory). * When aborting in a non-graceful way, try to execute do_close_tun in init.c prior to daemon exit to ensure that the tun/tap interface is closed and any added routes are deleted. * Fixed an issue where AUTH_FAILED was not being properly delivered to the client when a bad password is given for mid-session reauth, causing the connection to fail without an error indication. * Don't advance to the next connection profile on AUTH_FAILED errors. * Fixed an issue in the Management Interface that could cause a process hang with 100% CPU utilization in --management-client mode if the management interface client disconnected at the point where credentials are queried. * Fixed an issue where if reneg-sec was set to 0 on the client, so that the server-side value would take precedence, the auth_deferred_expire_window function would incorrectly return a window period of 0 seconds. In this case, the correct window period should be the handshake window period. * Modified ">PASSWORD:Verification Failed" management interface notification to include a client reason string: >PASSWORD:Verification Failed: 'AUTH_TYPE' ['REASON_STRING'] * Enable exponential backoff in reliability layer retransmits. * Set socket buffers (SO_SNDBUF and SO_RCVBUF) immediately after socket is created rather than waiting until after connect/listen. * Management interface performance optimizations: 1. Added env-filter MI command to perform filtering on env vars passed through as a part of --management-client-auth 2. man_write will now try to aggregate output into larger blocks (up to 1024 bytes) for more efficient i/o * Fixed minor issue in Windows TAP driver DEBUG builds where non-null-terminated unicode strings were being printed incorrectly. * Fixed issue on Windows with MSVC compiler, where TCP_NODELAY support was not being compiled in. * Proxy improvements: Improved the ability of http-auth "auto" flag to dynamically detect the auth method required by the proxy. Added http-auth "auto-nct" flag to reject weak proxy auth methods. Added HTTP proxy digest authentication method. Removed extraneous openvpn_sleep calls from proxy.c. * Implemented http-proxy-override and http-proxy-fallback directives to make it easier for OpenVPN client UIs to start a pre-existing client config file with proxy options, or to adaptively fall back to a proxy connection if a direct connection fails. * Implemented a key/value auth channel from client to server. * Fixed issue where bad creds provided by the management interface for HTTP Proxy Basic Authentication would go into an infinite retry-fail loop instead of requerying the management interface for new creds. * Added support for MSVC debugging of openvpn.exe in settings.in: # Build debugging version of openvpn.exe !define PRODUCT_OPENVPN_DEBUG * Implemented multi-address DNS expansion on the network field of route commands. When only a single IP address is desired from a multi-address DNS expansion, use the first address rather than a random selection. * Added --register-dns option for Windows. Fixed some issues on Windows with --log, subprocess creation for command execution, and stdout/stderr redirection. * Fixed an issue where application payload transmissions on the TLS control channel (such as AUTH_FAILED) that occur during or immediately after a TLS renegotiation might be dropped. * Added warning about tls-remote option in man page. 2009.12.11 -- Version 2.1.1 * Fixed some breakage in openvpn.spec (which is required to build an RPM distribution) where it was referencing a non-existent subdirectory in the tarball, causing it to fail (patch from David Sommerseth). 2009.12.11 -- Version 2.1.0 * Fixed a couple issues in sample plugins auth-pam.c and down-root.c. (1) Fail gracefully rather than segfault if calloc returns NULL. (2) The openvpn_plugin_abort_v1 function can potentially be called with handle == NULL. Add code to detect this case, and if so, avoid dereferencing pointers derived from handle (Thanks to David Sommerseth for finding this bug). * Documented "multihome" option in the man page. 2009.11.20 -- Version 2.1_rc22 * Fixed a client-side bug on Windows that occurred when the "dhcp-pre-release" or "dhcp-renew" options were combined with "route-gateway dhcp". The release/renew would not occur because the Windows DHCP renew function is blocking and therefore must be called from another process or thread so as not to stall the tunnel. * Added a hard failure when peer provides a certificate chain with depth > 16. Previously, a warning was issued. 2009.11.12 -- Version 2.1_rc21 * Rebuilt OpenVPN Windows installer with OpenSSL 0.9.8l to address CVE-2009-3555. Note that OpenVPN has never relied on the session renegotiation capabilities that are built into the SSL/TLS protocol, therefore the fix in OpenSSL 0.9.8l (disable SSL/TLS renegotiation completely) will not adversely affect OpenVPN mid-session SSL/TLS renegotation or any other OpenVPN capabilities. * Added additional session renegotiation hardening. OpenVPN has always required that mid-session renegotiations build up a new SSL/TLS session from scratch. While the client certificate common name is already locked against changes in mid-session TLS renegotiations, we now extend this locking to the auth-user-pass username as well as all certificate content in the full client certificate chain. 2009.10.01 -- Version 2.1_rc20 * Fixed a bug introduced in 2.1_rc17 (svn r4436) where using the redirect-gateway option by itself, without any extra parameters, would cause the option to be ignored. * Fixed build problem when ./configure --disable-server is used. * Fixed ifconfig command for "topology subnet" on FreeBSD (Stefan Bethke). * Added --remote-random-hostname option. * Added "load-stats" management interface command to get global server load statistics. * Added new ./configure flags: --disable-def-auth Disable deferred authentication --disable-pf Disable internal packet filter * Added "setcon" directive for interoperability with SELinux (Sebastien Raveau). * Optimized PUSH_REQUEST handshake sequence to shave several seconds off of a typical client connection initiation. * The maximum number of "route" directives (specified in the config file or pulled from a server) can now be configured via the new "max-routes" directive. * Eliminated the limitation on the number of options that can be pushed to clients, including routes. Previously, all pushed options needed to fit within a 1024 byte options string. * Added --server-poll-timeout option : when polling possible remote servers to connect to in a round-robin fashion, spend no more than n seconds waiting for a response before trying the next server. * Added the ability for the server to provide a custom reason string when an AUTH_FAILED message is returned to the client. This string can be set by the server-side managment interface and read by the client-side management interface. * client-kill management interface command, when issued on server, will now send a RESTART message to client. This feature is intended to make UDP clients respond the same as TCP clients in the case where the server issues a RESTART message in order to force the client to reconnect and pull a new options/route list. 2009.07.16 -- Version 2.1_rc19 * In Windows TAP driver, refactor DHCP/ARP packet injection code to use a DPC (deferred procedure call) to defer packet injection until IRQL < DISPATCH_LEVEL, rather than calling NdisMEthIndicateReceive in the context of AdapterTransmit. This is an attempt to reduce kernel stack usage, and prevent EXCEPTION_DOUBLE_FAULT BSODs that have been observed on Vista. Updated TAP driver version number to 9.6. * In configure.ac, use datadir instead of datarootdir for compatibility with CLIENT:ESTABLISHED" notification. * Build fixes: 1. Fixed some issues with C++ style comments that leaked into the code. 2. Updated configure.ac to work on MinGW64. 3. Updated common.h types for _WIN64. 4. Fixed issue involving an #ifdef in a macro reference that breaks early gcc compilers. 5. In cryptoapi.c, renamed CryptAcquireCertificatePrivateKey to OpenVPNCryptAcquireCertificatePrivateKey to work around a symbol conflict in MinGW-5.1.4. 2008.11.19 -- Version 2.1_rc15 * Fixed issue introduced in 2.1_rc14 that may cause a segfault when a --plugin module is used. * Added server-side --opt-verify option: clients that connect with options that are incompatible with those of the server will be disconnected (without this option, incompatible clients would trigger a warning message in the server log but would not be disconnected). * Added --tcp-nodelay option: Macro that sets TCP_NODELAY socket flag on the server as well as pushes it to connecting clients. * Minor options check fix: --no-name-remapping is a server-only option and should therefore generate an error when used on the client. * Added --prng option to control PRNG (pseudo-random number generator) parameters. In previous OpenVPN versions, the PRNG was hardcoded to use the SHA1 hash. Now any OpenSSL hash may be used. This is part of an effort to remove hardcoded references to a specific cipher or cryptographic hash algorithm. * Cleaned up man page synopsis. 2008.11.16 -- Version 2.1_rc14 * Added AC_GNU_SOURCE to configure.ac to enable struct ucred, with the goal of fixing a build issue on Fedora 9 that was introduced in 2.1_rc13. * Added additional method parameter to --script-security to preserve backward compatibility with system() call semantics used in OpenVPN 2.1_rc8 and earlier. To preserve backward compatibility use: script-security 3 system * Added additional warning messages about --script-security 2 or higher being required to execute user-defined scripts or executables. * Windows build system changes: Modified Windows domake-win build system to write all openvpn.nsi input files to gen, so that gen can be disconnected from the rest of the source tree and makensis openvpn.nsi will still function correctly. Added additional SAMPCONF_(CA|CRT|KEY) macros to settings.in (commented out by default). Added optional files SAMPCONF_CONF2 (second sample configuration file) and SAMPCONF_DH (Diffie-Helman parameters) to Windows build system, and may be defined in settings.in. * Extended Management Interface "bytecount" command to work when OpenVPN is running as a server. Documented Management Interface "bytecount" command in management/management-notes.txt. * Fixed informational message in ssl.c to properly indicate deferred authentication. * Added server-side --auth-user-pass-optional directive, to allow connections by clients that do not specify a username/password, when a user-defined authentication script/module is in place (via --auth-user-pass-verify, --management-client-auth, or a plugin module). * Changes to easy-rsa/2.0/pkitool and related openssl.cnf: Calling scripts can set the KEY_NAME environmental variable to set the "name" X509 subject field in generated certificates. Modified pkitool to allow flexibility in separating the Common Name convention from the cert/key filename convention. For example: KEY_CN="James's Laptop" KEY_NAME="james" ./pkitool james will create a client certificate/key pair of james.crt/james.key having a Common Name of "James's Laptop" and a Name of "james". * Added --no-name-remapping option to allow Common Name, X509 Subject, and username strings to include any printable character including space, but excluding control characters such as tab, newline, and carriage-return (this is important for compatibility with external authentication systems). As a related change, added --status-version 3 format (and "status 3" in the management interface) which uses the version 2 format except that tabs are used as delimiters instead of commas so that there is no ambiguity when parsing a Common Name that contains a comma. Also, save X509 Subject fields to environment, using the naming convention: X509_{cert_depth}_{name}={value} This is to avoid ambiguities when parsing out the X509 subject string since "/" characters could potentially be used in the common name. * Fixed some ifconfig-pool issues that precluded it from being combined with --server directive. Now, for example, we can configure thusly: server 10.8.0.0 255.255.255.0 nopool ifconfig-pool 10.8.0.2 10.8.0.99 255.255.255.0 to have ifconfig-pool manage only a subset of the VPN subnet. * Added config file option "setenv FORWARD_COMPATIBLE 1" to relax config file syntax checking to allow directives for future OpenVPN versions to be ignored. 2008.10.07 -- Version 2.1_rc13 * Bundled OpenSSL 0.9.8i with Windows installer. * Management interface can now listen on a unix domain socket, for example: management /tmp/openvpn unix Also added management-client-user and management-client-group directives to control which processes are allowed to connect to the socket. * Copyright change to OpenVPN Technologies, Inc. 2008.09.23 -- Version 2.1_rc12 * Patched Makefile.am so that the new t_cltsrv-down.sh script becomes part of the tarball (Matthias Andree). * Fixed --lladdr bug introduced in 2.1-rc9 where input validation code was incorrectly expecting the lladdr parameter to be an IP address when it is actually a MAC address (HoverHell). 2008.09.14 -- Version 2.1_rc11 * Fixed a bug that can cause SSL/TLS negotiations in UDP mode to fail if UDP packets are dropped. 2008.09.10 -- Version 2.1_rc10 * Added "--server-bridge" (without parameters) to enable DHCP proxy mode: Configure server mode for ethernet bridging using a DHCP-proxy, where clients talk to the OpenVPN server-side DHCP server to receive their IP address allocation and DNS server addresses. * Added "--route-gateway dhcp", to enable the extraction of the gateway address from a DHCP negotiation with the OpenVPN server-side LAN. * Fixed minor issue with --redirect-gateway bypass-dhcp or bypass-dns on Windows. If the bypass IP address is 0.0.0.0 or 255.255.255.255, ignore it. * Warn when ethernet bridging that the IP address of the bridge adapter is probably not the same address that the LAN adapter was set to previously. * When running as a server, warn if the LAN network address is the all-popular 192.168.[0|1].x, since this condition commonly leads to subnet conflicts down the road. * Primarily on the client, check for subnet conflicts between the local LAN and the VPN subnet. * Added a 'netmask' parameter to get_default_gateway, to return the netmask of the adapter containing the default gateway. Only implemented on Windows so far. Other platforms will return 255.255.255.0. Currently the netmask information is only used to warn about subnet conflicts. * Minor fix to cryptoapi.c to not compile itself unless USE_CRYPTO and USE_SSL flags are enabled (Alon Bar-Lev). * Updated openvpn/t_cltsrv.sh (used by "make check") to conform to new --script-security rules. Also adds retrying if the addresses are in use (Matthias Andree). * Fixed build issue with ./configure --disable-socks --disable-http. * Fixed separate compile errors in options.c and ntlm.c that occur on strict C compilers (such as old versions of gcc) that require that C variable declarations occur at the start of a {} block, not in the middle. * Workaround bug in OpenSSL 0.9.6b ASN1_STRING_to_UTF8, which the new implementation of extract_x509_field_ssl depends on. * LZO compression buffer overflow errors will now invalidate the packet rather than trigger a fatal assertion. * Fixed minor compile issue in ntlm.c (mid-block declaration). * Added --allow-pull-fqdn option which allows client to pull DNS names from server (rather than only IP address) for --ifconfig, --route, and --route-gateway. OpenVPN versions 2.1_rc7 and earlier allowed DNS names for these options to be pulled and translated to IP addresses by default. Now --allow-pull-fqdn will be explicitly required on the client to enable DNS-name-to-IP-address translation of pulled options. * 2.1_rc8 and earlier did implicit shell expansion on script arguments since all scripts were called by system(). The security hardening changes made to 2.1_rc9 no longer use system(), but rather use the safer execve or CreateProcess system calls. The security hardening also introduced a backward incompatibility with 2.1_rc8 and earlier in that script parameters were no longer shell-expanded, so for example: client-connect "docc CLIENT-CONNECT" would fail to work because execve would try to execute a script called "docc CLIENT-CONNECT" instead of "docc" with "CLIENT-CONNECT" as the first argument. This patch fixes the issue, bringing the script argument semantics back to pre 2.1_rc9 behavior in order to preserve backward compatibility while still using execve or CreateProcess to execute the script/executable. * Modified ip_or_dns_addr_safe, which validates pulled DNS names, to more closely conform to RFC 3696: (1) DNS name length must not exceed 255 characters (2) DNS name characters must be limited to alphanumeric, dash ('-'), and dot ('.') * Fixed bug in intra-session TLS key rollover that was introduced with deferred authentication features in 2.1_rc8. 2008.07.31 -- Version 2.1_rc9 * Security Fix -- affects non-Windows OpenVPN clients running OpenVPN 2.1-beta14 through 2.1-rc8 (OpenVPN 2.0.x clients are NOT vulnerable nor are any versions of the OpenVPN server vulnerable). An OpenVPN client connecting to a malicious or compromised server could potentially receive an "lladdr" or "iproute" configuration directive from the server which could cause arbitrary code execution on the client. A successful attack requires that (a) the client has agreed to allow the server to push configuration directives to it by including "pull" or the macro "client" in its configuration file, (b) the client successfully authenticates the server, (c) the server is malicious or has been compromised and is under the control of the attacker, and (d) the client is running a non-Windows OS. Credit: David Wagner. CVE-2008-3459 * Miscellaneous defensive programming changes to multiple areas of the code. In particular, use of the system() call for calling executables such as ifconfig, route, and user-defined scripts has been completely revamped in favor of execve() on unix and CreateProcess() on Windows. * In Windows build, package a statically linked openssl.exe to work around observed instabilities in the dynamic build since the migration to OpenSSL 0.9.8h. 2008.06.11 -- Version 2.1_rc8 * Added client authentication and packet filtering capability to management interface. In addition, allow OpenVPN plugins to take advantage of deferred authentication and packet filtering capability. * Added support for client-side connection profiles. * Fixed unbounded memory growth bug in environmental variable code that could have caused long-running OpenVPN sessions with many TLS renegotiations to incrementally increase memory usage over time. * Windows release now packages openssl-0.9.8h. * Build system changes -- allow building on Windows using autoconf/automake scripts (Alon Bar-Lev). * Changes to Windows build system to make it easier to do partial builds, with a reduced set of prerequisites, where only a subset of OpenVPN installer components are built. See ./domake-win comments. * Cleanup IP address for persistence interfaces for tap and also using ifconfig, gentoo#209055 (Alon Bar-Lev). * Fall back to old version of extract_x509_field for OpenSSL 0.9.6. * Clarified tcp-queue-limit man page entry (Matti Linnanvuori). * Added new OpenVPN icon and installer graphic. * Minor pkitool changes. * Added --pkcs11-id-management option, which will cause OpenVPN to query the management interface via the new NEED-STR asynchronous notification query to get additional PKCS#11 options (Alon Bar-Lev). * Added NEED-STR management interface asynchronous query and "needstr" management interface command to respond to the query (Alon Bar-Lev). * Added Dragonfly BSD support (Francis-Gudin). * Quote device names before passing to up/down script (Josh Cepek). * Bracketed struct openvpn_pktinfo with #pragma pack(1) to prevent structure padding from causing an incorrect length to be returned by sizeof (struct openvpn_pktinfo) on 64-bit platforms. * On systems that support res_init, always call it before calling gethostbyname to ensure that resolver configuration state is current. * Added NTLMv2 proxy support (Miroslav Zajic). * Fixed an issue in extract_x509_field_ssl where the extraction would fail on the first field of the subject name, such as the common name in: /CN=foo/emailAddress=foo@bar.com * Made "Linux ip addr del failed" error nonfatal. * Amplified --client-cert-not-required warning. * Added #pragma pack to proto.h. 2008.01.29 -- Version 2.1_rc7 * Added a few extra files that exist in the svn repo but were not being copied into the tarball by make dist. * Fixup null interface on close, don't use ip addr flush (Alon Bar-Lev). 2008.01.24 -- Version 2.1_rc6 * Fixed options checking bug introduced in rc5 where legitimate configuration files might elicit the error: "Options error: Parameter pkcs11_private_mode can only be specified in TLS-mode, i.e. where --tls-server or --tls-client is also specified." 2008.01.23 -- Version 2.1_rc5 * Fixed Win2K TAP driver bug that was introduced by Vista fixes, incremented driver version to 9.4. * Windows build system changes: Incremented included OpenSSL version to openssl-0.9.7m. Updated openssl.patch for openssl-0.9.7m and added some brief usage comments to the head of the patch. Added build-pkcs11-helper.sh for building the pkcs11-helper library. Integrated inclusion of pkcs11-helper into Windows build system. Upgraded TAP build scripts to use WDK 6001.17121 (Windows 2008 Server pre-RTM). * Windows installer changes: Clean up the start menu folder. Allow for a site-specific sample configuration file and keys to be included in a custom installer (see SAMPCONF macros in settings.in). New icon (temporary). * Added "forget-passwords" command to the management interface (Alon Bar-Lev). * Added --management-signal option to signal SIGUSR1 when the management interface disconnects (Alon Bar-Lev). * Modified command line and config file parser to allow quoted strings using single quotes ('') (Alon Bar-Lev). * Use pkcs11-helper as external library, can be downloaded from https://www.opensc-project.org/pkcs11-helper (Alon Bar-Lev). * Fixed interim memory growth issue in TCP connect loop where "TCP: connect to %s failed, will try again in %d seconds: %s" is output. * Fixed bug in epoll driver in event.c, where the lack of a handler for EPOLLHUP could cause 99% CPU usage. * Defined ALLOW_NON_CBC_CIPHERS for people who don't want to use a CBC cipher for OpenVPN's data channel. * Added PLUGIN_LIBDIR preprocessor string to prepend a default plugin directory to the dlopen search list when the user specifies the basename of the plugin only (Marius Tomaschewski). * Rewrote extract_x509_field and modified COMMON_NAME_CHAR_CLASS to allow forward slash characters ("/") in the X509 common name (Pavel Shramov). * Allow OpenVPN to run completely unprivileged under Linux by allowing openvpn --mktun to be used with --user and --group to set the UID/GID of the tun device node. Also added --iproute option to allow an alternative command to be executed in place of the default iproute2 command (Alon Bar-Lev). * Fixed --disable-iproute2 in ./configure to actually disable iproute2 usage (Alon Bar-Lev). * Added --management-forget-disconnect option -- forget passwords when management session disconnects (Alon Bar-Lev). 2007.04.25 -- Version 2.1_rc4 * Worked out remaining issues with TAP driver signing on Vista x64. OpenVPN will now run on Vista x64 with driver signing enforcement enabled. * Fixed 64-bit portability bug in time_string function (Thomas Habets). 2007.04.22 -- Version 2.1_rc3 * Additional fixes to TAP driver for Windows x64. Driver now runs successfully on Vista x64 if driver signing enforcement is disabled. * The Windows Installer and TAP driver are now signed by OpenVPN Solutions LLC (in addition to the usual GnuPG signatures). * Added OpenVPN GUI (Mathias Sundman version) as install option in Windows installer. * Clean up configure on FreeBSD for recent autotool versions that require that all .h files have to be compiled. Also, FreeBSD install does not support GNU long options which the Makefile in easy-rsa/2.0 uses (not checked the others as we don't install those on Gentoo) (Roy Marples). * Added additional scripts to easy-rsa/Windows for working with password-protected keys; also add -extensions server option when generating server cert via build-key-server-pass.bat (Daniel Zauft). 2007.02.27 -- Version 2.1_rc2 * auth-pam change: link with -lpam rather than dlopen (Roy Marples). * Prevent SIGUSR1 or SIGHUP from causing program exit from initial management hold. * SO_REUSEADDR should not be set on Windows TCP sockets because it will cause bind to succeed on port conflicts. * Added time_ascii, time_duration, and time_unix environmental variables for plugins and callback scripts. * Fixed issue where OpenVPN does not apply the --txqueuelen option to persistent interfaces made with --mktun (Roy Marples). * Attempt at rational signal handling when in the management hold state. During management hold, ignore SIGUSR1/SIGHUP signals thrown with the "signal" command. Also, "signal" command will now apply remapping as specified with the --remap-usr1 option. When a signal entered using the "signal" command from a management hold is ignored, output: >HOLD:Waiting for hold release * Fixed issue where struct env_set methods that change the value of an existing name=value pair would delay the freeing of the memory held by the previous name=value pair until the underlying client instance object is closed. This could cause a server that handles long-term client connections, resulting in many periodic calls to verify_callback, to needlessly grow the env_set memory allocation until the underlying client instance object is closed. * Renamed TAP-Win32 driver from tap0801.sys to tap0901.sys to reflect the fact that Vista has blacklisted the tap0801.sys file name due to previous compatibility issues which have now been resolved. TAP-Win32 major/minor version number is now 9/1. * Windows installer will delete a previously installed tap0801.sys TAP driver before installing tap0901.sys. * Added code to Windows installer to fail gracefully on 64 bit installs until 64-bit TAP driver issues can be resolved. * Added code to Windows installer to fail gracefully on versions of Windows which are not explicitly supported. * The Windows version will now use a default route-delay of 5 seconds to deal with an apparent routing table race condition on Vista. * Worked around an incompatibility in the Windows Vista version of CreateIpForwardEntry as described in http://www.nynaeve.net/?p=59 This issue would cause route additions using the IP Helper API to fail on Vista. * On Windows, revert to "ip-win32 dynamic" as the default. 2006.10.31 -- Version 2.1_rc1 * Support recovery (return to hold) from signal at management password prompt. * Added workaround for OpenSC PKCS#11 bug#108 (Alon Bar-Lev). 2006.10.01 -- Version 2.1-beta16 * Windows installer updated with OpenSSL 0.9.7l DLLs to fix published vulnerabilities. * Fixed TAP-Win32 bug that caused BSOD on Windows Vista (Henry Nestler). * Autodetect 32/64 bit Windows in installer and install appropriate TAP driver (Mathias Sundman, Hypherion). * Fixed bug in loopback self-test introduced in 2.1-beta15 where self test as invoked by "make check" would not properly exit after 2 minutes (Paul Howarth). 2006.09.12 -- Version 2.1-beta15 * Windows installer updated with OpenSSL 0.9.7k DLLs to fix RSA Signature Forgery (CVE-2006-4339). * Fixed bug introduced with the --port-share directive (back in 2.1-beta9 which causes TLS soft resets (1 per hour by default) in TCP server mode to force a blockage of tunnel packets and later time-out and restart the connection. * easy-rsa update (Alon Bar-Lev) Makefile (install) is now available so that distribs will be able to install it safely. * PKCS#11 changes: (Alon Bar-Lev) - Modified ssl.c to not FATAL and return to init.c so auth-retry will work. - Modifed pkcs11-helper.c to fix some problem with multiple providers. - Added retry counter to PKCS#11 PIN hook. - Modified PKCS#11 PIN retry loop to return correct error code when PIN is incorrect. - Fix handling (ignoring) zero sized attributes. - Fix gcc-2 issues. - Fix openssl 0.9.6 (first version) issues. * Minor fixes of lladdr (Alon Bar-Lev) Updated makefile.w32-vc to include lladdr.*, updated linkage libraries. Modified lladdr.c to be compiled under visual C. * Added two new management states: OPENVPN_STATE_RESOLVE -- DNS lookup OPENVPN_STATE_TCP_CONNECT -- Connecting to TCP server * Echo management state change to log. * Minor syshead.h change for NetBSD to allow TCP_NODELAY flag to work. * Modified --port-share code to remove the assumption that CMSG_SPACE always evaluates to a constant, to enable compilation on NetBSD and possibly other BSDs as well. * Eliminated gcc 3.3.3 warnings on NetBSD when ./configure --enable-strict is used. * Added optional minimum-number-of-bytes parameter to --inactive directive. 2006.04.13 -- Version 2.1-beta14 * Fixed Windows server bug in time backtrack handling code which could cause TLS negotiation failures on legitimate clients. * Rewrote gettimeofday function for Windows to be simpler and more efficient. * Merged PKCS#11 extensions to easy-rsa/2.0 (Alon Bar-Lev). * Added --route-metric option to set a default route metric for --route (Roy Marples). * Added --lladdr option to specify the link layer (MAC) address for the tap interface on non-Windows platforms (Roy Marples). 2006.04.12 -- Version 2.1-beta13 * Code added in 2.1-beta7 and 2.0.6-rc1 to extend byte counters to 64 bits caused a bug in the Windows version which has now been fixed. The bug could cause intermittent crashes. 2006.04.05 -- Version 2.1-beta12 * Security Vulnerability -- An OpenVPN client connecting to a malicious or compromised server could potentially receive "setenv" configuration directives from the server which could cause arbitrary code execution on the client via a LD_PRELOAD attack. A successful attack appears to require that (a) the client has agreed to allow the server to push configuration directives to it by including "pull" or the macro "client" in its configuration file, (b) the client configuration file uses a scripting directive such as "up" or "down", (c) the client succesfully authenticates the server, (d) the server is malicious or has been compromised and is under the control of the attacker, and (e) the attacker has at least some level of pre-existing control over files on the client (this might be accomplished by having the server respond to a client web request with a specially crafted file). Credit: Hendrik Weimer. CVE-2006-1629. The fix is to disallow "setenv" to be pushed to clients from the server, and to add a new directive "setenv-safe" which is pushable from the server, but which appends "OPENVPN_" to the name of each remotely set environmental variable. * "topology subnet" fix for FreeBSD (Benoit Bourdin). * PKCS11 fixes (Alon Bar-Lev). For full description: svn log -r990 http://svn.openvpn.net/projects/openvpn/branches/BETA21 * When deleting routes under Linux, use the route metric as a differentiator to ensure that the route teardown process only deletes the identical route which was originally added via the "route" directive (Roy Marples). * Fix the t_cltsrv.sh file in FreeBSD 4 jails (Matthias Andree, Dirk Meyer, Vasil Dimov). * Extended tun device configure code to support ethernet bridging on NetBSD (Emmanuel Kasper). 2006.02.19 -- Version 2.1-beta11 * Fixed --port-share bug that caused premature closing of proxied sessions. 2006.02.17 -- Version 2.1-beta10 * Fixed --port-share breakage introduced in 2.1-beta9. 2006.02.16 -- Version 2.1-beta9 * Added --port-share option for allowing OpenVPN and HTTPS server to share the same port number. * Added --management-client option to connect as a client to management GUI app rather than be connected to as a server. * Added "bytecount" command to management interface. * --remote-cert-tls fixes (Alon Bar-Lev). 2006.01.03 -- Version 2.1-beta8 * --remap-usr1 will now also remap signals thrown during initialization. * Added --connect-timeout option to control the timeout on TCP client connection attempts (doesn't work on all OSes). This patch also makes OpenVPN signalable during TCP connection attempts. * Fixed bug in acinclude.m4 where capability of compiler to handle zero-length arrays in structs is tested (David Stipp). * Fixed typo in manage.c where inline function declaration was declared without the "static" keyword (David Stipp). * Patch to support --topology subnet on Mac OS X (Mathias Sundman). * Added --auto-proxy directive to auto-detect HTTP or SOCKS proxy settings (currently Windows only). * Removed redundant base64 code. * Better sanity checking of --server and --server-bridge IP pool ranges, so as not to hit the assertion at pool.c:119 (2.0.5). * Fixed bug where --daemon and --management-query-passwords used together would cause OpenVPN to block prior to daemonization. * Fixed client/server race condition which could occur when --auth-retry interact is set and the initially provided auth-user-pass credentials are incorrect, forcing a username/password re-query. * Fixed bug where if --daemon and --management-hold are used together, --user or --group options would be ignored. * --ip-win32 adaptive is now the default. * --ip-win32 netsh (or --ip-win32 adaptive when in netsh mode) can now set DNS/WINS addresses on the TAP-Win32 adapter. * Added new option --route-method adaptive (Win32) which tries IP helper API first, then falls back to route.exe. * Made --route-method adaptive the default. 2005.11.12 -- Version 2.1-beta7 * Allow blank passwords to be passed via the management interface. * Fixed bug where "make check" inside a FreeBSD "jail" would never complete (Matthias Andree). * Fixed bug where --server directive in --dev tap mode claimed that it would support subnets of /30 or less but actually would only accept /29 or less. * Extend byte counters to 64 bits (M. van Cuijk). * Fixed bug in Linux get_default_gateway function introduced in 2.0.4, which would cause redirect-gateway on Linux clients to fail. * Moved easy-rsa 2.0 scripts to easy-rsa/2.0 to be compatible with 2.0.x distribution. * Documented --route-nopull. * Documented --ip-win32 adaptive. * Windows build now linked with LZO2. * Allow ca, cert, key, and dh files to be specified inline via XML-like syntax without needing to reference an explicit file. For example: data here... * Allow plugin and push directives to have multi-line parameter lists such as: my-plugin.so parm1 parm2 * Added connect-retry-max option (Alon Bar-Lev). * Fixed problems where signals thrown during initialization were not returning to a management-hold state. * Added a backtrack-hardened system time algorithm. * Added --remote-cert-ku, --remote-cert-eku, and --remote-cert-tls options for verifying certificate attributes (Alon Bar-Lev). * For Windows, reverted --ip-win32 default back to "dynamic". To use new adaptive mode, set explicitly. 2005.11.01 -- Version 2.1-beta6 * Security fix (merged from 2.0.4) -- Affects non-Windows OpenVPN clients of version 2.0 or higher which connect to a malicious or compromised server. A format string vulnerability in the foreign_option function in options.c could potentially allow a malicious or compromised server to execute arbitrary code on the client. Only non-Windows clients are affected. The vulnerability only exists if (a) the client's TLS negotiation with the server succeeds, (b) the server is malicious or has been compromised such that it is configured to push a maliciously crafted options string to the client, and (c) the client indicates its willingness to accept pushed options from the server by having "pull" or "client" in its configuration file (Credit: Vade79). CVE-2005-3393 * Security fix -- (merged from 2.0.4) Potential DoS vulnerability on the server in TCP mode. If the TCP server accept() call returns an error status, the resulting exception handler may attempt to indirect through a NULL pointer, causing a segfault. Affects all OpenVPN 2.0 versions. CVE-2005-3409 * Fix attempt of assertion at multi.c:1586 (note that this precise line number will vary across different versions of OpenVPN). * Windows reliability changes: (a) Added code to make sure that the local PATH environmental variable points to the Windows system32 directory. (b) Added new --ip-win32 adaptive mode which tries 'dynamic' and then fails over to 'netsh' if the DHCP negotiation fails. (c) Made --ip-win32 adaptive the default. * More PKCS#11 additions/changes (Alon Bar-Lev). * Added ".PHONY: plugin" to Makefile.am to work around "make dist" issue. * Fixed double fork issue that occurs when --management-hold is used. * Moved TUN/TAP read/write log messages from --verb 8 to 6. * Warn when multiple clients having the same common name or username usurp each other when --duplicate-cn is not used. * Modified Windows and Linux versions of get_default_gateway to return the route with the smallest metric if multiple 0.0.0.0/0.0.0.0 entries are present. * Added ">NEED-OK" alert and "needok" command to management interface to provide a general interface for sending alerts to the end-user. Used by the PKCS#11 code to send Token Insertion Requests to the user. * Added actual remote address used to the ">STATE" alert in the management interface (Rolf Fokkens). 2005.10.17 -- Version 2.1-beta4 * Fixed bug introduced in 2.1-beta3 where management socket bind would fail. * --capath fix in ssl.c (Zhuang Yuyao). * Added ".PHONY: plugin" to Makefile.am, reverted location of "plugin" directory (thanks to Matthias Andree for figuring this out). 2005.10.16 -- Version 2.1-beta3 * Added PKCS#11 support (Alon Bar-Lev). * Enable the use of --ca together with --pkcs12. If --ca is used at the same time as --pkcs12, the CA certificate is loaded from the file specified by --ca regardless if the pkcs12 file contains a CA cert or not (Mathias Sundman). * Merged --capath patch (Thomas Noel). * Merged --multihome patch. * Added --bind option for TCP client connections (Ewan Bhamrah Harley). * Moved "plugin" directory to "plugins" to deal with strange automake problem that ended up being also fixable with ".PHONY: plugin" in Makefile.am. 2005.10.13 -- Version 2.1-beta2 * Made --sndbuf and --rcvbuf pushable. 2005.10.01 -- Version 2.1-beta1 * Made LZO setting pushable. * Renamed sample-keys/tmp-ca.crt to ca.crt. * Fixed bug where remove_iroutes_from_push_route_list was missing routes if those routes had an implied netmask (by omission) of 255.255.255.255. * Merged with 2.0.3-rc1 * easy-rsa/2.0 moved to easy-rsa * old easy-rsa moved to easy-rsa/1.0 2005.09.23 -- Version 2.0.2-TO4 * Added feature to TAP-Win32 adapter to allow it to be opened from non-administrator mode. This feature is enabled by default, and can be enabled/disabled in the adapter advanced properties dialog. * Added --allow-nonadmin standalone option for Windows to set TAP adapter to allow non-admin access. This is a user-mode version of the code, and duplicates the same feature as the above entry. * Added fix that attempts to solve corner case of tunnel not forwarding packets when system clock is reset to an earlier time. * Added --redirect-gateway bypass-dns option. (Developers: To add bypass-dhcp or bypass-dns support to other OSes, add a get_bypass_addresses function to route.c for your OS.) * Added OPENVPN_PLUGIN_CLIENT_CONNECT_V2 plugin callback, which allows a client-connect plugin to return configuration text in memory, rather than via a file. * Fixed a bug where --mode server --proto tcp-server --cipher none operation could cause tunnel packet truncation. * openvpn --version will show [LZO1] or [LZO2], depending on version that was linked. 2005.09.07 -- Version 2.0.2-TO1 * Added --topology directive. See man page. * Added --redirect-gateway bypass-dhcp option to add a route allowing DHCP packets to bypass the tunnel, when the DHCP server is non-local. Currently only implemented on Windows clients. * Modified OpenVPN Service on Windows to declare the DHCP client service as a dependency. * Extended the plugin interface to allow plugins to declare per-client constructor and destructor functions, to make it simpler for plugins to maintain per-client state. 2005.09.25 -- Version 2.0.3-rc1 * openvpn_plugin_abort_v1 function wasn't being properly registered on Windows. * Fixed a bug where --mode server --proto tcp-server --cipher none operation could cause tunnel packet truncation. 2005.08.25 -- Version 2.0.2 * No change from 2.0.2-rc1. 2005.08.24 -- Version 2.0.2-rc1 * Fixed regression bug in Win32 installer, introduced in 2.0.1, which incorrectly set OpenVPN service to autostart. * Don't package source code zip file in Windows installer in order to reduce the size of the installer. The source zip file can always be downloaded separately if needed. * Fixed bug in route.c in FreeBSD, Darwin, OpenBSD and NetBSD version of get_default_gateway. Allocated socket for route manipulation is never freed so number of mbufs continuously grow and exhaust system resources after a while (Jaroslav Klaus). * Fixed bug where "--proto tcp-server --mode p2p --management host port" would cause the management port to not respond until the OpenVPN peer connects. * Modified pkitool script to be /bin/sh compatible (Johnny Lam). 2005.08.16 -- Version 2.0.1 * Security Fix -- DoS attack against server when run with "verb 0" and without "tls-auth". If a client connection to the server fails certificate verification, the OpenSSL error queue is not properly flushed, which can result in another unrelated client instance on the server seeing the error and responding to it, resulting in disconnection of the unrelated client (CAN-2005-2531). * Security Fix -- DoS attack against server by authenticated client. This bug presents a potential DoS attack vector against the server which can only be initiated by a connected and authenticated client. If the client sends a packet which fails to decrypt on the server, the OpenSSL error queue is not properly flushed, which can result in another unrelated client instance on the server seeing the error and responding to it, resulting in disconnection of the unrelated client (CAN-2005-2532). Credit: Mike Ireton. * Security Fix -- DoS attack against server by authenticated client. A malicious client in "dev tap" ethernet bridging mode could theoretically flood the server with packets appearing to come from hundreds of thousands of different MAC addresses, causing the OpenVPN process to deplete system virtual memory as it expands its internal routing table. A --max-routes-per-client directive has been added (default=256) to limit the maximum number of routes in OpenVPN's internal routing table which can be associated with a given client (CAN-2005-2533). * Security Fix -- DoS attack against server by authenticated client. If two or more client machines try to connect to the server at the same time via TCP, using the same client certificate, and when --duplicate-cn is not enabled on the server, a race condition can crash the server with "Assertion failed at mtcp.c:411" (CAN-2005-2534). * Fixed server bug where under certain circumstances, the client instance object deletion function would try to delete iroutes which had never been added in the first place, triggering "Assertion failed at mroute.c:349". * Added --auth-retry option to prevent auth errors from being fatal on the client side, and to permit username/password requeries in case of error. Also controllable via new "auth-retry" management interface command. See man page for more info. * Added easy-rsa 2.0 scripts to the tarball in easy-rsa/2.0 * Fixed bug in openvpn.spec where rpmbuild --define 'without_pam 1' would fail to build. * Implement "make check" to perform loopback tests (Matthias Andree). 2005.07.21 -- Version 2.0.1-rc7 * Support LZO 2.01 which renamed its library to lzo2 (Matthias Andree). * Include linux/types.h before checking for linux/errqueue.h (Matthias Andree). 2005.07.15 -- Version 2.0.1-rc6 * Commented out "user nobody" and "group nobody" in sample client/server config files. * Allow '@' character to be used in --client-config-dir file names. 2005.07.04 -- Version 2.0.1-rc5 * Windows version will log a for-further-info URL when initialization sequence is completed with errors. * Added DLOPEN_PAM parameter to plugin/auth-pam/Makefile to control whether auth-pam plugin links to PAM via dlopen or -lpam. By default, DLOPEN_PAM=1 so pre-existing behavior should be preserved. DLOPEN_PAM=0 is the preferred setting to link via -lpam, but DLOPEN_PAM=1 works around a bug in SuSE 9.1 (and possibly other distros as well) where the PAM modules are not linked with -lpam. See thread on openvpn-devel for more discussion about this patch (Simon Perreault). 2005.06.15 -- Version 2.0.1-rc4 * Support LZO 2.00, including changes to configure script to autodetect LZO version. 2005.06.12 -- Version 2.0.1-rc3 * Fixed a bug which caused standard file handles to not be closed after daemonization when --plugin and --daemon are used together, and if the plugin initialization function forks (as does auth-pam and down-root) (Simon Perreault). * Added client-side up/down scripts in contrib/pull-resolv-conf for accepting server-pushed "dhcp-option DOMAIN" and "dhcp-option DNS" on Linux/Unix systems (Jesse Adelman). * Fixed bug where if client-connect scripts/plugins were cascaded, and one (but not all) of them returned an error status, there might be cases where for an individual script/plugin, client-connect was called but not client-disconnect. The goal of this fix is to ensure that if client-connect is called on a given client instance, then client-disconnect will definitely be called. A potential complication of this fix is that when client-connect functions are cascaded, it's possible that the client-disconnect function would be called in cases where the related client-connect function returned an error status. This fix should not alter OpenVPN behavior when scripts/plugins are not cascaded. * Changed the hard-to-reproduce "Assertion failed at fragment.c:312" fatal error to a warning: "FRAG: outgoing buffer is not empty". Need more info on how to reproduce this one. * When --duplicate-cn is used, the --ifconfig-pool allocation algorithm will now allocate the first available IP address. * When --daemon and --management-hold are used together, OpenVPN will daemonize before it enters the management hold state. 2005.05.16 -- Version 2.0.1-rc2 * Modified vendor test in openvpn.spec file to match against "Mandrakesoft" in addition to "MandrakeSoft". * Using --iroute in a --client-config-dir file while in --dev tap mode is not currently supported and will produce a warning message. Fixed bug where in certain cases, in addition to generating a warning message, this combination of options would also produce a fatal assertion in mroute.c. * Pass --auth-user-pass username to server-side plugin without performing any string remapping (plugins, unlike scripts, don't get any security benefit from string remapping). This is intended to fix an issue with openvpn-auth-pam/pam_winbind where backslash characters in a username ('\') were being remapped to underscore ('_'). * Updated OpenSSL DLLs in Windows build to 0.9.7g. * Documented --explicit-exit-notify in man page. * --explicit-exit-notify seconds parameter defaults to 1 if unspecified. 2005.04.30 -- Version 2.0.1-rc1 * Fixed bug where certain kinds of fatal errors after initialization (such as port in use) would leave plugin processes (such as openvpn-auth-pam) still running. * Added optional openvpn_plugin_abort_v1 plugin function for closing initialized plugin objects in the event of a fatal error by main OpenVPN process. * When the --remote list is > 1, and --resolv-retry is not specified (meaning that it defaults to "infinite"), apply the infinite timeout to the --remote list as a whole, but try each list item only once before moving on to the next item. * Added new --syslog directive which redirects output to syslog without requiring the use of the --daemon or --inetd directives. * Added openvpn.spec option to allow RPM to be built with support for passwords read from a file: rpmbuild -tb [openvpn.x.tar.gz] --define 'with_password_save 1' 2005.04.17 -- Version 2.0 * Fixed minor options string typo in options.c. 2005.04.10 -- Version 2.0-rc21 * Change license description from "GPL Version 2 or (at your option) any later version" to just "GPL Version 2". 2005.04.04 -- Version 2.0-rc20 * Dag Wieers has put together an OpenVPN/LZO binary RPM set with excellent distro/version coverage for RH/EL/Fedora, though using his own SPEC. I modified openvpn.spec to follow some of the same conventions such as putting sample scripts and doc files in %doc rather than /usr/share/openvpn. * Minor change to init scripts to run the user-defined script /etc/openvpn/openvpn-startup (if it exists) before any OpenVPN configs are started, and to run /etc/openvpn/openvpn-shutdown after all OpenVPN configs have been stopped. The openvpn-startup script can be used for stuff like insmod tun.o, setting up firewall rules, or starting ethernet bridges. 2005.03.29 -- Version 2.0-rc19 * Omit additions of routes where the network and gateway are equal and the netmask is 255.255.255.255. This can come up if you are using both server/ifconfig-pool and client-config-dir with ifconfig-push static addresses for some subset of clients which directly reference the server IP address as the remote endpoint. 2005.03.28 -- Version 2.0-rc18 * Packaged Windows installer with OpenSSL 0.9.7f. * Built Windows installer with NSIS 2.06. 2005.03.12 -- Version 2.0-rc17 * "MANAGEMENT: CMD" log file output will now only occur at --verb 7 or greater. * Added an optional name/value configuration list to the openvpn-auth-pam plugin module argument list. See plugin/auth-pam/README for documentation. This is necessary in order for openvpn-auth-pam to work with queries generated by arbitrary PAM modules. * In both auth-pam and down-root plugins, in the forked process, a read error on the parent process socket is no longer fatal. * MandrakeSoft liblzo1 RPM only Provides for a 'liblzo1'. A conditional test of the vendor has been added to Require the appropriately named 'lzo' (liblzo1 / lzo). (Tom Walsh - http://openhardware.net) 2005.02.20 -- Version 2.0-rc16 * Fixed bug introduced in rc13 where Windows service wrapper would be installed with a startup type of Automatic. This fix restores the previous behavior of installing with a startup type of Manual. 2005.02.19 -- Version 2.0-rc15 * Added warning when --keepalive is not used in a server configuration. * Don't include OpenSSL md4.h file if we are not building NTLM proxy support (Waldemar Brodkorb). * Added easy-rsa/build-key-pkcs12 and easy-rsa/Windows/build-key-pkcs12.bat scripts (Mathias Sundman). 2005.02.16 -- Version 2.0-rc14 * Fixed small memory leak that occurs when --crl-verify is used. * Upgraded Windows installer and .nsi script to NSIS 2.05 (Mathias Sundman). * Changed #include backslash usage in cryptoapi.c to use forward slashes instead (Gisle Vanem). * Created easy-rsa/revoke-full to handle revocations in a single step: (a) revoke crt, (b) regenerate CRL, and (c) verify that revocation succeeded. * Renamed easy-rsa/Windows/revoke-key to revoke-full so that both *nix and Windows scripts are equivalent. 2005.02.11 -- Version 2.0-rc13 * Improve human-readability of local/remote options diff, when inconsistencies are present. * For Windows easy-rsa, distribute vars.bat.sample and openssl.cnf.sample, then copy them to their normal filenames (without the .sample) when init-config.bat is run. This is to prevent OpenVPN upgrades from wiping out vars.bat and openssl.cnf edits. * Modified service wrapper (Windows) to use a case-insensitive search when scanning for .ovpn files in \Program Files\OpenVPN\config. Prior versions required an all-lower-case .ovpn file extension. * Miscellaneous service wrapper code cleanup. * If --user/--group is used on Windows, treat it as a no-op with a warning (this makes it easier to distribute the same client config file to Windows and *nix users). * Warn if --ifconfig-pool-persist is used with --duplicate-cn. 2005.02.05 -- Version 2.0-rc12 * Removed some debugging code inadvertently included in rc11 which would print the --auth-user-pass username/password provided by clients in the server logfile. * Client code for cycling through --remote list will retry the last address which successfully authenticated before moving on through the list. * Windows installer will now install sample configuration files in \Program Files\OpenVPN\sample-configs as well as generate a start menu shortcut to this directory. * Minor type change in buffer.[ch] to work around char-type ambiguity bug. Caused management interface lock-ups on ARM when building with armv4b-hardhat-linux-gcc 2.95.3. 2005.02.03 -- Version 2.0-rc11 * Windows installer will now install easy-rsa directory in \Program Files\OpenVPN * Allow syslog facility to be controlled at compile time, e.g. -DLOG_OPENVPN=LOG_LOCAL6 (P Kern). * Changed certain shell scripts in distribution to use #!/bin/sh rather than #!/bin/bash for better portability. * If --ifconfig-pool-persist seconds parameter is 0, treat persist file as an allocation of fixed IP addresses (previous versions took IP-to-common-name associations from this list as hints, not mandatory static allocations). * Fixed bug on *nix where if --auth-user-pass and --log were used together, the username prompt would be sent to the log file rather than /dev/tty. * Spurious text in openvpn.8 detected by doclifter (Eric S. Raymond). * Call closelog later on daemon kill so that process exit message is written to syslog. 2005.01.27 -- Version 2.0-rc10 * When ./configure is run with plugins enabled (the default), check whether or not dlopen exists in libc before testing for libdl. This is to fix an issue on FreeBSD and possibly other OSes which bundle libdl functions in libc. * On Windows, filter initial WSAEINVAL warning which occurs on the initial read attempt of an unbound socket. * The easy-rsa scripts build-key, build-key-pass, and build-key-server will now chmod the .key file to 0600. This is in addition to the fact the generated keys directory has always been similarly protected (Pete Harlan). 2005.01.23 -- Version 2.0-rc9 * Fixed error "ROUTE: route addition failed using CreateIpForwardEntry ..." on Windows when --redirect-gateway is used over a RRAS internet link. * When using --route-method exe on Windows, include the gateway parameter on route delete commands (Mathias Sundman). * Try not to do a hard reset (i.e. SIGHUP) when two SIGUSR1 signals are received in close succession. * If the push list tries to grow beyond its buffer capacity, the resulting error will be non-fatal. * To increase the push list capacity (must be done on both client and server), increase TLS_CHANNEL_BUF_SIZE in common.h (default=1024). 2005.01.15 -- Version 2.0-rc8 * Fixed bug introduced in rc7 where options error "--auth-user-pass requires --pull" might occur even if --pull was correctly specified. * Changed management interface code to bind once to TCP socket, rather than rebinding after every client disconnect. * Added "disable" directive for client-config-dir files. * Windows binary install is now distributed with OpenSSL 0.9.7e. * Query the management interface for --http-proxy username/password if authfile is set to "stdin". * Added current OpenVPN version number to "Unrecognized option or missing parameter" error message. * Added "-extensions server" to "openssl req" command in easy-rsa/build-key-server (Nir Yeffet). 2005.01.10 -- Version 2.0-rc7 * Fixed bug in management interface which could cause 100% CPU utilization in --proto tcp-server mode on all *nix OSes except for Linux 2.6. * --ifconfig-push now accepts DNS names as well as IP addresses. * Added sanity check errors when --pull or --auth-user-pass is used in an incorrect mode. * Updated man page entries for --client-connect and --ifconfig-push. * Added "String Types and Remapping" section to man page to consisely document the way which OpenVPN may convert certain types of characters in strings to ('_'). * Modified bridging description in HOWTO to emphasize the fact that bridging allows Windows file and print sharing without a WINS server (Charles Duffy). 2004.12.20 -- Version 2.0-rc6 * Improved checking for epoll support in ./configure to fix false positive on RH9 (Jan Just Keijser). * Made the "MULTI TCP: I/O wait required blocking in multi_tcp_action, action=7" error nonfatal and replaced with "MULTI: Outgoing TUN queue full, dropped packet". So far the issue only seems to occur on Linux 2.2 in --mode server --proto tcp mode. It occurs when the TUN/TAP driver locks up and refuses to accept new packet writes for a second or more. * Fixed bug where if a --client-config-dir file tried to include another file using "config", and if that include failed, OpenVPN would abort with a fatal error. Now such inclusion failures will be logged but are no longer fatal. * Global changes to the way that packet buffer alignment is handled. Previously we didn't care about alignment and took care, when handling 16 and 32 bit words in buffers, to always use alignment-safe transfers. This approach appears to be inadequate on some architectures such as alpha. The new approach is to initialize packet buffers in a way that anticipates how component structures will be allocated within them, to maintain correct alignment. * Added --dhcp-option DISABLE-NBT to disable NetBIOS over TCP (Jan Just Keijser). * Added --http-proxy-option directive for controlling miscellaneous HTTP proxy options. * Management state will no longer transition to "WAIT" during TLS renegotiations. 2004.12.16 -- Version 2.0-rc5 * The --client-config-dir option will now try to open a default file called "DEFAULT" if no file matching the common name of the incoming client was found. * The --client-connect script/plugin can now veto client authentication by returning a failure code. * The --learn-address script/plugin can now prevent a client-instance/address association from being learned by returning a failure code. * Changed RPM group in .spec file to Applications/Internet. 2004.12.14 -- Version 2.0-rc4 * SuSE only -- Fixed interaction between openvpn.spec and suse/openvpn.init where the .spec file was writing the OpenVPN binary to a different location than where the .init script was referencing it (Stefan Engel). * Solaris only -- Split Solaris ifconfig command into two parts (Jan Just Keijser). * Some cleanup in add_option(). * Better error checking on input dotted quad IP addresses. * Verify that --push argument is quoted, if there is more than one. * More miscellaneous option sanity checks. 2004.12.13 -- Version 2.0-rc3 * On Windows, when --log or --log-append is used, save the original stderr for username and password prompts. * Fixed a bug introduced in the late 2.0 betas where if a "verb" parameter >= 16 was used, it would be ignored and the actual verb level would remain at 1. * Fixed a bug mostly seen on OS X where --management-hold or --management-query-passwords would cause the management interface to be unresponsive to incoming client connections. * Trigger an options error if one of the management-modifying options is used without "management" itself. 2004.12.12 -- Version 2.0-rc2 * Amplified warnings in documentation about possible man-in-the-middle attack when clients do not properly verify server certificate. Changes to easy-rsa README, FAQ, HOWTO, man page, and sample client config file. * Added a warning message if --tls-client or --client is used without also specifying one of either --ns-cert-type, --tls-remote, or --tls-verify. * status_open() fixes for MSVC builds (Blaine Fleming). * Fix attempt of "ntlm.c:55: error: `des_cblock' undeclared" compiler error which has been reported on some platforms. * The openvpn.spec file for rpmbuild has several new build-time options. See comments in the file. * Plugins are now built and packaged in the RPM and will be saved in /usr/share/openvpn/plugin/lib. * Added --management-hold directive to start OpenVPN in a hibernating state until released by the management interface. Also added "hold" command to the management interface. 2004.12.07 -- Version 2.0-rc1 * openvpn.spec workaround for SuSE confusion regarding /etc/init.d vs. /etc/rc.d/init.d (Stefan Engel). 2004.12.05 -- Version 2.0-beta20 * The ability to read --askpass and --auth-user-pass passwords from a file has been disabled by default. To re-enable, use ./configure --enable-password-save. * Added additional pre-connected states to management interface. See management/management-notes.txt for more info. * State history is now recorded by the management interface, and the "state" command now works like the log or echo commands. * State history and real-time state change notifications are now prepended with an integer unix timestamp. * Added --http-proxy-timeout option, previously the timeout was hardcoded to 5 seconds. 2004.12.02 -- Version 2.0-beta19 * Fixed bug in management interface line termination where output lines incorrectly contained a \00 char after the customary \0d \0a. * Fixed bug introduced in beta18 where Windows version would segfault on options errors. * Fixed bug in management interface where an empty quoted string ("") entered as a parameter would cause a segfault. * Fixed bug where --resolv-retry was not working properly with multiple --remote hosts. * Added additional ./configure options to reduce executable size for embedded applications. See ./configure --help. 2004.11.28 -- Version 2.0-beta18 * Added management interface. See new --management-* options or the full management interface documentation in management/management-notes.txt in the tarball. Management interface inclusion can be disabled by ./configure --disable-management. * Added two new plugin modules: auth-pam and down-root. Auth-pam supports pam-based authentication using a split privilege execution model, while down-root enables a down script to be executed with root privileges, even when --user/--group is used to drop root privileges. See the plugin directory in the tarball for READMEs, source code, and Makefiles. * Plugin developers should note that some changes were made to the plugin interface since beta17. See openvpn-plugin.h for details. Plugin interface inclusion can be disabled with ./configure --disable-plugins * Added easy-rsa/build-key-server script which will build a certificate with with nsCertType=server. * Added --ns-cert-type option for verification of nsCertType field in peer certificate. * If --fragment n is specified and --mssfix is specified without a parameter, default --mssfix to n. This restores the 1.6 behavior when using --mssfix without a parameter. * Fixed SSL context initialization bug introduced in beta14 where this error might occur on restarts: "Cannot load certificate chain ... PEM_read_bio:no start line". 2004.11.11 -- Version 2.0-beta17 * Changed default port number to 1194 per IANA official port number assignment. * Added --plugin directive which allows compiled modules to intercept script callbacks. See plugin folder in tarball for more info. * Fixed bug introduced in beta12 where --key-method 1 authentications which should have succeeded would fail. * Ignore SIGUSR1 during DNS resolution. * Added SuSE support to openvpn.spec (Umberto Nicoletti). * Fixed --cryptoapicert SUBJ: parsing bug (Peter 'Luna' Runestig). 2004.11.07 -- Version 2.0-beta16 * Modified sample-scripts/auth-pam.pl to get username and password from OpenVPN via a file rather than via environmental variables. * Added bytes_sent and bytes_received environmental variables to be set prior to client-disconnect script. * Changed client virtual IP derivation precedence: (1) use --ifconfig-push directive from --client-connect script, (2) use --ifconfig-push directive from --client-config-dir, and (3) use --ifconfig-pool address. * If a --client-config-dir file specifies --ifconfig-push, it will be visible to the --client-connect-script in the ifconfig_pool_remote_ip environmental variable. * For tun-style tunnels, the ifconfig_pool_local_ip environmental variable will be set, while for tap-style tunnels, the ifconfig_pool_netmask variable will be set. * Added intelligence to autoconf script to test compiler for the accepted form of zero-length arrays. * Fixed a bug introduced in beta12 where --ip-win32 netsh would fail if --dev-node was not explicitly specified. * --ip-win32 netsh will now work on hidden adapters. * Fix attempt of "Assertion failed at crypto.c:149". This assertion has also been reported on 1.x with a slightly different line number. The fix is twofold: (1) In previous releases, --mtu-test may trigger this assertion -- this bug has been fixed. (2) If something else causes the assertion to be thrown, don't panic, just output a nonfatal warning to the log and drop the packet which generated the error. * Support TAP interfaces on Mac OS X (Waldemar Brodkorb). * Added --echo directive. * Added --auth-nocache directive. 2004.10.28 -- Version 2.0-beta15 * Changed environmental variable character classes so that names must consist of alphanumeric or underbar chars and values must consist of printable characters. Illegal chars will be deleted. Versions prior to 2.0-beta12 were more restrictive and would map spaces to '.'. * On Windows, when the TAP adapter fails to initialize with the correct IP address, output "Initialization Sequence Completed with Errors" to the console or log file. * Added a warning when user/group/chroot is used without persist-tun and persist-key. * Added cryptoapi.[ch] to tarball and source zip. * --tls-remote option now works with common name prefixes as well as with the full X509 subject string. This is a useful alternative to using a CRL on the client. * common names associated with a static --ifconfig-push setting will no longer leave any state in the --ifconfig-pool-persist file. * Hard TLS errors (TLS handshake failed) will now trigger either a SIGUSR1 signal by default or SIGTERM (if --tls-exit is specified). In TCP mode, all TLS errors are considered to be hard. In server mode, the signal will be local to the client instance. * Added method parameter to --auth-user-pass-verify directive to select whether username/password is passed to script via environment or a temporary file. * Added --status-version option to control format of --status file. The --mode server --status-version 2 format now includes a line type token, the virtual IP address is shown in the client list (even in --dev tap mode), and the integer time_t value is shown anywhere an ascii-formatted time/date is also shown. * Added --remap-usr1 directive which can be used to control whether internally or externally generated SIGUSR1 signals are remapped to SIGHUP (restart without persisting state) or SIGTERM (exit). * When running as a Windows service (using --service option), check the exit event before and after reading one line of input from stdin, when reading username/password info. * For developers: Extended the --gremlin function to better stress-test the new 2.0 features, added Valgrind support on Linux and Dmalloc support on Windows. 2004.10.19 -- Version 2.0-beta14 * Fixed a bug introduced in Beta12 that would occur if you use a --client-connect script without also defining --tmp-dir. * Fixed a bug introduced in Beta12 where a learn-address script might segfault on the delete method. * Added Crypto API support in Windows version via the --cryptoapicert option (Peter 'Luna' Runestig). 2004.10.18 -- Version 2.0-beta13 * Fixed an issue introduced in Beta12 where the private key password would not be prompted for unless --askpass was explicitly specified in the config. 2004.10.17 -- Version 2.0-beta12 * Added support for username/password-based authentication. Clients can now authentication themselves with the server using either a certificate, a username/password, or both. New directives: --auth-user-pass, --auth-user-pass-verify, --client-cert-not-required, and --username-as-common-name. * Added NTLM proxy patch (William Preston). * Added --ifconfig-pool-linear server flag to allocate individual tun addresses for clients rather than /30 subnets (won't work with Windows clients). * Modified --http-proxy code to cache username/password across restarts. * Modified --http-proxy code to read username/password from the console when the auth file is given as "stdin". * Modified --askpass to take an optional filename argument. * --persist-tun and --persist-key now work in client mode and can be pushed to clients as well. * Added --ifconfig-pool-persist directive, to maintain ifconfig-pool info in a file which is persistent across daemon instantiations. * --user and --group privilege downgrades as well as --chroot now also work in client mode (the dowgrade/chroot will be delayed until the initialization sequence is completed). * Added --show-engines standalone directive to show available OpenSSL crypto accelerator engine support. * --engine directive now accepts an optional engine-ID parameter to control which engine is used. * "Connection reset, restarting" log message now shows which client is being reset. * Added --dhcp-pre-release directive in Windows version. * Second parm to --ip-win32 can be "default", e.g. --ip-win32 dynamic default 60. * Fixed documentation bug regarding environmental variable settings for --ifconfig-pool IP addresses. The correct environmental variable names are: ifconfig_pool_local_ip and ifconfig_pool_remote_ip. * ifconfig_pool_local_ip and ifconfig_pool_remote_ip environmental variables are now passed to the client-disconnect script. * In server mode, environmental variables are now scoped according to the client they are associated with, to solve the problem of "crosstalk" between different client's environmental variable sets. * Added --down-pre flag to cause --down script to be called before TUN/TAP close (rather than after). * Added --tls-exit flag which will cause OpenVPN to exit on any TLS errors. * Don't push a route to a client if it exactly matches an iroute (this lets you push routes to all clients, and OpenVPN will automatically remove the route from the route push list only for that client which the route actually belongs to). * Made '--resolv-retry infinite' the default. --resolv-retry can be disabled by using a parameter of 0. * For clients which plan to pull config info from server, set an initial default ping-restart of 60 seconds. * Optimized mute code to lessen the load on the processor when messages are being muted at a higher frequency. * Made route log messages non-mutable. * Silence the Linux "No buffer space available" message. * Added miscellaneous additional option sanity checks. * Added Windows version of easy-rsa scripts in easy-rsa/Windows directory (Andrew J. Richardson). * Added NetBSD route patch (Ed Ravin). * Added OpenBSD patch for TAP + --redirect-gateway (Waldemar Brodkorb). * Directives which prompt for a username and/or password will now work with --daemon (OpenVPN will prompt before forking). * Warn if CRL is from a different issuer than the issuer of the peer certificate (Bernhard Weisshuhn). * Changed init script chkconfig parameters to start OpenVPN daemon(s) before NFS. * Bug fix attempt of "too many I/O wait events" which occurs on OSes which prefer select() over poll() such as Mac OS X. * Added --ccd-exclusive flag. This flag will require, as a condition of authentication, that a connecting client has a --client-config-dir file. * TAP-Win32 open code will attempt to open a free adapter if --dev-node is not specified (Mathias Sundman). * Resequenced --nice and --chroot ordering so that --nice occurs first. * Added --suppress-timestamps flag (Charles Duffy). * Source code changes to allow compilation by MSVC (Peter 'Luna' Runestig). * Added experimental --fast-io flag which optimizes TUN/TAP/UDP writes on non-Windows systems. 2004.08.18 -- Version 2.0-beta11 * Added --server, --server-bridge, --client, and --keepalive helper directives. See client.conf and server.conf in sample-config-files for sample configurations which use the new directives. * On Windows, added --route-method to control whether IP Helper API or route.exe is used to add/delete routes. * On Windows, added a second parameter to --route-delay to control the maximum time period to wait for the TAP-Win32 adapter to come up before adding routes. * Fixed bug in Windows version where configurations which omit --ifconfig might fail to recognize when the TAP adapter is up. * Proxy connection failures will now retry according to the --connect-retry parameter. * Fixed --dev null handling on Windows so that TLS loopback test described in INSTALL file works correctly on Windows. * Added "Initialization Sequence Completed" message after all initialization steps have been completed and the VPN can be considered "up". * Better sanity-checking on --ifconfig-pool parameters. * Added --tcp-queue-limit option to control TUN/TAP -> TCP socket overflow. * --ifconfig-nowarn flag will now silence general warnings about possible --ifconfig address conflicts, including the warning about --ifconfig and --remote addresses being in same /24 subnet. * Fixed case where server mode did not correctly identify certain types of ethernet multicast packets (Marcel de Kogel). * Added --explicit-exit-notify option (experimental). 2004.08.02 -- Version 2.0-beta10 * Fixed possible reference after free of option strings after a restart, bug was introduced in beta8. * Fixed segfault at route.c:919 in the beta9 Windows version that was being caused by indirection through a NULL pointer. * Mistakenly built debug version of TAP-Win32 driver for beta9. Beta10 has correct release build. 2004.07.30 -- Version 2.0-beta9 * Fixed --route issue on Windows that was introduced with the new beta8 route implementation based on the IP Helper API. 2004.07.27 -- Version 2.0-beta8 * Added TCP support in server mode. * Added PKCS #12 support (Mathias Sundman). * Added patch to make revoke-crt and make-crl work seamlessly within the easy-rsa environment (Jan Kiszka). * Modified --mode server ethernet bridge code to forward special IEEE 802.1d MAC Groups, i.e. 01:80:C2:XX:XX:XX. * Added --dhcp-renew and --dhcp-release flags to Windows version. Normally DHCP renewal and release on the TAP adapter occurs automatically under Windows, however if you set the TAP-Win32 adapter Media Status property to "Always Connected", you may need these flags. * Added --show-net standalone flag to Windows version to show OpenVPN's view of the system adapter and routing tables. * Added --show-net-up flag to Windows version to output the system routing table and network adapter list to the log file after the TAP-Win32 adapter has been brought up and any routes have been added. * Modified Windows version to add routes using the IP Helper API rather than by calling route.exe. * Fixed bug where --route-up script was not being called if no --route options were specified. * Added --mute-replay-warnings to suppress packet replay warnings. This is a common false alarm on WiFi nets. * Added "def1" flag to --redirect-gateway option to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. (Thanks to Jim Carter for pointing out this idea). * You can now run OpenVPN with a single config file argument. For example, you can now say "openvpn config.conf" rather than "openvpn --config config.conf". * On Windows, made --route and --route-delay more adaptive with respect to waiting for interfaces referenced by the route destination to come up. Routes added by --route should now be added as soon as the interface comes up, rather than after an obligatory 10 second delay. The way this works internally is that --route-delay now defaults to 0 on Windows. Previous versions would wait for --route-delay seconds then add the routes. This version will wait --route-delay seconds and then test the routing table at one second intervals for the next 30 seconds and will not add the routes until they can be added without errors. * On Windows, don't setsockopt SO_SNDBUF or SO_RCVBUF by default on TCP/UDP socket in light of reports that this action can have undesirable global side effects on the MTU settings of other adapters. These parameters can still be set, but you need to explicitly specify --sndbuf and/or --rcvbuf. * Added --max-clients option to limit the maximum number of simultaneously connected clients in server mode. * Added error message to illuminate shell escape gotcha when single backslashes are used in Windows path names. * Added optional netmask parm to --ifconfig-pool. * Fixed bug where http-proxy connect retry attempts were incorrectly going to the remote OpenVPN server, not to the HTTP proxy server. 2004.06.29 -- Version 2.0-beta7 * Fixed bug in link_socket_verify_incoming_addr() which under certain circumstances could have caused --float behavior even if --float was not specified. * --tls-auth option now works with --mode server. All clients and the server should use the same --tls-auth key when operating in client/server mode. * Added --engine option to make use of OpenSSL-supported crypto acceleration hardware. * Fixed some high verbosity print format size issues in event.c for 64 bit platforms (Janne Johansson). * Made failure to open --log or --log-append file a non-fatal error. 2004.06.23 -- Version 2.0-beta6 * Fixed Windows installer to intelligently put up a reboot dialog only if tapinstall tells us that it's really necessary. * Fixed "Assertion failed at fragment.c:309" bug when --mode server and --fragment are used together. * Ignore HUP, USR1, and USR2 signals during initialization. Prior versions would abort. * Fixed bug on OS X: "Assertion failed at event.c:406". * Added --service option to Windows version, for use when OpenVPN is being programmatically instantiated by another process (see man page for info). * --log and --log-append options now work on Windows. * Update OpenBSD INSTALL notes (Janne Johansson). * Enable multicast on tun interface when running on OpenBSD (Pavlin Radoslavov). * Fixed recent --test-crypto breakage, where options such as --cipher were not being parsed correctly. * Modified options compatibility string by removing ifconfig substring if it is empty. Incremented options compatibility string version number to 4. * Fixed typo in --tls-timeout option parsing (Mikael Lonnroth). 2004.06.13 -- Version 2.0-beta5 * Fixed rare --mode server crash that could occur if data was being routed to a client at high bandwidth at the precise moment that the client instance object on the server was being deleted. * Fixed issue on machines which have epoll.h and the epoll_create glibc call defined, but which don't actually implement epoll in the kernel. OpenVPN will now gracefully fall back to the poll API in this case. * Fixed Windows bug which would cause the following error in a --mode server --dev tap configuration: "resource limit WSA_MAXIMUM_WAIT_EVENTS has been exceeded". * Added CRL (certificate revocation list) management scripts to easy-rsa directory (Jon Bendtsen). * Do a better job of getting the ifconfig component of the options consistency check to work correctly when --up-delay is used. * De-inlined some functions which were too complex to be inlined anyway with gcc. * If a --dhcp-option option is pushed to a non-windows client, the option will be saved in the client's environment before the --up script is called, under the name "foreign_option_{n}". * Added --learn-address script (see man page) which allows for firewall access through the VPN to be controlled based on the client common name. * In mode --server mode, when a client connects to the server, the server will disconnect any still-active clients which use the same common name. Use --duplicate-cn flag to revert to previous behavior of allowing multiple clients to concurrently connect with the same common name. 2004.06.08 -- Version 2.0-beta4 * Fixed issue with beta3 where Win32 service wrapper was keying off of old TAP HWID as a dependency. To ensure that the new service wrapper is correctly installed, the Windows install script will uninstall the old wrapper before installing the new one, causing a reset of service properties. * Fixed permissions issue on --status output file, with default access permissions of owner read/write only (default permissions can be changed of course with chmod). 2004.06.05 -- Version 2.0-beta3 * More changes to TAP-Win32 driver's INF file which affects the placement of the driver in the Windows device namespace. This is done to work around an apparent bug in Windows when short HWIDs are used, and will also ease the upgrade from 1.x to 2.0 by reducing the chances that a reboot will be needed on upgrade. Like beta2, this upgrade will delete existing TAP-Win32 interfaces, and reinstall a single new interface with default properties. * Major rewrite of I/O event wait layer in the style of libevent. This is a precursor to TCP support in --mode server. * New feature: --status. Outputs a SIGUSR2-like status summary to a given file, updated once per n seconds. The status file is comma delimited for easy machine parsing. * --ifconfig-pool now remembers common names and will try to assign a consistent IP to a given common name. Still to do: persist --ifconfig-pool memory across restarts by saving state in file. * Fixed bug in event timer queue which could cause recurring timer events such as --ping to not correctly schedule again after firing. This in turn would cause spurrious ping restarts and possible connection outages. Thanks to Denis Vlasenko for tracking this down. * Possible fix to reported bug where --daemon argument was not printing to syslog correctly after restart. * Fixed bug where pulling --route or --dhcp-option directives from a server would problematically interact with --persist-tun on the client. * Updated contrib/multilevel-init.patch (Farkas Levente). * Added RPM build option to .spec and .spec.in files to optionally disable LZO inclusion (Ian Pilcher). * The latest MingW runtime and headers define 'ssize_t', so a patch is needed (Gisle Vanem). 2004.05.14 -- Version 2.0-beta2 * Fixed signal handling bug in --mode server, where SIGHUP and SIGUSR1 were treated as SIGTERM. * Changed the TAP-Win32 HWID from "TAP" to "TAPDEV". Apparently the larger string may work around a problem where the TAP adapter is sometimes missing from the network connections panel, especially under XP SP2. Also note that installing this upgrade will uninstall any pre-existing TAP-Win32 adapters, and then install a single new adapter, meaning that old adapter properties will be lost. Thanks to Md5Chap for solving this one. * For --mode server --dev tap, the options --ifconfig and --ifconfig-pool are now optional. This allows address assignment via DHCP or use of a TAP VPN without IP support, as has always been possible with 1.x. * Fixed bug where --ifconfig may not work correctly on Linux 2.2. * Added 'local' flag to --redirect-gateway for use on networks where both OpenVPN daemons are connected to a shared subnet, such as wireless. 2004.05.09 -- Version 2.0-beta1 * Unchanged from test29 except for version number upgrade. 2004.05.08 -- Version 2.0-test29 * Modified --dev-node on Windows to accept a TAP-Win32 GUID name. In addition, --show-adapters will now display the high-level name and GUID of each adapter. This is an attempt to work around an issue in Windows where sometimes the TAP-Win32 adapter installs correctly but has no icon in the network connections control panel. In such cases, being able to specify --dev-node {TAP-GUID} can work around the missing icon. 2004.05.07 -- Version 2.0-test28 * Fixed bug which could cause segfault on program shutdown if --route and --persist-tun are used together. 2004.05.06 -- Version 2.0-test27 * Fixed bug in close_instance() which might cause memory to be accessed after it had already been freed. * Fixed bug in verify_callback() that might have caused uninitialized data to be referenced. * --iroute now allows full CIDR subnet routing. * In "--mode server --dev tun" usage, source addresses on VPN packets coming from a particular client must be associated with that client in the OpenVPN internal routing table. 2004.04.28 -- Version 2.0-test26 * Optimized broadcast path in multi-client mode. * Added socket buffer size options --rcvbuf & --sndbuf. * Configure Linux tun/tap driver to use a more sensible txqueuelen default. Also allow explicit setting via --txqueuelen option (Harald Roelle). * The --remote option now allows the port number to be specified as the second parameter. If unspecified, the port number defaults to the --rport value. * Multiple --remote options on the client can now be specified for load balancing and failover. The --remote-random flag can be used to initially randomize the --remote list for basic load balancing. * If a remote DNS name resolves to multiple DNS addresses, one will be chosen by random as a kind of basic load-balancing feature if --remote-random is used. * Added --connect-freq option to control maximum new connection frequency in multi-client mode. * In multi-client mode, all syslog messages associated with a specific client now include a client-ID prefix. * For Windows, use a gettimeofday() function based on QueryPerformanceCounter (Derek Burdick). * Fixed bug in interaction between --key-method 2 and DES ciphers, where dynamic keys would be generated with bad parity and then be rejected. 2004.04.17 -- Version 2.0-test24 * Reworked multi-client broadcast handling. 2004.04.13 -- Version 2.0-test23 * Fixed bug in --dev tun --client-to-client routing. * Fixed a potential deadlock in --pull. * Fixed a problem with select() usage which could cause a repeating sequence of "select : Invalid argument (code=22)" 2004.04.11 -- Version 2.0-test22 * Fixed bug where --mode server + --daemon was prematurely closing syslog connection. * Added support for --redirect-gateway on Mac OS X (Jeremy Apple). * Minor changes to TAP-Win32 driver based on feedback from the NDISTest tool. 2004.04.11 -- Version 2.0-test21 * Optimizations in multi-client server event loop. 2004.04.10 -- Version 2.0-test20 * --mode server capability now works with either tun or tap interfaces. When used with tap interfaces, OpenVPN will internally bridge all client tap interfaces with the server tap interface. * Connecting clients can now have a client-specific configuration on the server, based on the client common name embedded in the client certificate. See --client-config-dir and --client-connect. These options can be used to configure client-specific routes. * Added an option --client-to-client that enables internal client-to-client routing or bridging. Otherwise, clients will only "see" the server, not other connected clients. * Fixed bug in route scheduling which would have caused --mode server to not work on Windows in test18 and test19 with the sample config file. * Man page is up to date with all new options. * OpenVPN 2.0 release notes on web site updated with tap-style tunnel examples. 2004.04.02 -- Version 2.0-test19 * Fixed bug where routes pushed from server were not working correctly on Windows clients. * Added Mac OS X route patch (Jeremy Apple). 2004.03.30 -- Version 2.0-test18 * Minor fixes + Windows self-install modified to use OpenSSL 0.9.7d. 2004.03.29 -- Version 2.0-test17 * Fixed some bugs related to instance timeout and deletion. * Extended --push/--pull option to support additional option classes. 2004.03.28 -- Version 2.0-test16 * Successful test of --mode udp-server, --push, --pull, and --ifconfig-pool with server on Linux 2.4 and clients on Linux and Windows. 2004.03.25 -- Version 2.0-test15 * Implemented hash-table lookup of client instances based either on remote UDP address/port or remote ifconfig endpoint. * Implemented a randomized binary tree based scheduler for scalably scheduling a large number of client instance events. Uses the treap data structure and node rotation algorithm to keep the tree balanced. * Initial implementation of ifconfig-pool. * Made --key-method 2 the default. 2004.03.20 -- Version 2.0-test14 * Implemented --push and --pull. 2004.03.20 -- Version 2.0-test13 * Reduced struct tls_multi and --single-session memory footprint. * Modified --single-session flag to be used in multi-client UDP server client instances. 2004.03.19 -- Version 2.0-test12 * Added the key multi-client UDP server options, --mode, --push, --pull, and --ifconfig-pool. * Revamped GC (garbage collection) code to not rely on any global data. * Modifications to thread.[ch] to allow a more flexible thread model. 2004.03.16 -- Version 2.0-test11 * Moved all timer code to interval.h, added new file interval.c. * Fixed missing include. 2004.03.16 -- Version 2.0-test10 * More TAP-Win32 fixes. * Initial debugging and testing of multi.[ch]. 2004.03.14 -- Version 2.0-test9 * Branch merge with 1.6-rc3 * More point-to-multipoint work in multi.[ch]. * Major TAP-Win32 driver restructuring to use NdisMRegisterDevice instead of IoCreateDevice/IoCreateSymbolicLink. * Changed TAP-Win32 symbolic links to use \DosDevices\Global\ pathname prefix. * In the majority of cases, TAP-Win32 should now be able to install and uninstall on Win2K without requiring a reboot. * TAP-Win32 MAC address can now be explicitly set in the adapter advanced properties page. 2004.03.04 -- Version 2.0-test8 * Branch merge with 1.6-rc2. 2004.03.03 -- Version 2.0-test7 * Branch merge with 1.6-rc1.2. 2004.03.02 -- Version 2.0-test6 * Branch merge with 1.6-rc1. 2004.03.02 -- Version 2.0-test5 * Move Socks5 UDP header append/remove to socks.c, and is called from forward.c. * Moved verify statics from ssl.c into struct tls_session. * Wrote multi.[ch] to handle top level of point-to-multipoint mode. * Wrote some code to allow a struct link_socket in a child context to be slaved to the parent context. * Broke up packet read and process functions in forward.c (from socket or tuntap) into separate functions for read and process, so that point-to-point and point-to-multipoint can share the same code. * Expand TLS control channel to allow the passing of configuration commands. * Wrote mroute.[ch] to handle internal packet routing for point-to-multipoint mode. 2004.02.22 -- Version 2.0-test3 * Initial work on UDP multi-client server. * Branch merge of 1.6-beta7 2004.02.14 -- Version 2.0-test2 * Refactorization of openvpn.c into openvpn.[ch] init.[ch] forward.[ch] forward-inline.h occ.[ch] occ-inline.h ping.[ch] ping-inline.h sig.[ch]. Created a master per-tunnel struct context in openvpn.h. * Branch merge of 1.6-beta6.2 2003.11.06 -- Version 2.0-test1 * Initial testbed for 2.0. 2004.05.09 -- Version 1.6.0 * Unchanged from 1.6-rc4 except for version number upgrade. 2004.04.01 -- Version 1.6-rc4 * Made minor customizations to devcon and renamed as tapinstall.exe for Windows version. * Fixed "storage size of `iv' isn't known" build problem on FreeBSD. * OpenSSL 0.9.7d bundled with Windows self-install. 2004.03.13 -- Version 1.6-rc3 * Minor Windows fixes for --ip-win32 dynamic, relating to the way the TAP-Win32 driver responds to a DHCP request from the Windows DHCP client. * The net_gateway environmental variable wasn't being set correctly for called scripts (Paul Zuber). * Added code to determine the default gateway on FreeBSD, allowing the --redirect-gateway option to work (Juan Rodriguez Hervella). 2004.03.04 -- Version 1.6-rc2 * Fixed bug in Windows version where the NetBIOS node-type DHCP option might have been passed even if it was not specified. * Fixed bug in Windows version introduced in 1.6-rc1, where DHCP timeout would be set to 0 seconds if --ifconfig option was used and --ip-win32 option was not explicitly specified. * Added some new --dhcp-option types for Windows version. 2004.03.02 -- Version 1.6-rc1 * For Windows, make "--ip-win32 dynamic" the default. * For Windows, make "--route-delay 10" the default unless --ip-win32 dynamic is not used or --route-delay is explicitly specified. * L_TLS mutex could have been left in a locked state for certain kinds of TLS errors. 2004.02.22 -- Version 1.6-beta7 * Allow scheduling priority increase (--nice) together with UID/GID downgrade (--user/--group). * Code that causes SIGUSR1 restart on TLS errors in TCP mode was not activated in pthread builds. * Save the certificate serial number in an environmental variable called tls_serial_{n} prior to calling the --tls-verify script. n is the current cert chain level. * Added NetBSD IPv6 tunnel capability (also requires a kernel patch) (Horst Laschinsky). * Fixed bug in checking the return value of the nice() function (Ian Pilcher). * Bug fix in new FreeBSD IPv6 over TUN code which was originally added in 1.6-beta5 (Nathanael Rensen). * More Socks5 fixes -- extended the struct frame infrastructure to accomodate proxy-based encapsulation overhead. * Added --dhcp-option to Windows version for setting adapter properties such as WINS & DNS servers. * Use a default route-delay of 5 seconds when --ip-win32 dynamic is specified (only applicable when --route-delay is not explicitly specified). * Added "log_append" registry variable to control whether the OpenVPN service wrapper on Windows opens log files in append (log_append="1") or truncate (log_append="0") mode. The default is truncate. 2004.02.05 -- Version 1.6-beta6 * UDP over Socks5 fix to accomodate Socks5 encapsulation overhead (Christof Meerwald). * Minor --ip-win32 dynamic tweaks (use long lease time, invalidate existing lease with DHCPNAK). 2004.02.01 -- Version 1.6-beta5 * Added Socks5 proxy support (Christof Meerwald). * IPv6 tun support for FreeBSD (Thomas Glanzmann). * Special TAP-Win32 debug mode for Windows self-install that was enabled in beta4 is now turned off. * Added some new Solaris notes to INSTALL (Koen Maris). * More work on --ip-win32 dynamic. 2004.01.27 -- Version 1.6-beta4 * For this beta, the Windows self-install is a debug version and will run slower -- use only for testing. * Reverted the --ip-win32 default back to 'ipapi' from 'dynamic'. * Added the offset parameter to '--ip-win32 dynamic' which can be used to control the address of the masqueraded DHCP server which replies to Windows DHCP requests. * Added a wait/nowait option to --inetd (nowait can only be used with TCP sockets, TLS authentication, and over a bridged configuration -- see FAQ for more info) (Stefan `Sec` Zehl). * Added a build-time capability where TAP-Win32 driver debug messages can be output by OpenVPN at --verb 6 or higher. 2004.01.20 -- Version 1.6-beta2 * Added ./configure --enable-iproute2 flag which uses iproute2 instead of route + ifconfig -- this is necessary for the LEAF Linux distro (Martin Hejl). * Added renewal-time and rebind-time to set of DHCP options returned by the TAP-Win32 driver when "--ip-win32 dynamic" is used. 2004.01.14 -- Version 1.6-beta1 * Fixed --proxy bug that sometimes caused plaintext control info generated by the proxy prior to http CONNECT method establishment to be incorrectly parsed as OpenVPN data. * For Windows version, implemented the "--ip-win32 dynamic" method and made it the default. This method sets the TAP-Win32 adapter IP address and netmask by replying to the kernel's DHCP queries. See the man page for more detailed info. * Added --connect-retry parameter which controls the time interval (in seconds) between connect() retries when --proto tcp-client is used. Previously, this value was hardcoded to 5 seconds, and still defaults as such. * --resolv-retry can now be used with a parameter of "infinite" to retry indefinitely. * Added SSL_CTX_use_certificate_chain_file() to ssl.c for support of multi-level certificate chains (Sten Kalenda). * Fixed --tls-auth incompatibility with 1.4.x and earlier versions of OpenVPN when the passphrase file is an OpenVPN static key file (as generated by --genkey). * Added shell-escape support in config files using the backslash character ("\") so that (for example) double quotes can be passed to the shell. * Added "contrib" subdirectory on tarball, source zip, and CVS containing user-submitted contributions. * Added an optional patch to the Redhat init script to allow the configuration file directory to be a multi-level directory hierarchy (Farkas Levente). See contrib/multilevel-init.patch * Added some scripts and documentation on using Linux "fwmark" iptables rules to enable fine-grained routing control over the VPN (Sean Reifschneider, ). See contrib/openvpn-fwmarkroute-1.00 2003.11.20 -- Version 1.5.0 * Minor documentation changes. 2003.11.04 -- Version 1.5-beta14 * Fixed build problem with ./configure --disable-ssl that was reported on Debian woody. * Fixed bug where --redirect-gateway could not be used together with --resolv-retry. 2003.11.03 -- Version 1.5-beta13 * Added CRL (certificate revocation list) capability using --crl-verify option (Stefano Bracalenti). * Added --replay-window option for variable replay-protection window sizes. * Fixed --fragment bug which might have caused certain large packets to be sent unfragmented. * Modified --secret and --tls-auth to permit different cipher and HMAC keys to be used for each data flow direction. Also increased static key file size generated by --genkey from 1024 to 2048 bits, where 512 bits each are reserved for send-HMAC, encrypt, receive-HMAC, and decrypt. Key file forward and backward compatibility is maintained. See --secret option documentation on the man page for more info. * Added --tls-remote option (Teemu Kiviniemi). * Fixed --tls-cipher documention regarding correct delimiter usage (Teemu Kiviniemi). * Added --key-method option for selecting alternative data channel key negotiation methods. Method 1 is the default. Method 2 has been added (see man page for more info). * Added French translation of HOWTO to web site (Guillaume Lehmann). * Fixed problem caused by late resolver library load on certain platforms when --resolv-retry and --chroot are used together (Teemu Kiviniemi). * In TCP mode, all decryption or TLS errors will abort the current connection (this is not done in UDP mode because UDP is "connectionless"). * Fixed a TCP client reconnect bug that only occurs on the BSDs, where connect() fails with an invalid argument. This bug was partially (but not completely) fixed in beta7. * Added "route_net_gateway" environmental variable which contains the pre-existing default gateway address from the routing table (there's no standard API for getting the default gateway, so right now this feature only works on Windows or Linux). * Renamed the "route_default_gateway" enviromental variable to "route_vpn_gateway" -- this is the remote VPN endpoint. * The special keywords vpn_gateway, net_gateway, and remote_host can now be used for the network or gateway components of the --route option. See the man page for more info. * Added the --redirect-gateway option to configure the VPN as the default gateway (implemented on Linux and Windows only). * Added the --http-proxy option with basic authentication support for use in TCP client mode. Successfully tested using Squid as the HTTP proxy, with and without authentication. 2003.10.12 -- Version 1.5-beta12 * Fixed Linux-only bug in --mktun and --rmtun which was introduced around beta8 or so, which would cause an error such as "I don't recognize device tun0 as a tun or tap device1". * Added --ifconfig-nowarn option to disable options consistency warnings about --ifconfig parameters. * Don't allow any kind of sequence number backtracking or message reordering when in TCP mode. * Changed beta naming convention to use '_' (underscore) rather than '-' (dash) to pacify rpmbuild. 2003.10.08 -- Version 1.5-beta11 * Modified code in the Windows version which sets the IP address and netmask of the TAP-Win32 adapter using the IP Helper API. Most of the changes involve better error recovery when the IP Helper API returns an error status. See the manual page entry on --ip-win32 for more info. 2003.10.08 -- Version 1.5-beta10 * Added getpass() function for Windows version so that --askpass option works correctly (Stefano Bracalenti). * Added reboot advisory to end of Win32 install script. * Changed crypto code to use pseudo-random IVs rather than carrying forward the IV state from the previous packet. This is in response to item 2 in the following document: http://www.openssl.org/~bodo/tls-cbc.txt which points out weaknesses in TLS's use of the same IV carryforward approach. This change does not break protocol compatibility with previous versions of OpenVPN. * Made a change to the crypto replay protection code to also protect against certain kinds of packet reordering attacks. This change does not break protocol compatibility with previous versions of OpenVPN. * Added --ip-win32 option to provide several choices for setting the IP address on the TAP-Win32 adapter. * #ifdefed out non-CBC crypto modes by default. * Added --up-delay option to delay TUN/TAP open and --up script execution until after connection establishment. This option replaces the earlier windows-only option --tap-delay. 2003.10.01 -- Version 1.5-beta9 * Fixed --route-noexec bug where option was not parsed correctly. * Complain if --dev tun is specified without --ifconfig on Windows. * Fixed bug where TCP connections on windows would sometimes cause an assertion failure. * Added a new flag to TAP-Win32 advanced properties that allows one to set the adapter to be always "connected" even when an OpenVPN process doesn't have it open. The default behavior is to report a media status of connected only when an OpenVPN process has the adapter open. * Rebuilt the Windows self-install distribution with OpenSSL 0.9.7c DLLs in response to an OpenSSL security advisory. 2003.09.30 -- Version 1.5-beta8 * Extended the --ifconfig option to work on tap devices as well as tun devices. * Implemented the --ifconfig option for Windows, by calling the netsh tool. * By default, do an "arp -d *" on Windows after TAP-Win32 open to refresh the MAC cache. This behaviour can be disabled with --no-arp-del. * On Windows, allow the --dev-node parameter (which specifies the name of the TAP-Win32 adapter) to be omitted in cases where there is a single TAP-Win32 adapter on the system which can be assumed to be the default. * Modified the diagnostic --verb 5 debugging level to print 'R' for TCP/UDP read, 'W' for TCP/UDP write, 'r' for TUN/TAP read, and 'w' for TUN/TAP write. * Conditionalize OpenBSD read_tun and write_tun based on tun or tap mode. * Added IPv6 tun support to OpenBSD (Thomas Glanzmann). * Make the --enable-mtu-dynamic ./configure option enabled by default. * Deprecated the --mtu-dynamic run-time option, in favor of --fragment. * DNS names can now be used as --ifconfig parameters. * Significant work on TAP-Win32 driver to bring up to SMP standards. * On Windows, fixed dangling IRP problem if TAP-Win32 driver is unloaded or disabled, while a user-space process has it open. * On Windows, if --tun-mtu is not specified, it will be read from the TAP-Win32 driver via ioctl. * On Windows, added TAP-Win32 driver status info to "F2" keyboard signal (only when run from a console window). * Added --mssfix option to control TCP MSS size (YANO Hirokuni). * Renamed --mtu-dynamic option to --fragment to more accurately reflect its function. Fragment accepts a single parameter which is the upper limit on acceptable UDP packet size. * Changed default --tun-mtu-extra parameter to 32 from 64. * Eliminated reference to malloc.o in configure.ac. * Added tun device emulation to the TAP-Win32 driver. * Added --route and related options. * Added init script for SuSE Linux (Frank Plohmann). * Extended option consistency check between peers to function in all crypto modes, including static-key and cleartext modes. Previously only TLS mode was supported. Disable with --disable-occ. * Overall, increased the amount of configuration option sanity checking, especially of networking parameters. * Added --mtu-test option for empirical MTU measurement. * Added Windows-only option --tap-delay to not set the TAP-Win32 adapter media state to 'connected' until TCP/UDP connection establishment with peer. * Slightly modified --route/--route-delay semantics so that when --route is given without --route-delay, routes are added immediately after tun/tap device open. When --route-delay is specified, routes will be added n seconds after connection initiation, where n is the --route-delay parameter (which can be set to 0). * Made TCP framing error into a non-fatal error that triggers a connection reset. 2003.08.28 -- Version 1.5-beta7 * Fixed bug that caused OpenVPN not to respond to exit/restart signals when --resolv-retry is used and a local or remote DNS name cannot be resolved. * Exported a series of environmental variables with useful info for scripts. See man page for more info. Based on a suggestion by Anthony Ciaravalo. * Moved TCP/UDP socket bind to a point in the initialization before the --up script gets called. This is desirable because (a) a socket bind failure will happen before daemonization, allowing an error status code to be returned to the shell and (b) the possibility is eliminated of a socket bind failure causing the --up script to be run but not the --down script. This change has a side effect that --resolv-retry will no longer work with --local. * Fixed bug where if an OpenVPN TCP server went down and back up again, Solaris or FreeBSD clients would fail to reconnect to it. * Fixed bug that prevented OpenVPN from being run by inetd/xinetd in TCP mode. * Added --log and --log-append options for logging messages to a file. * On Windows, check that the current user is a member of the Administrator group before attempting install or uninstall. 2003.08.16 -- Version 1.5-beta6 * Fixed TAP-Win32 driver to properly increment the Rx/Tx count. 2003.08.14 -- Version 1.5-beta5 * Added user-configurability of the TAP-Win32 adapter MTU through the adapter advanced properties page. * Added Windows Service support. * On Windows, added file association and right-clickability for .ovpn files (OpenVPN config files). 2003.08.05 -- Version 1.5-beta4 * Extra refinements and error checking added to Windows NSIS install script. 2003.08.05 -- Version 1.5-beta3 * Added md5.h include to crypto.c to fix build problem on OpenBSD. * Created a Win32 installer using NSIS. * Removed DelService command from TAP-Win32 INF file. It appears to be not necessary and it interfered with the ability to uninstall and reinstall the driver without needing to reboot. * On Windows version, added "addtap" and "deltapall" batch files to add and delete TAP-Win32 adapter instances. 2003.07.31 -- Version 1.5-beta2 * Renamed INSTALL.w32 to INSTALL-win32.txt and reformatted in Windows ASCII so it's easier to click and view. * Added postscript and PDF versions of the HOWTO to the web site (C R Zamana). * Merged Michael Clarke's stability patch into TAP-Win32 driver which appears to fix the suspend/resume driver bug and significantly improve driver stability. * Added Christof Meerwald's Media Status patch to the TAP-Win32 driver which shows the TAP adapter to be disconnected when OpenVPN is not running. * Moved socket connect and TCP server listen code to a later point in openvpn() function so that the TCP server listen state is entered after daemonization. * Added keyboard shortcuts to simulate signals in the Windows version, see the window title bar for descriptions. 2003.07.24 -- Version 1.5-beta1 * Added TCP support via the new --proto option. * Renamed udp-centric options such as --udp-mtu to --link-mtu (old option names preserved for compatibility). * Ported to Windows 2000 + XP using mingw and a TAP driver derived from the Cipe-Win32 project by Damion K. Wilson. * Added --show-adapters flag for windows version. * Reworked the SSL/TLS packet acknowledge code to better handle certain corner cases. * Turned off the default enabling of IP forwarding in the sample-scripts/openvpn.init script for Redhat. Forwarding can be enabled by users in their --up scripts or firewall config. * Added --up-restart option based on suggestion from Sean Reifschneider. * If --dev tap or --dev-type tap is specified, --tun-mtu defaults to 1500 and --tun-mtu-extra defaults to 64. * Enabled --verb 5 debugging mode that prints 'R' and 'W' for each packet read or write on the TCP/UDP socket. 2003.08.04 -- Version 1.4.3 * Added md5.h include to crypto.c to fix build problem on OpenBSD. 2003.07.15 -- Version 1.4.2 * Removed adaptive bandwidth from --mtu-dynamic -- its absence appears to work better than its existence (1.4.1.2). * Minor changes to --shaper to fix long retransmit timeouts at low bandwidth (1.4.1.2). * Added LOG_RW flag to openvpn.h for debugging (1.4.1.2). * Silenced spurious configure warnings (1.4.1.2). * Backed out --dev-name patch, modified --dev to offer equivalent functionality (1.4.1.4). * Added an optional parameter to --daemon and --inetd to support the passing of a custom program name to the system logger (1.4.1.5). * Add compiled-in options to the program title (1.4.1.5). * Coded the beginnings of a WIN32 port (1.4.1.5). * Succeeded in porting to Win32 Mingw environment and running loopback tests (1.4.1.6). Still need a kernel driver for full Win32 functionality. * Fixed a bug in error.h where HAVE_CPP_VARARG_MACRO_GCC was misspelled. This would have caused a significant slowdown of OpenVPN when built by compilers that lack ISO C99 vararg macros (1.4.1.6). * Created an init script for Gentoo Linux in ./gentoo directory (1.4.1.6). 2003.05.15 -- Version 1.4.1 * Modified the Linux 2.4 TUN/TAP open code to fall back to the 2.2 TUN/TAP interface if the open or ioctl fails. * Fixed bug when --verb is set to 0 and non-fatal socket errors occur, causing 100% CPU utilization. Occurs on platorms where EXTENDED_SOCKET_ERROR_CAPABILITY is defined, such as Linux 2.4. * Fixed typo in tun.c that was preventing OpenBSD build. * Added --enable-mtu-dynamic configure option to enable --mtu-dynamic experimental option. 2003.05.07 -- Version 1.4.0 * Added --replay-persist feature to allow replay protection across sessions. * Fixed bug where --ifconfig could not be used with --tun-mtu. * Added --tun-mtu-extra parameter to deal with the situation where a read on a TUN/TAP device returns more data than the device's MTU size. * Fixed bug where some IPv6 support code for Linux was not being properly ifdefed out for Linux 2.2, causing compile errors. * Added OPENVPN_EXIT_STATUS_x codes to openvpn.h to control which status value openvpn returns to its caller (such as a shell or inetd/xinetd) for various conditions. * Added OPENVPN_DEBUG_COMMAND_LINE flag to openvpn.h to allow debugging in situations where stdout, stderr, and syslog cannot be used for message output, such as when OpenVPN is instantiated by inetd/xinetd. * Removed owner-execute permission from file created by static key generator (Herbert Xu and Alberto Gonzalez Iniesta). * Added --passtos option to allow IPv4 TOS bits to be passed from TUN/TAP input packets to the outgoing UDP socket (Craig Knox). * Added code to prevent open socket file descriptors from being accessible to called scripts. * Added --dev-name option (Christian Lademann). * Added --mtu-disc option for manual control over MTU options. * Show OS MTU value on UDP socket write failures (linux only). * Numerous build system and portability fixes (Matthias Andree). * Added better sensing of compiler support for variable argument macros, including (a) gcc style, (b) ISO C 1999 style, and (c) no support. * Removed generated files from CVS. Note INSTALL file for new CVS build commands. * Changed certain internal symbol names for C standards compliance. * Added TUN/TAP open code to cycle dynamically through unit numbers until it finds a free unit (based on code from Thomas Gielfeldt and VTun). * Added dynamic MTU and fragmenting infrastructure (Experimental). Rebuild with FRAGMENT_ENABLE defined to enable. * Minor changes to SSL/TLS negotiation, use exponential backoff on retransmits, and use a smaller MTU size (note that no protocol changes have been made which would break compatibility with 1.3.x). * Added --enable-strict-options flag to ./configure. This option will cause a more strict check for options compatibility between peers when SSL/TLS negotiation is used, but should only be used when both OpenVPN peers are of the same version. * Reorganization of debugging levels. * Added a workaround in configure.ac for default SSL header location on Linux to fix RH9 build problem. * Fixed potential deadlock when pthread support is used on OSes that allocate a small socketpair() message buffer. * Fixed openvpn.init to be sh compliant (Bishop Clark). * Changed --daemon to wait until all initialization is finished before becoming a daemon, for the benefit of initialization scripts that want a useful return status from the openvpn command. * Made openvpn.init script more robust, including positive indication of initialization errors in the openvpn daemon and better sanity checks. * Changed --chroot to wait until initialization is finished before calling chroot(), and allow the use of --user and --group with --chroot. * When syslog logging is enabled (--daemon or --inetd), set stdin/stdout/stderr to point to /dev/null. * For inetd instantiations, dup socket descriptor to a >2 value. * Fixed bug in verify-cn script, where test would incorrectly fail if CN=x was the last component of the X509 composite string (Anonymous). * Added Markus F.X.J. Oberhumer's special license exception to COPYING. 2002.10.23 -- Version 1.3.2 * Added SSL_CTX_set_client_CA_list call to follow the canonical form for TLS initialization recommended by the OpenSSL docs. This change allows better support for intermediate CAs and has no impact on security. * Added build-inter script to easy-rsa package, to facilitate the generation of intermediate CAs. * Ported to NetBSD (Dimitri Goldin). * Fixed minor bug in easy-rsa/sign-req. It refers to openssl.cnf file, instead of $KEY_CONFIG, like all other scripts (Ernesto Baschny). * Added --days 3650 to the root CA generation command in the HOWTO to override the woefully small 30 day default (Dominik 'Aeneas' Schnitzer). * Fixed bug where --ping-restart would sometimes not re-resolve remote DNS hostname. * Added --tun-ipv6 option and related infrastructure support for IPv6 over tun. * Added IPv6 over tun support for Linux (Aaron Sethman). * Added FreeBSD 4.1.1+ TUN/TAP driver notes to INSTALL (Matthias Andree). * Added inetd/xinetd support (--inetd) including documentation in the HOWTO. * Added "Important Note on the use of commercial certificate authorities (CAs) with OpenVPN" to HOWTO based on issues raised on the openvpn-users list. 2002.07.10 -- Version 1.3.1 * Fixed bug in openvpn.spec and openvpn.init which caused RPM upgrade to fail. 2002.07.10 -- Version 1.3.0 * Added --dev-node option to allow explicit selection of tun/tap device node. * Removed mlockall call from child thread, as it doesn't appear to be necessary (child thread inherits mlockall state from parent). * Added --ping-timer-rem which causes timer for --ping-exit and --ping-restart not to run unless we have a remote IP address. * Added condrestart to openvpn.init and openvpn.spec (Bishop Clark). * Added --ifconfig case for FreeBSD (Matthias Andree). * Call openlog with facility=LOG_DAEMON (Matthias Andree). * Changed LOG_INFO messages to LOG_NOTICE. * Added warning when key files are group/others accessible. * Added --single-session flag for TLS mode. * Fixed bug where --writepid would segfault if used with an invalid filename. * Fixed bug where --ipchange status message was formatted incorrectly. * Print more concise error message when system() call fails. * Added --disable-occ option. * Added --local, --remote, and --ifconfig options sanity check. * Changed default UDP MTU to 1300 and TUN/TAP MTU to 1300. * Successfully tested with OpenSSL 0.9.7 Beta 2. * Broke out debug level definitions to errlevel.h * Minor documentation and web site changes. * All changes maintain protocol compatibility with OpenVPN versions since 1.1.0, however default MTU changes will require setting the MTU explicitly by command line option, if you want 1.3.0 to communicate with previous versions. 2002.06.12 -- Version 1.2.1 * Added --ping-restart option to restart connection on ping timeout using SIGUSR1 logic (Matthias Andree). * Added --persist-tun, --persist-key, --persist-local-ip, and --persist-remote-ip options for finer-grained control over SIGUSR1 and --ping-restart restarts. To replicate previous SIGUSR1 functionality, use --persist-remote-ip. * Changed residual IV fetching code to take IV from tail of ciphertext. * Added check to make sure that CFB or OFB cipher modes are only used with SSL/TLS authentication mode, and added a caveat to INSTALL. * Changed signal handling during initialization (including re-initialization during restarts) to exit on SIGTERM or SIGINT and ignore other signals which would ordinarily be caught. * Added --resolv-retry option to allow retries on hostname resolution. * Expanded the --float option to also allow dynamic changes in source port number on incoming datagrams. * Added --mute option to limit repetitive logging of similar message types. * Added --group option to downgrade GID after initialization. * Try to set ifconfig path automatically in configure. * Added --ifconfig code for Mac OS X (Christoph Pfisterer). * Moved "Peer Connection Initiated" message to --verb level 1. * Successfully tested with OpenSSL 0.9.7 Beta 1 and AES cipher. * Added RPM notes to INSTALL. * Added ACX_PTHREAD (from the autoconf macro archive) to configure.ac to figure out the right pthread options for a given platform. * Broke out macro definitions from configure.ac to acinclude.m4. * Minor changes to docs and HOWTO. * All changes maintain protocol compatibility with OpenVPN versions since 1.1.0. 2002.05.22 -- Version 1.2.0 * Added configuration file support via the --config option. * Added pthread support to improve latency. With pthread support, OpenVPN will offload CPU-intensive tasks such as RSA key number crunching to a background thread to improve tunnel packet forwarding latency. pthread support can be enabled with the --enable-pthread configure option. Pthread support is currently available only for Linux and Solaris. * Added --dev-type option so that tun/tap device names don't need to begin with "tun" or "tap". * Added --writepid option to write main process ID to a file. * Numerous portability fixes to ease porting to other OSes including changing all network types to uint8_t and uint32_t, and not assuming that time_t is 32 bits. * Backported to OpenSSL 0.9.5. * Ported to Solaris. * Finished OpenBSD port except for pthread support. * Added initialization script: sample-scripts/openvpn.init (Douglas Keller) * Ported to Mac OS X (Christoph Pfisterer). * Improved resilience to DoS attacks when TLS mode is used without --remote or --tls-auth, or when --float is used with --remote. Note however that the best defense against DoS attacks in TLS mode is to use --tls-auth. * Eliminated automake/autoconf dependency for non-developers. * Ported configure.in to configure.ac and autoconf 2.50+. * SIGHUP signal now causes OpenVPN to restart and re-read command line and or config file, in conformance with canonical daemon behaviour. * SIGUSR1 now does what SIGHUP did in version 1.1.1 and earlier -- close and reopen the UDP socket for use when DHCP changes host's IP address and preserve most recently authenticated peer address without rereading config file. * SIGUSR2 added -- outputs current statistics, including compression statistics. * All changes maintain protocol compatibility with 1.1.1 and 1.1.0. 2002.04.22 -- Version 1.1.1 * Added --ifconfig option to automatically configure TUN device. * Added inactivity disconnect (--inactive and --ping-exit options). * Added --ping option to keep stateful firewalls from timing out. * Added sanity check to command line parser to err if any TLS options are used in non-TLS mode. * Fixed build problem with compiler environments that define printf as a macro. * Fixed build problem on linux systems that have an integrated TUN/TAP driver but lack the persistent tunnel feature (TUNSETPERSIST). Some linux kernels >= 2.4.0 and < 2.4.7 fall into this category. * Changed all calls to EVP_CipherInit to use explicit encrypt/decrypt mode in order to fix problem with IDEA-CBC and AES-256-CBC ciphers. * Minor changes to control channel transmit limiter algorithm to fix problem where TLS control channel might not renegotiate within the default 60 second window. * Simplified man page examples by taking advantage of the new --ifconfig option. * Minor changes to configure.in to check more rigourously for OpenSSL 0.9.6 or greater. * Put back openvpn.spec, eliminated openvpn.spec.in. * Modified openvpn.spec to reflect new automake-based build environment (Bishop Clark). * Other documentation changes. * Added --test-crypto option for debugging. * Added "missing" and "mkinstalldirs" automake support files. 2002.04.09 -- Version 1.1.0 * Strengthened replay protection and IV handling, extending it fully to both static key and TLS dynamic key exchange modes. * Added --mlock option to disable paging and ensure that key material and tunnel data is never paged to disk. * Added optional traffic shaping feature to cap the maximum data rate of the tunnel. * Converted to automake (The Platypus Brothers 2002-04-01). * Ported to OpenBSD by Janne Johansson. * Added --tun-af-inet option to work around an incompatibility between Linux and BSD tun drivers. * Sequence number-based replay protection using the IPSec sliding window model is now the default, disable with --no-replay. * Explicit IV is now the default, disable with --no-iv. * Disabled all cipher modes except CBC, CFB, and OFB. * In CBC mode, use explicit IV and carry forward residuals, using IPSec model. * In CFB/OFB mode, IV is timestamp, sequence number. * Eliminated --packet-id, --timestamp, and max-delta parameter to the --tls-auth option as they are now supplanted by improved replay code which is enabled by default. * Eliminated --rand-iv as it is now obsolete with improved IV code. * Eliminated --reneg-err option as it increases vulnerability to DoS attacks. * Added weak key check for DES ciphers. * --tls-freq option is no longer specified on the command line, instead it now inherits its parameter from the --tls-timeout option. * Fixed bug that would try to free memory on exit that was never malloced if --comp-lzo was not specified. * Errata fixed in the man page examples: "test-ca" should be "tmp-ca". * Updated manual page. * Preliminary work in porting to OpenSSL 0.9.7. * Changed license to allowing linking with OpenSSL. 2002.03.29 -- Version 1.0.3 * Fixed a problem in configure with library ordering on the command line. 2002.03.28 -- Version 1.0.2 * Improved the efficiency of the inner event loop. * Fixed a minor bug with timeout handling. * Improved the build system to build on RH 6.2 through 7.2. * Added an openvpn.spec file for RPM builders (Bishop Clark). 2002.03.23 -- Version 1.0 * Added TLS-based authentication and key exchange. * Added gremlin mode to stress test. * Wrote man page. 2001.12.26 -- Version 0.91 * Added any choice of cipher or HMAC digest. 2001.5.13 -- Version 0.90 * Initial release. * IP tunnel over UDP, with blowfish cipher and SHA1 HMAC signature. openvpn-2.4.4/Changes.rst000066400000000000000000000572131316434344000153220ustar00rootroot00000000000000Overview of changes in 2.4 ========================== New features ------------ Seamless client IP/port floating Added new packet format P_DATA_V2, which includes peer-id. If both the server and client support it, the client sends all data packets in the new format. When a data packet arrives, the server identifies peer by peer-id. If peer's ip/port has changed, server assumes that client has floated, verifies HMAC and updates ip/port in internal structs. This allows the connection to be immediatly restored, instead of requiring a TLS handshake before the server accepts packets from the new client ip/port. Data channel cipher negotiation Data channel ciphers (``--cipher``) are now by default negotiated. If a client advertises support for Negotiable Crypto Parameters (NCP), the server will choose a cipher (by default AES-256-GCM) for the data channel, and tell the client to use that cipher. Data channel cipher negotiation can be controlled using ``--ncp-ciphers`` and ``--ncp-disable``. A more limited version also works in client-to-server and server-to-client scenarios where one of the end points uses a v2.4 client or server and the other side uses an older version. In such scenarios the v2.4 side will change to the ``--cipher`` set by the remote side, if permitted by by ``--ncp-ciphers``. For example, a v2.4 client with ``--cipher BF-CBC`` and ``ncp-ciphers AES-256-GCM:AES-256-CBC`` can connect to both a v2.3 server with ``cipher BF-CBC`` as well as a server with ``cipher AES-256-CBC`` in its config. The other way around, a v2.3 client with either ``cipher BF-CBC`` or ``cipher AES-256-CBC`` can connect to a v2.4 server with e.g. ``cipher BF-CBC`` and ``ncp-ciphers AES-256-GCM:AES-256-CBC`` in its config. For this to work it requires that OpenVPN was built without disabling OCC support. AEAD (GCM) data channel cipher support The data channel now supports AEAD ciphers (currently only GCM). The AEAD packet format has a smaller crypto overhead than the CBC packet format, (e.g. 20 bytes per packet for AES-128-GCM instead of 36 bytes per packet for AES-128-CBC + HMAC-SHA1). ECDH key exchange The TLS control channel now supports for elliptic curve diffie-hellmann key exchange (ECDH). Improved Certificate Revocation List (CRL) processing CRLs are now handled by the crypto library (OpenSSL or mbed TLS), instead of inside OpenVPN itself. The crypto library implementations are more strict than the OpenVPN implementation was. This might reject peer certificates that would previously be accepted. If this occurs, OpenVPN will log the crypto library's error description. Dualstack round-robin DNS client connect Instead of only using the first address of each ``--remote`` OpenVPN will now try all addresses (IPv6 and IPv4) of a ``--remote`` entry. Support for providing IPv6 DNS servers A new DHCP sub-option ``DNS6`` is added alongside with the already existing ``DNS`` sub-option. This is used to provide DNS resolvers available over IPv6. This may be pushed to clients where `` --up`` scripts and ``--plugin`` can act upon it through the ``foreign_option_`` environment variables. Support for the Windows client picking up this new sub-option is added, however IPv6 DNS resolvers need to be configured via ``netsh`` which requires administrator privileges unless the new interactive services on Windows is being used. If the interactive service is used, this service will execute ``netsh`` in the background with the proper privileges. New improved Windows Background service The new OpenVPNService is based on openvpnserv2, a complete rewrite of the OpenVPN service wrapper. It is intended for launching OpenVPN instances that should be up at all times, instead of being manually launched by a user. OpenVPNService is able to restart individual OpenVPN processes if they crash, and it also works properly on recent Windows versions. OpenVPNServiceLegacy tends to work poorly, if at all, on newer Windows versions (8+) and its use is not recommended. New interactive Windows service The installer starts OpenVPNServiceInteractive automatically and configures it to start at system startup. The interactive Windows service allows unprivileged users to start OpenVPN connections in the global config directory (usually C:\\Program Files\\OpenVPN\\config) using OpenVPN GUI without any extra configuration. Users who belong to the built-in Administrator group or to the local "OpenVPN Administrator" group can also store configuration files under %USERPROFILE%\\OpenVPN\\config for use with the interactive service. redirect-gateway ipv6 OpenVPN has now feature parity between IPv4 and IPv6 for redirect gateway including the handling of overlapping IPv6 routes with IPv6 remote VPN server address. LZ4 Compression and pushable compression Additionally to LZO compression OpenVPN now also supports LZ4 compression. Compression options are now pushable from the server. Filter pulled options client-side: pull-filter New option to explicitly allow or reject options pushed by the server. May be used multiple times and is applied in the order specified. Per-client remove push options: push-remove New option to remove options on a per-client basis from the "push" list (more fine-grained than ``--push-reset``). Http proxy password inside config file Http proxy passwords can be specified with the inline file option ```` .. ```` Windows version detection Windows version is detected, logged and possibly signalled to server (IV_PLAT_VER= if ``--push-peer-info`` is set on client). Authentication tokens In situations where it is not suitable to save user passwords on the client, OpenVPN has support for pushing a --auth-token since v2.3. This option is pushed from the server to the client with a token value to be used instead of the users password. For this to work, the authentication plug-in would need to implement this support as well. In OpenVPN 2.4 --auth-gen-token is introduced, which will allow the OpenVPN server to generate a random token and push it to the client without any changes to the authentication modules. When the clients need to re-authenticate the OpenVPN server will do the authentication internally, instead of sending the re-authentication request to the authentication module . This feature is especially useful in configurations which use One Time Password (OTP) authentication schemes, as this allows the tunnel keys to be renegotiated regularly without any need to supply new OTP codes. keying-material-exporter Keying Material Exporter [RFC-5705] allow additional keying material to be derived from existing TLS channel. Mac OS X Keychain management client Added contrib/keychain-mcd which allows to use Mac OS X keychain certificates with OpenVPN. Android platform support Support for running on Android using Android's VPNService API has been added. See doc/android.txt for more details. This support is primarily used in the OpenVPN for Android app (https://github.com/schwabe/ics-openvpn) AIX platform support AIX platform support has been added. The support only includes tap devices since AIX does not provide tun interface. Control channel encryption (``--tls-crypt``) Use a pre-shared static key (like the ``--tls-auth`` key) to encrypt control channel packets. Provides more privacy, some obfuscation and poor-man's post-quantum security. Asynchronous push reply Plug-ins providing support for deferred authentication can benefit from a more responsive authentication where the server sends PUSH_REPLY immediately once the authentication result is ready, instead of waiting for the the client to to send PUSH_REQUEST once more. This requires OpenVPN to be built with ``./configure --enable-async-push``. This is a compile-time only switch. Deprecated features ------------------- For an up-to-date list of all deprecated options, see this wiki page: https://community.openvpn.net/openvpn/wiki/DeprecatedOptions - ``--key-method 1`` is deprecated in OpenVPN 2.4 and will be removed in v2.5. Migrate away from ``--key-method 1`` as soon as possible. The recommended approach is to remove the ``--key-method`` option from the configuration files, OpenVPN will then use ``--key-method 2`` by default. Note that this requires changing the option in both the client and server side configs. - ``--tls-remote`` is removed in OpenVPN 2.4, as indicated in the v2.3 man-pages. Similar functionality is provided via ``--verify-x509-name``, which does the same job in a better way. - ``--compat-names`` and ``--no-name-remapping`` were deprecated in OpenVPN 2.3 and will be removed in v2.5. All scripts and plug-ins depending on the old non-standard X.509 subject formatting must be updated to the standardized formatting. See the man page for more information. - ``--no-iv`` is deprecated in OpenVPN 2.4 and will be removed in v2.5. - ``--keysize`` is deprecated in OpenVPN 2.4 and will be removed in v2.6 together with the support of ciphers with cipher block size less than 128-bits. - ``--comp-lzo`` is deprecated in OpenVPN 2.4. Use ``--compress`` instead. - ``--ifconfig-pool-linear`` has been deprecated since OpenVPN 2.1 and will be removed in v2.5. Use ``--topology p2p`` instead. - ``--client-cert-not-required`` is deprecated in OpenVPN 2.4 and will be removed in v2.5. Use ``--verify-client-cert none`` for a functional equivalent. - ``--ns-cert-type`` is deprecated in OpenVPN 2.3.18 and v2.4. It will be removed in v2.5. Use the far better ``--remote-cert-tls`` option which replaces this feature. User-visible Changes -------------------- - When using ciphers with cipher blocks less than 128-bits, OpenVPN will complain loudly if the configuration uses ciphers considered weak, such as the SWEET32 attack vector. In such scenarios, OpenVPN will by default renegotiate for each 64MB of transported data (``--reneg-bytes``). This renegotiation can be disabled, but is HIGHLY DISCOURAGED. - For certificate DNs with duplicate fields, e.g. "OU=one,OU=two", both fields are now exported to the environment, where each second and later occurrence of a field get _$N appended to it's field name, starting at N=1. For the example above, that would result in e.g. X509_0_OU=one, X509_0_OU_1=two. Note that this breaks setups that rely on the fact that OpenVPN would previously (incorrectly) only export the last occurence of a field. - ``proto udp`` and ``proto tcp`` now use both IPv4 and IPv6. The new options ``proto udp4`` and ``proto tcp4`` use IPv4 only. - ``--sndbuf`` and ``--recvbuf`` default now to OS defaults instead of 64k - OpenVPN exits with an error if an option has extra parameters; previously they were silently ignored - ``--tls-auth`` always requires OpenVPN static key files and will no longer work with free form files - ``--proto udp6/tcp6`` in server mode will now try to always listen to both IPv4 and IPv6 on platforms that allow it. Use ``--bind ipv6only`` to explicitly listen only on IPv6. - Removed ``--enable-password-save`` from configure. This option is now always enabled. - Stricter default TLS cipher list (override with ``--tls-cipher``), that now also disables: * Non-ephemeral key exchange using static (EC)DH keys * DSS private keys - mbed TLS builds: changed the tls_digest_N values exported to the script environment to be equal to the ones exported by OpenSSL builds, namely the certificate fingerprint (was the hash of the 'to be signed' data). - mbed TLS builds: minimum RSA key size is now 2048 bits. Shorter keys will not be accepted, both local and from the peer. - ``--connect-timeout`` now specifies the timeout until the first TLS packet is received (identical to ``--server-poll-timeout``) and this timeout now includes the removed socks proxy timeout and http proxy timeout. In ``--static`` mode ``connect-timeout`` specifies the timeout for TCP and proxy connection establishment - ``--connect-retry-max`` now specifies the maximum number of unsuccessful attempts of each remote/connection entry before exiting. - ``--http-proxy-timeout`` and the static non-changeable socks timeout (5s) have been folded into a "unified" ``--connect-timeout`` which covers all steps needed to connect to the server, up to the start of the TLS exchange. The default value has been raised to 120s, to handle slow http/socks proxies graciously. The old "fail TCP fast" behaviour can be achieved by adding "``--connect-timeout 10``" to the client config. - ``--http-proxy-retry`` and ``--sock-proxy-retry`` have been removed. Proxy connections will now behave like regular connection entries and generate a USR1 on failure. - ``--connect-retry`` gets an optional second argument that specifies the maximum time in seconds to wait between reconnection attempts when an exponential backoff is triggered due to repeated retries. Default = 300 seconds. - Data channel cipher negotiation (see New features section) can override ciphers configured in the config file. Use ``--ncp-disable`` if you do not want this behavior. - All tun devices on all platforms are always considered to be IPv6 capable. The ``--tun-ipv6`` option is ignored (behaves like it is always on). - On the client side recursively routed packets, which have the same destination as the VPN server, are dropped. This can be disabled with --allow-recursive-routing option. - On Windows, when the ``--register-dns`` option is set, OpenVPN no longer restarts the ``dnscache`` service - this had unwanted side effects, and seems to be no longer necessary with currently supported Windows versions. - If no flags are given, and the interactive Windows service is used, "def1" is implicitly set (because "delete and later reinstall the existing default route" does not work well here). If not using the service, the old behaviour is kept. - OpenVPN now reloads a CRL only if the modication time or file size has changed, instead of for each new connection. This reduces the connection setup time, in particular when using large CRLs. - OpenVPN now ships with more up-to-date systemd unit files which take advantage of the improved service management as well as some hardening steps. The configuration files are picked up from the /etc/openvpn/server/ and /etc/openvpn/client/ directories (depending on unit file). This also avoids these new unit files and how they work to collide with older pre-existing unit files. - Using ``--no-iv`` (which is generally not a recommended setup) will require explicitly disabling NCP with ``--disable-ncp``. This is intentional because NCP will by default use AES-GCM, which requires an IV - so we want users of that option to consciously reconsider. Maintainer-visible changes -------------------------- - OpenVPN no longer supports building with crypto support, but without TLS support. As a consequence, OPENSSL_CRYPTO_{CFLAGS,LIBS} and OPENSSL_SSL_{CFLAGS,LIBS} have been merged into OPENSSL_{CFLAGS,LIBS}. This is particularly relevant for maintainers who build their own OpenSSL library, e.g. when cross-compiling. - Linux distributions using systemd is highly encouraged to ship these new unit files instead of older ones, to provide a unified behaviour across systemd based Linux distributions. - With OpenVPN 2.4, the project has moved over to depend on and actively use the official C99 standard (-std=c99). This may fail on some older compiler/libc header combinations. In most of these situations it is recommended to use -std=gnu99 in CFLAGS. This is known to be needed when doing i386/i686 builds on RHEL5. Version 2.4.4 ============= This is primarily a maintenance release, with further improved OpenSSL 1.1 integration, several minor bug fixes and other minor improvements. Bug fixes --------- - Fix issues when a pushed cipher via the Negotiable Crypto Parameters (NCP) is rejected by the remote side - Ignore ``--keysize`` when NCP have resulted in a changed cipher. - Configurations using ``--auth-nocache`` and the management interface to provide user credentials (like NetworkManager on Linux) on client side with servers implementing authentication tokens (for example, using ``--auth-gen-token``) will now behave correctly and not query the user for an, to them, unknown authentication token on renegotiations of the tunnel. - Fix bug causing invalid or corrupt SOCKS port number when changing the proxy via the management interface. - The man page should now have proper escaping of hyphens/minus characters and have seen some minor corrections. User-visible Changes -------------------- - Linux servers with systemd which uses the ``openvpn-server@.service`` unit file for server configurations will now utilize the automatic restart feature in systemd. If the OpenVPN server process dies unexpectedly, systemd will ensure the OpenVPN configuration will be restarted without any user interaction. Deprecated features ------------------- - ``--no-replay`` is deprecated and will be removed in OpenVPN 2.5. - ``--keysize`` is deprecated in OpenVPN 2.4 and will be removed in v2.6 Security -------- - CVE-2017-12166: Fix bounds check for configurations using ``--key-method 1``. Before this fix, it could allow an attacker to send a malformed packet to trigger a stack overflow. This is considered to be a low risk issue, as ``--key-method 2`` has been the default since OpenVPN 2.0 (released on 2005-04-17). This option is already deprecated in v2.4 and will be completely removed in v2.5. Version 2.4.3 ============= New features ------------ - Support building with OpenSSL 1.1 now (in addition to older versions) - On Win10, set low interface metric for TAP adapter when block-outside-dns is in use, to make Windows prefer the TAP adapter for DNS queries (avoiding large delays) Security -------- - CVE-2017-7522: Fix ``--x509-track`` post-authentication remote DoS A client could crash a v2.4+ mbedtls server, if that server uses the ``--x509-track`` option and the client has a correct, signed and unrevoked certificate that contains an embedded NUL in the certificate subject. Discovered and reported to the OpenVPN security team by Guido Vranken. - CVE-2017-7521: Fix post-authentication remote-triggerable memory leaks A client could cause a server to leak a few bytes each time it connects to the server. That can eventuall cause the server to run out of memory, and thereby causing the server process to terminate. Discovered and reported to the OpenVPN security team by Guido Vranken. (OpenSSL builds only.) - CVE-2017-7521: Fix a potential post-authentication remote code execution attack on servers that use the ``--x509-username-field`` option with an X.509 extension field (option argument prefixed with ``ext:``). A client that can cause a server to run out-of-memory (see above) might be able to cause the server to double free, which in turn might lead to remote code execution. Discovered and reported to the OpenVPN security team by Guido Vranken. (OpenSSL builds only.) - CVE-2017-7520: Pre-authentication remote crash/information disclosure for clients. If clients use a HTTP proxy with NTLM authentication (i.e. ``--http-proxy [|'auto'|'auto-nct'] ntlm2``), a man-in-the-middle attacker between the client and the proxy can cause the client to crash or disclose at most 96 bytes of stack memory. The disclosed stack memory is likely to contain the proxy password. If the proxy password is not reused, this is unlikely to compromise the security of the OpenVPN tunnel itself. Clients who do not use the ``--http-proxy`` option with ntlm2 authentication are not affected. - CVE-2017-7508: Fix remotely-triggerable ASSERT() on malformed IPv6 packet. This can be used to remotely shutdown an openvpn server or client, if IPv6 and ``--mssfix`` are enabled and the IPv6 networks used inside the VPN are known. - Fix null-pointer dereference when talking to a malicious http proxy that returns a malformed Proxy-Authenticate: headers for digest auth. - Fix overflow check for long ``--tls-cipher`` option - Windows: Pass correct buffer size to ``GetModuleFileNameW()`` (OSTIF/Quarkslabs audit, finding 5.6) User-visible Changes -------------------- - ``--verify-hash`` can now take an optional flag which changes the hashing algorithm. It can be either SHA1 or SHA256. The default if not provided is SHA1 to preserve backwards compatibility with existing configurations. - Restrict the supported ``--x509-username-field`` extension fields to subjectAltName and issuerAltName. Other extensions probably didn't work anyway, and would cause OpenVPN to crash when a client connects. Bugfixes -------- - Fix fingerprint calculation in mbed TLS builds. This means that mbed TLS users of OpenVPN 2.4.0, v2.4.1 and v2.4.2 that rely on the values of the ``tls_digest_*`` env vars, or that use ``--verify-hash`` will have to change the fingerprint values they check against. The security impact of the incorrect calculation is very minimal; the last few bytes (max 4, typically 4) are not verified by the fingerprint. We expect no real-world impact, because users that used this feature before will notice that it has suddenly stopped working, and users that didn't will notice that connection setup fails if they specify correct fingerprints. - Fix edge case with NCP when the server sends an empty PUSH_REPLY message back, and the client would not initialize it's data channel crypto layer properly (trac #903) - Fix SIGSEGV on unaligned buffer access on OpenBSD/Sparc64 - Fix TCP_NODELAY on OpenBSD - Remove erroneous limitation on max number of args for --plugin - Fix NCP behaviour on TLS reconnect (Server would not send a proper "cipher ..." message back to the client, leading to client and server using different ciphers) (trac #887) Version 2.4.2 ============= Bugfixes -------- - Fix memory leak introduced in OpenVPN 2.4.1: if ``--remote-cert-tls`` is used, we leaked some memory on each TLS (re)negotiation. Security -------- - Fix a pre-authentication denial-of-service attack on both clients and servers. By sending a too-large control packet, OpenVPN 2.4.0 or v2.4.1 can be forced to hit an ASSERT() and stop the process. If ``--tls-auth`` or ``--tls-crypt`` is used, only attackers that have the ``--tls-auth`` or ``--tls-crypt`` key can mount an attack. (OSTIF/Quarkslab audit finding 5.1, CVE-2017-7478) - Fix an authenticated remote DoS vulnerability that could be triggered by causing a packet id roll over. An attack is rather inefficient; a peer would need to get us to send at least about 196 GB of data. (OSTIF/Quarkslab audit finding 5.2, CVE-2017-7479) Version 2.4.1 ============= - ``--remote-cert-ku`` now only requires the certificate to have at least the bits set of one of the values in the supplied list, instead of requiring an exact match to one of the values in the list. - ``--remote-cert-tls`` now only requires that a keyUsage is present in the certificate, and leaves the verification of the value up to the crypto library, which has more information (i.e. the key exchange method in use) to verify that the keyUsage is correct. - ``--ns-cert-type`` is deprecated. Use ``--remote-cert-tls`` instead. The nsCertType x509 extension is very old, and barely used. ``--remote-cert-tls`` uses the far more common keyUsage and extendedKeyUsage extension instead. Make sure your certificates carry these to be able to use ``--remote-cert-tls``. openvpn-2.4.4/INSTALL000066400000000000000000000302541316434344000142450ustar00rootroot00000000000000Installation instructions for OpenVPN, a Secure Tunneling Daemon Copyright (C) 2002-2010 OpenVPN Technologies, Inc. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License version 2 as published by the Free Software Foundation. ************************************************************************* QUICK START: Unix: ./configure && make && make-install ************************************************************************* To download OpenVPN, go to: http://openvpn.net/download.html OpenVPN releases are also available as Debian/RPM packages: https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos To download easy-rsa go to: https://github.com/OpenVPN/easy-rsa To download tap-windows (NDIS 5) driver source code go to: https://github.com/OpenVPN/tap-windows To download tap-windows (NDIS 6) driver source code go to: https://github.com/OpenVPN/tap-windows6 To get the cross-compilation environment go to: https://github.com/OpenVPN/openvpn-build For step-by-step instructions with real-world examples see: http://openvpn.net/howto.html https://community.openvpn.net/openvpn/wiki For examples see: http://openvpn.net/examples.html Also see the man page for more information, usage examples, and information on firewall configuration. ************************************************************************* SUPPORTED PLATFORMS: (1) Linux (kernel 2.6+) (2) Solaris (3) OpenBSD 5.1+ (4) Mac OS X Darwin 10.5+ (5) FreeBSD 7.4+ (6) NetBSD 5.0+ (7) Windows Vista or later for OpenVPN 2.4 (8) Windows XP or later for OpenVPN 2.3 SUPPORTED PROCESSOR ARCHITECTURES: In general, OpenVPN is word size and endian independent, so most processors should be supported. Architectures known to work include Intel x86, Alpha, Sparc, Amd64, and ARM. REQUIRES: (1) TUN and/or TAP driver to allow user-space programs to control a virtual point-to-point IP or Ethernet device. See TUN/TAP Driver Configuration section below for more info. OPTIONAL (but recommended): (1) OpenSSL library, necessary for encryption, version 0.9.8 or higher required, available from http://www.openssl.org/ (2) mbed TLS library, an alternative for encryption, version 2.0 or higher required, available from https://tls.mbed.org/ (3) LZO real-time compression library, required for link compression, available from http://www.oberhumer.com/opensource/lzo/ OpenBSD users can use ports or packages to install lzo, but remember to add CFLAGS="-I/usr/local/include" LDFLAGS="-L/usr/local/lib" directives to "configure", since gcc will not find them otherwise. OPTIONAL (for developers only): (1) Autoconf 2.59 or higher + Automake 1.9 or higher -- available from http://www.gnu.org/software/software.html (2) Dmalloc library -- available from http://dmalloc.com/ (3) If using t_client.sh test framework, fping/fping6 is needed -- Available from http://www.fping.org/ Note: t_client.sh needs an external configured OpenVPN server. See t_client.rc-sample for more info. ************************************************************************* CHECK OUT SOURCE FROM SOURCE REPOSITORY: Clone the repository: git clone https://github.com/OpenVPN/openvpn git clone git://openvpn.git.sourceforge.net/gitroot/openvpn/openvpn Check out stable version: git checkout -b 2.2 remotes/origin/release/2.2 Check out master (unstable) branch: git checkout master ************************************************************************* BUILD COMMANDS FROM TARBALL: ./configure make make install ************************************************************************* BUILD COMMANDS FROM SOURCE REPOSITORY CHECKOUT: autoreconf -i -v -f ./configure make make install ************************************************************************* BUILD A TARBALL FROM SOURCE REPOSITORY CHECKOUT: autoreconf -i -v -f ./configure make dist ************************************************************************* TESTS (after BUILD): make check (Run all tests below) Test Crypto: ./openvpn --genkey --secret key ./openvpn --test-crypto --secret key Test SSL/TLS negotiations (runs for 2 minutes): ./openvpn --config sample/sample-config-files/loopback-client (In one window) ./openvpn --config sample/sample-config-files/loopback-server (Simultaneously in another window) For more thorough client-server tests you can configure your own, private test environment. See tests/t_client.rc-sample for details. ************************************************************************* OPTIONS for ./configure: --disable-lzo disable LZO compression support [default=yes] --enable-lzo-stub don't compile LZO compression support but still allow limited interoperability with LZO-enabled peers [default=no] --disable-crypto disable crypto support [default=yes] --disable-ssl disable SSL support for TLS-based key exchange [default=yes] --enable-x509-alt-username enable the --x509-username-field feature [default=no] --disable-multi disable client/server support (--mode server + client mode) [default=yes] --disable-server disable server support only (but retain client support) [default=yes] --disable-plugins disable plug-in support [default=yes] --disable-management disable management server support [default=yes] --enable-pkcs11 enable pkcs11 support [default=no] --disable-socks disable Socks support [default=yes] --disable-http-proxy disable HTTP proxy support [default=yes] --disable-fragment disable internal fragmentation support (--fragment) [default=yes] --disable-multihome disable multi-homed UDP server support (--multihome) [default=yes] --disable-port-share disable TCP server port-share support (--port-share) [default=yes] --disable-debug disable debugging support (disable gremlin and verb 7+ messages) [default=yes] --enable-small enable smaller executable size (disable OCC, usage message, and verb 4 parm list) [default=yes] --enable-password-save allow --askpass and --auth-user-pass passwords to be read from a file [default=yes] --enable-iproute2 enable support for iproute2 [default=no] --disable-def-auth disable deferred authentication [default=yes] --disable-pf disable internal packet filter [default=yes] --enable-strict enable strict compiler warnings (debugging option) [default=no] --enable-pedantic enable pedantic compiler warnings, will not generate a working executable (debugging option) [default=no] --enable-strict-options enable strict options check between peers (debugging option) [default=no] --enable-selinux enable SELinux support [default=no] --enable-systemd enable systemd suppport [default=no] ENVIRONMENT for ./configure: IFCONFIG full path to ipconfig utility ROUTE full path to route utility IPROUTE full path to ip utility NETSTAT path to netstat utility MAN2HTML path to man2html utility GIT path to git utility TAP_CFLAGS C compiler flags for tap OPENSSL_CFLAGS C compiler flags for OpenSSL, overriding pkg-config OPENSSL_LIBS linker flags for OpenSSL, overriding pkg-config POLARSSL_CFLAGS C compiler flags for polarssl POLARSSL_LIBS linker flags for polarssl LZO_CFLAGS C compiler flags for lzo LZO_LIBS linker flags for lzo PKCS11_HELPER_CFLAGS C compiler flags for PKCS11_HELPER, overriding pkg-config PKCS11_HELPER_LIBS linker flags for PKCS11_HELPER, overriding pkg-config ************************************************************************* BUILDING ON LINUX 2.6+ FROM RPM You can build a binary RPM directly from the OpenVPN tarball file: rpmbuild -tb [tarball] This command will build a binary RPM file and place it in the system RPM directory. You can then install the RPM with the standard RPM install command: rpm -ivh [binary-rpm] When you install the binary RPM, it will install sample-scripts/openvpn.init, which can be used to automatically start or stop one or more OpenVPN tunnels on system startup or shutdown, based on OpenVPN .conf files in /etc/openvpn. See the comments in openvpn.init for more information. Installing the RPM will also configure the TUN/TAP device node for linux 2.6. Note that the current openvpn.spec file, which instructs the rpm tool how to build a package, will build OpenVPN with all options enabled, including OpenSSL, LZO, and pthread linkage. Therefore all of these packages will need to be present prior to the RPM build, unless you edit the openvpn.spec file. ************************************************************************* TUN/TAP Driver Configuration: * Linux 2.6 or higher (with integrated TUN/TAP driver): (1) load driver: modprobe tun (2) enable routing: echo 1 > /proc/sys/net/ipv4/ip_forward Note that (1) needs to be done once per reboot. If you install from RPM (see above) and use the openvpn.init script, these steps are taken care of for you. * FreeBSD: FreeBSD ships with the TUN/TAP driver, and the device nodes for tap0, tap1, tap2, tap3, tun0, tun1, tun2 and tun3 are made by default. However, only the TUN driver is linked into the GENERIC kernel. To load the TAP driver, enter: kldload if_tap See man rc(8) to find out how you can do this at boot time. The easiest way is to install OpenVPN from the FreeBSD ports system, the port includes a sample script to automatically load the TAP driver at boot-up time. * OpenBSD: OpenBSD has dynamically created tun* devices so you only need to create an empty /etc/hostname.tun0 (tun1, tun2 and so on) for each tun you plan to use to create the device(s) at boot. * Solaris: You need a TUN/TAP kernel driver for OpenVPN to work: http://www.whiteboard.ne.jp/~admin2/tuntap/ * Windows OpenVPN on Windows needs a TUN/TAP kernel driver to work. OpenVPN installers include this driver, so installing it separately is not usually required. Windows XP/2003 must use the NDIS 5 (tap-windows) driver, whereas on more recent Windows versions it is recommended to use the NDIS 6 driver (tap-windows6) instead. ************************************************************************* CAVEATS & BUGS: * I have noticed cases where TCP sessions tunneled over the Linux TAP driver (kernel 2.4.21 and 2.4.22) stall when lower --mssfix values are used. The TCP sessions appear to unstall and resume normally when the remote VPN endpoint is pinged. * If run through a firewall using OpenBSDs packet filter PF and the filter rules include a "scrub" directive, you may get problems talking to Linux hosts over the tunnel, since the scrubbing will kill packets sent from Linux hosts if they are fragmented. This is usually seen as tunnels where small packets and pings get through but large packets and "regular traffic" don't. To circumvent this, add "no-df" to the scrub directive so that the packet filter will let fragments with the "dont fragment"-flag set through anyway. * Mixing OFB or CFB cipher modes with static key mode is not recommended, and is flagged as an error on OpenVPN versions 1.2.1 and greater. If you use the --cipher option to explicitly select an OFB or CFB cipher AND you are using static key mode, it is possible that there could be an IV collision if the OpenVPN daemons on both sides of the connection are started at exactly the same time, since OpenVPN uses a timestamp combined with a sequence number as the cipher IV for OFB and CFB modes. This is not an issue if you are using CBC cipher mode (the default), or if you are using OFB or CFB cipher mode with SSL/TLS authentication. openvpn-2.4.4/Makefile.am000066400000000000000000000063061316434344000152510ustar00rootroot00000000000000# # OpenVPN -- An application to securely tunnel IP networks # over a single UDP port, with support for SSL/TLS-based # session authentication and key exchange, # packet encryption, packet authentication, and # packet compression. # # Copyright (C) 2002-2017 OpenVPN Technologies, Inc. # Copyright (C) 2010 David Sommerseth # Copyright (C) 2006-2012 Alon Bar-Lev # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 # as published by the Free Software Foundation. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License along # with this program; if not, write to the Free Software Foundation, Inc., # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # # This option prevents autoreconf from overriding our COPYING and # INSTALL targets: AUTOMAKE_OPTIONS = foreign 1.9 ACLOCAL_AMFLAGS = -I m4 MAINTAINERCLEANFILES = \ config.log config.status \ $(srcdir)/Makefile.in \ $(srcdir)/config.h.in $(srcdir)/config.h.in~ $(srcdir)/configure \ $(srcdir)/install-sh $(srcdir)/ltmain.sh $(srcdir)/missing \ $(srcdir)/m4/libtool.m4 $(srcdir)/m4/lt~obsolete.m4 \ $(srcdir)/m4/ltoptions.m4 $(srcdir)/m4/ltsugar.m4 \ $(srcdir)/m4/ltversion.m4 \ $(srcdir)/depcomp $(srcdir)/aclocal.m4 \ $(srcdir)/config.guess $(srcdir)/config.sub CLEANFILES = \ config-version.h tests/t_client.sh EXTRA_DIST = \ contrib \ debug .PHONY: config-version.h if GIT_CHECKOUT BUILT_SOURCES = \ config-version.h endif SUBDIRS = build distro include src sample doc vendor tests dist_doc_DATA = \ README \ README.IPv6 \ README.mbedtls \ Changes.rst \ COPYRIGHT.GPL \ COPYING dist_noinst_DATA = \ .gitignore \ .gitattributes \ PORTS \ README.IPv6 TODO.IPv6 \ README.mbedtls \ openvpn.sln \ msvc-env.bat \ msvc-dev.bat \ msvc-build.bat dist_noinst_HEADERS = \ config-msvc.h \ config-msvc-version.h.in if WIN32 rootdir=$(prefix) root_DATA = version.sh endif config-version.h: @CONFIGURE_GIT_CHFILES="`GIT_DIR=\"$(top_srcdir)/.git\" $(GIT) diff-files --name-status -r --ignore-submodules --quiet -- || echo \"+\"`"; \ CONFIGURE_GIT_UNCOMMITTED="`GIT_DIR=\"$(top_srcdir)/.git\" $(GIT) diff-index --cached --quiet --ignore-submodules HEAD || echo \"*\"`"; \ CONFIGURE_GIT_REVISION="`GIT_DIR=\"$(top_srcdir)/.git\" $(GIT) rev-parse --symbolic-full-name HEAD | cut -d/ -f3-`/`GIT_DIR=\"$(top_srcdir)/.git\" $(GIT) rev-parse --short=16 HEAD`"; \ echo "#define CONFIGURE_GIT_REVISION \"$${CONFIGURE_GIT_REVISION}\"" > config-version.h.tmp; \ echo "#define CONFIGURE_GIT_FLAGS \"$${CONFIGURE_GIT_CHFILES}$${CONFIGURE_GIT_UNCOMMITTED}\"" >> config-version.h.tmp @if ! [ -f config-version.h ] || ! cmp -s config-version.h.tmp config-version.h; then \ echo "replacing config-version.h"; \ mv config-version.h.tmp config-version.h; \ else \ rm -f config-version.h.tmp; \ fi openvpn-2.4.4/Makefile.in000066400000000000000000001030421316434344000152550ustar00rootroot00000000000000# Makefile.in generated by automake 1.14.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2013 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY, to the extent permitted by law; without # even the implied warranty of MERCHANTABILITY or FITNESS FOR A # PARTICULAR PURPOSE. @SET_MAKE@ # # OpenVPN -- An application to securely tunnel IP networks # over a single UDP port, with support for SSL/TLS-based # session authentication and key exchange, # packet encryption, packet authentication, and # packet compression. # # Copyright (C) 2002-2017 OpenVPN Technologies, Inc. # Copyright (C) 2010 David Sommerseth # Copyright (C) 2006-2012 Alon Bar-Lev # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 # as published by the Free Software Foundation. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License along # with this program; if not, write to the Free Software Foundation, Inc., # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # VPATH = @srcdir@ am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ *) echo "am__make_running_with_option: internal error: invalid" \ "target option '$${target_option-}' specified" >&2; \ exit 1;; \ esac; \ has_opt=no; \ sane_makeflags=$$MAKEFLAGS; \ if $(am__is_gnu_make); then \ sane_makeflags=$$MFLAGS; \ else \ case $$MAKEFLAGS in \ *\\[\ \ ]*) \ bs=\\; \ sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ esac; \ fi; \ skip_next=no; \ strip_trailopt () \ { \ flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ }; \ for flg in $$sane_makeflags; do \ test $$skip_next = yes && { skip_next=no; continue; }; \ case $$flg in \ *=*|--*) continue;; \ -*I) strip_trailopt 'I'; skip_next=yes;; \ -*I?*) strip_trailopt 'I';; \ -*O) strip_trailopt 'O'; skip_next=yes;; \ -*O?*) strip_trailopt 'O';; \ -*l) strip_trailopt 'l'; skip_next=yes;; \ -*l?*) strip_trailopt 'l';; \ -[dEDm]) skip_next=yes;; \ -[JT]) skip_next=yes;; \ esac; \ case $$flg in \ *$$target_option*) has_opt=yes; break;; \ esac; \ done; \ test $$has_opt = yes am__make_dryrun = (target_option=n; $(am__make_running_with_option)) am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) pkgdatadir = $(datadir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ pkglibdir = $(libdir)/@PACKAGE@ pkglibexecdir = $(libexecdir)/@PACKAGE@ am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c install_sh_SCRIPT = $(install_sh) -c INSTALL_HEADER = $(INSTALL_DATA) transform = $(program_transform_name) NORMAL_INSTALL = : PRE_INSTALL = : POST_INSTALL = : NORMAL_UNINSTALL = : PRE_UNINSTALL = : POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = . DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ $(top_srcdir)/configure $(am__configure_deps) \ $(srcdir)/config.h.in $(srcdir)/version.sh.in $(dist_doc_DATA) \ $(dist_noinst_DATA) $(dist_noinst_HEADERS) AUTHORS COPYING \ ChangeLog INSTALL NEWS README compile config.guess config.sub \ install-sh missing ltmain.sh ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/ax_emptyarray.m4 \ $(top_srcdir)/m4/ax_socklen_t.m4 \ $(top_srcdir)/m4/ax_varargs.m4 $(top_srcdir)/m4/libtool.m4 \ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ $(top_srcdir)/m4/pkg.m4 $(top_srcdir)/version.m4 \ $(top_srcdir)/compat.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) am__CONFIG_DISTCLEAN_FILES = config.status config.cache config.log \ configure.lineno config.status.lineno mkinstalldirs = $(install_sh) -d CONFIG_HEADER = config.h $(top_builddir)/include/openvpn-plugin.h CONFIG_CLEAN_FILES = version.sh CONFIG_CLEAN_VPATH_FILES = AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false am__v_P_1 = : AM_V_GEN = $(am__v_GEN_@AM_V@) am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) am__v_GEN_0 = @echo " GEN " $@; am__v_GEN_1 = AM_V_at = $(am__v_at_@AM_V@) am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) am__v_at_0 = @ am__v_at_1 = SOURCES = DIST_SOURCES = RECURSIVE_TARGETS = all-recursive check-recursive cscopelist-recursive \ ctags-recursive dvi-recursive html-recursive info-recursive \ install-data-recursive install-dvi-recursive \ install-exec-recursive install-html-recursive \ install-info-recursive install-pdf-recursive \ install-ps-recursive install-recursive installcheck-recursive \ installdirs-recursive pdf-recursive ps-recursive \ tags-recursive uninstall-recursive am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ *) (install-info --version) >/dev/null 2>&1;; \ esac am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; am__vpath_adj = case $$p in \ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ *) f=$$p;; \ esac; am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; am__install_max = 40 am__nobase_strip_setup = \ srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` am__nobase_strip = \ for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" am__nobase_list = $(am__nobase_strip_setup); \ for p in $$list; do echo "$$p $$p"; done | \ sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ if (++n[$$2] == $(am__install_max)) \ { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ END { for (dir in files) print dir, files[dir] }' am__base_list = \ sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' am__uninstall_files_from_dir = { \ test -z "$$files" \ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ $(am__cd) "$$dir" && rm -f $$files; }; \ } am__installdirs = "$(DESTDIR)$(docdir)" "$(DESTDIR)$(rootdir)" DATA = $(dist_doc_DATA) $(dist_noinst_DATA) $(root_DATA) HEADERS = $(dist_noinst_HEADERS) RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive \ distclean-recursive maintainer-clean-recursive am__recursive_targets = \ $(RECURSIVE_TARGETS) \ $(RECURSIVE_CLEAN_TARGETS) \ $(am__extra_recursive_targets) AM_RECURSIVE_TARGETS = $(am__recursive_targets:-recursive=) TAGS CTAGS \ cscope distdir dist dist-all distcheck am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) \ $(LISP)config.h.in # Read a list of newline-separated strings from the standard input, # and print each of them once, without duplicates. Input order is # *not* preserved. am__uniquify_input = $(AWK) '\ BEGIN { nonempty = 0; } \ { items[$$0] = 1; nonempty = 1; } \ END { if (nonempty) { for (i in items) print i; }; } \ ' # Make sure the list of sources is unique. This is necessary because, # e.g., the same source file might be shared among _SOURCES variables # for different programs/libraries. am__define_uniq_tagged_files = \ list='$(am__tagged_files)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags CSCOPE = cscope DIST_SUBDIRS = $(SUBDIRS) DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) distdir = $(PACKAGE)-$(VERSION) top_distdir = $(distdir) am__remove_distdir = \ if test -d "$(distdir)"; then \ find "$(distdir)" -type d ! -perm -200 -exec chmod u+w {} ';' \ && rm -rf "$(distdir)" \ || { sleep 5 && rm -rf "$(distdir)"; }; \ else :; fi am__post_remove_distdir = $(am__remove_distdir) am__relativize = \ dir0=`pwd`; \ sed_first='s,^\([^/]*\)/.*$$,\1,'; \ sed_rest='s,^[^/]*/*,,'; \ sed_last='s,^.*/\([^/]*\)$$,\1,'; \ sed_butlast='s,/*[^/]*$$,,'; \ while test -n "$$dir1"; do \ first=`echo "$$dir1" | sed -e "$$sed_first"`; \ if test "$$first" != "."; then \ if test "$$first" = ".."; then \ dir2=`echo "$$dir0" | sed -e "$$sed_last"`/"$$dir2"; \ dir0=`echo "$$dir0" | sed -e "$$sed_butlast"`; \ else \ first2=`echo "$$dir2" | sed -e "$$sed_first"`; \ if test "$$first2" = "$$first"; then \ dir2=`echo "$$dir2" | sed -e "$$sed_rest"`; \ else \ dir2="../$$dir2"; \ fi; \ dir0="$$dir0"/"$$first"; \ fi; \ fi; \ dir1=`echo "$$dir1" | sed -e "$$sed_rest"`; \ done; \ reldir="$$dir2" DIST_ARCHIVES = $(distdir).tar.gz GZIP_ENV = --best DIST_TARGETS = dist-gzip distuninstallcheck_listfiles = find . -type f -print am__distuninstallcheck_listfiles = $(distuninstallcheck_listfiles) \ | sed 's|^\./|$(prefix)/|' | grep -v '$(infodir)/dir$$' distcleancheck_listfiles = find . -type f -print ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ AS = @AS@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ CMAKE = @CMAKE@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ DL_LIBS = @DL_LIBS@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ GIT = @GIT@ GREP = @GREP@ IFCONFIG = @IFCONFIG@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ IPROUTE = @IPROUTE@ LD = @LD@ LDFLAGS = @LDFLAGS@ LIBOBJS = @LIBOBJS@ LIBPAM_CFLAGS = @LIBPAM_CFLAGS@ LIBPAM_LIBS = @LIBPAM_LIBS@ LIBS = @LIBS@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ LZ4_CFLAGS = @LZ4_CFLAGS@ LZ4_LIBS = @LZ4_LIBS@ LZO_CFLAGS = @LZO_CFLAGS@ LZO_LIBS = @LZO_LIBS@ MAKEINFO = @MAKEINFO@ MAN2HTML = @MAN2HTML@ MANIFEST_TOOL = @MANIFEST_TOOL@ MBEDTLS_CFLAGS = @MBEDTLS_CFLAGS@ MBEDTLS_LIBS = @MBEDTLS_LIBS@ MKDIR_P = @MKDIR_P@ NETSTAT = @NETSTAT@ NM = @NM@ NMEDIT = @NMEDIT@ OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ OPENSSL_CFLAGS = @OPENSSL_CFLAGS@ OPENSSL_LIBS = @OPENSSL_LIBS@ OPENVPN_VERSION_MAJOR = @OPENVPN_VERSION_MAJOR@ OPENVPN_VERSION_MINOR = @OPENVPN_VERSION_MINOR@ OPENVPN_VERSION_PATCH = @OPENVPN_VERSION_PATCH@ OPTIONAL_CRYPTO_CFLAGS = @OPTIONAL_CRYPTO_CFLAGS@ OPTIONAL_CRYPTO_LIBS = @OPTIONAL_CRYPTO_LIBS@ OPTIONAL_DL_LIBS = @OPTIONAL_DL_LIBS@ OPTIONAL_LZ4_CFLAGS = @OPTIONAL_LZ4_CFLAGS@ OPTIONAL_LZ4_LIBS = @OPTIONAL_LZ4_LIBS@ OPTIONAL_LZO_CFLAGS = @OPTIONAL_LZO_CFLAGS@ OPTIONAL_LZO_LIBS = @OPTIONAL_LZO_LIBS@ OPTIONAL_PKCS11_HELPER_CFLAGS = @OPTIONAL_PKCS11_HELPER_CFLAGS@ OPTIONAL_PKCS11_HELPER_LIBS = @OPTIONAL_PKCS11_HELPER_LIBS@ OPTIONAL_SELINUX_LIBS = @OPTIONAL_SELINUX_LIBS@ OPTIONAL_SYSTEMD_LIBS = @OPTIONAL_SYSTEMD_LIBS@ OTOOL = @OTOOL@ OTOOL64 = @OTOOL64@ P11KIT_CFLAGS = @P11KIT_CFLAGS@ P11KIT_LIBS = @P11KIT_LIBS@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PKCS11_HELPER_CFLAGS = @PKCS11_HELPER_CFLAGS@ PKCS11_HELPER_LIBS = @PKCS11_HELPER_LIBS@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGINDIR = @PLUGINDIR@ PLUGIN_AUTH_PAM_CFLAGS = @PLUGIN_AUTH_PAM_CFLAGS@ PLUGIN_AUTH_PAM_LIBS = @PLUGIN_AUTH_PAM_LIBS@ RANLIB = @RANLIB@ RC = @RC@ ROUTE = @ROUTE@ SED = @SED@ SELINUX_LIBS = @SELINUX_LIBS@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ SOCKETS_LIBS = @SOCKETS_LIBS@ STRIP = @STRIP@ SYSTEMD_ASK_PASSWORD = @SYSTEMD_ASK_PASSWORD@ SYSTEMD_UNIT_DIR = @SYSTEMD_UNIT_DIR@ TAP_CFLAGS = @TAP_CFLAGS@ TAP_WIN_COMPONENT_ID = @TAP_WIN_COMPONENT_ID@ TAP_WIN_MIN_MAJOR = @TAP_WIN_MIN_MAJOR@ TAP_WIN_MIN_MINOR = @TAP_WIN_MIN_MINOR@ TEST_CFLAGS = @TEST_CFLAGS@ TEST_LDFLAGS = @TEST_LDFLAGS@ TMPFILES_DIR = @TMPFILES_DIR@ VENDOR_BUILD_ROOT = @VENDOR_BUILD_ROOT@ VENDOR_DIST_ROOT = @VENDOR_DIST_ROOT@ VENDOR_SRC_ROOT = @VENDOR_SRC_ROOT@ VERSION = @VERSION@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ ac_ct_AR = @ac_ct_AR@ ac_ct_CC = @ac_ct_CC@ ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ am__include = @am__include@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ am__tar = @am__tar@ am__untar = @am__untar@ bindir = @bindir@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ datadir = @datadir@ datarootdir = @datarootdir@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ host_os = @host_os@ host_vendor = @host_vendor@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ libdir = @libdir@ libexecdir = @libexecdir@ libsystemd_CFLAGS = @libsystemd_CFLAGS@ libsystemd_LIBS = @libsystemd_LIBS@ localedir = @localedir@ localstatedir = @localstatedir@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ pdfdir = @pdfdir@ plugindir = @plugindir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ sampledir = @sampledir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ systemdunitdir = @systemdunitdir@ target_alias = @target_alias@ tmpfilesdir = @tmpfilesdir@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ # This option prevents autoreconf from overriding our COPYING and # INSTALL targets: AUTOMAKE_OPTIONS = foreign 1.9 ACLOCAL_AMFLAGS = -I m4 MAINTAINERCLEANFILES = \ config.log config.status \ $(srcdir)/Makefile.in \ $(srcdir)/config.h.in $(srcdir)/config.h.in~ $(srcdir)/configure \ $(srcdir)/install-sh $(srcdir)/ltmain.sh $(srcdir)/missing \ $(srcdir)/m4/libtool.m4 $(srcdir)/m4/lt~obsolete.m4 \ $(srcdir)/m4/ltoptions.m4 $(srcdir)/m4/ltsugar.m4 \ $(srcdir)/m4/ltversion.m4 \ $(srcdir)/depcomp $(srcdir)/aclocal.m4 \ $(srcdir)/config.guess $(srcdir)/config.sub CLEANFILES = \ config-version.h tests/t_client.sh EXTRA_DIST = \ contrib \ debug @GIT_CHECKOUT_TRUE@BUILT_SOURCES = \ @GIT_CHECKOUT_TRUE@ config-version.h SUBDIRS = build distro include src sample doc vendor tests dist_doc_DATA = \ README \ README.IPv6 \ README.mbedtls \ Changes.rst \ COPYRIGHT.GPL \ COPYING dist_noinst_DATA = \ .gitignore \ .gitattributes \ PORTS \ README.IPv6 TODO.IPv6 \ README.mbedtls \ openvpn.sln \ msvc-env.bat \ msvc-dev.bat \ msvc-build.bat dist_noinst_HEADERS = \ config-msvc.h \ config-msvc-version.h.in @WIN32_TRUE@rootdir = $(prefix) @WIN32_TRUE@root_DATA = version.sh all: $(BUILT_SOURCES) config.h $(MAKE) $(AM_MAKEFLAGS) all-recursive .SUFFIXES: am--refresh: Makefile @: $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) @for dep in $?; do \ case '$(am__configure_deps)' in \ *$$dep*) \ echo ' cd $(srcdir) && $(AUTOMAKE) --foreign'; \ $(am__cd) $(srcdir) && $(AUTOMAKE) --foreign \ && exit 0; \ exit 1;; \ esac; \ done; \ echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --foreign Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ echo ' $(SHELL) ./config.status'; \ $(SHELL) ./config.status;; \ *) \ echo ' cd $(top_builddir) && $(SHELL) ./config.status $@ $(am__depfiles_maybe)'; \ cd $(top_builddir) && $(SHELL) ./config.status $@ $(am__depfiles_maybe);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) $(SHELL) ./config.status --recheck $(top_srcdir)/configure: $(am__configure_deps) $(am__cd) $(srcdir) && $(AUTOCONF) $(ACLOCAL_M4): $(am__aclocal_m4_deps) $(am__cd) $(srcdir) && $(ACLOCAL) $(ACLOCAL_AMFLAGS) $(am__aclocal_m4_deps): config.h: stamp-h1 @test -f $@ || rm -f stamp-h1 @test -f $@ || $(MAKE) $(AM_MAKEFLAGS) stamp-h1 stamp-h1: $(srcdir)/config.h.in $(top_builddir)/config.status @rm -f stamp-h1 cd $(top_builddir) && $(SHELL) ./config.status config.h $(srcdir)/config.h.in: $(am__configure_deps) ($(am__cd) $(top_srcdir) && $(AUTOHEADER)) rm -f stamp-h1 touch $@ distclean-hdr: -rm -f config.h stamp-h1 version.sh: $(top_builddir)/config.status $(srcdir)/version.sh.in cd $(top_builddir) && $(SHELL) ./config.status $@ mostlyclean-libtool: -rm -f *.lo clean-libtool: -rm -rf .libs _libs distclean-libtool: -rm -f libtool config.lt install-dist_docDATA: $(dist_doc_DATA) @$(NORMAL_INSTALL) @list='$(dist_doc_DATA)'; test -n "$(docdir)" || list=; \ if test -n "$$list"; then \ echo " $(MKDIR_P) '$(DESTDIR)$(docdir)'"; \ $(MKDIR_P) "$(DESTDIR)$(docdir)" || exit 1; \ fi; \ for p in $$list; do \ if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ echo "$$d$$p"; \ done | $(am__base_list) | \ while read files; do \ echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(docdir)'"; \ $(INSTALL_DATA) $$files "$(DESTDIR)$(docdir)" || exit $$?; \ done uninstall-dist_docDATA: @$(NORMAL_UNINSTALL) @list='$(dist_doc_DATA)'; test -n "$(docdir)" || list=; \ files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ dir='$(DESTDIR)$(docdir)'; $(am__uninstall_files_from_dir) install-rootDATA: $(root_DATA) @$(NORMAL_INSTALL) @list='$(root_DATA)'; test -n "$(rootdir)" || list=; \ if test -n "$$list"; then \ echo " $(MKDIR_P) '$(DESTDIR)$(rootdir)'"; \ $(MKDIR_P) "$(DESTDIR)$(rootdir)" || exit 1; \ fi; \ for p in $$list; do \ if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ echo "$$d$$p"; \ done | $(am__base_list) | \ while read files; do \ echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(rootdir)'"; \ $(INSTALL_DATA) $$files "$(DESTDIR)$(rootdir)" || exit $$?; \ done uninstall-rootDATA: @$(NORMAL_UNINSTALL) @list='$(root_DATA)'; test -n "$(rootdir)" || list=; \ files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ dir='$(DESTDIR)$(rootdir)'; $(am__uninstall_files_from_dir) # This directory's subdirectories are mostly independent; you can cd # into them and run 'make' without going through this Makefile. # To change the values of 'make' variables: instead of editing Makefiles, # (1) if the variable is set in 'config.status', edit 'config.status' # (which will cause the Makefiles to be regenerated when you run 'make'); # (2) otherwise, pass the desired values on the 'make' command line. $(am__recursive_targets): @fail=; \ if $(am__make_keepgoing); then \ failcom='fail=yes'; \ else \ failcom='exit 1'; \ fi; \ dot_seen=no; \ target=`echo $@ | sed s/-recursive//`; \ case "$@" in \ distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \ *) list='$(SUBDIRS)' ;; \ esac; \ for subdir in $$list; do \ echo "Making $$target in $$subdir"; \ if test "$$subdir" = "."; then \ dot_seen=yes; \ local_target="$$target-am"; \ else \ local_target="$$target"; \ fi; \ ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ || eval $$failcom; \ done; \ if test "$$dot_seen" = "no"; then \ $(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \ fi; test -z "$$fail" ID: $(am__tagged_files) $(am__define_uniq_tagged_files); mkid -fID $$unique tags: tags-recursive TAGS: tags tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) set x; \ here=`pwd`; \ if ($(ETAGS) --etags-include --version) >/dev/null 2>&1; then \ include_option=--etags-include; \ empty_fix=.; \ else \ include_option=--include; \ empty_fix=; \ fi; \ list='$(SUBDIRS)'; for subdir in $$list; do \ if test "$$subdir" = .; then :; else \ test ! -f $$subdir/TAGS || \ set "$$@" "$$include_option=$$here/$$subdir/TAGS"; \ fi; \ done; \ $(am__define_uniq_tagged_files); \ shift; \ if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ test -n "$$unique" || unique=$$empty_fix; \ if test $$# -gt 0; then \ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ "$$@" $$unique; \ else \ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ $$unique; \ fi; \ fi ctags: ctags-recursive CTAGS: ctags ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) $(am__define_uniq_tagged_files); \ test -z "$(CTAGS_ARGS)$$unique" \ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ $$unique GTAGS: here=`$(am__cd) $(top_builddir) && pwd` \ && $(am__cd) $(top_srcdir) \ && gtags -i $(GTAGS_ARGS) "$$here" cscope: cscope.files test ! -s cscope.files \ || $(CSCOPE) -b -q $(AM_CSCOPEFLAGS) $(CSCOPEFLAGS) -i cscope.files $(CSCOPE_ARGS) clean-cscope: -rm -f cscope.files cscope.files: clean-cscope cscopelist cscopelist: cscopelist-recursive cscopelist-am: $(am__tagged_files) list='$(am__tagged_files)'; \ case "$(srcdir)" in \ [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \ *) sdir=$(subdir)/$(srcdir) ;; \ esac; \ for i in $$list; do \ if test -f "$$i"; then \ echo "$(subdir)/$$i"; \ else \ echo "$$sdir/$$i"; \ fi; \ done >> $(top_builddir)/cscope.files distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags -rm -f cscope.out cscope.in.out cscope.po.out cscope.files distdir: $(DISTFILES) $(am__remove_distdir) test -d "$(distdir)" || mkdir "$(distdir)" @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ dist_files=`for file in $$list; do echo $$file; done | \ sed -e "s|^$$srcdirstrip/||;t" \ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ case $$dist_files in \ */*) $(MKDIR_P) `echo "$$dist_files" | \ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ sort -u` ;; \ esac; \ for file in $$dist_files; do \ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ if test -d $$d/$$file; then \ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ if test -d "$(distdir)/$$file"; then \ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ else \ test -f "$(distdir)/$$file" \ || cp -p $$d/$$file "$(distdir)/$$file" \ || exit 1; \ fi; \ done @list='$(DIST_SUBDIRS)'; for subdir in $$list; do \ if test "$$subdir" = .; then :; else \ $(am__make_dryrun) \ || test -d "$(distdir)/$$subdir" \ || $(MKDIR_P) "$(distdir)/$$subdir" \ || exit 1; \ dir1=$$subdir; dir2="$(distdir)/$$subdir"; \ $(am__relativize); \ new_distdir=$$reldir; \ dir1=$$subdir; dir2="$(top_distdir)"; \ $(am__relativize); \ new_top_distdir=$$reldir; \ echo " (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) top_distdir="$$new_top_distdir" distdir="$$new_distdir" \\"; \ echo " am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)"; \ ($(am__cd) $$subdir && \ $(MAKE) $(AM_MAKEFLAGS) \ top_distdir="$$new_top_distdir" \ distdir="$$new_distdir" \ am__remove_distdir=: \ am__skip_length_check=: \ am__skip_mode_fix=: \ distdir) \ || exit 1; \ fi; \ done -test -n "$(am__skip_mode_fix)" \ || find "$(distdir)" -type d ! -perm -755 \ -exec chmod u+rwx,go+rx {} \; -o \ ! -type d ! -perm -444 -links 1 -exec chmod a+r {} \; -o \ ! -type d ! -perm -400 -exec chmod a+r {} \; -o \ ! -type d ! -perm -444 -exec $(install_sh) -c -m a+r {} {} \; \ || chmod -R a+r "$(distdir)" dist-gzip: distdir tardir=$(distdir) && $(am__tar) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).tar.gz $(am__post_remove_distdir) dist-bzip2: distdir tardir=$(distdir) && $(am__tar) | BZIP2=$${BZIP2--9} bzip2 -c >$(distdir).tar.bz2 $(am__post_remove_distdir) dist-lzip: distdir tardir=$(distdir) && $(am__tar) | lzip -c $${LZIP_OPT--9} >$(distdir).tar.lz $(am__post_remove_distdir) dist-xz: distdir tardir=$(distdir) && $(am__tar) | XZ_OPT=$${XZ_OPT--e} xz -c >$(distdir).tar.xz $(am__post_remove_distdir) dist-tarZ: distdir @echo WARNING: "Support for shar distribution archives is" \ "deprecated." >&2 @echo WARNING: "It will be removed altogether in Automake 2.0" >&2 tardir=$(distdir) && $(am__tar) | compress -c >$(distdir).tar.Z $(am__post_remove_distdir) dist-shar: distdir @echo WARNING: "Support for distribution archives compressed with" \ "legacy program 'compress' is deprecated." >&2 @echo WARNING: "It will be removed altogether in Automake 2.0" >&2 shar $(distdir) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).shar.gz $(am__post_remove_distdir) dist-zip: distdir -rm -f $(distdir).zip zip -rq $(distdir).zip $(distdir) $(am__post_remove_distdir) dist dist-all: $(MAKE) $(AM_MAKEFLAGS) $(DIST_TARGETS) am__post_remove_distdir='@:' $(am__post_remove_distdir) # This target untars the dist file and tries a VPATH configuration. Then # it guarantees that the distribution is self-contained by making another # tarfile. distcheck: dist case '$(DIST_ARCHIVES)' in \ *.tar.gz*) \ GZIP=$(GZIP_ENV) gzip -dc $(distdir).tar.gz | $(am__untar) ;;\ *.tar.bz2*) \ bzip2 -dc $(distdir).tar.bz2 | $(am__untar) ;;\ *.tar.lz*) \ lzip -dc $(distdir).tar.lz | $(am__untar) ;;\ *.tar.xz*) \ xz -dc $(distdir).tar.xz | $(am__untar) ;;\ *.tar.Z*) \ uncompress -c $(distdir).tar.Z | $(am__untar) ;;\ *.shar.gz*) \ GZIP=$(GZIP_ENV) gzip -dc $(distdir).shar.gz | unshar ;;\ *.zip*) \ unzip $(distdir).zip ;;\ esac chmod -R a-w $(distdir) chmod u+w $(distdir) mkdir $(distdir)/_build $(distdir)/_inst chmod a-w $(distdir) test -d $(distdir)/_build || exit 0; \ dc_install_base=`$(am__cd) $(distdir)/_inst && pwd | sed -e 's,^[^:\\/]:[\\/],/,'` \ && dc_destdir="$${TMPDIR-/tmp}/am-dc-$$$$/" \ && am__cwd=`pwd` \ && $(am__cd) $(distdir)/_build \ && ../configure \ $(AM_DISTCHECK_CONFIGURE_FLAGS) \ $(DISTCHECK_CONFIGURE_FLAGS) \ --srcdir=.. --prefix="$$dc_install_base" \ && $(MAKE) $(AM_MAKEFLAGS) \ && $(MAKE) $(AM_MAKEFLAGS) dvi \ && $(MAKE) $(AM_MAKEFLAGS) check \ && $(MAKE) $(AM_MAKEFLAGS) install \ && $(MAKE) $(AM_MAKEFLAGS) installcheck \ && $(MAKE) $(AM_MAKEFLAGS) uninstall \ && $(MAKE) $(AM_MAKEFLAGS) distuninstallcheck_dir="$$dc_install_base" \ distuninstallcheck \ && chmod -R a-w "$$dc_install_base" \ && ({ \ (cd ../.. && umask 077 && mkdir "$$dc_destdir") \ && $(MAKE) $(AM_MAKEFLAGS) DESTDIR="$$dc_destdir" install \ && $(MAKE) $(AM_MAKEFLAGS) DESTDIR="$$dc_destdir" uninstall \ && $(MAKE) $(AM_MAKEFLAGS) DESTDIR="$$dc_destdir" \ distuninstallcheck_dir="$$dc_destdir" distuninstallcheck; \ } || { rm -rf "$$dc_destdir"; exit 1; }) \ && rm -rf "$$dc_destdir" \ && $(MAKE) $(AM_MAKEFLAGS) dist \ && rm -rf $(DIST_ARCHIVES) \ && $(MAKE) $(AM_MAKEFLAGS) distcleancheck \ && cd "$$am__cwd" \ || exit 1 $(am__post_remove_distdir) @(echo "$(distdir) archives ready for distribution: "; \ list='$(DIST_ARCHIVES)'; for i in $$list; do echo $$i; done) | \ sed -e 1h -e 1s/./=/g -e 1p -e 1x -e '$$p' -e '$$x' distuninstallcheck: @test -n '$(distuninstallcheck_dir)' || { \ echo 'ERROR: trying to run $@ with an empty' \ '$$(distuninstallcheck_dir)' >&2; \ exit 1; \ }; \ $(am__cd) '$(distuninstallcheck_dir)' || { \ echo 'ERROR: cannot chdir into $(distuninstallcheck_dir)' >&2; \ exit 1; \ }; \ test `$(am__distuninstallcheck_listfiles) | wc -l` -eq 0 \ || { echo "ERROR: files left after uninstall:" ; \ if test -n "$(DESTDIR)"; then \ echo " (check DESTDIR support)"; \ fi ; \ $(distuninstallcheck_listfiles) ; \ exit 1; } >&2 distcleancheck: distclean @if test '$(srcdir)' = . ; then \ echo "ERROR: distcleancheck can only run from a VPATH build" ; \ exit 1 ; \ fi @test `$(distcleancheck_listfiles) | wc -l` -eq 0 \ || { echo "ERROR: files left in build directory after distclean:" ; \ $(distcleancheck_listfiles) ; \ exit 1; } >&2 check-am: all-am check: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) check-recursive all-am: Makefile $(DATA) $(HEADERS) config.h installdirs: installdirs-recursive installdirs-am: for dir in "$(DESTDIR)$(docdir)" "$(DESTDIR)$(rootdir)"; do \ test -z "$$dir" || $(MKDIR_P) "$$dir"; \ done install: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) install-recursive install-exec: install-exec-recursive install-data: install-data-recursive uninstall: uninstall-recursive install-am: all-am @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am installcheck: installcheck-recursive install-strip: if test -z '$(STRIP)'; then \ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ install; \ else \ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ fi mostlyclean-generic: clean-generic: -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @echo "it deletes files that may require special tools to rebuild." -test -z "$(BUILT_SOURCES)" || rm -f $(BUILT_SOURCES) -test -z "$(MAINTAINERCLEANFILES)" || rm -f $(MAINTAINERCLEANFILES) clean: clean-recursive clean-am: clean-generic clean-libtool mostlyclean-am distclean: distclean-recursive -rm -f $(am__CONFIG_DISTCLEAN_FILES) -rm -f Makefile distclean-am: clean-am distclean-generic distclean-hdr \ distclean-libtool distclean-tags dvi: dvi-recursive dvi-am: html: html-recursive html-am: info: info-recursive info-am: install-data-am: install-dist_docDATA install-rootDATA install-dvi: install-dvi-recursive install-dvi-am: install-exec-am: install-html: install-html-recursive install-html-am: install-info: install-info-recursive install-info-am: install-man: install-pdf: install-pdf-recursive install-pdf-am: install-ps: install-ps-recursive install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-recursive -rm -f $(am__CONFIG_DISTCLEAN_FILES) -rm -rf $(top_srcdir)/autom4te.cache -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic mostlyclean: mostlyclean-recursive mostlyclean-am: mostlyclean-generic mostlyclean-libtool pdf: pdf-recursive pdf-am: ps: ps-recursive ps-am: uninstall-am: uninstall-dist_docDATA uninstall-rootDATA .MAKE: $(am__recursive_targets) all check install install-am \ install-strip .PHONY: $(am__recursive_targets) CTAGS GTAGS TAGS all all-am \ am--refresh check check-am clean clean-cscope clean-generic \ clean-libtool cscope cscopelist-am ctags ctags-am dist \ dist-all dist-bzip2 dist-gzip dist-lzip dist-shar dist-tarZ \ dist-xz dist-zip distcheck distclean distclean-generic \ distclean-hdr distclean-libtool distclean-tags distcleancheck \ distdir distuninstallcheck dvi dvi-am html html-am info \ info-am install install-am install-data install-data-am \ install-dist_docDATA install-dvi install-dvi-am install-exec \ install-exec-am install-html install-html-am install-info \ install-info-am install-man install-pdf install-pdf-am \ install-ps install-ps-am install-rootDATA install-strip \ installcheck installcheck-am installdirs installdirs-am \ maintainer-clean maintainer-clean-generic mostlyclean \ mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ tags tags-am uninstall uninstall-am uninstall-dist_docDATA \ uninstall-rootDATA .PHONY: config-version.h config-version.h: @CONFIGURE_GIT_CHFILES="`GIT_DIR=\"$(top_srcdir)/.git\" $(GIT) diff-files --name-status -r --ignore-submodules --quiet -- || echo \"+\"`"; \ CONFIGURE_GIT_UNCOMMITTED="`GIT_DIR=\"$(top_srcdir)/.git\" $(GIT) diff-index --cached --quiet --ignore-submodules HEAD || echo \"*\"`"; \ CONFIGURE_GIT_REVISION="`GIT_DIR=\"$(top_srcdir)/.git\" $(GIT) rev-parse --symbolic-full-name HEAD | cut -d/ -f3-`/`GIT_DIR=\"$(top_srcdir)/.git\" $(GIT) rev-parse --short=16 HEAD`"; \ echo "#define CONFIGURE_GIT_REVISION \"$${CONFIGURE_GIT_REVISION}\"" > config-version.h.tmp; \ echo "#define CONFIGURE_GIT_FLAGS \"$${CONFIGURE_GIT_CHFILES}$${CONFIGURE_GIT_UNCOMMITTED}\"" >> config-version.h.tmp @if ! [ -f config-version.h ] || ! cmp -s config-version.h.tmp config-version.h; then \ echo "replacing config-version.h"; \ mv config-version.h.tmp config-version.h; \ else \ rm -f config-version.h.tmp; \ fi # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: openvpn-2.4.4/NEWS000066400000000000000000000000001316434344000136750ustar00rootroot00000000000000openvpn-2.4.4/PORTS000066400000000000000000000074151316434344000140510ustar00rootroot00000000000000OpenVPN Copyright (C) 2002-2017 OpenVPN Technologies, Inc. OpenVPN has been written to try to avoid features that are not standardized well across different OSes, so porting OpenVPN itself will probably be straightforward if a tun or tap driver already exists. Where special OS features are used, they are usually bracketed with #ifdef HAVE_SOME_FUNCTION. PLATFORM STATUS: * Linux 2.2+ (supported) * Solaris (supported) * OpenBSD 3.0 (supported but pthreads are broken) * Max OS X Darwin * FreeBSD * NetBSD * Windows * 64 bit platforms -- I have heard reports that OpenVPN runs on Alpha Linux and FreeBSD. * ARM -- I have heard of at least one case where OpenVPN was successfully built and run on the ARM architecture. PORTING NOTES: * Make sure that OpenSSL will build on your platform. * Make sure that a tun or tap virtual device driver exists for your platform. See http://vtun.sourceforge.net/tun/ for examples of tun and tap drivers that have been written for Linux, Solaris, and FreeBSD. * Make sure you have autoconf 2.50+ and automake 1.6+. * Edit configure.ac, adding platform specific config code, and a TARGET_YOUROS define. * Add platform-specific includes to syshead.h. * Add an #ifdef TARGET_YOUROS to the do_ifconfig() function in tun.c to generate a correct "ifconfig" command for your platform. Note that OpenVPN determines the ifconfig path at ./configure time. * Add an ifconfig_order() variant for your OS so openvpn knows whether to call ifconfig before or after tun/tap dev open. * Add an #ifdef TARGET_YOUROS block in tun.c and define the open_tun, close_tun, read_tun, and write_tun functions. If your tun/tap virtual device is sufficiently generic, you may be able to use the default case. * Add appropriate code to route.c to handle the route command on your platform. This is necessary for the --route option to work correctly. * After you successfully build OpenVPN, run the loopback tests as described in INSTALL. * For the next test, confirm that the UDP socket functionality is working independently of the tun device, by doing something like: ./openvpn --remote localhost --verb 9 --ping 1 --dev null * Now try with --remote [a real host] * Now try with a real tun/tap device, you will need to figure out the appropriate ifconfig command to use once openvpn has opened the tun/tap device. * Once you have simple tests working on the tun device, try more complex tests such as using TLS mode. * Stress test the link by doing ping -f across it. * Make sure that packet fragmenting is happening correctly by doing a ping -s 2000 or higher. * Ensure that OpenVPN on your platform will talk to OpenVPN on other platforms such as Linux. Some tun/tap driver implementations will prepend unnecessary stuff onto the datagram that must be disabled with an explicit ioctl call if cross-platform compatibility is to be preserved. You can see some examples of this in tun.c. * If your system supports pthreads, try building with ./configure --enable-pthread and do a stress test in TLS mode. * Try the ultimate stress test which is --gremlin --reneg-sec 10 in TLS mode (preferably with pthreads enabled), then do a flood ping across the tunnel (ping -f remote-endpoint) in both directions and let it run overnight. --gremlin will induce massive corruption and packet loss, but you win if you wake up the next morning and both peers are still running and occasionally even succeeding in their attempted once-per-10-seconds TLS handshake. * When it's working, submit your patch to and rejoice :) openvpn-2.4.4/README000066400000000000000000000042111316434344000140660ustar00rootroot00000000000000OpenVPN -- A Secure tunneling daemon Copyright (C) 2002-2010 OpenVPN Technologies, Inc. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License version 2 as published by the Free Software Foundation. ************************************************************************* To get the latest release of OpenVPN, go to: https://openvpn.net/index.php/download/community-downloads.html To Build and Install, tar -zxf openvpn-.tar.gz cd openvpn- ./configure make make install or see the file INSTALL for more info. ************************************************************************* For detailed information on OpenVPN, including examples, see the man page http://openvpn.net/man.html For a sample VPN configuration, see http://openvpn.net/howto.html To report an issue, see https://community.openvpn.net/openvpn/report For a description of OpenVPN's underlying protocol, see the file ssl.h included in the source distribution. ************************************************************************* Other Files & Directories: * configure.ac -- script to rebuild our configure script and makefile. * sample/sample-scripts/verify-cn A sample perl script which can be used with OpenVPN's --tls-verify option to provide a customized authentication test on embedded X509 certificate fields. * sample/sample-keys/ Sample RSA keys and certificates. DON'T USE THESE FILES FOR ANYTHING OTHER THAN TESTING BECAUSE THEY ARE TOTALLY INSECURE. * sample/sample-config-files/ A collection of OpenVPN config files and scripts from the HOWTO at http://openvpn.net/howto.html ************************************************************************* Note that easy-rsa and tap-windows are now maintained in their own subprojects. Their source code is available here: https://github.com/OpenVPN/easy-rsa https://github.com/OpenVPN/tap-windows The old cross-compilation environment (domake-win) and the Python-based buildsystem have been replaced with openvpn-build: https://github.com/OpenVPN/openvpn-build See the INSTALL file for usage information. openvpn-2.4.4/README.IPv6000066400000000000000000000034551316434344000146620ustar00rootroot00000000000000Since 2.3.0, OpenVPN officially supports IPv6, and all widely used patches floating around for older versions have been integrated. IPv6 payload support -------------------- This is for "IPv6 inside OpenVPN", with server-pushed IPv6 configuration on the client, and support for IPv6 configuration on the tun/tap interface from within the openvpn config. The code in 2.3.0 supersedes the IPv6 payload patches from Gert Doering, formerly located at http://www.greenie.net/ipv6/openvpn.html The following options have been added to handle IPv6 configuration, analogous to their IPv4 counterparts (--server <-> --server-ipv6, etc.) - server-ipv6 - ifconfig-ipv6 - ifconfig-ipv6-pool - ifconfig-ipv6-push - route-ipv6 - iroute-ipv6 see "man openvpn" for details how they are used. IPv6 transport support ---------------------- This is to enable OpenVPN peers or client/servers to talk to each other over an IPv6 network ("OpenVPN over IPv6"). The code in 2.3.0 supersedes the IPv6 transport patches from JuanJo Ciarlante, formerly located at http://github.com/jjo/openvpn-ipv6 OpenVPN 2.4.0 includes a big overhaul of the IPv6 transport patches originally implemented for the Android client (ics-openvpn) IPv4/IPv6 transport is automatically is selected when resolving addresses. Use a 6 or 4 suffix to force IPv6/IPv4: --proto udp6 --proto tcp4 --proto tcp6-client --proto tcp4-server --proto tcp6 --client / --proto tcp6 --server On systems that allow IPv4 connections on IPv6 sockets (all systems supporting IPV6_V6ONLY setsockopt), an OpenVPN server can handle IPv4 connections on the IPv6 socket as well, making it a true dual-stacked server. Use bind ipv6only to disable this behaviour. On other systems, as of 2.3.0, you need to run separate server instances for IPv4 and IPv6. openvpn-2.4.4/README.mbedtls000066400000000000000000000014241316434344000155220ustar00rootroot00000000000000This version of OpenVPN has mbed TLS support. To enable follow the following instructions: To Build and Install, ./configure --with-crypto-library=mbedtls make make install This version depends on mbed TLS 2.0 (and requires at least 2.0.0). ************************************************************************* Due to limitations in the mbed TLS library, the following features are missing in the mbed TLS version of OpenVPN: * PKCS#12 file support * --capath support - Loading certificate authorities from a directory * Windows CryptoAPI support * X.509 alternative username fields (must be "CN") Plugin/Script features: * X.509 subject line has a different format than the OpenSSL subject line * X.509 certificate export does not work * X.509 certificate tracking openvpn-2.4.4/TODO.IPv6000066400000000000000000000170151316434344000144670ustar00rootroot00000000000000TODO for IPv6 payload support ----------------------------- 1.) "--topology subnet" doesn't work together with IPv6 payload on FreeBSD (verified for FreeBSD server, Linux/ifconfig client, problems with ICMP6 neighbor solicitations from BSD not being answered by Linux) * 2012-01-22 fixed in platform cleanup, commit 62c613d46dc495d74 2.) NetBSD IPv6 support doesn't work ("connected" route is not auto-created, "route-ipv6" adding fails) * fixed, 3.1.10 * 3.) route deletion for IPv6 routes is not yet done * fixed for configured routes, 3.1.10 * * missing for manual-ifconfig-connected (NetBSD, Darwin, Win32) * 2012-06-10 - fixed somewhere in 2010 4.) do "ifconfig tun0 inet6 unplumb" or "ifconfig tun0 destroy" for Solaris, *BSD, ... at program termination time, to clean up leftovers (unless tunnel persistance is desired). For Solaris, only the "ipv6 tun0" is affected, for the *BSDs all tun0 stay around. * 2012-06-10 - fixed in individual platform cleanups early-2012 4a.) deconfigure IPv6 on tun interface on session termination, otherwise one could end up with something like this (on NetBSD): tun0: flags=8051 mtu 1500 inet 10.9.0.18 -> 10.9.0.17 netmask 0xffffffff inet6 fe80::a00:20ff:fece:d299%tun0 -> prefixlen 64 scopeid 0x3 inet6 2001:608:4:eff::2000:3 -> prefixlen 64 inet6 2001:608:4:eff::1:3 -> prefixlen 64 (pool was changed, previous address still active on tun0, breakage) * semi-fixed for NetBSD, 28.2.10, always do tun0 destroy / tun0 create before actual ifconfig -- tunnel still lingers after OpenVPN quits * 2011-09-16 fixed in platform cleanup, commit 8ca19c014c149cf69 4b.) verify this - on FreeBSD, tun0 is auto-destroyed if created by opening /dev/tun (and lingers if created by "ifconfig tun0 create") -> use for persistant tunnels on not-linux? * 2012-06-10 tun interface behaviour is documented in "man tun(4)" 5.) add new option "ifconfig-ipv6-push" (per-client static IPv6 assignment, -> radiusplugin, etc) * implemented, 14.1.10 * 6.) add new option "route-ipv6-gateway" * 2012-06-09 - decided there is no current need (but fairly trivial) 7.) add "full" gateway handling for IPv6 in route.c (right now, the routes are just sent down the tun interface, if the operating system in questions supports that, without care for the gateway address - which does not work for gateways that are supposed to point elsewhere. Also, it doesn't work for TAP interfaces. * 2012-06-09 use "dev tun" for tun devices, "via $gateway" for tap (and purposely do not support off-link routes) 8.) full IPv6 support for TAP interfaces (main issue should be routes+gateway - and testing :-) ) test 2010/09/24: TAP itself works on linux/ifconfig+iproute2, but route-via-tap doesn't work at all (route points to "tap0" which fails) 17:51:14.075412 fe:ab:6e:c5:53:71 > 33:33:ff:00:00:01, ethertype IPv6 (0x86dd), length 86: 2001:608:4:a053::1:0 > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has 2001:608:4:a001::1, length 32 * 2012-06-09 missing gateway support implemented 8a.) how is iroute-via-tap supposed to work?? * 2012-06-10 - answer: not at all, OpenVPN doesn't do "iroute" in tap mode - set up "route-ipv6" with gateway address = individual client's tap0 address to get the per-client routes 9.) verify that iroute-ipv6 and route-ipv6 interact in the same way as documented for iroute/route: A's subnet, OpenVPN must push this route to all clients EXCEPT for A, since the subnet is already owned by A. OpenVPN accomplishes this by not not pushing a route to a client if it matches one of the client's iroutes. 10.) extend "ifconfig-ipv6" to handle specification of /netbits, pushing of /netbits, and correctly ifconfig'ing this (default, if not specified: /64) * done * 2012-02-03 11.) do not add ipv6-routes if tun-ipv6 is not set - complain instead * done * 12.1.10 12.) handle incoming [::] and [fe80:...] packets in tun-p2mp MULTI mode (most likely those are DAD packets) silently ignore DAD? Or accept-and-forward iff (multicast && client2client)? handle NS/NA 13.) from Martin List-Petersen: One thing, and I guess this requires modifications in network-manager-openvpn: It also works, BUT ignores "push route-ipv6-gateway" and "push route-ipv6 ...." (obviously routes pushed from the server) entirely. 14.) from ##openvpn-discussion: new features should be #ifdef'ed (check whether this is feasible at all) 15.) IPv6 related environment variables - document all of them in openvpn.8 - make sure that all existing IPv4 stuff has IPv6 counterparts 16.) OpenBSD - implement ifconfig/route for IPv6 - revert ifconfig/open_tun order to "normal" (separate commit!!!) (openvpn-devel, Subject: OpenBSD) - test * 2012-02-05 platform cleanup, commit 82d4e12068774b0a6ca 17.) client-option (Elwood) - ignore-v6-push-options yes/no - ignore-v6-route-push ("as for IPv4 routes") 18.) fail-save? "what if 'ip -6 addr add' fails" -> fail, or fallback to v4? (-> recomment setting "ignore-v6-push-options yes") 19.) safety check: if connecting over IPv6 (v6 transport) and the pushed route-ipv6 network encompasses the server IPv6 address, make sure we at least log a warning (until we can fiddle with external routing to make this work correctly). 20.) show "route add" / "route delete" commands for IPv6 in log file (we show the "ifconfig" commands, so why not the routes?) 2010-08-07: this is a null-feature - it's already there, but with different debug level (M_INFO vs. D_ROUTE) so user didn't notice 21.) enable ipv6-only server operations - decouple ipv6 pool handling from ipv4 pool - make sure Rest of OpenVPN doesn't assume "there will always be IPv4" 22.) implement --learn-address for IPv6 23.) FreeBSD 8 seems to require explicit setting of the "ifconfig" IPv6 route, while FreeBSD 6+7 don't --> more testing, and code fix workaround for the time being: just add server-ipv6 2001:608:4:a051::/64 route-ipv6 2001:608:4:a051::/64 to the config (problem + workaround applies both to tun and tap style devices) * 2012-06-09 - this got fixed in one of the platform cleanups TODO for IPv6 transport support ------------------------------- [ Last updated: 2014-01-03. ] * All platforms: o mgmt console: as currently passes straight in_addr_t bits around o make possible to get AF from getaddrinfo() answer, ie allow openvpn to use ipv4/6 if DNS returns A/AAAA without specifying protocol. Hard: requires deep changes in initialization/calling logic - Done by dual stack patches o use AI_PASSIVE - Done by dual stack patches o the getaddr()/getaddr6() interface is not prepared for handling socktype "tagging", currently I abuse the sockflags bits for getting the ai_socktype downstream. - Still done by flags, seems clean enough. o implement comparison for mapped addesses: server in dual stack listening IPv6 must permit incoming streams from allowed IPv4 peer, currently you need to pass eg: --remote ffff::1.2.3.4 - OpenVPN will compare all address of a remote but will still fail on mapped addresses * win32: o find out about mapped addresses, as I can't make it work with bound at ::1 and connect to 127.0.0.1 - Should be fixed by 8832c6c - "Implement listing on IPv4/IPv6 dual socket on all platform" openvpn-2.4.4/aclocal.m4000066400000000000000000001222771316434344000150630ustar00rootroot00000000000000# generated automatically by aclocal 1.14.1 -*- Autoconf -*- # Copyright (C) 1996-2013 Free Software Foundation, Inc. # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY, to the extent permitted by law; without # even the implied warranty of MERCHANTABILITY or FITNESS FOR A # PARTICULAR PURPOSE. m4_ifndef([AC_CONFIG_MACRO_DIRS], [m4_defun([_AM_CONFIG_MACRO_DIRS], [])m4_defun([AC_CONFIG_MACRO_DIRS], [_AM_CONFIG_MACRO_DIRS($@)])]) m4_ifndef([AC_AUTOCONF_VERSION], [m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl m4_if(m4_defn([AC_AUTOCONF_VERSION]), [2.69],, [m4_warning([this file was generated for autoconf 2.69. You have another version of autoconf. It may work, but is not guaranteed to. If you have problems, you may need to regenerate the build system entirely. To do so, use the procedure documented by the package, typically 'autoreconf'.])]) # Copyright (C) 2002-2013 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. # AM_AUTOMAKE_VERSION(VERSION) # ---------------------------- # Automake X.Y traces this macro to ensure aclocal.m4 has been # generated from the m4 files accompanying Automake X.Y. # (This private macro should not be called outside this file.) AC_DEFUN([AM_AUTOMAKE_VERSION], [am__api_version='1.14' dnl Some users find AM_AUTOMAKE_VERSION and mistake it for a way to dnl require some minimum version. Point them to the right macro. m4_if([$1], [1.14.1], [], [AC_FATAL([Do not call $0, use AM_INIT_AUTOMAKE([$1]).])])dnl ]) # _AM_AUTOCONF_VERSION(VERSION) # ----------------------------- # aclocal traces this macro to find the Autoconf version. # This is a private macro too. Using m4_define simplifies # the logic in aclocal, which can simply ignore this definition. m4_define([_AM_AUTOCONF_VERSION], []) # AM_SET_CURRENT_AUTOMAKE_VERSION # ------------------------------- # Call AM_AUTOMAKE_VERSION and AM_AUTOMAKE_VERSION so they can be traced. # This function is AC_REQUIREd by AM_INIT_AUTOMAKE. AC_DEFUN([AM_SET_CURRENT_AUTOMAKE_VERSION], [AM_AUTOMAKE_VERSION([1.14.1])dnl m4_ifndef([AC_AUTOCONF_VERSION], [m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl _AM_AUTOCONF_VERSION(m4_defn([AC_AUTOCONF_VERSION]))]) # AM_AUX_DIR_EXPAND -*- Autoconf -*- # Copyright (C) 2001-2013 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. # For projects using AC_CONFIG_AUX_DIR([foo]), Autoconf sets # $ac_aux_dir to '$srcdir/foo'. In other projects, it is set to # '$srcdir', '$srcdir/..', or '$srcdir/../..'. # # Of course, Automake must honor this variable whenever it calls a # tool from the auxiliary directory. The problem is that $srcdir (and # therefore $ac_aux_dir as well) can be either absolute or relative, # depending on how configure is run. This is pretty annoying, since # it makes $ac_aux_dir quite unusable in subdirectories: in the top # source directory, any form will work fine, but in subdirectories a # relative path needs to be adjusted first. # # $ac_aux_dir/missing # fails when called from a subdirectory if $ac_aux_dir is relative # $top_srcdir/$ac_aux_dir/missing # fails if $ac_aux_dir is absolute, # fails when called from a subdirectory in a VPATH build with # a relative $ac_aux_dir # # The reason of the latter failure is that $top_srcdir and $ac_aux_dir # are both prefixed by $srcdir. In an in-source build this is usually # harmless because $srcdir is '.', but things will broke when you # start a VPATH build or use an absolute $srcdir. # # So we could use something similar to $top_srcdir/$ac_aux_dir/missing, # iff we strip the leading $srcdir from $ac_aux_dir. That would be: # am_aux_dir='\$(top_srcdir)/'`expr "$ac_aux_dir" : "$srcdir//*\(.*\)"` # and then we would define $MISSING as # MISSING="\${SHELL} $am_aux_dir/missing" # This will work as long as MISSING is not called from configure, because # unfortunately $(top_srcdir) has no meaning in configure. # However there are other variables, like CC, which are often used in # configure, and could therefore not use this "fixed" $ac_aux_dir. # # Another solution, used here, is to always expand $ac_aux_dir to an # absolute PATH. The drawback is that using absolute paths prevent a # configured tree to be moved without reconfiguration. AC_DEFUN([AM_AUX_DIR_EXPAND], [AC_REQUIRE([AC_CONFIG_AUX_DIR_DEFAULT])dnl # Expand $ac_aux_dir to an absolute path. am_aux_dir=`cd "$ac_aux_dir" && pwd` ]) # AM_CONDITIONAL -*- Autoconf -*- # Copyright (C) 1997-2013 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. # AM_CONDITIONAL(NAME, SHELL-CONDITION) # ------------------------------------- # Define a conditional. AC_DEFUN([AM_CONDITIONAL], [AC_PREREQ([2.52])dnl m4_if([$1], [TRUE], [AC_FATAL([$0: invalid condition: $1])], [$1], [FALSE], [AC_FATAL([$0: invalid condition: $1])])dnl AC_SUBST([$1_TRUE])dnl AC_SUBST([$1_FALSE])dnl _AM_SUBST_NOTMAKE([$1_TRUE])dnl _AM_SUBST_NOTMAKE([$1_FALSE])dnl m4_define([_AM_COND_VALUE_$1], [$2])dnl if $2; then $1_TRUE= $1_FALSE='#' else $1_TRUE='#' $1_FALSE= fi AC_CONFIG_COMMANDS_PRE( [if test -z "${$1_TRUE}" && test -z "${$1_FALSE}"; then AC_MSG_ERROR([[conditional "$1" was never defined. Usually this means the macro was only invoked conditionally.]]) fi])]) # Copyright (C) 1999-2013 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. # There are a few dirty hacks below to avoid letting 'AC_PROG_CC' be # written in clear, in which case automake, when reading aclocal.m4, # will think it sees a *use*, and therefore will trigger all it's # C support machinery. Also note that it means that autoscan, seeing # CC etc. in the Makefile, will ask for an AC_PROG_CC use... # _AM_DEPENDENCIES(NAME) # ---------------------- # See how the compiler implements dependency checking. # NAME is "CC", "CXX", "OBJC", "OBJCXX", "UPC", or "GJC". # We try a few techniques and use that to set a single cache variable. # # We don't AC_REQUIRE the corresponding AC_PROG_CC since the latter was # modified to invoke _AM_DEPENDENCIES(CC); we would have a circular # dependency, and given that the user is not expected to run this macro, # just rely on AC_PROG_CC. AC_DEFUN([_AM_DEPENDENCIES], [AC_REQUIRE([AM_SET_DEPDIR])dnl AC_REQUIRE([AM_OUTPUT_DEPENDENCY_COMMANDS])dnl AC_REQUIRE([AM_MAKE_INCLUDE])dnl AC_REQUIRE([AM_DEP_TRACK])dnl m4_if([$1], [CC], [depcc="$CC" am_compiler_list=], [$1], [CXX], [depcc="$CXX" am_compiler_list=], [$1], [OBJC], [depcc="$OBJC" am_compiler_list='gcc3 gcc'], [$1], [OBJCXX], [depcc="$OBJCXX" am_compiler_list='gcc3 gcc'], [$1], [UPC], [depcc="$UPC" am_compiler_list=], [$1], [GCJ], [depcc="$GCJ" am_compiler_list='gcc3 gcc'], [depcc="$$1" am_compiler_list=]) AC_CACHE_CHECK([dependency style of $depcc], [am_cv_$1_dependencies_compiler_type], [if test -z "$AMDEP_TRUE" && test -f "$am_depcomp"; then # We make a subdir and do the tests there. Otherwise we can end up # making bogus files that we don't know about and never remove. For # instance it was reported that on HP-UX the gcc test will end up # making a dummy file named 'D' -- because '-MD' means "put the output # in D". rm -rf conftest.dir mkdir conftest.dir # Copy depcomp to subdir because otherwise we won't find it if we're # using a relative directory. cp "$am_depcomp" conftest.dir cd conftest.dir # We will build objects and dependencies in a subdirectory because # it helps to detect inapplicable dependency modes. For instance # both Tru64's cc and ICC support -MD to output dependencies as a # side effect of compilation, but ICC will put the dependencies in # the current directory while Tru64 will put them in the object # directory. mkdir sub am_cv_$1_dependencies_compiler_type=none if test "$am_compiler_list" = ""; then am_compiler_list=`sed -n ['s/^#*\([a-zA-Z0-9]*\))$/\1/p'] < ./depcomp` fi am__universal=false m4_case([$1], [CC], [case " $depcc " in #( *\ -arch\ *\ -arch\ *) am__universal=true ;; esac], [CXX], [case " $depcc " in #( *\ -arch\ *\ -arch\ *) am__universal=true ;; esac]) for depmode in $am_compiler_list; do # Setup a source with many dependencies, because some compilers # like to wrap large dependency lists on column 80 (with \), and # we should not choose a depcomp mode which is confused by this. # # We need to recreate these files for each test, as the compiler may # overwrite some of them when testing with obscure command lines. # This happens at least with the AIX C compiler. : > sub/conftest.c for i in 1 2 3 4 5 6; do echo '#include "conftst'$i'.h"' >> sub/conftest.c # Using ": > sub/conftst$i.h" creates only sub/conftst1.h with # Solaris 10 /bin/sh. echo '/* dummy */' > sub/conftst$i.h done echo "${am__include} ${am__quote}sub/conftest.Po${am__quote}" > confmf # We check with '-c' and '-o' for the sake of the "dashmstdout" # mode. It turns out that the SunPro C++ compiler does not properly # handle '-M -o', and we need to detect this. Also, some Intel # versions had trouble with output in subdirs. am__obj=sub/conftest.${OBJEXT-o} am__minus_obj="-o $am__obj" case $depmode in gcc) # This depmode causes a compiler race in universal mode. test "$am__universal" = false || continue ;; nosideeffect) # After this tag, mechanisms are not by side-effect, so they'll # only be used when explicitly requested. if test "x$enable_dependency_tracking" = xyes; then continue else break fi ;; msvc7 | msvc7msys | msvisualcpp | msvcmsys) # This compiler won't grok '-c -o', but also, the minuso test has # not run yet. These depmodes are late enough in the game, and # so weak that their functioning should not be impacted. am__obj=conftest.${OBJEXT-o} am__minus_obj= ;; none) break ;; esac if depmode=$depmode \ source=sub/conftest.c object=$am__obj \ depfile=sub/conftest.Po tmpdepfile=sub/conftest.TPo \ $SHELL ./depcomp $depcc -c $am__minus_obj sub/conftest.c \ >/dev/null 2>conftest.err && grep sub/conftst1.h sub/conftest.Po > /dev/null 2>&1 && grep sub/conftst6.h sub/conftest.Po > /dev/null 2>&1 && grep $am__obj sub/conftest.Po > /dev/null 2>&1 && ${MAKE-make} -s -f confmf > /dev/null 2>&1; then # icc doesn't choke on unknown options, it will just issue warnings # or remarks (even with -Werror). So we grep stderr for any message # that says an option was ignored or not supported. # When given -MP, icc 7.0 and 7.1 complain thusly: # icc: Command line warning: ignoring option '-M'; no argument required # The diagnosis changed in icc 8.0: # icc: Command line remark: option '-MP' not supported if (grep 'ignoring option' conftest.err || grep 'not supported' conftest.err) >/dev/null 2>&1; then :; else am_cv_$1_dependencies_compiler_type=$depmode break fi fi done cd .. rm -rf conftest.dir else am_cv_$1_dependencies_compiler_type=none fi ]) AC_SUBST([$1DEPMODE], [depmode=$am_cv_$1_dependencies_compiler_type]) AM_CONDITIONAL([am__fastdep$1], [ test "x$enable_dependency_tracking" != xno \ && test "$am_cv_$1_dependencies_compiler_type" = gcc3]) ]) # AM_SET_DEPDIR # ------------- # Choose a directory name for dependency files. # This macro is AC_REQUIREd in _AM_DEPENDENCIES. AC_DEFUN([AM_SET_DEPDIR], [AC_REQUIRE([AM_SET_LEADING_DOT])dnl AC_SUBST([DEPDIR], ["${am__leading_dot}deps"])dnl ]) # AM_DEP_TRACK # ------------ AC_DEFUN([AM_DEP_TRACK], [AC_ARG_ENABLE([dependency-tracking], [dnl AS_HELP_STRING( [--enable-dependency-tracking], [do not reject slow dependency extractors]) AS_HELP_STRING( [--disable-dependency-tracking], [speeds up one-time build])]) if test "x$enable_dependency_tracking" != xno; then am_depcomp="$ac_aux_dir/depcomp" AMDEPBACKSLASH='\' am__nodep='_no' fi AM_CONDITIONAL([AMDEP], [test "x$enable_dependency_tracking" != xno]) AC_SUBST([AMDEPBACKSLASH])dnl _AM_SUBST_NOTMAKE([AMDEPBACKSLASH])dnl AC_SUBST([am__nodep])dnl _AM_SUBST_NOTMAKE([am__nodep])dnl ]) # Generate code to set up dependency tracking. -*- Autoconf -*- # Copyright (C) 1999-2013 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. # _AM_OUTPUT_DEPENDENCY_COMMANDS # ------------------------------ AC_DEFUN([_AM_OUTPUT_DEPENDENCY_COMMANDS], [{ # Older Autoconf quotes --file arguments for eval, but not when files # are listed without --file. Let's play safe and only enable the eval # if we detect the quoting. case $CONFIG_FILES in *\'*) eval set x "$CONFIG_FILES" ;; *) set x $CONFIG_FILES ;; esac shift for mf do # Strip MF so we end up with the name of the file. mf=`echo "$mf" | sed -e 's/:.*$//'` # Check whether this is an Automake generated Makefile or not. # We used to match only the files named 'Makefile.in', but # some people rename them; so instead we look at the file content. # Grep'ing the first line is not enough: some people post-process # each Makefile.in and add a new line on top of each file to say so. # Grep'ing the whole file is not good either: AIX grep has a line # limit of 2048, but all sed's we know have understand at least 4000. if sed -n 's,^#.*generated by automake.*,X,p' "$mf" | grep X >/dev/null 2>&1; then dirpart=`AS_DIRNAME("$mf")` else continue fi # Extract the definition of DEPDIR, am__include, and am__quote # from the Makefile without running 'make'. DEPDIR=`sed -n 's/^DEPDIR = //p' < "$mf"` test -z "$DEPDIR" && continue am__include=`sed -n 's/^am__include = //p' < "$mf"` test -z "$am__include" && continue am__quote=`sed -n 's/^am__quote = //p' < "$mf"` # Find all dependency output files, they are included files with # $(DEPDIR) in their names. We invoke sed twice because it is the # simplest approach to changing $(DEPDIR) to its actual value in the # expansion. for file in `sed -n " s/^$am__include $am__quote\(.*(DEPDIR).*\)$am__quote"'$/\1/p' <"$mf" | \ sed -e 's/\$(DEPDIR)/'"$DEPDIR"'/g'`; do # Make sure the directory exists. test -f "$dirpart/$file" && continue fdir=`AS_DIRNAME(["$file"])` AS_MKDIR_P([$dirpart/$fdir]) # echo "creating $dirpart/$file" echo '# dummy' > "$dirpart/$file" done done } ])# _AM_OUTPUT_DEPENDENCY_COMMANDS # AM_OUTPUT_DEPENDENCY_COMMANDS # ----------------------------- # This macro should only be invoked once -- use via AC_REQUIRE. # # This code is only required when automatic dependency tracking # is enabled. FIXME. This creates each '.P' file that we will # need in order to bootstrap the dependency handling code. AC_DEFUN([AM_OUTPUT_DEPENDENCY_COMMANDS], [AC_CONFIG_COMMANDS([depfiles], [test x"$AMDEP_TRUE" != x"" || _AM_OUTPUT_DEPENDENCY_COMMANDS], [AMDEP_TRUE="$AMDEP_TRUE" ac_aux_dir="$ac_aux_dir"]) ]) # Do all the work for Automake. -*- Autoconf -*- # Copyright (C) 1996-2013 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. # This macro actually does too much. Some checks are only needed if # your package does certain things. But this isn't really a big deal. dnl Redefine AC_PROG_CC to automatically invoke _AM_PROG_CC_C_O. m4_define([AC_PROG_CC], m4_defn([AC_PROG_CC]) [_AM_PROG_CC_C_O ]) # AM_INIT_AUTOMAKE(PACKAGE, VERSION, [NO-DEFINE]) # AM_INIT_AUTOMAKE([OPTIONS]) # ----------------------------------------------- # The call with PACKAGE and VERSION arguments is the old style # call (pre autoconf-2.50), which is being phased out. PACKAGE # and VERSION should now be passed to AC_INIT and removed from # the call to AM_INIT_AUTOMAKE. # We support both call styles for the transition. After # the next Automake release, Autoconf can make the AC_INIT # arguments mandatory, and then we can depend on a new Autoconf # release and drop the old call support. AC_DEFUN([AM_INIT_AUTOMAKE], [AC_PREREQ([2.65])dnl dnl Autoconf wants to disallow AM_ names. We explicitly allow dnl the ones we care about. m4_pattern_allow([^AM_[A-Z]+FLAGS$])dnl AC_REQUIRE([AM_SET_CURRENT_AUTOMAKE_VERSION])dnl AC_REQUIRE([AC_PROG_INSTALL])dnl if test "`cd $srcdir && pwd`" != "`pwd`"; then # Use -I$(srcdir) only when $(srcdir) != ., so that make's output # is not polluted with repeated "-I." AC_SUBST([am__isrc], [' -I$(srcdir)'])_AM_SUBST_NOTMAKE([am__isrc])dnl # test to see if srcdir already configured if test -f $srcdir/config.status; then AC_MSG_ERROR([source directory already configured; run "make distclean" there first]) fi fi # test whether we have cygpath if test -z "$CYGPATH_W"; then if (cygpath --version) >/dev/null 2>/dev/null; then CYGPATH_W='cygpath -w' else CYGPATH_W=echo fi fi AC_SUBST([CYGPATH_W]) # Define the identity of the package. dnl Distinguish between old-style and new-style calls. m4_ifval([$2], [AC_DIAGNOSE([obsolete], [$0: two- and three-arguments forms are deprecated.]) m4_ifval([$3], [_AM_SET_OPTION([no-define])])dnl AC_SUBST([PACKAGE], [$1])dnl AC_SUBST([VERSION], [$2])], [_AM_SET_OPTIONS([$1])dnl dnl Diagnose old-style AC_INIT with new-style AM_AUTOMAKE_INIT. m4_if( m4_ifdef([AC_PACKAGE_NAME], [ok]):m4_ifdef([AC_PACKAGE_VERSION], [ok]), [ok:ok],, [m4_fatal([AC_INIT should be called with package and version arguments])])dnl AC_SUBST([PACKAGE], ['AC_PACKAGE_TARNAME'])dnl AC_SUBST([VERSION], ['AC_PACKAGE_VERSION'])])dnl _AM_IF_OPTION([no-define],, [AC_DEFINE_UNQUOTED([PACKAGE], ["$PACKAGE"], [Name of package]) AC_DEFINE_UNQUOTED([VERSION], ["$VERSION"], [Version number of package])])dnl # Some tools Automake needs. AC_REQUIRE([AM_SANITY_CHECK])dnl AC_REQUIRE([AC_ARG_PROGRAM])dnl AM_MISSING_PROG([ACLOCAL], [aclocal-${am__api_version}]) AM_MISSING_PROG([AUTOCONF], [autoconf]) AM_MISSING_PROG([AUTOMAKE], [automake-${am__api_version}]) AM_MISSING_PROG([AUTOHEADER], [autoheader]) AM_MISSING_PROG([MAKEINFO], [makeinfo]) AC_REQUIRE([AM_PROG_INSTALL_SH])dnl AC_REQUIRE([AM_PROG_INSTALL_STRIP])dnl AC_REQUIRE([AC_PROG_MKDIR_P])dnl # For better backward compatibility. To be removed once Automake 1.9.x # dies out for good. For more background, see: # # AC_SUBST([mkdir_p], ['$(MKDIR_P)']) # We need awk for the "check" target. The system "awk" is bad on # some platforms. AC_REQUIRE([AC_PROG_AWK])dnl AC_REQUIRE([AC_PROG_MAKE_SET])dnl AC_REQUIRE([AM_SET_LEADING_DOT])dnl _AM_IF_OPTION([tar-ustar], [_AM_PROG_TAR([ustar])], [_AM_IF_OPTION([tar-pax], [_AM_PROG_TAR([pax])], [_AM_PROG_TAR([v7])])]) _AM_IF_OPTION([no-dependencies],, [AC_PROVIDE_IFELSE([AC_PROG_CC], [_AM_DEPENDENCIES([CC])], [m4_define([AC_PROG_CC], m4_defn([AC_PROG_CC])[_AM_DEPENDENCIES([CC])])])dnl AC_PROVIDE_IFELSE([AC_PROG_CXX], [_AM_DEPENDENCIES([CXX])], [m4_define([AC_PROG_CXX], m4_defn([AC_PROG_CXX])[_AM_DEPENDENCIES([CXX])])])dnl AC_PROVIDE_IFELSE([AC_PROG_OBJC], [_AM_DEPENDENCIES([OBJC])], [m4_define([AC_PROG_OBJC], m4_defn([AC_PROG_OBJC])[_AM_DEPENDENCIES([OBJC])])])dnl AC_PROVIDE_IFELSE([AC_PROG_OBJCXX], [_AM_DEPENDENCIES([OBJCXX])], [m4_define([AC_PROG_OBJCXX], m4_defn([AC_PROG_OBJCXX])[_AM_DEPENDENCIES([OBJCXX])])])dnl ]) AC_REQUIRE([AM_SILENT_RULES])dnl dnl The testsuite driver may need to know about EXEEXT, so add the dnl 'am__EXEEXT' conditional if _AM_COMPILER_EXEEXT was seen. This dnl macro is hooked onto _AC_COMPILER_EXEEXT early, see below. AC_CONFIG_COMMANDS_PRE(dnl [m4_provide_if([_AM_COMPILER_EXEEXT], [AM_CONDITIONAL([am__EXEEXT], [test -n "$EXEEXT"])])])dnl # POSIX will say in a future version that running "rm -f" with no argument # is OK; and we want to be able to make that assumption in our Makefile # recipes. So use an aggressive probe to check that the usage we want is # actually supported "in the wild" to an acceptable degree. # See automake bug#10828. # To make any issue more visible, cause the running configure to be aborted # by default if the 'rm' program in use doesn't match our expectations; the # user can still override this though. if rm -f && rm -fr && rm -rf; then : OK; else cat >&2 <<'END' Oops! Your 'rm' program seems unable to run without file operands specified on the command line, even when the '-f' option is present. This is contrary to the behaviour of most rm programs out there, and not conforming with the upcoming POSIX standard: Please tell bug-automake@gnu.org about your system, including the value of your $PATH and any error possibly output before this message. This can help us improve future automake versions. END if test x"$ACCEPT_INFERIOR_RM_PROGRAM" = x"yes"; then echo 'Configuration will proceed anyway, since you have set the' >&2 echo 'ACCEPT_INFERIOR_RM_PROGRAM variable to "yes"' >&2 echo >&2 else cat >&2 <<'END' Aborting the configuration process, to ensure you take notice of the issue. You can download and install GNU coreutils to get an 'rm' implementation that behaves properly: . If you want to complete the configuration process using your problematic 'rm' anyway, export the environment variable ACCEPT_INFERIOR_RM_PROGRAM to "yes", and re-run configure. END AC_MSG_ERROR([Your 'rm' program is bad, sorry.]) fi fi ]) dnl Hook into '_AC_COMPILER_EXEEXT' early to learn its expansion. Do not dnl add the conditional right here, as _AC_COMPILER_EXEEXT may be further dnl mangled by Autoconf and run in a shell conditional statement. m4_define([_AC_COMPILER_EXEEXT], m4_defn([_AC_COMPILER_EXEEXT])[m4_provide([_AM_COMPILER_EXEEXT])]) # When config.status generates a header, we must update the stamp-h file. # This file resides in the same directory as the config header # that is generated. The stamp files are numbered to have different names. # Autoconf calls _AC_AM_CONFIG_HEADER_HOOK (when defined) in the # loop where config.status creates the headers, so we can generate # our stamp files there. AC_DEFUN([_AC_AM_CONFIG_HEADER_HOOK], [# Compute $1's index in $config_headers. _am_arg=$1 _am_stamp_count=1 for _am_header in $config_headers :; do case $_am_header in $_am_arg | $_am_arg:* ) break ;; * ) _am_stamp_count=`expr $_am_stamp_count + 1` ;; esac done echo "timestamp for $_am_arg" >`AS_DIRNAME(["$_am_arg"])`/stamp-h[]$_am_stamp_count]) # Copyright (C) 2001-2013 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. # AM_PROG_INSTALL_SH # ------------------ # Define $install_sh. AC_DEFUN([AM_PROG_INSTALL_SH], [AC_REQUIRE([AM_AUX_DIR_EXPAND])dnl if test x"${install_sh}" != xset; then case $am_aux_dir in *\ * | *\ *) install_sh="\${SHELL} '$am_aux_dir/install-sh'" ;; *) install_sh="\${SHELL} $am_aux_dir/install-sh" esac fi AC_SUBST([install_sh])]) # Copyright (C) 2003-2013 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. # Check whether the underlying file-system supports filenames # with a leading dot. For instance MS-DOS doesn't. AC_DEFUN([AM_SET_LEADING_DOT], [rm -rf .tst 2>/dev/null mkdir .tst 2>/dev/null if test -d .tst; then am__leading_dot=. else am__leading_dot=_ fi rmdir .tst 2>/dev/null AC_SUBST([am__leading_dot])]) # Check to see how 'make' treats includes. -*- Autoconf -*- # Copyright (C) 2001-2013 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. # AM_MAKE_INCLUDE() # ----------------- # Check to see how make treats includes. AC_DEFUN([AM_MAKE_INCLUDE], [am_make=${MAKE-make} cat > confinc << 'END' am__doit: @echo this is the am__doit target .PHONY: am__doit END # If we don't find an include directive, just comment out the code. AC_MSG_CHECKING([for style of include used by $am_make]) am__include="#" am__quote= _am_result=none # First try GNU make style include. echo "include confinc" > confmf # Ignore all kinds of additional output from 'make'. case `$am_make -s -f confmf 2> /dev/null` in #( *the\ am__doit\ target*) am__include=include am__quote= _am_result=GNU ;; esac # Now try BSD make style include. if test "$am__include" = "#"; then echo '.include "confinc"' > confmf case `$am_make -s -f confmf 2> /dev/null` in #( *the\ am__doit\ target*) am__include=.include am__quote="\"" _am_result=BSD ;; esac fi AC_SUBST([am__include]) AC_SUBST([am__quote]) AC_MSG_RESULT([$_am_result]) rm -f confinc confmf ]) # Fake the existence of programs that GNU maintainers use. -*- Autoconf -*- # Copyright (C) 1997-2013 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. # AM_MISSING_PROG(NAME, PROGRAM) # ------------------------------ AC_DEFUN([AM_MISSING_PROG], [AC_REQUIRE([AM_MISSING_HAS_RUN]) $1=${$1-"${am_missing_run}$2"} AC_SUBST($1)]) # AM_MISSING_HAS_RUN # ------------------ # Define MISSING if not defined so far and test if it is modern enough. # If it is, set am_missing_run to use it, otherwise, to nothing. AC_DEFUN([AM_MISSING_HAS_RUN], [AC_REQUIRE([AM_AUX_DIR_EXPAND])dnl AC_REQUIRE_AUX_FILE([missing])dnl if test x"${MISSING+set}" != xset; then case $am_aux_dir in *\ * | *\ *) MISSING="\${SHELL} \"$am_aux_dir/missing\"" ;; *) MISSING="\${SHELL} $am_aux_dir/missing" ;; esac fi # Use eval to expand $SHELL if eval "$MISSING --is-lightweight"; then am_missing_run="$MISSING " else am_missing_run= AC_MSG_WARN(['missing' script is too old or missing]) fi ]) # Helper functions for option handling. -*- Autoconf -*- # Copyright (C) 2001-2013 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. # _AM_MANGLE_OPTION(NAME) # ----------------------- AC_DEFUN([_AM_MANGLE_OPTION], [[_AM_OPTION_]m4_bpatsubst($1, [[^a-zA-Z0-9_]], [_])]) # _AM_SET_OPTION(NAME) # -------------------- # Set option NAME. Presently that only means defining a flag for this option. AC_DEFUN([_AM_SET_OPTION], [m4_define(_AM_MANGLE_OPTION([$1]), [1])]) # _AM_SET_OPTIONS(OPTIONS) # ------------------------ # OPTIONS is a space-separated list of Automake options. AC_DEFUN([_AM_SET_OPTIONS], [m4_foreach_w([_AM_Option], [$1], [_AM_SET_OPTION(_AM_Option)])]) # _AM_IF_OPTION(OPTION, IF-SET, [IF-NOT-SET]) # ------------------------------------------- # Execute IF-SET if OPTION is set, IF-NOT-SET otherwise. AC_DEFUN([_AM_IF_OPTION], [m4_ifset(_AM_MANGLE_OPTION([$1]), [$2], [$3])]) # Copyright (C) 1999-2013 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. # _AM_PROG_CC_C_O # --------------- # Like AC_PROG_CC_C_O, but changed for automake. We rewrite AC_PROG_CC # to automatically call this. AC_DEFUN([_AM_PROG_CC_C_O], [AC_REQUIRE([AM_AUX_DIR_EXPAND])dnl AC_REQUIRE_AUX_FILE([compile])dnl AC_LANG_PUSH([C])dnl AC_CACHE_CHECK( [whether $CC understands -c and -o together], [am_cv_prog_cc_c_o], [AC_LANG_CONFTEST([AC_LANG_PROGRAM([])]) # Make sure it works both with $CC and with simple cc. # Following AC_PROG_CC_C_O, we do the test twice because some # compilers refuse to overwrite an existing .o file with -o, # though they will create one. am_cv_prog_cc_c_o=yes for am_i in 1 2; do if AM_RUN_LOG([$CC -c conftest.$ac_ext -o conftest2.$ac_objext]) \ && test -f conftest2.$ac_objext; then : OK else am_cv_prog_cc_c_o=no break fi done rm -f core conftest* unset am_i]) if test "$am_cv_prog_cc_c_o" != yes; then # Losing compiler, so override with the script. # FIXME: It is wrong to rewrite CC. # But if we don't then we get into trouble of one sort or another. # A longer-term fix would be to have automake use am__CC in this case, # and then we could set am__CC="\$(top_srcdir)/compile \$(CC)" CC="$am_aux_dir/compile $CC" fi AC_LANG_POP([C])]) # For backward compatibility. AC_DEFUN_ONCE([AM_PROG_CC_C_O], [AC_REQUIRE([AC_PROG_CC])]) # Copyright (C) 2001-2013 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. # AM_RUN_LOG(COMMAND) # ------------------- # Run COMMAND, save the exit status in ac_status, and log it. # (This has been adapted from Autoconf's _AC_RUN_LOG macro.) AC_DEFUN([AM_RUN_LOG], [{ echo "$as_me:$LINENO: $1" >&AS_MESSAGE_LOG_FD ($1) >&AS_MESSAGE_LOG_FD 2>&AS_MESSAGE_LOG_FD ac_status=$? echo "$as_me:$LINENO: \$? = $ac_status" >&AS_MESSAGE_LOG_FD (exit $ac_status); }]) # Check to make sure that the build environment is sane. -*- Autoconf -*- # Copyright (C) 1996-2013 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. # AM_SANITY_CHECK # --------------- AC_DEFUN([AM_SANITY_CHECK], [AC_MSG_CHECKING([whether build environment is sane]) # Reject unsafe characters in $srcdir or the absolute working directory # name. Accept space and tab only in the latter. am_lf=' ' case `pwd` in *[[\\\"\#\$\&\'\`$am_lf]]*) AC_MSG_ERROR([unsafe absolute working directory name]);; esac case $srcdir in *[[\\\"\#\$\&\'\`$am_lf\ \ ]]*) AC_MSG_ERROR([unsafe srcdir value: '$srcdir']);; esac # Do 'set' in a subshell so we don't clobber the current shell's # arguments. Must try -L first in case configure is actually a # symlink; some systems play weird games with the mod time of symlinks # (eg FreeBSD returns the mod time of the symlink's containing # directory). if ( am_has_slept=no for am_try in 1 2; do echo "timestamp, slept: $am_has_slept" > conftest.file set X `ls -Lt "$srcdir/configure" conftest.file 2> /dev/null` if test "$[*]" = "X"; then # -L didn't work. set X `ls -t "$srcdir/configure" conftest.file` fi if test "$[*]" != "X $srcdir/configure conftest.file" \ && test "$[*]" != "X conftest.file $srcdir/configure"; then # If neither matched, then we have a broken ls. This can happen # if, for instance, CONFIG_SHELL is bash and it inherits a # broken ls alias from the environment. This has actually # happened. Such a system could not be considered "sane". AC_MSG_ERROR([ls -t appears to fail. Make sure there is not a broken alias in your environment]) fi if test "$[2]" = conftest.file || test $am_try -eq 2; then break fi # Just in case. sleep 1 am_has_slept=yes done test "$[2]" = conftest.file ) then # Ok. : else AC_MSG_ERROR([newly created file is older than distributed files! Check your system clock]) fi AC_MSG_RESULT([yes]) # If we didn't sleep, we still need to ensure time stamps of config.status and # generated files are strictly newer. am_sleep_pid= if grep 'slept: no' conftest.file >/dev/null 2>&1; then ( sleep 1 ) & am_sleep_pid=$! fi AC_CONFIG_COMMANDS_PRE( [AC_MSG_CHECKING([that generated files are newer than configure]) if test -n "$am_sleep_pid"; then # Hide warnings about reused PIDs. wait $am_sleep_pid 2>/dev/null fi AC_MSG_RESULT([done])]) rm -f conftest.file ]) # Copyright (C) 2009-2013 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. # AM_SILENT_RULES([DEFAULT]) # -------------------------- # Enable less verbose build rules; with the default set to DEFAULT # ("yes" being less verbose, "no" or empty being verbose). AC_DEFUN([AM_SILENT_RULES], [AC_ARG_ENABLE([silent-rules], [dnl AS_HELP_STRING( [--enable-silent-rules], [less verbose build output (undo: "make V=1")]) AS_HELP_STRING( [--disable-silent-rules], [verbose build output (undo: "make V=0")])dnl ]) case $enable_silent_rules in @%:@ ((( yes) AM_DEFAULT_VERBOSITY=0;; no) AM_DEFAULT_VERBOSITY=1;; *) AM_DEFAULT_VERBOSITY=m4_if([$1], [yes], [0], [1]);; esac dnl dnl A few 'make' implementations (e.g., NonStop OS and NextStep) dnl do not support nested variable expansions. dnl See automake bug#9928 and bug#10237. am_make=${MAKE-make} AC_CACHE_CHECK([whether $am_make supports nested variables], [am_cv_make_support_nested_variables], [if AS_ECHO([['TRUE=$(BAR$(V)) BAR0=false BAR1=true V=1 am__doit: @$(TRUE) .PHONY: am__doit']]) | $am_make -f - >/dev/null 2>&1; then am_cv_make_support_nested_variables=yes else am_cv_make_support_nested_variables=no fi]) if test $am_cv_make_support_nested_variables = yes; then dnl Using '$V' instead of '$(V)' breaks IRIX make. AM_V='$(V)' AM_DEFAULT_V='$(AM_DEFAULT_VERBOSITY)' else AM_V=$AM_DEFAULT_VERBOSITY AM_DEFAULT_V=$AM_DEFAULT_VERBOSITY fi AC_SUBST([AM_V])dnl AM_SUBST_NOTMAKE([AM_V])dnl AC_SUBST([AM_DEFAULT_V])dnl AM_SUBST_NOTMAKE([AM_DEFAULT_V])dnl AC_SUBST([AM_DEFAULT_VERBOSITY])dnl AM_BACKSLASH='\' AC_SUBST([AM_BACKSLASH])dnl _AM_SUBST_NOTMAKE([AM_BACKSLASH])dnl ]) # Copyright (C) 2001-2013 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. # AM_PROG_INSTALL_STRIP # --------------------- # One issue with vendor 'install' (even GNU) is that you can't # specify the program used to strip binaries. This is especially # annoying in cross-compiling environments, where the build's strip # is unlikely to handle the host's binaries. # Fortunately install-sh will honor a STRIPPROG variable, so we # always use install-sh in "make install-strip", and initialize # STRIPPROG with the value of the STRIP variable (set by the user). AC_DEFUN([AM_PROG_INSTALL_STRIP], [AC_REQUIRE([AM_PROG_INSTALL_SH])dnl # Installed binaries are usually stripped using 'strip' when the user # run "make install-strip". However 'strip' might not be the right # tool to use in cross-compilation environments, therefore Automake # will honor the 'STRIP' environment variable to overrule this program. dnl Don't test for $cross_compiling = yes, because it might be 'maybe'. if test "$cross_compiling" != no; then AC_CHECK_TOOL([STRIP], [strip], :) fi INSTALL_STRIP_PROGRAM="\$(install_sh) -c -s" AC_SUBST([INSTALL_STRIP_PROGRAM])]) # Copyright (C) 2006-2013 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. # _AM_SUBST_NOTMAKE(VARIABLE) # --------------------------- # Prevent Automake from outputting VARIABLE = @VARIABLE@ in Makefile.in. # This macro is traced by Automake. AC_DEFUN([_AM_SUBST_NOTMAKE]) # AM_SUBST_NOTMAKE(VARIABLE) # -------------------------- # Public sister of _AM_SUBST_NOTMAKE. AC_DEFUN([AM_SUBST_NOTMAKE], [_AM_SUBST_NOTMAKE($@)]) # Check how to create a tarball. -*- Autoconf -*- # Copyright (C) 2004-2013 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. # _AM_PROG_TAR(FORMAT) # -------------------- # Check how to create a tarball in format FORMAT. # FORMAT should be one of 'v7', 'ustar', or 'pax'. # # Substitute a variable $(am__tar) that is a command # writing to stdout a FORMAT-tarball containing the directory # $tardir. # tardir=directory && $(am__tar) > result.tar # # Substitute a variable $(am__untar) that extract such # a tarball read from stdin. # $(am__untar) < result.tar # AC_DEFUN([_AM_PROG_TAR], [# Always define AMTAR for backward compatibility. Yes, it's still used # in the wild :-( We should find a proper way to deprecate it ... AC_SUBST([AMTAR], ['$${TAR-tar}']) # We'll loop over all known methods to create a tar archive until one works. _am_tools='gnutar m4_if([$1], [ustar], [plaintar]) pax cpio none' m4_if([$1], [v7], [am__tar='$${TAR-tar} chof - "$$tardir"' am__untar='$${TAR-tar} xf -'], [m4_case([$1], [ustar], [# The POSIX 1988 'ustar' format is defined with fixed-size fields. # There is notably a 21 bits limit for the UID and the GID. In fact, # the 'pax' utility can hang on bigger UID/GID (see automake bug#8343 # and bug#13588). am_max_uid=2097151 # 2^21 - 1 am_max_gid=$am_max_uid # The $UID and $GID variables are not portable, so we need to resort # to the POSIX-mandated id(1) utility. Errors in the 'id' calls # below are definitely unexpected, so allow the users to see them # (that is, avoid stderr redirection). am_uid=`id -u || echo unknown` am_gid=`id -g || echo unknown` AC_MSG_CHECKING([whether UID '$am_uid' is supported by ustar format]) if test $am_uid -le $am_max_uid; then AC_MSG_RESULT([yes]) else AC_MSG_RESULT([no]) _am_tools=none fi AC_MSG_CHECKING([whether GID '$am_gid' is supported by ustar format]) if test $am_gid -le $am_max_gid; then AC_MSG_RESULT([yes]) else AC_MSG_RESULT([no]) _am_tools=none fi], [pax], [], [m4_fatal([Unknown tar format])]) AC_MSG_CHECKING([how to create a $1 tar archive]) # Go ahead even if we have the value already cached. We do so because we # need to set the values for the 'am__tar' and 'am__untar' variables. _am_tools=${am_cv_prog_tar_$1-$_am_tools} for _am_tool in $_am_tools; do case $_am_tool in gnutar) for _am_tar in tar gnutar gtar; do AM_RUN_LOG([$_am_tar --version]) && break done am__tar="$_am_tar --format=m4_if([$1], [pax], [posix], [$1]) -chf - "'"$$tardir"' am__tar_="$_am_tar --format=m4_if([$1], [pax], [posix], [$1]) -chf - "'"$tardir"' am__untar="$_am_tar -xf -" ;; plaintar) # Must skip GNU tar: if it does not support --format= it doesn't create # ustar tarball either. (tar --version) >/dev/null 2>&1 && continue am__tar='tar chf - "$$tardir"' am__tar_='tar chf - "$tardir"' am__untar='tar xf -' ;; pax) am__tar='pax -L -x $1 -w "$$tardir"' am__tar_='pax -L -x $1 -w "$tardir"' am__untar='pax -r' ;; cpio) am__tar='find "$$tardir" -print | cpio -o -H $1 -L' am__tar_='find "$tardir" -print | cpio -o -H $1 -L' am__untar='cpio -i -H $1 -d' ;; none) am__tar=false am__tar_=false am__untar=false ;; esac # If the value was cached, stop now. We just wanted to have am__tar # and am__untar set. test -n "${am_cv_prog_tar_$1}" && break # tar/untar a dummy directory, and stop if the command works. rm -rf conftest.dir mkdir conftest.dir echo GrepMe > conftest.dir/file AM_RUN_LOG([tardir=conftest.dir && eval $am__tar_ >conftest.tar]) rm -rf conftest.dir if test -s conftest.tar; then AM_RUN_LOG([$am__untar /dev/null 2>&1 && break fi done rm -rf conftest.dir AC_CACHE_VAL([am_cv_prog_tar_$1], [am_cv_prog_tar_$1=$_am_tool]) AC_MSG_RESULT([$am_cv_prog_tar_$1])]) AC_SUBST([am__tar]) AC_SUBST([am__untar]) ]) # _AM_PROG_TAR m4_include([m4/ax_emptyarray.m4]) m4_include([m4/ax_socklen_t.m4]) m4_include([m4/ax_varargs.m4]) m4_include([m4/libtool.m4]) m4_include([m4/ltoptions.m4]) m4_include([m4/ltsugar.m4]) m4_include([m4/ltversion.m4]) m4_include([m4/lt~obsolete.m4]) m4_include([m4/pkg.m4]) openvpn-2.4.4/build/000077500000000000000000000000001316434344000143075ustar00rootroot00000000000000openvpn-2.4.4/build/Makefile.am000066400000000000000000000007011316434344000163410ustar00rootroot00000000000000# # OpenVPN -- An application to securely tunnel IP networks # over a single UDP port, with support for SSL/TLS-based # session authentication and key exchange, # packet encryption, packet authentication, and # packet compression. # # Copyright (C) 2002-2017 OpenVPN Technologies, Inc. # MAINTAINERCLEANFILES = \ $(srcdir)/Makefile.in EXTRA_DIST = \ ltrc.inc SUBDIRS = msvc openvpn-2.4.4/build/Makefile.in000066400000000000000000000507211316434344000163610ustar00rootroot00000000000000# Makefile.in generated by automake 1.14.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2013 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY, to the extent permitted by law; without # even the implied warranty of MERCHANTABILITY or FITNESS FOR A # PARTICULAR PURPOSE. @SET_MAKE@ # # OpenVPN -- An application to securely tunnel IP networks # over a single UDP port, with support for SSL/TLS-based # session authentication and key exchange, # packet encryption, packet authentication, and # packet compression. # # Copyright (C) 2002-2017 OpenVPN Technologies, Inc. # VPATH = @srcdir@ am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ *) echo "am__make_running_with_option: internal error: invalid" \ "target option '$${target_option-}' specified" >&2; \ exit 1;; \ esac; \ has_opt=no; \ sane_makeflags=$$MAKEFLAGS; \ if $(am__is_gnu_make); then \ sane_makeflags=$$MFLAGS; \ else \ case $$MAKEFLAGS in \ *\\[\ \ ]*) \ bs=\\; \ sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ esac; \ fi; \ skip_next=no; \ strip_trailopt () \ { \ flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ }; \ for flg in $$sane_makeflags; do \ test $$skip_next = yes && { skip_next=no; continue; }; \ case $$flg in \ *=*|--*) continue;; \ -*I) strip_trailopt 'I'; skip_next=yes;; \ -*I?*) strip_trailopt 'I';; \ -*O) strip_trailopt 'O'; skip_next=yes;; \ -*O?*) strip_trailopt 'O';; \ -*l) strip_trailopt 'l'; skip_next=yes;; \ -*l?*) strip_trailopt 'l';; \ -[dEDm]) skip_next=yes;; \ -[JT]) skip_next=yes;; \ esac; \ case $$flg in \ *$$target_option*) has_opt=yes; break;; \ esac; \ done; \ test $$has_opt = yes am__make_dryrun = (target_option=n; $(am__make_running_with_option)) am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) pkgdatadir = $(datadir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ pkglibdir = $(libdir)/@PACKAGE@ pkglibexecdir = $(libexecdir)/@PACKAGE@ am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c install_sh_SCRIPT = $(install_sh) -c INSTALL_HEADER = $(INSTALL_DATA) transform = $(program_transform_name) NORMAL_INSTALL = : PRE_INSTALL = : POST_INSTALL = : NORMAL_UNINSTALL = : PRE_UNINSTALL = : POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = build DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/ax_emptyarray.m4 \ $(top_srcdir)/m4/ax_socklen_t.m4 \ $(top_srcdir)/m4/ax_varargs.m4 $(top_srcdir)/m4/libtool.m4 \ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ $(top_srcdir)/m4/pkg.m4 $(top_srcdir)/version.m4 \ $(top_srcdir)/compat.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h \ $(top_builddir)/include/openvpn-plugin.h CONFIG_CLEAN_FILES = CONFIG_CLEAN_VPATH_FILES = AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false am__v_P_1 = : AM_V_GEN = $(am__v_GEN_@AM_V@) am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) am__v_GEN_0 = @echo " GEN " $@; am__v_GEN_1 = AM_V_at = $(am__v_at_@AM_V@) am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) am__v_at_0 = @ am__v_at_1 = SOURCES = DIST_SOURCES = RECURSIVE_TARGETS = all-recursive check-recursive cscopelist-recursive \ ctags-recursive dvi-recursive html-recursive info-recursive \ install-data-recursive install-dvi-recursive \ install-exec-recursive install-html-recursive \ install-info-recursive install-pdf-recursive \ install-ps-recursive install-recursive installcheck-recursive \ installdirs-recursive pdf-recursive ps-recursive \ tags-recursive uninstall-recursive am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ *) (install-info --version) >/dev/null 2>&1;; \ esac RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive \ distclean-recursive maintainer-clean-recursive am__recursive_targets = \ $(RECURSIVE_TARGETS) \ $(RECURSIVE_CLEAN_TARGETS) \ $(am__extra_recursive_targets) AM_RECURSIVE_TARGETS = $(am__recursive_targets:-recursive=) TAGS CTAGS \ distdir am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) # Read a list of newline-separated strings from the standard input, # and print each of them once, without duplicates. Input order is # *not* preserved. am__uniquify_input = $(AWK) '\ BEGIN { nonempty = 0; } \ { items[$$0] = 1; nonempty = 1; } \ END { if (nonempty) { for (i in items) print i; }; } \ ' # Make sure the list of sources is unique. This is necessary because, # e.g., the same source file might be shared among _SOURCES variables # for different programs/libraries. am__define_uniq_tagged_files = \ list='$(am__tagged_files)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags DIST_SUBDIRS = $(SUBDIRS) DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) am__relativize = \ dir0=`pwd`; \ sed_first='s,^\([^/]*\)/.*$$,\1,'; \ sed_rest='s,^[^/]*/*,,'; \ sed_last='s,^.*/\([^/]*\)$$,\1,'; \ sed_butlast='s,/*[^/]*$$,,'; \ while test -n "$$dir1"; do \ first=`echo "$$dir1" | sed -e "$$sed_first"`; \ if test "$$first" != "."; then \ if test "$$first" = ".."; then \ dir2=`echo "$$dir0" | sed -e "$$sed_last"`/"$$dir2"; \ dir0=`echo "$$dir0" | sed -e "$$sed_butlast"`; \ else \ first2=`echo "$$dir2" | sed -e "$$sed_first"`; \ if test "$$first2" = "$$first"; then \ dir2=`echo "$$dir2" | sed -e "$$sed_rest"`; \ else \ dir2="../$$dir2"; \ fi; \ dir0="$$dir0"/"$$first"; \ fi; \ fi; \ dir1=`echo "$$dir1" | sed -e "$$sed_rest"`; \ done; \ reldir="$$dir2" ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ AS = @AS@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ CMAKE = @CMAKE@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ DL_LIBS = @DL_LIBS@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ GIT = @GIT@ GREP = @GREP@ IFCONFIG = @IFCONFIG@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ IPROUTE = @IPROUTE@ LD = @LD@ LDFLAGS = @LDFLAGS@ LIBOBJS = @LIBOBJS@ LIBPAM_CFLAGS = @LIBPAM_CFLAGS@ LIBPAM_LIBS = @LIBPAM_LIBS@ LIBS = @LIBS@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ LZ4_CFLAGS = @LZ4_CFLAGS@ LZ4_LIBS = @LZ4_LIBS@ LZO_CFLAGS = @LZO_CFLAGS@ LZO_LIBS = @LZO_LIBS@ MAKEINFO = @MAKEINFO@ MAN2HTML = @MAN2HTML@ MANIFEST_TOOL = @MANIFEST_TOOL@ MBEDTLS_CFLAGS = @MBEDTLS_CFLAGS@ MBEDTLS_LIBS = @MBEDTLS_LIBS@ MKDIR_P = @MKDIR_P@ NETSTAT = @NETSTAT@ NM = @NM@ NMEDIT = @NMEDIT@ OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ OPENSSL_CFLAGS = @OPENSSL_CFLAGS@ OPENSSL_LIBS = @OPENSSL_LIBS@ OPENVPN_VERSION_MAJOR = @OPENVPN_VERSION_MAJOR@ OPENVPN_VERSION_MINOR = @OPENVPN_VERSION_MINOR@ OPENVPN_VERSION_PATCH = @OPENVPN_VERSION_PATCH@ OPTIONAL_CRYPTO_CFLAGS = @OPTIONAL_CRYPTO_CFLAGS@ OPTIONAL_CRYPTO_LIBS = @OPTIONAL_CRYPTO_LIBS@ OPTIONAL_DL_LIBS = @OPTIONAL_DL_LIBS@ OPTIONAL_LZ4_CFLAGS = @OPTIONAL_LZ4_CFLAGS@ OPTIONAL_LZ4_LIBS = @OPTIONAL_LZ4_LIBS@ OPTIONAL_LZO_CFLAGS = @OPTIONAL_LZO_CFLAGS@ OPTIONAL_LZO_LIBS = @OPTIONAL_LZO_LIBS@ OPTIONAL_PKCS11_HELPER_CFLAGS = @OPTIONAL_PKCS11_HELPER_CFLAGS@ OPTIONAL_PKCS11_HELPER_LIBS = @OPTIONAL_PKCS11_HELPER_LIBS@ OPTIONAL_SELINUX_LIBS = @OPTIONAL_SELINUX_LIBS@ OPTIONAL_SYSTEMD_LIBS = @OPTIONAL_SYSTEMD_LIBS@ OTOOL = @OTOOL@ OTOOL64 = @OTOOL64@ P11KIT_CFLAGS = @P11KIT_CFLAGS@ P11KIT_LIBS = @P11KIT_LIBS@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PKCS11_HELPER_CFLAGS = @PKCS11_HELPER_CFLAGS@ PKCS11_HELPER_LIBS = @PKCS11_HELPER_LIBS@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGINDIR = @PLUGINDIR@ PLUGIN_AUTH_PAM_CFLAGS = @PLUGIN_AUTH_PAM_CFLAGS@ PLUGIN_AUTH_PAM_LIBS = @PLUGIN_AUTH_PAM_LIBS@ RANLIB = @RANLIB@ RC = @RC@ ROUTE = @ROUTE@ SED = @SED@ SELINUX_LIBS = @SELINUX_LIBS@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ SOCKETS_LIBS = @SOCKETS_LIBS@ STRIP = @STRIP@ SYSTEMD_ASK_PASSWORD = @SYSTEMD_ASK_PASSWORD@ SYSTEMD_UNIT_DIR = @SYSTEMD_UNIT_DIR@ TAP_CFLAGS = @TAP_CFLAGS@ TAP_WIN_COMPONENT_ID = @TAP_WIN_COMPONENT_ID@ TAP_WIN_MIN_MAJOR = @TAP_WIN_MIN_MAJOR@ TAP_WIN_MIN_MINOR = @TAP_WIN_MIN_MINOR@ TEST_CFLAGS = @TEST_CFLAGS@ TEST_LDFLAGS = @TEST_LDFLAGS@ TMPFILES_DIR = @TMPFILES_DIR@ VENDOR_BUILD_ROOT = @VENDOR_BUILD_ROOT@ VENDOR_DIST_ROOT = @VENDOR_DIST_ROOT@ VENDOR_SRC_ROOT = @VENDOR_SRC_ROOT@ VERSION = @VERSION@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ ac_ct_AR = @ac_ct_AR@ ac_ct_CC = @ac_ct_CC@ ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ am__include = @am__include@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ am__tar = @am__tar@ am__untar = @am__untar@ bindir = @bindir@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ datadir = @datadir@ datarootdir = @datarootdir@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ host_os = @host_os@ host_vendor = @host_vendor@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ libdir = @libdir@ libexecdir = @libexecdir@ libsystemd_CFLAGS = @libsystemd_CFLAGS@ libsystemd_LIBS = @libsystemd_LIBS@ localedir = @localedir@ localstatedir = @localstatedir@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ pdfdir = @pdfdir@ plugindir = @plugindir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ sampledir = @sampledir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ systemdunitdir = @systemdunitdir@ target_alias = @target_alias@ tmpfilesdir = @tmpfilesdir@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ MAINTAINERCLEANFILES = \ $(srcdir)/Makefile.in EXTRA_DIST = \ ltrc.inc SUBDIRS = msvc all: all-recursive .SUFFIXES: $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) @for dep in $?; do \ case '$(am__configure_deps)' in \ *$$dep*) \ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ && { if test -f $@; then exit 0; else break; fi; }; \ exit 1;; \ esac; \ done; \ echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign build/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --foreign build/Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ *) \ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(top_srcdir)/configure: $(am__configure_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(ACLOCAL_M4): $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(am__aclocal_m4_deps): mostlyclean-libtool: -rm -f *.lo clean-libtool: -rm -rf .libs _libs # This directory's subdirectories are mostly independent; you can cd # into them and run 'make' without going through this Makefile. # To change the values of 'make' variables: instead of editing Makefiles, # (1) if the variable is set in 'config.status', edit 'config.status' # (which will cause the Makefiles to be regenerated when you run 'make'); # (2) otherwise, pass the desired values on the 'make' command line. $(am__recursive_targets): @fail=; \ if $(am__make_keepgoing); then \ failcom='fail=yes'; \ else \ failcom='exit 1'; \ fi; \ dot_seen=no; \ target=`echo $@ | sed s/-recursive//`; \ case "$@" in \ distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \ *) list='$(SUBDIRS)' ;; \ esac; \ for subdir in $$list; do \ echo "Making $$target in $$subdir"; \ if test "$$subdir" = "."; then \ dot_seen=yes; \ local_target="$$target-am"; \ else \ local_target="$$target"; \ fi; \ ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ || eval $$failcom; \ done; \ if test "$$dot_seen" = "no"; then \ $(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \ fi; test -z "$$fail" ID: $(am__tagged_files) $(am__define_uniq_tagged_files); mkid -fID $$unique tags: tags-recursive TAGS: tags tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) set x; \ here=`pwd`; \ if ($(ETAGS) --etags-include --version) >/dev/null 2>&1; then \ include_option=--etags-include; \ empty_fix=.; \ else \ include_option=--include; \ empty_fix=; \ fi; \ list='$(SUBDIRS)'; for subdir in $$list; do \ if test "$$subdir" = .; then :; else \ test ! -f $$subdir/TAGS || \ set "$$@" "$$include_option=$$here/$$subdir/TAGS"; \ fi; \ done; \ $(am__define_uniq_tagged_files); \ shift; \ if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ test -n "$$unique" || unique=$$empty_fix; \ if test $$# -gt 0; then \ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ "$$@" $$unique; \ else \ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ $$unique; \ fi; \ fi ctags: ctags-recursive CTAGS: ctags ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) $(am__define_uniq_tagged_files); \ test -z "$(CTAGS_ARGS)$$unique" \ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ $$unique GTAGS: here=`$(am__cd) $(top_builddir) && pwd` \ && $(am__cd) $(top_srcdir) \ && gtags -i $(GTAGS_ARGS) "$$here" cscopelist: cscopelist-recursive cscopelist-am: $(am__tagged_files) list='$(am__tagged_files)'; \ case "$(srcdir)" in \ [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \ *) sdir=$(subdir)/$(srcdir) ;; \ esac; \ for i in $$list; do \ if test -f "$$i"; then \ echo "$(subdir)/$$i"; \ else \ echo "$$sdir/$$i"; \ fi; \ done >> $(top_builddir)/cscope.files distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags distdir: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ dist_files=`for file in $$list; do echo $$file; done | \ sed -e "s|^$$srcdirstrip/||;t" \ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ case $$dist_files in \ */*) $(MKDIR_P) `echo "$$dist_files" | \ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ sort -u` ;; \ esac; \ for file in $$dist_files; do \ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ if test -d $$d/$$file; then \ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ if test -d "$(distdir)/$$file"; then \ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ else \ test -f "$(distdir)/$$file" \ || cp -p $$d/$$file "$(distdir)/$$file" \ || exit 1; \ fi; \ done @list='$(DIST_SUBDIRS)'; for subdir in $$list; do \ if test "$$subdir" = .; then :; else \ $(am__make_dryrun) \ || test -d "$(distdir)/$$subdir" \ || $(MKDIR_P) "$(distdir)/$$subdir" \ || exit 1; \ dir1=$$subdir; dir2="$(distdir)/$$subdir"; \ $(am__relativize); \ new_distdir=$$reldir; \ dir1=$$subdir; dir2="$(top_distdir)"; \ $(am__relativize); \ new_top_distdir=$$reldir; \ echo " (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) top_distdir="$$new_top_distdir" distdir="$$new_distdir" \\"; \ echo " am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)"; \ ($(am__cd) $$subdir && \ $(MAKE) $(AM_MAKEFLAGS) \ top_distdir="$$new_top_distdir" \ distdir="$$new_distdir" \ am__remove_distdir=: \ am__skip_length_check=: \ am__skip_mode_fix=: \ distdir) \ || exit 1; \ fi; \ done check-am: all-am check: check-recursive all-am: Makefile installdirs: installdirs-recursive installdirs-am: install: install-recursive install-exec: install-exec-recursive install-data: install-data-recursive uninstall: uninstall-recursive install-am: all-am @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am installcheck: installcheck-recursive install-strip: if test -z '$(STRIP)'; then \ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ install; \ else \ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ fi mostlyclean-generic: clean-generic: distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @echo "it deletes files that may require special tools to rebuild." -test -z "$(MAINTAINERCLEANFILES)" || rm -f $(MAINTAINERCLEANFILES) clean: clean-recursive clean-am: clean-generic clean-libtool mostlyclean-am distclean: distclean-recursive -rm -f Makefile distclean-am: clean-am distclean-generic distclean-tags dvi: dvi-recursive dvi-am: html: html-recursive html-am: info: info-recursive info-am: install-data-am: install-dvi: install-dvi-recursive install-dvi-am: install-exec-am: install-html: install-html-recursive install-html-am: install-info: install-info-recursive install-info-am: install-man: install-pdf: install-pdf-recursive install-pdf-am: install-ps: install-ps-recursive install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-recursive -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic mostlyclean: mostlyclean-recursive mostlyclean-am: mostlyclean-generic mostlyclean-libtool pdf: pdf-recursive pdf-am: ps: ps-recursive ps-am: uninstall-am: .MAKE: $(am__recursive_targets) install-am install-strip .PHONY: $(am__recursive_targets) CTAGS GTAGS TAGS all all-am check \ check-am clean clean-generic clean-libtool cscopelist-am ctags \ ctags-am distclean distclean-generic distclean-libtool \ distclean-tags distdir dvi dvi-am html html-am info info-am \ install install-am install-data install-data-am install-dvi \ install-dvi-am install-exec install-exec-am install-html \ install-html-am install-info install-info-am install-man \ install-pdf install-pdf-am install-ps install-ps-am \ install-strip installcheck installcheck-am installdirs \ installdirs-am maintainer-clean maintainer-clean-generic \ mostlyclean mostlyclean-generic mostlyclean-libtool pdf pdf-am \ ps ps-am tags tags-am uninstall uninstall-am # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: openvpn-2.4.4/build/ltrc.inc000066400000000000000000000012051316434344000157440ustar00rootroot00000000000000# # OpenVPN -- An application to securely tunnel IP networks # over a single UDP port, with support for SSL/TLS-based # session authentication and key exchange, # packet encryption, packet authentication, and # packet compression. # # Copyright (C) 2008-2012 Alon Bar-Lev # # Required to build Windows resource file RCCOMPILE = $(RC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ $(AM_CPPFLAGS) $(CPPFLAGS) LTRCCOMPILE = $(LIBTOOL) --mode=compile --tag=RC $(RCCOMPILE) .rc.lo: $(LTRCCOMPILE) -i "$<" -o "$@" .rc.o: $(RCCOMPILE) -i "$<" -o "$@" .mc.rc: $(WINDMC) "$<" openvpn-2.4.4/build/msvc/000077500000000000000000000000001316434344000152575ustar00rootroot00000000000000openvpn-2.4.4/build/msvc/Makefile.am000066400000000000000000000007601316434344000173160ustar00rootroot00000000000000# # OpenVPN -- An application to securely tunnel IP networks # over a single UDP port, with support for SSL/TLS-based # session authentication and key exchange, # packet encryption, packet authentication, and # packet compression. # # Copyright (C) 2002-2017 OpenVPN Technologies, Inc. # Copyright (C) 2006-2012 Alon Bar-Lev # MAINTAINERCLEANFILES = \ $(srcdir)/Makefile.in SUBDIRS = msvc-generate openvpn-2.4.4/build/msvc/Makefile.in000066400000000000000000000510171316434344000173300ustar00rootroot00000000000000# Makefile.in generated by automake 1.14.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2013 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY, to the extent permitted by law; without # even the implied warranty of MERCHANTABILITY or FITNESS FOR A # PARTICULAR PURPOSE. @SET_MAKE@ # # OpenVPN -- An application to securely tunnel IP networks # over a single UDP port, with support for SSL/TLS-based # session authentication and key exchange, # packet encryption, packet authentication, and # packet compression. # # Copyright (C) 2002-2017 OpenVPN Technologies, Inc. # Copyright (C) 2006-2012 Alon Bar-Lev # VPATH = @srcdir@ am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ *) echo "am__make_running_with_option: internal error: invalid" \ "target option '$${target_option-}' specified" >&2; \ exit 1;; \ esac; \ has_opt=no; \ sane_makeflags=$$MAKEFLAGS; \ if $(am__is_gnu_make); then \ sane_makeflags=$$MFLAGS; \ else \ case $$MAKEFLAGS in \ *\\[\ \ ]*) \ bs=\\; \ sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ esac; \ fi; \ skip_next=no; \ strip_trailopt () \ { \ flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ }; \ for flg in $$sane_makeflags; do \ test $$skip_next = yes && { skip_next=no; continue; }; \ case $$flg in \ *=*|--*) continue;; \ -*I) strip_trailopt 'I'; skip_next=yes;; \ -*I?*) strip_trailopt 'I';; \ -*O) strip_trailopt 'O'; skip_next=yes;; \ -*O?*) strip_trailopt 'O';; \ -*l) strip_trailopt 'l'; skip_next=yes;; \ -*l?*) strip_trailopt 'l';; \ -[dEDm]) skip_next=yes;; \ -[JT]) skip_next=yes;; \ esac; \ case $$flg in \ *$$target_option*) has_opt=yes; break;; \ esac; \ done; \ test $$has_opt = yes am__make_dryrun = (target_option=n; $(am__make_running_with_option)) am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) pkgdatadir = $(datadir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ pkglibdir = $(libdir)/@PACKAGE@ pkglibexecdir = $(libexecdir)/@PACKAGE@ am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c install_sh_SCRIPT = $(install_sh) -c INSTALL_HEADER = $(INSTALL_DATA) transform = $(program_transform_name) NORMAL_INSTALL = : PRE_INSTALL = : POST_INSTALL = : NORMAL_UNINSTALL = : PRE_UNINSTALL = : POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = build/msvc DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/ax_emptyarray.m4 \ $(top_srcdir)/m4/ax_socklen_t.m4 \ $(top_srcdir)/m4/ax_varargs.m4 $(top_srcdir)/m4/libtool.m4 \ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ $(top_srcdir)/m4/pkg.m4 $(top_srcdir)/version.m4 \ $(top_srcdir)/compat.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h \ $(top_builddir)/include/openvpn-plugin.h CONFIG_CLEAN_FILES = CONFIG_CLEAN_VPATH_FILES = AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false am__v_P_1 = : AM_V_GEN = $(am__v_GEN_@AM_V@) am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) am__v_GEN_0 = @echo " GEN " $@; am__v_GEN_1 = AM_V_at = $(am__v_at_@AM_V@) am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) am__v_at_0 = @ am__v_at_1 = SOURCES = DIST_SOURCES = RECURSIVE_TARGETS = all-recursive check-recursive cscopelist-recursive \ ctags-recursive dvi-recursive html-recursive info-recursive \ install-data-recursive install-dvi-recursive \ install-exec-recursive install-html-recursive \ install-info-recursive install-pdf-recursive \ install-ps-recursive install-recursive installcheck-recursive \ installdirs-recursive pdf-recursive ps-recursive \ tags-recursive uninstall-recursive am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ *) (install-info --version) >/dev/null 2>&1;; \ esac RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive \ distclean-recursive maintainer-clean-recursive am__recursive_targets = \ $(RECURSIVE_TARGETS) \ $(RECURSIVE_CLEAN_TARGETS) \ $(am__extra_recursive_targets) AM_RECURSIVE_TARGETS = $(am__recursive_targets:-recursive=) TAGS CTAGS \ distdir am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) # Read a list of newline-separated strings from the standard input, # and print each of them once, without duplicates. Input order is # *not* preserved. am__uniquify_input = $(AWK) '\ BEGIN { nonempty = 0; } \ { items[$$0] = 1; nonempty = 1; } \ END { if (nonempty) { for (i in items) print i; }; } \ ' # Make sure the list of sources is unique. This is necessary because, # e.g., the same source file might be shared among _SOURCES variables # for different programs/libraries. am__define_uniq_tagged_files = \ list='$(am__tagged_files)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags DIST_SUBDIRS = $(SUBDIRS) DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) am__relativize = \ dir0=`pwd`; \ sed_first='s,^\([^/]*\)/.*$$,\1,'; \ sed_rest='s,^[^/]*/*,,'; \ sed_last='s,^.*/\([^/]*\)$$,\1,'; \ sed_butlast='s,/*[^/]*$$,,'; \ while test -n "$$dir1"; do \ first=`echo "$$dir1" | sed -e "$$sed_first"`; \ if test "$$first" != "."; then \ if test "$$first" = ".."; then \ dir2=`echo "$$dir0" | sed -e "$$sed_last"`/"$$dir2"; \ dir0=`echo "$$dir0" | sed -e "$$sed_butlast"`; \ else \ first2=`echo "$$dir2" | sed -e "$$sed_first"`; \ if test "$$first2" = "$$first"; then \ dir2=`echo "$$dir2" | sed -e "$$sed_rest"`; \ else \ dir2="../$$dir2"; \ fi; \ dir0="$$dir0"/"$$first"; \ fi; \ fi; \ dir1=`echo "$$dir1" | sed -e "$$sed_rest"`; \ done; \ reldir="$$dir2" ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ AS = @AS@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ CMAKE = @CMAKE@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ DL_LIBS = @DL_LIBS@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ GIT = @GIT@ GREP = @GREP@ IFCONFIG = @IFCONFIG@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ IPROUTE = @IPROUTE@ LD = @LD@ LDFLAGS = @LDFLAGS@ LIBOBJS = @LIBOBJS@ LIBPAM_CFLAGS = @LIBPAM_CFLAGS@ LIBPAM_LIBS = @LIBPAM_LIBS@ LIBS = @LIBS@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ LZ4_CFLAGS = @LZ4_CFLAGS@ LZ4_LIBS = @LZ4_LIBS@ LZO_CFLAGS = @LZO_CFLAGS@ LZO_LIBS = @LZO_LIBS@ MAKEINFO = @MAKEINFO@ MAN2HTML = @MAN2HTML@ MANIFEST_TOOL = @MANIFEST_TOOL@ MBEDTLS_CFLAGS = @MBEDTLS_CFLAGS@ MBEDTLS_LIBS = @MBEDTLS_LIBS@ MKDIR_P = @MKDIR_P@ NETSTAT = @NETSTAT@ NM = @NM@ NMEDIT = @NMEDIT@ OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ OPENSSL_CFLAGS = @OPENSSL_CFLAGS@ OPENSSL_LIBS = @OPENSSL_LIBS@ OPENVPN_VERSION_MAJOR = @OPENVPN_VERSION_MAJOR@ OPENVPN_VERSION_MINOR = @OPENVPN_VERSION_MINOR@ OPENVPN_VERSION_PATCH = @OPENVPN_VERSION_PATCH@ OPTIONAL_CRYPTO_CFLAGS = @OPTIONAL_CRYPTO_CFLAGS@ OPTIONAL_CRYPTO_LIBS = @OPTIONAL_CRYPTO_LIBS@ OPTIONAL_DL_LIBS = @OPTIONAL_DL_LIBS@ OPTIONAL_LZ4_CFLAGS = @OPTIONAL_LZ4_CFLAGS@ OPTIONAL_LZ4_LIBS = @OPTIONAL_LZ4_LIBS@ OPTIONAL_LZO_CFLAGS = @OPTIONAL_LZO_CFLAGS@ OPTIONAL_LZO_LIBS = @OPTIONAL_LZO_LIBS@ OPTIONAL_PKCS11_HELPER_CFLAGS = @OPTIONAL_PKCS11_HELPER_CFLAGS@ OPTIONAL_PKCS11_HELPER_LIBS = @OPTIONAL_PKCS11_HELPER_LIBS@ OPTIONAL_SELINUX_LIBS = @OPTIONAL_SELINUX_LIBS@ OPTIONAL_SYSTEMD_LIBS = @OPTIONAL_SYSTEMD_LIBS@ OTOOL = @OTOOL@ OTOOL64 = @OTOOL64@ P11KIT_CFLAGS = @P11KIT_CFLAGS@ P11KIT_LIBS = @P11KIT_LIBS@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PKCS11_HELPER_CFLAGS = @PKCS11_HELPER_CFLAGS@ PKCS11_HELPER_LIBS = @PKCS11_HELPER_LIBS@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGINDIR = @PLUGINDIR@ PLUGIN_AUTH_PAM_CFLAGS = @PLUGIN_AUTH_PAM_CFLAGS@ PLUGIN_AUTH_PAM_LIBS = @PLUGIN_AUTH_PAM_LIBS@ RANLIB = @RANLIB@ RC = @RC@ ROUTE = @ROUTE@ SED = @SED@ SELINUX_LIBS = @SELINUX_LIBS@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ SOCKETS_LIBS = @SOCKETS_LIBS@ STRIP = @STRIP@ SYSTEMD_ASK_PASSWORD = @SYSTEMD_ASK_PASSWORD@ SYSTEMD_UNIT_DIR = @SYSTEMD_UNIT_DIR@ TAP_CFLAGS = @TAP_CFLAGS@ TAP_WIN_COMPONENT_ID = @TAP_WIN_COMPONENT_ID@ TAP_WIN_MIN_MAJOR = @TAP_WIN_MIN_MAJOR@ TAP_WIN_MIN_MINOR = @TAP_WIN_MIN_MINOR@ TEST_CFLAGS = @TEST_CFLAGS@ TEST_LDFLAGS = @TEST_LDFLAGS@ TMPFILES_DIR = @TMPFILES_DIR@ VENDOR_BUILD_ROOT = @VENDOR_BUILD_ROOT@ VENDOR_DIST_ROOT = @VENDOR_DIST_ROOT@ VENDOR_SRC_ROOT = @VENDOR_SRC_ROOT@ VERSION = @VERSION@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ ac_ct_AR = @ac_ct_AR@ ac_ct_CC = @ac_ct_CC@ ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ am__include = @am__include@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ am__tar = @am__tar@ am__untar = @am__untar@ bindir = @bindir@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ datadir = @datadir@ datarootdir = @datarootdir@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ host_os = @host_os@ host_vendor = @host_vendor@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ libdir = @libdir@ libexecdir = @libexecdir@ libsystemd_CFLAGS = @libsystemd_CFLAGS@ libsystemd_LIBS = @libsystemd_LIBS@ localedir = @localedir@ localstatedir = @localstatedir@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ pdfdir = @pdfdir@ plugindir = @plugindir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ sampledir = @sampledir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ systemdunitdir = @systemdunitdir@ target_alias = @target_alias@ tmpfilesdir = @tmpfilesdir@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ MAINTAINERCLEANFILES = \ $(srcdir)/Makefile.in SUBDIRS = msvc-generate all: all-recursive .SUFFIXES: $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) @for dep in $?; do \ case '$(am__configure_deps)' in \ *$$dep*) \ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ && { if test -f $@; then exit 0; else break; fi; }; \ exit 1;; \ esac; \ done; \ echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign build/msvc/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --foreign build/msvc/Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ *) \ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(top_srcdir)/configure: $(am__configure_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(ACLOCAL_M4): $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(am__aclocal_m4_deps): mostlyclean-libtool: -rm -f *.lo clean-libtool: -rm -rf .libs _libs # This directory's subdirectories are mostly independent; you can cd # into them and run 'make' without going through this Makefile. # To change the values of 'make' variables: instead of editing Makefiles, # (1) if the variable is set in 'config.status', edit 'config.status' # (which will cause the Makefiles to be regenerated when you run 'make'); # (2) otherwise, pass the desired values on the 'make' command line. $(am__recursive_targets): @fail=; \ if $(am__make_keepgoing); then \ failcom='fail=yes'; \ else \ failcom='exit 1'; \ fi; \ dot_seen=no; \ target=`echo $@ | sed s/-recursive//`; \ case "$@" in \ distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \ *) list='$(SUBDIRS)' ;; \ esac; \ for subdir in $$list; do \ echo "Making $$target in $$subdir"; \ if test "$$subdir" = "."; then \ dot_seen=yes; \ local_target="$$target-am"; \ else \ local_target="$$target"; \ fi; \ ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ || eval $$failcom; \ done; \ if test "$$dot_seen" = "no"; then \ $(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \ fi; test -z "$$fail" ID: $(am__tagged_files) $(am__define_uniq_tagged_files); mkid -fID $$unique tags: tags-recursive TAGS: tags tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) set x; \ here=`pwd`; \ if ($(ETAGS) --etags-include --version) >/dev/null 2>&1; then \ include_option=--etags-include; \ empty_fix=.; \ else \ include_option=--include; \ empty_fix=; \ fi; \ list='$(SUBDIRS)'; for subdir in $$list; do \ if test "$$subdir" = .; then :; else \ test ! -f $$subdir/TAGS || \ set "$$@" "$$include_option=$$here/$$subdir/TAGS"; \ fi; \ done; \ $(am__define_uniq_tagged_files); \ shift; \ if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ test -n "$$unique" || unique=$$empty_fix; \ if test $$# -gt 0; then \ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ "$$@" $$unique; \ else \ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ $$unique; \ fi; \ fi ctags: ctags-recursive CTAGS: ctags ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) $(am__define_uniq_tagged_files); \ test -z "$(CTAGS_ARGS)$$unique" \ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ $$unique GTAGS: here=`$(am__cd) $(top_builddir) && pwd` \ && $(am__cd) $(top_srcdir) \ && gtags -i $(GTAGS_ARGS) "$$here" cscopelist: cscopelist-recursive cscopelist-am: $(am__tagged_files) list='$(am__tagged_files)'; \ case "$(srcdir)" in \ [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \ *) sdir=$(subdir)/$(srcdir) ;; \ esac; \ for i in $$list; do \ if test -f "$$i"; then \ echo "$(subdir)/$$i"; \ else \ echo "$$sdir/$$i"; \ fi; \ done >> $(top_builddir)/cscope.files distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags distdir: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ dist_files=`for file in $$list; do echo $$file; done | \ sed -e "s|^$$srcdirstrip/||;t" \ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ case $$dist_files in \ */*) $(MKDIR_P) `echo "$$dist_files" | \ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ sort -u` ;; \ esac; \ for file in $$dist_files; do \ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ if test -d $$d/$$file; then \ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ if test -d "$(distdir)/$$file"; then \ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ else \ test -f "$(distdir)/$$file" \ || cp -p $$d/$$file "$(distdir)/$$file" \ || exit 1; \ fi; \ done @list='$(DIST_SUBDIRS)'; for subdir in $$list; do \ if test "$$subdir" = .; then :; else \ $(am__make_dryrun) \ || test -d "$(distdir)/$$subdir" \ || $(MKDIR_P) "$(distdir)/$$subdir" \ || exit 1; \ dir1=$$subdir; dir2="$(distdir)/$$subdir"; \ $(am__relativize); \ new_distdir=$$reldir; \ dir1=$$subdir; dir2="$(top_distdir)"; \ $(am__relativize); \ new_top_distdir=$$reldir; \ echo " (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) top_distdir="$$new_top_distdir" distdir="$$new_distdir" \\"; \ echo " am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)"; \ ($(am__cd) $$subdir && \ $(MAKE) $(AM_MAKEFLAGS) \ top_distdir="$$new_top_distdir" \ distdir="$$new_distdir" \ am__remove_distdir=: \ am__skip_length_check=: \ am__skip_mode_fix=: \ distdir) \ || exit 1; \ fi; \ done check-am: all-am check: check-recursive all-am: Makefile installdirs: installdirs-recursive installdirs-am: install: install-recursive install-exec: install-exec-recursive install-data: install-data-recursive uninstall: uninstall-recursive install-am: all-am @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am installcheck: installcheck-recursive install-strip: if test -z '$(STRIP)'; then \ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ install; \ else \ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ fi mostlyclean-generic: clean-generic: distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @echo "it deletes files that may require special tools to rebuild." -test -z "$(MAINTAINERCLEANFILES)" || rm -f $(MAINTAINERCLEANFILES) clean: clean-recursive clean-am: clean-generic clean-libtool mostlyclean-am distclean: distclean-recursive -rm -f Makefile distclean-am: clean-am distclean-generic distclean-tags dvi: dvi-recursive dvi-am: html: html-recursive html-am: info: info-recursive info-am: install-data-am: install-dvi: install-dvi-recursive install-dvi-am: install-exec-am: install-html: install-html-recursive install-html-am: install-info: install-info-recursive install-info-am: install-man: install-pdf: install-pdf-recursive install-pdf-am: install-ps: install-ps-recursive install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-recursive -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic mostlyclean: mostlyclean-recursive mostlyclean-am: mostlyclean-generic mostlyclean-libtool pdf: pdf-recursive pdf-am: ps: ps-recursive ps-am: uninstall-am: .MAKE: $(am__recursive_targets) install-am install-strip .PHONY: $(am__recursive_targets) CTAGS GTAGS TAGS all all-am check \ check-am clean clean-generic clean-libtool cscopelist-am ctags \ ctags-am distclean distclean-generic distclean-libtool \ distclean-tags distdir dvi dvi-am html html-am info info-am \ install install-am install-data install-data-am install-dvi \ install-dvi-am install-exec install-exec-am install-html \ install-html-am install-info install-info-am install-man \ install-pdf install-pdf-am install-ps install-ps-am \ install-strip installcheck installcheck-am installdirs \ installdirs-am maintainer-clean maintainer-clean-generic \ mostlyclean mostlyclean-generic mostlyclean-libtool pdf pdf-am \ ps ps-am tags tags-am uninstall uninstall-am # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: openvpn-2.4.4/build/msvc/msvc-generate/000077500000000000000000000000001316434344000200175ustar00rootroot00000000000000openvpn-2.4.4/build/msvc/msvc-generate/Makefile.am000066400000000000000000000010501316434344000220470ustar00rootroot00000000000000# # OpenVPN -- An application to securely tunnel IP networks # over a single UDP port, with support for SSL/TLS-based # session authentication and key exchange, # packet encryption, packet authentication, and # packet compression. # # Copyright (C) 2002-2017 OpenVPN Technologies, Inc. # Copyright (C) 2006-2012 Alon Bar-Lev # MAINTAINERCLEANFILES = \ $(srcdir)/Makefile.in dist_noinst_DATA = \ msvc-generate.vcxproj \ Makefile.mak \ msvc-generate.js openvpn-2.4.4/build/msvc/msvc-generate/Makefile.in000066400000000000000000000347001316434344000220700ustar00rootroot00000000000000# Makefile.in generated by automake 1.14.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2013 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY, to the extent permitted by law; without # even the implied warranty of MERCHANTABILITY or FITNESS FOR A # PARTICULAR PURPOSE. @SET_MAKE@ # # OpenVPN -- An application to securely tunnel IP networks # over a single UDP port, with support for SSL/TLS-based # session authentication and key exchange, # packet encryption, packet authentication, and # packet compression. # # Copyright (C) 2002-2017 OpenVPN Technologies, Inc. # Copyright (C) 2006-2012 Alon Bar-Lev # VPATH = @srcdir@ am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ *) echo "am__make_running_with_option: internal error: invalid" \ "target option '$${target_option-}' specified" >&2; \ exit 1;; \ esac; \ has_opt=no; \ sane_makeflags=$$MAKEFLAGS; \ if $(am__is_gnu_make); then \ sane_makeflags=$$MFLAGS; \ else \ case $$MAKEFLAGS in \ *\\[\ \ ]*) \ bs=\\; \ sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ esac; \ fi; \ skip_next=no; \ strip_trailopt () \ { \ flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ }; \ for flg in $$sane_makeflags; do \ test $$skip_next = yes && { skip_next=no; continue; }; \ case $$flg in \ *=*|--*) continue;; \ -*I) strip_trailopt 'I'; skip_next=yes;; \ -*I?*) strip_trailopt 'I';; \ -*O) strip_trailopt 'O'; skip_next=yes;; \ -*O?*) strip_trailopt 'O';; \ -*l) strip_trailopt 'l'; skip_next=yes;; \ -*l?*) strip_trailopt 'l';; \ -[dEDm]) skip_next=yes;; \ -[JT]) skip_next=yes;; \ esac; \ case $$flg in \ *$$target_option*) has_opt=yes; break;; \ esac; \ done; \ test $$has_opt = yes am__make_dryrun = (target_option=n; $(am__make_running_with_option)) am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) pkgdatadir = $(datadir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ pkglibdir = $(libdir)/@PACKAGE@ pkglibexecdir = $(libexecdir)/@PACKAGE@ am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c install_sh_SCRIPT = $(install_sh) -c INSTALL_HEADER = $(INSTALL_DATA) transform = $(program_transform_name) NORMAL_INSTALL = : PRE_INSTALL = : POST_INSTALL = : NORMAL_UNINSTALL = : PRE_UNINSTALL = : POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = build/msvc/msvc-generate DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ $(dist_noinst_DATA) ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/ax_emptyarray.m4 \ $(top_srcdir)/m4/ax_socklen_t.m4 \ $(top_srcdir)/m4/ax_varargs.m4 $(top_srcdir)/m4/libtool.m4 \ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ $(top_srcdir)/m4/pkg.m4 $(top_srcdir)/version.m4 \ $(top_srcdir)/compat.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h \ $(top_builddir)/include/openvpn-plugin.h CONFIG_CLEAN_FILES = CONFIG_CLEAN_VPATH_FILES = AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false am__v_P_1 = : AM_V_GEN = $(am__v_GEN_@AM_V@) am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) am__v_GEN_0 = @echo " GEN " $@; am__v_GEN_1 = AM_V_at = $(am__v_at_@AM_V@) am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) am__v_at_0 = @ am__v_at_1 = SOURCES = DIST_SOURCES = am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ *) (install-info --version) >/dev/null 2>&1;; \ esac DATA = $(dist_noinst_DATA) am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ AS = @AS@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ CMAKE = @CMAKE@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ DL_LIBS = @DL_LIBS@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ GIT = @GIT@ GREP = @GREP@ IFCONFIG = @IFCONFIG@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ IPROUTE = @IPROUTE@ LD = @LD@ LDFLAGS = @LDFLAGS@ LIBOBJS = @LIBOBJS@ LIBPAM_CFLAGS = @LIBPAM_CFLAGS@ LIBPAM_LIBS = @LIBPAM_LIBS@ LIBS = @LIBS@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ LZ4_CFLAGS = @LZ4_CFLAGS@ LZ4_LIBS = @LZ4_LIBS@ LZO_CFLAGS = @LZO_CFLAGS@ LZO_LIBS = @LZO_LIBS@ MAKEINFO = @MAKEINFO@ MAN2HTML = @MAN2HTML@ MANIFEST_TOOL = @MANIFEST_TOOL@ MBEDTLS_CFLAGS = @MBEDTLS_CFLAGS@ MBEDTLS_LIBS = @MBEDTLS_LIBS@ MKDIR_P = @MKDIR_P@ NETSTAT = @NETSTAT@ NM = @NM@ NMEDIT = @NMEDIT@ OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ OPENSSL_CFLAGS = @OPENSSL_CFLAGS@ OPENSSL_LIBS = @OPENSSL_LIBS@ OPENVPN_VERSION_MAJOR = @OPENVPN_VERSION_MAJOR@ OPENVPN_VERSION_MINOR = @OPENVPN_VERSION_MINOR@ OPENVPN_VERSION_PATCH = @OPENVPN_VERSION_PATCH@ OPTIONAL_CRYPTO_CFLAGS = @OPTIONAL_CRYPTO_CFLAGS@ OPTIONAL_CRYPTO_LIBS = @OPTIONAL_CRYPTO_LIBS@ OPTIONAL_DL_LIBS = @OPTIONAL_DL_LIBS@ OPTIONAL_LZ4_CFLAGS = @OPTIONAL_LZ4_CFLAGS@ OPTIONAL_LZ4_LIBS = @OPTIONAL_LZ4_LIBS@ OPTIONAL_LZO_CFLAGS = @OPTIONAL_LZO_CFLAGS@ OPTIONAL_LZO_LIBS = @OPTIONAL_LZO_LIBS@ OPTIONAL_PKCS11_HELPER_CFLAGS = @OPTIONAL_PKCS11_HELPER_CFLAGS@ OPTIONAL_PKCS11_HELPER_LIBS = @OPTIONAL_PKCS11_HELPER_LIBS@ OPTIONAL_SELINUX_LIBS = @OPTIONAL_SELINUX_LIBS@ OPTIONAL_SYSTEMD_LIBS = @OPTIONAL_SYSTEMD_LIBS@ OTOOL = @OTOOL@ OTOOL64 = @OTOOL64@ P11KIT_CFLAGS = @P11KIT_CFLAGS@ P11KIT_LIBS = @P11KIT_LIBS@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PKCS11_HELPER_CFLAGS = @PKCS11_HELPER_CFLAGS@ PKCS11_HELPER_LIBS = @PKCS11_HELPER_LIBS@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGINDIR = @PLUGINDIR@ PLUGIN_AUTH_PAM_CFLAGS = @PLUGIN_AUTH_PAM_CFLAGS@ PLUGIN_AUTH_PAM_LIBS = @PLUGIN_AUTH_PAM_LIBS@ RANLIB = @RANLIB@ RC = @RC@ ROUTE = @ROUTE@ SED = @SED@ SELINUX_LIBS = @SELINUX_LIBS@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ SOCKETS_LIBS = @SOCKETS_LIBS@ STRIP = @STRIP@ SYSTEMD_ASK_PASSWORD = @SYSTEMD_ASK_PASSWORD@ SYSTEMD_UNIT_DIR = @SYSTEMD_UNIT_DIR@ TAP_CFLAGS = @TAP_CFLAGS@ TAP_WIN_COMPONENT_ID = @TAP_WIN_COMPONENT_ID@ TAP_WIN_MIN_MAJOR = @TAP_WIN_MIN_MAJOR@ TAP_WIN_MIN_MINOR = @TAP_WIN_MIN_MINOR@ TEST_CFLAGS = @TEST_CFLAGS@ TEST_LDFLAGS = @TEST_LDFLAGS@ TMPFILES_DIR = @TMPFILES_DIR@ VENDOR_BUILD_ROOT = @VENDOR_BUILD_ROOT@ VENDOR_DIST_ROOT = @VENDOR_DIST_ROOT@ VENDOR_SRC_ROOT = @VENDOR_SRC_ROOT@ VERSION = @VERSION@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ ac_ct_AR = @ac_ct_AR@ ac_ct_CC = @ac_ct_CC@ ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ am__include = @am__include@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ am__tar = @am__tar@ am__untar = @am__untar@ bindir = @bindir@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ datadir = @datadir@ datarootdir = @datarootdir@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ host_os = @host_os@ host_vendor = @host_vendor@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ libdir = @libdir@ libexecdir = @libexecdir@ libsystemd_CFLAGS = @libsystemd_CFLAGS@ libsystemd_LIBS = @libsystemd_LIBS@ localedir = @localedir@ localstatedir = @localstatedir@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ pdfdir = @pdfdir@ plugindir = @plugindir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ sampledir = @sampledir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ systemdunitdir = @systemdunitdir@ target_alias = @target_alias@ tmpfilesdir = @tmpfilesdir@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ MAINTAINERCLEANFILES = \ $(srcdir)/Makefile.in dist_noinst_DATA = \ msvc-generate.vcxproj \ Makefile.mak \ msvc-generate.js all: all-am .SUFFIXES: $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) @for dep in $?; do \ case '$(am__configure_deps)' in \ *$$dep*) \ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ && { if test -f $@; then exit 0; else break; fi; }; \ exit 1;; \ esac; \ done; \ echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign build/msvc/msvc-generate/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --foreign build/msvc/msvc-generate/Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ *) \ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(top_srcdir)/configure: $(am__configure_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(ACLOCAL_M4): $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(am__aclocal_m4_deps): mostlyclean-libtool: -rm -f *.lo clean-libtool: -rm -rf .libs _libs tags TAGS: ctags CTAGS: cscope cscopelist: distdir: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ dist_files=`for file in $$list; do echo $$file; done | \ sed -e "s|^$$srcdirstrip/||;t" \ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ case $$dist_files in \ */*) $(MKDIR_P) `echo "$$dist_files" | \ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ sort -u` ;; \ esac; \ for file in $$dist_files; do \ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ if test -d $$d/$$file; then \ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ if test -d "$(distdir)/$$file"; then \ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ else \ test -f "$(distdir)/$$file" \ || cp -p $$d/$$file "$(distdir)/$$file" \ || exit 1; \ fi; \ done check-am: all-am check: check-am all-am: Makefile $(DATA) installdirs: install: install-am install-exec: install-exec-am install-data: install-data-am uninstall: uninstall-am install-am: all-am @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am installcheck: installcheck-am install-strip: if test -z '$(STRIP)'; then \ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ install; \ else \ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ fi mostlyclean-generic: clean-generic: distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @echo "it deletes files that may require special tools to rebuild." -test -z "$(MAINTAINERCLEANFILES)" || rm -f $(MAINTAINERCLEANFILES) clean: clean-am clean-am: clean-generic clean-libtool mostlyclean-am distclean: distclean-am -rm -f Makefile distclean-am: clean-am distclean-generic dvi: dvi-am dvi-am: html: html-am html-am: info: info-am info-am: install-data-am: install-dvi: install-dvi-am install-dvi-am: install-exec-am: install-html: install-html-am install-html-am: install-info: install-info-am install-info-am: install-man: install-pdf: install-pdf-am install-pdf-am: install-ps: install-ps-am install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-am -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic mostlyclean: mostlyclean-am mostlyclean-am: mostlyclean-generic mostlyclean-libtool pdf: pdf-am pdf-am: ps: ps-am ps-am: uninstall-am: .MAKE: install-am install-strip .PHONY: all all-am check check-am clean clean-generic clean-libtool \ cscopelist-am ctags-am distclean distclean-generic \ distclean-libtool distdir dvi dvi-am html html-am info info-am \ install install-am install-data install-data-am install-dvi \ install-dvi-am install-exec install-exec-am install-html \ install-html-am install-info install-info-am install-man \ install-pdf install-pdf-am install-ps install-ps-am \ install-strip installcheck installcheck-am installdirs \ maintainer-clean maintainer-clean-generic mostlyclean \ mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ tags-am uninstall uninstall-am # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: openvpn-2.4.4/build/msvc/msvc-generate/Makefile.mak000066400000000000000000000020101316434344000222170ustar00rootroot00000000000000# Copyright (C) 2008-2012 Alon Bar-Lev CONFIG=$(SOURCEBASE)/version.m4 INPUT_MSVC_VER=$(SOURCEBASE)/config-msvc-version.h.in OUTPUT_MSVC_VER=$(SOURCEBASE)/config-msvc-version.h INPUT_PLUGIN=$(SOURCEBASE)/include/openvpn-plugin.h.in OUTPUT_PLUGIN=$(SOURCEBASE)/include/openvpn-plugin.h INPUT_PLUGIN_CONFIG=version.m4.in OUTPUT_PLUGIN_CONFIG=version.m4 all: $(OUTPUT_MSVC_VER) $(OUTPUT_PLUGIN) $(OUTPUT_MSVC_VER): $(INPUT_MSVC_VER) $(CONFIG) cscript //nologo msvc-generate.js --config="$(CONFIG)" --input="$(INPUT_MSVC_VER)" --output="$(OUTPUT_MSVC_VER)" $(OUTPUT_PLUGIN_CONFIG): $(INPUT_PLUGIN_CONFIG) cscript //nologo msvc-generate.js --config="$(CONFIG)" --input="$(INPUT_PLUGIN_CONFIG)" --output="$(OUTPUT_PLUGIN_CONFIG)" $(OUTPUT_PLUGIN): $(INPUT_PLUGIN) $(OUTPUT_PLUGIN_CONFIG) cscript //nologo msvc-generate.js --config="$(OUTPUT_PLUGIN_CONFIG)" --input="$(INPUT_PLUGIN)" --output="$(OUTPUT_PLUGIN)" clean: -del "$(OUTPUT_MSVC_VER)" -del "$(OUTPUT_PLUGIN)" -del "$(OUTPUT_PLUGIN_CONFIG)" openvpn-2.4.4/build/msvc/msvc-generate/msvc-generate.js000066400000000000000000000063631316434344000231250ustar00rootroot00000000000000/* * msvc-generate.js - string transformation * * Copyright (C) 2008-2012 Alon Bar-Lev * * BSD License * ============ * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: * * o Redistributions of source code must retain the above copyright notice, * this list of conditions and the following disclaimer. * o Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * o Neither the name of the Alon Bar-Lev nor the names of its * contributors may be used to endorse or promote products derived from * this software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE * POSSIBILITY OF SUCH DAMAGE. * */ var ForReading = 1; var fso = new ActiveXObject("Scripting.FileSystemObject"); var input = "nul"; var output = "nul"; var files = new Array(); var env = new Array(); function initialize() { for (var i=0;i Debug Win32 Release Win32 {8598C2C8-34C4-47A1-99B0-7C295A890615} msvc-generate MakeFileProj Makefile Makefile <_ProjectFileVersion>10.0.30319.1 $(Configuration)\ $(Configuration)\ nmake -f Makefile.mak all nmake -f Makefile.mak clean all nmake -f Makefile.mak clean config-msvc-version.h WIN32;_DEBUG;$(NMakePreprocessorDefinitions) $(NMakeIncludeSearchPath) $(NMakeForcedIncludes) $(NMakeAssemblySearchPath) $(NMakeForcedUsingAssemblies) $(Configuration)\ $(Configuration)\ nmake -f Makefile.mak all nmake -f Makefile.mak clean all nmake -f Makefile.mak clean config-msvc-version.h WIN32;NDEBUG;$(NMakePreprocessorDefinitions) $(NMakeIncludeSearchPath) $(NMakeForcedIncludes) $(NMakeAssemblySearchPath) $(NMakeForcedUsingAssemblies) openvpn-2.4.4/compat.m4000066400000000000000000000042231316434344000147360ustar00rootroot00000000000000dnl OpenVPN -- An application to securely tunnel IP networks dnl over a single UDP port, with support for SSL/TLS-based dnl session authentication and key exchange, dnl packet encryption, packet authentication, and dnl packet compression. dnl dnl Copyright (C) 2008-2012 Alon Bar-Lev dnl dnl This program is free software; you can redistribute it and/or modify dnl it under the terms of the GNU General Public License as published by dnl the Free Software Foundation; either version 2 of the License, or dnl (at your option) any later version. dnl dnl This program is distributed in the hope that it will be useful, dnl but WITHOUT ANY WARRANTY; without even the implied warranty of dnl MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the dnl GNU General Public License for more details. dnl dnl You should have received a copy of the GNU General Public License along dnl with this program; if not, write to the Free Software Foundation, Inc., dnl 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. dnl Compatibility layer for . # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2, or (at your option) # any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see . # As a special exception to the GNU General Public License, if you # distribute this file as part of a program that contains a # configuration script generated by Autoconf, you may include it under # the same distribution terms that you use for the rest of that program. # This file is maintained in Automake, please report # bugs to or send patches to # . nl=' ' # We need space, tab and new line, in precisely that order. Quoting is # there to prevent tools from complaining about whitespace usage. IFS=" "" $nl" file_conv= # func_file_conv build_file lazy # Convert a $build file to $host form and store it in $file # Currently only supports Windows hosts. If the determined conversion # type is listed in (the comma separated) LAZY, no conversion will # take place. func_file_conv () { file=$1 case $file in / | /[!/]*) # absolute file, and not a UNC file if test -z "$file_conv"; then # lazily determine how to convert abs files case `uname -s` in MINGW*) file_conv=mingw ;; CYGWIN*) file_conv=cygwin ;; *) file_conv=wine ;; esac fi case $file_conv/,$2, in *,$file_conv,*) ;; mingw/*) file=`cmd //C echo "$file " | sed -e 's/"\(.*\) " *$/\1/'` ;; cygwin/*) file=`cygpath -m "$file" || echo "$file"` ;; wine/*) file=`winepath -w "$file" || echo "$file"` ;; esac ;; esac } # func_cl_dashL linkdir # Make cl look for libraries in LINKDIR func_cl_dashL () { func_file_conv "$1" if test -z "$lib_path"; then lib_path=$file else lib_path="$lib_path;$file" fi linker_opts="$linker_opts -LIBPATH:$file" } # func_cl_dashl library # Do a library search-path lookup for cl func_cl_dashl () { lib=$1 found=no save_IFS=$IFS IFS=';' for dir in $lib_path $LIB do IFS=$save_IFS if $shared && test -f "$dir/$lib.dll.lib"; then found=yes lib=$dir/$lib.dll.lib break fi if test -f "$dir/$lib.lib"; then found=yes lib=$dir/$lib.lib break fi if test -f "$dir/lib$lib.a"; then found=yes lib=$dir/lib$lib.a break fi done IFS=$save_IFS if test "$found" != yes; then lib=$lib.lib fi } # func_cl_wrapper cl arg... # Adjust compile command to suit cl func_cl_wrapper () { # Assume a capable shell lib_path= shared=: linker_opts= for arg do if test -n "$eat"; then eat= else case $1 in -o) # configure might choose to run compile as 'compile cc -o foo foo.c'. eat=1 case $2 in *.o | *.[oO][bB][jJ]) func_file_conv "$2" set x "$@" -Fo"$file" shift ;; *) func_file_conv "$2" set x "$@" -Fe"$file" shift ;; esac ;; -I) eat=1 func_file_conv "$2" mingw set x "$@" -I"$file" shift ;; -I*) func_file_conv "${1#-I}" mingw set x "$@" -I"$file" shift ;; -l) eat=1 func_cl_dashl "$2" set x "$@" "$lib" shift ;; -l*) func_cl_dashl "${1#-l}" set x "$@" "$lib" shift ;; -L) eat=1 func_cl_dashL "$2" ;; -L*) func_cl_dashL "${1#-L}" ;; -static) shared=false ;; -Wl,*) arg=${1#-Wl,} save_ifs="$IFS"; IFS=',' for flag in $arg; do IFS="$save_ifs" linker_opts="$linker_opts $flag" done IFS="$save_ifs" ;; -Xlinker) eat=1 linker_opts="$linker_opts $2" ;; -*) set x "$@" "$1" shift ;; *.cc | *.CC | *.cxx | *.CXX | *.[cC]++) func_file_conv "$1" set x "$@" -Tp"$file" shift ;; *.c | *.cpp | *.CPP | *.lib | *.LIB | *.Lib | *.OBJ | *.obj | *.[oO]) func_file_conv "$1" mingw set x "$@" "$file" shift ;; *) set x "$@" "$1" shift ;; esac fi shift done if test -n "$linker_opts"; then linker_opts="-link$linker_opts" fi exec "$@" $linker_opts exit 1 } eat= case $1 in '') echo "$0: No command. Try '$0 --help' for more information." 1>&2 exit 1; ;; -h | --h*) cat <<\EOF Usage: compile [--help] [--version] PROGRAM [ARGS] Wrapper for compilers which do not understand '-c -o'. Remove '-o dest.o' from ARGS, run PROGRAM with the remaining arguments, and rename the output as expected. If you are trying to build a whole package this is not the right script to run: please start by reading the file 'INSTALL'. Report bugs to . EOF exit $? ;; -v | --v*) echo "compile $scriptversion" exit $? ;; cl | *[/\\]cl | cl.exe | *[/\\]cl.exe ) func_cl_wrapper "$@" # Doesn't return... ;; esac ofile= cfile= for arg do if test -n "$eat"; then eat= else case $1 in -o) # configure might choose to run compile as 'compile cc -o foo foo.c'. # So we strip '-o arg' only if arg is an object. eat=1 case $2 in *.o | *.obj) ofile=$2 ;; *) set x "$@" -o "$2" shift ;; esac ;; *.c) cfile=$1 set x "$@" "$1" shift ;; *) set x "$@" "$1" shift ;; esac fi shift done if test -z "$ofile" || test -z "$cfile"; then # If no '-o' option was seen then we might have been invoked from a # pattern rule where we don't need one. That is ok -- this is a # normal compilation that the losing compiler can handle. If no # '.c' file was seen then we are probably linking. That is also # ok. exec "$@" fi # Name of file we expect compiler to create. cofile=`echo "$cfile" | sed 's|^.*[\\/]||; s|^[a-zA-Z]:||; s/\.c$/.o/'` # Create the lock directory. # Note: use '[/\\:.-]' here to ensure that we don't use the same name # that we are using for the .o file. Also, base the name on the expected # object file name, since that is what matters with a parallel build. lockdir=`echo "$cofile" | sed -e 's|[/\\:.-]|_|g'`.d while true; do if mkdir "$lockdir" >/dev/null 2>&1; then break fi sleep 1 done # FIXME: race condition here if user kills between mkdir and trap. trap "rmdir '$lockdir'; exit 1" 1 2 15 # Run the compile. "$@" ret=$? if test -f "$cofile"; then test "$cofile" = "$ofile" || mv "$cofile" "$ofile" elif test -f "${cofile}bj"; then test "${cofile}bj" = "$ofile" || mv "${cofile}bj" "$ofile" fi rmdir "$lockdir" exit $ret # Local Variables: # mode: shell-script # sh-indentation: 2 # eval: (add-hook 'write-file-hooks 'time-stamp) # time-stamp-start: "scriptversion=" # time-stamp-format: "%:y-%02m-%02d.%02H" # time-stamp-time-zone: "UTC" # time-stamp-end: "; # UTC" # End: openvpn-2.4.4/config-msvc-version.h.in000066400000000000000000000015471316434344000176730ustar00rootroot00000000000000#define PACKAGE_NAME "@PRODUCT_NAME@" #define PACKAGE_STRING "@PRODUCT_NAME@ @PRODUCT_VERSION_MAJOR@.@PRODUCT_VERSION_MINOR@@PRODUCT_VERSION_PATCH@" #define PACKAGE_TARNAME "@PRODUCT_TARNAME@" #define PACKAGE "@PRODUCT_TARNAME@" #define PRODUCT_VERSION_MAJOR "@PRODUCT_VERSION_MAJOR@" #define PRODUCT_VERSION_MINOR "@PRODUCT_VERSION_MINOR@" #define PRODUCT_VERSION_PATCH "@PRODUCT_VERSION_PATCH@" #define PACKAGE_VERSION "@PRODUCT_VERSION_MAJOR@.@PRODUCT_VERSION_MINOR@.@PRODUCT_VERSION_PATCH@" #define PRODUCT_VERSION "@PRODUCT_VERSION_MAJOR@.@PRODUCT_VERSION_MINOR@.@PRODUCT_VERSION_PATCH@" #define PRODUCT_BUGREPORT "@PRODUCT_BUGREPORT@" #define OPENVPN_VERSION_RESOURCE @PRODUCT_VERSION_RESOURCE@ #define TAP_WIN_COMPONENT_ID "@PRODUCT_TAP_WIN_COMPONENT_ID@" #define TAP_WIN_MIN_MAJOR @PRODUCT_TAP_WIN_MIN_MAJOR@ #define TAP_WIN_MIN_MINOR @PRODUCT_TAP_WIN_MIN_MINOR@ openvpn-2.4.4/config-msvc.h000066400000000000000000000055741316434344000156070ustar00rootroot00000000000000#include #define CONFIGURE_DEFINES "N/A" #define ENABLE_DEF_AUTH 1 #define ENABLE_PF 1 #define ENABLE_CRYPTO 1 #define ENABLE_CRYPTO_OPENSSL 1 #define ENABLE_DEBUG 1 #define ENABLE_EUREPHIA 1 #define ENABLE_FRAGMENT 1 #define ENABLE_HTTP_PROXY 1 #define ENABLE_LZO 1 #define ENABLE_LZ4 1 #define NEED_COMPAT_LZ4 1 #define ENABLE_MANAGEMENT 1 #define ENABLE_MULTIHOME 1 #define ENABLE_PKCS11 1 #define ENABLE_PLUGIN 1 #define ENABLE_PORT_SHARE 1 #define ENABLE_SOCKS 1 #define HAVE_ERRNO_H 1 #define HAVE_FCNTL_H 1 #define HAVE_CTYPE_H 1 #define HAVE_STDARG_H 1 #define HAVE_STDIO_H 1 #define HAVE_STDLIB_H 1 #define HAVE_STRDUP 1 #define HAVE_STRERROR 1 #define HAVE_STRINGS_H 1 #define HAVE_STRING_H 1 #define HAVE_LIMITS_H 1 #define HAVE_SYSTEM 1 #define HAVE_TIME 1 #define HAVE_TIME_H 1 #define HAVE_UNLINK 1 #define HAVE_VSNPRINTF 1 #define HAVE_WINDOWS_H 1 #define HAVE_WINSOCK2_H 1 #define HAVE_WS2TCPIP_H 1 #define HAVE_IO_H 1 #define HAVE_DIRECT_H 1 #define HAVE_SYS_TYPES_H 1 #define HAVE_SYS_STAT_H 1 #define HAVE_LZO_LZO1X_H 1 #define HAVE_LZO_LZOUTIL_H 1 #define HAVE_VERSIONHELPERS_H 1 #define HAVE_ACCESS 1 #define HAVE_CHDIR 1 #define HAVE_CHSIZE 1 #define HAVE_CPP_VARARG_MACRO_ISO 1 #define HAVE_CTIME 1 #define HAVE_EVP_CIPHER_CTX_SET_KEY_LENGTH 1 #define HAVE_IN_PKTINFO 1 #define HAVE_MEMSET 1 #define HAVE_PUTENV 1 #define HAVE_STAT 1 #define HAVE_SOCKET 1 #define HAVE_RECV 1 #define HAVE_RECVFROM 1 #define HAVE_SEND 1 #define HAVE_SENDTO 1 #define HAVE_LISTEN 1 #define HAVE_ACCEPT 1 #define HAVE_CONNECT 1 #define HAVE_BIND 1 #define HAVE_SELECT 1 #define HAVE_GETHOSTBYNAME 1 #define HAVE_INET_NTOA 1 #define HAVE_SETSOCKOPT 1 #define HAVE_GETSOCKOPT 1 #define HAVE_GETSOCKNAME 1 #define HAVE_POLL 1 #define HAVE_OPENSSL_ENGINE 1 #define PATH_SEPARATOR '\\' #define PATH_SEPARATOR_STR "\\" #ifndef __cplusplus #define inline __inline #endif #define EMPTY_ARRAY_SIZE 0 #define TARGET_WIN32 1 #define TARGET_ALIAS "Windows-MSVC" #define HAVE_DECL_SO_MARK 0 #define strncasecmp strnicmp #define strcasecmp _stricmp #if _MSC_VER<1900 #define snprintf _snprintf #endif #if _MSC_VER < 1800 #define strtoull strtoul #endif #define in_addr_t uint32_t #define ssize_t SSIZE_T #define S_IRUSR 0 #define S_IWUSR 0 #define R_OK 4 #define W_OK 2 #define X_OK 1 #define F_OK 0 #define SIGHUP 1 #define SIGINT 2 #define SIGUSR1 10 #define SIGUSR2 12 #define SIGTERM 15 typedef unsigned __int64 uint64_t; typedef unsigned __int32 uint32_t; typedef unsigned __int16 uint16_t; typedef unsigned __int8 uint8_t; typedef __int64 int64_t; typedef __int32 int32_t; typedef __int16 int16_t; typedef __int8 int8_t; typedef uint16_t in_port_t; #ifdef HAVE_CONFIG_MSVC_LOCAL_H #include #endif /* Vista and above has implementation of inet_ntop / inet_pton */ #if _WIN32_WINNT >= _WIN32_WINNT_VISTA #define HAVE_INET_NTOP #define HAVE_INET_PTON #endif openvpn-2.4.4/config.guess000077500000000000000000001235501316434344000155360ustar00rootroot00000000000000#! /bin/sh # Attempt to guess a canonical system name. # Copyright 1992-2014 Free Software Foundation, Inc. timestamp='2014-03-23' # This file is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 3 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, but # WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU # General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, see . # # As a special exception to the GNU General Public License, if you # distribute this file as part of a program that contains a # configuration script generated by Autoconf, you may include it under # the same distribution terms that you use for the rest of that # program. This Exception is an additional permission under section 7 # of the GNU General Public License, version 3 ("GPLv3"). # # Originally written by Per Bothner. # # You can get the latest version of this script from: # http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess;hb=HEAD # # Please send patches with a ChangeLog entry to config-patches@gnu.org. me=`echo "$0" | sed -e 's,.*/,,'` usage="\ Usage: $0 [OPTION] Output the configuration name of the system \`$me' is run on. Operation modes: -h, --help print this help, then exit -t, --time-stamp print date of last modification, then exit -v, --version print version number, then exit Report bugs and patches to ." version="\ GNU config.guess ($timestamp) Originally written by Per Bothner. Copyright 1992-2014 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." help=" Try \`$me --help' for more information." # Parse command line while test $# -gt 0 ; do case $1 in --time-stamp | --time* | -t ) echo "$timestamp" ; exit ;; --version | -v ) echo "$version" ; exit ;; --help | --h* | -h ) echo "$usage"; exit ;; -- ) # Stop option processing shift; break ;; - ) # Use stdin as input. break ;; -* ) echo "$me: invalid option $1$help" >&2 exit 1 ;; * ) break ;; esac done if test $# != 0; then echo "$me: too many arguments$help" >&2 exit 1 fi trap 'exit 1' 1 2 15 # CC_FOR_BUILD -- compiler used by this script. Note that the use of a # compiler to aid in system detection is discouraged as it requires # temporary files to be created and, as you can see below, it is a # headache to deal with in a portable fashion. # Historically, `CC_FOR_BUILD' used to be named `HOST_CC'. We still # use `HOST_CC' if defined, but it is deprecated. # Portable tmp directory creation inspired by the Autoconf team. set_cc_for_build=' trap "exitcode=\$?; (rm -f \$tmpfiles 2>/dev/null; rmdir \$tmp 2>/dev/null) && exit \$exitcode" 0 ; trap "rm -f \$tmpfiles 2>/dev/null; rmdir \$tmp 2>/dev/null; exit 1" 1 2 13 15 ; : ${TMPDIR=/tmp} ; { tmp=`(umask 077 && mktemp -d "$TMPDIR/cgXXXXXX") 2>/dev/null` && test -n "$tmp" && test -d "$tmp" ; } || { test -n "$RANDOM" && tmp=$TMPDIR/cg$$-$RANDOM && (umask 077 && mkdir $tmp) ; } || { tmp=$TMPDIR/cg-$$ && (umask 077 && mkdir $tmp) && echo "Warning: creating insecure temp directory" >&2 ; } || { echo "$me: cannot create a temporary directory in $TMPDIR" >&2 ; exit 1 ; } ; dummy=$tmp/dummy ; tmpfiles="$dummy.c $dummy.o $dummy.rel $dummy" ; case $CC_FOR_BUILD,$HOST_CC,$CC in ,,) echo "int x;" > $dummy.c ; for c in cc gcc c89 c99 ; do if ($c -c -o $dummy.o $dummy.c) >/dev/null 2>&1 ; then CC_FOR_BUILD="$c"; break ; fi ; done ; if test x"$CC_FOR_BUILD" = x ; then CC_FOR_BUILD=no_compiler_found ; fi ;; ,,*) CC_FOR_BUILD=$CC ;; ,*,*) CC_FOR_BUILD=$HOST_CC ;; esac ; set_cc_for_build= ;' # This is needed to find uname on a Pyramid OSx when run in the BSD universe. # (ghazi@noc.rutgers.edu 1994-08-24) if (test -f /.attbin/uname) >/dev/null 2>&1 ; then PATH=$PATH:/.attbin ; export PATH fi UNAME_MACHINE=`(uname -m) 2>/dev/null` || UNAME_MACHINE=unknown UNAME_RELEASE=`(uname -r) 2>/dev/null` || UNAME_RELEASE=unknown UNAME_SYSTEM=`(uname -s) 2>/dev/null` || UNAME_SYSTEM=unknown UNAME_VERSION=`(uname -v) 2>/dev/null` || UNAME_VERSION=unknown case "${UNAME_SYSTEM}" in Linux|GNU|GNU/*) # If the system lacks a compiler, then just pick glibc. # We could probably try harder. LIBC=gnu eval $set_cc_for_build cat <<-EOF > $dummy.c #include #if defined(__UCLIBC__) LIBC=uclibc #elif defined(__dietlibc__) LIBC=dietlibc #else LIBC=gnu #endif EOF eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^LIBC' | sed 's, ,,g'` ;; esac # Note: order is significant - the case branches are not exclusive. case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in *:NetBSD:*:*) # NetBSD (nbsd) targets should (where applicable) match one or # more of the tuples: *-*-netbsdelf*, *-*-netbsdaout*, # *-*-netbsdecoff* and *-*-netbsd*. For targets that recently # switched to ELF, *-*-netbsd* would select the old # object file format. This provides both forward # compatibility and a consistent mechanism for selecting the # object file format. # # Note: NetBSD doesn't particularly care about the vendor # portion of the name. We always set it to "unknown". sysctl="sysctl -n hw.machine_arch" UNAME_MACHINE_ARCH=`(/sbin/$sysctl 2>/dev/null || \ /usr/sbin/$sysctl 2>/dev/null || echo unknown)` case "${UNAME_MACHINE_ARCH}" in armeb) machine=armeb-unknown ;; arm*) machine=arm-unknown ;; sh3el) machine=shl-unknown ;; sh3eb) machine=sh-unknown ;; sh5el) machine=sh5le-unknown ;; *) machine=${UNAME_MACHINE_ARCH}-unknown ;; esac # The Operating System including object format, if it has switched # to ELF recently, or will in the future. case "${UNAME_MACHINE_ARCH}" in arm*|i386|m68k|ns32k|sh3*|sparc|vax) eval $set_cc_for_build if echo __ELF__ | $CC_FOR_BUILD -E - 2>/dev/null \ | grep -q __ELF__ then # Once all utilities can be ECOFF (netbsdecoff) or a.out (netbsdaout). # Return netbsd for either. FIX? os=netbsd else os=netbsdelf fi ;; *) os=netbsd ;; esac # The OS release # Debian GNU/NetBSD machines have a different userland, and # thus, need a distinct triplet. However, they do not need # kernel version information, so it can be replaced with a # suitable tag, in the style of linux-gnu. case "${UNAME_VERSION}" in Debian*) release='-gnu' ;; *) release=`echo ${UNAME_RELEASE}|sed -e 's/[-_].*/\./'` ;; esac # Since CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM: # contains redundant information, the shorter form: # CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM is used. echo "${machine}-${os}${release}" exit ;; *:Bitrig:*:*) UNAME_MACHINE_ARCH=`arch | sed 's/Bitrig.//'` echo ${UNAME_MACHINE_ARCH}-unknown-bitrig${UNAME_RELEASE} exit ;; *:OpenBSD:*:*) UNAME_MACHINE_ARCH=`arch | sed 's/OpenBSD.//'` echo ${UNAME_MACHINE_ARCH}-unknown-openbsd${UNAME_RELEASE} exit ;; *:ekkoBSD:*:*) echo ${UNAME_MACHINE}-unknown-ekkobsd${UNAME_RELEASE} exit ;; *:SolidBSD:*:*) echo ${UNAME_MACHINE}-unknown-solidbsd${UNAME_RELEASE} exit ;; macppc:MirBSD:*:*) echo powerpc-unknown-mirbsd${UNAME_RELEASE} exit ;; *:MirBSD:*:*) echo ${UNAME_MACHINE}-unknown-mirbsd${UNAME_RELEASE} exit ;; alpha:OSF1:*:*) case $UNAME_RELEASE in *4.0) UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $3}'` ;; *5.*) UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $4}'` ;; esac # According to Compaq, /usr/sbin/psrinfo has been available on # OSF/1 and Tru64 systems produced since 1995. I hope that # covers most systems running today. This code pipes the CPU # types through head -n 1, so we only detect the type of CPU 0. ALPHA_CPU_TYPE=`/usr/sbin/psrinfo -v | sed -n -e 's/^ The alpha \(.*\) processor.*$/\1/p' | head -n 1` case "$ALPHA_CPU_TYPE" in "EV4 (21064)") UNAME_MACHINE="alpha" ;; "EV4.5 (21064)") UNAME_MACHINE="alpha" ;; "LCA4 (21066/21068)") UNAME_MACHINE="alpha" ;; "EV5 (21164)") UNAME_MACHINE="alphaev5" ;; "EV5.6 (21164A)") UNAME_MACHINE="alphaev56" ;; "EV5.6 (21164PC)") UNAME_MACHINE="alphapca56" ;; "EV5.7 (21164PC)") UNAME_MACHINE="alphapca57" ;; "EV6 (21264)") UNAME_MACHINE="alphaev6" ;; "EV6.7 (21264A)") UNAME_MACHINE="alphaev67" ;; "EV6.8CB (21264C)") UNAME_MACHINE="alphaev68" ;; "EV6.8AL (21264B)") UNAME_MACHINE="alphaev68" ;; "EV6.8CX (21264D)") UNAME_MACHINE="alphaev68" ;; "EV6.9A (21264/EV69A)") UNAME_MACHINE="alphaev69" ;; "EV7 (21364)") UNAME_MACHINE="alphaev7" ;; "EV7.9 (21364A)") UNAME_MACHINE="alphaev79" ;; esac # A Pn.n version is a patched version. # A Vn.n version is a released version. # A Tn.n version is a released field test version. # A Xn.n version is an unreleased experimental baselevel. # 1.2 uses "1.2" for uname -r. echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[PVTX]//' | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'` # Reset EXIT trap before exiting to avoid spurious non-zero exit code. exitcode=$? trap '' 0 exit $exitcode ;; Alpha\ *:Windows_NT*:*) # How do we know it's Interix rather than the generic POSIX subsystem? # Should we change UNAME_MACHINE based on the output of uname instead # of the specific Alpha model? echo alpha-pc-interix exit ;; 21064:Windows_NT:50:3) echo alpha-dec-winnt3.5 exit ;; Amiga*:UNIX_System_V:4.0:*) echo m68k-unknown-sysv4 exit ;; *:[Aa]miga[Oo][Ss]:*:*) echo ${UNAME_MACHINE}-unknown-amigaos exit ;; *:[Mm]orph[Oo][Ss]:*:*) echo ${UNAME_MACHINE}-unknown-morphos exit ;; *:OS/390:*:*) echo i370-ibm-openedition exit ;; *:z/VM:*:*) echo s390-ibm-zvmoe exit ;; *:OS400:*:*) echo powerpc-ibm-os400 exit ;; arm:RISC*:1.[012]*:*|arm:riscix:1.[012]*:*) echo arm-acorn-riscix${UNAME_RELEASE} exit ;; arm*:riscos:*:*|arm*:RISCOS:*:*) echo arm-unknown-riscos exit ;; SR2?01:HI-UX/MPP:*:* | SR8000:HI-UX/MPP:*:*) echo hppa1.1-hitachi-hiuxmpp exit ;; Pyramid*:OSx*:*:* | MIS*:OSx*:*:* | MIS*:SMP_DC-OSx*:*:*) # akee@wpdis03.wpafb.af.mil (Earle F. Ake) contributed MIS and NILE. if test "`(/bin/universe) 2>/dev/null`" = att ; then echo pyramid-pyramid-sysv3 else echo pyramid-pyramid-bsd fi exit ;; NILE*:*:*:dcosx) echo pyramid-pyramid-svr4 exit ;; DRS?6000:unix:4.0:6*) echo sparc-icl-nx6 exit ;; DRS?6000:UNIX_SV:4.2*:7* | DRS?6000:isis:4.2*:7*) case `/usr/bin/uname -p` in sparc) echo sparc-icl-nx7; exit ;; esac ;; s390x:SunOS:*:*) echo ${UNAME_MACHINE}-ibm-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` exit ;; sun4H:SunOS:5.*:*) echo sparc-hal-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` exit ;; sun4*:SunOS:5.*:* | tadpole*:SunOS:5.*:*) echo sparc-sun-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` exit ;; i86pc:AuroraUX:5.*:* | i86xen:AuroraUX:5.*:*) echo i386-pc-auroraux${UNAME_RELEASE} exit ;; i86pc:SunOS:5.*:* | i86xen:SunOS:5.*:*) eval $set_cc_for_build SUN_ARCH="i386" # If there is a compiler, see if it is configured for 64-bit objects. # Note that the Sun cc does not turn __LP64__ into 1 like gcc does. # This test works for both compilers. if [ "$CC_FOR_BUILD" != 'no_compiler_found' ]; then if (echo '#ifdef __amd64'; echo IS_64BIT_ARCH; echo '#endif') | \ (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | \ grep IS_64BIT_ARCH >/dev/null then SUN_ARCH="x86_64" fi fi echo ${SUN_ARCH}-pc-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` exit ;; sun4*:SunOS:6*:*) # According to config.sub, this is the proper way to canonicalize # SunOS6. Hard to guess exactly what SunOS6 will be like, but # it's likely to be more like Solaris than SunOS4. echo sparc-sun-solaris3`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` exit ;; sun4*:SunOS:*:*) case "`/usr/bin/arch -k`" in Series*|S4*) UNAME_RELEASE=`uname -v` ;; esac # Japanese Language versions have a version number like `4.1.3-JL'. echo sparc-sun-sunos`echo ${UNAME_RELEASE}|sed -e 's/-/_/'` exit ;; sun3*:SunOS:*:*) echo m68k-sun-sunos${UNAME_RELEASE} exit ;; sun*:*:4.2BSD:*) UNAME_RELEASE=`(sed 1q /etc/motd | awk '{print substr($5,1,3)}') 2>/dev/null` test "x${UNAME_RELEASE}" = "x" && UNAME_RELEASE=3 case "`/bin/arch`" in sun3) echo m68k-sun-sunos${UNAME_RELEASE} ;; sun4) echo sparc-sun-sunos${UNAME_RELEASE} ;; esac exit ;; aushp:SunOS:*:*) echo sparc-auspex-sunos${UNAME_RELEASE} exit ;; # The situation for MiNT is a little confusing. The machine name # can be virtually everything (everything which is not # "atarist" or "atariste" at least should have a processor # > m68000). The system name ranges from "MiNT" over "FreeMiNT" # to the lowercase version "mint" (or "freemint"). Finally # the system name "TOS" denotes a system which is actually not # MiNT. But MiNT is downward compatible to TOS, so this should # be no problem. atarist[e]:*MiNT:*:* | atarist[e]:*mint:*:* | atarist[e]:*TOS:*:*) echo m68k-atari-mint${UNAME_RELEASE} exit ;; atari*:*MiNT:*:* | atari*:*mint:*:* | atarist[e]:*TOS:*:*) echo m68k-atari-mint${UNAME_RELEASE} exit ;; *falcon*:*MiNT:*:* | *falcon*:*mint:*:* | *falcon*:*TOS:*:*) echo m68k-atari-mint${UNAME_RELEASE} exit ;; milan*:*MiNT:*:* | milan*:*mint:*:* | *milan*:*TOS:*:*) echo m68k-milan-mint${UNAME_RELEASE} exit ;; hades*:*MiNT:*:* | hades*:*mint:*:* | *hades*:*TOS:*:*) echo m68k-hades-mint${UNAME_RELEASE} exit ;; *:*MiNT:*:* | *:*mint:*:* | *:*TOS:*:*) echo m68k-unknown-mint${UNAME_RELEASE} exit ;; m68k:machten:*:*) echo m68k-apple-machten${UNAME_RELEASE} exit ;; powerpc:machten:*:*) echo powerpc-apple-machten${UNAME_RELEASE} exit ;; RISC*:Mach:*:*) echo mips-dec-mach_bsd4.3 exit ;; RISC*:ULTRIX:*:*) echo mips-dec-ultrix${UNAME_RELEASE} exit ;; VAX*:ULTRIX*:*:*) echo vax-dec-ultrix${UNAME_RELEASE} exit ;; 2020:CLIX:*:* | 2430:CLIX:*:*) echo clipper-intergraph-clix${UNAME_RELEASE} exit ;; mips:*:*:UMIPS | mips:*:*:RISCos) eval $set_cc_for_build sed 's/^ //' << EOF >$dummy.c #ifdef __cplusplus #include /* for printf() prototype */ int main (int argc, char *argv[]) { #else int main (argc, argv) int argc; char *argv[]; { #endif #if defined (host_mips) && defined (MIPSEB) #if defined (SYSTYPE_SYSV) printf ("mips-mips-riscos%ssysv\n", argv[1]); exit (0); #endif #if defined (SYSTYPE_SVR4) printf ("mips-mips-riscos%ssvr4\n", argv[1]); exit (0); #endif #if defined (SYSTYPE_BSD43) || defined(SYSTYPE_BSD) printf ("mips-mips-riscos%sbsd\n", argv[1]); exit (0); #endif #endif exit (-1); } EOF $CC_FOR_BUILD -o $dummy $dummy.c && dummyarg=`echo "${UNAME_RELEASE}" | sed -n 's/\([0-9]*\).*/\1/p'` && SYSTEM_NAME=`$dummy $dummyarg` && { echo "$SYSTEM_NAME"; exit; } echo mips-mips-riscos${UNAME_RELEASE} exit ;; Motorola:PowerMAX_OS:*:*) echo powerpc-motorola-powermax exit ;; Motorola:*:4.3:PL8-*) echo powerpc-harris-powermax exit ;; Night_Hawk:*:*:PowerMAX_OS | Synergy:PowerMAX_OS:*:*) echo powerpc-harris-powermax exit ;; Night_Hawk:Power_UNIX:*:*) echo powerpc-harris-powerunix exit ;; m88k:CX/UX:7*:*) echo m88k-harris-cxux7 exit ;; m88k:*:4*:R4*) echo m88k-motorola-sysv4 exit ;; m88k:*:3*:R3*) echo m88k-motorola-sysv3 exit ;; AViiON:dgux:*:*) # DG/UX returns AViiON for all architectures UNAME_PROCESSOR=`/usr/bin/uname -p` if [ $UNAME_PROCESSOR = mc88100 ] || [ $UNAME_PROCESSOR = mc88110 ] then if [ ${TARGET_BINARY_INTERFACE}x = m88kdguxelfx ] || \ [ ${TARGET_BINARY_INTERFACE}x = x ] then echo m88k-dg-dgux${UNAME_RELEASE} else echo m88k-dg-dguxbcs${UNAME_RELEASE} fi else echo i586-dg-dgux${UNAME_RELEASE} fi exit ;; M88*:DolphinOS:*:*) # DolphinOS (SVR3) echo m88k-dolphin-sysv3 exit ;; M88*:*:R3*:*) # Delta 88k system running SVR3 echo m88k-motorola-sysv3 exit ;; XD88*:*:*:*) # Tektronix XD88 system running UTekV (SVR3) echo m88k-tektronix-sysv3 exit ;; Tek43[0-9][0-9]:UTek:*:*) # Tektronix 4300 system running UTek (BSD) echo m68k-tektronix-bsd exit ;; *:IRIX*:*:*) echo mips-sgi-irix`echo ${UNAME_RELEASE}|sed -e 's/-/_/g'` exit ;; ????????:AIX?:[12].1:2) # AIX 2.2.1 or AIX 2.1.1 is RT/PC AIX. echo romp-ibm-aix # uname -m gives an 8 hex-code CPU id exit ;; # Note that: echo "'`uname -s`'" gives 'AIX ' i*86:AIX:*:*) echo i386-ibm-aix exit ;; ia64:AIX:*:*) if [ -x /usr/bin/oslevel ] ; then IBM_REV=`/usr/bin/oslevel` else IBM_REV=${UNAME_VERSION}.${UNAME_RELEASE} fi echo ${UNAME_MACHINE}-ibm-aix${IBM_REV} exit ;; *:AIX:2:3) if grep bos325 /usr/include/stdio.h >/dev/null 2>&1; then eval $set_cc_for_build sed 's/^ //' << EOF >$dummy.c #include main() { if (!__power_pc()) exit(1); puts("powerpc-ibm-aix3.2.5"); exit(0); } EOF if $CC_FOR_BUILD -o $dummy $dummy.c && SYSTEM_NAME=`$dummy` then echo "$SYSTEM_NAME" else echo rs6000-ibm-aix3.2.5 fi elif grep bos324 /usr/include/stdio.h >/dev/null 2>&1; then echo rs6000-ibm-aix3.2.4 else echo rs6000-ibm-aix3.2 fi exit ;; *:AIX:*:[4567]) IBM_CPU_ID=`/usr/sbin/lsdev -C -c processor -S available | sed 1q | awk '{ print $1 }'` if /usr/sbin/lsattr -El ${IBM_CPU_ID} | grep ' POWER' >/dev/null 2>&1; then IBM_ARCH=rs6000 else IBM_ARCH=powerpc fi if [ -x /usr/bin/oslevel ] ; then IBM_REV=`/usr/bin/oslevel` else IBM_REV=${UNAME_VERSION}.${UNAME_RELEASE} fi echo ${IBM_ARCH}-ibm-aix${IBM_REV} exit ;; *:AIX:*:*) echo rs6000-ibm-aix exit ;; ibmrt:4.4BSD:*|romp-ibm:BSD:*) echo romp-ibm-bsd4.4 exit ;; ibmrt:*BSD:*|romp-ibm:BSD:*) # covers RT/PC BSD and echo romp-ibm-bsd${UNAME_RELEASE} # 4.3 with uname added to exit ;; # report: romp-ibm BSD 4.3 *:BOSX:*:*) echo rs6000-bull-bosx exit ;; DPX/2?00:B.O.S.:*:*) echo m68k-bull-sysv3 exit ;; 9000/[34]??:4.3bsd:1.*:*) echo m68k-hp-bsd exit ;; hp300:4.4BSD:*:* | 9000/[34]??:4.3bsd:2.*:*) echo m68k-hp-bsd4.4 exit ;; 9000/[34678]??:HP-UX:*:*) HPUX_REV=`echo ${UNAME_RELEASE}|sed -e 's/[^.]*.[0B]*//'` case "${UNAME_MACHINE}" in 9000/31? ) HP_ARCH=m68000 ;; 9000/[34]?? ) HP_ARCH=m68k ;; 9000/[678][0-9][0-9]) if [ -x /usr/bin/getconf ]; then sc_cpu_version=`/usr/bin/getconf SC_CPU_VERSION 2>/dev/null` sc_kernel_bits=`/usr/bin/getconf SC_KERNEL_BITS 2>/dev/null` case "${sc_cpu_version}" in 523) HP_ARCH="hppa1.0" ;; # CPU_PA_RISC1_0 528) HP_ARCH="hppa1.1" ;; # CPU_PA_RISC1_1 532) # CPU_PA_RISC2_0 case "${sc_kernel_bits}" in 32) HP_ARCH="hppa2.0n" ;; 64) HP_ARCH="hppa2.0w" ;; '') HP_ARCH="hppa2.0" ;; # HP-UX 10.20 esac ;; esac fi if [ "${HP_ARCH}" = "" ]; then eval $set_cc_for_build sed 's/^ //' << EOF >$dummy.c #define _HPUX_SOURCE #include #include int main () { #if defined(_SC_KERNEL_BITS) long bits = sysconf(_SC_KERNEL_BITS); #endif long cpu = sysconf (_SC_CPU_VERSION); switch (cpu) { case CPU_PA_RISC1_0: puts ("hppa1.0"); break; case CPU_PA_RISC1_1: puts ("hppa1.1"); break; case CPU_PA_RISC2_0: #if defined(_SC_KERNEL_BITS) switch (bits) { case 64: puts ("hppa2.0w"); break; case 32: puts ("hppa2.0n"); break; default: puts ("hppa2.0"); break; } break; #else /* !defined(_SC_KERNEL_BITS) */ puts ("hppa2.0"); break; #endif default: puts ("hppa1.0"); break; } exit (0); } EOF (CCOPTS= $CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null) && HP_ARCH=`$dummy` test -z "$HP_ARCH" && HP_ARCH=hppa fi ;; esac if [ ${HP_ARCH} = "hppa2.0w" ] then eval $set_cc_for_build # hppa2.0w-hp-hpux* has a 64-bit kernel and a compiler generating # 32-bit code. hppa64-hp-hpux* has the same kernel and a compiler # generating 64-bit code. GNU and HP use different nomenclature: # # $ CC_FOR_BUILD=cc ./config.guess # => hppa2.0w-hp-hpux11.23 # $ CC_FOR_BUILD="cc +DA2.0w" ./config.guess # => hppa64-hp-hpux11.23 if echo __LP64__ | (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | grep -q __LP64__ then HP_ARCH="hppa2.0w" else HP_ARCH="hppa64" fi fi echo ${HP_ARCH}-hp-hpux${HPUX_REV} exit ;; ia64:HP-UX:*:*) HPUX_REV=`echo ${UNAME_RELEASE}|sed -e 's/[^.]*.[0B]*//'` echo ia64-hp-hpux${HPUX_REV} exit ;; 3050*:HI-UX:*:*) eval $set_cc_for_build sed 's/^ //' << EOF >$dummy.c #include int main () { long cpu = sysconf (_SC_CPU_VERSION); /* The order matters, because CPU_IS_HP_MC68K erroneously returns true for CPU_PA_RISC1_0. CPU_IS_PA_RISC returns correct results, however. */ if (CPU_IS_PA_RISC (cpu)) { switch (cpu) { case CPU_PA_RISC1_0: puts ("hppa1.0-hitachi-hiuxwe2"); break; case CPU_PA_RISC1_1: puts ("hppa1.1-hitachi-hiuxwe2"); break; case CPU_PA_RISC2_0: puts ("hppa2.0-hitachi-hiuxwe2"); break; default: puts ("hppa-hitachi-hiuxwe2"); break; } } else if (CPU_IS_HP_MC68K (cpu)) puts ("m68k-hitachi-hiuxwe2"); else puts ("unknown-hitachi-hiuxwe2"); exit (0); } EOF $CC_FOR_BUILD -o $dummy $dummy.c && SYSTEM_NAME=`$dummy` && { echo "$SYSTEM_NAME"; exit; } echo unknown-hitachi-hiuxwe2 exit ;; 9000/7??:4.3bsd:*:* | 9000/8?[79]:4.3bsd:*:* ) echo hppa1.1-hp-bsd exit ;; 9000/8??:4.3bsd:*:*) echo hppa1.0-hp-bsd exit ;; *9??*:MPE/iX:*:* | *3000*:MPE/iX:*:*) echo hppa1.0-hp-mpeix exit ;; hp7??:OSF1:*:* | hp8?[79]:OSF1:*:* ) echo hppa1.1-hp-osf exit ;; hp8??:OSF1:*:*) echo hppa1.0-hp-osf exit ;; i*86:OSF1:*:*) if [ -x /usr/sbin/sysversion ] ; then echo ${UNAME_MACHINE}-unknown-osf1mk else echo ${UNAME_MACHINE}-unknown-osf1 fi exit ;; parisc*:Lites*:*:*) echo hppa1.1-hp-lites exit ;; C1*:ConvexOS:*:* | convex:ConvexOS:C1*:*) echo c1-convex-bsd exit ;; C2*:ConvexOS:*:* | convex:ConvexOS:C2*:*) if getsysinfo -f scalar_acc then echo c32-convex-bsd else echo c2-convex-bsd fi exit ;; C34*:ConvexOS:*:* | convex:ConvexOS:C34*:*) echo c34-convex-bsd exit ;; C38*:ConvexOS:*:* | convex:ConvexOS:C38*:*) echo c38-convex-bsd exit ;; C4*:ConvexOS:*:* | convex:ConvexOS:C4*:*) echo c4-convex-bsd exit ;; CRAY*Y-MP:*:*:*) echo ymp-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' exit ;; CRAY*[A-Z]90:*:*:*) echo ${UNAME_MACHINE}-cray-unicos${UNAME_RELEASE} \ | sed -e 's/CRAY.*\([A-Z]90\)/\1/' \ -e y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/ \ -e 's/\.[^.]*$/.X/' exit ;; CRAY*TS:*:*:*) echo t90-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' exit ;; CRAY*T3E:*:*:*) echo alphaev5-cray-unicosmk${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' exit ;; CRAY*SV1:*:*:*) echo sv1-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' exit ;; *:UNICOS/mp:*:*) echo craynv-cray-unicosmp${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' exit ;; F30[01]:UNIX_System_V:*:* | F700:UNIX_System_V:*:*) FUJITSU_PROC=`uname -m | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'` FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'` FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'` echo "${FUJITSU_PROC}-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}" exit ;; 5000:UNIX_System_V:4.*:*) FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'` FUJITSU_REL=`echo ${UNAME_RELEASE} | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/ /_/'` echo "sparc-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}" exit ;; i*86:BSD/386:*:* | i*86:BSD/OS:*:* | *:Ascend\ Embedded/OS:*:*) echo ${UNAME_MACHINE}-pc-bsdi${UNAME_RELEASE} exit ;; sparc*:BSD/OS:*:*) echo sparc-unknown-bsdi${UNAME_RELEASE} exit ;; *:BSD/OS:*:*) echo ${UNAME_MACHINE}-unknown-bsdi${UNAME_RELEASE} exit ;; *:FreeBSD:*:*) UNAME_PROCESSOR=`/usr/bin/uname -p` case ${UNAME_PROCESSOR} in amd64) echo x86_64-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;; *) echo ${UNAME_PROCESSOR}-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;; esac exit ;; i*:CYGWIN*:*) echo ${UNAME_MACHINE}-pc-cygwin exit ;; *:MINGW64*:*) echo ${UNAME_MACHINE}-pc-mingw64 exit ;; *:MINGW*:*) echo ${UNAME_MACHINE}-pc-mingw32 exit ;; *:MSYS*:*) echo ${UNAME_MACHINE}-pc-msys exit ;; i*:windows32*:*) # uname -m includes "-pc" on this system. echo ${UNAME_MACHINE}-mingw32 exit ;; i*:PW*:*) echo ${UNAME_MACHINE}-pc-pw32 exit ;; *:Interix*:*) case ${UNAME_MACHINE} in x86) echo i586-pc-interix${UNAME_RELEASE} exit ;; authenticamd | genuineintel | EM64T) echo x86_64-unknown-interix${UNAME_RELEASE} exit ;; IA64) echo ia64-unknown-interix${UNAME_RELEASE} exit ;; esac ;; [345]86:Windows_95:* | [345]86:Windows_98:* | [345]86:Windows_NT:*) echo i${UNAME_MACHINE}-pc-mks exit ;; 8664:Windows_NT:*) echo x86_64-pc-mks exit ;; i*:Windows_NT*:* | Pentium*:Windows_NT*:*) # How do we know it's Interix rather than the generic POSIX subsystem? # It also conflicts with pre-2.0 versions of AT&T UWIN. Should we # UNAME_MACHINE based on the output of uname instead of i386? echo i586-pc-interix exit ;; i*:UWIN*:*) echo ${UNAME_MACHINE}-pc-uwin exit ;; amd64:CYGWIN*:*:* | x86_64:CYGWIN*:*:*) echo x86_64-unknown-cygwin exit ;; p*:CYGWIN*:*) echo powerpcle-unknown-cygwin exit ;; prep*:SunOS:5.*:*) echo powerpcle-unknown-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` exit ;; *:GNU:*:*) # the GNU system echo `echo ${UNAME_MACHINE}|sed -e 's,[-/].*$,,'`-unknown-${LIBC}`echo ${UNAME_RELEASE}|sed -e 's,/.*$,,'` exit ;; *:GNU/*:*:*) # other systems with GNU libc and userland echo ${UNAME_MACHINE}-unknown-`echo ${UNAME_SYSTEM} | sed 's,^[^/]*/,,' | tr '[A-Z]' '[a-z]'``echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`-${LIBC} exit ;; i*86:Minix:*:*) echo ${UNAME_MACHINE}-pc-minix exit ;; aarch64:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; aarch64_be:Linux:*:*) UNAME_MACHINE=aarch64_be echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; alpha:Linux:*:*) case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' < /proc/cpuinfo` in EV5) UNAME_MACHINE=alphaev5 ;; EV56) UNAME_MACHINE=alphaev56 ;; PCA56) UNAME_MACHINE=alphapca56 ;; PCA57) UNAME_MACHINE=alphapca56 ;; EV6) UNAME_MACHINE=alphaev6 ;; EV67) UNAME_MACHINE=alphaev67 ;; EV68*) UNAME_MACHINE=alphaev68 ;; esac objdump --private-headers /bin/sh | grep -q ld.so.1 if test "$?" = 0 ; then LIBC="gnulibc1" ; fi echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; arc:Linux:*:* | arceb:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; arm*:Linux:*:*) eval $set_cc_for_build if echo __ARM_EABI__ | $CC_FOR_BUILD -E - 2>/dev/null \ | grep -q __ARM_EABI__ then echo ${UNAME_MACHINE}-unknown-linux-${LIBC} else if echo __ARM_PCS_VFP | $CC_FOR_BUILD -E - 2>/dev/null \ | grep -q __ARM_PCS_VFP then echo ${UNAME_MACHINE}-unknown-linux-${LIBC}eabi else echo ${UNAME_MACHINE}-unknown-linux-${LIBC}eabihf fi fi exit ;; avr32*:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; cris:Linux:*:*) echo ${UNAME_MACHINE}-axis-linux-${LIBC} exit ;; crisv32:Linux:*:*) echo ${UNAME_MACHINE}-axis-linux-${LIBC} exit ;; frv:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; hexagon:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; i*86:Linux:*:*) echo ${UNAME_MACHINE}-pc-linux-${LIBC} exit ;; ia64:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; m32r*:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; m68*:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; mips:Linux:*:* | mips64:Linux:*:*) eval $set_cc_for_build sed 's/^ //' << EOF >$dummy.c #undef CPU #undef ${UNAME_MACHINE} #undef ${UNAME_MACHINE}el #if defined(__MIPSEL__) || defined(__MIPSEL) || defined(_MIPSEL) || defined(MIPSEL) CPU=${UNAME_MACHINE}el #else #if defined(__MIPSEB__) || defined(__MIPSEB) || defined(_MIPSEB) || defined(MIPSEB) CPU=${UNAME_MACHINE} #else CPU= #endif #endif EOF eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^CPU'` test x"${CPU}" != x && { echo "${CPU}-unknown-linux-${LIBC}"; exit; } ;; openrisc*:Linux:*:*) echo or1k-unknown-linux-${LIBC} exit ;; or32:Linux:*:* | or1k*:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; padre:Linux:*:*) echo sparc-unknown-linux-${LIBC} exit ;; parisc64:Linux:*:* | hppa64:Linux:*:*) echo hppa64-unknown-linux-${LIBC} exit ;; parisc:Linux:*:* | hppa:Linux:*:*) # Look for CPU level case `grep '^cpu[^a-z]*:' /proc/cpuinfo 2>/dev/null | cut -d' ' -f2` in PA7*) echo hppa1.1-unknown-linux-${LIBC} ;; PA8*) echo hppa2.0-unknown-linux-${LIBC} ;; *) echo hppa-unknown-linux-${LIBC} ;; esac exit ;; ppc64:Linux:*:*) echo powerpc64-unknown-linux-${LIBC} exit ;; ppc:Linux:*:*) echo powerpc-unknown-linux-${LIBC} exit ;; ppc64le:Linux:*:*) echo powerpc64le-unknown-linux-${LIBC} exit ;; ppcle:Linux:*:*) echo powerpcle-unknown-linux-${LIBC} exit ;; s390:Linux:*:* | s390x:Linux:*:*) echo ${UNAME_MACHINE}-ibm-linux-${LIBC} exit ;; sh64*:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; sh*:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; sparc:Linux:*:* | sparc64:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; tile*:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; vax:Linux:*:*) echo ${UNAME_MACHINE}-dec-linux-${LIBC} exit ;; x86_64:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; xtensa*:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; i*86:DYNIX/ptx:4*:*) # ptx 4.0 does uname -s correctly, with DYNIX/ptx in there. # earlier versions are messed up and put the nodename in both # sysname and nodename. echo i386-sequent-sysv4 exit ;; i*86:UNIX_SV:4.2MP:2.*) # Unixware is an offshoot of SVR4, but it has its own version # number series starting with 2... # I am not positive that other SVR4 systems won't match this, # I just have to hope. -- rms. # Use sysv4.2uw... so that sysv4* matches it. echo ${UNAME_MACHINE}-pc-sysv4.2uw${UNAME_VERSION} exit ;; i*86:OS/2:*:*) # If we were able to find `uname', then EMX Unix compatibility # is probably installed. echo ${UNAME_MACHINE}-pc-os2-emx exit ;; i*86:XTS-300:*:STOP) echo ${UNAME_MACHINE}-unknown-stop exit ;; i*86:atheos:*:*) echo ${UNAME_MACHINE}-unknown-atheos exit ;; i*86:syllable:*:*) echo ${UNAME_MACHINE}-pc-syllable exit ;; i*86:LynxOS:2.*:* | i*86:LynxOS:3.[01]*:* | i*86:LynxOS:4.[02]*:*) echo i386-unknown-lynxos${UNAME_RELEASE} exit ;; i*86:*DOS:*:*) echo ${UNAME_MACHINE}-pc-msdosdjgpp exit ;; i*86:*:4.*:* | i*86:SYSTEM_V:4.*:*) UNAME_REL=`echo ${UNAME_RELEASE} | sed 's/\/MP$//'` if grep Novell /usr/include/link.h >/dev/null 2>/dev/null; then echo ${UNAME_MACHINE}-univel-sysv${UNAME_REL} else echo ${UNAME_MACHINE}-pc-sysv${UNAME_REL} fi exit ;; i*86:*:5:[678]*) # UnixWare 7.x, OpenUNIX and OpenServer 6. case `/bin/uname -X | grep "^Machine"` in *486*) UNAME_MACHINE=i486 ;; *Pentium) UNAME_MACHINE=i586 ;; *Pent*|*Celeron) UNAME_MACHINE=i686 ;; esac echo ${UNAME_MACHINE}-unknown-sysv${UNAME_RELEASE}${UNAME_SYSTEM}${UNAME_VERSION} exit ;; i*86:*:3.2:*) if test -f /usr/options/cb.name; then UNAME_REL=`sed -n 's/.*Version //p' /dev/null >/dev/null ; then UNAME_REL=`(/bin/uname -X|grep Release|sed -e 's/.*= //')` (/bin/uname -X|grep i80486 >/dev/null) && UNAME_MACHINE=i486 (/bin/uname -X|grep '^Machine.*Pentium' >/dev/null) \ && UNAME_MACHINE=i586 (/bin/uname -X|grep '^Machine.*Pent *II' >/dev/null) \ && UNAME_MACHINE=i686 (/bin/uname -X|grep '^Machine.*Pentium Pro' >/dev/null) \ && UNAME_MACHINE=i686 echo ${UNAME_MACHINE}-pc-sco$UNAME_REL else echo ${UNAME_MACHINE}-pc-sysv32 fi exit ;; pc:*:*:*) # Left here for compatibility: # uname -m prints for DJGPP always 'pc', but it prints nothing about # the processor, so we play safe by assuming i586. # Note: whatever this is, it MUST be the same as what config.sub # prints for the "djgpp" host, or else GDB configury will decide that # this is a cross-build. echo i586-pc-msdosdjgpp exit ;; Intel:Mach:3*:*) echo i386-pc-mach3 exit ;; paragon:*:*:*) echo i860-intel-osf1 exit ;; i860:*:4.*:*) # i860-SVR4 if grep Stardent /usr/include/sys/uadmin.h >/dev/null 2>&1 ; then echo i860-stardent-sysv${UNAME_RELEASE} # Stardent Vistra i860-SVR4 else # Add other i860-SVR4 vendors below as they are discovered. echo i860-unknown-sysv${UNAME_RELEASE} # Unknown i860-SVR4 fi exit ;; mini*:CTIX:SYS*5:*) # "miniframe" echo m68010-convergent-sysv exit ;; mc68k:UNIX:SYSTEM5:3.51m) echo m68k-convergent-sysv exit ;; M680?0:D-NIX:5.3:*) echo m68k-diab-dnix exit ;; M68*:*:R3V[5678]*:*) test -r /sysV68 && { echo 'm68k-motorola-sysv'; exit; } ;; 3[345]??:*:4.0:3.0 | 3[34]??A:*:4.0:3.0 | 3[34]??,*:*:4.0:3.0 | 3[34]??/*:*:4.0:3.0 | 4400:*:4.0:3.0 | 4850:*:4.0:3.0 | SKA40:*:4.0:3.0 | SDS2:*:4.0:3.0 | SHG2:*:4.0:3.0 | S7501*:*:4.0:3.0) OS_REL='' test -r /etc/.relid \ && OS_REL=.`sed -n 's/[^ ]* [^ ]* \([0-9][0-9]\).*/\1/p' < /etc/.relid` /bin/uname -p 2>/dev/null | grep 86 >/dev/null \ && { echo i486-ncr-sysv4.3${OS_REL}; exit; } /bin/uname -p 2>/dev/null | /bin/grep entium >/dev/null \ && { echo i586-ncr-sysv4.3${OS_REL}; exit; } ;; 3[34]??:*:4.0:* | 3[34]??,*:*:4.0:*) /bin/uname -p 2>/dev/null | grep 86 >/dev/null \ && { echo i486-ncr-sysv4; exit; } ;; NCR*:*:4.2:* | MPRAS*:*:4.2:*) OS_REL='.3' test -r /etc/.relid \ && OS_REL=.`sed -n 's/[^ ]* [^ ]* \([0-9][0-9]\).*/\1/p' < /etc/.relid` /bin/uname -p 2>/dev/null | grep 86 >/dev/null \ && { echo i486-ncr-sysv4.3${OS_REL}; exit; } /bin/uname -p 2>/dev/null | /bin/grep entium >/dev/null \ && { echo i586-ncr-sysv4.3${OS_REL}; exit; } /bin/uname -p 2>/dev/null | /bin/grep pteron >/dev/null \ && { echo i586-ncr-sysv4.3${OS_REL}; exit; } ;; m68*:LynxOS:2.*:* | m68*:LynxOS:3.0*:*) echo m68k-unknown-lynxos${UNAME_RELEASE} exit ;; mc68030:UNIX_System_V:4.*:*) echo m68k-atari-sysv4 exit ;; TSUNAMI:LynxOS:2.*:*) echo sparc-unknown-lynxos${UNAME_RELEASE} exit ;; rs6000:LynxOS:2.*:*) echo rs6000-unknown-lynxos${UNAME_RELEASE} exit ;; PowerPC:LynxOS:2.*:* | PowerPC:LynxOS:3.[01]*:* | PowerPC:LynxOS:4.[02]*:*) echo powerpc-unknown-lynxos${UNAME_RELEASE} exit ;; SM[BE]S:UNIX_SV:*:*) echo mips-dde-sysv${UNAME_RELEASE} exit ;; RM*:ReliantUNIX-*:*:*) echo mips-sni-sysv4 exit ;; RM*:SINIX-*:*:*) echo mips-sni-sysv4 exit ;; *:SINIX-*:*:*) if uname -p 2>/dev/null >/dev/null ; then UNAME_MACHINE=`(uname -p) 2>/dev/null` echo ${UNAME_MACHINE}-sni-sysv4 else echo ns32k-sni-sysv fi exit ;; PENTIUM:*:4.0*:*) # Unisys `ClearPath HMP IX 4000' SVR4/MP effort # says echo i586-unisys-sysv4 exit ;; *:UNIX_System_V:4*:FTX*) # From Gerald Hewes . # How about differentiating between stratus architectures? -djm echo hppa1.1-stratus-sysv4 exit ;; *:*:*:FTX*) # From seanf@swdc.stratus.com. echo i860-stratus-sysv4 exit ;; i*86:VOS:*:*) # From Paul.Green@stratus.com. echo ${UNAME_MACHINE}-stratus-vos exit ;; *:VOS:*:*) # From Paul.Green@stratus.com. echo hppa1.1-stratus-vos exit ;; mc68*:A/UX:*:*) echo m68k-apple-aux${UNAME_RELEASE} exit ;; news*:NEWS-OS:6*:*) echo mips-sony-newsos6 exit ;; R[34]000:*System_V*:*:* | R4000:UNIX_SYSV:*:* | R*000:UNIX_SV:*:*) if [ -d /usr/nec ]; then echo mips-nec-sysv${UNAME_RELEASE} else echo mips-unknown-sysv${UNAME_RELEASE} fi exit ;; BeBox:BeOS:*:*) # BeOS running on hardware made by Be, PPC only. echo powerpc-be-beos exit ;; BeMac:BeOS:*:*) # BeOS running on Mac or Mac clone, PPC only. echo powerpc-apple-beos exit ;; BePC:BeOS:*:*) # BeOS running on Intel PC compatible. echo i586-pc-beos exit ;; BePC:Haiku:*:*) # Haiku running on Intel PC compatible. echo i586-pc-haiku exit ;; x86_64:Haiku:*:*) echo x86_64-unknown-haiku exit ;; SX-4:SUPER-UX:*:*) echo sx4-nec-superux${UNAME_RELEASE} exit ;; SX-5:SUPER-UX:*:*) echo sx5-nec-superux${UNAME_RELEASE} exit ;; SX-6:SUPER-UX:*:*) echo sx6-nec-superux${UNAME_RELEASE} exit ;; SX-7:SUPER-UX:*:*) echo sx7-nec-superux${UNAME_RELEASE} exit ;; SX-8:SUPER-UX:*:*) echo sx8-nec-superux${UNAME_RELEASE} exit ;; SX-8R:SUPER-UX:*:*) echo sx8r-nec-superux${UNAME_RELEASE} exit ;; Power*:Rhapsody:*:*) echo powerpc-apple-rhapsody${UNAME_RELEASE} exit ;; *:Rhapsody:*:*) echo ${UNAME_MACHINE}-apple-rhapsody${UNAME_RELEASE} exit ;; *:Darwin:*:*) UNAME_PROCESSOR=`uname -p` || UNAME_PROCESSOR=unknown eval $set_cc_for_build if test "$UNAME_PROCESSOR" = unknown ; then UNAME_PROCESSOR=powerpc fi if test `echo "$UNAME_RELEASE" | sed -e 's/\..*//'` -le 10 ; then if [ "$CC_FOR_BUILD" != 'no_compiler_found' ]; then if (echo '#ifdef __LP64__'; echo IS_64BIT_ARCH; echo '#endif') | \ (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | \ grep IS_64BIT_ARCH >/dev/null then case $UNAME_PROCESSOR in i386) UNAME_PROCESSOR=x86_64 ;; powerpc) UNAME_PROCESSOR=powerpc64 ;; esac fi fi elif test "$UNAME_PROCESSOR" = i386 ; then # Avoid executing cc on OS X 10.9, as it ships with a stub # that puts up a graphical alert prompting to install # developer tools. Any system running Mac OS X 10.7 or # later (Darwin 11 and later) is required to have a 64-bit # processor. This is not true of the ARM version of Darwin # that Apple uses in portable devices. UNAME_PROCESSOR=x86_64 fi echo ${UNAME_PROCESSOR}-apple-darwin${UNAME_RELEASE} exit ;; *:procnto*:*:* | *:QNX:[0123456789]*:*) UNAME_PROCESSOR=`uname -p` if test "$UNAME_PROCESSOR" = "x86"; then UNAME_PROCESSOR=i386 UNAME_MACHINE=pc fi echo ${UNAME_PROCESSOR}-${UNAME_MACHINE}-nto-qnx${UNAME_RELEASE} exit ;; *:QNX:*:4*) echo i386-pc-qnx exit ;; NEO-?:NONSTOP_KERNEL:*:*) echo neo-tandem-nsk${UNAME_RELEASE} exit ;; NSE-*:NONSTOP_KERNEL:*:*) echo nse-tandem-nsk${UNAME_RELEASE} exit ;; NSR-?:NONSTOP_KERNEL:*:*) echo nsr-tandem-nsk${UNAME_RELEASE} exit ;; *:NonStop-UX:*:*) echo mips-compaq-nonstopux exit ;; BS2000:POSIX*:*:*) echo bs2000-siemens-sysv exit ;; DS/*:UNIX_System_V:*:*) echo ${UNAME_MACHINE}-${UNAME_SYSTEM}-${UNAME_RELEASE} exit ;; *:Plan9:*:*) # "uname -m" is not consistent, so use $cputype instead. 386 # is converted to i386 for consistency with other x86 # operating systems. if test "$cputype" = "386"; then UNAME_MACHINE=i386 else UNAME_MACHINE="$cputype" fi echo ${UNAME_MACHINE}-unknown-plan9 exit ;; *:TOPS-10:*:*) echo pdp10-unknown-tops10 exit ;; *:TENEX:*:*) echo pdp10-unknown-tenex exit ;; KS10:TOPS-20:*:* | KL10:TOPS-20:*:* | TYPE4:TOPS-20:*:*) echo pdp10-dec-tops20 exit ;; XKL-1:TOPS-20:*:* | TYPE5:TOPS-20:*:*) echo pdp10-xkl-tops20 exit ;; *:TOPS-20:*:*) echo pdp10-unknown-tops20 exit ;; *:ITS:*:*) echo pdp10-unknown-its exit ;; SEI:*:*:SEIUX) echo mips-sei-seiux${UNAME_RELEASE} exit ;; *:DragonFly:*:*) echo ${UNAME_MACHINE}-unknown-dragonfly`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` exit ;; *:*VMS:*:*) UNAME_MACHINE=`(uname -p) 2>/dev/null` case "${UNAME_MACHINE}" in A*) echo alpha-dec-vms ; exit ;; I*) echo ia64-dec-vms ; exit ;; V*) echo vax-dec-vms ; exit ;; esac ;; *:XENIX:*:SysV) echo i386-pc-xenix exit ;; i*86:skyos:*:*) echo ${UNAME_MACHINE}-pc-skyos`echo ${UNAME_RELEASE}` | sed -e 's/ .*$//' exit ;; i*86:rdos:*:*) echo ${UNAME_MACHINE}-pc-rdos exit ;; i*86:AROS:*:*) echo ${UNAME_MACHINE}-pc-aros exit ;; x86_64:VMkernel:*:*) echo ${UNAME_MACHINE}-unknown-esx exit ;; esac cat >&2 < in order to provide the needed information to handle your system. config.guess timestamp = $timestamp uname -m = `(uname -m) 2>/dev/null || echo unknown` uname -r = `(uname -r) 2>/dev/null || echo unknown` uname -s = `(uname -s) 2>/dev/null || echo unknown` uname -v = `(uname -v) 2>/dev/null || echo unknown` /usr/bin/uname -p = `(/usr/bin/uname -p) 2>/dev/null` /bin/uname -X = `(/bin/uname -X) 2>/dev/null` hostinfo = `(hostinfo) 2>/dev/null` /bin/universe = `(/bin/universe) 2>/dev/null` /usr/bin/arch -k = `(/usr/bin/arch -k) 2>/dev/null` /bin/arch = `(/bin/arch) 2>/dev/null` /usr/bin/oslevel = `(/usr/bin/oslevel) 2>/dev/null` /usr/convex/getsysinfo = `(/usr/convex/getsysinfo) 2>/dev/null` UNAME_MACHINE = ${UNAME_MACHINE} UNAME_RELEASE = ${UNAME_RELEASE} UNAME_SYSTEM = ${UNAME_SYSTEM} UNAME_VERSION = ${UNAME_VERSION} EOF exit 1 # Local variables: # eval: (add-hook 'write-file-hooks 'time-stamp) # time-stamp-start: "timestamp='" # time-stamp-format: "%:y-%02m-%02d" # time-stamp-end: "'" # End: openvpn-2.4.4/config.h.in000066400000000000000000000606151316434344000152430ustar00rootroot00000000000000/* config.h.in. Generated from configure.ac by autoheader. */ /* Configuration settings */ #undef CONFIGURE_DEFINES /* special build string */ #undef CONFIGURE_SPECIAL_BUILD /* Use memory debugging function in OpenSSL */ #undef CRYPTO_MDEBUG /* p11-kit proxy */ #undef DEFAULT_PKCS11_MODULE /* Use dmalloc memory debugging library */ #undef DMALLOC /* Dimension to use for empty array declaration */ #undef EMPTY_ARRAY_SIZE /* Enable async push */ #undef ENABLE_ASYNC_PUSH /* Enable client capability only */ #undef ENABLE_CLIENT_ONLY /* Enable compression stub capability */ #undef ENABLE_COMP_STUB /* Enable crypto library */ #undef ENABLE_CRYPTO /* Use mbed TLS library */ #undef ENABLE_CRYPTO_MBEDTLS /* Use OpenSSL library */ #undef ENABLE_CRYPTO_OPENSSL /* Enable debugging support */ #undef ENABLE_DEBUG /* Enable deferred authentication */ #undef ENABLE_DEF_AUTH /* We have persist tun capability */ #undef ENABLE_FEATURE_TUN_PERSIST /* Enable internal fragmentation support */ #undef ENABLE_FRAGMENT /* enable iproute2 support */ #undef ENABLE_IPROUTE /* Enable LZ4 compression library */ #undef ENABLE_LZ4 /* Enable LZO compression library */ #undef ENABLE_LZO /* Enable management server capability */ #undef ENABLE_MANAGEMENT /* Enable multi-homed UDP server capability */ #undef ENABLE_MULTIHOME /* Enable OFB and CFB cipher modes */ #undef ENABLE_OFB_CFB_MODE /* Enable internal packet filter */ #undef ENABLE_PF /* Enable PKCS11 */ #undef ENABLE_PKCS11 /* Enable plug-in support */ #undef ENABLE_PLUGIN /* Enable TCP Server port sharing */ #undef ENABLE_PORT_SHARE /* SELinux support */ #undef ENABLE_SELINUX /* Enable smaller executable size */ #undef ENABLE_SMALL /* Enable strict options check between peers */ #undef ENABLE_STRICT_OPTIONS_CHECK /* Enable systemd integration */ #undef ENABLE_SYSTEMD /* Enable --x509-username-field feature */ #undef ENABLE_X509ALTUSERNAME /* Define to 1 if you have the `accept' function. */ #undef HAVE_ACCEPT /* Define to 1 if you have the `access' function. */ #undef HAVE_ACCESS /* Use crypto library */ #undef HAVE_AEAD_CIPHER_MODES /* Compiler supports anonymous unions */ #undef HAVE_ANONYMOUS_UNION_SUPPORT /* Define to 1 if you have the header file. */ #undef HAVE_ARPA_INET_H /* Define to 1 if you have the `basename' function. */ #undef HAVE_BASENAME /* Define to 1 if you have the `bind' function. */ #undef HAVE_BIND /* Define to 1 if you have the `chdir' function. */ #undef HAVE_CHDIR /* Define to 1 if you have the `chroot' function. */ #undef HAVE_CHROOT /* Define to 1 if you have the `chsize' function. */ #undef HAVE_CHSIZE /* struct cmsghdr needed for extended socket error support */ #undef HAVE_CMSGHDR /* extra version available in config-version.h */ #undef HAVE_CONFIG_VERSION_H /* Define to 1 if you have the `connect' function. */ #undef HAVE_CONNECT /* Define to 1 if your compiler supports GNU GCC-style variadic macros */ #undef HAVE_CPP_VARARG_MACRO_GCC /* Define to 1 if your compiler supports ISO C99 variadic macros */ #undef HAVE_CPP_VARARG_MACRO_ISO /* Define to 1 if you have the `ctime' function. */ #undef HAVE_CTIME /* Define to 1 if you have the header file. */ #undef HAVE_CTYPE_H /* Define to 1 if you have the `daemon' function. */ #undef HAVE_DAEMON /* Define to 1 if you have the declaration of `SIGHUP', and to 0 if you don't. */ #undef HAVE_DECL_SIGHUP /* Define to 1 if you have the declaration of `SIGINT', and to 0 if you don't. */ #undef HAVE_DECL_SIGINT /* Define to 1 if you have the declaration of `SIGTERM', and to 0 if you don't. */ #undef HAVE_DECL_SIGTERM /* Define to 1 if you have the declaration of `SIGUSR1', and to 0 if you don't. */ #undef HAVE_DECL_SIGUSR1 /* Define to 1 if you have the declaration of `SIGUSR2', and to 0 if you don't. */ #undef HAVE_DECL_SIGUSR2 /* Define to 1 if you have the declaration of `SO_MARK', and to 0 if you don't. */ #undef HAVE_DECL_SO_MARK /* Define to 1 if you have the declaration of `TUNSETPERSIST', and to 0 if you don't. */ #undef HAVE_DECL_TUNSETPERSIST /* Define to 1 if you have the header file. */ #undef HAVE_DIRECT_H /* Define to 1 if you have the `dirname' function. */ #undef HAVE_DIRNAME /* Define to 1 if you have the header file. */ #undef HAVE_DLFCN_H /* Define to 1 if you have the header file. */ #undef HAVE_DMALLOC_H /* Define to 1 if you have the `DSA_bits' function. */ #undef HAVE_DSA_BITS /* Define to 1 if you have the `DSA_get0_pqg' function. */ #undef HAVE_DSA_GET0_PQG /* Define to 1 if you have the `dup' function. */ #undef HAVE_DUP /* Define to 1 if you have the `dup2' function. */ #undef HAVE_DUP2 /* Define to 1 if you have the `EC_GROUP_order_bits' function. */ #undef HAVE_EC_GROUP_ORDER_BITS /* Define to 1 if you have the `ENGINE_cleanup' function. */ #undef HAVE_ENGINE_CLEANUP /* Define to 1 if you have the `ENGINE_load_builtin_engines' function. */ #undef HAVE_ENGINE_LOAD_BUILTIN_ENGINES /* Define to 1 if you have the `ENGINE_register_all_complete' function. */ #undef HAVE_ENGINE_REGISTER_ALL_COMPLETE /* Define to 1 if you have the `epoll_create' function. */ #undef HAVE_EPOLL_CREATE /* Define to 1 if you have the header file. */ #undef HAVE_ERRNO_H /* Define to 1 if you have the header file. */ #undef HAVE_ERR_H /* Define to 1 if you have the `EVP_aes_256_gcm' function. */ #undef HAVE_EVP_AES_256_GCM /* Define to 1 if you have the `EVP_CIPHER_CTX_set_key_length' function. */ #undef HAVE_EVP_CIPHER_CTX_SET_KEY_LENGTH /* Define to 1 if you have the `EVP_MD_CTX_free' function. */ #undef HAVE_EVP_MD_CTX_FREE /* Define to 1 if you have the `EVP_MD_CTX_new' function. */ #undef HAVE_EVP_MD_CTX_NEW /* Define to 1 if you have the `EVP_MD_CTX_reset' function. */ #undef HAVE_EVP_MD_CTX_RESET /* Define to 1 if you have the `EVP_PKEY_get0_DSA' function. */ #undef HAVE_EVP_PKEY_GET0_DSA /* Define to 1 if you have the `EVP_PKEY_get0_EC_KEY' function. */ #undef HAVE_EVP_PKEY_GET0_EC_KEY /* Define to 1 if you have the `EVP_PKEY_get0_RSA' function. */ #undef HAVE_EVP_PKEY_GET0_RSA /* Define to 1 if you have the `EVP_PKEY_id' function. */ #undef HAVE_EVP_PKEY_ID /* Define to 1 if you have the `execve' function. */ #undef HAVE_EXECVE /* Define to 1 if you have the header file. */ #undef HAVE_FCNTL_H /* Define to 1 if you have the `flock' function. */ #undef HAVE_FLOCK /* Define to 1 if you have the `fork' function. */ #undef HAVE_FORK /* Define to 1 if you have the `ftruncate' function. */ #undef HAVE_FTRUNCATE /* Define to 1 if you have the `getgrnam' function. */ #undef HAVE_GETGRNAM /* Define to 1 if you have the `gethostbyname' function. */ #undef HAVE_GETHOSTBYNAME /* Define to 1 if you have the `getpass' function. */ #undef HAVE_GETPASS /* Define to 1 if you have the `getpeereid' function. */ #undef HAVE_GETPEEREID /* Define to 1 if you have the `getpeername' function. */ #undef HAVE_GETPEERNAME /* Define to 1 if you have the `getpid' function. */ #undef HAVE_GETPID /* Define to 1 if you have the `getpwnam' function. */ #undef HAVE_GETPWNAM /* Define to 1 if you have the `getsockname' function. */ #undef HAVE_GETSOCKNAME /* Define to 1 if you have the `getsockopt' function. */ #undef HAVE_GETSOCKOPT /* Define to 1 if you have the `gettimeofday' function. */ #undef HAVE_GETTIMEOFDAY /* Define to 1 if you have the header file. */ #undef HAVE_GRP_H /* Define to 1 if you have the `HMAC_CTX_free' function. */ #undef HAVE_HMAC_CTX_FREE /* Define to 1 if you have the `HMAC_CTX_new' function. */ #undef HAVE_HMAC_CTX_NEW /* Define to 1 if you have the `HMAC_CTX_reset' function. */ #undef HAVE_HMAC_CTX_RESET /* Define to 1 if you have the `inet_ntoa' function. */ #undef HAVE_INET_NTOA /* Define to 1 if you have the `inet_ntop' function. */ #undef HAVE_INET_NTOP /* Define to 1 if you have the `inet_pton' function. */ #undef HAVE_INET_PTON /* Define to 1 if you have the header file. */ #undef HAVE_INTTYPES_H /* Define to 1 if the system has the type `in_addr_t'. */ #undef HAVE_IN_ADDR_T /* struct in_pktinfo needed for IP_PKTINFO support */ #undef HAVE_IN_PKTINFO /* Define to 1 if the system has the type `in_port_t'. */ #undef HAVE_IN_PORT_T /* struct iovec needed for IPv6 support */ #undef HAVE_IOVEC /* Define to 1 if you have the header file. */ #undef HAVE_IO_H /* struct iphdr needed for IPv6 support */ #undef HAVE_IPHDR /* struct in_pktinfo.ipi_spec_dst needed for IP_PKTINFO support */ #undef HAVE_IPI_SPEC_DST /* Define to 1 if you have the header file. */ #undef HAVE_LIBGEN_H /* Define to 1 if you have the header file. */ #undef HAVE_LIMITS_H /* Define to 1 if you have the header file. */ #undef HAVE_LINUX_IF_TUN_H /* Define to 1 if you have the header file. */ #undef HAVE_LINUX_SOCKIOS_H /* Define to 1 if you have the header file. */ #undef HAVE_LINUX_TYPES_H /* Define to 1 if you have the `listen' function. */ #undef HAVE_LISTEN /* Define to 1 if you have the header file. */ #undef HAVE_LZ4_H /* Define to 1 if you have the header file. */ #undef HAVE_LZO1X_H /* Define to 1 if you have the header file. */ #undef HAVE_LZOUTIL_H /* Define to 1 if you have the header file. */ #undef HAVE_LZO_LZO1X_H /* Define to 1 if you have the header file. */ #undef HAVE_LZO_LZOUTIL_H /* Define to 1 if you have the `mbedtls_cipher_check_tag' function. */ #undef HAVE_MBEDTLS_CIPHER_CHECK_TAG /* Define to 1 if you have the `mbedtls_cipher_write_tag' function. */ #undef HAVE_MBEDTLS_CIPHER_WRITE_TAG /* Define to 1 if you have the header file. */ #undef HAVE_MEMORY_H /* Define to 1 if you have the `memset' function. */ #undef HAVE_MEMSET /* Define to 1 if you have the `mlockall' function. */ #undef HAVE_MLOCKALL /* struct msghdr needed for extended socket error support */ #undef HAVE_MSGHDR /* Define to 1 if you have the header file. */ #undef HAVE_NETDB_H /* Define to 1 if you have the header file. */ #undef HAVE_NETINET_IN_H /* Define to 1 if you have the header file. */ #undef HAVE_NETINET_IN_SYSTM_H /* Define to 1 if you have the header file. */ #undef HAVE_NETINET_IP_H /* Define to 1 if you have the header file. */ #undef HAVE_NETINET_TCP_H /* Define to 1 if you have the header file. */ #undef HAVE_NET_IF_H /* Define to 1 if you have the header file. */ #undef HAVE_NET_IF_TUN_H /* Define to 1 if you have the header file. */ #undef HAVE_NET_IF_UTUN_H /* Define to 1 if you have the header file. */ #undef HAVE_NET_TUN_IF_TUN_H /* Define to 1 if you have the `nice' function. */ #undef HAVE_NICE /* Define to 1 if you have the `openlog' function. */ #undef HAVE_OPENLOG /* OpenSSL engine support available */ #undef HAVE_OPENSSL_ENGINE /* Define to 1 if you have the `poll' function. */ #undef HAVE_POLL /* Define to 1 if you have the `putenv' function. */ #undef HAVE_PUTENV /* Define to 1 if you have the header file. */ #undef HAVE_PWD_H /* Define to 1 if you have the `readv' function. */ #undef HAVE_READV /* Define to 1 if you have the `recv' function. */ #undef HAVE_RECV /* Define to 1 if you have the `recvfrom' function. */ #undef HAVE_RECVFROM /* Define to 1 if you have the `recvmsg' function. */ #undef HAVE_RECVMSG /* Define to 1 if you have the header file. */ #undef HAVE_RESOLV_H /* Define to 1 if you have the `RSA_bits' function. */ #undef HAVE_RSA_BITS /* Define to 1 if you have the `RSA_get0_key' function. */ #undef HAVE_RSA_GET0_KEY /* Define to 1 if you have the `RSA_meth_free' function. */ #undef HAVE_RSA_METH_FREE /* Define to 1 if you have the `RSA_meth_new' function. */ #undef HAVE_RSA_METH_NEW /* Define to 1 if you have the `RSA_meth_set0_app_data' function. */ #undef HAVE_RSA_METH_SET0_APP_DATA /* Define to 1 if you have the `RSA_meth_set_finish' function. */ #undef HAVE_RSA_METH_SET_FINISH /* Define to 1 if you have the `RSA_meth_set_init' function. */ #undef HAVE_RSA_METH_SET_INIT /* Define to 1 if you have the `RSA_meth_set_priv_dec' function. */ #undef HAVE_RSA_METH_SET_PRIV_DEC /* Define to 1 if you have the `RSA_meth_set_priv_enc' function. */ #undef HAVE_RSA_METH_SET_PRIV_ENC /* Define to 1 if you have the `RSA_meth_set_pub_dec' function. */ #undef HAVE_RSA_METH_SET_PUB_DEC /* Define to 1 if you have the `RSA_meth_set_pub_enc' function. */ #undef HAVE_RSA_METH_SET_PUB_ENC /* Define to 1 if you have the `RSA_set0_key' function. */ #undef HAVE_RSA_SET0_KEY /* Define to 1 if you have the `RSA_set_flags' function. */ #undef HAVE_RSA_SET_FLAGS /* sa_family_t, needed to hold AF_* info */ #undef HAVE_SA_FAMILY_T /* Define to 1 if you have the `sd_booted' function. */ #undef HAVE_SD_BOOTED /* Define to 1 if you have the `select' function. */ #undef HAVE_SELECT /* Define to 1 if you have the `send' function. */ #undef HAVE_SEND /* Define to 1 if you have the `sendmsg' function. */ #undef HAVE_SENDMSG /* Define to 1 if you have the `sendto' function. */ #undef HAVE_SENDTO /* Define to 1 if you have the `setgid' function. */ #undef HAVE_SETGID /* Define to 1 if you have the `setgroups' function. */ #undef HAVE_SETGROUPS /* Define to 1 if you have the `setsid' function. */ #undef HAVE_SETSID /* Define to 1 if you have the `setsockopt' function. */ #undef HAVE_SETSOCKOPT /* Define to 1 if you have the `setuid' function. */ #undef HAVE_SETUID /* Define to 1 if you have the header file. */ #undef HAVE_SIGNAL_H /* Define to 1 if you have the `socket' function. */ #undef HAVE_SOCKET /* struct sock_extended_err needed for extended socket error support */ #undef HAVE_SOCK_EXTENDED_ERR /* Define to 1 if you have the `SSL_CTX_get_default_passwd_cb' function. */ #undef HAVE_SSL_CTX_GET_DEFAULT_PASSWD_CB /* Define to 1 if you have the `SSL_CTX_get_default_passwd_cb_userdata' function. */ #undef HAVE_SSL_CTX_GET_DEFAULT_PASSWD_CB_USERDATA /* Define to 1 if you have the `SSL_CTX_new' function. */ #undef HAVE_SSL_CTX_NEW /* Define to 1 if you have the `stat' function. */ #undef HAVE_STAT /* Define to 1 if you have the header file. */ #undef HAVE_STDARG_H /* Define to 1 if you have the header file. */ #undef HAVE_STDINT_H /* Define to 1 if you have the header file. */ #undef HAVE_STDIO_H /* Define to 1 if you have the header file. */ #undef HAVE_STDLIB_H /* Define to 1 if you have the `strdup' function. */ #undef HAVE_STRDUP /* Define to 1 if you have the header file. */ #undef HAVE_STRINGS_H /* Define to 1 if you have the header file. */ #undef HAVE_STRING_H /* Define to 1 if you have the header file. */ #undef HAVE_STROPTS_H /* Define to 1 if you have the `syslog' function. */ #undef HAVE_SYSLOG /* Define to 1 if you have the header file. */ #undef HAVE_SYSLOG_H /* Define to 1 if you have the `system' function. */ #undef HAVE_SYSTEM /* Define to 1 if you have the header file. */ #undef HAVE_SYSTEMD_SD_DAEMON_H /* Define to 1 if you have the header file. */ #undef HAVE_SYS_EPOLL_H /* Define to 1 if you have the header file. */ #undef HAVE_SYS_FILE_H /* Define to 1 if you have the header file. */ #undef HAVE_SYS_INOTIFY_H /* Define to 1 if you have the header file. */ #undef HAVE_SYS_IOCTL_H /* Define to 1 if you have the header file. */ #undef HAVE_SYS_KERN_CONTROL_H /* Define to 1 if you have the header file. */ #undef HAVE_SYS_MMAN_H /* Define to 1 if you have the header file. */ #undef HAVE_SYS_POLL_H /* Define to 1 if you have the header file. */ #undef HAVE_SYS_SOCKET_H /* Define to 1 if you have the header file. */ #undef HAVE_SYS_SOCKIO_H /* Define to 1 if you have the header file. */ #undef HAVE_SYS_STAT_H /* Define to 1 if you have the header file. */ #undef HAVE_SYS_TIME_H /* Define to 1 if you have the header file. */ #undef HAVE_SYS_TYPES_H /* Define to 1 if you have the header file. */ #undef HAVE_SYS_UIO_H /* Define to 1 if you have the header file. */ #undef HAVE_SYS_UN_H /* Define to 1 if you have the header file. */ #undef HAVE_SYS_WAIT_H /* Define to 1 if you have the header file. */ #undef HAVE_TAP_WINDOWS_H /* Define to 1 if you have the `time' function. */ #undef HAVE_TIME /* Define to 1 if you have the header file. */ #undef HAVE_TIME_H /* Define to 1 if you have the `umask' function. */ #undef HAVE_UMASK /* Define to 1 if you have the header file. */ #undef HAVE_UNISTD_H /* Define to 1 if you have the `unlink' function. */ #undef HAVE_UNLINK /* Define to 1 if you have the header file. */ #undef HAVE_VALGRIND_MEMCHECK_H /* Define to 1 if you have the header file. */ #undef HAVE_VERSIONHELPERS_H /* Define to 1 if you have the `vfork' function. */ #undef HAVE_VFORK /* Define to 1 if you have the header file. */ #undef HAVE_VFORK_H /* Define to 1 if you have the `vsnprintf' function. */ #undef HAVE_VSNPRINTF /* Define to 1 if you have the header file. */ #undef HAVE_WINDOWS_H /* Define to 1 if you have the header file. */ #undef HAVE_WINSOCK2_H /* Define to 1 if `fork' works. */ #undef HAVE_WORKING_FORK /* Define to 1 if `vfork' works. */ #undef HAVE_WORKING_VFORK /* Define to 1 if you have the `writev' function. */ #undef HAVE_WRITEV /* Define to 1 if you have the header file. */ #undef HAVE_WS2TCPIP_H /* Define to 1 if you have the `X509_get0_pubkey' function. */ #undef HAVE_X509_GET0_PUBKEY /* Define to 1 if you have the `X509_OBJECT_free' function. */ #undef HAVE_X509_OBJECT_FREE /* Define to 1 if you have the `X509_OBJECT_get_type' function. */ #undef HAVE_X509_OBJECT_GET_TYPE /* Define to 1 if you have the `X509_STORE_get0_objects' function. */ #undef HAVE_X509_STORE_GET0_OBJECTS /* Path to ifconfig tool */ #undef IFCONFIG_PATH /* Path to iproute tool */ #undef IPROUTE_PATH /* Define to the sub-directory in which libtool stores uninstalled libraries. */ #undef LT_OBJDIR /* use copy of LZ4 source in compat/ */ #undef NEED_COMPAT_LZ4 /* OpenVPN major version - integer */ #undef OPENVPN_VERSION_MAJOR /* OpenVPN minor version - integer */ #undef OPENVPN_VERSION_MINOR /* OpenVPN patch level - may be a string or integer */ #undef OPENVPN_VERSION_PATCH /* Version in windows resource format */ #undef OPENVPN_VERSION_RESOURCE /* Name of package */ #undef PACKAGE /* Define to the address where bug reports for this package should be sent. */ #undef PACKAGE_BUGREPORT /* Define to the full name of this package. */ #undef PACKAGE_NAME /* Define to the full name and version of this package. */ #undef PACKAGE_STRING /* Define to the one symbol short name of this package. */ #undef PACKAGE_TARNAME /* Define to the home page for this package. */ #undef PACKAGE_URL /* Define to the version of this package. */ #undef PACKAGE_VERSION /* Path separator */ #undef PATH_SEPARATOR /* Path separator */ #undef PATH_SEPARATOR_STR /* Enable pedantic mode */ #undef PEDANTIC /* Define as the return type of signal handlers (`int' or `void'). */ #undef RETSIGTYPE /* Path to route tool */ #undef ROUTE_PATH /* SIGHUP replacement */ #undef SIGHUP /* SIGINT replacement */ #undef SIGINT /* SIGTERM replacement */ #undef SIGTERM /* SIGUSR1 replacement */ #undef SIGUSR1 /* SIGUSR2 replacement */ #undef SIGUSR2 /* The size of `unsigned int', as computed by sizeof. */ #undef SIZEOF_UNSIGNED_INT /* The size of `unsigned long', as computed by sizeof. */ #undef SIZEOF_UNSIGNED_LONG /* Define to 1 if you have the ANSI C header files. */ #undef STDC_HEADERS /* Path to systemd-ask-password tool */ #undef SYSTEMD_ASK_PASSWORD_PATH /* systemd is newer than v216 */ #undef SYSTEMD_NEWER_THAN_216 /* The tap-windows id */ #undef TAP_WIN_COMPONENT_ID /* The tap-windows version number is required for OpenVPN */ #undef TAP_WIN_MIN_MAJOR /* The tap-windows version number is required for OpenVPN */ #undef TAP_WIN_MIN_MINOR /* Are we running AIX? */ #undef TARGET_AIX /* A string representing our host */ #undef TARGET_ALIAS /* Are we running on Mac OS X? */ #undef TARGET_DARWIN /* Are we running on DragonFlyBSD? */ #undef TARGET_DRAGONFLY /* Are we running on FreeBSD? */ #undef TARGET_FREEBSD /* Are we running on Linux? */ #undef TARGET_LINUX /* Are we running NetBSD? */ #undef TARGET_NETBSD /* Are we running on OpenBSD? */ #undef TARGET_OPENBSD /* Target prefix */ #undef TARGET_PREFIX /* Are we running on Solaris? */ #undef TARGET_SOLARIS /* Are we running WIN32? */ #undef TARGET_WIN32 /* dlopen libpam */ #undef USE_PAM_DLOPEN /* Enable extensions on AIX 3, Interix. */ #ifndef _ALL_SOURCE # undef _ALL_SOURCE #endif /* Enable GNU extensions on systems that have them. */ #ifndef _GNU_SOURCE # undef _GNU_SOURCE #endif /* Enable threading extensions on Solaris. */ #ifndef _POSIX_PTHREAD_SEMANTICS # undef _POSIX_PTHREAD_SEMANTICS #endif /* Enable extensions on HP NonStop. */ #ifndef _TANDEM_SOURCE # undef _TANDEM_SOURCE #endif /* Enable general extensions on Solaris. */ #ifndef __EXTENSIONS__ # undef __EXTENSIONS__ #endif /* Use valgrind memory debugging library */ #undef USE_VALGRIND /* Version number of package */ #undef VERSION /* Define to 1 if on MINIX. */ #undef _MINIX /* Define to 2 if the system does not provide POSIX.1 features except with this defined. */ #undef _POSIX_1_SOURCE /* Define to 1 if you need to in order for `stat' and other things to work. */ #undef _POSIX_SOURCE /* Define for Solaris 2.5.1 so the uint32_t typedef from , , or is not used. If the typedef were allowed, the #define below would cause a syntax error. */ #undef _UINT32_T /* Define for Solaris 2.5.1 so the uint64_t typedef from , , or is not used. If the typedef were allowed, the #define below would cause a syntax error. */ #undef _UINT64_T /* Define for Solaris 2.5.1 so the uint8_t typedef from , , or is not used. If the typedef were allowed, the #define below would cause a syntax error. */ #undef _UINT8_T /* Define to empty if `const' does not conform to ANSI C. */ #undef const /* Define to `int' if doesn't define. */ #undef gid_t /* Workaround missing in_addr_t */ #undef in_addr_t /* Workaround missing in_port_t */ #undef in_port_t /* Define to `__inline__' or `__inline' if that's what the C compiler calls it, or to nothing if 'inline' is not supported under any name. */ #ifndef __cplusplus #undef inline #endif /* Define to the type of a signed integer type of width exactly 16 bits if such a type exists and the standard includes do not define it. */ #undef int16_t /* Define to the type of a signed integer type of width exactly 32 bits if such a type exists and the standard includes do not define it. */ #undef int32_t /* Define to the type of a signed integer type of width exactly 64 bits if such a type exists and the standard includes do not define it. */ #undef int64_t /* Define to the type of a signed integer type of width exactly 8 bits if such a type exists and the standard includes do not define it. */ #undef int8_t /* Define to `long int' if does not define. */ #undef off_t /* Define to `int' if does not define. */ #undef pid_t /* Define to `unsigned int' if does not define. */ #undef size_t /* type to use in place of socklen_t if not defined */ #undef socklen_t /* Define to `int' if doesn't define. */ #undef uid_t /* Define to the type of an unsigned integer type of width exactly 16 bits if such a type exists and the standard includes do not define it. */ #undef uint16_t /* Define to the type of an unsigned integer type of width exactly 32 bits if such a type exists and the standard includes do not define it. */ #undef uint32_t /* Define to the type of an unsigned integer type of width exactly 64 bits if such a type exists and the standard includes do not define it. */ #undef uint64_t /* Define to the type of an unsigned integer type of width exactly 8 bits if such a type exists and the standard includes do not define it. */ #undef uint8_t /* Define as `fork' if `vfork' does not work. */ #undef vfork /* Define to empty if the keyword `volatile' does not work. Warning: valid code using `volatile' can become incorrect without. Disable with care. */ #undef volatile openvpn-2.4.4/config.sub000077500000000000000000001057751316434344000152120ustar00rootroot00000000000000#! /bin/sh # Configuration validation subroutine script. # Copyright 1992-2014 Free Software Foundation, Inc. timestamp='2014-09-11' # This file is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 3 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, but # WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU # General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, see . # # As a special exception to the GNU General Public License, if you # distribute this file as part of a program that contains a # configuration script generated by Autoconf, you may include it under # the same distribution terms that you use for the rest of that # program. This Exception is an additional permission under section 7 # of the GNU General Public License, version 3 ("GPLv3"). # Please send patches with a ChangeLog entry to config-patches@gnu.org. # # Configuration subroutine to validate and canonicalize a configuration type. # Supply the specified configuration type as an argument. # If it is invalid, we print an error message on stderr and exit with code 1. # Otherwise, we print the canonical config type on stdout and succeed. # You can get the latest version of this script from: # http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub;hb=HEAD # This file is supposed to be the same for all GNU packages # and recognize all the CPU types, system types and aliases # that are meaningful with *any* GNU software. # Each package is responsible for reporting which valid configurations # it does not support. The user should be able to distinguish # a failure to support a valid configuration from a meaningless # configuration. # The goal of this file is to map all the various variations of a given # machine specification into a single specification in the form: # CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM # or in some cases, the newer four-part form: # CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM # It is wrong to echo any other type of specification. me=`echo "$0" | sed -e 's,.*/,,'` usage="\ Usage: $0 [OPTION] CPU-MFR-OPSYS $0 [OPTION] ALIAS Canonicalize a configuration name. Operation modes: -h, --help print this help, then exit -t, --time-stamp print date of last modification, then exit -v, --version print version number, then exit Report bugs and patches to ." version="\ GNU config.sub ($timestamp) Copyright 1992-2014 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." help=" Try \`$me --help' for more information." # Parse command line while test $# -gt 0 ; do case $1 in --time-stamp | --time* | -t ) echo "$timestamp" ; exit ;; --version | -v ) echo "$version" ; exit ;; --help | --h* | -h ) echo "$usage"; exit ;; -- ) # Stop option processing shift; break ;; - ) # Use stdin as input. break ;; -* ) echo "$me: invalid option $1$help" exit 1 ;; *local*) # First pass through any local machine types. echo $1 exit ;; * ) break ;; esac done case $# in 0) echo "$me: missing argument$help" >&2 exit 1;; 1) ;; *) echo "$me: too many arguments$help" >&2 exit 1;; esac # Separate what the user gave into CPU-COMPANY and OS or KERNEL-OS (if any). # Here we must recognize all the valid KERNEL-OS combinations. maybe_os=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\2/'` case $maybe_os in nto-qnx* | linux-gnu* | linux-android* | linux-dietlibc | linux-newlib* | \ linux-musl* | linux-uclibc* | uclinux-uclibc* | uclinux-gnu* | kfreebsd*-gnu* | \ knetbsd*-gnu* | netbsd*-gnu* | \ kopensolaris*-gnu* | \ storm-chaos* | os2-emx* | rtmk-nova*) os=-$maybe_os basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'` ;; android-linux) os=-linux-android basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`-unknown ;; *) basic_machine=`echo $1 | sed 's/-[^-]*$//'` if [ $basic_machine != $1 ] then os=`echo $1 | sed 's/.*-/-/'` else os=; fi ;; esac ### Let's recognize common machines as not being operating systems so ### that things like config.sub decstation-3100 work. We also ### recognize some manufacturers as not being operating systems, so we ### can provide default operating systems below. case $os in -sun*os*) # Prevent following clause from handling this invalid input. ;; -dec* | -mips* | -sequent* | -encore* | -pc532* | -sgi* | -sony* | \ -att* | -7300* | -3300* | -delta* | -motorola* | -sun[234]* | \ -unicom* | -ibm* | -next | -hp | -isi* | -apollo | -altos* | \ -convergent* | -ncr* | -news | -32* | -3600* | -3100* | -hitachi* |\ -c[123]* | -convex* | -sun | -crds | -omron* | -dg | -ultra | -tti* | \ -harris | -dolphin | -highlevel | -gould | -cbm | -ns | -masscomp | \ -apple | -axis | -knuth | -cray | -microblaze*) os= basic_machine=$1 ;; -bluegene*) os=-cnk ;; -sim | -cisco | -oki | -wec | -winbond) os= basic_machine=$1 ;; -scout) ;; -wrs) os=-vxworks basic_machine=$1 ;; -chorusos*) os=-chorusos basic_machine=$1 ;; -chorusrdb) os=-chorusrdb basic_machine=$1 ;; -hiux*) os=-hiuxwe2 ;; -sco6) os=-sco5v6 basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` ;; -sco5) os=-sco3.2v5 basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` ;; -sco4) os=-sco3.2v4 basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` ;; -sco3.2.[4-9]*) os=`echo $os | sed -e 's/sco3.2./sco3.2v/'` basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` ;; -sco3.2v[4-9]*) # Don't forget version if it is 3.2v4 or newer. basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` ;; -sco5v6*) # Don't forget version if it is 3.2v4 or newer. basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` ;; -sco*) os=-sco3.2v2 basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` ;; -udk*) basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` ;; -isc) os=-isc2.2 basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` ;; -clix*) basic_machine=clipper-intergraph ;; -isc*) basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` ;; -lynx*178) os=-lynxos178 ;; -lynx*5) os=-lynxos5 ;; -lynx*) os=-lynxos ;; -ptx*) basic_machine=`echo $1 | sed -e 's/86-.*/86-sequent/'` ;; -windowsnt*) os=`echo $os | sed -e 's/windowsnt/winnt/'` ;; -psos*) os=-psos ;; -mint | -mint[0-9]*) basic_machine=m68k-atari os=-mint ;; esac # Decode aliases for certain CPU-COMPANY combinations. case $basic_machine in # Recognize the basic CPU types without company name. # Some are omitted here because they have special meanings below. 1750a | 580 \ | a29k \ | aarch64 | aarch64_be \ | alpha | alphaev[4-8] | alphaev56 | alphaev6[78] | alphapca5[67] \ | alpha64 | alpha64ev[4-8] | alpha64ev56 | alpha64ev6[78] | alpha64pca5[67] \ | am33_2.0 \ | arc | arceb \ | arm | arm[bl]e | arme[lb] | armv[2-8] | armv[3-8][lb] | armv7[arm] \ | avr | avr32 \ | be32 | be64 \ | bfin \ | c4x | c8051 | clipper \ | d10v | d30v | dlx | dsp16xx \ | epiphany \ | fido | fr30 | frv \ | h8300 | h8500 | hppa | hppa1.[01] | hppa2.0 | hppa2.0[nw] | hppa64 \ | hexagon \ | i370 | i860 | i960 | ia64 \ | ip2k | iq2000 \ | k1om \ | le32 | le64 \ | lm32 \ | m32c | m32r | m32rle | m68000 | m68k | m88k \ | maxq | mb | microblaze | microblazeel | mcore | mep | metag \ | mips | mipsbe | mipseb | mipsel | mipsle \ | mips16 \ | mips64 | mips64el \ | mips64octeon | mips64octeonel \ | mips64orion | mips64orionel \ | mips64r5900 | mips64r5900el \ | mips64vr | mips64vrel \ | mips64vr4100 | mips64vr4100el \ | mips64vr4300 | mips64vr4300el \ | mips64vr5000 | mips64vr5000el \ | mips64vr5900 | mips64vr5900el \ | mipsisa32 | mipsisa32el \ | mipsisa32r2 | mipsisa32r2el \ | mipsisa32r6 | mipsisa32r6el \ | mipsisa64 | mipsisa64el \ | mipsisa64r2 | mipsisa64r2el \ | mipsisa64r6 | mipsisa64r6el \ | mipsisa64sb1 | mipsisa64sb1el \ | mipsisa64sr71k | mipsisa64sr71kel \ | mipsr5900 | mipsr5900el \ | mipstx39 | mipstx39el \ | mn10200 | mn10300 \ | moxie \ | mt \ | msp430 \ | nds32 | nds32le | nds32be \ | nios | nios2 | nios2eb | nios2el \ | ns16k | ns32k \ | open8 | or1k | or1knd | or32 \ | pdp10 | pdp11 | pj | pjl \ | powerpc | powerpc64 | powerpc64le | powerpcle \ | pyramid \ | riscv32 | riscv64 \ | rl78 | rx \ | score \ | sh | sh[1234] | sh[24]a | sh[24]aeb | sh[23]e | sh[34]eb | sheb | shbe | shle | sh[1234]le | sh3ele \ | sh64 | sh64le \ | sparc | sparc64 | sparc64b | sparc64v | sparc86x | sparclet | sparclite \ | sparcv8 | sparcv9 | sparcv9b | sparcv9v \ | spu \ | tahoe | tic4x | tic54x | tic55x | tic6x | tic80 | tron \ | ubicom32 \ | v850 | v850e | v850e1 | v850e2 | v850es | v850e2v3 \ | we32k \ | x86 | xc16x | xstormy16 | xtensa \ | z8k | z80) basic_machine=$basic_machine-unknown ;; c54x) basic_machine=tic54x-unknown ;; c55x) basic_machine=tic55x-unknown ;; c6x) basic_machine=tic6x-unknown ;; m6811 | m68hc11 | m6812 | m68hc12 | m68hcs12x | nvptx | picochip) basic_machine=$basic_machine-unknown os=-none ;; m88110 | m680[12346]0 | m683?2 | m68360 | m5200 | v70 | w65 | z8k) ;; ms1) basic_machine=mt-unknown ;; strongarm | thumb | xscale) basic_machine=arm-unknown ;; xgate) basic_machine=$basic_machine-unknown os=-none ;; xscaleeb) basic_machine=armeb-unknown ;; xscaleel) basic_machine=armel-unknown ;; # We use `pc' rather than `unknown' # because (1) that's what they normally are, and # (2) the word "unknown" tends to confuse beginning users. i*86 | x86_64) basic_machine=$basic_machine-pc ;; # Object if more than one company name word. *-*-*) echo Invalid configuration \`$1\': machine \`$basic_machine\' not recognized 1>&2 exit 1 ;; # Recognize the basic CPU types with company name. 580-* \ | a29k-* \ | aarch64-* | aarch64_be-* \ | alpha-* | alphaev[4-8]-* | alphaev56-* | alphaev6[78]-* \ | alpha64-* | alpha64ev[4-8]-* | alpha64ev56-* | alpha64ev6[78]-* \ | alphapca5[67]-* | alpha64pca5[67]-* | arc-* | arceb-* \ | arm-* | armbe-* | armle-* | armeb-* | armv*-* \ | avr-* | avr32-* \ | be32-* | be64-* \ | bfin-* | bs2000-* \ | c[123]* | c30-* | [cjt]90-* | c4x-* \ | c8051-* | clipper-* | craynv-* | cydra-* \ | d10v-* | d30v-* | dlx-* \ | elxsi-* \ | f30[01]-* | f700-* | fido-* | fr30-* | frv-* | fx80-* \ | h8300-* | h8500-* \ | hppa-* | hppa1.[01]-* | hppa2.0-* | hppa2.0[nw]-* | hppa64-* \ | hexagon-* \ | i*86-* | i860-* | i960-* | ia64-* \ | ip2k-* | iq2000-* \ | k1om-* \ | le32-* | le64-* \ | lm32-* \ | m32c-* | m32r-* | m32rle-* \ | m68000-* | m680[012346]0-* | m68360-* | m683?2-* | m68k-* \ | m88110-* | m88k-* | maxq-* | mcore-* | metag-* \ | microblaze-* | microblazeel-* \ | mips-* | mipsbe-* | mipseb-* | mipsel-* | mipsle-* \ | mips16-* \ | mips64-* | mips64el-* \ | mips64octeon-* | mips64octeonel-* \ | mips64orion-* | mips64orionel-* \ | mips64r5900-* | mips64r5900el-* \ | mips64vr-* | mips64vrel-* \ | mips64vr4100-* | mips64vr4100el-* \ | mips64vr4300-* | mips64vr4300el-* \ | mips64vr5000-* | mips64vr5000el-* \ | mips64vr5900-* | mips64vr5900el-* \ | mipsisa32-* | mipsisa32el-* \ | mipsisa32r2-* | mipsisa32r2el-* \ | mipsisa32r6-* | mipsisa32r6el-* \ | mipsisa64-* | mipsisa64el-* \ | mipsisa64r2-* | mipsisa64r2el-* \ | mipsisa64r6-* | mipsisa64r6el-* \ | mipsisa64sb1-* | mipsisa64sb1el-* \ | mipsisa64sr71k-* | mipsisa64sr71kel-* \ | mipsr5900-* | mipsr5900el-* \ | mipstx39-* | mipstx39el-* \ | mmix-* \ | mt-* \ | msp430-* \ | nds32-* | nds32le-* | nds32be-* \ | nios-* | nios2-* | nios2eb-* | nios2el-* \ | none-* | np1-* | ns16k-* | ns32k-* \ | open8-* \ | or1k*-* \ | orion-* \ | pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \ | powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* \ | pyramid-* \ | rl78-* | romp-* | rs6000-* | rx-* \ | sh-* | sh[1234]-* | sh[24]a-* | sh[24]aeb-* | sh[23]e-* | sh[34]eb-* | sheb-* | shbe-* \ | shle-* | sh[1234]le-* | sh3ele-* | sh64-* | sh64le-* \ | sparc-* | sparc64-* | sparc64b-* | sparc64v-* | sparc86x-* | sparclet-* \ | sparclite-* \ | sparcv8-* | sparcv9-* | sparcv9b-* | sparcv9v-* | sv1-* | sx?-* \ | tahoe-* \ | tic30-* | tic4x-* | tic54x-* | tic55x-* | tic6x-* | tic80-* \ | tile*-* \ | tron-* \ | ubicom32-* \ | v850-* | v850e-* | v850e1-* | v850es-* | v850e2-* | v850e2v3-* \ | vax-* \ | we32k-* \ | x86-* | x86_64-* | xc16x-* | xps100-* \ | xstormy16-* | xtensa*-* \ | ymp-* \ | z8k-* | z80-*) ;; # Recognize the basic CPU types without company name, with glob match. xtensa*) basic_machine=$basic_machine-unknown ;; # Recognize the various machine names and aliases which stand # for a CPU type and a company and sometimes even an OS. 386bsd) basic_machine=i386-unknown os=-bsd ;; 3b1 | 7300 | 7300-att | att-7300 | pc7300 | safari | unixpc) basic_machine=m68000-att ;; 3b*) basic_machine=we32k-att ;; a29khif) basic_machine=a29k-amd os=-udi ;; abacus) basic_machine=abacus-unknown ;; adobe68k) basic_machine=m68010-adobe os=-scout ;; alliant | fx80) basic_machine=fx80-alliant ;; altos | altos3068) basic_machine=m68k-altos ;; am29k) basic_machine=a29k-none os=-bsd ;; amd64) basic_machine=x86_64-pc ;; amd64-*) basic_machine=x86_64-`echo $basic_machine | sed 's/^[^-]*-//'` ;; amdahl) basic_machine=580-amdahl os=-sysv ;; amiga | amiga-*) basic_machine=m68k-unknown ;; amigaos | amigados) basic_machine=m68k-unknown os=-amigaos ;; amigaunix | amix) basic_machine=m68k-unknown os=-sysv4 ;; apollo68) basic_machine=m68k-apollo os=-sysv ;; apollo68bsd) basic_machine=m68k-apollo os=-bsd ;; aros) basic_machine=i386-pc os=-aros ;; aux) basic_machine=m68k-apple os=-aux ;; balance) basic_machine=ns32k-sequent os=-dynix ;; blackfin) basic_machine=bfin-unknown os=-linux ;; blackfin-*) basic_machine=bfin-`echo $basic_machine | sed 's/^[^-]*-//'` os=-linux ;; bluegene*) basic_machine=powerpc-ibm os=-cnk ;; c54x-*) basic_machine=tic54x-`echo $basic_machine | sed 's/^[^-]*-//'` ;; c55x-*) basic_machine=tic55x-`echo $basic_machine | sed 's/^[^-]*-//'` ;; c6x-*) basic_machine=tic6x-`echo $basic_machine | sed 's/^[^-]*-//'` ;; c90) basic_machine=c90-cray os=-unicos ;; cegcc) basic_machine=arm-unknown os=-cegcc ;; convex-c1) basic_machine=c1-convex os=-bsd ;; convex-c2) basic_machine=c2-convex os=-bsd ;; convex-c32) basic_machine=c32-convex os=-bsd ;; convex-c34) basic_machine=c34-convex os=-bsd ;; convex-c38) basic_machine=c38-convex os=-bsd ;; cray | j90) basic_machine=j90-cray os=-unicos ;; craynv) basic_machine=craynv-cray os=-unicosmp ;; cr16 | cr16-*) basic_machine=cr16-unknown os=-elf ;; crds | unos) basic_machine=m68k-crds ;; crisv32 | crisv32-* | etraxfs*) basic_machine=crisv32-axis ;; cris | cris-* | etrax*) basic_machine=cris-axis ;; crx) basic_machine=crx-unknown os=-elf ;; da30 | da30-*) basic_machine=m68k-da30 ;; decstation | decstation-3100 | pmax | pmax-* | pmin | dec3100 | decstatn) basic_machine=mips-dec ;; decsystem10* | dec10*) basic_machine=pdp10-dec os=-tops10 ;; decsystem20* | dec20*) basic_machine=pdp10-dec os=-tops20 ;; delta | 3300 | motorola-3300 | motorola-delta \ | 3300-motorola | delta-motorola) basic_machine=m68k-motorola ;; delta88) basic_machine=m88k-motorola os=-sysv3 ;; dicos) basic_machine=i686-pc os=-dicos ;; djgpp) basic_machine=i586-pc os=-msdosdjgpp ;; dpx20 | dpx20-*) basic_machine=rs6000-bull os=-bosx ;; dpx2* | dpx2*-bull) basic_machine=m68k-bull os=-sysv3 ;; ebmon29k) basic_machine=a29k-amd os=-ebmon ;; elxsi) basic_machine=elxsi-elxsi os=-bsd ;; encore | umax | mmax) basic_machine=ns32k-encore ;; es1800 | OSE68k | ose68k | ose | OSE) basic_machine=m68k-ericsson os=-ose ;; fx2800) basic_machine=i860-alliant ;; genix) basic_machine=ns32k-ns ;; gmicro) basic_machine=tron-gmicro os=-sysv ;; go32) basic_machine=i386-pc os=-go32 ;; h3050r* | hiux*) basic_machine=hppa1.1-hitachi os=-hiuxwe2 ;; h8300hms) basic_machine=h8300-hitachi os=-hms ;; h8300xray) basic_machine=h8300-hitachi os=-xray ;; h8500hms) basic_machine=h8500-hitachi os=-hms ;; harris) basic_machine=m88k-harris os=-sysv3 ;; hp300-*) basic_machine=m68k-hp ;; hp300bsd) basic_machine=m68k-hp os=-bsd ;; hp300hpux) basic_machine=m68k-hp os=-hpux ;; hp3k9[0-9][0-9] | hp9[0-9][0-9]) basic_machine=hppa1.0-hp ;; hp9k2[0-9][0-9] | hp9k31[0-9]) basic_machine=m68000-hp ;; hp9k3[2-9][0-9]) basic_machine=m68k-hp ;; hp9k6[0-9][0-9] | hp6[0-9][0-9]) basic_machine=hppa1.0-hp ;; hp9k7[0-79][0-9] | hp7[0-79][0-9]) basic_machine=hppa1.1-hp ;; hp9k78[0-9] | hp78[0-9]) # FIXME: really hppa2.0-hp basic_machine=hppa1.1-hp ;; hp9k8[67]1 | hp8[67]1 | hp9k80[24] | hp80[24] | hp9k8[78]9 | hp8[78]9 | hp9k893 | hp893) # FIXME: really hppa2.0-hp basic_machine=hppa1.1-hp ;; hp9k8[0-9][13679] | hp8[0-9][13679]) basic_machine=hppa1.1-hp ;; hp9k8[0-9][0-9] | hp8[0-9][0-9]) basic_machine=hppa1.0-hp ;; hppa-next) os=-nextstep3 ;; hppaosf) basic_machine=hppa1.1-hp os=-osf ;; hppro) basic_machine=hppa1.1-hp os=-proelf ;; i370-ibm* | ibm*) basic_machine=i370-ibm ;; i*86v32) basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'` os=-sysv32 ;; i*86v4*) basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'` os=-sysv4 ;; i*86v) basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'` os=-sysv ;; i*86sol2) basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'` os=-solaris2 ;; i386mach) basic_machine=i386-mach os=-mach ;; i386-vsta | vsta) basic_machine=i386-unknown os=-vsta ;; iris | iris4d) basic_machine=mips-sgi case $os in -irix*) ;; *) os=-irix4 ;; esac ;; isi68 | isi) basic_machine=m68k-isi os=-sysv ;; m68knommu) basic_machine=m68k-unknown os=-linux ;; m68knommu-*) basic_machine=m68k-`echo $basic_machine | sed 's/^[^-]*-//'` os=-linux ;; m88k-omron*) basic_machine=m88k-omron ;; magnum | m3230) basic_machine=mips-mips os=-sysv ;; merlin) basic_machine=ns32k-utek os=-sysv ;; microblaze*) basic_machine=microblaze-xilinx ;; mingw64) basic_machine=x86_64-pc os=-mingw64 ;; mingw32) basic_machine=i686-pc os=-mingw32 ;; mingw32ce) basic_machine=arm-unknown os=-mingw32ce ;; miniframe) basic_machine=m68000-convergent ;; *mint | -mint[0-9]* | *MiNT | *MiNT[0-9]*) basic_machine=m68k-atari os=-mint ;; mips3*-*) basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'` ;; mips3*) basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'`-unknown ;; monitor) basic_machine=m68k-rom68k os=-coff ;; morphos) basic_machine=powerpc-unknown os=-morphos ;; moxiebox) basic_machine=moxie-unknown os=-moxiebox ;; msdos) basic_machine=i386-pc os=-msdos ;; ms1-*) basic_machine=`echo $basic_machine | sed -e 's/ms1-/mt-/'` ;; msys) basic_machine=i686-pc os=-msys ;; mvs) basic_machine=i370-ibm os=-mvs ;; nacl) basic_machine=le32-unknown os=-nacl ;; ncr3000) basic_machine=i486-ncr os=-sysv4 ;; netbsd386) basic_machine=i386-unknown os=-netbsd ;; netwinder) basic_machine=armv4l-rebel os=-linux ;; news | news700 | news800 | news900) basic_machine=m68k-sony os=-newsos ;; news1000) basic_machine=m68030-sony os=-newsos ;; news-3600 | risc-news) basic_machine=mips-sony os=-newsos ;; necv70) basic_machine=v70-nec os=-sysv ;; next | m*-next ) basic_machine=m68k-next case $os in -nextstep* ) ;; -ns2*) os=-nextstep2 ;; *) os=-nextstep3 ;; esac ;; nh3000) basic_machine=m68k-harris os=-cxux ;; nh[45]000) basic_machine=m88k-harris os=-cxux ;; nindy960) basic_machine=i960-intel os=-nindy ;; mon960) basic_machine=i960-intel os=-mon960 ;; nonstopux) basic_machine=mips-compaq os=-nonstopux ;; np1) basic_machine=np1-gould ;; neo-tandem) basic_machine=neo-tandem ;; nse-tandem) basic_machine=nse-tandem ;; nsr-tandem) basic_machine=nsr-tandem ;; op50n-* | op60c-*) basic_machine=hppa1.1-oki os=-proelf ;; openrisc | openrisc-*) basic_machine=or32-unknown ;; os400) basic_machine=powerpc-ibm os=-os400 ;; OSE68000 | ose68000) basic_machine=m68000-ericsson os=-ose ;; os68k) basic_machine=m68k-none os=-os68k ;; pa-hitachi) basic_machine=hppa1.1-hitachi os=-hiuxwe2 ;; paragon) basic_machine=i860-intel os=-osf ;; parisc) basic_machine=hppa-unknown os=-linux ;; parisc-*) basic_machine=hppa-`echo $basic_machine | sed 's/^[^-]*-//'` os=-linux ;; pbd) basic_machine=sparc-tti ;; pbb) basic_machine=m68k-tti ;; pc532 | pc532-*) basic_machine=ns32k-pc532 ;; pc98) basic_machine=i386-pc ;; pc98-*) basic_machine=i386-`echo $basic_machine | sed 's/^[^-]*-//'` ;; pentium | p5 | k5 | k6 | nexgen | viac3) basic_machine=i586-pc ;; pentiumpro | p6 | 6x86 | athlon | athlon_*) basic_machine=i686-pc ;; pentiumii | pentium2 | pentiumiii | pentium3) basic_machine=i686-pc ;; pentium4) basic_machine=i786-pc ;; pentium-* | p5-* | k5-* | k6-* | nexgen-* | viac3-*) basic_machine=i586-`echo $basic_machine | sed 's/^[^-]*-//'` ;; pentiumpro-* | p6-* | 6x86-* | athlon-*) basic_machine=i686-`echo $basic_machine | sed 's/^[^-]*-//'` ;; pentiumii-* | pentium2-* | pentiumiii-* | pentium3-*) basic_machine=i686-`echo $basic_machine | sed 's/^[^-]*-//'` ;; pentium4-*) basic_machine=i786-`echo $basic_machine | sed 's/^[^-]*-//'` ;; pn) basic_machine=pn-gould ;; power) basic_machine=power-ibm ;; ppc | ppcbe) basic_machine=powerpc-unknown ;; ppc-* | ppcbe-*) basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'` ;; ppcle | powerpclittle | ppc-le | powerpc-little) basic_machine=powerpcle-unknown ;; ppcle-* | powerpclittle-*) basic_machine=powerpcle-`echo $basic_machine | sed 's/^[^-]*-//'` ;; ppc64) basic_machine=powerpc64-unknown ;; ppc64-*) basic_machine=powerpc64-`echo $basic_machine | sed 's/^[^-]*-//'` ;; ppc64le | powerpc64little | ppc64-le | powerpc64-little) basic_machine=powerpc64le-unknown ;; ppc64le-* | powerpc64little-*) basic_machine=powerpc64le-`echo $basic_machine | sed 's/^[^-]*-//'` ;; ps2) basic_machine=i386-ibm ;; pw32) basic_machine=i586-unknown os=-pw32 ;; rdos | rdos64) basic_machine=x86_64-pc os=-rdos ;; rdos32) basic_machine=i386-pc os=-rdos ;; rom68k) basic_machine=m68k-rom68k os=-coff ;; rm[46]00) basic_machine=mips-siemens ;; rtpc | rtpc-*) basic_machine=romp-ibm ;; s390 | s390-*) basic_machine=s390-ibm ;; s390x | s390x-*) basic_machine=s390x-ibm ;; sa29200) basic_machine=a29k-amd os=-udi ;; sb1) basic_machine=mipsisa64sb1-unknown ;; sb1el) basic_machine=mipsisa64sb1el-unknown ;; sde) basic_machine=mipsisa32-sde os=-elf ;; sei) basic_machine=mips-sei os=-seiux ;; sequent) basic_machine=i386-sequent ;; sh) basic_machine=sh-hitachi os=-hms ;; sh5el) basic_machine=sh5le-unknown ;; sh64) basic_machine=sh64-unknown ;; sparclite-wrs | simso-wrs) basic_machine=sparclite-wrs os=-vxworks ;; sps7) basic_machine=m68k-bull os=-sysv2 ;; spur) basic_machine=spur-unknown ;; st2000) basic_machine=m68k-tandem ;; stratus) basic_machine=i860-stratus os=-sysv4 ;; strongarm-* | thumb-*) basic_machine=arm-`echo $basic_machine | sed 's/^[^-]*-//'` ;; sun2) basic_machine=m68000-sun ;; sun2os3) basic_machine=m68000-sun os=-sunos3 ;; sun2os4) basic_machine=m68000-sun os=-sunos4 ;; sun3os3) basic_machine=m68k-sun os=-sunos3 ;; sun3os4) basic_machine=m68k-sun os=-sunos4 ;; sun4os3) basic_machine=sparc-sun os=-sunos3 ;; sun4os4) basic_machine=sparc-sun os=-sunos4 ;; sun4sol2) basic_machine=sparc-sun os=-solaris2 ;; sun3 | sun3-*) basic_machine=m68k-sun ;; sun4) basic_machine=sparc-sun ;; sun386 | sun386i | roadrunner) basic_machine=i386-sun ;; sv1) basic_machine=sv1-cray os=-unicos ;; symmetry) basic_machine=i386-sequent os=-dynix ;; t3e) basic_machine=alphaev5-cray os=-unicos ;; t90) basic_machine=t90-cray os=-unicos ;; tile*) basic_machine=$basic_machine-unknown os=-linux-gnu ;; tx39) basic_machine=mipstx39-unknown ;; tx39el) basic_machine=mipstx39el-unknown ;; toad1) basic_machine=pdp10-xkl os=-tops20 ;; tower | tower-32) basic_machine=m68k-ncr ;; tpf) basic_machine=s390x-ibm os=-tpf ;; udi29k) basic_machine=a29k-amd os=-udi ;; ultra3) basic_machine=a29k-nyu os=-sym1 ;; v810 | necv810) basic_machine=v810-nec os=-none ;; vaxv) basic_machine=vax-dec os=-sysv ;; vms) basic_machine=vax-dec os=-vms ;; vpp*|vx|vx-*) basic_machine=f301-fujitsu ;; vxworks960) basic_machine=i960-wrs os=-vxworks ;; vxworks68) basic_machine=m68k-wrs os=-vxworks ;; vxworks29k) basic_machine=a29k-wrs os=-vxworks ;; w65*) basic_machine=w65-wdc os=-none ;; w89k-*) basic_machine=hppa1.1-winbond os=-proelf ;; xbox) basic_machine=i686-pc os=-mingw32 ;; xps | xps100) basic_machine=xps100-honeywell ;; xscale-* | xscalee[bl]-*) basic_machine=`echo $basic_machine | sed 's/^xscale/arm/'` ;; ymp) basic_machine=ymp-cray os=-unicos ;; z8k-*-coff) basic_machine=z8k-unknown os=-sim ;; z80-*-coff) basic_machine=z80-unknown os=-sim ;; none) basic_machine=none-none os=-none ;; # Here we handle the default manufacturer of certain CPU types. It is in # some cases the only manufacturer, in others, it is the most popular. w89k) basic_machine=hppa1.1-winbond ;; op50n) basic_machine=hppa1.1-oki ;; op60c) basic_machine=hppa1.1-oki ;; romp) basic_machine=romp-ibm ;; mmix) basic_machine=mmix-knuth ;; rs6000) basic_machine=rs6000-ibm ;; vax) basic_machine=vax-dec ;; pdp10) # there are many clones, so DEC is not a safe bet basic_machine=pdp10-unknown ;; pdp11) basic_machine=pdp11-dec ;; we32k) basic_machine=we32k-att ;; sh[1234] | sh[24]a | sh[24]aeb | sh[34]eb | sh[1234]le | sh[23]ele) basic_machine=sh-unknown ;; sparc | sparcv8 | sparcv9 | sparcv9b | sparcv9v) basic_machine=sparc-sun ;; cydra) basic_machine=cydra-cydrome ;; orion) basic_machine=orion-highlevel ;; orion105) basic_machine=clipper-highlevel ;; mac | mpw | mac-mpw) basic_machine=m68k-apple ;; pmac | pmac-mpw) basic_machine=powerpc-apple ;; *-unknown) # Make sure to match an already-canonicalized machine name. ;; *) echo Invalid configuration \`$1\': machine \`$basic_machine\' not recognized 1>&2 exit 1 ;; esac # Here we canonicalize certain aliases for manufacturers. case $basic_machine in *-digital*) basic_machine=`echo $basic_machine | sed 's/digital.*/dec/'` ;; *-commodore*) basic_machine=`echo $basic_machine | sed 's/commodore.*/cbm/'` ;; *) ;; esac # Decode manufacturer-specific aliases for certain operating systems. if [ x"$os" != x"" ] then case $os in # First match some system type aliases # that might get confused with valid system types. # -solaris* is a basic system type, with this one exception. -auroraux) os=-auroraux ;; -solaris1 | -solaris1.*) os=`echo $os | sed -e 's|solaris1|sunos4|'` ;; -solaris) os=-solaris2 ;; -svr4*) os=-sysv4 ;; -unixware*) os=-sysv4.2uw ;; -gnu/linux*) os=`echo $os | sed -e 's|gnu/linux|linux-gnu|'` ;; # First accept the basic system types. # The portable systems comes first. # Each alternative MUST END IN A *, to match a version number. # -sysv* is not here because it comes later, after sysvr4. -gnu* | -bsd* | -mach* | -minix* | -genix* | -ultrix* | -irix* \ | -*vms* | -sco* | -esix* | -isc* | -aix* | -cnk* | -sunos | -sunos[34]*\ | -hpux* | -unos* | -osf* | -luna* | -dgux* | -auroraux* | -solaris* \ | -sym* | -kopensolaris* | -plan9* \ | -amigaos* | -amigados* | -msdos* | -newsos* | -unicos* | -aof* \ | -aos* | -aros* \ | -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \ | -clix* | -riscos* | -uniplus* | -iris* | -rtu* | -xenix* \ | -hiux* | -386bsd* | -knetbsd* | -mirbsd* | -netbsd* \ | -bitrig* | -openbsd* | -solidbsd* \ | -ekkobsd* | -kfreebsd* | -freebsd* | -riscix* | -lynxos* \ | -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \ | -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \ | -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \ | -chorusos* | -chorusrdb* | -cegcc* \ | -cygwin* | -msys* | -pe* | -psos* | -moss* | -proelf* | -rtems* \ | -mingw32* | -mingw64* | -linux-gnu* | -linux-android* \ | -linux-newlib* | -linux-musl* | -linux-uclibc* \ | -uxpv* | -beos* | -mpeix* | -udk* | -moxiebox* \ | -interix* | -uwin* | -mks* | -rhapsody* | -darwin* | -opened* \ | -openstep* | -oskit* | -conix* | -pw32* | -nonstopux* \ | -storm-chaos* | -tops10* | -tenex* | -tops20* | -its* \ | -os2* | -vos* | -palmos* | -uclinux* | -nucleus* \ | -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \ | -powermax* | -dnix* | -nx6 | -nx7 | -sei* | -dragonfly* \ | -skyos* | -haiku* | -rdos* | -toppers* | -drops* | -es* | -tirtos*) # Remember, each alternative MUST END IN *, to match a version number. ;; -qnx*) case $basic_machine in x86-* | i*86-*) ;; *) os=-nto$os ;; esac ;; -nto-qnx*) ;; -nto*) os=`echo $os | sed -e 's|nto|nto-qnx|'` ;; -sim | -es1800* | -hms* | -xray | -os68k* | -none* | -v88r* \ | -windows* | -osx | -abug | -netware* | -os9* | -beos* | -haiku* \ | -macos* | -mpw* | -magic* | -mmixware* | -mon960* | -lnews*) ;; -mac*) os=`echo $os | sed -e 's|mac|macos|'` ;; -linux-dietlibc) os=-linux-dietlibc ;; -linux*) os=`echo $os | sed -e 's|linux|linux-gnu|'` ;; -sunos5*) os=`echo $os | sed -e 's|sunos5|solaris2|'` ;; -sunos6*) os=`echo $os | sed -e 's|sunos6|solaris3|'` ;; -opened*) os=-openedition ;; -os400*) os=-os400 ;; -wince*) os=-wince ;; -osfrose*) os=-osfrose ;; -osf*) os=-osf ;; -utek*) os=-bsd ;; -dynix*) os=-bsd ;; -acis*) os=-aos ;; -atheos*) os=-atheos ;; -syllable*) os=-syllable ;; -386bsd) os=-bsd ;; -ctix* | -uts*) os=-sysv ;; -nova*) os=-rtmk-nova ;; -ns2 ) os=-nextstep2 ;; -nsk*) os=-nsk ;; # Preserve the version number of sinix5. -sinix5.*) os=`echo $os | sed -e 's|sinix|sysv|'` ;; -sinix*) os=-sysv4 ;; -tpf*) os=-tpf ;; -triton*) os=-sysv3 ;; -oss*) os=-sysv3 ;; -svr4) os=-sysv4 ;; -svr3) os=-sysv3 ;; -sysvr4) os=-sysv4 ;; # This must come after -sysvr4. -sysv*) ;; -ose*) os=-ose ;; -es1800*) os=-ose ;; -xenix) os=-xenix ;; -*mint | -mint[0-9]* | -*MiNT | -MiNT[0-9]*) os=-mint ;; -aros*) os=-aros ;; -zvmoe) os=-zvmoe ;; -dicos*) os=-dicos ;; -nacl*) ;; -none) ;; *) # Get rid of the `-' at the beginning of $os. os=`echo $os | sed 's/[^-]*-//'` echo Invalid configuration \`$1\': system \`$os\' not recognized 1>&2 exit 1 ;; esac else # Here we handle the default operating systems that come with various machines. # The value should be what the vendor currently ships out the door with their # machine or put another way, the most popular os provided with the machine. # Note that if you're going to try to match "-MANUFACTURER" here (say, # "-sun"), then you have to tell the case statement up towards the top # that MANUFACTURER isn't an operating system. Otherwise, code above # will signal an error saying that MANUFACTURER isn't an operating # system, and we'll never get to this point. case $basic_machine in score-*) os=-elf ;; spu-*) os=-elf ;; *-acorn) os=-riscix1.2 ;; arm*-rebel) os=-linux ;; arm*-semi) os=-aout ;; c4x-* | tic4x-*) os=-coff ;; c8051-*) os=-elf ;; hexagon-*) os=-elf ;; tic54x-*) os=-coff ;; tic55x-*) os=-coff ;; tic6x-*) os=-coff ;; # This must come before the *-dec entry. pdp10-*) os=-tops20 ;; pdp11-*) os=-none ;; *-dec | vax-*) os=-ultrix4.2 ;; m68*-apollo) os=-domain ;; i386-sun) os=-sunos4.0.2 ;; m68000-sun) os=-sunos3 ;; m68*-cisco) os=-aout ;; mep-*) os=-elf ;; mips*-cisco) os=-elf ;; mips*-*) os=-elf ;; or32-*) os=-coff ;; *-tti) # must be before sparc entry or we get the wrong os. os=-sysv3 ;; sparc-* | *-sun) os=-sunos4.1.1 ;; *-be) os=-beos ;; *-haiku) os=-haiku ;; *-ibm) os=-aix ;; *-knuth) os=-mmixware ;; *-wec) os=-proelf ;; *-winbond) os=-proelf ;; *-oki) os=-proelf ;; *-hp) os=-hpux ;; *-hitachi) os=-hiux ;; i860-* | *-att | *-ncr | *-altos | *-motorola | *-convergent) os=-sysv ;; *-cbm) os=-amigaos ;; *-dg) os=-dgux ;; *-dolphin) os=-sysv3 ;; m68k-ccur) os=-rtu ;; m88k-omron*) os=-luna ;; *-next ) os=-nextstep ;; *-sequent) os=-ptx ;; *-crds) os=-unos ;; *-ns) os=-genix ;; i370-*) os=-mvs ;; *-next) os=-nextstep3 ;; *-gould) os=-sysv ;; *-highlevel) os=-bsd ;; *-encore) os=-bsd ;; *-sgi) os=-irix ;; *-siemens) os=-sysv4 ;; *-masscomp) os=-rtu ;; f30[01]-fujitsu | f700-fujitsu) os=-uxpv ;; *-rom68k) os=-coff ;; *-*bug) os=-coff ;; *-apple) os=-macos ;; *-atari*) os=-mint ;; *) os=-none ;; esac fi # Here we handle the case where we know the os, and the CPU type, but not the # manufacturer. We pick the logical manufacturer. vendor=unknown case $basic_machine in *-unknown) case $os in -riscix*) vendor=acorn ;; -sunos*) vendor=sun ;; -cnk*|-aix*) vendor=ibm ;; -beos*) vendor=be ;; -hpux*) vendor=hp ;; -mpeix*) vendor=hp ;; -hiux*) vendor=hitachi ;; -unos*) vendor=crds ;; -dgux*) vendor=dg ;; -luna*) vendor=omron ;; -genix*) vendor=ns ;; -mvs* | -opened*) vendor=ibm ;; -os400*) vendor=ibm ;; -ptx*) vendor=sequent ;; -tpf*) vendor=ibm ;; -vxsim* | -vxworks* | -windiss*) vendor=wrs ;; -aux*) vendor=apple ;; -hms*) vendor=hitachi ;; -mpw* | -macos*) vendor=apple ;; -*mint | -mint[0-9]* | -*MiNT | -MiNT[0-9]*) vendor=atari ;; -vos*) vendor=stratus ;; esac basic_machine=`echo $basic_machine | sed "s/unknown/$vendor/"` ;; esac echo $basic_machine$os exit # Local variables: # eval: (add-hook 'write-file-hooks 'time-stamp) # time-stamp-start: "timestamp='" # time-stamp-format: "%:y-%02m-%02d" # time-stamp-end: "'" # End: openvpn-2.4.4/configure000077500000000000000000021522071316434344000151300ustar00rootroot00000000000000#! /bin/sh # Guess values for system-dependent variables and create Makefiles. # Generated by GNU Autoconf 2.69 for OpenVPN 2.4.4. # # Report bugs to . # # # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc. # # # This configure script is free software; the Free Software Foundation # gives unlimited permission to copy, distribute and modify it. ## -------------------- ## ## M4sh Initialization. ## ## -------------------- ## # Be more Bourne compatible DUALCASE=1; export DUALCASE # for MKS sh if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then : emulate sh NULLCMD=: # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which # is contrary to our usage. Disable this feature. alias -g '${1+"$@"}'='"$@"' setopt NO_GLOB_SUBST else case `(set -o) 2>/dev/null` in #( *posix*) : set -o posix ;; #( *) : ;; esac fi as_nl=' ' export as_nl # Printing a long string crashes Solaris 7 /usr/bin/printf. as_echo='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo$as_echo # Prefer a ksh shell builtin over an external printf program on Solaris, # but without wasting forks for bash or zsh. if test -z "$BASH_VERSION$ZSH_VERSION" \ && (test "X`print -r -- $as_echo`" = "X$as_echo") 2>/dev/null; then as_echo='print -r --' as_echo_n='print -rn --' elif (test "X`printf %s $as_echo`" = "X$as_echo") 2>/dev/null; then as_echo='printf %s\n' as_echo_n='printf %s' else if test "X`(/usr/ucb/echo -n -n $as_echo) 2>/dev/null`" = "X-n $as_echo"; then as_echo_body='eval /usr/ucb/echo -n "$1$as_nl"' as_echo_n='/usr/ucb/echo -n' else as_echo_body='eval expr "X$1" : "X\\(.*\\)"' as_echo_n_body='eval arg=$1; case $arg in #( *"$as_nl"*) expr "X$arg" : "X\\(.*\\)$as_nl"; arg=`expr "X$arg" : ".*$as_nl\\(.*\\)"`;; esac; expr "X$arg" : "X\\(.*\\)" | tr -d "$as_nl" ' export as_echo_n_body as_echo_n='sh -c $as_echo_n_body as_echo' fi export as_echo_body as_echo='sh -c $as_echo_body as_echo' fi # The user is always right. if test "${PATH_SEPARATOR+set}" != set; then PATH_SEPARATOR=: (PATH='/bin;/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 && { (PATH='/bin:/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 || PATH_SEPARATOR=';' } fi # IFS # We need space, tab and new line, in precisely that order. Quoting is # there to prevent editors from complaining about space-tab. # (If _AS_PATH_WALK were called with IFS unset, it would disable word # splitting by setting IFS to empty value.) IFS=" "" $as_nl" # Find who we are. Look in the path if we contain no directory separator. as_myself= case $0 in #(( *[\\/]* ) as_myself=$0 ;; *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break done IFS=$as_save_IFS ;; esac # We did not find ourselves, most probably we were run as `sh COMMAND' # in which case we are not to be found in the path. if test "x$as_myself" = x; then as_myself=$0 fi if test ! -f "$as_myself"; then $as_echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2 exit 1 fi # Unset variables that we do not need and which cause bugs (e.g. in # pre-3.0 UWIN ksh). But do not cause bugs in bash 2.01; the "|| exit 1" # suppresses any "Segmentation fault" message there. '((' could # trigger a bug in pdksh 5.2.14. for as_var in BASH_ENV ENV MAIL MAILPATH do eval test x\${$as_var+set} = xset \ && ( (unset $as_var) || exit 1) >/dev/null 2>&1 && unset $as_var || : done PS1='$ ' PS2='> ' PS4='+ ' # NLS nuisances. LC_ALL=C export LC_ALL LANGUAGE=C export LANGUAGE # CDPATH. (unset CDPATH) >/dev/null 2>&1 && unset CDPATH # Use a proper internal environment variable to ensure we don't fall # into an infinite loop, continuously re-executing ourselves. if test x"${_as_can_reexec}" != xno && test "x$CONFIG_SHELL" != x; then _as_can_reexec=no; export _as_can_reexec; # We cannot yet assume a decent shell, so we have to provide a # neutralization value for shells without unset; and this also # works around shells that cannot unset nonexistent variables. # Preserve -v and -x to the replacement shell. BASH_ENV=/dev/null ENV=/dev/null (unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV case $- in # (((( *v*x* | *x*v* ) as_opts=-vx ;; *v* ) as_opts=-v ;; *x* ) as_opts=-x ;; * ) as_opts= ;; esac exec $CONFIG_SHELL $as_opts "$as_myself" ${1+"$@"} # Admittedly, this is quite paranoid, since all the known shells bail # out after a failed `exec'. $as_echo "$0: could not re-execute with $CONFIG_SHELL" >&2 as_fn_exit 255 fi # We don't want this to propagate to other subprocesses. { _as_can_reexec=; unset _as_can_reexec;} if test "x$CONFIG_SHELL" = x; then as_bourne_compatible="if test -n \"\${ZSH_VERSION+set}\" && (emulate sh) >/dev/null 2>&1; then : emulate sh NULLCMD=: # Pre-4.2 versions of Zsh do word splitting on \${1+\"\$@\"}, which # is contrary to our usage. Disable this feature. alias -g '\${1+\"\$@\"}'='\"\$@\"' setopt NO_GLOB_SUBST else case \`(set -o) 2>/dev/null\` in #( *posix*) : set -o posix ;; #( *) : ;; esac fi " as_required="as_fn_return () { (exit \$1); } as_fn_success () { as_fn_return 0; } as_fn_failure () { as_fn_return 1; } as_fn_ret_success () { return 0; } as_fn_ret_failure () { return 1; } exitcode=0 as_fn_success || { exitcode=1; echo as_fn_success failed.; } as_fn_failure && { exitcode=1; echo as_fn_failure succeeded.; } as_fn_ret_success || { exitcode=1; echo as_fn_ret_success failed.; } as_fn_ret_failure && { exitcode=1; echo as_fn_ret_failure succeeded.; } if ( set x; as_fn_ret_success y && test x = \"\$1\" ); then : else exitcode=1; echo positional parameters were not saved. fi test x\$exitcode = x0 || exit 1 test -x / || exit 1" as_suggested=" as_lineno_1=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_1a=\$LINENO as_lineno_2=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_2a=\$LINENO eval 'test \"x\$as_lineno_1'\$as_run'\" != \"x\$as_lineno_2'\$as_run'\" && test \"x\`expr \$as_lineno_1'\$as_run' + 1\`\" = \"x\$as_lineno_2'\$as_run'\"' || exit 1 test \$(( 1 + 1 )) = 2 || exit 1 test -n \"\${ZSH_VERSION+set}\${BASH_VERSION+set}\" || ( ECHO='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' ECHO=\$ECHO\$ECHO\$ECHO\$ECHO\$ECHO ECHO=\$ECHO\$ECHO\$ECHO\$ECHO\$ECHO\$ECHO PATH=/empty FPATH=/empty; export PATH FPATH test \"X\`printf %s \$ECHO\`\" = \"X\$ECHO\" \\ || test \"X\`print -r -- \$ECHO\`\" = \"X\$ECHO\" ) || exit 1" if (eval "$as_required") 2>/dev/null; then : as_have_required=yes else as_have_required=no fi if test x$as_have_required = xyes && (eval "$as_suggested") 2>/dev/null; then : else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR as_found=false for as_dir in /bin$PATH_SEPARATOR/usr/bin$PATH_SEPARATOR$PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. as_found=: case $as_dir in #( /*) for as_base in sh bash ksh sh5; do # Try only shells that exist, to save several forks. as_shell=$as_dir/$as_base if { test -f "$as_shell" || test -f "$as_shell.exe"; } && { $as_echo "$as_bourne_compatible""$as_required" | as_run=a "$as_shell"; } 2>/dev/null; then : CONFIG_SHELL=$as_shell as_have_required=yes if { $as_echo "$as_bourne_compatible""$as_suggested" | as_run=a "$as_shell"; } 2>/dev/null; then : break 2 fi fi done;; esac as_found=false done $as_found || { if { test -f "$SHELL" || test -f "$SHELL.exe"; } && { $as_echo "$as_bourne_compatible""$as_required" | as_run=a "$SHELL"; } 2>/dev/null; then : CONFIG_SHELL=$SHELL as_have_required=yes fi; } IFS=$as_save_IFS if test "x$CONFIG_SHELL" != x; then : export CONFIG_SHELL # We cannot yet assume a decent shell, so we have to provide a # neutralization value for shells without unset; and this also # works around shells that cannot unset nonexistent variables. # Preserve -v and -x to the replacement shell. BASH_ENV=/dev/null ENV=/dev/null (unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV case $- in # (((( *v*x* | *x*v* ) as_opts=-vx ;; *v* ) as_opts=-v ;; *x* ) as_opts=-x ;; * ) as_opts= ;; esac exec $CONFIG_SHELL $as_opts "$as_myself" ${1+"$@"} # Admittedly, this is quite paranoid, since all the known shells bail # out after a failed `exec'. $as_echo "$0: could not re-execute with $CONFIG_SHELL" >&2 exit 255 fi if test x$as_have_required = xno; then : $as_echo "$0: This script requires a shell more modern than all" $as_echo "$0: the shells that I found on your system." if test x${ZSH_VERSION+set} = xset ; then $as_echo "$0: In particular, zsh $ZSH_VERSION has bugs and should" $as_echo "$0: be upgraded to zsh 4.3.4 or later." else $as_echo "$0: Please tell bug-autoconf@gnu.org and openvpn-users@lists.sourceforge.net $0: about your system, including any error possibly output $0: before this message. Then install a modern shell, or $0: manually run the script under such a shell if you do $0: have one." fi exit 1 fi fi fi SHELL=${CONFIG_SHELL-/bin/sh} export SHELL # Unset more variables known to interfere with behavior of common tools. CLICOLOR_FORCE= GREP_OPTIONS= unset CLICOLOR_FORCE GREP_OPTIONS ## --------------------- ## ## M4sh Shell Functions. ## ## --------------------- ## # as_fn_unset VAR # --------------- # Portably unset VAR. as_fn_unset () { { eval $1=; unset $1;} } as_unset=as_fn_unset # as_fn_set_status STATUS # ----------------------- # Set $? to STATUS, without forking. as_fn_set_status () { return $1 } # as_fn_set_status # as_fn_exit STATUS # ----------------- # Exit the shell with STATUS, even in a "trap 0" or "set -e" context. as_fn_exit () { set +e as_fn_set_status $1 exit $1 } # as_fn_exit # as_fn_mkdir_p # ------------- # Create "$as_dir" as a directory, including parents if necessary. as_fn_mkdir_p () { case $as_dir in #( -*) as_dir=./$as_dir;; esac test -d "$as_dir" || eval $as_mkdir_p || { as_dirs= while :; do case $as_dir in #( *\'*) as_qdir=`$as_echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #'( *) as_qdir=$as_dir;; esac as_dirs="'$as_qdir' $as_dirs" as_dir=`$as_dirname -- "$as_dir" || $as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ X"$as_dir" : 'X\(//\)[^/]' \| \ X"$as_dir" : 'X\(//\)$' \| \ X"$as_dir" : 'X\(/\)' \| . 2>/dev/null || $as_echo X"$as_dir" | sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/ q } /^X\(\/\/\)[^/].*/{ s//\1/ q } /^X\(\/\/\)$/{ s//\1/ q } /^X\(\/\).*/{ s//\1/ q } s/.*/./; q'` test -d "$as_dir" && break done test -z "$as_dirs" || eval "mkdir $as_dirs" } || test -d "$as_dir" || as_fn_error $? "cannot create directory $as_dir" } # as_fn_mkdir_p # as_fn_executable_p FILE # ----------------------- # Test if FILE is an executable regular file. as_fn_executable_p () { test -f "$1" && test -x "$1" } # as_fn_executable_p # as_fn_append VAR VALUE # ---------------------- # Append the text in VALUE to the end of the definition contained in VAR. Take # advantage of any shell optimizations that allow amortized linear growth over # repeated appends, instead of the typical quadratic growth present in naive # implementations. if (eval "as_var=1; as_var+=2; test x\$as_var = x12") 2>/dev/null; then : eval 'as_fn_append () { eval $1+=\$2 }' else as_fn_append () { eval $1=\$$1\$2 } fi # as_fn_append # as_fn_arith ARG... # ------------------ # Perform arithmetic evaluation on the ARGs, and store the result in the # global $as_val. Take advantage of shells that can avoid forks. The arguments # must be portable across $(()) and expr. if (eval "test \$(( 1 + 1 )) = 2") 2>/dev/null; then : eval 'as_fn_arith () { as_val=$(( $* )) }' else as_fn_arith () { as_val=`expr "$@" || test $? -eq 1` } fi # as_fn_arith # as_fn_error STATUS ERROR [LINENO LOG_FD] # ---------------------------------------- # Output "`basename $0`: error: ERROR" to stderr. If LINENO and LOG_FD are # provided, also output the error to LOG_FD, referencing LINENO. Then exit the # script with STATUS, using 1 if that was 0. as_fn_error () { as_status=$1; test $as_status -eq 0 && as_status=1 if test "$4"; then as_lineno=${as_lineno-"$3"} as_lineno_stack=as_lineno_stack=$as_lineno_stack $as_echo "$as_me:${as_lineno-$LINENO}: error: $2" >&$4 fi $as_echo "$as_me: error: $2" >&2 as_fn_exit $as_status } # as_fn_error if expr a : '\(a\)' >/dev/null 2>&1 && test "X`expr 00001 : '.*\(...\)'`" = X001; then as_expr=expr else as_expr=false fi if (basename -- /) >/dev/null 2>&1 && test "X`basename -- / 2>&1`" = "X/"; then as_basename=basename else as_basename=false fi if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then as_dirname=dirname else as_dirname=false fi as_me=`$as_basename -- "$0" || $as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \ X"$0" : 'X\(//\)$' \| \ X"$0" : 'X\(/\)' \| . 2>/dev/null || $as_echo X/"$0" | sed '/^.*\/\([^/][^/]*\)\/*$/{ s//\1/ q } /^X\/\(\/\/\)$/{ s//\1/ q } /^X\/\(\/\).*/{ s//\1/ q } s/.*/./; q'` # Avoid depending upon Character Ranges. as_cr_letters='abcdefghijklmnopqrstuvwxyz' as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ' as_cr_Letters=$as_cr_letters$as_cr_LETTERS as_cr_digits='0123456789' as_cr_alnum=$as_cr_Letters$as_cr_digits as_lineno_1=$LINENO as_lineno_1a=$LINENO as_lineno_2=$LINENO as_lineno_2a=$LINENO eval 'test "x$as_lineno_1'$as_run'" != "x$as_lineno_2'$as_run'" && test "x`expr $as_lineno_1'$as_run' + 1`" = "x$as_lineno_2'$as_run'"' || { # Blame Lee E. McMahon (1931-1989) for sed's syntax. :-) sed -n ' p /[$]LINENO/= ' <$as_myself | sed ' s/[$]LINENO.*/&-/ t lineno b :lineno N :loop s/[$]LINENO\([^'$as_cr_alnum'_].*\n\)\(.*\)/\2\1\2/ t loop s/-\n.*// ' >$as_me.lineno && chmod +x "$as_me.lineno" || { $as_echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2; as_fn_exit 1; } # If we had to re-execute with $CONFIG_SHELL, we're ensured to have # already done that, so ensure we don't try to do so again and fall # in an infinite loop. This has already happened in practice. _as_can_reexec=no; export _as_can_reexec # Don't try to exec as it changes $[0], causing all sort of problems # (the dirname of $[0] is not the place where we might find the # original and so on. Autoconf is especially sensitive to this). . "./$as_me.lineno" # Exit status is that of the last command. exit } ECHO_C= ECHO_N= ECHO_T= case `echo -n x` in #((((( -n*) case `echo 'xy\c'` in *c*) ECHO_T=' ';; # ECHO_T is single tab character. xy) ECHO_C='\c';; *) echo `echo ksh88 bug on AIX 6.1` > /dev/null ECHO_T=' ';; esac;; *) ECHO_N='-n';; esac rm -f conf$$ conf$$.exe conf$$.file if test -d conf$$.dir; then rm -f conf$$.dir/conf$$.file else rm -f conf$$.dir mkdir conf$$.dir 2>/dev/null fi if (echo >conf$$.file) 2>/dev/null; then if ln -s conf$$.file conf$$ 2>/dev/null; then as_ln_s='ln -s' # ... but there are two gotchas: # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail. # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable. # In both cases, we have to default to `cp -pR'. ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe || as_ln_s='cp -pR' elif ln conf$$.file conf$$ 2>/dev/null; then as_ln_s=ln else as_ln_s='cp -pR' fi else as_ln_s='cp -pR' fi rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file rmdir conf$$.dir 2>/dev/null if mkdir -p . 2>/dev/null; then as_mkdir_p='mkdir -p "$as_dir"' else test -d ./-p && rmdir ./-p as_mkdir_p=false fi as_test_x='test -x' as_executable_p=as_fn_executable_p # Sed expression to map a string onto a valid CPP name. as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'" # Sed expression to map a string onto a valid variable name. as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'" SHELL=${CONFIG_SHELL-/bin/sh} test -n "$DJDIR" || exec 7<&0 &1 # Name of the host. # hostname on some systems (SVR3.2, old GNU/Linux) returns a bogus exit status, # so uname gets run too. ac_hostname=`(hostname || uname -n) 2>/dev/null | sed 1q` # # Initializations. # ac_default_prefix=/usr/local ac_clean_files= ac_config_libobj_dir=. LIBOBJS= cross_compiling=no subdirs= MFLAGS= MAKEFLAGS= # Identity of this package. PACKAGE_NAME='OpenVPN' PACKAGE_TARNAME='openvpn' PACKAGE_VERSION='2.4.4' PACKAGE_STRING='OpenVPN 2.4.4' PACKAGE_BUGREPORT='openvpn-users@lists.sourceforge.net' PACKAGE_URL='' ac_unique_file="src/openvpn/syshead.h" # Factoring default headers for most tests. ac_includes_default="\ #include #ifdef HAVE_SYS_TYPES_H # include #endif #ifdef HAVE_SYS_STAT_H # include #endif #ifdef STDC_HEADERS # include # include #else # ifdef HAVE_STDLIB_H # include # endif #endif #ifdef HAVE_STRING_H # if !defined STDC_HEADERS && defined HAVE_MEMORY_H # include # endif # include #endif #ifdef HAVE_STRINGS_H # include #endif #ifdef HAVE_INTTYPES_H # include #endif #ifdef HAVE_STDINT_H # include #endif #ifdef HAVE_UNISTD_H # include #endif" ac_subst_vars='am__EXEEXT_FALSE am__EXEEXT_TRUE LTLIBOBJS LIBOBJS CMOCKA_INITIALIZED_FALSE CMOCKA_INITIALIZED_TRUE CMAKE TEST_CFLAGS TEST_LDFLAGS VENDOR_DIST_ROOT VENDOR_BUILD_ROOT VENDOR_SRC_ROOT tmpfilesdir systemdunitdir sampledir plugindir HAVE_LD_WRAP_SUPPORT_FALSE HAVE_LD_WRAP_SUPPORT_TRUE ENABLE_CRYPTO_FALSE ENABLE_CRYPTO_TRUE ENABLE_PLUGIN_DOWN_ROOT_FALSE ENABLE_PLUGIN_DOWN_ROOT_TRUE ENABLE_PLUGIN_AUTH_PAM_FALSE ENABLE_PLUGIN_AUTH_PAM_TRUE GIT_CHECKOUT_FALSE GIT_CHECKOUT_TRUE WIN32_FALSE WIN32_TRUE PLUGIN_AUTH_PAM_LIBS PLUGIN_AUTH_PAM_CFLAGS OPTIONAL_PKCS11_HELPER_LIBS OPTIONAL_PKCS11_HELPER_CFLAGS OPTIONAL_SYSTEMD_LIBS OPTIONAL_LZ4_LIBS OPTIONAL_LZ4_CFLAGS OPTIONAL_LZO_LIBS OPTIONAL_LZO_CFLAGS OPTIONAL_CRYPTO_LIBS OPTIONAL_CRYPTO_CFLAGS OPTIONAL_SELINUX_LIBS OPTIONAL_DL_LIBS TAP_WIN_MIN_MINOR TAP_WIN_MIN_MAJOR TAP_WIN_COMPONENT_ID P11KIT_LIBS P11KIT_CFLAGS libsystemd_LIBS libsystemd_CFLAGS ENABLE_SYSTEMD_FALSE ENABLE_SYSTEMD_TRUE LZ4_LIBS LZ4_CFLAGS LZO_LIBS LZO_CFLAGS MBEDTLS_LIBS MBEDTLS_CFLAGS OPENSSL_LIBS OPENSSL_CFLAGS PKCS11_HELPER_LIBS PKCS11_HELPER_CFLAGS LIBPAM_LIBS LIBPAM_CFLAGS SELINUX_LIBS TAP_CFLAGS SOCKETS_LIBS DL_LIBS RC OTOOL64 OTOOL LIPO NMEDIT DSYMUTIL MANIFEST_TOOL RANLIB ac_ct_AR AR NM ac_ct_DUMPBIN DUMPBIN LD FGREP LIBTOOL OBJDUMP DLLTOOL AS TMPFILES_DIR SYSTEMD_UNIT_DIR SYSTEMD_ASK_PASSWORD GIT MAN2HTML NETSTAT IPROUTE ROUTE IFCONFIG SED LN_S PKG_CONFIG_LIBDIR PKG_CONFIG_PATH PKG_CONFIG PLUGINDIR EGREP GREP CPP am__fastdepCC_FALSE am__fastdepCC_TRUE CCDEPMODE am__nodep AMDEPBACKSLASH AMDEP_FALSE AMDEP_TRUE am__quote am__include DEPDIR OBJEXT EXEEXT ac_ct_CC CPPFLAGS LDFLAGS CFLAGS CC host_os host_vendor host_cpu host build_os build_vendor build_cpu build AM_BACKSLASH AM_DEFAULT_VERBOSITY AM_DEFAULT_V AM_V am__untar am__tar AMTAR am__leading_dot SET_MAKE AWK mkdir_p MKDIR_P INSTALL_STRIP_PROGRAM STRIP install_sh MAKEINFO AUTOHEADER AUTOMAKE AUTOCONF ACLOCAL VERSION PACKAGE CYGPATH_W am__isrc INSTALL_DATA INSTALL_SCRIPT INSTALL_PROGRAM OPENVPN_VERSION_PATCH OPENVPN_VERSION_MINOR OPENVPN_VERSION_MAJOR target_alias host_alias build_alias LIBS ECHO_T ECHO_N ECHO_C DEFS mandir localedir libdir psdir pdfdir dvidir htmldir infodir docdir oldincludedir includedir localstatedir sharedstatedir sysconfdir datadir datarootdir libexecdir sbindir bindir program_transform_name prefix exec_prefix PACKAGE_URL PACKAGE_BUGREPORT PACKAGE_STRING PACKAGE_VERSION PACKAGE_TARNAME PACKAGE_NAME PATH_SEPARATOR SHELL' ac_subst_files='' ac_user_opts=' enable_option_checking enable_silent_rules enable_dependency_tracking enable_lzo enable_lz4 enable_comp_stub enable_crypto enable_ofb_cfb enable_x509_alt_username enable_server enable_plugins enable_management enable_pkcs11 enable_fragment enable_multihome enable_port_share enable_debug enable_small enable_iproute2 enable_def_auth enable_pf enable_plugin_auth_pam enable_plugin_down_root enable_pam_dlopen enable_strict enable_pedantic enable_werror enable_strict_options enable_selinux enable_systemd enable_async_push with_special_build with_mem_check with_crypto_library enable_shared enable_static with_pic enable_fast_install with_gnu_ld with_sysroot enable_libtool_lock ' ac_precious_vars='build_alias host_alias target_alias CC CFLAGS LDFLAGS LIBS CPPFLAGS CPP PLUGINDIR PKG_CONFIG PKG_CONFIG_PATH PKG_CONFIG_LIBDIR IFCONFIG ROUTE IPROUTE NETSTAT MAN2HTML GIT SYSTEMD_ASK_PASSWORD SYSTEMD_UNIT_DIR TMPFILES_DIR TAP_CFLAGS LIBPAM_CFLAGS LIBPAM_LIBS PKCS11_HELPER_CFLAGS PKCS11_HELPER_LIBS OPENSSL_CFLAGS OPENSSL_LIBS MBEDTLS_CFLAGS MBEDTLS_LIBS LZO_CFLAGS LZO_LIBS LZ4_CFLAGS LZ4_LIBS libsystemd_CFLAGS libsystemd_LIBS P11KIT_CFLAGS P11KIT_LIBS' # Initialize some variables set by options. ac_init_help= ac_init_version=false ac_unrecognized_opts= ac_unrecognized_sep= # The variables have the same names as the options, with # dashes changed to underlines. cache_file=/dev/null exec_prefix=NONE no_create= no_recursion= prefix=NONE program_prefix=NONE program_suffix=NONE program_transform_name=s,x,x, silent= site= srcdir= verbose= x_includes=NONE x_libraries=NONE # Installation directory options. # These are left unexpanded so users can "make install exec_prefix=/foo" # and all the variables that are supposed to be based on exec_prefix # by default will actually change. # Use braces instead of parens because sh, perl, etc. also accept them. # (The list follows the same order as the GNU Coding Standards.) bindir='${exec_prefix}/bin' sbindir='${exec_prefix}/sbin' libexecdir='${exec_prefix}/libexec' datarootdir='${prefix}/share' datadir='${datarootdir}' sysconfdir='${prefix}/etc' sharedstatedir='${prefix}/com' localstatedir='${prefix}/var' includedir='${prefix}/include' oldincludedir='/usr/include' docdir='${datarootdir}/doc/${PACKAGE_TARNAME}' infodir='${datarootdir}/info' htmldir='${docdir}' dvidir='${docdir}' pdfdir='${docdir}' psdir='${docdir}' libdir='${exec_prefix}/lib' localedir='${datarootdir}/locale' mandir='${datarootdir}/man' ac_prev= ac_dashdash= for ac_option do # If the previous option needs an argument, assign it. if test -n "$ac_prev"; then eval $ac_prev=\$ac_option ac_prev= continue fi case $ac_option in *=?*) ac_optarg=`expr "X$ac_option" : '[^=]*=\(.*\)'` ;; *=) ac_optarg= ;; *) ac_optarg=yes ;; esac # Accept the important Cygnus configure options, so we can diagnose typos. case $ac_dashdash$ac_option in --) ac_dashdash=yes ;; -bindir | --bindir | --bindi | --bind | --bin | --bi) ac_prev=bindir ;; -bindir=* | --bindir=* | --bindi=* | --bind=* | --bin=* | --bi=*) bindir=$ac_optarg ;; -build | --build | --buil | --bui | --bu) ac_prev=build_alias ;; -build=* | --build=* | --buil=* | --bui=* | --bu=*) build_alias=$ac_optarg ;; -cache-file | --cache-file | --cache-fil | --cache-fi \ | --cache-f | --cache- | --cache | --cach | --cac | --ca | --c) ac_prev=cache_file ;; -cache-file=* | --cache-file=* | --cache-fil=* | --cache-fi=* \ | --cache-f=* | --cache-=* | --cache=* | --cach=* | --cac=* | --ca=* | --c=*) cache_file=$ac_optarg ;; --config-cache | -C) cache_file=config.cache ;; -datadir | --datadir | --datadi | --datad) ac_prev=datadir ;; -datadir=* | --datadir=* | --datadi=* | --datad=*) datadir=$ac_optarg ;; -datarootdir | --datarootdir | --datarootdi | --datarootd | --dataroot \ | --dataroo | --dataro | --datar) ac_prev=datarootdir ;; -datarootdir=* | --datarootdir=* | --datarootdi=* | --datarootd=* \ | --dataroot=* | --dataroo=* | --dataro=* | --datar=*) datarootdir=$ac_optarg ;; -disable-* | --disable-*) ac_useropt=`expr "x$ac_option" : 'x-*disable-\(.*\)'` # Reject names that are not valid shell variable names. expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && as_fn_error $? "invalid feature name: $ac_useropt" ac_useropt_orig=$ac_useropt ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'` case $ac_user_opts in *" "enable_$ac_useropt" "*) ;; *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--disable-$ac_useropt_orig" ac_unrecognized_sep=', ';; esac eval enable_$ac_useropt=no ;; -docdir | --docdir | --docdi | --doc | --do) ac_prev=docdir ;; -docdir=* | --docdir=* | --docdi=* | --doc=* | --do=*) docdir=$ac_optarg ;; -dvidir | --dvidir | --dvidi | --dvid | --dvi | --dv) ac_prev=dvidir ;; -dvidir=* | --dvidir=* | --dvidi=* | --dvid=* | --dvi=* | --dv=*) dvidir=$ac_optarg ;; -enable-* | --enable-*) ac_useropt=`expr "x$ac_option" : 'x-*enable-\([^=]*\)'` # Reject names that are not valid shell variable names. expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && as_fn_error $? "invalid feature name: $ac_useropt" ac_useropt_orig=$ac_useropt ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'` case $ac_user_opts in *" "enable_$ac_useropt" "*) ;; *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--enable-$ac_useropt_orig" ac_unrecognized_sep=', ';; esac eval enable_$ac_useropt=\$ac_optarg ;; -exec-prefix | --exec_prefix | --exec-prefix | --exec-prefi \ | --exec-pref | --exec-pre | --exec-pr | --exec-p | --exec- \ | --exec | --exe | --ex) ac_prev=exec_prefix ;; -exec-prefix=* | --exec_prefix=* | --exec-prefix=* | --exec-prefi=* \ | --exec-pref=* | --exec-pre=* | --exec-pr=* | --exec-p=* | --exec-=* \ | --exec=* | --exe=* | --ex=*) exec_prefix=$ac_optarg ;; -gas | --gas | --ga | --g) # Obsolete; use --with-gas. with_gas=yes ;; -help | --help | --hel | --he | -h) ac_init_help=long ;; -help=r* | --help=r* | --hel=r* | --he=r* | -hr*) ac_init_help=recursive ;; -help=s* | --help=s* | --hel=s* | --he=s* | -hs*) ac_init_help=short ;; -host | --host | --hos | --ho) ac_prev=host_alias ;; -host=* | --host=* | --hos=* | --ho=*) host_alias=$ac_optarg ;; -htmldir | --htmldir | --htmldi | --htmld | --html | --htm | --ht) ac_prev=htmldir ;; -htmldir=* | --htmldir=* | --htmldi=* | --htmld=* | --html=* | --htm=* \ | --ht=*) htmldir=$ac_optarg ;; -includedir | --includedir | --includedi | --included | --include \ | --includ | --inclu | --incl | --inc) ac_prev=includedir ;; -includedir=* | --includedir=* | --includedi=* | --included=* | --include=* \ | --includ=* | --inclu=* | --incl=* | --inc=*) includedir=$ac_optarg ;; -infodir | --infodir | --infodi | --infod | --info | --inf) ac_prev=infodir ;; -infodir=* | --infodir=* | --infodi=* | --infod=* | --info=* | --inf=*) infodir=$ac_optarg ;; -libdir | --libdir | --libdi | --libd) ac_prev=libdir ;; -libdir=* | --libdir=* | --libdi=* | --libd=*) libdir=$ac_optarg ;; -libexecdir | --libexecdir | --libexecdi | --libexecd | --libexec \ | --libexe | --libex | --libe) ac_prev=libexecdir ;; -libexecdir=* | --libexecdir=* | --libexecdi=* | --libexecd=* | --libexec=* \ | --libexe=* | --libex=* | --libe=*) libexecdir=$ac_optarg ;; -localedir | --localedir | --localedi | --localed | --locale) ac_prev=localedir ;; -localedir=* | --localedir=* | --localedi=* | --localed=* | --locale=*) localedir=$ac_optarg ;; -localstatedir | --localstatedir | --localstatedi | --localstated \ | --localstate | --localstat | --localsta | --localst | --locals) ac_prev=localstatedir ;; -localstatedir=* | --localstatedir=* | --localstatedi=* | --localstated=* \ | --localstate=* | --localstat=* | --localsta=* | --localst=* | --locals=*) localstatedir=$ac_optarg ;; -mandir | --mandir | --mandi | --mand | --man | --ma | --m) ac_prev=mandir ;; -mandir=* | --mandir=* | --mandi=* | --mand=* | --man=* | --ma=* | --m=*) mandir=$ac_optarg ;; -nfp | --nfp | --nf) # Obsolete; use --without-fp. with_fp=no ;; -no-create | --no-create | --no-creat | --no-crea | --no-cre \ | --no-cr | --no-c | -n) no_create=yes ;; -no-recursion | --no-recursion | --no-recursio | --no-recursi \ | --no-recurs | --no-recur | --no-recu | --no-rec | --no-re | --no-r) no_recursion=yes ;; -oldincludedir | --oldincludedir | --oldincludedi | --oldincluded \ | --oldinclude | --oldinclud | --oldinclu | --oldincl | --oldinc \ | --oldin | --oldi | --old | --ol | --o) ac_prev=oldincludedir ;; -oldincludedir=* | --oldincludedir=* | --oldincludedi=* | --oldincluded=* \ | --oldinclude=* | --oldinclud=* | --oldinclu=* | --oldincl=* | --oldinc=* \ | --oldin=* | --oldi=* | --old=* | --ol=* | --o=*) oldincludedir=$ac_optarg ;; -prefix | --prefix | --prefi | --pref | --pre | --pr | --p) ac_prev=prefix ;; -prefix=* | --prefix=* | --prefi=* | --pref=* | --pre=* | --pr=* | --p=*) prefix=$ac_optarg ;; -program-prefix | --program-prefix | --program-prefi | --program-pref \ | --program-pre | --program-pr | --program-p) ac_prev=program_prefix ;; -program-prefix=* | --program-prefix=* | --program-prefi=* \ | --program-pref=* | --program-pre=* | --program-pr=* | --program-p=*) program_prefix=$ac_optarg ;; -program-suffix | --program-suffix | --program-suffi | --program-suff \ | --program-suf | --program-su | --program-s) ac_prev=program_suffix ;; -program-suffix=* | --program-suffix=* | --program-suffi=* \ | --program-suff=* | --program-suf=* | --program-su=* | --program-s=*) program_suffix=$ac_optarg ;; -program-transform-name | --program-transform-name \ | --program-transform-nam | --program-transform-na \ | --program-transform-n | --program-transform- \ | --program-transform | --program-transfor \ | --program-transfo | --program-transf \ | --program-trans | --program-tran \ | --progr-tra | --program-tr | --program-t) ac_prev=program_transform_name ;; -program-transform-name=* | --program-transform-name=* \ | --program-transform-nam=* | --program-transform-na=* \ | --program-transform-n=* | --program-transform-=* \ | --program-transform=* | --program-transfor=* \ | --program-transfo=* | --program-transf=* \ | --program-trans=* | --program-tran=* \ | --progr-tra=* | --program-tr=* | --program-t=*) program_transform_name=$ac_optarg ;; -pdfdir | --pdfdir | --pdfdi | --pdfd | --pdf | --pd) ac_prev=pdfdir ;; -pdfdir=* | --pdfdir=* | --pdfdi=* | --pdfd=* | --pdf=* | --pd=*) pdfdir=$ac_optarg ;; -psdir | --psdir | --psdi | --psd | --ps) ac_prev=psdir ;; -psdir=* | --psdir=* | --psdi=* | --psd=* | --ps=*) psdir=$ac_optarg ;; -q | -quiet | --quiet | --quie | --qui | --qu | --q \ | -silent | --silent | --silen | --sile | --sil) silent=yes ;; -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb) ac_prev=sbindir ;; -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \ | --sbi=* | --sb=*) sbindir=$ac_optarg ;; -sharedstatedir | --sharedstatedir | --sharedstatedi \ | --sharedstated | --sharedstate | --sharedstat | --sharedsta \ | --sharedst | --shareds | --shared | --share | --shar \ | --sha | --sh) ac_prev=sharedstatedir ;; -sharedstatedir=* | --sharedstatedir=* | --sharedstatedi=* \ | --sharedstated=* | --sharedstate=* | --sharedstat=* | --sharedsta=* \ | --sharedst=* | --shareds=* | --shared=* | --share=* | --shar=* \ | --sha=* | --sh=*) sharedstatedir=$ac_optarg ;; -site | --site | --sit) ac_prev=site ;; -site=* | --site=* | --sit=*) site=$ac_optarg ;; -srcdir | --srcdir | --srcdi | --srcd | --src | --sr) ac_prev=srcdir ;; -srcdir=* | --srcdir=* | --srcdi=* | --srcd=* | --src=* | --sr=*) srcdir=$ac_optarg ;; -sysconfdir | --sysconfdir | --sysconfdi | --sysconfd | --sysconf \ | --syscon | --sysco | --sysc | --sys | --sy) ac_prev=sysconfdir ;; -sysconfdir=* | --sysconfdir=* | --sysconfdi=* | --sysconfd=* | --sysconf=* \ | --syscon=* | --sysco=* | --sysc=* | --sys=* | --sy=*) sysconfdir=$ac_optarg ;; -target | --target | --targe | --targ | --tar | --ta | --t) ac_prev=target_alias ;; -target=* | --target=* | --targe=* | --targ=* | --tar=* | --ta=* | --t=*) target_alias=$ac_optarg ;; -v | -verbose | --verbose | --verbos | --verbo | --verb) verbose=yes ;; -version | --version | --versio | --versi | --vers | -V) ac_init_version=: ;; -with-* | --with-*) ac_useropt=`expr "x$ac_option" : 'x-*with-\([^=]*\)'` # Reject names that are not valid shell variable names. expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && as_fn_error $? "invalid package name: $ac_useropt" ac_useropt_orig=$ac_useropt ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'` case $ac_user_opts in *" "with_$ac_useropt" "*) ;; *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--with-$ac_useropt_orig" ac_unrecognized_sep=', ';; esac eval with_$ac_useropt=\$ac_optarg ;; -without-* | --without-*) ac_useropt=`expr "x$ac_option" : 'x-*without-\(.*\)'` # Reject names that are not valid shell variable names. expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && as_fn_error $? "invalid package name: $ac_useropt" ac_useropt_orig=$ac_useropt ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'` case $ac_user_opts in *" "with_$ac_useropt" "*) ;; *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--without-$ac_useropt_orig" ac_unrecognized_sep=', ';; esac eval with_$ac_useropt=no ;; --x) # Obsolete; use --with-x. with_x=yes ;; -x-includes | --x-includes | --x-include | --x-includ | --x-inclu \ | --x-incl | --x-inc | --x-in | --x-i) ac_prev=x_includes ;; -x-includes=* | --x-includes=* | --x-include=* | --x-includ=* | --x-inclu=* \ | --x-incl=* | --x-inc=* | --x-in=* | --x-i=*) x_includes=$ac_optarg ;; -x-libraries | --x-libraries | --x-librarie | --x-librari \ | --x-librar | --x-libra | --x-libr | --x-lib | --x-li | --x-l) ac_prev=x_libraries ;; -x-libraries=* | --x-libraries=* | --x-librarie=* | --x-librari=* \ | --x-librar=* | --x-libra=* | --x-libr=* | --x-lib=* | --x-li=* | --x-l=*) x_libraries=$ac_optarg ;; -*) as_fn_error $? "unrecognized option: \`$ac_option' Try \`$0 --help' for more information" ;; *=*) ac_envvar=`expr "x$ac_option" : 'x\([^=]*\)='` # Reject names that are not valid shell variable names. case $ac_envvar in #( '' | [0-9]* | *[!_$as_cr_alnum]* ) as_fn_error $? "invalid variable name: \`$ac_envvar'" ;; esac eval $ac_envvar=\$ac_optarg export $ac_envvar ;; *) # FIXME: should be removed in autoconf 3.0. $as_echo "$as_me: WARNING: you should use --build, --host, --target" >&2 expr "x$ac_option" : ".*[^-._$as_cr_alnum]" >/dev/null && $as_echo "$as_me: WARNING: invalid host type: $ac_option" >&2 : "${build_alias=$ac_option} ${host_alias=$ac_option} ${target_alias=$ac_option}" ;; esac done if test -n "$ac_prev"; then ac_option=--`echo $ac_prev | sed 's/_/-/g'` as_fn_error $? "missing argument to $ac_option" fi if test -n "$ac_unrecognized_opts"; then case $enable_option_checking in no) ;; fatal) as_fn_error $? "unrecognized options: $ac_unrecognized_opts" ;; *) $as_echo "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2 ;; esac fi # Check all directory arguments for consistency. for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \ datadir sysconfdir sharedstatedir localstatedir includedir \ oldincludedir docdir infodir htmldir dvidir pdfdir psdir \ libdir localedir mandir do eval ac_val=\$$ac_var # Remove trailing slashes. case $ac_val in */ ) ac_val=`expr "X$ac_val" : 'X\(.*[^/]\)' \| "X$ac_val" : 'X\(.*\)'` eval $ac_var=\$ac_val;; esac # Be sure to have absolute directory names. case $ac_val in [\\/$]* | ?:[\\/]* ) continue;; NONE | '' ) case $ac_var in *prefix ) continue;; esac;; esac as_fn_error $? "expected an absolute directory name for --$ac_var: $ac_val" done # There might be people who depend on the old broken behavior: `$host' # used to hold the argument of --host etc. # FIXME: To remove some day. build=$build_alias host=$host_alias target=$target_alias # FIXME: To remove some day. if test "x$host_alias" != x; then if test "x$build_alias" = x; then cross_compiling=maybe elif test "x$build_alias" != "x$host_alias"; then cross_compiling=yes fi fi ac_tool_prefix= test -n "$host_alias" && ac_tool_prefix=$host_alias- test "$silent" = yes && exec 6>/dev/null ac_pwd=`pwd` && test -n "$ac_pwd" && ac_ls_di=`ls -di .` && ac_pwd_ls_di=`cd "$ac_pwd" && ls -di .` || as_fn_error $? "working directory cannot be determined" test "X$ac_ls_di" = "X$ac_pwd_ls_di" || as_fn_error $? "pwd does not report name of working directory" # Find the source files, if location was not specified. if test -z "$srcdir"; then ac_srcdir_defaulted=yes # Try the directory containing this script, then the parent directory. ac_confdir=`$as_dirname -- "$as_myself" || $as_expr X"$as_myself" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ X"$as_myself" : 'X\(//\)[^/]' \| \ X"$as_myself" : 'X\(//\)$' \| \ X"$as_myself" : 'X\(/\)' \| . 2>/dev/null || $as_echo X"$as_myself" | sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/ q } /^X\(\/\/\)[^/].*/{ s//\1/ q } /^X\(\/\/\)$/{ s//\1/ q } /^X\(\/\).*/{ s//\1/ q } s/.*/./; q'` srcdir=$ac_confdir if test ! -r "$srcdir/$ac_unique_file"; then srcdir=.. fi else ac_srcdir_defaulted=no fi if test ! -r "$srcdir/$ac_unique_file"; then test "$ac_srcdir_defaulted" = yes && srcdir="$ac_confdir or .." as_fn_error $? "cannot find sources ($ac_unique_file) in $srcdir" fi ac_msg="sources are in $srcdir, but \`cd $srcdir' does not work" ac_abs_confdir=`( cd "$srcdir" && test -r "./$ac_unique_file" || as_fn_error $? "$ac_msg" pwd)` # When building in place, set srcdir=. if test "$ac_abs_confdir" = "$ac_pwd"; then srcdir=. fi # Remove unnecessary trailing slashes from srcdir. # Double slashes in file names in object file debugging info # mess up M-x gdb in Emacs. case $srcdir in */) srcdir=`expr "X$srcdir" : 'X\(.*[^/]\)' \| "X$srcdir" : 'X\(.*\)'`;; esac for ac_var in $ac_precious_vars; do eval ac_env_${ac_var}_set=\${${ac_var}+set} eval ac_env_${ac_var}_value=\$${ac_var} eval ac_cv_env_${ac_var}_set=\${${ac_var}+set} eval ac_cv_env_${ac_var}_value=\$${ac_var} done # # Report the --help message. # if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF \`configure' configures OpenVPN 2.4.4 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... To assign environment variables (e.g., CC, CFLAGS...), specify them as VAR=VALUE. See below for descriptions of some of the useful variables. Defaults for the options are specified in brackets. Configuration: -h, --help display this help and exit --help=short display options specific to this package --help=recursive display the short help of all the included packages -V, --version display version information and exit -q, --quiet, --silent do not print \`checking ...' messages --cache-file=FILE cache test results in FILE [disabled] -C, --config-cache alias for \`--cache-file=config.cache' -n, --no-create do not create output files --srcdir=DIR find the sources in DIR [configure dir or \`..'] Installation directories: --prefix=PREFIX install architecture-independent files in PREFIX [$ac_default_prefix] --exec-prefix=EPREFIX install architecture-dependent files in EPREFIX [PREFIX] By default, \`make install' will install all the files in \`$ac_default_prefix/bin', \`$ac_default_prefix/lib' etc. You can specify an installation prefix other than \`$ac_default_prefix' using \`--prefix', for instance \`--prefix=\$HOME'. For better control, use the options below. Fine tuning of the installation directories: --bindir=DIR user executables [EPREFIX/bin] --sbindir=DIR system admin executables [EPREFIX/sbin] --libexecdir=DIR program executables [EPREFIX/libexec] --sysconfdir=DIR read-only single-machine data [PREFIX/etc] --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com] --localstatedir=DIR modifiable single-machine data [PREFIX/var] --libdir=DIR object code libraries [EPREFIX/lib] --includedir=DIR C header files [PREFIX/include] --oldincludedir=DIR C header files for non-gcc [/usr/include] --datarootdir=DIR read-only arch.-independent data root [PREFIX/share] --datadir=DIR read-only architecture-independent data [DATAROOTDIR] --infodir=DIR info documentation [DATAROOTDIR/info] --localedir=DIR locale-dependent data [DATAROOTDIR/locale] --mandir=DIR man documentation [DATAROOTDIR/man] --docdir=DIR documentation root [DATAROOTDIR/doc/openvpn] --htmldir=DIR html documentation [DOCDIR] --dvidir=DIR dvi documentation [DOCDIR] --pdfdir=DIR pdf documentation [DOCDIR] --psdir=DIR ps documentation [DOCDIR] _ACEOF cat <<\_ACEOF Program names: --program-prefix=PREFIX prepend PREFIX to installed program names --program-suffix=SUFFIX append SUFFIX to installed program names --program-transform-name=PROGRAM run sed PROGRAM on installed program names System types: --build=BUILD configure for building on BUILD [guessed] --host=HOST cross-compile to build programs to run on HOST [BUILD] _ACEOF fi if test -n "$ac_init_help"; then case $ac_init_help in short | recursive ) echo "Configuration of OpenVPN 2.4.4:";; esac cat <<\_ACEOF Optional Features: --disable-option-checking ignore unrecognized --enable/--with options --disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no) --enable-FEATURE[=ARG] include FEATURE [ARG=yes] --enable-silent-rules less verbose build output (undo: "make V=1") --disable-silent-rules verbose build output (undo: "make V=0") --enable-dependency-tracking do not reject slow dependency extractors --disable-dependency-tracking speeds up one-time build --disable-lzo disable LZO compression support [default=yes] --disable-lz4 Disable LZ4 compression support --enable-comp-stub Don't compile compression support but still allow limited interoperability with compression-enabled peers --disable-crypto disable crypto support [default=yes] --disable-ofb-cfb disable support for OFB and CFB cipher modes [default=yes] --enable-x509-alt-username enable the --x509-username-field feature [default=no] --disable-server disable server support only (but retain client support) [default=yes] --disable-plugins disable plug-in support [default=yes] --disable-management disable management server support [default=yes] --enable-pkcs11 enable pkcs11 support [default=no] --disable-fragment disable internal fragmentation support (--fragment) [default=yes] --disable-multihome disable multi-homed UDP server support (--multihome) [default=yes] --disable-port-share disable TCP server port-share support (--port-share) [default=yes] --disable-debug disable debugging support (disable gremlin and verb 7+ messages) [default=yes] --enable-small enable smaller executable size (disable OCC, usage message, and verb 4 parm list) [default=no] --enable-iproute2 enable support for iproute2 [default=no] --disable-def-auth disable deferred authentication [default=yes] --disable-pf disable internal packet filter [default=yes] --disable-plugin-auth-pam disable auth-pam plugin [default=platform specific] --disable-plugin-down-root disable down-root plugin [default=platform specific] --enable-pam-dlopen dlopen libpam [default=no] --enable-strict enable strict compiler warnings (debugging option) [default=no] --enable-pedantic enable pedantic compiler warnings, will not generate a working executable (debugging option) [default=no] --enable-werror promote compiler warnings to errors, will cause builds to fail if the compiler issues warnings (debugging option) [default=no] --enable-strict-options enable strict options check between peers (debugging option) [default=no] --enable-selinux enable SELinux support [default=no] --enable-systemd enable systemd suppport [default=no] --enable-async-push enable async-push support for plugins providing deferred authentication [default=no] --enable-shared[=PKGS] build shared libraries [default=yes] --enable-static[=PKGS] build static libraries [default=yes] --enable-fast-install[=PKGS] optimize for fast installation [default=yes] --disable-libtool-lock avoid locking (might break parallel builds) Optional Packages: --with-PACKAGE[=ARG] use PACKAGE [ARG=yes] --without-PACKAGE do not use PACKAGE (same as --with-PACKAGE=no) --with-special-build=STRING specify special build string --with-mem-check=TYPE build with debug memory checking, TYPE=no|dmalloc|valgrind|ssl [default=no] --with-crypto-library=library build with the given crypto library, TYPE=openssl|mbedtls [default=openssl] --with-pic[=PKGS] try to use only PIC/non-PIC objects [default=use both] --with-gnu-ld assume the C compiler uses GNU ld [default=no] --with-sysroot=DIR Search for dependent libraries within DIR (or the compiler's sysroot if not specified). Some influential environment variables: CC C compiler command CFLAGS C compiler flags LDFLAGS linker flags, e.g. -L if you have libraries in a nonstandard directory LIBS libraries to pass to the linker, e.g. -l CPPFLAGS (Objective) C/C++ preprocessor flags, e.g. -I if you have headers in a nonstandard directory CPP C preprocessor PLUGINDIR Path of plug-in directory [default=LIBDIR/openvpn/plugins] PKG_CONFIG path to pkg-config utility PKG_CONFIG_PATH directories to add to pkg-config's search path PKG_CONFIG_LIBDIR path overriding pkg-config's built-in search path IFCONFIG full path to ipconfig utility ROUTE full path to route utility IPROUTE full path to ip utility NETSTAT path to netstat utility MAN2HTML path to man2html utility GIT path to git utility SYSTEMD_ASK_PASSWORD path to systemd-ask-password utility SYSTEMD_UNIT_DIR Path of systemd unit directory [default=LIBDIR/systemd/system] TMPFILES_DIR Path of tmpfiles directory [default=LIBDIR/tmpfiles.d] TAP_CFLAGS C compiler flags for tap LIBPAM_CFLAGS C compiler flags for libpam LIBPAM_LIBS linker flags for libpam PKCS11_HELPER_CFLAGS C compiler flags for PKCS11_HELPER, overriding pkg-config PKCS11_HELPER_LIBS linker flags for PKCS11_HELPER, overriding pkg-config OPENSSL_CFLAGS C compiler flags for OpenSSL OPENSSL_LIBS linker flags for OpenSSL MBEDTLS_CFLAGS C compiler flags for mbedtls MBEDTLS_LIBS linker flags for mbedtls LZO_CFLAGS C compiler flags for lzo LZO_LIBS linker flags for lzo LZ4_CFLAGS C compiler flags for lz4 LZ4_LIBS linker flags for lz4 libsystemd_CFLAGS C compiler flags for libsystemd, overriding pkg-config libsystemd_LIBS linker flags for libsystemd, overriding pkg-config P11KIT_CFLAGS C compiler flags for P11KIT, overriding pkg-config P11KIT_LIBS linker flags for P11KIT, overriding pkg-config Use these variables to override the choices made by `configure' or to help it to find libraries and programs with nonstandard names/locations. Report bugs to . _ACEOF ac_status=$? fi if test "$ac_init_help" = "recursive"; then # If there are subdirs, report their specific --help. for ac_dir in : $ac_subdirs_all; do test "x$ac_dir" = x: && continue test -d "$ac_dir" || { cd "$srcdir" && ac_pwd=`pwd` && srcdir=. && test -d "$ac_dir"; } || continue ac_builddir=. case "$ac_dir" in .) ac_dir_suffix= ac_top_builddir_sub=. ac_top_build_prefix= ;; *) ac_dir_suffix=/`$as_echo "$ac_dir" | sed 's|^\.[\\/]||'` # A ".." for each directory in $ac_dir_suffix. ac_top_builddir_sub=`$as_echo "$ac_dir_suffix" | sed 's|/[^\\/]*|/..|g;s|/||'` case $ac_top_builddir_sub in "") ac_top_builddir_sub=. ac_top_build_prefix= ;; *) ac_top_build_prefix=$ac_top_builddir_sub/ ;; esac ;; esac ac_abs_top_builddir=$ac_pwd ac_abs_builddir=$ac_pwd$ac_dir_suffix # for backward compatibility: ac_top_builddir=$ac_top_build_prefix case $srcdir in .) # We are building in place. ac_srcdir=. ac_top_srcdir=$ac_top_builddir_sub ac_abs_top_srcdir=$ac_pwd ;; [\\/]* | ?:[\\/]* ) # Absolute name. ac_srcdir=$srcdir$ac_dir_suffix; ac_top_srcdir=$srcdir ac_abs_top_srcdir=$srcdir ;; *) # Relative name. ac_srcdir=$ac_top_build_prefix$srcdir$ac_dir_suffix ac_top_srcdir=$ac_top_build_prefix$srcdir ac_abs_top_srcdir=$ac_pwd/$srcdir ;; esac ac_abs_srcdir=$ac_abs_top_srcdir$ac_dir_suffix cd "$ac_dir" || { ac_status=$?; continue; } # Check for guested configure. if test -f "$ac_srcdir/configure.gnu"; then echo && $SHELL "$ac_srcdir/configure.gnu" --help=recursive elif test -f "$ac_srcdir/configure"; then echo && $SHELL "$ac_srcdir/configure" --help=recursive else $as_echo "$as_me: WARNING: no configuration information is in $ac_dir" >&2 fi || ac_status=$? cd "$ac_pwd" || { ac_status=$?; break; } done fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF OpenVPN configure 2.4.4 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. This configure script is free software; the Free Software Foundation gives unlimited permission to copy, distribute and modify it. _ACEOF exit fi ## ------------------------ ## ## Autoconf initialization. ## ## ------------------------ ## # ac_fn_c_try_compile LINENO # -------------------------- # Try to compile conftest.$ac_ext, and return whether this succeeded. ac_fn_c_try_compile () { as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack rm -f conftest.$ac_objext if { { ac_try="$ac_compile" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" $as_echo "$ac_try_echo"; } >&5 (eval "$ac_compile") 2>conftest.err ac_status=$? if test -s conftest.err; then grep -v '^ *+' conftest.err >conftest.er1 cat conftest.er1 >&5 mv -f conftest.er1 conftest.err fi $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err } && test -s conftest.$ac_objext; then : ac_retval=0 else $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 ac_retval=1 fi eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno as_fn_set_status $ac_retval } # ac_fn_c_try_compile # ac_fn_c_try_cpp LINENO # ---------------------- # Try to preprocess conftest.$ac_ext, and return whether this succeeded. ac_fn_c_try_cpp () { as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack if { { ac_try="$ac_cpp conftest.$ac_ext" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" $as_echo "$ac_try_echo"; } >&5 (eval "$ac_cpp conftest.$ac_ext") 2>conftest.err ac_status=$? if test -s conftest.err; then grep -v '^ *+' conftest.err >conftest.er1 cat conftest.er1 >&5 mv -f conftest.er1 conftest.err fi $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; } > conftest.i && { test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" || test ! -s conftest.err }; then : ac_retval=0 else $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 ac_retval=1 fi eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno as_fn_set_status $ac_retval } # ac_fn_c_try_cpp # ac_fn_c_check_header_mongrel LINENO HEADER VAR INCLUDES # ------------------------------------------------------- # Tests whether HEADER exists, giving a warning if it cannot be compiled using # the include files in INCLUDES and setting the cache variable VAR # accordingly. ac_fn_c_check_header_mongrel () { as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack if eval \${$3+:} false; then : { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5 $as_echo_n "checking for $2... " >&6; } if eval \${$3+:} false; then : $as_echo_n "(cached) " >&6 fi eval ac_res=\$$3 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 $as_echo "$ac_res" >&6; } else # Is the header compilable? { $as_echo "$as_me:${as_lineno-$LINENO}: checking $2 usability" >&5 $as_echo_n "checking $2 usability... " >&6; } cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $4 #include <$2> _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ac_header_compiler=yes else ac_header_compiler=no fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_header_compiler" >&5 $as_echo "$ac_header_compiler" >&6; } # Is the header present? { $as_echo "$as_me:${as_lineno-$LINENO}: checking $2 presence" >&5 $as_echo_n "checking $2 presence... " >&6; } cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include <$2> _ACEOF if ac_fn_c_try_cpp "$LINENO"; then : ac_header_preproc=yes else ac_header_preproc=no fi rm -f conftest.err conftest.i conftest.$ac_ext { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_header_preproc" >&5 $as_echo "$ac_header_preproc" >&6; } # So? What about this header? case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in #(( yes:no: ) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: accepted by the compiler, rejected by the preprocessor!" >&5 $as_echo "$as_me: WARNING: $2: accepted by the compiler, rejected by the preprocessor!" >&2;} { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: proceeding with the compiler's result" >&5 $as_echo "$as_me: WARNING: $2: proceeding with the compiler's result" >&2;} ;; no:yes:* ) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: present but cannot be compiled" >&5 $as_echo "$as_me: WARNING: $2: present but cannot be compiled" >&2;} { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: check for missing prerequisite headers?" >&5 $as_echo "$as_me: WARNING: $2: check for missing prerequisite headers?" >&2;} { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: see the Autoconf documentation" >&5 $as_echo "$as_me: WARNING: $2: see the Autoconf documentation" >&2;} { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: section \"Present But Cannot Be Compiled\"" >&5 $as_echo "$as_me: WARNING: $2: section \"Present But Cannot Be Compiled\"" >&2;} { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: proceeding with the compiler's result" >&5 $as_echo "$as_me: WARNING: $2: proceeding with the compiler's result" >&2;} ( $as_echo "## -------------------------------------------------- ## ## Report this to openvpn-users@lists.sourceforge.net ## ## -------------------------------------------------- ##" ) | sed "s/^/$as_me: WARNING: /" >&2 ;; esac { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5 $as_echo_n "checking for $2... " >&6; } if eval \${$3+:} false; then : $as_echo_n "(cached) " >&6 else eval "$3=\$ac_header_compiler" fi eval ac_res=\$$3 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 $as_echo "$ac_res" >&6; } fi eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno } # ac_fn_c_check_header_mongrel # ac_fn_c_try_run LINENO # ---------------------- # Try to link conftest.$ac_ext, and return whether this succeeded. Assumes # that executables *can* be run. ac_fn_c_try_run () { as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack if { { ac_try="$ac_link" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" $as_echo "$ac_try_echo"; } >&5 (eval "$ac_link") 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; } && { ac_try='./conftest$ac_exeext' { { case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" $as_echo "$ac_try_echo"; } >&5 (eval "$ac_try") 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; }; then : ac_retval=0 else $as_echo "$as_me: program exited with status $ac_status" >&5 $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 ac_retval=$ac_status fi rm -rf conftest.dSYM conftest_ipa8_conftest.oo eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno as_fn_set_status $ac_retval } # ac_fn_c_try_run # ac_fn_c_check_header_compile LINENO HEADER VAR INCLUDES # ------------------------------------------------------- # Tests whether HEADER exists and can be compiled using the include files in # INCLUDES, setting the cache variable VAR accordingly. ac_fn_c_check_header_compile () { as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5 $as_echo_n "checking for $2... " >&6; } if eval \${$3+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $4 #include <$2> _ACEOF if ac_fn_c_try_compile "$LINENO"; then : eval "$3=yes" else eval "$3=no" fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi eval ac_res=\$$3 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 $as_echo "$ac_res" >&6; } eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno } # ac_fn_c_check_header_compile # ac_fn_c_try_link LINENO # ----------------------- # Try to link conftest.$ac_ext, and return whether this succeeded. ac_fn_c_try_link () { as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack rm -f conftest.$ac_objext conftest$ac_exeext if { { ac_try="$ac_link" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" $as_echo "$ac_try_echo"; } >&5 (eval "$ac_link") 2>conftest.err ac_status=$? if test -s conftest.err; then grep -v '^ *+' conftest.err >conftest.er1 cat conftest.er1 >&5 mv -f conftest.er1 conftest.err fi $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err } && test -s conftest$ac_exeext && { test "$cross_compiling" = yes || test -x conftest$ac_exeext }; then : ac_retval=0 else $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 ac_retval=1 fi # Delete the IPA/IPO (Inter Procedural Analysis/Optimization) information # created by the PGI compiler (conftest_ipa8_conftest.oo), as it would # interfere with the next link command; also delete a directory that is # left behind by Apple's compiler. We do this before executing the actions. rm -rf conftest.dSYM conftest_ipa8_conftest.oo eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno as_fn_set_status $ac_retval } # ac_fn_c_try_link # ac_fn_c_check_func LINENO FUNC VAR # ---------------------------------- # Tests whether FUNC exists, setting the cache variable VAR accordingly ac_fn_c_check_func () { as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5 $as_echo_n "checking for $2... " >&6; } if eval \${$3+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Define $2 to an innocuous variant, in case declares $2. For example, HP-UX 11i declares gettimeofday. */ #define $2 innocuous_$2 /* System header to define __stub macros and hopefully few prototypes, which can conflict with char $2 (); below. Prefer to if __STDC__ is defined, since exists even on freestanding compilers. */ #ifdef __STDC__ # include #else # include #endif #undef $2 /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC builtin and then its argument prototype would still apply. */ #ifdef __cplusplus extern "C" #endif char $2 (); /* The GNU C library defines this for functions which it implements to always fail with ENOSYS. Some functions are actually named something starting with __ and the normal name is an alias. */ #if defined __stub_$2 || defined __stub___$2 choke me #endif int main () { return $2 (); ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO"; then : eval "$3=yes" else eval "$3=no" fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext fi eval ac_res=\$$3 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 $as_echo "$ac_res" >&6; } eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno } # ac_fn_c_check_func # ac_fn_c_check_type LINENO TYPE VAR INCLUDES # ------------------------------------------- # Tests whether TYPE exists after having included INCLUDES, setting cache # variable VAR accordingly. ac_fn_c_check_type () { as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5 $as_echo_n "checking for $2... " >&6; } if eval \${$3+:} false; then : $as_echo_n "(cached) " >&6 else eval "$3=no" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $4 int main () { if (sizeof ($2)) return 0; ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $4 int main () { if (sizeof (($2))) return 0; ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : else eval "$3=yes" fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi eval ac_res=\$$3 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 $as_echo "$ac_res" >&6; } eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno } # ac_fn_c_check_type # ac_fn_c_find_intX_t LINENO BITS VAR # ----------------------------------- # Finds a signed integer type with width BITS, setting cache variable VAR # accordingly. ac_fn_c_find_intX_t () { as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack { $as_echo "$as_me:${as_lineno-$LINENO}: checking for int$2_t" >&5 $as_echo_n "checking for int$2_t... " >&6; } if eval \${$3+:} false; then : $as_echo_n "(cached) " >&6 else eval "$3=no" # Order is important - never check a type that is potentially smaller # than half of the expected target width. for ac_type in int$2_t 'int' 'long int' \ 'long long int' 'short int' 'signed char'; do cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $ac_includes_default enum { N = $2 / 2 - 1 }; int main () { static int test_array [1 - 2 * !(0 < ($ac_type) ((((($ac_type) 1 << N) << N) - 1) * 2 + 1))]; test_array [0] = 0; return test_array [0]; ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $ac_includes_default enum { N = $2 / 2 - 1 }; int main () { static int test_array [1 - 2 * !(($ac_type) ((((($ac_type) 1 << N) << N) - 1) * 2 + 1) < ($ac_type) ((((($ac_type) 1 << N) << N) - 1) * 2 + 2))]; test_array [0] = 0; return test_array [0]; ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : else case $ac_type in #( int$2_t) : eval "$3=yes" ;; #( *) : eval "$3=\$ac_type" ;; esac fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext if eval test \"x\$"$3"\" = x"no"; then : else break fi done fi eval ac_res=\$$3 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 $as_echo "$ac_res" >&6; } eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno } # ac_fn_c_find_intX_t # ac_fn_c_find_uintX_t LINENO BITS VAR # ------------------------------------ # Finds an unsigned integer type with width BITS, setting cache variable VAR # accordingly. ac_fn_c_find_uintX_t () { as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack { $as_echo "$as_me:${as_lineno-$LINENO}: checking for uint$2_t" >&5 $as_echo_n "checking for uint$2_t... " >&6; } if eval \${$3+:} false; then : $as_echo_n "(cached) " >&6 else eval "$3=no" # Order is important - never check a type that is potentially smaller # than half of the expected target width. for ac_type in uint$2_t 'unsigned int' 'unsigned long int' \ 'unsigned long long int' 'unsigned short int' 'unsigned char'; do cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $ac_includes_default int main () { static int test_array [1 - 2 * !((($ac_type) -1 >> ($2 / 2 - 1)) >> ($2 / 2 - 1) == 3)]; test_array [0] = 0; return test_array [0]; ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : case $ac_type in #( uint$2_t) : eval "$3=yes" ;; #( *) : eval "$3=\$ac_type" ;; esac fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext if eval test \"x\$"$3"\" = x"no"; then : else break fi done fi eval ac_res=\$$3 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 $as_echo "$ac_res" >&6; } eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno } # ac_fn_c_find_uintX_t # ac_fn_c_compute_int LINENO EXPR ax_cv_socklen_t_equiv INCLUDES # -------------------------------------------------------------- # Tries to find the compile-time value of EXPR in a program that includes # INCLUDES, setting VAR accordingly. Returns whether the value could be # computed ac_fn_c_compute_int () { as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack if test "$cross_compiling" = yes; then # Depending upon the size, compute the lo and hi bounds. cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $4 int main () { static int test_array [1 - 2 * !(($2) >= 0)]; test_array [0] = 0; return test_array [0]; ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ac_lo=0 ac_mid=0 while :; do cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $4 int main () { static int test_array [1 - 2 * !(($2) <= $ac_mid)]; test_array [0] = 0; return test_array [0]; ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ac_hi=$ac_mid; break else as_fn_arith $ac_mid + 1 && ac_lo=$as_val if test $ac_lo -le $ac_mid; then ac_lo= ac_hi= break fi as_fn_arith 2 '*' $ac_mid + 1 && ac_mid=$as_val fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext done else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $4 int main () { static int test_array [1 - 2 * !(($2) < 0)]; test_array [0] = 0; return test_array [0]; ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ac_hi=-1 ac_mid=-1 while :; do cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $4 int main () { static int test_array [1 - 2 * !(($2) >= $ac_mid)]; test_array [0] = 0; return test_array [0]; ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ac_lo=$ac_mid; break else as_fn_arith '(' $ac_mid ')' - 1 && ac_hi=$as_val if test $ac_mid -le $ac_hi; then ac_lo= ac_hi= break fi as_fn_arith 2 '*' $ac_mid && ac_mid=$as_val fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext done else ac_lo= ac_hi= fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext # Binary search between lo and hi bounds. while test "x$ac_lo" != "x$ac_hi"; do as_fn_arith '(' $ac_hi - $ac_lo ')' / 2 + $ac_lo && ac_mid=$as_val cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $4 int main () { static int test_array [1 - 2 * !(($2) <= $ac_mid)]; test_array [0] = 0; return test_array [0]; ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ac_hi=$ac_mid else as_fn_arith '(' $ac_mid ')' + 1 && ac_lo=$as_val fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext done case $ac_lo in #(( ?*) eval "$3=\$ac_lo"; ac_retval=0 ;; '') ac_retval=1 ;; esac else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $4 static long int longval () { return $2; } static unsigned long int ulongval () { return $2; } #include #include int main () { FILE *f = fopen ("conftest.val", "w"); if (! f) return 1; if (($2) < 0) { long int i = longval (); if (i != ($2)) return 1; fprintf (f, "%ld", i); } else { unsigned long int i = ulongval (); if (i != ($2)) return 1; fprintf (f, "%lu", i); } /* Do not output a trailing newline, as this causes \r\n confusion on some platforms. */ return ferror (f) || fclose (f) != 0; ; return 0; } _ACEOF if ac_fn_c_try_run "$LINENO"; then : echo >>conftest.val; read $3 &5 $as_echo_n "checking for $2.$3... " >&6; } if eval \${$4+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $5 int main () { static $2 ac_aggr; if (ac_aggr.$3) return 0; ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : eval "$4=yes" else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $5 int main () { static $2 ac_aggr; if (sizeof ac_aggr.$3) return 0; ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : eval "$4=yes" else eval "$4=no" fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi eval ac_res=\$$4 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 $as_echo "$ac_res" >&6; } eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno } # ac_fn_c_check_member # ac_fn_c_check_decl LINENO SYMBOL ax_cv_socklen_t_equiv INCLUDES # --------------------------------------------------------------- # Tests whether SYMBOL is declared in INCLUDES, setting cache variable VAR # accordingly. ac_fn_c_check_decl () { as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack as_decl_name=`echo $2|sed 's/ *(.*//'` as_decl_use=`echo $2|sed -e 's/(/((/' -e 's/)/) 0&/' -e 's/,/) 0& (/g'` { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $as_decl_name is declared" >&5 $as_echo_n "checking whether $as_decl_name is declared... " >&6; } if eval \${$3+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $4 int main () { #ifndef $as_decl_name #ifdef __cplusplus (void) $as_decl_use; #else (void) $as_decl_name; #endif #endif ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : eval "$3=yes" else eval "$3=no" fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi eval ac_res=\$$3 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 $as_echo "$ac_res" >&6; } eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno } # ac_fn_c_check_decl cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. It was created by OpenVPN $as_me 2.4.4, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ _ACEOF exec 5>>config.log { cat <<_ASUNAME ## --------- ## ## Platform. ## ## --------- ## hostname = `(hostname || uname -n) 2>/dev/null | sed 1q` uname -m = `(uname -m) 2>/dev/null || echo unknown` uname -r = `(uname -r) 2>/dev/null || echo unknown` uname -s = `(uname -s) 2>/dev/null || echo unknown` uname -v = `(uname -v) 2>/dev/null || echo unknown` /usr/bin/uname -p = `(/usr/bin/uname -p) 2>/dev/null || echo unknown` /bin/uname -X = `(/bin/uname -X) 2>/dev/null || echo unknown` /bin/arch = `(/bin/arch) 2>/dev/null || echo unknown` /usr/bin/arch -k = `(/usr/bin/arch -k) 2>/dev/null || echo unknown` /usr/convex/getsysinfo = `(/usr/convex/getsysinfo) 2>/dev/null || echo unknown` /usr/bin/hostinfo = `(/usr/bin/hostinfo) 2>/dev/null || echo unknown` /bin/machine = `(/bin/machine) 2>/dev/null || echo unknown` /usr/bin/oslevel = `(/usr/bin/oslevel) 2>/dev/null || echo unknown` /bin/universe = `(/bin/universe) 2>/dev/null || echo unknown` _ASUNAME as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. $as_echo "PATH: $as_dir" done IFS=$as_save_IFS } >&5 cat >&5 <<_ACEOF ## ----------- ## ## Core tests. ## ## ----------- ## _ACEOF # Keep a trace of the command line. # Strip out --no-create and --no-recursion so they do not pile up. # Strip out --silent because we don't want to record it for future runs. # Also quote any args containing shell meta-characters. # Make two passes to allow for proper duplicate-argument suppression. ac_configure_args= ac_configure_args0= ac_configure_args1= ac_must_keep_next=false for ac_pass in 1 2 do for ac_arg do case $ac_arg in -no-create | --no-c* | -n | -no-recursion | --no-r*) continue ;; -q | -quiet | --quiet | --quie | --qui | --qu | --q \ | -silent | --silent | --silen | --sile | --sil) continue ;; *\'*) ac_arg=`$as_echo "$ac_arg" | sed "s/'/'\\\\\\\\''/g"` ;; esac case $ac_pass in 1) as_fn_append ac_configure_args0 " '$ac_arg'" ;; 2) as_fn_append ac_configure_args1 " '$ac_arg'" if test $ac_must_keep_next = true; then ac_must_keep_next=false # Got value, back to normal. else case $ac_arg in *=* | --config-cache | -C | -disable-* | --disable-* \ | -enable-* | --enable-* | -gas | --g* | -nfp | --nf* \ | -q | -quiet | --q* | -silent | --sil* | -v | -verb* \ | -with-* | --with-* | -without-* | --without-* | --x) case "$ac_configure_args0 " in "$ac_configure_args1"*" '$ac_arg' "* ) continue ;; esac ;; -* ) ac_must_keep_next=true ;; esac fi as_fn_append ac_configure_args " '$ac_arg'" ;; esac done done { ac_configure_args0=; unset ac_configure_args0;} { ac_configure_args1=; unset ac_configure_args1;} # When interrupted or exit'd, cleanup temporary files, and complete # config.log. We remove comments because anyway the quotes in there # would cause problems or look ugly. # WARNING: Use '\'' to represent an apostrophe within the trap. # WARNING: Do not start the trap code with a newline, due to a FreeBSD 4.0 bug. trap 'exit_status=$? # Save into config.log some information that might help in debugging. { echo $as_echo "## ---------------- ## ## Cache variables. ## ## ---------------- ##" echo # The following way of writing the cache mishandles newlines in values, ( for ac_var in `(set) 2>&1 | sed -n '\''s/^\([a-zA-Z_][a-zA-Z0-9_]*\)=.*/\1/p'\''`; do eval ac_val=\$$ac_var case $ac_val in #( *${as_nl}*) case $ac_var in #( *_cv_*) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cache variable $ac_var contains a newline" >&5 $as_echo "$as_me: WARNING: cache variable $ac_var contains a newline" >&2;} ;; esac case $ac_var in #( _ | IFS | as_nl) ;; #( BASH_ARGV | BASH_SOURCE) eval $ac_var= ;; #( *) { eval $ac_var=; unset $ac_var;} ;; esac ;; esac done (set) 2>&1 | case $as_nl`(ac_space='\'' '\''; set) 2>&1` in #( *${as_nl}ac_space=\ *) sed -n \ "s/'\''/'\''\\\\'\'''\''/g; s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='\''\\2'\''/p" ;; #( *) sed -n "/^[_$as_cr_alnum]*_cv_[_$as_cr_alnum]*=/p" ;; esac | sort ) echo $as_echo "## ----------------- ## ## Output variables. ## ## ----------------- ##" echo for ac_var in $ac_subst_vars do eval ac_val=\$$ac_var case $ac_val in *\'\''*) ac_val=`$as_echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;; esac $as_echo "$ac_var='\''$ac_val'\''" done | sort echo if test -n "$ac_subst_files"; then $as_echo "## ------------------- ## ## File substitutions. ## ## ------------------- ##" echo for ac_var in $ac_subst_files do eval ac_val=\$$ac_var case $ac_val in *\'\''*) ac_val=`$as_echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;; esac $as_echo "$ac_var='\''$ac_val'\''" done | sort echo fi if test -s confdefs.h; then $as_echo "## ----------- ## ## confdefs.h. ## ## ----------- ##" echo cat confdefs.h echo fi test "$ac_signal" != 0 && $as_echo "$as_me: caught signal $ac_signal" $as_echo "$as_me: exit $exit_status" } >&5 rm -f core *.core core.conftest.* && rm -f -r conftest* confdefs* conf$$* $ac_clean_files && exit $exit_status ' 0 for ac_signal in 1 2 13 15; do trap 'ac_signal='$ac_signal'; as_fn_exit 1' $ac_signal done ac_signal=0 # confdefs.h avoids OS command line length limits that DEFS can exceed. rm -f -r conftest* confdefs.h $as_echo "/* confdefs.h */" > confdefs.h # Predefined preprocessor variables. cat >>confdefs.h <<_ACEOF #define PACKAGE_NAME "$PACKAGE_NAME" _ACEOF cat >>confdefs.h <<_ACEOF #define PACKAGE_TARNAME "$PACKAGE_TARNAME" _ACEOF cat >>confdefs.h <<_ACEOF #define PACKAGE_VERSION "$PACKAGE_VERSION" _ACEOF cat >>confdefs.h <<_ACEOF #define PACKAGE_STRING "$PACKAGE_STRING" _ACEOF cat >>confdefs.h <<_ACEOF #define PACKAGE_BUGREPORT "$PACKAGE_BUGREPORT" _ACEOF cat >>confdefs.h <<_ACEOF #define PACKAGE_URL "$PACKAGE_URL" _ACEOF # Let the site file select an alternate cache file if it wants to. # Prefer an explicitly selected file to automatically selected ones. ac_site_file1=NONE ac_site_file2=NONE if test -n "$CONFIG_SITE"; then # We do not want a PATH search for config.site. case $CONFIG_SITE in #(( -*) ac_site_file1=./$CONFIG_SITE;; */*) ac_site_file1=$CONFIG_SITE;; *) ac_site_file1=./$CONFIG_SITE;; esac elif test "x$prefix" != xNONE; then ac_site_file1=$prefix/share/config.site ac_site_file2=$prefix/etc/config.site else ac_site_file1=$ac_default_prefix/share/config.site ac_site_file2=$ac_default_prefix/etc/config.site fi for ac_site_file in "$ac_site_file1" "$ac_site_file2" do test "x$ac_site_file" = xNONE && continue if test /dev/null != "$ac_site_file" && test -r "$ac_site_file"; then { $as_echo "$as_me:${as_lineno-$LINENO}: loading site script $ac_site_file" >&5 $as_echo "$as_me: loading site script $ac_site_file" >&6;} sed 's/^/| /' "$ac_site_file" >&5 . "$ac_site_file" \ || { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} as_fn_error $? "failed to load site script $ac_site_file See \`config.log' for more details" "$LINENO" 5; } fi done if test -r "$cache_file"; then # Some versions of bash will fail to source /dev/null (special files # actually), so we avoid doing that. DJGPP emulates it as a regular file. if test /dev/null != "$cache_file" && test -f "$cache_file"; then { $as_echo "$as_me:${as_lineno-$LINENO}: loading cache $cache_file" >&5 $as_echo "$as_me: loading cache $cache_file" >&6;} case $cache_file in [\\/]* | ?:[\\/]* ) . "$cache_file";; *) . "./$cache_file";; esac fi else { $as_echo "$as_me:${as_lineno-$LINENO}: creating cache $cache_file" >&5 $as_echo "$as_me: creating cache $cache_file" >&6;} >$cache_file fi # Check that the precious variables saved in the cache have kept the same # value. ac_cache_corrupted=false for ac_var in $ac_precious_vars; do eval ac_old_set=\$ac_cv_env_${ac_var}_set eval ac_new_set=\$ac_env_${ac_var}_set eval ac_old_val=\$ac_cv_env_${ac_var}_value eval ac_new_val=\$ac_env_${ac_var}_value case $ac_old_set,$ac_new_set in set,) { $as_echo "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&5 $as_echo "$as_me: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&2;} ac_cache_corrupted=: ;; ,set) { $as_echo "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' was not set in the previous run" >&5 $as_echo "$as_me: error: \`$ac_var' was not set in the previous run" >&2;} ac_cache_corrupted=: ;; ,);; *) if test "x$ac_old_val" != "x$ac_new_val"; then # differences in whitespace do not lead to failure. ac_old_val_w=`echo x $ac_old_val` ac_new_val_w=`echo x $ac_new_val` if test "$ac_old_val_w" != "$ac_new_val_w"; then { $as_echo "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' has changed since the previous run:" >&5 $as_echo "$as_me: error: \`$ac_var' has changed since the previous run:" >&2;} ac_cache_corrupted=: else { $as_echo "$as_me:${as_lineno-$LINENO}: warning: ignoring whitespace changes in \`$ac_var' since the previous run:" >&5 $as_echo "$as_me: warning: ignoring whitespace changes in \`$ac_var' since the previous run:" >&2;} eval $ac_var=\$ac_old_val fi { $as_echo "$as_me:${as_lineno-$LINENO}: former value: \`$ac_old_val'" >&5 $as_echo "$as_me: former value: \`$ac_old_val'" >&2;} { $as_echo "$as_me:${as_lineno-$LINENO}: current value: \`$ac_new_val'" >&5 $as_echo "$as_me: current value: \`$ac_new_val'" >&2;} fi;; esac # Pass precious variables to config.status. if test "$ac_new_set" = set; then case $ac_new_val in *\'*) ac_arg=$ac_var=`$as_echo "$ac_new_val" | sed "s/'/'\\\\\\\\''/g"` ;; *) ac_arg=$ac_var=$ac_new_val ;; esac case " $ac_configure_args " in *" '$ac_arg' "*) ;; # Avoid dups. Use of quotes ensures accuracy. *) as_fn_append ac_configure_args " '$ac_arg'" ;; esac fi done if $ac_cache_corrupted; then { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} { $as_echo "$as_me:${as_lineno-$LINENO}: error: changes in the environment can compromise the build" >&5 $as_echo "$as_me: error: changes in the environment can compromise the build" >&2;} as_fn_error $? "run \`make distclean' and/or \`rm $cache_file' and start over" "$LINENO" 5 fi ## -------------------- ## ## Main body of script. ## ## -------------------- ## ac_ext=c ac_cpp='$CPP $CPPFLAGS' ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_c_compiler_gnu if test -z "${docdir}"; then docdir="\$(datadir)/doc/\$(PACKAGE_NAME)" fi if test -z "${htmldir}"; then htmldir="\$(docdir)" fi $as_echo "#define OPENVPN_VERSION_RESOURCE 2,4,4,0" >>confdefs.h OPENVPN_VERSION_MAJOR=2 OPENVPN_VERSION_MINOR=4 OPENVPN_VERSION_PATCH=.4 $as_echo "#define OPENVPN_VERSION_MAJOR 2" >>confdefs.h $as_echo "#define OPENVPN_VERSION_MINOR 4" >>confdefs.h $as_echo "#define OPENVPN_VERSION_PATCH \".4\"" >>confdefs.h ac_aux_dir= for ac_dir in . "$srcdir"/.; do if test -f "$ac_dir/install-sh"; then ac_aux_dir=$ac_dir ac_install_sh="$ac_aux_dir/install-sh -c" break elif test -f "$ac_dir/install.sh"; then ac_aux_dir=$ac_dir ac_install_sh="$ac_aux_dir/install.sh -c" break elif test -f "$ac_dir/shtool"; then ac_aux_dir=$ac_dir ac_install_sh="$ac_aux_dir/shtool install -c" break fi done if test -z "$ac_aux_dir"; then as_fn_error $? "cannot find install-sh, install.sh, or shtool in . \"$srcdir\"/." "$LINENO" 5 fi # These three variables are undocumented and unsupported, # and are intended to be withdrawn in a future Autoconf release. # They can cause serious problems if a builder's source tree is in a directory # whose full name contains unusual characters. ac_config_guess="$SHELL $ac_aux_dir/config.guess" # Please don't use this var. ac_config_sub="$SHELL $ac_aux_dir/config.sub" # Please don't use this var. ac_configure="$SHELL $ac_aux_dir/configure" # Please don't use this var. ac_config_headers="$ac_config_headers config.h include/openvpn-plugin.h" am__api_version='1.14' # Find a good install program. We prefer a C program (faster), # so one script is as good as another. But avoid the broken or # incompatible versions: # SysV /etc/install, /usr/sbin/install # SunOS /usr/etc/install # IRIX /sbin/install # AIX /bin/install # AmigaOS /C/install, which installs bootblocks on floppy discs # AIX 4 /usr/bin/installbsd, which doesn't work without a -g flag # AFS /usr/afsws/bin/install, which mishandles nonexistent args # SVR4 /usr/ucb/install, which tries to use the nonexistent group "staff" # OS/2's system install, which has a completely different semantic # ./install, which can be erroneously created by make from ./install.sh. # Reject install programs that cannot install multiple files. { $as_echo "$as_me:${as_lineno-$LINENO}: checking for a BSD-compatible install" >&5 $as_echo_n "checking for a BSD-compatible install... " >&6; } if test -z "$INSTALL"; then if ${ac_cv_path_install+:} false; then : $as_echo_n "(cached) " >&6 else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. # Account for people who put trailing slashes in PATH elements. case $as_dir/ in #(( ./ | .// | /[cC]/* | \ /etc/* | /usr/sbin/* | /usr/etc/* | /sbin/* | /usr/afsws/bin/* | \ ?:[\\/]os2[\\/]install[\\/]* | ?:[\\/]OS2[\\/]INSTALL[\\/]* | \ /usr/ucb/* ) ;; *) # OSF1 and SCO ODT 3.0 have their own names for install. # Don't use installbsd from OSF since it installs stuff as root # by default. for ac_prog in ginstall scoinst install; do for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_prog$ac_exec_ext"; then if test $ac_prog = install && grep dspmsg "$as_dir/$ac_prog$ac_exec_ext" >/dev/null 2>&1; then # AIX install. It has an incompatible calling convention. : elif test $ac_prog = install && grep pwplus "$as_dir/$ac_prog$ac_exec_ext" >/dev/null 2>&1; then # program-specific install script used by HP pwplus--don't use. : else rm -rf conftest.one conftest.two conftest.dir echo one > conftest.one echo two > conftest.two mkdir conftest.dir if "$as_dir/$ac_prog$ac_exec_ext" -c conftest.one conftest.two "`pwd`/conftest.dir" && test -s conftest.one && test -s conftest.two && test -s conftest.dir/conftest.one && test -s conftest.dir/conftest.two then ac_cv_path_install="$as_dir/$ac_prog$ac_exec_ext -c" break 3 fi fi fi done done ;; esac done IFS=$as_save_IFS rm -rf conftest.one conftest.two conftest.dir fi if test "${ac_cv_path_install+set}" = set; then INSTALL=$ac_cv_path_install else # As a last resort, use the slow shell script. Don't cache a # value for INSTALL within a source directory, because that will # break other packages using the cache if that directory is # removed, or if the value is a relative name. INSTALL=$ac_install_sh fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $INSTALL" >&5 $as_echo "$INSTALL" >&6; } # Use test -z because SunOS4 sh mishandles braces in ${var-val}. # It thinks the first close brace ends the variable substitution. test -z "$INSTALL_PROGRAM" && INSTALL_PROGRAM='${INSTALL}' test -z "$INSTALL_SCRIPT" && INSTALL_SCRIPT='${INSTALL}' test -z "$INSTALL_DATA" && INSTALL_DATA='${INSTALL} -m 644' { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether build environment is sane" >&5 $as_echo_n "checking whether build environment is sane... " >&6; } # Reject unsafe characters in $srcdir or the absolute working directory # name. Accept space and tab only in the latter. am_lf=' ' case `pwd` in *[\\\"\#\$\&\'\`$am_lf]*) as_fn_error $? "unsafe absolute working directory name" "$LINENO" 5;; esac case $srcdir in *[\\\"\#\$\&\'\`$am_lf\ \ ]*) as_fn_error $? "unsafe srcdir value: '$srcdir'" "$LINENO" 5;; esac # Do 'set' in a subshell so we don't clobber the current shell's # arguments. Must try -L first in case configure is actually a # symlink; some systems play weird games with the mod time of symlinks # (eg FreeBSD returns the mod time of the symlink's containing # directory). if ( am_has_slept=no for am_try in 1 2; do echo "timestamp, slept: $am_has_slept" > conftest.file set X `ls -Lt "$srcdir/configure" conftest.file 2> /dev/null` if test "$*" = "X"; then # -L didn't work. set X `ls -t "$srcdir/configure" conftest.file` fi if test "$*" != "X $srcdir/configure conftest.file" \ && test "$*" != "X conftest.file $srcdir/configure"; then # If neither matched, then we have a broken ls. This can happen # if, for instance, CONFIG_SHELL is bash and it inherits a # broken ls alias from the environment. This has actually # happened. Such a system could not be considered "sane". as_fn_error $? "ls -t appears to fail. Make sure there is not a broken alias in your environment" "$LINENO" 5 fi if test "$2" = conftest.file || test $am_try -eq 2; then break fi # Just in case. sleep 1 am_has_slept=yes done test "$2" = conftest.file ) then # Ok. : else as_fn_error $? "newly created file is older than distributed files! Check your system clock" "$LINENO" 5 fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 $as_echo "yes" >&6; } # If we didn't sleep, we still need to ensure time stamps of config.status and # generated files are strictly newer. am_sleep_pid= if grep 'slept: no' conftest.file >/dev/null 2>&1; then ( sleep 1 ) & am_sleep_pid=$! fi rm -f conftest.file test "$program_prefix" != NONE && program_transform_name="s&^&$program_prefix&;$program_transform_name" # Use a double $ so make ignores it. test "$program_suffix" != NONE && program_transform_name="s&\$&$program_suffix&;$program_transform_name" # Double any \ or $. # By default was `s,x,x', remove it if useless. ac_script='s/[\\$]/&&/g;s/;s,x,x,$//' program_transform_name=`$as_echo "$program_transform_name" | sed "$ac_script"` # Expand $ac_aux_dir to an absolute path. am_aux_dir=`cd "$ac_aux_dir" && pwd` if test x"${MISSING+set}" != xset; then case $am_aux_dir in *\ * | *\ *) MISSING="\${SHELL} \"$am_aux_dir/missing\"" ;; *) MISSING="\${SHELL} $am_aux_dir/missing" ;; esac fi # Use eval to expand $SHELL if eval "$MISSING --is-lightweight"; then am_missing_run="$MISSING " else am_missing_run= { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: 'missing' script is too old or missing" >&5 $as_echo "$as_me: WARNING: 'missing' script is too old or missing" >&2;} fi if test x"${install_sh}" != xset; then case $am_aux_dir in *\ * | *\ *) install_sh="\${SHELL} '$am_aux_dir/install-sh'" ;; *) install_sh="\${SHELL} $am_aux_dir/install-sh" esac fi # Installed binaries are usually stripped using 'strip' when the user # run "make install-strip". However 'strip' might not be the right # tool to use in cross-compilation environments, therefore Automake # will honor the 'STRIP' environment variable to overrule this program. if test "$cross_compiling" != no; then if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}strip", so it can be a program name with args. set dummy ${ac_tool_prefix}strip; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_STRIP+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$STRIP"; then ac_cv_prog_STRIP="$STRIP" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_STRIP="${ac_tool_prefix}strip" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi STRIP=$ac_cv_prog_STRIP if test -n "$STRIP"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $STRIP" >&5 $as_echo "$STRIP" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi fi if test -z "$ac_cv_prog_STRIP"; then ac_ct_STRIP=$STRIP # Extract the first word of "strip", so it can be a program name with args. set dummy strip; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_ac_ct_STRIP+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$ac_ct_STRIP"; then ac_cv_prog_ac_ct_STRIP="$ac_ct_STRIP" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_ac_ct_STRIP="strip" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi ac_ct_STRIP=$ac_cv_prog_ac_ct_STRIP if test -n "$ac_ct_STRIP"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_STRIP" >&5 $as_echo "$ac_ct_STRIP" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi if test "x$ac_ct_STRIP" = x; then STRIP=":" else case $cross_compiling:$ac_tool_warned in yes:) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 $as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac STRIP=$ac_ct_STRIP fi else STRIP="$ac_cv_prog_STRIP" fi fi INSTALL_STRIP_PROGRAM="\$(install_sh) -c -s" { $as_echo "$as_me:${as_lineno-$LINENO}: checking for a thread-safe mkdir -p" >&5 $as_echo_n "checking for a thread-safe mkdir -p... " >&6; } if test -z "$MKDIR_P"; then if ${ac_cv_path_mkdir+:} false; then : $as_echo_n "(cached) " >&6 else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH$PATH_SEPARATOR/opt/sfw/bin do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_prog in mkdir gmkdir; do for ac_exec_ext in '' $ac_executable_extensions; do as_fn_executable_p "$as_dir/$ac_prog$ac_exec_ext" || continue case `"$as_dir/$ac_prog$ac_exec_ext" --version 2>&1` in #( 'mkdir (GNU coreutils) '* | \ 'mkdir (coreutils) '* | \ 'mkdir (fileutils) '4.1*) ac_cv_path_mkdir=$as_dir/$ac_prog$ac_exec_ext break 3;; esac done done done IFS=$as_save_IFS fi test -d ./--version && rmdir ./--version if test "${ac_cv_path_mkdir+set}" = set; then MKDIR_P="$ac_cv_path_mkdir -p" else # As a last resort, use the slow shell script. Don't cache a # value for MKDIR_P within a source directory, because that will # break other packages using the cache if that directory is # removed, or if the value is a relative name. MKDIR_P="$ac_install_sh -d" fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $MKDIR_P" >&5 $as_echo "$MKDIR_P" >&6; } for ac_prog in gawk mawk nawk awk do # Extract the first word of "$ac_prog", so it can be a program name with args. set dummy $ac_prog; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_AWK+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$AWK"; then ac_cv_prog_AWK="$AWK" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_AWK="$ac_prog" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi AWK=$ac_cv_prog_AWK if test -n "$AWK"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $AWK" >&5 $as_echo "$AWK" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi test -n "$AWK" && break done { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether ${MAKE-make} sets \$(MAKE)" >&5 $as_echo_n "checking whether ${MAKE-make} sets \$(MAKE)... " >&6; } set x ${MAKE-make} ac_make=`$as_echo "$2" | sed 's/+/p/g; s/[^a-zA-Z0-9_]/_/g'` if eval \${ac_cv_prog_make_${ac_make}_set+:} false; then : $as_echo_n "(cached) " >&6 else cat >conftest.make <<\_ACEOF SHELL = /bin/sh all: @echo '@@@%%%=$(MAKE)=@@@%%%' _ACEOF # GNU make sometimes prints "make[1]: Entering ...", which would confuse us. case `${MAKE-make} -f conftest.make 2>/dev/null` in *@@@%%%=?*=@@@%%%*) eval ac_cv_prog_make_${ac_make}_set=yes;; *) eval ac_cv_prog_make_${ac_make}_set=no;; esac rm -f conftest.make fi if eval test \$ac_cv_prog_make_${ac_make}_set = yes; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 $as_echo "yes" >&6; } SET_MAKE= else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } SET_MAKE="MAKE=${MAKE-make}" fi rm -rf .tst 2>/dev/null mkdir .tst 2>/dev/null if test -d .tst; then am__leading_dot=. else am__leading_dot=_ fi rmdir .tst 2>/dev/null # Check whether --enable-silent-rules was given. if test "${enable_silent_rules+set}" = set; then : enableval=$enable_silent_rules; fi case $enable_silent_rules in # ((( yes) AM_DEFAULT_VERBOSITY=0;; no) AM_DEFAULT_VERBOSITY=1;; *) AM_DEFAULT_VERBOSITY=1;; esac am_make=${MAKE-make} { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $am_make supports nested variables" >&5 $as_echo_n "checking whether $am_make supports nested variables... " >&6; } if ${am_cv_make_support_nested_variables+:} false; then : $as_echo_n "(cached) " >&6 else if $as_echo 'TRUE=$(BAR$(V)) BAR0=false BAR1=true V=1 am__doit: @$(TRUE) .PHONY: am__doit' | $am_make -f - >/dev/null 2>&1; then am_cv_make_support_nested_variables=yes else am_cv_make_support_nested_variables=no fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $am_cv_make_support_nested_variables" >&5 $as_echo "$am_cv_make_support_nested_variables" >&6; } if test $am_cv_make_support_nested_variables = yes; then AM_V='$(V)' AM_DEFAULT_V='$(AM_DEFAULT_VERBOSITY)' else AM_V=$AM_DEFAULT_VERBOSITY AM_DEFAULT_V=$AM_DEFAULT_VERBOSITY fi AM_BACKSLASH='\' if test "`cd $srcdir && pwd`" != "`pwd`"; then # Use -I$(srcdir) only when $(srcdir) != ., so that make's output # is not polluted with repeated "-I." am__isrc=' -I$(srcdir)' # test to see if srcdir already configured if test -f $srcdir/config.status; then as_fn_error $? "source directory already configured; run \"make distclean\" there first" "$LINENO" 5 fi fi # test whether we have cygpath if test -z "$CYGPATH_W"; then if (cygpath --version) >/dev/null 2>/dev/null; then CYGPATH_W='cygpath -w' else CYGPATH_W=echo fi fi # Define the identity of the package. PACKAGE='openvpn' VERSION='2.4.4' cat >>confdefs.h <<_ACEOF #define PACKAGE "$PACKAGE" _ACEOF cat >>confdefs.h <<_ACEOF #define VERSION "$VERSION" _ACEOF # Some tools Automake needs. ACLOCAL=${ACLOCAL-"${am_missing_run}aclocal-${am__api_version}"} AUTOCONF=${AUTOCONF-"${am_missing_run}autoconf"} AUTOMAKE=${AUTOMAKE-"${am_missing_run}automake-${am__api_version}"} AUTOHEADER=${AUTOHEADER-"${am_missing_run}autoheader"} MAKEINFO=${MAKEINFO-"${am_missing_run}makeinfo"} # For better backward compatibility. To be removed once Automake 1.9.x # dies out for good. For more background, see: # # mkdir_p='$(MKDIR_P)' # We need awk for the "check" target. The system "awk" is bad on # some platforms. # Always define AMTAR for backward compatibility. Yes, it's still used # in the wild :-( We should find a proper way to deprecate it ... AMTAR='$${TAR-tar}' # We'll loop over all known methods to create a tar archive until one works. _am_tools='gnutar pax cpio none' am__tar='$${TAR-tar} chof - "$$tardir"' am__untar='$${TAR-tar} xf -' # POSIX will say in a future version that running "rm -f" with no argument # is OK; and we want to be able to make that assumption in our Makefile # recipes. So use an aggressive probe to check that the usage we want is # actually supported "in the wild" to an acceptable degree. # See automake bug#10828. # To make any issue more visible, cause the running configure to be aborted # by default if the 'rm' program in use doesn't match our expectations; the # user can still override this though. if rm -f && rm -fr && rm -rf; then : OK; else cat >&2 <<'END' Oops! Your 'rm' program seems unable to run without file operands specified on the command line, even when the '-f' option is present. This is contrary to the behaviour of most rm programs out there, and not conforming with the upcoming POSIX standard: Please tell bug-automake@gnu.org about your system, including the value of your $PATH and any error possibly output before this message. This can help us improve future automake versions. END if test x"$ACCEPT_INFERIOR_RM_PROGRAM" = x"yes"; then echo 'Configuration will proceed anyway, since you have set the' >&2 echo 'ACCEPT_INFERIOR_RM_PROGRAM variable to "yes"' >&2 echo >&2 else cat >&2 <<'END' Aborting the configuration process, to ensure you take notice of the issue. You can download and install GNU coreutils to get an 'rm' implementation that behaves properly: . If you want to complete the configuration process using your problematic 'rm' anyway, export the environment variable ACCEPT_INFERIOR_RM_PROGRAM to "yes", and re-run configure. END as_fn_error $? "Your 'rm' program is bad, sorry." "$LINENO" 5 fi fi # Make sure we can run config.sub. $SHELL "$ac_aux_dir/config.sub" sun4 >/dev/null 2>&1 || as_fn_error $? "cannot run $SHELL $ac_aux_dir/config.sub" "$LINENO" 5 { $as_echo "$as_me:${as_lineno-$LINENO}: checking build system type" >&5 $as_echo_n "checking build system type... " >&6; } if ${ac_cv_build+:} false; then : $as_echo_n "(cached) " >&6 else ac_build_alias=$build_alias test "x$ac_build_alias" = x && ac_build_alias=`$SHELL "$ac_aux_dir/config.guess"` test "x$ac_build_alias" = x && as_fn_error $? "cannot guess build type; you must specify one" "$LINENO" 5 ac_cv_build=`$SHELL "$ac_aux_dir/config.sub" $ac_build_alias` || as_fn_error $? "$SHELL $ac_aux_dir/config.sub $ac_build_alias failed" "$LINENO" 5 fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_build" >&5 $as_echo "$ac_cv_build" >&6; } case $ac_cv_build in *-*-*) ;; *) as_fn_error $? "invalid value of canonical build" "$LINENO" 5;; esac build=$ac_cv_build ac_save_IFS=$IFS; IFS='-' set x $ac_cv_build shift build_cpu=$1 build_vendor=$2 shift; shift # Remember, the first character of IFS is used to create $*, # except with old shells: build_os=$* IFS=$ac_save_IFS case $build_os in *\ *) build_os=`echo "$build_os" | sed 's/ /-/g'`;; esac { $as_echo "$as_me:${as_lineno-$LINENO}: checking host system type" >&5 $as_echo_n "checking host system type... " >&6; } if ${ac_cv_host+:} false; then : $as_echo_n "(cached) " >&6 else if test "x$host_alias" = x; then ac_cv_host=$ac_cv_build else ac_cv_host=`$SHELL "$ac_aux_dir/config.sub" $host_alias` || as_fn_error $? "$SHELL $ac_aux_dir/config.sub $host_alias failed" "$LINENO" 5 fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_host" >&5 $as_echo "$ac_cv_host" >&6; } case $ac_cv_host in *-*-*) ;; *) as_fn_error $? "invalid value of canonical host" "$LINENO" 5;; esac host=$ac_cv_host ac_save_IFS=$IFS; IFS='-' set x $ac_cv_host shift host_cpu=$1 host_vendor=$2 shift; shift # Remember, the first character of IFS is used to create $*, # except with old shells: host_os=$* IFS=$ac_save_IFS case $host_os in *\ *) host_os=`echo "$host_os" | sed 's/ /-/g'`;; esac DEPDIR="${am__leading_dot}deps" ac_config_commands="$ac_config_commands depfiles" am_make=${MAKE-make} cat > confinc << 'END' am__doit: @echo this is the am__doit target .PHONY: am__doit END # If we don't find an include directive, just comment out the code. { $as_echo "$as_me:${as_lineno-$LINENO}: checking for style of include used by $am_make" >&5 $as_echo_n "checking for style of include used by $am_make... " >&6; } am__include="#" am__quote= _am_result=none # First try GNU make style include. echo "include confinc" > confmf # Ignore all kinds of additional output from 'make'. case `$am_make -s -f confmf 2> /dev/null` in #( *the\ am__doit\ target*) am__include=include am__quote= _am_result=GNU ;; esac # Now try BSD make style include. if test "$am__include" = "#"; then echo '.include "confinc"' > confmf case `$am_make -s -f confmf 2> /dev/null` in #( *the\ am__doit\ target*) am__include=.include am__quote="\"" _am_result=BSD ;; esac fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $_am_result" >&5 $as_echo "$_am_result" >&6; } rm -f confinc confmf # Check whether --enable-dependency-tracking was given. if test "${enable_dependency_tracking+set}" = set; then : enableval=$enable_dependency_tracking; fi if test "x$enable_dependency_tracking" != xno; then am_depcomp="$ac_aux_dir/depcomp" AMDEPBACKSLASH='\' am__nodep='_no' fi if test "x$enable_dependency_tracking" != xno; then AMDEP_TRUE= AMDEP_FALSE='#' else AMDEP_TRUE='#' AMDEP_FALSE= fi ac_ext=c ac_cpp='$CPP $CPPFLAGS' ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_c_compiler_gnu if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}gcc", so it can be a program name with args. set dummy ${ac_tool_prefix}gcc; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_CC+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$CC"; then ac_cv_prog_CC="$CC" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_CC="${ac_tool_prefix}gcc" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi CC=$ac_cv_prog_CC if test -n "$CC"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 $as_echo "$CC" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi fi if test -z "$ac_cv_prog_CC"; then ac_ct_CC=$CC # Extract the first word of "gcc", so it can be a program name with args. set dummy gcc; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_ac_ct_CC+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$ac_ct_CC"; then ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_ac_ct_CC="gcc" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi ac_ct_CC=$ac_cv_prog_ac_ct_CC if test -n "$ac_ct_CC"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_CC" >&5 $as_echo "$ac_ct_CC" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi if test "x$ac_ct_CC" = x; then CC="" else case $cross_compiling:$ac_tool_warned in yes:) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 $as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac CC=$ac_ct_CC fi else CC="$ac_cv_prog_CC" fi if test -z "$CC"; then if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}cc", so it can be a program name with args. set dummy ${ac_tool_prefix}cc; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_CC+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$CC"; then ac_cv_prog_CC="$CC" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_CC="${ac_tool_prefix}cc" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi CC=$ac_cv_prog_CC if test -n "$CC"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 $as_echo "$CC" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi fi fi if test -z "$CC"; then # Extract the first word of "cc", so it can be a program name with args. set dummy cc; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_CC+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$CC"; then ac_cv_prog_CC="$CC" # Let the user override the test. else ac_prog_rejected=no as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then if test "$as_dir/$ac_word$ac_exec_ext" = "/usr/ucb/cc"; then ac_prog_rejected=yes continue fi ac_cv_prog_CC="cc" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS if test $ac_prog_rejected = yes; then # We found a bogon in the path, so make sure we never use it. set dummy $ac_cv_prog_CC shift if test $# != 0; then # We chose a different compiler from the bogus one. # However, it has the same basename, so the bogon will be chosen # first if we set CC to just the basename; use the full file name. shift ac_cv_prog_CC="$as_dir/$ac_word${1+' '}$@" fi fi fi fi CC=$ac_cv_prog_CC if test -n "$CC"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 $as_echo "$CC" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi fi if test -z "$CC"; then if test -n "$ac_tool_prefix"; then for ac_prog in cl.exe do # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args. set dummy $ac_tool_prefix$ac_prog; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_CC+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$CC"; then ac_cv_prog_CC="$CC" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_CC="$ac_tool_prefix$ac_prog" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi CC=$ac_cv_prog_CC if test -n "$CC"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 $as_echo "$CC" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi test -n "$CC" && break done fi if test -z "$CC"; then ac_ct_CC=$CC for ac_prog in cl.exe do # Extract the first word of "$ac_prog", so it can be a program name with args. set dummy $ac_prog; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_ac_ct_CC+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$ac_ct_CC"; then ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_ac_ct_CC="$ac_prog" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi ac_ct_CC=$ac_cv_prog_ac_ct_CC if test -n "$ac_ct_CC"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_CC" >&5 $as_echo "$ac_ct_CC" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi test -n "$ac_ct_CC" && break done if test "x$ac_ct_CC" = x; then CC="" else case $cross_compiling:$ac_tool_warned in yes:) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 $as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac CC=$ac_ct_CC fi fi fi test -z "$CC" && { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} as_fn_error $? "no acceptable C compiler found in \$PATH See \`config.log' for more details" "$LINENO" 5; } # Provide some information about the compiler. $as_echo "$as_me:${as_lineno-$LINENO}: checking for C compiler version" >&5 set X $ac_compile ac_compiler=$2 for ac_option in --version -v -V -qversion; do { { ac_try="$ac_compiler $ac_option >&5" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" $as_echo "$ac_try_echo"; } >&5 (eval "$ac_compiler $ac_option >&5") 2>conftest.err ac_status=$? if test -s conftest.err; then sed '10a\ ... rest of stderr output deleted ... 10q' conftest.err >conftest.er1 cat conftest.er1 >&5 fi rm -f conftest.er1 conftest.err $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; } done cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main () { ; return 0; } _ACEOF ac_clean_files_save=$ac_clean_files ac_clean_files="$ac_clean_files a.out a.out.dSYM a.exe b.out" # Try to create an executable without -o first, disregard a.out. # It will help us diagnose broken compilers, and finding out an intuition # of exeext. { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the C compiler works" >&5 $as_echo_n "checking whether the C compiler works... " >&6; } ac_link_default=`$as_echo "$ac_link" | sed 's/ -o *conftest[^ ]*//'` # The possible output files: ac_files="a.out conftest.exe conftest a.exe a_out.exe b.out conftest.*" ac_rmfiles= for ac_file in $ac_files do case $ac_file in *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) ;; * ) ac_rmfiles="$ac_rmfiles $ac_file";; esac done rm -f $ac_rmfiles if { { ac_try="$ac_link_default" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" $as_echo "$ac_try_echo"; } >&5 (eval "$ac_link_default") 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; then : # Autoconf-2.13 could set the ac_cv_exeext variable to `no'. # So ignore a value of `no', otherwise this would lead to `EXEEXT = no' # in a Makefile. We should not override ac_cv_exeext if it was cached, # so that the user can short-circuit this test for compilers unknown to # Autoconf. for ac_file in $ac_files '' do test -f "$ac_file" || continue case $ac_file in *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) ;; [ab].out ) # We found the default executable, but exeext='' is most # certainly right. break;; *.* ) if test "${ac_cv_exeext+set}" = set && test "$ac_cv_exeext" != no; then :; else ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'` fi # We set ac_cv_exeext here because the later test for it is not # safe: cross compilers may not add the suffix if given an `-o' # argument, so we may need to know it at that point already. # Even if this section looks crufty: it has the advantage of # actually working. break;; * ) break;; esac done test "$ac_cv_exeext" = no && ac_cv_exeext= else ac_file='' fi if test -z "$ac_file"; then : { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} as_fn_error 77 "C compiler cannot create executables See \`config.log' for more details" "$LINENO" 5; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 $as_echo "yes" >&6; } fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking for C compiler default output file name" >&5 $as_echo_n "checking for C compiler default output file name... " >&6; } { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_file" >&5 $as_echo "$ac_file" >&6; } ac_exeext=$ac_cv_exeext rm -f -r a.out a.out.dSYM a.exe conftest$ac_cv_exeext b.out ac_clean_files=$ac_clean_files_save { $as_echo "$as_me:${as_lineno-$LINENO}: checking for suffix of executables" >&5 $as_echo_n "checking for suffix of executables... " >&6; } if { { ac_try="$ac_link" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" $as_echo "$ac_try_echo"; } >&5 (eval "$ac_link") 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; then : # If both `conftest.exe' and `conftest' are `present' (well, observable) # catch `conftest.exe'. For instance with Cygwin, `ls conftest' will # work properly (i.e., refer to `conftest.exe'), while it won't with # `rm'. for ac_file in conftest.exe conftest conftest.*; do test -f "$ac_file" || continue case $ac_file in *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) ;; *.* ) ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'` break;; * ) break;; esac done else { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} as_fn_error $? "cannot compute suffix of executables: cannot compile and link See \`config.log' for more details" "$LINENO" 5; } fi rm -f conftest conftest$ac_cv_exeext { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_exeext" >&5 $as_echo "$ac_cv_exeext" >&6; } rm -f conftest.$ac_ext EXEEXT=$ac_cv_exeext ac_exeext=$EXEEXT cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include int main () { FILE *f = fopen ("conftest.out", "w"); return ferror (f) || fclose (f) != 0; ; return 0; } _ACEOF ac_clean_files="$ac_clean_files conftest.out" # Check that the compiler produces executables we can run. If not, either # the compiler is broken, or we cross compile. { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we are cross compiling" >&5 $as_echo_n "checking whether we are cross compiling... " >&6; } if test "$cross_compiling" != yes; then { { ac_try="$ac_link" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" $as_echo "$ac_try_echo"; } >&5 (eval "$ac_link") 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; } if { ac_try='./conftest$ac_cv_exeext' { { case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" $as_echo "$ac_try_echo"; } >&5 (eval "$ac_try") 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; }; then cross_compiling=no else if test "$cross_compiling" = maybe; then cross_compiling=yes else { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} as_fn_error $? "cannot run C compiled programs. If you meant to cross compile, use \`--host'. See \`config.log' for more details" "$LINENO" 5; } fi fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $cross_compiling" >&5 $as_echo "$cross_compiling" >&6; } rm -f conftest.$ac_ext conftest$ac_cv_exeext conftest.out ac_clean_files=$ac_clean_files_save { $as_echo "$as_me:${as_lineno-$LINENO}: checking for suffix of object files" >&5 $as_echo_n "checking for suffix of object files... " >&6; } if ${ac_cv_objext+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main () { ; return 0; } _ACEOF rm -f conftest.o conftest.obj if { { ac_try="$ac_compile" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" $as_echo "$ac_try_echo"; } >&5 (eval "$ac_compile") 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; then : for ac_file in conftest.o conftest.obj conftest.*; do test -f "$ac_file" || continue; case $ac_file in *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM ) ;; *) ac_cv_objext=`expr "$ac_file" : '.*\.\(.*\)'` break;; esac done else $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} as_fn_error $? "cannot compute suffix of object files: cannot compile See \`config.log' for more details" "$LINENO" 5; } fi rm -f conftest.$ac_cv_objext conftest.$ac_ext fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_objext" >&5 $as_echo "$ac_cv_objext" >&6; } OBJEXT=$ac_cv_objext ac_objext=$OBJEXT { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we are using the GNU C compiler" >&5 $as_echo_n "checking whether we are using the GNU C compiler... " >&6; } if ${ac_cv_c_compiler_gnu+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main () { #ifndef __GNUC__ choke me #endif ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ac_compiler_gnu=yes else ac_compiler_gnu=no fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext ac_cv_c_compiler_gnu=$ac_compiler_gnu fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_compiler_gnu" >&5 $as_echo "$ac_cv_c_compiler_gnu" >&6; } if test $ac_compiler_gnu = yes; then GCC=yes else GCC= fi ac_test_CFLAGS=${CFLAGS+set} ac_save_CFLAGS=$CFLAGS { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $CC accepts -g" >&5 $as_echo_n "checking whether $CC accepts -g... " >&6; } if ${ac_cv_prog_cc_g+:} false; then : $as_echo_n "(cached) " >&6 else ac_save_c_werror_flag=$ac_c_werror_flag ac_c_werror_flag=yes ac_cv_prog_cc_g=no CFLAGS="-g" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main () { ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ac_cv_prog_cc_g=yes else CFLAGS="" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main () { ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : else ac_c_werror_flag=$ac_save_c_werror_flag CFLAGS="-g" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main () { ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ac_cv_prog_cc_g=yes fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext ac_c_werror_flag=$ac_save_c_werror_flag fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_g" >&5 $as_echo "$ac_cv_prog_cc_g" >&6; } if test "$ac_test_CFLAGS" = set; then CFLAGS=$ac_save_CFLAGS elif test $ac_cv_prog_cc_g = yes; then if test "$GCC" = yes; then CFLAGS="-g -O2" else CFLAGS="-g" fi else if test "$GCC" = yes; then CFLAGS="-O2" else CFLAGS= fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $CC option to accept ISO C89" >&5 $as_echo_n "checking for $CC option to accept ISO C89... " >&6; } if ${ac_cv_prog_cc_c89+:} false; then : $as_echo_n "(cached) " >&6 else ac_cv_prog_cc_c89=no ac_save_CC=$CC cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include #include struct stat; /* Most of the following tests are stolen from RCS 5.7's src/conf.sh. */ struct buf { int x; }; FILE * (*rcsopen) (struct buf *, struct stat *, int); static char *e (p, i) char **p; int i; { return p[i]; } static char *f (char * (*g) (char **, int), char **p, ...) { char *s; va_list v; va_start (v,p); s = g (p, va_arg (v,int)); va_end (v); return s; } /* OSF 4.0 Compaq cc is some sort of almost-ANSI by default. It has function prototypes and stuff, but not '\xHH' hex character constants. These don't provoke an error unfortunately, instead are silently treated as 'x'. The following induces an error, until -std is added to get proper ANSI mode. Curiously '\x00'!='x' always comes out true, for an array size at least. It's necessary to write '\x00'==0 to get something that's true only with -std. */ int osf4_cc_array ['\x00' == 0 ? 1 : -1]; /* IBM C 6 for AIX is almost-ANSI by default, but it replaces macro parameters inside strings and character constants. */ #define FOO(x) 'x' int xlc6_cc_array[FOO(a) == 'x' ? 1 : -1]; int test (int i, double x); struct s1 {int (*f) (int a);}; struct s2 {int (*f) (double a);}; int pairnames (int, char **, FILE *(*)(struct buf *, struct stat *, int), int, int); int argc; char **argv; int main () { return f (e, argv, 0) != argv[0] || f (e, argv, 1) != argv[1]; ; return 0; } _ACEOF for ac_arg in '' -qlanglvl=extc89 -qlanglvl=ansi -std \ -Ae "-Aa -D_HPUX_SOURCE" "-Xc -D__EXTENSIONS__" do CC="$ac_save_CC $ac_arg" if ac_fn_c_try_compile "$LINENO"; then : ac_cv_prog_cc_c89=$ac_arg fi rm -f core conftest.err conftest.$ac_objext test "x$ac_cv_prog_cc_c89" != "xno" && break done rm -f conftest.$ac_ext CC=$ac_save_CC fi # AC_CACHE_VAL case "x$ac_cv_prog_cc_c89" in x) { $as_echo "$as_me:${as_lineno-$LINENO}: result: none needed" >&5 $as_echo "none needed" >&6; } ;; xno) { $as_echo "$as_me:${as_lineno-$LINENO}: result: unsupported" >&5 $as_echo "unsupported" >&6; } ;; *) CC="$CC $ac_cv_prog_cc_c89" { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_c89" >&5 $as_echo "$ac_cv_prog_cc_c89" >&6; } ;; esac if test "x$ac_cv_prog_cc_c89" != xno; then : fi ac_ext=c ac_cpp='$CPP $CPPFLAGS' ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_c_compiler_gnu ac_ext=c ac_cpp='$CPP $CPPFLAGS' ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_c_compiler_gnu { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $CC understands -c and -o together" >&5 $as_echo_n "checking whether $CC understands -c and -o together... " >&6; } if ${am_cv_prog_cc_c_o+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main () { ; return 0; } _ACEOF # Make sure it works both with $CC and with simple cc. # Following AC_PROG_CC_C_O, we do the test twice because some # compilers refuse to overwrite an existing .o file with -o, # though they will create one. am_cv_prog_cc_c_o=yes for am_i in 1 2; do if { echo "$as_me:$LINENO: $CC -c conftest.$ac_ext -o conftest2.$ac_objext" >&5 ($CC -c conftest.$ac_ext -o conftest2.$ac_objext) >&5 2>&5 ac_status=$? echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } \ && test -f conftest2.$ac_objext; then : OK else am_cv_prog_cc_c_o=no break fi done rm -f core conftest* unset am_i fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $am_cv_prog_cc_c_o" >&5 $as_echo "$am_cv_prog_cc_c_o" >&6; } if test "$am_cv_prog_cc_c_o" != yes; then # Losing compiler, so override with the script. # FIXME: It is wrong to rewrite CC. # But if we don't then we get into trouble of one sort or another. # A longer-term fix would be to have automake use am__CC in this case, # and then we could set am__CC="\$(top_srcdir)/compile \$(CC)" CC="$am_aux_dir/compile $CC" fi ac_ext=c ac_cpp='$CPP $CPPFLAGS' ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_c_compiler_gnu depcc="$CC" am_compiler_list= { $as_echo "$as_me:${as_lineno-$LINENO}: checking dependency style of $depcc" >&5 $as_echo_n "checking dependency style of $depcc... " >&6; } if ${am_cv_CC_dependencies_compiler_type+:} false; then : $as_echo_n "(cached) " >&6 else if test -z "$AMDEP_TRUE" && test -f "$am_depcomp"; then # We make a subdir and do the tests there. Otherwise we can end up # making bogus files that we don't know about and never remove. For # instance it was reported that on HP-UX the gcc test will end up # making a dummy file named 'D' -- because '-MD' means "put the output # in D". rm -rf conftest.dir mkdir conftest.dir # Copy depcomp to subdir because otherwise we won't find it if we're # using a relative directory. cp "$am_depcomp" conftest.dir cd conftest.dir # We will build objects and dependencies in a subdirectory because # it helps to detect inapplicable dependency modes. For instance # both Tru64's cc and ICC support -MD to output dependencies as a # side effect of compilation, but ICC will put the dependencies in # the current directory while Tru64 will put them in the object # directory. mkdir sub am_cv_CC_dependencies_compiler_type=none if test "$am_compiler_list" = ""; then am_compiler_list=`sed -n 's/^#*\([a-zA-Z0-9]*\))$/\1/p' < ./depcomp` fi am__universal=false case " $depcc " in #( *\ -arch\ *\ -arch\ *) am__universal=true ;; esac for depmode in $am_compiler_list; do # Setup a source with many dependencies, because some compilers # like to wrap large dependency lists on column 80 (with \), and # we should not choose a depcomp mode which is confused by this. # # We need to recreate these files for each test, as the compiler may # overwrite some of them when testing with obscure command lines. # This happens at least with the AIX C compiler. : > sub/conftest.c for i in 1 2 3 4 5 6; do echo '#include "conftst'$i'.h"' >> sub/conftest.c # Using ": > sub/conftst$i.h" creates only sub/conftst1.h with # Solaris 10 /bin/sh. echo '/* dummy */' > sub/conftst$i.h done echo "${am__include} ${am__quote}sub/conftest.Po${am__quote}" > confmf # We check with '-c' and '-o' for the sake of the "dashmstdout" # mode. It turns out that the SunPro C++ compiler does not properly # handle '-M -o', and we need to detect this. Also, some Intel # versions had trouble with output in subdirs. am__obj=sub/conftest.${OBJEXT-o} am__minus_obj="-o $am__obj" case $depmode in gcc) # This depmode causes a compiler race in universal mode. test "$am__universal" = false || continue ;; nosideeffect) # After this tag, mechanisms are not by side-effect, so they'll # only be used when explicitly requested. if test "x$enable_dependency_tracking" = xyes; then continue else break fi ;; msvc7 | msvc7msys | msvisualcpp | msvcmsys) # This compiler won't grok '-c -o', but also, the minuso test has # not run yet. These depmodes are late enough in the game, and # so weak that their functioning should not be impacted. am__obj=conftest.${OBJEXT-o} am__minus_obj= ;; none) break ;; esac if depmode=$depmode \ source=sub/conftest.c object=$am__obj \ depfile=sub/conftest.Po tmpdepfile=sub/conftest.TPo \ $SHELL ./depcomp $depcc -c $am__minus_obj sub/conftest.c \ >/dev/null 2>conftest.err && grep sub/conftst1.h sub/conftest.Po > /dev/null 2>&1 && grep sub/conftst6.h sub/conftest.Po > /dev/null 2>&1 && grep $am__obj sub/conftest.Po > /dev/null 2>&1 && ${MAKE-make} -s -f confmf > /dev/null 2>&1; then # icc doesn't choke on unknown options, it will just issue warnings # or remarks (even with -Werror). So we grep stderr for any message # that says an option was ignored or not supported. # When given -MP, icc 7.0 and 7.1 complain thusly: # icc: Command line warning: ignoring option '-M'; no argument required # The diagnosis changed in icc 8.0: # icc: Command line remark: option '-MP' not supported if (grep 'ignoring option' conftest.err || grep 'not supported' conftest.err) >/dev/null 2>&1; then :; else am_cv_CC_dependencies_compiler_type=$depmode break fi fi done cd .. rm -rf conftest.dir else am_cv_CC_dependencies_compiler_type=none fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $am_cv_CC_dependencies_compiler_type" >&5 $as_echo "$am_cv_CC_dependencies_compiler_type" >&6; } CCDEPMODE=depmode=$am_cv_CC_dependencies_compiler_type if test "x$enable_dependency_tracking" != xno \ && test "$am_cv_CC_dependencies_compiler_type" = gcc3; then am__fastdepCC_TRUE= am__fastdepCC_FALSE='#' else am__fastdepCC_TRUE='#' am__fastdepCC_FALSE= fi ac_ext=c ac_cpp='$CPP $CPPFLAGS' ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_c_compiler_gnu { $as_echo "$as_me:${as_lineno-$LINENO}: checking how to run the C preprocessor" >&5 $as_echo_n "checking how to run the C preprocessor... " >&6; } # On Suns, sometimes $CPP names a directory. if test -n "$CPP" && test -d "$CPP"; then CPP= fi if test -z "$CPP"; then if ${ac_cv_prog_CPP+:} false; then : $as_echo_n "(cached) " >&6 else # Double quotes because CPP needs to be expanded for CPP in "$CC -E" "$CC -E -traditional-cpp" "/lib/cpp" do ac_preproc_ok=false for ac_c_preproc_warn_flag in '' yes do # Use a header file that comes with gcc, so configuring glibc # with a fresh cross-compiler works. # Prefer to if __STDC__ is defined, since # exists even on freestanding compilers. # On the NeXT, cc -E runs the code through the compiler's parser, # not just through cpp. "Syntax error" is here to catch this case. cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #ifdef __STDC__ # include #else # include #endif Syntax error _ACEOF if ac_fn_c_try_cpp "$LINENO"; then : else # Broken: fails on valid input. continue fi rm -f conftest.err conftest.i conftest.$ac_ext # OK, works on sane cases. Now check whether nonexistent headers # can be detected and how. cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include _ACEOF if ac_fn_c_try_cpp "$LINENO"; then : # Broken: success on invalid input. continue else # Passes both tests. ac_preproc_ok=: break fi rm -f conftest.err conftest.i conftest.$ac_ext done # Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped. rm -f conftest.i conftest.err conftest.$ac_ext if $ac_preproc_ok; then : break fi done ac_cv_prog_CPP=$CPP fi CPP=$ac_cv_prog_CPP else ac_cv_prog_CPP=$CPP fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CPP" >&5 $as_echo "$CPP" >&6; } ac_preproc_ok=false for ac_c_preproc_warn_flag in '' yes do # Use a header file that comes with gcc, so configuring glibc # with a fresh cross-compiler works. # Prefer to if __STDC__ is defined, since # exists even on freestanding compilers. # On the NeXT, cc -E runs the code through the compiler's parser, # not just through cpp. "Syntax error" is here to catch this case. cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #ifdef __STDC__ # include #else # include #endif Syntax error _ACEOF if ac_fn_c_try_cpp "$LINENO"; then : else # Broken: fails on valid input. continue fi rm -f conftest.err conftest.i conftest.$ac_ext # OK, works on sane cases. Now check whether nonexistent headers # can be detected and how. cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include _ACEOF if ac_fn_c_try_cpp "$LINENO"; then : # Broken: success on invalid input. continue else # Passes both tests. ac_preproc_ok=: break fi rm -f conftest.err conftest.i conftest.$ac_ext done # Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped. rm -f conftest.i conftest.err conftest.$ac_ext if $ac_preproc_ok; then : else { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} as_fn_error $? "C preprocessor \"$CPP\" fails sanity check See \`config.log' for more details" "$LINENO" 5; } fi ac_ext=c ac_cpp='$CPP $CPPFLAGS' ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_c_compiler_gnu { $as_echo "$as_me:${as_lineno-$LINENO}: checking for grep that handles long lines and -e" >&5 $as_echo_n "checking for grep that handles long lines and -e... " >&6; } if ${ac_cv_path_GREP+:} false; then : $as_echo_n "(cached) " >&6 else if test -z "$GREP"; then ac_path_GREP_found=false # Loop through the user's path and test for each of PROGNAME-LIST as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH$PATH_SEPARATOR/usr/xpg4/bin do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_prog in grep ggrep; do for ac_exec_ext in '' $ac_executable_extensions; do ac_path_GREP="$as_dir/$ac_prog$ac_exec_ext" as_fn_executable_p "$ac_path_GREP" || continue # Check for GNU ac_path_GREP and select it if it is found. # Check for GNU $ac_path_GREP case `"$ac_path_GREP" --version 2>&1` in *GNU*) ac_cv_path_GREP="$ac_path_GREP" ac_path_GREP_found=:;; *) ac_count=0 $as_echo_n 0123456789 >"conftest.in" while : do cat "conftest.in" "conftest.in" >"conftest.tmp" mv "conftest.tmp" "conftest.in" cp "conftest.in" "conftest.nl" $as_echo 'GREP' >> "conftest.nl" "$ac_path_GREP" -e 'GREP$' -e '-(cannot match)-' < "conftest.nl" >"conftest.out" 2>/dev/null || break diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break as_fn_arith $ac_count + 1 && ac_count=$as_val if test $ac_count -gt ${ac_path_GREP_max-0}; then # Best one so far, save it but keep looking for a better one ac_cv_path_GREP="$ac_path_GREP" ac_path_GREP_max=$ac_count fi # 10*(2^10) chars as input seems more than enough test $ac_count -gt 10 && break done rm -f conftest.in conftest.tmp conftest.nl conftest.out;; esac $ac_path_GREP_found && break 3 done done done IFS=$as_save_IFS if test -z "$ac_cv_path_GREP"; then as_fn_error $? "no acceptable grep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" "$LINENO" 5 fi else ac_cv_path_GREP=$GREP fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_path_GREP" >&5 $as_echo "$ac_cv_path_GREP" >&6; } GREP="$ac_cv_path_GREP" { $as_echo "$as_me:${as_lineno-$LINENO}: checking for egrep" >&5 $as_echo_n "checking for egrep... " >&6; } if ${ac_cv_path_EGREP+:} false; then : $as_echo_n "(cached) " >&6 else if echo a | $GREP -E '(a|b)' >/dev/null 2>&1 then ac_cv_path_EGREP="$GREP -E" else if test -z "$EGREP"; then ac_path_EGREP_found=false # Loop through the user's path and test for each of PROGNAME-LIST as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH$PATH_SEPARATOR/usr/xpg4/bin do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_prog in egrep; do for ac_exec_ext in '' $ac_executable_extensions; do ac_path_EGREP="$as_dir/$ac_prog$ac_exec_ext" as_fn_executable_p "$ac_path_EGREP" || continue # Check for GNU ac_path_EGREP and select it if it is found. # Check for GNU $ac_path_EGREP case `"$ac_path_EGREP" --version 2>&1` in *GNU*) ac_cv_path_EGREP="$ac_path_EGREP" ac_path_EGREP_found=:;; *) ac_count=0 $as_echo_n 0123456789 >"conftest.in" while : do cat "conftest.in" "conftest.in" >"conftest.tmp" mv "conftest.tmp" "conftest.in" cp "conftest.in" "conftest.nl" $as_echo 'EGREP' >> "conftest.nl" "$ac_path_EGREP" 'EGREP$' < "conftest.nl" >"conftest.out" 2>/dev/null || break diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break as_fn_arith $ac_count + 1 && ac_count=$as_val if test $ac_count -gt ${ac_path_EGREP_max-0}; then # Best one so far, save it but keep looking for a better one ac_cv_path_EGREP="$ac_path_EGREP" ac_path_EGREP_max=$ac_count fi # 10*(2^10) chars as input seems more than enough test $ac_count -gt 10 && break done rm -f conftest.in conftest.tmp conftest.nl conftest.out;; esac $ac_path_EGREP_found && break 3 done done done IFS=$as_save_IFS if test -z "$ac_cv_path_EGREP"; then as_fn_error $? "no acceptable egrep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" "$LINENO" 5 fi else ac_cv_path_EGREP=$EGREP fi fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_path_EGREP" >&5 $as_echo "$ac_cv_path_EGREP" >&6; } EGREP="$ac_cv_path_EGREP" { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ANSI C header files" >&5 $as_echo_n "checking for ANSI C header files... " >&6; } if ${ac_cv_header_stdc+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include #include #include #include int main () { ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ac_cv_header_stdc=yes else ac_cv_header_stdc=no fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext if test $ac_cv_header_stdc = yes; then # SunOS 4.x string.h does not declare mem*, contrary to ANSI. cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include _ACEOF if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | $EGREP "memchr" >/dev/null 2>&1; then : else ac_cv_header_stdc=no fi rm -f conftest* fi if test $ac_cv_header_stdc = yes; then # ISC 2.0.2 stdlib.h does not declare free, contrary to ANSI. cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include _ACEOF if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | $EGREP "free" >/dev/null 2>&1; then : else ac_cv_header_stdc=no fi rm -f conftest* fi if test $ac_cv_header_stdc = yes; then # /bin/cc in Irix-4.0.5 gets non-ANSI ctype macros unless using -ansi. if test "$cross_compiling" = yes; then : : else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include #include #if ((' ' & 0x0FF) == 0x020) # define ISLOWER(c) ('a' <= (c) && (c) <= 'z') # define TOUPPER(c) (ISLOWER(c) ? 'A' + ((c) - 'a') : (c)) #else # define ISLOWER(c) \ (('a' <= (c) && (c) <= 'i') \ || ('j' <= (c) && (c) <= 'r') \ || ('s' <= (c) && (c) <= 'z')) # define TOUPPER(c) (ISLOWER(c) ? ((c) | 0x40) : (c)) #endif #define XOR(e, f) (((e) && !(f)) || (!(e) && (f))) int main () { int i; for (i = 0; i < 256; i++) if (XOR (islower (i), ISLOWER (i)) || toupper (i) != TOUPPER (i)) return 2; return 0; } _ACEOF if ac_fn_c_try_run "$LINENO"; then : else ac_cv_header_stdc=no fi rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ conftest.$ac_objext conftest.beam conftest.$ac_ext fi fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_header_stdc" >&5 $as_echo "$ac_cv_header_stdc" >&6; } if test $ac_cv_header_stdc = yes; then $as_echo "#define STDC_HEADERS 1" >>confdefs.h fi # On IRIX 5.3, sys/types and inttypes.h are conflicting. for ac_header in sys/types.h sys/stat.h stdlib.h string.h memory.h strings.h \ inttypes.h stdint.h unistd.h do : as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` ac_fn_c_check_header_compile "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default " if eval test \"x\$"$as_ac_Header"\" = x"yes"; then : cat >>confdefs.h <<_ACEOF #define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 _ACEOF fi done ac_fn_c_check_header_mongrel "$LINENO" "minix/config.h" "ac_cv_header_minix_config_h" "$ac_includes_default" if test "x$ac_cv_header_minix_config_h" = xyes; then : MINIX=yes else MINIX= fi if test "$MINIX" = yes; then $as_echo "#define _POSIX_SOURCE 1" >>confdefs.h $as_echo "#define _POSIX_1_SOURCE 2" >>confdefs.h $as_echo "#define _MINIX 1" >>confdefs.h fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether it is safe to define __EXTENSIONS__" >&5 $as_echo_n "checking whether it is safe to define __EXTENSIONS__... " >&6; } if ${ac_cv_safe_to_define___extensions__+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ # define __EXTENSIONS__ 1 $ac_includes_default int main () { ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ac_cv_safe_to_define___extensions__=yes else ac_cv_safe_to_define___extensions__=no fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_safe_to_define___extensions__" >&5 $as_echo "$ac_cv_safe_to_define___extensions__" >&6; } test $ac_cv_safe_to_define___extensions__ = yes && $as_echo "#define __EXTENSIONS__ 1" >>confdefs.h $as_echo "#define _ALL_SOURCE 1" >>confdefs.h $as_echo "#define _GNU_SOURCE 1" >>confdefs.h $as_echo "#define _POSIX_PTHREAD_SEMANTICS 1" >>confdefs.h $as_echo "#define _TANDEM_SOURCE 1" >>confdefs.h # Check whether --enable-lzo was given. if test "${enable_lzo+set}" = set; then : enableval=$enable_lzo; else enable_lzo="yes" fi # Check whether --enable-lz4 was given. if test "${enable_lz4+set}" = set; then : enableval=$enable_lz4; enable_lz4="$enableval" else enable_lz4="yes" fi # Check whether --enable-comp-stub was given. if test "${enable_comp_stub+set}" = set; then : enableval=$enable_comp_stub; enable_comp_stub="$enableval" else enable_comp_stub="no" fi # Check whether --enable-crypto was given. if test "${enable_crypto+set}" = set; then : enableval=$enable_crypto; else enable_crypto="yes" fi # Check whether --enable-ofb-cfb was given. if test "${enable_ofb_cfb+set}" = set; then : enableval=$enable_ofb_cfb; else enable_crypto_ofb_cfb="yes" fi # Check whether --enable-x509-alt-username was given. if test "${enable_x509_alt_username+set}" = set; then : enableval=$enable_x509_alt_username; else enable_x509_alt_username="no" fi # Check whether --enable-server was given. if test "${enable_server+set}" = set; then : enableval=$enable_server; else enable_server="yes" fi # Check whether --enable-plugins was given. if test "${enable_plugins+set}" = set; then : enableval=$enable_plugins; else enable_plugins="yes" fi # Check whether --enable-management was given. if test "${enable_management+set}" = set; then : enableval=$enable_management; else enable_management="yes" fi # Check whether --enable-pkcs11 was given. if test "${enable_pkcs11+set}" = set; then : enableval=$enable_pkcs11; else enable_pkcs11="no" fi # Check whether --enable-fragment was given. if test "${enable_fragment+set}" = set; then : enableval=$enable_fragment; else enable_fragment="yes" fi # Check whether --enable-multihome was given. if test "${enable_multihome+set}" = set; then : enableval=$enable_multihome; else enable_multihome="yes" fi # Check whether --enable-port-share was given. if test "${enable_port_share+set}" = set; then : enableval=$enable_port_share; else enable_port_share="yes" fi # Check whether --enable-debug was given. if test "${enable_debug+set}" = set; then : enableval=$enable_debug; else enable_debug="yes" fi # Check whether --enable-small was given. if test "${enable_small+set}" = set; then : enableval=$enable_small; else enable_small="no" fi # Check whether --enable-iproute2 was given. if test "${enable_iproute2+set}" = set; then : enableval=$enable_iproute2; else enable_iproute2="no" fi # Check whether --enable-def-auth was given. if test "${enable_def_auth+set}" = set; then : enableval=$enable_def_auth; else enable_def_auth="yes" fi # Check whether --enable-pf was given. if test "${enable_pf+set}" = set; then : enableval=$enable_pf; else enable_pf="yes" fi # Check whether --enable-plugin-auth-pam was given. if test "${enable_plugin_auth_pam+set}" = set; then : enableval=$enable_plugin_auth_pam; else case "$host" in *-*-openbsd*) enable_plugin_auth_pam="no";; *-mingw*) enable_plugin_auth_pam="no";; *) enable_plugin_auth_pam="yes";; esac fi # Check whether --enable-plugin-down-root was given. if test "${enable_plugin_down_root+set}" = set; then : enableval=$enable_plugin_down_root; else case "$host" in *-mingw*) enable_plugin_down_root="no";; *) enable_plugin_down_root="yes";; esac fi # Check whether --enable-pam-dlopen was given. if test "${enable_pam_dlopen+set}" = set; then : enableval=$enable_pam_dlopen; else enable_pam_dlopen="no" fi # Check whether --enable-strict was given. if test "${enable_strict+set}" = set; then : enableval=$enable_strict; else enable_strict="no" fi # Check whether --enable-pedantic was given. if test "${enable_pedantic+set}" = set; then : enableval=$enable_pedantic; else enable_pedantic="no" fi # Check whether --enable-werror was given. if test "${enable_werror+set}" = set; then : enableval=$enable_werror; else enable_werror="no" fi # Check whether --enable-strict-options was given. if test "${enable_strict_options+set}" = set; then : enableval=$enable_strict_options; else enable_strict_options="no" fi # Check whether --enable-selinux was given. if test "${enable_selinux+set}" = set; then : enableval=$enable_selinux; else enable_selinux="no" fi # Check whether --enable-systemd was given. if test "${enable_systemd+set}" = set; then : enableval=$enable_systemd; else enable_systemd="no" fi # Check whether --enable-async-push was given. if test "${enable_async_push+set}" = set; then : enableval=$enable_async_push; else enable_async_push="no" fi # Check whether --with-special-build was given. if test "${with_special_build+set}" = set; then : withval=$with_special_build; test -n "${withval}" && cat >>confdefs.h <<_ACEOF #define CONFIGURE_SPECIAL_BUILD "${withval}" _ACEOF fi # Check whether --with-mem-check was given. if test "${with_mem_check+set}" = set; then : withval=$with_mem_check; case "${withval}" in dmalloc|valgrind|ssl|no) ;; *) as_fn_error $? "bad value ${withval} for --mem-check" "$LINENO" 5 ;; esac else with_mem_check="no" fi # Check whether --with-crypto-library was given. if test "${with_crypto_library+set}" = set; then : withval=$with_crypto_library; case "${withval}" in openssl|mbedtls) ;; *) as_fn_error $? "bad value ${withval} for --with-crypto-library" "$LINENO" 5 ;; esac else with_crypto_library="openssl" fi if test -n "${PLUGINDIR}"; then plugindir="${PLUGINDIR}" else plugindir="\${libdir}/openvpn/plugins" fi cat >>confdefs.h <<_ACEOF #define TARGET_ALIAS "${host}" _ACEOF case "$host" in *-*-linux*) $as_echo "#define TARGET_LINUX 1" >>confdefs.h cat >>confdefs.h <<_ACEOF #define TARGET_PREFIX "L" _ACEOF ;; *-*-solaris*) $as_echo "#define TARGET_SOLARIS 1" >>confdefs.h cat >>confdefs.h <<_ACEOF #define TARGET_PREFIX "S" _ACEOF CPPFLAGS="$CPPFLAGS -D_XPG4_2" ;; *-*-openbsd*) $as_echo "#define TARGET_OPENBSD 1" >>confdefs.h cat >>confdefs.h <<_ACEOF #define TARGET_PREFIX "O" _ACEOF ;; *-*-freebsd*) $as_echo "#define TARGET_FREEBSD 1" >>confdefs.h cat >>confdefs.h <<_ACEOF #define TARGET_PREFIX "F" _ACEOF ;; *-*-netbsd*) $as_echo "#define TARGET_NETBSD 1" >>confdefs.h cat >>confdefs.h <<_ACEOF #define TARGET_PREFIX "N" _ACEOF ;; *-*-darwin*) $as_echo "#define TARGET_DARWIN 1" >>confdefs.h cat >>confdefs.h <<_ACEOF #define TARGET_PREFIX "M" _ACEOF have_tap_header="yes" CPPFLAGS="$CPPFLAGS -no-cpp-precomp" ac_cv_type_struct_in_pktinfo=no ;; *-mingw*) $as_echo "#define TARGET_WIN32 1" >>confdefs.h cat >>confdefs.h <<_ACEOF #define TARGET_PREFIX "W" _ACEOF CPPFLAGS="${CPPFLAGS} -DWIN32_LEAN_AND_MEAN" CPPFLAGS="${CPPFLAGS} -DNTDDI_VERSION=NTDDI_VISTA -D_WIN32_WINNT=_WIN32_WINNT_VISTA" WIN32=yes ;; *-*-dragonfly*) $as_echo "#define TARGET_DRAGONFLY 1" >>confdefs.h cat >>confdefs.h <<_ACEOF #define TARGET_PREFIX "D" _ACEOF ;; *-aix*) $as_echo "#define TARGET_AIX 1" >>confdefs.h cat >>confdefs.h <<_ACEOF #define TARGET_PREFIX "A" _ACEOF ROUTE="/usr/sbin/route" have_tap_header="yes" ac_cv_header_net_if_h="no" # exists, but breaks things ;; *) cat >>confdefs.h <<_ACEOF #define TARGET_PREFIX "X" _ACEOF have_tap_header="yes" ;; esac if test "x$ac_cv_env_PKG_CONFIG_set" != "xset"; then if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}pkg-config", so it can be a program name with args. set dummy ${ac_tool_prefix}pkg-config; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_path_PKG_CONFIG+:} false; then : $as_echo_n "(cached) " >&6 else case $PKG_CONFIG in [\\/]* | ?:[\\/]*) ac_cv_path_PKG_CONFIG="$PKG_CONFIG" # Let the user override the test with a path. ;; *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_path_PKG_CONFIG="$as_dir/$ac_word$ac_exec_ext" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS ;; esac fi PKG_CONFIG=$ac_cv_path_PKG_CONFIG if test -n "$PKG_CONFIG"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PKG_CONFIG" >&5 $as_echo "$PKG_CONFIG" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi fi if test -z "$ac_cv_path_PKG_CONFIG"; then ac_pt_PKG_CONFIG=$PKG_CONFIG # Extract the first word of "pkg-config", so it can be a program name with args. set dummy pkg-config; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_path_ac_pt_PKG_CONFIG+:} false; then : $as_echo_n "(cached) " >&6 else case $ac_pt_PKG_CONFIG in [\\/]* | ?:[\\/]*) ac_cv_path_ac_pt_PKG_CONFIG="$ac_pt_PKG_CONFIG" # Let the user override the test with a path. ;; *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_path_ac_pt_PKG_CONFIG="$as_dir/$ac_word$ac_exec_ext" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS ;; esac fi ac_pt_PKG_CONFIG=$ac_cv_path_ac_pt_PKG_CONFIG if test -n "$ac_pt_PKG_CONFIG"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_pt_PKG_CONFIG" >&5 $as_echo "$ac_pt_PKG_CONFIG" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi if test "x$ac_pt_PKG_CONFIG" = x; then PKG_CONFIG="" else case $cross_compiling:$ac_tool_warned in yes:) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 $as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac PKG_CONFIG=$ac_pt_PKG_CONFIG fi else PKG_CONFIG="$ac_cv_path_PKG_CONFIG" fi fi if test -n "$PKG_CONFIG"; then _pkg_min_version=0.9.0 { $as_echo "$as_me:${as_lineno-$LINENO}: checking pkg-config is at least version $_pkg_min_version" >&5 $as_echo_n "checking pkg-config is at least version $_pkg_min_version... " >&6; } if $PKG_CONFIG --atleast-pkgconfig-version $_pkg_min_version; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 $as_echo "yes" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } PKG_CONFIG="" fi fi ac_ext=c ac_cpp='$CPP $CPPFLAGS' ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_c_compiler_gnu { $as_echo "$as_me:${as_lineno-$LINENO}: checking how to run the C preprocessor" >&5 $as_echo_n "checking how to run the C preprocessor... " >&6; } # On Suns, sometimes $CPP names a directory. if test -n "$CPP" && test -d "$CPP"; then CPP= fi if test -z "$CPP"; then if ${ac_cv_prog_CPP+:} false; then : $as_echo_n "(cached) " >&6 else # Double quotes because CPP needs to be expanded for CPP in "$CC -E" "$CC -E -traditional-cpp" "/lib/cpp" do ac_preproc_ok=false for ac_c_preproc_warn_flag in '' yes do # Use a header file that comes with gcc, so configuring glibc # with a fresh cross-compiler works. # Prefer to if __STDC__ is defined, since # exists even on freestanding compilers. # On the NeXT, cc -E runs the code through the compiler's parser, # not just through cpp. "Syntax error" is here to catch this case. cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #ifdef __STDC__ # include #else # include #endif Syntax error _ACEOF if ac_fn_c_try_cpp "$LINENO"; then : else # Broken: fails on valid input. continue fi rm -f conftest.err conftest.i conftest.$ac_ext # OK, works on sane cases. Now check whether nonexistent headers # can be detected and how. cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include _ACEOF if ac_fn_c_try_cpp "$LINENO"; then : # Broken: success on invalid input. continue else # Passes both tests. ac_preproc_ok=: break fi rm -f conftest.err conftest.i conftest.$ac_ext done # Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped. rm -f conftest.i conftest.err conftest.$ac_ext if $ac_preproc_ok; then : break fi done ac_cv_prog_CPP=$CPP fi CPP=$ac_cv_prog_CPP else ac_cv_prog_CPP=$CPP fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CPP" >&5 $as_echo "$CPP" >&6; } ac_preproc_ok=false for ac_c_preproc_warn_flag in '' yes do # Use a header file that comes with gcc, so configuring glibc # with a fresh cross-compiler works. # Prefer to if __STDC__ is defined, since # exists even on freestanding compilers. # On the NeXT, cc -E runs the code through the compiler's parser, # not just through cpp. "Syntax error" is here to catch this case. cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #ifdef __STDC__ # include #else # include #endif Syntax error _ACEOF if ac_fn_c_try_cpp "$LINENO"; then : else # Broken: fails on valid input. continue fi rm -f conftest.err conftest.i conftest.$ac_ext # OK, works on sane cases. Now check whether nonexistent headers # can be detected and how. cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include _ACEOF if ac_fn_c_try_cpp "$LINENO"; then : # Broken: success on invalid input. continue else # Passes both tests. ac_preproc_ok=: break fi rm -f conftest.err conftest.i conftest.$ac_ext done # Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped. rm -f conftest.i conftest.err conftest.$ac_ext if $ac_preproc_ok; then : else { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} as_fn_error $? "C preprocessor \"$CPP\" fails sanity check See \`config.log' for more details" "$LINENO" 5; } fi ac_ext=c ac_cpp='$CPP $CPPFLAGS' ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_c_compiler_gnu { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether ln -s works" >&5 $as_echo_n "checking whether ln -s works... " >&6; } LN_S=$as_ln_s if test "$LN_S" = "ln -s"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 $as_echo "yes" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no, using $LN_S" >&5 $as_echo "no, using $LN_S" >&6; } fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking for a sed that does not truncate output" >&5 $as_echo_n "checking for a sed that does not truncate output... " >&6; } if ${ac_cv_path_SED+:} false; then : $as_echo_n "(cached) " >&6 else ac_script=s/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb/ for ac_i in 1 2 3 4 5 6 7; do ac_script="$ac_script$as_nl$ac_script" done echo "$ac_script" 2>/dev/null | sed 99q >conftest.sed { ac_script=; unset ac_script;} if test -z "$SED"; then ac_path_SED_found=false # Loop through the user's path and test for each of PROGNAME-LIST as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_prog in sed gsed; do for ac_exec_ext in '' $ac_executable_extensions; do ac_path_SED="$as_dir/$ac_prog$ac_exec_ext" as_fn_executable_p "$ac_path_SED" || continue # Check for GNU ac_path_SED and select it if it is found. # Check for GNU $ac_path_SED case `"$ac_path_SED" --version 2>&1` in *GNU*) ac_cv_path_SED="$ac_path_SED" ac_path_SED_found=:;; *) ac_count=0 $as_echo_n 0123456789 >"conftest.in" while : do cat "conftest.in" "conftest.in" >"conftest.tmp" mv "conftest.tmp" "conftest.in" cp "conftest.in" "conftest.nl" $as_echo '' >> "conftest.nl" "$ac_path_SED" -f conftest.sed < "conftest.nl" >"conftest.out" 2>/dev/null || break diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break as_fn_arith $ac_count + 1 && ac_count=$as_val if test $ac_count -gt ${ac_path_SED_max-0}; then # Best one so far, save it but keep looking for a better one ac_cv_path_SED="$ac_path_SED" ac_path_SED_max=$ac_count fi # 10*(2^10) chars as input seems more than enough test $ac_count -gt 10 && break done rm -f conftest.in conftest.tmp conftest.nl conftest.out;; esac $ac_path_SED_found && break 3 done done done IFS=$as_save_IFS if test -z "$ac_cv_path_SED"; then as_fn_error $? "no acceptable sed could be found in \$PATH" "$LINENO" 5 fi else ac_cv_path_SED=$SED fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_path_SED" >&5 $as_echo "$ac_cv_path_SED" >&6; } SED="$ac_cv_path_SED" rm -f conftest.sed { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether ${MAKE-make} sets \$(MAKE)" >&5 $as_echo_n "checking whether ${MAKE-make} sets \$(MAKE)... " >&6; } set x ${MAKE-make} ac_make=`$as_echo "$2" | sed 's/+/p/g; s/[^a-zA-Z0-9_]/_/g'` if eval \${ac_cv_prog_make_${ac_make}_set+:} false; then : $as_echo_n "(cached) " >&6 else cat >conftest.make <<\_ACEOF SHELL = /bin/sh all: @echo '@@@%%%=$(MAKE)=@@@%%%' _ACEOF # GNU make sometimes prints "make[1]: Entering ...", which would confuse us. case `${MAKE-make} -f conftest.make 2>/dev/null` in *@@@%%%=?*=@@@%%%*) eval ac_cv_prog_make_${ac_make}_set=yes;; *) eval ac_cv_prog_make_${ac_make}_set=no;; esac rm -f conftest.make fi if eval test \$ac_cv_prog_make_${ac_make}_set = yes; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 $as_echo "yes" >&6; } SET_MAKE= else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } SET_MAKE="MAKE=${MAKE-make}" fi # tests for ac_prog in ifconfig do # Extract the first word of "$ac_prog", so it can be a program name with args. set dummy $ac_prog; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_path_IFCONFIG+:} false; then : $as_echo_n "(cached) " >&6 else case $IFCONFIG in [\\/]* | ?:[\\/]*) ac_cv_path_IFCONFIG="$IFCONFIG" # Let the user override the test with a path. ;; *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR as_dummy="$PATH:/usr/local/sbin:/usr/sbin:/sbin" for as_dir in $as_dummy do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_path_IFCONFIG="$as_dir/$ac_word$ac_exec_ext" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS ;; esac fi IFCONFIG=$ac_cv_path_IFCONFIG if test -n "$IFCONFIG"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $IFCONFIG" >&5 $as_echo "$IFCONFIG" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi test -n "$IFCONFIG" && break done for ac_prog in route do # Extract the first word of "$ac_prog", so it can be a program name with args. set dummy $ac_prog; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_path_ROUTE+:} false; then : $as_echo_n "(cached) " >&6 else case $ROUTE in [\\/]* | ?:[\\/]*) ac_cv_path_ROUTE="$ROUTE" # Let the user override the test with a path. ;; *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR as_dummy="$PATH:/usr/local/sbin:/usr/sbin:/sbin" for as_dir in $as_dummy do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_path_ROUTE="$as_dir/$ac_word$ac_exec_ext" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS ;; esac fi ROUTE=$ac_cv_path_ROUTE if test -n "$ROUTE"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ROUTE" >&5 $as_echo "$ROUTE" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi test -n "$ROUTE" && break done for ac_prog in ip do # Extract the first word of "$ac_prog", so it can be a program name with args. set dummy $ac_prog; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_path_IPROUTE+:} false; then : $as_echo_n "(cached) " >&6 else case $IPROUTE in [\\/]* | ?:[\\/]*) ac_cv_path_IPROUTE="$IPROUTE" # Let the user override the test with a path. ;; *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR as_dummy="$PATH:/usr/local/sbin:/usr/sbin:/sbin" for as_dir in $as_dummy do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_path_IPROUTE="$as_dir/$ac_word$ac_exec_ext" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS ;; esac fi IPROUTE=$ac_cv_path_IPROUTE if test -n "$IPROUTE"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $IPROUTE" >&5 $as_echo "$IPROUTE" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi test -n "$IPROUTE" && break done for ac_prog in systemd-ask-password do # Extract the first word of "$ac_prog", so it can be a program name with args. set dummy $ac_prog; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_path_SYSTEMD_ASK_PASSWORD+:} false; then : $as_echo_n "(cached) " >&6 else case $SYSTEMD_ASK_PASSWORD in [\\/]* | ?:[\\/]*) ac_cv_path_SYSTEMD_ASK_PASSWORD="$SYSTEMD_ASK_PASSWORD" # Let the user override the test with a path. ;; *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR as_dummy="$PATH:/usr/local/bin:/usr/bin:/bin" for as_dir in $as_dummy do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_path_SYSTEMD_ASK_PASSWORD="$as_dir/$ac_word$ac_exec_ext" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS ;; esac fi SYSTEMD_ASK_PASSWORD=$ac_cv_path_SYSTEMD_ASK_PASSWORD if test -n "$SYSTEMD_ASK_PASSWORD"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $SYSTEMD_ASK_PASSWORD" >&5 $as_echo "$SYSTEMD_ASK_PASSWORD" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi test -n "$SYSTEMD_ASK_PASSWORD" && break done for ac_prog in netstat do # Extract the first word of "$ac_prog", so it can be a program name with args. set dummy $ac_prog; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_NETSTAT+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$NETSTAT"; then ac_cv_prog_NETSTAT="$NETSTAT" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR as_dummy="$PATH:/usr/local/sbin:/usr/sbin:/sbin:/etc" for as_dir in $as_dummy do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_NETSTAT="$ac_prog" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi NETSTAT=$ac_cv_prog_NETSTAT if test -n "$NETSTAT"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $NETSTAT" >&5 $as_echo "$NETSTAT" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi test -n "$NETSTAT" && break done test -n "$NETSTAT" || NETSTAT="netstat" # tests for ac_prog in man2html do # Extract the first word of "$ac_prog", so it can be a program name with args. set dummy $ac_prog; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_MAN2HTML+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$MAN2HTML"; then ac_cv_prog_MAN2HTML="$MAN2HTML" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_MAN2HTML="$ac_prog" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi MAN2HTML=$ac_cv_prog_MAN2HTML if test -n "$MAN2HTML"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $MAN2HTML" >&5 $as_echo "$MAN2HTML" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi test -n "$MAN2HTML" && break done for ac_prog in git do # Extract the first word of "$ac_prog", so it can be a program name with args. set dummy $ac_prog; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_GIT+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$GIT"; then ac_cv_prog_GIT="$GIT" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_GIT="$ac_prog" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi GIT=$ac_cv_prog_GIT if test -n "$GIT"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $GIT" >&5 $as_echo "$GIT" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi test -n "$GIT" && break done # optional cat >>confdefs.h <<_ACEOF #define IFCONFIG_PATH "$IFCONFIG" _ACEOF cat >>confdefs.h <<_ACEOF #define IPROUTE_PATH "$IPROUTE" _ACEOF cat >>confdefs.h <<_ACEOF #define ROUTE_PATH "$ROUTE" _ACEOF cat >>confdefs.h <<_ACEOF #define SYSTEMD_ASK_PASSWORD_PATH "$SYSTEMD_ASK_PASSWORD" _ACEOF # Set -std=c99 unless user already specified a -std= case "${CFLAGS}" in *-std=*) ;; *) CFLAGS="${CFLAGS} -std=c99" ;; esac # # Libtool # case `pwd` in *\ * | *\ *) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Libtool does not cope well with whitespace in \`pwd\`" >&5 $as_echo "$as_me: WARNING: Libtool does not cope well with whitespace in \`pwd\`" >&2;} ;; esac macro_version='2.4.2' macro_revision='1.3337' ltmain="$ac_aux_dir/ltmain.sh" # Backslashify metacharacters that are still active within # double-quoted strings. sed_quote_subst='s/\(["`$\\]\)/\\\1/g' # Same as above, but do not quote variable references. double_quote_subst='s/\(["`\\]\)/\\\1/g' # Sed substitution to delay expansion of an escaped shell variable in a # double_quote_subst'ed string. delay_variable_subst='s/\\\\\\\\\\\$/\\\\\\$/g' # Sed substitution to delay expansion of an escaped single quote. delay_single_quote_subst='s/'\''/'\'\\\\\\\'\''/g' # Sed substitution to avoid accidental globbing in evaled expressions no_glob_subst='s/\*/\\\*/g' ECHO='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' ECHO=$ECHO$ECHO$ECHO$ECHO$ECHO ECHO=$ECHO$ECHO$ECHO$ECHO$ECHO$ECHO { $as_echo "$as_me:${as_lineno-$LINENO}: checking how to print strings" >&5 $as_echo_n "checking how to print strings... " >&6; } # Test print first, because it will be a builtin if present. if test "X`( print -r -- -n ) 2>/dev/null`" = X-n && \ test "X`print -r -- $ECHO 2>/dev/null`" = "X$ECHO"; then ECHO='print -r --' elif test "X`printf %s $ECHO 2>/dev/null`" = "X$ECHO"; then ECHO='printf %s\n' else # Use this function as a fallback that always works. func_fallback_echo () { eval 'cat <<_LTECHO_EOF $1 _LTECHO_EOF' } ECHO='func_fallback_echo' fi # func_echo_all arg... # Invoke $ECHO with all args, space-separated. func_echo_all () { $ECHO "" } case "$ECHO" in printf*) { $as_echo "$as_me:${as_lineno-$LINENO}: result: printf" >&5 $as_echo "printf" >&6; } ;; print*) { $as_echo "$as_me:${as_lineno-$LINENO}: result: print -r" >&5 $as_echo "print -r" >&6; } ;; *) { $as_echo "$as_me:${as_lineno-$LINENO}: result: cat" >&5 $as_echo "cat" >&6; } ;; esac { $as_echo "$as_me:${as_lineno-$LINENO}: checking for a sed that does not truncate output" >&5 $as_echo_n "checking for a sed that does not truncate output... " >&6; } if ${ac_cv_path_SED+:} false; then : $as_echo_n "(cached) " >&6 else ac_script=s/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb/ for ac_i in 1 2 3 4 5 6 7; do ac_script="$ac_script$as_nl$ac_script" done echo "$ac_script" 2>/dev/null | sed 99q >conftest.sed { ac_script=; unset ac_script;} if test -z "$SED"; then ac_path_SED_found=false # Loop through the user's path and test for each of PROGNAME-LIST as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_prog in sed gsed; do for ac_exec_ext in '' $ac_executable_extensions; do ac_path_SED="$as_dir/$ac_prog$ac_exec_ext" as_fn_executable_p "$ac_path_SED" || continue # Check for GNU ac_path_SED and select it if it is found. # Check for GNU $ac_path_SED case `"$ac_path_SED" --version 2>&1` in *GNU*) ac_cv_path_SED="$ac_path_SED" ac_path_SED_found=:;; *) ac_count=0 $as_echo_n 0123456789 >"conftest.in" while : do cat "conftest.in" "conftest.in" >"conftest.tmp" mv "conftest.tmp" "conftest.in" cp "conftest.in" "conftest.nl" $as_echo '' >> "conftest.nl" "$ac_path_SED" -f conftest.sed < "conftest.nl" >"conftest.out" 2>/dev/null || break diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break as_fn_arith $ac_count + 1 && ac_count=$as_val if test $ac_count -gt ${ac_path_SED_max-0}; then # Best one so far, save it but keep looking for a better one ac_cv_path_SED="$ac_path_SED" ac_path_SED_max=$ac_count fi # 10*(2^10) chars as input seems more than enough test $ac_count -gt 10 && break done rm -f conftest.in conftest.tmp conftest.nl conftest.out;; esac $ac_path_SED_found && break 3 done done done IFS=$as_save_IFS if test -z "$ac_cv_path_SED"; then as_fn_error $? "no acceptable sed could be found in \$PATH" "$LINENO" 5 fi else ac_cv_path_SED=$SED fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_path_SED" >&5 $as_echo "$ac_cv_path_SED" >&6; } SED="$ac_cv_path_SED" rm -f conftest.sed test -z "$SED" && SED=sed Xsed="$SED -e 1s/^X//" { $as_echo "$as_me:${as_lineno-$LINENO}: checking for fgrep" >&5 $as_echo_n "checking for fgrep... " >&6; } if ${ac_cv_path_FGREP+:} false; then : $as_echo_n "(cached) " >&6 else if echo 'ab*c' | $GREP -F 'ab*c' >/dev/null 2>&1 then ac_cv_path_FGREP="$GREP -F" else if test -z "$FGREP"; then ac_path_FGREP_found=false # Loop through the user's path and test for each of PROGNAME-LIST as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH$PATH_SEPARATOR/usr/xpg4/bin do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_prog in fgrep; do for ac_exec_ext in '' $ac_executable_extensions; do ac_path_FGREP="$as_dir/$ac_prog$ac_exec_ext" as_fn_executable_p "$ac_path_FGREP" || continue # Check for GNU ac_path_FGREP and select it if it is found. # Check for GNU $ac_path_FGREP case `"$ac_path_FGREP" --version 2>&1` in *GNU*) ac_cv_path_FGREP="$ac_path_FGREP" ac_path_FGREP_found=:;; *) ac_count=0 $as_echo_n 0123456789 >"conftest.in" while : do cat "conftest.in" "conftest.in" >"conftest.tmp" mv "conftest.tmp" "conftest.in" cp "conftest.in" "conftest.nl" $as_echo 'FGREP' >> "conftest.nl" "$ac_path_FGREP" FGREP < "conftest.nl" >"conftest.out" 2>/dev/null || break diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break as_fn_arith $ac_count + 1 && ac_count=$as_val if test $ac_count -gt ${ac_path_FGREP_max-0}; then # Best one so far, save it but keep looking for a better one ac_cv_path_FGREP="$ac_path_FGREP" ac_path_FGREP_max=$ac_count fi # 10*(2^10) chars as input seems more than enough test $ac_count -gt 10 && break done rm -f conftest.in conftest.tmp conftest.nl conftest.out;; esac $ac_path_FGREP_found && break 3 done done done IFS=$as_save_IFS if test -z "$ac_cv_path_FGREP"; then as_fn_error $? "no acceptable fgrep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" "$LINENO" 5 fi else ac_cv_path_FGREP=$FGREP fi fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_path_FGREP" >&5 $as_echo "$ac_cv_path_FGREP" >&6; } FGREP="$ac_cv_path_FGREP" test -z "$GREP" && GREP=grep # Check whether --with-gnu-ld was given. if test "${with_gnu_ld+set}" = set; then : withval=$with_gnu_ld; test "$withval" = no || with_gnu_ld=yes else with_gnu_ld=no fi ac_prog=ld if test "$GCC" = yes; then # Check if gcc -print-prog-name=ld gives a path. { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ld used by $CC" >&5 $as_echo_n "checking for ld used by $CC... " >&6; } case $host in *-*-mingw*) # gcc leaves a trailing carriage return which upsets mingw ac_prog=`($CC -print-prog-name=ld) 2>&5 | tr -d '\015'` ;; *) ac_prog=`($CC -print-prog-name=ld) 2>&5` ;; esac case $ac_prog in # Accept absolute paths. [\\/]* | ?:[\\/]*) re_direlt='/[^/][^/]*/\.\./' # Canonicalize the pathname of ld ac_prog=`$ECHO "$ac_prog"| $SED 's%\\\\%/%g'` while $ECHO "$ac_prog" | $GREP "$re_direlt" > /dev/null 2>&1; do ac_prog=`$ECHO $ac_prog| $SED "s%$re_direlt%/%"` done test -z "$LD" && LD="$ac_prog" ;; "") # If it fails, then pretend we aren't using GCC. ac_prog=ld ;; *) # If it is relative, then search for the first ld in PATH. with_gnu_ld=unknown ;; esac elif test "$with_gnu_ld" = yes; then { $as_echo "$as_me:${as_lineno-$LINENO}: checking for GNU ld" >&5 $as_echo_n "checking for GNU ld... " >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: checking for non-GNU ld" >&5 $as_echo_n "checking for non-GNU ld... " >&6; } fi if ${lt_cv_path_LD+:} false; then : $as_echo_n "(cached) " >&6 else if test -z "$LD"; then lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR for ac_dir in $PATH; do IFS="$lt_save_ifs" test -z "$ac_dir" && ac_dir=. if test -f "$ac_dir/$ac_prog" || test -f "$ac_dir/$ac_prog$ac_exeext"; then lt_cv_path_LD="$ac_dir/$ac_prog" # Check to see if the program is GNU ld. I'd rather use --version, # but apparently some variants of GNU ld only accept -v. # Break only if it was the GNU/non-GNU ld that we prefer. case `"$lt_cv_path_LD" -v 2>&1 &5 $as_echo "$LD" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi test -z "$LD" && as_fn_error $? "no acceptable ld found in \$PATH" "$LINENO" 5 { $as_echo "$as_me:${as_lineno-$LINENO}: checking if the linker ($LD) is GNU ld" >&5 $as_echo_n "checking if the linker ($LD) is GNU ld... " >&6; } if ${lt_cv_prog_gnu_ld+:} false; then : $as_echo_n "(cached) " >&6 else # I'd rather use --version here, but apparently some GNU lds only accept -v. case `$LD -v 2>&1 &5 $as_echo "$lt_cv_prog_gnu_ld" >&6; } with_gnu_ld=$lt_cv_prog_gnu_ld { $as_echo "$as_me:${as_lineno-$LINENO}: checking for BSD- or MS-compatible name lister (nm)" >&5 $as_echo_n "checking for BSD- or MS-compatible name lister (nm)... " >&6; } if ${lt_cv_path_NM+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$NM"; then # Let the user override the test. lt_cv_path_NM="$NM" else lt_nm_to_check="${ac_tool_prefix}nm" if test -n "$ac_tool_prefix" && test "$build" = "$host"; then lt_nm_to_check="$lt_nm_to_check nm" fi for lt_tmp_nm in $lt_nm_to_check; do lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR for ac_dir in $PATH /usr/ccs/bin/elf /usr/ccs/bin /usr/ucb /bin; do IFS="$lt_save_ifs" test -z "$ac_dir" && ac_dir=. tmp_nm="$ac_dir/$lt_tmp_nm" if test -f "$tmp_nm" || test -f "$tmp_nm$ac_exeext" ; then # Check to see if the nm accepts a BSD-compat flag. # Adding the `sed 1q' prevents false positives on HP-UX, which says: # nm: unknown option "B" ignored # Tru64's nm complains that /dev/null is an invalid object file case `"$tmp_nm" -B /dev/null 2>&1 | sed '1q'` in */dev/null* | *'Invalid file or object type'*) lt_cv_path_NM="$tmp_nm -B" break ;; *) case `"$tmp_nm" -p /dev/null 2>&1 | sed '1q'` in */dev/null*) lt_cv_path_NM="$tmp_nm -p" break ;; *) lt_cv_path_NM=${lt_cv_path_NM="$tmp_nm"} # keep the first match, but continue # so that we can try to find one that supports BSD flags ;; esac ;; esac fi done IFS="$lt_save_ifs" done : ${lt_cv_path_NM=no} fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_path_NM" >&5 $as_echo "$lt_cv_path_NM" >&6; } if test "$lt_cv_path_NM" != "no"; then NM="$lt_cv_path_NM" else # Didn't find any BSD compatible name lister, look for dumpbin. if test -n "$DUMPBIN"; then : # Let the user override the test. else if test -n "$ac_tool_prefix"; then for ac_prog in dumpbin "link -dump" do # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args. set dummy $ac_tool_prefix$ac_prog; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_DUMPBIN+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$DUMPBIN"; then ac_cv_prog_DUMPBIN="$DUMPBIN" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_DUMPBIN="$ac_tool_prefix$ac_prog" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi DUMPBIN=$ac_cv_prog_DUMPBIN if test -n "$DUMPBIN"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $DUMPBIN" >&5 $as_echo "$DUMPBIN" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi test -n "$DUMPBIN" && break done fi if test -z "$DUMPBIN"; then ac_ct_DUMPBIN=$DUMPBIN for ac_prog in dumpbin "link -dump" do # Extract the first word of "$ac_prog", so it can be a program name with args. set dummy $ac_prog; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_ac_ct_DUMPBIN+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$ac_ct_DUMPBIN"; then ac_cv_prog_ac_ct_DUMPBIN="$ac_ct_DUMPBIN" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_ac_ct_DUMPBIN="$ac_prog" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi ac_ct_DUMPBIN=$ac_cv_prog_ac_ct_DUMPBIN if test -n "$ac_ct_DUMPBIN"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_DUMPBIN" >&5 $as_echo "$ac_ct_DUMPBIN" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi test -n "$ac_ct_DUMPBIN" && break done if test "x$ac_ct_DUMPBIN" = x; then DUMPBIN=":" else case $cross_compiling:$ac_tool_warned in yes:) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 $as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac DUMPBIN=$ac_ct_DUMPBIN fi fi case `$DUMPBIN -symbols /dev/null 2>&1 | sed '1q'` in *COFF*) DUMPBIN="$DUMPBIN -symbols" ;; *) DUMPBIN=: ;; esac fi if test "$DUMPBIN" != ":"; then NM="$DUMPBIN" fi fi test -z "$NM" && NM=nm { $as_echo "$as_me:${as_lineno-$LINENO}: checking the name lister ($NM) interface" >&5 $as_echo_n "checking the name lister ($NM) interface... " >&6; } if ${lt_cv_nm_interface+:} false; then : $as_echo_n "(cached) " >&6 else lt_cv_nm_interface="BSD nm" echo "int some_variable = 0;" > conftest.$ac_ext (eval echo "\"\$as_me:$LINENO: $ac_compile\"" >&5) (eval "$ac_compile" 2>conftest.err) cat conftest.err >&5 (eval echo "\"\$as_me:$LINENO: $NM \\\"conftest.$ac_objext\\\"\"" >&5) (eval "$NM \"conftest.$ac_objext\"" 2>conftest.err > conftest.out) cat conftest.err >&5 (eval echo "\"\$as_me:$LINENO: output\"" >&5) cat conftest.out >&5 if $GREP 'External.*some_variable' conftest.out > /dev/null; then lt_cv_nm_interface="MS dumpbin" fi rm -f conftest* fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_nm_interface" >&5 $as_echo "$lt_cv_nm_interface" >&6; } # find the maximum length of command line arguments { $as_echo "$as_me:${as_lineno-$LINENO}: checking the maximum length of command line arguments" >&5 $as_echo_n "checking the maximum length of command line arguments... " >&6; } if ${lt_cv_sys_max_cmd_len+:} false; then : $as_echo_n "(cached) " >&6 else i=0 teststring="ABCD" case $build_os in msdosdjgpp*) # On DJGPP, this test can blow up pretty badly due to problems in libc # (any single argument exceeding 2000 bytes causes a buffer overrun # during glob expansion). Even if it were fixed, the result of this # check would be larger than it should be. lt_cv_sys_max_cmd_len=12288; # 12K is about right ;; gnu*) # Under GNU Hurd, this test is not required because there is # no limit to the length of command line arguments. # Libtool will interpret -1 as no limit whatsoever lt_cv_sys_max_cmd_len=-1; ;; cygwin* | mingw* | cegcc*) # On Win9x/ME, this test blows up -- it succeeds, but takes # about 5 minutes as the teststring grows exponentially. # Worse, since 9x/ME are not pre-emptively multitasking, # you end up with a "frozen" computer, even though with patience # the test eventually succeeds (with a max line length of 256k). # Instead, let's just punt: use the minimum linelength reported by # all of the supported platforms: 8192 (on NT/2K/XP). lt_cv_sys_max_cmd_len=8192; ;; mint*) # On MiNT this can take a long time and run out of memory. lt_cv_sys_max_cmd_len=8192; ;; amigaos*) # On AmigaOS with pdksh, this test takes hours, literally. # So we just punt and use a minimum line length of 8192. lt_cv_sys_max_cmd_len=8192; ;; netbsd* | freebsd* | openbsd* | darwin* | dragonfly*) # This has been around since 386BSD, at least. Likely further. if test -x /sbin/sysctl; then lt_cv_sys_max_cmd_len=`/sbin/sysctl -n kern.argmax` elif test -x /usr/sbin/sysctl; then lt_cv_sys_max_cmd_len=`/usr/sbin/sysctl -n kern.argmax` else lt_cv_sys_max_cmd_len=65536 # usable default for all BSDs fi # And add a safety zone lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 4` lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \* 3` ;; interix*) # We know the value 262144 and hardcode it with a safety zone (like BSD) lt_cv_sys_max_cmd_len=196608 ;; os2*) # The test takes a long time on OS/2. lt_cv_sys_max_cmd_len=8192 ;; osf*) # Dr. Hans Ekkehard Plesser reports seeing a kernel panic running configure # due to this test when exec_disable_arg_limit is 1 on Tru64. It is not # nice to cause kernel panics so lets avoid the loop below. # First set a reasonable default. lt_cv_sys_max_cmd_len=16384 # if test -x /sbin/sysconfig; then case `/sbin/sysconfig -q proc exec_disable_arg_limit` in *1*) lt_cv_sys_max_cmd_len=-1 ;; esac fi ;; sco3.2v5*) lt_cv_sys_max_cmd_len=102400 ;; sysv5* | sco5v6* | sysv4.2uw2*) kargmax=`grep ARG_MAX /etc/conf/cf.d/stune 2>/dev/null` if test -n "$kargmax"; then lt_cv_sys_max_cmd_len=`echo $kargmax | sed 's/.*[ ]//'` else lt_cv_sys_max_cmd_len=32768 fi ;; *) lt_cv_sys_max_cmd_len=`(getconf ARG_MAX) 2> /dev/null` if test -n "$lt_cv_sys_max_cmd_len" && \ test undefined != "$lt_cv_sys_max_cmd_len"; then lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 4` lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \* 3` else # Make teststring a little bigger before we do anything with it. # a 1K string should be a reasonable start. for i in 1 2 3 4 5 6 7 8 ; do teststring=$teststring$teststring done SHELL=${SHELL-${CONFIG_SHELL-/bin/sh}} # If test is not a shell built-in, we'll probably end up computing a # maximum length that is only half of the actual maximum length, but # we can't tell. while { test "X"`env echo "$teststring$teststring" 2>/dev/null` \ = "X$teststring$teststring"; } >/dev/null 2>&1 && test $i != 17 # 1/2 MB should be enough do i=`expr $i + 1` teststring=$teststring$teststring done # Only check the string length outside the loop. lt_cv_sys_max_cmd_len=`expr "X$teststring" : ".*" 2>&1` teststring= # Add a significant safety factor because C++ compilers can tack on # massive amounts of additional arguments before passing them to the # linker. It appears as though 1/2 is a usable value. lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 2` fi ;; esac fi if test -n $lt_cv_sys_max_cmd_len ; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_sys_max_cmd_len" >&5 $as_echo "$lt_cv_sys_max_cmd_len" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: none" >&5 $as_echo "none" >&6; } fi max_cmd_len=$lt_cv_sys_max_cmd_len : ${CP="cp -f"} : ${MV="mv -f"} : ${RM="rm -f"} { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the shell understands some XSI constructs" >&5 $as_echo_n "checking whether the shell understands some XSI constructs... " >&6; } # Try some XSI features xsi_shell=no ( _lt_dummy="a/b/c" test "${_lt_dummy##*/},${_lt_dummy%/*},${_lt_dummy#??}"${_lt_dummy%"$_lt_dummy"}, \ = c,a/b,b/c, \ && eval 'test $(( 1 + 1 )) -eq 2 \ && test "${#_lt_dummy}" -eq 5' ) >/dev/null 2>&1 \ && xsi_shell=yes { $as_echo "$as_me:${as_lineno-$LINENO}: result: $xsi_shell" >&5 $as_echo "$xsi_shell" >&6; } { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the shell understands \"+=\"" >&5 $as_echo_n "checking whether the shell understands \"+=\"... " >&6; } lt_shell_append=no ( foo=bar; set foo baz; eval "$1+=\$2" && test "$foo" = barbaz ) \ >/dev/null 2>&1 \ && lt_shell_append=yes { $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_shell_append" >&5 $as_echo "$lt_shell_append" >&6; } if ( (MAIL=60; unset MAIL) || exit) >/dev/null 2>&1; then lt_unset=unset else lt_unset=false fi # test EBCDIC or ASCII case `echo X|tr X '\101'` in A) # ASCII based system # \n is not interpreted correctly by Solaris 8 /usr/ucb/tr lt_SP2NL='tr \040 \012' lt_NL2SP='tr \015\012 \040\040' ;; *) # EBCDIC based system lt_SP2NL='tr \100 \n' lt_NL2SP='tr \r\n \100\100' ;; esac { $as_echo "$as_me:${as_lineno-$LINENO}: checking how to convert $build file names to $host format" >&5 $as_echo_n "checking how to convert $build file names to $host format... " >&6; } if ${lt_cv_to_host_file_cmd+:} false; then : $as_echo_n "(cached) " >&6 else case $host in *-*-mingw* ) case $build in *-*-mingw* ) # actually msys lt_cv_to_host_file_cmd=func_convert_file_msys_to_w32 ;; *-*-cygwin* ) lt_cv_to_host_file_cmd=func_convert_file_cygwin_to_w32 ;; * ) # otherwise, assume *nix lt_cv_to_host_file_cmd=func_convert_file_nix_to_w32 ;; esac ;; *-*-cygwin* ) case $build in *-*-mingw* ) # actually msys lt_cv_to_host_file_cmd=func_convert_file_msys_to_cygwin ;; *-*-cygwin* ) lt_cv_to_host_file_cmd=func_convert_file_noop ;; * ) # otherwise, assume *nix lt_cv_to_host_file_cmd=func_convert_file_nix_to_cygwin ;; esac ;; * ) # unhandled hosts (and "normal" native builds) lt_cv_to_host_file_cmd=func_convert_file_noop ;; esac fi to_host_file_cmd=$lt_cv_to_host_file_cmd { $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_to_host_file_cmd" >&5 $as_echo "$lt_cv_to_host_file_cmd" >&6; } { $as_echo "$as_me:${as_lineno-$LINENO}: checking how to convert $build file names to toolchain format" >&5 $as_echo_n "checking how to convert $build file names to toolchain format... " >&6; } if ${lt_cv_to_tool_file_cmd+:} false; then : $as_echo_n "(cached) " >&6 else #assume ordinary cross tools, or native build. lt_cv_to_tool_file_cmd=func_convert_file_noop case $host in *-*-mingw* ) case $build in *-*-mingw* ) # actually msys lt_cv_to_tool_file_cmd=func_convert_file_msys_to_w32 ;; esac ;; esac fi to_tool_file_cmd=$lt_cv_to_tool_file_cmd { $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_to_tool_file_cmd" >&5 $as_echo "$lt_cv_to_tool_file_cmd" >&6; } { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $LD option to reload object files" >&5 $as_echo_n "checking for $LD option to reload object files... " >&6; } if ${lt_cv_ld_reload_flag+:} false; then : $as_echo_n "(cached) " >&6 else lt_cv_ld_reload_flag='-r' fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_ld_reload_flag" >&5 $as_echo "$lt_cv_ld_reload_flag" >&6; } reload_flag=$lt_cv_ld_reload_flag case $reload_flag in "" | " "*) ;; *) reload_flag=" $reload_flag" ;; esac reload_cmds='$LD$reload_flag -o $output$reload_objs' case $host_os in cygwin* | mingw* | pw32* | cegcc*) if test "$GCC" != yes; then reload_cmds=false fi ;; darwin*) if test "$GCC" = yes; then reload_cmds='$LTCC $LTCFLAGS -nostdlib ${wl}-r -o $output$reload_objs' else reload_cmds='$LD$reload_flag -o $output$reload_objs' fi ;; esac if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}objdump", so it can be a program name with args. set dummy ${ac_tool_prefix}objdump; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_OBJDUMP+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$OBJDUMP"; then ac_cv_prog_OBJDUMP="$OBJDUMP" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_OBJDUMP="${ac_tool_prefix}objdump" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi OBJDUMP=$ac_cv_prog_OBJDUMP if test -n "$OBJDUMP"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $OBJDUMP" >&5 $as_echo "$OBJDUMP" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi fi if test -z "$ac_cv_prog_OBJDUMP"; then ac_ct_OBJDUMP=$OBJDUMP # Extract the first word of "objdump", so it can be a program name with args. set dummy objdump; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_ac_ct_OBJDUMP+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$ac_ct_OBJDUMP"; then ac_cv_prog_ac_ct_OBJDUMP="$ac_ct_OBJDUMP" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_ac_ct_OBJDUMP="objdump" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi ac_ct_OBJDUMP=$ac_cv_prog_ac_ct_OBJDUMP if test -n "$ac_ct_OBJDUMP"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_OBJDUMP" >&5 $as_echo "$ac_ct_OBJDUMP" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi if test "x$ac_ct_OBJDUMP" = x; then OBJDUMP="false" else case $cross_compiling:$ac_tool_warned in yes:) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 $as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac OBJDUMP=$ac_ct_OBJDUMP fi else OBJDUMP="$ac_cv_prog_OBJDUMP" fi test -z "$OBJDUMP" && OBJDUMP=objdump { $as_echo "$as_me:${as_lineno-$LINENO}: checking how to recognize dependent libraries" >&5 $as_echo_n "checking how to recognize dependent libraries... " >&6; } if ${lt_cv_deplibs_check_method+:} false; then : $as_echo_n "(cached) " >&6 else lt_cv_file_magic_cmd='$MAGIC_CMD' lt_cv_file_magic_test_file= lt_cv_deplibs_check_method='unknown' # Need to set the preceding variable on all platforms that support # interlibrary dependencies. # 'none' -- dependencies not supported. # `unknown' -- same as none, but documents that we really don't know. # 'pass_all' -- all dependencies passed with no checks. # 'test_compile' -- check by making test program. # 'file_magic [[regex]]' -- check by looking for files in library path # which responds to the $file_magic_cmd with a given extended regex. # If you have `file' or equivalent on your system and you're not sure # whether `pass_all' will *always* work, you probably want this one. case $host_os in aix[4-9]*) lt_cv_deplibs_check_method=pass_all ;; beos*) lt_cv_deplibs_check_method=pass_all ;; bsdi[45]*) lt_cv_deplibs_check_method='file_magic ELF [0-9][0-9]*-bit [ML]SB (shared object|dynamic lib)' lt_cv_file_magic_cmd='/usr/bin/file -L' lt_cv_file_magic_test_file=/shlib/libc.so ;; cygwin*) # func_win32_libid is a shell function defined in ltmain.sh lt_cv_deplibs_check_method='file_magic ^x86 archive import|^x86 DLL' lt_cv_file_magic_cmd='func_win32_libid' ;; mingw* | pw32*) # Base MSYS/MinGW do not provide the 'file' command needed by # func_win32_libid shell function, so use a weaker test based on 'objdump', # unless we find 'file', for example because we are cross-compiling. # func_win32_libid assumes BSD nm, so disallow it if using MS dumpbin. if ( test "$lt_cv_nm_interface" = "BSD nm" && file / ) >/dev/null 2>&1; then lt_cv_deplibs_check_method='file_magic ^x86 archive import|^x86 DLL' lt_cv_file_magic_cmd='func_win32_libid' else # Keep this pattern in sync with the one in func_win32_libid. lt_cv_deplibs_check_method='file_magic file format (pei*-i386(.*architecture: i386)?|pe-arm-wince|pe-x86-64)' lt_cv_file_magic_cmd='$OBJDUMP -f' fi ;; cegcc*) # use the weaker test based on 'objdump'. See mingw*. lt_cv_deplibs_check_method='file_magic file format pe-arm-.*little(.*architecture: arm)?' lt_cv_file_magic_cmd='$OBJDUMP -f' ;; darwin* | rhapsody*) lt_cv_deplibs_check_method=pass_all ;; freebsd* | dragonfly*) if echo __ELF__ | $CC -E - | $GREP __ELF__ > /dev/null; then case $host_cpu in i*86 ) # Not sure whether the presence of OpenBSD here was a mistake. # Let's accept both of them until this is cleared up. lt_cv_deplibs_check_method='file_magic (FreeBSD|OpenBSD|DragonFly)/i[3-9]86 (compact )?demand paged shared library' lt_cv_file_magic_cmd=/usr/bin/file lt_cv_file_magic_test_file=`echo /usr/lib/libc.so.*` ;; esac else lt_cv_deplibs_check_method=pass_all fi ;; haiku*) lt_cv_deplibs_check_method=pass_all ;; hpux10.20* | hpux11*) lt_cv_file_magic_cmd=/usr/bin/file case $host_cpu in ia64*) lt_cv_deplibs_check_method='file_magic (s[0-9][0-9][0-9]|ELF-[0-9][0-9]) shared object file - IA64' lt_cv_file_magic_test_file=/usr/lib/hpux32/libc.so ;; hppa*64*) lt_cv_deplibs_check_method='file_magic (s[0-9][0-9][0-9]|ELF[ -][0-9][0-9])(-bit)?( [LM]SB)? shared object( file)?[, -]* PA-RISC [0-9]\.[0-9]' lt_cv_file_magic_test_file=/usr/lib/pa20_64/libc.sl ;; *) lt_cv_deplibs_check_method='file_magic (s[0-9][0-9][0-9]|PA-RISC[0-9]\.[0-9]) shared library' lt_cv_file_magic_test_file=/usr/lib/libc.sl ;; esac ;; interix[3-9]*) # PIC code is broken on Interix 3.x, that's why |\.a not |_pic\.a here lt_cv_deplibs_check_method='match_pattern /lib[^/]+(\.so|\.a)$' ;; irix5* | irix6* | nonstopux*) case $LD in *-32|*"-32 ") libmagic=32-bit;; *-n32|*"-n32 ") libmagic=N32;; *-64|*"-64 ") libmagic=64-bit;; *) libmagic=never-match;; esac lt_cv_deplibs_check_method=pass_all ;; # This must be glibc/ELF. linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*) lt_cv_deplibs_check_method=pass_all ;; netbsd* | netbsdelf*-gnu) if echo __ELF__ | $CC -E - | $GREP __ELF__ > /dev/null; then lt_cv_deplibs_check_method='match_pattern /lib[^/]+(\.so\.[0-9]+\.[0-9]+|_pic\.a)$' else lt_cv_deplibs_check_method='match_pattern /lib[^/]+(\.so|_pic\.a)$' fi ;; newos6*) lt_cv_deplibs_check_method='file_magic ELF [0-9][0-9]*-bit [ML]SB (executable|dynamic lib)' lt_cv_file_magic_cmd=/usr/bin/file lt_cv_file_magic_test_file=/usr/lib/libnls.so ;; *nto* | *qnx*) lt_cv_deplibs_check_method=pass_all ;; openbsd*) if test -z "`echo __ELF__ | $CC -E - | $GREP __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then lt_cv_deplibs_check_method='match_pattern /lib[^/]+(\.so\.[0-9]+\.[0-9]+|\.so|_pic\.a)$' else lt_cv_deplibs_check_method='match_pattern /lib[^/]+(\.so\.[0-9]+\.[0-9]+|_pic\.a)$' fi ;; osf3* | osf4* | osf5*) lt_cv_deplibs_check_method=pass_all ;; rdos*) lt_cv_deplibs_check_method=pass_all ;; solaris*) lt_cv_deplibs_check_method=pass_all ;; sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*) lt_cv_deplibs_check_method=pass_all ;; sysv4 | sysv4.3*) case $host_vendor in motorola) lt_cv_deplibs_check_method='file_magic ELF [0-9][0-9]*-bit [ML]SB (shared object|dynamic lib) M[0-9][0-9]* Version [0-9]' lt_cv_file_magic_test_file=`echo /usr/lib/libc.so*` ;; ncr) lt_cv_deplibs_check_method=pass_all ;; sequent) lt_cv_file_magic_cmd='/bin/file' lt_cv_deplibs_check_method='file_magic ELF [0-9][0-9]*-bit [LM]SB (shared object|dynamic lib )' ;; sni) lt_cv_file_magic_cmd='/bin/file' lt_cv_deplibs_check_method="file_magic ELF [0-9][0-9]*-bit [LM]SB dynamic lib" lt_cv_file_magic_test_file=/lib/libc.so ;; siemens) lt_cv_deplibs_check_method=pass_all ;; pc) lt_cv_deplibs_check_method=pass_all ;; esac ;; tpf*) lt_cv_deplibs_check_method=pass_all ;; esac fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_deplibs_check_method" >&5 $as_echo "$lt_cv_deplibs_check_method" >&6; } file_magic_glob= want_nocaseglob=no if test "$build" = "$host"; then case $host_os in mingw* | pw32*) if ( shopt | grep nocaseglob ) >/dev/null 2>&1; then want_nocaseglob=yes else file_magic_glob=`echo aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ | $SED -e "s/\(..\)/s\/[\1]\/[\1]\/g;/g"` fi ;; esac fi file_magic_cmd=$lt_cv_file_magic_cmd deplibs_check_method=$lt_cv_deplibs_check_method test -z "$deplibs_check_method" && deplibs_check_method=unknown if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}dlltool", so it can be a program name with args. set dummy ${ac_tool_prefix}dlltool; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_DLLTOOL+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$DLLTOOL"; then ac_cv_prog_DLLTOOL="$DLLTOOL" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_DLLTOOL="${ac_tool_prefix}dlltool" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi DLLTOOL=$ac_cv_prog_DLLTOOL if test -n "$DLLTOOL"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $DLLTOOL" >&5 $as_echo "$DLLTOOL" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi fi if test -z "$ac_cv_prog_DLLTOOL"; then ac_ct_DLLTOOL=$DLLTOOL # Extract the first word of "dlltool", so it can be a program name with args. set dummy dlltool; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_ac_ct_DLLTOOL+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$ac_ct_DLLTOOL"; then ac_cv_prog_ac_ct_DLLTOOL="$ac_ct_DLLTOOL" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_ac_ct_DLLTOOL="dlltool" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi ac_ct_DLLTOOL=$ac_cv_prog_ac_ct_DLLTOOL if test -n "$ac_ct_DLLTOOL"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_DLLTOOL" >&5 $as_echo "$ac_ct_DLLTOOL" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi if test "x$ac_ct_DLLTOOL" = x; then DLLTOOL="false" else case $cross_compiling:$ac_tool_warned in yes:) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 $as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac DLLTOOL=$ac_ct_DLLTOOL fi else DLLTOOL="$ac_cv_prog_DLLTOOL" fi test -z "$DLLTOOL" && DLLTOOL=dlltool { $as_echo "$as_me:${as_lineno-$LINENO}: checking how to associate runtime and link libraries" >&5 $as_echo_n "checking how to associate runtime and link libraries... " >&6; } if ${lt_cv_sharedlib_from_linklib_cmd+:} false; then : $as_echo_n "(cached) " >&6 else lt_cv_sharedlib_from_linklib_cmd='unknown' case $host_os in cygwin* | mingw* | pw32* | cegcc*) # two different shell functions defined in ltmain.sh # decide which to use based on capabilities of $DLLTOOL case `$DLLTOOL --help 2>&1` in *--identify-strict*) lt_cv_sharedlib_from_linklib_cmd=func_cygming_dll_for_implib ;; *) lt_cv_sharedlib_from_linklib_cmd=func_cygming_dll_for_implib_fallback ;; esac ;; *) # fallback: assume linklib IS sharedlib lt_cv_sharedlib_from_linklib_cmd="$ECHO" ;; esac fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_sharedlib_from_linklib_cmd" >&5 $as_echo "$lt_cv_sharedlib_from_linklib_cmd" >&6; } sharedlib_from_linklib_cmd=$lt_cv_sharedlib_from_linklib_cmd test -z "$sharedlib_from_linklib_cmd" && sharedlib_from_linklib_cmd=$ECHO if test -n "$ac_tool_prefix"; then for ac_prog in ar do # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args. set dummy $ac_tool_prefix$ac_prog; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_AR+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$AR"; then ac_cv_prog_AR="$AR" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_AR="$ac_tool_prefix$ac_prog" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi AR=$ac_cv_prog_AR if test -n "$AR"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $AR" >&5 $as_echo "$AR" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi test -n "$AR" && break done fi if test -z "$AR"; then ac_ct_AR=$AR for ac_prog in ar do # Extract the first word of "$ac_prog", so it can be a program name with args. set dummy $ac_prog; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_ac_ct_AR+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$ac_ct_AR"; then ac_cv_prog_ac_ct_AR="$ac_ct_AR" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_ac_ct_AR="$ac_prog" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi ac_ct_AR=$ac_cv_prog_ac_ct_AR if test -n "$ac_ct_AR"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_AR" >&5 $as_echo "$ac_ct_AR" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi test -n "$ac_ct_AR" && break done if test "x$ac_ct_AR" = x; then AR="false" else case $cross_compiling:$ac_tool_warned in yes:) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 $as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac AR=$ac_ct_AR fi fi : ${AR=ar} : ${AR_FLAGS=cru} { $as_echo "$as_me:${as_lineno-$LINENO}: checking for archiver @FILE support" >&5 $as_echo_n "checking for archiver @FILE support... " >&6; } if ${lt_cv_ar_at_file+:} false; then : $as_echo_n "(cached) " >&6 else lt_cv_ar_at_file=no cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main () { ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : echo conftest.$ac_objext > conftest.lst lt_ar_try='$AR $AR_FLAGS libconftest.a @conftest.lst >&5' { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$lt_ar_try\""; } >&5 (eval $lt_ar_try) 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; } if test "$ac_status" -eq 0; then # Ensure the archiver fails upon bogus file names. rm -f conftest.$ac_objext libconftest.a { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$lt_ar_try\""; } >&5 (eval $lt_ar_try) 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; } if test "$ac_status" -ne 0; then lt_cv_ar_at_file=@ fi fi rm -f conftest.* libconftest.a fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_ar_at_file" >&5 $as_echo "$lt_cv_ar_at_file" >&6; } if test "x$lt_cv_ar_at_file" = xno; then archiver_list_spec= else archiver_list_spec=$lt_cv_ar_at_file fi if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}strip", so it can be a program name with args. set dummy ${ac_tool_prefix}strip; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_STRIP+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$STRIP"; then ac_cv_prog_STRIP="$STRIP" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_STRIP="${ac_tool_prefix}strip" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi STRIP=$ac_cv_prog_STRIP if test -n "$STRIP"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $STRIP" >&5 $as_echo "$STRIP" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi fi if test -z "$ac_cv_prog_STRIP"; then ac_ct_STRIP=$STRIP # Extract the first word of "strip", so it can be a program name with args. set dummy strip; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_ac_ct_STRIP+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$ac_ct_STRIP"; then ac_cv_prog_ac_ct_STRIP="$ac_ct_STRIP" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_ac_ct_STRIP="strip" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi ac_ct_STRIP=$ac_cv_prog_ac_ct_STRIP if test -n "$ac_ct_STRIP"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_STRIP" >&5 $as_echo "$ac_ct_STRIP" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi if test "x$ac_ct_STRIP" = x; then STRIP=":" else case $cross_compiling:$ac_tool_warned in yes:) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 $as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac STRIP=$ac_ct_STRIP fi else STRIP="$ac_cv_prog_STRIP" fi test -z "$STRIP" && STRIP=: if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}ranlib", so it can be a program name with args. set dummy ${ac_tool_prefix}ranlib; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_RANLIB+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$RANLIB"; then ac_cv_prog_RANLIB="$RANLIB" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_RANLIB="${ac_tool_prefix}ranlib" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi RANLIB=$ac_cv_prog_RANLIB if test -n "$RANLIB"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $RANLIB" >&5 $as_echo "$RANLIB" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi fi if test -z "$ac_cv_prog_RANLIB"; then ac_ct_RANLIB=$RANLIB # Extract the first word of "ranlib", so it can be a program name with args. set dummy ranlib; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_ac_ct_RANLIB+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$ac_ct_RANLIB"; then ac_cv_prog_ac_ct_RANLIB="$ac_ct_RANLIB" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_ac_ct_RANLIB="ranlib" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi ac_ct_RANLIB=$ac_cv_prog_ac_ct_RANLIB if test -n "$ac_ct_RANLIB"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_RANLIB" >&5 $as_echo "$ac_ct_RANLIB" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi if test "x$ac_ct_RANLIB" = x; then RANLIB=":" else case $cross_compiling:$ac_tool_warned in yes:) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 $as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac RANLIB=$ac_ct_RANLIB fi else RANLIB="$ac_cv_prog_RANLIB" fi test -z "$RANLIB" && RANLIB=: # Determine commands to create old-style static archives. old_archive_cmds='$AR $AR_FLAGS $oldlib$oldobjs' old_postinstall_cmds='chmod 644 $oldlib' old_postuninstall_cmds= if test -n "$RANLIB"; then case $host_os in openbsd*) old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB -t \$tool_oldlib" ;; *) old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB \$tool_oldlib" ;; esac old_archive_cmds="$old_archive_cmds~\$RANLIB \$tool_oldlib" fi case $host_os in darwin*) lock_old_archive_extraction=yes ;; *) lock_old_archive_extraction=no ;; esac # If no C compiler was specified, use CC. LTCC=${LTCC-"$CC"} # If no C compiler flags were specified, use CFLAGS. LTCFLAGS=${LTCFLAGS-"$CFLAGS"} # Allow CC to be a program name with arguments. compiler=$CC # Check for command to grab the raw symbol name followed by C symbol from nm. { $as_echo "$as_me:${as_lineno-$LINENO}: checking command to parse $NM output from $compiler object" >&5 $as_echo_n "checking command to parse $NM output from $compiler object... " >&6; } if ${lt_cv_sys_global_symbol_pipe+:} false; then : $as_echo_n "(cached) " >&6 else # These are sane defaults that work on at least a few old systems. # [They come from Ultrix. What could be older than Ultrix?!! ;)] # Character class describing NM global symbol codes. symcode='[BCDEGRST]' # Regexp to match symbols that can be accessed directly from C. sympat='\([_A-Za-z][_A-Za-z0-9]*\)' # Define system-specific variables. case $host_os in aix*) symcode='[BCDT]' ;; cygwin* | mingw* | pw32* | cegcc*) symcode='[ABCDGISTW]' ;; hpux*) if test "$host_cpu" = ia64; then symcode='[ABCDEGRST]' fi ;; irix* | nonstopux*) symcode='[BCDEGRST]' ;; osf*) symcode='[BCDEGQRST]' ;; solaris*) symcode='[BDRT]' ;; sco3.2v5*) symcode='[DT]' ;; sysv4.2uw2*) symcode='[DT]' ;; sysv5* | sco5v6* | unixware* | OpenUNIX*) symcode='[ABDT]' ;; sysv4) symcode='[DFNSTU]' ;; esac # If we're using GNU nm, then use its standard symbol codes. case `$NM -V 2>&1` in *GNU* | *'with BFD'*) symcode='[ABCDGIRSTW]' ;; esac # Transform an extracted symbol line into a proper C declaration. # Some systems (esp. on ia64) link data and code symbols differently, # so use this general approach. lt_cv_sys_global_symbol_to_cdecl="sed -n -e 's/^T .* \(.*\)$/extern int \1();/p' -e 's/^$symcode* .* \(.*\)$/extern char \1;/p'" # Transform an extracted symbol line into symbol name and symbol address lt_cv_sys_global_symbol_to_c_name_address="sed -n -e 's/^: \([^ ]*\)[ ]*$/ {\\\"\1\\\", (void *) 0},/p' -e 's/^$symcode* \([^ ]*\) \([^ ]*\)$/ {\"\2\", (void *) \&\2},/p'" lt_cv_sys_global_symbol_to_c_name_address_lib_prefix="sed -n -e 's/^: \([^ ]*\)[ ]*$/ {\\\"\1\\\", (void *) 0},/p' -e 's/^$symcode* \([^ ]*\) \(lib[^ ]*\)$/ {\"\2\", (void *) \&\2},/p' -e 's/^$symcode* \([^ ]*\) \([^ ]*\)$/ {\"lib\2\", (void *) \&\2},/p'" # Handle CRLF in mingw tool chain opt_cr= case $build_os in mingw*) opt_cr=`$ECHO 'x\{0,1\}' | tr x '\015'` # option cr in regexp ;; esac # Try without a prefix underscore, then with it. for ac_symprfx in "" "_"; do # Transform symcode, sympat, and symprfx into a raw symbol and a C symbol. symxfrm="\\1 $ac_symprfx\\2 \\2" # Write the raw and C identifiers. if test "$lt_cv_nm_interface" = "MS dumpbin"; then # Fake it for dumpbin and say T for any non-static function # and D for any global variable. # Also find C++ and __fastcall symbols from MSVC++, # which start with @ or ?. lt_cv_sys_global_symbol_pipe="$AWK '"\ " {last_section=section; section=\$ 3};"\ " /^COFF SYMBOL TABLE/{for(i in hide) delete hide[i]};"\ " /Section length .*#relocs.*(pick any)/{hide[last_section]=1};"\ " \$ 0!~/External *\|/{next};"\ " / 0+ UNDEF /{next}; / UNDEF \([^|]\)*()/{next};"\ " {if(hide[section]) next};"\ " {f=0}; \$ 0~/\(\).*\|/{f=1}; {printf f ? \"T \" : \"D \"};"\ " {split(\$ 0, a, /\||\r/); split(a[2], s)};"\ " s[1]~/^[@?]/{print s[1], s[1]; next};"\ " s[1]~prfx {split(s[1],t,\"@\"); print t[1], substr(t[1],length(prfx))}"\ " ' prfx=^$ac_symprfx" else lt_cv_sys_global_symbol_pipe="sed -n -e 's/^.*[ ]\($symcode$symcode*\)[ ][ ]*$ac_symprfx$sympat$opt_cr$/$symxfrm/p'" fi lt_cv_sys_global_symbol_pipe="$lt_cv_sys_global_symbol_pipe | sed '/ __gnu_lto/d'" # Check to see that the pipe works correctly. pipe_works=no rm -f conftest* cat > conftest.$ac_ext <<_LT_EOF #ifdef __cplusplus extern "C" { #endif char nm_test_var; void nm_test_func(void); void nm_test_func(void){} #ifdef __cplusplus } #endif int main(){nm_test_var='a';nm_test_func();return(0);} _LT_EOF if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5 (eval $ac_compile) 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; then # Now try to grab the symbols. nlist=conftest.nm if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$NM conftest.$ac_objext \| "$lt_cv_sys_global_symbol_pipe" \> $nlist\""; } >&5 (eval $NM conftest.$ac_objext \| "$lt_cv_sys_global_symbol_pipe" \> $nlist) 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; } && test -s "$nlist"; then # Try sorting and uniquifying the output. if sort "$nlist" | uniq > "$nlist"T; then mv -f "$nlist"T "$nlist" else rm -f "$nlist"T fi # Make sure that we snagged all the symbols we need. if $GREP ' nm_test_var$' "$nlist" >/dev/null; then if $GREP ' nm_test_func$' "$nlist" >/dev/null; then cat <<_LT_EOF > conftest.$ac_ext /* Keep this code in sync between libtool.m4, ltmain, lt_system.h, and tests. */ #if defined(_WIN32) || defined(__CYGWIN__) || defined(_WIN32_WCE) /* DATA imports from DLLs on WIN32 con't be const, because runtime relocations are performed -- see ld's documentation on pseudo-relocs. */ # define LT_DLSYM_CONST #elif defined(__osf__) /* This system does not cope well with relocations in const data. */ # define LT_DLSYM_CONST #else # define LT_DLSYM_CONST const #endif #ifdef __cplusplus extern "C" { #endif _LT_EOF # Now generate the symbol file. eval "$lt_cv_sys_global_symbol_to_cdecl"' < "$nlist" | $GREP -v main >> conftest.$ac_ext' cat <<_LT_EOF >> conftest.$ac_ext /* The mapping between symbol names and symbols. */ LT_DLSYM_CONST struct { const char *name; void *address; } lt__PROGRAM__LTX_preloaded_symbols[] = { { "@PROGRAM@", (void *) 0 }, _LT_EOF $SED "s/^$symcode$symcode* \(.*\) \(.*\)$/ {\"\2\", (void *) \&\2},/" < "$nlist" | $GREP -v main >> conftest.$ac_ext cat <<\_LT_EOF >> conftest.$ac_ext {0, (void *) 0} }; /* This works around a problem in FreeBSD linker */ #ifdef FREEBSD_WORKAROUND static const void *lt_preloaded_setup() { return lt__PROGRAM__LTX_preloaded_symbols; } #endif #ifdef __cplusplus } #endif _LT_EOF # Now try linking the two files. mv conftest.$ac_objext conftstm.$ac_objext lt_globsym_save_LIBS=$LIBS lt_globsym_save_CFLAGS=$CFLAGS LIBS="conftstm.$ac_objext" CFLAGS="$CFLAGS$lt_prog_compiler_no_builtin_flag" if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_link\""; } >&5 (eval $ac_link) 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; } && test -s conftest${ac_exeext}; then pipe_works=yes fi LIBS=$lt_globsym_save_LIBS CFLAGS=$lt_globsym_save_CFLAGS else echo "cannot find nm_test_func in $nlist" >&5 fi else echo "cannot find nm_test_var in $nlist" >&5 fi else echo "cannot run $lt_cv_sys_global_symbol_pipe" >&5 fi else echo "$progname: failed program was:" >&5 cat conftest.$ac_ext >&5 fi rm -rf conftest* conftst* # Do not use the global_symbol_pipe unless it works. if test "$pipe_works" = yes; then break else lt_cv_sys_global_symbol_pipe= fi done fi if test -z "$lt_cv_sys_global_symbol_pipe"; then lt_cv_sys_global_symbol_to_cdecl= fi if test -z "$lt_cv_sys_global_symbol_pipe$lt_cv_sys_global_symbol_to_cdecl"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: failed" >&5 $as_echo "failed" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: ok" >&5 $as_echo "ok" >&6; } fi # Response file support. if test "$lt_cv_nm_interface" = "MS dumpbin"; then nm_file_list_spec='@' elif $NM --help 2>/dev/null | grep '[@]FILE' >/dev/null; then nm_file_list_spec='@' fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking for sysroot" >&5 $as_echo_n "checking for sysroot... " >&6; } # Check whether --with-sysroot was given. if test "${with_sysroot+set}" = set; then : withval=$with_sysroot; else with_sysroot=no fi lt_sysroot= case ${with_sysroot} in #( yes) if test "$GCC" = yes; then lt_sysroot=`$CC --print-sysroot 2>/dev/null` fi ;; #( /*) lt_sysroot=`echo "$with_sysroot" | sed -e "$sed_quote_subst"` ;; #( no|'') ;; #( *) { $as_echo "$as_me:${as_lineno-$LINENO}: result: ${with_sysroot}" >&5 $as_echo "${with_sysroot}" >&6; } as_fn_error $? "The sysroot must be an absolute path." "$LINENO" 5 ;; esac { $as_echo "$as_me:${as_lineno-$LINENO}: result: ${lt_sysroot:-no}" >&5 $as_echo "${lt_sysroot:-no}" >&6; } # Check whether --enable-libtool-lock was given. if test "${enable_libtool_lock+set}" = set; then : enableval=$enable_libtool_lock; fi test "x$enable_libtool_lock" != xno && enable_libtool_lock=yes # Some flags need to be propagated to the compiler or linker for good # libtool support. case $host in ia64-*-hpux*) # Find out which ABI we are using. echo 'int i;' > conftest.$ac_ext if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5 (eval $ac_compile) 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; then case `/usr/bin/file conftest.$ac_objext` in *ELF-32*) HPUX_IA64_MODE="32" ;; *ELF-64*) HPUX_IA64_MODE="64" ;; esac fi rm -rf conftest* ;; *-*-irix6*) # Find out which ABI we are using. echo '#line '$LINENO' "configure"' > conftest.$ac_ext if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5 (eval $ac_compile) 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; then if test "$lt_cv_prog_gnu_ld" = yes; then case `/usr/bin/file conftest.$ac_objext` in *32-bit*) LD="${LD-ld} -melf32bsmip" ;; *N32*) LD="${LD-ld} -melf32bmipn32" ;; *64-bit*) LD="${LD-ld} -melf64bmip" ;; esac else case `/usr/bin/file conftest.$ac_objext` in *32-bit*) LD="${LD-ld} -32" ;; *N32*) LD="${LD-ld} -n32" ;; *64-bit*) LD="${LD-ld} -64" ;; esac fi fi rm -rf conftest* ;; x86_64-*kfreebsd*-gnu|x86_64-*linux*|powerpc*-*linux*| \ s390*-*linux*|s390*-*tpf*|sparc*-*linux*) # Find out which ABI we are using. echo 'int i;' > conftest.$ac_ext if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5 (eval $ac_compile) 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; then case `/usr/bin/file conftest.o` in *32-bit*) case $host in x86_64-*kfreebsd*-gnu) LD="${LD-ld} -m elf_i386_fbsd" ;; x86_64-*linux*) case `/usr/bin/file conftest.o` in *x86-64*) LD="${LD-ld} -m elf32_x86_64" ;; *) LD="${LD-ld} -m elf_i386" ;; esac ;; powerpc64le-*) LD="${LD-ld} -m elf32lppclinux" ;; powerpc64-*) LD="${LD-ld} -m elf32ppclinux" ;; s390x-*linux*) LD="${LD-ld} -m elf_s390" ;; sparc64-*linux*) LD="${LD-ld} -m elf32_sparc" ;; esac ;; *64-bit*) case $host in x86_64-*kfreebsd*-gnu) LD="${LD-ld} -m elf_x86_64_fbsd" ;; x86_64-*linux*) LD="${LD-ld} -m elf_x86_64" ;; powerpcle-*) LD="${LD-ld} -m elf64lppc" ;; powerpc-*) LD="${LD-ld} -m elf64ppc" ;; s390*-*linux*|s390*-*tpf*) LD="${LD-ld} -m elf64_s390" ;; sparc*-*linux*) LD="${LD-ld} -m elf64_sparc" ;; esac ;; esac fi rm -rf conftest* ;; *-*-sco3.2v5*) # On SCO OpenServer 5, we need -belf to get full-featured binaries. SAVE_CFLAGS="$CFLAGS" CFLAGS="$CFLAGS -belf" { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the C compiler needs -belf" >&5 $as_echo_n "checking whether the C compiler needs -belf... " >&6; } if ${lt_cv_cc_needs_belf+:} false; then : $as_echo_n "(cached) " >&6 else ac_ext=c ac_cpp='$CPP $CPPFLAGS' ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_c_compiler_gnu cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main () { ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO"; then : lt_cv_cc_needs_belf=yes else lt_cv_cc_needs_belf=no fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext ac_ext=c ac_cpp='$CPP $CPPFLAGS' ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_c_compiler_gnu fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_cc_needs_belf" >&5 $as_echo "$lt_cv_cc_needs_belf" >&6; } if test x"$lt_cv_cc_needs_belf" != x"yes"; then # this is probably gcc 2.8.0, egcs 1.0 or newer; no need for -belf CFLAGS="$SAVE_CFLAGS" fi ;; *-*solaris*) # Find out which ABI we are using. echo 'int i;' > conftest.$ac_ext if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5 (eval $ac_compile) 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; then case `/usr/bin/file conftest.o` in *64-bit*) case $lt_cv_prog_gnu_ld in yes*) case $host in i?86-*-solaris*) LD="${LD-ld} -m elf_x86_64" ;; sparc*-*-solaris*) LD="${LD-ld} -m elf64_sparc" ;; esac # GNU ld 2.21 introduced _sol2 emulations. Use them if available. if ${LD-ld} -V | grep _sol2 >/dev/null 2>&1; then LD="${LD-ld}_sol2" fi ;; *) if ${LD-ld} -64 -r -o conftest2.o conftest.o >/dev/null 2>&1; then LD="${LD-ld} -64" fi ;; esac ;; esac fi rm -rf conftest* ;; esac need_locks="$enable_libtool_lock" if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}mt", so it can be a program name with args. set dummy ${ac_tool_prefix}mt; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_MANIFEST_TOOL+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$MANIFEST_TOOL"; then ac_cv_prog_MANIFEST_TOOL="$MANIFEST_TOOL" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_MANIFEST_TOOL="${ac_tool_prefix}mt" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi MANIFEST_TOOL=$ac_cv_prog_MANIFEST_TOOL if test -n "$MANIFEST_TOOL"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $MANIFEST_TOOL" >&5 $as_echo "$MANIFEST_TOOL" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi fi if test -z "$ac_cv_prog_MANIFEST_TOOL"; then ac_ct_MANIFEST_TOOL=$MANIFEST_TOOL # Extract the first word of "mt", so it can be a program name with args. set dummy mt; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_ac_ct_MANIFEST_TOOL+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$ac_ct_MANIFEST_TOOL"; then ac_cv_prog_ac_ct_MANIFEST_TOOL="$ac_ct_MANIFEST_TOOL" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_ac_ct_MANIFEST_TOOL="mt" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi ac_ct_MANIFEST_TOOL=$ac_cv_prog_ac_ct_MANIFEST_TOOL if test -n "$ac_ct_MANIFEST_TOOL"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_MANIFEST_TOOL" >&5 $as_echo "$ac_ct_MANIFEST_TOOL" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi if test "x$ac_ct_MANIFEST_TOOL" = x; then MANIFEST_TOOL=":" else case $cross_compiling:$ac_tool_warned in yes:) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 $as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac MANIFEST_TOOL=$ac_ct_MANIFEST_TOOL fi else MANIFEST_TOOL="$ac_cv_prog_MANIFEST_TOOL" fi test -z "$MANIFEST_TOOL" && MANIFEST_TOOL=mt { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $MANIFEST_TOOL is a manifest tool" >&5 $as_echo_n "checking if $MANIFEST_TOOL is a manifest tool... " >&6; } if ${lt_cv_path_mainfest_tool+:} false; then : $as_echo_n "(cached) " >&6 else lt_cv_path_mainfest_tool=no echo "$as_me:$LINENO: $MANIFEST_TOOL '-?'" >&5 $MANIFEST_TOOL '-?' 2>conftest.err > conftest.out cat conftest.err >&5 if $GREP 'Manifest Tool' conftest.out > /dev/null; then lt_cv_path_mainfest_tool=yes fi rm -f conftest* fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_path_mainfest_tool" >&5 $as_echo "$lt_cv_path_mainfest_tool" >&6; } if test "x$lt_cv_path_mainfest_tool" != xyes; then MANIFEST_TOOL=: fi case $host_os in rhapsody* | darwin*) if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}dsymutil", so it can be a program name with args. set dummy ${ac_tool_prefix}dsymutil; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_DSYMUTIL+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$DSYMUTIL"; then ac_cv_prog_DSYMUTIL="$DSYMUTIL" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_DSYMUTIL="${ac_tool_prefix}dsymutil" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi DSYMUTIL=$ac_cv_prog_DSYMUTIL if test -n "$DSYMUTIL"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $DSYMUTIL" >&5 $as_echo "$DSYMUTIL" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi fi if test -z "$ac_cv_prog_DSYMUTIL"; then ac_ct_DSYMUTIL=$DSYMUTIL # Extract the first word of "dsymutil", so it can be a program name with args. set dummy dsymutil; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_ac_ct_DSYMUTIL+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$ac_ct_DSYMUTIL"; then ac_cv_prog_ac_ct_DSYMUTIL="$ac_ct_DSYMUTIL" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_ac_ct_DSYMUTIL="dsymutil" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi ac_ct_DSYMUTIL=$ac_cv_prog_ac_ct_DSYMUTIL if test -n "$ac_ct_DSYMUTIL"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_DSYMUTIL" >&5 $as_echo "$ac_ct_DSYMUTIL" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi if test "x$ac_ct_DSYMUTIL" = x; then DSYMUTIL=":" else case $cross_compiling:$ac_tool_warned in yes:) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 $as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac DSYMUTIL=$ac_ct_DSYMUTIL fi else DSYMUTIL="$ac_cv_prog_DSYMUTIL" fi if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}nmedit", so it can be a program name with args. set dummy ${ac_tool_prefix}nmedit; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_NMEDIT+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$NMEDIT"; then ac_cv_prog_NMEDIT="$NMEDIT" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_NMEDIT="${ac_tool_prefix}nmedit" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi NMEDIT=$ac_cv_prog_NMEDIT if test -n "$NMEDIT"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $NMEDIT" >&5 $as_echo "$NMEDIT" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi fi if test -z "$ac_cv_prog_NMEDIT"; then ac_ct_NMEDIT=$NMEDIT # Extract the first word of "nmedit", so it can be a program name with args. set dummy nmedit; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_ac_ct_NMEDIT+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$ac_ct_NMEDIT"; then ac_cv_prog_ac_ct_NMEDIT="$ac_ct_NMEDIT" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_ac_ct_NMEDIT="nmedit" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi ac_ct_NMEDIT=$ac_cv_prog_ac_ct_NMEDIT if test -n "$ac_ct_NMEDIT"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_NMEDIT" >&5 $as_echo "$ac_ct_NMEDIT" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi if test "x$ac_ct_NMEDIT" = x; then NMEDIT=":" else case $cross_compiling:$ac_tool_warned in yes:) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 $as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac NMEDIT=$ac_ct_NMEDIT fi else NMEDIT="$ac_cv_prog_NMEDIT" fi if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}lipo", so it can be a program name with args. set dummy ${ac_tool_prefix}lipo; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_LIPO+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$LIPO"; then ac_cv_prog_LIPO="$LIPO" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_LIPO="${ac_tool_prefix}lipo" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi LIPO=$ac_cv_prog_LIPO if test -n "$LIPO"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $LIPO" >&5 $as_echo "$LIPO" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi fi if test -z "$ac_cv_prog_LIPO"; then ac_ct_LIPO=$LIPO # Extract the first word of "lipo", so it can be a program name with args. set dummy lipo; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_ac_ct_LIPO+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$ac_ct_LIPO"; then ac_cv_prog_ac_ct_LIPO="$ac_ct_LIPO" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_ac_ct_LIPO="lipo" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi ac_ct_LIPO=$ac_cv_prog_ac_ct_LIPO if test -n "$ac_ct_LIPO"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_LIPO" >&5 $as_echo "$ac_ct_LIPO" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi if test "x$ac_ct_LIPO" = x; then LIPO=":" else case $cross_compiling:$ac_tool_warned in yes:) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 $as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac LIPO=$ac_ct_LIPO fi else LIPO="$ac_cv_prog_LIPO" fi if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}otool", so it can be a program name with args. set dummy ${ac_tool_prefix}otool; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_OTOOL+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$OTOOL"; then ac_cv_prog_OTOOL="$OTOOL" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_OTOOL="${ac_tool_prefix}otool" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi OTOOL=$ac_cv_prog_OTOOL if test -n "$OTOOL"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $OTOOL" >&5 $as_echo "$OTOOL" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi fi if test -z "$ac_cv_prog_OTOOL"; then ac_ct_OTOOL=$OTOOL # Extract the first word of "otool", so it can be a program name with args. set dummy otool; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_ac_ct_OTOOL+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$ac_ct_OTOOL"; then ac_cv_prog_ac_ct_OTOOL="$ac_ct_OTOOL" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_ac_ct_OTOOL="otool" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi ac_ct_OTOOL=$ac_cv_prog_ac_ct_OTOOL if test -n "$ac_ct_OTOOL"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_OTOOL" >&5 $as_echo "$ac_ct_OTOOL" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi if test "x$ac_ct_OTOOL" = x; then OTOOL=":" else case $cross_compiling:$ac_tool_warned in yes:) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 $as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac OTOOL=$ac_ct_OTOOL fi else OTOOL="$ac_cv_prog_OTOOL" fi if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}otool64", so it can be a program name with args. set dummy ${ac_tool_prefix}otool64; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_OTOOL64+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$OTOOL64"; then ac_cv_prog_OTOOL64="$OTOOL64" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_OTOOL64="${ac_tool_prefix}otool64" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi OTOOL64=$ac_cv_prog_OTOOL64 if test -n "$OTOOL64"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $OTOOL64" >&5 $as_echo "$OTOOL64" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi fi if test -z "$ac_cv_prog_OTOOL64"; then ac_ct_OTOOL64=$OTOOL64 # Extract the first word of "otool64", so it can be a program name with args. set dummy otool64; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_ac_ct_OTOOL64+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$ac_ct_OTOOL64"; then ac_cv_prog_ac_ct_OTOOL64="$ac_ct_OTOOL64" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_ac_ct_OTOOL64="otool64" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi ac_ct_OTOOL64=$ac_cv_prog_ac_ct_OTOOL64 if test -n "$ac_ct_OTOOL64"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_OTOOL64" >&5 $as_echo "$ac_ct_OTOOL64" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi if test "x$ac_ct_OTOOL64" = x; then OTOOL64=":" else case $cross_compiling:$ac_tool_warned in yes:) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 $as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac OTOOL64=$ac_ct_OTOOL64 fi else OTOOL64="$ac_cv_prog_OTOOL64" fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking for -single_module linker flag" >&5 $as_echo_n "checking for -single_module linker flag... " >&6; } if ${lt_cv_apple_cc_single_mod+:} false; then : $as_echo_n "(cached) " >&6 else lt_cv_apple_cc_single_mod=no if test -z "${LT_MULTI_MODULE}"; then # By default we will add the -single_module flag. You can override # by either setting the environment variable LT_MULTI_MODULE # non-empty at configure time, or by adding -multi_module to the # link flags. rm -rf libconftest.dylib* echo "int foo(void){return 1;}" > conftest.c echo "$LTCC $LTCFLAGS $LDFLAGS -o libconftest.dylib \ -dynamiclib -Wl,-single_module conftest.c" >&5 $LTCC $LTCFLAGS $LDFLAGS -o libconftest.dylib \ -dynamiclib -Wl,-single_module conftest.c 2>conftest.err _lt_result=$? # If there is a non-empty error log, and "single_module" # appears in it, assume the flag caused a linker warning if test -s conftest.err && $GREP single_module conftest.err; then cat conftest.err >&5 # Otherwise, if the output was created with a 0 exit code from # the compiler, it worked. elif test -f libconftest.dylib && test $_lt_result -eq 0; then lt_cv_apple_cc_single_mod=yes else cat conftest.err >&5 fi rm -rf libconftest.dylib* rm -f conftest.* fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_apple_cc_single_mod" >&5 $as_echo "$lt_cv_apple_cc_single_mod" >&6; } { $as_echo "$as_me:${as_lineno-$LINENO}: checking for -exported_symbols_list linker flag" >&5 $as_echo_n "checking for -exported_symbols_list linker flag... " >&6; } if ${lt_cv_ld_exported_symbols_list+:} false; then : $as_echo_n "(cached) " >&6 else lt_cv_ld_exported_symbols_list=no save_LDFLAGS=$LDFLAGS echo "_main" > conftest.sym LDFLAGS="$LDFLAGS -Wl,-exported_symbols_list,conftest.sym" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main () { ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO"; then : lt_cv_ld_exported_symbols_list=yes else lt_cv_ld_exported_symbols_list=no fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext LDFLAGS="$save_LDFLAGS" fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_ld_exported_symbols_list" >&5 $as_echo "$lt_cv_ld_exported_symbols_list" >&6; } { $as_echo "$as_me:${as_lineno-$LINENO}: checking for -force_load linker flag" >&5 $as_echo_n "checking for -force_load linker flag... " >&6; } if ${lt_cv_ld_force_load+:} false; then : $as_echo_n "(cached) " >&6 else lt_cv_ld_force_load=no cat > conftest.c << _LT_EOF int forced_loaded() { return 2;} _LT_EOF echo "$LTCC $LTCFLAGS -c -o conftest.o conftest.c" >&5 $LTCC $LTCFLAGS -c -o conftest.o conftest.c 2>&5 echo "$AR cru libconftest.a conftest.o" >&5 $AR cru libconftest.a conftest.o 2>&5 echo "$RANLIB libconftest.a" >&5 $RANLIB libconftest.a 2>&5 cat > conftest.c << _LT_EOF int main() { return 0;} _LT_EOF echo "$LTCC $LTCFLAGS $LDFLAGS -o conftest conftest.c -Wl,-force_load,./libconftest.a" >&5 $LTCC $LTCFLAGS $LDFLAGS -o conftest conftest.c -Wl,-force_load,./libconftest.a 2>conftest.err _lt_result=$? if test -s conftest.err && $GREP force_load conftest.err; then cat conftest.err >&5 elif test -f conftest && test $_lt_result -eq 0 && $GREP forced_load conftest >/dev/null 2>&1 ; then lt_cv_ld_force_load=yes else cat conftest.err >&5 fi rm -f conftest.err libconftest.a conftest conftest.c rm -rf conftest.dSYM fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_ld_force_load" >&5 $as_echo "$lt_cv_ld_force_load" >&6; } case $host_os in rhapsody* | darwin1.[012]) _lt_dar_allow_undefined='${wl}-undefined ${wl}suppress' ;; darwin1.*) _lt_dar_allow_undefined='${wl}-flat_namespace ${wl}-undefined ${wl}suppress' ;; darwin*) # darwin 5.x on # if running on 10.5 or later, the deployment target defaults # to the OS version, if on x86, and 10.4, the deployment # target defaults to 10.4. Don't you love it? case ${MACOSX_DEPLOYMENT_TARGET-10.0},$host in 10.0,*86*-darwin8*|10.0,*-darwin[91]*) _lt_dar_allow_undefined='${wl}-undefined ${wl}dynamic_lookup' ;; 10.[012]*) _lt_dar_allow_undefined='${wl}-flat_namespace ${wl}-undefined ${wl}suppress' ;; 10.*) _lt_dar_allow_undefined='${wl}-undefined ${wl}dynamic_lookup' ;; esac ;; esac if test "$lt_cv_apple_cc_single_mod" = "yes"; then _lt_dar_single_mod='$single_module' fi if test "$lt_cv_ld_exported_symbols_list" = "yes"; then _lt_dar_export_syms=' ${wl}-exported_symbols_list,$output_objdir/${libname}-symbols.expsym' else _lt_dar_export_syms='~$NMEDIT -s $output_objdir/${libname}-symbols.expsym ${lib}' fi if test "$DSYMUTIL" != ":" && test "$lt_cv_ld_force_load" = "no"; then _lt_dsymutil='~$DSYMUTIL $lib || :' else _lt_dsymutil= fi ;; esac for ac_header in dlfcn.h do : ac_fn_c_check_header_compile "$LINENO" "dlfcn.h" "ac_cv_header_dlfcn_h" "$ac_includes_default " if test "x$ac_cv_header_dlfcn_h" = xyes; then : cat >>confdefs.h <<_ACEOF #define HAVE_DLFCN_H 1 _ACEOF fi done # Set options enable_win32_dll=yes case $host in *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-cegcc*) if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}as", so it can be a program name with args. set dummy ${ac_tool_prefix}as; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_AS+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$AS"; then ac_cv_prog_AS="$AS" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_AS="${ac_tool_prefix}as" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi AS=$ac_cv_prog_AS if test -n "$AS"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $AS" >&5 $as_echo "$AS" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi fi if test -z "$ac_cv_prog_AS"; then ac_ct_AS=$AS # Extract the first word of "as", so it can be a program name with args. set dummy as; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_ac_ct_AS+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$ac_ct_AS"; then ac_cv_prog_ac_ct_AS="$ac_ct_AS" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_ac_ct_AS="as" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi ac_ct_AS=$ac_cv_prog_ac_ct_AS if test -n "$ac_ct_AS"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_AS" >&5 $as_echo "$ac_ct_AS" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi if test "x$ac_ct_AS" = x; then AS="false" else case $cross_compiling:$ac_tool_warned in yes:) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 $as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac AS=$ac_ct_AS fi else AS="$ac_cv_prog_AS" fi if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}dlltool", so it can be a program name with args. set dummy ${ac_tool_prefix}dlltool; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_DLLTOOL+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$DLLTOOL"; then ac_cv_prog_DLLTOOL="$DLLTOOL" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_DLLTOOL="${ac_tool_prefix}dlltool" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi DLLTOOL=$ac_cv_prog_DLLTOOL if test -n "$DLLTOOL"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $DLLTOOL" >&5 $as_echo "$DLLTOOL" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi fi if test -z "$ac_cv_prog_DLLTOOL"; then ac_ct_DLLTOOL=$DLLTOOL # Extract the first word of "dlltool", so it can be a program name with args. set dummy dlltool; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_ac_ct_DLLTOOL+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$ac_ct_DLLTOOL"; then ac_cv_prog_ac_ct_DLLTOOL="$ac_ct_DLLTOOL" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_ac_ct_DLLTOOL="dlltool" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi ac_ct_DLLTOOL=$ac_cv_prog_ac_ct_DLLTOOL if test -n "$ac_ct_DLLTOOL"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_DLLTOOL" >&5 $as_echo "$ac_ct_DLLTOOL" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi if test "x$ac_ct_DLLTOOL" = x; then DLLTOOL="false" else case $cross_compiling:$ac_tool_warned in yes:) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 $as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac DLLTOOL=$ac_ct_DLLTOOL fi else DLLTOOL="$ac_cv_prog_DLLTOOL" fi if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}objdump", so it can be a program name with args. set dummy ${ac_tool_prefix}objdump; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_OBJDUMP+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$OBJDUMP"; then ac_cv_prog_OBJDUMP="$OBJDUMP" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_OBJDUMP="${ac_tool_prefix}objdump" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi OBJDUMP=$ac_cv_prog_OBJDUMP if test -n "$OBJDUMP"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $OBJDUMP" >&5 $as_echo "$OBJDUMP" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi fi if test -z "$ac_cv_prog_OBJDUMP"; then ac_ct_OBJDUMP=$OBJDUMP # Extract the first word of "objdump", so it can be a program name with args. set dummy objdump; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_ac_ct_OBJDUMP+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$ac_ct_OBJDUMP"; then ac_cv_prog_ac_ct_OBJDUMP="$ac_ct_OBJDUMP" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_ac_ct_OBJDUMP="objdump" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi ac_ct_OBJDUMP=$ac_cv_prog_ac_ct_OBJDUMP if test -n "$ac_ct_OBJDUMP"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_OBJDUMP" >&5 $as_echo "$ac_ct_OBJDUMP" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi if test "x$ac_ct_OBJDUMP" = x; then OBJDUMP="false" else case $cross_compiling:$ac_tool_warned in yes:) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 $as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac OBJDUMP=$ac_ct_OBJDUMP fi else OBJDUMP="$ac_cv_prog_OBJDUMP" fi ;; esac test -z "$AS" && AS=as test -z "$DLLTOOL" && DLLTOOL=dlltool test -z "$OBJDUMP" && OBJDUMP=objdump enable_dlopen=no # Check whether --enable-shared was given. if test "${enable_shared+set}" = set; then : enableval=$enable_shared; p=${PACKAGE-default} case $enableval in yes) enable_shared=yes ;; no) enable_shared=no ;; *) enable_shared=no # Look at the argument we got. We use all the common list separators. lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR," for pkg in $enableval; do IFS="$lt_save_ifs" if test "X$pkg" = "X$p"; then enable_shared=yes fi done IFS="$lt_save_ifs" ;; esac else enable_shared=yes fi # Check whether --enable-static was given. if test "${enable_static+set}" = set; then : enableval=$enable_static; p=${PACKAGE-default} case $enableval in yes) enable_static=yes ;; no) enable_static=no ;; *) enable_static=no # Look at the argument we got. We use all the common list separators. lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR," for pkg in $enableval; do IFS="$lt_save_ifs" if test "X$pkg" = "X$p"; then enable_static=yes fi done IFS="$lt_save_ifs" ;; esac else enable_static=yes fi # Check whether --with-pic was given. if test "${with_pic+set}" = set; then : withval=$with_pic; lt_p=${PACKAGE-default} case $withval in yes|no) pic_mode=$withval ;; *) pic_mode=default # Look at the argument we got. We use all the common list separators. lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR," for lt_pkg in $withval; do IFS="$lt_save_ifs" if test "X$lt_pkg" = "X$lt_p"; then pic_mode=yes fi done IFS="$lt_save_ifs" ;; esac else pic_mode=default fi test -z "$pic_mode" && pic_mode=default # Check whether --enable-fast-install was given. if test "${enable_fast_install+set}" = set; then : enableval=$enable_fast_install; p=${PACKAGE-default} case $enableval in yes) enable_fast_install=yes ;; no) enable_fast_install=no ;; *) enable_fast_install=no # Look at the argument we got. We use all the common list separators. lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR," for pkg in $enableval; do IFS="$lt_save_ifs" if test "X$pkg" = "X$p"; then enable_fast_install=yes fi done IFS="$lt_save_ifs" ;; esac else enable_fast_install=yes fi # This can be used to rebuild libtool when needed LIBTOOL_DEPS="$ltmain" # Always use our own libtool. LIBTOOL='$(SHELL) $(top_builddir)/libtool' test -z "$LN_S" && LN_S="ln -s" if test -n "${ZSH_VERSION+set}" ; then setopt NO_GLOB_SUBST fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking for objdir" >&5 $as_echo_n "checking for objdir... " >&6; } if ${lt_cv_objdir+:} false; then : $as_echo_n "(cached) " >&6 else rm -f .libs 2>/dev/null mkdir .libs 2>/dev/null if test -d .libs; then lt_cv_objdir=.libs else # MS-DOS does not allow filenames that begin with a dot. lt_cv_objdir=_libs fi rmdir .libs 2>/dev/null fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_objdir" >&5 $as_echo "$lt_cv_objdir" >&6; } objdir=$lt_cv_objdir cat >>confdefs.h <<_ACEOF #define LT_OBJDIR "$lt_cv_objdir/" _ACEOF case $host_os in aix3*) # AIX sometimes has problems with the GCC collect2 program. For some # reason, if we set the COLLECT_NAMES environment variable, the problems # vanish in a puff of smoke. if test "X${COLLECT_NAMES+set}" != Xset; then COLLECT_NAMES= export COLLECT_NAMES fi ;; esac # Global variables: ofile=libtool can_build_shared=yes # All known linkers require a `.a' archive for static linking (except MSVC, # which needs '.lib'). libext=a with_gnu_ld="$lt_cv_prog_gnu_ld" old_CC="$CC" old_CFLAGS="$CFLAGS" # Set sane defaults for various variables test -z "$CC" && CC=cc test -z "$LTCC" && LTCC=$CC test -z "$LTCFLAGS" && LTCFLAGS=$CFLAGS test -z "$LD" && LD=ld test -z "$ac_objext" && ac_objext=o for cc_temp in $compiler""; do case $cc_temp in compile | *[\\/]compile | ccache | *[\\/]ccache ) ;; distcc | *[\\/]distcc | purify | *[\\/]purify ) ;; \-*) ;; *) break;; esac done cc_basename=`$ECHO "$cc_temp" | $SED "s%.*/%%; s%^$host_alias-%%"` # Only perform the check for file, if the check method requires it test -z "$MAGIC_CMD" && MAGIC_CMD=file case $deplibs_check_method in file_magic*) if test "$file_magic_cmd" = '$MAGIC_CMD'; then { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ${ac_tool_prefix}file" >&5 $as_echo_n "checking for ${ac_tool_prefix}file... " >&6; } if ${lt_cv_path_MAGIC_CMD+:} false; then : $as_echo_n "(cached) " >&6 else case $MAGIC_CMD in [\\/*] | ?:[\\/]*) lt_cv_path_MAGIC_CMD="$MAGIC_CMD" # Let the user override the test with a path. ;; *) lt_save_MAGIC_CMD="$MAGIC_CMD" lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR ac_dummy="/usr/bin$PATH_SEPARATOR$PATH" for ac_dir in $ac_dummy; do IFS="$lt_save_ifs" test -z "$ac_dir" && ac_dir=. if test -f $ac_dir/${ac_tool_prefix}file; then lt_cv_path_MAGIC_CMD="$ac_dir/${ac_tool_prefix}file" if test -n "$file_magic_test_file"; then case $deplibs_check_method in "file_magic "*) file_magic_regex=`expr "$deplibs_check_method" : "file_magic \(.*\)"` MAGIC_CMD="$lt_cv_path_MAGIC_CMD" if eval $file_magic_cmd \$file_magic_test_file 2> /dev/null | $EGREP "$file_magic_regex" > /dev/null; then : else cat <<_LT_EOF 1>&2 *** Warning: the command libtool uses to detect shared libraries, *** $file_magic_cmd, produces output that libtool cannot recognize. *** The result is that libtool may fail to recognize shared libraries *** as such. This will affect the creation of libtool libraries that *** depend on shared libraries, but programs linked with such libtool *** libraries will work regardless of this problem. Nevertheless, you *** may want to report the problem to your system manager and/or to *** bug-libtool@gnu.org _LT_EOF fi ;; esac fi break fi done IFS="$lt_save_ifs" MAGIC_CMD="$lt_save_MAGIC_CMD" ;; esac fi MAGIC_CMD="$lt_cv_path_MAGIC_CMD" if test -n "$MAGIC_CMD"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $MAGIC_CMD" >&5 $as_echo "$MAGIC_CMD" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi if test -z "$lt_cv_path_MAGIC_CMD"; then if test -n "$ac_tool_prefix"; then { $as_echo "$as_me:${as_lineno-$LINENO}: checking for file" >&5 $as_echo_n "checking for file... " >&6; } if ${lt_cv_path_MAGIC_CMD+:} false; then : $as_echo_n "(cached) " >&6 else case $MAGIC_CMD in [\\/*] | ?:[\\/]*) lt_cv_path_MAGIC_CMD="$MAGIC_CMD" # Let the user override the test with a path. ;; *) lt_save_MAGIC_CMD="$MAGIC_CMD" lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR ac_dummy="/usr/bin$PATH_SEPARATOR$PATH" for ac_dir in $ac_dummy; do IFS="$lt_save_ifs" test -z "$ac_dir" && ac_dir=. if test -f $ac_dir/file; then lt_cv_path_MAGIC_CMD="$ac_dir/file" if test -n "$file_magic_test_file"; then case $deplibs_check_method in "file_magic "*) file_magic_regex=`expr "$deplibs_check_method" : "file_magic \(.*\)"` MAGIC_CMD="$lt_cv_path_MAGIC_CMD" if eval $file_magic_cmd \$file_magic_test_file 2> /dev/null | $EGREP "$file_magic_regex" > /dev/null; then : else cat <<_LT_EOF 1>&2 *** Warning: the command libtool uses to detect shared libraries, *** $file_magic_cmd, produces output that libtool cannot recognize. *** The result is that libtool may fail to recognize shared libraries *** as such. This will affect the creation of libtool libraries that *** depend on shared libraries, but programs linked with such libtool *** libraries will work regardless of this problem. Nevertheless, you *** may want to report the problem to your system manager and/or to *** bug-libtool@gnu.org _LT_EOF fi ;; esac fi break fi done IFS="$lt_save_ifs" MAGIC_CMD="$lt_save_MAGIC_CMD" ;; esac fi MAGIC_CMD="$lt_cv_path_MAGIC_CMD" if test -n "$MAGIC_CMD"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $MAGIC_CMD" >&5 $as_echo "$MAGIC_CMD" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi else MAGIC_CMD=: fi fi fi ;; esac # Use C for the default configuration in the libtool script lt_save_CC="$CC" ac_ext=c ac_cpp='$CPP $CPPFLAGS' ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_c_compiler_gnu # Source file extension for C test sources. ac_ext=c # Object file extension for compiled C test sources. objext=o objext=$objext # Code to be used in simple compile tests lt_simple_compile_test_code="int some_variable = 0;" # Code to be used in simple link tests lt_simple_link_test_code='int main(){return(0);}' # If no C compiler was specified, use CC. LTCC=${LTCC-"$CC"} # If no C compiler flags were specified, use CFLAGS. LTCFLAGS=${LTCFLAGS-"$CFLAGS"} # Allow CC to be a program name with arguments. compiler=$CC # Save the default compiler, since it gets overwritten when the other # tags are being tested, and _LT_TAGVAR(compiler, []) is a NOP. compiler_DEFAULT=$CC # save warnings/boilerplate of simple test code ac_outfile=conftest.$ac_objext echo "$lt_simple_compile_test_code" >conftest.$ac_ext eval "$ac_compile" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err _lt_compiler_boilerplate=`cat conftest.err` $RM conftest* ac_outfile=conftest.$ac_objext echo "$lt_simple_link_test_code" >conftest.$ac_ext eval "$ac_link" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err _lt_linker_boilerplate=`cat conftest.err` $RM -r conftest* ## CAVEAT EMPTOR: ## There is no encapsulation within the following macros, do not change ## the running order or otherwise move them around unless you know exactly ## what you are doing... if test -n "$compiler"; then lt_prog_compiler_no_builtin_flag= if test "$GCC" = yes; then case $cc_basename in nvcc*) lt_prog_compiler_no_builtin_flag=' -Xcompiler -fno-builtin' ;; *) lt_prog_compiler_no_builtin_flag=' -fno-builtin' ;; esac { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $compiler supports -fno-rtti -fno-exceptions" >&5 $as_echo_n "checking if $compiler supports -fno-rtti -fno-exceptions... " >&6; } if ${lt_cv_prog_compiler_rtti_exceptions+:} false; then : $as_echo_n "(cached) " >&6 else lt_cv_prog_compiler_rtti_exceptions=no ac_outfile=conftest.$ac_objext echo "$lt_simple_compile_test_code" > conftest.$ac_ext lt_compiler_flag="-fno-rtti -fno-exceptions" # Insert the option either (1) after the last *FLAGS variable, or # (2) before a word containing "conftest.", or (3) at the end. # Note that $ac_compile itself does not contain backslashes and begins # with a dollar sign (not a hyphen), so the echo should work correctly. # The option is referenced via a variable to avoid confusing sed. lt_compile=`echo "$ac_compile" | $SED \ -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` (eval echo "\"\$as_me:$LINENO: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 echo "$as_me:$LINENO: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. $ECHO "$_lt_compiler_boilerplate" | $SED '/^$/d' >conftest.exp $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2 if test ! -s conftest.er2 || diff conftest.exp conftest.er2 >/dev/null; then lt_cv_prog_compiler_rtti_exceptions=yes fi fi $RM conftest* fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_prog_compiler_rtti_exceptions" >&5 $as_echo "$lt_cv_prog_compiler_rtti_exceptions" >&6; } if test x"$lt_cv_prog_compiler_rtti_exceptions" = xyes; then lt_prog_compiler_no_builtin_flag="$lt_prog_compiler_no_builtin_flag -fno-rtti -fno-exceptions" else : fi fi lt_prog_compiler_wl= lt_prog_compiler_pic= lt_prog_compiler_static= if test "$GCC" = yes; then lt_prog_compiler_wl='-Wl,' lt_prog_compiler_static='-static' case $host_os in aix*) # All AIX code is PIC. if test "$host_cpu" = ia64; then # AIX 5 now supports IA64 processor lt_prog_compiler_static='-Bstatic' fi ;; amigaos*) case $host_cpu in powerpc) # see comment about AmigaOS4 .so support lt_prog_compiler_pic='-fPIC' ;; m68k) # FIXME: we need at least 68020 code to build shared libraries, but # adding the `-m68020' flag to GCC prevents building anything better, # like `-m68040'. lt_prog_compiler_pic='-m68020 -resident32 -malways-restore-a4' ;; esac ;; beos* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*) # PIC is the default for these OSes. ;; mingw* | cygwin* | pw32* | os2* | cegcc*) # This hack is so that the source file can tell whether it is being # built for inclusion in a dll (and should export symbols for example). # Although the cygwin gcc ignores -fPIC, still need this for old-style # (--disable-auto-import) libraries lt_prog_compiler_pic='-DDLL_EXPORT' ;; darwin* | rhapsody*) # PIC is the default on this platform # Common symbols not allowed in MH_DYLIB files lt_prog_compiler_pic='-fno-common' ;; haiku*) # PIC is the default for Haiku. # The "-static" flag exists, but is broken. lt_prog_compiler_static= ;; hpux*) # PIC is the default for 64-bit PA HP-UX, but not for 32-bit # PA HP-UX. On IA64 HP-UX, PIC is the default but the pic flag # sets the default TLS model and affects inlining. case $host_cpu in hppa*64*) # +Z the default ;; *) lt_prog_compiler_pic='-fPIC' ;; esac ;; interix[3-9]*) # Interix 3.x gcc -fpic/-fPIC options generate broken code. # Instead, we relocate shared libraries at runtime. ;; msdosdjgpp*) # Just because we use GCC doesn't mean we suddenly get shared libraries # on systems that don't support them. lt_prog_compiler_can_build_shared=no enable_shared=no ;; *nto* | *qnx*) # QNX uses GNU C++, but need to define -shared option too, otherwise # it will coredump. lt_prog_compiler_pic='-fPIC -shared' ;; sysv4*MP*) if test -d /usr/nec; then lt_prog_compiler_pic=-Kconform_pic fi ;; *) lt_prog_compiler_pic='-fPIC' ;; esac case $cc_basename in nvcc*) # Cuda Compiler Driver 2.2 lt_prog_compiler_wl='-Xlinker ' if test -n "$lt_prog_compiler_pic"; then lt_prog_compiler_pic="-Xcompiler $lt_prog_compiler_pic" fi ;; esac else # PORTME Check for flag to pass linker flags through the system compiler. case $host_os in aix*) lt_prog_compiler_wl='-Wl,' if test "$host_cpu" = ia64; then # AIX 5 now supports IA64 processor lt_prog_compiler_static='-Bstatic' else lt_prog_compiler_static='-bnso -bI:/lib/syscalls.exp' fi ;; mingw* | cygwin* | pw32* | os2* | cegcc*) # This hack is so that the source file can tell whether it is being # built for inclusion in a dll (and should export symbols for example). lt_prog_compiler_pic='-DDLL_EXPORT' ;; hpux9* | hpux10* | hpux11*) lt_prog_compiler_wl='-Wl,' # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but # not for PA HP-UX. case $host_cpu in hppa*64*|ia64*) # +Z the default ;; *) lt_prog_compiler_pic='+Z' ;; esac # Is there a better lt_prog_compiler_static that works with the bundled CC? lt_prog_compiler_static='${wl}-a ${wl}archive' ;; irix5* | irix6* | nonstopux*) lt_prog_compiler_wl='-Wl,' # PIC (with -KPIC) is the default. lt_prog_compiler_static='-non_shared' ;; linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*) case $cc_basename in # old Intel for x86_64 which still supported -KPIC. ecc*) lt_prog_compiler_wl='-Wl,' lt_prog_compiler_pic='-KPIC' lt_prog_compiler_static='-static' ;; # icc used to be incompatible with GCC. # ICC 10 doesn't accept -KPIC any more. icc* | ifort*) lt_prog_compiler_wl='-Wl,' lt_prog_compiler_pic='-fPIC' lt_prog_compiler_static='-static' ;; # Lahey Fortran 8.1. lf95*) lt_prog_compiler_wl='-Wl,' lt_prog_compiler_pic='--shared' lt_prog_compiler_static='--static' ;; nagfor*) # NAG Fortran compiler lt_prog_compiler_wl='-Wl,-Wl,,' lt_prog_compiler_pic='-PIC' lt_prog_compiler_static='-Bstatic' ;; pgcc* | pgf77* | pgf90* | pgf95* | pgfortran*) # Portland Group compilers (*not* the Pentium gcc compiler, # which looks to be a dead project) lt_prog_compiler_wl='-Wl,' lt_prog_compiler_pic='-fpic' lt_prog_compiler_static='-Bstatic' ;; ccc*) lt_prog_compiler_wl='-Wl,' # All Alpha code is PIC. lt_prog_compiler_static='-non_shared' ;; xl* | bgxl* | bgf* | mpixl*) # IBM XL C 8.0/Fortran 10.1, 11.1 on PPC and BlueGene lt_prog_compiler_wl='-Wl,' lt_prog_compiler_pic='-qpic' lt_prog_compiler_static='-qstaticlink' ;; *) case `$CC -V 2>&1 | sed 5q` in *Sun\ Ceres\ Fortran* | *Sun*Fortran*\ [1-7].* | *Sun*Fortran*\ 8.[0-3]*) # Sun Fortran 8.3 passes all unrecognized flags to the linker lt_prog_compiler_pic='-KPIC' lt_prog_compiler_static='-Bstatic' lt_prog_compiler_wl='' ;; *Sun\ F* | *Sun*Fortran*) lt_prog_compiler_pic='-KPIC' lt_prog_compiler_static='-Bstatic' lt_prog_compiler_wl='-Qoption ld ' ;; *Sun\ C*) # Sun C 5.9 lt_prog_compiler_pic='-KPIC' lt_prog_compiler_static='-Bstatic' lt_prog_compiler_wl='-Wl,' ;; *Intel*\ [CF]*Compiler*) lt_prog_compiler_wl='-Wl,' lt_prog_compiler_pic='-fPIC' lt_prog_compiler_static='-static' ;; *Portland\ Group*) lt_prog_compiler_wl='-Wl,' lt_prog_compiler_pic='-fpic' lt_prog_compiler_static='-Bstatic' ;; esac ;; esac ;; newsos6) lt_prog_compiler_pic='-KPIC' lt_prog_compiler_static='-Bstatic' ;; *nto* | *qnx*) # QNX uses GNU C++, but need to define -shared option too, otherwise # it will coredump. lt_prog_compiler_pic='-fPIC -shared' ;; osf3* | osf4* | osf5*) lt_prog_compiler_wl='-Wl,' # All OSF/1 code is PIC. lt_prog_compiler_static='-non_shared' ;; rdos*) lt_prog_compiler_static='-non_shared' ;; solaris*) lt_prog_compiler_pic='-KPIC' lt_prog_compiler_static='-Bstatic' case $cc_basename in f77* | f90* | f95* | sunf77* | sunf90* | sunf95*) lt_prog_compiler_wl='-Qoption ld ';; *) lt_prog_compiler_wl='-Wl,';; esac ;; sunos4*) lt_prog_compiler_wl='-Qoption ld ' lt_prog_compiler_pic='-PIC' lt_prog_compiler_static='-Bstatic' ;; sysv4 | sysv4.2uw2* | sysv4.3*) lt_prog_compiler_wl='-Wl,' lt_prog_compiler_pic='-KPIC' lt_prog_compiler_static='-Bstatic' ;; sysv4*MP*) if test -d /usr/nec ;then lt_prog_compiler_pic='-Kconform_pic' lt_prog_compiler_static='-Bstatic' fi ;; sysv5* | unixware* | sco3.2v5* | sco5v6* | OpenUNIX*) lt_prog_compiler_wl='-Wl,' lt_prog_compiler_pic='-KPIC' lt_prog_compiler_static='-Bstatic' ;; unicos*) lt_prog_compiler_wl='-Wl,' lt_prog_compiler_can_build_shared=no ;; uts4*) lt_prog_compiler_pic='-pic' lt_prog_compiler_static='-Bstatic' ;; *) lt_prog_compiler_can_build_shared=no ;; esac fi case $host_os in # For platforms which do not support PIC, -DPIC is meaningless: *djgpp*) lt_prog_compiler_pic= ;; *) lt_prog_compiler_pic="$lt_prog_compiler_pic -DPIC" ;; esac { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $compiler option to produce PIC" >&5 $as_echo_n "checking for $compiler option to produce PIC... " >&6; } if ${lt_cv_prog_compiler_pic+:} false; then : $as_echo_n "(cached) " >&6 else lt_cv_prog_compiler_pic=$lt_prog_compiler_pic fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_prog_compiler_pic" >&5 $as_echo "$lt_cv_prog_compiler_pic" >&6; } lt_prog_compiler_pic=$lt_cv_prog_compiler_pic # # Check to make sure the PIC flag actually works. # if test -n "$lt_prog_compiler_pic"; then { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $compiler PIC flag $lt_prog_compiler_pic works" >&5 $as_echo_n "checking if $compiler PIC flag $lt_prog_compiler_pic works... " >&6; } if ${lt_cv_prog_compiler_pic_works+:} false; then : $as_echo_n "(cached) " >&6 else lt_cv_prog_compiler_pic_works=no ac_outfile=conftest.$ac_objext echo "$lt_simple_compile_test_code" > conftest.$ac_ext lt_compiler_flag="$lt_prog_compiler_pic -DPIC" # Insert the option either (1) after the last *FLAGS variable, or # (2) before a word containing "conftest.", or (3) at the end. # Note that $ac_compile itself does not contain backslashes and begins # with a dollar sign (not a hyphen), so the echo should work correctly. # The option is referenced via a variable to avoid confusing sed. lt_compile=`echo "$ac_compile" | $SED \ -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` (eval echo "\"\$as_me:$LINENO: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 echo "$as_me:$LINENO: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. $ECHO "$_lt_compiler_boilerplate" | $SED '/^$/d' >conftest.exp $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2 if test ! -s conftest.er2 || diff conftest.exp conftest.er2 >/dev/null; then lt_cv_prog_compiler_pic_works=yes fi fi $RM conftest* fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_prog_compiler_pic_works" >&5 $as_echo "$lt_cv_prog_compiler_pic_works" >&6; } if test x"$lt_cv_prog_compiler_pic_works" = xyes; then case $lt_prog_compiler_pic in "" | " "*) ;; *) lt_prog_compiler_pic=" $lt_prog_compiler_pic" ;; esac else lt_prog_compiler_pic= lt_prog_compiler_can_build_shared=no fi fi # # Check to make sure the static flag actually works. # wl=$lt_prog_compiler_wl eval lt_tmp_static_flag=\"$lt_prog_compiler_static\" { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $compiler static flag $lt_tmp_static_flag works" >&5 $as_echo_n "checking if $compiler static flag $lt_tmp_static_flag works... " >&6; } if ${lt_cv_prog_compiler_static_works+:} false; then : $as_echo_n "(cached) " >&6 else lt_cv_prog_compiler_static_works=no save_LDFLAGS="$LDFLAGS" LDFLAGS="$LDFLAGS $lt_tmp_static_flag" echo "$lt_simple_link_test_code" > conftest.$ac_ext if (eval $ac_link 2>conftest.err) && test -s conftest$ac_exeext; then # The linker can only warn and ignore the option if not recognized # So say no if there are warnings if test -s conftest.err; then # Append any errors to the config.log. cat conftest.err 1>&5 $ECHO "$_lt_linker_boilerplate" | $SED '/^$/d' > conftest.exp $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2 if diff conftest.exp conftest.er2 >/dev/null; then lt_cv_prog_compiler_static_works=yes fi else lt_cv_prog_compiler_static_works=yes fi fi $RM -r conftest* LDFLAGS="$save_LDFLAGS" fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_prog_compiler_static_works" >&5 $as_echo "$lt_cv_prog_compiler_static_works" >&6; } if test x"$lt_cv_prog_compiler_static_works" = xyes; then : else lt_prog_compiler_static= fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $compiler supports -c -o file.$ac_objext" >&5 $as_echo_n "checking if $compiler supports -c -o file.$ac_objext... " >&6; } if ${lt_cv_prog_compiler_c_o+:} false; then : $as_echo_n "(cached) " >&6 else lt_cv_prog_compiler_c_o=no $RM -r conftest 2>/dev/null mkdir conftest cd conftest mkdir out echo "$lt_simple_compile_test_code" > conftest.$ac_ext lt_compiler_flag="-o out/conftest2.$ac_objext" # Insert the option either (1) after the last *FLAGS variable, or # (2) before a word containing "conftest.", or (3) at the end. # Note that $ac_compile itself does not contain backslashes and begins # with a dollar sign (not a hyphen), so the echo should work correctly. lt_compile=`echo "$ac_compile" | $SED \ -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` (eval echo "\"\$as_me:$LINENO: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 echo "$as_me:$LINENO: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings $ECHO "$_lt_compiler_boilerplate" | $SED '/^$/d' > out/conftest.exp $SED '/^$/d; /^ *+/d' out/conftest.err >out/conftest.er2 if test ! -s out/conftest.er2 || diff out/conftest.exp out/conftest.er2 >/dev/null; then lt_cv_prog_compiler_c_o=yes fi fi chmod u+w . 2>&5 $RM conftest* # SGI C++ compiler will create directory out/ii_files/ for # template instantiation test -d out/ii_files && $RM out/ii_files/* && rmdir out/ii_files $RM out/* && rmdir out cd .. $RM -r conftest $RM conftest* fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_prog_compiler_c_o" >&5 $as_echo "$lt_cv_prog_compiler_c_o" >&6; } { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $compiler supports -c -o file.$ac_objext" >&5 $as_echo_n "checking if $compiler supports -c -o file.$ac_objext... " >&6; } if ${lt_cv_prog_compiler_c_o+:} false; then : $as_echo_n "(cached) " >&6 else lt_cv_prog_compiler_c_o=no $RM -r conftest 2>/dev/null mkdir conftest cd conftest mkdir out echo "$lt_simple_compile_test_code" > conftest.$ac_ext lt_compiler_flag="-o out/conftest2.$ac_objext" # Insert the option either (1) after the last *FLAGS variable, or # (2) before a word containing "conftest.", or (3) at the end. # Note that $ac_compile itself does not contain backslashes and begins # with a dollar sign (not a hyphen), so the echo should work correctly. lt_compile=`echo "$ac_compile" | $SED \ -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` (eval echo "\"\$as_me:$LINENO: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 echo "$as_me:$LINENO: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings $ECHO "$_lt_compiler_boilerplate" | $SED '/^$/d' > out/conftest.exp $SED '/^$/d; /^ *+/d' out/conftest.err >out/conftest.er2 if test ! -s out/conftest.er2 || diff out/conftest.exp out/conftest.er2 >/dev/null; then lt_cv_prog_compiler_c_o=yes fi fi chmod u+w . 2>&5 $RM conftest* # SGI C++ compiler will create directory out/ii_files/ for # template instantiation test -d out/ii_files && $RM out/ii_files/* && rmdir out/ii_files $RM out/* && rmdir out cd .. $RM -r conftest $RM conftest* fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_prog_compiler_c_o" >&5 $as_echo "$lt_cv_prog_compiler_c_o" >&6; } hard_links="nottested" if test "$lt_cv_prog_compiler_c_o" = no && test "$need_locks" != no; then # do not overwrite the value of need_locks provided by the user { $as_echo "$as_me:${as_lineno-$LINENO}: checking if we can lock with hard links" >&5 $as_echo_n "checking if we can lock with hard links... " >&6; } hard_links=yes $RM conftest* ln conftest.a conftest.b 2>/dev/null && hard_links=no touch conftest.a ln conftest.a conftest.b 2>&5 || hard_links=no ln conftest.a conftest.b 2>/dev/null && hard_links=no { $as_echo "$as_me:${as_lineno-$LINENO}: result: $hard_links" >&5 $as_echo "$hard_links" >&6; } if test "$hard_links" = no; then { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&5 $as_echo "$as_me: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&2;} need_locks=warn fi else need_locks=no fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the $compiler linker ($LD) supports shared libraries" >&5 $as_echo_n "checking whether the $compiler linker ($LD) supports shared libraries... " >&6; } runpath_var= allow_undefined_flag= always_export_symbols=no archive_cmds= archive_expsym_cmds= compiler_needs_object=no enable_shared_with_static_runtimes=no export_dynamic_flag_spec= export_symbols_cmds='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols' hardcode_automatic=no hardcode_direct=no hardcode_direct_absolute=no hardcode_libdir_flag_spec= hardcode_libdir_separator= hardcode_minus_L=no hardcode_shlibpath_var=unsupported inherit_rpath=no link_all_deplibs=unknown module_cmds= module_expsym_cmds= old_archive_from_new_cmds= old_archive_from_expsyms_cmds= thread_safe_flag_spec= whole_archive_flag_spec= # include_expsyms should be a list of space-separated symbols to be *always* # included in the symbol list include_expsyms= # exclude_expsyms can be an extended regexp of symbols to exclude # it will be wrapped by ` (' and `)$', so one must not match beginning or # end of line. Example: `a|bc|.*d.*' will exclude the symbols `a' and `bc', # as well as any symbol that contains `d'. exclude_expsyms='_GLOBAL_OFFSET_TABLE_|_GLOBAL__F[ID]_.*' # Although _GLOBAL_OFFSET_TABLE_ is a valid symbol C name, most a.out # platforms (ab)use it in PIC code, but their linkers get confused if # the symbol is explicitly referenced. Since portable code cannot # rely on this symbol name, it's probably fine to never include it in # preloaded symbol tables. # Exclude shared library initialization/finalization symbols. extract_expsyms_cmds= case $host_os in cygwin* | mingw* | pw32* | cegcc*) # FIXME: the MSVC++ port hasn't been tested in a loooong time # When not using gcc, we currently assume that we are using # Microsoft Visual C++. if test "$GCC" != yes; then with_gnu_ld=no fi ;; interix*) # we just hope/assume this is gcc and not c89 (= MSVC++) with_gnu_ld=yes ;; openbsd*) with_gnu_ld=no ;; linux* | k*bsd*-gnu | gnu*) link_all_deplibs=no ;; esac ld_shlibs=yes # On some targets, GNU ld is compatible enough with the native linker # that we're better off using the native interface for both. lt_use_gnu_ld_interface=no if test "$with_gnu_ld" = yes; then case $host_os in aix*) # The AIX port of GNU ld has always aspired to compatibility # with the native linker. However, as the warning in the GNU ld # block says, versions before 2.19.5* couldn't really create working # shared libraries, regardless of the interface used. case `$LD -v 2>&1` in *\ \(GNU\ Binutils\)\ 2.19.5*) ;; *\ \(GNU\ Binutils\)\ 2.[2-9]*) ;; *\ \(GNU\ Binutils\)\ [3-9]*) ;; *) lt_use_gnu_ld_interface=yes ;; esac ;; *) lt_use_gnu_ld_interface=yes ;; esac fi if test "$lt_use_gnu_ld_interface" = yes; then # If archive_cmds runs LD, not CC, wlarc should be empty wlarc='${wl}' # Set some defaults for GNU ld with shared library support. These # are reset later if shared libraries are not supported. Putting them # here allows them to be overridden if necessary. runpath_var=LD_RUN_PATH hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir' export_dynamic_flag_spec='${wl}--export-dynamic' # ancient GNU ld didn't support --whole-archive et. al. if $LD --help 2>&1 | $GREP 'no-whole-archive' > /dev/null; then whole_archive_flag_spec="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive' else whole_archive_flag_spec= fi supports_anon_versioning=no case `$LD -v 2>&1` in *GNU\ gold*) supports_anon_versioning=yes ;; *\ [01].* | *\ 2.[0-9].* | *\ 2.10.*) ;; # catch versions < 2.11 *\ 2.11.93.0.2\ *) supports_anon_versioning=yes ;; # RH7.3 ... *\ 2.11.92.0.12\ *) supports_anon_versioning=yes ;; # Mandrake 8.2 ... *\ 2.11.*) ;; # other 2.11 versions *) supports_anon_versioning=yes ;; esac # See if GNU ld supports shared libraries. case $host_os in aix[3-9]*) # On AIX/PPC, the GNU linker is very broken if test "$host_cpu" != ia64; then ld_shlibs=no cat <<_LT_EOF 1>&2 *** Warning: the GNU linker, at least up to release 2.19, is reported *** to be unable to reliably create shared libraries on AIX. *** Therefore, libtool is disabling shared libraries support. If you *** really care for shared libraries, you may want to install binutils *** 2.20 or above, or modify your PATH so that a non-GNU linker is found. *** You will then need to restart the configuration process. _LT_EOF fi ;; amigaos*) case $host_cpu in powerpc) # see comment about AmigaOS4 .so support archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' archive_expsym_cmds='' ;; m68k) archive_cmds='$RM $output_objdir/a2ixlibrary.data~$ECHO "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$ECHO "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$ECHO "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$ECHO "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)' hardcode_libdir_flag_spec='-L$libdir' hardcode_minus_L=yes ;; esac ;; beos*) if $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then allow_undefined_flag=unsupported # Joseph Beckenbach says some releases of gcc # support --undefined. This deserves some investigation. FIXME archive_cmds='$CC -nostart $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' else ld_shlibs=no fi ;; cygwin* | mingw* | pw32* | cegcc*) # _LT_TAGVAR(hardcode_libdir_flag_spec, ) is actually meaningless, # as there is no search path for DLLs. hardcode_libdir_flag_spec='-L$libdir' export_dynamic_flag_spec='${wl}--export-all-symbols' allow_undefined_flag=unsupported always_export_symbols=no enable_shared_with_static_runtimes=yes export_symbols_cmds='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[BCDGRS][ ]/s/.*[ ]\([^ ]*\)/\1 DATA/;s/^.*[ ]__nm__\([^ ]*\)[ ][^ ]*/\1 DATA/;/^I[ ]/d;/^[AITW][ ]/s/.* //'\'' | sort | uniq > $export_symbols' exclude_expsyms='[_]+GLOBAL_OFFSET_TABLE_|[_]+GLOBAL__[FID]_.*|[_]+head_[A-Za-z0-9_]+_dll|[A-Za-z0-9_]+_dll_iname' if $LD --help 2>&1 | $GREP 'auto-import' > /dev/null; then archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib' # If the export-symbols file already is a .def file (1st line # is EXPORTS), use it as is; otherwise, prepend... archive_expsym_cmds='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then cp $export_symbols $output_objdir/$soname.def; else echo EXPORTS > $output_objdir/$soname.def; cat $export_symbols >> $output_objdir/$soname.def; fi~ $CC -shared $output_objdir/$soname.def $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib' else ld_shlibs=no fi ;; haiku*) archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' link_all_deplibs=yes ;; interix[3-9]*) hardcode_direct=no hardcode_shlibpath_var=no hardcode_libdir_flag_spec='${wl}-rpath,$libdir' export_dynamic_flag_spec='${wl}-E' # Hack: On Interix 3.x, we cannot compile PIC because of a broken gcc. # Instead, shared libraries are loaded at an image base (0x10000000 by # default) and relocated if they conflict, which is a slow very memory # consuming and fragmenting process. To avoid this, we pick a random, # 256 KiB-aligned image base between 0x50000000 and 0x6FFC0000 at link # time. Moving up from 0x10000000 also allows more sbrk(2) space. archive_cmds='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib' archive_expsym_cmds='sed "s,^,_," $export_symbols >$output_objdir/$soname.expsym~$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--retain-symbols-file,$output_objdir/$soname.expsym ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib' ;; gnu* | linux* | tpf* | k*bsd*-gnu | kopensolaris*-gnu) tmp_diet=no if test "$host_os" = linux-dietlibc; then case $cc_basename in diet\ *) tmp_diet=yes;; # linux-dietlibc with static linking (!diet-dyn) esac fi if $LD --help 2>&1 | $EGREP ': supported targets:.* elf' > /dev/null \ && test "$tmp_diet" = no then tmp_addflag=' $pic_flag' tmp_sharedflag='-shared' case $cc_basename,$host_cpu in pgcc*) # Portland Group C compiler whole_archive_flag_spec='${wl}--whole-archive`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; func_echo_all \"$new_convenience\"` ${wl}--no-whole-archive' tmp_addflag=' $pic_flag' ;; pgf77* | pgf90* | pgf95* | pgfortran*) # Portland Group f77 and f90 compilers whole_archive_flag_spec='${wl}--whole-archive`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; func_echo_all \"$new_convenience\"` ${wl}--no-whole-archive' tmp_addflag=' $pic_flag -Mnomain' ;; ecc*,ia64* | icc*,ia64*) # Intel C compiler on ia64 tmp_addflag=' -i_dynamic' ;; efc*,ia64* | ifort*,ia64*) # Intel Fortran compiler on ia64 tmp_addflag=' -i_dynamic -nofor_main' ;; ifc* | ifort*) # Intel Fortran compiler tmp_addflag=' -nofor_main' ;; lf95*) # Lahey Fortran 8.1 whole_archive_flag_spec= tmp_sharedflag='--shared' ;; xl[cC]* | bgxl[cC]* | mpixl[cC]*) # IBM XL C 8.0 on PPC (deal with xlf below) tmp_sharedflag='-qmkshrobj' tmp_addflag= ;; nvcc*) # Cuda Compiler Driver 2.2 whole_archive_flag_spec='${wl}--whole-archive`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; func_echo_all \"$new_convenience\"` ${wl}--no-whole-archive' compiler_needs_object=yes ;; esac case `$CC -V 2>&1 | sed 5q` in *Sun\ C*) # Sun C 5.9 whole_archive_flag_spec='${wl}--whole-archive`new_convenience=; for conv in $convenience\"\"; do test -z \"$conv\" || new_convenience=\"$new_convenience,$conv\"; done; func_echo_all \"$new_convenience\"` ${wl}--no-whole-archive' compiler_needs_object=yes tmp_sharedflag='-G' ;; *Sun\ F*) # Sun Fortran 8.3 tmp_sharedflag='-G' ;; esac archive_cmds='$CC '"$tmp_sharedflag""$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' if test "x$supports_anon_versioning" = xyes; then archive_expsym_cmds='echo "{ global:" > $output_objdir/$libname.ver~ cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~ echo "local: *; };" >> $output_objdir/$libname.ver~ $CC '"$tmp_sharedflag""$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-version-script ${wl}$output_objdir/$libname.ver -o $lib' fi case $cc_basename in xlf* | bgf* | bgxlf* | mpixlf*) # IBM XL Fortran 10.1 on PPC cannot create shared libs itself whole_archive_flag_spec='--whole-archive$convenience --no-whole-archive' hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir' archive_cmds='$LD -shared $libobjs $deplibs $linker_flags -soname $soname -o $lib' if test "x$supports_anon_versioning" = xyes; then archive_expsym_cmds='echo "{ global:" > $output_objdir/$libname.ver~ cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~ echo "local: *; };" >> $output_objdir/$libname.ver~ $LD -shared $libobjs $deplibs $linker_flags -soname $soname -version-script $output_objdir/$libname.ver -o $lib' fi ;; esac else ld_shlibs=no fi ;; netbsd* | netbsdelf*-gnu) if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then archive_cmds='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib' wlarc= else archive_cmds='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' archive_expsym_cmds='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib' fi ;; solaris*) if $LD -v 2>&1 | $GREP 'BFD 2\.8' > /dev/null; then ld_shlibs=no cat <<_LT_EOF 1>&2 *** Warning: The releases 2.8.* of the GNU linker cannot reliably *** create shared libraries on Solaris systems. Therefore, libtool *** is disabling shared libraries support. We urge you to upgrade GNU *** binutils to release 2.9.1 or newer. Another option is to modify *** your PATH or compiler configuration so that the native linker is *** used, and then restart. _LT_EOF elif $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then archive_cmds='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' archive_expsym_cmds='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib' else ld_shlibs=no fi ;; sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX*) case `$LD -v 2>&1` in *\ [01].* | *\ 2.[0-9].* | *\ 2.1[0-5].*) ld_shlibs=no cat <<_LT_EOF 1>&2 *** Warning: Releases of the GNU linker prior to 2.16.91.0.3 can not *** reliably create shared libraries on SCO systems. Therefore, libtool *** is disabling shared libraries support. We urge you to upgrade GNU *** binutils to release 2.16.91.0.3 or newer. Another option is to modify *** your PATH or compiler configuration so that the native linker is *** used, and then restart. _LT_EOF ;; *) # For security reasons, it is highly recommended that you always # use absolute paths for naming shared libraries, and exclude the # DT_RUNPATH tag from executables and libraries. But doing so # requires that you compile everything twice, which is a pain. if $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir' archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib' else ld_shlibs=no fi ;; esac ;; sunos4*) archive_cmds='$LD -assert pure-text -Bshareable -o $lib $libobjs $deplibs $linker_flags' wlarc= hardcode_direct=yes hardcode_shlibpath_var=no ;; *) if $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then archive_cmds='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' archive_expsym_cmds='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib' else ld_shlibs=no fi ;; esac if test "$ld_shlibs" = no; then runpath_var= hardcode_libdir_flag_spec= export_dynamic_flag_spec= whole_archive_flag_spec= fi else # PORTME fill in a description of your system's linker (not GNU ld) case $host_os in aix3*) allow_undefined_flag=unsupported always_export_symbols=yes archive_expsym_cmds='$LD -o $output_objdir/$soname $libobjs $deplibs $linker_flags -bE:$export_symbols -T512 -H512 -bM:SRE~$AR $AR_FLAGS $lib $output_objdir/$soname' # Note: this linker hardcodes the directories in LIBPATH if there # are no directories specified by -L. hardcode_minus_L=yes if test "$GCC" = yes && test -z "$lt_prog_compiler_static"; then # Neither direct hardcoding nor static linking is supported with a # broken collect2. hardcode_direct=unsupported fi ;; aix[4-9]*) if test "$host_cpu" = ia64; then # On IA64, the linker does run time linking by default, so we don't # have to do anything special. aix_use_runtimelinking=no exp_sym_flag='-Bexport' no_entry_flag="" else # If we're using GNU nm, then we don't want the "-C" option. # -C means demangle to AIX nm, but means don't demangle with GNU nm # Also, AIX nm treats weak defined symbols like other global # defined symbols, whereas GNU nm marks them as "W". if $NM -V 2>&1 | $GREP 'GNU' > /dev/null; then export_symbols_cmds='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\$ 2 == "T") || (\$ 2 == "D") || (\$ 2 == "B") || (\$ 2 == "W")) && (substr(\$ 3,1,1) != ".")) { print \$ 3 } }'\'' | sort -u > $export_symbols' else export_symbols_cmds='$NM -BCpg $libobjs $convenience | awk '\''{ if (((\$ 2 == "T") || (\$ 2 == "D") || (\$ 2 == "B")) && (substr(\$ 3,1,1) != ".")) { print \$ 3 } }'\'' | sort -u > $export_symbols' fi aix_use_runtimelinking=no # Test if we are trying to use run time linking or normal # AIX style linking. If -brtl is somewhere in LDFLAGS, we # need to do runtime linking. case $host_os in aix4.[23]|aix4.[23].*|aix[5-9]*) for ld_flag in $LDFLAGS; do if (test $ld_flag = "-brtl" || test $ld_flag = "-Wl,-brtl"); then aix_use_runtimelinking=yes break fi done ;; esac exp_sym_flag='-bexport' no_entry_flag='-bnoentry' fi # When large executables or shared objects are built, AIX ld can # have problems creating the table of contents. If linking a library # or program results in "error TOC overflow" add -mminimal-toc to # CXXFLAGS/CFLAGS for g++/gcc. In the cases where that is not # enough to fix the problem, add -Wl,-bbigtoc to LDFLAGS. archive_cmds='' hardcode_direct=yes hardcode_direct_absolute=yes hardcode_libdir_separator=':' link_all_deplibs=yes file_list_spec='${wl}-f,' if test "$GCC" = yes; then case $host_os in aix4.[012]|aix4.[012].*) # We only want to do this on AIX 4.2 and lower, the check # below for broken collect2 doesn't work under 4.3+ collect2name=`${CC} -print-prog-name=collect2` if test -f "$collect2name" && strings "$collect2name" | $GREP resolve_lib_name >/dev/null then # We have reworked collect2 : else # We have old collect2 hardcode_direct=unsupported # It fails to find uninstalled libraries when the uninstalled # path is not listed in the libpath. Setting hardcode_minus_L # to unsupported forces relinking hardcode_minus_L=yes hardcode_libdir_flag_spec='-L$libdir' hardcode_libdir_separator= fi ;; esac shared_flag='-shared' if test "$aix_use_runtimelinking" = yes; then shared_flag="$shared_flag "'${wl}-G' fi link_all_deplibs=no else # not using gcc if test "$host_cpu" = ia64; then # VisualAge C++, Version 5.5 for AIX 5L for IA-64, Beta 3 Release # chokes on -Wl,-G. The following line is correct: shared_flag='-G' else if test "$aix_use_runtimelinking" = yes; then shared_flag='${wl}-G' else shared_flag='${wl}-bM:SRE' fi fi fi export_dynamic_flag_spec='${wl}-bexpall' # It seems that -bexpall does not export symbols beginning with # underscore (_), so it is better to generate a list of symbols to export. always_export_symbols=yes if test "$aix_use_runtimelinking" = yes; then # Warning - without using the other runtime loading flags (-brtl), # -berok will link without error, but may produce a broken library. allow_undefined_flag='-berok' # Determine the default libpath from the value encoded in an # empty executable. if test "${lt_cv_aix_libpath+set}" = set; then aix_libpath=$lt_cv_aix_libpath else if ${lt_cv_aix_libpath_+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main () { ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO"; then : lt_aix_libpath_sed=' /Import File Strings/,/^$/ { /^0/ { s/^0 *\([^ ]*\) *$/\1/ p } }' lt_cv_aix_libpath_=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"` # Check for a 64-bit object if we didn't find anything. if test -z "$lt_cv_aix_libpath_"; then lt_cv_aix_libpath_=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"` fi fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext if test -z "$lt_cv_aix_libpath_"; then lt_cv_aix_libpath_="/usr/lib:/lib" fi fi aix_libpath=$lt_cv_aix_libpath_ fi hardcode_libdir_flag_spec='${wl}-blibpath:$libdir:'"$aix_libpath" archive_expsym_cmds='$CC -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then func_echo_all "${wl}${allow_undefined_flag}"; else :; fi` '"\${wl}$exp_sym_flag:\$export_symbols $shared_flag" else if test "$host_cpu" = ia64; then hardcode_libdir_flag_spec='${wl}-R $libdir:/usr/lib:/lib' allow_undefined_flag="-z nodefs" archive_expsym_cmds="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags ${wl}${allow_undefined_flag} '"\${wl}$exp_sym_flag:\$export_symbols" else # Determine the default libpath from the value encoded in an # empty executable. if test "${lt_cv_aix_libpath+set}" = set; then aix_libpath=$lt_cv_aix_libpath else if ${lt_cv_aix_libpath_+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main () { ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO"; then : lt_aix_libpath_sed=' /Import File Strings/,/^$/ { /^0/ { s/^0 *\([^ ]*\) *$/\1/ p } }' lt_cv_aix_libpath_=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"` # Check for a 64-bit object if we didn't find anything. if test -z "$lt_cv_aix_libpath_"; then lt_cv_aix_libpath_=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"` fi fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext if test -z "$lt_cv_aix_libpath_"; then lt_cv_aix_libpath_="/usr/lib:/lib" fi fi aix_libpath=$lt_cv_aix_libpath_ fi hardcode_libdir_flag_spec='${wl}-blibpath:$libdir:'"$aix_libpath" # Warning - without using the other run time loading flags, # -berok will link without error, but may produce a broken library. no_undefined_flag=' ${wl}-bernotok' allow_undefined_flag=' ${wl}-berok' if test "$with_gnu_ld" = yes; then # We only use this code for GNU lds that support --whole-archive. whole_archive_flag_spec='${wl}--whole-archive$convenience ${wl}--no-whole-archive' else # Exported symbols can be pulled into shared objects from archives whole_archive_flag_spec='$convenience' fi archive_cmds_need_lc=yes # This is similar to how AIX traditionally builds its shared libraries. archive_expsym_cmds="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs ${wl}-bnoentry $compiler_flags ${wl}-bE:$export_symbols${allow_undefined_flag}~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$soname' fi fi ;; amigaos*) case $host_cpu in powerpc) # see comment about AmigaOS4 .so support archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' archive_expsym_cmds='' ;; m68k) archive_cmds='$RM $output_objdir/a2ixlibrary.data~$ECHO "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$ECHO "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$ECHO "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$ECHO "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)' hardcode_libdir_flag_spec='-L$libdir' hardcode_minus_L=yes ;; esac ;; bsdi[45]*) export_dynamic_flag_spec=-rdynamic ;; cygwin* | mingw* | pw32* | cegcc*) # When not using gcc, we currently assume that we are using # Microsoft Visual C++. # hardcode_libdir_flag_spec is actually meaningless, as there is # no search path for DLLs. case $cc_basename in cl*) # Native MSVC hardcode_libdir_flag_spec=' ' allow_undefined_flag=unsupported always_export_symbols=yes file_list_spec='@' # Tell ltmain to make .lib files, not .a files. libext=lib # Tell ltmain to make .dll files, not .so files. shrext_cmds=".dll" # FIXME: Setting linknames here is a bad hack. archive_cmds='$CC -o $output_objdir/$soname $libobjs $compiler_flags $deplibs -Wl,-dll~linknames=' archive_expsym_cmds='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then sed -n -e 's/\\\\\\\(.*\\\\\\\)/-link\\\ -EXPORT:\\\\\\\1/' -e '1\\\!p' < $export_symbols > $output_objdir/$soname.exp; else sed -e 's/\\\\\\\(.*\\\\\\\)/-link\\\ -EXPORT:\\\\\\\1/' < $export_symbols > $output_objdir/$soname.exp; fi~ $CC -o $tool_output_objdir$soname $libobjs $compiler_flags $deplibs "@$tool_output_objdir$soname.exp" -Wl,-DLL,-IMPLIB:"$tool_output_objdir$libname.dll.lib"~ linknames=' # The linker will not automatically build a static lib if we build a DLL. # _LT_TAGVAR(old_archive_from_new_cmds, )='true' enable_shared_with_static_runtimes=yes exclude_expsyms='_NULL_IMPORT_DESCRIPTOR|_IMPORT_DESCRIPTOR_.*' export_symbols_cmds='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[BCDGRS][ ]/s/.*[ ]\([^ ]*\)/\1,DATA/'\'' | $SED -e '\''/^[AITW][ ]/s/.*[ ]//'\'' | sort | uniq > $export_symbols' # Don't use ranlib old_postinstall_cmds='chmod 644 $oldlib' postlink_cmds='lt_outputfile="@OUTPUT@"~ lt_tool_outputfile="@TOOL_OUTPUT@"~ case $lt_outputfile in *.exe|*.EXE) ;; *) lt_outputfile="$lt_outputfile.exe" lt_tool_outputfile="$lt_tool_outputfile.exe" ;; esac~ if test "$MANIFEST_TOOL" != ":" && test -f "$lt_outputfile.manifest"; then $MANIFEST_TOOL -manifest "$lt_tool_outputfile.manifest" -outputresource:"$lt_tool_outputfile" || exit 1; $RM "$lt_outputfile.manifest"; fi' ;; *) # Assume MSVC wrapper hardcode_libdir_flag_spec=' ' allow_undefined_flag=unsupported # Tell ltmain to make .lib files, not .a files. libext=lib # Tell ltmain to make .dll files, not .so files. shrext_cmds=".dll" # FIXME: Setting linknames here is a bad hack. archive_cmds='$CC -o $lib $libobjs $compiler_flags `func_echo_all "$deplibs" | $SED '\''s/ -lc$//'\''` -link -dll~linknames=' # The linker will automatically build a .lib file if we build a DLL. old_archive_from_new_cmds='true' # FIXME: Should let the user specify the lib program. old_archive_cmds='lib -OUT:$oldlib$oldobjs$old_deplibs' enable_shared_with_static_runtimes=yes ;; esac ;; darwin* | rhapsody*) archive_cmds_need_lc=no hardcode_direct=no hardcode_automatic=yes hardcode_shlibpath_var=unsupported if test "$lt_cv_ld_force_load" = "yes"; then whole_archive_flag_spec='`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience ${wl}-force_load,$conv\"; done; func_echo_all \"$new_convenience\"`' else whole_archive_flag_spec='' fi link_all_deplibs=yes allow_undefined_flag="$_lt_dar_allow_undefined" case $cc_basename in ifort*) _lt_dar_can_shared=yes ;; *) _lt_dar_can_shared=$GCC ;; esac if test "$_lt_dar_can_shared" = "yes"; then output_verbose_link_cmd=func_echo_all archive_cmds="\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring $_lt_dar_single_mod${_lt_dsymutil}" module_cmds="\$CC \$allow_undefined_flag -o \$lib -bundle \$libobjs \$deplibs \$compiler_flags${_lt_dsymutil}" archive_expsym_cmds="sed 's,^,_,' < \$export_symbols > \$output_objdir/\${libname}-symbols.expsym~\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring ${_lt_dar_single_mod}${_lt_dar_export_syms}${_lt_dsymutil}" module_expsym_cmds="sed -e 's,^,_,' < \$export_symbols > \$output_objdir/\${libname}-symbols.expsym~\$CC \$allow_undefined_flag -o \$lib -bundle \$libobjs \$deplibs \$compiler_flags${_lt_dar_export_syms}${_lt_dsymutil}" else ld_shlibs=no fi ;; dgux*) archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' hardcode_libdir_flag_spec='-L$libdir' hardcode_shlibpath_var=no ;; # FreeBSD 2.2.[012] allows us to include c++rt0.o to get C++ constructor # support. Future versions do this automatically, but an explicit c++rt0.o # does not break anything, and helps significantly (at the cost of a little # extra space). freebsd2.2*) archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags /usr/lib/c++rt0.o' hardcode_libdir_flag_spec='-R$libdir' hardcode_direct=yes hardcode_shlibpath_var=no ;; # Unfortunately, older versions of FreeBSD 2 do not have this feature. freebsd2.*) archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags' hardcode_direct=yes hardcode_minus_L=yes hardcode_shlibpath_var=no ;; # FreeBSD 3 and greater uses gcc -shared to do shared libraries. freebsd* | dragonfly*) archive_cmds='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags' hardcode_libdir_flag_spec='-R$libdir' hardcode_direct=yes hardcode_shlibpath_var=no ;; hpux9*) if test "$GCC" = yes; then archive_cmds='$RM $output_objdir/$soname~$CC -shared $pic_flag ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $libobjs $deplibs $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib' else archive_cmds='$RM $output_objdir/$soname~$LD -b +b $install_libdir -o $output_objdir/$soname $libobjs $deplibs $linker_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib' fi hardcode_libdir_flag_spec='${wl}+b ${wl}$libdir' hardcode_libdir_separator=: hardcode_direct=yes # hardcode_minus_L: Not really in the search PATH, # but as the default location of the library. hardcode_minus_L=yes export_dynamic_flag_spec='${wl}-E' ;; hpux10*) if test "$GCC" = yes && test "$with_gnu_ld" = no; then archive_cmds='$CC -shared $pic_flag ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags' else archive_cmds='$LD -b +h $soname +b $install_libdir -o $lib $libobjs $deplibs $linker_flags' fi if test "$with_gnu_ld" = no; then hardcode_libdir_flag_spec='${wl}+b ${wl}$libdir' hardcode_libdir_separator=: hardcode_direct=yes hardcode_direct_absolute=yes export_dynamic_flag_spec='${wl}-E' # hardcode_minus_L: Not really in the search PATH, # but as the default location of the library. hardcode_minus_L=yes fi ;; hpux11*) if test "$GCC" = yes && test "$with_gnu_ld" = no; then case $host_cpu in hppa*64*) archive_cmds='$CC -shared ${wl}+h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags' ;; ia64*) archive_cmds='$CC -shared $pic_flag ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags' ;; *) archive_cmds='$CC -shared $pic_flag ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags' ;; esac else case $host_cpu in hppa*64*) archive_cmds='$CC -b ${wl}+h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags' ;; ia64*) archive_cmds='$CC -b ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags' ;; *) # Older versions of the 11.00 compiler do not understand -b yet # (HP92453-01 A.11.01.20 doesn't, HP92453-01 B.11.X.35175-35176.GP does) { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC understands -b" >&5 $as_echo_n "checking if $CC understands -b... " >&6; } if ${lt_cv_prog_compiler__b+:} false; then : $as_echo_n "(cached) " >&6 else lt_cv_prog_compiler__b=no save_LDFLAGS="$LDFLAGS" LDFLAGS="$LDFLAGS -b" echo "$lt_simple_link_test_code" > conftest.$ac_ext if (eval $ac_link 2>conftest.err) && test -s conftest$ac_exeext; then # The linker can only warn and ignore the option if not recognized # So say no if there are warnings if test -s conftest.err; then # Append any errors to the config.log. cat conftest.err 1>&5 $ECHO "$_lt_linker_boilerplate" | $SED '/^$/d' > conftest.exp $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2 if diff conftest.exp conftest.er2 >/dev/null; then lt_cv_prog_compiler__b=yes fi else lt_cv_prog_compiler__b=yes fi fi $RM -r conftest* LDFLAGS="$save_LDFLAGS" fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_prog_compiler__b" >&5 $as_echo "$lt_cv_prog_compiler__b" >&6; } if test x"$lt_cv_prog_compiler__b" = xyes; then archive_cmds='$CC -b ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags' else archive_cmds='$LD -b +h $soname +b $install_libdir -o $lib $libobjs $deplibs $linker_flags' fi ;; esac fi if test "$with_gnu_ld" = no; then hardcode_libdir_flag_spec='${wl}+b ${wl}$libdir' hardcode_libdir_separator=: case $host_cpu in hppa*64*|ia64*) hardcode_direct=no hardcode_shlibpath_var=no ;; *) hardcode_direct=yes hardcode_direct_absolute=yes export_dynamic_flag_spec='${wl}-E' # hardcode_minus_L: Not really in the search PATH, # but as the default location of the library. hardcode_minus_L=yes ;; esac fi ;; irix5* | irix6* | nonstopux*) if test "$GCC" = yes; then archive_cmds='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && func_echo_all "${wl}-set_version ${wl}$verstring"` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib' # Try to use the -exported_symbol ld option, if it does not # work, assume that -exports_file does not work either and # implicitly export all symbols. # This should be the same for all languages, so no per-tag cache variable. { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the $host_os linker accepts -exported_symbol" >&5 $as_echo_n "checking whether the $host_os linker accepts -exported_symbol... " >&6; } if ${lt_cv_irix_exported_symbol+:} false; then : $as_echo_n "(cached) " >&6 else save_LDFLAGS="$LDFLAGS" LDFLAGS="$LDFLAGS -shared ${wl}-exported_symbol ${wl}foo ${wl}-update_registry ${wl}/dev/null" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int foo (void) { return 0; } _ACEOF if ac_fn_c_try_link "$LINENO"; then : lt_cv_irix_exported_symbol=yes else lt_cv_irix_exported_symbol=no fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext LDFLAGS="$save_LDFLAGS" fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_irix_exported_symbol" >&5 $as_echo "$lt_cv_irix_exported_symbol" >&6; } if test "$lt_cv_irix_exported_symbol" = yes; then archive_expsym_cmds='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && func_echo_all "${wl}-set_version ${wl}$verstring"` ${wl}-update_registry ${wl}${output_objdir}/so_locations ${wl}-exports_file ${wl}$export_symbols -o $lib' fi else archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry ${output_objdir}/so_locations -o $lib' archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry ${output_objdir}/so_locations -exports_file $export_symbols -o $lib' fi archive_cmds_need_lc='no' hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir' hardcode_libdir_separator=: inherit_rpath=yes link_all_deplibs=yes ;; netbsd* | netbsdelf*-gnu) if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags' # a.out else archive_cmds='$LD -shared -o $lib $libobjs $deplibs $linker_flags' # ELF fi hardcode_libdir_flag_spec='-R$libdir' hardcode_direct=yes hardcode_shlibpath_var=no ;; newsos6) archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' hardcode_direct=yes hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir' hardcode_libdir_separator=: hardcode_shlibpath_var=no ;; *nto* | *qnx*) ;; openbsd*) if test -f /usr/libexec/ld.so; then hardcode_direct=yes hardcode_shlibpath_var=no hardcode_direct_absolute=yes if test -z "`echo __ELF__ | $CC -E - | $GREP __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then archive_cmds='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags' archive_expsym_cmds='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-retain-symbols-file,$export_symbols' hardcode_libdir_flag_spec='${wl}-rpath,$libdir' export_dynamic_flag_spec='${wl}-E' else case $host_os in openbsd[01].* | openbsd2.[0-7] | openbsd2.[0-7].*) archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags' hardcode_libdir_flag_spec='-R$libdir' ;; *) archive_cmds='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags' hardcode_libdir_flag_spec='${wl}-rpath,$libdir' ;; esac fi else ld_shlibs=no fi ;; os2*) hardcode_libdir_flag_spec='-L$libdir' hardcode_minus_L=yes allow_undefined_flag=unsupported archive_cmds='$ECHO "LIBRARY $libname INITINSTANCE" > $output_objdir/$libname.def~$ECHO "DESCRIPTION \"$libname\"" >> $output_objdir/$libname.def~echo DATA >> $output_objdir/$libname.def~echo " SINGLE NONSHARED" >> $output_objdir/$libname.def~echo EXPORTS >> $output_objdir/$libname.def~emxexp $libobjs >> $output_objdir/$libname.def~$CC -Zdll -Zcrtdll -o $lib $libobjs $deplibs $compiler_flags $output_objdir/$libname.def' old_archive_from_new_cmds='emximp -o $output_objdir/$libname.a $output_objdir/$libname.def' ;; osf3*) if test "$GCC" = yes; then allow_undefined_flag=' ${wl}-expect_unresolved ${wl}\*' archive_cmds='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && func_echo_all "${wl}-set_version ${wl}$verstring"` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib' else allow_undefined_flag=' -expect_unresolved \*' archive_cmds='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry ${output_objdir}/so_locations -o $lib' fi archive_cmds_need_lc='no' hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir' hardcode_libdir_separator=: ;; osf4* | osf5*) # as osf3* with the addition of -msym flag if test "$GCC" = yes; then allow_undefined_flag=' ${wl}-expect_unresolved ${wl}\*' archive_cmds='$CC -shared${allow_undefined_flag} $pic_flag $libobjs $deplibs $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && func_echo_all "${wl}-set_version ${wl}$verstring"` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib' hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir' else allow_undefined_flag=' -expect_unresolved \*' archive_cmds='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags -msym -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry ${output_objdir}/so_locations -o $lib' archive_expsym_cmds='for i in `cat $export_symbols`; do printf "%s %s\\n" -exported_symbol "\$i" >> $lib.exp; done; printf "%s\\n" "-hidden">> $lib.exp~ $CC -shared${allow_undefined_flag} ${wl}-input ${wl}$lib.exp $compiler_flags $libobjs $deplibs -soname $soname `test -n "$verstring" && $ECHO "-set_version $verstring"` -update_registry ${output_objdir}/so_locations -o $lib~$RM $lib.exp' # Both c and cxx compiler support -rpath directly hardcode_libdir_flag_spec='-rpath $libdir' fi archive_cmds_need_lc='no' hardcode_libdir_separator=: ;; solaris*) no_undefined_flag=' -z defs' if test "$GCC" = yes; then wlarc='${wl}' archive_cmds='$CC -shared $pic_flag ${wl}-z ${wl}text ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags' archive_expsym_cmds='echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~echo "local: *; };" >> $lib.exp~ $CC -shared $pic_flag ${wl}-z ${wl}text ${wl}-M ${wl}$lib.exp ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags~$RM $lib.exp' else case `$CC -V 2>&1` in *"Compilers 5.0"*) wlarc='' archive_cmds='$LD -G${allow_undefined_flag} -h $soname -o $lib $libobjs $deplibs $linker_flags' archive_expsym_cmds='echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~echo "local: *; };" >> $lib.exp~ $LD -G${allow_undefined_flag} -M $lib.exp -h $soname -o $lib $libobjs $deplibs $linker_flags~$RM $lib.exp' ;; *) wlarc='${wl}' archive_cmds='$CC -G${allow_undefined_flag} -h $soname -o $lib $libobjs $deplibs $compiler_flags' archive_expsym_cmds='echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~echo "local: *; };" >> $lib.exp~ $CC -G${allow_undefined_flag} -M $lib.exp -h $soname -o $lib $libobjs $deplibs $compiler_flags~$RM $lib.exp' ;; esac fi hardcode_libdir_flag_spec='-R$libdir' hardcode_shlibpath_var=no case $host_os in solaris2.[0-5] | solaris2.[0-5].*) ;; *) # The compiler driver will combine and reorder linker options, # but understands `-z linker_flag'. GCC discards it without `$wl', # but is careful enough not to reorder. # Supported since Solaris 2.6 (maybe 2.5.1?) if test "$GCC" = yes; then whole_archive_flag_spec='${wl}-z ${wl}allextract$convenience ${wl}-z ${wl}defaultextract' else whole_archive_flag_spec='-z allextract$convenience -z defaultextract' fi ;; esac link_all_deplibs=yes ;; sunos4*) if test "x$host_vendor" = xsequent; then # Use $CC to link under sequent, because it throws in some extra .o # files that make .init and .fini sections work. archive_cmds='$CC -G ${wl}-h $soname -o $lib $libobjs $deplibs $compiler_flags' else archive_cmds='$LD -assert pure-text -Bstatic -o $lib $libobjs $deplibs $linker_flags' fi hardcode_libdir_flag_spec='-L$libdir' hardcode_direct=yes hardcode_minus_L=yes hardcode_shlibpath_var=no ;; sysv4) case $host_vendor in sni) archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' hardcode_direct=yes # is this really true??? ;; siemens) ## LD is ld it makes a PLAMLIB ## CC just makes a GrossModule. archive_cmds='$LD -G -o $lib $libobjs $deplibs $linker_flags' reload_cmds='$CC -r -o $output$reload_objs' hardcode_direct=no ;; motorola) archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' hardcode_direct=no #Motorola manual says yes, but my tests say they lie ;; esac runpath_var='LD_RUN_PATH' hardcode_shlibpath_var=no ;; sysv4.3*) archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' hardcode_shlibpath_var=no export_dynamic_flag_spec='-Bexport' ;; sysv4*MP*) if test -d /usr/nec; then archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' hardcode_shlibpath_var=no runpath_var=LD_RUN_PATH hardcode_runpath_var=yes ld_shlibs=yes fi ;; sysv4*uw2* | sysv5OpenUNIX* | sysv5UnixWare7.[01].[10]* | unixware7* | sco3.2v5.0.[024]*) no_undefined_flag='${wl}-z,text' archive_cmds_need_lc=no hardcode_shlibpath_var=no runpath_var='LD_RUN_PATH' if test "$GCC" = yes; then archive_cmds='$CC -shared ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags' archive_expsym_cmds='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags' else archive_cmds='$CC -G ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags' archive_expsym_cmds='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags' fi ;; sysv5* | sco3.2v5* | sco5v6*) # Note: We can NOT use -z defs as we might desire, because we do not # link with -lc, and that would cause any symbols used from libc to # always be unresolved, which means just about no library would # ever link correctly. If we're not using GNU ld we use -z text # though, which does catch some bad symbols but isn't as heavy-handed # as -z defs. no_undefined_flag='${wl}-z,text' allow_undefined_flag='${wl}-z,nodefs' archive_cmds_need_lc=no hardcode_shlibpath_var=no hardcode_libdir_flag_spec='${wl}-R,$libdir' hardcode_libdir_separator=':' link_all_deplibs=yes export_dynamic_flag_spec='${wl}-Bexport' runpath_var='LD_RUN_PATH' if test "$GCC" = yes; then archive_cmds='$CC -shared ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags' archive_expsym_cmds='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags' else archive_cmds='$CC -G ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags' archive_expsym_cmds='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags' fi ;; uts4*) archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' hardcode_libdir_flag_spec='-L$libdir' hardcode_shlibpath_var=no ;; *) ld_shlibs=no ;; esac if test x$host_vendor = xsni; then case $host in sysv4 | sysv4.2uw2* | sysv4.3* | sysv5*) export_dynamic_flag_spec='${wl}-Blargedynsym' ;; esac fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ld_shlibs" >&5 $as_echo "$ld_shlibs" >&6; } test "$ld_shlibs" = no && can_build_shared=no with_gnu_ld=$with_gnu_ld # # Do we need to explicitly link libc? # case "x$archive_cmds_need_lc" in x|xyes) # Assume -lc should be added archive_cmds_need_lc=yes if test "$enable_shared" = yes && test "$GCC" = yes; then case $archive_cmds in *'~'*) # FIXME: we may have to deal with multi-command sequences. ;; '$CC '*) # Test whether the compiler implicitly links with -lc since on some # systems, -lgcc has to come before -lc. If gcc already passes -lc # to ld, don't add -lc before -lgcc. { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether -lc should be explicitly linked in" >&5 $as_echo_n "checking whether -lc should be explicitly linked in... " >&6; } if ${lt_cv_archive_cmds_need_lc+:} false; then : $as_echo_n "(cached) " >&6 else $RM conftest* echo "$lt_simple_compile_test_code" > conftest.$ac_ext if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5 (eval $ac_compile) 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; } 2>conftest.err; then soname=conftest lib=conftest libobjs=conftest.$ac_objext deplibs= wl=$lt_prog_compiler_wl pic_flag=$lt_prog_compiler_pic compiler_flags=-v linker_flags=-v verstring= output_objdir=. libname=conftest lt_save_allow_undefined_flag=$allow_undefined_flag allow_undefined_flag= if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$archive_cmds 2\>\&1 \| $GREP \" -lc \" \>/dev/null 2\>\&1\""; } >&5 (eval $archive_cmds 2\>\&1 \| $GREP \" -lc \" \>/dev/null 2\>\&1) 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; } then lt_cv_archive_cmds_need_lc=no else lt_cv_archive_cmds_need_lc=yes fi allow_undefined_flag=$lt_save_allow_undefined_flag else cat conftest.err 1>&5 fi $RM conftest* fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_archive_cmds_need_lc" >&5 $as_echo "$lt_cv_archive_cmds_need_lc" >&6; } archive_cmds_need_lc=$lt_cv_archive_cmds_need_lc ;; esac fi ;; esac { $as_echo "$as_me:${as_lineno-$LINENO}: checking dynamic linker characteristics" >&5 $as_echo_n "checking dynamic linker characteristics... " >&6; } if test "$GCC" = yes; then case $host_os in darwin*) lt_awk_arg="/^libraries:/,/LR/" ;; *) lt_awk_arg="/^libraries:/" ;; esac case $host_os in mingw* | cegcc*) lt_sed_strip_eq="s,=\([A-Za-z]:\),\1,g" ;; *) lt_sed_strip_eq="s,=/,/,g" ;; esac lt_search_path_spec=`$CC -print-search-dirs | awk $lt_awk_arg | $SED -e "s/^libraries://" -e $lt_sed_strip_eq` case $lt_search_path_spec in *\;*) # if the path contains ";" then we assume it to be the separator # otherwise default to the standard path separator (i.e. ":") - it is # assumed that no part of a normal pathname contains ";" but that should # okay in the real world where ";" in dirpaths is itself problematic. lt_search_path_spec=`$ECHO "$lt_search_path_spec" | $SED 's/;/ /g'` ;; *) lt_search_path_spec=`$ECHO "$lt_search_path_spec" | $SED "s/$PATH_SEPARATOR/ /g"` ;; esac # Ok, now we have the path, separated by spaces, we can step through it # and add multilib dir if necessary. lt_tmp_lt_search_path_spec= lt_multi_os_dir=`$CC $CPPFLAGS $CFLAGS $LDFLAGS -print-multi-os-directory 2>/dev/null` for lt_sys_path in $lt_search_path_spec; do if test -d "$lt_sys_path/$lt_multi_os_dir"; then lt_tmp_lt_search_path_spec="$lt_tmp_lt_search_path_spec $lt_sys_path/$lt_multi_os_dir" else test -d "$lt_sys_path" && \ lt_tmp_lt_search_path_spec="$lt_tmp_lt_search_path_spec $lt_sys_path" fi done lt_search_path_spec=`$ECHO "$lt_tmp_lt_search_path_spec" | awk ' BEGIN {RS=" "; FS="/|\n";} { lt_foo=""; lt_count=0; for (lt_i = NF; lt_i > 0; lt_i--) { if ($lt_i != "" && $lt_i != ".") { if ($lt_i == "..") { lt_count++; } else { if (lt_count == 0) { lt_foo="/" $lt_i lt_foo; } else { lt_count--; } } } } if (lt_foo != "") { lt_freq[lt_foo]++; } if (lt_freq[lt_foo] == 1) { print lt_foo; } }'` # AWK program above erroneously prepends '/' to C:/dos/paths # for these hosts. case $host_os in mingw* | cegcc*) lt_search_path_spec=`$ECHO "$lt_search_path_spec" |\ $SED 's,/\([A-Za-z]:\),\1,g'` ;; esac sys_lib_search_path_spec=`$ECHO "$lt_search_path_spec" | $lt_NL2SP` else sys_lib_search_path_spec="/lib /usr/lib /usr/local/lib" fi library_names_spec= libname_spec='lib$name' soname_spec= shrext_cmds=".so" postinstall_cmds= postuninstall_cmds= finish_cmds= finish_eval= shlibpath_var= shlibpath_overrides_runpath=unknown version_type=none dynamic_linker="$host_os ld.so" sys_lib_dlsearch_path_spec="/lib /usr/lib" need_lib_prefix=unknown hardcode_into_libs=no # when you set need_version to no, make sure it does not cause -set_version # flags to be left without arguments need_version=unknown case $host_os in aix3*) version_type=linux # correct to gnu/linux during the next big refactor library_names_spec='${libname}${release}${shared_ext}$versuffix $libname.a' shlibpath_var=LIBPATH # AIX 3 has no versioning support, so we append a major version to the name. soname_spec='${libname}${release}${shared_ext}$major' ;; aix[4-9]*) version_type=linux # correct to gnu/linux during the next big refactor need_lib_prefix=no need_version=no hardcode_into_libs=yes if test "$host_cpu" = ia64; then # AIX 5 supports IA64 library_names_spec='${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext}$versuffix $libname${shared_ext}' shlibpath_var=LD_LIBRARY_PATH else # With GCC up to 2.95.x, collect2 would create an import file # for dependence libraries. The import file would start with # the line `#! .'. This would cause the generated library to # depend on `.', always an invalid library. This was fixed in # development snapshots of GCC prior to 3.0. case $host_os in aix4 | aix4.[01] | aix4.[01].*) if { echo '#if __GNUC__ > 2 || (__GNUC__ == 2 && __GNUC_MINOR__ >= 97)' echo ' yes ' echo '#endif'; } | ${CC} -E - | $GREP yes > /dev/null; then : else can_build_shared=no fi ;; esac # AIX (on Power*) has no versioning support, so currently we can not hardcode correct # soname into executable. Probably we can add versioning support to # collect2, so additional links can be useful in future. if test "$aix_use_runtimelinking" = yes; then # If using run time linking (on AIX 4.2 or later) use lib.so # instead of lib.a to let people know that these are not # typical AIX shared libraries. library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' else # We preserve .a as extension for shared libraries through AIX4.2 # and later when we are not doing run time linking. library_names_spec='${libname}${release}.a $libname.a' soname_spec='${libname}${release}${shared_ext}$major' fi shlibpath_var=LIBPATH fi ;; amigaos*) case $host_cpu in powerpc) # Since July 2007 AmigaOS4 officially supports .so libraries. # When compiling the executable, add -use-dynld -Lsobjs: to the compileline. library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' ;; m68k) library_names_spec='$libname.ixlibrary $libname.a' # Create ${libname}_ixlibrary.a entries in /sys/libs. finish_eval='for lib in `ls $libdir/*.ixlibrary 2>/dev/null`; do libname=`func_echo_all "$lib" | $SED '\''s%^.*/\([^/]*\)\.ixlibrary$%\1%'\''`; test $RM /sys/libs/${libname}_ixlibrary.a; $show "cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a"; cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a || exit 1; done' ;; esac ;; beos*) library_names_spec='${libname}${shared_ext}' dynamic_linker="$host_os ld.so" shlibpath_var=LIBRARY_PATH ;; bsdi[45]*) version_type=linux # correct to gnu/linux during the next big refactor need_version=no library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' soname_spec='${libname}${release}${shared_ext}$major' finish_cmds='PATH="\$PATH:/sbin" ldconfig $libdir' shlibpath_var=LD_LIBRARY_PATH sys_lib_search_path_spec="/shlib /usr/lib /usr/X11/lib /usr/contrib/lib /lib /usr/local/lib" sys_lib_dlsearch_path_spec="/shlib /usr/lib /usr/local/lib" # the default ld.so.conf also contains /usr/contrib/lib and # /usr/X11R6/lib (/usr/X11 is a link to /usr/X11R6), but let us allow # libtool to hard-code these into programs ;; cygwin* | mingw* | pw32* | cegcc*) version_type=windows shrext_cmds=".dll" need_version=no need_lib_prefix=no case $GCC,$cc_basename in yes,*) # gcc library_names_spec='$libname.dll.a' # DLL is installed to $(libdir)/../bin by postinstall_cmds postinstall_cmds='base_file=`basename \${file}`~ dlpath=`$SHELL 2>&1 -c '\''. $dir/'\''\${base_file}'\''i; echo \$dlname'\''`~ dldir=$destdir/`dirname \$dlpath`~ test -d \$dldir || mkdir -p \$dldir~ $install_prog $dir/$dlname \$dldir/$dlname~ chmod a+x \$dldir/$dlname~ if test -n '\''$stripme'\'' && test -n '\''$striplib'\''; then eval '\''$striplib \$dldir/$dlname'\'' || exit \$?; fi' postuninstall_cmds='dldll=`$SHELL 2>&1 -c '\''. $file; echo \$dlname'\''`~ dlpath=$dir/\$dldll~ $RM \$dlpath' shlibpath_overrides_runpath=yes case $host_os in cygwin*) # Cygwin DLLs use 'cyg' prefix rather than 'lib' soname_spec='`echo ${libname} | sed -e 's/^lib/cyg/'``echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}' sys_lib_search_path_spec="$sys_lib_search_path_spec /usr/lib/w32api" ;; mingw* | cegcc*) # MinGW DLLs use traditional 'lib' prefix soname_spec='${libname}`echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}' ;; pw32*) # pw32 DLLs use 'pw' prefix rather than 'lib' library_names_spec='`echo ${libname} | sed -e 's/^lib/pw/'``echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}' ;; esac dynamic_linker='Win32 ld.exe' ;; *,cl*) # Native MSVC libname_spec='$name' soname_spec='${libname}`echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}' library_names_spec='${libname}.dll.lib' case $build_os in mingw*) sys_lib_search_path_spec= lt_save_ifs=$IFS IFS=';' for lt_path in $LIB do IFS=$lt_save_ifs # Let DOS variable expansion print the short 8.3 style file name. lt_path=`cd "$lt_path" 2>/dev/null && cmd //C "for %i in (".") do @echo %~si"` sys_lib_search_path_spec="$sys_lib_search_path_spec $lt_path" done IFS=$lt_save_ifs # Convert to MSYS style. sys_lib_search_path_spec=`$ECHO "$sys_lib_search_path_spec" | sed -e 's|\\\\|/|g' -e 's| \\([a-zA-Z]\\):| /\\1|g' -e 's|^ ||'` ;; cygwin*) # Convert to unix form, then to dos form, then back to unix form # but this time dos style (no spaces!) so that the unix form looks # like /cygdrive/c/PROGRA~1:/cygdr... sys_lib_search_path_spec=`cygpath --path --unix "$LIB"` sys_lib_search_path_spec=`cygpath --path --dos "$sys_lib_search_path_spec" 2>/dev/null` sys_lib_search_path_spec=`cygpath --path --unix "$sys_lib_search_path_spec" | $SED -e "s/$PATH_SEPARATOR/ /g"` ;; *) sys_lib_search_path_spec="$LIB" if $ECHO "$sys_lib_search_path_spec" | $GREP ';[c-zC-Z]:/' >/dev/null; then # It is most probably a Windows format PATH. sys_lib_search_path_spec=`$ECHO "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'` else sys_lib_search_path_spec=`$ECHO "$sys_lib_search_path_spec" | $SED -e "s/$PATH_SEPARATOR/ /g"` fi # FIXME: find the short name or the path components, as spaces are # common. (e.g. "Program Files" -> "PROGRA~1") ;; esac # DLL is installed to $(libdir)/../bin by postinstall_cmds postinstall_cmds='base_file=`basename \${file}`~ dlpath=`$SHELL 2>&1 -c '\''. $dir/'\''\${base_file}'\''i; echo \$dlname'\''`~ dldir=$destdir/`dirname \$dlpath`~ test -d \$dldir || mkdir -p \$dldir~ $install_prog $dir/$dlname \$dldir/$dlname' postuninstall_cmds='dldll=`$SHELL 2>&1 -c '\''. $file; echo \$dlname'\''`~ dlpath=$dir/\$dldll~ $RM \$dlpath' shlibpath_overrides_runpath=yes dynamic_linker='Win32 link.exe' ;; *) # Assume MSVC wrapper library_names_spec='${libname}`echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext} $libname.lib' dynamic_linker='Win32 ld.exe' ;; esac # FIXME: first we should search . and the directory the executable is in shlibpath_var=PATH ;; darwin* | rhapsody*) dynamic_linker="$host_os dyld" version_type=darwin need_lib_prefix=no need_version=no library_names_spec='${libname}${release}${major}$shared_ext ${libname}$shared_ext' soname_spec='${libname}${release}${major}$shared_ext' shlibpath_overrides_runpath=yes shlibpath_var=DYLD_LIBRARY_PATH shrext_cmds='`test .$module = .yes && echo .so || echo .dylib`' sys_lib_search_path_spec="$sys_lib_search_path_spec /usr/local/lib" sys_lib_dlsearch_path_spec='/usr/local/lib /lib /usr/lib' ;; dgux*) version_type=linux # correct to gnu/linux during the next big refactor need_lib_prefix=no need_version=no library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname$shared_ext' soname_spec='${libname}${release}${shared_ext}$major' shlibpath_var=LD_LIBRARY_PATH ;; freebsd* | dragonfly*) # DragonFly does not have aout. When/if they implement a new # versioning mechanism, adjust this. if test -x /usr/bin/objformat; then objformat=`/usr/bin/objformat` else case $host_os in freebsd[23].*) objformat=aout ;; *) objformat=elf ;; esac fi version_type=freebsd-$objformat case $version_type in freebsd-elf*) library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext} $libname${shared_ext}' need_version=no need_lib_prefix=no ;; freebsd-*) library_names_spec='${libname}${release}${shared_ext}$versuffix $libname${shared_ext}$versuffix' need_version=yes ;; esac shlibpath_var=LD_LIBRARY_PATH case $host_os in freebsd2.*) shlibpath_overrides_runpath=yes ;; freebsd3.[01]* | freebsdelf3.[01]*) shlibpath_overrides_runpath=yes hardcode_into_libs=yes ;; freebsd3.[2-9]* | freebsdelf3.[2-9]* | \ freebsd4.[0-5] | freebsdelf4.[0-5] | freebsd4.1.1 | freebsdelf4.1.1) shlibpath_overrides_runpath=no hardcode_into_libs=yes ;; *) # from 4.6 on, and DragonFly shlibpath_overrides_runpath=yes hardcode_into_libs=yes ;; esac ;; haiku*) version_type=linux # correct to gnu/linux during the next big refactor need_lib_prefix=no need_version=no dynamic_linker="$host_os runtime_loader" library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}${major} ${libname}${shared_ext}' soname_spec='${libname}${release}${shared_ext}$major' shlibpath_var=LIBRARY_PATH shlibpath_overrides_runpath=yes sys_lib_dlsearch_path_spec='/boot/home/config/lib /boot/common/lib /boot/system/lib' hardcode_into_libs=yes ;; hpux9* | hpux10* | hpux11*) # Give a soname corresponding to the major version so that dld.sl refuses to # link against other versions. version_type=sunos need_lib_prefix=no need_version=no case $host_cpu in ia64*) shrext_cmds='.so' hardcode_into_libs=yes dynamic_linker="$host_os dld.so" shlibpath_var=LD_LIBRARY_PATH shlibpath_overrides_runpath=yes # Unless +noenvvar is specified. library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' soname_spec='${libname}${release}${shared_ext}$major' if test "X$HPUX_IA64_MODE" = X32; then sys_lib_search_path_spec="/usr/lib/hpux32 /usr/local/lib/hpux32 /usr/local/lib" else sys_lib_search_path_spec="/usr/lib/hpux64 /usr/local/lib/hpux64" fi sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec ;; hppa*64*) shrext_cmds='.sl' hardcode_into_libs=yes dynamic_linker="$host_os dld.sl" shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH shlibpath_overrides_runpath=yes # Unless +noenvvar is specified. library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' soname_spec='${libname}${release}${shared_ext}$major' sys_lib_search_path_spec="/usr/lib/pa20_64 /usr/ccs/lib/pa20_64" sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec ;; *) shrext_cmds='.sl' dynamic_linker="$host_os dld.sl" shlibpath_var=SHLIB_PATH shlibpath_overrides_runpath=no # +s is required to enable SHLIB_PATH library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' soname_spec='${libname}${release}${shared_ext}$major' ;; esac # HP-UX runs *really* slowly unless shared libraries are mode 555, ... postinstall_cmds='chmod 555 $lib' # or fails outright, so override atomically: install_override_mode=555 ;; interix[3-9]*) version_type=linux # correct to gnu/linux during the next big refactor need_lib_prefix=no need_version=no library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}' soname_spec='${libname}${release}${shared_ext}$major' dynamic_linker='Interix 3.x ld.so.1 (PE, like ELF)' shlibpath_var=LD_LIBRARY_PATH shlibpath_overrides_runpath=no hardcode_into_libs=yes ;; irix5* | irix6* | nonstopux*) case $host_os in nonstopux*) version_type=nonstopux ;; *) if test "$lt_cv_prog_gnu_ld" = yes; then version_type=linux # correct to gnu/linux during the next big refactor else version_type=irix fi ;; esac need_lib_prefix=no need_version=no soname_spec='${libname}${release}${shared_ext}$major' library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext} $libname${shared_ext}' case $host_os in irix5* | nonstopux*) libsuff= shlibsuff= ;; *) case $LD in # libtool.m4 will add one of these switches to LD *-32|*"-32 "|*-melf32bsmip|*"-melf32bsmip ") libsuff= shlibsuff= libmagic=32-bit;; *-n32|*"-n32 "|*-melf32bmipn32|*"-melf32bmipn32 ") libsuff=32 shlibsuff=N32 libmagic=N32;; *-64|*"-64 "|*-melf64bmip|*"-melf64bmip ") libsuff=64 shlibsuff=64 libmagic=64-bit;; *) libsuff= shlibsuff= libmagic=never-match;; esac ;; esac shlibpath_var=LD_LIBRARY${shlibsuff}_PATH shlibpath_overrides_runpath=no sys_lib_search_path_spec="/usr/lib${libsuff} /lib${libsuff} /usr/local/lib${libsuff}" sys_lib_dlsearch_path_spec="/usr/lib${libsuff} /lib${libsuff}" hardcode_into_libs=yes ;; # No shared lib support for Linux oldld, aout, or coff. linux*oldld* | linux*aout* | linux*coff*) dynamic_linker=no ;; # This must be glibc/ELF. linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*) version_type=linux # correct to gnu/linux during the next big refactor need_lib_prefix=no need_version=no library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' soname_spec='${libname}${release}${shared_ext}$major' finish_cmds='PATH="\$PATH:/sbin" ldconfig -n $libdir' shlibpath_var=LD_LIBRARY_PATH shlibpath_overrides_runpath=no # Some binutils ld are patched to set DT_RUNPATH if ${lt_cv_shlibpath_overrides_runpath+:} false; then : $as_echo_n "(cached) " >&6 else lt_cv_shlibpath_overrides_runpath=no save_LDFLAGS=$LDFLAGS save_libdir=$libdir eval "libdir=/foo; wl=\"$lt_prog_compiler_wl\"; \ LDFLAGS=\"\$LDFLAGS $hardcode_libdir_flag_spec\"" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main () { ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO"; then : if ($OBJDUMP -p conftest$ac_exeext) 2>/dev/null | grep "RUNPATH.*$libdir" >/dev/null; then : lt_cv_shlibpath_overrides_runpath=yes fi fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext LDFLAGS=$save_LDFLAGS libdir=$save_libdir fi shlibpath_overrides_runpath=$lt_cv_shlibpath_overrides_runpath # This implies no fast_install, which is unacceptable. # Some rework will be needed to allow for fast_install # before this can be enabled. hardcode_into_libs=yes # Append ld.so.conf contents to the search path if test -f /etc/ld.so.conf; then lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ ]*hwcap[ ]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;s/"//g;/^$/d' | tr '\n' ' '` sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra" fi # We used to test for /lib/ld.so.1 and disable shared libraries on # powerpc, because MkLinux only supported shared libraries with the # GNU dynamic linker. Since this was broken with cross compilers, # most powerpc-linux boxes support dynamic linking these days and # people can always --disable-shared, the test was removed, and we # assume the GNU/Linux dynamic linker is in use. dynamic_linker='GNU/Linux ld.so' ;; netbsdelf*-gnu) version_type=linux need_lib_prefix=no need_version=no library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}' soname_spec='${libname}${release}${shared_ext}$major' shlibpath_var=LD_LIBRARY_PATH shlibpath_overrides_runpath=no hardcode_into_libs=yes dynamic_linker='NetBSD ld.elf_so' ;; netbsd*) version_type=sunos need_lib_prefix=no need_version=no if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix' finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir' dynamic_linker='NetBSD (a.out) ld.so' else library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}' soname_spec='${libname}${release}${shared_ext}$major' dynamic_linker='NetBSD ld.elf_so' fi shlibpath_var=LD_LIBRARY_PATH shlibpath_overrides_runpath=yes hardcode_into_libs=yes ;; newsos6) version_type=linux # correct to gnu/linux during the next big refactor library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' shlibpath_var=LD_LIBRARY_PATH shlibpath_overrides_runpath=yes ;; *nto* | *qnx*) version_type=qnx need_lib_prefix=no need_version=no library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' soname_spec='${libname}${release}${shared_ext}$major' shlibpath_var=LD_LIBRARY_PATH shlibpath_overrides_runpath=no hardcode_into_libs=yes dynamic_linker='ldqnx.so' ;; openbsd*) version_type=sunos sys_lib_dlsearch_path_spec="/usr/lib" need_lib_prefix=no # Some older versions of OpenBSD (3.3 at least) *do* need versioned libs. case $host_os in openbsd3.3 | openbsd3.3.*) need_version=yes ;; *) need_version=no ;; esac library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix' finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir' shlibpath_var=LD_LIBRARY_PATH if test -z "`echo __ELF__ | $CC -E - | $GREP __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then case $host_os in openbsd2.[89] | openbsd2.[89].*) shlibpath_overrides_runpath=no ;; *) shlibpath_overrides_runpath=yes ;; esac else shlibpath_overrides_runpath=yes fi ;; os2*) libname_spec='$name' shrext_cmds=".dll" need_lib_prefix=no library_names_spec='$libname${shared_ext} $libname.a' dynamic_linker='OS/2 ld.exe' shlibpath_var=LIBPATH ;; osf3* | osf4* | osf5*) version_type=osf need_lib_prefix=no need_version=no soname_spec='${libname}${release}${shared_ext}$major' library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' shlibpath_var=LD_LIBRARY_PATH sys_lib_search_path_spec="/usr/shlib /usr/ccs/lib /usr/lib/cmplrs/cc /usr/lib /usr/local/lib /var/shlib" sys_lib_dlsearch_path_spec="$sys_lib_search_path_spec" ;; rdos*) dynamic_linker=no ;; solaris*) version_type=linux # correct to gnu/linux during the next big refactor need_lib_prefix=no need_version=no library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' soname_spec='${libname}${release}${shared_ext}$major' shlibpath_var=LD_LIBRARY_PATH shlibpath_overrides_runpath=yes hardcode_into_libs=yes # ldd complains unless libraries are executable postinstall_cmds='chmod +x $lib' ;; sunos4*) version_type=sunos library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix' finish_cmds='PATH="\$PATH:/usr/etc" ldconfig $libdir' shlibpath_var=LD_LIBRARY_PATH shlibpath_overrides_runpath=yes if test "$with_gnu_ld" = yes; then need_lib_prefix=no fi need_version=yes ;; sysv4 | sysv4.3*) version_type=linux # correct to gnu/linux during the next big refactor library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' soname_spec='${libname}${release}${shared_ext}$major' shlibpath_var=LD_LIBRARY_PATH case $host_vendor in sni) shlibpath_overrides_runpath=no need_lib_prefix=no runpath_var=LD_RUN_PATH ;; siemens) need_lib_prefix=no ;; motorola) need_lib_prefix=no need_version=no shlibpath_overrides_runpath=no sys_lib_search_path_spec='/lib /usr/lib /usr/ccs/lib' ;; esac ;; sysv4*MP*) if test -d /usr/nec ;then version_type=linux # correct to gnu/linux during the next big refactor library_names_spec='$libname${shared_ext}.$versuffix $libname${shared_ext}.$major $libname${shared_ext}' soname_spec='$libname${shared_ext}.$major' shlibpath_var=LD_LIBRARY_PATH fi ;; sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*) version_type=freebsd-elf need_lib_prefix=no need_version=no library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext} $libname${shared_ext}' soname_spec='${libname}${release}${shared_ext}$major' shlibpath_var=LD_LIBRARY_PATH shlibpath_overrides_runpath=yes hardcode_into_libs=yes if test "$with_gnu_ld" = yes; then sys_lib_search_path_spec='/usr/local/lib /usr/gnu/lib /usr/ccs/lib /usr/lib /lib' else sys_lib_search_path_spec='/usr/ccs/lib /usr/lib' case $host_os in sco3.2v5*) sys_lib_search_path_spec="$sys_lib_search_path_spec /lib" ;; esac fi sys_lib_dlsearch_path_spec='/usr/lib' ;; tpf*) # TPF is a cross-target only. Preferred cross-host = GNU/Linux. version_type=linux # correct to gnu/linux during the next big refactor need_lib_prefix=no need_version=no library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' shlibpath_var=LD_LIBRARY_PATH shlibpath_overrides_runpath=no hardcode_into_libs=yes ;; uts4*) version_type=linux # correct to gnu/linux during the next big refactor library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' soname_spec='${libname}${release}${shared_ext}$major' shlibpath_var=LD_LIBRARY_PATH ;; *) dynamic_linker=no ;; esac { $as_echo "$as_me:${as_lineno-$LINENO}: result: $dynamic_linker" >&5 $as_echo "$dynamic_linker" >&6; } test "$dynamic_linker" = no && can_build_shared=no variables_saved_for_relink="PATH $shlibpath_var $runpath_var" if test "$GCC" = yes; then variables_saved_for_relink="$variables_saved_for_relink GCC_EXEC_PREFIX COMPILER_PATH LIBRARY_PATH" fi if test "${lt_cv_sys_lib_search_path_spec+set}" = set; then sys_lib_search_path_spec="$lt_cv_sys_lib_search_path_spec" fi if test "${lt_cv_sys_lib_dlsearch_path_spec+set}" = set; then sys_lib_dlsearch_path_spec="$lt_cv_sys_lib_dlsearch_path_spec" fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking how to hardcode library paths into programs" >&5 $as_echo_n "checking how to hardcode library paths into programs... " >&6; } hardcode_action= if test -n "$hardcode_libdir_flag_spec" || test -n "$runpath_var" || test "X$hardcode_automatic" = "Xyes" ; then # We can hardcode non-existent directories. if test "$hardcode_direct" != no && # If the only mechanism to avoid hardcoding is shlibpath_var, we # have to relink, otherwise we might link with an installed library # when we should be linking with a yet-to-be-installed one ## test "$_LT_TAGVAR(hardcode_shlibpath_var, )" != no && test "$hardcode_minus_L" != no; then # Linking always hardcodes the temporary library directory. hardcode_action=relink else # We can link without hardcoding, and we can hardcode nonexisting dirs. hardcode_action=immediate fi else # We cannot hardcode anything, or else we can only hardcode existing # directories. hardcode_action=unsupported fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $hardcode_action" >&5 $as_echo "$hardcode_action" >&6; } if test "$hardcode_action" = relink || test "$inherit_rpath" = yes; then # Fast installation is not supported enable_fast_install=no elif test "$shlibpath_overrides_runpath" = yes || test "$enable_shared" = no; then # Fast installation is not necessary enable_fast_install=needless fi if test "x$enable_dlopen" != xyes; then enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown else lt_cv_dlopen=no lt_cv_dlopen_libs= case $host_os in beos*) lt_cv_dlopen="load_add_on" lt_cv_dlopen_libs= lt_cv_dlopen_self=yes ;; mingw* | pw32* | cegcc*) lt_cv_dlopen="LoadLibrary" lt_cv_dlopen_libs= ;; cygwin*) lt_cv_dlopen="dlopen" lt_cv_dlopen_libs= ;; darwin*) # if libdl is installed we need to link against it { $as_echo "$as_me:${as_lineno-$LINENO}: checking for dlopen in -ldl" >&5 $as_echo_n "checking for dlopen in -ldl... " >&6; } if ${ac_cv_lib_dl_dlopen+:} false; then : $as_echo_n "(cached) " >&6 else ac_check_lib_save_LIBS=$LIBS LIBS="-ldl $LIBS" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC builtin and then its argument prototype would still apply. */ #ifdef __cplusplus extern "C" #endif char dlopen (); int main () { return dlopen (); ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO"; then : ac_cv_lib_dl_dlopen=yes else ac_cv_lib_dl_dlopen=no fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_dl_dlopen" >&5 $as_echo "$ac_cv_lib_dl_dlopen" >&6; } if test "x$ac_cv_lib_dl_dlopen" = xyes; then : lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-ldl" else lt_cv_dlopen="dyld" lt_cv_dlopen_libs= lt_cv_dlopen_self=yes fi ;; *) ac_fn_c_check_func "$LINENO" "shl_load" "ac_cv_func_shl_load" if test "x$ac_cv_func_shl_load" = xyes; then : lt_cv_dlopen="shl_load" else { $as_echo "$as_me:${as_lineno-$LINENO}: checking for shl_load in -ldld" >&5 $as_echo_n "checking for shl_load in -ldld... " >&6; } if ${ac_cv_lib_dld_shl_load+:} false; then : $as_echo_n "(cached) " >&6 else ac_check_lib_save_LIBS=$LIBS LIBS="-ldld $LIBS" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC builtin and then its argument prototype would still apply. */ #ifdef __cplusplus extern "C" #endif char shl_load (); int main () { return shl_load (); ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO"; then : ac_cv_lib_dld_shl_load=yes else ac_cv_lib_dld_shl_load=no fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_dld_shl_load" >&5 $as_echo "$ac_cv_lib_dld_shl_load" >&6; } if test "x$ac_cv_lib_dld_shl_load" = xyes; then : lt_cv_dlopen="shl_load" lt_cv_dlopen_libs="-ldld" else ac_fn_c_check_func "$LINENO" "dlopen" "ac_cv_func_dlopen" if test "x$ac_cv_func_dlopen" = xyes; then : lt_cv_dlopen="dlopen" else { $as_echo "$as_me:${as_lineno-$LINENO}: checking for dlopen in -ldl" >&5 $as_echo_n "checking for dlopen in -ldl... " >&6; } if ${ac_cv_lib_dl_dlopen+:} false; then : $as_echo_n "(cached) " >&6 else ac_check_lib_save_LIBS=$LIBS LIBS="-ldl $LIBS" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC builtin and then its argument prototype would still apply. */ #ifdef __cplusplus extern "C" #endif char dlopen (); int main () { return dlopen (); ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO"; then : ac_cv_lib_dl_dlopen=yes else ac_cv_lib_dl_dlopen=no fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_dl_dlopen" >&5 $as_echo "$ac_cv_lib_dl_dlopen" >&6; } if test "x$ac_cv_lib_dl_dlopen" = xyes; then : lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-ldl" else { $as_echo "$as_me:${as_lineno-$LINENO}: checking for dlopen in -lsvld" >&5 $as_echo_n "checking for dlopen in -lsvld... " >&6; } if ${ac_cv_lib_svld_dlopen+:} false; then : $as_echo_n "(cached) " >&6 else ac_check_lib_save_LIBS=$LIBS LIBS="-lsvld $LIBS" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC builtin and then its argument prototype would still apply. */ #ifdef __cplusplus extern "C" #endif char dlopen (); int main () { return dlopen (); ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO"; then : ac_cv_lib_svld_dlopen=yes else ac_cv_lib_svld_dlopen=no fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_svld_dlopen" >&5 $as_echo "$ac_cv_lib_svld_dlopen" >&6; } if test "x$ac_cv_lib_svld_dlopen" = xyes; then : lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-lsvld" else { $as_echo "$as_me:${as_lineno-$LINENO}: checking for dld_link in -ldld" >&5 $as_echo_n "checking for dld_link in -ldld... " >&6; } if ${ac_cv_lib_dld_dld_link+:} false; then : $as_echo_n "(cached) " >&6 else ac_check_lib_save_LIBS=$LIBS LIBS="-ldld $LIBS" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC builtin and then its argument prototype would still apply. */ #ifdef __cplusplus extern "C" #endif char dld_link (); int main () { return dld_link (); ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO"; then : ac_cv_lib_dld_dld_link=yes else ac_cv_lib_dld_dld_link=no fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_dld_dld_link" >&5 $as_echo "$ac_cv_lib_dld_dld_link" >&6; } if test "x$ac_cv_lib_dld_dld_link" = xyes; then : lt_cv_dlopen="dld_link" lt_cv_dlopen_libs="-ldld" fi fi fi fi fi fi ;; esac if test "x$lt_cv_dlopen" != xno; then enable_dlopen=yes else enable_dlopen=no fi case $lt_cv_dlopen in dlopen) save_CPPFLAGS="$CPPFLAGS" test "x$ac_cv_header_dlfcn_h" = xyes && CPPFLAGS="$CPPFLAGS -DHAVE_DLFCN_H" save_LDFLAGS="$LDFLAGS" wl=$lt_prog_compiler_wl eval LDFLAGS=\"\$LDFLAGS $export_dynamic_flag_spec\" save_LIBS="$LIBS" LIBS="$lt_cv_dlopen_libs $LIBS" { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether a program can dlopen itself" >&5 $as_echo_n "checking whether a program can dlopen itself... " >&6; } if ${lt_cv_dlopen_self+:} false; then : $as_echo_n "(cached) " >&6 else if test "$cross_compiling" = yes; then : lt_cv_dlopen_self=cross else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<_LT_EOF #line $LINENO "configure" #include "confdefs.h" #if HAVE_DLFCN_H #include #endif #include #ifdef RTLD_GLOBAL # define LT_DLGLOBAL RTLD_GLOBAL #else # ifdef DL_GLOBAL # define LT_DLGLOBAL DL_GLOBAL # else # define LT_DLGLOBAL 0 # endif #endif /* We may have to define LT_DLLAZY_OR_NOW in the command line if we find out it does not work in some platform. */ #ifndef LT_DLLAZY_OR_NOW # ifdef RTLD_LAZY # define LT_DLLAZY_OR_NOW RTLD_LAZY # else # ifdef DL_LAZY # define LT_DLLAZY_OR_NOW DL_LAZY # else # ifdef RTLD_NOW # define LT_DLLAZY_OR_NOW RTLD_NOW # else # ifdef DL_NOW # define LT_DLLAZY_OR_NOW DL_NOW # else # define LT_DLLAZY_OR_NOW 0 # endif # endif # endif # endif #endif /* When -fvisbility=hidden is used, assume the code has been annotated correspondingly for the symbols needed. */ #if defined(__GNUC__) && (((__GNUC__ == 3) && (__GNUC_MINOR__ >= 3)) || (__GNUC__ > 3)) int fnord () __attribute__((visibility("default"))); #endif int fnord () { return 42; } int main () { void *self = dlopen (0, LT_DLGLOBAL|LT_DLLAZY_OR_NOW); int status = $lt_dlunknown; if (self) { if (dlsym (self,"fnord")) status = $lt_dlno_uscore; else { if (dlsym( self,"_fnord")) status = $lt_dlneed_uscore; else puts (dlerror ()); } /* dlclose (self); */ } else puts (dlerror ()); return status; } _LT_EOF if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_link\""; } >&5 (eval $ac_link) 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; } && test -s conftest${ac_exeext} 2>/dev/null; then (./conftest; exit; ) >&5 2>/dev/null lt_status=$? case x$lt_status in x$lt_dlno_uscore) lt_cv_dlopen_self=yes ;; x$lt_dlneed_uscore) lt_cv_dlopen_self=yes ;; x$lt_dlunknown|x*) lt_cv_dlopen_self=no ;; esac else : # compilation failed lt_cv_dlopen_self=no fi fi rm -fr conftest* fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_dlopen_self" >&5 $as_echo "$lt_cv_dlopen_self" >&6; } if test "x$lt_cv_dlopen_self" = xyes; then wl=$lt_prog_compiler_wl eval LDFLAGS=\"\$LDFLAGS $lt_prog_compiler_static\" { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether a statically linked program can dlopen itself" >&5 $as_echo_n "checking whether a statically linked program can dlopen itself... " >&6; } if ${lt_cv_dlopen_self_static+:} false; then : $as_echo_n "(cached) " >&6 else if test "$cross_compiling" = yes; then : lt_cv_dlopen_self_static=cross else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<_LT_EOF #line $LINENO "configure" #include "confdefs.h" #if HAVE_DLFCN_H #include #endif #include #ifdef RTLD_GLOBAL # define LT_DLGLOBAL RTLD_GLOBAL #else # ifdef DL_GLOBAL # define LT_DLGLOBAL DL_GLOBAL # else # define LT_DLGLOBAL 0 # endif #endif /* We may have to define LT_DLLAZY_OR_NOW in the command line if we find out it does not work in some platform. */ #ifndef LT_DLLAZY_OR_NOW # ifdef RTLD_LAZY # define LT_DLLAZY_OR_NOW RTLD_LAZY # else # ifdef DL_LAZY # define LT_DLLAZY_OR_NOW DL_LAZY # else # ifdef RTLD_NOW # define LT_DLLAZY_OR_NOW RTLD_NOW # else # ifdef DL_NOW # define LT_DLLAZY_OR_NOW DL_NOW # else # define LT_DLLAZY_OR_NOW 0 # endif # endif # endif # endif #endif /* When -fvisbility=hidden is used, assume the code has been annotated correspondingly for the symbols needed. */ #if defined(__GNUC__) && (((__GNUC__ == 3) && (__GNUC_MINOR__ >= 3)) || (__GNUC__ > 3)) int fnord () __attribute__((visibility("default"))); #endif int fnord () { return 42; } int main () { void *self = dlopen (0, LT_DLGLOBAL|LT_DLLAZY_OR_NOW); int status = $lt_dlunknown; if (self) { if (dlsym (self,"fnord")) status = $lt_dlno_uscore; else { if (dlsym( self,"_fnord")) status = $lt_dlneed_uscore; else puts (dlerror ()); } /* dlclose (self); */ } else puts (dlerror ()); return status; } _LT_EOF if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_link\""; } >&5 (eval $ac_link) 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; } && test -s conftest${ac_exeext} 2>/dev/null; then (./conftest; exit; ) >&5 2>/dev/null lt_status=$? case x$lt_status in x$lt_dlno_uscore) lt_cv_dlopen_self_static=yes ;; x$lt_dlneed_uscore) lt_cv_dlopen_self_static=yes ;; x$lt_dlunknown|x*) lt_cv_dlopen_self_static=no ;; esac else : # compilation failed lt_cv_dlopen_self_static=no fi fi rm -fr conftest* fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_dlopen_self_static" >&5 $as_echo "$lt_cv_dlopen_self_static" >&6; } fi CPPFLAGS="$save_CPPFLAGS" LDFLAGS="$save_LDFLAGS" LIBS="$save_LIBS" ;; esac case $lt_cv_dlopen_self in yes|no) enable_dlopen_self=$lt_cv_dlopen_self ;; *) enable_dlopen_self=unknown ;; esac case $lt_cv_dlopen_self_static in yes|no) enable_dlopen_self_static=$lt_cv_dlopen_self_static ;; *) enable_dlopen_self_static=unknown ;; esac fi striplib= old_striplib= { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether stripping libraries is possible" >&5 $as_echo_n "checking whether stripping libraries is possible... " >&6; } if test -n "$STRIP" && $STRIP -V 2>&1 | $GREP "GNU strip" >/dev/null; then test -z "$old_striplib" && old_striplib="$STRIP --strip-debug" test -z "$striplib" && striplib="$STRIP --strip-unneeded" { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 $as_echo "yes" >&6; } else # FIXME - insert some real tests, host_os isn't really good enough case $host_os in darwin*) if test -n "$STRIP" ; then striplib="$STRIP -x" old_striplib="$STRIP -S" { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 $as_echo "yes" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi ;; *) { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } ;; esac fi # Report which library types will actually be built { $as_echo "$as_me:${as_lineno-$LINENO}: checking if libtool supports shared libraries" >&5 $as_echo_n "checking if libtool supports shared libraries... " >&6; } { $as_echo "$as_me:${as_lineno-$LINENO}: result: $can_build_shared" >&5 $as_echo "$can_build_shared" >&6; } { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to build shared libraries" >&5 $as_echo_n "checking whether to build shared libraries... " >&6; } test "$can_build_shared" = "no" && enable_shared=no # On AIX, shared libraries and static libraries use the same namespace, and # are all built from PIC. case $host_os in aix3*) test "$enable_shared" = yes && enable_static=no if test -n "$RANLIB"; then archive_cmds="$archive_cmds~\$RANLIB \$lib" postinstall_cmds='$RANLIB $lib' fi ;; aix[4-9]*) if test "$host_cpu" != ia64 && test "$aix_use_runtimelinking" = no ; then test "$enable_shared" = yes && enable_static=no fi ;; esac { $as_echo "$as_me:${as_lineno-$LINENO}: result: $enable_shared" >&5 $as_echo "$enable_shared" >&6; } { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to build static libraries" >&5 $as_echo_n "checking whether to build static libraries... " >&6; } # Make sure either enable_shared or enable_static is yes. test "$enable_shared" = yes || enable_static=yes { $as_echo "$as_me:${as_lineno-$LINENO}: result: $enable_static" >&5 $as_echo "$enable_static" >&6; } fi ac_ext=c ac_cpp='$CPP $CPPFLAGS' ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_c_compiler_gnu CC="$lt_save_CC" ac_config_commands="$ac_config_commands libtool" # Only expand once: if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}windres", so it can be a program name with args. set dummy ${ac_tool_prefix}windres; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_RC+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$RC"; then ac_cv_prog_RC="$RC" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_RC="${ac_tool_prefix}windres" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi RC=$ac_cv_prog_RC if test -n "$RC"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $RC" >&5 $as_echo "$RC" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi fi if test -z "$ac_cv_prog_RC"; then ac_ct_RC=$RC # Extract the first word of "windres", so it can be a program name with args. set dummy windres; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_ac_ct_RC+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$ac_ct_RC"; then ac_cv_prog_ac_ct_RC="$ac_ct_RC" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_ac_ct_RC="windres" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi ac_ct_RC=$ac_cv_prog_ac_ct_RC if test -n "$ac_ct_RC"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_RC" >&5 $as_echo "$ac_ct_RC" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi if test "x$ac_ct_RC" = x; then RC="" else case $cross_compiling:$ac_tool_warned in yes:) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 $as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac RC=$ac_ct_RC fi else RC="$ac_cv_prog_RC" fi # Source file extension for RC test sources. ac_ext=rc # Object file extension for compiled RC test sources. objext=o objext_RC=$objext # Code to be used in simple compile tests lt_simple_compile_test_code='sample MENU { MENUITEM "&Soup", 100, CHECKED }' # Code to be used in simple link tests lt_simple_link_test_code="$lt_simple_compile_test_code" # ltmain only uses $CC for tagged configurations so make sure $CC is set. # If no C compiler was specified, use CC. LTCC=${LTCC-"$CC"} # If no C compiler flags were specified, use CFLAGS. LTCFLAGS=${LTCFLAGS-"$CFLAGS"} # Allow CC to be a program name with arguments. compiler=$CC # save warnings/boilerplate of simple test code ac_outfile=conftest.$ac_objext echo "$lt_simple_compile_test_code" >conftest.$ac_ext eval "$ac_compile" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err _lt_compiler_boilerplate=`cat conftest.err` $RM conftest* ac_outfile=conftest.$ac_objext echo "$lt_simple_link_test_code" >conftest.$ac_ext eval "$ac_link" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err _lt_linker_boilerplate=`cat conftest.err` $RM -r conftest* # Allow CC to be a program name with arguments. lt_save_CC="$CC" lt_save_CFLAGS=$CFLAGS lt_save_GCC=$GCC GCC= CC=${RC-"windres"} CFLAGS= compiler=$CC compiler_RC=$CC for cc_temp in $compiler""; do case $cc_temp in compile | *[\\/]compile | ccache | *[\\/]ccache ) ;; distcc | *[\\/]distcc | purify | *[\\/]purify ) ;; \-*) ;; *) break;; esac done cc_basename=`$ECHO "$cc_temp" | $SED "s%.*/%%; s%^$host_alias-%%"` lt_cv_prog_compiler_c_o_RC=yes if test -n "$compiler"; then : fi GCC=$lt_save_GCC ac_ext=c ac_cpp='$CPP $CPPFLAGS' ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_c_compiler_gnu CC=$lt_save_CC CFLAGS=$lt_save_CFLAGS { $as_echo "$as_me:${as_lineno-$LINENO}: checking for an ANSI C-conforming const" >&5 $as_echo_n "checking for an ANSI C-conforming const... " >&6; } if ${ac_cv_c_const+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main () { #ifndef __cplusplus /* Ultrix mips cc rejects this sort of thing. */ typedef int charset[2]; const charset cs = { 0, 0 }; /* SunOS 4.1.1 cc rejects this. */ char const *const *pcpcc; char **ppc; /* NEC SVR4.0.2 mips cc rejects this. */ struct point {int x, y;}; static struct point const zero = {0,0}; /* AIX XL C 1.02.0.0 rejects this. It does not let you subtract one const X* pointer from another in an arm of an if-expression whose if-part is not a constant expression */ const char *g = "string"; pcpcc = &g + (g ? g-g : 0); /* HPUX 7.0 cc rejects these. */ ++pcpcc; ppc = (char**) pcpcc; pcpcc = (char const *const *) ppc; { /* SCO 3.2v4 cc rejects this sort of thing. */ char tx; char *t = &tx; char const *s = 0 ? (char *) 0 : (char const *) 0; *t++ = 0; if (s) return 0; } { /* Someone thinks the Sun supposedly-ANSI compiler will reject this. */ int x[] = {25, 17}; const int *foo = &x[0]; ++foo; } { /* Sun SC1.0 ANSI compiler rejects this -- but not the above. */ typedef const int *iptr; iptr p = 0; ++p; } { /* AIX XL C 1.02.0.0 rejects this sort of thing, saying "k.c", line 2.27: 1506-025 (S) Operand must be a modifiable lvalue. */ struct s { int j; const int *ap[3]; } bx; struct s *b = &bx; b->j = 5; } { /* ULTRIX-32 V3.1 (Rev 9) vcc rejects this */ const int foo = 10; if (!foo) return 0; } return !cs[0] && !zero.x; #endif ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ac_cv_c_const=yes else ac_cv_c_const=no fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_const" >&5 $as_echo "$ac_cv_c_const" >&6; } if test $ac_cv_c_const = no; then $as_echo "#define const /**/" >>confdefs.h fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking for inline" >&5 $as_echo_n "checking for inline... " >&6; } if ${ac_cv_c_inline+:} false; then : $as_echo_n "(cached) " >&6 else ac_cv_c_inline=no for ac_kw in inline __inline__ __inline; do cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #ifndef __cplusplus typedef int foo_t; static $ac_kw foo_t static_foo () {return 0; } $ac_kw foo_t foo () {return 0; } #endif _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ac_cv_c_inline=$ac_kw fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext test "$ac_cv_c_inline" != no && break done fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_inline" >&5 $as_echo "$ac_cv_c_inline" >&6; } case $ac_cv_c_inline in inline | yes) ;; *) case $ac_cv_c_inline in no) ac_val=;; *) ac_val=$ac_cv_c_inline;; esac cat >>confdefs.h <<_ACEOF #ifndef __cplusplus #define inline $ac_val #endif _ACEOF ;; esac { $as_echo "$as_me:${as_lineno-$LINENO}: checking for working volatile" >&5 $as_echo_n "checking for working volatile... " >&6; } if ${ac_cv_c_volatile+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main () { volatile int x; int * volatile y = (int *) 0; return !x && !y; ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ac_cv_c_volatile=yes else ac_cv_c_volatile=no fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_volatile" >&5 $as_echo "$ac_cv_c_volatile" >&6; } if test $ac_cv_c_volatile = no; then $as_echo "#define volatile /**/" >>confdefs.h fi ac_fn_c_check_type "$LINENO" "off_t" "ac_cv_type_off_t" "$ac_includes_default" if test "x$ac_cv_type_off_t" = xyes; then : else cat >>confdefs.h <<_ACEOF #define off_t long int _ACEOF fi ac_fn_c_check_type "$LINENO" "pid_t" "ac_cv_type_pid_t" "$ac_includes_default" if test "x$ac_cv_type_pid_t" = xyes; then : else cat >>confdefs.h <<_ACEOF #define pid_t int _ACEOF fi ac_fn_c_check_type "$LINENO" "size_t" "ac_cv_type_size_t" "$ac_includes_default" if test "x$ac_cv_type_size_t" = xyes; then : else cat >>confdefs.h <<_ACEOF #define size_t unsigned int _ACEOF fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking for uid_t in sys/types.h" >&5 $as_echo_n "checking for uid_t in sys/types.h... " >&6; } if ${ac_cv_type_uid_t+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include _ACEOF if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | $EGREP "uid_t" >/dev/null 2>&1; then : ac_cv_type_uid_t=yes else ac_cv_type_uid_t=no fi rm -f conftest* fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_type_uid_t" >&5 $as_echo "$ac_cv_type_uid_t" >&6; } if test $ac_cv_type_uid_t = no; then $as_echo "#define uid_t int" >>confdefs.h $as_echo "#define gid_t int" >>confdefs.h fi ac_fn_c_find_intX_t "$LINENO" "8" "ac_cv_c_int8_t" case $ac_cv_c_int8_t in #( no|yes) ;; #( *) cat >>confdefs.h <<_ACEOF #define int8_t $ac_cv_c_int8_t _ACEOF ;; esac ac_fn_c_find_intX_t "$LINENO" "16" "ac_cv_c_int16_t" case $ac_cv_c_int16_t in #( no|yes) ;; #( *) cat >>confdefs.h <<_ACEOF #define int16_t $ac_cv_c_int16_t _ACEOF ;; esac ac_fn_c_find_intX_t "$LINENO" "32" "ac_cv_c_int32_t" case $ac_cv_c_int32_t in #( no|yes) ;; #( *) cat >>confdefs.h <<_ACEOF #define int32_t $ac_cv_c_int32_t _ACEOF ;; esac ac_fn_c_find_intX_t "$LINENO" "64" "ac_cv_c_int64_t" case $ac_cv_c_int64_t in #( no|yes) ;; #( *) cat >>confdefs.h <<_ACEOF #define int64_t $ac_cv_c_int64_t _ACEOF ;; esac ac_fn_c_find_uintX_t "$LINENO" "8" "ac_cv_c_uint8_t" case $ac_cv_c_uint8_t in #( no|yes) ;; #( *) $as_echo "#define _UINT8_T 1" >>confdefs.h cat >>confdefs.h <<_ACEOF #define uint8_t $ac_cv_c_uint8_t _ACEOF ;; esac ac_fn_c_find_uintX_t "$LINENO" "16" "ac_cv_c_uint16_t" case $ac_cv_c_uint16_t in #( no|yes) ;; #( *) cat >>confdefs.h <<_ACEOF #define uint16_t $ac_cv_c_uint16_t _ACEOF ;; esac ac_fn_c_find_uintX_t "$LINENO" "32" "ac_cv_c_uint32_t" case $ac_cv_c_uint32_t in #( no|yes) ;; #( *) $as_echo "#define _UINT32_T 1" >>confdefs.h cat >>confdefs.h <<_ACEOF #define uint32_t $ac_cv_c_uint32_t _ACEOF ;; esac ac_fn_c_find_uintX_t "$LINENO" "64" "ac_cv_c_uint64_t" case $ac_cv_c_uint64_t in #( no|yes) ;; #( *) $as_echo "#define _UINT64_T 1" >>confdefs.h cat >>confdefs.h <<_ACEOF #define uint64_t $ac_cv_c_uint64_t _ACEOF ;; esac { $as_echo "$as_me:${as_lineno-$LINENO}: checking return type of signal handlers" >&5 $as_echo_n "checking return type of signal handlers... " >&6; } if ${ac_cv_type_signal+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include #include int main () { return *(signal (0, 0)) (0) == 1; ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ac_cv_type_signal=int else ac_cv_type_signal=void fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_type_signal" >&5 $as_echo "$ac_cv_type_signal" >&6; } cat >>confdefs.h <<_ACEOF #define RETSIGTYPE $ac_cv_type_signal _ACEOF { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ISO C 1999 vararg macro support" >&5 $as_echo_n "checking for ISO C 1999 vararg macro support... " >&6; } if ${ax_cv_cpp_vararg_macro_iso+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #define macro(a, ...) func(a, __VA_ARGS__) int func(int a, int b, int c); int main () { int i = macro(1, 2, 3); ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ax_cv_cpp_vararg_macro_iso=yes else ax_cv_cpp_vararg_macro_iso=no fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_cpp_vararg_macro_iso" >&5 $as_echo "$ax_cv_cpp_vararg_macro_iso" >&6; } if test "x$ax_cv_cpp_vararg_macro_iso" = xyes; then : $as_echo "#define HAVE_CPP_VARARG_MACRO_ISO 1" >>confdefs.h fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking for GNU GCC vararg macro support" >&5 $as_echo_n "checking for GNU GCC vararg macro support... " >&6; } if ${ax_cv_cpp_vararg_macro_gcc+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #define macro(a, b...) func(a, b) int func(int a, int b, int c); int main () { int i = macro(1, 2, 3); ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ax_cv_cpp_vararg_macro_gcc=yes else ax_cv_cpp_vararg_macro_gcc=no fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_cpp_vararg_macro_gcc" >&5 $as_echo "$ax_cv_cpp_vararg_macro_gcc" >&6; } if test "x$ax_cv_cpp_vararg_macro_gcc" = xyes; then : $as_echo "#define HAVE_CPP_VARARG_MACRO_GCC 1" >>confdefs.h fi ac_fn_c_check_type "$LINENO" "socklen_t" "ac_cv_type_socklen_t" " #include #ifdef _WIN32 #include #else #include #endif " if test "x$ac_cv_type_socklen_t" = xyes; then : else { $as_echo "$as_me:${as_lineno-$LINENO}: checking for socklen_t equivalent" >&5 $as_echo_n "checking for socklen_t equivalent... " >&6; } if ${ax_cv_socklen_t_equiv+:} false; then : $as_echo_n "(cached) " >&6 else #AS_CASE is not supported on conftest.$ac_ext /* end confdefs.h. */ #include #include int getpeername (int, $arg2 *, $t *); int main () { $t len; getpeername(0,0,&len); ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ax_cv_socklen_t_equiv="$t"; break fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext done test -n "$ax_cv_socklen_t_equiv" && break done ;; esac if ${ax_cv_socklen_t_equiv:+false} :; then : as_fn_error $? "Cannot find a type to use in place of socklen_t" "$LINENO" 5 else cat >>confdefs.h <<_ACEOF #define socklen_t $ax_cv_socklen_t_equiv _ACEOF fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_socklen_t_equiv" >&5 $as_echo "$ax_cv_socklen_t_equiv" >&6; } fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking for C compiler empty array size" >&5 $as_echo_n "checking for C compiler empty array size... " >&6; } if ${ax_cv_c_empty_array+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main () { struct { int foo; int bar[0]; } mystruct; ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ax_cv_c_empty_array=0 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main () { struct { int foo; int bar[]; } mystruct; ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ax_cv_c_empty_array= else as_fn_error $? "C compiler is unable to creaty empty arrays" "$LINENO" 5 fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_c_empty_array" >&5 $as_echo "$ax_cv_c_empty_array" >&6; } cat >>confdefs.h <<_ACEOF #define EMPTY_ARRAY_SIZE $ax_cv_c_empty_array _ACEOF # The cast to long int works around a bug in the HP C Compiler # version HP92453-01 B.11.11.23709.GP, which incorrectly rejects # declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. # This bug is HP SR number 8606223364. { $as_echo "$as_me:${as_lineno-$LINENO}: checking size of unsigned int" >&5 $as_echo_n "checking size of unsigned int... " >&6; } if ${ac_cv_sizeof_unsigned_int+:} false; then : $as_echo_n "(cached) " >&6 else if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (unsigned int))" "ac_cv_sizeof_unsigned_int" "$ac_includes_default"; then : else if test "$ac_cv_type_unsigned_int" = yes; then { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} as_fn_error 77 "cannot compute sizeof (unsigned int) See \`config.log' for more details" "$LINENO" 5; } else ac_cv_sizeof_unsigned_int=0 fi fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_unsigned_int" >&5 $as_echo "$ac_cv_sizeof_unsigned_int" >&6; } cat >>confdefs.h <<_ACEOF #define SIZEOF_UNSIGNED_INT $ac_cv_sizeof_unsigned_int _ACEOF # The cast to long int works around a bug in the HP C Compiler # version HP92453-01 B.11.11.23709.GP, which incorrectly rejects # declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. # This bug is HP SR number 8606223364. { $as_echo "$as_me:${as_lineno-$LINENO}: checking size of unsigned long" >&5 $as_echo_n "checking size of unsigned long... " >&6; } if ${ac_cv_sizeof_unsigned_long+:} false; then : $as_echo_n "(cached) " >&6 else if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (unsigned long))" "ac_cv_sizeof_unsigned_long" "$ac_includes_default"; then : else if test "$ac_cv_type_unsigned_long" = yes; then { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} as_fn_error 77 "cannot compute sizeof (unsigned long) See \`config.log' for more details" "$LINENO" 5; } else ac_cv_sizeof_unsigned_long=0 fi fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_unsigned_long" >&5 $as_echo "$ac_cv_sizeof_unsigned_long" >&6; } cat >>confdefs.h <<_ACEOF #define SIZEOF_UNSIGNED_LONG $ac_cv_sizeof_unsigned_long _ACEOF for ac_header in \ stdio.h stdarg.h limits.h \ time.h errno.h fcntl.h io.h direct.h \ ctype.h sys/types.h sys/socket.h \ signal.h unistd.h dlfcn.h \ netinet/in.h netinet/in_systm.h \ netinet/tcp.h arpa/inet.h netdb.h \ windows.h winsock2.h ws2tcpip.h \ versionhelpers.h \ do : as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default" if eval test \"x\$"$as_ac_Header"\" = x"yes"; then : cat >>confdefs.h <<_ACEOF #define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 _ACEOF fi done for ac_header in \ sys/time.h sys/ioctl.h sys/stat.h \ sys/mman.h sys/file.h sys/wait.h \ unistd.h signal.h libgen.h stropts.h \ syslog.h pwd.h grp.h \ sys/sockio.h sys/uio.h linux/sockios.h \ linux/types.h sys/poll.h sys/epoll.h err.h \ do : as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default" if eval test \"x\$"$as_ac_Header"\" = x"yes"; then : cat >>confdefs.h <<_ACEOF #define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 _ACEOF fi done SOCKET_INCLUDES=" #ifdef HAVE_STDLIB_H #include #endif #ifdef HAVE_SYS_TYPES_H #include #endif #ifdef HAVE_SYS_SOCKET_H #include #endif #ifdef HAVE_NET_IF_H #include #endif #ifdef HAVE_NETINET_IN_H #include #endif #ifdef HAVE_WINDOWS_H #include #endif #ifdef HAVE_WINSOCK2_H #include #endif #ifdef HAVE_WS2TCPIP_H #include #endif #ifdef HAVE_NETINET_IN_SYSTM_H #include #endif #ifdef HAVE_NETINET_IP_H #include #endif " for ac_header in net/if.h netinet/ip.h resolv.h sys/un.h net/if_utun.h sys/kern_control.h do : as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` ac_fn_c_check_header_compile "$LINENO" "$ac_header" "$as_ac_Header" "${SOCKET_INCLUDES} " if eval test \"x\$"$as_ac_Header"\" = x"yes"; then : cat >>confdefs.h <<_ACEOF #define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 _ACEOF fi done ac_fn_c_check_type "$LINENO" "in_addr_t" "ac_cv_type_in_addr_t" "${SOCKET_INCLUDES} " if test "x$ac_cv_type_in_addr_t" = xyes; then : cat >>confdefs.h <<_ACEOF #define HAVE_IN_ADDR_T 1 _ACEOF else $as_echo "#define in_addr_t uint32_t" >>confdefs.h fi ac_fn_c_check_type "$LINENO" "in_port_t" "ac_cv_type_in_port_t" "${SOCKET_INCLUDES} " if test "x$ac_cv_type_in_port_t" = xyes; then : cat >>confdefs.h <<_ACEOF #define HAVE_IN_PORT_T 1 _ACEOF else $as_echo "#define in_port_t uint16_t" >>confdefs.h fi ac_fn_c_check_type "$LINENO" "struct iphdr" "ac_cv_type_struct_iphdr" "${SOCKET_INCLUDES} " if test "x$ac_cv_type_struct_iphdr" = xyes; then : $as_echo "#define HAVE_IPHDR 1" >>confdefs.h fi ac_fn_c_check_type "$LINENO" "struct sock_extended_err" "ac_cv_type_struct_sock_extended_err" "${SOCKET_INCLUDES} " if test "x$ac_cv_type_struct_sock_extended_err" = xyes; then : $as_echo "#define HAVE_SOCK_EXTENDED_ERR 1" >>confdefs.h fi ac_fn_c_check_type "$LINENO" "struct msghdr" "ac_cv_type_struct_msghdr" "${SOCKET_INCLUDES} " if test "x$ac_cv_type_struct_msghdr" = xyes; then : $as_echo "#define HAVE_MSGHDR 1" >>confdefs.h fi ac_fn_c_check_type "$LINENO" "struct cmsghdr" "ac_cv_type_struct_cmsghdr" "${SOCKET_INCLUDES} " if test "x$ac_cv_type_struct_cmsghdr" = xyes; then : $as_echo "#define HAVE_CMSGHDR 1" >>confdefs.h fi ac_fn_c_check_type "$LINENO" "struct in_pktinfo" "ac_cv_type_struct_in_pktinfo" "${SOCKET_INCLUDES} " if test "x$ac_cv_type_struct_in_pktinfo" = xyes; then : $as_echo "#define HAVE_IN_PKTINFO 1" >>confdefs.h fi ac_fn_c_check_type "$LINENO" "sa_family_t" "ac_cv_type_sa_family_t" "${SOCKET_INCLUDES} " if test "x$ac_cv_type_sa_family_t" = xyes; then : $as_echo "#define HAVE_SA_FAMILY_T 1" >>confdefs.h fi ac_fn_c_check_member "$LINENO" "struct in_pktinfo" "ipi_spec_dst" "ac_cv_member_struct_in_pktinfo_ipi_spec_dst" "${SOCKET_INCLUDES} " if test "x$ac_cv_member_struct_in_pktinfo_ipi_spec_dst" = xyes; then : $as_echo "#define HAVE_IPI_SPEC_DST 1" >>confdefs.h fi ac_fn_c_check_type "$LINENO" "struct sockaddr_in6" "ac_cv_type_struct_sockaddr_in6" "${SOCKET_INCLUDES} " if test "x$ac_cv_type_struct_sockaddr_in6" = xyes; then : else as_fn_error $? "struct sockaddr_in6 not found, needed for ipv6 transport support." "$LINENO" 5 fi ac_fn_c_check_decl "$LINENO" "SO_MARK" "ac_cv_have_decl_SO_MARK" "${SOCKET_INCLUDES} " if test "x$ac_cv_have_decl_SO_MARK" = xyes; then : ac_have_decl=1 else ac_have_decl=0 fi cat >>confdefs.h <<_ACEOF #define HAVE_DECL_SO_MARK $ac_have_decl _ACEOF { $as_echo "$as_me:${as_lineno-$LINENO}: checking anonymous union support..." >&5 $as_echo "$as_me: checking anonymous union support..." >&6;} cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ struct mystruct { union { int m1; char m2; }; }; int main () { struct mystruct s; s.m1 = 1; s.m2 = 2; ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 $as_echo "yes" >&6; } $as_echo "#define HAVE_ANONYMOUS_UNION_SUPPORT /**/" >>confdefs.h else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext saved_LDFLAGS="$LDFLAGS" LDFLAGS="$LDFLAGS -Wl,--wrap=exit" { $as_echo "$as_me:${as_lineno-$LINENO}: checking linker supports --wrap" >&5 $as_echo_n "checking linker supports --wrap... " >&6; } cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ void exit(int); void __real_exit(int); void __wrap_exit(int i) { __real_exit(i); } int main () { exit(0); ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO"; then : { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 $as_echo "yes" >&6; } have_ld_wrap_support=yes else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext LDFLAGS="$saved_LDFLAGS" ac_fn_c_check_decl "$LINENO" "SIGHUP" "ac_cv_have_decl_SIGHUP" " #ifdef HAVE_SIGNAL_H #include #endif " if test "x$ac_cv_have_decl_SIGHUP" = xyes; then : ac_have_decl=1 else ac_have_decl=0 fi cat >>confdefs.h <<_ACEOF #define HAVE_DECL_SIGHUP $ac_have_decl _ACEOF if test $ac_have_decl = 1; then : else $as_echo "#define SIGHUP 1" >>confdefs.h fi ac_fn_c_check_decl "$LINENO" "SIGINT" "ac_cv_have_decl_SIGINT" " #ifdef HAVE_SIGNAL_H #include #endif " if test "x$ac_cv_have_decl_SIGINT" = xyes; then : ac_have_decl=1 else ac_have_decl=0 fi cat >>confdefs.h <<_ACEOF #define HAVE_DECL_SIGINT $ac_have_decl _ACEOF if test $ac_have_decl = 1; then : else $as_echo "#define SIGINT 2" >>confdefs.h fi ac_fn_c_check_decl "$LINENO" "SIGUSR1" "ac_cv_have_decl_SIGUSR1" " #ifdef HAVE_SIGNAL_H #include #endif " if test "x$ac_cv_have_decl_SIGUSR1" = xyes; then : ac_have_decl=1 else ac_have_decl=0 fi cat >>confdefs.h <<_ACEOF #define HAVE_DECL_SIGUSR1 $ac_have_decl _ACEOF if test $ac_have_decl = 1; then : else $as_echo "#define SIGUSR1 10" >>confdefs.h fi ac_fn_c_check_decl "$LINENO" "SIGUSR2" "ac_cv_have_decl_SIGUSR2" " #ifdef HAVE_SIGNAL_H #include #endif " if test "x$ac_cv_have_decl_SIGUSR2" = xyes; then : ac_have_decl=1 else ac_have_decl=0 fi cat >>confdefs.h <<_ACEOF #define HAVE_DECL_SIGUSR2 $ac_have_decl _ACEOF if test $ac_have_decl = 1; then : else $as_echo "#define SIGUSR2 12" >>confdefs.h fi ac_fn_c_check_decl "$LINENO" "SIGTERM" "ac_cv_have_decl_SIGTERM" " #ifdef HAVE_SIGNAL_H #include #endif " if test "x$ac_cv_have_decl_SIGTERM" = xyes; then : ac_have_decl=1 else ac_have_decl=0 fi cat >>confdefs.h <<_ACEOF #define HAVE_DECL_SIGTERM $ac_have_decl _ACEOF if test $ac_have_decl = 1; then : else $as_echo "#define SIGTERM 15" >>confdefs.h fi for ac_header in vfork.h do : ac_fn_c_check_header_mongrel "$LINENO" "vfork.h" "ac_cv_header_vfork_h" "$ac_includes_default" if test "x$ac_cv_header_vfork_h" = xyes; then : cat >>confdefs.h <<_ACEOF #define HAVE_VFORK_H 1 _ACEOF fi done for ac_func in fork vfork do : as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" if eval test \"x\$"$as_ac_var"\" = x"yes"; then : cat >>confdefs.h <<_ACEOF #define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 _ACEOF fi done if test "x$ac_cv_func_fork" = xyes; then { $as_echo "$as_me:${as_lineno-$LINENO}: checking for working fork" >&5 $as_echo_n "checking for working fork... " >&6; } if ${ac_cv_func_fork_works+:} false; then : $as_echo_n "(cached) " >&6 else if test "$cross_compiling" = yes; then : ac_cv_func_fork_works=cross else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $ac_includes_default int main () { /* By Ruediger Kuhlmann. */ return fork () < 0; ; return 0; } _ACEOF if ac_fn_c_try_run "$LINENO"; then : ac_cv_func_fork_works=yes else ac_cv_func_fork_works=no fi rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ conftest.$ac_objext conftest.beam conftest.$ac_ext fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_func_fork_works" >&5 $as_echo "$ac_cv_func_fork_works" >&6; } else ac_cv_func_fork_works=$ac_cv_func_fork fi if test "x$ac_cv_func_fork_works" = xcross; then case $host in *-*-amigaos* | *-*-msdosdjgpp*) # Override, as these systems have only a dummy fork() stub ac_cv_func_fork_works=no ;; *) ac_cv_func_fork_works=yes ;; esac { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: result $ac_cv_func_fork_works guessed because of cross compilation" >&5 $as_echo "$as_me: WARNING: result $ac_cv_func_fork_works guessed because of cross compilation" >&2;} fi ac_cv_func_vfork_works=$ac_cv_func_vfork if test "x$ac_cv_func_vfork" = xyes; then { $as_echo "$as_me:${as_lineno-$LINENO}: checking for working vfork" >&5 $as_echo_n "checking for working vfork... " >&6; } if ${ac_cv_func_vfork_works+:} false; then : $as_echo_n "(cached) " >&6 else if test "$cross_compiling" = yes; then : ac_cv_func_vfork_works=cross else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Thanks to Paul Eggert for this test. */ $ac_includes_default #include #ifdef HAVE_VFORK_H # include #endif /* On some sparc systems, changes by the child to local and incoming argument registers are propagated back to the parent. The compiler is told about this with #include , but some compilers (e.g. gcc -O) don't grok . Test for this by using a static variable whose address is put into a register that is clobbered by the vfork. */ static void #ifdef __cplusplus sparc_address_test (int arg) # else sparc_address_test (arg) int arg; #endif { static pid_t child; if (!child) { child = vfork (); if (child < 0) { perror ("vfork"); _exit(2); } if (!child) { arg = getpid(); write(-1, "", 0); _exit (arg); } } } int main () { pid_t parent = getpid (); pid_t child; sparc_address_test (0); child = vfork (); if (child == 0) { /* Here is another test for sparc vfork register problems. This test uses lots of local variables, at least as many local variables as main has allocated so far including compiler temporaries. 4 locals are enough for gcc 1.40.3 on a Solaris 4.1.3 sparc, but we use 8 to be safe. A buggy compiler should reuse the register of parent for one of the local variables, since it will think that parent can't possibly be used any more in this routine. Assigning to the local variable will thus munge parent in the parent process. */ pid_t p = getpid(), p1 = getpid(), p2 = getpid(), p3 = getpid(), p4 = getpid(), p5 = getpid(), p6 = getpid(), p7 = getpid(); /* Convince the compiler that p..p7 are live; otherwise, it might use the same hardware register for all 8 local variables. */ if (p != p1 || p != p2 || p != p3 || p != p4 || p != p5 || p != p6 || p != p7) _exit(1); /* On some systems (e.g. IRIX 3.3), vfork doesn't separate parent from child file descriptors. If the child closes a descriptor before it execs or exits, this munges the parent's descriptor as well. Test for this by closing stdout in the child. */ _exit(close(fileno(stdout)) != 0); } else { int status; struct stat st; while (wait(&status) != child) ; return ( /* Was there some problem with vforking? */ child < 0 /* Did the child fail? (This shouldn't happen.) */ || status /* Did the vfork/compiler bug occur? */ || parent != getpid() /* Did the file descriptor bug occur? */ || fstat(fileno(stdout), &st) != 0 ); } } _ACEOF if ac_fn_c_try_run "$LINENO"; then : ac_cv_func_vfork_works=yes else ac_cv_func_vfork_works=no fi rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ conftest.$ac_objext conftest.beam conftest.$ac_ext fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_func_vfork_works" >&5 $as_echo "$ac_cv_func_vfork_works" >&6; } fi; if test "x$ac_cv_func_fork_works" = xcross; then ac_cv_func_vfork_works=$ac_cv_func_vfork { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: result $ac_cv_func_vfork_works guessed because of cross compilation" >&5 $as_echo "$as_me: WARNING: result $ac_cv_func_vfork_works guessed because of cross compilation" >&2;} fi if test "x$ac_cv_func_vfork_works" = xyes; then $as_echo "#define HAVE_WORKING_VFORK 1" >>confdefs.h else $as_echo "#define vfork fork" >>confdefs.h fi if test "x$ac_cv_func_fork_works" = xyes; then $as_echo "#define HAVE_WORKING_FORK 1" >>confdefs.h fi for ac_func in \ daemon chroot getpwnam setuid nice system getpid dup dup2 \ getpass syslog openlog mlockall getgrnam setgid \ setgroups stat flock readv writev time gettimeofday \ ctime memset vsnprintf strdup \ setsid chdir putenv getpeername unlink \ chsize ftruncate execve getpeereid umask basename dirname access \ epoll_create \ do : as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" if eval test \"x\$"$as_ac_var"\" = x"yes"; then : cat >>confdefs.h <<_ACEOF #define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 _ACEOF fi done { $as_echo "$as_me:${as_lineno-$LINENO}: checking for dlopen in -ldl" >&5 $as_echo_n "checking for dlopen in -ldl... " >&6; } if ${ac_cv_lib_dl_dlopen+:} false; then : $as_echo_n "(cached) " >&6 else ac_check_lib_save_LIBS=$LIBS LIBS="-ldl $LIBS" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC builtin and then its argument prototype would still apply. */ #ifdef __cplusplus extern "C" #endif char dlopen (); int main () { return dlopen (); ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO"; then : ac_cv_lib_dl_dlopen=yes else ac_cv_lib_dl_dlopen=no fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_dl_dlopen" >&5 $as_echo "$ac_cv_lib_dl_dlopen" >&6; } if test "x$ac_cv_lib_dl_dlopen" = xyes; then : DL_LIBS="-ldl" fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking for inet_ntoa in -lnsl" >&5 $as_echo_n "checking for inet_ntoa in -lnsl... " >&6; } if ${ac_cv_lib_nsl_inet_ntoa+:} false; then : $as_echo_n "(cached) " >&6 else ac_check_lib_save_LIBS=$LIBS LIBS="-lnsl $LIBS" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC builtin and then its argument prototype would still apply. */ #ifdef __cplusplus extern "C" #endif char inet_ntoa (); int main () { return inet_ntoa (); ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO"; then : ac_cv_lib_nsl_inet_ntoa=yes else ac_cv_lib_nsl_inet_ntoa=no fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_nsl_inet_ntoa" >&5 $as_echo "$ac_cv_lib_nsl_inet_ntoa" >&6; } if test "x$ac_cv_lib_nsl_inet_ntoa" = xyes; then : SOCKETS_LIBS="${SOCKETS_LIBS} -lnsl" fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking for socket in -lsocket" >&5 $as_echo_n "checking for socket in -lsocket... " >&6; } if ${ac_cv_lib_socket_socket+:} false; then : $as_echo_n "(cached) " >&6 else ac_check_lib_save_LIBS=$LIBS LIBS="-lsocket $LIBS" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC builtin and then its argument prototype would still apply. */ #ifdef __cplusplus extern "C" #endif char socket (); int main () { return socket (); ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO"; then : ac_cv_lib_socket_socket=yes else ac_cv_lib_socket_socket=no fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_socket_socket" >&5 $as_echo "$ac_cv_lib_socket_socket" >&6; } if test "x$ac_cv_lib_socket_socket" = xyes; then : SOCKETS_LIBS="${SOCKETS_LIBS} -lsocket" fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking for gethostbyname in -lresolv" >&5 $as_echo_n "checking for gethostbyname in -lresolv... " >&6; } if ${ac_cv_lib_resolv_gethostbyname+:} false; then : $as_echo_n "(cached) " >&6 else ac_check_lib_save_LIBS=$LIBS LIBS="-lresolv $LIBS" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC builtin and then its argument prototype would still apply. */ #ifdef __cplusplus extern "C" #endif char gethostbyname (); int main () { return gethostbyname (); ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO"; then : ac_cv_lib_resolv_gethostbyname=yes else ac_cv_lib_resolv_gethostbyname=no fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_resolv_gethostbyname" >&5 $as_echo "$ac_cv_lib_resolv_gethostbyname" >&6; } if test "x$ac_cv_lib_resolv_gethostbyname" = xyes; then : SOCKETS_LIBS="${SOCKETS_LIBS} -lresolv" fi old_LIBS="${LIBS}" LIBS="${LIBS} ${SOCKETS_LIBS}" for ac_func in sendmsg recvmsg do : as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" if eval test \"x\$"$as_ac_var"\" = x"yes"; then : cat >>confdefs.h <<_ACEOF #define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 _ACEOF fi done # Windows use stdcall for winsock so we cannot auto detect these if test "${WIN32}" = "yes"; then # normal autoconf function checking does not find inet_ntop/inet_pton # because they need to include the actual header file and link ws2_32.dll LIBS="${LIBS} -lws2_32" { $as_echo "$as_me:${as_lineno-$LINENO}: checking for MinGW inet_ntop()/inet_pton()" >&5 $as_echo_n "checking for MinGW inet_ntop()/inet_pton()... " >&6; } cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include int main () { int r = (int) inet_ntop (0, NULL, NULL, 0); r += inet_pton(AF_INET, NULL, NULL); return r; ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO"; then : { $as_echo "$as_me:${as_lineno-$LINENO}: result: OK" >&5 $as_echo "OK" >&6; } $as_echo "#define HAVE_INET_NTOP 1" >>confdefs.h $as_echo "#define HAVE_INET_PTON 1" >>confdefs.h else { $as_echo "$as_me:${as_lineno-$LINENO}: result: not found" >&5 $as_echo "not found" >&6; } fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext $as_echo "#define HAVE_SOCKET 1" >>confdefs.h $as_echo "#define HAVE_RECV 1" >>confdefs.h $as_echo "#define HAVE_RECVFROM 1" >>confdefs.h $as_echo "#define HAVE_SEND 1" >>confdefs.h $as_echo "#define HAVE_SENDTO 1" >>confdefs.h $as_echo "#define HAVE_LISTEN 1" >>confdefs.h $as_echo "#define HAVE_ACCEPT 1" >>confdefs.h $as_echo "#define HAVE_CONNECT 1" >>confdefs.h $as_echo "#define HAVE_BIND 1" >>confdefs.h $as_echo "#define HAVE_SELECT 1" >>confdefs.h $as_echo "#define HAVE_GETHOSTBYNAME 1" >>confdefs.h $as_echo "#define HAVE_INET_NTOA 1" >>confdefs.h $as_echo "#define HAVE_SETSOCKOPT 1" >>confdefs.h $as_echo "#define HAVE_GETSOCKOPT 1" >>confdefs.h $as_echo "#define HAVE_GETSOCKNAME 1" >>confdefs.h $as_echo "#define HAVE_POLL 1" >>confdefs.h else for ac_func in inet_ntop inet_pton do : as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" if eval test \"x\$"$as_ac_var"\" = x"yes"; then : cat >>confdefs.h <<_ACEOF #define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 _ACEOF fi done for ac_func in socket recv recvfrom send sendto listen accept connect bind select gethostbyname inet_ntoa do : as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" if eval test \"x\$"$as_ac_var"\" = x"yes"; then : cat >>confdefs.h <<_ACEOF #define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 _ACEOF else as_fn_error $? "Required library function not found" "$LINENO" 5 fi done for ac_func in setsockopt getsockopt getsockname poll do : as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" if eval test \"x\$"$as_ac_var"\" = x"yes"; then : cat >>confdefs.h <<_ACEOF #define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 _ACEOF fi done fi LIBS="${old_LIBS}" # we assume res_init() always exist, but need to find out *where*... { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing __res_init" >&5 $as_echo_n "checking for library containing __res_init... " >&6; } if ${ac_cv_search___res_init+:} false; then : $as_echo_n "(cached) " >&6 else ac_func_search_save_LIBS=$LIBS cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC builtin and then its argument prototype would still apply. */ #ifdef __cplusplus extern "C" #endif char __res_init (); int main () { return __res_init (); ; return 0; } _ACEOF for ac_lib in '' resolv bind; do if test -z "$ac_lib"; then ac_res="none required" else ac_res=-l$ac_lib LIBS="-l$ac_lib $ac_func_search_save_LIBS" fi if ac_fn_c_try_link "$LINENO"; then : ac_cv_search___res_init=$ac_res fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext if ${ac_cv_search___res_init+:} false; then : break fi done if ${ac_cv_search___res_init+:} false; then : else ac_cv_search___res_init=no fi rm conftest.$ac_ext LIBS=$ac_func_search_save_LIBS fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search___res_init" >&5 $as_echo "$ac_cv_search___res_init" >&6; } ac_res=$ac_cv_search___res_init if test "$ac_res" != no; then : test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" else { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing res_9_init" >&5 $as_echo_n "checking for library containing res_9_init... " >&6; } if ${ac_cv_search_res_9_init+:} false; then : $as_echo_n "(cached) " >&6 else ac_func_search_save_LIBS=$LIBS cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC builtin and then its argument prototype would still apply. */ #ifdef __cplusplus extern "C" #endif char res_9_init (); int main () { return res_9_init (); ; return 0; } _ACEOF for ac_lib in '' resolv bind; do if test -z "$ac_lib"; then ac_res="none required" else ac_res=-l$ac_lib LIBS="-l$ac_lib $ac_func_search_save_LIBS" fi if ac_fn_c_try_link "$LINENO"; then : ac_cv_search_res_9_init=$ac_res fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext if ${ac_cv_search_res_9_init+:} false; then : break fi done if ${ac_cv_search_res_9_init+:} false; then : else ac_cv_search_res_9_init=no fi rm conftest.$ac_ext LIBS=$ac_func_search_save_LIBS fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_res_9_init" >&5 $as_echo "$ac_cv_search_res_9_init" >&6; } ac_res=$ac_cv_search_res_9_init if test "$ac_res" != no; then : test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" else { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing res_init" >&5 $as_echo_n "checking for library containing res_init... " >&6; } if ${ac_cv_search_res_init+:} false; then : $as_echo_n "(cached) " >&6 else ac_func_search_save_LIBS=$LIBS cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC builtin and then its argument prototype would still apply. */ #ifdef __cplusplus extern "C" #endif char res_init (); int main () { return res_init (); ; return 0; } _ACEOF for ac_lib in '' resolv bind; do if test -z "$ac_lib"; then ac_res="none required" else ac_res=-l$ac_lib LIBS="-l$ac_lib $ac_func_search_save_LIBS" fi if ac_fn_c_try_link "$LINENO"; then : ac_cv_search_res_init=$ac_res fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext if ${ac_cv_search_res_init+:} false; then : break fi done if ${ac_cv_search_res_init+:} false; then : else ac_cv_search_res_init=no fi rm conftest.$ac_ext LIBS=$ac_func_search_save_LIBS fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_res_init" >&5 $as_echo "$ac_cv_search_res_init" >&6; } ac_res=$ac_cv_search_res_init if test "$ac_res" != no; then : test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" fi fi fi old_CFLAGS="${CFLAGS}" CFLAGS="${CFLAGS} ${TAP_CFLAGS}" for ac_header in \ net/if_tun.h net/tun/if_tun.h \ linux/if_tun.h \ tap-windows.h \ do : as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default" if eval test \"x\$"$as_ac_Header"\" = x"yes"; then : cat >>confdefs.h <<_ACEOF #define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 _ACEOF have_tap_header="yes" fi done ac_fn_c_check_decl "$LINENO" "TUNSETPERSIST" "ac_cv_have_decl_TUNSETPERSIST" " #ifdef HAVE_LINUX_IF_TUN_H #include #endif " if test "x$ac_cv_have_decl_TUNSETPERSIST" = xyes; then : ac_have_decl=1 else ac_have_decl=0 fi cat >>confdefs.h <<_ACEOF #define HAVE_DECL_TUNSETPERSIST $ac_have_decl _ACEOF if test $ac_have_decl = 1; then : $as_echo "#define ENABLE_FEATURE_TUN_PERSIST 1" >>confdefs.h fi CFLAGS="${old_CFLAGS}" test "${have_tap_header}" = "yes" || as_fn_error $? "no tap header could be found" "$LINENO" 5 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for setcon in -lselinux" >&5 $as_echo_n "checking for setcon in -lselinux... " >&6; } if ${ac_cv_lib_selinux_setcon+:} false; then : $as_echo_n "(cached) " >&6 else ac_check_lib_save_LIBS=$LIBS LIBS="-lselinux $LIBS" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC builtin and then its argument prototype would still apply. */ #ifdef __cplusplus extern "C" #endif char setcon (); int main () { return setcon (); ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO"; then : ac_cv_lib_selinux_setcon=yes else ac_cv_lib_selinux_setcon=no fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_selinux_setcon" >&5 $as_echo "$ac_cv_lib_selinux_setcon" >&6; } if test "x$ac_cv_lib_selinux_setcon" = xyes; then : SELINUX_LIBS="-lselinux" fi if test -z "${LIBPAM_LIBS}"; then { $as_echo "$as_me:${as_lineno-$LINENO}: checking for pam_start in -lpam" >&5 $as_echo_n "checking for pam_start in -lpam... " >&6; } if ${ac_cv_lib_pam_pam_start+:} false; then : $as_echo_n "(cached) " >&6 else ac_check_lib_save_LIBS=$LIBS LIBS="-lpam $LIBS" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC builtin and then its argument prototype would still apply. */ #ifdef __cplusplus extern "C" #endif char pam_start (); int main () { return pam_start (); ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO"; then : ac_cv_lib_pam_pam_start=yes else ac_cv_lib_pam_pam_start=no fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pam_pam_start" >&5 $as_echo "$ac_cv_lib_pam_pam_start" >&6; } if test "x$ac_cv_lib_pam_pam_start" = xyes; then : LIBPAM_LIBS="-lpam" fi fi case "${with_mem_check}" in valgrind) for ac_header in valgrind/memcheck.h do : ac_fn_c_check_header_mongrel "$LINENO" "valgrind/memcheck.h" "ac_cv_header_valgrind_memcheck_h" "$ac_includes_default" if test "x$ac_cv_header_valgrind_memcheck_h" = xyes; then : cat >>confdefs.h <<_ACEOF #define HAVE_VALGRIND_MEMCHECK_H 1 _ACEOF CFLAGS="${CFLAGS} -g -fno-inline" $as_echo "#define USE_VALGRIND 1" >>confdefs.h else as_fn_error $? "valgrind headers not found." "$LINENO" 5 fi done ;; dmalloc) for ac_header in dmalloc.h do : ac_fn_c_check_header_mongrel "$LINENO" "dmalloc.h" "ac_cv_header_dmalloc_h" "$ac_includes_default" if test "x$ac_cv_header_dmalloc_h" = xyes; then : cat >>confdefs.h <<_ACEOF #define HAVE_DMALLOC_H 1 _ACEOF { $as_echo "$as_me:${as_lineno-$LINENO}: checking for malloc in -ldmalloc" >&5 $as_echo_n "checking for malloc in -ldmalloc... " >&6; } if ${ac_cv_lib_dmalloc_malloc+:} false; then : $as_echo_n "(cached) " >&6 else ac_check_lib_save_LIBS=$LIBS LIBS="-ldmalloc $LIBS" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC builtin and then its argument prototype would still apply. */ #ifdef __cplusplus extern "C" #endif char malloc (); int main () { return malloc (); ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO"; then : ac_cv_lib_dmalloc_malloc=yes else ac_cv_lib_dmalloc_malloc=no fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_dmalloc_malloc" >&5 $as_echo "$ac_cv_lib_dmalloc_malloc" >&6; } if test "x$ac_cv_lib_dmalloc_malloc" = xyes; then : LIBS="${LIBS} -ldmalloc" $as_echo "#define DMALLOC 1" >>confdefs.h else as_fn_error $? "dmalloc library not found." "$LINENO" 5 fi else as_fn_error $? "dmalloc headers not found." "$LINENO" 5 fi done ;; ssl) { $as_echo "$as_me:${as_lineno-$LINENO}: checking for CRYPTO_mem_ctrl in -lssl" >&5 $as_echo_n "checking for CRYPTO_mem_ctrl in -lssl... " >&6; } if ${ac_cv_lib_ssl_CRYPTO_mem_ctrl+:} false; then : $as_echo_n "(cached) " >&6 else ac_check_lib_save_LIBS=$LIBS LIBS="-lssl $LIBS" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC builtin and then its argument prototype would still apply. */ #ifdef __cplusplus extern "C" #endif char CRYPTO_mem_ctrl (); int main () { return CRYPTO_mem_ctrl (); ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO"; then : ac_cv_lib_ssl_CRYPTO_mem_ctrl=yes else ac_cv_lib_ssl_CRYPTO_mem_ctrl=no fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_ssl_CRYPTO_mem_ctrl" >&5 $as_echo "$ac_cv_lib_ssl_CRYPTO_mem_ctrl" >&6; } if test "x$ac_cv_lib_ssl_CRYPTO_mem_ctrl" = xyes; then : $as_echo "#define CRYPTO_MDEBUG 1" >>confdefs.h { $as_echo "$as_me:${as_lineno-$LINENO}: NOTE: OpenSSL library must be compiled with CRYPTO_MDEBUG" >&5 $as_echo "$as_me: NOTE: OpenSSL library must be compiled with CRYPTO_MDEBUG" >&6;} else as_fn_error $? "Memory Debugging function in OpenSSL library not found." "$LINENO" 5 fi ;; esac pkg_failed=no { $as_echo "$as_me:${as_lineno-$LINENO}: checking for PKCS11_HELPER" >&5 $as_echo_n "checking for PKCS11_HELPER... " >&6; } if test -n "$PKCS11_HELPER_CFLAGS"; then pkg_cv_PKCS11_HELPER_CFLAGS="$PKCS11_HELPER_CFLAGS" elif test -n "$PKG_CONFIG"; then if test -n "$PKG_CONFIG" && \ { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libpkcs11-helper-1 >= 1.11\""; } >&5 ($PKG_CONFIG --exists --print-errors "libpkcs11-helper-1 >= 1.11") 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; then pkg_cv_PKCS11_HELPER_CFLAGS=`$PKG_CONFIG --cflags "libpkcs11-helper-1 >= 1.11" 2>/dev/null` test "x$?" != "x0" && pkg_failed=yes else pkg_failed=yes fi else pkg_failed=untried fi if test -n "$PKCS11_HELPER_LIBS"; then pkg_cv_PKCS11_HELPER_LIBS="$PKCS11_HELPER_LIBS" elif test -n "$PKG_CONFIG"; then if test -n "$PKG_CONFIG" && \ { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libpkcs11-helper-1 >= 1.11\""; } >&5 ($PKG_CONFIG --exists --print-errors "libpkcs11-helper-1 >= 1.11") 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; then pkg_cv_PKCS11_HELPER_LIBS=`$PKG_CONFIG --libs "libpkcs11-helper-1 >= 1.11" 2>/dev/null` test "x$?" != "x0" && pkg_failed=yes else pkg_failed=yes fi else pkg_failed=untried fi if test $pkg_failed = yes; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then _pkg_short_errors_supported=yes else _pkg_short_errors_supported=no fi if test $_pkg_short_errors_supported = yes; then PKCS11_HELPER_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "libpkcs11-helper-1 >= 1.11" 2>&1` else PKCS11_HELPER_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "libpkcs11-helper-1 >= 1.11" 2>&1` fi # Put the nasty error message in config.log where it belongs echo "$PKCS11_HELPER_PKG_ERRORS" >&5 elif test $pkg_failed = untried; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } else PKCS11_HELPER_CFLAGS=$pkg_cv_PKCS11_HELPER_CFLAGS PKCS11_HELPER_LIBS=$pkg_cv_PKCS11_HELPER_LIBS { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 $as_echo "yes" >&6; } have_pkcs11_helper="yes" fi if test "${enable_crypto}" = "yes" -a "${with_crypto_library}" = "openssl"; then if test -z "${OPENSSL_CFLAGS}" -a -z "${OPENSSL_LIBS}"; then # if the user did not explicitly specify flags, try to autodetect pkg_failed=no { $as_echo "$as_me:${as_lineno-$LINENO}: checking for OPENSSL" >&5 $as_echo_n "checking for OPENSSL... " >&6; } if test -n "$OPENSSL_CFLAGS"; then pkg_cv_OPENSSL_CFLAGS="$OPENSSL_CFLAGS" elif test -n "$PKG_CONFIG"; then if test -n "$PKG_CONFIG" && \ { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libcrypto >= 0.9.8, libssl >= 0.9.8\""; } >&5 ($PKG_CONFIG --exists --print-errors "libcrypto >= 0.9.8, libssl >= 0.9.8") 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; then pkg_cv_OPENSSL_CFLAGS=`$PKG_CONFIG --cflags "libcrypto >= 0.9.8, libssl >= 0.9.8" 2>/dev/null` test "x$?" != "x0" && pkg_failed=yes else pkg_failed=yes fi else pkg_failed=untried fi if test -n "$OPENSSL_LIBS"; then pkg_cv_OPENSSL_LIBS="$OPENSSL_LIBS" elif test -n "$PKG_CONFIG"; then if test -n "$PKG_CONFIG" && \ { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libcrypto >= 0.9.8, libssl >= 0.9.8\""; } >&5 ($PKG_CONFIG --exists --print-errors "libcrypto >= 0.9.8, libssl >= 0.9.8") 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; then pkg_cv_OPENSSL_LIBS=`$PKG_CONFIG --libs "libcrypto >= 0.9.8, libssl >= 0.9.8" 2>/dev/null` test "x$?" != "x0" && pkg_failed=yes else pkg_failed=yes fi else pkg_failed=untried fi if test $pkg_failed = yes; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then _pkg_short_errors_supported=yes else _pkg_short_errors_supported=no fi if test $_pkg_short_errors_supported = yes; then OPENSSL_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "libcrypto >= 0.9.8, libssl >= 0.9.8" 2>&1` else OPENSSL_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "libcrypto >= 0.9.8, libssl >= 0.9.8" 2>&1` fi # Put the nasty error message in config.log where it belongs echo "$OPENSSL_PKG_ERRORS" >&5 have_openssl="no" # Provide if-not-found to prevent erroring out elif test $pkg_failed = untried; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } have_openssl="no" # Provide if-not-found to prevent erroring out else OPENSSL_CFLAGS=$pkg_cv_OPENSSL_CFLAGS OPENSSL_LIBS=$pkg_cv_OPENSSL_LIBS { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 $as_echo "yes" >&6; } have_openssl="yes" fi OPENSSL_LIBS=${OPENSSL_LIBS:--lssl -lcrypto} fi saved_CFLAGS="${CFLAGS}" saved_LIBS="${LIBS}" CFLAGS="${CFLAGS} ${OPENSSL_CFLAGS}" LIBS="${LIBS} ${OPENSSL_LIBS}" for ac_func in SSL_CTX_new EVP_CIPHER_CTX_set_key_length do : as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" if eval test \"x\$"$as_ac_var"\" = x"yes"; then : cat >>confdefs.h <<_ACEOF #define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 _ACEOF else as_fn_error $? "openssl check failed" "$LINENO" 5 fi done have_openssl_engine="yes" for ac_func in \ ENGINE_load_builtin_engines \ ENGINE_register_all_complete \ ENGINE_cleanup \ do : as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" if eval test \"x\$"$as_ac_var"\" = x"yes"; then : cat >>confdefs.h <<_ACEOF #define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 _ACEOF else have_openssl_engine="no"; break fi done if test "${have_openssl_engine}" = "yes"; then $as_echo "#define HAVE_OPENSSL_ENGINE 1" >>confdefs.h fi have_crypto_aead_modes="yes" for ac_func in EVP_aes_256_gcm do : ac_fn_c_check_func "$LINENO" "EVP_aes_256_gcm" "ac_cv_func_EVP_aes_256_gcm" if test "x$ac_cv_func_EVP_aes_256_gcm" = xyes; then : cat >>confdefs.h <<_ACEOF #define HAVE_EVP_AES_256_GCM 1 _ACEOF else have_crypto_aead_modes="no"; break fi done for ac_func in \ HMAC_CTX_new \ HMAC_CTX_free \ HMAC_CTX_reset \ EVP_MD_CTX_new \ EVP_MD_CTX_free \ EVP_MD_CTX_reset \ SSL_CTX_get_default_passwd_cb \ SSL_CTX_get_default_passwd_cb_userdata \ X509_get0_pubkey \ X509_STORE_get0_objects \ X509_OBJECT_free \ X509_OBJECT_get_type \ EVP_PKEY_id \ EVP_PKEY_get0_RSA \ EVP_PKEY_get0_DSA \ EVP_PKEY_get0_EC_KEY \ RSA_set_flags \ RSA_bits \ RSA_get0_key \ RSA_set0_key \ DSA_get0_pqg \ DSA_bits \ RSA_meth_new \ RSA_meth_free \ RSA_meth_set_pub_enc \ RSA_meth_set_pub_dec \ RSA_meth_set_priv_enc \ RSA_meth_set_priv_dec \ RSA_meth_set_init \ RSA_meth_set_finish \ RSA_meth_set0_app_data \ EC_GROUP_order_bits do : as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" if eval test \"x\$"$as_ac_var"\" = x"yes"; then : cat >>confdefs.h <<_ACEOF #define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 _ACEOF fi done CFLAGS="${saved_CFLAGS}" LIBS="${saved_LIBS}" have_crypto="yes" $as_echo "#define ENABLE_CRYPTO_OPENSSL 1" >>confdefs.h CRYPTO_CFLAGS="${OPENSSL_CFLAGS}" CRYPTO_LIBS="${OPENSSL_LIBS}" elif test "${enable_crypto}" = "yes" -a "${with_crypto_library}" = "mbedtls"; then saved_CFLAGS="${CFLAGS}" saved_LIBS="${LIBS}" if test -z "${MBEDTLS_CFLAGS}" -a -z "${MBEDTLS_LIBS}"; then # if the user did not explicitly specify flags, try to autodetect LIBS="${LIBS} -lmbedtls -lmbedx509 -lmbedcrypto" { $as_echo "$as_me:${as_lineno-$LINENO}: checking for mbedtls_ssl_init in -lmbedtls" >&5 $as_echo_n "checking for mbedtls_ssl_init in -lmbedtls... " >&6; } if ${ac_cv_lib_mbedtls_mbedtls_ssl_init+:} false; then : $as_echo_n "(cached) " >&6 else ac_check_lib_save_LIBS=$LIBS LIBS="-lmbedtls ${PKCS11_HELPER_LIBS} $LIBS" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC builtin and then its argument prototype would still apply. */ #ifdef __cplusplus extern "C" #endif char mbedtls_ssl_init (); int main () { return mbedtls_ssl_init (); ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO"; then : ac_cv_lib_mbedtls_mbedtls_ssl_init=yes else ac_cv_lib_mbedtls_mbedtls_ssl_init=no fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_mbedtls_mbedtls_ssl_init" >&5 $as_echo "$ac_cv_lib_mbedtls_mbedtls_ssl_init" >&6; } if test "x$ac_cv_lib_mbedtls_mbedtls_ssl_init" = xyes; then : MBEDTLS_LIBS="-lmbedtls -lmbedx509 -lmbedcrypto" else as_fn_error $? "Could not find mbed TLS." "$LINENO" 5 fi fi CFLAGS="${MBEDTLS_CFLAGS} ${PKCS11_HELPER_CFLAGS} ${CFLAGS}" LIBS="${MBEDTLS_LIBS} ${PKCS11_HELPER_LIBS} ${LIBS}" { $as_echo "$as_me:${as_lineno-$LINENO}: checking mbedtls version" >&5 $as_echo_n "checking mbedtls version... " >&6; } cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include int main () { #if MBEDTLS_VERSION_NUMBER < 0x02000000 || MBEDTLS_VERSION_NUMBER >= 0x03000000 #error invalid version #endif ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : { $as_echo "$as_me:${as_lineno-$LINENO}: result: ok" >&5 $as_echo "ok" >&6; } else as_fn_error $? "mbed TLS 2.y.z required" "$LINENO" 5 fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext mbedtls_with_pkcs11="no" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include int main () { #ifndef MBEDTLS_PKCS11_C #error pkcs11 wrapper missing #endif ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : mbedtls_with_pkcs11="yes" fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext { $as_echo "$as_me:${as_lineno-$LINENO}: checking mbedtls pkcs11 support" >&5 $as_echo_n "checking mbedtls pkcs11 support... " >&6; } if test "${enable_pkcs11}" = "yes"; then if test "${mbedtls_with_pkcs11}" = "yes"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: ok" >&5 $as_echo "ok" >&6; } else as_fn_error $? "mbedtls has no pkcs11 wrapper compiled in" "$LINENO" 5 fi else if test "${mbedtls_with_pkcs11}" != "yes"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: ok" >&5 $as_echo "ok" >&6; } else as_fn_error $? "mbed TLS compiled with PKCS11, while OpenVPN is not" "$LINENO" 5 fi fi have_crypto_aead_modes="yes" for ac_func in \ mbedtls_cipher_write_tag \ mbedtls_cipher_check_tag \ do : as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" if eval test \"x\$"$as_ac_var"\" = x"yes"; then : cat >>confdefs.h <<_ACEOF #define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 _ACEOF else have_crypto_aead_modes="no"; break fi done CFLAGS="${saved_CFLAGS}" LIBS="${saved_LIBS}" have_crypto="yes" $as_echo "#define ENABLE_CRYPTO_MBEDTLS 1" >>confdefs.h CRYPTO_CFLAGS="${MBEDTLS_CFLAGS}" CRYPTO_LIBS="${MBEDTLS_LIBS}" elif test "${enable_crypto}" = "yes"; then as_fn_error $? "Invalid crypto library: ${with_crypto_library}" "$LINENO" 5 fi have_lzo="yes" if test -z "${LZO_LIBS}"; then { $as_echo "$as_me:${as_lineno-$LINENO}: checking for lzo1x_1_15_compress in -llzo2" >&5 $as_echo_n "checking for lzo1x_1_15_compress in -llzo2... " >&6; } if ${ac_cv_lib_lzo2_lzo1x_1_15_compress+:} false; then : $as_echo_n "(cached) " >&6 else ac_check_lib_save_LIBS=$LIBS LIBS="-llzo2 $LIBS" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC builtin and then its argument prototype would still apply. */ #ifdef __cplusplus extern "C" #endif char lzo1x_1_15_compress (); int main () { return lzo1x_1_15_compress (); ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO"; then : ac_cv_lib_lzo2_lzo1x_1_15_compress=yes else ac_cv_lib_lzo2_lzo1x_1_15_compress=no fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_lzo2_lzo1x_1_15_compress" >&5 $as_echo "$ac_cv_lib_lzo2_lzo1x_1_15_compress" >&6; } if test "x$ac_cv_lib_lzo2_lzo1x_1_15_compress" = xyes; then : LZO_LIBS="-llzo2" else { $as_echo "$as_me:${as_lineno-$LINENO}: checking for lzo1x_1_15_compress in -llzo" >&5 $as_echo_n "checking for lzo1x_1_15_compress in -llzo... " >&6; } if ${ac_cv_lib_lzo_lzo1x_1_15_compress+:} false; then : $as_echo_n "(cached) " >&6 else ac_check_lib_save_LIBS=$LIBS LIBS="-llzo $LIBS" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC builtin and then its argument prototype would still apply. */ #ifdef __cplusplus extern "C" #endif char lzo1x_1_15_compress (); int main () { return lzo1x_1_15_compress (); ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO"; then : ac_cv_lib_lzo_lzo1x_1_15_compress=yes else ac_cv_lib_lzo_lzo1x_1_15_compress=no fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_lzo_lzo1x_1_15_compress" >&5 $as_echo "$ac_cv_lib_lzo_lzo1x_1_15_compress" >&6; } if test "x$ac_cv_lib_lzo_lzo1x_1_15_compress" = xyes; then : LZO_LIBS="-llzo" else have_lzo="no" fi fi fi if test "${have_lzo}" = "yes"; then saved_CFLAGS="${CFLAGS}" CFLAGS="${CFLAGS} ${LZO_CFLAGS}" for ac_header in lzo/lzoutil.h do : ac_fn_c_check_header_mongrel "$LINENO" "lzo/lzoutil.h" "ac_cv_header_lzo_lzoutil_h" "$ac_includes_default" if test "x$ac_cv_header_lzo_lzoutil_h" = xyes; then : cat >>confdefs.h <<_ACEOF #define HAVE_LZO_LZOUTIL_H 1 _ACEOF else for ac_header in lzoutil.h do : ac_fn_c_check_header_mongrel "$LINENO" "lzoutil.h" "ac_cv_header_lzoutil_h" "$ac_includes_default" if test "x$ac_cv_header_lzoutil_h" = xyes; then : cat >>confdefs.h <<_ACEOF #define HAVE_LZOUTIL_H 1 _ACEOF else as_fn_error $? "lzoutil.h is missing" "$LINENO" 5 fi done fi done for ac_header in lzo/lzo1x.h do : ac_fn_c_check_header_mongrel "$LINENO" "lzo/lzo1x.h" "ac_cv_header_lzo_lzo1x_h" "$ac_includes_default" if test "x$ac_cv_header_lzo_lzo1x_h" = xyes; then : cat >>confdefs.h <<_ACEOF #define HAVE_LZO_LZO1X_H 1 _ACEOF else for ac_header in lzo1x.h do : ac_fn_c_check_header_mongrel "$LINENO" "lzo1x.h" "ac_cv_header_lzo1x_h" "$ac_includes_default" if test "x$ac_cv_header_lzo1x_h" = xyes; then : cat >>confdefs.h <<_ACEOF #define HAVE_LZO1X_H 1 _ACEOF else as_fn_error $? "lzo1x.h is missing" "$LINENO" 5 fi done fi done CFLAGS="${saved_CFLAGS}" fi if test "$enable_lz4" = "yes" && test "$enable_comp_stub" = "no"; then if test -z "${LZ4_CFLAGS}" -a -z "${LZ4_LIBS}"; then # if the user did not explicitly specify flags, try to autodetect pkg_failed=no { $as_echo "$as_me:${as_lineno-$LINENO}: checking for LZ4" >&5 $as_echo_n "checking for LZ4... " >&6; } if test -n "$LZ4_CFLAGS"; then pkg_cv_LZ4_CFLAGS="$LZ4_CFLAGS" elif test -n "$PKG_CONFIG"; then if test -n "$PKG_CONFIG" && \ { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"liblz4 >= 1.7.1\""; } >&5 ($PKG_CONFIG --exists --print-errors "liblz4 >= 1.7.1") 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; then pkg_cv_LZ4_CFLAGS=`$PKG_CONFIG --cflags "liblz4 >= 1.7.1" 2>/dev/null` test "x$?" != "x0" && pkg_failed=yes else pkg_failed=yes fi else pkg_failed=untried fi if test -n "$LZ4_LIBS"; then pkg_cv_LZ4_LIBS="$LZ4_LIBS" elif test -n "$PKG_CONFIG"; then if test -n "$PKG_CONFIG" && \ { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"liblz4 >= 1.7.1\""; } >&5 ($PKG_CONFIG --exists --print-errors "liblz4 >= 1.7.1") 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; then pkg_cv_LZ4_LIBS=`$PKG_CONFIG --libs "liblz4 >= 1.7.1" 2>/dev/null` test "x$?" != "x0" && pkg_failed=yes else pkg_failed=yes fi else pkg_failed=untried fi if test $pkg_failed = yes; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then _pkg_short_errors_supported=yes else _pkg_short_errors_supported=no fi if test $_pkg_short_errors_supported = yes; then LZ4_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "liblz4 >= 1.7.1" 2>&1` else LZ4_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "liblz4 >= 1.7.1" 2>&1` fi # Put the nasty error message in config.log where it belongs echo "$LZ4_PKG_ERRORS" >&5 # If this fails, we will do another test next elif test $pkg_failed = untried; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } # If this fails, we will do another test next else LZ4_CFLAGS=$pkg_cv_LZ4_CFLAGS LZ4_LIBS=$pkg_cv_LZ4_LIBS { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 $as_echo "yes" >&6; } have_lz4="yes" fi fi saved_CFLAGS="${CFLAGS}" saved_LIBS="${LIBS}" CFLAGS="${CFLAGS} ${LZ4_CFLAGS}" LIBS="${LIBS} ${LZ4_LIBS}" # If pkgconfig check failed or LZ4_CFLAGS/LZ4_LIBS env vars # are used, check the version directly in the LZ4 include file if test "${have_lz4}" != "yes"; then for ac_header in lz4.h do : ac_fn_c_check_header_mongrel "$LINENO" "lz4.h" "ac_cv_header_lz4_h" "$ac_includes_default" if test "x$ac_cv_header_lz4_h" = xyes; then : cat >>confdefs.h <<_ACEOF #define HAVE_LZ4_H 1 _ACEOF have_lz4h="yes" fi done if test "${have_lz4h}" = "yes" ; then { $as_echo "$as_me:${as_lineno-$LINENO}: checking additionally if system LZ4 version >= 1.7.1" >&5 $as_echo_n "checking additionally if system LZ4 version >= 1.7.1... " >&6; } cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include int main () { /* Version encoding: MMNNPP (Major miNor Patch) - see lz4.h for details */ #if LZ4_VERSION_NUMBER < 10701L #error LZ4 is too old #endif ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : { $as_echo "$as_me:${as_lineno-$LINENO}: result: ok" >&5 $as_echo "ok" >&6; } have_lz4="yes" else { $as_echo "$as_me:${as_lineno-$LINENO}: result: system LZ4 library is too old" >&5 $as_echo "system LZ4 library is too old" >&6; } fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi fi # if LZ4_LIBS is set, we assume it will work, otherwise test if test -z "${LZ4_LIBS}"; then { $as_echo "$as_me:${as_lineno-$LINENO}: checking for LZ4_compress in -llz4" >&5 $as_echo_n "checking for LZ4_compress in -llz4... " >&6; } if ${ac_cv_lib_lz4_LZ4_compress+:} false; then : $as_echo_n "(cached) " >&6 else ac_check_lib_save_LIBS=$LIBS LIBS="-llz4 $LIBS" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC builtin and then its argument prototype would still apply. */ #ifdef __cplusplus extern "C" #endif char LZ4_compress (); int main () { return LZ4_compress (); ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO"; then : ac_cv_lib_lz4_LZ4_compress=yes else ac_cv_lib_lz4_LZ4_compress=no fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_lz4_LZ4_compress" >&5 $as_echo "$ac_cv_lib_lz4_LZ4_compress" >&6; } if test "x$ac_cv_lib_lz4_LZ4_compress" = xyes; then : LZ4_LIBS="-llz4" else have_lz4="no" fi fi if test "${have_lz4}" != "yes" ; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: usuable LZ4 library or header not found, using version in src/compat/compat-lz4.*" >&5 $as_echo " usuable LZ4 library or header not found, using version in src/compat/compat-lz4.*" >&6; } $as_echo "#define NEED_COMPAT_LZ4 1" >>confdefs.h LZ4_LIBS="" fi OPTIONAL_LZ4_CFLAGS="${LZ4_CFLAGS}" OPTIONAL_LZ4_LIBS="${LZ4_LIBS}" $as_echo "#define ENABLE_LZ4 1" >>confdefs.h CFLAGS="${saved_CFLAGS}" LIBS="${saved_LIBS}" fi if test "${enable_systemd}" = "yes"; then ENABLE_SYSTEMD_TRUE= ENABLE_SYSTEMD_FALSE='#' else ENABLE_SYSTEMD_TRUE='#' ENABLE_SYSTEMD_FALSE= fi if test "$enable_systemd" = "yes" ; then pkg_failed=no { $as_echo "$as_me:${as_lineno-$LINENO}: checking for libsystemd" >&5 $as_echo_n "checking for libsystemd... " >&6; } if test -n "$libsystemd_CFLAGS"; then pkg_cv_libsystemd_CFLAGS="$libsystemd_CFLAGS" elif test -n "$PKG_CONFIG"; then if test -n "$PKG_CONFIG" && \ { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"systemd libsystemd\""; } >&5 ($PKG_CONFIG --exists --print-errors "systemd libsystemd") 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; then pkg_cv_libsystemd_CFLAGS=`$PKG_CONFIG --cflags "systemd libsystemd" 2>/dev/null` test "x$?" != "x0" && pkg_failed=yes else pkg_failed=yes fi else pkg_failed=untried fi if test -n "$libsystemd_LIBS"; then pkg_cv_libsystemd_LIBS="$libsystemd_LIBS" elif test -n "$PKG_CONFIG"; then if test -n "$PKG_CONFIG" && \ { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"systemd libsystemd\""; } >&5 ($PKG_CONFIG --exists --print-errors "systemd libsystemd") 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; then pkg_cv_libsystemd_LIBS=`$PKG_CONFIG --libs "systemd libsystemd" 2>/dev/null` test "x$?" != "x0" && pkg_failed=yes else pkg_failed=yes fi else pkg_failed=untried fi if test $pkg_failed = yes; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then _pkg_short_errors_supported=yes else _pkg_short_errors_supported=no fi if test $_pkg_short_errors_supported = yes; then libsystemd_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "systemd libsystemd" 2>&1` else libsystemd_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "systemd libsystemd" 2>&1` fi # Put the nasty error message in config.log where it belongs echo "$libsystemd_PKG_ERRORS" >&5 pkg_failed=no { $as_echo "$as_me:${as_lineno-$LINENO}: checking for libsystemd" >&5 $as_echo_n "checking for libsystemd... " >&6; } if test -n "$libsystemd_CFLAGS"; then pkg_cv_libsystemd_CFLAGS="$libsystemd_CFLAGS" elif test -n "$PKG_CONFIG"; then if test -n "$PKG_CONFIG" && \ { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libsystemd-daemon\""; } >&5 ($PKG_CONFIG --exists --print-errors "libsystemd-daemon") 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; then pkg_cv_libsystemd_CFLAGS=`$PKG_CONFIG --cflags "libsystemd-daemon" 2>/dev/null` test "x$?" != "x0" && pkg_failed=yes else pkg_failed=yes fi else pkg_failed=untried fi if test -n "$libsystemd_LIBS"; then pkg_cv_libsystemd_LIBS="$libsystemd_LIBS" elif test -n "$PKG_CONFIG"; then if test -n "$PKG_CONFIG" && \ { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libsystemd-daemon\""; } >&5 ($PKG_CONFIG --exists --print-errors "libsystemd-daemon") 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; then pkg_cv_libsystemd_LIBS=`$PKG_CONFIG --libs "libsystemd-daemon" 2>/dev/null` test "x$?" != "x0" && pkg_failed=yes else pkg_failed=yes fi else pkg_failed=untried fi if test $pkg_failed = yes; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then _pkg_short_errors_supported=yes else _pkg_short_errors_supported=no fi if test $_pkg_short_errors_supported = yes; then libsystemd_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "libsystemd-daemon" 2>&1` else libsystemd_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "libsystemd-daemon" 2>&1` fi # Put the nasty error message in config.log where it belongs echo "$libsystemd_PKG_ERRORS" >&5 as_fn_error $? "Package requirements (libsystemd-daemon) were not met: $libsystemd_PKG_ERRORS Consider adjusting the PKG_CONFIG_PATH environment variable if you installed software in a non-standard prefix. Alternatively, you may set the environment variables libsystemd_CFLAGS and libsystemd_LIBS to avoid the need to call pkg-config. See the pkg-config man page for more details." "$LINENO" 5 elif test $pkg_failed = untried; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} as_fn_error $? "The pkg-config script could not be found or is too old. Make sure it is in your PATH or set the PKG_CONFIG environment variable to the full path to pkg-config. Alternatively, you may set the environment variables libsystemd_CFLAGS and libsystemd_LIBS to avoid the need to call pkg-config. See the pkg-config man page for more details. To get pkg-config, see . See \`config.log' for more details" "$LINENO" 5; } else libsystemd_CFLAGS=$pkg_cv_libsystemd_CFLAGS libsystemd_LIBS=$pkg_cv_libsystemd_LIBS { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 $as_echo "yes" >&6; } fi elif test $pkg_failed = untried; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } pkg_failed=no { $as_echo "$as_me:${as_lineno-$LINENO}: checking for libsystemd" >&5 $as_echo_n "checking for libsystemd... " >&6; } if test -n "$libsystemd_CFLAGS"; then pkg_cv_libsystemd_CFLAGS="$libsystemd_CFLAGS" elif test -n "$PKG_CONFIG"; then if test -n "$PKG_CONFIG" && \ { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libsystemd-daemon\""; } >&5 ($PKG_CONFIG --exists --print-errors "libsystemd-daemon") 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; then pkg_cv_libsystemd_CFLAGS=`$PKG_CONFIG --cflags "libsystemd-daemon" 2>/dev/null` test "x$?" != "x0" && pkg_failed=yes else pkg_failed=yes fi else pkg_failed=untried fi if test -n "$libsystemd_LIBS"; then pkg_cv_libsystemd_LIBS="$libsystemd_LIBS" elif test -n "$PKG_CONFIG"; then if test -n "$PKG_CONFIG" && \ { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libsystemd-daemon\""; } >&5 ($PKG_CONFIG --exists --print-errors "libsystemd-daemon") 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; then pkg_cv_libsystemd_LIBS=`$PKG_CONFIG --libs "libsystemd-daemon" 2>/dev/null` test "x$?" != "x0" && pkg_failed=yes else pkg_failed=yes fi else pkg_failed=untried fi if test $pkg_failed = yes; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then _pkg_short_errors_supported=yes else _pkg_short_errors_supported=no fi if test $_pkg_short_errors_supported = yes; then libsystemd_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "libsystemd-daemon" 2>&1` else libsystemd_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "libsystemd-daemon" 2>&1` fi # Put the nasty error message in config.log where it belongs echo "$libsystemd_PKG_ERRORS" >&5 as_fn_error $? "Package requirements (libsystemd-daemon) were not met: $libsystemd_PKG_ERRORS Consider adjusting the PKG_CONFIG_PATH environment variable if you installed software in a non-standard prefix. Alternatively, you may set the environment variables libsystemd_CFLAGS and libsystemd_LIBS to avoid the need to call pkg-config. See the pkg-config man page for more details." "$LINENO" 5 elif test $pkg_failed = untried; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} as_fn_error $? "The pkg-config script could not be found or is too old. Make sure it is in your PATH or set the PKG_CONFIG environment variable to the full path to pkg-config. Alternatively, you may set the environment variables libsystemd_CFLAGS and libsystemd_LIBS to avoid the need to call pkg-config. See the pkg-config man page for more details. To get pkg-config, see . See \`config.log' for more details" "$LINENO" 5; } else libsystemd_CFLAGS=$pkg_cv_libsystemd_CFLAGS libsystemd_LIBS=$pkg_cv_libsystemd_LIBS { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 $as_echo "yes" >&6; } fi else libsystemd_CFLAGS=$pkg_cv_libsystemd_CFLAGS libsystemd_LIBS=$pkg_cv_libsystemd_LIBS { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 $as_echo "yes" >&6; } fi if test -n "$PKG_CONFIG" && \ { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libsystemd > 216\""; } >&5 ($PKG_CONFIG --exists --print-errors "libsystemd > 216") 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; then $as_echo "#define SYSTEMD_NEWER_THAN_216 1" >>confdefs.h fi for ac_header in systemd/sd-daemon.h do : ac_fn_c_check_header_mongrel "$LINENO" "systemd/sd-daemon.h" "ac_cv_header_systemd_sd_daemon_h" "$ac_includes_default" if test "x$ac_cv_header_systemd_sd_daemon_h" = xyes; then : cat >>confdefs.h <<_ACEOF #define HAVE_SYSTEMD_SD_DAEMON_H 1 _ACEOF else as_fn_error $? "systemd development headers not found." "$LINENO" 5 fi done saved_LIBS="${LIBS}" LIBS="${LIBS} ${libsystemd_LIBS}" for ac_func in sd_booted do : ac_fn_c_check_func "$LINENO" "sd_booted" "ac_cv_func_sd_booted" if test "x$ac_cv_func_sd_booted" = xyes; then : cat >>confdefs.h <<_ACEOF #define HAVE_SD_BOOTED 1 _ACEOF else as_fn_error $? "systemd library is missing sd_booted()" "$LINENO" 5 fi done OPTIONAL_SYSTEMD_LIBS="${libsystemd_LIBS}" $as_echo "#define ENABLE_SYSTEMD 1" >>confdefs.h LIBS="${saved_LIBS}" if test -n "${SYSTEMD_UNIT_DIR}"; then systemdunitdir="${SYSTEMD_UNIT_DIR}" else systemdunitdir="\${libdir}/systemd/system" fi if test -n "${TMPFILES_DIR}"; then tmpfilesdir="${TMPFILES_DIR}" else tmpfilesdir="\${libdir}/tmpfiles.d" fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking git checkout" >&5 $as_echo_n "checking git checkout... " >&6; } GIT_CHECKOUT="no" if test -n "${GIT}" -a -d "${srcdir}/.git"; then $as_echo "#define HAVE_CONFIG_VERSION_H 1" >>confdefs.h GIT_CHECKOUT="yes" fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: ${GIT_CHECKOUT}" >&5 $as_echo "${GIT_CHECKOUT}" >&6; } if test -n "${SP_PLATFORM_WINDOWS}"; then cat >>confdefs.h <<_ACEOF #define PATH_SEPARATOR '\\\\' _ACEOF #" cat >>confdefs.h <<_ACEOF #define PATH_SEPARATOR_STR "\\\\" _ACEOF #" else cat >>confdefs.h <<_ACEOF #define PATH_SEPARATOR '/' _ACEOF cat >>confdefs.h <<_ACEOF #define PATH_SEPARATOR_STR "/" _ACEOF fi if test "${enable_x509_alt_username}" = "yes"; then if test "${with_crypto_library}" = "mbedtls" ; then as_fn_error $? "mbed TLS does not support the --x509-username-field feature" "$LINENO" 5 fi $as_echo "#define ENABLE_X509ALTUSERNAME 1" >>confdefs.h fi test "${ac_cv_header_sys_uio_h}" = "yes" && $as_echo "#define HAVE_IOVEC 1" >>confdefs.h test "${enable_server}" = "no" && $as_echo "#define ENABLE_CLIENT_ONLY 1" >>confdefs.h test "${enable_management}" = "yes" && $as_echo "#define ENABLE_MANAGEMENT 1" >>confdefs.h test "${enable_multihome}" = "yes" && $as_echo "#define ENABLE_MULTIHOME 1" >>confdefs.h test "${enable_debug}" = "yes" && $as_echo "#define ENABLE_DEBUG 1" >>confdefs.h test "${enable_small}" = "yes" && $as_echo "#define ENABLE_SMALL 1" >>confdefs.h test "${enable_fragment}" = "yes" && $as_echo "#define ENABLE_FRAGMENT 1" >>confdefs.h test "${enable_port_share}" = "yes" && $as_echo "#define ENABLE_PORT_SHARE 1" >>confdefs.h test "${enable_def_auth}" = "yes" && $as_echo "#define ENABLE_DEF_AUTH 1" >>confdefs.h test "${enable_pf}" = "yes" && $as_echo "#define ENABLE_PF 1" >>confdefs.h test "${enable_strict_options}" = "yes" && $as_echo "#define ENABLE_STRICT_OPTIONS_CHECK 1" >>confdefs.h if test "${enable_crypto}" = "yes"; then test "${have_crypto}" != "yes" && as_fn_error $? "${with_crypto_library} crypto is required but missing" "$LINENO" 5 test "${enable_crypto_ofb_cfb}" = "yes" && $as_echo "#define ENABLE_OFB_CFB_MODE 1" >>confdefs.h test "${have_crypto_aead_modes}" = "yes" && $as_echo "#define HAVE_AEAD_CIPHER_MODES 1" >>confdefs.h OPTIONAL_CRYPTO_CFLAGS="${OPTIONAL_CRYPTO_CFLAGS} ${CRYPTO_CFLAGS}" OPTIONAL_CRYPTO_LIBS="${OPTIONAL_CRYPTO_LIBS} ${CRYPTO_LIBS}" $as_echo "#define ENABLE_CRYPTO 1" >>confdefs.h fi if test "${enable_plugins}" = "yes"; then OPTIONAL_DL_LIBS="${DL_LIBS}" $as_echo "#define ENABLE_PLUGIN 1" >>confdefs.h else enable_plugin_auth_pam="no" enable_plugin_down_root="no" fi if test "${enable_iproute2}" = "yes"; then test -z "${IPROUTE}" && as_fn_error $? "ip utility is required but missing" "$LINENO" 5 $as_echo "#define ENABLE_IPROUTE 1" >>confdefs.h else if test "${WIN32}" != "yes"; then test -z "${ROUTE}" && as_fn_error $? "route utility is required but missing" "$LINENO" 5 test -z "${IFCONFIG}" && as_fn_error $? "ifconfig utility is required but missing" "$LINENO" 5 fi fi if test "${enable_selinux}" = "yes"; then test -z "${SELINUX_LIBS}" && as_fn_error $? "libselinux required but missing" "$LINENO" 5 OPTIONAL_SELINUX_LIBS="${SELINUX_LIBS}" $as_echo "#define ENABLE_SELINUX 1" >>confdefs.h fi if test "${enable_lzo}" = "yes"; then test "${have_lzo}" != "yes" && as_fn_error $? "lzo enabled but missing" "$LINENO" 5 OPTIONAL_LZO_CFLAGS="${LZO_CFLAGS}" OPTIONAL_LZO_LIBS="${LZO_LIBS}" $as_echo "#define ENABLE_LZO 1" >>confdefs.h fi if test "${enable_comp_stub}" = "yes"; then test "${enable_lzo}" = "yes" && as_fn_error $? "Cannot have both comp stub and lzo enabled (use --disable-lzo)" "$LINENO" 5 test "${enable_lz4}" = "yes" && as_fn_error $? "Cannot have both comp stub and LZ4 enabled (use --disable-lz4)" "$LINENO" 5 $as_echo "#define ENABLE_COMP_STUB 1" >>confdefs.h fi if test "${enable_pkcs11}" = "yes"; then test "${have_pkcs11_helper}" != "yes" && as_fn_error $? "PKCS11 enabled but libpkcs11-helper is missing" "$LINENO" 5 test "${enable_crypto}" != "yes" && as_fn_error $? "PKCS11 can be enabled only if crypto is enabled" "$LINENO" 5 OPTIONAL_PKCS11_HELPER_CFLAGS="${PKCS11_HELPER_CFLAGS}" OPTIONAL_PKCS11_HELPER_LIBS="${PKCS11_HELPER_LIBS}" $as_echo "#define ENABLE_PKCS11 1" >>confdefs.h pkg_failed=no { $as_echo "$as_me:${as_lineno-$LINENO}: checking for P11KIT" >&5 $as_echo_n "checking for P11KIT... " >&6; } if test -n "$P11KIT_CFLAGS"; then pkg_cv_P11KIT_CFLAGS="$P11KIT_CFLAGS" elif test -n "$PKG_CONFIG"; then if test -n "$PKG_CONFIG" && \ { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"p11-kit-1\""; } >&5 ($PKG_CONFIG --exists --print-errors "p11-kit-1") 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; then pkg_cv_P11KIT_CFLAGS=`$PKG_CONFIG --cflags "p11-kit-1" 2>/dev/null` test "x$?" != "x0" && pkg_failed=yes else pkg_failed=yes fi else pkg_failed=untried fi if test -n "$P11KIT_LIBS"; then pkg_cv_P11KIT_LIBS="$P11KIT_LIBS" elif test -n "$PKG_CONFIG"; then if test -n "$PKG_CONFIG" && \ { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"p11-kit-1\""; } >&5 ($PKG_CONFIG --exists --print-errors "p11-kit-1") 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; then pkg_cv_P11KIT_LIBS=`$PKG_CONFIG --libs "p11-kit-1" 2>/dev/null` test "x$?" != "x0" && pkg_failed=yes else pkg_failed=yes fi else pkg_failed=untried fi if test $pkg_failed = yes; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then _pkg_short_errors_supported=yes else _pkg_short_errors_supported=no fi if test $_pkg_short_errors_supported = yes; then P11KIT_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "p11-kit-1" 2>&1` else P11KIT_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "p11-kit-1" 2>&1` fi # Put the nasty error message in config.log where it belongs echo "$P11KIT_PKG_ERRORS" >&5 elif test $pkg_failed = untried; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } else P11KIT_CFLAGS=$pkg_cv_P11KIT_CFLAGS P11KIT_LIBS=$pkg_cv_P11KIT_LIBS { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 $as_echo "yes" >&6; } proxy_module="`$PKG_CONFIG --variable=proxy_module p11-kit-1`" cat >>confdefs.h <<_ACEOF #define DEFAULT_PKCS11_MODULE "${proxy_module}" _ACEOF fi fi if test "${enable_pedantic}" = "yes"; then enable_strict="yes" CFLAGS="${CFLAGS} -pedantic" $as_echo "#define PEDANTIC 1" >>confdefs.h fi if test "${enable_strict}" = "yes"; then CFLAGS="${CFLAGS} -Wall -Wno-unused-parameter -Wno-unused-function" fi if test "${enable_werror}" = "yes"; then CFLAGS="${CFLAGS} -Werror" fi if test "${WIN32}" = "yes"; then test -z "${MAN2HTML}" && as_fn_error $? "man2html is required for win32" "$LINENO" 5 fi if test "${enable_plugin_auth_pam}" = "yes"; then PLUGIN_AUTH_PAM_CFLAGS="${LIBPAM_CFLAGS}" if test "${enable_pam_dlopen}" = "yes"; then $as_echo "#define USE_PAM_DLOPEN 1" >>confdefs.h PLUGIN_AUTH_PAM_LIBS="${DL_LIBS}" else test -z "${LIBPAM_LIBS}" && as_fn_error $? "libpam required but missing" "$LINENO" 5 PLUGIN_AUTH_PAM_LIBS="${LIBPAM_LIBS}" fi fi if test "${enable_async_push}" = "yes"; then for ac_header in sys/inotify.h do : ac_fn_c_check_header_mongrel "$LINENO" "sys/inotify.h" "ac_cv_header_sys_inotify_h" "$ac_includes_default" if test "x$ac_cv_header_sys_inotify_h" = xyes; then : cat >>confdefs.h <<_ACEOF #define HAVE_SYS_INOTIFY_H 1 _ACEOF $as_echo "#define ENABLE_ASYNC_PUSH 1" >>confdefs.h else as_fn_error $? "inotify.h not found." "$LINENO" 5 fi done fi CONFIGURE_DEFINES="`set | grep '^enable_.*=' ; set | grep '^with_.*='`" cat >>confdefs.h <<_ACEOF #define CONFIGURE_DEFINES "`echo ${CONFIGURE_DEFINES}`" _ACEOF TAP_WIN_COMPONENT_ID="tap0901" TAP_WIN_MIN_MAJOR="9" TAP_WIN_MIN_MINOR="9" cat >>confdefs.h <<_ACEOF #define TAP_WIN_COMPONENT_ID "${TAP_WIN_COMPONENT_ID}" _ACEOF cat >>confdefs.h <<_ACEOF #define TAP_WIN_MIN_MAJOR ${TAP_WIN_MIN_MAJOR} _ACEOF cat >>confdefs.h <<_ACEOF #define TAP_WIN_MIN_MINOR ${TAP_WIN_MIN_MINOR} _ACEOF if test "${WIN32}" = "yes"; then WIN32_TRUE= WIN32_FALSE='#' else WIN32_TRUE='#' WIN32_FALSE= fi if test "${GIT_CHECKOUT}" = "yes"; then GIT_CHECKOUT_TRUE= GIT_CHECKOUT_FALSE='#' else GIT_CHECKOUT_TRUE='#' GIT_CHECKOUT_FALSE= fi if test "${enable_plugin_auth_pam}" = "yes"; then ENABLE_PLUGIN_AUTH_PAM_TRUE= ENABLE_PLUGIN_AUTH_PAM_FALSE='#' else ENABLE_PLUGIN_AUTH_PAM_TRUE='#' ENABLE_PLUGIN_AUTH_PAM_FALSE= fi if test "${enable_plugin_down_root}" = "yes"; then ENABLE_PLUGIN_DOWN_ROOT_TRUE= ENABLE_PLUGIN_DOWN_ROOT_FALSE='#' else ENABLE_PLUGIN_DOWN_ROOT_TRUE='#' ENABLE_PLUGIN_DOWN_ROOT_FALSE= fi if test "${enable_crypto}" = "yes"; then ENABLE_CRYPTO_TRUE= ENABLE_CRYPTO_FALSE='#' else ENABLE_CRYPTO_TRUE='#' ENABLE_CRYPTO_FALSE= fi if test "${have_ld_wrap_support}" = "yes"; then HAVE_LD_WRAP_SUPPORT_TRUE= HAVE_LD_WRAP_SUPPORT_FALSE='#' else HAVE_LD_WRAP_SUPPORT_TRUE='#' HAVE_LD_WRAP_SUPPORT_FALSE= fi sampledir="\$(docdir)/sample" VENDOR_SRC_ROOT="\$(abs_top_srcdir)/vendor/" VENDOR_DIST_ROOT="\$(abs_top_builddir)/vendor/dist" VENDOR_BUILD_ROOT="\$(abs_top_builddir)/vendor/.build" TEST_LDFLAGS="-lcmocka -L\$(abs_top_builddir)/vendor/dist/lib -Wl,-rpath,\$(abs_top_builddir)/vendor/dist/lib" TEST_CFLAGS="-I\$(top_srcdir)/include -I\$(abs_top_builddir)/vendor/dist/include" # Check if cmake is available and cmocka git submodule is initialized, # needed for unit testing for ac_prog in cmake do # Extract the first word of "$ac_prog", so it can be a program name with args. set dummy $ac_prog; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_CMAKE+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$CMAKE"; then ac_cv_prog_CMAKE="$CMAKE" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_CMAKE="$ac_prog" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi CMAKE=$ac_cv_prog_CMAKE if test -n "$CMAKE"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CMAKE" >&5 $as_echo "$CMAKE" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi test -n "$CMAKE" && break done if test -n "${CMAKE}"; then if test -f "${srcdir}/vendor/cmocka/CMakeLists.txt"; then if true; then CMOCKA_INITIALIZED_TRUE= CMOCKA_INITIALIZED_FALSE='#' else CMOCKA_INITIALIZED_TRUE='#' CMOCKA_INITIALIZED_FALSE= fi else if false; then CMOCKA_INITIALIZED_TRUE= CMOCKA_INITIALIZED_FALSE='#' else CMOCKA_INITIALIZED_TRUE='#' CMOCKA_INITIALIZED_FALSE= fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: !! WARNING !! The cmoka git submodule has not been initialized or updated. Unit testing cannot be performed." >&5 $as_echo "!! WARNING !! The cmoka git submodule has not been initialized or updated. Unit testing cannot be performed." >&6; } fi else { $as_echo "$as_me:${as_lineno-$LINENO}: result: !! WARNING !! CMake is NOT available. Unit testing cannot be performed." >&5 $as_echo "!! WARNING !! CMake is NOT available. Unit testing cannot be performed." >&6; } if false; then CMOCKA_INITIALIZED_TRUE= CMOCKA_INITIALIZED_FALSE='#' else CMOCKA_INITIALIZED_TRUE='#' CMOCKA_INITIALIZED_FALSE= fi fi ac_config_files="$ac_config_files version.sh Makefile build/Makefile build/msvc/Makefile build/msvc/msvc-generate/Makefile distro/Makefile distro/rpm/Makefile distro/rpm/openvpn.spec distro/systemd/Makefile include/Makefile src/Makefile src/compat/Makefile src/openvpn/Makefile src/openvpnserv/Makefile src/plugins/Makefile src/plugins/auth-pam/Makefile src/plugins/down-root/Makefile tests/Makefile tests/unit_tests/Makefile tests/unit_tests/example_test/Makefile tests/unit_tests/openvpn/Makefile tests/unit_tests/plugins/Makefile tests/unit_tests/plugins/auth-pam/Makefile vendor/Makefile sample/Makefile doc/Makefile" ac_config_files="$ac_config_files tests/t_client.sh" cat >confcache <<\_ACEOF # This file is a shell script that caches the results of configure # tests run on this system so they can be shared between configure # scripts and configure runs, see configure's option --config-cache. # It is not useful on other systems. If it contains results you don't # want to keep, you may remove or edit it. # # config.status only pays attention to the cache file if you give it # the --recheck option to rerun configure. # # `ac_cv_env_foo' variables (set or unset) will be overridden when # loading this file, other *unset* `ac_cv_foo' will be assigned the # following values. _ACEOF # The following way of writing the cache mishandles newlines in values, # but we know of no workaround that is simple, portable, and efficient. # So, we kill variables containing newlines. # Ultrix sh set writes to stderr and can't be redirected directly, # and sets the high bit in the cache file unless we assign to the vars. ( for ac_var in `(set) 2>&1 | sed -n 's/^\([a-zA-Z_][a-zA-Z0-9_]*\)=.*/\1/p'`; do eval ac_val=\$$ac_var case $ac_val in #( *${as_nl}*) case $ac_var in #( *_cv_*) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cache variable $ac_var contains a newline" >&5 $as_echo "$as_me: WARNING: cache variable $ac_var contains a newline" >&2;} ;; esac case $ac_var in #( _ | IFS | as_nl) ;; #( BASH_ARGV | BASH_SOURCE) eval $ac_var= ;; #( *) { eval $ac_var=; unset $ac_var;} ;; esac ;; esac done (set) 2>&1 | case $as_nl`(ac_space=' '; set) 2>&1` in #( *${as_nl}ac_space=\ *) # `set' does not quote correctly, so add quotes: double-quote # substitution turns \\\\ into \\, and sed turns \\ into \. sed -n \ "s/'/'\\\\''/g; s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='\\2'/p" ;; #( *) # `set' quotes correctly as required by POSIX, so do not add quotes. sed -n "/^[_$as_cr_alnum]*_cv_[_$as_cr_alnum]*=/p" ;; esac | sort ) | sed ' /^ac_cv_env_/b end t clear :clear s/^\([^=]*\)=\(.*[{}].*\)$/test "${\1+set}" = set || &/ t end s/^\([^=]*\)=\(.*\)$/\1=${\1=\2}/ :end' >>confcache if diff "$cache_file" confcache >/dev/null 2>&1; then :; else if test -w "$cache_file"; then if test "x$cache_file" != "x/dev/null"; then { $as_echo "$as_me:${as_lineno-$LINENO}: updating cache $cache_file" >&5 $as_echo "$as_me: updating cache $cache_file" >&6;} if test ! -f "$cache_file" || test -h "$cache_file"; then cat confcache >"$cache_file" else case $cache_file in #( */* | ?:*) mv -f confcache "$cache_file"$$ && mv -f "$cache_file"$$ "$cache_file" ;; #( *) mv -f confcache "$cache_file" ;; esac fi fi else { $as_echo "$as_me:${as_lineno-$LINENO}: not updating unwritable cache $cache_file" >&5 $as_echo "$as_me: not updating unwritable cache $cache_file" >&6;} fi fi rm -f confcache test "x$prefix" = xNONE && prefix=$ac_default_prefix # Let make expand exec_prefix. test "x$exec_prefix" = xNONE && exec_prefix='${prefix}' DEFS=-DHAVE_CONFIG_H ac_libobjs= ac_ltlibobjs= U= for ac_i in : $LIBOBJS; do test "x$ac_i" = x: && continue # 1. Remove the extension, and $U if already installed. ac_script='s/\$U\././;s/\.o$//;s/\.obj$//' ac_i=`$as_echo "$ac_i" | sed "$ac_script"` # 2. Prepend LIBOBJDIR. When used with automake>=1.10 LIBOBJDIR # will be set to the directory where LIBOBJS objects are built. as_fn_append ac_libobjs " \${LIBOBJDIR}$ac_i\$U.$ac_objext" as_fn_append ac_ltlibobjs " \${LIBOBJDIR}$ac_i"'$U.lo' done LIBOBJS=$ac_libobjs LTLIBOBJS=$ac_ltlibobjs { $as_echo "$as_me:${as_lineno-$LINENO}: checking that generated files are newer than configure" >&5 $as_echo_n "checking that generated files are newer than configure... " >&6; } if test -n "$am_sleep_pid"; then # Hide warnings about reused PIDs. wait $am_sleep_pid 2>/dev/null fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: done" >&5 $as_echo "done" >&6; } if test -n "$EXEEXT"; then am__EXEEXT_TRUE= am__EXEEXT_FALSE='#' else am__EXEEXT_TRUE='#' am__EXEEXT_FALSE= fi if test -z "${AMDEP_TRUE}" && test -z "${AMDEP_FALSE}"; then as_fn_error $? "conditional \"AMDEP\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi if test -z "${am__fastdepCC_TRUE}" && test -z "${am__fastdepCC_FALSE}"; then as_fn_error $? "conditional \"am__fastdepCC\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi if test -z "${ENABLE_SYSTEMD_TRUE}" && test -z "${ENABLE_SYSTEMD_FALSE}"; then as_fn_error $? "conditional \"ENABLE_SYSTEMD\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi if test -z "${WIN32_TRUE}" && test -z "${WIN32_FALSE}"; then as_fn_error $? "conditional \"WIN32\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi if test -z "${GIT_CHECKOUT_TRUE}" && test -z "${GIT_CHECKOUT_FALSE}"; then as_fn_error $? "conditional \"GIT_CHECKOUT\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi if test -z "${ENABLE_PLUGIN_AUTH_PAM_TRUE}" && test -z "${ENABLE_PLUGIN_AUTH_PAM_FALSE}"; then as_fn_error $? "conditional \"ENABLE_PLUGIN_AUTH_PAM\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi if test -z "${ENABLE_PLUGIN_DOWN_ROOT_TRUE}" && test -z "${ENABLE_PLUGIN_DOWN_ROOT_FALSE}"; then as_fn_error $? "conditional \"ENABLE_PLUGIN_DOWN_ROOT\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi if test -z "${ENABLE_CRYPTO_TRUE}" && test -z "${ENABLE_CRYPTO_FALSE}"; then as_fn_error $? "conditional \"ENABLE_CRYPTO\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi if test -z "${HAVE_LD_WRAP_SUPPORT_TRUE}" && test -z "${HAVE_LD_WRAP_SUPPORT_FALSE}"; then as_fn_error $? "conditional \"HAVE_LD_WRAP_SUPPORT\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi if test -z "${CMOCKA_INITIALIZED_TRUE}" && test -z "${CMOCKA_INITIALIZED_FALSE}"; then as_fn_error $? "conditional \"CMOCKA_INITIALIZED\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi if test -z "${CMOCKA_INITIALIZED_TRUE}" && test -z "${CMOCKA_INITIALIZED_FALSE}"; then as_fn_error $? "conditional \"CMOCKA_INITIALIZED\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi if test -z "${CMOCKA_INITIALIZED_TRUE}" && test -z "${CMOCKA_INITIALIZED_FALSE}"; then as_fn_error $? "conditional \"CMOCKA_INITIALIZED\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi : "${CONFIG_STATUS=./config.status}" ac_write_fail=0 ac_clean_files_save=$ac_clean_files ac_clean_files="$ac_clean_files $CONFIG_STATUS" { $as_echo "$as_me:${as_lineno-$LINENO}: creating $CONFIG_STATUS" >&5 $as_echo "$as_me: creating $CONFIG_STATUS" >&6;} as_write_fail=0 cat >$CONFIG_STATUS <<_ASEOF || as_write_fail=1 #! $SHELL # Generated by $as_me. # Run this file to recreate the current configuration. # Compiler output produced by configure, useful for debugging # configure, is in config.log if it exists. debug=false ac_cs_recheck=false ac_cs_silent=false SHELL=\${CONFIG_SHELL-$SHELL} export SHELL _ASEOF cat >>$CONFIG_STATUS <<\_ASEOF || as_write_fail=1 ## -------------------- ## ## M4sh Initialization. ## ## -------------------- ## # Be more Bourne compatible DUALCASE=1; export DUALCASE # for MKS sh if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then : emulate sh NULLCMD=: # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which # is contrary to our usage. Disable this feature. alias -g '${1+"$@"}'='"$@"' setopt NO_GLOB_SUBST else case `(set -o) 2>/dev/null` in #( *posix*) : set -o posix ;; #( *) : ;; esac fi as_nl=' ' export as_nl # Printing a long string crashes Solaris 7 /usr/bin/printf. as_echo='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo$as_echo # Prefer a ksh shell builtin over an external printf program on Solaris, # but without wasting forks for bash or zsh. if test -z "$BASH_VERSION$ZSH_VERSION" \ && (test "X`print -r -- $as_echo`" = "X$as_echo") 2>/dev/null; then as_echo='print -r --' as_echo_n='print -rn --' elif (test "X`printf %s $as_echo`" = "X$as_echo") 2>/dev/null; then as_echo='printf %s\n' as_echo_n='printf %s' else if test "X`(/usr/ucb/echo -n -n $as_echo) 2>/dev/null`" = "X-n $as_echo"; then as_echo_body='eval /usr/ucb/echo -n "$1$as_nl"' as_echo_n='/usr/ucb/echo -n' else as_echo_body='eval expr "X$1" : "X\\(.*\\)"' as_echo_n_body='eval arg=$1; case $arg in #( *"$as_nl"*) expr "X$arg" : "X\\(.*\\)$as_nl"; arg=`expr "X$arg" : ".*$as_nl\\(.*\\)"`;; esac; expr "X$arg" : "X\\(.*\\)" | tr -d "$as_nl" ' export as_echo_n_body as_echo_n='sh -c $as_echo_n_body as_echo' fi export as_echo_body as_echo='sh -c $as_echo_body as_echo' fi # The user is always right. if test "${PATH_SEPARATOR+set}" != set; then PATH_SEPARATOR=: (PATH='/bin;/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 && { (PATH='/bin:/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 || PATH_SEPARATOR=';' } fi # IFS # We need space, tab and new line, in precisely that order. Quoting is # there to prevent editors from complaining about space-tab. # (If _AS_PATH_WALK were called with IFS unset, it would disable word # splitting by setting IFS to empty value.) IFS=" "" $as_nl" # Find who we are. Look in the path if we contain no directory separator. as_myself= case $0 in #(( *[\\/]* ) as_myself=$0 ;; *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break done IFS=$as_save_IFS ;; esac # We did not find ourselves, most probably we were run as `sh COMMAND' # in which case we are not to be found in the path. if test "x$as_myself" = x; then as_myself=$0 fi if test ! -f "$as_myself"; then $as_echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2 exit 1 fi # Unset variables that we do not need and which cause bugs (e.g. in # pre-3.0 UWIN ksh). But do not cause bugs in bash 2.01; the "|| exit 1" # suppresses any "Segmentation fault" message there. '((' could # trigger a bug in pdksh 5.2.14. for as_var in BASH_ENV ENV MAIL MAILPATH do eval test x\${$as_var+set} = xset \ && ( (unset $as_var) || exit 1) >/dev/null 2>&1 && unset $as_var || : done PS1='$ ' PS2='> ' PS4='+ ' # NLS nuisances. LC_ALL=C export LC_ALL LANGUAGE=C export LANGUAGE # CDPATH. (unset CDPATH) >/dev/null 2>&1 && unset CDPATH # as_fn_error STATUS ERROR [LINENO LOG_FD] # ---------------------------------------- # Output "`basename $0`: error: ERROR" to stderr. If LINENO and LOG_FD are # provided, also output the error to LOG_FD, referencing LINENO. Then exit the # script with STATUS, using 1 if that was 0. as_fn_error () { as_status=$1; test $as_status -eq 0 && as_status=1 if test "$4"; then as_lineno=${as_lineno-"$3"} as_lineno_stack=as_lineno_stack=$as_lineno_stack $as_echo "$as_me:${as_lineno-$LINENO}: error: $2" >&$4 fi $as_echo "$as_me: error: $2" >&2 as_fn_exit $as_status } # as_fn_error # as_fn_set_status STATUS # ----------------------- # Set $? to STATUS, without forking. as_fn_set_status () { return $1 } # as_fn_set_status # as_fn_exit STATUS # ----------------- # Exit the shell with STATUS, even in a "trap 0" or "set -e" context. as_fn_exit () { set +e as_fn_set_status $1 exit $1 } # as_fn_exit # as_fn_unset ax_cv_socklen_t_equiv # --------------------------------- # Portably unset VAR. as_fn_unset () { { eval $1=; unset $1;} } as_unset=as_fn_unset # as_fn_append ax_cv_socklen_t_equiv VALUE # ---------------------------------------- # Append the text in VALUE to the end of the definition contained in VAR. Take # advantage of any shell optimizations that allow amortized linear growth over # repeated appends, instead of the typical quadratic growth present in naive # implementations. if (eval "as_var=1; as_var+=2; test x\$as_var = x12") 2>/dev/null; then : eval 'as_fn_append () { eval $1+=\$2 }' else as_fn_append () { eval $1=\$$1\$2 } fi # as_fn_append # as_fn_arith ARG... # ------------------ # Perform arithmetic evaluation on the ARGs, and store the result in the # global $as_val. Take advantage of shells that can avoid forks. The arguments # must be portable across $(()) and expr. if (eval "test \$(( 1 + 1 )) = 2") 2>/dev/null; then : eval 'as_fn_arith () { as_val=$(( $* )) }' else as_fn_arith () { as_val=`expr "$@" || test $? -eq 1` } fi # as_fn_arith if expr a : '\(a\)' >/dev/null 2>&1 && test "X`expr 00001 : '.*\(...\)'`" = X001; then as_expr=expr else as_expr=false fi if (basename -- /) >/dev/null 2>&1 && test "X`basename -- / 2>&1`" = "X/"; then as_basename=basename else as_basename=false fi if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then as_dirname=dirname else as_dirname=false fi as_me=`$as_basename -- "$0" || $as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \ X"$0" : 'X\(//\)$' \| \ X"$0" : 'X\(/\)' \| . 2>/dev/null || $as_echo X/"$0" | sed '/^.*\/\([^/][^/]*\)\/*$/{ s//\1/ q } /^X\/\(\/\/\)$/{ s//\1/ q } /^X\/\(\/\).*/{ s//\1/ q } s/.*/./; q'` # Avoid depending upon Character Ranges. as_cr_letters='abcdefghijklmnopqrstuvwxyz' as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ' as_cr_Letters=$as_cr_letters$as_cr_LETTERS as_cr_digits='0123456789' as_cr_alnum=$as_cr_Letters$as_cr_digits ECHO_C= ECHO_N= ECHO_T= case `echo -n x` in #((((( -n*) case `echo 'xy\c'` in *c*) ECHO_T=' ';; # ECHO_T is single tab character. xy) ECHO_C='\c';; *) echo `echo ksh88 bug on AIX 6.1` > /dev/null ECHO_T=' ';; esac;; *) ECHO_N='-n';; esac rm -f conf$$ conf$$.exe conf$$.file if test -d conf$$.dir; then rm -f conf$$.dir/conf$$.file else rm -f conf$$.dir mkdir conf$$.dir 2>/dev/null fi if (echo >conf$$.file) 2>/dev/null; then if ln -s conf$$.file conf$$ 2>/dev/null; then as_ln_s='ln -s' # ... but there are two gotchas: # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail. # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable. # In both cases, we have to default to `cp -pR'. ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe || as_ln_s='cp -pR' elif ln conf$$.file conf$$ 2>/dev/null; then as_ln_s=ln else as_ln_s='cp -pR' fi else as_ln_s='cp -pR' fi rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file rmdir conf$$.dir 2>/dev/null # as_fn_mkdir_p # ------------- # Create "$as_dir" as a directory, including parents if necessary. as_fn_mkdir_p () { case $as_dir in #( -*) as_dir=./$as_dir;; esac test -d "$as_dir" || eval $as_mkdir_p || { as_dirs= while :; do case $as_dir in #( *\'*) as_qdir=`$as_echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #'( *) as_qdir=$as_dir;; esac as_dirs="'$as_qdir' $as_dirs" as_dir=`$as_dirname -- "$as_dir" || $as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ X"$as_dir" : 'X\(//\)[^/]' \| \ X"$as_dir" : 'X\(//\)$' \| \ X"$as_dir" : 'X\(/\)' \| . 2>/dev/null || $as_echo X"$as_dir" | sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/ q } /^X\(\/\/\)[^/].*/{ s//\1/ q } /^X\(\/\/\)$/{ s//\1/ q } /^X\(\/\).*/{ s//\1/ q } s/.*/./; q'` test -d "$as_dir" && break done test -z "$as_dirs" || eval "mkdir $as_dirs" } || test -d "$as_dir" || as_fn_error $? "cannot create directory $as_dir" } # as_fn_mkdir_p if mkdir -p . 2>/dev/null; then as_mkdir_p='mkdir -p "$as_dir"' else test -d ./-p && rmdir ./-p as_mkdir_p=false fi # as_fn_executable_p FILE # ----------------------- # Test if FILE is an executable regular file. as_fn_executable_p () { test -f "$1" && test -x "$1" } # as_fn_executable_p as_test_x='test -x' as_executable_p=as_fn_executable_p # Sed expression to map a string onto a valid CPP name. as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'" # Sed expression to map a string onto a valid variable name. as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'" exec 6>&1 ## ----------------------------------- ## ## Main body of $CONFIG_STATUS script. ## ## ----------------------------------- ## _ASEOF test $as_write_fail = 0 && chmod +x $CONFIG_STATUS || ac_write_fail=1 cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # Save the log message, to keep $0 and so on meaningful, and to # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" This file was extended by OpenVPN $as_me 2.4.4, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES CONFIG_HEADERS = $CONFIG_HEADERS CONFIG_LINKS = $CONFIG_LINKS CONFIG_COMMANDS = $CONFIG_COMMANDS $ $0 $@ on `(hostname || uname -n) 2>/dev/null | sed 1q` " _ACEOF case $ac_config_files in *" "*) set x $ac_config_files; shift; ac_config_files=$*;; esac case $ac_config_headers in *" "*) set x $ac_config_headers; shift; ac_config_headers=$*;; esac cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 # Files that config.status was made for. config_files="$ac_config_files" config_headers="$ac_config_headers" config_commands="$ac_config_commands" _ACEOF cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 ac_cs_usage="\ \`$as_me' instantiates files and other configuration actions from templates according to the current configuration. Unless the files and actions are specified as TAGs, all are instantiated by default. Usage: $0 [OPTION]... [TAG]... -h, --help print this help, then exit -V, --version print version number and configuration settings, then exit --config print configuration, then exit -q, --quiet, --silent do not print progress messages -d, --debug don't remove temporary files --recheck update $as_me by reconfiguring in the same conditions --file=FILE[:TEMPLATE] instantiate the configuration file FILE --header=FILE[:TEMPLATE] instantiate the configuration header FILE Configuration files: $config_files Configuration headers: $config_headers Configuration commands: $config_commands Report bugs to ." _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ OpenVPN config.status 2.4.4 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" Copyright (C) 2012 Free Software Foundation, Inc. This config.status script is free software; the Free Software Foundation gives unlimited permission to copy, distribute and modify it." ac_pwd='$ac_pwd' srcdir='$srcdir' INSTALL='$INSTALL' MKDIR_P='$MKDIR_P' AWK='$AWK' test -n "\$AWK" || AWK=awk _ACEOF cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # The default lists apply if the user does not specify any file. ac_need_defaults=: while test $# != 0 do case $1 in --*=?*) ac_option=`expr "X$1" : 'X\([^=]*\)='` ac_optarg=`expr "X$1" : 'X[^=]*=\(.*\)'` ac_shift=: ;; --*=) ac_option=`expr "X$1" : 'X\([^=]*\)='` ac_optarg= ac_shift=: ;; *) ac_option=$1 ac_optarg=$2 ac_shift=shift ;; esac case $ac_option in # Handling of the options. -recheck | --recheck | --rechec | --reche | --rech | --rec | --re | --r) ac_cs_recheck=: ;; --version | --versio | --versi | --vers | --ver | --ve | --v | -V ) $as_echo "$ac_cs_version"; exit ;; --config | --confi | --conf | --con | --co | --c ) $as_echo "$ac_cs_config"; exit ;; --debug | --debu | --deb | --de | --d | -d ) debug=: ;; --file | --fil | --fi | --f ) $ac_shift case $ac_optarg in *\'*) ac_optarg=`$as_echo "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"` ;; '') as_fn_error $? "missing file argument" ;; esac as_fn_append CONFIG_FILES " '$ac_optarg'" ac_need_defaults=false;; --header | --heade | --head | --hea ) $ac_shift case $ac_optarg in *\'*) ac_optarg=`$as_echo "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"` ;; esac as_fn_append CONFIG_HEADERS " '$ac_optarg'" ac_need_defaults=false;; --he | --h) # Conflict between --help and --header as_fn_error $? "ambiguous option: \`$1' Try \`$0 --help' for more information.";; --help | --hel | -h ) $as_echo "$ac_cs_usage"; exit ;; -q | -quiet | --quiet | --quie | --qui | --qu | --q \ | -silent | --silent | --silen | --sile | --sil | --si | --s) ac_cs_silent=: ;; # This is an error. -*) as_fn_error $? "unrecognized option: \`$1' Try \`$0 --help' for more information." ;; *) as_fn_append ac_config_targets " $1" ac_need_defaults=false ;; esac shift done ac_configure_extra_args= if $ac_cs_silent; then exec 6>/dev/null ac_configure_extra_args="$ac_configure_extra_args --silent" fi _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 if \$ac_cs_recheck; then set X $SHELL '$0' $ac_configure_args \$ac_configure_extra_args --no-create --no-recursion shift \$as_echo "running CONFIG_SHELL=$SHELL \$*" >&6 CONFIG_SHELL='$SHELL' export CONFIG_SHELL exec "\$@" fi _ACEOF cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 exec 5>>config.log { echo sed 'h;s/./-/g;s/^.../## /;s/...$/ ##/;p;x;p;x' <<_ASBOX ## Running $as_me. ## _ASBOX $as_echo "$ac_log" } >&5 _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 # # INIT-COMMANDS # AMDEP_TRUE="$AMDEP_TRUE" ac_aux_dir="$ac_aux_dir" # The HP-UX ksh and POSIX shell print the target directory to stdout # if CDPATH is set. (unset CDPATH) >/dev/null 2>&1 && unset CDPATH sed_quote_subst='$sed_quote_subst' double_quote_subst='$double_quote_subst' delay_variable_subst='$delay_variable_subst' macro_version='`$ECHO "$macro_version" | $SED "$delay_single_quote_subst"`' macro_revision='`$ECHO "$macro_revision" | $SED "$delay_single_quote_subst"`' AS='`$ECHO "$AS" | $SED "$delay_single_quote_subst"`' DLLTOOL='`$ECHO "$DLLTOOL" | $SED "$delay_single_quote_subst"`' OBJDUMP='`$ECHO "$OBJDUMP" | $SED "$delay_single_quote_subst"`' enable_shared='`$ECHO "$enable_shared" | $SED "$delay_single_quote_subst"`' enable_static='`$ECHO "$enable_static" | $SED "$delay_single_quote_subst"`' pic_mode='`$ECHO "$pic_mode" | $SED "$delay_single_quote_subst"`' enable_fast_install='`$ECHO "$enable_fast_install" | $SED "$delay_single_quote_subst"`' SHELL='`$ECHO "$SHELL" | $SED "$delay_single_quote_subst"`' ECHO='`$ECHO "$ECHO" | $SED "$delay_single_quote_subst"`' PATH_SEPARATOR='`$ECHO "$PATH_SEPARATOR" | $SED "$delay_single_quote_subst"`' host_alias='`$ECHO "$host_alias" | $SED "$delay_single_quote_subst"`' host='`$ECHO "$host" | $SED "$delay_single_quote_subst"`' host_os='`$ECHO "$host_os" | $SED "$delay_single_quote_subst"`' build_alias='`$ECHO "$build_alias" | $SED "$delay_single_quote_subst"`' build='`$ECHO "$build" | $SED "$delay_single_quote_subst"`' build_os='`$ECHO "$build_os" | $SED "$delay_single_quote_subst"`' SED='`$ECHO "$SED" | $SED "$delay_single_quote_subst"`' Xsed='`$ECHO "$Xsed" | $SED "$delay_single_quote_subst"`' GREP='`$ECHO "$GREP" | $SED "$delay_single_quote_subst"`' EGREP='`$ECHO "$EGREP" | $SED "$delay_single_quote_subst"`' FGREP='`$ECHO "$FGREP" | $SED "$delay_single_quote_subst"`' LD='`$ECHO "$LD" | $SED "$delay_single_quote_subst"`' NM='`$ECHO "$NM" | $SED "$delay_single_quote_subst"`' LN_S='`$ECHO "$LN_S" | $SED "$delay_single_quote_subst"`' max_cmd_len='`$ECHO "$max_cmd_len" | $SED "$delay_single_quote_subst"`' ac_objext='`$ECHO "$ac_objext" | $SED "$delay_single_quote_subst"`' exeext='`$ECHO "$exeext" | $SED "$delay_single_quote_subst"`' lt_unset='`$ECHO "$lt_unset" | $SED "$delay_single_quote_subst"`' lt_SP2NL='`$ECHO "$lt_SP2NL" | $SED "$delay_single_quote_subst"`' lt_NL2SP='`$ECHO "$lt_NL2SP" | $SED "$delay_single_quote_subst"`' lt_cv_to_host_file_cmd='`$ECHO "$lt_cv_to_host_file_cmd" | $SED "$delay_single_quote_subst"`' lt_cv_to_tool_file_cmd='`$ECHO "$lt_cv_to_tool_file_cmd" | $SED "$delay_single_quote_subst"`' reload_flag='`$ECHO "$reload_flag" | $SED "$delay_single_quote_subst"`' reload_cmds='`$ECHO "$reload_cmds" | $SED "$delay_single_quote_subst"`' deplibs_check_method='`$ECHO "$deplibs_check_method" | $SED "$delay_single_quote_subst"`' file_magic_cmd='`$ECHO "$file_magic_cmd" | $SED "$delay_single_quote_subst"`' file_magic_glob='`$ECHO "$file_magic_glob" | $SED "$delay_single_quote_subst"`' want_nocaseglob='`$ECHO "$want_nocaseglob" | $SED "$delay_single_quote_subst"`' sharedlib_from_linklib_cmd='`$ECHO "$sharedlib_from_linklib_cmd" | $SED "$delay_single_quote_subst"`' AR='`$ECHO "$AR" | $SED "$delay_single_quote_subst"`' AR_FLAGS='`$ECHO "$AR_FLAGS" | $SED "$delay_single_quote_subst"`' archiver_list_spec='`$ECHO "$archiver_list_spec" | $SED "$delay_single_quote_subst"`' STRIP='`$ECHO "$STRIP" | $SED "$delay_single_quote_subst"`' RANLIB='`$ECHO "$RANLIB" | $SED "$delay_single_quote_subst"`' old_postinstall_cmds='`$ECHO "$old_postinstall_cmds" | $SED "$delay_single_quote_subst"`' old_postuninstall_cmds='`$ECHO "$old_postuninstall_cmds" | $SED "$delay_single_quote_subst"`' old_archive_cmds='`$ECHO "$old_archive_cmds" | $SED "$delay_single_quote_subst"`' lock_old_archive_extraction='`$ECHO "$lock_old_archive_extraction" | $SED "$delay_single_quote_subst"`' CC='`$ECHO "$CC" | $SED "$delay_single_quote_subst"`' CFLAGS='`$ECHO "$CFLAGS" | $SED "$delay_single_quote_subst"`' compiler='`$ECHO "$compiler" | $SED "$delay_single_quote_subst"`' GCC='`$ECHO "$GCC" | $SED "$delay_single_quote_subst"`' lt_cv_sys_global_symbol_pipe='`$ECHO "$lt_cv_sys_global_symbol_pipe" | $SED "$delay_single_quote_subst"`' lt_cv_sys_global_symbol_to_cdecl='`$ECHO "$lt_cv_sys_global_symbol_to_cdecl" | $SED "$delay_single_quote_subst"`' lt_cv_sys_global_symbol_to_c_name_address='`$ECHO "$lt_cv_sys_global_symbol_to_c_name_address" | $SED "$delay_single_quote_subst"`' lt_cv_sys_global_symbol_to_c_name_address_lib_prefix='`$ECHO "$lt_cv_sys_global_symbol_to_c_name_address_lib_prefix" | $SED "$delay_single_quote_subst"`' nm_file_list_spec='`$ECHO "$nm_file_list_spec" | $SED "$delay_single_quote_subst"`' lt_sysroot='`$ECHO "$lt_sysroot" | $SED "$delay_single_quote_subst"`' objdir='`$ECHO "$objdir" | $SED "$delay_single_quote_subst"`' MAGIC_CMD='`$ECHO "$MAGIC_CMD" | $SED "$delay_single_quote_subst"`' lt_prog_compiler_no_builtin_flag='`$ECHO "$lt_prog_compiler_no_builtin_flag" | $SED "$delay_single_quote_subst"`' lt_prog_compiler_pic='`$ECHO "$lt_prog_compiler_pic" | $SED "$delay_single_quote_subst"`' lt_prog_compiler_wl='`$ECHO "$lt_prog_compiler_wl" | $SED "$delay_single_quote_subst"`' lt_prog_compiler_static='`$ECHO "$lt_prog_compiler_static" | $SED "$delay_single_quote_subst"`' lt_cv_prog_compiler_c_o='`$ECHO "$lt_cv_prog_compiler_c_o" | $SED "$delay_single_quote_subst"`' need_locks='`$ECHO "$need_locks" | $SED "$delay_single_quote_subst"`' MANIFEST_TOOL='`$ECHO "$MANIFEST_TOOL" | $SED "$delay_single_quote_subst"`' DSYMUTIL='`$ECHO "$DSYMUTIL" | $SED "$delay_single_quote_subst"`' NMEDIT='`$ECHO "$NMEDIT" | $SED "$delay_single_quote_subst"`' LIPO='`$ECHO "$LIPO" | $SED "$delay_single_quote_subst"`' OTOOL='`$ECHO "$OTOOL" | $SED "$delay_single_quote_subst"`' OTOOL64='`$ECHO "$OTOOL64" | $SED "$delay_single_quote_subst"`' libext='`$ECHO "$libext" | $SED "$delay_single_quote_subst"`' shrext_cmds='`$ECHO "$shrext_cmds" | $SED "$delay_single_quote_subst"`' extract_expsyms_cmds='`$ECHO "$extract_expsyms_cmds" | $SED "$delay_single_quote_subst"`' archive_cmds_need_lc='`$ECHO "$archive_cmds_need_lc" | $SED "$delay_single_quote_subst"`' enable_shared_with_static_runtimes='`$ECHO "$enable_shared_with_static_runtimes" | $SED "$delay_single_quote_subst"`' export_dynamic_flag_spec='`$ECHO "$export_dynamic_flag_spec" | $SED "$delay_single_quote_subst"`' whole_archive_flag_spec='`$ECHO "$whole_archive_flag_spec" | $SED "$delay_single_quote_subst"`' compiler_needs_object='`$ECHO "$compiler_needs_object" | $SED "$delay_single_quote_subst"`' old_archive_from_new_cmds='`$ECHO "$old_archive_from_new_cmds" | $SED "$delay_single_quote_subst"`' old_archive_from_expsyms_cmds='`$ECHO "$old_archive_from_expsyms_cmds" | $SED "$delay_single_quote_subst"`' archive_cmds='`$ECHO "$archive_cmds" | $SED "$delay_single_quote_subst"`' archive_expsym_cmds='`$ECHO "$archive_expsym_cmds" | $SED "$delay_single_quote_subst"`' module_cmds='`$ECHO "$module_cmds" | $SED "$delay_single_quote_subst"`' module_expsym_cmds='`$ECHO "$module_expsym_cmds" | $SED "$delay_single_quote_subst"`' with_gnu_ld='`$ECHO "$with_gnu_ld" | $SED "$delay_single_quote_subst"`' allow_undefined_flag='`$ECHO "$allow_undefined_flag" | $SED "$delay_single_quote_subst"`' no_undefined_flag='`$ECHO "$no_undefined_flag" | $SED "$delay_single_quote_subst"`' hardcode_libdir_flag_spec='`$ECHO "$hardcode_libdir_flag_spec" | $SED "$delay_single_quote_subst"`' hardcode_libdir_separator='`$ECHO "$hardcode_libdir_separator" | $SED "$delay_single_quote_subst"`' hardcode_direct='`$ECHO "$hardcode_direct" | $SED "$delay_single_quote_subst"`' hardcode_direct_absolute='`$ECHO "$hardcode_direct_absolute" | $SED "$delay_single_quote_subst"`' hardcode_minus_L='`$ECHO "$hardcode_minus_L" | $SED "$delay_single_quote_subst"`' hardcode_shlibpath_var='`$ECHO "$hardcode_shlibpath_var" | $SED "$delay_single_quote_subst"`' hardcode_automatic='`$ECHO "$hardcode_automatic" | $SED "$delay_single_quote_subst"`' inherit_rpath='`$ECHO "$inherit_rpath" | $SED "$delay_single_quote_subst"`' link_all_deplibs='`$ECHO "$link_all_deplibs" | $SED "$delay_single_quote_subst"`' always_export_symbols='`$ECHO "$always_export_symbols" | $SED "$delay_single_quote_subst"`' export_symbols_cmds='`$ECHO "$export_symbols_cmds" | $SED "$delay_single_quote_subst"`' exclude_expsyms='`$ECHO "$exclude_expsyms" | $SED "$delay_single_quote_subst"`' include_expsyms='`$ECHO "$include_expsyms" | $SED "$delay_single_quote_subst"`' prelink_cmds='`$ECHO "$prelink_cmds" | $SED "$delay_single_quote_subst"`' postlink_cmds='`$ECHO "$postlink_cmds" | $SED "$delay_single_quote_subst"`' file_list_spec='`$ECHO "$file_list_spec" | $SED "$delay_single_quote_subst"`' variables_saved_for_relink='`$ECHO "$variables_saved_for_relink" | $SED "$delay_single_quote_subst"`' need_lib_prefix='`$ECHO "$need_lib_prefix" | $SED "$delay_single_quote_subst"`' need_version='`$ECHO "$need_version" | $SED "$delay_single_quote_subst"`' version_type='`$ECHO "$version_type" | $SED "$delay_single_quote_subst"`' runpath_var='`$ECHO "$runpath_var" | $SED "$delay_single_quote_subst"`' shlibpath_var='`$ECHO "$shlibpath_var" | $SED "$delay_single_quote_subst"`' shlibpath_overrides_runpath='`$ECHO "$shlibpath_overrides_runpath" | $SED "$delay_single_quote_subst"`' libname_spec='`$ECHO "$libname_spec" | $SED "$delay_single_quote_subst"`' library_names_spec='`$ECHO "$library_names_spec" | $SED "$delay_single_quote_subst"`' soname_spec='`$ECHO "$soname_spec" | $SED "$delay_single_quote_subst"`' install_override_mode='`$ECHO "$install_override_mode" | $SED "$delay_single_quote_subst"`' postinstall_cmds='`$ECHO "$postinstall_cmds" | $SED "$delay_single_quote_subst"`' postuninstall_cmds='`$ECHO "$postuninstall_cmds" | $SED "$delay_single_quote_subst"`' finish_cmds='`$ECHO "$finish_cmds" | $SED "$delay_single_quote_subst"`' finish_eval='`$ECHO "$finish_eval" | $SED "$delay_single_quote_subst"`' hardcode_into_libs='`$ECHO "$hardcode_into_libs" | $SED "$delay_single_quote_subst"`' sys_lib_search_path_spec='`$ECHO "$sys_lib_search_path_spec" | $SED "$delay_single_quote_subst"`' sys_lib_dlsearch_path_spec='`$ECHO "$sys_lib_dlsearch_path_spec" | $SED "$delay_single_quote_subst"`' hardcode_action='`$ECHO "$hardcode_action" | $SED "$delay_single_quote_subst"`' enable_dlopen='`$ECHO "$enable_dlopen" | $SED "$delay_single_quote_subst"`' enable_dlopen_self='`$ECHO "$enable_dlopen_self" | $SED "$delay_single_quote_subst"`' enable_dlopen_self_static='`$ECHO "$enable_dlopen_self_static" | $SED "$delay_single_quote_subst"`' old_striplib='`$ECHO "$old_striplib" | $SED "$delay_single_quote_subst"`' striplib='`$ECHO "$striplib" | $SED "$delay_single_quote_subst"`' LD_RC='`$ECHO "$LD_RC" | $SED "$delay_single_quote_subst"`' reload_flag_RC='`$ECHO "$reload_flag_RC" | $SED "$delay_single_quote_subst"`' reload_cmds_RC='`$ECHO "$reload_cmds_RC" | $SED "$delay_single_quote_subst"`' old_archive_cmds_RC='`$ECHO "$old_archive_cmds_RC" | $SED "$delay_single_quote_subst"`' compiler_RC='`$ECHO "$compiler_RC" | $SED "$delay_single_quote_subst"`' GCC_RC='`$ECHO "$GCC_RC" | $SED "$delay_single_quote_subst"`' lt_prog_compiler_no_builtin_flag_RC='`$ECHO "$lt_prog_compiler_no_builtin_flag_RC" | $SED "$delay_single_quote_subst"`' lt_prog_compiler_pic_RC='`$ECHO "$lt_prog_compiler_pic_RC" | $SED "$delay_single_quote_subst"`' lt_prog_compiler_wl_RC='`$ECHO "$lt_prog_compiler_wl_RC" | $SED "$delay_single_quote_subst"`' lt_prog_compiler_static_RC='`$ECHO "$lt_prog_compiler_static_RC" | $SED "$delay_single_quote_subst"`' lt_cv_prog_compiler_c_o_RC='`$ECHO "$lt_cv_prog_compiler_c_o_RC" | $SED "$delay_single_quote_subst"`' archive_cmds_need_lc_RC='`$ECHO "$archive_cmds_need_lc_RC" | $SED "$delay_single_quote_subst"`' enable_shared_with_static_runtimes_RC='`$ECHO "$enable_shared_with_static_runtimes_RC" | $SED "$delay_single_quote_subst"`' export_dynamic_flag_spec_RC='`$ECHO "$export_dynamic_flag_spec_RC" | $SED "$delay_single_quote_subst"`' whole_archive_flag_spec_RC='`$ECHO "$whole_archive_flag_spec_RC" | $SED "$delay_single_quote_subst"`' compiler_needs_object_RC='`$ECHO "$compiler_needs_object_RC" | $SED "$delay_single_quote_subst"`' old_archive_from_new_cmds_RC='`$ECHO "$old_archive_from_new_cmds_RC" | $SED "$delay_single_quote_subst"`' old_archive_from_expsyms_cmds_RC='`$ECHO "$old_archive_from_expsyms_cmds_RC" | $SED "$delay_single_quote_subst"`' archive_cmds_RC='`$ECHO "$archive_cmds_RC" | $SED "$delay_single_quote_subst"`' archive_expsym_cmds_RC='`$ECHO "$archive_expsym_cmds_RC" | $SED "$delay_single_quote_subst"`' module_cmds_RC='`$ECHO "$module_cmds_RC" | $SED "$delay_single_quote_subst"`' module_expsym_cmds_RC='`$ECHO "$module_expsym_cmds_RC" | $SED "$delay_single_quote_subst"`' with_gnu_ld_RC='`$ECHO "$with_gnu_ld_RC" | $SED "$delay_single_quote_subst"`' allow_undefined_flag_RC='`$ECHO "$allow_undefined_flag_RC" | $SED "$delay_single_quote_subst"`' no_undefined_flag_RC='`$ECHO "$no_undefined_flag_RC" | $SED "$delay_single_quote_subst"`' hardcode_libdir_flag_spec_RC='`$ECHO "$hardcode_libdir_flag_spec_RC" | $SED "$delay_single_quote_subst"`' hardcode_libdir_separator_RC='`$ECHO "$hardcode_libdir_separator_RC" | $SED "$delay_single_quote_subst"`' hardcode_direct_RC='`$ECHO "$hardcode_direct_RC" | $SED "$delay_single_quote_subst"`' hardcode_direct_absolute_RC='`$ECHO "$hardcode_direct_absolute_RC" | $SED "$delay_single_quote_subst"`' hardcode_minus_L_RC='`$ECHO "$hardcode_minus_L_RC" | $SED "$delay_single_quote_subst"`' hardcode_shlibpath_var_RC='`$ECHO "$hardcode_shlibpath_var_RC" | $SED "$delay_single_quote_subst"`' hardcode_automatic_RC='`$ECHO "$hardcode_automatic_RC" | $SED "$delay_single_quote_subst"`' inherit_rpath_RC='`$ECHO "$inherit_rpath_RC" | $SED "$delay_single_quote_subst"`' link_all_deplibs_RC='`$ECHO "$link_all_deplibs_RC" | $SED "$delay_single_quote_subst"`' always_export_symbols_RC='`$ECHO "$always_export_symbols_RC" | $SED "$delay_single_quote_subst"`' export_symbols_cmds_RC='`$ECHO "$export_symbols_cmds_RC" | $SED "$delay_single_quote_subst"`' exclude_expsyms_RC='`$ECHO "$exclude_expsyms_RC" | $SED "$delay_single_quote_subst"`' include_expsyms_RC='`$ECHO "$include_expsyms_RC" | $SED "$delay_single_quote_subst"`' prelink_cmds_RC='`$ECHO "$prelink_cmds_RC" | $SED "$delay_single_quote_subst"`' postlink_cmds_RC='`$ECHO "$postlink_cmds_RC" | $SED "$delay_single_quote_subst"`' file_list_spec_RC='`$ECHO "$file_list_spec_RC" | $SED "$delay_single_quote_subst"`' hardcode_action_RC='`$ECHO "$hardcode_action_RC" | $SED "$delay_single_quote_subst"`' LTCC='$LTCC' LTCFLAGS='$LTCFLAGS' compiler='$compiler_DEFAULT' # A function that is used when there is no print builtin or printf. func_fallback_echo () { eval 'cat <<_LTECHO_EOF \$1 _LTECHO_EOF' } # Quote evaled strings. for var in AS \ DLLTOOL \ OBJDUMP \ SHELL \ ECHO \ PATH_SEPARATOR \ SED \ GREP \ EGREP \ FGREP \ LD \ NM \ LN_S \ lt_SP2NL \ lt_NL2SP \ reload_flag \ deplibs_check_method \ file_magic_cmd \ file_magic_glob \ want_nocaseglob \ sharedlib_from_linklib_cmd \ AR \ AR_FLAGS \ archiver_list_spec \ STRIP \ RANLIB \ CC \ CFLAGS \ compiler \ lt_cv_sys_global_symbol_pipe \ lt_cv_sys_global_symbol_to_cdecl \ lt_cv_sys_global_symbol_to_c_name_address \ lt_cv_sys_global_symbol_to_c_name_address_lib_prefix \ nm_file_list_spec \ lt_prog_compiler_no_builtin_flag \ lt_prog_compiler_pic \ lt_prog_compiler_wl \ lt_prog_compiler_static \ lt_cv_prog_compiler_c_o \ need_locks \ MANIFEST_TOOL \ DSYMUTIL \ NMEDIT \ LIPO \ OTOOL \ OTOOL64 \ shrext_cmds \ export_dynamic_flag_spec \ whole_archive_flag_spec \ compiler_needs_object \ with_gnu_ld \ allow_undefined_flag \ no_undefined_flag \ hardcode_libdir_flag_spec \ hardcode_libdir_separator \ exclude_expsyms \ include_expsyms \ file_list_spec \ variables_saved_for_relink \ libname_spec \ library_names_spec \ soname_spec \ install_override_mode \ finish_eval \ old_striplib \ striplib \ LD_RC \ reload_flag_RC \ compiler_RC \ lt_prog_compiler_no_builtin_flag_RC \ lt_prog_compiler_pic_RC \ lt_prog_compiler_wl_RC \ lt_prog_compiler_static_RC \ lt_cv_prog_compiler_c_o_RC \ export_dynamic_flag_spec_RC \ whole_archive_flag_spec_RC \ compiler_needs_object_RC \ with_gnu_ld_RC \ allow_undefined_flag_RC \ no_undefined_flag_RC \ hardcode_libdir_flag_spec_RC \ hardcode_libdir_separator_RC \ exclude_expsyms_RC \ include_expsyms_RC \ file_list_spec_RC; do case \`eval \\\\\$ECHO \\\\""\\\\\$\$var"\\\\"\` in *[\\\\\\\`\\"\\\$]*) eval "lt_\$var=\\\\\\"\\\`\\\$ECHO \\"\\\$\$var\\" | \\\$SED \\"\\\$sed_quote_subst\\"\\\`\\\\\\"" ;; *) eval "lt_\$var=\\\\\\"\\\$\$var\\\\\\"" ;; esac done # Double-quote double-evaled strings. for var in reload_cmds \ old_postinstall_cmds \ old_postuninstall_cmds \ old_archive_cmds \ extract_expsyms_cmds \ old_archive_from_new_cmds \ old_archive_from_expsyms_cmds \ archive_cmds \ archive_expsym_cmds \ module_cmds \ module_expsym_cmds \ export_symbols_cmds \ prelink_cmds \ postlink_cmds \ postinstall_cmds \ postuninstall_cmds \ finish_cmds \ sys_lib_search_path_spec \ sys_lib_dlsearch_path_spec \ reload_cmds_RC \ old_archive_cmds_RC \ old_archive_from_new_cmds_RC \ old_archive_from_expsyms_cmds_RC \ archive_cmds_RC \ archive_expsym_cmds_RC \ module_cmds_RC \ module_expsym_cmds_RC \ export_symbols_cmds_RC \ prelink_cmds_RC \ postlink_cmds_RC; do case \`eval \\\\\$ECHO \\\\""\\\\\$\$var"\\\\"\` in *[\\\\\\\`\\"\\\$]*) eval "lt_\$var=\\\\\\"\\\`\\\$ECHO \\"\\\$\$var\\" | \\\$SED -e \\"\\\$double_quote_subst\\" -e \\"\\\$sed_quote_subst\\" -e \\"\\\$delay_variable_subst\\"\\\`\\\\\\"" ;; *) eval "lt_\$var=\\\\\\"\\\$\$var\\\\\\"" ;; esac done ac_aux_dir='$ac_aux_dir' xsi_shell='$xsi_shell' lt_shell_append='$lt_shell_append' # See if we are running on zsh, and set the options which allow our # commands through without removal of \ escapes INIT. if test -n "\${ZSH_VERSION+set}" ; then setopt NO_GLOB_SUBST fi PACKAGE='$PACKAGE' VERSION='$VERSION' TIMESTAMP='$TIMESTAMP' RM='$RM' ofile='$ofile' _ACEOF cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # Handling of arguments. for ac_config_target in $ac_config_targets do case $ac_config_target in "config.h") CONFIG_HEADERS="$CONFIG_HEADERS config.h" ;; "include/openvpn-plugin.h") CONFIG_HEADERS="$CONFIG_HEADERS include/openvpn-plugin.h" ;; "depfiles") CONFIG_COMMANDS="$CONFIG_COMMANDS depfiles" ;; "libtool") CONFIG_COMMANDS="$CONFIG_COMMANDS libtool" ;; "version.sh") CONFIG_FILES="$CONFIG_FILES version.sh" ;; "Makefile") CONFIG_FILES="$CONFIG_FILES Makefile" ;; "build/Makefile") CONFIG_FILES="$CONFIG_FILES build/Makefile" ;; "build/msvc/Makefile") CONFIG_FILES="$CONFIG_FILES build/msvc/Makefile" ;; "build/msvc/msvc-generate/Makefile") CONFIG_FILES="$CONFIG_FILES build/msvc/msvc-generate/Makefile" ;; "distro/Makefile") CONFIG_FILES="$CONFIG_FILES distro/Makefile" ;; "distro/rpm/Makefile") CONFIG_FILES="$CONFIG_FILES distro/rpm/Makefile" ;; "distro/rpm/openvpn.spec") CONFIG_FILES="$CONFIG_FILES distro/rpm/openvpn.spec" ;; "distro/systemd/Makefile") CONFIG_FILES="$CONFIG_FILES distro/systemd/Makefile" ;; "include/Makefile") CONFIG_FILES="$CONFIG_FILES include/Makefile" ;; "src/Makefile") CONFIG_FILES="$CONFIG_FILES src/Makefile" ;; "src/compat/Makefile") CONFIG_FILES="$CONFIG_FILES src/compat/Makefile" ;; "src/openvpn/Makefile") CONFIG_FILES="$CONFIG_FILES src/openvpn/Makefile" ;; "src/openvpnserv/Makefile") CONFIG_FILES="$CONFIG_FILES src/openvpnserv/Makefile" ;; "src/plugins/Makefile") CONFIG_FILES="$CONFIG_FILES src/plugins/Makefile" ;; "src/plugins/auth-pam/Makefile") CONFIG_FILES="$CONFIG_FILES src/plugins/auth-pam/Makefile" ;; "src/plugins/down-root/Makefile") CONFIG_FILES="$CONFIG_FILES src/plugins/down-root/Makefile" ;; "tests/Makefile") CONFIG_FILES="$CONFIG_FILES tests/Makefile" ;; "tests/unit_tests/Makefile") CONFIG_FILES="$CONFIG_FILES tests/unit_tests/Makefile" ;; "tests/unit_tests/example_test/Makefile") CONFIG_FILES="$CONFIG_FILES tests/unit_tests/example_test/Makefile" ;; "tests/unit_tests/openvpn/Makefile") CONFIG_FILES="$CONFIG_FILES tests/unit_tests/openvpn/Makefile" ;; "tests/unit_tests/plugins/Makefile") CONFIG_FILES="$CONFIG_FILES tests/unit_tests/plugins/Makefile" ;; "tests/unit_tests/plugins/auth-pam/Makefile") CONFIG_FILES="$CONFIG_FILES tests/unit_tests/plugins/auth-pam/Makefile" ;; "vendor/Makefile") CONFIG_FILES="$CONFIG_FILES vendor/Makefile" ;; "sample/Makefile") CONFIG_FILES="$CONFIG_FILES sample/Makefile" ;; "doc/Makefile") CONFIG_FILES="$CONFIG_FILES doc/Makefile" ;; "tests/t_client.sh") CONFIG_FILES="$CONFIG_FILES tests/t_client.sh" ;; *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;; esac done # If the user did not use the arguments to specify the items to instantiate, # then the envvar interface is used. Set only those that are not. # We use the long form for the default assignment because of an extremely # bizarre bug on SunOS 4.1.3. if $ac_need_defaults; then test "${CONFIG_FILES+set}" = set || CONFIG_FILES=$config_files test "${CONFIG_HEADERS+set}" = set || CONFIG_HEADERS=$config_headers test "${CONFIG_COMMANDS+set}" = set || CONFIG_COMMANDS=$config_commands fi # Have a temporary directory for convenience. Make it in the build tree # simply because there is no reason against having it here, and in addition, # creating and moving files from /tmp can sometimes cause problems. # Hook for its removal unless debugging. # Note that there is a small window in which the directory will not be cleaned: # after its creation but before its name has been assigned to `$tmp'. $debug || { tmp= ac_tmp= trap 'exit_status=$? : "${ac_tmp:=$tmp}" { test ! -d "$ac_tmp" || rm -fr "$ac_tmp"; } && exit $exit_status ' 0 trap 'as_fn_exit 1' 1 2 13 15 } # Create a (secure) tmp directory for tmp files. { tmp=`(umask 077 && mktemp -d "./confXXXXXX") 2>/dev/null` && test -d "$tmp" } || { tmp=./conf$$-$RANDOM (umask 077 && mkdir "$tmp") } || as_fn_error $? "cannot create a temporary directory in ." "$LINENO" 5 ac_tmp=$tmp # Set up the scripts for CONFIG_FILES section. # No need to generate them if there are no CONFIG_FILES. # This happens for instance with `./config.status config.h'. if test -n "$CONFIG_FILES"; then ac_cr=`echo X | tr X '\015'` # On cygwin, bash can eat \r inside `` if the user requested igncr. # But we know of no other shell where ac_cr would be empty at this # point, so we can use a bashism as a fallback. if test "x$ac_cr" = x; then eval ac_cr=\$\'\\r\' fi ac_cs_awk_cr=`$AWK 'BEGIN { print "a\rb" }' /dev/null` if test "$ac_cs_awk_cr" = "a${ac_cr}b"; then ac_cs_awk_cr='\\r' else ac_cs_awk_cr=$ac_cr fi echo 'BEGIN {' >"$ac_tmp/subs1.awk" && _ACEOF { echo "cat >conf$$subs.awk <<_ACEOF" && echo "$ac_subst_vars" | sed 's/.*/&!$&$ac_delim/' && echo "_ACEOF" } >conf$$subs.sh || as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5 ac_delim_num=`echo "$ac_subst_vars" | grep -c '^'` ac_delim='%!_!# ' for ac_last_try in false false false false false :; do . ./conf$$subs.sh || as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5 ac_delim_n=`sed -n "s/.*$ac_delim\$/X/p" conf$$subs.awk | grep -c X` if test $ac_delim_n = $ac_delim_num; then break elif $ac_last_try; then as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5 else ac_delim="$ac_delim!$ac_delim _$ac_delim!! " fi done rm -f conf$$subs.sh cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 cat >>"\$ac_tmp/subs1.awk" <<\\_ACAWK && _ACEOF sed -n ' h s/^/S["/; s/!.*/"]=/ p g s/^[^!]*!// :repl t repl s/'"$ac_delim"'$// t delim :nl h s/\(.\{148\}\)..*/\1/ t more1 s/["\\]/\\&/g; s/^/"/; s/$/\\n"\\/ p n b repl :more1 s/["\\]/\\&/g; s/^/"/; s/$/"\\/ p g s/.\{148\}// t nl :delim h s/\(.\{148\}\)..*/\1/ t more2 s/["\\]/\\&/g; s/^/"/; s/$/"/ p b :more2 s/["\\]/\\&/g; s/^/"/; s/$/"\\/ p g s/.\{148\}// t delim ' >$CONFIG_STATUS || ac_write_fail=1 rm -f conf$$subs.awk cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 _ACAWK cat >>"\$ac_tmp/subs1.awk" <<_ACAWK && for (key in S) S_is_set[key] = 1 FS = "" } { line = $ 0 nfields = split(line, field, "@") substed = 0 len = length(field[1]) for (i = 2; i < nfields; i++) { key = field[i] keylen = length(key) if (S_is_set[key]) { value = S[key] line = substr(line, 1, len) "" value "" substr(line, len + keylen + 3) len += length(value) + length(field[++i]) substed = 1 } else len += 1 + keylen } print line } _ACAWK _ACEOF cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 if sed "s/$ac_cr//" < /dev/null > /dev/null 2>&1; then sed "s/$ac_cr\$//; s/$ac_cr/$ac_cs_awk_cr/g" else cat fi < "$ac_tmp/subs1.awk" > "$ac_tmp/subs.awk" \ || as_fn_error $? "could not setup config files machinery" "$LINENO" 5 _ACEOF # VPATH may cause trouble with some makes, so we remove sole $(srcdir), # ${srcdir} and @srcdir@ entries from VPATH if srcdir is ".", strip leading and # trailing colons and then remove the whole line if VPATH becomes empty # (actually we leave an empty line to preserve line numbers). if test "x$srcdir" = x.; then ac_vpsub='/^[ ]*VPATH[ ]*=[ ]*/{ h s/// s/^/:/ s/[ ]*$/:/ s/:\$(srcdir):/:/g s/:\${srcdir}:/:/g s/:@srcdir@:/:/g s/^:*// s/:*$// x s/\(=[ ]*\).*/\1/ G s/\n// s/^[^=]*=[ ]*$// }' fi cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 fi # test -n "$CONFIG_FILES" # Set up the scripts for CONFIG_HEADERS section. # No need to generate them if there are no CONFIG_HEADERS. # This happens for instance with `./config.status Makefile'. if test -n "$CONFIG_HEADERS"; then cat >"$ac_tmp/defines.awk" <<\_ACAWK || BEGIN { _ACEOF # Transform confdefs.h into an awk script `defines.awk', embedded as # here-document in config.status, that substitutes the proper values into # config.h.in to produce config.h. # Create a delimiter string that does not exist in confdefs.h, to ease # handling of long lines. ac_delim='%!_!# ' for ac_last_try in false false :; do ac_tt=`sed -n "/$ac_delim/p" confdefs.h` if test -z "$ac_tt"; then break elif $ac_last_try; then as_fn_error $? "could not make $CONFIG_HEADERS" "$LINENO" 5 else ac_delim="$ac_delim!$ac_delim _$ac_delim!! " fi done # For the awk script, D is an array of macro values keyed by name, # likewise P contains macro parameters if any. Preserve backslash # newline sequences. ac_word_re=[_$as_cr_Letters][_$as_cr_alnum]* sed -n ' s/.\{148\}/&'"$ac_delim"'/g t rset :rset s/^[ ]*#[ ]*define[ ][ ]*/ / t def d :def s/\\$// t bsnl s/["\\]/\\&/g s/^ \('"$ac_word_re"'\)\(([^()]*)\)[ ]*\(.*\)/P["\1"]="\2"\ D["\1"]=" \3"/p s/^ \('"$ac_word_re"'\)[ ]*\(.*\)/D["\1"]=" \2"/p d :bsnl s/["\\]/\\&/g s/^ \('"$ac_word_re"'\)\(([^()]*)\)[ ]*\(.*\)/P["\1"]="\2"\ D["\1"]=" \3\\\\\\n"\\/p t cont s/^ \('"$ac_word_re"'\)[ ]*\(.*\)/D["\1"]=" \2\\\\\\n"\\/p t cont d :cont n s/.\{148\}/&'"$ac_delim"'/g t clear :clear s/\\$// t bsnlc s/["\\]/\\&/g; s/^/"/; s/$/"/p d :bsnlc s/["\\]/\\&/g; s/^/"/; s/$/\\\\\\n"\\/p b cont ' >$CONFIG_STATUS || ac_write_fail=1 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 for (key in D) D_is_set[key] = 1 FS = "" } /^[\t ]*#[\t ]*(define|undef)[\t ]+$ac_word_re([\t (]|\$)/ { line = \$ 0 split(line, arg, " ") if (arg[1] == "#") { defundef = arg[2] mac1 = arg[3] } else { defundef = substr(arg[1], 2) mac1 = arg[2] } split(mac1, mac2, "(") #) macro = mac2[1] prefix = substr(line, 1, index(line, defundef) - 1) if (D_is_set[macro]) { # Preserve the white space surrounding the "#". print prefix "define", macro P[macro] D[macro] next } else { # Replace #undef with comments. This is necessary, for example, # in the case of _POSIX_SOURCE, which is predefined and required # on some systems where configure will not decide to define it. if (defundef == "undef") { print "/*", prefix defundef, macro, "*/" next } } } { print } _ACAWK _ACEOF cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 as_fn_error $? "could not setup config headers machinery" "$LINENO" 5 fi # test -n "$CONFIG_HEADERS" eval set X " :F $CONFIG_FILES :H $CONFIG_HEADERS :C $CONFIG_COMMANDS" shift for ac_tag do case $ac_tag in :[FHLC]) ac_mode=$ac_tag; continue;; esac case $ac_mode$ac_tag in :[FHL]*:*);; :L* | :C*:*) as_fn_error $? "invalid tag \`$ac_tag'" "$LINENO" 5;; :[FH]-) ac_tag=-:-;; :[FH]*) ac_tag=$ac_tag:$ac_tag.in;; esac ac_save_IFS=$IFS IFS=: set x $ac_tag IFS=$ac_save_IFS shift ac_file=$1 shift case $ac_mode in :L) ac_source=$1;; :[FH]) ac_file_inputs= for ac_f do case $ac_f in -) ac_f="$ac_tmp/stdin";; *) # Look for the file first in the build tree, then in the source tree # (if the path is not absolute). The absolute path cannot be DOS-style, # because $ac_f cannot contain `:'. test -f "$ac_f" || case $ac_f in [\\/$]*) false;; *) test -f "$srcdir/$ac_f" && ac_f="$srcdir/$ac_f";; esac || as_fn_error 1 "cannot find input file: \`$ac_f'" "$LINENO" 5;; esac case $ac_f in *\'*) ac_f=`$as_echo "$ac_f" | sed "s/'/'\\\\\\\\''/g"`;; esac as_fn_append ac_file_inputs " '$ac_f'" done # Let's still pretend it is `configure' which instantiates (i.e., don't # use $as_me), people would be surprised to read: # /* config.h. Generated by config.status. */ configure_input='Generated from '` $as_echo "$*" | sed 's|^[^:]*/||;s|:[^:]*/|, |g' `' by configure.' if test x"$ac_file" != x-; then configure_input="$ac_file. $configure_input" { $as_echo "$as_me:${as_lineno-$LINENO}: creating $ac_file" >&5 $as_echo "$as_me: creating $ac_file" >&6;} fi # Neutralize special characters interpreted by sed in replacement strings. case $configure_input in #( *\&* | *\|* | *\\* ) ac_sed_conf_input=`$as_echo "$configure_input" | sed 's/[\\\\&|]/\\\\&/g'`;; #( *) ac_sed_conf_input=$configure_input;; esac case $ac_tag in *:-:* | *:-) cat >"$ac_tmp/stdin" \ || as_fn_error $? "could not create $ac_file" "$LINENO" 5 ;; esac ;; esac ac_dir=`$as_dirname -- "$ac_file" || $as_expr X"$ac_file" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ X"$ac_file" : 'X\(//\)[^/]' \| \ X"$ac_file" : 'X\(//\)$' \| \ X"$ac_file" : 'X\(/\)' \| . 2>/dev/null || $as_echo X"$ac_file" | sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/ q } /^X\(\/\/\)[^/].*/{ s//\1/ q } /^X\(\/\/\)$/{ s//\1/ q } /^X\(\/\).*/{ s//\1/ q } s/.*/./; q'` as_dir="$ac_dir"; as_fn_mkdir_p ac_builddir=. case "$ac_dir" in .) ac_dir_suffix= ac_top_builddir_sub=. ac_top_build_prefix= ;; *) ac_dir_suffix=/`$as_echo "$ac_dir" | sed 's|^\.[\\/]||'` # A ".." for each directory in $ac_dir_suffix. ac_top_builddir_sub=`$as_echo "$ac_dir_suffix" | sed 's|/[^\\/]*|/..|g;s|/||'` case $ac_top_builddir_sub in "") ac_top_builddir_sub=. ac_top_build_prefix= ;; *) ac_top_build_prefix=$ac_top_builddir_sub/ ;; esac ;; esac ac_abs_top_builddir=$ac_pwd ac_abs_builddir=$ac_pwd$ac_dir_suffix # for backward compatibility: ac_top_builddir=$ac_top_build_prefix case $srcdir in .) # We are building in place. ac_srcdir=. ac_top_srcdir=$ac_top_builddir_sub ac_abs_top_srcdir=$ac_pwd ;; [\\/]* | ?:[\\/]* ) # Absolute name. ac_srcdir=$srcdir$ac_dir_suffix; ac_top_srcdir=$srcdir ac_abs_top_srcdir=$srcdir ;; *) # Relative name. ac_srcdir=$ac_top_build_prefix$srcdir$ac_dir_suffix ac_top_srcdir=$ac_top_build_prefix$srcdir ac_abs_top_srcdir=$ac_pwd/$srcdir ;; esac ac_abs_srcdir=$ac_abs_top_srcdir$ac_dir_suffix case $ac_mode in :F) # # CONFIG_FILE # case $INSTALL in [\\/$]* | ?:[\\/]* ) ac_INSTALL=$INSTALL ;; *) ac_INSTALL=$ac_top_build_prefix$INSTALL ;; esac ac_MKDIR_P=$MKDIR_P case $MKDIR_P in [\\/$]* | ?:[\\/]* ) ;; */*) ac_MKDIR_P=$ac_top_build_prefix$MKDIR_P ;; esac _ACEOF cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # If the template does not know about datarootdir, expand it. # FIXME: This hack should be removed a few years after 2.60. ac_datarootdir_hack=; ac_datarootdir_seen= ac_sed_dataroot=' /datarootdir/ { p q } /@datadir@/p /@docdir@/p /@infodir@/p /@localedir@/p /@mandir@/p' case `eval "sed -n \"\$ac_sed_dataroot\" $ac_file_inputs"` in *datarootdir*) ac_datarootdir_seen=yes;; *@datadir@*|*@docdir@*|*@infodir@*|*@localedir@*|*@mandir@*) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&5 $as_echo "$as_me: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&2;} _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_datarootdir_hack=' s&@datadir@&$datadir&g s&@docdir@&$docdir&g s&@infodir@&$infodir&g s&@localedir@&$localedir&g s&@mandir@&$mandir&g s&\\\${datarootdir}&$datarootdir&g' ;; esac _ACEOF # Neutralize VPATH when `$srcdir' = `.'. # Shell code in configure.ac might set extrasub. # FIXME: do we really want to maintain this feature? cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_sed_extra="$ac_vpsub $extrasub _ACEOF cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 :t /@[a-zA-Z_][a-zA-Z_0-9]*@/!b s|@configure_input@|$ac_sed_conf_input|;t t s&@top_builddir@&$ac_top_builddir_sub&;t t s&@top_build_prefix@&$ac_top_build_prefix&;t t s&@srcdir@&$ac_srcdir&;t t s&@abs_srcdir@&$ac_abs_srcdir&;t t s&@top_srcdir@&$ac_top_srcdir&;t t s&@abs_top_srcdir@&$ac_abs_top_srcdir&;t t s&@builddir@&$ac_builddir&;t t s&@abs_builddir@&$ac_abs_builddir&;t t s&@abs_top_builddir@&$ac_abs_top_builddir&;t t s&@INSTALL@&$ac_INSTALL&;t t s&@MKDIR_P@&$ac_MKDIR_P&;t t $ac_datarootdir_hack " eval sed \"\$ac_sed_extra\" "$ac_file_inputs" | $AWK -f "$ac_tmp/subs.awk" \ >$ac_tmp/out || as_fn_error $? "could not create $ac_file" "$LINENO" 5 test -z "$ac_datarootdir_hack$ac_datarootdir_seen" && { ac_out=`sed -n '/\${datarootdir}/p' "$ac_tmp/out"`; test -n "$ac_out"; } && { ac_out=`sed -n '/^[ ]*datarootdir[ ]*:*=/p' \ "$ac_tmp/out"`; test -z "$ac_out"; } && { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $ac_file contains a reference to the variable \`datarootdir' which seems to be undefined. Please make sure it is defined" >&5 $as_echo "$as_me: WARNING: $ac_file contains a reference to the variable \`datarootdir' which seems to be undefined. Please make sure it is defined" >&2;} rm -f "$ac_tmp/stdin" case $ac_file in -) cat "$ac_tmp/out" && rm -f "$ac_tmp/out";; *) rm -f "$ac_file" && mv "$ac_tmp/out" "$ac_file";; esac \ || as_fn_error $? "could not create $ac_file" "$LINENO" 5 ;; :H) # # CONFIG_HEADER # if test x"$ac_file" != x-; then { $as_echo "/* $configure_input */" \ && eval '$AWK -f "$ac_tmp/defines.awk"' "$ac_file_inputs" } >"$ac_tmp/config.h" \ || as_fn_error $? "could not create $ac_file" "$LINENO" 5 if diff "$ac_file" "$ac_tmp/config.h" >/dev/null 2>&1; then { $as_echo "$as_me:${as_lineno-$LINENO}: $ac_file is unchanged" >&5 $as_echo "$as_me: $ac_file is unchanged" >&6;} else rm -f "$ac_file" mv "$ac_tmp/config.h" "$ac_file" \ || as_fn_error $? "could not create $ac_file" "$LINENO" 5 fi else $as_echo "/* $configure_input */" \ && eval '$AWK -f "$ac_tmp/defines.awk"' "$ac_file_inputs" \ || as_fn_error $? "could not create -" "$LINENO" 5 fi # Compute "$ac_file"'s index in $config_headers. _am_arg="$ac_file" _am_stamp_count=1 for _am_header in $config_headers :; do case $_am_header in $_am_arg | $_am_arg:* ) break ;; * ) _am_stamp_count=`expr $_am_stamp_count + 1` ;; esac done echo "timestamp for $_am_arg" >`$as_dirname -- "$_am_arg" || $as_expr X"$_am_arg" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ X"$_am_arg" : 'X\(//\)[^/]' \| \ X"$_am_arg" : 'X\(//\)$' \| \ X"$_am_arg" : 'X\(/\)' \| . 2>/dev/null || $as_echo X"$_am_arg" | sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/ q } /^X\(\/\/\)[^/].*/{ s//\1/ q } /^X\(\/\/\)$/{ s//\1/ q } /^X\(\/\).*/{ s//\1/ q } s/.*/./; q'`/stamp-h$_am_stamp_count ;; :C) { $as_echo "$as_me:${as_lineno-$LINENO}: executing $ac_file commands" >&5 $as_echo "$as_me: executing $ac_file commands" >&6;} ;; esac case $ac_file$ac_mode in "depfiles":C) test x"$AMDEP_TRUE" != x"" || { # Older Autoconf quotes --file arguments for eval, but not when files # are listed without --file. Let's play safe and only enable the eval # if we detect the quoting. case $CONFIG_FILES in *\'*) eval set x "$CONFIG_FILES" ;; *) set x $CONFIG_FILES ;; esac shift for mf do # Strip MF so we end up with the name of the file. mf=`echo "$mf" | sed -e 's/:.*$//'` # Check whether this is an Automake generated Makefile or not. # We used to match only the files named 'Makefile.in', but # some people rename them; so instead we look at the file content. # Grep'ing the first line is not enough: some people post-process # each Makefile.in and add a new line on top of each file to say so. # Grep'ing the whole file is not good either: AIX grep has a line # limit of 2048, but all sed's we know have understand at least 4000. if sed -n 's,^#.*generated by automake.*,X,p' "$mf" | grep X >/dev/null 2>&1; then dirpart=`$as_dirname -- "$mf" || $as_expr X"$mf" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ X"$mf" : 'X\(//\)[^/]' \| \ X"$mf" : 'X\(//\)$' \| \ X"$mf" : 'X\(/\)' \| . 2>/dev/null || $as_echo X"$mf" | sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/ q } /^X\(\/\/\)[^/].*/{ s//\1/ q } /^X\(\/\/\)$/{ s//\1/ q } /^X\(\/\).*/{ s//\1/ q } s/.*/./; q'` else continue fi # Extract the definition of DEPDIR, am__include, and am__quote # from the Makefile without running 'make'. DEPDIR=`sed -n 's/^DEPDIR = //p' < "$mf"` test -z "$DEPDIR" && continue am__include=`sed -n 's/^am__include = //p' < "$mf"` test -z "$am__include" && continue am__quote=`sed -n 's/^am__quote = //p' < "$mf"` # Find all dependency output files, they are included files with # $(DEPDIR) in their names. We invoke sed twice because it is the # simplest approach to changing $(DEPDIR) to its actual value in the # expansion. for file in `sed -n " s/^$am__include $am__quote\(.*(DEPDIR).*\)$am__quote"'$/\1/p' <"$mf" | \ sed -e 's/\$(DEPDIR)/'"$DEPDIR"'/g'`; do # Make sure the directory exists. test -f "$dirpart/$file" && continue fdir=`$as_dirname -- "$file" || $as_expr X"$file" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ X"$file" : 'X\(//\)[^/]' \| \ X"$file" : 'X\(//\)$' \| \ X"$file" : 'X\(/\)' \| . 2>/dev/null || $as_echo X"$file" | sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/ q } /^X\(\/\/\)[^/].*/{ s//\1/ q } /^X\(\/\/\)$/{ s//\1/ q } /^X\(\/\).*/{ s//\1/ q } s/.*/./; q'` as_dir=$dirpart/$fdir; as_fn_mkdir_p # echo "creating $dirpart/$file" echo '# dummy' > "$dirpart/$file" done done } ;; "libtool":C) # See if we are running on zsh, and set the options which allow our # commands through without removal of \ escapes. if test -n "${ZSH_VERSION+set}" ; then setopt NO_GLOB_SUBST fi cfgfile="${ofile}T" trap "$RM \"$cfgfile\"; exit 1" 1 2 15 $RM "$cfgfile" cat <<_LT_EOF >> "$cfgfile" #! $SHELL # `$ECHO "$ofile" | sed 's%^.*/%%'` - Provide generalized library-building support services. # Generated automatically by $as_me ($PACKAGE$TIMESTAMP) $VERSION # Libtool was configured on host `(hostname || uname -n) 2>/dev/null | sed 1q`: # NOTE: Changes made to this file will be lost: look at ltmain.sh. # # Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2003, 2004, 2005, # 2006, 2007, 2008, 2009, 2010, 2011 Free Software # Foundation, Inc. # Written by Gordon Matzigkeit, 1996 # # This file is part of GNU Libtool. # # GNU Libtool is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License as # published by the Free Software Foundation; either version 2 of # the License, or (at your option) any later version. # # As a special exception to the GNU General Public License, # if you distribute this file as part of a program or library that # is built using GNU Libtool, you may include this file under the # same distribution terms that you use for the rest of that program. # # GNU Libtool is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with GNU Libtool; see the file COPYING. If not, a copy # can be downloaded from http://www.gnu.org/licenses/gpl.html, or # obtained by writing to the Free Software Foundation, Inc., # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. # The names of the tagged configurations supported by this script. available_tags="RC " # ### BEGIN LIBTOOL CONFIG # Which release of libtool.m4 was used? macro_version=$macro_version macro_revision=$macro_revision # Assembler program. AS=$lt_AS # DLL creation program. DLLTOOL=$lt_DLLTOOL # Object dumper program. OBJDUMP=$lt_OBJDUMP # Whether or not to build shared libraries. build_libtool_libs=$enable_shared # Whether or not to build static libraries. build_old_libs=$enable_static # What type of objects to build. pic_mode=$pic_mode # Whether or not to optimize for fast installation. fast_install=$enable_fast_install # Shell to use when invoking shell scripts. SHELL=$lt_SHELL # An echo program that protects backslashes. ECHO=$lt_ECHO # The PATH separator for the build system. PATH_SEPARATOR=$lt_PATH_SEPARATOR # The host system. host_alias=$host_alias host=$host host_os=$host_os # The build system. build_alias=$build_alias build=$build build_os=$build_os # A sed program that does not truncate output. SED=$lt_SED # Sed that helps us avoid accidentally triggering echo(1) options like -n. Xsed="\$SED -e 1s/^X//" # A grep program that handles long lines. GREP=$lt_GREP # An ERE matcher. EGREP=$lt_EGREP # A literal string matcher. FGREP=$lt_FGREP # A BSD- or MS-compatible name lister. NM=$lt_NM # Whether we need soft or hard links. LN_S=$lt_LN_S # What is the maximum length of a command? max_cmd_len=$max_cmd_len # Object file suffix (normally "o"). objext=$ac_objext # Executable file suffix (normally ""). exeext=$exeext # whether the shell understands "unset". lt_unset=$lt_unset # turn spaces into newlines. SP2NL=$lt_lt_SP2NL # turn newlines into spaces. NL2SP=$lt_lt_NL2SP # convert \$build file names to \$host format. to_host_file_cmd=$lt_cv_to_host_file_cmd # convert \$build files to toolchain format. to_tool_file_cmd=$lt_cv_to_tool_file_cmd # Method to check whether dependent libraries are shared objects. deplibs_check_method=$lt_deplibs_check_method # Command to use when deplibs_check_method = "file_magic". file_magic_cmd=$lt_file_magic_cmd # How to find potential files when deplibs_check_method = "file_magic". file_magic_glob=$lt_file_magic_glob # Find potential files using nocaseglob when deplibs_check_method = "file_magic". want_nocaseglob=$lt_want_nocaseglob # Command to associate shared and link libraries. sharedlib_from_linklib_cmd=$lt_sharedlib_from_linklib_cmd # The archiver. AR=$lt_AR # Flags to create an archive. AR_FLAGS=$lt_AR_FLAGS # How to feed a file listing to the archiver. archiver_list_spec=$lt_archiver_list_spec # A symbol stripping program. STRIP=$lt_STRIP # Commands used to install an old-style archive. RANLIB=$lt_RANLIB old_postinstall_cmds=$lt_old_postinstall_cmds old_postuninstall_cmds=$lt_old_postuninstall_cmds # Whether to use a lock for old archive extraction. lock_old_archive_extraction=$lock_old_archive_extraction # A C compiler. LTCC=$lt_CC # LTCC compiler flags. LTCFLAGS=$lt_CFLAGS # Take the output of nm and produce a listing of raw symbols and C names. global_symbol_pipe=$lt_lt_cv_sys_global_symbol_pipe # Transform the output of nm in a proper C declaration. global_symbol_to_cdecl=$lt_lt_cv_sys_global_symbol_to_cdecl # Transform the output of nm in a C name address pair. global_symbol_to_c_name_address=$lt_lt_cv_sys_global_symbol_to_c_name_address # Transform the output of nm in a C name address pair when lib prefix is needed. global_symbol_to_c_name_address_lib_prefix=$lt_lt_cv_sys_global_symbol_to_c_name_address_lib_prefix # Specify filename containing input files for \$NM. nm_file_list_spec=$lt_nm_file_list_spec # The root where to search for dependent libraries,and in which our libraries should be installed. lt_sysroot=$lt_sysroot # The name of the directory that contains temporary libtool files. objdir=$objdir # Used to examine libraries when file_magic_cmd begins with "file". MAGIC_CMD=$MAGIC_CMD # Must we lock files when doing compilation? need_locks=$lt_need_locks # Manifest tool. MANIFEST_TOOL=$lt_MANIFEST_TOOL # Tool to manipulate archived DWARF debug symbol files on Mac OS X. DSYMUTIL=$lt_DSYMUTIL # Tool to change global to local symbols on Mac OS X. NMEDIT=$lt_NMEDIT # Tool to manipulate fat objects and archives on Mac OS X. LIPO=$lt_LIPO # ldd/readelf like tool for Mach-O binaries on Mac OS X. OTOOL=$lt_OTOOL # ldd/readelf like tool for 64 bit Mach-O binaries on Mac OS X 10.4. OTOOL64=$lt_OTOOL64 # Old archive suffix (normally "a"). libext=$libext # Shared library suffix (normally ".so"). shrext_cmds=$lt_shrext_cmds # The commands to extract the exported symbol list from a shared archive. extract_expsyms_cmds=$lt_extract_expsyms_cmds # Variables whose values should be saved in libtool wrapper scripts and # restored at link time. variables_saved_for_relink=$lt_variables_saved_for_relink # Do we need the "lib" prefix for modules? need_lib_prefix=$need_lib_prefix # Do we need a version for libraries? need_version=$need_version # Library versioning type. version_type=$version_type # Shared library runtime path variable. runpath_var=$runpath_var # Shared library path variable. shlibpath_var=$shlibpath_var # Is shlibpath searched before the hard-coded library search path? shlibpath_overrides_runpath=$shlibpath_overrides_runpath # Format of library name prefix. libname_spec=$lt_libname_spec # List of archive names. First name is the real one, the rest are links. # The last name is the one that the linker finds with -lNAME library_names_spec=$lt_library_names_spec # The coded name of the library, if different from the real name. soname_spec=$lt_soname_spec # Permission mode override for installation of shared libraries. install_override_mode=$lt_install_override_mode # Command to use after installation of a shared archive. postinstall_cmds=$lt_postinstall_cmds # Command to use after uninstallation of a shared archive. postuninstall_cmds=$lt_postuninstall_cmds # Commands used to finish a libtool library installation in a directory. finish_cmds=$lt_finish_cmds # As "finish_cmds", except a single script fragment to be evaled but # not shown. finish_eval=$lt_finish_eval # Whether we should hardcode library paths into libraries. hardcode_into_libs=$hardcode_into_libs # Compile-time system search path for libraries. sys_lib_search_path_spec=$lt_sys_lib_search_path_spec # Run-time system search path for libraries. sys_lib_dlsearch_path_spec=$lt_sys_lib_dlsearch_path_spec # Whether dlopen is supported. dlopen_support=$enable_dlopen # Whether dlopen of programs is supported. dlopen_self=$enable_dlopen_self # Whether dlopen of statically linked programs is supported. dlopen_self_static=$enable_dlopen_self_static # Commands to strip libraries. old_striplib=$lt_old_striplib striplib=$lt_striplib # The linker used to build libraries. LD=$lt_LD # How to create reloadable object files. reload_flag=$lt_reload_flag reload_cmds=$lt_reload_cmds # Commands used to build an old-style archive. old_archive_cmds=$lt_old_archive_cmds # A language specific compiler. CC=$lt_compiler # Is the compiler the GNU compiler? with_gcc=$GCC # Compiler flag to turn off builtin functions. no_builtin_flag=$lt_lt_prog_compiler_no_builtin_flag # Additional compiler flags for building library objects. pic_flag=$lt_lt_prog_compiler_pic # How to pass a linker flag through the compiler. wl=$lt_lt_prog_compiler_wl # Compiler flag to prevent dynamic linking. link_static_flag=$lt_lt_prog_compiler_static # Does compiler simultaneously support -c and -o options? compiler_c_o=$lt_lt_cv_prog_compiler_c_o # Whether or not to add -lc for building shared libraries. build_libtool_need_lc=$archive_cmds_need_lc # Whether or not to disallow shared libs when runtime libs are static. allow_libtool_libs_with_static_runtimes=$enable_shared_with_static_runtimes # Compiler flag to allow reflexive dlopens. export_dynamic_flag_spec=$lt_export_dynamic_flag_spec # Compiler flag to generate shared objects directly from archives. whole_archive_flag_spec=$lt_whole_archive_flag_spec # Whether the compiler copes with passing no objects directly. compiler_needs_object=$lt_compiler_needs_object # Create an old-style archive from a shared archive. old_archive_from_new_cmds=$lt_old_archive_from_new_cmds # Create a temporary old-style archive to link instead of a shared archive. old_archive_from_expsyms_cmds=$lt_old_archive_from_expsyms_cmds # Commands used to build a shared archive. archive_cmds=$lt_archive_cmds archive_expsym_cmds=$lt_archive_expsym_cmds # Commands used to build a loadable module if different from building # a shared archive. module_cmds=$lt_module_cmds module_expsym_cmds=$lt_module_expsym_cmds # Whether we are building with GNU ld or not. with_gnu_ld=$lt_with_gnu_ld # Flag that allows shared libraries with undefined symbols to be built. allow_undefined_flag=$lt_allow_undefined_flag # Flag that enforces no undefined symbols. no_undefined_flag=$lt_no_undefined_flag # Flag to hardcode \$libdir into a binary during linking. # This must work even if \$libdir does not exist hardcode_libdir_flag_spec=$lt_hardcode_libdir_flag_spec # Whether we need a single "-rpath" flag with a separated argument. hardcode_libdir_separator=$lt_hardcode_libdir_separator # Set to "yes" if using DIR/libNAME\${shared_ext} during linking hardcodes # DIR into the resulting binary. hardcode_direct=$hardcode_direct # Set to "yes" if using DIR/libNAME\${shared_ext} during linking hardcodes # DIR into the resulting binary and the resulting library dependency is # "absolute",i.e impossible to change by setting \${shlibpath_var} if the # library is relocated. hardcode_direct_absolute=$hardcode_direct_absolute # Set to "yes" if using the -LDIR flag during linking hardcodes DIR # into the resulting binary. hardcode_minus_L=$hardcode_minus_L # Set to "yes" if using SHLIBPATH_VAR=DIR during linking hardcodes DIR # into the resulting binary. hardcode_shlibpath_var=$hardcode_shlibpath_var # Set to "yes" if building a shared library automatically hardcodes DIR # into the library and all subsequent libraries and executables linked # against it. hardcode_automatic=$hardcode_automatic # Set to yes if linker adds runtime paths of dependent libraries # to runtime path list. inherit_rpath=$inherit_rpath # Whether libtool must link a program against all its dependency libraries. link_all_deplibs=$link_all_deplibs # Set to "yes" if exported symbols are required. always_export_symbols=$always_export_symbols # The commands to list exported symbols. export_symbols_cmds=$lt_export_symbols_cmds # Symbols that should not be listed in the preloaded symbols. exclude_expsyms=$lt_exclude_expsyms # Symbols that must always be exported. include_expsyms=$lt_include_expsyms # Commands necessary for linking programs (against libraries) with templates. prelink_cmds=$lt_prelink_cmds # Commands necessary for finishing linking programs. postlink_cmds=$lt_postlink_cmds # Specify filename containing input files. file_list_spec=$lt_file_list_spec # How to hardcode a shared library path into an executable. hardcode_action=$hardcode_action # ### END LIBTOOL CONFIG _LT_EOF case $host_os in aix3*) cat <<\_LT_EOF >> "$cfgfile" # AIX sometimes has problems with the GCC collect2 program. For some # reason, if we set the COLLECT_NAMES environment variable, the problems # vanish in a puff of smoke. if test "X${COLLECT_NAMES+set}" != Xset; then COLLECT_NAMES= export COLLECT_NAMES fi _LT_EOF ;; esac ltmain="$ac_aux_dir/ltmain.sh" # We use sed instead of cat because bash on DJGPP gets confused if # if finds mixed CR/LF and LF-only lines. Since sed operates in # text mode, it properly converts lines to CR/LF. This bash problem # is reportedly fixed, but why not run on old versions too? sed '$q' "$ltmain" >> "$cfgfile" \ || (rm -f "$cfgfile"; exit 1) if test x"$xsi_shell" = xyes; then sed -e '/^func_dirname ()$/,/^} # func_dirname /c\ func_dirname ()\ {\ \ case ${1} in\ \ */*) func_dirname_result="${1%/*}${2}" ;;\ \ * ) func_dirname_result="${3}" ;;\ \ esac\ } # Extended-shell func_dirname implementation' "$cfgfile" > $cfgfile.tmp \ && mv -f "$cfgfile.tmp" "$cfgfile" \ || (rm -f "$cfgfile" && cp "$cfgfile.tmp" "$cfgfile" && rm -f "$cfgfile.tmp") test 0 -eq $? || _lt_function_replace_fail=: sed -e '/^func_basename ()$/,/^} # func_basename /c\ func_basename ()\ {\ \ func_basename_result="${1##*/}"\ } # Extended-shell func_basename implementation' "$cfgfile" > $cfgfile.tmp \ && mv -f "$cfgfile.tmp" "$cfgfile" \ || (rm -f "$cfgfile" && cp "$cfgfile.tmp" "$cfgfile" && rm -f "$cfgfile.tmp") test 0 -eq $? || _lt_function_replace_fail=: sed -e '/^func_dirname_and_basename ()$/,/^} # func_dirname_and_basename /c\ func_dirname_and_basename ()\ {\ \ case ${1} in\ \ */*) func_dirname_result="${1%/*}${2}" ;;\ \ * ) func_dirname_result="${3}" ;;\ \ esac\ \ func_basename_result="${1##*/}"\ } # Extended-shell func_dirname_and_basename implementation' "$cfgfile" > $cfgfile.tmp \ && mv -f "$cfgfile.tmp" "$cfgfile" \ || (rm -f "$cfgfile" && cp "$cfgfile.tmp" "$cfgfile" && rm -f "$cfgfile.tmp") test 0 -eq $? || _lt_function_replace_fail=: sed -e '/^func_stripname ()$/,/^} # func_stripname /c\ func_stripname ()\ {\ \ # pdksh 5.2.14 does not do ${X%$Y} correctly if both X and Y are\ \ # positional parameters, so assign one to ordinary parameter first.\ \ func_stripname_result=${3}\ \ func_stripname_result=${func_stripname_result#"${1}"}\ \ func_stripname_result=${func_stripname_result%"${2}"}\ } # Extended-shell func_stripname implementation' "$cfgfile" > $cfgfile.tmp \ && mv -f "$cfgfile.tmp" "$cfgfile" \ || (rm -f "$cfgfile" && cp "$cfgfile.tmp" "$cfgfile" && rm -f "$cfgfile.tmp") test 0 -eq $? || _lt_function_replace_fail=: sed -e '/^func_split_long_opt ()$/,/^} # func_split_long_opt /c\ func_split_long_opt ()\ {\ \ func_split_long_opt_name=${1%%=*}\ \ func_split_long_opt_arg=${1#*=}\ } # Extended-shell func_split_long_opt implementation' "$cfgfile" > $cfgfile.tmp \ && mv -f "$cfgfile.tmp" "$cfgfile" \ || (rm -f "$cfgfile" && cp "$cfgfile.tmp" "$cfgfile" && rm -f "$cfgfile.tmp") test 0 -eq $? || _lt_function_replace_fail=: sed -e '/^func_split_short_opt ()$/,/^} # func_split_short_opt /c\ func_split_short_opt ()\ {\ \ func_split_short_opt_arg=${1#??}\ \ func_split_short_opt_name=${1%"$func_split_short_opt_arg"}\ } # Extended-shell func_split_short_opt implementation' "$cfgfile" > $cfgfile.tmp \ && mv -f "$cfgfile.tmp" "$cfgfile" \ || (rm -f "$cfgfile" && cp "$cfgfile.tmp" "$cfgfile" && rm -f "$cfgfile.tmp") test 0 -eq $? || _lt_function_replace_fail=: sed -e '/^func_lo2o ()$/,/^} # func_lo2o /c\ func_lo2o ()\ {\ \ case ${1} in\ \ *.lo) func_lo2o_result=${1%.lo}.${objext} ;;\ \ *) func_lo2o_result=${1} ;;\ \ esac\ } # Extended-shell func_lo2o implementation' "$cfgfile" > $cfgfile.tmp \ && mv -f "$cfgfile.tmp" "$cfgfile" \ || (rm -f "$cfgfile" && cp "$cfgfile.tmp" "$cfgfile" && rm -f "$cfgfile.tmp") test 0 -eq $? || _lt_function_replace_fail=: sed -e '/^func_xform ()$/,/^} # func_xform /c\ func_xform ()\ {\ func_xform_result=${1%.*}.lo\ } # Extended-shell func_xform implementation' "$cfgfile" > $cfgfile.tmp \ && mv -f "$cfgfile.tmp" "$cfgfile" \ || (rm -f "$cfgfile" && cp "$cfgfile.tmp" "$cfgfile" && rm -f "$cfgfile.tmp") test 0 -eq $? || _lt_function_replace_fail=: sed -e '/^func_arith ()$/,/^} # func_arith /c\ func_arith ()\ {\ func_arith_result=$(( $* ))\ } # Extended-shell func_arith implementation' "$cfgfile" > $cfgfile.tmp \ && mv -f "$cfgfile.tmp" "$cfgfile" \ || (rm -f "$cfgfile" && cp "$cfgfile.tmp" "$cfgfile" && rm -f "$cfgfile.tmp") test 0 -eq $? || _lt_function_replace_fail=: sed -e '/^func_len ()$/,/^} # func_len /c\ func_len ()\ {\ func_len_result=${#1}\ } # Extended-shell func_len implementation' "$cfgfile" > $cfgfile.tmp \ && mv -f "$cfgfile.tmp" "$cfgfile" \ || (rm -f "$cfgfile" && cp "$cfgfile.tmp" "$cfgfile" && rm -f "$cfgfile.tmp") test 0 -eq $? || _lt_function_replace_fail=: fi if test x"$lt_shell_append" = xyes; then sed -e '/^func_append ()$/,/^} # func_append /c\ func_append ()\ {\ eval "${1}+=\\${2}"\ } # Extended-shell func_append implementation' "$cfgfile" > $cfgfile.tmp \ && mv -f "$cfgfile.tmp" "$cfgfile" \ || (rm -f "$cfgfile" && cp "$cfgfile.tmp" "$cfgfile" && rm -f "$cfgfile.tmp") test 0 -eq $? || _lt_function_replace_fail=: sed -e '/^func_append_quoted ()$/,/^} # func_append_quoted /c\ func_append_quoted ()\ {\ \ func_quote_for_eval "${2}"\ \ eval "${1}+=\\\\ \\$func_quote_for_eval_result"\ } # Extended-shell func_append_quoted implementation' "$cfgfile" > $cfgfile.tmp \ && mv -f "$cfgfile.tmp" "$cfgfile" \ || (rm -f "$cfgfile" && cp "$cfgfile.tmp" "$cfgfile" && rm -f "$cfgfile.tmp") test 0 -eq $? || _lt_function_replace_fail=: # Save a `func_append' function call where possible by direct use of '+=' sed -e 's%func_append \([a-zA-Z_]\{1,\}\) "%\1+="%g' $cfgfile > $cfgfile.tmp \ && mv -f "$cfgfile.tmp" "$cfgfile" \ || (rm -f "$cfgfile" && cp "$cfgfile.tmp" "$cfgfile" && rm -f "$cfgfile.tmp") test 0 -eq $? || _lt_function_replace_fail=: else # Save a `func_append' function call even when '+=' is not available sed -e 's%func_append \([a-zA-Z_]\{1,\}\) "%\1="$\1%g' $cfgfile > $cfgfile.tmp \ && mv -f "$cfgfile.tmp" "$cfgfile" \ || (rm -f "$cfgfile" && cp "$cfgfile.tmp" "$cfgfile" && rm -f "$cfgfile.tmp") test 0 -eq $? || _lt_function_replace_fail=: fi if test x"$_lt_function_replace_fail" = x":"; then { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Unable to substitute extended shell functions in $ofile" >&5 $as_echo "$as_me: WARNING: Unable to substitute extended shell functions in $ofile" >&2;} fi mv -f "$cfgfile" "$ofile" || (rm -f "$ofile" && cp "$cfgfile" "$ofile" && rm -f "$cfgfile") chmod +x "$ofile" cat <<_LT_EOF >> "$ofile" # ### BEGIN LIBTOOL TAG CONFIG: RC # The linker used to build libraries. LD=$lt_LD_RC # How to create reloadable object files. reload_flag=$lt_reload_flag_RC reload_cmds=$lt_reload_cmds_RC # Commands used to build an old-style archive. old_archive_cmds=$lt_old_archive_cmds_RC # A language specific compiler. CC=$lt_compiler_RC # Is the compiler the GNU compiler? with_gcc=$GCC_RC # Compiler flag to turn off builtin functions. no_builtin_flag=$lt_lt_prog_compiler_no_builtin_flag_RC # Additional compiler flags for building library objects. pic_flag=$lt_lt_prog_compiler_pic_RC # How to pass a linker flag through the compiler. wl=$lt_lt_prog_compiler_wl_RC # Compiler flag to prevent dynamic linking. link_static_flag=$lt_lt_prog_compiler_static_RC # Does compiler simultaneously support -c and -o options? compiler_c_o=$lt_lt_cv_prog_compiler_c_o_RC # Whether or not to add -lc for building shared libraries. build_libtool_need_lc=$archive_cmds_need_lc_RC # Whether or not to disallow shared libs when runtime libs are static. allow_libtool_libs_with_static_runtimes=$enable_shared_with_static_runtimes_RC # Compiler flag to allow reflexive dlopens. export_dynamic_flag_spec=$lt_export_dynamic_flag_spec_RC # Compiler flag to generate shared objects directly from archives. whole_archive_flag_spec=$lt_whole_archive_flag_spec_RC # Whether the compiler copes with passing no objects directly. compiler_needs_object=$lt_compiler_needs_object_RC # Create an old-style archive from a shared archive. old_archive_from_new_cmds=$lt_old_archive_from_new_cmds_RC # Create a temporary old-style archive to link instead of a shared archive. old_archive_from_expsyms_cmds=$lt_old_archive_from_expsyms_cmds_RC # Commands used to build a shared archive. archive_cmds=$lt_archive_cmds_RC archive_expsym_cmds=$lt_archive_expsym_cmds_RC # Commands used to build a loadable module if different from building # a shared archive. module_cmds=$lt_module_cmds_RC module_expsym_cmds=$lt_module_expsym_cmds_RC # Whether we are building with GNU ld or not. with_gnu_ld=$lt_with_gnu_ld_RC # Flag that allows shared libraries with undefined symbols to be built. allow_undefined_flag=$lt_allow_undefined_flag_RC # Flag that enforces no undefined symbols. no_undefined_flag=$lt_no_undefined_flag_RC # Flag to hardcode \$libdir into a binary during linking. # This must work even if \$libdir does not exist hardcode_libdir_flag_spec=$lt_hardcode_libdir_flag_spec_RC # Whether we need a single "-rpath" flag with a separated argument. hardcode_libdir_separator=$lt_hardcode_libdir_separator_RC # Set to "yes" if using DIR/libNAME\${shared_ext} during linking hardcodes # DIR into the resulting binary. hardcode_direct=$hardcode_direct_RC # Set to "yes" if using DIR/libNAME\${shared_ext} during linking hardcodes # DIR into the resulting binary and the resulting library dependency is # "absolute",i.e impossible to change by setting \${shlibpath_var} if the # library is relocated. hardcode_direct_absolute=$hardcode_direct_absolute_RC # Set to "yes" if using the -LDIR flag during linking hardcodes DIR # into the resulting binary. hardcode_minus_L=$hardcode_minus_L_RC # Set to "yes" if using SHLIBPATH_VAR=DIR during linking hardcodes DIR # into the resulting binary. hardcode_shlibpath_var=$hardcode_shlibpath_var_RC # Set to "yes" if building a shared library automatically hardcodes DIR # into the library and all subsequent libraries and executables linked # against it. hardcode_automatic=$hardcode_automatic_RC # Set to yes if linker adds runtime paths of dependent libraries # to runtime path list. inherit_rpath=$inherit_rpath_RC # Whether libtool must link a program against all its dependency libraries. link_all_deplibs=$link_all_deplibs_RC # Set to "yes" if exported symbols are required. always_export_symbols=$always_export_symbols_RC # The commands to list exported symbols. export_symbols_cmds=$lt_export_symbols_cmds_RC # Symbols that should not be listed in the preloaded symbols. exclude_expsyms=$lt_exclude_expsyms_RC # Symbols that must always be exported. include_expsyms=$lt_include_expsyms_RC # Commands necessary for linking programs (against libraries) with templates. prelink_cmds=$lt_prelink_cmds_RC # Commands necessary for finishing linking programs. postlink_cmds=$lt_postlink_cmds_RC # Specify filename containing input files. file_list_spec=$lt_file_list_spec_RC # How to hardcode a shared library path into an executable. hardcode_action=$hardcode_action_RC # ### END LIBTOOL TAG CONFIG: RC _LT_EOF ;; "tests/t_client.sh":F) chmod +x tests/t_client.sh ;; esac done # for ac_tag as_fn_exit 0 _ACEOF ac_clean_files=$ac_clean_files_save test $ac_write_fail = 0 || as_fn_error $? "write failure creating $CONFIG_STATUS" "$LINENO" 5 # configure is writing to config.log, and then calls config.status. # config.status does its own redirection, appending to config.log. # Unfortunately, on DOS this fails, as config.log is still kept open # by configure, so config.status won't be able to write to it; its # output is simply discarded. So we exec the FD to /dev/null, # effectively closing config.log, so it can be properly (re)opened and # appended to by config.status. When coming back to configure, we # need to make the FD available again. if test "$no_create" != yes; then ac_cs_success=: ac_config_status_args= test "$silent" = yes && ac_config_status_args="$ac_config_status_args --quiet" exec 5>/dev/null $SHELL $CONFIG_STATUS $ac_config_status_args || ac_cs_success=false exec 5>>config.log # Use ||, not &&, to avoid exiting from the if with $? = 1, which # would make configure fail if this is the last instruction. $ac_cs_success || as_fn_exit 1 fi if test -n "$ac_unrecognized_opts" && test "$enable_option_checking" != no; then { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: unrecognized options: $ac_unrecognized_opts" >&5 $as_echo "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2;} fi openvpn-2.4.4/configure.ac000066400000000000000000001143331316434344000155030ustar00rootroot00000000000000dnl OpenVPN -- An application to securely tunnel IP networks dnl over a single UDP port, with support for SSL/TLS-based dnl session authentication and key exchange, dnl packet encryption, packet authentication, and dnl packet compression. dnl dnl Copyright (C) 2002-2017 OpenVPN Technologies, Inc. dnl Copyright (C) 2006-2012 Alon Bar-Lev dnl dnl This program is free software; you can redistribute it and/or modify dnl it under the terms of the GNU General Public License as published by dnl the Free Software Foundation; either version 2 of the License, or dnl (at your option) any later version. dnl dnl This program is distributed in the hope that it will be useful, dnl but WITHOUT ANY WARRANTY; without even the implied warranty of dnl MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the dnl GNU General Public License for more details. dnl dnl You should have received a copy of the GNU General Public License along dnl with this program; if not, write to the Free Software Foundation, Inc., dnl 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. dnl Process this file with autoconf to produce a configure script. AC_PREREQ(2.59) m4_include(version.m4) AC_INIT([PRODUCT_NAME], [PRODUCT_VERSION], [PRODUCT_BUGREPORT], [PRODUCT_TARNAME]) m4_include(compat.m4) AC_DEFINE([OPENVPN_VERSION_RESOURCE], [PRODUCT_VERSION_RESOURCE], [Version in windows resource format]) AC_SUBST([OPENVPN_VERSION_MAJOR], [PRODUCT_VERSION_MAJOR], [OpenVPN major version]) AC_SUBST([OPENVPN_VERSION_MINOR], [PRODUCT_VERSION_MINOR], [OpenVPN minor version]) AC_SUBST([OPENVPN_VERSION_PATCH], [PRODUCT_VERSION_PATCH], [OpenVPN patch level - may be a string or integer]) AC_DEFINE([OPENVPN_VERSION_MAJOR], [PRODUCT_VERSION_MAJOR], [OpenVPN major version - integer]) AC_DEFINE([OPENVPN_VERSION_MINOR], [PRODUCT_VERSION_MINOR], [OpenVPN minor version - integer]) AC_DEFINE([OPENVPN_VERSION_PATCH], ["PRODUCT_VERSION_PATCH"], [OpenVPN patch level - may be a string or integer]) AC_CONFIG_AUX_DIR([.]) AC_CONFIG_HEADERS([config.h include/openvpn-plugin.h]) AC_CONFIG_SRCDIR([src/openvpn/syshead.h]) AC_CONFIG_MACRO_DIR([m4]) dnl Initialize automake. automake < 1.12 didn't have serial-tests and dnl gives an error if it sees this, but for automake >= 1.13 dnl serial-tests is required so we have to include it. Solution is to dnl test for the version of automake (by running an external command) dnl and provide it if necessary. Note we have to do this entirely using dnl m4 macros since automake queries this macro by running dnl 'autoconf --trace ...'. m4_define([serial_tests], [ m4_esyscmd([automake --version | head -1 | awk '{split ($NF,a,"."); if (a[1] == 1 && a[2] >= 12) { print "serial-tests" }}' ]) ]) AM_INIT_AUTOMAKE(foreign serial_tests) dnl NB: Do not [quote] this parameter. AC_CANONICAL_HOST AC_USE_SYSTEM_EXTENSIONS AC_ARG_ENABLE( [lzo], [AS_HELP_STRING([--disable-lzo], [disable LZO compression support @<:@default=yes@:>@])], , [enable_lzo="yes"] ) AC_ARG_ENABLE(lz4, [ --disable-lz4 Disable LZ4 compression support], [enable_lz4="$enableval"], [enable_lz4="yes"] ) AC_ARG_ENABLE(comp-stub, [ --enable-comp-stub Don't compile compression support but still allow limited interoperability with compression-enabled peers], [enable_comp_stub="$enableval"], [enable_comp_stub="no"] ) AC_ARG_ENABLE( [crypto], [AS_HELP_STRING([--disable-crypto], [disable crypto support @<:@default=yes@:>@])], , [enable_crypto="yes"] ) AC_ARG_ENABLE( [ofb-cfb], [AS_HELP_STRING([--disable-ofb-cfb], [disable support for OFB and CFB cipher modes @<:@default=yes@:>@])], , [enable_crypto_ofb_cfb="yes"] ) AC_ARG_ENABLE( [x509-alt-username], [AS_HELP_STRING([--enable-x509-alt-username], [enable the --x509-username-field feature @<:@default=no@:>@])], , [enable_x509_alt_username="no"] ) AC_ARG_ENABLE( [server], [AS_HELP_STRING([--disable-server], [disable server support only (but retain client support) @<:@default=yes@:>@])], , [enable_server="yes"] ) AC_ARG_ENABLE( [plugins], [AS_HELP_STRING([--disable-plugins], [disable plug-in support @<:@default=yes@:>@])], , [enable_plugins="yes"] ) AC_ARG_ENABLE( [management], [AS_HELP_STRING([--disable-management], [disable management server support @<:@default=yes@:>@])], , [enable_management="yes"] ) AC_ARG_ENABLE( [pkcs11], [AS_HELP_STRING([--enable-pkcs11], [enable pkcs11 support @<:@default=no@:>@])], , [enable_pkcs11="no"] ) AC_ARG_ENABLE( [fragment], [AS_HELP_STRING([--disable-fragment], [disable internal fragmentation support (--fragment) @<:@default=yes@:>@])], , [enable_fragment="yes"] ) AC_ARG_ENABLE( [multihome], [AS_HELP_STRING([--disable-multihome], [disable multi-homed UDP server support (--multihome) @<:@default=yes@:>@])], , [enable_multihome="yes"] ) AC_ARG_ENABLE( [port-share], [AS_HELP_STRING([--disable-port-share], [disable TCP server port-share support (--port-share) @<:@default=yes@:>@])], , [enable_port_share="yes"] ) AC_ARG_ENABLE( [debug], [AS_HELP_STRING([--disable-debug], [disable debugging support (disable gremlin and verb 7+ messages) @<:@default=yes@:>@])], , [enable_debug="yes"] ) AC_ARG_ENABLE( [small], [AS_HELP_STRING([--enable-small], [enable smaller executable size (disable OCC, usage message, and verb 4 parm list) @<:@default=no@:>@])], , [enable_small="no"] ) AC_ARG_ENABLE( [iproute2], [AS_HELP_STRING([--enable-iproute2], [enable support for iproute2 @<:@default=no@:>@])], , [enable_iproute2="no"] ) AC_ARG_ENABLE( [def-auth], [AS_HELP_STRING([--disable-def-auth], [disable deferred authentication @<:@default=yes@:>@])], , [enable_def_auth="yes"] ) AC_ARG_ENABLE( [pf], [AS_HELP_STRING([--disable-pf], [disable internal packet filter @<:@default=yes@:>@])], , [enable_pf="yes"] ) AC_ARG_ENABLE( [plugin-auth-pam], [AS_HELP_STRING([--disable-plugin-auth-pam], [disable auth-pam plugin @<:@default=platform specific@:>@])], , [ case "$host" in *-*-openbsd*) enable_plugin_auth_pam="no";; *-mingw*) enable_plugin_auth_pam="no";; *) enable_plugin_auth_pam="yes";; esac ] ) AC_ARG_ENABLE( [plugin-down-root], [AS_HELP_STRING([--disable-plugin-down-root], [disable down-root plugin @<:@default=platform specific@:>@])], , [ case "$host" in *-mingw*) enable_plugin_down_root="no";; *) enable_plugin_down_root="yes";; esac ] ) AC_ARG_ENABLE( [pam-dlopen], [AS_HELP_STRING([--enable-pam-dlopen], [dlopen libpam @<:@default=no@:>@])], , [enable_pam_dlopen="no"] ) AC_ARG_ENABLE( [strict], [AS_HELP_STRING([--enable-strict], [enable strict compiler warnings (debugging option) @<:@default=no@:>@])], , [enable_strict="no"] ) AC_ARG_ENABLE( [pedantic], [AS_HELP_STRING([--enable-pedantic], [enable pedantic compiler warnings, will not generate a working executable (debugging option) @<:@default=no@:>@])], , [enable_pedantic="no"] ) AC_ARG_ENABLE( [werror], [AS_HELP_STRING([--enable-werror], [promote compiler warnings to errors, will cause builds to fail if the compiler issues warnings (debugging option) @<:@default=no@:>@])], , [enable_werror="no"] ) AC_ARG_ENABLE( [strict-options], [AS_HELP_STRING([--enable-strict-options], [enable strict options check between peers (debugging option) @<:@default=no@:>@])], , [enable_strict_options="no"] ) AC_ARG_ENABLE( [selinux], [AS_HELP_STRING([--enable-selinux], [enable SELinux support @<:@default=no@:>@])], , [enable_selinux="no"] ) AC_ARG_ENABLE( [systemd], [AS_HELP_STRING([--enable-systemd], [enable systemd suppport @<:@default=no@:>@])], , [enable_systemd="no"] ) AC_ARG_ENABLE( [async-push], [AS_HELP_STRING([--enable-async-push], [enable async-push support for plugins providing deferred authentication @<:@default=no@:>@])], , [enable_async_push="no"] ) AC_ARG_WITH( [special-build], [AS_HELP_STRING([--with-special-build=STRING], [specify special build string])], [test -n "${withval}" && AC_DEFINE_UNQUOTED([CONFIGURE_SPECIAL_BUILD], ["${withval}"], [special build string])] ) AC_ARG_WITH( [mem-check], [AS_HELP_STRING([--with-mem-check=TYPE], [build with debug memory checking, TYPE=no|dmalloc|valgrind|ssl @<:@default=no@:>@])], [ case "${withval}" in dmalloc|valgrind|ssl|no) ;; *) AC_MSG_ERROR([bad value ${withval} for --mem-check]) ;; esac ], [with_mem_check="no"] ) AC_ARG_WITH( [crypto-library], [AS_HELP_STRING([--with-crypto-library=library], [build with the given crypto library, TYPE=openssl|mbedtls @<:@default=openssl@:>@])], [ case "${withval}" in openssl|mbedtls) ;; *) AC_MSG_ERROR([bad value ${withval} for --with-crypto-library]) ;; esac ], [with_crypto_library="openssl"] ) AC_ARG_VAR([PLUGINDIR], [Path of plug-in directory @<:@default=LIBDIR/openvpn/plugins@:>@]) if test -n "${PLUGINDIR}"; then plugindir="${PLUGINDIR}" else plugindir="\${libdir}/openvpn/plugins" fi AC_DEFINE_UNQUOTED([TARGET_ALIAS], ["${host}"], [A string representing our host]) case "$host" in *-*-linux*) AC_DEFINE([TARGET_LINUX], [1], [Are we running on Linux?]) AC_DEFINE_UNQUOTED([TARGET_PREFIX], ["L"], [Target prefix]) ;; *-*-solaris*) AC_DEFINE([TARGET_SOLARIS], [1], [Are we running on Solaris?]) AC_DEFINE_UNQUOTED([TARGET_PREFIX], ["S"], [Target prefix]) CPPFLAGS="$CPPFLAGS -D_XPG4_2" ;; *-*-openbsd*) AC_DEFINE([TARGET_OPENBSD], [1], [Are we running on OpenBSD?]) AC_DEFINE_UNQUOTED([TARGET_PREFIX], ["O"], [Target prefix]) ;; *-*-freebsd*) AC_DEFINE([TARGET_FREEBSD], [1], [Are we running on FreeBSD?]) AC_DEFINE_UNQUOTED([TARGET_PREFIX], ["F"], [Target prefix]) ;; *-*-netbsd*) AC_DEFINE([TARGET_NETBSD], [1], [Are we running NetBSD?]) AC_DEFINE_UNQUOTED([TARGET_PREFIX], ["N"], [Target prefix]) ;; *-*-darwin*) AC_DEFINE([TARGET_DARWIN], [1], [Are we running on Mac OS X?]) AC_DEFINE_UNQUOTED([TARGET_PREFIX], ["M"], [Target prefix]) have_tap_header="yes" dnl some Mac OS X tendering (we use vararg macros...) CPPFLAGS="$CPPFLAGS -no-cpp-precomp" ac_cv_type_struct_in_pktinfo=no ;; *-mingw*) AC_DEFINE([TARGET_WIN32], [1], [Are we running WIN32?]) AC_DEFINE_UNQUOTED([TARGET_PREFIX], ["W"], [Target prefix]) CPPFLAGS="${CPPFLAGS} -DWIN32_LEAN_AND_MEAN" CPPFLAGS="${CPPFLAGS} -DNTDDI_VERSION=NTDDI_VISTA -D_WIN32_WINNT=_WIN32_WINNT_VISTA" WIN32=yes ;; *-*-dragonfly*) AC_DEFINE([TARGET_DRAGONFLY], [1], [Are we running on DragonFlyBSD?]) AC_DEFINE_UNQUOTED([TARGET_PREFIX], ["D"], [Target prefix]) ;; *-aix*) AC_DEFINE([TARGET_AIX], [1], [Are we running AIX?]) AC_DEFINE_UNQUOTED([TARGET_PREFIX], ["A"], [Target prefix]) ROUTE="/usr/sbin/route" have_tap_header="yes" ac_cv_header_net_if_h="no" # exists, but breaks things ;; *) AC_DEFINE_UNQUOTED([TARGET_PREFIX], ["X"], [Target prefix]) have_tap_header="yes" ;; esac PKG_PROG_PKG_CONFIG AC_PROG_CPP AC_PROG_INSTALL AC_PROG_LN_S AC_PROG_SED AC_PROG_MAKE_SET AC_ARG_VAR([IFCONFIG], [full path to ipconfig utility]) AC_ARG_VAR([ROUTE], [full path to route utility]) AC_ARG_VAR([IPROUTE], [full path to ip utility]) AC_ARG_VAR([NETSTAT], [path to netstat utility]) # tests AC_ARG_VAR([MAN2HTML], [path to man2html utility]) AC_ARG_VAR([GIT], [path to git utility]) AC_ARG_VAR([SYSTEMD_ASK_PASSWORD], [path to systemd-ask-password utility]) AC_ARG_VAR([SYSTEMD_UNIT_DIR], [Path of systemd unit directory @<:@default=LIBDIR/systemd/system@:>@]) AC_ARG_VAR([TMPFILES_DIR], [Path of tmpfiles directory @<:@default=LIBDIR/tmpfiles.d@:>@]) AC_PATH_PROGS([IFCONFIG], [ifconfig],, [$PATH:/usr/local/sbin:/usr/sbin:/sbin]) AC_PATH_PROGS([ROUTE], [route],, [$PATH:/usr/local/sbin:/usr/sbin:/sbin]) AC_PATH_PROGS([IPROUTE], [ip],, [$PATH:/usr/local/sbin:/usr/sbin:/sbin]) AC_PATH_PROGS([SYSTEMD_ASK_PASSWORD], [systemd-ask-password],, [$PATH:/usr/local/bin:/usr/bin:/bin]) AC_CHECK_PROGS([NETSTAT], [netstat], [netstat], [$PATH:/usr/local/sbin:/usr/sbin:/sbin:/etc]) # tests AC_CHECK_PROGS([MAN2HTML], [man2html]) AC_CHECK_PROGS([GIT], [git]) # optional AC_DEFINE_UNQUOTED([IFCONFIG_PATH], ["$IFCONFIG"], [Path to ifconfig tool]) AC_DEFINE_UNQUOTED([IPROUTE_PATH], ["$IPROUTE"], [Path to iproute tool]) AC_DEFINE_UNQUOTED([ROUTE_PATH], ["$ROUTE"], [Path to route tool]) AC_DEFINE_UNQUOTED([SYSTEMD_ASK_PASSWORD_PATH], ["$SYSTEMD_ASK_PASSWORD"], [Path to systemd-ask-password tool]) # Set -std=c99 unless user already specified a -std= case "${CFLAGS}" in *-std=*) ;; *) CFLAGS="${CFLAGS} -std=c99" ;; esac # # Libtool # ifdef( [LT_INIT], [ LT_INIT([win32-dll]) LT_LANG([Windows Resource]) ], [ AC_LIBTOOL_WIN32_DLL AC_LIBTOOL_RC AC_PROG_LIBTOOL ] ) AC_C_CONST AC_C_INLINE AC_C_VOLATILE AC_TYPE_OFF_T AC_TYPE_PID_T AC_TYPE_SIZE_T AC_TYPE_UID_T AC_TYPE_INT8_T AC_TYPE_INT16_T AC_TYPE_INT32_T AC_TYPE_INT64_T AC_TYPE_UINT8_T AC_TYPE_UINT16_T AC_TYPE_UINT32_T AC_TYPE_UINT64_T AC_TYPE_SIGNAL AX_CPP_VARARG_MACRO_ISO AX_CPP_VARARG_MACRO_GCC AX_TYPE_SOCKLEN_T AX_EMPTY_ARRAY AC_CHECK_SIZEOF([unsigned int]) AC_CHECK_SIZEOF([unsigned long]) AC_CHECK_HEADERS([ \ stdio.h stdarg.h limits.h \ time.h errno.h fcntl.h io.h direct.h \ ctype.h sys/types.h sys/socket.h \ signal.h unistd.h dlfcn.h \ netinet/in.h netinet/in_systm.h \ netinet/tcp.h arpa/inet.h netdb.h \ windows.h winsock2.h ws2tcpip.h \ versionhelpers.h \ ]) AC_CHECK_HEADERS([ \ sys/time.h sys/ioctl.h sys/stat.h \ sys/mman.h sys/file.h sys/wait.h \ unistd.h signal.h libgen.h stropts.h \ syslog.h pwd.h grp.h \ sys/sockio.h sys/uio.h linux/sockios.h \ linux/types.h sys/poll.h sys/epoll.h err.h \ ]) SOCKET_INCLUDES=" #ifdef HAVE_STDLIB_H #include #endif #ifdef HAVE_SYS_TYPES_H #include #endif #ifdef HAVE_SYS_SOCKET_H #include #endif #ifdef HAVE_NET_IF_H #include #endif #ifdef HAVE_NETINET_IN_H #include #endif #ifdef HAVE_WINDOWS_H #include #endif #ifdef HAVE_WINSOCK2_H #include #endif #ifdef HAVE_WS2TCPIP_H #include #endif #ifdef HAVE_NETINET_IN_SYSTM_H #include #endif #ifdef HAVE_NETINET_IP_H #include #endif " AC_CHECK_HEADERS( [net/if.h netinet/ip.h resolv.h sys/un.h net/if_utun.h sys/kern_control.h], , , [[${SOCKET_INCLUDES}]] ) AC_CHECK_TYPES( [in_addr_t], , [AC_DEFINE([in_addr_t], [uint32_t], [Workaround missing in_addr_t])], [[${SOCKET_INCLUDES}]] ) AC_CHECK_TYPES( [in_port_t], , [AC_DEFINE([in_port_t], [uint16_t], [Workaround missing in_port_t])], [[${SOCKET_INCLUDES}]] ) AC_CHECK_TYPE( [struct iphdr], [AC_DEFINE([HAVE_IPHDR], [1], [struct iphdr needed for IPv6 support])], , [[${SOCKET_INCLUDES}]] ) AC_CHECK_TYPE( [struct sock_extended_err], [AC_DEFINE([HAVE_SOCK_EXTENDED_ERR], [1], [struct sock_extended_err needed for extended socket error support])], , [[${SOCKET_INCLUDES}]] ) AC_CHECK_TYPE( [struct msghdr], [AC_DEFINE([HAVE_MSGHDR], [1], [struct msghdr needed for extended socket error support])], , [[${SOCKET_INCLUDES}]] ) AC_CHECK_TYPE( [struct cmsghdr], [AC_DEFINE([HAVE_CMSGHDR], [1], [struct cmsghdr needed for extended socket error support])], , [[${SOCKET_INCLUDES}]] ) AC_CHECK_TYPE( [struct in_pktinfo], [AC_DEFINE([HAVE_IN_PKTINFO], [1], [struct in_pktinfo needed for IP_PKTINFO support])], , [[${SOCKET_INCLUDES}]] ) AC_CHECK_TYPE( [sa_family_t], [AC_DEFINE([HAVE_SA_FAMILY_T], [1], [sa_family_t, needed to hold AF_* info])], , [[${SOCKET_INCLUDES}]] ) AC_CHECK_MEMBER( [struct in_pktinfo.ipi_spec_dst], [AC_DEFINE([HAVE_IPI_SPEC_DST], [1], [struct in_pktinfo.ipi_spec_dst needed for IP_PKTINFO support])], , [[${SOCKET_INCLUDES}]] ) AC_CHECK_TYPE( [struct sockaddr_in6], , [AC_MSG_ERROR([struct sockaddr_in6 not found, needed for ipv6 transport support.])], [[${SOCKET_INCLUDES}]] ) AC_CHECK_DECLS( [SO_MARK], , , [[${SOCKET_INCLUDES}]] ) AC_CHECKING([anonymous union support]) AC_COMPILE_IFELSE( [AC_LANG_PROGRAM( [[ struct mystruct { union { int m1; char m2; }; }; ]], [[ struct mystruct s; s.m1 = 1; s.m2 = 2; ]] )], [ AC_MSG_RESULT([yes]) AC_DEFINE([HAVE_ANONYMOUS_UNION_SUPPORT], [], [Compiler supports anonymous unions]) ], [AC_MSG_RESULT([no])] ) saved_LDFLAGS="$LDFLAGS" LDFLAGS="$LDFLAGS -Wl,--wrap=exit" AC_MSG_CHECKING([linker supports --wrap]) AC_LINK_IFELSE( [AC_LANG_PROGRAM( [[ void exit(int); void __real_exit(int); void __wrap_exit(int i) { __real_exit(i); } ]], [[ exit(0); ]] )], [ AC_MSG_RESULT([yes]) have_ld_wrap_support=yes ], [AC_MSG_RESULT([no])], ) LDFLAGS="$saved_LDFLAGS" dnl We emulate signals in Windows AC_CHECK_DECLS( [SIGHUP], , [AC_DEFINE([SIGHUP], [1], [SIGHUP replacement])], [[ #ifdef HAVE_SIGNAL_H #include #endif ]] ) AC_CHECK_DECLS( [SIGINT], , [AC_DEFINE([SIGINT], [2], [SIGINT replacement])], [[ #ifdef HAVE_SIGNAL_H #include #endif ]] ) AC_CHECK_DECLS( [SIGUSR1], , [AC_DEFINE([SIGUSR1], [10], [SIGUSR1 replacement])], [[ #ifdef HAVE_SIGNAL_H #include #endif ]] ) AC_CHECK_DECLS( [SIGUSR2], , [AC_DEFINE([SIGUSR2], [12], [SIGUSR2 replacement])], [[ #ifdef HAVE_SIGNAL_H #include #endif ]] ) AC_CHECK_DECLS( [SIGTERM], , [AC_DEFINE([SIGTERM], [15], [SIGTERM replacement])], [[ #ifdef HAVE_SIGNAL_H #include #endif ]] ) AC_FUNC_FORK AC_CHECK_FUNCS([ \ daemon chroot getpwnam setuid nice system getpid dup dup2 \ getpass syslog openlog mlockall getgrnam setgid \ setgroups stat flock readv writev time gettimeofday \ ctime memset vsnprintf strdup \ setsid chdir putenv getpeername unlink \ chsize ftruncate execve getpeereid umask basename dirname access \ epoll_create \ ]) AC_CHECK_LIB( [dl], [dlopen], [DL_LIBS="-ldl"] ) AC_SUBST([DL_LIBS]) AC_CHECK_LIB( [nsl], [inet_ntoa], [SOCKETS_LIBS="${SOCKETS_LIBS} -lnsl"] ) AC_CHECK_LIB( [socket], [socket], [SOCKETS_LIBS="${SOCKETS_LIBS} -lsocket"] ) AC_CHECK_LIB( [resolv], [gethostbyname], [SOCKETS_LIBS="${SOCKETS_LIBS} -lresolv"] ) AC_SUBST([SOCKETS_LIBS]) old_LIBS="${LIBS}" LIBS="${LIBS} ${SOCKETS_LIBS}" AC_CHECK_FUNCS([sendmsg recvmsg]) # Windows use stdcall for winsock so we cannot auto detect these m4_define( [SOCKET_FUNCS], [socket recv recvfrom send sendto listen dnl accept connect bind select gethostbyname inet_ntoa]dnl ) m4_define( [SOCKET_OPT_FUNCS], [setsockopt getsockopt getsockname poll]dnl ) if test "${WIN32}" = "yes"; then # normal autoconf function checking does not find inet_ntop/inet_pton # because they need to include the actual header file and link ws2_32.dll LIBS="${LIBS} -lws2_32" AC_MSG_CHECKING([for MinGW inet_ntop()/inet_pton()]) AC_LINK_IFELSE( [AC_LANG_PROGRAM( [[ #include ]], [[ int r = (int) inet_ntop (0, NULL, NULL, 0); r += inet_pton(AF_INET, NULL, NULL); return r; ]] )], [AC_MSG_RESULT([OK]) AC_DEFINE([HAVE_INET_NTOP],[1],[MinGW inet_ntop]) AC_DEFINE([HAVE_INET_PTON],[1],[MinGW inet_pton]) ], [AC_MSG_RESULT([not found])] ) m4_foreach( [F], m4_split(SOCKET_FUNCS SOCKET_OPT_FUNCS), m4_define([UF], [[m4_join([_], [HAVE], m4_toupper(F))]]) AC_DEFINE([UF], [1], [Win32 builtin]) ) else AC_CHECK_FUNCS([inet_ntop inet_pton]) AC_CHECK_FUNCS( SOCKET_FUNCS, , [AC_MSG_ERROR([Required library function not found])] ) AC_CHECK_FUNCS(SOCKET_OPT_FUNCS) fi LIBS="${old_LIBS}" # we assume res_init() always exist, but need to find out *where*... AC_SEARCH_LIBS(__res_init, resolv bind, , AC_SEARCH_LIBS(res_9_init, resolv bind, , AC_SEARCH_LIBS(res_init, resolv bind, , ))) AC_ARG_VAR([TAP_CFLAGS], [C compiler flags for tap]) old_CFLAGS="${CFLAGS}" CFLAGS="${CFLAGS} ${TAP_CFLAGS}" AC_CHECK_HEADERS( [ \ net/if_tun.h net/tun/if_tun.h \ linux/if_tun.h \ tap-windows.h \ ], [have_tap_header="yes"] ) AC_CHECK_DECLS( [TUNSETPERSIST], [AC_DEFINE([ENABLE_FEATURE_TUN_PERSIST], [1], [We have persist tun capability])], , [[ #ifdef HAVE_LINUX_IF_TUN_H #include #endif ]] ) CFLAGS="${old_CFLAGS}" test "${have_tap_header}" = "yes" || AC_MSG_ERROR([no tap header could be found]) AC_CHECK_LIB( [selinux], [setcon], [SELINUX_LIBS="-lselinux"] ) AC_SUBST([SELINUX_LIBS]) AC_ARG_VAR([LIBPAM_CFLAGS], [C compiler flags for libpam]) AC_ARG_VAR([LIBPAM_LIBS], [linker flags for libpam]) if test -z "${LIBPAM_LIBS}"; then AC_CHECK_LIB( [pam], [pam_start], [LIBPAM_LIBS="-lpam"] ) fi case "${with_mem_check}" in valgrind) AC_CHECK_HEADERS( [valgrind/memcheck.h], [ CFLAGS="${CFLAGS} -g -fno-inline" AC_DEFINE( [USE_VALGRIND], [1], [Use valgrind memory debugging library] ) ], [AC_MSG_ERROR([valgrind headers not found.])] ) ;; dmalloc) AC_CHECK_HEADERS( [dmalloc.h], [AC_CHECK_LIB( [dmalloc], [malloc], [ LIBS="${LIBS} -ldmalloc" AC_DEFINE( [DMALLOC], [1], [Use dmalloc memory debugging library] ) ], [AC_MSG_ERROR([dmalloc library not found.])] )], [AC_MSG_ERROR([dmalloc headers not found.])] ) ;; ssl) AC_CHECK_LIB( [ssl], [CRYPTO_mem_ctrl], [ AC_DEFINE( [CRYPTO_MDEBUG], [1], [Use memory debugging function in OpenSSL] ) AC_MSG_NOTICE([NOTE: OpenSSL library must be compiled with CRYPTO_MDEBUG]) ], [AC_MSG_ERROR([Memory Debugging function in OpenSSL library not found.])] ) ;; esac PKG_CHECK_MODULES( [PKCS11_HELPER], [libpkcs11-helper-1 >= 1.11], [have_pkcs11_helper="yes"], [] ) if test "${enable_crypto}" = "yes" -a "${with_crypto_library}" = "openssl"; then AC_ARG_VAR([OPENSSL_CFLAGS], [C compiler flags for OpenSSL]) AC_ARG_VAR([OPENSSL_LIBS], [linker flags for OpenSSL]) if test -z "${OPENSSL_CFLAGS}" -a -z "${OPENSSL_LIBS}"; then # if the user did not explicitly specify flags, try to autodetect PKG_CHECK_MODULES( [OPENSSL], [libcrypto >= 0.9.8, libssl >= 0.9.8], [have_openssl="yes"], [have_openssl="no"] # Provide if-not-found to prevent erroring out ) OPENSSL_LIBS=${OPENSSL_LIBS:--lssl -lcrypto} fi saved_CFLAGS="${CFLAGS}" saved_LIBS="${LIBS}" CFLAGS="${CFLAGS} ${OPENSSL_CFLAGS}" LIBS="${LIBS} ${OPENSSL_LIBS}" AC_CHECK_FUNCS([SSL_CTX_new EVP_CIPHER_CTX_set_key_length], , [AC_MSG_ERROR([openssl check failed])] ) have_openssl_engine="yes" AC_CHECK_FUNCS( [ \ ENGINE_load_builtin_engines \ ENGINE_register_all_complete \ ENGINE_cleanup \ ], , [have_openssl_engine="no"; break] ) if test "${have_openssl_engine}" = "yes"; then AC_DEFINE([HAVE_OPENSSL_ENGINE], [1], [OpenSSL engine support available]) fi have_crypto_aead_modes="yes" AC_CHECK_FUNCS( [EVP_aes_256_gcm], , [have_crypto_aead_modes="no"; break] ) AC_CHECK_FUNCS( [ \ HMAC_CTX_new \ HMAC_CTX_free \ HMAC_CTX_reset \ EVP_MD_CTX_new \ EVP_MD_CTX_free \ EVP_MD_CTX_reset \ SSL_CTX_get_default_passwd_cb \ SSL_CTX_get_default_passwd_cb_userdata \ X509_get0_pubkey \ X509_STORE_get0_objects \ X509_OBJECT_free \ X509_OBJECT_get_type \ EVP_PKEY_id \ EVP_PKEY_get0_RSA \ EVP_PKEY_get0_DSA \ EVP_PKEY_get0_EC_KEY \ RSA_set_flags \ RSA_bits \ RSA_get0_key \ RSA_set0_key \ DSA_get0_pqg \ DSA_bits \ RSA_meth_new \ RSA_meth_free \ RSA_meth_set_pub_enc \ RSA_meth_set_pub_dec \ RSA_meth_set_priv_enc \ RSA_meth_set_priv_dec \ RSA_meth_set_init \ RSA_meth_set_finish \ RSA_meth_set0_app_data \ EC_GROUP_order_bits ] ) CFLAGS="${saved_CFLAGS}" LIBS="${saved_LIBS}" have_crypto="yes" AC_DEFINE([ENABLE_CRYPTO_OPENSSL], [1], [Use OpenSSL library]) CRYPTO_CFLAGS="${OPENSSL_CFLAGS}" CRYPTO_LIBS="${OPENSSL_LIBS}" elif test "${enable_crypto}" = "yes" -a "${with_crypto_library}" = "mbedtls"; then AC_ARG_VAR([MBEDTLS_CFLAGS], [C compiler flags for mbedtls]) AC_ARG_VAR([MBEDTLS_LIBS], [linker flags for mbedtls]) saved_CFLAGS="${CFLAGS}" saved_LIBS="${LIBS}" if test -z "${MBEDTLS_CFLAGS}" -a -z "${MBEDTLS_LIBS}"; then # if the user did not explicitly specify flags, try to autodetect LIBS="${LIBS} -lmbedtls -lmbedx509 -lmbedcrypto" AC_CHECK_LIB( [mbedtls], [mbedtls_ssl_init], [MBEDTLS_LIBS="-lmbedtls -lmbedx509 -lmbedcrypto"], [AC_MSG_ERROR([Could not find mbed TLS.])], [${PKCS11_HELPER_LIBS}] ) fi CFLAGS="${MBEDTLS_CFLAGS} ${PKCS11_HELPER_CFLAGS} ${CFLAGS}" LIBS="${MBEDTLS_LIBS} ${PKCS11_HELPER_LIBS} ${LIBS}" AC_MSG_CHECKING([mbedtls version]) AC_COMPILE_IFELSE( [AC_LANG_PROGRAM( [[ #include ]], [[ #if MBEDTLS_VERSION_NUMBER < 0x02000000 || MBEDTLS_VERSION_NUMBER >= 0x03000000 #error invalid version #endif ]] )], [AC_MSG_RESULT([ok])], [AC_MSG_ERROR([mbed TLS 2.y.z required])] ) mbedtls_with_pkcs11="no" AC_COMPILE_IFELSE( [AC_LANG_PROGRAM( [[ #include ]], [[ #ifndef MBEDTLS_PKCS11_C #error pkcs11 wrapper missing #endif ]] )], mbedtls_with_pkcs11="yes") AC_MSG_CHECKING([mbedtls pkcs11 support]) if test "${enable_pkcs11}" = "yes"; then if test "${mbedtls_with_pkcs11}" = "yes"; then AC_MSG_RESULT([ok]) else AC_MSG_ERROR([mbedtls has no pkcs11 wrapper compiled in]) fi else if test "${mbedtls_with_pkcs11}" != "yes"; then AC_MSG_RESULT([ok]) else AC_MSG_ERROR([mbed TLS compiled with PKCS11, while OpenVPN is not]) fi fi have_crypto_aead_modes="yes" AC_CHECK_FUNCS( [ \ mbedtls_cipher_write_tag \ mbedtls_cipher_check_tag \ ], , [have_crypto_aead_modes="no"; break] ) CFLAGS="${saved_CFLAGS}" LIBS="${saved_LIBS}" have_crypto="yes" AC_DEFINE([ENABLE_CRYPTO_MBEDTLS], [1], [Use mbed TLS library]) CRYPTO_CFLAGS="${MBEDTLS_CFLAGS}" CRYPTO_LIBS="${MBEDTLS_LIBS}" elif test "${enable_crypto}" = "yes"; then AC_MSG_ERROR([Invalid crypto library: ${with_crypto_library}]) fi AC_ARG_VAR([LZO_CFLAGS], [C compiler flags for lzo]) AC_ARG_VAR([LZO_LIBS], [linker flags for lzo]) have_lzo="yes" if test -z "${LZO_LIBS}"; then AC_CHECK_LIB( [lzo2], [lzo1x_1_15_compress], [LZO_LIBS="-llzo2"], [AC_CHECK_LIB( [lzo], [lzo1x_1_15_compress], [LZO_LIBS="-llzo"], [have_lzo="no"] )] ) fi if test "${have_lzo}" = "yes"; then saved_CFLAGS="${CFLAGS}" CFLAGS="${CFLAGS} ${LZO_CFLAGS}" AC_CHECK_HEADERS( [lzo/lzoutil.h], , [AC_CHECK_HEADERS( [lzoutil.h], , [AC_MSG_ERROR([lzoutil.h is missing])] )] ) AC_CHECK_HEADERS( [lzo/lzo1x.h], , [AC_CHECK_HEADERS( [lzo1x.h], , [AC_MSG_ERROR([lzo1x.h is missing])] )] ) CFLAGS="${saved_CFLAGS}" fi dnl dnl check for LZ4 library dnl AC_ARG_VAR([LZ4_CFLAGS], [C compiler flags for lz4]) AC_ARG_VAR([LZ4_LIBS], [linker flags for lz4]) if test "$enable_lz4" = "yes" && test "$enable_comp_stub" = "no"; then if test -z "${LZ4_CFLAGS}" -a -z "${LZ4_LIBS}"; then # if the user did not explicitly specify flags, try to autodetect PKG_CHECK_MODULES([LZ4], [liblz4 >= 1.7.1], [have_lz4="yes"], [] # If this fails, we will do another test next ) fi saved_CFLAGS="${CFLAGS}" saved_LIBS="${LIBS}" CFLAGS="${CFLAGS} ${LZ4_CFLAGS}" LIBS="${LIBS} ${LZ4_LIBS}" # If pkgconfig check failed or LZ4_CFLAGS/LZ4_LIBS env vars # are used, check the version directly in the LZ4 include file if test "${have_lz4}" != "yes"; then AC_CHECK_HEADERS([lz4.h], [have_lz4h="yes"], []) if test "${have_lz4h}" = "yes" ; then AC_MSG_CHECKING([additionally if system LZ4 version >= 1.7.1]) AC_COMPILE_IFELSE( [AC_LANG_PROGRAM([[ #include ]], [[ /* Version encoding: MMNNPP (Major miNor Patch) - see lz4.h for details */ #if LZ4_VERSION_NUMBER < 10701L #error LZ4 is too old #endif ]] )], [ AC_MSG_RESULT([ok]) have_lz4="yes" ], [AC_MSG_RESULT([system LZ4 library is too old])] ) fi fi # if LZ4_LIBS is set, we assume it will work, otherwise test if test -z "${LZ4_LIBS}"; then AC_CHECK_LIB([lz4], [LZ4_compress], [LZ4_LIBS="-llz4"], [have_lz4="no"]) fi if test "${have_lz4}" != "yes" ; then AC_MSG_RESULT([ usuable LZ4 library or header not found, using version in src/compat/compat-lz4.*]) AC_DEFINE([NEED_COMPAT_LZ4], [1], [use copy of LZ4 source in compat/]) LZ4_LIBS="" fi OPTIONAL_LZ4_CFLAGS="${LZ4_CFLAGS}" OPTIONAL_LZ4_LIBS="${LZ4_LIBS}" AC_DEFINE(ENABLE_LZ4, [1], [Enable LZ4 compression library]) CFLAGS="${saved_CFLAGS}" LIBS="${saved_LIBS}" fi dnl dnl Check for systemd dnl AM_CONDITIONAL([ENABLE_SYSTEMD], [test "${enable_systemd}" = "yes"]) if test "$enable_systemd" = "yes" ; then PKG_CHECK_MODULES([libsystemd], [systemd libsystemd], [], [PKG_CHECK_MODULES([libsystemd], [libsystemd-daemon])] ) PKG_CHECK_EXISTS( [libsystemd > 216], [AC_DEFINE([SYSTEMD_NEWER_THAN_216], [1], [systemd is newer than v216])] ) AC_CHECK_HEADERS(systemd/sd-daemon.h, , [ AC_MSG_ERROR([systemd development headers not found.]) ]) saved_LIBS="${LIBS}" LIBS="${LIBS} ${libsystemd_LIBS}" AC_CHECK_FUNCS([sd_booted], [], [AC_MSG_ERROR([systemd library is missing sd_booted()])]) OPTIONAL_SYSTEMD_LIBS="${libsystemd_LIBS}" AC_DEFINE(ENABLE_SYSTEMD, 1, [Enable systemd integration]) LIBS="${saved_LIBS}" if test -n "${SYSTEMD_UNIT_DIR}"; then systemdunitdir="${SYSTEMD_UNIT_DIR}" else systemdunitdir="\${libdir}/systemd/system" fi if test -n "${TMPFILES_DIR}"; then tmpfilesdir="${TMPFILES_DIR}" else tmpfilesdir="\${libdir}/tmpfiles.d" fi fi AC_MSG_CHECKING([git checkout]) GIT_CHECKOUT="no" if test -n "${GIT}" -a -d "${srcdir}/.git"; then AC_DEFINE([HAVE_CONFIG_VERSION_H], [1], [extra version available in config-version.h]) GIT_CHECKOUT="yes" fi AC_MSG_RESULT([${GIT_CHECKOUT}]) if test -n "${SP_PLATFORM_WINDOWS}"; then AC_DEFINE_UNQUOTED([PATH_SEPARATOR], ['\\\\'], [Path separator]) #" AC_DEFINE_UNQUOTED([PATH_SEPARATOR_STR], ["\\\\"], [Path separator]) #" else AC_DEFINE_UNQUOTED([PATH_SEPARATOR], ['/'], [Path separator]) AC_DEFINE_UNQUOTED([PATH_SEPARATOR_STR], ["/"], [Path separator]) fi dnl enable --x509-username-field feature if requested if test "${enable_x509_alt_username}" = "yes"; then if test "${with_crypto_library}" = "mbedtls" ; then AC_MSG_ERROR([mbed TLS does not support the --x509-username-field feature]) fi AC_DEFINE([ENABLE_X509ALTUSERNAME], [1], [Enable --x509-username-field feature]) fi test "${ac_cv_header_sys_uio_h}" = "yes" && AC_DEFINE([HAVE_IOVEC], [1], [struct iovec needed for IPv6 support]) test "${enable_server}" = "no" && AC_DEFINE([ENABLE_CLIENT_ONLY], [1], [Enable client capability only]) test "${enable_management}" = "yes" && AC_DEFINE([ENABLE_MANAGEMENT], [1], [Enable management server capability]) test "${enable_multihome}" = "yes" && AC_DEFINE([ENABLE_MULTIHOME], [1], [Enable multi-homed UDP server capability]) test "${enable_debug}" = "yes" && AC_DEFINE([ENABLE_DEBUG], [1], [Enable debugging support]) test "${enable_small}" = "yes" && AC_DEFINE([ENABLE_SMALL], [1], [Enable smaller executable size]) test "${enable_fragment}" = "yes" && AC_DEFINE([ENABLE_FRAGMENT], [1], [Enable internal fragmentation support]) test "${enable_port_share}" = "yes" && AC_DEFINE([ENABLE_PORT_SHARE], [1], [Enable TCP Server port sharing]) test "${enable_def_auth}" = "yes" && AC_DEFINE([ENABLE_DEF_AUTH], [1], [Enable deferred authentication]) test "${enable_pf}" = "yes" && AC_DEFINE([ENABLE_PF], [1], [Enable internal packet filter]) test "${enable_strict_options}" = "yes" && AC_DEFINE([ENABLE_STRICT_OPTIONS_CHECK], [1], [Enable strict options check between peers]) if test "${enable_crypto}" = "yes"; then test "${have_crypto}" != "yes" && AC_MSG_ERROR([${with_crypto_library} crypto is required but missing]) test "${enable_crypto_ofb_cfb}" = "yes" && AC_DEFINE([ENABLE_OFB_CFB_MODE], [1], [Enable OFB and CFB cipher modes]) test "${have_crypto_aead_modes}" = "yes" && AC_DEFINE([HAVE_AEAD_CIPHER_MODES], [1], [Use crypto library]) OPTIONAL_CRYPTO_CFLAGS="${OPTIONAL_CRYPTO_CFLAGS} ${CRYPTO_CFLAGS}" OPTIONAL_CRYPTO_LIBS="${OPTIONAL_CRYPTO_LIBS} ${CRYPTO_LIBS}" AC_DEFINE([ENABLE_CRYPTO], [1], [Enable crypto library]) fi if test "${enable_plugins}" = "yes"; then OPTIONAL_DL_LIBS="${DL_LIBS}" AC_DEFINE([ENABLE_PLUGIN], [1], [Enable plug-in support]) else enable_plugin_auth_pam="no" enable_plugin_down_root="no" fi if test "${enable_iproute2}" = "yes"; then test -z "${IPROUTE}" && AC_MSG_ERROR([ip utility is required but missing]) AC_DEFINE([ENABLE_IPROUTE], [1], [enable iproute2 support]) else if test "${WIN32}" != "yes"; then test -z "${ROUTE}" && AC_MSG_ERROR([route utility is required but missing]) test -z "${IFCONFIG}" && AC_MSG_ERROR([ifconfig utility is required but missing]) fi fi if test "${enable_selinux}" = "yes"; then test -z "${SELINUX_LIBS}" && AC_MSG_ERROR([libselinux required but missing]) OPTIONAL_SELINUX_LIBS="${SELINUX_LIBS}" AC_DEFINE([ENABLE_SELINUX], [1], [SELinux support]) fi if test "${enable_lzo}" = "yes"; then test "${have_lzo}" != "yes" && AC_MSG_ERROR([lzo enabled but missing]) OPTIONAL_LZO_CFLAGS="${LZO_CFLAGS}" OPTIONAL_LZO_LIBS="${LZO_LIBS}" AC_DEFINE([ENABLE_LZO], [1], [Enable LZO compression library]) fi if test "${enable_comp_stub}" = "yes"; then test "${enable_lzo}" = "yes" && AC_MSG_ERROR([Cannot have both comp stub and lzo enabled (use --disable-lzo)]) test "${enable_lz4}" = "yes" && AC_MSG_ERROR([Cannot have both comp stub and LZ4 enabled (use --disable-lz4)]) AC_DEFINE([ENABLE_COMP_STUB], [1], [Enable compression stub capability]) fi if test "${enable_pkcs11}" = "yes"; then test "${have_pkcs11_helper}" != "yes" && AC_MSG_ERROR([PKCS11 enabled but libpkcs11-helper is missing]) test "${enable_crypto}" != "yes" && AC_MSG_ERROR([PKCS11 can be enabled only if crypto is enabled]) OPTIONAL_PKCS11_HELPER_CFLAGS="${PKCS11_HELPER_CFLAGS}" OPTIONAL_PKCS11_HELPER_LIBS="${PKCS11_HELPER_LIBS}" AC_DEFINE([ENABLE_PKCS11], [1], [Enable PKCS11]) PKG_CHECK_MODULES( [P11KIT], [p11-kit-1], [proxy_module="`$PKG_CONFIG --variable=proxy_module p11-kit-1`" AC_DEFINE_UNQUOTED([DEFAULT_PKCS11_MODULE], "${proxy_module}", [p11-kit proxy])], [] ) fi if test "${enable_pedantic}" = "yes"; then enable_strict="yes" CFLAGS="${CFLAGS} -pedantic" AC_DEFINE([PEDANTIC], [1], [Enable pedantic mode]) fi if test "${enable_strict}" = "yes"; then CFLAGS="${CFLAGS} -Wall -Wno-unused-parameter -Wno-unused-function" fi if test "${enable_werror}" = "yes"; then CFLAGS="${CFLAGS} -Werror" fi if test "${WIN32}" = "yes"; then test -z "${MAN2HTML}" && AC_MSG_ERROR([man2html is required for win32]) fi if test "${enable_plugin_auth_pam}" = "yes"; then PLUGIN_AUTH_PAM_CFLAGS="${LIBPAM_CFLAGS}" if test "${enable_pam_dlopen}" = "yes"; then AC_DEFINE([USE_PAM_DLOPEN], [1], [dlopen libpam]) PLUGIN_AUTH_PAM_LIBS="${DL_LIBS}" else test -z "${LIBPAM_LIBS}" && AC_MSG_ERROR([libpam required but missing]) PLUGIN_AUTH_PAM_LIBS="${LIBPAM_LIBS}" fi fi if test "${enable_async_push}" = "yes"; then AC_CHECK_HEADERS( [sys/inotify.h], AC_DEFINE([ENABLE_ASYNC_PUSH], [1], [Enable async push]), AC_MSG_ERROR([inotify.h not found.]) ) fi CONFIGURE_DEFINES="`set | grep '^enable_.*=' ; set | grep '^with_.*='`" AC_DEFINE_UNQUOTED([CONFIGURE_DEFINES], ["`echo ${CONFIGURE_DEFINES}`"], [Configuration settings]) TAP_WIN_COMPONENT_ID="PRODUCT_TAP_WIN_COMPONENT_ID" TAP_WIN_MIN_MAJOR="PRODUCT_TAP_WIN_MIN_MAJOR" TAP_WIN_MIN_MINOR="PRODUCT_TAP_WIN_MIN_MINOR" AC_DEFINE_UNQUOTED([TAP_WIN_COMPONENT_ID], ["${TAP_WIN_COMPONENT_ID}"], [The tap-windows id]) AC_DEFINE_UNQUOTED([TAP_WIN_MIN_MAJOR], [${TAP_WIN_MIN_MAJOR}], [The tap-windows version number is required for OpenVPN]) AC_DEFINE_UNQUOTED([TAP_WIN_MIN_MINOR], [${TAP_WIN_MIN_MINOR}], [The tap-windows version number is required for OpenVPN]) AC_SUBST([TAP_WIN_COMPONENT_ID]) AC_SUBST([TAP_WIN_MIN_MAJOR]) AC_SUBST([TAP_WIN_MIN_MINOR]) AC_SUBST([OPTIONAL_DL_LIBS]) AC_SUBST([OPTIONAL_SELINUX_LIBS]) AC_SUBST([OPTIONAL_CRYPTO_CFLAGS]) AC_SUBST([OPTIONAL_CRYPTO_LIBS]) AC_SUBST([OPTIONAL_LZO_CFLAGS]) AC_SUBST([OPTIONAL_LZO_LIBS]) AC_SUBST([OPTIONAL_LZ4_CFLAGS]) AC_SUBST([OPTIONAL_LZ4_LIBS]) AC_SUBST([OPTIONAL_SYSTEMD_LIBS]) AC_SUBST([OPTIONAL_PKCS11_HELPER_CFLAGS]) AC_SUBST([OPTIONAL_PKCS11_HELPER_LIBS]) AC_SUBST([PLUGIN_AUTH_PAM_CFLAGS]) AC_SUBST([PLUGIN_AUTH_PAM_LIBS]) AM_CONDITIONAL([WIN32], [test "${WIN32}" = "yes"]) AM_CONDITIONAL([GIT_CHECKOUT], [test "${GIT_CHECKOUT}" = "yes"]) AM_CONDITIONAL([ENABLE_PLUGIN_AUTH_PAM], [test "${enable_plugin_auth_pam}" = "yes"]) AM_CONDITIONAL([ENABLE_PLUGIN_DOWN_ROOT], [test "${enable_plugin_down_root}" = "yes"]) AM_CONDITIONAL([ENABLE_CRYPTO], [test "${enable_crypto}" = "yes"]) AM_CONDITIONAL([HAVE_LD_WRAP_SUPPORT], [test "${have_ld_wrap_support}" = "yes"]) sampledir="\$(docdir)/sample" AC_SUBST([plugindir]) AC_SUBST([sampledir]) AC_SUBST([systemdunitdir]) AC_SUBST([tmpfilesdir]) VENDOR_SRC_ROOT="\$(abs_top_srcdir)/vendor/" VENDOR_DIST_ROOT="\$(abs_top_builddir)/vendor/dist" VENDOR_BUILD_ROOT="\$(abs_top_builddir)/vendor/.build" AC_SUBST([VENDOR_SRC_ROOT]) AC_SUBST([VENDOR_BUILD_ROOT]) AC_SUBST([VENDOR_DIST_ROOT]) TEST_LDFLAGS="-lcmocka -L\$(abs_top_builddir)/vendor/dist/lib -Wl,-rpath,\$(abs_top_builddir)/vendor/dist/lib" TEST_CFLAGS="-I\$(top_srcdir)/include -I\$(abs_top_builddir)/vendor/dist/include" AC_SUBST([TEST_LDFLAGS]) AC_SUBST([TEST_CFLAGS]) # Check if cmake is available and cmocka git submodule is initialized, # needed for unit testing AC_CHECK_PROGS([CMAKE], [cmake]) if test -n "${CMAKE}"; then if test -f "${srcdir}/vendor/cmocka/CMakeLists.txt"; then AM_CONDITIONAL([CMOCKA_INITIALIZED], [true]) else AM_CONDITIONAL([CMOCKA_INITIALIZED], [false]) AC_MSG_RESULT([!! WARNING !! The cmoka git submodule has not been initialized or updated. Unit testing cannot be performed.]) fi else AC_MSG_RESULT([!! WARNING !! CMake is NOT available. Unit testing cannot be performed.]) AM_CONDITIONAL([CMOCKA_INITIALIZED], [false]) fi AC_CONFIG_FILES([ version.sh Makefile build/Makefile build/msvc/Makefile build/msvc/msvc-generate/Makefile distro/Makefile distro/rpm/Makefile distro/rpm/openvpn.spec distro/systemd/Makefile include/Makefile src/Makefile src/compat/Makefile src/openvpn/Makefile src/openvpnserv/Makefile src/plugins/Makefile src/plugins/auth-pam/Makefile src/plugins/down-root/Makefile tests/Makefile tests/unit_tests/Makefile tests/unit_tests/example_test/Makefile tests/unit_tests/openvpn/Makefile tests/unit_tests/plugins/Makefile tests/unit_tests/plugins/auth-pam/Makefile vendor/Makefile sample/Makefile doc/Makefile ]) AC_CONFIG_FILES([tests/t_client.sh], [chmod +x tests/t_client.sh]) AC_OUTPUT openvpn-2.4.4/contrib/000077500000000000000000000000001316434344000146505ustar00rootroot00000000000000openvpn-2.4.4/contrib/OCSP_check/000077500000000000000000000000001316434344000165515ustar00rootroot00000000000000openvpn-2.4.4/contrib/OCSP_check/OCSP_check.sh000066400000000000000000000071061316434344000210120ustar00rootroot00000000000000#!/bin/sh # Sample script to perform OCSP queries with OpenSSL # given a certificate serial number. # If you run your own CA, you can set up a very simple # OCSP server using the -port option to "openssl ocsp". # Full documentation and examples: # http://www.openssl.org/docs/apps/ocsp.html # Edit the following values to suit your needs # OCSP responder URL (mandatory) # YOU MUST UNCOMMENT ONE OF THESE AND SET IT TO A VALID SERVER #ocsp_url="http://ocsp.example.com/" #ocsp_url="https://ocsp.secure.example.com/" # Path to issuer certificate (mandatory) # YOU MUST SET THIS TO THE PATH TO THE CA CERTIFICATE issuer="/path/to/CAcert.crt" # use a nonce in the query, set to "-no_nonce" to not use it nonce="-nonce" # Verify the response # YOU MUST SET THIS TO THE PATH TO THE RESPONSE VERIFICATION CERT verify="/path/to/CAcert.crt" # Depth in the certificate chain where the cert to verify is. # Set to -1 to run the verification at every level (NOTE that # in that case you need a more complex script as the various # parameters for the query will likely be different at each level) # "0" is the usual value here, where the client certificate is check_depth=0 cur_depth=$1 # this is the *CURRENT* depth common_name=$2 # CN in case you need it # minimal sanity checks err=0 if [ -z "$issuer" ] || [ ! -e "$issuer" ]; then echo "Error: issuer certificate undefined or not found!" >&2 err=1 fi if [ -z "$verify" ] || [ ! -e "$verify" ]; then echo "Error: verification certificate undefined or not found!" >&2 err=1 fi if [ -z "$ocsp_url" ]; then echo "Error: OCSP server URL not defined!" >&2 err=1 fi if [ $err -eq 1 ]; then echo "Did you forget to customize the variables in the script?" >&2 exit 1 fi # begin if [ $check_depth -eq -1 ] || [ $cur_depth -eq $check_depth ]; then eval serial="\$tls_serial_${cur_depth}" # To successfully complete, the following must happen: # # - The serial number must not be empty # - The exit status of "openssl ocsp" must be zero # - The output of the above command must contain the line # "${serial}: good" # # Everything else fails with exit status 1. if [ -n "$serial" ]; then # This is only an example; you are encouraged to run this command (without # redirections) manually against your or your CA's OCSP server to see how # it responds, and adapt accordingly. # Sample output that is assumed here: # # Response verify OK # 4287405: good # This Update: Apr 24 19:38:49 2010 GMT # Next Update: May 2 14:23:42 2010 GMT # # NOTE: It is needed to check the exit code of OpenSSL explicitly. OpenSSL # can in some circumstances give a "good" result if it could not # reach the the OSCP server. In this case, the exit code will indicate # if OpenSSL itself failed or not. If OpenSSL's exit code is not 0, # don't trust the OpenSSL status. status=$(openssl ocsp -issuer "$issuer" \ "$nonce" \ -CAfile "$verify" \ -url "$ocsp_url" \ -serial "${serial}" 2>&1) if [ $? -eq 0 ]; then # check if ocsp didn't report any errors if echo "$status" | grep -Eq "(error|fail)"; then exit 1 fi # check that the reported status of certificate is ok if echo "$status" | grep -Eq "^${serial}: good"; then # check if signature on the OCSP response verified correctly if echo "$status" | grep -Eq "^Response verify OK"; then exit 0 fi fi fi fi # if we get here, something was wrong exit 1 fi openvpn-2.4.4/contrib/README000066400000000000000000000001021316434344000155210ustar00rootroot00000000000000This directory contains scripts and patches contributed by users. openvpn-2.4.4/contrib/multilevel-init.patch000066400000000000000000000043021316434344000210130ustar00rootroot00000000000000--- /etc/init.d/openvpn 2004-05-12 20:30:06.000000000 +0200 +++ openvpn 2004-05-12 20:34:33.000000000 +0200 @@ -58,13 +58,13 @@ # returning success or failure status to caller (James Yonan). # Location of openvpn binary -openvpn="/usr/sbin/openvpn" +openvpn=/usr/sbin/openvpn # Lockfile -lock="/var/lock/subsys/openvpn" +lock=/var/lock/subsys/openvpn # PID directory -piddir="/var/run/openvpn" +piddir=/var/run/openvpn # Our working directory work=/etc/openvpn @@ -106,7 +106,7 @@ if [ -f $lock ]; then # we were not shut down correctly - for pidf in `/bin/ls $piddir/*.pid $piddir/*/*.pid 2>/dev/null`; do + for pidf in `find $piddir -name "*.pid" 2>/dev/null`; do if [ -s $pidf ]; then kill `cat $pidf` >/dev/null 2>&1 fi @@ -116,12 +116,12 @@ sleep 2 fi - rm -f $piddir/*.pid $piddir/*/*.pid + find $piddir -name "*.pid"|xargs rm -f # Start every .conf in $work and run .sh if exists errors=0 successes=0 - for c in `/bin/ls *.conf */*.conf 2>/dev/null`; do + for c in `find * -name "*.conf" 2>/dev/null`; do bn=${c%%.conf} if [ -f "$bn.sh" ]; then . $bn.sh @@ -147,7 +147,7 @@ ;; stop) echo -n $"Shutting down openvpn: " - for pidf in `/bin/ls $piddir/*.pid $piddir/*/*.pid 2>/dev/null`; do + for pidf in `find $piddir -name "*.pid" 2>/dev/null`; do if [ -s $pidf ]; then kill `cat $pidf` >/dev/null 2>&1 fi @@ -163,7 +163,7 @@ ;; reload) if [ -f $lock ]; then - for pidf in `/bin/ls $piddir/*.pid $piddir/*/*.pid 2>/dev/null`; do + for pidf in `find $piddir -name "*.pid" 2>/dev/null`; do if [ -s $pidf ]; then kill -HUP `cat $pidf` >/dev/null 2>&1 fi @@ -175,7 +175,7 @@ ;; reopen) if [ -f $lock ]; then - for pidf in `/bin/ls $piddir/*.pid $piddir/*/*.pid 2>/dev/null`; do + for pidf in `find $piddir -name "*.pid" 2>/dev/null`; do if [ -s $pidf ]; then kill -USR1 `cat $pidf` >/dev/null 2>&1 fi @@ -195,7 +195,7 @@ ;; status) if [ -f $lock ]; then - for pidf in `/bin/ls $piddir/*.pid $piddir/*/*.pid 2>/dev/null`; do + for pidf in `find $piddir -name "*.pid" 2>/dev/null`; do if [ -s $pidf ]; then kill -USR2 `cat $pidf` >/dev/null 2>&1 fi openvpn-2.4.4/contrib/openvpn-fwmarkroute-1.00/000077500000000000000000000000001316434344000212555ustar00rootroot00000000000000openvpn-2.4.4/contrib/openvpn-fwmarkroute-1.00/README000066400000000000000000000035021316434344000221350ustar00rootroot00000000000000OpenVPN fwmark Routing Sean Reifschneider, Thursday November 27, 2003 ========================== These scripts can be used with OpenVPN up and down scripts to set up routing on a Linux system such that the VPN traffic is sent via normal network connectivity, but other traffic to that network runs over the VPN. The idea is to allow encryption of data to the network the remote host is on, without interfering with the VPN traffic. You can't simply add a route to the remote network, becaues that will cause the VPN traffic to also try to run over the VPN, and breaks the VPN. These scripts use the Linux "fwmark" iptables rules to specify routing based not only on IP address, but also by port and protocol. This allows you to effectively say "if the packet is to this IP address on this port using this protocol, then use the normal default gateway, otherwise use the VPN gateway. This is set up on the client VPN system, not the VPN server. These scripts also set up all ICMP echo-responses to run across the VPN. You can comment the lines in the scripts to disable this, but I find this useful at coffee shops which have networks that block ICMP. To configure this, you need to set up these scripts as your up and down scripts in the config file. You will need to set these values in the config file: up /etc/openvpn/fwmarkroute.up down /etc/openvpn/fwmarkroute.down up-restart up-delay setenv remote_netmask_bits 24 Note: For this to work, you can't set the "user" or "group" config options, because then the scripts will not run as root. The last setting allows you to control the size of the network the remote system is on. The remote end has to be set up to route, probably with masquerading or NAT. The network this netmask relates to is calculated using the value of "remote" in the conf file. Sean openvpn-2.4.4/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.down000077500000000000000000000012421316434344000245160ustar00rootroot00000000000000#!/bin/sh # # Bring down vpn routing. # calculate the network address remote_network=`ipcalc -n "$remote"/"$remote_netmask_bits"` remote_network="${remote_network#*=}" # clear routing via VPN ip route del "$remote_network"/"$remote_netmask_bits" via "$5" table vpn.out ip route del table vpnonly.out via "$5" iptables -D OUTPUT -t mangle -p "$proto" \ -d "$remote_network"/"$remote_netmask_bits" \ --dport "$remote_port" -j ACCEPT iptables -D OUTPUT -t mangle -d "$remote" -j MARK --set-mark 2 # undo the ICMP ping tunneling iptables -D OUTPUT -t mangle --protocol icmp --icmp-type echo-request \ -j MARK --set-mark 3 # flush route cache ip route flush cache openvpn-2.4.4/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.up000077500000000000000000000025601316434344000241770ustar00rootroot00000000000000#!/bin/sh # # Bring up vpn routing. # calculate the network address remote_network=`ipcalc -n "$remote"/"$remote_netmask_bits"` remote_network="${remote_network#*=}" # add the stuff that doesn't change if it's not already there grep -q '^202 ' /etc/iproute2/rt_tables if [ "$?" -ne 0 ] then echo 202 vpn.out >> /etc/iproute2/rt_tables fi grep -q '^203 ' /etc/iproute2/rt_tables if [ "$?" -ne 0 ] then echo 203 vpnonly.out >> /etc/iproute2/rt_tables fi ip rule ls | grep -q 'lookup vpn.out *$' if [ "$?" -ne 0 ] then ip rule add fwmark 2 table vpn.out fi ip rule ls | grep -q 'lookup vpnonly.out *$' if [ "$?" -ne 0 ] then ip rule add fwmark 3 table vpnonly.out fi # route VPN traffic using the normal table iptables -A OUTPUT -t mangle -p "$proto" -d "$remote" --dport "$remote_port" \ -j ACCEPT # route all other traffic to that host via VPN iptables -A OUTPUT -t mangle -d "$remote_network"/"$remote_netmask_bits" \ -j MARK --set-mark 2 # route all ICMP pings over the VPN iptables -A OUTPUT -t mangle --protocol icmp --icmp-type echo-request \ -j MARK --set-mark 3 # NAT traffic going over the VPN, so it doesn't have an unknown address iptables -t nat -A POSTROUTING -o "$1" -j SNAT --to-source "$4" # add routing commands ip route add "$remote_network"/"$remote_netmask_bits" via "$5" table vpn.out ip route add table vpnonly.out via "$5" ip route flush cache openvpn-2.4.4/contrib/pull-resolv-conf/000077500000000000000000000000001316434344000200575ustar00rootroot00000000000000openvpn-2.4.4/contrib/pull-resolv-conf/client.down000066400000000000000000000032611316434344000222300ustar00rootroot00000000000000#!/bin/sh # Copyright (c) 2005-2010 OpenVPN Technologies, Inc. # Licensed under the GPL version 2 # First version by Jesse Adelman # someone at boldandbusted dink com # http://www.boldandbusted.com/ # PURPOSE: This script automatically removes the /etc/resolv.conf entries previously # set by the companion script "client.up". # INSTALL NOTES: # Place this in /etc/openvpn/client.down # Then, add the following to your /etc/openvpn/.conf: # client # up /etc/openvpn/client.up # down /etc/openvpn/client.down # Next, "chmod a+x /etc/openvpn/client.down" # USAGE NOTES: # Note that this script is best served with the companion "client.up" # script. # Tested under Debian lenny with OpenVPN 2.1_rc11 # It should work with any UNIX with a POSIX sh, /etc/resolv.conf or resolvconf # This runs with the context of the OpenVPN UID/GID # at the time of execution. This generally means that # the client "up" script will run fine, but the "down" script # will require the use of the OpenVPN "down-root" plugin # which is in the plugins/ directory of the OpenVPN source tree # The config example above would have to be changed to: # client # up /etc/openvpn/client.up # plugin openvpn-plugin-down-root.so "/etc/openvpn/client.down" # A horrid work around, from a security perspective, # is to run OpenVPN as root. THIS IS NOT RECOMMENDED. You have # been WARNED. PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin if type resolvconf >/dev/null 2>&1; then resolvconf -d "${dev}" -f elif [ -e /etc/resolv.conf.ovpnsave ] ; then # cp + rm rather than mv in case it's a symlink cp /etc/resolv.conf.ovpnsave /etc/resolv.conf rm -f /etc/resolv.conf.ovpnsave fi exit 0 openvpn-2.4.4/contrib/pull-resolv-conf/client.up000066400000000000000000000055771316434344000217210ustar00rootroot00000000000000#!/bin/sh # Copyright (c) 2005-2010 OpenVPN Technologies, Inc. # Licensed under the GPL version 2 # First version by Jesse Adelman # someone at boldandbusted dink com # http://www.boldandbusted.com/ # PURPOSE: This script automatically sets the proper /etc/resolv.conf entries # as pulled down from an OpenVPN server. # INSTALL NOTES: # Place this in /etc/openvpn/client.up # Then, add the following to your /etc/openvpn/.conf: # client # up /etc/openvpn/client.up # Next, "chmod a+x /etc/openvpn/client.up" # USAGE NOTES: # Note that this script is best served with the companion "client.down" # script. # Tested under Debian lenny with OpenVPN 2.1_rc11 # It should work with any UNIX with a POSIX sh, /etc/resolv.conf or resolvconf # This runs with the context of the OpenVPN UID/GID # at the time of execution. This generally means that # the client "up" script will run fine, but the "down" script # will require the use of the OpenVPN "down-root" plugin # which is in the plugins/ directory of the OpenVPN source tree # A horrid work around, from a security perspective, # is to run OpenVPN as root. THIS IS NOT RECOMMENDED. You have # been WARNED. PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin # init variables i=1 domains= fopt= ndoms=0 nns=0 nl=' ' # $foreign_option_ is something like # "dhcp-option DOMAIN example.com" (multiple allowed) # or # "dhcp-option DNS 10.10.10.10" (multiple allowed) # each DNS option becomes a "nameserver" option in resolv.conf # if we get one DOMAIN, that becomes "domain" in resolv.conf # if we get multiple DOMAINS, those become "search" lines in resolv.conf # if we get no DOMAINS, then don't use either domain or search. while true; do eval fopt=\$foreign_option_${i} [ -z "${fopt}" ] && break case ${fopt} in dhcp-option\ DOMAIN\ *) ndoms=$((ndoms + 1)) domains="${domains} ${fopt#dhcp-option DOMAIN }" ;; dhcp-option\ DNS\ *) nns=$((nns + 1)) if [ $nns -le 3 ]; then dns="${dns}${dns:+$nl}nameserver ${fopt#dhcp-option DNS }" else printf "%s\n" "Too many nameservers - ignoring after third" >&2 fi ;; *) printf "%s\n" "Unknown option \"${fopt}\" - ignored" >&2 ;; esac i=$((i + 1)) done ds="" if [ $ndoms -eq 1 ]; then ds="${nl}domain" elif [ $ndoms -gt 1 ]; then ds="${nl}search" fi # This is the complete file - "$domains" has a leading space already out="# resolv.conf autogenerated by ${0} (${dev})${nl}${dns}${ds}${domains}" # use resolvconf if it's available if type resolvconf >/dev/null 2>&1; then printf "%s\n" "${out}" | resolvconf -p -a "${dev}" else # Preserve the existing resolv.conf if [ -e /etc/resolv.conf ] ; then cp /etc/resolv.conf /etc/resolv.conf.ovpnsave fi printf "%s\n" "${out}" > /etc/resolv.conf chmod 644 /etc/resolv.conf fi exit 0 openvpn-2.4.4/debug/000077500000000000000000000000001316434344000142765ustar00rootroot00000000000000openvpn-2.4.4/debug/doval000077500000000000000000000003661316434344000153360ustar00rootroot00000000000000#!/bin/bash PROGDIR=`dirname $0` unset LD_LIBRARY_PATH valgrind --tool=memcheck --error-limit=no --suppressions=$PROGDIR/debug/valgrind-suppress --gen-suppressions=all --leak-check=full --show-reachable=yes --num-callers=32 $PROGDIR/openvpn "$@" openvpn-2.4.4/debug/dovalns000077500000000000000000000002101316434344000156630ustar00rootroot00000000000000#!/bin/bash valgrind --tool=memcheck --error-limit=no --gen-suppressions=all --leak-check=full --show-reachable=yes --num-callers=32 $* openvpn-2.4.4/debug/valgrind-suppress000066400000000000000000000543471316434344000177260ustar00rootroot00000000000000{ Memcheck:Addr8 obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/libc-2.5.so obj:/lib/ld-2.5.so fun:__libc_dlopen_mode fun:__nss_lookup_function obj:/lib/libc-2.5.so fun:getgrnam_r fun:getgrnam fun:get_group fun:do_init_first_time fun:init_instance fun:init_instance_handle_signals fun:tunnel_server_tcp fun:main } { Memcheck:Addr8 obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/libc-2.5.so obj:/lib/ld-2.5.so fun:__libc_dlopen_mode fun:__nss_lookup_function obj:/lib/libc-2.5.so fun:getgrnam_r fun:getgrnam fun:get_group fun:do_init_first_time fun:init_instance fun:init_instance_handle_signals fun:tunnel_server_udp fun:main } { Memcheck:Addr8 obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/libc-2.5.so obj:/lib/ld-2.5.so fun:__libc_dlopen_mode fun:__nss_lookup_function obj:/lib/libc-2.5.so fun:getpwnam_r fun:getpwnam fun:get_user fun:management_open fun:open_management fun:main } { Memcheck:Addr8 obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/libc-2.5.so obj:/lib/ld-2.5.so fun:__libc_dlopen_mode fun:__nss_lookup_function fun:__nss_next fun:gethostbyname_r fun:gethostbyname fun:getaddr fun:resolve_remote fun:link_socket_init_phase1 fun:init_instance fun:init_instance_handle_signals fun:main } { Memcheck:Addr8 obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/libc-2.5.so obj:/lib/ld-2.5.so fun:__libc_dlopen_mode fun:__nss_lookup_function obj:/lib/libc-2.5.so fun:gethostbyname_r fun:gethostbyname fun:getaddr fun:resolve_remote fun:link_socket_init_phase1 fun:init_instance fun:init_instance_handle_signals fun:main } { Memcheck:Addr8 obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/libdl-2.5.so obj:/lib/ld-2.5.so obj:/lib/libdl-2.5.so fun:dlopen fun:plugin_list_init fun:init_plugins fun:main } { Memcheck:Addr8 obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/libdl-2.5.so obj:/lib/ld-2.5.so obj:/lib/libdl-2.5.so fun:dlopen fun:plugin_list_init fun:init_plugins fun:main } { Memcheck:Addr8 obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/libc-2.5.so obj:/lib/libdl-2.5.so obj:/lib/ld-2.5.so obj:/lib/libdl-2.5.so fun:dlsym fun:libdl_resolve_symbol fun:plugin_list_init fun:init_plugins fun:main } { Memcheck:Addr8 obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/libdl-2.5.so obj:/lib/ld-2.5.so obj:/lib/libdl-2.5.so fun:dlopen fun:plugin_list_init fun:init_plugins fun:main } { Memcheck:Addr8 obj:/lib/ld-2.7.so obj:/lib/ld-2.7.so obj:/lib/ld-2.7.so obj:/lib/ld-2.7.so obj:/lib/ld-2.7.so obj:/lib/ld-2.7.so obj:/lib/ld-2.7.so obj:/lib/ld-2.7.so obj:/lib/ld-2.7.so obj:/lib/ld-2.7.so obj:/lib/libc-2.7.so obj:/lib/ld-2.7.so fun:__libc_dlopen_mode fun:__nss_lookup_function obj:/lib/libc-2.7.so fun:getgrnam_r fun:getgrnam fun:get_group fun:do_init_first_time fun:init_instance fun:init_instance_handle_signals fun:tunnel_server_tcp fun:main } { Memcheck:Addr8 obj:/lib/ld-2.7.so obj:/lib/ld-2.7.so obj:/lib/ld-2.7.so obj:/lib/ld-2.7.so obj:/lib/ld-2.7.so obj:/lib/ld-2.7.so obj:/lib/ld-2.7.so obj:/lib/ld-2.7.so obj:/lib/ld-2.7.so obj:/lib/ld-2.7.so obj:/lib/libc-2.7.so obj:/lib/ld-2.7.so fun:__libc_dlopen_mode fun:__nss_lookup_function obj:/lib/libc-2.7.so fun:getgrnam_r fun:getgrnam fun:get_group fun:do_init_first_time fun:init_instance fun:init_instance_handle_signals fun:tunnel_server_udp fun:main } { Memcheck:Addr8 obj:/lib/ld-2.7.so obj:/lib/ld-2.7.so obj:/lib/ld-2.7.so obj:/lib/ld-2.7.so obj:/lib/ld-2.7.so obj:/lib/ld-2.7.so obj:/lib/ld-2.7.so obj:/lib/ld-2.7.so obj:/lib/ld-2.7.so obj:/lib/ld-2.7.so obj:/lib/libc-2.7.so obj:/lib/ld-2.7.so fun:__libc_dlopen_mode fun:__nss_lookup_function obj:/lib/libc-2.7.so fun:getgrnam_r fun:getgrnam fun:get_group fun:management_open fun:open_management fun:main } { Memcheck:Addr8 obj:/lib/ld-2.7.so obj:/lib/ld-2.7.so obj:/lib/ld-2.7.so obj:/lib/ld-2.7.so obj:/lib/ld-2.7.so obj:/lib/ld-2.7.so obj:/lib/ld-2.7.so obj:/lib/ld-2.7.so obj:/lib/ld-2.7.so obj:/lib/ld-2.7.so obj:/lib/libc-2.7.so obj:/lib/ld-2.7.so fun:__libc_dlopen_mode fun:__nss_lookup_function obj:/lib/libc-2.7.so fun:getpwnam_r fun:getpwnam fun:get_user fun:management_open fun:open_management fun:main } { Memcheck:Cond fun:BN_div fun:BN_MONT_CTX_set fun:BN_MONT_CTX_set_locked obj:/usr/lib/libcrypto.so.0.9.8 fun:RSA_verify fun:EVP_VerifyFinal fun:ASN1_item_verify obj:/usr/lib/libcrypto.so.0.9.8 fun:X509_verify_cert fun:ssl_verify_cert_chain fun:ssl3_get_client_certificate fun:ssl3_accept fun:ssl3_read_bytes fun:ssl3_read obj:/usr/lib/libssl.so.0.9.8 fun:BIO_read fun:bio_read fun:tls_process fun:tls_multi_process fun:check_tls_dowork fun:pre_select fun:multi_process_post fun:multi_process_incoming_link fun:multi_tcp_action } { Memcheck:Cond fun:BN_div fun:BN_MONT_CTX_set fun:BN_MONT_CTX_set_locked obj:/usr/lib/libcrypto.so.0.9.8 fun:ssl3_ctx_ctrl fun:init_ssl fun:init_instance fun:init_instance_handle_signals fun:tunnel_server_tcp fun:main } { Memcheck:Cond fun:BN_div fun:BN_MONT_CTX_set fun:BN_MONT_CTX_set_locked obj:/usr/lib/libcrypto.so.0.9.8 fun:ssl3_ctx_ctrl fun:init_ssl fun:init_instance fun:init_instance_handle_signals fun:tunnel_server_udp fun:main } { Memcheck:Cond fun:BN_div fun:BN_MONT_CTX_set fun:BN_MONT_CTX_set_locked obj:/usr/lib/libcrypto.so.0.9.8 obj:/usr/lib/libcrypto.so.0.9.8 fun:RSA_sign fun:ssl3_send_server_key_exchange fun:ssl3_accept fun:ssl3_read_bytes fun:ssl3_read obj:/usr/lib/libssl.so.0.9.8 fun:BIO_read fun:bio_read fun:tls_process fun:tls_multi_process fun:check_tls_dowork fun:pre_select fun:multi_process_post fun:multi_process_incoming_link fun:multi_tcp_action fun:tunnel_server_tcp fun:main } { Memcheck:Cond fun:BN_div fun:BN_MONT_CTX_set fun:BN_mod_exp_mont fun:BN_BLINDING_create_param fun:RSA_setup_blinding obj:/usr/lib/libcrypto.so.0.9.8 obj:/usr/lib/libcrypto.so.0.9.8 fun:RSA_sign fun:ssl3_send_server_key_exchange fun:ssl3_accept fun:ssl3_read_bytes fun:ssl3_read obj:/usr/lib/libssl.so.0.9.8 fun:BIO_read fun:bio_read fun:tls_process fun:tls_multi_process fun:check_tls_dowork fun:pre_select fun:multi_process_post fun:multi_process_incoming_link fun:multi_tcp_action fun:tunnel_server_tcp fun:main } { Memcheck:Cond fun:BN_div fun:BN_nnmod fun:BN_mod_inverse fun:BN_MONT_CTX_set fun:BN_MONT_CTX_set_locked obj:/usr/lib/libcrypto.so.0.9.8 fun:ssl3_ctx_ctrl fun:init_ssl fun:init_instance fun:init_instance_handle_signals fun:tunnel_server_tcp fun:main } { Memcheck:Cond fun:BN_div fun:BN_nnmod fun:BN_mod_inverse fun:BN_MONT_CTX_set fun:BN_MONT_CTX_set_locked obj:/usr/lib/libcrypto.so.0.9.8 fun:ssl3_ctx_ctrl fun:init_ssl fun:init_instance fun:init_instance_handle_signals fun:tunnel_server_udp fun:main } { Memcheck:Cond fun:BN_mod_inverse fun:BN_MONT_CTX_set fun:BN_MONT_CTX_set_locked obj:/usr/lib/libcrypto.so.0.9.8 fun:RSA_verify fun:EVP_VerifyFinal fun:ASN1_item_verify obj:/usr/lib/libcrypto.so.0.9.8 fun:X509_verify_cert fun:ssl_verify_cert_chain fun:ssl3_get_client_certificate fun:ssl3_accept fun:ssl3_read_bytes fun:ssl3_read obj:/usr/lib/libssl.so.0.9.8 fun:BIO_read fun:bio_read fun:tls_process fun:tls_multi_process fun:check_tls_dowork fun:pre_select fun:multi_process_post fun:multi_process_incoming_link fun:multi_tcp_action } { Memcheck:Cond fun:BN_mod_inverse fun:BN_MONT_CTX_set fun:BN_MONT_CTX_set_locked obj:/usr/lib/libcrypto.so.0.9.8 fun:ssl3_ctx_ctrl fun:init_ssl fun:init_instance fun:init_instance_handle_signals fun:tunnel_server_tcp fun:main } { Memcheck:Cond fun:BN_mod_inverse fun:BN_MONT_CTX_set fun:BN_MONT_CTX_set_locked obj:/usr/lib/libcrypto.so.0.9.8 fun:ssl3_ctx_ctrl fun:init_ssl fun:init_instance fun:init_instance_handle_signals fun:tunnel_server_udp fun:main } { Memcheck:Cond fun:BN_mod_inverse fun:BN_MONT_CTX_set fun:BN_MONT_CTX_set_locked obj:/usr/lib/libcrypto.so.0.9.8 obj:/usr/lib/libcrypto.so.0.9.8 fun:RSA_sign fun:ssl3_send_server_key_exchange fun:ssl3_accept fun:ssl3_read_bytes fun:ssl3_read obj:/usr/lib/libssl.so.0.9.8 fun:BIO_read fun:bio_read fun:tls_process fun:tls_multi_process fun:check_tls_dowork fun:pre_select fun:multi_process_post fun:multi_process_incoming_link fun:multi_tcp_action fun:tunnel_server_tcp fun:main } { Memcheck:Cond fun:BN_mod_inverse fun:BN_MONT_CTX_set fun:BN_mod_exp_mont fun:BN_BLINDING_create_param fun:RSA_setup_blinding obj:/usr/lib/libcrypto.so.0.9.8 obj:/usr/lib/libcrypto.so.0.9.8 fun:RSA_sign fun:ssl3_send_server_key_exchange fun:ssl3_accept fun:ssl3_read_bytes fun:ssl3_read obj:/usr/lib/libssl.so.0.9.8 fun:BIO_read fun:bio_read fun:tls_process fun:tls_multi_process fun:check_tls_dowork fun:pre_select fun:multi_process_post fun:multi_process_incoming_link fun:multi_tcp_action fun:tunnel_server_tcp fun:main } { Memcheck:Cond obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:* obj:* obj:* } { Memcheck:Cond obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/libc-2.5.so obj:/lib/ld-2.5.so fun:__libc_dlopen_mode fun:__nss_lookup_function fun:__nss_next fun:gethostbyname_r fun:gethostbyname fun:getaddr fun:resolve_remote fun:link_socket_init_phase1 fun:init_instance fun:init_instance_handle_signals fun:main } { Memcheck:Cond obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/libc-2.5.so obj:/lib/ld-2.5.so fun:__libc_dlopen_mode fun:__nss_lookup_function obj:/lib/libc-2.5.so fun:getgrnam_r fun:getgrnam fun:get_group fun:do_init_first_time fun:init_instance fun:init_instance_handle_signals fun:tunnel_server_tcp fun:main } { Memcheck:Cond obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/libc-2.5.so obj:/lib/ld-2.5.so fun:__libc_dlopen_mode fun:__nss_lookup_function obj:/lib/libc-2.5.so fun:gethostbyname_r fun:gethostbyname fun:getaddr fun:resolve_remote fun:link_socket_init_phase1 fun:init_instance fun:init_instance_handle_signals fun:main } { Memcheck:Cond obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/libc-2.5.so obj:/lib/ld-2.5.so fun:__libc_dlopen_mode fun:__nss_lookup_function fun:__nss_next fun:gethostbyname_r fun:gethostbyname fun:getaddr fun:resolve_remote fun:link_socket_init_phase1 fun:init_instance fun:init_instance_handle_signals fun:main } { Memcheck:Cond obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/libc-2.5.so obj:/lib/ld-2.5.so fun:__libc_dlopen_mode fun:__nss_lookup_function obj:/lib/libc-2.5.so fun:getgrnam_r fun:getgrnam fun:get_group fun:do_init_first_time fun:init_instance fun:init_instance_handle_signals fun:tunnel_server_tcp fun:main } { Memcheck:Cond obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/libc-2.5.so obj:/lib/ld-2.5.so fun:__libc_dlopen_mode fun:__nss_lookup_function obj:/lib/libc-2.5.so fun:gethostbyname_r fun:gethostbyname fun:getaddr fun:resolve_remote fun:link_socket_init_phase1 fun:init_instance fun:init_instance_handle_signals fun:main } { Memcheck:Cond obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/libc-2.5.so obj:/lib/ld-2.5.so fun:__libc_dlopen_mode fun:__nss_lookup_function fun:__nss_next fun:gethostbyname_r fun:gethostbyname fun:getaddr fun:resolve_remote fun:link_socket_init_phase1 fun:init_instance fun:init_instance_handle_signals fun:main } { Memcheck:Cond obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/libc-2.5.so obj:/lib/ld-2.5.so fun:__libc_dlopen_mode fun:__nss_lookup_function obj:/lib/libc-2.5.so fun:getgrnam_r fun:getgrnam fun:get_group fun:do_init_first_time fun:init_instance fun:init_instance_handle_signals fun:tunnel_server_tcp fun:main } { Memcheck:Cond obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/libc-2.5.so obj:/lib/ld-2.5.so fun:__libc_dlopen_mode fun:__nss_lookup_function obj:/lib/libc-2.5.so fun:getgrnam_r fun:getgrnam fun:get_group fun:do_init_first_time fun:init_instance fun:init_instance_handle_signals fun:tunnel_server_udp fun:main } { Memcheck:Cond obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/libc-2.5.so obj:/lib/ld-2.5.so fun:__libc_dlopen_mode fun:__nss_lookup_function obj:/lib/libc-2.5.so fun:gethostbyname_r fun:gethostbyname fun:getaddr fun:resolve_remote fun:link_socket_init_phase1 fun:init_instance fun:init_instance_handle_signals fun:main } { Memcheck:Cond obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/libc-2.5.so obj:/lib/ld-2.5.so fun:__libc_dlopen_mode fun:__nss_lookup_function obj:/lib/libc-2.5.so fun:getpwnam_r fun:getpwnam fun:get_user fun:management_open fun:open_management fun:main } { Memcheck:Cond obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/libc-2.5.so obj:/lib/libdl-2.5.so obj:/lib/ld-2.5.so obj:/lib/libdl-2.5.so fun:dlsym fun:libdl_resolve_symbol fun:plugin_list_init fun:init_plugins fun:main } { Memcheck:Cond obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/ld-2.5.so obj:/lib/libdl-2.5.so obj:/lib/ld-2.5.so obj:/lib/libdl-2.5.so fun:dlopen fun:plugin_list_init fun:init_plugins fun:main } { Memcheck:Leak fun:malloc fun:CRYPTO_malloc fun:sk_new obj:/usr/lib/libssl.so.0.9.8 fun:SSL_COMP_get_compression_methods fun:SSL_library_init fun:init_ssl_lib fun:init_static fun:main } { Memcheck:Leak fun:malloc fun:__nss_lookup_function obj:* obj:* fun:getgrnam_r fun:getgrnam fun:get_group fun:do_init_first_time fun:init_instance fun:init_instance_handle_signals fun:main } { Memcheck:Leak fun:malloc fun:__nss_lookup_function obj:* obj:* fun:getgrnam_r fun:getgrnam fun:get_group fun:do_init_first_time fun:init_instance fun:init_instance_handle_signals fun:tunnel_server_tcp fun:main } { Memcheck:Leak fun:malloc fun:__nss_lookup_function obj:* obj:* fun:getgrnam_r fun:getgrnam fun:get_group fun:do_init_first_time fun:init_instance fun:init_instance_handle_signals fun:tunnel_server_udp fun:main } { Memcheck:Leak fun:malloc fun:__nss_lookup_function obj:* obj:* fun:getpwnam_r fun:getpwnam fun:get_user fun:management_open fun:open_management fun:main } { Memcheck:Leak fun:malloc fun:getdelim fun:getpass fun:get_console_input fun:get_user_pass fun:context_init_1 fun:main } { Memcheck:Leak fun:malloc fun:tsearch fun:__nss_lookup_function obj:* obj:* fun:getgrnam_r fun:getgrnam fun:get_group fun:do_init_first_time fun:init_instance fun:init_instance_handle_signals fun:main } { Memcheck:Leak fun:malloc fun:tsearch fun:__nss_lookup_function obj:* obj:* fun:getgrnam_r fun:getgrnam fun:get_group fun:do_init_first_time fun:init_instance fun:init_instance_handle_signals fun:tunnel_server_tcp fun:main } { Memcheck:Leak fun:malloc fun:tsearch fun:__nss_lookup_function obj:* obj:* fun:getgrnam_r fun:getgrnam fun:get_group fun:do_init_first_time fun:init_instance fun:init_instance_handle_signals fun:tunnel_server_udp fun:main } { Memcheck:Leak fun:malloc fun:tsearch fun:__nss_lookup_function obj:* obj:* fun:getgrnam_r fun:getgrnam fun:get_group fun:management_open fun:open_management fun:main } { Memcheck:Leak fun:malloc fun:tsearch fun:__nss_lookup_function obj:* obj:* fun:getpwnam_r fun:getpwnam fun:get_user fun:management_open fun:open_management fun:main } { Memcheck:Leak fun:malloc obj:/lib/libc-2.5.so fun:__nss_database_lookup obj:* obj:* fun:getgrnam_r fun:getgrnam fun:get_group fun:do_init_first_time fun:init_instance fun:init_instance_handle_signals fun:main } { Memcheck:Leak fun:malloc obj:/lib/libc-2.5.so fun:__nss_database_lookup obj:* obj:* fun:getgrnam_r fun:getgrnam fun:get_group fun:do_init_first_time fun:init_instance fun:init_instance_handle_signals fun:tunnel_server_tcp fun:main } { Memcheck:Leak fun:malloc obj:/lib/libc-2.5.so fun:__nss_database_lookup obj:* obj:* fun:getgrnam_r fun:getgrnam fun:get_group fun:do_init_first_time fun:init_instance fun:init_instance_handle_signals fun:tunnel_server_udp fun:main } { Memcheck:Leak fun:malloc obj:/lib/libc-2.5.so fun:__nss_database_lookup obj:* obj:* fun:getpwnam_r fun:getpwnam fun:get_user fun:management_open fun:open_management fun:main } { Memcheck:Leak fun:malloc obj:/lib/libc-2.7.so fun:__nss_database_lookup obj:* obj:* fun:getgrnam_r fun:getgrnam fun:get_group fun:do_init_first_time fun:init_instance fun:init_instance_handle_signals fun:tunnel_server_tcp fun:main } { Memcheck:Leak fun:malloc obj:/lib/libc-2.7.so fun:__nss_database_lookup obj:* obj:* fun:getgrnam_r fun:getgrnam fun:get_group fun:do_init_first_time fun:init_instance fun:init_instance_handle_signals fun:tunnel_server_udp fun:main } { Memcheck:Leak fun:malloc obj:/lib/libc-2.7.so fun:__nss_database_lookup obj:* obj:* fun:getpwnam_r fun:getpwnam fun:get_user fun:management_open fun:open_management fun:main } { Memcheck:Cond fun:BN_mod_inverse } { Memcheck:Cond fun:BN_div } openvpn-2.4.4/depcomp000077500000000000000000000560161316434344000145750ustar00rootroot00000000000000#! /bin/sh # depcomp - compile a program generating dependencies as side-effects scriptversion=2013-05-30.07; # UTC # Copyright (C) 1999-2013 Free Software Foundation, Inc. # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2, or (at your option) # any later version. # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # You should have received a copy of the GNU General Public License # along with this program. If not, see . # As a special exception to the GNU General Public License, if you # distribute this file as part of a program that contains a # configuration script generated by Autoconf, you may include it under # the same distribution terms that you use for the rest of that program. # Originally written by Alexandre Oliva . case $1 in '') echo "$0: No command. Try '$0 --help' for more information." 1>&2 exit 1; ;; -h | --h*) cat <<\EOF Usage: depcomp [--help] [--version] PROGRAM [ARGS] Run PROGRAMS ARGS to compile a file, generating dependencies as side-effects. Environment variables: depmode Dependency tracking mode. source Source file read by 'PROGRAMS ARGS'. object Object file output by 'PROGRAMS ARGS'. DEPDIR directory where to store dependencies. depfile Dependency file to output. tmpdepfile Temporary file to use when outputting dependencies. libtool Whether libtool is used (yes/no). Report bugs to . EOF exit $? ;; -v | --v*) echo "depcomp $scriptversion" exit $? ;; esac # Get the directory component of the given path, and save it in the # global variables '$dir'. Note that this directory component will # be either empty or ending with a '/' character. This is deliberate. set_dir_from () { case $1 in */*) dir=`echo "$1" | sed -e 's|/[^/]*$|/|'`;; *) dir=;; esac } # Get the suffix-stripped basename of the given path, and save it the # global variable '$base'. set_base_from () { base=`echo "$1" | sed -e 's|^.*/||' -e 's/\.[^.]*$//'` } # If no dependency file was actually created by the compiler invocation, # we still have to create a dummy depfile, to avoid errors with the # Makefile "include basename.Plo" scheme. make_dummy_depfile () { echo "#dummy" > "$depfile" } # Factor out some common post-processing of the generated depfile. # Requires the auxiliary global variable '$tmpdepfile' to be set. aix_post_process_depfile () { # If the compiler actually managed to produce a dependency file, # post-process it. if test -f "$tmpdepfile"; then # Each line is of the form 'foo.o: dependency.h'. # Do two passes, one to just change these to # $object: dependency.h # and one to simply output # dependency.h: # which is needed to avoid the deleted-header problem. { sed -e "s,^.*\.[$lower]*:,$object:," < "$tmpdepfile" sed -e "s,^.*\.[$lower]*:[$tab ]*,," -e 's,$,:,' < "$tmpdepfile" } > "$depfile" rm -f "$tmpdepfile" else make_dummy_depfile fi } # A tabulation character. tab=' ' # A newline character. nl=' ' # Character ranges might be problematic outside the C locale. # These definitions help. upper=ABCDEFGHIJKLMNOPQRSTUVWXYZ lower=abcdefghijklmnopqrstuvwxyz digits=0123456789 alpha=${upper}${lower} if test -z "$depmode" || test -z "$source" || test -z "$object"; then echo "depcomp: Variables source, object and depmode must be set" 1>&2 exit 1 fi # Dependencies for sub/bar.o or sub/bar.obj go into sub/.deps/bar.Po. depfile=${depfile-`echo "$object" | sed 's|[^\\/]*$|'${DEPDIR-.deps}'/&|;s|\.\([^.]*\)$|.P\1|;s|Pobj$|Po|'`} tmpdepfile=${tmpdepfile-`echo "$depfile" | sed 's/\.\([^.]*\)$/.T\1/'`} rm -f "$tmpdepfile" # Avoid interferences from the environment. gccflag= dashmflag= # Some modes work just like other modes, but use different flags. We # parameterize here, but still list the modes in the big case below, # to make depend.m4 easier to write. Note that we *cannot* use a case # here, because this file can only contain one case statement. if test "$depmode" = hp; then # HP compiler uses -M and no extra arg. gccflag=-M depmode=gcc fi if test "$depmode" = dashXmstdout; then # This is just like dashmstdout with a different argument. dashmflag=-xM depmode=dashmstdout fi cygpath_u="cygpath -u -f -" if test "$depmode" = msvcmsys; then # This is just like msvisualcpp but w/o cygpath translation. # Just convert the backslash-escaped backslashes to single forward # slashes to satisfy depend.m4 cygpath_u='sed s,\\\\,/,g' depmode=msvisualcpp fi if test "$depmode" = msvc7msys; then # This is just like msvc7 but w/o cygpath translation. # Just convert the backslash-escaped backslashes to single forward # slashes to satisfy depend.m4 cygpath_u='sed s,\\\\,/,g' depmode=msvc7 fi if test "$depmode" = xlc; then # IBM C/C++ Compilers xlc/xlC can output gcc-like dependency information. gccflag=-qmakedep=gcc,-MF depmode=gcc fi case "$depmode" in gcc3) ## gcc 3 implements dependency tracking that does exactly what ## we want. Yay! Note: for some reason libtool 1.4 doesn't like ## it if -MD -MP comes after the -MF stuff. Hmm. ## Unfortunately, FreeBSD c89 acceptance of flags depends upon ## the command line argument order; so add the flags where they ## appear in depend2.am. Note that the slowdown incurred here ## affects only configure: in makefiles, %FASTDEP% shortcuts this. for arg do case $arg in -c) set fnord "$@" -MT "$object" -MD -MP -MF "$tmpdepfile" "$arg" ;; *) set fnord "$@" "$arg" ;; esac shift # fnord shift # $arg done "$@" stat=$? if test $stat -ne 0; then rm -f "$tmpdepfile" exit $stat fi mv "$tmpdepfile" "$depfile" ;; gcc) ## Note that this doesn't just cater to obsosete pre-3.x GCC compilers. ## but also to in-use compilers like IMB xlc/xlC and the HP C compiler. ## (see the conditional assignment to $gccflag above). ## There are various ways to get dependency output from gcc. Here's ## why we pick this rather obscure method: ## - Don't want to use -MD because we'd like the dependencies to end ## up in a subdir. Having to rename by hand is ugly. ## (We might end up doing this anyway to support other compilers.) ## - The DEPENDENCIES_OUTPUT environment variable makes gcc act like ## -MM, not -M (despite what the docs say). Also, it might not be ## supported by the other compilers which use the 'gcc' depmode. ## - Using -M directly means running the compiler twice (even worse ## than renaming). if test -z "$gccflag"; then gccflag=-MD, fi "$@" -Wp,"$gccflag$tmpdepfile" stat=$? if test $stat -ne 0; then rm -f "$tmpdepfile" exit $stat fi rm -f "$depfile" echo "$object : \\" > "$depfile" # The second -e expression handles DOS-style file names with drive # letters. sed -e 's/^[^:]*: / /' \ -e 's/^['$alpha']:\/[^:]*: / /' < "$tmpdepfile" >> "$depfile" ## This next piece of magic avoids the "deleted header file" problem. ## The problem is that when a header file which appears in a .P file ## is deleted, the dependency causes make to die (because there is ## typically no way to rebuild the header). We avoid this by adding ## dummy dependencies for each header file. Too bad gcc doesn't do ## this for us directly. ## Some versions of gcc put a space before the ':'. On the theory ## that the space means something, we add a space to the output as ## well. hp depmode also adds that space, but also prefixes the VPATH ## to the object. Take care to not repeat it in the output. ## Some versions of the HPUX 10.20 sed can't process this invocation ## correctly. Breaking it into two sed invocations is a workaround. tr ' ' "$nl" < "$tmpdepfile" \ | sed -e 's/^\\$//' -e '/^$/d' -e "s|.*$object$||" -e '/:$/d' \ | sed -e 's/$/ :/' >> "$depfile" rm -f "$tmpdepfile" ;; hp) # This case exists only to let depend.m4 do its work. It works by # looking at the text of this script. This case will never be run, # since it is checked for above. exit 1 ;; sgi) if test "$libtool" = yes; then "$@" "-Wp,-MDupdate,$tmpdepfile" else "$@" -MDupdate "$tmpdepfile" fi stat=$? if test $stat -ne 0; then rm -f "$tmpdepfile" exit $stat fi rm -f "$depfile" if test -f "$tmpdepfile"; then # yes, the sourcefile depend on other files echo "$object : \\" > "$depfile" # Clip off the initial element (the dependent). Don't try to be # clever and replace this with sed code, as IRIX sed won't handle # lines with more than a fixed number of characters (4096 in # IRIX 6.2 sed, 8192 in IRIX 6.5). We also remove comment lines; # the IRIX cc adds comments like '#:fec' to the end of the # dependency line. tr ' ' "$nl" < "$tmpdepfile" \ | sed -e 's/^.*\.o://' -e 's/#.*$//' -e '/^$/ d' \ | tr "$nl" ' ' >> "$depfile" echo >> "$depfile" # The second pass generates a dummy entry for each header file. tr ' ' "$nl" < "$tmpdepfile" \ | sed -e 's/^.*\.o://' -e 's/#.*$//' -e '/^$/ d' -e 's/$/:/' \ >> "$depfile" else make_dummy_depfile fi rm -f "$tmpdepfile" ;; xlc) # This case exists only to let depend.m4 do its work. It works by # looking at the text of this script. This case will never be run, # since it is checked for above. exit 1 ;; aix) # The C for AIX Compiler uses -M and outputs the dependencies # in a .u file. In older versions, this file always lives in the # current directory. Also, the AIX compiler puts '$object:' at the # start of each line; $object doesn't have directory information. # Version 6 uses the directory in both cases. set_dir_from "$object" set_base_from "$object" if test "$libtool" = yes; then tmpdepfile1=$dir$base.u tmpdepfile2=$base.u tmpdepfile3=$dir.libs/$base.u "$@" -Wc,-M else tmpdepfile1=$dir$base.u tmpdepfile2=$dir$base.u tmpdepfile3=$dir$base.u "$@" -M fi stat=$? if test $stat -ne 0; then rm -f "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3" exit $stat fi for tmpdepfile in "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3" do test -f "$tmpdepfile" && break done aix_post_process_depfile ;; tcc) # tcc (Tiny C Compiler) understand '-MD -MF file' since version 0.9.26 # FIXME: That version still under development at the moment of writing. # Make that this statement remains true also for stable, released # versions. # It will wrap lines (doesn't matter whether long or short) with a # trailing '\', as in: # # foo.o : \ # foo.c \ # foo.h \ # # It will put a trailing '\' even on the last line, and will use leading # spaces rather than leading tabs (at least since its commit 0394caf7 # "Emit spaces for -MD"). "$@" -MD -MF "$tmpdepfile" stat=$? if test $stat -ne 0; then rm -f "$tmpdepfile" exit $stat fi rm -f "$depfile" # Each non-empty line is of the form 'foo.o : \' or ' dep.h \'. # We have to change lines of the first kind to '$object: \'. sed -e "s|.*:|$object :|" < "$tmpdepfile" > "$depfile" # And for each line of the second kind, we have to emit a 'dep.h:' # dummy dependency, to avoid the deleted-header problem. sed -n -e 's|^ *\(.*\) *\\$|\1:|p' < "$tmpdepfile" >> "$depfile" rm -f "$tmpdepfile" ;; ## The order of this option in the case statement is important, since the ## shell code in configure will try each of these formats in the order ## listed in this file. A plain '-MD' option would be understood by many ## compilers, so we must ensure this comes after the gcc and icc options. pgcc) # Portland's C compiler understands '-MD'. # Will always output deps to 'file.d' where file is the root name of the # source file under compilation, even if file resides in a subdirectory. # The object file name does not affect the name of the '.d' file. # pgcc 10.2 will output # foo.o: sub/foo.c sub/foo.h # and will wrap long lines using '\' : # foo.o: sub/foo.c ... \ # sub/foo.h ... \ # ... set_dir_from "$object" # Use the source, not the object, to determine the base name, since # that's sadly what pgcc will do too. set_base_from "$source" tmpdepfile=$base.d # For projects that build the same source file twice into different object # files, the pgcc approach of using the *source* file root name can cause # problems in parallel builds. Use a locking strategy to avoid stomping on # the same $tmpdepfile. lockdir=$base.d-lock trap " echo '$0: caught signal, cleaning up...' >&2 rmdir '$lockdir' exit 1 " 1 2 13 15 numtries=100 i=$numtries while test $i -gt 0; do # mkdir is a portable test-and-set. if mkdir "$lockdir" 2>/dev/null; then # This process acquired the lock. "$@" -MD stat=$? # Release the lock. rmdir "$lockdir" break else # If the lock is being held by a different process, wait # until the winning process is done or we timeout. while test -d "$lockdir" && test $i -gt 0; do sleep 1 i=`expr $i - 1` done fi i=`expr $i - 1` done trap - 1 2 13 15 if test $i -le 0; then echo "$0: failed to acquire lock after $numtries attempts" >&2 echo "$0: check lockdir '$lockdir'" >&2 exit 1 fi if test $stat -ne 0; then rm -f "$tmpdepfile" exit $stat fi rm -f "$depfile" # Each line is of the form `foo.o: dependent.h', # or `foo.o: dep1.h dep2.h \', or ` dep3.h dep4.h \'. # Do two passes, one to just change these to # `$object: dependent.h' and one to simply `dependent.h:'. sed "s,^[^:]*:,$object :," < "$tmpdepfile" > "$depfile" # Some versions of the HPUX 10.20 sed can't process this invocation # correctly. Breaking it into two sed invocations is a workaround. sed 's,^[^:]*: \(.*\)$,\1,;s/^\\$//;/^$/d;/:$/d' < "$tmpdepfile" \ | sed -e 's/$/ :/' >> "$depfile" rm -f "$tmpdepfile" ;; hp2) # The "hp" stanza above does not work with aCC (C++) and HP's ia64 # compilers, which have integrated preprocessors. The correct option # to use with these is +Maked; it writes dependencies to a file named # 'foo.d', which lands next to the object file, wherever that # happens to be. # Much of this is similar to the tru64 case; see comments there. set_dir_from "$object" set_base_from "$object" if test "$libtool" = yes; then tmpdepfile1=$dir$base.d tmpdepfile2=$dir.libs/$base.d "$@" -Wc,+Maked else tmpdepfile1=$dir$base.d tmpdepfile2=$dir$base.d "$@" +Maked fi stat=$? if test $stat -ne 0; then rm -f "$tmpdepfile1" "$tmpdepfile2" exit $stat fi for tmpdepfile in "$tmpdepfile1" "$tmpdepfile2" do test -f "$tmpdepfile" && break done if test -f "$tmpdepfile"; then sed -e "s,^.*\.[$lower]*:,$object:," "$tmpdepfile" > "$depfile" # Add 'dependent.h:' lines. sed -ne '2,${ s/^ *// s/ \\*$// s/$/:/ p }' "$tmpdepfile" >> "$depfile" else make_dummy_depfile fi rm -f "$tmpdepfile" "$tmpdepfile2" ;; tru64) # The Tru64 compiler uses -MD to generate dependencies as a side # effect. 'cc -MD -o foo.o ...' puts the dependencies into 'foo.o.d'. # At least on Alpha/Redhat 6.1, Compaq CCC V6.2-504 seems to put # dependencies in 'foo.d' instead, so we check for that too. # Subdirectories are respected. set_dir_from "$object" set_base_from "$object" if test "$libtool" = yes; then # Libtool generates 2 separate objects for the 2 libraries. These # two compilations output dependencies in $dir.libs/$base.o.d and # in $dir$base.o.d. We have to check for both files, because # one of the two compilations can be disabled. We should prefer # $dir$base.o.d over $dir.libs/$base.o.d because the latter is # automatically cleaned when .libs/ is deleted, while ignoring # the former would cause a distcleancheck panic. tmpdepfile1=$dir$base.o.d # libtool 1.5 tmpdepfile2=$dir.libs/$base.o.d # Likewise. tmpdepfile3=$dir.libs/$base.d # Compaq CCC V6.2-504 "$@" -Wc,-MD else tmpdepfile1=$dir$base.d tmpdepfile2=$dir$base.d tmpdepfile3=$dir$base.d "$@" -MD fi stat=$? if test $stat -ne 0; then rm -f "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3" exit $stat fi for tmpdepfile in "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3" do test -f "$tmpdepfile" && break done # Same post-processing that is required for AIX mode. aix_post_process_depfile ;; msvc7) if test "$libtool" = yes; then showIncludes=-Wc,-showIncludes else showIncludes=-showIncludes fi "$@" $showIncludes > "$tmpdepfile" stat=$? grep -v '^Note: including file: ' "$tmpdepfile" if test $stat -ne 0; then rm -f "$tmpdepfile" exit $stat fi rm -f "$depfile" echo "$object : \\" > "$depfile" # The first sed program below extracts the file names and escapes # backslashes for cygpath. The second sed program outputs the file # name when reading, but also accumulates all include files in the # hold buffer in order to output them again at the end. This only # works with sed implementations that can handle large buffers. sed < "$tmpdepfile" -n ' /^Note: including file: *\(.*\)/ { s//\1/ s/\\/\\\\/g p }' | $cygpath_u | sort -u | sed -n ' s/ /\\ /g s/\(.*\)/'"$tab"'\1 \\/p s/.\(.*\) \\/\1:/ H $ { s/.*/'"$tab"'/ G p }' >> "$depfile" echo >> "$depfile" # make sure the fragment doesn't end with a backslash rm -f "$tmpdepfile" ;; msvc7msys) # This case exists only to let depend.m4 do its work. It works by # looking at the text of this script. This case will never be run, # since it is checked for above. exit 1 ;; #nosideeffect) # This comment above is used by automake to tell side-effect # dependency tracking mechanisms from slower ones. dashmstdout) # Important note: in order to support this mode, a compiler *must* # always write the preprocessed file to stdout, regardless of -o. "$@" || exit $? # Remove the call to Libtool. if test "$libtool" = yes; then while test "X$1" != 'X--mode=compile'; do shift done shift fi # Remove '-o $object'. IFS=" " for arg do case $arg in -o) shift ;; $object) shift ;; *) set fnord "$@" "$arg" shift # fnord shift # $arg ;; esac done test -z "$dashmflag" && dashmflag=-M # Require at least two characters before searching for ':' # in the target name. This is to cope with DOS-style filenames: # a dependency such as 'c:/foo/bar' could be seen as target 'c' otherwise. "$@" $dashmflag | sed "s|^[$tab ]*[^:$tab ][^:][^:]*:[$tab ]*|$object: |" > "$tmpdepfile" rm -f "$depfile" cat < "$tmpdepfile" > "$depfile" # Some versions of the HPUX 10.20 sed can't process this sed invocation # correctly. Breaking it into two sed invocations is a workaround. tr ' ' "$nl" < "$tmpdepfile" \ | sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' \ | sed -e 's/$/ :/' >> "$depfile" rm -f "$tmpdepfile" ;; dashXmstdout) # This case only exists to satisfy depend.m4. It is never actually # run, as this mode is specially recognized in the preamble. exit 1 ;; makedepend) "$@" || exit $? # Remove any Libtool call if test "$libtool" = yes; then while test "X$1" != 'X--mode=compile'; do shift done shift fi # X makedepend shift cleared=no eat=no for arg do case $cleared in no) set ""; shift cleared=yes ;; esac if test $eat = yes; then eat=no continue fi case "$arg" in -D*|-I*) set fnord "$@" "$arg"; shift ;; # Strip any option that makedepend may not understand. Remove # the object too, otherwise makedepend will parse it as a source file. -arch) eat=yes ;; -*|$object) ;; *) set fnord "$@" "$arg"; shift ;; esac done obj_suffix=`echo "$object" | sed 's/^.*\././'` touch "$tmpdepfile" ${MAKEDEPEND-makedepend} -o"$obj_suffix" -f"$tmpdepfile" "$@" rm -f "$depfile" # makedepend may prepend the VPATH from the source file name to the object. # No need to regex-escape $object, excess matching of '.' is harmless. sed "s|^.*\($object *:\)|\1|" "$tmpdepfile" > "$depfile" # Some versions of the HPUX 10.20 sed can't process the last invocation # correctly. Breaking it into two sed invocations is a workaround. sed '1,2d' "$tmpdepfile" \ | tr ' ' "$nl" \ | sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' \ | sed -e 's/$/ :/' >> "$depfile" rm -f "$tmpdepfile" "$tmpdepfile".bak ;; cpp) # Important note: in order to support this mode, a compiler *must* # always write the preprocessed file to stdout. "$@" || exit $? # Remove the call to Libtool. if test "$libtool" = yes; then while test "X$1" != 'X--mode=compile'; do shift done shift fi # Remove '-o $object'. IFS=" " for arg do case $arg in -o) shift ;; $object) shift ;; *) set fnord "$@" "$arg" shift # fnord shift # $arg ;; esac done "$@" -E \ | sed -n -e '/^# [0-9][0-9]* "\([^"]*\)".*/ s:: \1 \\:p' \ -e '/^#line [0-9][0-9]* "\([^"]*\)".*/ s:: \1 \\:p' \ | sed '$ s: \\$::' > "$tmpdepfile" rm -f "$depfile" echo "$object : \\" > "$depfile" cat < "$tmpdepfile" >> "$depfile" sed < "$tmpdepfile" '/^$/d;s/^ //;s/ \\$//;s/$/ :/' >> "$depfile" rm -f "$tmpdepfile" ;; msvisualcpp) # Important note: in order to support this mode, a compiler *must* # always write the preprocessed file to stdout. "$@" || exit $? # Remove the call to Libtool. if test "$libtool" = yes; then while test "X$1" != 'X--mode=compile'; do shift done shift fi IFS=" " for arg do case "$arg" in -o) shift ;; $object) shift ;; "-Gm"|"/Gm"|"-Gi"|"/Gi"|"-ZI"|"/ZI") set fnord "$@" shift shift ;; *) set fnord "$@" "$arg" shift shift ;; esac done "$@" -E 2>/dev/null | sed -n '/^#line [0-9][0-9]* "\([^"]*\)"/ s::\1:p' | $cygpath_u | sort -u > "$tmpdepfile" rm -f "$depfile" echo "$object : \\" > "$depfile" sed < "$tmpdepfile" -n -e 's% %\\ %g' -e '/^\(.*\)$/ s::'"$tab"'\1 \\:p' >> "$depfile" echo "$tab" >> "$depfile" sed < "$tmpdepfile" -n -e 's% %\\ %g' -e '/^\(.*\)$/ s::\1\::p' >> "$depfile" rm -f "$tmpdepfile" ;; msvcmsys) # This case exists only to let depend.m4 do its work. It works by # looking at the text of this script. This case will never be run, # since it is checked for above. exit 1 ;; none) exec "$@" ;; *) echo "Unknown depmode $depmode" 1>&2 exit 1 ;; esac exit 0 # Local Variables: # mode: shell-script # sh-indentation: 2 # eval: (add-hook 'write-file-hooks 'time-stamp) # time-stamp-start: "scriptversion=" # time-stamp-format: "%:y-%02m-%02d.%02H" # time-stamp-time-zone: "UTC" # time-stamp-end: "; # UTC" # End: openvpn-2.4.4/distro/000077500000000000000000000000001316434344000145145ustar00rootroot00000000000000openvpn-2.4.4/distro/Makefile.am000066400000000000000000000007561316434344000165600ustar00rootroot00000000000000# # OpenVPN -- An application to securely tunnel IP networks # over a single UDP port, with support for SSL/TLS-based # session authentication and key exchange, # packet encryption, packet authentication, and # packet compression. # # Copyright (C) 2002-2017 OpenVPN Technologies, Inc. # Copyright (C) 2006-2012 Alon Bar-Lev # MAINTAINERCLEANFILES = \ $(srcdir)/Makefile.in SUBDIRS = rpm systemd openvpn-2.4.4/distro/Makefile.in000066400000000000000000000510011316434344000165560ustar00rootroot00000000000000# Makefile.in generated by automake 1.14.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2013 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY, to the extent permitted by law; without # even the implied warranty of MERCHANTABILITY or FITNESS FOR A # PARTICULAR PURPOSE. @SET_MAKE@ # # OpenVPN -- An application to securely tunnel IP networks # over a single UDP port, with support for SSL/TLS-based # session authentication and key exchange, # packet encryption, packet authentication, and # packet compression. # # Copyright (C) 2002-2017 OpenVPN Technologies, Inc. # Copyright (C) 2006-2012 Alon Bar-Lev # VPATH = @srcdir@ am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ *) echo "am__make_running_with_option: internal error: invalid" \ "target option '$${target_option-}' specified" >&2; \ exit 1;; \ esac; \ has_opt=no; \ sane_makeflags=$$MAKEFLAGS; \ if $(am__is_gnu_make); then \ sane_makeflags=$$MFLAGS; \ else \ case $$MAKEFLAGS in \ *\\[\ \ ]*) \ bs=\\; \ sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ esac; \ fi; \ skip_next=no; \ strip_trailopt () \ { \ flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ }; \ for flg in $$sane_makeflags; do \ test $$skip_next = yes && { skip_next=no; continue; }; \ case $$flg in \ *=*|--*) continue;; \ -*I) strip_trailopt 'I'; skip_next=yes;; \ -*I?*) strip_trailopt 'I';; \ -*O) strip_trailopt 'O'; skip_next=yes;; \ -*O?*) strip_trailopt 'O';; \ -*l) strip_trailopt 'l'; skip_next=yes;; \ -*l?*) strip_trailopt 'l';; \ -[dEDm]) skip_next=yes;; \ -[JT]) skip_next=yes;; \ esac; \ case $$flg in \ *$$target_option*) has_opt=yes; break;; \ esac; \ done; \ test $$has_opt = yes am__make_dryrun = (target_option=n; $(am__make_running_with_option)) am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) pkgdatadir = $(datadir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ pkglibdir = $(libdir)/@PACKAGE@ pkglibexecdir = $(libexecdir)/@PACKAGE@ am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c install_sh_SCRIPT = $(install_sh) -c INSTALL_HEADER = $(INSTALL_DATA) transform = $(program_transform_name) NORMAL_INSTALL = : PRE_INSTALL = : POST_INSTALL = : NORMAL_UNINSTALL = : PRE_UNINSTALL = : POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = distro DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/ax_emptyarray.m4 \ $(top_srcdir)/m4/ax_socklen_t.m4 \ $(top_srcdir)/m4/ax_varargs.m4 $(top_srcdir)/m4/libtool.m4 \ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ $(top_srcdir)/m4/pkg.m4 $(top_srcdir)/version.m4 \ $(top_srcdir)/compat.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h \ $(top_builddir)/include/openvpn-plugin.h CONFIG_CLEAN_FILES = CONFIG_CLEAN_VPATH_FILES = AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false am__v_P_1 = : AM_V_GEN = $(am__v_GEN_@AM_V@) am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) am__v_GEN_0 = @echo " GEN " $@; am__v_GEN_1 = AM_V_at = $(am__v_at_@AM_V@) am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) am__v_at_0 = @ am__v_at_1 = SOURCES = DIST_SOURCES = RECURSIVE_TARGETS = all-recursive check-recursive cscopelist-recursive \ ctags-recursive dvi-recursive html-recursive info-recursive \ install-data-recursive install-dvi-recursive \ install-exec-recursive install-html-recursive \ install-info-recursive install-pdf-recursive \ install-ps-recursive install-recursive installcheck-recursive \ installdirs-recursive pdf-recursive ps-recursive \ tags-recursive uninstall-recursive am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ *) (install-info --version) >/dev/null 2>&1;; \ esac RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive \ distclean-recursive maintainer-clean-recursive am__recursive_targets = \ $(RECURSIVE_TARGETS) \ $(RECURSIVE_CLEAN_TARGETS) \ $(am__extra_recursive_targets) AM_RECURSIVE_TARGETS = $(am__recursive_targets:-recursive=) TAGS CTAGS \ distdir am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) # Read a list of newline-separated strings from the standard input, # and print each of them once, without duplicates. Input order is # *not* preserved. am__uniquify_input = $(AWK) '\ BEGIN { nonempty = 0; } \ { items[$$0] = 1; nonempty = 1; } \ END { if (nonempty) { for (i in items) print i; }; } \ ' # Make sure the list of sources is unique. This is necessary because, # e.g., the same source file might be shared among _SOURCES variables # for different programs/libraries. am__define_uniq_tagged_files = \ list='$(am__tagged_files)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags DIST_SUBDIRS = $(SUBDIRS) DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) am__relativize = \ dir0=`pwd`; \ sed_first='s,^\([^/]*\)/.*$$,\1,'; \ sed_rest='s,^[^/]*/*,,'; \ sed_last='s,^.*/\([^/]*\)$$,\1,'; \ sed_butlast='s,/*[^/]*$$,,'; \ while test -n "$$dir1"; do \ first=`echo "$$dir1" | sed -e "$$sed_first"`; \ if test "$$first" != "."; then \ if test "$$first" = ".."; then \ dir2=`echo "$$dir0" | sed -e "$$sed_last"`/"$$dir2"; \ dir0=`echo "$$dir0" | sed -e "$$sed_butlast"`; \ else \ first2=`echo "$$dir2" | sed -e "$$sed_first"`; \ if test "$$first2" = "$$first"; then \ dir2=`echo "$$dir2" | sed -e "$$sed_rest"`; \ else \ dir2="../$$dir2"; \ fi; \ dir0="$$dir0"/"$$first"; \ fi; \ fi; \ dir1=`echo "$$dir1" | sed -e "$$sed_rest"`; \ done; \ reldir="$$dir2" ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ AS = @AS@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ CMAKE = @CMAKE@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ DL_LIBS = @DL_LIBS@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ GIT = @GIT@ GREP = @GREP@ IFCONFIG = @IFCONFIG@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ IPROUTE = @IPROUTE@ LD = @LD@ LDFLAGS = @LDFLAGS@ LIBOBJS = @LIBOBJS@ LIBPAM_CFLAGS = @LIBPAM_CFLAGS@ LIBPAM_LIBS = @LIBPAM_LIBS@ LIBS = @LIBS@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ LZ4_CFLAGS = @LZ4_CFLAGS@ LZ4_LIBS = @LZ4_LIBS@ LZO_CFLAGS = @LZO_CFLAGS@ LZO_LIBS = @LZO_LIBS@ MAKEINFO = @MAKEINFO@ MAN2HTML = @MAN2HTML@ MANIFEST_TOOL = @MANIFEST_TOOL@ MBEDTLS_CFLAGS = @MBEDTLS_CFLAGS@ MBEDTLS_LIBS = @MBEDTLS_LIBS@ MKDIR_P = @MKDIR_P@ NETSTAT = @NETSTAT@ NM = @NM@ NMEDIT = @NMEDIT@ OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ OPENSSL_CFLAGS = @OPENSSL_CFLAGS@ OPENSSL_LIBS = @OPENSSL_LIBS@ OPENVPN_VERSION_MAJOR = @OPENVPN_VERSION_MAJOR@ OPENVPN_VERSION_MINOR = @OPENVPN_VERSION_MINOR@ OPENVPN_VERSION_PATCH = @OPENVPN_VERSION_PATCH@ OPTIONAL_CRYPTO_CFLAGS = @OPTIONAL_CRYPTO_CFLAGS@ OPTIONAL_CRYPTO_LIBS = @OPTIONAL_CRYPTO_LIBS@ OPTIONAL_DL_LIBS = @OPTIONAL_DL_LIBS@ OPTIONAL_LZ4_CFLAGS = @OPTIONAL_LZ4_CFLAGS@ OPTIONAL_LZ4_LIBS = @OPTIONAL_LZ4_LIBS@ OPTIONAL_LZO_CFLAGS = @OPTIONAL_LZO_CFLAGS@ OPTIONAL_LZO_LIBS = @OPTIONAL_LZO_LIBS@ OPTIONAL_PKCS11_HELPER_CFLAGS = @OPTIONAL_PKCS11_HELPER_CFLAGS@ OPTIONAL_PKCS11_HELPER_LIBS = @OPTIONAL_PKCS11_HELPER_LIBS@ OPTIONAL_SELINUX_LIBS = @OPTIONAL_SELINUX_LIBS@ OPTIONAL_SYSTEMD_LIBS = @OPTIONAL_SYSTEMD_LIBS@ OTOOL = @OTOOL@ OTOOL64 = @OTOOL64@ P11KIT_CFLAGS = @P11KIT_CFLAGS@ P11KIT_LIBS = @P11KIT_LIBS@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PKCS11_HELPER_CFLAGS = @PKCS11_HELPER_CFLAGS@ PKCS11_HELPER_LIBS = @PKCS11_HELPER_LIBS@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGINDIR = @PLUGINDIR@ PLUGIN_AUTH_PAM_CFLAGS = @PLUGIN_AUTH_PAM_CFLAGS@ PLUGIN_AUTH_PAM_LIBS = @PLUGIN_AUTH_PAM_LIBS@ RANLIB = @RANLIB@ RC = @RC@ ROUTE = @ROUTE@ SED = @SED@ SELINUX_LIBS = @SELINUX_LIBS@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ SOCKETS_LIBS = @SOCKETS_LIBS@ STRIP = @STRIP@ SYSTEMD_ASK_PASSWORD = @SYSTEMD_ASK_PASSWORD@ SYSTEMD_UNIT_DIR = @SYSTEMD_UNIT_DIR@ TAP_CFLAGS = @TAP_CFLAGS@ TAP_WIN_COMPONENT_ID = @TAP_WIN_COMPONENT_ID@ TAP_WIN_MIN_MAJOR = @TAP_WIN_MIN_MAJOR@ TAP_WIN_MIN_MINOR = @TAP_WIN_MIN_MINOR@ TEST_CFLAGS = @TEST_CFLAGS@ TEST_LDFLAGS = @TEST_LDFLAGS@ TMPFILES_DIR = @TMPFILES_DIR@ VENDOR_BUILD_ROOT = @VENDOR_BUILD_ROOT@ VENDOR_DIST_ROOT = @VENDOR_DIST_ROOT@ VENDOR_SRC_ROOT = @VENDOR_SRC_ROOT@ VERSION = @VERSION@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ ac_ct_AR = @ac_ct_AR@ ac_ct_CC = @ac_ct_CC@ ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ am__include = @am__include@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ am__tar = @am__tar@ am__untar = @am__untar@ bindir = @bindir@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ datadir = @datadir@ datarootdir = @datarootdir@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ host_os = @host_os@ host_vendor = @host_vendor@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ libdir = @libdir@ libexecdir = @libexecdir@ libsystemd_CFLAGS = @libsystemd_CFLAGS@ libsystemd_LIBS = @libsystemd_LIBS@ localedir = @localedir@ localstatedir = @localstatedir@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ pdfdir = @pdfdir@ plugindir = @plugindir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ sampledir = @sampledir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ systemdunitdir = @systemdunitdir@ target_alias = @target_alias@ tmpfilesdir = @tmpfilesdir@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ MAINTAINERCLEANFILES = \ $(srcdir)/Makefile.in SUBDIRS = rpm systemd all: all-recursive .SUFFIXES: $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) @for dep in $?; do \ case '$(am__configure_deps)' in \ *$$dep*) \ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ && { if test -f $@; then exit 0; else break; fi; }; \ exit 1;; \ esac; \ done; \ echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign distro/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --foreign distro/Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ *) \ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(top_srcdir)/configure: $(am__configure_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(ACLOCAL_M4): $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(am__aclocal_m4_deps): mostlyclean-libtool: -rm -f *.lo clean-libtool: -rm -rf .libs _libs # This directory's subdirectories are mostly independent; you can cd # into them and run 'make' without going through this Makefile. # To change the values of 'make' variables: instead of editing Makefiles, # (1) if the variable is set in 'config.status', edit 'config.status' # (which will cause the Makefiles to be regenerated when you run 'make'); # (2) otherwise, pass the desired values on the 'make' command line. $(am__recursive_targets): @fail=; \ if $(am__make_keepgoing); then \ failcom='fail=yes'; \ else \ failcom='exit 1'; \ fi; \ dot_seen=no; \ target=`echo $@ | sed s/-recursive//`; \ case "$@" in \ distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \ *) list='$(SUBDIRS)' ;; \ esac; \ for subdir in $$list; do \ echo "Making $$target in $$subdir"; \ if test "$$subdir" = "."; then \ dot_seen=yes; \ local_target="$$target-am"; \ else \ local_target="$$target"; \ fi; \ ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ || eval $$failcom; \ done; \ if test "$$dot_seen" = "no"; then \ $(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \ fi; test -z "$$fail" ID: $(am__tagged_files) $(am__define_uniq_tagged_files); mkid -fID $$unique tags: tags-recursive TAGS: tags tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) set x; \ here=`pwd`; \ if ($(ETAGS) --etags-include --version) >/dev/null 2>&1; then \ include_option=--etags-include; \ empty_fix=.; \ else \ include_option=--include; \ empty_fix=; \ fi; \ list='$(SUBDIRS)'; for subdir in $$list; do \ if test "$$subdir" = .; then :; else \ test ! -f $$subdir/TAGS || \ set "$$@" "$$include_option=$$here/$$subdir/TAGS"; \ fi; \ done; \ $(am__define_uniq_tagged_files); \ shift; \ if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ test -n "$$unique" || unique=$$empty_fix; \ if test $$# -gt 0; then \ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ "$$@" $$unique; \ else \ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ $$unique; \ fi; \ fi ctags: ctags-recursive CTAGS: ctags ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) $(am__define_uniq_tagged_files); \ test -z "$(CTAGS_ARGS)$$unique" \ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ $$unique GTAGS: here=`$(am__cd) $(top_builddir) && pwd` \ && $(am__cd) $(top_srcdir) \ && gtags -i $(GTAGS_ARGS) "$$here" cscopelist: cscopelist-recursive cscopelist-am: $(am__tagged_files) list='$(am__tagged_files)'; \ case "$(srcdir)" in \ [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \ *) sdir=$(subdir)/$(srcdir) ;; \ esac; \ for i in $$list; do \ if test -f "$$i"; then \ echo "$(subdir)/$$i"; \ else \ echo "$$sdir/$$i"; \ fi; \ done >> $(top_builddir)/cscope.files distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags distdir: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ dist_files=`for file in $$list; do echo $$file; done | \ sed -e "s|^$$srcdirstrip/||;t" \ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ case $$dist_files in \ */*) $(MKDIR_P) `echo "$$dist_files" | \ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ sort -u` ;; \ esac; \ for file in $$dist_files; do \ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ if test -d $$d/$$file; then \ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ if test -d "$(distdir)/$$file"; then \ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ else \ test -f "$(distdir)/$$file" \ || cp -p $$d/$$file "$(distdir)/$$file" \ || exit 1; \ fi; \ done @list='$(DIST_SUBDIRS)'; for subdir in $$list; do \ if test "$$subdir" = .; then :; else \ $(am__make_dryrun) \ || test -d "$(distdir)/$$subdir" \ || $(MKDIR_P) "$(distdir)/$$subdir" \ || exit 1; \ dir1=$$subdir; dir2="$(distdir)/$$subdir"; \ $(am__relativize); \ new_distdir=$$reldir; \ dir1=$$subdir; dir2="$(top_distdir)"; \ $(am__relativize); \ new_top_distdir=$$reldir; \ echo " (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) top_distdir="$$new_top_distdir" distdir="$$new_distdir" \\"; \ echo " am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)"; \ ($(am__cd) $$subdir && \ $(MAKE) $(AM_MAKEFLAGS) \ top_distdir="$$new_top_distdir" \ distdir="$$new_distdir" \ am__remove_distdir=: \ am__skip_length_check=: \ am__skip_mode_fix=: \ distdir) \ || exit 1; \ fi; \ done check-am: all-am check: check-recursive all-am: Makefile installdirs: installdirs-recursive installdirs-am: install: install-recursive install-exec: install-exec-recursive install-data: install-data-recursive uninstall: uninstall-recursive install-am: all-am @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am installcheck: installcheck-recursive install-strip: if test -z '$(STRIP)'; then \ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ install; \ else \ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ fi mostlyclean-generic: clean-generic: distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @echo "it deletes files that may require special tools to rebuild." -test -z "$(MAINTAINERCLEANFILES)" || rm -f $(MAINTAINERCLEANFILES) clean: clean-recursive clean-am: clean-generic clean-libtool mostlyclean-am distclean: distclean-recursive -rm -f Makefile distclean-am: clean-am distclean-generic distclean-tags dvi: dvi-recursive dvi-am: html: html-recursive html-am: info: info-recursive info-am: install-data-am: install-dvi: install-dvi-recursive install-dvi-am: install-exec-am: install-html: install-html-recursive install-html-am: install-info: install-info-recursive install-info-am: install-man: install-pdf: install-pdf-recursive install-pdf-am: install-ps: install-ps-recursive install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-recursive -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic mostlyclean: mostlyclean-recursive mostlyclean-am: mostlyclean-generic mostlyclean-libtool pdf: pdf-recursive pdf-am: ps: ps-recursive ps-am: uninstall-am: .MAKE: $(am__recursive_targets) install-am install-strip .PHONY: $(am__recursive_targets) CTAGS GTAGS TAGS all all-am check \ check-am clean clean-generic clean-libtool cscopelist-am ctags \ ctags-am distclean distclean-generic distclean-libtool \ distclean-tags distdir dvi dvi-am html html-am info info-am \ install install-am install-data install-data-am install-dvi \ install-dvi-am install-exec install-exec-am install-html \ install-html-am install-info install-info-am install-man \ install-pdf install-pdf-am install-ps install-ps-am \ install-strip installcheck installcheck-am installdirs \ installdirs-am maintainer-clean maintainer-clean-generic \ mostlyclean mostlyclean-generic mostlyclean-libtool pdf pdf-am \ ps ps-am tags tags-am uninstall uninstall-am # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: openvpn-2.4.4/distro/rpm/000077500000000000000000000000001316434344000153125ustar00rootroot00000000000000openvpn-2.4.4/distro/rpm/Makefile.am000066400000000000000000000010511316434344000173430ustar00rootroot00000000000000# # OpenVPN -- An application to securely tunnel IP networks # over a single UDP port, with support for SSL/TLS-based # session authentication and key exchange, # packet encryption, packet authentication, and # packet compression. # # Copyright (C) 2002-2017 OpenVPN Technologies, Inc. # Copyright (C) 2006-2012 Alon Bar-Lev # MAINTAINERCLEANFILES = \ $(srcdir)/Makefile.in dist_noinst_DATA = \ openvpn.spec \ openvpn.init.d.rhel \ openvpn.init.d.suse openvpn-2.4.4/distro/rpm/Makefile.in000066400000000000000000000351011316434344000173570ustar00rootroot00000000000000# Makefile.in generated by automake 1.14.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2013 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY, to the extent permitted by law; without # even the implied warranty of MERCHANTABILITY or FITNESS FOR A # PARTICULAR PURPOSE. @SET_MAKE@ # # OpenVPN -- An application to securely tunnel IP networks # over a single UDP port, with support for SSL/TLS-based # session authentication and key exchange, # packet encryption, packet authentication, and # packet compression. # # Copyright (C) 2002-2017 OpenVPN Technologies, Inc. # Copyright (C) 2006-2012 Alon Bar-Lev # VPATH = @srcdir@ am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ *) echo "am__make_running_with_option: internal error: invalid" \ "target option '$${target_option-}' specified" >&2; \ exit 1;; \ esac; \ has_opt=no; \ sane_makeflags=$$MAKEFLAGS; \ if $(am__is_gnu_make); then \ sane_makeflags=$$MFLAGS; \ else \ case $$MAKEFLAGS in \ *\\[\ \ ]*) \ bs=\\; \ sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ esac; \ fi; \ skip_next=no; \ strip_trailopt () \ { \ flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ }; \ for flg in $$sane_makeflags; do \ test $$skip_next = yes && { skip_next=no; continue; }; \ case $$flg in \ *=*|--*) continue;; \ -*I) strip_trailopt 'I'; skip_next=yes;; \ -*I?*) strip_trailopt 'I';; \ -*O) strip_trailopt 'O'; skip_next=yes;; \ -*O?*) strip_trailopt 'O';; \ -*l) strip_trailopt 'l'; skip_next=yes;; \ -*l?*) strip_trailopt 'l';; \ -[dEDm]) skip_next=yes;; \ -[JT]) skip_next=yes;; \ esac; \ case $$flg in \ *$$target_option*) has_opt=yes; break;; \ esac; \ done; \ test $$has_opt = yes am__make_dryrun = (target_option=n; $(am__make_running_with_option)) am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) pkgdatadir = $(datadir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ pkglibdir = $(libdir)/@PACKAGE@ pkglibexecdir = $(libexecdir)/@PACKAGE@ am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c install_sh_SCRIPT = $(install_sh) -c INSTALL_HEADER = $(INSTALL_DATA) transform = $(program_transform_name) NORMAL_INSTALL = : PRE_INSTALL = : POST_INSTALL = : NORMAL_UNINSTALL = : PRE_UNINSTALL = : POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = distro/rpm DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ $(srcdir)/openvpn.spec.in $(dist_noinst_DATA) ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/ax_emptyarray.m4 \ $(top_srcdir)/m4/ax_socklen_t.m4 \ $(top_srcdir)/m4/ax_varargs.m4 $(top_srcdir)/m4/libtool.m4 \ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ $(top_srcdir)/m4/pkg.m4 $(top_srcdir)/version.m4 \ $(top_srcdir)/compat.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h \ $(top_builddir)/include/openvpn-plugin.h CONFIG_CLEAN_FILES = openvpn.spec CONFIG_CLEAN_VPATH_FILES = AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false am__v_P_1 = : AM_V_GEN = $(am__v_GEN_@AM_V@) am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) am__v_GEN_0 = @echo " GEN " $@; am__v_GEN_1 = AM_V_at = $(am__v_at_@AM_V@) am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) am__v_at_0 = @ am__v_at_1 = SOURCES = DIST_SOURCES = am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ *) (install-info --version) >/dev/null 2>&1;; \ esac DATA = $(dist_noinst_DATA) am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ AS = @AS@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ CMAKE = @CMAKE@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ DL_LIBS = @DL_LIBS@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ GIT = @GIT@ GREP = @GREP@ IFCONFIG = @IFCONFIG@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ IPROUTE = @IPROUTE@ LD = @LD@ LDFLAGS = @LDFLAGS@ LIBOBJS = @LIBOBJS@ LIBPAM_CFLAGS = @LIBPAM_CFLAGS@ LIBPAM_LIBS = @LIBPAM_LIBS@ LIBS = @LIBS@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ LZ4_CFLAGS = @LZ4_CFLAGS@ LZ4_LIBS = @LZ4_LIBS@ LZO_CFLAGS = @LZO_CFLAGS@ LZO_LIBS = @LZO_LIBS@ MAKEINFO = @MAKEINFO@ MAN2HTML = @MAN2HTML@ MANIFEST_TOOL = @MANIFEST_TOOL@ MBEDTLS_CFLAGS = @MBEDTLS_CFLAGS@ MBEDTLS_LIBS = @MBEDTLS_LIBS@ MKDIR_P = @MKDIR_P@ NETSTAT = @NETSTAT@ NM = @NM@ NMEDIT = @NMEDIT@ OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ OPENSSL_CFLAGS = @OPENSSL_CFLAGS@ OPENSSL_LIBS = @OPENSSL_LIBS@ OPENVPN_VERSION_MAJOR = @OPENVPN_VERSION_MAJOR@ OPENVPN_VERSION_MINOR = @OPENVPN_VERSION_MINOR@ OPENVPN_VERSION_PATCH = @OPENVPN_VERSION_PATCH@ OPTIONAL_CRYPTO_CFLAGS = @OPTIONAL_CRYPTO_CFLAGS@ OPTIONAL_CRYPTO_LIBS = @OPTIONAL_CRYPTO_LIBS@ OPTIONAL_DL_LIBS = @OPTIONAL_DL_LIBS@ OPTIONAL_LZ4_CFLAGS = @OPTIONAL_LZ4_CFLAGS@ OPTIONAL_LZ4_LIBS = @OPTIONAL_LZ4_LIBS@ OPTIONAL_LZO_CFLAGS = @OPTIONAL_LZO_CFLAGS@ OPTIONAL_LZO_LIBS = @OPTIONAL_LZO_LIBS@ OPTIONAL_PKCS11_HELPER_CFLAGS = @OPTIONAL_PKCS11_HELPER_CFLAGS@ OPTIONAL_PKCS11_HELPER_LIBS = @OPTIONAL_PKCS11_HELPER_LIBS@ OPTIONAL_SELINUX_LIBS = @OPTIONAL_SELINUX_LIBS@ OPTIONAL_SYSTEMD_LIBS = @OPTIONAL_SYSTEMD_LIBS@ OTOOL = @OTOOL@ OTOOL64 = @OTOOL64@ P11KIT_CFLAGS = @P11KIT_CFLAGS@ P11KIT_LIBS = @P11KIT_LIBS@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PKCS11_HELPER_CFLAGS = @PKCS11_HELPER_CFLAGS@ PKCS11_HELPER_LIBS = @PKCS11_HELPER_LIBS@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGINDIR = @PLUGINDIR@ PLUGIN_AUTH_PAM_CFLAGS = @PLUGIN_AUTH_PAM_CFLAGS@ PLUGIN_AUTH_PAM_LIBS = @PLUGIN_AUTH_PAM_LIBS@ RANLIB = @RANLIB@ RC = @RC@ ROUTE = @ROUTE@ SED = @SED@ SELINUX_LIBS = @SELINUX_LIBS@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ SOCKETS_LIBS = @SOCKETS_LIBS@ STRIP = @STRIP@ SYSTEMD_ASK_PASSWORD = @SYSTEMD_ASK_PASSWORD@ SYSTEMD_UNIT_DIR = @SYSTEMD_UNIT_DIR@ TAP_CFLAGS = @TAP_CFLAGS@ TAP_WIN_COMPONENT_ID = @TAP_WIN_COMPONENT_ID@ TAP_WIN_MIN_MAJOR = @TAP_WIN_MIN_MAJOR@ TAP_WIN_MIN_MINOR = @TAP_WIN_MIN_MINOR@ TEST_CFLAGS = @TEST_CFLAGS@ TEST_LDFLAGS = @TEST_LDFLAGS@ TMPFILES_DIR = @TMPFILES_DIR@ VENDOR_BUILD_ROOT = @VENDOR_BUILD_ROOT@ VENDOR_DIST_ROOT = @VENDOR_DIST_ROOT@ VENDOR_SRC_ROOT = @VENDOR_SRC_ROOT@ VERSION = @VERSION@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ ac_ct_AR = @ac_ct_AR@ ac_ct_CC = @ac_ct_CC@ ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ am__include = @am__include@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ am__tar = @am__tar@ am__untar = @am__untar@ bindir = @bindir@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ datadir = @datadir@ datarootdir = @datarootdir@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ host_os = @host_os@ host_vendor = @host_vendor@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ libdir = @libdir@ libexecdir = @libexecdir@ libsystemd_CFLAGS = @libsystemd_CFLAGS@ libsystemd_LIBS = @libsystemd_LIBS@ localedir = @localedir@ localstatedir = @localstatedir@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ pdfdir = @pdfdir@ plugindir = @plugindir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ sampledir = @sampledir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ systemdunitdir = @systemdunitdir@ target_alias = @target_alias@ tmpfilesdir = @tmpfilesdir@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ MAINTAINERCLEANFILES = \ $(srcdir)/Makefile.in dist_noinst_DATA = \ openvpn.spec \ openvpn.init.d.rhel \ openvpn.init.d.suse all: all-am .SUFFIXES: $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) @for dep in $?; do \ case '$(am__configure_deps)' in \ *$$dep*) \ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ && { if test -f $@; then exit 0; else break; fi; }; \ exit 1;; \ esac; \ done; \ echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign distro/rpm/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --foreign distro/rpm/Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ *) \ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(top_srcdir)/configure: $(am__configure_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(ACLOCAL_M4): $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(am__aclocal_m4_deps): openvpn.spec: $(top_builddir)/config.status $(srcdir)/openvpn.spec.in cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ mostlyclean-libtool: -rm -f *.lo clean-libtool: -rm -rf .libs _libs tags TAGS: ctags CTAGS: cscope cscopelist: distdir: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ dist_files=`for file in $$list; do echo $$file; done | \ sed -e "s|^$$srcdirstrip/||;t" \ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ case $$dist_files in \ */*) $(MKDIR_P) `echo "$$dist_files" | \ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ sort -u` ;; \ esac; \ for file in $$dist_files; do \ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ if test -d $$d/$$file; then \ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ if test -d "$(distdir)/$$file"; then \ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ else \ test -f "$(distdir)/$$file" \ || cp -p $$d/$$file "$(distdir)/$$file" \ || exit 1; \ fi; \ done check-am: all-am check: check-am all-am: Makefile $(DATA) installdirs: install: install-am install-exec: install-exec-am install-data: install-data-am uninstall: uninstall-am install-am: all-am @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am installcheck: installcheck-am install-strip: if test -z '$(STRIP)'; then \ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ install; \ else \ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ fi mostlyclean-generic: clean-generic: distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @echo "it deletes files that may require special tools to rebuild." -test -z "$(MAINTAINERCLEANFILES)" || rm -f $(MAINTAINERCLEANFILES) clean: clean-am clean-am: clean-generic clean-libtool mostlyclean-am distclean: distclean-am -rm -f Makefile distclean-am: clean-am distclean-generic dvi: dvi-am dvi-am: html: html-am html-am: info: info-am info-am: install-data-am: install-dvi: install-dvi-am install-dvi-am: install-exec-am: install-html: install-html-am install-html-am: install-info: install-info-am install-info-am: install-man: install-pdf: install-pdf-am install-pdf-am: install-ps: install-ps-am install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-am -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic mostlyclean: mostlyclean-am mostlyclean-am: mostlyclean-generic mostlyclean-libtool pdf: pdf-am pdf-am: ps: ps-am ps-am: uninstall-am: .MAKE: install-am install-strip .PHONY: all all-am check check-am clean clean-generic clean-libtool \ cscopelist-am ctags-am distclean distclean-generic \ distclean-libtool distdir dvi dvi-am html html-am info info-am \ install install-am install-data install-data-am install-dvi \ install-dvi-am install-exec install-exec-am install-html \ install-html-am install-info install-info-am install-man \ install-pdf install-pdf-am install-ps install-ps-am \ install-strip installcheck installcheck-am installdirs \ maintainer-clean maintainer-clean-generic mostlyclean \ mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ tags-am uninstall uninstall-am # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: openvpn-2.4.4/distro/rpm/openvpn.init.d.rhel000077500000000000000000000125531316434344000210500ustar00rootroot00000000000000#!/bin/sh # # openvpn This shell script takes care of starting and stopping # openvpn on RedHat or other chkconfig-based system. # # chkconfig: 345 24 76 # # description: OpenVPN is a robust and highly flexible tunneling application \ # that uses all of the encryption, authentication, and \ # certification features of the OpenSSL library to securely \ # tunnel IP networks over a single UDP port. # # Contributed to the OpenVPN project by # Douglas Keller # 2002.05.15 # To install: # copy this file to /etc/rc.d/init.d/openvpn # shell> chkconfig --add openvpn # shell> mkdir /etc/openvpn # make .conf or .sh files in /etc/openvpn (see below) # To uninstall: # run: chkconfig --del openvpn # Author's Notes: # # I have created an /etc/init.d init script and enhanced openvpn.spec to # automatically register the init script. Once the RPM is installed you # can start and stop OpenVPN with "service openvpn start" and "service # openvpn stop". # # The init script does the following: # # - Starts an openvpn process for each .conf file it finds in # /etc/openvpn. # # - If /etc/openvpn/xxx.sh exists for a xxx.conf file then it executes # it before starting openvpn (useful for doing openvpn --mktun...). # # - In addition to start/stop you can do: # # service openvpn reload - SIGHUP # service openvpn reopen - SIGUSR1 # service openvpn status - SIGUSR2 # # Modifications: # # 2003.05.02 # * Changed == to = for sh compliance (Bishop Clark). # * If condrestart|reload|reopen|status, check that we were # actually started (James Yonan). # * Added lock, piddir, and work variables (James Yonan). # * If start is attempted twice, without an intervening stop, or # if start is attempted when previous start was not properly # shut down, then kill any previously started processes, before # commencing new start operation (James Yonan). # * Do a better job of flagging errors on start, and properly # returning success or failure status to caller (James Yonan). # # 2005.04.04 # * Added openvpn-startup and openvpn-shutdown script calls # (James Yonan). # # Location of openvpn binary openvpn="" openvpn_locations="/usr/sbin/openvpn /usr/local/sbin/openvpn" for location in $openvpn_locations do if [ -f "$location" ] then openvpn=$location fi done # Lockfile lock="/var/lock/subsys/openvpn" # PID directory piddir="/var/run/openvpn" # Our working directory work=/etc/openvpn # Source function library. . /etc/rc.d/init.d/functions # Source networking configuration. . /etc/sysconfig/network # Check that networking is up. if [ ${NETWORKING} = "no" ] then echo "Networking is down" exit 0 fi # Check that binary exists if ! [ -f $openvpn ] then echo "openvpn binary not found" exit 0 fi # See how we were called. case "$1" in start) echo -n $"Starting openvpn: " /sbin/modprobe tun >/dev/null 2>&1 # From a security perspective, I think it makes # sense to remove this, and have users who need # it explictly enable in their --up scripts or # firewall setups. #echo 1 > /proc/sys/net/ipv4/ip_forward # Run startup script, if defined if [ -f $work/openvpn-startup ]; then $work/openvpn-startup fi if [ ! -d $piddir ]; then mkdir $piddir fi if [ -f $lock ]; then # we were not shut down correctly for pidf in `/bin/ls $piddir/*.pid 2>/dev/null`; do if [ -s $pidf ]; then kill `cat $pidf` >/dev/null 2>&1 fi rm -f $pidf done rm -f $lock sleep 2 fi rm -f $piddir/*.pid cd $work # Start every .conf in $work and run .sh if exists errors=0 successes=0 for c in `/bin/ls *.conf 2>/dev/null`; do bn=${c%%.conf} if [ -f "$bn.sh" ]; then . ./$bn.sh fi rm -f $piddir/$bn.pid $openvpn --daemon --writepid $piddir/$bn.pid --config $c --cd $work if [ $? = 0 ]; then successes=1 else errors=1 fi done if [ $errors = 1 ]; then failure; echo else success; echo fi if [ $successes = 1 ]; then touch $lock fi ;; stop) echo -n $"Shutting down openvpn: " for pidf in `/bin/ls $piddir/*.pid 2>/dev/null`; do if [ -s $pidf ]; then kill `cat $pidf` >/dev/null 2>&1 fi rm -f $pidf done # Run shutdown script, if defined if [ -f $work/openvpn-shutdown ]; then $work/openvpn-shutdown fi success; echo rm -f $lock ;; restart) $0 stop sleep 2 $0 start ;; reload) if [ -f $lock ]; then for pidf in `/bin/ls $piddir/*.pid 2>/dev/null`; do if [ -s $pidf ]; then kill -HUP `cat $pidf` >/dev/null 2>&1 fi done else echo "openvpn: service not started" exit 1 fi ;; reopen) if [ -f $lock ]; then for pidf in `/bin/ls $piddir/*.pid 2>/dev/null`; do if [ -s $pidf ]; then kill -USR1 `cat $pidf` >/dev/null 2>&1 fi done else echo "openvpn: service not started" exit 1 fi ;; condrestart) if [ -f $lock ]; then $0 stop # avoid race sleep 2 $0 start fi ;; status) if [ -f $lock ]; then for pidf in `/bin/ls $piddir/*.pid 2>/dev/null`; do if [ -s $pidf ]; then kill -USR2 `cat $pidf` >/dev/null 2>&1 fi done echo "Status written to /var/log/messages" else echo "openvpn: service not started" exit 1 fi ;; *) echo "Usage: openvpn {start|stop|restart|condrestart|reload|reopen|status}" exit 1 ;; esac exit 0 openvpn-2.4.4/distro/rpm/openvpn.init.d.suse000066400000000000000000000155751316434344000211010ustar00rootroot00000000000000#!/bin/sh ### BEGIN INIT INFO # Provides: openvpn # Required-Start: $network # Required-Stop: $network # Default-Start: 3 5 # Default-Stop: 0 1 2 6 # Short-Description: This shell script takes care of starting and stopping OpenVPN. # Description: OpenVPN is a robust and highly flexible tunneling application that uses all of the encryption, authentication, and certification features of the OpenSSL library to securely tunnel IP networks over a single UDP port. ### END INIT INFO # Contributed to the OpenVPN project by # Douglas Keller # 2002.05.15 # Modified for SuSE by # Frank Plohmann # 2003.08.24 # Please feel free to contact me if you have problems or suggestions # using this script. # To install: # copy this file to /etc/rc.d/init.d/openvpn # use the runlevel editor in Yast to add it to runlevel 3 and/or 5 # shell> mkdir /etc/openvpn # make .conf or .sh files in /etc/openvpn (see below) # To uninstall: # use also Yast and the runlevel editor to uninstall # Author's Notes: # # I have created an /etc/init.d init script and enhanced openvpn.spec to # automatically register the init script. Once the RPM is installed you # can start and stop OpenVPN with "service openvpn start" and "service # openvpn stop". # # The init script does the following: # # - Starts an openvpn process for each .conf file it finds in # /etc/openvpn. # # - If /etc/openvpn/xxx.sh exists for a xxx.conf file then it executes # it before starting openvpn (useful for doing openvpn --mktun...). # # - In addition to start/stop you can do: # # /etc/init.d/openvpn reload - SIGHUP # /etc/init.d/openvpn reopen - SIGUSR1 # /etc/init.d/openvpn status - SIGUSR2 # Modifications 2003.05.02 # * Changed == to = for sh compliance (Bishop Clark). # * If condrestart|reload|reopen|status, check that we were # actually started (James Yonan). # * Added lock, piddir, and work variables (James Yonan). # * If start is attempted twice, without an intervening stop, or # if start is attempted when previous start was not properly # shut down, then kill any previously started processes, before # commencing new start operation (James Yonan). # * Do a better job of flagging errors on start, and properly # returning success or failure status to caller (James Yonan). # # Modifications 2003.08.24 # * Converted the script for SuSE Linux distribution. # Tested with version 8.2 (Frank Plohmann). # - removed "chkconfig" header # - added Yast header # - changed installation notes # - corrected path to openvpn binary # - removes sourcing "functions" # - removed sourcing "network" # - removed network checking. it seemed not to work with SuSE. # - added sourcing "rc.status", comments and "rc_reset" command # - removed "succes; echo" and "failure; echo" lines # - added "rc_status" lines at the end of each section # - changed "service" to "/etc/init.d/" in "In addition to start/stop" # section above. # # Modifications 2005.04.04 # * Added openvpn-startup and openvpn-shutdown script calls (James Yonan). # # Location of openvpn binary openvpn="/usr/sbin/openvpn" # Lockfile lock="/var/lock/subsys/openvpn" # PID directory piddir="/var/run/openvpn" # Our working directory work=/etc/openvpn # Source rc functions . /etc/rc.status # Shell functions sourced from /etc/rc.status: # rc_check check and set local and overall rc status # rc_status check and set local and overall rc status # rc_status -v ditto but be verbose in local rc status # rc_status -v -r ditto and clear the local rc status # rc_failed set local and overall rc status to failed # rc_reset clear local rc status (overall remains) # rc_exit exit appropriate to overall rc status # rc_status check and set local and overall rc status # rc_status -v ditto but be verbose in local rc status # rc_status -v -r ditto and clear the local rc status # rc_failed set local and overall rc status to failed # rc_reset clear local rc status (overall remains) # rc_exit exit appropriate to overall rc status # First reset status of this service rc_reset [ -f $openvpn ] || exit 0 # See how we were called. case "$1" in start) echo -n $"Starting openvpn: " /sbin/modprobe tun >/dev/null 2>&1 # From a security perspective, I think it makes # sense to remove this, and have users who need # it explictly enable in their --up scripts or # firewall setups. #echo 1 > /proc/sys/net/ipv4/ip_forward # Run startup script, if defined if [ -f $work/openvpn-startup ]; then $work/openvpn-startup fi if [ ! -d $piddir ]; then mkdir $piddir fi if [ -f $lock ]; then # we were not shut down correctly for pidf in `/bin/ls $piddir/*.pid 2>/dev/null`; do if [ -s $pidf ]; then kill `cat $pidf` >/dev/null 2>&1 fi rm -f $pidf done rm -f $lock sleep 2 fi rm -f $piddir/*.pid cd $work # Start every .conf in $work and run .sh if exists errors=0 successes=0 for c in `/bin/ls *.conf 2>/dev/null`; do bn=${c%%.conf} if [ -f "$bn.sh" ]; then . ./$bn.sh fi rm -f $piddir/$bn.pid $openvpn --daemon --writepid $piddir/$bn.pid --config $c --cd $work if [ $? = 0 ]; then successes=1 else errors=1 fi done if [ $successes = 1 ]; then touch $lock fi rc_status -v ;; stop) echo -n $"Shutting down openvpn: " for pidf in `/bin/ls $piddir/*.pid 2>/dev/null`; do if [ -s $pidf ]; then kill `cat $pidf` >/dev/null 2>&1 fi rm -f $pidf done # Run shutdown script, if defined if [ -f $work/openvpn-shutdown ]; then $work/openvpn-shutdown fi rm -f $lock rc_status -v ;; restart) $0 stop sleep 2 $0 start rc_status ;; reload) if [ -f $lock ]; then for pidf in `/bin/ls $piddir/*.pid 2>/dev/null`; do if [ -s $pidf ]; then kill -HUP `cat $pidf` >/dev/null 2>&1 fi done else echo "openvpn: service not started" exit 1 fi rc_status -v ;; reopen) if [ -f $lock ]; then for pidf in `/bin/ls $piddir/*.pid 2>/dev/null`; do if [ -s $pidf ]; then kill -USR1 `cat $pidf` >/dev/null 2>&1 fi done else echo "openvpn: service not started" exit 1 fi rc_status -v ;; condrestart) if [ -f $lock ]; then $0 stop # avoid race sleep 2 $0 start fi rc_status ;; status) if [ -f $lock ]; then for pidf in `/bin/ls $piddir/*.pid 2>/dev/null`; do if [ -s $pidf ]; then kill -USR2 `cat $pidf` >/dev/null 2>&1 fi done echo "Status written to /var/log/messages" else echo "openvpn: service not started" exit 1 fi rc_status -v ;; *) echo "Usage: openvpn {start|stop|restart|condrestart|reload|reopen|status}" exit 1 esac exit 0 openvpn-2.4.4/distro/rpm/openvpn.spec000066400000000000000000000131151316434344000176540ustar00rootroot00000000000000# OpenVPN spec file, used to drive rpmbuild # OPTIONS # # Disable LZO # rpmbuild -tb [openvpn.x.tar.gz] --define 'without_lzo 1' # # Disable PAM plugin # rpmbuild -tb [openvpn.x.tar.gz] --define 'without_pam 1' # # Allow passwords to be read from files # rpmbuild -tb [openvpn.x.tar.gz] --define 'with_password_save 1' Summary: OpenVPN is a robust and highly flexible VPN daemon by James Yonan. Name: openvpn Version: 2.4.4 Release: 1 URL: http://openvpn.net/ Source0: http://prdownloads.sourceforge.net/openvpn/%{name}-%{version}.tar.gz License: GPL Group: Applications/Internet Vendor: James Yonan Packager: James Yonan BuildRoot: %{_tmppath}/%{name}-%(id -un) # # Include dependencies manually # AutoReq: 0 BuildRequires: openssl-devel >= 0.9.7 Requires: openssl >= 0.9.7 %if "%{_vendor}" == "Mandrakesoft" %{!?without_lzo:BuildRequires: liblzo1-devel >= 1.07} %{!?without_lzo:Requires: liblzo1 >= 1.07} %else %if "%{_vendor}" == "MandrakeSoft" %{!?without_lzo:BuildRequires: liblzo1-devel >= 1.07} %{!?without_lzo:Requires: liblzo1 >= 1.07} %else %{!?without_lzo:BuildRequires: lzo-devel >= 1.07} %{!?without_lzo:Requires: lzo >= 1.07} %endif %endif %{!?without_pam:BuildRequires: pam-devel} %{!?without_pam:Requires: pam} %{?with_pkcs11:BuildRequires: pkcs11-helper-devel} %{?with_pkcs11:Requires: pkcs11-helper} # # Description # %description OpenVPN is a robust and highly flexible VPN daemon by James Yonan. OpenVPN supports SSL/TLS security, ethernet bridging, TCP or UDP tunnel transport through proxies or NAT, support for dynamic IP addresses and DHCP, scalability to hundreds or thousands of users, and portability to most major OS platforms. %package devel Summary: OpenVPN is a robust and highly flexible VPN daemon by James Yonan. Group: Applications/Internet Requires: %{name} %description devel Development support for OpenVPN. # # Define vendor type # %if "%{_vendor}" == "suse" || "%{_vendor}" == "pc" %define VENDOR SuSE %else %define VENDOR %_vendor %endif # # Other definitions # %define debug_package %{nil} # # Build OpenVPN binary # %prep %setup -q %build %configure \ --disable-dependency-tracking \ --docdir="%{_docdir}/%{name}-%{version}" \ %{?with_password_save:--enable-password-save} \ %{!?without_lzo:--enable-lzo} \ %{?with_pkcs11:--enable-pkcs11} \ %{?without_pam:--disable-plugin-auth-pam} %__make # # Installation section # %install [ %{buildroot} != "/" ] && rm -rf %{buildroot} %__make install DESTDIR="%{buildroot}" # Install init script %if "%{VENDOR}" == "SuSE" %__install -c -d -m 755 "%{buildroot}/etc/init.d" %__install -c -m 755 "distro/rpm/%{name}.init.d.suse" "%{buildroot}/etc/init.d/%{name}" %else %__install -c -d -m 755 "%{buildroot}/etc/rc.d/init.d" %__install -c -m 755 distro/rpm/%{name}.init.d.rhel "%{buildroot}/etc/rc.d/init.d/%{name}" %endif # Install /etc/openvpn %__install -c -d -m 755 "%{buildroot}/etc/%{name}" # Install extra %doc stuff cp -r AUTHORS ChangeLog NEWS contrib/ sample/ \ "%{buildroot}/%{_docdir}/%{name}-%{version}" # # Clean section # %clean [ %{buildroot} != "/" ] && rm -rf "%{buildroot}" # # On Linux 2.4, make the device node # %post case "`uname -r`" in 2.4*) /bin/mkdir /dev/net >/dev/null 2>&1 /bin/mknod /dev/net/tun c 10 200 >/dev/null 2>&1 ;; esac # # Handle the init script # /sbin/chkconfig --add %{name} %if "%{VENDOR}" == "SuSE" /etc/init.d/openvpn restart %else /sbin/service %{name} condrestart %endif %preun if [ "$1" = 0 ] then %if "%{VENDOR}" == "SuSE" /etc/init.d/openvpn stop %else /sbin/service %{name} stop %endif /sbin/chkconfig --del %{name} fi # # Files section # # don't use %doc as old rpmbuild removes it[1]. # [1] http://rpm.org/ticket/836 %files %defattr(-,root,root) %{_mandir} %{_sbindir}/%{name} %{_libdir}/%{name} %{_docdir}/%{name}-%{version} %dir /etc/%{name} %if "%{VENDOR}" == "SuSE" /etc/init.d/%{name} %else /etc/rc.d/init.d/%{name} %endif %files devel %defattr(-,root,root) %{_includedir}/* %changelog * Thu Jul 30 2009 David Sommerseth - Removed management/ directory from %doc * Thu Dec 14 2006 Alon Bar-Lev - Added with_pkcs11 * Mon Aug 2 2005 James Yonan - Fixed build problem with --define 'without_pam 1' * Mon Apr 4 2005 James Yonan - Moved some files from /usr/share/openvpn to %doc for compatibility with Dag Wieers' RPM repository * Sat Mar 12 2005 Tom Walsh - Added MandrakeSoft liblzo1 require * Fri Dec 10 2004 James Yonan - Added AutoReq: 0 for manual dependencies * Fri Dec 10 2004 James Yonan - Packaged the plugins * Sun Nov 7 2004 Umberto Nicoletti - SuSE support * Wed Aug 18 2004 Bishop Clark (LC957) - restrict what we claim in /etc/ to avoid ownership conflicts * Sun Feb 23 2003 Matthias Andree 1.3.2.14-1. - Have the version number filled in by autoconf. * Wed Jul 10 2002 James Yonan 1.3.1-1 - Fixed %preun to only remove service on final uninstall * Mon Jun 17 2002 bishop clark (LC957) 1.2.2-1 - Added condrestart to openvpn.spec & openvpn.init. * Wed May 22 2002 James Yonan 1.2.0-1 - Added mknod for Linux 2.4. * Wed May 15 2002 Doug Keller 1.1.1.16-2 - Added init scripts - Added conf file support * Mon May 13 2002 bishop clark (LC957) 1.1.1.14-1 - Added new directories for config examples and such * Sun May 12 2002 bishop clark (LC957) 1.1.1.13-1 - Updated buildroot directive and cleanup command - added easy-rsa utilities * Mon Mar 25 2002 bishop clark (LC957) 1.0-1 - Initial build. openvpn-2.4.4/distro/rpm/openvpn.spec.in000066400000000000000000000131231316434344000202600ustar00rootroot00000000000000# OpenVPN spec file, used to drive rpmbuild # OPTIONS # # Disable LZO # rpmbuild -tb [openvpn.x.tar.gz] --define 'without_lzo 1' # # Disable PAM plugin # rpmbuild -tb [openvpn.x.tar.gz] --define 'without_pam 1' # # Allow passwords to be read from files # rpmbuild -tb [openvpn.x.tar.gz] --define 'with_password_save 1' Summary: OpenVPN is a robust and highly flexible VPN daemon by James Yonan. Name: @PACKAGE@ Version: @VERSION@ Release: 1 URL: http://openvpn.net/ Source0: http://prdownloads.sourceforge.net/openvpn/%{name}-%{version}.tar.gz License: GPL Group: Applications/Internet Vendor: James Yonan Packager: James Yonan BuildRoot: %{_tmppath}/%{name}-%(id -un) # # Include dependencies manually # AutoReq: 0 BuildRequires: openssl-devel >= 0.9.7 Requires: openssl >= 0.9.7 %if "%{_vendor}" == "Mandrakesoft" %{!?without_lzo:BuildRequires: liblzo1-devel >= 1.07} %{!?without_lzo:Requires: liblzo1 >= 1.07} %else %if "%{_vendor}" == "MandrakeSoft" %{!?without_lzo:BuildRequires: liblzo1-devel >= 1.07} %{!?without_lzo:Requires: liblzo1 >= 1.07} %else %{!?without_lzo:BuildRequires: lzo-devel >= 1.07} %{!?without_lzo:Requires: lzo >= 1.07} %endif %endif %{!?without_pam:BuildRequires: pam-devel} %{!?without_pam:Requires: pam} %{?with_pkcs11:BuildRequires: pkcs11-helper-devel} %{?with_pkcs11:Requires: pkcs11-helper} # # Description # %description OpenVPN is a robust and highly flexible VPN daemon by James Yonan. OpenVPN supports SSL/TLS security, ethernet bridging, TCP or UDP tunnel transport through proxies or NAT, support for dynamic IP addresses and DHCP, scalability to hundreds or thousands of users, and portability to most major OS platforms. %package devel Summary: OpenVPN is a robust and highly flexible VPN daemon by James Yonan. Group: Applications/Internet Requires: %{name} %description devel Development support for OpenVPN. # # Define vendor type # %if "%{_vendor}" == "suse" || "%{_vendor}" == "pc" %define VENDOR SuSE %else %define VENDOR %_vendor %endif # # Other definitions # %define debug_package %{nil} # # Build OpenVPN binary # %prep %setup -q %build %configure \ --disable-dependency-tracking \ --docdir="%{_docdir}/%{name}-%{version}" \ %{?with_password_save:--enable-password-save} \ %{!?without_lzo:--enable-lzo} \ %{?with_pkcs11:--enable-pkcs11} \ %{?without_pam:--disable-plugin-auth-pam} %__make # # Installation section # %install [ %{buildroot} != "/" ] && rm -rf %{buildroot} %__make install DESTDIR="%{buildroot}" # Install init script %if "%{VENDOR}" == "SuSE" %__install -c -d -m 755 "%{buildroot}/etc/init.d" %__install -c -m 755 "distro/rpm/%{name}.init.d.suse" "%{buildroot}/etc/init.d/%{name}" %else %__install -c -d -m 755 "%{buildroot}/etc/rc.d/init.d" %__install -c -m 755 distro/rpm/%{name}.init.d.rhel "%{buildroot}/etc/rc.d/init.d/%{name}" %endif # Install /etc/openvpn %__install -c -d -m 755 "%{buildroot}/etc/%{name}" # Install extra %doc stuff cp -r AUTHORS ChangeLog NEWS contrib/ sample/ \ "%{buildroot}/%{_docdir}/%{name}-%{version}" # # Clean section # %clean [ %{buildroot} != "/" ] && rm -rf "%{buildroot}" # # On Linux 2.4, make the device node # %post case "`uname -r`" in 2.4*) /bin/mkdir /dev/net >/dev/null 2>&1 /bin/mknod /dev/net/tun c 10 200 >/dev/null 2>&1 ;; esac # # Handle the init script # /sbin/chkconfig --add %{name} %if "%{VENDOR}" == "SuSE" /etc/init.d/openvpn restart %else /sbin/service %{name} condrestart %endif %preun if [ "$1" = 0 ] then %if "%{VENDOR}" == "SuSE" /etc/init.d/openvpn stop %else /sbin/service %{name} stop %endif /sbin/chkconfig --del %{name} fi # # Files section # # don't use %doc as old rpmbuild removes it[1]. # [1] http://rpm.org/ticket/836 %files %defattr(-,root,root) %{_mandir} %{_sbindir}/%{name} %{_libdir}/%{name} %{_docdir}/%{name}-%{version} %dir /etc/%{name} %if "%{VENDOR}" == "SuSE" /etc/init.d/%{name} %else /etc/rc.d/init.d/%{name} %endif %files devel %defattr(-,root,root) %{_includedir}/* %changelog * Thu Jul 30 2009 David Sommerseth - Removed management/ directory from %doc * Thu Dec 14 2006 Alon Bar-Lev - Added with_pkcs11 * Mon Aug 2 2005 James Yonan - Fixed build problem with --define 'without_pam 1' * Mon Apr 4 2005 James Yonan - Moved some files from /usr/share/openvpn to %doc for compatibility with Dag Wieers' RPM repository * Sat Mar 12 2005 Tom Walsh - Added MandrakeSoft liblzo1 require * Fri Dec 10 2004 James Yonan - Added AutoReq: 0 for manual dependencies * Fri Dec 10 2004 James Yonan - Packaged the plugins * Sun Nov 7 2004 Umberto Nicoletti - SuSE support * Wed Aug 18 2004 Bishop Clark (LC957) - restrict what we claim in /etc/ to avoid ownership conflicts * Sun Feb 23 2003 Matthias Andree 1.3.2.14-1. - Have the version number filled in by autoconf. * Wed Jul 10 2002 James Yonan 1.3.1-1 - Fixed %preun to only remove service on final uninstall * Mon Jun 17 2002 bishop clark (LC957) 1.2.2-1 - Added condrestart to openvpn.spec & openvpn.init. * Wed May 22 2002 James Yonan 1.2.0-1 - Added mknod for Linux 2.4. * Wed May 15 2002 Doug Keller 1.1.1.16-2 - Added init scripts - Added conf file support * Mon May 13 2002 bishop clark (LC957) 1.1.1.14-1 - Added new directories for config examples and such * Sun May 12 2002 bishop clark (LC957) 1.1.1.13-1 - Updated buildroot directive and cleanup command - added easy-rsa utilities * Mon Mar 25 2002 bishop clark (LC957) 1.0-1 - Initial build. openvpn-2.4.4/distro/systemd/000077500000000000000000000000001316434344000162045ustar00rootroot00000000000000openvpn-2.4.4/distro/systemd/Makefile.am000066400000000000000000000015361316434344000202450ustar00rootroot00000000000000# # OpenVPN -- An application to securely tunnel IP networks # over a single UDP port, with support for SSL/TLS-based # session authentication and key exchange, # packet encryption, packet authentication, and # packet compression. # # Copyright (C) 2017 OpenVPN Technologies, Inc. # %.service: %.service.in Makefile $(AM_V_GEN)sed -e 's|\@sbindir\@|$(sbindir)|' \ $< > $@.tmp && mv $@.tmp $@ EXTRA_DIST = \ tmpfiles-openvpn.conf \ openvpn-client@.service.in \ openvpn-server@.service.in if ENABLE_SYSTEMD systemdunit_DATA = \ openvpn-client@.service \ openvpn-server@.service tmpfiles_DATA = \ tmpfiles-openvpn.conf install-data-hook: mv $(DESTDIR)$(tmpfilesdir)/tmpfiles-openvpn.conf $(DESTDIR)$(tmpfilesdir)/openvpn.conf endif MAINTAINERCLEANFILES = \ $(srcdir)/Makefile.in openvpn-2.4.4/distro/systemd/Makefile.in000066400000000000000000000441661316434344000202640ustar00rootroot00000000000000# Makefile.in generated by automake 1.14.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2013 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY, to the extent permitted by law; without # even the implied warranty of MERCHANTABILITY or FITNESS FOR A # PARTICULAR PURPOSE. @SET_MAKE@ # # OpenVPN -- An application to securely tunnel IP networks # over a single UDP port, with support for SSL/TLS-based # session authentication and key exchange, # packet encryption, packet authentication, and # packet compression. # # Copyright (C) 2017 OpenVPN Technologies, Inc. # VPATH = @srcdir@ am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ *) echo "am__make_running_with_option: internal error: invalid" \ "target option '$${target_option-}' specified" >&2; \ exit 1;; \ esac; \ has_opt=no; \ sane_makeflags=$$MAKEFLAGS; \ if $(am__is_gnu_make); then \ sane_makeflags=$$MFLAGS; \ else \ case $$MAKEFLAGS in \ *\\[\ \ ]*) \ bs=\\; \ sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ esac; \ fi; \ skip_next=no; \ strip_trailopt () \ { \ flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ }; \ for flg in $$sane_makeflags; do \ test $$skip_next = yes && { skip_next=no; continue; }; \ case $$flg in \ *=*|--*) continue;; \ -*I) strip_trailopt 'I'; skip_next=yes;; \ -*I?*) strip_trailopt 'I';; \ -*O) strip_trailopt 'O'; skip_next=yes;; \ -*O?*) strip_trailopt 'O';; \ -*l) strip_trailopt 'l'; skip_next=yes;; \ -*l?*) strip_trailopt 'l';; \ -[dEDm]) skip_next=yes;; \ -[JT]) skip_next=yes;; \ esac; \ case $$flg in \ *$$target_option*) has_opt=yes; break;; \ esac; \ done; \ test $$has_opt = yes am__make_dryrun = (target_option=n; $(am__make_running_with_option)) am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) pkgdatadir = $(datadir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ pkglibdir = $(libdir)/@PACKAGE@ pkglibexecdir = $(libexecdir)/@PACKAGE@ am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c install_sh_SCRIPT = $(install_sh) -c INSTALL_HEADER = $(INSTALL_DATA) transform = $(program_transform_name) NORMAL_INSTALL = : PRE_INSTALL = : POST_INSTALL = : NORMAL_UNINSTALL = : PRE_UNINSTALL = : POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = distro/systemd DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/ax_emptyarray.m4 \ $(top_srcdir)/m4/ax_socklen_t.m4 \ $(top_srcdir)/m4/ax_varargs.m4 $(top_srcdir)/m4/libtool.m4 \ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ $(top_srcdir)/m4/pkg.m4 $(top_srcdir)/version.m4 \ $(top_srcdir)/compat.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h \ $(top_builddir)/include/openvpn-plugin.h CONFIG_CLEAN_FILES = CONFIG_CLEAN_VPATH_FILES = AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false am__v_P_1 = : AM_V_GEN = $(am__v_GEN_@AM_V@) am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) am__v_GEN_0 = @echo " GEN " $@; am__v_GEN_1 = AM_V_at = $(am__v_at_@AM_V@) am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) am__v_at_0 = @ am__v_at_1 = SOURCES = DIST_SOURCES = am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ *) (install-info --version) >/dev/null 2>&1;; \ esac am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; am__vpath_adj = case $$p in \ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ *) f=$$p;; \ esac; am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; am__install_max = 40 am__nobase_strip_setup = \ srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` am__nobase_strip = \ for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" am__nobase_list = $(am__nobase_strip_setup); \ for p in $$list; do echo "$$p $$p"; done | \ sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ if (++n[$$2] == $(am__install_max)) \ { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ END { for (dir in files) print dir, files[dir] }' am__base_list = \ sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' am__uninstall_files_from_dir = { \ test -z "$$files" \ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ $(am__cd) "$$dir" && rm -f $$files; }; \ } am__installdirs = "$(DESTDIR)$(systemdunitdir)" \ "$(DESTDIR)$(tmpfilesdir)" DATA = $(systemdunit_DATA) $(tmpfiles_DATA) am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ AS = @AS@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ CMAKE = @CMAKE@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ DL_LIBS = @DL_LIBS@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ GIT = @GIT@ GREP = @GREP@ IFCONFIG = @IFCONFIG@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ IPROUTE = @IPROUTE@ LD = @LD@ LDFLAGS = @LDFLAGS@ LIBOBJS = @LIBOBJS@ LIBPAM_CFLAGS = @LIBPAM_CFLAGS@ LIBPAM_LIBS = @LIBPAM_LIBS@ LIBS = @LIBS@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ LZ4_CFLAGS = @LZ4_CFLAGS@ LZ4_LIBS = @LZ4_LIBS@ LZO_CFLAGS = @LZO_CFLAGS@ LZO_LIBS = @LZO_LIBS@ MAKEINFO = @MAKEINFO@ MAN2HTML = @MAN2HTML@ MANIFEST_TOOL = @MANIFEST_TOOL@ MBEDTLS_CFLAGS = @MBEDTLS_CFLAGS@ MBEDTLS_LIBS = @MBEDTLS_LIBS@ MKDIR_P = @MKDIR_P@ NETSTAT = @NETSTAT@ NM = @NM@ NMEDIT = @NMEDIT@ OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ OPENSSL_CFLAGS = @OPENSSL_CFLAGS@ OPENSSL_LIBS = @OPENSSL_LIBS@ OPENVPN_VERSION_MAJOR = @OPENVPN_VERSION_MAJOR@ OPENVPN_VERSION_MINOR = @OPENVPN_VERSION_MINOR@ OPENVPN_VERSION_PATCH = @OPENVPN_VERSION_PATCH@ OPTIONAL_CRYPTO_CFLAGS = @OPTIONAL_CRYPTO_CFLAGS@ OPTIONAL_CRYPTO_LIBS = @OPTIONAL_CRYPTO_LIBS@ OPTIONAL_DL_LIBS = @OPTIONAL_DL_LIBS@ OPTIONAL_LZ4_CFLAGS = @OPTIONAL_LZ4_CFLAGS@ OPTIONAL_LZ4_LIBS = @OPTIONAL_LZ4_LIBS@ OPTIONAL_LZO_CFLAGS = @OPTIONAL_LZO_CFLAGS@ OPTIONAL_LZO_LIBS = @OPTIONAL_LZO_LIBS@ OPTIONAL_PKCS11_HELPER_CFLAGS = @OPTIONAL_PKCS11_HELPER_CFLAGS@ OPTIONAL_PKCS11_HELPER_LIBS = @OPTIONAL_PKCS11_HELPER_LIBS@ OPTIONAL_SELINUX_LIBS = @OPTIONAL_SELINUX_LIBS@ OPTIONAL_SYSTEMD_LIBS = @OPTIONAL_SYSTEMD_LIBS@ OTOOL = @OTOOL@ OTOOL64 = @OTOOL64@ P11KIT_CFLAGS = @P11KIT_CFLAGS@ P11KIT_LIBS = @P11KIT_LIBS@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PKCS11_HELPER_CFLAGS = @PKCS11_HELPER_CFLAGS@ PKCS11_HELPER_LIBS = @PKCS11_HELPER_LIBS@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGINDIR = @PLUGINDIR@ PLUGIN_AUTH_PAM_CFLAGS = @PLUGIN_AUTH_PAM_CFLAGS@ PLUGIN_AUTH_PAM_LIBS = @PLUGIN_AUTH_PAM_LIBS@ RANLIB = @RANLIB@ RC = @RC@ ROUTE = @ROUTE@ SED = @SED@ SELINUX_LIBS = @SELINUX_LIBS@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ SOCKETS_LIBS = @SOCKETS_LIBS@ STRIP = @STRIP@ SYSTEMD_ASK_PASSWORD = @SYSTEMD_ASK_PASSWORD@ SYSTEMD_UNIT_DIR = @SYSTEMD_UNIT_DIR@ TAP_CFLAGS = @TAP_CFLAGS@ TAP_WIN_COMPONENT_ID = @TAP_WIN_COMPONENT_ID@ TAP_WIN_MIN_MAJOR = @TAP_WIN_MIN_MAJOR@ TAP_WIN_MIN_MINOR = @TAP_WIN_MIN_MINOR@ TEST_CFLAGS = @TEST_CFLAGS@ TEST_LDFLAGS = @TEST_LDFLAGS@ TMPFILES_DIR = @TMPFILES_DIR@ VENDOR_BUILD_ROOT = @VENDOR_BUILD_ROOT@ VENDOR_DIST_ROOT = @VENDOR_DIST_ROOT@ VENDOR_SRC_ROOT = @VENDOR_SRC_ROOT@ VERSION = @VERSION@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ ac_ct_AR = @ac_ct_AR@ ac_ct_CC = @ac_ct_CC@ ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ am__include = @am__include@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ am__tar = @am__tar@ am__untar = @am__untar@ bindir = @bindir@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ datadir = @datadir@ datarootdir = @datarootdir@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ host_os = @host_os@ host_vendor = @host_vendor@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ libdir = @libdir@ libexecdir = @libexecdir@ libsystemd_CFLAGS = @libsystemd_CFLAGS@ libsystemd_LIBS = @libsystemd_LIBS@ localedir = @localedir@ localstatedir = @localstatedir@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ pdfdir = @pdfdir@ plugindir = @plugindir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ sampledir = @sampledir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ systemdunitdir = @systemdunitdir@ target_alias = @target_alias@ tmpfilesdir = @tmpfilesdir@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ EXTRA_DIST = \ tmpfiles-openvpn.conf \ openvpn-client@.service.in \ openvpn-server@.service.in @ENABLE_SYSTEMD_TRUE@systemdunit_DATA = \ @ENABLE_SYSTEMD_TRUE@ openvpn-client@.service \ @ENABLE_SYSTEMD_TRUE@ openvpn-server@.service @ENABLE_SYSTEMD_TRUE@tmpfiles_DATA = \ @ENABLE_SYSTEMD_TRUE@ tmpfiles-openvpn.conf MAINTAINERCLEANFILES = \ $(srcdir)/Makefile.in all: all-am .SUFFIXES: $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) @for dep in $?; do \ case '$(am__configure_deps)' in \ *$$dep*) \ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ && { if test -f $@; then exit 0; else break; fi; }; \ exit 1;; \ esac; \ done; \ echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign distro/systemd/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --foreign distro/systemd/Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ *) \ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(top_srcdir)/configure: $(am__configure_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(ACLOCAL_M4): $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(am__aclocal_m4_deps): mostlyclean-libtool: -rm -f *.lo clean-libtool: -rm -rf .libs _libs install-systemdunitDATA: $(systemdunit_DATA) @$(NORMAL_INSTALL) @list='$(systemdunit_DATA)'; test -n "$(systemdunitdir)" || list=; \ if test -n "$$list"; then \ echo " $(MKDIR_P) '$(DESTDIR)$(systemdunitdir)'"; \ $(MKDIR_P) "$(DESTDIR)$(systemdunitdir)" || exit 1; \ fi; \ for p in $$list; do \ if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ echo "$$d$$p"; \ done | $(am__base_list) | \ while read files; do \ echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(systemdunitdir)'"; \ $(INSTALL_DATA) $$files "$(DESTDIR)$(systemdunitdir)" || exit $$?; \ done uninstall-systemdunitDATA: @$(NORMAL_UNINSTALL) @list='$(systemdunit_DATA)'; test -n "$(systemdunitdir)" || list=; \ files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ dir='$(DESTDIR)$(systemdunitdir)'; $(am__uninstall_files_from_dir) install-tmpfilesDATA: $(tmpfiles_DATA) @$(NORMAL_INSTALL) @list='$(tmpfiles_DATA)'; test -n "$(tmpfilesdir)" || list=; \ if test -n "$$list"; then \ echo " $(MKDIR_P) '$(DESTDIR)$(tmpfilesdir)'"; \ $(MKDIR_P) "$(DESTDIR)$(tmpfilesdir)" || exit 1; \ fi; \ for p in $$list; do \ if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ echo "$$d$$p"; \ done | $(am__base_list) | \ while read files; do \ echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(tmpfilesdir)'"; \ $(INSTALL_DATA) $$files "$(DESTDIR)$(tmpfilesdir)" || exit $$?; \ done uninstall-tmpfilesDATA: @$(NORMAL_UNINSTALL) @list='$(tmpfiles_DATA)'; test -n "$(tmpfilesdir)" || list=; \ files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ dir='$(DESTDIR)$(tmpfilesdir)'; $(am__uninstall_files_from_dir) tags TAGS: ctags CTAGS: cscope cscopelist: distdir: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ dist_files=`for file in $$list; do echo $$file; done | \ sed -e "s|^$$srcdirstrip/||;t" \ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ case $$dist_files in \ */*) $(MKDIR_P) `echo "$$dist_files" | \ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ sort -u` ;; \ esac; \ for file in $$dist_files; do \ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ if test -d $$d/$$file; then \ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ if test -d "$(distdir)/$$file"; then \ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ else \ test -f "$(distdir)/$$file" \ || cp -p $$d/$$file "$(distdir)/$$file" \ || exit 1; \ fi; \ done check-am: all-am check: check-am all-am: Makefile $(DATA) installdirs: for dir in "$(DESTDIR)$(systemdunitdir)" "$(DESTDIR)$(tmpfilesdir)"; do \ test -z "$$dir" || $(MKDIR_P) "$$dir"; \ done install: install-am install-exec: install-exec-am install-data: install-data-am uninstall: uninstall-am install-am: all-am @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am installcheck: installcheck-am install-strip: if test -z '$(STRIP)'; then \ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ install; \ else \ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ fi mostlyclean-generic: clean-generic: distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @echo "it deletes files that may require special tools to rebuild." -test -z "$(MAINTAINERCLEANFILES)" || rm -f $(MAINTAINERCLEANFILES) @ENABLE_SYSTEMD_FALSE@install-data-hook: clean: clean-am clean-am: clean-generic clean-libtool mostlyclean-am distclean: distclean-am -rm -f Makefile distclean-am: clean-am distclean-generic dvi: dvi-am dvi-am: html: html-am html-am: info: info-am info-am: install-data-am: install-systemdunitDATA install-tmpfilesDATA @$(NORMAL_INSTALL) $(MAKE) $(AM_MAKEFLAGS) install-data-hook install-dvi: install-dvi-am install-dvi-am: install-exec-am: install-html: install-html-am install-html-am: install-info: install-info-am install-info-am: install-man: install-pdf: install-pdf-am install-pdf-am: install-ps: install-ps-am install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-am -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic mostlyclean: mostlyclean-am mostlyclean-am: mostlyclean-generic mostlyclean-libtool pdf: pdf-am pdf-am: ps: ps-am ps-am: uninstall-am: uninstall-systemdunitDATA uninstall-tmpfilesDATA .MAKE: install-am install-data-am install-strip .PHONY: all all-am check check-am clean clean-generic clean-libtool \ cscopelist-am ctags-am distclean distclean-generic \ distclean-libtool distdir dvi dvi-am html html-am info info-am \ install install-am install-data install-data-am \ install-data-hook install-dvi install-dvi-am install-exec \ install-exec-am install-html install-html-am install-info \ install-info-am install-man install-pdf install-pdf-am \ install-ps install-ps-am install-strip install-systemdunitDATA \ install-tmpfilesDATA installcheck installcheck-am installdirs \ maintainer-clean maintainer-clean-generic mostlyclean \ mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ tags-am uninstall uninstall-am uninstall-systemdunitDATA \ uninstall-tmpfilesDATA %.service: %.service.in Makefile $(AM_V_GEN)sed -e 's|\@sbindir\@|$(sbindir)|' \ $< > $@.tmp && mv $@.tmp $@ @ENABLE_SYSTEMD_TRUE@install-data-hook: @ENABLE_SYSTEMD_TRUE@ mv $(DESTDIR)$(tmpfilesdir)/tmpfiles-openvpn.conf $(DESTDIR)$(tmpfilesdir)/openvpn.conf # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: openvpn-2.4.4/distro/systemd/openvpn-client@.service.in000066400000000000000000000012761316434344000232420ustar00rootroot00000000000000[Unit] Description=OpenVPN tunnel for %I After=syslog.target network-online.target Wants=network-online.target Documentation=man:openvpn(8) Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO [Service] Type=notify PrivateTmp=true WorkingDirectory=/etc/openvpn/client ExecStart=@sbindir@/openvpn --suppress-timestamps --nobind --config %i.conf CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE LimitNPROC=10 DeviceAllow=/dev/null rw DeviceAllow=/dev/net/tun rw ProtectSystem=true ProtectHome=true KillMode=process [Install] WantedBy=multi-user.target openvpn-2.4.4/distro/systemd/openvpn-server@.service.in000066400000000000000000000014501316434344000232640ustar00rootroot00000000000000[Unit] Description=OpenVPN service for %I After=syslog.target network-online.target Wants=network-online.target Documentation=man:openvpn(8) Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO [Service] Type=notify PrivateTmp=true WorkingDirectory=/etc/openvpn/server ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE LimitNPROC=10 DeviceAllow=/dev/null rw DeviceAllow=/dev/net/tun rw ProtectSystem=true ProtectHome=true KillMode=process RestartSec=5s Restart=on-failure [Install] WantedBy=multi-user.target openvpn-2.4.4/distro/systemd/tmpfiles-openvpn.conf000066400000000000000000000001161316434344000223570ustar00rootroot00000000000000d /run/openvpn-client 0710 root root - d /run/openvpn-server 0710 root root - openvpn-2.4.4/doc/000077500000000000000000000000001316434344000137555ustar00rootroot00000000000000openvpn-2.4.4/doc/Makefile.am000066400000000000000000000014131316434344000160100ustar00rootroot00000000000000# # OpenVPN -- An application to securely tunnel IP networks # over a single UDP port, with support for SSL/TLS-based # session authentication and key exchange, # packet encryption, packet authentication, and # packet compression. # # Copyright (C) 2002-2017 OpenVPN Technologies, Inc. # Copyright (C) 2006-2012 Alon Bar-Lev # MAINTAINERCLEANFILES = \ $(srcdir)/Makefile.in CLEANFILES = openvpn.8.html dist_doc_DATA = \ management-notes.txt dist_noinst_DATA = \ README.plugins if WIN32 dist_noinst_DATA += openvpn.8 nodist_html_DATA = openvpn.8.html openvpn.8.html: $(srcdir)/openvpn.8 $(MAN2HTML) < $(srcdir)/openvpn.8 > openvpn.8.html else dist_man_MANS = openvpn.8 endif openvpn-2.4.4/doc/Makefile.in000066400000000000000000000472701316434344000160340ustar00rootroot00000000000000# Makefile.in generated by automake 1.14.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2013 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY, to the extent permitted by law; without # even the implied warranty of MERCHANTABILITY or FITNESS FOR A # PARTICULAR PURPOSE. @SET_MAKE@ # # OpenVPN -- An application to securely tunnel IP networks # over a single UDP port, with support for SSL/TLS-based # session authentication and key exchange, # packet encryption, packet authentication, and # packet compression. # # Copyright (C) 2002-2017 OpenVPN Technologies, Inc. # Copyright (C) 2006-2012 Alon Bar-Lev # VPATH = @srcdir@ am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ *) echo "am__make_running_with_option: internal error: invalid" \ "target option '$${target_option-}' specified" >&2; \ exit 1;; \ esac; \ has_opt=no; \ sane_makeflags=$$MAKEFLAGS; \ if $(am__is_gnu_make); then \ sane_makeflags=$$MFLAGS; \ else \ case $$MAKEFLAGS in \ *\\[\ \ ]*) \ bs=\\; \ sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ esac; \ fi; \ skip_next=no; \ strip_trailopt () \ { \ flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ }; \ for flg in $$sane_makeflags; do \ test $$skip_next = yes && { skip_next=no; continue; }; \ case $$flg in \ *=*|--*) continue;; \ -*I) strip_trailopt 'I'; skip_next=yes;; \ -*I?*) strip_trailopt 'I';; \ -*O) strip_trailopt 'O'; skip_next=yes;; \ -*O?*) strip_trailopt 'O';; \ -*l) strip_trailopt 'l'; skip_next=yes;; \ -*l?*) strip_trailopt 'l';; \ -[dEDm]) skip_next=yes;; \ -[JT]) skip_next=yes;; \ esac; \ case $$flg in \ *$$target_option*) has_opt=yes; break;; \ esac; \ done; \ test $$has_opt = yes am__make_dryrun = (target_option=n; $(am__make_running_with_option)) am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) pkgdatadir = $(datadir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ pkglibdir = $(libdir)/@PACKAGE@ pkglibexecdir = $(libexecdir)/@PACKAGE@ am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c install_sh_SCRIPT = $(install_sh) -c INSTALL_HEADER = $(INSTALL_DATA) transform = $(program_transform_name) NORMAL_INSTALL = : PRE_INSTALL = : POST_INSTALL = : NORMAL_UNINSTALL = : PRE_UNINSTALL = : POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ @WIN32_TRUE@am__append_1 = openvpn.8 subdir = doc DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ $(dist_man_MANS) $(dist_doc_DATA) $(am__dist_noinst_DATA_DIST) ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/ax_emptyarray.m4 \ $(top_srcdir)/m4/ax_socklen_t.m4 \ $(top_srcdir)/m4/ax_varargs.m4 $(top_srcdir)/m4/libtool.m4 \ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ $(top_srcdir)/m4/pkg.m4 $(top_srcdir)/version.m4 \ $(top_srcdir)/compat.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h \ $(top_builddir)/include/openvpn-plugin.h CONFIG_CLEAN_FILES = CONFIG_CLEAN_VPATH_FILES = AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false am__v_P_1 = : AM_V_GEN = $(am__v_GEN_@AM_V@) am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) am__v_GEN_0 = @echo " GEN " $@; am__v_GEN_1 = AM_V_at = $(am__v_at_@AM_V@) am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) am__v_at_0 = @ am__v_at_1 = SOURCES = DIST_SOURCES = am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ *) (install-info --version) >/dev/null 2>&1;; \ esac am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; am__vpath_adj = case $$p in \ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ *) f=$$p;; \ esac; am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; am__install_max = 40 am__nobase_strip_setup = \ srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` am__nobase_strip = \ for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" am__nobase_list = $(am__nobase_strip_setup); \ for p in $$list; do echo "$$p $$p"; done | \ sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ if (++n[$$2] == $(am__install_max)) \ { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ END { for (dir in files) print dir, files[dir] }' am__base_list = \ sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' am__uninstall_files_from_dir = { \ test -z "$$files" \ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ $(am__cd) "$$dir" && rm -f $$files; }; \ } man8dir = $(mandir)/man8 am__installdirs = "$(DESTDIR)$(man8dir)" "$(DESTDIR)$(docdir)" \ "$(DESTDIR)$(htmldir)" NROFF = nroff MANS = $(dist_man_MANS) am__dist_noinst_DATA_DIST = README.plugins openvpn.8 DATA = $(dist_doc_DATA) $(dist_noinst_DATA) $(nodist_html_DATA) am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ AS = @AS@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ CMAKE = @CMAKE@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ DL_LIBS = @DL_LIBS@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ GIT = @GIT@ GREP = @GREP@ IFCONFIG = @IFCONFIG@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ IPROUTE = @IPROUTE@ LD = @LD@ LDFLAGS = @LDFLAGS@ LIBOBJS = @LIBOBJS@ LIBPAM_CFLAGS = @LIBPAM_CFLAGS@ LIBPAM_LIBS = @LIBPAM_LIBS@ LIBS = @LIBS@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ LZ4_CFLAGS = @LZ4_CFLAGS@ LZ4_LIBS = @LZ4_LIBS@ LZO_CFLAGS = @LZO_CFLAGS@ LZO_LIBS = @LZO_LIBS@ MAKEINFO = @MAKEINFO@ MAN2HTML = @MAN2HTML@ MANIFEST_TOOL = @MANIFEST_TOOL@ MBEDTLS_CFLAGS = @MBEDTLS_CFLAGS@ MBEDTLS_LIBS = @MBEDTLS_LIBS@ MKDIR_P = @MKDIR_P@ NETSTAT = @NETSTAT@ NM = @NM@ NMEDIT = @NMEDIT@ OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ OPENSSL_CFLAGS = @OPENSSL_CFLAGS@ OPENSSL_LIBS = @OPENSSL_LIBS@ OPENVPN_VERSION_MAJOR = @OPENVPN_VERSION_MAJOR@ OPENVPN_VERSION_MINOR = @OPENVPN_VERSION_MINOR@ OPENVPN_VERSION_PATCH = @OPENVPN_VERSION_PATCH@ OPTIONAL_CRYPTO_CFLAGS = @OPTIONAL_CRYPTO_CFLAGS@ OPTIONAL_CRYPTO_LIBS = @OPTIONAL_CRYPTO_LIBS@ OPTIONAL_DL_LIBS = @OPTIONAL_DL_LIBS@ OPTIONAL_LZ4_CFLAGS = @OPTIONAL_LZ4_CFLAGS@ OPTIONAL_LZ4_LIBS = @OPTIONAL_LZ4_LIBS@ OPTIONAL_LZO_CFLAGS = @OPTIONAL_LZO_CFLAGS@ OPTIONAL_LZO_LIBS = @OPTIONAL_LZO_LIBS@ OPTIONAL_PKCS11_HELPER_CFLAGS = @OPTIONAL_PKCS11_HELPER_CFLAGS@ OPTIONAL_PKCS11_HELPER_LIBS = @OPTIONAL_PKCS11_HELPER_LIBS@ OPTIONAL_SELINUX_LIBS = @OPTIONAL_SELINUX_LIBS@ OPTIONAL_SYSTEMD_LIBS = @OPTIONAL_SYSTEMD_LIBS@ OTOOL = @OTOOL@ OTOOL64 = @OTOOL64@ P11KIT_CFLAGS = @P11KIT_CFLAGS@ P11KIT_LIBS = @P11KIT_LIBS@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PKCS11_HELPER_CFLAGS = @PKCS11_HELPER_CFLAGS@ PKCS11_HELPER_LIBS = @PKCS11_HELPER_LIBS@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGINDIR = @PLUGINDIR@ PLUGIN_AUTH_PAM_CFLAGS = @PLUGIN_AUTH_PAM_CFLAGS@ PLUGIN_AUTH_PAM_LIBS = @PLUGIN_AUTH_PAM_LIBS@ RANLIB = @RANLIB@ RC = @RC@ ROUTE = @ROUTE@ SED = @SED@ SELINUX_LIBS = @SELINUX_LIBS@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ SOCKETS_LIBS = @SOCKETS_LIBS@ STRIP = @STRIP@ SYSTEMD_ASK_PASSWORD = @SYSTEMD_ASK_PASSWORD@ SYSTEMD_UNIT_DIR = @SYSTEMD_UNIT_DIR@ TAP_CFLAGS = @TAP_CFLAGS@ TAP_WIN_COMPONENT_ID = @TAP_WIN_COMPONENT_ID@ TAP_WIN_MIN_MAJOR = @TAP_WIN_MIN_MAJOR@ TAP_WIN_MIN_MINOR = @TAP_WIN_MIN_MINOR@ TEST_CFLAGS = @TEST_CFLAGS@ TEST_LDFLAGS = @TEST_LDFLAGS@ TMPFILES_DIR = @TMPFILES_DIR@ VENDOR_BUILD_ROOT = @VENDOR_BUILD_ROOT@ VENDOR_DIST_ROOT = @VENDOR_DIST_ROOT@ VENDOR_SRC_ROOT = @VENDOR_SRC_ROOT@ VERSION = @VERSION@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ ac_ct_AR = @ac_ct_AR@ ac_ct_CC = @ac_ct_CC@ ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ am__include = @am__include@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ am__tar = @am__tar@ am__untar = @am__untar@ bindir = @bindir@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ datadir = @datadir@ datarootdir = @datarootdir@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ host_os = @host_os@ host_vendor = @host_vendor@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ libdir = @libdir@ libexecdir = @libexecdir@ libsystemd_CFLAGS = @libsystemd_CFLAGS@ libsystemd_LIBS = @libsystemd_LIBS@ localedir = @localedir@ localstatedir = @localstatedir@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ pdfdir = @pdfdir@ plugindir = @plugindir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ sampledir = @sampledir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ systemdunitdir = @systemdunitdir@ target_alias = @target_alias@ tmpfilesdir = @tmpfilesdir@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ MAINTAINERCLEANFILES = \ $(srcdir)/Makefile.in CLEANFILES = openvpn.8.html dist_doc_DATA = \ management-notes.txt dist_noinst_DATA = README.plugins $(am__append_1) @WIN32_TRUE@nodist_html_DATA = openvpn.8.html @WIN32_FALSE@dist_man_MANS = openvpn.8 all: all-am .SUFFIXES: $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) @for dep in $?; do \ case '$(am__configure_deps)' in \ *$$dep*) \ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ && { if test -f $@; then exit 0; else break; fi; }; \ exit 1;; \ esac; \ done; \ echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign doc/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --foreign doc/Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ *) \ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(top_srcdir)/configure: $(am__configure_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(ACLOCAL_M4): $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(am__aclocal_m4_deps): mostlyclean-libtool: -rm -f *.lo clean-libtool: -rm -rf .libs _libs install-man8: $(dist_man_MANS) @$(NORMAL_INSTALL) @list1=''; \ list2='$(dist_man_MANS)'; \ test -n "$(man8dir)" \ && test -n "`echo $$list1$$list2`" \ || exit 0; \ echo " $(MKDIR_P) '$(DESTDIR)$(man8dir)'"; \ $(MKDIR_P) "$(DESTDIR)$(man8dir)" || exit 1; \ { for i in $$list1; do echo "$$i"; done; \ if test -n "$$list2"; then \ for i in $$list2; do echo "$$i"; done \ | sed -n '/\.8[a-z]*$$/p'; \ fi; \ } | while read p; do \ if test -f $$p; then d=; else d="$(srcdir)/"; fi; \ echo "$$d$$p"; echo "$$p"; \ done | \ sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \ sed 'N;N;s,\n, ,g' | { \ list=; while read file base inst; do \ if test "$$base" = "$$inst"; then list="$$list $$file"; else \ echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst" || exit $$?; \ fi; \ done; \ for i in $$list; do echo "$$i"; done | $(am__base_list) | \ while read files; do \ test -z "$$files" || { \ echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man8dir)'"; \ $(INSTALL_DATA) $$files "$(DESTDIR)$(man8dir)" || exit $$?; }; \ done; } uninstall-man8: @$(NORMAL_UNINSTALL) @list=''; test -n "$(man8dir)" || exit 0; \ files=`{ for i in $$list; do echo "$$i"; done; \ l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ sed -n '/\.8[a-z]*$$/p'; \ } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ dir='$(DESTDIR)$(man8dir)'; $(am__uninstall_files_from_dir) install-dist_docDATA: $(dist_doc_DATA) @$(NORMAL_INSTALL) @list='$(dist_doc_DATA)'; test -n "$(docdir)" || list=; \ if test -n "$$list"; then \ echo " $(MKDIR_P) '$(DESTDIR)$(docdir)'"; \ $(MKDIR_P) "$(DESTDIR)$(docdir)" || exit 1; \ fi; \ for p in $$list; do \ if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ echo "$$d$$p"; \ done | $(am__base_list) | \ while read files; do \ echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(docdir)'"; \ $(INSTALL_DATA) $$files "$(DESTDIR)$(docdir)" || exit $$?; \ done uninstall-dist_docDATA: @$(NORMAL_UNINSTALL) @list='$(dist_doc_DATA)'; test -n "$(docdir)" || list=; \ files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ dir='$(DESTDIR)$(docdir)'; $(am__uninstall_files_from_dir) install-nodist_htmlDATA: $(nodist_html_DATA) @$(NORMAL_INSTALL) @list='$(nodist_html_DATA)'; test -n "$(htmldir)" || list=; \ if test -n "$$list"; then \ echo " $(MKDIR_P) '$(DESTDIR)$(htmldir)'"; \ $(MKDIR_P) "$(DESTDIR)$(htmldir)" || exit 1; \ fi; \ for p in $$list; do \ if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ echo "$$d$$p"; \ done | $(am__base_list) | \ while read files; do \ echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(htmldir)'"; \ $(INSTALL_DATA) $$files "$(DESTDIR)$(htmldir)" || exit $$?; \ done uninstall-nodist_htmlDATA: @$(NORMAL_UNINSTALL) @list='$(nodist_html_DATA)'; test -n "$(htmldir)" || list=; \ files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ dir='$(DESTDIR)$(htmldir)'; $(am__uninstall_files_from_dir) tags TAGS: ctags CTAGS: cscope cscopelist: distdir: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ dist_files=`for file in $$list; do echo $$file; done | \ sed -e "s|^$$srcdirstrip/||;t" \ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ case $$dist_files in \ */*) $(MKDIR_P) `echo "$$dist_files" | \ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ sort -u` ;; \ esac; \ for file in $$dist_files; do \ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ if test -d $$d/$$file; then \ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ if test -d "$(distdir)/$$file"; then \ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ else \ test -f "$(distdir)/$$file" \ || cp -p $$d/$$file "$(distdir)/$$file" \ || exit 1; \ fi; \ done check-am: all-am check: check-am all-am: Makefile $(MANS) $(DATA) installdirs: for dir in "$(DESTDIR)$(man8dir)" "$(DESTDIR)$(docdir)" "$(DESTDIR)$(htmldir)"; do \ test -z "$$dir" || $(MKDIR_P) "$$dir"; \ done install: install-am install-exec: install-exec-am install-data: install-data-am uninstall: uninstall-am install-am: all-am @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am installcheck: installcheck-am install-strip: if test -z '$(STRIP)'; then \ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ install; \ else \ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ fi mostlyclean-generic: clean-generic: -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @echo "it deletes files that may require special tools to rebuild." -test -z "$(MAINTAINERCLEANFILES)" || rm -f $(MAINTAINERCLEANFILES) clean: clean-am clean-am: clean-generic clean-libtool mostlyclean-am distclean: distclean-am -rm -f Makefile distclean-am: clean-am distclean-generic dvi: dvi-am dvi-am: html: html-am html-am: info: info-am info-am: install-data-am: install-dist_docDATA install-man \ install-nodist_htmlDATA install-dvi: install-dvi-am install-dvi-am: install-exec-am: install-html: install-html-am install-html-am: install-info: install-info-am install-info-am: install-man: install-man8 install-pdf: install-pdf-am install-pdf-am: install-ps: install-ps-am install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-am -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic mostlyclean: mostlyclean-am mostlyclean-am: mostlyclean-generic mostlyclean-libtool pdf: pdf-am pdf-am: ps: ps-am ps-am: uninstall-am: uninstall-dist_docDATA uninstall-man \ uninstall-nodist_htmlDATA uninstall-man: uninstall-man8 .MAKE: install-am install-strip .PHONY: all all-am check check-am clean clean-generic clean-libtool \ cscopelist-am ctags-am distclean distclean-generic \ distclean-libtool distdir dvi dvi-am html html-am info info-am \ install install-am install-data install-data-am \ install-dist_docDATA install-dvi install-dvi-am install-exec \ install-exec-am install-html install-html-am install-info \ install-info-am install-man install-man8 \ install-nodist_htmlDATA install-pdf install-pdf-am install-ps \ install-ps-am install-strip installcheck installcheck-am \ installdirs maintainer-clean maintainer-clean-generic \ mostlyclean mostlyclean-generic mostlyclean-libtool pdf pdf-am \ ps ps-am tags-am uninstall uninstall-am uninstall-dist_docDATA \ uninstall-man uninstall-man8 uninstall-nodist_htmlDATA @WIN32_TRUE@openvpn.8.html: $(srcdir)/openvpn.8 @WIN32_TRUE@ $(MAN2HTML) < $(srcdir)/openvpn.8 > openvpn.8.html # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: openvpn-2.4.4/doc/README.plugins000066400000000000000000000027531316434344000163240ustar00rootroot00000000000000OpenVPN Plugins --------------- Starting with OpenVPN 2.0-beta17, compiled plugin modules are supported on any *nix OS which includes libdl or on Windows. One or more modules may be loaded into OpenVPN using the --plugin directive, and each plugin module is capable of intercepting any of the script callbacks which OpenVPN supports: (1) up (2) down (3) route-up (4) ipchange (5) tls-verify (6) auth-user-pass-verify (7) client-connect (8) client-disconnect (9) learn-address See the openvpn-plugin.h file in the top-level directory of the OpenVPN source distribution for more detailed information on the plugin interface. Included Plugins ---------------- auth-pam -- Authenticate using PAM and a split privilege execution model which functions even if root privileges or the execution environment have been altered with --user/--group/--chroot. Tested on Linux only. down-root -- Enable the running of down scripts with root privileges even if --user/--group/--chroot have been used to drop root privileges or change the execution environment. Not applicable on Windows. examples -- A simple example that demonstrates a portable plugin, i.e. one which can be built for *nix or Windows from the same source. Building Plugins ---------------- cd to the top-level directory of a plugin, and use the "make" command to build it. The examples plugin is built using a build script, not a makefile. openvpn-2.4.4/doc/management-notes.txt000066400000000000000000001050651316434344000177670ustar00rootroot00000000000000OpenVPN Management Interface Notes ---------------------------------- The OpenVPN Management interface allows OpenVPN to be administratively controlled from an external program via a TCP or unix domain socket. The interface has been specifically designed for developers who would like to programmatically or remotely control an OpenVPN daemon, and can be used when OpenVPN is running as a client or server. The management interface is implemented using a client/server TCP connection or unix domain socket where OpenVPN will listen on a provided IP address and port for incoming management client connections. The management protocol is currently cleartext without an explicit security layer. For this reason, it is recommended that the management interface either listen on a unix domain socket, localhost (127.0.0.1), or on the local VPN address. It's possible to remotely connect to the management interface over the VPN itself, though some capabilities will be limited in this mode, such as the ability to provide private key passwords. The management interface is enabled in the OpenVPN configuration file using the following directive: --management See the man page for documentation on this and related directives. Once OpenVPN has started with the management layer enabled, you can telnet to the management port (make sure to use a telnet client which understands "raw" mode). Once connected to the management port, you can use the "help" command to list all commands. COMMAND -- bytecount -------------------- The bytecount command is used to request real-time notification of OpenVPN bandwidth usage. Command syntax: bytecount n (where n > 0) -- set up automatic notification of bandwidth usage once every n seconds bytecount 0 -- turn off bytecount notifications If OpenVPN is running as a client, the bytecount notification will look like this: >BYTECOUNT:{BYTES_IN},{BYTES_OUT} BYTES_IN is the number of bytes that have been received from the server and BYTES_OUT is the number of bytes that have been sent to the server. If OpenVPN is running as a server, the bytecount notification will look like this: >BYTECOUNT_CLI:{CID},{BYTES_IN},{BYTES_OUT} CID is the Client ID, BYTES_IN is the number of bytes that have been received from the client and BYTES_OUT is the number of bytes that have been sent to the client. Note that when the bytecount command is used on the server, every connected client will report its bandwidth numbers once every n seconds. When the client disconnects, the final bandwidth numbers will be placed in the 'bytes_received' and 'bytes_sent' environmental variables as included in the >CLIENT:DISCONNECT notification. COMMAND -- echo --------------- The echo capability is used to allow GUI-specific parameters to be either embedded in the OpenVPN config file or pushed to an OpenVPN client from a server. Command examples: echo on -- turn on real-time notification of echo messages echo all -- print the current echo history list echo off -- turn off real-time notification of echo messages echo on all -- atomically enable real-time notification, plus show any messages in history buffer For example, suppose you are developing a OpenVPN GUI and you want to give the OpenVPN server the ability to ask the GUI to forget any saved passwords. In the OpenVPN server config file, add: push "echo forget-passwords" When the OpenVPN client receives its pulled list of directives from the server, the "echo forget-passwords" directive will be in the list, and it will cause the management interface to save the "forget-passwords" string in its list of echo parameters. The management client can use "echo all" to output the full list of echoed parameters, "echo on" to turn on real-time notification of echoed parameters via the ">ECHO:" prefix, or "echo off" to turn off real-time notification. When the GUI connects to the OpenVPN management socket, it can issue an "echo all" command, which would produce output like this: 1101519562,forget-passwords END Essentially the echo command allowed us to pass parameters from the OpenVPN server to the OpenVPN client, and then to the management client (such as a GUI). The large integer is the unix date/time when the echo parameter was received. If the management client had issued the command "echo on", it would have enabled real-time notifications of echo parameters. In this case, our "forget-passwords" message would be output like this: >ECHO:1101519562,forget-passwords Like the log command, the echo command can atomically show history while simultaneously activating real-time updates: echo on all The size of the echo buffer is currently hardcoded to 100 messages. COMMAND -- exit, quit --------------------- Close the managment session, and resume listening on the management port for connections from other clients. Currently, the OpenVPN daemon can at most support a single management client any one time. COMMAND -- help --------------- Print a summary of commands. COMMAND -- hold --------------- The hold command can be used to manipulate the hold flag, or release OpenVPN from a hold state. If the hold flag is set on initial startup or restart, OpenVPN will hibernate prior to initializing the tunnel until the management interface receives a "hold release" command. The --management-hold directive of OpenVPN can be used to start OpenVPN with the hold flag set. The hold flag setting is persistent and will not be reset by restarts. OpenVPN will indicate that it is in a hold state by sending a real-time notification to the management client, the parameter indicates how long OpenVPN would wait without UI (as influenced by connect-retry exponential backoff). The UI needs to wait for releasing the hold if it wants similar behavior: >HOLD:Waiting for hold release:10 Command examples: hold -- show current hold flag, 0=off, 1=on. hold on -- turn on hold flag so that future restarts will hold. hold off -- turn off hold flag so that future restarts will not hold. hold release -- leave hold state and start OpenVPN, but do not alter the current hold flag setting. COMMAND -- kill --------------- In server mode, kill a particlar client instance. Command examples: kill Test-Client -- kill the client instance having a common name of "Test-Client". kill 1.2.3.4:4000 -- kill the client instance having a source address and port of 1.2.3.4:4000 Use the "status" command to see which clients are connected. COMMAND -- log -------------- Show the OpenVPN log file. Only the most recent n lines of the log file are cached by the management interface, where n is controlled by the OpenVPN --management-log-cache directive. Command examples: log on -- Enable real-time output of log messages. log all -- Show currently cached log file history. log on all -- Atomically show all currently cached log file history then enable real-time notification of new log file messages. log off -- Turn off real-time notification of log messages. log 20 -- Show the most recent 20 lines of log file history. Real-time notification format: Real-time log messages begin with the ">LOG:" prefix followed by the following comma-separated fields: (a) unix integer date/time, (b) zero or more message flags in a single string: I -- informational F -- fatal error N -- non-fatal error W -- warning D -- debug, and (c) message text. COMMAND -- mute --------------- Change the OpenVPN --mute parameter. The mute parameter is used to silence repeating messages of the same message category. Command examples: mute 40 -- change the mute parameter to 40 mute -- show the current mute setting COMMAND -- net -------------- (Windows Only) Produce output equivalent to the OpenVPN --show-net directive. The output includes OpenVPN's view of the system network adapter list and routing table based on information returned by the Windows IP helper API. COMMAND -- pid -------------- Shows the process ID of the current OpenVPN process. COMMAND -- password and username -------------------------------- The password command is used to pass passwords to OpenVPN. If OpenVPN is run with the --management-query-passwords directive, it will query the management interface for RSA private key passwords and the --auth-user-pass username/password. When OpenVPN needs a password from the management interface, it will produce a real-time ">PASSWORD:" message. Example 1: >PASSWORD:Need 'Private Key' password OpenVPN is indicating that it needs a password of type "Private Key". The management client should respond to this query as follows: password "Private Key" foo Example 2: >PASSWORD:Need 'Auth' username/password OpenVPN needs a --auth-user-pass password. The management client should respond: username "Auth" foo password "Auth" bar The username/password itself can be in quotes, and special characters such as double quote or backslash must be escaped, for example, password "Private Key" "foo\"bar" The escaping rules are the same as for the config file. See the "Command Parsing" section below for more info. The PASSWORD real-time message type can also be used to indicate password or other types of authentication failure: Example 3: The private key password is incorrect and OpenVPN is exiting: >PASSWORD:Verification Failed: 'Private Key' Example 4: The --auth-user-pass username/password failed, and OpenVPN is exiting: >PASSWORD:Verification Failed: 'Auth' Example 5: The --auth-user-pass username/password failed, and the server provided a custom client-reason-text string using the client-deny server-side management interface command. >PASSWORD:Verification Failed: 'custom server-generated string' COMMAND -- forget-passwords --------------------------- The forget-passwords command will cause the daemon to forget passwords entered during the session. Command example: forget-passwords -- forget passwords entered so far. COMMAND -- signal ----------------- The signal command will send a signal to the OpenVPN daemon. The signal can be one of SIGHUP, SIGTERM, SIGUSR1, or SIGUSR2. Command example: signal SIGUSR1 -- send a SIGUSR1 signal to daemon COMMAND -- state ---------------- Show the current OpenVPN state, show state history, or enable real-time notification of state changes. These are the OpenVPN states: CONNECTING -- OpenVPN's initial state. WAIT -- (Client only) Waiting for initial response from server. AUTH -- (Client only) Authenticating with server. GET_CONFIG -- (Client only) Downloading configuration options from server. ASSIGN_IP -- Assigning IP address to virtual network interface. ADD_ROUTES -- Adding routes to system. CONNECTED -- Initialization Sequence Completed. RECONNECTING -- A restart has occurred. EXITING -- A graceful exit is in progress. Command examples: state -- Print current OpenVPN state. state on -- Enable real-time notification of state changes. state off -- Disable real-time notification of state changes. state all -- Print current state history. state 3 -- Print the 3 most recent state transitions. state on all -- Atomically show state history while at the same time enable real-time state notification of future state transitions. The output format consists of up to 9 comma-separated parameters: (a) the integer unix date/time, (b) the state name, (c) optional descriptive string (used mostly on RECONNECTING and EXITING to show the reason for the disconnect), (d) optional TUN/TAP local IPv4 address (e) optional address of remote server, (f) optional port of remote server, (g) optional local address, (h) optional local port, and (i) optional TUN/TAP local IPv6 address. Fields (e)-(h) are shown for CONNECTED state, (d) and (i) are shown for ASSIGN_IP and CONNECTED states. (e) is available starting from OpenVPN 2.1 (f)-(i) are available starting from OpenVPN 2.4 Real-time state notifications will have a ">STATE:" prefix prepended to them. COMMAND -- status ----------------- Show current daemon status information, in the same format as that produced by the OpenVPN --status directive. Command examples: status -- Show status information using the default status format version. status 3 -- Show status information using the format of --status-version 3. COMMAND -- username ------------------- See the "password" section above. COMMAND -- verb --------------- Change the OpenVPN --verb parameter. The verb parameter controls the output verbosity, and may range from 0 (no output) to 15 (maximum output). See the OpenVPN man page for additional info on verbosity levels. Command examples: verb 4 -- change the verb parameter to 4 mute -- show the current verb setting COMMAND -- version ------------------ Show the current OpenVPN and Management Interface versions. COMMAND -- auth-retry --------------------- Set the --auth-retry setting to control how OpenVPN responds to username/password authentication errors. See the manual page for more info. Command examples: auth-retry interact -- Don't exit when bad username/passwords are entered. Query for new input and retry. COMMAND -- needok (OpenVPN 2.1 or higher) ------------------------------------------ Confirm a ">NEED-OK" real-time notification, normally used by OpenVPN to block while waiting for a specific user action. Example: OpenVPN needs the user to insert a cryptographic token, so it sends a real-time notification: >NEED-OK:Need 'token-insertion-request' confirmation MSG:Please insert your cryptographic token The management client, if it is a GUI, can flash a dialog box containing the text after the "MSG:" marker to the user. When the user acknowledges the dialog box, the management client can issue this command: needok token-insertion-request ok or needok token-insertion-request cancel COMMAND -- needstr (OpenVPN 2.1 or higher) ------------------------------------------- Confirm a ">NEED-STR" real-time notification, normally used by OpenVPN to block while waiting for a specific user input. Example: OpenVPN needs the user to specify some input, so it sends a real-time notification: >NEED-STR:Need 'name' input MSG:Please specify your name The management client, if it is a GUI, can flash a dialog box containing the text after the "MSG:" marker to the user. When the user acknowledges the dialog box, the management client can issue this command: needstr name "John" COMMAND -- pkcs11-id-count (OpenVPN 2.1 or higher) --------------------------------------------------- Retrieve available number of certificates. Example: pkcs11-id-count >PKCS11ID-COUNT:5 COMMAND -- pkcs11-id-get (OpenVPN 2.1 or higher) ------------------------------------------------- Retrieve certificate by index, the ID string should be provided as PKCS#11 identity, the blob is BASE64 encoded certificate. Example: pkcs11-id-get 1 PKCS11ID-ENTRY:'1', ID:'', BLOB:'' COMMAND -- client-auth (OpenVPN 2.1 or higher) ----------------------------------------------- Authorize a ">CLIENT:CONNECT" or ">CLIENT:REAUTH" request and specify "client-connect" configuration directives in a subsequent text block. The OpenVPN server should have been started with the --management-client-auth directive so that it will ask the management interface to approve client connections. client-auth {CID} {KID} line_1 line_2 ... line_n END CID,KID -- client ID and Key ID. See documentation for ">CLIENT:" notification for more info. line_1 to line_n -- client-connect configuration text block, as would be returned by a --client-connect script. The text block may be null, with "END" immediately following the "client-auth" line (using a null text block is equivalent to using the client-auth-nt command). A client-connect configuration text block contains OpenVPN directives that will be applied to the client instance object representing a newly connected client. COMMAND -- client-auth-nt (OpenVPN 2.1 or higher) -------------------------------------------------- Authorize a ">CLIENT:CONNECT" or ">CLIENT:REAUTH" request without specifying client-connect configuration text. The OpenVPN server should have been started with the --management-client-auth directive so that it will ask the management interface to approve client connections. client-auth-nt {CID} {KID} CID,KID -- client ID and Key ID. See documentation for ">CLIENT:" notification for more info. COMMAND -- client-deny (OpenVPN 2.1 or higher) ----------------------------------------------- Deny a ">CLIENT:CONNECT" or ">CLIENT:REAUTH" request. client-deny {CID} {KID} "reason-text" ["client-reason-text"] CID,KID -- client ID and Key ID. See documentation for ">CLIENT:" notification for more info. reason-text: a human-readable message explaining why the authentication request was denied. This message will be output to the OpenVPN log file or syslog. client-reason-text: a message that will be sent to the client as part of the AUTH_FAILED message. Note that client-deny denies a specific Key ID (pertaining to a TLS renegotiation). A client-deny command issued in response to an initial TLS key negotiation (notified by ">CLIENT:CONNECT") will terminate the client session after returning "AUTH-FAILED" to the client. On the other hand, a client-deny command issued in response to a TLS renegotiation (">CLIENT:REAUTH") will invalidate the renegotiated key, however the TLS session associated with the currently active key will continue to live for up to --tran-window seconds before expiration. To immediately kill a client session, use "client-kill". COMMAND -- client-kill (OpenVPN 2.1 or higher) ----------------------------------------------- Immediately kill a client instance by CID. client-kill {CID} CID -- client ID. See documentation for ">CLIENT:" notification for more info. COMMAND -- client-pf (OpenVPN 2.1 or higher) --------------------------------------------- Push a packet filter file to a specific client. The OpenVPN server should have been started with the --management-client-pf directive so that it will require that VPN tunnel packets sent or received by client instances must conform to that client's packet filter configuration. client-pf {CID} line_1 line_2 ... line_n END CID -- client ID. See documentation for ">CLIENT:" notification for more info. line_1 to line_n -- the packet filter configuration file for this client. Packet filter file grammar: [CLIENTS DROP|ACCEPT] {+|-}common_name1 {+|-}common_name2 . . . [SUBNETS DROP|ACCEPT] {+|-}subnet1 {+|-}subnet2 . . . [END] Subnet: IP-ADDRESS | IP-ADDRESS/NUM_NETWORK_BITS | "unknown" CLIENTS refers to the set of clients (by their common-name) which this instance is allowed ('+') to connect to, or is excluded ('-') from connecting to. Note that in the case of client-to-client connections, such communication must be allowed by the packet filter configuration files of both clients AND the --client-to-client directive must have been specified in the OpenVPN server config. SUBNETS refers to IP addresses or IP address subnets which this client instance may connect to ('+') or is excluded ('-') from connecting to, and applies to IPv4 and ARP packets. The special "unknown" tag refers to packets of unknown type, i.e. a packet that is not IPv4 or ARP. DROP or ACCEPT defines default policy when there is no explicit match for a common-name or subnet. The [END] tag must exist. Notes: * The SUBNETS section currently only supports IPv4 addresses and subnets. * A given client or subnet rule applies to both incoming and outgoing packets. * The CLIENTS list is order-invariant. Because the list is stored as a hash-table, the order of the list does not affect its function. * The SUBNETS table is scanned sequentially, and the first item to match is chosen. Therefore the SUBNETS table is NOT order-invariant. * No client-to-client communication is allowed unless the --client-to-client configuration directive is enabled AND the CLIENTS list of BOTH clients allows the communication. Example packet filter spec, as transmitted to the management interface: client-pf 42 [CLIENTS ACCEPT] -accounting -enigma [SUBNETS DROP] -10.46.79.9 +10.0.0.0/8 [END] END The above example sets the packet filter policy for the client identified by CID=42. This client may connect to all other clients except those having a common name of "accounting" or "enigma". The client may only interact with external IP addresses in the 10.0.0.0/8 subnet, however access to 10.46.79.9 is specifically excluded. Another example packet filter spec, as transmitted to the management interface: client-pf 99 [CLIENTS DENY] +public [SUBNETS ACCEPT] +10.10.0.1 -10.0.0.0/8 -unknown [END] END The above example sets the packet filter policy for the client identified by CID=99. This client may not connect to any other clients except those having a common name of "public". It may interact with any external IP address except those in the 10.0.0.0/8 netblock. However interaction with one address in the 10.0.0.0/8 netblock is allowed: 10.10.0.1. Also, the client may not interact with external IP addresses using an "unknown" protocol (i.e. one that is not IPv4 or ARP). COMMAND -- remote (OpenVPN AS 2.1.5/OpenVPN 2.3 or higher) -------------------------------------------- Provide remote host/port in response to a >REMOTE notification (client only). Requires that the --management-query-remote directive is used. remote ACTION [HOST PORT] The "remote" command should only be given in response to a >REMOTE notification. For example, the following >REMOTE notification indicates that the client config file would ordinarily connect to vpn.example.com port 1194 (UDP): >REMOTE:vpn.example.com,1194,udp Now, suppose we want to override the host and port, connecting instead to vpn.otherexample.com port 1234. After receiving the above notification, use this command: remote MOD vpn.otherexample.com 1234 To accept the same host and port as the client would ordinarily have connected to, use this command: remote ACCEPT To skip the current connection entry and advance to the next one, use this command: remote SKIP COMMAND -- proxy (OpenVPN 2.3 or higher) -------------------------------------------- Provide proxy server host/port and flags in response to a >PROXY notification (client only). Requires that the --management-query-proxy directive is used. proxy TYPE HOST PORT ["nct"] The "proxy" command must only be given in response to a >PROXY notification. Use the "nct" flag if you only want to allow non-cleartext auth with the proxy server. The following >PROXY notification indicates that the client config file would ordinarily connect to the first --remote configured, vpn.example.com using TCP: >PROXY:1,TCP,vpn.example.com Now, suppose we want to connect to the remote host using the proxy server proxy.intranet port 8080 with secure authentication only, if required. After receiving the above notification, use this command: proxy HTTP proxy.intranet 8080 nct You can also use the SOCKS keyword to pass a SOCKS server address, like: proxy SOCKS fe00::1 1080 To accept connecting to the host and port directly, use this command: proxy NONE COMMAND -- rsa-sig (OpenVPN 2.3 or higher) ------------------------------------------ Provides support for external storage of the private key. Requires the --management-external-key option. This option can be used instead of "key" in client mode, and allows the client to run without the need to load the actual private key. When the SSL protocol needs to perform an RSA sign operation, the data to be signed will be sent to the management interface via a notification as follows: >RSA_SIGN:[BASE64_DATA] The management interface client should then create a PKCS#1 v1.5 signature of the (decoded) BASE64_DATA using the private key and return the SSL signature as follows: rsa-sig [BASE64_SIG_LINE] . . . END Base64 encoded output of RSA_private_encrypt() (OpenSSL) or mbedtls_pk_sign() (mbed TLS) will provide a correct signature. This capability is intended to allow the use of arbitrary cryptographic service providers with OpenVPN via the management interface. COMMAND -- certificate (OpenVPN 2.4 or higher) ---------------------------------------------- Provides support for external storage of the certificate. Requires the --management-external-cert option. This option can be used instead of "cert" in client mode. On SSL protocol initialization a notification will be sent to the management interface with a hint as follows: >NEED-CERTIFICATE:macosx-keychain:subject:o=OpenVPN-TEST The management interface client should use the hint to obtain the specific SSL certificate and then return base64 encoded certificate as follows: certificate [BASE64_CERT_LINE] . . . END This capability is intended to allow the use of certificates stored outside of the filesystem (e.g. in Mac OS X Keychain) with OpenVPN via the management interface. OUTPUT FORMAT ------------- (1) Command success/failure indicated by "SUCCESS: [text]" or "ERROR: [text]". (2) For commands which print multiple lines of output, the last line will be "END". (3) Real-time messages will be in the form ">[source]:[text]", where source is "CLIENT", "ECHO", "FATAL", "HOLD", "INFO", "LOG", "NEED-OK", "PASSWORD", or "STATE". REAL-TIME MESSAGE FORMAT ------------------------ The OpenVPN management interface produces two kinds of output: (a) output from a command, or (b) asynchronous, real-time output which can be generated at any time. Real-time messages start with a '>' character in the first column and are immediately followed by a type keyword indicating the type of real-time message. The following types are currently defined: BYTECOUNT -- Real-time bandwidth usage notification, as enabled by "bytecount" command when OpenVPN is running as a client. BYTECOUNT_CLI -- Real-time bandwidth usage notification per-client, as enabled by "bytecount" command when OpenVPN is running as a server. CLIENT -- Notification of client connections and disconnections on an OpenVPN server. Enabled when OpenVPN is started with the --management-client-auth option. CLIENT notifications may be multi-line. See "The CLIENT notification" section below for detailed info. ECHO -- Echo messages as controlled by the "echo" command. FATAL -- A fatal error which is output to the log file just prior to OpenVPN exiting. HOLD -- Used to indicate that OpenVPN is in a holding state and will not start until it receives a "hold release" command. INFO -- Informational messages such as the welcome message. LOG -- Log message output as controlled by the "log" command. NEED-OK -- OpenVPN needs the end user to do something, such as insert a cryptographic token. The "needok" command can be used to tell OpenVPN to continue. NEED-STR -- OpenVPN needs information from end, such as a certificate to use. The "needstr" command can be used to tell OpenVPN to continue. PASSWORD -- Used to tell the management client that OpenVPN needs a password, also to indicate password verification failure. STATE -- Shows the current OpenVPN state, as controlled by the "state" command. The CLIENT notification ----------------------- The ">CLIENT:" notification is enabled by the --management-client-auth OpenVPN configuration directive that gives the management interface client the responsibility to authenticate OpenVPN clients after their client certificate has been verified. CLIENT notifications may be multi-line, and the sequentiality of a given CLIENT notification, its associated environmental variables, and the terminating ">CLIENT:ENV,END" line are guaranteed to be atomic. CLIENT notification types: (1) Notify new client connection ("CONNECT") or existing client TLS session renegotiation ("REAUTH"). Information about the client is provided by a list of environmental variables which are documented in the OpenVPN man page. The environmental variables passed are equivalent to those that would be passed to an --auth-user-pass-verify script. >CLIENT:CONNECT|REAUTH,{CID},{KID} >CLIENT:ENV,name1=val1 >CLIENT:ENV,name2=val2 >CLIENT:ENV,... >CLIENT:ENV,END (2) Notify successful client authentication and session initiation. Called after CONNECT. >CLIENT:ESTABLISHED,{CID} >CLIENT:ENV,name1=val1 >CLIENT:ENV,name2=val2 >CLIENT:ENV,... >CLIENT:ENV,END (3) Notify existing client disconnection. The environmental variables passed are equivalent to those that would be passed to a --client-disconnect script. >CLIENT:DISCONNECT,{CID} >CLIENT:ENV,name1=val1 >CLIENT:ENV,name2=val2 >CLIENT:ENV,... >CLIENT:ENV,END (4) Notify that a particular virtual address or subnet is now associated with a specific client. >CLIENT:ADDRESS,{CID},{ADDR},{PRI} Variables: CID -- Client ID, numerical ID for each connecting client, sequence = 0,1,2,... KID -- Key ID, numerical ID for the key associated with a given client TLS session, sequence = 0,1,2,... PRI -- Primary (1) or Secondary (0) VPN address/subnet. All clients have at least one primary IP address. Secondary address/subnets are associated with client-specific "iroute" directives. ADDR -- IPv4 address/subnet in the form 1.2.3.4 or 1.2.3.0/255.255.255.0 In the unlikely scenario of an extremely long-running OpenVPN server, CID and KID should be assumed to recycle to 0 after (2^32)-1, however this recycling behavior is guaranteed to be collision-free. Command Parsing --------------- The management interface uses the same command line lexical analyzer as is used by the OpenVPN config file parser. Whitespace is a parameter separator. Double quotation or single quotation characters ("", '') can be used to enclose parameters containing whitespace. Backslash-based shell escaping is performed, using the following mappings, when not in single quotations: \\ Maps to a single backslash character (\). \" Pass a literal doublequote character ("), don't interpret it as enclosing a parameter. \[SPACE] Pass a literal space or tab character, don't interpret it as a parameter delimiter. Challenge/Response Protocol --------------------------- The OpenVPN Challenge/Response Protocol allows an OpenVPN server to generate challenge questions that are shown to the user, and to see the user's responses to those challenges. Based on the responses, the server can allow or deny access. In this way, the OpenVPN Challenge/Response Protocol can be used to implement multi-factor authentication. Two different variations on the challenge/response protocol are supported: the "Dynamic" and "Static" protocols. The basic idea of Challenge/Response is that the user must enter an additional piece of information, in addition to the username and password, to successfully authenticate. Normally, this information is used to prove that the user posesses a certain key-like device such as cryptographic token or a particular mobile phone. Dynamic protocol: The OpenVPN dynamic challenge/response protocol works by returning a specially formatted error message after initial successful authentication. This error message contains the challenge question, and is formatted as such: CRV1:::: flags: a series of optional, comma-separated flags: E : echo the response when the user types it R : a response is required state_id: an opaque string that should be returned to the server along with the response. username_base64 : the username formatted as base64 challenge_text : the challenge text to be shown to the user Example challenge: CRV1:R,E:Om01u7Fh4LrGBS7uh0SWmzwabUiGiW6l:Y3Ix:Please enter token PIN After showing the challenge_text and getting a response from the user (if R flag is specified), the client should submit the following auth creds back to the OpenVPN server: Username: [username decoded from username_base64] Password: CRV1:::: Where state_id is taken from the challenge request and response_text is what the user entered in response to the challenge_text. If the R flag is not present, response_text may be the empty string. Example response (suppose the user enters "8675309" for the token PIN): Username: cr1 ("Y3Ix" base64 decoded) Password: CRV1::Om01u7Fh4LrGBS7uh0SWmzwabUiGiW6l::8675309 Static protocol: The static protocol differs from the dynamic protocol in that the challenge question and response field is given to the user in the initial username/password dialog, and the username, password, and response are delivered back to the server in a single transaction. The "static-challenge" directive is used to give the challenge text to OpenVPN and indicate whether or not the response should be echoed. When the "static-challenge" directive is used, the management interface will respond as such when credentials are needed: >PASSWORD:Need 'Auth' username/password SC:, ECHO: "1" if response should be echoed, "0" to not echo TEXT: challenge text that should be shown to the user to facilitate their response For example: >PASSWORD:Need 'Auth' username/password SC:1,Please enter token PIN The above notification indicates that OpenVPN needs a --auth-user-pass password plus a response to a static challenge ("Please enter token PIN"). The "1" after the "SC:" indicates that the response should be echoed. The management interface client in this case should add the static challenge text to the auth dialog followed by a field for the user to enter a response. Then the client should pack the password and response together into an encoded password: username "Auth" foo password "Auth" "SCRV1::" For example, if the user entered "bar" as the password and 8675309 as the PIN, the following management interface commands should be issued: username "Auth" foo password "Auth" "SCRV1:Zm9v:ODY3NTMwOQ==" Client-side support for challenge/response protocol: Currently, the Access Server client and standalone OpenVPN client support both static and dynamic challenge/response protocols. However, any OpenVPN client UI that drives OpenVPN via the management interface needs to add explicit support for the challenge/response protocol. openvpn-2.4.4/doc/openvpn.8000066400000000000000000006771071316434344000155550ustar00rootroot00000000000000.\" OpenVPN -- An application to securely tunnel IP networks .\" over a single TCP/UDP port, with support for SSL/TLS-based .\" session authentication and key exchange, .\" packet encryption, packet authentication, and .\" packet compression. .\" .\" Copyright (C) 2002-2017 OpenVPN Technologies, Inc. .\" .\" This program is free software; you can redistribute it and/or modify .\" it under the terms of the GNU General Public License version 2 .\" as published by the Free Software Foundation. .\" .\" This program is distributed in the hope that it will be useful, .\" but WITHOUT ANY WARRANTY; without even the implied warranty of .\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the .\" GNU General Public License for more details. .\" .\" You should have received a copy of the GNU General Public License along .\" with this program; if not, write to the Free Software Foundation, Inc., .\" 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. .\" .\" Manual page for openvpn .\" .\" SH section heading .\" SS subsection heading .\" LP paragraph .\" IP indented paragraph .\" TP hanging label .\" .\" .nf -- no formatting .\" .fi -- resume formatting .\" .ft 3 -- boldface .\" .ft -- normal face .\" .in +|-{n} -- indent .\" .TH openvpn 8 "25 August 2016" .\"********************************************************* .SH NAME openvpn \- secure IP tunnel daemon. .\"********************************************************* .SH SYNOPSIS .ft 3 openvpn [ options ... ] .ft .\"********************************************************* .SH INTRODUCTION .LP OpenVPN is an open source VPN daemon by James Yonan. Because OpenVPN tries to be a universal VPN tool offering a great deal of flexibility, there are a lot of options on this manual page. If you're new to OpenVPN, you might want to skip ahead to the examples section where you will see how to construct simple VPNs on the command line without even needing a configuration file. Also note that there's more documentation and examples on the OpenVPN web site: .I http://openvpn.net/ And if you would like to see a shorter version of this manual, see the openvpn usage message which can be obtained by running .B openvpn without any parameters. .\"********************************************************* .SH DESCRIPTION .LP OpenVPN is a robust and highly flexible VPN daemon. OpenVPN supports SSL/TLS security, ethernet bridging, TCP or UDP tunnel transport through proxies or NAT, support for dynamic IP addresses and DHCP, scalability to hundreds or thousands of users, and portability to most major OS platforms. OpenVPN is tightly bound to the OpenSSL library, and derives much of its crypto capabilities from it. OpenVPN supports conventional encryption using a pre\-shared secret key .B (Static Key mode) or public key security .B (SSL/TLS mode) using client & server certificates. OpenVPN also supports non\-encrypted TCP/UDP tunnels. OpenVPN is designed to work with the .B TUN/TAP virtual networking interface that exists on most platforms. Overall, OpenVPN aims to offer many of the key features of IPSec but with a relatively lightweight footprint. .\"********************************************************* .SH OPTIONS OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double\-leading\-dash ("\-\-"), this prefix can be removed when an option is placed in a configuration file. .\"********************************************************* .TP .B \-\-help Show options. .\"********************************************************* .TP .B \-\-config file Load additional config options from .B file where each line corresponds to one command line option, but with the leading '\-\-' removed. If .B \-\-config file is the only option to the openvpn command, the .B \-\-config can be removed, and the command can be given as .B openvpn file Note that configuration files can be nested to a reasonable depth. Double quotation or single quotation characters ("", '') can be used to enclose single parameters containing whitespace, and "#" or ";" characters in the first column can be used to denote comments. Note that OpenVPN 2.0 and higher performs backslash\-based shell escaping for characters not in single quotations, so the following mappings should be observed: .nf .ft 3 .in +4 \\\\ Maps to a single backslash character (\\). \\" Pass a literal doublequote character ("), don't interpret it as enclosing a parameter. \\[SPACE] Pass a literal space or tab character, don't interpret it as a parameter delimiter. .in -4 .ft .fi For example on Windows, use double backslashes to represent pathnames: .nf .ft 3 .in +4 secret "c:\\\\OpenVPN\\\\secret.key" .in -4 .ft .fi For examples of configuration files, see .I http://openvpn.net/examples.html Here is an example configuration file: .nf .ft 3 .in +4 # # Sample OpenVPN configuration file for # using a pre\-shared static key. # # '#' or ';' may be used to delimit comments. # Use a dynamic tun device. dev tun # Our remote peer remote mypeer.mydomain # 10.1.0.1 is our local VPN endpoint # 10.1.0.2 is our remote VPN endpoint ifconfig 10.1.0.1 10.1.0.2 # Our pre\-shared static key secret static.key .in -4 .ft .fi .\"********************************************************* .SS Tunnel Options: .TP .B \-\-mode m Set OpenVPN major mode. By default, OpenVPN runs in point\-to\-point mode ("p2p"). OpenVPN 2.0 introduces a new mode ("server") which implements a multi\-client server capability. .\"********************************************************* .TP .B \-\-local host Local host name or IP address for bind. If specified, OpenVPN will bind to this address only. If unspecified, OpenVPN will bind to all interfaces. .\"********************************************************* .TP .B \-\-remote host [port] [proto] Remote host name or IP address. On the client, multiple .B \-\-remote options may be specified for redundancy, each referring to a different OpenVPN server. Specifying multiple .B \-\-remote options for this purpose is a special case of the more general connection\-profile feature. See the .B documentation below. The OpenVPN client will try to connect to a server at .B host:port in the order specified by the list of .B \-\-remote options. .B proto indicates the protocol to use when connecting with the remote, and may be "tcp" or "udp". For forcing IPv4 or IPv6 connection suffix tcp or udp with 4/6 like udp4/udp6/tcp4/tcp6. The client will move on to the next host in the list, in the event of connection failure. Note that at any given time, the OpenVPN client will at most be connected to one server. Note that since UDP is connectionless, connection failure is defined by the .B \-\-ping and .B \-\-ping\-restart options. Note the following corner case: If you use multiple .B \-\-remote options, AND you are dropping root privileges on the client with .B \-\-user and/or .B \-\-group, AND the client is running a non\-Windows OS, if the client needs to switch to a different server, and that server pushes back different TUN/TAP or route settings, the client may lack the necessary privileges to close and reopen the TUN/TAP interface. This could cause the client to exit with a fatal error. If .B \-\-remote is unspecified, OpenVPN will listen for packets from any IP address, but will not act on those packets unless they pass all authentication tests. This requirement for authentication is binding on all potential peers, even those from known and supposedly trusted IP addresses (it is very easy to forge a source IP address on a UDP packet). When used in TCP mode, .B \-\-remote will act as a filter, rejecting connections from any host which does not match .B host. If .B host is a DNS name which resolves to multiple IP addresses, OpenVPN will try them in the order that the system getaddrinfo() presents them, so priorization and DNS randomization is done by the system library. Unless an IP version is forced by the protocol specification (4/6 suffix), OpenVPN will try both IPv4 and IPv6 addresses, in the order getaddrinfo() returns them. .\"********************************************************* .TP .B \-\-remote\-random\-hostname Prepend a random string (6 bytes, 12 hex characters) to hostname to prevent DNS caching. For example, "foo.bar.gov" would be modified to ".foo.bar.gov". .\"********************************************************* .TP .B Define a client connection profile. Client connection profiles are groups of OpenVPN options that describe how to connect to a given OpenVPN server. Client connection profiles are specified within an OpenVPN configuration file, and each profile is bracketed by .B and .B . An OpenVPN client will try each connection profile sequentially until it achieves a successful connection. .B \-\-remote\-random can be used to initially "scramble" the connection list. Here is an example of connection profile usage: .nf .ft 3 .in +4 client dev tun remote 198.19.34.56 1194 udp remote 198.19.34.56 443 tcp remote 198.19.34.56 443 tcp http\-proxy 192.168.0.8 8080 remote 198.19.36.99 443 tcp http\-proxy 192.168.0.8 8080 persist\-key persist\-tun pkcs12 client.p12 remote\-cert\-tls server verb 3 .in -4 .ft .fi First we try to connect to a server at 198.19.34.56:1194 using UDP. If that fails, we then try to connect to 198.19.34.56:443 using TCP. If that also fails, then try connecting through an HTTP proxy at 192.168.0.8:8080 to 198.19.34.56:443 using TCP. Finally, try to connect through the same proxy to a server at 198.19.36.99:443 using TCP. The following OpenVPN options may be used inside of a .B block: .B bind, .B connect\-retry, .B connect\-retry\-max, .B connect\-timeout, .B explicit\-exit\-notify, .B float, .B fragment, .B http\-proxy, .B http\-proxy\-option, .B link\-mtu, .B local, .B lport, .B mssfix, .B mtu\-disc, .B nobind, .B port, .B proto, .B remote, .B rport, .B socks\-proxy, .B tun\-mtu and .B tun\-mtu\-extra. A defaulting mechanism exists for specifying options to apply to all .B profiles. If any of the above options (with the exception of .B remote ) appear outside of a .B block, but in a configuration file which has one or more .B blocks, the option setting will be used as a default for .B blocks which follow it in the configuration file. For example, suppose the .B nobind option were placed in the sample configuration file above, near the top of the file, before the first .B block. The effect would be as if .B nobind were declared in all .B blocks below it. .\"********************************************************* .TP .B \-\-proto\-force p When iterating through connection profiles, only consider profiles using protocol .B p ('tcp'|'udp'). .\"********************************************************* .TP .B \-\-remote\-random When multiple .B \-\-remote address/ports are specified, or if connection profiles are being used, initially randomize the order of the list as a kind of basic load\-balancing measure. .\"********************************************************* .TP .B \-\-proto p Use protocol .B p for communicating with remote host. .B p can be .B udp, .B tcp\-client, or .B tcp\-server. The default protocol is .B udp when .B \-\-proto is not specified. For UDP operation, .B \-\-proto udp should be specified on both peers. For TCP operation, one peer must use .B \-\-proto tcp\-server and the other must use .B \-\-proto tcp\-client. A peer started with .B tcp\-server will wait indefinitely for an incoming connection. A peer started with .B tcp\-client will attempt to connect, and if that fails, will sleep for 5 seconds (adjustable via the .B \-\-connect\-retry option) and try again infinite or up to N retries (adjustable via the .B \-\-connect\-retry\-max option). Both TCP client and server will simulate a SIGUSR1 restart signal if either side resets the connection. OpenVPN is designed to operate optimally over UDP, but TCP capability is provided for situations where UDP cannot be used. In comparison with UDP, TCP will usually be somewhat less efficient and less robust when used over unreliable or congested networks. This article outlines some of problems with tunneling IP over TCP: .I http://sites.inka.de/sites/bigred/devel/tcp\-tcp.html There are certain cases, however, where using TCP may be advantageous from a security and robustness perspective, such as tunneling non\-IP or application\-level UDP protocols, or tunneling protocols which don't possess a built\-in reliability layer. .\"********************************************************* .TP .B \-\-connect\-retry n [max] Wait .B n seconds between connection attempts (default=5). Repeated reconnection attempts are slowed down after 5 retries per remote by doubling the wait time after each unsuccessful attempt. The optional argument .B max specifies the maximum value of wait time in seconds at which it gets capped (default=300). .\"********************************************************* .TP .B \-\-connect\-retry\-max n .B n specifies the number of times each .B \-\-remote or .B entry is tried. Specifying .B n as one would try each entry exactly once. A successful connection resets the counter. (default=unlimited). .\"********************************************************* .TP .B \-\-show\-proxy\-settings Show sensed HTTP or SOCKS proxy settings. Currently, only Windows clients support this option. .\"********************************************************* .TP .B \-\-http\-proxy server port [authfile|'auto'|'auto\-nct'] [auth\-method] Connect to remote host through an HTTP proxy at address .B server and port .B port. If HTTP Proxy\-Authenticate is required, .B authfile is a file containing a username and password on 2 lines, or "stdin" to prompt from console. Its content can also be specified in the config file with the .B \-\-http\-proxy\-user\-pass option. (See section on inline files) .B auth\-method should be one of "none", "basic", or "ntlm". HTTP Digest authentication is supported as well, but only via the .B auto or .B auto\-nct flags (below). The .B auto flag causes OpenVPN to automatically determine the .B auth\-method and query stdin or the management interface for username/password credentials, if required. This flag exists on OpenVPN 2.1 or higher. The .B auto\-nct flag (no clear\-text auth) instructs OpenVPN to automatically determine the authentication method, but to reject weak authentication protocols such as HTTP Basic Authentication. .\"********************************************************* .TP .B \-\-http\-proxy\-option type [parm] Set extended HTTP proxy options. Repeat to set multiple options. .B VERSION version \-\- Set HTTP version number to .B version (default=1.0). .B AGENT user\-agent \-\- Set HTTP "User\-Agent" string to .B user\-agent. .B CUSTOM\-HEADER name content \-\- Adds the custom Header with .B name as name and .B content as the content of the custom HTTP header. .\"********************************************************* .TP .B \-\-socks\-proxy server [port] [authfile] Connect to remote host through a Socks5 proxy at address .B server and port .B port (default=1080). .B authfile (optional) is a file containing a username and password on 2 lines, or "stdin" to prompt from console. .\"********************************************************* .TP .B \-\-resolv\-retry n If hostname resolve fails for .B \-\-remote, retry resolve for .B n seconds before failing. Set .B n to "infinite" to retry indefinitely. By default, .B \-\-resolv\-retry infinite is enabled. You can disable by setting n=0. .\"********************************************************* .TP .B \-\-float Allow remote peer to change its IP address and/or port number, such as due to DHCP (this is the default if .B \-\-remote is not used). .B \-\-float when specified with .B \-\-remote allows an OpenVPN session to initially connect to a peer at a known address, however if packets arrive from a new address and pass all authentication tests, the new address will take control of the session. This is useful when you are connecting to a peer which holds a dynamic address such as a dial\-in user or DHCP client. Essentially, .B \-\-float tells OpenVPN to accept authenticated packets from any address, not only the address which was specified in the .B \-\-remote option. .\"********************************************************* .TP .B \-\-ipchange cmd Run command .B cmd when our remote ip\-address is initially authenticated or changes. .B cmd consists of a path to script (or executable program), optionally followed by arguments. The path and arguments may be single\- or double\-quoted and/or escaped using a backslash, and should be separated by one or more spaces. When .B cmd is executed two arguments are appended after any arguments specified in .B cmd , as follows: .B cmd ip_address port_number Don't use .B \-\-ipchange in .B \-\-mode server mode. Use a .B \-\-client\-connect script instead. See the "Environmental Variables" section below for additional parameters passed as environmental variables. If you are running in a dynamic IP address environment where the IP addresses of either peer could change without notice, you can use this script, for example, to edit the .I /etc/hosts file with the current address of the peer. The script will be run every time the remote peer changes its IP address. Similarly if .I our IP address changes due to DHCP, we should configure our IP address change script (see man page for .BR dhcpcd (8) ) to deliver a .B SIGHUP or .B SIGUSR1 signal to OpenVPN. OpenVPN will then reestablish a connection with its most recently authenticated peer on its new IP address. .\"********************************************************* .TP .B \-\-port port TCP/UDP port number or port name for both local and remote (sets both .B \-\-lport and .B \-\-rport options to given port). The current default of 1194 represents the official IANA port number assignment for OpenVPN and has been used since version 2.0\-beta17. Previous versions used port 5000 as the default. .\"********************************************************* .TP .B \-\-lport port Set local TCP/UDP port number or name. Cannot be used together with .B \-\-nobind option. .\"********************************************************* .TP .B \-\-rport port Set TCP/UDP port number or name used by the .B \-\-remote option. The port can also be set directly using the .B \-\-remote option. .\"********************************************************* .TP .B \-\-bind [ipv6only] Bind to local address and port. This is the default unless any of .B \-\-proto tcp\-client , .B \-\-http\-proxy or .B \-\-socks\-proxy are used. If the .B ipv6only keyword is present OpenVPN will bind only to IPv6 (as oposed to IPv6 and IPv4) when a IPv6 socket is opened. .\"********************************************************* .TP .B \-\-nobind Do not bind to local address and port. The IP stack will allocate a dynamic port for returning packets. Since the value of the dynamic port could not be known in advance by a peer, this option is only suitable for peers which will be initiating connections by using the .B \-\-remote option. .\"********************************************************* .TP .B \-\-dev tunX | tapX | null TUN/TAP virtual network device ( .B X can be omitted for a dynamic device.) See examples section below for an example on setting up a TUN device. You must use either tun devices on both ends of the connection or tap devices on both ends. You cannot mix them, as they represent different underlying network layers. .B tun devices encapsulate IPv4 or IPv6 (OSI Layer 3) while .B tap devices encapsulate Ethernet 802.3 (OSI Layer 2). .\"********************************************************* .TP .B \-\-dev\-type device\-type Which device type are we using? .B device\-type should be .B tun (OSI Layer 3) or .B tap (OSI Layer 2). Use this option only if the TUN/TAP device used with .B \-\-dev does not begin with .B tun or .B tap. .\"********************************************************* .TP .B \-\-topology mode Configure virtual addressing topology when running in .B \-\-dev tun mode. This directive has no meaning in .B \-\-dev tap mode, which always uses a .B subnet topology. If you set this directive on the server, the .B \-\-server and .B \-\-server\-bridge directives will automatically push your chosen topology setting to clients as well. This directive can also be manually pushed to clients. Like the .B \-\-dev directive, this directive must always be compatible between client and server. .B mode can be one of: .B net30 \-\- Use a point\-to\-point topology, by allocating one /30 subnet per client. This is designed to allow point\-to\-point semantics when some or all of the connecting clients might be Windows systems. This is the default on OpenVPN 2.0. .B p2p \-\- Use a point\-to\-point topology where the remote endpoint of the client's tun interface always points to the local endpoint of the server's tun interface. This mode allocates a single IP address per connecting client. Only use when none of the connecting clients are Windows systems. This mode is functionally equivalent to the .B \-\-ifconfig\-pool\-linear directive which is available in OpenVPN 2.0, is deprecated and will be removed in OpenVPN 2.5 .B subnet \-\- Use a subnet rather than a point\-to\-point topology by configuring the tun interface with a local IP address and subnet mask, similar to the topology used in .B \-\-dev tap and ethernet bridging mode. This mode allocates a single IP address per connecting client and works on Windows as well. Only available when server and clients are OpenVPN 2.1 or higher, or OpenVPN 2.0.x which has been manually patched with the .B \-\-topology directive code. When used on Windows, requires version 8.2 or higher of the TAP\-Win32 driver. When used on *nix, requires that the tun driver supports an .BR ifconfig (8) command which sets a subnet instead of a remote endpoint IP address. This option exists in OpenVPN 2.1 or higher. Note: Using .B \-\-topology subnet changes the interpretation of the arguments of .B \-\-ifconfig to mean "address netmask", no longer "local remote". .\"********************************************************* .TP .B \-\-dev\-node node Explicitly set the device node rather than using /dev/net/tun, /dev/tun, /dev/tap, etc. If OpenVPN cannot figure out whether .B node is a TUN or TAP device based on the name, you should also specify .B \-\-dev\-type tun or .B \-\-dev\-type tap. Under Mac OS X this option can be used to specify the default tun implementation. Using .B \-\-dev\-node utun forces usage of the native Darwin tun kernel support. Use .B \-\-dev\-node utunN to select a specific utun instance. To force using the tun.kext (/dev/tunX) use .B \-\-dev\-node tun\fR. When not specifying a .B \-\-dev\-node option openvpn will first try to open utun, and fall back to tun.kext. On Windows systems, select the TAP\-Win32 adapter which is named .B node in the Network Connections Control Panel or the raw GUID of the adapter enclosed by braces. The .B \-\-show\-adapters option under Windows can also be used to enumerate all available TAP\-Win32 adapters and will show both the network connections control panel name and the GUID for each TAP\-Win32 adapter. .TP .B \-\-lladdr address Specify the link layer address, more commonly known as the MAC address. Only applied to TAP devices. .\"********************************************************* .TP .B \-\-iproute cmd Set alternate command to execute instead of default iproute2 command. May be used in order to execute OpenVPN in unprivileged environment. .\"********************************************************* .TP .B \-\-ifconfig l rn Set TUN/TAP adapter parameters. .B l is the IP address of the local VPN endpoint. For TUN devices in point\-to\-point mode, .B rn is the IP address of the remote VPN endpoint. For TAP devices, or TUN devices used with .B \-\-topology subnet, .B rn is the subnet mask of the virtual network segment which is being created or connected to. For TUN devices, which facilitate virtual point\-to\-point IP connections (when used in .B \-\-topology net30 or .B p2p mode), the proper usage of .B \-\-ifconfig is to use two private IP addresses which are not a member of any existing subnet which is in use. The IP addresses may be consecutive and should have their order reversed on the remote peer. After the VPN is established, by pinging .B rn, you will be pinging across the VPN. For TAP devices, which provide the ability to create virtual ethernet segments, or TUN devices in .B \-\-topology subnet mode (which create virtual "multipoint networks"), .B \-\-ifconfig is used to set an IP address and subnet mask just as a physical ethernet adapter would be similarly configured. If you are attempting to connect to a remote ethernet bridge, the IP address and subnet should be set to values which would be valid on the the bridged ethernet segment (note also that DHCP can be used for the same purpose). This option, while primarily a proxy for the .BR ifconfig (8) command, is designed to simplify TUN/TAP tunnel configuration by providing a standard interface to the different ifconfig implementations on different platforms. .B \-\-ifconfig parameters which are IP addresses can also be specified as a DNS or /etc/hosts file resolvable name. For TAP devices, .B \-\-ifconfig should not be used if the TAP interface will be getting an IP address lease from a DHCP server. .\"********************************************************* .TP .B \-\-ifconfig\-noexec Don't actually execute ifconfig/netsh commands, instead pass .B \-\-ifconfig parameters to scripts using environmental variables. .\"********************************************************* .TP .B \-\-ifconfig\-nowarn Don't output an options consistency check warning if the .B \-\-ifconfig option on this side of the connection doesn't match the remote side. This is useful when you want to retain the overall benefits of the options consistency check (also see .B \-\-disable\-occ option) while only disabling the ifconfig component of the check. For example, if you have a configuration where the local host uses .B \-\-ifconfig but the remote host does not, use .B \-\-ifconfig\-nowarn on the local host. This option will also silence warnings about potential address conflicts which occasionally annoy more experienced users by triggering "false positive" warnings. .\"********************************************************* .TP .B \-\-route network/IP [netmask] [gateway] [metric] Add route to routing table after connection is established. Multiple routes can be specified. Routes will be automatically torn down in reverse order prior to TUN/TAP device close. This option is intended as a convenience proxy for the .BR route (8) shell command, while at the same time providing portable semantics across OpenVPN's platform space. .B netmask default \-\- 255.255.255.255 .B gateway default \-\- taken from .B \-\-route\-gateway or the second parameter to .B \-\-ifconfig when .B \-\-dev tun is specified. .B metric default \-\- taken from .B \-\-route\-metric otherwise 0. The default can be specified by leaving an option blank or setting it to "default". The .B network and .B gateway parameters can also be specified as a DNS or /etc/hosts file resolvable name, or as one of three special keywords: .B vpn_gateway \-\- The remote VPN endpoint address (derived either from .B \-\-route\-gateway or the second parameter to .B \-\-ifconfig when .B \-\-dev tun is specified). .B net_gateway \-\- The pre\-existing IP default gateway, read from the routing table (not supported on all OSes). .B remote_host \-\- The .B \-\-remote address if OpenVPN is being run in client mode, and is undefined in server mode. .\"********************************************************* .TP .B \-\-route\-gateway gw|'dhcp' Specify a default gateway .B gw for use with .B \-\-route. If .B dhcp is specified as the parameter, the gateway address will be extracted from a DHCP negotiation with the OpenVPN server\-side LAN. .\"********************************************************* .TP .B \-\-route\-metric m Specify a default metric .B m for use with .B \-\-route. .\"********************************************************* .TP .B \-\-route\-delay [n] [w] Delay .B n seconds (default=0) after connection establishment, before adding routes. If .B n is 0, routes will be added immediately upon connection establishment. If .B \-\-route\-delay is omitted, routes will be added immediately after TUN/TAP device open and .B \-\-up script execution, before any .B \-\-user or .B \-\-group privilege downgrade (or .B \-\-chroot execution.) This option is designed to be useful in scenarios where DHCP is used to set tap adapter addresses. The delay will give the DHCP handshake time to complete before routes are added. On Windows, .B \-\-route\-delay tries to be more intelligent by waiting .B w seconds (w=30 by default) for the TAP\-Win32 adapter to come up before adding routes. .\"********************************************************* .TP .B \-\-route\-up cmd Run command .B cmd after routes are added, subject to .B \-\-route\-delay. .B cmd consists of a path to script (or executable program), optionally followed by arguments. The path and arguments may be single\- or double\-quoted and/or escaped using a backslash, and should be separated by one or more spaces. See the "Environmental Variables" section below for additional parameters passed as environmental variables. .\"********************************************************* .TP .B \-\-route\-pre\-down cmd Run command .B cmd before routes are removed upon disconnection. .B cmd consists of a path to script (or executable program), optionally followed by arguments. The path and arguments may be single\- or double\-quoted and/or escaped using a backslash, and should be separated by one or more spaces. See the "Environmental Variables" section below for additional parameters passed as environmental variables. .\"********************************************************* .TP .B \-\-route\-noexec Don't add or remove routes automatically. Instead pass routes to .B \-\-route\-up script using environmental variables. .\"********************************************************* .TP .B \-\-route\-nopull When used with .B \-\-client or .B \-\-pull, accept options pushed by server EXCEPT for routes, block\-outside\-dns and dhcp options like DNS servers. When used on the client, this option effectively bars the server from adding routes to the client's routing table, however note that this option still allows the server to set the TCP/IP properties of the client's TUN/TAP interface. .\"********************************************************* .TP .B \-\-allow\-pull\-fqdn Allow client to pull DNS names from server (rather than being limited to IP address) for .B \-\-ifconfig, .B \-\-route, and .B \-\-route\-gateway. .\"********************************************************* .TP .B \-\-client\-nat snat|dnat network netmask alias This pushable client option sets up a stateless one\-to\-one NAT rule on packet addresses (not ports), and is useful in cases where routes or ifconfig settings pushed to the client would create an IP numbering conflict. .B network/netmask (for example 192.168.0.0/255.255.0.0) defines the local view of a resource from the client perspective, while .B alias/netmask (for example 10.64.0.0/255.255.0.0) defines the remote view from the server perspective. Use .B snat (source NAT) for resources owned by the client and .B dnat (destination NAT) for remote resources. Set .B \-\-verb 6 for debugging info showing the transformation of src/dest addresses in packets. .\"********************************************************* .TP .B \-\-redirect\-gateway flags... Automatically execute routing commands to cause all outgoing IP traffic to be redirected over the VPN. This is a client\-side option. This option performs three steps: .B (1) Create a static route for the .B \-\-remote address which forwards to the pre\-existing default gateway. This is done so that .B (3) will not create a routing loop. .B (2) Delete the default gateway route. .B (3) Set the new default gateway to be the VPN endpoint address (derived either from .B \-\-route\-gateway or the second parameter to .B \-\-ifconfig when .B \-\-dev tun is specified). When the tunnel is torn down, all of the above steps are reversed so that the original default route is restored. Option flags: .B local \-\- Add the .B local flag if both OpenVPN servers are directly connected via a common subnet, such as with wireless. The .B local flag will cause step .B 1 above to be omitted. .B autolocal \-\- Try to automatically determine whether to enable .B local flag above. .B def1 \-\- Use this flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. .B bypass\-dhcp \-\- Add a direct route to the DHCP server (if it is non\-local) which bypasses the tunnel (Available on Windows clients, may not be available on non\-Windows clients). .B bypass\-dns \-\- Add a direct route to the DNS server(s) (if they are non\-local) which bypasses the tunnel (Available on Windows clients, may not be available on non\-Windows clients). .B block\-local \-\- Block access to local LAN when the tunnel is active, except for the LAN gateway itself. This is accomplished by routing the local LAN (except for the LAN gateway address) into the tunnel. .B ipv6 \-\- Redirect IPv6 routing into the tunnel. This works similar to the .B def1 flag, that is, more specific IPv6 routes are added (2000::/4, 3000::/4), covering the whole IPv6 unicast space. .B !ipv4 \-\- Do not redirect IPv4 traffic \- typically used in the flag pair .B "ipv6 !ipv4" to redirect IPv6\-only. .\"********************************************************* .TP .B \-\-link\-mtu n Sets an upper bound on the size of UDP packets which are sent between OpenVPN peers. It's best not to set this parameter unless you know what you're doing. .\"********************************************************* .\"********************************************************* .TP .B \-\-redirect\-private [flags] Like \-\-redirect\-gateway, but omit actually changing the default gateway. Useful when pushing private subnets. .\"********************************************************* .TP .B \-\-tun\-mtu n Take the TUN device MTU to be .B n and derive the link MTU from it (default=1500). In most cases, you will probably want to leave this parameter set to its default value. The MTU (Maximum Transmission Units) is the maximum datagram size in bytes that can be sent unfragmented over a particular network path. OpenVPN requires that packets on the control or data channels be sent unfragmented. MTU problems often manifest themselves as connections which hang during periods of active usage. It's best to use the .B \-\-fragment and/or .B \-\-mssfix options to deal with MTU sizing issues. .\"********************************************************* .TP .B \-\-tun\-mtu\-extra n Assume that the TUN/TAP device might return as many as .B n bytes more than the .B \-\-tun\-mtu size on read. This parameter defaults to 0, which is sufficient for most TUN devices. TAP devices may introduce additional overhead in excess of the MTU size, and a setting of 32 is the default when TAP devices are used. This parameter only controls internal OpenVPN buffer sizing, so there is no transmission overhead associated with using a larger value. .\"********************************************************* .TP .B \-\-mtu\-disc type Should we do Path MTU discovery on TCP/UDP channel? Only supported on OSes such as Linux that supports the necessary system call to set. .B 'no' \-\- Never send DF (Don't Fragment) frames .br .B 'maybe' \-\- Use per\-route hints .br .B 'yes' \-\- Always DF (Don't Fragment) .br .\"********************************************************* .TP .B \-\-mtu\-test To empirically measure MTU on connection startup, add the .B \-\-mtu\-test option to your configuration. OpenVPN will send ping packets of various sizes to the remote peer and measure the largest packets which were successfully received. The .B \-\-mtu\-test process normally takes about 3 minutes to complete. .\"********************************************************* .TP .B \-\-fragment max Enable internal datagram fragmentation so that no UDP datagrams are sent which are larger than .B max bytes. The .B max parameter is interpreted in the same way as the .B \-\-link\-mtu parameter, i.e. the UDP packet size after encapsulation overhead has been added in, but not including the UDP header itself. The .B \-\-fragment option only makes sense when you are using the UDP protocol ( .B \-\-proto udp ). .B \-\-fragment adds 4 bytes of overhead per datagram. See the .B \-\-mssfix option below for an important related option to .B \-\-fragment. It should also be noted that this option is not meant to replace UDP fragmentation at the IP stack level. It is only meant as a last resort when path MTU discovery is broken. Using this option is less efficient than fixing path MTU discovery for your IP link and using native IP fragmentation instead. Having said that, there are circumstances where using OpenVPN's internal fragmentation capability may be your only option, such as tunneling a UDP multicast stream which requires fragmentation. .\"********************************************************* .TP .B \-\-mssfix max Announce to TCP sessions running over the tunnel that they should limit their send packet sizes such that after OpenVPN has encapsulated them, the resulting UDP packet size that OpenVPN sends to its peer will not exceed .B max bytes. The default value is .B 1450. The .B max parameter is interpreted in the same way as the .B \-\-link\-mtu parameter, i.e. the UDP packet size after encapsulation overhead has been added in, but not including the UDP header itself. Resulting packet would be at most 28 bytes larger for IPv4 and 48 bytes for IPv6 (20/40 bytes for IP header and 8 bytes for UDP header). Default value of 1450 allows IPv4 packets to be transmitted over a link with MTU 1473 or higher without IP level fragmentation. The .B \-\-mssfix option only makes sense when you are using the UDP protocol for OpenVPN peer\-to\-peer communication, i.e. .B \-\-proto udp. .B \-\-mssfix and .B \-\-fragment can be ideally used together, where .B \-\-mssfix will try to keep TCP from needing packet fragmentation in the first place, and if big packets come through anyhow (from protocols other than TCP), .B \-\-fragment will internally fragment them. Both .B \-\-fragment and .B \-\-mssfix are designed to work around cases where Path MTU discovery is broken on the network path between OpenVPN peers. The usual symptom of such a breakdown is an OpenVPN connection which successfully starts, but then stalls during active usage. If .B \-\-fragment and .B \-\-mssfix are used together, .B \-\-mssfix will take its default .B max parameter from the .B \-\-fragment max option. Therefore, one could lower the maximum UDP packet size to 1300 (a good first try for solving MTU\-related connection problems) with the following options: .B \-\-tun\-mtu 1500 \-\-fragment 1300 \-\-mssfix .\"********************************************************* .TP .B \-\-sndbuf size Set the TCP/UDP socket send buffer size. Defaults to operation system default. .\"********************************************************* .TP .B \-\-rcvbuf size Set the TCP/UDP socket receive buffer size. Defaults to operation system default. .\"********************************************************* .TP .B \-\-mark value Mark encrypted packets being sent with value. The mark value can be matched in policy routing and packetfilter rules. This option is only supported in Linux and does nothing on other operating systems. .\"********************************************************* .TP .B \-\-socket\-flags flags... Apply the given flags to the OpenVPN transport socket. Currently, only .B TCP_NODELAY is supported. The .B TCP_NODELAY socket flag is useful in TCP mode, and causes the kernel to send tunnel packets immediately over the TCP connection without trying to group several smaller packets into a larger packet. This can result in a considerably improvement in latency. This option is pushable from server to client, and should be used on both client and server for maximum effect. .\"********************************************************* .TP .B \-\-txqueuelen n (Linux only) Set the TX queue length on the TUN/TAP interface. Currently defaults to 100. .\"********************************************************* .TP .B \-\-shaper n Limit bandwidth of outgoing tunnel data to .B n bytes per second on the TCP/UDP port. Note that this will only work if mode is set to p2p. If you want to limit the bandwidth in both directions, use this option on both peers. OpenVPN uses the following algorithm to implement traffic shaping: Given a shaper rate of .I n bytes per second, after a datagram write of .I b bytes is queued on the TCP/UDP port, wait a minimum of .I (b / n) seconds before queuing the next write. It should be noted that OpenVPN supports multiple tunnels between the same two peers, allowing you to construct full\-speed and reduced bandwidth tunnels at the same time, routing low\-priority data such as off\-site backups over the reduced bandwidth tunnel, and other data over the full\-speed tunnel. Also note that for low bandwidth tunnels (under 1000 bytes per second), you should probably use lower MTU values as well (see above), otherwise the packet latency will grow so large as to trigger timeouts in the TLS layer and TCP connections running over the tunnel. OpenVPN allows .B n to be between 100 bytes/sec and 100 Mbytes/sec. .\"********************************************************* .TP .B \-\-inactive n [bytes] Causes OpenVPN to exit after .B n seconds of inactivity on the TUN/TAP device. The time length of inactivity is measured since the last incoming or outgoing tunnel packet. The default value is 0 seconds, which disables this feature. If the optional .B bytes parameter is included, exit if less than .B bytes of combined in/out traffic are produced on the tun/tap device in .B n seconds. In any case, OpenVPN's internal ping packets (which are just keepalives) and TLS control packets are not considered "activity", nor are they counted as traffic, as they are used internally by OpenVPN and are not an indication of actual user activity. .\"********************************************************* .TP .B \-\-ping n Ping remote over the TCP/UDP control channel if no packets have been sent for at least .B n seconds (specify .B \-\-ping on both peers to cause ping packets to be sent in both directions since OpenVPN ping packets are not echoed like IP ping packets). When used in one of OpenVPN's secure modes (where .B \-\-secret, \-\-tls\-server, or .B \-\-tls\-client is specified), the ping packet will be cryptographically secure. This option has two intended uses: (1) Compatibility with stateful firewalls. The periodic ping will ensure that a stateful firewall rule which allows OpenVPN UDP packets to pass will not time out. (2) To provide a basis for the remote to test the existence of its peer using the .B \-\-ping\-exit option. .\"********************************************************* .TP .B \-\-ping\-exit n Causes OpenVPN to exit after .B n seconds pass without reception of a ping or other packet from remote. This option can be combined with .B \-\-inactive, \-\-ping, and .B \-\-ping\-exit to create a two\-tiered inactivity disconnect. For example, .B openvpn [options...] \-\-inactive 3600 \-\-ping 10 \-\-ping\-exit 60 when used on both peers will cause OpenVPN to exit within 60 seconds if its peer disconnects, but will exit after one hour if no actual tunnel data is exchanged. .\"********************************************************* .TP .B \-\-ping\-restart n Similar to .B \-\-ping\-exit, but trigger a .B SIGUSR1 restart after .B n seconds pass without reception of a ping or other packet from remote. This option is useful in cases where the remote peer has a dynamic IP address and a low\-TTL DNS name is used to track the IP address using a service such as .I http://dyndns.org/ + a dynamic DNS client such as .B ddclient. If the peer cannot be reached, a restart will be triggered, causing the hostname used with .B \-\-remote to be re\-resolved (if .B \-\-resolv\-retry is also specified). In server mode, .B \-\-ping\-restart, \-\-inactive, or any other type of internally generated signal will always be applied to individual client instance objects, never to whole server itself. Note also in server mode that any internally generated signal which would normally cause a restart, will cause the deletion of the client instance object instead. In client mode, the .B \-\-ping\-restart parameter is set to 120 seconds by default. This default will hold until the client pulls a replacement value from the server, based on the .B \-\-keepalive setting in the server configuration. To disable the 120 second default, set .B \-\-ping\-restart 0 on the client. See the signals section below for more information on .B SIGUSR1. Note that the behavior of .B SIGUSR1 can be modified by the .B \-\-persist\-tun, \-\-persist\-key, \-\-persist\-local\-ip, and .B \-\-persist\-remote\-ip options. Also note that .B \-\-ping\-exit and .B \-\-ping\-restart are mutually exclusive and cannot be used together. .\"********************************************************* .TP .B \-\-keepalive interval timeout A helper directive designed to simplify the expression of .B \-\-ping and .B \-\-ping\-restart. This option can be used on both client and server side, but it is in enough to add this on the server side as it will push appropriate .B \-\-ping and .B \-\-ping\-restart options to the client. If used on both server and client, the values pushed from server will override the client local values. The .B timeout argument will be twice as long on the server side. This ensures that a timeout is detected on client side before the server side drops the connection. For example, .B \-\-keepalive 10 60 expands as follows: .nf .ft 3 .in +4 if mode server: ping 10 # Argument: interval ping\-restart 120 # Argument: timeout*2 push "ping 10" # Argument: interval push "ping\-restart 60" # Argument: timeout else ping 10 # Argument: interval ping\-restart 60 # Argument: timeout .in -4 .ft .fi .\"********************************************************* .TP .B \-\-ping\-timer\-rem Run the .B \-\-ping\-exit / .B \-\-ping\-restart timer only if we have a remote address. Use this option if you are starting the daemon in listen mode (i.e. without an explicit .B \-\-remote peer), and you don't want to start clocking timeouts until a remote peer connects. .\"********************************************************* .TP .B \-\-persist\-tun Don't close and reopen TUN/TAP device or run up/down scripts across .B SIGUSR1 or .B \-\-ping\-restart restarts. .B SIGUSR1 is a restart signal similar to .B SIGHUP, but which offers finer\-grained control over reset options. .\"********************************************************* .TP .B \-\-persist\-key Don't re\-read key files across .B SIGUSR1 or .B \-\-ping\-restart. This option can be combined with .B \-\-user nobody to allow restarts triggered by the .B SIGUSR1 signal. Normally if you drop root privileges in OpenVPN, the daemon cannot be restarted since it will now be unable to re\-read protected key files. This option solves the problem by persisting keys across .B SIGUSR1 resets, so they don't need to be re\-read. .\"********************************************************* .TP .B \-\-persist\-local\-ip Preserve initially resolved local IP address and port number across .B SIGUSR1 or .B \-\-ping\-restart restarts. .\"********************************************************* .TP .B \-\-persist\-remote\-ip Preserve most recently authenticated remote IP address and port number across .B SIGUSR1 or .B \-\-ping\-restart restarts. .\"********************************************************* .TP .B \-\-mlock Disable paging by calling the POSIX mlockall function. Requires that OpenVPN be initially run as root (though OpenVPN can subsequently downgrade its UID using the .B \-\-user option). Using this option ensures that key material and tunnel data are never written to disk due to virtual memory paging operations which occur under most modern operating systems. It ensures that even if an attacker was able to crack the box running OpenVPN, he would not be able to scan the system swap file to recover previously used ephemeral keys, which are used for a period of time governed by the .B \-\-reneg options (see below), then are discarded. The downside of using .B \-\-mlock is that it will reduce the amount of physical memory available to other applications. .\"********************************************************* .TP .B \-\-up cmd Run command .B cmd after successful TUN/TAP device open (pre .B \-\-user UID change). .B cmd consists of a path to script (or executable program), optionally followed by arguments. The path and arguments may be single\- or double\-quoted and/or escaped using a backslash, and should be separated by one or more spaces. The up command is useful for specifying route commands which route IP traffic destined for private subnets which exist at the other end of the VPN connection into the tunnel. For .B \-\-dev tun execute as: .B cmd tun_dev tun_mtu link_mtu ifconfig_local_ip ifconfig_remote_ip [ init | restart ] For .B \-\-dev tap execute as: .B cmd tap_dev tap_mtu link_mtu ifconfig_local_ip ifconfig_netmask [ init | restart ] See the "Environmental Variables" section below for additional parameters passed as environmental variables. Note that if .B cmd includes arguments, all OpenVPN\-generated arguments will be appended to them to build an argument list with which the executable will be called. Typically, .B cmd will run a script to add routes to the tunnel. Normally the up script is called after the TUN/TAP device is opened. In this context, the last command line parameter passed to the script will be .I init. If the .B \-\-up\-restart option is also used, the up script will be called for restarts as well. A restart is considered to be a partial reinitialization of OpenVPN where the TUN/TAP instance is preserved (the .B \-\-persist\-tun option will enable such preservation). A restart can be generated by a SIGUSR1 signal, a .B \-\-ping\-restart timeout, or a connection reset when the TCP protocol is enabled with the .B \-\-proto option. If a restart occurs, and .B \-\-up\-restart has been specified, the up script will be called with .I restart as the last parameter. NOTE: on restart, OpenVPN will not pass the full set of environment variables to the script. Namely, everything related to routing and gateways will not be passed, as nothing needs to be done anyway \- all the routing setup is already in place. Additionally, the up\-restart script will run with the downgraded UID/GID settings (if configured). The following standalone example shows how the .B \-\-up script can be called in both an initialization and restart context. (NOTE: for security reasons, don't run the following example unless UDP port 9999 is blocked by your firewall. Also, the example will run indefinitely, so you should abort with control\-c). .B openvpn \-\-dev tun \-\-port 9999 \-\-verb 4 \-\-ping\-restart 10 \-\-up 'echo up' \-\-down 'echo down' \-\-persist\-tun \-\-up\-restart Note that OpenVPN also provides the .B \-\-ifconfig option to automatically ifconfig the TUN device, eliminating the need to define an .B \-\-up script, unless you also want to configure routes in the .B \-\-up script. If .B \-\-ifconfig is also specified, OpenVPN will pass the ifconfig local and remote endpoints on the command line to the .B \-\-up script so that they can be used to configure routes such as: .B route add \-net 10.0.0.0 netmask 255.255.255.0 gw $5 .\"********************************************************* .TP .B \-\-up\-delay Delay TUN/TAP open and possible .B \-\-up script execution until after TCP/UDP connection establishment with peer. In .B \-\-proto udp mode, this option normally requires the use of .B \-\-ping to allow connection initiation to be sensed in the absence of tunnel data, since UDP is a "connectionless" protocol. On Windows, this option will delay the TAP\-Win32 media state transitioning to "connected" until connection establishment, i.e. the receipt of the first authenticated packet from the peer. .\"********************************************************* .TP .B \-\-down cmd Run command .B cmd after TUN/TAP device close (post .B \-\-user UID change and/or .B \-\-chroot ). .B cmd consists of a path to script (or executable program), optionally followed by arguments. The path and arguments may be single\- or double\-quoted and/or escaped using a backslash, and should be separated by one or more spaces. Called with the same parameters and environmental variables as the .B \-\-up option above. Note that if you reduce privileges by using .B \-\-user and/or .B \-\-group, your .B \-\-down script will also run at reduced privilege. .\"********************************************************* .TP .B \-\-down\-pre Call .B \-\-down cmd/script before, rather than after, TUN/TAP close. .\"********************************************************* .TP .B \-\-up\-restart Enable the .B \-\-up and .B \-\-down scripts to be called for restarts as well as initial program start. This option is described more fully above in the .B \-\-up option documentation. .\"********************************************************* .TP .B \-\-setenv name value Set a custom environmental variable .B name=value to pass to script. .\"********************************************************* .TP .B \-\-setenv FORWARD_COMPATIBLE 1 Relax config file syntax checking so that unknown directives will trigger a warning but not a fatal error, on the assumption that a given unknown directive might be valid in future OpenVPN versions. This option should be used with caution, as there are good security reasons for having OpenVPN fail if it detects problems in a config file. Having said that, there are valid reasons for wanting new software features to gracefully degrade when encountered by older software versions. It is also possible to tag a single directive so as not to trigger a fatal error if the directive isn't recognized. To do this, prepend the following before the directive: .B setenv opt Versions prior to OpenVPN 2.3.3 will always ignore options set with the .B setenv opt directive. See also .B \-\-ignore\-unknown\-option .\"********************************************************* .TP .B \-\-setenv\-safe name value Set a custom environmental variable .B OPENVPN_name=value to pass to script. This directive is designed to be pushed by the server to clients, and the prepending of "OPENVPN_" to the environmental variable is a safety precaution to prevent a LD_PRELOAD style attack from a malicious or compromised server. .\"********************************************************* .TP .B \-\-ignore\-unknown\-option opt1 opt2 opt3 ... optN When one of options .B opt1 ... optN is encountered in the configuration file the configuration file parsing does not fail if this OpenVPN version does not support the option. Multiple .B \-\-ignore\-unknown\-option options can be given to support a larger number of options to ignore. This option should be used with caution, as there are good security reasons for having OpenVPN fail if it detects problems in a config file. Having said that, there are valid reasons for wanting new software features to gracefully degrade when encountered by older software versions. .B \-\-ignore\-unknown\-option is available since OpenVPN 2.3.3. .\"********************************************************* .TP .B \-\-script\-security level This directive offers policy\-level control over OpenVPN's usage of external programs and scripts. Lower .B level values are more restrictive, higher values are more permissive. Settings for .B level: .B 0 \-\- Strictly no calling of external programs. .br .B 1 \-\- (Default) Only call built\-in executables such as ifconfig, ip, route, or netsh. .br .B 2 \-\- Allow calling of built\-in executables and user\-defined scripts. .br .B 3 \-\- Allow passwords to be passed to scripts via environmental variables (potentially unsafe). OpenVPN releases before v2.3 also supported a .B method flag which indicated how OpenVPN should call external commands and scripts. This could be either .B execve or .B system. As of OpenVPN 2.3, this flag is no longer accepted. In most *nix environments the execve() approach has been used without any issues. Some directives such as \-\-up allow options to be passed to the external script. In these cases make sure the script name does not contain any spaces or the configuration parser will choke because it can't determine where the script name ends and script options start. To run scripts in Windows in earlier OpenVPN versions you needed to either add a full path to the script interpreter which can parse the script or use the .B system flag to run these scripts. As of OpenVPN 2.3 it is now a strict requirement to have full path to the script interpreter when running non\-executables files. This is not needed for executable files, such as .exe, .com, .bat or .cmd files. For example, if you have a Visual Basic script, you must use this syntax now: .nf .ft 3 .in +4 \-\-up 'C:\\\\Windows\\\\System32\\\\wscript.exe C:\\\\Program\\ Files\\\\OpenVPN\\\\config\\\\my\-up\-script.vbs' .in -4 .ft .fi Please note the single quote marks and the escaping of the backslashes (\\) and the space character. The reason the support for the .B system flag was removed is due to the security implications with shell expansions when executing scripts via the system() call. .\"********************************************************* .TP .B \-\-disable\-occ Don't output a warning message if option inconsistencies are detected between peers. An example of an option inconsistency would be where one peer uses .B \-\-dev tun while the other peer uses .B \-\-dev tap. Use of this option is discouraged, but is provided as a temporary fix in situations where a recent version of OpenVPN must connect to an old version. .\"********************************************************* .TP .B \-\-user user Change the user ID of the OpenVPN process to .B user after initialization, dropping privileges in the process. This option is useful to protect the system in the event that some hostile party was able to gain control of an OpenVPN session. Though OpenVPN's security features make this unlikely, it is provided as a second line of defense. By setting .B user to .I nobody or somebody similarly unprivileged, the hostile party would be limited in what damage they could cause. Of course once you take away privileges, you cannot return them to an OpenVPN session. This means, for example, that if you want to reset an OpenVPN daemon with a .B SIGUSR1 signal (for example in response to a DHCP reset), you should make use of one or more of the .B \-\-persist options to ensure that OpenVPN doesn't need to execute any privileged operations in order to restart (such as re\-reading key files or running .BR ifconfig on the TUN device). .\"********************************************************* .TP .B \-\-group group Similar to the .B \-\-user option, this option changes the group ID of the OpenVPN process to .B group after initialization. .\"********************************************************* .TP .B \-\-cd dir Change directory to .B dir prior to reading any files such as configuration files, key files, scripts, etc. .B dir should be an absolute path, with a leading "/", and without any references to the current directory such as "." or "..". This option is useful when you are running OpenVPN in .B \-\-daemon mode, and you want to consolidate all of your OpenVPN control files in one location. .\"********************************************************* .TP .B \-\-chroot dir Chroot to .B dir after initialization. .B \-\-chroot essentially redefines .B dir as being the top level directory tree (/). OpenVPN will therefore be unable to access any files outside this tree. This can be desirable from a security standpoint. Since the chroot operation is delayed until after initialization, most OpenVPN options that reference files will operate in a pre\-chroot context. In many cases, the .B dir parameter can point to an empty directory, however complications can result when scripts or restarts are executed after the chroot operation. Note: The SSL library will probably need /dev/urandom to be available inside the chroot directory .B dir. This is because SSL libraries occasionally need to collect fresh random. Newer linux kernels and some BSDs implement a getrandom() or getentropy() syscall that removes the need for /dev/urandom to be available. .\"********************************************************* .TP .B \-\-setcon context Apply SELinux .B context after initialization. This essentially provides the ability to restrict OpenVPN's rights to only network I/O operations, thanks to SELinux. This goes further than .B \-\-user and .B \-\-chroot in that those two, while being great security features, unfortunately do not protect against privilege escalation by exploitation of a vulnerable system call. You can of course combine all three, but please note that since setcon requires access to /proc you will have to provide it inside the chroot directory (e.g. with mount \-\-bind). Since the setcon operation is delayed until after initialization, OpenVPN can be restricted to just network\-related system calls, whereas by applying the context before startup (such as the OpenVPN one provided in the SELinux Reference Policies) you will have to allow many things required only during initialization. Like with chroot, complications can result when scripts or restarts are executed after the setcon operation, which is why you should really consider using the .B \-\-persist\-key and .B \-\-persist\-tun options. .\"********************************************************* .TP .B \-\-daemon [progname] Become a daemon after all initialization functions are completed. This option will cause all message and error output to be sent to the syslog file (such as /var/log/messages), except for the output of scripts and ifconfig commands, which will go to /dev/null unless otherwise redirected. The syslog redirection occurs immediately at the point that .B \-\-daemon is parsed on the command line even though the daemonization point occurs later. If one of the .B \-\-log options is present, it will supercede syslog redirection. The optional .B progname parameter will cause OpenVPN to report its program name to the system logger as .B progname. This can be useful in linking OpenVPN messages in the syslog file with specific tunnels. When unspecified, .B progname defaults to "openvpn". When OpenVPN is run with the .B \-\-daemon option, it will try to delay daemonization until the majority of initialization functions which are capable of generating fatal errors are complete. This means that initialization scripts can test the return status of the openvpn command for a fairly reliable indication of whether the command has correctly initialized and entered the packet forwarding event loop. In OpenVPN, the vast majority of errors which occur after initialization are non\-fatal. Note: as soon as OpenVPN has daemonized, it can not ask for usernames, passwords, or key pass phrases anymore. This has certain consequences, namely that using a password\-protected private key will fail unless the .B \-\-askpass option is used to tell OpenVPN to ask for the pass phrase (this requirement is new in v2.3.7, and is a consequence of calling daemon() before initializing the crypto layer). Further, using .B \-\-daemon together with .B \-\-auth\-user\-pass (entered on console) and .B \-\-auth\-nocache will fail as soon as key renegotiation (and reauthentication) occurs. .\"********************************************************* .TP .B \-\-syslog [progname] Direct log output to system logger, but do not become a daemon. See .B \-\-daemon directive above for description of .B progname parameter. .TP .B \-\-errors\-to\-stderr Output errors to stderr instead of stdout unless log output is redirected by one of the .B \-\-log options. .\"********************************************************* .TP .B \-\-passtos Set the TOS field of the tunnel packet to what the payload's TOS is. .\"********************************************************* .TP .B \-\-inetd [wait|nowait] [progname] Use this option when OpenVPN is being run from the inetd or .BR xinetd(8) server. The .B wait/nowait option must match what is specified in the inetd/xinetd config file. The .B nowait mode can only be used with .B \-\-proto tcp\-server. The default is .B wait. The .B nowait mode can be used to instantiate the OpenVPN daemon as a classic TCP server, where client connection requests are serviced on a single port number. For additional information on this kind of configuration, see the OpenVPN FAQ: .I http://openvpn.net/faq.html#oneport This option precludes the use of .B \-\-daemon, \-\-local, or .B \-\-remote. Note that this option causes message and error output to be handled in the same way as the .B \-\-daemon option. The optional .B progname parameter is also handled exactly as in .B \-\-daemon. Also note that in .B wait mode, each OpenVPN tunnel requires a separate TCP/UDP port and a separate inetd or xinetd entry. See the OpenVPN 1.x HOWTO for an example on using OpenVPN with xinetd: .I http://openvpn.net/1xhowto.html .\"********************************************************* .TP .B \-\-log file Output logging messages to .B file, including output to stdout/stderr which is generated by called scripts. If .B file already exists it will be truncated. This option takes effect immediately when it is parsed in the command line and will supercede syslog output if .B \-\-daemon or .B \-\-inetd is also specified. This option is persistent over the entire course of an OpenVPN instantiation and will not be reset by SIGHUP, SIGUSR1, or .B \-\-ping\-restart. Note that on Windows, when OpenVPN is started as a service, logging occurs by default without the need to specify this option. .\"********************************************************* .TP .B \-\-log\-append file Append logging messages to .B file. If .B file does not exist, it will be created. This option behaves exactly like .B \-\-log except that it appends to rather than truncating the log file. .\"********************************************************* .TP .B \-\-suppress\-timestamps Avoid writing timestamps to log messages, even when they otherwise would be prepended. In particular, this applies to log messages sent to stdout. .\"********************************************************* .TP .B \-\-machine\-readable\-output Always write timestamps and message flags to log messages, even when they otherwise would not be prefixed. In particular, this applies to log messages sent to stdout. .\"********************************************************* .TP .B \-\-writepid file Write OpenVPN's main process ID to .B file. .\"********************************************************* .TP .B \-\-nice n Change process priority after initialization ( .B n greater than 0 is lower priority, .B n less than zero is higher priority). .\"********************************************************* .\".TP .\".B \-\-nice\-work n .\"Change priority of background TLS work thread. The TLS thread .\"feature is enabled when OpenVPN is built .\"with pthread support, and you are running OpenVPN .\"in TLS mode (i.e. with .\".B \-\-tls\-client .\"or .\".B \-\-tls\-server .\"specified). .\" .\"Using a TLS thread offloads the CPU\-intensive process of SSL/TLS\-based .\"key exchange to a background thread so that it does not become .\"a latency bottleneck in the tunnel packet forwarding process. .\" .\"The parameter .\".B n .\"is interpreted exactly as with the .\".B \-\-nice .\"option above, but in relation to the work thread rather .\"than the main thread. .\"********************************************************* .TP .B \-\-fast\-io (Experimental) Optimize TUN/TAP/UDP I/O writes by avoiding a call to poll/epoll/select prior to the write operation. The purpose of such a call would normally be to block until the device or socket is ready to accept the write. Such blocking is unnecessary on some platforms which don't support write blocking on UDP sockets or TUN/TAP devices. In such cases, one can optimize the event loop by avoiding the poll/epoll/select call, improving CPU efficiency by 5% to 10%. This option can only be used on non\-Windows systems, when .B \-\-proto udp is specified, and when .B \-\-shaper is NOT specified. .\"********************************************************* .TP .B \-\-multihome Configure a multi\-homed UDP server. This option needs to be used when a server has more than one IP address (e.g. multiple interfaces, or secondary IP addresses), and is not using .B \-\-local to force binding to one specific address only. This option will add some extra lookups to the packet path to ensure that the UDP reply packets are always sent from the address that the client is talking to. This is not supported on all platforms, and it adds more processing, so it's not enabled by default. Note: this option is only relevant for UDP servers. Note 2: if you do an IPv6+IPv4 dual\-stack bind on a Linux machine with multiple IPv4 address, connections to IPv4 addresses will not work right on kernels before 3.15, due to missing kernel support for the IPv4\-mapped case (some distributions have ported this to earlier kernel versions, though). .\"********************************************************* .TP .B \-\-echo [parms...] Echo .B parms to log output. Designed to be used to send messages to a controlling application which is receiving the OpenVPN log output. .\"********************************************************* .TP .B \-\-remap\-usr1 signal Control whether internally or externally generated SIGUSR1 signals are remapped to SIGHUP (restart without persisting state) or SIGTERM (exit). .B signal can be set to "SIGHUP" or "SIGTERM". By default, no remapping occurs. .\"********************************************************* .TP .B \-\-verb n Set output verbosity to .B n (default=1). Each level shows all info from the previous levels. Level 3 is recommended if you want a good summary of what's happening without being swamped by output. .B 0 \-\- No output except fatal errors. .br .B 1 to 4 \-\- Normal usage range. .br .B 5 \-\- Output .B R and .B W characters to the console for each packet read and write, uppercase is used for TCP/UDP packets and lowercase is used for TUN/TAP packets. .br .B 6 to 11 \-\- Debug info range (see errlevel.h for additional information on debug levels). .\"********************************************************* .TP .B \-\-status file [n] Write operational status to .B file every .B n seconds. Status can also be written to the syslog by sending a .B SIGUSR2 signal. .\"********************************************************* .TP .B \-\-status\-version [n] Choose the status file format version number. Currently .B n can be 1, 2, or 3 and defaults to 1. .\"********************************************************* .TP .B \-\-mute n Log at most .B n consecutive messages in the same category. This is useful to limit repetitive logging of similar message types. .\"********************************************************* .TP .B \-\-compress [algorithm] Enable a compression algorithm. The .B algorithm parameter may be "lzo", "lz4", or empty. LZO and LZ4 are different compression algorithms, with LZ4 generally offering the best performance with least CPU usage. For backwards compatibility with OpenVPN versions before v2.4, use "lzo" (which is identical to the older option "\-\-comp\-lzo yes"). If the .B algorithm parameter is empty, compression will be turned off, but the packet framing for compression will still be enabled, allowing a different setting to be pushed later. .\"********************************************************* .TP .B \-\-comp\-lzo [mode] .B DEPRECATED This option will be removed in a future OpenVPN release. Use the newer .B \-\-compress instead. Use LZO compression \-\- may add up to 1 byte per packet for incompressible data. .B mode may be "yes", "no", or "adaptive" (default). In a server mode setup, it is possible to selectively turn compression on or off for individual clients. First, make sure the client\-side config file enables selective compression by having at least one .B \-\-comp\-lzo directive, such as .B \-\-comp\-lzo no. This will turn off compression by default, but allow a future directive push from the server to dynamically change the on/off/adaptive setting. Next in a .B \-\-client\-config\-dir file, specify the compression setting for the client, for example: .nf .ft 3 .in +4 comp\-lzo yes push "comp\-lzo yes" .in -4 .ft .fi The first line sets the .B comp\-lzo setting for the server side of the link, the second sets the client side. .\"********************************************************* .TP .B \-\-comp\-noadapt When used in conjunction with .B \-\-comp\-lzo, this option will disable OpenVPN's adaptive compression algorithm. Normally, adaptive compression is enabled with .B \-\-comp\-lzo. Adaptive compression tries to optimize the case where you have compression enabled, but you are sending predominantly incompressible (or pre\-compressed) packets over the tunnel, such as an FTP or rsync transfer of a large, compressed file. With adaptive compression, OpenVPN will periodically sample the compression process to measure its efficiency. If the data being sent over the tunnel is already compressed, the compression efficiency will be very low, triggering openvpn to disable compression for a period of time until the next re\-sample test. .\"********************************************************* .TP .B \-\-management IP port [pw\-file] Enable a TCP server on .B IP:port to handle daemon management functions. .B pw\-file, if specified, is a password file (password on first line) or "stdin" to prompt from standard input. The password provided will set the password which TCP clients will need to provide in order to access management functions. The management interface can also listen on a unix domain socket, for those platforms that support it. To use a unix domain socket, specify the unix socket pathname in place of .B IP and set .B port to 'unix'. While the default behavior is to create a unix domain socket that may be connected to by any process, the .B \-\-management\-client\-user and .B \-\-management\-client\-group directives can be used to restrict access. The management interface provides a special mode where the TCP management link can operate over the tunnel itself. To enable this mode, set .B IP = "tunnel". Tunnel mode will cause the management interface to listen for a TCP connection on the local VPN address of the TUN/TAP interface. While the management port is designed for programmatic control of OpenVPN by other applications, it is possible to telnet to the port, using a telnet client in "raw" mode. Once connected, type "help" for a list of commands. For detailed documentation on the management interface, see the management\-notes.txt file in the .B management folder of the OpenVPN source distribution. It is strongly recommended that .B IP be set to 127.0.0.1 (localhost) to restrict accessibility of the management server to local clients. .TP .B \-\-management\-client Management interface will connect as a TCP/unix domain client to .B IP:port specified by .B \-\-management rather than listen as a TCP server or on a unix domain socket. If the client connection fails to connect or is disconnected, a SIGTERM signal will be generated causing OpenVPN to quit. .\"********************************************************* .TP .B \-\-management\-query\-passwords Query management channel for private key password and .B \-\-auth\-user\-pass username/password. Only query the management channel for inputs which ordinarily would have been queried from the console. .\"********************************************************* .TP .B \-\-management\-query\-proxy Query management channel for proxy server information for a specific .B \-\-remote (client\-only). .\"********************************************************* .TP .B \-\-management\-query\-remote Allow management interface to override .B \-\-remote directives (client\-only). .\"********************************************************* .TP .B \-\-management\-external\-key Allows usage for external private key file instead of .B \-\-key option (client\-only). .\"********************************************************* .TP .B \-\-management\-external\-cert certificate\-hint Allows usage for external certificate instead of .B \-\-cert option (client\-only). .B certificate\-hint is an arbitrary string which is passed to a management interface client as an argument of NEED\-CERTIFICATE notification. Requires \-\-management\-external\-key. .\"********************************************************* .TP .B \-\-management\-forget\-disconnect Make OpenVPN forget passwords when management session disconnects. This directive does not affect the .B \-\-http\-proxy username/password. It is always cached. .\"********************************************************* .TP .B \-\-management\-hold Start OpenVPN in a hibernating state, until a client of the management interface explicitly starts it with the .B hold release command. .\"********************************************************* .TP .B \-\-management\-signal Send SIGUSR1 signal to OpenVPN if management session disconnects. This is useful when you wish to disconnect an OpenVPN session on user logoff. For \-\-management\-client this option is not needed since a disconnect will always generate a SIGTERM. .\"********************************************************* .TP .B \-\-management\-log\-cache n Cache the most recent .B n lines of log file history for usage by the management channel. .\"********************************************************* .TP .B \-\-management\-up\-down Report tunnel up/down events to management interface. .B .\"********************************************************* .TP .B \-\-management\-client\-auth Gives management interface client the responsibility to authenticate clients after their client certificate has been verified. See management\-notes.txt in OpenVPN distribution for detailed notes. .\"********************************************************* .TP .B \-\-management\-client\-pf Management interface clients must specify a packet filter file for each connecting client. See management\-notes.txt in OpenVPN distribution for detailed notes. .\"********************************************************* .TP .B \-\-management\-client\-user u When the management interface is listening on a unix domain socket, only allow connections from user .B u. .\"********************************************************* .TP .B \-\-management\-client\-group g When the management interface is listening on a unix domain socket, only allow connections from group .B g. .\"********************************************************* .TP .B \-\-plugin module\-pathname [init\-string] Load plug\-in module from the file .B module\-pathname, passing .B init\-string as an argument to the module initialization function. Multiple plugin modules may be loaded into one OpenVPN process. The .B module\-pathname argument can be just a filename or a filename with a relative or absolute path. The format of the filename and path defines if the plug\-in will be loaded from a default plug\-in directory or outside this directory. .nf .ft 3 .in +4 .B \-\-plugin path\ \ \ \ \ \ \ \ Effective directory used ==================================================== myplug.so DEFAULT_DIR/myplug.so subdir/myplug.so DEFAULT_DIR/subdir/myplug.so ./subdir/myplug.so CWD/subdir/myplug.so /usr/lib/my/plug.so /usr/lib/my/plug.so .in -4 .fi DEFAULT_DIR is replaced by the default plug\-in directory, which is configured at the build time of OpenVPN. CWD is the current directory where OpenVPN was started or the directory OpenVPN have swithed into via the .B \-\-cd option before the .B \-\-plugin option. For more information and examples on how to build OpenVPN plug\-in modules, see the README file in the .B plugin folder of the OpenVPN source distribution. If you are using an RPM install of OpenVPN, see /usr/share/openvpn/plugin. The documentation is in .B doc and the actual plugin modules are in .B lib. Multiple plugin modules can be cascaded, and modules can be used in tandem with scripts. The modules will be called by OpenVPN in the order that they are declared in the config file. If both a plugin and script are configured for the same callback, the script will be called last. If the return code of the module/script controls an authentication function (such as tls\-verify, auth\-user\-pass\-verify, or client\-connect), then every module and script must return success (0) in order for the connection to be authenticated. .\"********************************************************* .TP .B \-\-keying\-material\-exporter label len Save Exported Keying Material [RFC5705] of len bytes (must be between 16 and 4095 bytes) using label in environment (exported_keying_material) for use by plugins in OPENVPN_PLUGIN_TLS_FINAL callback. Note that exporter labels have the potential to collide with existing PRF labels. In order to prevent this, labels MUST begin with "EXPORTER". This option requires OpenSSL 1.0.1 or newer. .\"********************************************************* .SS Server Mode Starting with OpenVPN 2.0, a multi\-client TCP/UDP server mode is supported, and can be enabled with the .B \-\-mode server option. In server mode, OpenVPN will listen on a single port for incoming client connections. All client connections will be routed through a single tun or tap interface. This mode is designed for scalability and should be able to support hundreds or even thousands of clients on sufficiently fast hardware. SSL/TLS authentication must be used in this mode. .\"********************************************************* .TP .B \-\-server network netmask ['nopool'] A helper directive designed to simplify the configuration of OpenVPN's server mode. This directive will set up an OpenVPN server which will allocate addresses to clients out of the given network/netmask. The server itself will take the ".1" address of the given network for use as the server\-side endpoint of the local TUN/TAP interface. For example, .B \-\-server 10.8.0.0 255.255.255.0 expands as follows: .nf .ft 3 .in +4 mode server tls\-server push "topology [topology]" if dev tun AND (topology == net30 OR topology == p2p): ifconfig 10.8.0.1 10.8.0.2 if !nopool: ifconfig\-pool 10.8.0.4 10.8.0.251 route 10.8.0.0 255.255.255.0 if client\-to\-client: push "route 10.8.0.0 255.255.255.0" else if topology == net30: push "route 10.8.0.1" if dev tap OR (dev tun AND topology == subnet): ifconfig 10.8.0.1 255.255.255.0 if !nopool: ifconfig\-pool 10.8.0.2 10.8.0.253 255.255.255.0 push "route\-gateway 10.8.0.1" if route\-gateway unset: route\-gateway 10.8.0.2 .in -4 .ft .fi Don't use .B \-\-server if you are ethernet bridging. Use .B \-\-server\-bridge instead. .\"********************************************************* .TP .B \-\-server\-bridge gateway netmask pool\-start\-IP pool\-end\-IP .TP .B \-\-server\-bridge ['nogw'] A helper directive similar to .B \-\-server which is designed to simplify the configuration of OpenVPN's server mode in ethernet bridging configurations. If .B \-\-server\-bridge is used without any parameters, it will enable a DHCP\-proxy mode, where connecting OpenVPN clients will receive an IP address for their TAP adapter from the DHCP server running on the OpenVPN server\-side LAN. Note that only clients that support the binding of a DHCP client with the TAP adapter (such as Windows) can support this mode. The optional .B nogw flag (advanced) indicates that gateway information should not be pushed to the client. To configure ethernet bridging, you must first use your OS's bridging capability to bridge the TAP interface with the ethernet NIC interface. For example, on Linux this is done with the .B brctl tool, and with Windows XP it is done in the Network Connections Panel by selecting the ethernet and TAP adapters and right\-clicking on "Bridge Connections". Next you you must manually set the IP/netmask on the bridge interface. The .B gateway and .B netmask parameters to .B \-\-server\-bridge can be set to either the IP/netmask of the bridge interface, or the IP/netmask of the default gateway/router on the bridged subnet. Finally, set aside a IP range in the bridged subnet, denoted by .B pool\-start\-IP and .B pool\-end\-IP, for OpenVPN to allocate to connecting clients. For example, .B server\-bridge 10.8.0.4 255.255.255.0 10.8.0.128 10.8.0.254 expands as follows: .nf .ft 3 .in +4 mode server tls\-server ifconfig\-pool 10.8.0.128 10.8.0.254 255.255.255.0 push "route\-gateway 10.8.0.4" .in -4 .ft .fi In another example, .B \-\-server\-bridge (without parameters) expands as follows: .nf .ft 3 .in +4 mode server tls\-server push "route\-gateway dhcp" .in -4 .ft .fi Or .B \-\-server\-bridge nogw expands as follows: .nf .ft 3 .in +4 mode server tls\-server .in -4 .ft .fi .\"********************************************************* .TP .B \-\-push "option" Push a config file option back to the client for remote execution. Note that .B option must be enclosed in double quotes (""). The client must specify .B \-\-pull in its config file. The set of options which can be pushed is limited by both feasibility and security. Some options such as those which would execute scripts are banned, since they would effectively allow a compromised server to execute arbitrary code on the client. Other options such as TLS or MTU parameters cannot be pushed because the client needs to know them before the connection to the server can be initiated. This is a partial list of options which can currently be pushed: .B \-\-route, \-\-route\-gateway, \-\-route\-delay, \-\-redirect\-gateway, .B \-\-ip\-win32, \-\-dhcp\-option, .B \-\-inactive, \-\-ping, \-\-ping\-exit, \-\-ping\-restart, .B \-\-setenv, .B \-\-auth\-token, .B \-\-persist\-key, \-\-persist\-tun, \-\-echo, .B \-\-comp\-lzo, .B \-\-socket\-flags, .B \-\-sndbuf, \-\-rcvbuf .\"********************************************************* .TP .B \-\-push\-reset Don't inherit the global push list for a specific client instance. Specify this option in a client\-specific context such as with a .B \-\-client\-config\-dir configuration file. This option will ignore .B \-\-push options at the global config file level. .\"********************************************************* .TP .B \-\-push\-remove opt selectively remove all .B \-\-push options matching "opt" from the option list for a client. "opt" is matched as a substring against the whole option string to\-be\-pushed to the client, so .B \-\-push\-remove route would remove all .B \-\-push route ... and .B \-\-push route\-ipv6 ... statements, while .B \-\-push\-remove 'route\-ipv6 2001:' would only remove IPv6 routes for 2001:... networks. .B \-\-push\-remove can only be used in a client\-specific context, like in a .B \-\-client\-config\-dir file, or .B \-\-client\-connect script or plugin \-\- similar to .B \-\-push\-reset, just more selective. NOTE: to .I change an option, .B \-\-push\-remove can be used to first remove the old value, and then add a new .B \-\-push option with the new value. .\"********************************************************* .TP .B \-\-push\-peer\-info Push additional information about the client to server. The following data is always pushed to the server: IV_VER= \-\- the client OpenVPN version IV_PLAT=[linux|solaris|openbsd|mac|netbsd|freebsd|win] \-\- the client OS platform IV_LZO_STUB=1 \-\- if client was built with LZO stub capability IV_LZ4=1 \-\- if the client supports LZ4 compressions. IV_PROTO=2 \-\- if the client supports peer\-id floating mechansim IV_NCP=2 \-\- negotiable ciphers, client supports .B \-\-cipher pushed by the server, a value of 2 or greater indicates client supports AES\-GCM\-128 and AES\-GCM\-256. IV_UI_VER= \-\- the UI version of a UI if one is running, for example "de.blinkt.openvpn 0.5.47" for the Android app. When .B \-\-push\-peer\-info is enabled the additional information consists of the following data: IV_HWADDR= \-\- the MAC address of clients default gateway IV_SSL= \-\- the ssl version used by the client, e.g. "OpenSSL 1.0.2f 28 Jan 2016". IV_PLAT_VER=x.y \- the version of the operating system, e.g. 6.1 for Windows 7. UV_= \-\- client environment variables whose names start with "UV_" .\"********************************************************* .TP .B \-\-disable Disable a particular client (based on the common name) from connecting. Don't use this option to disable a client due to key or password compromise. Use a CRL (certificate revocation list) instead (see the .B \-\-crl\-verify option). This option must be associated with a specific client instance, which means that it must be specified either in a client instance config file using .B \-\-client\-config\-dir or dynamically generated using a .B \-\-client\-connect script. .\"********************************************************* .TP .B \-\-ifconfig\-pool start\-IP end\-IP [netmask] Set aside a pool of subnets to be dynamically allocated to connecting clients, similar to a DHCP server. For tun\-style tunnels, each client will be given a /30 subnet (for interoperability with Windows clients). For tap\-style tunnels, individual addresses will be allocated, and the optional .B netmask parameter will also be pushed to clients. .\"********************************************************* .TP .B \-\-ifconfig\-pool\-persist file [seconds] Persist/unpersist ifconfig\-pool data to .B file, at .B seconds intervals (default=600), as well as on program startup and shutdown. The goal of this option is to provide a long\-term association between clients (denoted by their common name) and the virtual IP address assigned to them from the ifconfig\-pool. Maintaining a long\-term association is good for clients because it allows them to effectively use the .B \-\-persist\-tun option. .B file is a comma\-delimited ASCII file, formatted as ,. If .B seconds = 0, .B file will be treated as read\-only. This is useful if you would like to treat .B file as a configuration file. Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, use .B \-\-ifconfig\-push .\"********************************************************* .TP .B \-\-ifconfig\-pool\-linear .B DEPRECATED This option will be removed in OpenVPN 2.5 Modifies the .B \-\-ifconfig\-pool directive to allocate individual TUN interface addresses for clients rather than /30 subnets. NOTE: This option is incompatible with Windows clients. This option is deprecated, and should be replaced with .B \-\-topology p2p which is functionally equivalent. .\"********************************************************* .TP .B \-\-ifconfig\-push local remote\-netmask [alias] Push virtual IP endpoints for client tunnel, overriding the \-\-ifconfig\-pool dynamic allocation. The parameters .B local and .B remote\-netmask are set according to the .B \-\-ifconfig directive which you want to execute on the client machine to configure the remote end of the tunnel. Note that the parameters .B local and .B remote\-netmask are from the perspective of the client, not the server. They may be DNS names rather than IP addresses, in which case they will be resolved on the server at the time of client connection. The optional .B alias parameter may be used in cases where NAT causes the client view of its local endpoint to differ from the server view. In this case .B local/remote\-netmask will refer to the server view while .B alias/remote\-netmask will refer to the client view. This option must be associated with a specific client instance, which means that it must be specified either in a client instance config file using .B \-\-client\-config\-dir or dynamically generated using a .B \-\-client\-connect script. Remember also to include a .B \-\-route directive in the main OpenVPN config file which encloses .B local, so that the kernel will know to route it to the server's TUN/TAP interface. OpenVPN's internal client IP address selection algorithm works as follows: .B 1 \-\- Use .B \-\-client\-connect script generated file for static IP (first choice). .br .B 2 \-\- Use .B \-\-client\-config\-dir file for static IP (next choice). .br .B 3 \-\- Use .B \-\-ifconfig\-pool allocation for dynamic IP (last choice). .br .\"********************************************************* .TP .B \-\-iroute network [netmask] Generate an internal route to a specific client. The .B netmask parameter, if omitted, defaults to 255.255.255.255. This directive can be used to route a fixed subnet from the server to a particular client, regardless of where the client is connecting from. Remember that you must also add the route to the system routing table as well (such as by using the .B \-\-route directive). The reason why two routes are needed is that the .B \-\-route directive routes the packet from the kernel to OpenVPN. Once in OpenVPN, the .B \-\-iroute directive routes to the specific client. This option must be specified either in a client instance config file using .B \-\-client\-config\-dir or dynamically generated using a .B \-\-client\-connect script. The .B \-\-iroute directive also has an important interaction with .B \-\-push "route ...". .B \-\-iroute essentially defines a subnet which is owned by a particular client (we will call this client A). If you would like other clients to be able to reach A's subnet, you can use .B \-\-push "route ..." together with .B \-\-client\-to\-client to effect this. In order for all clients to see A's subnet, OpenVPN must push this route to all clients EXCEPT for A, since the subnet is already owned by A. OpenVPN accomplishes this by not not pushing a route to a client if it matches one of the client's iroutes. .\"********************************************************* .TP .B \-\-client\-to\-client Because the OpenVPN server mode handles multiple clients through a single tun or tap interface, it is effectively a router. The .B \-\-client\-to\-client flag tells OpenVPN to internally route client\-to\-client traffic rather than pushing all client\-originating traffic to the TUN/TAP interface. When this option is used, each client will "see" the other clients which are currently connected. Otherwise, each client will only see the server. Don't use this option if you want to firewall tunnel traffic using custom, per\-client rules. .\"********************************************************* .TP .B \-\-duplicate\-cn Allow multiple clients with the same common name to concurrently connect. In the absence of this option, OpenVPN will disconnect a client instance upon connection of a new client having the same common name. .\"********************************************************* .TP .B \-\-client\-connect cmd Run .B command cmd on client connection. .B cmd consists of a path to script (or executable program), optionally followed by arguments. The path and arguments may be single\- or double\-quoted and/or escaped using a backslash, and should be separated by one or more spaces. The command is passed the common name and IP address of the just\-authenticated client as environmental variables (see environmental variable section below). The command is also passed the pathname of a freshly created temporary file as the last argument (after any arguments specified in .B cmd ), to be used by the command to pass dynamically generated config file directives back to OpenVPN. If the script wants to generate a dynamic config file to be applied on the server when the client connects, it should write it to the file named by the last argument. See the .B \-\-client\-config\-dir option below for options which can be legally used in a dynamically generated config file. Note that the return value of .B script is significant. If .B script returns a non\-zero error status, it will cause the client to be disconnected. .\"********************************************************* .TP .B \-\-client\-disconnect cmd Like .B \-\-client\-connect but called on client instance shutdown. Will not be called unless the .B \-\-client\-connect script and plugins (if defined) were previously called on this instance with successful (0) status returns. The exception to this rule is if the .B \-\-client\-disconnect command or plugins are cascaded, and at least one client\-connect function succeeded, then ALL of the client\-disconnect functions for scripts and plugins will be called on client instance object deletion, even in cases where some of the related client\-connect functions returned an error status. The .B \-\-client\-disconnect command is passed the same pathname as the corresponding .B \-\-client\-connect command as its last argument. (after any arguments specified in .B cmd ). .B .\"********************************************************* .TP .B \-\-client\-config\-dir dir Specify a directory .B dir for custom client config files. After a connecting client has been authenticated, OpenVPN will look in this directory for a file having the same name as the client's X509 common name. If a matching file exists, it will be opened and parsed for client\-specific configuration options. If no matching file is found, OpenVPN will instead try to open and parse a default file called "DEFAULT", which may be provided but is not required. Note that the configuration files must be readable by the OpenVPN process after it has dropped it's root privileges. This file can specify a fixed IP address for a given client using .B \-\-ifconfig\-push, as well as fixed subnets owned by the client using .B \-\-iroute. One of the useful properties of this option is that it allows client configuration files to be conveniently created, edited, or removed while the server is live, without needing to restart the server. The following options are legal in a client\-specific context: .B \-\-push, \-\-push\-reset, \-\-push\-remove, \-\-iroute, \-\-ifconfig\-push, and .B \-\-config. .\"********************************************************* .TP .B \-\-ccd\-exclusive Require, as a condition of authentication, that a connecting client has a .B \-\-client\-config\-dir file. .\"********************************************************* .TP .B \-\-tmp\-dir dir Specify a directory .B dir for temporary files. This directory will be used by openvpn processes and script to communicate temporary data with openvpn main process. Note that the directory must be writable by the OpenVPN process after it has dropped it's root privileges. This directory will be used by in the following cases: * .B \-\-client\-connect scripts to dynamically generate client\-specific configuration files. * .B OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY plugin hook to return success/failure via auth_control_file when using deferred auth method * .B OPENVPN_PLUGIN_ENABLE_PF plugin hook to pass filtering rules via pf_file .\"********************************************************* .TP .B \-\-hash\-size r v Set the size of the real address hash table to .B r and the virtual address table to .B v. By default, both tables are sized at 256 buckets. .\"********************************************************* .TP .B \-\-bcast\-buffers n Allocate .B n buffers for broadcast datagrams (default=256). .\"********************************************************* .TP .B \-\-tcp\-queue\-limit n Maximum number of output packets queued before TCP (default=64). When OpenVPN is tunneling data from a TUN/TAP device to a remote client over a TCP connection, it is possible that the TUN/TAP device might produce data at a faster rate than the TCP connection can support. When the number of output packets queued before sending to the TCP socket reaches this limit for a given client connection, OpenVPN will start to drop outgoing packets directed at this client. .\"********************************************************* .TP .B \-\-tcp\-nodelay This macro sets the TCP_NODELAY socket flag on the server as well as pushes it to connecting clients. The TCP_NODELAY flag disables the Nagle algorithm on TCP sockets causing packets to be transmitted immediately with low latency, rather than waiting a short period of time in order to aggregate several packets into a larger containing packet. In VPN applications over TCP, TCP_NODELAY is generally a good latency optimization. The macro expands as follows: .nf .ft 3 .in +4 if mode server: socket\-flags TCP_NODELAY push "socket\-flags TCP_NODELAY" .in -4 .ft .fi .\"********************************************************* .TP .B \-\-max\-clients n Limit server to a maximum of .B n concurrent clients. .\"********************************************************* .TP .B \-\-max\-routes\-per\-client n Allow a maximum of .B n internal routes per client (default=256). This is designed to help contain DoS attacks where an authenticated client floods the server with packets appearing to come from many unique MAC addresses, forcing the server to deplete virtual memory as its internal routing table expands. This directive can be used in a .B \-\-client\-config\-dir file or auto\-generated by a .B \-\-client\-connect script to override the global value for a particular client. Note that this directive affects OpenVPN's internal routing table, not the kernel routing table. .\"********************************************************* .TP .B \-\-stale\-routes\-check n [t] Remove routes haven't had activity for .B n seconds (i.e. the ageing time). This check is ran every .B t seconds (i.e. check interval). If .B t is not present it defaults to .B n This option helps to keep the dynamic routing table small. See also .B \-\-max\-routes\-per\-client .\"********************************************************* .TP .B \-\-connect\-freq n sec Allow a maximum of .B n new connections per .B sec seconds from clients. This is designed to contain DoS attacks which flood the server with connection requests using certificates which will ultimately fail to authenticate. This is an imperfect solution however, because in a real DoS scenario, legitimate connections might also be refused. For the best protection against DoS attacks in server mode, use .B \-\-proto udp and either .B \-\-tls\-auth or .B \-\-tls\-crypt\fR. .\"********************************************************* .TP .B \-\-learn\-address cmd Run command .B cmd to validate client virtual addresses or routes. .B cmd consists of a path to script (or executable program), optionally followed by arguments. The path and arguments may be single\- or double\-quoted and/or escaped using a backslash, and should be separated by one or more spaces. Three arguments will be appended to any arguments in .B cmd as follows: .B [1] operation \-\- "add", "update", or "delete" based on whether or not the address is being added to, modified, or deleted from OpenVPN's internal routing table. .br .B [2] address \-\- The address being learned or unlearned. This can be an IPv4 address such as "198.162.10.14", an IPv4 subnet such as "198.162.10.0/24", or an ethernet MAC address (when .B \-\-dev tap is being used) such as "00:FF:01:02:03:04". .br .B [3] common name \-\- The common name on the certificate associated with the client linked to this address. Only present for "add" or "update" operations, not "delete". On "add" or "update" methods, if the script returns a failure code (non\-zero), OpenVPN will reject the address and will not modify its internal routing table. Normally, the .B cmd script will use the information provided above to set appropriate firewall entries on the VPN TUN/TAP interface. Since OpenVPN provides the association between virtual IP or MAC address and the client's authenticated common name, it allows a user\-defined script to configure firewall access policies with regard to the client's high\-level common name, rather than the low level client virtual addresses. .\"********************************************************* .TP .B \-\-auth\-user\-pass\-verify cmd method Require the client to provide a username/password (possibly in addition to a client certificate) for authentication. OpenVPN will run .B command cmd to validate the username/password provided by the client. .B cmd consists of a path to script (or executable program), optionally followed by arguments. The path and arguments may be single\- or double\-quoted and/or escaped using a backslash, and should be separated by one or more spaces. If .B method is set to "via\-env", OpenVPN will call .B script with the environmental variables .B username and .B password set to the username/password strings provided by the client. Be aware that this method is insecure on some platforms which make the environment of a process publicly visible to other unprivileged processes. If .B method is set to "via\-file", OpenVPN will write the username and password to the first two lines of a temporary file. The filename will be passed as an argument to .B script, and the file will be automatically deleted by OpenVPN after the script returns. The location of the temporary file is controlled by the .B \-\-tmp\-dir option, and will default to the current directory if unspecified. For security, consider setting .B \-\-tmp\-dir to a volatile storage medium such as .B /dev/shm (if available) to prevent the username/password file from touching the hard drive. The script should examine the username and password, returning a success exit code (0) if the client's authentication request is to be accepted, or a failure code (1) to reject the client. This directive is designed to enable a plugin\-style interface for extending OpenVPN's authentication capabilities. To protect against a client passing a maliciously formed username or password string, the username string must consist only of these characters: alphanumeric, underbar ('_'), dash ('\-'), dot ('.'), or at ('@'). The password string can consist of any printable characters except for CR or LF. Any illegal characters in either the username or password string will be converted to underbar ('_'). Care must be taken by any user\-defined scripts to avoid creating a security vulnerability in the way that these strings are handled. Never use these strings in such a way that they might be escaped or evaluated by a shell interpreter. For a sample script that performs PAM authentication, see .B sample\-scripts/auth\-pam.pl in the OpenVPN source distribution. .\"********************************************************* .TP .B \-\-auth\-gen\-token [lifetime] After successful user/password authentication, the OpenVPN server will with this option generate a temporary authentication token and push that to client. On the following renegotiations, the OpenVPN client will pass this token instead of the users password. On the server side the server will do the token authentication internally and it will NOT do any additional authentications against configured external user/password authentication mechanisms. The .B lifetime argument defines how long the generated token is valid. The lifetime is defined in seconds. If lifetime is not set or it is set to 0, the token will never expire. This feature is useful for environments which is configured to use One Time Passwords (OTP) as part of the user/password authentications and that authentication mechanism does not implement any auth\-token support. .\"********************************************************* .TP .B \-\-opt\-verify Clients that connect with options that are incompatible with those of the server will be disconnected. Options that will be compared for compatibility include dev\-type, link\-mtu, tun\-mtu, proto, ifconfig, comp\-lzo, fragment, keydir, cipher, auth, keysize, secret, no\-replay, no\-iv, tls\-auth, key\-method, tls\-server, and tls\-client. This option requires that .B \-\-disable\-occ NOT be used. .\"********************************************************* .TP .B \-\-auth\-user\-pass\-optional Allow connections by clients that do not specify a username/password. Normally, when .B \-\-auth\-user\-pass\-verify or .B \-\-management\-client\-auth is specified (or an authentication plugin module), the OpenVPN server daemon will require connecting clients to specify a username and password. This option makes the submission of a username/password by clients optional, passing the responsibility to the user\-defined authentication module/script to accept or deny the client based on other factors (such as the setting of X509 certificate fields). When this option is used, and a connecting client does not submit a username/password, the user\-defined authentication module/script will see the username and password as being set to empty strings (""). The authentication module/script MUST have logic to detect this condition and respond accordingly. .\"********************************************************* .TP .B \-\-client\-cert\-not\-required .B DEPRECATED This option will be removed in OpenVPN 2.5 Don't require client certificate, client will authenticate using username/password only. Be aware that using this directive is less secure than requiring certificates from all clients. .B Please note: This is replaced by .B \-\-verify\-client\-cert which allows for more flexibility. The option .B \-\-verify\-client\-cert none is functionally equivalent to .B \-\-client\-cert\-not\-required . .\"********************************************************* .TP .B \-\-verify\-client\-cert none|optional|require Specify whether the client is required to supply a valid certificate. Possible options are .B none : a client certificate is not required. the client need to authenticate using username/password only. Be aware that using this directive is less secure than requiring certificates from all clients. If you use this directive, the entire responsibility of authentication will rest on your .B \-\-auth\-user\-pass\-verify script, so keep in mind that bugs in your script could potentially compromise the security of your VPN. .B \-\-verify\-client\-cert none is functionally equivalent to .B \-\-client\-cert\-not\-required. .B optional : a client may present a certificate but it is not required to do so. When using this directive, you should also use a .B \-\-auth\-user\-pass\-verify script to ensure that clients are authenticated using a certificate, a username and password, or possibly even both. Again, the entire responsibility of authentication will rest on your .B \-\-auth\-user\-pass\-verify script, so keep in mind that bugs in your script could potentially compromise the security of your VPN. .B require : this is the default option. A client is required to present a certificate, otherwise VPN access is refused. If you don't use this directive (or use .B \-\-verify\-client\-cert require ) but you also specify an .B \-\-auth\-user\-pass\-verify script, then OpenVPN will perform double authentication. The client certificate verification AND the .B \-\-auth\-user\-pass\-verify script will need to succeed in order for a client to be authenticated and accepted onto the VPN. .\"********************************************************* .TP .B \-\-username\-as\-common\-name For .B \-\-auth\-user\-pass\-verify authentication, use the authenticated username as the common name, rather than the common name from the client cert. .\"********************************************************* .TP .B \-\-compat\-names [no\-remapping] .B DEPRECATED This option will be removed in OpenVPN 2.5 Until OpenVPN v2.3 the format of the X.509 Subject fields was formatted like this: .IP .B /C=US/L=Somewhere/CN=John Doe/emailAddress=john@example.com .IP In addition the old behaviour was to remap any character other than alphanumeric, underscore ('_'), dash ('\-'), dot ('.'), and slash ('/') to underscore ('_'). The X.509 Subject string as returned by the .B tls_id environmental variable, could additionally contain colon (':') or equal ('='). .IP When using the .B \-\-compat\-names option, this old formatting and remapping will be re\-enabled again. This is purely implemented for compatibility reasons when using older plug\-ins or scripts which does not handle the new formatting or UTF\-8 characters. .IP In OpenVPN 2.3 the formatting of these fields changed into a more standardised format. It now looks like: .IP .B C=US, L=Somewhere, CN=John Doe, emailAddress=john@example.com .IP The new default format in OpenVPN 2.3 also does not do the character remapping which happened earlier. This new format enables proper support for UTF\-8 characters in the usernames, X.509 Subject fields and Common Name variables and it complies to the RFC 2253, UTF\-8 String Representation of Distinguished Names. The .B no\-remapping mode flag can be used with the .B \-\-compat\-names option to be compatible with the now deprecated \-\-no\-name\-remapping option. It is only available at the server. When this mode flag is used, the Common Name, Subject, and username strings are allowed to include any printable character including space, but excluding control characters such as tab, newline, and carriage\-return. no\-remapping is only available on the server side. .B Please note: This option is immediately deprecated. It is only implemented to make the transition to the new formatting less intrusive. It will be removed in OpenVPN 2.5. So please update your scripts/plug\-ins where necessary. .\"********************************************************* .TP .B \-\-no\-name\-remapping .B DEPRECATED This option will be removed in OpenVPN 2.5 The .B \-\-no\-name\-remapping option is an alias for .B \-\-compat\-names\ no\-remapping. It ensures compatibility with server configurations using the .B \-\-no\-name\-remapping option. .B Please note: This option is now deprecated. It will be removed in OpenVPN 2.5. So please make sure you support the new X.509 name formatting described with the .B \-\-compat\-names option as soon as possible. .\"********************************************************* .TP .B \-\-port\-share host port [dir] When run in TCP server mode, share the OpenVPN port with another application, such as an HTTPS server. If OpenVPN senses a connection to its port which is using a non\-OpenVPN protocol, it will proxy the connection to the server at .B host:port. Currently only designed to work with HTTP/HTTPS, though it would be theoretically possible to extend to other protocols such as ssh. .B dir specifies an optional directory where a temporary file with name N containing content C will be dynamically generated for each proxy connection, where N is the source IP:port of the client connection and C is the source IP:port of the connection to the proxy receiver. This directory can be used as a dictionary by the proxy receiver to determine the origin of the connection. Each generated file will be automatically deleted when the proxied connection is torn down. Not implemented on Windows. .\"********************************************************* .SS Client Mode Use client mode when connecting to an OpenVPN server which has .B \-\-server, \-\-server\-bridge, or .B \-\-mode server in it's configuration. .\"********************************************************* .TP .B \-\-client A helper directive designed to simplify the configuration of OpenVPN's client mode. This directive is equivalent to: .nf .ft 3 .in +4 pull tls\-client .in -4 .ft .fi .\"********************************************************* .TP .B \-\-pull This option must be used on a client which is connecting to a multi\-client server. It indicates to OpenVPN that it should accept options pushed by the server, provided they are part of the legal set of pushable options (note that the .B \-\-pull option is implied by .B \-\-client ). In particular, .B \-\-pull allows the server to push routes to the client, so you should not use .B \-\-pull or .B \-\-client in situations where you don't trust the server to have control over the client's routing table. .\"********************************************************* .TP .B \-\-pull\-filter accept|ignore|reject \fItext\fR Filter options received from the server if the option starts with \fItext\fR. Runs on client. The action flag .B accept allows the option, .B ignore removes it and .B reject flags an error and triggers a SIGUSR1 restart. The filters may be specified multiple times, and each filter is applied in the order it is specified. The filtering of each option stops as soon as a match is found. Unmatched options are accepted by default. Prefix comparison is used to match \fItext\fR against the received option so that .nf .ft 3 .in +4 \-\-pull\-filter ignore "route" .in -4 .ft .fi would remove all pushed options starting with .B route which would include, for example, .B route\-gateway. Enclose \fItext\fR in quotes to embed spaces. .nf .ft 3 .in +4 \-\-pull\-filter accept "route 192.168.1." \-\-pull\-filter ignore "route " .in -4 .ft .fi would remove all routes that do not start with 192.168.1. This option may be used only on clients. Note that .B reject may result in a repeated cycle of failure and reconnect, unless multiple remotes are specified and connection to the next remote succeeds. To silently ignore an option pushed by the server, use .B ignore. .\"********************************************************* .TP .B \-\-auth\-user\-pass [up] Authenticate with server using username/password. .B up is a file containing username/password on 2 lines. If the password line is missing, OpenVPN will prompt for one. If .B up is omitted, username/password will be prompted from the console. The server configuration must specify an .B \-\-auth\-user\-pass\-verify script to verify the username/password provided by the client. .\"********************************************************* .TP .B \-\-auth\-retry type Controls how OpenVPN responds to username/password verification errors such as the client\-side response to an AUTH_FAILED message from the server or verification failure of the private key password. Normally used to prevent auth errors from being fatal on the client side, and to permit username/password requeries in case of error. An AUTH_FAILED message is generated by the server if the client fails .B \-\-auth\-user\-pass authentication, or if the server\-side .B \-\-client\-connect script returns an error status when the client tries to connect. .B type can be one of: .B none \-\- Client will exit with a fatal error (this is the default). .br .B nointeract \-\- Client will retry the connection without requerying for an .B \-\-auth\-user\-pass username/password. Use this option for unattended clients. .br .B interact \-\- Client will requery for an .B \-\-auth\-user\-pass username/password and/or private key password before attempting a reconnection. Note that while this option cannot be pushed, it can be controlled from the management interface. .\"********************************************************* .TP .B \-\-static\-challenge t e Enable static challenge/response protocol using challenge text .B t, with echo flag given by .B e (0|1). The echo flag indicates whether or not the user's response to the challenge should be echoed. See management\-notes.txt in the OpenVPN distribution for a description of the OpenVPN challenge/response protocol. .\"********************************************************* .TP \fB\-\-server\-poll\-timeout n\fR, \fB\-\-connect\-timeout n\fR When connecting to a remote server do not wait for more than .B n seconds waiting for a response before trying the next server. The default value is 120s. This timeout includes proxy and TCP connect timeouts. .\"********************************************************* .TP .B \-\-explicit\-exit\-notify [n] In UDP client mode or point\-to\-point mode, send server/peer an exit notification if tunnel is restarted or OpenVPN process is exited. In client mode, on exit/restart, this option will tell the server to immediately close its client instance object rather than waiting for a timeout. The .B n parameter (default=1) controls the maximum number of attempts that the client will try to resend the exit notification message. In UDP server mode, send RESTART control channel command to connected clients. The .B n parameter (default=1) controls client behavior. With .B n = 1 client will attempt to reconnect to the same server, with .B n = 2 client will advance to the next server. OpenVPN will not send any exit notifications unless this option is enabled. .TP .B \-\-allow\-recursive\-routing When this option is set, OpenVPN will not drop incoming tun packets with same destination as host. .\"********************************************************* .SS Data Channel Encryption Options: These options are meaningful for both Static & TLS\-negotiated key modes (must be compatible between peers). .\"********************************************************* .TP .B \-\-secret file [direction] Enable Static Key encryption mode (non\-TLS). Use pre\-shared secret .B file which was generated with .B \-\-genkey. The optional .B direction parameter enables the use of 4 distinct keys (HMAC\-send, cipher\-encrypt, HMAC\-receive, cipher\-decrypt), so that each data flow direction has a different set of HMAC and cipher keys. This has a number of desirable security properties including eliminating certain kinds of DoS and message replay attacks. When the .B direction parameter is omitted, 2 keys are used bidirectionally, one for HMAC and the other for encryption/decryption. The .B direction parameter should always be complementary on either side of the connection, i.e. one side should use "0" and the other should use "1", or both sides should omit it altogether. The .B direction parameter requires that .B file contains a 2048 bit key. While pre\-1.5 versions of OpenVPN generate 1024 bit key files, any version of OpenVPN which supports the .B direction parameter, will also support 2048 bit key file generation using the .B \-\-genkey option. Static key encryption mode has certain advantages, the primary being ease of configuration. There are no certificates or certificate authorities or complicated negotiation handshakes and protocols. The only requirement is that you have a pre\-existing secure channel with your peer (such as .B ssh ) to initially copy the key. This requirement, along with the fact that your key never changes unless you manually generate a new one, makes it somewhat less secure than TLS mode (see below). If an attacker manages to steal your key, everything that was ever encrypted with it is compromised. Contrast that to the perfect forward secrecy features of TLS mode (using Diffie Hellman key exchange), where even if an attacker was able to steal your private key, he would gain no information to help him decrypt past sessions. Another advantageous aspect of Static Key encryption mode is that it is a handshake\-free protocol without any distinguishing signature or feature (such as a header or protocol handshake sequence) that would mark the ciphertext packets as being generated by OpenVPN. Anyone eavesdropping on the wire would see nothing but random\-looking data. .\"********************************************************* .TP .B \-\-key\-direction Alternative way of specifying the optional direction parameter for the .B \-\-tls\-auth and .B \-\-secret options. Useful when using inline files (See section on inline files). .\"********************************************************* .TP .B \-\-auth alg Authenticate data channel packets and (if enabled) .B tls\-auth control channel packets with HMAC using message digest algorithm .B alg. (The default is .B SHA1 ). HMAC is a commonly used message authentication algorithm (MAC) that uses a data string, a secure hash algorithm, and a key, to produce a digital signature. The OpenVPN data channel protocol uses encrypt\-then\-mac (i.e. first encrypt a packet, then HMAC the resulting ciphertext), which prevents padding oracle attacks. If an AEAD cipher mode (e.g. GCM) is chosen, the specified .B \-\-auth algorithm is ignored for the data channel, and the authentication method of the AEAD cipher is used instead. Note that .B alg still specifies the digest used for .B tls\-auth\fR. In static\-key encryption mode, the HMAC key is included in the key file generated by .B \-\-genkey. In TLS mode, the HMAC key is dynamically generated and shared between peers via the TLS control channel. If OpenVPN receives a packet with a bad HMAC it will drop the packet. HMAC usually adds 16 or 20 bytes per packet. Set .B alg=none to disable authentication. For more information on HMAC see .I http://www.cs.ucsd.edu/users/mihir/papers/hmac.html .\"********************************************************* .TP .B \-\-cipher alg Encrypt data channel packets with cipher algorithm .B alg. The default is .B BF\-CBC, an abbreviation for Blowfish in Cipher Block Chaining mode. When cipher negotiation (NCP) is allowed, OpenVPN 2.4 and newer on both client and server side will automatically upgrade to .B AES\-256\-GCM. See .B \-\-ncp\-ciphers and .B \-\-ncp\-disable for more details on NCP. Using .B BF\-CBC is no longer recommended, because of its 64\-bit block size. This small block size allows attacks based on collisions, as demonstrated by SWEET32. See https://community.openvpn.net/openvpn/wiki/SWEET32 for details. Due to this, support for .B BF\-CBC, DES, CAST5, IDEA and .B RC2 ciphers will be removed in OpenVPN 2.6. To see other ciphers that are available with OpenVPN, use the .B \-\-show\-ciphers option. Set .B alg=none to disable encryption. .\"********************************************************* .TP .B \-\-ncp\-ciphers cipher_list Restrict the allowed ciphers to be negotiated to the ciphers in .B cipher_list\fR. .B cipher_list is a colon\-separated list of ciphers, and defaults to "AES\-256\-GCM:AES\-128\-GCM". For servers, the first cipher from .B cipher_list will be pushed to clients that support cipher negotiation. Cipher negotiation is enabled in client\-server mode only. I.e. if .B \-\-mode is set to 'server' (server\-side, implied by setting .B \-\-server ), or if .B \-\-pull is specified (client\-side, implied by setting \-\-client). If both peers support and do not disable NCP, the negotiated cipher will override the cipher specified by .B \-\-cipher\fR. Additionally, to allow for more smooth transition, if NCP is enabled, OpenVPN will inherit the cipher of the peer if that cipher is different from the local .B \-\-cipher setting, but the peer cipher is one of the ciphers specified in .B \-\-ncp\-ciphers\fR. E.g. a non\-NCP client (<=v2.3, or with \-\-ncp\-disabled set) connecting to a NCP server (v2.4+) with "\-\-cipher BF\-CBC" and "\-\-ncp\-ciphers AES\-256\-GCM:AES\-256\-CBC" set can either specify "\-\-cipher BF\-CBC" or "\-\-cipher AES\-256\-CBC" and both will work. .\"********************************************************* .TP .B \-\-ncp\-disable Disable "negotiable crypto parameters". This completely disables cipher negotiation. .\"********************************************************* .TP .B \-\-keysize n .B DEPRECATED This option will be removed in OpenVPN 2.6. Size of cipher key in bits (optional). If unspecified, defaults to cipher\-specific default. The .B \-\-show\-ciphers option (see below) shows all available OpenSSL ciphers, their default key sizes, and whether the key size can be changed. Use care in changing a cipher's default key size. Many ciphers have not been extensively cryptanalyzed with non\-standard key lengths, and a larger key may offer no real guarantee of greater security, or may even reduce security. .\"********************************************************* .TP .B \-\-prng alg [nsl] (Advanced) For PRNG (Pseudo\-random number generator), use digest algorithm .B alg (default=sha1), and set .B nsl (default=16) to the size in bytes of the nonce secret length (between 16 and 64). Set .B alg=none to disable the PRNG and use the OpenSSL RAND_bytes function instead for all of OpenVPN's pseudo\-random number needs. .\"********************************************************* .TP .B \-\-engine [engine\-name] Enable OpenSSL hardware\-based crypto engine functionality. If .B engine\-name is specified, use a specific crypto engine. Use the .B \-\-show\-engines standalone option to list the crypto engines which are supported by OpenSSL. .\"********************************************************* .TP .B \-\-no\-replay .B DEPRECATED This option will be removed in OpenVPN 2.5. (Advanced) Disable OpenVPN's protection against replay attacks. Don't use this option unless you are prepared to make a tradeoff of greater efficiency in exchange for less security. OpenVPN provides datagram replay protection by default. Replay protection is accomplished by tagging each outgoing datagram with an identifier that is guaranteed to be unique for the key being used. The peer that receives the datagram will check for the uniqueness of the identifier. If the identifier was already received in a previous datagram, OpenVPN will drop the packet. Replay protection is important to defeat attacks such as a SYN flood attack, where the attacker listens in the wire, intercepts a TCP SYN packet (identifying it by the context in which it occurs in relation to other packets), then floods the receiving peer with copies of this packet. OpenVPN's replay protection is implemented in slightly different ways, depending on the key management mode you have selected. In Static Key mode or when using an CFB or OFB mode cipher, OpenVPN uses a 64 bit unique identifier that combines a time stamp with an incrementing sequence number. When using TLS mode for key exchange and a CBC cipher mode, OpenVPN uses only a 32 bit sequence number without a time stamp, since OpenVPN can guarantee the uniqueness of this value for each key. As in IPSec, if the sequence number is close to wrapping back to zero, OpenVPN will trigger a new key exchange. To check for replays, OpenVPN uses the .I sliding window algorithm used by IPSec. .\"********************************************************* .TP .B \-\-replay\-window n [t] Use a replay protection sliding\-window of size .B n and a time window of .B t seconds. By default .B n is 64 (the IPSec default) and .B t is 15 seconds. This option is only relevant in UDP mode, i.e. when either .B \-\-proto udp is specified, or no .B \-\-proto option is specified. When OpenVPN tunnels IP packets over UDP, there is the possibility that packets might be dropped or delivered out of order. Because OpenVPN, like IPSec, is emulating the physical network layer, it will accept an out\-of\-order packet sequence, and will deliver such packets in the same order they were received to the TCP/IP protocol stack, provided they satisfy several constraints. .B (a) The packet cannot be a replay (unless .B \-\-no\-replay is specified, which disables replay protection altogether). .B (b) If a packet arrives out of order, it will only be accepted if the difference between its sequence number and the highest sequence number received so far is less than .B n. .B (c) If a packet arrives out of order, it will only be accepted if it arrives no later than .B t seconds after any packet containing a higher sequence number. If you are using a network link with a large pipeline (meaning that the product of bandwidth and latency is high), you may want to use a larger value for .B n. Satellite links in particular often require this. If you run OpenVPN at .B \-\-verb 4, you will see the message "Replay\-window backtrack occurred [x]" every time the maximum sequence number backtrack seen thus far increases. This can be used to calibrate .B n. There is some controversy on the appropriate method of handling packet reordering at the security layer. Namely, to what extent should the security layer protect the encapsulated protocol from attacks which masquerade as the kinds of normal packet loss and reordering that occur over IP networks? The IPSec and OpenVPN approach is to allow packet reordering within a certain fixed sequence number window. OpenVPN adds to the IPSec model by limiting the window size in time as well as sequence space. OpenVPN also adds TCP transport as an option (not offered by IPSec) in which case OpenVPN can adopt a very strict attitude towards message deletion and reordering: Don't allow it. Since TCP guarantees reliability, any packet loss or reordering event can be assumed to be an attack. In this sense, it could be argued that TCP tunnel transport is preferred when tunneling non\-IP or UDP application protocols which might be vulnerable to a message deletion or reordering attack which falls within the normal operational parameters of IP networks. So I would make the statement that one should never tunnel a non\-IP protocol or UDP application protocol over UDP, if the protocol might be vulnerable to a message deletion or reordering attack that falls within the normal operating parameters of what is to be expected from the physical IP layer. The problem is easily fixed by simply using TCP as the VPN transport layer. .\"********************************************************* .TP .B \-\-mute\-replay\-warnings Silence the output of replay warnings, which are a common false alarm on WiFi networks. This option preserves the security of the replay protection code without the verbosity associated with warnings about duplicate packets. .\"********************************************************* .TP .B \-\-replay\-persist file Persist replay\-protection state across sessions using .B file to save and reload the state. This option will strengthen protection against replay attacks, especially when you are using OpenVPN in a dynamic context (such as with .B \-\-inetd) when OpenVPN sessions are frequently started and stopped. This option will keep a disk copy of the current replay protection state (i.e. the most recent packet timestamp and sequence number received from the remote peer), so that if an OpenVPN session is stopped and restarted, it will reject any replays of packets which were already received by the prior session. This option only makes sense when replay protection is enabled (the default) and you are using either .B \-\-secret (shared\-secret key mode) or TLS mode with .B \-\-tls\-auth. .\"********************************************************* .TP .B \-\-no\-iv .B DEPRECATED This option will be removed in OpenVPN 2.5. (Advanced) Disable OpenVPN's use of IV (cipher initialization vector). Don't use this option unless you are prepared to make a tradeoff of greater efficiency in exchange for less security. OpenVPN uses an IV by default, and requires it for CFB and OFB cipher modes (which are totally insecure without it). Using an IV is important for security when multiple messages are being encrypted/decrypted with the same key. IV is implemented differently depending on the cipher mode used. In CBC mode, OpenVPN uses a pseudo\-random IV for each packet. In CFB/OFB mode, OpenVPN uses a unique sequence number and time stamp as the IV. In fact, in CFB/OFB mode, OpenVPN uses a datagram space\-saving optimization that uses the unique identifier for datagram replay protection as the IV. .\"********************************************************* .TP .B \-\-use\-prediction\-resistance Enable prediction resistance on mbed TLS's RNG. Enabling prediction resistance causes the RNG to reseed in each call for random. Reseeding this often can quickly deplete the kernel entropy pool. If you need this option, please consider running a daemon that adds entropy to the kernel pool. .\"********************************************************* .TP .B \-\-test\-crypto Do a self\-test of OpenVPN's crypto options by encrypting and decrypting test packets using the data channel encryption options specified above. This option does not require a peer to function, and therefore can be specified without .B \-\-dev or .B \-\-remote. The typical usage of .B \-\-test\-crypto would be something like this: .B openvpn \-\-test\-crypto \-\-secret key or .B openvpn \-\-test\-crypto \-\-secret key \-\-verb 9 This option is very useful to test OpenVPN after it has been ported to a new platform, or to isolate problems in the compiler, OpenSSL crypto library, or OpenVPN's crypto code. Since it is a self\-test mode, problems with encryption and authentication can be debugged independently of network and tunnel issues. .\"********************************************************* .SS TLS Mode Options: TLS mode is the most powerful crypto mode of OpenVPN in both security and flexibility. TLS mode works by establishing control and data channels which are multiplexed over a single TCP/UDP port. OpenVPN initiates a TLS session over the control channel and uses it to exchange cipher and HMAC keys to protect the data channel. TLS mode uses a robust reliability layer over the UDP connection for all control channel communication, while the data channel, over which encrypted tunnel data passes, is forwarded without any mediation. The result is the best of both worlds: a fast data channel that forwards over UDP with only the overhead of encrypt, decrypt, and HMAC functions, and a control channel that provides all of the security features of TLS, including certificate\-based authentication and Diffie Hellman forward secrecy. To use TLS mode, each peer that runs OpenVPN should have its own local certificate/key pair ( .B \-\-cert and .B \-\-key ), signed by the root certificate which is specified in .B \-\-ca. When two OpenVPN peers connect, each presents its local certificate to the other. Each peer will then check that its partner peer presented a certificate which was signed by the master root certificate as specified in .B \-\-ca. If that check on both peers succeeds, then the TLS negotiation will succeed, both OpenVPN peers will exchange temporary session keys, and the tunnel will begin passing data. The OpenVPN project provides a set of scripts for managing RSA certificates & keys: .I https://github.com/OpenVPN/easy\-rsa .\"********************************************************* .TP .B \-\-tls\-server Enable TLS and assume server role during TLS handshake. Note that OpenVPN is designed as a peer\-to\-peer application. The designation of client or server is only for the purpose of negotiating the TLS control channel. .\"********************************************************* .TP .B \-\-tls\-client Enable TLS and assume client role during TLS handshake. .\"********************************************************* .TP .B \-\-ca file Certificate authority (CA) file in .pem format, also referred to as the .I root certificate. This file can have multiple certificates in .pem format, concatenated together. You can construct your own certificate authority certificate and private key by using a command such as: .B openssl req \-nodes \-new \-x509 \-keyout ca.key \-out ca.crt Then edit your openssl.cnf file and edit the .B certificate variable to point to your new root certificate .B ca.crt. For testing purposes only, the OpenVPN distribution includes a sample CA certificate (ca.crt). Of course you should never use the test certificates and test keys distributed with OpenVPN in a production environment, since by virtue of the fact that they are distributed with OpenVPN, they are totally insecure. .\"********************************************************* .TP .B \-\-capath dir Directory containing trusted certificates (CAs and CRLs). Not available with mbed TLS. When using the .B \-\-capath option, you are required to supply valid CRLs for the CAs too. CAs in the capath directory are expected to be named .. CRLs are expected to be named .r. See the .B \-CApath option of .B openssl verify , and the .B \-hash option of .B openssl x509 and .B openssl crl for more information. .\"********************************************************* .TP .B \-\-dh file File containing Diffie Hellman parameters in .pem format (required for .B \-\-tls\-server only). Set .B file=none to disable Diffie Hellman key exchange (and use ECDH only). Note that this requires peers to be using an SSL library that supports ECDH TLS cipher suites (e.g. OpenSSL 1.0.1+, or mbed TLS 2.0+). Use .B openssl dhparam \-out dh2048.pem 2048 to generate 2048\-bit DH parameters. Diffie Hellman parameters may be considered public. .\"********************************************************* .TP .B \-\-ecdh\-curve name Specify the curve to use for elliptic curve Diffie Hellman. Available curves can be listed with .BR \-\-show\-curves . The specified curve will only be used for ECDH TLS\-ciphers. This option is not supported in mbed TLS builds of OpenVPN. .\"********************************************************* .TP .B \-\-cert file Local peer's signed certificate in .pem format \-\- must be signed by a certificate authority whose certificate is in .B \-\-ca file. Each peer in an OpenVPN link running in TLS mode should have its own certificate and private key file. In addition, each certificate should have been signed by the key of a certificate authority whose public key resides in the .B \-\-ca certificate authority file. You can easily make your own certificate authority (see above) or pay money to use a commercial service such as thawte.com (in which case you will be helping to finance the world's second space tourist :). To generate a certificate, you can use a command such as: .B openssl req \-nodes \-new \-keyout mycert.key \-out mycert.csr If your certificate authority private key lives on another machine, copy the certificate signing request (mycert.csr) to this other machine (this can be done over an insecure channel such as email). Now sign the certificate with a command such as: .B openssl ca \-out mycert.crt \-in mycert.csr Now copy the certificate (mycert.crt) back to the peer which initially generated the .csr file (this can be over a public medium). Note that the .B openssl ca command reads the location of the certificate authority key from its configuration file such as .B /usr/share/ssl/openssl.cnf \-\- note also that for certificate authority functions, you must set up the files .B index.txt (may be empty) and .B serial (initialize to .B 01 ). .\"********************************************************* .TP .B \-\-extra\-certs file Specify a .B file containing one or more PEM certs (concatenated together) that complete the local certificate chain. This option is useful for "split" CAs, where the CA for server certs is different than the CA for client certs. Putting certs in this file allows them to be used to complete the local certificate chain without trusting them to verify the peer\-submitted certificate, as would be the case if the certs were placed in the .B ca file. .\"********************************************************* .TP .B \-\-key file Local peer's private key in .pem format. Use the private key which was generated when you built your peer's certificate (see .B \-\-cert file above). .\"********************************************************* .TP .B \-\-tls\-version\-min version ['or\-highest'] Sets the minimum TLS version we will accept from the peer (default is "1.0"). Examples for version include "1.0", "1.1", or "1.2". If 'or\-highest' is specified and version is not recognized, we will only accept the highest TLS version supported by the local SSL implementation. .\"********************************************************* .TP .B \-\-tls\-version\-max version Set the maximum TLS version we will use (default is the highest version supported). Examples for version include "1.0", "1.1", or "1.2". .\"********************************************************* .TP .B \-\-pkcs12 file Specify a PKCS #12 file containing local private key, local certificate, and root CA certificate. This option can be used instead of .B \-\-ca, \-\-cert, and .B \-\-key. Not available with mbed TLS. .\"********************************************************* .TP .B \-\-verify\-hash hash [algo] Specify SHA1 or SHA256 fingerprint for level\-1 cert. The level\-1 cert is the CA (or intermediate cert) that signs the leaf certificate, and is one removed from the leaf certificate in the direction of the root. When accepting a connection from a peer, the level\-1 cert fingerprint must match .B hash or certificate verification will fail. Hash is specified as XX:XX:... For example: .nf .ft 3 .in +4 AD:B0:95:D8:09:C8:36:45:12:A9:89:C8:90:09:CB:13:72:A6:AD:16 .in -4 .ft .fi The .B algo flag can be either SHA1 or SHA256. If not provided, it defaults to SHA1. .\"********************************************************* .TP .B \-\-pkcs11\-cert\-private [0|1]... Set if access to certificate object should be performed after login. Every provider has its own setting. .\"********************************************************* .TP .B \-\-pkcs11\-id name Specify the serialized certificate id to be used. The id can be gotten by the standalone .B \-\-show\-pkcs11\-ids option. .\"********************************************************* .TP .B \-\-pkcs11\-id\-management Acquire PKCS#11 id from management interface. In this case a NEED\-STR 'pkcs11\-id\-request' real\-time message will be triggered, application may use pkcs11\-id\-count command to retrieve available number of certificates, and pkcs11\-id\-get command to retrieve certificate id and certificate body. .\"********************************************************* .TP .B \-\-pkcs11\-pin\-cache seconds Specify how many seconds the PIN can be cached, the default is until the token is removed. .\"********************************************************* .TP .B \-\-pkcs11\-protected\-authentication [0|1]... Use PKCS#11 protected authentication path, useful for biometric and external keypad devices. Every provider has its own setting. .\"********************************************************* .TP .B \-\-pkcs11\-providers provider... Specify a RSA Security Inc. PKCS #11 Cryptographic Token Interface (Cryptoki) providers to load. This option can be used instead of .B \-\-cert, \-\-key, and .B \-\-pkcs12. If p11\-kit is present on the system, its .B p11\-kit\-proxy.so module will be loaded by default if either the .B \-\-pkcs11\-id or .B \-\-pkcs11\-id\-management options are specified without .B \-\-pkcs11\-provider being given. .\"********************************************************* .TP .B \-\-pkcs11\-private\-mode mode... Specify which method to use in order to perform private key operations. A different mode can be specified for each provider. Mode is encoded as hex number, and can be a mask one of the following: .B 0 (default) \-\- Try to determine automatically. .br .B 1 \-\- Use sign. .br .B 2 \-\- Use sign recover. .br .B 4 \-\- Use decrypt. .br .B 8 \-\- Use unwrap. .br .\"********************************************************* .TP .B \-\-cryptoapicert select\-string Load the certificate and private key from the Windows Certificate System Store (Windows/OpenSSL Only). Use this option instead of .B \-\-cert and .B \-\-key. This makes it possible to use any smart card, supported by Windows, but also any kind of certificate, residing in the Cert Store, where you have access to the private key. This option has been tested with a couple of different smart cards (GemSAFE, Cryptoflex, and Swedish Post Office eID) on the client side, and also an imported PKCS12 software certificate on the server side. To select a certificate, based on a substring search in the certificate's subject: .B cryptoapicert "SUBJ:Peter Runestig" To select a certificate, based on certificate's thumbprint: .B cryptoapicert "THUMB:f6 49 24 41 01 b4 ..." The thumbprint hex string can easily be copy\-and\-pasted from the Windows Certificate Store GUI. .\"********************************************************* .TP .B \-\-key\-method m .B DEPRECATED This option will be removed in OpenVPN 2.5 Use data channel key negotiation method .B m. The key method must match on both sides of the connection. After OpenVPN negotiates a TLS session, a new set of keys for protecting the tunnel data channel is generated and exchanged over the TLS session. In method 1 (the default for OpenVPN 1.x), both sides generate random encrypt and HMAC\-send keys which are forwarded to the other host over the TLS channel. Method 1 is .B deprecated in OpenVPN 2.4 , and .B will be removed in OpenVPN 2.5\fR. In method 2, (the default for OpenVPN 2.0) the client generates a random key. Both client and server also generate some random seed material. All key source material is exchanged over the TLS channel. The actual keys are generated using the TLS PRF function, taking source entropy from both client and server. Method 2 is designed to closely parallel the key generation process used by TLS 1.0. Note that in TLS mode, two separate levels of keying occur: (1) The TLS connection is initially negotiated, with both sides of the connection producing certificates and verifying the certificate (or other authentication info provided) of the other side. The .B \-\-key\-method parameter has no effect on this process. (2) After the TLS connection is established, the tunnel session keys are separately negotiated over the existing secure TLS channel. Here, .B \-\-key\-method determines the derivation of the tunnel session keys. .\"********************************************************* .TP .B \-\-tls\-cipher l A list .B l of allowable TLS ciphers delimited by a colon (":"). This setting can be used to ensure that certain cipher suites are used (or not used) for the TLS connection. OpenVPN uses TLS to secure the control channel, over which the keys that are used to protect the actual VPN traffic are exchanged. The supplied list of ciphers is (after potential OpenSSL/IANA name translation) simply supplied to the crypto library. Please see the OpenSSL and/or mbed TLS documentation for details on the cipher list interpretation. Use .B \-\-show\-tls to see a list of TLS ciphers supported by your crypto library. Warning! .B \-\-tls\-cipher is an expert feature, which \- if used correcly \- can improve the security of your VPN connection. But it is also easy to unwittingly use it to carefully align a gun with your foot, or just break your connection. Use with care! The default for \-\-tls\-cipher is to use mbed TLS's default cipher list when using mbed TLS or "DEFAULT:!EXP:!LOW:!MEDIUM:!kDH:!kECDH:!DSS:!PSK:!SRP:!kRSA" when using OpenSSL. .\"********************************************************* .TP .B \-\-tls\-timeout n Packet retransmit timeout on TLS control channel if no acknowledgment from remote within .B n seconds (default=2). When OpenVPN sends a control packet to its peer, it will expect to receive an acknowledgement within .B n seconds or it will retransmit the packet, subject to a TCP\-like exponential backoff algorithm. This parameter only applies to control channel packets. Data channel packets (which carry encrypted tunnel data) are never acknowledged, sequenced, or retransmitted by OpenVPN because the higher level network protocols running on top of the tunnel such as TCP expect this role to be left to them. .\"********************************************************* .TP .B \-\-reneg\-bytes n Renegotiate data channel key after .B n bytes sent or received (disabled by default with an exception, see below). OpenVPN allows the lifetime of a key to be expressed as a number of bytes encrypted/decrypted, a number of packets, or a number of seconds. A key renegotiation will be forced if any of these three criteria are met by either peer. If using ciphers with cipher block sizes less than 128\-bits, \-\-reneg\-bytes is set to 64MB by default, unless it is explicitly disabled by setting the value to 0, but this is .B HIGHLY DISCOURAGED as this is designed to add some protection against the SWEET32 attack vector. For more information see the \-\-cipher option. .\"********************************************************* .TP .B \-\-reneg\-pkts n Renegotiate data channel key after .B n packets sent and received (disabled by default). .\"********************************************************* .TP .B \-\-reneg\-sec n Renegotiate data channel key after .B n seconds (default=3600). When using dual\-factor authentication, note that this default value may cause the end user to be challenged to reauthorize once per hour. Also, keep in mind that this option can be used on both the client and server, and whichever uses the lower value will be the one to trigger the renegotiation. A common mistake is to set .B \-\-reneg\-sec to a higher value on either the client or server, while the other side of the connection is still using the default value of 3600 seconds, meaning that the renegotiation will still occur once per 3600 seconds. The solution is to increase \-\-reneg\-sec on both the client and server, or set it to 0 on one side of the connection (to disable), and to your chosen value on the other side. .\"********************************************************* .TP .B \-\-hand\-window n Handshake Window \-\- the TLS\-based key exchange must finalize within .B n seconds of handshake initiation by any peer (default = 60 seconds). If the handshake fails we will attempt to reset our connection with our peer and try again. Even in the event of handshake failure we will still use our expiring key for up to .B \-\-tran\-window seconds to maintain continuity of transmission of tunnel data. .\"********************************************************* .TP .B \-\-tran\-window n Transition window \-\- our old key can live this many seconds after a new a key renegotiation begins (default = 3600 seconds). This feature allows for a graceful transition from old to new key, and removes the key renegotiation sequence from the critical path of tunnel data forwarding. .\"********************************************************* .TP .B \-\-single\-session After initially connecting to a remote peer, disallow any new connections. Using this option means that a remote peer cannot connect, disconnect, and then reconnect. If the daemon is reset by a signal or .B \-\-ping\-restart, it will allow one new connection. .B \-\-single\-session can be used with .B \-\-ping\-exit or .B \-\-inactive to create a single dynamic session that will exit when finished. .\"********************************************************* .TP .B \-\-tls\-exit Exit on TLS negotiation failure. .\"********************************************************* .TP .B \-\-tls\-auth file [direction] Add an additional layer of HMAC authentication on top of the TLS control channel to mitigate DoS attacks and attacks on the TLS stack. In a nutshell, .B \-\-tls\-auth enables a kind of "HMAC firewall" on OpenVPN's TCP/UDP port, where TLS control channel packets bearing an incorrect HMAC signature can be dropped immediately without response. .B file (required) is a file in OpenVPN static key format which can be generated by .B \-\-genkey Older versions (up to OpenVPN 2.3) supported a freeform passphrase file. This is no longer supported in newer versions (v2.4+). See the .B \-\-secret option for more information on the optional .B direction parameter. .B \-\-tls\-auth is recommended when you are running OpenVPN in a mode where it is listening for packets from any IP address, such as when .B \-\-remote is not specified, or .B \-\-remote is specified with .B \-\-float. The rationale for this feature is as follows. TLS requires a multi\-packet exchange before it is able to authenticate a peer. During this time before authentication, OpenVPN is allocating resources (memory and CPU) to this potential peer. The potential peer is also exposing many parts of OpenVPN and the OpenSSL library to the packets it is sending. Most successful network attacks today seek to either exploit bugs in programs (such as buffer overflow attacks) or force a program to consume so many resources that it becomes unusable. Of course the first line of defense is always to produce clean, well\-audited code. OpenVPN has been written with buffer overflow attack prevention as a top priority. But as history has shown, many of the most widely used network applications have, from time to time, fallen to buffer overflow attacks. So as a second line of defense, OpenVPN offers this special layer of authentication on top of the TLS control channel so that every packet on the control channel is authenticated by an HMAC signature and a unique ID for replay protection. This signature will also help protect against DoS (Denial of Service) attacks. An important rule of thumb in reducing vulnerability to DoS attacks is to minimize the amount of resources a potential, but as yet unauthenticated, client is able to consume. .B \-\-tls\-auth does this by signing every TLS control channel packet with an HMAC signature, including packets which are sent before the TLS level has had a chance to authenticate the peer. The result is that packets without the correct signature can be dropped immediately upon reception, before they have a chance to consume additional system resources such as by initiating a TLS handshake. .B \-\-tls\-auth can be strengthened by adding the .B \-\-replay\-persist option which will keep OpenVPN's replay protection state in a file so that it is not lost across restarts. It should be emphasized that this feature is optional and that the key file used with .B \-\-tls\-auth gives a peer nothing more than the power to initiate a TLS handshake. It is not used to encrypt or authenticate any tunnel data. Use .B \-\-tls\-crypt instead if you want to use the key file to not only authenticate, but also encrypt the TLS control channel. .\"********************************************************* .TP .B \-\-tls\-crypt keyfile Encrypt and authenticate all control channel packets with the key from .B keyfile. (See .B \-\-tls\-auth for more background.) Encrypting (and authenticating) control channel packets: .RS .IP \[bu] 2 provides more privacy by hiding the certificate used for the TLS connection, .IP \[bu] makes it harder to identify OpenVPN traffic as such, .IP \[bu] provides "poor\-man's" post\-quantum security, against attackers who will never know the pre\-shared key (i.e. no forward secrecy). .RE .IP In contrast to .B \-\-tls\-auth\fR, .B \-\-tls\-crypt does *not* require the user to set .B \-\-key\-direction\fR. .B Security Considerations All peers use the same .B \-\-tls\-crypt pre\-shared group key to authenticate and encrypt control channel messages. To ensure that IV collisions remain unlikely, this key should not be used to encrypt more than 2^48 client\-to\-server or 2^48 server\-to\-client control channel messages. A typical initial negotiation is about 10 packets in each direction. Assuming both initial negotiation and renegotiations are at most 2^16 (65536) packets (to be conservative), and (re)negotiations happen each minute for each user (24/7), this limits the tls\-crypt key lifetime to 8171 years divided by the number of users. So a setup with 1000 users should rotate the key at least once each eight years. (And a setup with 8000 users each year.) If IV collisions were to occur, this could result in the security of .B \-\-tls\-crypt degrading to the same security as using .B \-\-tls\-auth\fR. That is, the control channel still benefits from the extra protection against active man\-in\-the\-middle\-attacks and DoS attacks, but may no longer offer extra privacy and post\-quantum security on top of what TLS itself offers. .\"********************************************************* .TP .B \-\-askpass [file] Get certificate password from console or .B file before we daemonize. For the extremely security conscious, it is possible to protect your private key with a password. Of course this means that every time the OpenVPN daemon is started you must be there to type the password. The .B \-\-askpass option allows you to start OpenVPN from the command line. It will query you for a password before it daemonizes. To protect a private key with a password you should omit the .B \-nodes option when you use the .B openssl command line tool to manage certificates and private keys. If .B file is specified, read the password from the first line of .B file. Keep in mind that storing your password in a file to a certain extent invalidates the extra security provided by using an encrypted key. .\"********************************************************* .TP .B \-\-auth\-nocache Don't cache .B \-\-askpass or .B \-\-auth\-user\-pass username/passwords in virtual memory. If specified, this directive will cause OpenVPN to immediately forget username/password inputs after they are used. As a result, when OpenVPN needs a username/password, it will prompt for input from stdin, which may be multiple times during the duration of an OpenVPN session. When using \-\-auth\-nocache in combination with a user/password file and \-\-chroot or \-\-daemon, make sure to use an absolute path. This directive does not affect the .B \-\-http\-proxy username/password. It is always cached. .\"********************************************************* .TP .B \-\-auth\-token token This is not an option to be used directly in any configuration files, but rather push this option from a .B \-\-client\-connect script or a .B \-\-plugin which hooks into the OPENVPN_PLUGIN_CLIENT_CONNECT or OPENVPN_PLUGIN_CLIENT_CONNECT_V2 calls. This option provides a possibility to replace the clients password with an authentication token during the lifetime of the OpenVPN client. Whenever the connection is renegotiated and the .B \-\-auth\-user\-pass\-verify script or .B \-\-plugin making use of the OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY hook is triggered, it will pass over this token as the password instead of the password the user provided. The authentication token can only be reset by a full reconnect where the server can push new options to the client. The password the user entered is never preserved once an authentication token have been set. If the OpenVPN server side rejects the authentication token, the client will receive an AUTH_FAIL and disconnect. The purpose of this is to enable two factor authentication methods, such as HOTP or TOTP, to be used without needing to retrieve a new OTP code each time the connection is renegotiated. Another use case is to cache authentication data on the client without needing to have the users password cached in memory during the life time of the session. To make use of this feature, the .B \-\-client\-connect script or .B \-\-plugin needs to put .nf .ft 3 .in +4 push "auth\-token UNIQUE_TOKEN_VALUE" .in -4 .ft .fi into the file/buffer for dynamic configuration data. This will then make the OpenVPN server to push this value to the client, which replaces the local password with the UNIQUE_TOKEN_VALUE. .\"********************************************************* .TP .B \-\-tls\-verify cmd Run command .B cmd to verify the X509 name of a pending TLS connection that has otherwise passed all other tests of certification (except for revocation via .B \-\-crl\-verify directive; the revocation test occurs after the .B \-\-tls\-verify test). .B cmd should return 0 to allow the TLS handshake to proceed, or 1 to fail. .B cmd consists of a path to script (or executable program), optionally followed by arguments. The path and arguments may be single\- or double\-quoted and/or escaped using a backslash, and should be separated by one or more spaces. When .B cmd is executed two arguments are appended after any arguments specified in .B cmd , as follows: .B cmd certificate_depth subject These arguments are, respectively, the current certificate depth and the X509 common name (cn) of the peer. This feature is useful if the peer you want to trust has a certificate which was signed by a certificate authority who also signed many other certificates, where you don't necessarily want to trust all of them, but rather be selective about which peer certificate you will accept. This feature allows you to write a script which will test the X509 name on a certificate and decide whether or not it should be accepted. For a simple perl script which will test the common name field on the certificate, see the file .B verify\-cn in the OpenVPN distribution. See the "Environmental Variables" section below for additional parameters passed as environmental variables. .\"********************************************************* .TP .B \-\-tls\-export\-cert directory Store the certificates the clients uses upon connection to this directory. This will be done before \-\-tls\-verify is called. The certificates will use a temporary name and will be deleted when the tls\-verify script returns. The file name used for the certificate is available via the peer_cert environment variable. .\"********************************************************* .TP .B \-\-x509\-username\-field [ext:\]fieldname Field in the X.509 certificate subject to be used as the username (default=CN). Typically, this option is specified with .B fieldname as either of the following: .B \-\-x509\-username\-field emailAddress .br .B \-\-x509\-username\-field ext:\fRsubjectAltName The first example uses the value of the "emailAddress" attribute in the certificate's Subject field as the username. The second example uses the .B ext: prefix to signify that the X.509 extension .B fieldname "subjectAltName" be searched for an rfc822Name (email) field to be used as the username. In cases where there are multiple email addresses in .B ext:fieldname\fR, the last occurrence is chosen. When this option is used, the .B \-\-verify\-x509\-name option will match against the chosen .B fieldname instead of the Common Name. Only the subjectAltName and issuerAltName X.509 extensions are supported. .B Please note: This option has a feature which will convert an all\-lowercase .B fieldname to uppercase characters, e.g., ou \-> OU. A mixed\-case .B fieldname or one having the .B ext: prefix will be left as\-is. This automatic upcasing feature is deprecated and will be removed in a future release. .\"********************************************************* .TP .B \-\-verify\-x509\-name name type Accept connections only if a host's X.509 name is equal to .B name. The remote host must also pass all other tests of verification. Which X.509 name is compared to .B name depends on the setting of type. .B type can be "subject" to match the complete subject DN (default), "name" to match a subject RDN or "name\-prefix" to match a subject RDN prefix. Which RDN is verified as name depends on the .B \-\-x509\-username\-field option. But it defaults to the common name (CN), e.g. a certificate with a subject DN "C=KG, ST=NA, L=Bishkek, CN=Server\-1" would be matched by: .B \-\-verify\-x509\-name 'C=KG, ST=NA, L=Bishkek, CN=Server\-1' and .B \-\-verify\-x509\-name Server\-1 name or you could use .B \-\-verify\-x509\-name Server\- name\-prefix if you want a client to only accept connections to "Server\-1", "Server\-2", etc. .B \-\-verify\-x509\-name is a useful replacement for the .B \-\-tls\-verify option to verify the remote host, because .B \-\-verify\-x509\-name works in a .B \-\-chroot environment without any dependencies. Using a name prefix is a useful alternative to managing a CRL (Certificate Revocation List) on the client, since it allows the client to refuse all certificates except for those associated with designated servers. .B NOTE: Test against a name prefix only when you are using OpenVPN with a custom CA certificate that is under your control. Never use this option with type "name\-prefix" when your client certificates are signed by a third party, such as a commercial web CA. .\"********************************************************* .TP .B \-\-x509\-track attribute Save peer X509 .B attribute value in environment for use by plugins and management interface. Prepend a '+' to .B attribute to save values from full cert chain. Values will be encoded as X509__=. Multiple .B \-\-x509\-track options can be defined to track multiple attributes. .\"********************************************************* .TP .B \-\-ns\-cert\-type client|server .B DEPRECATED This option will be removed in OpenVPN 2.5. Use the more modern equivalent .B \-\-remote\-cert\-tls instead. This option will be removed in OpenVPN 2.5. Require that peer certificate was signed with an explicit .B nsCertType designation of "client" or "server". This is a useful security option for clients, to ensure that the host they connect with is a designated server. See the easy\-rsa/build\-key\-server script for an example of how to generate a certificate with the .B nsCertType field set to "server". If the server certificate's nsCertType field is set to "server", then the clients can verify this with .B \-\-ns\-cert\-type server. This is an important security precaution to protect against a man\-in\-the\-middle attack where an authorized client attempts to connect to another client by impersonating the server. The attack is easily prevented by having clients verify the server certificate using any one of .B \-\-ns\-cert\-type, \-\-verify\-x509\-name, or .B \-\-tls\-verify. .\"********************************************************* .TP .B \-\-remote\-cert\-ku [v...] Require that peer certificate was signed with an explicit .B key usage. If present in the certificate, the keyUsage value is validated by the TLS library during the TLS handshake. Specifying this option without arguments requires this extension to be present (so the TLS library will verify it). If the list .B v... is also supplied, the keyUsage field must have .B at least the same bits set as the bits in .B one of the values supplied in the list .B v... The key usage values in the list must be encoded in hex, e.g. "\-\-remote\-cert\-ku a0" .\"********************************************************* .TP .B \-\-remote\-cert\-eku oid Require that peer certificate was signed with an explicit .B extended key usage. This is a useful security option for clients, to ensure that the host they connect to is a designated server. The extended key usage should be encoded in oid notation, or OpenSSL symbolic representation. .\"********************************************************* .TP .B \-\-remote\-cert\-tls client|server Require that peer certificate was signed with an explicit .B key usage and .B extended key usage based on RFC3280 TLS rules. This is a useful security option for clients, to ensure that the host they connect to is a designated server. Or the other way around; for a server to verify that only hosts with a client certificate can connect. The .B \-\-remote\-cert\-tls client option is equivalent to .B \-\-remote\-cert\-ku \-\-remote\-cert\-eku "TLS Web Client Authentication" The .B \-\-remote\-cert\-tls server option is equivalent to .B \-\-remote\-cert\-ku \-\-remote\-cert\-eku "TLS Web Server Authentication" This is an important security precaution to protect against a man\-in\-the\-middle attack where an authorized client attempts to connect to another client by impersonating the server. The attack is easily prevented by having clients verify the server certificate using any one of .B \-\-remote\-cert\-tls, \-\-verify\-x509\-name, or .B \-\-tls\-verify. .\"********************************************************* .TP .B \-\-crl\-verify crl ['dir'] Check peer certificate against the file .B crl in PEM format. A CRL (certificate revocation list) is used when a particular key is compromised but when the overall PKI is still intact. Suppose you had a PKI consisting of a CA, root certificate, and a number of client certificates. Suppose a laptop computer containing a client key and certificate was stolen. By adding the stolen certificate to the CRL file, you could reject any connection which attempts to use it, while preserving the overall integrity of the PKI. The only time when it would be necessary to rebuild the entire PKI from scratch would be if the root certificate key itself was compromised. If the optional .B dir flag is specified, enable a different mode where .B crl is a directory containing files named as revoked serial numbers (the files may be empty, the contents are never read). If a client requests a connection, where the client certificate serial number (decimal string) is the name of a file present in the directory, it will be rejected. Note: As the crl file (or directory) is read every time a peer connects, if you are dropping root privileges with .B \-\-user, make sure that this user has sufficient privileges to read the file. .\"********************************************************* .SS SSL Library information: .\"********************************************************* .TP .B \-\-show\-ciphers (Standalone) Show all cipher algorithms to use with the .B \-\-cipher option. .\"********************************************************* .TP .B \-\-show\-digests (Standalone) Show all message digest algorithms to use with the .B \-\-auth option. .\"********************************************************* .TP .B \-\-show\-tls (Standalone) Show all TLS ciphers supported by the crypto library. OpenVPN uses TLS to secure the control channel, over which the keys that are used to protect the actual VPN traffic are exchanged. The TLS ciphers will be sorted from highest preference (most secure) to lowest. Be aware that whether a cipher suite in this list can actually work depends on the specific setup of both peers (e.g. both peers must support the cipher, and an ECDSA cipher suite will not work if you are using an RSA certificate, etc.). .\"********************************************************* .TP .B \-\-show\-engines (Standalone) Show currently available hardware\-based crypto acceleration engines supported by the OpenSSL library. .\"********************************************************* .TP .B \-\-show\-curves (Standalone) Show all available elliptic curves to use with the .B \-\-ecdh\-curve option. .\"********************************************************* .SS Generate a random key: Used only for non\-TLS static key encryption mode. .\"********************************************************* .TP .B \-\-genkey (Standalone) Generate a random key to be used as a shared secret, for use with the .B \-\-secret option. This file must be shared with the peer over a pre\-existing secure channel such as .BR scp (1) . .\"********************************************************* .TP .B \-\-secret file Write key to .B file. .\"********************************************************* .SS TUN/TAP persistent tunnel config mode: Available with Linux 2.4.7+. These options comprise a standalone mode of OpenVPN which can be used to create and delete persistent tunnels. .\"********************************************************* .TP .B \-\-mktun (Standalone) Create a persistent tunnel on platforms which support them such as Linux. Normally TUN/TAP tunnels exist only for the period of time that an application has them open. This option takes advantage of the TUN/TAP driver's ability to build persistent tunnels that live through multiple instantiations of OpenVPN and die only when they are deleted or the machine is rebooted. One of the advantages of persistent tunnels is that they eliminate the need for separate .B \-\-up and .B \-\-down scripts to run the appropriate .BR ifconfig (8) and .BR route (8) commands. These commands can be placed in the the same shell script which starts or terminates an OpenVPN session. Another advantage is that open connections through the TUN/TAP\-based tunnel will not be reset if the OpenVPN peer restarts. This can be useful to provide uninterrupted connectivity through the tunnel in the event of a DHCP reset of the peer's public IP address (see the .B \-\-ipchange option above). One disadvantage of persistent tunnels is that it is harder to automatically configure their MTU value (see .B \-\-link\-mtu and .B \-\-tun\-mtu above). On some platforms such as Windows, TAP\-Win32 tunnels are persistent by default. .\"********************************************************* .TP .B \-\-rmtun (Standalone) Remove a persistent tunnel. .\"********************************************************* .TP .B \-\-dev tunX | tapX TUN/TAP device .\"********************************************************* .TP .B \-\-user user Optional user to be owner of this tunnel. .\"********************************************************* .TP .B \-\-group group Optional group to be owner of this tunnel. .\"********************************************************* .SS Windows\-Specific Options: .\"********************************************************* .TP .B \-\-win\-sys path Set the Windows system directory pathname to use when looking for system executables such as .B route.exe and .B netsh.exe. By default, if this directive is not specified, OpenVPN will use the SystemRoot environment variable. This option have changed behaviour in OpenVPN 2.3. Earlier you had to define .B \-\-win\-sys env to use the SystemRoot environment variable, otherwise it defaulted to C:\\WINDOWS. It is not needed to use the .B env keyword any more, and it will just be ignored. A warning is logged when this is found in the configuration file. .\"********************************************************* .TP .B \-\-ip\-win32 method When using .B \-\-ifconfig on Windows, set the TAP\-Win32 adapter IP address and netmask using .B method. Don't use this option unless you are also using .B \-\-ifconfig. .B manual \-\- Don't set the IP address or netmask automatically. Instead output a message to the console telling the user to configure the adapter manually and indicating the IP/netmask which OpenVPN expects the adapter to be set to. .B dynamic [offset] [lease\-time] \-\- Automatically set the IP address and netmask by replying to DHCP query messages generated by the kernel. This mode is probably the "cleanest" solution for setting the TCP/IP properties since it uses the well\-known DHCP protocol. There are, however, two prerequisites for using this mode: (1) The TCP/IP properties for the TAP\-Win32 adapter must be set to "Obtain an IP address automatically," and (2) OpenVPN needs to claim an IP address in the subnet for use as the virtual DHCP server address. By default in .B \-\-dev tap mode, OpenVPN will take the normally unused first address in the subnet. For example, if your subnet is 192.168.4.0 netmask 255.255.255.0, then OpenVPN will take the IP address 192.168.4.0 to use as the virtual DHCP server address. In .B \-\-dev tun mode, OpenVPN will cause the DHCP server to masquerade as if it were coming from the remote endpoint. The optional offset parameter is an integer which is > \-256 and < 256 and which defaults to \-1. If offset is positive, the DHCP server will masquerade as the IP address at network address + offset. If offset is negative, the DHCP server will masquerade as the IP address at broadcast address + offset. The Windows .B ipconfig /all command can be used to show what Windows thinks the DHCP server address is. OpenVPN will "claim" this address, so make sure to use a free address. Having said that, different OpenVPN instantiations, including different ends of the same connection, can share the same virtual DHCP server address. The .B lease\-time parameter controls the lease time of the DHCP assignment given to the TAP\-Win32 adapter, and is denoted in seconds. Normally a very long lease time is preferred because it prevents routes involving the TAP\-Win32 adapter from being lost when the system goes to sleep. The default lease time is one year. .B netsh \-\- Automatically set the IP address and netmask using the Windows command\-line "netsh" command. This method appears to work correctly on Windows XP but not Windows 2000. .B ipapi \-\- Automatically set the IP address and netmask using the Windows IP Helper API. This approach does not have ideal semantics, though testing has indicated that it works okay in practice. If you use this option, it is best to leave the TCP/IP properties for the TAP\-Win32 adapter in their default state, i.e. "Obtain an IP address automatically." .B adaptive \-\- (Default) Try .B dynamic method initially and fail over to .B netsh if the DHCP negotiation with the TAP\-Win32 adapter does not succeed in 20 seconds. Such failures have been known to occur when certain third\-party firewall packages installed on the client machine block the DHCP negotiation used by the TAP\-Win32 adapter. Note that if the .B netsh failover occurs, the TAP\-Win32 adapter TCP/IP properties will be reset from DHCP to static, and this will cause future OpenVPN startups using the .B adaptive mode to use .B netsh immediately, rather than trying .B dynamic first. To "unstick" the .B adaptive mode from using .B netsh, run OpenVPN at least once using the .B dynamic mode to restore the TAP\-Win32 adapter TCP/IP properties to a DHCP configuration. .\"********************************************************* .TP .B \-\-route\-method m Which method .B m to use for adding routes on Windows? .B adaptive (default) \-\- Try IP helper API first. If that fails, fall back to the route.exe shell command. .br .B ipapi \-\- Use IP helper API. .br .B exe \-\- Call the route.exe shell command. .\"********************************************************* .TP .B \-\-dhcp\-option type [parm] Set extended TAP\-Win32 TCP/IP properties, must be used with .B \-\-ip\-win32 dynamic or .B \-\-ip\-win32 adaptive. This option can be used to set additional TCP/IP properties on the TAP\-Win32 adapter, and is particularly useful for configuring an OpenVPN client to access a Samba server across the VPN. .B DOMAIN name \-\- Set Connection\-specific DNS Suffix. .B DNS addr \-\- Set primary domain name server IPv4 address. Repeat this option to set secondary DNS server addresses. .B DNS6 addr \-\- Set primary domain name server IPv6 address. Repeat this option to set secondary DNS server IPv6 addresses. Note: currently this is handled using netsh (the existing DHCP code can only do IPv4 DHCP, and that protocol only permits IPv4 addresses anywhere). The option will be put into the environment, so an .B \-\-up script could act upon it if needed. .B WINS addr \-\- Set primary WINS server address (NetBIOS over TCP/IP Name Server). Repeat this option to set secondary WINS server addresses. .B NBDD addr \-\- Set primary NBDD server address (NetBIOS over TCP/IP Datagram Distribution Server) Repeat this option to set secondary NBDD server addresses. .B NTP addr \-\- Set primary NTP server address (Network Time Protocol). Repeat this option to set secondary NTP server addresses. .B NBT type \-\- Set NetBIOS over TCP/IP Node type. Possible options: .B 1 = b\-node (broadcasts), .B 2 = p\-node (point\-to\-point name queries to a WINS server), .B 4 = m\-node (broadcast then query name server), and .B 8 = h\-node (query name server, then broadcast). .B NBS scope\-id \-\- Set NetBIOS over TCP/IP Scope. A NetBIOS Scope ID provides an extended naming service for the NetBIOS over TCP/IP (Known as NBT) module. The primary purpose of a NetBIOS scope ID is to isolate NetBIOS traffic on a single network to only those nodes with the same NetBIOS scope ID. The NetBIOS scope ID is a character string that is appended to the NetBIOS name. The NetBIOS scope ID on two hosts must match, or the two hosts will not be able to communicate. The NetBIOS Scope ID also allows computers to use the same computer name, as they have different scope IDs. The Scope ID becomes a part of the NetBIOS name, making the name unique. (This description of NetBIOS scopes courtesy of NeonSurge@abyss.com) .B DISABLE\-NBT \-\- Disable Netbios\-over\-TCP/IP. Note that if .B \-\-dhcp\-option is pushed via .B \-\-push to a non\-windows client, the option will be saved in the client's environment before the up script is called, under the name "foreign_option_{n}". .\"********************************************************* .TP .B \-\-tap\-sleep n Cause OpenVPN to sleep for .B n seconds immediately after the TAP\-Win32 adapter state is set to "connected". This option is intended to be used to troubleshoot problems with the .B \-\-ifconfig and .B \-\-ip\-win32 options, and is used to give the TAP\-Win32 adapter time to come up before Windows IP Helper API operations are applied to it. .\"********************************************************* .TP .B \-\-show\-net\-up Output OpenVPN's view of the system routing table and network adapter list to the syslog or log file after the TUN/TAP adapter has been brought up and any routes have been added. .\"********************************************************* .TP .B \-\-block\-outside\-dns Block DNS servers on other network adapters to prevent DNS leaks. This option prevents any application from accessing TCP or UDP port 53 except one inside the tunnel. It uses Windows Filtering Platform (WFP) and works on Windows Vista or later. This option is considered unknown on non\-Windows platforms and unsupported on Windows XP, resulting in fatal error. You may want to use .B \-\-setenv opt or .B \-\-ignore\-unknown\-option (not suitable for Windows XP) to ignore said error. Note that pushing unknown options from server does not trigger fatal errors. .\"********************************************************* .TP .B \-\-dhcp\-renew Ask Windows to renew the TAP adapter lease on startup. This option is normally unnecessary, as Windows automatically triggers a DHCP renegotiation on the TAP adapter when it comes up, however if you set the TAP\-Win32 adapter Media Status property to "Always Connected", you may need this flag. .\"********************************************************* .TP .B \-\-dhcp\-release Ask Windows to release the TAP adapter lease on shutdown. This option has no effect now, as it is enabled by default starting with OpenVPN 2.4.1. .\"********************************************************* .TP .B \-\-register\-dns Run ipconfig /flushdns and ipconfig /registerdns on connection initiation. This is known to kick Windows into recognizing pushed DNS servers. .\"********************************************************* .TP .B \-\-pause\-exit Put up a "press any key to continue" message on the console prior to OpenVPN program exit. This option is automatically used by the Windows explorer when OpenVPN is run on a configuration file using the right\-click explorer menu. .\"********************************************************* .TP .B \-\-service exit\-event [0|1] Should be used when OpenVPN is being automatically executed by another program in such a context that no interaction with the user via display or keyboard is possible. In general, end\-users should never need to explicitly use this option, as it is automatically added by the OpenVPN service wrapper when a given OpenVPN configuration is being run as a service. .B exit\-event is the name of a Windows global event object, and OpenVPN will continuously monitor the state of this event object and exit when it becomes signaled. The second parameter indicates the initial state of .B exit\-event and normally defaults to 0. Multiple OpenVPN processes can be simultaneously executed with the same .B exit\-event parameter. In any case, the controlling process can signal .B exit\-event, causing all such OpenVPN processes to exit. When executing an OpenVPN process using the .B \-\-service directive, OpenVPN will probably not have a console window to output status/error messages, therefore it is useful to use .B \-\-log or .B \-\-log\-append to write these messages to a file. .\"********************************************************* .TP .B \-\-show\-adapters (Standalone) Show available TAP\-Win32 adapters which can be selected using the .B \-\-dev\-node option. On non\-Windows systems, the .BR ifconfig (8) command provides similar functionality. .\"********************************************************* .TP .B \-\-allow\-nonadmin [TAP\-adapter] (Standalone) Set .B TAP\-adapter to allow access from non\-administrative accounts. If .B TAP\-adapter is omitted, all TAP adapters on the system will be configured to allow non\-admin access. The non\-admin access setting will only persist for the length of time that the TAP\-Win32 device object and driver remain loaded, and will need to be re\-enabled after a reboot, or if the driver is unloaded and reloaded. This directive can only be used by an administrator. .\"********************************************************* .TP .B \-\-show\-valid\-subnets (Standalone) Show valid subnets for .B \-\-dev tun emulation. Since the TAP\-Win32 driver exports an ethernet interface to Windows, and since TUN devices are point\-to\-point in nature, it is necessary for the TAP\-Win32 driver to impose certain constraints on TUN endpoint address selection. Namely, the point\-to\-point endpoints used in TUN device emulation must be the middle two addresses of a /30 subnet (netmask 255.255.255.252). .\"********************************************************* .TP .B \-\-show\-net (Standalone) Show OpenVPN's view of the system routing table and network adapter list. .\"********************************************************* .SS PKCS#11 Standalone Options: .\"********************************************************* .TP .B \-\-show\-pkcs11\-ids [provider] [cert_private] (Standalone) Show PKCS#11 token object list. Specify cert_private as 1 if certificates are stored as private objects. If p11\-kit is present on the system, the .B provider argument is optional; if omitted the default .B p11\-kit\-proxy.so module will be queried. .B \-\-verb option can be used BEFORE this option to produce debugging information. .\"********************************************************* .SS Standalone Debug Options: .\"********************************************************* .TP .B \-\-show\-gateway [v6target] (Standalone) Show current IPv4 and IPv6 default gateway and interface towards the gateway (if the protocol in question is enabled). If an IPv6 address is passed as argument, the IPv6 route for this host is reported. .\"********************************************************* .SS IPv6 Related Options .\"********************************************************* The following options exist to support IPv6 tunneling in peer\-to\-peer and client\-server mode. All options are modeled after their IPv4 counterparts, so more detailed explanations given there apply here as well (except for .B \-\-topology , which has no effect on IPv6). .TP .B \-\-ifconfig\-ipv6 ipv6addr/bits ipv6remote configure IPv6 address .B ipv6addr/bits on the ``tun'' device. The second parameter is used as route target for .B \-\-route\-ipv6 if no gateway is specified. .TP .B \-\-route\-ipv6 ipv6addr/bits [gateway] [metric] setup IPv6 routing in the system to send the specified IPv6 network into OpenVPN's ``tun''. The gateway parameter is only used for IPv6 routes across ``tap'' devices, and if missing, the ``ipv6remote'' field from .B \-\-ifconfig\-ipv6 is used. .TP .B \-\-server\-ipv6 ipv6addr/bits convenience\-function to enable a number of IPv6 related options at once, namely .B \-\-ifconfig\-ipv6, \-\-ifconfig\-ipv6\-pool and .B \-\-push tun\-ipv6 Is only accepted if ``\-\-mode server'' or ``\-\-server'' is set. Pushing of the .B \-\-tun\-ipv6 directive is done for older clients which require an explicit ``\-\-tun\-ipv6'' in their configuration. .TP .B \-\-ifconfig\-ipv6\-pool ipv6addr/bits Specify an IPv6 address pool for dynamic assignment to clients. The pool starts at .B ipv6addr and matches the offset determined from the start of the IPv4 pool. .TP .B \-\-ifconfig\-ipv6\-push ipv6addr/bits ipv6remote for ccd/ per\-client static IPv6 interface configuration, see .B \-\-client\-config\-dir and .B \-\-ifconfig\-push for more details. .TP .B \-\-iroute\-ipv6 ipv6addr/bits for ccd/ per\-client static IPv6 route configuration, see .B \-\-iroute for more details how to setup and use this, and how .B \-\-iroute and .B \-\-route interact. .\"********************************************************* .SH SCRIPTING AND ENVIRONMENTAL VARIABLES OpenVPN exports a series of environmental variables for use by user\-defined scripts. .\"********************************************************* .SS Script Order of Execution .\"********************************************************* .TP .B \-\-up Executed after TCP/UDP socket bind and TUN/TAP open. .\"********************************************************* .TP .B \-\-tls\-verify Executed when we have a still untrusted remote peer. .\"********************************************************* .TP .B \-\-ipchange Executed after connection authentication, or remote IP address change. .\"********************************************************* .TP .B \-\-client\-connect Executed in .B \-\-mode server mode immediately after client authentication. .\"********************************************************* .TP .B \-\-route\-up Executed after connection authentication, either immediately after, or some number of seconds after as defined by the .B \-\-route\-delay option. .\"********************************************************* .TP .B \-\-route\-pre\-down Executed right before the routes are removed. .\"********************************************************* .TP .B \-\-client\-disconnect Executed in .B \-\-mode server mode on client instance shutdown. .\"********************************************************* .TP .B \-\-down Executed after TCP/UDP and TUN/TAP close. .\"********************************************************* .TP .B \-\-learn\-address Executed in .B \-\-mode server mode whenever an IPv4 address/route or MAC address is added to OpenVPN's internal routing table. .\"********************************************************* .TP .B \-\-auth\-user\-pass\-verify Executed in .B \-\-mode server mode on new client connections, when the client is still untrusted. .\"********************************************************* .SS String Types and Remapping In certain cases, OpenVPN will perform remapping of characters in strings. Essentially, any characters outside the set of permitted characters for each string type will be converted to underbar ('_'). .B Q: Why is string remapping necessary? .B A: It's an important security feature to prevent the malicious coding of strings from untrusted sources to be passed as parameters to scripts, saved in the environment, used as a common name, translated to a filename, etc. .B Q: Can string remapping be disabled? .B A: Yes, by using the .B \-\-no\-name\-remapping option, however this should be considered an advanced option. Here is a brief rundown of OpenVPN's current string types and the permitted character class for each string: .B X509 Names: Alphanumeric, underbar ('_'), dash ('\-'), dot ('.'), at ('@'), colon (':'), slash ('/'), and equal ('='). Alphanumeric is defined as a character which will cause the C library isalnum() function to return true. .B Common Names: Alphanumeric, underbar ('_'), dash ('\-'), dot ('.'), and at ('@'). .B \-\-auth\-user\-pass username: Same as Common Name, with one exception: starting with OpenVPN 2.0.1, the username is passed to the OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY plugin in its raw form, without string remapping. .B \-\-auth\-user\-pass password: Any "printable" character except CR or LF. Printable is defined to be a character which will cause the C library isprint() function to return true. .B \-\-client\-config\-dir filename as derived from common name or username: Alphanumeric, underbar ('_'), dash ('\-'), and dot ('.') except for "." or ".." as standalone strings. As of v2.0.1\-rc6, the at ('@') character has been added as well for compatibility with the common name character class. .B Environmental variable names: Alphanumeric or underbar ('_'). .B Environmental variable values: Any printable character. For all cases, characters in a string which are not members of the legal character class for that string type will be remapped to underbar ('_'). .\"********************************************************* .SS Environmental Variables Once set, a variable is persisted indefinitely until it is reset by a new value or a restart, As of OpenVPN 2.0\-beta12, in server mode, environmental variables set by OpenVPN are scoped according to the client objects they are associated with, so there should not be any issues with scripts having access to stale, previously set variables which refer to different client instances. .\"********************************************************* .TP .B bytes_received Total number of bytes received from client during VPN session. Set prior to execution of the .B \-\-client\-disconnect script. .\"********************************************************* .TP .B bytes_sent Total number of bytes sent to client during VPN session. Set prior to execution of the .B \-\-client\-disconnect script. .\"********************************************************* .TP .B common_name The X509 common name of an authenticated client. Set prior to execution of .B \-\-client\-connect, \-\-client\-disconnect, and .B \-\-auth\-user\-pass\-verify scripts. .\"********************************************************* .TP .B config Name of first .B \-\-config file. Set on program initiation and reset on SIGHUP. .\"********************************************************* .TP .B daemon Set to "1" if the .B \-\-daemon directive is specified, or "0" otherwise. Set on program initiation and reset on SIGHUP. .\"********************************************************* .TP .B daemon_log_redirect Set to "1" if the .B \-\-log or .B \-\-log\-append directives are specified, or "0" otherwise. Set on program initiation and reset on SIGHUP. .\"********************************************************* .TP .B dev The actual name of the TUN/TAP device, including a unit number if it exists. Set prior to .B \-\-up or .B \-\-down script execution. .\"********************************************************* .TP .B dev_idx On Windows, the device index of the TUN/TAP adapter (to be used in netsh.exe calls which sometimes just do not work right with interface names). Set prior to .B \-\-up or .B \-\-down script execution. .\"********************************************************* .TP .B foreign_option_{n} An option pushed via .B \-\-push to a client which does not natively support it, such as .B \-\-dhcp\-option on a non\-Windows system, will be recorded to this environmental variable sequence prior to .B \-\-up script execution. .\"********************************************************* .TP .B ifconfig_broadcast The broadcast address for the virtual ethernet segment which is derived from the .B \-\-ifconfig option when .B \-\-dev tap is used. Set prior to OpenVPN calling the .I ifconfig or .I netsh (windows version of ifconfig) commands which normally occurs prior to .B \-\-up script execution. .\"********************************************************* .TP .B ifconfig_ipv6_local The local VPN endpoint IPv6 address specified in the .B \-\-ifconfig\-ipv6 option (first parameter). Set prior to OpenVPN calling the .I ifconfig or .I netsh (windows version of ifconfig) commands which normally occurs prior to .B \-\-up script execution. .\"********************************************************* .TP .B ifconfig_ipv6_netbits The prefix length of the IPv6 network on the VPN interface. Derived from the /nnn parameter of the IPv6 address in the .B \-\-ifconfig\-ipv6 option (first parameter). Set prior to OpenVPN calling the .I ifconfig or .I netsh (windows version of ifconfig) commands which normally occurs prior to .B \-\-up script execution. .\"********************************************************* .TP .B ifconfig_ipv6_remote The remote VPN endpoint IPv6 address specified in the .B \-\-ifconfig\-ipv6 option (second parameter). Set prior to OpenVPN calling the .I ifconfig or .I netsh (windows version of ifconfig) commands which normally occurs prior to .B \-\-up script execution. .\"********************************************************* .TP .B ifconfig_local The local VPN endpoint IP address specified in the .B \-\-ifconfig option (first parameter). Set prior to OpenVPN calling the .I ifconfig or .I netsh (windows version of ifconfig) commands which normally occurs prior to .B \-\-up script execution. .\"********************************************************* .TP .B ifconfig_remote The remote VPN endpoint IP address specified in the .B \-\-ifconfig option (second parameter) when .B \-\-dev tun is used. Set prior to OpenVPN calling the .I ifconfig or .I netsh (windows version of ifconfig) commands which normally occurs prior to .B \-\-up script execution. .\"********************************************************* .TP .B ifconfig_netmask The subnet mask of the virtual ethernet segment that is specified as the second parameter to .B \-\-ifconfig when .B \-\-dev tap is being used. Set prior to OpenVPN calling the .I ifconfig or .I netsh (windows version of ifconfig) commands which normally occurs prior to .B \-\-up script execution. .\"********************************************************* .TP .B ifconfig_pool_local_ip The local virtual IP address for the TUN/TAP tunnel taken from an .B \-\-ifconfig\-push directive if specified, or otherwise from the ifconfig pool (controlled by the .B \-\-ifconfig\-pool config file directive). Only set for .B \-\-dev tun tunnels. This option is set on the server prior to execution of the .B \-\-client\-connect and .B \-\-client\-disconnect scripts. .\"********************************************************* .TP .B ifconfig_pool_netmask The virtual IP netmask for the TUN/TAP tunnel taken from an .B \-\-ifconfig\-push directive if specified, or otherwise from the ifconfig pool (controlled by the .B \-\-ifconfig\-pool config file directive). Only set for .B \-\-dev tap tunnels. This option is set on the server prior to execution of the .B \-\-client\-connect and .B \-\-client\-disconnect scripts. .\"********************************************************* .TP .B ifconfig_pool_remote_ip The remote virtual IP address for the TUN/TAP tunnel taken from an .B \-\-ifconfig\-push directive if specified, or otherwise from the ifconfig pool (controlled by the .B \-\-ifconfig\-pool config file directive). This option is set on the server prior to execution of the .B \-\-client\-connect and .B \-\-client\-disconnect scripts. .\"********************************************************* .TP .B link_mtu The maximum packet size (not including the IP header) of tunnel data in UDP tunnel transport mode. Set prior to .B \-\-up or .B \-\-down script execution. .\"********************************************************* .TP .B local The .B \-\-local parameter. Set on program initiation and reset on SIGHUP. .\"********************************************************* .TP .B local_port The local port number or name, specified by .B \-\-port or .B \-\-lport. Set on program initiation and reset on SIGHUP. .\"********************************************************* .TP .B password The password provided by a connecting client. Set prior to .B \-\-auth\-user\-pass\-verify script execution only when the .B via\-env modifier is specified, and deleted from the environment after the script returns. .\"********************************************************* .TP .B proto The .B \-\-proto parameter. Set on program initiation and reset on SIGHUP. .\"********************************************************* .TP .B remote_{n} The .B \-\-remote parameter. Set on program initiation and reset on SIGHUP. .\"********************************************************* .TP .B remote_port_{n} The remote port number, specified by .B \-\-port or .B \-\-rport. Set on program initiation and reset on SIGHUP. .\"********************************************************* .TP .B route_net_gateway The pre\-existing default IP gateway in the system routing table. Set prior to .B \-\-up script execution. .\"********************************************************* .TP .B route_vpn_gateway The default gateway used by .B \-\-route options, as specified in either the .B \-\-route\-gateway option or the second parameter to .B \-\-ifconfig when .B \-\-dev tun is specified. Set prior to .B \-\-up script execution. .\"********************************************************* .TP .B route_{parm}_{n} A set of variables which define each route to be added, and are set prior to .B \-\-up script execution. .B parm will be one of "network", "netmask", "gateway", or "metric". .B n is the OpenVPN route number, starting from 1. If the network or gateway are resolvable DNS names, their IP address translations will be recorded rather than their names as denoted on the command line or configuration file. .\"********************************************************* .TP .B route_ipv6_{parm}_{n} A set of variables which define each IPv6 route to be added, and are set prior to .B \-\-up script execution. .B parm will be one of "network" or "gateway" ("netmask" is contained as "/nnn" in the route_ipv6_network_{n}, unlike IPv4 where it is passed in a separate environment variable). .B n is the OpenVPN route number, starting from 1. If the network or gateway are resolvable DNS names, their IP address translations will be recorded rather than their names as denoted on the command line or configuration file. .\"********************************************************* .TP .B peer_cert Temporary file name containing the client certificate upon connection. Useful in conjunction with \-\-tls\-verify .\"********************************************************* .TP .B script_context Set to "init" or "restart" prior to up/down script execution. For more information, see documentation for .B \-\-up. .\"********************************************************* .TP .B script_type Prior to execution of any script, this variable is set to the type of script being run. It can be one of the following: .B up, down, ipchange, route\-up, tls\-verify, auth\-user\-pass\-verify, .B client\-connect, client\-disconnect, or .B learn\-address. Set prior to execution of any script. .\"********************************************************* .TP .B signal The reason for exit or restart. Can be one of .B sigusr1, sighup, sigterm, sigint, inactive (controlled by .B \-\-inactive option), .B ping\-exit (controlled by .B \-\-ping\-exit option), .B ping\-restart (controlled by .B \-\-ping\-restart option), .B connection\-reset (triggered on TCP connection reset), .B error, or .B unknown (unknown signal). This variable is set just prior to down script execution. .\"********************************************************* .TP .B time_ascii Client connection timestamp, formatted as a human\-readable time string. Set prior to execution of the .B \-\-client\-connect script. .\"********************************************************* .TP .B time_duration The duration (in seconds) of the client session which is now disconnecting. Set prior to execution of the .B \-\-client\-disconnect script. .\"********************************************************* .TP .B time_unix Client connection timestamp, formatted as a unix integer date/time value. Set prior to execution of the .B \-\-client\-connect script. .\"********************************************************* .TP .B tls_digest_{n} / tls_digest_sha256_{n} Contains the certificate SHA1 / SHA256 fingerprint, where .B n is the verification level. Only set for TLS connections. Set prior to execution of .B \-\-tls\-verify script. .\"********************************************************* .TP .B tls_id_{n} A series of certificate fields from the remote peer, where .B n is the verification level. Only set for TLS connections. Set prior to execution of .B \-\-tls\-verify script. .\"********************************************************* .TP .B tls_serial_{n} The serial number of the certificate from the remote peer, where .B n is the verification level. Only set for TLS connections. Set prior to execution of .B \-\-tls\-verify script. This is in the form of a decimal string like "933971680", which is suitable for doing serial\-based OCSP queries (with OpenSSL, do not prepend "0x" to the string) If something goes wrong while reading the value from the certificate it will be an empty string, so your code should check that. See the contrib/OCSP_check/OCSP_check.sh script for an example. .\"********************************************************* .TP .B tls_serial_hex_{n} Like .B tls_serial_{n}\fR, but in hex form (e.g. "12:34:56:78:9A"). .\"********************************************************* .TP .B tun_mtu The MTU of the TUN/TAP device. Set prior to .B \-\-up or .B \-\-down script execution. .\"********************************************************* .TP .B trusted_ip (or trusted_ip6) Actual IP address of connecting client or peer which has been authenticated. Set prior to execution of .B \-\-ipchange, \-\-client\-connect, and .B \-\-client\-disconnect scripts. If using ipv6 endpoints (udp6, tcp6), .B trusted_ip6 will be set instead. .\"********************************************************* .TP .B trusted_port Actual port number of connecting client or peer which has been authenticated. Set prior to execution of .B \-\-ipchange, \-\-client\-connect, and .B \-\-client\-disconnect scripts. .\"********************************************************* .TP .B untrusted_ip (or untrusted_ip6) Actual IP address of connecting client or peer which has not been authenticated yet. Sometimes used to .B nmap the connecting host in a .B \-\-tls\-verify script to ensure it is firewalled properly. Set prior to execution of .B \-\-tls\-verify and .B \-\-auth\-user\-pass\-verify scripts. If using ipv6 endpoints (udp6, tcp6), .B untrusted_ip6 will be set instead. .\"********************************************************* .TP .B untrusted_port Actual port number of connecting client or peer which has not been authenticated yet. Set prior to execution of .B \-\-tls\-verify and .B \-\-auth\-user\-pass\-verify scripts. .\"********************************************************* .TP .B username The username provided by a connecting client. Set prior to .B \-\-auth\-user\-pass\-verify script execution only when the .B via\-env modifier is specified. .\"********************************************************* .TP .B X509_{n}_{subject_field} An X509 subject field from the remote peer certificate, where .B n is the verification level. Only set for TLS connections. Set prior to execution of .B \-\-tls\-verify script. This variable is similar to .B tls_id_{n} except the component X509 subject fields are broken out, and no string remapping occurs on these field values (except for remapping of control characters to "_"). For example, the following variables would be set on the OpenVPN server using the sample client certificate in sample\-keys (client.crt). Note that the verification level is 0 for the client certificate and 1 for the CA certificate. .nf .ft 3 .in +4 X509_0_emailAddress=me@myhost.mydomain X509_0_CN=Test\-Client X509_0_O=OpenVPN\-TEST X509_0_ST=NA X509_0_C=KG X509_1_emailAddress=me@myhost.mydomain X509_1_O=OpenVPN\-TEST X509_1_L=BISHKEK X509_1_ST=NA X509_1_C=KG .in -4 .ft .fi .\"********************************************************* .SH INLINE FILE SUPPORT OpenVPN allows including files in the main configuration for the .B \-\-ca, \-\-cert, \-\-dh, \-\-extra\-certs, \-\-key, \-\-pkcs12, \-\-secret, .B \-\-crl\-verify, \-\-http\-proxy\-user\-pass, \-\-tls\-auth and .B \-\-tls\-crypt options. Each inline file started by the line .B Here is an example of an inline file usage .nf .ft 3 .in +4 \-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\- [...] \-\-\-\-\-END CERTIFICATE\-\-\-\-\- .in -4 .ft .fi When using the inline file feature with .B \-\-pkcs12 the inline file has to be base64 encoded. Encoding of a .p12 file into base64 can be done for example with OpenSSL by running .B openssl base64 \-in input.p12 .SH SIGNALS .TP .B SIGHUP Cause OpenVPN to close all TUN/TAP and network connections, restart, re\-read the configuration file (if any), and reopen TUN/TAP and network connections. .\"********************************************************* .TP .B SIGUSR1 Like .B SIGHUP, except don't re\-read configuration file, and possibly don't close and reopen TUN/TAP device, re\-read key files, preserve local IP address/port, or preserve most recently authenticated remote IP address/port based on .B \-\-persist\-tun, \-\-persist\-key, \-\-persist\-local\-ip, and .B \-\-persist\-remote\-ip options respectively (see above). This signal may also be internally generated by a timeout condition, governed by the .B \-\-ping\-restart option. This signal, when combined with .B \-\-persist\-remote\-ip, may be sent when the underlying parameters of the host's network interface change such as when the host is a DHCP client and is assigned a new IP address. See .B \-\-ipchange above for more information. .\"********************************************************* .TP .B SIGUSR2 Causes OpenVPN to display its current statistics (to the syslog file if .B \-\-daemon is used, or stdout otherwise). .\"********************************************************* .TP .B SIGINT, SIGTERM Causes OpenVPN to exit gracefully. .\"********************************************************* .SH TUN/TAP DRIVER SETUP If you are running Linux 2.4.7 or higher, you probably have the TUN/TAP driver already installed. If so, there are still a few things you need to do: Make device: .B mknod /dev/net/tun c 10 200 Load driver: .B modprobe tun .\"********************************************************* .SH EXAMPLES Prior to running these examples, you should have OpenVPN installed on two machines with network connectivity between them. If you have not yet installed OpenVPN, consult the INSTALL file included in the OpenVPN distribution. .\"********************************************************* .SS TUN/TAP Setup: If you are using Linux 2.4 or higher, make the tun device node and load the tun module: .IP .B mknod /dev/net/tun c 10 200 .LP .IP .B modprobe tun .LP If you installed from RPM, the .B mknod step may be omitted, because the RPM install does that for you. Only Linux 2.4 and newer are supported. For other platforms, consult the INSTALL file at .I http://openvpn.net/install.html for more information. .\"********************************************************* .SS Firewall Setup: If firewalls exist between the two machines, they should be set to forward UDP port 1194 in both directions. If you do not have control over the firewalls between the two machines, you may still be able to use OpenVPN by adding .B \-\-ping 15 to each of the .B openvpn commands used below in the examples (this will cause each peer to send out a UDP ping to its remote peer once every 15 seconds which will cause many stateful firewalls to forward packets in both directions without an explicit firewall rule). If you are using a Linux iptables\-based firewall, you may need to enter the following command to allow incoming packets on the TUN device: .IP .B iptables \-A INPUT \-i tun+ \-j ACCEPT .LP See the firewalls section below for more information on configuring firewalls for use with OpenVPN. .\"********************************************************* .SS VPN Address Setup: For purposes of our example, our two machines will be called .B bob.example.com and .B alice.example.com. If you are constructing a VPN over the internet, then replace .B bob.example.com and .B alice.example.com with the internet hostname or IP address that each machine will use to contact the other over the internet. Now we will choose the tunnel endpoints. Tunnel endpoints are private IP addresses that only have meaning in the context of the VPN. Each machine will use the tunnel endpoint of the other machine to access it over the VPN. In our example, the tunnel endpoint for bob.example.com will be 10.4.0.1 and for alice.example.com, 10.4.0.2. Once the VPN is established, you have essentially created a secure alternate path between the two hosts which is addressed by using the tunnel endpoints. You can control which network traffic passes between the hosts (a) over the VPN or (b) independently of the VPN, by choosing whether to use (a) the VPN endpoint address or (b) the public internet address, to access the remote host. For example if you are on bob.example.com and you wish to connect to alice.example.com via .B ssh without using the VPN (since .B ssh has its own built\-in security) you would use the command .B ssh alice.example.com. However in the same scenario, you could also use the command .B telnet 10.4.0.2 to create a telnet session with alice.example.com over the VPN, that would use the VPN to secure the session rather than .B ssh. You can use any address you wish for the tunnel endpoints but make sure that they are private addresses (such as those that begin with 10 or 192.168) and that they are not part of any existing subnet on the networks of either peer, unless you are bridging. If you use an address that is part of your local subnet for either of the tunnel endpoints, you will get a weird feedback loop. .\"********************************************************* .SS Example 1: A simple tunnel without security .LP On bob: .IP .B openvpn \-\-remote alice.example.com \-\-dev tun1 \-\-ifconfig 10.4.0.1 10.4.0.2 \-\-verb 9 .LP On alice: .IP .B openvpn \-\-remote bob.example.com \-\-dev tun1 \-\-ifconfig 10.4.0.2 10.4.0.1 \-\-verb 9 .LP Now verify the tunnel is working by pinging across the tunnel. .LP On bob: .IP .B ping 10.4.0.2 .LP On alice: .IP .B ping 10.4.0.1 .LP The .B \-\-verb 9 option will produce verbose output, similar to the .BR tcpdump (8) program. Omit the .B \-\-verb 9 option to have OpenVPN run quietly. .\"********************************************************* .SS Example 2: A tunnel with static\-key security (i.e. using a pre\-shared secret) First build a static key on bob. .IP .B openvpn \-\-genkey \-\-secret key .LP This command will build a random key file called .B key (in ascii format). Now copy .B key to alice over a secure medium such as by using the .BR scp (1) program. .LP On bob: .IP .B openvpn \-\-remote alice.example.com \-\-dev tun1 \-\-ifconfig 10.4.0.1 10.4.0.2 \-\-verb 5 \-\-secret key .LP On alice: .IP .B openvpn \-\-remote bob.example.com \-\-dev tun1 \-\-ifconfig 10.4.0.2 10.4.0.1 \-\-verb 5 \-\-secret key .LP Now verify the tunnel is working by pinging across the tunnel. .LP On bob: .IP .B ping 10.4.0.2 .LP On alice: .IP .B ping 10.4.0.1 .\"********************************************************* .SS Example 3: A tunnel with full TLS\-based security For this test, we will designate .B bob as the TLS client and .B alice as the TLS server. .I Note that client or server designation only has meaning for the TLS subsystem. It has no bearing on OpenVPN's peer\-to\-peer, UDP\-based communication model. First, build a separate certificate/key pair for both bob and alice (see above where .B \-\-cert is discussed for more info). Then construct Diffie Hellman parameters (see above where .B \-\-dh is discussed for more info). You can also use the included test files client.crt, client.key, server.crt, server.key and ca.crt. The .crt files are certificates/public\-keys, the .key files are private keys, and ca.crt is a certification authority who has signed both client.crt and server.crt. For Diffie Hellman parameters you can use the included file dh1024.pem. .I Note that all client, server, and certificate authority certificates and keys included in the OpenVPN distribution are totally insecure and should be used for testing only. .LP On bob: .IP .B openvpn \-\-remote alice.example.com \-\-dev tun1 \-\-ifconfig 10.4.0.1 10.4.0.2 \-\-tls\-client \-\-ca ca.crt \-\-cert client.crt \-\-key client.key \-\-reneg\-sec 60 \-\-verb 5 .LP On alice: .IP .B openvpn \-\-remote bob.example.com \-\-dev tun1 \-\-ifconfig 10.4.0.2 10.4.0.1 \-\-tls\-server \-\-dh dh1024.pem \-\-ca ca.crt \-\-cert server.crt \-\-key server.key \-\-reneg\-sec 60 \-\-verb 5 .LP Now verify the tunnel is working by pinging across the tunnel. .LP On bob: .IP .B ping 10.4.0.2 .LP On alice: .IP .B ping 10.4.0.1 .LP Notice the .B \-\-reneg\-sec 60 option we used above. That tells OpenVPN to renegotiate the data channel keys every minute. Since we used .B \-\-verb 5 above, you will see status information on each new key negotiation. For production operations, a key renegotiation interval of 60 seconds is probably too frequent. Omit the .B \-\-reneg\-sec 60 option to use OpenVPN's default key renegotiation interval of one hour. .\"********************************************************* .SS Routing: Assuming you can ping across the tunnel, the next step is to route a real subnet over the secure tunnel. Suppose that bob and alice have two network interfaces each, one connected to the internet, and the other to a private network. Our goal is to securely connect both private networks. We will assume that bob's private subnet is 10.0.0.0/24 and alice's is 10.0.1.0/24. .LP First, ensure that IP forwarding is enabled on both peers. On Linux, enable routing: .IP .B echo 1 > /proc/sys/net/ipv4/ip_forward .LP and enable TUN packet forwarding through the firewall: .IP .B iptables \-A FORWARD \-i tun+ \-j ACCEPT .LP On bob: .IP .B route add \-net 10.0.1.0 netmask 255.255.255.0 gw 10.4.0.2 .LP On alice: .IP .B route add \-net 10.0.0.0 netmask 255.255.255.0 gw 10.4.0.1 .LP Now any machine on the 10.0.0.0/24 subnet can access any machine on the 10.0.1.0/24 subnet over the secure tunnel (or vice versa). In a production environment, you could put the route command(s) in a script and execute with the .B \-\-up option. .\"********************************************************* .SH FIREWALLS OpenVPN's usage of a single UDP port makes it fairly firewall\-friendly. You should add an entry to your firewall rules to allow incoming OpenVPN packets. On Linux 2.4+: .IP .B iptables \-A INPUT \-p udp \-s 1.2.3.4 \-\-dport 1194 \-j ACCEPT .LP This will allow incoming packets on UDP port 1194 (OpenVPN's default UDP port) from an OpenVPN peer at 1.2.3.4. If you are using HMAC\-based packet authentication (the default in any of OpenVPN's secure modes), having the firewall filter on source address can be considered optional, since HMAC packet authentication is a much more secure method of verifying the authenticity of a packet source. In that case: .IP .B iptables \-A INPUT \-p udp \-\-dport 1194 \-j ACCEPT .LP would be adequate and would not render the host inflexible with respect to its peer having a dynamic IP address. OpenVPN also works well on stateful firewalls. In some cases, you may not need to add any static rules to the firewall list if you are using a stateful firewall that knows how to track UDP connections. If you specify .B \-\-ping n, OpenVPN will be guaranteed to send a packet to its peer at least once every .B n seconds. If .B n is less than the stateful firewall connection timeout, you can maintain an OpenVPN connection indefinitely without explicit firewall rules. You should also add firewall rules to allow incoming IP traffic on TUN or TAP devices such as: .IP .B iptables \-A INPUT \-i tun+ \-j ACCEPT .LP to allow input packets from tun devices, .IP .B iptables \-A FORWARD \-i tun+ \-j ACCEPT .LP to allow input packets from tun devices to be forwarded to other hosts on the local network, .IP .B iptables \-A INPUT \-i tap+ \-j ACCEPT .LP to allow input packets from tap devices, and .IP .B iptables \-A FORWARD \-i tap+ \-j ACCEPT .LP to allow input packets from tap devices to be forwarded to other hosts on the local network. These rules are secure if you use packet authentication, since no incoming packets will arrive on a TUN or TAP virtual device unless they first pass an HMAC authentication test. .\"********************************************************* .SH FAQ .I http://openvpn.net/faq.html .\"********************************************************* .SH HOWTO For a more comprehensive guide to setting up OpenVPN in a production setting, see the OpenVPN HOWTO at .I http://openvpn.net/howto.html .\"********************************************************* .SH PROTOCOL For a description of OpenVPN's underlying protocol, see .I http://openvpn.net/security.html .\"********************************************************* .SH WEB OpenVPN's web site is at .I http://openvpn.net/ Go here to download the latest version of OpenVPN, subscribe to the mailing lists, read the mailing list archives, or browse the SVN repository. .\"********************************************************* .SH BUGS Report all bugs to the OpenVPN team . .\"********************************************************* .SH "SEE ALSO" .BR dhcpcd (8), .BR ifconfig (8), .BR openssl (1), .BR route (8), .BR scp (1) .BR ssh (1) .\"********************************************************* .SH NOTES .LP This product includes software developed by the OpenSSL Project ( .I http://www.openssl.org/ ) For more information on the TLS protocol, see .I http://www.ietf.org/rfc/rfc2246.txt For more information on the LZO real\-time compression library see .I http://www.oberhumer.com/opensource/lzo/ .\"********************************************************* .SH COPYRIGHT Copyright (C) 2002\-2017 OpenVPN Technologies, Inc. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License version 2 as published by the Free Software Foundation. .\"********************************************************* .SH AUTHORS James Yonan openvpn-2.4.4/include/000077500000000000000000000000001316434344000146335ustar00rootroot00000000000000openvpn-2.4.4/include/Makefile.am000066400000000000000000000010601316434344000166640ustar00rootroot00000000000000# # OpenVPN -- An application to securely tunnel IP networks # over a single UDP port, with support for SSL/TLS-based # session authentication and key exchange, # packet encryption, packet authentication, and # packet compression. # # Copyright (C) 2002-2017 OpenVPN Technologies, Inc. # Copyright (C) 2006-2012 Alon Bar-Lev # MAINTAINERCLEANFILES = \ $(srcdir)/Makefile.in \ $(srcdir)/openvpn-plugin.h.in include_HEADERS = \ openvpn-plugin.h \ openvpn-msg.h openvpn-2.4.4/include/Makefile.in000066400000000000000000000460221316434344000167040ustar00rootroot00000000000000# Makefile.in generated by automake 1.14.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2013 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY, to the extent permitted by law; without # even the implied warranty of MERCHANTABILITY or FITNESS FOR A # PARTICULAR PURPOSE. @SET_MAKE@ # # OpenVPN -- An application to securely tunnel IP networks # over a single UDP port, with support for SSL/TLS-based # session authentication and key exchange, # packet encryption, packet authentication, and # packet compression. # # Copyright (C) 2002-2017 OpenVPN Technologies, Inc. # Copyright (C) 2006-2012 Alon Bar-Lev # VPATH = @srcdir@ am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ *) echo "am__make_running_with_option: internal error: invalid" \ "target option '$${target_option-}' specified" >&2; \ exit 1;; \ esac; \ has_opt=no; \ sane_makeflags=$$MAKEFLAGS; \ if $(am__is_gnu_make); then \ sane_makeflags=$$MFLAGS; \ else \ case $$MAKEFLAGS in \ *\\[\ \ ]*) \ bs=\\; \ sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ esac; \ fi; \ skip_next=no; \ strip_trailopt () \ { \ flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ }; \ for flg in $$sane_makeflags; do \ test $$skip_next = yes && { skip_next=no; continue; }; \ case $$flg in \ *=*|--*) continue;; \ -*I) strip_trailopt 'I'; skip_next=yes;; \ -*I?*) strip_trailopt 'I';; \ -*O) strip_trailopt 'O'; skip_next=yes;; \ -*O?*) strip_trailopt 'O';; \ -*l) strip_trailopt 'l'; skip_next=yes;; \ -*l?*) strip_trailopt 'l';; \ -[dEDm]) skip_next=yes;; \ -[JT]) skip_next=yes;; \ esac; \ case $$flg in \ *$$target_option*) has_opt=yes; break;; \ esac; \ done; \ test $$has_opt = yes am__make_dryrun = (target_option=n; $(am__make_running_with_option)) am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) pkgdatadir = $(datadir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ pkglibdir = $(libdir)/@PACKAGE@ pkglibexecdir = $(libexecdir)/@PACKAGE@ am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c install_sh_SCRIPT = $(install_sh) -c INSTALL_HEADER = $(INSTALL_DATA) transform = $(program_transform_name) NORMAL_INSTALL = : PRE_INSTALL = : POST_INSTALL = : NORMAL_UNINSTALL = : PRE_UNINSTALL = : POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = include DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ $(srcdir)/openvpn-plugin.h.in $(include_HEADERS) ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/ax_emptyarray.m4 \ $(top_srcdir)/m4/ax_socklen_t.m4 \ $(top_srcdir)/m4/ax_varargs.m4 $(top_srcdir)/m4/libtool.m4 \ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ $(top_srcdir)/m4/pkg.m4 $(top_srcdir)/version.m4 \ $(top_srcdir)/compat.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h openvpn-plugin.h CONFIG_CLEAN_FILES = CONFIG_CLEAN_VPATH_FILES = AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false am__v_P_1 = : AM_V_GEN = $(am__v_GEN_@AM_V@) am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) am__v_GEN_0 = @echo " GEN " $@; am__v_GEN_1 = AM_V_at = $(am__v_at_@AM_V@) am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) am__v_at_0 = @ am__v_at_1 = SOURCES = DIST_SOURCES = am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ *) (install-info --version) >/dev/null 2>&1;; \ esac am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; am__vpath_adj = case $$p in \ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ *) f=$$p;; \ esac; am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; am__install_max = 40 am__nobase_strip_setup = \ srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` am__nobase_strip = \ for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" am__nobase_list = $(am__nobase_strip_setup); \ for p in $$list; do echo "$$p $$p"; done | \ sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ if (++n[$$2] == $(am__install_max)) \ { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ END { for (dir in files) print dir, files[dir] }' am__base_list = \ sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' am__uninstall_files_from_dir = { \ test -z "$$files" \ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ $(am__cd) "$$dir" && rm -f $$files; }; \ } am__installdirs = "$(DESTDIR)$(includedir)" HEADERS = $(include_HEADERS) am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) \ $(LISP)openvpn-plugin.h.in # Read a list of newline-separated strings from the standard input, # and print each of them once, without duplicates. Input order is # *not* preserved. am__uniquify_input = $(AWK) '\ BEGIN { nonempty = 0; } \ { items[$$0] = 1; nonempty = 1; } \ END { if (nonempty) { for (i in items) print i; }; } \ ' # Make sure the list of sources is unique. This is necessary because, # e.g., the same source file might be shared among _SOURCES variables # for different programs/libraries. am__define_uniq_tagged_files = \ list='$(am__tagged_files)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ AS = @AS@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ CMAKE = @CMAKE@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ DL_LIBS = @DL_LIBS@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ GIT = @GIT@ GREP = @GREP@ IFCONFIG = @IFCONFIG@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ IPROUTE = @IPROUTE@ LD = @LD@ LDFLAGS = @LDFLAGS@ LIBOBJS = @LIBOBJS@ LIBPAM_CFLAGS = @LIBPAM_CFLAGS@ LIBPAM_LIBS = @LIBPAM_LIBS@ LIBS = @LIBS@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ LZ4_CFLAGS = @LZ4_CFLAGS@ LZ4_LIBS = @LZ4_LIBS@ LZO_CFLAGS = @LZO_CFLAGS@ LZO_LIBS = @LZO_LIBS@ MAKEINFO = @MAKEINFO@ MAN2HTML = @MAN2HTML@ MANIFEST_TOOL = @MANIFEST_TOOL@ MBEDTLS_CFLAGS = @MBEDTLS_CFLAGS@ MBEDTLS_LIBS = @MBEDTLS_LIBS@ MKDIR_P = @MKDIR_P@ NETSTAT = @NETSTAT@ NM = @NM@ NMEDIT = @NMEDIT@ OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ OPENSSL_CFLAGS = @OPENSSL_CFLAGS@ OPENSSL_LIBS = @OPENSSL_LIBS@ OPENVPN_VERSION_MAJOR = @OPENVPN_VERSION_MAJOR@ OPENVPN_VERSION_MINOR = @OPENVPN_VERSION_MINOR@ OPENVPN_VERSION_PATCH = @OPENVPN_VERSION_PATCH@ OPTIONAL_CRYPTO_CFLAGS = @OPTIONAL_CRYPTO_CFLAGS@ OPTIONAL_CRYPTO_LIBS = @OPTIONAL_CRYPTO_LIBS@ OPTIONAL_DL_LIBS = @OPTIONAL_DL_LIBS@ OPTIONAL_LZ4_CFLAGS = @OPTIONAL_LZ4_CFLAGS@ OPTIONAL_LZ4_LIBS = @OPTIONAL_LZ4_LIBS@ OPTIONAL_LZO_CFLAGS = @OPTIONAL_LZO_CFLAGS@ OPTIONAL_LZO_LIBS = @OPTIONAL_LZO_LIBS@ OPTIONAL_PKCS11_HELPER_CFLAGS = @OPTIONAL_PKCS11_HELPER_CFLAGS@ OPTIONAL_PKCS11_HELPER_LIBS = @OPTIONAL_PKCS11_HELPER_LIBS@ OPTIONAL_SELINUX_LIBS = @OPTIONAL_SELINUX_LIBS@ OPTIONAL_SYSTEMD_LIBS = @OPTIONAL_SYSTEMD_LIBS@ OTOOL = @OTOOL@ OTOOL64 = @OTOOL64@ P11KIT_CFLAGS = @P11KIT_CFLAGS@ P11KIT_LIBS = @P11KIT_LIBS@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PKCS11_HELPER_CFLAGS = @PKCS11_HELPER_CFLAGS@ PKCS11_HELPER_LIBS = @PKCS11_HELPER_LIBS@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGINDIR = @PLUGINDIR@ PLUGIN_AUTH_PAM_CFLAGS = @PLUGIN_AUTH_PAM_CFLAGS@ PLUGIN_AUTH_PAM_LIBS = @PLUGIN_AUTH_PAM_LIBS@ RANLIB = @RANLIB@ RC = @RC@ ROUTE = @ROUTE@ SED = @SED@ SELINUX_LIBS = @SELINUX_LIBS@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ SOCKETS_LIBS = @SOCKETS_LIBS@ STRIP = @STRIP@ SYSTEMD_ASK_PASSWORD = @SYSTEMD_ASK_PASSWORD@ SYSTEMD_UNIT_DIR = @SYSTEMD_UNIT_DIR@ TAP_CFLAGS = @TAP_CFLAGS@ TAP_WIN_COMPONENT_ID = @TAP_WIN_COMPONENT_ID@ TAP_WIN_MIN_MAJOR = @TAP_WIN_MIN_MAJOR@ TAP_WIN_MIN_MINOR = @TAP_WIN_MIN_MINOR@ TEST_CFLAGS = @TEST_CFLAGS@ TEST_LDFLAGS = @TEST_LDFLAGS@ TMPFILES_DIR = @TMPFILES_DIR@ VENDOR_BUILD_ROOT = @VENDOR_BUILD_ROOT@ VENDOR_DIST_ROOT = @VENDOR_DIST_ROOT@ VENDOR_SRC_ROOT = @VENDOR_SRC_ROOT@ VERSION = @VERSION@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ ac_ct_AR = @ac_ct_AR@ ac_ct_CC = @ac_ct_CC@ ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ am__include = @am__include@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ am__tar = @am__tar@ am__untar = @am__untar@ bindir = @bindir@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ datadir = @datadir@ datarootdir = @datarootdir@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ host_os = @host_os@ host_vendor = @host_vendor@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ libdir = @libdir@ libexecdir = @libexecdir@ libsystemd_CFLAGS = @libsystemd_CFLAGS@ libsystemd_LIBS = @libsystemd_LIBS@ localedir = @localedir@ localstatedir = @localstatedir@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ pdfdir = @pdfdir@ plugindir = @plugindir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ sampledir = @sampledir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ systemdunitdir = @systemdunitdir@ target_alias = @target_alias@ tmpfilesdir = @tmpfilesdir@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ MAINTAINERCLEANFILES = \ $(srcdir)/Makefile.in \ $(srcdir)/openvpn-plugin.h.in include_HEADERS = \ openvpn-plugin.h \ openvpn-msg.h all: openvpn-plugin.h $(MAKE) $(AM_MAKEFLAGS) all-am .SUFFIXES: $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) @for dep in $?; do \ case '$(am__configure_deps)' in \ *$$dep*) \ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ && { if test -f $@; then exit 0; else break; fi; }; \ exit 1;; \ esac; \ done; \ echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign include/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --foreign include/Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ *) \ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(top_srcdir)/configure: $(am__configure_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(ACLOCAL_M4): $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(am__aclocal_m4_deps): openvpn-plugin.h: stamp-h2 @test -f $@ || rm -f stamp-h2 @test -f $@ || $(MAKE) $(AM_MAKEFLAGS) stamp-h2 stamp-h2: $(srcdir)/openvpn-plugin.h.in $(top_builddir)/config.status @rm -f stamp-h2 cd $(top_builddir) && $(SHELL) ./config.status include/openvpn-plugin.h distclean-hdr: -rm -f openvpn-plugin.h stamp-h2 mostlyclean-libtool: -rm -f *.lo clean-libtool: -rm -rf .libs _libs install-includeHEADERS: $(include_HEADERS) @$(NORMAL_INSTALL) @list='$(include_HEADERS)'; test -n "$(includedir)" || list=; \ if test -n "$$list"; then \ echo " $(MKDIR_P) '$(DESTDIR)$(includedir)'"; \ $(MKDIR_P) "$(DESTDIR)$(includedir)" || exit 1; \ fi; \ for p in $$list; do \ if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ echo "$$d$$p"; \ done | $(am__base_list) | \ while read files; do \ echo " $(INSTALL_HEADER) $$files '$(DESTDIR)$(includedir)'"; \ $(INSTALL_HEADER) $$files "$(DESTDIR)$(includedir)" || exit $$?; \ done uninstall-includeHEADERS: @$(NORMAL_UNINSTALL) @list='$(include_HEADERS)'; test -n "$(includedir)" || list=; \ files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ dir='$(DESTDIR)$(includedir)'; $(am__uninstall_files_from_dir) ID: $(am__tagged_files) $(am__define_uniq_tagged_files); mkid -fID $$unique tags: tags-am TAGS: tags tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) set x; \ here=`pwd`; \ $(am__define_uniq_tagged_files); \ shift; \ if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ test -n "$$unique" || unique=$$empty_fix; \ if test $$# -gt 0; then \ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ "$$@" $$unique; \ else \ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ $$unique; \ fi; \ fi ctags: ctags-am CTAGS: ctags ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) $(am__define_uniq_tagged_files); \ test -z "$(CTAGS_ARGS)$$unique" \ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ $$unique GTAGS: here=`$(am__cd) $(top_builddir) && pwd` \ && $(am__cd) $(top_srcdir) \ && gtags -i $(GTAGS_ARGS) "$$here" cscopelist: cscopelist-am cscopelist-am: $(am__tagged_files) list='$(am__tagged_files)'; \ case "$(srcdir)" in \ [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \ *) sdir=$(subdir)/$(srcdir) ;; \ esac; \ for i in $$list; do \ if test -f "$$i"; then \ echo "$(subdir)/$$i"; \ else \ echo "$$sdir/$$i"; \ fi; \ done >> $(top_builddir)/cscope.files distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags distdir: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ dist_files=`for file in $$list; do echo $$file; done | \ sed -e "s|^$$srcdirstrip/||;t" \ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ case $$dist_files in \ */*) $(MKDIR_P) `echo "$$dist_files" | \ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ sort -u` ;; \ esac; \ for file in $$dist_files; do \ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ if test -d $$d/$$file; then \ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ if test -d "$(distdir)/$$file"; then \ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ else \ test -f "$(distdir)/$$file" \ || cp -p $$d/$$file "$(distdir)/$$file" \ || exit 1; \ fi; \ done check-am: all-am check: check-am all-am: Makefile $(HEADERS) openvpn-plugin.h installdirs: for dir in "$(DESTDIR)$(includedir)"; do \ test -z "$$dir" || $(MKDIR_P) "$$dir"; \ done install: install-am install-exec: install-exec-am install-data: install-data-am uninstall: uninstall-am install-am: all-am @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am installcheck: installcheck-am install-strip: if test -z '$(STRIP)'; then \ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ install; \ else \ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ fi mostlyclean-generic: clean-generic: distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @echo "it deletes files that may require special tools to rebuild." -test -z "$(MAINTAINERCLEANFILES)" || rm -f $(MAINTAINERCLEANFILES) clean: clean-am clean-am: clean-generic clean-libtool mostlyclean-am distclean: distclean-am -rm -f Makefile distclean-am: clean-am distclean-generic distclean-hdr distclean-tags dvi: dvi-am dvi-am: html: html-am html-am: info: info-am info-am: install-data-am: install-includeHEADERS install-dvi: install-dvi-am install-dvi-am: install-exec-am: install-html: install-html-am install-html-am: install-info: install-info-am install-info-am: install-man: install-pdf: install-pdf-am install-pdf-am: install-ps: install-ps-am install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-am -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic mostlyclean: mostlyclean-am mostlyclean-am: mostlyclean-generic mostlyclean-libtool pdf: pdf-am pdf-am: ps: ps-am ps-am: uninstall-am: uninstall-includeHEADERS .MAKE: all install-am install-strip .PHONY: CTAGS GTAGS TAGS all all-am check check-am clean clean-generic \ clean-libtool cscopelist-am ctags ctags-am distclean \ distclean-generic distclean-hdr distclean-libtool \ distclean-tags distdir dvi dvi-am html html-am info info-am \ install install-am install-data install-data-am install-dvi \ install-dvi-am install-exec install-exec-am install-html \ install-html-am install-includeHEADERS install-info \ install-info-am install-man install-pdf install-pdf-am \ install-ps install-ps-am install-strip installcheck \ installcheck-am installdirs maintainer-clean \ maintainer-clean-generic mostlyclean mostlyclean-generic \ mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ uninstall-am uninstall-includeHEADERS # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: openvpn-2.4.4/include/openvpn-msg.h000066400000000000000000000053351316434344000172630ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2013-2017 Heiko Hund * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifndef OPENVPN_MSG_H_ #define OPENVPN_MSG_H_ typedef enum { msg_acknowledgement, msg_add_address, msg_del_address, msg_add_route, msg_del_route, msg_add_dns_cfg, msg_del_dns_cfg, msg_add_nbt_cfg, msg_del_nbt_cfg, msg_flush_neighbors, msg_add_block_dns, msg_del_block_dns, msg_register_dns } message_type_t; typedef struct { message_type_t type; size_t size; int message_id; } message_header_t; typedef union { struct in_addr ipv4; struct in6_addr ipv6; } inet_address_t; typedef struct { int index; char name[256]; } interface_t; typedef struct { message_header_t header; short family; inet_address_t address; int prefix_len; interface_t iface; } address_message_t; typedef struct { message_header_t header; short family; inet_address_t prefix; int prefix_len; inet_address_t gateway; interface_t iface; int metric; } route_message_t; typedef struct { message_header_t header; interface_t iface; char domains[512]; short family; int addr_len; inet_address_t addr[4]; /* support up to 4 dns addresses */ } dns_cfg_message_t; typedef struct { message_header_t header; interface_t iface; int disable_nbt; int nbt_type; char scope_id[256]; struct in_addr primary_nbns; struct in_addr secondary_nbns; } nbt_cfg_message_t; /* TODO: NTP */ typedef struct { message_header_t header; short family; interface_t iface; } flush_neighbors_message_t; typedef struct { message_header_t header; int error_number; } ack_message_t; typedef struct { message_header_t header; interface_t iface; } block_dns_message_t; #endif /* ifndef OPENVPN_MSG_H_ */ openvpn-2.4.4/include/openvpn-plugin.h000066400000000000000000000712731316434344000177770ustar00rootroot00000000000000/* include/openvpn-plugin.h. Generated from openvpn-plugin.h.in by configure. */ /* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifndef OPENVPN_PLUGIN_H_ #define OPENVPN_PLUGIN_H_ #define OPENVPN_PLUGIN_VERSION 3 #ifdef ENABLE_CRYPTO #ifdef ENABLE_CRYPTO_MBEDTLS #include #ifndef __OPENVPN_X509_CERT_T_DECLARED #define __OPENVPN_X509_CERT_T_DECLARED typedef mbedtls_x509_crt openvpn_x509_cert_t; #endif #else /* ifdef ENABLE_CRYPTO_MBEDTLS */ #include #ifndef __OPENVPN_X509_CERT_T_DECLARED #define __OPENVPN_X509_CERT_T_DECLARED typedef X509 openvpn_x509_cert_t; #endif #endif #endif #include #include #ifdef __cplusplus extern "C" { #endif /* Provide some basic version information to plug-ins at OpenVPN compile time * This is will not be the complete version */ #define OPENVPN_VERSION_MAJOR 2 #define OPENVPN_VERSION_MINOR 4 #define OPENVPN_VERSION_PATCH ".4" /* * Plug-in types. These types correspond to the set of script callbacks * supported by OpenVPN. * * This is the general call sequence to expect when running in server mode: * * Initial Server Startup: * * FUNC: openvpn_plugin_open_v1 * FUNC: openvpn_plugin_client_constructor_v1 (this is the top-level "generic" * client template) * FUNC: openvpn_plugin_func_v1 OPENVPN_PLUGIN_UP * FUNC: openvpn_plugin_func_v1 OPENVPN_PLUGIN_ROUTE_UP * * New Client Connection: * * FUNC: openvpn_plugin_client_constructor_v1 * FUNC: openvpn_plugin_func_v1 OPENVPN_PLUGIN_ENABLE_PF * FUNC: openvpn_plugin_func_v1 OPENVPN_PLUGIN_TLS_VERIFY (called once for every cert * in the server chain) * FUNC: openvpn_plugin_func_v1 OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY * FUNC: openvpn_plugin_func_v1 OPENVPN_PLUGIN_TLS_FINAL * FUNC: openvpn_plugin_func_v1 OPENVPN_PLUGIN_IPCHANGE * * [If OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY returned OPENVPN_PLUGIN_FUNC_DEFERRED, * we don't proceed until authentication is verified via auth_control_file] * * FUNC: openvpn_plugin_func_v1 OPENVPN_PLUGIN_CLIENT_CONNECT_V2 * FUNC: openvpn_plugin_func_v1 OPENVPN_PLUGIN_LEARN_ADDRESS * * [Client session ensues] * * For each "TLS soft reset", according to reneg-sec option (or similar): * * FUNC: openvpn_plugin_func_v1 OPENVPN_PLUGIN_ENABLE_PF * * FUNC: openvpn_plugin_func_v1 OPENVPN_PLUGIN_TLS_VERIFY (called once for every cert * in the server chain) * FUNC: openvpn_plugin_func_v1 OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY * FUNC: openvpn_plugin_func_v1 OPENVPN_PLUGIN_TLS_FINAL * * [If OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY returned OPENVPN_PLUGIN_FUNC_DEFERRED, * we expect that authentication is verified via auth_control_file within * the number of seconds defined by the "hand-window" option. Data channel traffic * will continue to flow uninterrupted during this period.] * * [Client session continues] * * FUNC: openvpn_plugin_func_v1 OPENVPN_PLUGIN_CLIENT_DISCONNECT * FUNC: openvpn_plugin_client_destructor_v1 * * [ some time may pass ] * * FUNC: openvpn_plugin_func_v1 OPENVPN_PLUGIN_LEARN_ADDRESS (this coincides with a * lazy free of initial * learned addr object) * Server Shutdown: * * FUNC: openvpn_plugin_func_v1 OPENVPN_PLUGIN_DOWN * FUNC: openvpn_plugin_client_destructor_v1 (top-level "generic" client) * FUNC: openvpn_plugin_close_v1 */ #define OPENVPN_PLUGIN_UP 0 #define OPENVPN_PLUGIN_DOWN 1 #define OPENVPN_PLUGIN_ROUTE_UP 2 #define OPENVPN_PLUGIN_IPCHANGE 3 #define OPENVPN_PLUGIN_TLS_VERIFY 4 #define OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY 5 #define OPENVPN_PLUGIN_CLIENT_CONNECT 6 #define OPENVPN_PLUGIN_CLIENT_DISCONNECT 7 #define OPENVPN_PLUGIN_LEARN_ADDRESS 8 #define OPENVPN_PLUGIN_CLIENT_CONNECT_V2 9 #define OPENVPN_PLUGIN_TLS_FINAL 10 #define OPENVPN_PLUGIN_ENABLE_PF 11 #define OPENVPN_PLUGIN_ROUTE_PREDOWN 12 #define OPENVPN_PLUGIN_N 13 /* * Build a mask out of a set of plug-in types. */ #define OPENVPN_PLUGIN_MASK(x) (1<<(x)) /* * A pointer to a plugin-defined object which contains * the object state. */ typedef void *openvpn_plugin_handle_t; /* * Return value for openvpn_plugin_func_v1 function */ #define OPENVPN_PLUGIN_FUNC_SUCCESS 0 #define OPENVPN_PLUGIN_FUNC_ERROR 1 #define OPENVPN_PLUGIN_FUNC_DEFERRED 2 /* * For Windows (needs to be modified for MSVC) */ #if defined(_WIN32) && !defined(OPENVPN_PLUGIN_H) #define OPENVPN_EXPORT __declspec(dllexport) #else #define OPENVPN_EXPORT #endif /* * If OPENVPN_PLUGIN_H is defined, we know that we are being * included in an OpenVPN compile, rather than a plugin compile. */ #ifdef OPENVPN_PLUGIN_H /* * We are compiling OpenVPN. */ #define OPENVPN_PLUGIN_DEF typedef #define OPENVPN_PLUGIN_FUNC(name) (*name) #else /* ifdef OPENVPN_PLUGIN_H */ /* * We are compiling plugin. */ #define OPENVPN_PLUGIN_DEF OPENVPN_EXPORT #define OPENVPN_PLUGIN_FUNC(name) name #endif /* * Used by openvpn_plugin_func to return structured * data. The plugin should allocate all structure * instances, name strings, and value strings with * malloc, since OpenVPN will assume that it * can free the list by calling free() over the same. */ struct openvpn_plugin_string_list { struct openvpn_plugin_string_list *next; char *name; char *value; }; /* openvpn_plugin_{open,func}_v3() related structs */ /** * Defines version of the v3 plugin argument structs * * Whenever one or more of these structs are modified, this constant * must be updated. A changelog should be appended in this comment * as well, to make it easier to see what information is available * in the different versions. * * Version Comment * 1 Initial plugin v3 structures providing the same API as * the v2 plugin interface, X509 certificate information + * a logging API for plug-ins. * * 2 Added ssl_api member in struct openvpn_plugin_args_open_in * which identifies the SSL implementation OpenVPN is compiled * against. * * 3 Added ovpn_version, ovpn_version_major, ovpn_version_minor * and ovpn_version_patch to provide the runtime version of * OpenVPN to plug-ins. * * 4 Exported secure_memzero() as plugin_secure_memzero() */ #define OPENVPN_PLUGINv3_STRUCTVER 4 /** * Definitions needed for the plug-in callback functions. */ typedef enum { PLOG_ERR = (1 << 0),/* Error condition message */ PLOG_WARN = (1 << 1),/* General warning message */ PLOG_NOTE = (1 << 2),/* Informational message */ PLOG_DEBUG = (1 << 3),/* Debug message, displayed if verb >= 7 */ PLOG_ERRNO = (1 << 8),/* Add error description to message */ PLOG_NOMUTE = (1 << 9), /* Mute setting does not apply for message */ } openvpn_plugin_log_flags_t; #ifdef __GNUC__ #if __USE_MINGW_ANSI_STDIO #define _ovpn_chk_fmt(a, b) __attribute__ ((format(gnu_printf, (a), (b)))) #else #define _ovpn_chk_fmt(a, b) __attribute__ ((format(__printf__, (a), (b)))) #endif #else /* ifdef __GNUC__ */ #define _ovpn_chk_fmt(a, b) #endif typedef void (*plugin_log_t)(openvpn_plugin_log_flags_t flags, const char *plugin_name, const char *format, ...) _ovpn_chk_fmt (3, 4); typedef void (*plugin_vlog_t)(openvpn_plugin_log_flags_t flags, const char *plugin_name, const char *format, va_list arglist) _ovpn_chk_fmt (3, 0); /* #undef _ovpn_chk_fmt */ /** * Export of secure_memzero() to be used inside plug-ins * * @param data Pointer to data to zeroise * @param len Length of data, in bytes * */ typedef void (*plugin_secure_memzero_t)(void *data, size_t len); /** * Used by the openvpn_plugin_open_v3() function to pass callback * function pointers to the plug-in. * * plugin_log * plugin_vlog : Use these functions to add information to the OpenVPN log file. * Messages will only be displayed if the plugin_name parameter * is set. PLOG_DEBUG messages will only be displayed with plug-in * debug log verbosity (at the time of writing that's verb >= 7). * * plugin_secure_memzero * : Use this function to securely wipe sensitive information from * memory. This function is declared in a way that the compiler * will not remove these function calls during the compiler * optimization phase. */ struct openvpn_plugin_callbacks { plugin_log_t plugin_log; plugin_vlog_t plugin_vlog; plugin_secure_memzero_t plugin_secure_memzero; }; /** * Used by the openvpn_plugin_open_v3() function to indicate to the * plug-in what kind of SSL implementation OpenVPN uses. This is * to avoid SEGV issues when OpenVPN is complied against mbed TLS * and the plug-in against OpenSSL. */ typedef enum { SSLAPI_NONE, SSLAPI_OPENSSL, SSLAPI_MBEDTLS } ovpnSSLAPI; /** * Arguments used to transport variables to the plug-in. * The struct openvpn_plugin_args_open_in is only used * by the openvpn_plugin_open_v3() function. * * STRUCT MEMBERS * * type_mask : Set by OpenVPN to the logical OR of all script * types which this version of OpenVPN supports. * * argv : a NULL-terminated array of options provided to the OpenVPN * "plug-in" directive. argv[0] is the dynamic library pathname. * * envp : a NULL-terminated array of OpenVPN-set environmental * variables in "name=value" format. Note that for security reasons, * these variables are not actually written to the "official" * environmental variable store of the process. * * callbacks : a pointer to the plug-in callback function struct. * */ struct openvpn_plugin_args_open_in { const int type_mask; const char **const argv; const char **const envp; struct openvpn_plugin_callbacks *callbacks; const ovpnSSLAPI ssl_api; const char *ovpn_version; const unsigned int ovpn_version_major; const unsigned int ovpn_version_minor; const char *const ovpn_version_patch; }; /** * Arguments used to transport variables from the plug-in back * to the OpenVPN process. The struct openvpn_plugin_args_open_return * is only used by the openvpn_plugin_open_v3() function. * * STRUCT MEMBERS * * type_mask : The plug-in should set this value to the logical OR of all script * types which the plug-in wants to intercept. For example, if the * script wants to intercept the client-connect and client-disconnect * script types: * * type_mask = OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_CLIENT_CONNECT) * | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_CLIENT_DISCONNECT) * * *handle : Pointer to a global plug-in context, created by the plug-in. This pointer * is passed on to the other plug-in calls. * * return_list : used to return data back to OpenVPN. * */ struct openvpn_plugin_args_open_return { int type_mask; openvpn_plugin_handle_t *handle; struct openvpn_plugin_string_list **return_list; }; /** * Arguments used to transport variables to and from the * plug-in. The struct openvpn_plugin_args_func is only used * by the openvpn_plugin_func_v3() function. * * STRUCT MEMBERS: * * type : one of the PLUGIN_x types. * * argv : a NULL-terminated array of "command line" options which * would normally be passed to the script. argv[0] is the dynamic * library pathname. * * envp : a NULL-terminated array of OpenVPN-set environmental * variables in "name=value" format. Note that for security reasons, * these variables are not actually written to the "official" * environmental variable store of the process. * * *handle : Pointer to a global plug-in context, created by the plug-in's openvpn_plugin_open_v3(). * * *per_client_context : the per-client context pointer which was returned by * openvpn_plugin_client_constructor_v1, if defined. * * current_cert_depth : Certificate depth of the certificate being passed over (only if compiled with ENABLE_CRYPTO defined) * * *current_cert : X509 Certificate object received from the client (only if compiled with ENABLE_CRYPTO defined) * */ struct openvpn_plugin_args_func_in { const int type; const char **const argv; const char **const envp; openvpn_plugin_handle_t handle; void *per_client_context; #ifdef ENABLE_CRYPTO int current_cert_depth; openvpn_x509_cert_t *current_cert; #else int __current_cert_depth_disabled; /* Unused, for compatibility purposes only */ void *__current_cert_disabled; /* Unused, for compatibility purposes only */ #endif }; /** * Arguments used to transport variables to and from the * plug-in. The struct openvpn_plugin_args_func is only used * by the openvpn_plugin_func_v3() function. * * STRUCT MEMBERS: * * return_list : used to return data back to OpenVPN for further processing/usage by * the OpenVPN executable. * */ struct openvpn_plugin_args_func_return { struct openvpn_plugin_string_list **return_list; }; /* * Multiple plugin modules can be cascaded, and modules can be * used in tandem with scripts. The order of operation is that * the module func() functions are called in the order that * the modules were specified in the config file. If a script * was specified as well, it will be called last. If the * return code of the module/script controls an authentication * function (such as tls-verify or auth-user-pass-verify), then * every module and script must return success (0) in order for * the connection to be authenticated. * * Notes: * * Plugins which use a privilege-separation model (by forking in * their initialization function before the main OpenVPN process * downgrades root privileges and/or executes a chroot) must * daemonize after a fork if the "daemon" environmental variable is * set. In addition, if the "daemon_log_redirect" variable is set, * the plugin should preserve stdout/stderr across the daemon() * syscall. See the daemonize() function in plugin/auth-pam/auth-pam.c * for an example. */ /* * Prototypes for functions which OpenVPN plug-ins must define. */ /* * FUNCTION: openvpn_plugin_open_v2 * * REQUIRED: YES * * Called on initial plug-in load. OpenVPN will preserve plug-in state * across SIGUSR1 restarts but not across SIGHUP restarts. A SIGHUP reset * will cause the plugin to be closed and reopened. * * ARGUMENTS * * *type_mask : Set by OpenVPN to the logical OR of all script * types which this version of OpenVPN supports. The plug-in * should set this value to the logical OR of all script types * which the plug-in wants to intercept. For example, if the * script wants to intercept the client-connect and * client-disconnect script types: * * *type_mask = OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_CLIENT_CONNECT) * | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_CLIENT_DISCONNECT) * * argv : a NULL-terminated array of options provided to the OpenVPN * "plug-in" directive. argv[0] is the dynamic library pathname. * * envp : a NULL-terminated array of OpenVPN-set environmental * variables in "name=value" format. Note that for security reasons, * these variables are not actually written to the "official" * environmental variable store of the process. * * return_list : used to return data back to OpenVPN. * * RETURN VALUE * * An openvpn_plugin_handle_t value on success, NULL on failure */ OPENVPN_PLUGIN_DEF openvpn_plugin_handle_t OPENVPN_PLUGIN_FUNC(openvpn_plugin_open_v2) (unsigned int *type_mask, const char *argv[], const char *envp[], struct openvpn_plugin_string_list **return_list); /* * FUNCTION: openvpn_plugin_func_v2 * * Called to perform the work of a given script type. * * REQUIRED: YES * * ARGUMENTS * * handle : the openvpn_plugin_handle_t value which was returned by * openvpn_plugin_open. * * type : one of the PLUGIN_x types * * argv : a NULL-terminated array of "command line" options which * would normally be passed to the script. argv[0] is the dynamic * library pathname. * * envp : a NULL-terminated array of OpenVPN-set environmental * variables in "name=value" format. Note that for security reasons, * these variables are not actually written to the "official" * environmental variable store of the process. * * per_client_context : the per-client context pointer which was returned by * openvpn_plugin_client_constructor_v1, if defined. * * return_list : used to return data back to OpenVPN. * * RETURN VALUE * * OPENVPN_PLUGIN_FUNC_SUCCESS on success, OPENVPN_PLUGIN_FUNC_ERROR on failure * * In addition, OPENVPN_PLUGIN_FUNC_DEFERRED may be returned by * OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY. This enables asynchronous * authentication where the plugin (or one of its agents) may indicate * authentication success/failure some number of seconds after the return * of the OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY handler by writing a single * char to the file named by auth_control_file in the environmental variable * list (envp). * * first char of auth_control_file: * '0' -- indicates auth failure * '1' -- indicates auth success * * OpenVPN will delete the auth_control_file after it goes out of scope. * * If an OPENVPN_PLUGIN_ENABLE_PF handler is defined and returns success * for a particular client instance, packet filtering will be enabled for that * instance. OpenVPN will then attempt to read the packet filter configuration * from the temporary file named by the environmental variable pf_file. This * file may be generated asynchronously and may be dynamically updated during the * client session, however the client will be blocked from sending or receiving * VPN tunnel packets until the packet filter file has been generated. OpenVPN * will periodically test the packet filter file over the life of the client * instance and reload when modified. OpenVPN will delete the packet filter file * when the client instance goes out of scope. * * Packet filter file grammar: * * [CLIENTS DROP|ACCEPT] * {+|-}common_name1 * {+|-}common_name2 * . . . * [SUBNETS DROP|ACCEPT] * {+|-}subnet1 * {+|-}subnet2 * . . . * [END] * * Subnet: IP-ADDRESS | IP-ADDRESS/NUM_NETWORK_BITS * * CLIENTS refers to the set of clients (by their common-name) which * this instance is allowed ('+') to connect to, or is excluded ('-') * from connecting to. Note that in the case of client-to-client * connections, such communication must be allowed by the packet filter * configuration files of both clients. * * SUBNETS refers to IP addresses or IP address subnets which this * instance may connect to ('+') or is excluded ('-') from connecting * to. * * DROP or ACCEPT defines default policy when there is no explicit match * for a common-name or subnet. The [END] tag must exist. A special * purpose tag called [KILL] will immediately kill the client instance. * A given client or subnet rule applies to both incoming and outgoing * packets. * * See plugin/defer/simple.c for an example on using asynchronous * authentication and client-specific packet filtering. */ OPENVPN_PLUGIN_DEF int OPENVPN_PLUGIN_FUNC(openvpn_plugin_func_v2) (openvpn_plugin_handle_t handle, const int type, const char *argv[], const char *envp[], void *per_client_context, struct openvpn_plugin_string_list **return_list); /* * FUNCTION: openvpn_plugin_open_v3 * * REQUIRED: YES * * Called on initial plug-in load. OpenVPN will preserve plug-in state * across SIGUSR1 restarts but not across SIGHUP restarts. A SIGHUP reset * will cause the plugin to be closed and reopened. * * ARGUMENTS * * version : fixed value, defines the API version of the OpenVPN plug-in API. The plug-in * should validate that this value is matching the OPENVPN_PLUGINv3_STRUCTVER * value. * * arguments : Structure with all arguments available to the plug-in. * * retptr : used to return data back to OpenVPN. * * RETURN VALUE * * OPENVPN_PLUGIN_FUNC_SUCCESS on success, OPENVPN_PLUGIN_FUNC_ERROR on failure */ OPENVPN_PLUGIN_DEF int OPENVPN_PLUGIN_FUNC(openvpn_plugin_open_v3) (const int version, struct openvpn_plugin_args_open_in const *arguments, struct openvpn_plugin_args_open_return *retptr); /* * FUNCTION: openvpn_plugin_func_v3 * * Called to perform the work of a given script type. * * REQUIRED: YES * * ARGUMENTS * * version : fixed value, defines the API version of the OpenVPN plug-in API. The plug-in * should validate that this value is matching the OPENVPN_PLUGIN_VERSION value. * * handle : the openvpn_plugin_handle_t value which was returned by * openvpn_plugin_open. * * return_list : used to return data back to OpenVPN. * * RETURN VALUE * * OPENVPN_PLUGIN_FUNC_SUCCESS on success, OPENVPN_PLUGIN_FUNC_ERROR on failure * * In addition, OPENVPN_PLUGIN_FUNC_DEFERRED may be returned by * OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY. This enables asynchronous * authentication where the plugin (or one of its agents) may indicate * authentication success/failure some number of seconds after the return * of the OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY handler by writing a single * char to the file named by auth_control_file in the environmental variable * list (envp). * * first char of auth_control_file: * '0' -- indicates auth failure * '1' -- indicates auth success * * OpenVPN will delete the auth_control_file after it goes out of scope. * * If an OPENVPN_PLUGIN_ENABLE_PF handler is defined and returns success * for a particular client instance, packet filtering will be enabled for that * instance. OpenVPN will then attempt to read the packet filter configuration * from the temporary file named by the environmental variable pf_file. This * file may be generated asynchronously and may be dynamically updated during the * client session, however the client will be blocked from sending or receiving * VPN tunnel packets until the packet filter file has been generated. OpenVPN * will periodically test the packet filter file over the life of the client * instance and reload when modified. OpenVPN will delete the packet filter file * when the client instance goes out of scope. * * Packet filter file grammar: * * [CLIENTS DROP|ACCEPT] * {+|-}common_name1 * {+|-}common_name2 * . . . * [SUBNETS DROP|ACCEPT] * {+|-}subnet1 * {+|-}subnet2 * . . . * [END] * * Subnet: IP-ADDRESS | IP-ADDRESS/NUM_NETWORK_BITS * * CLIENTS refers to the set of clients (by their common-name) which * this instance is allowed ('+') to connect to, or is excluded ('-') * from connecting to. Note that in the case of client-to-client * connections, such communication must be allowed by the packet filter * configuration files of both clients. * * SUBNETS refers to IP addresses or IP address subnets which this * instance may connect to ('+') or is excluded ('-') from connecting * to. * * DROP or ACCEPT defines default policy when there is no explicit match * for a common-name or subnet. The [END] tag must exist. A special * purpose tag called [KILL] will immediately kill the client instance. * A given client or subnet rule applies to both incoming and outgoing * packets. * * See plugin/defer/simple.c for an example on using asynchronous * authentication and client-specific packet filtering. */ OPENVPN_PLUGIN_DEF int OPENVPN_PLUGIN_FUNC(openvpn_plugin_func_v3) (const int version, struct openvpn_plugin_args_func_in const *arguments, struct openvpn_plugin_args_func_return *retptr); /* * FUNCTION: openvpn_plugin_close_v1 * * REQUIRED: YES * * ARGUMENTS * * handle : the openvpn_plugin_handle_t value which was returned by * openvpn_plugin_open. * * Called immediately prior to plug-in unload. */ OPENVPN_PLUGIN_DEF void OPENVPN_PLUGIN_FUNC(openvpn_plugin_close_v1) (openvpn_plugin_handle_t handle); /* * FUNCTION: openvpn_plugin_abort_v1 * * REQUIRED: NO * * ARGUMENTS * * handle : the openvpn_plugin_handle_t value which was returned by * openvpn_plugin_open. * * Called when OpenVPN is in the process of aborting due to a fatal error. * Will only be called on an open context returned by a prior successful * openvpn_plugin_open callback. */ OPENVPN_PLUGIN_DEF void OPENVPN_PLUGIN_FUNC(openvpn_plugin_abort_v1) (openvpn_plugin_handle_t handle); /* * FUNCTION: openvpn_plugin_client_constructor_v1 * * Called to allocate a per-client memory region, which * is then passed to the openvpn_plugin_func_v2 function. * This function is called every time the OpenVPN server * constructs a client instance object, which normally * occurs when a session-initiating packet is received * by a new client, even before the client has authenticated. * * This function should allocate the private memory needed * by the plugin to track individual OpenVPN clients, and * return a void * to this memory region. * * REQUIRED: NO * * ARGUMENTS * * handle : the openvpn_plugin_handle_t value which was returned by * openvpn_plugin_open. * * RETURN VALUE * * void * pointer to plugin's private per-client memory region, or NULL * if no memory region is required. */ OPENVPN_PLUGIN_DEF void *OPENVPN_PLUGIN_FUNC(openvpn_plugin_client_constructor_v1) (openvpn_plugin_handle_t handle); /* * FUNCTION: openvpn_plugin_client_destructor_v1 * * This function is called on client instance object destruction. * * REQUIRED: NO * * ARGUMENTS * * handle : the openvpn_plugin_handle_t value which was returned by * openvpn_plugin_open. * * per_client_context : the per-client context pointer which was returned by * openvpn_plugin_client_constructor_v1, if defined. */ OPENVPN_PLUGIN_DEF void OPENVPN_PLUGIN_FUNC(openvpn_plugin_client_destructor_v1) (openvpn_plugin_handle_t handle, void *per_client_context); /* * FUNCTION: openvpn_plugin_select_initialization_point_v1 * * Several different points exist in OpenVPN's initialization sequence where * the openvpn_plugin_open function can be called. While the default is * OPENVPN_PLUGIN_INIT_PRE_DAEMON, this function can be used to select a * different initialization point. For example, if your plugin needs to * return configuration parameters to OpenVPN, use * OPENVPN_PLUGIN_INIT_PRE_CONFIG_PARSE. * * REQUIRED: NO * * RETURN VALUE: * * An OPENVPN_PLUGIN_INIT_x value. */ #define OPENVPN_PLUGIN_INIT_PRE_CONFIG_PARSE 1 #define OPENVPN_PLUGIN_INIT_PRE_DAEMON 2 /* default */ #define OPENVPN_PLUGIN_INIT_POST_DAEMON 3 #define OPENVPN_PLUGIN_INIT_POST_UID_CHANGE 4 OPENVPN_PLUGIN_DEF int OPENVPN_PLUGIN_FUNC(openvpn_plugin_select_initialization_point_v1) (void); /* * FUNCTION: openvpn_plugin_min_version_required_v1 * * This function is called by OpenVPN to query the minimum * plugin interface version number required by the plugin. * * REQUIRED: NO * * RETURN VALUE * * The minimum OpenVPN plugin interface version number necessary to support * this plugin. */ OPENVPN_PLUGIN_DEF int OPENVPN_PLUGIN_FUNC(openvpn_plugin_min_version_required_v1) (void); /* * Deprecated functions which are still supported for backward compatibility. */ OPENVPN_PLUGIN_DEF openvpn_plugin_handle_t OPENVPN_PLUGIN_FUNC(openvpn_plugin_open_v1) (unsigned int *type_mask, const char *argv[], const char *envp[]); OPENVPN_PLUGIN_DEF int OPENVPN_PLUGIN_FUNC(openvpn_plugin_func_v1) (openvpn_plugin_handle_t handle, const int type, const char *argv[], const char *envp[]); #ifdef __cplusplus } #endif #endif /* OPENVPN_PLUGIN_H_ */ openvpn-2.4.4/include/openvpn-plugin.h.in000066400000000000000000000712431316434344000204010ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifndef OPENVPN_PLUGIN_H_ #define OPENVPN_PLUGIN_H_ #define OPENVPN_PLUGIN_VERSION 3 #ifdef ENABLE_CRYPTO #ifdef ENABLE_CRYPTO_MBEDTLS #include #ifndef __OPENVPN_X509_CERT_T_DECLARED #define __OPENVPN_X509_CERT_T_DECLARED typedef mbedtls_x509_crt openvpn_x509_cert_t; #endif #else /* ifdef ENABLE_CRYPTO_MBEDTLS */ #include #ifndef __OPENVPN_X509_CERT_T_DECLARED #define __OPENVPN_X509_CERT_T_DECLARED typedef X509 openvpn_x509_cert_t; #endif #endif #endif #include #include #ifdef __cplusplus extern "C" { #endif /* Provide some basic version information to plug-ins at OpenVPN compile time * This is will not be the complete version */ #define OPENVPN_VERSION_MAJOR @OPENVPN_VERSION_MAJOR@ #define OPENVPN_VERSION_MINOR @OPENVPN_VERSION_MINOR@ #define OPENVPN_VERSION_PATCH "@OPENVPN_VERSION_PATCH@" /* * Plug-in types. These types correspond to the set of script callbacks * supported by OpenVPN. * * This is the general call sequence to expect when running in server mode: * * Initial Server Startup: * * FUNC: openvpn_plugin_open_v1 * FUNC: openvpn_plugin_client_constructor_v1 (this is the top-level "generic" * client template) * FUNC: openvpn_plugin_func_v1 OPENVPN_PLUGIN_UP * FUNC: openvpn_plugin_func_v1 OPENVPN_PLUGIN_ROUTE_UP * * New Client Connection: * * FUNC: openvpn_plugin_client_constructor_v1 * FUNC: openvpn_plugin_func_v1 OPENVPN_PLUGIN_ENABLE_PF * FUNC: openvpn_plugin_func_v1 OPENVPN_PLUGIN_TLS_VERIFY (called once for every cert * in the server chain) * FUNC: openvpn_plugin_func_v1 OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY * FUNC: openvpn_plugin_func_v1 OPENVPN_PLUGIN_TLS_FINAL * FUNC: openvpn_plugin_func_v1 OPENVPN_PLUGIN_IPCHANGE * * [If OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY returned OPENVPN_PLUGIN_FUNC_DEFERRED, * we don't proceed until authentication is verified via auth_control_file] * * FUNC: openvpn_plugin_func_v1 OPENVPN_PLUGIN_CLIENT_CONNECT_V2 * FUNC: openvpn_plugin_func_v1 OPENVPN_PLUGIN_LEARN_ADDRESS * * [Client session ensues] * * For each "TLS soft reset", according to reneg-sec option (or similar): * * FUNC: openvpn_plugin_func_v1 OPENVPN_PLUGIN_ENABLE_PF * * FUNC: openvpn_plugin_func_v1 OPENVPN_PLUGIN_TLS_VERIFY (called once for every cert * in the server chain) * FUNC: openvpn_plugin_func_v1 OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY * FUNC: openvpn_plugin_func_v1 OPENVPN_PLUGIN_TLS_FINAL * * [If OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY returned OPENVPN_PLUGIN_FUNC_DEFERRED, * we expect that authentication is verified via auth_control_file within * the number of seconds defined by the "hand-window" option. Data channel traffic * will continue to flow uninterrupted during this period.] * * [Client session continues] * * FUNC: openvpn_plugin_func_v1 OPENVPN_PLUGIN_CLIENT_DISCONNECT * FUNC: openvpn_plugin_client_destructor_v1 * * [ some time may pass ] * * FUNC: openvpn_plugin_func_v1 OPENVPN_PLUGIN_LEARN_ADDRESS (this coincides with a * lazy free of initial * learned addr object) * Server Shutdown: * * FUNC: openvpn_plugin_func_v1 OPENVPN_PLUGIN_DOWN * FUNC: openvpn_plugin_client_destructor_v1 (top-level "generic" client) * FUNC: openvpn_plugin_close_v1 */ #define OPENVPN_PLUGIN_UP 0 #define OPENVPN_PLUGIN_DOWN 1 #define OPENVPN_PLUGIN_ROUTE_UP 2 #define OPENVPN_PLUGIN_IPCHANGE 3 #define OPENVPN_PLUGIN_TLS_VERIFY 4 #define OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY 5 #define OPENVPN_PLUGIN_CLIENT_CONNECT 6 #define OPENVPN_PLUGIN_CLIENT_DISCONNECT 7 #define OPENVPN_PLUGIN_LEARN_ADDRESS 8 #define OPENVPN_PLUGIN_CLIENT_CONNECT_V2 9 #define OPENVPN_PLUGIN_TLS_FINAL 10 #define OPENVPN_PLUGIN_ENABLE_PF 11 #define OPENVPN_PLUGIN_ROUTE_PREDOWN 12 #define OPENVPN_PLUGIN_N 13 /* * Build a mask out of a set of plug-in types. */ #define OPENVPN_PLUGIN_MASK(x) (1<<(x)) /* * A pointer to a plugin-defined object which contains * the object state. */ typedef void *openvpn_plugin_handle_t; /* * Return value for openvpn_plugin_func_v1 function */ #define OPENVPN_PLUGIN_FUNC_SUCCESS 0 #define OPENVPN_PLUGIN_FUNC_ERROR 1 #define OPENVPN_PLUGIN_FUNC_DEFERRED 2 /* * For Windows (needs to be modified for MSVC) */ #if defined(_WIN32) && !defined(OPENVPN_PLUGIN_H) #define OPENVPN_EXPORT __declspec(dllexport) #else #define OPENVPN_EXPORT #endif /* * If OPENVPN_PLUGIN_H is defined, we know that we are being * included in an OpenVPN compile, rather than a plugin compile. */ #ifdef OPENVPN_PLUGIN_H /* * We are compiling OpenVPN. */ #define OPENVPN_PLUGIN_DEF typedef #define OPENVPN_PLUGIN_FUNC(name) (*name) #else /* ifdef OPENVPN_PLUGIN_H */ /* * We are compiling plugin. */ #define OPENVPN_PLUGIN_DEF OPENVPN_EXPORT #define OPENVPN_PLUGIN_FUNC(name) name #endif /* * Used by openvpn_plugin_func to return structured * data. The plugin should allocate all structure * instances, name strings, and value strings with * malloc, since OpenVPN will assume that it * can free the list by calling free() over the same. */ struct openvpn_plugin_string_list { struct openvpn_plugin_string_list *next; char *name; char *value; }; /* openvpn_plugin_{open,func}_v3() related structs */ /** * Defines version of the v3 plugin argument structs * * Whenever one or more of these structs are modified, this constant * must be updated. A changelog should be appended in this comment * as well, to make it easier to see what information is available * in the different versions. * * Version Comment * 1 Initial plugin v3 structures providing the same API as * the v2 plugin interface, X509 certificate information + * a logging API for plug-ins. * * 2 Added ssl_api member in struct openvpn_plugin_args_open_in * which identifies the SSL implementation OpenVPN is compiled * against. * * 3 Added ovpn_version, ovpn_version_major, ovpn_version_minor * and ovpn_version_patch to provide the runtime version of * OpenVPN to plug-ins. * * 4 Exported secure_memzero() as plugin_secure_memzero() */ #define OPENVPN_PLUGINv3_STRUCTVER 4 /** * Definitions needed for the plug-in callback functions. */ typedef enum { PLOG_ERR = (1 << 0),/* Error condition message */ PLOG_WARN = (1 << 1),/* General warning message */ PLOG_NOTE = (1 << 2),/* Informational message */ PLOG_DEBUG = (1 << 3),/* Debug message, displayed if verb >= 7 */ PLOG_ERRNO = (1 << 8),/* Add error description to message */ PLOG_NOMUTE = (1 << 9), /* Mute setting does not apply for message */ } openvpn_plugin_log_flags_t; #ifdef __GNUC__ #if __USE_MINGW_ANSI_STDIO #define _ovpn_chk_fmt(a, b) __attribute__ ((format(gnu_printf, (a), (b)))) #else #define _ovpn_chk_fmt(a, b) __attribute__ ((format(__printf__, (a), (b)))) #endif #else /* ifdef __GNUC__ */ #define _ovpn_chk_fmt(a, b) #endif typedef void (*plugin_log_t)(openvpn_plugin_log_flags_t flags, const char *plugin_name, const char *format, ...) _ovpn_chk_fmt (3, 4); typedef void (*plugin_vlog_t)(openvpn_plugin_log_flags_t flags, const char *plugin_name, const char *format, va_list arglist) _ovpn_chk_fmt (3, 0); #undef _ovpn_chk_fmt /** * Export of secure_memzero() to be used inside plug-ins * * @param data Pointer to data to zeroise * @param len Length of data, in bytes * */ typedef void (*plugin_secure_memzero_t)(void *data, size_t len); /** * Used by the openvpn_plugin_open_v3() function to pass callback * function pointers to the plug-in. * * plugin_log * plugin_vlog : Use these functions to add information to the OpenVPN log file. * Messages will only be displayed if the plugin_name parameter * is set. PLOG_DEBUG messages will only be displayed with plug-in * debug log verbosity (at the time of writing that's verb >= 7). * * plugin_secure_memzero * : Use this function to securely wipe sensitive information from * memory. This function is declared in a way that the compiler * will not remove these function calls during the compiler * optimization phase. */ struct openvpn_plugin_callbacks { plugin_log_t plugin_log; plugin_vlog_t plugin_vlog; plugin_secure_memzero_t plugin_secure_memzero; }; /** * Used by the openvpn_plugin_open_v3() function to indicate to the * plug-in what kind of SSL implementation OpenVPN uses. This is * to avoid SEGV issues when OpenVPN is complied against mbed TLS * and the plug-in against OpenSSL. */ typedef enum { SSLAPI_NONE, SSLAPI_OPENSSL, SSLAPI_MBEDTLS } ovpnSSLAPI; /** * Arguments used to transport variables to the plug-in. * The struct openvpn_plugin_args_open_in is only used * by the openvpn_plugin_open_v3() function. * * STRUCT MEMBERS * * type_mask : Set by OpenVPN to the logical OR of all script * types which this version of OpenVPN supports. * * argv : a NULL-terminated array of options provided to the OpenVPN * "plug-in" directive. argv[0] is the dynamic library pathname. * * envp : a NULL-terminated array of OpenVPN-set environmental * variables in "name=value" format. Note that for security reasons, * these variables are not actually written to the "official" * environmental variable store of the process. * * callbacks : a pointer to the plug-in callback function struct. * */ struct openvpn_plugin_args_open_in { const int type_mask; const char **const argv; const char **const envp; struct openvpn_plugin_callbacks *callbacks; const ovpnSSLAPI ssl_api; const char *ovpn_version; const unsigned int ovpn_version_major; const unsigned int ovpn_version_minor; const char *const ovpn_version_patch; }; /** * Arguments used to transport variables from the plug-in back * to the OpenVPN process. The struct openvpn_plugin_args_open_return * is only used by the openvpn_plugin_open_v3() function. * * STRUCT MEMBERS * * type_mask : The plug-in should set this value to the logical OR of all script * types which the plug-in wants to intercept. For example, if the * script wants to intercept the client-connect and client-disconnect * script types: * * type_mask = OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_CLIENT_CONNECT) * | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_CLIENT_DISCONNECT) * * *handle : Pointer to a global plug-in context, created by the plug-in. This pointer * is passed on to the other plug-in calls. * * return_list : used to return data back to OpenVPN. * */ struct openvpn_plugin_args_open_return { int type_mask; openvpn_plugin_handle_t *handle; struct openvpn_plugin_string_list **return_list; }; /** * Arguments used to transport variables to and from the * plug-in. The struct openvpn_plugin_args_func is only used * by the openvpn_plugin_func_v3() function. * * STRUCT MEMBERS: * * type : one of the PLUGIN_x types. * * argv : a NULL-terminated array of "command line" options which * would normally be passed to the script. argv[0] is the dynamic * library pathname. * * envp : a NULL-terminated array of OpenVPN-set environmental * variables in "name=value" format. Note that for security reasons, * these variables are not actually written to the "official" * environmental variable store of the process. * * *handle : Pointer to a global plug-in context, created by the plug-in's openvpn_plugin_open_v3(). * * *per_client_context : the per-client context pointer which was returned by * openvpn_plugin_client_constructor_v1, if defined. * * current_cert_depth : Certificate depth of the certificate being passed over (only if compiled with ENABLE_CRYPTO defined) * * *current_cert : X509 Certificate object received from the client (only if compiled with ENABLE_CRYPTO defined) * */ struct openvpn_plugin_args_func_in { const int type; const char **const argv; const char **const envp; openvpn_plugin_handle_t handle; void *per_client_context; #ifdef ENABLE_CRYPTO int current_cert_depth; openvpn_x509_cert_t *current_cert; #else int __current_cert_depth_disabled; /* Unused, for compatibility purposes only */ void *__current_cert_disabled; /* Unused, for compatibility purposes only */ #endif }; /** * Arguments used to transport variables to and from the * plug-in. The struct openvpn_plugin_args_func is only used * by the openvpn_plugin_func_v3() function. * * STRUCT MEMBERS: * * return_list : used to return data back to OpenVPN for further processing/usage by * the OpenVPN executable. * */ struct openvpn_plugin_args_func_return { struct openvpn_plugin_string_list **return_list; }; /* * Multiple plugin modules can be cascaded, and modules can be * used in tandem with scripts. The order of operation is that * the module func() functions are called in the order that * the modules were specified in the config file. If a script * was specified as well, it will be called last. If the * return code of the module/script controls an authentication * function (such as tls-verify or auth-user-pass-verify), then * every module and script must return success (0) in order for * the connection to be authenticated. * * Notes: * * Plugins which use a privilege-separation model (by forking in * their initialization function before the main OpenVPN process * downgrades root privileges and/or executes a chroot) must * daemonize after a fork if the "daemon" environmental variable is * set. In addition, if the "daemon_log_redirect" variable is set, * the plugin should preserve stdout/stderr across the daemon() * syscall. See the daemonize() function in plugin/auth-pam/auth-pam.c * for an example. */ /* * Prototypes for functions which OpenVPN plug-ins must define. */ /* * FUNCTION: openvpn_plugin_open_v2 * * REQUIRED: YES * * Called on initial plug-in load. OpenVPN will preserve plug-in state * across SIGUSR1 restarts but not across SIGHUP restarts. A SIGHUP reset * will cause the plugin to be closed and reopened. * * ARGUMENTS * * *type_mask : Set by OpenVPN to the logical OR of all script * types which this version of OpenVPN supports. The plug-in * should set this value to the logical OR of all script types * which the plug-in wants to intercept. For example, if the * script wants to intercept the client-connect and * client-disconnect script types: * * *type_mask = OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_CLIENT_CONNECT) * | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_CLIENT_DISCONNECT) * * argv : a NULL-terminated array of options provided to the OpenVPN * "plug-in" directive. argv[0] is the dynamic library pathname. * * envp : a NULL-terminated array of OpenVPN-set environmental * variables in "name=value" format. Note that for security reasons, * these variables are not actually written to the "official" * environmental variable store of the process. * * return_list : used to return data back to OpenVPN. * * RETURN VALUE * * An openvpn_plugin_handle_t value on success, NULL on failure */ OPENVPN_PLUGIN_DEF openvpn_plugin_handle_t OPENVPN_PLUGIN_FUNC(openvpn_plugin_open_v2) (unsigned int *type_mask, const char *argv[], const char *envp[], struct openvpn_plugin_string_list **return_list); /* * FUNCTION: openvpn_plugin_func_v2 * * Called to perform the work of a given script type. * * REQUIRED: YES * * ARGUMENTS * * handle : the openvpn_plugin_handle_t value which was returned by * openvpn_plugin_open. * * type : one of the PLUGIN_x types * * argv : a NULL-terminated array of "command line" options which * would normally be passed to the script. argv[0] is the dynamic * library pathname. * * envp : a NULL-terminated array of OpenVPN-set environmental * variables in "name=value" format. Note that for security reasons, * these variables are not actually written to the "official" * environmental variable store of the process. * * per_client_context : the per-client context pointer which was returned by * openvpn_plugin_client_constructor_v1, if defined. * * return_list : used to return data back to OpenVPN. * * RETURN VALUE * * OPENVPN_PLUGIN_FUNC_SUCCESS on success, OPENVPN_PLUGIN_FUNC_ERROR on failure * * In addition, OPENVPN_PLUGIN_FUNC_DEFERRED may be returned by * OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY. This enables asynchronous * authentication where the plugin (or one of its agents) may indicate * authentication success/failure some number of seconds after the return * of the OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY handler by writing a single * char to the file named by auth_control_file in the environmental variable * list (envp). * * first char of auth_control_file: * '0' -- indicates auth failure * '1' -- indicates auth success * * OpenVPN will delete the auth_control_file after it goes out of scope. * * If an OPENVPN_PLUGIN_ENABLE_PF handler is defined and returns success * for a particular client instance, packet filtering will be enabled for that * instance. OpenVPN will then attempt to read the packet filter configuration * from the temporary file named by the environmental variable pf_file. This * file may be generated asynchronously and may be dynamically updated during the * client session, however the client will be blocked from sending or receiving * VPN tunnel packets until the packet filter file has been generated. OpenVPN * will periodically test the packet filter file over the life of the client * instance and reload when modified. OpenVPN will delete the packet filter file * when the client instance goes out of scope. * * Packet filter file grammar: * * [CLIENTS DROP|ACCEPT] * {+|-}common_name1 * {+|-}common_name2 * . . . * [SUBNETS DROP|ACCEPT] * {+|-}subnet1 * {+|-}subnet2 * . . . * [END] * * Subnet: IP-ADDRESS | IP-ADDRESS/NUM_NETWORK_BITS * * CLIENTS refers to the set of clients (by their common-name) which * this instance is allowed ('+') to connect to, or is excluded ('-') * from connecting to. Note that in the case of client-to-client * connections, such communication must be allowed by the packet filter * configuration files of both clients. * * SUBNETS refers to IP addresses or IP address subnets which this * instance may connect to ('+') or is excluded ('-') from connecting * to. * * DROP or ACCEPT defines default policy when there is no explicit match * for a common-name or subnet. The [END] tag must exist. A special * purpose tag called [KILL] will immediately kill the client instance. * A given client or subnet rule applies to both incoming and outgoing * packets. * * See plugin/defer/simple.c for an example on using asynchronous * authentication and client-specific packet filtering. */ OPENVPN_PLUGIN_DEF int OPENVPN_PLUGIN_FUNC(openvpn_plugin_func_v2) (openvpn_plugin_handle_t handle, const int type, const char *argv[], const char *envp[], void *per_client_context, struct openvpn_plugin_string_list **return_list); /* * FUNCTION: openvpn_plugin_open_v3 * * REQUIRED: YES * * Called on initial plug-in load. OpenVPN will preserve plug-in state * across SIGUSR1 restarts but not across SIGHUP restarts. A SIGHUP reset * will cause the plugin to be closed and reopened. * * ARGUMENTS * * version : fixed value, defines the API version of the OpenVPN plug-in API. The plug-in * should validate that this value is matching the OPENVPN_PLUGINv3_STRUCTVER * value. * * arguments : Structure with all arguments available to the plug-in. * * retptr : used to return data back to OpenVPN. * * RETURN VALUE * * OPENVPN_PLUGIN_FUNC_SUCCESS on success, OPENVPN_PLUGIN_FUNC_ERROR on failure */ OPENVPN_PLUGIN_DEF int OPENVPN_PLUGIN_FUNC(openvpn_plugin_open_v3) (const int version, struct openvpn_plugin_args_open_in const *arguments, struct openvpn_plugin_args_open_return *retptr); /* * FUNCTION: openvpn_plugin_func_v3 * * Called to perform the work of a given script type. * * REQUIRED: YES * * ARGUMENTS * * version : fixed value, defines the API version of the OpenVPN plug-in API. The plug-in * should validate that this value is matching the OPENVPN_PLUGIN_VERSION value. * * handle : the openvpn_plugin_handle_t value which was returned by * openvpn_plugin_open. * * return_list : used to return data back to OpenVPN. * * RETURN VALUE * * OPENVPN_PLUGIN_FUNC_SUCCESS on success, OPENVPN_PLUGIN_FUNC_ERROR on failure * * In addition, OPENVPN_PLUGIN_FUNC_DEFERRED may be returned by * OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY. This enables asynchronous * authentication where the plugin (or one of its agents) may indicate * authentication success/failure some number of seconds after the return * of the OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY handler by writing a single * char to the file named by auth_control_file in the environmental variable * list (envp). * * first char of auth_control_file: * '0' -- indicates auth failure * '1' -- indicates auth success * * OpenVPN will delete the auth_control_file after it goes out of scope. * * If an OPENVPN_PLUGIN_ENABLE_PF handler is defined and returns success * for a particular client instance, packet filtering will be enabled for that * instance. OpenVPN will then attempt to read the packet filter configuration * from the temporary file named by the environmental variable pf_file. This * file may be generated asynchronously and may be dynamically updated during the * client session, however the client will be blocked from sending or receiving * VPN tunnel packets until the packet filter file has been generated. OpenVPN * will periodically test the packet filter file over the life of the client * instance and reload when modified. OpenVPN will delete the packet filter file * when the client instance goes out of scope. * * Packet filter file grammar: * * [CLIENTS DROP|ACCEPT] * {+|-}common_name1 * {+|-}common_name2 * . . . * [SUBNETS DROP|ACCEPT] * {+|-}subnet1 * {+|-}subnet2 * . . . * [END] * * Subnet: IP-ADDRESS | IP-ADDRESS/NUM_NETWORK_BITS * * CLIENTS refers to the set of clients (by their common-name) which * this instance is allowed ('+') to connect to, or is excluded ('-') * from connecting to. Note that in the case of client-to-client * connections, such communication must be allowed by the packet filter * configuration files of both clients. * * SUBNETS refers to IP addresses or IP address subnets which this * instance may connect to ('+') or is excluded ('-') from connecting * to. * * DROP or ACCEPT defines default policy when there is no explicit match * for a common-name or subnet. The [END] tag must exist. A special * purpose tag called [KILL] will immediately kill the client instance. * A given client or subnet rule applies to both incoming and outgoing * packets. * * See plugin/defer/simple.c for an example on using asynchronous * authentication and client-specific packet filtering. */ OPENVPN_PLUGIN_DEF int OPENVPN_PLUGIN_FUNC(openvpn_plugin_func_v3) (const int version, struct openvpn_plugin_args_func_in const *arguments, struct openvpn_plugin_args_func_return *retptr); /* * FUNCTION: openvpn_plugin_close_v1 * * REQUIRED: YES * * ARGUMENTS * * handle : the openvpn_plugin_handle_t value which was returned by * openvpn_plugin_open. * * Called immediately prior to plug-in unload. */ OPENVPN_PLUGIN_DEF void OPENVPN_PLUGIN_FUNC(openvpn_plugin_close_v1) (openvpn_plugin_handle_t handle); /* * FUNCTION: openvpn_plugin_abort_v1 * * REQUIRED: NO * * ARGUMENTS * * handle : the openvpn_plugin_handle_t value which was returned by * openvpn_plugin_open. * * Called when OpenVPN is in the process of aborting due to a fatal error. * Will only be called on an open context returned by a prior successful * openvpn_plugin_open callback. */ OPENVPN_PLUGIN_DEF void OPENVPN_PLUGIN_FUNC(openvpn_plugin_abort_v1) (openvpn_plugin_handle_t handle); /* * FUNCTION: openvpn_plugin_client_constructor_v1 * * Called to allocate a per-client memory region, which * is then passed to the openvpn_plugin_func_v2 function. * This function is called every time the OpenVPN server * constructs a client instance object, which normally * occurs when a session-initiating packet is received * by a new client, even before the client has authenticated. * * This function should allocate the private memory needed * by the plugin to track individual OpenVPN clients, and * return a void * to this memory region. * * REQUIRED: NO * * ARGUMENTS * * handle : the openvpn_plugin_handle_t value which was returned by * openvpn_plugin_open. * * RETURN VALUE * * void * pointer to plugin's private per-client memory region, or NULL * if no memory region is required. */ OPENVPN_PLUGIN_DEF void *OPENVPN_PLUGIN_FUNC(openvpn_plugin_client_constructor_v1) (openvpn_plugin_handle_t handle); /* * FUNCTION: openvpn_plugin_client_destructor_v1 * * This function is called on client instance object destruction. * * REQUIRED: NO * * ARGUMENTS * * handle : the openvpn_plugin_handle_t value which was returned by * openvpn_plugin_open. * * per_client_context : the per-client context pointer which was returned by * openvpn_plugin_client_constructor_v1, if defined. */ OPENVPN_PLUGIN_DEF void OPENVPN_PLUGIN_FUNC(openvpn_plugin_client_destructor_v1) (openvpn_plugin_handle_t handle, void *per_client_context); /* * FUNCTION: openvpn_plugin_select_initialization_point_v1 * * Several different points exist in OpenVPN's initialization sequence where * the openvpn_plugin_open function can be called. While the default is * OPENVPN_PLUGIN_INIT_PRE_DAEMON, this function can be used to select a * different initialization point. For example, if your plugin needs to * return configuration parameters to OpenVPN, use * OPENVPN_PLUGIN_INIT_PRE_CONFIG_PARSE. * * REQUIRED: NO * * RETURN VALUE: * * An OPENVPN_PLUGIN_INIT_x value. */ #define OPENVPN_PLUGIN_INIT_PRE_CONFIG_PARSE 1 #define OPENVPN_PLUGIN_INIT_PRE_DAEMON 2 /* default */ #define OPENVPN_PLUGIN_INIT_POST_DAEMON 3 #define OPENVPN_PLUGIN_INIT_POST_UID_CHANGE 4 OPENVPN_PLUGIN_DEF int OPENVPN_PLUGIN_FUNC(openvpn_plugin_select_initialization_point_v1) (void); /* * FUNCTION: openvpn_plugin_min_version_required_v1 * * This function is called by OpenVPN to query the minimum * plugin interface version number required by the plugin. * * REQUIRED: NO * * RETURN VALUE * * The minimum OpenVPN plugin interface version number necessary to support * this plugin. */ OPENVPN_PLUGIN_DEF int OPENVPN_PLUGIN_FUNC(openvpn_plugin_min_version_required_v1) (void); /* * Deprecated functions which are still supported for backward compatibility. */ OPENVPN_PLUGIN_DEF openvpn_plugin_handle_t OPENVPN_PLUGIN_FUNC(openvpn_plugin_open_v1) (unsigned int *type_mask, const char *argv[], const char *envp[]); OPENVPN_PLUGIN_DEF int OPENVPN_PLUGIN_FUNC(openvpn_plugin_func_v1) (openvpn_plugin_handle_t handle, const int type, const char *argv[], const char *envp[]); #ifdef __cplusplus } #endif #endif /* OPENVPN_PLUGIN_H_ */ openvpn-2.4.4/install-sh000077500000000000000000000341371316434344000152240ustar00rootroot00000000000000#!/bin/sh # install - install a program, script, or datafile scriptversion=2011-11-20.07; # UTC # This originates from X11R5 (mit/util/scripts/install.sh), which was # later released in X11R6 (xc/config/util/install.sh) with the # following copyright and license. # # Copyright (C) 1994 X Consortium # # Permission is hereby granted, free of charge, to any person obtaining a copy # of this software and associated documentation files (the "Software"), to # deal in the Software without restriction, including without limitation the # rights to use, copy, modify, merge, publish, distribute, sublicense, and/or # sell copies of the Software, and to permit persons to whom the Software is # furnished to do so, subject to the following conditions: # # The above copyright notice and this permission notice shall be included in # all copies or substantial portions of the Software. # # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, # FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE # X CONSORTIUM BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN # AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNEC- # TION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. # # Except as contained in this notice, the name of the X Consortium shall not # be used in advertising or otherwise to promote the sale, use or other deal- # ings in this Software without prior written authorization from the X Consor- # tium. # # # FSF changes to this file are in the public domain. # # Calling this script install-sh is preferred over install.sh, to prevent # 'make' implicit rules from creating a file called install from it # when there is no Makefile. # # This script is compatible with the BSD install script, but was written # from scratch. nl=' ' IFS=" "" $nl" # set DOITPROG to echo to test this script # Don't use :- since 4.3BSD and earlier shells don't like it. doit=${DOITPROG-} if test -z "$doit"; then doit_exec=exec else doit_exec=$doit fi # Put in absolute file names if you don't have them in your path; # or use environment vars. chgrpprog=${CHGRPPROG-chgrp} chmodprog=${CHMODPROG-chmod} chownprog=${CHOWNPROG-chown} cmpprog=${CMPPROG-cmp} cpprog=${CPPROG-cp} mkdirprog=${MKDIRPROG-mkdir} mvprog=${MVPROG-mv} rmprog=${RMPROG-rm} stripprog=${STRIPPROG-strip} posix_glob='?' initialize_posix_glob=' test "$posix_glob" != "?" || { if (set -f) 2>/dev/null; then posix_glob= else posix_glob=: fi } ' posix_mkdir= # Desired mode of installed file. mode=0755 chgrpcmd= chmodcmd=$chmodprog chowncmd= mvcmd=$mvprog rmcmd="$rmprog -f" stripcmd= src= dst= dir_arg= dst_arg= copy_on_change=false no_target_directory= usage="\ Usage: $0 [OPTION]... [-T] SRCFILE DSTFILE or: $0 [OPTION]... SRCFILES... DIRECTORY or: $0 [OPTION]... -t DIRECTORY SRCFILES... or: $0 [OPTION]... -d DIRECTORIES... In the 1st form, copy SRCFILE to DSTFILE. In the 2nd and 3rd, copy all SRCFILES to DIRECTORY. In the 4th, create DIRECTORIES. Options: --help display this help and exit. --version display version info and exit. -c (ignored) -C install only if different (preserve the last data modification time) -d create directories instead of installing files. -g GROUP $chgrpprog installed files to GROUP. -m MODE $chmodprog installed files to MODE. -o USER $chownprog installed files to USER. -s $stripprog installed files. -t DIRECTORY install into DIRECTORY. -T report an error if DSTFILE is a directory. Environment variables override the default commands: CHGRPPROG CHMODPROG CHOWNPROG CMPPROG CPPROG MKDIRPROG MVPROG RMPROG STRIPPROG " while test $# -ne 0; do case $1 in -c) ;; -C) copy_on_change=true;; -d) dir_arg=true;; -g) chgrpcmd="$chgrpprog $2" shift;; --help) echo "$usage"; exit $?;; -m) mode=$2 case $mode in *' '* | *' '* | *' '* | *'*'* | *'?'* | *'['*) echo "$0: invalid mode: $mode" >&2 exit 1;; esac shift;; -o) chowncmd="$chownprog $2" shift;; -s) stripcmd=$stripprog;; -t) dst_arg=$2 # Protect names problematic for 'test' and other utilities. case $dst_arg in -* | [=\(\)!]) dst_arg=./$dst_arg;; esac shift;; -T) no_target_directory=true;; --version) echo "$0 $scriptversion"; exit $?;; --) shift break;; -*) echo "$0: invalid option: $1" >&2 exit 1;; *) break;; esac shift done if test $# -ne 0 && test -z "$dir_arg$dst_arg"; then # When -d is used, all remaining arguments are directories to create. # When -t is used, the destination is already specified. # Otherwise, the last argument is the destination. Remove it from $@. for arg do if test -n "$dst_arg"; then # $@ is not empty: it contains at least $arg. set fnord "$@" "$dst_arg" shift # fnord fi shift # arg dst_arg=$arg # Protect names problematic for 'test' and other utilities. case $dst_arg in -* | [=\(\)!]) dst_arg=./$dst_arg;; esac done fi if test $# -eq 0; then if test -z "$dir_arg"; then echo "$0: no input file specified." >&2 exit 1 fi # It's OK to call 'install-sh -d' without argument. # This can happen when creating conditional directories. exit 0 fi if test -z "$dir_arg"; then do_exit='(exit $ret); exit $ret' trap "ret=129; $do_exit" 1 trap "ret=130; $do_exit" 2 trap "ret=141; $do_exit" 13 trap "ret=143; $do_exit" 15 # Set umask so as not to create temps with too-generous modes. # However, 'strip' requires both read and write access to temps. case $mode in # Optimize common cases. *644) cp_umask=133;; *755) cp_umask=22;; *[0-7]) if test -z "$stripcmd"; then u_plus_rw= else u_plus_rw='% 200' fi cp_umask=`expr '(' 777 - $mode % 1000 ')' $u_plus_rw`;; *) if test -z "$stripcmd"; then u_plus_rw= else u_plus_rw=,u+rw fi cp_umask=$mode$u_plus_rw;; esac fi for src do # Protect names problematic for 'test' and other utilities. case $src in -* | [=\(\)!]) src=./$src;; esac if test -n "$dir_arg"; then dst=$src dstdir=$dst test -d "$dstdir" dstdir_status=$? else # Waiting for this to be detected by the "$cpprog $src $dsttmp" command # might cause directories to be created, which would be especially bad # if $src (and thus $dsttmp) contains '*'. if test ! -f "$src" && test ! -d "$src"; then echo "$0: $src does not exist." >&2 exit 1 fi if test -z "$dst_arg"; then echo "$0: no destination specified." >&2 exit 1 fi dst=$dst_arg # If destination is a directory, append the input filename; won't work # if double slashes aren't ignored. if test -d "$dst"; then if test -n "$no_target_directory"; then echo "$0: $dst_arg: Is a directory" >&2 exit 1 fi dstdir=$dst dst=$dstdir/`basename "$src"` dstdir_status=0 else # Prefer dirname, but fall back on a substitute if dirname fails. dstdir=` (dirname "$dst") 2>/dev/null || expr X"$dst" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ X"$dst" : 'X\(//\)[^/]' \| \ X"$dst" : 'X\(//\)$' \| \ X"$dst" : 'X\(/\)' \| . 2>/dev/null || echo X"$dst" | sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/ q } /^X\(\/\/\)[^/].*/{ s//\1/ q } /^X\(\/\/\)$/{ s//\1/ q } /^X\(\/\).*/{ s//\1/ q } s/.*/./; q' ` test -d "$dstdir" dstdir_status=$? fi fi obsolete_mkdir_used=false if test $dstdir_status != 0; then case $posix_mkdir in '') # Create intermediate dirs using mode 755 as modified by the umask. # This is like FreeBSD 'install' as of 1997-10-28. umask=`umask` case $stripcmd.$umask in # Optimize common cases. *[2367][2367]) mkdir_umask=$umask;; .*0[02][02] | .[02][02] | .[02]) mkdir_umask=22;; *[0-7]) mkdir_umask=`expr $umask + 22 \ - $umask % 100 % 40 + $umask % 20 \ - $umask % 10 % 4 + $umask % 2 `;; *) mkdir_umask=$umask,go-w;; esac # With -d, create the new directory with the user-specified mode. # Otherwise, rely on $mkdir_umask. if test -n "$dir_arg"; then mkdir_mode=-m$mode else mkdir_mode= fi posix_mkdir=false case $umask in *[123567][0-7][0-7]) # POSIX mkdir -p sets u+wx bits regardless of umask, which # is incompatible with FreeBSD 'install' when (umask & 300) != 0. ;; *) # $RANDOM is not portable (e.g. dash); use it when possible to # lower collision chance tmpdir=${TMPDIR-/tmp}/ins$RANDOM-$$ trap 'ret=$?; rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir" 2>/dev/null; exit $ret' 0 # As "mkdir -p" follows symlinks and we work in /tmp possibly; so # create the $tmpdir first (and fail if unsuccessful) to make sure # that nobody tries to guess the $tmpdir name. if (umask $mkdir_umask && $mkdirprog $mkdir_mode "$tmpdir" && exec $mkdirprog $mkdir_mode -p -- "$tmpdir/a/b") >/dev/null 2>&1 then if test -z "$dir_arg" || { # Check for POSIX incompatibilities with -m. # HP-UX 11.23 and IRIX 6.5 mkdir -m -p sets group- or # other-writable bit of parent directory when it shouldn't. # FreeBSD 6.1 mkdir -m -p sets mode of existing directory. test_tmpdir="$tmpdir/a" ls_ld_tmpdir=`ls -ld "$test_tmpdir"` case $ls_ld_tmpdir in d????-?r-*) different_mode=700;; d????-?--*) different_mode=755;; *) false;; esac && $mkdirprog -m$different_mode -p -- "$test_tmpdir" && { ls_ld_tmpdir_1=`ls -ld "$test_tmpdir"` test "$ls_ld_tmpdir" = "$ls_ld_tmpdir_1" } } then posix_mkdir=: fi rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir" else # Remove any dirs left behind by ancient mkdir implementations. rmdir ./$mkdir_mode ./-p ./-- "$tmpdir" 2>/dev/null fi trap '' 0;; esac;; esac if $posix_mkdir && ( umask $mkdir_umask && $doit_exec $mkdirprog $mkdir_mode -p -- "$dstdir" ) then : else # The umask is ridiculous, or mkdir does not conform to POSIX, # or it failed possibly due to a race condition. Create the # directory the slow way, step by step, checking for races as we go. case $dstdir in /*) prefix='/';; [-=\(\)!]*) prefix='./';; *) prefix='';; esac eval "$initialize_posix_glob" oIFS=$IFS IFS=/ $posix_glob set -f set fnord $dstdir shift $posix_glob set +f IFS=$oIFS prefixes= for d do test X"$d" = X && continue prefix=$prefix$d if test -d "$prefix"; then prefixes= else if $posix_mkdir; then (umask=$mkdir_umask && $doit_exec $mkdirprog $mkdir_mode -p -- "$dstdir") && break # Don't fail if two instances are running concurrently. test -d "$prefix" || exit 1 else case $prefix in *\'*) qprefix=`echo "$prefix" | sed "s/'/'\\\\\\\\''/g"`;; *) qprefix=$prefix;; esac prefixes="$prefixes '$qprefix'" fi fi prefix=$prefix/ done if test -n "$prefixes"; then # Don't fail if two instances are running concurrently. (umask $mkdir_umask && eval "\$doit_exec \$mkdirprog $prefixes") || test -d "$dstdir" || exit 1 obsolete_mkdir_used=true fi fi fi if test -n "$dir_arg"; then { test -z "$chowncmd" || $doit $chowncmd "$dst"; } && { test -z "$chgrpcmd" || $doit $chgrpcmd "$dst"; } && { test "$obsolete_mkdir_used$chowncmd$chgrpcmd" = false || test -z "$chmodcmd" || $doit $chmodcmd $mode "$dst"; } || exit 1 else # Make a couple of temp file names in the proper directory. dsttmp=$dstdir/_inst.$$_ rmtmp=$dstdir/_rm.$$_ # Trap to clean up those temp files at exit. trap 'ret=$?; rm -f "$dsttmp" "$rmtmp" && exit $ret' 0 # Copy the file name to the temp name. (umask $cp_umask && $doit_exec $cpprog "$src" "$dsttmp") && # and set any options; do chmod last to preserve setuid bits. # # If any of these fail, we abort the whole thing. If we want to # ignore errors from any of these, just make sure not to ignore # errors from the above "$doit $cpprog $src $dsttmp" command. # { test -z "$chowncmd" || $doit $chowncmd "$dsttmp"; } && { test -z "$chgrpcmd" || $doit $chgrpcmd "$dsttmp"; } && { test -z "$stripcmd" || $doit $stripcmd "$dsttmp"; } && { test -z "$chmodcmd" || $doit $chmodcmd $mode "$dsttmp"; } && # If -C, don't bother to copy if it wouldn't change the file. if $copy_on_change && old=`LC_ALL=C ls -dlL "$dst" 2>/dev/null` && new=`LC_ALL=C ls -dlL "$dsttmp" 2>/dev/null` && eval "$initialize_posix_glob" && $posix_glob set -f && set X $old && old=:$2:$4:$5:$6 && set X $new && new=:$2:$4:$5:$6 && $posix_glob set +f && test "$old" = "$new" && $cmpprog "$dst" "$dsttmp" >/dev/null 2>&1 then rm -f "$dsttmp" else # Rename the file to the real destination. $doit $mvcmd -f "$dsttmp" "$dst" 2>/dev/null || # The rename failed, perhaps because mv can't rename something else # to itself, or perhaps because mv is so ancient that it does not # support -f. { # Now remove or move aside any old file at destination location. # We try this two ways since rm can't unlink itself on some # systems and the destination file might be busy for other # reasons. In this case, the final cleanup might fail but the new # file should still install successfully. { test ! -f "$dst" || $doit $rmcmd -f "$dst" 2>/dev/null || { $doit $mvcmd -f "$dst" "$rmtmp" 2>/dev/null && { $doit $rmcmd -f "$rmtmp" 2>/dev/null; :; } } || { echo "$0: cannot unlink or rename $dst" >&2 (exit 1); exit 1 } } && # Now rename the file to the real destination. $doit $mvcmd "$dsttmp" "$dst" } fi || exit 1 trap '' 0 fi done # Local variables: # eval: (add-hook 'write-file-hooks 'time-stamp) # time-stamp-start: "scriptversion=" # time-stamp-format: "%:y-%02m-%02d.%02H" # time-stamp-time-zone: "UTC" # time-stamp-end: "; # UTC" # End: openvpn-2.4.4/ltmain.sh000066400000000000000000010520301316434344000150310ustar00rootroot00000000000000 # libtool (GNU libtool) 2.4.2 # Written by Gordon Matzigkeit , 1996 # Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2003, 2004, 2005, 2006, # 2007, 2008, 2009, 2010, 2011 Free Software Foundation, Inc. # This is free software; see the source for copying conditions. There is NO # warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. # GNU Libtool is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # As a special exception to the GNU General Public License, # if you distribute this file as part of a program or library that # is built using GNU Libtool, you may include this file under the # same distribution terms that you use for the rest of that program. # # GNU Libtool is distributed in the hope that it will be useful, but # WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU # General Public License for more details. # # You should have received a copy of the GNU General Public License # along with GNU Libtool; see the file COPYING. If not, a copy # can be downloaded from http://www.gnu.org/licenses/gpl.html, # or obtained by writing to the Free Software Foundation, Inc., # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. # Usage: $progname [OPTION]... [MODE-ARG]... # # Provide generalized library-building support services. # # --config show all configuration variables # --debug enable verbose shell tracing # -n, --dry-run display commands without modifying any files # --features display basic configuration information and exit # --mode=MODE use operation mode MODE # --preserve-dup-deps don't remove duplicate dependency libraries # --quiet, --silent don't print informational messages # --no-quiet, --no-silent # print informational messages (default) # --no-warn don't display warning messages # --tag=TAG use configuration variables from tag TAG # -v, --verbose print more informational messages than default # --no-verbose don't print the extra informational messages # --version print version information # -h, --help, --help-all print short, long, or detailed help message # # MODE must be one of the following: # # clean remove files from the build directory # compile compile a source file into a libtool object # execute automatically set library path, then run a program # finish complete the installation of libtool libraries # install install libraries or executables # link create a library or an executable # uninstall remove libraries from an installed directory # # MODE-ARGS vary depending on the MODE. When passed as first option, # `--mode=MODE' may be abbreviated as `MODE' or a unique abbreviation of that. # Try `$progname --help --mode=MODE' for a more detailed description of MODE. # # When reporting a bug, please describe a test case to reproduce it and # include the following information: # # host-triplet: $host # shell: $SHELL # compiler: $LTCC # compiler flags: $LTCFLAGS # linker: $LD (gnu? $with_gnu_ld) # $progname: (GNU libtool) 2.4.2 Debian-2.4.2-1.11 # automake: $automake_version # autoconf: $autoconf_version # # Report bugs to . # GNU libtool home page: . # General help using GNU software: . PROGRAM=libtool PACKAGE=libtool VERSION="2.4.2 Debian-2.4.2-1.11" TIMESTAMP="" package_revision=1.3337 # Be Bourne compatible if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then emulate sh NULLCMD=: # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which # is contrary to our usage. Disable this feature. alias -g '${1+"$@"}'='"$@"' setopt NO_GLOB_SUBST else case `(set -o) 2>/dev/null` in *posix*) set -o posix;; esac fi BIN_SH=xpg4; export BIN_SH # for Tru64 DUALCASE=1; export DUALCASE # for MKS sh # A function that is used when there is no print builtin or printf. func_fallback_echo () { eval 'cat <<_LTECHO_EOF $1 _LTECHO_EOF' } # NLS nuisances: We save the old values to restore during execute mode. lt_user_locale= lt_safe_locale= for lt_var in LANG LANGUAGE LC_ALL LC_CTYPE LC_COLLATE LC_MESSAGES do eval "if test \"\${$lt_var+set}\" = set; then save_$lt_var=\$$lt_var $lt_var=C export $lt_var lt_user_locale=\"$lt_var=\\\$save_\$lt_var; \$lt_user_locale\" lt_safe_locale=\"$lt_var=C; \$lt_safe_locale\" fi" done LC_ALL=C LANGUAGE=C export LANGUAGE LC_ALL $lt_unset CDPATH # Work around backward compatibility issue on IRIX 6.5. On IRIX 6.4+, sh # is ksh but when the shell is invoked as "sh" and the current value of # the _XPG environment variable is not equal to 1 (one), the special # positional parameter $0, within a function call, is the name of the # function. progpath="$0" : ${CP="cp -f"} test "${ECHO+set}" = set || ECHO=${as_echo-'printf %s\n'} : ${MAKE="make"} : ${MKDIR="mkdir"} : ${MV="mv -f"} : ${RM="rm -f"} : ${SHELL="${CONFIG_SHELL-/bin/sh}"} : ${Xsed="$SED -e 1s/^X//"} # Global variables: EXIT_SUCCESS=0 EXIT_FAILURE=1 EXIT_MISMATCH=63 # $? = 63 is used to indicate version mismatch to missing. EXIT_SKIP=77 # $? = 77 is used to indicate a skipped test to automake. exit_status=$EXIT_SUCCESS # Make sure IFS has a sensible default lt_nl=' ' IFS=" $lt_nl" dirname="s,/[^/]*$,," basename="s,^.*/,," # func_dirname file append nondir_replacement # Compute the dirname of FILE. If nonempty, add APPEND to the result, # otherwise set result to NONDIR_REPLACEMENT. func_dirname () { func_dirname_result=`$ECHO "${1}" | $SED "$dirname"` if test "X$func_dirname_result" = "X${1}"; then func_dirname_result="${3}" else func_dirname_result="$func_dirname_result${2}" fi } # func_dirname may be replaced by extended shell implementation # func_basename file func_basename () { func_basename_result=`$ECHO "${1}" | $SED "$basename"` } # func_basename may be replaced by extended shell implementation # func_dirname_and_basename file append nondir_replacement # perform func_basename and func_dirname in a single function # call: # dirname: Compute the dirname of FILE. If nonempty, # add APPEND to the result, otherwise set result # to NONDIR_REPLACEMENT. # value returned in "$func_dirname_result" # basename: Compute filename of FILE. # value retuned in "$func_basename_result" # Implementation must be kept synchronized with func_dirname # and func_basename. For efficiency, we do not delegate to # those functions but instead duplicate the functionality here. func_dirname_and_basename () { # Extract subdirectory from the argument. func_dirname_result=`$ECHO "${1}" | $SED -e "$dirname"` if test "X$func_dirname_result" = "X${1}"; then func_dirname_result="${3}" else func_dirname_result="$func_dirname_result${2}" fi func_basename_result=`$ECHO "${1}" | $SED -e "$basename"` } # func_dirname_and_basename may be replaced by extended shell implementation # func_stripname prefix suffix name # strip PREFIX and SUFFIX off of NAME. # PREFIX and SUFFIX must not contain globbing or regex special # characters, hashes, percent signs, but SUFFIX may contain a leading # dot (in which case that matches only a dot). # func_strip_suffix prefix name func_stripname () { case ${2} in .*) func_stripname_result=`$ECHO "${3}" | $SED "s%^${1}%%; s%\\\\${2}\$%%"`;; *) func_stripname_result=`$ECHO "${3}" | $SED "s%^${1}%%; s%${2}\$%%"`;; esac } # func_stripname may be replaced by extended shell implementation # These SED scripts presuppose an absolute path with a trailing slash. pathcar='s,^/\([^/]*\).*$,\1,' pathcdr='s,^/[^/]*,,' removedotparts=':dotsl s@/\./@/@g t dotsl s,/\.$,/,' collapseslashes='s@/\{1,\}@/@g' finalslash='s,/*$,/,' # func_normal_abspath PATH # Remove doubled-up and trailing slashes, "." path components, # and cancel out any ".." path components in PATH after making # it an absolute path. # value returned in "$func_normal_abspath_result" func_normal_abspath () { # Start from root dir and reassemble the path. func_normal_abspath_result= func_normal_abspath_tpath=$1 func_normal_abspath_altnamespace= case $func_normal_abspath_tpath in "") # Empty path, that just means $cwd. func_stripname '' '/' "`pwd`" func_normal_abspath_result=$func_stripname_result return ;; # The next three entries are used to spot a run of precisely # two leading slashes without using negated character classes; # we take advantage of case's first-match behaviour. ///*) # Unusual form of absolute path, do nothing. ;; //*) # Not necessarily an ordinary path; POSIX reserves leading '//' # and for example Cygwin uses it to access remote file shares # over CIFS/SMB, so we conserve a leading double slash if found. func_normal_abspath_altnamespace=/ ;; /*) # Absolute path, do nothing. ;; *) # Relative path, prepend $cwd. func_normal_abspath_tpath=`pwd`/$func_normal_abspath_tpath ;; esac # Cancel out all the simple stuff to save iterations. We also want # the path to end with a slash for ease of parsing, so make sure # there is one (and only one) here. func_normal_abspath_tpath=`$ECHO "$func_normal_abspath_tpath" | $SED \ -e "$removedotparts" -e "$collapseslashes" -e "$finalslash"` while :; do # Processed it all yet? if test "$func_normal_abspath_tpath" = / ; then # If we ascended to the root using ".." the result may be empty now. if test -z "$func_normal_abspath_result" ; then func_normal_abspath_result=/ fi break fi func_normal_abspath_tcomponent=`$ECHO "$func_normal_abspath_tpath" | $SED \ -e "$pathcar"` func_normal_abspath_tpath=`$ECHO "$func_normal_abspath_tpath" | $SED \ -e "$pathcdr"` # Figure out what to do with it case $func_normal_abspath_tcomponent in "") # Trailing empty path component, ignore it. ;; ..) # Parent dir; strip last assembled component from result. func_dirname "$func_normal_abspath_result" func_normal_abspath_result=$func_dirname_result ;; *) # Actual path component, append it. func_normal_abspath_result=$func_normal_abspath_result/$func_normal_abspath_tcomponent ;; esac done # Restore leading double-slash if one was found on entry. func_normal_abspath_result=$func_normal_abspath_altnamespace$func_normal_abspath_result } # func_relative_path SRCDIR DSTDIR # generates a relative path from SRCDIR to DSTDIR, with a trailing # slash if non-empty, suitable for immediately appending a filename # without needing to append a separator. # value returned in "$func_relative_path_result" func_relative_path () { func_relative_path_result= func_normal_abspath "$1" func_relative_path_tlibdir=$func_normal_abspath_result func_normal_abspath "$2" func_relative_path_tbindir=$func_normal_abspath_result # Ascend the tree starting from libdir while :; do # check if we have found a prefix of bindir case $func_relative_path_tbindir in $func_relative_path_tlibdir) # found an exact match func_relative_path_tcancelled= break ;; $func_relative_path_tlibdir*) # found a matching prefix func_stripname "$func_relative_path_tlibdir" '' "$func_relative_path_tbindir" func_relative_path_tcancelled=$func_stripname_result if test -z "$func_relative_path_result"; then func_relative_path_result=. fi break ;; *) func_dirname $func_relative_path_tlibdir func_relative_path_tlibdir=${func_dirname_result} if test "x$func_relative_path_tlibdir" = x ; then # Have to descend all the way to the root! func_relative_path_result=../$func_relative_path_result func_relative_path_tcancelled=$func_relative_path_tbindir break fi func_relative_path_result=../$func_relative_path_result ;; esac done # Now calculate path; take care to avoid doubling-up slashes. func_stripname '' '/' "$func_relative_path_result" func_relative_path_result=$func_stripname_result func_stripname '/' '/' "$func_relative_path_tcancelled" if test "x$func_stripname_result" != x ; then func_relative_path_result=${func_relative_path_result}/${func_stripname_result} fi # Normalisation. If bindir is libdir, return empty string, # else relative path ending with a slash; either way, target # file name can be directly appended. if test ! -z "$func_relative_path_result"; then func_stripname './' '' "$func_relative_path_result/" func_relative_path_result=$func_stripname_result fi } # The name of this program: func_dirname_and_basename "$progpath" progname=$func_basename_result # Make sure we have an absolute path for reexecution: case $progpath in [\\/]*|[A-Za-z]:\\*) ;; *[\\/]*) progdir=$func_dirname_result progdir=`cd "$progdir" && pwd` progpath="$progdir/$progname" ;; *) save_IFS="$IFS" IFS=${PATH_SEPARATOR-:} for progdir in $PATH; do IFS="$save_IFS" test -x "$progdir/$progname" && break done IFS="$save_IFS" test -n "$progdir" || progdir=`pwd` progpath="$progdir/$progname" ;; esac # Sed substitution that helps us do robust quoting. It backslashifies # metacharacters that are still active within double-quoted strings. Xsed="${SED}"' -e 1s/^X//' sed_quote_subst='s/\([`"$\\]\)/\\\1/g' # Same as above, but do not quote variable references. double_quote_subst='s/\(["`\\]\)/\\\1/g' # Sed substitution that turns a string into a regex matching for the # string literally. sed_make_literal_regex='s,[].[^$\\*\/],\\&,g' # Sed substitution that converts a w32 file name or path # which contains forward slashes, into one that contains # (escaped) backslashes. A very naive implementation. lt_sed_naive_backslashify='s|\\\\*|\\|g;s|/|\\|g;s|\\|\\\\|g' # Re-`\' parameter expansions in output of double_quote_subst that were # `\'-ed in input to the same. If an odd number of `\' preceded a '$' # in input to double_quote_subst, that '$' was protected from expansion. # Since each input `\' is now two `\'s, look for any number of runs of # four `\'s followed by two `\'s and then a '$'. `\' that '$'. bs='\\' bs2='\\\\' bs4='\\\\\\\\' dollar='\$' sed_double_backslash="\ s/$bs4/&\\ /g s/^$bs2$dollar/$bs&/ s/\\([^$bs]\\)$bs2$dollar/\\1$bs2$bs$dollar/g s/\n//g" # Standard options: opt_dry_run=false opt_help=false opt_quiet=false opt_verbose=false opt_warning=: # func_echo arg... # Echo program name prefixed message, along with the current mode # name if it has been set yet. func_echo () { $ECHO "$progname: ${opt_mode+$opt_mode: }$*" } # func_verbose arg... # Echo program name prefixed message in verbose mode only. func_verbose () { $opt_verbose && func_echo ${1+"$@"} # A bug in bash halts the script if the last line of a function # fails when set -e is in force, so we need another command to # work around that: : } # func_echo_all arg... # Invoke $ECHO with all args, space-separated. func_echo_all () { $ECHO "$*" } # func_error arg... # Echo program name prefixed message to standard error. func_error () { $ECHO "$progname: ${opt_mode+$opt_mode: }"${1+"$@"} 1>&2 } # func_warning arg... # Echo program name prefixed warning message to standard error. func_warning () { $opt_warning && $ECHO "$progname: ${opt_mode+$opt_mode: }warning: "${1+"$@"} 1>&2 # bash bug again: : } # func_fatal_error arg... # Echo program name prefixed message to standard error, and exit. func_fatal_error () { func_error ${1+"$@"} exit $EXIT_FAILURE } # func_fatal_help arg... # Echo program name prefixed message to standard error, followed by # a help hint, and exit. func_fatal_help () { func_error ${1+"$@"} func_fatal_error "$help" } help="Try \`$progname --help' for more information." ## default # func_grep expression filename # Check whether EXPRESSION matches any line of FILENAME, without output. func_grep () { $GREP "$1" "$2" >/dev/null 2>&1 } # func_mkdir_p directory-path # Make sure the entire path to DIRECTORY-PATH is available. func_mkdir_p () { my_directory_path="$1" my_dir_list= if test -n "$my_directory_path" && test "$opt_dry_run" != ":"; then # Protect directory names starting with `-' case $my_directory_path in -*) my_directory_path="./$my_directory_path" ;; esac # While some portion of DIR does not yet exist... while test ! -d "$my_directory_path"; do # ...make a list in topmost first order. Use a colon delimited # list incase some portion of path contains whitespace. my_dir_list="$my_directory_path:$my_dir_list" # If the last portion added has no slash in it, the list is done case $my_directory_path in */*) ;; *) break ;; esac # ...otherwise throw away the child directory and loop my_directory_path=`$ECHO "$my_directory_path" | $SED -e "$dirname"` done my_dir_list=`$ECHO "$my_dir_list" | $SED 's,:*$,,'` save_mkdir_p_IFS="$IFS"; IFS=':' for my_dir in $my_dir_list; do IFS="$save_mkdir_p_IFS" # mkdir can fail with a `File exist' error if two processes # try to create one of the directories concurrently. Don't # stop in that case! $MKDIR "$my_dir" 2>/dev/null || : done IFS="$save_mkdir_p_IFS" # Bail out if we (or some other process) failed to create a directory. test -d "$my_directory_path" || \ func_fatal_error "Failed to create \`$1'" fi } # func_mktempdir [string] # Make a temporary directory that won't clash with other running # libtool processes, and avoids race conditions if possible. If # given, STRING is the basename for that directory. func_mktempdir () { my_template="${TMPDIR-/tmp}/${1-$progname}" if test "$opt_dry_run" = ":"; then # Return a directory name, but don't create it in dry-run mode my_tmpdir="${my_template}-$$" else # If mktemp works, use that first and foremost my_tmpdir=`mktemp -d "${my_template}-XXXXXXXX" 2>/dev/null` if test ! -d "$my_tmpdir"; then # Failing that, at least try and use $RANDOM to avoid a race my_tmpdir="${my_template}-${RANDOM-0}$$" save_mktempdir_umask=`umask` umask 0077 $MKDIR "$my_tmpdir" umask $save_mktempdir_umask fi # If we're not in dry-run mode, bomb out on failure test -d "$my_tmpdir" || \ func_fatal_error "cannot create temporary directory \`$my_tmpdir'" fi $ECHO "$my_tmpdir" } # func_quote_for_eval arg # Aesthetically quote ARG to be evaled later. # This function returns two values: FUNC_QUOTE_FOR_EVAL_RESULT # is double-quoted, suitable for a subsequent eval, whereas # FUNC_QUOTE_FOR_EVAL_UNQUOTED_RESULT has merely all characters # which are still active within double quotes backslashified. func_quote_for_eval () { case $1 in *[\\\`\"\$]*) func_quote_for_eval_unquoted_result=`$ECHO "$1" | $SED "$sed_quote_subst"` ;; *) func_quote_for_eval_unquoted_result="$1" ;; esac case $func_quote_for_eval_unquoted_result in # Double-quote args containing shell metacharacters to delay # word splitting, command substitution and and variable # expansion for a subsequent eval. # Many Bourne shells cannot handle close brackets correctly # in scan sets, so we specify it separately. *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*|"") func_quote_for_eval_result="\"$func_quote_for_eval_unquoted_result\"" ;; *) func_quote_for_eval_result="$func_quote_for_eval_unquoted_result" esac } # func_quote_for_expand arg # Aesthetically quote ARG to be evaled later; same as above, # but do not quote variable references. func_quote_for_expand () { case $1 in *[\\\`\"]*) my_arg=`$ECHO "$1" | $SED \ -e "$double_quote_subst" -e "$sed_double_backslash"` ;; *) my_arg="$1" ;; esac case $my_arg in # Double-quote args containing shell metacharacters to delay # word splitting and command substitution for a subsequent eval. # Many Bourne shells cannot handle close brackets correctly # in scan sets, so we specify it separately. *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*|"") my_arg="\"$my_arg\"" ;; esac func_quote_for_expand_result="$my_arg" } # func_show_eval cmd [fail_exp] # Unless opt_silent is true, then output CMD. Then, if opt_dryrun is # not true, evaluate CMD. If the evaluation of CMD fails, and FAIL_EXP # is given, then evaluate it. func_show_eval () { my_cmd="$1" my_fail_exp="${2-:}" ${opt_silent-false} || { func_quote_for_expand "$my_cmd" eval "func_echo $func_quote_for_expand_result" } if ${opt_dry_run-false}; then :; else eval "$my_cmd" my_status=$? if test "$my_status" -eq 0; then :; else eval "(exit $my_status); $my_fail_exp" fi fi } # func_show_eval_locale cmd [fail_exp] # Unless opt_silent is true, then output CMD. Then, if opt_dryrun is # not true, evaluate CMD. If the evaluation of CMD fails, and FAIL_EXP # is given, then evaluate it. Use the saved locale for evaluation. func_show_eval_locale () { my_cmd="$1" my_fail_exp="${2-:}" ${opt_silent-false} || { func_quote_for_expand "$my_cmd" eval "func_echo $func_quote_for_expand_result" } if ${opt_dry_run-false}; then :; else eval "$lt_user_locale $my_cmd" my_status=$? eval "$lt_safe_locale" if test "$my_status" -eq 0; then :; else eval "(exit $my_status); $my_fail_exp" fi fi } # func_tr_sh # Turn $1 into a string suitable for a shell variable name. # Result is stored in $func_tr_sh_result. All characters # not in the set a-zA-Z0-9_ are replaced with '_'. Further, # if $1 begins with a digit, a '_' is prepended as well. func_tr_sh () { case $1 in [0-9]* | *[!a-zA-Z0-9_]*) func_tr_sh_result=`$ECHO "$1" | $SED 's/^\([0-9]\)/_\1/; s/[^a-zA-Z0-9_]/_/g'` ;; * ) func_tr_sh_result=$1 ;; esac } # func_version # Echo version message to standard output and exit. func_version () { $opt_debug $SED -n '/(C)/!b go :more /\./!{ N s/\n# / / b more } :go /^# '$PROGRAM' (GNU /,/# warranty; / { s/^# // s/^# *$// s/\((C)\)[ 0-9,-]*\( [1-9][0-9]*\)/\1\2/ p }' < "$progpath" exit $? } # func_usage # Echo short help message to standard output and exit. func_usage () { $opt_debug $SED -n '/^# Usage:/,/^# *.*--help/ { s/^# // s/^# *$// s/\$progname/'$progname'/ p }' < "$progpath" echo $ECHO "run \`$progname --help | more' for full usage" exit $? } # func_help [NOEXIT] # Echo long help message to standard output and exit, # unless 'noexit' is passed as argument. func_help () { $opt_debug $SED -n '/^# Usage:/,/# Report bugs to/ { :print s/^# // s/^# *$// s*\$progname*'$progname'* s*\$host*'"$host"'* s*\$SHELL*'"$SHELL"'* s*\$LTCC*'"$LTCC"'* s*\$LTCFLAGS*'"$LTCFLAGS"'* s*\$LD*'"$LD"'* s/\$with_gnu_ld/'"$with_gnu_ld"'/ s/\$automake_version/'"`(${AUTOMAKE-automake} --version) 2>/dev/null |$SED 1q`"'/ s/\$autoconf_version/'"`(${AUTOCONF-autoconf} --version) 2>/dev/null |$SED 1q`"'/ p d } /^# .* home page:/b print /^# General help using/b print ' < "$progpath" ret=$? if test -z "$1"; then exit $ret fi } # func_missing_arg argname # Echo program name prefixed message to standard error and set global # exit_cmd. func_missing_arg () { $opt_debug func_error "missing argument for $1." exit_cmd=exit } # func_split_short_opt shortopt # Set func_split_short_opt_name and func_split_short_opt_arg shell # variables after splitting SHORTOPT after the 2nd character. func_split_short_opt () { my_sed_short_opt='1s/^\(..\).*$/\1/;q' my_sed_short_rest='1s/^..\(.*\)$/\1/;q' func_split_short_opt_name=`$ECHO "$1" | $SED "$my_sed_short_opt"` func_split_short_opt_arg=`$ECHO "$1" | $SED "$my_sed_short_rest"` } # func_split_short_opt may be replaced by extended shell implementation # func_split_long_opt longopt # Set func_split_long_opt_name and func_split_long_opt_arg shell # variables after splitting LONGOPT at the `=' sign. func_split_long_opt () { my_sed_long_opt='1s/^\(--[^=]*\)=.*/\1/;q' my_sed_long_arg='1s/^--[^=]*=//' func_split_long_opt_name=`$ECHO "$1" | $SED "$my_sed_long_opt"` func_split_long_opt_arg=`$ECHO "$1" | $SED "$my_sed_long_arg"` } # func_split_long_opt may be replaced by extended shell implementation exit_cmd=: magic="%%%MAGIC variable%%%" magic_exe="%%%MAGIC EXE variable%%%" # Global variables. nonopt= preserve_args= lo2o="s/\\.lo\$/.${objext}/" o2lo="s/\\.${objext}\$/.lo/" extracted_archives= extracted_serial=0 # If this variable is set in any of the actions, the command in it # will be execed at the end. This prevents here-documents from being # left over by shells. exec_cmd= # func_append var value # Append VALUE to the end of shell variable VAR. func_append () { eval "${1}=\$${1}\${2}" } # func_append may be replaced by extended shell implementation # func_append_quoted var value # Quote VALUE and append to the end of shell variable VAR, separated # by a space. func_append_quoted () { func_quote_for_eval "${2}" eval "${1}=\$${1}\\ \$func_quote_for_eval_result" } # func_append_quoted may be replaced by extended shell implementation # func_arith arithmetic-term... func_arith () { func_arith_result=`expr "${@}"` } # func_arith may be replaced by extended shell implementation # func_len string # STRING may not start with a hyphen. func_len () { func_len_result=`expr "${1}" : ".*" 2>/dev/null || echo $max_cmd_len` } # func_len may be replaced by extended shell implementation # func_lo2o object func_lo2o () { func_lo2o_result=`$ECHO "${1}" | $SED "$lo2o"` } # func_lo2o may be replaced by extended shell implementation # func_xform libobj-or-source func_xform () { func_xform_result=`$ECHO "${1}" | $SED 's/\.[^.]*$/.lo/'` } # func_xform may be replaced by extended shell implementation # func_fatal_configuration arg... # Echo program name prefixed message to standard error, followed by # a configuration failure hint, and exit. func_fatal_configuration () { func_error ${1+"$@"} func_error "See the $PACKAGE documentation for more information." func_fatal_error "Fatal configuration error." } # func_config # Display the configuration for all the tags in this script. func_config () { re_begincf='^# ### BEGIN LIBTOOL' re_endcf='^# ### END LIBTOOL' # Default configuration. $SED "1,/$re_begincf CONFIG/d;/$re_endcf CONFIG/,\$d" < "$progpath" # Now print the configurations for the tags. for tagname in $taglist; do $SED -n "/$re_begincf TAG CONFIG: $tagname\$/,/$re_endcf TAG CONFIG: $tagname\$/p" < "$progpath" done exit $? } # func_features # Display the features supported by this script. func_features () { echo "host: $host" if test "$build_libtool_libs" = yes; then echo "enable shared libraries" else echo "disable shared libraries" fi if test "$build_old_libs" = yes; then echo "enable static libraries" else echo "disable static libraries" fi exit $? } # func_enable_tag tagname # Verify that TAGNAME is valid, and either flag an error and exit, or # enable the TAGNAME tag. We also add TAGNAME to the global $taglist # variable here. func_enable_tag () { # Global variable: tagname="$1" re_begincf="^# ### BEGIN LIBTOOL TAG CONFIG: $tagname\$" re_endcf="^# ### END LIBTOOL TAG CONFIG: $tagname\$" sed_extractcf="/$re_begincf/,/$re_endcf/p" # Validate tagname. case $tagname in *[!-_A-Za-z0-9,/]*) func_fatal_error "invalid tag name: $tagname" ;; esac # Don't test for the "default" C tag, as we know it's # there but not specially marked. case $tagname in CC) ;; *) if $GREP "$re_begincf" "$progpath" >/dev/null 2>&1; then taglist="$taglist $tagname" # Evaluate the configuration. Be careful to quote the path # and the sed script, to avoid splitting on whitespace, but # also don't use non-portable quotes within backquotes within # quotes we have to do it in 2 steps: extractedcf=`$SED -n -e "$sed_extractcf" < "$progpath"` eval "$extractedcf" else func_error "ignoring unknown tag $tagname" fi ;; esac } # func_check_version_match # Ensure that we are using m4 macros, and libtool script from the same # release of libtool. func_check_version_match () { if test "$package_revision" != "$macro_revision"; then if test "$VERSION" != "$macro_version"; then if test -z "$macro_version"; then cat >&2 <<_LT_EOF $progname: Version mismatch error. This is $PACKAGE $VERSION, but the $progname: definition of this LT_INIT comes from an older release. $progname: You should recreate aclocal.m4 with macros from $PACKAGE $VERSION $progname: and run autoconf again. _LT_EOF else cat >&2 <<_LT_EOF $progname: Version mismatch error. This is $PACKAGE $VERSION, but the $progname: definition of this LT_INIT comes from $PACKAGE $macro_version. $progname: You should recreate aclocal.m4 with macros from $PACKAGE $VERSION $progname: and run autoconf again. _LT_EOF fi else cat >&2 <<_LT_EOF $progname: Version mismatch error. This is $PACKAGE $VERSION, revision $package_revision, $progname: but the definition of this LT_INIT comes from revision $macro_revision. $progname: You should recreate aclocal.m4 with macros from revision $package_revision $progname: of $PACKAGE $VERSION and run autoconf again. _LT_EOF fi exit $EXIT_MISMATCH fi } # Shorthand for --mode=foo, only valid as the first argument case $1 in clean|clea|cle|cl) shift; set dummy --mode clean ${1+"$@"}; shift ;; compile|compil|compi|comp|com|co|c) shift; set dummy --mode compile ${1+"$@"}; shift ;; execute|execut|execu|exec|exe|ex|e) shift; set dummy --mode execute ${1+"$@"}; shift ;; finish|finis|fini|fin|fi|f) shift; set dummy --mode finish ${1+"$@"}; shift ;; install|instal|insta|inst|ins|in|i) shift; set dummy --mode install ${1+"$@"}; shift ;; link|lin|li|l) shift; set dummy --mode link ${1+"$@"}; shift ;; uninstall|uninstal|uninsta|uninst|unins|unin|uni|un|u) shift; set dummy --mode uninstall ${1+"$@"}; shift ;; esac # Option defaults: opt_debug=: opt_dry_run=false opt_config=false opt_preserve_dup_deps=false opt_features=false opt_finish=false opt_help=false opt_help_all=false opt_silent=: opt_warning=: opt_verbose=: opt_silent=false opt_verbose=false # Parse options once, thoroughly. This comes as soon as possible in the # script to make things like `--version' happen as quickly as we can. { # this just eases exit handling while test $# -gt 0; do opt="$1" shift case $opt in --debug|-x) opt_debug='set -x' func_echo "enabling shell trace mode" $opt_debug ;; --dry-run|--dryrun|-n) opt_dry_run=: ;; --config) opt_config=: func_config ;; --dlopen|-dlopen) optarg="$1" opt_dlopen="${opt_dlopen+$opt_dlopen }$optarg" shift ;; --preserve-dup-deps) opt_preserve_dup_deps=: ;; --features) opt_features=: func_features ;; --finish) opt_finish=: set dummy --mode finish ${1+"$@"}; shift ;; --help) opt_help=: ;; --help-all) opt_help_all=: opt_help=': help-all' ;; --mode) test $# = 0 && func_missing_arg $opt && break optarg="$1" opt_mode="$optarg" case $optarg in # Valid mode arguments: clean|compile|execute|finish|install|link|relink|uninstall) ;; # Catch anything else as an error *) func_error "invalid argument for $opt" exit_cmd=exit break ;; esac shift ;; --no-silent|--no-quiet) opt_silent=false func_append preserve_args " $opt" ;; --no-warning|--no-warn) opt_warning=false func_append preserve_args " $opt" ;; --no-verbose) opt_verbose=false func_append preserve_args " $opt" ;; --silent|--quiet) opt_silent=: func_append preserve_args " $opt" opt_verbose=false ;; --verbose|-v) opt_verbose=: func_append preserve_args " $opt" opt_silent=false ;; --tag) test $# = 0 && func_missing_arg $opt && break optarg="$1" opt_tag="$optarg" func_append preserve_args " $opt $optarg" func_enable_tag "$optarg" shift ;; -\?|-h) func_usage ;; --help) func_help ;; --version) func_version ;; # Separate optargs to long options: --*=*) func_split_long_opt "$opt" set dummy "$func_split_long_opt_name" "$func_split_long_opt_arg" ${1+"$@"} shift ;; # Separate non-argument short options: -\?*|-h*|-n*|-v*) func_split_short_opt "$opt" set dummy "$func_split_short_opt_name" "-$func_split_short_opt_arg" ${1+"$@"} shift ;; --) break ;; -*) func_fatal_help "unrecognized option \`$opt'" ;; *) set dummy "$opt" ${1+"$@"}; shift; break ;; esac done # Validate options: # save first non-option argument if test "$#" -gt 0; then nonopt="$opt" shift fi # preserve --debug test "$opt_debug" = : || func_append preserve_args " --debug" case $host in *cygwin* | *mingw* | *pw32* | *cegcc*) # don't eliminate duplications in $postdeps and $predeps opt_duplicate_compiler_generated_deps=: ;; *) opt_duplicate_compiler_generated_deps=$opt_preserve_dup_deps ;; esac $opt_help || { # Sanity checks first: func_check_version_match if test "$build_libtool_libs" != yes && test "$build_old_libs" != yes; then func_fatal_configuration "not configured to build any kind of library" fi # Darwin sucks eval std_shrext=\"$shrext_cmds\" # Only execute mode is allowed to have -dlopen flags. if test -n "$opt_dlopen" && test "$opt_mode" != execute; then func_error "unrecognized option \`-dlopen'" $ECHO "$help" 1>&2 exit $EXIT_FAILURE fi # Change the help message to a mode-specific one. generic_help="$help" help="Try \`$progname --help --mode=$opt_mode' for more information." } # Bail if the options were screwed $exit_cmd $EXIT_FAILURE } ## ----------- ## ## Main. ## ## ----------- ## # func_lalib_p file # True iff FILE is a libtool `.la' library or `.lo' object file. # This function is only a basic sanity check; it will hardly flush out # determined imposters. func_lalib_p () { test -f "$1" && $SED -e 4q "$1" 2>/dev/null \ | $GREP "^# Generated by .*$PACKAGE" > /dev/null 2>&1 } # func_lalib_unsafe_p file # True iff FILE is a libtool `.la' library or `.lo' object file. # This function implements the same check as func_lalib_p without # resorting to external programs. To this end, it redirects stdin and # closes it afterwards, without saving the original file descriptor. # As a safety measure, use it only where a negative result would be # fatal anyway. Works if `file' does not exist. func_lalib_unsafe_p () { lalib_p=no if test -f "$1" && test -r "$1" && exec 5<&0 <"$1"; then for lalib_p_l in 1 2 3 4 do read lalib_p_line case "$lalib_p_line" in \#\ Generated\ by\ *$PACKAGE* ) lalib_p=yes; break;; esac done exec 0<&5 5<&- fi test "$lalib_p" = yes } # func_ltwrapper_script_p file # True iff FILE is a libtool wrapper script # This function is only a basic sanity check; it will hardly flush out # determined imposters. func_ltwrapper_script_p () { func_lalib_p "$1" } # func_ltwrapper_executable_p file # True iff FILE is a libtool wrapper executable # This function is only a basic sanity check; it will hardly flush out # determined imposters. func_ltwrapper_executable_p () { func_ltwrapper_exec_suffix= case $1 in *.exe) ;; *) func_ltwrapper_exec_suffix=.exe ;; esac $GREP "$magic_exe" "$1$func_ltwrapper_exec_suffix" >/dev/null 2>&1 } # func_ltwrapper_scriptname file # Assumes file is an ltwrapper_executable # uses $file to determine the appropriate filename for a # temporary ltwrapper_script. func_ltwrapper_scriptname () { func_dirname_and_basename "$1" "" "." func_stripname '' '.exe' "$func_basename_result" func_ltwrapper_scriptname_result="$func_dirname_result/$objdir/${func_stripname_result}_ltshwrapper" } # func_ltwrapper_p file # True iff FILE is a libtool wrapper script or wrapper executable # This function is only a basic sanity check; it will hardly flush out # determined imposters. func_ltwrapper_p () { func_ltwrapper_script_p "$1" || func_ltwrapper_executable_p "$1" } # func_execute_cmds commands fail_cmd # Execute tilde-delimited COMMANDS. # If FAIL_CMD is given, eval that upon failure. # FAIL_CMD may read-access the current command in variable CMD! func_execute_cmds () { $opt_debug save_ifs=$IFS; IFS='~' for cmd in $1; do IFS=$save_ifs eval cmd=\"$cmd\" func_show_eval "$cmd" "${2-:}" done IFS=$save_ifs } # func_source file # Source FILE, adding directory component if necessary. # Note that it is not necessary on cygwin/mingw to append a dot to # FILE even if both FILE and FILE.exe exist: automatic-append-.exe # behavior happens only for exec(3), not for open(2)! Also, sourcing # `FILE.' does not work on cygwin managed mounts. func_source () { $opt_debug case $1 in */* | *\\*) . "$1" ;; *) . "./$1" ;; esac } # func_resolve_sysroot PATH # Replace a leading = in PATH with a sysroot. Store the result into # func_resolve_sysroot_result func_resolve_sysroot () { func_resolve_sysroot_result=$1 case $func_resolve_sysroot_result in =*) func_stripname '=' '' "$func_resolve_sysroot_result" func_resolve_sysroot_result=$lt_sysroot$func_stripname_result ;; esac } # func_replace_sysroot PATH # If PATH begins with the sysroot, replace it with = and # store the result into func_replace_sysroot_result. func_replace_sysroot () { case "$lt_sysroot:$1" in ?*:"$lt_sysroot"*) func_stripname "$lt_sysroot" '' "$1" func_replace_sysroot_result="=$func_stripname_result" ;; *) # Including no sysroot. func_replace_sysroot_result=$1 ;; esac } # func_infer_tag arg # Infer tagged configuration to use if any are available and # if one wasn't chosen via the "--tag" command line option. # Only attempt this if the compiler in the base compile # command doesn't match the default compiler. # arg is usually of the form 'gcc ...' func_infer_tag () { $opt_debug if test -n "$available_tags" && test -z "$tagname"; then CC_quoted= for arg in $CC; do func_append_quoted CC_quoted "$arg" done CC_expanded=`func_echo_all $CC` CC_quoted_expanded=`func_echo_all $CC_quoted` case $@ in # Blanks in the command may have been stripped by the calling shell, # but not from the CC environment variable when configure was run. " $CC "* | "$CC "* | " $CC_expanded "* | "$CC_expanded "* | \ " $CC_quoted"* | "$CC_quoted "* | " $CC_quoted_expanded "* | "$CC_quoted_expanded "*) ;; # Blanks at the start of $base_compile will cause this to fail # if we don't check for them as well. *) for z in $available_tags; do if $GREP "^# ### BEGIN LIBTOOL TAG CONFIG: $z$" < "$progpath" > /dev/null; then # Evaluate the configuration. eval "`${SED} -n -e '/^# ### BEGIN LIBTOOL TAG CONFIG: '$z'$/,/^# ### END LIBTOOL TAG CONFIG: '$z'$/p' < $progpath`" CC_quoted= for arg in $CC; do # Double-quote args containing other shell metacharacters. func_append_quoted CC_quoted "$arg" done CC_expanded=`func_echo_all $CC` CC_quoted_expanded=`func_echo_all $CC_quoted` case "$@ " in " $CC "* | "$CC "* | " $CC_expanded "* | "$CC_expanded "* | \ " $CC_quoted"* | "$CC_quoted "* | " $CC_quoted_expanded "* | "$CC_quoted_expanded "*) # The compiler in the base compile command matches # the one in the tagged configuration. # Assume this is the tagged configuration we want. tagname=$z break ;; esac fi done # If $tagname still isn't set, then no tagged configuration # was found and let the user know that the "--tag" command # line option must be used. if test -z "$tagname"; then func_echo "unable to infer tagged configuration" func_fatal_error "specify a tag with \`--tag'" # else # func_verbose "using $tagname tagged configuration" fi ;; esac fi } # func_write_libtool_object output_name pic_name nonpic_name # Create a libtool object file (analogous to a ".la" file), # but don't create it if we're doing a dry run. func_write_libtool_object () { write_libobj=${1} if test "$build_libtool_libs" = yes; then write_lobj=\'${2}\' else write_lobj=none fi if test "$build_old_libs" = yes; then write_oldobj=\'${3}\' else write_oldobj=none fi $opt_dry_run || { cat >${write_libobj}T </dev/null` if test "$?" -eq 0 && test -n "${func_convert_core_file_wine_to_w32_tmp}"; then func_convert_core_file_wine_to_w32_result=`$ECHO "$func_convert_core_file_wine_to_w32_tmp" | $SED -e "$lt_sed_naive_backslashify"` else func_convert_core_file_wine_to_w32_result= fi fi } # end: func_convert_core_file_wine_to_w32 # func_convert_core_path_wine_to_w32 ARG # Helper function used by path conversion functions when $build is *nix, and # $host is mingw, cygwin, or some other w32 environment. Relies on a correctly # configured wine environment available, with the winepath program in $build's # $PATH. Assumes ARG has no leading or trailing path separator characters. # # ARG is path to be converted from $build format to win32. # Result is available in $func_convert_core_path_wine_to_w32_result. # Unconvertible file (directory) names in ARG are skipped; if no directory names # are convertible, then the result may be empty. func_convert_core_path_wine_to_w32 () { $opt_debug # unfortunately, winepath doesn't convert paths, only file names func_convert_core_path_wine_to_w32_result="" if test -n "$1"; then oldIFS=$IFS IFS=: for func_convert_core_path_wine_to_w32_f in $1; do IFS=$oldIFS func_convert_core_file_wine_to_w32 "$func_convert_core_path_wine_to_w32_f" if test -n "$func_convert_core_file_wine_to_w32_result" ; then if test -z "$func_convert_core_path_wine_to_w32_result"; then func_convert_core_path_wine_to_w32_result="$func_convert_core_file_wine_to_w32_result" else func_append func_convert_core_path_wine_to_w32_result ";$func_convert_core_file_wine_to_w32_result" fi fi done IFS=$oldIFS fi } # end: func_convert_core_path_wine_to_w32 # func_cygpath ARGS... # Wrapper around calling the cygpath program via LT_CYGPATH. This is used when # when (1) $build is *nix and Cygwin is hosted via a wine environment; or (2) # $build is MSYS and $host is Cygwin, or (3) $build is Cygwin. In case (1) or # (2), returns the Cygwin file name or path in func_cygpath_result (input # file name or path is assumed to be in w32 format, as previously converted # from $build's *nix or MSYS format). In case (3), returns the w32 file name # or path in func_cygpath_result (input file name or path is assumed to be in # Cygwin format). Returns an empty string on error. # # ARGS are passed to cygpath, with the last one being the file name or path to # be converted. # # Specify the absolute *nix (or w32) name to cygpath in the LT_CYGPATH # environment variable; do not put it in $PATH. func_cygpath () { $opt_debug if test -n "$LT_CYGPATH" && test -f "$LT_CYGPATH"; then func_cygpath_result=`$LT_CYGPATH "$@" 2>/dev/null` if test "$?" -ne 0; then # on failure, ensure result is empty func_cygpath_result= fi else func_cygpath_result= func_error "LT_CYGPATH is empty or specifies non-existent file: \`$LT_CYGPATH'" fi } #end: func_cygpath # func_convert_core_msys_to_w32 ARG # Convert file name or path ARG from MSYS format to w32 format. Return # result in func_convert_core_msys_to_w32_result. func_convert_core_msys_to_w32 () { $opt_debug # awkward: cmd appends spaces to result func_convert_core_msys_to_w32_result=`( cmd //c echo "$1" ) 2>/dev/null | $SED -e 's/[ ]*$//' -e "$lt_sed_naive_backslashify"` } #end: func_convert_core_msys_to_w32 # func_convert_file_check ARG1 ARG2 # Verify that ARG1 (a file name in $build format) was converted to $host # format in ARG2. Otherwise, emit an error message, but continue (resetting # func_to_host_file_result to ARG1). func_convert_file_check () { $opt_debug if test -z "$2" && test -n "$1" ; then func_error "Could not determine host file name corresponding to" func_error " \`$1'" func_error "Continuing, but uninstalled executables may not work." # Fallback: func_to_host_file_result="$1" fi } # end func_convert_file_check # func_convert_path_check FROM_PATHSEP TO_PATHSEP FROM_PATH TO_PATH # Verify that FROM_PATH (a path in $build format) was converted to $host # format in TO_PATH. Otherwise, emit an error message, but continue, resetting # func_to_host_file_result to a simplistic fallback value (see below). func_convert_path_check () { $opt_debug if test -z "$4" && test -n "$3"; then func_error "Could not determine the host path corresponding to" func_error " \`$3'" func_error "Continuing, but uninstalled executables may not work." # Fallback. This is a deliberately simplistic "conversion" and # should not be "improved". See libtool.info. if test "x$1" != "x$2"; then lt_replace_pathsep_chars="s|$1|$2|g" func_to_host_path_result=`echo "$3" | $SED -e "$lt_replace_pathsep_chars"` else func_to_host_path_result="$3" fi fi } # end func_convert_path_check # func_convert_path_front_back_pathsep FRONTPAT BACKPAT REPL ORIG # Modifies func_to_host_path_result by prepending REPL if ORIG matches FRONTPAT # and appending REPL if ORIG matches BACKPAT. func_convert_path_front_back_pathsep () { $opt_debug case $4 in $1 ) func_to_host_path_result="$3$func_to_host_path_result" ;; esac case $4 in $2 ) func_append func_to_host_path_result "$3" ;; esac } # end func_convert_path_front_back_pathsep ################################################## # $build to $host FILE NAME CONVERSION FUNCTIONS # ################################################## # invoked via `$to_host_file_cmd ARG' # # In each case, ARG is the path to be converted from $build to $host format. # Result will be available in $func_to_host_file_result. # func_to_host_file ARG # Converts the file name ARG from $build format to $host format. Return result # in func_to_host_file_result. func_to_host_file () { $opt_debug $to_host_file_cmd "$1" } # end func_to_host_file # func_to_tool_file ARG LAZY # converts the file name ARG from $build format to toolchain format. Return # result in func_to_tool_file_result. If the conversion in use is listed # in (the comma separated) LAZY, no conversion takes place. func_to_tool_file () { $opt_debug case ,$2, in *,"$to_tool_file_cmd",*) func_to_tool_file_result=$1 ;; *) $to_tool_file_cmd "$1" func_to_tool_file_result=$func_to_host_file_result ;; esac } # end func_to_tool_file # func_convert_file_noop ARG # Copy ARG to func_to_host_file_result. func_convert_file_noop () { func_to_host_file_result="$1" } # end func_convert_file_noop # func_convert_file_msys_to_w32 ARG # Convert file name ARG from (mingw) MSYS to (mingw) w32 format; automatic # conversion to w32 is not available inside the cwrapper. Returns result in # func_to_host_file_result. func_convert_file_msys_to_w32 () { $opt_debug func_to_host_file_result="$1" if test -n "$1"; then func_convert_core_msys_to_w32 "$1" func_to_host_file_result="$func_convert_core_msys_to_w32_result" fi func_convert_file_check "$1" "$func_to_host_file_result" } # end func_convert_file_msys_to_w32 # func_convert_file_cygwin_to_w32 ARG # Convert file name ARG from Cygwin to w32 format. Returns result in # func_to_host_file_result. func_convert_file_cygwin_to_w32 () { $opt_debug func_to_host_file_result="$1" if test -n "$1"; then # because $build is cygwin, we call "the" cygpath in $PATH; no need to use # LT_CYGPATH in this case. func_to_host_file_result=`cygpath -m "$1"` fi func_convert_file_check "$1" "$func_to_host_file_result" } # end func_convert_file_cygwin_to_w32 # func_convert_file_nix_to_w32 ARG # Convert file name ARG from *nix to w32 format. Requires a wine environment # and a working winepath. Returns result in func_to_host_file_result. func_convert_file_nix_to_w32 () { $opt_debug func_to_host_file_result="$1" if test -n "$1"; then func_convert_core_file_wine_to_w32 "$1" func_to_host_file_result="$func_convert_core_file_wine_to_w32_result" fi func_convert_file_check "$1" "$func_to_host_file_result" } # end func_convert_file_nix_to_w32 # func_convert_file_msys_to_cygwin ARG # Convert file name ARG from MSYS to Cygwin format. Requires LT_CYGPATH set. # Returns result in func_to_host_file_result. func_convert_file_msys_to_cygwin () { $opt_debug func_to_host_file_result="$1" if test -n "$1"; then func_convert_core_msys_to_w32 "$1" func_cygpath -u "$func_convert_core_msys_to_w32_result" func_to_host_file_result="$func_cygpath_result" fi func_convert_file_check "$1" "$func_to_host_file_result" } # end func_convert_file_msys_to_cygwin # func_convert_file_nix_to_cygwin ARG # Convert file name ARG from *nix to Cygwin format. Requires Cygwin installed # in a wine environment, working winepath, and LT_CYGPATH set. Returns result # in func_to_host_file_result. func_convert_file_nix_to_cygwin () { $opt_debug func_to_host_file_result="$1" if test -n "$1"; then # convert from *nix to w32, then use cygpath to convert from w32 to cygwin. func_convert_core_file_wine_to_w32 "$1" func_cygpath -u "$func_convert_core_file_wine_to_w32_result" func_to_host_file_result="$func_cygpath_result" fi func_convert_file_check "$1" "$func_to_host_file_result" } # end func_convert_file_nix_to_cygwin ############################################# # $build to $host PATH CONVERSION FUNCTIONS # ############################################# # invoked via `$to_host_path_cmd ARG' # # In each case, ARG is the path to be converted from $build to $host format. # The result will be available in $func_to_host_path_result. # # Path separators are also converted from $build format to $host format. If # ARG begins or ends with a path separator character, it is preserved (but # converted to $host format) on output. # # All path conversion functions are named using the following convention: # file name conversion function : func_convert_file_X_to_Y () # path conversion function : func_convert_path_X_to_Y () # where, for any given $build/$host combination the 'X_to_Y' value is the # same. If conversion functions are added for new $build/$host combinations, # the two new functions must follow this pattern, or func_init_to_host_path_cmd # will break. # func_init_to_host_path_cmd # Ensures that function "pointer" variable $to_host_path_cmd is set to the # appropriate value, based on the value of $to_host_file_cmd. to_host_path_cmd= func_init_to_host_path_cmd () { $opt_debug if test -z "$to_host_path_cmd"; then func_stripname 'func_convert_file_' '' "$to_host_file_cmd" to_host_path_cmd="func_convert_path_${func_stripname_result}" fi } # func_to_host_path ARG # Converts the path ARG from $build format to $host format. Return result # in func_to_host_path_result. func_to_host_path () { $opt_debug func_init_to_host_path_cmd $to_host_path_cmd "$1" } # end func_to_host_path # func_convert_path_noop ARG # Copy ARG to func_to_host_path_result. func_convert_path_noop () { func_to_host_path_result="$1" } # end func_convert_path_noop # func_convert_path_msys_to_w32 ARG # Convert path ARG from (mingw) MSYS to (mingw) w32 format; automatic # conversion to w32 is not available inside the cwrapper. Returns result in # func_to_host_path_result. func_convert_path_msys_to_w32 () { $opt_debug func_to_host_path_result="$1" if test -n "$1"; then # Remove leading and trailing path separator characters from ARG. MSYS # behavior is inconsistent here; cygpath turns them into '.;' and ';.'; # and winepath ignores them completely. func_stripname : : "$1" func_to_host_path_tmp1=$func_stripname_result func_convert_core_msys_to_w32 "$func_to_host_path_tmp1" func_to_host_path_result="$func_convert_core_msys_to_w32_result" func_convert_path_check : ";" \ "$func_to_host_path_tmp1" "$func_to_host_path_result" func_convert_path_front_back_pathsep ":*" "*:" ";" "$1" fi } # end func_convert_path_msys_to_w32 # func_convert_path_cygwin_to_w32 ARG # Convert path ARG from Cygwin to w32 format. Returns result in # func_to_host_file_result. func_convert_path_cygwin_to_w32 () { $opt_debug func_to_host_path_result="$1" if test -n "$1"; then # See func_convert_path_msys_to_w32: func_stripname : : "$1" func_to_host_path_tmp1=$func_stripname_result func_to_host_path_result=`cygpath -m -p "$func_to_host_path_tmp1"` func_convert_path_check : ";" \ "$func_to_host_path_tmp1" "$func_to_host_path_result" func_convert_path_front_back_pathsep ":*" "*:" ";" "$1" fi } # end func_convert_path_cygwin_to_w32 # func_convert_path_nix_to_w32 ARG # Convert path ARG from *nix to w32 format. Requires a wine environment and # a working winepath. Returns result in func_to_host_file_result. func_convert_path_nix_to_w32 () { $opt_debug func_to_host_path_result="$1" if test -n "$1"; then # See func_convert_path_msys_to_w32: func_stripname : : "$1" func_to_host_path_tmp1=$func_stripname_result func_convert_core_path_wine_to_w32 "$func_to_host_path_tmp1" func_to_host_path_result="$func_convert_core_path_wine_to_w32_result" func_convert_path_check : ";" \ "$func_to_host_path_tmp1" "$func_to_host_path_result" func_convert_path_front_back_pathsep ":*" "*:" ";" "$1" fi } # end func_convert_path_nix_to_w32 # func_convert_path_msys_to_cygwin ARG # Convert path ARG from MSYS to Cygwin format. Requires LT_CYGPATH set. # Returns result in func_to_host_file_result. func_convert_path_msys_to_cygwin () { $opt_debug func_to_host_path_result="$1" if test -n "$1"; then # See func_convert_path_msys_to_w32: func_stripname : : "$1" func_to_host_path_tmp1=$func_stripname_result func_convert_core_msys_to_w32 "$func_to_host_path_tmp1" func_cygpath -u -p "$func_convert_core_msys_to_w32_result" func_to_host_path_result="$func_cygpath_result" func_convert_path_check : : \ "$func_to_host_path_tmp1" "$func_to_host_path_result" func_convert_path_front_back_pathsep ":*" "*:" : "$1" fi } # end func_convert_path_msys_to_cygwin # func_convert_path_nix_to_cygwin ARG # Convert path ARG from *nix to Cygwin format. Requires Cygwin installed in a # a wine environment, working winepath, and LT_CYGPATH set. Returns result in # func_to_host_file_result. func_convert_path_nix_to_cygwin () { $opt_debug func_to_host_path_result="$1" if test -n "$1"; then # Remove leading and trailing path separator characters from # ARG. msys behavior is inconsistent here, cygpath turns them # into '.;' and ';.', and winepath ignores them completely. func_stripname : : "$1" func_to_host_path_tmp1=$func_stripname_result func_convert_core_path_wine_to_w32 "$func_to_host_path_tmp1" func_cygpath -u -p "$func_convert_core_path_wine_to_w32_result" func_to_host_path_result="$func_cygpath_result" func_convert_path_check : : \ "$func_to_host_path_tmp1" "$func_to_host_path_result" func_convert_path_front_back_pathsep ":*" "*:" : "$1" fi } # end func_convert_path_nix_to_cygwin # func_mode_compile arg... func_mode_compile () { $opt_debug # Get the compilation command and the source file. base_compile= srcfile="$nonopt" # always keep a non-empty value in "srcfile" suppress_opt=yes suppress_output= arg_mode=normal libobj= later= pie_flag= for arg do case $arg_mode in arg ) # do not "continue". Instead, add this to base_compile lastarg="$arg" arg_mode=normal ;; target ) libobj="$arg" arg_mode=normal continue ;; normal ) # Accept any command-line options. case $arg in -o) test -n "$libobj" && \ func_fatal_error "you cannot specify \`-o' more than once" arg_mode=target continue ;; -pie | -fpie | -fPIE) func_append pie_flag " $arg" continue ;; -shared | -static | -prefer-pic | -prefer-non-pic) func_append later " $arg" continue ;; -no-suppress) suppress_opt=no continue ;; -Xcompiler) arg_mode=arg # the next one goes into the "base_compile" arg list continue # The current "srcfile" will either be retained or ;; # replaced later. I would guess that would be a bug. -Wc,*) func_stripname '-Wc,' '' "$arg" args=$func_stripname_result lastarg= save_ifs="$IFS"; IFS=',' for arg in $args; do IFS="$save_ifs" func_append_quoted lastarg "$arg" done IFS="$save_ifs" func_stripname ' ' '' "$lastarg" lastarg=$func_stripname_result # Add the arguments to base_compile. func_append base_compile " $lastarg" continue ;; *) # Accept the current argument as the source file. # The previous "srcfile" becomes the current argument. # lastarg="$srcfile" srcfile="$arg" ;; esac # case $arg ;; esac # case $arg_mode # Aesthetically quote the previous argument. func_append_quoted base_compile "$lastarg" done # for arg case $arg_mode in arg) func_fatal_error "you must specify an argument for -Xcompile" ;; target) func_fatal_error "you must specify a target with \`-o'" ;; *) # Get the name of the library object. test -z "$libobj" && { func_basename "$srcfile" libobj="$func_basename_result" } ;; esac # Recognize several different file suffixes. # If the user specifies -o file.o, it is replaced with file.lo case $libobj in *.[cCFSifmso] | \ *.ada | *.adb | *.ads | *.asm | \ *.c++ | *.cc | *.ii | *.class | *.cpp | *.cxx | \ *.[fF][09]? | *.for | *.java | *.go | *.obj | *.sx | *.cu | *.cup) func_xform "$libobj" libobj=$func_xform_result ;; esac case $libobj in *.lo) func_lo2o "$libobj"; obj=$func_lo2o_result ;; *) func_fatal_error "cannot determine name of library object from \`$libobj'" ;; esac func_infer_tag $base_compile for arg in $later; do case $arg in -shared) test "$build_libtool_libs" != yes && \ func_fatal_configuration "can not build a shared library" build_old_libs=no continue ;; -static) build_libtool_libs=no build_old_libs=yes continue ;; -prefer-pic) pic_mode=yes continue ;; -prefer-non-pic) pic_mode=no continue ;; esac done func_quote_for_eval "$libobj" test "X$libobj" != "X$func_quote_for_eval_result" \ && $ECHO "X$libobj" | $GREP '[]~#^*{};<>?"'"'"' &()|`$[]' \ && func_warning "libobj name \`$libobj' may not contain shell special characters." func_dirname_and_basename "$obj" "/" "" objname="$func_basename_result" xdir="$func_dirname_result" lobj=${xdir}$objdir/$objname test -z "$base_compile" && \ func_fatal_help "you must specify a compilation command" # Delete any leftover library objects. if test "$build_old_libs" = yes; then removelist="$obj $lobj $libobj ${libobj}T" else removelist="$lobj $libobj ${libobj}T" fi # On Cygwin there's no "real" PIC flag so we must build both object types case $host_os in cygwin* | mingw* | pw32* | os2* | cegcc*) pic_mode=default ;; esac if test "$pic_mode" = no && test "$deplibs_check_method" != pass_all; then # non-PIC code in shared libraries is not supported pic_mode=default fi # Calculate the filename of the output object if compiler does # not support -o with -c if test "$compiler_c_o" = no; then output_obj=`$ECHO "$srcfile" | $SED 's%^.*/%%; s%\.[^.]*$%%'`.${objext} lockfile="$output_obj.lock" else output_obj= need_locks=no lockfile= fi # Lock this critical section if it is needed # We use this script file to make the link, it avoids creating a new file if test "$need_locks" = yes; then until $opt_dry_run || ln "$progpath" "$lockfile" 2>/dev/null; do func_echo "Waiting for $lockfile to be removed" sleep 2 done elif test "$need_locks" = warn; then if test -f "$lockfile"; then $ECHO "\ *** ERROR, $lockfile exists and contains: `cat $lockfile 2>/dev/null` This indicates that another process is trying to use the same temporary object file, and libtool could not work around it because your compiler does not support \`-c' and \`-o' together. If you repeat this compilation, it may succeed, by chance, but you had better avoid parallel builds (make -j) in this platform, or get a better compiler." $opt_dry_run || $RM $removelist exit $EXIT_FAILURE fi func_append removelist " $output_obj" $ECHO "$srcfile" > "$lockfile" fi $opt_dry_run || $RM $removelist func_append removelist " $lockfile" trap '$opt_dry_run || $RM $removelist; exit $EXIT_FAILURE' 1 2 15 func_to_tool_file "$srcfile" func_convert_file_msys_to_w32 srcfile=$func_to_tool_file_result func_quote_for_eval "$srcfile" qsrcfile=$func_quote_for_eval_result # Only build a PIC object if we are building libtool libraries. if test "$build_libtool_libs" = yes; then # Without this assignment, base_compile gets emptied. fbsd_hideous_sh_bug=$base_compile if test "$pic_mode" != no; then command="$base_compile $qsrcfile $pic_flag" else # Don't build PIC code command="$base_compile $qsrcfile" fi func_mkdir_p "$xdir$objdir" if test -z "$output_obj"; then # Place PIC objects in $objdir func_append command " -o $lobj" fi func_show_eval_locale "$command" \ 'test -n "$output_obj" && $RM $removelist; exit $EXIT_FAILURE' if test "$need_locks" = warn && test "X`cat $lockfile 2>/dev/null`" != "X$srcfile"; then $ECHO "\ *** ERROR, $lockfile contains: `cat $lockfile 2>/dev/null` but it should contain: $srcfile This indicates that another process is trying to use the same temporary object file, and libtool could not work around it because your compiler does not support \`-c' and \`-o' together. If you repeat this compilation, it may succeed, by chance, but you had better avoid parallel builds (make -j) in this platform, or get a better compiler." $opt_dry_run || $RM $removelist exit $EXIT_FAILURE fi # Just move the object if needed, then go on to compile the next one if test -n "$output_obj" && test "X$output_obj" != "X$lobj"; then func_show_eval '$MV "$output_obj" "$lobj"' \ 'error=$?; $opt_dry_run || $RM $removelist; exit $error' fi # Allow error messages only from the first compilation. if test "$suppress_opt" = yes; then suppress_output=' >/dev/null 2>&1' fi fi # Only build a position-dependent object if we build old libraries. if test "$build_old_libs" = yes; then if test "$pic_mode" != yes; then # Don't build PIC code command="$base_compile $qsrcfile$pie_flag" else command="$base_compile $qsrcfile $pic_flag" fi if test "$compiler_c_o" = yes; then func_append command " -o $obj" fi # Suppress compiler output if we already did a PIC compilation. func_append command "$suppress_output" func_show_eval_locale "$command" \ '$opt_dry_run || $RM $removelist; exit $EXIT_FAILURE' if test "$need_locks" = warn && test "X`cat $lockfile 2>/dev/null`" != "X$srcfile"; then $ECHO "\ *** ERROR, $lockfile contains: `cat $lockfile 2>/dev/null` but it should contain: $srcfile This indicates that another process is trying to use the same temporary object file, and libtool could not work around it because your compiler does not support \`-c' and \`-o' together. If you repeat this compilation, it may succeed, by chance, but you had better avoid parallel builds (make -j) in this platform, or get a better compiler." $opt_dry_run || $RM $removelist exit $EXIT_FAILURE fi # Just move the object if needed if test -n "$output_obj" && test "X$output_obj" != "X$obj"; then func_show_eval '$MV "$output_obj" "$obj"' \ 'error=$?; $opt_dry_run || $RM $removelist; exit $error' fi fi $opt_dry_run || { func_write_libtool_object "$libobj" "$objdir/$objname" "$objname" # Unlock the critical section if it was locked if test "$need_locks" != no; then removelist=$lockfile $RM "$lockfile" fi } exit $EXIT_SUCCESS } $opt_help || { test "$opt_mode" = compile && func_mode_compile ${1+"$@"} } func_mode_help () { # We need to display help for each of the modes. case $opt_mode in "") # Generic help is extracted from the usage comments # at the start of this file. func_help ;; clean) $ECHO \ "Usage: $progname [OPTION]... --mode=clean RM [RM-OPTION]... FILE... Remove files from the build directory. RM is the name of the program to use to delete files associated with each FILE (typically \`/bin/rm'). RM-OPTIONS are options (such as \`-f') to be passed to RM. If FILE is a libtool library, object or program, all the files associated with it are deleted. Otherwise, only FILE itself is deleted using RM." ;; compile) $ECHO \ "Usage: $progname [OPTION]... --mode=compile COMPILE-COMMAND... SOURCEFILE Compile a source file into a libtool library object. This mode accepts the following additional options: -o OUTPUT-FILE set the output file name to OUTPUT-FILE -no-suppress do not suppress compiler output for multiple passes -prefer-pic try to build PIC objects only -prefer-non-pic try to build non-PIC objects only -shared do not build a \`.o' file suitable for static linking -static only build a \`.o' file suitable for static linking -Wc,FLAG pass FLAG directly to the compiler COMPILE-COMMAND is a command to be used in creating a \`standard' object file from the given SOURCEFILE. The output file name is determined by removing the directory component from SOURCEFILE, then substituting the C source code suffix \`.c' with the library object suffix, \`.lo'." ;; execute) $ECHO \ "Usage: $progname [OPTION]... --mode=execute COMMAND [ARGS]... Automatically set library path, then run a program. This mode accepts the following additional options: -dlopen FILE add the directory containing FILE to the library path This mode sets the library path environment variable according to \`-dlopen' flags. If any of the ARGS are libtool executable wrappers, then they are translated into their corresponding uninstalled binary, and any of their required library directories are added to the library path. Then, COMMAND is executed, with ARGS as arguments." ;; finish) $ECHO \ "Usage: $progname [OPTION]... --mode=finish [LIBDIR]... Complete the installation of libtool libraries. Each LIBDIR is a directory that contains libtool libraries. The commands that this mode executes may require superuser privileges. Use the \`--dry-run' option if you just want to see what would be executed." ;; install) $ECHO \ "Usage: $progname [OPTION]... --mode=install INSTALL-COMMAND... Install executables or libraries. INSTALL-COMMAND is the installation command. The first component should be either the \`install' or \`cp' program. The following components of INSTALL-COMMAND are treated specially: -inst-prefix-dir PREFIX-DIR Use PREFIX-DIR as a staging area for installation The rest of the components are interpreted as arguments to that command (only BSD-compatible install options are recognized)." ;; link) $ECHO \ "Usage: $progname [OPTION]... --mode=link LINK-COMMAND... Link object files or libraries together to form another library, or to create an executable program. LINK-COMMAND is a command using the C compiler that you would use to create a program from several object files. The following components of LINK-COMMAND are treated specially: -all-static do not do any dynamic linking at all -avoid-version do not add a version suffix if possible -bindir BINDIR specify path to binaries directory (for systems where libraries must be found in the PATH setting at runtime) -dlopen FILE \`-dlpreopen' FILE if it cannot be dlopened at runtime -dlpreopen FILE link in FILE and add its symbols to lt_preloaded_symbols -export-dynamic allow symbols from OUTPUT-FILE to be resolved with dlsym(3) -export-symbols SYMFILE try to export only the symbols listed in SYMFILE -export-symbols-regex REGEX try to export only the symbols matching REGEX -LLIBDIR search LIBDIR for required installed libraries -lNAME OUTPUT-FILE requires the installed library libNAME -module build a library that can dlopened -no-fast-install disable the fast-install mode -no-install link a not-installable executable -no-undefined declare that a library does not refer to external symbols -o OUTPUT-FILE create OUTPUT-FILE from the specified objects -objectlist FILE Use a list of object files found in FILE to specify objects -precious-files-regex REGEX don't remove output files matching REGEX -release RELEASE specify package release information -rpath LIBDIR the created library will eventually be installed in LIBDIR -R[ ]LIBDIR add LIBDIR to the runtime path of programs and libraries -shared only do dynamic linking of libtool libraries -shrext SUFFIX override the standard shared library file extension -static do not do any dynamic linking of uninstalled libtool libraries -static-libtool-libs do not do any dynamic linking of libtool libraries -version-info CURRENT[:REVISION[:AGE]] specify library version info [each variable defaults to 0] -weak LIBNAME declare that the target provides the LIBNAME interface -Wc,FLAG -Xcompiler FLAG pass linker-specific FLAG directly to the compiler -Wl,FLAG -Xlinker FLAG pass linker-specific FLAG directly to the linker -XCClinker FLAG pass link-specific FLAG to the compiler driver (CC) All other options (arguments beginning with \`-') are ignored. Every other argument is treated as a filename. Files ending in \`.la' are treated as uninstalled libtool libraries, other files are standard or library object files. If the OUTPUT-FILE ends in \`.la', then a libtool library is created, only library objects (\`.lo' files) may be specified, and \`-rpath' is required, except when creating a convenience library. If OUTPUT-FILE ends in \`.a' or \`.lib', then a standard library is created using \`ar' and \`ranlib', or on Windows using \`lib'. If OUTPUT-FILE ends in \`.lo' or \`.${objext}', then a reloadable object file is created, otherwise an executable program is created." ;; uninstall) $ECHO \ "Usage: $progname [OPTION]... --mode=uninstall RM [RM-OPTION]... FILE... Remove libraries from an installation directory. RM is the name of the program to use to delete files associated with each FILE (typically \`/bin/rm'). RM-OPTIONS are options (such as \`-f') to be passed to RM. If FILE is a libtool library, all the files associated with it are deleted. Otherwise, only FILE itself is deleted using RM." ;; *) func_fatal_help "invalid operation mode \`$opt_mode'" ;; esac echo $ECHO "Try \`$progname --help' for more information about other modes." } # Now that we've collected a possible --mode arg, show help if necessary if $opt_help; then if test "$opt_help" = :; then func_mode_help else { func_help noexit for opt_mode in compile link execute install finish uninstall clean; do func_mode_help done } | sed -n '1p; 2,$s/^Usage:/ or: /p' { func_help noexit for opt_mode in compile link execute install finish uninstall clean; do echo func_mode_help done } | sed '1d /^When reporting/,/^Report/{ H d } $x /information about other modes/d /more detailed .*MODE/d s/^Usage:.*--mode=\([^ ]*\) .*/Description of \1 mode:/' fi exit $? fi # func_mode_execute arg... func_mode_execute () { $opt_debug # The first argument is the command name. cmd="$nonopt" test -z "$cmd" && \ func_fatal_help "you must specify a COMMAND" # Handle -dlopen flags immediately. for file in $opt_dlopen; do test -f "$file" \ || func_fatal_help "\`$file' is not a file" dir= case $file in *.la) func_resolve_sysroot "$file" file=$func_resolve_sysroot_result # Check to see that this really is a libtool archive. func_lalib_unsafe_p "$file" \ || func_fatal_help "\`$lib' is not a valid libtool archive" # Read the libtool library. dlname= library_names= func_source "$file" # Skip this library if it cannot be dlopened. if test -z "$dlname"; then # Warn if it was a shared library. test -n "$library_names" && \ func_warning "\`$file' was not linked with \`-export-dynamic'" continue fi func_dirname "$file" "" "." dir="$func_dirname_result" if test -f "$dir/$objdir/$dlname"; then func_append dir "/$objdir" else if test ! -f "$dir/$dlname"; then func_fatal_error "cannot find \`$dlname' in \`$dir' or \`$dir/$objdir'" fi fi ;; *.lo) # Just add the directory containing the .lo file. func_dirname "$file" "" "." dir="$func_dirname_result" ;; *) func_warning "\`-dlopen' is ignored for non-libtool libraries and objects" continue ;; esac # Get the absolute pathname. absdir=`cd "$dir" && pwd` test -n "$absdir" && dir="$absdir" # Now add the directory to shlibpath_var. if eval "test -z \"\$$shlibpath_var\""; then eval "$shlibpath_var=\"\$dir\"" else eval "$shlibpath_var=\"\$dir:\$$shlibpath_var\"" fi done # This variable tells wrapper scripts just to set shlibpath_var # rather than running their programs. libtool_execute_magic="$magic" # Check if any of the arguments is a wrapper script. args= for file do case $file in -* | *.la | *.lo ) ;; *) # Do a test to see if this is really a libtool program. if func_ltwrapper_script_p "$file"; then func_source "$file" # Transform arg to wrapped name. file="$progdir/$program" elif func_ltwrapper_executable_p "$file"; then func_ltwrapper_scriptname "$file" func_source "$func_ltwrapper_scriptname_result" # Transform arg to wrapped name. file="$progdir/$program" fi ;; esac # Quote arguments (to preserve shell metacharacters). func_append_quoted args "$file" done if test "X$opt_dry_run" = Xfalse; then if test -n "$shlibpath_var"; then # Export the shlibpath_var. eval "export $shlibpath_var" fi # Restore saved environment variables for lt_var in LANG LANGUAGE LC_ALL LC_CTYPE LC_COLLATE LC_MESSAGES do eval "if test \"\${save_$lt_var+set}\" = set; then $lt_var=\$save_$lt_var; export $lt_var else $lt_unset $lt_var fi" done # Now prepare to actually exec the command. exec_cmd="\$cmd$args" else # Display what would be done. if test -n "$shlibpath_var"; then eval "\$ECHO \"\$shlibpath_var=\$$shlibpath_var\"" echo "export $shlibpath_var" fi $ECHO "$cmd$args" exit $EXIT_SUCCESS fi } test "$opt_mode" = execute && func_mode_execute ${1+"$@"} # func_mode_finish arg... func_mode_finish () { $opt_debug libs= libdirs= admincmds= for opt in "$nonopt" ${1+"$@"} do if test -d "$opt"; then func_append libdirs " $opt" elif test -f "$opt"; then if func_lalib_unsafe_p "$opt"; then func_append libs " $opt" else func_warning "\`$opt' is not a valid libtool archive" fi else func_fatal_error "invalid argument \`$opt'" fi done if test -n "$libs"; then if test -n "$lt_sysroot"; then sysroot_regex=`$ECHO "$lt_sysroot" | $SED "$sed_make_literal_regex"` sysroot_cmd="s/\([ ']\)$sysroot_regex/\1/g;" else sysroot_cmd= fi # Remove sysroot references if $opt_dry_run; then for lib in $libs; do echo "removing references to $lt_sysroot and \`=' prefixes from $lib" done else tmpdir=`func_mktempdir` for lib in $libs; do sed -e "${sysroot_cmd} s/\([ ']-[LR]\)=/\1/g; s/\([ ']\)=/\1/g" $lib \ > $tmpdir/tmp-la mv -f $tmpdir/tmp-la $lib done ${RM}r "$tmpdir" fi fi if test -n "$finish_cmds$finish_eval" && test -n "$libdirs"; then for libdir in $libdirs; do if test -n "$finish_cmds"; then # Do each command in the finish commands. func_execute_cmds "$finish_cmds" 'admincmds="$admincmds '"$cmd"'"' fi if test -n "$finish_eval"; then # Do the single finish_eval. eval cmds=\"$finish_eval\" $opt_dry_run || eval "$cmds" || func_append admincmds " $cmds" fi done fi # Exit here if they wanted silent mode. $opt_silent && exit $EXIT_SUCCESS if test -n "$finish_cmds$finish_eval" && test -n "$libdirs"; then echo "----------------------------------------------------------------------" echo "Libraries have been installed in:" for libdir in $libdirs; do $ECHO " $libdir" done echo echo "If you ever happen to want to link against installed libraries" echo "in a given directory, LIBDIR, you must either use libtool, and" echo "specify the full pathname of the library, or use the \`-LLIBDIR'" echo "flag during linking and do at least one of the following:" if test -n "$shlibpath_var"; then echo " - add LIBDIR to the \`$shlibpath_var' environment variable" echo " during execution" fi if test -n "$runpath_var"; then echo " - add LIBDIR to the \`$runpath_var' environment variable" echo " during linking" fi if test -n "$hardcode_libdir_flag_spec"; then libdir=LIBDIR eval flag=\"$hardcode_libdir_flag_spec\" $ECHO " - use the \`$flag' linker flag" fi if test -n "$admincmds"; then $ECHO " - have your system administrator run these commands:$admincmds" fi if test -f /etc/ld.so.conf; then echo " - have your system administrator add LIBDIR to \`/etc/ld.so.conf'" fi echo echo "See any operating system documentation about shared libraries for" case $host in solaris2.[6789]|solaris2.1[0-9]) echo "more information, such as the ld(1), crle(1) and ld.so(8) manual" echo "pages." ;; *) echo "more information, such as the ld(1) and ld.so(8) manual pages." ;; esac echo "----------------------------------------------------------------------" fi exit $EXIT_SUCCESS } test "$opt_mode" = finish && func_mode_finish ${1+"$@"} # func_mode_install arg... func_mode_install () { $opt_debug # There may be an optional sh(1) argument at the beginning of # install_prog (especially on Windows NT). if test "$nonopt" = "$SHELL" || test "$nonopt" = /bin/sh || # Allow the use of GNU shtool's install command. case $nonopt in *shtool*) :;; *) false;; esac; then # Aesthetically quote it. func_quote_for_eval "$nonopt" install_prog="$func_quote_for_eval_result " arg=$1 shift else install_prog= arg=$nonopt fi # The real first argument should be the name of the installation program. # Aesthetically quote it. func_quote_for_eval "$arg" func_append install_prog "$func_quote_for_eval_result" install_shared_prog=$install_prog case " $install_prog " in *[\\\ /]cp\ *) install_cp=: ;; *) install_cp=false ;; esac # We need to accept at least all the BSD install flags. dest= files= opts= prev= install_type= isdir=no stripme= no_mode=: for arg do arg2= if test -n "$dest"; then func_append files " $dest" dest=$arg continue fi case $arg in -d) isdir=yes ;; -f) if $install_cp; then :; else prev=$arg fi ;; -g | -m | -o) prev=$arg ;; -s) stripme=" -s" continue ;; -*) ;; *) # If the previous option needed an argument, then skip it. if test -n "$prev"; then if test "x$prev" = x-m && test -n "$install_override_mode"; then arg2=$install_override_mode no_mode=false fi prev= else dest=$arg continue fi ;; esac # Aesthetically quote the argument. func_quote_for_eval "$arg" func_append install_prog " $func_quote_for_eval_result" if test -n "$arg2"; then func_quote_for_eval "$arg2" fi func_append install_shared_prog " $func_quote_for_eval_result" done test -z "$install_prog" && \ func_fatal_help "you must specify an install program" test -n "$prev" && \ func_fatal_help "the \`$prev' option requires an argument" if test -n "$install_override_mode" && $no_mode; then if $install_cp; then :; else func_quote_for_eval "$install_override_mode" func_append install_shared_prog " -m $func_quote_for_eval_result" fi fi if test -z "$files"; then if test -z "$dest"; then func_fatal_help "no file or destination specified" else func_fatal_help "you must specify a destination" fi fi # Strip any trailing slash from the destination. func_stripname '' '/' "$dest" dest=$func_stripname_result # Check to see that the destination is a directory. test -d "$dest" && isdir=yes if test "$isdir" = yes; then destdir="$dest" destname= else func_dirname_and_basename "$dest" "" "." destdir="$func_dirname_result" destname="$func_basename_result" # Not a directory, so check to see that there is only one file specified. set dummy $files; shift test "$#" -gt 1 && \ func_fatal_help "\`$dest' is not a directory" fi case $destdir in [\\/]* | [A-Za-z]:[\\/]*) ;; *) for file in $files; do case $file in *.lo) ;; *) func_fatal_help "\`$destdir' must be an absolute directory name" ;; esac done ;; esac # This variable tells wrapper scripts just to set variables rather # than running their programs. libtool_install_magic="$magic" staticlibs= future_libdirs= current_libdirs= for file in $files; do # Do each installation. case $file in *.$libext) # Do the static libraries later. func_append staticlibs " $file" ;; *.la) func_resolve_sysroot "$file" file=$func_resolve_sysroot_result # Check to see that this really is a libtool archive. func_lalib_unsafe_p "$file" \ || func_fatal_help "\`$file' is not a valid libtool archive" library_names= old_library= relink_command= func_source "$file" # Add the libdir to current_libdirs if it is the destination. if test "X$destdir" = "X$libdir"; then case "$current_libdirs " in *" $libdir "*) ;; *) func_append current_libdirs " $libdir" ;; esac else # Note the libdir as a future libdir. case "$future_libdirs " in *" $libdir "*) ;; *) func_append future_libdirs " $libdir" ;; esac fi func_dirname "$file" "/" "" dir="$func_dirname_result" func_append dir "$objdir" if test -n "$relink_command"; then # Determine the prefix the user has applied to our future dir. inst_prefix_dir=`$ECHO "$destdir" | $SED -e "s%$libdir\$%%"` # Don't allow the user to place us outside of our expected # location b/c this prevents finding dependent libraries that # are installed to the same prefix. # At present, this check doesn't affect windows .dll's that # are installed into $libdir/../bin (currently, that works fine) # but it's something to keep an eye on. test "$inst_prefix_dir" = "$destdir" && \ func_fatal_error "error: cannot install \`$file' to a directory not ending in $libdir" if test -n "$inst_prefix_dir"; then # Stick the inst_prefix_dir data into the link command. relink_command=`$ECHO "$relink_command" | $SED "s%@inst_prefix_dir@%-inst-prefix-dir $inst_prefix_dir%"` else relink_command=`$ECHO "$relink_command" | $SED "s%@inst_prefix_dir@%%"` fi func_warning "relinking \`$file'" func_show_eval "$relink_command" \ 'func_fatal_error "error: relink \`$file'\'' with the above command before installing it"' fi # See the names of the shared library. set dummy $library_names; shift if test -n "$1"; then realname="$1" shift srcname="$realname" test -n "$relink_command" && srcname="$realname"T # Install the shared library and build the symlinks. func_show_eval "$install_shared_prog $dir/$srcname $destdir/$realname" \ 'exit $?' tstripme="$stripme" case $host_os in cygwin* | mingw* | pw32* | cegcc*) case $realname in *.dll.a) tstripme="" ;; esac ;; esac if test -n "$tstripme" && test -n "$striplib"; then func_show_eval "$striplib $destdir/$realname" 'exit $?' fi if test "$#" -gt 0; then # Delete the old symlinks, and create new ones. # Try `ln -sf' first, because the `ln' binary might depend on # the symlink we replace! Solaris /bin/ln does not understand -f, # so we also need to try rm && ln -s. for linkname do test "$linkname" != "$realname" \ && func_show_eval "(cd $destdir && { $LN_S -f $realname $linkname || { $RM $linkname && $LN_S $realname $linkname; }; })" done fi # Do each command in the postinstall commands. lib="$destdir/$realname" func_execute_cmds "$postinstall_cmds" 'exit $?' fi # Install the pseudo-library for information purposes. func_basename "$file" name="$func_basename_result" instname="$dir/$name"i func_show_eval "$install_prog $instname $destdir/$name" 'exit $?' # Maybe install the static library, too. test -n "$old_library" && func_append staticlibs " $dir/$old_library" ;; *.lo) # Install (i.e. copy) a libtool object. # Figure out destination file name, if it wasn't already specified. if test -n "$destname"; then destfile="$destdir/$destname" else func_basename "$file" destfile="$func_basename_result" destfile="$destdir/$destfile" fi # Deduce the name of the destination old-style object file. case $destfile in *.lo) func_lo2o "$destfile" staticdest=$func_lo2o_result ;; *.$objext) staticdest="$destfile" destfile= ;; *) func_fatal_help "cannot copy a libtool object to \`$destfile'" ;; esac # Install the libtool object if requested. test -n "$destfile" && \ func_show_eval "$install_prog $file $destfile" 'exit $?' # Install the old object if enabled. if test "$build_old_libs" = yes; then # Deduce the name of the old-style object file. func_lo2o "$file" staticobj=$func_lo2o_result func_show_eval "$install_prog \$staticobj \$staticdest" 'exit $?' fi exit $EXIT_SUCCESS ;; *) # Figure out destination file name, if it wasn't already specified. if test -n "$destname"; then destfile="$destdir/$destname" else func_basename "$file" destfile="$func_basename_result" destfile="$destdir/$destfile" fi # If the file is missing, and there is a .exe on the end, strip it # because it is most likely a libtool script we actually want to # install stripped_ext="" case $file in *.exe) if test ! -f "$file"; then func_stripname '' '.exe' "$file" file=$func_stripname_result stripped_ext=".exe" fi ;; esac # Do a test to see if this is really a libtool program. case $host in *cygwin* | *mingw*) if func_ltwrapper_executable_p "$file"; then func_ltwrapper_scriptname "$file" wrapper=$func_ltwrapper_scriptname_result else func_stripname '' '.exe' "$file" wrapper=$func_stripname_result fi ;; *) wrapper=$file ;; esac if func_ltwrapper_script_p "$wrapper"; then notinst_deplibs= relink_command= func_source "$wrapper" # Check the variables that should have been set. test -z "$generated_by_libtool_version" && \ func_fatal_error "invalid libtool wrapper script \`$wrapper'" finalize=yes for lib in $notinst_deplibs; do # Check to see that each library is installed. libdir= if test -f "$lib"; then func_source "$lib" fi libfile="$libdir/"`$ECHO "$lib" | $SED 's%^.*/%%g'` ### testsuite: skip nested quoting test if test -n "$libdir" && test ! -f "$libfile"; then func_warning "\`$lib' has not been installed in \`$libdir'" finalize=no fi done relink_command= func_source "$wrapper" outputname= if test "$fast_install" = no && test -n "$relink_command"; then $opt_dry_run || { if test "$finalize" = yes; then tmpdir=`func_mktempdir` func_basename "$file$stripped_ext" file="$func_basename_result" outputname="$tmpdir/$file" # Replace the output file specification. relink_command=`$ECHO "$relink_command" | $SED 's%@OUTPUT@%'"$outputname"'%g'` $opt_silent || { func_quote_for_expand "$relink_command" eval "func_echo $func_quote_for_expand_result" } if eval "$relink_command"; then : else func_error "error: relink \`$file' with the above command before installing it" $opt_dry_run || ${RM}r "$tmpdir" continue fi file="$outputname" else func_warning "cannot relink \`$file'" fi } else # Install the binary that we compiled earlier. file=`$ECHO "$file$stripped_ext" | $SED "s%\([^/]*\)$%$objdir/\1%"` fi fi # remove .exe since cygwin /usr/bin/install will append another # one anyway case $install_prog,$host in */usr/bin/install*,*cygwin*) case $file:$destfile in *.exe:*.exe) # this is ok ;; *.exe:*) destfile=$destfile.exe ;; *:*.exe) func_stripname '' '.exe' "$destfile" destfile=$func_stripname_result ;; esac ;; esac func_show_eval "$install_prog\$stripme \$file \$destfile" 'exit $?' $opt_dry_run || if test -n "$outputname"; then ${RM}r "$tmpdir" fi ;; esac done for file in $staticlibs; do func_basename "$file" name="$func_basename_result" # Set up the ranlib parameters. oldlib="$destdir/$name" func_to_tool_file "$oldlib" func_convert_file_msys_to_w32 tool_oldlib=$func_to_tool_file_result func_show_eval "$install_prog \$file \$oldlib" 'exit $?' if test -n "$stripme" && test -n "$old_striplib"; then func_show_eval "$old_striplib $tool_oldlib" 'exit $?' fi # Do each command in the postinstall commands. func_execute_cmds "$old_postinstall_cmds" 'exit $?' done test -n "$future_libdirs" && \ func_warning "remember to run \`$progname --finish$future_libdirs'" if test -n "$current_libdirs"; then # Maybe just do a dry run. $opt_dry_run && current_libdirs=" -n$current_libdirs" exec_cmd='$SHELL $progpath $preserve_args --finish$current_libdirs' else exit $EXIT_SUCCESS fi } test "$opt_mode" = install && func_mode_install ${1+"$@"} # func_generate_dlsyms outputname originator pic_p # Extract symbols from dlprefiles and create ${outputname}S.o with # a dlpreopen symbol table. func_generate_dlsyms () { $opt_debug my_outputname="$1" my_originator="$2" my_pic_p="${3-no}" my_prefix=`$ECHO "$my_originator" | sed 's%[^a-zA-Z0-9]%_%g'` my_dlsyms= if test -n "$dlfiles$dlprefiles" || test "$dlself" != no; then if test -n "$NM" && test -n "$global_symbol_pipe"; then my_dlsyms="${my_outputname}S.c" else func_error "not configured to extract global symbols from dlpreopened files" fi fi if test -n "$my_dlsyms"; then case $my_dlsyms in "") ;; *.c) # Discover the nlist of each of the dlfiles. nlist="$output_objdir/${my_outputname}.nm" func_show_eval "$RM $nlist ${nlist}S ${nlist}T" # Parse the name list into a source file. func_verbose "creating $output_objdir/$my_dlsyms" $opt_dry_run || $ECHO > "$output_objdir/$my_dlsyms" "\ /* $my_dlsyms - symbol resolution table for \`$my_outputname' dlsym emulation. */ /* Generated by $PROGRAM (GNU $PACKAGE$TIMESTAMP) $VERSION */ #ifdef __cplusplus extern \"C\" { #endif #if defined(__GNUC__) && (((__GNUC__ == 4) && (__GNUC_MINOR__ >= 4)) || (__GNUC__ > 4)) #pragma GCC diagnostic ignored \"-Wstrict-prototypes\" #endif /* Keep this code in sync between libtool.m4, ltmain, lt_system.h, and tests. */ #if defined(_WIN32) || defined(__CYGWIN__) || defined(_WIN32_WCE) /* DATA imports from DLLs on WIN32 con't be const, because runtime relocations are performed -- see ld's documentation on pseudo-relocs. */ # define LT_DLSYM_CONST #elif defined(__osf__) /* This system does not cope well with relocations in const data. */ # define LT_DLSYM_CONST #else # define LT_DLSYM_CONST const #endif /* External symbol declarations for the compiler. */\ " if test "$dlself" = yes; then func_verbose "generating symbol list for \`$output'" $opt_dry_run || echo ': @PROGRAM@ ' > "$nlist" # Add our own program objects to the symbol list. progfiles=`$ECHO "$objs$old_deplibs" | $SP2NL | $SED "$lo2o" | $NL2SP` for progfile in $progfiles; do func_to_tool_file "$progfile" func_convert_file_msys_to_w32 func_verbose "extracting global C symbols from \`$func_to_tool_file_result'" $opt_dry_run || eval "$NM $func_to_tool_file_result | $global_symbol_pipe >> '$nlist'" done if test -n "$exclude_expsyms"; then $opt_dry_run || { eval '$EGREP -v " ($exclude_expsyms)$" "$nlist" > "$nlist"T' eval '$MV "$nlist"T "$nlist"' } fi if test -n "$export_symbols_regex"; then $opt_dry_run || { eval '$EGREP -e "$export_symbols_regex" "$nlist" > "$nlist"T' eval '$MV "$nlist"T "$nlist"' } fi # Prepare the list of exported symbols if test -z "$export_symbols"; then export_symbols="$output_objdir/$outputname.exp" $opt_dry_run || { $RM $export_symbols eval "${SED} -n -e '/^: @PROGRAM@ $/d' -e 's/^.* \(.*\)$/\1/p' "'< "$nlist" > "$export_symbols"' case $host in *cygwin* | *mingw* | *cegcc* ) eval "echo EXPORTS "'> "$output_objdir/$outputname.def"' eval 'cat "$export_symbols" >> "$output_objdir/$outputname.def"' ;; esac } else $opt_dry_run || { eval "${SED} -e 's/\([].[*^$]\)/\\\\\1/g' -e 's/^/ /' -e 's/$/$/'"' < "$export_symbols" > "$output_objdir/$outputname.exp"' eval '$GREP -f "$output_objdir/$outputname.exp" < "$nlist" > "$nlist"T' eval '$MV "$nlist"T "$nlist"' case $host in *cygwin* | *mingw* | *cegcc* ) eval "echo EXPORTS "'> "$output_objdir/$outputname.def"' eval 'cat "$nlist" >> "$output_objdir/$outputname.def"' ;; esac } fi fi for dlprefile in $dlprefiles; do func_verbose "extracting global C symbols from \`$dlprefile'" func_basename "$dlprefile" name="$func_basename_result" case $host in *cygwin* | *mingw* | *cegcc* ) # if an import library, we need to obtain dlname if func_win32_import_lib_p "$dlprefile"; then func_tr_sh "$dlprefile" eval "curr_lafile=\$libfile_$func_tr_sh_result" dlprefile_dlbasename="" if test -n "$curr_lafile" && func_lalib_p "$curr_lafile"; then # Use subshell, to avoid clobbering current variable values dlprefile_dlname=`source "$curr_lafile" && echo "$dlname"` if test -n "$dlprefile_dlname" ; then func_basename "$dlprefile_dlname" dlprefile_dlbasename="$func_basename_result" else # no lafile. user explicitly requested -dlpreopen . $sharedlib_from_linklib_cmd "$dlprefile" dlprefile_dlbasename=$sharedlib_from_linklib_result fi fi $opt_dry_run || { if test -n "$dlprefile_dlbasename" ; then eval '$ECHO ": $dlprefile_dlbasename" >> "$nlist"' else func_warning "Could not compute DLL name from $name" eval '$ECHO ": $name " >> "$nlist"' fi func_to_tool_file "$dlprefile" func_convert_file_msys_to_w32 eval "$NM \"$func_to_tool_file_result\" 2>/dev/null | $global_symbol_pipe | $SED -e '/I __imp/d' -e 's/I __nm_/D /;s/_nm__//' >> '$nlist'" } else # not an import lib $opt_dry_run || { eval '$ECHO ": $name " >> "$nlist"' func_to_tool_file "$dlprefile" func_convert_file_msys_to_w32 eval "$NM \"$func_to_tool_file_result\" 2>/dev/null | $global_symbol_pipe >> '$nlist'" } fi ;; *) $opt_dry_run || { eval '$ECHO ": $name " >> "$nlist"' func_to_tool_file "$dlprefile" func_convert_file_msys_to_w32 eval "$NM \"$func_to_tool_file_result\" 2>/dev/null | $global_symbol_pipe >> '$nlist'" } ;; esac done $opt_dry_run || { # Make sure we have at least an empty file. test -f "$nlist" || : > "$nlist" if test -n "$exclude_expsyms"; then $EGREP -v " ($exclude_expsyms)$" "$nlist" > "$nlist"T $MV "$nlist"T "$nlist" fi # Try sorting and uniquifying the output. if $GREP -v "^: " < "$nlist" | if sort -k 3 /dev/null 2>&1; then sort -k 3 else sort +2 fi | uniq > "$nlist"S; then : else $GREP -v "^: " < "$nlist" > "$nlist"S fi if test -f "$nlist"S; then eval "$global_symbol_to_cdecl"' < "$nlist"S >> "$output_objdir/$my_dlsyms"' else echo '/* NONE */' >> "$output_objdir/$my_dlsyms" fi echo >> "$output_objdir/$my_dlsyms" "\ /* The mapping between symbol names and symbols. */ typedef struct { const char *name; void *address; } lt_dlsymlist; extern LT_DLSYM_CONST lt_dlsymlist lt_${my_prefix}_LTX_preloaded_symbols[]; LT_DLSYM_CONST lt_dlsymlist lt_${my_prefix}_LTX_preloaded_symbols[] = {\ { \"$my_originator\", (void *) 0 }," case $need_lib_prefix in no) eval "$global_symbol_to_c_name_address" < "$nlist" >> "$output_objdir/$my_dlsyms" ;; *) eval "$global_symbol_to_c_name_address_lib_prefix" < "$nlist" >> "$output_objdir/$my_dlsyms" ;; esac echo >> "$output_objdir/$my_dlsyms" "\ {0, (void *) 0} }; /* This works around a problem in FreeBSD linker */ #ifdef FREEBSD_WORKAROUND static const void *lt_preloaded_setup() { return lt_${my_prefix}_LTX_preloaded_symbols; } #endif #ifdef __cplusplus } #endif\ " } # !$opt_dry_run pic_flag_for_symtable= case "$compile_command " in *" -static "*) ;; *) case $host in # compiling the symbol table file with pic_flag works around # a FreeBSD bug that causes programs to crash when -lm is # linked before any other PIC object. But we must not use # pic_flag when linking with -static. The problem exists in # FreeBSD 2.2.6 and is fixed in FreeBSD 3.1. *-*-freebsd2.*|*-*-freebsd3.0*|*-*-freebsdelf3.0*) pic_flag_for_symtable=" $pic_flag -DFREEBSD_WORKAROUND" ;; *-*-hpux*) pic_flag_for_symtable=" $pic_flag" ;; *) if test "X$my_pic_p" != Xno; then pic_flag_for_symtable=" $pic_flag" fi ;; esac ;; esac symtab_cflags= for arg in $LTCFLAGS; do case $arg in -pie | -fpie | -fPIE) ;; *) func_append symtab_cflags " $arg" ;; esac done # Now compile the dynamic symbol file. func_show_eval '(cd $output_objdir && $LTCC$symtab_cflags -c$no_builtin_flag$pic_flag_for_symtable "$my_dlsyms")' 'exit $?' # Clean up the generated files. func_show_eval '$RM "$output_objdir/$my_dlsyms" "$nlist" "${nlist}S" "${nlist}T"' # Transform the symbol file into the correct name. symfileobj="$output_objdir/${my_outputname}S.$objext" case $host in *cygwin* | *mingw* | *cegcc* ) if test -f "$output_objdir/$my_outputname.def"; then compile_command=`$ECHO "$compile_command" | $SED "s%@SYMFILE@%$output_objdir/$my_outputname.def $symfileobj%"` finalize_command=`$ECHO "$finalize_command" | $SED "s%@SYMFILE@%$output_objdir/$my_outputname.def $symfileobj%"` else compile_command=`$ECHO "$compile_command" | $SED "s%@SYMFILE@%$symfileobj%"` finalize_command=`$ECHO "$finalize_command" | $SED "s%@SYMFILE@%$symfileobj%"` fi ;; *) compile_command=`$ECHO "$compile_command" | $SED "s%@SYMFILE@%$symfileobj%"` finalize_command=`$ECHO "$finalize_command" | $SED "s%@SYMFILE@%$symfileobj%"` ;; esac ;; *) func_fatal_error "unknown suffix for \`$my_dlsyms'" ;; esac else # We keep going just in case the user didn't refer to # lt_preloaded_symbols. The linker will fail if global_symbol_pipe # really was required. # Nullify the symbol file. compile_command=`$ECHO "$compile_command" | $SED "s% @SYMFILE@%%"` finalize_command=`$ECHO "$finalize_command" | $SED "s% @SYMFILE@%%"` fi } # func_win32_libid arg # return the library type of file 'arg' # # Need a lot of goo to handle *both* DLLs and import libs # Has to be a shell function in order to 'eat' the argument # that is supplied when $file_magic_command is called. # Despite the name, also deal with 64 bit binaries. func_win32_libid () { $opt_debug win32_libid_type="unknown" win32_fileres=`file -L $1 2>/dev/null` case $win32_fileres in *ar\ archive\ import\ library*) # definitely import win32_libid_type="x86 archive import" ;; *ar\ archive*) # could be an import, or static # Keep the egrep pattern in sync with the one in _LT_CHECK_MAGIC_METHOD. if eval $OBJDUMP -f $1 | $SED -e '10q' 2>/dev/null | $EGREP 'file format (pei*-i386(.*architecture: i386)?|pe-arm-wince|pe-x86-64)' >/dev/null; then func_to_tool_file "$1" func_convert_file_msys_to_w32 win32_nmres=`eval $NM -f posix -A \"$func_to_tool_file_result\" | $SED -n -e ' 1,100{ / I /{ s,.*,import, p q } }'` case $win32_nmres in import*) win32_libid_type="x86 archive import";; *) win32_libid_type="x86 archive static";; esac fi ;; *DLL*) win32_libid_type="x86 DLL" ;; *executable*) # but shell scripts are "executable" too... case $win32_fileres in *MS\ Windows\ PE\ Intel*) win32_libid_type="x86 DLL" ;; esac ;; esac $ECHO "$win32_libid_type" } # func_cygming_dll_for_implib ARG # # Platform-specific function to extract the # name of the DLL associated with the specified # import library ARG. # Invoked by eval'ing the libtool variable # $sharedlib_from_linklib_cmd # Result is available in the variable # $sharedlib_from_linklib_result func_cygming_dll_for_implib () { $opt_debug sharedlib_from_linklib_result=`$DLLTOOL --identify-strict --identify "$1"` } # func_cygming_dll_for_implib_fallback_core SECTION_NAME LIBNAMEs # # The is the core of a fallback implementation of a # platform-specific function to extract the name of the # DLL associated with the specified import library LIBNAME. # # SECTION_NAME is either .idata$6 or .idata$7, depending # on the platform and compiler that created the implib. # # Echos the name of the DLL associated with the # specified import library. func_cygming_dll_for_implib_fallback_core () { $opt_debug match_literal=`$ECHO "$1" | $SED "$sed_make_literal_regex"` $OBJDUMP -s --section "$1" "$2" 2>/dev/null | $SED '/^Contents of section '"$match_literal"':/{ # Place marker at beginning of archive member dllname section s/.*/====MARK====/ p d } # These lines can sometimes be longer than 43 characters, but # are always uninteresting /:[ ]*file format pe[i]\{,1\}-/d /^In archive [^:]*:/d # Ensure marker is printed /^====MARK====/p # Remove all lines with less than 43 characters /^.\{43\}/!d # From remaining lines, remove first 43 characters s/^.\{43\}//' | $SED -n ' # Join marker and all lines until next marker into a single line /^====MARK====/ b para H $ b para b :para x s/\n//g # Remove the marker s/^====MARK====// # Remove trailing dots and whitespace s/[\. \t]*$// # Print /./p' | # we now have a list, one entry per line, of the stringified # contents of the appropriate section of all members of the # archive which possess that section. Heuristic: eliminate # all those which have a first or second character that is # a '.' (that is, objdump's representation of an unprintable # character.) This should work for all archives with less than # 0x302f exports -- but will fail for DLLs whose name actually # begins with a literal '.' or a single character followed by # a '.'. # # Of those that remain, print the first one. $SED -e '/^\./d;/^.\./d;q' } # func_cygming_gnu_implib_p ARG # This predicate returns with zero status (TRUE) if # ARG is a GNU/binutils-style import library. Returns # with nonzero status (FALSE) otherwise. func_cygming_gnu_implib_p () { $opt_debug func_to_tool_file "$1" func_convert_file_msys_to_w32 func_cygming_gnu_implib_tmp=`$NM "$func_to_tool_file_result" | eval "$global_symbol_pipe" | $EGREP ' (_head_[A-Za-z0-9_]+_[ad]l*|[A-Za-z0-9_]+_[ad]l*_iname)$'` test -n "$func_cygming_gnu_implib_tmp" } # func_cygming_ms_implib_p ARG # This predicate returns with zero status (TRUE) if # ARG is an MS-style import library. Returns # with nonzero status (FALSE) otherwise. func_cygming_ms_implib_p () { $opt_debug func_to_tool_file "$1" func_convert_file_msys_to_w32 func_cygming_ms_implib_tmp=`$NM "$func_to_tool_file_result" | eval "$global_symbol_pipe" | $GREP '_NULL_IMPORT_DESCRIPTOR'` test -n "$func_cygming_ms_implib_tmp" } # func_cygming_dll_for_implib_fallback ARG # Platform-specific function to extract the # name of the DLL associated with the specified # import library ARG. # # This fallback implementation is for use when $DLLTOOL # does not support the --identify-strict option. # Invoked by eval'ing the libtool variable # $sharedlib_from_linklib_cmd # Result is available in the variable # $sharedlib_from_linklib_result func_cygming_dll_for_implib_fallback () { $opt_debug if func_cygming_gnu_implib_p "$1" ; then # binutils import library sharedlib_from_linklib_result=`func_cygming_dll_for_implib_fallback_core '.idata$7' "$1"` elif func_cygming_ms_implib_p "$1" ; then # ms-generated import library sharedlib_from_linklib_result=`func_cygming_dll_for_implib_fallback_core '.idata$6' "$1"` else # unknown sharedlib_from_linklib_result="" fi } # func_extract_an_archive dir oldlib func_extract_an_archive () { $opt_debug f_ex_an_ar_dir="$1"; shift f_ex_an_ar_oldlib="$1" if test "$lock_old_archive_extraction" = yes; then lockfile=$f_ex_an_ar_oldlib.lock until $opt_dry_run || ln "$progpath" "$lockfile" 2>/dev/null; do func_echo "Waiting for $lockfile to be removed" sleep 2 done fi func_show_eval "(cd \$f_ex_an_ar_dir && $AR x \"\$f_ex_an_ar_oldlib\")" \ 'stat=$?; rm -f "$lockfile"; exit $stat' if test "$lock_old_archive_extraction" = yes; then $opt_dry_run || rm -f "$lockfile" fi if ($AR t "$f_ex_an_ar_oldlib" | sort | sort -uc >/dev/null 2>&1); then : else func_fatal_error "object name conflicts in archive: $f_ex_an_ar_dir/$f_ex_an_ar_oldlib" fi } # func_extract_archives gentop oldlib ... func_extract_archives () { $opt_debug my_gentop="$1"; shift my_oldlibs=${1+"$@"} my_oldobjs="" my_xlib="" my_xabs="" my_xdir="" for my_xlib in $my_oldlibs; do # Extract the objects. case $my_xlib in [\\/]* | [A-Za-z]:[\\/]*) my_xabs="$my_xlib" ;; *) my_xabs=`pwd`"/$my_xlib" ;; esac func_basename "$my_xlib" my_xlib="$func_basename_result" my_xlib_u=$my_xlib while :; do case " $extracted_archives " in *" $my_xlib_u "*) func_arith $extracted_serial + 1 extracted_serial=$func_arith_result my_xlib_u=lt$extracted_serial-$my_xlib ;; *) break ;; esac done extracted_archives="$extracted_archives $my_xlib_u" my_xdir="$my_gentop/$my_xlib_u" func_mkdir_p "$my_xdir" case $host in *-darwin*) func_verbose "Extracting $my_xabs" # Do not bother doing anything if just a dry run $opt_dry_run || { darwin_orig_dir=`pwd` cd $my_xdir || exit $? darwin_archive=$my_xabs darwin_curdir=`pwd` darwin_base_archive=`basename "$darwin_archive"` darwin_arches=`$LIPO -info "$darwin_archive" 2>/dev/null | $GREP Architectures 2>/dev/null || true` if test -n "$darwin_arches"; then darwin_arches=`$ECHO "$darwin_arches" | $SED -e 's/.*are://'` darwin_arch= func_verbose "$darwin_base_archive has multiple architectures $darwin_arches" for darwin_arch in $darwin_arches ; do func_mkdir_p "unfat-$$/${darwin_base_archive}-${darwin_arch}" $LIPO -thin $darwin_arch -output "unfat-$$/${darwin_base_archive}-${darwin_arch}/${darwin_base_archive}" "${darwin_archive}" cd "unfat-$$/${darwin_base_archive}-${darwin_arch}" func_extract_an_archive "`pwd`" "${darwin_base_archive}" cd "$darwin_curdir" $RM "unfat-$$/${darwin_base_archive}-${darwin_arch}/${darwin_base_archive}" done # $darwin_arches ## Okay now we've a bunch of thin objects, gotta fatten them up :) darwin_filelist=`find unfat-$$ -type f -name \*.o -print -o -name \*.lo -print | $SED -e "$basename" | sort -u` darwin_file= darwin_files= for darwin_file in $darwin_filelist; do darwin_files=`find unfat-$$ -name $darwin_file -print | sort | $NL2SP` $LIPO -create -output "$darwin_file" $darwin_files done # $darwin_filelist $RM -rf unfat-$$ cd "$darwin_orig_dir" else cd $darwin_orig_dir func_extract_an_archive "$my_xdir" "$my_xabs" fi # $darwin_arches } # !$opt_dry_run ;; *) func_extract_an_archive "$my_xdir" "$my_xabs" ;; esac my_oldobjs="$my_oldobjs "`find $my_xdir -name \*.$objext -print -o -name \*.lo -print | sort | $NL2SP` done func_extract_archives_result="$my_oldobjs" } # func_emit_wrapper [arg=no] # # Emit a libtool wrapper script on stdout. # Don't directly open a file because we may want to # incorporate the script contents within a cygwin/mingw # wrapper executable. Must ONLY be called from within # func_mode_link because it depends on a number of variables # set therein. # # ARG is the value that the WRAPPER_SCRIPT_BELONGS_IN_OBJDIR # variable will take. If 'yes', then the emitted script # will assume that the directory in which it is stored is # the $objdir directory. This is a cygwin/mingw-specific # behavior. func_emit_wrapper () { func_emit_wrapper_arg1=${1-no} $ECHO "\ #! $SHELL # $output - temporary wrapper script for $objdir/$outputname # Generated by $PROGRAM (GNU $PACKAGE$TIMESTAMP) $VERSION # # The $output program cannot be directly executed until all the libtool # libraries that it depends on are installed. # # This wrapper script should never be moved out of the build directory. # If it is, it will not operate correctly. # Sed substitution that helps us do robust quoting. It backslashifies # metacharacters that are still active within double-quoted strings. sed_quote_subst='$sed_quote_subst' # Be Bourne compatible if test -n \"\${ZSH_VERSION+set}\" && (emulate sh) >/dev/null 2>&1; then emulate sh NULLCMD=: # Zsh 3.x and 4.x performs word splitting on \${1+\"\$@\"}, which # is contrary to our usage. Disable this feature. alias -g '\${1+\"\$@\"}'='\"\$@\"' setopt NO_GLOB_SUBST else case \`(set -o) 2>/dev/null\` in *posix*) set -o posix;; esac fi BIN_SH=xpg4; export BIN_SH # for Tru64 DUALCASE=1; export DUALCASE # for MKS sh # The HP-UX ksh and POSIX shell print the target directory to stdout # if CDPATH is set. (unset CDPATH) >/dev/null 2>&1 && unset CDPATH relink_command=\"$relink_command\" # This environment variable determines our operation mode. if test \"\$libtool_install_magic\" = \"$magic\"; then # install mode needs the following variables: generated_by_libtool_version='$macro_version' notinst_deplibs='$notinst_deplibs' else # When we are sourced in execute mode, \$file and \$ECHO are already set. if test \"\$libtool_execute_magic\" != \"$magic\"; then file=\"\$0\"" qECHO=`$ECHO "$ECHO" | $SED "$sed_quote_subst"` $ECHO "\ # A function that is used when there is no print builtin or printf. func_fallback_echo () { eval 'cat <<_LTECHO_EOF \$1 _LTECHO_EOF' } ECHO=\"$qECHO\" fi # Very basic option parsing. These options are (a) specific to # the libtool wrapper, (b) are identical between the wrapper # /script/ and the wrapper /executable/ which is used only on # windows platforms, and (c) all begin with the string "--lt-" # (application programs are unlikely to have options which match # this pattern). # # There are only two supported options: --lt-debug and # --lt-dump-script. There is, deliberately, no --lt-help. # # The first argument to this parsing function should be the # script's $0 value, followed by "$@". lt_option_debug= func_parse_lt_options () { lt_script_arg0=\$0 shift for lt_opt do case \"\$lt_opt\" in --lt-debug) lt_option_debug=1 ;; --lt-dump-script) lt_dump_D=\`\$ECHO \"X\$lt_script_arg0\" | $SED -e 's/^X//' -e 's%/[^/]*$%%'\` test \"X\$lt_dump_D\" = \"X\$lt_script_arg0\" && lt_dump_D=. lt_dump_F=\`\$ECHO \"X\$lt_script_arg0\" | $SED -e 's/^X//' -e 's%^.*/%%'\` cat \"\$lt_dump_D/\$lt_dump_F\" exit 0 ;; --lt-*) \$ECHO \"Unrecognized --lt- option: '\$lt_opt'\" 1>&2 exit 1 ;; esac done # Print the debug banner immediately: if test -n \"\$lt_option_debug\"; then echo \"${outputname}:${output}:\${LINENO}: libtool wrapper (GNU $PACKAGE$TIMESTAMP) $VERSION\" 1>&2 fi } # Used when --lt-debug. Prints its arguments to stdout # (redirection is the responsibility of the caller) func_lt_dump_args () { lt_dump_args_N=1; for lt_arg do \$ECHO \"${outputname}:${output}:\${LINENO}: newargv[\$lt_dump_args_N]: \$lt_arg\" lt_dump_args_N=\`expr \$lt_dump_args_N + 1\` done } # Core function for launching the target application func_exec_program_core () { " case $host in # Backslashes separate directories on plain windows *-*-mingw | *-*-os2* | *-cegcc*) $ECHO "\ if test -n \"\$lt_option_debug\"; then \$ECHO \"${outputname}:${output}:\${LINENO}: newargv[0]: \$progdir\\\\\$program\" 1>&2 func_lt_dump_args \${1+\"\$@\"} 1>&2 fi exec \"\$progdir\\\\\$program\" \${1+\"\$@\"} " ;; *) $ECHO "\ if test -n \"\$lt_option_debug\"; then \$ECHO \"${outputname}:${output}:\${LINENO}: newargv[0]: \$progdir/\$program\" 1>&2 func_lt_dump_args \${1+\"\$@\"} 1>&2 fi exec \"\$progdir/\$program\" \${1+\"\$@\"} " ;; esac $ECHO "\ \$ECHO \"\$0: cannot exec \$program \$*\" 1>&2 exit 1 } # A function to encapsulate launching the target application # Strips options in the --lt-* namespace from \$@ and # launches target application with the remaining arguments. func_exec_program () { case \" \$* \" in *\\ --lt-*) for lt_wr_arg do case \$lt_wr_arg in --lt-*) ;; *) set x \"\$@\" \"\$lt_wr_arg\"; shift;; esac shift done ;; esac func_exec_program_core \${1+\"\$@\"} } # Parse options func_parse_lt_options \"\$0\" \${1+\"\$@\"} # Find the directory that this script lives in. thisdir=\`\$ECHO \"\$file\" | $SED 's%/[^/]*$%%'\` test \"x\$thisdir\" = \"x\$file\" && thisdir=. # Follow symbolic links until we get to the real thisdir. file=\`ls -ld \"\$file\" | $SED -n 's/.*-> //p'\` while test -n \"\$file\"; do destdir=\`\$ECHO \"\$file\" | $SED 's%/[^/]*\$%%'\` # If there was a directory component, then change thisdir. if test \"x\$destdir\" != \"x\$file\"; then case \"\$destdir\" in [\\\\/]* | [A-Za-z]:[\\\\/]*) thisdir=\"\$destdir\" ;; *) thisdir=\"\$thisdir/\$destdir\" ;; esac fi file=\`\$ECHO \"\$file\" | $SED 's%^.*/%%'\` file=\`ls -ld \"\$thisdir/\$file\" | $SED -n 's/.*-> //p'\` done # Usually 'no', except on cygwin/mingw when embedded into # the cwrapper. WRAPPER_SCRIPT_BELONGS_IN_OBJDIR=$func_emit_wrapper_arg1 if test \"\$WRAPPER_SCRIPT_BELONGS_IN_OBJDIR\" = \"yes\"; then # special case for '.' if test \"\$thisdir\" = \".\"; then thisdir=\`pwd\` fi # remove .libs from thisdir case \"\$thisdir\" in *[\\\\/]$objdir ) thisdir=\`\$ECHO \"\$thisdir\" | $SED 's%[\\\\/][^\\\\/]*$%%'\` ;; $objdir ) thisdir=. ;; esac fi # Try to get the absolute directory name. absdir=\`cd \"\$thisdir\" && pwd\` test -n \"\$absdir\" && thisdir=\"\$absdir\" " if test "$fast_install" = yes; then $ECHO "\ program=lt-'$outputname'$exeext progdir=\"\$thisdir/$objdir\" if test ! -f \"\$progdir/\$program\" || { file=\`ls -1dt \"\$progdir/\$program\" \"\$progdir/../\$program\" 2>/dev/null | ${SED} 1q\`; \\ test \"X\$file\" != \"X\$progdir/\$program\"; }; then file=\"\$\$-\$program\" if test ! -d \"\$progdir\"; then $MKDIR \"\$progdir\" else $RM \"\$progdir/\$file\" fi" $ECHO "\ # relink executable if necessary if test -n \"\$relink_command\"; then if relink_command_output=\`eval \$relink_command 2>&1\`; then : else $ECHO \"\$relink_command_output\" >&2 $RM \"\$progdir/\$file\" exit 1 fi fi $MV \"\$progdir/\$file\" \"\$progdir/\$program\" 2>/dev/null || { $RM \"\$progdir/\$program\"; $MV \"\$progdir/\$file\" \"\$progdir/\$program\"; } $RM \"\$progdir/\$file\" fi" else $ECHO "\ program='$outputname' progdir=\"\$thisdir/$objdir\" " fi $ECHO "\ if test -f \"\$progdir/\$program\"; then" # fixup the dll searchpath if we need to. # # Fix the DLL searchpath if we need to. Do this before prepending # to shlibpath, because on Windows, both are PATH and uninstalled # libraries must come first. if test -n "$dllsearchpath"; then $ECHO "\ # Add the dll search path components to the executable PATH PATH=$dllsearchpath:\$PATH " fi # Export our shlibpath_var if we have one. if test "$shlibpath_overrides_runpath" = yes && test -n "$shlibpath_var" && test -n "$temp_rpath"; then $ECHO "\ # Add our own library path to $shlibpath_var $shlibpath_var=\"$temp_rpath\$$shlibpath_var\" # Some systems cannot cope with colon-terminated $shlibpath_var # The second colon is a workaround for a bug in BeOS R4 sed $shlibpath_var=\`\$ECHO \"\$$shlibpath_var\" | $SED 's/::*\$//'\` export $shlibpath_var " fi $ECHO "\ if test \"\$libtool_execute_magic\" != \"$magic\"; then # Run the actual program with our arguments. func_exec_program \${1+\"\$@\"} fi else # The program doesn't exist. \$ECHO \"\$0: error: \\\`\$progdir/\$program' does not exist\" 1>&2 \$ECHO \"This script is just a wrapper for \$program.\" 1>&2 \$ECHO \"See the $PACKAGE documentation for more information.\" 1>&2 exit 1 fi fi\ " } # func_emit_cwrapperexe_src # emit the source code for a wrapper executable on stdout # Must ONLY be called from within func_mode_link because # it depends on a number of variable set therein. func_emit_cwrapperexe_src () { cat < #include #ifdef _MSC_VER # include # include # include #else # include # include # ifdef __CYGWIN__ # include # endif #endif #include #include #include #include #include #include #include #include /* declarations of non-ANSI functions */ #if defined(__MINGW32__) # ifdef __STRICT_ANSI__ int _putenv (const char *); # endif #elif defined(__CYGWIN__) # ifdef __STRICT_ANSI__ char *realpath (const char *, char *); int putenv (char *); int setenv (const char *, const char *, int); # endif /* #elif defined (other platforms) ... */ #endif /* portability defines, excluding path handling macros */ #if defined(_MSC_VER) # define setmode _setmode # define stat _stat # define chmod _chmod # define getcwd _getcwd # define putenv _putenv # define S_IXUSR _S_IEXEC # ifndef _INTPTR_T_DEFINED # define _INTPTR_T_DEFINED # define intptr_t int # endif #elif defined(__MINGW32__) # define setmode _setmode # define stat _stat # define chmod _chmod # define getcwd _getcwd # define putenv _putenv #elif defined(__CYGWIN__) # define HAVE_SETENV # define FOPEN_WB "wb" /* #elif defined (other platforms) ... */ #endif #if defined(PATH_MAX) # define LT_PATHMAX PATH_MAX #elif defined(MAXPATHLEN) # define LT_PATHMAX MAXPATHLEN #else # define LT_PATHMAX 1024 #endif #ifndef S_IXOTH # define S_IXOTH 0 #endif #ifndef S_IXGRP # define S_IXGRP 0 #endif /* path handling portability macros */ #ifndef DIR_SEPARATOR # define DIR_SEPARATOR '/' # define PATH_SEPARATOR ':' #endif #if defined (_WIN32) || defined (__MSDOS__) || defined (__DJGPP__) || \ defined (__OS2__) # define HAVE_DOS_BASED_FILE_SYSTEM # define FOPEN_WB "wb" # ifndef DIR_SEPARATOR_2 # define DIR_SEPARATOR_2 '\\' # endif # ifndef PATH_SEPARATOR_2 # define PATH_SEPARATOR_2 ';' # endif #endif #ifndef DIR_SEPARATOR_2 # define IS_DIR_SEPARATOR(ch) ((ch) == DIR_SEPARATOR) #else /* DIR_SEPARATOR_2 */ # define IS_DIR_SEPARATOR(ch) \ (((ch) == DIR_SEPARATOR) || ((ch) == DIR_SEPARATOR_2)) #endif /* DIR_SEPARATOR_2 */ #ifndef PATH_SEPARATOR_2 # define IS_PATH_SEPARATOR(ch) ((ch) == PATH_SEPARATOR) #else /* PATH_SEPARATOR_2 */ # define IS_PATH_SEPARATOR(ch) ((ch) == PATH_SEPARATOR_2) #endif /* PATH_SEPARATOR_2 */ #ifndef FOPEN_WB # define FOPEN_WB "w" #endif #ifndef _O_BINARY # define _O_BINARY 0 #endif #define XMALLOC(type, num) ((type *) xmalloc ((num) * sizeof(type))) #define XFREE(stale) do { \ if (stale) { free ((void *) stale); stale = 0; } \ } while (0) #if defined(LT_DEBUGWRAPPER) static int lt_debug = 1; #else static int lt_debug = 0; #endif const char *program_name = "libtool-wrapper"; /* in case xstrdup fails */ void *xmalloc (size_t num); char *xstrdup (const char *string); const char *base_name (const char *name); char *find_executable (const char *wrapper); char *chase_symlinks (const char *pathspec); int make_executable (const char *path); int check_executable (const char *path); char *strendzap (char *str, const char *pat); void lt_debugprintf (const char *file, int line, const char *fmt, ...); void lt_fatal (const char *file, int line, const char *message, ...); static const char *nonnull (const char *s); static const char *nonempty (const char *s); void lt_setenv (const char *name, const char *value); char *lt_extend_str (const char *orig_value, const char *add, int to_end); void lt_update_exe_path (const char *name, const char *value); void lt_update_lib_path (const char *name, const char *value); char **prepare_spawn (char **argv); void lt_dump_script (FILE *f); EOF cat <= 0) && (st.st_mode & (S_IXUSR | S_IXGRP | S_IXOTH))) return 1; else return 0; } int make_executable (const char *path) { int rval = 0; struct stat st; lt_debugprintf (__FILE__, __LINE__, "(make_executable): %s\n", nonempty (path)); if ((!path) || (!*path)) return 0; if (stat (path, &st) >= 0) { rval = chmod (path, st.st_mode | S_IXOTH | S_IXGRP | S_IXUSR); } return rval; } /* Searches for the full path of the wrapper. Returns newly allocated full path name if found, NULL otherwise Does not chase symlinks, even on platforms that support them. */ char * find_executable (const char *wrapper) { int has_slash = 0; const char *p; const char *p_next; /* static buffer for getcwd */ char tmp[LT_PATHMAX + 1]; int tmp_len; char *concat_name; lt_debugprintf (__FILE__, __LINE__, "(find_executable): %s\n", nonempty (wrapper)); if ((wrapper == NULL) || (*wrapper == '\0')) return NULL; /* Absolute path? */ #if defined (HAVE_DOS_BASED_FILE_SYSTEM) if (isalpha ((unsigned char) wrapper[0]) && wrapper[1] == ':') { concat_name = xstrdup (wrapper); if (check_executable (concat_name)) return concat_name; XFREE (concat_name); } else { #endif if (IS_DIR_SEPARATOR (wrapper[0])) { concat_name = xstrdup (wrapper); if (check_executable (concat_name)) return concat_name; XFREE (concat_name); } #if defined (HAVE_DOS_BASED_FILE_SYSTEM) } #endif for (p = wrapper; *p; p++) if (*p == '/') { has_slash = 1; break; } if (!has_slash) { /* no slashes; search PATH */ const char *path = getenv ("PATH"); if (path != NULL) { for (p = path; *p; p = p_next) { const char *q; size_t p_len; for (q = p; *q; q++) if (IS_PATH_SEPARATOR (*q)) break; p_len = q - p; p_next = (*q == '\0' ? q : q + 1); if (p_len == 0) { /* empty path: current directory */ if (getcwd (tmp, LT_PATHMAX) == NULL) lt_fatal (__FILE__, __LINE__, "getcwd failed: %s", nonnull (strerror (errno))); tmp_len = strlen (tmp); concat_name = XMALLOC (char, tmp_len + 1 + strlen (wrapper) + 1); memcpy (concat_name, tmp, tmp_len); concat_name[tmp_len] = '/'; strcpy (concat_name + tmp_len + 1, wrapper); } else { concat_name = XMALLOC (char, p_len + 1 + strlen (wrapper) + 1); memcpy (concat_name, p, p_len); concat_name[p_len] = '/'; strcpy (concat_name + p_len + 1, wrapper); } if (check_executable (concat_name)) return concat_name; XFREE (concat_name); } } /* not found in PATH; assume curdir */ } /* Relative path | not found in path: prepend cwd */ if (getcwd (tmp, LT_PATHMAX) == NULL) lt_fatal (__FILE__, __LINE__, "getcwd failed: %s", nonnull (strerror (errno))); tmp_len = strlen (tmp); concat_name = XMALLOC (char, tmp_len + 1 + strlen (wrapper) + 1); memcpy (concat_name, tmp, tmp_len); concat_name[tmp_len] = '/'; strcpy (concat_name + tmp_len + 1, wrapper); if (check_executable (concat_name)) return concat_name; XFREE (concat_name); return NULL; } char * chase_symlinks (const char *pathspec) { #ifndef S_ISLNK return xstrdup (pathspec); #else char buf[LT_PATHMAX]; struct stat s; char *tmp_pathspec = xstrdup (pathspec); char *p; int has_symlinks = 0; while (strlen (tmp_pathspec) && !has_symlinks) { lt_debugprintf (__FILE__, __LINE__, "checking path component for symlinks: %s\n", tmp_pathspec); if (lstat (tmp_pathspec, &s) == 0) { if (S_ISLNK (s.st_mode) != 0) { has_symlinks = 1; break; } /* search backwards for last DIR_SEPARATOR */ p = tmp_pathspec + strlen (tmp_pathspec) - 1; while ((p > tmp_pathspec) && (!IS_DIR_SEPARATOR (*p))) p--; if ((p == tmp_pathspec) && (!IS_DIR_SEPARATOR (*p))) { /* no more DIR_SEPARATORS left */ break; } *p = '\0'; } else { lt_fatal (__FILE__, __LINE__, "error accessing file \"%s\": %s", tmp_pathspec, nonnull (strerror (errno))); } } XFREE (tmp_pathspec); if (!has_symlinks) { return xstrdup (pathspec); } tmp_pathspec = realpath (pathspec, buf); if (tmp_pathspec == 0) { lt_fatal (__FILE__, __LINE__, "could not follow symlinks for %s", pathspec); } return xstrdup (tmp_pathspec); #endif } char * strendzap (char *str, const char *pat) { size_t len, patlen; assert (str != NULL); assert (pat != NULL); len = strlen (str); patlen = strlen (pat); if (patlen <= len) { str += len - patlen; if (strcmp (str, pat) == 0) *str = '\0'; } return str; } void lt_debugprintf (const char *file, int line, const char *fmt, ...) { va_list args; if (lt_debug) { (void) fprintf (stderr, "%s:%s:%d: ", program_name, file, line); va_start (args, fmt); (void) vfprintf (stderr, fmt, args); va_end (args); } } static void lt_error_core (int exit_status, const char *file, int line, const char *mode, const char *message, va_list ap) { fprintf (stderr, "%s:%s:%d: %s: ", program_name, file, line, mode); vfprintf (stderr, message, ap); fprintf (stderr, ".\n"); if (exit_status >= 0) exit (exit_status); } void lt_fatal (const char *file, int line, const char *message, ...) { va_list ap; va_start (ap, message); lt_error_core (EXIT_FAILURE, file, line, "FATAL", message, ap); va_end (ap); } static const char * nonnull (const char *s) { return s ? s : "(null)"; } static const char * nonempty (const char *s) { return (s && !*s) ? "(empty)" : nonnull (s); } void lt_setenv (const char *name, const char *value) { lt_debugprintf (__FILE__, __LINE__, "(lt_setenv) setting '%s' to '%s'\n", nonnull (name), nonnull (value)); { #ifdef HAVE_SETENV /* always make a copy, for consistency with !HAVE_SETENV */ char *str = xstrdup (value); setenv (name, str, 1); #else int len = strlen (name) + 1 + strlen (value) + 1; char *str = XMALLOC (char, len); sprintf (str, "%s=%s", name, value); if (putenv (str) != EXIT_SUCCESS) { XFREE (str); } #endif } } char * lt_extend_str (const char *orig_value, const char *add, int to_end) { char *new_value; if (orig_value && *orig_value) { int orig_value_len = strlen (orig_value); int add_len = strlen (add); new_value = XMALLOC (char, add_len + orig_value_len + 1); if (to_end) { strcpy (new_value, orig_value); strcpy (new_value + orig_value_len, add); } else { strcpy (new_value, add); strcpy (new_value + add_len, orig_value); } } else { new_value = xstrdup (add); } return new_value; } void lt_update_exe_path (const char *name, const char *value) { lt_debugprintf (__FILE__, __LINE__, "(lt_update_exe_path) modifying '%s' by prepending '%s'\n", nonnull (name), nonnull (value)); if (name && *name && value && *value) { char *new_value = lt_extend_str (getenv (name), value, 0); /* some systems can't cope with a ':'-terminated path #' */ int len = strlen (new_value); while (((len = strlen (new_value)) > 0) && IS_PATH_SEPARATOR (new_value[len-1])) { new_value[len-1] = '\0'; } lt_setenv (name, new_value); XFREE (new_value); } } void lt_update_lib_path (const char *name, const char *value) { lt_debugprintf (__FILE__, __LINE__, "(lt_update_lib_path) modifying '%s' by prepending '%s'\n", nonnull (name), nonnull (value)); if (name && *name && value && *value) { char *new_value = lt_extend_str (getenv (name), value, 0); lt_setenv (name, new_value); XFREE (new_value); } } EOF case $host_os in mingw*) cat <<"EOF" /* Prepares an argument vector before calling spawn(). Note that spawn() does not by itself call the command interpreter (getenv ("COMSPEC") != NULL ? getenv ("COMSPEC") : ({ OSVERSIONINFO v; v.dwOSVersionInfoSize = sizeof(OSVERSIONINFO); GetVersionEx(&v); v.dwPlatformId == VER_PLATFORM_WIN32_NT; }) ? "cmd.exe" : "command.com"). Instead it simply concatenates the arguments, separated by ' ', and calls CreateProcess(). We must quote the arguments since Win32 CreateProcess() interprets characters like ' ', '\t', '\\', '"' (but not '<' and '>') in a special way: - Space and tab are interpreted as delimiters. They are not treated as delimiters if they are surrounded by double quotes: "...". - Unescaped double quotes are removed from the input. Their only effect is that within double quotes, space and tab are treated like normal characters. - Backslashes not followed by double quotes are not special. - But 2*n+1 backslashes followed by a double quote become n backslashes followed by a double quote (n >= 0): \" -> " \\\" -> \" \\\\\" -> \\" */ #define SHELL_SPECIAL_CHARS "\"\\ \001\002\003\004\005\006\007\010\011\012\013\014\015\016\017\020\021\022\023\024\025\026\027\030\031\032\033\034\035\036\037" #define SHELL_SPACE_CHARS " \001\002\003\004\005\006\007\010\011\012\013\014\015\016\017\020\021\022\023\024\025\026\027\030\031\032\033\034\035\036\037" char ** prepare_spawn (char **argv) { size_t argc; char **new_argv; size_t i; /* Count number of arguments. */ for (argc = 0; argv[argc] != NULL; argc++) ; /* Allocate new argument vector. */ new_argv = XMALLOC (char *, argc + 1); /* Put quoted arguments into the new argument vector. */ for (i = 0; i < argc; i++) { const char *string = argv[i]; if (string[0] == '\0') new_argv[i] = xstrdup ("\"\""); else if (strpbrk (string, SHELL_SPECIAL_CHARS) != NULL) { int quote_around = (strpbrk (string, SHELL_SPACE_CHARS) != NULL); size_t length; unsigned int backslashes; const char *s; char *quoted_string; char *p; length = 0; backslashes = 0; if (quote_around) length++; for (s = string; *s != '\0'; s++) { char c = *s; if (c == '"') length += backslashes + 1; length++; if (c == '\\') backslashes++; else backslashes = 0; } if (quote_around) length += backslashes + 1; quoted_string = XMALLOC (char, length + 1); p = quoted_string; backslashes = 0; if (quote_around) *p++ = '"'; for (s = string; *s != '\0'; s++) { char c = *s; if (c == '"') { unsigned int j; for (j = backslashes + 1; j > 0; j--) *p++ = '\\'; } *p++ = c; if (c == '\\') backslashes++; else backslashes = 0; } if (quote_around) { unsigned int j; for (j = backslashes; j > 0; j--) *p++ = '\\'; *p++ = '"'; } *p = '\0'; new_argv[i] = quoted_string; } else new_argv[i] = (char *) string; } new_argv[argc] = NULL; return new_argv; } EOF ;; esac cat <<"EOF" void lt_dump_script (FILE* f) { EOF func_emit_wrapper yes | $SED -n -e ' s/^\(.\{79\}\)\(..*\)/\1\ \2/ h s/\([\\"]\)/\\\1/g s/$/\\n/ s/\([^\n]*\).*/ fputs ("\1", f);/p g D' cat <<"EOF" } EOF } # end: func_emit_cwrapperexe_src # func_win32_import_lib_p ARG # True if ARG is an import lib, as indicated by $file_magic_cmd func_win32_import_lib_p () { $opt_debug case `eval $file_magic_cmd \"\$1\" 2>/dev/null | $SED -e 10q` in *import*) : ;; *) false ;; esac } # func_mode_link arg... func_mode_link () { $opt_debug case $host in *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2* | *-cegcc*) # It is impossible to link a dll without this setting, and # we shouldn't force the makefile maintainer to figure out # which system we are compiling for in order to pass an extra # flag for every libtool invocation. # allow_undefined=no # FIXME: Unfortunately, there are problems with the above when trying # to make a dll which has undefined symbols, in which case not # even a static library is built. For now, we need to specify # -no-undefined on the libtool link line when we can be certain # that all symbols are satisfied, otherwise we get a static library. allow_undefined=yes ;; *) allow_undefined=yes ;; esac libtool_args=$nonopt base_compile="$nonopt $@" compile_command=$nonopt finalize_command=$nonopt compile_rpath= finalize_rpath= compile_shlibpath= finalize_shlibpath= convenience= old_convenience= deplibs= old_deplibs= compiler_flags= linker_flags= dllsearchpath= lib_search_path=`pwd` inst_prefix_dir= new_inherited_linker_flags= avoid_version=no bindir= dlfiles= dlprefiles= dlself=no export_dynamic=no export_symbols= export_symbols_regex= generated= libobjs= ltlibs= module=no no_install=no objs= non_pic_objects= precious_files_regex= prefer_static_libs=no preload=no prev= prevarg= release= rpath= xrpath= perm_rpath= temp_rpath= thread_safe=no vinfo= vinfo_number=no weak_libs= single_module="${wl}-single_module" func_infer_tag $base_compile # We need to know -static, to get the right output filenames. for arg do case $arg in -shared) test "$build_libtool_libs" != yes && \ func_fatal_configuration "can not build a shared library" build_old_libs=no break ;; -all-static | -static | -static-libtool-libs) case $arg in -all-static) if test "$build_libtool_libs" = yes && test -z "$link_static_flag"; then func_warning "complete static linking is impossible in this configuration" fi if test -n "$link_static_flag"; then dlopen_self=$dlopen_self_static fi prefer_static_libs=yes ;; -static) if test -z "$pic_flag" && test -n "$link_static_flag"; then dlopen_self=$dlopen_self_static fi prefer_static_libs=built ;; -static-libtool-libs) if test -z "$pic_flag" && test -n "$link_static_flag"; then dlopen_self=$dlopen_self_static fi prefer_static_libs=yes ;; esac build_libtool_libs=no build_old_libs=yes break ;; esac done # See if our shared archives depend on static archives. test -n "$old_archive_from_new_cmds" && build_old_libs=yes # Go through the arguments, transforming them on the way. while test "$#" -gt 0; do arg="$1" shift func_quote_for_eval "$arg" qarg=$func_quote_for_eval_unquoted_result func_append libtool_args " $func_quote_for_eval_result" # If the previous option needs an argument, assign it. if test -n "$prev"; then case $prev in output) func_append compile_command " @OUTPUT@" func_append finalize_command " @OUTPUT@" ;; esac case $prev in bindir) bindir="$arg" prev= continue ;; dlfiles|dlprefiles) if test "$preload" = no; then # Add the symbol object into the linking commands. func_append compile_command " @SYMFILE@" func_append finalize_command " @SYMFILE@" preload=yes fi case $arg in *.la | *.lo) ;; # We handle these cases below. force) if test "$dlself" = no; then dlself=needless export_dynamic=yes fi prev= continue ;; self) if test "$prev" = dlprefiles; then dlself=yes elif test "$prev" = dlfiles && test "$dlopen_self" != yes; then dlself=yes else dlself=needless export_dynamic=yes fi prev= continue ;; *) if test "$prev" = dlfiles; then func_append dlfiles " $arg" else func_append dlprefiles " $arg" fi prev= continue ;; esac ;; expsyms) export_symbols="$arg" test -f "$arg" \ || func_fatal_error "symbol file \`$arg' does not exist" prev= continue ;; expsyms_regex) export_symbols_regex="$arg" prev= continue ;; framework) case $host in *-*-darwin*) case "$deplibs " in *" $qarg.ltframework "*) ;; *) func_append deplibs " $qarg.ltframework" # this is fixed later ;; esac ;; esac prev= continue ;; inst_prefix) inst_prefix_dir="$arg" prev= continue ;; objectlist) if test -f "$arg"; then save_arg=$arg moreargs= for fil in `cat "$save_arg"` do # func_append moreargs " $fil" arg=$fil # A libtool-controlled object. # Check to see that this really is a libtool object. if func_lalib_unsafe_p "$arg"; then pic_object= non_pic_object= # Read the .lo file func_source "$arg" if test -z "$pic_object" || test -z "$non_pic_object" || test "$pic_object" = none && test "$non_pic_object" = none; then func_fatal_error "cannot find name of object for \`$arg'" fi # Extract subdirectory from the argument. func_dirname "$arg" "/" "" xdir="$func_dirname_result" if test "$pic_object" != none; then # Prepend the subdirectory the object is found in. pic_object="$xdir$pic_object" if test "$prev" = dlfiles; then if test "$build_libtool_libs" = yes && test "$dlopen_support" = yes; then func_append dlfiles " $pic_object" prev= continue else # If libtool objects are unsupported, then we need to preload. prev=dlprefiles fi fi # CHECK ME: I think I busted this. -Ossama if test "$prev" = dlprefiles; then # Preload the old-style object. func_append dlprefiles " $pic_object" prev= fi # A PIC object. func_append libobjs " $pic_object" arg="$pic_object" fi # Non-PIC object. if test "$non_pic_object" != none; then # Prepend the subdirectory the object is found in. non_pic_object="$xdir$non_pic_object" # A standard non-PIC object func_append non_pic_objects " $non_pic_object" if test -z "$pic_object" || test "$pic_object" = none ; then arg="$non_pic_object" fi else # If the PIC object exists, use it instead. # $xdir was prepended to $pic_object above. non_pic_object="$pic_object" func_append non_pic_objects " $non_pic_object" fi else # Only an error if not doing a dry-run. if $opt_dry_run; then # Extract subdirectory from the argument. func_dirname "$arg" "/" "" xdir="$func_dirname_result" func_lo2o "$arg" pic_object=$xdir$objdir/$func_lo2o_result non_pic_object=$xdir$func_lo2o_result func_append libobjs " $pic_object" func_append non_pic_objects " $non_pic_object" else func_fatal_error "\`$arg' is not a valid libtool object" fi fi done else func_fatal_error "link input file \`$arg' does not exist" fi arg=$save_arg prev= continue ;; precious_regex) precious_files_regex="$arg" prev= continue ;; release) release="-$arg" prev= continue ;; rpath | xrpath) # We need an absolute path. case $arg in [\\/]* | [A-Za-z]:[\\/]*) ;; *) func_fatal_error "only absolute run-paths are allowed" ;; esac if test "$prev" = rpath; then case "$rpath " in *" $arg "*) ;; *) func_append rpath " $arg" ;; esac else case "$xrpath " in *" $arg "*) ;; *) func_append xrpath " $arg" ;; esac fi prev= continue ;; shrext) shrext_cmds="$arg" prev= continue ;; weak) func_append weak_libs " $arg" prev= continue ;; xcclinker) func_append linker_flags " $qarg" func_append compiler_flags " $qarg" prev= func_append compile_command " $qarg" func_append finalize_command " $qarg" continue ;; xcompiler) func_append compiler_flags " $qarg" prev= func_append compile_command " $qarg" func_append finalize_command " $qarg" continue ;; xlinker) func_append linker_flags " $qarg" func_append compiler_flags " $wl$qarg" prev= func_append compile_command " $wl$qarg" func_append finalize_command " $wl$qarg" continue ;; *) eval "$prev=\"\$arg\"" prev= continue ;; esac fi # test -n "$prev" prevarg="$arg" case $arg in -all-static) if test -n "$link_static_flag"; then # See comment for -static flag below, for more details. func_append compile_command " $link_static_flag" func_append finalize_command " $link_static_flag" fi continue ;; -allow-undefined) # FIXME: remove this flag sometime in the future. func_fatal_error "\`-allow-undefined' must not be used because it is the default" ;; -avoid-version) avoid_version=yes continue ;; -bindir) prev=bindir continue ;; -dlopen) prev=dlfiles continue ;; -dlpreopen) prev=dlprefiles continue ;; -export-dynamic) export_dynamic=yes continue ;; -export-symbols | -export-symbols-regex) if test -n "$export_symbols" || test -n "$export_symbols_regex"; then func_fatal_error "more than one -exported-symbols argument is not allowed" fi if test "X$arg" = "X-export-symbols"; then prev=expsyms else prev=expsyms_regex fi continue ;; -framework) prev=framework continue ;; -inst-prefix-dir) prev=inst_prefix continue ;; # The native IRIX linker understands -LANG:*, -LIST:* and -LNO:* # so, if we see these flags be careful not to treat them like -L -L[A-Z][A-Z]*:*) case $with_gcc/$host in no/*-*-irix* | /*-*-irix*) func_append compile_command " $arg" func_append finalize_command " $arg" ;; esac continue ;; -L*) func_stripname "-L" '' "$arg" if test -z "$func_stripname_result"; then if test "$#" -gt 0; then func_fatal_error "require no space between \`-L' and \`$1'" else func_fatal_error "need path for \`-L' option" fi fi func_resolve_sysroot "$func_stripname_result" dir=$func_resolve_sysroot_result # We need an absolute path. case $dir in [\\/]* | [A-Za-z]:[\\/]*) ;; *) absdir=`cd "$dir" && pwd` test -z "$absdir" && \ func_fatal_error "cannot determine absolute directory name of \`$dir'" dir="$absdir" ;; esac case "$deplibs " in *" -L$dir "* | *" $arg "*) # Will only happen for absolute or sysroot arguments ;; *) # Preserve sysroot, but never include relative directories case $dir in [\\/]* | [A-Za-z]:[\\/]* | =*) func_append deplibs " $arg" ;; *) func_append deplibs " -L$dir" ;; esac func_append lib_search_path " $dir" ;; esac case $host in *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2* | *-cegcc*) testbindir=`$ECHO "$dir" | $SED 's*/lib$*/bin*'` case :$dllsearchpath: in *":$dir:"*) ;; ::) dllsearchpath=$dir;; *) func_append dllsearchpath ":$dir";; esac case :$dllsearchpath: in *":$testbindir:"*) ;; ::) dllsearchpath=$testbindir;; *) func_append dllsearchpath ":$testbindir";; esac ;; esac continue ;; -l*) if test "X$arg" = "X-lc" || test "X$arg" = "X-lm"; then case $host in *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-beos* | *-cegcc* | *-*-haiku*) # These systems don't actually have a C or math library (as such) continue ;; *-*-os2*) # These systems don't actually have a C library (as such) test "X$arg" = "X-lc" && continue ;; *-*-openbsd* | *-*-freebsd* | *-*-dragonfly*) # Do not include libc due to us having libc/libc_r. test "X$arg" = "X-lc" && continue ;; *-*-rhapsody* | *-*-darwin1.[012]) # Rhapsody C and math libraries are in the System framework func_append deplibs " System.ltframework" continue ;; *-*-sco3.2v5* | *-*-sco5v6*) # Causes problems with __ctype test "X$arg" = "X-lc" && continue ;; *-*-sysv4.2uw2* | *-*-sysv5* | *-*-unixware* | *-*-OpenUNIX*) # Compiler inserts libc in the correct place for threads to work test "X$arg" = "X-lc" && continue ;; esac elif test "X$arg" = "X-lc_r"; then case $host in *-*-openbsd* | *-*-freebsd* | *-*-dragonfly*) # Do not include libc_r directly, use -pthread flag. continue ;; esac fi func_append deplibs " $arg" continue ;; -module) module=yes continue ;; # Tru64 UNIX uses -model [arg] to determine the layout of C++ # classes, name mangling, and exception handling. # Darwin uses the -arch flag to determine output architecture. -model|-arch|-isysroot|--sysroot) func_append compiler_flags " $arg" func_append compile_command " $arg" func_append finalize_command " $arg" prev=xcompiler continue ;; -mt|-mthreads|-kthread|-Kthread|-pthread|-pthreads|--thread-safe \ |-threads|-fopenmp|-openmp|-mp|-xopenmp|-omp|-qsmp=*) func_append compiler_flags " $arg" func_append compile_command " $arg" func_append finalize_command " $arg" case "$new_inherited_linker_flags " in *" $arg "*) ;; * ) func_append new_inherited_linker_flags " $arg" ;; esac continue ;; -multi_module) single_module="${wl}-multi_module" continue ;; -no-fast-install) fast_install=no continue ;; -no-install) case $host in *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2* | *-*-darwin* | *-cegcc*) # The PATH hackery in wrapper scripts is required on Windows # and Darwin in order for the loader to find any dlls it needs. func_warning "\`-no-install' is ignored for $host" func_warning "assuming \`-no-fast-install' instead" fast_install=no ;; *) no_install=yes ;; esac continue ;; -no-undefined) allow_undefined=no continue ;; -objectlist) prev=objectlist continue ;; -o) prev=output ;; -precious-files-regex) prev=precious_regex continue ;; -release) prev=release continue ;; -rpath) prev=rpath continue ;; -R) prev=xrpath continue ;; -R*) func_stripname '-R' '' "$arg" dir=$func_stripname_result # We need an absolute path. case $dir in [\\/]* | [A-Za-z]:[\\/]*) ;; =*) func_stripname '=' '' "$dir" dir=$lt_sysroot$func_stripname_result ;; *) func_fatal_error "only absolute run-paths are allowed" ;; esac case "$xrpath " in *" $dir "*) ;; *) func_append xrpath " $dir" ;; esac continue ;; -shared) # The effects of -shared are defined in a previous loop. continue ;; -shrext) prev=shrext continue ;; -static | -static-libtool-libs) # The effects of -static are defined in a previous loop. # We used to do the same as -all-static on platforms that # didn't have a PIC flag, but the assumption that the effects # would be equivalent was wrong. It would break on at least # Digital Unix and AIX. continue ;; -thread-safe) thread_safe=yes continue ;; -version-info) prev=vinfo continue ;; -version-number) prev=vinfo vinfo_number=yes continue ;; -weak) prev=weak continue ;; -Wc,*) func_stripname '-Wc,' '' "$arg" args=$func_stripname_result arg= save_ifs="$IFS"; IFS=',' for flag in $args; do IFS="$save_ifs" func_quote_for_eval "$flag" func_append arg " $func_quote_for_eval_result" func_append compiler_flags " $func_quote_for_eval_result" done IFS="$save_ifs" func_stripname ' ' '' "$arg" arg=$func_stripname_result ;; -Wl,*) func_stripname '-Wl,' '' "$arg" args=$func_stripname_result arg= save_ifs="$IFS"; IFS=',' for flag in $args; do IFS="$save_ifs" func_quote_for_eval "$flag" func_append arg " $wl$func_quote_for_eval_result" func_append compiler_flags " $wl$func_quote_for_eval_result" func_append linker_flags " $func_quote_for_eval_result" done IFS="$save_ifs" func_stripname ' ' '' "$arg" arg=$func_stripname_result ;; -Xcompiler) prev=xcompiler continue ;; -Xlinker) prev=xlinker continue ;; -XCClinker) prev=xcclinker continue ;; # -msg_* for osf cc -msg_*) func_quote_for_eval "$arg" arg="$func_quote_for_eval_result" ;; # Flags to be passed through unchanged, with rationale: # -64, -mips[0-9] enable 64-bit mode for the SGI compiler # -r[0-9][0-9]* specify processor for the SGI compiler # -xarch=*, -xtarget=* enable 64-bit mode for the Sun compiler # +DA*, +DD* enable 64-bit mode for the HP compiler # -q* compiler args for the IBM compiler # -m*, -t[45]*, -txscale* architecture-specific flags for GCC # -F/path path to uninstalled frameworks, gcc on darwin # -p, -pg, --coverage, -fprofile-* profiling flags for GCC # @file GCC response files # -tp=* Portland pgcc target processor selection # --sysroot=* for sysroot support # -O*, -flto*, -fwhopr*, -fuse-linker-plugin GCC link-time optimization -64|-mips[0-9]|-r[0-9][0-9]*|-xarch=*|-xtarget=*|+DA*|+DD*|-q*|-m*| \ -t[45]*|-txscale*|-p|-pg|--coverage|-fprofile-*|-F*|@*|-tp=*|--sysroot=*| \ -O*|-flto*|-fwhopr*|-fuse-linker-plugin) func_quote_for_eval "$arg" arg="$func_quote_for_eval_result" func_append compile_command " $arg" func_append finalize_command " $arg" func_append compiler_flags " $arg" continue ;; # Some other compiler flag. -* | +*) func_quote_for_eval "$arg" arg="$func_quote_for_eval_result" ;; *.$objext) # A standard object. func_append objs " $arg" ;; *.lo) # A libtool-controlled object. # Check to see that this really is a libtool object. if func_lalib_unsafe_p "$arg"; then pic_object= non_pic_object= # Read the .lo file func_source "$arg" if test -z "$pic_object" || test -z "$non_pic_object" || test "$pic_object" = none && test "$non_pic_object" = none; then func_fatal_error "cannot find name of object for \`$arg'" fi # Extract subdirectory from the argument. func_dirname "$arg" "/" "" xdir="$func_dirname_result" if test "$pic_object" != none; then # Prepend the subdirectory the object is found in. pic_object="$xdir$pic_object" if test "$prev" = dlfiles; then if test "$build_libtool_libs" = yes && test "$dlopen_support" = yes; then func_append dlfiles " $pic_object" prev= continue else # If libtool objects are unsupported, then we need to preload. prev=dlprefiles fi fi # CHECK ME: I think I busted this. -Ossama if test "$prev" = dlprefiles; then # Preload the old-style object. func_append dlprefiles " $pic_object" prev= fi # A PIC object. func_append libobjs " $pic_object" arg="$pic_object" fi # Non-PIC object. if test "$non_pic_object" != none; then # Prepend the subdirectory the object is found in. non_pic_object="$xdir$non_pic_object" # A standard non-PIC object func_append non_pic_objects " $non_pic_object" if test -z "$pic_object" || test "$pic_object" = none ; then arg="$non_pic_object" fi else # If the PIC object exists, use it instead. # $xdir was prepended to $pic_object above. non_pic_object="$pic_object" func_append non_pic_objects " $non_pic_object" fi else # Only an error if not doing a dry-run. if $opt_dry_run; then # Extract subdirectory from the argument. func_dirname "$arg" "/" "" xdir="$func_dirname_result" func_lo2o "$arg" pic_object=$xdir$objdir/$func_lo2o_result non_pic_object=$xdir$func_lo2o_result func_append libobjs " $pic_object" func_append non_pic_objects " $non_pic_object" else func_fatal_error "\`$arg' is not a valid libtool object" fi fi ;; *.$libext) # An archive. func_append deplibs " $arg" func_append old_deplibs " $arg" continue ;; *.la) # A libtool-controlled library. func_resolve_sysroot "$arg" if test "$prev" = dlfiles; then # This library was specified with -dlopen. func_append dlfiles " $func_resolve_sysroot_result" prev= elif test "$prev" = dlprefiles; then # The library was specified with -dlpreopen. func_append dlprefiles " $func_resolve_sysroot_result" prev= else func_append deplibs " $func_resolve_sysroot_result" fi continue ;; # Some other compiler argument. *) # Unknown arguments in both finalize_command and compile_command need # to be aesthetically quoted because they are evaled later. func_quote_for_eval "$arg" arg="$func_quote_for_eval_result" ;; esac # arg # Now actually substitute the argument into the commands. if test -n "$arg"; then func_append compile_command " $arg" func_append finalize_command " $arg" fi done # argument parsing loop test -n "$prev" && \ func_fatal_help "the \`$prevarg' option requires an argument" if test "$export_dynamic" = yes && test -n "$export_dynamic_flag_spec"; then eval arg=\"$export_dynamic_flag_spec\" func_append compile_command " $arg" func_append finalize_command " $arg" fi oldlibs= # calculate the name of the file, without its directory func_basename "$output" outputname="$func_basename_result" libobjs_save="$libobjs" if test -n "$shlibpath_var"; then # get the directories listed in $shlibpath_var eval shlib_search_path=\`\$ECHO \"\${$shlibpath_var}\" \| \$SED \'s/:/ /g\'\` else shlib_search_path= fi eval sys_lib_search_path=\"$sys_lib_search_path_spec\" eval sys_lib_dlsearch_path=\"$sys_lib_dlsearch_path_spec\" func_dirname "$output" "/" "" output_objdir="$func_dirname_result$objdir" func_to_tool_file "$output_objdir/" tool_output_objdir=$func_to_tool_file_result # Create the object directory. func_mkdir_p "$output_objdir" # Determine the type of output case $output in "") func_fatal_help "you must specify an output file" ;; *.$libext) linkmode=oldlib ;; *.lo | *.$objext) linkmode=obj ;; *.la) linkmode=lib ;; *) linkmode=prog ;; # Anything else should be a program. esac specialdeplibs= libs= # Find all interdependent deplibs by searching for libraries # that are linked more than once (e.g. -la -lb -la) for deplib in $deplibs; do if $opt_preserve_dup_deps ; then case "$libs " in *" $deplib "*) func_append specialdeplibs " $deplib" ;; esac fi func_append libs " $deplib" done if test "$linkmode" = lib; then libs="$predeps $libs $compiler_lib_search_path $postdeps" # Compute libraries that are listed more than once in $predeps # $postdeps and mark them as special (i.e., whose duplicates are # not to be eliminated). pre_post_deps= if $opt_duplicate_compiler_generated_deps; then for pre_post_dep in $predeps $postdeps; do case "$pre_post_deps " in *" $pre_post_dep "*) func_append specialdeplibs " $pre_post_deps" ;; esac func_append pre_post_deps " $pre_post_dep" done fi pre_post_deps= fi deplibs= newdependency_libs= newlib_search_path= need_relink=no # whether we're linking any uninstalled libtool libraries notinst_deplibs= # not-installed libtool libraries notinst_path= # paths that contain not-installed libtool libraries case $linkmode in lib) passes="conv dlpreopen link" for file in $dlfiles $dlprefiles; do case $file in *.la) ;; *) func_fatal_help "libraries can \`-dlopen' only libtool libraries: $file" ;; esac done ;; prog) compile_deplibs= finalize_deplibs= alldeplibs=no newdlfiles= newdlprefiles= passes="conv scan dlopen dlpreopen link" ;; *) passes="conv" ;; esac for pass in $passes; do # The preopen pass in lib mode reverses $deplibs; put it back here # so that -L comes before libs that need it for instance... if test "$linkmode,$pass" = "lib,link"; then ## FIXME: Find the place where the list is rebuilt in the wrong ## order, and fix it there properly tmp_deplibs= for deplib in $deplibs; do tmp_deplibs="$deplib $tmp_deplibs" done deplibs="$tmp_deplibs" fi if test "$linkmode,$pass" = "lib,link" || test "$linkmode,$pass" = "prog,scan"; then libs="$deplibs" deplibs= fi if test "$linkmode" = prog; then case $pass in dlopen) libs="$dlfiles" ;; dlpreopen) libs="$dlprefiles" ;; link) libs="$deplibs %DEPLIBS%" test "X$link_all_deplibs" != Xno && libs="$libs $dependency_libs" ;; esac fi if test "$linkmode,$pass" = "lib,dlpreopen"; then # Collect and forward deplibs of preopened libtool libs for lib in $dlprefiles; do # Ignore non-libtool-libs dependency_libs= func_resolve_sysroot "$lib" case $lib in *.la) func_source "$func_resolve_sysroot_result" ;; esac # Collect preopened libtool deplibs, except any this library # has declared as weak libs for deplib in $dependency_libs; do func_basename "$deplib" deplib_base=$func_basename_result case " $weak_libs " in *" $deplib_base "*) ;; *) func_append deplibs " $deplib" ;; esac done done libs="$dlprefiles" fi if test "$pass" = dlopen; then # Collect dlpreopened libraries save_deplibs="$deplibs" deplibs= fi for deplib in $libs; do lib= found=no case $deplib in -mt|-mthreads|-kthread|-Kthread|-pthread|-pthreads|--thread-safe \ |-threads|-fopenmp|-openmp|-mp|-xopenmp|-omp|-qsmp=*) if test "$linkmode,$pass" = "prog,link"; then compile_deplibs="$deplib $compile_deplibs" finalize_deplibs="$deplib $finalize_deplibs" else func_append compiler_flags " $deplib" if test "$linkmode" = lib ; then case "$new_inherited_linker_flags " in *" $deplib "*) ;; * ) func_append new_inherited_linker_flags " $deplib" ;; esac fi fi continue ;; -l*) if test "$linkmode" != lib && test "$linkmode" != prog; then func_warning "\`-l' is ignored for archives/objects" continue fi func_stripname '-l' '' "$deplib" name=$func_stripname_result if test "$linkmode" = lib; then searchdirs="$newlib_search_path $lib_search_path $compiler_lib_search_dirs $sys_lib_search_path $shlib_search_path" else searchdirs="$newlib_search_path $lib_search_path $sys_lib_search_path $shlib_search_path" fi for searchdir in $searchdirs; do for search_ext in .la $std_shrext .so .a; do # Search the libtool library lib="$searchdir/lib${name}${search_ext}" if test -f "$lib"; then if test "$search_ext" = ".la"; then found=yes else found=no fi break 2 fi done done if test "$found" != yes; then # deplib doesn't seem to be a libtool library if test "$linkmode,$pass" = "prog,link"; then compile_deplibs="$deplib $compile_deplibs" finalize_deplibs="$deplib $finalize_deplibs" else deplibs="$deplib $deplibs" test "$linkmode" = lib && newdependency_libs="$deplib $newdependency_libs" fi continue else # deplib is a libtool library # If $allow_libtool_libs_with_static_runtimes && $deplib is a stdlib, # We need to do some special things here, and not later. if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then case " $predeps $postdeps " in *" $deplib "*) if func_lalib_p "$lib"; then library_names= old_library= func_source "$lib" for l in $old_library $library_names; do ll="$l" done if test "X$ll" = "X$old_library" ; then # only static version available found=no func_dirname "$lib" "" "." ladir="$func_dirname_result" lib=$ladir/$old_library if test "$linkmode,$pass" = "prog,link"; then compile_deplibs="$deplib $compile_deplibs" finalize_deplibs="$deplib $finalize_deplibs" else deplibs="$deplib $deplibs" test "$linkmode" = lib && newdependency_libs="$deplib $newdependency_libs" fi continue fi fi ;; *) ;; esac fi fi ;; # -l *.ltframework) if test "$linkmode,$pass" = "prog,link"; then compile_deplibs="$deplib $compile_deplibs" finalize_deplibs="$deplib $finalize_deplibs" else deplibs="$deplib $deplibs" if test "$linkmode" = lib ; then case "$new_inherited_linker_flags " in *" $deplib "*) ;; * ) func_append new_inherited_linker_flags " $deplib" ;; esac fi fi continue ;; -L*) case $linkmode in lib) deplibs="$deplib $deplibs" test "$pass" = conv && continue newdependency_libs="$deplib $newdependency_libs" func_stripname '-L' '' "$deplib" func_resolve_sysroot "$func_stripname_result" func_append newlib_search_path " $func_resolve_sysroot_result" ;; prog) if test "$pass" = conv; then deplibs="$deplib $deplibs" continue fi if test "$pass" = scan; then deplibs="$deplib $deplibs" else compile_deplibs="$deplib $compile_deplibs" finalize_deplibs="$deplib $finalize_deplibs" fi func_stripname '-L' '' "$deplib" func_resolve_sysroot "$func_stripname_result" func_append newlib_search_path " $func_resolve_sysroot_result" ;; *) func_warning "\`-L' is ignored for archives/objects" ;; esac # linkmode continue ;; # -L -R*) if test "$pass" = link; then func_stripname '-R' '' "$deplib" func_resolve_sysroot "$func_stripname_result" dir=$func_resolve_sysroot_result # Make sure the xrpath contains only unique directories. case "$xrpath " in *" $dir "*) ;; *) func_append xrpath " $dir" ;; esac fi deplibs="$deplib $deplibs" continue ;; *.la) func_resolve_sysroot "$deplib" lib=$func_resolve_sysroot_result ;; *.$libext) if test "$pass" = conv; then deplibs="$deplib $deplibs" continue fi case $linkmode in lib) # Linking convenience modules into shared libraries is allowed, # but linking other static libraries is non-portable. case " $dlpreconveniencelibs " in *" $deplib "*) ;; *) valid_a_lib=no case $deplibs_check_method in match_pattern*) set dummy $deplibs_check_method; shift match_pattern_regex=`expr "$deplibs_check_method" : "$1 \(.*\)"` if eval "\$ECHO \"$deplib\"" 2>/dev/null | $SED 10q \ | $EGREP "$match_pattern_regex" > /dev/null; then valid_a_lib=yes fi ;; pass_all) valid_a_lib=yes ;; esac if test "$valid_a_lib" != yes; then echo $ECHO "*** Warning: Trying to link with static lib archive $deplib." echo "*** I have the capability to make that library automatically link in when" echo "*** you link to this library. But I can only do this if you have a" echo "*** shared version of the library, which you do not appear to have" echo "*** because the file extensions .$libext of this argument makes me believe" echo "*** that it is just a static archive that I should not use here." else echo $ECHO "*** Warning: Linking the shared library $output against the" $ECHO "*** static library $deplib is not portable!" deplibs="$deplib $deplibs" fi ;; esac continue ;; prog) if test "$pass" != link; then deplibs="$deplib $deplibs" else compile_deplibs="$deplib $compile_deplibs" finalize_deplibs="$deplib $finalize_deplibs" fi continue ;; esac # linkmode ;; # *.$libext *.lo | *.$objext) if test "$pass" = conv; then deplibs="$deplib $deplibs" elif test "$linkmode" = prog; then if test "$pass" = dlpreopen || test "$dlopen_support" != yes || test "$build_libtool_libs" = no; then # If there is no dlopen support or we're linking statically, # we need to preload. func_append newdlprefiles " $deplib" compile_deplibs="$deplib $compile_deplibs" finalize_deplibs="$deplib $finalize_deplibs" else func_append newdlfiles " $deplib" fi fi continue ;; %DEPLIBS%) alldeplibs=yes continue ;; esac # case $deplib if test "$found" = yes || test -f "$lib"; then : else func_fatal_error "cannot find the library \`$lib' or unhandled argument \`$deplib'" fi # Check to see that this really is a libtool archive. func_lalib_unsafe_p "$lib" \ || func_fatal_error "\`$lib' is not a valid libtool archive" func_dirname "$lib" "" "." ladir="$func_dirname_result" dlname= dlopen= dlpreopen= libdir= library_names= old_library= inherited_linker_flags= # If the library was installed with an old release of libtool, # it will not redefine variables installed, or shouldnotlink installed=yes shouldnotlink=no avoidtemprpath= # Read the .la file func_source "$lib" # Convert "-framework foo" to "foo.ltframework" if test -n "$inherited_linker_flags"; then tmp_inherited_linker_flags=`$ECHO "$inherited_linker_flags" | $SED 's/-framework \([^ $]*\)/\1.ltframework/g'` for tmp_inherited_linker_flag in $tmp_inherited_linker_flags; do case " $new_inherited_linker_flags " in *" $tmp_inherited_linker_flag "*) ;; *) func_append new_inherited_linker_flags " $tmp_inherited_linker_flag";; esac done fi dependency_libs=`$ECHO " $dependency_libs" | $SED 's% \([^ $]*\).ltframework% -framework \1%g'` if test "$linkmode,$pass" = "lib,link" || test "$linkmode,$pass" = "prog,scan" || { test "$linkmode" != prog && test "$linkmode" != lib; }; then test -n "$dlopen" && func_append dlfiles " $dlopen" test -n "$dlpreopen" && func_append dlprefiles " $dlpreopen" fi if test "$pass" = conv; then # Only check for convenience libraries deplibs="$lib $deplibs" if test -z "$libdir"; then if test -z "$old_library"; then func_fatal_error "cannot find name of link library for \`$lib'" fi # It is a libtool convenience library, so add in its objects. func_append convenience " $ladir/$objdir/$old_library" func_append old_convenience " $ladir/$objdir/$old_library" tmp_libs= for deplib in $dependency_libs; do deplibs="$deplib $deplibs" if $opt_preserve_dup_deps ; then case "$tmp_libs " in *" $deplib "*) func_append specialdeplibs " $deplib" ;; esac fi func_append tmp_libs " $deplib" done elif test "$linkmode" != prog && test "$linkmode" != lib; then func_fatal_error "\`$lib' is not a convenience library" fi continue fi # $pass = conv # Get the name of the library we link against. linklib= if test -n "$old_library" && { test "$prefer_static_libs" = yes || test "$prefer_static_libs,$installed" = "built,no"; }; then linklib=$old_library else for l in $old_library $library_names; do linklib="$l" done fi if test -z "$linklib"; then func_fatal_error "cannot find name of link library for \`$lib'" fi # This library was specified with -dlopen. if test "$pass" = dlopen; then if test -z "$libdir"; then func_fatal_error "cannot -dlopen a convenience library: \`$lib'" fi if test -z "$dlname" || test "$dlopen_support" != yes || test "$build_libtool_libs" = no; then # If there is no dlname, no dlopen support or we're linking # statically, we need to preload. We also need to preload any # dependent libraries so libltdl's deplib preloader doesn't # bomb out in the load deplibs phase. func_append dlprefiles " $lib $dependency_libs" else func_append newdlfiles " $lib" fi continue fi # $pass = dlopen # We need an absolute path. case $ladir in [\\/]* | [A-Za-z]:[\\/]*) abs_ladir="$ladir" ;; *) abs_ladir=`cd "$ladir" && pwd` if test -z "$abs_ladir"; then func_warning "cannot determine absolute directory name of \`$ladir'" func_warning "passing it literally to the linker, although it might fail" abs_ladir="$ladir" fi ;; esac func_basename "$lib" laname="$func_basename_result" # Find the relevant object directory and library name. if test "X$installed" = Xyes; then if test ! -f "$lt_sysroot$libdir/$linklib" && test -f "$abs_ladir/$linklib"; then func_warning "library \`$lib' was moved." dir="$ladir" absdir="$abs_ladir" libdir="$abs_ladir" else dir="$lt_sysroot$libdir" absdir="$lt_sysroot$libdir" fi test "X$hardcode_automatic" = Xyes && avoidtemprpath=yes else if test ! -f "$ladir/$objdir/$linklib" && test -f "$abs_ladir/$linklib"; then dir="$ladir" absdir="$abs_ladir" # Remove this search path later func_append notinst_path " $abs_ladir" else dir="$ladir/$objdir" absdir="$abs_ladir/$objdir" # Remove this search path later func_append notinst_path " $abs_ladir" fi fi # $installed = yes func_stripname 'lib' '.la' "$laname" name=$func_stripname_result # This library was specified with -dlpreopen. if test "$pass" = dlpreopen; then if test -z "$libdir" && test "$linkmode" = prog; then func_fatal_error "only libraries may -dlpreopen a convenience library: \`$lib'" fi case "$host" in # special handling for platforms with PE-DLLs. *cygwin* | *mingw* | *cegcc* ) # Linker will automatically link against shared library if both # static and shared are present. Therefore, ensure we extract # symbols from the import library if a shared library is present # (otherwise, the dlopen module name will be incorrect). We do # this by putting the import library name into $newdlprefiles. # We recover the dlopen module name by 'saving' the la file # name in a special purpose variable, and (later) extracting the # dlname from the la file. if test -n "$dlname"; then func_tr_sh "$dir/$linklib" eval "libfile_$func_tr_sh_result=\$abs_ladir/\$laname" func_append newdlprefiles " $dir/$linklib" else func_append newdlprefiles " $dir/$old_library" # Keep a list of preopened convenience libraries to check # that they are being used correctly in the link pass. test -z "$libdir" && \ func_append dlpreconveniencelibs " $dir/$old_library" fi ;; * ) # Prefer using a static library (so that no silly _DYNAMIC symbols # are required to link). if test -n "$old_library"; then func_append newdlprefiles " $dir/$old_library" # Keep a list of preopened convenience libraries to check # that they are being used correctly in the link pass. test -z "$libdir" && \ func_append dlpreconveniencelibs " $dir/$old_library" # Otherwise, use the dlname, so that lt_dlopen finds it. elif test -n "$dlname"; then func_append newdlprefiles " $dir/$dlname" else func_append newdlprefiles " $dir/$linklib" fi ;; esac fi # $pass = dlpreopen if test -z "$libdir"; then # Link the convenience library if test "$linkmode" = lib; then deplibs="$dir/$old_library $deplibs" elif test "$linkmode,$pass" = "prog,link"; then compile_deplibs="$dir/$old_library $compile_deplibs" finalize_deplibs="$dir/$old_library $finalize_deplibs" else deplibs="$lib $deplibs" # used for prog,scan pass fi continue fi if test "$linkmode" = prog && test "$pass" != link; then func_append newlib_search_path " $ladir" deplibs="$lib $deplibs" linkalldeplibs=no if test "$link_all_deplibs" != no || test -z "$library_names" || test "$build_libtool_libs" = no; then linkalldeplibs=yes fi tmp_libs= for deplib in $dependency_libs; do case $deplib in -L*) func_stripname '-L' '' "$deplib" func_resolve_sysroot "$func_stripname_result" func_append newlib_search_path " $func_resolve_sysroot_result" ;; esac # Need to link against all dependency_libs? if test "$linkalldeplibs" = yes; then deplibs="$deplib $deplibs" else # Need to hardcode shared library paths # or/and link against static libraries newdependency_libs="$deplib $newdependency_libs" fi if $opt_preserve_dup_deps ; then case "$tmp_libs " in *" $deplib "*) func_append specialdeplibs " $deplib" ;; esac fi func_append tmp_libs " $deplib" done # for deplib continue fi # $linkmode = prog... if test "$linkmode,$pass" = "prog,link"; then if test -n "$library_names" && { { test "$prefer_static_libs" = no || test "$prefer_static_libs,$installed" = "built,yes"; } || test -z "$old_library"; }; then # We need to hardcode the library path if test -n "$shlibpath_var" && test -z "$avoidtemprpath" ; then # Make sure the rpath contains only unique directories. case "$temp_rpath:" in *"$absdir:"*) ;; *) func_append temp_rpath "$absdir:" ;; esac fi # Hardcode the library path. # Skip directories that are in the system default run-time # search path. case " $sys_lib_dlsearch_path " in *" $absdir "*) ;; *) case "$compile_rpath " in *" $absdir "*) ;; *) func_append compile_rpath " $absdir" ;; esac ;; esac case " $sys_lib_dlsearch_path " in *" $libdir "*) ;; *) case "$finalize_rpath " in *" $libdir "*) ;; *) func_append finalize_rpath " $libdir" ;; esac ;; esac fi # $linkmode,$pass = prog,link... if test "$alldeplibs" = yes && { test "$deplibs_check_method" = pass_all || { test "$build_libtool_libs" = yes && test -n "$library_names"; }; }; then # We only need to search for static libraries continue fi fi link_static=no # Whether the deplib will be linked statically use_static_libs=$prefer_static_libs if test "$use_static_libs" = built && test "$installed" = yes; then use_static_libs=no fi if test -n "$library_names" && { test "$use_static_libs" = no || test -z "$old_library"; }; then case $host in *cygwin* | *mingw* | *cegcc*) # No point in relinking DLLs because paths are not encoded func_append notinst_deplibs " $lib" need_relink=no ;; *) if test "$installed" = no; then func_append notinst_deplibs " $lib" need_relink=yes fi ;; esac # This is a shared library # Warn about portability, can't link against -module's on some # systems (darwin). Don't bleat about dlopened modules though! dlopenmodule="" for dlpremoduletest in $dlprefiles; do if test "X$dlpremoduletest" = "X$lib"; then dlopenmodule="$dlpremoduletest" break fi done if test -z "$dlopenmodule" && test "$shouldnotlink" = yes && test "$pass" = link; then echo if test "$linkmode" = prog; then $ECHO "*** Warning: Linking the executable $output against the loadable module" else $ECHO "*** Warning: Linking the shared library $output against the loadable module" fi $ECHO "*** $linklib is not portable!" fi if test "$linkmode" = lib && test "$hardcode_into_libs" = yes; then # Hardcode the library path. # Skip directories that are in the system default run-time # search path. case " $sys_lib_dlsearch_path " in *" $absdir "*) ;; *) case "$compile_rpath " in *" $absdir "*) ;; *) func_append compile_rpath " $absdir" ;; esac ;; esac case " $sys_lib_dlsearch_path " in *" $libdir "*) ;; *) case "$finalize_rpath " in *" $libdir "*) ;; *) func_append finalize_rpath " $libdir" ;; esac ;; esac fi if test -n "$old_archive_from_expsyms_cmds"; then # figure out the soname set dummy $library_names shift realname="$1" shift libname=`eval "\\$ECHO \"$libname_spec\""` # use dlname if we got it. it's perfectly good, no? if test -n "$dlname"; then soname="$dlname" elif test -n "$soname_spec"; then # bleh windows case $host in *cygwin* | mingw* | *cegcc*) func_arith $current - $age major=$func_arith_result versuffix="-$major" ;; esac eval soname=\"$soname_spec\" else soname="$realname" fi # Make a new name for the extract_expsyms_cmds to use soroot="$soname" func_basename "$soroot" soname="$func_basename_result" func_stripname 'lib' '.dll' "$soname" newlib=libimp-$func_stripname_result.a # If the library has no export list, then create one now if test -f "$output_objdir/$soname-def"; then : else func_verbose "extracting exported symbol list from \`$soname'" func_execute_cmds "$extract_expsyms_cmds" 'exit $?' fi # Create $newlib if test -f "$output_objdir/$newlib"; then :; else func_verbose "generating import library for \`$soname'" func_execute_cmds "$old_archive_from_expsyms_cmds" 'exit $?' fi # make sure the library variables are pointing to the new library dir=$output_objdir linklib=$newlib fi # test -n "$old_archive_from_expsyms_cmds" if test "$linkmode" = prog || test "$opt_mode" != relink; then add_shlibpath= add_dir= add= lib_linked=yes case $hardcode_action in immediate | unsupported) if test "$hardcode_direct" = no; then add="$dir/$linklib" case $host in *-*-sco3.2v5.0.[024]*) add_dir="-L$dir" ;; *-*-sysv4*uw2*) add_dir="-L$dir" ;; *-*-sysv5OpenUNIX* | *-*-sysv5UnixWare7.[01].[10]* | \ *-*-unixware7*) add_dir="-L$dir" ;; *-*-darwin* ) # if the lib is a (non-dlopened) module then we can not # link against it, someone is ignoring the earlier warnings if /usr/bin/file -L $add 2> /dev/null | $GREP ": [^:]* bundle" >/dev/null ; then if test "X$dlopenmodule" != "X$lib"; then $ECHO "*** Warning: lib $linklib is a module, not a shared library" if test -z "$old_library" ; then echo echo "*** And there doesn't seem to be a static archive available" echo "*** The link will probably fail, sorry" else add="$dir/$old_library" fi elif test -n "$old_library"; then add="$dir/$old_library" fi fi esac elif test "$hardcode_minus_L" = no; then case $host in *-*-sunos*) add_shlibpath="$dir" ;; esac add_dir="-L$dir" add="-l$name" elif test "$hardcode_shlibpath_var" = no; then add_shlibpath="$dir" add="-l$name" else lib_linked=no fi ;; relink) if test "$hardcode_direct" = yes && test "$hardcode_direct_absolute" = no; then add="$dir/$linklib" elif test "$hardcode_minus_L" = yes; then add_dir="-L$absdir" # Try looking first in the location we're being installed to. if test -n "$inst_prefix_dir"; then case $libdir in [\\/]*) func_append add_dir " -L$inst_prefix_dir$libdir" ;; esac fi add="-l$name" elif test "$hardcode_shlibpath_var" = yes; then add_shlibpath="$dir" add="-l$name" else lib_linked=no fi ;; *) lib_linked=no ;; esac if test "$lib_linked" != yes; then func_fatal_configuration "unsupported hardcode properties" fi if test -n "$add_shlibpath"; then case :$compile_shlibpath: in *":$add_shlibpath:"*) ;; *) func_append compile_shlibpath "$add_shlibpath:" ;; esac fi if test "$linkmode" = prog; then test -n "$add_dir" && compile_deplibs="$add_dir $compile_deplibs" test -n "$add" && compile_deplibs="$add $compile_deplibs" else test -n "$add_dir" && deplibs="$add_dir $deplibs" test -n "$add" && deplibs="$add $deplibs" if test "$hardcode_direct" != yes && test "$hardcode_minus_L" != yes && test "$hardcode_shlibpath_var" = yes; then case :$finalize_shlibpath: in *":$libdir:"*) ;; *) func_append finalize_shlibpath "$libdir:" ;; esac fi fi fi if test "$linkmode" = prog || test "$opt_mode" = relink; then add_shlibpath= add_dir= add= # Finalize command for both is simple: just hardcode it. if test "$hardcode_direct" = yes && test "$hardcode_direct_absolute" = no; then add="$libdir/$linklib" elif test "$hardcode_minus_L" = yes; then add_dir="-L$libdir" add="-l$name" elif test "$hardcode_shlibpath_var" = yes; then case :$finalize_shlibpath: in *":$libdir:"*) ;; *) func_append finalize_shlibpath "$libdir:" ;; esac add="-l$name" elif test "$hardcode_automatic" = yes; then if test -n "$inst_prefix_dir" && test -f "$inst_prefix_dir$libdir/$linklib" ; then add="$inst_prefix_dir$libdir/$linklib" else add="$libdir/$linklib" fi else # We cannot seem to hardcode it, guess we'll fake it. add_dir="-L$libdir" # Try looking first in the location we're being installed to. if test -n "$inst_prefix_dir"; then case $libdir in [\\/]*) func_append add_dir " -L$inst_prefix_dir$libdir" ;; esac fi add="-l$name" fi if test "$linkmode" = prog; then test -n "$add_dir" && finalize_deplibs="$add_dir $finalize_deplibs" test -n "$add" && finalize_deplibs="$add $finalize_deplibs" else test -n "$add_dir" && deplibs="$add_dir $deplibs" test -n "$add" && deplibs="$add $deplibs" fi fi elif test "$linkmode" = prog; then # Here we assume that one of hardcode_direct or hardcode_minus_L # is not unsupported. This is valid on all known static and # shared platforms. if test "$hardcode_direct" != unsupported; then test -n "$old_library" && linklib="$old_library" compile_deplibs="$dir/$linklib $compile_deplibs" finalize_deplibs="$dir/$linklib $finalize_deplibs" else compile_deplibs="-l$name -L$dir $compile_deplibs" finalize_deplibs="-l$name -L$dir $finalize_deplibs" fi elif test "$build_libtool_libs" = yes; then # Not a shared library if test "$deplibs_check_method" != pass_all; then # We're trying link a shared library against a static one # but the system doesn't support it. # Just print a warning and add the library to dependency_libs so # that the program can be linked against the static library. echo $ECHO "*** Warning: This system can not link to static lib archive $lib." echo "*** I have the capability to make that library automatically link in when" echo "*** you link to this library. But I can only do this if you have a" echo "*** shared version of the library, which you do not appear to have." if test "$module" = yes; then echo "*** But as you try to build a module library, libtool will still create " echo "*** a static module, that should work as long as the dlopening application" echo "*** is linked with the -dlopen flag to resolve symbols at runtime." if test -z "$global_symbol_pipe"; then echo echo "*** However, this would only work if libtool was able to extract symbol" echo "*** lists from a program, using \`nm' or equivalent, but libtool could" echo "*** not find such a program. So, this module is probably useless." echo "*** \`nm' from GNU binutils and a full rebuild may help." fi if test "$build_old_libs" = no; then build_libtool_libs=module build_old_libs=yes else build_libtool_libs=no fi fi else deplibs="$dir/$old_library $deplibs" link_static=yes fi fi # link shared/static library? if test "$linkmode" = lib; then if test -n "$dependency_libs" && { test "$hardcode_into_libs" != yes || test "$build_old_libs" = yes || test "$link_static" = yes; }; then # Extract -R from dependency_libs temp_deplibs= for libdir in $dependency_libs; do case $libdir in -R*) func_stripname '-R' '' "$libdir" temp_xrpath=$func_stripname_result case " $xrpath " in *" $temp_xrpath "*) ;; *) func_append xrpath " $temp_xrpath";; esac;; *) func_append temp_deplibs " $libdir";; esac done dependency_libs="$temp_deplibs" fi func_append newlib_search_path " $absdir" # Link against this library test "$link_static" = no && newdependency_libs="$abs_ladir/$laname $newdependency_libs" # ... and its dependency_libs tmp_libs= for deplib in $dependency_libs; do newdependency_libs="$deplib $newdependency_libs" case $deplib in -L*) func_stripname '-L' '' "$deplib" func_resolve_sysroot "$func_stripname_result";; *) func_resolve_sysroot "$deplib" ;; esac if $opt_preserve_dup_deps ; then case "$tmp_libs " in *" $func_resolve_sysroot_result "*) func_append specialdeplibs " $func_resolve_sysroot_result" ;; esac fi func_append tmp_libs " $func_resolve_sysroot_result" done if test "$link_all_deplibs" != no; then # Add the search paths of all dependency libraries for deplib in $dependency_libs; do path= case $deplib in -L*) path="$deplib" ;; *.la) func_resolve_sysroot "$deplib" deplib=$func_resolve_sysroot_result func_dirname "$deplib" "" "." dir=$func_dirname_result # We need an absolute path. case $dir in [\\/]* | [A-Za-z]:[\\/]*) absdir="$dir" ;; *) absdir=`cd "$dir" && pwd` if test -z "$absdir"; then func_warning "cannot determine absolute directory name of \`$dir'" absdir="$dir" fi ;; esac if $GREP "^installed=no" $deplib > /dev/null; then case $host in *-*-darwin*) depdepl= eval deplibrary_names=`${SED} -n -e 's/^library_names=\(.*\)$/\1/p' $deplib` if test -n "$deplibrary_names" ; then for tmp in $deplibrary_names ; do depdepl=$tmp done if test -f "$absdir/$objdir/$depdepl" ; then depdepl="$absdir/$objdir/$depdepl" darwin_install_name=`${OTOOL} -L $depdepl | awk '{if (NR == 2) {print $1;exit}}'` if test -z "$darwin_install_name"; then darwin_install_name=`${OTOOL64} -L $depdepl | awk '{if (NR == 2) {print $1;exit}}'` fi func_append compiler_flags " ${wl}-dylib_file ${wl}${darwin_install_name}:${depdepl}" func_append linker_flags " -dylib_file ${darwin_install_name}:${depdepl}" path= fi fi ;; *) path="-L$absdir/$objdir" ;; esac else eval libdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $deplib` test -z "$libdir" && \ func_fatal_error "\`$deplib' is not a valid libtool archive" test "$absdir" != "$libdir" && \ func_warning "\`$deplib' seems to be moved" path="-L$absdir" fi ;; esac case " $deplibs " in *" $path "*) ;; *) deplibs="$path $deplibs" ;; esac done fi # link_all_deplibs != no fi # linkmode = lib done # for deplib in $libs if test "$pass" = link; then if test "$linkmode" = "prog"; then compile_deplibs="$new_inherited_linker_flags $compile_deplibs" finalize_deplibs="$new_inherited_linker_flags $finalize_deplibs" else compiler_flags="$compiler_flags "`$ECHO " $new_inherited_linker_flags" | $SED 's% \([^ $]*\).ltframework% -framework \1%g'` fi fi dependency_libs="$newdependency_libs" if test "$pass" = dlpreopen; then # Link the dlpreopened libraries before other libraries for deplib in $save_deplibs; do deplibs="$deplib $deplibs" done fi if test "$pass" != dlopen; then if test "$pass" != conv; then # Make sure lib_search_path contains only unique directories. lib_search_path= for dir in $newlib_search_path; do case "$lib_search_path " in *" $dir "*) ;; *) func_append lib_search_path " $dir" ;; esac done newlib_search_path= fi if test "$linkmode,$pass" != "prog,link"; then vars="deplibs" else vars="compile_deplibs finalize_deplibs" fi for var in $vars dependency_libs; do # Add libraries to $var in reverse order eval tmp_libs=\"\$$var\" new_libs= for deplib in $tmp_libs; do # FIXME: Pedantically, this is the right thing to do, so # that some nasty dependency loop isn't accidentally # broken: #new_libs="$deplib $new_libs" # Pragmatically, this seems to cause very few problems in # practice: case $deplib in -L*) new_libs="$deplib $new_libs" ;; -R*) ;; *) # And here is the reason: when a library appears more # than once as an explicit dependence of a library, or # is implicitly linked in more than once by the # compiler, it is considered special, and multiple # occurrences thereof are not removed. Compare this # with having the same library being listed as a # dependency of multiple other libraries: in this case, # we know (pedantically, we assume) the library does not # need to be listed more than once, so we keep only the # last copy. This is not always right, but it is rare # enough that we require users that really mean to play # such unportable linking tricks to link the library # using -Wl,-lname, so that libtool does not consider it # for duplicate removal. case " $specialdeplibs " in *" $deplib "*) new_libs="$deplib $new_libs" ;; *) case " $new_libs " in *" $deplib "*) ;; *) new_libs="$deplib $new_libs" ;; esac ;; esac ;; esac done tmp_libs= for deplib in $new_libs; do case $deplib in -L*) case " $tmp_libs " in *" $deplib "*) ;; *) func_append tmp_libs " $deplib" ;; esac ;; *) func_append tmp_libs " $deplib" ;; esac done eval $var=\"$tmp_libs\" done # for var fi # Last step: remove runtime libs from dependency_libs # (they stay in deplibs) tmp_libs= for i in $dependency_libs ; do case " $predeps $postdeps $compiler_lib_search_path " in *" $i "*) i="" ;; esac if test -n "$i" ; then func_append tmp_libs " $i" fi done dependency_libs=$tmp_libs done # for pass if test "$linkmode" = prog; then dlfiles="$newdlfiles" fi if test "$linkmode" = prog || test "$linkmode" = lib; then dlprefiles="$newdlprefiles" fi case $linkmode in oldlib) if test -n "$dlfiles$dlprefiles" || test "$dlself" != no; then func_warning "\`-dlopen' is ignored for archives" fi case " $deplibs" in *\ -l* | *\ -L*) func_warning "\`-l' and \`-L' are ignored for archives" ;; esac test -n "$rpath" && \ func_warning "\`-rpath' is ignored for archives" test -n "$xrpath" && \ func_warning "\`-R' is ignored for archives" test -n "$vinfo" && \ func_warning "\`-version-info/-version-number' is ignored for archives" test -n "$release" && \ func_warning "\`-release' is ignored for archives" test -n "$export_symbols$export_symbols_regex" && \ func_warning "\`-export-symbols' is ignored for archives" # Now set the variables for building old libraries. build_libtool_libs=no oldlibs="$output" func_append objs "$old_deplibs" ;; lib) # Make sure we only generate libraries of the form `libNAME.la'. case $outputname in lib*) func_stripname 'lib' '.la' "$outputname" name=$func_stripname_result eval shared_ext=\"$shrext_cmds\" eval libname=\"$libname_spec\" ;; *) test "$module" = no && \ func_fatal_help "libtool library \`$output' must begin with \`lib'" if test "$need_lib_prefix" != no; then # Add the "lib" prefix for modules if required func_stripname '' '.la' "$outputname" name=$func_stripname_result eval shared_ext=\"$shrext_cmds\" eval libname=\"$libname_spec\" else func_stripname '' '.la' "$outputname" libname=$func_stripname_result fi ;; esac if test -n "$objs"; then if test "$deplibs_check_method" != pass_all; then func_fatal_error "cannot build libtool library \`$output' from non-libtool objects on this host:$objs" else echo $ECHO "*** Warning: Linking the shared library $output against the non-libtool" $ECHO "*** objects $objs is not portable!" func_append libobjs " $objs" fi fi test "$dlself" != no && \ func_warning "\`-dlopen self' is ignored for libtool libraries" set dummy $rpath shift test "$#" -gt 1 && \ func_warning "ignoring multiple \`-rpath's for a libtool library" install_libdir="$1" oldlibs= if test -z "$rpath"; then if test "$build_libtool_libs" = yes; then # Building a libtool convenience library. # Some compilers have problems with a `.al' extension so # convenience libraries should have the same extension an # archive normally would. oldlibs="$output_objdir/$libname.$libext $oldlibs" build_libtool_libs=convenience build_old_libs=yes fi test -n "$vinfo" && \ func_warning "\`-version-info/-version-number' is ignored for convenience libraries" test -n "$release" && \ func_warning "\`-release' is ignored for convenience libraries" else # Parse the version information argument. save_ifs="$IFS"; IFS=':' set dummy $vinfo 0 0 0 shift IFS="$save_ifs" test -n "$7" && \ func_fatal_help "too many parameters to \`-version-info'" # convert absolute version numbers to libtool ages # this retains compatibility with .la files and attempts # to make the code below a bit more comprehensible case $vinfo_number in yes) number_major="$1" number_minor="$2" number_revision="$3" # # There are really only two kinds -- those that # use the current revision as the major version # and those that subtract age and use age as # a minor version. But, then there is irix # which has an extra 1 added just for fun # case $version_type in # correct linux to gnu/linux during the next big refactor darwin|linux|osf|windows|none) func_arith $number_major + $number_minor current=$func_arith_result age="$number_minor" revision="$number_revision" ;; freebsd-aout|freebsd-elf|qnx|sunos) current="$number_major" revision="$number_minor" age="0" ;; irix|nonstopux) func_arith $number_major + $number_minor current=$func_arith_result age="$number_minor" revision="$number_minor" lt_irix_increment=no ;; *) func_fatal_configuration "$modename: unknown library version type \`$version_type'" ;; esac ;; no) current="$1" revision="$2" age="$3" ;; esac # Check that each of the things are valid numbers. case $current in 0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-9][0-9][0-9][0-9]|[1-9][0-9][0-9][0-9][0-9]) ;; *) func_error "CURRENT \`$current' must be a nonnegative integer" func_fatal_error "\`$vinfo' is not valid version information" ;; esac case $revision in 0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-9][0-9][0-9][0-9]|[1-9][0-9][0-9][0-9][0-9]) ;; *) func_error "REVISION \`$revision' must be a nonnegative integer" func_fatal_error "\`$vinfo' is not valid version information" ;; esac case $age in 0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-9][0-9][0-9][0-9]|[1-9][0-9][0-9][0-9][0-9]) ;; *) func_error "AGE \`$age' must be a nonnegative integer" func_fatal_error "\`$vinfo' is not valid version information" ;; esac if test "$age" -gt "$current"; then func_error "AGE \`$age' is greater than the current interface number \`$current'" func_fatal_error "\`$vinfo' is not valid version information" fi # Calculate the version variables. major= versuffix= verstring= case $version_type in none) ;; darwin) # Like Linux, but with the current version available in # verstring for coding it into the library header func_arith $current - $age major=.$func_arith_result versuffix="$major.$age.$revision" # Darwin ld doesn't like 0 for these options... func_arith $current + 1 minor_current=$func_arith_result xlcverstring="${wl}-compatibility_version ${wl}$minor_current ${wl}-current_version ${wl}$minor_current.$revision" verstring="-compatibility_version $minor_current -current_version $minor_current.$revision" ;; freebsd-aout) major=".$current" versuffix=".$current.$revision"; ;; freebsd-elf) major=".$current" versuffix=".$current" ;; irix | nonstopux) if test "X$lt_irix_increment" = "Xno"; then func_arith $current - $age else func_arith $current - $age + 1 fi major=$func_arith_result case $version_type in nonstopux) verstring_prefix=nonstopux ;; *) verstring_prefix=sgi ;; esac verstring="$verstring_prefix$major.$revision" # Add in all the interfaces that we are compatible with. loop=$revision while test "$loop" -ne 0; do func_arith $revision - $loop iface=$func_arith_result func_arith $loop - 1 loop=$func_arith_result verstring="$verstring_prefix$major.$iface:$verstring" done # Before this point, $major must not contain `.'. major=.$major versuffix="$major.$revision" ;; linux) # correct to gnu/linux during the next big refactor func_arith $current - $age major=.$func_arith_result versuffix="$major.$age.$revision" ;; osf) func_arith $current - $age major=.$func_arith_result versuffix=".$current.$age.$revision" verstring="$current.$age.$revision" # Add in all the interfaces that we are compatible with. loop=$age while test "$loop" -ne 0; do func_arith $current - $loop iface=$func_arith_result func_arith $loop - 1 loop=$func_arith_result verstring="$verstring:${iface}.0" done # Make executables depend on our current version. func_append verstring ":${current}.0" ;; qnx) major=".$current" versuffix=".$current" ;; sunos) major=".$current" versuffix=".$current.$revision" ;; windows) # Use '-' rather than '.', since we only want one # extension on DOS 8.3 filesystems. func_arith $current - $age major=$func_arith_result versuffix="-$major" ;; *) func_fatal_configuration "unknown library version type \`$version_type'" ;; esac # Clear the version info if we defaulted, and they specified a release. if test -z "$vinfo" && test -n "$release"; then major= case $version_type in darwin) # we can't check for "0.0" in archive_cmds due to quoting # problems, so we reset it completely verstring= ;; *) verstring="0.0" ;; esac if test "$need_version" = no; then versuffix= else versuffix=".0.0" fi fi # Remove version info from name if versioning should be avoided if test "$avoid_version" = yes && test "$need_version" = no; then major= versuffix= verstring="" fi # Check to see if the archive will have undefined symbols. if test "$allow_undefined" = yes; then if test "$allow_undefined_flag" = unsupported; then func_warning "undefined symbols not allowed in $host shared libraries" build_libtool_libs=no build_old_libs=yes fi else # Don't allow undefined symbols. allow_undefined_flag="$no_undefined_flag" fi fi func_generate_dlsyms "$libname" "$libname" "yes" func_append libobjs " $symfileobj" test "X$libobjs" = "X " && libobjs= if test "$opt_mode" != relink; then # Remove our outputs, but don't remove object files since they # may have been created when compiling PIC objects. removelist= tempremovelist=`$ECHO "$output_objdir/*"` for p in $tempremovelist; do case $p in *.$objext | *.gcno) ;; $output_objdir/$outputname | $output_objdir/$libname.* | $output_objdir/${libname}${release}.*) if test "X$precious_files_regex" != "X"; then if $ECHO "$p" | $EGREP -e "$precious_files_regex" >/dev/null 2>&1 then continue fi fi func_append removelist " $p" ;; *) ;; esac done test -n "$removelist" && \ func_show_eval "${RM}r \$removelist" fi # Now set the variables for building old libraries. if test "$build_old_libs" = yes && test "$build_libtool_libs" != convenience ; then func_append oldlibs " $output_objdir/$libname.$libext" # Transform .lo files to .o files. oldobjs="$objs "`$ECHO "$libobjs" | $SP2NL | $SED "/\.${libext}$/d; $lo2o" | $NL2SP` fi # Eliminate all temporary directories. #for path in $notinst_path; do # lib_search_path=`$ECHO "$lib_search_path " | $SED "s% $path % %g"` # deplibs=`$ECHO "$deplibs " | $SED "s% -L$path % %g"` # dependency_libs=`$ECHO "$dependency_libs " | $SED "s% -L$path % %g"` #done if test -n "$xrpath"; then # If the user specified any rpath flags, then add them. temp_xrpath= for libdir in $xrpath; do func_replace_sysroot "$libdir" func_append temp_xrpath " -R$func_replace_sysroot_result" case "$finalize_rpath " in *" $libdir "*) ;; *) func_append finalize_rpath " $libdir" ;; esac done if test "$hardcode_into_libs" != yes || test "$build_old_libs" = yes; then dependency_libs="$temp_xrpath $dependency_libs" fi fi # Make sure dlfiles contains only unique files that won't be dlpreopened old_dlfiles="$dlfiles" dlfiles= for lib in $old_dlfiles; do case " $dlprefiles $dlfiles " in *" $lib "*) ;; *) func_append dlfiles " $lib" ;; esac done # Make sure dlprefiles contains only unique files old_dlprefiles="$dlprefiles" dlprefiles= for lib in $old_dlprefiles; do case "$dlprefiles " in *" $lib "*) ;; *) func_append dlprefiles " $lib" ;; esac done if test "$build_libtool_libs" = yes; then if test -n "$rpath"; then case $host in *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2* | *-*-beos* | *-cegcc* | *-*-haiku*) # these systems don't actually have a c library (as such)! ;; *-*-rhapsody* | *-*-darwin1.[012]) # Rhapsody C library is in the System framework func_append deplibs " System.ltframework" ;; *-*-netbsd*) # Don't link with libc until the a.out ld.so is fixed. ;; *-*-openbsd* | *-*-freebsd* | *-*-dragonfly*) # Do not include libc due to us having libc/libc_r. ;; *-*-sco3.2v5* | *-*-sco5v6*) # Causes problems with __ctype ;; *-*-sysv4.2uw2* | *-*-sysv5* | *-*-unixware* | *-*-OpenUNIX*) # Compiler inserts libc in the correct place for threads to work ;; *) # Add libc to deplibs on all other systems if necessary. if test "$build_libtool_need_lc" = "yes"; then func_append deplibs " -lc" fi ;; esac fi # Transform deplibs into only deplibs that can be linked in shared. name_save=$name libname_save=$libname release_save=$release versuffix_save=$versuffix major_save=$major # I'm not sure if I'm treating the release correctly. I think # release should show up in the -l (ie -lgmp5) so we don't want to # add it in twice. Is that correct? release="" versuffix="" major="" newdeplibs= droppeddeps=no case $deplibs_check_method in pass_all) # Don't check for shared/static. Everything works. # This might be a little naive. We might want to check # whether the library exists or not. But this is on # osf3 & osf4 and I'm not really sure... Just # implementing what was already the behavior. newdeplibs=$deplibs ;; test_compile) # This code stresses the "libraries are programs" paradigm to its # limits. Maybe even breaks it. We compile a program, linking it # against the deplibs as a proxy for the library. Then we can check # whether they linked in statically or dynamically with ldd. $opt_dry_run || $RM conftest.c cat > conftest.c </dev/null` $nocaseglob else potential_libs=`ls $i/$libnameglob[.-]* 2>/dev/null` fi for potent_lib in $potential_libs; do # Follow soft links. if ls -lLd "$potent_lib" 2>/dev/null | $GREP " -> " >/dev/null; then continue fi # The statement above tries to avoid entering an # endless loop below, in case of cyclic links. # We might still enter an endless loop, since a link # loop can be closed while we follow links, # but so what? potlib="$potent_lib" while test -h "$potlib" 2>/dev/null; do potliblink=`ls -ld $potlib | ${SED} 's/.* -> //'` case $potliblink in [\\/]* | [A-Za-z]:[\\/]*) potlib="$potliblink";; *) potlib=`$ECHO "$potlib" | $SED 's,[^/]*$,,'`"$potliblink";; esac done if eval $file_magic_cmd \"\$potlib\" 2>/dev/null | $SED -e 10q | $EGREP "$file_magic_regex" > /dev/null; then func_append newdeplibs " $a_deplib" a_deplib="" break 2 fi done done fi if test -n "$a_deplib" ; then droppeddeps=yes echo $ECHO "*** Warning: linker path does not have real file for library $a_deplib." echo "*** I have the capability to make that library automatically link in when" echo "*** you link to this library. But I can only do this if you have a" echo "*** shared version of the library, which you do not appear to have" echo "*** because I did check the linker path looking for a file starting" if test -z "$potlib" ; then $ECHO "*** with $libname but no candidates were found. (...for file magic test)" else $ECHO "*** with $libname and none of the candidates passed a file format test" $ECHO "*** using a file magic. Last file checked: $potlib" fi fi ;; *) # Add a -L argument. func_append newdeplibs " $a_deplib" ;; esac done # Gone through all deplibs. ;; match_pattern*) set dummy $deplibs_check_method; shift match_pattern_regex=`expr "$deplibs_check_method" : "$1 \(.*\)"` for a_deplib in $deplibs; do case $a_deplib in -l*) func_stripname -l '' "$a_deplib" name=$func_stripname_result if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then case " $predeps $postdeps " in *" $a_deplib "*) func_append newdeplibs " $a_deplib" a_deplib="" ;; esac fi if test -n "$a_deplib" ; then libname=`eval "\\$ECHO \"$libname_spec\""` for i in $lib_search_path $sys_lib_search_path $shlib_search_path; do potential_libs=`ls $i/$libname[.-]* 2>/dev/null` for potent_lib in $potential_libs; do potlib="$potent_lib" # see symlink-check above in file_magic test if eval "\$ECHO \"$potent_lib\"" 2>/dev/null | $SED 10q | \ $EGREP "$match_pattern_regex" > /dev/null; then func_append newdeplibs " $a_deplib" a_deplib="" break 2 fi done done fi if test -n "$a_deplib" ; then droppeddeps=yes echo $ECHO "*** Warning: linker path does not have real file for library $a_deplib." echo "*** I have the capability to make that library automatically link in when" echo "*** you link to this library. But I can only do this if you have a" echo "*** shared version of the library, which you do not appear to have" echo "*** because I did check the linker path looking for a file starting" if test -z "$potlib" ; then $ECHO "*** with $libname but no candidates were found. (...for regex pattern test)" else $ECHO "*** with $libname and none of the candidates passed a file format test" $ECHO "*** using a regex pattern. Last file checked: $potlib" fi fi ;; *) # Add a -L argument. func_append newdeplibs " $a_deplib" ;; esac done # Gone through all deplibs. ;; none | unknown | *) newdeplibs="" tmp_deplibs=`$ECHO " $deplibs" | $SED 's/ -lc$//; s/ -[LR][^ ]*//g'` if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then for i in $predeps $postdeps ; do # can't use Xsed below, because $i might contain '/' tmp_deplibs=`$ECHO " $tmp_deplibs" | $SED "s,$i,,"` done fi case $tmp_deplibs in *[!\ \ ]*) echo if test "X$deplibs_check_method" = "Xnone"; then echo "*** Warning: inter-library dependencies are not supported in this platform." else echo "*** Warning: inter-library dependencies are not known to be supported." fi echo "*** All declared inter-library dependencies are being dropped." droppeddeps=yes ;; esac ;; esac versuffix=$versuffix_save major=$major_save release=$release_save libname=$libname_save name=$name_save case $host in *-*-rhapsody* | *-*-darwin1.[012]) # On Rhapsody replace the C library with the System framework newdeplibs=`$ECHO " $newdeplibs" | $SED 's/ -lc / System.ltframework /'` ;; esac if test "$droppeddeps" = yes; then if test "$module" = yes; then echo echo "*** Warning: libtool could not satisfy all declared inter-library" $ECHO "*** dependencies of module $libname. Therefore, libtool will create" echo "*** a static module, that should work as long as the dlopening" echo "*** application is linked with the -dlopen flag." if test -z "$global_symbol_pipe"; then echo echo "*** However, this would only work if libtool was able to extract symbol" echo "*** lists from a program, using \`nm' or equivalent, but libtool could" echo "*** not find such a program. So, this module is probably useless." echo "*** \`nm' from GNU binutils and a full rebuild may help." fi if test "$build_old_libs" = no; then oldlibs="$output_objdir/$libname.$libext" build_libtool_libs=module build_old_libs=yes else build_libtool_libs=no fi else echo "*** The inter-library dependencies that have been dropped here will be" echo "*** automatically added whenever a program is linked with this library" echo "*** or is declared to -dlopen it." if test "$allow_undefined" = no; then echo echo "*** Since this library must not contain undefined symbols," echo "*** because either the platform does not support them or" echo "*** it was explicitly requested with -no-undefined," echo "*** libtool will only create a static version of it." if test "$build_old_libs" = no; then oldlibs="$output_objdir/$libname.$libext" build_libtool_libs=module build_old_libs=yes else build_libtool_libs=no fi fi fi fi # Done checking deplibs! deplibs=$newdeplibs fi # Time to change all our "foo.ltframework" stuff back to "-framework foo" case $host in *-*-darwin*) newdeplibs=`$ECHO " $newdeplibs" | $SED 's% \([^ $]*\).ltframework% -framework \1%g'` new_inherited_linker_flags=`$ECHO " $new_inherited_linker_flags" | $SED 's% \([^ $]*\).ltframework% -framework \1%g'` deplibs=`$ECHO " $deplibs" | $SED 's% \([^ $]*\).ltframework% -framework \1%g'` ;; esac # move library search paths that coincide with paths to not yet # installed libraries to the beginning of the library search list new_libs= for path in $notinst_path; do case " $new_libs " in *" -L$path/$objdir "*) ;; *) case " $deplibs " in *" -L$path/$objdir "*) func_append new_libs " -L$path/$objdir" ;; esac ;; esac done for deplib in $deplibs; do case $deplib in -L*) case " $new_libs " in *" $deplib "*) ;; *) func_append new_libs " $deplib" ;; esac ;; *) func_append new_libs " $deplib" ;; esac done deplibs="$new_libs" # All the library-specific variables (install_libdir is set above). library_names= old_library= dlname= # Test again, we may have decided not to build it any more if test "$build_libtool_libs" = yes; then # Remove ${wl} instances when linking with ld. # FIXME: should test the right _cmds variable. case $archive_cmds in *\$LD\ *) wl= ;; esac if test "$hardcode_into_libs" = yes; then # Hardcode the library paths hardcode_libdirs= dep_rpath= rpath="$finalize_rpath" test "$opt_mode" != relink && rpath="$compile_rpath$rpath" for libdir in $rpath; do if test -n "$hardcode_libdir_flag_spec"; then if test -n "$hardcode_libdir_separator"; then func_replace_sysroot "$libdir" libdir=$func_replace_sysroot_result if test -z "$hardcode_libdirs"; then hardcode_libdirs="$libdir" else # Just accumulate the unique libdirs. case $hardcode_libdir_separator$hardcode_libdirs$hardcode_libdir_separator in *"$hardcode_libdir_separator$libdir$hardcode_libdir_separator"*) ;; *) func_append hardcode_libdirs "$hardcode_libdir_separator$libdir" ;; esac fi else eval flag=\"$hardcode_libdir_flag_spec\" func_append dep_rpath " $flag" fi elif test -n "$runpath_var"; then case "$perm_rpath " in *" $libdir "*) ;; *) func_append perm_rpath " $libdir" ;; esac fi done # Substitute the hardcoded libdirs into the rpath. if test -n "$hardcode_libdir_separator" && test -n "$hardcode_libdirs"; then libdir="$hardcode_libdirs" eval "dep_rpath=\"$hardcode_libdir_flag_spec\"" fi if test -n "$runpath_var" && test -n "$perm_rpath"; then # We should set the runpath_var. rpath= for dir in $perm_rpath; do func_append rpath "$dir:" done eval "$runpath_var='$rpath\$$runpath_var'; export $runpath_var" fi test -n "$dep_rpath" && deplibs="$dep_rpath $deplibs" fi shlibpath="$finalize_shlibpath" test "$opt_mode" != relink && shlibpath="$compile_shlibpath$shlibpath" if test -n "$shlibpath"; then eval "$shlibpath_var='$shlibpath\$$shlibpath_var'; export $shlibpath_var" fi # Get the real and link names of the library. eval shared_ext=\"$shrext_cmds\" eval library_names=\"$library_names_spec\" set dummy $library_names shift realname="$1" shift if test -n "$soname_spec"; then eval soname=\"$soname_spec\" else soname="$realname" fi if test -z "$dlname"; then dlname=$soname fi lib="$output_objdir/$realname" linknames= for link do func_append linknames " $link" done # Use standard objects if they are pic test -z "$pic_flag" && libobjs=`$ECHO "$libobjs" | $SP2NL | $SED "$lo2o" | $NL2SP` test "X$libobjs" = "X " && libobjs= delfiles= if test -n "$export_symbols" && test -n "$include_expsyms"; then $opt_dry_run || cp "$export_symbols" "$output_objdir/$libname.uexp" export_symbols="$output_objdir/$libname.uexp" func_append delfiles " $export_symbols" fi orig_export_symbols= case $host_os in cygwin* | mingw* | cegcc*) if test -n "$export_symbols" && test -z "$export_symbols_regex"; then # exporting using user supplied symfile if test "x`$SED 1q $export_symbols`" != xEXPORTS; then # and it's NOT already a .def file. Must figure out # which of the given symbols are data symbols and tag # them as such. So, trigger use of export_symbols_cmds. # export_symbols gets reassigned inside the "prepare # the list of exported symbols" if statement, so the # include_expsyms logic still works. orig_export_symbols="$export_symbols" export_symbols= always_export_symbols=yes fi fi ;; esac # Prepare the list of exported symbols if test -z "$export_symbols"; then if test "$always_export_symbols" = yes || test -n "$export_symbols_regex"; then func_verbose "generating symbol list for \`$libname.la'" export_symbols="$output_objdir/$libname.exp" $opt_dry_run || $RM $export_symbols cmds=$export_symbols_cmds save_ifs="$IFS"; IFS='~' for cmd1 in $cmds; do IFS="$save_ifs" # Take the normal branch if the nm_file_list_spec branch # doesn't work or if tool conversion is not needed. case $nm_file_list_spec~$to_tool_file_cmd in *~func_convert_file_noop | *~func_convert_file_msys_to_w32 | ~*) try_normal_branch=yes eval cmd=\"$cmd1\" func_len " $cmd" len=$func_len_result ;; *) try_normal_branch=no ;; esac if test "$try_normal_branch" = yes \ && { test "$len" -lt "$max_cmd_len" \ || test "$max_cmd_len" -le -1; } then func_show_eval "$cmd" 'exit $?' skipped_export=false elif test -n "$nm_file_list_spec"; then func_basename "$output" output_la=$func_basename_result save_libobjs=$libobjs save_output=$output output=${output_objdir}/${output_la}.nm func_to_tool_file "$output" libobjs=$nm_file_list_spec$func_to_tool_file_result func_append delfiles " $output" func_verbose "creating $NM input file list: $output" for obj in $save_libobjs; do func_to_tool_file "$obj" $ECHO "$func_to_tool_file_result" done > "$output" eval cmd=\"$cmd1\" func_show_eval "$cmd" 'exit $?' output=$save_output libobjs=$save_libobjs skipped_export=false else # The command line is too long to execute in one step. func_verbose "using reloadable object file for export list..." skipped_export=: # Break out early, otherwise skipped_export may be # set to false by a later but shorter cmd. break fi done IFS="$save_ifs" if test -n "$export_symbols_regex" && test "X$skipped_export" != "X:"; then func_show_eval '$EGREP -e "$export_symbols_regex" "$export_symbols" > "${export_symbols}T"' func_show_eval '$MV "${export_symbols}T" "$export_symbols"' fi fi fi if test -n "$export_symbols" && test -n "$include_expsyms"; then tmp_export_symbols="$export_symbols" test -n "$orig_export_symbols" && tmp_export_symbols="$orig_export_symbols" $opt_dry_run || eval '$ECHO "$include_expsyms" | $SP2NL >> "$tmp_export_symbols"' fi if test "X$skipped_export" != "X:" && test -n "$orig_export_symbols"; then # The given exports_symbols file has to be filtered, so filter it. func_verbose "filter symbol list for \`$libname.la' to tag DATA exports" # FIXME: $output_objdir/$libname.filter potentially contains lots of # 's' commands which not all seds can handle. GNU sed should be fine # though. Also, the filter scales superlinearly with the number of # global variables. join(1) would be nice here, but unfortunately # isn't a blessed tool. $opt_dry_run || $SED -e '/[ ,]DATA/!d;s,\(.*\)\([ \,].*\),s|^\1$|\1\2|,' < $export_symbols > $output_objdir/$libname.filter func_append delfiles " $export_symbols $output_objdir/$libname.filter" export_symbols=$output_objdir/$libname.def $opt_dry_run || $SED -f $output_objdir/$libname.filter < $orig_export_symbols > $export_symbols fi tmp_deplibs= for test_deplib in $deplibs; do case " $convenience " in *" $test_deplib "*) ;; *) func_append tmp_deplibs " $test_deplib" ;; esac done deplibs="$tmp_deplibs" if test -n "$convenience"; then if test -n "$whole_archive_flag_spec" && test "$compiler_needs_object" = yes && test -z "$libobjs"; then # extract the archives, so we have objects to list. # TODO: could optimize this to just extract one archive. whole_archive_flag_spec= fi if test -n "$whole_archive_flag_spec"; then save_libobjs=$libobjs eval libobjs=\"\$libobjs $whole_archive_flag_spec\" test "X$libobjs" = "X " && libobjs= else gentop="$output_objdir/${outputname}x" func_append generated " $gentop" func_extract_archives $gentop $convenience func_append libobjs " $func_extract_archives_result" test "X$libobjs" = "X " && libobjs= fi fi if test "$thread_safe" = yes && test -n "$thread_safe_flag_spec"; then eval flag=\"$thread_safe_flag_spec\" func_append linker_flags " $flag" fi # Make a backup of the uninstalled library when relinking if test "$opt_mode" = relink; then $opt_dry_run || eval '(cd $output_objdir && $RM ${realname}U && $MV $realname ${realname}U)' || exit $? fi # Do each of the archive commands. if test "$module" = yes && test -n "$module_cmds" ; then if test -n "$export_symbols" && test -n "$module_expsym_cmds"; then eval test_cmds=\"$module_expsym_cmds\" cmds=$module_expsym_cmds else eval test_cmds=\"$module_cmds\" cmds=$module_cmds fi else if test -n "$export_symbols" && test -n "$archive_expsym_cmds"; then eval test_cmds=\"$archive_expsym_cmds\" cmds=$archive_expsym_cmds else eval test_cmds=\"$archive_cmds\" cmds=$archive_cmds fi fi if test "X$skipped_export" != "X:" && func_len " $test_cmds" && len=$func_len_result && test "$len" -lt "$max_cmd_len" || test "$max_cmd_len" -le -1; then : else # The command line is too long to link in one step, link piecewise # or, if using GNU ld and skipped_export is not :, use a linker # script. # Save the value of $output and $libobjs because we want to # use them later. If we have whole_archive_flag_spec, we # want to use save_libobjs as it was before # whole_archive_flag_spec was expanded, because we can't # assume the linker understands whole_archive_flag_spec. # This may have to be revisited, in case too many # convenience libraries get linked in and end up exceeding # the spec. if test -z "$convenience" || test -z "$whole_archive_flag_spec"; then save_libobjs=$libobjs fi save_output=$output func_basename "$output" output_la=$func_basename_result # Clear the reloadable object creation command queue and # initialize k to one. test_cmds= concat_cmds= objlist= last_robj= k=1 if test -n "$save_libobjs" && test "X$skipped_export" != "X:" && test "$with_gnu_ld" = yes; then output=${output_objdir}/${output_la}.lnkscript func_verbose "creating GNU ld script: $output" echo 'INPUT (' > $output for obj in $save_libobjs do func_to_tool_file "$obj" $ECHO "$func_to_tool_file_result" >> $output done echo ')' >> $output func_append delfiles " $output" func_to_tool_file "$output" output=$func_to_tool_file_result elif test -n "$save_libobjs" && test "X$skipped_export" != "X:" && test "X$file_list_spec" != X; then output=${output_objdir}/${output_la}.lnk func_verbose "creating linker input file list: $output" : > $output set x $save_libobjs shift firstobj= if test "$compiler_needs_object" = yes; then firstobj="$1 " shift fi for obj do func_to_tool_file "$obj" $ECHO "$func_to_tool_file_result" >> $output done func_append delfiles " $output" func_to_tool_file "$output" output=$firstobj\"$file_list_spec$func_to_tool_file_result\" else if test -n "$save_libobjs"; then func_verbose "creating reloadable object files..." output=$output_objdir/$output_la-${k}.$objext eval test_cmds=\"$reload_cmds\" func_len " $test_cmds" len0=$func_len_result len=$len0 # Loop over the list of objects to be linked. for obj in $save_libobjs do func_len " $obj" func_arith $len + $func_len_result len=$func_arith_result if test "X$objlist" = X || test "$len" -lt "$max_cmd_len"; then func_append objlist " $obj" else # The command $test_cmds is almost too long, add a # command to the queue. if test "$k" -eq 1 ; then # The first file doesn't have a previous command to add. reload_objs=$objlist eval concat_cmds=\"$reload_cmds\" else # All subsequent reloadable object files will link in # the last one created. reload_objs="$objlist $last_robj" eval concat_cmds=\"\$concat_cmds~$reload_cmds~\$RM $last_robj\" fi last_robj=$output_objdir/$output_la-${k}.$objext func_arith $k + 1 k=$func_arith_result output=$output_objdir/$output_la-${k}.$objext objlist=" $obj" func_len " $last_robj" func_arith $len0 + $func_len_result len=$func_arith_result fi done # Handle the remaining objects by creating one last # reloadable object file. All subsequent reloadable object # files will link in the last one created. test -z "$concat_cmds" || concat_cmds=$concat_cmds~ reload_objs="$objlist $last_robj" eval concat_cmds=\"\${concat_cmds}$reload_cmds\" if test -n "$last_robj"; then eval concat_cmds=\"\${concat_cmds}~\$RM $last_robj\" fi func_append delfiles " $output" else output= fi if ${skipped_export-false}; then func_verbose "generating symbol list for \`$libname.la'" export_symbols="$output_objdir/$libname.exp" $opt_dry_run || $RM $export_symbols libobjs=$output # Append the command to create the export file. test -z "$concat_cmds" || concat_cmds=$concat_cmds~ eval concat_cmds=\"\$concat_cmds$export_symbols_cmds\" if test -n "$last_robj"; then eval concat_cmds=\"\$concat_cmds~\$RM $last_robj\" fi fi test -n "$save_libobjs" && func_verbose "creating a temporary reloadable object file: $output" # Loop through the commands generated above and execute them. save_ifs="$IFS"; IFS='~' for cmd in $concat_cmds; do IFS="$save_ifs" $opt_silent || { func_quote_for_expand "$cmd" eval "func_echo $func_quote_for_expand_result" } $opt_dry_run || eval "$cmd" || { lt_exit=$? # Restore the uninstalled library and exit if test "$opt_mode" = relink; then ( cd "$output_objdir" && \ $RM "${realname}T" && \ $MV "${realname}U" "$realname" ) fi exit $lt_exit } done IFS="$save_ifs" if test -n "$export_symbols_regex" && ${skipped_export-false}; then func_show_eval '$EGREP -e "$export_symbols_regex" "$export_symbols" > "${export_symbols}T"' func_show_eval '$MV "${export_symbols}T" "$export_symbols"' fi fi if ${skipped_export-false}; then if test -n "$export_symbols" && test -n "$include_expsyms"; then tmp_export_symbols="$export_symbols" test -n "$orig_export_symbols" && tmp_export_symbols="$orig_export_symbols" $opt_dry_run || eval '$ECHO "$include_expsyms" | $SP2NL >> "$tmp_export_symbols"' fi if test -n "$orig_export_symbols"; then # The given exports_symbols file has to be filtered, so filter it. func_verbose "filter symbol list for \`$libname.la' to tag DATA exports" # FIXME: $output_objdir/$libname.filter potentially contains lots of # 's' commands which not all seds can handle. GNU sed should be fine # though. Also, the filter scales superlinearly with the number of # global variables. join(1) would be nice here, but unfortunately # isn't a blessed tool. $opt_dry_run || $SED -e '/[ ,]DATA/!d;s,\(.*\)\([ \,].*\),s|^\1$|\1\2|,' < $export_symbols > $output_objdir/$libname.filter func_append delfiles " $export_symbols $output_objdir/$libname.filter" export_symbols=$output_objdir/$libname.def $opt_dry_run || $SED -f $output_objdir/$libname.filter < $orig_export_symbols > $export_symbols fi fi libobjs=$output # Restore the value of output. output=$save_output if test -n "$convenience" && test -n "$whole_archive_flag_spec"; then eval libobjs=\"\$libobjs $whole_archive_flag_spec\" test "X$libobjs" = "X " && libobjs= fi # Expand the library linking commands again to reset the # value of $libobjs for piecewise linking. # Do each of the archive commands. if test "$module" = yes && test -n "$module_cmds" ; then if test -n "$export_symbols" && test -n "$module_expsym_cmds"; then cmds=$module_expsym_cmds else cmds=$module_cmds fi else if test -n "$export_symbols" && test -n "$archive_expsym_cmds"; then cmds=$archive_expsym_cmds else cmds=$archive_cmds fi fi fi if test -n "$delfiles"; then # Append the command to remove temporary files to $cmds. eval cmds=\"\$cmds~\$RM $delfiles\" fi # Add any objects from preloaded convenience libraries if test -n "$dlprefiles"; then gentop="$output_objdir/${outputname}x" func_append generated " $gentop" func_extract_archives $gentop $dlprefiles func_append libobjs " $func_extract_archives_result" test "X$libobjs" = "X " && libobjs= fi save_ifs="$IFS"; IFS='~' for cmd in $cmds; do IFS="$save_ifs" eval cmd=\"$cmd\" $opt_silent || { func_quote_for_expand "$cmd" eval "func_echo $func_quote_for_expand_result" } $opt_dry_run || eval "$cmd" || { lt_exit=$? # Restore the uninstalled library and exit if test "$opt_mode" = relink; then ( cd "$output_objdir" && \ $RM "${realname}T" && \ $MV "${realname}U" "$realname" ) fi exit $lt_exit } done IFS="$save_ifs" # Restore the uninstalled library and exit if test "$opt_mode" = relink; then $opt_dry_run || eval '(cd $output_objdir && $RM ${realname}T && $MV $realname ${realname}T && $MV ${realname}U $realname)' || exit $? if test -n "$convenience"; then if test -z "$whole_archive_flag_spec"; then func_show_eval '${RM}r "$gentop"' fi fi exit $EXIT_SUCCESS fi # Create links to the real library. for linkname in $linknames; do if test "$realname" != "$linkname"; then func_show_eval '(cd "$output_objdir" && $RM "$linkname" && $LN_S "$realname" "$linkname")' 'exit $?' fi done # If -module or -export-dynamic was specified, set the dlname. if test "$module" = yes || test "$export_dynamic" = yes; then # On all known operating systems, these are identical. dlname="$soname" fi fi ;; obj) if test -n "$dlfiles$dlprefiles" || test "$dlself" != no; then func_warning "\`-dlopen' is ignored for objects" fi case " $deplibs" in *\ -l* | *\ -L*) func_warning "\`-l' and \`-L' are ignored for objects" ;; esac test -n "$rpath" && \ func_warning "\`-rpath' is ignored for objects" test -n "$xrpath" && \ func_warning "\`-R' is ignored for objects" test -n "$vinfo" && \ func_warning "\`-version-info' is ignored for objects" test -n "$release" && \ func_warning "\`-release' is ignored for objects" case $output in *.lo) test -n "$objs$old_deplibs" && \ func_fatal_error "cannot build library object \`$output' from non-libtool objects" libobj=$output func_lo2o "$libobj" obj=$func_lo2o_result ;; *) libobj= obj="$output" ;; esac # Delete the old objects. $opt_dry_run || $RM $obj $libobj # Objects from convenience libraries. This assumes # single-version convenience libraries. Whenever we create # different ones for PIC/non-PIC, this we'll have to duplicate # the extraction. reload_conv_objs= gentop= # reload_cmds runs $LD directly, so let us get rid of # -Wl from whole_archive_flag_spec and hope we can get by with # turning comma into space.. wl= if test -n "$convenience"; then if test -n "$whole_archive_flag_spec"; then eval tmp_whole_archive_flags=\"$whole_archive_flag_spec\" reload_conv_objs=$reload_objs\ `$ECHO "$tmp_whole_archive_flags" | $SED 's|,| |g'` else gentop="$output_objdir/${obj}x" func_append generated " $gentop" func_extract_archives $gentop $convenience reload_conv_objs="$reload_objs $func_extract_archives_result" fi fi # If we're not building shared, we need to use non_pic_objs test "$build_libtool_libs" != yes && libobjs="$non_pic_objects" # Create the old-style object. reload_objs="$objs$old_deplibs "`$ECHO "$libobjs" | $SP2NL | $SED "/\.${libext}$/d; /\.lib$/d; $lo2o" | $NL2SP`" $reload_conv_objs" ### testsuite: skip nested quoting test output="$obj" func_execute_cmds "$reload_cmds" 'exit $?' # Exit if we aren't doing a library object file. if test -z "$libobj"; then if test -n "$gentop"; then func_show_eval '${RM}r "$gentop"' fi exit $EXIT_SUCCESS fi if test "$build_libtool_libs" != yes; then if test -n "$gentop"; then func_show_eval '${RM}r "$gentop"' fi # Create an invalid libtool object if no PIC, so that we don't # accidentally link it into a program. # $show "echo timestamp > $libobj" # $opt_dry_run || eval "echo timestamp > $libobj" || exit $? exit $EXIT_SUCCESS fi if test -n "$pic_flag" || test "$pic_mode" != default; then # Only do commands if we really have different PIC objects. reload_objs="$libobjs $reload_conv_objs" output="$libobj" func_execute_cmds "$reload_cmds" 'exit $?' fi if test -n "$gentop"; then func_show_eval '${RM}r "$gentop"' fi exit $EXIT_SUCCESS ;; prog) case $host in *cygwin*) func_stripname '' '.exe' "$output" output=$func_stripname_result.exe;; esac test -n "$vinfo" && \ func_warning "\`-version-info' is ignored for programs" test -n "$release" && \ func_warning "\`-release' is ignored for programs" test "$preload" = yes \ && test "$dlopen_support" = unknown \ && test "$dlopen_self" = unknown \ && test "$dlopen_self_static" = unknown && \ func_warning "\`LT_INIT([dlopen])' not used. Assuming no dlopen support." case $host in *-*-rhapsody* | *-*-darwin1.[012]) # On Rhapsody replace the C library is the System framework compile_deplibs=`$ECHO " $compile_deplibs" | $SED 's/ -lc / System.ltframework /'` finalize_deplibs=`$ECHO " $finalize_deplibs" | $SED 's/ -lc / System.ltframework /'` ;; esac case $host in *-*-darwin*) # Don't allow lazy linking, it breaks C++ global constructors # But is supposedly fixed on 10.4 or later (yay!). if test "$tagname" = CXX ; then case ${MACOSX_DEPLOYMENT_TARGET-10.0} in 10.[0123]) func_append compile_command " ${wl}-bind_at_load" func_append finalize_command " ${wl}-bind_at_load" ;; esac fi # Time to change all our "foo.ltframework" stuff back to "-framework foo" compile_deplibs=`$ECHO " $compile_deplibs" | $SED 's% \([^ $]*\).ltframework% -framework \1%g'` finalize_deplibs=`$ECHO " $finalize_deplibs" | $SED 's% \([^ $]*\).ltframework% -framework \1%g'` ;; esac # move library search paths that coincide with paths to not yet # installed libraries to the beginning of the library search list new_libs= for path in $notinst_path; do case " $new_libs " in *" -L$path/$objdir "*) ;; *) case " $compile_deplibs " in *" -L$path/$objdir "*) func_append new_libs " -L$path/$objdir" ;; esac ;; esac done for deplib in $compile_deplibs; do case $deplib in -L*) case " $new_libs " in *" $deplib "*) ;; *) func_append new_libs " $deplib" ;; esac ;; *) func_append new_libs " $deplib" ;; esac done compile_deplibs="$new_libs" func_append compile_command " $compile_deplibs" func_append finalize_command " $finalize_deplibs" if test -n "$rpath$xrpath"; then # If the user specified any rpath flags, then add them. for libdir in $rpath $xrpath; do # This is the magic to use -rpath. case "$finalize_rpath " in *" $libdir "*) ;; *) func_append finalize_rpath " $libdir" ;; esac done fi # Now hardcode the library paths rpath= hardcode_libdirs= for libdir in $compile_rpath $finalize_rpath; do if test -n "$hardcode_libdir_flag_spec"; then if test -n "$hardcode_libdir_separator"; then if test -z "$hardcode_libdirs"; then hardcode_libdirs="$libdir" else # Just accumulate the unique libdirs. case $hardcode_libdir_separator$hardcode_libdirs$hardcode_libdir_separator in *"$hardcode_libdir_separator$libdir$hardcode_libdir_separator"*) ;; *) func_append hardcode_libdirs "$hardcode_libdir_separator$libdir" ;; esac fi else eval flag=\"$hardcode_libdir_flag_spec\" func_append rpath " $flag" fi elif test -n "$runpath_var"; then case "$perm_rpath " in *" $libdir "*) ;; *) func_append perm_rpath " $libdir" ;; esac fi case $host in *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2* | *-cegcc*) testbindir=`${ECHO} "$libdir" | ${SED} -e 's*/lib$*/bin*'` case :$dllsearchpath: in *":$libdir:"*) ;; ::) dllsearchpath=$libdir;; *) func_append dllsearchpath ":$libdir";; esac case :$dllsearchpath: in *":$testbindir:"*) ;; ::) dllsearchpath=$testbindir;; *) func_append dllsearchpath ":$testbindir";; esac ;; esac done # Substitute the hardcoded libdirs into the rpath. if test -n "$hardcode_libdir_separator" && test -n "$hardcode_libdirs"; then libdir="$hardcode_libdirs" eval rpath=\" $hardcode_libdir_flag_spec\" fi compile_rpath="$rpath" rpath= hardcode_libdirs= for libdir in $finalize_rpath; do if test -n "$hardcode_libdir_flag_spec"; then if test -n "$hardcode_libdir_separator"; then if test -z "$hardcode_libdirs"; then hardcode_libdirs="$libdir" else # Just accumulate the unique libdirs. case $hardcode_libdir_separator$hardcode_libdirs$hardcode_libdir_separator in *"$hardcode_libdir_separator$libdir$hardcode_libdir_separator"*) ;; *) func_append hardcode_libdirs "$hardcode_libdir_separator$libdir" ;; esac fi else eval flag=\"$hardcode_libdir_flag_spec\" func_append rpath " $flag" fi elif test -n "$runpath_var"; then case "$finalize_perm_rpath " in *" $libdir "*) ;; *) func_append finalize_perm_rpath " $libdir" ;; esac fi done # Substitute the hardcoded libdirs into the rpath. if test -n "$hardcode_libdir_separator" && test -n "$hardcode_libdirs"; then libdir="$hardcode_libdirs" eval rpath=\" $hardcode_libdir_flag_spec\" fi finalize_rpath="$rpath" if test -n "$libobjs" && test "$build_old_libs" = yes; then # Transform all the library objects into standard objects. compile_command=`$ECHO "$compile_command" | $SP2NL | $SED "$lo2o" | $NL2SP` finalize_command=`$ECHO "$finalize_command" | $SP2NL | $SED "$lo2o" | $NL2SP` fi func_generate_dlsyms "$outputname" "@PROGRAM@" "no" # template prelinking step if test -n "$prelink_cmds"; then func_execute_cmds "$prelink_cmds" 'exit $?' fi wrappers_required=yes case $host in *cegcc* | *mingw32ce*) # Disable wrappers for cegcc and mingw32ce hosts, we are cross compiling anyway. wrappers_required=no ;; *cygwin* | *mingw* ) if test "$build_libtool_libs" != yes; then wrappers_required=no fi ;; *) if test "$need_relink" = no || test "$build_libtool_libs" != yes; then wrappers_required=no fi ;; esac if test "$wrappers_required" = no; then # Replace the output file specification. compile_command=`$ECHO "$compile_command" | $SED 's%@OUTPUT@%'"$output"'%g'` link_command="$compile_command$compile_rpath" # We have no uninstalled library dependencies, so finalize right now. exit_status=0 func_show_eval "$link_command" 'exit_status=$?' if test -n "$postlink_cmds"; then func_to_tool_file "$output" postlink_cmds=`func_echo_all "$postlink_cmds" | $SED -e 's%@OUTPUT@%'"$output"'%g' -e 's%@TOOL_OUTPUT@%'"$func_to_tool_file_result"'%g'` func_execute_cmds "$postlink_cmds" 'exit $?' fi # Delete the generated files. if test -f "$output_objdir/${outputname}S.${objext}"; then func_show_eval '$RM "$output_objdir/${outputname}S.${objext}"' fi exit $exit_status fi if test -n "$compile_shlibpath$finalize_shlibpath"; then compile_command="$shlibpath_var=\"$compile_shlibpath$finalize_shlibpath\$$shlibpath_var\" $compile_command" fi if test -n "$finalize_shlibpath"; then finalize_command="$shlibpath_var=\"$finalize_shlibpath\$$shlibpath_var\" $finalize_command" fi compile_var= finalize_var= if test -n "$runpath_var"; then if test -n "$perm_rpath"; then # We should set the runpath_var. rpath= for dir in $perm_rpath; do func_append rpath "$dir:" done compile_var="$runpath_var=\"$rpath\$$runpath_var\" " fi if test -n "$finalize_perm_rpath"; then # We should set the runpath_var. rpath= for dir in $finalize_perm_rpath; do func_append rpath "$dir:" done finalize_var="$runpath_var=\"$rpath\$$runpath_var\" " fi fi if test "$no_install" = yes; then # We don't need to create a wrapper script. link_command="$compile_var$compile_command$compile_rpath" # Replace the output file specification. link_command=`$ECHO "$link_command" | $SED 's%@OUTPUT@%'"$output"'%g'` # Delete the old output file. $opt_dry_run || $RM $output # Link the executable and exit func_show_eval "$link_command" 'exit $?' if test -n "$postlink_cmds"; then func_to_tool_file "$output" postlink_cmds=`func_echo_all "$postlink_cmds" | $SED -e 's%@OUTPUT@%'"$output"'%g' -e 's%@TOOL_OUTPUT@%'"$func_to_tool_file_result"'%g'` func_execute_cmds "$postlink_cmds" 'exit $?' fi exit $EXIT_SUCCESS fi if test "$hardcode_action" = relink; then # Fast installation is not supported link_command="$compile_var$compile_command$compile_rpath" relink_command="$finalize_var$finalize_command$finalize_rpath" func_warning "this platform does not like uninstalled shared libraries" func_warning "\`$output' will be relinked during installation" else if test "$fast_install" != no; then link_command="$finalize_var$compile_command$finalize_rpath" if test "$fast_install" = yes; then relink_command=`$ECHO "$compile_var$compile_command$compile_rpath" | $SED 's%@OUTPUT@%\$progdir/\$file%g'` else # fast_install is set to needless relink_command= fi else link_command="$compile_var$compile_command$compile_rpath" relink_command="$finalize_var$finalize_command$finalize_rpath" fi fi # Replace the output file specification. link_command=`$ECHO "$link_command" | $SED 's%@OUTPUT@%'"$output_objdir/$outputname"'%g'` # Delete the old output files. $opt_dry_run || $RM $output $output_objdir/$outputname $output_objdir/lt-$outputname func_show_eval "$link_command" 'exit $?' if test -n "$postlink_cmds"; then func_to_tool_file "$output_objdir/$outputname" postlink_cmds=`func_echo_all "$postlink_cmds" | $SED -e 's%@OUTPUT@%'"$output_objdir/$outputname"'%g' -e 's%@TOOL_OUTPUT@%'"$func_to_tool_file_result"'%g'` func_execute_cmds "$postlink_cmds" 'exit $?' fi # Now create the wrapper script. func_verbose "creating $output" # Quote the relink command for shipping. if test -n "$relink_command"; then # Preserve any variables that may affect compiler behavior for var in $variables_saved_for_relink; do if eval test -z \"\${$var+set}\"; then relink_command="{ test -z \"\${$var+set}\" || $lt_unset $var || { $var=; export $var; }; }; $relink_command" elif eval var_value=\$$var; test -z "$var_value"; then relink_command="$var=; export $var; $relink_command" else func_quote_for_eval "$var_value" relink_command="$var=$func_quote_for_eval_result; export $var; $relink_command" fi done relink_command="(cd `pwd`; $relink_command)" relink_command=`$ECHO "$relink_command" | $SED "$sed_quote_subst"` fi # Only actually do things if not in dry run mode. $opt_dry_run || { # win32 will think the script is a binary if it has # a .exe suffix, so we strip it off here. case $output in *.exe) func_stripname '' '.exe' "$output" output=$func_stripname_result ;; esac # test for cygwin because mv fails w/o .exe extensions case $host in *cygwin*) exeext=.exe func_stripname '' '.exe' "$outputname" outputname=$func_stripname_result ;; *) exeext= ;; esac case $host in *cygwin* | *mingw* ) func_dirname_and_basename "$output" "" "." output_name=$func_basename_result output_path=$func_dirname_result cwrappersource="$output_path/$objdir/lt-$output_name.c" cwrapper="$output_path/$output_name.exe" $RM $cwrappersource $cwrapper trap "$RM $cwrappersource $cwrapper; exit $EXIT_FAILURE" 1 2 15 func_emit_cwrapperexe_src > $cwrappersource # The wrapper executable is built using the $host compiler, # because it contains $host paths and files. If cross- # compiling, it, like the target executable, must be # executed on the $host or under an emulation environment. $opt_dry_run || { $LTCC $LTCFLAGS -o $cwrapper $cwrappersource $STRIP $cwrapper } # Now, create the wrapper script for func_source use: func_ltwrapper_scriptname $cwrapper $RM $func_ltwrapper_scriptname_result trap "$RM $func_ltwrapper_scriptname_result; exit $EXIT_FAILURE" 1 2 15 $opt_dry_run || { # note: this script will not be executed, so do not chmod. if test "x$build" = "x$host" ; then $cwrapper --lt-dump-script > $func_ltwrapper_scriptname_result else func_emit_wrapper no > $func_ltwrapper_scriptname_result fi } ;; * ) $RM $output trap "$RM $output; exit $EXIT_FAILURE" 1 2 15 func_emit_wrapper no > $output chmod +x $output ;; esac } exit $EXIT_SUCCESS ;; esac # See if we need to build an old-fashioned archive. for oldlib in $oldlibs; do if test "$build_libtool_libs" = convenience; then oldobjs="$libobjs_save $symfileobj" addlibs="$convenience" build_libtool_libs=no else if test "$build_libtool_libs" = module; then oldobjs="$libobjs_save" build_libtool_libs=no else oldobjs="$old_deplibs $non_pic_objects" if test "$preload" = yes && test -f "$symfileobj"; then func_append oldobjs " $symfileobj" fi fi addlibs="$old_convenience" fi if test -n "$addlibs"; then gentop="$output_objdir/${outputname}x" func_append generated " $gentop" func_extract_archives $gentop $addlibs func_append oldobjs " $func_extract_archives_result" fi # Do each command in the archive commands. if test -n "$old_archive_from_new_cmds" && test "$build_libtool_libs" = yes; then cmds=$old_archive_from_new_cmds else # Add any objects from preloaded convenience libraries if test -n "$dlprefiles"; then gentop="$output_objdir/${outputname}x" func_append generated " $gentop" func_extract_archives $gentop $dlprefiles func_append oldobjs " $func_extract_archives_result" fi # POSIX demands no paths to be encoded in archives. We have # to avoid creating archives with duplicate basenames if we # might have to extract them afterwards, e.g., when creating a # static archive out of a convenience library, or when linking # the entirety of a libtool archive into another (currently # not supported by libtool). if (for obj in $oldobjs do func_basename "$obj" $ECHO "$func_basename_result" done | sort | sort -uc >/dev/null 2>&1); then : else echo "copying selected object files to avoid basename conflicts..." gentop="$output_objdir/${outputname}x" func_append generated " $gentop" func_mkdir_p "$gentop" save_oldobjs=$oldobjs oldobjs= counter=1 for obj in $save_oldobjs do func_basename "$obj" objbase="$func_basename_result" case " $oldobjs " in " ") oldobjs=$obj ;; *[\ /]"$objbase "*) while :; do # Make sure we don't pick an alternate name that also # overlaps. newobj=lt$counter-$objbase func_arith $counter + 1 counter=$func_arith_result case " $oldobjs " in *[\ /]"$newobj "*) ;; *) if test ! -f "$gentop/$newobj"; then break; fi ;; esac done func_show_eval "ln $obj $gentop/$newobj || cp $obj $gentop/$newobj" func_append oldobjs " $gentop/$newobj" ;; *) func_append oldobjs " $obj" ;; esac done fi func_to_tool_file "$oldlib" func_convert_file_msys_to_w32 tool_oldlib=$func_to_tool_file_result eval cmds=\"$old_archive_cmds\" func_len " $cmds" len=$func_len_result if test "$len" -lt "$max_cmd_len" || test "$max_cmd_len" -le -1; then cmds=$old_archive_cmds elif test -n "$archiver_list_spec"; then func_verbose "using command file archive linking..." for obj in $oldobjs do func_to_tool_file "$obj" $ECHO "$func_to_tool_file_result" done > $output_objdir/$libname.libcmd func_to_tool_file "$output_objdir/$libname.libcmd" oldobjs=" $archiver_list_spec$func_to_tool_file_result" cmds=$old_archive_cmds else # the command line is too long to link in one step, link in parts func_verbose "using piecewise archive linking..." save_RANLIB=$RANLIB RANLIB=: objlist= concat_cmds= save_oldobjs=$oldobjs oldobjs= # Is there a better way of finding the last object in the list? for obj in $save_oldobjs do last_oldobj=$obj done eval test_cmds=\"$old_archive_cmds\" func_len " $test_cmds" len0=$func_len_result len=$len0 for obj in $save_oldobjs do func_len " $obj" func_arith $len + $func_len_result len=$func_arith_result func_append objlist " $obj" if test "$len" -lt "$max_cmd_len"; then : else # the above command should be used before it gets too long oldobjs=$objlist if test "$obj" = "$last_oldobj" ; then RANLIB=$save_RANLIB fi test -z "$concat_cmds" || concat_cmds=$concat_cmds~ eval concat_cmds=\"\${concat_cmds}$old_archive_cmds\" objlist= len=$len0 fi done RANLIB=$save_RANLIB oldobjs=$objlist if test "X$oldobjs" = "X" ; then eval cmds=\"\$concat_cmds\" else eval cmds=\"\$concat_cmds~\$old_archive_cmds\" fi fi fi func_execute_cmds "$cmds" 'exit $?' done test -n "$generated" && \ func_show_eval "${RM}r$generated" # Now create the libtool archive. case $output in *.la) old_library= test "$build_old_libs" = yes && old_library="$libname.$libext" func_verbose "creating $output" # Preserve any variables that may affect compiler behavior for var in $variables_saved_for_relink; do if eval test -z \"\${$var+set}\"; then relink_command="{ test -z \"\${$var+set}\" || $lt_unset $var || { $var=; export $var; }; }; $relink_command" elif eval var_value=\$$var; test -z "$var_value"; then relink_command="$var=; export $var; $relink_command" else func_quote_for_eval "$var_value" relink_command="$var=$func_quote_for_eval_result; export $var; $relink_command" fi done # Quote the link command for shipping. relink_command="(cd `pwd`; $SHELL $progpath $preserve_args --mode=relink $libtool_args @inst_prefix_dir@)" relink_command=`$ECHO "$relink_command" | $SED "$sed_quote_subst"` if test "$hardcode_automatic" = yes ; then relink_command= fi # Only create the output if not a dry run. $opt_dry_run || { for installed in no yes; do if test "$installed" = yes; then if test -z "$install_libdir"; then break fi output="$output_objdir/$outputname"i # Replace all uninstalled libtool libraries with the installed ones newdependency_libs= for deplib in $dependency_libs; do case $deplib in *.la) func_basename "$deplib" name="$func_basename_result" func_resolve_sysroot "$deplib" eval libdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $func_resolve_sysroot_result` test -z "$libdir" && \ func_fatal_error "\`$deplib' is not a valid libtool archive" func_append newdependency_libs " ${lt_sysroot:+=}$libdir/$name" ;; -L*) func_stripname -L '' "$deplib" func_replace_sysroot "$func_stripname_result" func_append newdependency_libs " -L$func_replace_sysroot_result" ;; -R*) func_stripname -R '' "$deplib" func_replace_sysroot "$func_stripname_result" func_append newdependency_libs " -R$func_replace_sysroot_result" ;; *) func_append newdependency_libs " $deplib" ;; esac done dependency_libs="$newdependency_libs" newdlfiles= for lib in $dlfiles; do case $lib in *.la) func_basename "$lib" name="$func_basename_result" eval libdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $lib` test -z "$libdir" && \ func_fatal_error "\`$lib' is not a valid libtool archive" func_append newdlfiles " ${lt_sysroot:+=}$libdir/$name" ;; *) func_append newdlfiles " $lib" ;; esac done dlfiles="$newdlfiles" newdlprefiles= for lib in $dlprefiles; do case $lib in *.la) # Only pass preopened files to the pseudo-archive (for # eventual linking with the app. that links it) if we # didn't already link the preopened objects directly into # the library: func_basename "$lib" name="$func_basename_result" eval libdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $lib` test -z "$libdir" && \ func_fatal_error "\`$lib' is not a valid libtool archive" func_append newdlprefiles " ${lt_sysroot:+=}$libdir/$name" ;; esac done dlprefiles="$newdlprefiles" else newdlfiles= for lib in $dlfiles; do case $lib in [\\/]* | [A-Za-z]:[\\/]*) abs="$lib" ;; *) abs=`pwd`"/$lib" ;; esac func_append newdlfiles " $abs" done dlfiles="$newdlfiles" newdlprefiles= for lib in $dlprefiles; do case $lib in [\\/]* | [A-Za-z]:[\\/]*) abs="$lib" ;; *) abs=`pwd`"/$lib" ;; esac func_append newdlprefiles " $abs" done dlprefiles="$newdlprefiles" fi $RM $output # place dlname in correct position for cygwin # In fact, it would be nice if we could use this code for all target # systems that can't hard-code library paths into their executables # and that have no shared library path variable independent of PATH, # but it turns out we can't easily determine that from inspecting # libtool variables, so we have to hard-code the OSs to which it # applies here; at the moment, that means platforms that use the PE # object format with DLL files. See the long comment at the top of # tests/bindir.at for full details. tdlname=$dlname case $host,$output,$installed,$module,$dlname in *cygwin*,*lai,yes,no,*.dll | *mingw*,*lai,yes,no,*.dll | *cegcc*,*lai,yes,no,*.dll) # If a -bindir argument was supplied, place the dll there. if test "x$bindir" != x ; then func_relative_path "$install_libdir" "$bindir" tdlname=$func_relative_path_result$dlname else # Otherwise fall back on heuristic. tdlname=../bin/$dlname fi ;; esac $ECHO > $output "\ # $outputname - a libtool library file # Generated by $PROGRAM (GNU $PACKAGE$TIMESTAMP) $VERSION # # Please DO NOT delete this file! # It is necessary for linking the library. # The name that we can dlopen(3). dlname='$tdlname' # Names of this library. library_names='$library_names' # The name of the static archive. old_library='$old_library' # Linker flags that can not go in dependency_libs. inherited_linker_flags='$new_inherited_linker_flags' # Libraries that this one depends upon. dependency_libs='$dependency_libs' # Names of additional weak libraries provided by this library weak_library_names='$weak_libs' # Version information for $libname. current=$current age=$age revision=$revision # Is this an already installed library? installed=$installed # Should we warn about portability when linking against -modules? shouldnotlink=$module # Files to dlopen/dlpreopen dlopen='$dlfiles' dlpreopen='$dlprefiles' # Directory that this library needs to be installed in: libdir='$install_libdir'" if test "$installed" = no && test "$need_relink" = yes; then $ECHO >> $output "\ relink_command=\"$relink_command\"" fi done } # Do a symbolic link so that the libtool archive can be found in # LD_LIBRARY_PATH before the program is installed. func_show_eval '( cd "$output_objdir" && $RM "$outputname" && $LN_S "../$outputname" "$outputname" )' 'exit $?' ;; esac exit $EXIT_SUCCESS } { test "$opt_mode" = link || test "$opt_mode" = relink; } && func_mode_link ${1+"$@"} # func_mode_uninstall arg... func_mode_uninstall () { $opt_debug RM="$nonopt" files= rmforce= exit_status=0 # This variable tells wrapper scripts just to set variables rather # than running their programs. libtool_install_magic="$magic" for arg do case $arg in -f) func_append RM " $arg"; rmforce=yes ;; -*) func_append RM " $arg" ;; *) func_append files " $arg" ;; esac done test -z "$RM" && \ func_fatal_help "you must specify an RM program" rmdirs= for file in $files; do func_dirname "$file" "" "." dir="$func_dirname_result" if test "X$dir" = X.; then odir="$objdir" else odir="$dir/$objdir" fi func_basename "$file" name="$func_basename_result" test "$opt_mode" = uninstall && odir="$dir" # Remember odir for removal later, being careful to avoid duplicates if test "$opt_mode" = clean; then case " $rmdirs " in *" $odir "*) ;; *) func_append rmdirs " $odir" ;; esac fi # Don't error if the file doesn't exist and rm -f was used. if { test -L "$file"; } >/dev/null 2>&1 || { test -h "$file"; } >/dev/null 2>&1 || test -f "$file"; then : elif test -d "$file"; then exit_status=1 continue elif test "$rmforce" = yes; then continue fi rmfiles="$file" case $name in *.la) # Possibly a libtool archive, so verify it. if func_lalib_p "$file"; then func_source $dir/$name # Delete the libtool libraries and symlinks. for n in $library_names; do func_append rmfiles " $odir/$n" done test -n "$old_library" && func_append rmfiles " $odir/$old_library" case "$opt_mode" in clean) case " $library_names " in *" $dlname "*) ;; *) test -n "$dlname" && func_append rmfiles " $odir/$dlname" ;; esac test -n "$libdir" && func_append rmfiles " $odir/$name $odir/${name}i" ;; uninstall) if test -n "$library_names"; then # Do each command in the postuninstall commands. func_execute_cmds "$postuninstall_cmds" 'test "$rmforce" = yes || exit_status=1' fi if test -n "$old_library"; then # Do each command in the old_postuninstall commands. func_execute_cmds "$old_postuninstall_cmds" 'test "$rmforce" = yes || exit_status=1' fi # FIXME: should reinstall the best remaining shared library. ;; esac fi ;; *.lo) # Possibly a libtool object, so verify it. if func_lalib_p "$file"; then # Read the .lo file func_source $dir/$name # Add PIC object to the list of files to remove. if test -n "$pic_object" && test "$pic_object" != none; then func_append rmfiles " $dir/$pic_object" fi # Add non-PIC object to the list of files to remove. if test -n "$non_pic_object" && test "$non_pic_object" != none; then func_append rmfiles " $dir/$non_pic_object" fi fi ;; *) if test "$opt_mode" = clean ; then noexename=$name case $file in *.exe) func_stripname '' '.exe' "$file" file=$func_stripname_result func_stripname '' '.exe' "$name" noexename=$func_stripname_result # $file with .exe has already been added to rmfiles, # add $file without .exe func_append rmfiles " $file" ;; esac # Do a test to see if this is a libtool program. if func_ltwrapper_p "$file"; then if func_ltwrapper_executable_p "$file"; then func_ltwrapper_scriptname "$file" relink_command= func_source $func_ltwrapper_scriptname_result func_append rmfiles " $func_ltwrapper_scriptname_result" else relink_command= func_source $dir/$noexename fi # note $name still contains .exe if it was in $file originally # as does the version of $file that was added into $rmfiles func_append rmfiles " $odir/$name $odir/${name}S.${objext}" if test "$fast_install" = yes && test -n "$relink_command"; then func_append rmfiles " $odir/lt-$name" fi if test "X$noexename" != "X$name" ; then func_append rmfiles " $odir/lt-${noexename}.c" fi fi fi ;; esac func_show_eval "$RM $rmfiles" 'exit_status=1' done # Try to remove the ${objdir}s in the directories where we deleted files for dir in $rmdirs; do if test -d "$dir"; then func_show_eval "rmdir $dir >/dev/null 2>&1" fi done exit $exit_status } { test "$opt_mode" = uninstall || test "$opt_mode" = clean; } && func_mode_uninstall ${1+"$@"} test -z "$opt_mode" && { help="$generic_help" func_fatal_help "you must specify a MODE" } test -z "$exec_cmd" && \ func_fatal_help "invalid operation mode \`$opt_mode'" if test -n "$exec_cmd"; then eval exec "$exec_cmd" exit $EXIT_FAILURE fi exit $exit_status # The TAGs below are defined such that we never get into a situation # in which we disable both kinds of libraries. Given conflicting # choices, we go for a static library, that is the most portable, # since we can't tell whether shared libraries were disabled because # the user asked for that or because the platform doesn't support # them. This is particularly important on AIX, because we don't # support having both static and shared libraries enabled at the same # time on that platform, so we default to a shared-only configuration. # If a disable-shared tag is given, we'll fallback to a static-only # configuration. But we'll never go from static-only to shared-only. # ### BEGIN LIBTOOL TAG CONFIG: disable-shared build_libtool_libs=no build_old_libs=yes # ### END LIBTOOL TAG CONFIG: disable-shared # ### BEGIN LIBTOOL TAG CONFIG: disable-static build_old_libs=`case $build_libtool_libs in yes) echo no;; *) echo yes;; esac` # ### END LIBTOOL TAG CONFIG: disable-static # Local Variables: # mode:shell-script # sh-indentation:2 # End: # vi:sw=2 openvpn-2.4.4/m4/000077500000000000000000000000001316434344000135305ustar00rootroot00000000000000openvpn-2.4.4/m4/ax_emptyarray.m4000066400000000000000000000015051316434344000166600ustar00rootroot00000000000000dnl @synopsis AX_EMPTY_ARRAY dnl dnl Define EMPTY_ARRAY_SIZE to be either "0" dnl or "" depending on which syntax the compiler dnl prefers for empty arrays in structs. dnl dnl @version dnl @author James Yonan AC_DEFUN([AX_EMPTY_ARRAY], [ AS_VAR_PUSHDEF([VAR],[ax_cv_c_empty_array])dnl AC_CACHE_CHECK( [for C compiler empty array size], [VAR], [AC_COMPILE_IFELSE( [AC_LANG_PROGRAM( , [[ struct { int foo; int bar[0]; } mystruct; ]] )], [VAR=0], [AC_COMPILE_IFELSE( [AC_LANG_PROGRAM( , [[ struct { int foo; int bar[]; } mystruct; ]] )], [VAR=], [AC_MSG_ERROR([C compiler is unable to creaty empty arrays])] )] )] )dnl AC_DEFINE_UNQUOTED( [EMPTY_ARRAY_SIZE], [$VAR], [Dimension to use for empty array declaration] )dnl AS_VAR_POPDEF([VAR])dnl ]) openvpn-2.4.4/m4/ax_socklen_t.m4000066400000000000000000000027731316434344000164540ustar00rootroot00000000000000dnl -- The following is base of curl's acinclude.m4 -- dnl Check for socklen_t: historically on BSD it is an int, and in dnl POSIX 1g it is a type of its own, but some platforms use different dnl types for the argument to getsockopt, getpeername, etc. So we dnl have to test to find something that will work. AC_DEFUN([AX_TYPE_SOCKLEN_T], [ AC_CHECK_TYPE( [socklen_t], , [ AS_VAR_PUSHDEF([VAR],[ax_cv_socklen_t_equiv])dnl AC_CACHE_CHECK( [for socklen_t equivalent], [VAR], [ #AS_CASE is not supported on #include int getpeername (int, $arg2 *, $t *); ]], [[ $t len; getpeername(0,0,&len); ]] )], [VAR="$t"; break] ) done test -n "$VAR" && break done ;; esac ] AS_VAR_IF( [VAR], [], [AC_MSG_ERROR([Cannot find a type to use in place of socklen_t])], [AC_DEFINE_UNQUOTED( [socklen_t], [$VAR], [type to use in place of socklen_t if not defined] )] ) ) ], [[ #include #ifdef _WIN32 #include #else #include #endif ]] ) ]) openvpn-2.4.4/m4/ax_varargs.m4000066400000000000000000000032011316434344000161230ustar00rootroot00000000000000dnl @synopsis AX_CPP_VARARG_MACRO_GCC dnl dnl Test if the preprocessor understands GNU GCC-style vararg macros. dnl If it does, defines HAVE_CPP_VARARG_MACRO_GCC to 1. dnl dnl @version dnl @author James Yonan , Matthias Andree AC_DEFUN([AX_CPP_VARARG_MACRO_GCC], [dnl AS_VAR_PUSHDEF([VAR], [ax_cv_cpp_vararg_macro_gcc])dnl AC_CACHE_CHECK( [for GNU GCC vararg macro support], [VAR], [AC_COMPILE_IFELSE( [AC_LANG_PROGRAM( [[ #define macro(a, b...) func(a, b) int func(int a, int b, int c); ]], [[ int i = macro(1, 2, 3); ]] )], [VAR=yes], [VAR=no] )] )dnl AS_VAR_IF( [VAR], [yes], [AC_DEFINE( [HAVE_CPP_VARARG_MACRO_GCC], [1], [Define to 1 if your compiler supports GNU GCC-style variadic macros] )] )dnl AS_VAR_POPDEF([VAR])dnl ]) dnl @synopsis AX_CPP_VARARG_MACRO_ISO dnl dnl Test if the preprocessor understands ISO C 1999 vararg macros. dnl If it does, defines HAVE_CPP_VARARG_MACRO_ISO to 1. dnl dnl @version dnl @author James Yonan , Matthias Andree AC_DEFUN([AX_CPP_VARARG_MACRO_ISO], [dnl AS_VAR_PUSHDEF([VAR],[ax_cv_cpp_vararg_macro_iso])dnl AC_CACHE_CHECK( [for ISO C 1999 vararg macro support], [VAR], [AC_COMPILE_IFELSE( [AC_LANG_PROGRAM( [[ #define macro(a, ...) func(a, __VA_ARGS__) int func(int a, int b, int c); ]], [[ int i = macro(1, 2, 3); ]] )], [VAR=yes], [VAR=no] )] )dnl AS_VAR_IF( [VAR], [yes], [AC_DEFINE( [HAVE_CPP_VARARG_MACRO_ISO], [1], [Define to 1 if your compiler supports ISO C99 variadic macros] )] )dnl AS_VAR_POPDEF([VAR])dnl ]) openvpn-2.4.4/m4/libtool.m4000066400000000000000000010601111316434344000154360ustar00rootroot00000000000000# libtool.m4 - Configure libtool for the host system. -*-Autoconf-*- # # Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2003, 2004, 2005, # 2006, 2007, 2008, 2009, 2010, 2011 Free Software # Foundation, Inc. # Written by Gordon Matzigkeit, 1996 # # This file is free software; the Free Software Foundation gives # unlimited permission to copy and/or distribute it, with or without # modifications, as long as this notice is preserved. m4_define([_LT_COPYING], [dnl # Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2003, 2004, 2005, # 2006, 2007, 2008, 2009, 2010, 2011 Free Software # Foundation, Inc. # Written by Gordon Matzigkeit, 1996 # # This file is part of GNU Libtool. # # GNU Libtool is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License as # published by the Free Software Foundation; either version 2 of # the License, or (at your option) any later version. # # As a special exception to the GNU General Public License, # if you distribute this file as part of a program or library that # is built using GNU Libtool, you may include this file under the # same distribution terms that you use for the rest of that program. # # GNU Libtool is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with GNU Libtool; see the file COPYING. If not, a copy # can be downloaded from http://www.gnu.org/licenses/gpl.html, or # obtained by writing to the Free Software Foundation, Inc., # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. ]) # serial 57 LT_INIT # LT_PREREQ(VERSION) # ------------------ # Complain and exit if this libtool version is less that VERSION. m4_defun([LT_PREREQ], [m4_if(m4_version_compare(m4_defn([LT_PACKAGE_VERSION]), [$1]), -1, [m4_default([$3], [m4_fatal([Libtool version $1 or higher is required], 63)])], [$2])]) # _LT_CHECK_BUILDDIR # ------------------ # Complain if the absolute build directory name contains unusual characters m4_defun([_LT_CHECK_BUILDDIR], [case `pwd` in *\ * | *\ *) AC_MSG_WARN([Libtool does not cope well with whitespace in `pwd`]) ;; esac ]) # LT_INIT([OPTIONS]) # ------------------ AC_DEFUN([LT_INIT], [AC_PREREQ([2.58])dnl We use AC_INCLUDES_DEFAULT AC_REQUIRE([AC_CONFIG_AUX_DIR_DEFAULT])dnl AC_BEFORE([$0], [LT_LANG])dnl AC_BEFORE([$0], [LT_OUTPUT])dnl AC_BEFORE([$0], [LTDL_INIT])dnl m4_require([_LT_CHECK_BUILDDIR])dnl dnl Autoconf doesn't catch unexpanded LT_ macros by default: m4_pattern_forbid([^_?LT_[A-Z_]+$])dnl m4_pattern_allow([^(_LT_EOF|LT_DLGLOBAL|LT_DLLAZY_OR_NOW|LT_MULTI_MODULE)$])dnl dnl aclocal doesn't pull ltoptions.m4, ltsugar.m4, or ltversion.m4 dnl unless we require an AC_DEFUNed macro: AC_REQUIRE([LTOPTIONS_VERSION])dnl AC_REQUIRE([LTSUGAR_VERSION])dnl AC_REQUIRE([LTVERSION_VERSION])dnl AC_REQUIRE([LTOBSOLETE_VERSION])dnl m4_require([_LT_PROG_LTMAIN])dnl _LT_SHELL_INIT([SHELL=${CONFIG_SHELL-/bin/sh}]) dnl Parse OPTIONS _LT_SET_OPTIONS([$0], [$1]) # This can be used to rebuild libtool when needed LIBTOOL_DEPS="$ltmain" # Always use our own libtool. LIBTOOL='$(SHELL) $(top_builddir)/libtool' AC_SUBST(LIBTOOL)dnl _LT_SETUP # Only expand once: m4_define([LT_INIT]) ])# LT_INIT # Old names: AU_ALIAS([AC_PROG_LIBTOOL], [LT_INIT]) AU_ALIAS([AM_PROG_LIBTOOL], [LT_INIT]) dnl aclocal-1.4 backwards compatibility: dnl AC_DEFUN([AC_PROG_LIBTOOL], []) dnl AC_DEFUN([AM_PROG_LIBTOOL], []) # _LT_CC_BASENAME(CC) # ------------------- # Calculate cc_basename. Skip known compiler wrappers and cross-prefix. m4_defun([_LT_CC_BASENAME], [for cc_temp in $1""; do case $cc_temp in compile | *[[\\/]]compile | ccache | *[[\\/]]ccache ) ;; distcc | *[[\\/]]distcc | purify | *[[\\/]]purify ) ;; \-*) ;; *) break;; esac done cc_basename=`$ECHO "$cc_temp" | $SED "s%.*/%%; s%^$host_alias-%%"` ]) # _LT_FILEUTILS_DEFAULTS # ---------------------- # It is okay to use these file commands and assume they have been set # sensibly after `m4_require([_LT_FILEUTILS_DEFAULTS])'. m4_defun([_LT_FILEUTILS_DEFAULTS], [: ${CP="cp -f"} : ${MV="mv -f"} : ${RM="rm -f"} ])# _LT_FILEUTILS_DEFAULTS # _LT_SETUP # --------- m4_defun([_LT_SETUP], [AC_REQUIRE([AC_CANONICAL_HOST])dnl AC_REQUIRE([AC_CANONICAL_BUILD])dnl AC_REQUIRE([_LT_PREPARE_SED_QUOTE_VARS])dnl AC_REQUIRE([_LT_PROG_ECHO_BACKSLASH])dnl _LT_DECL([], [PATH_SEPARATOR], [1], [The PATH separator for the build system])dnl dnl _LT_DECL([], [host_alias], [0], [The host system])dnl _LT_DECL([], [host], [0])dnl _LT_DECL([], [host_os], [0])dnl dnl _LT_DECL([], [build_alias], [0], [The build system])dnl _LT_DECL([], [build], [0])dnl _LT_DECL([], [build_os], [0])dnl dnl AC_REQUIRE([AC_PROG_CC])dnl AC_REQUIRE([LT_PATH_LD])dnl AC_REQUIRE([LT_PATH_NM])dnl dnl AC_REQUIRE([AC_PROG_LN_S])dnl test -z "$LN_S" && LN_S="ln -s" _LT_DECL([], [LN_S], [1], [Whether we need soft or hard links])dnl dnl AC_REQUIRE([LT_CMD_MAX_LEN])dnl _LT_DECL([objext], [ac_objext], [0], [Object file suffix (normally "o")])dnl _LT_DECL([], [exeext], [0], [Executable file suffix (normally "")])dnl dnl m4_require([_LT_FILEUTILS_DEFAULTS])dnl m4_require([_LT_CHECK_SHELL_FEATURES])dnl m4_require([_LT_PATH_CONVERSION_FUNCTIONS])dnl m4_require([_LT_CMD_RELOAD])dnl m4_require([_LT_CHECK_MAGIC_METHOD])dnl m4_require([_LT_CHECK_SHAREDLIB_FROM_LINKLIB])dnl m4_require([_LT_CMD_OLD_ARCHIVE])dnl m4_require([_LT_CMD_GLOBAL_SYMBOLS])dnl m4_require([_LT_WITH_SYSROOT])dnl _LT_CONFIG_LIBTOOL_INIT([ # See if we are running on zsh, and set the options which allow our # commands through without removal of \ escapes INIT. if test -n "\${ZSH_VERSION+set}" ; then setopt NO_GLOB_SUBST fi ]) if test -n "${ZSH_VERSION+set}" ; then setopt NO_GLOB_SUBST fi _LT_CHECK_OBJDIR m4_require([_LT_TAG_COMPILER])dnl case $host_os in aix3*) # AIX sometimes has problems with the GCC collect2 program. For some # reason, if we set the COLLECT_NAMES environment variable, the problems # vanish in a puff of smoke. if test "X${COLLECT_NAMES+set}" != Xset; then COLLECT_NAMES= export COLLECT_NAMES fi ;; esac # Global variables: ofile=libtool can_build_shared=yes # All known linkers require a `.a' archive for static linking (except MSVC, # which needs '.lib'). libext=a with_gnu_ld="$lt_cv_prog_gnu_ld" old_CC="$CC" old_CFLAGS="$CFLAGS" # Set sane defaults for various variables test -z "$CC" && CC=cc test -z "$LTCC" && LTCC=$CC test -z "$LTCFLAGS" && LTCFLAGS=$CFLAGS test -z "$LD" && LD=ld test -z "$ac_objext" && ac_objext=o _LT_CC_BASENAME([$compiler]) # Only perform the check for file, if the check method requires it test -z "$MAGIC_CMD" && MAGIC_CMD=file case $deplibs_check_method in file_magic*) if test "$file_magic_cmd" = '$MAGIC_CMD'; then _LT_PATH_MAGIC fi ;; esac # Use C for the default configuration in the libtool script LT_SUPPORTED_TAG([CC]) _LT_LANG_C_CONFIG _LT_LANG_DEFAULT_CONFIG _LT_CONFIG_COMMANDS ])# _LT_SETUP # _LT_PREPARE_SED_QUOTE_VARS # -------------------------- # Define a few sed substitution that help us do robust quoting. m4_defun([_LT_PREPARE_SED_QUOTE_VARS], [# Backslashify metacharacters that are still active within # double-quoted strings. sed_quote_subst='s/\([["`$\\]]\)/\\\1/g' # Same as above, but do not quote variable references. double_quote_subst='s/\([["`\\]]\)/\\\1/g' # Sed substitution to delay expansion of an escaped shell variable in a # double_quote_subst'ed string. delay_variable_subst='s/\\\\\\\\\\\$/\\\\\\$/g' # Sed substitution to delay expansion of an escaped single quote. delay_single_quote_subst='s/'\''/'\'\\\\\\\'\''/g' # Sed substitution to avoid accidental globbing in evaled expressions no_glob_subst='s/\*/\\\*/g' ]) # _LT_PROG_LTMAIN # --------------- # Note that this code is called both from `configure', and `config.status' # now that we use AC_CONFIG_COMMANDS to generate libtool. Notably, # `config.status' has no value for ac_aux_dir unless we are using Automake, # so we pass a copy along to make sure it has a sensible value anyway. m4_defun([_LT_PROG_LTMAIN], [m4_ifdef([AC_REQUIRE_AUX_FILE], [AC_REQUIRE_AUX_FILE([ltmain.sh])])dnl _LT_CONFIG_LIBTOOL_INIT([ac_aux_dir='$ac_aux_dir']) ltmain="$ac_aux_dir/ltmain.sh" ])# _LT_PROG_LTMAIN ## ------------------------------------- ## ## Accumulate code for creating libtool. ## ## ------------------------------------- ## # So that we can recreate a full libtool script including additional # tags, we accumulate the chunks of code to send to AC_CONFIG_COMMANDS # in macros and then make a single call at the end using the `libtool' # label. # _LT_CONFIG_LIBTOOL_INIT([INIT-COMMANDS]) # ---------------------------------------- # Register INIT-COMMANDS to be passed to AC_CONFIG_COMMANDS later. m4_define([_LT_CONFIG_LIBTOOL_INIT], [m4_ifval([$1], [m4_append([_LT_OUTPUT_LIBTOOL_INIT], [$1 ])])]) # Initialize. m4_define([_LT_OUTPUT_LIBTOOL_INIT]) # _LT_CONFIG_LIBTOOL([COMMANDS]) # ------------------------------ # Register COMMANDS to be passed to AC_CONFIG_COMMANDS later. m4_define([_LT_CONFIG_LIBTOOL], [m4_ifval([$1], [m4_append([_LT_OUTPUT_LIBTOOL_COMMANDS], [$1 ])])]) # Initialize. m4_define([_LT_OUTPUT_LIBTOOL_COMMANDS]) # _LT_CONFIG_SAVE_COMMANDS([COMMANDS], [INIT_COMMANDS]) # ----------------------------------------------------- m4_defun([_LT_CONFIG_SAVE_COMMANDS], [_LT_CONFIG_LIBTOOL([$1]) _LT_CONFIG_LIBTOOL_INIT([$2]) ]) # _LT_FORMAT_COMMENT([COMMENT]) # ----------------------------- # Add leading comment marks to the start of each line, and a trailing # full-stop to the whole comment if one is not present already. m4_define([_LT_FORMAT_COMMENT], [m4_ifval([$1], [ m4_bpatsubst([m4_bpatsubst([$1], [^ *], [# ])], [['`$\]], [\\\&])]m4_bmatch([$1], [[!?.]$], [], [.]) )]) ## ------------------------ ## ## FIXME: Eliminate VARNAME ## ## ------------------------ ## # _LT_DECL([CONFIGNAME], VARNAME, VALUE, [DESCRIPTION], [IS-TAGGED?]) # ------------------------------------------------------------------- # CONFIGNAME is the name given to the value in the libtool script. # VARNAME is the (base) name used in the configure script. # VALUE may be 0, 1 or 2 for a computed quote escaped value based on # VARNAME. Any other value will be used directly. m4_define([_LT_DECL], [lt_if_append_uniq([lt_decl_varnames], [$2], [, ], [lt_dict_add_subkey([lt_decl_dict], [$2], [libtool_name], [m4_ifval([$1], [$1], [$2])]) lt_dict_add_subkey([lt_decl_dict], [$2], [value], [$3]) m4_ifval([$4], [lt_dict_add_subkey([lt_decl_dict], [$2], [description], [$4])]) lt_dict_add_subkey([lt_decl_dict], [$2], [tagged?], [m4_ifval([$5], [yes], [no])])]) ]) # _LT_TAGDECL([CONFIGNAME], VARNAME, VALUE, [DESCRIPTION]) # -------------------------------------------------------- m4_define([_LT_TAGDECL], [_LT_DECL([$1], [$2], [$3], [$4], [yes])]) # lt_decl_tag_varnames([SEPARATOR], [VARNAME1...]) # ------------------------------------------------ m4_define([lt_decl_tag_varnames], [_lt_decl_filter([tagged?], [yes], $@)]) # _lt_decl_filter(SUBKEY, VALUE, [SEPARATOR], [VARNAME1..]) # --------------------------------------------------------- m4_define([_lt_decl_filter], [m4_case([$#], [0], [m4_fatal([$0: too few arguments: $#])], [1], [m4_fatal([$0: too few arguments: $#: $1])], [2], [lt_dict_filter([lt_decl_dict], [$1], [$2], [], lt_decl_varnames)], [3], [lt_dict_filter([lt_decl_dict], [$1], [$2], [$3], lt_decl_varnames)], [lt_dict_filter([lt_decl_dict], $@)])[]dnl ]) # lt_decl_quote_varnames([SEPARATOR], [VARNAME1...]) # -------------------------------------------------- m4_define([lt_decl_quote_varnames], [_lt_decl_filter([value], [1], $@)]) # lt_decl_dquote_varnames([SEPARATOR], [VARNAME1...]) # --------------------------------------------------- m4_define([lt_decl_dquote_varnames], [_lt_decl_filter([value], [2], $@)]) # lt_decl_varnames_tagged([SEPARATOR], [VARNAME1...]) # --------------------------------------------------- m4_define([lt_decl_varnames_tagged], [m4_assert([$# <= 2])dnl _$0(m4_quote(m4_default([$1], [[, ]])), m4_ifval([$2], [[$2]], [m4_dquote(lt_decl_tag_varnames)]), m4_split(m4_normalize(m4_quote(_LT_TAGS)), [ ]))]) m4_define([_lt_decl_varnames_tagged], [m4_ifval([$3], [lt_combine([$1], [$2], [_], $3)])]) # lt_decl_all_varnames([SEPARATOR], [VARNAME1...]) # ------------------------------------------------ m4_define([lt_decl_all_varnames], [_$0(m4_quote(m4_default([$1], [[, ]])), m4_if([$2], [], m4_quote(lt_decl_varnames), m4_quote(m4_shift($@))))[]dnl ]) m4_define([_lt_decl_all_varnames], [lt_join($@, lt_decl_varnames_tagged([$1], lt_decl_tag_varnames([[, ]], m4_shift($@))))dnl ]) # _LT_CONFIG_STATUS_DECLARE([VARNAME]) # ------------------------------------ # Quote a variable value, and forward it to `config.status' so that its # declaration there will have the same value as in `configure'. VARNAME # must have a single quote delimited value for this to work. m4_define([_LT_CONFIG_STATUS_DECLARE], [$1='`$ECHO "$][$1" | $SED "$delay_single_quote_subst"`']) # _LT_CONFIG_STATUS_DECLARATIONS # ------------------------------ # We delimit libtool config variables with single quotes, so when # we write them to config.status, we have to be sure to quote all # embedded single quotes properly. In configure, this macro expands # each variable declared with _LT_DECL (and _LT_TAGDECL) into: # # ='`$ECHO "$" | $SED "$delay_single_quote_subst"`' m4_defun([_LT_CONFIG_STATUS_DECLARATIONS], [m4_foreach([_lt_var], m4_quote(lt_decl_all_varnames), [m4_n([_LT_CONFIG_STATUS_DECLARE(_lt_var)])])]) # _LT_LIBTOOL_TAGS # ---------------- # Output comment and list of tags supported by the script m4_defun([_LT_LIBTOOL_TAGS], [_LT_FORMAT_COMMENT([The names of the tagged configurations supported by this script])dnl available_tags="_LT_TAGS"dnl ]) # _LT_LIBTOOL_DECLARE(VARNAME, [TAG]) # ----------------------------------- # Extract the dictionary values for VARNAME (optionally with TAG) and # expand to a commented shell variable setting: # # # Some comment about what VAR is for. # visible_name=$lt_internal_name m4_define([_LT_LIBTOOL_DECLARE], [_LT_FORMAT_COMMENT(m4_quote(lt_dict_fetch([lt_decl_dict], [$1], [description])))[]dnl m4_pushdef([_libtool_name], m4_quote(lt_dict_fetch([lt_decl_dict], [$1], [libtool_name])))[]dnl m4_case(m4_quote(lt_dict_fetch([lt_decl_dict], [$1], [value])), [0], [_libtool_name=[$]$1], [1], [_libtool_name=$lt_[]$1], [2], [_libtool_name=$lt_[]$1], [_libtool_name=lt_dict_fetch([lt_decl_dict], [$1], [value])])[]dnl m4_ifval([$2], [_$2])[]m4_popdef([_libtool_name])[]dnl ]) # _LT_LIBTOOL_CONFIG_VARS # ----------------------- # Produce commented declarations of non-tagged libtool config variables # suitable for insertion in the LIBTOOL CONFIG section of the `libtool' # script. Tagged libtool config variables (even for the LIBTOOL CONFIG # section) are produced by _LT_LIBTOOL_TAG_VARS. m4_defun([_LT_LIBTOOL_CONFIG_VARS], [m4_foreach([_lt_var], m4_quote(_lt_decl_filter([tagged?], [no], [], lt_decl_varnames)), [m4_n([_LT_LIBTOOL_DECLARE(_lt_var)])])]) # _LT_LIBTOOL_TAG_VARS(TAG) # ------------------------- m4_define([_LT_LIBTOOL_TAG_VARS], [m4_foreach([_lt_var], m4_quote(lt_decl_tag_varnames), [m4_n([_LT_LIBTOOL_DECLARE(_lt_var, [$1])])])]) # _LT_TAGVAR(VARNAME, [TAGNAME]) # ------------------------------ m4_define([_LT_TAGVAR], [m4_ifval([$2], [$1_$2], [$1])]) # _LT_CONFIG_COMMANDS # ------------------- # Send accumulated output to $CONFIG_STATUS. Thanks to the lists of # variables for single and double quote escaping we saved from calls # to _LT_DECL, we can put quote escaped variables declarations # into `config.status', and then the shell code to quote escape them in # for loops in `config.status'. Finally, any additional code accumulated # from calls to _LT_CONFIG_LIBTOOL_INIT is expanded. m4_defun([_LT_CONFIG_COMMANDS], [AC_PROVIDE_IFELSE([LT_OUTPUT], dnl If the libtool generation code has been placed in $CONFIG_LT, dnl instead of duplicating it all over again into config.status, dnl then we will have config.status run $CONFIG_LT later, so it dnl needs to know what name is stored there: [AC_CONFIG_COMMANDS([libtool], [$SHELL $CONFIG_LT || AS_EXIT(1)], [CONFIG_LT='$CONFIG_LT'])], dnl If the libtool generation code is destined for config.status, dnl expand the accumulated commands and init code now: [AC_CONFIG_COMMANDS([libtool], [_LT_OUTPUT_LIBTOOL_COMMANDS], [_LT_OUTPUT_LIBTOOL_COMMANDS_INIT])]) ])#_LT_CONFIG_COMMANDS # Initialize. m4_define([_LT_OUTPUT_LIBTOOL_COMMANDS_INIT], [ # The HP-UX ksh and POSIX shell print the target directory to stdout # if CDPATH is set. (unset CDPATH) >/dev/null 2>&1 && unset CDPATH sed_quote_subst='$sed_quote_subst' double_quote_subst='$double_quote_subst' delay_variable_subst='$delay_variable_subst' _LT_CONFIG_STATUS_DECLARATIONS LTCC='$LTCC' LTCFLAGS='$LTCFLAGS' compiler='$compiler_DEFAULT' # A function that is used when there is no print builtin or printf. func_fallback_echo () { eval 'cat <<_LTECHO_EOF \$[]1 _LTECHO_EOF' } # Quote evaled strings. for var in lt_decl_all_varnames([[ \ ]], lt_decl_quote_varnames); do case \`eval \\\\\$ECHO \\\\""\\\\\$\$var"\\\\"\` in *[[\\\\\\\`\\"\\\$]]*) eval "lt_\$var=\\\\\\"\\\`\\\$ECHO \\"\\\$\$var\\" | \\\$SED \\"\\\$sed_quote_subst\\"\\\`\\\\\\"" ;; *) eval "lt_\$var=\\\\\\"\\\$\$var\\\\\\"" ;; esac done # Double-quote double-evaled strings. for var in lt_decl_all_varnames([[ \ ]], lt_decl_dquote_varnames); do case \`eval \\\\\$ECHO \\\\""\\\\\$\$var"\\\\"\` in *[[\\\\\\\`\\"\\\$]]*) eval "lt_\$var=\\\\\\"\\\`\\\$ECHO \\"\\\$\$var\\" | \\\$SED -e \\"\\\$double_quote_subst\\" -e \\"\\\$sed_quote_subst\\" -e \\"\\\$delay_variable_subst\\"\\\`\\\\\\"" ;; *) eval "lt_\$var=\\\\\\"\\\$\$var\\\\\\"" ;; esac done _LT_OUTPUT_LIBTOOL_INIT ]) # _LT_GENERATED_FILE_INIT(FILE, [COMMENT]) # ------------------------------------ # Generate a child script FILE with all initialization necessary to # reuse the environment learned by the parent script, and make the # file executable. If COMMENT is supplied, it is inserted after the # `#!' sequence but before initialization text begins. After this # macro, additional text can be appended to FILE to form the body of # the child script. The macro ends with non-zero status if the # file could not be fully written (such as if the disk is full). m4_ifdef([AS_INIT_GENERATED], [m4_defun([_LT_GENERATED_FILE_INIT],[AS_INIT_GENERATED($@)])], [m4_defun([_LT_GENERATED_FILE_INIT], [m4_require([AS_PREPARE])]dnl [m4_pushdef([AS_MESSAGE_LOG_FD])]dnl [lt_write_fail=0 cat >$1 <<_ASEOF || lt_write_fail=1 #! $SHELL # Generated by $as_me. $2 SHELL=\${CONFIG_SHELL-$SHELL} export SHELL _ASEOF cat >>$1 <<\_ASEOF || lt_write_fail=1 AS_SHELL_SANITIZE _AS_PREPARE exec AS_MESSAGE_FD>&1 _ASEOF test $lt_write_fail = 0 && chmod +x $1[]dnl m4_popdef([AS_MESSAGE_LOG_FD])])])# _LT_GENERATED_FILE_INIT # LT_OUTPUT # --------- # This macro allows early generation of the libtool script (before # AC_OUTPUT is called), incase it is used in configure for compilation # tests. AC_DEFUN([LT_OUTPUT], [: ${CONFIG_LT=./config.lt} AC_MSG_NOTICE([creating $CONFIG_LT]) _LT_GENERATED_FILE_INIT(["$CONFIG_LT"], [# Run this file to recreate a libtool stub with the current configuration.]) cat >>"$CONFIG_LT" <<\_LTEOF lt_cl_silent=false exec AS_MESSAGE_LOG_FD>>config.log { echo AS_BOX([Running $as_me.]) } >&AS_MESSAGE_LOG_FD lt_cl_help="\ \`$as_me' creates a local libtool stub from the current configuration, for use in further configure time tests before the real libtool is generated. Usage: $[0] [[OPTIONS]] -h, --help print this help, then exit -V, --version print version number, then exit -q, --quiet do not print progress messages -d, --debug don't remove temporary files Report bugs to ." lt_cl_version="\ m4_ifset([AC_PACKAGE_NAME], [AC_PACKAGE_NAME ])config.lt[]dnl m4_ifset([AC_PACKAGE_VERSION], [ AC_PACKAGE_VERSION]) configured by $[0], generated by m4_PACKAGE_STRING. Copyright (C) 2011 Free Software Foundation, Inc. This config.lt script is free software; the Free Software Foundation gives unlimited permision to copy, distribute and modify it." while test $[#] != 0 do case $[1] in --version | --v* | -V ) echo "$lt_cl_version"; exit 0 ;; --help | --h* | -h ) echo "$lt_cl_help"; exit 0 ;; --debug | --d* | -d ) debug=: ;; --quiet | --q* | --silent | --s* | -q ) lt_cl_silent=: ;; -*) AC_MSG_ERROR([unrecognized option: $[1] Try \`$[0] --help' for more information.]) ;; *) AC_MSG_ERROR([unrecognized argument: $[1] Try \`$[0] --help' for more information.]) ;; esac shift done if $lt_cl_silent; then exec AS_MESSAGE_FD>/dev/null fi _LTEOF cat >>"$CONFIG_LT" <<_LTEOF _LT_OUTPUT_LIBTOOL_COMMANDS_INIT _LTEOF cat >>"$CONFIG_LT" <<\_LTEOF AC_MSG_NOTICE([creating $ofile]) _LT_OUTPUT_LIBTOOL_COMMANDS AS_EXIT(0) _LTEOF chmod +x "$CONFIG_LT" # configure is writing to config.log, but config.lt does its own redirection, # appending to config.log, which fails on DOS, as config.log is still kept # open by configure. Here we exec the FD to /dev/null, effectively closing # config.log, so it can be properly (re)opened and appended to by config.lt. lt_cl_success=: test "$silent" = yes && lt_config_lt_args="$lt_config_lt_args --quiet" exec AS_MESSAGE_LOG_FD>/dev/null $SHELL "$CONFIG_LT" $lt_config_lt_args || lt_cl_success=false exec AS_MESSAGE_LOG_FD>>config.log $lt_cl_success || AS_EXIT(1) ])# LT_OUTPUT # _LT_CONFIG(TAG) # --------------- # If TAG is the built-in tag, create an initial libtool script with a # default configuration from the untagged config vars. Otherwise add code # to config.status for appending the configuration named by TAG from the # matching tagged config vars. m4_defun([_LT_CONFIG], [m4_require([_LT_FILEUTILS_DEFAULTS])dnl _LT_CONFIG_SAVE_COMMANDS([ m4_define([_LT_TAG], m4_if([$1], [], [C], [$1]))dnl m4_if(_LT_TAG, [C], [ # See if we are running on zsh, and set the options which allow our # commands through without removal of \ escapes. if test -n "${ZSH_VERSION+set}" ; then setopt NO_GLOB_SUBST fi cfgfile="${ofile}T" trap "$RM \"$cfgfile\"; exit 1" 1 2 15 $RM "$cfgfile" cat <<_LT_EOF >> "$cfgfile" #! $SHELL # `$ECHO "$ofile" | sed 's%^.*/%%'` - Provide generalized library-building support services. # Generated automatically by $as_me ($PACKAGE$TIMESTAMP) $VERSION # Libtool was configured on host `(hostname || uname -n) 2>/dev/null | sed 1q`: # NOTE: Changes made to this file will be lost: look at ltmain.sh. # _LT_COPYING _LT_LIBTOOL_TAGS # ### BEGIN LIBTOOL CONFIG _LT_LIBTOOL_CONFIG_VARS _LT_LIBTOOL_TAG_VARS # ### END LIBTOOL CONFIG _LT_EOF case $host_os in aix3*) cat <<\_LT_EOF >> "$cfgfile" # AIX sometimes has problems with the GCC collect2 program. For some # reason, if we set the COLLECT_NAMES environment variable, the problems # vanish in a puff of smoke. if test "X${COLLECT_NAMES+set}" != Xset; then COLLECT_NAMES= export COLLECT_NAMES fi _LT_EOF ;; esac _LT_PROG_LTMAIN # We use sed instead of cat because bash on DJGPP gets confused if # if finds mixed CR/LF and LF-only lines. Since sed operates in # text mode, it properly converts lines to CR/LF. This bash problem # is reportedly fixed, but why not run on old versions too? sed '$q' "$ltmain" >> "$cfgfile" \ || (rm -f "$cfgfile"; exit 1) _LT_PROG_REPLACE_SHELLFNS mv -f "$cfgfile" "$ofile" || (rm -f "$ofile" && cp "$cfgfile" "$ofile" && rm -f "$cfgfile") chmod +x "$ofile" ], [cat <<_LT_EOF >> "$ofile" dnl Unfortunately we have to use $1 here, since _LT_TAG is not expanded dnl in a comment (ie after a #). # ### BEGIN LIBTOOL TAG CONFIG: $1 _LT_LIBTOOL_TAG_VARS(_LT_TAG) # ### END LIBTOOL TAG CONFIG: $1 _LT_EOF ])dnl /m4_if ], [m4_if([$1], [], [ PACKAGE='$PACKAGE' VERSION='$VERSION' TIMESTAMP='$TIMESTAMP' RM='$RM' ofile='$ofile'], []) ])dnl /_LT_CONFIG_SAVE_COMMANDS ])# _LT_CONFIG # LT_SUPPORTED_TAG(TAG) # --------------------- # Trace this macro to discover what tags are supported by the libtool # --tag option, using: # autoconf --trace 'LT_SUPPORTED_TAG:$1' AC_DEFUN([LT_SUPPORTED_TAG], []) # C support is built-in for now m4_define([_LT_LANG_C_enabled], []) m4_define([_LT_TAGS], []) # LT_LANG(LANG) # ------------- # Enable libtool support for the given language if not already enabled. AC_DEFUN([LT_LANG], [AC_BEFORE([$0], [LT_OUTPUT])dnl m4_case([$1], [C], [_LT_LANG(C)], [C++], [_LT_LANG(CXX)], [Go], [_LT_LANG(GO)], [Java], [_LT_LANG(GCJ)], [Fortran 77], [_LT_LANG(F77)], [Fortran], [_LT_LANG(FC)], [Windows Resource], [_LT_LANG(RC)], [m4_ifdef([_LT_LANG_]$1[_CONFIG], [_LT_LANG($1)], [m4_fatal([$0: unsupported language: "$1"])])])dnl ])# LT_LANG # _LT_LANG(LANGNAME) # ------------------ m4_defun([_LT_LANG], [m4_ifdef([_LT_LANG_]$1[_enabled], [], [LT_SUPPORTED_TAG([$1])dnl m4_append([_LT_TAGS], [$1 ])dnl m4_define([_LT_LANG_]$1[_enabled], [])dnl _LT_LANG_$1_CONFIG($1)])dnl ])# _LT_LANG m4_ifndef([AC_PROG_GO], [ ############################################################ # NOTE: This macro has been submitted for inclusion into # # GNU Autoconf as AC_PROG_GO. When it is available in # # a released version of Autoconf we should remove this # # macro and use it instead. # ############################################################ m4_defun([AC_PROG_GO], [AC_LANG_PUSH(Go)dnl AC_ARG_VAR([GOC], [Go compiler command])dnl AC_ARG_VAR([GOFLAGS], [Go compiler flags])dnl _AC_ARG_VAR_LDFLAGS()dnl AC_CHECK_TOOL(GOC, gccgo) if test -z "$GOC"; then if test -n "$ac_tool_prefix"; then AC_CHECK_PROG(GOC, [${ac_tool_prefix}gccgo], [${ac_tool_prefix}gccgo]) fi fi if test -z "$GOC"; then AC_CHECK_PROG(GOC, gccgo, gccgo, false) fi ])#m4_defun ])#m4_ifndef # _LT_LANG_DEFAULT_CONFIG # ----------------------- m4_defun([_LT_LANG_DEFAULT_CONFIG], [AC_PROVIDE_IFELSE([AC_PROG_CXX], [LT_LANG(CXX)], [m4_define([AC_PROG_CXX], defn([AC_PROG_CXX])[LT_LANG(CXX)])]) AC_PROVIDE_IFELSE([AC_PROG_F77], [LT_LANG(F77)], [m4_define([AC_PROG_F77], defn([AC_PROG_F77])[LT_LANG(F77)])]) AC_PROVIDE_IFELSE([AC_PROG_FC], [LT_LANG(FC)], [m4_define([AC_PROG_FC], defn([AC_PROG_FC])[LT_LANG(FC)])]) dnl The call to [A][M_PROG_GCJ] is quoted like that to stop aclocal dnl pulling things in needlessly. AC_PROVIDE_IFELSE([AC_PROG_GCJ], [LT_LANG(GCJ)], [AC_PROVIDE_IFELSE([A][M_PROG_GCJ], [LT_LANG(GCJ)], [AC_PROVIDE_IFELSE([LT_PROG_GCJ], [LT_LANG(GCJ)], [m4_ifdef([AC_PROG_GCJ], [m4_define([AC_PROG_GCJ], defn([AC_PROG_GCJ])[LT_LANG(GCJ)])]) m4_ifdef([A][M_PROG_GCJ], [m4_define([A][M_PROG_GCJ], defn([A][M_PROG_GCJ])[LT_LANG(GCJ)])]) m4_ifdef([LT_PROG_GCJ], [m4_define([LT_PROG_GCJ], defn([LT_PROG_GCJ])[LT_LANG(GCJ)])])])])]) AC_PROVIDE_IFELSE([AC_PROG_GO], [LT_LANG(GO)], [m4_define([AC_PROG_GO], defn([AC_PROG_GO])[LT_LANG(GO)])]) AC_PROVIDE_IFELSE([LT_PROG_RC], [LT_LANG(RC)], [m4_define([LT_PROG_RC], defn([LT_PROG_RC])[LT_LANG(RC)])]) ])# _LT_LANG_DEFAULT_CONFIG # Obsolete macros: AU_DEFUN([AC_LIBTOOL_CXX], [LT_LANG(C++)]) AU_DEFUN([AC_LIBTOOL_F77], [LT_LANG(Fortran 77)]) AU_DEFUN([AC_LIBTOOL_FC], [LT_LANG(Fortran)]) AU_DEFUN([AC_LIBTOOL_GCJ], [LT_LANG(Java)]) AU_DEFUN([AC_LIBTOOL_RC], [LT_LANG(Windows Resource)]) dnl aclocal-1.4 backwards compatibility: dnl AC_DEFUN([AC_LIBTOOL_CXX], []) dnl AC_DEFUN([AC_LIBTOOL_F77], []) dnl AC_DEFUN([AC_LIBTOOL_FC], []) dnl AC_DEFUN([AC_LIBTOOL_GCJ], []) dnl AC_DEFUN([AC_LIBTOOL_RC], []) # _LT_TAG_COMPILER # ---------------- m4_defun([_LT_TAG_COMPILER], [AC_REQUIRE([AC_PROG_CC])dnl _LT_DECL([LTCC], [CC], [1], [A C compiler])dnl _LT_DECL([LTCFLAGS], [CFLAGS], [1], [LTCC compiler flags])dnl _LT_TAGDECL([CC], [compiler], [1], [A language specific compiler])dnl _LT_TAGDECL([with_gcc], [GCC], [0], [Is the compiler the GNU compiler?])dnl # If no C compiler was specified, use CC. LTCC=${LTCC-"$CC"} # If no C compiler flags were specified, use CFLAGS. LTCFLAGS=${LTCFLAGS-"$CFLAGS"} # Allow CC to be a program name with arguments. compiler=$CC ])# _LT_TAG_COMPILER # _LT_COMPILER_BOILERPLATE # ------------------------ # Check for compiler boilerplate output or warnings with # the simple compiler test code. m4_defun([_LT_COMPILER_BOILERPLATE], [m4_require([_LT_DECL_SED])dnl ac_outfile=conftest.$ac_objext echo "$lt_simple_compile_test_code" >conftest.$ac_ext eval "$ac_compile" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err _lt_compiler_boilerplate=`cat conftest.err` $RM conftest* ])# _LT_COMPILER_BOILERPLATE # _LT_LINKER_BOILERPLATE # ---------------------- # Check for linker boilerplate output or warnings with # the simple link test code. m4_defun([_LT_LINKER_BOILERPLATE], [m4_require([_LT_DECL_SED])dnl ac_outfile=conftest.$ac_objext echo "$lt_simple_link_test_code" >conftest.$ac_ext eval "$ac_link" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err _lt_linker_boilerplate=`cat conftest.err` $RM -r conftest* ])# _LT_LINKER_BOILERPLATE # _LT_REQUIRED_DARWIN_CHECKS # ------------------------- m4_defun_once([_LT_REQUIRED_DARWIN_CHECKS],[ case $host_os in rhapsody* | darwin*) AC_CHECK_TOOL([DSYMUTIL], [dsymutil], [:]) AC_CHECK_TOOL([NMEDIT], [nmedit], [:]) AC_CHECK_TOOL([LIPO], [lipo], [:]) AC_CHECK_TOOL([OTOOL], [otool], [:]) AC_CHECK_TOOL([OTOOL64], [otool64], [:]) _LT_DECL([], [DSYMUTIL], [1], [Tool to manipulate archived DWARF debug symbol files on Mac OS X]) _LT_DECL([], [NMEDIT], [1], [Tool to change global to local symbols on Mac OS X]) _LT_DECL([], [LIPO], [1], [Tool to manipulate fat objects and archives on Mac OS X]) _LT_DECL([], [OTOOL], [1], [ldd/readelf like tool for Mach-O binaries on Mac OS X]) _LT_DECL([], [OTOOL64], [1], [ldd/readelf like tool for 64 bit Mach-O binaries on Mac OS X 10.4]) AC_CACHE_CHECK([for -single_module linker flag],[lt_cv_apple_cc_single_mod], [lt_cv_apple_cc_single_mod=no if test -z "${LT_MULTI_MODULE}"; then # By default we will add the -single_module flag. You can override # by either setting the environment variable LT_MULTI_MODULE # non-empty at configure time, or by adding -multi_module to the # link flags. rm -rf libconftest.dylib* echo "int foo(void){return 1;}" > conftest.c echo "$LTCC $LTCFLAGS $LDFLAGS -o libconftest.dylib \ -dynamiclib -Wl,-single_module conftest.c" >&AS_MESSAGE_LOG_FD $LTCC $LTCFLAGS $LDFLAGS -o libconftest.dylib \ -dynamiclib -Wl,-single_module conftest.c 2>conftest.err _lt_result=$? # If there is a non-empty error log, and "single_module" # appears in it, assume the flag caused a linker warning if test -s conftest.err && $GREP single_module conftest.err; then cat conftest.err >&AS_MESSAGE_LOG_FD # Otherwise, if the output was created with a 0 exit code from # the compiler, it worked. elif test -f libconftest.dylib && test $_lt_result -eq 0; then lt_cv_apple_cc_single_mod=yes else cat conftest.err >&AS_MESSAGE_LOG_FD fi rm -rf libconftest.dylib* rm -f conftest.* fi]) AC_CACHE_CHECK([for -exported_symbols_list linker flag], [lt_cv_ld_exported_symbols_list], [lt_cv_ld_exported_symbols_list=no save_LDFLAGS=$LDFLAGS echo "_main" > conftest.sym LDFLAGS="$LDFLAGS -Wl,-exported_symbols_list,conftest.sym" AC_LINK_IFELSE([AC_LANG_PROGRAM([],[])], [lt_cv_ld_exported_symbols_list=yes], [lt_cv_ld_exported_symbols_list=no]) LDFLAGS="$save_LDFLAGS" ]) AC_CACHE_CHECK([for -force_load linker flag],[lt_cv_ld_force_load], [lt_cv_ld_force_load=no cat > conftest.c << _LT_EOF int forced_loaded() { return 2;} _LT_EOF echo "$LTCC $LTCFLAGS -c -o conftest.o conftest.c" >&AS_MESSAGE_LOG_FD $LTCC $LTCFLAGS -c -o conftest.o conftest.c 2>&AS_MESSAGE_LOG_FD echo "$AR cru libconftest.a conftest.o" >&AS_MESSAGE_LOG_FD $AR cru libconftest.a conftest.o 2>&AS_MESSAGE_LOG_FD echo "$RANLIB libconftest.a" >&AS_MESSAGE_LOG_FD $RANLIB libconftest.a 2>&AS_MESSAGE_LOG_FD cat > conftest.c << _LT_EOF int main() { return 0;} _LT_EOF echo "$LTCC $LTCFLAGS $LDFLAGS -o conftest conftest.c -Wl,-force_load,./libconftest.a" >&AS_MESSAGE_LOG_FD $LTCC $LTCFLAGS $LDFLAGS -o conftest conftest.c -Wl,-force_load,./libconftest.a 2>conftest.err _lt_result=$? if test -s conftest.err && $GREP force_load conftest.err; then cat conftest.err >&AS_MESSAGE_LOG_FD elif test -f conftest && test $_lt_result -eq 0 && $GREP forced_load conftest >/dev/null 2>&1 ; then lt_cv_ld_force_load=yes else cat conftest.err >&AS_MESSAGE_LOG_FD fi rm -f conftest.err libconftest.a conftest conftest.c rm -rf conftest.dSYM ]) case $host_os in rhapsody* | darwin1.[[012]]) _lt_dar_allow_undefined='${wl}-undefined ${wl}suppress' ;; darwin1.*) _lt_dar_allow_undefined='${wl}-flat_namespace ${wl}-undefined ${wl}suppress' ;; darwin*) # darwin 5.x on # if running on 10.5 or later, the deployment target defaults # to the OS version, if on x86, and 10.4, the deployment # target defaults to 10.4. Don't you love it? case ${MACOSX_DEPLOYMENT_TARGET-10.0},$host in 10.0,*86*-darwin8*|10.0,*-darwin[[91]]*) _lt_dar_allow_undefined='${wl}-undefined ${wl}dynamic_lookup' ;; 10.[[012]]*) _lt_dar_allow_undefined='${wl}-flat_namespace ${wl}-undefined ${wl}suppress' ;; 10.*) _lt_dar_allow_undefined='${wl}-undefined ${wl}dynamic_lookup' ;; esac ;; esac if test "$lt_cv_apple_cc_single_mod" = "yes"; then _lt_dar_single_mod='$single_module' fi if test "$lt_cv_ld_exported_symbols_list" = "yes"; then _lt_dar_export_syms=' ${wl}-exported_symbols_list,$output_objdir/${libname}-symbols.expsym' else _lt_dar_export_syms='~$NMEDIT -s $output_objdir/${libname}-symbols.expsym ${lib}' fi if test "$DSYMUTIL" != ":" && test "$lt_cv_ld_force_load" = "no"; then _lt_dsymutil='~$DSYMUTIL $lib || :' else _lt_dsymutil= fi ;; esac ]) # _LT_DARWIN_LINKER_FEATURES([TAG]) # --------------------------------- # Checks for linker and compiler features on darwin m4_defun([_LT_DARWIN_LINKER_FEATURES], [ m4_require([_LT_REQUIRED_DARWIN_CHECKS]) _LT_TAGVAR(archive_cmds_need_lc, $1)=no _LT_TAGVAR(hardcode_direct, $1)=no _LT_TAGVAR(hardcode_automatic, $1)=yes _LT_TAGVAR(hardcode_shlibpath_var, $1)=unsupported if test "$lt_cv_ld_force_load" = "yes"; then _LT_TAGVAR(whole_archive_flag_spec, $1)='`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience ${wl}-force_load,$conv\"; done; func_echo_all \"$new_convenience\"`' m4_case([$1], [F77], [_LT_TAGVAR(compiler_needs_object, $1)=yes], [FC], [_LT_TAGVAR(compiler_needs_object, $1)=yes]) else _LT_TAGVAR(whole_archive_flag_spec, $1)='' fi _LT_TAGVAR(link_all_deplibs, $1)=yes _LT_TAGVAR(allow_undefined_flag, $1)="$_lt_dar_allow_undefined" case $cc_basename in ifort*) _lt_dar_can_shared=yes ;; *) _lt_dar_can_shared=$GCC ;; esac if test "$_lt_dar_can_shared" = "yes"; then output_verbose_link_cmd=func_echo_all _LT_TAGVAR(archive_cmds, $1)="\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring $_lt_dar_single_mod${_lt_dsymutil}" _LT_TAGVAR(module_cmds, $1)="\$CC \$allow_undefined_flag -o \$lib -bundle \$libobjs \$deplibs \$compiler_flags${_lt_dsymutil}" _LT_TAGVAR(archive_expsym_cmds, $1)="sed 's,^,_,' < \$export_symbols > \$output_objdir/\${libname}-symbols.expsym~\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring ${_lt_dar_single_mod}${_lt_dar_export_syms}${_lt_dsymutil}" _LT_TAGVAR(module_expsym_cmds, $1)="sed -e 's,^,_,' < \$export_symbols > \$output_objdir/\${libname}-symbols.expsym~\$CC \$allow_undefined_flag -o \$lib -bundle \$libobjs \$deplibs \$compiler_flags${_lt_dar_export_syms}${_lt_dsymutil}" m4_if([$1], [CXX], [ if test "$lt_cv_apple_cc_single_mod" != "yes"; then _LT_TAGVAR(archive_cmds, $1)="\$CC -r -keep_private_externs -nostdlib -o \${lib}-master.o \$libobjs~\$CC -dynamiclib \$allow_undefined_flag -o \$lib \${lib}-master.o \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring${_lt_dsymutil}" _LT_TAGVAR(archive_expsym_cmds, $1)="sed 's,^,_,' < \$export_symbols > \$output_objdir/\${libname}-symbols.expsym~\$CC -r -keep_private_externs -nostdlib -o \${lib}-master.o \$libobjs~\$CC -dynamiclib \$allow_undefined_flag -o \$lib \${lib}-master.o \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring${_lt_dar_export_syms}${_lt_dsymutil}" fi ],[]) else _LT_TAGVAR(ld_shlibs, $1)=no fi ]) # _LT_SYS_MODULE_PATH_AIX([TAGNAME]) # ---------------------------------- # Links a minimal program and checks the executable # for the system default hardcoded library path. In most cases, # this is /usr/lib:/lib, but when the MPI compilers are used # the location of the communication and MPI libs are included too. # If we don't find anything, use the default library path according # to the aix ld manual. # Store the results from the different compilers for each TAGNAME. # Allow to override them for all tags through lt_cv_aix_libpath. m4_defun([_LT_SYS_MODULE_PATH_AIX], [m4_require([_LT_DECL_SED])dnl if test "${lt_cv_aix_libpath+set}" = set; then aix_libpath=$lt_cv_aix_libpath else AC_CACHE_VAL([_LT_TAGVAR([lt_cv_aix_libpath_], [$1])], [AC_LINK_IFELSE([AC_LANG_PROGRAM],[ lt_aix_libpath_sed='[ /Import File Strings/,/^$/ { /^0/ { s/^0 *\([^ ]*\) *$/\1/ p } }]' _LT_TAGVAR([lt_cv_aix_libpath_], [$1])=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"` # Check for a 64-bit object if we didn't find anything. if test -z "$_LT_TAGVAR([lt_cv_aix_libpath_], [$1])"; then _LT_TAGVAR([lt_cv_aix_libpath_], [$1])=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"` fi],[]) if test -z "$_LT_TAGVAR([lt_cv_aix_libpath_], [$1])"; then _LT_TAGVAR([lt_cv_aix_libpath_], [$1])="/usr/lib:/lib" fi ]) aix_libpath=$_LT_TAGVAR([lt_cv_aix_libpath_], [$1]) fi ])# _LT_SYS_MODULE_PATH_AIX # _LT_SHELL_INIT(ARG) # ------------------- m4_define([_LT_SHELL_INIT], [m4_divert_text([M4SH-INIT], [$1 ])])# _LT_SHELL_INIT # _LT_PROG_ECHO_BACKSLASH # ----------------------- # Find how we can fake an echo command that does not interpret backslash. # In particular, with Autoconf 2.60 or later we add some code to the start # of the generated configure script which will find a shell with a builtin # printf (which we can use as an echo command). m4_defun([_LT_PROG_ECHO_BACKSLASH], [ECHO='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' ECHO=$ECHO$ECHO$ECHO$ECHO$ECHO ECHO=$ECHO$ECHO$ECHO$ECHO$ECHO$ECHO AC_MSG_CHECKING([how to print strings]) # Test print first, because it will be a builtin if present. if test "X`( print -r -- -n ) 2>/dev/null`" = X-n && \ test "X`print -r -- $ECHO 2>/dev/null`" = "X$ECHO"; then ECHO='print -r --' elif test "X`printf %s $ECHO 2>/dev/null`" = "X$ECHO"; then ECHO='printf %s\n' else # Use this function as a fallback that always works. func_fallback_echo () { eval 'cat <<_LTECHO_EOF $[]1 _LTECHO_EOF' } ECHO='func_fallback_echo' fi # func_echo_all arg... # Invoke $ECHO with all args, space-separated. func_echo_all () { $ECHO "$*" } case "$ECHO" in printf*) AC_MSG_RESULT([printf]) ;; print*) AC_MSG_RESULT([print -r]) ;; *) AC_MSG_RESULT([cat]) ;; esac m4_ifdef([_AS_DETECT_SUGGESTED], [_AS_DETECT_SUGGESTED([ test -n "${ZSH_VERSION+set}${BASH_VERSION+set}" || ( ECHO='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' ECHO=$ECHO$ECHO$ECHO$ECHO$ECHO ECHO=$ECHO$ECHO$ECHO$ECHO$ECHO$ECHO PATH=/empty FPATH=/empty; export PATH FPATH test "X`printf %s $ECHO`" = "X$ECHO" \ || test "X`print -r -- $ECHO`" = "X$ECHO" )])]) _LT_DECL([], [SHELL], [1], [Shell to use when invoking shell scripts]) _LT_DECL([], [ECHO], [1], [An echo program that protects backslashes]) ])# _LT_PROG_ECHO_BACKSLASH # _LT_WITH_SYSROOT # ---------------- AC_DEFUN([_LT_WITH_SYSROOT], [AC_MSG_CHECKING([for sysroot]) AC_ARG_WITH([sysroot], [ --with-sysroot[=DIR] Search for dependent libraries within DIR (or the compiler's sysroot if not specified).], [], [with_sysroot=no]) dnl lt_sysroot will always be passed unquoted. We quote it here dnl in case the user passed a directory name. lt_sysroot= case ${with_sysroot} in #( yes) if test "$GCC" = yes; then lt_sysroot=`$CC --print-sysroot 2>/dev/null` fi ;; #( /*) lt_sysroot=`echo "$with_sysroot" | sed -e "$sed_quote_subst"` ;; #( no|'') ;; #( *) AC_MSG_RESULT([${with_sysroot}]) AC_MSG_ERROR([The sysroot must be an absolute path.]) ;; esac AC_MSG_RESULT([${lt_sysroot:-no}]) _LT_DECL([], [lt_sysroot], [0], [The root where to search for ]dnl [dependent libraries, and in which our libraries should be installed.])]) # _LT_ENABLE_LOCK # --------------- m4_defun([_LT_ENABLE_LOCK], [AC_ARG_ENABLE([libtool-lock], [AS_HELP_STRING([--disable-libtool-lock], [avoid locking (might break parallel builds)])]) test "x$enable_libtool_lock" != xno && enable_libtool_lock=yes # Some flags need to be propagated to the compiler or linker for good # libtool support. case $host in ia64-*-hpux*) # Find out which ABI we are using. echo 'int i;' > conftest.$ac_ext if AC_TRY_EVAL(ac_compile); then case `/usr/bin/file conftest.$ac_objext` in *ELF-32*) HPUX_IA64_MODE="32" ;; *ELF-64*) HPUX_IA64_MODE="64" ;; esac fi rm -rf conftest* ;; *-*-irix6*) # Find out which ABI we are using. echo '[#]line '$LINENO' "configure"' > conftest.$ac_ext if AC_TRY_EVAL(ac_compile); then if test "$lt_cv_prog_gnu_ld" = yes; then case `/usr/bin/file conftest.$ac_objext` in *32-bit*) LD="${LD-ld} -melf32bsmip" ;; *N32*) LD="${LD-ld} -melf32bmipn32" ;; *64-bit*) LD="${LD-ld} -melf64bmip" ;; esac else case `/usr/bin/file conftest.$ac_objext` in *32-bit*) LD="${LD-ld} -32" ;; *N32*) LD="${LD-ld} -n32" ;; *64-bit*) LD="${LD-ld} -64" ;; esac fi fi rm -rf conftest* ;; x86_64-*kfreebsd*-gnu|x86_64-*linux*|powerpc*-*linux*| \ s390*-*linux*|s390*-*tpf*|sparc*-*linux*) # Find out which ABI we are using. echo 'int i;' > conftest.$ac_ext if AC_TRY_EVAL(ac_compile); then case `/usr/bin/file conftest.o` in *32-bit*) case $host in x86_64-*kfreebsd*-gnu) LD="${LD-ld} -m elf_i386_fbsd" ;; x86_64-*linux*) case `/usr/bin/file conftest.o` in *x86-64*) LD="${LD-ld} -m elf32_x86_64" ;; *) LD="${LD-ld} -m elf_i386" ;; esac ;; powerpc64le-*) LD="${LD-ld} -m elf32lppclinux" ;; powerpc64-*) LD="${LD-ld} -m elf32ppclinux" ;; s390x-*linux*) LD="${LD-ld} -m elf_s390" ;; sparc64-*linux*) LD="${LD-ld} -m elf32_sparc" ;; esac ;; *64-bit*) case $host in x86_64-*kfreebsd*-gnu) LD="${LD-ld} -m elf_x86_64_fbsd" ;; x86_64-*linux*) LD="${LD-ld} -m elf_x86_64" ;; powerpcle-*) LD="${LD-ld} -m elf64lppc" ;; powerpc-*) LD="${LD-ld} -m elf64ppc" ;; s390*-*linux*|s390*-*tpf*) LD="${LD-ld} -m elf64_s390" ;; sparc*-*linux*) LD="${LD-ld} -m elf64_sparc" ;; esac ;; esac fi rm -rf conftest* ;; *-*-sco3.2v5*) # On SCO OpenServer 5, we need -belf to get full-featured binaries. SAVE_CFLAGS="$CFLAGS" CFLAGS="$CFLAGS -belf" AC_CACHE_CHECK([whether the C compiler needs -belf], lt_cv_cc_needs_belf, [AC_LANG_PUSH(C) AC_LINK_IFELSE([AC_LANG_PROGRAM([[]],[[]])],[lt_cv_cc_needs_belf=yes],[lt_cv_cc_needs_belf=no]) AC_LANG_POP]) if test x"$lt_cv_cc_needs_belf" != x"yes"; then # this is probably gcc 2.8.0, egcs 1.0 or newer; no need for -belf CFLAGS="$SAVE_CFLAGS" fi ;; *-*solaris*) # Find out which ABI we are using. echo 'int i;' > conftest.$ac_ext if AC_TRY_EVAL(ac_compile); then case `/usr/bin/file conftest.o` in *64-bit*) case $lt_cv_prog_gnu_ld in yes*) case $host in i?86-*-solaris*) LD="${LD-ld} -m elf_x86_64" ;; sparc*-*-solaris*) LD="${LD-ld} -m elf64_sparc" ;; esac # GNU ld 2.21 introduced _sol2 emulations. Use them if available. if ${LD-ld} -V | grep _sol2 >/dev/null 2>&1; then LD="${LD-ld}_sol2" fi ;; *) if ${LD-ld} -64 -r -o conftest2.o conftest.o >/dev/null 2>&1; then LD="${LD-ld} -64" fi ;; esac ;; esac fi rm -rf conftest* ;; esac need_locks="$enable_libtool_lock" ])# _LT_ENABLE_LOCK # _LT_PROG_AR # ----------- m4_defun([_LT_PROG_AR], [AC_CHECK_TOOLS(AR, [ar], false) : ${AR=ar} : ${AR_FLAGS=cru} _LT_DECL([], [AR], [1], [The archiver]) _LT_DECL([], [AR_FLAGS], [1], [Flags to create an archive]) AC_CACHE_CHECK([for archiver @FILE support], [lt_cv_ar_at_file], [lt_cv_ar_at_file=no AC_COMPILE_IFELSE([AC_LANG_PROGRAM], [echo conftest.$ac_objext > conftest.lst lt_ar_try='$AR $AR_FLAGS libconftest.a @conftest.lst >&AS_MESSAGE_LOG_FD' AC_TRY_EVAL([lt_ar_try]) if test "$ac_status" -eq 0; then # Ensure the archiver fails upon bogus file names. rm -f conftest.$ac_objext libconftest.a AC_TRY_EVAL([lt_ar_try]) if test "$ac_status" -ne 0; then lt_cv_ar_at_file=@ fi fi rm -f conftest.* libconftest.a ]) ]) if test "x$lt_cv_ar_at_file" = xno; then archiver_list_spec= else archiver_list_spec=$lt_cv_ar_at_file fi _LT_DECL([], [archiver_list_spec], [1], [How to feed a file listing to the archiver]) ])# _LT_PROG_AR # _LT_CMD_OLD_ARCHIVE # ------------------- m4_defun([_LT_CMD_OLD_ARCHIVE], [_LT_PROG_AR AC_CHECK_TOOL(STRIP, strip, :) test -z "$STRIP" && STRIP=: _LT_DECL([], [STRIP], [1], [A symbol stripping program]) AC_CHECK_TOOL(RANLIB, ranlib, :) test -z "$RANLIB" && RANLIB=: _LT_DECL([], [RANLIB], [1], [Commands used to install an old-style archive]) # Determine commands to create old-style static archives. old_archive_cmds='$AR $AR_FLAGS $oldlib$oldobjs' old_postinstall_cmds='chmod 644 $oldlib' old_postuninstall_cmds= if test -n "$RANLIB"; then case $host_os in openbsd*) old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB -t \$tool_oldlib" ;; *) old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB \$tool_oldlib" ;; esac old_archive_cmds="$old_archive_cmds~\$RANLIB \$tool_oldlib" fi case $host_os in darwin*) lock_old_archive_extraction=yes ;; *) lock_old_archive_extraction=no ;; esac _LT_DECL([], [old_postinstall_cmds], [2]) _LT_DECL([], [old_postuninstall_cmds], [2]) _LT_TAGDECL([], [old_archive_cmds], [2], [Commands used to build an old-style archive]) _LT_DECL([], [lock_old_archive_extraction], [0], [Whether to use a lock for old archive extraction]) ])# _LT_CMD_OLD_ARCHIVE # _LT_COMPILER_OPTION(MESSAGE, VARIABLE-NAME, FLAGS, # [OUTPUT-FILE], [ACTION-SUCCESS], [ACTION-FAILURE]) # ---------------------------------------------------------------- # Check whether the given compiler option works AC_DEFUN([_LT_COMPILER_OPTION], [m4_require([_LT_FILEUTILS_DEFAULTS])dnl m4_require([_LT_DECL_SED])dnl AC_CACHE_CHECK([$1], [$2], [$2=no m4_if([$4], , [ac_outfile=conftest.$ac_objext], [ac_outfile=$4]) echo "$lt_simple_compile_test_code" > conftest.$ac_ext lt_compiler_flag="$3" # Insert the option either (1) after the last *FLAGS variable, or # (2) before a word containing "conftest.", or (3) at the end. # Note that $ac_compile itself does not contain backslashes and begins # with a dollar sign (not a hyphen), so the echo should work correctly. # The option is referenced via a variable to avoid confusing sed. lt_compile=`echo "$ac_compile" | $SED \ -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [[^ ]]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` (eval echo "\"\$as_me:$LINENO: $lt_compile\"" >&AS_MESSAGE_LOG_FD) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&AS_MESSAGE_LOG_FD echo "$as_me:$LINENO: \$? = $ac_status" >&AS_MESSAGE_LOG_FD if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. $ECHO "$_lt_compiler_boilerplate" | $SED '/^$/d' >conftest.exp $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2 if test ! -s conftest.er2 || diff conftest.exp conftest.er2 >/dev/null; then $2=yes fi fi $RM conftest* ]) if test x"[$]$2" = xyes; then m4_if([$5], , :, [$5]) else m4_if([$6], , :, [$6]) fi ])# _LT_COMPILER_OPTION # Old name: AU_ALIAS([AC_LIBTOOL_COMPILER_OPTION], [_LT_COMPILER_OPTION]) dnl aclocal-1.4 backwards compatibility: dnl AC_DEFUN([AC_LIBTOOL_COMPILER_OPTION], []) # _LT_LINKER_OPTION(MESSAGE, VARIABLE-NAME, FLAGS, # [ACTION-SUCCESS], [ACTION-FAILURE]) # ---------------------------------------------------- # Check whether the given linker option works AC_DEFUN([_LT_LINKER_OPTION], [m4_require([_LT_FILEUTILS_DEFAULTS])dnl m4_require([_LT_DECL_SED])dnl AC_CACHE_CHECK([$1], [$2], [$2=no save_LDFLAGS="$LDFLAGS" LDFLAGS="$LDFLAGS $3" echo "$lt_simple_link_test_code" > conftest.$ac_ext if (eval $ac_link 2>conftest.err) && test -s conftest$ac_exeext; then # The linker can only warn and ignore the option if not recognized # So say no if there are warnings if test -s conftest.err; then # Append any errors to the config.log. cat conftest.err 1>&AS_MESSAGE_LOG_FD $ECHO "$_lt_linker_boilerplate" | $SED '/^$/d' > conftest.exp $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2 if diff conftest.exp conftest.er2 >/dev/null; then $2=yes fi else $2=yes fi fi $RM -r conftest* LDFLAGS="$save_LDFLAGS" ]) if test x"[$]$2" = xyes; then m4_if([$4], , :, [$4]) else m4_if([$5], , :, [$5]) fi ])# _LT_LINKER_OPTION # Old name: AU_ALIAS([AC_LIBTOOL_LINKER_OPTION], [_LT_LINKER_OPTION]) dnl aclocal-1.4 backwards compatibility: dnl AC_DEFUN([AC_LIBTOOL_LINKER_OPTION], []) # LT_CMD_MAX_LEN #--------------- AC_DEFUN([LT_CMD_MAX_LEN], [AC_REQUIRE([AC_CANONICAL_HOST])dnl # find the maximum length of command line arguments AC_MSG_CHECKING([the maximum length of command line arguments]) AC_CACHE_VAL([lt_cv_sys_max_cmd_len], [dnl i=0 teststring="ABCD" case $build_os in msdosdjgpp*) # On DJGPP, this test can blow up pretty badly due to problems in libc # (any single argument exceeding 2000 bytes causes a buffer overrun # during glob expansion). Even if it were fixed, the result of this # check would be larger than it should be. lt_cv_sys_max_cmd_len=12288; # 12K is about right ;; gnu*) # Under GNU Hurd, this test is not required because there is # no limit to the length of command line arguments. # Libtool will interpret -1 as no limit whatsoever lt_cv_sys_max_cmd_len=-1; ;; cygwin* | mingw* | cegcc*) # On Win9x/ME, this test blows up -- it succeeds, but takes # about 5 minutes as the teststring grows exponentially. # Worse, since 9x/ME are not pre-emptively multitasking, # you end up with a "frozen" computer, even though with patience # the test eventually succeeds (with a max line length of 256k). # Instead, let's just punt: use the minimum linelength reported by # all of the supported platforms: 8192 (on NT/2K/XP). lt_cv_sys_max_cmd_len=8192; ;; mint*) # On MiNT this can take a long time and run out of memory. lt_cv_sys_max_cmd_len=8192; ;; amigaos*) # On AmigaOS with pdksh, this test takes hours, literally. # So we just punt and use a minimum line length of 8192. lt_cv_sys_max_cmd_len=8192; ;; netbsd* | freebsd* | openbsd* | darwin* | dragonfly*) # This has been around since 386BSD, at least. Likely further. if test -x /sbin/sysctl; then lt_cv_sys_max_cmd_len=`/sbin/sysctl -n kern.argmax` elif test -x /usr/sbin/sysctl; then lt_cv_sys_max_cmd_len=`/usr/sbin/sysctl -n kern.argmax` else lt_cv_sys_max_cmd_len=65536 # usable default for all BSDs fi # And add a safety zone lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 4` lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \* 3` ;; interix*) # We know the value 262144 and hardcode it with a safety zone (like BSD) lt_cv_sys_max_cmd_len=196608 ;; os2*) # The test takes a long time on OS/2. lt_cv_sys_max_cmd_len=8192 ;; osf*) # Dr. Hans Ekkehard Plesser reports seeing a kernel panic running configure # due to this test when exec_disable_arg_limit is 1 on Tru64. It is not # nice to cause kernel panics so lets avoid the loop below. # First set a reasonable default. lt_cv_sys_max_cmd_len=16384 # if test -x /sbin/sysconfig; then case `/sbin/sysconfig -q proc exec_disable_arg_limit` in *1*) lt_cv_sys_max_cmd_len=-1 ;; esac fi ;; sco3.2v5*) lt_cv_sys_max_cmd_len=102400 ;; sysv5* | sco5v6* | sysv4.2uw2*) kargmax=`grep ARG_MAX /etc/conf/cf.d/stune 2>/dev/null` if test -n "$kargmax"; then lt_cv_sys_max_cmd_len=`echo $kargmax | sed 's/.*[[ ]]//'` else lt_cv_sys_max_cmd_len=32768 fi ;; *) lt_cv_sys_max_cmd_len=`(getconf ARG_MAX) 2> /dev/null` if test -n "$lt_cv_sys_max_cmd_len" && \ test undefined != "$lt_cv_sys_max_cmd_len"; then lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 4` lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \* 3` else # Make teststring a little bigger before we do anything with it. # a 1K string should be a reasonable start. for i in 1 2 3 4 5 6 7 8 ; do teststring=$teststring$teststring done SHELL=${SHELL-${CONFIG_SHELL-/bin/sh}} # If test is not a shell built-in, we'll probably end up computing a # maximum length that is only half of the actual maximum length, but # we can't tell. while { test "X"`env echo "$teststring$teststring" 2>/dev/null` \ = "X$teststring$teststring"; } >/dev/null 2>&1 && test $i != 17 # 1/2 MB should be enough do i=`expr $i + 1` teststring=$teststring$teststring done # Only check the string length outside the loop. lt_cv_sys_max_cmd_len=`expr "X$teststring" : ".*" 2>&1` teststring= # Add a significant safety factor because C++ compilers can tack on # massive amounts of additional arguments before passing them to the # linker. It appears as though 1/2 is a usable value. lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 2` fi ;; esac ]) if test -n $lt_cv_sys_max_cmd_len ; then AC_MSG_RESULT($lt_cv_sys_max_cmd_len) else AC_MSG_RESULT(none) fi max_cmd_len=$lt_cv_sys_max_cmd_len _LT_DECL([], [max_cmd_len], [0], [What is the maximum length of a command?]) ])# LT_CMD_MAX_LEN # Old name: AU_ALIAS([AC_LIBTOOL_SYS_MAX_CMD_LEN], [LT_CMD_MAX_LEN]) dnl aclocal-1.4 backwards compatibility: dnl AC_DEFUN([AC_LIBTOOL_SYS_MAX_CMD_LEN], []) # _LT_HEADER_DLFCN # ---------------- m4_defun([_LT_HEADER_DLFCN], [AC_CHECK_HEADERS([dlfcn.h], [], [], [AC_INCLUDES_DEFAULT])dnl ])# _LT_HEADER_DLFCN # _LT_TRY_DLOPEN_SELF (ACTION-IF-TRUE, ACTION-IF-TRUE-W-USCORE, # ACTION-IF-FALSE, ACTION-IF-CROSS-COMPILING) # ---------------------------------------------------------------- m4_defun([_LT_TRY_DLOPEN_SELF], [m4_require([_LT_HEADER_DLFCN])dnl if test "$cross_compiling" = yes; then : [$4] else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<_LT_EOF [#line $LINENO "configure" #include "confdefs.h" #if HAVE_DLFCN_H #include #endif #include #ifdef RTLD_GLOBAL # define LT_DLGLOBAL RTLD_GLOBAL #else # ifdef DL_GLOBAL # define LT_DLGLOBAL DL_GLOBAL # else # define LT_DLGLOBAL 0 # endif #endif /* We may have to define LT_DLLAZY_OR_NOW in the command line if we find out it does not work in some platform. */ #ifndef LT_DLLAZY_OR_NOW # ifdef RTLD_LAZY # define LT_DLLAZY_OR_NOW RTLD_LAZY # else # ifdef DL_LAZY # define LT_DLLAZY_OR_NOW DL_LAZY # else # ifdef RTLD_NOW # define LT_DLLAZY_OR_NOW RTLD_NOW # else # ifdef DL_NOW # define LT_DLLAZY_OR_NOW DL_NOW # else # define LT_DLLAZY_OR_NOW 0 # endif # endif # endif # endif #endif /* When -fvisbility=hidden is used, assume the code has been annotated correspondingly for the symbols needed. */ #if defined(__GNUC__) && (((__GNUC__ == 3) && (__GNUC_MINOR__ >= 3)) || (__GNUC__ > 3)) int fnord () __attribute__((visibility("default"))); #endif int fnord () { return 42; } int main () { void *self = dlopen (0, LT_DLGLOBAL|LT_DLLAZY_OR_NOW); int status = $lt_dlunknown; if (self) { if (dlsym (self,"fnord")) status = $lt_dlno_uscore; else { if (dlsym( self,"_fnord")) status = $lt_dlneed_uscore; else puts (dlerror ()); } /* dlclose (self); */ } else puts (dlerror ()); return status; }] _LT_EOF if AC_TRY_EVAL(ac_link) && test -s conftest${ac_exeext} 2>/dev/null; then (./conftest; exit; ) >&AS_MESSAGE_LOG_FD 2>/dev/null lt_status=$? case x$lt_status in x$lt_dlno_uscore) $1 ;; x$lt_dlneed_uscore) $2 ;; x$lt_dlunknown|x*) $3 ;; esac else : # compilation failed $3 fi fi rm -fr conftest* ])# _LT_TRY_DLOPEN_SELF # LT_SYS_DLOPEN_SELF # ------------------ AC_DEFUN([LT_SYS_DLOPEN_SELF], [m4_require([_LT_HEADER_DLFCN])dnl if test "x$enable_dlopen" != xyes; then enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown else lt_cv_dlopen=no lt_cv_dlopen_libs= case $host_os in beos*) lt_cv_dlopen="load_add_on" lt_cv_dlopen_libs= lt_cv_dlopen_self=yes ;; mingw* | pw32* | cegcc*) lt_cv_dlopen="LoadLibrary" lt_cv_dlopen_libs= ;; cygwin*) lt_cv_dlopen="dlopen" lt_cv_dlopen_libs= ;; darwin*) # if libdl is installed we need to link against it AC_CHECK_LIB([dl], [dlopen], [lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-ldl"],[ lt_cv_dlopen="dyld" lt_cv_dlopen_libs= lt_cv_dlopen_self=yes ]) ;; *) AC_CHECK_FUNC([shl_load], [lt_cv_dlopen="shl_load"], [AC_CHECK_LIB([dld], [shl_load], [lt_cv_dlopen="shl_load" lt_cv_dlopen_libs="-ldld"], [AC_CHECK_FUNC([dlopen], [lt_cv_dlopen="dlopen"], [AC_CHECK_LIB([dl], [dlopen], [lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-ldl"], [AC_CHECK_LIB([svld], [dlopen], [lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-lsvld"], [AC_CHECK_LIB([dld], [dld_link], [lt_cv_dlopen="dld_link" lt_cv_dlopen_libs="-ldld"]) ]) ]) ]) ]) ]) ;; esac if test "x$lt_cv_dlopen" != xno; then enable_dlopen=yes else enable_dlopen=no fi case $lt_cv_dlopen in dlopen) save_CPPFLAGS="$CPPFLAGS" test "x$ac_cv_header_dlfcn_h" = xyes && CPPFLAGS="$CPPFLAGS -DHAVE_DLFCN_H" save_LDFLAGS="$LDFLAGS" wl=$lt_prog_compiler_wl eval LDFLAGS=\"\$LDFLAGS $export_dynamic_flag_spec\" save_LIBS="$LIBS" LIBS="$lt_cv_dlopen_libs $LIBS" AC_CACHE_CHECK([whether a program can dlopen itself], lt_cv_dlopen_self, [dnl _LT_TRY_DLOPEN_SELF( lt_cv_dlopen_self=yes, lt_cv_dlopen_self=yes, lt_cv_dlopen_self=no, lt_cv_dlopen_self=cross) ]) if test "x$lt_cv_dlopen_self" = xyes; then wl=$lt_prog_compiler_wl eval LDFLAGS=\"\$LDFLAGS $lt_prog_compiler_static\" AC_CACHE_CHECK([whether a statically linked program can dlopen itself], lt_cv_dlopen_self_static, [dnl _LT_TRY_DLOPEN_SELF( lt_cv_dlopen_self_static=yes, lt_cv_dlopen_self_static=yes, lt_cv_dlopen_self_static=no, lt_cv_dlopen_self_static=cross) ]) fi CPPFLAGS="$save_CPPFLAGS" LDFLAGS="$save_LDFLAGS" LIBS="$save_LIBS" ;; esac case $lt_cv_dlopen_self in yes|no) enable_dlopen_self=$lt_cv_dlopen_self ;; *) enable_dlopen_self=unknown ;; esac case $lt_cv_dlopen_self_static in yes|no) enable_dlopen_self_static=$lt_cv_dlopen_self_static ;; *) enable_dlopen_self_static=unknown ;; esac fi _LT_DECL([dlopen_support], [enable_dlopen], [0], [Whether dlopen is supported]) _LT_DECL([dlopen_self], [enable_dlopen_self], [0], [Whether dlopen of programs is supported]) _LT_DECL([dlopen_self_static], [enable_dlopen_self_static], [0], [Whether dlopen of statically linked programs is supported]) ])# LT_SYS_DLOPEN_SELF # Old name: AU_ALIAS([AC_LIBTOOL_DLOPEN_SELF], [LT_SYS_DLOPEN_SELF]) dnl aclocal-1.4 backwards compatibility: dnl AC_DEFUN([AC_LIBTOOL_DLOPEN_SELF], []) # _LT_COMPILER_C_O([TAGNAME]) # --------------------------- # Check to see if options -c and -o are simultaneously supported by compiler. # This macro does not hard code the compiler like AC_PROG_CC_C_O. m4_defun([_LT_COMPILER_C_O], [m4_require([_LT_DECL_SED])dnl m4_require([_LT_FILEUTILS_DEFAULTS])dnl m4_require([_LT_TAG_COMPILER])dnl AC_CACHE_CHECK([if $compiler supports -c -o file.$ac_objext], [_LT_TAGVAR(lt_cv_prog_compiler_c_o, $1)], [_LT_TAGVAR(lt_cv_prog_compiler_c_o, $1)=no $RM -r conftest 2>/dev/null mkdir conftest cd conftest mkdir out echo "$lt_simple_compile_test_code" > conftest.$ac_ext lt_compiler_flag="-o out/conftest2.$ac_objext" # Insert the option either (1) after the last *FLAGS variable, or # (2) before a word containing "conftest.", or (3) at the end. # Note that $ac_compile itself does not contain backslashes and begins # with a dollar sign (not a hyphen), so the echo should work correctly. lt_compile=`echo "$ac_compile" | $SED \ -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [[^ ]]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` (eval echo "\"\$as_me:$LINENO: $lt_compile\"" >&AS_MESSAGE_LOG_FD) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&AS_MESSAGE_LOG_FD echo "$as_me:$LINENO: \$? = $ac_status" >&AS_MESSAGE_LOG_FD if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings $ECHO "$_lt_compiler_boilerplate" | $SED '/^$/d' > out/conftest.exp $SED '/^$/d; /^ *+/d' out/conftest.err >out/conftest.er2 if test ! -s out/conftest.er2 || diff out/conftest.exp out/conftest.er2 >/dev/null; then _LT_TAGVAR(lt_cv_prog_compiler_c_o, $1)=yes fi fi chmod u+w . 2>&AS_MESSAGE_LOG_FD $RM conftest* # SGI C++ compiler will create directory out/ii_files/ for # template instantiation test -d out/ii_files && $RM out/ii_files/* && rmdir out/ii_files $RM out/* && rmdir out cd .. $RM -r conftest $RM conftest* ]) _LT_TAGDECL([compiler_c_o], [lt_cv_prog_compiler_c_o], [1], [Does compiler simultaneously support -c and -o options?]) ])# _LT_COMPILER_C_O # _LT_COMPILER_FILE_LOCKS([TAGNAME]) # ---------------------------------- # Check to see if we can do hard links to lock some files if needed m4_defun([_LT_COMPILER_FILE_LOCKS], [m4_require([_LT_ENABLE_LOCK])dnl m4_require([_LT_FILEUTILS_DEFAULTS])dnl _LT_COMPILER_C_O([$1]) hard_links="nottested" if test "$_LT_TAGVAR(lt_cv_prog_compiler_c_o, $1)" = no && test "$need_locks" != no; then # do not overwrite the value of need_locks provided by the user AC_MSG_CHECKING([if we can lock with hard links]) hard_links=yes $RM conftest* ln conftest.a conftest.b 2>/dev/null && hard_links=no touch conftest.a ln conftest.a conftest.b 2>&5 || hard_links=no ln conftest.a conftest.b 2>/dev/null && hard_links=no AC_MSG_RESULT([$hard_links]) if test "$hard_links" = no; then AC_MSG_WARN([`$CC' does not support `-c -o', so `make -j' may be unsafe]) need_locks=warn fi else need_locks=no fi _LT_DECL([], [need_locks], [1], [Must we lock files when doing compilation?]) ])# _LT_COMPILER_FILE_LOCKS # _LT_CHECK_OBJDIR # ---------------- m4_defun([_LT_CHECK_OBJDIR], [AC_CACHE_CHECK([for objdir], [lt_cv_objdir], [rm -f .libs 2>/dev/null mkdir .libs 2>/dev/null if test -d .libs; then lt_cv_objdir=.libs else # MS-DOS does not allow filenames that begin with a dot. lt_cv_objdir=_libs fi rmdir .libs 2>/dev/null]) objdir=$lt_cv_objdir _LT_DECL([], [objdir], [0], [The name of the directory that contains temporary libtool files])dnl m4_pattern_allow([LT_OBJDIR])dnl AC_DEFINE_UNQUOTED(LT_OBJDIR, "$lt_cv_objdir/", [Define to the sub-directory in which libtool stores uninstalled libraries.]) ])# _LT_CHECK_OBJDIR # _LT_LINKER_HARDCODE_LIBPATH([TAGNAME]) # -------------------------------------- # Check hardcoding attributes. m4_defun([_LT_LINKER_HARDCODE_LIBPATH], [AC_MSG_CHECKING([how to hardcode library paths into programs]) _LT_TAGVAR(hardcode_action, $1)= if test -n "$_LT_TAGVAR(hardcode_libdir_flag_spec, $1)" || test -n "$_LT_TAGVAR(runpath_var, $1)" || test "X$_LT_TAGVAR(hardcode_automatic, $1)" = "Xyes" ; then # We can hardcode non-existent directories. if test "$_LT_TAGVAR(hardcode_direct, $1)" != no && # If the only mechanism to avoid hardcoding is shlibpath_var, we # have to relink, otherwise we might link with an installed library # when we should be linking with a yet-to-be-installed one ## test "$_LT_TAGVAR(hardcode_shlibpath_var, $1)" != no && test "$_LT_TAGVAR(hardcode_minus_L, $1)" != no; then # Linking always hardcodes the temporary library directory. _LT_TAGVAR(hardcode_action, $1)=relink else # We can link without hardcoding, and we can hardcode nonexisting dirs. _LT_TAGVAR(hardcode_action, $1)=immediate fi else # We cannot hardcode anything, or else we can only hardcode existing # directories. _LT_TAGVAR(hardcode_action, $1)=unsupported fi AC_MSG_RESULT([$_LT_TAGVAR(hardcode_action, $1)]) if test "$_LT_TAGVAR(hardcode_action, $1)" = relink || test "$_LT_TAGVAR(inherit_rpath, $1)" = yes; then # Fast installation is not supported enable_fast_install=no elif test "$shlibpath_overrides_runpath" = yes || test "$enable_shared" = no; then # Fast installation is not necessary enable_fast_install=needless fi _LT_TAGDECL([], [hardcode_action], [0], [How to hardcode a shared library path into an executable]) ])# _LT_LINKER_HARDCODE_LIBPATH # _LT_CMD_STRIPLIB # ---------------- m4_defun([_LT_CMD_STRIPLIB], [m4_require([_LT_DECL_EGREP]) striplib= old_striplib= AC_MSG_CHECKING([whether stripping libraries is possible]) if test -n "$STRIP" && $STRIP -V 2>&1 | $GREP "GNU strip" >/dev/null; then test -z "$old_striplib" && old_striplib="$STRIP --strip-debug" test -z "$striplib" && striplib="$STRIP --strip-unneeded" AC_MSG_RESULT([yes]) else # FIXME - insert some real tests, host_os isn't really good enough case $host_os in darwin*) if test -n "$STRIP" ; then striplib="$STRIP -x" old_striplib="$STRIP -S" AC_MSG_RESULT([yes]) else AC_MSG_RESULT([no]) fi ;; *) AC_MSG_RESULT([no]) ;; esac fi _LT_DECL([], [old_striplib], [1], [Commands to strip libraries]) _LT_DECL([], [striplib], [1]) ])# _LT_CMD_STRIPLIB # _LT_SYS_DYNAMIC_LINKER([TAG]) # ----------------------------- # PORTME Fill in your ld.so characteristics m4_defun([_LT_SYS_DYNAMIC_LINKER], [AC_REQUIRE([AC_CANONICAL_HOST])dnl m4_require([_LT_DECL_EGREP])dnl m4_require([_LT_FILEUTILS_DEFAULTS])dnl m4_require([_LT_DECL_OBJDUMP])dnl m4_require([_LT_DECL_SED])dnl m4_require([_LT_CHECK_SHELL_FEATURES])dnl AC_MSG_CHECKING([dynamic linker characteristics]) m4_if([$1], [], [ if test "$GCC" = yes; then case $host_os in darwin*) lt_awk_arg="/^libraries:/,/LR/" ;; *) lt_awk_arg="/^libraries:/" ;; esac case $host_os in mingw* | cegcc*) lt_sed_strip_eq="s,=\([[A-Za-z]]:\),\1,g" ;; *) lt_sed_strip_eq="s,=/,/,g" ;; esac lt_search_path_spec=`$CC -print-search-dirs | awk $lt_awk_arg | $SED -e "s/^libraries://" -e $lt_sed_strip_eq` case $lt_search_path_spec in *\;*) # if the path contains ";" then we assume it to be the separator # otherwise default to the standard path separator (i.e. ":") - it is # assumed that no part of a normal pathname contains ";" but that should # okay in the real world where ";" in dirpaths is itself problematic. lt_search_path_spec=`$ECHO "$lt_search_path_spec" | $SED 's/;/ /g'` ;; *) lt_search_path_spec=`$ECHO "$lt_search_path_spec" | $SED "s/$PATH_SEPARATOR/ /g"` ;; esac # Ok, now we have the path, separated by spaces, we can step through it # and add multilib dir if necessary. lt_tmp_lt_search_path_spec= lt_multi_os_dir=`$CC $CPPFLAGS $CFLAGS $LDFLAGS -print-multi-os-directory 2>/dev/null` for lt_sys_path in $lt_search_path_spec; do if test -d "$lt_sys_path/$lt_multi_os_dir"; then lt_tmp_lt_search_path_spec="$lt_tmp_lt_search_path_spec $lt_sys_path/$lt_multi_os_dir" else test -d "$lt_sys_path" && \ lt_tmp_lt_search_path_spec="$lt_tmp_lt_search_path_spec $lt_sys_path" fi done lt_search_path_spec=`$ECHO "$lt_tmp_lt_search_path_spec" | awk ' BEGIN {RS=" "; FS="/|\n";} { lt_foo=""; lt_count=0; for (lt_i = NF; lt_i > 0; lt_i--) { if ($lt_i != "" && $lt_i != ".") { if ($lt_i == "..") { lt_count++; } else { if (lt_count == 0) { lt_foo="/" $lt_i lt_foo; } else { lt_count--; } } } } if (lt_foo != "") { lt_freq[[lt_foo]]++; } if (lt_freq[[lt_foo]] == 1) { print lt_foo; } }'` # AWK program above erroneously prepends '/' to C:/dos/paths # for these hosts. case $host_os in mingw* | cegcc*) lt_search_path_spec=`$ECHO "$lt_search_path_spec" |\ $SED 's,/\([[A-Za-z]]:\),\1,g'` ;; esac sys_lib_search_path_spec=`$ECHO "$lt_search_path_spec" | $lt_NL2SP` else sys_lib_search_path_spec="/lib /usr/lib /usr/local/lib" fi]) library_names_spec= libname_spec='lib$name' soname_spec= shrext_cmds=".so" postinstall_cmds= postuninstall_cmds= finish_cmds= finish_eval= shlibpath_var= shlibpath_overrides_runpath=unknown version_type=none dynamic_linker="$host_os ld.so" sys_lib_dlsearch_path_spec="/lib /usr/lib" need_lib_prefix=unknown hardcode_into_libs=no # when you set need_version to no, make sure it does not cause -set_version # flags to be left without arguments need_version=unknown case $host_os in aix3*) version_type=linux # correct to gnu/linux during the next big refactor library_names_spec='${libname}${release}${shared_ext}$versuffix $libname.a' shlibpath_var=LIBPATH # AIX 3 has no versioning support, so we append a major version to the name. soname_spec='${libname}${release}${shared_ext}$major' ;; aix[[4-9]]*) version_type=linux # correct to gnu/linux during the next big refactor need_lib_prefix=no need_version=no hardcode_into_libs=yes if test "$host_cpu" = ia64; then # AIX 5 supports IA64 library_names_spec='${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext}$versuffix $libname${shared_ext}' shlibpath_var=LD_LIBRARY_PATH else # With GCC up to 2.95.x, collect2 would create an import file # for dependence libraries. The import file would start with # the line `#! .'. This would cause the generated library to # depend on `.', always an invalid library. This was fixed in # development snapshots of GCC prior to 3.0. case $host_os in aix4 | aix4.[[01]] | aix4.[[01]].*) if { echo '#if __GNUC__ > 2 || (__GNUC__ == 2 && __GNUC_MINOR__ >= 97)' echo ' yes ' echo '#endif'; } | ${CC} -E - | $GREP yes > /dev/null; then : else can_build_shared=no fi ;; esac # AIX (on Power*) has no versioning support, so currently we can not hardcode correct # soname into executable. Probably we can add versioning support to # collect2, so additional links can be useful in future. if test "$aix_use_runtimelinking" = yes; then # If using run time linking (on AIX 4.2 or later) use lib.so # instead of lib.a to let people know that these are not # typical AIX shared libraries. library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' else # We preserve .a as extension for shared libraries through AIX4.2 # and later when we are not doing run time linking. library_names_spec='${libname}${release}.a $libname.a' soname_spec='${libname}${release}${shared_ext}$major' fi shlibpath_var=LIBPATH fi ;; amigaos*) case $host_cpu in powerpc) # Since July 2007 AmigaOS4 officially supports .so libraries. # When compiling the executable, add -use-dynld -Lsobjs: to the compileline. library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' ;; m68k) library_names_spec='$libname.ixlibrary $libname.a' # Create ${libname}_ixlibrary.a entries in /sys/libs. finish_eval='for lib in `ls $libdir/*.ixlibrary 2>/dev/null`; do libname=`func_echo_all "$lib" | $SED '\''s%^.*/\([[^/]]*\)\.ixlibrary$%\1%'\''`; test $RM /sys/libs/${libname}_ixlibrary.a; $show "cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a"; cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a || exit 1; done' ;; esac ;; beos*) library_names_spec='${libname}${shared_ext}' dynamic_linker="$host_os ld.so" shlibpath_var=LIBRARY_PATH ;; bsdi[[45]]*) version_type=linux # correct to gnu/linux during the next big refactor need_version=no library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' soname_spec='${libname}${release}${shared_ext}$major' finish_cmds='PATH="\$PATH:/sbin" ldconfig $libdir' shlibpath_var=LD_LIBRARY_PATH sys_lib_search_path_spec="/shlib /usr/lib /usr/X11/lib /usr/contrib/lib /lib /usr/local/lib" sys_lib_dlsearch_path_spec="/shlib /usr/lib /usr/local/lib" # the default ld.so.conf also contains /usr/contrib/lib and # /usr/X11R6/lib (/usr/X11 is a link to /usr/X11R6), but let us allow # libtool to hard-code these into programs ;; cygwin* | mingw* | pw32* | cegcc*) version_type=windows shrext_cmds=".dll" need_version=no need_lib_prefix=no case $GCC,$cc_basename in yes,*) # gcc library_names_spec='$libname.dll.a' # DLL is installed to $(libdir)/../bin by postinstall_cmds postinstall_cmds='base_file=`basename \${file}`~ dlpath=`$SHELL 2>&1 -c '\''. $dir/'\''\${base_file}'\''i; echo \$dlname'\''`~ dldir=$destdir/`dirname \$dlpath`~ test -d \$dldir || mkdir -p \$dldir~ $install_prog $dir/$dlname \$dldir/$dlname~ chmod a+x \$dldir/$dlname~ if test -n '\''$stripme'\'' && test -n '\''$striplib'\''; then eval '\''$striplib \$dldir/$dlname'\'' || exit \$?; fi' postuninstall_cmds='dldll=`$SHELL 2>&1 -c '\''. $file; echo \$dlname'\''`~ dlpath=$dir/\$dldll~ $RM \$dlpath' shlibpath_overrides_runpath=yes case $host_os in cygwin*) # Cygwin DLLs use 'cyg' prefix rather than 'lib' soname_spec='`echo ${libname} | sed -e 's/^lib/cyg/'``echo ${release} | $SED -e 's/[[.]]/-/g'`${versuffix}${shared_ext}' m4_if([$1], [],[ sys_lib_search_path_spec="$sys_lib_search_path_spec /usr/lib/w32api"]) ;; mingw* | cegcc*) # MinGW DLLs use traditional 'lib' prefix soname_spec='${libname}`echo ${release} | $SED -e 's/[[.]]/-/g'`${versuffix}${shared_ext}' ;; pw32*) # pw32 DLLs use 'pw' prefix rather than 'lib' library_names_spec='`echo ${libname} | sed -e 's/^lib/pw/'``echo ${release} | $SED -e 's/[[.]]/-/g'`${versuffix}${shared_ext}' ;; esac dynamic_linker='Win32 ld.exe' ;; *,cl*) # Native MSVC libname_spec='$name' soname_spec='${libname}`echo ${release} | $SED -e 's/[[.]]/-/g'`${versuffix}${shared_ext}' library_names_spec='${libname}.dll.lib' case $build_os in mingw*) sys_lib_search_path_spec= lt_save_ifs=$IFS IFS=';' for lt_path in $LIB do IFS=$lt_save_ifs # Let DOS variable expansion print the short 8.3 style file name. lt_path=`cd "$lt_path" 2>/dev/null && cmd //C "for %i in (".") do @echo %~si"` sys_lib_search_path_spec="$sys_lib_search_path_spec $lt_path" done IFS=$lt_save_ifs # Convert to MSYS style. sys_lib_search_path_spec=`$ECHO "$sys_lib_search_path_spec" | sed -e 's|\\\\|/|g' -e 's| \\([[a-zA-Z]]\\):| /\\1|g' -e 's|^ ||'` ;; cygwin*) # Convert to unix form, then to dos form, then back to unix form # but this time dos style (no spaces!) so that the unix form looks # like /cygdrive/c/PROGRA~1:/cygdr... sys_lib_search_path_spec=`cygpath --path --unix "$LIB"` sys_lib_search_path_spec=`cygpath --path --dos "$sys_lib_search_path_spec" 2>/dev/null` sys_lib_search_path_spec=`cygpath --path --unix "$sys_lib_search_path_spec" | $SED -e "s/$PATH_SEPARATOR/ /g"` ;; *) sys_lib_search_path_spec="$LIB" if $ECHO "$sys_lib_search_path_spec" | [$GREP ';[c-zC-Z]:/' >/dev/null]; then # It is most probably a Windows format PATH. sys_lib_search_path_spec=`$ECHO "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'` else sys_lib_search_path_spec=`$ECHO "$sys_lib_search_path_spec" | $SED -e "s/$PATH_SEPARATOR/ /g"` fi # FIXME: find the short name or the path components, as spaces are # common. (e.g. "Program Files" -> "PROGRA~1") ;; esac # DLL is installed to $(libdir)/../bin by postinstall_cmds postinstall_cmds='base_file=`basename \${file}`~ dlpath=`$SHELL 2>&1 -c '\''. $dir/'\''\${base_file}'\''i; echo \$dlname'\''`~ dldir=$destdir/`dirname \$dlpath`~ test -d \$dldir || mkdir -p \$dldir~ $install_prog $dir/$dlname \$dldir/$dlname' postuninstall_cmds='dldll=`$SHELL 2>&1 -c '\''. $file; echo \$dlname'\''`~ dlpath=$dir/\$dldll~ $RM \$dlpath' shlibpath_overrides_runpath=yes dynamic_linker='Win32 link.exe' ;; *) # Assume MSVC wrapper library_names_spec='${libname}`echo ${release} | $SED -e 's/[[.]]/-/g'`${versuffix}${shared_ext} $libname.lib' dynamic_linker='Win32 ld.exe' ;; esac # FIXME: first we should search . and the directory the executable is in shlibpath_var=PATH ;; darwin* | rhapsody*) dynamic_linker="$host_os dyld" version_type=darwin need_lib_prefix=no need_version=no library_names_spec='${libname}${release}${major}$shared_ext ${libname}$shared_ext' soname_spec='${libname}${release}${major}$shared_ext' shlibpath_overrides_runpath=yes shlibpath_var=DYLD_LIBRARY_PATH shrext_cmds='`test .$module = .yes && echo .so || echo .dylib`' m4_if([$1], [],[ sys_lib_search_path_spec="$sys_lib_search_path_spec /usr/local/lib"]) sys_lib_dlsearch_path_spec='/usr/local/lib /lib /usr/lib' ;; dgux*) version_type=linux # correct to gnu/linux during the next big refactor need_lib_prefix=no need_version=no library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname$shared_ext' soname_spec='${libname}${release}${shared_ext}$major' shlibpath_var=LD_LIBRARY_PATH ;; freebsd* | dragonfly*) # DragonFly does not have aout. When/if they implement a new # versioning mechanism, adjust this. if test -x /usr/bin/objformat; then objformat=`/usr/bin/objformat` else case $host_os in freebsd[[23]].*) objformat=aout ;; *) objformat=elf ;; esac fi version_type=freebsd-$objformat case $version_type in freebsd-elf*) library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext} $libname${shared_ext}' need_version=no need_lib_prefix=no ;; freebsd-*) library_names_spec='${libname}${release}${shared_ext}$versuffix $libname${shared_ext}$versuffix' need_version=yes ;; esac shlibpath_var=LD_LIBRARY_PATH case $host_os in freebsd2.*) shlibpath_overrides_runpath=yes ;; freebsd3.[[01]]* | freebsdelf3.[[01]]*) shlibpath_overrides_runpath=yes hardcode_into_libs=yes ;; freebsd3.[[2-9]]* | freebsdelf3.[[2-9]]* | \ freebsd4.[[0-5]] | freebsdelf4.[[0-5]] | freebsd4.1.1 | freebsdelf4.1.1) shlibpath_overrides_runpath=no hardcode_into_libs=yes ;; *) # from 4.6 on, and DragonFly shlibpath_overrides_runpath=yes hardcode_into_libs=yes ;; esac ;; haiku*) version_type=linux # correct to gnu/linux during the next big refactor need_lib_prefix=no need_version=no dynamic_linker="$host_os runtime_loader" library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}${major} ${libname}${shared_ext}' soname_spec='${libname}${release}${shared_ext}$major' shlibpath_var=LIBRARY_PATH shlibpath_overrides_runpath=yes sys_lib_dlsearch_path_spec='/boot/home/config/lib /boot/common/lib /boot/system/lib' hardcode_into_libs=yes ;; hpux9* | hpux10* | hpux11*) # Give a soname corresponding to the major version so that dld.sl refuses to # link against other versions. version_type=sunos need_lib_prefix=no need_version=no case $host_cpu in ia64*) shrext_cmds='.so' hardcode_into_libs=yes dynamic_linker="$host_os dld.so" shlibpath_var=LD_LIBRARY_PATH shlibpath_overrides_runpath=yes # Unless +noenvvar is specified. library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' soname_spec='${libname}${release}${shared_ext}$major' if test "X$HPUX_IA64_MODE" = X32; then sys_lib_search_path_spec="/usr/lib/hpux32 /usr/local/lib/hpux32 /usr/local/lib" else sys_lib_search_path_spec="/usr/lib/hpux64 /usr/local/lib/hpux64" fi sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec ;; hppa*64*) shrext_cmds='.sl' hardcode_into_libs=yes dynamic_linker="$host_os dld.sl" shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH shlibpath_overrides_runpath=yes # Unless +noenvvar is specified. library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' soname_spec='${libname}${release}${shared_ext}$major' sys_lib_search_path_spec="/usr/lib/pa20_64 /usr/ccs/lib/pa20_64" sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec ;; *) shrext_cmds='.sl' dynamic_linker="$host_os dld.sl" shlibpath_var=SHLIB_PATH shlibpath_overrides_runpath=no # +s is required to enable SHLIB_PATH library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' soname_spec='${libname}${release}${shared_ext}$major' ;; esac # HP-UX runs *really* slowly unless shared libraries are mode 555, ... postinstall_cmds='chmod 555 $lib' # or fails outright, so override atomically: install_override_mode=555 ;; interix[[3-9]]*) version_type=linux # correct to gnu/linux during the next big refactor need_lib_prefix=no need_version=no library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}' soname_spec='${libname}${release}${shared_ext}$major' dynamic_linker='Interix 3.x ld.so.1 (PE, like ELF)' shlibpath_var=LD_LIBRARY_PATH shlibpath_overrides_runpath=no hardcode_into_libs=yes ;; irix5* | irix6* | nonstopux*) case $host_os in nonstopux*) version_type=nonstopux ;; *) if test "$lt_cv_prog_gnu_ld" = yes; then version_type=linux # correct to gnu/linux during the next big refactor else version_type=irix fi ;; esac need_lib_prefix=no need_version=no soname_spec='${libname}${release}${shared_ext}$major' library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext} $libname${shared_ext}' case $host_os in irix5* | nonstopux*) libsuff= shlibsuff= ;; *) case $LD in # libtool.m4 will add one of these switches to LD *-32|*"-32 "|*-melf32bsmip|*"-melf32bsmip ") libsuff= shlibsuff= libmagic=32-bit;; *-n32|*"-n32 "|*-melf32bmipn32|*"-melf32bmipn32 ") libsuff=32 shlibsuff=N32 libmagic=N32;; *-64|*"-64 "|*-melf64bmip|*"-melf64bmip ") libsuff=64 shlibsuff=64 libmagic=64-bit;; *) libsuff= shlibsuff= libmagic=never-match;; esac ;; esac shlibpath_var=LD_LIBRARY${shlibsuff}_PATH shlibpath_overrides_runpath=no sys_lib_search_path_spec="/usr/lib${libsuff} /lib${libsuff} /usr/local/lib${libsuff}" sys_lib_dlsearch_path_spec="/usr/lib${libsuff} /lib${libsuff}" hardcode_into_libs=yes ;; # No shared lib support for Linux oldld, aout, or coff. linux*oldld* | linux*aout* | linux*coff*) dynamic_linker=no ;; # This must be glibc/ELF. linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*) version_type=linux # correct to gnu/linux during the next big refactor need_lib_prefix=no need_version=no library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' soname_spec='${libname}${release}${shared_ext}$major' finish_cmds='PATH="\$PATH:/sbin" ldconfig -n $libdir' shlibpath_var=LD_LIBRARY_PATH shlibpath_overrides_runpath=no # Some binutils ld are patched to set DT_RUNPATH AC_CACHE_VAL([lt_cv_shlibpath_overrides_runpath], [lt_cv_shlibpath_overrides_runpath=no save_LDFLAGS=$LDFLAGS save_libdir=$libdir eval "libdir=/foo; wl=\"$_LT_TAGVAR(lt_prog_compiler_wl, $1)\"; \ LDFLAGS=\"\$LDFLAGS $_LT_TAGVAR(hardcode_libdir_flag_spec, $1)\"" AC_LINK_IFELSE([AC_LANG_PROGRAM([],[])], [AS_IF([ ($OBJDUMP -p conftest$ac_exeext) 2>/dev/null | grep "RUNPATH.*$libdir" >/dev/null], [lt_cv_shlibpath_overrides_runpath=yes])]) LDFLAGS=$save_LDFLAGS libdir=$save_libdir ]) shlibpath_overrides_runpath=$lt_cv_shlibpath_overrides_runpath # This implies no fast_install, which is unacceptable. # Some rework will be needed to allow for fast_install # before this can be enabled. hardcode_into_libs=yes # Append ld.so.conf contents to the search path if test -f /etc/ld.so.conf; then lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \[$]2)); skip = 1; } { if (!skip) print \[$]0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ ]*hwcap[ ]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;s/"//g;/^$/d' | tr '\n' ' '` sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra" fi # We used to test for /lib/ld.so.1 and disable shared libraries on # powerpc, because MkLinux only supported shared libraries with the # GNU dynamic linker. Since this was broken with cross compilers, # most powerpc-linux boxes support dynamic linking these days and # people can always --disable-shared, the test was removed, and we # assume the GNU/Linux dynamic linker is in use. dynamic_linker='GNU/Linux ld.so' ;; netbsdelf*-gnu) version_type=linux need_lib_prefix=no need_version=no library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}' soname_spec='${libname}${release}${shared_ext}$major' shlibpath_var=LD_LIBRARY_PATH shlibpath_overrides_runpath=no hardcode_into_libs=yes dynamic_linker='NetBSD ld.elf_so' ;; netbsd*) version_type=sunos need_lib_prefix=no need_version=no if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix' finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir' dynamic_linker='NetBSD (a.out) ld.so' else library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}' soname_spec='${libname}${release}${shared_ext}$major' dynamic_linker='NetBSD ld.elf_so' fi shlibpath_var=LD_LIBRARY_PATH shlibpath_overrides_runpath=yes hardcode_into_libs=yes ;; newsos6) version_type=linux # correct to gnu/linux during the next big refactor library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' shlibpath_var=LD_LIBRARY_PATH shlibpath_overrides_runpath=yes ;; *nto* | *qnx*) version_type=qnx need_lib_prefix=no need_version=no library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' soname_spec='${libname}${release}${shared_ext}$major' shlibpath_var=LD_LIBRARY_PATH shlibpath_overrides_runpath=no hardcode_into_libs=yes dynamic_linker='ldqnx.so' ;; openbsd*) version_type=sunos sys_lib_dlsearch_path_spec="/usr/lib" need_lib_prefix=no # Some older versions of OpenBSD (3.3 at least) *do* need versioned libs. case $host_os in openbsd3.3 | openbsd3.3.*) need_version=yes ;; *) need_version=no ;; esac library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix' finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir' shlibpath_var=LD_LIBRARY_PATH if test -z "`echo __ELF__ | $CC -E - | $GREP __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then case $host_os in openbsd2.[[89]] | openbsd2.[[89]].*) shlibpath_overrides_runpath=no ;; *) shlibpath_overrides_runpath=yes ;; esac else shlibpath_overrides_runpath=yes fi ;; os2*) libname_spec='$name' shrext_cmds=".dll" need_lib_prefix=no library_names_spec='$libname${shared_ext} $libname.a' dynamic_linker='OS/2 ld.exe' shlibpath_var=LIBPATH ;; osf3* | osf4* | osf5*) version_type=osf need_lib_prefix=no need_version=no soname_spec='${libname}${release}${shared_ext}$major' library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' shlibpath_var=LD_LIBRARY_PATH sys_lib_search_path_spec="/usr/shlib /usr/ccs/lib /usr/lib/cmplrs/cc /usr/lib /usr/local/lib /var/shlib" sys_lib_dlsearch_path_spec="$sys_lib_search_path_spec" ;; rdos*) dynamic_linker=no ;; solaris*) version_type=linux # correct to gnu/linux during the next big refactor need_lib_prefix=no need_version=no library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' soname_spec='${libname}${release}${shared_ext}$major' shlibpath_var=LD_LIBRARY_PATH shlibpath_overrides_runpath=yes hardcode_into_libs=yes # ldd complains unless libraries are executable postinstall_cmds='chmod +x $lib' ;; sunos4*) version_type=sunos library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix' finish_cmds='PATH="\$PATH:/usr/etc" ldconfig $libdir' shlibpath_var=LD_LIBRARY_PATH shlibpath_overrides_runpath=yes if test "$with_gnu_ld" = yes; then need_lib_prefix=no fi need_version=yes ;; sysv4 | sysv4.3*) version_type=linux # correct to gnu/linux during the next big refactor library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' soname_spec='${libname}${release}${shared_ext}$major' shlibpath_var=LD_LIBRARY_PATH case $host_vendor in sni) shlibpath_overrides_runpath=no need_lib_prefix=no runpath_var=LD_RUN_PATH ;; siemens) need_lib_prefix=no ;; motorola) need_lib_prefix=no need_version=no shlibpath_overrides_runpath=no sys_lib_search_path_spec='/lib /usr/lib /usr/ccs/lib' ;; esac ;; sysv4*MP*) if test -d /usr/nec ;then version_type=linux # correct to gnu/linux during the next big refactor library_names_spec='$libname${shared_ext}.$versuffix $libname${shared_ext}.$major $libname${shared_ext}' soname_spec='$libname${shared_ext}.$major' shlibpath_var=LD_LIBRARY_PATH fi ;; sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*) version_type=freebsd-elf need_lib_prefix=no need_version=no library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext} $libname${shared_ext}' soname_spec='${libname}${release}${shared_ext}$major' shlibpath_var=LD_LIBRARY_PATH shlibpath_overrides_runpath=yes hardcode_into_libs=yes if test "$with_gnu_ld" = yes; then sys_lib_search_path_spec='/usr/local/lib /usr/gnu/lib /usr/ccs/lib /usr/lib /lib' else sys_lib_search_path_spec='/usr/ccs/lib /usr/lib' case $host_os in sco3.2v5*) sys_lib_search_path_spec="$sys_lib_search_path_spec /lib" ;; esac fi sys_lib_dlsearch_path_spec='/usr/lib' ;; tpf*) # TPF is a cross-target only. Preferred cross-host = GNU/Linux. version_type=linux # correct to gnu/linux during the next big refactor need_lib_prefix=no need_version=no library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' shlibpath_var=LD_LIBRARY_PATH shlibpath_overrides_runpath=no hardcode_into_libs=yes ;; uts4*) version_type=linux # correct to gnu/linux during the next big refactor library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' soname_spec='${libname}${release}${shared_ext}$major' shlibpath_var=LD_LIBRARY_PATH ;; *) dynamic_linker=no ;; esac AC_MSG_RESULT([$dynamic_linker]) test "$dynamic_linker" = no && can_build_shared=no variables_saved_for_relink="PATH $shlibpath_var $runpath_var" if test "$GCC" = yes; then variables_saved_for_relink="$variables_saved_for_relink GCC_EXEC_PREFIX COMPILER_PATH LIBRARY_PATH" fi if test "${lt_cv_sys_lib_search_path_spec+set}" = set; then sys_lib_search_path_spec="$lt_cv_sys_lib_search_path_spec" fi if test "${lt_cv_sys_lib_dlsearch_path_spec+set}" = set; then sys_lib_dlsearch_path_spec="$lt_cv_sys_lib_dlsearch_path_spec" fi _LT_DECL([], [variables_saved_for_relink], [1], [Variables whose values should be saved in libtool wrapper scripts and restored at link time]) _LT_DECL([], [need_lib_prefix], [0], [Do we need the "lib" prefix for modules?]) _LT_DECL([], [need_version], [0], [Do we need a version for libraries?]) _LT_DECL([], [version_type], [0], [Library versioning type]) _LT_DECL([], [runpath_var], [0], [Shared library runtime path variable]) _LT_DECL([], [shlibpath_var], [0],[Shared library path variable]) _LT_DECL([], [shlibpath_overrides_runpath], [0], [Is shlibpath searched before the hard-coded library search path?]) _LT_DECL([], [libname_spec], [1], [Format of library name prefix]) _LT_DECL([], [library_names_spec], [1], [[List of archive names. First name is the real one, the rest are links. The last name is the one that the linker finds with -lNAME]]) _LT_DECL([], [soname_spec], [1], [[The coded name of the library, if different from the real name]]) _LT_DECL([], [install_override_mode], [1], [Permission mode override for installation of shared libraries]) _LT_DECL([], [postinstall_cmds], [2], [Command to use after installation of a shared archive]) _LT_DECL([], [postuninstall_cmds], [2], [Command to use after uninstallation of a shared archive]) _LT_DECL([], [finish_cmds], [2], [Commands used to finish a libtool library installation in a directory]) _LT_DECL([], [finish_eval], [1], [[As "finish_cmds", except a single script fragment to be evaled but not shown]]) _LT_DECL([], [hardcode_into_libs], [0], [Whether we should hardcode library paths into libraries]) _LT_DECL([], [sys_lib_search_path_spec], [2], [Compile-time system search path for libraries]) _LT_DECL([], [sys_lib_dlsearch_path_spec], [2], [Run-time system search path for libraries]) ])# _LT_SYS_DYNAMIC_LINKER # _LT_PATH_TOOL_PREFIX(TOOL) # -------------------------- # find a file program which can recognize shared library AC_DEFUN([_LT_PATH_TOOL_PREFIX], [m4_require([_LT_DECL_EGREP])dnl AC_MSG_CHECKING([for $1]) AC_CACHE_VAL(lt_cv_path_MAGIC_CMD, [case $MAGIC_CMD in [[\\/*] | ?:[\\/]*]) lt_cv_path_MAGIC_CMD="$MAGIC_CMD" # Let the user override the test with a path. ;; *) lt_save_MAGIC_CMD="$MAGIC_CMD" lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR dnl $ac_dummy forces splitting on constant user-supplied paths. dnl POSIX.2 word splitting is done only on the output of word expansions, dnl not every word. This closes a longstanding sh security hole. ac_dummy="m4_if([$2], , $PATH, [$2])" for ac_dir in $ac_dummy; do IFS="$lt_save_ifs" test -z "$ac_dir" && ac_dir=. if test -f $ac_dir/$1; then lt_cv_path_MAGIC_CMD="$ac_dir/$1" if test -n "$file_magic_test_file"; then case $deplibs_check_method in "file_magic "*) file_magic_regex=`expr "$deplibs_check_method" : "file_magic \(.*\)"` MAGIC_CMD="$lt_cv_path_MAGIC_CMD" if eval $file_magic_cmd \$file_magic_test_file 2> /dev/null | $EGREP "$file_magic_regex" > /dev/null; then : else cat <<_LT_EOF 1>&2 *** Warning: the command libtool uses to detect shared libraries, *** $file_magic_cmd, produces output that libtool cannot recognize. *** The result is that libtool may fail to recognize shared libraries *** as such. This will affect the creation of libtool libraries that *** depend on shared libraries, but programs linked with such libtool *** libraries will work regardless of this problem. Nevertheless, you *** may want to report the problem to your system manager and/or to *** bug-libtool@gnu.org _LT_EOF fi ;; esac fi break fi done IFS="$lt_save_ifs" MAGIC_CMD="$lt_save_MAGIC_CMD" ;; esac]) MAGIC_CMD="$lt_cv_path_MAGIC_CMD" if test -n "$MAGIC_CMD"; then AC_MSG_RESULT($MAGIC_CMD) else AC_MSG_RESULT(no) fi _LT_DECL([], [MAGIC_CMD], [0], [Used to examine libraries when file_magic_cmd begins with "file"])dnl ])# _LT_PATH_TOOL_PREFIX # Old name: AU_ALIAS([AC_PATH_TOOL_PREFIX], [_LT_PATH_TOOL_PREFIX]) dnl aclocal-1.4 backwards compatibility: dnl AC_DEFUN([AC_PATH_TOOL_PREFIX], []) # _LT_PATH_MAGIC # -------------- # find a file program which can recognize a shared library m4_defun([_LT_PATH_MAGIC], [_LT_PATH_TOOL_PREFIX(${ac_tool_prefix}file, /usr/bin$PATH_SEPARATOR$PATH) if test -z "$lt_cv_path_MAGIC_CMD"; then if test -n "$ac_tool_prefix"; then _LT_PATH_TOOL_PREFIX(file, /usr/bin$PATH_SEPARATOR$PATH) else MAGIC_CMD=: fi fi ])# _LT_PATH_MAGIC # LT_PATH_LD # ---------- # find the pathname to the GNU or non-GNU linker AC_DEFUN([LT_PATH_LD], [AC_REQUIRE([AC_PROG_CC])dnl AC_REQUIRE([AC_CANONICAL_HOST])dnl AC_REQUIRE([AC_CANONICAL_BUILD])dnl m4_require([_LT_DECL_SED])dnl m4_require([_LT_DECL_EGREP])dnl m4_require([_LT_PROG_ECHO_BACKSLASH])dnl AC_ARG_WITH([gnu-ld], [AS_HELP_STRING([--with-gnu-ld], [assume the C compiler uses GNU ld @<:@default=no@:>@])], [test "$withval" = no || with_gnu_ld=yes], [with_gnu_ld=no])dnl ac_prog=ld if test "$GCC" = yes; then # Check if gcc -print-prog-name=ld gives a path. AC_MSG_CHECKING([for ld used by $CC]) case $host in *-*-mingw*) # gcc leaves a trailing carriage return which upsets mingw ac_prog=`($CC -print-prog-name=ld) 2>&5 | tr -d '\015'` ;; *) ac_prog=`($CC -print-prog-name=ld) 2>&5` ;; esac case $ac_prog in # Accept absolute paths. [[\\/]]* | ?:[[\\/]]*) re_direlt='/[[^/]][[^/]]*/\.\./' # Canonicalize the pathname of ld ac_prog=`$ECHO "$ac_prog"| $SED 's%\\\\%/%g'` while $ECHO "$ac_prog" | $GREP "$re_direlt" > /dev/null 2>&1; do ac_prog=`$ECHO $ac_prog| $SED "s%$re_direlt%/%"` done test -z "$LD" && LD="$ac_prog" ;; "") # If it fails, then pretend we aren't using GCC. ac_prog=ld ;; *) # If it is relative, then search for the first ld in PATH. with_gnu_ld=unknown ;; esac elif test "$with_gnu_ld" = yes; then AC_MSG_CHECKING([for GNU ld]) else AC_MSG_CHECKING([for non-GNU ld]) fi AC_CACHE_VAL(lt_cv_path_LD, [if test -z "$LD"; then lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR for ac_dir in $PATH; do IFS="$lt_save_ifs" test -z "$ac_dir" && ac_dir=. if test -f "$ac_dir/$ac_prog" || test -f "$ac_dir/$ac_prog$ac_exeext"; then lt_cv_path_LD="$ac_dir/$ac_prog" # Check to see if the program is GNU ld. I'd rather use --version, # but apparently some variants of GNU ld only accept -v. # Break only if it was the GNU/non-GNU ld that we prefer. case `"$lt_cv_path_LD" -v 2>&1 &1 /dev/null 2>&1; then lt_cv_deplibs_check_method='file_magic ^x86 archive import|^x86 DLL' lt_cv_file_magic_cmd='func_win32_libid' else # Keep this pattern in sync with the one in func_win32_libid. lt_cv_deplibs_check_method='file_magic file format (pei*-i386(.*architecture: i386)?|pe-arm-wince|pe-x86-64)' lt_cv_file_magic_cmd='$OBJDUMP -f' fi ;; cegcc*) # use the weaker test based on 'objdump'. See mingw*. lt_cv_deplibs_check_method='file_magic file format pe-arm-.*little(.*architecture: arm)?' lt_cv_file_magic_cmd='$OBJDUMP -f' ;; darwin* | rhapsody*) lt_cv_deplibs_check_method=pass_all ;; freebsd* | dragonfly*) if echo __ELF__ | $CC -E - | $GREP __ELF__ > /dev/null; then case $host_cpu in i*86 ) # Not sure whether the presence of OpenBSD here was a mistake. # Let's accept both of them until this is cleared up. lt_cv_deplibs_check_method='file_magic (FreeBSD|OpenBSD|DragonFly)/i[[3-9]]86 (compact )?demand paged shared library' lt_cv_file_magic_cmd=/usr/bin/file lt_cv_file_magic_test_file=`echo /usr/lib/libc.so.*` ;; esac else lt_cv_deplibs_check_method=pass_all fi ;; haiku*) lt_cv_deplibs_check_method=pass_all ;; hpux10.20* | hpux11*) lt_cv_file_magic_cmd=/usr/bin/file case $host_cpu in ia64*) lt_cv_deplibs_check_method='file_magic (s[[0-9]][[0-9]][[0-9]]|ELF-[[0-9]][[0-9]]) shared object file - IA64' lt_cv_file_magic_test_file=/usr/lib/hpux32/libc.so ;; hppa*64*) [lt_cv_deplibs_check_method='file_magic (s[0-9][0-9][0-9]|ELF[ -][0-9][0-9])(-bit)?( [LM]SB)? shared object( file)?[, -]* PA-RISC [0-9]\.[0-9]'] lt_cv_file_magic_test_file=/usr/lib/pa20_64/libc.sl ;; *) lt_cv_deplibs_check_method='file_magic (s[[0-9]][[0-9]][[0-9]]|PA-RISC[[0-9]]\.[[0-9]]) shared library' lt_cv_file_magic_test_file=/usr/lib/libc.sl ;; esac ;; interix[[3-9]]*) # PIC code is broken on Interix 3.x, that's why |\.a not |_pic\.a here lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so|\.a)$' ;; irix5* | irix6* | nonstopux*) case $LD in *-32|*"-32 ") libmagic=32-bit;; *-n32|*"-n32 ") libmagic=N32;; *-64|*"-64 ") libmagic=64-bit;; *) libmagic=never-match;; esac lt_cv_deplibs_check_method=pass_all ;; # This must be glibc/ELF. linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*) lt_cv_deplibs_check_method=pass_all ;; netbsd* | netbsdelf*-gnu) if echo __ELF__ | $CC -E - | $GREP __ELF__ > /dev/null; then lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so\.[[0-9]]+\.[[0-9]]+|_pic\.a)$' else lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so|_pic\.a)$' fi ;; newos6*) lt_cv_deplibs_check_method='file_magic ELF [[0-9]][[0-9]]*-bit [[ML]]SB (executable|dynamic lib)' lt_cv_file_magic_cmd=/usr/bin/file lt_cv_file_magic_test_file=/usr/lib/libnls.so ;; *nto* | *qnx*) lt_cv_deplibs_check_method=pass_all ;; openbsd*) if test -z "`echo __ELF__ | $CC -E - | $GREP __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so\.[[0-9]]+\.[[0-9]]+|\.so|_pic\.a)$' else lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so\.[[0-9]]+\.[[0-9]]+|_pic\.a)$' fi ;; osf3* | osf4* | osf5*) lt_cv_deplibs_check_method=pass_all ;; rdos*) lt_cv_deplibs_check_method=pass_all ;; solaris*) lt_cv_deplibs_check_method=pass_all ;; sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*) lt_cv_deplibs_check_method=pass_all ;; sysv4 | sysv4.3*) case $host_vendor in motorola) lt_cv_deplibs_check_method='file_magic ELF [[0-9]][[0-9]]*-bit [[ML]]SB (shared object|dynamic lib) M[[0-9]][[0-9]]* Version [[0-9]]' lt_cv_file_magic_test_file=`echo /usr/lib/libc.so*` ;; ncr) lt_cv_deplibs_check_method=pass_all ;; sequent) lt_cv_file_magic_cmd='/bin/file' lt_cv_deplibs_check_method='file_magic ELF [[0-9]][[0-9]]*-bit [[LM]]SB (shared object|dynamic lib )' ;; sni) lt_cv_file_magic_cmd='/bin/file' lt_cv_deplibs_check_method="file_magic ELF [[0-9]][[0-9]]*-bit [[LM]]SB dynamic lib" lt_cv_file_magic_test_file=/lib/libc.so ;; siemens) lt_cv_deplibs_check_method=pass_all ;; pc) lt_cv_deplibs_check_method=pass_all ;; esac ;; tpf*) lt_cv_deplibs_check_method=pass_all ;; esac ]) file_magic_glob= want_nocaseglob=no if test "$build" = "$host"; then case $host_os in mingw* | pw32*) if ( shopt | grep nocaseglob ) >/dev/null 2>&1; then want_nocaseglob=yes else file_magic_glob=`echo aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ | $SED -e "s/\(..\)/s\/[[\1]]\/[[\1]]\/g;/g"` fi ;; esac fi file_magic_cmd=$lt_cv_file_magic_cmd deplibs_check_method=$lt_cv_deplibs_check_method test -z "$deplibs_check_method" && deplibs_check_method=unknown _LT_DECL([], [deplibs_check_method], [1], [Method to check whether dependent libraries are shared objects]) _LT_DECL([], [file_magic_cmd], [1], [Command to use when deplibs_check_method = "file_magic"]) _LT_DECL([], [file_magic_glob], [1], [How to find potential files when deplibs_check_method = "file_magic"]) _LT_DECL([], [want_nocaseglob], [1], [Find potential files using nocaseglob when deplibs_check_method = "file_magic"]) ])# _LT_CHECK_MAGIC_METHOD # LT_PATH_NM # ---------- # find the pathname to a BSD- or MS-compatible name lister AC_DEFUN([LT_PATH_NM], [AC_REQUIRE([AC_PROG_CC])dnl AC_CACHE_CHECK([for BSD- or MS-compatible name lister (nm)], lt_cv_path_NM, [if test -n "$NM"; then # Let the user override the test. lt_cv_path_NM="$NM" else lt_nm_to_check="${ac_tool_prefix}nm" if test -n "$ac_tool_prefix" && test "$build" = "$host"; then lt_nm_to_check="$lt_nm_to_check nm" fi for lt_tmp_nm in $lt_nm_to_check; do lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR for ac_dir in $PATH /usr/ccs/bin/elf /usr/ccs/bin /usr/ucb /bin; do IFS="$lt_save_ifs" test -z "$ac_dir" && ac_dir=. tmp_nm="$ac_dir/$lt_tmp_nm" if test -f "$tmp_nm" || test -f "$tmp_nm$ac_exeext" ; then # Check to see if the nm accepts a BSD-compat flag. # Adding the `sed 1q' prevents false positives on HP-UX, which says: # nm: unknown option "B" ignored # Tru64's nm complains that /dev/null is an invalid object file case `"$tmp_nm" -B /dev/null 2>&1 | sed '1q'` in */dev/null* | *'Invalid file or object type'*) lt_cv_path_NM="$tmp_nm -B" break ;; *) case `"$tmp_nm" -p /dev/null 2>&1 | sed '1q'` in */dev/null*) lt_cv_path_NM="$tmp_nm -p" break ;; *) lt_cv_path_NM=${lt_cv_path_NM="$tmp_nm"} # keep the first match, but continue # so that we can try to find one that supports BSD flags ;; esac ;; esac fi done IFS="$lt_save_ifs" done : ${lt_cv_path_NM=no} fi]) if test "$lt_cv_path_NM" != "no"; then NM="$lt_cv_path_NM" else # Didn't find any BSD compatible name lister, look for dumpbin. if test -n "$DUMPBIN"; then : # Let the user override the test. else AC_CHECK_TOOLS(DUMPBIN, [dumpbin "link -dump"], :) case `$DUMPBIN -symbols /dev/null 2>&1 | sed '1q'` in *COFF*) DUMPBIN="$DUMPBIN -symbols" ;; *) DUMPBIN=: ;; esac fi AC_SUBST([DUMPBIN]) if test "$DUMPBIN" != ":"; then NM="$DUMPBIN" fi fi test -z "$NM" && NM=nm AC_SUBST([NM]) _LT_DECL([], [NM], [1], [A BSD- or MS-compatible name lister])dnl AC_CACHE_CHECK([the name lister ($NM) interface], [lt_cv_nm_interface], [lt_cv_nm_interface="BSD nm" echo "int some_variable = 0;" > conftest.$ac_ext (eval echo "\"\$as_me:$LINENO: $ac_compile\"" >&AS_MESSAGE_LOG_FD) (eval "$ac_compile" 2>conftest.err) cat conftest.err >&AS_MESSAGE_LOG_FD (eval echo "\"\$as_me:$LINENO: $NM \\\"conftest.$ac_objext\\\"\"" >&AS_MESSAGE_LOG_FD) (eval "$NM \"conftest.$ac_objext\"" 2>conftest.err > conftest.out) cat conftest.err >&AS_MESSAGE_LOG_FD (eval echo "\"\$as_me:$LINENO: output\"" >&AS_MESSAGE_LOG_FD) cat conftest.out >&AS_MESSAGE_LOG_FD if $GREP 'External.*some_variable' conftest.out > /dev/null; then lt_cv_nm_interface="MS dumpbin" fi rm -f conftest*]) ])# LT_PATH_NM # Old names: AU_ALIAS([AM_PROG_NM], [LT_PATH_NM]) AU_ALIAS([AC_PROG_NM], [LT_PATH_NM]) dnl aclocal-1.4 backwards compatibility: dnl AC_DEFUN([AM_PROG_NM], []) dnl AC_DEFUN([AC_PROG_NM], []) # _LT_CHECK_SHAREDLIB_FROM_LINKLIB # -------------------------------- # how to determine the name of the shared library # associated with a specific link library. # -- PORTME fill in with the dynamic library characteristics m4_defun([_LT_CHECK_SHAREDLIB_FROM_LINKLIB], [m4_require([_LT_DECL_EGREP]) m4_require([_LT_DECL_OBJDUMP]) m4_require([_LT_DECL_DLLTOOL]) AC_CACHE_CHECK([how to associate runtime and link libraries], lt_cv_sharedlib_from_linklib_cmd, [lt_cv_sharedlib_from_linklib_cmd='unknown' case $host_os in cygwin* | mingw* | pw32* | cegcc*) # two different shell functions defined in ltmain.sh # decide which to use based on capabilities of $DLLTOOL case `$DLLTOOL --help 2>&1` in *--identify-strict*) lt_cv_sharedlib_from_linklib_cmd=func_cygming_dll_for_implib ;; *) lt_cv_sharedlib_from_linklib_cmd=func_cygming_dll_for_implib_fallback ;; esac ;; *) # fallback: assume linklib IS sharedlib lt_cv_sharedlib_from_linklib_cmd="$ECHO" ;; esac ]) sharedlib_from_linklib_cmd=$lt_cv_sharedlib_from_linklib_cmd test -z "$sharedlib_from_linklib_cmd" && sharedlib_from_linklib_cmd=$ECHO _LT_DECL([], [sharedlib_from_linklib_cmd], [1], [Command to associate shared and link libraries]) ])# _LT_CHECK_SHAREDLIB_FROM_LINKLIB # _LT_PATH_MANIFEST_TOOL # ---------------------- # locate the manifest tool m4_defun([_LT_PATH_MANIFEST_TOOL], [AC_CHECK_TOOL(MANIFEST_TOOL, mt, :) test -z "$MANIFEST_TOOL" && MANIFEST_TOOL=mt AC_CACHE_CHECK([if $MANIFEST_TOOL is a manifest tool], [lt_cv_path_mainfest_tool], [lt_cv_path_mainfest_tool=no echo "$as_me:$LINENO: $MANIFEST_TOOL '-?'" >&AS_MESSAGE_LOG_FD $MANIFEST_TOOL '-?' 2>conftest.err > conftest.out cat conftest.err >&AS_MESSAGE_LOG_FD if $GREP 'Manifest Tool' conftest.out > /dev/null; then lt_cv_path_mainfest_tool=yes fi rm -f conftest*]) if test "x$lt_cv_path_mainfest_tool" != xyes; then MANIFEST_TOOL=: fi _LT_DECL([], [MANIFEST_TOOL], [1], [Manifest tool])dnl ])# _LT_PATH_MANIFEST_TOOL # LT_LIB_M # -------- # check for math library AC_DEFUN([LT_LIB_M], [AC_REQUIRE([AC_CANONICAL_HOST])dnl LIBM= case $host in *-*-beos* | *-*-cegcc* | *-*-cygwin* | *-*-haiku* | *-*-pw32* | *-*-darwin*) # These system don't have libm, or don't need it ;; *-ncr-sysv4.3*) AC_CHECK_LIB(mw, _mwvalidcheckl, LIBM="-lmw") AC_CHECK_LIB(m, cos, LIBM="$LIBM -lm") ;; *) AC_CHECK_LIB(m, cos, LIBM="-lm") ;; esac AC_SUBST([LIBM]) ])# LT_LIB_M # Old name: AU_ALIAS([AC_CHECK_LIBM], [LT_LIB_M]) dnl aclocal-1.4 backwards compatibility: dnl AC_DEFUN([AC_CHECK_LIBM], []) # _LT_COMPILER_NO_RTTI([TAGNAME]) # ------------------------------- m4_defun([_LT_COMPILER_NO_RTTI], [m4_require([_LT_TAG_COMPILER])dnl _LT_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)= if test "$GCC" = yes; then case $cc_basename in nvcc*) _LT_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)=' -Xcompiler -fno-builtin' ;; *) _LT_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)=' -fno-builtin' ;; esac _LT_COMPILER_OPTION([if $compiler supports -fno-rtti -fno-exceptions], lt_cv_prog_compiler_rtti_exceptions, [-fno-rtti -fno-exceptions], [], [_LT_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)="$_LT_TAGVAR(lt_prog_compiler_no_builtin_flag, $1) -fno-rtti -fno-exceptions"]) fi _LT_TAGDECL([no_builtin_flag], [lt_prog_compiler_no_builtin_flag], [1], [Compiler flag to turn off builtin functions]) ])# _LT_COMPILER_NO_RTTI # _LT_CMD_GLOBAL_SYMBOLS # ---------------------- m4_defun([_LT_CMD_GLOBAL_SYMBOLS], [AC_REQUIRE([AC_CANONICAL_HOST])dnl AC_REQUIRE([AC_PROG_CC])dnl AC_REQUIRE([AC_PROG_AWK])dnl AC_REQUIRE([LT_PATH_NM])dnl AC_REQUIRE([LT_PATH_LD])dnl m4_require([_LT_DECL_SED])dnl m4_require([_LT_DECL_EGREP])dnl m4_require([_LT_TAG_COMPILER])dnl # Check for command to grab the raw symbol name followed by C symbol from nm. AC_MSG_CHECKING([command to parse $NM output from $compiler object]) AC_CACHE_VAL([lt_cv_sys_global_symbol_pipe], [ # These are sane defaults that work on at least a few old systems. # [They come from Ultrix. What could be older than Ultrix?!! ;)] # Character class describing NM global symbol codes. symcode='[[BCDEGRST]]' # Regexp to match symbols that can be accessed directly from C. sympat='\([[_A-Za-z]][[_A-Za-z0-9]]*\)' # Define system-specific variables. case $host_os in aix*) symcode='[[BCDT]]' ;; cygwin* | mingw* | pw32* | cegcc*) symcode='[[ABCDGISTW]]' ;; hpux*) if test "$host_cpu" = ia64; then symcode='[[ABCDEGRST]]' fi ;; irix* | nonstopux*) symcode='[[BCDEGRST]]' ;; osf*) symcode='[[BCDEGQRST]]' ;; solaris*) symcode='[[BDRT]]' ;; sco3.2v5*) symcode='[[DT]]' ;; sysv4.2uw2*) symcode='[[DT]]' ;; sysv5* | sco5v6* | unixware* | OpenUNIX*) symcode='[[ABDT]]' ;; sysv4) symcode='[[DFNSTU]]' ;; esac # If we're using GNU nm, then use its standard symbol codes. case `$NM -V 2>&1` in *GNU* | *'with BFD'*) symcode='[[ABCDGIRSTW]]' ;; esac # Transform an extracted symbol line into a proper C declaration. # Some systems (esp. on ia64) link data and code symbols differently, # so use this general approach. lt_cv_sys_global_symbol_to_cdecl="sed -n -e 's/^T .* \(.*\)$/extern int \1();/p' -e 's/^$symcode* .* \(.*\)$/extern char \1;/p'" # Transform an extracted symbol line into symbol name and symbol address lt_cv_sys_global_symbol_to_c_name_address="sed -n -e 's/^: \([[^ ]]*\)[[ ]]*$/ {\\\"\1\\\", (void *) 0},/p' -e 's/^$symcode* \([[^ ]]*\) \([[^ ]]*\)$/ {\"\2\", (void *) \&\2},/p'" lt_cv_sys_global_symbol_to_c_name_address_lib_prefix="sed -n -e 's/^: \([[^ ]]*\)[[ ]]*$/ {\\\"\1\\\", (void *) 0},/p' -e 's/^$symcode* \([[^ ]]*\) \(lib[[^ ]]*\)$/ {\"\2\", (void *) \&\2},/p' -e 's/^$symcode* \([[^ ]]*\) \([[^ ]]*\)$/ {\"lib\2\", (void *) \&\2},/p'" # Handle CRLF in mingw tool chain opt_cr= case $build_os in mingw*) opt_cr=`$ECHO 'x\{0,1\}' | tr x '\015'` # option cr in regexp ;; esac # Try without a prefix underscore, then with it. for ac_symprfx in "" "_"; do # Transform symcode, sympat, and symprfx into a raw symbol and a C symbol. symxfrm="\\1 $ac_symprfx\\2 \\2" # Write the raw and C identifiers. if test "$lt_cv_nm_interface" = "MS dumpbin"; then # Fake it for dumpbin and say T for any non-static function # and D for any global variable. # Also find C++ and __fastcall symbols from MSVC++, # which start with @ or ?. lt_cv_sys_global_symbol_pipe="$AWK ['"\ " {last_section=section; section=\$ 3};"\ " /^COFF SYMBOL TABLE/{for(i in hide) delete hide[i]};"\ " /Section length .*#relocs.*(pick any)/{hide[last_section]=1};"\ " \$ 0!~/External *\|/{next};"\ " / 0+ UNDEF /{next}; / UNDEF \([^|]\)*()/{next};"\ " {if(hide[section]) next};"\ " {f=0}; \$ 0~/\(\).*\|/{f=1}; {printf f ? \"T \" : \"D \"};"\ " {split(\$ 0, a, /\||\r/); split(a[2], s)};"\ " s[1]~/^[@?]/{print s[1], s[1]; next};"\ " s[1]~prfx {split(s[1],t,\"@\"); print t[1], substr(t[1],length(prfx))}"\ " ' prfx=^$ac_symprfx]" else lt_cv_sys_global_symbol_pipe="sed -n -e 's/^.*[[ ]]\($symcode$symcode*\)[[ ]][[ ]]*$ac_symprfx$sympat$opt_cr$/$symxfrm/p'" fi lt_cv_sys_global_symbol_pipe="$lt_cv_sys_global_symbol_pipe | sed '/ __gnu_lto/d'" # Check to see that the pipe works correctly. pipe_works=no rm -f conftest* cat > conftest.$ac_ext <<_LT_EOF #ifdef __cplusplus extern "C" { #endif char nm_test_var; void nm_test_func(void); void nm_test_func(void){} #ifdef __cplusplus } #endif int main(){nm_test_var='a';nm_test_func();return(0);} _LT_EOF if AC_TRY_EVAL(ac_compile); then # Now try to grab the symbols. nlist=conftest.nm if AC_TRY_EVAL(NM conftest.$ac_objext \| "$lt_cv_sys_global_symbol_pipe" \> $nlist) && test -s "$nlist"; then # Try sorting and uniquifying the output. if sort "$nlist" | uniq > "$nlist"T; then mv -f "$nlist"T "$nlist" else rm -f "$nlist"T fi # Make sure that we snagged all the symbols we need. if $GREP ' nm_test_var$' "$nlist" >/dev/null; then if $GREP ' nm_test_func$' "$nlist" >/dev/null; then cat <<_LT_EOF > conftest.$ac_ext /* Keep this code in sync between libtool.m4, ltmain, lt_system.h, and tests. */ #if defined(_WIN32) || defined(__CYGWIN__) || defined(_WIN32_WCE) /* DATA imports from DLLs on WIN32 con't be const, because runtime relocations are performed -- see ld's documentation on pseudo-relocs. */ # define LT@&t@_DLSYM_CONST #elif defined(__osf__) /* This system does not cope well with relocations in const data. */ # define LT@&t@_DLSYM_CONST #else # define LT@&t@_DLSYM_CONST const #endif #ifdef __cplusplus extern "C" { #endif _LT_EOF # Now generate the symbol file. eval "$lt_cv_sys_global_symbol_to_cdecl"' < "$nlist" | $GREP -v main >> conftest.$ac_ext' cat <<_LT_EOF >> conftest.$ac_ext /* The mapping between symbol names and symbols. */ LT@&t@_DLSYM_CONST struct { const char *name; void *address; } lt__PROGRAM__LTX_preloaded_symbols[[]] = { { "@PROGRAM@", (void *) 0 }, _LT_EOF $SED "s/^$symcode$symcode* \(.*\) \(.*\)$/ {\"\2\", (void *) \&\2},/" < "$nlist" | $GREP -v main >> conftest.$ac_ext cat <<\_LT_EOF >> conftest.$ac_ext {0, (void *) 0} }; /* This works around a problem in FreeBSD linker */ #ifdef FREEBSD_WORKAROUND static const void *lt_preloaded_setup() { return lt__PROGRAM__LTX_preloaded_symbols; } #endif #ifdef __cplusplus } #endif _LT_EOF # Now try linking the two files. mv conftest.$ac_objext conftstm.$ac_objext lt_globsym_save_LIBS=$LIBS lt_globsym_save_CFLAGS=$CFLAGS LIBS="conftstm.$ac_objext" CFLAGS="$CFLAGS$_LT_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)" if AC_TRY_EVAL(ac_link) && test -s conftest${ac_exeext}; then pipe_works=yes fi LIBS=$lt_globsym_save_LIBS CFLAGS=$lt_globsym_save_CFLAGS else echo "cannot find nm_test_func in $nlist" >&AS_MESSAGE_LOG_FD fi else echo "cannot find nm_test_var in $nlist" >&AS_MESSAGE_LOG_FD fi else echo "cannot run $lt_cv_sys_global_symbol_pipe" >&AS_MESSAGE_LOG_FD fi else echo "$progname: failed program was:" >&AS_MESSAGE_LOG_FD cat conftest.$ac_ext >&5 fi rm -rf conftest* conftst* # Do not use the global_symbol_pipe unless it works. if test "$pipe_works" = yes; then break else lt_cv_sys_global_symbol_pipe= fi done ]) if test -z "$lt_cv_sys_global_symbol_pipe"; then lt_cv_sys_global_symbol_to_cdecl= fi if test -z "$lt_cv_sys_global_symbol_pipe$lt_cv_sys_global_symbol_to_cdecl"; then AC_MSG_RESULT(failed) else AC_MSG_RESULT(ok) fi # Response file support. if test "$lt_cv_nm_interface" = "MS dumpbin"; then nm_file_list_spec='@' elif $NM --help 2>/dev/null | grep '[[@]]FILE' >/dev/null; then nm_file_list_spec='@' fi _LT_DECL([global_symbol_pipe], [lt_cv_sys_global_symbol_pipe], [1], [Take the output of nm and produce a listing of raw symbols and C names]) _LT_DECL([global_symbol_to_cdecl], [lt_cv_sys_global_symbol_to_cdecl], [1], [Transform the output of nm in a proper C declaration]) _LT_DECL([global_symbol_to_c_name_address], [lt_cv_sys_global_symbol_to_c_name_address], [1], [Transform the output of nm in a C name address pair]) _LT_DECL([global_symbol_to_c_name_address_lib_prefix], [lt_cv_sys_global_symbol_to_c_name_address_lib_prefix], [1], [Transform the output of nm in a C name address pair when lib prefix is needed]) _LT_DECL([], [nm_file_list_spec], [1], [Specify filename containing input files for $NM]) ]) # _LT_CMD_GLOBAL_SYMBOLS # _LT_COMPILER_PIC([TAGNAME]) # --------------------------- m4_defun([_LT_COMPILER_PIC], [m4_require([_LT_TAG_COMPILER])dnl _LT_TAGVAR(lt_prog_compiler_wl, $1)= _LT_TAGVAR(lt_prog_compiler_pic, $1)= _LT_TAGVAR(lt_prog_compiler_static, $1)= m4_if([$1], [CXX], [ # C++ specific cases for pic, static, wl, etc. if test "$GXX" = yes; then _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' _LT_TAGVAR(lt_prog_compiler_static, $1)='-static' case $host_os in aix*) # All AIX code is PIC. if test "$host_cpu" = ia64; then # AIX 5 now supports IA64 processor _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' fi ;; amigaos*) case $host_cpu in powerpc) # see comment about AmigaOS4 .so support _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC' ;; m68k) # FIXME: we need at least 68020 code to build shared libraries, but # adding the `-m68020' flag to GCC prevents building anything better, # like `-m68040'. _LT_TAGVAR(lt_prog_compiler_pic, $1)='-m68020 -resident32 -malways-restore-a4' ;; esac ;; beos* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*) # PIC is the default for these OSes. ;; mingw* | cygwin* | os2* | pw32* | cegcc*) # This hack is so that the source file can tell whether it is being # built for inclusion in a dll (and should export symbols for example). # Although the cygwin gcc ignores -fPIC, still need this for old-style # (--disable-auto-import) libraries m4_if([$1], [GCJ], [], [_LT_TAGVAR(lt_prog_compiler_pic, $1)='-DDLL_EXPORT']) ;; darwin* | rhapsody*) # PIC is the default on this platform # Common symbols not allowed in MH_DYLIB files _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fno-common' ;; *djgpp*) # DJGPP does not support shared libraries at all _LT_TAGVAR(lt_prog_compiler_pic, $1)= ;; haiku*) # PIC is the default for Haiku. # The "-static" flag exists, but is broken. _LT_TAGVAR(lt_prog_compiler_static, $1)= ;; interix[[3-9]]*) # Interix 3.x gcc -fpic/-fPIC options generate broken code. # Instead, we relocate shared libraries at runtime. ;; sysv4*MP*) if test -d /usr/nec; then _LT_TAGVAR(lt_prog_compiler_pic, $1)=-Kconform_pic fi ;; hpux*) # PIC is the default for 64-bit PA HP-UX, but not for 32-bit # PA HP-UX. On IA64 HP-UX, PIC is the default but the pic flag # sets the default TLS model and affects inlining. case $host_cpu in hppa*64*) ;; *) _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC' ;; esac ;; *qnx* | *nto*) # QNX uses GNU C++, but need to define -shared option too, otherwise # it will coredump. _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC -shared' ;; *) _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC' ;; esac else case $host_os in aix[[4-9]]*) # All AIX code is PIC. if test "$host_cpu" = ia64; then # AIX 5 now supports IA64 processor _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' else _LT_TAGVAR(lt_prog_compiler_static, $1)='-bnso -bI:/lib/syscalls.exp' fi ;; chorus*) case $cc_basename in cxch68*) # Green Hills C++ Compiler # _LT_TAGVAR(lt_prog_compiler_static, $1)="--no_auto_instantiation -u __main -u __premain -u _abort -r $COOL_DIR/lib/libOrb.a $MVME_DIR/lib/CC/libC.a $MVME_DIR/lib/classix/libcx.s.a" ;; esac ;; mingw* | cygwin* | os2* | pw32* | cegcc*) # This hack is so that the source file can tell whether it is being # built for inclusion in a dll (and should export symbols for example). m4_if([$1], [GCJ], [], [_LT_TAGVAR(lt_prog_compiler_pic, $1)='-DDLL_EXPORT']) ;; dgux*) case $cc_basename in ec++*) _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC' ;; ghcx*) # Green Hills C++ Compiler _LT_TAGVAR(lt_prog_compiler_pic, $1)='-pic' ;; *) ;; esac ;; freebsd* | dragonfly*) # FreeBSD uses GNU C++ ;; hpux9* | hpux10* | hpux11*) case $cc_basename in CC*) _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' _LT_TAGVAR(lt_prog_compiler_static, $1)='${wl}-a ${wl}archive' if test "$host_cpu" != ia64; then _LT_TAGVAR(lt_prog_compiler_pic, $1)='+Z' fi ;; aCC*) _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' _LT_TAGVAR(lt_prog_compiler_static, $1)='${wl}-a ${wl}archive' case $host_cpu in hppa*64*|ia64*) # +Z the default ;; *) _LT_TAGVAR(lt_prog_compiler_pic, $1)='+Z' ;; esac ;; *) ;; esac ;; interix*) # This is c89, which is MS Visual C++ (no shared libs) # Anyone wants to do a port? ;; irix5* | irix6* | nonstopux*) case $cc_basename in CC*) _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' _LT_TAGVAR(lt_prog_compiler_static, $1)='-non_shared' # CC pic flag -KPIC is the default. ;; *) ;; esac ;; linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*) case $cc_basename in KCC*) # KAI C++ Compiler _LT_TAGVAR(lt_prog_compiler_wl, $1)='--backend -Wl,' _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC' ;; ecpc* ) # old Intel C++ for x86_64 which still supported -KPIC. _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC' _LT_TAGVAR(lt_prog_compiler_static, $1)='-static' ;; icpc* ) # Intel C++, used to be incompatible with GCC. # ICC 10 doesn't accept -KPIC any more. _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC' _LT_TAGVAR(lt_prog_compiler_static, $1)='-static' ;; pgCC* | pgcpp*) # Portland Group C++ compiler _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fpic' _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' ;; cxx*) # Compaq C++ # Make sure the PIC flag is empty. It appears that all Alpha # Linux and Compaq Tru64 Unix objects are PIC. _LT_TAGVAR(lt_prog_compiler_pic, $1)= _LT_TAGVAR(lt_prog_compiler_static, $1)='-non_shared' ;; xlc* | xlC* | bgxl[[cC]]* | mpixl[[cC]]*) # IBM XL 8.0, 9.0 on PPC and BlueGene _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' _LT_TAGVAR(lt_prog_compiler_pic, $1)='-qpic' _LT_TAGVAR(lt_prog_compiler_static, $1)='-qstaticlink' ;; *) case `$CC -V 2>&1 | sed 5q` in *Sun\ C*) # Sun C++ 5.9 _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC' _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Qoption ld ' ;; esac ;; esac ;; lynxos*) ;; m88k*) ;; mvs*) case $cc_basename in cxx*) _LT_TAGVAR(lt_prog_compiler_pic, $1)='-W c,exportall' ;; *) ;; esac ;; netbsd* | netbsdelf*-gnu) ;; *qnx* | *nto*) # QNX uses GNU C++, but need to define -shared option too, otherwise # it will coredump. _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC -shared' ;; osf3* | osf4* | osf5*) case $cc_basename in KCC*) _LT_TAGVAR(lt_prog_compiler_wl, $1)='--backend -Wl,' ;; RCC*) # Rational C++ 2.4.1 _LT_TAGVAR(lt_prog_compiler_pic, $1)='-pic' ;; cxx*) # Digital/Compaq C++ _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' # Make sure the PIC flag is empty. It appears that all Alpha # Linux and Compaq Tru64 Unix objects are PIC. _LT_TAGVAR(lt_prog_compiler_pic, $1)= _LT_TAGVAR(lt_prog_compiler_static, $1)='-non_shared' ;; *) ;; esac ;; psos*) ;; solaris*) case $cc_basename in CC* | sunCC*) # Sun C++ 4.2, 5.x and Centerline C++ _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC' _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Qoption ld ' ;; gcx*) # Green Hills C++ Compiler _LT_TAGVAR(lt_prog_compiler_pic, $1)='-PIC' ;; *) ;; esac ;; sunos4*) case $cc_basename in CC*) # Sun C++ 4.x _LT_TAGVAR(lt_prog_compiler_pic, $1)='-pic' _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' ;; lcc*) # Lucid _LT_TAGVAR(lt_prog_compiler_pic, $1)='-pic' ;; *) ;; esac ;; sysv5* | unixware* | sco3.2v5* | sco5v6* | OpenUNIX*) case $cc_basename in CC*) _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC' _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' ;; esac ;; tandem*) case $cc_basename in NCC*) # NonStop-UX NCC 3.20 _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC' ;; *) ;; esac ;; vxworks*) ;; *) _LT_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no ;; esac fi ], [ if test "$GCC" = yes; then _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' _LT_TAGVAR(lt_prog_compiler_static, $1)='-static' case $host_os in aix*) # All AIX code is PIC. if test "$host_cpu" = ia64; then # AIX 5 now supports IA64 processor _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' fi ;; amigaos*) case $host_cpu in powerpc) # see comment about AmigaOS4 .so support _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC' ;; m68k) # FIXME: we need at least 68020 code to build shared libraries, but # adding the `-m68020' flag to GCC prevents building anything better, # like `-m68040'. _LT_TAGVAR(lt_prog_compiler_pic, $1)='-m68020 -resident32 -malways-restore-a4' ;; esac ;; beos* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*) # PIC is the default for these OSes. ;; mingw* | cygwin* | pw32* | os2* | cegcc*) # This hack is so that the source file can tell whether it is being # built for inclusion in a dll (and should export symbols for example). # Although the cygwin gcc ignores -fPIC, still need this for old-style # (--disable-auto-import) libraries m4_if([$1], [GCJ], [], [_LT_TAGVAR(lt_prog_compiler_pic, $1)='-DDLL_EXPORT']) ;; darwin* | rhapsody*) # PIC is the default on this platform # Common symbols not allowed in MH_DYLIB files _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fno-common' ;; haiku*) # PIC is the default for Haiku. # The "-static" flag exists, but is broken. _LT_TAGVAR(lt_prog_compiler_static, $1)= ;; hpux*) # PIC is the default for 64-bit PA HP-UX, but not for 32-bit # PA HP-UX. On IA64 HP-UX, PIC is the default but the pic flag # sets the default TLS model and affects inlining. case $host_cpu in hppa*64*) # +Z the default ;; *) _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC' ;; esac ;; interix[[3-9]]*) # Interix 3.x gcc -fpic/-fPIC options generate broken code. # Instead, we relocate shared libraries at runtime. ;; msdosdjgpp*) # Just because we use GCC doesn't mean we suddenly get shared libraries # on systems that don't support them. _LT_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no enable_shared=no ;; *nto* | *qnx*) # QNX uses GNU C++, but need to define -shared option too, otherwise # it will coredump. _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC -shared' ;; sysv4*MP*) if test -d /usr/nec; then _LT_TAGVAR(lt_prog_compiler_pic, $1)=-Kconform_pic fi ;; *) _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC' ;; esac case $cc_basename in nvcc*) # Cuda Compiler Driver 2.2 _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Xlinker ' if test -n "$_LT_TAGVAR(lt_prog_compiler_pic, $1)"; then _LT_TAGVAR(lt_prog_compiler_pic, $1)="-Xcompiler $_LT_TAGVAR(lt_prog_compiler_pic, $1)" fi ;; esac else # PORTME Check for flag to pass linker flags through the system compiler. case $host_os in aix*) _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' if test "$host_cpu" = ia64; then # AIX 5 now supports IA64 processor _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' else _LT_TAGVAR(lt_prog_compiler_static, $1)='-bnso -bI:/lib/syscalls.exp' fi ;; mingw* | cygwin* | pw32* | os2* | cegcc*) # This hack is so that the source file can tell whether it is being # built for inclusion in a dll (and should export symbols for example). m4_if([$1], [GCJ], [], [_LT_TAGVAR(lt_prog_compiler_pic, $1)='-DDLL_EXPORT']) ;; hpux9* | hpux10* | hpux11*) _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but # not for PA HP-UX. case $host_cpu in hppa*64*|ia64*) # +Z the default ;; *) _LT_TAGVAR(lt_prog_compiler_pic, $1)='+Z' ;; esac # Is there a better lt_prog_compiler_static that works with the bundled CC? _LT_TAGVAR(lt_prog_compiler_static, $1)='${wl}-a ${wl}archive' ;; irix5* | irix6* | nonstopux*) _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' # PIC (with -KPIC) is the default. _LT_TAGVAR(lt_prog_compiler_static, $1)='-non_shared' ;; linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*) case $cc_basename in # old Intel for x86_64 which still supported -KPIC. ecc*) _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC' _LT_TAGVAR(lt_prog_compiler_static, $1)='-static' ;; # icc used to be incompatible with GCC. # ICC 10 doesn't accept -KPIC any more. icc* | ifort*) _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC' _LT_TAGVAR(lt_prog_compiler_static, $1)='-static' ;; # Lahey Fortran 8.1. lf95*) _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' _LT_TAGVAR(lt_prog_compiler_pic, $1)='--shared' _LT_TAGVAR(lt_prog_compiler_static, $1)='--static' ;; nagfor*) # NAG Fortran compiler _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,-Wl,,' _LT_TAGVAR(lt_prog_compiler_pic, $1)='-PIC' _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' ;; pgcc* | pgf77* | pgf90* | pgf95* | pgfortran*) # Portland Group compilers (*not* the Pentium gcc compiler, # which looks to be a dead project) _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fpic' _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' ;; ccc*) _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' # All Alpha code is PIC. _LT_TAGVAR(lt_prog_compiler_static, $1)='-non_shared' ;; xl* | bgxl* | bgf* | mpixl*) # IBM XL C 8.0/Fortran 10.1, 11.1 on PPC and BlueGene _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' _LT_TAGVAR(lt_prog_compiler_pic, $1)='-qpic' _LT_TAGVAR(lt_prog_compiler_static, $1)='-qstaticlink' ;; *) case `$CC -V 2>&1 | sed 5q` in *Sun\ Ceres\ Fortran* | *Sun*Fortran*\ [[1-7]].* | *Sun*Fortran*\ 8.[[0-3]]*) # Sun Fortran 8.3 passes all unrecognized flags to the linker _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC' _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' _LT_TAGVAR(lt_prog_compiler_wl, $1)='' ;; *Sun\ F* | *Sun*Fortran*) _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC' _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Qoption ld ' ;; *Sun\ C*) # Sun C 5.9 _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC' _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' ;; *Intel*\ [[CF]]*Compiler*) _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC' _LT_TAGVAR(lt_prog_compiler_static, $1)='-static' ;; *Portland\ Group*) _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fpic' _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' ;; esac ;; esac ;; newsos6) _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC' _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' ;; *nto* | *qnx*) # QNX uses GNU C++, but need to define -shared option too, otherwise # it will coredump. _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC -shared' ;; osf3* | osf4* | osf5*) _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' # All OSF/1 code is PIC. _LT_TAGVAR(lt_prog_compiler_static, $1)='-non_shared' ;; rdos*) _LT_TAGVAR(lt_prog_compiler_static, $1)='-non_shared' ;; solaris*) _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC' _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' case $cc_basename in f77* | f90* | f95* | sunf77* | sunf90* | sunf95*) _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Qoption ld ';; *) _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,';; esac ;; sunos4*) _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Qoption ld ' _LT_TAGVAR(lt_prog_compiler_pic, $1)='-PIC' _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' ;; sysv4 | sysv4.2uw2* | sysv4.3*) _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC' _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' ;; sysv4*MP*) if test -d /usr/nec ;then _LT_TAGVAR(lt_prog_compiler_pic, $1)='-Kconform_pic' _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' fi ;; sysv5* | unixware* | sco3.2v5* | sco5v6* | OpenUNIX*) _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC' _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' ;; unicos*) _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' _LT_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no ;; uts4*) _LT_TAGVAR(lt_prog_compiler_pic, $1)='-pic' _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' ;; *) _LT_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no ;; esac fi ]) case $host_os in # For platforms which do not support PIC, -DPIC is meaningless: *djgpp*) _LT_TAGVAR(lt_prog_compiler_pic, $1)= ;; *) _LT_TAGVAR(lt_prog_compiler_pic, $1)="$_LT_TAGVAR(lt_prog_compiler_pic, $1)@&t@m4_if([$1],[],[ -DPIC],[m4_if([$1],[CXX],[ -DPIC],[])])" ;; esac AC_CACHE_CHECK([for $compiler option to produce PIC], [_LT_TAGVAR(lt_cv_prog_compiler_pic, $1)], [_LT_TAGVAR(lt_cv_prog_compiler_pic, $1)=$_LT_TAGVAR(lt_prog_compiler_pic, $1)]) _LT_TAGVAR(lt_prog_compiler_pic, $1)=$_LT_TAGVAR(lt_cv_prog_compiler_pic, $1) # # Check to make sure the PIC flag actually works. # if test -n "$_LT_TAGVAR(lt_prog_compiler_pic, $1)"; then _LT_COMPILER_OPTION([if $compiler PIC flag $_LT_TAGVAR(lt_prog_compiler_pic, $1) works], [_LT_TAGVAR(lt_cv_prog_compiler_pic_works, $1)], [$_LT_TAGVAR(lt_prog_compiler_pic, $1)@&t@m4_if([$1],[],[ -DPIC],[m4_if([$1],[CXX],[ -DPIC],[])])], [], [case $_LT_TAGVAR(lt_prog_compiler_pic, $1) in "" | " "*) ;; *) _LT_TAGVAR(lt_prog_compiler_pic, $1)=" $_LT_TAGVAR(lt_prog_compiler_pic, $1)" ;; esac], [_LT_TAGVAR(lt_prog_compiler_pic, $1)= _LT_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no]) fi _LT_TAGDECL([pic_flag], [lt_prog_compiler_pic], [1], [Additional compiler flags for building library objects]) _LT_TAGDECL([wl], [lt_prog_compiler_wl], [1], [How to pass a linker flag through the compiler]) # # Check to make sure the static flag actually works. # wl=$_LT_TAGVAR(lt_prog_compiler_wl, $1) eval lt_tmp_static_flag=\"$_LT_TAGVAR(lt_prog_compiler_static, $1)\" _LT_LINKER_OPTION([if $compiler static flag $lt_tmp_static_flag works], _LT_TAGVAR(lt_cv_prog_compiler_static_works, $1), $lt_tmp_static_flag, [], [_LT_TAGVAR(lt_prog_compiler_static, $1)=]) _LT_TAGDECL([link_static_flag], [lt_prog_compiler_static], [1], [Compiler flag to prevent dynamic linking]) ])# _LT_COMPILER_PIC # _LT_LINKER_SHLIBS([TAGNAME]) # ---------------------------- # See if the linker supports building shared libraries. m4_defun([_LT_LINKER_SHLIBS], [AC_REQUIRE([LT_PATH_LD])dnl AC_REQUIRE([LT_PATH_NM])dnl m4_require([_LT_PATH_MANIFEST_TOOL])dnl m4_require([_LT_FILEUTILS_DEFAULTS])dnl m4_require([_LT_DECL_EGREP])dnl m4_require([_LT_DECL_SED])dnl m4_require([_LT_CMD_GLOBAL_SYMBOLS])dnl m4_require([_LT_TAG_COMPILER])dnl AC_MSG_CHECKING([whether the $compiler linker ($LD) supports shared libraries]) m4_if([$1], [CXX], [ _LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols' _LT_TAGVAR(exclude_expsyms, $1)=['_GLOBAL_OFFSET_TABLE_|_GLOBAL__F[ID]_.*'] case $host_os in aix[[4-9]]*) # If we're using GNU nm, then we don't want the "-C" option. # -C means demangle to AIX nm, but means don't demangle with GNU nm # Also, AIX nm treats weak defined symbols like other global defined # symbols, whereas GNU nm marks them as "W". if $NM -V 2>&1 | $GREP 'GNU' > /dev/null; then _LT_TAGVAR(export_symbols_cmds, $1)='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\$ 2 == "T") || (\$ 2 == "D") || (\$ 2 == "B") || (\$ 2 == "W")) && ([substr](\$ 3,1,1) != ".")) { print \$ 3 } }'\'' | sort -u > $export_symbols' else _LT_TAGVAR(export_symbols_cmds, $1)='$NM -BCpg $libobjs $convenience | awk '\''{ if (((\$ 2 == "T") || (\$ 2 == "D") || (\$ 2 == "B")) && ([substr](\$ 3,1,1) != ".")) { print \$ 3 } }'\'' | sort -u > $export_symbols' fi ;; pw32*) _LT_TAGVAR(export_symbols_cmds, $1)="$ltdll_cmds" ;; cygwin* | mingw* | cegcc*) case $cc_basename in cl*) _LT_TAGVAR(exclude_expsyms, $1)='_NULL_IMPORT_DESCRIPTOR|_IMPORT_DESCRIPTOR_.*' ;; *) _LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[[BCDGRS]][[ ]]/s/.*[[ ]]\([[^ ]]*\)/\1 DATA/;s/^.*[[ ]]__nm__\([[^ ]]*\)[[ ]][[^ ]]*/\1 DATA/;/^I[[ ]]/d;/^[[AITW]][[ ]]/s/.* //'\'' | sort | uniq > $export_symbols' _LT_TAGVAR(exclude_expsyms, $1)=['[_]+GLOBAL_OFFSET_TABLE_|[_]+GLOBAL__[FID]_.*|[_]+head_[A-Za-z0-9_]+_dll|[A-Za-z0-9_]+_dll_iname'] ;; esac ;; linux* | k*bsd*-gnu | gnu*) _LT_TAGVAR(link_all_deplibs, $1)=no ;; *) _LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols' ;; esac ], [ runpath_var= _LT_TAGVAR(allow_undefined_flag, $1)= _LT_TAGVAR(always_export_symbols, $1)=no _LT_TAGVAR(archive_cmds, $1)= _LT_TAGVAR(archive_expsym_cmds, $1)= _LT_TAGVAR(compiler_needs_object, $1)=no _LT_TAGVAR(enable_shared_with_static_runtimes, $1)=no _LT_TAGVAR(export_dynamic_flag_spec, $1)= _LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols' _LT_TAGVAR(hardcode_automatic, $1)=no _LT_TAGVAR(hardcode_direct, $1)=no _LT_TAGVAR(hardcode_direct_absolute, $1)=no _LT_TAGVAR(hardcode_libdir_flag_spec, $1)= _LT_TAGVAR(hardcode_libdir_separator, $1)= _LT_TAGVAR(hardcode_minus_L, $1)=no _LT_TAGVAR(hardcode_shlibpath_var, $1)=unsupported _LT_TAGVAR(inherit_rpath, $1)=no _LT_TAGVAR(link_all_deplibs, $1)=unknown _LT_TAGVAR(module_cmds, $1)= _LT_TAGVAR(module_expsym_cmds, $1)= _LT_TAGVAR(old_archive_from_new_cmds, $1)= _LT_TAGVAR(old_archive_from_expsyms_cmds, $1)= _LT_TAGVAR(thread_safe_flag_spec, $1)= _LT_TAGVAR(whole_archive_flag_spec, $1)= # include_expsyms should be a list of space-separated symbols to be *always* # included in the symbol list _LT_TAGVAR(include_expsyms, $1)= # exclude_expsyms can be an extended regexp of symbols to exclude # it will be wrapped by ` (' and `)$', so one must not match beginning or # end of line. Example: `a|bc|.*d.*' will exclude the symbols `a' and `bc', # as well as any symbol that contains `d'. _LT_TAGVAR(exclude_expsyms, $1)=['_GLOBAL_OFFSET_TABLE_|_GLOBAL__F[ID]_.*'] # Although _GLOBAL_OFFSET_TABLE_ is a valid symbol C name, most a.out # platforms (ab)use it in PIC code, but their linkers get confused if # the symbol is explicitly referenced. Since portable code cannot # rely on this symbol name, it's probably fine to never include it in # preloaded symbol tables. # Exclude shared library initialization/finalization symbols. dnl Note also adjust exclude_expsyms for C++ above. extract_expsyms_cmds= case $host_os in cygwin* | mingw* | pw32* | cegcc*) # FIXME: the MSVC++ port hasn't been tested in a loooong time # When not using gcc, we currently assume that we are using # Microsoft Visual C++. if test "$GCC" != yes; then with_gnu_ld=no fi ;; interix*) # we just hope/assume this is gcc and not c89 (= MSVC++) with_gnu_ld=yes ;; openbsd*) with_gnu_ld=no ;; linux* | k*bsd*-gnu | gnu*) _LT_TAGVAR(link_all_deplibs, $1)=no ;; esac _LT_TAGVAR(ld_shlibs, $1)=yes # On some targets, GNU ld is compatible enough with the native linker # that we're better off using the native interface for both. lt_use_gnu_ld_interface=no if test "$with_gnu_ld" = yes; then case $host_os in aix*) # The AIX port of GNU ld has always aspired to compatibility # with the native linker. However, as the warning in the GNU ld # block says, versions before 2.19.5* couldn't really create working # shared libraries, regardless of the interface used. case `$LD -v 2>&1` in *\ \(GNU\ Binutils\)\ 2.19.5*) ;; *\ \(GNU\ Binutils\)\ 2.[[2-9]]*) ;; *\ \(GNU\ Binutils\)\ [[3-9]]*) ;; *) lt_use_gnu_ld_interface=yes ;; esac ;; *) lt_use_gnu_ld_interface=yes ;; esac fi if test "$lt_use_gnu_ld_interface" = yes; then # If archive_cmds runs LD, not CC, wlarc should be empty wlarc='${wl}' # Set some defaults for GNU ld with shared library support. These # are reset later if shared libraries are not supported. Putting them # here allows them to be overridden if necessary. runpath_var=LD_RUN_PATH _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir' _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic' # ancient GNU ld didn't support --whole-archive et. al. if $LD --help 2>&1 | $GREP 'no-whole-archive' > /dev/null; then _LT_TAGVAR(whole_archive_flag_spec, $1)="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive' else _LT_TAGVAR(whole_archive_flag_spec, $1)= fi supports_anon_versioning=no case `$LD -v 2>&1` in *GNU\ gold*) supports_anon_versioning=yes ;; *\ [[01]].* | *\ 2.[[0-9]].* | *\ 2.10.*) ;; # catch versions < 2.11 *\ 2.11.93.0.2\ *) supports_anon_versioning=yes ;; # RH7.3 ... *\ 2.11.92.0.12\ *) supports_anon_versioning=yes ;; # Mandrake 8.2 ... *\ 2.11.*) ;; # other 2.11 versions *) supports_anon_versioning=yes ;; esac # See if GNU ld supports shared libraries. case $host_os in aix[[3-9]]*) # On AIX/PPC, the GNU linker is very broken if test "$host_cpu" != ia64; then _LT_TAGVAR(ld_shlibs, $1)=no cat <<_LT_EOF 1>&2 *** Warning: the GNU linker, at least up to release 2.19, is reported *** to be unable to reliably create shared libraries on AIX. *** Therefore, libtool is disabling shared libraries support. If you *** really care for shared libraries, you may want to install binutils *** 2.20 or above, or modify your PATH so that a non-GNU linker is found. *** You will then need to restart the configuration process. _LT_EOF fi ;; amigaos*) case $host_cpu in powerpc) # see comment about AmigaOS4 .so support _LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' _LT_TAGVAR(archive_expsym_cmds, $1)='' ;; m68k) _LT_TAGVAR(archive_cmds, $1)='$RM $output_objdir/a2ixlibrary.data~$ECHO "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$ECHO "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$ECHO "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$ECHO "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)' _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir' _LT_TAGVAR(hardcode_minus_L, $1)=yes ;; esac ;; beos*) if $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then _LT_TAGVAR(allow_undefined_flag, $1)=unsupported # Joseph Beckenbach says some releases of gcc # support --undefined. This deserves some investigation. FIXME _LT_TAGVAR(archive_cmds, $1)='$CC -nostart $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' else _LT_TAGVAR(ld_shlibs, $1)=no fi ;; cygwin* | mingw* | pw32* | cegcc*) # _LT_TAGVAR(hardcode_libdir_flag_spec, $1) is actually meaningless, # as there is no search path for DLLs. _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir' _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-all-symbols' _LT_TAGVAR(allow_undefined_flag, $1)=unsupported _LT_TAGVAR(always_export_symbols, $1)=no _LT_TAGVAR(enable_shared_with_static_runtimes, $1)=yes _LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[[BCDGRS]][[ ]]/s/.*[[ ]]\([[^ ]]*\)/\1 DATA/;s/^.*[[ ]]__nm__\([[^ ]]*\)[[ ]][[^ ]]*/\1 DATA/;/^I[[ ]]/d;/^[[AITW]][[ ]]/s/.* //'\'' | sort | uniq > $export_symbols' _LT_TAGVAR(exclude_expsyms, $1)=['[_]+GLOBAL_OFFSET_TABLE_|[_]+GLOBAL__[FID]_.*|[_]+head_[A-Za-z0-9_]+_dll|[A-Za-z0-9_]+_dll_iname'] if $LD --help 2>&1 | $GREP 'auto-import' > /dev/null; then _LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib' # If the export-symbols file already is a .def file (1st line # is EXPORTS), use it as is; otherwise, prepend... _LT_TAGVAR(archive_expsym_cmds, $1)='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then cp $export_symbols $output_objdir/$soname.def; else echo EXPORTS > $output_objdir/$soname.def; cat $export_symbols >> $output_objdir/$soname.def; fi~ $CC -shared $output_objdir/$soname.def $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib' else _LT_TAGVAR(ld_shlibs, $1)=no fi ;; haiku*) _LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' _LT_TAGVAR(link_all_deplibs, $1)=yes ;; interix[[3-9]]*) _LT_TAGVAR(hardcode_direct, $1)=no _LT_TAGVAR(hardcode_shlibpath_var, $1)=no _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir' _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E' # Hack: On Interix 3.x, we cannot compile PIC because of a broken gcc. # Instead, shared libraries are loaded at an image base (0x10000000 by # default) and relocated if they conflict, which is a slow very memory # consuming and fragmenting process. To avoid this, we pick a random, # 256 KiB-aligned image base between 0x50000000 and 0x6FFC0000 at link # time. Moving up from 0x10000000 also allows more sbrk(2) space. _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib' _LT_TAGVAR(archive_expsym_cmds, $1)='sed "s,^,_," $export_symbols >$output_objdir/$soname.expsym~$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--retain-symbols-file,$output_objdir/$soname.expsym ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib' ;; gnu* | linux* | tpf* | k*bsd*-gnu | kopensolaris*-gnu) tmp_diet=no if test "$host_os" = linux-dietlibc; then case $cc_basename in diet\ *) tmp_diet=yes;; # linux-dietlibc with static linking (!diet-dyn) esac fi if $LD --help 2>&1 | $EGREP ': supported targets:.* elf' > /dev/null \ && test "$tmp_diet" = no then tmp_addflag=' $pic_flag' tmp_sharedflag='-shared' case $cc_basename,$host_cpu in pgcc*) # Portland Group C compiler _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; func_echo_all \"$new_convenience\"` ${wl}--no-whole-archive' tmp_addflag=' $pic_flag' ;; pgf77* | pgf90* | pgf95* | pgfortran*) # Portland Group f77 and f90 compilers _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; func_echo_all \"$new_convenience\"` ${wl}--no-whole-archive' tmp_addflag=' $pic_flag -Mnomain' ;; ecc*,ia64* | icc*,ia64*) # Intel C compiler on ia64 tmp_addflag=' -i_dynamic' ;; efc*,ia64* | ifort*,ia64*) # Intel Fortran compiler on ia64 tmp_addflag=' -i_dynamic -nofor_main' ;; ifc* | ifort*) # Intel Fortran compiler tmp_addflag=' -nofor_main' ;; lf95*) # Lahey Fortran 8.1 _LT_TAGVAR(whole_archive_flag_spec, $1)= tmp_sharedflag='--shared' ;; xl[[cC]]* | bgxl[[cC]]* | mpixl[[cC]]*) # IBM XL C 8.0 on PPC (deal with xlf below) tmp_sharedflag='-qmkshrobj' tmp_addflag= ;; nvcc*) # Cuda Compiler Driver 2.2 _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; func_echo_all \"$new_convenience\"` ${wl}--no-whole-archive' _LT_TAGVAR(compiler_needs_object, $1)=yes ;; esac case `$CC -V 2>&1 | sed 5q` in *Sun\ C*) # Sun C 5.9 _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`new_convenience=; for conv in $convenience\"\"; do test -z \"$conv\" || new_convenience=\"$new_convenience,$conv\"; done; func_echo_all \"$new_convenience\"` ${wl}--no-whole-archive' _LT_TAGVAR(compiler_needs_object, $1)=yes tmp_sharedflag='-G' ;; *Sun\ F*) # Sun Fortran 8.3 tmp_sharedflag='-G' ;; esac _LT_TAGVAR(archive_cmds, $1)='$CC '"$tmp_sharedflag""$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' if test "x$supports_anon_versioning" = xyes; then _LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $output_objdir/$libname.ver~ cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~ echo "local: *; };" >> $output_objdir/$libname.ver~ $CC '"$tmp_sharedflag""$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-version-script ${wl}$output_objdir/$libname.ver -o $lib' fi case $cc_basename in xlf* | bgf* | bgxlf* | mpixlf*) # IBM XL Fortran 10.1 on PPC cannot create shared libs itself _LT_TAGVAR(whole_archive_flag_spec, $1)='--whole-archive$convenience --no-whole-archive' _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir' _LT_TAGVAR(archive_cmds, $1)='$LD -shared $libobjs $deplibs $linker_flags -soname $soname -o $lib' if test "x$supports_anon_versioning" = xyes; then _LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $output_objdir/$libname.ver~ cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~ echo "local: *; };" >> $output_objdir/$libname.ver~ $LD -shared $libobjs $deplibs $linker_flags -soname $soname -version-script $output_objdir/$libname.ver -o $lib' fi ;; esac else _LT_TAGVAR(ld_shlibs, $1)=no fi ;; netbsd* | netbsdelf*-gnu) if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then _LT_TAGVAR(archive_cmds, $1)='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib' wlarc= else _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib' fi ;; solaris*) if $LD -v 2>&1 | $GREP 'BFD 2\.8' > /dev/null; then _LT_TAGVAR(ld_shlibs, $1)=no cat <<_LT_EOF 1>&2 *** Warning: The releases 2.8.* of the GNU linker cannot reliably *** create shared libraries on Solaris systems. Therefore, libtool *** is disabling shared libraries support. We urge you to upgrade GNU *** binutils to release 2.9.1 or newer. Another option is to modify *** your PATH or compiler configuration so that the native linker is *** used, and then restart. _LT_EOF elif $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib' else _LT_TAGVAR(ld_shlibs, $1)=no fi ;; sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX*) case `$LD -v 2>&1` in *\ [[01]].* | *\ 2.[[0-9]].* | *\ 2.1[[0-5]].*) _LT_TAGVAR(ld_shlibs, $1)=no cat <<_LT_EOF 1>&2 *** Warning: Releases of the GNU linker prior to 2.16.91.0.3 can not *** reliably create shared libraries on SCO systems. Therefore, libtool *** is disabling shared libraries support. We urge you to upgrade GNU *** binutils to release 2.16.91.0.3 or newer. Another option is to modify *** your PATH or compiler configuration so that the native linker is *** used, and then restart. _LT_EOF ;; *) # For security reasons, it is highly recommended that you always # use absolute paths for naming shared libraries, and exclude the # DT_RUNPATH tag from executables and libraries. But doing so # requires that you compile everything twice, which is a pain. if $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir' _LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib' else _LT_TAGVAR(ld_shlibs, $1)=no fi ;; esac ;; sunos4*) _LT_TAGVAR(archive_cmds, $1)='$LD -assert pure-text -Bshareable -o $lib $libobjs $deplibs $linker_flags' wlarc= _LT_TAGVAR(hardcode_direct, $1)=yes _LT_TAGVAR(hardcode_shlibpath_var, $1)=no ;; *) if $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib' else _LT_TAGVAR(ld_shlibs, $1)=no fi ;; esac if test "$_LT_TAGVAR(ld_shlibs, $1)" = no; then runpath_var= _LT_TAGVAR(hardcode_libdir_flag_spec, $1)= _LT_TAGVAR(export_dynamic_flag_spec, $1)= _LT_TAGVAR(whole_archive_flag_spec, $1)= fi else # PORTME fill in a description of your system's linker (not GNU ld) case $host_os in aix3*) _LT_TAGVAR(allow_undefined_flag, $1)=unsupported _LT_TAGVAR(always_export_symbols, $1)=yes _LT_TAGVAR(archive_expsym_cmds, $1)='$LD -o $output_objdir/$soname $libobjs $deplibs $linker_flags -bE:$export_symbols -T512 -H512 -bM:SRE~$AR $AR_FLAGS $lib $output_objdir/$soname' # Note: this linker hardcodes the directories in LIBPATH if there # are no directories specified by -L. _LT_TAGVAR(hardcode_minus_L, $1)=yes if test "$GCC" = yes && test -z "$lt_prog_compiler_static"; then # Neither direct hardcoding nor static linking is supported with a # broken collect2. _LT_TAGVAR(hardcode_direct, $1)=unsupported fi ;; aix[[4-9]]*) if test "$host_cpu" = ia64; then # On IA64, the linker does run time linking by default, so we don't # have to do anything special. aix_use_runtimelinking=no exp_sym_flag='-Bexport' no_entry_flag="" else # If we're using GNU nm, then we don't want the "-C" option. # -C means demangle to AIX nm, but means don't demangle with GNU nm # Also, AIX nm treats weak defined symbols like other global # defined symbols, whereas GNU nm marks them as "W". if $NM -V 2>&1 | $GREP 'GNU' > /dev/null; then _LT_TAGVAR(export_symbols_cmds, $1)='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\$ 2 == "T") || (\$ 2 == "D") || (\$ 2 == "B") || (\$ 2 == "W")) && ([substr](\$ 3,1,1) != ".")) { print \$ 3 } }'\'' | sort -u > $export_symbols' else _LT_TAGVAR(export_symbols_cmds, $1)='$NM -BCpg $libobjs $convenience | awk '\''{ if (((\$ 2 == "T") || (\$ 2 == "D") || (\$ 2 == "B")) && ([substr](\$ 3,1,1) != ".")) { print \$ 3 } }'\'' | sort -u > $export_symbols' fi aix_use_runtimelinking=no # Test if we are trying to use run time linking or normal # AIX style linking. If -brtl is somewhere in LDFLAGS, we # need to do runtime linking. case $host_os in aix4.[[23]]|aix4.[[23]].*|aix[[5-9]]*) for ld_flag in $LDFLAGS; do if (test $ld_flag = "-brtl" || test $ld_flag = "-Wl,-brtl"); then aix_use_runtimelinking=yes break fi done ;; esac exp_sym_flag='-bexport' no_entry_flag='-bnoentry' fi # When large executables or shared objects are built, AIX ld can # have problems creating the table of contents. If linking a library # or program results in "error TOC overflow" add -mminimal-toc to # CXXFLAGS/CFLAGS for g++/gcc. In the cases where that is not # enough to fix the problem, add -Wl,-bbigtoc to LDFLAGS. _LT_TAGVAR(archive_cmds, $1)='' _LT_TAGVAR(hardcode_direct, $1)=yes _LT_TAGVAR(hardcode_direct_absolute, $1)=yes _LT_TAGVAR(hardcode_libdir_separator, $1)=':' _LT_TAGVAR(link_all_deplibs, $1)=yes _LT_TAGVAR(file_list_spec, $1)='${wl}-f,' if test "$GCC" = yes; then case $host_os in aix4.[[012]]|aix4.[[012]].*) # We only want to do this on AIX 4.2 and lower, the check # below for broken collect2 doesn't work under 4.3+ collect2name=`${CC} -print-prog-name=collect2` if test -f "$collect2name" && strings "$collect2name" | $GREP resolve_lib_name >/dev/null then # We have reworked collect2 : else # We have old collect2 _LT_TAGVAR(hardcode_direct, $1)=unsupported # It fails to find uninstalled libraries when the uninstalled # path is not listed in the libpath. Setting hardcode_minus_L # to unsupported forces relinking _LT_TAGVAR(hardcode_minus_L, $1)=yes _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir' _LT_TAGVAR(hardcode_libdir_separator, $1)= fi ;; esac shared_flag='-shared' if test "$aix_use_runtimelinking" = yes; then shared_flag="$shared_flag "'${wl}-G' fi _LT_TAGVAR(link_all_deplibs, $1)=no else # not using gcc if test "$host_cpu" = ia64; then # VisualAge C++, Version 5.5 for AIX 5L for IA-64, Beta 3 Release # chokes on -Wl,-G. The following line is correct: shared_flag='-G' else if test "$aix_use_runtimelinking" = yes; then shared_flag='${wl}-G' else shared_flag='${wl}-bM:SRE' fi fi fi _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-bexpall' # It seems that -bexpall does not export symbols beginning with # underscore (_), so it is better to generate a list of symbols to export. _LT_TAGVAR(always_export_symbols, $1)=yes if test "$aix_use_runtimelinking" = yes; then # Warning - without using the other runtime loading flags (-brtl), # -berok will link without error, but may produce a broken library. _LT_TAGVAR(allow_undefined_flag, $1)='-berok' # Determine the default libpath from the value encoded in an # empty executable. _LT_SYS_MODULE_PATH_AIX([$1]) _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-blibpath:$libdir:'"$aix_libpath" _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then func_echo_all "${wl}${allow_undefined_flag}"; else :; fi` '"\${wl}$exp_sym_flag:\$export_symbols $shared_flag" else if test "$host_cpu" = ia64; then _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-R $libdir:/usr/lib:/lib' _LT_TAGVAR(allow_undefined_flag, $1)="-z nodefs" _LT_TAGVAR(archive_expsym_cmds, $1)="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags ${wl}${allow_undefined_flag} '"\${wl}$exp_sym_flag:\$export_symbols" else # Determine the default libpath from the value encoded in an # empty executable. _LT_SYS_MODULE_PATH_AIX([$1]) _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-blibpath:$libdir:'"$aix_libpath" # Warning - without using the other run time loading flags, # -berok will link without error, but may produce a broken library. _LT_TAGVAR(no_undefined_flag, $1)=' ${wl}-bernotok' _LT_TAGVAR(allow_undefined_flag, $1)=' ${wl}-berok' if test "$with_gnu_ld" = yes; then # We only use this code for GNU lds that support --whole-archive. _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive$convenience ${wl}--no-whole-archive' else # Exported symbols can be pulled into shared objects from archives _LT_TAGVAR(whole_archive_flag_spec, $1)='$convenience' fi _LT_TAGVAR(archive_cmds_need_lc, $1)=yes # This is similar to how AIX traditionally builds its shared libraries. _LT_TAGVAR(archive_expsym_cmds, $1)="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs ${wl}-bnoentry $compiler_flags ${wl}-bE:$export_symbols${allow_undefined_flag}~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$soname' fi fi ;; amigaos*) case $host_cpu in powerpc) # see comment about AmigaOS4 .so support _LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' _LT_TAGVAR(archive_expsym_cmds, $1)='' ;; m68k) _LT_TAGVAR(archive_cmds, $1)='$RM $output_objdir/a2ixlibrary.data~$ECHO "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$ECHO "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$ECHO "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$ECHO "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)' _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir' _LT_TAGVAR(hardcode_minus_L, $1)=yes ;; esac ;; bsdi[[45]]*) _LT_TAGVAR(export_dynamic_flag_spec, $1)=-rdynamic ;; cygwin* | mingw* | pw32* | cegcc*) # When not using gcc, we currently assume that we are using # Microsoft Visual C++. # hardcode_libdir_flag_spec is actually meaningless, as there is # no search path for DLLs. case $cc_basename in cl*) # Native MSVC _LT_TAGVAR(hardcode_libdir_flag_spec, $1)=' ' _LT_TAGVAR(allow_undefined_flag, $1)=unsupported _LT_TAGVAR(always_export_symbols, $1)=yes _LT_TAGVAR(file_list_spec, $1)='@' # Tell ltmain to make .lib files, not .a files. libext=lib # Tell ltmain to make .dll files, not .so files. shrext_cmds=".dll" # FIXME: Setting linknames here is a bad hack. _LT_TAGVAR(archive_cmds, $1)='$CC -o $output_objdir/$soname $libobjs $compiler_flags $deplibs -Wl,-dll~linknames=' _LT_TAGVAR(archive_expsym_cmds, $1)='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then sed -n -e 's/\\\\\\\(.*\\\\\\\)/-link\\\ -EXPORT:\\\\\\\1/' -e '1\\\!p' < $export_symbols > $output_objdir/$soname.exp; else sed -e 's/\\\\\\\(.*\\\\\\\)/-link\\\ -EXPORT:\\\\\\\1/' < $export_symbols > $output_objdir/$soname.exp; fi~ $CC -o $tool_output_objdir$soname $libobjs $compiler_flags $deplibs "@$tool_output_objdir$soname.exp" -Wl,-DLL,-IMPLIB:"$tool_output_objdir$libname.dll.lib"~ linknames=' # The linker will not automatically build a static lib if we build a DLL. # _LT_TAGVAR(old_archive_from_new_cmds, $1)='true' _LT_TAGVAR(enable_shared_with_static_runtimes, $1)=yes _LT_TAGVAR(exclude_expsyms, $1)='_NULL_IMPORT_DESCRIPTOR|_IMPORT_DESCRIPTOR_.*' _LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[[BCDGRS]][[ ]]/s/.*[[ ]]\([[^ ]]*\)/\1,DATA/'\'' | $SED -e '\''/^[[AITW]][[ ]]/s/.*[[ ]]//'\'' | sort | uniq > $export_symbols' # Don't use ranlib _LT_TAGVAR(old_postinstall_cmds, $1)='chmod 644 $oldlib' _LT_TAGVAR(postlink_cmds, $1)='lt_outputfile="@OUTPUT@"~ lt_tool_outputfile="@TOOL_OUTPUT@"~ case $lt_outputfile in *.exe|*.EXE) ;; *) lt_outputfile="$lt_outputfile.exe" lt_tool_outputfile="$lt_tool_outputfile.exe" ;; esac~ if test "$MANIFEST_TOOL" != ":" && test -f "$lt_outputfile.manifest"; then $MANIFEST_TOOL -manifest "$lt_tool_outputfile.manifest" -outputresource:"$lt_tool_outputfile" || exit 1; $RM "$lt_outputfile.manifest"; fi' ;; *) # Assume MSVC wrapper _LT_TAGVAR(hardcode_libdir_flag_spec, $1)=' ' _LT_TAGVAR(allow_undefined_flag, $1)=unsupported # Tell ltmain to make .lib files, not .a files. libext=lib # Tell ltmain to make .dll files, not .so files. shrext_cmds=".dll" # FIXME: Setting linknames here is a bad hack. _LT_TAGVAR(archive_cmds, $1)='$CC -o $lib $libobjs $compiler_flags `func_echo_all "$deplibs" | $SED '\''s/ -lc$//'\''` -link -dll~linknames=' # The linker will automatically build a .lib file if we build a DLL. _LT_TAGVAR(old_archive_from_new_cmds, $1)='true' # FIXME: Should let the user specify the lib program. _LT_TAGVAR(old_archive_cmds, $1)='lib -OUT:$oldlib$oldobjs$old_deplibs' _LT_TAGVAR(enable_shared_with_static_runtimes, $1)=yes ;; esac ;; darwin* | rhapsody*) _LT_DARWIN_LINKER_FEATURES($1) ;; dgux*) _LT_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir' _LT_TAGVAR(hardcode_shlibpath_var, $1)=no ;; # FreeBSD 2.2.[012] allows us to include c++rt0.o to get C++ constructor # support. Future versions do this automatically, but an explicit c++rt0.o # does not break anything, and helps significantly (at the cost of a little # extra space). freebsd2.2*) _LT_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags /usr/lib/c++rt0.o' _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir' _LT_TAGVAR(hardcode_direct, $1)=yes _LT_TAGVAR(hardcode_shlibpath_var, $1)=no ;; # Unfortunately, older versions of FreeBSD 2 do not have this feature. freebsd2.*) _LT_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags' _LT_TAGVAR(hardcode_direct, $1)=yes _LT_TAGVAR(hardcode_minus_L, $1)=yes _LT_TAGVAR(hardcode_shlibpath_var, $1)=no ;; # FreeBSD 3 and greater uses gcc -shared to do shared libraries. freebsd* | dragonfly*) _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags' _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir' _LT_TAGVAR(hardcode_direct, $1)=yes _LT_TAGVAR(hardcode_shlibpath_var, $1)=no ;; hpux9*) if test "$GCC" = yes; then _LT_TAGVAR(archive_cmds, $1)='$RM $output_objdir/$soname~$CC -shared $pic_flag ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $libobjs $deplibs $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib' else _LT_TAGVAR(archive_cmds, $1)='$RM $output_objdir/$soname~$LD -b +b $install_libdir -o $output_objdir/$soname $libobjs $deplibs $linker_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib' fi _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir' _LT_TAGVAR(hardcode_libdir_separator, $1)=: _LT_TAGVAR(hardcode_direct, $1)=yes # hardcode_minus_L: Not really in the search PATH, # but as the default location of the library. _LT_TAGVAR(hardcode_minus_L, $1)=yes _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E' ;; hpux10*) if test "$GCC" = yes && test "$with_gnu_ld" = no; then _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags' else _LT_TAGVAR(archive_cmds, $1)='$LD -b +h $soname +b $install_libdir -o $lib $libobjs $deplibs $linker_flags' fi if test "$with_gnu_ld" = no; then _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir' _LT_TAGVAR(hardcode_libdir_separator, $1)=: _LT_TAGVAR(hardcode_direct, $1)=yes _LT_TAGVAR(hardcode_direct_absolute, $1)=yes _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E' # hardcode_minus_L: Not really in the search PATH, # but as the default location of the library. _LT_TAGVAR(hardcode_minus_L, $1)=yes fi ;; hpux11*) if test "$GCC" = yes && test "$with_gnu_ld" = no; then case $host_cpu in hppa*64*) _LT_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}+h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags' ;; ia64*) _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags' ;; *) _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags' ;; esac else case $host_cpu in hppa*64*) _LT_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags' ;; ia64*) _LT_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags' ;; *) m4_if($1, [], [ # Older versions of the 11.00 compiler do not understand -b yet # (HP92453-01 A.11.01.20 doesn't, HP92453-01 B.11.X.35175-35176.GP does) _LT_LINKER_OPTION([if $CC understands -b], _LT_TAGVAR(lt_cv_prog_compiler__b, $1), [-b], [_LT_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'], [_LT_TAGVAR(archive_cmds, $1)='$LD -b +h $soname +b $install_libdir -o $lib $libobjs $deplibs $linker_flags'])], [_LT_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags']) ;; esac fi if test "$with_gnu_ld" = no; then _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir' _LT_TAGVAR(hardcode_libdir_separator, $1)=: case $host_cpu in hppa*64*|ia64*) _LT_TAGVAR(hardcode_direct, $1)=no _LT_TAGVAR(hardcode_shlibpath_var, $1)=no ;; *) _LT_TAGVAR(hardcode_direct, $1)=yes _LT_TAGVAR(hardcode_direct_absolute, $1)=yes _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E' # hardcode_minus_L: Not really in the search PATH, # but as the default location of the library. _LT_TAGVAR(hardcode_minus_L, $1)=yes ;; esac fi ;; irix5* | irix6* | nonstopux*) if test "$GCC" = yes; then _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && func_echo_all "${wl}-set_version ${wl}$verstring"` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib' # Try to use the -exported_symbol ld option, if it does not # work, assume that -exports_file does not work either and # implicitly export all symbols. # This should be the same for all languages, so no per-tag cache variable. AC_CACHE_CHECK([whether the $host_os linker accepts -exported_symbol], [lt_cv_irix_exported_symbol], [save_LDFLAGS="$LDFLAGS" LDFLAGS="$LDFLAGS -shared ${wl}-exported_symbol ${wl}foo ${wl}-update_registry ${wl}/dev/null" AC_LINK_IFELSE( [AC_LANG_SOURCE( [AC_LANG_CASE([C], [[int foo (void) { return 0; }]], [C++], [[int foo (void) { return 0; }]], [Fortran 77], [[ subroutine foo end]], [Fortran], [[ subroutine foo end]])])], [lt_cv_irix_exported_symbol=yes], [lt_cv_irix_exported_symbol=no]) LDFLAGS="$save_LDFLAGS"]) if test "$lt_cv_irix_exported_symbol" = yes; then _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && func_echo_all "${wl}-set_version ${wl}$verstring"` ${wl}-update_registry ${wl}${output_objdir}/so_locations ${wl}-exports_file ${wl}$export_symbols -o $lib' fi else _LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry ${output_objdir}/so_locations -o $lib' _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry ${output_objdir}/so_locations -exports_file $export_symbols -o $lib' fi _LT_TAGVAR(archive_cmds_need_lc, $1)='no' _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir' _LT_TAGVAR(hardcode_libdir_separator, $1)=: _LT_TAGVAR(inherit_rpath, $1)=yes _LT_TAGVAR(link_all_deplibs, $1)=yes ;; netbsd* | netbsdelf*-gnu) if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then _LT_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags' # a.out else _LT_TAGVAR(archive_cmds, $1)='$LD -shared -o $lib $libobjs $deplibs $linker_flags' # ELF fi _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir' _LT_TAGVAR(hardcode_direct, $1)=yes _LT_TAGVAR(hardcode_shlibpath_var, $1)=no ;; newsos6) _LT_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' _LT_TAGVAR(hardcode_direct, $1)=yes _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir' _LT_TAGVAR(hardcode_libdir_separator, $1)=: _LT_TAGVAR(hardcode_shlibpath_var, $1)=no ;; *nto* | *qnx*) ;; openbsd*) if test -f /usr/libexec/ld.so; then _LT_TAGVAR(hardcode_direct, $1)=yes _LT_TAGVAR(hardcode_shlibpath_var, $1)=no _LT_TAGVAR(hardcode_direct_absolute, $1)=yes if test -z "`echo __ELF__ | $CC -E - | $GREP __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags' _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-retain-symbols-file,$export_symbols' _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir' _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E' else case $host_os in openbsd[[01]].* | openbsd2.[[0-7]] | openbsd2.[[0-7]].*) _LT_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags' _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir' ;; *) _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags' _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir' ;; esac fi else _LT_TAGVAR(ld_shlibs, $1)=no fi ;; os2*) _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir' _LT_TAGVAR(hardcode_minus_L, $1)=yes _LT_TAGVAR(allow_undefined_flag, $1)=unsupported _LT_TAGVAR(archive_cmds, $1)='$ECHO "LIBRARY $libname INITINSTANCE" > $output_objdir/$libname.def~$ECHO "DESCRIPTION \"$libname\"" >> $output_objdir/$libname.def~echo DATA >> $output_objdir/$libname.def~echo " SINGLE NONSHARED" >> $output_objdir/$libname.def~echo EXPORTS >> $output_objdir/$libname.def~emxexp $libobjs >> $output_objdir/$libname.def~$CC -Zdll -Zcrtdll -o $lib $libobjs $deplibs $compiler_flags $output_objdir/$libname.def' _LT_TAGVAR(old_archive_from_new_cmds, $1)='emximp -o $output_objdir/$libname.a $output_objdir/$libname.def' ;; osf3*) if test "$GCC" = yes; then _LT_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*' _LT_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && func_echo_all "${wl}-set_version ${wl}$verstring"` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib' else _LT_TAGVAR(allow_undefined_flag, $1)=' -expect_unresolved \*' _LT_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry ${output_objdir}/so_locations -o $lib' fi _LT_TAGVAR(archive_cmds_need_lc, $1)='no' _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir' _LT_TAGVAR(hardcode_libdir_separator, $1)=: ;; osf4* | osf5*) # as osf3* with the addition of -msym flag if test "$GCC" = yes; then _LT_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*' _LT_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $pic_flag $libobjs $deplibs $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && func_echo_all "${wl}-set_version ${wl}$verstring"` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib' _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir' else _LT_TAGVAR(allow_undefined_flag, $1)=' -expect_unresolved \*' _LT_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags -msym -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry ${output_objdir}/so_locations -o $lib' _LT_TAGVAR(archive_expsym_cmds, $1)='for i in `cat $export_symbols`; do printf "%s %s\\n" -exported_symbol "\$i" >> $lib.exp; done; printf "%s\\n" "-hidden">> $lib.exp~ $CC -shared${allow_undefined_flag} ${wl}-input ${wl}$lib.exp $compiler_flags $libobjs $deplibs -soname $soname `test -n "$verstring" && $ECHO "-set_version $verstring"` -update_registry ${output_objdir}/so_locations -o $lib~$RM $lib.exp' # Both c and cxx compiler support -rpath directly _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-rpath $libdir' fi _LT_TAGVAR(archive_cmds_need_lc, $1)='no' _LT_TAGVAR(hardcode_libdir_separator, $1)=: ;; solaris*) _LT_TAGVAR(no_undefined_flag, $1)=' -z defs' if test "$GCC" = yes; then wlarc='${wl}' _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag ${wl}-z ${wl}text ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags' _LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~echo "local: *; };" >> $lib.exp~ $CC -shared $pic_flag ${wl}-z ${wl}text ${wl}-M ${wl}$lib.exp ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags~$RM $lib.exp' else case `$CC -V 2>&1` in *"Compilers 5.0"*) wlarc='' _LT_TAGVAR(archive_cmds, $1)='$LD -G${allow_undefined_flag} -h $soname -o $lib $libobjs $deplibs $linker_flags' _LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~echo "local: *; };" >> $lib.exp~ $LD -G${allow_undefined_flag} -M $lib.exp -h $soname -o $lib $libobjs $deplibs $linker_flags~$RM $lib.exp' ;; *) wlarc='${wl}' _LT_TAGVAR(archive_cmds, $1)='$CC -G${allow_undefined_flag} -h $soname -o $lib $libobjs $deplibs $compiler_flags' _LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~echo "local: *; };" >> $lib.exp~ $CC -G${allow_undefined_flag} -M $lib.exp -h $soname -o $lib $libobjs $deplibs $compiler_flags~$RM $lib.exp' ;; esac fi _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir' _LT_TAGVAR(hardcode_shlibpath_var, $1)=no case $host_os in solaris2.[[0-5]] | solaris2.[[0-5]].*) ;; *) # The compiler driver will combine and reorder linker options, # but understands `-z linker_flag'. GCC discards it without `$wl', # but is careful enough not to reorder. # Supported since Solaris 2.6 (maybe 2.5.1?) if test "$GCC" = yes; then _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}-z ${wl}allextract$convenience ${wl}-z ${wl}defaultextract' else _LT_TAGVAR(whole_archive_flag_spec, $1)='-z allextract$convenience -z defaultextract' fi ;; esac _LT_TAGVAR(link_all_deplibs, $1)=yes ;; sunos4*) if test "x$host_vendor" = xsequent; then # Use $CC to link under sequent, because it throws in some extra .o # files that make .init and .fini sections work. _LT_TAGVAR(archive_cmds, $1)='$CC -G ${wl}-h $soname -o $lib $libobjs $deplibs $compiler_flags' else _LT_TAGVAR(archive_cmds, $1)='$LD -assert pure-text -Bstatic -o $lib $libobjs $deplibs $linker_flags' fi _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir' _LT_TAGVAR(hardcode_direct, $1)=yes _LT_TAGVAR(hardcode_minus_L, $1)=yes _LT_TAGVAR(hardcode_shlibpath_var, $1)=no ;; sysv4) case $host_vendor in sni) _LT_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' _LT_TAGVAR(hardcode_direct, $1)=yes # is this really true??? ;; siemens) ## LD is ld it makes a PLAMLIB ## CC just makes a GrossModule. _LT_TAGVAR(archive_cmds, $1)='$LD -G -o $lib $libobjs $deplibs $linker_flags' _LT_TAGVAR(reload_cmds, $1)='$CC -r -o $output$reload_objs' _LT_TAGVAR(hardcode_direct, $1)=no ;; motorola) _LT_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' _LT_TAGVAR(hardcode_direct, $1)=no #Motorola manual says yes, but my tests say they lie ;; esac runpath_var='LD_RUN_PATH' _LT_TAGVAR(hardcode_shlibpath_var, $1)=no ;; sysv4.3*) _LT_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' _LT_TAGVAR(hardcode_shlibpath_var, $1)=no _LT_TAGVAR(export_dynamic_flag_spec, $1)='-Bexport' ;; sysv4*MP*) if test -d /usr/nec; then _LT_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' _LT_TAGVAR(hardcode_shlibpath_var, $1)=no runpath_var=LD_RUN_PATH hardcode_runpath_var=yes _LT_TAGVAR(ld_shlibs, $1)=yes fi ;; sysv4*uw2* | sysv5OpenUNIX* | sysv5UnixWare7.[[01]].[[10]]* | unixware7* | sco3.2v5.0.[[024]]*) _LT_TAGVAR(no_undefined_flag, $1)='${wl}-z,text' _LT_TAGVAR(archive_cmds_need_lc, $1)=no _LT_TAGVAR(hardcode_shlibpath_var, $1)=no runpath_var='LD_RUN_PATH' if test "$GCC" = yes; then _LT_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags' _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags' else _LT_TAGVAR(archive_cmds, $1)='$CC -G ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags' _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags' fi ;; sysv5* | sco3.2v5* | sco5v6*) # Note: We can NOT use -z defs as we might desire, because we do not # link with -lc, and that would cause any symbols used from libc to # always be unresolved, which means just about no library would # ever link correctly. If we're not using GNU ld we use -z text # though, which does catch some bad symbols but isn't as heavy-handed # as -z defs. _LT_TAGVAR(no_undefined_flag, $1)='${wl}-z,text' _LT_TAGVAR(allow_undefined_flag, $1)='${wl}-z,nodefs' _LT_TAGVAR(archive_cmds_need_lc, $1)=no _LT_TAGVAR(hardcode_shlibpath_var, $1)=no _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-R,$libdir' _LT_TAGVAR(hardcode_libdir_separator, $1)=':' _LT_TAGVAR(link_all_deplibs, $1)=yes _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-Bexport' runpath_var='LD_RUN_PATH' if test "$GCC" = yes; then _LT_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags' _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags' else _LT_TAGVAR(archive_cmds, $1)='$CC -G ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags' _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags' fi ;; uts4*) _LT_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir' _LT_TAGVAR(hardcode_shlibpath_var, $1)=no ;; *) _LT_TAGVAR(ld_shlibs, $1)=no ;; esac if test x$host_vendor = xsni; then case $host in sysv4 | sysv4.2uw2* | sysv4.3* | sysv5*) _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-Blargedynsym' ;; esac fi fi ]) AC_MSG_RESULT([$_LT_TAGVAR(ld_shlibs, $1)]) test "$_LT_TAGVAR(ld_shlibs, $1)" = no && can_build_shared=no _LT_TAGVAR(with_gnu_ld, $1)=$with_gnu_ld _LT_DECL([], [libext], [0], [Old archive suffix (normally "a")])dnl _LT_DECL([], [shrext_cmds], [1], [Shared library suffix (normally ".so")])dnl _LT_DECL([], [extract_expsyms_cmds], [2], [The commands to extract the exported symbol list from a shared archive]) # # Do we need to explicitly link libc? # case "x$_LT_TAGVAR(archive_cmds_need_lc, $1)" in x|xyes) # Assume -lc should be added _LT_TAGVAR(archive_cmds_need_lc, $1)=yes if test "$enable_shared" = yes && test "$GCC" = yes; then case $_LT_TAGVAR(archive_cmds, $1) in *'~'*) # FIXME: we may have to deal with multi-command sequences. ;; '$CC '*) # Test whether the compiler implicitly links with -lc since on some # systems, -lgcc has to come before -lc. If gcc already passes -lc # to ld, don't add -lc before -lgcc. AC_CACHE_CHECK([whether -lc should be explicitly linked in], [lt_cv_]_LT_TAGVAR(archive_cmds_need_lc, $1), [$RM conftest* echo "$lt_simple_compile_test_code" > conftest.$ac_ext if AC_TRY_EVAL(ac_compile) 2>conftest.err; then soname=conftest lib=conftest libobjs=conftest.$ac_objext deplibs= wl=$_LT_TAGVAR(lt_prog_compiler_wl, $1) pic_flag=$_LT_TAGVAR(lt_prog_compiler_pic, $1) compiler_flags=-v linker_flags=-v verstring= output_objdir=. libname=conftest lt_save_allow_undefined_flag=$_LT_TAGVAR(allow_undefined_flag, $1) _LT_TAGVAR(allow_undefined_flag, $1)= if AC_TRY_EVAL(_LT_TAGVAR(archive_cmds, $1) 2\>\&1 \| $GREP \" -lc \" \>/dev/null 2\>\&1) then lt_cv_[]_LT_TAGVAR(archive_cmds_need_lc, $1)=no else lt_cv_[]_LT_TAGVAR(archive_cmds_need_lc, $1)=yes fi _LT_TAGVAR(allow_undefined_flag, $1)=$lt_save_allow_undefined_flag else cat conftest.err 1>&5 fi $RM conftest* ]) _LT_TAGVAR(archive_cmds_need_lc, $1)=$lt_cv_[]_LT_TAGVAR(archive_cmds_need_lc, $1) ;; esac fi ;; esac _LT_TAGDECL([build_libtool_need_lc], [archive_cmds_need_lc], [0], [Whether or not to add -lc for building shared libraries]) _LT_TAGDECL([allow_libtool_libs_with_static_runtimes], [enable_shared_with_static_runtimes], [0], [Whether or not to disallow shared libs when runtime libs are static]) _LT_TAGDECL([], [export_dynamic_flag_spec], [1], [Compiler flag to allow reflexive dlopens]) _LT_TAGDECL([], [whole_archive_flag_spec], [1], [Compiler flag to generate shared objects directly from archives]) _LT_TAGDECL([], [compiler_needs_object], [1], [Whether the compiler copes with passing no objects directly]) _LT_TAGDECL([], [old_archive_from_new_cmds], [2], [Create an old-style archive from a shared archive]) _LT_TAGDECL([], [old_archive_from_expsyms_cmds], [2], [Create a temporary old-style archive to link instead of a shared archive]) _LT_TAGDECL([], [archive_cmds], [2], [Commands used to build a shared archive]) _LT_TAGDECL([], [archive_expsym_cmds], [2]) _LT_TAGDECL([], [module_cmds], [2], [Commands used to build a loadable module if different from building a shared archive.]) _LT_TAGDECL([], [module_expsym_cmds], [2]) _LT_TAGDECL([], [with_gnu_ld], [1], [Whether we are building with GNU ld or not]) _LT_TAGDECL([], [allow_undefined_flag], [1], [Flag that allows shared libraries with undefined symbols to be built]) _LT_TAGDECL([], [no_undefined_flag], [1], [Flag that enforces no undefined symbols]) _LT_TAGDECL([], [hardcode_libdir_flag_spec], [1], [Flag to hardcode $libdir into a binary during linking. This must work even if $libdir does not exist]) _LT_TAGDECL([], [hardcode_libdir_separator], [1], [Whether we need a single "-rpath" flag with a separated argument]) _LT_TAGDECL([], [hardcode_direct], [0], [Set to "yes" if using DIR/libNAME${shared_ext} during linking hardcodes DIR into the resulting binary]) _LT_TAGDECL([], [hardcode_direct_absolute], [0], [Set to "yes" if using DIR/libNAME${shared_ext} during linking hardcodes DIR into the resulting binary and the resulting library dependency is "absolute", i.e impossible to change by setting ${shlibpath_var} if the library is relocated]) _LT_TAGDECL([], [hardcode_minus_L], [0], [Set to "yes" if using the -LDIR flag during linking hardcodes DIR into the resulting binary]) _LT_TAGDECL([], [hardcode_shlibpath_var], [0], [Set to "yes" if using SHLIBPATH_VAR=DIR during linking hardcodes DIR into the resulting binary]) _LT_TAGDECL([], [hardcode_automatic], [0], [Set to "yes" if building a shared library automatically hardcodes DIR into the library and all subsequent libraries and executables linked against it]) _LT_TAGDECL([], [inherit_rpath], [0], [Set to yes if linker adds runtime paths of dependent libraries to runtime path list]) _LT_TAGDECL([], [link_all_deplibs], [0], [Whether libtool must link a program against all its dependency libraries]) _LT_TAGDECL([], [always_export_symbols], [0], [Set to "yes" if exported symbols are required]) _LT_TAGDECL([], [export_symbols_cmds], [2], [The commands to list exported symbols]) _LT_TAGDECL([], [exclude_expsyms], [1], [Symbols that should not be listed in the preloaded symbols]) _LT_TAGDECL([], [include_expsyms], [1], [Symbols that must always be exported]) _LT_TAGDECL([], [prelink_cmds], [2], [Commands necessary for linking programs (against libraries) with templates]) _LT_TAGDECL([], [postlink_cmds], [2], [Commands necessary for finishing linking programs]) _LT_TAGDECL([], [file_list_spec], [1], [Specify filename containing input files]) dnl FIXME: Not yet implemented dnl _LT_TAGDECL([], [thread_safe_flag_spec], [1], dnl [Compiler flag to generate thread safe objects]) ])# _LT_LINKER_SHLIBS # _LT_LANG_C_CONFIG([TAG]) # ------------------------ # Ensure that the configuration variables for a C compiler are suitably # defined. These variables are subsequently used by _LT_CONFIG to write # the compiler configuration to `libtool'. m4_defun([_LT_LANG_C_CONFIG], [m4_require([_LT_DECL_EGREP])dnl lt_save_CC="$CC" AC_LANG_PUSH(C) # Source file extension for C test sources. ac_ext=c # Object file extension for compiled C test sources. objext=o _LT_TAGVAR(objext, $1)=$objext # Code to be used in simple compile tests lt_simple_compile_test_code="int some_variable = 0;" # Code to be used in simple link tests lt_simple_link_test_code='int main(){return(0);}' _LT_TAG_COMPILER # Save the default compiler, since it gets overwritten when the other # tags are being tested, and _LT_TAGVAR(compiler, []) is a NOP. compiler_DEFAULT=$CC # save warnings/boilerplate of simple test code _LT_COMPILER_BOILERPLATE _LT_LINKER_BOILERPLATE ## CAVEAT EMPTOR: ## There is no encapsulation within the following macros, do not change ## the running order or otherwise move them around unless you know exactly ## what you are doing... if test -n "$compiler"; then _LT_COMPILER_NO_RTTI($1) _LT_COMPILER_PIC($1) _LT_COMPILER_C_O($1) _LT_COMPILER_FILE_LOCKS($1) _LT_LINKER_SHLIBS($1) _LT_SYS_DYNAMIC_LINKER($1) _LT_LINKER_HARDCODE_LIBPATH($1) LT_SYS_DLOPEN_SELF _LT_CMD_STRIPLIB # Report which library types will actually be built AC_MSG_CHECKING([if libtool supports shared libraries]) AC_MSG_RESULT([$can_build_shared]) AC_MSG_CHECKING([whether to build shared libraries]) test "$can_build_shared" = "no" && enable_shared=no # On AIX, shared libraries and static libraries use the same namespace, and # are all built from PIC. case $host_os in aix3*) test "$enable_shared" = yes && enable_static=no if test -n "$RANLIB"; then archive_cmds="$archive_cmds~\$RANLIB \$lib" postinstall_cmds='$RANLIB $lib' fi ;; aix[[4-9]]*) if test "$host_cpu" != ia64 && test "$aix_use_runtimelinking" = no ; then test "$enable_shared" = yes && enable_static=no fi ;; esac AC_MSG_RESULT([$enable_shared]) AC_MSG_CHECKING([whether to build static libraries]) # Make sure either enable_shared or enable_static is yes. test "$enable_shared" = yes || enable_static=yes AC_MSG_RESULT([$enable_static]) _LT_CONFIG($1) fi AC_LANG_POP CC="$lt_save_CC" ])# _LT_LANG_C_CONFIG # _LT_LANG_CXX_CONFIG([TAG]) # -------------------------- # Ensure that the configuration variables for a C++ compiler are suitably # defined. These variables are subsequently used by _LT_CONFIG to write # the compiler configuration to `libtool'. m4_defun([_LT_LANG_CXX_CONFIG], [m4_require([_LT_FILEUTILS_DEFAULTS])dnl m4_require([_LT_DECL_EGREP])dnl m4_require([_LT_PATH_MANIFEST_TOOL])dnl if test -n "$CXX" && ( test "X$CXX" != "Xno" && ( (test "X$CXX" = "Xg++" && `g++ -v >/dev/null 2>&1` ) || (test "X$CXX" != "Xg++"))) ; then AC_PROG_CXXCPP else _lt_caught_CXX_error=yes fi AC_LANG_PUSH(C++) _LT_TAGVAR(archive_cmds_need_lc, $1)=no _LT_TAGVAR(allow_undefined_flag, $1)= _LT_TAGVAR(always_export_symbols, $1)=no _LT_TAGVAR(archive_expsym_cmds, $1)= _LT_TAGVAR(compiler_needs_object, $1)=no _LT_TAGVAR(export_dynamic_flag_spec, $1)= _LT_TAGVAR(hardcode_direct, $1)=no _LT_TAGVAR(hardcode_direct_absolute, $1)=no _LT_TAGVAR(hardcode_libdir_flag_spec, $1)= _LT_TAGVAR(hardcode_libdir_separator, $1)= _LT_TAGVAR(hardcode_minus_L, $1)=no _LT_TAGVAR(hardcode_shlibpath_var, $1)=unsupported _LT_TAGVAR(hardcode_automatic, $1)=no _LT_TAGVAR(inherit_rpath, $1)=no _LT_TAGVAR(module_cmds, $1)= _LT_TAGVAR(module_expsym_cmds, $1)= _LT_TAGVAR(link_all_deplibs, $1)=unknown _LT_TAGVAR(old_archive_cmds, $1)=$old_archive_cmds _LT_TAGVAR(reload_flag, $1)=$reload_flag _LT_TAGVAR(reload_cmds, $1)=$reload_cmds _LT_TAGVAR(no_undefined_flag, $1)= _LT_TAGVAR(whole_archive_flag_spec, $1)= _LT_TAGVAR(enable_shared_with_static_runtimes, $1)=no # Source file extension for C++ test sources. ac_ext=cpp # Object file extension for compiled C++ test sources. objext=o _LT_TAGVAR(objext, $1)=$objext # No sense in running all these tests if we already determined that # the CXX compiler isn't working. Some variables (like enable_shared) # are currently assumed to apply to all compilers on this platform, # and will be corrupted by setting them based on a non-working compiler. if test "$_lt_caught_CXX_error" != yes; then # Code to be used in simple compile tests lt_simple_compile_test_code="int some_variable = 0;" # Code to be used in simple link tests lt_simple_link_test_code='int main(int, char *[[]]) { return(0); }' # ltmain only uses $CC for tagged configurations so make sure $CC is set. _LT_TAG_COMPILER # save warnings/boilerplate of simple test code _LT_COMPILER_BOILERPLATE _LT_LINKER_BOILERPLATE # Allow CC to be a program name with arguments. lt_save_CC=$CC lt_save_CFLAGS=$CFLAGS lt_save_LD=$LD lt_save_GCC=$GCC GCC=$GXX lt_save_with_gnu_ld=$with_gnu_ld lt_save_path_LD=$lt_cv_path_LD if test -n "${lt_cv_prog_gnu_ldcxx+set}"; then lt_cv_prog_gnu_ld=$lt_cv_prog_gnu_ldcxx else $as_unset lt_cv_prog_gnu_ld fi if test -n "${lt_cv_path_LDCXX+set}"; then lt_cv_path_LD=$lt_cv_path_LDCXX else $as_unset lt_cv_path_LD fi test -z "${LDCXX+set}" || LD=$LDCXX CC=${CXX-"c++"} CFLAGS=$CXXFLAGS compiler=$CC _LT_TAGVAR(compiler, $1)=$CC _LT_CC_BASENAME([$compiler]) if test -n "$compiler"; then # We don't want -fno-exception when compiling C++ code, so set the # no_builtin_flag separately if test "$GXX" = yes; then _LT_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)=' -fno-builtin' else _LT_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)= fi if test "$GXX" = yes; then # Set up default GNU C++ configuration LT_PATH_LD # Check if GNU C++ uses GNU ld as the underlying linker, since the # archiving commands below assume that GNU ld is being used. if test "$with_gnu_ld" = yes; then _LT_TAGVAR(archive_cmds, $1)='$CC $pic_flag -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib' _LT_TAGVAR(archive_expsym_cmds, $1)='$CC $pic_flag -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib' _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir' _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic' # If archive_cmds runs LD, not CC, wlarc should be empty # XXX I think wlarc can be eliminated in ltcf-cxx, but I need to # investigate it a little bit more. (MM) wlarc='${wl}' # ancient GNU ld didn't support --whole-archive et. al. if eval "`$CC -print-prog-name=ld` --help 2>&1" | $GREP 'no-whole-archive' > /dev/null; then _LT_TAGVAR(whole_archive_flag_spec, $1)="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive' else _LT_TAGVAR(whole_archive_flag_spec, $1)= fi else with_gnu_ld=no wlarc= # A generic and very simple default shared library creation # command for GNU C++ for the case where it uses the native # linker, instead of GNU ld. If possible, this setting should # overridden to take advantage of the native linker features on # the platform it is being used on. _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $lib' fi # Commands to make compiler produce verbose output that lists # what "hidden" libraries, object files and flags are used when # linking a shared library. output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP "\-L"' else GXX=no with_gnu_ld=no wlarc= fi # PORTME: fill in a description of your system's C++ link characteristics AC_MSG_CHECKING([whether the $compiler linker ($LD) supports shared libraries]) _LT_TAGVAR(ld_shlibs, $1)=yes case $host_os in aix3*) # FIXME: insert proper C++ library support _LT_TAGVAR(ld_shlibs, $1)=no ;; aix[[4-9]]*) if test "$host_cpu" = ia64; then # On IA64, the linker does run time linking by default, so we don't # have to do anything special. aix_use_runtimelinking=no exp_sym_flag='-Bexport' no_entry_flag="" else aix_use_runtimelinking=no # Test if we are trying to use run time linking or normal # AIX style linking. If -brtl is somewhere in LDFLAGS, we # need to do runtime linking. case $host_os in aix4.[[23]]|aix4.[[23]].*|aix[[5-9]]*) for ld_flag in $LDFLAGS; do case $ld_flag in *-brtl*) aix_use_runtimelinking=yes break ;; esac done ;; esac exp_sym_flag='-bexport' no_entry_flag='-bnoentry' fi # When large executables or shared objects are built, AIX ld can # have problems creating the table of contents. If linking a library # or program results in "error TOC overflow" add -mminimal-toc to # CXXFLAGS/CFLAGS for g++/gcc. In the cases where that is not # enough to fix the problem, add -Wl,-bbigtoc to LDFLAGS. _LT_TAGVAR(archive_cmds, $1)='' _LT_TAGVAR(hardcode_direct, $1)=yes _LT_TAGVAR(hardcode_direct_absolute, $1)=yes _LT_TAGVAR(hardcode_libdir_separator, $1)=':' _LT_TAGVAR(link_all_deplibs, $1)=yes _LT_TAGVAR(file_list_spec, $1)='${wl}-f,' if test "$GXX" = yes; then case $host_os in aix4.[[012]]|aix4.[[012]].*) # We only want to do this on AIX 4.2 and lower, the check # below for broken collect2 doesn't work under 4.3+ collect2name=`${CC} -print-prog-name=collect2` if test -f "$collect2name" && strings "$collect2name" | $GREP resolve_lib_name >/dev/null then # We have reworked collect2 : else # We have old collect2 _LT_TAGVAR(hardcode_direct, $1)=unsupported # It fails to find uninstalled libraries when the uninstalled # path is not listed in the libpath. Setting hardcode_minus_L # to unsupported forces relinking _LT_TAGVAR(hardcode_minus_L, $1)=yes _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir' _LT_TAGVAR(hardcode_libdir_separator, $1)= fi esac shared_flag='-shared' if test "$aix_use_runtimelinking" = yes; then shared_flag="$shared_flag "'${wl}-G' fi else # not using gcc if test "$host_cpu" = ia64; then # VisualAge C++, Version 5.5 for AIX 5L for IA-64, Beta 3 Release # chokes on -Wl,-G. The following line is correct: shared_flag='-G' else if test "$aix_use_runtimelinking" = yes; then shared_flag='${wl}-G' else shared_flag='${wl}-bM:SRE' fi fi fi _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-bexpall' # It seems that -bexpall does not export symbols beginning with # underscore (_), so it is better to generate a list of symbols to # export. _LT_TAGVAR(always_export_symbols, $1)=yes if test "$aix_use_runtimelinking" = yes; then # Warning - without using the other runtime loading flags (-brtl), # -berok will link without error, but may produce a broken library. _LT_TAGVAR(allow_undefined_flag, $1)='-berok' # Determine the default libpath from the value encoded in an empty # executable. _LT_SYS_MODULE_PATH_AIX([$1]) _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-blibpath:$libdir:'"$aix_libpath" _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then func_echo_all "${wl}${allow_undefined_flag}"; else :; fi` '"\${wl}$exp_sym_flag:\$export_symbols $shared_flag" else if test "$host_cpu" = ia64; then _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-R $libdir:/usr/lib:/lib' _LT_TAGVAR(allow_undefined_flag, $1)="-z nodefs" _LT_TAGVAR(archive_expsym_cmds, $1)="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags ${wl}${allow_undefined_flag} '"\${wl}$exp_sym_flag:\$export_symbols" else # Determine the default libpath from the value encoded in an # empty executable. _LT_SYS_MODULE_PATH_AIX([$1]) _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-blibpath:$libdir:'"$aix_libpath" # Warning - without using the other run time loading flags, # -berok will link without error, but may produce a broken library. _LT_TAGVAR(no_undefined_flag, $1)=' ${wl}-bernotok' _LT_TAGVAR(allow_undefined_flag, $1)=' ${wl}-berok' if test "$with_gnu_ld" = yes; then # We only use this code for GNU lds that support --whole-archive. _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive$convenience ${wl}--no-whole-archive' else # Exported symbols can be pulled into shared objects from archives _LT_TAGVAR(whole_archive_flag_spec, $1)='$convenience' fi _LT_TAGVAR(archive_cmds_need_lc, $1)=yes # This is similar to how AIX traditionally builds its shared # libraries. _LT_TAGVAR(archive_expsym_cmds, $1)="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs ${wl}-bnoentry $compiler_flags ${wl}-bE:$export_symbols${allow_undefined_flag}~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$soname' fi fi ;; beos*) if $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then _LT_TAGVAR(allow_undefined_flag, $1)=unsupported # Joseph Beckenbach says some releases of gcc # support --undefined. This deserves some investigation. FIXME _LT_TAGVAR(archive_cmds, $1)='$CC -nostart $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' else _LT_TAGVAR(ld_shlibs, $1)=no fi ;; chorus*) case $cc_basename in *) # FIXME: insert proper C++ library support _LT_TAGVAR(ld_shlibs, $1)=no ;; esac ;; cygwin* | mingw* | pw32* | cegcc*) case $GXX,$cc_basename in ,cl* | no,cl*) # Native MSVC # hardcode_libdir_flag_spec is actually meaningless, as there is # no search path for DLLs. _LT_TAGVAR(hardcode_libdir_flag_spec, $1)=' ' _LT_TAGVAR(allow_undefined_flag, $1)=unsupported _LT_TAGVAR(always_export_symbols, $1)=yes _LT_TAGVAR(file_list_spec, $1)='@' # Tell ltmain to make .lib files, not .a files. libext=lib # Tell ltmain to make .dll files, not .so files. shrext_cmds=".dll" # FIXME: Setting linknames here is a bad hack. _LT_TAGVAR(archive_cmds, $1)='$CC -o $output_objdir/$soname $libobjs $compiler_flags $deplibs -Wl,-dll~linknames=' _LT_TAGVAR(archive_expsym_cmds, $1)='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then $SED -n -e 's/\\\\\\\(.*\\\\\\\)/-link\\\ -EXPORT:\\\\\\\1/' -e '1\\\!p' < $export_symbols > $output_objdir/$soname.exp; else $SED -e 's/\\\\\\\(.*\\\\\\\)/-link\\\ -EXPORT:\\\\\\\1/' < $export_symbols > $output_objdir/$soname.exp; fi~ $CC -o $tool_output_objdir$soname $libobjs $compiler_flags $deplibs "@$tool_output_objdir$soname.exp" -Wl,-DLL,-IMPLIB:"$tool_output_objdir$libname.dll.lib"~ linknames=' # The linker will not automatically build a static lib if we build a DLL. # _LT_TAGVAR(old_archive_from_new_cmds, $1)='true' _LT_TAGVAR(enable_shared_with_static_runtimes, $1)=yes # Don't use ranlib _LT_TAGVAR(old_postinstall_cmds, $1)='chmod 644 $oldlib' _LT_TAGVAR(postlink_cmds, $1)='lt_outputfile="@OUTPUT@"~ lt_tool_outputfile="@TOOL_OUTPUT@"~ case $lt_outputfile in *.exe|*.EXE) ;; *) lt_outputfile="$lt_outputfile.exe" lt_tool_outputfile="$lt_tool_outputfile.exe" ;; esac~ func_to_tool_file "$lt_outputfile"~ if test "$MANIFEST_TOOL" != ":" && test -f "$lt_outputfile.manifest"; then $MANIFEST_TOOL -manifest "$lt_tool_outputfile.manifest" -outputresource:"$lt_tool_outputfile" || exit 1; $RM "$lt_outputfile.manifest"; fi' ;; *) # g++ # _LT_TAGVAR(hardcode_libdir_flag_spec, $1) is actually meaningless, # as there is no search path for DLLs. _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir' _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-all-symbols' _LT_TAGVAR(allow_undefined_flag, $1)=unsupported _LT_TAGVAR(always_export_symbols, $1)=no _LT_TAGVAR(enable_shared_with_static_runtimes, $1)=yes if $LD --help 2>&1 | $GREP 'auto-import' > /dev/null; then _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib' # If the export-symbols file already is a .def file (1st line # is EXPORTS), use it as is; otherwise, prepend... _LT_TAGVAR(archive_expsym_cmds, $1)='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then cp $export_symbols $output_objdir/$soname.def; else echo EXPORTS > $output_objdir/$soname.def; cat $export_symbols >> $output_objdir/$soname.def; fi~ $CC -shared -nostdlib $output_objdir/$soname.def $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib' else _LT_TAGVAR(ld_shlibs, $1)=no fi ;; esac ;; darwin* | rhapsody*) _LT_DARWIN_LINKER_FEATURES($1) ;; dgux*) case $cc_basename in ec++*) # FIXME: insert proper C++ library support _LT_TAGVAR(ld_shlibs, $1)=no ;; ghcx*) # Green Hills C++ Compiler # FIXME: insert proper C++ library support _LT_TAGVAR(ld_shlibs, $1)=no ;; *) # FIXME: insert proper C++ library support _LT_TAGVAR(ld_shlibs, $1)=no ;; esac ;; freebsd2.*) # C++ shared libraries reported to be fairly broken before # switch to ELF _LT_TAGVAR(ld_shlibs, $1)=no ;; freebsd-elf*) _LT_TAGVAR(archive_cmds_need_lc, $1)=no ;; freebsd* | dragonfly*) # FreeBSD 3 and later use GNU C++ and GNU ld with standard ELF # conventions _LT_TAGVAR(ld_shlibs, $1)=yes ;; haiku*) _LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' _LT_TAGVAR(link_all_deplibs, $1)=yes ;; hpux9*) _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir' _LT_TAGVAR(hardcode_libdir_separator, $1)=: _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E' _LT_TAGVAR(hardcode_direct, $1)=yes _LT_TAGVAR(hardcode_minus_L, $1)=yes # Not in the search PATH, # but as the default # location of the library. case $cc_basename in CC*) # FIXME: insert proper C++ library support _LT_TAGVAR(ld_shlibs, $1)=no ;; aCC*) _LT_TAGVAR(archive_cmds, $1)='$RM $output_objdir/$soname~$CC -b ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib' # Commands to make compiler produce verbose output that lists # what "hidden" libraries, object files and flags are used when # linking a shared library. # # There doesn't appear to be a way to prevent this compiler from # explicitly linking system object files so we need to strip them # from the output so that they don't get included in the library # dependencies. output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | $EGREP "\-L"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; func_echo_all "$list"' ;; *) if test "$GXX" = yes; then _LT_TAGVAR(archive_cmds, $1)='$RM $output_objdir/$soname~$CC -shared -nostdlib $pic_flag ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib' else # FIXME: insert proper C++ library support _LT_TAGVAR(ld_shlibs, $1)=no fi ;; esac ;; hpux10*|hpux11*) if test $with_gnu_ld = no; then _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir' _LT_TAGVAR(hardcode_libdir_separator, $1)=: case $host_cpu in hppa*64*|ia64*) ;; *) _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E' ;; esac fi case $host_cpu in hppa*64*|ia64*) _LT_TAGVAR(hardcode_direct, $1)=no _LT_TAGVAR(hardcode_shlibpath_var, $1)=no ;; *) _LT_TAGVAR(hardcode_direct, $1)=yes _LT_TAGVAR(hardcode_direct_absolute, $1)=yes _LT_TAGVAR(hardcode_minus_L, $1)=yes # Not in the search PATH, # but as the default # location of the library. ;; esac case $cc_basename in CC*) # FIXME: insert proper C++ library support _LT_TAGVAR(ld_shlibs, $1)=no ;; aCC*) case $host_cpu in hppa*64*) _LT_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags' ;; ia64*) _LT_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags' ;; *) _LT_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags' ;; esac # Commands to make compiler produce verbose output that lists # what "hidden" libraries, object files and flags are used when # linking a shared library. # # There doesn't appear to be a way to prevent this compiler from # explicitly linking system object files so we need to strip them # from the output so that they don't get included in the library # dependencies. output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | $GREP "\-L"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; func_echo_all "$list"' ;; *) if test "$GXX" = yes; then if test $with_gnu_ld = no; then case $host_cpu in hppa*64*) _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib -fPIC ${wl}+h ${wl}$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags' ;; ia64*) _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $pic_flag ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags' ;; *) _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $pic_flag ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags' ;; esac fi else # FIXME: insert proper C++ library support _LT_TAGVAR(ld_shlibs, $1)=no fi ;; esac ;; interix[[3-9]]*) _LT_TAGVAR(hardcode_direct, $1)=no _LT_TAGVAR(hardcode_shlibpath_var, $1)=no _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir' _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E' # Hack: On Interix 3.x, we cannot compile PIC because of a broken gcc. # Instead, shared libraries are loaded at an image base (0x10000000 by # default) and relocated if they conflict, which is a slow very memory # consuming and fragmenting process. To avoid this, we pick a random, # 256 KiB-aligned image base between 0x50000000 and 0x6FFC0000 at link # time. Moving up from 0x10000000 also allows more sbrk(2) space. _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib' _LT_TAGVAR(archive_expsym_cmds, $1)='sed "s,^,_," $export_symbols >$output_objdir/$soname.expsym~$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--retain-symbols-file,$output_objdir/$soname.expsym ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib' ;; irix5* | irix6*) case $cc_basename in CC*) # SGI C++ _LT_TAGVAR(archive_cmds, $1)='$CC -shared -all -multigot $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry ${output_objdir}/so_locations -o $lib' # Archives containing C++ object files must be created using # "CC -ar", where "CC" is the IRIX C++ compiler. This is # necessary to make sure instantiated templates are included # in the archive. _LT_TAGVAR(old_archive_cmds, $1)='$CC -ar -WR,-u -o $oldlib $oldobjs' ;; *) if test "$GXX" = yes; then if test "$with_gnu_ld" = no; then _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && func_echo_all "${wl}-set_version ${wl}$verstring"` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib' else _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && func_echo_all "${wl}-set_version ${wl}$verstring"` -o $lib' fi fi _LT_TAGVAR(link_all_deplibs, $1)=yes ;; esac _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir' _LT_TAGVAR(hardcode_libdir_separator, $1)=: _LT_TAGVAR(inherit_rpath, $1)=yes ;; linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*) case $cc_basename in KCC*) # Kuck and Associates, Inc. (KAI) C++ Compiler # KCC will only create a shared library if the output file # ends with ".so" (or ".sl" for HP-UX), so rename the library # to its proper name (with version) after linking. _LT_TAGVAR(archive_cmds, $1)='tempext=`echo $shared_ext | $SED -e '\''s/\([[^()0-9A-Za-z{}]]\)/\\\\\1/g'\''`; templib=`echo $lib | $SED -e "s/\${tempext}\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib; mv \$templib $lib' _LT_TAGVAR(archive_expsym_cmds, $1)='tempext=`echo $shared_ext | $SED -e '\''s/\([[^()0-9A-Za-z{}]]\)/\\\\\1/g'\''`; templib=`echo $lib | $SED -e "s/\${tempext}\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib ${wl}-retain-symbols-file,$export_symbols; mv \$templib $lib' # Commands to make compiler produce verbose output that lists # what "hidden" libraries, object files and flags are used when # linking a shared library. # # There doesn't appear to be a way to prevent this compiler from # explicitly linking system object files so we need to strip them # from the output so that they don't get included in the library # dependencies. output_verbose_link_cmd='templist=`$CC $CFLAGS -v conftest.$objext -o libconftest$shared_ext 2>&1 | $GREP "ld"`; rm -f libconftest$shared_ext; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; func_echo_all "$list"' _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir' _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic' # Archives containing C++ object files must be created using # "CC -Bstatic", where "CC" is the KAI C++ compiler. _LT_TAGVAR(old_archive_cmds, $1)='$CC -Bstatic -o $oldlib $oldobjs' ;; icpc* | ecpc* ) # Intel C++ with_gnu_ld=yes # version 8.0 and above of icpc choke on multiply defined symbols # if we add $predep_objects and $postdep_objects, however 7.1 and # earlier do not add the objects themselves. case `$CC -V 2>&1` in *"Version 7."*) _LT_TAGVAR(archive_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib' _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib' ;; *) # Version 8.0 or newer tmp_idyn= case $host_cpu in ia64*) tmp_idyn=' -i_dynamic';; esac _LT_TAGVAR(archive_cmds, $1)='$CC -shared'"$tmp_idyn"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared'"$tmp_idyn"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib' ;; esac _LT_TAGVAR(archive_cmds_need_lc, $1)=no _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir' _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic' _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive$convenience ${wl}--no-whole-archive' ;; pgCC* | pgcpp*) # Portland Group C++ compiler case `$CC -V` in *pgCC\ [[1-5]].* | *pgcpp\ [[1-5]].*) _LT_TAGVAR(prelink_cmds, $1)='tpldir=Template.dir~ rm -rf $tpldir~ $CC --prelink_objects --instantiation_dir $tpldir $objs $libobjs $compile_deplibs~ compile_command="$compile_command `find $tpldir -name \*.o | sort | $NL2SP`"' _LT_TAGVAR(old_archive_cmds, $1)='tpldir=Template.dir~ rm -rf $tpldir~ $CC --prelink_objects --instantiation_dir $tpldir $oldobjs$old_deplibs~ $AR $AR_FLAGS $oldlib$oldobjs$old_deplibs `find $tpldir -name \*.o | sort | $NL2SP`~ $RANLIB $oldlib' _LT_TAGVAR(archive_cmds, $1)='tpldir=Template.dir~ rm -rf $tpldir~ $CC --prelink_objects --instantiation_dir $tpldir $predep_objects $libobjs $deplibs $convenience $postdep_objects~ $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | sort | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib' _LT_TAGVAR(archive_expsym_cmds, $1)='tpldir=Template.dir~ rm -rf $tpldir~ $CC --prelink_objects --instantiation_dir $tpldir $predep_objects $libobjs $deplibs $convenience $postdep_objects~ $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | sort | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname ${wl}-retain-symbols-file ${wl}$export_symbols -o $lib' ;; *) # Version 6 and above use weak symbols _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib' _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname ${wl}-retain-symbols-file ${wl}$export_symbols -o $lib' ;; esac _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}--rpath ${wl}$libdir' _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic' _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; func_echo_all \"$new_convenience\"` ${wl}--no-whole-archive' ;; cxx*) # Compaq C++ _LT_TAGVAR(archive_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib' _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib ${wl}-retain-symbols-file $wl$export_symbols' runpath_var=LD_RUN_PATH _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-rpath $libdir' _LT_TAGVAR(hardcode_libdir_separator, $1)=: # Commands to make compiler produce verbose output that lists # what "hidden" libraries, object files and flags are used when # linking a shared library. # # There doesn't appear to be a way to prevent this compiler from # explicitly linking system object files so we need to strip them # from the output so that they don't get included in the library # dependencies. output_verbose_link_cmd='templist=`$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP "ld"`; templist=`func_echo_all "$templist" | $SED "s/\(^.*ld.*\)\( .*ld .*$\)/\1/"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; func_echo_all "X$list" | $Xsed' ;; xl* | mpixl* | bgxl*) # IBM XL 8.0 on PPC, with GNU ld _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir' _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic' _LT_TAGVAR(archive_cmds, $1)='$CC -qmkshrobj $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' if test "x$supports_anon_versioning" = xyes; then _LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $output_objdir/$libname.ver~ cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~ echo "local: *; };" >> $output_objdir/$libname.ver~ $CC -qmkshrobj $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-version-script ${wl}$output_objdir/$libname.ver -o $lib' fi ;; *) case `$CC -V 2>&1 | sed 5q` in *Sun\ C*) # Sun C++ 5.9 _LT_TAGVAR(no_undefined_flag, $1)=' -zdefs' _LT_TAGVAR(archive_cmds, $1)='$CC -G${allow_undefined_flag} -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags' _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -G${allow_undefined_flag} -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-retain-symbols-file ${wl}$export_symbols' _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir' _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`new_convenience=; for conv in $convenience\"\"; do test -z \"$conv\" || new_convenience=\"$new_convenience,$conv\"; done; func_echo_all \"$new_convenience\"` ${wl}--no-whole-archive' _LT_TAGVAR(compiler_needs_object, $1)=yes # Not sure whether something based on # $CC $CFLAGS -v conftest.$objext -o libconftest$shared_ext 2>&1 # would be better. output_verbose_link_cmd='func_echo_all' # Archives containing C++ object files must be created using # "CC -xar", where "CC" is the Sun C++ compiler. This is # necessary to make sure instantiated templates are included # in the archive. _LT_TAGVAR(old_archive_cmds, $1)='$CC -xar -o $oldlib $oldobjs' ;; esac ;; esac ;; lynxos*) # FIXME: insert proper C++ library support _LT_TAGVAR(ld_shlibs, $1)=no ;; m88k*) # FIXME: insert proper C++ library support _LT_TAGVAR(ld_shlibs, $1)=no ;; mvs*) case $cc_basename in cxx*) # FIXME: insert proper C++ library support _LT_TAGVAR(ld_shlibs, $1)=no ;; *) # FIXME: insert proper C++ library support _LT_TAGVAR(ld_shlibs, $1)=no ;; esac ;; netbsd*) if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then _LT_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $predep_objects $libobjs $deplibs $postdep_objects $linker_flags' wlarc= _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir' _LT_TAGVAR(hardcode_direct, $1)=yes _LT_TAGVAR(hardcode_shlibpath_var, $1)=no fi # Workaround some broken pre-1.5 toolchains output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP conftest.$objext | $SED -e "s:-lgcc -lc -lgcc::"' ;; *nto* | *qnx*) _LT_TAGVAR(ld_shlibs, $1)=yes ;; openbsd2*) # C++ shared libraries are fairly broken _LT_TAGVAR(ld_shlibs, $1)=no ;; openbsd*) if test -f /usr/libexec/ld.so; then _LT_TAGVAR(hardcode_direct, $1)=yes _LT_TAGVAR(hardcode_shlibpath_var, $1)=no _LT_TAGVAR(hardcode_direct_absolute, $1)=yes _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $lib' _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir' if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-retain-symbols-file,$export_symbols -o $lib' _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E' _LT_TAGVAR(whole_archive_flag_spec, $1)="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive' fi output_verbose_link_cmd=func_echo_all else _LT_TAGVAR(ld_shlibs, $1)=no fi ;; osf3* | osf4* | osf5*) case $cc_basename in KCC*) # Kuck and Associates, Inc. (KAI) C++ Compiler # KCC will only create a shared library if the output file # ends with ".so" (or ".sl" for HP-UX), so rename the library # to its proper name (with version) after linking. _LT_TAGVAR(archive_cmds, $1)='tempext=`echo $shared_ext | $SED -e '\''s/\([[^()0-9A-Za-z{}]]\)/\\\\\1/g'\''`; templib=`echo "$lib" | $SED -e "s/\${tempext}\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib; mv \$templib $lib' _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir' _LT_TAGVAR(hardcode_libdir_separator, $1)=: # Archives containing C++ object files must be created using # the KAI C++ compiler. case $host in osf3*) _LT_TAGVAR(old_archive_cmds, $1)='$CC -Bstatic -o $oldlib $oldobjs' ;; *) _LT_TAGVAR(old_archive_cmds, $1)='$CC -o $oldlib $oldobjs' ;; esac ;; RCC*) # Rational C++ 2.4.1 # FIXME: insert proper C++ library support _LT_TAGVAR(ld_shlibs, $1)=no ;; cxx*) case $host in osf3*) _LT_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*' _LT_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $soname `test -n "$verstring" && func_echo_all "${wl}-set_version $verstring"` -update_registry ${output_objdir}/so_locations -o $lib' _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir' ;; *) _LT_TAGVAR(allow_undefined_flag, $1)=' -expect_unresolved \*' _LT_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -msym -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry ${output_objdir}/so_locations -o $lib' _LT_TAGVAR(archive_expsym_cmds, $1)='for i in `cat $export_symbols`; do printf "%s %s\\n" -exported_symbol "\$i" >> $lib.exp; done~ echo "-hidden">> $lib.exp~ $CC -shared$allow_undefined_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -msym -soname $soname ${wl}-input ${wl}$lib.exp `test -n "$verstring" && $ECHO "-set_version $verstring"` -update_registry ${output_objdir}/so_locations -o $lib~ $RM $lib.exp' _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-rpath $libdir' ;; esac _LT_TAGVAR(hardcode_libdir_separator, $1)=: # Commands to make compiler produce verbose output that lists # what "hidden" libraries, object files and flags are used when # linking a shared library. # # There doesn't appear to be a way to prevent this compiler from # explicitly linking system object files so we need to strip them # from the output so that they don't get included in the library # dependencies. output_verbose_link_cmd='templist=`$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP "ld" | $GREP -v "ld:"`; templist=`func_echo_all "$templist" | $SED "s/\(^.*ld.*\)\( .*ld.*$\)/\1/"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; func_echo_all "$list"' ;; *) if test "$GXX" = yes && test "$with_gnu_ld" = no; then _LT_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*' case $host in osf3*) _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib ${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && func_echo_all "${wl}-set_version ${wl}$verstring"` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib' ;; *) _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -nostdlib ${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && func_echo_all "${wl}-set_version ${wl}$verstring"` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib' ;; esac _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir' _LT_TAGVAR(hardcode_libdir_separator, $1)=: # Commands to make compiler produce verbose output that lists # what "hidden" libraries, object files and flags are used when # linking a shared library. output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP "\-L"' else # FIXME: insert proper C++ library support _LT_TAGVAR(ld_shlibs, $1)=no fi ;; esac ;; psos*) # FIXME: insert proper C++ library support _LT_TAGVAR(ld_shlibs, $1)=no ;; sunos4*) case $cc_basename in CC*) # Sun C++ 4.x # FIXME: insert proper C++ library support _LT_TAGVAR(ld_shlibs, $1)=no ;; lcc*) # Lucid # FIXME: insert proper C++ library support _LT_TAGVAR(ld_shlibs, $1)=no ;; *) # FIXME: insert proper C++ library support _LT_TAGVAR(ld_shlibs, $1)=no ;; esac ;; solaris*) case $cc_basename in CC* | sunCC*) # Sun C++ 4.2, 5.x and Centerline C++ _LT_TAGVAR(archive_cmds_need_lc,$1)=yes _LT_TAGVAR(no_undefined_flag, $1)=' -zdefs' _LT_TAGVAR(archive_cmds, $1)='$CC -G${allow_undefined_flag} -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags' _LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~echo "local: *; };" >> $lib.exp~ $CC -G${allow_undefined_flag} ${wl}-M ${wl}$lib.exp -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~$RM $lib.exp' _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir' _LT_TAGVAR(hardcode_shlibpath_var, $1)=no case $host_os in solaris2.[[0-5]] | solaris2.[[0-5]].*) ;; *) # The compiler driver will combine and reorder linker options, # but understands `-z linker_flag'. # Supported since Solaris 2.6 (maybe 2.5.1?) _LT_TAGVAR(whole_archive_flag_spec, $1)='-z allextract$convenience -z defaultextract' ;; esac _LT_TAGVAR(link_all_deplibs, $1)=yes output_verbose_link_cmd='func_echo_all' # Archives containing C++ object files must be created using # "CC -xar", where "CC" is the Sun C++ compiler. This is # necessary to make sure instantiated templates are included # in the archive. _LT_TAGVAR(old_archive_cmds, $1)='$CC -xar -o $oldlib $oldobjs' ;; gcx*) # Green Hills C++ Compiler _LT_TAGVAR(archive_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-h $wl$soname -o $lib' # The C++ compiler must be used to create the archive. _LT_TAGVAR(old_archive_cmds, $1)='$CC $LDFLAGS -archive -o $oldlib $oldobjs' ;; *) # GNU C++ compiler with Solaris linker if test "$GXX" = yes && test "$with_gnu_ld" = no; then _LT_TAGVAR(no_undefined_flag, $1)=' ${wl}-z ${wl}defs' if $CC --version | $GREP -v '^2\.7' > /dev/null; then _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -nostdlib $LDFLAGS $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-h $wl$soname -o $lib' _LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~echo "local: *; };" >> $lib.exp~ $CC -shared $pic_flag -nostdlib ${wl}-M $wl$lib.exp -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~$RM $lib.exp' # Commands to make compiler produce verbose output that lists # what "hidden" libraries, object files and flags are used when # linking a shared library. output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP "\-L"' else # g++ 2.7 appears to require `-G' NOT `-shared' on this # platform. _LT_TAGVAR(archive_cmds, $1)='$CC -G -nostdlib $LDFLAGS $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-h $wl$soname -o $lib' _LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~echo "local: *; };" >> $lib.exp~ $CC -G -nostdlib ${wl}-M $wl$lib.exp -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~$RM $lib.exp' # Commands to make compiler produce verbose output that lists # what "hidden" libraries, object files and flags are used when # linking a shared library. output_verbose_link_cmd='$CC -G $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP "\-L"' fi _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-R $wl$libdir' case $host_os in solaris2.[[0-5]] | solaris2.[[0-5]].*) ;; *) _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}-z ${wl}allextract$convenience ${wl}-z ${wl}defaultextract' ;; esac fi ;; esac ;; sysv4*uw2* | sysv5OpenUNIX* | sysv5UnixWare7.[[01]].[[10]]* | unixware7* | sco3.2v5.0.[[024]]*) _LT_TAGVAR(no_undefined_flag, $1)='${wl}-z,text' _LT_TAGVAR(archive_cmds_need_lc, $1)=no _LT_TAGVAR(hardcode_shlibpath_var, $1)=no runpath_var='LD_RUN_PATH' case $cc_basename in CC*) _LT_TAGVAR(archive_cmds, $1)='$CC -G ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags' _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags' ;; *) _LT_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags' _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags' ;; esac ;; sysv5* | sco3.2v5* | sco5v6*) # Note: We can NOT use -z defs as we might desire, because we do not # link with -lc, and that would cause any symbols used from libc to # always be unresolved, which means just about no library would # ever link correctly. If we're not using GNU ld we use -z text # though, which does catch some bad symbols but isn't as heavy-handed # as -z defs. _LT_TAGVAR(no_undefined_flag, $1)='${wl}-z,text' _LT_TAGVAR(allow_undefined_flag, $1)='${wl}-z,nodefs' _LT_TAGVAR(archive_cmds_need_lc, $1)=no _LT_TAGVAR(hardcode_shlibpath_var, $1)=no _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-R,$libdir' _LT_TAGVAR(hardcode_libdir_separator, $1)=':' _LT_TAGVAR(link_all_deplibs, $1)=yes _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-Bexport' runpath_var='LD_RUN_PATH' case $cc_basename in CC*) _LT_TAGVAR(archive_cmds, $1)='$CC -G ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags' _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags' _LT_TAGVAR(old_archive_cmds, $1)='$CC -Tprelink_objects $oldobjs~ '"$_LT_TAGVAR(old_archive_cmds, $1)" _LT_TAGVAR(reload_cmds, $1)='$CC -Tprelink_objects $reload_objs~ '"$_LT_TAGVAR(reload_cmds, $1)" ;; *) _LT_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags' _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags' ;; esac ;; tandem*) case $cc_basename in NCC*) # NonStop-UX NCC 3.20 # FIXME: insert proper C++ library support _LT_TAGVAR(ld_shlibs, $1)=no ;; *) # FIXME: insert proper C++ library support _LT_TAGVAR(ld_shlibs, $1)=no ;; esac ;; vxworks*) # FIXME: insert proper C++ library support _LT_TAGVAR(ld_shlibs, $1)=no ;; *) # FIXME: insert proper C++ library support _LT_TAGVAR(ld_shlibs, $1)=no ;; esac AC_MSG_RESULT([$_LT_TAGVAR(ld_shlibs, $1)]) test "$_LT_TAGVAR(ld_shlibs, $1)" = no && can_build_shared=no _LT_TAGVAR(GCC, $1)="$GXX" _LT_TAGVAR(LD, $1)="$LD" ## CAVEAT EMPTOR: ## There is no encapsulation within the following macros, do not change ## the running order or otherwise move them around unless you know exactly ## what you are doing... _LT_SYS_HIDDEN_LIBDEPS($1) _LT_COMPILER_PIC($1) _LT_COMPILER_C_O($1) _LT_COMPILER_FILE_LOCKS($1) _LT_LINKER_SHLIBS($1) _LT_SYS_DYNAMIC_LINKER($1) _LT_LINKER_HARDCODE_LIBPATH($1) _LT_CONFIG($1) fi # test -n "$compiler" CC=$lt_save_CC CFLAGS=$lt_save_CFLAGS LDCXX=$LD LD=$lt_save_LD GCC=$lt_save_GCC with_gnu_ld=$lt_save_with_gnu_ld lt_cv_path_LDCXX=$lt_cv_path_LD lt_cv_path_LD=$lt_save_path_LD lt_cv_prog_gnu_ldcxx=$lt_cv_prog_gnu_ld lt_cv_prog_gnu_ld=$lt_save_with_gnu_ld fi # test "$_lt_caught_CXX_error" != yes AC_LANG_POP ])# _LT_LANG_CXX_CONFIG # _LT_FUNC_STRIPNAME_CNF # ---------------------- # func_stripname_cnf prefix suffix name # strip PREFIX and SUFFIX off of NAME. # PREFIX and SUFFIX must not contain globbing or regex special # characters, hashes, percent signs, but SUFFIX may contain a leading # dot (in which case that matches only a dot). # # This function is identical to the (non-XSI) version of func_stripname, # except this one can be used by m4 code that may be executed by configure, # rather than the libtool script. m4_defun([_LT_FUNC_STRIPNAME_CNF],[dnl AC_REQUIRE([_LT_DECL_SED]) AC_REQUIRE([_LT_PROG_ECHO_BACKSLASH]) func_stripname_cnf () { case ${2} in .*) func_stripname_result=`$ECHO "${3}" | $SED "s%^${1}%%; s%\\\\${2}\$%%"`;; *) func_stripname_result=`$ECHO "${3}" | $SED "s%^${1}%%; s%${2}\$%%"`;; esac } # func_stripname_cnf ])# _LT_FUNC_STRIPNAME_CNF # _LT_SYS_HIDDEN_LIBDEPS([TAGNAME]) # --------------------------------- # Figure out "hidden" library dependencies from verbose # compiler output when linking a shared library. # Parse the compiler output and extract the necessary # objects, libraries and library flags. m4_defun([_LT_SYS_HIDDEN_LIBDEPS], [m4_require([_LT_FILEUTILS_DEFAULTS])dnl AC_REQUIRE([_LT_FUNC_STRIPNAME_CNF])dnl # Dependencies to place before and after the object being linked: _LT_TAGVAR(predep_objects, $1)= _LT_TAGVAR(postdep_objects, $1)= _LT_TAGVAR(predeps, $1)= _LT_TAGVAR(postdeps, $1)= _LT_TAGVAR(compiler_lib_search_path, $1)= dnl we can't use the lt_simple_compile_test_code here, dnl because it contains code intended for an executable, dnl not a library. It's possible we should let each dnl tag define a new lt_????_link_test_code variable, dnl but it's only used here... m4_if([$1], [], [cat > conftest.$ac_ext <<_LT_EOF int a; void foo (void) { a = 0; } _LT_EOF ], [$1], [CXX], [cat > conftest.$ac_ext <<_LT_EOF class Foo { public: Foo (void) { a = 0; } private: int a; }; _LT_EOF ], [$1], [F77], [cat > conftest.$ac_ext <<_LT_EOF subroutine foo implicit none integer*4 a a=0 return end _LT_EOF ], [$1], [FC], [cat > conftest.$ac_ext <<_LT_EOF subroutine foo implicit none integer a a=0 return end _LT_EOF ], [$1], [GCJ], [cat > conftest.$ac_ext <<_LT_EOF public class foo { private int a; public void bar (void) { a = 0; } }; _LT_EOF ], [$1], [GO], [cat > conftest.$ac_ext <<_LT_EOF package foo func foo() { } _LT_EOF ]) _lt_libdeps_save_CFLAGS=$CFLAGS case "$CC $CFLAGS " in #( *\ -flto*\ *) CFLAGS="$CFLAGS -fno-lto" ;; *\ -fwhopr*\ *) CFLAGS="$CFLAGS -fno-whopr" ;; *\ -fuse-linker-plugin*\ *) CFLAGS="$CFLAGS -fno-use-linker-plugin" ;; esac dnl Parse the compiler output and extract the necessary dnl objects, libraries and library flags. if AC_TRY_EVAL(ac_compile); then # Parse the compiler output and extract the necessary # objects, libraries and library flags. # Sentinel used to keep track of whether or not we are before # the conftest object file. pre_test_object_deps_done=no for p in `eval "$output_verbose_link_cmd"`; do case ${prev}${p} in -L* | -R* | -l*) # Some compilers place space between "-{L,R}" and the path. # Remove the space. if test $p = "-L" || test $p = "-R"; then prev=$p continue fi # Expand the sysroot to ease extracting the directories later. if test -z "$prev"; then case $p in -L*) func_stripname_cnf '-L' '' "$p"; prev=-L; p=$func_stripname_result ;; -R*) func_stripname_cnf '-R' '' "$p"; prev=-R; p=$func_stripname_result ;; -l*) func_stripname_cnf '-l' '' "$p"; prev=-l; p=$func_stripname_result ;; esac fi case $p in =*) func_stripname_cnf '=' '' "$p"; p=$lt_sysroot$func_stripname_result ;; esac if test "$pre_test_object_deps_done" = no; then case ${prev} in -L | -R) # Internal compiler library paths should come after those # provided the user. The postdeps already come after the # user supplied libs so there is no need to process them. if test -z "$_LT_TAGVAR(compiler_lib_search_path, $1)"; then _LT_TAGVAR(compiler_lib_search_path, $1)="${prev}${p}" else _LT_TAGVAR(compiler_lib_search_path, $1)="${_LT_TAGVAR(compiler_lib_search_path, $1)} ${prev}${p}" fi ;; # The "-l" case would never come before the object being # linked, so don't bother handling this case. esac else if test -z "$_LT_TAGVAR(postdeps, $1)"; then _LT_TAGVAR(postdeps, $1)="${prev}${p}" else _LT_TAGVAR(postdeps, $1)="${_LT_TAGVAR(postdeps, $1)} ${prev}${p}" fi fi prev= ;; *.lto.$objext) ;; # Ignore GCC LTO objects *.$objext) # This assumes that the test object file only shows up # once in the compiler output. if test "$p" = "conftest.$objext"; then pre_test_object_deps_done=yes continue fi if test "$pre_test_object_deps_done" = no; then if test -z "$_LT_TAGVAR(predep_objects, $1)"; then _LT_TAGVAR(predep_objects, $1)="$p" else _LT_TAGVAR(predep_objects, $1)="$_LT_TAGVAR(predep_objects, $1) $p" fi else if test -z "$_LT_TAGVAR(postdep_objects, $1)"; then _LT_TAGVAR(postdep_objects, $1)="$p" else _LT_TAGVAR(postdep_objects, $1)="$_LT_TAGVAR(postdep_objects, $1) $p" fi fi ;; *) ;; # Ignore the rest. esac done # Clean up. rm -f a.out a.exe else echo "libtool.m4: error: problem compiling $1 test program" fi $RM -f confest.$objext CFLAGS=$_lt_libdeps_save_CFLAGS # PORTME: override above test on systems where it is broken m4_if([$1], [CXX], [case $host_os in interix[[3-9]]*) # Interix 3.5 installs completely hosed .la files for C++, so rather than # hack all around it, let's just trust "g++" to DTRT. _LT_TAGVAR(predep_objects,$1)= _LT_TAGVAR(postdep_objects,$1)= _LT_TAGVAR(postdeps,$1)= ;; linux*) case `$CC -V 2>&1 | sed 5q` in *Sun\ C*) # Sun C++ 5.9 # The more standards-conforming stlport4 library is # incompatible with the Cstd library. Avoid specifying # it if it's in CXXFLAGS. Ignore libCrun as # -library=stlport4 depends on it. case " $CXX $CXXFLAGS " in *" -library=stlport4 "*) solaris_use_stlport4=yes ;; esac if test "$solaris_use_stlport4" != yes; then _LT_TAGVAR(postdeps,$1)='-library=Cstd -library=Crun' fi ;; esac ;; solaris*) case $cc_basename in CC* | sunCC*) # The more standards-conforming stlport4 library is # incompatible with the Cstd library. Avoid specifying # it if it's in CXXFLAGS. Ignore libCrun as # -library=stlport4 depends on it. case " $CXX $CXXFLAGS " in *" -library=stlport4 "*) solaris_use_stlport4=yes ;; esac # Adding this requires a known-good setup of shared libraries for # Sun compiler versions before 5.6, else PIC objects from an old # archive will be linked into the output, leading to subtle bugs. if test "$solaris_use_stlport4" != yes; then _LT_TAGVAR(postdeps,$1)='-library=Cstd -library=Crun' fi ;; esac ;; esac ]) case " $_LT_TAGVAR(postdeps, $1) " in *" -lc "*) _LT_TAGVAR(archive_cmds_need_lc, $1)=no ;; esac _LT_TAGVAR(compiler_lib_search_dirs, $1)= if test -n "${_LT_TAGVAR(compiler_lib_search_path, $1)}"; then _LT_TAGVAR(compiler_lib_search_dirs, $1)=`echo " ${_LT_TAGVAR(compiler_lib_search_path, $1)}" | ${SED} -e 's! -L! !g' -e 's!^ !!'` fi _LT_TAGDECL([], [compiler_lib_search_dirs], [1], [The directories searched by this compiler when creating a shared library]) _LT_TAGDECL([], [predep_objects], [1], [Dependencies to place before and after the objects being linked to create a shared library]) _LT_TAGDECL([], [postdep_objects], [1]) _LT_TAGDECL([], [predeps], [1]) _LT_TAGDECL([], [postdeps], [1]) _LT_TAGDECL([], [compiler_lib_search_path], [1], [The library search path used internally by the compiler when linking a shared library]) ])# _LT_SYS_HIDDEN_LIBDEPS # _LT_LANG_F77_CONFIG([TAG]) # -------------------------- # Ensure that the configuration variables for a Fortran 77 compiler are # suitably defined. These variables are subsequently used by _LT_CONFIG # to write the compiler configuration to `libtool'. m4_defun([_LT_LANG_F77_CONFIG], [AC_LANG_PUSH(Fortran 77) if test -z "$F77" || test "X$F77" = "Xno"; then _lt_disable_F77=yes fi _LT_TAGVAR(archive_cmds_need_lc, $1)=no _LT_TAGVAR(allow_undefined_flag, $1)= _LT_TAGVAR(always_export_symbols, $1)=no _LT_TAGVAR(archive_expsym_cmds, $1)= _LT_TAGVAR(export_dynamic_flag_spec, $1)= _LT_TAGVAR(hardcode_direct, $1)=no _LT_TAGVAR(hardcode_direct_absolute, $1)=no _LT_TAGVAR(hardcode_libdir_flag_spec, $1)= _LT_TAGVAR(hardcode_libdir_separator, $1)= _LT_TAGVAR(hardcode_minus_L, $1)=no _LT_TAGVAR(hardcode_automatic, $1)=no _LT_TAGVAR(inherit_rpath, $1)=no _LT_TAGVAR(module_cmds, $1)= _LT_TAGVAR(module_expsym_cmds, $1)= _LT_TAGVAR(link_all_deplibs, $1)=unknown _LT_TAGVAR(old_archive_cmds, $1)=$old_archive_cmds _LT_TAGVAR(reload_flag, $1)=$reload_flag _LT_TAGVAR(reload_cmds, $1)=$reload_cmds _LT_TAGVAR(no_undefined_flag, $1)= _LT_TAGVAR(whole_archive_flag_spec, $1)= _LT_TAGVAR(enable_shared_with_static_runtimes, $1)=no # Source file extension for f77 test sources. ac_ext=f # Object file extension for compiled f77 test sources. objext=o _LT_TAGVAR(objext, $1)=$objext # No sense in running all these tests if we already determined that # the F77 compiler isn't working. Some variables (like enable_shared) # are currently assumed to apply to all compilers on this platform, # and will be corrupted by setting them based on a non-working compiler. if test "$_lt_disable_F77" != yes; then # Code to be used in simple compile tests lt_simple_compile_test_code="\ subroutine t return end " # Code to be used in simple link tests lt_simple_link_test_code="\ program t end " # ltmain only uses $CC for tagged configurations so make sure $CC is set. _LT_TAG_COMPILER # save warnings/boilerplate of simple test code _LT_COMPILER_BOILERPLATE _LT_LINKER_BOILERPLATE # Allow CC to be a program name with arguments. lt_save_CC="$CC" lt_save_GCC=$GCC lt_save_CFLAGS=$CFLAGS CC=${F77-"f77"} CFLAGS=$FFLAGS compiler=$CC _LT_TAGVAR(compiler, $1)=$CC _LT_CC_BASENAME([$compiler]) GCC=$G77 if test -n "$compiler"; then AC_MSG_CHECKING([if libtool supports shared libraries]) AC_MSG_RESULT([$can_build_shared]) AC_MSG_CHECKING([whether to build shared libraries]) test "$can_build_shared" = "no" && enable_shared=no # On AIX, shared libraries and static libraries use the same namespace, and # are all built from PIC. case $host_os in aix3*) test "$enable_shared" = yes && enable_static=no if test -n "$RANLIB"; then archive_cmds="$archive_cmds~\$RANLIB \$lib" postinstall_cmds='$RANLIB $lib' fi ;; aix[[4-9]]*) if test "$host_cpu" != ia64 && test "$aix_use_runtimelinking" = no ; then test "$enable_shared" = yes && enable_static=no fi ;; esac AC_MSG_RESULT([$enable_shared]) AC_MSG_CHECKING([whether to build static libraries]) # Make sure either enable_shared or enable_static is yes. test "$enable_shared" = yes || enable_static=yes AC_MSG_RESULT([$enable_static]) _LT_TAGVAR(GCC, $1)="$G77" _LT_TAGVAR(LD, $1)="$LD" ## CAVEAT EMPTOR: ## There is no encapsulation within the following macros, do not change ## the running order or otherwise move them around unless you know exactly ## what you are doing... _LT_COMPILER_PIC($1) _LT_COMPILER_C_O($1) _LT_COMPILER_FILE_LOCKS($1) _LT_LINKER_SHLIBS($1) _LT_SYS_DYNAMIC_LINKER($1) _LT_LINKER_HARDCODE_LIBPATH($1) _LT_CONFIG($1) fi # test -n "$compiler" GCC=$lt_save_GCC CC="$lt_save_CC" CFLAGS="$lt_save_CFLAGS" fi # test "$_lt_disable_F77" != yes AC_LANG_POP ])# _LT_LANG_F77_CONFIG # _LT_LANG_FC_CONFIG([TAG]) # ------------------------- # Ensure that the configuration variables for a Fortran compiler are # suitably defined. These variables are subsequently used by _LT_CONFIG # to write the compiler configuration to `libtool'. m4_defun([_LT_LANG_FC_CONFIG], [AC_LANG_PUSH(Fortran) if test -z "$FC" || test "X$FC" = "Xno"; then _lt_disable_FC=yes fi _LT_TAGVAR(archive_cmds_need_lc, $1)=no _LT_TAGVAR(allow_undefined_flag, $1)= _LT_TAGVAR(always_export_symbols, $1)=no _LT_TAGVAR(archive_expsym_cmds, $1)= _LT_TAGVAR(export_dynamic_flag_spec, $1)= _LT_TAGVAR(hardcode_direct, $1)=no _LT_TAGVAR(hardcode_direct_absolute, $1)=no _LT_TAGVAR(hardcode_libdir_flag_spec, $1)= _LT_TAGVAR(hardcode_libdir_separator, $1)= _LT_TAGVAR(hardcode_minus_L, $1)=no _LT_TAGVAR(hardcode_automatic, $1)=no _LT_TAGVAR(inherit_rpath, $1)=no _LT_TAGVAR(module_cmds, $1)= _LT_TAGVAR(module_expsym_cmds, $1)= _LT_TAGVAR(link_all_deplibs, $1)=unknown _LT_TAGVAR(old_archive_cmds, $1)=$old_archive_cmds _LT_TAGVAR(reload_flag, $1)=$reload_flag _LT_TAGVAR(reload_cmds, $1)=$reload_cmds _LT_TAGVAR(no_undefined_flag, $1)= _LT_TAGVAR(whole_archive_flag_spec, $1)= _LT_TAGVAR(enable_shared_with_static_runtimes, $1)=no # Source file extension for fc test sources. ac_ext=${ac_fc_srcext-f} # Object file extension for compiled fc test sources. objext=o _LT_TAGVAR(objext, $1)=$objext # No sense in running all these tests if we already determined that # the FC compiler isn't working. Some variables (like enable_shared) # are currently assumed to apply to all compilers on this platform, # and will be corrupted by setting them based on a non-working compiler. if test "$_lt_disable_FC" != yes; then # Code to be used in simple compile tests lt_simple_compile_test_code="\ subroutine t return end " # Code to be used in simple link tests lt_simple_link_test_code="\ program t end " # ltmain only uses $CC for tagged configurations so make sure $CC is set. _LT_TAG_COMPILER # save warnings/boilerplate of simple test code _LT_COMPILER_BOILERPLATE _LT_LINKER_BOILERPLATE # Allow CC to be a program name with arguments. lt_save_CC="$CC" lt_save_GCC=$GCC lt_save_CFLAGS=$CFLAGS CC=${FC-"f95"} CFLAGS=$FCFLAGS compiler=$CC GCC=$ac_cv_fc_compiler_gnu _LT_TAGVAR(compiler, $1)=$CC _LT_CC_BASENAME([$compiler]) if test -n "$compiler"; then AC_MSG_CHECKING([if libtool supports shared libraries]) AC_MSG_RESULT([$can_build_shared]) AC_MSG_CHECKING([whether to build shared libraries]) test "$can_build_shared" = "no" && enable_shared=no # On AIX, shared libraries and static libraries use the same namespace, and # are all built from PIC. case $host_os in aix3*) test "$enable_shared" = yes && enable_static=no if test -n "$RANLIB"; then archive_cmds="$archive_cmds~\$RANLIB \$lib" postinstall_cmds='$RANLIB $lib' fi ;; aix[[4-9]]*) if test "$host_cpu" != ia64 && test "$aix_use_runtimelinking" = no ; then test "$enable_shared" = yes && enable_static=no fi ;; esac AC_MSG_RESULT([$enable_shared]) AC_MSG_CHECKING([whether to build static libraries]) # Make sure either enable_shared or enable_static is yes. test "$enable_shared" = yes || enable_static=yes AC_MSG_RESULT([$enable_static]) _LT_TAGVAR(GCC, $1)="$ac_cv_fc_compiler_gnu" _LT_TAGVAR(LD, $1)="$LD" ## CAVEAT EMPTOR: ## There is no encapsulation within the following macros, do not change ## the running order or otherwise move them around unless you know exactly ## what you are doing... _LT_SYS_HIDDEN_LIBDEPS($1) _LT_COMPILER_PIC($1) _LT_COMPILER_C_O($1) _LT_COMPILER_FILE_LOCKS($1) _LT_LINKER_SHLIBS($1) _LT_SYS_DYNAMIC_LINKER($1) _LT_LINKER_HARDCODE_LIBPATH($1) _LT_CONFIG($1) fi # test -n "$compiler" GCC=$lt_save_GCC CC=$lt_save_CC CFLAGS=$lt_save_CFLAGS fi # test "$_lt_disable_FC" != yes AC_LANG_POP ])# _LT_LANG_FC_CONFIG # _LT_LANG_GCJ_CONFIG([TAG]) # -------------------------- # Ensure that the configuration variables for the GNU Java Compiler compiler # are suitably defined. These variables are subsequently used by _LT_CONFIG # to write the compiler configuration to `libtool'. m4_defun([_LT_LANG_GCJ_CONFIG], [AC_REQUIRE([LT_PROG_GCJ])dnl AC_LANG_SAVE # Source file extension for Java test sources. ac_ext=java # Object file extension for compiled Java test sources. objext=o _LT_TAGVAR(objext, $1)=$objext # Code to be used in simple compile tests lt_simple_compile_test_code="class foo {}" # Code to be used in simple link tests lt_simple_link_test_code='public class conftest { public static void main(String[[]] argv) {}; }' # ltmain only uses $CC for tagged configurations so make sure $CC is set. _LT_TAG_COMPILER # save warnings/boilerplate of simple test code _LT_COMPILER_BOILERPLATE _LT_LINKER_BOILERPLATE # Allow CC to be a program name with arguments. lt_save_CC=$CC lt_save_CFLAGS=$CFLAGS lt_save_GCC=$GCC GCC=yes CC=${GCJ-"gcj"} CFLAGS=$GCJFLAGS compiler=$CC _LT_TAGVAR(compiler, $1)=$CC _LT_TAGVAR(LD, $1)="$LD" _LT_CC_BASENAME([$compiler]) # GCJ did not exist at the time GCC didn't implicitly link libc in. _LT_TAGVAR(archive_cmds_need_lc, $1)=no _LT_TAGVAR(old_archive_cmds, $1)=$old_archive_cmds _LT_TAGVAR(reload_flag, $1)=$reload_flag _LT_TAGVAR(reload_cmds, $1)=$reload_cmds ## CAVEAT EMPTOR: ## There is no encapsulation within the following macros, do not change ## the running order or otherwise move them around unless you know exactly ## what you are doing... if test -n "$compiler"; then _LT_COMPILER_NO_RTTI($1) _LT_COMPILER_PIC($1) _LT_COMPILER_C_O($1) _LT_COMPILER_FILE_LOCKS($1) _LT_LINKER_SHLIBS($1) _LT_LINKER_HARDCODE_LIBPATH($1) _LT_CONFIG($1) fi AC_LANG_RESTORE GCC=$lt_save_GCC CC=$lt_save_CC CFLAGS=$lt_save_CFLAGS ])# _LT_LANG_GCJ_CONFIG # _LT_LANG_GO_CONFIG([TAG]) # -------------------------- # Ensure that the configuration variables for the GNU Go compiler # are suitably defined. These variables are subsequently used by _LT_CONFIG # to write the compiler configuration to `libtool'. m4_defun([_LT_LANG_GO_CONFIG], [AC_REQUIRE([LT_PROG_GO])dnl AC_LANG_SAVE # Source file extension for Go test sources. ac_ext=go # Object file extension for compiled Go test sources. objext=o _LT_TAGVAR(objext, $1)=$objext # Code to be used in simple compile tests lt_simple_compile_test_code="package main; func main() { }" # Code to be used in simple link tests lt_simple_link_test_code='package main; func main() { }' # ltmain only uses $CC for tagged configurations so make sure $CC is set. _LT_TAG_COMPILER # save warnings/boilerplate of simple test code _LT_COMPILER_BOILERPLATE _LT_LINKER_BOILERPLATE # Allow CC to be a program name with arguments. lt_save_CC=$CC lt_save_CFLAGS=$CFLAGS lt_save_GCC=$GCC GCC=yes CC=${GOC-"gccgo"} CFLAGS=$GOFLAGS compiler=$CC _LT_TAGVAR(compiler, $1)=$CC _LT_TAGVAR(LD, $1)="$LD" _LT_CC_BASENAME([$compiler]) # Go did not exist at the time GCC didn't implicitly link libc in. _LT_TAGVAR(archive_cmds_need_lc, $1)=no _LT_TAGVAR(old_archive_cmds, $1)=$old_archive_cmds _LT_TAGVAR(reload_flag, $1)=$reload_flag _LT_TAGVAR(reload_cmds, $1)=$reload_cmds ## CAVEAT EMPTOR: ## There is no encapsulation within the following macros, do not change ## the running order or otherwise move them around unless you know exactly ## what you are doing... if test -n "$compiler"; then _LT_COMPILER_NO_RTTI($1) _LT_COMPILER_PIC($1) _LT_COMPILER_C_O($1) _LT_COMPILER_FILE_LOCKS($1) _LT_LINKER_SHLIBS($1) _LT_LINKER_HARDCODE_LIBPATH($1) _LT_CONFIG($1) fi AC_LANG_RESTORE GCC=$lt_save_GCC CC=$lt_save_CC CFLAGS=$lt_save_CFLAGS ])# _LT_LANG_GO_CONFIG # _LT_LANG_RC_CONFIG([TAG]) # ------------------------- # Ensure that the configuration variables for the Windows resource compiler # are suitably defined. These variables are subsequently used by _LT_CONFIG # to write the compiler configuration to `libtool'. m4_defun([_LT_LANG_RC_CONFIG], [AC_REQUIRE([LT_PROG_RC])dnl AC_LANG_SAVE # Source file extension for RC test sources. ac_ext=rc # Object file extension for compiled RC test sources. objext=o _LT_TAGVAR(objext, $1)=$objext # Code to be used in simple compile tests lt_simple_compile_test_code='sample MENU { MENUITEM "&Soup", 100, CHECKED }' # Code to be used in simple link tests lt_simple_link_test_code="$lt_simple_compile_test_code" # ltmain only uses $CC for tagged configurations so make sure $CC is set. _LT_TAG_COMPILER # save warnings/boilerplate of simple test code _LT_COMPILER_BOILERPLATE _LT_LINKER_BOILERPLATE # Allow CC to be a program name with arguments. lt_save_CC="$CC" lt_save_CFLAGS=$CFLAGS lt_save_GCC=$GCC GCC= CC=${RC-"windres"} CFLAGS= compiler=$CC _LT_TAGVAR(compiler, $1)=$CC _LT_CC_BASENAME([$compiler]) _LT_TAGVAR(lt_cv_prog_compiler_c_o, $1)=yes if test -n "$compiler"; then : _LT_CONFIG($1) fi GCC=$lt_save_GCC AC_LANG_RESTORE CC=$lt_save_CC CFLAGS=$lt_save_CFLAGS ])# _LT_LANG_RC_CONFIG # LT_PROG_GCJ # ----------- AC_DEFUN([LT_PROG_GCJ], [m4_ifdef([AC_PROG_GCJ], [AC_PROG_GCJ], [m4_ifdef([A][M_PROG_GCJ], [A][M_PROG_GCJ], [AC_CHECK_TOOL(GCJ, gcj,) test "x${GCJFLAGS+set}" = xset || GCJFLAGS="-g -O2" AC_SUBST(GCJFLAGS)])])[]dnl ]) # Old name: AU_ALIAS([LT_AC_PROG_GCJ], [LT_PROG_GCJ]) dnl aclocal-1.4 backwards compatibility: dnl AC_DEFUN([LT_AC_PROG_GCJ], []) # LT_PROG_GO # ---------- AC_DEFUN([LT_PROG_GO], [AC_CHECK_TOOL(GOC, gccgo,) ]) # LT_PROG_RC # ---------- AC_DEFUN([LT_PROG_RC], [AC_CHECK_TOOL(RC, windres,) ]) # Old name: AU_ALIAS([LT_AC_PROG_RC], [LT_PROG_RC]) dnl aclocal-1.4 backwards compatibility: dnl AC_DEFUN([LT_AC_PROG_RC], []) # _LT_DECL_EGREP # -------------- # If we don't have a new enough Autoconf to choose the best grep # available, choose the one first in the user's PATH. m4_defun([_LT_DECL_EGREP], [AC_REQUIRE([AC_PROG_EGREP])dnl AC_REQUIRE([AC_PROG_FGREP])dnl test -z "$GREP" && GREP=grep _LT_DECL([], [GREP], [1], [A grep program that handles long lines]) _LT_DECL([], [EGREP], [1], [An ERE matcher]) _LT_DECL([], [FGREP], [1], [A literal string matcher]) dnl Non-bleeding-edge autoconf doesn't subst GREP, so do it here too AC_SUBST([GREP]) ]) # _LT_DECL_OBJDUMP # -------------- # If we don't have a new enough Autoconf to choose the best objdump # available, choose the one first in the user's PATH. m4_defun([_LT_DECL_OBJDUMP], [AC_CHECK_TOOL(OBJDUMP, objdump, false) test -z "$OBJDUMP" && OBJDUMP=objdump _LT_DECL([], [OBJDUMP], [1], [An object symbol dumper]) AC_SUBST([OBJDUMP]) ]) # _LT_DECL_DLLTOOL # ---------------- # Ensure DLLTOOL variable is set. m4_defun([_LT_DECL_DLLTOOL], [AC_CHECK_TOOL(DLLTOOL, dlltool, false) test -z "$DLLTOOL" && DLLTOOL=dlltool _LT_DECL([], [DLLTOOL], [1], [DLL creation program]) AC_SUBST([DLLTOOL]) ]) # _LT_DECL_SED # ------------ # Check for a fully-functional sed program, that truncates # as few characters as possible. Prefer GNU sed if found. m4_defun([_LT_DECL_SED], [AC_PROG_SED test -z "$SED" && SED=sed Xsed="$SED -e 1s/^X//" _LT_DECL([], [SED], [1], [A sed program that does not truncate output]) _LT_DECL([], [Xsed], ["\$SED -e 1s/^X//"], [Sed that helps us avoid accidentally triggering echo(1) options like -n]) ])# _LT_DECL_SED m4_ifndef([AC_PROG_SED], [ ############################################################ # NOTE: This macro has been submitted for inclusion into # # GNU Autoconf as AC_PROG_SED. When it is available in # # a released version of Autoconf we should remove this # # macro and use it instead. # ############################################################ m4_defun([AC_PROG_SED], [AC_MSG_CHECKING([for a sed that does not truncate output]) AC_CACHE_VAL(lt_cv_path_SED, [# Loop through the user's path and test for sed and gsed. # Then use that list of sed's as ones to test for truncation. as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for lt_ac_prog in sed gsed; do for ac_exec_ext in '' $ac_executable_extensions; do if $as_executable_p "$as_dir/$lt_ac_prog$ac_exec_ext"; then lt_ac_sed_list="$lt_ac_sed_list $as_dir/$lt_ac_prog$ac_exec_ext" fi done done done IFS=$as_save_IFS lt_ac_max=0 lt_ac_count=0 # Add /usr/xpg4/bin/sed as it is typically found on Solaris # along with /bin/sed that truncates output. for lt_ac_sed in $lt_ac_sed_list /usr/xpg4/bin/sed; do test ! -f $lt_ac_sed && continue cat /dev/null > conftest.in lt_ac_count=0 echo $ECHO_N "0123456789$ECHO_C" >conftest.in # Check for GNU sed and select it if it is found. if "$lt_ac_sed" --version 2>&1 < /dev/null | grep 'GNU' > /dev/null; then lt_cv_path_SED=$lt_ac_sed break fi while true; do cat conftest.in conftest.in >conftest.tmp mv conftest.tmp conftest.in cp conftest.in conftest.nl echo >>conftest.nl $lt_ac_sed -e 's/a$//' < conftest.nl >conftest.out || break cmp -s conftest.out conftest.nl || break # 10000 chars as input seems more than enough test $lt_ac_count -gt 10 && break lt_ac_count=`expr $lt_ac_count + 1` if test $lt_ac_count -gt $lt_ac_max; then lt_ac_max=$lt_ac_count lt_cv_path_SED=$lt_ac_sed fi done done ]) SED=$lt_cv_path_SED AC_SUBST([SED]) AC_MSG_RESULT([$SED]) ])#AC_PROG_SED ])#m4_ifndef # Old name: AU_ALIAS([LT_AC_PROG_SED], [AC_PROG_SED]) dnl aclocal-1.4 backwards compatibility: dnl AC_DEFUN([LT_AC_PROG_SED], []) # _LT_CHECK_SHELL_FEATURES # ------------------------ # Find out whether the shell is Bourne or XSI compatible, # or has some other useful features. m4_defun([_LT_CHECK_SHELL_FEATURES], [AC_MSG_CHECKING([whether the shell understands some XSI constructs]) # Try some XSI features xsi_shell=no ( _lt_dummy="a/b/c" test "${_lt_dummy##*/},${_lt_dummy%/*},${_lt_dummy#??}"${_lt_dummy%"$_lt_dummy"}, \ = c,a/b,b/c, \ && eval 'test $(( 1 + 1 )) -eq 2 \ && test "${#_lt_dummy}" -eq 5' ) >/dev/null 2>&1 \ && xsi_shell=yes AC_MSG_RESULT([$xsi_shell]) _LT_CONFIG_LIBTOOL_INIT([xsi_shell='$xsi_shell']) AC_MSG_CHECKING([whether the shell understands "+="]) lt_shell_append=no ( foo=bar; set foo baz; eval "$[1]+=\$[2]" && test "$foo" = barbaz ) \ >/dev/null 2>&1 \ && lt_shell_append=yes AC_MSG_RESULT([$lt_shell_append]) _LT_CONFIG_LIBTOOL_INIT([lt_shell_append='$lt_shell_append']) if ( (MAIL=60; unset MAIL) || exit) >/dev/null 2>&1; then lt_unset=unset else lt_unset=false fi _LT_DECL([], [lt_unset], [0], [whether the shell understands "unset"])dnl # test EBCDIC or ASCII case `echo X|tr X '\101'` in A) # ASCII based system # \n is not interpreted correctly by Solaris 8 /usr/ucb/tr lt_SP2NL='tr \040 \012' lt_NL2SP='tr \015\012 \040\040' ;; *) # EBCDIC based system lt_SP2NL='tr \100 \n' lt_NL2SP='tr \r\n \100\100' ;; esac _LT_DECL([SP2NL], [lt_SP2NL], [1], [turn spaces into newlines])dnl _LT_DECL([NL2SP], [lt_NL2SP], [1], [turn newlines into spaces])dnl ])# _LT_CHECK_SHELL_FEATURES # _LT_PROG_FUNCTION_REPLACE (FUNCNAME, REPLACEMENT-BODY) # ------------------------------------------------------ # In `$cfgfile', look for function FUNCNAME delimited by `^FUNCNAME ()$' and # '^} FUNCNAME ', and replace its body with REPLACEMENT-BODY. m4_defun([_LT_PROG_FUNCTION_REPLACE], [dnl { sed -e '/^$1 ()$/,/^} # $1 /c\ $1 ()\ {\ m4_bpatsubsts([$2], [$], [\\], [^\([ ]\)], [\\\1]) } # Extended-shell $1 implementation' "$cfgfile" > $cfgfile.tmp \ && mv -f "$cfgfile.tmp" "$cfgfile" \ || (rm -f "$cfgfile" && cp "$cfgfile.tmp" "$cfgfile" && rm -f "$cfgfile.tmp") test 0 -eq $? || _lt_function_replace_fail=: ]) # _LT_PROG_REPLACE_SHELLFNS # ------------------------- # Replace existing portable implementations of several shell functions with # equivalent extended shell implementations where those features are available.. m4_defun([_LT_PROG_REPLACE_SHELLFNS], [if test x"$xsi_shell" = xyes; then _LT_PROG_FUNCTION_REPLACE([func_dirname], [dnl case ${1} in */*) func_dirname_result="${1%/*}${2}" ;; * ) func_dirname_result="${3}" ;; esac]) _LT_PROG_FUNCTION_REPLACE([func_basename], [dnl func_basename_result="${1##*/}"]) _LT_PROG_FUNCTION_REPLACE([func_dirname_and_basename], [dnl case ${1} in */*) func_dirname_result="${1%/*}${2}" ;; * ) func_dirname_result="${3}" ;; esac func_basename_result="${1##*/}"]) _LT_PROG_FUNCTION_REPLACE([func_stripname], [dnl # pdksh 5.2.14 does not do ${X%$Y} correctly if both X and Y are # positional parameters, so assign one to ordinary parameter first. func_stripname_result=${3} func_stripname_result=${func_stripname_result#"${1}"} func_stripname_result=${func_stripname_result%"${2}"}]) _LT_PROG_FUNCTION_REPLACE([func_split_long_opt], [dnl func_split_long_opt_name=${1%%=*} func_split_long_opt_arg=${1#*=}]) _LT_PROG_FUNCTION_REPLACE([func_split_short_opt], [dnl func_split_short_opt_arg=${1#??} func_split_short_opt_name=${1%"$func_split_short_opt_arg"}]) _LT_PROG_FUNCTION_REPLACE([func_lo2o], [dnl case ${1} in *.lo) func_lo2o_result=${1%.lo}.${objext} ;; *) func_lo2o_result=${1} ;; esac]) _LT_PROG_FUNCTION_REPLACE([func_xform], [ func_xform_result=${1%.*}.lo]) _LT_PROG_FUNCTION_REPLACE([func_arith], [ func_arith_result=$(( $[*] ))]) _LT_PROG_FUNCTION_REPLACE([func_len], [ func_len_result=${#1}]) fi if test x"$lt_shell_append" = xyes; then _LT_PROG_FUNCTION_REPLACE([func_append], [ eval "${1}+=\\${2}"]) _LT_PROG_FUNCTION_REPLACE([func_append_quoted], [dnl func_quote_for_eval "${2}" dnl m4 expansion turns \\\\ into \\, and then the shell eval turns that into \ eval "${1}+=\\\\ \\$func_quote_for_eval_result"]) # Save a `func_append' function call where possible by direct use of '+=' sed -e 's%func_append \([[a-zA-Z_]]\{1,\}\) "%\1+="%g' $cfgfile > $cfgfile.tmp \ && mv -f "$cfgfile.tmp" "$cfgfile" \ || (rm -f "$cfgfile" && cp "$cfgfile.tmp" "$cfgfile" && rm -f "$cfgfile.tmp") test 0 -eq $? || _lt_function_replace_fail=: else # Save a `func_append' function call even when '+=' is not available sed -e 's%func_append \([[a-zA-Z_]]\{1,\}\) "%\1="$\1%g' $cfgfile > $cfgfile.tmp \ && mv -f "$cfgfile.tmp" "$cfgfile" \ || (rm -f "$cfgfile" && cp "$cfgfile.tmp" "$cfgfile" && rm -f "$cfgfile.tmp") test 0 -eq $? || _lt_function_replace_fail=: fi if test x"$_lt_function_replace_fail" = x":"; then AC_MSG_WARN([Unable to substitute extended shell functions in $ofile]) fi ]) # _LT_PATH_CONVERSION_FUNCTIONS # ----------------------------- # Determine which file name conversion functions should be used by # func_to_host_file (and, implicitly, by func_to_host_path). These are needed # for certain cross-compile configurations and native mingw. m4_defun([_LT_PATH_CONVERSION_FUNCTIONS], [AC_REQUIRE([AC_CANONICAL_HOST])dnl AC_REQUIRE([AC_CANONICAL_BUILD])dnl AC_MSG_CHECKING([how to convert $build file names to $host format]) AC_CACHE_VAL(lt_cv_to_host_file_cmd, [case $host in *-*-mingw* ) case $build in *-*-mingw* ) # actually msys lt_cv_to_host_file_cmd=func_convert_file_msys_to_w32 ;; *-*-cygwin* ) lt_cv_to_host_file_cmd=func_convert_file_cygwin_to_w32 ;; * ) # otherwise, assume *nix lt_cv_to_host_file_cmd=func_convert_file_nix_to_w32 ;; esac ;; *-*-cygwin* ) case $build in *-*-mingw* ) # actually msys lt_cv_to_host_file_cmd=func_convert_file_msys_to_cygwin ;; *-*-cygwin* ) lt_cv_to_host_file_cmd=func_convert_file_noop ;; * ) # otherwise, assume *nix lt_cv_to_host_file_cmd=func_convert_file_nix_to_cygwin ;; esac ;; * ) # unhandled hosts (and "normal" native builds) lt_cv_to_host_file_cmd=func_convert_file_noop ;; esac ]) to_host_file_cmd=$lt_cv_to_host_file_cmd AC_MSG_RESULT([$lt_cv_to_host_file_cmd]) _LT_DECL([to_host_file_cmd], [lt_cv_to_host_file_cmd], [0], [convert $build file names to $host format])dnl AC_MSG_CHECKING([how to convert $build file names to toolchain format]) AC_CACHE_VAL(lt_cv_to_tool_file_cmd, [#assume ordinary cross tools, or native build. lt_cv_to_tool_file_cmd=func_convert_file_noop case $host in *-*-mingw* ) case $build in *-*-mingw* ) # actually msys lt_cv_to_tool_file_cmd=func_convert_file_msys_to_w32 ;; esac ;; esac ]) to_tool_file_cmd=$lt_cv_to_tool_file_cmd AC_MSG_RESULT([$lt_cv_to_tool_file_cmd]) _LT_DECL([to_tool_file_cmd], [lt_cv_to_tool_file_cmd], [0], [convert $build files to toolchain format])dnl ])# _LT_PATH_CONVERSION_FUNCTIONS openvpn-2.4.4/m4/ltoptions.m4000066400000000000000000000300731316434344000160300ustar00rootroot00000000000000# Helper functions for option handling. -*- Autoconf -*- # # Copyright (C) 2004, 2005, 2007, 2008, 2009 Free Software Foundation, # Inc. # Written by Gary V. Vaughan, 2004 # # This file is free software; the Free Software Foundation gives # unlimited permission to copy and/or distribute it, with or without # modifications, as long as this notice is preserved. # serial 7 ltoptions.m4 # This is to help aclocal find these macros, as it can't see m4_define. AC_DEFUN([LTOPTIONS_VERSION], [m4_if([1])]) # _LT_MANGLE_OPTION(MACRO-NAME, OPTION-NAME) # ------------------------------------------ m4_define([_LT_MANGLE_OPTION], [[_LT_OPTION_]m4_bpatsubst($1__$2, [[^a-zA-Z0-9_]], [_])]) # _LT_SET_OPTION(MACRO-NAME, OPTION-NAME) # --------------------------------------- # Set option OPTION-NAME for macro MACRO-NAME, and if there is a # matching handler defined, dispatch to it. Other OPTION-NAMEs are # saved as a flag. m4_define([_LT_SET_OPTION], [m4_define(_LT_MANGLE_OPTION([$1], [$2]))dnl m4_ifdef(_LT_MANGLE_DEFUN([$1], [$2]), _LT_MANGLE_DEFUN([$1], [$2]), [m4_warning([Unknown $1 option `$2'])])[]dnl ]) # _LT_IF_OPTION(MACRO-NAME, OPTION-NAME, IF-SET, [IF-NOT-SET]) # ------------------------------------------------------------ # Execute IF-SET if OPTION is set, IF-NOT-SET otherwise. m4_define([_LT_IF_OPTION], [m4_ifdef(_LT_MANGLE_OPTION([$1], [$2]), [$3], [$4])]) # _LT_UNLESS_OPTIONS(MACRO-NAME, OPTION-LIST, IF-NOT-SET) # ------------------------------------------------------- # Execute IF-NOT-SET unless all options in OPTION-LIST for MACRO-NAME # are set. m4_define([_LT_UNLESS_OPTIONS], [m4_foreach([_LT_Option], m4_split(m4_normalize([$2])), [m4_ifdef(_LT_MANGLE_OPTION([$1], _LT_Option), [m4_define([$0_found])])])[]dnl m4_ifdef([$0_found], [m4_undefine([$0_found])], [$3 ])[]dnl ]) # _LT_SET_OPTIONS(MACRO-NAME, OPTION-LIST) # ---------------------------------------- # OPTION-LIST is a space-separated list of Libtool options associated # with MACRO-NAME. If any OPTION has a matching handler declared with # LT_OPTION_DEFINE, dispatch to that macro; otherwise complain about # the unknown option and exit. m4_defun([_LT_SET_OPTIONS], [# Set options m4_foreach([_LT_Option], m4_split(m4_normalize([$2])), [_LT_SET_OPTION([$1], _LT_Option)]) m4_if([$1],[LT_INIT],[ dnl dnl Simply set some default values (i.e off) if boolean options were not dnl specified: _LT_UNLESS_OPTIONS([LT_INIT], [dlopen], [enable_dlopen=no ]) _LT_UNLESS_OPTIONS([LT_INIT], [win32-dll], [enable_win32_dll=no ]) dnl dnl If no reference was made to various pairs of opposing options, then dnl we run the default mode handler for the pair. For example, if neither dnl `shared' nor `disable-shared' was passed, we enable building of shared dnl archives by default: _LT_UNLESS_OPTIONS([LT_INIT], [shared disable-shared], [_LT_ENABLE_SHARED]) _LT_UNLESS_OPTIONS([LT_INIT], [static disable-static], [_LT_ENABLE_STATIC]) _LT_UNLESS_OPTIONS([LT_INIT], [pic-only no-pic], [_LT_WITH_PIC]) _LT_UNLESS_OPTIONS([LT_INIT], [fast-install disable-fast-install], [_LT_ENABLE_FAST_INSTALL]) ]) ])# _LT_SET_OPTIONS ## --------------------------------- ## ## Macros to handle LT_INIT options. ## ## --------------------------------- ## # _LT_MANGLE_DEFUN(MACRO-NAME, OPTION-NAME) # ----------------------------------------- m4_define([_LT_MANGLE_DEFUN], [[_LT_OPTION_DEFUN_]m4_bpatsubst(m4_toupper([$1__$2]), [[^A-Z0-9_]], [_])]) # LT_OPTION_DEFINE(MACRO-NAME, OPTION-NAME, CODE) # ----------------------------------------------- m4_define([LT_OPTION_DEFINE], [m4_define(_LT_MANGLE_DEFUN([$1], [$2]), [$3])[]dnl ])# LT_OPTION_DEFINE # dlopen # ------ LT_OPTION_DEFINE([LT_INIT], [dlopen], [enable_dlopen=yes ]) AU_DEFUN([AC_LIBTOOL_DLOPEN], [_LT_SET_OPTION([LT_INIT], [dlopen]) AC_DIAGNOSE([obsolete], [$0: Remove this warning and the call to _LT_SET_OPTION when you put the `dlopen' option into LT_INIT's first parameter.]) ]) dnl aclocal-1.4 backwards compatibility: dnl AC_DEFUN([AC_LIBTOOL_DLOPEN], []) # win32-dll # --------- # Declare package support for building win32 dll's. LT_OPTION_DEFINE([LT_INIT], [win32-dll], [enable_win32_dll=yes case $host in *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-cegcc*) AC_CHECK_TOOL(AS, as, false) AC_CHECK_TOOL(DLLTOOL, dlltool, false) AC_CHECK_TOOL(OBJDUMP, objdump, false) ;; esac test -z "$AS" && AS=as _LT_DECL([], [AS], [1], [Assembler program])dnl test -z "$DLLTOOL" && DLLTOOL=dlltool _LT_DECL([], [DLLTOOL], [1], [DLL creation program])dnl test -z "$OBJDUMP" && OBJDUMP=objdump _LT_DECL([], [OBJDUMP], [1], [Object dumper program])dnl ])# win32-dll AU_DEFUN([AC_LIBTOOL_WIN32_DLL], [AC_REQUIRE([AC_CANONICAL_HOST])dnl _LT_SET_OPTION([LT_INIT], [win32-dll]) AC_DIAGNOSE([obsolete], [$0: Remove this warning and the call to _LT_SET_OPTION when you put the `win32-dll' option into LT_INIT's first parameter.]) ]) dnl aclocal-1.4 backwards compatibility: dnl AC_DEFUN([AC_LIBTOOL_WIN32_DLL], []) # _LT_ENABLE_SHARED([DEFAULT]) # ---------------------------- # implement the --enable-shared flag, and supports the `shared' and # `disable-shared' LT_INIT options. # DEFAULT is either `yes' or `no'. If omitted, it defaults to `yes'. m4_define([_LT_ENABLE_SHARED], [m4_define([_LT_ENABLE_SHARED_DEFAULT], [m4_if($1, no, no, yes)])dnl AC_ARG_ENABLE([shared], [AS_HELP_STRING([--enable-shared@<:@=PKGS@:>@], [build shared libraries @<:@default=]_LT_ENABLE_SHARED_DEFAULT[@:>@])], [p=${PACKAGE-default} case $enableval in yes) enable_shared=yes ;; no) enable_shared=no ;; *) enable_shared=no # Look at the argument we got. We use all the common list separators. lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR," for pkg in $enableval; do IFS="$lt_save_ifs" if test "X$pkg" = "X$p"; then enable_shared=yes fi done IFS="$lt_save_ifs" ;; esac], [enable_shared=]_LT_ENABLE_SHARED_DEFAULT) _LT_DECL([build_libtool_libs], [enable_shared], [0], [Whether or not to build shared libraries]) ])# _LT_ENABLE_SHARED LT_OPTION_DEFINE([LT_INIT], [shared], [_LT_ENABLE_SHARED([yes])]) LT_OPTION_DEFINE([LT_INIT], [disable-shared], [_LT_ENABLE_SHARED([no])]) # Old names: AC_DEFUN([AC_ENABLE_SHARED], [_LT_SET_OPTION([LT_INIT], m4_if([$1], [no], [disable-])[shared]) ]) AC_DEFUN([AC_DISABLE_SHARED], [_LT_SET_OPTION([LT_INIT], [disable-shared]) ]) AU_DEFUN([AM_ENABLE_SHARED], [AC_ENABLE_SHARED($@)]) AU_DEFUN([AM_DISABLE_SHARED], [AC_DISABLE_SHARED($@)]) dnl aclocal-1.4 backwards compatibility: dnl AC_DEFUN([AM_ENABLE_SHARED], []) dnl AC_DEFUN([AM_DISABLE_SHARED], []) # _LT_ENABLE_STATIC([DEFAULT]) # ---------------------------- # implement the --enable-static flag, and support the `static' and # `disable-static' LT_INIT options. # DEFAULT is either `yes' or `no'. If omitted, it defaults to `yes'. m4_define([_LT_ENABLE_STATIC], [m4_define([_LT_ENABLE_STATIC_DEFAULT], [m4_if($1, no, no, yes)])dnl AC_ARG_ENABLE([static], [AS_HELP_STRING([--enable-static@<:@=PKGS@:>@], [build static libraries @<:@default=]_LT_ENABLE_STATIC_DEFAULT[@:>@])], [p=${PACKAGE-default} case $enableval in yes) enable_static=yes ;; no) enable_static=no ;; *) enable_static=no # Look at the argument we got. We use all the common list separators. lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR," for pkg in $enableval; do IFS="$lt_save_ifs" if test "X$pkg" = "X$p"; then enable_static=yes fi done IFS="$lt_save_ifs" ;; esac], [enable_static=]_LT_ENABLE_STATIC_DEFAULT) _LT_DECL([build_old_libs], [enable_static], [0], [Whether or not to build static libraries]) ])# _LT_ENABLE_STATIC LT_OPTION_DEFINE([LT_INIT], [static], [_LT_ENABLE_STATIC([yes])]) LT_OPTION_DEFINE([LT_INIT], [disable-static], [_LT_ENABLE_STATIC([no])]) # Old names: AC_DEFUN([AC_ENABLE_STATIC], [_LT_SET_OPTION([LT_INIT], m4_if([$1], [no], [disable-])[static]) ]) AC_DEFUN([AC_DISABLE_STATIC], [_LT_SET_OPTION([LT_INIT], [disable-static]) ]) AU_DEFUN([AM_ENABLE_STATIC], [AC_ENABLE_STATIC($@)]) AU_DEFUN([AM_DISABLE_STATIC], [AC_DISABLE_STATIC($@)]) dnl aclocal-1.4 backwards compatibility: dnl AC_DEFUN([AM_ENABLE_STATIC], []) dnl AC_DEFUN([AM_DISABLE_STATIC], []) # _LT_ENABLE_FAST_INSTALL([DEFAULT]) # ---------------------------------- # implement the --enable-fast-install flag, and support the `fast-install' # and `disable-fast-install' LT_INIT options. # DEFAULT is either `yes' or `no'. If omitted, it defaults to `yes'. m4_define([_LT_ENABLE_FAST_INSTALL], [m4_define([_LT_ENABLE_FAST_INSTALL_DEFAULT], [m4_if($1, no, no, yes)])dnl AC_ARG_ENABLE([fast-install], [AS_HELP_STRING([--enable-fast-install@<:@=PKGS@:>@], [optimize for fast installation @<:@default=]_LT_ENABLE_FAST_INSTALL_DEFAULT[@:>@])], [p=${PACKAGE-default} case $enableval in yes) enable_fast_install=yes ;; no) enable_fast_install=no ;; *) enable_fast_install=no # Look at the argument we got. We use all the common list separators. lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR," for pkg in $enableval; do IFS="$lt_save_ifs" if test "X$pkg" = "X$p"; then enable_fast_install=yes fi done IFS="$lt_save_ifs" ;; esac], [enable_fast_install=]_LT_ENABLE_FAST_INSTALL_DEFAULT) _LT_DECL([fast_install], [enable_fast_install], [0], [Whether or not to optimize for fast installation])dnl ])# _LT_ENABLE_FAST_INSTALL LT_OPTION_DEFINE([LT_INIT], [fast-install], [_LT_ENABLE_FAST_INSTALL([yes])]) LT_OPTION_DEFINE([LT_INIT], [disable-fast-install], [_LT_ENABLE_FAST_INSTALL([no])]) # Old names: AU_DEFUN([AC_ENABLE_FAST_INSTALL], [_LT_SET_OPTION([LT_INIT], m4_if([$1], [no], [disable-])[fast-install]) AC_DIAGNOSE([obsolete], [$0: Remove this warning and the call to _LT_SET_OPTION when you put the `fast-install' option into LT_INIT's first parameter.]) ]) AU_DEFUN([AC_DISABLE_FAST_INSTALL], [_LT_SET_OPTION([LT_INIT], [disable-fast-install]) AC_DIAGNOSE([obsolete], [$0: Remove this warning and the call to _LT_SET_OPTION when you put the `disable-fast-install' option into LT_INIT's first parameter.]) ]) dnl aclocal-1.4 backwards compatibility: dnl AC_DEFUN([AC_ENABLE_FAST_INSTALL], []) dnl AC_DEFUN([AM_DISABLE_FAST_INSTALL], []) # _LT_WITH_PIC([MODE]) # -------------------- # implement the --with-pic flag, and support the `pic-only' and `no-pic' # LT_INIT options. # MODE is either `yes' or `no'. If omitted, it defaults to `both'. m4_define([_LT_WITH_PIC], [AC_ARG_WITH([pic], [AS_HELP_STRING([--with-pic@<:@=PKGS@:>@], [try to use only PIC/non-PIC objects @<:@default=use both@:>@])], [lt_p=${PACKAGE-default} case $withval in yes|no) pic_mode=$withval ;; *) pic_mode=default # Look at the argument we got. We use all the common list separators. lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR," for lt_pkg in $withval; do IFS="$lt_save_ifs" if test "X$lt_pkg" = "X$lt_p"; then pic_mode=yes fi done IFS="$lt_save_ifs" ;; esac], [pic_mode=default]) test -z "$pic_mode" && pic_mode=m4_default([$1], [default]) _LT_DECL([], [pic_mode], [0], [What type of objects to build])dnl ])# _LT_WITH_PIC LT_OPTION_DEFINE([LT_INIT], [pic-only], [_LT_WITH_PIC([yes])]) LT_OPTION_DEFINE([LT_INIT], [no-pic], [_LT_WITH_PIC([no])]) # Old name: AU_DEFUN([AC_LIBTOOL_PICMODE], [_LT_SET_OPTION([LT_INIT], [pic-only]) AC_DIAGNOSE([obsolete], [$0: Remove this warning and the call to _LT_SET_OPTION when you put the `pic-only' option into LT_INIT's first parameter.]) ]) dnl aclocal-1.4 backwards compatibility: dnl AC_DEFUN([AC_LIBTOOL_PICMODE], []) ## ----------------- ## ## LTDL_INIT Options ## ## ----------------- ## m4_define([_LTDL_MODE], []) LT_OPTION_DEFINE([LTDL_INIT], [nonrecursive], [m4_define([_LTDL_MODE], [nonrecursive])]) LT_OPTION_DEFINE([LTDL_INIT], [recursive], [m4_define([_LTDL_MODE], [recursive])]) LT_OPTION_DEFINE([LTDL_INIT], [subproject], [m4_define([_LTDL_MODE], [subproject])]) m4_define([_LTDL_TYPE], []) LT_OPTION_DEFINE([LTDL_INIT], [installable], [m4_define([_LTDL_TYPE], [installable])]) LT_OPTION_DEFINE([LTDL_INIT], [convenience], [m4_define([_LTDL_TYPE], [convenience])]) openvpn-2.4.4/m4/ltsugar.m4000066400000000000000000000104241316434344000154540ustar00rootroot00000000000000# ltsugar.m4 -- libtool m4 base layer. -*-Autoconf-*- # # Copyright (C) 2004, 2005, 2007, 2008 Free Software Foundation, Inc. # Written by Gary V. Vaughan, 2004 # # This file is free software; the Free Software Foundation gives # unlimited permission to copy and/or distribute it, with or without # modifications, as long as this notice is preserved. # serial 6 ltsugar.m4 # This is to help aclocal find these macros, as it can't see m4_define. AC_DEFUN([LTSUGAR_VERSION], [m4_if([0.1])]) # lt_join(SEP, ARG1, [ARG2...]) # ----------------------------- # Produce ARG1SEPARG2...SEPARGn, omitting [] arguments and their # associated separator. # Needed until we can rely on m4_join from Autoconf 2.62, since all earlier # versions in m4sugar had bugs. m4_define([lt_join], [m4_if([$#], [1], [], [$#], [2], [[$2]], [m4_if([$2], [], [], [[$2]_])$0([$1], m4_shift(m4_shift($@)))])]) m4_define([_lt_join], [m4_if([$#$2], [2], [], [m4_if([$2], [], [], [[$1$2]])$0([$1], m4_shift(m4_shift($@)))])]) # lt_car(LIST) # lt_cdr(LIST) # ------------ # Manipulate m4 lists. # These macros are necessary as long as will still need to support # Autoconf-2.59 which quotes differently. m4_define([lt_car], [[$1]]) m4_define([lt_cdr], [m4_if([$#], 0, [m4_fatal([$0: cannot be called without arguments])], [$#], 1, [], [m4_dquote(m4_shift($@))])]) m4_define([lt_unquote], $1) # lt_append(MACRO-NAME, STRING, [SEPARATOR]) # ------------------------------------------ # Redefine MACRO-NAME to hold its former content plus `SEPARATOR'`STRING'. # Note that neither SEPARATOR nor STRING are expanded; they are appended # to MACRO-NAME as is (leaving the expansion for when MACRO-NAME is invoked). # No SEPARATOR is output if MACRO-NAME was previously undefined (different # than defined and empty). # # This macro is needed until we can rely on Autoconf 2.62, since earlier # versions of m4sugar mistakenly expanded SEPARATOR but not STRING. m4_define([lt_append], [m4_define([$1], m4_ifdef([$1], [m4_defn([$1])[$3]])[$2])]) # lt_combine(SEP, PREFIX-LIST, INFIX, SUFFIX1, [SUFFIX2...]) # ---------------------------------------------------------- # Produce a SEP delimited list of all paired combinations of elements of # PREFIX-LIST with SUFFIX1 through SUFFIXn. Each element of the list # has the form PREFIXmINFIXSUFFIXn. # Needed until we can rely on m4_combine added in Autoconf 2.62. m4_define([lt_combine], [m4_if(m4_eval([$# > 3]), [1], [m4_pushdef([_Lt_sep], [m4_define([_Lt_sep], m4_defn([lt_car]))])]]dnl [[m4_foreach([_Lt_prefix], [$2], [m4_foreach([_Lt_suffix], ]m4_dquote(m4_dquote(m4_shift(m4_shift(m4_shift($@)))))[, [_Lt_sep([$1])[]m4_defn([_Lt_prefix])[$3]m4_defn([_Lt_suffix])])])])]) # lt_if_append_uniq(MACRO-NAME, VARNAME, [SEPARATOR], [UNIQ], [NOT-UNIQ]) # ----------------------------------------------------------------------- # Iff MACRO-NAME does not yet contain VARNAME, then append it (delimited # by SEPARATOR if supplied) and expand UNIQ, else NOT-UNIQ. m4_define([lt_if_append_uniq], [m4_ifdef([$1], [m4_if(m4_index([$3]m4_defn([$1])[$3], [$3$2$3]), [-1], [lt_append([$1], [$2], [$3])$4], [$5])], [lt_append([$1], [$2], [$3])$4])]) # lt_dict_add(DICT, KEY, VALUE) # ----------------------------- m4_define([lt_dict_add], [m4_define([$1($2)], [$3])]) # lt_dict_add_subkey(DICT, KEY, SUBKEY, VALUE) # -------------------------------------------- m4_define([lt_dict_add_subkey], [m4_define([$1($2:$3)], [$4])]) # lt_dict_fetch(DICT, KEY, [SUBKEY]) # ---------------------------------- m4_define([lt_dict_fetch], [m4_ifval([$3], m4_ifdef([$1($2:$3)], [m4_defn([$1($2:$3)])]), m4_ifdef([$1($2)], [m4_defn([$1($2)])]))]) # lt_if_dict_fetch(DICT, KEY, [SUBKEY], VALUE, IF-TRUE, [IF-FALSE]) # ----------------------------------------------------------------- m4_define([lt_if_dict_fetch], [m4_if(lt_dict_fetch([$1], [$2], [$3]), [$4], [$5], [$6])]) # lt_dict_filter(DICT, [SUBKEY], VALUE, [SEPARATOR], KEY, [...]) # -------------------------------------------------------------- m4_define([lt_dict_filter], [m4_if([$5], [], [], [lt_join(m4_quote(m4_default([$4], [[, ]])), lt_unquote(m4_split(m4_normalize(m4_foreach(_Lt_key, lt_car([m4_shiftn(4, $@)]), [lt_if_dict_fetch([$1], _Lt_key, [$2], [$3], [_Lt_key ])])))))])[]dnl ]) openvpn-2.4.4/m4/ltversion.m4000066400000000000000000000012621316434344000160200ustar00rootroot00000000000000# ltversion.m4 -- version numbers -*- Autoconf -*- # # Copyright (C) 2004 Free Software Foundation, Inc. # Written by Scott James Remnant, 2004 # # This file is free software; the Free Software Foundation gives # unlimited permission to copy and/or distribute it, with or without # modifications, as long as this notice is preserved. # @configure_input@ # serial 3337 ltversion.m4 # This file is part of GNU Libtool m4_define([LT_PACKAGE_VERSION], [2.4.2]) m4_define([LT_PACKAGE_REVISION], [1.3337]) AC_DEFUN([LTVERSION_VERSION], [macro_version='2.4.2' macro_revision='1.3337' _LT_DECL(, macro_version, 0, [Which release of libtool.m4 was used?]) _LT_DECL(, macro_revision, 0) ]) openvpn-2.4.4/m4/lt~obsolete.m4000066400000000000000000000137561316434344000163600ustar00rootroot00000000000000# lt~obsolete.m4 -- aclocal satisfying obsolete definitions. -*-Autoconf-*- # # Copyright (C) 2004, 2005, 2007, 2009 Free Software Foundation, Inc. # Written by Scott James Remnant, 2004. # # This file is free software; the Free Software Foundation gives # unlimited permission to copy and/or distribute it, with or without # modifications, as long as this notice is preserved. # serial 5 lt~obsolete.m4 # These exist entirely to fool aclocal when bootstrapping libtool. # # In the past libtool.m4 has provided macros via AC_DEFUN (or AU_DEFUN) # which have later been changed to m4_define as they aren't part of the # exported API, or moved to Autoconf or Automake where they belong. # # The trouble is, aclocal is a bit thick. It'll see the old AC_DEFUN # in /usr/share/aclocal/libtool.m4 and remember it, then when it sees us # using a macro with the same name in our local m4/libtool.m4 it'll # pull the old libtool.m4 in (it doesn't see our shiny new m4_define # and doesn't know about Autoconf macros at all.) # # So we provide this file, which has a silly filename so it's always # included after everything else. This provides aclocal with the # AC_DEFUNs it wants, but when m4 processes it, it doesn't do anything # because those macros already exist, or will be overwritten later. # We use AC_DEFUN over AU_DEFUN for compatibility with aclocal-1.6. # # Anytime we withdraw an AC_DEFUN or AU_DEFUN, remember to add it here. # Yes, that means every name once taken will need to remain here until # we give up compatibility with versions before 1.7, at which point # we need to keep only those names which we still refer to. # This is to help aclocal find these macros, as it can't see m4_define. AC_DEFUN([LTOBSOLETE_VERSION], [m4_if([1])]) m4_ifndef([AC_LIBTOOL_LINKER_OPTION], [AC_DEFUN([AC_LIBTOOL_LINKER_OPTION])]) m4_ifndef([AC_PROG_EGREP], [AC_DEFUN([AC_PROG_EGREP])]) m4_ifndef([_LT_AC_PROG_ECHO_BACKSLASH], [AC_DEFUN([_LT_AC_PROG_ECHO_BACKSLASH])]) m4_ifndef([_LT_AC_SHELL_INIT], [AC_DEFUN([_LT_AC_SHELL_INIT])]) m4_ifndef([_LT_AC_SYS_LIBPATH_AIX], [AC_DEFUN([_LT_AC_SYS_LIBPATH_AIX])]) m4_ifndef([_LT_PROG_LTMAIN], [AC_DEFUN([_LT_PROG_LTMAIN])]) m4_ifndef([_LT_AC_TAGVAR], [AC_DEFUN([_LT_AC_TAGVAR])]) m4_ifndef([AC_LTDL_ENABLE_INSTALL], [AC_DEFUN([AC_LTDL_ENABLE_INSTALL])]) m4_ifndef([AC_LTDL_PREOPEN], [AC_DEFUN([AC_LTDL_PREOPEN])]) m4_ifndef([_LT_AC_SYS_COMPILER], [AC_DEFUN([_LT_AC_SYS_COMPILER])]) m4_ifndef([_LT_AC_LOCK], [AC_DEFUN([_LT_AC_LOCK])]) m4_ifndef([AC_LIBTOOL_SYS_OLD_ARCHIVE], [AC_DEFUN([AC_LIBTOOL_SYS_OLD_ARCHIVE])]) m4_ifndef([_LT_AC_TRY_DLOPEN_SELF], [AC_DEFUN([_LT_AC_TRY_DLOPEN_SELF])]) m4_ifndef([AC_LIBTOOL_PROG_CC_C_O], [AC_DEFUN([AC_LIBTOOL_PROG_CC_C_O])]) m4_ifndef([AC_LIBTOOL_SYS_HARD_LINK_LOCKS], [AC_DEFUN([AC_LIBTOOL_SYS_HARD_LINK_LOCKS])]) m4_ifndef([AC_LIBTOOL_OBJDIR], [AC_DEFUN([AC_LIBTOOL_OBJDIR])]) m4_ifndef([AC_LTDL_OBJDIR], [AC_DEFUN([AC_LTDL_OBJDIR])]) m4_ifndef([AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH], [AC_DEFUN([AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH])]) m4_ifndef([AC_LIBTOOL_SYS_LIB_STRIP], [AC_DEFUN([AC_LIBTOOL_SYS_LIB_STRIP])]) m4_ifndef([AC_PATH_MAGIC], [AC_DEFUN([AC_PATH_MAGIC])]) m4_ifndef([AC_PROG_LD_GNU], [AC_DEFUN([AC_PROG_LD_GNU])]) m4_ifndef([AC_PROG_LD_RELOAD_FLAG], [AC_DEFUN([AC_PROG_LD_RELOAD_FLAG])]) m4_ifndef([AC_DEPLIBS_CHECK_METHOD], [AC_DEFUN([AC_DEPLIBS_CHECK_METHOD])]) m4_ifndef([AC_LIBTOOL_PROG_COMPILER_NO_RTTI], [AC_DEFUN([AC_LIBTOOL_PROG_COMPILER_NO_RTTI])]) m4_ifndef([AC_LIBTOOL_SYS_GLOBAL_SYMBOL_PIPE], [AC_DEFUN([AC_LIBTOOL_SYS_GLOBAL_SYMBOL_PIPE])]) m4_ifndef([AC_LIBTOOL_PROG_COMPILER_PIC], [AC_DEFUN([AC_LIBTOOL_PROG_COMPILER_PIC])]) m4_ifndef([AC_LIBTOOL_PROG_LD_SHLIBS], [AC_DEFUN([AC_LIBTOOL_PROG_LD_SHLIBS])]) m4_ifndef([AC_LIBTOOL_POSTDEP_PREDEP], [AC_DEFUN([AC_LIBTOOL_POSTDEP_PREDEP])]) m4_ifndef([LT_AC_PROG_EGREP], [AC_DEFUN([LT_AC_PROG_EGREP])]) m4_ifndef([LT_AC_PROG_SED], [AC_DEFUN([LT_AC_PROG_SED])]) m4_ifndef([_LT_CC_BASENAME], [AC_DEFUN([_LT_CC_BASENAME])]) m4_ifndef([_LT_COMPILER_BOILERPLATE], [AC_DEFUN([_LT_COMPILER_BOILERPLATE])]) m4_ifndef([_LT_LINKER_BOILERPLATE], [AC_DEFUN([_LT_LINKER_BOILERPLATE])]) m4_ifndef([_AC_PROG_LIBTOOL], [AC_DEFUN([_AC_PROG_LIBTOOL])]) m4_ifndef([AC_LIBTOOL_SETUP], [AC_DEFUN([AC_LIBTOOL_SETUP])]) m4_ifndef([_LT_AC_CHECK_DLFCN], [AC_DEFUN([_LT_AC_CHECK_DLFCN])]) m4_ifndef([AC_LIBTOOL_SYS_DYNAMIC_LINKER], [AC_DEFUN([AC_LIBTOOL_SYS_DYNAMIC_LINKER])]) m4_ifndef([_LT_AC_TAGCONFIG], [AC_DEFUN([_LT_AC_TAGCONFIG])]) m4_ifndef([AC_DISABLE_FAST_INSTALL], [AC_DEFUN([AC_DISABLE_FAST_INSTALL])]) m4_ifndef([_LT_AC_LANG_CXX], [AC_DEFUN([_LT_AC_LANG_CXX])]) m4_ifndef([_LT_AC_LANG_F77], [AC_DEFUN([_LT_AC_LANG_F77])]) m4_ifndef([_LT_AC_LANG_GCJ], [AC_DEFUN([_LT_AC_LANG_GCJ])]) m4_ifndef([AC_LIBTOOL_LANG_C_CONFIG], [AC_DEFUN([AC_LIBTOOL_LANG_C_CONFIG])]) m4_ifndef([_LT_AC_LANG_C_CONFIG], [AC_DEFUN([_LT_AC_LANG_C_CONFIG])]) m4_ifndef([AC_LIBTOOL_LANG_CXX_CONFIG], [AC_DEFUN([AC_LIBTOOL_LANG_CXX_CONFIG])]) m4_ifndef([_LT_AC_LANG_CXX_CONFIG], [AC_DEFUN([_LT_AC_LANG_CXX_CONFIG])]) m4_ifndef([AC_LIBTOOL_LANG_F77_CONFIG], [AC_DEFUN([AC_LIBTOOL_LANG_F77_CONFIG])]) m4_ifndef([_LT_AC_LANG_F77_CONFIG], [AC_DEFUN([_LT_AC_LANG_F77_CONFIG])]) m4_ifndef([AC_LIBTOOL_LANG_GCJ_CONFIG], [AC_DEFUN([AC_LIBTOOL_LANG_GCJ_CONFIG])]) m4_ifndef([_LT_AC_LANG_GCJ_CONFIG], [AC_DEFUN([_LT_AC_LANG_GCJ_CONFIG])]) m4_ifndef([AC_LIBTOOL_LANG_RC_CONFIG], [AC_DEFUN([AC_LIBTOOL_LANG_RC_CONFIG])]) m4_ifndef([_LT_AC_LANG_RC_CONFIG], [AC_DEFUN([_LT_AC_LANG_RC_CONFIG])]) m4_ifndef([AC_LIBTOOL_CONFIG], [AC_DEFUN([AC_LIBTOOL_CONFIG])]) m4_ifndef([_LT_AC_FILE_LTDLL_C], [AC_DEFUN([_LT_AC_FILE_LTDLL_C])]) m4_ifndef([_LT_REQUIRED_DARWIN_CHECKS], [AC_DEFUN([_LT_REQUIRED_DARWIN_CHECKS])]) m4_ifndef([_LT_AC_PROG_CXXCPP], [AC_DEFUN([_LT_AC_PROG_CXXCPP])]) m4_ifndef([_LT_PREPARE_SED_QUOTE_VARS], [AC_DEFUN([_LT_PREPARE_SED_QUOTE_VARS])]) m4_ifndef([_LT_PROG_ECHO_BACKSLASH], [AC_DEFUN([_LT_PROG_ECHO_BACKSLASH])]) m4_ifndef([_LT_PROG_F77], [AC_DEFUN([_LT_PROG_F77])]) m4_ifndef([_LT_PROG_FC], [AC_DEFUN([_LT_PROG_FC])]) m4_ifndef([_LT_PROG_CXX], [AC_DEFUN([_LT_PROG_CXX])]) openvpn-2.4.4/m4/pkg.m4000066400000000000000000000130261316434344000145550ustar00rootroot00000000000000# pkg.m4 - Macros to locate and utilise pkg-config. -*- Autoconf -*- # serial 1 (pkg-config-0.24) # # Copyright © 2004 Scott James Remnant . # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, but # WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU # General Public License for more details. # # You should have received a copy of the GNU General Public License along # with this program; if not, write to the Free Software Foundation, Inc., # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # # As a special exception to the GNU General Public License, if you # distribute this file as part of a program that contains a # configuration script generated by Autoconf, you may include it under # the same distribution terms that you use for the rest of that program. # PKG_PROG_PKG_CONFIG([MIN-VERSION]) # ---------------------------------- AC_DEFUN([PKG_PROG_PKG_CONFIG], [m4_pattern_forbid([^_?PKG_[A-Z_]+$]) m4_pattern_allow([^PKG_CONFIG(_(PATH|LIBDIR|SYSROOT_DIR|ALLOW_SYSTEM_(CFLAGS|LIBS)))?$]) m4_pattern_allow([^PKG_CONFIG_(DISABLE_UNINSTALLED|TOP_BUILD_DIR|DEBUG_SPEW)$]) AC_ARG_VAR([PKG_CONFIG], [path to pkg-config utility]) AC_ARG_VAR([PKG_CONFIG_PATH], [directories to add to pkg-config's search path]) AC_ARG_VAR([PKG_CONFIG_LIBDIR], [path overriding pkg-config's built-in search path]) if test "x$ac_cv_env_PKG_CONFIG_set" != "xset"; then AC_PATH_TOOL([PKG_CONFIG], [pkg-config]) fi if test -n "$PKG_CONFIG"; then _pkg_min_version=m4_default([$1], [0.9.0]) AC_MSG_CHECKING([pkg-config is at least version $_pkg_min_version]) if $PKG_CONFIG --atleast-pkgconfig-version $_pkg_min_version; then AC_MSG_RESULT([yes]) else AC_MSG_RESULT([no]) PKG_CONFIG="" fi fi[]dnl ])# PKG_PROG_PKG_CONFIG # PKG_CHECK_EXISTS(MODULES, [ACTION-IF-FOUND], [ACTION-IF-NOT-FOUND]) # # Check to see whether a particular set of modules exists. Similar # to PKG_CHECK_MODULES(), but does not set variables or print errors. # # Please remember that m4 expands AC_REQUIRE([PKG_PROG_PKG_CONFIG]) # only at the first occurence in configure.ac, so if the first place # it's called might be skipped (such as if it is within an "if", you # have to call PKG_CHECK_EXISTS manually # -------------------------------------------------------------- AC_DEFUN([PKG_CHECK_EXISTS], [AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl if test -n "$PKG_CONFIG" && \ AC_RUN_LOG([$PKG_CONFIG --exists --print-errors "$1"]); then m4_default([$2], [:]) m4_ifvaln([$3], [else $3])dnl fi]) # _PKG_CONFIG([VARIABLE], [COMMAND], [MODULES]) # --------------------------------------------- m4_define([_PKG_CONFIG], [if test -n "$$1"; then pkg_cv_[]$1="$$1" elif test -n "$PKG_CONFIG"; then PKG_CHECK_EXISTS([$3], [pkg_cv_[]$1=`$PKG_CONFIG --[]$2 "$3" 2>/dev/null` test "x$?" != "x0" && pkg_failed=yes ], [pkg_failed=yes]) else pkg_failed=untried fi[]dnl ])# _PKG_CONFIG # _PKG_SHORT_ERRORS_SUPPORTED # ----------------------------- AC_DEFUN([_PKG_SHORT_ERRORS_SUPPORTED], [AC_REQUIRE([PKG_PROG_PKG_CONFIG]) if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then _pkg_short_errors_supported=yes else _pkg_short_errors_supported=no fi[]dnl ])# _PKG_SHORT_ERRORS_SUPPORTED # PKG_CHECK_MODULES(VARIABLE-PREFIX, MODULES, [ACTION-IF-FOUND], # [ACTION-IF-NOT-FOUND]) # # # Note that if there is a possibility the first call to # PKG_CHECK_MODULES might not happen, you should be sure to include an # explicit call to PKG_PROG_PKG_CONFIG in your configure.ac # # # -------------------------------------------------------------- AC_DEFUN([PKG_CHECK_MODULES], [AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl AC_ARG_VAR([$1][_CFLAGS], [C compiler flags for $1, overriding pkg-config])dnl AC_ARG_VAR([$1][_LIBS], [linker flags for $1, overriding pkg-config])dnl pkg_failed=no AC_MSG_CHECKING([for $1]) _PKG_CONFIG([$1][_CFLAGS], [cflags], [$2]) _PKG_CONFIG([$1][_LIBS], [libs], [$2]) m4_define([_PKG_TEXT], [Alternatively, you may set the environment variables $1[]_CFLAGS and $1[]_LIBS to avoid the need to call pkg-config. See the pkg-config man page for more details.]) if test $pkg_failed = yes; then AC_MSG_RESULT([no]) _PKG_SHORT_ERRORS_SUPPORTED if test $_pkg_short_errors_supported = yes; then $1[]_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "$2" 2>&1` else $1[]_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "$2" 2>&1` fi # Put the nasty error message in config.log where it belongs echo "$$1[]_PKG_ERRORS" >&AS_MESSAGE_LOG_FD m4_default([$4], [AC_MSG_ERROR( [Package requirements ($2) were not met: $$1_PKG_ERRORS Consider adjusting the PKG_CONFIG_PATH environment variable if you installed software in a non-standard prefix. _PKG_TEXT])[]dnl ]) elif test $pkg_failed = untried; then AC_MSG_RESULT([no]) m4_default([$4], [AC_MSG_FAILURE( [The pkg-config script could not be found or is too old. Make sure it is in your PATH or set the PKG_CONFIG environment variable to the full path to pkg-config. _PKG_TEXT To get pkg-config, see .])[]dnl ]) else $1[]_CFLAGS=$pkg_cv_[]$1[]_CFLAGS $1[]_LIBS=$pkg_cv_[]$1[]_LIBS AC_MSG_RESULT([yes]) $3 fi[]dnl ])# PKG_CHECK_MODULES openvpn-2.4.4/missing000077500000000000000000000153301316434344000146110ustar00rootroot00000000000000#! /bin/sh # Common wrapper for a few potentially missing GNU programs. scriptversion=2013-10-28.13; # UTC # Copyright (C) 1996-2013 Free Software Foundation, Inc. # Originally written by Fran,cois Pinard , 1996. # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2, or (at your option) # any later version. # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # You should have received a copy of the GNU General Public License # along with this program. If not, see . # As a special exception to the GNU General Public License, if you # distribute this file as part of a program that contains a # configuration script generated by Autoconf, you may include it under # the same distribution terms that you use for the rest of that program. if test $# -eq 0; then echo 1>&2 "Try '$0 --help' for more information" exit 1 fi case $1 in --is-lightweight) # Used by our autoconf macros to check whether the available missing # script is modern enough. exit 0 ;; --run) # Back-compat with the calling convention used by older automake. shift ;; -h|--h|--he|--hel|--help) echo "\ $0 [OPTION]... PROGRAM [ARGUMENT]... Run 'PROGRAM [ARGUMENT]...', returning a proper advice when this fails due to PROGRAM being missing or too old. Options: -h, --help display this help and exit -v, --version output version information and exit Supported PROGRAM values: aclocal autoconf autoheader autom4te automake makeinfo bison yacc flex lex help2man Version suffixes to PROGRAM as well as the prefixes 'gnu-', 'gnu', and 'g' are ignored when checking the name. Send bug reports to ." exit $? ;; -v|--v|--ve|--ver|--vers|--versi|--versio|--version) echo "missing $scriptversion (GNU Automake)" exit $? ;; -*) echo 1>&2 "$0: unknown '$1' option" echo 1>&2 "Try '$0 --help' for more information" exit 1 ;; esac # Run the given program, remember its exit status. "$@"; st=$? # If it succeeded, we are done. test $st -eq 0 && exit 0 # Also exit now if we it failed (or wasn't found), and '--version' was # passed; such an option is passed most likely to detect whether the # program is present and works. case $2 in --version|--help) exit $st;; esac # Exit code 63 means version mismatch. This often happens when the user # tries to use an ancient version of a tool on a file that requires a # minimum version. if test $st -eq 63; then msg="probably too old" elif test $st -eq 127; then # Program was missing. msg="missing on your system" else # Program was found and executed, but failed. Give up. exit $st fi perl_URL=http://www.perl.org/ flex_URL=http://flex.sourceforge.net/ gnu_software_URL=http://www.gnu.org/software program_details () { case $1 in aclocal|automake) echo "The '$1' program is part of the GNU Automake package:" echo "<$gnu_software_URL/automake>" echo "It also requires GNU Autoconf, GNU m4 and Perl in order to run:" echo "<$gnu_software_URL/autoconf>" echo "<$gnu_software_URL/m4/>" echo "<$perl_URL>" ;; autoconf|autom4te|autoheader) echo "The '$1' program is part of the GNU Autoconf package:" echo "<$gnu_software_URL/autoconf/>" echo "It also requires GNU m4 and Perl in order to run:" echo "<$gnu_software_URL/m4/>" echo "<$perl_URL>" ;; esac } give_advice () { # Normalize program name to check for. normalized_program=`echo "$1" | sed ' s/^gnu-//; t s/^gnu//; t s/^g//; t'` printf '%s\n' "'$1' is $msg." configure_deps="'configure.ac' or m4 files included by 'configure.ac'" case $normalized_program in autoconf*) echo "You should only need it if you modified 'configure.ac'," echo "or m4 files included by it." program_details 'autoconf' ;; autoheader*) echo "You should only need it if you modified 'acconfig.h' or" echo "$configure_deps." program_details 'autoheader' ;; automake*) echo "You should only need it if you modified 'Makefile.am' or" echo "$configure_deps." program_details 'automake' ;; aclocal*) echo "You should only need it if you modified 'acinclude.m4' or" echo "$configure_deps." program_details 'aclocal' ;; autom4te*) echo "You might have modified some maintainer files that require" echo "the 'autom4te' program to be rebuilt." program_details 'autom4te' ;; bison*|yacc*) echo "You should only need it if you modified a '.y' file." echo "You may want to install the GNU Bison package:" echo "<$gnu_software_URL/bison/>" ;; lex*|flex*) echo "You should only need it if you modified a '.l' file." echo "You may want to install the Fast Lexical Analyzer package:" echo "<$flex_URL>" ;; help2man*) echo "You should only need it if you modified a dependency" \ "of a man page." echo "You may want to install the GNU Help2man package:" echo "<$gnu_software_URL/help2man/>" ;; makeinfo*) echo "You should only need it if you modified a '.texi' file, or" echo "any other file indirectly affecting the aspect of the manual." echo "You might want to install the Texinfo package:" echo "<$gnu_software_URL/texinfo/>" echo "The spurious makeinfo call might also be the consequence of" echo "using a buggy 'make' (AIX, DU, IRIX), in which case you might" echo "want to install GNU make:" echo "<$gnu_software_URL/make/>" ;; *) echo "You might have modified some files without having the proper" echo "tools for further handling them. Check the 'README' file, it" echo "often tells you about the needed prerequisites for installing" echo "this package. You may also peek at any GNU archive site, in" echo "case some other package contains this missing '$1' program." ;; esac } give_advice "$1" | sed -e '1s/^/WARNING: /' \ -e '2,$s/^/ /' >&2 # Propagate the correct exit status (expected to be 127 for a program # not found, 63 for a program that failed due to version mismatch). exit $st # Local variables: # eval: (add-hook 'write-file-hooks 'time-stamp) # time-stamp-start: "scriptversion=" # time-stamp-format: "%:y-%02m-%02d.%02H" # time-stamp-time-zone: "UTC" # time-stamp-end: "; # UTC" # End: openvpn-2.4.4/msvc-build.bat000066400000000000000000000017131316434344000157470ustar00rootroot00000000000000@echo off rem Copyright (C) 2008-2012 Alon Bar-Lev @rem this stupid command needed for SetEnv.cmd to operate setlocal ENABLEDELAYEDEXPANSION cd /d %0\.. call msvc-env.bat set PLATFORMS=Win32 set CONFIGURATIONS=Release if exist "%VCHOME%\vcvarsall.bat" ( call "%VCHOME%\vcvarsall.bat" ) else if exist "%VCHOME%\bin\vcvars32.bat" ( call "%VCHOME%\bin\vcvars32.bat" ) else ( echo Cannot detect visual studio goto error ) msbuild /help > nul 2>&1 if errorlevel 1 set DO_VCBUILD=1 for %%p in (%PLATFORMS%) do ( for %%c in (%CONFIGURATIONS%) do ( rmdir /q /s %SOURCEBASE%\%%p\%%c > nul 2>&1 if "%DO_VCBUILD%" NEQ "" ( vcbuild /errfile:error.log /showenv "%SOLUTION%" /rebuild /platform:%%p "%%c|%%p" for %%f in (error.log) do if %%~zf GTR 0 goto error ) else ( msbuild "%SOLUTION%" /p:Configuration="%%c" /p:Platform="%%p" if errorlevel 1 goto error ) ) ) exit /b 0 goto end :error exit /b 1 goto end :end endlocal openvpn-2.4.4/msvc-dev.bat000066400000000000000000000006201316434344000154220ustar00rootroot00000000000000@echo off setlocal cd /d %0\.. call msvc-env.bat if exist "%VSHOME%\Common7\IDE\VCExpress.exe" ( set IDE=%VSHOME%\Common7\IDE\VCExpress.exe ) else if exist "%VSHOME%\Common7\IDE\devenv.exe" ( set IDE=%VSHOME%\Common7\IDE\devenv.exe ) else ( echo "Cannot detect visual studio environment" goto error ) start "" "%IDE%" "%SOLUTION%" exit /b 0 goto end :error exit /b 1 goto end :end endlocal openvpn-2.4.4/msvc-env.bat000066400000000000000000000030021316434344000154310ustar00rootroot00000000000000@echo off rem Put your own settings at msvc-env-local.bat if exist msvc-env-local.bat call msvc-env-local.bat if "%ProgramFiles(x86)%"=="" set ProgramFiles(x86)=%ProgramFiles% if "%VSCOMNTOOLS%"=="" SET VSCOMNTOOLS=%ProgramFiles(x86)%\Microsoft Visual Studio 10.0\Common7\Tools if "%VSCOMNTOOLS%"=="" SET VSCOMNTOOLS=%ProgramFiles(x86)%\Microsoft Visual Studio 9.0\Common7\Tools if "%VSHOME%"=="" SET VSHOME=%VSCOMNTOOLS%\..\.. if "%VCHOME%"=="" SET VCHOME=%VSHOME%\VC set SOURCEBASE=%cd% set SOLUTION=openvpn.sln set CPPFLAGS=%CPPFLAGS%;_CRT_SECURE_NO_WARNINGS;WIN32_LEAN_AND_MEAN;_CRT_NONSTDC_NO_WARNINGS;_CRT_SECURE_NO_WARNINGS set CPPFLAGS=%CPPFLAGS%;NTDDI_VERSION=NTDDI_VISTA;_WIN32_WINNT=_WIN32_WINNT_VISTA set CPPFLAGS=%CPPFLAGS%;_USE_32BIT_TIME_T set CPPFLAGS=%CPPFLAGS%;%EXTRA_CPPFLAGS% if exist config-msvc-local.h set CPPFLAGS="%CPPFLAGS%;HAVE_CONFIG_MSVC_LOCAL_H" if "%OPENVPN_DEPROOT%" == "" set OPENVPN_DEPROOT=c:\Temp\openvpn-deps if "%OPENSSL_HOME%" == "" set OPENSSL_HOME=%OPENVPN_DEPROOT% if "%LZO_HOME%" == "" set LZO_HOME=%OPENVPN_DEPROOT% if "%PKCS11H_HOME%" == "" set PKCS11H_HOME=%OPENVPN_DEPROOT% if "%TAP_WINDOWS_HOME%" == "" set TAP_WINDOWS_HOME=%OPENVPN_DEPROOT% if not exist "%OPENSSL_HOME%" echo WARNING: openssl '%OPENSSL_HOME%' does not exist if not exist "%LZO_HOME%" echo WARNING: lzo '%LZO_HOME%' does not exist if not exist "%PKCS11H_HOME%" echo WARNING: pkcs11-helper '%PKCS11H_HOME%' does not exist if not exist "%TAP_WINDOWS_HOME%" echo WARNING: tap-windows '%TAP_WINDOWS_HOME%' does not exist openvpn-2.4.4/openvpn.sln000066400000000000000000000044231316434344000154160ustar00rootroot00000000000000 Microsoft Visual Studio Solution File, Format Version 11.00 # Visual C++ Express 2010 Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "openvpnserv", "src\openvpnserv\openvpnserv.vcxproj", "{9C91EE0B-817D-420A-A1E6-15A5A9D98BAD}" EndProject Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "openvpn", "src\openvpn\openvpn.vcxproj", "{29DF226E-4D4E-440F-ADAF-5829CFD4CA94}" EndProject Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "msvc-generate", "build\msvc\msvc-generate\msvc-generate.vcxproj", "{8598C2C8-34C4-47A1-99B0-7C295A890615}" EndProject Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "compat", "src\compat\compat.vcxproj", "{4B2E2719-E661-45D7-9203-F6F456B22F19}" EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution Debug|Win32 = Debug|Win32 Release|Win32 = Release|Win32 EndGlobalSection GlobalSection(ProjectConfigurationPlatforms) = postSolution {9C91EE0B-817D-420A-A1E6-15A5A9D98BAD}.Debug|Win32.ActiveCfg = Debug|Win32 {9C91EE0B-817D-420A-A1E6-15A5A9D98BAD}.Debug|Win32.Build.0 = Debug|Win32 {9C91EE0B-817D-420A-A1E6-15A5A9D98BAD}.Release|Win32.ActiveCfg = Release|Win32 {9C91EE0B-817D-420A-A1E6-15A5A9D98BAD}.Release|Win32.Build.0 = Release|Win32 {29DF226E-4D4E-440F-ADAF-5829CFD4CA94}.Debug|Win32.ActiveCfg = Debug|Win32 {29DF226E-4D4E-440F-ADAF-5829CFD4CA94}.Debug|Win32.Build.0 = Debug|Win32 {29DF226E-4D4E-440F-ADAF-5829CFD4CA94}.Release|Win32.ActiveCfg = Release|Win32 {29DF226E-4D4E-440F-ADAF-5829CFD4CA94}.Release|Win32.Build.0 = Release|Win32 {8598C2C8-34C4-47A1-99B0-7C295A890615}.Debug|Win32.ActiveCfg = Debug|Win32 {8598C2C8-34C4-47A1-99B0-7C295A890615}.Debug|Win32.Build.0 = Debug|Win32 {8598C2C8-34C4-47A1-99B0-7C295A890615}.Release|Win32.ActiveCfg = Release|Win32 {8598C2C8-34C4-47A1-99B0-7C295A890615}.Release|Win32.Build.0 = Release|Win32 {4B2E2719-E661-45D7-9203-F6F456B22F19}.Debug|Win32.ActiveCfg = Debug|Win32 {4B2E2719-E661-45D7-9203-F6F456B22F19}.Debug|Win32.Build.0 = Debug|Win32 {4B2E2719-E661-45D7-9203-F6F456B22F19}.Release|Win32.ActiveCfg = Release|Win32 {4B2E2719-E661-45D7-9203-F6F456B22F19}.Release|Win32.Build.0 = Release|Win32 EndGlobalSection GlobalSection(SolutionProperties) = preSolution HideSolutionNode = FALSE EndGlobalSection EndGlobal openvpn-2.4.4/sample/000077500000000000000000000000001316434344000144715ustar00rootroot00000000000000openvpn-2.4.4/sample/Makefile.am000066400000000000000000000016261316434344000165320ustar00rootroot00000000000000# # OpenVPN -- An application to securely tunnel IP networks # over a single UDP port, with support for SSL/TLS-based # session authentication and key exchange, # packet encryption, packet authentication, and # packet compression. # # Copyright (C) 2002-2017 OpenVPN Technologies, Inc. # Copyright (C) 2006-2012 Alon Bar-Lev # MAINTAINERCLEANFILES = \ $(srcdir)/Makefile.in EXTRA_DIST = \ sample-plugins \ sample-config-files \ sample-windows \ sample-keys \ sample-scripts if WIN32 sample_DATA = \ client.ovpn \ server.ovpn \ sample-windows/sample.ovpn client.ovpn: sample-config-files/client.conf -rm -f client.ovpn cp "$(srcdir)/sample-config-files/client.conf" client.ovpn server.ovpn: sample-config-files/server.conf -rm -f server.ovpn cp "$(srcdir)/sample-config-files/server.conf" server.ovpn endif openvpn-2.4.4/sample/Makefile.in000066400000000000000000000417221316434344000165440ustar00rootroot00000000000000# Makefile.in generated by automake 1.14.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2013 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY, to the extent permitted by law; without # even the implied warranty of MERCHANTABILITY or FITNESS FOR A # PARTICULAR PURPOSE. @SET_MAKE@ # # OpenVPN -- An application to securely tunnel IP networks # over a single UDP port, with support for SSL/TLS-based # session authentication and key exchange, # packet encryption, packet authentication, and # packet compression. # # Copyright (C) 2002-2017 OpenVPN Technologies, Inc. # Copyright (C) 2006-2012 Alon Bar-Lev # VPATH = @srcdir@ am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ *) echo "am__make_running_with_option: internal error: invalid" \ "target option '$${target_option-}' specified" >&2; \ exit 1;; \ esac; \ has_opt=no; \ sane_makeflags=$$MAKEFLAGS; \ if $(am__is_gnu_make); then \ sane_makeflags=$$MFLAGS; \ else \ case $$MAKEFLAGS in \ *\\[\ \ ]*) \ bs=\\; \ sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ esac; \ fi; \ skip_next=no; \ strip_trailopt () \ { \ flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ }; \ for flg in $$sane_makeflags; do \ test $$skip_next = yes && { skip_next=no; continue; }; \ case $$flg in \ *=*|--*) continue;; \ -*I) strip_trailopt 'I'; skip_next=yes;; \ -*I?*) strip_trailopt 'I';; \ -*O) strip_trailopt 'O'; skip_next=yes;; \ -*O?*) strip_trailopt 'O';; \ -*l) strip_trailopt 'l'; skip_next=yes;; \ -*l?*) strip_trailopt 'l';; \ -[dEDm]) skip_next=yes;; \ -[JT]) skip_next=yes;; \ esac; \ case $$flg in \ *$$target_option*) has_opt=yes; break;; \ esac; \ done; \ test $$has_opt = yes am__make_dryrun = (target_option=n; $(am__make_running_with_option)) am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) pkgdatadir = $(datadir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ pkglibdir = $(libdir)/@PACKAGE@ pkglibexecdir = $(libexecdir)/@PACKAGE@ am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c install_sh_SCRIPT = $(install_sh) -c INSTALL_HEADER = $(INSTALL_DATA) transform = $(program_transform_name) NORMAL_INSTALL = : PRE_INSTALL = : POST_INSTALL = : NORMAL_UNINSTALL = : PRE_UNINSTALL = : POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = sample DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/ax_emptyarray.m4 \ $(top_srcdir)/m4/ax_socklen_t.m4 \ $(top_srcdir)/m4/ax_varargs.m4 $(top_srcdir)/m4/libtool.m4 \ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ $(top_srcdir)/m4/pkg.m4 $(top_srcdir)/version.m4 \ $(top_srcdir)/compat.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h \ $(top_builddir)/include/openvpn-plugin.h CONFIG_CLEAN_FILES = CONFIG_CLEAN_VPATH_FILES = AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false am__v_P_1 = : AM_V_GEN = $(am__v_GEN_@AM_V@) am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) am__v_GEN_0 = @echo " GEN " $@; am__v_GEN_1 = AM_V_at = $(am__v_at_@AM_V@) am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) am__v_at_0 = @ am__v_at_1 = SOURCES = DIST_SOURCES = am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ *) (install-info --version) >/dev/null 2>&1;; \ esac am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; am__vpath_adj = case $$p in \ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ *) f=$$p;; \ esac; am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; am__install_max = 40 am__nobase_strip_setup = \ srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` am__nobase_strip = \ for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" am__nobase_list = $(am__nobase_strip_setup); \ for p in $$list; do echo "$$p $$p"; done | \ sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ if (++n[$$2] == $(am__install_max)) \ { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ END { for (dir in files) print dir, files[dir] }' am__base_list = \ sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' am__uninstall_files_from_dir = { \ test -z "$$files" \ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ $(am__cd) "$$dir" && rm -f $$files; }; \ } am__installdirs = "$(DESTDIR)$(sampledir)" DATA = $(sample_DATA) am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ AS = @AS@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ CMAKE = @CMAKE@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ DL_LIBS = @DL_LIBS@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ GIT = @GIT@ GREP = @GREP@ IFCONFIG = @IFCONFIG@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ IPROUTE = @IPROUTE@ LD = @LD@ LDFLAGS = @LDFLAGS@ LIBOBJS = @LIBOBJS@ LIBPAM_CFLAGS = @LIBPAM_CFLAGS@ LIBPAM_LIBS = @LIBPAM_LIBS@ LIBS = @LIBS@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ LZ4_CFLAGS = @LZ4_CFLAGS@ LZ4_LIBS = @LZ4_LIBS@ LZO_CFLAGS = @LZO_CFLAGS@ LZO_LIBS = @LZO_LIBS@ MAKEINFO = @MAKEINFO@ MAN2HTML = @MAN2HTML@ MANIFEST_TOOL = @MANIFEST_TOOL@ MBEDTLS_CFLAGS = @MBEDTLS_CFLAGS@ MBEDTLS_LIBS = @MBEDTLS_LIBS@ MKDIR_P = @MKDIR_P@ NETSTAT = @NETSTAT@ NM = @NM@ NMEDIT = @NMEDIT@ OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ OPENSSL_CFLAGS = @OPENSSL_CFLAGS@ OPENSSL_LIBS = @OPENSSL_LIBS@ OPENVPN_VERSION_MAJOR = @OPENVPN_VERSION_MAJOR@ OPENVPN_VERSION_MINOR = @OPENVPN_VERSION_MINOR@ OPENVPN_VERSION_PATCH = @OPENVPN_VERSION_PATCH@ OPTIONAL_CRYPTO_CFLAGS = @OPTIONAL_CRYPTO_CFLAGS@ OPTIONAL_CRYPTO_LIBS = @OPTIONAL_CRYPTO_LIBS@ OPTIONAL_DL_LIBS = @OPTIONAL_DL_LIBS@ OPTIONAL_LZ4_CFLAGS = @OPTIONAL_LZ4_CFLAGS@ OPTIONAL_LZ4_LIBS = @OPTIONAL_LZ4_LIBS@ OPTIONAL_LZO_CFLAGS = @OPTIONAL_LZO_CFLAGS@ OPTIONAL_LZO_LIBS = @OPTIONAL_LZO_LIBS@ OPTIONAL_PKCS11_HELPER_CFLAGS = @OPTIONAL_PKCS11_HELPER_CFLAGS@ OPTIONAL_PKCS11_HELPER_LIBS = @OPTIONAL_PKCS11_HELPER_LIBS@ OPTIONAL_SELINUX_LIBS = @OPTIONAL_SELINUX_LIBS@ OPTIONAL_SYSTEMD_LIBS = @OPTIONAL_SYSTEMD_LIBS@ OTOOL = @OTOOL@ OTOOL64 = @OTOOL64@ P11KIT_CFLAGS = @P11KIT_CFLAGS@ P11KIT_LIBS = @P11KIT_LIBS@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PKCS11_HELPER_CFLAGS = @PKCS11_HELPER_CFLAGS@ PKCS11_HELPER_LIBS = @PKCS11_HELPER_LIBS@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGINDIR = @PLUGINDIR@ PLUGIN_AUTH_PAM_CFLAGS = @PLUGIN_AUTH_PAM_CFLAGS@ PLUGIN_AUTH_PAM_LIBS = @PLUGIN_AUTH_PAM_LIBS@ RANLIB = @RANLIB@ RC = @RC@ ROUTE = @ROUTE@ SED = @SED@ SELINUX_LIBS = @SELINUX_LIBS@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ SOCKETS_LIBS = @SOCKETS_LIBS@ STRIP = @STRIP@ SYSTEMD_ASK_PASSWORD = @SYSTEMD_ASK_PASSWORD@ SYSTEMD_UNIT_DIR = @SYSTEMD_UNIT_DIR@ TAP_CFLAGS = @TAP_CFLAGS@ TAP_WIN_COMPONENT_ID = @TAP_WIN_COMPONENT_ID@ TAP_WIN_MIN_MAJOR = @TAP_WIN_MIN_MAJOR@ TAP_WIN_MIN_MINOR = @TAP_WIN_MIN_MINOR@ TEST_CFLAGS = @TEST_CFLAGS@ TEST_LDFLAGS = @TEST_LDFLAGS@ TMPFILES_DIR = @TMPFILES_DIR@ VENDOR_BUILD_ROOT = @VENDOR_BUILD_ROOT@ VENDOR_DIST_ROOT = @VENDOR_DIST_ROOT@ VENDOR_SRC_ROOT = @VENDOR_SRC_ROOT@ VERSION = @VERSION@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ ac_ct_AR = @ac_ct_AR@ ac_ct_CC = @ac_ct_CC@ ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ am__include = @am__include@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ am__tar = @am__tar@ am__untar = @am__untar@ bindir = @bindir@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ datadir = @datadir@ datarootdir = @datarootdir@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ host_os = @host_os@ host_vendor = @host_vendor@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ libdir = @libdir@ libexecdir = @libexecdir@ libsystemd_CFLAGS = @libsystemd_CFLAGS@ libsystemd_LIBS = @libsystemd_LIBS@ localedir = @localedir@ localstatedir = @localstatedir@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ pdfdir = @pdfdir@ plugindir = @plugindir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ sampledir = @sampledir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ systemdunitdir = @systemdunitdir@ target_alias = @target_alias@ tmpfilesdir = @tmpfilesdir@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ MAINTAINERCLEANFILES = \ $(srcdir)/Makefile.in EXTRA_DIST = \ sample-plugins \ sample-config-files \ sample-windows \ sample-keys \ sample-scripts @WIN32_TRUE@sample_DATA = \ @WIN32_TRUE@ client.ovpn \ @WIN32_TRUE@ server.ovpn \ @WIN32_TRUE@ sample-windows/sample.ovpn all: all-am .SUFFIXES: $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) @for dep in $?; do \ case '$(am__configure_deps)' in \ *$$dep*) \ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ && { if test -f $@; then exit 0; else break; fi; }; \ exit 1;; \ esac; \ done; \ echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign sample/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --foreign sample/Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ *) \ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(top_srcdir)/configure: $(am__configure_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(ACLOCAL_M4): $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(am__aclocal_m4_deps): mostlyclean-libtool: -rm -f *.lo clean-libtool: -rm -rf .libs _libs install-sampleDATA: $(sample_DATA) @$(NORMAL_INSTALL) @list='$(sample_DATA)'; test -n "$(sampledir)" || list=; \ if test -n "$$list"; then \ echo " $(MKDIR_P) '$(DESTDIR)$(sampledir)'"; \ $(MKDIR_P) "$(DESTDIR)$(sampledir)" || exit 1; \ fi; \ for p in $$list; do \ if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ echo "$$d$$p"; \ done | $(am__base_list) | \ while read files; do \ echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(sampledir)'"; \ $(INSTALL_DATA) $$files "$(DESTDIR)$(sampledir)" || exit $$?; \ done uninstall-sampleDATA: @$(NORMAL_UNINSTALL) @list='$(sample_DATA)'; test -n "$(sampledir)" || list=; \ files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ dir='$(DESTDIR)$(sampledir)'; $(am__uninstall_files_from_dir) tags TAGS: ctags CTAGS: cscope cscopelist: distdir: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ dist_files=`for file in $$list; do echo $$file; done | \ sed -e "s|^$$srcdirstrip/||;t" \ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ case $$dist_files in \ */*) $(MKDIR_P) `echo "$$dist_files" | \ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ sort -u` ;; \ esac; \ for file in $$dist_files; do \ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ if test -d $$d/$$file; then \ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ if test -d "$(distdir)/$$file"; then \ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ else \ test -f "$(distdir)/$$file" \ || cp -p $$d/$$file "$(distdir)/$$file" \ || exit 1; \ fi; \ done check-am: all-am check: check-am all-am: Makefile $(DATA) installdirs: for dir in "$(DESTDIR)$(sampledir)"; do \ test -z "$$dir" || $(MKDIR_P) "$$dir"; \ done install: install-am install-exec: install-exec-am install-data: install-data-am uninstall: uninstall-am install-am: all-am @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am installcheck: installcheck-am install-strip: if test -z '$(STRIP)'; then \ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ install; \ else \ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ fi mostlyclean-generic: clean-generic: distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @echo "it deletes files that may require special tools to rebuild." -test -z "$(MAINTAINERCLEANFILES)" || rm -f $(MAINTAINERCLEANFILES) clean: clean-am clean-am: clean-generic clean-libtool mostlyclean-am distclean: distclean-am -rm -f Makefile distclean-am: clean-am distclean-generic dvi: dvi-am dvi-am: html: html-am html-am: info: info-am info-am: install-data-am: install-sampleDATA install-dvi: install-dvi-am install-dvi-am: install-exec-am: install-html: install-html-am install-html-am: install-info: install-info-am install-info-am: install-man: install-pdf: install-pdf-am install-pdf-am: install-ps: install-ps-am install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-am -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic mostlyclean: mostlyclean-am mostlyclean-am: mostlyclean-generic mostlyclean-libtool pdf: pdf-am pdf-am: ps: ps-am ps-am: uninstall-am: uninstall-sampleDATA .MAKE: install-am install-strip .PHONY: all all-am check check-am clean clean-generic clean-libtool \ cscopelist-am ctags-am distclean distclean-generic \ distclean-libtool distdir dvi dvi-am html html-am info info-am \ install install-am install-data install-data-am install-dvi \ install-dvi-am install-exec install-exec-am install-html \ install-html-am install-info install-info-am install-man \ install-pdf install-pdf-am install-ps install-ps-am \ install-sampleDATA install-strip installcheck installcheck-am \ installdirs maintainer-clean maintainer-clean-generic \ mostlyclean mostlyclean-generic mostlyclean-libtool pdf pdf-am \ ps ps-am tags-am uninstall uninstall-am uninstall-sampleDATA @WIN32_TRUE@client.ovpn: sample-config-files/client.conf @WIN32_TRUE@ -rm -f client.ovpn @WIN32_TRUE@ cp "$(srcdir)/sample-config-files/client.conf" client.ovpn @WIN32_TRUE@server.ovpn: sample-config-files/server.conf @WIN32_TRUE@ -rm -f server.ovpn @WIN32_TRUE@ cp "$(srcdir)/sample-config-files/server.conf" server.ovpn # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: openvpn-2.4.4/sample/sample-config-files/000077500000000000000000000000001316434344000203155ustar00rootroot00000000000000openvpn-2.4.4/sample/sample-config-files/README000066400000000000000000000002031316434344000211700ustar00rootroot00000000000000Sample OpenVPN Configuration Files. These files are part of the OpenVPN HOWTO which is located at: http://openvpn.net/howto.html openvpn-2.4.4/sample/sample-config-files/client.conf000066400000000000000000000070011316434344000224400ustar00rootroot00000000000000############################################## # Sample client-side OpenVPN 2.0 config file # # for connecting to multi-client server. # # # # This configuration can be used by multiple # # clients, however each client should have # # its own cert and key files. # # # # On Windows, you might want to rename this # # file so it has a .ovpn extension # ############################################## # Specify that we are a client and that we # will be pulling certain config file directives # from the server. client # Use the same setting as you are using on # the server. # On most systems, the VPN will not function # unless you partially or fully disable # the firewall for the TUN/TAP interface. ;dev tap dev tun # Windows needs the TAP-Win32 adapter name # from the Network Connections panel # if you have more than one. On XP SP2, # you may need to disable the firewall # for the TAP adapter. ;dev-node MyTap # Are we connecting to a TCP or # UDP server? Use the same setting as # on the server. ;proto tcp proto udp # The hostname/IP and port of the server. # You can have multiple remote entries # to load balance between the servers. remote my-server-1 1194 ;remote my-server-2 1194 # Choose a random host from the remote # list for load-balancing. Otherwise # try hosts in the order specified. ;remote-random # Keep trying indefinitely to resolve the # host name of the OpenVPN server. Very useful # on machines which are not permanently connected # to the internet such as laptops. resolv-retry infinite # Most clients don't need to bind to # a specific local port number. nobind # Downgrade privileges after initialization (non-Windows only) ;user nobody ;group nobody # Try to preserve some state across restarts. persist-key persist-tun # If you are connecting through an # HTTP proxy to reach the actual OpenVPN # server, put the proxy server/IP and # port number here. See the man page # if your proxy server requires # authentication. ;http-proxy-retry # retry on connection failures ;http-proxy [proxy server] [proxy port #] # Wireless networks often produce a lot # of duplicate packets. Set this flag # to silence duplicate packet warnings. ;mute-replay-warnings # SSL/TLS parms. # See the server config file for more # description. It's best to use # a separate .crt/.key file pair # for each client. A single ca # file can be used for all clients. ca ca.crt cert client.crt key client.key # Verify server certificate by checking that the # certicate has the correct key usage set. # This is an important precaution to protect against # a potential attack discussed here: # http://openvpn.net/howto.html#mitm # # To use this feature, you will need to generate # your server certificates with the keyUsage set to # digitalSignature, keyEncipherment # and the extendedKeyUsage to # serverAuth # EasyRSA can do this for you. remote-cert-tls server # If a tls-auth key is used on the server # then every client must also have the key. tls-auth ta.key 1 # Select a cryptographic cipher. # If the cipher option is used on the server # then you must also specify it here. # Note that v2.4 client/server will automatically # negotiate AES-256-GCM in TLS mode. # See also the ncp-cipher option in the manpage cipher AES-256-CBC # Enable compression on the VPN link. # Don't enable this unless it is also # enabled in the server config file. #comp-lzo # Set log file verbosity. verb 3 # Silence repeating messages ;mute 20 openvpn-2.4.4/sample/sample-config-files/firewall.sh000077500000000000000000000067521316434344000224730ustar00rootroot00000000000000#!/bin/sh # A Sample OpenVPN-aware firewall. # eth0 is connected to the internet. # eth1 is connected to a private subnet. # Change this subnet to correspond to your private # ethernet subnet. Home will use HOME_NET/24 and # Office will use OFFICE_NET/24. PRIVATE=10.0.0.0/24 # Loopback address LOOP=127.0.0.1 # Delete old iptables rules # and temporarily block all traffic. iptables -P OUTPUT DROP iptables -P INPUT DROP iptables -P FORWARD DROP iptables -F # Set default policies iptables -P OUTPUT ACCEPT iptables -P INPUT DROP iptables -P FORWARD DROP # Prevent external packets from using loopback addr iptables -A INPUT -i eth0 -s $LOOP -j DROP iptables -A FORWARD -i eth0 -s $LOOP -j DROP iptables -A INPUT -i eth0 -d $LOOP -j DROP iptables -A FORWARD -i eth0 -d $LOOP -j DROP # Anything coming from the Internet should have a real Internet address iptables -A FORWARD -i eth0 -s 192.168.0.0/16 -j DROP iptables -A FORWARD -i eth0 -s 172.16.0.0/12 -j DROP iptables -A FORWARD -i eth0 -s 10.0.0.0/8 -j DROP iptables -A INPUT -i eth0 -s 192.168.0.0/16 -j DROP iptables -A INPUT -i eth0 -s 172.16.0.0/12 -j DROP iptables -A INPUT -i eth0 -s 10.0.0.0/8 -j DROP # Block outgoing NetBios (if you have windows machines running # on the private subnet). This will not affect any NetBios # traffic that flows over the VPN tunnel, but it will stop # local windows machines from broadcasting themselves to # the internet. iptables -A FORWARD -p tcp --sport 137:139 -o eth0 -j DROP iptables -A FORWARD -p udp --sport 137:139 -o eth0 -j DROP iptables -A OUTPUT -p tcp --sport 137:139 -o eth0 -j DROP iptables -A OUTPUT -p udp --sport 137:139 -o eth0 -j DROP # Check source address validity on packets going out to internet iptables -A FORWARD -s ! $PRIVATE -i eth1 -j DROP # Allow local loopback iptables -A INPUT -s $LOOP -j ACCEPT iptables -A INPUT -d $LOOP -j ACCEPT # Allow incoming pings (can be disabled) iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT # Allow services such as www and ssh (can be disabled) iptables -A INPUT -p tcp --dport http -j ACCEPT iptables -A INPUT -p tcp --dport ssh -j ACCEPT # Allow incoming OpenVPN packets # Duplicate the line below for each # OpenVPN tunnel, changing --dport n # to match the OpenVPN UDP port. # # In OpenVPN, the port number is # controlled by the --port n option. # If you put this option in the config # file, you can remove the leading '--' # # If you taking the stateful firewall # approach (see the OpenVPN HOWTO), # then comment out the line below. iptables -A INPUT -p udp --dport 1194 -j ACCEPT # Allow packets from TUN/TAP devices. # When OpenVPN is run in a secure mode, # it will authenticate packets prior # to their arriving on a tun or tap # interface. Therefore, it is not # necessary to add any filters here, # unless you want to restrict the # type of packets which can flow over # the tunnel. iptables -A INPUT -i tun+ -j ACCEPT iptables -A FORWARD -i tun+ -j ACCEPT iptables -A INPUT -i tap+ -j ACCEPT iptables -A FORWARD -i tap+ -j ACCEPT # Allow packets from private subnets iptables -A INPUT -i eth1 -j ACCEPT iptables -A FORWARD -i eth1 -j ACCEPT # Keep state of connections from local machine and private subnets iptables -A OUTPUT -m state --state NEW -o eth0 -j ACCEPT iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A FORWARD -m state --state NEW -o eth0 -j ACCEPT iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # Masquerade local subnet iptables -t nat -A POSTROUTING -s $PRIVATE -o eth0 -j MASQUERADE openvpn-2.4.4/sample/sample-config-files/home.up000077500000000000000000000000761316434344000216210ustar00rootroot00000000000000#!/bin/sh route add -net 10.0.0.0 netmask 255.255.255.0 gw $5 openvpn-2.4.4/sample/sample-config-files/loopback-client000066400000000000000000000012401316434344000233030ustar00rootroot00000000000000# Perform a TLS loopback test -- client side. # # This test performs a TLS negotiation once every 10 seconds, # and will terminate after 2 minutes. # # From the root directory of the OpenVPN distribution, # after openvpn has been built, run: # # ./openvpn --config sample-config-files/loopback-client (In one window) # ./openvpn --config sample-config-files/loopback-server (Simultaneously in another window) rport 16000 lport 16001 remote localhost local localhost dev null verb 3 reneg-sec 10 tls-client remote-cert-tls server ca sample-keys/ca.crt key sample-keys/client.key cert sample-keys/client.crt tls-auth sample-keys/ta.key 1 ping 1 inactive 120 10000000 openvpn-2.4.4/sample/sample-config-files/loopback-server000066400000000000000000000012431316434344000233360ustar00rootroot00000000000000# Perform a TLS loopback test -- server side. # # This test performs a TLS negotiation once every 10 seconds, # and will terminate after 2 minutes. # # From the root directory of the OpenVPN distribution, # after openvpn has been built, run: # # ./openvpn --config sample-config-files/loopback-client (In one window) # ./openvpn --config sample-config-files/loopback-server (Simultaneously in another window) rport 16001 lport 16000 remote localhost local localhost dev null verb 3 reneg-sec 10 tls-server dh sample-keys/dh2048.pem ca sample-keys/ca.crt key sample-keys/server.key cert sample-keys/server.crt tls-auth sample-keys/ta.key 0 ping 1 inactive 120 10000000 openvpn-2.4.4/sample/sample-config-files/office.up000077500000000000000000000000761316434344000221240ustar00rootroot00000000000000#!/bin/sh route add -net 10.0.1.0 netmask 255.255.255.0 gw $5 openvpn-2.4.4/sample/sample-config-files/openvpn-shutdown.sh000077500000000000000000000000771316434344000242160ustar00rootroot00000000000000#!/bin/sh # stop all openvpn processes killall -TERM openvpn openvpn-2.4.4/sample/sample-config-files/openvpn-startup.sh000077500000000000000000000014101316434344000240350ustar00rootroot00000000000000#!/bin/sh # A sample OpenVPN startup script # for Linux. # openvpn config file directory dir=/etc/openvpn # load the firewall $dir/firewall.sh # load TUN/TAP kernel module modprobe tun # enable IP forwarding echo 1 > /proc/sys/net/ipv4/ip_forward # Invoke openvpn for each VPN tunnel # in daemon mode. Alternatively, # you could remove "--daemon" from # the command line and add "daemon" # to the config file. # # Each tunnel should run on a separate # UDP port. Use the "port" option # to control this. Like all of # OpenVPN's options, you can # specify "--port 8000" on the command # line or "port 8000" in the config # file. openvpn --cd $dir --daemon --config vpn1.conf openvpn --cd $dir --daemon --config vpn2.conf openvpn --cd $dir --daemon --config vpn2.conf openvpn-2.4.4/sample/sample-config-files/server.conf000066400000000000000000000250401316434344000224730ustar00rootroot00000000000000################################################# # Sample OpenVPN 2.0 config file for # # multi-client server. # # # # This file is for the server side # # of a many-clients <-> one-server # # OpenVPN configuration. # # # # OpenVPN also supports # # single-machine <-> single-machine # # configurations (See the Examples page # # on the web site for more info). # # # # This config should work on Windows # # or Linux/BSD systems. Remember on # # Windows to quote pathnames and use # # double backslashes, e.g.: # # "C:\\Program Files\\OpenVPN\\config\\foo.key" # # # # Comments are preceded with '#' or ';' # ################################################# # Which local IP address should OpenVPN # listen on? (optional) ;local a.b.c.d # Which TCP/UDP port should OpenVPN listen on? # If you want to run multiple OpenVPN instances # on the same machine, use a different port # number for each one. You will need to # open up this port on your firewall. port 1194 # TCP or UDP server? ;proto tcp proto udp # "dev tun" will create a routed IP tunnel, # "dev tap" will create an ethernet tunnel. # Use "dev tap0" if you are ethernet bridging # and have precreated a tap0 virtual interface # and bridged it with your ethernet interface. # If you want to control access policies # over the VPN, you must create firewall # rules for the the TUN/TAP interface. # On non-Windows systems, you can give # an explicit unit number, such as tun0. # On Windows, use "dev-node" for this. # On most systems, the VPN will not function # unless you partially or fully disable # the firewall for the TUN/TAP interface. ;dev tap dev tun # Windows needs the TAP-Win32 adapter name # from the Network Connections panel if you # have more than one. On XP SP2 or higher, # you may need to selectively disable the # Windows firewall for the TAP adapter. # Non-Windows systems usually don't need this. ;dev-node MyTap # SSL/TLS root certificate (ca), certificate # (cert), and private key (key). Each client # and the server must have their own cert and # key file. The server and all clients will # use the same ca file. # # See the "easy-rsa" directory for a series # of scripts for generating RSA certificates # and private keys. Remember to use # a unique Common Name for the server # and each of the client certificates. # # Any X509 key management system can be used. # OpenVPN can also use a PKCS #12 formatted key file # (see "pkcs12" directive in man page). ca ca.crt cert server.crt key server.key # This file should be kept secret # Diffie hellman parameters. # Generate your own with: # openssl dhparam -out dh2048.pem 2048 dh dh2048.pem # Network topology # Should be subnet (addressing via IP) # unless Windows clients v2.0.9 and lower have to # be supported (then net30, i.e. a /30 per client) # Defaults to net30 (not recommended) ;topology subnet # Configure server mode and supply a VPN subnet # for OpenVPN to draw client addresses from. # The server will take 10.8.0.1 for itself, # the rest will be made available to clients. # Each client will be able to reach the server # on 10.8.0.1. Comment this line out if you are # ethernet bridging. See the man page for more info. server 10.8.0.0 255.255.255.0 # Maintain a record of client <-> virtual IP address # associations in this file. If OpenVPN goes down or # is restarted, reconnecting clients can be assigned # the same virtual IP address from the pool that was # previously assigned. ifconfig-pool-persist ipp.txt # Configure server mode for ethernet bridging. # You must first use your OS's bridging capability # to bridge the TAP interface with the ethernet # NIC interface. Then you must manually set the # IP/netmask on the bridge interface, here we # assume 10.8.0.4/255.255.255.0. Finally we # must set aside an IP range in this subnet # (start=10.8.0.50 end=10.8.0.100) to allocate # to connecting clients. Leave this line commented # out unless you are ethernet bridging. ;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100 # Configure server mode for ethernet bridging # using a DHCP-proxy, where clients talk # to the OpenVPN server-side DHCP server # to receive their IP address allocation # and DNS server addresses. You must first use # your OS's bridging capability to bridge the TAP # interface with the ethernet NIC interface. # Note: this mode only works on clients (such as # Windows), where the client-side TAP adapter is # bound to a DHCP client. ;server-bridge # Push routes to the client to allow it # to reach other private subnets behind # the server. Remember that these # private subnets will also need # to know to route the OpenVPN client # address pool (10.8.0.0/255.255.255.0) # back to the OpenVPN server. ;push "route 192.168.10.0 255.255.255.0" ;push "route 192.168.20.0 255.255.255.0" # To assign specific IP addresses to specific # clients or if a connecting client has a private # subnet behind it that should also have VPN access, # use the subdirectory "ccd" for client-specific # configuration files (see man page for more info). # EXAMPLE: Suppose the client # having the certificate common name "Thelonious" # also has a small subnet behind his connecting # machine, such as 192.168.40.128/255.255.255.248. # First, uncomment out these lines: ;client-config-dir ccd ;route 192.168.40.128 255.255.255.248 # Then create a file ccd/Thelonious with this line: # iroute 192.168.40.128 255.255.255.248 # This will allow Thelonious' private subnet to # access the VPN. This example will only work # if you are routing, not bridging, i.e. you are # using "dev tun" and "server" directives. # EXAMPLE: Suppose you want to give # Thelonious a fixed VPN IP address of 10.9.0.1. # First uncomment out these lines: ;client-config-dir ccd ;route 10.9.0.0 255.255.255.252 # Then add this line to ccd/Thelonious: # ifconfig-push 10.9.0.1 10.9.0.2 # Suppose that you want to enable different # firewall access policies for different groups # of clients. There are two methods: # (1) Run multiple OpenVPN daemons, one for each # group, and firewall the TUN/TAP interface # for each group/daemon appropriately. # (2) (Advanced) Create a script to dynamically # modify the firewall in response to access # from different clients. See man # page for more info on learn-address script. ;learn-address ./script # If enabled, this directive will configure # all clients to redirect their default # network gateway through the VPN, causing # all IP traffic such as web browsing and # and DNS lookups to go through the VPN # (The OpenVPN server machine may need to NAT # or bridge the TUN/TAP interface to the internet # in order for this to work properly). ;push "redirect-gateway def1 bypass-dhcp" # Certain Windows-specific network settings # can be pushed to clients, such as DNS # or WINS server addresses. CAVEAT: # http://openvpn.net/faq.html#dhcpcaveats # The addresses below refer to the public # DNS servers provided by opendns.com. ;push "dhcp-option DNS 208.67.222.222" ;push "dhcp-option DNS 208.67.220.220" # Uncomment this directive to allow different # clients to be able to "see" each other. # By default, clients will only see the server. # To force clients to only see the server, you # will also need to appropriately firewall the # server's TUN/TAP interface. ;client-to-client # Uncomment this directive if multiple clients # might connect with the same certificate/key # files or common names. This is recommended # only for testing purposes. For production use, # each client should have its own certificate/key # pair. # # IF YOU HAVE NOT GENERATED INDIVIDUAL # CERTIFICATE/KEY PAIRS FOR EACH CLIENT, # EACH HAVING ITS OWN UNIQUE "COMMON NAME", # UNCOMMENT THIS LINE OUT. ;duplicate-cn # The keepalive directive causes ping-like # messages to be sent back and forth over # the link so that each side knows when # the other side has gone down. # Ping every 10 seconds, assume that remote # peer is down if no ping received during # a 120 second time period. keepalive 10 120 # For extra security beyond that provided # by SSL/TLS, create an "HMAC firewall" # to help block DoS attacks and UDP port flooding. # # Generate with: # openvpn --genkey --secret ta.key # # The server and each client must have # a copy of this key. # The second parameter should be '0' # on the server and '1' on the clients. tls-auth ta.key 0 # This file is secret # Select a cryptographic cipher. # This config item must be copied to # the client config file as well. # Note that v2.4 client/server will automatically # negotiate AES-256-GCM in TLS mode. # See also the ncp-cipher option in the manpage cipher AES-256-CBC # Enable compression on the VPN link and push the # option to the client (v2.4+ only, for earlier # versions see below) ;compress lz4-v2 ;push "compress lz4-v2" # For compression compatible with older clients use comp-lzo # If you enable it here, you must also # enable it in the client config file. ;comp-lzo # The maximum number of concurrently connected # clients we want to allow. ;max-clients 100 # It's a good idea to reduce the OpenVPN # daemon's privileges after initialization. # # You can uncomment this out on # non-Windows systems. ;user nobody ;group nobody # The persist options will try to avoid # accessing certain resources on restart # that may no longer be accessible because # of the privilege downgrade. persist-key persist-tun # Output a short status file showing # current connections, truncated # and rewritten every minute. status openvpn-status.log # By default, log messages will go to the syslog (or # on Windows, if running as a service, they will go to # the "\Program Files\OpenVPN\log" directory). # Use log or log-append to override this default. # "log" will truncate the log file on OpenVPN startup, # while "log-append" will append to it. Use one # or the other (but not both). ;log openvpn.log ;log-append openvpn.log # Set the appropriate level of log # file verbosity. # # 0 is silent, except for fatal errors # 4 is reasonable for general usage # 5 and 6 can help to debug connection problems # 9 is extremely verbose verb 3 # Silence repeating messages. At most 20 # sequential messages of the same message # category will be output to the log. ;mute 20 # Notify the client that when the server restarts so it # can automatically reconnect. explicit-exit-notify 1openvpn-2.4.4/sample/sample-config-files/static-home.conf000066400000000000000000000033621316434344000234050ustar00rootroot00000000000000# # Sample OpenVPN configuration file for # home using a pre-shared static key. # # '#' or ';' may be used to delimit comments. # Use a dynamic tun device. # For Linux 2.2 or non-Linux OSes, # you may want to use an explicit # unit number such as "tun1". # OpenVPN also supports virtual # ethernet "tap" devices. dev tun # Our OpenVPN peer is the office gateway. remote 1.2.3.4 # 10.1.0.2 is our local VPN endpoint (home). # 10.1.0.1 is our remote VPN endpoint (office). ifconfig 10.1.0.2 10.1.0.1 # Our up script will establish routes # once the VPN is alive. up ./home.up # Our pre-shared static key secret static.key # Cipher to use cipher AES-256-CBC # OpenVPN 2.0 uses UDP port 1194 by default # (official port assignment by iana.org 11/04). # OpenVPN 1.x uses UDP port 5000 by default. # Each OpenVPN tunnel must use # a different port number. # lport or rport can be used # to denote different ports # for local and remote. ; port 1194 # Downgrade UID and GID to # "nobody" after initialization # for extra security. ; user nobody ; group nobody # If you built OpenVPN with # LZO compression, uncomment # out the following line. ; comp-lzo # Send a UDP ping to remote once # every 15 seconds to keep # stateful firewall connection # alive. Uncomment this # out if you are using a stateful # firewall. ; ping 15 # Uncomment this section for a more reliable detection when a system # loses its connection. For example, dial-ups or laptops that # travel to other locations. ; ping 15 ; ping-restart 45 ; ping-timer-rem ; persist-tun ; persist-key # Verbosity level. # 0 -- quiet except for fatal errors. # 1 -- mostly quiet, but display non-fatal network errors. # 3 -- medium output, good for normal operation. # 9 -- verbose, good for troubleshooting verb 3 openvpn-2.4.4/sample/sample-config-files/static-office.conf000066400000000000000000000032741316434344000237120ustar00rootroot00000000000000# # Sample OpenVPN configuration file for # office using a pre-shared static key. # # '#' or ';' may be used to delimit comments. # Use a dynamic tun device. # For Linux 2.2 or non-Linux OSes, # you may want to use an explicit # unit number such as "tun1". # OpenVPN also supports virtual # ethernet "tap" devices. dev tun # 10.1.0.1 is our local VPN endpoint (office). # 10.1.0.2 is our remote VPN endpoint (home). ifconfig 10.1.0.1 10.1.0.2 # Our up script will establish routes # once the VPN is alive. up ./office.up # Our pre-shared static key secret static.key # Cipher to use cipher AES-256-CBC # OpenVPN 2.0 uses UDP port 1194 by default # (official port assignment by iana.org 11/04). # OpenVPN 1.x uses UDP port 5000 by default. # Each OpenVPN tunnel must use # a different port number. # lport or rport can be used # to denote different ports # for local and remote. ; port 1194 # Downgrade UID and GID to # "nobody" after initialization # for extra security. ; user nobody ; group nobody # If you built OpenVPN with # LZO compression, uncomment # out the following line. ; comp-lzo # Send a UDP ping to remote once # every 15 seconds to keep # stateful firewall connection # alive. Uncomment this # out if you are using a stateful # firewall. ; ping 15 # Uncomment this section for a more reliable detection when a system # loses its connection. For example, dial-ups or laptops that # travel to other locations. ; ping 15 ; ping-restart 45 ; ping-timer-rem ; persist-tun ; persist-key # Verbosity level. # 0 -- quiet except for fatal errors. # 1 -- mostly quiet, but display non-fatal network errors. # 3 -- medium output, good for normal operation. # 9 -- verbose, good for troubleshooting verb 3 openvpn-2.4.4/sample/sample-config-files/tls-home.conf000066400000000000000000000036211316434344000227160ustar00rootroot00000000000000# # Sample OpenVPN configuration file for # home using SSL/TLS mode and RSA certificates/keys. # # '#' or ';' may be used to delimit comments. # Use a dynamic tun device. # For Linux 2.2 or non-Linux OSes, # you may want to use an explicit # unit number such as "tun1". # OpenVPN also supports virtual # ethernet "tap" devices. dev tun # Our OpenVPN peer is the office gateway. remote 1.2.3.4 # 10.1.0.2 is our local VPN endpoint (home). # 10.1.0.1 is our remote VPN endpoint (office). ifconfig 10.1.0.2 10.1.0.1 # Our up script will establish routes # once the VPN is alive. up ./home.up # In SSL/TLS key exchange, Office will # assume server role and Home # will assume client role. tls-client # Certificate Authority file ca my-ca.crt # Our certificate/public key cert home.crt # Our private key key home.key # OpenVPN 2.0 uses UDP port 1194 by default # (official port assignment by iana.org 11/04). # OpenVPN 1.x uses UDP port 5000 by default. # Each OpenVPN tunnel must use # a different port number. # lport or rport can be used # to denote different ports # for local and remote. ; port 1194 # Downgrade UID and GID to # "nobody" after initialization # for extra security. ; user nobody ; group nobody # If you built OpenVPN with # LZO compression, uncomment # out the following line. ; comp-lzo # Send a UDP ping to remote once # every 15 seconds to keep # stateful firewall connection # alive. Uncomment this # out if you are using a stateful # firewall. ; ping 15 # Uncomment this section for a more reliable detection when a system # loses its connection. For example, dial-ups or laptops that # travel to other locations. ; ping 15 ; ping-restart 45 ; ping-timer-rem ; persist-tun ; persist-key # Verbosity level. # 0 -- quiet except for fatal errors. # 1 -- mostly quiet, but display non-fatal network errors. # 3 -- medium output, good for normal operation. # 9 -- verbose, good for troubleshooting verb 3 openvpn-2.4.4/sample/sample-config-files/tls-office.conf000066400000000000000000000036341316434344000232250ustar00rootroot00000000000000# # Sample OpenVPN configuration file for # office using SSL/TLS mode and RSA certificates/keys. # # '#' or ';' may be used to delimit comments. # Use a dynamic tun device. # For Linux 2.2 or non-Linux OSes, # you may want to use an explicit # unit number such as "tun1". # OpenVPN also supports virtual # ethernet "tap" devices. dev tun # 10.1.0.1 is our local VPN endpoint (office). # 10.1.0.2 is our remote VPN endpoint (home). ifconfig 10.1.0.1 10.1.0.2 # Our up script will establish routes # once the VPN is alive. up ./office.up # In SSL/TLS key exchange, Office will # assume server role and Home # will assume client role. tls-server # Diffie-Hellman Parameters (tls-server only) dh dh2048.pem # Certificate Authority file ca my-ca.crt # Our certificate/public key cert office.crt # Our private key key office.key # OpenVPN 2.0 uses UDP port 1194 by default # (official port assignment by iana.org 11/04). # OpenVPN 1.x uses UDP port 5000 by default. # Each OpenVPN tunnel must use # a different port number. # lport or rport can be used # to denote different ports # for local and remote. ; port 1194 # Downgrade UID and GID to # "nobody" after initialization # for extra security. ; user nobody ; group nobody # If you built OpenVPN with # LZO compression, uncomment # out the following line. ; comp-lzo # Send a UDP ping to remote once # every 15 seconds to keep # stateful firewall connection # alive. Uncomment this # out if you are using a stateful # firewall. ; ping 15 # Uncomment this section for a more reliable detection when a system # loses its connection. For example, dial-ups or laptops that # travel to other locations. ; ping 15 ; ping-restart 45 ; ping-timer-rem ; persist-tun ; persist-key # Verbosity level. # 0 -- quiet except for fatal errors. # 1 -- mostly quiet, but display non-fatal network errors. # 3 -- medium output, good for normal operation. # 9 -- verbose, good for troubleshooting verb 3 openvpn-2.4.4/sample/sample-config-files/xinetd-client-config000066400000000000000000000003071316434344000242520ustar00rootroot00000000000000# This OpenVPN config file # is the client side counterpart # of xinetd-server-config dev tun ifconfig 10.4.0.1 10.4.0.2 remote my-server port 1194 user nobody secret /root/openvpn/key inactive 600 openvpn-2.4.4/sample/sample-config-files/xinetd-server-config000066400000000000000000000017351316434344000243100ustar00rootroot00000000000000# An xinetd configuration file for OpenVPN. # # This file should be renamed to openvpn or something suitably # descriptive and copied to the /etc/xinetd.d directory. # xinetd can then be made aware of this file by restarting # it or sending it a SIGHUP signal. # # For each potential incoming client, create a separate version # of this configuration file on a unique port number. Also note # that the key file and ifconfig endpoints should be unique for # each client. This configuration assumes that the OpenVPN # executable and key live in /root/openvpn. Change this to fit # your environment. service openvpn_1 { type = UNLISTED port = 1194 socket_type = dgram protocol = udp wait = yes user = root server = /root/openvpn/openvpn server_args = --inetd --dev tun --ifconfig 10.4.0.2 10.4.0.1 --secret /root/openvpn/key --inactive 600 --user nobody } openvpn-2.4.4/sample/sample-keys/000077500000000000000000000000001316434344000167235ustar00rootroot00000000000000openvpn-2.4.4/sample/sample-keys/README000066400000000000000000000013411316434344000176020ustar00rootroot00000000000000Sample RSA and EC keys. Run ./gen-sample-keys.sh to generate fresh test keys. See the examples section of the man page for usage examples. NOTE: THESE KEYS ARE FOR TESTING PURPOSES ONLY. DON'T USE THEM FOR ANY REAL WORK BECAUSE THEY ARE TOTALLY INSECURE! ca.{crt,key} -- sample CA key/cert server.{crt,key} -- sample server key/cert client.{crt,key} -- sample client key/cert client-pass.key -- sample client key with password-encrypted key password = "password" client.p12 -- sample client pkcs12 bundle password = "password" client-ec.{crt,key} -- sample elliptic curve client key/cert server-ec.{crt,key} -- sample elliptic curve server key/cert openvpn-2.4.4/sample/sample-keys/ca.crt000066400000000000000000000042231316434344000200210ustar00rootroot00000000000000-----BEGIN CERTIFICATE----- MIIGKDCCBBCgAwIBAgIJAKFO3vqQ8q6BMA0GCSqGSIb3DQEBCwUAMGYxCzAJBgNV BAYTAktHMQswCQYDVQQIEwJOQTEQMA4GA1UEBxMHQklTSEtFSzEVMBMGA1UEChMM T3BlblZQTi1URVNUMSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21haW4w HhcNMTQxMDIyMjE1OTUyWhcNMjQxMDE5MjE1OTUyWjBmMQswCQYDVQQGEwJLRzEL MAkGA1UECBMCTkExEDAOBgNVBAcTB0JJU0hLRUsxFTATBgNVBAoTDE9wZW5WUE4t VEVTVDEhMB8GCSqGSIb3DQEJARYSbWVAbXlob3N0Lm15ZG9tYWluMIICIjANBgkq hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAsJVPCqt3vtoDW2U0DII1QIh2Qs0dqh88 8nivxAIm2LTq93e9fJhsq3P/UVYAYSeCIrekXypR0EQgSgcNTvGBMe20BoHO5yvb GjKPmjfLj6XRotCOGy8EDl/hLgRY9efiA8wsVfuvF2q/FblyJQPR/gPiDtTmUiqF qXa7AJmMrqFsnWppOuGd7Qc6aTsae4TF1e/gUTCTraa7NeHowDaKhdyFmEEnCYR5 CeUsx2JlFWAH8PCrxBpHYbmGyvS0kH3+rQkaSM/Pzc2bS4ayHaOYRK5XsGq8XiNG KTTLnSaCdPeHsI+3xMHmEh+u5Og2DFGgvyD22gde6W2ezvEKCUDrzR7bsnYqqyUy n7LxnkPXGyvR52T06G8KzLKQRmDlPIXhzKMO07qkHmIonXTdF7YI1azwHpAtN4dS rUe1bvjiTSoEsQPfOAyvD0RMK/CBfgEZUzAB50e/IlbZ84c0DJfUMOm4xCyft1HF YpYeyCf5dxoIjweCPOoP426+aTXM7kqq0ieIr6YxnKV6OGGLKEY+VNZh1DS7enqV HP5i8eimyuUYPoQhbK9xtDGMgghnc6Hn8BldPMcvz98HdTEH4rBfA3yNuCxLSNow 4jJuLjNXh2QeiUtWtkXja7ec+P7VqKTduJoRaX7cs+8E3ImigiRnvmK+npk7Nt1y YE9hBRhSoLsCAwEAAaOB2DCB1TAdBgNVHQ4EFgQUK0DlyX319JY46S/jL9lAZMmO BZswgZgGA1UdIwSBkDCBjYAUK0DlyX319JY46S/jL9lAZMmOBZuhaqRoMGYxCzAJ BgNVBAYTAktHMQswCQYDVQQIEwJOQTEQMA4GA1UEBxMHQklTSEtFSzEVMBMGA1UE ChMMT3BlblZQTi1URVNUMSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21h aW6CCQChTt76kPKugTAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG 9w0BAQsFAAOCAgEABc77f4C4P8fIS+V8qCJmVNSDU44UZBc+D+J6ZTgW8JeOHUIj Bh++XDg3gwat7pIWQ8AU5R7h+fpBI9n3dadyIsMHGwSogHY9Gw7di2RVtSFajEth rvrq0JbzpwoYedMh84sJ2qI/DGKW9/Is9+O52fR+3z3dY3gNRDPQ5675BQ5CQW9I AJgLOqzD8Q0qrXYi7HaEqzNx6p7RDTuhFgvTd+vS5d5+28Z5fm2umnq+GKHF8W5P ylp2Js119FTVO7brusAMKPe5emc7tC2ov8OFFemQvfHR41PLryap2VD81IOgmt/J kX/j/y5KGux5HZ3lxXqdJbKcAq4NKYQT0mCkRD4l6szaCEJ+k0SiM9DdTcBDefhR 9q+pCOyMh7d8QjQ1075mF7T+PGkZQUW1DUjEfrZhICnKgq+iEoUmM0Ee5WtRqcnu 5BTGQ2mSfc6rV+Vr+eYXqcg7Nxb3vFXYSTod1UhefonVqwdmyJ2sC79zp36Tbo2+ 65NW2WJK7KzPUyOJU0U9bcu0utvDOvGWmG+aHbymJgcoFzvZmlXqMXn97pSFn4jV y3SLRgJXOw1QLXL2Y5abcuoBVr4gCOxxk2vBeVxOMRXNqSWZOFIF1bu/PxuDA+Sa hEi44aHbPXt9opdssz/hdGfd8Wo7vEJrbg7c6zR6C/Akav1Rzy9oohIdgOw= -----END CERTIFICATE----- openvpn-2.4.4/sample/sample-keys/ca.key000066400000000000000000000063101316434344000200200ustar00rootroot00000000000000-----BEGIN PRIVATE KEY----- MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQCwlU8Kq3e+2gNb ZTQMgjVAiHZCzR2qHzzyeK/EAibYtOr3d718mGyrc/9RVgBhJ4Iit6RfKlHQRCBK Bw1O8YEx7bQGgc7nK9saMo+aN8uPpdGi0I4bLwQOX+EuBFj15+IDzCxV+68Xar8V uXIlA9H+A+IO1OZSKoWpdrsAmYyuoWydamk64Z3tBzppOxp7hMXV7+BRMJOtprs1 4ejANoqF3IWYQScJhHkJ5SzHYmUVYAfw8KvEGkdhuYbK9LSQff6tCRpIz8/NzZtL hrIdo5hErlewarxeI0YpNMudJoJ094ewj7fEweYSH67k6DYMUaC/IPbaB17pbZ7O 8QoJQOvNHtuydiqrJTKfsvGeQ9cbK9HnZPTobwrMspBGYOU8heHMow7TuqQeYiid dN0XtgjVrPAekC03h1KtR7Vu+OJNKgSxA984DK8PREwr8IF+ARlTMAHnR78iVtnz hzQMl9Qw6bjELJ+3UcVilh7IJ/l3GgiPB4I86g/jbr5pNczuSqrSJ4ivpjGcpXo4 YYsoRj5U1mHUNLt6epUc/mLx6KbK5Rg+hCFsr3G0MYyCCGdzoefwGV08xy/P3wd1 MQfisF8DfI24LEtI2jDiMm4uM1eHZB6JS1a2ReNrt5z4/tWopN24mhFpftyz7wTc iaKCJGe+Yr6emTs23XJgT2EFGFKguwIDAQABAoICAQCEYPqnihI0PqZjnwQdGIQp g+P8gl7pyY9cS0OhUueicEbyDI8+V9qn0kcmx61zKDY0Jq4QNd6tnlUCijTc6Mot DwF2G1xsC4GvKxZiy89MOkhloanXETEeQZzDbbjvaM4UgL0AHLWPfZQRCjxbKXkE 0A5phgvAr2YSvBLHCVXhGN0fScXnwXouVsvgVdGtpcTWdIUa+KrNdQBGDbz6VCkW 31I76SQFy40d8PPX6ZjUJHDvnM14LycySO6XOkofRIVnXTqaOUiVBb2VKj5fX+Ro ILdWZz4d6J3RiGXYwyTr4SGVKLjgxWfgUGZB7x+NrqgugNzuaLYrkuWKSEN42nWq yoP6x6xtbAsmB6Fvdqwm/d8BmLhUweaVc0L7AYzXNsOBuT3kubJHMmu3Jv4xgyWk l/MAGJQc7i7QQweGgsYZgR8WlbkWkSFpUcgQBDzDibb6nsD2jnYijQrnrrmiEjEI R7MO551V+nFw9utiM8U9WIWwqzY0d98ujWkGjVe7uz9ZBVyg0DEAEj/zRi9T54aG 1V6CB2Cjyw+HzzsDw7yWroWzo4U9YfjbPKCoBsXlqQFLFwY8oL6mEZ7UOobaV1Zl WtuHyYw3UNFxuSGPPyxJkFePIQLLvfKvh2R+V0DrT3UJRoKKlt9RejRSN0tOh0Cm 2YD6d7T/DXnQHomIQKhKEQKCAQEA3sgsDg0eKDK8pUyVE+9wW5kql12nTzpBtnCM eg5J9OJcXKhCD/NIyUTIMXoMvZQpLwGUAYLgu4gE04zKWHDouf7MRSFltD5LJ7F2 7nuYKHZXk0BhgMhdnQot3FKcOMrKCnZcM+RWX9ZJa8wO6whCaYCw7DtS0SSVODQk 9EwAgX6/Hq60V7ujPZJCyNd3o0bIdAA/0AQRTZUADP3AHgUzh71aysYJt+UKt1v0 Xc7l6hn7Dn7Ewzpf+WdZ2pV7d3JUSBVKiTDxLV904nDBNOxjMhz0rW01ojR6bzpn XhkFPqnmh+yEYGRgfSAAzkvSsSJEAtBFSicupA/6n83Lo2YvswKCAQEAyumuxP4Z a7s8x8DFba7vuQ+KVxpkKgEz1sxnGRNQJm18/ss/Y5JiaLFYT3E72VkQfBQ2ngu+ GrJL3OhiNhzy1KLGS6mrwULtKiuud5MMQDL0Pvkncr9NTy4rBnWzhp2XyPeETu8n JpL2i2OK6lY/lgpBckXuap9gAl0fXk+y+BkZ71OoYaGnKpPjs+Xcq/qgPgZ7O3NW 1g+Bd2AVPSxQpXjuy5rgtQURCN733vkNBzFedKREx7Z6l8UPlK/Exuc7BMIHfn5V dd0R3Th+82fkMNVJz6MKmHJ6CJI53M7co/YdAvIkxOFRIPGbO3arL2R69nRgAZBE zLawx1JJTRIG2QKCAQATtZXgMFzopYR3A011FAvWrrhL5+czZS4HG/Hxom38kkIl mGUv0BAybjlf1zJlW0RBelxDvfZv4Nq8dIo6RNLyEY601v2OcqxneJXTB3AwtDeP OXTm1dMiX5IrGcvkYlx5jHsfxCW4GNcqCEWRmYt2lgIRBDaRdjEVZdeXHVo2GqaB 6mbeFCWe/t+VsSpOcaauTI9YseNt/66fd5uVjFRAwAnWQqr9b/AAxMvbuMAyc9X4 NFLoCrQO9ovGgM8JhD3cmrWbaY8MupM2rU8KhZdJCbLD3ROPpCDo0jvu4TvLjXBt ugkEFh1LNJedqKudLDDkJtTaeJjxvtAnbyeC7zltAoIBAC9TIyzUqq8io0FfZ2x2 cXiy9CvuftABKcr+L0l85KOhw5ZVZvpdKNCMFDGrEi9WA28886QWzwbA8Mqb9FP0 mnoXYLJC50kSx+ee+nju9dt/RtHtIFM15N0DwosmJnHODZmUiOo0AuiPPCs0UzDm Xrwqtirlvn5ln2nNuEQxyGbuy8qys0HaBvf6OBA8GySNNpRgxJsQAn+4bBSgdzOm Q0TkmKUqASCXBusPvbXmVjCIRiRkL5p4p8z/6+tct0NAqNYqPr80zc/IeKMkyw8P +vucszNXLmBxyp53JEGoiXNAMnH+ca7tchOB5hePTMun3rneWInk0PcB4OcL/QaZ nrkCggEBAN67+SvcWtM1BoLXSz5/apFAE+DicCv94PrvMBOhfvu1oBrElR1rBjiN 2B83SktkF4WhCXr10GP+RUpjaqPBtT7NW4r3fL5B8EPsHeabL+pg9e6wG1rH8GqG toWecmfC9uqK7l1A59h5Oveq5K19bZTRZRjQtv2e4KQknlJR6cwy+TGUU5kAUlMt vcivyjzxc0UQwq7zKktJq+xW/TZiSLgd3B32p0sXX378qFUJ4SO2UZ1OCh8R7PY1 Fx25K/89Q1yGdbYiXb/Dx0a2WB9rP+b6alMl/dxPdqDKj2QXXkdh8+yvhVpQTyZw B1RaqQXwzqrCH0F/vw3lRceYhcQvzcQ= -----END PRIVATE KEY----- openvpn-2.4.4/sample/sample-keys/client-ec.crt000066400000000000000000000112761316434344000213070ustar00rootroot00000000000000Certificate: Data: Version: 3 (0x2) Serial Number: 4 (0x4) Signature Algorithm: sha256WithRSAEncryption Issuer: C=KG, ST=NA, L=BISHKEK, O=OpenVPN-TEST/emailAddress=me@myhost.mydomain Validity Not Before: Oct 22 21:59:53 2014 GMT Not After : Oct 19 21:59:53 2024 GMT Subject: C=KG, ST=NA, O=OpenVPN-TEST, CN=Test-Client-EC/emailAddress=me@myhost.mydomain Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) pub: 04:3b:ce:62:5d:6f:87:82:75:24:c2:58:f5:0e:88: 4d:57:0d:06:b2:71:88:87:58:19:bb:de:5f:7f:52: 62:51:a2:48:91:83:48:91:90:3e:87:02:0f:15:51: f9:68:97:12:0a:fd:d2:3c:87:83:4b:65:54:00:44: 8d:28:76:49:05 ASN1 OID: secp256k1 X509v3 extensions: X509v3 Basic Constraints: CA:FALSE X509v3 Subject Key Identifier: 64:F6:49:88:E7:74:C1:AB:A5:FA:4F:2B:71:3C:25:13:3D:C8:94:C5 X509v3 Authority Key Identifier: keyid:2B:40:E5:C9:7D:F5:F4:96:38:E9:2F:E3:2F:D9:40:64:C9:8E:05:9B DirName:/C=KG/ST=NA/L=BISHKEK/O=OpenVPN-TEST/emailAddress=me@myhost.mydomain serial:A1:4E:DE:FA:90:F2:AE:81 Signature Algorithm: sha256WithRSAEncryption 32:3d:f0:08:67:dd:03:73:76:cc:76:52:0a:f6:97:d1:c6:fa: 5f:d3:e6:28:c9:75:a7:08:a8:34:49:69:cf:eb:ab:da:86:b3: 2e:65:17:ee:7e:b6:b5:6b:15:0b:dc:11:3a:b9:5a:b3:80:b8: bb:f4:6c:cf:88:3a:10:83:7e:10:a0:82:87:6e:06:ec:78:62: d4:d1:44:27:dd:2c:19:d8:1a:a1:ae:f4:a0:00:7f:53:5a:40: 8a:c2:83:77:4b:26:7d:53:b0:d3:0f:2f:7c:28:70:ef:74:58: 5b:de:81:94:4c:63:19:f0:79:cb:6c:b2:ec:32:1b:4b:e4:62: 22:4f:ad:ac:4a:6f:a9:6e:c4:2a:8d:8a:88:19:09:fd:88:93: 3c:27:4d:91:95:ff:57:84:13:fd:4a:68:db:20:df:10:e6:81: 1d:fd:e7:1d:35:fb:19:02:dd:b5:5f:a0:c1:07:ec:74:b4:ef: 8b:f9:33:9a:f2:a6:3b:6e:b6:4a:52:ab:5d:99:76:64:62:c4: d5:3a:c6:81:8d:eb:c8:4b:02:af:e1:ca:60:e9:8d:c7:a9:2b: ea:4f:56:31:d3:9a:11:c2:9c:83:5c:a2:8d:98:fe:cc:a5:ad: 1f:51:c4:6e:cf:ff:a0:51:64:c8:7f:7f:32:05:4c:8d:7f:bf: b8:ed:e5:81:5f:81:bd:1d:9b:3f:8a:83:27:26:b4:69:84:8b: e5:d9:ea:fd:08:a8:aa:e4:3a:dc:29:4d:80:6c:13:f7:45:ce: 92:f2:a9:f3:5f:90:83:d6:23:0f:50:e5:40:09:4c:6b:f2:73: aa:d8:49:a7:a9:81:6e:bb:f2:e4:a5:7f:19:39:1d:65:f3:11: 97:b1:2b:7c:2f:36:77:7f:75:fd:88:44:90:7c:f2:33:8d:cd: 2c:f6:76:60:33:d3:f4:b3:8c:81:d7:85:89:cc:d7:d5:2c:94: a9:31:3f:d3:63:a7:dc:82:3f:0a:d8:c5:71:97:69:3b:c1:69: cb:f0:1b:be:15:c0:be:aa:fd:e8:13:2c:0c:3f:72:7b:7d:9c: 3b:7f:b8:82:36:4b:ad:4d:16:19:b9:1c:b3:2d:d7:5f:8b:f8: 14:ce:d4:13:e5:82:7a:1d:40:28:08:65:4a:19:d7:7a:35:09: db:36:48:4b:96:44:bd:1f:12:b2:39:08:1e:5b:66:25:9b:e0: 16:d3:79:05:e3:f6:90:da:95:95:33:a1:53:a8:3c:a9:f0:b2: f5:d0:aa:80:a0:96:ca:8c:45:62:c2:74:04:91:68:27:fb:e9: 97:be:3a:87:8a:85:28:2d:6e:a9:60:9b:63:ba:65:98:5e:bb: 02:ee:ac:ba:be:f6:42:26 -----BEGIN CERTIFICATE----- MIIESTCCAjGgAwIBAgIBBDANBgkqhkiG9w0BAQsFADBmMQswCQYDVQQGEwJLRzEL MAkGA1UECBMCTkExEDAOBgNVBAcTB0JJU0hLRUsxFTATBgNVBAoTDE9wZW5WUE4t VEVTVDEhMB8GCSqGSIb3DQEJARYSbWVAbXlob3N0Lm15ZG9tYWluMB4XDTE0MTAy MjIxNTk1M1oXDTI0MTAxOTIxNTk1M1owbTELMAkGA1UEBhMCS0cxCzAJBgNVBAgT Ak5BMRUwEwYDVQQKEwxPcGVuVlBOLVRFU1QxFzAVBgNVBAMTDlRlc3QtQ2xpZW50 LUVDMSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21haW4wVjAQBgcqhkjO PQIBBgUrgQQACgNCAAQ7zmJdb4eCdSTCWPUOiE1XDQaycYiHWBm73l9/UmJRokiR g0iRkD6HAg8VUflolxIK/dI8h4NLZVQARI0odkkFo4HIMIHFMAkGA1UdEwQCMAAw HQYDVR0OBBYEFGT2SYjndMGrpfpPK3E8JRM9yJTFMIGYBgNVHSMEgZAwgY2AFCtA 5cl99fSWOOkv4y/ZQGTJjgWboWqkaDBmMQswCQYDVQQGEwJLRzELMAkGA1UECBMC TkExEDAOBgNVBAcTB0JJU0hLRUsxFTATBgNVBAoTDE9wZW5WUE4tVEVTVDEhMB8G CSqGSIb3DQEJARYSbWVAbXlob3N0Lm15ZG9tYWluggkAoU7e+pDyroEwDQYJKoZI hvcNAQELBQADggIBADI98Ahn3QNzdsx2Ugr2l9HG+l/T5ijJdacIqDRJac/rq9qG sy5lF+5+trVrFQvcETq5WrOAuLv0bM+IOhCDfhCggoduBux4YtTRRCfdLBnYGqGu 9KAAf1NaQIrCg3dLJn1TsNMPL3wocO90WFvegZRMYxnwectssuwyG0vkYiJPraxK b6luxCqNiogZCf2IkzwnTZGV/1eEE/1KaNsg3xDmgR395x01+xkC3bVfoMEH7HS0 74v5M5rypjtutkpSq12ZdmRixNU6xoGN68hLAq/hymDpjcepK+pPVjHTmhHCnINc oo2Y/sylrR9RxG7P/6BRZMh/fzIFTI1/v7jt5YFfgb0dmz+KgycmtGmEi+XZ6v0I qKrkOtwpTYBsE/dFzpLyqfNfkIPWIw9Q5UAJTGvyc6rYSaepgW678uSlfxk5HWXz EZexK3wvNnd/df2IRJB88jONzSz2dmAz0/SzjIHXhYnM19UslKkxP9Njp9yCPwrY xXGXaTvBacvwG74VwL6q/egTLAw/cnt9nDt/uII2S61NFhm5HLMt11+L+BTO1BPl gnodQCgIZUoZ13o1Cds2SEuWRL0fErI5CB5bZiWb4BbTeQXj9pDalZUzoVOoPKnw svXQqoCglsqMRWLCdASRaCf76Ze+OoeKhSgtbqlgm2O6ZZheuwLurLq+9kIm -----END CERTIFICATE----- openvpn-2.4.4/sample/sample-keys/client-ec.key000066400000000000000000000003551316434344000213030ustar00rootroot00000000000000-----BEGIN PRIVATE KEY----- MIGEAgEAMBAGByqGSM49AgEGBSuBBAAKBG0wawIBAQQg2RVk/d0yok086M9bLPIi eu4DfcBUwphOnkje1/7VSY+hRANCAAQ7zmJdb4eCdSTCWPUOiE1XDQaycYiHWBm7 3l9/UmJRokiRg0iRkD6HAg8VUflolxIK/dI8h4NLZVQARI0odkkF -----END PRIVATE KEY----- openvpn-2.4.4/sample/sample-keys/client-pass.key000066400000000000000000000033461316434344000216650ustar00rootroot00000000000000-----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: AES-256-CBC,ECC1F209896FC2621233FFF6F1FFD045 i6t7VKTyNNELTvrBO464e02nFg9rvYwumxd0sfqcPtaKmRK2mrZmEd/Xh0Nv1WyB PyuJo78qQixAtxObRbkSNINzTr5C8IDrE6+wQYCJinvO54U0o+ksv0tsyLngz1cb is8ZqHXrRgJ3qGFQWmFRtFKFQvSXOTDX3fLkEB53HfeblQCxBCnJ82Sp7ivnVR/j Q8qQRy1RMbzIN0trEGf0Zi4tHEvXL1u7Y+olQzSlmWWaQt20hhXUOMLhMtlRsAo7 AwjlE94JjAfJ1q1dwIcRN4c9Lk8GkiX6w7nDpRACDpk2S8ifCqi69eGe4+g7owhL 74bgs64PmM9a2sNXy1v6WE3c/t6sSrZiMvrGsqMo4sBlrQ9WXe0Naon7heBkPcdS px0YJjnyBXHMIH+ASmALSJ5JXq9vt2xRFf0dOsGapxhP+7bZJ5Pwyk/yUu5uHFbM /aBemlrZJzlKeYiiwpwx2whQAtDwN41zMG+r27EzSU/AaDV40NPiwwycpWt/Bp1e z1ag0JuS0an+PK4jmREtzT5U5BeAVM91x8YttOPpmUIpahAa1zwdYPRAIkbmPJ4z ZH+9YoPH4hoBQKdIhshYktjdI++xNiKXAUGUz5YoX8S68SsLdmKvhnQ7fu5VvOkA 2pb7taXGy7zfn+a/fWauhuceV9HPlAXMIu3GsssODoNly3vpcFeiMySKppygJ3Eg A3o9n8UepD+jXflKG/R/t7U3hT6LqSIvQWqBqYMEVFMCNzSsJ/ce/4veFvx343zT qdxuzYqyiXM74cynpfqHdVa9SFICTesNdVDI0FdOXhSQ4bHJc7Xp9FFJdS0lMRw4 ACwKxvs8lo4Gx1WFyCqH5OxosKtDHQYzdUJfSWVJlhhOFR3GncR9qSe3O5fkhJfs TALnC+xTJyCkSB2k0/bxVLIhlkPdCwzsrN/B6X2CDBdg0mQIo0LaPzGF8VneM20d XebYn751XSiL3HKyq8G5AEFwj9AO3Q8gKuP2fPoWdngJ2GT+mt1m2fIw9Igu39J0 ZMegyUN0wSIiA5AkgryK9U+PJEiJmLzOJ/NGr7E5tPF18eZWapK4KZ8TXC4RNiye g+apGa+xZJz2VQp/Mrcdj9D4UDJFQjrvKaS0PXJDoYUXFBoMv3rxijzRVxlhhuJY yZ0At+UqZD5wpuWW6DRrgJIpy0HNhbaLmgsU0Co0HKviB0x8hvMJbi/uCoPTOdPz sPB7CN2i3oXe7xw1HfSTSFWb4leqjlKwNgfV42ox0QUjkkADeeuY+56g/B2+QmdE vXrc6sDwfNUwRUzeMn8yfum/aW1y/wrqF/qPTBQqFd85vlzS+NfXIKDg04cAljTu +2BLzvizh9Bb68iG4PykNXbjbAir1EbQG1tCzq1eKhERjgrxdv6+XqAmvchMCeL5 L6hvfQFBPCo/4xnMpU5wooFarO/kGdKlGr5rXOydgfL618Td18BIX+FHQFb3zzVU y2NR4++DslJAZgAU+512zzpW1m3JtaRoyqyoLE2YFPlW804Xc1PBB3Ix6Wyzcegy D4qMk5qxjBkXEsBBSCYfVbWoMBeMhnvxkz0b9wkPtAW/jEJCB2Kkn/5yMC0DkePO -----END RSA PRIVATE KEY----- openvpn-2.4.4/sample/sample-keys/client.crt000066400000000000000000000134561316434344000207240ustar00rootroot00000000000000Certificate: Data: Version: 3 (0x2) Serial Number: 2 (0x2) Signature Algorithm: sha256WithRSAEncryption Issuer: C=KG, ST=NA, L=BISHKEK, O=OpenVPN-TEST/emailAddress=me@myhost.mydomain Validity Not Before: Oct 22 21:59:53 2014 GMT Not After : Oct 19 21:59:53 2024 GMT Subject: C=KG, ST=NA, O=OpenVPN-TEST, CN=Test-Client/emailAddress=me@myhost.mydomain Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:ec:65:8f:e9:12:c2:1a:5b:e6:56:2a:08:a9:82: 3a:2d:44:78:a3:00:3b:b0:9f:e7:27:10:40:93:ef: f1:cc:3e:a0:aa:04:a2:80:1b:13:a9:e6:fe:81:d6: 70:90:a8:d8:d4:de:30:d8:35:00:d2:be:62:f0:48: da:fc:15:8d:c4:c6:6d:0b:99:f1:2b:83:00:0a:d3: 2a:23:0b:e5:cd:f9:35:df:43:61:15:72:ad:95:98: f6:73:21:41:5e:a0:dd:47:27:a0:d5:9a:d4:41:a8: 1c:1d:57:20:71:17:8f:f7:28:9e:3e:07:ce:ec:d5: 0e:42:4f:1e:74:47:8e:47:9d:d2:14:28:27:2c:14: 10:f5:d1:96:b5:93:74:84:ef:f9:04:de:8d:4a:6f: df:77:ab:ea:d1:58:d3:44:fe:5a:04:01:ff:06:7a: 97:f7:fd:e3:57:48:e1:f0:df:40:13:9f:66:23:5a: e3:55:54:3d:54:39:ee:00:f9:12:f1:d2:df:74:2e: ba:d7:f0:8d:c6:dd:18:58:1c:93:22:0b:75:fa:a8: d6:e0:b5:2f:2d:b9:d4:fe:b9:4f:86:e2:75:48:16: 60:fb:3f:c9:b4:30:42:29:fb:3b:b3:2b:b9:59:81: 6a:46:f3:45:83:bf:fd:d5:1a:ff:37:0c:6f:5b:fd: 61:f1 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE X509v3 Subject Key Identifier: D2:B4:36:0F:B1:FC:DD:A5:EA:2A:F7:C7:23:89:FA:E3:FA:7A:44:1D X509v3 Authority Key Identifier: keyid:2B:40:E5:C9:7D:F5:F4:96:38:E9:2F:E3:2F:D9:40:64:C9:8E:05:9B DirName:/C=KG/ST=NA/L=BISHKEK/O=OpenVPN-TEST/emailAddress=me@myhost.mydomain serial:A1:4E:DE:FA:90:F2:AE:81 Signature Algorithm: sha256WithRSAEncryption 7f:e0:fe:84:a7:ec:df:62:a5:cd:3c:c1:e6:42:b1:31:12:f0: b9:da:a7:9e:3f:bd:96:52:b6:fc:55:74:64:3e:e4:ff:7e:aa: f7:3e:06:18:5f:73:85:f8:c8:e0:67:1b:4d:97:ca:05:d0:37: 07:33:64:9b:e6:78:77:14:9a:55:bb:2a:ac:c3:7f:c9:15:08: 83:5c:c8:c2:61:d3:71:4c:05:0b:2b:cb:a3:87:6d:a0:32:ed: b0:b3:27:97:4a:55:8d:01:2a:30:56:68:ab:f2:da:5c:10:73: c9:aa:0a:9c:4b:4c:a0:5b:51:6e:0a:7e:6c:53:80:b0:00:e1: 1e:9a:4c:0a:37:9e:20:89:bc:c5:e5:79:58:b7:45:ff:d3:c4: a1:fd:d9:78:3d:45:16:74:df:82:44:1d:1d:81:50:5a:b9:32: 4c:e2:4f:3f:0e:3a:65:5a:64:83:3b:29:31:c4:99:88:bc:c5: 84:39:f2:19:12:e1:66:d0:ea:fb:75:b1:d2:27:be:91:59:a3: 2b:09:d5:5c:bf:46:8e:d6:67:d6:0b:ec:da:ab:f0:80:19:87: 64:07:a9:77:b1:5e:0c:e2:c5:1d:6a:ac:5d:23:f3:30:75:36: 4e:ca:c3:4e:b0:4d:8c:2c:ce:52:61:63:de:d5:f5:ef:ef:0a: 6b:23:25:26:3c:3a:f2:c3:c2:16:19:3f:a9:32:ba:68:f9:c9: 12:3c:3e:c6:1f:ff:9b:4e:f4:90:b0:63:f5:d1:33:00:30:5a: e8:24:fa:35:44:9b:6a:80:f3:a6:cc:7b:3c:73:5f:50:c4:30: 71:d8:74:90:27:0a:01:4e:a5:5e:b1:f8:da:c2:61:81:11:ae: 29:a3:8f:fa:7e:4c:4e:62:b1:00:de:92:e3:8f:6a:2e:da:d9: 38:5d:6b:7c:0d:e4:01:aa:c8:c6:6d:8b:cd:c0:c8:6e:e4:57: 21:8a:f6:46:30:d9:ad:51:a1:87:96:a6:53:c9:1e:c6:bb:c3: eb:55:fe:8c:d6:5c:d5:c6:f3:ca:b0:60:d2:d4:2a:1f:88:94: d3:4c:1a:da:0c:94:fe:c1:5d:0d:2a:db:99:29:5d:f6:dd:16: c4:c8:4d:74:9e:80:d9:d0:aa:ed:7b:e3:30:e4:47:d8:f5:15: c1:71:b8:c6:fd:ee:fc:9e:b2:5f:b5:b7:92:ed:ff:ca:37:f6: c7:82:b4:54:13:9b:83:cd:87:8b:7e:64:f6:2e:54:3a:22:b1: c5:c1:f4:a5:25:53:9a:4d:a8:0f:e7:35:4b:89:df:19:83:66: 64:d9:db:d1:61:2b:24:1b:1d:44:44:fb:49:30:87:b7:49:23: 08:02:8a:e0:25:f3:f4:43 -----BEGIN CERTIFICATE----- MIIFFDCCAvygAwIBAgIBAjANBgkqhkiG9w0BAQsFADBmMQswCQYDVQQGEwJLRzEL MAkGA1UECBMCTkExEDAOBgNVBAcTB0JJU0hLRUsxFTATBgNVBAoTDE9wZW5WUE4t VEVTVDEhMB8GCSqGSIb3DQEJARYSbWVAbXlob3N0Lm15ZG9tYWluMB4XDTE0MTAy MjIxNTk1M1oXDTI0MTAxOTIxNTk1M1owajELMAkGA1UEBhMCS0cxCzAJBgNVBAgT Ak5BMRUwEwYDVQQKEwxPcGVuVlBOLVRFU1QxFDASBgNVBAMTC1Rlc3QtQ2xpZW50 MSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21haW4wggEiMA0GCSqGSIb3 DQEBAQUAA4IBDwAwggEKAoIBAQDsZY/pEsIaW+ZWKgipgjotRHijADuwn+cnEECT 7/HMPqCqBKKAGxOp5v6B1nCQqNjU3jDYNQDSvmLwSNr8FY3Exm0LmfErgwAK0yoj C+XN+TXfQ2EVcq2VmPZzIUFeoN1HJ6DVmtRBqBwdVyBxF4/3KJ4+B87s1Q5CTx50 R45HndIUKCcsFBD10Za1k3SE7/kE3o1Kb993q+rRWNNE/loEAf8Gepf3/eNXSOHw 30ATn2YjWuNVVD1UOe4A+RLx0t90LrrX8I3G3RhYHJMiC3X6qNbgtS8tudT+uU+G 4nVIFmD7P8m0MEIp+zuzK7lZgWpG80WDv/3VGv83DG9b/WHxAgMBAAGjgcgwgcUw CQYDVR0TBAIwADAdBgNVHQ4EFgQU0rQ2D7H83aXqKvfHI4n64/p6RB0wgZgGA1Ud IwSBkDCBjYAUK0DlyX319JY46S/jL9lAZMmOBZuhaqRoMGYxCzAJBgNVBAYTAktH MQswCQYDVQQIEwJOQTEQMA4GA1UEBxMHQklTSEtFSzEVMBMGA1UEChMMT3BlblZQ Ti1URVNUMSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21haW6CCQChTt76 kPKugTANBgkqhkiG9w0BAQsFAAOCAgEAf+D+hKfs32KlzTzB5kKxMRLwudqnnj+9 llK2/FV0ZD7k/36q9z4GGF9zhfjI4GcbTZfKBdA3BzNkm+Z4dxSaVbsqrMN/yRUI g1zIwmHTcUwFCyvLo4dtoDLtsLMnl0pVjQEqMFZoq/LaXBBzyaoKnEtMoFtRbgp+ bFOAsADhHppMCjeeIIm8xeV5WLdF/9PEof3ZeD1FFnTfgkQdHYFQWrkyTOJPPw46 ZVpkgzspMcSZiLzFhDnyGRLhZtDq+3Wx0ie+kVmjKwnVXL9GjtZn1gvs2qvwgBmH ZAepd7FeDOLFHWqsXSPzMHU2TsrDTrBNjCzOUmFj3tX17+8KayMlJjw68sPCFhk/ qTK6aPnJEjw+xh//m070kLBj9dEzADBa6CT6NUSbaoDzpsx7PHNfUMQwcdh0kCcK AU6lXrH42sJhgRGuKaOP+n5MTmKxAN6S449qLtrZOF1rfA3kAarIxm2LzcDIbuRX IYr2RjDZrVGhh5amU8kexrvD61X+jNZc1cbzyrBg0tQqH4iU00wa2gyU/sFdDSrb mSld9t0WxMhNdJ6A2dCq7XvjMORH2PUVwXG4xv3u/J6yX7W3ku3/yjf2x4K0VBOb g82Hi35k9i5UOiKxxcH0pSVTmk2oD+c1S4nfGYNmZNnb0WErJBsdRET7STCHt0kj CAKK4CXz9EM= -----END CERTIFICATE----- openvpn-2.4.4/sample/sample-keys/client.key000066400000000000000000000032501316434344000207130ustar00rootroot00000000000000-----BEGIN PRIVATE KEY----- MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDsZY/pEsIaW+ZW KgipgjotRHijADuwn+cnEECT7/HMPqCqBKKAGxOp5v6B1nCQqNjU3jDYNQDSvmLw SNr8FY3Exm0LmfErgwAK0yojC+XN+TXfQ2EVcq2VmPZzIUFeoN1HJ6DVmtRBqBwd VyBxF4/3KJ4+B87s1Q5CTx50R45HndIUKCcsFBD10Za1k3SE7/kE3o1Kb993q+rR WNNE/loEAf8Gepf3/eNXSOHw30ATn2YjWuNVVD1UOe4A+RLx0t90LrrX8I3G3RhY HJMiC3X6qNbgtS8tudT+uU+G4nVIFmD7P8m0MEIp+zuzK7lZgWpG80WDv/3VGv83 DG9b/WHxAgMBAAECggEBAIOdaCpUD02trOh8LqZxowJhBOl7z7/ex0uweMPk67LT i5AdVHwOlzwZJ8oSIknoOBEMRBWcLQEojt1JMuL2/R95emzjIKshHHzqZKNulFvB TIUpdnwChTKtH0mqUkLlPU3Ienty4IpNlpmfUKimfbkWHERdBJBHbtDsTABhdo3X 9pCF/yRKqJS2Fy/Mkl3gv1y/NB1OL4Jhl7vQbf+kmgfQN2qdOVe2BOKQ8NlPUDmE /1XNIDaE3s6uvUaoFfwowzsCCwN2/8QrRMMKkjvV+lEVtNmQdYxj5Xj5IwS0vkK0 6icsngW87cpZxxc1zsRWcSTloy5ohub4FgKhlolmigECgYEA+cBlxzLvaMzMlBQY kCac9KQMvVL+DIFHlZA5i5L/9pRVp4JJwj3GUoehFJoFhsxnKr8HZyLwBKlCmUVm VxnshRWiAU18emUmeAtSGawlAS3QXhikVZDdd/L20YusLT+DXV81wlKR97/r9+17 klQOLkSdPm9wcMDOWMNHX8bUg8kCgYEA8k+hQv6+TR/+Beao2IIctFtw/EauaJiJ wW5ql1cpCLPMAOQUvjs0Km3zqctfBF8mUjdkcyJ4uhL9FZtfywY22EtRIXOJ/8VR we65mVo6RLR8YVM54sihanuFOnlyF9LIBWB+9pUfh1/Y7DSebh7W73uxhAxQhi3Y QwfIQIFd8OkCgYBalH4VXhLYhpaYCiXSej6ot6rrK2N6c5Tb2MAWMA1nh+r84tMP gMoh+pDgYPAqMI4mQbxUmqZEeoLuBe6VHpDav7rPECRaW781AJ4ZM4cEQ3Jz/inz 4qOAMn10CF081/Ez9ykPPlU0bsYNWHNd4eB2xWnmUBKOwk7UgJatVPaUiQKBgQCI f18CVGpzG9CHFnaK8FCnMNOm6VIaTcNcGY0mD81nv5Dt943P054BQMsAHTY7SjZW HioRyZtkhonXAB2oSqnekh7zzxgv4sG5k3ct8evdBCcE1FNJc2eqikZ0uDETRoOy s7cRxNNr+QxDkyikM+80HOPU1PMPgwfOSrX90GJQ8QKBgEBKohGMV/sNa4t14Iau qO8aagoqh/68K9GFXljsl3/iCSa964HIEREtW09Qz1w3dotEgp2w8bsDa+OwWrLy 0SY7T5jRViM3cDWRlUBLrGGiL0FiwsfqiRiji60y19erJgrgyGVIb1kIgIBRkgFM 2MMweASzTmZcri4PA/5C0HYb -----END PRIVATE KEY----- openvpn-2.4.4/sample/sample-keys/client.p12000066400000000000000000000106651316434344000205350ustar00rootroot0000000000000000w *H hd0`0  *H  0 0  *H 0 *H  0Ze8 Mn*GuzɹBXep8c4}5\(OW[2v vѳ@Wr@&p&'yLyc#3V d9!e+'i0d>tݝ\o\p`d?͑"H;7g:ޜυ d6(Q{mrBctx%,r5@1:V"(0ȢmXGA$.`?zp&aKMQ %F#% VR<N)t~@gW H![FvbfJHYq!CC{w"ob8UdY2A@C=)N2|0F~񯰳Ro]swbm )-[˖(V s$H拥A7[:i! .X9eMV>XI0˜)0̟I|IZd0DLqVZ"?eS9_2%FO,( g (%_{]Bjƒ*{nW2{H3֌$Gʴ=;NR(v `316͉M]ד@&y$'n HwX]2Hc%XovQr!;B3eGXv/)ppXBO-h{GfH+%$+H6T#0:RՒHn)bPr:*&`fE>.ƁX mW0a:, T<1AOZƧ=|E-Ohy8}ic;vZJ=j Be.zr:DlQ=#-{e͋ oȪ|>:O^WkR`6{f(I}ȇv=+ˇ[V#"y/<)ϊ^@]N[{1^o_ze<뫹Ri[T#7VZqX9yh $w6cU,Et% "m2$ .~NL{;Ɩ;f]H:5Ϭ)DU0/.dt ꔇE{'5v'Io>=Om F dݩca&un<WJ5a'Ȧq5e>?4Zq 8 M={Oٖᗳ r>W ,0 xF`Aj64A )=9g}Z+$ U-]=;Ƕs֮=$B"RvGiyߜHe䶆B8#xq}:)Kٓ3@Y$%Ju_xK ^yBҕڂ&`<ʆr..$S| u -îGRY&q_kry 9=7 »…_AuxæonrScDJ_Z% fBp,ri²Me~.pHn+&vOm1fW{'Vt!(rg!}s$` /Ѕl9uKX"X#&qVLtK ~Ҽ)-Oqzj^W.)ώ ud+UC_Rp [? [ L>ެMӤ9};JUʖjT83q_b=!>`<:y Yo+XD: ) b_sa|.E*[OדYת(m+8JuS,|Ǫ-%ENcJ۱B\#c"F!2xWIzr]oH \&rބ(?Fk-M7%_?K fγzkFABJ.=x⪅ X럽|E#_5WVhep1`w÷6$ OzvP(\2ܧF 4K`kRdF®a,5py9"zDzglFv\1p,EiAv[qNݘC =3Y L-qM (~'􌄰y ]> CaXp}]F.d' q.tNM)Jiw$cɩ)lV\$ytʺ־YjكP:U A@#N9( =[jb'&3'mF̿FñZ֡`H%I̼[ZkGal0A *H 2.0*0& *H  00 *H  0>9*2Țb.dm4OJ %f0\ R]#Yޥ1dQŊNX"r+\%yF6hRe-Hf;_=(ȚYT)*Ӕkgs. E-t#R\K oO}P[胝͞_E MKm sv:.Uբ%kujjY(=!ը:*M\>ZDDpwe%Z EPa=ٴ"xcxtR;Soh/ւ3~ORn#K¼hO#=^HK6YnrJe, ;+On?`(JR. $`%څ -ByLҦׇ%Ohɾt*+0SjHVbl\Ћ?Bh9:=TGn gb%E C1sLs%e!|5UZ "9QQ/۫ ^e5|d J;׽0u*鐀塘r"^YN_Bm ɪֲ]{U}ঃkUNbxuS3Wr |wcگ@)B{^m=yK׃P7&vGaY>h@#…f;z6 9#Fj'3]x~5ƎsPU"iA^I8t#$z[ ddkjwע~'׼1(=[ #ʥۦ{'bZJW Oa6 &t=y&e 8Tg\l%#5h{̂U9I"2Mb\pK rvqD̠_Z t#ÞKsgUi~+VZV4;fn̲%jNsqA,_'@VO]5?'Wt5=%t#OAužuG "߰@ ⠶@JSDZߗ+D֢9hB]+cg z*6V !TcѺs:˔S{Dq8Gz)G/Nn;1UDK I=X~&*RuƒBL;3ryyz1@B(1q6x*r of=G{Fh+f1%0# *H  1V#y}625oO"/010!0 +,݅hN _ zE,__ openvpn-2.4.4/sample/sample-keys/dh2048.pem000066400000000000000000000006501316434344000203400ustar00rootroot00000000000000-----BEGIN DH PARAMETERS----- MIIBCAKCAQEArdnA32xujHPlPI+jPffHSoMUZ+b5gRz1H1Lw9//Gugm5TAsRiYrB t2BDSsMKvAjyqN+i5SJv4TOk98kRRKB27iPvyXmiL945VaDQl/UehCySjYlGFUjW 9nuo+JwQxeSbw0TLiSYoYJZQ8X1CxPl9mgJl277O4cW1Gc8I/bWa+ipU/4K5wv3h GI8nt+6A0jN3M/KebotMP101G4k0l0qsY4oRMTmP+z3oAP0qU9NZ1jiuMFVzRlNp 5FdYF7ctrH+tBF+QmyT4SRKSED4wE4oX6gp420NaBhIEQifIj75wlMDtxQlpkN+x QkjsEbPlaPKHGQ4uupssChVUi8IM2yq5EwIBAg== -----END DH PARAMETERS----- openvpn-2.4.4/sample/sample-keys/gen-sample-keys.sh000077500000000000000000000104331316434344000222640ustar00rootroot00000000000000#!/bin/sh # # Run this script to set up a test CA, and test key-certificate pair for a # server, and various clients. # # Copyright (C) 2014 Steffan Karger set -eu command -v openssl >/dev/null 2>&1 || { echo >&2 "Unable to find openssl. Please make sure openssl is installed and in your path."; exit 1; } if [ ! -f openssl.cnf ] then echo "Please run this script from the sample directory" exit 1 fi # Generate static key for tls-auth (or static key mode) $(dirname ${0})/../../src/openvpn/openvpn --genkey --secret ta.key # Create required directories and files mkdir -p sample-ca rm -f sample-ca/index.txt touch sample-ca/index.txt echo "01" > sample-ca/serial # Generate CA key and cert openssl req -new -newkey rsa:4096 -days 3650 -nodes -x509 \ -extensions easyrsa_ca -keyout sample-ca/ca.key -out sample-ca/ca.crt \ -subj "/C=KG/ST=NA/L=BISHKEK/O=OpenVPN-TEST/emailAddress=me@myhost.mydomain" \ -config openssl.cnf # Create server key and cert openssl req -new -nodes -config openssl.cnf -extensions server \ -keyout sample-ca/server.key -out sample-ca/server.csr \ -subj "/C=KG/ST=NA/O=OpenVPN-TEST/CN=Test-Server/emailAddress=me@myhost.mydomain" openssl ca -batch -config openssl.cnf -extensions server \ -out sample-ca/server.crt -in sample-ca/server.csr # Create client key and cert openssl req -new -nodes -config openssl.cnf \ -keyout sample-ca/client.key -out sample-ca/client.csr \ -subj "/C=KG/ST=NA/O=OpenVPN-TEST/CN=Test-Client/emailAddress=me@myhost.mydomain" openssl ca -batch -config openssl.cnf \ -out sample-ca/client.crt -in sample-ca/client.csr # Create password protected key file openssl rsa -aes256 -passout pass:password \ -in sample-ca/client.key -out sample-ca/client-pass.key # Create pkcs#12 client bundle openssl pkcs12 -export -nodes -password pass:password \ -out sample-ca/client.p12 -inkey sample-ca/client.key \ -in sample-ca/client.crt -certfile sample-ca/ca.crt # Create a client cert, revoke it, generate CRL openssl req -new -nodes -config openssl.cnf \ -keyout sample-ca/client-revoked.key -out sample-ca/client-revoked.csr \ -subj "/C=KG/ST=NA/O=OpenVPN-TEST/CN=client-revoked/emailAddress=me@myhost.mydomain" openssl ca -batch -config openssl.cnf \ -out sample-ca/client-revoked.crt -in sample-ca/client-revoked.csr openssl ca -config openssl.cnf -revoke sample-ca/client-revoked.crt openssl ca -config openssl.cnf -gencrl -out sample-ca/ca.crl # Create DSA server and client cert (signed by 'regular' RSA CA) openssl dsaparam -out sample-ca/dsaparams.pem 2048 openssl req -new -newkey dsa:sample-ca/dsaparams.pem -nodes -config openssl.cnf \ -extensions server \ -keyout sample-ca/server-dsa.key -out sample-ca/server-dsa.csr \ -subj "/C=KG/ST=NA/O=OpenVPN-TEST/CN=Test-Server-DSA/emailAddress=me@myhost.mydomain" openssl ca -batch -config openssl.cnf -extensions server \ -out sample-ca/server-dsa.crt -in sample-ca/server-dsa.csr openssl req -new -newkey dsa:sample-ca/dsaparams.pem -nodes -config openssl.cnf \ -keyout sample-ca/client-dsa.key -out sample-ca/client-dsa.csr \ -subj "/C=KG/ST=NA/O=OpenVPN-TEST/CN=Test-Client-DSA/emailAddress=me@myhost.mydomain" openssl ca -batch -config openssl.cnf \ -out sample-ca/client-dsa.crt -in sample-ca/client-dsa.csr # Create EC server and client cert (signed by 'regular' RSA CA) openssl ecparam -out sample-ca/secp256k1.pem -name secp256k1 openssl req -new -newkey ec:sample-ca/secp256k1.pem -nodes -config openssl.cnf \ -extensions server \ -keyout sample-ca/server-ec.key -out sample-ca/server-ec.csr \ -subj "/C=KG/ST=NA/O=OpenVPN-TEST/CN=Test-Server-EC/emailAddress=me@myhost.mydomain" openssl ca -batch -config openssl.cnf -extensions server \ -out sample-ca/server-ec.crt -in sample-ca/server-ec.csr openssl req -new -newkey ec:sample-ca/secp256k1.pem -nodes -config openssl.cnf \ -keyout sample-ca/client-ec.key -out sample-ca/client-ec.csr \ -subj "/C=KG/ST=NA/O=OpenVPN-TEST/CN=Test-Client-EC/emailAddress=me@myhost.mydomain" openssl ca -batch -config openssl.cnf \ -out sample-ca/client-ec.crt -in sample-ca/client-ec.csr # Generate DH parameters openssl dhparam -out dh2048.pem 2048 # Copy keys and certs to working directory cp sample-ca/*.key . cp sample-ca/*.crt . cp sample-ca/*.p12 . cp sample-ca/*.crl . openvpn-2.4.4/sample/sample-keys/openssl.cnf000066400000000000000000000103301316434344000210730ustar00rootroot00000000000000# Heavily borrowed from EasyRSA 3, for use with OpenSSL 1.0.* #################################################################### [ ca ] default_ca = CA_default # The default ca section #################################################################### [ CA_default ] dir = sample-ca # Where everything is kept certs = $dir # Where the issued certs are kept crl_dir = $dir # Where the issued crl are kept database = $dir/index.txt # database index file. new_certs_dir = $dir # default place for new certs. certificate = $dir/ca.crt # The CA certificate serial = $dir/serial # The current serial number crl = $dir/crl.pem # The current CRL private_key = $dir/ca.key # The private key RANDFILE = $dir/.rand # private random number file x509_extensions = basic_exts # The extentions to add to the cert # This allows a V2 CRL. Ancient browsers don't like it, but anything Easy-RSA # is designed for will. In return, we get the Issuer attached to CRLs. crl_extensions = crl_ext default_days = 3650 # how long to certify for default_crl_days= 30 # how long before next CRL default_md = sha256 # use public key default MD preserve = no # keep passed DN ordering # A few difference way of specifying how similar the request should look # For type CA, the listed attributes must be the same, and the optional # and supplied fields are just that :-) policy = policy_anything # For the 'anything' policy, which defines allowed DN fields [ policy_anything ] countryName = optional stateOrProvinceName = optional localityName = optional organizationName = optional organizationalUnitName = optional commonName = supplied name = optional emailAddress = optional #################################################################### # Easy-RSA request handling # We key off $DN_MODE to determine how to format the DN [ req ] default_bits = 2048 default_keyfile = privkey.pem default_md = sha256 distinguished_name = cn_only x509_extensions = easyrsa_ca # The extentions to add to the self signed cert # A placeholder to handle the $EXTRA_EXTS feature: #%EXTRA_EXTS% # Do NOT remove or change this line as $EXTRA_EXTS support requires it #################################################################### # Easy-RSA DN (Subject) handling # Easy-RSA DN for cn_only support: [ cn_only ] commonName = Common Name (eg: your user, host, or server name) commonName_max = 64 commonName_default = changeme # Easy-RSA DN for org support: [ org ] countryName = Country Name (2 letter code) countryName_default = KG countryName_min = 2 countryName_max = 2 stateOrProvinceName = State or Province Name (full name) stateOrProvinceName_default = NA localityName = Locality Name (eg, city) localityName_default = BISHKEK 0.organizationName = Organization Name (eg, company) 0.organizationName_default = OpenVPN-TEST organizationalUnitName = Organizational Unit Name (eg, section) organizationalUnitName_default = commonName = Common Name (eg: your user, host, or server name) commonName_max = 64 commonName_default = emailAddress = Email Address emailAddress_default = me@myhost.mydomain emailAddress_max = 64 #################################################################### [ basic_exts ] basicConstraints = CA:FALSE subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer:always # The Easy-RSA CA extensions [ easyrsa_ca ] # PKIX recommendations: subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always,issuer:always # This could be marked critical, but it's nice to support reading by any # broken clients who attempt to do so. basicConstraints = CA:true # Limit key usage to CA tasks. If you really want to use the generated pair as # a self-signed cert, comment this out. keyUsage = cRLSign, keyCertSign # CRL extensions. [ crl_ext ] # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. # issuerAltName=issuer:copy authorityKeyIdentifier=keyid:always,issuer:always # Server extensions. [ server ] basicConstraints = CA:FALSE nsCertType = server nsComment = "OpenSSL Generated Server Certificate" subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer:always extendedKeyUsage = serverAuth keyUsage = digitalSignature, keyEncipherment openvpn-2.4.4/sample/sample-keys/server-ec.crt000066400000000000000000000122061316434344000213310ustar00rootroot00000000000000Certificate: Data: Version: 3 (0x2) Serial Number: 3 (0x3) Signature Algorithm: sha256WithRSAEncryption Issuer: C=KG, ST=NA, L=BISHKEK, O=OpenVPN-TEST/emailAddress=me@myhost.mydomain Validity Not Before: Oct 22 21:59:53 2014 GMT Not After : Oct 19 21:59:53 2024 GMT Subject: C=KG, ST=NA, O=OpenVPN-TEST, CN=Test-Server-EC/emailAddress=me@myhost.mydomain Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) pub: 04:21:09:ac:27:e6:00:3a:57:f4:f6:c7:78:a9:b1: f4:d7:d7:45:59:39:e4:a3:d3:2c:94:f9:61:4a:e6: b9:e9:87:57:c8:0f:88:03:a0:56:ee:34:e7:e4:4e: 20:63:6c:c1:6e:c1:04:ac:b9:2f:a9:76:69:d3:7d: 49:ff:f1:34:cb ASN1 OID: secp256k1 X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Cert Type: SSL Server Netscape Comment: OpenSSL Generated Server Certificate X509v3 Subject Key Identifier: 33:1A:42:61:9E:88:08:3F:6F:1F:98:88:3A:DD:2D:C7:07:3D:F6:9B X509v3 Authority Key Identifier: keyid:2B:40:E5:C9:7D:F5:F4:96:38:E9:2F:E3:2F:D9:40:64:C9:8E:05:9B DirName:/C=KG/ST=NA/L=BISHKEK/O=OpenVPN-TEST/emailAddress=me@myhost.mydomain serial:A1:4E:DE:FA:90:F2:AE:81 X509v3 Extended Key Usage: TLS Web Server Authentication X509v3 Key Usage: Digital Signature, Key Encipherment Signature Algorithm: sha256WithRSAEncryption 9d:89:f6:7e:0b:43:05:22:63:e5:b3:45:a8:d9:ef:33:3c:b7: 19:37:28:87:27:43:43:86:a3:3f:b9:23:27:0f:96:4f:de:01: 80:38:6b:d9:c8:94:77:1f:06:08:34:65:77:ad:57:0c:23:99: f1:51:12:5f:32:d8:9c:7c:93:f1:f6:72:2a:05:61:ff:62:aa: 33:aa:ef:a3:4d:d6:93:56:40:ff:38:2e:73:1c:69:fb:71:a1: fa:64:19:6a:04:1c:8b:20:a8:ee:a5:18:63:f8:84:f4:ca:84: 8e:b6:05:48:c6:f3:f7:81:90:4d:9e:00:cd:4a:92:83:d4:93: 67:05:dc:16:8b:78:fa:b1:82:48:c6:86:74:44:b1:06:7e:8a: c8:64:0b:82:3a:e2:f5:56:60:ea:50:70:03:da:9f:fc:28:20: 6b:7d:04:e0:eb:8d:e2:f1:be:82:2f:ba:51:50:2b:6c:d2:fc: 11:cd:69:85:3b:9e:14:19:dd:bc:14:cf:61:b0:7a:07:cb:e8: e0:fc:c3:1f:a4:cb:cf:c1:e9:62:0f:d2:53:f8:ce:06:f4:f8: 2f:55:13:aa:67:44:b6:b8:e8:3e:82:af:66:f5:f0:7c:fe:41: e6:9d:c0:9f:78:fd:00:85:02:40:63:37:fa:00:e6:3c:a6:9f: 35:4f:1d:a6:f1:cb:8b:04:e0:67:98:56:d1:87:58:b6:39:f6: d3:fe:a8:40:50:80:7f:e6:4a:36:d0:c0:a5:61:64:1d:3a:87: ad:78:72:c9:3f:98:44:35:f9:cf:32:b2:18:4c:b0:72:fa:5e: 6c:62:1e:d4:31:0c:c8:9b:74:f0:00:9e:70:c3:1e:c7:a4:9d: 03:a4:ac:1a:09:1f:86:23:65:51:34:50:86:68:1e:68:4d:9a: 4b:78:10:1c:bd:51:09:bb:fe:16:a3:c7:19:b4:05:44:a1:e6: c6:23:76:d5:b8:3a:eb:a5:17:1d:2b:2e:fe:85:7c:88:4f:f1: e8:34:32:e0:c5:96:87:c3:e8:c9:5f:89:24:10:0e:1e:07:0b: 2c:f8:d0:49:1b:63:5e:63:44:e9:2a:43:e2:9c:d6:f2:43:99: 47:f8:9b:49:1a:a7:d1:e0:53:67:1d:cb:14:b6:b0:2c:4d:b3: f2:c5:62:c2:a6:09:7a:c0:6c:59:3e:73:83:0c:6c:de:30:77: 4d:1b:ed:b0:7f:77:87:8d:55:1d:d3:ed:f7:66:bd:06:2a:f8: fd:00:e7:c0:31:e2:ff:53:9e:25:97:c6:64:84:9d:8d:61:8e: c9:1f:6c:55:a1:7c:59:aa:eb:e8:2a:b2:2d:c7:09:cd:b5:3d: d8:74:4f:6e:9c:3b:d5:6d -----BEGIN CERTIFICATE----- MIIEtTCCAp2gAwIBAgIBAzANBgkqhkiG9w0BAQsFADBmMQswCQYDVQQGEwJLRzEL MAkGA1UECBMCTkExEDAOBgNVBAcTB0JJU0hLRUsxFTATBgNVBAoTDE9wZW5WUE4t VEVTVDEhMB8GCSqGSIb3DQEJARYSbWVAbXlob3N0Lm15ZG9tYWluMB4XDTE0MTAy MjIxNTk1M1oXDTI0MTAxOTIxNTk1M1owbTELMAkGA1UEBhMCS0cxCzAJBgNVBAgT Ak5BMRUwEwYDVQQKEwxPcGVuVlBOLVRFU1QxFzAVBgNVBAMTDlRlc3QtU2VydmVy LUVDMSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21haW4wVjAQBgcqhkjO PQIBBgUrgQQACgNCAAQhCawn5gA6V/T2x3ipsfTX10VZOeSj0yyU+WFK5rnph1fI D4gDoFbuNOfkTiBjbMFuwQSsuS+pdmnTfUn/8TTLo4IBMzCCAS8wCQYDVR0TBAIw ADARBglghkgBhvhCAQEEBAMCBkAwMwYJYIZIAYb4QgENBCYWJE9wZW5TU0wgR2Vu ZXJhdGVkIFNlcnZlciBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUMxpCYZ6ICD9vH5iI Ot0txwc99pswgZgGA1UdIwSBkDCBjYAUK0DlyX319JY46S/jL9lAZMmOBZuhaqRo MGYxCzAJBgNVBAYTAktHMQswCQYDVQQIEwJOQTEQMA4GA1UEBxMHQklTSEtFSzEV MBMGA1UEChMMT3BlblZQTi1URVNUMSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3Qu bXlkb21haW6CCQChTt76kPKugTATBgNVHSUEDDAKBggrBgEFBQcDATALBgNVHQ8E BAMCBaAwDQYJKoZIhvcNAQELBQADggIBAJ2J9n4LQwUiY+WzRajZ7zM8txk3KIcn Q0OGoz+5IycPlk/eAYA4a9nIlHcfBgg0ZXetVwwjmfFREl8y2Jx8k/H2cioFYf9i qjOq76NN1pNWQP84LnMcaftxofpkGWoEHIsgqO6lGGP4hPTKhI62BUjG8/eBkE2e AM1KkoPUk2cF3BaLePqxgkjGhnREsQZ+ishkC4I64vVWYOpQcAPan/woIGt9BODr jeLxvoIvulFQK2zS/BHNaYU7nhQZ3bwUz2GwegfL6OD8wx+ky8/B6WIP0lP4zgb0 +C9VE6pnRLa46D6Cr2b18Hz+QeadwJ94/QCFAkBjN/oA5jymnzVPHabxy4sE4GeY VtGHWLY59tP+qEBQgH/mSjbQwKVhZB06h614csk/mEQ1+c8yshhMsHL6XmxiHtQx DMibdPAAnnDDHseknQOkrBoJH4YjZVE0UIZoHmhNmkt4EBy9UQm7/hajxxm0BUSh 5sYjdtW4OuulFx0rLv6FfIhP8eg0MuDFlofD6MlfiSQQDh4HCyz40EkbY15jROkq Q+Kc1vJDmUf4m0kap9HgU2cdyxS2sCxNs/LFYsKmCXrAbFk+c4MMbN4wd00b7bB/ d4eNVR3T7fdmvQYq+P0A58Ax4v9TniWXxmSEnY1hjskfbFWhfFmq6+gqsi3HCc21 Pdh0T26cO9Vt -----END CERTIFICATE----- openvpn-2.4.4/sample/sample-keys/server-ec.key000066400000000000000000000003551316434344000213330ustar00rootroot00000000000000-----BEGIN PRIVATE KEY----- MIGEAgEAMBAGByqGSM49AgEGBSuBBAAKBG0wawIBAQQgLHGYqSlzoRaogmJfrC+E ozTothB9bORaQ1C/3FmeQ6ehRANCAAQhCawn5gA6V/T2x3ipsfTX10VZOeSj0yyU +WFK5rnph1fID4gDoFbuNOfkTiBjbMFuwQSsuS+pdmnTfUn/8TTL -----END PRIVATE KEY----- openvpn-2.4.4/sample/sample-keys/server.crt000066400000000000000000000143671316434344000207560ustar00rootroot00000000000000Certificate: Data: Version: 3 (0x2) Serial Number: 1 (0x1) Signature Algorithm: sha256WithRSAEncryption Issuer: C=KG, ST=NA, L=BISHKEK, O=OpenVPN-TEST/emailAddress=me@myhost.mydomain Validity Not Before: Oct 22 21:59:52 2014 GMT Not After : Oct 19 21:59:52 2024 GMT Subject: C=KG, ST=NA, O=OpenVPN-TEST, CN=Test-Server/emailAddress=me@myhost.mydomain Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:a5:b8:a2:ee:ce:b1:a6:0f:6a:b2:9f:d3:22:17: 79:de:09:98:71:78:fa:a7:ce:36:51:54:57:c7:31: 99:56:d1:8a:d6:c5:fd:52:e6:88:0e:7b:f9:ea:27: 7a:bf:3f:14:ec:aa:d2:ff:8b:56:58:ac:ca:51:77: c5:3c:b6:e4:83:6f:22:06:2d:5b:eb:e7:59:d4:ab: 42:c8:d5:a9:87:73:b3:73:36:51:2f:a5:d0:90:a2: 87:64:54:6c:12:d3:b8:76:47:69:af:ae:8f:00:b3: 70:b9:e7:67:3f:8c:6a:3d:79:5f:81:27:a3:0e:aa: a7:3d:81:48:10:b1:18:6c:38:2e:8f:7a:7b:c5:3d: 21:c8:f9:a0:7f:17:2b:88:4f:ba:f2:ec:6d:24:8e: 6c:f1:0a:5c:d9:5b:b1:b0:fc:49:cb:4a:d2:58:c6: 2a:25:b0:97:84:c3:9e:ff:34:8c:10:46:7f:0f:fb: 3c:59:7a:a6:29:0c:ae:8e:50:3a:f2:53:84:40:2d: d5:91:7b:0a:37:8e:82:77:ce:66:2f:34:77:5c:a5: 45:3b:00:19:a7:07:d1:92:e6:66:b9:3b:4e:e9:63: fc:33:98:1a:ae:7b:08:7d:0a:df:7a:ba:aa:59:6d: 86:82:0a:64:2b:da:59:a7:4c:4e:ef:3d:bd:04:a2: 4b:31 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Cert Type: SSL Server Netscape Comment: OpenSSL Generated Server Certificate X509v3 Subject Key Identifier: B3:9D:81:E6:16:92:64:C4:86:87:F5:29:10:1B:5E:2F:74:F7:ED:B1 X509v3 Authority Key Identifier: keyid:2B:40:E5:C9:7D:F5:F4:96:38:E9:2F:E3:2F:D9:40:64:C9:8E:05:9B DirName:/C=KG/ST=NA/L=BISHKEK/O=OpenVPN-TEST/emailAddress=me@myhost.mydomain serial:A1:4E:DE:FA:90:F2:AE:81 X509v3 Extended Key Usage: TLS Web Server Authentication X509v3 Key Usage: Digital Signature, Key Encipherment Signature Algorithm: sha256WithRSAEncryption 4e:25:80:1b:cb:b0:42:ff:bb:3f:e8:0d:58:c1:80:db:cf:d0: 90:df:ca:c1:e6:41:e1:48:7f:a7:1e:c7:35:9f:9c:6d:7c:3e: 82:e8:de:7e:ae:82:16:00:33:0f:02:23:f1:9d:fe:2b:06:16: 05:55:16:89:dc:63:ac:5f:1a:31:13:79:21:a3:6e:60:28:e8: e7:6b:54:00:22:a1:b7:69:5a:17:31:ce:0f:c2:a6:dd:a3:6f: de:ea:19:6c:d2:d2:cb:35:9d:dd:87:51:33:68:cd:c3:9b:90: 55:f1:80:3d:5c:b8:09:b6:e1:3c:13:a4:5d:4a:ce:a5:11:9e: f9:08:ee:be:e3:54:1d:06:4c:bb:1b:72:13:ee:7d:a0:45:cc: fe:d1:3b:02:03:c1:d4:ea:45:2d:a8:c9:97:e7:f3:8a:7a:a0: 2f:dd:48:3a:75:c9:42:28:94:fc:af:44:52:16:68:98:d6:ad: a8:65:b1:cd:ac:60:41:70:e5:44:e8:5a:f2:e7:fc:3b:fe:45: 89:17:1d:6d:85:c6:f0:fc:69:87:d1:1d:07:f3:cb:7b:54:8d: aa:a3:cc:e3:c6:fc:d6:05:76:35:d0:26:63:8e:d1:a8:b7:ff: 61:42:8a:2c:63:1f:d4:ec:14:47:6b:1e:e3:81:61:12:3b:8c: 16:b5:cf:87:6a:2d:42:21:83:9c:0e:3a:90:3a:1e:c1:36:61: 41:f9:fb:4e:5d:ea:f4:df:23:92:33:2b:9b:14:9f:a0:f5:d3: c4:f8:1f:2f:9c:11:36:af:2a:22:61:95:32:0b:c4:1c:2d:b1: c1:0a:2a:97:c0:43:4a:6c:3e:db:00:cd:29:15:9e:7e:41:75: 36:a8:56:86:8c:82:9e:46:20:e5:06:1e:60:d2:03:5f:9f:9e: 69:bb:bf:c2:b4:43:e2:7d:85:17:83:18:41:b0:cb:a9:04:1b: 18:52:9f:89:8b:76:9f:94:59:81:4f:60:5b:33:18:fc:c7:52: d0:d2:69:fc:0b:a2:63:32:75:43:99:e9:d7:f8:6d:c7:55:31: 0c:f3:ef:1a:71:e1:0a:57:e1:9d:13:b2:1e:fe:1d:ef:e4:f1: 51:d9:95:b3:fd:28:28:93:91:4a:29:c5:37:0e:ab:d8:85:6a: fe:a8:83:1f:7b:80:5d:1f:04:79:b7:a9:08:6e:0d:d6:2e:aa: 7c:f6:63:7d:41:de:70:13:32:ce:dd:58:cc:a6:73:d4:72:7e: d7:ac:74:a8:35:ba:c3:1b:2a:64:d7:5a:37:97:56:94:34:2b: 2a:71:60:bc:69:ab:00:85:b9:4f:67:32:17:51:c3:da:57:3a: 37:89:66:c4:7a:51:da:5f -----BEGIN CERTIFICATE----- MIIFgDCCA2igAwIBAgIBATANBgkqhkiG9w0BAQsFADBmMQswCQYDVQQGEwJLRzEL MAkGA1UECBMCTkExEDAOBgNVBAcTB0JJU0hLRUsxFTATBgNVBAoTDE9wZW5WUE4t VEVTVDEhMB8GCSqGSIb3DQEJARYSbWVAbXlob3N0Lm15ZG9tYWluMB4XDTE0MTAy MjIxNTk1MloXDTI0MTAxOTIxNTk1MlowajELMAkGA1UEBhMCS0cxCzAJBgNVBAgT Ak5BMRUwEwYDVQQKEwxPcGVuVlBOLVRFU1QxFDASBgNVBAMTC1Rlc3QtU2VydmVy MSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21haW4wggEiMA0GCSqGSIb3 DQEBAQUAA4IBDwAwggEKAoIBAQCluKLuzrGmD2qyn9MiF3neCZhxePqnzjZRVFfH MZlW0YrWxf1S5ogOe/nqJ3q/PxTsqtL/i1ZYrMpRd8U8tuSDbyIGLVvr51nUq0LI 1amHc7NzNlEvpdCQoodkVGwS07h2R2mvro8As3C552c/jGo9eV+BJ6MOqqc9gUgQ sRhsOC6PenvFPSHI+aB/FyuIT7ry7G0kjmzxClzZW7Gw/EnLStJYxiolsJeEw57/ NIwQRn8P+zxZeqYpDK6OUDryU4RALdWRewo3joJ3zmYvNHdcpUU7ABmnB9GS5ma5 O07pY/wzmBquewh9Ct96uqpZbYaCCmQr2lmnTE7vPb0EoksxAgMBAAGjggEzMIIB LzAJBgNVHRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIGQDAzBglghkgBhvhCAQ0EJhYk T3BlblNTTCBHZW5lcmF0ZWQgU2VydmVyIENlcnRpZmljYXRlMB0GA1UdDgQWBBSz nYHmFpJkxIaH9SkQG14vdPftsTCBmAYDVR0jBIGQMIGNgBQrQOXJffX0ljjpL+Mv 2UBkyY4Fm6FqpGgwZjELMAkGA1UEBhMCS0cxCzAJBgNVBAgTAk5BMRAwDgYDVQQH EwdCSVNIS0VLMRUwEwYDVQQKEwxPcGVuVlBOLVRFU1QxITAfBgkqhkiG9w0BCQEW Em1lQG15aG9zdC5teWRvbWFpboIJAKFO3vqQ8q6BMBMGA1UdJQQMMAoGCCsGAQUF BwMBMAsGA1UdDwQEAwIFoDANBgkqhkiG9w0BAQsFAAOCAgEATiWAG8uwQv+7P+gN WMGA28/QkN/KweZB4Uh/px7HNZ+cbXw+gujefq6CFgAzDwIj8Z3+KwYWBVUWidxj rF8aMRN5IaNuYCjo52tUACKht2laFzHOD8Km3aNv3uoZbNLSyzWd3YdRM2jNw5uQ VfGAPVy4CbbhPBOkXUrOpRGe+QjuvuNUHQZMuxtyE+59oEXM/tE7AgPB1OpFLajJ l+fzinqgL91IOnXJQiiU/K9EUhZomNatqGWxzaxgQXDlROha8uf8O/5FiRcdbYXG 8Pxph9EdB/PLe1SNqqPM48b81gV2NdAmY47RqLf/YUKKLGMf1OwUR2se44FhEjuM FrXPh2otQiGDnA46kDoewTZhQfn7Tl3q9N8jkjMrmxSfoPXTxPgfL5wRNq8qImGV MgvEHC2xwQoql8BDSmw+2wDNKRWefkF1NqhWhoyCnkYg5QYeYNIDX5+eabu/wrRD 4n2FF4MYQbDLqQQbGFKfiYt2n5RZgU9gWzMY/MdS0NJp/AuiYzJ1Q5np1/htx1Ux DPPvGnHhClfhnROyHv4d7+TxUdmVs/0oKJORSinFNw6r2IVq/qiDH3uAXR8Eebep CG4N1i6qfPZjfUHecBMyzt1YzKZz1HJ+16x0qDW6wxsqZNdaN5dWlDQrKnFgvGmr AIW5T2cyF1HD2lc6N4lmxHpR2l8= -----END CERTIFICATE----- openvpn-2.4.4/sample/sample-keys/server.key000066400000000000000000000032501316434344000207430ustar00rootroot00000000000000-----BEGIN PRIVATE KEY----- MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCluKLuzrGmD2qy n9MiF3neCZhxePqnzjZRVFfHMZlW0YrWxf1S5ogOe/nqJ3q/PxTsqtL/i1ZYrMpR d8U8tuSDbyIGLVvr51nUq0LI1amHc7NzNlEvpdCQoodkVGwS07h2R2mvro8As3C5 52c/jGo9eV+BJ6MOqqc9gUgQsRhsOC6PenvFPSHI+aB/FyuIT7ry7G0kjmzxClzZ W7Gw/EnLStJYxiolsJeEw57/NIwQRn8P+zxZeqYpDK6OUDryU4RALdWRewo3joJ3 zmYvNHdcpUU7ABmnB9GS5ma5O07pY/wzmBquewh9Ct96uqpZbYaCCmQr2lmnTE7v Pb0EoksxAgMBAAECggEAPMOMin+jR75TYxeTNObiunVOPh0b2zeTVxLT9KfND7ZZ cBK8pg79SEJRCnhbW5BnvbeNEkIm8PC6ZlDCM1bkRwUStq0fDUqQ95esLzOYq5/S 5qW98viblszhU/pYfja/Zi8dI1uf96PT63Zbt0NnGQ9N42+DLDeKhtTGdchZqiQA LeSR0bQanY4tUUtCNYvBT8E3pzhoIsUzVwzIK53oovRpcOX3pMXVYZsmNhXdFFRy YkjMXpj7fGyaAJK0QsC+PsgrKuhXDzDttsG2lI/mq9+7RXB3d/pzhmBVWynVH2lw iQ7ONkSz7akDz/4I4WmxJep+FfQJYgK6rnLAlQqauQKBgQDammSAprnvDvNhSEp8 W+xt7jQnFqaENbGgP0/D/OZMXc4khgexqlKFmSnBCRDmQ6JvLTWqDXC4+aqAbFQz zAIjiKaT+so8xvFRob+rBMJY5JLYKNa+zUUanfORUNYLFJPvFqnrWGaJ9uufdaM7 0a5bu95PN74NXee3DBbpBv8HLwKBgQDCEk+IjNbjMT+Neq0ywUeM5rFrUKi92abe AgsVpjbighRV+6jA2lZFJcize+xYJ9wiOR1/TEI9PZ2OtBkqpwVdvTEHTagRLcvd NfGcptREDnNLoNWA22buQpztiEduutACWQsrd+JQmqbUicUdW4zw86/oCMbYCW3V QmYOLns7nwKBgHHUX20WZE91S4pmqFKlUzHTDdkk1ESX6Qx2q0R01j8BwawHFs6O 0DW9EZ7w55nfsh+OPRl1sjK/3ubMgfQO0TZLm+IGf3Sya0qEnVeiPMkpDMX+TgRA wzEe+ou6uho+9uFSvdxMxeglaYA5M2ycvNwLsbEyZ4ZyVYxdgTiKahYFAoGAcIfP iD0qKQiYcj/tB94cz+3AeJqHjbYT1O1YYhBECOkmQ4kuG80+cs/q5W/45lEOiuWV Xgfo7Lu6jVGOujWoneci87oqtvNYH4e09oGh2WiLoBG9Wv9dWtBTUERSLzmxfXsG SAk2uEhEbj8IhfJc8iZLHH9iVUh6YEslBBodqL8CgYEAlAhvcqAvw5SzsfBR5Mcu 4Nql6mXEVhHCvS4hdFCGaNF0z9A6eBORKJpdLWnqhpquDQDsghWE+Ga4QKSNFIi1 fnAaykmZuY3ToqNOIaVlYM6HpMEz0wHQbTWfDLGcTFcElLZgMAk7VlDyiYVOco+E QX9lXOO1PGpLzXhlDxSe63Y= -----END PRIVATE KEY----- openvpn-2.4.4/sample/sample-keys/ta.key000066400000000000000000000011741316434344000200440ustar00rootroot00000000000000# # 2048 bit OpenVPN static key # -----BEGIN OpenVPN Static key V1----- a863b1cbdb911ff4ef3360ce135157e7 241a465f5045f51cf9a92ebc24da34fd 5fc48456778c977e374d55a8a7298aef 40d0ab0c60b5e09838510526b73473a0 8da46a8c352572dd86d4a871700a915b 6aaa58a9dac560db2dfdd7ef15a202e1 fca6913d7ee79c678c5798fbf7bd920c caa7a64720908da7254598b052d07f55 5e31dc5721932cffbdd8965d04107415 46c86823da18b66aab347e4522cc05ff 634968889209c96b1024909cd4ce574c f829aa9c17d5df4a66043182ee23635d 8cabf5a7ba02345ad94a3aa25a63d55c e13f4ad235a0825e3fe17f9419baff1c e73ad1dd652f1e48c7102fe8ee181e54 10a160ae255f63fd01db1f29e6efcb8e -----END OpenVPN Static key V1----- openvpn-2.4.4/sample/sample-plugins/000077500000000000000000000000001316434344000174315ustar00rootroot00000000000000openvpn-2.4.4/sample/sample-plugins/defer/000077500000000000000000000000001316434344000205165ustar00rootroot00000000000000openvpn-2.4.4/sample/sample-plugins/defer/README000066400000000000000000000005311316434344000213750ustar00rootroot00000000000000OpenVPN plugin examples. Examples provided: simple.c -- using the --auth-user-pass-verify callback, test deferred authentication. To build: ./build simple (Linux/BSD/etc.) ./winbuild simple (MinGW on Windows) To use in OpenVPN, add to config file: plugin simple.so (Linux/BSD/etc.) plugin simple.dll (MinGW on Windows) openvpn-2.4.4/sample/sample-plugins/defer/build000077500000000000000000000006251316434344000215460ustar00rootroot00000000000000#!/bin/sh # # Build an OpenVPN plugin module on *nix. The argument should # be the base name of the C source file (without the .c). # # This directory is where we will look for openvpn-plugin.h CPPFLAGS="${CPPFLAGS:--I../../../include}" CC="${CC:-gcc}" CFLAGS="${CFLAGS:--O2 -Wall -g}" $CC $CPPFLAGS $CFLAGS -fPIC -c $1.c && \ $CC $CFLAGS -fPIC -shared ${LDFLAGS} -Wl,-soname,$1.so -o $1.so $1.o -lc openvpn-2.4.4/sample/sample-plugins/defer/simple.c000066400000000000000000000233071316434344000221600ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ /* * This file implements a simple OpenVPN plugin module which * will test deferred authentication and packet filtering. * * Will run on Windows or *nix. * * Sample usage: * * setenv test_deferred_auth 20 * setenv test_packet_filter 10 * plugin plugin/defer/simple.so * * This will enable deferred authentication to occur 20 * seconds after the normal TLS authentication process, * and will cause a packet filter file to be generated 10 * seconds after the initial TLS negotiation, using * {common-name}.pf as the source. * * Sample packet filter configuration: * * [CLIENTS DROP] * +otherclient * [SUBNETS DROP] * +10.0.0.0/8 * -10.10.0.8 * [END] * * See the README file for build instructions. */ #include #include #include #include "openvpn-plugin.h" /* bool definitions */ #define bool int #define true 1 #define false 0 /* * Our context, where we keep our state. */ struct plugin_context { int test_deferred_auth; int test_packet_filter; }; struct plugin_per_client_context { int n_calls; bool generated_pf_file; }; /* * Given an environmental variable name, search * the envp array for its value, returning it * if found or NULL otherwise. */ static const char * get_env(const char *name, const char *envp[]) { if (envp) { int i; const int namelen = strlen(name); for (i = 0; envp[i]; ++i) { if (!strncmp(envp[i], name, namelen)) { const char *cp = envp[i] + namelen; if (*cp == '=') { return cp + 1; } } } } return NULL; } /* used for safe printf of possible NULL strings */ static const char * np(const char *str) { if (str) { return str; } else { return "[NULL]"; } } static int atoi_null0(const char *str) { if (str) { return atoi(str); } else { return 0; } } OPENVPN_EXPORT openvpn_plugin_handle_t openvpn_plugin_open_v1(unsigned int *type_mask, const char *argv[], const char *envp[]) { struct plugin_context *context; printf("FUNC: openvpn_plugin_open_v1\n"); /* * Allocate our context */ context = (struct plugin_context *) calloc(1, sizeof(struct plugin_context)); context->test_deferred_auth = atoi_null0(get_env("test_deferred_auth", envp)); printf("TEST_DEFERRED_AUTH %d\n", context->test_deferred_auth); context->test_packet_filter = atoi_null0(get_env("test_packet_filter", envp)); printf("TEST_PACKET_FILTER %d\n", context->test_packet_filter); /* * Which callbacks to intercept. */ *type_mask = OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_UP) |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_DOWN) |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_ROUTE_UP) |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_IPCHANGE) |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_TLS_VERIFY) |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY) |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_CLIENT_CONNECT_V2) |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_CLIENT_DISCONNECT) |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_LEARN_ADDRESS) |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_TLS_FINAL) |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_ENABLE_PF); return (openvpn_plugin_handle_t) context; } static int auth_user_pass_verify(struct plugin_context *context, struct plugin_per_client_context *pcc, const char *argv[], const char *envp[]) { if (context->test_deferred_auth) { /* get username/password from envp string array */ const char *username = get_env("username", envp); const char *password = get_env("password", envp); /* get auth_control_file filename from envp string array*/ const char *auth_control_file = get_env("auth_control_file", envp); printf("DEFER u='%s' p='%s' acf='%s'\n", np(username), np(password), np(auth_control_file)); /* Authenticate asynchronously in n seconds */ if (auth_control_file) { char buf[256]; int auth = 2; sscanf(username, "%d", &auth); snprintf(buf, sizeof(buf), "( sleep %d ; echo AUTH %s %d ; echo %d >%s ) &", context->test_deferred_auth, auth_control_file, auth, pcc->n_calls < auth, auth_control_file); printf("%s\n", buf); system(buf); pcc->n_calls++; return OPENVPN_PLUGIN_FUNC_DEFERRED; } else { return OPENVPN_PLUGIN_FUNC_ERROR; } } else { return OPENVPN_PLUGIN_FUNC_SUCCESS; } } static int tls_final(struct plugin_context *context, struct plugin_per_client_context *pcc, const char *argv[], const char *envp[]) { if (context->test_packet_filter) { if (!pcc->generated_pf_file) { const char *pff = get_env("pf_file", envp); const char *cn = get_env("username", envp); if (pff && cn) { char buf[256]; snprintf(buf, sizeof(buf), "( sleep %d ; echo PF %s/%s ; cp \"%s.pf\" \"%s\" ) &", context->test_packet_filter, cn, pff, cn, pff); printf("%s\n", buf); system(buf); pcc->generated_pf_file = true; return OPENVPN_PLUGIN_FUNC_SUCCESS; } else { return OPENVPN_PLUGIN_FUNC_ERROR; } } else { return OPENVPN_PLUGIN_FUNC_ERROR; } } else { return OPENVPN_PLUGIN_FUNC_SUCCESS; } } OPENVPN_EXPORT int openvpn_plugin_func_v2(openvpn_plugin_handle_t handle, const int type, const char *argv[], const char *envp[], void *per_client_context, struct openvpn_plugin_string_list **return_list) { struct plugin_context *context = (struct plugin_context *) handle; struct plugin_per_client_context *pcc = (struct plugin_per_client_context *) per_client_context; switch (type) { case OPENVPN_PLUGIN_UP: printf("OPENVPN_PLUGIN_UP\n"); return OPENVPN_PLUGIN_FUNC_SUCCESS; case OPENVPN_PLUGIN_DOWN: printf("OPENVPN_PLUGIN_DOWN\n"); return OPENVPN_PLUGIN_FUNC_SUCCESS; case OPENVPN_PLUGIN_ROUTE_UP: printf("OPENVPN_PLUGIN_ROUTE_UP\n"); return OPENVPN_PLUGIN_FUNC_SUCCESS; case OPENVPN_PLUGIN_IPCHANGE: printf("OPENVPN_PLUGIN_IPCHANGE\n"); return OPENVPN_PLUGIN_FUNC_SUCCESS; case OPENVPN_PLUGIN_TLS_VERIFY: printf("OPENVPN_PLUGIN_TLS_VERIFY\n"); return OPENVPN_PLUGIN_FUNC_SUCCESS; case OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY: printf("OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY\n"); return auth_user_pass_verify(context, pcc, argv, envp); case OPENVPN_PLUGIN_CLIENT_CONNECT_V2: printf("OPENVPN_PLUGIN_CLIENT_CONNECT_V2\n"); return OPENVPN_PLUGIN_FUNC_SUCCESS; case OPENVPN_PLUGIN_CLIENT_DISCONNECT: printf("OPENVPN_PLUGIN_CLIENT_DISCONNECT\n"); return OPENVPN_PLUGIN_FUNC_SUCCESS; case OPENVPN_PLUGIN_LEARN_ADDRESS: printf("OPENVPN_PLUGIN_LEARN_ADDRESS\n"); return OPENVPN_PLUGIN_FUNC_SUCCESS; case OPENVPN_PLUGIN_TLS_FINAL: printf("OPENVPN_PLUGIN_TLS_FINAL\n"); return tls_final(context, pcc, argv, envp); case OPENVPN_PLUGIN_ENABLE_PF: printf("OPENVPN_PLUGIN_ENABLE_PF\n"); if (context->test_packet_filter) { return OPENVPN_PLUGIN_FUNC_SUCCESS; } else { return OPENVPN_PLUGIN_FUNC_ERROR; } default: printf("OPENVPN_PLUGIN_?\n"); return OPENVPN_PLUGIN_FUNC_ERROR; } } OPENVPN_EXPORT void * openvpn_plugin_client_constructor_v1(openvpn_plugin_handle_t handle) { printf("FUNC: openvpn_plugin_client_constructor_v1\n"); return calloc(1, sizeof(struct plugin_per_client_context)); } OPENVPN_EXPORT void openvpn_plugin_client_destructor_v1(openvpn_plugin_handle_t handle, void *per_client_context) { printf("FUNC: openvpn_plugin_client_destructor_v1\n"); free(per_client_context); } OPENVPN_EXPORT void openvpn_plugin_close_v1(openvpn_plugin_handle_t handle) { struct plugin_context *context = (struct plugin_context *) handle; printf("FUNC: openvpn_plugin_close_v1\n"); free(context); } openvpn-2.4.4/sample/sample-plugins/defer/simple.def000077500000000000000000000002621316434344000224720ustar00rootroot00000000000000LIBRARY OpenVPN_PLUGIN_SAMPLE DESCRIPTION "Sample OpenVPN plug-in module." EXPORTS openvpn_plugin_open_v1 @1 openvpn_plugin_func_v1 @2 openvpn_plugin_close_v1 @3 openvpn-2.4.4/sample/sample-plugins/defer/winbuild000077500000000000000000000010751316434344000222640ustar00rootroot00000000000000# # Build an OpenVPN plugin module on Windows/MinGW. # The argument should be the base name of the C source file # (without the .c). # # This directory is where we will look for openvpn-plugin.h INCLUDE="-I../../../build" CC_FLAGS="-O2 -Wall" gcc -DBUILD_DLL $CC_FLAGS $INCLUDE -c $1.c gcc --disable-stdcall-fixup -mdll -DBUILD_DLL -o junk.tmp -Wl,--base-file,base.tmp $1.o rm junk.tmp dlltool --dllname $1.dll --base-file base.tmp --output-exp temp.exp --input-def $1.def rm base.tmp gcc --enable-stdcall-fixup -mdll -DBUILD_DLL -o $1.dll $1.o -Wl,temp.exp rm temp.exp openvpn-2.4.4/sample/sample-plugins/keying-material-exporter-demo/000077500000000000000000000000001316434344000253035ustar00rootroot00000000000000openvpn-2.4.4/sample/sample-plugins/keying-material-exporter-demo/README000066400000000000000000000044141316434344000261660ustar00rootroot00000000000000OpenVPN plugin examples. Daniel Kubec Examples provided: keyingmaterialexporter.c -- Example based on TLS Keying Material Exporters over HTTP [RFC-5705] (openvpn/doc/keying-material-exporter.txt) This example demonstrates authenticating a user over HTTP who have already established an OpenVPN connecting using the --keying-material-exporter feature. Requires: OpenVPN RFC-5705 Support, OpenSSL >= 1.0.1 Files: http-server.py -- Example HTTP Server listen 0.0.0.0:8080 http-client.py -- Example HTTP Client connect 10.8.0.1:8080 [GET /$SESSIONID] server.ovpn -- Example HTTP SSO VPN Server configuration client.ovpn -- Example HTTP SSO VPN Client configuration keyingmaterialexporter.c, keyingmaterialexporter.so -- Example OpenVPN Client and Server plugin To build: ./build keyingmaterialexporter To use in OpenVPN: Enter openvpn/sample/sample-plugins/keyingmaterialexporter directory and in separate terminals, start these four processes: $ openvpn --config ./server.ovpn $ openvpn --config ./client.ovpn $ ./http-server.py $ ./http-client.py Test: openvpn --config ./server.ovpn ############################## PLUGIN SSO: app session created PLUGIN_CALL: POST ./keyingmaterialexporter.so/PLUGIN_TLS_VERIFY status=0 PLUGIN SSO: app session key: a5885abc84d361803f58ede1ef9c0adf99e720cd PLUGIN SSO: app session file: /tmp/openvpn_sso_a5885abc84d361803f58ede1ef9c0adf99e720cd PLUGIN SSO: app session user: Test-Client openvpn --config ./client.ovpn ############################## PLUGIN SSO: app session created PLUGIN_CALL: POST ./keyingmaterialexporter.so/PLUGIN_TLS_VERIFY status=0 PLUGIN SSO: app session key: a5885abc84d361803f58ede1ef9c0adf99e720cd PLUGIN SSO: app session file: /tmp/openvpn_sso_user PLUGIN_CALL: POST ./keyingmaterialexporter.so/PLUGIN_TLS_FINAL status=0 HTTP_SERVER: http-server.py ################ http server started session file: /tmp/openvpn_sso_a5885abc84d361803f58ede1ef9c0adf99e720cd 10.8.0.1 - - [02/Apr/2015 15:03:33] "GET /a5885abc84d361803f58ede1ef9c0adf99e720cd HTTP/1.1" 200 - session user: Test-Client session key: a5885abc84d361803f58ede1ef9c0adf99e720cd HTTP_SERVER: http-client.py

Greetings Test-Client. You are authorized

openvpn-2.4.4/sample/sample-plugins/keying-material-exporter-demo/build000077500000000000000000000006131316434344000263300ustar00rootroot00000000000000#!/bin/sh # # Build an OpenVPN plugin module on *nix. The argument should # be the base name of the C source file (without the .c). # # This directory is where we will look for openvpn-plugin.h CPPFLAGS="${CPPFLAGS:--I../../..}" CC="${CC:-gcc}" CFLAGS="${CFLAGS:--O2 -Wall -g}" $CC $CPPFLAGS $CFLAGS -fPIC -c $1.c && \ $CC $CFLAGS -fPIC -shared $LDFLAGS -Wl,-soname,$1.so -o $1.so $1.o -lc openvpn-2.4.4/sample/sample-plugins/keying-material-exporter-demo/client.ovpn000066400000000000000000000004221316434344000274630ustar00rootroot00000000000000tls-client pull keying-material-exporter "EXPORTER_SSO_TEST" 16 reneg-sec 0 ca ../../sample-keys/ca.crt cert ../../sample-keys/client.crt key ../../sample-keys/client.key plugin ./keyingmaterialexporter.so remote 127.0.0.1 1194 proto udp dev tun nobind verb 4 openvpn-2.4.4/sample/sample-plugins/keying-material-exporter-demo/http-client.py000077500000000000000000000006441316434344000301170ustar00rootroot00000000000000#!/usr/bin/python import sys import os import httplib f = '/tmp/openvpn_sso_user' with open (f, "r") as myfile: session_key = myfile.read().replace('\n', '') conn = httplib.HTTPConnection("10.8.0.1:8080") conn.request("GET", "/" + session_key) r1 = conn.getresponse() if r1.status == 200: body = r1.read().rstrip() print body elif r1.status == 404: print "Authentication failed" else: print r1.status, r1.reason openvpn-2.4.4/sample/sample-plugins/keying-material-exporter-demo/http-server.py000077500000000000000000000021111316434344000301360ustar00rootroot00000000000000#!/usr/bin/python from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer import os class ExampleHTTPRequestHandler(BaseHTTPRequestHandler): def do_GET(self): session_key = os.path.basename(self.path) file = '/tmp/openvpn_sso_' + session_key print 'session file: ' + file try: f = open(file) #send code 200 response self.send_response(200) #send header first self.send_header('Content-type','text-html') self.end_headers() #send file content to client user = f.read().rstrip() print 'session user: ' + user print 'session key: ' + session_key self.wfile.write('

Greetings ' + user \ + '. You are authorized' \ '

' \ '') f.close() return except IOError: self.send_error(404, 'authentication failed') def run(): #ip and port of servr #by default http server port is 80 server_address = ('0.0.0.0', 8080) httpd = HTTPServer(server_address, ExampleHTTPRequestHandler) print('http server started') httpd.serve_forever() print('http server stopped') if __name__ == '__main__': run() openvpn-2.4.4/sample/sample-plugins/keying-material-exporter-demo/keyingmaterialexporter.c000066400000000000000000000167131316434344000322550ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ /* * This file implements a Sample (HTTP) SSO OpenVPN plugin module * * See the README file for build instructions. */ #define ENABLE_CRYPTO #include #include #include #include "openvpn-plugin.h" #ifndef MAXPATH #define MAXPATH 1024 #endif #define ovpn_err(fmt, ...) \ plugin->log(PLOG_ERR, "SSO", fmt, ## __VA_ARGS__) #define ovpn_dbg(fmt, ...) \ plugin->log(PLOG_DEBUG, "SSO", fmt, ## __VA_ARGS__) #define ovpn_note(fmt, ...) \ plugin->log(PLOG_NOTE, "SSO", fmt, ## __VA_ARGS__) enum endpoint { CLIENT = 1, SERVER = 2 }; struct plugin { plugin_log_t log; enum endpoint type; int mask; }; struct session { char user[48]; char key [48]; }; /* * Given an environmental variable name, search * the envp array for its value, returning it * if found or NULL otherwise. */ static const char * get_env(const char *name, const char *envp[]) { if (envp) { int i; const int namelen = strlen(name); for (i = 0; envp[i]; ++i) { if (!strncmp(envp[i], name, namelen)) { const char *cp = envp[i] + namelen; if (*cp == '=') { return cp + 1; } } } } return NULL; } OPENVPN_EXPORT int openvpn_plugin_open_v3(const int version, struct openvpn_plugin_args_open_in const *args, struct openvpn_plugin_args_open_return *rv) { struct plugin *plugin = calloc(1, sizeof(*plugin)); plugin->type = get_env("remote_1", args->envp) ? CLIENT : SERVER; plugin->log = args->callbacks->plugin_log; plugin->mask = OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_TLS_FINAL); plugin->mask |= OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_TLS_VERIFY); ovpn_note("vpn endpoint type=%s",plugin->type == CLIENT ? "client" : "server"); rv->type_mask = plugin->mask; rv->handle = (void *)plugin; return OPENVPN_PLUGIN_FUNC_SUCCESS; } static void session_user_set(struct session *sess, X509 *x509) { int fn_nid; ASN1_OBJECT *fn; ASN1_STRING *val; X509_NAME *x509_name; X509_NAME_ENTRY *ent; const char *objbuf; x509_name = X509_get_subject_name(x509); int i, n = X509_NAME_entry_count(x509_name); for (i = 0; i < n; ++i) { if (!(ent = X509_NAME_get_entry(x509_name, i))) { continue; } if (!(fn = X509_NAME_ENTRY_get_object(ent))) { continue; } if (!(val = X509_NAME_ENTRY_get_data(ent))) { continue; } if ((fn_nid = OBJ_obj2nid(fn)) == NID_undef) { continue; } if (!(objbuf = OBJ_nid2sn(fn_nid))) { continue; } unsigned char *buf = NULL; if (ASN1_STRING_to_UTF8(&buf, val) < 0) { continue; } if (!strncasecmp(objbuf, "CN", 2)) { snprintf(sess->user, sizeof(sess->user) - 1, (char *)buf); } OPENSSL_free(buf); } } static int tls_verify(struct openvpn_plugin_args_func_in const *args) { struct plugin *plugin = (struct plugin *)args->handle; struct session *sess = (struct session *)args->per_client_context; /* we store cert subject for the server end point only */ if (plugin->type != SERVER) { return OPENVPN_PLUGIN_FUNC_SUCCESS; } if (!args->current_cert) { ovpn_err("this example plugin requires client certificate"); return OPENVPN_PLUGIN_FUNC_ERROR; } session_user_set(sess, args->current_cert); return OPENVPN_PLUGIN_FUNC_SUCCESS; } static void file_store(char *file, char *content) { FILE *f; if (!(f = fopen(file, "w+"))) { return; } fprintf(f, "%s", content); fclose(f); } static void server_store(struct openvpn_plugin_args_func_in const *args) { struct plugin *plugin = (struct plugin *)args->handle; struct session *sess = (struct session *)args->per_client_context; char file[MAXPATH]; snprintf(file, sizeof(file) - 1, "/tmp/openvpn_sso_%s", sess->key); ovpn_note("app session file: %s", file); file_store(file, sess->user); } static void client_store(struct openvpn_plugin_args_func_in const *args) { struct plugin *plugin = (struct plugin *)args->handle; struct session *sess = (struct session *)args->per_client_context; char *file = "/tmp/openvpn_sso_user"; ovpn_note("app session file: %s", file); file_store(file, sess->key); } static int tls_final(struct openvpn_plugin_args_func_in const *args, struct openvpn_plugin_args_func_return *rv) { struct plugin *plugin = (struct plugin *)args->handle; struct session *sess = (struct session *)args->per_client_context; const char *key; if (!(key = get_env("exported_keying_material", args->envp))) { return OPENVPN_PLUGIN_FUNC_ERROR; } snprintf(sess->key, sizeof(sess->key) - 1, "%s", key); ovpn_note("app session key: %s", sess->key); switch (plugin->type) { case SERVER: server_store(args); break; case CLIENT: client_store(args); return OPENVPN_PLUGIN_FUNC_SUCCESS; } ovpn_note("app session user: %s", sess->user); return OPENVPN_PLUGIN_FUNC_SUCCESS; } OPENVPN_EXPORT int openvpn_plugin_func_v3(const int version, struct openvpn_plugin_args_func_in const *args, struct openvpn_plugin_args_func_return *rv) { switch (args->type) { case OPENVPN_PLUGIN_TLS_VERIFY: return tls_verify(args); case OPENVPN_PLUGIN_TLS_FINAL: return tls_final(args, rv); } return OPENVPN_PLUGIN_FUNC_SUCCESS; } OPENVPN_EXPORT void * openvpn_plugin_client_constructor_v1(openvpn_plugin_handle_t handle) { struct plugin *plugin = (struct plugin *)handle; struct session *sess = calloc(1, sizeof(*sess)); ovpn_note("app session created"); return (void *)sess; } OPENVPN_EXPORT void openvpn_plugin_client_destructor_v1(openvpn_plugin_handle_t handle, void *ctx) { struct plugin *plugin = (struct plugin *)handle; struct session *sess = (struct session *)ctx; ovpn_note("app session key: %s", sess->key); ovpn_note("app session destroyed"); free(sess); } OPENVPN_EXPORT void openvpn_plugin_close_v1(openvpn_plugin_handle_t handle) { struct plugin *plugin = (struct plugin *)handle; free(plugin); } openvpn-2.4.4/sample/sample-plugins/keying-material-exporter-demo/server.ovpn000066400000000000000000000005101316434344000275110ustar00rootroot00000000000000tls-server reneg-sec 0 keying-material-exporter "EXPORTER_SSO_TEST" 16 duplicate-cn plugin ./keyingmaterialexporter.so ca ../../sample-keys/ca.crt cert ../../sample-keys/server.crt key ../../sample-keys/server.key dh ../../sample-keys/dh2048.pem server 10.8.0.0 255.255.255.0 port 1194 proto udp dev tun verb 4 openvpn-2.4.4/sample/sample-plugins/log/000077500000000000000000000000001316434344000202125ustar00rootroot00000000000000openvpn-2.4.4/sample/sample-plugins/log/build000077500000000000000000000006231316434344000212400ustar00rootroot00000000000000#!/bin/sh # # Build an OpenVPN plugin module on *nix. The argument should # be the base name of the C source file (without the .c). # # This directory is where we will look for openvpn-plugin.h CPPFLAGS="${CPPFLAGS:--I../../../include}" CC="${CC:-gcc}" CFLAGS="${CFLAGS:--O2 -Wall -g}" $CC $CPPFLAGS $CFLAGS -fPIC -c $1.c && \ $CC $CFLAGS -fPIC -shared $LDFLAGS -Wl,-soname,$1.so -o $1.so $1.o -lc openvpn-2.4.4/sample/sample-plugins/log/log.c000066400000000000000000000131431316434344000211410ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ /* * This plugin is similar to simple.c, except it also logs extra information * to stdout for every plugin method called by OpenVPN. * * See the README file for build instructions. */ #include #include #include #include "openvpn-plugin.h" /* * Our context, where we keep our state. */ struct plugin_context { const char *username; const char *password; }; /* * Given an environmental variable name, search * the envp array for its value, returning it * if found or NULL otherwise. */ static const char * get_env(const char *name, const char *envp[]) { if (envp) { int i; const int namelen = strlen(name); for (i = 0; envp[i]; ++i) { if (!strncmp(envp[i], name, namelen)) { const char *cp = envp[i] + namelen; if (*cp == '=') { return cp + 1; } } } } return NULL; } OPENVPN_EXPORT openvpn_plugin_handle_t openvpn_plugin_open_v1(unsigned int *type_mask, const char *argv[], const char *envp[]) { struct plugin_context *context; /* * Allocate our context */ context = (struct plugin_context *) calloc(1, sizeof(struct plugin_context)); /* * Set the username/password we will require. */ context->username = "foo"; context->password = "bar"; /* * Which callbacks to intercept. */ *type_mask = OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_UP) |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_DOWN) |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_ROUTE_UP) |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_IPCHANGE) |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_TLS_VERIFY) |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY) |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_CLIENT_CONNECT_V2) |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_CLIENT_DISCONNECT) |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_LEARN_ADDRESS) |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_TLS_FINAL); return (openvpn_plugin_handle_t) context; } void show(const int type, const char *argv[], const char *envp[]) { size_t i; switch (type) { case OPENVPN_PLUGIN_UP: printf("OPENVPN_PLUGIN_UP\n"); break; case OPENVPN_PLUGIN_DOWN: printf("OPENVPN_PLUGIN_DOWN\n"); break; case OPENVPN_PLUGIN_ROUTE_UP: printf("OPENVPN_PLUGIN_ROUTE_UP\n"); break; case OPENVPN_PLUGIN_IPCHANGE: printf("OPENVPN_PLUGIN_IPCHANGE\n"); break; case OPENVPN_PLUGIN_TLS_VERIFY: printf("OPENVPN_PLUGIN_TLS_VERIFY\n"); break; case OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY: printf("OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY\n"); break; case OPENVPN_PLUGIN_CLIENT_CONNECT_V2: printf("OPENVPN_PLUGIN_CLIENT_CONNECT_V2\n"); break; case OPENVPN_PLUGIN_CLIENT_DISCONNECT: printf("OPENVPN_PLUGIN_CLIENT_DISCONNECT\n"); break; case OPENVPN_PLUGIN_LEARN_ADDRESS: printf("OPENVPN_PLUGIN_LEARN_ADDRESS\n"); break; case OPENVPN_PLUGIN_TLS_FINAL: printf("OPENVPN_PLUGIN_TLS_FINAL\n"); break; default: printf("OPENVPN_PLUGIN_?\n"); break; } printf("ARGV\n"); for (i = 0; argv[i] != NULL; ++i) printf("%d '%s'\n", (int)i, argv[i]); printf("ENVP\n"); for (i = 0; envp[i] != NULL; ++i) printf("%d '%s'\n", (int)i, envp[i]); } OPENVPN_EXPORT int openvpn_plugin_func_v1(openvpn_plugin_handle_t handle, const int type, const char *argv[], const char *envp[]) { struct plugin_context *context = (struct plugin_context *) handle; show(type, argv, envp); /* check entered username/password against what we require */ if (type == OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY) { /* get username/password from envp string array */ const char *username = get_env("username", envp); const char *password = get_env("password", envp); if (username && !strcmp(username, context->username) && password && !strcmp(password, context->password)) { return OPENVPN_PLUGIN_FUNC_SUCCESS; } else { return OPENVPN_PLUGIN_FUNC_ERROR; } } else { return OPENVPN_PLUGIN_FUNC_SUCCESS; } } OPENVPN_EXPORT void openvpn_plugin_close_v1(openvpn_plugin_handle_t handle) { struct plugin_context *context = (struct plugin_context *) handle; free(context); } openvpn-2.4.4/sample/sample-plugins/log/log_v3.c000066400000000000000000000203141316434344000215470ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * Copyright (C) 2010 David Sommerseth * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ /* * This plugin is similar to simple.c, except it also logs extra information * to stdout for every plugin method called by OpenVPN. The only difference * between this (log_v3.c) and log.c is that this module uses the v3 plug-in * API. * * See the README file for build instructions. */ #include #include #include #define ENABLE_CRYPTO #include "openvpn-plugin.h" /* * Our context, where we keep our state. */ struct plugin_context { const char *username; const char *password; }; /* * Given an environmental variable name, search * the envp array for its value, returning it * if found or NULL otherwise. */ static const char * get_env(const char *name, const char *envp[]) { if (envp) { int i; const int namelen = strlen(name); for (i = 0; envp[i]; ++i) { if (!strncmp(envp[i], name, namelen)) { const char *cp = envp[i] + namelen; if (*cp == '=') { return cp + 1; } } } } return NULL; } OPENVPN_EXPORT int openvpn_plugin_open_v3(const int v3structver, struct openvpn_plugin_args_open_in const *args, struct openvpn_plugin_args_open_return *ret) { struct plugin_context *context = NULL; /* Check that we are API compatible */ if (v3structver != OPENVPN_PLUGINv3_STRUCTVER) { printf("log_v3: ** ERROR ** Incompatible plug-in interface between this plug-in and OpenVPN\n"); return OPENVPN_PLUGIN_FUNC_ERROR; } if (args->ssl_api != SSLAPI_OPENSSL) { printf("This plug-in can only be used against OpenVPN with OpenSSL\n"); return OPENVPN_PLUGIN_FUNC_ERROR; } /* Print some version information about the OpenVPN process using this plug-in */ printf("log_v3: OpenVPN %s (Major: %i, Minor: %i, Patch: %s)\n", args->ovpn_version, args->ovpn_version_major, args->ovpn_version_minor, args->ovpn_version_patch); /* Which callbacks to intercept. */ ret->type_mask = OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_UP) |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_DOWN) |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_ROUTE_UP) |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_IPCHANGE) |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_TLS_VERIFY) |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY) |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_CLIENT_CONNECT_V2) |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_CLIENT_DISCONNECT) |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_LEARN_ADDRESS) |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_TLS_FINAL); /* Allocate our context */ context = (struct plugin_context *) calloc(1, sizeof(struct plugin_context)); /* Set the username/password we will require. */ context->username = "foo"; context->password = "bar"; /* Point the global context handle to our newly created context */ ret->handle = (void *) context; return OPENVPN_PLUGIN_FUNC_SUCCESS; } void show(const int type, const char *argv[], const char *envp[]) { size_t i; switch (type) { case OPENVPN_PLUGIN_UP: printf("OPENVPN_PLUGIN_UP\n"); break; case OPENVPN_PLUGIN_DOWN: printf("OPENVPN_PLUGIN_DOWN\n"); break; case OPENVPN_PLUGIN_ROUTE_UP: printf("OPENVPN_PLUGIN_ROUTE_UP\n"); break; case OPENVPN_PLUGIN_IPCHANGE: printf("OPENVPN_PLUGIN_IPCHANGE\n"); break; case OPENVPN_PLUGIN_TLS_VERIFY: printf("OPENVPN_PLUGIN_TLS_VERIFY\n"); break; case OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY: printf("OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY\n"); break; case OPENVPN_PLUGIN_CLIENT_CONNECT_V2: printf("OPENVPN_PLUGIN_CLIENT_CONNECT_V2\n"); break; case OPENVPN_PLUGIN_CLIENT_DISCONNECT: printf("OPENVPN_PLUGIN_CLIENT_DISCONNECT\n"); break; case OPENVPN_PLUGIN_LEARN_ADDRESS: printf("OPENVPN_PLUGIN_LEARN_ADDRESS\n"); break; case OPENVPN_PLUGIN_TLS_FINAL: printf("OPENVPN_PLUGIN_TLS_FINAL\n"); break; default: printf("OPENVPN_PLUGIN_?\n"); break; } printf("ARGV\n"); for (i = 0; argv[i] != NULL; ++i) printf("%d '%s'\n", (int)i, argv[i]); printf("ENVP\n"); for (i = 0; envp[i] != NULL; ++i) printf("%d '%s'\n", (int)i, envp[i]); } static void x509_print_info(X509 *x509crt) { int i, n; int fn_nid; ASN1_OBJECT *fn; ASN1_STRING *val; X509_NAME *x509_name; X509_NAME_ENTRY *ent; const char *objbuf; unsigned char *buf; x509_name = X509_get_subject_name(x509crt); n = X509_NAME_entry_count(x509_name); for (i = 0; i < n; ++i) { ent = X509_NAME_get_entry(x509_name, i); if (!ent) { continue; } fn = X509_NAME_ENTRY_get_object(ent); if (!fn) { continue; } val = X509_NAME_ENTRY_get_data(ent); if (!val) { continue; } fn_nid = OBJ_obj2nid(fn); if (fn_nid == NID_undef) { continue; } objbuf = OBJ_nid2sn(fn_nid); if (!objbuf) { continue; } if (ASN1_STRING_to_UTF8(&buf, val) < 0) { continue; } printf("X509 %s: %s\n", objbuf, (char *)buf); OPENSSL_free(buf); } } OPENVPN_EXPORT int openvpn_plugin_func_v3(const int version, struct openvpn_plugin_args_func_in const *args, struct openvpn_plugin_args_func_return *retptr) { struct plugin_context *context = (struct plugin_context *) args->handle; printf("\nopenvpn_plugin_func_v3() :::::>> "); show(args->type, args->argv, args->envp); /* Dump some X509 information if we're in the TLS_VERIFY phase */ if ((args->type == OPENVPN_PLUGIN_TLS_VERIFY) && args->current_cert) { printf("---- X509 Subject information ----\n"); printf("Certificate depth: %i\n", args->current_cert_depth); x509_print_info(args->current_cert); printf("----------------------------------\n"); } /* check entered username/password against what we require */ if (args->type == OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY) { /* get username/password from envp string array */ const char *username = get_env("username", args->envp); const char *password = get_env("password", args->envp); if (username && !strcmp(username, context->username) && password && !strcmp(password, context->password)) { return OPENVPN_PLUGIN_FUNC_SUCCESS; } else { return OPENVPN_PLUGIN_FUNC_ERROR; } } else { return OPENVPN_PLUGIN_FUNC_SUCCESS; } } OPENVPN_EXPORT void openvpn_plugin_close_v1(openvpn_plugin_handle_t handle) { struct plugin_context *context = (struct plugin_context *) handle; free(context); } openvpn-2.4.4/sample/sample-plugins/log/winbuild000077500000000000000000000010771316434344000217620ustar00rootroot00000000000000# # Build an OpenVPN plugin module on Windows/MinGW. # The argument should be the base name of the C source file # (without the .c). # # This directory is where we will look for openvpn-plugin.h INCLUDE="-I../../../include" CC_FLAGS="-O2 -Wall" gcc -DBUILD_DLL $CC_FLAGS $INCLUDE -c $1.c gcc --disable-stdcall-fixup -mdll -DBUILD_DLL -o junk.tmp -Wl,--base-file,base.tmp $1.o rm junk.tmp dlltool --dllname $1.dll --base-file base.tmp --output-exp temp.exp --input-def $1.def rm base.tmp gcc --enable-stdcall-fixup -mdll -DBUILD_DLL -o $1.dll $1.o -Wl,temp.exp rm temp.exp openvpn-2.4.4/sample/sample-plugins/simple/000077500000000000000000000000001316434344000207225ustar00rootroot00000000000000openvpn-2.4.4/sample/sample-plugins/simple/README000066400000000000000000000005551316434344000216070ustar00rootroot00000000000000OpenVPN plugin examples. Examples provided: simple.c -- using the --auth-user-pass-verify callback, verify that the username/password is "foo"/"bar". To build: ./build simple (Linux/BSD/etc.) ./winbuild simple (MinGW on Windows) To use in OpenVPN, add to config file: plugin simple.so (Linux/BSD/etc.) plugin simple.dll (MinGW on Windows) openvpn-2.4.4/sample/sample-plugins/simple/build000077500000000000000000000006131316434344000217470ustar00rootroot00000000000000#!/bin/sh # # Build an OpenVPN plugin module on *nix. The argument should # be the base name of the C source file (without the .c). # # This directory is where we will look for openvpn-plugin.h CPPFLAGS="${CPPFLAGS:--I../../..}" CC="${CC:-gcc}" CFLAGS="${CFLAGS:--O2 -Wall -g}" $CC $CPPFLAGS $CFLAGS -fPIC -c $1.c && \ $CC $CFLAGS -fPIC -shared $LDFLAGS -Wl,-soname,$1.so -o $1.so $1.o -lc openvpn-2.4.4/sample/sample-plugins/simple/simple.c000066400000000000000000000070131316434344000223600ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ /* * This file implements a simple OpenVPN plugin module which * will examine the username/password provided by a client, * and make an accept/deny determination. Will run * on Windows or *nix. * * See the README file for build instructions. */ #include #include #include #include "openvpn-plugin.h" /* * Our context, where we keep our state. */ struct plugin_context { const char *username; const char *password; }; /* * Given an environmental variable name, search * the envp array for its value, returning it * if found or NULL otherwise. */ static const char * get_env(const char *name, const char *envp[]) { if (envp) { int i; const int namelen = strlen(name); for (i = 0; envp[i]; ++i) { if (!strncmp(envp[i], name, namelen)) { const char *cp = envp[i] + namelen; if (*cp == '=') { return cp + 1; } } } } return NULL; } OPENVPN_EXPORT openvpn_plugin_handle_t openvpn_plugin_open_v1(unsigned int *type_mask, const char *argv[], const char *envp[]) { struct plugin_context *context; /* * Allocate our context */ context = (struct plugin_context *) calloc(1, sizeof(struct plugin_context)); /* * Set the username/password we will require. */ context->username = "foo"; context->password = "bar"; /* * We are only interested in intercepting the * --auth-user-pass-verify callback. */ *type_mask = OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY); return (openvpn_plugin_handle_t) context; } OPENVPN_EXPORT int openvpn_plugin_func_v1(openvpn_plugin_handle_t handle, const int type, const char *argv[], const char *envp[]) { struct plugin_context *context = (struct plugin_context *) handle; /* get username/password from envp string array */ const char *username = get_env("username", envp); const char *password = get_env("password", envp); /* check entered username/password against what we require */ if (username && !strcmp(username, context->username) && password && !strcmp(password, context->password)) { return OPENVPN_PLUGIN_FUNC_SUCCESS; } else { return OPENVPN_PLUGIN_FUNC_ERROR; } } OPENVPN_EXPORT void openvpn_plugin_close_v1(openvpn_plugin_handle_t handle) { struct plugin_context *context = (struct plugin_context *) handle; free(context); } openvpn-2.4.4/sample/sample-plugins/simple/simple.def000077500000000000000000000002621316434344000226760ustar00rootroot00000000000000LIBRARY OpenVPN_PLUGIN_SAMPLE DESCRIPTION "Sample OpenVPN plug-in module." EXPORTS openvpn_plugin_open_v1 @1 openvpn_plugin_func_v1 @2 openvpn_plugin_close_v1 @3 openvpn-2.4.4/sample/sample-plugins/simple/winbuild000077500000000000000000000010771316434344000224720ustar00rootroot00000000000000# # Build an OpenVPN plugin module on Windows/MinGW. # The argument should be the base name of the C source file # (without the .c). # # This directory is where we will look for openvpn-plugin.h INCLUDE="-I../../../include" CC_FLAGS="-O2 -Wall" gcc -DBUILD_DLL $CC_FLAGS $INCLUDE -c $1.c gcc --disable-stdcall-fixup -mdll -DBUILD_DLL -o junk.tmp -Wl,--base-file,base.tmp $1.o rm junk.tmp dlltool --dllname $1.dll --base-file base.tmp --output-exp temp.exp --input-def $1.def rm base.tmp gcc --enable-stdcall-fixup -mdll -DBUILD_DLL -o $1.dll $1.o -Wl,temp.exp rm temp.exp openvpn-2.4.4/sample/sample-scripts/000077500000000000000000000000001316434344000174375ustar00rootroot00000000000000openvpn-2.4.4/sample/sample-scripts/auth-pam.pl000077500000000000000000000045501316434344000215170ustar00rootroot00000000000000#!/usr/bin/perl -t # OpenVPN PAM AUTHENTICATON # This script can be used to add PAM-based authentication # to OpenVPN 2.0. The OpenVPN client must provide # a username/password, using the --auth-user-pass directive. # The OpenVPN server should specify --auth-user-pass-verify # with this script as the argument and the 'via-file' method # specified. The server can also optionally specify # --client-cert-not-required and/or --username-as-common-name. # SCRIPT OPERATION # Return success or failure status based on whether or not a # given username/password authenticates using PAM. # Caller should write username/password as two lines in a file # which is passed to this script as a command line argument. # CAVEATS # * Requires Authen::PAM module, which may also # require the pam-devel package. # * May need to be run as root in order to # access username/password file. # NOTES # * This script is provided mostly as a demonstration of the # --auth-user-pass-verify script capability in OpenVPN. # For real world usage, see the auth-pam module in the plugin # folder. use Authen::PAM; use POSIX; # This "conversation function" will pass # $password to PAM when it asks for it. sub my_conv_func { my @res; while ( @_ ) { my $code = shift; my $msg = shift; my $ans = ""; $ans = $password if $msg =~ /[Pp]assword/; push @res, (PAM_SUCCESS(),$ans); } push @res, PAM_SUCCESS(); return @res; } # Identify service type to PAM $service = "login"; # Get username/password from file if ($ARG = shift @ARGV) { if (!open (UPFILE, "<$ARG")) { print "Could not open username/password file: $ARG\n"; exit 1; } } else { print "No username/password file specified on command line\n"; exit 1; } $username = ; $password = ; if (!$username || !$password) { print "Username/password not found in file: $ARG\n"; exit 1; } chomp $username; chomp $password; close (UPFILE); # Initialize PAM object if (!ref($pamh = new Authen::PAM($service, $username, \&my_conv_func))) { print "Authen::PAM init failed\n"; exit 1; } # Authenticate with PAM $res = $pamh->pam_authenticate; # Return success or failure if ($res == PAM_SUCCESS()) { exit 0; } else { print "Auth '$username' failed, PAM said: ", $pamh->pam_strerror($res), "\n"; exit 1; } openvpn-2.4.4/sample/sample-scripts/bridge-start000077500000000000000000000013451316434344000217570ustar00rootroot00000000000000#!/bin/sh ################################# # Set up Ethernet bridge on Linux # Requires: bridge-utils ################################# # Define Bridge Interface br="br0" # Define list of TAP interfaces to be bridged, # for example tap="tap0 tap1 tap2". tap="tap0" # Define physical ethernet interface to be bridged # with TAP interface(s) above. eth="eth0" eth_ip="192.168.8.4" eth_netmask="255.255.255.0" eth_broadcast="192.168.8.255" for t in $tap; do openvpn --mktun --dev $t done brctl addbr $br brctl addif $br $eth for t in $tap; do brctl addif $br $t done for t in $tap; do ifconfig $t 0.0.0.0 promisc up done ifconfig $eth 0.0.0.0 promisc up ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast openvpn-2.4.4/sample/sample-scripts/bridge-stop000077500000000000000000000004711316434344000216060ustar00rootroot00000000000000#!/bin/sh #################################### # Tear Down Ethernet bridge on Linux #################################### # Define Bridge Interface br="br0" # Define list of TAP interfaces to be bridged together tap="tap0" ifconfig $br down brctl delbr $br for t in $tap; do openvpn --rmtun --dev $t done openvpn-2.4.4/sample/sample-scripts/ucn.pl000077500000000000000000000005231316434344000205640ustar00rootroot00000000000000#!/usr/bin/perl -t # OpenVPN --auth-user-pass-verify script. # Only authenticate if username equals common_name. # In OpenVPN config file: # auth-user-pass-verify ./ucn.pl via-env $username = $ENV{'username'}; $common_name = $ENV{'common_name'}; exit !(length($username) > 0 && length($common_name) > 0 && $username eq $common_name); openvpn-2.4.4/sample/sample-scripts/verify-cn000077500000000000000000000042071316434344000212720ustar00rootroot00000000000000#!/usr/bin/perl # verify-cn -- a sample OpenVPN tls-verify script # # Return 0 if cn matches the common name component of # subject, 1 otherwise. # # For example in OpenVPN, you could use the directive: # # tls-verify "./verify-cn /etc/openvpn/allowed_clients" # # This would cause the connection to be dropped unless # the client common name is listed on a line in the # allowed_clients file. die "usage: verify-cn cnfile certificate_depth subject" if (@ARGV != 3); # Parse out arguments: # cnfile -- The file containing the list of common names, one per # line, which the client is required to have, # taken from the argument to the tls-verify directive # in the OpenVPN config file. # The file can have blank lines and comment lines that begin # with the # character. # depth -- The current certificate chain depth. In a typical # bi-level chain, the root certificate will be at level # 1 and the client certificate will be at level 0. # This script will be called separately for each level. # x509 -- the X509 subject string as extracted by OpenVPN from # the client's provided certificate. ($cnfile, $depth, $x509) = @ARGV; if ($depth == 0) { # If depth is zero, we know that this is the final # certificate in the chain (i.e. the client certificate), # and the one we are interested in examining. # If so, parse out the common name substring in # the X509 subject string. if ($x509 =~ / CN=([^,]+)/) { $cn = $1; # Accept the connection if the X509 common name # string matches the passed cn argument. open(FH, '<', $cnfile) or exit 1; # can't open, nobody authenticates! while (defined($line = )) { if ($line !~ /^[[:space:]]*(#|$)/o) { chop($line); if ($line eq $cn) { exit 0; } } } close(FH); } # Authentication failed -- Either we could not parse # the X509 subject string, or the common name in the # subject string didn't match the passed cn argument. exit 1; } # If depth is nonzero, tell OpenVPN to continue processing # the certificate chain. exit 0; openvpn-2.4.4/sample/sample-windows/000077500000000000000000000000001316434344000174425ustar00rootroot00000000000000openvpn-2.4.4/sample/sample-windows/sample.ovpn000077500000000000000000000056321316434344000216400ustar00rootroot00000000000000# Edit this file, and save to a .ovpn extension # so that OpenVPN will activate it when run # as a service. # Change 'myremote' to be your remote host, # or comment out to enter a listening # server mode. remote myremote # Uncomment this line to use a different # port number than the default of 1194. ; port 1194 # Choose one of three protocols supported by # OpenVPN. If left commented out, defaults # to udp. ; proto [tcp-server | tcp-client | udp] # You must specify one of two possible network # protocols, 'dev tap' or 'dev tun' to be used # on both sides of the connection. 'tap' creates # a VPN using the ethernet protocol while 'tun' # uses the IP protocol. You must use 'tap' # if you are ethernet bridging or want to route # broadcasts. 'tun' is somewhat more efficient # but requires configuration of client software # to not depend on broadcasts. Some platforms # such as Solaris, OpenBSD, and Mac OS X only # support 'tun' interfaces, so if you are # connecting to such a platform, you must also # use a 'tun' interface on the Windows side. # Enable 'dev tap' or 'dev tun' but not both! dev tap # This is a 'dev tap' ifconfig that creates # a virtual ethernet subnet. # 10.3.0.1 is the local VPN IP address # and 255.255.255.0 is the VPN subnet. # Only define this option for 'dev tap'. ifconfig 10.3.0.1 255.255.255.0 # This is a 'dev tun' ifconfig that creates # a point-to-point IP link. # 10.3.0.1 is the local VPN IP address and # 10.3.0.2 is the remote VPN IP address. # Only define this option for 'dev tun'. # Make sure to include the "tun-mtu" option # on the remote machine, but swap the order # of the ifconfig addresses. ;tun-mtu 1500 ;ifconfig 10.3.0.1 10.3.0.2 # If you have fragmentation issues or misconfigured # routers in the path which block Path MTU discovery, # lower the TCP MSS and internally fragment non-TCP # protocols. ;fragment 1300 ;mssfix # If you have set up more than one TAP-Win32 adapter # on your system, you must refer to it by name. ;dev-node my-tap # You can generate a static OpenVPN key # by selecting the Generate Key option # in the start menu. # # You can also generate key.txt manually # with the following command: # openvpn --genkey --secret key.txt # # key must match on both ends of the connection, # so you should generate it on one machine and # copy it to the other over a secure medium. # Place key.txt in the same directory as this # config file. secret key.txt # Uncomment this section for a more reliable # detection when a system loses its connection. # For example, dial-ups or laptops that travel # to other locations. # # If this section is enabled and "myremote" # above is a dynamic DNS name (i.e. dyndns.org), # OpenVPN will dynamically "follow" the IP # address of "myremote" if it changes. ; ping-restart 60 ; ping-timer-rem ; persist-tun ; persist-key ; resolv-retry 86400 # keep-alive ping ping 10 # enable LZO compression comp-lzo # moderate verbosity verb 4 mute 10 openvpn-2.4.4/src/000077500000000000000000000000001316434344000137775ustar00rootroot00000000000000openvpn-2.4.4/src/Makefile.am000066400000000000000000000010051316434344000160270ustar00rootroot00000000000000# # OpenVPN -- An application to securely tunnel IP networks # over a single UDP port, with support for SSL/TLS-based # session authentication and key exchange, # packet encryption, packet authentication, and # packet compression. # # Copyright (C) 2002-2017 OpenVPN Technologies, Inc. # Copyright (C) 2006-2012 Alon Bar-Lev # MAINTAINERCLEANFILES = \ $(srcdir)/Makefile.in SUBDIRS = compat openvpn openvpnserv plugins openvpn-2.4.4/src/Makefile.in000066400000000000000000000510171316434344000160500ustar00rootroot00000000000000# Makefile.in generated by automake 1.14.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2013 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY, to the extent permitted by law; without # even the implied warranty of MERCHANTABILITY or FITNESS FOR A # PARTICULAR PURPOSE. @SET_MAKE@ # # OpenVPN -- An application to securely tunnel IP networks # over a single UDP port, with support for SSL/TLS-based # session authentication and key exchange, # packet encryption, packet authentication, and # packet compression. # # Copyright (C) 2002-2017 OpenVPN Technologies, Inc. # Copyright (C) 2006-2012 Alon Bar-Lev # VPATH = @srcdir@ am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ *) echo "am__make_running_with_option: internal error: invalid" \ "target option '$${target_option-}' specified" >&2; \ exit 1;; \ esac; \ has_opt=no; \ sane_makeflags=$$MAKEFLAGS; \ if $(am__is_gnu_make); then \ sane_makeflags=$$MFLAGS; \ else \ case $$MAKEFLAGS in \ *\\[\ \ ]*) \ bs=\\; \ sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ esac; \ fi; \ skip_next=no; \ strip_trailopt () \ { \ flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ }; \ for flg in $$sane_makeflags; do \ test $$skip_next = yes && { skip_next=no; continue; }; \ case $$flg in \ *=*|--*) continue;; \ -*I) strip_trailopt 'I'; skip_next=yes;; \ -*I?*) strip_trailopt 'I';; \ -*O) strip_trailopt 'O'; skip_next=yes;; \ -*O?*) strip_trailopt 'O';; \ -*l) strip_trailopt 'l'; skip_next=yes;; \ -*l?*) strip_trailopt 'l';; \ -[dEDm]) skip_next=yes;; \ -[JT]) skip_next=yes;; \ esac; \ case $$flg in \ *$$target_option*) has_opt=yes; break;; \ esac; \ done; \ test $$has_opt = yes am__make_dryrun = (target_option=n; $(am__make_running_with_option)) am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) pkgdatadir = $(datadir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ pkglibdir = $(libdir)/@PACKAGE@ pkglibexecdir = $(libexecdir)/@PACKAGE@ am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c install_sh_SCRIPT = $(install_sh) -c INSTALL_HEADER = $(INSTALL_DATA) transform = $(program_transform_name) NORMAL_INSTALL = : PRE_INSTALL = : POST_INSTALL = : NORMAL_UNINSTALL = : PRE_UNINSTALL = : POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = src DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/ax_emptyarray.m4 \ $(top_srcdir)/m4/ax_socklen_t.m4 \ $(top_srcdir)/m4/ax_varargs.m4 $(top_srcdir)/m4/libtool.m4 \ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ $(top_srcdir)/m4/pkg.m4 $(top_srcdir)/version.m4 \ $(top_srcdir)/compat.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h \ $(top_builddir)/include/openvpn-plugin.h CONFIG_CLEAN_FILES = CONFIG_CLEAN_VPATH_FILES = AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false am__v_P_1 = : AM_V_GEN = $(am__v_GEN_@AM_V@) am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) am__v_GEN_0 = @echo " GEN " $@; am__v_GEN_1 = AM_V_at = $(am__v_at_@AM_V@) am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) am__v_at_0 = @ am__v_at_1 = SOURCES = DIST_SOURCES = RECURSIVE_TARGETS = all-recursive check-recursive cscopelist-recursive \ ctags-recursive dvi-recursive html-recursive info-recursive \ install-data-recursive install-dvi-recursive \ install-exec-recursive install-html-recursive \ install-info-recursive install-pdf-recursive \ install-ps-recursive install-recursive installcheck-recursive \ installdirs-recursive pdf-recursive ps-recursive \ tags-recursive uninstall-recursive am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ *) (install-info --version) >/dev/null 2>&1;; \ esac RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive \ distclean-recursive maintainer-clean-recursive am__recursive_targets = \ $(RECURSIVE_TARGETS) \ $(RECURSIVE_CLEAN_TARGETS) \ $(am__extra_recursive_targets) AM_RECURSIVE_TARGETS = $(am__recursive_targets:-recursive=) TAGS CTAGS \ distdir am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) # Read a list of newline-separated strings from the standard input, # and print each of them once, without duplicates. Input order is # *not* preserved. am__uniquify_input = $(AWK) '\ BEGIN { nonempty = 0; } \ { items[$$0] = 1; nonempty = 1; } \ END { if (nonempty) { for (i in items) print i; }; } \ ' # Make sure the list of sources is unique. This is necessary because, # e.g., the same source file might be shared among _SOURCES variables # for different programs/libraries. am__define_uniq_tagged_files = \ list='$(am__tagged_files)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags DIST_SUBDIRS = $(SUBDIRS) DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) am__relativize = \ dir0=`pwd`; \ sed_first='s,^\([^/]*\)/.*$$,\1,'; \ sed_rest='s,^[^/]*/*,,'; \ sed_last='s,^.*/\([^/]*\)$$,\1,'; \ sed_butlast='s,/*[^/]*$$,,'; \ while test -n "$$dir1"; do \ first=`echo "$$dir1" | sed -e "$$sed_first"`; \ if test "$$first" != "."; then \ if test "$$first" = ".."; then \ dir2=`echo "$$dir0" | sed -e "$$sed_last"`/"$$dir2"; \ dir0=`echo "$$dir0" | sed -e "$$sed_butlast"`; \ else \ first2=`echo "$$dir2" | sed -e "$$sed_first"`; \ if test "$$first2" = "$$first"; then \ dir2=`echo "$$dir2" | sed -e "$$sed_rest"`; \ else \ dir2="../$$dir2"; \ fi; \ dir0="$$dir0"/"$$first"; \ fi; \ fi; \ dir1=`echo "$$dir1" | sed -e "$$sed_rest"`; \ done; \ reldir="$$dir2" ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ AS = @AS@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ CMAKE = @CMAKE@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ DL_LIBS = @DL_LIBS@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ GIT = @GIT@ GREP = @GREP@ IFCONFIG = @IFCONFIG@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ IPROUTE = @IPROUTE@ LD = @LD@ LDFLAGS = @LDFLAGS@ LIBOBJS = @LIBOBJS@ LIBPAM_CFLAGS = @LIBPAM_CFLAGS@ LIBPAM_LIBS = @LIBPAM_LIBS@ LIBS = @LIBS@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ LZ4_CFLAGS = @LZ4_CFLAGS@ LZ4_LIBS = @LZ4_LIBS@ LZO_CFLAGS = @LZO_CFLAGS@ LZO_LIBS = @LZO_LIBS@ MAKEINFO = @MAKEINFO@ MAN2HTML = @MAN2HTML@ MANIFEST_TOOL = @MANIFEST_TOOL@ MBEDTLS_CFLAGS = @MBEDTLS_CFLAGS@ MBEDTLS_LIBS = @MBEDTLS_LIBS@ MKDIR_P = @MKDIR_P@ NETSTAT = @NETSTAT@ NM = @NM@ NMEDIT = @NMEDIT@ OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ OPENSSL_CFLAGS = @OPENSSL_CFLAGS@ OPENSSL_LIBS = @OPENSSL_LIBS@ OPENVPN_VERSION_MAJOR = @OPENVPN_VERSION_MAJOR@ OPENVPN_VERSION_MINOR = @OPENVPN_VERSION_MINOR@ OPENVPN_VERSION_PATCH = @OPENVPN_VERSION_PATCH@ OPTIONAL_CRYPTO_CFLAGS = @OPTIONAL_CRYPTO_CFLAGS@ OPTIONAL_CRYPTO_LIBS = @OPTIONAL_CRYPTO_LIBS@ OPTIONAL_DL_LIBS = @OPTIONAL_DL_LIBS@ OPTIONAL_LZ4_CFLAGS = @OPTIONAL_LZ4_CFLAGS@ OPTIONAL_LZ4_LIBS = @OPTIONAL_LZ4_LIBS@ OPTIONAL_LZO_CFLAGS = @OPTIONAL_LZO_CFLAGS@ OPTIONAL_LZO_LIBS = @OPTIONAL_LZO_LIBS@ OPTIONAL_PKCS11_HELPER_CFLAGS = @OPTIONAL_PKCS11_HELPER_CFLAGS@ OPTIONAL_PKCS11_HELPER_LIBS = @OPTIONAL_PKCS11_HELPER_LIBS@ OPTIONAL_SELINUX_LIBS = @OPTIONAL_SELINUX_LIBS@ OPTIONAL_SYSTEMD_LIBS = @OPTIONAL_SYSTEMD_LIBS@ OTOOL = @OTOOL@ OTOOL64 = @OTOOL64@ P11KIT_CFLAGS = @P11KIT_CFLAGS@ P11KIT_LIBS = @P11KIT_LIBS@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PKCS11_HELPER_CFLAGS = @PKCS11_HELPER_CFLAGS@ PKCS11_HELPER_LIBS = @PKCS11_HELPER_LIBS@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGINDIR = @PLUGINDIR@ PLUGIN_AUTH_PAM_CFLAGS = @PLUGIN_AUTH_PAM_CFLAGS@ PLUGIN_AUTH_PAM_LIBS = @PLUGIN_AUTH_PAM_LIBS@ RANLIB = @RANLIB@ RC = @RC@ ROUTE = @ROUTE@ SED = @SED@ SELINUX_LIBS = @SELINUX_LIBS@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ SOCKETS_LIBS = @SOCKETS_LIBS@ STRIP = @STRIP@ SYSTEMD_ASK_PASSWORD = @SYSTEMD_ASK_PASSWORD@ SYSTEMD_UNIT_DIR = @SYSTEMD_UNIT_DIR@ TAP_CFLAGS = @TAP_CFLAGS@ TAP_WIN_COMPONENT_ID = @TAP_WIN_COMPONENT_ID@ TAP_WIN_MIN_MAJOR = @TAP_WIN_MIN_MAJOR@ TAP_WIN_MIN_MINOR = @TAP_WIN_MIN_MINOR@ TEST_CFLAGS = @TEST_CFLAGS@ TEST_LDFLAGS = @TEST_LDFLAGS@ TMPFILES_DIR = @TMPFILES_DIR@ VENDOR_BUILD_ROOT = @VENDOR_BUILD_ROOT@ VENDOR_DIST_ROOT = @VENDOR_DIST_ROOT@ VENDOR_SRC_ROOT = @VENDOR_SRC_ROOT@ VERSION = @VERSION@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ ac_ct_AR = @ac_ct_AR@ ac_ct_CC = @ac_ct_CC@ ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ am__include = @am__include@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ am__tar = @am__tar@ am__untar = @am__untar@ bindir = @bindir@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ datadir = @datadir@ datarootdir = @datarootdir@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ host_os = @host_os@ host_vendor = @host_vendor@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ libdir = @libdir@ libexecdir = @libexecdir@ libsystemd_CFLAGS = @libsystemd_CFLAGS@ libsystemd_LIBS = @libsystemd_LIBS@ localedir = @localedir@ localstatedir = @localstatedir@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ pdfdir = @pdfdir@ plugindir = @plugindir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ sampledir = @sampledir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ systemdunitdir = @systemdunitdir@ target_alias = @target_alias@ tmpfilesdir = @tmpfilesdir@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ MAINTAINERCLEANFILES = \ $(srcdir)/Makefile.in SUBDIRS = compat openvpn openvpnserv plugins all: all-recursive .SUFFIXES: $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) @for dep in $?; do \ case '$(am__configure_deps)' in \ *$$dep*) \ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ && { if test -f $@; then exit 0; else break; fi; }; \ exit 1;; \ esac; \ done; \ echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --foreign src/Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ *) \ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(top_srcdir)/configure: $(am__configure_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(ACLOCAL_M4): $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(am__aclocal_m4_deps): mostlyclean-libtool: -rm -f *.lo clean-libtool: -rm -rf .libs _libs # This directory's subdirectories are mostly independent; you can cd # into them and run 'make' without going through this Makefile. # To change the values of 'make' variables: instead of editing Makefiles, # (1) if the variable is set in 'config.status', edit 'config.status' # (which will cause the Makefiles to be regenerated when you run 'make'); # (2) otherwise, pass the desired values on the 'make' command line. $(am__recursive_targets): @fail=; \ if $(am__make_keepgoing); then \ failcom='fail=yes'; \ else \ failcom='exit 1'; \ fi; \ dot_seen=no; \ target=`echo $@ | sed s/-recursive//`; \ case "$@" in \ distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \ *) list='$(SUBDIRS)' ;; \ esac; \ for subdir in $$list; do \ echo "Making $$target in $$subdir"; \ if test "$$subdir" = "."; then \ dot_seen=yes; \ local_target="$$target-am"; \ else \ local_target="$$target"; \ fi; \ ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ || eval $$failcom; \ done; \ if test "$$dot_seen" = "no"; then \ $(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \ fi; test -z "$$fail" ID: $(am__tagged_files) $(am__define_uniq_tagged_files); mkid -fID $$unique tags: tags-recursive TAGS: tags tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) set x; \ here=`pwd`; \ if ($(ETAGS) --etags-include --version) >/dev/null 2>&1; then \ include_option=--etags-include; \ empty_fix=.; \ else \ include_option=--include; \ empty_fix=; \ fi; \ list='$(SUBDIRS)'; for subdir in $$list; do \ if test "$$subdir" = .; then :; else \ test ! -f $$subdir/TAGS || \ set "$$@" "$$include_option=$$here/$$subdir/TAGS"; \ fi; \ done; \ $(am__define_uniq_tagged_files); \ shift; \ if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ test -n "$$unique" || unique=$$empty_fix; \ if test $$# -gt 0; then \ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ "$$@" $$unique; \ else \ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ $$unique; \ fi; \ fi ctags: ctags-recursive CTAGS: ctags ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) $(am__define_uniq_tagged_files); \ test -z "$(CTAGS_ARGS)$$unique" \ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ $$unique GTAGS: here=`$(am__cd) $(top_builddir) && pwd` \ && $(am__cd) $(top_srcdir) \ && gtags -i $(GTAGS_ARGS) "$$here" cscopelist: cscopelist-recursive cscopelist-am: $(am__tagged_files) list='$(am__tagged_files)'; \ case "$(srcdir)" in \ [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \ *) sdir=$(subdir)/$(srcdir) ;; \ esac; \ for i in $$list; do \ if test -f "$$i"; then \ echo "$(subdir)/$$i"; \ else \ echo "$$sdir/$$i"; \ fi; \ done >> $(top_builddir)/cscope.files distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags distdir: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ dist_files=`for file in $$list; do echo $$file; done | \ sed -e "s|^$$srcdirstrip/||;t" \ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ case $$dist_files in \ */*) $(MKDIR_P) `echo "$$dist_files" | \ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ sort -u` ;; \ esac; \ for file in $$dist_files; do \ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ if test -d $$d/$$file; then \ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ if test -d "$(distdir)/$$file"; then \ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ else \ test -f "$(distdir)/$$file" \ || cp -p $$d/$$file "$(distdir)/$$file" \ || exit 1; \ fi; \ done @list='$(DIST_SUBDIRS)'; for subdir in $$list; do \ if test "$$subdir" = .; then :; else \ $(am__make_dryrun) \ || test -d "$(distdir)/$$subdir" \ || $(MKDIR_P) "$(distdir)/$$subdir" \ || exit 1; \ dir1=$$subdir; dir2="$(distdir)/$$subdir"; \ $(am__relativize); \ new_distdir=$$reldir; \ dir1=$$subdir; dir2="$(top_distdir)"; \ $(am__relativize); \ new_top_distdir=$$reldir; \ echo " (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) top_distdir="$$new_top_distdir" distdir="$$new_distdir" \\"; \ echo " am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)"; \ ($(am__cd) $$subdir && \ $(MAKE) $(AM_MAKEFLAGS) \ top_distdir="$$new_top_distdir" \ distdir="$$new_distdir" \ am__remove_distdir=: \ am__skip_length_check=: \ am__skip_mode_fix=: \ distdir) \ || exit 1; \ fi; \ done check-am: all-am check: check-recursive all-am: Makefile installdirs: installdirs-recursive installdirs-am: install: install-recursive install-exec: install-exec-recursive install-data: install-data-recursive uninstall: uninstall-recursive install-am: all-am @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am installcheck: installcheck-recursive install-strip: if test -z '$(STRIP)'; then \ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ install; \ else \ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ fi mostlyclean-generic: clean-generic: distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @echo "it deletes files that may require special tools to rebuild." -test -z "$(MAINTAINERCLEANFILES)" || rm -f $(MAINTAINERCLEANFILES) clean: clean-recursive clean-am: clean-generic clean-libtool mostlyclean-am distclean: distclean-recursive -rm -f Makefile distclean-am: clean-am distclean-generic distclean-tags dvi: dvi-recursive dvi-am: html: html-recursive html-am: info: info-recursive info-am: install-data-am: install-dvi: install-dvi-recursive install-dvi-am: install-exec-am: install-html: install-html-recursive install-html-am: install-info: install-info-recursive install-info-am: install-man: install-pdf: install-pdf-recursive install-pdf-am: install-ps: install-ps-recursive install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-recursive -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic mostlyclean: mostlyclean-recursive mostlyclean-am: mostlyclean-generic mostlyclean-libtool pdf: pdf-recursive pdf-am: ps: ps-recursive ps-am: uninstall-am: .MAKE: $(am__recursive_targets) install-am install-strip .PHONY: $(am__recursive_targets) CTAGS GTAGS TAGS all all-am check \ check-am clean clean-generic clean-libtool cscopelist-am ctags \ ctags-am distclean distclean-generic distclean-libtool \ distclean-tags distdir dvi dvi-am html html-am info info-am \ install install-am install-data install-data-am install-dvi \ install-dvi-am install-exec install-exec-am install-html \ install-html-am install-info install-info-am install-man \ install-pdf install-pdf-am install-ps install-ps-am \ install-strip installcheck installcheck-am installdirs \ installdirs-am maintainer-clean maintainer-clean-generic \ mostlyclean mostlyclean-generic mostlyclean-libtool pdf pdf-am \ ps ps-am tags tags-am uninstall uninstall-am # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: openvpn-2.4.4/src/compat/000077500000000000000000000000001316434344000152625ustar00rootroot00000000000000openvpn-2.4.4/src/compat/Makefile.am000066400000000000000000000014211316434344000173140ustar00rootroot00000000000000# # OpenVPN -- An application to securely tunnel IP networks # over a single UDP port, with support for SSL/TLS-based # session authentication and key exchange, # packet encryption, packet authentication, and # packet compression. # # Copyright (C) 2002-2017 OpenVPN Technologies, Inc. # Copyright (C) 2006-2012 Alon Bar-Lev # MAINTAINERCLEANFILES = \ $(srcdir)/Makefile.in EXTRA_DIST = \ compat.vcxproj \ compat.vcxproj.filters noinst_LTLIBRARIES = libcompat.la libcompat_la_SOURCES = \ compat.h \ compat-dirname.c \ compat-basename.c \ compat-gettimeofday.c \ compat-daemon.c \ compat-inet_ntop.c \ compat-inet_pton.c \ compat-lz4.c compat-lz4.h \ compat-versionhelpers.h openvpn-2.4.4/src/compat/Makefile.in000066400000000000000000000507731316434344000173430ustar00rootroot00000000000000# Makefile.in generated by automake 1.14.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2013 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY, to the extent permitted by law; without # even the implied warranty of MERCHANTABILITY or FITNESS FOR A # PARTICULAR PURPOSE. @SET_MAKE@ # # OpenVPN -- An application to securely tunnel IP networks # over a single UDP port, with support for SSL/TLS-based # session authentication and key exchange, # packet encryption, packet authentication, and # packet compression. # # Copyright (C) 2002-2017 OpenVPN Technologies, Inc. # Copyright (C) 2006-2012 Alon Bar-Lev # VPATH = @srcdir@ am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ *) echo "am__make_running_with_option: internal error: invalid" \ "target option '$${target_option-}' specified" >&2; \ exit 1;; \ esac; \ has_opt=no; \ sane_makeflags=$$MAKEFLAGS; \ if $(am__is_gnu_make); then \ sane_makeflags=$$MFLAGS; \ else \ case $$MAKEFLAGS in \ *\\[\ \ ]*) \ bs=\\; \ sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ esac; \ fi; \ skip_next=no; \ strip_trailopt () \ { \ flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ }; \ for flg in $$sane_makeflags; do \ test $$skip_next = yes && { skip_next=no; continue; }; \ case $$flg in \ *=*|--*) continue;; \ -*I) strip_trailopt 'I'; skip_next=yes;; \ -*I?*) strip_trailopt 'I';; \ -*O) strip_trailopt 'O'; skip_next=yes;; \ -*O?*) strip_trailopt 'O';; \ -*l) strip_trailopt 'l'; skip_next=yes;; \ -*l?*) strip_trailopt 'l';; \ -[dEDm]) skip_next=yes;; \ -[JT]) skip_next=yes;; \ esac; \ case $$flg in \ *$$target_option*) has_opt=yes; break;; \ esac; \ done; \ test $$has_opt = yes am__make_dryrun = (target_option=n; $(am__make_running_with_option)) am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) pkgdatadir = $(datadir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ pkglibdir = $(libdir)/@PACKAGE@ pkglibexecdir = $(libexecdir)/@PACKAGE@ am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c install_sh_SCRIPT = $(install_sh) -c INSTALL_HEADER = $(INSTALL_DATA) transform = $(program_transform_name) NORMAL_INSTALL = : PRE_INSTALL = : POST_INSTALL = : NORMAL_UNINSTALL = : PRE_UNINSTALL = : POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = src/compat DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ $(top_srcdir)/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/ax_emptyarray.m4 \ $(top_srcdir)/m4/ax_socklen_t.m4 \ $(top_srcdir)/m4/ax_varargs.m4 $(top_srcdir)/m4/libtool.m4 \ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ $(top_srcdir)/m4/pkg.m4 $(top_srcdir)/version.m4 \ $(top_srcdir)/compat.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h \ $(top_builddir)/include/openvpn-plugin.h CONFIG_CLEAN_FILES = CONFIG_CLEAN_VPATH_FILES = LTLIBRARIES = $(noinst_LTLIBRARIES) libcompat_la_LIBADD = am_libcompat_la_OBJECTS = compat-dirname.lo compat-basename.lo \ compat-gettimeofday.lo compat-daemon.lo compat-inet_ntop.lo \ compat-inet_pton.lo compat-lz4.lo libcompat_la_OBJECTS = $(am_libcompat_la_OBJECTS) AM_V_lt = $(am__v_lt_@AM_V@) am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) am__v_lt_0 = --silent am__v_lt_1 = AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false am__v_P_1 = : AM_V_GEN = $(am__v_GEN_@AM_V@) am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) am__v_GEN_0 = @echo " GEN " $@; am__v_GEN_1 = AM_V_at = $(am__v_at_@AM_V@) am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) am__v_at_0 = @ am__v_at_1 = DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) -I$(top_builddir)/include depcomp = $(SHELL) $(top_srcdir)/depcomp am__depfiles_maybe = depfiles am__mv = mv -f COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \ $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ $(AM_CFLAGS) $(CFLAGS) AM_V_CC = $(am__v_CC_@AM_V@) am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@) am__v_CC_0 = @echo " CC " $@; am__v_CC_1 = CCLD = $(CC) LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ $(AM_LDFLAGS) $(LDFLAGS) -o $@ AM_V_CCLD = $(am__v_CCLD_@AM_V@) am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) am__v_CCLD_0 = @echo " CCLD " $@; am__v_CCLD_1 = SOURCES = $(libcompat_la_SOURCES) DIST_SOURCES = $(libcompat_la_SOURCES) am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ *) (install-info --version) >/dev/null 2>&1;; \ esac am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) # Read a list of newline-separated strings from the standard input, # and print each of them once, without duplicates. Input order is # *not* preserved. am__uniquify_input = $(AWK) '\ BEGIN { nonempty = 0; } \ { items[$$0] = 1; nonempty = 1; } \ END { if (nonempty) { for (i in items) print i; }; } \ ' # Make sure the list of sources is unique. This is necessary because, # e.g., the same source file might be shared among _SOURCES variables # for different programs/libraries. am__define_uniq_tagged_files = \ list='$(am__tagged_files)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ AS = @AS@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ CMAKE = @CMAKE@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ DL_LIBS = @DL_LIBS@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ GIT = @GIT@ GREP = @GREP@ IFCONFIG = @IFCONFIG@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ IPROUTE = @IPROUTE@ LD = @LD@ LDFLAGS = @LDFLAGS@ LIBOBJS = @LIBOBJS@ LIBPAM_CFLAGS = @LIBPAM_CFLAGS@ LIBPAM_LIBS = @LIBPAM_LIBS@ LIBS = @LIBS@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ LZ4_CFLAGS = @LZ4_CFLAGS@ LZ4_LIBS = @LZ4_LIBS@ LZO_CFLAGS = @LZO_CFLAGS@ LZO_LIBS = @LZO_LIBS@ MAKEINFO = @MAKEINFO@ MAN2HTML = @MAN2HTML@ MANIFEST_TOOL = @MANIFEST_TOOL@ MBEDTLS_CFLAGS = @MBEDTLS_CFLAGS@ MBEDTLS_LIBS = @MBEDTLS_LIBS@ MKDIR_P = @MKDIR_P@ NETSTAT = @NETSTAT@ NM = @NM@ NMEDIT = @NMEDIT@ OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ OPENSSL_CFLAGS = @OPENSSL_CFLAGS@ OPENSSL_LIBS = @OPENSSL_LIBS@ OPENVPN_VERSION_MAJOR = @OPENVPN_VERSION_MAJOR@ OPENVPN_VERSION_MINOR = @OPENVPN_VERSION_MINOR@ OPENVPN_VERSION_PATCH = @OPENVPN_VERSION_PATCH@ OPTIONAL_CRYPTO_CFLAGS = @OPTIONAL_CRYPTO_CFLAGS@ OPTIONAL_CRYPTO_LIBS = @OPTIONAL_CRYPTO_LIBS@ OPTIONAL_DL_LIBS = @OPTIONAL_DL_LIBS@ OPTIONAL_LZ4_CFLAGS = @OPTIONAL_LZ4_CFLAGS@ OPTIONAL_LZ4_LIBS = @OPTIONAL_LZ4_LIBS@ OPTIONAL_LZO_CFLAGS = @OPTIONAL_LZO_CFLAGS@ OPTIONAL_LZO_LIBS = @OPTIONAL_LZO_LIBS@ OPTIONAL_PKCS11_HELPER_CFLAGS = @OPTIONAL_PKCS11_HELPER_CFLAGS@ OPTIONAL_PKCS11_HELPER_LIBS = @OPTIONAL_PKCS11_HELPER_LIBS@ OPTIONAL_SELINUX_LIBS = @OPTIONAL_SELINUX_LIBS@ OPTIONAL_SYSTEMD_LIBS = @OPTIONAL_SYSTEMD_LIBS@ OTOOL = @OTOOL@ OTOOL64 = @OTOOL64@ P11KIT_CFLAGS = @P11KIT_CFLAGS@ P11KIT_LIBS = @P11KIT_LIBS@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PKCS11_HELPER_CFLAGS = @PKCS11_HELPER_CFLAGS@ PKCS11_HELPER_LIBS = @PKCS11_HELPER_LIBS@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGINDIR = @PLUGINDIR@ PLUGIN_AUTH_PAM_CFLAGS = @PLUGIN_AUTH_PAM_CFLAGS@ PLUGIN_AUTH_PAM_LIBS = @PLUGIN_AUTH_PAM_LIBS@ RANLIB = @RANLIB@ RC = @RC@ ROUTE = @ROUTE@ SED = @SED@ SELINUX_LIBS = @SELINUX_LIBS@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ SOCKETS_LIBS = @SOCKETS_LIBS@ STRIP = @STRIP@ SYSTEMD_ASK_PASSWORD = @SYSTEMD_ASK_PASSWORD@ SYSTEMD_UNIT_DIR = @SYSTEMD_UNIT_DIR@ TAP_CFLAGS = @TAP_CFLAGS@ TAP_WIN_COMPONENT_ID = @TAP_WIN_COMPONENT_ID@ TAP_WIN_MIN_MAJOR = @TAP_WIN_MIN_MAJOR@ TAP_WIN_MIN_MINOR = @TAP_WIN_MIN_MINOR@ TEST_CFLAGS = @TEST_CFLAGS@ TEST_LDFLAGS = @TEST_LDFLAGS@ TMPFILES_DIR = @TMPFILES_DIR@ VENDOR_BUILD_ROOT = @VENDOR_BUILD_ROOT@ VENDOR_DIST_ROOT = @VENDOR_DIST_ROOT@ VENDOR_SRC_ROOT = @VENDOR_SRC_ROOT@ VERSION = @VERSION@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ ac_ct_AR = @ac_ct_AR@ ac_ct_CC = @ac_ct_CC@ ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ am__include = @am__include@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ am__tar = @am__tar@ am__untar = @am__untar@ bindir = @bindir@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ datadir = @datadir@ datarootdir = @datarootdir@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ host_os = @host_os@ host_vendor = @host_vendor@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ libdir = @libdir@ libexecdir = @libexecdir@ libsystemd_CFLAGS = @libsystemd_CFLAGS@ libsystemd_LIBS = @libsystemd_LIBS@ localedir = @localedir@ localstatedir = @localstatedir@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ pdfdir = @pdfdir@ plugindir = @plugindir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ sampledir = @sampledir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ systemdunitdir = @systemdunitdir@ target_alias = @target_alias@ tmpfilesdir = @tmpfilesdir@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ MAINTAINERCLEANFILES = \ $(srcdir)/Makefile.in EXTRA_DIST = \ compat.vcxproj \ compat.vcxproj.filters noinst_LTLIBRARIES = libcompat.la libcompat_la_SOURCES = \ compat.h \ compat-dirname.c \ compat-basename.c \ compat-gettimeofday.c \ compat-daemon.c \ compat-inet_ntop.c \ compat-inet_pton.c \ compat-lz4.c compat-lz4.h \ compat-versionhelpers.h all: all-am .SUFFIXES: .SUFFIXES: .c .lo .o .obj $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) @for dep in $?; do \ case '$(am__configure_deps)' in \ *$$dep*) \ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ && { if test -f $@; then exit 0; else break; fi; }; \ exit 1;; \ esac; \ done; \ echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/compat/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --foreign src/compat/Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ *) \ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(top_srcdir)/configure: $(am__configure_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(ACLOCAL_M4): $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(am__aclocal_m4_deps): clean-noinstLTLIBRARIES: -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES) @list='$(noinst_LTLIBRARIES)'; \ locs=`for p in $$list; do echo $$p; done | \ sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \ sort -u`; \ test -z "$$locs" || { \ echo rm -f $${locs}; \ rm -f $${locs}; \ } libcompat.la: $(libcompat_la_OBJECTS) $(libcompat_la_DEPENDENCIES) $(EXTRA_libcompat_la_DEPENDENCIES) $(AM_V_CCLD)$(LINK) $(libcompat_la_OBJECTS) $(libcompat_la_LIBADD) $(LIBS) mostlyclean-compile: -rm -f *.$(OBJEXT) distclean-compile: -rm -f *.tab.c @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/compat-basename.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/compat-daemon.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/compat-dirname.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/compat-gettimeofday.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/compat-inet_ntop.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/compat-inet_pton.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/compat-lz4.Plo@am__quote@ .c.o: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< .c.obj: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` .c.lo: @am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $< mostlyclean-libtool: -rm -f *.lo clean-libtool: -rm -rf .libs _libs ID: $(am__tagged_files) $(am__define_uniq_tagged_files); mkid -fID $$unique tags: tags-am TAGS: tags tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) set x; \ here=`pwd`; \ $(am__define_uniq_tagged_files); \ shift; \ if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ test -n "$$unique" || unique=$$empty_fix; \ if test $$# -gt 0; then \ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ "$$@" $$unique; \ else \ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ $$unique; \ fi; \ fi ctags: ctags-am CTAGS: ctags ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) $(am__define_uniq_tagged_files); \ test -z "$(CTAGS_ARGS)$$unique" \ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ $$unique GTAGS: here=`$(am__cd) $(top_builddir) && pwd` \ && $(am__cd) $(top_srcdir) \ && gtags -i $(GTAGS_ARGS) "$$here" cscopelist: cscopelist-am cscopelist-am: $(am__tagged_files) list='$(am__tagged_files)'; \ case "$(srcdir)" in \ [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \ *) sdir=$(subdir)/$(srcdir) ;; \ esac; \ for i in $$list; do \ if test -f "$$i"; then \ echo "$(subdir)/$$i"; \ else \ echo "$$sdir/$$i"; \ fi; \ done >> $(top_builddir)/cscope.files distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags distdir: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ dist_files=`for file in $$list; do echo $$file; done | \ sed -e "s|^$$srcdirstrip/||;t" \ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ case $$dist_files in \ */*) $(MKDIR_P) `echo "$$dist_files" | \ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ sort -u` ;; \ esac; \ for file in $$dist_files; do \ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ if test -d $$d/$$file; then \ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ if test -d "$(distdir)/$$file"; then \ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ else \ test -f "$(distdir)/$$file" \ || cp -p $$d/$$file "$(distdir)/$$file" \ || exit 1; \ fi; \ done check-am: all-am check: check-am all-am: Makefile $(LTLIBRARIES) installdirs: install: install-am install-exec: install-exec-am install-data: install-data-am uninstall: uninstall-am install-am: all-am @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am installcheck: installcheck-am install-strip: if test -z '$(STRIP)'; then \ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ install; \ else \ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ fi mostlyclean-generic: clean-generic: distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @echo "it deletes files that may require special tools to rebuild." -test -z "$(MAINTAINERCLEANFILES)" || rm -f $(MAINTAINERCLEANFILES) clean: clean-am clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \ mostlyclean-am distclean: distclean-am -rm -rf ./$(DEPDIR) -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags dvi: dvi-am dvi-am: html: html-am html-am: info: info-am info-am: install-data-am: install-dvi: install-dvi-am install-dvi-am: install-exec-am: install-html: install-html-am install-html-am: install-info: install-info-am install-info-am: install-man: install-pdf: install-pdf-am install-pdf-am: install-ps: install-ps-am install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-am -rm -rf ./$(DEPDIR) -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic mostlyclean: mostlyclean-am mostlyclean-am: mostlyclean-compile mostlyclean-generic \ mostlyclean-libtool pdf: pdf-am pdf-am: ps: ps-am ps-am: uninstall-am: .MAKE: install-am install-strip .PHONY: CTAGS GTAGS TAGS all all-am check check-am clean clean-generic \ clean-libtool clean-noinstLTLIBRARIES cscopelist-am ctags \ ctags-am distclean distclean-compile distclean-generic \ distclean-libtool distclean-tags distdir dvi dvi-am html \ html-am info info-am install install-am install-data \ install-data-am install-dvi install-dvi-am install-exec \ install-exec-am install-html install-html-am install-info \ install-info-am install-man install-pdf install-pdf-am \ install-ps install-ps-am install-strip installcheck \ installcheck-am installdirs maintainer-clean \ maintainer-clean-generic mostlyclean mostlyclean-compile \ mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ tags tags-am uninstall uninstall-am # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: openvpn-2.4.4/src/compat/compat-basename.c000066400000000000000000000031051316434344000204610ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2011 - David Sommerseth * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) #include "config-msvc.h" #endif #ifndef HAVE_BASENAME #include "compat.h" #include /* Modified version based on glibc-2.14.1 by Roland McGrath * This version is extended to handle both / and \ in path names */ char * basename(char *filename) { char *p = strrchr(filename, '/'); if (!p) { /* If NULL, check for \ instead ... might be Windows a path */ p = strrchr(filename, '\\'); } return p ? p + 1 : (char *) filename; } #endif /* HAVE_BASENAME */ openvpn-2.4.4/src/compat/compat-daemon.c000066400000000000000000000044611316434344000201570ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2011 - David Sommerseth * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) #include "config-msvc.h" #endif #ifndef HAVE_DAEMON #ifdef HAVE_UNISTD_H #include #endif #ifdef HAVE_STDLIB_H #include #endif #ifdef HAVE_SYS_TYPES_H #include #endif #ifdef HAVE_SYS_STAT_H #include #endif #ifdef HAVE_FCNTL_H #include #endif #ifdef HAVE_ERRNO_H #include #endif int daemon(int nochdir, int noclose) { #if defined(HAVE_FORK) && defined(HAVE_SETSID) switch (fork()) { case -1: return (-1); case 0: break; default: exit(0); } if (setsid() == -1) { return (-1); } if (!nochdir) { chdir("/"); } if (!noclose) { #if defined(HAVE_DUP) && defined(HAVE_DUP2) int fd; if ((fd = open("/dev/null", O_RDWR, 0)) != -1) { dup2(fd, 0); dup2(fd, 1); dup2(fd, 2); if (fd > 2) { close(fd); } } #endif } return 0; #else /* if defined(HAVE_FORK) && defined(HAVE_SETSID) */ (void)nochdir; (void)noclose; errno = EFAULT; return -1; #endif /* if defined(HAVE_FORK) && defined(HAVE_SETSID) */ } #endif /* ifndef HAVE_DAEMON */ openvpn-2.4.4/src/compat/compat-dirname.c000066400000000000000000000077311316434344000203360ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2011 - David Sommerseth * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) #include "config-msvc.h" #endif #ifndef HAVE_DIRNAME #include "compat.h" #include /* Unoptimised version of glibc memrchr(). * This is considered fast enough, as only this compat * version of dirname() depends on it. */ static const char * __memrchr(const char *str, int c, size_t n) { const char *end = str; end += n - 1; /* Go to the end of the string */ while (end >= str) { if (c == *end) { return end; } else { end--; } } return NULL; } /* Modified version based on glibc-2.14.1 by Ulrich Drepper * This version is extended to handle both / and \ in path names. */ char * dirname(char *path) { static const char dot[] = "."; char *last_slash; char separator = '/'; /* Find last '/'. */ last_slash = path != NULL ? strrchr(path, '/') : NULL; /* If NULL, check for \ instead ... might be Windows a path */ if (!last_slash) { last_slash = path != NULL ? strrchr(path, '\\') : NULL; separator = last_slash ? '\\' : '/'; /* Change the separator if \ was found */ } if (last_slash != NULL && last_slash != path && last_slash[1] == '\0') { /* Determine whether all remaining characters are slashes. */ char *runp; for (runp = last_slash; runp != path; --runp) { if (runp[-1] != separator) { break; } } /* The '/' is the last character, we have to look further. */ if (runp != path) { last_slash = (char *) __memrchr(path, separator, runp - path); } } if (last_slash != NULL) { /* Determine whether all remaining characters are slashes. */ char *runp; for (runp = last_slash; runp != path; --runp) { if (runp[-1] != separator) { break; } } /* Terminate the path. */ if (runp == path) { /* The last slash is the first character in the string. We have to * return "/". As a special case we have to return "//" if there * are exactly two slashes at the beginning of the string. See * XBD 4.10 Path Name Resolution for more information. */ if (last_slash == path + 1) { ++last_slash; } else { last_slash = path + 1; } } else { last_slash = runp; } last_slash[0] = '\0'; } else { /* This assignment is ill-designed but the XPG specs require to * return a string containing "." in any case no directory part is * found and so a static and constant string is required. */ path = (char *) dot; } return path; } #endif /* HAVE_DIRNAME */ openvpn-2.4.4/src/compat/compat-gettimeofday.c000066400000000000000000000062121316434344000213710ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) #include "config-msvc.h" #endif #ifndef HAVE_GETTIMEOFDAY #include "compat.h" #ifdef _WIN32 /* * NOTICE: mingw has much faster gettimeofday! * autoconf will set HAVE_GETTIMEOFDAY */ #include #include static time_t gtc_base = 0; static DWORD gtc_last = 0; static time_t last_sec = 0; static unsigned int last_msec = 0; static int bt_last = 0; static void gettimeofday_calibrate(void) { const time_t t = time(NULL); const DWORD gtc = GetTickCount(); gtc_base = t - gtc/1000; gtc_last = gtc; } /* * Rewritten by JY for OpenVPN 2.1, after I realized that * QueryPerformanceCounter takes nearly 2 orders of magnitude * more processor cycles than GetTickCount. */ int gettimeofday(struct timeval *tv, void *tz) { const DWORD gtc = GetTickCount(); int bt = 0; time_t sec; unsigned int msec; const int backtrack_hold_seconds = 10; (void)tz; /* recalibrate at the dreaded 49.7 day mark */ if (!gtc_base || gtc < gtc_last) { gettimeofday_calibrate(); } gtc_last = gtc; sec = gtc_base + gtc / 1000; msec = gtc % 1000; if (sec == last_sec) { if (msec < last_msec) { msec = last_msec; bt = 1; } } else if (sec < last_sec) { /* We try to dampen out backtracks of less than backtrack_hold_seconds. * Larger backtracks will be passed through and dealt with by the * TIME_BACKTRACK_PROTECTION code (if enabled) */ if (sec > last_sec - backtrack_hold_seconds) { sec = last_sec; msec = last_msec; } bt = 1; } tv->tv_sec = (long)last_sec = (long)sec; tv->tv_usec = (last_msec = msec) * 1000; if (bt && !bt_last) { gettimeofday_calibrate(); } bt_last = bt; return 0; } #else /* ifdef _WIN32 */ #ifdef HAVE_TIME_H #include #endif int gettimeofday(struct timeval *tv, void *tz) { (void)tz; tv->tv_sec = time(NULL); tv->tv_usec = 0; return 0; } #endif /* _WIN32 */ #endif /* HAVE_GETTIMEOFDAY */ openvpn-2.4.4/src/compat/compat-inet_ntop.c000066400000000000000000000042401316434344000207060ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2011 - David Sommerseth * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) #include "config-msvc.h" #endif #ifndef HAVE_INET_NTOP #include "compat.h" #ifdef _WIN32 #include /* * inet_ntop() and inet_pton() wrap-implementations using * WSAAddressToString() and WSAStringToAddress() functions * * this is needed as long as we support running OpenVPN on WinXP */ const char * inet_ntop(int af, const void *src, char *dst, socklen_t size) { struct sockaddr_storage ss; unsigned long s = size; ZeroMemory(&ss, sizeof(ss)); ss.ss_family = af; switch (af) { case AF_INET: ((struct sockaddr_in *)&ss)->sin_addr = *(struct in_addr *)src; break; case AF_INET6: ((struct sockaddr_in6 *)&ss)->sin6_addr = *(struct in6_addr *)src; break; default: return NULL; } /* cannot direclty use &size because of strict aliasing rules */ return (WSAAddressToString((struct sockaddr *)&ss, sizeof(ss), NULL, dst, &s) == 0) ? dst : NULL; } #else /* ifdef _WIN32 */ #error no emulation for inet_ntop #endif /* ifdef _WIN32 */ #endif /* ifndef HAVE_INET_NTOP */ openvpn-2.4.4/src/compat/compat-inet_pton.c000066400000000000000000000043251316434344000207120ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2011 - David Sommerseth * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) #include "config-msvc.h" #endif #ifndef HAVE_INET_PTON #include "compat.h" #ifdef _WIN32 #include #include /* * inet_ntop() and inet_pton() wrap-implementations using * WSAAddressToString() and WSAStringToAddress() functions * * this is needed as long as we support running OpenVPN on WinXP */ int inet_pton(int af, const char *src, void *dst) { struct sockaddr_storage ss; int size = sizeof(ss); char src_copy[INET6_ADDRSTRLEN+1]; ZeroMemory(&ss, sizeof(ss)); /* stupid non-const API */ strncpy(src_copy, src, INET6_ADDRSTRLEN+1); src_copy[INET6_ADDRSTRLEN] = 0; if (WSAStringToAddress(src_copy, af, NULL, (struct sockaddr *)&ss, &size) == 0) { switch (af) { case AF_INET: *(struct in_addr *)dst = ((struct sockaddr_in *)&ss)->sin_addr; return 1; case AF_INET6: *(struct in6_addr *)dst = ((struct sockaddr_in6 *)&ss)->sin6_addr; return 1; } } return 0; } #else /* ifdef _WIN32 */ #error no emulation for inet_ntop #endif /* ifdef _WIN32 */ #endif /* ifndef HAVE_INET_PTON */ openvpn-2.4.4/src/compat/compat-lz4.c000066400000000000000000001533671316434344000174370ustar00rootroot00000000000000/* LZ4 - Fast LZ compression algorithm Copyright (C) 2011-2015, Yann Collet. BSD 2-Clause License (http://www.opensource.org/licenses/bsd-license.php) Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. You can contact the author at : - LZ4 source repository : https://github.com/Cyan4973/lz4 - LZ4 public forum : https://groups.google.com/forum/#!forum/lz4c */ #ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) #include "config-msvc.h" #endif #ifdef NEED_COMPAT_LZ4 /************************************** * Tuning parameters **************************************/ /* * HEAPMODE : * Select how default compression functions will allocate memory for their hash table, * in memory stack (0:default, fastest), or in memory heap (1:requires malloc()). */ #define HEAPMODE 0 /* * ACCELERATION_DEFAULT : * Select "acceleration" for LZ4_compress_fast() when parameter value <= 0 */ #define ACCELERATION_DEFAULT 1 /************************************** * CPU Feature Detection **************************************/ /* * LZ4_FORCE_SW_BITCOUNT * Define this parameter if your target system or compiler does not support hardware bit count */ #if defined(_MSC_VER) && defined(_WIN32_WCE) /* Visual Studio for Windows CE does not support Hardware bit count */ # define LZ4_FORCE_SW_BITCOUNT #endif /************************************** * Includes **************************************/ #include "compat-lz4.h" /************************************** * Compiler Options **************************************/ #ifdef _MSC_VER /* Visual Studio */ # define FORCE_INLINE static __forceinline # include # pragma warning(disable : 4127) /* disable: C4127: conditional expression is constant */ # pragma warning(disable : 4293) /* disable: C4293: too large shift (32-bits) */ #else # if defined(__STDC_VERSION__) && (__STDC_VERSION__ >= 199901L) /* C99 */ # if defined(__GNUC__) || defined(__clang__) # define FORCE_INLINE static inline __attribute__((always_inline)) # else # define FORCE_INLINE static inline # endif # else # define FORCE_INLINE static # endif /* __STDC_VERSION__ */ #endif /* _MSC_VER */ /* LZ4_GCC_VERSION is defined into lz4.h */ #if (LZ4_GCC_VERSION >= 302) || (__INTEL_COMPILER >= 800) || defined(__clang__) # define expect(expr,value) (__builtin_expect ((expr),(value)) ) #else # define expect(expr,value) (expr) #endif #define likely(expr) expect((expr) != 0, 1) #define unlikely(expr) expect((expr) != 0, 0) /************************************** * Memory routines **************************************/ #include /* malloc, calloc, free */ #define ALLOCATOR(n,s) calloc(n,s) #define FREEMEM free #include /* memset, memcpy */ #define MEM_INIT memset /************************************** * Basic Types **************************************/ #if defined (__STDC_VERSION__) && (__STDC_VERSION__ >= 199901L) /* C99 */ # include typedef uint8_t BYTE; typedef uint16_t U16; typedef uint32_t U32; typedef int32_t S32; typedef uint64_t U64; #else typedef unsigned char BYTE; typedef unsigned short U16; typedef unsigned int U32; typedef signed int S32; typedef unsigned long long U64; #endif /************************************** * Reading and writing into memory **************************************/ #define STEPSIZE sizeof(size_t) static unsigned LZ4_64bits(void) { return sizeof(void*)==8; } static unsigned LZ4_isLittleEndian(void) { const union { U32 i; BYTE c[4]; } one = { 1 }; /* don't use static : performance detrimental */ return one.c[0]; } static U16 LZ4_read16(const void* memPtr) { U16 val16; memcpy(&val16, memPtr, 2); return val16; } static U16 LZ4_readLE16(const void* memPtr) { if (LZ4_isLittleEndian()) { return LZ4_read16(memPtr); } else { const BYTE* p = (const BYTE*)memPtr; return (U16)((U16)p[0] + (p[1]<<8)); } } static void LZ4_writeLE16(void* memPtr, U16 value) { if (LZ4_isLittleEndian()) { memcpy(memPtr, &value, 2); } else { BYTE* p = (BYTE*)memPtr; p[0] = (BYTE) value; p[1] = (BYTE)(value>>8); } } static U32 LZ4_read32(const void* memPtr) { U32 val32; memcpy(&val32, memPtr, 4); return val32; } static U64 LZ4_read64(const void* memPtr) { U64 val64; memcpy(&val64, memPtr, 8); return val64; } static size_t LZ4_read_ARCH(const void* p) { if (LZ4_64bits()) return (size_t)LZ4_read64(p); else return (size_t)LZ4_read32(p); } static void LZ4_copy4(void* dstPtr, const void* srcPtr) { memcpy(dstPtr, srcPtr, 4); } static void LZ4_copy8(void* dstPtr, const void* srcPtr) { memcpy(dstPtr, srcPtr, 8); } /* customized version of memcpy, which may overwrite up to 7 bytes beyond dstEnd */ static void LZ4_wildCopy(void* dstPtr, const void* srcPtr, void* dstEnd) { BYTE* d = (BYTE*)dstPtr; const BYTE* s = (const BYTE*)srcPtr; BYTE* e = (BYTE*)dstEnd; do { LZ4_copy8(d,s); d+=8; s+=8; } while (d>3); # elif (defined(__clang__) || (LZ4_GCC_VERSION >= 304)) && !defined(LZ4_FORCE_SW_BITCOUNT) return (__builtin_ctzll((U64)val) >> 3); # else static const int DeBruijnBytePos[64] = { 0, 0, 0, 0, 0, 1, 1, 2, 0, 3, 1, 3, 1, 4, 2, 7, 0, 2, 3, 6, 1, 5, 3, 5, 1, 3, 4, 4, 2, 5, 6, 7, 7, 0, 1, 2, 3, 3, 4, 6, 2, 6, 5, 5, 3, 4, 5, 6, 7, 1, 2, 4, 6, 4, 4, 5, 7, 2, 6, 5, 7, 6, 7, 7 }; return DeBruijnBytePos[((U64)((val & -(long long)val) * 0x0218A392CDABBD3FULL)) >> 58]; # endif } else /* 32 bits */ { # if defined(_MSC_VER) && !defined(LZ4_FORCE_SW_BITCOUNT) unsigned long r; _BitScanForward( &r, (U32)val ); return (int)(r>>3); # elif (defined(__clang__) || (LZ4_GCC_VERSION >= 304)) && !defined(LZ4_FORCE_SW_BITCOUNT) return (__builtin_ctz((U32)val) >> 3); # else static const int DeBruijnBytePos[32] = { 0, 0, 3, 0, 3, 1, 3, 0, 3, 2, 2, 1, 3, 2, 0, 1, 3, 3, 1, 2, 2, 2, 2, 0, 3, 1, 2, 0, 1, 0, 1, 1 }; return DeBruijnBytePos[((U32)((val & -(S32)val) * 0x077CB531U)) >> 27]; # endif } } else /* Big Endian CPU */ { if (LZ4_64bits()) { # if defined(_MSC_VER) && defined(_WIN64) && !defined(LZ4_FORCE_SW_BITCOUNT) unsigned long r = 0; _BitScanReverse64( &r, val ); return (unsigned)(r>>3); # elif (defined(__clang__) || (LZ4_GCC_VERSION >= 304)) && !defined(LZ4_FORCE_SW_BITCOUNT) return (__builtin_clzll((U64)val) >> 3); # else unsigned r; if (!(val>>32)) { r=4; } else { r=0; val>>=32; } if (!(val>>16)) { r+=2; val>>=8; } else { val>>=24; } r += (!val); return r; # endif } else /* 32 bits */ { # if defined(_MSC_VER) && !defined(LZ4_FORCE_SW_BITCOUNT) unsigned long r = 0; _BitScanReverse( &r, (unsigned long)val ); return (unsigned)(r>>3); # elif (defined(__clang__) || (LZ4_GCC_VERSION >= 304)) && !defined(LZ4_FORCE_SW_BITCOUNT) return (__builtin_clz((U32)val) >> 3); # else unsigned r; if (!(val>>16)) { r=2; val>>=8; } else { r=0; val>>=24; } r += (!val); return r; # endif } } } static unsigned LZ4_count(const BYTE* pIn, const BYTE* pMatch, const BYTE* pInLimit) { const BYTE* const pStart = pIn; while (likely(pIn compression run slower on incompressible data */ /************************************** * Local Structures and types **************************************/ typedef struct { U32 hashTable[HASH_SIZE_U32]; U32 currentOffset; U32 initCheck; const BYTE* dictionary; BYTE* bufferStart; /* obsolete, used for slideInputBuffer */ U32 dictSize; } LZ4_stream_t_internal; typedef enum { notLimited = 0, limitedOutput = 1 } limitedOutput_directive; typedef enum { byPtr, byU32, byU16 } tableType_t; typedef enum { noDict = 0, withPrefix64k, usingExtDict } dict_directive; typedef enum { noDictIssue = 0, dictSmall } dictIssue_directive; typedef enum { endOnOutputSize = 0, endOnInputSize = 1 } endCondition_directive; typedef enum { full = 0, partial = 1 } earlyEnd_directive; /************************************** * Local Utils **************************************/ int LZ4_versionNumber (void) { return LZ4_VERSION_NUMBER; } int LZ4_compressBound(int isize) { return LZ4_COMPRESSBOUND(isize); } int LZ4_sizeofState() { return LZ4_STREAMSIZE; } /******************************** * Compression functions ********************************/ static U32 LZ4_hashSequence(U32 sequence, tableType_t const tableType) { if (tableType == byU16) return (((sequence) * 2654435761U) >> ((MINMATCH*8)-(LZ4_HASHLOG+1))); else return (((sequence) * 2654435761U) >> ((MINMATCH*8)-LZ4_HASHLOG)); } static const U64 prime5bytes = 889523592379ULL; static U32 LZ4_hashSequence64(size_t sequence, tableType_t const tableType) { const U32 hashLog = (tableType == byU16) ? LZ4_HASHLOG+1 : LZ4_HASHLOG; const U32 hashMask = (1<> (40 - hashLog)) & hashMask; } static U32 LZ4_hashSequenceT(size_t sequence, tableType_t const tableType) { if (LZ4_64bits()) return LZ4_hashSequence64(sequence, tableType); return LZ4_hashSequence((U32)sequence, tableType); } static U32 LZ4_hashPosition(const void* p, tableType_t tableType) { return LZ4_hashSequenceT(LZ4_read_ARCH(p), tableType); } static void LZ4_putPositionOnHash(const BYTE* p, U32 h, void* tableBase, tableType_t const tableType, const BYTE* srcBase) { switch (tableType) { case byPtr: { const BYTE** hashTable = (const BYTE**)tableBase; hashTable[h] = p; return; } case byU32: { U32* hashTable = (U32*) tableBase; hashTable[h] = (U32)(p-srcBase); return; } case byU16: { U16* hashTable = (U16*) tableBase; hashTable[h] = (U16)(p-srcBase); return; } } } static void LZ4_putPosition(const BYTE* p, void* tableBase, tableType_t tableType, const BYTE* srcBase) { U32 h = LZ4_hashPosition(p, tableType); LZ4_putPositionOnHash(p, h, tableBase, tableType, srcBase); } static const BYTE* LZ4_getPositionOnHash(U32 h, void* tableBase, tableType_t tableType, const BYTE* srcBase) { if (tableType == byPtr) { const BYTE** hashTable = (const BYTE**) tableBase; return hashTable[h]; } if (tableType == byU32) { U32* hashTable = (U32*) tableBase; return hashTable[h] + srcBase; } { U16* hashTable = (U16*) tableBase; return hashTable[h] + srcBase; } /* default, to ensure a return */ } static const BYTE* LZ4_getPosition(const BYTE* p, void* tableBase, tableType_t tableType, const BYTE* srcBase) { U32 h = LZ4_hashPosition(p, tableType); return LZ4_getPositionOnHash(h, tableBase, tableType, srcBase); } FORCE_INLINE int LZ4_compress_generic( void* const ctx, const char* const source, char* const dest, const int inputSize, const int maxOutputSize, const limitedOutput_directive outputLimited, const tableType_t tableType, const dict_directive dict, const dictIssue_directive dictIssue, const U32 acceleration) { LZ4_stream_t_internal* const dictPtr = (LZ4_stream_t_internal*)ctx; const BYTE* ip = (const BYTE*) source; const BYTE* base; const BYTE* lowLimit; const BYTE* const lowRefLimit = ip - dictPtr->dictSize; const BYTE* const dictionary = dictPtr->dictionary; const BYTE* const dictEnd = dictionary + dictPtr->dictSize; const size_t dictDelta = dictEnd - (const BYTE*)source; const BYTE* anchor = (const BYTE*) source; const BYTE* const iend = ip + inputSize; const BYTE* const mflimit = iend - MFLIMIT; const BYTE* const matchlimit = iend - LASTLITERALS; BYTE* op = (BYTE*) dest; BYTE* const olimit = op + maxOutputSize; U32 forwardH; size_t refDelta=0; /* Init conditions */ if ((U32)inputSize > (U32)LZ4_MAX_INPUT_SIZE) return 0; /* Unsupported input size, too large (or negative) */ switch(dict) { case noDict: default: base = (const BYTE*)source; lowLimit = (const BYTE*)source; break; case withPrefix64k: base = (const BYTE*)source - dictPtr->currentOffset; lowLimit = (const BYTE*)source - dictPtr->dictSize; break; case usingExtDict: base = (const BYTE*)source - dictPtr->currentOffset; lowLimit = (const BYTE*)source; break; } if ((tableType == byU16) && (inputSize>=LZ4_64Klimit)) return 0; /* Size too large (not within 64K limit) */ if (inputSize> LZ4_skipTrigger); if (unlikely(forwardIp > mflimit)) goto _last_literals; match = LZ4_getPositionOnHash(h, ctx, tableType, base); if (dict==usingExtDict) { if (match<(const BYTE*)source) { refDelta = dictDelta; lowLimit = dictionary; } else { refDelta = 0; lowLimit = (const BYTE*)source; } } forwardH = LZ4_hashPosition(forwardIp, tableType); LZ4_putPositionOnHash(ip, h, ctx, tableType, base); } while ( ((dictIssue==dictSmall) ? (match < lowRefLimit) : 0) || ((tableType==byU16) ? 0 : (match + MAX_DISTANCE < ip)) || (LZ4_read32(match+refDelta) != LZ4_read32(ip)) ); } /* Catch up */ while ((ip>anchor) && (match+refDelta > lowLimit) && (unlikely(ip[-1]==match[refDelta-1]))) { ip--; match--; } { /* Encode Literal length */ unsigned litLength = (unsigned)(ip - anchor); token = op++; if ((outputLimited) && (unlikely(op + litLength + (2 + 1 + LASTLITERALS) + (litLength/255) > olimit))) return 0; /* Check output limit */ if (litLength>=RUN_MASK) { int len = (int)litLength-RUN_MASK; *token=(RUN_MASK<= 255 ; len-=255) *op++ = 255; *op++ = (BYTE)len; } else *token = (BYTE)(litLength< matchlimit) limit = matchlimit; matchLength = LZ4_count(ip+MINMATCH, match+MINMATCH, limit); ip += MINMATCH + matchLength; if (ip==limit) { unsigned more = LZ4_count(ip, (const BYTE*)source, matchlimit); matchLength += more; ip += more; } } else { matchLength = LZ4_count(ip+MINMATCH, match+MINMATCH, matchlimit); ip += MINMATCH + matchLength; } if ((outputLimited) && (unlikely(op + (1 + LASTLITERALS) + (matchLength>>8) > olimit))) return 0; /* Check output limit */ if (matchLength>=ML_MASK) { *token += ML_MASK; matchLength -= ML_MASK; for (; matchLength >= 510 ; matchLength-=510) { *op++ = 255; *op++ = 255; } if (matchLength >= 255) { matchLength-=255; *op++ = 255; } *op++ = (BYTE)matchLength; } else *token += (BYTE)(matchLength); } anchor = ip; /* Test end of chunk */ if (ip > mflimit) break; /* Fill table */ LZ4_putPosition(ip-2, ctx, tableType, base); /* Test next position */ match = LZ4_getPosition(ip, ctx, tableType, base); if (dict==usingExtDict) { if (match<(const BYTE*)source) { refDelta = dictDelta; lowLimit = dictionary; } else { refDelta = 0; lowLimit = (const BYTE*)source; } } LZ4_putPosition(ip, ctx, tableType, base); if ( ((dictIssue==dictSmall) ? (match>=lowRefLimit) : 1) && (match+MAX_DISTANCE>=ip) && (LZ4_read32(match+refDelta)==LZ4_read32(ip)) ) { token=op++; *token=0; goto _next_match; } /* Prepare next loop */ forwardH = LZ4_hashPosition(++ip, tableType); } _last_literals: /* Encode Last Literals */ { const size_t lastRun = (size_t)(iend - anchor); if ((outputLimited) && ((op - (BYTE*)dest) + lastRun + 1 + ((lastRun+255-RUN_MASK)/255) > (U32)maxOutputSize)) return 0; /* Check output limit */ if (lastRun >= RUN_MASK) { size_t accumulator = lastRun - RUN_MASK; *op++ = RUN_MASK << ML_BITS; for(; accumulator >= 255 ; accumulator-=255) *op++ = 255; *op++ = (BYTE) accumulator; } else { *op++ = (BYTE)(lastRun<= LZ4_compressBound(inputSize)) { if (inputSize < LZ4_64Klimit) return LZ4_compress_generic(state, source, dest, inputSize, 0, notLimited, byU16, noDict, noDictIssue, acceleration); else return LZ4_compress_generic(state, source, dest, inputSize, 0, notLimited, LZ4_64bits() ? byU32 : byPtr, noDict, noDictIssue, acceleration); } else { if (inputSize < LZ4_64Klimit) return LZ4_compress_generic(state, source, dest, inputSize, maxOutputSize, limitedOutput, byU16, noDict, noDictIssue, acceleration); else return LZ4_compress_generic(state, source, dest, inputSize, maxOutputSize, limitedOutput, LZ4_64bits() ? byU32 : byPtr, noDict, noDictIssue, acceleration); } } int LZ4_compress_fast(const char* source, char* dest, int inputSize, int maxOutputSize, int acceleration) { #if (HEAPMODE) void* ctxPtr = ALLOCATOR(1, sizeof(LZ4_stream_t)); /* malloc-calloc always properly aligned */ #else LZ4_stream_t ctx; void* ctxPtr = &ctx; #endif int result = LZ4_compress_fast_extState(ctxPtr, source, dest, inputSize, maxOutputSize, acceleration); #if (HEAPMODE) FREEMEM(ctxPtr); #endif return result; } int LZ4_compress_default(const char* source, char* dest, int inputSize, int maxOutputSize) { return LZ4_compress_fast(source, dest, inputSize, maxOutputSize, 1); } /* hidden debug function */ /* strangely enough, gcc generates faster code when this function is uncommented, even if unused */ int LZ4_compress_fast_force(const char* source, char* dest, int inputSize, int maxOutputSize, int acceleration) { LZ4_stream_t ctx; LZ4_resetStream(&ctx); if (inputSize < LZ4_64Klimit) return LZ4_compress_generic(&ctx, source, dest, inputSize, maxOutputSize, limitedOutput, byU16, noDict, noDictIssue, acceleration); else return LZ4_compress_generic(&ctx, source, dest, inputSize, maxOutputSize, limitedOutput, LZ4_64bits() ? byU32 : byPtr, noDict, noDictIssue, acceleration); } /******************************** * destSize variant ********************************/ static int LZ4_compress_destSize_generic( void* const ctx, const char* const src, char* const dst, int* const srcSizePtr, const int targetDstSize, const tableType_t tableType) { const BYTE* ip = (const BYTE*) src; const BYTE* base = (const BYTE*) src; const BYTE* lowLimit = (const BYTE*) src; const BYTE* anchor = ip; const BYTE* const iend = ip + *srcSizePtr; const BYTE* const mflimit = iend - MFLIMIT; const BYTE* const matchlimit = iend - LASTLITERALS; BYTE* op = (BYTE*) dst; BYTE* const oend = op + targetDstSize; BYTE* const oMaxLit = op + targetDstSize - 2 /* offset */ - 8 /* because 8+MINMATCH==MFLIMIT */ - 1 /* token */; BYTE* const oMaxMatch = op + targetDstSize - (LASTLITERALS + 1 /* token */); BYTE* const oMaxSeq = oMaxLit - 1 /* token */; U32 forwardH; /* Init conditions */ if (targetDstSize < 1) return 0; /* Impossible to store anything */ if ((U32)*srcSizePtr > (U32)LZ4_MAX_INPUT_SIZE) return 0; /* Unsupported input size, too large (or negative) */ if ((tableType == byU16) && (*srcSizePtr>=LZ4_64Klimit)) return 0; /* Size too large (not within 64K limit) */ if (*srcSizePtr> LZ4_skipTrigger); if (unlikely(forwardIp > mflimit)) goto _last_literals; match = LZ4_getPositionOnHash(h, ctx, tableType, base); forwardH = LZ4_hashPosition(forwardIp, tableType); LZ4_putPositionOnHash(ip, h, ctx, tableType, base); } while ( ((tableType==byU16) ? 0 : (match + MAX_DISTANCE < ip)) || (LZ4_read32(match) != LZ4_read32(ip)) ); } /* Catch up */ while ((ip>anchor) && (match > lowLimit) && (unlikely(ip[-1]==match[-1]))) { ip--; match--; } { /* Encode Literal length */ unsigned litLength = (unsigned)(ip - anchor); token = op++; if (op + ((litLength+240)/255) + litLength > oMaxLit) { /* Not enough space for a last match */ op--; goto _last_literals; } if (litLength>=RUN_MASK) { unsigned len = litLength - RUN_MASK; *token=(RUN_MASK<= 255 ; len-=255) *op++ = 255; *op++ = (BYTE)len; } else *token = (BYTE)(litLength< oMaxMatch) { /* Match description too long : reduce it */ matchLength = (15-1) + (oMaxMatch-op) * 255; } //printf("offset %5i, matchLength%5i \n", (int)(ip-match), matchLength + MINMATCH); ip += MINMATCH + matchLength; if (matchLength>=ML_MASK) { *token += ML_MASK; matchLength -= ML_MASK; while (matchLength >= 255) { matchLength-=255; *op++ = 255; } *op++ = (BYTE)matchLength; } else *token += (BYTE)(matchLength); } anchor = ip; /* Test end of block */ if (ip > mflimit) break; if (op > oMaxSeq) break; /* Fill table */ LZ4_putPosition(ip-2, ctx, tableType, base); /* Test next position */ match = LZ4_getPosition(ip, ctx, tableType, base); LZ4_putPosition(ip, ctx, tableType, base); if ( (match+MAX_DISTANCE>=ip) && (LZ4_read32(match)==LZ4_read32(ip)) ) { token=op++; *token=0; goto _next_match; } /* Prepare next loop */ forwardH = LZ4_hashPosition(++ip, tableType); } _last_literals: /* Encode Last Literals */ { size_t lastRunSize = (size_t)(iend - anchor); if (op + 1 /* token */ + ((lastRunSize+240)/255) /* litLength */ + lastRunSize /* literals */ > oend) { /* adapt lastRunSize to fill 'dst' */ lastRunSize = (oend-op) - 1; lastRunSize -= (lastRunSize+240)/255; } ip = anchor + lastRunSize; if (lastRunSize >= RUN_MASK) { size_t accumulator = lastRunSize - RUN_MASK; *op++ = RUN_MASK << ML_BITS; for(; accumulator >= 255 ; accumulator-=255) *op++ = 255; *op++ = (BYTE) accumulator; } else { *op++ = (BYTE)(lastRunSize<= LZ4_compressBound(*srcSizePtr)) /* compression success is guaranteed */ { return LZ4_compress_fast_extState(state, src, dst, *srcSizePtr, targetDstSize, 1); } else { if (*srcSizePtr < LZ4_64Klimit) return LZ4_compress_destSize_generic(state, src, dst, srcSizePtr, targetDstSize, byU16); else return LZ4_compress_destSize_generic(state, src, dst, srcSizePtr, targetDstSize, LZ4_64bits() ? byU32 : byPtr); } } int LZ4_compress_destSize(const char* src, char* dst, int* srcSizePtr, int targetDstSize) { #if (HEAPMODE) void* ctx = ALLOCATOR(1, sizeof(LZ4_stream_t)); /* malloc-calloc always properly aligned */ #else LZ4_stream_t ctxBody; void* ctx = &ctxBody; #endif int result = LZ4_compress_destSize_extState(ctx, src, dst, srcSizePtr, targetDstSize); #if (HEAPMODE) FREEMEM(ctx); #endif return result; } /******************************** * Streaming functions ********************************/ LZ4_stream_t* LZ4_createStream(void) { LZ4_stream_t* lz4s = (LZ4_stream_t*)ALLOCATOR(8, LZ4_STREAMSIZE_U64); LZ4_STATIC_ASSERT(LZ4_STREAMSIZE >= sizeof(LZ4_stream_t_internal)); /* A compilation error here means LZ4_STREAMSIZE is not large enough */ LZ4_resetStream(lz4s); return lz4s; } void LZ4_resetStream (LZ4_stream_t* LZ4_stream) { MEM_INIT(LZ4_stream, 0, sizeof(LZ4_stream_t)); } int LZ4_freeStream (LZ4_stream_t* LZ4_stream) { FREEMEM(LZ4_stream); return (0); } #define HASH_UNIT sizeof(size_t) int LZ4_loadDict (LZ4_stream_t* LZ4_dict, const char* dictionary, int dictSize) { LZ4_stream_t_internal* dict = (LZ4_stream_t_internal*) LZ4_dict; const BYTE* p = (const BYTE*)dictionary; const BYTE* const dictEnd = p + dictSize; const BYTE* base; if ((dict->initCheck) || (dict->currentOffset > 1 GB)) /* Uninitialized structure, or reuse overflow */ LZ4_resetStream(LZ4_dict); if (dictSize < (int)HASH_UNIT) { dict->dictionary = NULL; dict->dictSize = 0; return 0; } if ((dictEnd - p) > 64 KB) p = dictEnd - 64 KB; dict->currentOffset += 64 KB; base = p - dict->currentOffset; dict->dictionary = p; dict->dictSize = (U32)(dictEnd - p); dict->currentOffset += dict->dictSize; while (p <= dictEnd-HASH_UNIT) { LZ4_putPosition(p, dict->hashTable, byU32, base); p+=3; } return dict->dictSize; } static void LZ4_renormDictT(LZ4_stream_t_internal* LZ4_dict, const BYTE* src) { if ((LZ4_dict->currentOffset > 0x80000000) || ((size_t)LZ4_dict->currentOffset > (size_t)src)) /* address space overflow */ { /* rescale hash table */ U32 delta = LZ4_dict->currentOffset - 64 KB; const BYTE* dictEnd = LZ4_dict->dictionary + LZ4_dict->dictSize; int i; for (i=0; ihashTable[i] < delta) LZ4_dict->hashTable[i]=0; else LZ4_dict->hashTable[i] -= delta; } LZ4_dict->currentOffset = 64 KB; if (LZ4_dict->dictSize > 64 KB) LZ4_dict->dictSize = 64 KB; LZ4_dict->dictionary = dictEnd - LZ4_dict->dictSize; } } int LZ4_compress_fast_continue (LZ4_stream_t* LZ4_stream, const char* source, char* dest, int inputSize, int maxOutputSize, int acceleration) { LZ4_stream_t_internal* streamPtr = (LZ4_stream_t_internal*)LZ4_stream; const BYTE* const dictEnd = streamPtr->dictionary + streamPtr->dictSize; const BYTE* smallest = (const BYTE*) source; if (streamPtr->initCheck) return 0; /* Uninitialized structure detected */ if ((streamPtr->dictSize>0) && (smallest>dictEnd)) smallest = dictEnd; LZ4_renormDictT(streamPtr, smallest); if (acceleration < 1) acceleration = ACCELERATION_DEFAULT; /* Check overlapping input/dictionary space */ { const BYTE* sourceEnd = (const BYTE*) source + inputSize; if ((sourceEnd > streamPtr->dictionary) && (sourceEnd < dictEnd)) { streamPtr->dictSize = (U32)(dictEnd - sourceEnd); if (streamPtr->dictSize > 64 KB) streamPtr->dictSize = 64 KB; if (streamPtr->dictSize < 4) streamPtr->dictSize = 0; streamPtr->dictionary = dictEnd - streamPtr->dictSize; } } /* prefix mode : source data follows dictionary */ if (dictEnd == (const BYTE*)source) { int result; if ((streamPtr->dictSize < 64 KB) && (streamPtr->dictSize < streamPtr->currentOffset)) result = LZ4_compress_generic(LZ4_stream, source, dest, inputSize, maxOutputSize, limitedOutput, byU32, withPrefix64k, dictSmall, acceleration); else result = LZ4_compress_generic(LZ4_stream, source, dest, inputSize, maxOutputSize, limitedOutput, byU32, withPrefix64k, noDictIssue, acceleration); streamPtr->dictSize += (U32)inputSize; streamPtr->currentOffset += (U32)inputSize; return result; } /* external dictionary mode */ { int result; if ((streamPtr->dictSize < 64 KB) && (streamPtr->dictSize < streamPtr->currentOffset)) result = LZ4_compress_generic(LZ4_stream, source, dest, inputSize, maxOutputSize, limitedOutput, byU32, usingExtDict, dictSmall, acceleration); else result = LZ4_compress_generic(LZ4_stream, source, dest, inputSize, maxOutputSize, limitedOutput, byU32, usingExtDict, noDictIssue, acceleration); streamPtr->dictionary = (const BYTE*)source; streamPtr->dictSize = (U32)inputSize; streamPtr->currentOffset += (U32)inputSize; return result; } } /* Hidden debug function, to force external dictionary mode */ int LZ4_compress_forceExtDict (LZ4_stream_t* LZ4_dict, const char* source, char* dest, int inputSize) { LZ4_stream_t_internal* streamPtr = (LZ4_stream_t_internal*)LZ4_dict; int result; const BYTE* const dictEnd = streamPtr->dictionary + streamPtr->dictSize; const BYTE* smallest = dictEnd; if (smallest > (const BYTE*) source) smallest = (const BYTE*) source; LZ4_renormDictT((LZ4_stream_t_internal*)LZ4_dict, smallest); result = LZ4_compress_generic(LZ4_dict, source, dest, inputSize, 0, notLimited, byU32, usingExtDict, noDictIssue, 1); streamPtr->dictionary = (const BYTE*)source; streamPtr->dictSize = (U32)inputSize; streamPtr->currentOffset += (U32)inputSize; return result; } int LZ4_saveDict (LZ4_stream_t* LZ4_dict, char* safeBuffer, int dictSize) { LZ4_stream_t_internal* dict = (LZ4_stream_t_internal*) LZ4_dict; const BYTE* previousDictEnd = dict->dictionary + dict->dictSize; if ((U32)dictSize > 64 KB) dictSize = 64 KB; /* useless to define a dictionary > 64 KB */ if ((U32)dictSize > dict->dictSize) dictSize = dict->dictSize; memmove(safeBuffer, previousDictEnd - dictSize, dictSize); dict->dictionary = (const BYTE*)safeBuffer; dict->dictSize = (U32)dictSize; return dictSize; } /******************************* * Decompression functions *******************************/ /* * This generic decompression function cover all use cases. * It shall be instantiated several times, using different sets of directives * Note that it is essential this generic function is really inlined, * in order to remove useless branches during compilation optimization. */ FORCE_INLINE int LZ4_decompress_generic( const char* const source, char* const dest, int inputSize, int outputSize, /* If endOnInput==endOnInputSize, this value is the max size of Output Buffer. */ int endOnInput, /* endOnOutputSize, endOnInputSize */ int partialDecoding, /* full, partial */ int targetOutputSize, /* only used if partialDecoding==partial */ int dict, /* noDict, withPrefix64k, usingExtDict */ const BYTE* const lowPrefix, /* == dest if dict == noDict */ const BYTE* const dictStart, /* only if dict==usingExtDict */ const size_t dictSize /* note : = 0 if noDict */ ) { /* Local Variables */ const BYTE* ip = (const BYTE*) source; const BYTE* const iend = ip + inputSize; BYTE* op = (BYTE*) dest; BYTE* const oend = op + outputSize; BYTE* cpy; BYTE* oexit = op + targetOutputSize; const BYTE* const lowLimit = lowPrefix - dictSize; const BYTE* const dictEnd = (const BYTE*)dictStart + dictSize; const size_t dec32table[] = {4, 1, 2, 1, 4, 4, 4, 4}; const size_t dec64table[] = {0, 0, 0, (size_t)-1, 0, 1, 2, 3}; const int safeDecode = (endOnInput==endOnInputSize); const int checkOffset = ((safeDecode) && (dictSize < (int)(64 KB))); /* Special cases */ if ((partialDecoding) && (oexit> oend-MFLIMIT)) oexit = oend-MFLIMIT; /* targetOutputSize too high => decode everything */ if ((endOnInput) && (unlikely(outputSize==0))) return ((inputSize==1) && (*ip==0)) ? 0 : -1; /* Empty output buffer */ if ((!endOnInput) && (unlikely(outputSize==0))) return (*ip==0?1:-1); /* Main Loop */ while (1) { unsigned token; size_t length; const BYTE* match; /* get literal length */ token = *ip++; if ((length=(token>>ML_BITS)) == RUN_MASK) { unsigned s; do { s = *ip++; length += s; } while (likely((endOnInput)?ip(partialDecoding?oexit:oend-MFLIMIT)) || (ip+length>iend-(2+1+LASTLITERALS))) ) || ((!endOnInput) && (cpy>oend-COPYLENGTH))) { if (partialDecoding) { if (cpy > oend) goto _output_error; /* Error : write attempt beyond end of output buffer */ if ((endOnInput) && (ip+length > iend)) goto _output_error; /* Error : read attempt beyond end of input buffer */ } else { if ((!endOnInput) && (cpy != oend)) goto _output_error; /* Error : block decoding must stop exactly there */ if ((endOnInput) && ((ip+length != iend) || (cpy > oend))) goto _output_error; /* Error : input must be consumed */ } memcpy(op, ip, length); ip += length; op += length; break; /* Necessarily EOF, due to parsing restrictions */ } LZ4_wildCopy(op, ip, cpy); ip += length; op = cpy; /* get offset */ match = cpy - LZ4_readLE16(ip); ip+=2; if ((checkOffset) && (unlikely(match < lowLimit))) goto _output_error; /* Error : offset outside destination buffer */ /* get matchlength */ length = token & ML_MASK; if (length == ML_MASK) { unsigned s; do { if ((endOnInput) && (ip > iend-LASTLITERALS)) goto _output_error; s = *ip++; length += s; } while (s==255); if ((safeDecode) && unlikely((size_t)(op+length)<(size_t)op)) goto _output_error; /* overflow detection */ } length += MINMATCH; /* check external dictionary */ if ((dict==usingExtDict) && (match < lowPrefix)) { if (unlikely(op+length > oend-LASTLITERALS)) goto _output_error; /* doesn't respect parsing restriction */ if (length <= (size_t)(lowPrefix-match)) { /* match can be copied as a single segment from external dictionary */ match = dictEnd - (lowPrefix-match); memmove(op, match, length); op += length; } else { /* match encompass external dictionary and current segment */ size_t copySize = (size_t)(lowPrefix-match); memcpy(op, dictEnd - copySize, copySize); op += copySize; copySize = length - copySize; if (copySize > (size_t)(op-lowPrefix)) /* overlap within current segment */ { BYTE* const endOfMatch = op + copySize; const BYTE* copyFrom = lowPrefix; while (op < endOfMatch) *op++ = *copyFrom++; } else { memcpy(op, lowPrefix, copySize); op += copySize; } } continue; } /* copy repeated sequence */ cpy = op + length; if (unlikely((op-match)<8)) { const size_t dec64 = dec64table[op-match]; op[0] = match[0]; op[1] = match[1]; op[2] = match[2]; op[3] = match[3]; match += dec32table[op-match]; LZ4_copy4(op+4, match); op += 8; match -= dec64; } else { LZ4_copy8(op, match); op+=8; match+=8; } if (unlikely(cpy>oend-12)) { if (cpy > oend-LASTLITERALS) goto _output_error; /* Error : last LASTLITERALS bytes must be literals */ if (op < oend-8) { LZ4_wildCopy(op, match, oend-8); match += (oend-8) - op; op = oend-8; } while (opprefixSize = (size_t) dictSize; lz4sd->prefixEnd = (const BYTE*) dictionary + dictSize; lz4sd->externalDict = NULL; lz4sd->extDictSize = 0; return 1; } /* *_continue() : These decoding functions allow decompression of multiple blocks in "streaming" mode. Previously decoded blocks must still be available at the memory position where they were decoded. If it's not possible, save the relevant part of decoded data into a safe buffer, and indicate where it stands using LZ4_setStreamDecode() */ int LZ4_decompress_safe_continue (LZ4_streamDecode_t* LZ4_streamDecode, const char* source, char* dest, int compressedSize, int maxOutputSize) { LZ4_streamDecode_t_internal* lz4sd = (LZ4_streamDecode_t_internal*) LZ4_streamDecode; int result; if (lz4sd->prefixEnd == (BYTE*)dest) { result = LZ4_decompress_generic(source, dest, compressedSize, maxOutputSize, endOnInputSize, full, 0, usingExtDict, lz4sd->prefixEnd - lz4sd->prefixSize, lz4sd->externalDict, lz4sd->extDictSize); if (result <= 0) return result; lz4sd->prefixSize += result; lz4sd->prefixEnd += result; } else { lz4sd->extDictSize = lz4sd->prefixSize; lz4sd->externalDict = lz4sd->prefixEnd - lz4sd->extDictSize; result = LZ4_decompress_generic(source, dest, compressedSize, maxOutputSize, endOnInputSize, full, 0, usingExtDict, (BYTE*)dest, lz4sd->externalDict, lz4sd->extDictSize); if (result <= 0) return result; lz4sd->prefixSize = result; lz4sd->prefixEnd = (BYTE*)dest + result; } return result; } int LZ4_decompress_fast_continue (LZ4_streamDecode_t* LZ4_streamDecode, const char* source, char* dest, int originalSize) { LZ4_streamDecode_t_internal* lz4sd = (LZ4_streamDecode_t_internal*) LZ4_streamDecode; int result; if (lz4sd->prefixEnd == (BYTE*)dest) { result = LZ4_decompress_generic(source, dest, 0, originalSize, endOnOutputSize, full, 0, usingExtDict, lz4sd->prefixEnd - lz4sd->prefixSize, lz4sd->externalDict, lz4sd->extDictSize); if (result <= 0) return result; lz4sd->prefixSize += originalSize; lz4sd->prefixEnd += originalSize; } else { lz4sd->extDictSize = lz4sd->prefixSize; lz4sd->externalDict = (BYTE*)dest - lz4sd->extDictSize; result = LZ4_decompress_generic(source, dest, 0, originalSize, endOnOutputSize, full, 0, usingExtDict, (BYTE*)dest, lz4sd->externalDict, lz4sd->extDictSize); if (result <= 0) return result; lz4sd->prefixSize = originalSize; lz4sd->prefixEnd = (BYTE*)dest + originalSize; } return result; } /* Advanced decoding functions : *_usingDict() : These decoding functions work the same as "_continue" ones, the dictionary must be explicitly provided within parameters */ FORCE_INLINE int LZ4_decompress_usingDict_generic(const char* source, char* dest, int compressedSize, int maxOutputSize, int safe, const char* dictStart, int dictSize) { if (dictSize==0) return LZ4_decompress_generic(source, dest, compressedSize, maxOutputSize, safe, full, 0, noDict, (BYTE*)dest, NULL, 0); if (dictStart+dictSize == dest) { if (dictSize >= (int)(64 KB - 1)) return LZ4_decompress_generic(source, dest, compressedSize, maxOutputSize, safe, full, 0, withPrefix64k, (BYTE*)dest-64 KB, NULL, 0); return LZ4_decompress_generic(source, dest, compressedSize, maxOutputSize, safe, full, 0, noDict, (BYTE*)dest-dictSize, NULL, 0); } return LZ4_decompress_generic(source, dest, compressedSize, maxOutputSize, safe, full, 0, usingExtDict, (BYTE*)dest, (const BYTE*)dictStart, dictSize); } int LZ4_decompress_safe_usingDict(const char* source, char* dest, int compressedSize, int maxOutputSize, const char* dictStart, int dictSize) { return LZ4_decompress_usingDict_generic(source, dest, compressedSize, maxOutputSize, 1, dictStart, dictSize); } int LZ4_decompress_fast_usingDict(const char* source, char* dest, int originalSize, const char* dictStart, int dictSize) { return LZ4_decompress_usingDict_generic(source, dest, 0, originalSize, 0, dictStart, dictSize); } /* debug function */ int LZ4_decompress_safe_forceExtDict(const char* source, char* dest, int compressedSize, int maxOutputSize, const char* dictStart, int dictSize) { return LZ4_decompress_generic(source, dest, compressedSize, maxOutputSize, endOnInputSize, full, 0, usingExtDict, (BYTE*)dest, (const BYTE*)dictStart, dictSize); } /*************************************************** * Obsolete Functions ***************************************************/ /* obsolete compression functions */ int LZ4_compress_limitedOutput(const char* source, char* dest, int inputSize, int maxOutputSize) { return LZ4_compress_default(source, dest, inputSize, maxOutputSize); } int LZ4_compress(const char* source, char* dest, int inputSize) { return LZ4_compress_default(source, dest, inputSize, LZ4_compressBound(inputSize)); } int LZ4_compress_limitedOutput_withState (void* state, const char* src, char* dst, int srcSize, int dstSize) { return LZ4_compress_fast_extState(state, src, dst, srcSize, dstSize, 1); } int LZ4_compress_withState (void* state, const char* src, char* dst, int srcSize) { return LZ4_compress_fast_extState(state, src, dst, srcSize, LZ4_compressBound(srcSize), 1); } int LZ4_compress_limitedOutput_continue (LZ4_stream_t* LZ4_stream, const char* src, char* dst, int srcSize, int maxDstSize) { return LZ4_compress_fast_continue(LZ4_stream, src, dst, srcSize, maxDstSize, 1); } int LZ4_compress_continue (LZ4_stream_t* LZ4_stream, const char* source, char* dest, int inputSize) { return LZ4_compress_fast_continue(LZ4_stream, source, dest, inputSize, LZ4_compressBound(inputSize), 1); } /* These function names are deprecated and should no longer be used. They are only provided here for compatibility with older user programs. - LZ4_uncompress is totally equivalent to LZ4_decompress_fast - LZ4_uncompress_unknownOutputSize is totally equivalent to LZ4_decompress_safe */ int LZ4_uncompress (const char* source, char* dest, int outputSize) { return LZ4_decompress_fast(source, dest, outputSize); } int LZ4_uncompress_unknownOutputSize (const char* source, char* dest, int isize, int maxOutputSize) { return LZ4_decompress_safe(source, dest, isize, maxOutputSize); } /* Obsolete Streaming functions */ int LZ4_sizeofStreamState() { return LZ4_STREAMSIZE; } static void LZ4_init(LZ4_stream_t_internal* lz4ds, BYTE* base) { MEM_INIT(lz4ds, 0, LZ4_STREAMSIZE); lz4ds->bufferStart = base; } int LZ4_resetStreamState(void* state, char* inputBuffer) { if ((((size_t)state) & 3) != 0) return 1; /* Error : pointer is not aligned on 4-bytes boundary */ LZ4_init((LZ4_stream_t_internal*)state, (BYTE*)inputBuffer); return 0; } void* LZ4_create (char* inputBuffer) { void* lz4ds = ALLOCATOR(8, LZ4_STREAMSIZE_U64); LZ4_init ((LZ4_stream_t_internal*)lz4ds, (BYTE*)inputBuffer); return lz4ds; } char* LZ4_slideInputBuffer (void* LZ4_Data) { LZ4_stream_t_internal* ctx = (LZ4_stream_t_internal*)LZ4_Data; int dictSize = LZ4_saveDict((LZ4_stream_t*)LZ4_Data, (char*)ctx->bufferStart, 64 KB); return (char*)(ctx->bufferStart + dictSize); } /* Obsolete streaming decompression functions */ int LZ4_decompress_safe_withPrefix64k(const char* source, char* dest, int compressedSize, int maxOutputSize) { return LZ4_decompress_generic(source, dest, compressedSize, maxOutputSize, endOnInputSize, full, 0, withPrefix64k, (BYTE*)dest - 64 KB, NULL, 64 KB); } int LZ4_decompress_fast_withPrefix64k(const char* source, char* dest, int originalSize) { return LZ4_decompress_generic(source, dest, 0, originalSize, endOnOutputSize, full, 0, withPrefix64k, (BYTE*)dest - 64 KB, NULL, 64 KB); } #endif /* LZ4_COMMONDEFS_ONLY */ #endif /* NEED_COMPAT_LZ4 */ openvpn-2.4.4/src/compat/compat-lz4.h000066400000000000000000000446161316434344000174400ustar00rootroot00000000000000/* LZ4 - Fast LZ compression algorithm Header File Copyright (C) 2011-2015, Yann Collet. BSD 2-Clause License (http://www.opensource.org/licenses/bsd-license.php) Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. You can contact the author at : - LZ4 source repository : https://github.com/Cyan4973/lz4 - LZ4 public forum : https://groups.google.com/forum/#!forum/lz4c */ #pragma once #if defined (__cplusplus) extern "C" { #endif /* * lz4.h provides block compression functions, and gives full buffer control to programmer. * If you need to generate inter-operable compressed data (respecting LZ4 frame specification), * and can let the library handle its own memory, please use lz4frame.h instead. */ /************************************** * Version **************************************/ #define LZ4_VERSION_MAJOR 1 /* for breaking interface changes */ #define LZ4_VERSION_MINOR 7 /* for new (non-breaking) interface capabilities */ #define LZ4_VERSION_RELEASE 1 /* for tweaks, bug-fixes, or development */ #define LZ4_VERSION_NUMBER (LZ4_VERSION_MAJOR *100*100 + LZ4_VERSION_MINOR *100 + LZ4_VERSION_RELEASE) int LZ4_versionNumber (void); /************************************** * Tuning parameter **************************************/ /* * LZ4_MEMORY_USAGE : * Memory usage formula : N->2^N Bytes (examples : 10 -> 1KB; 12 -> 4KB ; 16 -> 64KB; 20 -> 1MB; etc.) * Increasing memory usage improves compression ratio * Reduced memory usage can improve speed, due to cache effect * Default value is 14, for 16KB, which nicely fits into Intel x86 L1 cache */ #define LZ4_MEMORY_USAGE 14 /************************************** * Simple Functions **************************************/ int LZ4_compress_default(const char* source, char* dest, int sourceSize, int maxDestSize); int LZ4_decompress_safe (const char* source, char* dest, int compressedSize, int maxDecompressedSize); /* LZ4_compress_default() : Compresses 'sourceSize' bytes from buffer 'source' into already allocated 'dest' buffer of size 'maxDestSize'. Compression is guaranteed to succeed if 'maxDestSize' >= LZ4_compressBound(sourceSize). It also runs faster, so it's a recommended setting. If the function cannot compress 'source' into a more limited 'dest' budget, compression stops *immediately*, and the function result is zero. As a consequence, 'dest' content is not valid. This function never writes outside 'dest' buffer, nor read outside 'source' buffer. sourceSize : Max supported value is LZ4_MAX_INPUT_VALUE maxDestSize : full or partial size of buffer 'dest' (which must be already allocated) return : the number of bytes written into buffer 'dest' (necessarily <= maxOutputSize) or 0 if compression fails LZ4_decompress_safe() : compressedSize : is the precise full size of the compressed block. maxDecompressedSize : is the size of destination buffer, which must be already allocated. return : the number of bytes decompressed into destination buffer (necessarily <= maxDecompressedSize) If destination buffer is not large enough, decoding will stop and output an error code (<0). If the source stream is detected malformed, the function will stop decoding and return a negative result. This function is protected against buffer overflow exploits, including malicious data packets. It never writes outside output buffer, nor reads outside input buffer. */ /************************************** * Advanced Functions **************************************/ #define LZ4_MAX_INPUT_SIZE 0x7E000000 /* 2 113 929 216 bytes */ #define LZ4_COMPRESSBOUND(isize) ((unsigned)(isize) > (unsigned)LZ4_MAX_INPUT_SIZE ? 0 : (isize) + ((isize)/255) + 16) /* LZ4_compressBound() : Provides the maximum size that LZ4 compression may output in a "worst case" scenario (input data not compressible) This function is primarily useful for memory allocation purposes (destination buffer size). Macro LZ4_COMPRESSBOUND() is also provided for compilation-time evaluation (stack memory allocation for example). Note that LZ4_compress_default() compress faster when dest buffer size is >= LZ4_compressBound(srcSize) inputSize : max supported value is LZ4_MAX_INPUT_SIZE return : maximum output size in a "worst case" scenario or 0, if input size is too large ( > LZ4_MAX_INPUT_SIZE) */ int LZ4_compressBound(int inputSize); /* LZ4_compress_fast() : Same as LZ4_compress_default(), but allows to select an "acceleration" factor. The larger the acceleration value, the faster the algorithm, but also the lesser the compression. It's a trade-off. It can be fine tuned, with each successive value providing roughly +~3% to speed. An acceleration value of "1" is the same as regular LZ4_compress_default() Values <= 0 will be replaced by ACCELERATION_DEFAULT (see lz4.c), which is 1. */ int LZ4_compress_fast (const char* source, char* dest, int sourceSize, int maxDestSize, int acceleration); /* LZ4_compress_fast_extState() : Same compression function, just using an externally allocated memory space to store compression state. Use LZ4_sizeofState() to know how much memory must be allocated, and allocate it on 8-bytes boundaries (using malloc() typically). Then, provide it as 'void* state' to compression function. */ int LZ4_sizeofState(void); int LZ4_compress_fast_extState (void* state, const char* source, char* dest, int inputSize, int maxDestSize, int acceleration); /* LZ4_compress_destSize() : Reverse the logic, by compressing as much data as possible from 'source' buffer into already allocated buffer 'dest' of size 'targetDestSize'. This function either compresses the entire 'source' content into 'dest' if it's large enough, or fill 'dest' buffer completely with as much data as possible from 'source'. *sourceSizePtr : will be modified to indicate how many bytes where read from 'source' to fill 'dest'. New value is necessarily <= old value. return : Nb bytes written into 'dest' (necessarily <= targetDestSize) or 0 if compression fails */ int LZ4_compress_destSize (const char* source, char* dest, int* sourceSizePtr, int targetDestSize); /* LZ4_decompress_fast() : originalSize : is the original and therefore uncompressed size return : the number of bytes read from the source buffer (in other words, the compressed size) If the source stream is detected malformed, the function will stop decoding and return a negative result. Destination buffer must be already allocated. Its size must be a minimum of 'originalSize' bytes. note : This function fully respect memory boundaries for properly formed compressed data. It is a bit faster than LZ4_decompress_safe(). However, it does not provide any protection against intentionally modified data stream (malicious input). Use this function in trusted environment only (data to decode comes from a trusted source). */ int LZ4_decompress_fast (const char* source, char* dest, int originalSize); /* LZ4_decompress_safe_partial() : This function decompress a compressed block of size 'compressedSize' at position 'source' into destination buffer 'dest' of size 'maxDecompressedSize'. The function tries to stop decompressing operation as soon as 'targetOutputSize' has been reached, reducing decompression time. return : the number of bytes decoded in the destination buffer (necessarily <= maxDecompressedSize) Note : this number can be < 'targetOutputSize' should the compressed block to decode be smaller. Always control how many bytes were decoded. If the source stream is detected malformed, the function will stop decoding and return a negative result. This function never writes outside of output buffer, and never reads outside of input buffer. It is therefore protected against malicious data packets */ int LZ4_decompress_safe_partial (const char* source, char* dest, int compressedSize, int targetOutputSize, int maxDecompressedSize); /*********************************************** * Streaming Compression Functions ***********************************************/ #define LZ4_STREAMSIZE_U64 ((1 << (LZ4_MEMORY_USAGE-3)) + 4) #define LZ4_STREAMSIZE (LZ4_STREAMSIZE_U64 * sizeof(long long)) /* * LZ4_stream_t * information structure to track an LZ4 stream. * important : init this structure content before first use ! * note : only allocated directly the structure if you are statically linking LZ4 * If you are using liblz4 as a DLL, please use below construction methods instead. */ typedef struct { long long table[LZ4_STREAMSIZE_U64]; } LZ4_stream_t; /* * LZ4_resetStream * Use this function to init an allocated LZ4_stream_t structure */ void LZ4_resetStream (LZ4_stream_t* streamPtr); /* * LZ4_createStream will allocate and initialize an LZ4_stream_t structure * LZ4_freeStream releases its memory. * In the context of a DLL (liblz4), please use these methods rather than the static struct. * They are more future proof, in case of a change of LZ4_stream_t size. */ LZ4_stream_t* LZ4_createStream(void); int LZ4_freeStream (LZ4_stream_t* streamPtr); /* * LZ4_loadDict * Use this function to load a static dictionary into LZ4_stream. * Any previous data will be forgotten, only 'dictionary' will remain in memory. * Loading a size of 0 is allowed. * Return : dictionary size, in bytes (necessarily <= 64 KB) */ int LZ4_loadDict (LZ4_stream_t* streamPtr, const char* dictionary, int dictSize); /* * LZ4_compress_fast_continue * Compress buffer content 'src', using data from previously compressed blocks as dictionary to improve compression ratio. * Important : Previous data blocks are assumed to still be present and unmodified ! * 'dst' buffer must be already allocated. * If maxDstSize >= LZ4_compressBound(srcSize), compression is guaranteed to succeed, and runs faster. * If not, and if compressed data cannot fit into 'dst' buffer size, compression stops, and function returns a zero. */ int LZ4_compress_fast_continue (LZ4_stream_t* streamPtr, const char* src, char* dst, int srcSize, int maxDstSize, int acceleration); /* * LZ4_saveDict * If previously compressed data block is not guaranteed to remain available at its memory location * save it into a safer place (char* safeBuffer) * Note : you don't need to call LZ4_loadDict() afterwards, * dictionary is immediately usable, you can therefore call LZ4_compress_fast_continue() * Return : saved dictionary size in bytes (necessarily <= dictSize), or 0 if error */ int LZ4_saveDict (LZ4_stream_t* streamPtr, char* safeBuffer, int dictSize); /************************************************ * Streaming Decompression Functions ************************************************/ #define LZ4_STREAMDECODESIZE_U64 4 #define LZ4_STREAMDECODESIZE (LZ4_STREAMDECODESIZE_U64 * sizeof(unsigned long long)) typedef struct { unsigned long long table[LZ4_STREAMDECODESIZE_U64]; } LZ4_streamDecode_t; /* * LZ4_streamDecode_t * information structure to track an LZ4 stream. * init this structure content using LZ4_setStreamDecode or memset() before first use ! * * In the context of a DLL (liblz4) please prefer usage of construction methods below. * They are more future proof, in case of a change of LZ4_streamDecode_t size in the future. * LZ4_createStreamDecode will allocate and initialize an LZ4_streamDecode_t structure * LZ4_freeStreamDecode releases its memory. */ LZ4_streamDecode_t* LZ4_createStreamDecode(void); int LZ4_freeStreamDecode (LZ4_streamDecode_t* LZ4_stream); /* * LZ4_setStreamDecode * Use this function to instruct where to find the dictionary. * Setting a size of 0 is allowed (same effect as reset). * Return : 1 if OK, 0 if error */ int LZ4_setStreamDecode (LZ4_streamDecode_t* LZ4_streamDecode, const char* dictionary, int dictSize); /* *_continue() : These decoding functions allow decompression of multiple blocks in "streaming" mode. Previously decoded blocks *must* remain available at the memory position where they were decoded (up to 64 KB) In the case of a ring buffers, decoding buffer must be either : - Exactly same size as encoding buffer, with same update rule (block boundaries at same positions) In which case, the decoding & encoding ring buffer can have any size, including very small ones ( < 64 KB). - Larger than encoding buffer, by a minimum of maxBlockSize more bytes. maxBlockSize is implementation dependent. It's the maximum size you intend to compress into a single block. In which case, encoding and decoding buffers do not need to be synchronized, and encoding ring buffer can have any size, including small ones ( < 64 KB). - _At least_ 64 KB + 8 bytes + maxBlockSize. In which case, encoding and decoding buffers do not need to be synchronized, and encoding ring buffer can have any size, including larger than decoding buffer. Whenever these conditions are not possible, save the last 64KB of decoded data into a safe buffer, and indicate where it is saved using LZ4_setStreamDecode() */ int LZ4_decompress_safe_continue (LZ4_streamDecode_t* LZ4_streamDecode, const char* source, char* dest, int compressedSize, int maxDecompressedSize); int LZ4_decompress_fast_continue (LZ4_streamDecode_t* LZ4_streamDecode, const char* source, char* dest, int originalSize); /* Advanced decoding functions : *_usingDict() : These decoding functions work the same as a combination of LZ4_setStreamDecode() followed by LZ4_decompress_x_continue() They are stand-alone. They don't need nor update an LZ4_streamDecode_t structure. */ int LZ4_decompress_safe_usingDict (const char* source, char* dest, int compressedSize, int maxDecompressedSize, const char* dictStart, int dictSize); int LZ4_decompress_fast_usingDict (const char* source, char* dest, int originalSize, const char* dictStart, int dictSize); /************************************** * Obsolete Functions **************************************/ /* Deprecate Warnings */ /* Should these warnings messages be a problem, it is generally possible to disable them, with -Wno-deprecated-declarations for gcc or _CRT_SECURE_NO_WARNINGS in Visual for example. You can also define LZ4_DEPRECATE_WARNING_DEFBLOCK. */ #ifndef LZ4_DEPRECATE_WARNING_DEFBLOCK # define LZ4_DEPRECATE_WARNING_DEFBLOCK # define LZ4_GCC_VERSION (__GNUC__ * 100 + __GNUC_MINOR__) # if (LZ4_GCC_VERSION >= 405) || defined(__clang__) # define LZ4_DEPRECATED(message) __attribute__((deprecated(message))) # elif (LZ4_GCC_VERSION >= 301) # define LZ4_DEPRECATED(message) __attribute__((deprecated)) # elif defined(_MSC_VER) # define LZ4_DEPRECATED(message) __declspec(deprecated(message)) # else # pragma message("WARNING: You need to implement LZ4_DEPRECATED for this compiler") # define LZ4_DEPRECATED(message) # endif #endif /* LZ4_DEPRECATE_WARNING_DEFBLOCK */ /* Obsolete compression functions */ /* These functions are planned to start generate warnings by r131 approximately */ int LZ4_compress (const char* source, char* dest, int sourceSize); int LZ4_compress_limitedOutput (const char* source, char* dest, int sourceSize, int maxOutputSize); int LZ4_compress_withState (void* state, const char* source, char* dest, int inputSize); int LZ4_compress_limitedOutput_withState (void* state, const char* source, char* dest, int inputSize, int maxOutputSize); int LZ4_compress_continue (LZ4_stream_t* LZ4_streamPtr, const char* source, char* dest, int inputSize); int LZ4_compress_limitedOutput_continue (LZ4_stream_t* LZ4_streamPtr, const char* source, char* dest, int inputSize, int maxOutputSize); /* Obsolete decompression functions */ /* These function names are completely deprecated and must no longer be used. They are only provided here for compatibility with older programs. - LZ4_uncompress is the same as LZ4_decompress_fast - LZ4_uncompress_unknownOutputSize is the same as LZ4_decompress_safe These function prototypes are now disabled; uncomment them only if you really need them. It is highly recommended to stop using these prototypes and migrate to maintained ones */ /* int LZ4_uncompress (const char* source, char* dest, int outputSize); */ /* int LZ4_uncompress_unknownOutputSize (const char* source, char* dest, int isize, int maxOutputSize); */ /* Obsolete streaming functions; use new streaming interface whenever possible */ LZ4_DEPRECATED("use LZ4_createStream() instead") void* LZ4_create (char* inputBuffer); LZ4_DEPRECATED("use LZ4_createStream() instead") int LZ4_sizeofStreamState(void); LZ4_DEPRECATED("use LZ4_resetStream() instead") int LZ4_resetStreamState(void* state, char* inputBuffer); LZ4_DEPRECATED("use LZ4_saveDict() instead") char* LZ4_slideInputBuffer (void* state); /* Obsolete streaming decoding functions */ LZ4_DEPRECATED("use LZ4_decompress_safe_usingDict() instead") int LZ4_decompress_safe_withPrefix64k (const char* src, char* dst, int compressedSize, int maxDstSize); LZ4_DEPRECATED("use LZ4_decompress_fast_usingDict() instead") int LZ4_decompress_fast_withPrefix64k (const char* src, char* dst, int originalSize); #if defined (__cplusplus) } #endif openvpn-2.4.4/src/compat/compat-versionhelpers.h000066400000000000000000000060451316434344000217710ustar00rootroot00000000000000/** * This file is part of the mingw-w64 runtime package. * No warranty is given; refer to the file DISCLAIMER within this package. */ #ifndef _INC_VERSIONHELPERS #define _INC_VERSIONHELPERS #include #if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP) && !defined(__WIDL__) #ifdef __cplusplus #define VERSIONHELPERAPI inline bool #else #define VERSIONHELPERAPI FORCEINLINE BOOL #endif #define _WIN32_WINNT_WINBLUE 0x0603 VERSIONHELPERAPI IsWindowsVersionOrGreater(WORD major, WORD minor, WORD servpack) { OSVERSIONINFOEXW vi = {sizeof(vi),major,minor,0,0,{0},servpack}; return VerifyVersionInfoW(&vi, VER_MAJORVERSION|VER_MINORVERSION|VER_SERVICEPACKMAJOR, VerSetConditionMask(VerSetConditionMask(VerSetConditionMask(0, VER_MAJORVERSION,VER_GREATER_EQUAL), VER_MINORVERSION,VER_GREATER_EQUAL), VER_SERVICEPACKMAJOR, VER_GREATER_EQUAL)); } VERSIONHELPERAPI IsWindowsXPOrGreater(void) { return IsWindowsVersionOrGreater(HIBYTE(_WIN32_WINNT_WINXP), LOBYTE(_WIN32_WINNT_WINXP), 0); } VERSIONHELPERAPI IsWindowsXPSP1OrGreater(void) { return IsWindowsVersionOrGreater(HIBYTE(_WIN32_WINNT_WINXP), LOBYTE(_WIN32_WINNT_WINXP), 1); } VERSIONHELPERAPI IsWindowsXPSP2OrGreater(void) { return IsWindowsVersionOrGreater(HIBYTE(_WIN32_WINNT_WINXP), LOBYTE(_WIN32_WINNT_WINXP), 2); } VERSIONHELPERAPI IsWindowsXPSP3OrGreater(void) { return IsWindowsVersionOrGreater(HIBYTE(_WIN32_WINNT_WINXP), LOBYTE(_WIN32_WINNT_WINXP), 3); } VERSIONHELPERAPI IsWindowsVistaOrGreater(void) { return IsWindowsVersionOrGreater(HIBYTE(_WIN32_WINNT_VISTA), LOBYTE(_WIN32_WINNT_VISTA), 0); } VERSIONHELPERAPI IsWindowsVistaSP1OrGreater(void) { return IsWindowsVersionOrGreater(HIBYTE(_WIN32_WINNT_VISTA), LOBYTE(_WIN32_WINNT_VISTA), 1); } VERSIONHELPERAPI IsWindowsVistaSP2OrGreater(void) { return IsWindowsVersionOrGreater(HIBYTE(_WIN32_WINNT_VISTA), LOBYTE(_WIN32_WINNT_VISTA), 2); } VERSIONHELPERAPI IsWindows7OrGreater(void) { return IsWindowsVersionOrGreater(HIBYTE(_WIN32_WINNT_WIN7), LOBYTE(_WIN32_WINNT_WIN7), 0); } VERSIONHELPERAPI IsWindows7SP1OrGreater(void) { return IsWindowsVersionOrGreater(HIBYTE(_WIN32_WINNT_WIN7), LOBYTE(_WIN32_WINNT_WIN7), 1); } VERSIONHELPERAPI IsWindows8OrGreater(void) { return IsWindowsVersionOrGreater(HIBYTE(_WIN32_WINNT_WIN8), LOBYTE(_WIN32_WINNT_WIN8), 0); } VERSIONHELPERAPI IsWindows8Point1OrGreater(void) { return IsWindowsVersionOrGreater(HIBYTE(_WIN32_WINNT_WINBLUE), LOBYTE(_WIN32_WINNT_WINBLUE), 0); } VERSIONHELPERAPI IsWindowsServer(void) { OSVERSIONINFOEXW vi = {sizeof(vi),0,0,0,0,{0},0,0,0,VER_NT_WORKSTATION}; return !VerifyVersionInfoW(&vi, VER_PRODUCT_TYPE, VerSetConditionMask(0, VER_PRODUCT_TYPE, VER_EQUAL)); } #endif /* if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP) && !defined(__WIDL__) */ #endif /* ifndef _INC_VERSIONHELPERS */ openvpn-2.4.4/src/compat/compat.h000066400000000000000000000033731316434344000167240ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2011 - David Sommerseth * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifndef COMPAT_H #define COMPAT_H #ifdef HAVE_WINSOCK2_H #include #endif #ifdef HAVE_WS2TCPIP_H #include #endif #ifdef HAVE_SYS_TIME_H #include #endif #ifdef HAVE_SYS_SOCKET_H #include #endif #ifndef HAVE_DIRNAME char *dirname(char *str); #endif /* HAVE_DIRNAME */ #ifndef HAVE_BASENAME char *basename(char *str); #endif /* HAVE_BASENAME */ #ifndef HAVE_GETTIMEOFDAY int gettimeofday(struct timeval *tv, void *tz); #endif #ifndef HAVE_DAEMON int daemon(int nochdir, int noclose); #endif #ifndef HAVE_INET_NTOP const char *inet_ntop(int af, const void *src, char *dst, socklen_t size); #endif #ifndef HAVE_INET_PTON int inet_pton(int af, const char *src, void *dst); #endif #endif /* COMPAT_H */ openvpn-2.4.4/src/compat/compat.vcxproj000066400000000000000000000115701316434344000201660ustar00rootroot00000000000000 Debug Win32 Release Win32 {4B2E2719-E661-45D7-9203-F6F456B22F19} compat Win32Proj StaticLibrary MultiByte true v120 StaticLibrary MultiByte v120 <_ProjectFileVersion>10.0.30319.1 $(SolutionDir)$(Platform)-Output\$(Configuration)\ $(Configuration)\ $(SolutionDir)$(Platform)-Output\$(Configuration)\ $(Configuration)\ Disabled $(SOURCEBASE);$(SOURCEBASE)/include;$(OPENSSL_HOME)/include;$(LZO_HOME)/include;$(PKCS11H_HOME)/include;%(AdditionalIncludeDirectories) WIN32;_DEBUG;_LIB;$(CPPFLAGS);%(PreprocessorDefinitions) true EnableFastChecks MultiThreadedDebugDLL Level3 EditAndContinue MaxSpeed true $(SOURCEBASE);$(SOURCEBASE)/include;$(OPENSSL_HOME)/include;$(LZO_HOME)/include;$(PKCS11H_HOME)/include;%(AdditionalIncludeDirectories) WIN32;NDEBUG;_LIB;$(CPPFLAGS);%(PreprocessorDefinitions) MultiThreadedDLL true Level3 ProgramDatabase openvpn-2.4.4/src/compat/compat.vcxproj.filters000066400000000000000000000032051316434344000216310ustar00rootroot00000000000000 {4FC737F1-C7A5-4376-A066-2A32D752A2FF} cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx {93995380-89BD-4b04-88EB-625FBE52EBFB} h;hpp;hxx;hm;inl;inc;xsd {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav Source Files Source Files Source Files Source Files Source Files Source Files Source Files Header Files openvpn-2.4.4/src/openvpn/000077500000000000000000000000001316434344000154645ustar00rootroot00000000000000openvpn-2.4.4/src/openvpn/Makefile.am000066400000000000000000000063141316434344000175240ustar00rootroot00000000000000# # OpenVPN -- An application to securely tunnel IP networks # over a single UDP port, with support for SSL/TLS-based # session authentication and key exchange, # packet encryption, packet authentication, and # packet compression. # # Copyright (C) 2002-2017 OpenVPN Technologies, Inc. # Copyright (C) 2006-2012 Alon Bar-Lev # include $(top_srcdir)/build/ltrc.inc MAINTAINERCLEANFILES = \ $(srcdir)/Makefile.in EXTRA_DIST = \ openvpn.vcxproj \ openvpn.vcxproj.filters AM_CPPFLAGS = \ -I$(top_srcdir)/include \ -I$(top_srcdir)/src/compat AM_CFLAGS = \ $(TAP_CFLAGS) \ $(OPTIONAL_CRYPTO_CFLAGS) \ $(OPTIONAL_LZO_CFLAGS) \ $(OPTIONAL_LZ4_CFLAGS) \ $(OPTIONAL_PKCS11_HELPER_CFLAGS) \ -DPLUGIN_LIBDIR=\"${plugindir}\" if WIN32 # we want unicode entry point but not the macro AM_CFLAGS += -municode -UUNICODE endif sbin_PROGRAMS = openvpn openvpn_SOURCES = \ argv.c argv.h \ base64.c base64.h \ basic.h \ buffer.c buffer.h \ circ_list.h \ clinat.c clinat.h \ common.h \ comp.c comp.h compstub.c \ comp-lz4.c comp-lz4.h \ crypto.c crypto.h crypto_backend.h \ crypto_openssl.c crypto_openssl.h \ crypto_mbedtls.c crypto_mbedtls.h \ dhcp.c dhcp.h \ errlevel.h \ error.c error.h \ event.c event.h \ fdmisc.c fdmisc.h \ forward.c forward.h forward-inline.h \ fragment.c fragment.h \ gremlin.c gremlin.h \ helper.c helper.h \ httpdigest.c httpdigest.h \ lladdr.c lladdr.h \ init.c init.h \ integer.h \ interval.c interval.h \ list.c list.h \ lzo.c lzo.h \ manage.c manage.h \ mbuf.c mbuf.h \ memdbg.h \ misc.c misc.h \ platform.c platform.h \ console.c console.h console_builtin.c console_systemd.c \ mroute.c mroute.h \ mss.c mss.h \ mstats.c mstats.h \ mtcp.c mtcp.h \ mtu.c mtu.h \ mudp.c mudp.h \ multi.c multi.h \ ntlm.c ntlm.h \ occ.c occ.h occ-inline.h \ openssl_compat.h \ pkcs11.c pkcs11.h pkcs11_backend.h \ pkcs11_openssl.c \ pkcs11_mbedtls.c \ openvpn.c openvpn.h \ options.c options.h \ otime.c otime.h \ packet_id.c packet_id.h \ perf.c perf.h \ pf.c pf.h pf-inline.h \ ping.c ping.h ping-inline.h \ plugin.c plugin.h \ pool.c pool.h \ proto.c proto.h \ proxy.c proxy.h \ ps.c ps.h \ push.c push.h \ pushlist.h \ reliable.c reliable.h \ route.c route.h \ schedule.c schedule.h \ session_id.c session_id.h \ shaper.c shaper.h \ sig.c sig.h \ socket.c socket.h \ socks.c socks.h \ ssl.c ssl.h ssl_backend.h \ ssl_openssl.c ssl_openssl.h \ ssl_mbedtls.c ssl_mbedtls.h \ ssl_common.h \ ssl_verify.c ssl_verify.h ssl_verify_backend.h \ ssl_verify_openssl.c ssl_verify_openssl.h \ ssl_verify_mbedtls.c ssl_verify_mbedtls.h \ status.c status.h \ syshead.h \ tls_crypt.c tls_crypt.h \ tun.c tun.h \ win32.h win32.c \ cryptoapi.h cryptoapi.c openvpn_LDADD = \ $(top_builddir)/src/compat/libcompat.la \ $(SOCKETS_LIBS) \ $(OPTIONAL_LZO_LIBS) \ $(OPTIONAL_LZ4_LIBS) \ $(OPTIONAL_PKCS11_HELPER_LIBS) \ $(OPTIONAL_CRYPTO_LIBS) \ $(OPTIONAL_SELINUX_LIBS) \ $(OPTIONAL_SYSTEMD_LIBS) \ $(OPTIONAL_DL_LIBS) if WIN32 openvpn_SOURCES += openvpn_win32_resources.rc block_dns.c block_dns.h openvpn_LDADD += -lgdi32 -lws2_32 -lwininet -lcrypt32 -liphlpapi -lwinmm -lfwpuclnt -lrpcrt4 endif openvpn-2.4.4/src/openvpn/Makefile.in000066400000000000000000001025311316434344000175330ustar00rootroot00000000000000# Makefile.in generated by automake 1.14.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2013 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY, to the extent permitted by law; without # even the implied warranty of MERCHANTABILITY or FITNESS FOR A # PARTICULAR PURPOSE. @SET_MAKE@ # # OpenVPN -- An application to securely tunnel IP networks # over a single UDP port, with support for SSL/TLS-based # session authentication and key exchange, # packet encryption, packet authentication, and # packet compression. # # Copyright (C) 2002-2017 OpenVPN Technologies, Inc. # Copyright (C) 2006-2012 Alon Bar-Lev # # # OpenVPN -- An application to securely tunnel IP networks # over a single UDP port, with support for SSL/TLS-based # session authentication and key exchange, # packet encryption, packet authentication, and # packet compression. # # Copyright (C) 2008-2012 Alon Bar-Lev # # Required to build Windows resource file VPATH = @srcdir@ am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ *) echo "am__make_running_with_option: internal error: invalid" \ "target option '$${target_option-}' specified" >&2; \ exit 1;; \ esac; \ has_opt=no; \ sane_makeflags=$$MAKEFLAGS; \ if $(am__is_gnu_make); then \ sane_makeflags=$$MFLAGS; \ else \ case $$MAKEFLAGS in \ *\\[\ \ ]*) \ bs=\\; \ sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ esac; \ fi; \ skip_next=no; \ strip_trailopt () \ { \ flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ }; \ for flg in $$sane_makeflags; do \ test $$skip_next = yes && { skip_next=no; continue; }; \ case $$flg in \ *=*|--*) continue;; \ -*I) strip_trailopt 'I'; skip_next=yes;; \ -*I?*) strip_trailopt 'I';; \ -*O) strip_trailopt 'O'; skip_next=yes;; \ -*O?*) strip_trailopt 'O';; \ -*l) strip_trailopt 'l'; skip_next=yes;; \ -*l?*) strip_trailopt 'l';; \ -[dEDm]) skip_next=yes;; \ -[JT]) skip_next=yes;; \ esac; \ case $$flg in \ *$$target_option*) has_opt=yes; break;; \ esac; \ done; \ test $$has_opt = yes am__make_dryrun = (target_option=n; $(am__make_running_with_option)) am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) pkgdatadir = $(datadir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ pkglibdir = $(libdir)/@PACKAGE@ pkglibexecdir = $(libexecdir)/@PACKAGE@ am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c install_sh_SCRIPT = $(install_sh) -c INSTALL_HEADER = $(INSTALL_DATA) transform = $(program_transform_name) NORMAL_INSTALL = : PRE_INSTALL = : POST_INSTALL = : NORMAL_UNINSTALL = : PRE_UNINSTALL = : POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ DIST_COMMON = $(top_srcdir)/build/ltrc.inc $(srcdir)/Makefile.in \ $(srcdir)/Makefile.am $(top_srcdir)/depcomp # we want unicode entry point but not the macro @WIN32_TRUE@am__append_1 = -municode -UUNICODE sbin_PROGRAMS = openvpn$(EXEEXT) @WIN32_TRUE@am__append_2 = openvpn_win32_resources.rc block_dns.c block_dns.h @WIN32_TRUE@am__append_3 = -lgdi32 -lws2_32 -lwininet -lcrypt32 -liphlpapi -lwinmm -lfwpuclnt -lrpcrt4 subdir = src/openvpn ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/ax_emptyarray.m4 \ $(top_srcdir)/m4/ax_socklen_t.m4 \ $(top_srcdir)/m4/ax_varargs.m4 $(top_srcdir)/m4/libtool.m4 \ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ $(top_srcdir)/m4/pkg.m4 $(top_srcdir)/version.m4 \ $(top_srcdir)/compat.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h \ $(top_builddir)/include/openvpn-plugin.h CONFIG_CLEAN_FILES = CONFIG_CLEAN_VPATH_FILES = am__installdirs = "$(DESTDIR)$(sbindir)" PROGRAMS = $(sbin_PROGRAMS) am__openvpn_SOURCES_DIST = argv.c argv.h base64.c base64.h basic.h \ buffer.c buffer.h circ_list.h clinat.c clinat.h common.h \ comp.c comp.h compstub.c comp-lz4.c comp-lz4.h crypto.c \ crypto.h crypto_backend.h crypto_openssl.c crypto_openssl.h \ crypto_mbedtls.c crypto_mbedtls.h dhcp.c dhcp.h errlevel.h \ error.c error.h event.c event.h fdmisc.c fdmisc.h forward.c \ forward.h forward-inline.h fragment.c fragment.h gremlin.c \ gremlin.h helper.c helper.h httpdigest.c httpdigest.h lladdr.c \ lladdr.h init.c init.h integer.h interval.c interval.h list.c \ list.h lzo.c lzo.h manage.c manage.h mbuf.c mbuf.h memdbg.h \ misc.c misc.h platform.c platform.h console.c console.h \ console_builtin.c console_systemd.c mroute.c mroute.h mss.c \ mss.h mstats.c mstats.h mtcp.c mtcp.h mtu.c mtu.h mudp.c \ mudp.h multi.c multi.h ntlm.c ntlm.h occ.c occ.h occ-inline.h \ openssl_compat.h pkcs11.c pkcs11.h pkcs11_backend.h \ pkcs11_openssl.c pkcs11_mbedtls.c openvpn.c openvpn.h \ options.c options.h otime.c otime.h packet_id.c packet_id.h \ perf.c perf.h pf.c pf.h pf-inline.h ping.c ping.h \ ping-inline.h plugin.c plugin.h pool.c pool.h proto.c proto.h \ proxy.c proxy.h ps.c ps.h push.c push.h pushlist.h reliable.c \ reliable.h route.c route.h schedule.c schedule.h session_id.c \ session_id.h shaper.c shaper.h sig.c sig.h socket.c socket.h \ socks.c socks.h ssl.c ssl.h ssl_backend.h ssl_openssl.c \ ssl_openssl.h ssl_mbedtls.c ssl_mbedtls.h ssl_common.h \ ssl_verify.c ssl_verify.h ssl_verify_backend.h \ ssl_verify_openssl.c ssl_verify_openssl.h ssl_verify_mbedtls.c \ ssl_verify_mbedtls.h status.c status.h syshead.h tls_crypt.c \ tls_crypt.h tun.c tun.h win32.h win32.c cryptoapi.h \ cryptoapi.c openvpn_win32_resources.rc block_dns.c block_dns.h @WIN32_TRUE@am__objects_1 = openvpn_win32_resources.$(OBJEXT) \ @WIN32_TRUE@ block_dns.$(OBJEXT) am_openvpn_OBJECTS = argv.$(OBJEXT) base64.$(OBJEXT) buffer.$(OBJEXT) \ clinat.$(OBJEXT) comp.$(OBJEXT) compstub.$(OBJEXT) \ comp-lz4.$(OBJEXT) crypto.$(OBJEXT) crypto_openssl.$(OBJEXT) \ crypto_mbedtls.$(OBJEXT) dhcp.$(OBJEXT) error.$(OBJEXT) \ event.$(OBJEXT) fdmisc.$(OBJEXT) forward.$(OBJEXT) \ fragment.$(OBJEXT) gremlin.$(OBJEXT) helper.$(OBJEXT) \ httpdigest.$(OBJEXT) lladdr.$(OBJEXT) init.$(OBJEXT) \ interval.$(OBJEXT) list.$(OBJEXT) lzo.$(OBJEXT) \ manage.$(OBJEXT) mbuf.$(OBJEXT) misc.$(OBJEXT) \ platform.$(OBJEXT) console.$(OBJEXT) console_builtin.$(OBJEXT) \ console_systemd.$(OBJEXT) mroute.$(OBJEXT) mss.$(OBJEXT) \ mstats.$(OBJEXT) mtcp.$(OBJEXT) mtu.$(OBJEXT) mudp.$(OBJEXT) \ multi.$(OBJEXT) ntlm.$(OBJEXT) occ.$(OBJEXT) pkcs11.$(OBJEXT) \ pkcs11_openssl.$(OBJEXT) pkcs11_mbedtls.$(OBJEXT) \ openvpn.$(OBJEXT) options.$(OBJEXT) otime.$(OBJEXT) \ packet_id.$(OBJEXT) perf.$(OBJEXT) pf.$(OBJEXT) ping.$(OBJEXT) \ plugin.$(OBJEXT) pool.$(OBJEXT) proto.$(OBJEXT) \ proxy.$(OBJEXT) ps.$(OBJEXT) push.$(OBJEXT) reliable.$(OBJEXT) \ route.$(OBJEXT) schedule.$(OBJEXT) session_id.$(OBJEXT) \ shaper.$(OBJEXT) sig.$(OBJEXT) socket.$(OBJEXT) \ socks.$(OBJEXT) ssl.$(OBJEXT) ssl_openssl.$(OBJEXT) \ ssl_mbedtls.$(OBJEXT) ssl_verify.$(OBJEXT) \ ssl_verify_openssl.$(OBJEXT) ssl_verify_mbedtls.$(OBJEXT) \ status.$(OBJEXT) tls_crypt.$(OBJEXT) tun.$(OBJEXT) \ win32.$(OBJEXT) cryptoapi.$(OBJEXT) $(am__objects_1) openvpn_OBJECTS = $(am_openvpn_OBJECTS) am__DEPENDENCIES_1 = openvpn_DEPENDENCIES = $(top_builddir)/src/compat/libcompat.la \ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ $(am__DEPENDENCIES_1) AM_V_lt = $(am__v_lt_@AM_V@) am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) am__v_lt_0 = --silent am__v_lt_1 = AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false am__v_P_1 = : AM_V_GEN = $(am__v_GEN_@AM_V@) am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) am__v_GEN_0 = @echo " GEN " $@; am__v_GEN_1 = AM_V_at = $(am__v_at_@AM_V@) am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) am__v_at_0 = @ am__v_at_1 = DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) -I$(top_builddir)/include depcomp = $(SHELL) $(top_srcdir)/depcomp am__depfiles_maybe = depfiles am__mv = mv -f COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \ $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ $(AM_CFLAGS) $(CFLAGS) AM_V_CC = $(am__v_CC_@AM_V@) am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@) am__v_CC_0 = @echo " CC " $@; am__v_CC_1 = CCLD = $(CC) LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ $(AM_LDFLAGS) $(LDFLAGS) -o $@ AM_V_CCLD = $(am__v_CCLD_@AM_V@) am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) am__v_CCLD_0 = @echo " CCLD " $@; am__v_CCLD_1 = SOURCES = $(openvpn_SOURCES) DIST_SOURCES = $(am__openvpn_SOURCES_DIST) am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ *) (install-info --version) >/dev/null 2>&1;; \ esac am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) # Read a list of newline-separated strings from the standard input, # and print each of them once, without duplicates. Input order is # *not* preserved. am__uniquify_input = $(AWK) '\ BEGIN { nonempty = 0; } \ { items[$$0] = 1; nonempty = 1; } \ END { if (nonempty) { for (i in items) print i; }; } \ ' # Make sure the list of sources is unique. This is necessary because, # e.g., the same source file might be shared among _SOURCES variables # for different programs/libraries. am__define_uniq_tagged_files = \ list='$(am__tagged_files)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ AS = @AS@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ CMAKE = @CMAKE@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ DL_LIBS = @DL_LIBS@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ GIT = @GIT@ GREP = @GREP@ IFCONFIG = @IFCONFIG@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ IPROUTE = @IPROUTE@ LD = @LD@ LDFLAGS = @LDFLAGS@ LIBOBJS = @LIBOBJS@ LIBPAM_CFLAGS = @LIBPAM_CFLAGS@ LIBPAM_LIBS = @LIBPAM_LIBS@ LIBS = @LIBS@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ LZ4_CFLAGS = @LZ4_CFLAGS@ LZ4_LIBS = @LZ4_LIBS@ LZO_CFLAGS = @LZO_CFLAGS@ LZO_LIBS = @LZO_LIBS@ MAKEINFO = @MAKEINFO@ MAN2HTML = @MAN2HTML@ MANIFEST_TOOL = @MANIFEST_TOOL@ MBEDTLS_CFLAGS = @MBEDTLS_CFLAGS@ MBEDTLS_LIBS = @MBEDTLS_LIBS@ MKDIR_P = @MKDIR_P@ NETSTAT = @NETSTAT@ NM = @NM@ NMEDIT = @NMEDIT@ OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ OPENSSL_CFLAGS = @OPENSSL_CFLAGS@ OPENSSL_LIBS = @OPENSSL_LIBS@ OPENVPN_VERSION_MAJOR = @OPENVPN_VERSION_MAJOR@ OPENVPN_VERSION_MINOR = @OPENVPN_VERSION_MINOR@ OPENVPN_VERSION_PATCH = @OPENVPN_VERSION_PATCH@ OPTIONAL_CRYPTO_CFLAGS = @OPTIONAL_CRYPTO_CFLAGS@ OPTIONAL_CRYPTO_LIBS = @OPTIONAL_CRYPTO_LIBS@ OPTIONAL_DL_LIBS = @OPTIONAL_DL_LIBS@ OPTIONAL_LZ4_CFLAGS = @OPTIONAL_LZ4_CFLAGS@ OPTIONAL_LZ4_LIBS = @OPTIONAL_LZ4_LIBS@ OPTIONAL_LZO_CFLAGS = @OPTIONAL_LZO_CFLAGS@ OPTIONAL_LZO_LIBS = @OPTIONAL_LZO_LIBS@ OPTIONAL_PKCS11_HELPER_CFLAGS = @OPTIONAL_PKCS11_HELPER_CFLAGS@ OPTIONAL_PKCS11_HELPER_LIBS = @OPTIONAL_PKCS11_HELPER_LIBS@ OPTIONAL_SELINUX_LIBS = @OPTIONAL_SELINUX_LIBS@ OPTIONAL_SYSTEMD_LIBS = @OPTIONAL_SYSTEMD_LIBS@ OTOOL = @OTOOL@ OTOOL64 = @OTOOL64@ P11KIT_CFLAGS = @P11KIT_CFLAGS@ P11KIT_LIBS = @P11KIT_LIBS@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PKCS11_HELPER_CFLAGS = @PKCS11_HELPER_CFLAGS@ PKCS11_HELPER_LIBS = @PKCS11_HELPER_LIBS@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGINDIR = @PLUGINDIR@ PLUGIN_AUTH_PAM_CFLAGS = @PLUGIN_AUTH_PAM_CFLAGS@ PLUGIN_AUTH_PAM_LIBS = @PLUGIN_AUTH_PAM_LIBS@ RANLIB = @RANLIB@ RC = @RC@ ROUTE = @ROUTE@ SED = @SED@ SELINUX_LIBS = @SELINUX_LIBS@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ SOCKETS_LIBS = @SOCKETS_LIBS@ STRIP = @STRIP@ SYSTEMD_ASK_PASSWORD = @SYSTEMD_ASK_PASSWORD@ SYSTEMD_UNIT_DIR = @SYSTEMD_UNIT_DIR@ TAP_CFLAGS = @TAP_CFLAGS@ TAP_WIN_COMPONENT_ID = @TAP_WIN_COMPONENT_ID@ TAP_WIN_MIN_MAJOR = @TAP_WIN_MIN_MAJOR@ TAP_WIN_MIN_MINOR = @TAP_WIN_MIN_MINOR@ TEST_CFLAGS = @TEST_CFLAGS@ TEST_LDFLAGS = @TEST_LDFLAGS@ TMPFILES_DIR = @TMPFILES_DIR@ VENDOR_BUILD_ROOT = @VENDOR_BUILD_ROOT@ VENDOR_DIST_ROOT = @VENDOR_DIST_ROOT@ VENDOR_SRC_ROOT = @VENDOR_SRC_ROOT@ VERSION = @VERSION@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ ac_ct_AR = @ac_ct_AR@ ac_ct_CC = @ac_ct_CC@ ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ am__include = @am__include@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ am__tar = @am__tar@ am__untar = @am__untar@ bindir = @bindir@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ datadir = @datadir@ datarootdir = @datarootdir@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ host_os = @host_os@ host_vendor = @host_vendor@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ libdir = @libdir@ libexecdir = @libexecdir@ libsystemd_CFLAGS = @libsystemd_CFLAGS@ libsystemd_LIBS = @libsystemd_LIBS@ localedir = @localedir@ localstatedir = @localstatedir@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ pdfdir = @pdfdir@ plugindir = @plugindir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ sampledir = @sampledir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ systemdunitdir = @systemdunitdir@ target_alias = @target_alias@ tmpfilesdir = @tmpfilesdir@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ RCCOMPILE = $(RC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ $(AM_CPPFLAGS) $(CPPFLAGS) LTRCCOMPILE = $(LIBTOOL) --mode=compile --tag=RC $(RCCOMPILE) MAINTAINERCLEANFILES = \ $(srcdir)/Makefile.in EXTRA_DIST = \ openvpn.vcxproj \ openvpn.vcxproj.filters AM_CPPFLAGS = \ -I$(top_srcdir)/include \ -I$(top_srcdir)/src/compat AM_CFLAGS = $(TAP_CFLAGS) $(OPTIONAL_CRYPTO_CFLAGS) \ $(OPTIONAL_LZO_CFLAGS) $(OPTIONAL_LZ4_CFLAGS) \ $(OPTIONAL_PKCS11_HELPER_CFLAGS) \ -DPLUGIN_LIBDIR=\"${plugindir}\" $(am__append_1) openvpn_SOURCES = argv.c argv.h base64.c base64.h basic.h buffer.c \ buffer.h circ_list.h clinat.c clinat.h common.h comp.c comp.h \ compstub.c comp-lz4.c comp-lz4.h crypto.c crypto.h \ crypto_backend.h crypto_openssl.c crypto_openssl.h \ crypto_mbedtls.c crypto_mbedtls.h dhcp.c dhcp.h errlevel.h \ error.c error.h event.c event.h fdmisc.c fdmisc.h forward.c \ forward.h forward-inline.h fragment.c fragment.h gremlin.c \ gremlin.h helper.c helper.h httpdigest.c httpdigest.h lladdr.c \ lladdr.h init.c init.h integer.h interval.c interval.h list.c \ list.h lzo.c lzo.h manage.c manage.h mbuf.c mbuf.h memdbg.h \ misc.c misc.h platform.c platform.h console.c console.h \ console_builtin.c console_systemd.c mroute.c mroute.h mss.c \ mss.h mstats.c mstats.h mtcp.c mtcp.h mtu.c mtu.h mudp.c \ mudp.h multi.c multi.h ntlm.c ntlm.h occ.c occ.h occ-inline.h \ openssl_compat.h pkcs11.c pkcs11.h pkcs11_backend.h \ pkcs11_openssl.c pkcs11_mbedtls.c openvpn.c openvpn.h \ options.c options.h otime.c otime.h packet_id.c packet_id.h \ perf.c perf.h pf.c pf.h pf-inline.h ping.c ping.h \ ping-inline.h plugin.c plugin.h pool.c pool.h proto.c proto.h \ proxy.c proxy.h ps.c ps.h push.c push.h pushlist.h reliable.c \ reliable.h route.c route.h schedule.c schedule.h session_id.c \ session_id.h shaper.c shaper.h sig.c sig.h socket.c socket.h \ socks.c socks.h ssl.c ssl.h ssl_backend.h ssl_openssl.c \ ssl_openssl.h ssl_mbedtls.c ssl_mbedtls.h ssl_common.h \ ssl_verify.c ssl_verify.h ssl_verify_backend.h \ ssl_verify_openssl.c ssl_verify_openssl.h ssl_verify_mbedtls.c \ ssl_verify_mbedtls.h status.c status.h syshead.h tls_crypt.c \ tls_crypt.h tun.c tun.h win32.h win32.c cryptoapi.h \ cryptoapi.c $(am__append_2) openvpn_LDADD = $(top_builddir)/src/compat/libcompat.la \ $(SOCKETS_LIBS) $(OPTIONAL_LZO_LIBS) $(OPTIONAL_LZ4_LIBS) \ $(OPTIONAL_PKCS11_HELPER_LIBS) $(OPTIONAL_CRYPTO_LIBS) \ $(OPTIONAL_SELINUX_LIBS) $(OPTIONAL_SYSTEMD_LIBS) \ $(OPTIONAL_DL_LIBS) $(am__append_3) all: all-am .SUFFIXES: .SUFFIXES: .c .lo .mc .o .obj .rc $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(top_srcdir)/build/ltrc.inc $(am__configure_deps) @for dep in $?; do \ case '$(am__configure_deps)' in \ *$$dep*) \ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ && { if test -f $@; then exit 0; else break; fi; }; \ exit 1;; \ esac; \ done; \ echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/openvpn/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --foreign src/openvpn/Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ *) \ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ esac; $(top_srcdir)/build/ltrc.inc: $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(top_srcdir)/configure: $(am__configure_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(ACLOCAL_M4): $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(am__aclocal_m4_deps): install-sbinPROGRAMS: $(sbin_PROGRAMS) @$(NORMAL_INSTALL) @list='$(sbin_PROGRAMS)'; test -n "$(sbindir)" || list=; \ if test -n "$$list"; then \ echo " $(MKDIR_P) '$(DESTDIR)$(sbindir)'"; \ $(MKDIR_P) "$(DESTDIR)$(sbindir)" || exit 1; \ fi; \ for p in $$list; do echo "$$p $$p"; done | \ sed 's/$(EXEEXT)$$//' | \ while read p p1; do if test -f $$p \ || test -f $$p1 \ ; then echo "$$p"; echo "$$p"; else :; fi; \ done | \ sed -e 'p;s,.*/,,;n;h' \ -e 's|.*|.|' \ -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \ sed 'N;N;N;s,\n, ,g' | \ $(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \ { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \ if ($$2 == $$4) files[d] = files[d] " " $$1; \ else { print "f", $$3 "/" $$4, $$1; } } \ END { for (d in files) print "f", d, files[d] }' | \ while read type dir files; do \ if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \ test -z "$$files" || { \ echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(sbindir)$$dir'"; \ $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(sbindir)$$dir" || exit $$?; \ } \ ; done uninstall-sbinPROGRAMS: @$(NORMAL_UNINSTALL) @list='$(sbin_PROGRAMS)'; test -n "$(sbindir)" || list=; \ files=`for p in $$list; do echo "$$p"; done | \ sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \ -e 's/$$/$(EXEEXT)/' \ `; \ test -n "$$list" || exit 0; \ echo " ( cd '$(DESTDIR)$(sbindir)' && rm -f" $$files ")"; \ cd "$(DESTDIR)$(sbindir)" && rm -f $$files clean-sbinPROGRAMS: @list='$(sbin_PROGRAMS)'; test -n "$$list" || exit 0; \ echo " rm -f" $$list; \ rm -f $$list || exit $$?; \ test -n "$(EXEEXT)" || exit 0; \ list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \ echo " rm -f" $$list; \ rm -f $$list openvpn$(EXEEXT): $(openvpn_OBJECTS) $(openvpn_DEPENDENCIES) $(EXTRA_openvpn_DEPENDENCIES) @rm -f openvpn$(EXEEXT) $(AM_V_CCLD)$(LINK) $(openvpn_OBJECTS) $(openvpn_LDADD) $(LIBS) mostlyclean-compile: -rm -f *.$(OBJEXT) distclean-compile: -rm -f *.tab.c @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/argv.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/base64.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/block_dns.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/buffer.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/clinat.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/comp-lz4.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/comp.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/compstub.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/console.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/console_builtin.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/console_systemd.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/crypto.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/crypto_mbedtls.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/crypto_openssl.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cryptoapi.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/dhcp.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/error.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/event.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fdmisc.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/forward.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fragment.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gremlin.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/helper.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/httpdigest.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/init.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/interval.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/list.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/lladdr.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/lzo.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/manage.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mbuf.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/misc.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mroute.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mss.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mstats.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mtcp.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mtu.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mudp.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/multi.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ntlm.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/occ.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openvpn.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/options.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/otime.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/packet_id.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/perf.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pf.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ping.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs11.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs11_mbedtls.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs11_openssl.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/platform.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/plugin.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pool.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/proto.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/proxy.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ps.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/push.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/reliable.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/route.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/schedule.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/session_id.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/shaper.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sig.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/socket.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/socks.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ssl.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ssl_mbedtls.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ssl_openssl.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ssl_verify.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ssl_verify_mbedtls.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ssl_verify_openssl.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/status.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tls_crypt.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tun.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/win32.Po@am__quote@ .c.o: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< .c.obj: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` .c.lo: @am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $< mostlyclean-libtool: -rm -f *.lo clean-libtool: -rm -rf .libs _libs ID: $(am__tagged_files) $(am__define_uniq_tagged_files); mkid -fID $$unique tags: tags-am TAGS: tags tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) set x; \ here=`pwd`; \ $(am__define_uniq_tagged_files); \ shift; \ if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ test -n "$$unique" || unique=$$empty_fix; \ if test $$# -gt 0; then \ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ "$$@" $$unique; \ else \ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ $$unique; \ fi; \ fi ctags: ctags-am CTAGS: ctags ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) $(am__define_uniq_tagged_files); \ test -z "$(CTAGS_ARGS)$$unique" \ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ $$unique GTAGS: here=`$(am__cd) $(top_builddir) && pwd` \ && $(am__cd) $(top_srcdir) \ && gtags -i $(GTAGS_ARGS) "$$here" cscopelist: cscopelist-am cscopelist-am: $(am__tagged_files) list='$(am__tagged_files)'; \ case "$(srcdir)" in \ [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \ *) sdir=$(subdir)/$(srcdir) ;; \ esac; \ for i in $$list; do \ if test -f "$$i"; then \ echo "$(subdir)/$$i"; \ else \ echo "$$sdir/$$i"; \ fi; \ done >> $(top_builddir)/cscope.files distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags distdir: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ dist_files=`for file in $$list; do echo $$file; done | \ sed -e "s|^$$srcdirstrip/||;t" \ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ case $$dist_files in \ */*) $(MKDIR_P) `echo "$$dist_files" | \ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ sort -u` ;; \ esac; \ for file in $$dist_files; do \ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ if test -d $$d/$$file; then \ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ if test -d "$(distdir)/$$file"; then \ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ else \ test -f "$(distdir)/$$file" \ || cp -p $$d/$$file "$(distdir)/$$file" \ || exit 1; \ fi; \ done check-am: all-am check: check-am all-am: Makefile $(PROGRAMS) installdirs: for dir in "$(DESTDIR)$(sbindir)"; do \ test -z "$$dir" || $(MKDIR_P) "$$dir"; \ done install: install-am install-exec: install-exec-am install-data: install-data-am uninstall: uninstall-am install-am: all-am @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am installcheck: installcheck-am install-strip: if test -z '$(STRIP)'; then \ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ install; \ else \ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ fi mostlyclean-generic: clean-generic: distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @echo "it deletes files that may require special tools to rebuild." -test -z "$(MAINTAINERCLEANFILES)" || rm -f $(MAINTAINERCLEANFILES) clean: clean-am clean-am: clean-generic clean-libtool clean-sbinPROGRAMS \ mostlyclean-am distclean: distclean-am -rm -rf ./$(DEPDIR) -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags dvi: dvi-am dvi-am: html: html-am html-am: info: info-am info-am: install-data-am: install-dvi: install-dvi-am install-dvi-am: install-exec-am: install-sbinPROGRAMS install-html: install-html-am install-html-am: install-info: install-info-am install-info-am: install-man: install-pdf: install-pdf-am install-pdf-am: install-ps: install-ps-am install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-am -rm -rf ./$(DEPDIR) -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic mostlyclean: mostlyclean-am mostlyclean-am: mostlyclean-compile mostlyclean-generic \ mostlyclean-libtool pdf: pdf-am pdf-am: ps: ps-am ps-am: uninstall-am: uninstall-sbinPROGRAMS .MAKE: install-am install-strip .PHONY: CTAGS GTAGS TAGS all all-am check check-am clean clean-generic \ clean-libtool clean-sbinPROGRAMS cscopelist-am ctags ctags-am \ distclean distclean-compile distclean-generic \ distclean-libtool distclean-tags distdir dvi dvi-am html \ html-am info info-am install install-am install-data \ install-data-am install-dvi install-dvi-am install-exec \ install-exec-am install-html install-html-am install-info \ install-info-am install-man install-pdf install-pdf-am \ install-ps install-ps-am install-sbinPROGRAMS install-strip \ installcheck installcheck-am installdirs maintainer-clean \ maintainer-clean-generic mostlyclean mostlyclean-compile \ mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ tags tags-am uninstall uninstall-am uninstall-sbinPROGRAMS .rc.lo: $(LTRCCOMPILE) -i "$<" -o "$@" .rc.o: $(RCCOMPILE) -i "$<" -o "$@" .mc.rc: $(WINDMC) "$<" # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: openvpn-2.4.4/src/openvpn/argv.c000066400000000000000000000176111316434344000165750ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. * * * A printf-like function (that only recognizes a subset of standard printf * format operators) that prints arguments to an argv list instead * of a standard string. This is used to build up argv arrays for passing * to execve. */ #ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) #include "config-msvc.h" #endif #include "syshead.h" #include "argv.h" #include "integer.h" #include "options.h" static void argv_init(struct argv *a) { a->capacity = 0; a->argc = 0; a->argv = NULL; } struct argv argv_new(void) { struct argv ret; argv_init(&ret); return ret; } void argv_reset(struct argv *a) { size_t i; for (i = 0; i < a->argc; ++i) { free(a->argv[i]); } free(a->argv); argv_init(a); } static void argv_extend(struct argv *a, const size_t newcap) { if (newcap > a->capacity) { char **newargv; size_t i; ALLOC_ARRAY_CLEAR(newargv, char *, newcap); for (i = 0; i < a->argc; ++i) { newargv[i] = a->argv[i]; } free(a->argv); a->argv = newargv; a->capacity = newcap; } } static void argv_grow(struct argv *a, const size_t add) { const size_t newargc = a->argc + add + 1; ASSERT(newargc > a->argc); argv_extend(a, adjust_power_of_2(newargc)); } static void argv_append(struct argv *a, char *str) /* str must have been malloced or be NULL */ { argv_grow(a, 1); a->argv[a->argc++] = str; } static struct argv argv_clone(const struct argv *a, const size_t headroom) { struct argv r; size_t i; argv_init(&r); for (i = 0; i < headroom; ++i) { argv_append(&r, NULL); } if (a) { for (i = 0; i < a->argc; ++i) { argv_append(&r, string_alloc(a->argv[i], NULL)); } } return r; } struct argv argv_insert_head(const struct argv *a, const char *head) { struct argv r; r = argv_clone(a, 1); r.argv[0] = string_alloc(head, NULL); return r; } static char * argv_term(const char **f) { const char *p = *f; const char *term = NULL; size_t termlen = 0; if (*p == '\0') { return NULL; } while (true) { const int c = *p; if (c == '\0') { break; } if (term) { if (!isspace(c)) { ++termlen; } else { break; } } else { if (!isspace(c)) { term = p; termlen = 1; } } ++p; } *f = p; if (term) { char *ret; ASSERT(termlen > 0); ret = malloc(termlen + 1); check_malloc_return(ret); memcpy(ret, term, termlen); ret[termlen] = '\0'; return ret; } else { return NULL; } } const char * argv_str(const struct argv *a, struct gc_arena *gc, const unsigned int flags) { if (a->argv) { return print_argv((const char **)a->argv, gc, flags); } else { return ""; } } void argv_msg(const int msglev, const struct argv *a) { struct gc_arena gc = gc_new(); msg(msglev, "%s", argv_str(a, &gc, 0)); gc_free(&gc); } void argv_msg_prefix(const int msglev, const struct argv *a, const char *prefix) { struct gc_arena gc = gc_new(); msg(msglev, "%s: %s", prefix, argv_str(a, &gc, 0)); gc_free(&gc); } static void argv_printf_arglist(struct argv *a, const char *format, va_list arglist) { char *term; const char *f = format; argv_extend(a, 1); /* ensure trailing NULL */ while ((term = argv_term(&f)) != NULL) { if (term[0] == '%') { if (!strcmp(term, "%s")) { char *s = va_arg(arglist, char *); if (!s) { s = ""; } argv_append(a, string_alloc(s, NULL)); } else if (!strcmp(term, "%d")) { char numstr[64]; openvpn_snprintf(numstr, sizeof(numstr), "%d", va_arg(arglist, int)); argv_append(a, string_alloc(numstr, NULL)); } else if (!strcmp(term, "%u")) { char numstr[64]; openvpn_snprintf(numstr, sizeof(numstr), "%u", va_arg(arglist, unsigned int)); argv_append(a, string_alloc(numstr, NULL)); } else if (!strcmp(term, "%s/%d")) { char numstr[64]; char *s = va_arg(arglist, char *); if (!s) { s = ""; } openvpn_snprintf(numstr, sizeof(numstr), "%d", va_arg(arglist, int)); { const size_t len = strlen(s) + strlen(numstr) + 2; char *combined = (char *) malloc(len); check_malloc_return(combined); strcpy(combined, s); strcat(combined, "/"); strcat(combined, numstr); argv_append(a, combined); } } else if (!strcmp(term, "%s%sc")) { char *s1 = va_arg(arglist, char *); char *s2 = va_arg(arglist, char *); char *combined; if (!s1) { s1 = ""; } if (!s2) { s2 = ""; } combined = (char *) malloc(strlen(s1) + strlen(s2) + 1); check_malloc_return(combined); strcpy(combined, s1); strcat(combined, s2); argv_append(a, combined); } else { ASSERT(0); } free(term); } else { argv_append(a, term); } } } void argv_printf(struct argv *a, const char *format, ...) { va_list arglist; argv_reset(a); va_start(arglist, format); argv_printf_arglist(a, format, arglist); va_end(arglist); } void argv_printf_cat(struct argv *a, const char *format, ...) { va_list arglist; va_start(arglist, format); argv_printf_arglist(a, format, arglist); va_end(arglist); } void argv_parse_cmd(struct argv *a, const char *s) { int nparms; char *parms[MAX_PARMS + 1]; struct gc_arena gc = gc_new(); argv_reset(a); argv_extend(a, 1); /* ensure trailing NULL */ nparms = parse_line(s, parms, MAX_PARMS, "SCRIPT-ARGV", 0, D_ARGV_PARSE_CMD, &gc); if (nparms) { int i; for (i = 0; i < nparms; ++i) { argv_append(a, string_alloc(parms[i], NULL)); } } else { argv_append(a, string_alloc(s, NULL)); } gc_free(&gc); } openvpn-2.4.4/src/openvpn/argv.h000066400000000000000000000043421316434344000165770ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. * * * A printf-like function (that only recognizes a subset of standard printf * format operators) that prints arguments to an argv list instead * of a standard string. This is used to build up argv arrays for passing * to execve. */ #ifndef ARGV_H #define ARGV_H #include "buffer.h" struct argv { size_t capacity; size_t argc; char **argv; }; struct argv argv_new(void); void argv_reset(struct argv *a); const char *argv_str(const struct argv *a, struct gc_arena *gc, const unsigned int flags); struct argv argv_insert_head(const struct argv *a, const char *head); void argv_msg(const int msglev, const struct argv *a); void argv_msg_prefix(const int msglev, const struct argv *a, const char *prefix); void argv_parse_cmd(struct argv *a, const char *s); void argv_printf(struct argv *a, const char *format, ...) #ifdef __GNUC__ #if __USE_MINGW_ANSI_STDIO __attribute__ ((format(gnu_printf, 2, 3))) #else __attribute__ ((format(__printf__, 2, 3))) #endif #endif ; void argv_printf_cat(struct argv *a, const char *format, ...) #ifdef __GNUC__ #if __USE_MINGW_ANSI_STDIO __attribute__ ((format(gnu_printf, 2, 3))) #else __attribute__ ((format(__printf__, 2, 3))) #endif #endif ; #endif /* ifndef ARGV_H */ openvpn-2.4.4/src/openvpn/base64.c000066400000000000000000000114661316434344000167240ustar00rootroot00000000000000/* * Copyright (c) 1995-2001 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * 3. Neither the name of the Institute nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ #ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) #include "config-msvc.h" #endif #include "syshead.h" #include "base64.h" #include "memdbg.h" static char base64_chars[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"; /* * base64 encode input data of length size to malloced * buffer which is returned as *str. Returns string * length of *str. */ int openvpn_base64_encode(const void *data, int size, char **str) { char *s, *p; int i; int c; const unsigned char *q; if (size < 0) { return -1; } p = s = (char *) malloc(size * 4 / 3 + 4); if (p == NULL) { return -1; } q = (const unsigned char *) data; i = 0; for (i = 0; i < size; ) { c = q[i++]; c *= 256; if (i < size) { c += q[i]; } i++; c *= 256; if (i < size) { c += q[i]; } i++; p[0] = base64_chars[(c & 0x00fc0000) >> 18]; p[1] = base64_chars[(c & 0x0003f000) >> 12]; p[2] = base64_chars[(c & 0x00000fc0) >> 6]; p[3] = base64_chars[(c & 0x0000003f) >> 0]; if (i > size) { p[3] = '='; } if (i > size + 1) { p[2] = '='; } p += 4; } *p = 0; *str = s; return strlen(s); } static int pos(char c) { char *p; for (p = base64_chars; *p; p++) { if (*p == c) { return p - base64_chars; } } return -1; } #define DECODE_ERROR 0xffffffff static unsigned int token_decode(const char *token) { int i; unsigned int val = 0; int marker = 0; if (!token[0] || !token[1] || !token[2] || !token[3]) { return DECODE_ERROR; } for (i = 0; i < 4; i++) { val *= 64; if (token[i] == '=') { marker++; } else if (marker > 0) { return DECODE_ERROR; } else { val += pos(token[i]); } } if (marker > 2) { return DECODE_ERROR; } return (marker << 24) | val; } /* * Decode base64 str, outputting data to buffer * at data of length size. Return length of * decoded data written or -1 on error or overflow. */ int openvpn_base64_decode(const char *str, void *data, int size) { const char *p; unsigned char *q; unsigned char *e = NULL; q = data; if (size >= 0) { e = q + size; } for (p = str; *p && (*p == '=' || strchr(base64_chars, *p)); p += 4) { unsigned int val = token_decode(p); unsigned int marker = (val >> 24) & 0xff; if (val == DECODE_ERROR) { return -1; } if (e && q >= e) { return -1; } *q++ = (val >> 16) & 0xff; if (marker < 2) { if (e && q >= e) { return -1; } *q++ = (val >> 8) & 0xff; } if (marker < 1) { if (e && q >= e) { return -1; } *q++ = val & 0xff; } } return q - (unsigned char *) data; } openvpn-2.4.4/src/openvpn/base64.h000066400000000000000000000034501316434344000167230ustar00rootroot00000000000000/* * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * 3. Neither the name of the Institute nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ #ifndef _BASE64_H_ #define _BASE64_H_ int openvpn_base64_encode(const void *data, int size, char **str); int openvpn_base64_decode(const char *str, void *data, int size); #endif openvpn-2.4.4/src/openvpn/basic.h000066400000000000000000000025131316434344000167170ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifndef BASIC_H #define BASIC_H #define BOOL_CAST(x) ((x) ? (true) : (false)) /* size of an array */ #define SIZE(x) (sizeof(x)/sizeof(x[0])) /* clear an object (may be optimized away, use secure_memzero() to erase secrets) */ #define CLEAR(x) memset(&(x), 0, sizeof(x)) #define IPV4_NETMASK_HOST 0xffffffffU #endif openvpn-2.4.4/src/openvpn/block_dns.c000066400000000000000000000302641316434344000175730ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * 2015-2016 * 2016 Selva Nair * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) #include "config-msvc.h" #endif #ifdef HAVE_CONFIG_VERSION_H #include "config-version.h" #endif #include "syshead.h" #ifdef _WIN32 #include #include #include #include #include #include #include "block_dns.h" /* * WFP-related defines and GUIDs not in mingw32 */ #ifndef FWPM_SESSION_FLAG_DYNAMIC #define FWPM_SESSION_FLAG_DYNAMIC 0x00000001 #endif /* c38d57d1-05a7-4c33-904f-7fbceee60e82 */ DEFINE_GUID( FWPM_LAYER_ALE_AUTH_CONNECT_V4, 0xc38d57d1, 0x05a7, 0x4c33, 0x90, 0x4f, 0x7f, 0xbc, 0xee, 0xe6, 0x0e, 0x82 ); /* 4a72393b-319f-44bc-84c3-ba54dcb3b6b4 */ DEFINE_GUID( FWPM_LAYER_ALE_AUTH_CONNECT_V6, 0x4a72393b, 0x319f, 0x44bc, 0x84, 0xc3, 0xba, 0x54, 0xdc, 0xb3, 0xb6, 0xb4 ); /* d78e1e87-8644-4ea5-9437-d809ecefc971 */ DEFINE_GUID( FWPM_CONDITION_ALE_APP_ID, 0xd78e1e87, 0x8644, 0x4ea5, 0x94, 0x37, 0xd8, 0x09, 0xec, 0xef, 0xc9, 0x71 ); /* c35a604d-d22b-4e1a-91b4-68f674ee674b */ DEFINE_GUID( FWPM_CONDITION_IP_REMOTE_PORT, 0xc35a604d, 0xd22b, 0x4e1a, 0x91, 0xb4, 0x68, 0xf6, 0x74, 0xee, 0x67, 0x4b ); /* 4cd62a49-59c3-4969-b7f3-bda5d32890a4 */ DEFINE_GUID( FWPM_CONDITION_IP_LOCAL_INTERFACE, 0x4cd62a49, 0x59c3, 0x4969, 0xb7, 0xf3, 0xbd, 0xa5, 0xd3, 0x28, 0x90, 0xa4 ); /* UUID of WFP sublayer used by all instances of openvpn * 2f660d7e-6a37-11e6-a181-001e8c6e04a2 */ DEFINE_GUID( OPENVPN_BLOCK_OUTSIDE_DNS_SUBLAYER, 0x2f660d7e, 0x6a37, 0x11e6, 0xa1, 0x81, 0x00, 0x1e, 0x8c, 0x6e, 0x04, 0xa2 ); static WCHAR *FIREWALL_NAME = L"OpenVPN"; VOID NETIOAPI_API_ InitializeIpInterfaceEntry(PMIB_IPINTERFACE_ROW Row); /* * Default msg handler does nothing */ static inline void default_msg_handler(DWORD err, const char *msg) { return; } #define CHECK_ERROR(err, msg) \ if (err) { msg_handler(err, msg); goto out; } /* * Add a persistent sublayer with specified uuid. */ static DWORD add_sublayer(GUID uuid) { FWPM_SESSION0 session; HANDLE engine = NULL; DWORD err = 0; FWPM_SUBLAYER0 sublayer; memset(&session, 0, sizeof(session)); memset(&sublayer, 0, sizeof(sublayer)); err = FwpmEngineOpen0(NULL, RPC_C_AUTHN_WINNT, NULL, &session, &engine); if (err != ERROR_SUCCESS) { goto out; } sublayer.subLayerKey = uuid; sublayer.displayData.name = FIREWALL_NAME; sublayer.displayData.description = FIREWALL_NAME; sublayer.flags = 0; sublayer.weight = 0x100; /* Add sublayer to the session */ err = FwpmSubLayerAdd0(engine, &sublayer, NULL); out: if (engine) { FwpmEngineClose0(engine); } return err; } /* * Block outgoing port 53 traffic except for * (i) adapter with the specified index * OR * (ii) processes with the specified executable path * The firewall filters added here are automatically removed when the process exits or * on calling delete_block_dns_filters(). * Arguments: * engine_handle : On successful return contains the handle for a newly opened fwp session * in which the filters are added. * May be closed by passing to delete_block_dns_filters to remove the filters. * index : The index of adapter for which traffic is permitted. * exe_path : Path of executable for which traffic is permitted. * msg_handler : An optional callback function for error reporting. * Returns 0 on success, a non-zero status code of the last failed action on failure. */ DWORD add_block_dns_filters(HANDLE *engine_handle, int index, const WCHAR *exe_path, block_dns_msg_handler_t msg_handler ) { FWPM_SESSION0 session = {0}; FWPM_SUBLAYER0 *sublayer_ptr = NULL; NET_LUID tapluid; UINT64 filterid; FWP_BYTE_BLOB *openvpnblob = NULL; FWPM_FILTER0 Filter = {0}; FWPM_FILTER_CONDITION0 Condition[2] = {0}; DWORD err = 0; if (!msg_handler) { msg_handler = default_msg_handler; } /* Add temporary filters which don't survive reboots or crashes. */ session.flags = FWPM_SESSION_FLAG_DYNAMIC; *engine_handle = NULL; err = FwpmEngineOpen0(NULL, RPC_C_AUTHN_WINNT, NULL, &session, engine_handle); CHECK_ERROR(err, "FwpEngineOpen: open fwp session failed"); msg_handler(0, "Block_DNS: WFP engine opened"); /* Check sublayer exists and add one if it does not. */ if (FwpmSubLayerGetByKey0(*engine_handle, &OPENVPN_BLOCK_OUTSIDE_DNS_SUBLAYER, &sublayer_ptr) == ERROR_SUCCESS) { msg_handler(0, "Block_DNS: Using existing sublayer"); FwpmFreeMemory0((void **)&sublayer_ptr); } else { /* Add a new sublayer -- as another process may add it in the meantime, * do not treat "already exists" as an error */ err = add_sublayer(OPENVPN_BLOCK_OUTSIDE_DNS_SUBLAYER); if (err == FWP_E_ALREADY_EXISTS || err == ERROR_SUCCESS) { msg_handler(0, "Block_DNS: Added a persistent sublayer with pre-defined UUID"); } else { CHECK_ERROR(err, "add_sublayer: failed to add persistent sublayer"); } } err = ConvertInterfaceIndexToLuid(index, &tapluid); CHECK_ERROR(err, "Convert interface index to luid failed"); err = FwpmGetAppIdFromFileName0(exe_path, &openvpnblob); CHECK_ERROR(err, "Get byte blob for openvpn executable name failed"); /* Prepare filter. */ Filter.subLayerKey = OPENVPN_BLOCK_OUTSIDE_DNS_SUBLAYER; Filter.displayData.name = FIREWALL_NAME; Filter.weight.type = FWP_UINT8; Filter.weight.uint8 = 0xF; Filter.filterCondition = Condition; Filter.numFilterConditions = 2; /* First filter. Permit IPv4 DNS queries from OpenVPN itself. */ Filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V4; Filter.action.type = FWP_ACTION_PERMIT; Condition[0].fieldKey = FWPM_CONDITION_IP_REMOTE_PORT; Condition[0].matchType = FWP_MATCH_EQUAL; Condition[0].conditionValue.type = FWP_UINT16; Condition[0].conditionValue.uint16 = 53; Condition[1].fieldKey = FWPM_CONDITION_ALE_APP_ID; Condition[1].matchType = FWP_MATCH_EQUAL; Condition[1].conditionValue.type = FWP_BYTE_BLOB_TYPE; Condition[1].conditionValue.byteBlob = openvpnblob; err = FwpmFilterAdd0(*engine_handle, &Filter, NULL, &filterid); CHECK_ERROR(err, "Add filter to permit IPv4 port 53 traffic from OpenVPN failed"); /* Second filter. Permit IPv6 DNS queries from OpenVPN itself. */ Filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V6; err = FwpmFilterAdd0(*engine_handle, &Filter, NULL, &filterid); CHECK_ERROR(err, "Add filter to permit IPv6 port 53 traffic from OpenVPN failed"); msg_handler(0, "Block_DNS: Added permit filters for exe_path"); /* Third filter. Block all IPv4 DNS queries. */ Filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V4; Filter.action.type = FWP_ACTION_BLOCK; Filter.weight.type = FWP_EMPTY; Filter.numFilterConditions = 1; err = FwpmFilterAdd0(*engine_handle, &Filter, NULL, &filterid); CHECK_ERROR(err, "Add filter to block IPv4 DNS traffic failed"); /* Forth filter. Block all IPv6 DNS queries. */ Filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V6; err = FwpmFilterAdd0(*engine_handle, &Filter, NULL, &filterid); CHECK_ERROR(err, "Add filter to block IPv6 DNS traffic failed"); msg_handler(0, "Block_DNS: Added block filters for all interfaces"); /* Fifth filter. Permit IPv4 DNS queries from TAP. * Use a non-zero weight so that the permit filters get higher priority * over the block filter added with automatic weighting */ Filter.weight.type = FWP_UINT8; Filter.weight.uint8 = 0xE; Filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V4; Filter.action.type = FWP_ACTION_PERMIT; Filter.numFilterConditions = 2; Condition[1].fieldKey = FWPM_CONDITION_IP_LOCAL_INTERFACE; Condition[1].matchType = FWP_MATCH_EQUAL; Condition[1].conditionValue.type = FWP_UINT64; Condition[1].conditionValue.uint64 = &tapluid.Value; err = FwpmFilterAdd0(*engine_handle, &Filter, NULL, &filterid); CHECK_ERROR(err, "Add filter to permit IPv4 DNS traffic through TAP failed"); /* Sixth filter. Permit IPv6 DNS queries from TAP. * Use same weight as IPv4 filter */ Filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V6; err = FwpmFilterAdd0(*engine_handle, &Filter, NULL, &filterid); CHECK_ERROR(err, "Add filter to permit IPv6 DNS traffic through TAP failed"); msg_handler(0, "Block_DNS: Added permit filters for TAP interface"); out: if (openvpnblob) { FwpmFreeMemory0((void **)&openvpnblob); } if (err && *engine_handle) { FwpmEngineClose0(*engine_handle); *engine_handle = NULL; } return err; } DWORD delete_block_dns_filters(HANDLE engine_handle) { DWORD err = 0; /* * For dynamic sessions closing the engine removes all filters added in the session */ if (engine_handle) { err = FwpmEngineClose0(engine_handle); } return err; } /* * Returns interface metric value for specified interface index. * * Arguments: * index : The index of TAP adapter. * family : Address family (AF_INET for IPv4 and AF_INET6 for IPv6). * Returns positive metric value or zero for automatic metric on success, * a less then zero error code on failure. */ int get_interface_metric(const NET_IFINDEX index, const ADDRESS_FAMILY family) { DWORD err = 0; MIB_IPINTERFACE_ROW ipiface; InitializeIpInterfaceEntry(&ipiface); ipiface.Family = family; ipiface.InterfaceIndex = index; err = GetIpInterfaceEntry(&ipiface); if (err == NO_ERROR) { if (ipiface.UseAutomaticMetric) { return 0; } return ipiface.Metric; } return -err; } /* * Sets interface metric value for specified interface index. * * Arguments: * index : The index of TAP adapter. * family : Address family (AF_INET for IPv4 and AF_INET6 for IPv6). * metric : Metric value. 0 for automatic metric. * Returns 0 on success, a non-zero status code of the last failed action on failure. */ DWORD set_interface_metric(const NET_IFINDEX index, const ADDRESS_FAMILY family, const ULONG metric) { DWORD err = 0; MIB_IPINTERFACE_ROW ipiface; InitializeIpInterfaceEntry(&ipiface); ipiface.Family = family; ipiface.InterfaceIndex = index; err = GetIpInterfaceEntry(&ipiface); if (err == NO_ERROR) { if (family == AF_INET) { /* required for IPv4 as per MSDN */ ipiface.SitePrefixLength = 0; } ipiface.Metric = metric; if (metric == 0) { ipiface.UseAutomaticMetric = TRUE; } else { ipiface.UseAutomaticMetric = FALSE; } err = SetIpInterfaceEntry(&ipiface); if (err == NO_ERROR) { return 0; } } return err; } #endif /* ifdef _WIN32 */ openvpn-2.4.4/src/openvpn/block_dns.h000066400000000000000000000044471316434344000176040ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2016 Selva Nair * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifdef _WIN32 #ifndef OPENVPN_BLOCK_DNS_H #define OPENVPN_BLOCK_DNS_H /* Any value less than 5 should work fine. 3 is chosen without any real reason. */ #define BLOCK_DNS_IFACE_METRIC 3 typedef void (*block_dns_msg_handler_t) (DWORD err, const char *msg); DWORD delete_block_dns_filters(HANDLE engine); DWORD add_block_dns_filters(HANDLE *engine, int iface_index, const WCHAR *exe_path, block_dns_msg_handler_t msg_handler_callback); /** * Returns interface metric value for specified interface index. * * @param index The index of TAP adapter * @param family Address family (AF_INET for IPv4 and AF_INET6 for IPv6) * * @return positive metric value or zero for automatic metric on success, * a less then zero error code on failure. */ int get_interface_metric(const NET_IFINDEX index, const ADDRESS_FAMILY family); /** * Sets interface metric value for specified interface index. * * @param index The index of TAP adapter * @param family Address family (AF_INET for IPv4 and AF_INET6 for IPv6) * @param metric Metric value. 0 for automatic metric * * @return 0 on success, a non-zero status code of the last failed action on failure. */ DWORD set_interface_metric(const NET_IFINDEX index, const ADDRESS_FAMILY family, const ULONG metric); #endif #endif openvpn-2.4.4/src/openvpn/buffer.c000066400000000000000000000642721316434344000171140ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) #include "config-msvc.h" #endif #include "syshead.h" #include "common.h" #include "buffer.h" #include "error.h" #include "mtu.h" #include "misc.h" #include "memdbg.h" size_t array_mult_safe(const size_t m1, const size_t m2, const size_t extra) { const size_t limit = 0xFFFFFFFF; unsigned long long res = (unsigned long long)m1 * (unsigned long long)m2 + (unsigned long long)extra; if (unlikely(m1 > limit) || unlikely(m2 > limit) || unlikely(extra > limit) || unlikely(res > (unsigned long long)limit)) { msg(M_FATAL, "attemped allocation of excessively large array"); } return (size_t) res; } void buf_size_error(const size_t size) { msg(M_FATAL, "fatal buffer size error, size=%lu", (unsigned long)size); } struct buffer #ifdef DMALLOC alloc_buf_debug(size_t size, const char *file, int line) #else alloc_buf(size_t size) #endif { struct buffer buf; if (!buf_size_valid(size)) { buf_size_error(size); } buf.capacity = (int)size; buf.offset = 0; buf.len = 0; #ifdef DMALLOC buf.data = openvpn_dmalloc(file, line, size); #else buf.data = calloc(1, size); #endif check_malloc_return(buf.data); return buf; } struct buffer #ifdef DMALLOC alloc_buf_gc_debug(size_t size, struct gc_arena *gc, const char *file, int line) #else alloc_buf_gc(size_t size, struct gc_arena *gc) #endif { struct buffer buf; if (!buf_size_valid(size)) { buf_size_error(size); } buf.capacity = (int)size; buf.offset = 0; buf.len = 0; #ifdef DMALLOC buf.data = (uint8_t *) gc_malloc_debug(size, false, gc, file, line); #else buf.data = (uint8_t *) gc_malloc(size, false, gc); #endif if (size) { *buf.data = 0; } return buf; } struct buffer #ifdef DMALLOC clone_buf_debug(const struct buffer *buf, const char *file, int line) #else clone_buf(const struct buffer *buf) #endif { struct buffer ret; ret.capacity = buf->capacity; ret.offset = buf->offset; ret.len = buf->len; #ifdef DMALLOC ret.data = (uint8_t *) openvpn_dmalloc(file, line, buf->capacity); #else ret.data = (uint8_t *) malloc(buf->capacity); #endif check_malloc_return(ret.data); memcpy(BPTR(&ret), BPTR(buf), BLEN(buf)); return ret; } #ifdef BUF_INIT_TRACKING bool buf_init_debug(struct buffer *buf, int offset, const char *file, int line) { buf->debug_file = file; buf->debug_line = line; return buf_init_dowork(buf, offset); } static inline int buf_debug_line(const struct buffer *buf) { return buf->debug_line; } static const char * buf_debug_file(const struct buffer *buf) { return buf->debug_file; } #else /* ifdef BUF_INIT_TRACKING */ #define buf_debug_line(buf) 0 #define buf_debug_file(buf) "[UNDEF]" #endif /* ifdef BUF_INIT_TRACKING */ void buf_clear(struct buffer *buf) { if (buf->capacity > 0) { secure_memzero(buf->data, buf->capacity); } buf->len = 0; buf->offset = 0; } bool buf_assign(struct buffer *dest, const struct buffer *src) { if (!buf_init(dest, src->offset)) { return false; } return buf_write(dest, BPTR(src), BLEN(src)); } struct buffer clear_buf(void) { struct buffer buf; CLEAR(buf); return buf; } void free_buf(struct buffer *buf) { if (buf->data) { free(buf->data); } CLEAR(*buf); } /* * Return a buffer for write that is a subset of another buffer */ struct buffer buf_sub(struct buffer *buf, int size, bool prepend) { struct buffer ret; uint8_t *data; CLEAR(ret); data = prepend ? buf_prepend(buf, size) : buf_write_alloc(buf, size); if (data) { ret.capacity = size; ret.data = data; } return ret; } /* * printf append to a buffer with overflow check */ bool buf_printf(struct buffer *buf, const char *format, ...) { int ret = false; if (buf_defined(buf)) { va_list arglist; uint8_t *ptr = BEND(buf); int cap = buf_forward_capacity(buf); if (cap > 0) { int stat; va_start(arglist, format); stat = vsnprintf((char *)ptr, cap, format, arglist); va_end(arglist); *(buf->data + buf->capacity - 1) = 0; /* windows vsnprintf needs this */ buf->len += (int) strlen((char *)ptr); if (stat >= 0 && stat < cap) { ret = true; } } } return ret; } bool buf_puts(struct buffer *buf, const char *str) { int ret = false; uint8_t *ptr = BEND(buf); int cap = buf_forward_capacity(buf); if (cap > 0) { strncpynt((char *)ptr,str, cap); *(buf->data + buf->capacity - 1) = 0; /* windows vsnprintf needs this */ buf->len += (int) strlen((char *)ptr); ret = true; } return ret; } /* * This is necessary due to certain buggy implementations of snprintf, * that don't guarantee null termination for size > 0. * * Return false on overflow. * * This functionality is duplicated in src/openvpnserv/common.c * Any modifications here should be done to the other place as well. */ bool openvpn_snprintf(char *str, size_t size, const char *format, ...) { va_list arglist; int len = -1; if (size > 0) { va_start(arglist, format); len = vsnprintf(str, size, format, arglist); va_end(arglist); str[size - 1] = 0; } return (len >= 0 && len < size); } /* * write a string to the end of a buffer that was * truncated by buf_printf */ void buf_catrunc(struct buffer *buf, const char *str) { if (buf_forward_capacity(buf) <= 1) { int len = (int) strlen(str) + 1; if (len < buf_forward_capacity_total(buf)) { strncpynt((char *)(buf->data + buf->capacity - len), str, len); } } } /* * convert a multi-line output to one line */ void convert_to_one_line(struct buffer *buf) { uint8_t *cp = BPTR(buf); int len = BLEN(buf); while (len--) { if (*cp == '\n') { *cp = '|'; } ++cp; } } /* NOTE: requires that string be null terminated */ void buf_write_string_file(const struct buffer *buf, const char *filename, int fd) { const int len = strlen((char *) BPTR(buf)); const int size = write(fd, BPTR(buf), len); if (size != len) { msg(M_ERR, "Write error on file '%s'", filename); } } /* * Garbage collection */ void * #ifdef DMALLOC gc_malloc_debug(size_t size, bool clear, struct gc_arena *a, const char *file, int line) #else gc_malloc(size_t size, bool clear, struct gc_arena *a) #endif { void *ret; if (a) { struct gc_entry *e; #ifdef DMALLOC e = (struct gc_entry *) openvpn_dmalloc(file, line, size + sizeof(struct gc_entry)); #else e = (struct gc_entry *) malloc(size + sizeof(struct gc_entry)); #endif check_malloc_return(e); ret = (char *) e + sizeof(struct gc_entry); e->next = a->list; a->list = e; } else { #ifdef DMALLOC ret = openvpn_dmalloc(file, line, size); #else ret = malloc(size); #endif check_malloc_return(ret); } #ifndef ZERO_BUFFER_ON_ALLOC if (clear) #endif memset(ret, 0, size); return ret; } void x_gc_free(struct gc_arena *a) { struct gc_entry *e; e = a->list; a->list = NULL; while (e != NULL) { struct gc_entry *next = e->next; free(e); e = next; } } /* * Functions to handle special objects in gc_entries */ void x_gc_freespecial(struct gc_arena *a) { struct gc_entry_special *e; e = a->list_special; a->list_special = NULL; while (e != NULL) { struct gc_entry_special *next = e->next; e->free_fnc(e->addr); free(e); e = next; } } void gc_addspecial(void *addr, void(free_function)(void *), struct gc_arena *a) { ASSERT(a); struct gc_entry_special *e; #ifdef DMALLOC e = (struct gc_entry_special *) openvpn_dmalloc(file, line, sizeof(struct gc_entry_special)); #else e = (struct gc_entry_special *) malloc(sizeof(struct gc_entry_special)); #endif check_malloc_return(e); e->free_fnc = free_function; e->addr = addr; e->next = a->list_special; a->list_special = e; } /* * Transfer src arena to dest, resetting src to an empty arena. */ void gc_transfer(struct gc_arena *dest, struct gc_arena *src) { if (dest && src) { struct gc_entry *e = src->list; if (e) { while (e->next != NULL) { e = e->next; } e->next = dest->list; dest->list = src->list; src->list = NULL; } } } /* * Hex dump -- Output a binary buffer to a hex string and return it. */ char * format_hex_ex(const uint8_t *data, int size, int maxoutput, unsigned int space_break_flags, const char *separator, struct gc_arena *gc) { const size_t bytes_per_hexblock = space_break_flags & FHE_SPACE_BREAK_MASK; const size_t separator_len = separator ? strlen(separator) : 0; static_assert(INT_MAX <= SIZE_MAX, "Code assumes INT_MAX <= SIZE_MAX"); const size_t out_len = maxoutput > 0 ? maxoutput : ((size * 2) + ((size / bytes_per_hexblock) * separator_len) + 2); struct buffer out = alloc_buf_gc(out_len, gc); for (int i = 0; i < size; ++i) { if (separator && i && !(i % bytes_per_hexblock)) { buf_printf(&out, "%s", separator); } if (space_break_flags & FHE_CAPS) { buf_printf(&out, "%02X", data[i]); } else { buf_printf(&out, "%02x", data[i]); } } buf_catrunc(&out, "[more...]"); return (char *)out.data; } /* * remove specific trailing character */ void buf_rmtail(struct buffer *buf, uint8_t remove) { uint8_t *cp = BLAST(buf); if (cp && *cp == remove) { *cp = '\0'; --buf->len; } } /* * force a null termination even it requires * truncation of the last char. */ void buf_null_terminate(struct buffer *buf) { char *last = (char *) BLAST(buf); if (last && *last == '\0') /* already terminated? */ { return; } if (!buf_safe(buf, 1)) /* make space for trailing null */ { buf_inc_len(buf, -1); } buf_write_u8(buf, 0); } /* * Remove trailing \r and \n chars and ensure * null termination. */ void buf_chomp(struct buffer *buf) { while (true) { char *last = (char *) BLAST(buf); if (!last) { break; } if (char_class(*last, CC_CRLF|CC_NULL)) { if (!buf_inc_len(buf, -1)) { break; } } else { break; } } buf_null_terminate(buf); } const char * skip_leading_whitespace(const char *str) { while (*str) { const char c = *str; if (!(c == ' ' || c == '\t')) { break; } ++str; } return str; } /* * like buf_null_terminate, but operate on strings */ void string_null_terminate(char *str, int len, int capacity) { ASSERT(len >= 0 && len <= capacity && capacity > 0); if (len < capacity) { *(str + len) = '\0'; } else if (len == capacity) { *(str + len - 1) = '\0'; } } /* * Remove trailing \r and \n chars. */ void chomp(char *str) { rm_trailing_chars(str, "\r\n"); } /* * Remove trailing chars */ void rm_trailing_chars(char *str, const char *what_to_delete) { bool modified; do { const int len = strlen(str); modified = false; if (len > 0) { char *cp = str + (len - 1); if (strchr(what_to_delete, *cp) != NULL) { *cp = '\0'; modified = true; } } } while (modified); } /* * Allocate a string */ char * #ifdef DMALLOC string_alloc_debug(const char *str, struct gc_arena *gc, const char *file, int line) #else string_alloc(const char *str, struct gc_arena *gc) #endif { if (str) { const int n = strlen(str) + 1; char *ret; if (gc) { #ifdef DMALLOC ret = (char *) gc_malloc_debug(n, false, gc, file, line); #else ret = (char *) gc_malloc(n, false, gc); #endif } else { /* If there are no garbage collector available, it's expected * that the caller cleans up afterwards. This is coherent with the * earlier behaviour when gc_malloc() would be called with gc == NULL */ #ifdef DMALLOC ret = openvpn_dmalloc(file, line, n); memset(ret, 0, n); #else ret = calloc(1, n); #endif check_malloc_return(ret); } memcpy(ret, str, n); return ret; } else { return NULL; } } /* * Erase all characters in a string */ void string_clear(char *str) { if (str) { secure_memzero(str, strlen(str)); } } /* * Return the length of a string array */ int string_array_len(const char **array) { int i = 0; if (array) { while (array[i]) { ++i; } } return i; } char * print_argv(const char **p, struct gc_arena *gc, const unsigned int flags) { struct buffer out = alloc_buf_gc(256, gc); int i = 0; for (;; ) { const char *cp = *p++; if (!cp) { break; } if (i) { buf_printf(&out, " "); } if (flags & PA_BRACKET) { buf_printf(&out, "[%s]", cp); } else { buf_printf(&out, "%s", cp); } ++i; } return BSTR(&out); } /* * Allocate a string inside a buffer */ struct buffer #ifdef DMALLOC string_alloc_buf_debug(const char *str, struct gc_arena *gc, const char *file, int line) #else string_alloc_buf(const char *str, struct gc_arena *gc) #endif { struct buffer buf; ASSERT(str); #ifdef DMALLOC buf_set_read(&buf, (uint8_t *) string_alloc_debug(str, gc, file, line), strlen(str) + 1); #else buf_set_read(&buf, (uint8_t *) string_alloc(str, gc), strlen(str) + 1); #endif if (buf.len > 0) /* Don't count trailing '\0' as part of length */ { --buf.len; } return buf; } /* * String comparison */ bool buf_string_match_head_str(const struct buffer *src, const char *match) { const int size = strlen(match); if (size < 0 || size > src->len) { return false; } return memcmp(BPTR(src), match, size) == 0; } bool buf_string_compare_advance(struct buffer *src, const char *match) { if (buf_string_match_head_str(src, match)) { buf_advance(src, strlen(match)); return true; } else { return false; } } int buf_substring_len(const struct buffer *buf, int delim) { int i = 0; struct buffer tmp = *buf; int c; while ((c = buf_read_u8(&tmp)) >= 0) { ++i; if (c == delim) { return i; } } return -1; } /* * String parsing */ bool buf_parse(struct buffer *buf, const int delim, char *line, const int size) { bool eol = false; int n = 0; int c; ASSERT(size > 0); do { c = buf_read_u8(buf); if (c < 0) { eol = true; } if (c <= 0 || c == delim) { c = 0; } if (n >= size) { break; } line[n++] = c; } while (c); line[size-1] = '\0'; return !(eol && !strlen(line)); } /* * Print a string which might be NULL */ const char * np(const char *str) { if (str) { return str; } else { return "[NULL]"; } } /* * Classify and mutate strings based on character types. */ bool char_class(const unsigned char c, const unsigned int flags) { if (!flags) { return false; } if (flags & CC_ANY) { return true; } if ((flags & CC_NULL) && c == '\0') { return true; } if ((flags & CC_ALNUM) && isalnum(c)) { return true; } if ((flags & CC_ALPHA) && isalpha(c)) { return true; } if ((flags & CC_ASCII) && isascii(c)) { return true; } if ((flags & CC_CNTRL) && iscntrl(c)) { return true; } if ((flags & CC_DIGIT) && isdigit(c)) { return true; } if ((flags & CC_PRINT) && (c >= 32 && c != 127)) /* allow ascii non-control and UTF-8, consider DEL to be a control */ { return true; } if ((flags & CC_PUNCT) && ispunct(c)) { return true; } if ((flags & CC_SPACE) && isspace(c)) { return true; } if ((flags & CC_XDIGIT) && isxdigit(c)) { return true; } if ((flags & CC_BLANK) && (c == ' ' || c == '\t')) { return true; } if ((flags & CC_NEWLINE) && c == '\n') { return true; } if ((flags & CC_CR) && c == '\r') { return true; } if ((flags & CC_BACKSLASH) && c == '\\') { return true; } if ((flags & CC_UNDERBAR) && c == '_') { return true; } if ((flags & CC_DASH) && c == '-') { return true; } if ((flags & CC_DOT) && c == '.') { return true; } if ((flags & CC_COMMA) && c == ',') { return true; } if ((flags & CC_COLON) && c == ':') { return true; } if ((flags & CC_SLASH) && c == '/') { return true; } if ((flags & CC_SINGLE_QUOTE) && c == '\'') { return true; } if ((flags & CC_DOUBLE_QUOTE) && c == '\"') { return true; } if ((flags & CC_REVERSE_QUOTE) && c == '`') { return true; } if ((flags & CC_AT) && c == '@') { return true; } if ((flags & CC_EQUAL) && c == '=') { return true; } if ((flags & CC_LESS_THAN) && c == '<') { return true; } if ((flags & CC_GREATER_THAN) && c == '>') { return true; } if ((flags & CC_PIPE) && c == '|') { return true; } if ((flags & CC_QUESTION_MARK) && c == '?') { return true; } if ((flags & CC_ASTERISK) && c == '*') { return true; } return false; } static inline bool char_inc_exc(const char c, const unsigned int inclusive, const unsigned int exclusive) { return char_class(c, inclusive) && !char_class(c, exclusive); } bool string_class(const char *str, const unsigned int inclusive, const unsigned int exclusive) { char c; ASSERT(str); while ((c = *str++)) { if (!char_inc_exc(c, inclusive, exclusive)) { return false; } } return true; } /* * Modify string in place. * Guaranteed to not increase string length. */ bool string_mod(char *str, const unsigned int inclusive, const unsigned int exclusive, const char replace) { const char *in = str; bool ret = true; ASSERT(str); while (true) { char c = *in++; if (c) { if (!char_inc_exc(c, inclusive, exclusive)) { c = replace; ret = false; } if (c) { *str++ = c; } } else { *str = '\0'; break; } } return ret; } const char * string_mod_const(const char *str, const unsigned int inclusive, const unsigned int exclusive, const char replace, struct gc_arena *gc) { if (str) { char *buf = string_alloc(str, gc); string_mod(buf, inclusive, exclusive, replace); return buf; } else { return NULL; } } void string_replace_leading(char *str, const char match, const char replace) { ASSERT(match != '\0'); while (*str) { if (*str == match) { *str = replace; } else { break; } ++str; } } #ifdef CHARACTER_CLASS_DEBUG #define CC_INCLUDE (CC_PRINT) #define CC_EXCLUDE (0) #define CC_REPLACE ('.') void character_class_debug(void) { char buf[256]; while (fgets(buf, sizeof(buf), stdin) != NULL) { string_mod(buf, CC_INCLUDE, CC_EXCLUDE, CC_REPLACE); printf("%s", buf); } } #endif #ifdef VERIFY_ALIGNMENT void valign4(const struct buffer *buf, const char *file, const int line) { if (buf && buf->len) { int msglevel = D_ALIGN_DEBUG; const unsigned int u = (unsigned int) BPTR(buf); if (u & (PAYLOAD_ALIGN-1)) { msglevel = D_ALIGN_ERRORS; } msg(msglevel, "%sAlignment at %s/%d ptr=" ptr_format " OLC=%d/%d/%d I=%s/%d", (msglevel == D_ALIGN_ERRORS) ? "ERROR: " : "", file, line, (ptr_type)buf->data, buf->offset, buf->len, buf->capacity, buf_debug_file(buf), buf_debug_line(buf)); } } #endif /* ifdef VERIFY_ALIGNMENT */ /* * struct buffer_list */ struct buffer_list * buffer_list_new(const int max_size) { struct buffer_list *ret; ALLOC_OBJ_CLEAR(ret, struct buffer_list); ret->max_size = max_size; ret->size = 0; return ret; } void buffer_list_free(struct buffer_list *ol) { if (ol) { buffer_list_reset(ol); free(ol); } } bool buffer_list_defined(const struct buffer_list *ol) { return ol && ol->head != NULL; } void buffer_list_reset(struct buffer_list *ol) { struct buffer_entry *e = ol->head; while (e) { struct buffer_entry *next = e->next; free_buf(&e->buf); free(e); e = next; } ol->head = ol->tail = NULL; ol->size = 0; } void buffer_list_push(struct buffer_list *ol, const unsigned char *str) { if (str) { const size_t len = strlen((const char *)str); struct buffer_entry *e = buffer_list_push_data(ol, str, len+1); if (e) { e->buf.len = len; /* Don't count trailing '\0' as part of length */ } } } struct buffer_entry * buffer_list_push_data(struct buffer_list *ol, const uint8_t *data, size_t size) { struct buffer_entry *e = NULL; if (data && (!ol->max_size || ol->size < ol->max_size)) { ALLOC_OBJ_CLEAR(e, struct buffer_entry); ++ol->size; if (ol->tail) { ASSERT(ol->head); ol->tail->next = e; } else { ASSERT(!ol->head); ol->head = e; } e->buf = alloc_buf(size); memcpy(e->buf.data, data, size); e->buf.len = (int)size; ol->tail = e; } return e; } struct buffer * buffer_list_peek(struct buffer_list *ol) { if (ol && ol->head) { return &ol->head->buf; } else { return NULL; } } void buffer_list_aggregate_separator(struct buffer_list *bl, const size_t max, const char *sep) { int sep_len = strlen(sep); if (bl->head) { struct buffer_entry *more = bl->head; size_t size = 0; int count = 0; for (count = 0; more && size <= max; ++count) { size += BLEN(&more->buf) + sep_len; more = more->next; } if (count >= 2) { int i; struct buffer_entry *e = bl->head, *f; ALLOC_OBJ_CLEAR(f, struct buffer_entry); f->buf.data = malloc(size); check_malloc_return(f->buf.data); f->buf.capacity = size; for (i = 0; e && i < count; ++i) { struct buffer_entry *next = e->next; buf_copy(&f->buf, &e->buf); buf_write(&f->buf, sep, sep_len); free_buf(&e->buf); free(e); e = next; } bl->head = f; f->next = more; if (!more) { bl->tail = f; } } } } void buffer_list_aggregate(struct buffer_list *bl, const size_t max) { buffer_list_aggregate_separator(bl, max, ""); } void buffer_list_pop(struct buffer_list *ol) { if (ol && ol->head) { struct buffer_entry *e = ol->head->next; free_buf(&ol->head->buf); free(ol->head); ol->head = e; --ol->size; if (!e) { ol->tail = NULL; } } } void buffer_list_advance(struct buffer_list *ol, int n) { if (ol->head) { struct buffer *buf = &ol->head->buf; ASSERT(buf_advance(buf, n)); if (!BLEN(buf)) { buffer_list_pop(ol); } } } struct buffer_list * buffer_list_file(const char *fn, int max_line_len) { FILE *fp = platform_fopen(fn, "r"); struct buffer_list *bl = NULL; if (fp) { char *line = (char *) malloc(max_line_len); if (line) { bl = buffer_list_new(0); while (fgets(line, max_line_len, fp) != NULL) { buffer_list_push(bl, (unsigned char *)line); } free(line); } fclose(fp); } return bl; } openvpn-2.4.4/src/openvpn/buffer.h000066400000000000000000000637061316434344000171220ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifndef BUFFER_H #define BUFFER_H #include "basic.h" #include "error.h" #define BUF_SIZE_MAX 1000000 /* * Define verify_align function, otherwise * it will be a noop. */ /* #define VERIFY_ALIGNMENT */ /* * Keep track of source file/line of buf_init calls */ #ifdef VERIFY_ALIGNMENT #define BUF_INIT_TRACKING #endif /**************************************************************************/ /** * Wrapper structure for dynamically allocated memory. * * The actual content stored in a \c buffer structure starts at the memory * location \c buffer.data \c + \c buffer.offset, and has a length of \c * buffer.len bytes. This, together with the space available before and * after the content, is represented in the pseudocode below: * @code * uint8_t *content_start = buffer.data + buffer.offset; * uint8_t *content_end = buffer.data + buffer.offset + buffer.len; * int prepend_capacity = buffer.offset; * int append_capacity = buffer.capacity - (buffer.offset + buffer.len); * @endcode */ struct buffer { int capacity; /**< Size in bytes of memory allocated by * \c malloc(). */ int offset; /**< Offset in bytes of the actual content * within the allocated memory. */ int len; /**< Length in bytes of the actual content * within the allocated memory. */ uint8_t *data; /**< Pointer to the allocated memory. */ #ifdef BUF_INIT_TRACKING const char *debug_file; int debug_line; #endif }; /**************************************************************************/ /** * Garbage collection entry for one dynamically allocated block of memory. * * This structure represents one link in the linked list contained in a \c * gc_arena structure. Each time the \c gc_malloc() function is called, * it allocates \c sizeof(gc_entry) + the requested number of bytes. The * \c gc_entry is then stored as a header in front of the memory address * returned to the caller. */ struct gc_entry { struct gc_entry *next; /**< Pointer to the next item in the * linked list. */ }; /** * Garbage collection entry for a specially allocated structure that needs * a custom free function to be freed like struct addrinfo * */ struct gc_entry_special { struct gc_entry_special *next; void (*free_fnc)(void *); void *addr; }; /** * Garbage collection arena used to keep track of dynamically allocated * memory. * * This structure contains a linked list of \c gc_entry structures. When * a block of memory is allocated using the \c gc_malloc() function, the * allocation is registered in the function's \c gc_arena argument. All * the dynamically allocated memory registered in a \c gc_arena can be * freed using the \c gc_free() function. */ struct gc_arena { struct gc_entry *list; /**< First element of the linked list of * \c gc_entry structures. */ struct gc_entry_special *list_special; }; #define BPTR(buf) (buf_bptr(buf)) #define BEND(buf) (buf_bend(buf)) #define BLAST(buf) (buf_blast(buf)) #define BLEN(buf) (buf_len(buf)) #define BDEF(buf) (buf_defined(buf)) #define BSTR(buf) (buf_str(buf)) #define BCAP(buf) (buf_forward_capacity(buf)) void buf_clear(struct buffer *buf); struct buffer clear_buf(void); void free_buf(struct buffer *buf); bool buf_assign(struct buffer *dest, const struct buffer *src); void string_clear(char *str); int string_array_len(const char **array); size_t array_mult_safe(const size_t m1, const size_t m2, const size_t extra); #define PA_BRACKET (1<<0) char *print_argv(const char **p, struct gc_arena *gc, const unsigned int flags); void buf_size_error(const size_t size); /* for dmalloc debugging */ #ifdef DMALLOC #define alloc_buf(size) alloc_buf_debug(size, __FILE__, __LINE__) #define alloc_buf_gc(size, gc) alloc_buf_gc_debug(size, gc, __FILE__, __LINE__); #define clone_buf(buf) clone_buf_debug(buf, __FILE__, __LINE__); #define gc_malloc(size, clear, arena) gc_malloc_debug(size, clear, arena, __FILE__, __LINE__) #define string_alloc(str, gc) string_alloc_debug(str, gc, __FILE__, __LINE__) #define string_alloc_buf(str, gc) string_alloc_buf_debug(str, gc, __FILE__, __LINE__) struct buffer alloc_buf_debug(size_t size, const char *file, int line); struct buffer alloc_buf_gc_debug(size_t size, struct gc_arena *gc, const char *file, int line); struct buffer clone_buf_debug(const struct buffer *buf, const char *file, int line); void *gc_malloc_debug(size_t size, bool clear, struct gc_arena *a, const char *file, int line); char *string_alloc_debug(const char *str, struct gc_arena *gc, const char *file, int line); struct buffer string_alloc_buf_debug(const char *str, struct gc_arena *gc, const char *file, int line); #else /* ifdef DMALLOC */ struct buffer alloc_buf(size_t size); struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc); /* allocate buffer with garbage collection */ struct buffer clone_buf(const struct buffer *buf); void *gc_malloc(size_t size, bool clear, struct gc_arena *a); char *string_alloc(const char *str, struct gc_arena *gc); struct buffer string_alloc_buf(const char *str, struct gc_arena *gc); #endif /* ifdef DMALLOC */ void gc_addspecial(void *addr, void (*free_function)(void *), struct gc_arena *a); #ifdef BUF_INIT_TRACKING #define buf_init(buf, offset) buf_init_debug(buf, offset, __FILE__, __LINE__) bool buf_init_debug(struct buffer *buf, int offset, const char *file, int line); #else #define buf_init(buf, offset) buf_init_dowork(buf, offset) #endif /* inline functions */ inline static void gc_freeaddrinfo_callback(void *addr) { freeaddrinfo((struct addrinfo *) addr); } static inline bool buf_defined(const struct buffer *buf) { return buf->data != NULL; } static inline bool buf_valid(const struct buffer *buf) { return likely(buf->data != NULL) && likely(buf->len >= 0); } static inline uint8_t * buf_bptr(const struct buffer *buf) { if (buf_valid(buf)) { return buf->data + buf->offset; } else { return NULL; } } static int buf_len(const struct buffer *buf) { if (buf_valid(buf)) { return buf->len; } else { return 0; } } static inline uint8_t * buf_bend(const struct buffer *buf) { return buf_bptr(buf) + buf_len(buf); } static inline uint8_t * buf_blast(const struct buffer *buf) { if (buf_len(buf) > 0) { return buf_bptr(buf) + buf_len(buf) - 1; } else { return NULL; } } static inline bool buf_size_valid(const size_t size) { return likely(size < BUF_SIZE_MAX); } static inline bool buf_size_valid_signed(const int size) { return likely(size >= -BUF_SIZE_MAX) && likely(size < BUF_SIZE_MAX); } static inline char * buf_str(const struct buffer *buf) { return (char *)buf_bptr(buf); } static inline void buf_reset(struct buffer *buf) { buf->capacity = 0; buf->offset = 0; buf->len = 0; buf->data = NULL; } static inline void buf_reset_len(struct buffer *buf) { buf->len = 0; buf->offset = 0; } static inline bool buf_init_dowork(struct buffer *buf, int offset) { if (offset < 0 || offset > buf->capacity || buf->data == NULL) { return false; } buf->len = 0; buf->offset = offset; return true; } static inline void buf_set_write(struct buffer *buf, uint8_t *data, int size) { if (!buf_size_valid(size)) { buf_size_error(size); } buf->len = 0; buf->offset = 0; buf->capacity = size; buf->data = data; if (size > 0 && data) { *data = 0; } } static inline void buf_set_read(struct buffer *buf, const uint8_t *data, int size) { if (!buf_size_valid(size)) { buf_size_error(size); } buf->len = buf->capacity = size; buf->offset = 0; buf->data = (uint8_t *)data; } /* Like strncpy but makes sure dest is always null terminated */ static inline void strncpynt(char *dest, const char *src, size_t maxlen) { strncpy(dest, src, maxlen); if (maxlen > 0) { dest[maxlen - 1] = 0; } } /* return true if string contains at least one numerical digit */ static inline bool has_digit(const unsigned char *src) { unsigned char c; while ((c = *src++)) { if (isdigit(c)) { return true; } } return false; } /** * Securely zeroise memory. * * This code and description are based on code supplied by Zhaomo Yang, of the * University of California, San Diego (which was released into the public * domain). * * The secure_memzero function attempts to ensure that an optimizing compiler * does not remove the intended operation if cleared memory is not accessed * again by the program. This code has been tested under Clang 3.9.0 and GCC * 6.2 with optimization flags -O, -Os, -O0, -O1, -O2, and -O3 on * Ubuntu 16.04.1 LTS; under Clang 3.9.0 with optimization flags -O, -Os, * -O0, -O1, -O2, and -O3 on FreeBSD 10.2-RELEASE; under Microsoft Visual Studio * 2015 with optimization flags /O1, /O2 and /Ox on Windows 10. * * Theory of operation: * * 1. On Windows, use the SecureZeroMemory which ensures that data is * overwritten. * 2. Under GCC or Clang, use a memory barrier, which forces the preceding * memset to be carried out. The overhead of a memory barrier is usually * negligible. * 3. If none of the above are available, use the volatile pointer * technique to zero memory one byte at a time. * * @param data Pointer to data to zeroise. * @param len Length of data, in bytes. */ static inline void secure_memzero(void *data, size_t len) { #if defined(_WIN32) SecureZeroMemory(data, len); #elif defined(__GNUC__) || defined(__clang__) memset(data, 0, len); __asm__ __volatile__ ("" : : "r" (data) : "memory"); #else volatile char *p = (volatile char *) data; while (len--) { *p++ = 0; } #endif } /* * printf append to a buffer with overflow check, * due to usage of vsnprintf, it will leave space for * a final null character and thus use only * capacity - 1 */ bool buf_printf(struct buffer *buf, const char *format, ...) #ifdef __GNUC__ #if __USE_MINGW_ANSI_STDIO __attribute__ ((format(gnu_printf, 2, 3))) #else __attribute__ ((format(__printf__, 2, 3))) #endif #endif ; /* * puts append to a buffer with overflow check */ bool buf_puts(struct buffer *buf, const char *str); /* * Like snprintf but guarantees null termination for size > 0 */ bool openvpn_snprintf(char *str, size_t size, const char *format, ...) #ifdef __GNUC__ #if __USE_MINGW_ANSI_STDIO __attribute__ ((format(gnu_printf, 3, 4))) #else __attribute__ ((format(__printf__, 3, 4))) #endif #endif ; /* * remove/add trailing characters */ void buf_null_terminate(struct buffer *buf); void buf_chomp(struct buffer *buf); void buf_rmtail(struct buffer *buf, uint8_t remove); /* * non-buffer string functions */ void chomp(char *str); void rm_trailing_chars(char *str, const char *what_to_delete); const char *skip_leading_whitespace(const char *str); void string_null_terminate(char *str, int len, int capacity); /* * Write string in buf to file descriptor fd. * NOTE: requires that string be null terminated. */ void buf_write_string_file(const struct buffer *buf, const char *filename, int fd); /* * write a string to the end of a buffer that was * truncated by buf_printf */ void buf_catrunc(struct buffer *buf, const char *str); /* * convert a multi-line output to one line */ void convert_to_one_line(struct buffer *buf); /* * Parse a string based on a given delimiter char */ bool buf_parse(struct buffer *buf, const int delim, char *line, const int size); /* * Hex dump -- Output a binary buffer to a hex string and return it. */ #define FHE_SPACE_BREAK_MASK 0xFF /* space_break parameter in lower 8 bits */ #define FHE_CAPS 0x100 /* output hex in caps */ char * format_hex_ex(const uint8_t *data, int size, int maxoutput, unsigned int space_break_flags, const char *separator, struct gc_arena *gc); static inline char * format_hex(const uint8_t *data, int size, int maxoutput, struct gc_arena *gc) { return format_hex_ex(data, size, maxoutput, 4, " ", gc); } /* * Return a buffer that is a subset of another buffer. */ struct buffer buf_sub(struct buffer *buf, int size, bool prepend); /* * Check if sufficient space to append to buffer. */ static inline bool buf_safe(const struct buffer *buf, int len) { return buf_valid(buf) && buf_size_valid(len) && buf->offset + buf->len + len <= buf->capacity; } static inline bool buf_safe_bidir(const struct buffer *buf, int len) { if (buf_valid(buf) && buf_size_valid_signed(len)) { const int newlen = buf->len + len; return newlen >= 0 && buf->offset + newlen <= buf->capacity; } else { return false; } } static inline int buf_forward_capacity(const struct buffer *buf) { if (buf_valid(buf)) { int ret = buf->capacity - (buf->offset + buf->len); if (ret < 0) { ret = 0; } return ret; } else { return 0; } } static inline int buf_forward_capacity_total(const struct buffer *buf) { if (buf_valid(buf)) { int ret = buf->capacity - buf->offset; if (ret < 0) { ret = 0; } return ret; } else { return 0; } } static inline int buf_reverse_capacity(const struct buffer *buf) { if (buf_valid(buf)) { return buf->offset; } else { return 0; } } static inline bool buf_inc_len(struct buffer *buf, int inc) { if (!buf_safe_bidir(buf, inc)) { return false; } buf->len += inc; return true; } /* * Make space to prepend to a buffer. * Return NULL if no space. */ static inline uint8_t * buf_prepend(struct buffer *buf, int size) { if (!buf_valid(buf) || size < 0 || size > buf->offset) { return NULL; } buf->offset -= size; buf->len += size; return BPTR(buf); } static inline bool buf_advance(struct buffer *buf, int size) { if (!buf_valid(buf) || size < 0 || buf->len < size) { return false; } buf->offset += size; buf->len -= size; return true; } /* * Return a pointer to allocated space inside a buffer. * Return NULL if no space. */ static inline uint8_t * buf_write_alloc(struct buffer *buf, int size) { uint8_t *ret; if (!buf_safe(buf, size)) { return NULL; } ret = BPTR(buf) + buf->len; buf->len += size; return ret; } static inline uint8_t * buf_write_alloc_prepend(struct buffer *buf, int size, bool prepend) { return prepend ? buf_prepend(buf, size) : buf_write_alloc(buf, size); } static inline uint8_t * buf_read_alloc(struct buffer *buf, int size) { uint8_t *ret; if (size < 0 || buf->len < size) { return NULL; } ret = BPTR(buf); buf->offset += size; buf->len -= size; return ret; } static inline bool buf_write(struct buffer *dest, const void *src, int size) { uint8_t *cp = buf_write_alloc(dest, size); if (!cp) { return false; } memcpy(cp, src, size); return true; } static inline bool buf_write_prepend(struct buffer *dest, const void *src, int size) { uint8_t *cp = buf_prepend(dest, size); if (!cp) { return false; } memcpy(cp, src, size); return true; } static inline bool buf_write_u8(struct buffer *dest, int data) { uint8_t u8 = (uint8_t) data; return buf_write(dest, &u8, sizeof(uint8_t)); } static inline bool buf_write_u16(struct buffer *dest, int data) { uint16_t u16 = htons((uint16_t) data); return buf_write(dest, &u16, sizeof(uint16_t)); } static inline bool buf_write_u32(struct buffer *dest, int data) { uint32_t u32 = htonl((uint32_t) data); return buf_write(dest, &u32, sizeof(uint32_t)); } static inline bool buf_copy(struct buffer *dest, const struct buffer *src) { return buf_write(dest, BPTR(src), BLEN(src)); } static inline bool buf_copy_n(struct buffer *dest, struct buffer *src, int n) { uint8_t *cp = buf_read_alloc(src, n); if (!cp) { return false; } return buf_write(dest, cp, n); } static inline bool buf_copy_range(struct buffer *dest, int dest_index, const struct buffer *src, int src_index, int src_len) { if (src_index < 0 || src_len < 0 || src_index + src_len > src->len || dest_index < 0 || dest->offset + dest_index + src_len > dest->capacity) { return false; } memcpy(dest->data + dest->offset + dest_index, src->data + src->offset + src_index, src_len); if (dest_index + src_len > dest->len) { dest->len = dest_index + src_len; } return true; } /* truncate src to len, copy excess data beyond len to dest */ static inline bool buf_copy_excess(struct buffer *dest, struct buffer *src, int len) { if (len < 0) { return false; } if (src->len > len) { struct buffer b = *src; src->len = len; if (!buf_advance(&b, len)) { return false; } return buf_copy(dest, &b); } else { return true; } } static inline bool buf_read(struct buffer *src, void *dest, int size) { uint8_t *cp = buf_read_alloc(src, size); if (!cp) { return false; } memcpy(dest, cp, size); return true; } static inline int buf_read_u8(struct buffer *buf) { int ret; if (BLEN(buf) < 1) { return -1; } ret = *BPTR(buf); buf_advance(buf, 1); return ret; } static inline int buf_read_u16(struct buffer *buf) { uint16_t ret; if (!buf_read(buf, &ret, sizeof(uint16_t))) { return -1; } return ntohs(ret); } static inline uint32_t buf_read_u32(struct buffer *buf, bool *good) { uint32_t ret; if (!buf_read(buf, &ret, sizeof(uint32_t))) { if (good) { *good = false; } return 0; } else { if (good) { *good = true; } return ntohl(ret); } } /** * Compare src buffer contents with match. * *NOT* constant time. Do not use when comparing HMACs. */ static inline bool buf_string_match(const struct buffer *src, const void *match, int size) { if (size != src->len) { return false; } return memcmp(BPTR(src), match, size) == 0; } /** * Compare first size bytes of src buffer contents with match. * *NOT* constant time. Do not use when comparing HMACs. */ static inline bool buf_string_match_head(const struct buffer *src, const void *match, int size) { if (size < 0 || size > src->len) { return false; } return memcmp(BPTR(src), match, size) == 0; } bool buf_string_match_head_str(const struct buffer *src, const char *match); bool buf_string_compare_advance(struct buffer *src, const char *match); int buf_substring_len(const struct buffer *buf, int delim); /* * Print a string which might be NULL */ const char *np(const char *str); /*#define CHARACTER_CLASS_DEBUG*/ /* character classes */ #define CC_ANY (1<<0) #define CC_NULL (1<<1) #define CC_ALNUM (1<<2) #define CC_ALPHA (1<<3) #define CC_ASCII (1<<4) #define CC_CNTRL (1<<5) #define CC_DIGIT (1<<6) #define CC_PRINT (1<<7) #define CC_PUNCT (1<<8) #define CC_SPACE (1<<9) #define CC_XDIGIT (1<<10) #define CC_BLANK (1<<11) #define CC_NEWLINE (1<<12) #define CC_CR (1<<13) #define CC_BACKSLASH (1<<14) #define CC_UNDERBAR (1<<15) #define CC_DASH (1<<16) #define CC_DOT (1<<17) #define CC_COMMA (1<<18) #define CC_COLON (1<<19) #define CC_SLASH (1<<20) #define CC_SINGLE_QUOTE (1<<21) #define CC_DOUBLE_QUOTE (1<<22) #define CC_REVERSE_QUOTE (1<<23) #define CC_AT (1<<24) #define CC_EQUAL (1<<25) #define CC_LESS_THAN (1<<26) #define CC_GREATER_THAN (1<<27) #define CC_PIPE (1<<28) #define CC_QUESTION_MARK (1<<29) #define CC_ASTERISK (1<<30) /* macro classes */ #define CC_NAME (CC_ALNUM|CC_UNDERBAR) #define CC_CRLF (CC_CR|CC_NEWLINE) bool char_class(const unsigned char c, const unsigned int flags); bool string_class(const char *str, const unsigned int inclusive, const unsigned int exclusive); bool string_mod(char *str, const unsigned int inclusive, const unsigned int exclusive, const char replace); const char *string_mod_const(const char *str, const unsigned int inclusive, const unsigned int exclusive, const char replace, struct gc_arena *gc); void string_replace_leading(char *str, const char match, const char replace); /** Return true iff str starts with prefix */ static inline bool strprefix(const char *str, const char *prefix) { return 0 == strncmp(str, prefix, strlen(prefix)); } #ifdef CHARACTER_CLASS_DEBUG void character_class_debug(void); #endif /* * Verify that a pointer is correctly aligned */ #ifdef VERIFY_ALIGNMENT void valign4(const struct buffer *buf, const char *file, const int line); #define verify_align_4(ptr) valign4(buf, __FILE__, __LINE__) #else #define verify_align_4(ptr) #endif /* * Very basic garbage collection, mostly for routines that return * char ptrs to malloced strings. */ void gc_transfer(struct gc_arena *dest, struct gc_arena *src); void x_gc_free(struct gc_arena *a); void x_gc_freespecial(struct gc_arena *a); static inline bool gc_defined(struct gc_arena *a) { return a->list != NULL; } static inline void gc_init(struct gc_arena *a) { a->list = NULL; a->list_special = NULL; } static inline void gc_detach(struct gc_arena *a) { gc_init(a); } static inline struct gc_arena gc_new(void) { struct gc_arena ret; gc_init(&ret); return ret; } static inline void gc_free(struct gc_arena *a) { if (a->list) { x_gc_free(a); } if (a->list_special) { x_gc_freespecial(a); } } static inline void gc_reset(struct gc_arena *a) { gc_free(a); } /* * Allocate memory to hold a structure */ #define ALLOC_OBJ(dptr, type) \ { \ check_malloc_return((dptr) = (type *) malloc(sizeof(type))); \ } #define ALLOC_OBJ_CLEAR(dptr, type) \ { \ ALLOC_OBJ(dptr, type); \ memset((dptr), 0, sizeof(type)); \ } #define ALLOC_ARRAY(dptr, type, n) \ { \ check_malloc_return((dptr) = (type *) malloc(array_mult_safe(sizeof(type), (n), 0))); \ } #define ALLOC_ARRAY_GC(dptr, type, n, gc) \ { \ (dptr) = (type *) gc_malloc(array_mult_safe(sizeof(type), (n), 0), false, (gc)); \ } #define ALLOC_ARRAY_CLEAR(dptr, type, n) \ { \ ALLOC_ARRAY(dptr, type, n); \ memset((dptr), 0, (array_mult_safe(sizeof(type), (n), 0))); \ } #define ALLOC_ARRAY_CLEAR_GC(dptr, type, n, gc) \ { \ (dptr) = (type *) gc_malloc(array_mult_safe(sizeof(type), (n), 0), true, (gc)); \ } #define ALLOC_VAR_ARRAY_CLEAR_GC(dptr, type, atype, n, gc) \ { \ (dptr) = (type *) gc_malloc(array_mult_safe(sizeof(atype), (n), sizeof(type)), true, (gc)); \ } #define ALLOC_OBJ_GC(dptr, type, gc) \ { \ (dptr) = (type *) gc_malloc(sizeof(type), false, (gc)); \ } #define ALLOC_OBJ_CLEAR_GC(dptr, type, gc) \ { \ (dptr) = (type *) gc_malloc(sizeof(type), true, (gc)); \ } static inline void check_malloc_return(const void *p) { if (!p) { out_of_memory(); } } /* * Manage lists of buffers */ struct buffer_entry { struct buffer buf; struct buffer_entry *next; }; struct buffer_list { struct buffer_entry *head; /* next item to pop/peek */ struct buffer_entry *tail; /* last item pushed */ int size; /* current number of entries */ int max_size; /* maximum size list should grow to */ }; struct buffer_list *buffer_list_new(const int max_size); void buffer_list_free(struct buffer_list *ol); bool buffer_list_defined(const struct buffer_list *ol); void buffer_list_reset(struct buffer_list *ol); void buffer_list_push(struct buffer_list *ol, const unsigned char *str); struct buffer_entry *buffer_list_push_data(struct buffer_list *ol, const uint8_t *data, size_t size); struct buffer *buffer_list_peek(struct buffer_list *ol); void buffer_list_advance(struct buffer_list *ol, int n); void buffer_list_pop(struct buffer_list *ol); void buffer_list_aggregate(struct buffer_list *bl, const size_t max); void buffer_list_aggregate_separator(struct buffer_list *bl, const size_t max, const char *sep); struct buffer_list *buffer_list_file(const char *fn, int max_line_len); #endif /* BUFFER_H */ openvpn-2.4.4/src/openvpn/circ_list.h000066400000000000000000000045241316434344000176150ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifndef CIRC_LIST_H #define CIRC_LIST_H #include "basic.h" #include "integer.h" #include "error.h" #define CIRC_LIST(name, type) \ struct name { \ int x_head; \ int x_size; \ int x_cap; \ int x_sizeof; \ type x_list[EMPTY_ARRAY_SIZE]; \ } #define CIRC_LIST_PUSH(obj, item) \ { \ (obj)->x_head = modulo_add((obj)->x_head, -1, (obj)->x_cap); \ (obj)->x_list[(obj)->x_head] = (item); \ (obj)->x_size = min_int((obj)->x_size + 1, (obj)->x_cap); \ } #define CIRC_LIST_SIZE(obj) \ ((obj)->x_size) #define CIRC_LIST_INDEX(obj, index) \ modulo_add((obj)->x_head, \ index_verify((index), (obj)->x_size, __FILE__, __LINE__), \ (obj)->x_cap) #define CIRC_LIST_ITEM(obj, index) \ ((obj)->x_list[CIRC_LIST_INDEX((obj), (index))]) #define CIRC_LIST_RESET(obj) \ { \ (obj)->x_head = 0; \ (obj)->x_size = 0; \ } #define CIRC_LIST_ALLOC(dest, list_type, size) \ { \ const int so = sizeof(list_type) + sizeof((dest)->x_list[0]) * (size); \ (dest) = (list_type *) malloc(so); \ check_malloc_return(dest); \ memset((dest), 0, so); \ (dest)->x_cap = size; \ (dest)->x_sizeof = so; \ } #define CIRC_LIST_FREE(dest) \ free(dest) #endif /* ifndef CIRC_LIST_H */ openvpn-2.4.4/src/openvpn/clinat.c000066400000000000000000000161761316434344000171150ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) #include "config-msvc.h" #endif #include "syshead.h" #include "clinat.h" #include "proto.h" #include "socket.h" #include "memdbg.h" static bool add_entry(struct client_nat_option_list *dest, const struct client_nat_entry *e) { if (dest->n >= MAX_CLIENT_NAT) { msg(M_WARN, "WARNING: client-nat table overflow (max %d entries)", MAX_CLIENT_NAT); return false; } else { dest->entries[dest->n++] = *e; return true; } } void print_client_nat_list(const struct client_nat_option_list *list, int msglevel) { struct gc_arena gc = gc_new(); int i; msg(msglevel, "*** CNAT list"); if (list) { for (i = 0; i < list->n; ++i) { const struct client_nat_entry *e = &list->entries[i]; msg(msglevel, " CNAT[%d] t=%d %s/%s/%s", i, e->type, print_in_addr_t(e->network, IA_NET_ORDER, &gc), print_in_addr_t(e->netmask, IA_NET_ORDER, &gc), print_in_addr_t(e->foreign_network, IA_NET_ORDER, &gc)); } } gc_free(&gc); } struct client_nat_option_list * new_client_nat_list(struct gc_arena *gc) { struct client_nat_option_list *ret; ALLOC_OBJ_CLEAR_GC(ret, struct client_nat_option_list, gc); return ret; } struct client_nat_option_list * clone_client_nat_option_list(const struct client_nat_option_list *src, struct gc_arena *gc) { struct client_nat_option_list *ret; ALLOC_OBJ_GC(ret, struct client_nat_option_list, gc); *ret = *src; return ret; } void copy_client_nat_option_list(struct client_nat_option_list *dest, const struct client_nat_option_list *src) { int i; for (i = 0; i < src->n; ++i) { if (!add_entry(dest, &src->entries[i])) { break; } } } void add_client_nat_to_option_list(struct client_nat_option_list *dest, const char *type, const char *network, const char *netmask, const char *foreign_network, int msglevel) { struct client_nat_entry e; bool ok; if (!strcmp(type, "snat")) { e.type = CN_SNAT; } else if (!strcmp(type, "dnat")) { e.type = CN_DNAT; } else { msg(msglevel, "client-nat: type must be 'snat' or 'dnat'"); return; } e.network = getaddr(0, network, 0, &ok, NULL); if (!ok) { msg(msglevel, "client-nat: bad network: %s", network); return; } e.netmask = getaddr(0, netmask, 0, &ok, NULL); if (!ok) { msg(msglevel, "client-nat: bad netmask: %s", netmask); return; } e.foreign_network = getaddr(0, foreign_network, 0, &ok, NULL); if (!ok) { msg(msglevel, "client-nat: bad foreign network: %s", foreign_network); return; } add_entry(dest, &e); } #if 0 static void print_checksum(struct openvpn_iphdr *iph, const char *prefix) { uint16_t *sptr; unsigned int sum = 0; int i = 0; for (sptr = (uint16_t *)iph; (uint8_t *)sptr < (uint8_t *)iph + sizeof(struct openvpn_iphdr); sptr++) { i += 1; sum += *sptr; } msg(M_INFO, "** CKSUM[%d] %s %08x", i, prefix, sum); } #endif static void print_pkt(struct openvpn_iphdr *iph, const char *prefix, const int direction, const int msglevel) { struct gc_arena gc = gc_new(); char *dirstr = "???"; if (direction == CN_OUTGOING) { dirstr = "OUT"; } else if (direction == CN_INCOMING) { dirstr = "IN"; } msg(msglevel, "** CNAT %s %s %s -> %s", dirstr, prefix, print_in_addr_t(iph->saddr, IA_NET_ORDER, &gc), print_in_addr_t(iph->daddr, IA_NET_ORDER, &gc)); gc_free(&gc); } void client_nat_transform(const struct client_nat_option_list *list, struct buffer *ipbuf, const int direction) { struct ip_tcp_udp_hdr *h = (struct ip_tcp_udp_hdr *) BPTR(ipbuf); int i; uint32_t addr, *addr_ptr; const uint32_t *from, *to; int accumulate = 0; unsigned int amask; unsigned int alog = 0; if (check_debug_level(D_CLIENT_NAT)) { print_pkt(&h->ip, "BEFORE", direction, D_CLIENT_NAT); } for (i = 0; i < list->n; ++i) { const struct client_nat_entry *e = &list->entries[i]; /* current NAT rule */ if (e->type ^ direction) { addr = *(addr_ptr = &h->ip.daddr); amask = 2; } else { addr = *(addr_ptr = &h->ip.saddr); amask = 1; } if (direction) { from = &e->foreign_network; to = &e->network; } else { from = &e->network; to = &e->foreign_network; } if (((addr & e->netmask) == *from) && !(amask & alog)) { /* pre-adjust IP checksum */ ADD_CHECKSUM_32(accumulate, addr); /* do NAT transform */ addr = (addr & ~e->netmask) | *to; /* post-adjust IP checksum */ SUB_CHECKSUM_32(accumulate, addr); /* write the modified address to packet */ *addr_ptr = addr; /* mark as modified */ alog |= amask; } } if (alog) { if (check_debug_level(D_CLIENT_NAT)) { print_pkt(&h->ip, "AFTER", direction, D_CLIENT_NAT); } ADJUST_CHECKSUM(accumulate, h->ip.check); if (h->ip.protocol == OPENVPN_IPPROTO_TCP) { if (BLEN(ipbuf) >= sizeof(struct openvpn_iphdr) + sizeof(struct openvpn_tcphdr)) { ADJUST_CHECKSUM(accumulate, h->u.tcp.check); } } else if (h->ip.protocol == OPENVPN_IPPROTO_UDP) { if (BLEN(ipbuf) >= sizeof(struct openvpn_iphdr) + sizeof(struct openvpn_udphdr)) { ADJUST_CHECKSUM(accumulate, h->u.udp.check); } } } } openvpn-2.4.4/src/openvpn/clinat.h000066400000000000000000000045151316434344000171140ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #if !defined(CLINAT_H) #define CLINAT_H #include "buffer.h" #define MAX_CLIENT_NAT 64 #define CN_OUTGOING 0 #define CN_INCOMING 1 struct client_nat_entry { #define CN_SNAT 0 #define CN_DNAT 1 int type; in_addr_t network; in_addr_t netmask; in_addr_t foreign_network; }; struct client_nat_option_list { int n; struct client_nat_entry entries[MAX_CLIENT_NAT]; }; struct client_nat_option_list *new_client_nat_list(struct gc_arena *gc); struct client_nat_option_list *clone_client_nat_option_list(const struct client_nat_option_list *src, struct gc_arena *gc); void copy_client_nat_option_list(struct client_nat_option_list *dest, const struct client_nat_option_list *src); void print_client_nat_list(const struct client_nat_option_list *list, int msglevel); void add_client_nat_to_option_list(struct client_nat_option_list *dest, const char *type, const char *network, const char *netmask, const char *foreign_network, int msglevel); void client_nat_transform(const struct client_nat_option_list *list, struct buffer *ipbuf, const int direction); #endif /* if !defined(CLINAT_H) */ openvpn-2.4.4/src/openvpn/common.h000066400000000000000000000055321316434344000171320ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifndef COMMON_H #define COMMON_H /* * Statistics counters and associated printf formats. */ #ifdef USE_64_BIT_COUNTERS typedef unsigned long long int counter_type; #ifdef _WIN32 #define counter_format "%I64u" #else #define counter_format "%llu" #endif #else /* ifdef USE_64_BIT_COUNTERS */ typedef unsigned int counter_type; #define counter_format "%u" #endif /* * Time intervals */ typedef int interval_t; /* * Used as an upper bound for timeouts. */ #define BIG_TIMEOUT (60*60*24*7) /* one week (in seconds) */ /* * Printf formats for special types */ #ifdef _WIN64 #define ptr_format "0x%I64x" #else #define ptr_format "0x%08lx" #endif #define time_format "%lu" #define fragment_header_format "0x%08x" /* these are used to cast the arguments * and MUST match the formats above */ typedef unsigned long time_type; #ifdef _WIN64 typedef unsigned long long ptr_type; #else typedef unsigned long ptr_type; #endif /* the --client-config-dir default file */ #define CCD_DEFAULT "DEFAULT" /* * This parameter controls the TLS channel buffer size and the * maximum size of a single TLS message (cleartext). * This parameter must be >= PUSH_BUNDLE_SIZE */ #define TLS_CHANNEL_BUF_SIZE 2048 /* * This parameter controls the maximum size of a bundle * of pushed options. */ #define PUSH_BUNDLE_SIZE 1024 /* * In how many seconds does client re-send PUSH_REQUEST if we haven't yet received a reply */ #define PUSH_REQUEST_INTERVAL 5 /* * A sort of pseudo-filename for data provided inline within * the configuration file. */ #define INLINE_FILE_TAG "[[INLINE]]" /* * Script security warning */ #define SCRIPT_SECURITY_WARNING "WARNING: External program may not be called unless '--script-security 2' or higher is enabled. See --help text or man page for detailed info." #endif /* ifndef COMMON_H */ openvpn-2.4.4/src/openvpn/comp-lz4.c000066400000000000000000000172041316434344000173010ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * Copyright (C) 2013-2017 Gert Doering * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) #include "config-msvc.h" #endif #include "syshead.h" #if defined(ENABLE_LZ4) #if defined(NEED_COMPAT_LZ4) #include "compat-lz4.h" #else #include "lz4.h" #endif #include "comp.h" #include "error.h" #include "memdbg.h" static void lz4_compress_init(struct compress_context *compctx) { msg(D_INIT_MEDIUM, "LZ4 compression initializing"); ASSERT(compctx->flags & COMP_F_SWAP); } static void lz4v2_compress_init(struct compress_context *compctx) { msg(D_INIT_MEDIUM, "LZ4v2 compression initializing"); } static void lz4_compress_uninit(struct compress_context *compctx) { } static bool do_lz4_compress(struct buffer *buf, struct buffer *work, struct compress_context *compctx, const struct frame *frame) { /* * In order to attempt compression, length must be at least COMPRESS_THRESHOLD. */ if (buf->len >= COMPRESS_THRESHOLD) { const size_t ps = PAYLOAD_SIZE(frame); int zlen_max = ps + COMP_EXTRA_BUFFER(ps); int zlen; ASSERT(buf_init(work, FRAME_HEADROOM(frame))); ASSERT(buf_safe(work, zlen_max)); if (buf->len > ps) { dmsg(D_COMP_ERRORS, "LZ4 compression buffer overflow"); buf->len = 0; return false; } zlen = LZ4_compress_default((const char *)BPTR(buf), (char *)BPTR(work), BLEN(buf), zlen_max); if (zlen <= 0) { dmsg(D_COMP_ERRORS, "LZ4 compression error"); buf->len = 0; return false; } ASSERT(buf_safe(work, zlen)); work->len = zlen; dmsg(D_COMP, "LZ4 compress %d -> %d", buf->len, work->len); compctx->pre_compress += buf->len; compctx->post_compress += work->len; return true; } return false; } static void lz4_compress(struct buffer *buf, struct buffer work, struct compress_context *compctx, const struct frame *frame) { bool compressed; if (buf->len <= 0) { return; } compressed = do_lz4_compress(buf, &work, compctx, frame); /* On error do_lz4_compress sets buf len to zero, just return */ if (buf->len == 0) { return; } /* did compression save us anything? */ { uint8_t comp_head_byte = NO_COMPRESS_BYTE_SWAP; if (compressed && work.len < buf->len) { *buf = work; comp_head_byte = LZ4_COMPRESS_BYTE; } { uint8_t *head = BPTR(buf); uint8_t *tail = BEND(buf); ASSERT(buf_safe(buf, 1)); ++buf->len; /* move head byte of payload to tail */ *tail = *head; *head = comp_head_byte; } } } static void lz4v2_compress(struct buffer *buf, struct buffer work, struct compress_context *compctx, const struct frame *frame) { bool compressed; if (buf->len <= 0) { return; } compressed = do_lz4_compress(buf, &work, compctx, frame); /* On Error just return */ if (buf->len == 0) { return; } /* did compression save us anything? Include 2 byte compression header * in calculation */ if (compressed && work.len + 2 < buf->len) { ASSERT(buf_prepend(&work, 2)); uint8_t *head = BPTR(&work); head[0] = COMP_ALGV2_INDICATOR_BYTE; head[1] = COMP_ALGV2_LZ4_BYTE; *buf = work; } else { compv2_escape_data_ifneeded(buf); } } static void do_lz4_decompress(size_t zlen_max, struct buffer *work, struct buffer *buf, struct compress_context *compctx) { int uncomp_len; ASSERT(buf_safe(work, zlen_max)); uncomp_len = LZ4_decompress_safe((const char *)BPTR(buf), (char *)BPTR(work), (size_t)BLEN(buf), zlen_max); if (uncomp_len <= 0) { dmsg(D_COMP_ERRORS, "LZ4 decompression error: %d", uncomp_len); buf->len = 0; return; } ASSERT(buf_safe(work, uncomp_len)); work->len = uncomp_len; dmsg(D_COMP, "LZ4 decompress %d -> %d", buf->len, work->len); compctx->pre_decompress += buf->len; compctx->post_decompress += work->len; *buf = *work; } static void lz4_decompress(struct buffer *buf, struct buffer work, struct compress_context *compctx, const struct frame *frame) { size_t zlen_max = EXPANDED_SIZE(frame); uint8_t c; /* flag indicating whether or not our peer compressed */ if (buf->len <= 0) { return; } ASSERT(buf_init(&work, FRAME_HEADROOM(frame))); /* do unframing/swap (assumes buf->len > 0) */ { uint8_t *head = BPTR(buf); c = *head; --buf->len; *head = *BEND(buf); } if (c == LZ4_COMPRESS_BYTE) /* packet was compressed */ { do_lz4_decompress(zlen_max, &work, buf, compctx); } else if (c == NO_COMPRESS_BYTE_SWAP) /* packet was not compressed */ { } else { dmsg(D_COMP_ERRORS, "Bad LZ4 decompression header byte: %d", c); buf->len = 0; } } static void lz4v2_decompress(struct buffer *buf, struct buffer work, struct compress_context *compctx, const struct frame *frame) { size_t zlen_max = EXPANDED_SIZE(frame); uint8_t c; /* flag indicating whether or not our peer compressed */ if (buf->len <= 0) { return; } ASSERT(buf_init(&work, FRAME_HEADROOM(frame))); /* do unframing/swap (assumes buf->len > 0) */ uint8_t *head = BPTR(buf); c = *head; /* Not compressed */ if (c != COMP_ALGV2_INDICATOR_BYTE) { return; } /* Packet to short to make sense */ if (buf->len <= 1) { buf->len = 0; return; } c = head[1]; if (c == COMP_ALGV2_LZ4_BYTE) /* packet was compressed */ { buf_advance(buf,2); do_lz4_decompress(zlen_max, &work, buf, compctx); } else if (c == COMP_ALGV2_UNCOMPRESSED_BYTE) { buf_advance(buf,2); } else { dmsg(D_COMP_ERRORS, "Bad LZ4v2 decompression header byte: %d", c); buf->len = 0; } } const struct compress_alg lz4_alg = { "lz4", lz4_compress_init, lz4_compress_uninit, lz4_compress, lz4_decompress }; const struct compress_alg lz4v2_alg = { "lz4v2", lz4v2_compress_init, lz4_compress_uninit, lz4v2_compress, lz4v2_decompress }; #else /* if defined(ENABLE_LZ4) */ static void dummy(void) { } #endif /* ENABLE_LZ4 */ openvpn-2.4.4/src/openvpn/comp-lz4.h000066400000000000000000000025161316434344000173060ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * Copyright (C) 2013-2017 Gert Doering * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifndef OPENVPN_COMP_LZ4_H #define OPENVPN_COMP_LZ4_H #if defined(ENABLE_LZ4) #include "buffer.h" extern const struct compress_alg lz4_alg; extern const struct compress_alg lz4v2_alg; struct lz4_workspace { int dummy; }; #endif /* ENABLE_LZ4 */ #endif openvpn-2.4.4/src/openvpn/comp.c000066400000000000000000000114011316434344000165630ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) #include "config-msvc.h" #endif #include "syshead.h" #ifdef USE_COMP #include "comp.h" #include "error.h" #include "otime.h" #include "memdbg.h" struct compress_context * comp_init(const struct compress_options *opt) { struct compress_context *compctx = NULL; switch (opt->alg) { case COMP_ALG_STUB: ALLOC_OBJ_CLEAR(compctx, struct compress_context); compctx->flags = opt->flags; compctx->alg = comp_stub_alg; break; case COMP_ALGV2_UNCOMPRESSED: ALLOC_OBJ_CLEAR(compctx, struct compress_context); compctx->flags = opt->flags; compctx->alg = compv2_stub_alg; break; #ifdef ENABLE_LZO case COMP_ALG_LZO: ALLOC_OBJ_CLEAR(compctx, struct compress_context); compctx->flags = opt->flags; compctx->alg = lzo_alg; break; #endif #ifdef ENABLE_LZ4 case COMP_ALG_LZ4: ALLOC_OBJ_CLEAR(compctx, struct compress_context); compctx->flags = opt->flags; compctx->alg = lz4_alg; break; case COMP_ALGV2_LZ4: ALLOC_OBJ_CLEAR(compctx, struct compress_context); compctx->flags = opt->flags; compctx->alg = lz4v2_alg; break; #endif } if (compctx) { (*compctx->alg.compress_init)(compctx); } return compctx; } /* In the v2 compression schemes, an uncompressed packet has * has no opcode in front, unless the first byte is 0x50. In this * case the packet needs to be escaped */ void compv2_escape_data_ifneeded(struct buffer *buf) { uint8_t *head = BPTR(buf); if (head[0] != COMP_ALGV2_INDICATOR_BYTE) { return; } /* Header is 0x50 */ ASSERT(buf_prepend(buf, 2)); head = BPTR(buf); head[0] = COMP_ALGV2_INDICATOR_BYTE; head[1] = COMP_ALGV2_UNCOMPRESSED; } void comp_uninit(struct compress_context *compctx) { if (compctx) { (*compctx->alg.compress_uninit)(compctx); free(compctx); } } void comp_add_to_extra_frame(struct frame *frame) { /* Leave room for our one-byte compressed/didn't-compress prefix byte. */ frame_add_to_extra_frame(frame, COMP_PREFIX_LEN); } void comp_add_to_extra_buffer(struct frame *frame) { /* Leave room for compression buffer to expand in worst case scenario * where data is totally uncompressible */ frame_add_to_extra_buffer(frame, COMP_EXTRA_BUFFER(EXPANDED_SIZE(frame))); } void comp_print_stats(const struct compress_context *compctx, struct status_output *so) { if (compctx) { status_printf(so, "pre-compress bytes," counter_format, compctx->pre_compress); status_printf(so, "post-compress bytes," counter_format, compctx->post_compress); status_printf(so, "pre-decompress bytes," counter_format, compctx->pre_decompress); status_printf(so, "post-decompress bytes," counter_format, compctx->post_decompress); } } /* * Tell our peer which compression algorithms we support. */ void comp_generate_peer_info_string(const struct compress_options *opt, struct buffer *out) { if (opt) { bool lzo_avail = false; if (!(opt->flags & COMP_F_ADVERTISE_STUBS_ONLY)) { #if defined(ENABLE_LZ4) buf_printf(out, "IV_LZ4=1\n"); buf_printf(out, "IV_LZ4v2=1\n"); #endif #if defined(ENABLE_LZO) buf_printf(out, "IV_LZO=1\n"); lzo_avail = true; #endif } if (!lzo_avail) { buf_printf(out, "IV_LZO_STUB=1\n"); } buf_printf(out, "IV_COMP_STUB=1\n"); buf_printf(out, "IV_COMP_STUBv2=1\n"); buf_printf(out, "IV_TCPNL=1\n"); } } #endif /* USE_COMP */ openvpn-2.4.4/src/openvpn/comp.h000066400000000000000000000125511316434344000165770ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ /* * Generic compression support. Currently we support * LZO 2 and LZ4. */ #ifndef OPENVPN_COMP_H #define OPENVPN_COMP_H #ifdef USE_COMP #include "buffer.h" #include "mtu.h" #include "common.h" #include "status.h" /* algorithms */ #define COMP_ALG_UNDEF 0 #define COMP_ALG_STUB 1 /* support compression command byte and framing without actual compression */ #define COMP_ALG_LZO 2 /* LZO algorithm */ #define COMP_ALG_SNAPPY 3 /* Snappy algorithm (no longer supported) */ #define COMP_ALG_LZ4 4 /* LZ4 algorithm */ /* algorithm v2 */ #define COMP_ALGV2_UNCOMPRESSED 10 #define COMP_ALGV2_LZ4 11 /* #define COMP_ALGV2_LZO 12 #define COMP_ALGV2_SNAPPY 13 */ /* Compression flags */ #define COMP_F_ADAPTIVE (1<<0) /* COMP_ALG_LZO only */ #define COMP_F_ASYM (1<<1) /* only downlink is compressed, not uplink */ #define COMP_F_SWAP (1<<2) /* initial command byte is swapped with last byte in buffer to preserve payload alignment */ #define COMP_F_ADVERTISE_STUBS_ONLY (1<<3) /* tell server that we only support compression stubs */ /* * Length of prepended prefix on compressed packets */ #define COMP_PREFIX_LEN 1 /* * Prefix bytes */ /* V1 on wire codes */ /* Initial command byte to tell our peer if we compressed */ #define LZO_COMPRESS_BYTE 0x66 #define LZ4_COMPRESS_BYTE 0x69 #define NO_COMPRESS_BYTE 0xFA #define NO_COMPRESS_BYTE_SWAP 0xFB /* to maintain payload alignment, replace this byte with last byte of packet */ /* V2 on wire code */ #define COMP_ALGV2_INDICATOR_BYTE 0x50 #define COMP_ALGV2_UNCOMPRESSED_BYTE 0 #define COMP_ALGV2_LZ4_BYTE 1 #define COMP_ALGV2_LZO_BYTE 2 #define COMP_ALGV2_SNAPPY_BYTE 3 /* * Compress worst case size expansion (for any algorithm) * * LZO: len + len/8 + 128 + 3 * Snappy: len + len/6 + 32 * LZ4: len + len/255 + 16 (LZ4_COMPRESSBOUND(len)) */ #define COMP_EXTRA_BUFFER(len) ((len)/6 + 128 + 3 + COMP_PREFIX_LEN) /* * Don't try to compress any packet smaller than this. */ #define COMPRESS_THRESHOLD 100 /* Forward declaration of compression context */ struct compress_context; /* * Virtual methods and other static info for each compression algorithm */ struct compress_alg { const char *name; void (*compress_init)(struct compress_context *compctx); void (*compress_uninit)(struct compress_context *compctx); void (*compress)(struct buffer *buf, struct buffer work, struct compress_context *compctx, const struct frame *frame); void (*decompress)(struct buffer *buf, struct buffer work, struct compress_context *compctx, const struct frame *frame); }; /* * Headers for each compression implementation */ #ifdef ENABLE_LZO #include "lzo.h" #endif #ifdef ENABLE_LZ4 #include "comp-lz4.h" #endif /* * Information that basically identifies a compression * algorithm and related flags. */ struct compress_options { int alg; unsigned int flags; }; /* * Workspace union of all supported compression algorithms */ union compress_workspace_union { #ifdef ENABLE_LZO struct lzo_compress_workspace lzo; #endif #ifdef ENABLE_LZ4 struct lz4_workspace lz4; #endif }; /* * Context for active compression session */ struct compress_context { unsigned int flags; struct compress_alg alg; union compress_workspace_union wu; /* statistics */ counter_type pre_decompress; counter_type post_decompress; counter_type pre_compress; counter_type post_compress; }; extern const struct compress_alg comp_stub_alg; extern const struct compress_alg compv2_stub_alg; struct compress_context *comp_init(const struct compress_options *opt); void comp_uninit(struct compress_context *compctx); void comp_add_to_extra_frame(struct frame *frame); void comp_add_to_extra_buffer(struct frame *frame); void comp_print_stats(const struct compress_context *compctx, struct status_output *so); void comp_generate_peer_info_string(const struct compress_options *opt, struct buffer *out); void compv2_escape_data_ifneeded(struct buffer *buf); static inline bool comp_enabled(const struct compress_options *info) { return info->alg != COMP_ALG_UNDEF; } static inline bool comp_unswapped_prefix(const struct compress_options *info) { return !(info->flags & COMP_F_SWAP); } #endif /* USE_COMP */ #endif /* ifndef OPENVPN_COMP_H */ openvpn-2.4.4/src/openvpn/compstub.c000066400000000000000000000102331316434344000174630ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) #include "config-msvc.h" #endif #include "syshead.h" #if defined(USE_COMP) #include "comp.h" #include "error.h" #include "otime.h" #include "memdbg.h" static void stub_compress_init(struct compress_context *compctx) { } static void stub_compress_uninit(struct compress_context *compctx) { } static void stub_compress(struct buffer *buf, struct buffer work, struct compress_context *compctx, const struct frame *frame) { if (buf->len <= 0) { return; } if (compctx->flags & COMP_F_SWAP) { uint8_t *head = BPTR(buf); uint8_t *tail = BEND(buf); ASSERT(buf_safe(buf, 1)); ++buf->len; /* move head byte of payload to tail */ *tail = *head; *head = NO_COMPRESS_BYTE_SWAP; } else { uint8_t *header = buf_prepend(buf, 1); *header = NO_COMPRESS_BYTE; } } static void stub_decompress(struct buffer *buf, struct buffer work, struct compress_context *compctx, const struct frame *frame) { uint8_t c; if (buf->len <= 0) { return; } if (compctx->flags & COMP_F_SWAP) { uint8_t *head = BPTR(buf); c = *head; --buf->len; *head = *BEND(buf); if (c != NO_COMPRESS_BYTE_SWAP) { dmsg(D_COMP_ERRORS, "Bad compression stub (swap) decompression header byte: %d", c); buf->len = 0; } } else { c = *BPTR(buf); ASSERT(buf_advance(buf, 1)); if (c != NO_COMPRESS_BYTE) { dmsg(D_COMP_ERRORS, "Bad compression stub decompression header byte: %d", c); buf->len = 0; } } } static void stubv2_compress(struct buffer *buf, struct buffer work, struct compress_context *compctx, const struct frame *frame) { if (buf->len <= 0) { return; } compv2_escape_data_ifneeded(buf); } static void stubv2_decompress(struct buffer *buf, struct buffer work, struct compress_context *compctx, const struct frame *frame) { if (buf->len <= 0) { return; } uint8_t *head = BPTR(buf); /* no compression or packet to short*/ if (head[0] != COMP_ALGV2_INDICATOR_BYTE) { return; } /* compression header (0x50) is present */ buf_advance(buf, 1); /* Packet buffer too short (only 1 byte) */ if (buf->len <= 0) { return; } head = BPTR(buf); buf_advance(buf, 1); if (head[0] != COMP_ALGV2_UNCOMPRESSED_BYTE) { dmsg(D_COMP_ERRORS, "Bad compression stubv2 decompression header byte: %d", *head); buf->len = 0; return; } } const struct compress_alg compv2_stub_alg = { "stubv2", stub_compress_init, stub_compress_uninit, stubv2_compress, stubv2_decompress }; const struct compress_alg comp_stub_alg = { "stub", stub_compress_init, stub_compress_uninit, stub_compress, stub_decompress }; #else /* if defined(USE_COMP) */ static void dummy(void) { } #endif /* USE_STUB */ openvpn-2.4.4/src/openvpn/console.c000066400000000000000000000046531316434344000173020ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * Copyright (C) 2014-2015 David Sommerseth * Copyright (C) 2016-2017 David Sommerseth * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) #include "config-msvc.h" #endif #include "syshead.h" #include "console.h" #include "error.h" #include "buffer.h" #include "misc.h" #ifdef ENABLE_SYSTEMD #include #endif struct _query_user query_user[QUERY_USER_NUMSLOTS]; /* GLOBAL */ void query_user_clear(void) { int i; for (i = 0; i < QUERY_USER_NUMSLOTS; i++) { CLEAR(query_user[i]); } } void query_user_add(char *prompt, size_t prompt_len, char *resp, size_t resp_len, bool echo) { int i; /* Ensure input is sane. All these must be present otherwise it is * a programming error. */ ASSERT( prompt_len > 0 && prompt != NULL && resp_len > 0 && resp != NULL ); /* Seek to the last unused slot */ for (i = 0; i < QUERY_USER_NUMSLOTS; i++) { if (query_user[i].prompt == NULL) { break; } } ASSERT( i < QUERY_USER_NUMSLOTS ); /* Unlikely, but we want to panic if it happens */ /* Save the information needed for the user interaction */ query_user[i].prompt = prompt; query_user[i].prompt_len = prompt_len; query_user[i].response = resp; query_user[i].response_len = resp_len; query_user[i].echo = echo; } openvpn-2.4.4/src/openvpn/console.h000066400000000000000000000073501316434344000173040ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * Copyright (C) 2014-2015 David Sommerseth * Copyright (C) 2016-2017 David Sommerseth * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifndef CONSOLE_H #define CONSOLE_H #include "basic.h" /** * Configuration setup for declaring what kind of information to ask a user for */ struct _query_user { char *prompt; /**< Prompt to present to the user */ size_t prompt_len; /**< Lenght of the prompt string */ char *response; /**< The user's response */ size_t response_len; /**< Lenght the of the user reposone */ bool echo; /**< True: The user should see what is being typed, otherwise mask it */ }; #define QUERY_USER_NUMSLOTS 10 extern struct _query_user query_user[]; /**< Global variable, declared in console.c */ /** * Wipes all data put into all of the query_user structs * */ void query_user_clear(void); /** * Adds an item to ask the user for * * @param prompt Prompt to display to the user * @param prompt_len Length of the prompt string * @param resp String containing the user response * @param resp_len Lenght of the response string * @param echo Should the user input be echoed to the user? If False, input will be masked * */ void query_user_add(char *prompt, size_t prompt_len, char *resp, size_t resp_len, bool echo); /** * Executes a configured setup, using the built-in method for querying the user. * This method uses the console/TTY directly. * * @param setup Pointer to the setup defining what to ask the user * * @return True if executing all the defined steps completed successfully */ bool query_user_exec_builtin(void); #if defined(ENABLE_SYSTEMD) /** * Executes a configured setup, using the compiled method for querying the user * * @param setup Pointer to the setup defining what to ask the user * * @return True if executing all the defined steps completed successfully */ bool query_user_exec(void); #else /* ENABLE_SYSTEMD not defined*/ /** * Wrapper function enabling query_user_exec() if no alternative methods have * been enabled * */ static bool query_user_exec(void) { return query_user_exec_builtin(); } #endif /* defined(ENABLE_SYSTEMD) */ /** * A plain "make Gert happy" wrapper. Same arguments as @query_user_add * * FIXME/TODO: Remove this when refactoring the complete user query process * to be called at start-up initialization of OpenVPN. * */ static inline bool query_user_SINGLE(char *prompt, size_t prompt_len, char *resp, size_t resp_len, bool echo) { query_user_clear(); query_user_add(prompt, prompt_len, resp, resp_len, echo); return query_user_exec(); } #endif /* ifndef CONSOLE_H */ openvpn-2.4.4/src/openvpn/console_builtin.c000066400000000000000000000170371316434344000210300ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * Copyright (C) 2014-2015 David Sommerseth * Copyright (C) 2016-2017 David Sommerseth * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ /* * These functions covers handing user input/output using the default consoles * */ #ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) #include "config-msvc.h" #endif #include "syshead.h" #include "console.h" #include "error.h" #include "buffer.h" #include "misc.h" #ifdef _WIN32 #include "win32.h" /** * Get input from a Windows console. * * @param prompt Prompt to display to the user * @param echo Should the user input be displayed in the console * @param input Pointer to the buffer the user input will be saved * @param capacity Size of the buffer for the user input * * @return Return false on input error, or if service * exit event is signaled. */ static bool get_console_input_win32(const char *prompt, const bool echo, char *input, const int capacity) { HANDLE in = INVALID_HANDLE_VALUE; HANDLE err = INVALID_HANDLE_VALUE; DWORD len = 0; ASSERT(prompt); ASSERT(input); ASSERT(capacity > 0); input[0] = '\0'; in = GetStdHandle(STD_INPUT_HANDLE); err = get_orig_stderr(); if (in != INVALID_HANDLE_VALUE && err != INVALID_HANDLE_VALUE && !win32_service_interrupt(&win32_signal) && WriteFile(err, prompt, strlen(prompt), &len, NULL)) { bool is_console = (GetFileType(in) == FILE_TYPE_CHAR); DWORD flags_save = 0; int status = 0; WCHAR *winput; if (is_console) { if (GetConsoleMode(in, &flags_save)) { DWORD flags = ENABLE_LINE_INPUT | ENABLE_PROCESSED_INPUT; if (echo) { flags |= ENABLE_ECHO_INPUT; } SetConsoleMode(in, flags); } else { is_console = 0; } } if (is_console) { winput = malloc(capacity * sizeof(WCHAR)); if (winput == NULL) { return false; } status = ReadConsoleW(in, winput, capacity, &len, NULL); WideCharToMultiByte(CP_UTF8, 0, winput, len, input, capacity, NULL, NULL); free(winput); } else { status = ReadFile(in, input, capacity, &len, NULL); } string_null_terminate(input, (int)len, capacity); chomp(input); if (!echo) { WriteFile(err, "\r\n", 2, &len, NULL); } if (is_console) { SetConsoleMode(in, flags_save); } if (status && !win32_service_interrupt(&win32_signal)) { return true; } } return false; } #endif /* _WIN32 */ #ifdef HAVE_GETPASS /** * Open the current console TTY for read/write operations * * @params write If true, the user wants to write to the console * otherwise read from the console * * @returns Returns a FILE pointer to either the TTY in read or write mode * or stdin/stderr, depending on the write flag * */ static FILE * open_tty(const bool write) { FILE *ret; ret = fopen("/dev/tty", write ? "w" : "r"); if (!ret) { ret = write ? stderr : stdin; } return ret; } /** * Closes the TTY FILE pointer, but only if it is not a stdin/stderr FILE object. * * @params fp FILE pointer to close * */ static void close_tty(FILE *fp) { if (fp != stderr && fp != stdin) { fclose(fp); } } #endif /* HAVE_GETPASS */ /** * Core function for getting input from console * * @params prompt The prompt to present to the user * @params echo Should the user see what is being typed * @params input Pointer to the buffer used to save the user input * @params capacity Size of the input buffer * * @returns Returns True if user input was gathered */ static bool get_console_input(const char *prompt, const bool echo, char *input, const int capacity) { bool ret = false; ASSERT(prompt); ASSERT(input); ASSERT(capacity > 0); input[0] = '\0'; #if defined(_WIN32) return get_console_input_win32(prompt, echo, input, capacity); #elif defined(HAVE_GETPASS) /* did we --daemon'ize before asking for passwords? * (in which case neither stdin or stderr are connected to a tty and * /dev/tty can not be open()ed anymore) */ if (!isatty(0) && !isatty(2) ) { int fd = open( "/dev/tty", O_RDWR ); if (fd < 0) { msg(M_FATAL, "neither stdin nor stderr are a tty device and you have neither a " "controlling tty nor systemd - can't ask for '%s'. If you used --daemon, " "you need to use --askpass to make passphrase-protected keys work, and you " "can not use --auth-nocache.", prompt ); } close(fd); } if (echo) { FILE *fp; fp = open_tty(true); fprintf(fp, "%s", prompt); fflush(fp); close_tty(fp); fp = open_tty(false); if (fgets(input, capacity, fp) != NULL) { chomp(input); ret = true; } close_tty(fp); } else { char *gp = getpass(prompt); if (gp) { strncpynt(input, gp, capacity); secure_memzero(gp, strlen(gp)); ret = true; } } #else /* if defined(_WIN32) */ msg(M_FATAL, "Sorry, but I can't get console input on this OS (%s)", prompt); #endif /* if defined(_WIN32) */ return ret; } /** * @copydoc query_user_exec() * * Default method for querying user using default stdin/stdout on a console. * This needs to be available as a backup interface for the alternative * implementations in case they cannot query through their implementation * specific methods. * * If no alternative implementation is declared, a wrapper in console.h will ensure * query_user_exec() will call this function instead. * */ bool query_user_exec_builtin(void) { bool ret = true; /* Presume everything goes okay */ int i; /* Loop through configured query_user slots */ for (i = 0; i < QUERY_USER_NUMSLOTS && query_user[i].response != NULL; i++) { if (!get_console_input(query_user[i].prompt, query_user[i].echo, query_user[i].response, query_user[i].response_len) ) { /* Force the final result state to failed on failure */ ret = false; } } return ret; } openvpn-2.4.4/src/openvpn/console_systemd.c000066400000000000000000000064441316434344000210520ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2014-2015 David Sommerseth * Copyright (C) 2016 David Sommerseth * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ /** * @file Alternative method to query for user input, using systemd * */ #include "config.h" #ifdef ENABLE_SYSTEMD #include "syshead.h" #include "console.h" #include "misc.h" #include /* * is systemd running */ static bool check_systemd_running(void) { struct stat c; /* We simply test whether the systemd cgroup hierarchy is * mounted, as well as the systemd-ask-password executable * being available */ return (sd_booted() > 0) && (stat(SYSTEMD_ASK_PASSWORD_PATH, &c) == 0); } static bool get_console_input_systemd(const char *prompt, const bool echo, char *input, const int capacity) { int std_out; bool ret = false; struct argv argv = argv_new(); argv_printf(&argv, SYSTEMD_ASK_PASSWORD_PATH); #ifdef SYSTEMD_NEWER_THAN_216 /* the --echo support arrived in upstream systemd 217 */ if (echo) { argv_printf_cat(&argv, "--echo"); } #endif argv_printf_cat(&argv, "--icon network-vpn"); argv_printf_cat(&argv, "%s", prompt); if ((std_out = openvpn_popen(&argv, NULL)) < 0) { return false; } memset(input, 0, capacity); if (read(std_out, input, capacity-1) != 0) { chomp(input); ret = true; } close(std_out); argv_reset(&argv); return ret; } /** * Systemd aware implementation of query_user_exec(). If systemd is not running * it will fall back to use query_user_exec_builtin() instead. * */ bool query_user_exec(void) { bool ret = true; /* Presume everything goes okay */ int i; /* If systemd is not available, use the default built-in mechanism */ if (!check_systemd_running()) { return query_user_exec_builtin(); } /* Loop through the complete query setup and when needed, collect the information */ for (i = 0; i < QUERY_USER_NUMSLOTS && query_user[i].response != NULL; i++) { if (!get_console_input_systemd(query_user[i].prompt, query_user[i].echo, query_user[i].response, query_user[i].response_len) ) { /* Force the final result state to failed on failure */ ret = false; } } return ret; } #endif /* ENABLE_SYSTEMD */ openvpn-2.4.4/src/openvpn/crypto.c000066400000000000000000001534561316434344000171660ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * Copyright (C) 2010-2017 Fox Crypto B.V. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) #include "config-msvc.h" #endif #include "syshead.h" #ifdef ENABLE_CRYPTO #include "crypto.h" #include "error.h" #include "integer.h" #include "platform.h" #include "memdbg.h" /* * Encryption and Compression Routines. * * On entry, buf contains the input data and length. * On exit, it should be set to the output data and length. * * If buf->len is <= 0 we should return * If buf->len is set to 0 on exit it tells the caller to ignore the packet. * * work is a workspace buffer we are given of size BUF_SIZE. * work may be used to return output data, or the input buffer * may be modified and returned as output. If output data is * returned in work, the data should start after FRAME_HEADROOM bytes * of padding to leave room for downstream routines to prepend. * * Up to a total of FRAME_HEADROOM bytes may be prepended to the input buf * by all routines (encryption, decryption, compression, and decompression). * * Note that the buf_prepend return will assert if we try to * make a header bigger than FRAME_HEADROOM. This should not * happen unless the frame parameters are wrong. */ static void openvpn_encrypt_aead(struct buffer *buf, struct buffer work, struct crypto_options *opt) { #ifdef HAVE_AEAD_CIPHER_MODES struct gc_arena gc; int outlen = 0; const struct key_ctx *ctx = &opt->key_ctx_bi.encrypt; uint8_t *mac_out = NULL; const cipher_kt_t *cipher_kt = cipher_ctx_get_cipher_kt(ctx->cipher); const int mac_len = cipher_kt_tag_size(cipher_kt); /* IV, packet-ID and implicit IV required for this mode. */ ASSERT(ctx->cipher); ASSERT(cipher_kt_mode_aead(cipher_kt)); ASSERT(opt->flags & CO_USE_IV); ASSERT(packet_id_initialized(&opt->packet_id)); gc_init(&gc); /* Prepare IV */ { struct buffer iv_buffer; uint8_t iv[OPENVPN_MAX_IV_LENGTH] = {0}; const int iv_len = cipher_ctx_iv_length(ctx->cipher); ASSERT(iv_len >= OPENVPN_AEAD_MIN_IV_LEN && iv_len <= OPENVPN_MAX_IV_LENGTH); buf_set_write(&iv_buffer, iv, iv_len); /* IV starts with packet id to make the IV unique for packet */ if (!packet_id_write(&opt->packet_id.send, &iv_buffer, false, false)) { msg(D_CRYPT_ERRORS, "ENCRYPT ERROR: packet ID roll over"); goto err; } /* Remainder of IV consists of implicit part (unique per session) */ ASSERT(buf_write(&iv_buffer, ctx->implicit_iv, ctx->implicit_iv_len)); ASSERT(iv_buffer.len == iv_len); /* Write explicit part of IV to work buffer */ ASSERT(buf_write(&work, iv, iv_len - ctx->implicit_iv_len)); dmsg(D_PACKET_CONTENT, "ENCRYPT IV: %s", format_hex(iv, iv_len, 0, &gc)); /* Init cipher_ctx with IV. key & keylen are already initialized */ ASSERT(cipher_ctx_reset(ctx->cipher, iv)); } /* Reserve space for authentication tag */ mac_out = buf_write_alloc(&work, mac_len); ASSERT(mac_out); dmsg(D_PACKET_CONTENT, "ENCRYPT FROM: %s", format_hex(BPTR(buf), BLEN(buf), 80, &gc)); /* Buffer overflow check */ if (!buf_safe(&work, buf->len + cipher_ctx_block_size(ctx->cipher))) { msg(D_CRYPT_ERRORS, "ENCRYPT: buffer size error, bc=%d bo=%d bl=%d wc=%d wo=%d wl=%d", buf->capacity, buf->offset, buf->len, work.capacity, work.offset, work.len); goto err; } /* For AEAD ciphers, authenticate Additional Data, including opcode */ ASSERT(cipher_ctx_update_ad(ctx->cipher, BPTR(&work), BLEN(&work) - mac_len)); dmsg(D_PACKET_CONTENT, "ENCRYPT AD: %s", format_hex(BPTR(&work), BLEN(&work) - mac_len, 0, &gc)); /* Encrypt packet ID, payload */ ASSERT(cipher_ctx_update(ctx->cipher, BEND(&work), &outlen, BPTR(buf), BLEN(buf))); ASSERT(buf_inc_len(&work, outlen)); /* Flush the encryption buffer */ ASSERT(cipher_ctx_final(ctx->cipher, BEND(&work), &outlen)); ASSERT(buf_inc_len(&work, outlen)); /* Write authentication tag */ ASSERT(cipher_ctx_get_tag(ctx->cipher, mac_out, mac_len)); *buf = work; dmsg(D_PACKET_CONTENT, "ENCRYPT TO: %s", format_hex(BPTR(buf), BLEN(buf), 80, &gc)); gc_free(&gc); return; err: crypto_clear_error(); buf->len = 0; gc_free(&gc); return; #else /* HAVE_AEAD_CIPHER_MODES */ ASSERT(0); #endif /* ifdef HAVE_AEAD_CIPHER_MODES */ } static void openvpn_encrypt_v1(struct buffer *buf, struct buffer work, struct crypto_options *opt) { struct gc_arena gc; gc_init(&gc); if (buf->len > 0 && opt) { const struct key_ctx *ctx = &opt->key_ctx_bi.encrypt; uint8_t *mac_out = NULL; const uint8_t *hmac_start = NULL; /* Do Encrypt from buf -> work */ if (ctx->cipher) { uint8_t iv_buf[OPENVPN_MAX_IV_LENGTH] = {0}; const int iv_size = cipher_ctx_iv_length(ctx->cipher); const cipher_kt_t *cipher_kt = cipher_ctx_get_cipher_kt(ctx->cipher); int outlen; /* Reserve space for HMAC */ if (ctx->hmac) { mac_out = buf_write_alloc(&work, hmac_ctx_size(ctx->hmac)); ASSERT(mac_out); hmac_start = BEND(&work); } if (cipher_kt_mode_cbc(cipher_kt)) { /* generate pseudo-random IV */ if (opt->flags & CO_USE_IV) { prng_bytes(iv_buf, iv_size); } /* Put packet ID in plaintext buffer */ if (packet_id_initialized(&opt->packet_id) && !packet_id_write(&opt->packet_id.send, buf, opt->flags & CO_PACKET_ID_LONG_FORM, true)) { msg(D_CRYPT_ERRORS, "ENCRYPT ERROR: packet ID roll over"); goto err; } } else if (cipher_kt_mode_ofb_cfb(cipher_kt)) { struct buffer b; /* IV and packet-ID required for this mode. */ ASSERT(opt->flags & CO_USE_IV); ASSERT(packet_id_initialized(&opt->packet_id)); buf_set_write(&b, iv_buf, iv_size); ASSERT(packet_id_write(&opt->packet_id.send, &b, true, false)); } else /* We only support CBC, CFB, or OFB modes right now */ { ASSERT(0); } /* set the IV pseudo-randomly */ if (opt->flags & CO_USE_IV) { ASSERT(buf_write(&work, iv_buf, iv_size)); dmsg(D_PACKET_CONTENT, "ENCRYPT IV: %s", format_hex(iv_buf, iv_size, 0, &gc)); } dmsg(D_PACKET_CONTENT, "ENCRYPT FROM: %s", format_hex(BPTR(buf), BLEN(buf), 80, &gc)); /* cipher_ctx was already initialized with key & keylen */ ASSERT(cipher_ctx_reset(ctx->cipher, iv_buf)); /* Buffer overflow check */ if (!buf_safe(&work, buf->len + cipher_ctx_block_size(ctx->cipher))) { msg(D_CRYPT_ERRORS, "ENCRYPT: buffer size error, bc=%d bo=%d bl=%d wc=%d wo=%d wl=%d cbs=%d", buf->capacity, buf->offset, buf->len, work.capacity, work.offset, work.len, cipher_ctx_block_size(ctx->cipher)); goto err; } /* Encrypt packet ID, payload */ ASSERT(cipher_ctx_update(ctx->cipher, BEND(&work), &outlen, BPTR(buf), BLEN(buf))); ASSERT(buf_inc_len(&work, outlen)); /* Flush the encryption buffer */ ASSERT(cipher_ctx_final(ctx->cipher, BEND(&work), &outlen)); ASSERT(buf_inc_len(&work, outlen)); /* For all CBC mode ciphers, check the last block is complete */ ASSERT(cipher_kt_mode(cipher_kt) != OPENVPN_MODE_CBC || outlen == iv_size); } else /* No Encryption */ { if (packet_id_initialized(&opt->packet_id) && !packet_id_write(&opt->packet_id.send, buf, opt->flags & CO_PACKET_ID_LONG_FORM, true)) { msg(D_CRYPT_ERRORS, "ENCRYPT ERROR: packet ID roll over"); goto err; } if (ctx->hmac) { hmac_start = BPTR(buf); ASSERT(mac_out = buf_prepend(buf, hmac_ctx_size(ctx->hmac))); } if (BLEN(&work)) { buf_write_prepend(buf, BPTR(&work), BLEN(&work)); } work = *buf; } /* HMAC the ciphertext (or plaintext if !cipher) */ if (ctx->hmac) { hmac_ctx_reset(ctx->hmac); hmac_ctx_update(ctx->hmac, hmac_start, BEND(&work) - hmac_start); hmac_ctx_final(ctx->hmac, mac_out); dmsg(D_PACKET_CONTENT, "ENCRYPT HMAC: %s", format_hex(mac_out, hmac_ctx_size(ctx->hmac), 80, &gc)); } *buf = work; dmsg(D_PACKET_CONTENT, "ENCRYPT TO: %s", format_hex(BPTR(&work), BLEN(&work), 80, &gc)); } gc_free(&gc); return; err: crypto_clear_error(); buf->len = 0; gc_free(&gc); return; } void openvpn_encrypt(struct buffer *buf, struct buffer work, struct crypto_options *opt) { if (buf->len > 0 && opt) { const cipher_kt_t *cipher_kt = cipher_ctx_get_cipher_kt(opt->key_ctx_bi.encrypt.cipher); if (cipher_kt_mode_aead(cipher_kt)) { openvpn_encrypt_aead(buf, work, opt); } else { openvpn_encrypt_v1(buf, work, opt); } } } bool crypto_check_replay(struct crypto_options *opt, const struct packet_id_net *pin, const char *error_prefix, struct gc_arena *gc) { bool ret = false; packet_id_reap_test(&opt->packet_id.rec); if (packet_id_test(&opt->packet_id.rec, pin)) { packet_id_add(&opt->packet_id.rec, pin); if (opt->pid_persist && (opt->flags & CO_PACKET_ID_LONG_FORM)) { packet_id_persist_save_obj(opt->pid_persist, &opt->packet_id); } ret = true; } else { if (!(opt->flags & CO_MUTE_REPLAY_WARNINGS)) { msg(D_REPLAY_ERRORS, "%s: bad packet ID (may be a replay): %s -- " "see the man page entry for --no-replay and --replay-window for " "more info or silence this warning with --mute-replay-warnings", error_prefix, packet_id_net_print(pin, true, gc)); } } return ret; } /* * If (opt->flags & CO_USE_IV) is not NULL, we will read an IV from the packet. * * Set buf->len to 0 and return false on decrypt error. * * On success, buf is set to point to plaintext, true * is returned. */ static bool openvpn_decrypt_aead(struct buffer *buf, struct buffer work, struct crypto_options *opt, const struct frame *frame, const uint8_t *ad_start) { #ifdef HAVE_AEAD_CIPHER_MODES static const char error_prefix[] = "AEAD Decrypt error"; struct packet_id_net pin = { 0 }; const struct key_ctx *ctx = &opt->key_ctx_bi.decrypt; const cipher_kt_t *cipher_kt = cipher_ctx_get_cipher_kt(ctx->cipher); uint8_t *tag_ptr = NULL; int tag_size = 0; int outlen; struct gc_arena gc; gc_init(&gc); ASSERT(opt); ASSERT(frame); ASSERT(buf->len > 0); ASSERT(ctx->cipher); ASSERT(cipher_kt_mode_aead(cipher_kt)); dmsg(D_PACKET_CONTENT, "DECRYPT FROM: %s", format_hex(BPTR(buf), BLEN(buf), 80, &gc)); ASSERT(ad_start >= buf->data && ad_start <= BPTR(buf)); ASSERT(buf_init(&work, FRAME_HEADROOM_ADJ(frame, FRAME_HEADROOM_MARKER_DECRYPT))); /* IV and Packet ID required for this mode */ ASSERT(packet_id_initialized(&opt->packet_id)); ASSERT(opt->flags & CO_USE_IV); /* Combine IV from explicit part from packet and implicit part from context */ { uint8_t iv[OPENVPN_MAX_IV_LENGTH] = { 0 }; const int iv_len = cipher_ctx_iv_length(ctx->cipher); const size_t packet_iv_len = iv_len - ctx->implicit_iv_len; ASSERT(ctx->implicit_iv_len <= iv_len); if (buf->len + ctx->implicit_iv_len < iv_len) { CRYPT_ERROR("missing IV info"); } memcpy(iv, BPTR(buf), packet_iv_len); memcpy(iv + packet_iv_len, ctx->implicit_iv, ctx->implicit_iv_len); dmsg(D_PACKET_CONTENT, "DECRYPT IV: %s", format_hex(iv, iv_len, 0, &gc)); /* Load IV, ctx->cipher was already initialized with key & keylen */ if (!cipher_ctx_reset(ctx->cipher, iv)) { CRYPT_ERROR("cipher init failed"); } } /* Read packet ID from packet */ if (!packet_id_read(&pin, buf, false)) { CRYPT_ERROR("error reading packet-id"); } /* keep the tag value to feed in later */ tag_size = cipher_kt_tag_size(cipher_kt); if (buf->len < tag_size) { CRYPT_ERROR("missing tag"); } tag_ptr = BPTR(buf); ASSERT(buf_advance(buf, tag_size)); dmsg(D_PACKET_CONTENT, "DECRYPT MAC: %s", format_hex(tag_ptr, tag_size, 0, &gc)); #if defined(ENABLE_CRYPTO_OPENSSL) && OPENSSL_VERSION_NUMBER < 0x10001040L /* OpenSSL <= 1.0.1c bug requires set tag before processing ciphertext */ if (!EVP_CIPHER_CTX_ctrl(ctx->cipher, EVP_CTRL_GCM_SET_TAG, tag_size, tag_ptr)) { CRYPT_ERROR("setting tag failed"); } #endif if (buf->len < 1) { CRYPT_ERROR("missing payload"); } dmsg(D_PACKET_CONTENT, "DECRYPT FROM: %s", format_hex(BPTR(buf), BLEN(buf), 0, &gc)); /* Buffer overflow check (should never fail) */ if (!buf_safe(&work, buf->len + cipher_ctx_block_size(ctx->cipher))) { CRYPT_ERROR("potential buffer overflow"); } { /* feed in tag and the authenticated data */ const int ad_size = BPTR(buf) - ad_start - tag_size; ASSERT(cipher_ctx_update_ad(ctx->cipher, ad_start, ad_size)); dmsg(D_PACKET_CONTENT, "DECRYPT AD: %s", format_hex(BPTR(buf) - ad_size - tag_size, ad_size, 0, &gc)); } /* Decrypt and authenticate packet */ if (!cipher_ctx_update(ctx->cipher, BPTR(&work), &outlen, BPTR(buf), BLEN(buf))) { CRYPT_ERROR("cipher update failed"); } ASSERT(buf_inc_len(&work, outlen)); if (!cipher_ctx_final_check_tag(ctx->cipher, BPTR(&work) + outlen, &outlen, tag_ptr, tag_size)) { CRYPT_ERROR("cipher final failed"); } ASSERT(buf_inc_len(&work, outlen)); dmsg(D_PACKET_CONTENT, "DECRYPT TO: %s", format_hex(BPTR(&work), BLEN(&work), 80, &gc)); if (!crypto_check_replay(opt, &pin, error_prefix, &gc)) { goto error_exit; } *buf = work; gc_free(&gc); return true; error_exit: crypto_clear_error(); buf->len = 0; gc_free(&gc); return false; #else /* HAVE_AEAD_CIPHER_MODES */ ASSERT(0); return false; #endif /* ifdef HAVE_AEAD_CIPHER_MODES */ } /* * If (opt->flags & CO_USE_IV) is not NULL, we will read an IV from the packet. * * Set buf->len to 0 and return false on decrypt error. * * On success, buf is set to point to plaintext, true * is returned. */ static bool openvpn_decrypt_v1(struct buffer *buf, struct buffer work, struct crypto_options *opt, const struct frame *frame) { static const char error_prefix[] = "Authenticate/Decrypt packet error"; struct gc_arena gc; gc_init(&gc); if (buf->len > 0 && opt) { const struct key_ctx *ctx = &opt->key_ctx_bi.decrypt; struct packet_id_net pin; bool have_pin = false; dmsg(D_PACKET_CONTENT, "DECRYPT FROM: %s", format_hex(BPTR(buf), BLEN(buf), 80, &gc)); /* Verify the HMAC */ if (ctx->hmac) { int hmac_len; uint8_t local_hmac[MAX_HMAC_KEY_LENGTH]; /* HMAC of ciphertext computed locally */ hmac_ctx_reset(ctx->hmac); /* Assume the length of the input HMAC */ hmac_len = hmac_ctx_size(ctx->hmac); /* Authentication fails if insufficient data in packet for HMAC */ if (buf->len < hmac_len) { CRYPT_ERROR("missing authentication info"); } hmac_ctx_update(ctx->hmac, BPTR(buf) + hmac_len, BLEN(buf) - hmac_len); hmac_ctx_final(ctx->hmac, local_hmac); /* Compare locally computed HMAC with packet HMAC */ if (memcmp_constant_time(local_hmac, BPTR(buf), hmac_len)) { CRYPT_ERROR("packet HMAC authentication failed"); } ASSERT(buf_advance(buf, hmac_len)); } /* Decrypt packet ID + payload */ if (ctx->cipher) { const int iv_size = cipher_ctx_iv_length(ctx->cipher); const cipher_kt_t *cipher_kt = cipher_ctx_get_cipher_kt(ctx->cipher); uint8_t iv_buf[OPENVPN_MAX_IV_LENGTH] = { 0 }; int outlen; /* initialize work buffer with FRAME_HEADROOM bytes of prepend capacity */ ASSERT(buf_init(&work, FRAME_HEADROOM_ADJ(frame, FRAME_HEADROOM_MARKER_DECRYPT))); /* use IV if user requested it */ if (opt->flags & CO_USE_IV) { if (buf->len < iv_size) { CRYPT_ERROR("missing IV info"); } memcpy(iv_buf, BPTR(buf), iv_size); ASSERT(buf_advance(buf, iv_size)); } /* show the IV's initial state */ if (opt->flags & CO_USE_IV) { dmsg(D_PACKET_CONTENT, "DECRYPT IV: %s", format_hex(iv_buf, iv_size, 0, &gc)); } if (buf->len < 1) { CRYPT_ERROR("missing payload"); } /* ctx->cipher was already initialized with key & keylen */ if (!cipher_ctx_reset(ctx->cipher, iv_buf)) { CRYPT_ERROR("cipher init failed"); } /* Buffer overflow check (should never happen) */ if (!buf_safe(&work, buf->len + cipher_ctx_block_size(ctx->cipher))) { CRYPT_ERROR("potential buffer overflow"); } /* Decrypt packet ID, payload */ if (!cipher_ctx_update(ctx->cipher, BPTR(&work), &outlen, BPTR(buf), BLEN(buf))) { CRYPT_ERROR("cipher update failed"); } ASSERT(buf_inc_len(&work, outlen)); /* Flush the decryption buffer */ if (!cipher_ctx_final(ctx->cipher, BPTR(&work) + outlen, &outlen)) { CRYPT_ERROR("cipher final failed"); } ASSERT(buf_inc_len(&work, outlen)); dmsg(D_PACKET_CONTENT, "DECRYPT TO: %s", format_hex(BPTR(&work), BLEN(&work), 80, &gc)); /* Get packet ID from plaintext buffer or IV, depending on cipher mode */ { if (cipher_kt_mode_cbc(cipher_kt)) { if (packet_id_initialized(&opt->packet_id)) { if (!packet_id_read(&pin, &work, BOOL_CAST(opt->flags & CO_PACKET_ID_LONG_FORM))) { CRYPT_ERROR("error reading CBC packet-id"); } have_pin = true; } } else if (cipher_kt_mode_ofb_cfb(cipher_kt)) { struct buffer b; /* IV and packet-ID required for this mode. */ ASSERT(opt->flags & CO_USE_IV); ASSERT(packet_id_initialized(&opt->packet_id)); buf_set_read(&b, iv_buf, iv_size); if (!packet_id_read(&pin, &b, true)) { CRYPT_ERROR("error reading CFB/OFB packet-id"); } have_pin = true; } else /* We only support CBC, CFB, or OFB modes right now */ { ASSERT(0); } } } else { work = *buf; if (packet_id_initialized(&opt->packet_id)) { if (!packet_id_read(&pin, &work, BOOL_CAST(opt->flags & CO_PACKET_ID_LONG_FORM))) { CRYPT_ERROR("error reading packet-id"); } have_pin = !BOOL_CAST(opt->flags & CO_IGNORE_PACKET_ID); } } if (have_pin && !crypto_check_replay(opt, &pin, error_prefix, &gc)) { goto error_exit; } *buf = work; } gc_free(&gc); return true; error_exit: crypto_clear_error(); buf->len = 0; gc_free(&gc); return false; } bool openvpn_decrypt(struct buffer *buf, struct buffer work, struct crypto_options *opt, const struct frame *frame, const uint8_t *ad_start) { bool ret = false; if (buf->len > 0 && opt) { const struct key_ctx *ctx = &opt->key_ctx_bi.decrypt; if (cipher_kt_mode_aead(cipher_ctx_get_cipher_kt(ctx->cipher))) { ret = openvpn_decrypt_aead(buf, work, opt, frame, ad_start); } else { ret = openvpn_decrypt_v1(buf, work, opt, frame); } } else { ret = true; } return ret; } void crypto_adjust_frame_parameters(struct frame *frame, const struct key_type *kt, bool use_iv, bool packet_id, bool packet_id_long_form) { size_t crypto_overhead = 0; if (packet_id) { crypto_overhead += packet_id_size(packet_id_long_form); } if (kt->cipher) { if (use_iv) { crypto_overhead += cipher_kt_iv_size(kt->cipher); } if (cipher_kt_mode_aead(kt->cipher)) { crypto_overhead += cipher_kt_tag_size(kt->cipher); } /* extra block required by cipher_ctx_update() */ crypto_overhead += cipher_kt_block_size(kt->cipher); } crypto_overhead += kt->hmac_length; frame_add_to_extra_frame(frame, crypto_overhead); msg(D_MTU_DEBUG, "%s: Adjusting frame parameters for crypto by %u bytes", __func__, (unsigned int) crypto_overhead); } size_t crypto_max_overhead(void) { return packet_id_size(true) + OPENVPN_MAX_IV_LENGTH +OPENVPN_MAX_CIPHER_BLOCK_SIZE +max_int(OPENVPN_MAX_HMAC_SIZE, OPENVPN_AEAD_TAG_LENGTH); } /* * Build a struct key_type. */ void init_key_type(struct key_type *kt, const char *ciphername, const char *authname, int keysize, bool tls_mode, bool warn) { bool aead_cipher = false; ASSERT(ciphername); ASSERT(authname); CLEAR(*kt); if (strcmp(ciphername, "none") != 0) { kt->cipher = cipher_kt_get(translate_cipher_name_from_openvpn(ciphername)); if (!kt->cipher) { msg(M_FATAL, "Cipher %s not supported", ciphername); } kt->cipher_length = cipher_kt_key_size(kt->cipher); if (keysize > 0 && keysize <= MAX_CIPHER_KEY_LENGTH) { kt->cipher_length = keysize; } /* check legal cipher mode */ aead_cipher = cipher_kt_mode_aead(kt->cipher); if (!(cipher_kt_mode_cbc(kt->cipher) || (tls_mode && aead_cipher) #ifdef ENABLE_OFB_CFB_MODE || (tls_mode && cipher_kt_mode_ofb_cfb(kt->cipher)) #endif )) { msg(M_FATAL, "Cipher '%s' mode not supported", ciphername); } if (OPENVPN_MAX_CIPHER_BLOCK_SIZE < cipher_kt_block_size(kt->cipher)) { msg(M_FATAL, "Cipher '%s' not allowed: block size too big.", ciphername); } } else { if (warn) { msg(M_WARN, "******* WARNING *******: '--cipher none' was specified. " "This means NO encryption will be performed and tunnelled " "data WILL be transmitted in clear text over the network! " "PLEASE DO RECONSIDER THIS SETTING!"); } } if (strcmp(authname, "none") != 0) { if (!aead_cipher) /* Ignore auth for AEAD ciphers */ { kt->digest = md_kt_get(authname); kt->hmac_length = md_kt_size(kt->digest); if (OPENVPN_MAX_HMAC_SIZE < kt->hmac_length) { msg(M_FATAL, "HMAC '%s' not allowed: digest size too big.", authname); } } } else if (!aead_cipher) { if (warn) { msg(M_WARN, "******* WARNING *******: '--auth none' was specified. " "This means no authentication will be performed on received " "packets, meaning you CANNOT trust that the data received by " "the remote side have NOT been manipulated. " "PLEASE DO RECONSIDER THIS SETTING!"); } } } /* given a key and key_type, build a key_ctx */ void init_key_ctx(struct key_ctx *ctx, struct key *key, const struct key_type *kt, int enc, const char *prefix) { struct gc_arena gc = gc_new(); CLEAR(*ctx); if (kt->cipher && kt->cipher_length > 0) { ctx->cipher = cipher_ctx_new(); cipher_ctx_init(ctx->cipher, key->cipher, kt->cipher_length, kt->cipher, enc); msg(D_HANDSHAKE, "%s: Cipher '%s' initialized with %d bit key", prefix, translate_cipher_name_to_openvpn(cipher_kt_name(kt->cipher)), kt->cipher_length *8); dmsg(D_SHOW_KEYS, "%s: CIPHER KEY: %s", prefix, format_hex(key->cipher, kt->cipher_length, 0, &gc)); dmsg(D_CRYPTO_DEBUG, "%s: CIPHER block_size=%d iv_size=%d", prefix, cipher_kt_block_size(kt->cipher), cipher_kt_iv_size(kt->cipher)); if (cipher_kt_block_size(kt->cipher) < 128/8) { msg(M_WARN, "WARNING: INSECURE cipher with block size less than 128" " bit (%d bit). This allows attacks like SWEET32. Mitigate by " "using a --cipher with a larger block size (e.g. AES-256-CBC).", cipher_kt_block_size(kt->cipher)*8); } } if (kt->digest && kt->hmac_length > 0) { ctx->hmac = hmac_ctx_new(); hmac_ctx_init(ctx->hmac, key->hmac, kt->hmac_length, kt->digest); msg(D_HANDSHAKE, "%s: Using %d bit message hash '%s' for HMAC authentication", prefix, md_kt_size(kt->digest) * 8, md_kt_name(kt->digest)); dmsg(D_SHOW_KEYS, "%s: HMAC KEY: %s", prefix, format_hex(key->hmac, kt->hmac_length, 0, &gc)); dmsg(D_CRYPTO_DEBUG, "%s: HMAC size=%d block_size=%d", prefix, md_kt_size(kt->digest), hmac_ctx_size(ctx->hmac)); } gc_free(&gc); } void init_key_ctx_bi(struct key_ctx_bi *ctx, const struct key2 *key2, int key_direction, const struct key_type *kt, const char *name) { char log_prefix[128] = { 0 }; struct key_direction_state kds; key_direction_state_init(&kds, key_direction); openvpn_snprintf(log_prefix, sizeof(log_prefix), "Outgoing %s", name); init_key_ctx(&ctx->encrypt, &key2->keys[kds.out_key], kt, OPENVPN_OP_ENCRYPT, log_prefix); openvpn_snprintf(log_prefix, sizeof(log_prefix), "Incoming %s", name); init_key_ctx(&ctx->decrypt, &key2->keys[kds.in_key], kt, OPENVPN_OP_DECRYPT, log_prefix); ctx->initialized = true; } void free_key_ctx(struct key_ctx *ctx) { if (ctx->cipher) { cipher_ctx_cleanup(ctx->cipher); cipher_ctx_free(ctx->cipher); ctx->cipher = NULL; } if (ctx->hmac) { hmac_ctx_cleanup(ctx->hmac); hmac_ctx_free(ctx->hmac); ctx->hmac = NULL; } ctx->implicit_iv_len = 0; } void free_key_ctx_bi(struct key_ctx_bi *ctx) { free_key_ctx(&ctx->encrypt); free_key_ctx(&ctx->decrypt); } static bool key_is_zero(struct key *key, const struct key_type *kt) { int i; for (i = 0; i < kt->cipher_length; ++i) if (key->cipher[i]) { return false; } msg(D_CRYPT_ERRORS, "CRYPTO INFO: WARNING: zero key detected"); return true; } /* * Make sure that cipher key is a valid key for current key_type. */ bool check_key(struct key *key, const struct key_type *kt) { if (kt->cipher) { /* * Check for zero key */ if (key_is_zero(key, kt)) { return false; } /* * Check for weak or semi-weak DES keys. */ { const int ndc = key_des_num_cblocks(kt->cipher); if (ndc) { return key_des_check(key->cipher, kt->cipher_length, ndc); } else { return true; } } } return true; } /* * Make safe mutations to key to ensure it is valid, * such as ensuring correct parity on DES keys. * * This routine cannot guarantee it will generate a good * key. You must always call check_key after this routine * to make sure. */ void fixup_key(struct key *key, const struct key_type *kt) { struct gc_arena gc = gc_new(); if (kt->cipher) { #ifdef ENABLE_DEBUG const struct key orig = *key; #endif const int ndc = key_des_num_cblocks(kt->cipher); if (ndc) { key_des_fixup(key->cipher, kt->cipher_length, ndc); } #ifdef ENABLE_DEBUG if (check_debug_level(D_CRYPTO_DEBUG)) { if (memcmp(orig.cipher, key->cipher, kt->cipher_length)) { dmsg(D_CRYPTO_DEBUG, "CRYPTO INFO: fixup_key: before=%s after=%s", format_hex(orig.cipher, kt->cipher_length, 0, &gc), format_hex(key->cipher, kt->cipher_length, 0, &gc)); } } #endif } gc_free(&gc); } void check_replay_iv_consistency(const struct key_type *kt, bool packet_id, bool use_iv) { ASSERT(kt); if (!(packet_id && use_iv) && (cipher_kt_mode_ofb_cfb(kt->cipher) || cipher_kt_mode_aead(kt->cipher))) { msg(M_FATAL, "--no-replay or --no-iv cannot be used with a CFB, OFB or " "AEAD mode cipher"); } } /* * Generate a random key. If key_type is provided, make * sure generated key is valid for key_type. */ void generate_key_random(struct key *key, const struct key_type *kt) { int cipher_len = MAX_CIPHER_KEY_LENGTH; int hmac_len = MAX_HMAC_KEY_LENGTH; struct gc_arena gc = gc_new(); do { CLEAR(*key); if (kt) { if (kt->cipher && kt->cipher_length > 0 && kt->cipher_length <= cipher_len) { cipher_len = kt->cipher_length; } if (kt->digest && kt->hmac_length > 0 && kt->hmac_length <= hmac_len) { hmac_len = kt->hmac_length; } } if (!rand_bytes(key->cipher, cipher_len) || !rand_bytes(key->hmac, hmac_len)) { msg(M_FATAL, "ERROR: Random number generator cannot obtain entropy for key generation"); } dmsg(D_SHOW_KEY_SOURCE, "Cipher source entropy: %s", format_hex(key->cipher, cipher_len, 0, &gc)); dmsg(D_SHOW_KEY_SOURCE, "HMAC source entropy: %s", format_hex(key->hmac, hmac_len, 0, &gc)); if (kt) { fixup_key(key, kt); } } while (kt && !check_key(key, kt)); gc_free(&gc); } /* * Print key material */ void key2_print(const struct key2 *k, const struct key_type *kt, const char *prefix0, const char *prefix1) { struct gc_arena gc = gc_new(); ASSERT(k->n == 2); dmsg(D_SHOW_KEY_SOURCE, "%s (cipher): %s", prefix0, format_hex(k->keys[0].cipher, kt->cipher_length, 0, &gc)); dmsg(D_SHOW_KEY_SOURCE, "%s (hmac): %s", prefix0, format_hex(k->keys[0].hmac, kt->hmac_length, 0, &gc)); dmsg(D_SHOW_KEY_SOURCE, "%s (cipher): %s", prefix1, format_hex(k->keys[1].cipher, kt->cipher_length, 0, &gc)); dmsg(D_SHOW_KEY_SOURCE, "%s (hmac): %s", prefix1, format_hex(k->keys[1].hmac, kt->hmac_length, 0, &gc)); gc_free(&gc); } void test_crypto(struct crypto_options *co, struct frame *frame) { int i, j; struct gc_arena gc = gc_new(); struct buffer src = alloc_buf_gc(TUN_MTU_SIZE(frame), &gc); struct buffer work = alloc_buf_gc(BUF_SIZE(frame), &gc); struct buffer encrypt_workspace = alloc_buf_gc(BUF_SIZE(frame), &gc); struct buffer decrypt_workspace = alloc_buf_gc(BUF_SIZE(frame), &gc); struct buffer buf = clear_buf(); void *buf_p; /* init work */ ASSERT(buf_init(&work, FRAME_HEADROOM(frame))); #ifdef HAVE_AEAD_CIPHER_MODES /* init implicit IV */ { const cipher_kt_t *cipher = cipher_ctx_get_cipher_kt(co->key_ctx_bi.encrypt.cipher); if (cipher_kt_mode_aead(cipher)) { size_t impl_iv_len = cipher_kt_iv_size(cipher) - sizeof(packet_id_type); ASSERT(cipher_kt_iv_size(cipher) <= OPENVPN_MAX_IV_LENGTH); ASSERT(cipher_kt_iv_size(cipher) >= OPENVPN_AEAD_MIN_IV_LEN); /* Generate dummy implicit IV */ ASSERT(rand_bytes(co->key_ctx_bi.encrypt.implicit_iv, OPENVPN_MAX_IV_LENGTH)); co->key_ctx_bi.encrypt.implicit_iv_len = impl_iv_len; memcpy(co->key_ctx_bi.decrypt.implicit_iv, co->key_ctx_bi.encrypt.implicit_iv, OPENVPN_MAX_IV_LENGTH); co->key_ctx_bi.decrypt.implicit_iv_len = impl_iv_len; } } #endif /* ifdef HAVE_AEAD_CIPHER_MODES */ msg(M_INFO, "Entering " PACKAGE_NAME " crypto self-test mode."); for (i = 1; i <= TUN_MTU_SIZE(frame); ++i) { update_time(); msg(M_INFO, "TESTING ENCRYPT/DECRYPT of packet length=%d", i); /* * Load src with random data. */ ASSERT(buf_init(&src, 0)); ASSERT(i <= src.capacity); src.len = i; ASSERT(rand_bytes(BPTR(&src), BLEN(&src))); /* copy source to input buf */ buf = work; buf_p = buf_write_alloc(&buf, BLEN(&src)); ASSERT(buf_p); memcpy(buf_p, BPTR(&src), BLEN(&src)); /* initialize work buffer with FRAME_HEADROOM bytes of prepend capacity */ ASSERT(buf_init(&encrypt_workspace, FRAME_HEADROOM(frame))); /* encrypt */ openvpn_encrypt(&buf, encrypt_workspace, co); /* decrypt */ openvpn_decrypt(&buf, decrypt_workspace, co, frame, BPTR(&buf)); /* compare */ if (buf.len != src.len) { msg(M_FATAL, "SELF TEST FAILED, src.len=%d buf.len=%d", src.len, buf.len); } for (j = 0; j < i; ++j) { const uint8_t in = *(BPTR(&src) + j); const uint8_t out = *(BPTR(&buf) + j); if (in != out) { msg(M_FATAL, "SELF TEST FAILED, pos=%d in=%d out=%d", j, in, out); } } } msg(M_INFO, PACKAGE_NAME " crypto self-test mode SUCCEEDED."); gc_free(&gc); } void crypto_read_openvpn_key(const struct key_type *key_type, struct key_ctx_bi *ctx, const char *key_file, const char *key_inline, const int key_direction, const char *key_name, const char *opt_name) { struct key2 key2; struct key_direction_state kds; if (key_inline) { read_key_file(&key2, key_inline, RKF_MUST_SUCCEED|RKF_INLINE); } else { read_key_file(&key2, key_file, RKF_MUST_SUCCEED); } if (key2.n != 2) { msg(M_ERR, "File '%s' does not have OpenVPN Static Key format. Using " "free-form passphrase file is not supported anymore.", key_file); } /* check for and fix highly unlikely key problems */ verify_fix_key2(&key2, key_type, key_file); /* handle key direction */ key_direction_state_init(&kds, key_direction); must_have_n_keys(key_file, opt_name, &key2, kds.need_keys); /* initialize key in both directions */ init_key_ctx_bi(ctx, &key2, key_direction, key_type, key_name); secure_memzero(&key2, sizeof(key2)); } /* header and footer for static key file */ static const char static_key_head[] = "-----BEGIN OpenVPN Static key V1-----"; static const char static_key_foot[] = "-----END OpenVPN Static key V1-----"; static const char printable_char_fmt[] = "Non-Hex character ('%c') found at line %d in key file '%s' (%d/%d/%d bytes found/min/max)"; static const char unprintable_char_fmt[] = "Non-Hex, unprintable character (0x%02x) found at line %d in key file '%s' (%d/%d/%d bytes found/min/max)"; /* read key from file */ void read_key_file(struct key2 *key2, const char *file, const unsigned int flags) { struct gc_arena gc = gc_new(); struct buffer in; int fd, size; uint8_t hex_byte[3] = {0, 0, 0}; const char *error_filename = file; /* parse info */ const unsigned char *cp; int hb_index = 0; int line_num = 1; int line_index = 0; int match = 0; /* output */ uint8_t *out = (uint8_t *) &key2->keys; const int keylen = sizeof(key2->keys); int count = 0; /* parse states */ #define PARSE_INITIAL 0 #define PARSE_HEAD 1 #define PARSE_DATA 2 #define PARSE_DATA_COMPLETE 3 #define PARSE_FOOT 4 #define PARSE_FINISHED 5 int state = PARSE_INITIAL; /* constants */ const int hlen = strlen(static_key_head); const int flen = strlen(static_key_foot); const int onekeylen = sizeof(key2->keys[0]); CLEAR(*key2); /* * Key can be provided as a filename in 'file' or if RKF_INLINE * is set, the actual key data itself in ascii form. */ if (flags & RKF_INLINE) /* 'file' is a string containing ascii representation of key */ { size = strlen(file) + 1; buf_set_read(&in, (const uint8_t *)file, size); error_filename = INLINE_FILE_TAG; } else /* 'file' is a filename which refers to a file containing the ascii key */ { in = alloc_buf_gc(2048, &gc); fd = platform_open(file, O_RDONLY, 0); if (fd == -1) { msg(M_ERR, "Cannot open key file '%s'", file); } size = read(fd, in.data, in.capacity); if (size < 0) { msg(M_FATAL, "Read error on key file ('%s')", file); } if (size == in.capacity) { msg(M_FATAL, "Key file ('%s') can be a maximum of %d bytes", file, (int)in.capacity); } close(fd); } cp = (unsigned char *)in.data; while (size > 0) { const unsigned char c = *cp; #if 0 msg(M_INFO, "char='%c'[%d] s=%d ln=%d li=%d m=%d c=%d", c, (int)c, state, line_num, line_index, match, count); #endif if (c == '\n') { line_index = match = 0; ++line_num; } else { /* first char of new line */ if (!line_index) { /* first char of line after header line? */ if (state == PARSE_HEAD) { state = PARSE_DATA; } /* first char of footer */ if ((state == PARSE_DATA || state == PARSE_DATA_COMPLETE) && c == '-') { state = PARSE_FOOT; } } /* compare read chars with header line */ if (state == PARSE_INITIAL) { if (line_index < hlen && c == static_key_head[line_index]) { if (++match == hlen) { state = PARSE_HEAD; } } } /* compare read chars with footer line */ if (state == PARSE_FOOT) { if (line_index < flen && c == static_key_foot[line_index]) { if (++match == flen) { state = PARSE_FINISHED; } } } /* reading key */ if (state == PARSE_DATA) { if (isxdigit(c)) { ASSERT(hb_index >= 0 && hb_index < 2); hex_byte[hb_index++] = c; if (hb_index == 2) { unsigned int u; ASSERT(sscanf((const char *)hex_byte, "%x", &u) == 1); *out++ = u; hb_index = 0; if (++count == keylen) { state = PARSE_DATA_COMPLETE; } } } else if (isspace(c)) { } else { msg(M_FATAL, (isprint(c) ? printable_char_fmt : unprintable_char_fmt), c, line_num, error_filename, count, onekeylen, keylen); } } ++line_index; } ++cp; --size; } /* * Normally we will read either 1 or 2 keys from file. */ key2->n = count / onekeylen; ASSERT(key2->n >= 0 && key2->n <= (int) SIZE(key2->keys)); if (flags & RKF_MUST_SUCCEED) { if (!key2->n) { msg(M_FATAL, "Insufficient key material or header text not found in file '%s' (%d/%d/%d bytes found/min/max)", error_filename, count, onekeylen, keylen); } if (state != PARSE_FINISHED) { msg(M_FATAL, "Footer text not found in file '%s' (%d/%d/%d bytes found/min/max)", error_filename, count, onekeylen, keylen); } } /* zero file read buffer if not an inline file */ if (!(flags & RKF_INLINE)) { buf_clear(&in); } #if 0 /* DEBUGGING */ { int i; printf("KEY READ, n=%d\n", key2->n); for (i = 0; i < (int) SIZE(key2->keys); ++i) { /* format key as ascii */ const char *fmt = format_hex_ex((const uint8_t *)&key2->keys[i], sizeof(key2->keys[i]), 0, 16, "\n", &gc); printf("[%d]\n%s\n\n", i, fmt); } } #endif /* pop our garbage collection level */ gc_free(&gc); } /* * Write key to file, return number of random bits * written. */ int write_key_file(const int nkeys, const char *filename) { struct gc_arena gc = gc_new(); int fd, i; int nbits = 0; /* must be large enough to hold full key file */ struct buffer out = alloc_buf_gc(2048, &gc); struct buffer nbits_head_text = alloc_buf_gc(128, &gc); /* how to format the ascii file representation of key */ const int bytes_per_line = 16; /* open key file */ fd = platform_open(filename, O_CREAT | O_TRUNC | O_WRONLY, S_IRUSR | S_IWUSR); if (fd == -1) { msg(M_ERR, "Cannot open shared secret file '%s' for write", filename); } buf_printf(&out, "%s\n", static_key_head); for (i = 0; i < nkeys; ++i) { struct key key; char *fmt; /* generate random bits */ generate_key_random(&key, NULL); /* format key as ascii */ fmt = format_hex_ex((const uint8_t *)&key, sizeof(key), 0, bytes_per_line, "\n", &gc); /* increment random bits counter */ nbits += sizeof(key) * 8; /* write to holding buffer */ buf_printf(&out, "%s\n", fmt); /* zero memory which held key component (will be freed by GC) */ secure_memzero(fmt, strlen(fmt)); secure_memzero(&key, sizeof(key)); } buf_printf(&out, "%s\n", static_key_foot); /* write number of bits */ buf_printf(&nbits_head_text, "#\n# %d bit OpenVPN static key\n#\n", nbits); buf_write_string_file(&nbits_head_text, filename, fd); /* write key file, now formatted in out, to file */ buf_write_string_file(&out, filename, fd); if (close(fd)) { msg(M_ERR, "Close error on shared secret file %s", filename); } /* zero memory which held file content (memory will be freed by GC) */ buf_clear(&out); /* pop our garbage collection level */ gc_free(&gc); return nbits; } void must_have_n_keys(const char *filename, const char *option, const struct key2 *key2, int n) { if (key2->n < n) { #ifdef ENABLE_SMALL msg(M_FATAL, "Key file '%s' used in --%s contains insufficient key material [keys found=%d required=%d]", filename, option, key2->n, n); #else msg(M_FATAL, "Key file '%s' used in --%s contains insufficient key material [keys found=%d required=%d] -- try generating a new key file with '" PACKAGE " --genkey --secret [file]', or use the existing key file in bidirectional mode by specifying --%s without a key direction parameter", filename, option, key2->n, n, option); #endif } } int ascii2keydirection(int msglevel, const char *str) { if (!str) { return KEY_DIRECTION_BIDIRECTIONAL; } else if (!strcmp(str, "0")) { return KEY_DIRECTION_NORMAL; } else if (!strcmp(str, "1")) { return KEY_DIRECTION_INVERSE; } else { msg(msglevel, "Unknown key direction '%s' -- must be '0' or '1'", str); return -1; } return KEY_DIRECTION_BIDIRECTIONAL; /* NOTREACHED */ } const char * keydirection2ascii(int kd, bool remote) { if (kd == KEY_DIRECTION_BIDIRECTIONAL) { return NULL; } else if (kd == KEY_DIRECTION_NORMAL) { return remote ? "1" : "0"; } else if (kd == KEY_DIRECTION_INVERSE) { return remote ? "0" : "1"; } else { ASSERT(0); } return NULL; /* NOTREACHED */ } void key_direction_state_init(struct key_direction_state *kds, int key_direction) { CLEAR(*kds); switch (key_direction) { case KEY_DIRECTION_NORMAL: kds->out_key = 0; kds->in_key = 1; kds->need_keys = 2; break; case KEY_DIRECTION_INVERSE: kds->out_key = 1; kds->in_key = 0; kds->need_keys = 2; break; case KEY_DIRECTION_BIDIRECTIONAL: kds->out_key = 0; kds->in_key = 0; kds->need_keys = 1; break; default: ASSERT(0); } } void verify_fix_key2(struct key2 *key2, const struct key_type *kt, const char *shared_secret_file) { int i; for (i = 0; i < key2->n; ++i) { /* Fix parity for DES keys and make sure not a weak key */ fixup_key(&key2->keys[i], kt); /* This should be a very improbable failure */ if (!check_key(&key2->keys[i], kt)) { msg(M_FATAL, "Key #%d in '%s' is bad. Try making a new key with --genkey.", i+1, shared_secret_file); } } } /* given a key and key_type, write key to buffer */ bool write_key(const struct key *key, const struct key_type *kt, struct buffer *buf) { ASSERT(kt->cipher_length <= MAX_CIPHER_KEY_LENGTH && kt->hmac_length <= MAX_HMAC_KEY_LENGTH); if (!buf_write(buf, &kt->cipher_length, 1)) { return false; } if (!buf_write(buf, &kt->hmac_length, 1)) { return false; } if (!buf_write(buf, key->cipher, kt->cipher_length)) { return false; } if (!buf_write(buf, key->hmac, kt->hmac_length)) { return false; } return true; } /* * Given a key_type and buffer, read key from buffer. * Return: 1 on success * -1 read failure * 0 on key length mismatch */ int read_key(struct key *key, const struct key_type *kt, struct buffer *buf) { uint8_t cipher_length; uint8_t hmac_length; CLEAR(*key); if (!buf_read(buf, &cipher_length, 1)) { goto read_err; } if (!buf_read(buf, &hmac_length, 1)) { goto read_err; } if (cipher_length != kt->cipher_length || hmac_length != kt->hmac_length) { goto key_len_err; } if (!buf_read(buf, key->cipher, cipher_length)) { goto read_err; } if (!buf_read(buf, key->hmac, hmac_length)) { goto read_err; } return 1; read_err: msg(D_TLS_ERRORS, "TLS Error: error reading key from remote"); return -1; key_len_err: msg(D_TLS_ERRORS, "TLS Error: key length mismatch, local cipher/hmac %d/%d, remote cipher/hmac %d/%d", kt->cipher_length, kt->hmac_length, cipher_length, hmac_length); return 0; } /* * Random number functions, used in cases where we want * reasonably strong cryptographic random number generation * without depleting our entropy pool. Used for random * IV values and a number of other miscellaneous tasks. */ static uint8_t *nonce_data = NULL; /* GLOBAL */ static const md_kt_t *nonce_md = NULL; /* GLOBAL */ static int nonce_secret_len = 0; /* GLOBAL */ /* Reset the nonce value, also done periodically to refresh entropy */ static void prng_reset_nonce(void) { const int size = md_kt_size(nonce_md) + nonce_secret_len; #if 1 /* Must be 1 for real usage */ if (!rand_bytes(nonce_data, size)) { msg(M_FATAL, "ERROR: Random number generator cannot obtain entropy for PRNG"); } #else /* Only for testing -- will cause a predictable PRNG sequence */ { int i; for (i = 0; i < size; ++i) nonce_data[i] = (uint8_t) i; } #endif } void prng_init(const char *md_name, const int nonce_secret_len_parm) { prng_uninit(); nonce_md = md_name ? md_kt_get(md_name) : NULL; if (nonce_md) { ASSERT(nonce_secret_len_parm >= NONCE_SECRET_LEN_MIN && nonce_secret_len_parm <= NONCE_SECRET_LEN_MAX); nonce_secret_len = nonce_secret_len_parm; { const int size = md_kt_size(nonce_md) + nonce_secret_len; dmsg(D_CRYPTO_DEBUG, "PRNG init md=%s size=%d", md_kt_name(nonce_md), size); nonce_data = (uint8_t *) malloc(size); check_malloc_return(nonce_data); prng_reset_nonce(); } } } void prng_uninit(void) { free(nonce_data); nonce_data = NULL; nonce_md = NULL; nonce_secret_len = 0; } void prng_bytes(uint8_t *output, int len) { static size_t processed = 0; if (nonce_md) { const int md_size = md_kt_size(nonce_md); while (len > 0) { const int blen = min_int(len, md_size); md_full(nonce_md, nonce_data, md_size + nonce_secret_len, nonce_data); memcpy(output, nonce_data, blen); output += blen; len -= blen; /* Ensure that random data is reset regularly */ processed += blen; if (processed > PRNG_NONCE_RESET_BYTES) { prng_reset_nonce(); processed = 0; } } } else { ASSERT(rand_bytes(output, len)); } } /* an analogue to the random() function, but use prng_bytes */ long int get_random(void) { long int l; prng_bytes((unsigned char *)&l, sizeof(l)); if (l < 0) { l = -l; } return l; } static const cipher_name_pair * get_cipher_name_pair(const char *cipher_name) { const cipher_name_pair *pair; size_t i = 0; /* Search for a cipher name translation */ for (; i < cipher_name_translation_table_count; i++) { pair = &cipher_name_translation_table[i]; if (0 == strcmp(cipher_name, pair->openvpn_name) || 0 == strcmp(cipher_name, pair->lib_name)) { return pair; } } /* Nothing found, return null */ return NULL; } const char * translate_cipher_name_from_openvpn(const char *cipher_name) { const cipher_name_pair *pair = get_cipher_name_pair(cipher_name); if (NULL == pair) { return cipher_name; } return pair->lib_name; } const char * translate_cipher_name_to_openvpn(const char *cipher_name) { const cipher_name_pair *pair = get_cipher_name_pair(cipher_name); if (NULL == pair) { return cipher_name; } return pair->openvpn_name; } #endif /* ENABLE_CRYPTO */ openvpn-2.4.4/src/openvpn/crypto.h000066400000000000000000000465401316434344000171660ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * Copyright (C) 2010-2017 Fox Crypto B.V. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ /** * @file Data Channel Cryptography Module * * @addtogroup data_crypto Data Channel Crypto module * * @par Crypto packet formats * The Data Channel Crypto module supports a number of crypto modes and * configurable options. The actual packet format depends on these options. A * Data Channel packet can consist of: * - \b Opcode, one byte specifying the packet type (see @ref network_protocol * "Network protocol"). * - \b Peer-id, if using the v2 data channel packet format (see @ref * network_protocol "Network protocol"). * - \b HMAC, covering the ciphertext IV + ciphertext. The HMAC size depends * on the \c \-\-auth option. If \c \-\-auth \c none is specified, there is no * HMAC at all. * - \b Ciphertext \b IV, if not disabled by \c \-\-no-iv. The IV size depends on * the \c \-\-cipher option. * - \b Packet \b ID, a 32-bit incrementing packet counter that provides replay * protection (if not disabled by \c \-\-no-replay). * - \b Timestamp, a 32-bit timestamp of the current time. * - \b Payload, the plain text network packet to be encrypted (unless * encryption is disabled by using \c \-\-cipher \c none). The payload might * already be compressed (see @ref compression "Compression module"). * * @par * This section does not discuss the opcode and peer-id, since those do not * depend on the data channel crypto. See @ref network_protocol * "Network protocol" for more information on those. * * @par * \e Legenda \n * [ xxx ] = unprotected \n * [ - xxx - ] = authenticated \n * [ * xxx * ] = encrypted and authenticated * * @par * CBC data channel cypto format \n * In CBC mode, both TLS-mode and static key mode are supported. The IV * consists of random bits to provide unpredictable IVs. \n * CBC IV format: \n * [ - random - ] \n * CBC data channel crypto format in TLS-mode: \n * [ HMAC ] [ - IV - ] [ * packet ID * ] [ * packet payload * ] \n * CBC data channel crypto format in static key mode: \n * [ HMAC ] [ - IV - ] [ * packet ID * ] [ * timestamp * ] * [ * packet payload * ] * * @par * CFB/OFB data channel crypto format \n * CFB and OFB modes are only supported in TLS mode. In these modes, the IV * consists of the packet counter and a timestamp. If the IV is more than 8 * bytes long, the remaining space is filled with zeroes. The packet counter may * not roll over within a single TLS sessions. This results in a unique IV for * each packet, as required by the CFB and OFB cipher modes. * * @par * CFB/OFB IV format: \n * [ - packet ID - ] [ - timestamp - ] [ - opt: zero-padding - ] \n * CFB/OFB data channel crypto format: \n * [ HMAC ] [ - IV - ] [ * packet payload * ] * * @par * GCM data channel crypto format \n * GCM modes are only supported in TLS mode. In these modes, the IV consists of * the 32-bit packet counter followed by data from the HMAC key. The HMAC key * can be used as IV, since in GCM and CCM modes the HMAC key is not used for * the HMAC. The packet counter may not roll over within a single TLS sessions. * This results in a unique IV for each packet, as required by GCM. * * @par * The HMAC key data is pre-shared during the connection setup, and thus can be * omitted in on-the-wire packets, saving 8 bytes per packet (for GCM and CCM). * * @par * In GCM mode, P_DATA_V2 headers (the opcode and peer-id) are also * authenticated as Additional Data. * * @par * GCM IV format: \n * [ - packet ID - ] [ - HMAC key data - ] \n * P_DATA_V1 GCM data channel crypto format: \n * [ opcode ] [ - packet ID - ] [ TAG ] [ * packet payload * ] * P_DATA_V2 GCM data channel crypto format: \n * [ - opcode/peer-id - ] [ - packet ID - ] [ TAG ] [ * packet payload * ] * * @par * No-crypto data channel format \n * In no-crypto mode (\c \-\-cipher \c none is specified), both TLS-mode and * static key mode are supported. No encryption will be performed on the packet, * but packets can still be authenticated. This mode does not require an IV.\n * No-crypto data channel crypto format in TLS-mode: \n * [ HMAC ] [ - packet ID - ] [ - packet payload - ] \n * No-crypto data channel crypto format in static key mode: \n * [ HMAC ] [ - packet ID - ] [ - timestamp - ] [ - packet payload - ] * */ #ifndef CRYPTO_H #define CRYPTO_H #ifdef ENABLE_CRYPTO #include "crypto_backend.h" #include "basic.h" #include "buffer.h" #include "packet_id.h" #include "mtu.h" /** Wrapper struct to pass around SHA256 digests */ struct sha256_digest { uint8_t digest[SHA256_DIGEST_LENGTH]; }; /* * Defines a key type and key length for both cipher and HMAC. */ struct key_type { uint8_t cipher_length; /**< Cipher length, in bytes */ uint8_t hmac_length; /**< HMAC length, in bytes */ const cipher_kt_t *cipher; /**< Cipher static parameters */ const md_kt_t *digest; /**< Message digest static parameters */ }; /** * Container for unidirectional cipher and HMAC %key material. * @ingroup control_processor */ struct key { uint8_t cipher[MAX_CIPHER_KEY_LENGTH]; /**< %Key material for cipher operations. */ uint8_t hmac[MAX_HMAC_KEY_LENGTH]; /**< %Key material for HMAC operations. */ }; /** * Container for one set of cipher and/or HMAC contexts. * @ingroup control_processor */ struct key_ctx { cipher_ctx_t *cipher; /**< Generic cipher %context. */ hmac_ctx_t *hmac; /**< Generic HMAC %context. */ uint8_t implicit_iv[OPENVPN_MAX_IV_LENGTH]; /**< The implicit part of the IV */ size_t implicit_iv_len; /**< The length of implicit_iv */ }; #define KEY_DIRECTION_BIDIRECTIONAL 0 /* same keys for both directions */ #define KEY_DIRECTION_NORMAL 1 /* encrypt with keys[0], decrypt with keys[1] */ #define KEY_DIRECTION_INVERSE 2 /* encrypt with keys[1], decrypt with keys[0] */ /** * Container for bidirectional cipher and HMAC %key material. * @ingroup control_processor */ struct key2 { int n; /**< The number of \c key objects stored * in the \c key2.keys array. */ struct key keys[2]; /**< Two unidirectional sets of %key * material. */ }; /** * %Key ordering of the \c key2.keys array. * @ingroup control_processor * * This structure takes care of correct ordering when using unidirectional * or bidirectional %key material, and allows the same shared secret %key * file to be loaded in the same way by client and server by having one of * the hosts use an reversed ordering. */ struct key_direction_state { int out_key; /**< Index into the \c key2.keys array for * the sending direction. */ int in_key; /**< Index into the \c key2.keys array for * the receiving direction. */ int need_keys; /**< The number of key objects necessary * to support both sending and * receiving. * * This will be 1 if the same keys are * used in both directions, or 2 if * there are two sets of unidirectional * keys. */ }; /** * Container for two sets of OpenSSL cipher and/or HMAC contexts for both * sending and receiving directions. * @ingroup control_processor */ struct key_ctx_bi { struct key_ctx encrypt; /**< Cipher and/or HMAC contexts for sending * direction. */ struct key_ctx decrypt; /**< cipher and/or HMAC contexts for * receiving direction. */ bool initialized; }; /** * Security parameter state for processing data channel packets. * @ingroup data_crypto */ struct crypto_options { struct key_ctx_bi key_ctx_bi; /**< OpenSSL cipher and HMAC contexts for * both sending and receiving * directions. */ struct packet_id packet_id; /**< Current packet ID state for both * sending and receiving directions. */ struct packet_id_persist *pid_persist; /**< Persistent packet ID state for * keeping state between successive * OpenVPN process startups. */ #define CO_PACKET_ID_LONG_FORM (1<<0) /**< Bit-flag indicating whether to use * OpenVPN's long packet ID format. */ #define CO_USE_IV (1<<1) /**< Bit-flag indicating whether to * generate a pseudo-random IV for each * packet being encrypted. */ #define CO_IGNORE_PACKET_ID (1<<2) /**< Bit-flag indicating whether to ignore * the packet ID of a received packet. * This flag is used during processing * of the first packet received from a * client. */ #define CO_MUTE_REPLAY_WARNINGS (1<<3) /**< Bit-flag indicating not to display * replay warnings. */ unsigned int flags; /**< Bit-flags determining behavior of * security operation functions. */ }; #define CRYPT_ERROR(format) \ do { msg(D_CRYPT_ERRORS, "%s: " format, error_prefix); goto error_exit; } while (false) /** * Minimal IV length for AEAD mode ciphers (in bytes): * 4-byte packet id + 8 bytes implicit IV. */ #define OPENVPN_AEAD_MIN_IV_LEN (sizeof(packet_id_type) + 8) #define RKF_MUST_SUCCEED (1<<0) #define RKF_INLINE (1<<1) void read_key_file(struct key2 *key2, const char *file, const unsigned int flags); int write_key_file(const int nkeys, const char *filename); int read_passphrase_hash(const char *passphrase_file, const md_kt_t *digest, uint8_t *output, int len); void generate_key_random(struct key *key, const struct key_type *kt); void check_replay_iv_consistency(const struct key_type *kt, bool packet_id, bool use_iv); bool check_key(struct key *key, const struct key_type *kt); void fixup_key(struct key *key, const struct key_type *kt); bool write_key(const struct key *key, const struct key_type *kt, struct buffer *buf); int read_key(struct key *key, const struct key_type *kt, struct buffer *buf); /** * Initialize a key_type structure with. * * @param kt The struct key_type to initialize * @param ciphername The name of the cipher to use * @param authname The name of the HMAC digest to use * @param keysize The length of the cipher key to use, in bytes. Only valid * for ciphers that support variable length keys. * @param tls_mode Specifies wether we are running in TLS mode, which allows * more ciphers than static key mode. * @param warn Print warnings when null cipher / auth is used. */ void init_key_type(struct key_type *kt, const char *ciphername, const char *authname, int keysize, bool tls_mode, bool warn); /* * Key context functions */ void init_key_ctx(struct key_ctx *ctx, struct key *key, const struct key_type *kt, int enc, const char *prefix); void free_key_ctx(struct key_ctx *ctx); void init_key_ctx_bi(struct key_ctx_bi *ctx, const struct key2 *key2, int key_direction, const struct key_type *kt, const char *name); void free_key_ctx_bi(struct key_ctx_bi *ctx); /**************************************************************************/ /** @name Functions for performing security operations on data channel packets * @{ */ /** * Encrypt and HMAC sign a packet so that it can be sent as a data channel * VPN tunnel packet to a remote OpenVPN peer. * @ingroup data_crypto * * This function handles encryption and HMAC signing of a data channel * packet before it is sent to its remote OpenVPN peer. It receives the * necessary security parameters in the \a opt argument, which should have * been set to the correct values by the \c tls_pre_encrypt() function. * * This function calls the \c EVP_Cipher* and \c HMAC_* functions of the * OpenSSL library to perform the actual security operations. * * If an error occurs during processing, then the \a buf %buffer is set to * empty. * * @param buf - The %buffer containing the packet on which to * perform security operations. * @param work - An initialized working %buffer. * @param opt - The security parameter state for this VPN tunnel. * * @return This function returns void.\n On return, the \a buf argument * will point to the resulting %buffer. This %buffer will either * contain the processed packet ready for sending, or be empty if an * error occurred. */ void openvpn_encrypt(struct buffer *buf, struct buffer work, struct crypto_options *opt); /** * HMAC verify and decrypt a data channel packet received from a remote * OpenVPN peer. * @ingroup data_crypto * * This function handles authenticating and decrypting a data channel * packet received from a remote OpenVPN peer. It receives the necessary * security parameters in the \a opt argument, which should have been set * to the correct values by the \c tls_pre_decrypt() function. * * This function calls the \c EVP_Cipher* and \c HMAC_* functions of the * OpenSSL library to perform the actual security operations. * * If an error occurs during processing, then the \a buf %buffer is set to * empty. * * @param buf - The %buffer containing the packet received from a * remote OpenVPN peer on which to perform security * operations. * @param work - A working %buffer. * @param opt - The security parameter state for this VPN tunnel. * @param frame - The packet geometry parameters for this VPN * tunnel. * @param ad_start - A pointer into buf, indicating from where to start * authenticating additional data (AEAD mode only). * * @return * @li True, if the packet was authenticated and decrypted successfully. * @li False, if an error occurred. \n On return, the \a buf argument will * point to the resulting %buffer. This %buffer will either contain * the plaintext packet ready for further processing, or be empty if * an error occurred. */ bool openvpn_decrypt(struct buffer *buf, struct buffer work, struct crypto_options *opt, const struct frame *frame, const uint8_t *ad_start); /** @} name Functions for performing security operations on data channel packets */ /** * Check packet ID for replay, and perform replay administration. * * @param opt Crypto options for this packet, contains replay state. * @param pin Packet ID read from packet. * @param error_prefix Prefix to use when printing error messages. * @param gc Garbage collector to use. * * @return true if packet ID is validated to be not a replay, false otherwise. */ bool crypto_check_replay(struct crypto_options *opt, const struct packet_id_net *pin, const char *error_prefix, struct gc_arena *gc); /** Calculate crypto overhead and adjust frame to account for that */ void crypto_adjust_frame_parameters(struct frame *frame, const struct key_type *kt, bool use_iv, bool packet_id, bool packet_id_long_form); /** Return the worst-case OpenVPN crypto overhead (in bytes) */ size_t crypto_max_overhead(void); /* Minimum length of the nonce used by the PRNG */ #define NONCE_SECRET_LEN_MIN 16 /* Maximum length of the nonce used by the PRNG */ #define NONCE_SECRET_LEN_MAX 64 /** Number of bytes of random to allow before resetting the nonce */ #define PRNG_NONCE_RESET_BYTES 1024 /** * Pseudo-random number generator initialisation. * (see \c prng_rand_bytes()) * * @param md_name Name of the message digest to use * @param nonce_secret_len_param Length of the nonce to use */ void prng_init(const char *md_name, const int nonce_secret_len_parm); /* * Message digest-based pseudo random number generator. * * If the PRNG was initialised with a certain message digest, uses the digest * to calculate the next random number, and prevent depletion of the entropy * pool. * * This PRNG is aimed at IV generation and similar miscellaneous tasks. Use * \c rand_bytes() for higher-assurance functionality. * * Retrieves len bytes of pseudo random data, and places it in output. * * @param output Output buffer * @param len Length of the output buffer */ void prng_bytes(uint8_t *output, int len); void prng_uninit(void); void test_crypto(struct crypto_options *co, struct frame *f); /* key direction functions */ void key_direction_state_init(struct key_direction_state *kds, int key_direction); void verify_fix_key2(struct key2 *key2, const struct key_type *kt, const char *shared_secret_file); void must_have_n_keys(const char *filename, const char *option, const struct key2 *key2, int n); int ascii2keydirection(int msglevel, const char *str); const char *keydirection2ascii(int kd, bool remote); /* print keys */ void key2_print(const struct key2 *k, const struct key_type *kt, const char *prefix0, const char *prefix1); void crypto_read_openvpn_key(const struct key_type *key_type, struct key_ctx_bi *ctx, const char *key_file, const char *key_inline, const int key_direction, const char *key_name, const char *opt_name); /* * Inline functions */ /** * As memcmp(), but constant-time. * Returns 0 when data is equal, non-zero otherwise. */ static inline int memcmp_constant_time(const void *a, const void *b, size_t size) { const uint8_t *a1 = a; const uint8_t *b1 = b; int ret = 0; size_t i; for (i = 0; i < size; i++) { ret |= *a1++ ^ *b1++; } return ret; } static inline bool key_ctx_bi_defined(const struct key_ctx_bi *key) { return key->encrypt.cipher || key->encrypt.hmac || key->decrypt.cipher || key->decrypt.hmac; } #endif /* ENABLE_CRYPTO */ #endif /* CRYPTO_H */ openvpn-2.4.4/src/openvpn/crypto_backend.h000066400000000000000000000465531316434344000206410ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * Copyright (C) 2010-2017 Fox Crypto B.V. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ /** * @file Data Channel Cryptography SSL library-specific backend interface */ #ifndef CRYPTO_BACKEND_H_ #define CRYPTO_BACKEND_H_ #ifdef ENABLE_CRYPTO_OPENSSL #include "crypto_openssl.h" #endif #ifdef ENABLE_CRYPTO_MBEDTLS #include "crypto_mbedtls.h" #endif #include "basic.h" /* TLS uses a tag of 128 bytes, let's do the same for OpenVPN */ #define OPENVPN_AEAD_TAG_LENGTH 16 /* Maximum cipher block size (bytes) */ #define OPENVPN_MAX_CIPHER_BLOCK_SIZE 32 /* Maximum HMAC digest size (bytes) */ #define OPENVPN_MAX_HMAC_SIZE 64 /** Types referencing specific message digest hashing algorithms */ typedef enum { MD_SHA1, MD_SHA256 } hash_algo_type ; /** Struct used in cipher name translation table */ typedef struct { const char *openvpn_name; /**< Cipher name used by OpenVPN */ const char *lib_name; /**< Cipher name used by crypto library */ } cipher_name_pair; /** Cipher name translation table */ extern const cipher_name_pair cipher_name_translation_table[]; extern const size_t cipher_name_translation_table_count; /* * This routine should have additional OpenSSL crypto library initialisations * used by both crypto and ssl components of OpenVPN. */ void crypto_init_lib(void); void crypto_uninit_lib(void); void crypto_clear_error(void); /* * Initialise the given named crypto engine. */ void crypto_init_lib_engine(const char *engine_name); #ifdef DMALLOC /* * OpenSSL memory debugging. If dmalloc debugging is enabled, tell * OpenSSL to use our private malloc/realloc/free functions so that * we can dispatch them to dmalloc. */ void crypto_init_dmalloc(void); #endif /* DMALLOC */ /** * Translate a data channel cipher name from the OpenVPN config file * 'language' to the crypto library specific name. */ const char *translate_cipher_name_from_openvpn(const char *cipher_name); /** * Translate a data channel cipher name from the crypto library specific name * to the OpenVPN config file 'language'. */ const char *translate_cipher_name_from_openvpn(const char *cipher_name); void show_available_ciphers(void); void show_available_digests(void); void show_available_engines(void); /* * * Random number functions, used in cases where we want * reasonably strong cryptographic random number generation * without depleting our entropy pool. Used for random * IV values and a number of other miscellaneous tasks. * */ /** * Wrapper for secure random number generator. Retrieves len bytes of random * data, and places it in output. * * @param output Output buffer * @param len Length of the output buffer, in bytes * * @return \c 1 on success, \c 0 on failure */ int rand_bytes(uint8_t *output, int len); /* * * Key functions, allow manipulation of keys. * */ /** * Return number of DES cblocks (1 cblock = length of a single-DES key) for the * current key type or 0 if not a DES cipher. * * @param kt Type of key * * @return Number of DES cblocks that the key consists of, or 0. */ int key_des_num_cblocks(const cipher_kt_t *kt); /* * Check the given DES key. Checks the given key's length, weakness and parity. * * @param key Key to check * @param key_len Length of the key, in bytes * @param ndc Number of DES cblocks that the key is made up of. * * @return \c true if the key is valid, \c false otherwise. */ bool key_des_check(uint8_t *key, int key_len, int ndc); /* * Fix the given DES key, setting its parity to odd. * * @param key Key to check * @param key_len Length of the key, in bytes * @param ndc Number of DES cblocks that the key is made up of. */ void key_des_fixup(uint8_t *key, int key_len, int ndc); /** * Encrypt the given block, using DES ECB mode * * @param key DES key to use. * @param src Buffer containing the 8-byte source. * @param dst Buffer containing the 8-byte destination */ void cipher_des_encrypt_ecb(const unsigned char key[DES_KEY_LENGTH], unsigned char src[DES_KEY_LENGTH], unsigned char dst[DES_KEY_LENGTH]); /* * * Generic cipher key type functions * */ /* * Max size in bytes of any cipher key that might conceivably be used. * * This value is checked at compile time in crypto.c to make sure * it is always at least EVP_MAX_KEY_LENGTH. * * We define our own value, since this parameter * is used to control the size of static key files. * If the OpenSSL library increases EVP_MAX_KEY_LENGTH, * we don't want our key files to be suddenly rendered * unusable. */ #define MAX_CIPHER_KEY_LENGTH 64 /** * Return cipher parameters, based on the given cipher name. The * contents of these parameters are library-specific, and can be used to * initialise encryption/decryption. * * @param ciphername Name of the cipher to retrieve parameters for (e.g. * \c AES-128-CBC). * * @return A statically allocated structure containing parameters * for the given cipher, or NULL if no matching parameters * were found. */ const cipher_kt_t *cipher_kt_get(const char *ciphername); /** * Retrieve a string describing the cipher (e.g. \c AES-128-CBC). * * @param cipher_kt Static cipher parameters * * @return a statically allocated string describing the cipher. */ const char *cipher_kt_name(const cipher_kt_t *cipher_kt); /** * Returns the size of keys used by the cipher, in bytes. If the cipher has a * variable key size, return the default key size. * * @param cipher_kt Static cipher parameters * * @return (Default) size of keys used by the cipher, in bytes. */ int cipher_kt_key_size(const cipher_kt_t *cipher_kt); /** * Returns the size of the IV used by the cipher, in bytes, or 0 if no IV is * used. * * @param cipher_kt Static cipher parameters * * @return Size of the IV, in bytes, or 0 if the cipher does not * use an IV. */ int cipher_kt_iv_size(const cipher_kt_t *cipher_kt); /** * Returns the block size of the cipher, in bytes. * * @param cipher_kt Static cipher parameters * * @return Block size, in bytes. */ int cipher_kt_block_size(const cipher_kt_t *cipher_kt); /** * Returns the MAC tag size of the cipher, in bytes. * * @param ctx Static cipher parameters. * * @return Tag size in bytes, or 0 if the tag size could not be * determined. */ int cipher_kt_tag_size(const cipher_kt_t *cipher_kt); /** * Returns the mode that the cipher runs in. * * @param cipher_kt Static cipher parameters. May not be NULL. * * @return Cipher mode, either \c OPENVPN_MODE_CBC, \c * OPENVPN_MODE_OFB or \c OPENVPN_MODE_CFB */ int cipher_kt_mode(const cipher_kt_t *cipher_kt); /** * Check if the supplied cipher is a supported CBC mode cipher. * * @param cipher Static cipher parameters. * * @return true iff the cipher is a CBC mode cipher. */ bool cipher_kt_mode_cbc(const cipher_kt_t *cipher); /** * Check if the supplied cipher is a supported OFB or CFB mode cipher. * * @param cipher Static cipher parameters. * * @return true iff the cipher is a OFB or CFB mode cipher. */ bool cipher_kt_mode_ofb_cfb(const cipher_kt_t *cipher); /** * Check if the supplied cipher is a supported AEAD mode cipher. * * @param cipher Static cipher parameters. * * @return true iff the cipher is a AEAD mode cipher. */ bool cipher_kt_mode_aead(const cipher_kt_t *cipher); /** * * Generic cipher functions * */ /** * Allocate a new cipher context * * @return a new cipher context */ cipher_ctx_t *cipher_ctx_new(void); /** * Free a cipher context * * @param ctx Cipher context. */ void cipher_ctx_free(cipher_ctx_t *ctx); /** * Initialise a cipher context, based on the given key and key type. * * @param ctx Cipher context. May not be NULL * @param key Buffer containing the key to use * @param key_len Length of the key, in bytes * @param kt Static cipher parameters to use * @param enc Whether to encrypt or decrypt (either * \c MBEDTLS_OP_ENCRYPT or \c MBEDTLS_OP_DECRYPT). */ void cipher_ctx_init(cipher_ctx_t *ctx, uint8_t *key, int key_len, const cipher_kt_t *kt, int enc); /** * Cleanup the specified context. * * @param ctx Cipher context to cleanup. */ void cipher_ctx_cleanup(cipher_ctx_t *ctx); /** * Returns the size of the IV used by the cipher, in bytes, or 0 if no IV is * used. * * @param ctx The cipher's context * * @return Size of the IV, in bytes, or \c 0 if the cipher does not * use an IV or ctx was NULL. */ int cipher_ctx_iv_length(const cipher_ctx_t *ctx); /** * Gets the computed message authenticated code (MAC) tag for this cipher. * * @param ctx The cipher's context * @param tag The buffer to write computed tag in. * @param tag_size The tag buffer size, in bytes. */ int cipher_ctx_get_tag(cipher_ctx_t *ctx, uint8_t *tag, int tag_len); /** * Returns the block size of the cipher, in bytes. * * @param ctx The cipher's context * * @return Block size, in bytes, or 0 if ctx was NULL. */ int cipher_ctx_block_size(const cipher_ctx_t *ctx); /** * Returns the mode that the cipher runs in. * * @param ctx Cipher's context. May not be NULL. * * @return Cipher mode, either \c OPENVPN_MODE_CBC, \c * OPENVPN_MODE_OFB or \c OPENVPN_MODE_CFB */ int cipher_ctx_mode(const cipher_ctx_t *ctx); /** * Returns the static cipher parameters for this context. * * @param ctx Cipher's context. * * @return Static cipher parameters for the supplied context, or * NULL if unable to determine cipher parameters. */ const cipher_kt_t *cipher_ctx_get_cipher_kt(const cipher_ctx_t *ctx); /** * Resets the given cipher context, setting the IV to the specified value. * Preserves the associated key information. * * @param ctx Cipher's context. May not be NULL. * @param iv_buf The IV to use. * * @return \c 0 on failure, \c 1 on success. */ int cipher_ctx_reset(cipher_ctx_t *ctx, uint8_t *iv_buf); /** * Updates the given cipher context, providing additional data (AD) for * authenticated encryption with additional data (AEAD) cipher modes. * * @param ctx Cipher's context. May not be NULL. * @param src Source buffer * @param src_len Length of the source buffer, in bytes * * @return \c 0 on failure, \c 1 on success. */ int cipher_ctx_update_ad(cipher_ctx_t *ctx, const uint8_t *src, int src_len); /** * Updates the given cipher context, encrypting data in the source buffer, and * placing any complete blocks in the destination buffer. * * Note that if a complete block cannot be written, data is cached in the * context, and emitted at a later call to \c cipher_ctx_update, or by a call * to \c cipher_ctx_final(). This implies that dst should have enough room for * src_len + \c cipher_ctx_block_size(). * * @param ctx Cipher's context. May not be NULL. * @param dst Destination buffer * @param dst_len Length of the destination buffer, in bytes * @param src Source buffer * @param src_len Length of the source buffer, in bytes * * @return \c 0 on failure, \c 1 on success. */ int cipher_ctx_update(cipher_ctx_t *ctx, uint8_t *dst, int *dst_len, uint8_t *src, int src_len); /** * Pads the final cipher block using PKCS padding, and output to the destination * buffer. * * @param ctx Cipher's context. May not be NULL. * @param dst Destination buffer * @param dst_len Length of the destination buffer, in bytes * * @return \c 0 on failure, \c 1 on success. */ int cipher_ctx_final(cipher_ctx_t *ctx, uint8_t *dst, int *dst_len); /** * Like \c cipher_ctx_final, but check the computed authentication tag against * the supplied (expected) tag. This function reports failure when the tags * don't match. * * @param ctx Cipher's context. May not be NULL. * @param dst Destination buffer. * @param dst_len Length of the destination buffer, in bytes. * @param tag The expected authentication tag. * @param tag_len The length of tag, in bytes. * * @return \c 0 on failure, \c 1 on success. */ int cipher_ctx_final_check_tag(cipher_ctx_t *ctx, uint8_t *dst, int *dst_len, uint8_t *tag, size_t tag_len); /* * * Generic message digest information functions * */ /* * Max size in bytes of any HMAC key that might conceivably be used. * * This value is checked at compile time in crypto.c to make sure * it is always at least EVP_MAX_MD_SIZE. We define our own value * for the same reason as above. */ #define MAX_HMAC_KEY_LENGTH 64 /** * Return message digest parameters, based on the given digest name. The * contents of these parameters are library-specific, and can be used to * initialise HMAC or message digest operations. * * @param digest Name of the digest to retrieve parameters for (e.g. * \c MD5). * * @return A statically allocated structure containing parameters * for the given message digest. */ const md_kt_t *md_kt_get(const char *digest); /** * Retrieve a string describing the digest digest (e.g. \c SHA1). * * @param kt Static message digest parameters * * @return Statically allocated string describing the message * digest. */ const char *md_kt_name(const md_kt_t *kt); /** * Returns the size of the message digest, in bytes. * * @param kt Static message digest parameters * * @return Message digest size, in bytes, or 0 if ctx was NULL. */ int md_kt_size(const md_kt_t *kt); /* * * Generic message digest functions * */ /* * Calculates the message digest for the given buffer. * * @param kt Static message digest parameters * @param src Buffer to digest. May not be NULL. * @param src_len The length of the incoming buffer. * @param dst Buffer to write the message digest to. May not be NULL. * * @return \c 1 on success, \c 0 on failure */ int md_full(const md_kt_t *kt, const uint8_t *src, int src_len, uint8_t *dst); /* * Allocate a new message digest context * * @return a new zeroed MD context */ md_ctx_t *md_ctx_new(void); /* * Free an existing, non-null message digest context * * @param ctx Message digest context */ void md_ctx_free(md_ctx_t *ctx); /* * Initialises the given message digest context. * * @param ctx Message digest context * @param kt Static message digest parameters */ void md_ctx_init(md_ctx_t *ctx, const md_kt_t *kt); /* * Free the given message digest context. * * @param ctx Message digest context */ void md_ctx_cleanup(md_ctx_t *ctx); /* * Returns the size of the message digest output by the given context * * @param ctx Message digest context. * * @return Size of the message digest, or \0 if ctx is NULL. */ int md_ctx_size(const md_ctx_t *ctx); /* * Process the given data for use in the message digest. * * @param ctx Message digest context. May not be NULL. * @param src Buffer to digest. May not be NULL. * @param src_len The length of the incoming buffer. */ void md_ctx_update(md_ctx_t *ctx, const uint8_t *src, int src_len); /* * Output the message digest to the given buffer. * * @param ctx Message digest context. May not be NULL. * @param dst Buffer to write the message digest to. May not be NULL. */ void md_ctx_final(md_ctx_t *ctx, uint8_t *dst); /* * * Generic HMAC functions * */ /* * Create a new HMAC context * * @return A new HMAC context */ hmac_ctx_t *hmac_ctx_new(void); /* * Free an existing HMAC context * * @param ctx HMAC context to free */ void hmac_ctx_free(hmac_ctx_t *ctx); /* * Initialises the given HMAC context, using the given digest * and key. * * @param ctx HMAC context to intialise * @param key The key to use for the HMAC * @param key_len The key length to use * @param kt Static message digest parameters * */ void hmac_ctx_init(hmac_ctx_t *ctx, const uint8_t *key, int key_length, const md_kt_t *kt); /* * Free the given HMAC context. * * @param ctx HMAC context */ void hmac_ctx_cleanup(hmac_ctx_t *ctx); /* * Returns the size of the HMAC output by the given HMAC Context * * @param ctx HMAC context. * * @return Size of the HMAC, or \0 if ctx is NULL. */ int hmac_ctx_size(const hmac_ctx_t *ctx); /* * Resets the given HMAC context, preserving the associated key information * * @param ctx HMAC context. May not be NULL. */ void hmac_ctx_reset(hmac_ctx_t *ctx); /* * Process the given data for use in the HMAC. * * @param ctx HMAC context. May not be NULL. * @param src The buffer to HMAC. May not be NULL. * @param src_len The length of the incoming buffer. */ void hmac_ctx_update(hmac_ctx_t *ctx, const uint8_t *src, int src_len); /* * Output the HMAC to the given buffer. * * @param ctx HMAC context. May not be NULL. * @param dst buffer to write the HMAC to. May not be NULL. */ void hmac_ctx_final(hmac_ctx_t *ctx, uint8_t *dst); /** * Translate an OpenVPN cipher name to a crypto library cipher name. * * @param cipher_name An OpenVPN cipher name * * @return The corresponding crypto library cipher name, or NULL * if no matching cipher name was found. */ const char *translate_cipher_name_from_openvpn(const char *cipher_name); /** * Translate a crypto library cipher name to an OpenVPN cipher name. * * @param cipher_name A crypto library cipher name * * @return The corresponding OpenVPN cipher name, or NULL if no * matching cipher name was found. */ const char *translate_cipher_name_to_openvpn(const char *cipher_name); #endif /* CRYPTO_BACKEND_H_ */ openvpn-2.4.4/src/openvpn/crypto_mbedtls.c000066400000000000000000000462241316434344000206720ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * Copyright (C) 2010-2017 Fox Crypto B.V. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ /** * @file Data Channel Cryptography mbed TLS-specific backend interface */ #ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) #include "config-msvc.h" #endif #include "syshead.h" #if defined(ENABLE_CRYPTO) && defined(ENABLE_CRYPTO_MBEDTLS) #include "errlevel.h" #include "basic.h" #include "buffer.h" #include "integer.h" #include "crypto_backend.h" #include "otime.h" #include "misc.h" #include #include #include #include #include #include /* * * Hardware engine support. Allows loading/unloading of engines. * */ void crypto_init_lib_engine(const char *engine_name) { msg(M_WARN, "Note: mbed TLS hardware crypto engine functionality is not " "available"); } /* * * Functions related to the core crypto library * */ void crypto_init_lib(void) { } void crypto_uninit_lib(void) { } void crypto_clear_error(void) { } bool mbed_log_err(unsigned int flags, int errval, const char *prefix) { if (0 != errval) { char errstr[256]; mbedtls_strerror(errval, errstr, sizeof(errstr)); if (NULL == prefix) { prefix = "mbed TLS error"; } msg(flags, "%s: %s", prefix, errstr); } return 0 == errval; } bool mbed_log_func_line(unsigned int flags, int errval, const char *func, int line) { char prefix[256]; if (!openvpn_snprintf(prefix, sizeof(prefix), "%s:%d", func, line)) { return mbed_log_err(flags, errval, func); } return mbed_log_err(flags, errval, prefix); } #ifdef DMALLOC void crypto_init_dmalloc(void) { msg(M_ERR, "Error: dmalloc support is not available for mbed TLS."); } #endif /* DMALLOC */ const cipher_name_pair cipher_name_translation_table[] = { { "BF-CBC", "BLOWFISH-CBC" }, { "BF-CFB", "BLOWFISH-CFB64" }, { "CAMELLIA-128-CFB", "CAMELLIA-128-CFB128" }, { "CAMELLIA-192-CFB", "CAMELLIA-192-CFB128" }, { "CAMELLIA-256-CFB", "CAMELLIA-256-CFB128" } }; const size_t cipher_name_translation_table_count = sizeof(cipher_name_translation_table) / sizeof(*cipher_name_translation_table); static void print_cipher(const cipher_kt_t *info) { if (info && (cipher_kt_mode_cbc(info) #ifdef HAVE_AEAD_CIPHER_MODES || cipher_kt_mode_aead(info) #endif )) { const char *ssl_only = cipher_kt_mode_cbc(info) ? "" : ", TLS client/server mode only"; const char *var_key_size = info->flags & MBEDTLS_CIPHER_VARIABLE_KEY_LEN ? " by default" : ""; printf("%s (%d bit key%s, %d bit block%s)\n", cipher_kt_name(info), cipher_kt_key_size(info) * 8, var_key_size, cipher_kt_block_size(info) * 8, ssl_only); } } void show_available_ciphers(void) { const int *ciphers = mbedtls_cipher_list(); #ifndef ENABLE_SMALL printf("The following ciphers and cipher modes are available for use\n" "with " PACKAGE_NAME ". Each cipher shown below may be used as a\n" "parameter to the --cipher option. Using a CBC or GCM mode is\n" "recommended. In static key mode only CBC mode is allowed.\n\n"); #endif while (*ciphers != 0) { const cipher_kt_t *info = mbedtls_cipher_info_from_type(*ciphers); if (info && cipher_kt_block_size(info) >= 128/8) { print_cipher(info); } ciphers++; } printf("\nThe following ciphers have a block size of less than 128 bits, \n" "and are therefore deprecated. Do not use unless you have to.\n\n"); ciphers = mbedtls_cipher_list(); while (*ciphers != 0) { const cipher_kt_t *info = mbedtls_cipher_info_from_type(*ciphers); if (info && cipher_kt_block_size(info) < 128/8) { print_cipher(info); } ciphers++; } printf("\n"); } void show_available_digests(void) { const int *digests = mbedtls_md_list(); #ifndef ENABLE_SMALL printf("The following message digests are available for use with\n" PACKAGE_NAME ". A message digest is used in conjunction with\n" "the HMAC function, to authenticate received packets.\n" "You can specify a message digest as parameter to\n" "the --auth option.\n\n"); #endif while (*digests != 0) { const mbedtls_md_info_t *info = mbedtls_md_info_from_type(*digests); if (info) { printf("%s %d bit default key\n", mbedtls_md_get_name(info), mbedtls_md_get_size(info) * 8); } digests++; } printf("\n"); } void show_available_engines(void) { printf("Sorry, mbed TLS hardware crypto engine functionality is not " "available\n"); } /* * * Random number functions, used in cases where we want * reasonably strong cryptographic random number generation * without depleting our entropy pool. Used for random * IV values and a number of other miscellaneous tasks. * */ /* * Initialise the given ctr_drbg context, using a personalisation string and an * entropy gathering function. */ mbedtls_ctr_drbg_context * rand_ctx_get(void) { static mbedtls_entropy_context ec = {0}; static mbedtls_ctr_drbg_context cd_ctx = {0}; static bool rand_initialised = false; if (!rand_initialised) { struct gc_arena gc = gc_new(); struct buffer pers_string = alloc_buf_gc(100, &gc); /* * Personalisation string, should be as unique as possible (see NIST * 800-90 section 8.7.1). We have very little information at this stage. * Include Program Name, memory address of the context and PID. */ buf_printf(&pers_string, "OpenVPN %0u %p %s", platform_getpid(), &cd_ctx, time_string(0, 0, 0, &gc)); /* Initialise mbed TLS RNG, and built-in entropy sources */ mbedtls_entropy_init(&ec); mbedtls_ctr_drbg_init(&cd_ctx); if (!mbed_ok(mbedtls_ctr_drbg_seed(&cd_ctx, mbedtls_entropy_func, &ec, BPTR(&pers_string), BLEN(&pers_string)))) { msg(M_FATAL, "Failed to initialize random generator"); } gc_free(&gc); rand_initialised = true; } return &cd_ctx; } #ifdef ENABLE_PREDICTION_RESISTANCE void rand_ctx_enable_prediction_resistance(void) { mbedtls_ctr_drbg_context *cd_ctx = rand_ctx_get(); mbedtls_ctr_drbg_set_prediction_resistance(cd_ctx, 1); } #endif /* ENABLE_PREDICTION_RESISTANCE */ int rand_bytes(uint8_t *output, int len) { mbedtls_ctr_drbg_context *rng_ctx = rand_ctx_get(); while (len > 0) { const size_t blen = min_int(len, MBEDTLS_CTR_DRBG_MAX_REQUEST); if (0 != mbedtls_ctr_drbg_random(rng_ctx, output, blen)) { return 0; } output += blen; len -= blen; } return 1; } /* * * Key functions, allow manipulation of keys. * */ int key_des_num_cblocks(const mbedtls_cipher_info_t *kt) { int ret = 0; if (kt->type == MBEDTLS_CIPHER_DES_CBC) { ret = 1; } if (kt->type == MBEDTLS_CIPHER_DES_EDE_CBC) { ret = 2; } if (kt->type == MBEDTLS_CIPHER_DES_EDE3_CBC) { ret = 3; } dmsg(D_CRYPTO_DEBUG, "CRYPTO INFO: n_DES_cblocks=%d", ret); return ret; } bool key_des_check(uint8_t *key, int key_len, int ndc) { int i; struct buffer b; buf_set_read(&b, key, key_len); for (i = 0; i < ndc; ++i) { unsigned char *key = buf_read_alloc(&b, MBEDTLS_DES_KEY_SIZE); if (!key) { msg(D_CRYPT_ERRORS, "CRYPTO INFO: check_key_DES: insufficient key material"); goto err; } if (0 != mbedtls_des_key_check_weak(key)) { msg(D_CRYPT_ERRORS, "CRYPTO INFO: check_key_DES: weak key detected"); goto err; } if (0 != mbedtls_des_key_check_key_parity(key)) { msg(D_CRYPT_ERRORS, "CRYPTO INFO: check_key_DES: bad parity detected"); goto err; } } return true; err: return false; } void key_des_fixup(uint8_t *key, int key_len, int ndc) { int i; struct buffer b; buf_set_read(&b, key, key_len); for (i = 0; i < ndc; ++i) { unsigned char *key = buf_read_alloc(&b, MBEDTLS_DES_KEY_SIZE); if (!key) { msg(D_CRYPT_ERRORS, "CRYPTO INFO: fixup_key_DES: insufficient key material"); return; } mbedtls_des_key_set_parity(key); } } /* * * Generic cipher key type functions * */ const mbedtls_cipher_info_t * cipher_kt_get(const char *ciphername) { const mbedtls_cipher_info_t *cipher = NULL; ASSERT(ciphername); cipher = mbedtls_cipher_info_from_string(ciphername); if (NULL == cipher) { msg(D_LOW, "Cipher algorithm '%s' not found", ciphername); return NULL; } if (cipher->key_bitlen/8 > MAX_CIPHER_KEY_LENGTH) { msg(D_LOW, "Cipher algorithm '%s' uses a default key size (%d bytes) " "which is larger than " PACKAGE_NAME "'s current maximum key size " "(%d bytes)", ciphername, cipher->key_bitlen/8, MAX_CIPHER_KEY_LENGTH); return NULL; } return cipher; } const char * cipher_kt_name(const mbedtls_cipher_info_t *cipher_kt) { if (NULL == cipher_kt) { return "[null-cipher]"; } return translate_cipher_name_to_openvpn(cipher_kt->name); } int cipher_kt_key_size(const mbedtls_cipher_info_t *cipher_kt) { if (NULL == cipher_kt) { return 0; } return cipher_kt->key_bitlen/8; } int cipher_kt_iv_size(const mbedtls_cipher_info_t *cipher_kt) { if (NULL == cipher_kt) { return 0; } return cipher_kt->iv_size; } int cipher_kt_block_size(const mbedtls_cipher_info_t *cipher_kt) { if (NULL == cipher_kt) { return 0; } return cipher_kt->block_size; } int cipher_kt_tag_size(const mbedtls_cipher_info_t *cipher_kt) { #ifdef HAVE_AEAD_CIPHER_MODES if (cipher_kt && cipher_kt_mode_aead(cipher_kt)) { return OPENVPN_AEAD_TAG_LENGTH; } #endif return 0; } int cipher_kt_mode(const mbedtls_cipher_info_t *cipher_kt) { ASSERT(NULL != cipher_kt); return cipher_kt->mode; } bool cipher_kt_mode_cbc(const cipher_kt_t *cipher) { return cipher && cipher_kt_mode(cipher) == OPENVPN_MODE_CBC; } bool cipher_kt_mode_ofb_cfb(const cipher_kt_t *cipher) { return cipher && (cipher_kt_mode(cipher) == OPENVPN_MODE_OFB || cipher_kt_mode(cipher) == OPENVPN_MODE_CFB); } bool cipher_kt_mode_aead(const cipher_kt_t *cipher) { return cipher && cipher_kt_mode(cipher) == OPENVPN_MODE_GCM; } /* * * Generic cipher context functions * */ mbedtls_cipher_context_t * cipher_ctx_new(void) { mbedtls_cipher_context_t *ctx; ALLOC_OBJ(ctx, mbedtls_cipher_context_t); return ctx; } void cipher_ctx_free(mbedtls_cipher_context_t *ctx) { free(ctx); } void cipher_ctx_init(mbedtls_cipher_context_t *ctx, uint8_t *key, int key_len, const mbedtls_cipher_info_t *kt, const mbedtls_operation_t operation) { ASSERT(NULL != kt && NULL != ctx); CLEAR(*ctx); if (!mbed_ok(mbedtls_cipher_setup(ctx, kt))) { msg(M_FATAL, "mbed TLS cipher context init #1"); } if (!mbed_ok(mbedtls_cipher_setkey(ctx, key, key_len*8, operation))) { msg(M_FATAL, "mbed TLS cipher set key"); } /* make sure we used a big enough key */ ASSERT(ctx->key_bitlen <= key_len*8); } void cipher_ctx_cleanup(mbedtls_cipher_context_t *ctx) { mbedtls_cipher_free(ctx); } int cipher_ctx_iv_length(const mbedtls_cipher_context_t *ctx) { return mbedtls_cipher_get_iv_size(ctx); } int cipher_ctx_get_tag(cipher_ctx_t *ctx, uint8_t *tag, int tag_len) { #ifdef HAVE_AEAD_CIPHER_MODES if (tag_len > SIZE_MAX) { return 0; } if (!mbed_ok(mbedtls_cipher_write_tag(ctx, (unsigned char *) tag, tag_len))) { return 0; } return 1; #else /* ifdef HAVE_AEAD_CIPHER_MODES */ ASSERT(0); #endif /* HAVE_AEAD_CIPHER_MODES */ } int cipher_ctx_block_size(const mbedtls_cipher_context_t *ctx) { return mbedtls_cipher_get_block_size(ctx); } int cipher_ctx_mode(const mbedtls_cipher_context_t *ctx) { ASSERT(NULL != ctx); return cipher_kt_mode(ctx->cipher_info); } const cipher_kt_t * cipher_ctx_get_cipher_kt(const cipher_ctx_t *ctx) { return ctx ? ctx->cipher_info : NULL; } int cipher_ctx_reset(mbedtls_cipher_context_t *ctx, uint8_t *iv_buf) { if (!mbed_ok(mbedtls_cipher_reset(ctx))) { return 0; } if (!mbed_ok(mbedtls_cipher_set_iv(ctx, iv_buf, ctx->cipher_info->iv_size))) { return 0; } return 1; } int cipher_ctx_update_ad(cipher_ctx_t *ctx, const uint8_t *src, int src_len) { #ifdef HAVE_AEAD_CIPHER_MODES if (src_len > SIZE_MAX) { return 0; } if (!mbed_ok(mbedtls_cipher_update_ad(ctx, src, src_len))) { return 0; } return 1; #else /* ifdef HAVE_AEAD_CIPHER_MODES */ ASSERT(0); #endif /* HAVE_AEAD_CIPHER_MODES */ } int cipher_ctx_update(mbedtls_cipher_context_t *ctx, uint8_t *dst, int *dst_len, uint8_t *src, int src_len) { size_t s_dst_len = *dst_len; if (!mbed_ok(mbedtls_cipher_update(ctx, src, (size_t) src_len, dst, &s_dst_len))) { return 0; } *dst_len = s_dst_len; return 1; } int cipher_ctx_final(mbedtls_cipher_context_t *ctx, uint8_t *dst, int *dst_len) { size_t s_dst_len = *dst_len; if (!mbed_ok(mbedtls_cipher_finish(ctx, dst, &s_dst_len))) { return 0; } *dst_len = s_dst_len; return 1; } int cipher_ctx_final_check_tag(mbedtls_cipher_context_t *ctx, uint8_t *dst, int *dst_len, uint8_t *tag, size_t tag_len) { #ifdef HAVE_AEAD_CIPHER_MODES size_t olen = 0; if (MBEDTLS_DECRYPT != ctx->operation) { return 0; } if (tag_len > SIZE_MAX) { return 0; } if (!mbed_ok(mbedtls_cipher_finish(ctx, dst, &olen))) { msg(D_CRYPT_ERRORS, "%s: cipher_ctx_final() failed", __func__); return 0; } if (olen > INT_MAX) { return 0; } *dst_len = olen; if (!mbed_ok(mbedtls_cipher_check_tag(ctx, (const unsigned char *) tag, tag_len))) { return 0; } return 1; #else /* ifdef HAVE_AEAD_CIPHER_MODES */ ASSERT(0); #endif /* HAVE_AEAD_CIPHER_MODES */ } void cipher_des_encrypt_ecb(const unsigned char key[DES_KEY_LENGTH], unsigned char *src, unsigned char *dst) { mbedtls_des_context ctx; ASSERT(mbed_ok(mbedtls_des_setkey_enc(&ctx, key))); ASSERT(mbed_ok(mbedtls_des_crypt_ecb(&ctx, src, dst))); } /* * * Generic message digest information functions * */ const mbedtls_md_info_t * md_kt_get(const char *digest) { const mbedtls_md_info_t *md = NULL; ASSERT(digest); md = mbedtls_md_info_from_string(digest); if (!md) { msg(M_FATAL, "Message hash algorithm '%s' not found", digest); } if (mbedtls_md_get_size(md) > MAX_HMAC_KEY_LENGTH) { msg(M_FATAL, "Message hash algorithm '%s' uses a default hash size (%d bytes) which is larger than " PACKAGE_NAME "'s current maximum hash size (%d bytes)", digest, mbedtls_md_get_size(md), MAX_HMAC_KEY_LENGTH); } return md; } const char * md_kt_name(const mbedtls_md_info_t *kt) { if (NULL == kt) { return "[null-digest]"; } return mbedtls_md_get_name(kt); } int md_kt_size(const mbedtls_md_info_t *kt) { if (NULL == kt) { return 0; } return mbedtls_md_get_size(kt); } /* * * Generic message digest functions * */ int md_full(const md_kt_t *kt, const uint8_t *src, int src_len, uint8_t *dst) { return 0 == mbedtls_md(kt, src, src_len, dst); } mbedtls_md_context_t * md_ctx_new(void) { mbedtls_md_context_t *ctx; ALLOC_OBJ_CLEAR(ctx, mbedtls_md_context_t); return ctx; } void md_ctx_free(mbedtls_md_context_t *ctx) { free(ctx); } void md_ctx_init(mbedtls_md_context_t *ctx, const mbedtls_md_info_t *kt) { ASSERT(NULL != ctx && NULL != kt); mbedtls_md_init(ctx); ASSERT(0 == mbedtls_md_setup(ctx, kt, 0)); ASSERT(0 == mbedtls_md_starts(ctx)); } void md_ctx_cleanup(mbedtls_md_context_t *ctx) { } int md_ctx_size(const mbedtls_md_context_t *ctx) { if (NULL == ctx) { return 0; } return mbedtls_md_get_size(ctx->md_info); } void md_ctx_update(mbedtls_md_context_t *ctx, const uint8_t *src, int src_len) { ASSERT(0 == mbedtls_md_update(ctx, src, src_len)); } void md_ctx_final(mbedtls_md_context_t *ctx, uint8_t *dst) { ASSERT(0 == mbedtls_md_finish(ctx, dst)); mbedtls_md_free(ctx); } /* * * Generic HMAC functions * */ /* * TODO: re-enable dmsg for crypto debug */ mbedtls_md_context_t * hmac_ctx_new(void) { mbedtls_md_context_t *ctx; ALLOC_OBJ(ctx, mbedtls_md_context_t); return ctx; } void hmac_ctx_free(mbedtls_md_context_t *ctx) { free(ctx); } void hmac_ctx_init(mbedtls_md_context_t *ctx, const uint8_t *key, int key_len, const mbedtls_md_info_t *kt) { ASSERT(NULL != kt && NULL != ctx); mbedtls_md_init(ctx); ASSERT(0 == mbedtls_md_setup(ctx, kt, 1)); ASSERT(0 == mbedtls_md_hmac_starts(ctx, key, key_len)); /* make sure we used a big enough key */ ASSERT(mbedtls_md_get_size(kt) <= key_len); } void hmac_ctx_cleanup(mbedtls_md_context_t *ctx) { mbedtls_md_free(ctx); } int hmac_ctx_size(const mbedtls_md_context_t *ctx) { if (NULL == ctx) { return 0; } return mbedtls_md_get_size(ctx->md_info); } void hmac_ctx_reset(mbedtls_md_context_t *ctx) { ASSERT(0 == mbedtls_md_hmac_reset(ctx)); } void hmac_ctx_update(mbedtls_md_context_t *ctx, const uint8_t *src, int src_len) { ASSERT(0 == mbedtls_md_hmac_update(ctx, src, src_len)); } void hmac_ctx_final(mbedtls_md_context_t *ctx, uint8_t *dst) { ASSERT(0 == mbedtls_md_hmac_finish(ctx, dst)); } #endif /* ENABLE_CRYPTO && ENABLE_CRYPTO_MBEDTLS */ openvpn-2.4.4/src/openvpn/crypto_mbedtls.h000066400000000000000000000115021316434344000206660ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * Copyright (C) 2010-2017 Fox Crypto B.V. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ /** * @file Data Channel Cryptography mbed TLS-specific backend interface */ #ifndef CRYPTO_MBEDTLS_H_ #define CRYPTO_MBEDTLS_H_ #include #include #include /** Generic cipher key type %context. */ typedef mbedtls_cipher_info_t cipher_kt_t; /** Generic message digest key type %context. */ typedef mbedtls_md_info_t md_kt_t; /** Generic cipher %context. */ typedef mbedtls_cipher_context_t cipher_ctx_t; /** Generic message digest %context. */ typedef mbedtls_md_context_t md_ctx_t; /** Generic HMAC %context. */ typedef mbedtls_md_context_t hmac_ctx_t; /** Maximum length of an IV */ #define OPENVPN_MAX_IV_LENGTH MBEDTLS_MAX_IV_LENGTH /** Cipher is in CBC mode */ #define OPENVPN_MODE_CBC MBEDTLS_MODE_CBC /** Cipher is in OFB mode */ #define OPENVPN_MODE_OFB MBEDTLS_MODE_OFB /** Cipher is in CFB mode */ #define OPENVPN_MODE_CFB MBEDTLS_MODE_CFB /** Cipher is in GCM mode */ #define OPENVPN_MODE_GCM MBEDTLS_MODE_GCM /** Cipher should encrypt */ #define OPENVPN_OP_ENCRYPT MBEDTLS_ENCRYPT /** Cipher should decrypt */ #define OPENVPN_OP_DECRYPT MBEDTLS_DECRYPT #define MD4_DIGEST_LENGTH 16 #define MD5_DIGEST_LENGTH 16 #define SHA_DIGEST_LENGTH 20 #define SHA256_DIGEST_LENGTH 32 #define DES_KEY_LENGTH 8 /** * Returns a singleton instance of the mbed TLS random number generator. * * For PolarSSL/mbed TLS 1.1+, this is the CTR_DRBG random number generator. If it * hasn't been initialised yet, the RNG will be initialised using the default * entropy sources. Aside from the default platform entropy sources, an * additional entropy source, the HAVEGE random number generator will also be * added. During initialisation, a personalisation string will be added based * on the time, the PID, and a pointer to the random context. */ mbedtls_ctr_drbg_context *rand_ctx_get(void); #ifdef ENABLE_PREDICTION_RESISTANCE /** * Enable prediction resistance on the random number generator. */ void rand_ctx_enable_prediction_resistance(void); #endif /** * Log the supplied mbed TLS error, prefixed by supplied prefix. * * @param flags Flags to indicate error type and priority. * @param errval mbed TLS error code to convert to error message. * @param prefix Prefix to mbed TLS error message. * * @returns true if no errors are detected, false otherwise. */ bool mbed_log_err(unsigned int flags, int errval, const char *prefix); /** * Log the supplied mbed TLS error, prefixed by function name and line number. * * @param flags Flags to indicate error type and priority. * @param errval mbed TLS error code to convert to error message. * @param func Function name where error was reported. * @param line Line number where error was reported. * * @returns true if no errors are detected, false otherwise. */ bool mbed_log_func_line(unsigned int flags, int errval, const char *func, int line); /** Wraps mbed_log_func_line() to prevent function calls for non-errors */ static inline bool mbed_log_func_line_lite(unsigned int flags, int errval, const char *func, int line) { if (errval) { return mbed_log_func_line(flags, errval, func, line); } return true; } /** * Check errval and log on error. * * Convenience wrapper to put around mbed TLS library calls, e.g. * if (!mbed_ok (mbedtls_ssl_func())) return 0; * or * ASSERT (mbed_ok (mbedtls_ssl_func())); * * @param errval mbed TLS error code to convert to error message. * * @returns true if no errors are detected, false otherwise. */ #define mbed_ok(errval) \ mbed_log_func_line_lite(D_CRYPT_ERRORS, errval, __func__, __LINE__) #endif /* CRYPTO_MBEDTLS_H_ */ openvpn-2.4.4/src/openvpn/crypto_openssl.c000066400000000000000000000532331316434344000207210ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * Copyright (C) 2010-2017 Fox Crypto B.V. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ /** * @file Data Channel Cryptography OpenSSL-specific backend interface */ #ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) #include "config-msvc.h" #endif #include "syshead.h" #if defined(ENABLE_CRYPTO) && defined(ENABLE_CRYPTO_OPENSSL) #include "basic.h" #include "buffer.h" #include "integer.h" #include "crypto.h" #include "crypto_backend.h" #include "openssl_compat.h" #include #include #include #include #include #include /* * Check for key size creepage. */ #if MAX_CIPHER_KEY_LENGTH < EVP_MAX_KEY_LENGTH #warning Some OpenSSL EVP ciphers now support key lengths greater than MAX_CIPHER_KEY_LENGTH -- consider increasing MAX_CIPHER_KEY_LENGTH #endif #if MAX_HMAC_KEY_LENGTH < EVP_MAX_MD_SIZE #warning Some OpenSSL HMAC message digests now support key lengths greater than MAX_HMAC_KEY_LENGTH -- consider increasing MAX_HMAC_KEY_LENGTH #endif #if HAVE_OPENSSL_ENGINE #include static bool engine_initialized = false; /* GLOBAL */ static ENGINE *engine_persist = NULL; /* GLOBAL */ /* Try to load an engine in a shareable library */ static ENGINE * try_load_engine(const char *engine) { ENGINE *e = ENGINE_by_id("dynamic"); if (e) { if (!ENGINE_ctrl_cmd_string(e, "SO_PATH", engine, 0) || !ENGINE_ctrl_cmd_string(e, "LOAD", NULL, 0)) { ENGINE_free(e); e = NULL; } } return e; } static ENGINE * setup_engine(const char *engine) { ENGINE *e = NULL; ENGINE_load_builtin_engines(); if (engine) { if (strcmp(engine, "auto") == 0) { msg(M_INFO, "Initializing OpenSSL auto engine support"); ENGINE_register_all_complete(); return NULL; } if ((e = ENGINE_by_id(engine)) == NULL && (e = try_load_engine(engine)) == NULL) { crypto_msg(M_FATAL, "OpenSSL error: cannot load engine '%s'", engine); } if (!ENGINE_set_default(e, ENGINE_METHOD_ALL)) { crypto_msg(M_FATAL, "OpenSSL error: ENGINE_set_default failed on engine '%s'", engine); } msg(M_INFO, "Initializing OpenSSL support for engine '%s'", ENGINE_get_id(e)); } return e; } #endif /* HAVE_OPENSSL_ENGINE */ void crypto_init_lib_engine(const char *engine_name) { #if HAVE_OPENSSL_ENGINE if (!engine_initialized) { ASSERT(engine_name); ASSERT(!engine_persist); engine_persist = setup_engine(engine_name); engine_initialized = true; } #else /* if HAVE_OPENSSL_ENGINE */ msg(M_WARN, "Note: OpenSSL hardware crypto engine functionality is not available"); #endif } /* * * Functions related to the core crypto library * */ void crypto_init_lib(void) { /* * If you build the OpenSSL library and OpenVPN with * CRYPTO_MDEBUG, you will get a listing of OpenSSL * memory leaks on program termination. */ #ifdef CRYPTO_MDEBUG CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON); #endif } void crypto_uninit_lib(void) { #ifdef CRYPTO_MDEBUG FILE *fp = fopen("sdlog", "w"); ASSERT(fp); CRYPTO_mem_leaks_fp(fp); fclose(fp); #endif #if HAVE_OPENSSL_ENGINE if (engine_initialized) { ENGINE_cleanup(); engine_persist = NULL; engine_initialized = false; } #endif } void crypto_clear_error(void) { ERR_clear_error(); } void crypto_print_openssl_errors(const unsigned int flags) { size_t err = 0; while ((err = ERR_get_error())) { /* Be more clear about frequently occurring "no shared cipher" error */ if (ERR_GET_REASON(err) == SSL_R_NO_SHARED_CIPHER) { msg(D_CRYPT_ERRORS, "TLS error: The server has no TLS ciphersuites " "in common with the client. Your --tls-cipher setting might be " "too restrictive."); } msg(flags, "OpenSSL: %s", ERR_error_string(err, NULL)); } } /* * * OpenSSL memory debugging. If dmalloc debugging is enabled, tell * OpenSSL to use our private malloc/realloc/free functions so that * we can dispatch them to dmalloc. * */ #ifdef DMALLOC static void * crypto_malloc(size_t size, const char *file, int line) { return dmalloc_malloc(file, line, size, DMALLOC_FUNC_MALLOC, 0, 0); } static void * crypto_realloc(void *ptr, size_t size, const char *file, int line) { return dmalloc_realloc(file, line, ptr, size, DMALLOC_FUNC_REALLOC, 0); } static void crypto_free(void *ptr) { dmalloc_free(__FILE__, __LINE__, ptr, DMALLOC_FUNC_FREE); } void crypto_init_dmalloc(void) { CRYPTO_set_mem_ex_functions(crypto_malloc, crypto_realloc, crypto_free); } #endif /* DMALLOC */ const cipher_name_pair cipher_name_translation_table[] = { { "AES-128-GCM", "id-aes128-GCM" }, { "AES-192-GCM", "id-aes192-GCM" }, { "AES-256-GCM", "id-aes256-GCM" }, }; const size_t cipher_name_translation_table_count = sizeof(cipher_name_translation_table) / sizeof(*cipher_name_translation_table); static int cipher_name_cmp(const void *a, const void *b) { const EVP_CIPHER *const *cipher_a = a; const EVP_CIPHER *const *cipher_b = b; const char *cipher_name_a = translate_cipher_name_to_openvpn(EVP_CIPHER_name(*cipher_a)); const char *cipher_name_b = translate_cipher_name_to_openvpn(EVP_CIPHER_name(*cipher_b)); return strcmp(cipher_name_a, cipher_name_b); } static void print_cipher(const EVP_CIPHER *cipher) { const char *var_key_size = (EVP_CIPHER_flags(cipher) & EVP_CIPH_VARIABLE_LENGTH) ? " by default" : ""; const char *ssl_only = cipher_kt_mode_cbc(cipher) ? "" : ", TLS client/server mode only"; printf("%s (%d bit key%s, %d bit block%s)\n", translate_cipher_name_to_openvpn(EVP_CIPHER_name(cipher)), EVP_CIPHER_key_length(cipher) * 8, var_key_size, cipher_kt_block_size(cipher) * 8, ssl_only); } void show_available_ciphers(void) { int nid; size_t i; /* If we ever exceed this, we must be more selective */ const EVP_CIPHER *cipher_list[1000]; size_t num_ciphers = 0; #ifndef ENABLE_SMALL printf("The following ciphers and cipher modes are available for use\n" "with " PACKAGE_NAME ". Each cipher shown below may be use as a\n" "parameter to the --cipher option. The default key size is\n" "shown as well as whether or not it can be changed with the\n" "--keysize directive. Using a CBC or GCM mode is recommended.\n" "In static key mode only CBC mode is allowed.\n\n"); #endif for (nid = 0; nid < 10000; ++nid) { const EVP_CIPHER *cipher = EVP_get_cipherbynid(nid); if (cipher && (cipher_kt_mode_cbc(cipher) #ifdef ENABLE_OFB_CFB_MODE || cipher_kt_mode_ofb_cfb(cipher) #endif #ifdef HAVE_AEAD_CIPHER_MODES || cipher_kt_mode_aead(cipher) #endif )) { cipher_list[num_ciphers++] = cipher; } if (num_ciphers == (sizeof(cipher_list)/sizeof(*cipher_list))) { msg(M_WARN, "WARNING: Too many ciphers, not showing all"); break; } } qsort(cipher_list, num_ciphers, sizeof(*cipher_list), cipher_name_cmp); for (i = 0; i < num_ciphers; i++) { if (cipher_kt_block_size(cipher_list[i]) >= 128/8) { print_cipher(cipher_list[i]); } } printf("\nThe following ciphers have a block size of less than 128 bits, \n" "and are therefore deprecated. Do not use unless you have to.\n\n"); for (i = 0; i < num_ciphers; i++) { if (cipher_kt_block_size(cipher_list[i]) < 128/8) { print_cipher(cipher_list[i]); } } printf("\n"); } void show_available_digests(void) { int nid; #ifndef ENABLE_SMALL printf("The following message digests are available for use with\n" PACKAGE_NAME ". A message digest is used in conjunction with\n" "the HMAC function, to authenticate received packets.\n" "You can specify a message digest as parameter to\n" "the --auth option.\n\n"); #endif for (nid = 0; nid < 10000; ++nid) { const EVP_MD *digest = EVP_get_digestbynid(nid); if (digest) { printf("%s %d bit digest size\n", OBJ_nid2sn(nid), EVP_MD_size(digest) * 8); } } printf("\n"); } void show_available_engines(void) { #if HAVE_OPENSSL_ENGINE /* Only defined for OpenSSL */ ENGINE *e; printf("OpenSSL Crypto Engines\n\n"); ENGINE_load_builtin_engines(); e = ENGINE_get_first(); while (e) { printf("%s [%s]\n", ENGINE_get_name(e), ENGINE_get_id(e)); e = ENGINE_get_next(e); } ENGINE_cleanup(); #else /* if HAVE_OPENSSL_ENGINE */ printf("Sorry, OpenSSL hardware crypto engine functionality is not available.\n"); #endif } /* * * Random number functions, used in cases where we want * reasonably strong cryptographic random number generation * without depleting our entropy pool. Used for random * IV values and a number of other miscellaneous tasks. * */ int rand_bytes(uint8_t *output, int len) { if (unlikely(1 != RAND_bytes(output, len))) { crypto_msg(D_CRYPT_ERRORS, "RAND_bytes() failed"); return 0; } return 1; } /* * * Key functions, allow manipulation of keys. * */ int key_des_num_cblocks(const EVP_CIPHER *kt) { int ret = 0; const char *name = OBJ_nid2sn(EVP_CIPHER_nid(kt)); if (name) { if (!strncmp(name, "DES-", 4)) { ret = EVP_CIPHER_key_length(kt) / sizeof(DES_cblock); } else if (!strncmp(name, "DESX-", 5)) { ret = 1; } } dmsg(D_CRYPTO_DEBUG, "CRYPTO INFO: n_DES_cblocks=%d", ret); return ret; } bool key_des_check(uint8_t *key, int key_len, int ndc) { int i; struct buffer b; buf_set_read(&b, key, key_len); for (i = 0; i < ndc; ++i) { DES_cblock *dc = (DES_cblock *) buf_read_alloc(&b, sizeof(DES_cblock)); if (!dc) { crypto_msg(D_CRYPT_ERRORS, "CRYPTO INFO: check_key_DES: insufficient key material"); goto err; } if (DES_is_weak_key(dc)) { crypto_msg(D_CRYPT_ERRORS, "CRYPTO INFO: check_key_DES: weak key detected"); goto err; } if (!DES_check_key_parity(dc)) { crypto_msg(D_CRYPT_ERRORS, "CRYPTO INFO: check_key_DES: bad parity detected"); goto err; } } return true; err: ERR_clear_error(); return false; } void key_des_fixup(uint8_t *key, int key_len, int ndc) { int i; struct buffer b; buf_set_read(&b, key, key_len); for (i = 0; i < ndc; ++i) { DES_cblock *dc = (DES_cblock *) buf_read_alloc(&b, sizeof(DES_cblock)); if (!dc) { msg(D_CRYPT_ERRORS, "CRYPTO INFO: fixup_key_DES: insufficient key material"); ERR_clear_error(); return; } DES_set_odd_parity(dc); } } /* * * Generic cipher key type functions * */ const EVP_CIPHER * cipher_kt_get(const char *ciphername) { const EVP_CIPHER *cipher = NULL; ASSERT(ciphername); cipher = EVP_get_cipherbyname(ciphername); if (NULL == cipher) { crypto_msg(D_LOW, "Cipher algorithm '%s' not found", ciphername); return NULL; } if (EVP_CIPHER_key_length(cipher) > MAX_CIPHER_KEY_LENGTH) { msg(D_LOW, "Cipher algorithm '%s' uses a default key size (%d bytes) " "which is larger than " PACKAGE_NAME "'s current maximum key size " "(%d bytes)", ciphername, EVP_CIPHER_key_length(cipher), MAX_CIPHER_KEY_LENGTH); return NULL; } return cipher; } const char * cipher_kt_name(const EVP_CIPHER *cipher_kt) { if (NULL == cipher_kt) { return "[null-cipher]"; } return EVP_CIPHER_name(cipher_kt); } int cipher_kt_key_size(const EVP_CIPHER *cipher_kt) { return EVP_CIPHER_key_length(cipher_kt); } int cipher_kt_iv_size(const EVP_CIPHER *cipher_kt) { return EVP_CIPHER_iv_length(cipher_kt); } int cipher_kt_block_size(const EVP_CIPHER *cipher) { /* * OpenSSL reports OFB/CFB/GCM cipher block sizes as '1 byte'. To work * around that, try to replace the mode with 'CBC' and return the block size * reported for that cipher, if possible. If that doesn't work, just return * the value reported by OpenSSL. */ char *name = NULL; char *mode_str = NULL; const char *orig_name = NULL; const EVP_CIPHER *cbc_cipher = NULL; int block_size = EVP_CIPHER_block_size(cipher); orig_name = cipher_kt_name(cipher); if (!orig_name) { goto cleanup; } name = string_alloc(translate_cipher_name_to_openvpn(orig_name), NULL); mode_str = strrchr(name, '-'); if (!mode_str || strlen(mode_str) < 4) { goto cleanup; } strcpy(mode_str, "-CBC"); cbc_cipher = EVP_get_cipherbyname(translate_cipher_name_from_openvpn(name)); if (cbc_cipher) { block_size = EVP_CIPHER_block_size(cbc_cipher); } cleanup: free(name); return block_size; } int cipher_kt_tag_size(const EVP_CIPHER *cipher_kt) { if (cipher_kt_mode_aead(cipher_kt)) { return OPENVPN_AEAD_TAG_LENGTH; } else { return 0; } } int cipher_kt_mode(const EVP_CIPHER *cipher_kt) { ASSERT(NULL != cipher_kt); return EVP_CIPHER_mode(cipher_kt); } bool cipher_kt_mode_cbc(const cipher_kt_t *cipher) { return cipher && cipher_kt_mode(cipher) == OPENVPN_MODE_CBC #ifdef EVP_CIPH_FLAG_AEAD_CIPHER /* Exclude AEAD cipher modes, they require a different API */ && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) #endif ; } bool cipher_kt_mode_ofb_cfb(const cipher_kt_t *cipher) { return cipher && (cipher_kt_mode(cipher) == OPENVPN_MODE_OFB || cipher_kt_mode(cipher) == OPENVPN_MODE_CFB) #ifdef EVP_CIPH_FLAG_AEAD_CIPHER /* Exclude AEAD cipher modes, they require a different API */ && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) #endif ; } bool cipher_kt_mode_aead(const cipher_kt_t *cipher) { #ifdef HAVE_AEAD_CIPHER_MODES return cipher && (cipher_kt_mode(cipher) == OPENVPN_MODE_GCM); #else return false; #endif } /* * * Generic cipher context functions * */ cipher_ctx_t * cipher_ctx_new(void) { EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new(); check_malloc_return(ctx); return ctx; } void cipher_ctx_free(EVP_CIPHER_CTX *ctx) { EVP_CIPHER_CTX_free(ctx); } void cipher_ctx_init(EVP_CIPHER_CTX *ctx, uint8_t *key, int key_len, const EVP_CIPHER *kt, int enc) { ASSERT(NULL != kt && NULL != ctx); EVP_CIPHER_CTX_init(ctx); if (!EVP_CipherInit(ctx, kt, NULL, NULL, enc)) { crypto_msg(M_FATAL, "EVP cipher init #1"); } #ifdef HAVE_EVP_CIPHER_CTX_SET_KEY_LENGTH if (!EVP_CIPHER_CTX_set_key_length(ctx, key_len)) { crypto_msg(M_FATAL, "EVP set key size"); } #endif if (!EVP_CipherInit_ex(ctx, NULL, NULL, key, NULL, enc)) { crypto_msg(M_FATAL, "EVP cipher init #2"); } /* make sure we used a big enough key */ ASSERT(EVP_CIPHER_CTX_key_length(ctx) <= key_len); } void cipher_ctx_cleanup(EVP_CIPHER_CTX *ctx) { EVP_CIPHER_CTX_cleanup(ctx); } int cipher_ctx_iv_length(const EVP_CIPHER_CTX *ctx) { return EVP_CIPHER_CTX_iv_length(ctx); } int cipher_ctx_get_tag(EVP_CIPHER_CTX *ctx, uint8_t *tag_buf, int tag_size) { #ifdef HAVE_AEAD_CIPHER_MODES return EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, tag_size, tag_buf); #else ASSERT(0); #endif } int cipher_ctx_block_size(const EVP_CIPHER_CTX *ctx) { return EVP_CIPHER_CTX_block_size(ctx); } int cipher_ctx_mode(const EVP_CIPHER_CTX *ctx) { return EVP_CIPHER_CTX_mode(ctx); } const cipher_kt_t * cipher_ctx_get_cipher_kt(const cipher_ctx_t *ctx) { return ctx ? EVP_CIPHER_CTX_cipher(ctx) : NULL; } int cipher_ctx_reset(EVP_CIPHER_CTX *ctx, uint8_t *iv_buf) { return EVP_CipherInit_ex(ctx, NULL, NULL, NULL, iv_buf, -1); } int cipher_ctx_update_ad(EVP_CIPHER_CTX *ctx, const uint8_t *src, int src_len) { #ifdef HAVE_AEAD_CIPHER_MODES int len; if (!EVP_CipherUpdate(ctx, NULL, &len, src, src_len)) { crypto_msg(M_FATAL, "%s: EVP_CipherUpdate() failed", __func__); } return 1; #else /* ifdef HAVE_AEAD_CIPHER_MODES */ ASSERT(0); #endif } int cipher_ctx_update(EVP_CIPHER_CTX *ctx, uint8_t *dst, int *dst_len, uint8_t *src, int src_len) { if (!EVP_CipherUpdate(ctx, dst, dst_len, src, src_len)) { crypto_msg(M_FATAL, "%s: EVP_CipherUpdate() failed", __func__); } return 1; } int cipher_ctx_final(EVP_CIPHER_CTX *ctx, uint8_t *dst, int *dst_len) { return EVP_CipherFinal(ctx, dst, dst_len); } int cipher_ctx_final_check_tag(EVP_CIPHER_CTX *ctx, uint8_t *dst, int *dst_len, uint8_t *tag, size_t tag_len) { #ifdef HAVE_AEAD_CIPHER_MODES ASSERT(tag_len < SIZE_MAX); if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, tag_len, tag)) { return 0; } return cipher_ctx_final(ctx, dst, dst_len); #else /* ifdef HAVE_AEAD_CIPHER_MODES */ ASSERT(0); #endif } void cipher_des_encrypt_ecb(const unsigned char key[DES_KEY_LENGTH], unsigned char *src, unsigned char *dst) { DES_key_schedule sched; DES_set_key_unchecked((DES_cblock *)key, &sched); DES_ecb_encrypt((DES_cblock *)src, (DES_cblock *)dst, &sched, DES_ENCRYPT); } /* * * Generic message digest information functions * */ const EVP_MD * md_kt_get(const char *digest) { const EVP_MD *md = NULL; ASSERT(digest); md = EVP_get_digestbyname(digest); if (!md) { crypto_msg(M_FATAL, "Message hash algorithm '%s' not found", digest); } if (EVP_MD_size(md) > MAX_HMAC_KEY_LENGTH) { crypto_msg(M_FATAL, "Message hash algorithm '%s' uses a default hash " "size (%d bytes) which is larger than " PACKAGE_NAME "'s current " "maximum hash size (%d bytes)", digest, EVP_MD_size(md), MAX_HMAC_KEY_LENGTH); } return md; } const char * md_kt_name(const EVP_MD *kt) { if (NULL == kt) { return "[null-digest]"; } return EVP_MD_name(kt); } int md_kt_size(const EVP_MD *kt) { return EVP_MD_size(kt); } /* * * Generic message digest functions * */ int md_full(const EVP_MD *kt, const uint8_t *src, int src_len, uint8_t *dst) { unsigned int in_md_len = 0; return EVP_Digest(src, src_len, dst, &in_md_len, kt, NULL); } EVP_MD_CTX * md_ctx_new(void) { EVP_MD_CTX *ctx = EVP_MD_CTX_new(); check_malloc_return(ctx); return ctx; } void md_ctx_free(EVP_MD_CTX *ctx) { EVP_MD_CTX_free(ctx); } void md_ctx_init(EVP_MD_CTX *ctx, const EVP_MD *kt) { ASSERT(NULL != ctx && NULL != kt); EVP_MD_CTX_init(ctx); EVP_DigestInit(ctx, kt); } void md_ctx_cleanup(EVP_MD_CTX *ctx) { EVP_MD_CTX_reset(ctx); } int md_ctx_size(const EVP_MD_CTX *ctx) { return EVP_MD_CTX_size(ctx); } void md_ctx_update(EVP_MD_CTX *ctx, const uint8_t *src, int src_len) { EVP_DigestUpdate(ctx, src, src_len); } void md_ctx_final(EVP_MD_CTX *ctx, uint8_t *dst) { unsigned int in_md_len = 0; EVP_DigestFinal(ctx, dst, &in_md_len); } /* * * Generic HMAC functions * */ HMAC_CTX * hmac_ctx_new(void) { HMAC_CTX *ctx = HMAC_CTX_new(); check_malloc_return(ctx); return ctx; } void hmac_ctx_free(HMAC_CTX *ctx) { HMAC_CTX_free(ctx); } void hmac_ctx_init(HMAC_CTX *ctx, const uint8_t *key, int key_len, const EVP_MD *kt) { ASSERT(NULL != kt && NULL != ctx); HMAC_CTX_reset(ctx); HMAC_Init_ex(ctx, key, key_len, kt, NULL); /* make sure we used a big enough key */ ASSERT(HMAC_size(ctx) <= key_len); } void hmac_ctx_cleanup(HMAC_CTX *ctx) { HMAC_CTX_reset(ctx); } int hmac_ctx_size(const HMAC_CTX *ctx) { return HMAC_size(ctx); } void hmac_ctx_reset(HMAC_CTX *ctx) { HMAC_Init_ex(ctx, NULL, 0, NULL, NULL); } void hmac_ctx_update(HMAC_CTX *ctx, const uint8_t *src, int src_len) { HMAC_Update(ctx, src, src_len); } void hmac_ctx_final(HMAC_CTX *ctx, uint8_t *dst) { unsigned int in_hmac_len = 0; HMAC_Final(ctx, dst, &in_hmac_len); } #endif /* ENABLE_CRYPTO && ENABLE_CRYPTO_OPENSSL */ openvpn-2.4.4/src/openvpn/crypto_openssl.h000066400000000000000000000061151316434344000207230ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * Copyright (C) 2010-2017 Fox Crypto B.V. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ /** * @file Data Channel Cryptography OpenSSL-specific backend interface */ #ifndef CRYPTO_OPENSSL_H_ #define CRYPTO_OPENSSL_H_ #include #include #include #include /** Generic cipher key type %context. */ typedef EVP_CIPHER cipher_kt_t; /** Generic message digest key type %context. */ typedef EVP_MD md_kt_t; /** Generic cipher %context. */ typedef EVP_CIPHER_CTX cipher_ctx_t; /** Generic message digest %context. */ typedef EVP_MD_CTX md_ctx_t; /** Generic HMAC %context. */ typedef HMAC_CTX hmac_ctx_t; /** Maximum length of an IV */ #define OPENVPN_MAX_IV_LENGTH EVP_MAX_IV_LENGTH /** Cipher is in CBC mode */ #define OPENVPN_MODE_CBC EVP_CIPH_CBC_MODE /** Cipher is in OFB mode */ #define OPENVPN_MODE_OFB EVP_CIPH_OFB_MODE /** Cipher is in CFB mode */ #define OPENVPN_MODE_CFB EVP_CIPH_CFB_MODE #ifdef HAVE_AEAD_CIPHER_MODES /** Cipher is in GCM mode */ #define OPENVPN_MODE_GCM EVP_CIPH_GCM_MODE #endif /* HAVE_AEAD_CIPHER_MODES */ /** Cipher should encrypt */ #define OPENVPN_OP_ENCRYPT 1 /** Cipher should decrypt */ #define OPENVPN_OP_DECRYPT 0 #define DES_KEY_LENGTH 8 #define MD4_DIGEST_LENGTH 16 /** * Retrieve any occurred OpenSSL errors and print those errors. * * Note that this function uses the not thread-safe OpenSSL error API. * * @param flags Flags to indicate error type and priority. */ void crypto_print_openssl_errors(const unsigned int flags); /** * Retrieve any OpenSSL errors, then print the supplied error message. * * This is just a convenience wrapper for often occurring situations. * * @param flags Flags to indicate error type and priority. * @param format Format string to print. * @param format args (optional) arguments for the format string. */ #define crypto_msg(flags, ...) \ do { \ crypto_print_openssl_errors(nonfatal(flags)); \ msg((flags), __VA_ARGS__); \ } while (false) #endif /* CRYPTO_OPENSSL_H_ */ openvpn-2.4.4/src/openvpn/cryptoapi.c000066400000000000000000000425061316434344000176510ustar00rootroot00000000000000/* * Copyright (c) 2004 Peter 'Luna' Runestig * All rights reserved. * * Redistribution and use in source and binary forms, with or without modifi- * cation, are permitted provided that the following conditions are met: * * o Redistributions of source code must retain the above copyright notice, * this list of conditions and the following disclaimer. * * o Redistributions in binary form must reproduce the above copyright no- * tice, this list of conditions and the following disclaimer in the do- * cumentation and/or other materials provided with the distribution. * * o The names of the contributors may not be used to endorse or promote * products derived from this software without specific prior written * permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LI- * ABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUEN- * TIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEV- * ER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABI- * LITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) #include "config-msvc.h" #endif #include "syshead.h" #ifdef ENABLE_CRYPTOAPI #include #include #include #include #include #include #include #include "buffer.h" /* MinGW w32api 3.17 is still incomplete when it comes to CryptoAPI while * MinGW32-w64 defines all macros used. This is a hack around that problem. */ #ifndef CERT_SYSTEM_STORE_LOCATION_SHIFT #define CERT_SYSTEM_STORE_LOCATION_SHIFT 16 #endif #ifndef CERT_SYSTEM_STORE_CURRENT_USER_ID #define CERT_SYSTEM_STORE_CURRENT_USER_ID 1 #endif #ifndef CERT_SYSTEM_STORE_CURRENT_USER #define CERT_SYSTEM_STORE_CURRENT_USER (CERT_SYSTEM_STORE_CURRENT_USER_ID << CERT_SYSTEM_STORE_LOCATION_SHIFT) #endif #ifndef CERT_STORE_READONLY_FLAG #define CERT_STORE_READONLY_FLAG 0x00008000 #endif #ifndef CERT_STORE_OPEN_EXISTING_FLAG #define CERT_STORE_OPEN_EXISTING_FLAG 0x00004000 #endif /* Size of an SSL signature: MD5+SHA1 */ #define SSL_SIG_LENGTH 36 /* try to funnel any Windows/CryptoAPI error messages to OpenSSL ERR_... */ #define ERR_LIB_CRYPTOAPI (ERR_LIB_USER + 69) /* 69 is just a number... */ #define CRYPTOAPIerr(f) err_put_ms_error(GetLastError(), (f), __FILE__, __LINE__) #define CRYPTOAPI_F_CERT_OPEN_SYSTEM_STORE 100 #define CRYPTOAPI_F_CERT_FIND_CERTIFICATE_IN_STORE 101 #define CRYPTOAPI_F_CRYPT_ACQUIRE_CERTIFICATE_PRIVATE_KEY 102 #define CRYPTOAPI_F_CRYPT_CREATE_HASH 103 #define CRYPTOAPI_F_CRYPT_GET_HASH_PARAM 104 #define CRYPTOAPI_F_CRYPT_SET_HASH_PARAM 105 #define CRYPTOAPI_F_CRYPT_SIGN_HASH 106 #define CRYPTOAPI_F_LOAD_LIBRARY 107 #define CRYPTOAPI_F_GET_PROC_ADDRESS 108 static ERR_STRING_DATA CRYPTOAPI_str_functs[] = { { ERR_PACK(ERR_LIB_CRYPTOAPI, 0, 0), "microsoft cryptoapi"}, { ERR_PACK(0, CRYPTOAPI_F_CERT_OPEN_SYSTEM_STORE, 0), "CertOpenSystemStore" }, { ERR_PACK(0, CRYPTOAPI_F_CERT_FIND_CERTIFICATE_IN_STORE, 0), "CertFindCertificateInStore" }, { ERR_PACK(0, CRYPTOAPI_F_CRYPT_ACQUIRE_CERTIFICATE_PRIVATE_KEY, 0), "CryptAcquireCertificatePrivateKey" }, { ERR_PACK(0, CRYPTOAPI_F_CRYPT_CREATE_HASH, 0), "CryptCreateHash" }, { ERR_PACK(0, CRYPTOAPI_F_CRYPT_GET_HASH_PARAM, 0), "CryptGetHashParam" }, { ERR_PACK(0, CRYPTOAPI_F_CRYPT_SET_HASH_PARAM, 0), "CryptSetHashParam" }, { ERR_PACK(0, CRYPTOAPI_F_CRYPT_SIGN_HASH, 0), "CryptSignHash" }, { ERR_PACK(0, CRYPTOAPI_F_LOAD_LIBRARY, 0), "LoadLibrary" }, { ERR_PACK(0, CRYPTOAPI_F_GET_PROC_ADDRESS, 0), "GetProcAddress" }, { 0, NULL } }; typedef struct _CAPI_DATA { const CERT_CONTEXT *cert_context; HCRYPTPROV crypt_prov; DWORD key_spec; BOOL free_crypt_prov; } CAPI_DATA; static char * ms_error_text(DWORD ms_err) { LPVOID lpMsgBuf = NULL; char *rv = NULL; FormatMessage( FORMAT_MESSAGE_ALLOCATE_BUFFER |FORMAT_MESSAGE_FROM_SYSTEM |FORMAT_MESSAGE_IGNORE_INSERTS, NULL, ms_err, MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), /* Default language */ (LPTSTR) &lpMsgBuf, 0, NULL); if (lpMsgBuf) { char *p; rv = string_alloc(lpMsgBuf, NULL); LocalFree(lpMsgBuf); /* trim to the left */ if (rv) { for (p = rv + strlen(rv) - 1; p >= rv; p--) { if (isspace(*p)) { *p = '\0'; } else { break; } } } } return rv; } static void err_put_ms_error(DWORD ms_err, int func, const char *file, int line) { static int init = 0; #define ERR_MAP_SZ 16 static struct { int err; DWORD ms_err; /* I don't think we get more than 16 *different* errors */ } err_map[ERR_MAP_SZ]; /* in here, before we give up the whole thing... */ int i; if (ms_err == 0) { /* 0 is not an error */ return; } if (!init) { ERR_load_strings(ERR_LIB_CRYPTOAPI, CRYPTOAPI_str_functs); memset(&err_map, 0, sizeof(err_map)); init++; } /* since MS error codes are 32 bit, and the ones in the ERR_... system is * only 12, we must have a mapping table between them. */ for (i = 0; i < ERR_MAP_SZ; i++) { if (err_map[i].ms_err == ms_err) { ERR_PUT_error(ERR_LIB_CRYPTOAPI, func, err_map[i].err, file, line); break; } else if (err_map[i].ms_err == 0) { /* end of table, add new entry */ ERR_STRING_DATA *esd = calloc(2, sizeof(*esd)); if (esd == NULL) { break; } err_map[i].ms_err = ms_err; err_map[i].err = esd->error = i + 100; esd->string = ms_error_text(ms_err); check_malloc_return(esd->string); ERR_load_strings(ERR_LIB_CRYPTOAPI, esd); ERR_PUT_error(ERR_LIB_CRYPTOAPI, func, err_map[i].err, file, line); break; } } } /* encrypt */ static int rsa_pub_enc(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding) { /* I haven't been able to trigger this one, but I want to know if it happens... */ assert(0); return 0; } /* verify arbitrary data */ static int rsa_pub_dec(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding) { /* I haven't been able to trigger this one, but I want to know if it happens... */ assert(0); return 0; } /* sign arbitrary data */ static int rsa_priv_enc(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding) { CAPI_DATA *cd = (CAPI_DATA *) rsa->meth->app_data; HCRYPTHASH hash; DWORD hash_size, len, i; unsigned char *buf; if (cd == NULL) { RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_PASSED_NULL_PARAMETER); return 0; } if (padding != RSA_PKCS1_PADDING) { /* AFAICS, CryptSignHash() *always* uses PKCS1 padding. */ RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, RSA_R_UNKNOWN_PADDING_TYPE); return 0; } /* Unfortunately, there is no "CryptSign()" function in CryptoAPI, that would * be way to straightforward for M$, I guess... So we have to do it this * tricky way instead, by creating a "Hash", and load the already-made hash * from 'from' into it. */ /* For now, we only support NID_md5_sha1 */ if (flen != SSL_SIG_LENGTH) { RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, RSA_R_INVALID_MESSAGE_LENGTH); return 0; } if (!CryptCreateHash(cd->crypt_prov, CALG_SSL3_SHAMD5, 0, 0, &hash)) { CRYPTOAPIerr(CRYPTOAPI_F_CRYPT_CREATE_HASH); return 0; } len = sizeof(hash_size); if (!CryptGetHashParam(hash, HP_HASHSIZE, (BYTE *) &hash_size, &len, 0)) { CRYPTOAPIerr(CRYPTOAPI_F_CRYPT_GET_HASH_PARAM); CryptDestroyHash(hash); return 0; } if ((int) hash_size != flen) { RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, RSA_R_INVALID_MESSAGE_LENGTH); CryptDestroyHash(hash); return 0; } if (!CryptSetHashParam(hash, HP_HASHVAL, (BYTE * ) from, 0)) { CRYPTOAPIerr(CRYPTOAPI_F_CRYPT_SET_HASH_PARAM); CryptDestroyHash(hash); return 0; } len = RSA_size(rsa); buf = malloc(len); if (buf == NULL) { RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE); CryptDestroyHash(hash); return 0; } if (!CryptSignHash(hash, cd->key_spec, NULL, 0, buf, &len)) { CRYPTOAPIerr(CRYPTOAPI_F_CRYPT_SIGN_HASH); CryptDestroyHash(hash); free(buf); return 0; } /* and now, we have to reverse the byte-order in the result from CryptSignHash()... */ for (i = 0; i < len; i++) { to[i] = buf[len - i - 1]; } free(buf); CryptDestroyHash(hash); return len; } /* decrypt */ static int rsa_priv_dec(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding) { /* I haven't been able to trigger this one, but I want to know if it happens... */ assert(0); return 0; } /* called at RSA_new */ static int init(RSA *rsa) { return 0; } /* called at RSA_free */ static int finish(RSA *rsa) { CAPI_DATA *cd = (CAPI_DATA *) rsa->meth->app_data; if (cd == NULL) { return 0; } if (cd->crypt_prov && cd->free_crypt_prov) { CryptReleaseContext(cd->crypt_prov, 0); } if (cd->cert_context) { CertFreeCertificateContext(cd->cert_context); } free(rsa->meth->app_data); free((char *) rsa->meth); rsa->meth = NULL; return 1; } static const CERT_CONTEXT * find_certificate_in_store(const char *cert_prop, HCERTSTORE cert_store) { /* Find, and use, the desired certificate from the store. The * 'cert_prop' certificate search string can look like this: * SUBJ: * THUMB:, e.g. * THUMB:f6 49 24 41 01 b4 fb 44 0c ce f4 36 ae d0 c4 c9 df 7a b6 28 */ const CERT_CONTEXT *rv = NULL; if (!strncmp(cert_prop, "SUBJ:", 5)) { /* skip the tag */ cert_prop += 5; rv = CertFindCertificateInStore(cert_store, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, 0, CERT_FIND_SUBJECT_STR_A, cert_prop, NULL); } else if (!strncmp(cert_prop, "THUMB:", 6)) { unsigned char hash[255]; char *p; int i, x = 0; CRYPT_HASH_BLOB blob; /* skip the tag */ cert_prop += 6; for (p = (char *) cert_prop, i = 0; *p && i < sizeof(hash); i++) { if (*p >= '0' && *p <= '9') { x = (*p - '0') << 4; } else if (*p >= 'A' && *p <= 'F') { x = (*p - 'A' + 10) << 4; } else if (*p >= 'a' && *p <= 'f') { x = (*p - 'a' + 10) << 4; } if (!*++p) /* unexpected end of string */ { break; } if (*p >= '0' && *p <= '9') { x += *p - '0'; } else if (*p >= 'A' && *p <= 'F') { x += *p - 'A' + 10; } else if (*p >= 'a' && *p <= 'f') { x += *p - 'a' + 10; } hash[i] = x; /* skip any space(s) between hex numbers */ for (p++; *p && *p == ' '; p++) { } } blob.cbData = i; blob.pbData = (unsigned char *) &hash; rv = CertFindCertificateInStore(cert_store, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, 0, CERT_FIND_HASH, &blob, NULL); } return rv; } int SSL_CTX_use_CryptoAPI_certificate(SSL_CTX *ssl_ctx, const char *cert_prop) { HCERTSTORE cs; X509 *cert = NULL; RSA *rsa = NULL, *pub_rsa; CAPI_DATA *cd = calloc(1, sizeof(*cd)); RSA_METHOD *my_rsa_method = calloc(1, sizeof(*my_rsa_method)); if (cd == NULL || my_rsa_method == NULL) { SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_MALLOC_FAILURE); goto err; } /* search CURRENT_USER first, then LOCAL_MACHINE */ cs = CertOpenStore((LPCSTR) CERT_STORE_PROV_SYSTEM, 0, 0, CERT_SYSTEM_STORE_CURRENT_USER |CERT_STORE_OPEN_EXISTING_FLAG | CERT_STORE_READONLY_FLAG, L"MY"); if (cs == NULL) { CRYPTOAPIerr(CRYPTOAPI_F_CERT_OPEN_SYSTEM_STORE); goto err; } cd->cert_context = find_certificate_in_store(cert_prop, cs); CertCloseStore(cs, 0); if (!cd->cert_context) { cs = CertOpenStore((LPCSTR) CERT_STORE_PROV_SYSTEM, 0, 0, CERT_SYSTEM_STORE_LOCAL_MACHINE |CERT_STORE_OPEN_EXISTING_FLAG | CERT_STORE_READONLY_FLAG, L"MY"); if (cs == NULL) { CRYPTOAPIerr(CRYPTOAPI_F_CERT_OPEN_SYSTEM_STORE); goto err; } cd->cert_context = find_certificate_in_store(cert_prop, cs); CertCloseStore(cs, 0); if (cd->cert_context == NULL) { CRYPTOAPIerr(CRYPTOAPI_F_CERT_FIND_CERTIFICATE_IN_STORE); goto err; } } /* cert_context->pbCertEncoded is the cert X509 DER encoded. */ cert = d2i_X509(NULL, (const unsigned char **) &cd->cert_context->pbCertEncoded, cd->cert_context->cbCertEncoded); if (cert == NULL) { SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_ASN1_LIB); goto err; } /* set up stuff to use the private key */ if (!CryptAcquireCertificatePrivateKey(cd->cert_context, CRYPT_ACQUIRE_COMPARE_KEY_FLAG, NULL, &cd->crypt_prov, &cd->key_spec, &cd->free_crypt_prov)) { /* if we don't have a smart card reader here, and we try to access a * smart card certificate, we get: * "Error 1223: The operation was canceled by the user." */ CRYPTOAPIerr(CRYPTOAPI_F_CRYPT_ACQUIRE_CERTIFICATE_PRIVATE_KEY); goto err; } /* here we don't need to do CryptGetUserKey() or anything; all necessary key * info is in cd->cert_context, and then, in cd->crypt_prov. */ my_rsa_method->name = "Microsoft CryptoAPI RSA Method"; my_rsa_method->rsa_pub_enc = rsa_pub_enc; my_rsa_method->rsa_pub_dec = rsa_pub_dec; my_rsa_method->rsa_priv_enc = rsa_priv_enc; my_rsa_method->rsa_priv_dec = rsa_priv_dec; /* my_rsa_method->init = init; */ my_rsa_method->finish = finish; my_rsa_method->flags = RSA_METHOD_FLAG_NO_CHECK; my_rsa_method->app_data = (char *) cd; rsa = RSA_new(); if (rsa == NULL) { SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_MALLOC_FAILURE); goto err; } /* cert->cert_info->key->pkey is NULL until we call SSL_CTX_use_certificate(), * so we do it here then... */ if (!SSL_CTX_use_certificate(ssl_ctx, cert)) { goto err; } /* the public key */ pub_rsa = cert->cert_info->key->pkey->pkey.rsa; /* SSL_CTX_use_certificate() increased the reference count in 'cert', so * we decrease it here with X509_free(), or it will never be cleaned up. */ X509_free(cert); cert = NULL; /* I'm not sure about what we have to fill in in the RSA, trying out stuff... */ /* rsa->n indicates the key size */ rsa->n = BN_dup(pub_rsa->n); rsa->flags |= RSA_FLAG_EXT_PKEY; if (!RSA_set_method(rsa, my_rsa_method)) { goto err; } if (!SSL_CTX_use_RSAPrivateKey(ssl_ctx, rsa)) { goto err; } /* SSL_CTX_use_RSAPrivateKey() increased the reference count in 'rsa', so * we decrease it here with RSA_free(), or it will never be cleaned up. */ RSA_free(rsa); return 1; err: if (cert) { X509_free(cert); } if (rsa) { RSA_free(rsa); } else { if (my_rsa_method) { free(my_rsa_method); } if (cd) { if (cd->free_crypt_prov && cd->crypt_prov) { CryptReleaseContext(cd->crypt_prov, 0); } if (cd->cert_context) { CertFreeCertificateContext(cd->cert_context); } free(cd); } } return 0; } #else /* ifdef ENABLE_CRYPTOAPI */ #ifdef _MSC_VER /* Dummy function needed to avoid empty file compiler warning in Microsoft VC */ static void dummy(void) { } #endif #endif /* _WIN32 */ openvpn-2.4.4/src/openvpn/cryptoapi.h000066400000000000000000000002331316434344000176450ustar00rootroot00000000000000#ifndef _CRYPTOAPI_H_ #define _CRYPTOAPI_H_ int SSL_CTX_use_CryptoAPI_certificate(SSL_CTX *ssl_ctx, const char *cert_prop); #endif /* !_CRYPTOAPI_H_ */ openvpn-2.4.4/src/openvpn/dhcp.c000066400000000000000000000160411316434344000165500ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) #include "config-msvc.h" #endif #include "syshead.h" #include "dhcp.h" #include "socket.h" #include "error.h" #include "memdbg.h" static int get_dhcp_message_type(const struct dhcp *dhcp, const int optlen) { const uint8_t *p = (uint8_t *) (dhcp + 1); int i; for (i = 0; i < optlen; ++i) { const uint8_t type = p[i]; const int room = optlen - i; if (type == DHCP_END) /* didn't find what we were looking for */ { return -1; } else if (type == DHCP_PAD) /* no-operation */ { } else if (type == DHCP_MSG_TYPE) /* what we are looking for */ { if (room >= 3) { if (p[i+1] == 1) /* option length should be 1 */ { return p[i+2]; /* return message type */ } } return -1; } else /* some other option */ { if (room >= 2) { const int len = p[i+1]; /* get option length */ i += (len + 1); /* advance to next option */ } } } return -1; } static in_addr_t do_extract(struct dhcp *dhcp, int optlen) { uint8_t *p = (uint8_t *) (dhcp + 1); int i; in_addr_t ret = 0; for (i = 0; i < optlen; ) { const uint8_t type = p[i]; const int room = optlen - i; if (type == DHCP_END) { break; } else if (type == DHCP_PAD) { ++i; } else if (type == DHCP_ROUTER) { if (room >= 2) { const int len = p[i+1]; /* get option length */ if (len <= (room-2)) { /* get router IP address */ if (!ret && len >= 4 && (len & 3) == 0) { memcpy(&ret, p+i+2, 4); ret = ntohl(ret); } { /* delete the router option */ uint8_t *dest = p + i; const int owlen = len + 2; /* len of data to overwrite */ uint8_t *src = dest + owlen; uint8_t *end = p + optlen; const int movlen = end - src; if (movlen > 0) { memmove(dest, src, movlen); /* overwrite router option */ } memset(end - owlen, DHCP_PAD, owlen); /* pad tail */ } } else { break; } } else { break; } } else /* some other option */ { if (room >= 2) { const int len = p[i+1]; /* get option length */ i += (len + 2); /* advance to next option */ } else { break; } } } return ret; } static uint16_t udp_checksum(const uint8_t *buf, const int len_udp, const uint8_t *src_addr, const uint8_t *dest_addr) { uint16_t word16; uint32_t sum = 0; int i; /* make 16 bit words out of every two adjacent 8 bit words and */ /* calculate the sum of all 16 bit words */ for (i = 0; i < len_udp; i += 2) { word16 = ((buf[i] << 8) & 0xFF00) + ((i + 1 < len_udp) ? (buf[i+1] & 0xFF) : 0); sum += word16; } /* add the UDP pseudo header which contains the IP source and destination addresses */ for (i = 0; i < 4; i += 2) { word16 = ((src_addr[i] << 8) & 0xFF00) + (src_addr[i+1] & 0xFF); sum += word16; } for (i = 0; i < 4; i += 2) { word16 = ((dest_addr[i] << 8) & 0xFF00) + (dest_addr[i+1] & 0xFF); sum += word16; } /* the protocol number and the length of the UDP packet */ sum += (uint16_t) OPENVPN_IPPROTO_UDP + (uint16_t) len_udp; /* keep only the last 16 bits of the 32 bit calculated sum and add the carries */ while (sum >> 16) { sum = (sum & 0xFFFF) + (sum >> 16); } /* Take the one's complement of sum */ return ((uint16_t) ~sum); } in_addr_t dhcp_extract_router_msg(struct buffer *ipbuf) { struct dhcp_full *df = (struct dhcp_full *) BPTR(ipbuf); const int optlen = BLEN(ipbuf) - (sizeof(struct openvpn_iphdr) + sizeof(struct openvpn_udphdr) + sizeof(struct dhcp)); if (optlen >= 0 && df->ip.protocol == OPENVPN_IPPROTO_UDP && df->udp.source == htons(BOOTPS_PORT) && df->udp.dest == htons(BOOTPC_PORT) && df->dhcp.op == BOOTREPLY) { const int message_type = get_dhcp_message_type(&df->dhcp, optlen); if (message_type == DHCPACK || message_type == DHCPOFFER) { /* get the router IP address while padding out all DHCP router options */ const in_addr_t ret = do_extract(&df->dhcp, optlen); /* recompute the UDP checksum */ df->udp.check = 0; df->udp.check = htons(udp_checksum((uint8_t *) &df->udp, sizeof(struct openvpn_udphdr) + sizeof(struct dhcp) + optlen, (uint8_t *)&df->ip.saddr, (uint8_t *)&df->ip.daddr)); /* only return the extracted Router address if DHCPACK */ if (message_type == DHCPACK) { if (ret) { struct gc_arena gc = gc_new(); msg(D_ROUTE, "Extracted DHCP router address: %s", print_in_addr_t(ret, 0, &gc)); gc_free(&gc); } return ret; } } } return 0; } openvpn-2.4.4/src/openvpn/dhcp.h000066400000000000000000000054371316434344000165640ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifndef DHCP_H #define DHCP_H #include "common.h" #include "buffer.h" #include "proto.h" #pragma pack(1) /* DHCP Option types */ #define DHCP_PAD 0 #define DHCP_ROUTER 3 #define DHCP_MSG_TYPE 53 /* message type (u8) */ #define DHCP_END 255 /* DHCP Messages types */ #define DHCPDISCOVER 1 #define DHCPOFFER 2 #define DHCPREQUEST 3 #define DHCPDECLINE 4 #define DHCPACK 5 #define DHCPNAK 6 #define DHCPRELEASE 7 #define DHCPINFORM 8 /* DHCP UDP port numbers */ #define BOOTPS_PORT 67 #define BOOTPC_PORT 68 struct dhcp { #define BOOTREQUEST 1 #define BOOTREPLY 2 uint8_t op; /* message op */ uint8_t htype; /* hardware address type (e.g. '1' = 10Mb Ethernet) */ uint8_t hlen; /* hardware address length (e.g. '6' for 10Mb Ethernet) */ uint8_t hops; /* client sets to 0, may be used by relay agents */ uint32_t xid; /* transaction ID, chosen by client */ uint16_t secs; /* seconds since request process began, set by client */ uint16_t flags; uint32_t ciaddr; /* client IP address, client sets if known */ uint32_t yiaddr; /* 'your' IP address -- server's response to client */ uint32_t siaddr; /* server IP address */ uint32_t giaddr; /* relay agent IP address */ uint8_t chaddr[16]; /* client hardware address */ uint8_t sname[64]; /* optional server host name */ uint8_t file[128]; /* boot file name */ uint32_t magic; /* must be 0x63825363 (network order) */ }; struct dhcp_full { struct openvpn_iphdr ip; struct openvpn_udphdr udp; struct dhcp dhcp; #define DHCP_OPTIONS_BUFFER_SIZE 256 uint8_t options[DHCP_OPTIONS_BUFFER_SIZE]; }; #pragma pack() in_addr_t dhcp_extract_router_msg(struct buffer *ipbuf); #endif /* ifndef DHCP_H */ openvpn-2.4.4/src/openvpn/errlevel.h000066400000000000000000000270631316434344000174650ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifndef ERRLEVEL_H #define ERRLEVEL_H #include "error.h" /* * Debug level at and above where we * display time to microsecond resolution. */ #define DEBUG_LEVEL_USEC_TIME 4 /* * In non-server modes, delay n milliseconds after certain kinds * of non-fatal network errors to avoid a barrage of errors. * * To disable all delays, set to 0. */ #define P2P_ERROR_DELAY_MS 0 /* * Enable D_LOG_RW */ #define LOG_RW /* * Debugging levels for various kinds * of output. */ #define M_VERB0 LOGLEV(0, 0, 0) /* Messages displayed even at --verb 0 (fatal errors only) */ #define M_INFO LOGLEV(1, 0, 0) /* default informational messages */ #define D_LINK_ERRORS LOGLEV(1, 1, M_NONFATAL) /* show link errors from main event loop */ #define D_CRYPT_ERRORS LOGLEV(1, 2, M_NONFATAL) /* show errors from encrypt/decrypt */ #define D_TLS_ERRORS LOGLEV(1, 3, M_NONFATAL) /* show TLS control channel errors */ #define D_RESOLVE_ERRORS LOGLEV(1, 4, M_NONFATAL) /* show hostname resolve errors */ #define D_COMP_ERRORS LOGLEV(1, 5, M_NONFATAL) /* show compression errors */ #define D_REPLAY_ERRORS LOGLEV(1, 6, M_NONFATAL) /* show packet replay errors */ #define D_STREAM_ERRORS LOGLEV(1, 7, M_NONFATAL) /* TCP stream error requiring restart */ #define D_IMPORT_ERRORS LOGLEV(1, 8, M_NONFATAL) /* show server import option errors */ #define D_MULTI_ERRORS LOGLEV(1, 9, M_NONFATAL) /* show multi-client server errors */ #define D_EVENT_ERRORS LOGLEV(1, 10, M_NONFATAL) /* show event.[ch] errors */ #define D_PUSH_ERRORS LOGLEV(1, 11, M_NONFATAL) /* show push/pull errors */ #define D_PID_PERSIST LOGLEV(1, 12, M_NONFATAL) /* show packet_id persist errors */ #define D_FRAG_ERRORS LOGLEV(1, 13, M_NONFATAL) /* show fragmentation errors */ #define D_ALIGN_ERRORS LOGLEV(1, 14, M_NONFATAL) /* show bad struct alignments */ #define D_HANDSHAKE LOGLEV(2, 20, 0) /* show data & control channel handshakes */ #define D_CLOSE LOGLEV(2, 22, 0) /* show socket and TUN/TAP close */ #define D_PROXY LOGLEV(2, 24, 0) /* show http proxy control packets */ #define D_ARGV LOGLEV(2, 25, 0) /* show struct argv errors */ #define D_TLS_DEBUG_LOW LOGLEV(3, 20, 0) /* low frequency info from tls_session routines */ #define D_GREMLIN LOGLEV(3, 30, 0) /* show simulated outage info from gremlin module */ #define D_GENKEY LOGLEV(3, 31, 0) /* print message after key generation */ #define D_ROUTE LOGLEV(3, 0, 0) /* show routes added and deleted (don't mute) */ #define D_TUNTAP_INFO LOGLEV(3, 32, 0) /* show debugging info from TUN/TAP driver */ #define D_RESTART LOGLEV(3, 33, 0) /* show certain restart messages */ #define D_PUSH LOGLEV(3, 34, 0) /* show push/pull info */ #define D_IFCONFIG_POOL LOGLEV(3, 35, 0) /* show ifconfig pool info */ #define D_AUTH LOGLEV(3, 37, 0) /* show user/pass auth info */ #define D_MULTI_LOW LOGLEV(3, 38, 0) /* show point-to-multipoint low-freq debug info */ #define D_PLUGIN LOGLEV(3, 39, 0) /* show plugin calls */ #define D_MANAGEMENT LOGLEV(3, 40, 0) /* show --management info */ #define D_SCHED_EXIT LOGLEV(3, 41, 0) /* show arming of scheduled exit */ #define D_ROUTE_QUOTA LOGLEV(3, 42, 0) /* show route quota exceeded messages */ #define D_OSBUF LOGLEV(3, 43, 0) /* show socket/tun/tap buffer sizes */ #define D_PS_PROXY LOGLEV(3, 44, 0) /* messages related to --port-share option */ #define D_PF_INFO LOGLEV(3, 45, 0) /* packet filter informational messages */ #define D_SHOW_PARMS LOGLEV(4, 50, 0) /* show all parameters on program initiation */ #define D_SHOW_OCC LOGLEV(4, 51, 0) /* show options compatibility string */ #define D_LOW LOGLEV(4, 52, 0) /* miscellaneous low-frequency debug info */ #define D_DHCP_OPT LOGLEV(4, 53, 0) /* show DHCP options binary string */ #define D_MBUF LOGLEV(4, 54, 0) /* mbuf.[ch] routines */ #define D_PACKET_TRUNC_ERR LOGLEV(4, 55, 0) /* PACKET_TRUNCATION_CHECK */ #define D_PF_DROPPED LOGLEV(4, 56, 0) /* packet filter dropped a packet */ #define D_MULTI_DROPPED LOGLEV(4, 57, 0) /* show point-to-multipoint packet drops */ #define D_MULTI_MEDIUM LOGLEV(4, 58, 0) /* show medium frequency multi messages */ #define D_X509_ATTR LOGLEV(4, 59, 0) /* show x509-track attributes on connection */ #define D_INIT_MEDIUM LOGLEV(4, 60, 0) /* show medium frequency init messages */ #define D_MTU_INFO LOGLEV(4, 61, 0) /* show terse MTU info */ #define D_PID_DEBUG_LOW LOGLEV(4, 63, 0) /* show low-freq packet-id debugging info */ #define D_PID_DEBUG_MEDIUM LOGLEV(4, 64, 0) /* show medium-freq packet-id debugging info */ #define D_LOG_RW LOGLEV(5, 0, 0) /* Print 'R' or 'W' to stdout for read/write */ #define D_LINK_RW LOGLEV(6, 69, M_DEBUG) /* show TCP/UDP reads/writes (terse) */ #define D_TUN_RW LOGLEV(6, 69, M_DEBUG) /* show TUN/TAP reads/writes */ #define D_TAP_WIN_DEBUG LOGLEV(6, 69, M_DEBUG) /* show TAP-Windows driver debug info */ #define D_CLIENT_NAT LOGLEV(6, 69, M_DEBUG) /* show client NAT debug info */ #define D_SHOW_KEYS LOGLEV(7, 70, M_DEBUG) /* show data channel encryption keys */ #define D_SHOW_KEY_SOURCE LOGLEV(7, 70, M_DEBUG) /* show data channel key source entropy */ #define D_REL_LOW LOGLEV(7, 70, M_DEBUG) /* show low frequency info from reliable layer */ #define D_FRAG_DEBUG LOGLEV(7, 70, M_DEBUG) /* show fragment debugging info */ #define D_WIN32_IO_LOW LOGLEV(7, 70, M_DEBUG) /* low freq win32 I/O debugging info */ #define D_MTU_DEBUG LOGLEV(7, 70, M_DEBUG) /* show MTU debugging info */ #define D_MULTI_DEBUG LOGLEV(7, 70, M_DEBUG) /* show medium-freq multi debugging info */ #define D_MSS LOGLEV(7, 70, M_DEBUG) /* show MSS adjustments */ #define D_COMP_LOW LOGLEV(7, 70, M_DEBUG) /* show adaptive compression state changes */ #define D_CONNECTION_LIST LOGLEV(7, 70, M_DEBUG) /* show list info */ #define D_SCRIPT LOGLEV(7, 70, M_DEBUG) /* show parms & env vars passed to scripts */ #define D_SHOW_NET LOGLEV(7, 70, M_DEBUG) /* show routing table and adapter list */ #define D_ROUTE_DEBUG LOGLEV(7, 70, M_DEBUG) /* show verbose route.[ch] output */ #define D_TLS_STATE_ERRORS LOGLEV(7, 70, M_DEBUG) /* no TLS state for client */ #define D_SEMAPHORE_LOW LOGLEV(7, 70, M_DEBUG) /* show Win32 semaphore waits (low freq) */ #define D_SEMAPHORE LOGLEV(7, 70, M_DEBUG) /* show Win32 semaphore waits */ #define D_TEST_FILE LOGLEV(7, 70, M_DEBUG) /* show test_file() calls */ #define D_MANAGEMENT_DEBUG LOGLEV(3, 70, M_DEBUG) /* show --management debug info */ #define D_PLUGIN_DEBUG LOGLEV(7, 70, M_DEBUG) /* show verbose plugin calls */ #define D_SOCKET_DEBUG LOGLEV(7, 70, M_DEBUG) /* show socket.[ch] debugging info */ #define D_SHOW_PKCS11 LOGLEV(7, 70, M_DEBUG) /* show PKCS#11 actions */ #define D_ALIGN_DEBUG LOGLEV(7, 70, M_DEBUG) /* show verbose struct alignment info */ #define D_PACKET_TRUNC_DEBUG LOGLEV(7, 70, M_DEBUG) /* PACKET_TRUNCATION_CHECK verbose */ #define D_PING LOGLEV(7, 70, M_DEBUG) /* PING send/receive messages */ #define D_PS_PROXY_DEBUG LOGLEV(7, 70, M_DEBUG) /* port share proxy debug */ #define D_AUTO_USERID LOGLEV(7, 70, M_DEBUG) /* AUTO_USERID debugging */ #define D_TLS_KEYSELECT LOGLEV(7, 70, M_DEBUG) /* show information on key selection for data channel */ #define D_ARGV_PARSE_CMD LOGLEV(7, 70, M_DEBUG) /* show parse_line() errors in argv_parse_cmd */ #define D_CRYPTO_DEBUG LOGLEV(7, 70, M_DEBUG) /* show detailed info from crypto.c routines */ #define D_PID_DEBUG LOGLEV(7, 70, M_DEBUG) /* show packet-id debugging info */ #define D_PF_DROPPED_BCAST LOGLEV(7, 71, M_DEBUG) /* packet filter dropped a broadcast packet */ #define D_PF_DEBUG LOGLEV(7, 72, M_DEBUG) /* packet filter debugging, must also define PF_DEBUG in pf.h */ #define D_PUSH_DEBUG LOGLEV(7, 73, M_DEBUG) /* show push/pull debugging info */ #define D_HANDSHAKE_VERBOSE LOGLEV(8, 70, M_DEBUG) /* show detailed description of each handshake */ #define D_TLS_DEBUG_MED LOGLEV(8, 70, M_DEBUG) /* limited info from tls_session routines */ #define D_INTERVAL LOGLEV(8, 70, M_DEBUG) /* show interval.h debugging info */ #define D_SCHEDULER LOGLEV(8, 70, M_DEBUG) /* show scheduler debugging info */ #define D_GREMLIN_VERBOSE LOGLEV(8, 70, M_DEBUG) /* show verbose info from gremlin module */ #define D_REL_DEBUG LOGLEV(8, 70, M_DEBUG) /* show detailed info from reliable routines */ #define D_EVENT_WAIT LOGLEV(8, 70, M_DEBUG) /* show detailed info from event waits */ #define D_MULTI_TCP LOGLEV(8, 70, M_DEBUG) /* show debug info from mtcp.c */ #define D_TLS_DEBUG LOGLEV(9, 70, M_DEBUG) /* show detailed info from TLS routines */ #define D_COMP LOGLEV(9, 70, M_DEBUG) /* show compression info */ #define D_READ_WRITE LOGLEV(9, 70, M_DEBUG) /* show all tun/tcp/udp reads/writes/opens */ #define D_PACKET_CONTENT LOGLEV(9, 70, M_DEBUG) /* show before/after encryption packet content */ #define D_TLS_NO_SEND_KEY LOGLEV(9, 70, M_DEBUG) /* show when no data channel send-key exists */ #define D_PID_PERSIST_DEBUG LOGLEV(9, 70, M_DEBUG) /* show packet-id persist debugging info */ #define D_LINK_RW_VERBOSE LOGLEV(9, 70, M_DEBUG) /* show link reads/writes with greater verbosity */ #define D_STREAM_DEBUG LOGLEV(9, 70, M_DEBUG) /* show TCP stream debug info */ #define D_WIN32_IO LOGLEV(9, 70, M_DEBUG) /* win32 I/O debugging info */ #define D_PKCS11_DEBUG LOGLEV(9, 70, M_DEBUG) /* show PKCS#11 debugging */ #define D_SHAPER_DEBUG LOGLEV(10, 70, M_DEBUG) /* show traffic shaper info */ #define D_REGISTRY LOGLEV(11, 70, M_DEBUG) /* win32 registry debugging info */ #define D_OPENSSL_LOCK LOGLEV(11, 70, M_DEBUG) /* show OpenSSL locks */ /*#define D_THREAD_DEBUG LOGLEV(4, 70, M_DEBUG)*/ /* show pthread debug information */ #endif /* ifndef ERRLEVEL_H */ openvpn-2.4.4/src/openvpn/error.c000066400000000000000000000574321316434344000167740ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) #include "config-msvc.h" #endif #include "syshead.h" #include "error.h" #include "buffer.h" #include "misc.h" #include "win32.h" #include "socket.h" #include "tun.h" #include "otime.h" #include "perf.h" #include "status.h" #include "integer.h" #include "ps.h" #include "mstats.h" #if SYSLOG_CAPABILITY #ifndef LOG_OPENVPN #define LOG_OPENVPN LOG_DAEMON #endif #endif /* Globals */ unsigned int x_debug_level; /* GLOBAL */ /* Mute state */ static int mute_cutoff; /* GLOBAL */ static int mute_count; /* GLOBAL */ static int mute_category; /* GLOBAL */ /* * Output mode priorities are as follows: * * (1) --log-x overrides everything * (2) syslog is used if --daemon or --inetd is defined and not --log-x * (3) if OPENVPN_DEBUG_COMMAND_LINE is defined, output * to constant logfile name. * (4) Output to stdout. */ /* If true, indicates that stdin/stdout/stderr * have been redirected due to --log */ static bool std_redir; /* GLOBAL */ /* Should messages be written to the syslog? */ static bool use_syslog; /* GLOBAL */ /* Should stdout/stderr be be parsable and always be prefixed with time * and message flags */ static bool machine_readable_output; /* GLOBAL */ /* Should timestamps be included on messages to stdout/stderr? */ static bool suppress_timestamps; /* GLOBAL */ /* The program name passed to syslog */ #if SYSLOG_CAPABILITY static char *pgmname_syslog; /* GLOBAL */ #endif /* If non-null, messages should be written here (used for debugging only) */ static FILE *msgfp; /* GLOBAL */ /* If true, we forked from main OpenVPN process */ static bool forked; /* GLOBAL */ /* our default output targets */ static FILE *default_out; /* GLOBAL */ static FILE *default_err; /* GLOBAL */ void msg_forked(void) { forked = true; } bool set_debug_level(const int level, const unsigned int flags) { const int ceiling = 15; if (level >= 0 && level <= ceiling) { x_debug_level = level; return true; } else if (flags & SDL_CONSTRAIN) { x_debug_level = constrain_int(level, 0, ceiling); return true; } return false; } bool set_mute_cutoff(const int cutoff) { if (cutoff >= 0) { mute_cutoff = cutoff; return true; } else { return false; } } int get_debug_level(void) { return x_debug_level; } int get_mute_cutoff(void) { return mute_cutoff; } void set_suppress_timestamps(bool suppressed) { suppress_timestamps = suppressed; } void set_machine_readable_output(bool parsable) { machine_readable_output = parsable; } void error_reset(void) { use_syslog = std_redir = false; suppress_timestamps = false; machine_readable_output = false; x_debug_level = 1; mute_cutoff = 0; mute_count = 0; mute_category = 0; default_out = OPENVPN_MSG_FP; default_err = OPENVPN_MSG_FP; #ifdef OPENVPN_DEBUG_COMMAND_LINE msgfp = fopen(OPENVPN_DEBUG_FILE, "w"); if (!msgfp) { openvpn_exit(OPENVPN_EXIT_STATUS_CANNOT_OPEN_DEBUG_FILE); /* exit point */ } #else /* ifdef OPENVPN_DEBUG_COMMAND_LINE */ msgfp = NULL; #endif } void errors_to_stderr(void) { default_err = OPENVPN_ERROR_FP; } /* * Return a file to print messages to before syslog is opened. */ FILE * msg_fp(const unsigned int flags) { FILE *fp = msgfp; if (!fp) { fp = (flags & (M_FATAL|M_USAGE_SMALL)) ? default_err : default_out; } if (!fp) { openvpn_exit(OPENVPN_EXIT_STATUS_CANNOT_OPEN_DEBUG_FILE); /* exit point */ } return fp; } #define SWAP { tmp = m1; m1 = m2; m2 = tmp; } int x_msg_line_num; /* GLOBAL */ void x_msg(const unsigned int flags, const char *format, ...) { va_list arglist; va_start(arglist, format); x_msg_va(flags, format, arglist); va_end(arglist); } void x_msg_va(const unsigned int flags, const char *format, va_list arglist) { struct gc_arena gc; #if SYSLOG_CAPABILITY int level; #endif char *m1; char *m2; char *tmp; int e; const char *prefix; const char *prefix_sep; void usage_small(void); #ifndef HAVE_VARARG_MACROS /* the macro has checked this otherwise */ if (!msg_test(flags)) { return; } #endif e = openvpn_errno(); /* * Apply muting filter. */ #ifndef HAVE_VARARG_MACROS /* the macro has checked this otherwise */ if (!dont_mute(flags)) { return; } #endif gc_init(&gc); m1 = (char *) gc_malloc(ERR_BUF_SIZE, false, &gc); m2 = (char *) gc_malloc(ERR_BUF_SIZE, false, &gc); vsnprintf(m1, ERR_BUF_SIZE, format, arglist); m1[ERR_BUF_SIZE - 1] = 0; /* windows vsnprintf needs this */ if ((flags & M_ERRNO) && e) { openvpn_snprintf(m2, ERR_BUF_SIZE, "%s: %s (errno=%d)", m1, strerror(e), e); SWAP; } if (flags & M_OPTERR) { openvpn_snprintf(m2, ERR_BUF_SIZE, "Options error: %s", m1); SWAP; } #if SYSLOG_CAPABILITY if (flags & (M_FATAL|M_NONFATAL|M_USAGE_SMALL)) { level = LOG_ERR; } else if (flags & M_WARN) { level = LOG_WARNING; } else { level = LOG_NOTICE; } #endif /* set up client prefix */ if (flags & M_NOIPREFIX) { prefix = NULL; } else { prefix = msg_get_prefix(); } prefix_sep = " "; if (!prefix) { prefix_sep = prefix = ""; } /* virtual output capability used to copy output to management subsystem */ if (!forked) { const struct virtual_output *vo = msg_get_virtual_output(); if (vo) { openvpn_snprintf(m2, ERR_BUF_SIZE, "%s%s%s", prefix, prefix_sep, m1); virtual_output_print(vo, flags, m2); } } if (!(flags & M_MSG_VIRT_OUT)) { if (use_syslog && !std_redir && !forked) { #if SYSLOG_CAPABILITY syslog(level, "%s%s%s", prefix, prefix_sep, m1); #endif } else { FILE *fp = msg_fp(flags); const bool show_usec = check_debug_level(DEBUG_LEVEL_USEC_TIME); if (machine_readable_output) { struct timeval tv; gettimeofday(&tv, NULL); fprintf(fp, "%lu.%06lu %x %s%s%s%s", tv.tv_sec, (unsigned long)tv.tv_usec, flags, prefix, prefix_sep, m1, "\n"); } else if ((flags & M_NOPREFIX) || suppress_timestamps) { fprintf(fp, "%s%s%s%s", prefix, prefix_sep, m1, (flags&M_NOLF) ? "" : "\n"); } else { fprintf(fp, "%s %s%s%s%s", time_string(0, 0, show_usec, &gc), prefix, prefix_sep, m1, (flags&M_NOLF) ? "" : "\n"); } fflush(fp); ++x_msg_line_num; } } if (flags & M_FATAL) { msg(M_INFO, "Exiting due to fatal error"); } if (flags & M_FATAL) { openvpn_exit(OPENVPN_EXIT_STATUS_ERROR); /* exit point */ } if (flags & M_USAGE_SMALL) { usage_small(); } gc_free(&gc); } /* * Apply muting filter. */ bool dont_mute(unsigned int flags) { bool ret = true; if (mute_cutoff > 0 && !(flags & M_NOMUTE)) { const int mute_level = DECODE_MUTE_LEVEL(flags); if (mute_level > 0 && mute_level == mute_category) { if (mute_count == mute_cutoff) { msg(M_INFO | M_NOMUTE, "NOTE: --mute triggered..."); } if (++mute_count > mute_cutoff) { ret = false; } } else { const int suppressed = mute_count - mute_cutoff; if (suppressed > 0) { msg(M_INFO | M_NOMUTE, "%d variation(s) on previous %d message(s) suppressed by --mute", suppressed, mute_cutoff); } mute_count = 1; mute_category = mute_level; } } return ret; } void assert_failed(const char *filename, int line, const char *condition) { if (condition) { msg(M_FATAL, "Assertion failed at %s:%d (%s)", filename, line, condition); } else { msg(M_FATAL, "Assertion failed at %s:%d", filename, line); } _exit(1); } /* * Fail memory allocation. Don't use msg() because it tries * to allocate memory as part of its operation. */ void out_of_memory(void) { fprintf(stderr, PACKAGE_NAME ": Out of Memory\n"); exit(1); } void open_syslog(const char *pgmname, bool stdio_to_null) { #if SYSLOG_CAPABILITY if (!msgfp && !std_redir) { if (!use_syslog) { pgmname_syslog = string_alloc(pgmname ? pgmname : PACKAGE, NULL); openlog(pgmname_syslog, LOG_PID, LOG_OPENVPN); use_syslog = true; /* Better idea: somehow pipe stdout/stderr output to msg() */ if (stdio_to_null) { set_std_files_to_null(false); } } } #else /* if SYSLOG_CAPABILITY */ msg(M_WARN, "Warning on use of --daemon/--inetd: this operating system lacks daemon logging features, therefore when I become a daemon, I won't be able to log status or error messages"); #endif } void close_syslog(void) { #if SYSLOG_CAPABILITY if (use_syslog) { closelog(); use_syslog = false; if (pgmname_syslog) { free(pgmname_syslog); pgmname_syslog = NULL; } } #endif } #ifdef _WIN32 static HANDLE orig_stderr; HANDLE get_orig_stderr(void) { if (orig_stderr) { return orig_stderr; } else { return GetStdHandle(STD_ERROR_HANDLE); } } #endif void redirect_stdout_stderr(const char *file, bool append) { #if defined(_WIN32) if (!std_redir) { struct gc_arena gc = gc_new(); HANDLE log_handle; int log_fd; SECURITY_ATTRIBUTES saAttr; saAttr.nLength = sizeof(SECURITY_ATTRIBUTES); saAttr.bInheritHandle = TRUE; saAttr.lpSecurityDescriptor = NULL; log_handle = CreateFileW(wide_string(file, &gc), GENERIC_WRITE, FILE_SHARE_READ, &saAttr, append ? OPEN_ALWAYS : CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL); gc_free(&gc); if (log_handle == INVALID_HANDLE_VALUE) { msg(M_WARN|M_ERRNO, "Warning: cannot open --log file: %s", file); return; } /* append to logfile? */ if (append) { if (SetFilePointer(log_handle, 0, NULL, FILE_END) == INVALID_SET_FILE_POINTER) { msg(M_ERR, "Error: cannot seek to end of --log file: %s", file); } } /* save original stderr for password prompts */ orig_stderr = GetStdHandle(STD_ERROR_HANDLE); #if 0 /* seems not be necessary with stdout/stderr redirection below*/ /* set up for redirection */ if (!SetStdHandle(STD_OUTPUT_HANDLE, log_handle) || !SetStdHandle(STD_ERROR_HANDLE, log_handle)) { msg(M_ERR, "Error: cannot redirect stdout/stderr to --log file: %s", file); } #endif /* direct stdout/stderr to point to log_handle */ log_fd = _open_osfhandle((intptr_t)log_handle, _O_TEXT); if (log_fd == -1) { msg(M_ERR, "Error: --log redirect failed due to _open_osfhandle failure"); } /* open log_handle as FILE stream */ ASSERT(msgfp == NULL); msgfp = _fdopen(log_fd, "wt"); if (msgfp == NULL) { msg(M_ERR, "Error: --log redirect failed due to _fdopen"); } /* redirect C-library stdout/stderr to log file */ if (_dup2(log_fd, 1) == -1 || _dup2(log_fd, 2) == -1) { msg(M_WARN, "Error: --log redirect of stdout/stderr failed"); } std_redir = true; } #elif defined(HAVE_DUP2) if (!std_redir) { int out = open(file, O_CREAT | O_WRONLY | (append ? O_APPEND : O_TRUNC), S_IRUSR | S_IWUSR); if (out < 0) { msg(M_WARN|M_ERRNO, "Warning: Error redirecting stdout/stderr to --log file: %s", file); return; } if (dup2(out, 1) == -1) { msg(M_ERR, "--log file redirection error on stdout"); } if (dup2(out, 2) == -1) { msg(M_ERR, "--log file redirection error on stderr"); } if (out > 2) { close(out); } std_redir = true; } #else /* if defined(_WIN32) */ msg(M_WARN, "WARNING: The --log option is not supported on this OS because it lacks the dup2 function"); #endif /* if defined(_WIN32) */ } /* * Functions used to check return status * of I/O operations. */ unsigned int x_cs_info_level; /* GLOBAL */ unsigned int x_cs_verbose_level; /* GLOBAL */ unsigned int x_cs_err_delay_ms; /* GLOBAL */ void reset_check_status(void) { x_cs_info_level = 0; x_cs_verbose_level = 0; } void set_check_status(unsigned int info_level, unsigned int verbose_level) { x_cs_info_level = info_level; x_cs_verbose_level = verbose_level; } /* * Called after most socket or tun/tap operations, via the inline * function check_status(). * * Decide if we should print an error message, and see if we can * extract any useful info from the error, such as a Path MTU hint * from the OS. */ void x_check_status(int status, const char *description, struct link_socket *sock, struct tuntap *tt) { const int my_errno = openvpn_errno(); const char *extended_msg = NULL; msg(x_cs_verbose_level, "%s %s returned %d", sock ? proto2ascii(sock->info.proto, sock->info.af, true) : "", description, status); if (status < 0) { struct gc_arena gc = gc_new(); #if EXTENDED_SOCKET_ERROR_CAPABILITY /* get extended socket error message and possible PMTU hint from OS */ if (sock) { int mtu; extended_msg = format_extended_socket_error(sock->sd, &mtu, &gc); if (mtu > 0 && sock->mtu != mtu) { sock->mtu = mtu; sock->info.mtu_changed = true; } } #elif defined(_WIN32) /* get possible driver error from TAP-Windows driver */ extended_msg = tap_win_getinfo(tt, &gc); #endif if (!ignore_sys_error(my_errno)) { if (extended_msg) { msg(x_cs_info_level, "%s %s [%s]: %s (code=%d)", description, sock ? proto2ascii(sock->info.proto, sock->info.af, true) : "", extended_msg, strerror(my_errno), my_errno); } else { msg(x_cs_info_level, "%s %s: %s (code=%d)", description, sock ? proto2ascii(sock->info.proto, sock->info.af, true) : "", strerror(my_errno), my_errno); } if (x_cs_err_delay_ms) { platform_sleep_milliseconds(x_cs_err_delay_ms); } } gc_free(&gc); } } /* * In multiclient mode, put a client-specific prefix * before each message. */ const char *x_msg_prefix; /* GLOBAL */ /* * Allow MSG to be redirected through a virtual_output object */ const struct virtual_output *x_msg_virtual_output; /* GLOBAL */ /* * Exiting. */ void openvpn_exit(const int status) { if (!forked) { void tun_abort(); #ifdef ENABLE_PLUGIN void plugin_abort(void); #endif tun_abort(); #ifdef _WIN32 uninit_win32(); #endif close_syslog(); #ifdef ENABLE_PLUGIN plugin_abort(); #endif #if PORT_SHARE if (port_share) { port_share_abort(port_share); } #endif #ifdef ENABLE_MEMSTATS mstats_close(); #endif #ifdef ABORT_ON_ERROR if (status == OPENVPN_EXIT_STATUS_ERROR) { abort(); } #endif if (status == OPENVPN_EXIT_STATUS_GOOD) { perf_output_results(); } } exit(status); } /* * Translate msg flags into a string */ const char * msg_flags_string(const unsigned int flags, struct gc_arena *gc) { struct buffer out = alloc_buf_gc(16, gc); if (flags == M_INFO) { buf_printf(&out, "I"); } if (flags & M_FATAL) { buf_printf(&out, "F"); } if (flags & M_NONFATAL) { buf_printf(&out, "N"); } if (flags & M_WARN) { buf_printf(&out, "W"); } if (flags & M_DEBUG) { buf_printf(&out, "D"); } return BSTR(&out); } #ifdef ENABLE_DEBUG void crash(void) { char *null = NULL; *null = 0; } #endif #ifdef _WIN32 const char * strerror_win32(DWORD errnum, struct gc_arena *gc) { /* * This code can be omitted, though often the Windows * WSA error messages are less informative than the * Posix equivalents. */ #if 1 switch (errnum) { /* * When the TAP-Windows driver returns STATUS_UNSUCCESSFUL, this code * gets returned to user space. */ case ERROR_GEN_FAILURE: return "General failure (ERROR_GEN_FAILURE)"; case ERROR_IO_PENDING: return "I/O Operation in progress (ERROR_IO_PENDING)"; case WSA_IO_INCOMPLETE: return "I/O Operation in progress (WSA_IO_INCOMPLETE)"; case WSAEINTR: return "Interrupted system call (WSAEINTR)"; case WSAEBADF: return "Bad file number (WSAEBADF)"; case WSAEACCES: return "Permission denied (WSAEACCES)"; case WSAEFAULT: return "Bad address (WSAEFAULT)"; case WSAEINVAL: return "Invalid argument (WSAEINVAL)"; case WSAEMFILE: return "Too many open files (WSAEMFILE)"; case WSAEWOULDBLOCK: return "Operation would block (WSAEWOULDBLOCK)"; case WSAEINPROGRESS: return "Operation now in progress (WSAEINPROGRESS)"; case WSAEALREADY: return "Operation already in progress (WSAEALREADY)"; case WSAEDESTADDRREQ: return "Destination address required (WSAEDESTADDRREQ)"; case WSAEMSGSIZE: return "Message too long (WSAEMSGSIZE)"; case WSAEPROTOTYPE: return "Protocol wrong type for socket (WSAEPROTOTYPE)"; case WSAENOPROTOOPT: return "Bad protocol option (WSAENOPROTOOPT)"; case WSAEPROTONOSUPPORT: return "Protocol not supported (WSAEPROTONOSUPPORT)"; case WSAESOCKTNOSUPPORT: return "Socket type not supported (WSAESOCKTNOSUPPORT)"; case WSAEOPNOTSUPP: return "Operation not supported on socket (WSAEOPNOTSUPP)"; case WSAEPFNOSUPPORT: return "Protocol family not supported (WSAEPFNOSUPPORT)"; case WSAEAFNOSUPPORT: return "Address family not supported by protocol family (WSAEAFNOSUPPORT)"; case WSAEADDRINUSE: return "Address already in use (WSAEADDRINUSE)"; case WSAENETDOWN: return "Network is down (WSAENETDOWN)"; case WSAENETUNREACH: return "Network is unreachable (WSAENETUNREACH)"; case WSAENETRESET: return "Net dropped connection or reset (WSAENETRESET)"; case WSAECONNABORTED: return "Software caused connection abort (WSAECONNABORTED)"; case WSAECONNRESET: return "Connection reset by peer (WSAECONNRESET)"; case WSAENOBUFS: return "No buffer space available (WSAENOBUFS)"; case WSAEISCONN: return "Socket is already connected (WSAEISCONN)"; case WSAENOTCONN: return "Socket is not connected (WSAENOTCONN)"; case WSAETIMEDOUT: return "Connection timed out (WSAETIMEDOUT)"; case WSAECONNREFUSED: return "Connection refused (WSAECONNREFUSED)"; case WSAELOOP: return "Too many levels of symbolic links (WSAELOOP)"; case WSAENAMETOOLONG: return "File name too long (WSAENAMETOOLONG)"; case WSAEHOSTDOWN: return "Host is down (WSAEHOSTDOWN)"; case WSAEHOSTUNREACH: return "No Route to Host (WSAEHOSTUNREACH)"; case WSAENOTEMPTY: return "Directory not empty (WSAENOTEMPTY)"; case WSAEPROCLIM: return "Too many processes (WSAEPROCLIM)"; case WSAEUSERS: return "Too many users (WSAEUSERS)"; case WSAEDQUOT: return "Disc Quota Exceeded (WSAEDQUOT)"; case WSAESTALE: return "Stale NFS file handle (WSAESTALE)"; case WSASYSNOTREADY: return "Network SubSystem is unavailable (WSASYSNOTREADY)"; case WSAVERNOTSUPPORTED: return "WINSOCK DLL Version out of range (WSAVERNOTSUPPORTED)"; case WSANOTINITIALISED: return "Successful WSASTARTUP not yet performed (WSANOTINITIALISED)"; case WSAEREMOTE: return "Too many levels of remote in path (WSAEREMOTE)"; case WSAHOST_NOT_FOUND: return "Host not found (WSAHOST_NOT_FOUND)"; default: break; } #endif /* if 1 */ /* format a windows error message */ { char message[256]; struct buffer out = alloc_buf_gc(256, gc); const int status = FormatMessage( FORMAT_MESSAGE_IGNORE_INSERTS | FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_ARGUMENT_ARRAY, NULL, errnum, 0, message, sizeof(message), NULL); if (!status) { buf_printf(&out, "[Unknown Win32 Error]"); } else { char *cp; for (cp = message; *cp != '\0'; ++cp) { if (*cp == '\n' || *cp == '\r') { *cp = ' '; } } buf_printf(&out, "%s", message); } return BSTR(&out); } } #endif /* ifdef _WIN32 */ openvpn-2.4.4/src/openvpn/error.h000066400000000000000000000253671316434344000170030ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifndef ERROR_H #define ERROR_H #include "basic.h" #include #include #include /* #define ABORT_ON_ERROR */ #ifdef ENABLE_PKCS11 #define ERR_BUF_SIZE 8192 #else #define ERR_BUF_SIZE 1280 #endif struct gc_arena; /* * Where should messages be printed before syslog is opened? * Not used if OPENVPN_DEBUG_COMMAND_LINE is defined. */ #define OPENVPN_MSG_FP stdout #define OPENVPN_ERROR_FP stderr /* * Exit status codes */ #define OPENVPN_EXIT_STATUS_GOOD 0 #define OPENVPN_EXIT_STATUS_ERROR 1 #define OPENVPN_EXIT_STATUS_USAGE 1 #define OPENVPN_EXIT_STATUS_CANNOT_OPEN_DEBUG_FILE 1 /* * Special command line debugging mode. * If OPENVPN_DEBUG_COMMAND_LINE * is defined, contents of argc/argv will * be dumped to OPENVPN_DEBUG_FILE as well * as all other OpenVPN messages. */ /* #define OPENVPN_DEBUG_COMMAND_LINE */ #define OPENVPN_DEBUG_FILE PACKAGE ".log" /* String and Error functions */ #ifdef _WIN32 #define openvpn_errno() GetLastError() #define openvpn_strerror(e, gc) strerror_win32(e, gc) const char *strerror_win32(DWORD errnum, struct gc_arena *gc); #else #define openvpn_errno() errno #define openvpn_strerror(x, gc) strerror(x) #endif /* * These globals should not be accessed directly, * but rather through macros or inline functions defined below. */ extern unsigned int x_debug_level; extern int x_msg_line_num; /* msg() flags */ #define M_DEBUG_LEVEL (0x0F) /* debug level mask */ #define M_FATAL (1<<4) /* exit program */ #define M_NONFATAL (1<<5) /* non-fatal error */ #define M_WARN (1<<6) /* call syslog with LOG_WARNING */ #define M_DEBUG (1<<7) #define M_ERRNO (1<<8) /* show errno description */ #define M_NOMUTE (1<<11) /* don't do mute processing */ #define M_NOPREFIX (1<<12) /* don't show date/time prefix */ #define M_USAGE_SMALL (1<<13) /* fatal options error, call usage_small */ #define M_MSG_VIRT_OUT (1<<14) /* output message through msg_status_output callback */ #define M_OPTERR (1<<15) /* print "Options error:" prefix */ #define M_NOLF (1<<16) /* don't print new line */ #define M_NOIPREFIX (1<<17) /* don't print instance prefix */ /* flag combinations which are frequently used */ #define M_ERR (M_FATAL | M_ERRNO) #define M_USAGE (M_USAGE_SMALL | M_NOPREFIX | M_OPTERR) #define M_CLIENT (M_MSG_VIRT_OUT | M_NOMUTE | M_NOIPREFIX) /* * Mute levels are designed to avoid large numbers of * mostly similar messages clogging the log file. * * A mute level of 0 is always printed. */ #define MUTE_LEVEL_SHIFT 24 #define MUTE_LEVEL_MASK 0xFF #define ENCODE_MUTE_LEVEL(mute_level) (((mute_level) & MUTE_LEVEL_MASK) << MUTE_LEVEL_SHIFT) #define DECODE_MUTE_LEVEL(flags) (((flags) >> MUTE_LEVEL_SHIFT) & MUTE_LEVEL_MASK) /* * log_level: verbosity level n (--verb n) must be >= log_level to print. * mute_level: don't print more than n (--mute n) consecutive messages at * a given mute level, or if 0 disable muting and print everything. * * Mask map: * Bits 0-3: log level * Bits 4-23: M_x flags * Bits 24-31: mute level */ #define LOGLEV(log_level, mute_level, other) ((log_level) | ENCODE_MUTE_LEVEL(mute_level) | other) /* * If compiler supports variable arguments in macros, define * msg() as a macro for optimization win. */ /** Check muting filter */ bool dont_mute(unsigned int flags); /* Macro to ensure (and teach static analysis tools) we exit on fatal errors */ #define EXIT_FATAL(flags) do { if ((flags) & M_FATAL) {_exit(1);}} while (false) #if defined(HAVE_CPP_VARARG_MACRO_ISO) && !defined(__LCLINT__) #define HAVE_VARARG_MACROS #define msg(flags, ...) do { if (msg_test(flags)) {x_msg((flags), __VA_ARGS__);} EXIT_FATAL(flags); } while (false) #ifdef ENABLE_DEBUG #define dmsg(flags, ...) do { if (msg_test(flags)) {x_msg((flags), __VA_ARGS__);} EXIT_FATAL(flags); } while (false) #else #define dmsg(flags, ...) #endif #elif defined(HAVE_CPP_VARARG_MACRO_GCC) && !defined(__LCLINT__) #define HAVE_VARARG_MACROS #define msg(flags, args ...) do { if (msg_test(flags)) {x_msg((flags), args);} EXIT_FATAL(flags); } while (false) #ifdef ENABLE_DEBUG #define dmsg(flags, args ...) do { if (msg_test(flags)) {x_msg((flags), args);} EXIT_FATAL(flags); } while (false) #else #define dmsg(flags, args ...) #endif #else /* if defined(HAVE_CPP_VARARG_MACRO_ISO) && !defined(__LCLINT__) */ #if !PEDANTIC #ifdef _MSC_VER #pragma message("this compiler appears to lack vararg macros which will cause a significant degradation in efficiency") #else #warning this compiler appears to lack vararg macros which will cause a significant degradation in efficiency (you can ignore this warning if you are using LCLINT) #endif #endif #define msg x_msg #define dmsg x_msg #endif /* if defined(HAVE_CPP_VARARG_MACRO_ISO) && !defined(__LCLINT__) */ void x_msg(const unsigned int flags, const char *format, ...) #ifdef __GNUC__ #if __USE_MINGW_ANSI_STDIO __attribute__ ((format(gnu_printf, 2, 3))) #else __attribute__ ((format(__printf__, 2, 3))) #endif #endif ; /* should be called via msg above */ void x_msg_va(const unsigned int flags, const char *format, va_list arglist); /* * Function prototypes */ void error_reset(void); /* route errors to stderr that would normally go to stdout */ void errors_to_stderr(void); void set_suppress_timestamps(bool suppressed); void set_machine_readable_output(bool parsable); #define SDL_CONSTRAIN (1<<0) bool set_debug_level(const int level, const unsigned int flags); bool set_mute_cutoff(const int cutoff); int get_debug_level(void); int get_mute_cutoff(void); const char *msg_flags_string(const unsigned int flags, struct gc_arena *gc); /* * File to print messages to before syslog is opened. */ FILE *msg_fp(const unsigned int flags); /* Fatal logic errors */ #ifndef ENABLE_SMALL #define ASSERT(x) do { if (!(x)) {assert_failed(__FILE__, __LINE__, #x);}} while (false) #else #define ASSERT(x) do { if (!(x)) {assert_failed(__FILE__, __LINE__, NULL);}} while (false) #endif void assert_failed(const char *filename, int line, const char *condition) __attribute__((__noreturn__)); /* Poor-man's static_assert() for when not supplied by assert.h, taken from * Linux's sys/cdefs.h under GPLv2 */ #ifndef static_assert #define static_assert(expr, diagnostic) \ extern int (*__OpenVPN_static_assert_function(void)) \ [!!sizeof(struct { int __error_if_negative : (expr) ? 2 : -1; })] #endif #ifdef ENABLE_DEBUG void crash(void); /* force a segfault (debugging only) */ #endif /* Inline functions */ static inline bool check_debug_level(unsigned int level) { return (level & M_DEBUG_LEVEL) <= x_debug_level; } /** Return true if flags represent an enabled, not muted log level */ static inline bool msg_test(unsigned int flags) { return check_debug_level(flags) && dont_mute(flags); } /* Call if we forked */ void msg_forked(void); /* syslog output */ void open_syslog(const char *pgmname, bool stdio_to_null); void close_syslog(void); /* log file output */ void redirect_stdout_stderr(const char *file, bool append); #ifdef _WIN32 /* get original stderr handle, even if redirected by --log/--log-append */ HANDLE get_orig_stderr(void); #endif /* exit program */ void openvpn_exit(const int status); /* exit program on out of memory error */ void out_of_memory(void); /* * Check the return status of read/write routines. */ struct link_socket; struct tuntap; extern unsigned int x_cs_info_level; extern unsigned int x_cs_verbose_level; extern unsigned int x_cs_err_delay_ms; void reset_check_status(void); void set_check_status(unsigned int info_level, unsigned int verbose_level); void x_check_status(int status, const char *description, struct link_socket *sock, struct tuntap *tt); static inline void check_status(int status, const char *description, struct link_socket *sock, struct tuntap *tt) { if (status < 0 || check_debug_level(x_cs_verbose_level)) { x_check_status(status, description, sock, tt); } } static inline void set_check_status_error_delay(unsigned int milliseconds) { x_cs_err_delay_ms = milliseconds; } /* * In multiclient mode, put a client-specific prefix * before each message. * * TODO: x_msg_prefix should be thread-local */ extern const char *x_msg_prefix; void msg_thread_init(void); void msg_thread_uninit(void); static inline void msg_set_prefix(const char *prefix) { x_msg_prefix = prefix; } static inline const char * msg_get_prefix(void) { return x_msg_prefix; } /* * Allow MSG to be redirected through a virtual_output object */ struct virtual_output; extern const struct virtual_output *x_msg_virtual_output; static inline void msg_set_virtual_output(const struct virtual_output *vo) { x_msg_virtual_output = vo; } static inline const struct virtual_output * msg_get_virtual_output(void) { return x_msg_virtual_output; } /* * Return true if this is a system error * which can be safely ignored. */ static inline bool ignore_sys_error(const int err) { /* I/O operation pending */ #ifdef _WIN32 if (err == WSAEWOULDBLOCK || err == WSAEINVAL) { return true; } #else if (err == EAGAIN) { return true; } #endif #if 0 /* if enabled, suppress ENOBUFS errors */ #ifdef ENOBUFS /* No buffer space available */ if (err == ENOBUFS) { return true; } #endif #endif return false; } /** Convert fatal errors to nonfatal, don't touch other errors */ static inline unsigned int nonfatal(const unsigned int err) { return err & M_FATAL ? (err ^ M_FATAL) | M_NONFATAL : err; } #include "errlevel.h" #endif /* ifndef ERROR_H */ openvpn-2.4.4/src/openvpn/event.c000066400000000000000000000701651316434344000167620ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) #include "config-msvc.h" #endif #include "syshead.h" #include "buffer.h" #include "error.h" #include "integer.h" #include "event.h" #include "fdmisc.h" #include "memdbg.h" /* * Some OSes will prefer select() over poll() * when both are available. */ #if defined(TARGET_DARWIN) #define SELECT_PREFERRED_OVER_POLL #endif /* * All non-windows OSes are assumed to have select() */ #ifdef _WIN32 #define SELECT 0 #else #define SELECT 1 #endif /* * This should be set to the highest file descriptor * which can be used in one of the FD_ macros. */ #ifdef FD_SETSIZE #define SELECT_MAX_FDS FD_SETSIZE #else #define SELECT_MAX_FDS 256 #endif static inline int tv_to_ms_timeout(const struct timeval *tv) { if (tv->tv_sec == 0 && tv->tv_usec == 0) { return 0; } else { return max_int(tv->tv_sec * 1000 + (tv->tv_usec + 500) / 1000, 1); } } #ifdef _WIN32 struct we_set { struct event_set_functions func; bool fast; HANDLE *events; struct event_set_return *esr; int n_events; int capacity; }; static inline void we_set_event(struct we_set *wes, int i, event_t event, unsigned int rwflags, void *arg) { ASSERT(i >= 0 && i < wes->capacity); if (rwflags == EVENT_READ) { ASSERT(event->read != NULL); wes->events[i] = event->read; } else if (rwflags == EVENT_WRITE) { ASSERT(event->write != NULL); wes->events[i] = event->write; } else { msg(M_FATAL, "fatal error in we_set_events: rwflags=%d", rwflags); } wes->esr[i].rwflags = rwflags; wes->esr[i].arg = arg; } static inline bool we_append_event(struct we_set *wes, event_t event, unsigned int rwflags, void *arg) { if (rwflags & EVENT_WRITE) { if (wes->n_events < wes->capacity) { we_set_event(wes, wes->n_events, event, EVENT_WRITE, arg); ++wes->n_events; } else { return false; } } if (rwflags & EVENT_READ) { if (wes->n_events < wes->capacity) { we_set_event(wes, wes->n_events, event, EVENT_READ, arg); ++wes->n_events; } else { return false; } } return true; } static void we_del_event(struct we_set *wes, event_t event) { int i, j = 0; const int len = wes->n_events; for (i = 0; i < len; ++i) { const HANDLE h = wes->events[i]; if (h == event->read || h == event->write) { --wes->n_events; } else { if (i != j) { wes->events[j] = wes->events[i]; wes->esr[j] = wes->esr[i]; } ++j; } } } static void we_del_index(struct we_set *wes, int index) { int i; ASSERT(index >= 0 && index < wes->n_events); for (i = index; i < wes->n_events - 1; ++i) { wes->events[i] = wes->events[i+1]; wes->esr[i] = wes->esr[i+1]; } --wes->n_events; } static void we_get_rw_indices(struct we_set *wes, event_t event, int *ri, int *wi) { int i; *ri = *wi = -1; for (i = 0; i < wes->n_events; ++i) { const HANDLE h = wes->events[i]; if (h == event->read) { ASSERT(*ri == -1); *ri = i; } else if (h == event->write) { ASSERT(*wi == -1); *wi = i; } } } static void we_free(struct event_set *es) { struct we_set *wes = (struct we_set *) es; free(wes->events); free(wes->esr); free(wes); } static void we_reset(struct event_set *es) { struct we_set *wes = (struct we_set *) es; ASSERT(wes->fast); wes->n_events = 0; } static void we_del(struct event_set *es, event_t event) { struct we_set *wes = (struct we_set *) es; ASSERT(!wes->fast); we_del_event(wes, event); } static void we_ctl(struct event_set *es, event_t event, unsigned int rwflags, void *arg) { struct we_set *wes = (struct we_set *) es; dmsg(D_EVENT_WAIT, "WE_CTL n=%d ev=%p rwflags=0x%04x arg=" ptr_format, wes->n_events, event, rwflags, (ptr_type)arg); if (wes->fast) { if (!we_append_event(wes, event, rwflags, arg)) { goto err; } } else { int ri, wi; int one = -1; int n = 0; we_get_rw_indices(wes, event, &ri, &wi); if (wi >= 0) { one = wi; ++n; } if (ri >= 0) { one = ri; ++n; } switch (rwflags) { case 0: switch (n) { case 0: break; case 1: we_del_index(wes, one); break; case 2: we_del_event(wes, event); break; default: ASSERT(0); } break; case EVENT_READ: switch (n) { case 0: if (!we_append_event(wes, event, EVENT_READ, arg)) { goto err; } break; case 1: we_set_event(wes, one, event, EVENT_READ, arg); break; case 2: we_del_index(wes, wi); break; default: ASSERT(0); } break; case EVENT_WRITE: switch (n) { case 0: if (!we_append_event(wes, event, EVENT_WRITE, arg)) { goto err; } break; case 1: we_set_event(wes, one, event, EVENT_WRITE, arg); break; case 2: we_del_index(wes, ri); break; default: ASSERT(0); } break; case EVENT_READ|EVENT_WRITE: switch (n) { case 0: if (!we_append_event(wes, event, EVENT_READ|EVENT_WRITE, arg)) { goto err; } break; case 1: if (ri == -1) { ASSERT(wi != -1); if (!we_append_event(wes, event, EVENT_READ, arg)) { goto err; } } else if (wi == -1) { if (!we_append_event(wes, event, EVENT_WRITE, arg)) { goto err; } } else { ASSERT(0); } break; case 2: break; default: ASSERT(0); } break; default: msg(M_FATAL, "fatal error in we_ctl: rwflags=%d", rwflags); } } return; err: msg(D_EVENT_ERRORS, "Error: Windows resource limit WSA_MAXIMUM_WAIT_EVENTS (%d) has been exceeded", WSA_MAXIMUM_WAIT_EVENTS); } static int we_wait(struct event_set *es, const struct timeval *tv, struct event_set_return *out, int outlen) { struct we_set *wes = (struct we_set *) es; const int timeout = tv_to_ms_timeout(tv); DWORD status; dmsg(D_EVENT_WAIT, "WE_WAIT enter n=%d to=%d", wes->n_events, timeout); #ifdef ENABLE_DEBUG if (check_debug_level(D_EVENT_WAIT)) { int i; for (i = 0; i < wes->n_events; ++i) { dmsg(D_EVENT_WAIT, "[%d] ev=%p rwflags=0x%04x arg=" ptr_format, i, wes->events[i], wes->esr[i].rwflags, (ptr_type)wes->esr[i].arg); } } #endif /* * First poll our event list with 0 timeout */ status = WSAWaitForMultipleEvents( (DWORD) wes->n_events, wes->events, FALSE, (DWORD) 0, FALSE); /* * If at least one event is already set, we must * individually poll the whole list. */ if (status >= WSA_WAIT_EVENT_0 && status < WSA_WAIT_EVENT_0 + (DWORD) wes->n_events) { int i; int j = 0; for (i = 0; i < wes->n_events; ++i) { if (j >= outlen) { break; } if (WaitForSingleObject(wes->events[i], 0) == WAIT_OBJECT_0) { *out = wes->esr[i]; dmsg(D_EVENT_WAIT, "WE_WAIT leave [%d,%d] rwflags=0x%04x arg=" ptr_format, i, j, out->rwflags, (ptr_type)out->arg); ++j; ++out; } } return j; } else { /* * If caller specified timeout > 0, we know at this point * that no events are set, so wait only for the first event * (or timeout) and return at most one event_set_return object. * * If caller specified timeout == 0, the second call to * WSAWaitForMultipleEvents would be redundant -- just * return 0 indicating timeout. */ if (timeout > 0) { status = WSAWaitForMultipleEvents( (DWORD) wes->n_events, wes->events, FALSE, (DWORD) timeout, FALSE); } if (outlen >= 1 && status >= WSA_WAIT_EVENT_0 && status < WSA_WAIT_EVENT_0 + (DWORD) wes->n_events) { *out = wes->esr[status - WSA_WAIT_EVENT_0]; dmsg(D_EVENT_WAIT, "WE_WAIT leave rwflags=0x%04x arg=" ptr_format, out->rwflags, (ptr_type)out->arg); return 1; } else if (status == WSA_WAIT_TIMEOUT) { return 0; } else { return -1; } } } static struct event_set * we_init(int *maxevents, unsigned int flags) { struct we_set *wes; dmsg(D_EVENT_WAIT, "WE_INIT maxevents=%d flags=0x%08x", *maxevents, flags); ALLOC_OBJ_CLEAR(wes, struct we_set); /* set dispatch functions */ wes->func.free = we_free; wes->func.reset = we_reset; wes->func.del = we_del; wes->func.ctl = we_ctl; wes->func.wait = we_wait; if (flags & EVENT_METHOD_FAST) { wes->fast = true; } wes->n_events = 0; /* Figure our event capacity */ ASSERT(*maxevents > 0); wes->capacity = min_int(*maxevents * 2, WSA_MAXIMUM_WAIT_EVENTS); *maxevents = min_int(*maxevents, WSA_MAXIMUM_WAIT_EVENTS); /* Allocate space for Win32 event handles */ ALLOC_ARRAY_CLEAR(wes->events, HANDLE, wes->capacity); /* Allocate space for event_set_return objects */ ALLOC_ARRAY_CLEAR(wes->esr, struct event_set_return, wes->capacity); dmsg(D_EVENT_WAIT, "WE_INIT maxevents=%d capacity=%d", *maxevents, wes->capacity); return (struct event_set *) wes; } #endif /* _WIN32 */ #if EPOLL struct ep_set { struct event_set_functions func; bool fast; int epfd; int maxevents; struct epoll_event *events; }; static void ep_free(struct event_set *es) { struct ep_set *eps = (struct ep_set *) es; close(eps->epfd); free(eps->events); free(eps); } static void ep_reset(struct event_set *es) { const struct ep_set *eps = (struct ep_set *) es; ASSERT(eps->fast); } static void ep_del(struct event_set *es, event_t event) { struct epoll_event ev; struct ep_set *eps = (struct ep_set *) es; dmsg(D_EVENT_WAIT, "EP_DEL ev=%d", (int)event); ASSERT(!eps->fast); CLEAR(ev); epoll_ctl(eps->epfd, EPOLL_CTL_DEL, event, &ev); } static void ep_ctl(struct event_set *es, event_t event, unsigned int rwflags, void *arg) { struct ep_set *eps = (struct ep_set *) es; struct epoll_event ev; CLEAR(ev); ev.data.ptr = arg; if (rwflags & EVENT_READ) { ev.events |= EPOLLIN; } if (rwflags & EVENT_WRITE) { ev.events |= EPOLLOUT; } dmsg(D_EVENT_WAIT, "EP_CTL fd=%d rwflags=0x%04x ev=0x%08x arg=" ptr_format, (int)event, rwflags, (unsigned int)ev.events, (ptr_type)ev.data.ptr); if (epoll_ctl(eps->epfd, EPOLL_CTL_MOD, event, &ev) < 0) { if (errno == ENOENT) { if (epoll_ctl(eps->epfd, EPOLL_CTL_ADD, event, &ev) < 0) { msg(M_ERR, "EVENT: epoll_ctl EPOLL_CTL_ADD failed, sd=%d", (int)event); } } else { msg(M_ERR, "EVENT: epoll_ctl EPOLL_CTL_MOD failed, sd=%d", (int)event); } } } static int ep_wait(struct event_set *es, const struct timeval *tv, struct event_set_return *out, int outlen) { struct ep_set *eps = (struct ep_set *) es; int stat; if (outlen > eps->maxevents) { outlen = eps->maxevents; } stat = epoll_wait(eps->epfd, eps->events, outlen, tv_to_ms_timeout(tv)); ASSERT(stat <= outlen); if (stat > 0) { int i; const struct epoll_event *ev = eps->events; struct event_set_return *esr = out; for (i = 0; i < stat; ++i) { esr->rwflags = 0; if (ev->events & (EPOLLIN|EPOLLPRI|EPOLLERR|EPOLLHUP)) { esr->rwflags |= EVENT_READ; } if (ev->events & EPOLLOUT) { esr->rwflags |= EVENT_WRITE; } esr->arg = ev->data.ptr; dmsg(D_EVENT_WAIT, "EP_WAIT[%d] rwflags=0x%04x ev=0x%08x arg=" ptr_format, i, esr->rwflags, ev->events, (ptr_type)ev->data.ptr); ++ev; ++esr; } } return stat; } static struct event_set * ep_init(int *maxevents, unsigned int flags) { struct ep_set *eps; int fd; dmsg(D_EVENT_WAIT, "EP_INIT maxevents=%d flags=0x%08x", *maxevents, flags); /* open epoll file descriptor */ fd = epoll_create(*maxevents); if (fd < 0) { return NULL; } set_cloexec(fd); ALLOC_OBJ_CLEAR(eps, struct ep_set); /* set dispatch functions */ eps->func.free = ep_free; eps->func.reset = ep_reset; eps->func.del = ep_del; eps->func.ctl = ep_ctl; eps->func.wait = ep_wait; /* fast method ("sort of") corresponds to epoll one-shot */ if (flags & EVENT_METHOD_FAST) { eps->fast = true; } /* allocate space for epoll_wait return */ ASSERT(*maxevents > 0); eps->maxevents = *maxevents; ALLOC_ARRAY_CLEAR(eps->events, struct epoll_event, eps->maxevents); /* set epoll control fd */ eps->epfd = fd; return (struct event_set *) eps; } #endif /* EPOLL */ #if POLL struct po_set { struct event_set_functions func; bool fast; struct pollfd *events; void **args; int n_events; int capacity; }; static void po_free(struct event_set *es) { struct po_set *pos = (struct po_set *) es; free(pos->events); free(pos->args); free(pos); } static void po_reset(struct event_set *es) { struct po_set *pos = (struct po_set *) es; ASSERT(pos->fast); pos->n_events = 0; } static void po_del(struct event_set *es, event_t event) { struct po_set *pos = (struct po_set *) es; int i; dmsg(D_EVENT_WAIT, "PO_DEL ev=%d", (int)event); ASSERT(!pos->fast); for (i = 0; i < pos->n_events; ++i) { if (pos->events[i].fd == event) { int j; for (j = i; j < pos->n_events - 1; ++j) { pos->events[j] = pos->events[j+1]; pos->args[j] = pos->args[j+1]; } --pos->n_events; break; } } } static inline void po_set_pollfd_events(struct pollfd *pfdp, unsigned int rwflags) { pfdp->events = 0; if (rwflags & EVENT_WRITE) { pfdp->events |= POLLOUT; } if (rwflags & EVENT_READ) { pfdp->events |= (POLLIN|POLLPRI); } } static inline bool po_append_event(struct po_set *pos, event_t event, unsigned int rwflags, void *arg) { if (pos->n_events < pos->capacity) { struct pollfd *pfdp = &pos->events[pos->n_events]; pfdp->fd = event; pos->args[pos->n_events] = arg; po_set_pollfd_events(pfdp, rwflags); ++pos->n_events; return true; } else { return false; } } static void po_ctl(struct event_set *es, event_t event, unsigned int rwflags, void *arg) { struct po_set *pos = (struct po_set *) es; dmsg(D_EVENT_WAIT, "PO_CTL rwflags=0x%04x ev=%d arg=" ptr_format, rwflags, (int)event, (ptr_type)arg); if (pos->fast) { if (!po_append_event(pos, event, rwflags, arg)) { goto err; } } else { int i; for (i = 0; i < pos->n_events; ++i) { struct pollfd *pfdp = &pos->events[i]; if (pfdp->fd == event) { pos->args[i] = arg; po_set_pollfd_events(pfdp, rwflags); goto done; } } if (!po_append_event(pos, event, rwflags, arg)) { goto err; } } done: return; err: msg(D_EVENT_ERRORS, "Error: poll: too many I/O wait events"); } static int po_wait(struct event_set *es, const struct timeval *tv, struct event_set_return *out, int outlen) { struct po_set *pos = (struct po_set *) es; int stat; stat = poll(pos->events, pos->n_events, tv_to_ms_timeout(tv)); ASSERT(stat <= pos->n_events); if (stat > 0) { int i, j = 0; const struct pollfd *pfdp = pos->events; for (i = 0; i < pos->n_events && j < outlen; ++i) { if (pfdp->revents & (POLLIN|POLLPRI|POLLERR|POLLHUP|POLLOUT)) { out->rwflags = 0; if (pfdp->revents & (POLLIN|POLLPRI|POLLERR|POLLHUP)) { out->rwflags |= EVENT_READ; } if (pfdp->revents & POLLOUT) { out->rwflags |= EVENT_WRITE; } out->arg = pos->args[i]; dmsg(D_EVENT_WAIT, "PO_WAIT[%d,%d] fd=%d rev=0x%08x rwflags=0x%04x arg=" ptr_format " %s", i, j, pfdp->fd, pfdp->revents, out->rwflags, (ptr_type)out->arg, pos->fast ? "" : "[scalable]"); ++out; ++j; } else if (pfdp->revents) { msg(D_EVENT_ERRORS, "Error: poll: unknown revents=0x%04x", (unsigned int)pfdp->revents); } ++pfdp; } return j; } return stat; } static struct event_set * po_init(int *maxevents, unsigned int flags) { struct po_set *pos; dmsg(D_EVENT_WAIT, "PO_INIT maxevents=%d flags=0x%08x", *maxevents, flags); ALLOC_OBJ_CLEAR(pos, struct po_set); /* set dispatch functions */ pos->func.free = po_free; pos->func.reset = po_reset; pos->func.del = po_del; pos->func.ctl = po_ctl; pos->func.wait = po_wait; if (flags & EVENT_METHOD_FAST) { pos->fast = true; } pos->n_events = 0; /* Figure our event capacity */ ASSERT(*maxevents > 0); pos->capacity = *maxevents; /* Allocate space for pollfd structures to be passed to poll() */ ALLOC_ARRAY_CLEAR(pos->events, struct pollfd, pos->capacity); /* Allocate space for event_set_return objects */ ALLOC_ARRAY_CLEAR(pos->args, void *, pos->capacity); return (struct event_set *) pos; } #endif /* POLL */ #if SELECT struct se_set { struct event_set_functions func; bool fast; fd_set readfds; fd_set writefds; void **args; /* allocated to capacity size */ int maxfd; /* largest fd seen so far, always < capacity */ int capacity; /* fixed largest fd + 1 */ }; static void se_free(struct event_set *es) { struct se_set *ses = (struct se_set *) es; free(ses->args); free(ses); } static void se_reset(struct event_set *es) { struct se_set *ses = (struct se_set *) es; int i; ASSERT(ses->fast); dmsg(D_EVENT_WAIT, "SE_RESET"); FD_ZERO(&ses->readfds); FD_ZERO(&ses->writefds); for (i = 0; i <= ses->maxfd; ++i) { ses->args[i] = NULL; } ses->maxfd = -1; } static void se_del(struct event_set *es, event_t event) { struct se_set *ses = (struct se_set *) es; ASSERT(!ses->fast); dmsg(D_EVENT_WAIT, "SE_DEL ev=%d", (int)event); if (event >= 0 && event < ses->capacity) { FD_CLR(event, &ses->readfds); FD_CLR(event, &ses->writefds); ses->args[event] = NULL; } else { msg(D_EVENT_ERRORS, "Error: select/se_del: too many I/O wait events"); } return; } static void se_ctl(struct event_set *es, event_t event, unsigned int rwflags, void *arg) { struct se_set *ses = (struct se_set *) es; dmsg(D_EVENT_WAIT, "SE_CTL rwflags=0x%04x ev=%d fast=%d cap=%d maxfd=%d arg=" ptr_format, rwflags, (int)event, (int)ses->fast, ses->capacity, ses->maxfd, (ptr_type)arg); if (event >= 0 && event < ses->capacity) { ses->maxfd = max_int(event, ses->maxfd); ses->args[event] = arg; if (ses->fast) { if (rwflags & EVENT_READ) { openvpn_fd_set(event, &ses->readfds); } if (rwflags & EVENT_WRITE) { openvpn_fd_set(event, &ses->writefds); } } else { if (rwflags & EVENT_READ) { openvpn_fd_set(event, &ses->readfds); } else { FD_CLR(event, &ses->readfds); } if (rwflags & EVENT_WRITE) { openvpn_fd_set(event, &ses->writefds); } else { FD_CLR(event, &ses->writefds); } } } else { msg(D_EVENT_ERRORS, "Error: select: too many I/O wait events, fd=%d cap=%d", (int) event, ses->capacity); } } static int se_wait_return(struct se_set *ses, fd_set *read, fd_set *write, struct event_set_return *out, int outlen) { int i, j = 0; for (i = 0; i <= ses->maxfd && j < outlen; ++i) { const bool r = FD_ISSET(i, read); const bool w = FD_ISSET(i, write); if (r || w) { out->rwflags = 0; if (r) { out->rwflags |= EVENT_READ; } if (w) { out->rwflags |= EVENT_WRITE; } out->arg = ses->args[i]; dmsg(D_EVENT_WAIT, "SE_WAIT[%d,%d] rwflags=0x%04x arg=" ptr_format, i, j, out->rwflags, (ptr_type)out->arg); ++out; ++j; } } return j; } static int se_wait_fast(struct event_set *es, const struct timeval *tv, struct event_set_return *out, int outlen) { struct se_set *ses = (struct se_set *) es; struct timeval tv_tmp = *tv; int stat; dmsg(D_EVENT_WAIT, "SE_WAIT_FAST maxfd=%d tv=%d/%d", ses->maxfd, (int)tv_tmp.tv_sec, (int)tv_tmp.tv_usec); stat = select(ses->maxfd + 1, &ses->readfds, &ses->writefds, NULL, &tv_tmp); if (stat > 0) { stat = se_wait_return(ses, &ses->readfds, &ses->writefds, out, outlen); } return stat; } static int se_wait_scalable(struct event_set *es, const struct timeval *tv, struct event_set_return *out, int outlen) { struct se_set *ses = (struct se_set *) es; struct timeval tv_tmp = *tv; fd_set read = ses->readfds; fd_set write = ses->writefds; int stat; dmsg(D_EVENT_WAIT, "SE_WAIT_SCALEABLE maxfd=%d tv=%d/%d", ses->maxfd, (int)tv_tmp.tv_sec, (int)tv_tmp.tv_usec); stat = select(ses->maxfd + 1, &read, &write, NULL, &tv_tmp); if (stat > 0) { stat = se_wait_return(ses, &read, &write, out, outlen); } return stat; } static struct event_set * se_init(int *maxevents, unsigned int flags) { struct se_set *ses; dmsg(D_EVENT_WAIT, "SE_INIT maxevents=%d flags=0x%08x", *maxevents, flags); ALLOC_OBJ_CLEAR(ses, struct se_set); /* set dispatch functions */ ses->func.free = se_free; ses->func.reset = se_reset; ses->func.del = se_del; ses->func.ctl = se_ctl; ses->func.wait = se_wait_scalable; if (flags & EVENT_METHOD_FAST) { ses->fast = true; ses->func.wait = se_wait_fast; } /* Select needs to be passed this value + 1 */ ses->maxfd = -1; /* Set our event capacity */ ASSERT(*maxevents > 0); *maxevents = min_int(*maxevents, SELECT_MAX_FDS); ses->capacity = SELECT_MAX_FDS; /* Allocate space for event_set_return void * args */ ALLOC_ARRAY_CLEAR(ses->args, void *, ses->capacity); return (struct event_set *) ses; } #endif /* SELECT */ static struct event_set * event_set_init_simple(int *maxevents, unsigned int flags) { struct event_set *ret = NULL; #ifdef _WIN32 ret = we_init(maxevents, flags); #elif POLL && SELECT #if 0 /* Define to 1 if EVENT_METHOD_US_TIMEOUT should cause select to be favored over poll */ if (flags & EVENT_METHOD_US_TIMEOUT) { ret = se_init(maxevents, flags); } #endif #ifdef SELECT_PREFERRED_OVER_POLL if (!ret) { ret = se_init(maxevents, flags); } if (!ret) { ret = po_init(maxevents, flags); } #else /* ifdef SELECT_PREFERRED_OVER_POLL */ if (!ret) { ret = po_init(maxevents, flags); } if (!ret) { ret = se_init(maxevents, flags); } #endif #elif POLL ret = po_init(maxevents, flags); #elif SELECT ret = se_init(maxevents, flags); #else /* ifdef _WIN32 */ #error At least one of poll, select, or WSAWaitForMultipleEvents must be supported by the kernel #endif /* ifdef _WIN32 */ ASSERT(ret); return ret; } static struct event_set * event_set_init_scalable(int *maxevents, unsigned int flags) { struct event_set *ret = NULL; #if EPOLL ret = ep_init(maxevents, flags); if (!ret) { msg(M_WARN, "Note: sys_epoll API is unavailable, falling back to poll/select API"); ret = event_set_init_simple(maxevents, flags); } #else /* if EPOLL */ ret = event_set_init_simple(maxevents, flags); #endif ASSERT(ret); return ret; } struct event_set * event_set_init(int *maxevents, unsigned int flags) { if (flags & EVENT_METHOD_FAST) { return event_set_init_simple(maxevents, flags); } else { return event_set_init_scalable(maxevents, flags); } } openvpn-2.4.4/src/openvpn/event.h000066400000000000000000000073461316434344000167700ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifndef EVENT_H #define EVENT_H #include "win32.h" #include "sig.h" #include "perf.h" /* * rwflags passed to event_ctl and returned by * struct event_set_return. */ #define EVENT_UNDEF 4 #define EVENT_READ (1<<0) #define EVENT_WRITE (1<<1) /* * Initialization flags passed to event_set_init */ #define EVENT_METHOD_US_TIMEOUT (1<<0) #define EVENT_METHOD_FAST (1<<1) #ifdef _WIN32 typedef const struct rw_handle *event_t; #define UNDEFINED_EVENT (NULL) #else /* ifdef _WIN32 */ typedef int event_t; #define UNDEFINED_EVENT (-1) #endif struct event_set; struct event_set_return; struct event_set_functions { void (*free)(struct event_set *es); void (*reset)(struct event_set *es); void (*del)(struct event_set *es, event_t event); void (*ctl)(struct event_set *es, event_t event, unsigned int rwflags, void *arg); /* * Return status for wait: * -1 on signal or error * 0 on timeout * length of event_set_return if at least 1 event is returned */ int (*wait)(struct event_set *es, const struct timeval *tv, struct event_set_return *out, int outlen); }; struct event_set_return { unsigned int rwflags; void *arg; }; struct event_set { struct event_set_functions func; }; /* * maxevents on input: desired max number of event_t descriptors * simultaneously set with event_ctl * maxevents on output: may be modified down, depending on limitations * of underlying API * flags: EVENT_METHOD_x flags */ struct event_set *event_set_init(int *maxevents, unsigned int flags); static inline void event_free(struct event_set *es) { if (es) { (*es->func.free)(es); } } static inline void event_reset(struct event_set *es) { (*es->func.reset)(es); } static inline void event_del(struct event_set *es, event_t event) { (*es->func.del)(es, event); } static inline void event_ctl(struct event_set *es, event_t event, unsigned int rwflags, void *arg) { (*es->func.ctl)(es, event, rwflags, arg); } static inline int event_wait(struct event_set *es, const struct timeval *tv, struct event_set_return *out, int outlen) { int ret; perf_push(PERF_IO_WAIT); ret = (*es->func.wait)(es, tv, out, outlen); perf_pop(); return ret; } static inline void event_set_return_init(struct event_set_return *esr) { esr->rwflags = 0; esr->arg = NULL; } #ifdef _WIN32 static inline void wait_signal(struct event_set *es, void *arg) { if (HANDLE_DEFINED(win32_signal.in.read)) { event_ctl(es, &win32_signal.in, EVENT_READ, arg); } } #else /* ifdef _WIN32 */ static inline void wait_signal(struct event_set *es, void *arg) { } #endif #endif /* ifndef EVENT_H */ openvpn-2.4.4/src/openvpn/fdmisc.c000066400000000000000000000041211316434344000170730ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) #include "config-msvc.h" #endif #include "syshead.h" #include "fdmisc.h" #include "error.h" #include "memdbg.h" /* Set a file descriptor to non-blocking */ bool set_nonblock_action(int fd) { #ifdef _WIN32 u_long arg = 1; if (ioctlsocket(fd, FIONBIO, &arg)) { return false; } #else /* ifdef _WIN32 */ if (fcntl(fd, F_SETFL, O_NONBLOCK) < 0) { return false; } #endif return true; } /* Set a file descriptor to not be passed across execs */ bool set_cloexec_action(int fd) { #ifndef _WIN32 if (fcntl(fd, F_SETFD, FD_CLOEXEC) < 0) { return false; } #endif return true; } /* Set a file descriptor to non-blocking */ void set_nonblock(int fd) { if (!set_nonblock_action(fd)) { msg(M_ERR, "Set socket to non-blocking mode failed"); } } /* Set a file descriptor to not be passed across execs */ void set_cloexec(int fd) { if (!set_cloexec_action(fd)) { msg(M_ERR, "Set FD_CLOEXEC flag on file descriptor failed"); } } openvpn-2.4.4/src/openvpn/fdmisc.h000066400000000000000000000027761316434344000171160ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifndef FD_MISC_H #define FD_MISC_H #include "basic.h" #include "error.h" #include "syshead.h" bool set_nonblock_action(int fd); bool set_cloexec_action(int fd); void set_nonblock(int fd); void set_cloexec(int fd); static inline void openvpn_fd_set(int fd, fd_set *setp) { #ifndef _WIN32 /* The Windows FD_SET() implementation does not overflow */ ASSERT(fd >= 0 && fd < FD_SETSIZE); #endif FD_SET(fd, setp); } #undef FD_SET /* prevent direct use of FD_SET() */ #endif /* FD_MISC_H */ openvpn-2.4.4/src/openvpn/forward-inline.h000066400000000000000000000172011316434344000205560ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifndef FORWARD_INLINE_H #define FORWARD_INLINE_H /* * Inline functions */ /* * Does TLS session need service? */ static inline void check_tls(struct context *c) { #if defined(ENABLE_CRYPTO) void check_tls_dowork(struct context *c); if (c->c2.tls_multi) { check_tls_dowork(c); } #endif } /* * TLS errors are fatal in TCP mode. * Also check for --tls-exit trigger. */ static inline void check_tls_errors(struct context *c) { #if defined(ENABLE_CRYPTO) void check_tls_errors_co(struct context *c); void check_tls_errors_nco(struct context *c); if (c->c2.tls_multi && c->c2.tls_exit_signal) { if (link_socket_connection_oriented(c->c2.link_socket)) { if (c->c2.tls_multi->n_soft_errors) { check_tls_errors_co(c); } } else { if (c->c2.tls_multi->n_hard_errors) { check_tls_errors_nco(c); } } } #endif /* if defined(ENABLE_CRYPTO) */ } /* * Check for possible incoming configuration * messages on the control channel. */ static inline void check_incoming_control_channel(struct context *c) { #if P2MP void check_incoming_control_channel_dowork(struct context *c); if (tls_test_payload_len(c->c2.tls_multi) > 0) { check_incoming_control_channel_dowork(c); } #endif } /* * Options like --up-delay need to be triggered by this function which * checks for connection establishment. */ static inline void check_connection_established(struct context *c) { void check_connection_established_dowork(struct context *c); if (event_timeout_defined(&c->c2.wait_for_connect)) { check_connection_established_dowork(c); } } /* * Should we add routes? */ static inline void check_add_routes(struct context *c) { void check_add_routes_dowork(struct context *c); if (event_timeout_trigger(&c->c2.route_wakeup, &c->c2.timeval, ETT_DEFAULT)) { check_add_routes_dowork(c); } } /* * Should we exit due to inactivity timeout? */ static inline void check_inactivity_timeout(struct context *c) { void check_inactivity_timeout_dowork(struct context *c); if (c->options.inactivity_timeout && event_timeout_trigger(&c->c2.inactivity_interval, &c->c2.timeval, ETT_DEFAULT)) { check_inactivity_timeout_dowork(c); } } #if P2MP static inline void check_server_poll_timeout(struct context *c) { void check_server_poll_timeout_dowork(struct context *c); if (c->options.ce.connect_timeout && event_timeout_trigger(&c->c2.server_poll_interval, &c->c2.timeval, ETT_DEFAULT)) { check_server_poll_timeout_dowork(c); } } /* * Scheduled exit? */ static inline void check_scheduled_exit(struct context *c) { void check_scheduled_exit_dowork(struct context *c); if (event_timeout_defined(&c->c2.scheduled_exit)) { if (event_timeout_trigger(&c->c2.scheduled_exit, &c->c2.timeval, ETT_DEFAULT)) { check_scheduled_exit_dowork(c); } } } #endif /* if P2MP */ /* * Should we write timer-triggered status file. */ static inline void check_status_file(struct context *c) { void check_status_file_dowork(struct context *c); if (c->c1.status_output) { if (status_trigger_tv(c->c1.status_output, &c->c2.timeval)) { check_status_file_dowork(c); } } } #ifdef ENABLE_FRAGMENT /* * Should we deliver a datagram fragment to remote? */ static inline void check_fragment(struct context *c) { void check_fragment_dowork(struct context *c); if (c->c2.fragment) { check_fragment_dowork(c); } } #endif #if P2MP /* * see if we should send a push_request in response to --pull */ static inline void check_push_request(struct context *c) { void check_push_request_dowork(struct context *c); if (event_timeout_trigger(&c->c2.push_request_interval, &c->c2.timeval, ETT_DEFAULT)) { check_push_request_dowork(c); } } #endif #ifdef ENABLE_CRYPTO /* * Should we persist our anti-replay packet ID state to disk? */ static inline void check_packet_id_persist_flush(struct context *c) { if (packet_id_persist_enabled(&c->c1.pid_persist) && event_timeout_trigger(&c->c2.packet_id_persist_interval, &c->c2.timeval, ETT_DEFAULT)) { packet_id_persist_save(&c->c1.pid_persist); } } #endif /* * Set our wakeup to 0 seconds, so we will be rescheduled * immediately. */ static inline void context_immediate_reschedule(struct context *c) { c->c2.timeval.tv_sec = 0; /* ZERO-TIMEOUT */ c->c2.timeval.tv_usec = 0; } static inline void context_reschedule_sec(struct context *c, int sec) { if (sec < 0) { sec = 0; } if (sec < c->c2.timeval.tv_sec) { c->c2.timeval.tv_sec = sec; c->c2.timeval.tv_usec = 0; } } static inline struct link_socket_info * get_link_socket_info(struct context *c) { if (c->c2.link_socket_info) { return c->c2.link_socket_info; } else { return &c->c2.link_socket->info; } } static inline void register_activity(struct context *c, const int size) { if (c->options.inactivity_timeout) { c->c2.inactivity_bytes += size; if (c->c2.inactivity_bytes >= c->options.inactivity_minimum_bytes) { c->c2.inactivity_bytes = 0; event_timeout_reset(&c->c2.inactivity_interval); } } } /* * Return the io_wait() flags appropriate for * a point-to-point tunnel. */ static inline unsigned int p2p_iow_flags(const struct context *c) { unsigned int flags = (IOW_SHAPER|IOW_CHECK_RESIDUAL|IOW_FRAG|IOW_READ|IOW_WAIT_SIGNAL); if (c->c2.to_link.len > 0) { flags |= IOW_TO_LINK; } if (c->c2.to_tun.len > 0) { flags |= IOW_TO_TUN; } return flags; } /* * This is the core I/O wait function, used for all I/O waits except * for TCP in server mode. */ static inline void io_wait(struct context *c, const unsigned int flags) { void io_wait_dowork(struct context *c, const unsigned int flags); if (c->c2.fast_io && (flags & (IOW_TO_TUN|IOW_TO_LINK|IOW_MBUF))) { /* fast path -- only for TUN/TAP/UDP writes */ unsigned int ret = 0; if (flags & IOW_TO_TUN) { ret |= TUN_WRITE; } if (flags & (IOW_TO_LINK|IOW_MBUF)) { ret |= SOCKET_WRITE; } c->c2.event_set_status = ret; } else { /* slow path */ io_wait_dowork(c, flags); } } #define CONNECTION_ESTABLISHED(c) (get_link_socket_info(c)->connection_established) #endif /* EVENT_INLINE_H */ openvpn-2.4.4/src/openvpn/forward.c000066400000000000000000001433021316434344000172770ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) #include "config-msvc.h" #endif #include "syshead.h" #include "forward.h" #include "init.h" #include "push.h" #include "gremlin.h" #include "mss.h" #include "event.h" #include "ps.h" #include "dhcp.h" #include "common.h" #include "ssl_verify.h" #include "memdbg.h" #include "forward-inline.h" #include "occ-inline.h" #include "ping-inline.h" #include "mstats.h" counter_type link_read_bytes_global; /* GLOBAL */ counter_type link_write_bytes_global; /* GLOBAL */ /* show event wait debugging info */ #ifdef ENABLE_DEBUG const char * wait_status_string(struct context *c, struct gc_arena *gc) { struct buffer out = alloc_buf_gc(64, gc); buf_printf(&out, "I/O WAIT %s|%s|%s|%s %s", tun_stat(c->c1.tuntap, EVENT_READ, gc), tun_stat(c->c1.tuntap, EVENT_WRITE, gc), socket_stat(c->c2.link_socket, EVENT_READ, gc), socket_stat(c->c2.link_socket, EVENT_WRITE, gc), tv_string(&c->c2.timeval, gc)); return BSTR(&out); } void show_wait_status(struct context *c) { struct gc_arena gc = gc_new(); dmsg(D_EVENT_WAIT, "%s", wait_status_string(c, &gc)); gc_free(&gc); } #endif /* ifdef ENABLE_DEBUG */ /* * In TLS mode, let TLS level respond to any control-channel * packets which were received, or prepare any packets for * transmission. * * tmp_int is purely an optimization that allows us to call * tls_multi_process less frequently when there's not much * traffic on the control-channel. * */ #ifdef ENABLE_CRYPTO void check_tls_dowork(struct context *c) { interval_t wakeup = BIG_TIMEOUT; if (interval_test(&c->c2.tmp_int)) { const int tmp_status = tls_multi_process (c->c2.tls_multi, &c->c2.to_link, &c->c2.to_link_addr, get_link_socket_info(c), &wakeup); if (tmp_status == TLSMP_ACTIVE) { update_time(); interval_action(&c->c2.tmp_int); } else if (tmp_status == TLSMP_KILL) { register_signal(c, SIGTERM, "auth-control-exit"); } interval_future_trigger(&c->c2.tmp_int, wakeup); } interval_schedule_wakeup(&c->c2.tmp_int, &wakeup); if (wakeup) { context_reschedule_sec(c, wakeup); } } void check_tls_errors_co(struct context *c) { msg(D_STREAM_ERRORS, "Fatal TLS error (check_tls_errors_co), restarting"); register_signal(c, c->c2.tls_exit_signal, "tls-error"); /* SOFT-SIGUSR1 -- TLS error */ } void check_tls_errors_nco(struct context *c) { register_signal(c, c->c2.tls_exit_signal, "tls-error"); /* SOFT-SIGUSR1 -- TLS error */ } #endif /* ENABLE_CRYPTO */ #if P2MP /* * Handle incoming configuration * messages on the control channel. */ void check_incoming_control_channel_dowork(struct context *c) { const int len = tls_test_payload_len(c->c2.tls_multi); if (len) { struct gc_arena gc = gc_new(); struct buffer buf = alloc_buf_gc(len, &gc); if (tls_rec_payload(c->c2.tls_multi, &buf)) { /* force null termination of message */ buf_null_terminate(&buf); /* enforce character class restrictions */ string_mod(BSTR(&buf), CC_PRINT, CC_CRLF, 0); if (buf_string_match_head_str(&buf, "AUTH_FAILED")) { receive_auth_failed(c, &buf); } else if (buf_string_match_head_str(&buf, "PUSH_")) { incoming_push_message(c, &buf); } else if (buf_string_match_head_str(&buf, "RESTART")) { server_pushed_signal(c, &buf, true, 7); } else if (buf_string_match_head_str(&buf, "HALT")) { server_pushed_signal(c, &buf, false, 4); } else { msg(D_PUSH_ERRORS, "WARNING: Received unknown control message: %s", BSTR(&buf)); } } else { msg(D_PUSH_ERRORS, "WARNING: Receive control message failed"); } gc_free(&gc); } } /* * Periodically resend PUSH_REQUEST until PUSH message received */ void check_push_request_dowork(struct context *c) { send_push_request(c); /* if no response to first push_request, retry at PUSH_REQUEST_INTERVAL second intervals */ event_timeout_modify_wakeup(&c->c2.push_request_interval, PUSH_REQUEST_INTERVAL); } #endif /* P2MP */ /* * Things that need to happen immediately after connection initiation should go here. */ void check_connection_established_dowork(struct context *c) { if (event_timeout_trigger(&c->c2.wait_for_connect, &c->c2.timeval, ETT_DEFAULT)) { if (CONNECTION_ESTABLISHED(c)) { #if P2MP /* if --pull was specified, send a push request to server */ if (c->c2.tls_multi && c->options.pull) { #ifdef ENABLE_MANAGEMENT if (management) { management_set_state(management, OPENVPN_STATE_GET_CONFIG, NULL, NULL, NULL, NULL, NULL); } #endif /* fire up push request right away (already 1s delayed) */ event_timeout_init(&c->c2.push_request_interval, 0, now); reset_coarse_timers(c); } else #endif /* if P2MP */ { do_up(c, false, 0); } event_timeout_clear(&c->c2.wait_for_connect); } } } /* * Send a string to remote over the TLS control channel. * Used for push/pull messages, passing username/password, * etc. */ bool send_control_channel_string(struct context *c, const char *str, int msglevel) { #ifdef ENABLE_CRYPTO if (c->c2.tls_multi) { struct gc_arena gc = gc_new(); bool stat; /* buffered cleartext write onto TLS control channel */ stat = tls_send_payload(c->c2.tls_multi, (uint8_t *) str, strlen(str) + 1); /* * Reschedule tls_multi_process. * NOTE: in multi-client mode, usually the below two statements are * insufficient to reschedule the client instance object unless * multi_schedule_context_wakeup(m, mi) is also called. */ interval_action(&c->c2.tmp_int); context_immediate_reschedule(c); /* ZERO-TIMEOUT */ msg(msglevel, "SENT CONTROL [%s]: '%s' (status=%d)", tls_common_name(c->c2.tls_multi, false), sanitize_control_message(str, &gc), (int) stat); gc_free(&gc); return stat; } #endif /* ENABLE_CRYPTO */ return true; } /* * Add routes. */ static void check_add_routes_action(struct context *c, const bool errors) { do_route(&c->options, c->c1.route_list, c->c1.route_ipv6_list, c->c1.tuntap, c->plugins, c->c2.es); update_time(); event_timeout_clear(&c->c2.route_wakeup); event_timeout_clear(&c->c2.route_wakeup_expire); initialization_sequence_completed(c, errors ? ISC_ERRORS : 0); /* client/p2p --route-delay was defined */ } void check_add_routes_dowork(struct context *c) { if (test_routes(c->c1.route_list, c->c1.tuntap)) { check_add_routes_action(c, false); } else if (event_timeout_trigger(&c->c2.route_wakeup_expire, &c->c2.timeval, ETT_DEFAULT)) { check_add_routes_action(c, true); } else { msg(D_ROUTE, "Route: Waiting for TUN/TAP interface to come up..."); if (c->c1.tuntap) { if (!tun_standby(c->c1.tuntap)) { register_signal(c, SIGHUP, "ip-fail"); c->persist.restart_sleep_seconds = 10; #ifdef _WIN32 show_routes(M_INFO|M_NOPREFIX); show_adapters(M_INFO|M_NOPREFIX); #endif } } update_time(); if (c->c2.route_wakeup.n != 1) { event_timeout_init(&c->c2.route_wakeup, 1, now); } event_timeout_reset(&c->c2.ping_rec_interval); } } /* * Should we exit due to inactivity timeout? */ void check_inactivity_timeout_dowork(struct context *c) { msg(M_INFO, "Inactivity timeout (--inactive), exiting"); register_signal(c, SIGTERM, "inactive"); } int get_server_poll_remaining_time(struct event_timeout *server_poll_timeout) { update_time(); int remaining = event_timeout_remaining(server_poll_timeout); return max_int(0, remaining); } #if P2MP void check_server_poll_timeout_dowork(struct context *c) { event_timeout_reset(&c->c2.server_poll_interval); ASSERT(c->c2.tls_multi); if (!tls_initial_packet_received(c->c2.tls_multi)) { msg(M_INFO, "Server poll timeout, restarting"); register_signal(c, SIGUSR1, "server_poll"); c->persist.restart_sleep_seconds = -1; } } /* * Schedule a signal n_seconds from now. */ void schedule_exit(struct context *c, const int n_seconds, const int signal) { tls_set_single_session(c->c2.tls_multi); update_time(); reset_coarse_timers(c); event_timeout_init(&c->c2.scheduled_exit, n_seconds, now); c->c2.scheduled_exit_signal = signal; msg(D_SCHED_EXIT, "Delayed exit in %d seconds", n_seconds); } /* * Scheduled exit? */ void check_scheduled_exit_dowork(struct context *c) { register_signal(c, c->c2.scheduled_exit_signal, "delayed-exit"); } #endif /* if P2MP */ /* * Should we write timer-triggered status file. */ void check_status_file_dowork(struct context *c) { if (c->c1.status_output) { print_status(c, c->c1.status_output); } } #ifdef ENABLE_FRAGMENT /* * Should we deliver a datagram fragment to remote? */ void check_fragment_dowork(struct context *c) { struct link_socket_info *lsi = get_link_socket_info(c); /* OS MTU Hint? */ if (lsi->mtu_changed) { frame_adjust_path_mtu(&c->c2.frame_fragment, c->c2.link_socket->mtu, c->options.ce.proto); lsi->mtu_changed = false; } if (fragment_outgoing_defined(c->c2.fragment)) { if (!c->c2.to_link.len) { /* encrypt a fragment for output to TCP/UDP port */ ASSERT(fragment_ready_to_send(c->c2.fragment, &c->c2.buf, &c->c2.frame_fragment)); encrypt_sign(c, false); } } fragment_housekeeping(c->c2.fragment, &c->c2.frame_fragment, &c->c2.timeval); } #endif /* ifdef ENABLE_FRAGMENT */ /* * Buffer reallocation, for use with null encryption. */ static inline void buffer_turnover(const uint8_t *orig_buf, struct buffer *dest_stub, struct buffer *src_stub, struct buffer *storage) { if (orig_buf == src_stub->data && src_stub->data != storage->data) { buf_assign(storage, src_stub); *dest_stub = *storage; } else { *dest_stub = *src_stub; } } /* * Compress, fragment, encrypt and HMAC-sign an outgoing packet. * Input: c->c2.buf * Output: c->c2.to_link */ void encrypt_sign(struct context *c, bool comp_frag) { struct context_buffers *b = c->c2.buffers; const uint8_t *orig_buf = c->c2.buf.data; struct crypto_options *co = NULL; #if P2MP_SERVER /* * Drop non-TLS outgoing packet if client-connect script/plugin * has not yet succeeded. */ if (c->c2.context_auth != CAS_SUCCEEDED) { c->c2.buf.len = 0; } #endif if (comp_frag) { #ifdef USE_COMP /* Compress the packet. */ if (c->c2.comp_context) { (*c->c2.comp_context->alg.compress)(&c->c2.buf, b->compress_buf, c->c2.comp_context, &c->c2.frame); } #endif #ifdef ENABLE_FRAGMENT if (c->c2.fragment) { fragment_outgoing(c->c2.fragment, &c->c2.buf, &c->c2.frame_fragment); } #endif } #ifdef ENABLE_CRYPTO /* initialize work buffer with FRAME_HEADROOM bytes of prepend capacity */ ASSERT(buf_init(&b->encrypt_buf, FRAME_HEADROOM(&c->c2.frame))); if (c->c2.tls_multi) { /* Get the key we will use to encrypt the packet. */ tls_pre_encrypt(c->c2.tls_multi, &c->c2.buf, &co); /* If using P_DATA_V2, prepend the 1-byte opcode and 3-byte peer-id to the * packet before openvpn_encrypt(), so we can authenticate the opcode too. */ if (c->c2.buf.len > 0 && !c->c2.tls_multi->opt.server && c->c2.tls_multi->use_peer_id) { tls_prepend_opcode_v2(c->c2.tls_multi, &b->encrypt_buf); } } else { co = &c->c2.crypto_options; } /* Encrypt and authenticate the packet */ openvpn_encrypt(&c->c2.buf, b->encrypt_buf, co); /* Do packet administration */ if (c->c2.tls_multi) { if (c->c2.buf.len > 0 && (c->c2.tls_multi->opt.server || !c->c2.tls_multi->use_peer_id)) { tls_prepend_opcode_v1(c->c2.tls_multi, &c->c2.buf); } tls_post_encrypt(c->c2.tls_multi, &c->c2.buf); } #endif /* ifdef ENABLE_CRYPTO */ /* * Get the address we will be sending the packet to. */ link_socket_get_outgoing_addr(&c->c2.buf, get_link_socket_info(c), &c->c2.to_link_addr); /* if null encryption, copy result to read_tun_buf */ buffer_turnover(orig_buf, &c->c2.to_link, &c->c2.buf, &b->read_tun_buf); } /* * Coarse timers work to 1 second resolution. */ static void process_coarse_timers(struct context *c) { #ifdef ENABLE_CRYPTO /* flush current packet-id to file once per 60 * seconds if --replay-persist was specified */ check_packet_id_persist_flush(c); #endif /* should we update status file? */ check_status_file(c); /* process connection establishment items */ check_connection_established(c); #if P2MP /* see if we should send a push_request in response to --pull */ check_push_request(c); #endif #ifdef PLUGIN_PF pf_check_reload(c); #endif /* process --route options */ check_add_routes(c); /* possibly exit due to --inactive */ check_inactivity_timeout(c); if (c->sig->signal_received) { return; } /* restart if ping not received */ check_ping_restart(c); if (c->sig->signal_received) { return; } #if P2MP if (c->c2.tls_multi) { check_server_poll_timeout(c); if (c->sig->signal_received) { return; } check_scheduled_exit(c); if (c->sig->signal_received) { return; } } #endif #ifdef ENABLE_OCC /* Should we send an OCC_REQUEST message? */ check_send_occ_req(c); /* Should we send an MTU load test? */ check_send_occ_load_test(c); /* Should we send an OCC_EXIT message to remote? */ if (c->c2.explicit_exit_notification_time_wait) { process_explicit_exit_notification_timer_wakeup(c); } #endif /* Should we ping the remote? */ check_ping_send(c); } static void check_coarse_timers_dowork(struct context *c) { const struct timeval save = c->c2.timeval; c->c2.timeval.tv_sec = BIG_TIMEOUT; c->c2.timeval.tv_usec = 0; process_coarse_timers(c); c->c2.coarse_timer_wakeup = now + c->c2.timeval.tv_sec; dmsg(D_INTERVAL, "TIMER: coarse timer wakeup %d seconds", (int) c->c2.timeval.tv_sec); /* Is the coarse timeout NOT the earliest one? */ if (c->c2.timeval.tv_sec > save.tv_sec) { c->c2.timeval = save; } } static inline void check_coarse_timers(struct context *c) { const time_t local_now = now; if (local_now >= c->c2.coarse_timer_wakeup) { check_coarse_timers_dowork(c); } else { context_reschedule_sec(c, c->c2.coarse_timer_wakeup - local_now); } } static void check_timeout_random_component_dowork(struct context *c) { const int update_interval = 10; /* seconds */ c->c2.update_timeout_random_component = now + update_interval; c->c2.timeout_random_component.tv_usec = (time_t) get_random() & 0x0003FFFF; c->c2.timeout_random_component.tv_sec = 0; dmsg(D_INTERVAL, "RANDOM USEC=%d", (int) c->c2.timeout_random_component.tv_usec); } static inline void check_timeout_random_component(struct context *c) { if (now >= c->c2.update_timeout_random_component) { check_timeout_random_component_dowork(c); } if (c->c2.timeval.tv_sec >= 1) { tv_add(&c->c2.timeval, &c->c2.timeout_random_component); } } /* * Handle addition and removal of the 10-byte Socks5 header * in UDP packets. */ static inline void socks_postprocess_incoming_link(struct context *c) { if (c->c2.link_socket->socks_proxy && c->c2.link_socket->info.proto == PROTO_UDP) { socks_process_incoming_udp(&c->c2.buf, &c->c2.from); } } static inline void socks_preprocess_outgoing_link(struct context *c, struct link_socket_actual **to_addr, int *size_delta) { if (c->c2.link_socket->socks_proxy && c->c2.link_socket->info.proto == PROTO_UDP) { *size_delta += socks_process_outgoing_udp(&c->c2.to_link, c->c2.to_link_addr); *to_addr = &c->c2.link_socket->socks_relay; } } /* undo effect of socks_preprocess_outgoing_link */ static inline void link_socket_write_post_size_adjust(int *size, int size_delta, struct buffer *buf) { if (size_delta > 0 && *size > size_delta) { *size -= size_delta; if (!buf_advance(buf, size_delta)) { *size = 0; } } } /* * Output: c->c2.buf */ void read_incoming_link(struct context *c) { /* * Set up for recvfrom call to read datagram * sent to our TCP/UDP port. */ int status; /*ASSERT (!c->c2.to_tun.len);*/ perf_push(PERF_READ_IN_LINK); c->c2.buf = c->c2.buffers->read_link_buf; ASSERT(buf_init(&c->c2.buf, FRAME_HEADROOM_ADJ(&c->c2.frame, FRAME_HEADROOM_MARKER_READ_LINK))); status = link_socket_read(c->c2.link_socket, &c->c2.buf, &c->c2.from); if (socket_connection_reset(c->c2.link_socket, status)) { #if PORT_SHARE if (port_share && socket_foreign_protocol_detected(c->c2.link_socket)) { const struct buffer *fbuf = socket_foreign_protocol_head(c->c2.link_socket); const int sd = socket_foreign_protocol_sd(c->c2.link_socket); port_share_redirect(port_share, fbuf, sd); register_signal(c, SIGTERM, "port-share-redirect"); } else #endif { /* received a disconnect from a connection-oriented protocol */ if (c->options.inetd) { register_signal(c, SIGTERM, "connection-reset-inetd"); msg(D_STREAM_ERRORS, "Connection reset, inetd/xinetd exit [%d]", status); } else { #ifdef ENABLE_OCC if (event_timeout_defined(&c->c2.explicit_exit_notification_interval)) { msg(D_STREAM_ERRORS, "Connection reset during exit notification period, ignoring [%d]", status); management_sleep(1); } else #endif { register_signal(c, SIGUSR1, "connection-reset"); /* SOFT-SIGUSR1 -- TCP connection reset */ msg(D_STREAM_ERRORS, "Connection reset, restarting [%d]", status); } } } perf_pop(); return; } /* check recvfrom status */ check_status(status, "read", c->c2.link_socket, NULL); /* Remove socks header if applicable */ socks_postprocess_incoming_link(c); perf_pop(); } bool process_incoming_link_part1(struct context *c, struct link_socket_info *lsi, bool floated) { struct gc_arena gc = gc_new(); bool decrypt_status = false; if (c->c2.buf.len > 0) { c->c2.link_read_bytes += c->c2.buf.len; link_read_bytes_global += c->c2.buf.len; #ifdef ENABLE_MEMSTATS if (mmap_stats) { mmap_stats->link_read_bytes = link_read_bytes_global; } #endif c->c2.original_recv_size = c->c2.buf.len; #ifdef ENABLE_MANAGEMENT if (management) { management_bytes_in(management, c->c2.buf.len); #ifdef MANAGEMENT_DEF_AUTH management_bytes_server(management, &c->c2.link_read_bytes, &c->c2.link_write_bytes, &c->c2.mda_context); #endif } #endif } else { c->c2.original_recv_size = 0; } #ifdef ENABLE_DEBUG /* take action to corrupt packet if we are in gremlin test mode */ if (c->options.gremlin) { if (!ask_gremlin(c->options.gremlin)) { c->c2.buf.len = 0; } corrupt_gremlin(&c->c2.buf, c->options.gremlin); } #endif /* log incoming packet */ #ifdef LOG_RW if (c->c2.log_rw && c->c2.buf.len > 0) { fprintf(stderr, "R"); } #endif msg(D_LINK_RW, "%s READ [%d] from %s: %s", proto2ascii(lsi->proto, lsi->af, true), BLEN(&c->c2.buf), print_link_socket_actual(&c->c2.from, &gc), PROTO_DUMP(&c->c2.buf, &gc)); /* * Good, non-zero length packet received. * Commence multi-stage processing of packet, * such as authenticate, decrypt, decompress. * If any stage fails, it sets buf.len to 0 or -1, * telling downstream stages to ignore the packet. */ if (c->c2.buf.len > 0) { struct crypto_options *co = NULL; const uint8_t *ad_start = NULL; if (!link_socket_verify_incoming_addr(&c->c2.buf, lsi, &c->c2.from)) { link_socket_bad_incoming_addr(&c->c2.buf, lsi, &c->c2.from); } #ifdef ENABLE_CRYPTO if (c->c2.tls_multi) { /* * If tls_pre_decrypt returns true, it means the incoming * packet was a good TLS control channel packet. If so, TLS code * will deal with the packet and set buf.len to 0 so downstream * stages ignore it. * * If the packet is a data channel packet, tls_pre_decrypt * will load crypto_options with the correct encryption key * and return false. */ uint8_t opcode = *BPTR(&c->c2.buf) >> P_OPCODE_SHIFT; if (tls_pre_decrypt(c->c2.tls_multi, &c->c2.from, &c->c2.buf, &co, floated, &ad_start)) { /* Restore pre-NCP frame parameters */ if (is_hard_reset(opcode, c->options.key_method)) { c->c2.frame = c->c2.frame_initial; } interval_action(&c->c2.tmp_int); /* reset packet received timer if TLS packet */ if (c->options.ping_rec_timeout) { event_timeout_reset(&c->c2.ping_rec_interval); } } } else { co = &c->c2.crypto_options; } #if P2MP_SERVER /* * Drop non-TLS packet if client-connect script/plugin has not * yet succeeded. */ if (c->c2.context_auth != CAS_SUCCEEDED) { c->c2.buf.len = 0; } #endif /* authenticate and decrypt the incoming packet */ decrypt_status = openvpn_decrypt(&c->c2.buf, c->c2.buffers->decrypt_buf, co, &c->c2.frame, ad_start); if (!decrypt_status && link_socket_connection_oriented(c->c2.link_socket)) { /* decryption errors are fatal in TCP mode */ register_signal(c, SIGUSR1, "decryption-error"); /* SOFT-SIGUSR1 -- decryption error in TCP mode */ msg(D_STREAM_ERRORS, "Fatal decryption error (process_incoming_link), restarting"); } #else /* ENABLE_CRYPTO */ decrypt_status = true; #endif /* ENABLE_CRYPTO */ } else { buf_reset(&c->c2.to_tun); } gc_free(&gc); return decrypt_status; } void process_incoming_link_part2(struct context *c, struct link_socket_info *lsi, const uint8_t *orig_buf) { if (c->c2.buf.len > 0) { #ifdef ENABLE_FRAGMENT if (c->c2.fragment) { fragment_incoming(c->c2.fragment, &c->c2.buf, &c->c2.frame_fragment); } #endif #ifdef USE_COMP /* decompress the incoming packet */ if (c->c2.comp_context) { (*c->c2.comp_context->alg.decompress)(&c->c2.buf, c->c2.buffers->decompress_buf, c->c2.comp_context, &c->c2.frame); } #endif #ifdef PACKET_TRUNCATION_CHECK /* if (c->c2.buf.len > 1) --c->c2.buf.len; */ ipv4_packet_size_verify(BPTR(&c->c2.buf), BLEN(&c->c2.buf), TUNNEL_TYPE(c->c1.tuntap), "POST_DECRYPT", &c->c2.n_trunc_post_decrypt); #endif /* * Set our "official" outgoing address, since * if buf.len is non-zero, we know the packet * authenticated. In TLS mode we do nothing * because TLS mode takes care of source address * authentication. * * Also, update the persisted version of our packet-id. */ if (!TLS_MODE(c)) { link_socket_set_outgoing_addr(&c->c2.buf, lsi, &c->c2.from, NULL, c->c2.es); } /* reset packet received timer */ if (c->options.ping_rec_timeout && c->c2.buf.len > 0) { event_timeout_reset(&c->c2.ping_rec_interval); } /* increment authenticated receive byte count */ if (c->c2.buf.len > 0) { c->c2.link_read_bytes_auth += c->c2.buf.len; c->c2.max_recv_size_local = max_int(c->c2.original_recv_size, c->c2.max_recv_size_local); } /* Did we just receive an openvpn ping packet? */ if (is_ping_msg(&c->c2.buf)) { dmsg(D_PING, "RECEIVED PING PACKET"); c->c2.buf.len = 0; /* drop packet */ } #ifdef ENABLE_OCC /* Did we just receive an OCC packet? */ if (is_occ_msg(&c->c2.buf)) { process_received_occ_msg(c); } #endif buffer_turnover(orig_buf, &c->c2.to_tun, &c->c2.buf, &c->c2.buffers->read_link_buf); /* to_tun defined + unopened tuntap can cause deadlock */ if (!tuntap_defined(c->c1.tuntap)) { c->c2.to_tun.len = 0; } } else { buf_reset(&c->c2.to_tun); } } static void process_incoming_link(struct context *c) { perf_push(PERF_PROC_IN_LINK); struct link_socket_info *lsi = get_link_socket_info(c); const uint8_t *orig_buf = c->c2.buf.data; process_incoming_link_part1(c, lsi, false); process_incoming_link_part2(c, lsi, orig_buf); perf_pop(); } /* * Output: c->c2.buf */ void read_incoming_tun(struct context *c) { /* * Setup for read() call on TUN/TAP device. */ /*ASSERT (!c->c2.to_link.len);*/ perf_push(PERF_READ_IN_TUN); c->c2.buf = c->c2.buffers->read_tun_buf; #ifdef TUN_PASS_BUFFER read_tun_buffered(c->c1.tuntap, &c->c2.buf, MAX_RW_SIZE_TUN(&c->c2.frame)); #else ASSERT(buf_init(&c->c2.buf, FRAME_HEADROOM(&c->c2.frame))); ASSERT(buf_safe(&c->c2.buf, MAX_RW_SIZE_TUN(&c->c2.frame))); c->c2.buf.len = read_tun(c->c1.tuntap, BPTR(&c->c2.buf), MAX_RW_SIZE_TUN(&c->c2.frame)); #endif #ifdef PACKET_TRUNCATION_CHECK ipv4_packet_size_verify(BPTR(&c->c2.buf), BLEN(&c->c2.buf), TUNNEL_TYPE(c->c1.tuntap), "READ_TUN", &c->c2.n_trunc_tun_read); #endif /* Was TUN/TAP interface stopped? */ if (tuntap_stop(c->c2.buf.len)) { register_signal(c, SIGTERM, "tun-stop"); msg(M_INFO, "TUN/TAP interface has been stopped, exiting"); perf_pop(); return; } /* Was TUN/TAP I/O operation aborted? */ if (tuntap_abort(c->c2.buf.len)) { register_signal(c, SIGHUP, "tun-abort"); c->persist.restart_sleep_seconds = 10; msg(M_INFO, "TUN/TAP I/O operation aborted, restarting"); perf_pop(); return; } /* Check the status return from read() */ check_status(c->c2.buf.len, "read from TUN/TAP", NULL, c->c1.tuntap); perf_pop(); } /** * Drops UDP packets which OS decided to route via tun. * * On Windows and OS X when netwotk adapter is disabled or * disconnected, platform starts to use tun as external interface. * When packet is sent to tun, it comes to openvpn, encapsulated * and sent to routing table, which sends it again to tun. */ static void drop_if_recursive_routing(struct context *c, struct buffer *buf) { bool drop = false; struct openvpn_sockaddr tun_sa; int ip_hdr_offset = 0; if (c->c2.to_link_addr == NULL) /* no remote addr known */ { return; } tun_sa = c->c2.to_link_addr->dest; int proto_ver = get_tun_ip_ver(TUNNEL_TYPE(c->c1.tuntap), &c->c2.buf, &ip_hdr_offset); if (proto_ver == 4) { const struct openvpn_iphdr *pip; /* make sure we got whole IP header */ if (BLEN(buf) < ((int) sizeof(struct openvpn_iphdr) + ip_hdr_offset)) { return; } /* skip ipv4 packets for ipv6 tun */ if (tun_sa.addr.sa.sa_family != AF_INET) { return; } pip = (struct openvpn_iphdr *) (BPTR(buf) + ip_hdr_offset); /* drop packets with same dest addr as gateway */ if (tun_sa.addr.in4.sin_addr.s_addr == pip->daddr) { drop = true; } } else if (proto_ver == 6) { const struct openvpn_ipv6hdr *pip6; /* make sure we got whole IPv6 header */ if (BLEN(buf) < ((int) sizeof(struct openvpn_ipv6hdr) + ip_hdr_offset)) { return; } /* skip ipv6 packets for ipv4 tun */ if (tun_sa.addr.sa.sa_family != AF_INET6) { return; } /* drop packets with same dest addr as gateway */ pip6 = (struct openvpn_ipv6hdr *) (BPTR(buf) + ip_hdr_offset); if (IN6_ARE_ADDR_EQUAL(&tun_sa.addr.in6.sin6_addr, &pip6->daddr)) { drop = true; } } if (drop) { struct gc_arena gc = gc_new(); c->c2.buf.len = 0; msg(D_LOW, "Recursive routing detected, drop tun packet to %s", print_link_socket_actual(c->c2.to_link_addr, &gc)); gc_free(&gc); } } /* * Input: c->c2.buf * Output: c->c2.to_link */ void process_incoming_tun(struct context *c) { struct gc_arena gc = gc_new(); perf_push(PERF_PROC_IN_TUN); if (c->c2.buf.len > 0) { c->c2.tun_read_bytes += c->c2.buf.len; } #ifdef LOG_RW if (c->c2.log_rw && c->c2.buf.len > 0) { fprintf(stderr, "r"); } #endif /* Show packet content */ dmsg(D_TUN_RW, "TUN READ [%d]", BLEN(&c->c2.buf)); if (c->c2.buf.len > 0) { if ((c->options.mode == MODE_POINT_TO_POINT) && (!c->options.allow_recursive_routing)) { drop_if_recursive_routing(c, &c->c2.buf); } /* * The --passtos and --mssfix options require * us to examine the IP header (IPv4 or IPv6). */ process_ip_header(c, PIPV4_PASSTOS|PIP_MSSFIX|PIPV4_CLIENT_NAT, &c->c2.buf); #ifdef PACKET_TRUNCATION_CHECK /* if (c->c2.buf.len > 1) --c->c2.buf.len; */ ipv4_packet_size_verify(BPTR(&c->c2.buf), BLEN(&c->c2.buf), TUNNEL_TYPE(c->c1.tuntap), "PRE_ENCRYPT", &c->c2.n_trunc_pre_encrypt); #endif encrypt_sign(c, true); } else { buf_reset(&c->c2.to_link); } perf_pop(); gc_free(&gc); } void process_ip_header(struct context *c, unsigned int flags, struct buffer *buf) { if (!c->options.ce.mssfix) { flags &= ~PIP_MSSFIX; } #if PASSTOS_CAPABILITY if (!c->options.passtos) { flags &= ~PIPV4_PASSTOS; } #endif if (!c->options.client_nat) { flags &= ~PIPV4_CLIENT_NAT; } if (!c->options.route_gateway_via_dhcp) { flags &= ~PIPV4_EXTRACT_DHCP_ROUTER; } if (buf->len > 0) { /* * The --passtos and --mssfix options require * us to examine the IPv4 header. */ if (flags & (PIP_MSSFIX #if PASSTOS_CAPABILITY | PIPV4_PASSTOS #endif | PIPV4_CLIENT_NAT )) { struct buffer ipbuf = *buf; if (is_ipv4(TUNNEL_TYPE(c->c1.tuntap), &ipbuf)) { #if PASSTOS_CAPABILITY /* extract TOS from IP header */ if (flags & PIPV4_PASSTOS) { link_socket_extract_tos(c->c2.link_socket, &ipbuf); } #endif /* possibly alter the TCP MSS */ if (flags & PIP_MSSFIX) { mss_fixup_ipv4(&ipbuf, MTU_TO_MSS(TUN_MTU_SIZE_DYNAMIC(&c->c2.frame))); } /* possibly do NAT on packet */ if ((flags & PIPV4_CLIENT_NAT) && c->options.client_nat) { const int direction = (flags & PIPV4_OUTGOING) ? CN_INCOMING : CN_OUTGOING; client_nat_transform(c->options.client_nat, &ipbuf, direction); } /* possibly extract a DHCP router message */ if (flags & PIPV4_EXTRACT_DHCP_ROUTER) { const in_addr_t dhcp_router = dhcp_extract_router_msg(&ipbuf); if (dhcp_router) { route_list_add_vpn_gateway(c->c1.route_list, c->c2.es, dhcp_router); } } } else if (is_ipv6(TUNNEL_TYPE(c->c1.tuntap), &ipbuf)) { /* possibly alter the TCP MSS */ if (flags & PIP_MSSFIX) { mss_fixup_ipv6(&ipbuf, MTU_TO_MSS(TUN_MTU_SIZE_DYNAMIC(&c->c2.frame))); } } } } } /* * Input: c->c2.to_link */ void process_outgoing_link(struct context *c) { struct gc_arena gc = gc_new(); int error_code = 0; perf_push(PERF_PROC_OUT_LINK); if (c->c2.to_link.len > 0 && c->c2.to_link.len <= EXPANDED_SIZE(&c->c2.frame)) { /* * Setup for call to send/sendto which will send * packet to remote over the TCP/UDP port. */ int size = 0; ASSERT(link_socket_actual_defined(c->c2.to_link_addr)); #ifdef ENABLE_DEBUG /* In gremlin-test mode, we may choose to drop this packet */ if (!c->options.gremlin || ask_gremlin(c->options.gremlin)) #endif { /* * Let the traffic shaper know how many bytes * we wrote. */ #ifdef ENABLE_FEATURE_SHAPER if (c->options.shaper) { shaper_wrote_bytes(&c->c2.shaper, BLEN(&c->c2.to_link) + datagram_overhead(c->options.ce.proto)); } #endif /* * Let the pinger know that we sent a packet. */ if (c->options.ping_send_timeout) { event_timeout_reset(&c->c2.ping_send_interval); } #if PASSTOS_CAPABILITY /* Set TOS */ link_socket_set_tos(c->c2.link_socket); #endif /* Log packet send */ #ifdef LOG_RW if (c->c2.log_rw) { fprintf(stderr, "W"); } #endif msg(D_LINK_RW, "%s WRITE [%d] to %s: %s", proto2ascii(c->c2.link_socket->info.proto, c->c2.link_socket->info.af, true), BLEN(&c->c2.to_link), print_link_socket_actual(c->c2.to_link_addr, &gc), PROTO_DUMP(&c->c2.to_link, &gc)); /* Packet send complexified by possible Socks5 usage */ { struct link_socket_actual *to_addr = c->c2.to_link_addr; int size_delta = 0; /* If Socks5 over UDP, prepend header */ socks_preprocess_outgoing_link(c, &to_addr, &size_delta); /* Send packet */ size = link_socket_write(c->c2.link_socket, &c->c2.to_link, to_addr); /* Undo effect of prepend */ link_socket_write_post_size_adjust(&size, size_delta, &c->c2.to_link); } if (size > 0) { c->c2.max_send_size_local = max_int(size, c->c2.max_send_size_local); c->c2.link_write_bytes += size; link_write_bytes_global += size; #ifdef ENABLE_MEMSTATS if (mmap_stats) { mmap_stats->link_write_bytes = link_write_bytes_global; } #endif #ifdef ENABLE_MANAGEMENT if (management) { management_bytes_out(management, size); #ifdef MANAGEMENT_DEF_AUTH management_bytes_server(management, &c->c2.link_read_bytes, &c->c2.link_write_bytes, &c->c2.mda_context); #endif } #endif } } /* Check return status */ error_code = openvpn_errno(); check_status(size, "write", c->c2.link_socket, NULL); if (size > 0) { /* Did we write a different size packet than we intended? */ if (size != BLEN(&c->c2.to_link)) { msg(D_LINK_ERRORS, "TCP/UDP packet was truncated/expanded on write to %s (tried=%d,actual=%d)", print_link_socket_actual(c->c2.to_link_addr, &gc), BLEN(&c->c2.to_link), size); } } /* if not a ping/control message, indicate activity regarding --inactive parameter */ if (c->c2.buf.len > 0) { register_activity(c, size); } #ifdef ENABLE_CRYPTO /* for unreachable network and "connecting" state switch to the next host */ if (size < 0 && ENETUNREACH == error_code && c->c2.tls_multi && !tls_initial_packet_received(c->c2.tls_multi) && c->options.mode == MODE_POINT_TO_POINT) { msg(M_INFO, "Network unreachable, restarting"); register_signal(c, SIGUSR1, "network-unreachable"); } #endif } else { if (c->c2.to_link.len > 0) { msg(D_LINK_ERRORS, "TCP/UDP packet too large on write to %s (tried=%d,max=%d)", print_link_socket_actual(c->c2.to_link_addr, &gc), c->c2.to_link.len, EXPANDED_SIZE(&c->c2.frame)); } } buf_reset(&c->c2.to_link); perf_pop(); gc_free(&gc); } /* * Input: c->c2.to_tun */ void process_outgoing_tun(struct context *c) { struct gc_arena gc = gc_new(); /* * Set up for write() call to TUN/TAP * device. */ if (c->c2.to_tun.len <= 0) { return; } perf_push(PERF_PROC_OUT_TUN); /* * The --mssfix option requires * us to examine the IP header (IPv4 or IPv6). */ process_ip_header(c, PIP_MSSFIX|PIPV4_EXTRACT_DHCP_ROUTER|PIPV4_CLIENT_NAT|PIPV4_OUTGOING, &c->c2.to_tun); if (c->c2.to_tun.len <= MAX_RW_SIZE_TUN(&c->c2.frame)) { /* * Write to TUN/TAP device. */ int size; #ifdef LOG_RW if (c->c2.log_rw) { fprintf(stderr, "w"); } #endif dmsg(D_TUN_RW, "TUN WRITE [%d]", BLEN(&c->c2.to_tun)); #ifdef PACKET_TRUNCATION_CHECK ipv4_packet_size_verify(BPTR(&c->c2.to_tun), BLEN(&c->c2.to_tun), TUNNEL_TYPE(c->c1.tuntap), "WRITE_TUN", &c->c2.n_trunc_tun_write); #endif #ifdef TUN_PASS_BUFFER size = write_tun_buffered(c->c1.tuntap, &c->c2.to_tun); #else size = write_tun(c->c1.tuntap, BPTR(&c->c2.to_tun), BLEN(&c->c2.to_tun)); #endif if (size > 0) { c->c2.tun_write_bytes += size; } check_status(size, "write to TUN/TAP", NULL, c->c1.tuntap); /* check written packet size */ if (size > 0) { /* Did we write a different size packet than we intended? */ if (size != BLEN(&c->c2.to_tun)) { msg(D_LINK_ERRORS, "TUN/TAP packet was destructively fragmented on write to %s (tried=%d,actual=%d)", c->c1.tuntap->actual_name, BLEN(&c->c2.to_tun), size); } /* indicate activity regarding --inactive parameter */ register_activity(c, size); } } else { /* * This should never happen, probably indicates some kind * of MTU mismatch. */ msg(D_LINK_ERRORS, "tun packet too large on write (tried=%d,max=%d)", c->c2.to_tun.len, MAX_RW_SIZE_TUN(&c->c2.frame)); } buf_reset(&c->c2.to_tun); perf_pop(); gc_free(&gc); } void pre_select(struct context *c) { /* make sure current time (now) is updated on function entry */ /* * Start with an effectively infinite timeout, then let it * reduce to a timeout that reflects the component which * needs the earliest service. */ c->c2.timeval.tv_sec = BIG_TIMEOUT; c->c2.timeval.tv_usec = 0; #if defined(_WIN32) if (check_debug_level(D_TAP_WIN_DEBUG)) { c->c2.timeval.tv_sec = 1; if (tuntap_defined(c->c1.tuntap)) { tun_show_debug(c->c1.tuntap); } } #endif /* check coarse timers? */ check_coarse_timers(c); if (c->sig->signal_received) { return; } /* Does TLS need service? */ check_tls(c); /* In certain cases, TLS errors will require a restart */ check_tls_errors(c); if (c->sig->signal_received) { return; } /* check for incoming configuration info on the control channel */ check_incoming_control_channel(c); #ifdef ENABLE_OCC /* Should we send an OCC message? */ check_send_occ_msg(c); #endif #ifdef ENABLE_FRAGMENT /* Should we deliver a datagram fragment to remote? */ check_fragment(c); #endif /* Update random component of timeout */ check_timeout_random_component(c); } /* * Wait for I/O events. Used for both TCP & UDP sockets * in point-to-point mode and for UDP sockets in * point-to-multipoint mode. */ void io_wait_dowork(struct context *c, const unsigned int flags) { unsigned int socket = 0; unsigned int tuntap = 0; struct event_set_return esr[4]; /* These shifts all depend on EVENT_READ and EVENT_WRITE */ static int socket_shift = 0; /* depends on SOCKET_READ and SOCKET_WRITE */ static int tun_shift = 2; /* depends on TUN_READ and TUN_WRITE */ static int err_shift = 4; /* depends on ES_ERROR */ #ifdef ENABLE_MANAGEMENT static int management_shift = 6; /* depends on MANAGEMENT_READ and MANAGEMENT_WRITE */ #endif #ifdef ENABLE_ASYNC_PUSH static int file_shift = 8; /* listening inotify events */ #endif /* * Decide what kind of events we want to wait for. */ event_reset(c->c2.event_set); /* * On win32 we use the keyboard or an event object as a source * of asynchronous signals. */ if (flags & IOW_WAIT_SIGNAL) { wait_signal(c->c2.event_set, (void *)&err_shift); } /* * If outgoing data (for TCP/UDP port) pending, wait for ready-to-send * status from TCP/UDP port. Otherwise, wait for incoming data on * TUN/TAP device. */ if (flags & IOW_TO_LINK) { if (flags & IOW_SHAPER) { /* * If sending this packet would put us over our traffic shaping * quota, don't send -- instead compute the delay we must wait * until it will be OK to send the packet. */ #ifdef ENABLE_FEATURE_SHAPER int delay = 0; /* set traffic shaping delay in microseconds */ if (c->options.shaper) { delay = max_int(delay, shaper_delay(&c->c2.shaper)); } if (delay < 1000) { socket |= EVENT_WRITE; } else { shaper_soonest_event(&c->c2.timeval, delay); } #else /* ENABLE_FEATURE_SHAPER */ socket |= EVENT_WRITE; #endif /* ENABLE_FEATURE_SHAPER */ } else { socket |= EVENT_WRITE; } } else if (!((flags & IOW_FRAG) && TO_LINK_FRAG(c))) { if (flags & IOW_READ_TUN) { tuntap |= EVENT_READ; } } /* * If outgoing data (for TUN/TAP device) pending, wait for ready-to-send status * from device. Otherwise, wait for incoming data on TCP/UDP port. */ if (flags & IOW_TO_TUN) { tuntap |= EVENT_WRITE; } else { if (flags & IOW_READ_LINK) { socket |= EVENT_READ; } } /* * outgoing bcast buffer waiting to be sent? */ if (flags & IOW_MBUF) { socket |= EVENT_WRITE; } /* * Force wait on TUN input, even if also waiting on TCP/UDP output */ if (flags & IOW_READ_TUN_FORCE) { tuntap |= EVENT_READ; } /* * Configure event wait based on socket, tuntap flags. */ socket_set(c->c2.link_socket, c->c2.event_set, socket, (void *)&socket_shift, NULL); tun_set(c->c1.tuntap, c->c2.event_set, tuntap, (void *)&tun_shift, NULL); #ifdef ENABLE_MANAGEMENT if (management) { management_socket_set(management, c->c2.event_set, (void *)&management_shift, NULL); } #endif #ifdef ENABLE_ASYNC_PUSH /* arm inotify watcher */ if (c->options.mode == MODE_SERVER) { event_ctl(c->c2.event_set, c->c2.inotify_fd, EVENT_READ, (void *)&file_shift); } #endif /* * Possible scenarios: * (1) tcp/udp port has data available to read * (2) tcp/udp port is ready to accept more data to write * (3) tun dev has data available to read * (4) tun dev is ready to accept more data to write * (5) we received a signal (handler sets signal_received) * (6) timeout (tv) expired */ c->c2.event_set_status = ES_ERROR; if (!c->sig->signal_received) { if (!(flags & IOW_CHECK_RESIDUAL) || !socket_read_residual(c->c2.link_socket)) { int status; #ifdef ENABLE_DEBUG if (check_debug_level(D_EVENT_WAIT)) { show_wait_status(c); } #endif /* * Wait for something to happen. */ status = event_wait(c->c2.event_set, &c->c2.timeval, esr, SIZE(esr)); check_status(status, "event_wait", NULL, NULL); if (status > 0) { int i; c->c2.event_set_status = 0; for (i = 0; i < status; ++i) { const struct event_set_return *e = &esr[i]; c->c2.event_set_status |= ((e->rwflags & 3) << *((int *)e->arg)); } } else if (status == 0) { c->c2.event_set_status = ES_TIMEOUT; } } else { c->c2.event_set_status = SOCKET_READ; } } /* 'now' should always be a reasonably up-to-date timestamp */ update_time(); /* set signal_received if a signal was received */ if (c->c2.event_set_status & ES_ERROR) { get_signal(&c->sig->signal_received); } dmsg(D_EVENT_WAIT, "I/O WAIT status=0x%04x", c->c2.event_set_status); } void process_io(struct context *c) { const unsigned int status = c->c2.event_set_status; #ifdef ENABLE_MANAGEMENT if (status & (MANAGEMENT_READ|MANAGEMENT_WRITE)) { ASSERT(management); management_io(management); } #endif /* TCP/UDP port ready to accept write */ if (status & SOCKET_WRITE) { process_outgoing_link(c); } /* TUN device ready to accept write */ else if (status & TUN_WRITE) { process_outgoing_tun(c); } /* Incoming data on TCP/UDP port */ else if (status & SOCKET_READ) { read_incoming_link(c); if (!IS_SIG(c)) { process_incoming_link(c); } } /* Incoming data on TUN device */ else if (status & TUN_READ) { read_incoming_tun(c); if (!IS_SIG(c)) { process_incoming_tun(c); } } } openvpn-2.4.4/src/openvpn/forward.h000066400000000000000000000234201316434344000173020ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ /** * @file * Interface functions to the internal and external multiplexers. */ #ifndef FORWARD_H #define FORWARD_H #include "openvpn.h" #include "occ.h" #include "ping.h" #define TUN_OUT(c) (BLEN(&(c)->c2.to_tun) > 0) #define LINK_OUT(c) (BLEN(&(c)->c2.to_link) > 0) #define ANY_OUT(c) (TUN_OUT(c) || LINK_OUT(c)) #ifdef ENABLE_FRAGMENT #define TO_LINK_FRAG(c) ((c)->c2.fragment && fragment_outgoing_defined((c)->c2.fragment)) #else #define TO_LINK_FRAG(c) (false) #endif #define TO_LINK_DEF(c) (LINK_OUT(c) || TO_LINK_FRAG(c)) #define IOW_TO_TUN (1<<0) #define IOW_TO_LINK (1<<1) #define IOW_READ_TUN (1<<2) #define IOW_READ_LINK (1<<3) #define IOW_SHAPER (1<<4) #define IOW_CHECK_RESIDUAL (1<<5) #define IOW_FRAG (1<<6) #define IOW_MBUF (1<<7) #define IOW_READ_TUN_FORCE (1<<8) #define IOW_WAIT_SIGNAL (1<<9) #define IOW_READ (IOW_READ_TUN|IOW_READ_LINK) void pre_select(struct context *c); void process_io(struct context *c); const char *wait_status_string(struct context *c, struct gc_arena *gc); void show_wait_status(struct context *c); /**********************************************************************/ /** * Process a data channel packet that will be sent through a VPN tunnel. * @ingroup data_control * * This function controls the processing of a data channel packet which * will be sent through a VPN tunnel to a remote OpenVPN peer. It's * general structure is as follows: * - Check that the client authentication has succeeded; if not, drop the * packet. * - If the \a comp_frag argument is true: * - Call \c lzo_compress() of the \link Data Channel Compression * module\endlink to (possibly) compress the packet. * - Call \c fragment_outgoing() of the \link Data Channel Fragmentation * module\endlink to (possibly) fragment the packet. * - Activate the \link Data Channel Crypto module\endlink to perform * security operations on the packet. * - Call \c tls_pre_encrypt() to choose the appropriate security * parameters for this packet. * - Call \c openvpn_encrypt() to encrypt and HMAC signed the packet. * - Call \c tls_post_encrypt() to prepend the one-byte OpenVPN header * and do some TLS accounting. * - Place the resulting packet in \c c->c2.to_link so that it can be sent * over the external network interface to its remote destination by the * \link external_multiplexer External Multiplexer\endlink. * * @param c - The context structure of the VPN tunnel associated with this * packet. * @param comp_frag - Whether to do packet compression and fragmentation. * This flag is set to true the first time a packet is processed. If * the packet then gets fragmented, this function will be called again * once for each remaining fragment with this parameter set to false. */ void encrypt_sign(struct context *c, bool comp_frag); int get_server_poll_remaining_time(struct event_timeout *server_poll_timeout); /**********************************************************************/ /** * Read a packet from the external network interface. * @ingroup external_multiplexer * * The packet read from the external network interface is stored in \c * c->c2.buf and its source address in \c c->c2.from. If an error * occurred, the length of \c c->c2.buf will be 0. * * OpenVPN running as client or as UDP server only has a single external * network socket, so this function can be called with the single (client * mode) or top level (UDP server) context as its argument. OpenVPN * running as TCP server, on the other hand, has a network socket for each * active VPN tunnel. In that case this function must be called with the * context associated with the appropriate VPN tunnel for which data is * available to be read. * * @param c - The context structure which contains the external * network socket from which to read incoming packets. */ void read_incoming_link(struct context *c); /** * Starts processing a packet read from the external network interface. * @ingroup external_multiplexer * * This function starts the processing of a data channel packet which * has come out of a VPN tunnel. It's high-level structure is as follows: * - Verify that a nonzero length packet has been received from a valid * source address for the given context \a c. * - Call \c tls_pre_decrypt(), which splits data channel and control * channel packets: * - If a data channel packet, the appropriate security parameters are * loaded. * - If a control channel packet, this function process is it and * afterwards sets the packet's buffer length to 0, so that the data * channel processing steps below will ignore it. * - Call \c openvpn_decrypt() of the \link data_crypto Data Channel * Crypto module\endlink to authenticate and decrypt the packet using * the security parameters loaded by \c tls_pre_decrypt() above. * * @param c - The context structure of the VPN tunnel associated with the * packet. * @param lsi - link_socket_info obtained from context before processing. * @param floated - Flag indicates that peer has floated. * * @return true if packet is authenticated, false otherwise. */ bool process_incoming_link_part1(struct context *c, struct link_socket_info *lsi, bool floated); /** * Continues processing a packet read from the external network interface. * @ingroup external_multiplexer * * This function continues the processing of a data channel packet which * has come out of a VPN tunnel. It must be called after * \c process_incoming_link_part1() function. * * It's high-level structure is as follows: * - Call \c fragment_incoming() of the \link fragmentation Data Channel * Fragmentation module\endlink to reassemble the packet if it's * fragmented. * - Call \c lzo_decompress() of the \link compression Data Channel * Compression module\endlink to decompress the packet if it's * compressed. * - Place the resulting packet in \c c->c2.to_tun so that it can be sent * over the virtual tun/tap network interface to its local destination * by the \link internal_multiplexer Internal Multiplexer\endlink. * * @param c - The context structure of the VPN tunnel associated with the * packet. * @param lsi - link_socket_info obtained from context before processing. * @param orig_buf - Pointer to a buffer data. * */ void process_incoming_link_part2(struct context *c, struct link_socket_info *lsi, const uint8_t *orig_buf); /** * Write a packet to the external network interface. * @ingroup external_multiplexer * * This function writes the packet stored in \c c->c2.to_link to the * external network device contained within \c c->c1.link_socket. * * If an error occurs, it is logged and the packet is dropped. * * @param c - The context structure of the VPN tunnel associated with the * packet. */ void process_outgoing_link(struct context *c); /**************************************************************************/ /** * Read a packet from the virtual tun/tap network interface. * @ingroup internal_multiplexer * * This function reads a packet from the virtual tun/tap network device \c * c->c1.tuntap and stores it in \c c->c2.buf. * * If an error occurs, it is logged and the packet is dropped. * * @param c - The context structure in which to store the received * packet. */ void read_incoming_tun(struct context *c); /** * Process a packet read from the virtual tun/tap network interface. * @ingroup internal_multiplexer * * This function calls \c encrypt_sign() of the \link data_control Data * Channel Control module\endlink to process the packet. * * If an error occurs, it is logged and the packet is dropped. * * @param c - The context structure of the VPN tunnel associated with the * packet. */ void process_incoming_tun(struct context *c); /** * Write a packet to the virtual tun/tap network interface. * @ingroup internal_multiplexer * * This function writes the packet stored in \c c->c2.to_tun to the * virtual tun/tap network device \c c->c1.tuntap. * * If an error occurs, it is logged and the packet is dropped. * * @param c - The context structure of the VPN tunnel associated with * the packet. */ void process_outgoing_tun(struct context *c); /**************************************************************************/ bool send_control_channel_string(struct context *c, const char *str, int msglevel); #define PIPV4_PASSTOS (1<<0) #define PIP_MSSFIX (1<<1) /* v4 and v6 */ #define PIPV4_OUTGOING (1<<2) #define PIPV4_EXTRACT_DHCP_ROUTER (1<<3) #define PIPV4_CLIENT_NAT (1<<4) void process_ip_header(struct context *c, unsigned int flags, struct buffer *buf); #if P2MP void schedule_exit(struct context *c, const int n_seconds, const int signal); #endif #endif /* FORWARD_H */ openvpn-2.4.4/src/openvpn/fragment.c000066400000000000000000000325361316434344000174440ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) #include "config-msvc.h" #endif #include "syshead.h" #ifdef ENABLE_FRAGMENT #include "misc.h" #include "fragment.h" #include "integer.h" #include "memdbg.h" #define FRAG_ERR(s) { errmsg = s; goto error; } static void fragment_list_buf_init(struct fragment_list *list, const struct frame *frame) { int i; for (i = 0; i < N_FRAG_BUF; ++i) { list->fragments[i].buf = alloc_buf(BUF_SIZE(frame)); } } static void fragment_list_buf_free(struct fragment_list *list) { int i; for (i = 0; i < N_FRAG_BUF; ++i) { free_buf(&list->fragments[i].buf); } } /* * Given a sequence ID number, get a fragment buffer. Use a sliding window, * similar to packet_id code. */ static struct fragment * fragment_list_get_buf(struct fragment_list *list, int seq_id) { int diff; if (abs(diff = modulo_subtract(seq_id, list->seq_id, N_SEQ_ID)) >= N_FRAG_BUF) { int i; for (i = 0; i < N_FRAG_BUF; ++i) { list->fragments[i].defined = false; } list->index = 0; list->seq_id = seq_id; diff = 0; } while (diff > 0) { list->fragments[list->index = modulo_add(list->index, 1, N_FRAG_BUF)].defined = false; list->seq_id = modulo_add(list->seq_id, 1, N_SEQ_ID); --diff; } return &list->fragments[modulo_add(list->index, diff, N_FRAG_BUF)]; } struct fragment_master * fragment_init(struct frame *frame) { struct fragment_master *ret; /* code that initializes other parts of * fragment_master assume an initial CLEAR */ ALLOC_OBJ_CLEAR(ret, struct fragment_master); /* add in the size of our contribution to the expanded frame size */ frame_add_to_extra_frame(frame, sizeof(fragment_header_type)); /* * Outgoing sequence ID is randomized to reduce * the probability of sequence number collisions * when openvpn sessions are restarted. This is * not done out of any need for security, as all * fragmentation control information resides * inside of the encrypted/authenticated envelope. */ ret->outgoing_seq_id = (int)get_random() & (N_SEQ_ID - 1); event_timeout_init(&ret->wakeup, FRAG_WAKEUP_INTERVAL, now); return ret; } void fragment_free(struct fragment_master *f) { fragment_list_buf_free(&f->incoming); free_buf(&f->outgoing); free_buf(&f->outgoing_return); free(f); } void fragment_frame_init(struct fragment_master *f, const struct frame *frame) { fragment_list_buf_init(&f->incoming, frame); f->outgoing = alloc_buf(BUF_SIZE(frame)); f->outgoing_return = alloc_buf(BUF_SIZE(frame)); } /* * Accept an incoming datagram (which may be a fragment) from remote. * If the datagram is whole (i.e not a fragment), pass through. * If the datagram is a fragment, join with other fragments received so far. * If a fragment fully completes the datagram, return the datagram. */ void fragment_incoming(struct fragment_master *f, struct buffer *buf, const struct frame *frame) { const char *errmsg = NULL; fragment_header_type flags = 0; int frag_type = 0; if (buf->len > 0) { /* get flags from packet head */ if (!buf_read(buf, &flags, sizeof(flags))) { FRAG_ERR("flags not found in packet"); } flags = ntoh_fragment_header_type(flags); /* get fragment type from flags */ frag_type = ((flags >> FRAG_TYPE_SHIFT) & FRAG_TYPE_MASK); #if 0 /* * If you want to extract FRAG_EXTRA_MASK/FRAG_EXTRA_SHIFT bits, * do it here. */ if (frag_type == FRAG_WHOLE || frag_type == FRAG_YES_NOTLAST) { } #endif /* handle the fragment type */ if (frag_type == FRAG_WHOLE) { dmsg(D_FRAG_DEBUG, "FRAG_IN buf->len=%d type=FRAG_WHOLE flags=" fragment_header_format, buf->len, flags); if (flags & (FRAG_SEQ_ID_MASK | FRAG_ID_MASK)) { FRAG_ERR("spurrious FRAG_WHOLE flags"); } } else if (frag_type == FRAG_YES_NOTLAST || frag_type == FRAG_YES_LAST) { const int seq_id = ((flags >> FRAG_SEQ_ID_SHIFT) & FRAG_SEQ_ID_MASK); const int n = ((flags >> FRAG_ID_SHIFT) & FRAG_ID_MASK); const int size = ((frag_type == FRAG_YES_LAST) ? (int)(((flags >> FRAG_SIZE_SHIFT) & FRAG_SIZE_MASK) << FRAG_SIZE_ROUND_SHIFT) : buf->len); /* get the appropriate fragment buffer based on received seq_id */ struct fragment *frag = fragment_list_get_buf(&f->incoming, seq_id); dmsg(D_FRAG_DEBUG, "FRAG_IN len=%d type=%d seq_id=%d frag_id=%d size=%d flags=" fragment_header_format, buf->len, frag_type, seq_id, n, size, flags); /* make sure that size is an even multiple of 1<defined || frag->max_frag_size != size) { frag->defined = true; frag->max_frag_size = size; frag->map = 0; ASSERT(buf_init(&frag->buf, FRAME_HEADROOM_ADJ(frame, FRAME_HEADROOM_MARKER_FRAGMENT))); } /* copy the data to fragment buffer */ if (!buf_copy_range(&frag->buf, n * size, buf, 0, buf->len)) { FRAG_ERR("fragment buffer overflow"); } /* set elements in bit array to reflect which fragments have been received */ frag->map |= (((frag_type == FRAG_YES_LAST) ? FRAG_MAP_MASK : 1) << n); /* update timestamp on partially built datagram */ frag->timestamp = now; /* received full datagram? */ if ((frag->map & FRAG_MAP_MASK) == FRAG_MAP_MASK) { frag->defined = false; *buf = frag->buf; } else { buf->len = 0; } } else if (frag_type == FRAG_TEST) { FRAG_ERR("FRAG_TEST not implemented"); } else { FRAG_ERR("unknown fragment type"); } } return; error: if (errmsg) { msg(D_FRAG_ERRORS, "FRAG_IN error flags=" fragment_header_format ": %s", flags, errmsg); } buf->len = 0; return; } /* pack fragment parms into a uint32_t and prepend to buffer */ static void fragment_prepend_flags(struct buffer *buf, int type, int seq_id, int frag_id, int frag_size) { fragment_header_type flags = ((type & FRAG_TYPE_MASK) << FRAG_TYPE_SHIFT) | ((seq_id & FRAG_SEQ_ID_MASK) << FRAG_SEQ_ID_SHIFT) | ((frag_id & FRAG_ID_MASK) << FRAG_ID_SHIFT); if (type == FRAG_WHOLE || type == FRAG_YES_NOTLAST) { /* * If you want to set FRAG_EXTRA_MASK/FRAG_EXTRA_SHIFT bits, * do it here. */ dmsg(D_FRAG_DEBUG, "FRAG_OUT len=%d type=%d seq_id=%d frag_id=%d frag_size=%d flags=" fragment_header_format, buf->len, type, seq_id, frag_id, frag_size, flags); } else { flags |= (((frag_size >> FRAG_SIZE_ROUND_SHIFT) & FRAG_SIZE_MASK) << FRAG_SIZE_SHIFT); dmsg(D_FRAG_DEBUG, "FRAG_OUT len=%d type=%d seq_id=%d frag_id=%d frag_size=%d flags=" fragment_header_format, buf->len, type, seq_id, frag_id, frag_size, flags); } flags = hton_fragment_header_type(flags); ASSERT(buf_write_prepend(buf, &flags, sizeof(flags))); } /* * Without changing the number of fragments, return a possibly smaller * max fragment size that will allow for the last fragment to be of * similar size as previous fragments. */ static inline int optimal_fragment_size(int len, int max_frag_size) { const int mfs_aligned = (max_frag_size & ~FRAG_SIZE_ROUND_MASK); const int div = len / mfs_aligned; const int mod = len % mfs_aligned; if (div > 0 && mod > 0 && mod < mfs_aligned * 3 / 4) { return min_int(mfs_aligned, (max_frag_size - ((max_frag_size - mod) / (div + 1)) + FRAG_SIZE_ROUND_MASK) & ~FRAG_SIZE_ROUND_MASK); } else { return mfs_aligned; } } /* process an outgoing datagram, possibly breaking it up into fragments */ void fragment_outgoing(struct fragment_master *f, struct buffer *buf, const struct frame *frame) { const char *errmsg = NULL; if (buf->len > 0) { /* The outgoing buffer should be empty so we can put new data in it */ if (f->outgoing.len) { msg(D_FRAG_ERRORS, "FRAG: outgoing buffer is not empty, len=[%d,%d]", buf->len, f->outgoing.len); } if (buf->len > PAYLOAD_SIZE_DYNAMIC(frame)) /* should we fragment? */ { /* * Send the datagram as a series of 2 or more fragments. */ f->outgoing_frag_size = optimal_fragment_size(buf->len, PAYLOAD_SIZE_DYNAMIC(frame)); if (buf->len > f->outgoing_frag_size * MAX_FRAGS) { FRAG_ERR("too many fragments would be required to send datagram"); } ASSERT(buf_init(&f->outgoing, FRAME_HEADROOM(frame))); ASSERT(buf_copy(&f->outgoing, buf)); f->outgoing_seq_id = modulo_add(f->outgoing_seq_id, 1, N_SEQ_ID); f->outgoing_frag_id = 0; buf->len = 0; ASSERT(fragment_ready_to_send(f, buf, frame)); } else { /* * Send the datagram whole. */ fragment_prepend_flags(buf, FRAG_WHOLE, 0, 0, 0); } } return; error: if (errmsg) { msg(D_FRAG_ERRORS, "FRAG_OUT error, len=%d frag_size=%d MAX_FRAGS=%d: %s", buf->len, f->outgoing_frag_size, MAX_FRAGS, errmsg); } buf->len = 0; return; } /* return true (and set buf) if we have an outgoing fragment which is ready to send */ bool fragment_ready_to_send(struct fragment_master *f, struct buffer *buf, const struct frame *frame) { if (fragment_outgoing_defined(f)) { /* get fragment size, and determine if it is the last fragment */ int size = f->outgoing_frag_size; int last = false; if (f->outgoing.len <= size) { size = f->outgoing.len; last = true; } /* initialize return buffer */ *buf = f->outgoing_return; ASSERT(buf_init(buf, FRAME_HEADROOM(frame))); ASSERT(buf_copy_n(buf, &f->outgoing, size)); /* fragment flags differ based on whether or not we are sending the last fragment */ fragment_prepend_flags(buf, last ? FRAG_YES_LAST : FRAG_YES_NOTLAST, f->outgoing_seq_id, f->outgoing_frag_id++, f->outgoing_frag_size); ASSERT(!last || !f->outgoing.len); /* outgoing buffer length should be zero after last fragment sent */ return true; } else { return false; } } static void fragment_ttl_reap(struct fragment_master *f) { int i; for (i = 0; i < N_FRAG_BUF; ++i) { struct fragment *frag = &f->incoming.fragments[i]; if (frag->defined && frag->timestamp + FRAG_TTL_SEC <= now) { msg(D_FRAG_ERRORS, "FRAG TTL expired i=%d", i); frag->defined = false; } } } /* called every FRAG_WAKEUP_INTERVAL seconds */ void fragment_wakeup(struct fragment_master *f, struct frame *frame) { /* delete fragments with expired TTLs */ fragment_ttl_reap(f); } #else /* ifdef ENABLE_FRAGMENT */ static void dummy(void) { } #endif /* ifdef ENABLE_FRAGMENT */ openvpn-2.4.4/src/openvpn/fragment.h000066400000000000000000000461561316434344000174540ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifndef FRAGMENT_H #define FRAGMENT_H /** * @file * Data Channel Fragmentation module header file. */ #ifdef ENABLE_FRAGMENT /** * @addtogroup fragmentation * @{ */ #include "common.h" #include "buffer.h" #include "interval.h" #include "mtu.h" #include "shaper.h" #include "error.h" #define N_FRAG_BUF 25 /**< Number of packet buffers for * reassembling incoming fragmented * packets. */ #define FRAG_TTL_SEC 10 /**< Time-to-live in seconds for a %fragment. */ #define FRAG_WAKEUP_INTERVAL 5 /**< Interval in seconds between calls to * wakeup code. */ /**************************************************************************/ /** * Structure for reassembling one incoming fragmented packet. */ struct fragment { bool defined; /**< Whether reassembly is currently * taking place in this structure. */ int max_frag_size; /**< Maximum size of each %fragment. */ #define FRAG_MAP_MASK 0xFFFFFFFF /**< Mask for reassembly map. */ #define MAX_FRAGS 32 /**< Maximum number of fragments per packet. */ unsigned int map; /**< Reassembly map for recording which * fragments have been received. * * A bit array where each bit * corresponds to a %fragment. A 1 bit * in element n means that the %fragment * n has been received. Needs to have * at least \c MAX_FRAGS bits. */ time_t timestamp; /**< Timestamp for time-to-live purposes. */ struct buffer buf; /**< Buffer in which received datagrams * are reassembled. */ }; /** * List of fragment structures for reassembling multiple incoming packets * concurrently. */ struct fragment_list { int seq_id; /**< Highest fragmentation sequence ID of * the packets currently being * reassembled. */ int index; /**< Index of the packet being reassembled * with the highest fragmentation * sequence ID into the \c * fragment_list.fragments array. */ /** Array of reassembly structures, each can contain one whole packet. * * The fragmentation sequence IDs of the packets being reassembled in * this array are linearly increasing. \c * fragment_list.fragments[fragment_list.index] has an ID of \c * fragment_list.seq_id. This means that one of these \c fragment_list * structures can at any one time contain at most packets with the * fragmentation sequence IDs in the range \c fragment_list.seq_id \c - * \c N_FRAG_BUF \c + \c 1 to \c fragment_list.seq_id, inclusive. */ struct fragment fragments[N_FRAG_BUF]; }; /** * Fragmentation and reassembly state for one VPN tunnel instance. * * This structure contains all the state necessary for sending and * receiving fragmented data channel packets associated with one VPN * tunnel. * * The fragmented packet currently being sent to a remote OpenVPN peer is * stored in \c fragment_master.outgoing. It is copied into that buffer * by the \c fragment_outgoing() function and the remaining parts to be * sent can be retrieved by successive calls to \c * fragment_ready_to_send(). * * The received packets currently being reassembled are stored in the \c * fragment_master.incoming array of \c fragment structures. The \c * fragment_incoming() function adds newly received parts into this array * and returns the whole packets once reassembly is complete. */ struct fragment_master { struct event_timeout wakeup; /**< Timeout structure used by the main * event loop to know when to do * fragmentation housekeeping. */ bool received_os_mtu_hint; /**< Whether the operating system has * explicitly recommended an MTU value. */ #define N_SEQ_ID 256 /**< One more than the maximum fragment * sequence ID, above which the IDs wrap * to zero. Should be a power of 2. */ int outgoing_seq_id; /**< Fragment sequence ID of the current * fragmented packet waiting to be sent. * * All parts of a fragmented packet * share the same sequence ID, so that * the remote OpenVPN peer can determine * which parts belong to which original * packet. */ #define MAX_FRAG_PKT_SIZE 65536 /**< (Not used) Maximum packet size before * fragmenting. */ int outgoing_frag_size; /**< Size in bytes of each part to be * sent, except for the last part which * may be smaller. * * This value is computed by the \c * optimal_fragment_size() function. Its * value is sent to the remote peer in * the fragmentation header of the last * part (i.e. with %fragment type \c * FRAG_YES_LAST) using the \c * FRAG_SIZE_MASK and \c FRAG_SIZE_SHIFT * bits. */ int outgoing_frag_id; /**< The fragment ID of the next part to * be sent. Must have a value between 0 * and \c MAX_FRAGS-1. */ struct buffer outgoing; /**< Buffer containing the remaining parts * of the fragmented packet being sent. */ struct buffer outgoing_return; /**< Buffer used by \c * fragment_ready_to_send() to return a * part to send. */ struct fragment_list incoming; /**< List of structures for reassembling * incoming packets. */ }; /**************************************************************************/ /** @name Fragment header * @todo Add description of %fragment header format. *//** @{ *//*************************************/ typedef uint32_t fragment_header_type; /**< Fragmentation information is stored in * a 32-bit packet header. */ #define hton_fragment_header_type(x) htonl(x) /**< Convert a fragment_header_type from * host to network order. */ #define ntoh_fragment_header_type(x) ntohl(x) /**< Convert a \c fragment_header_type * from network to host order. */ #define FRAG_TYPE_MASK 0x00000003 /**< Bit mask for %fragment type info. */ #define FRAG_TYPE_SHIFT 0 /**< Bit shift for %fragment type info. */ #define FRAG_WHOLE 0 /**< Fragment type indicating packet is * whole. */ #define FRAG_YES_NOTLAST 1 /**< Fragment type indicating packet is * part of a fragmented packet, but not * the last part in the sequence. */ #define FRAG_YES_LAST 2 /**< Fragment type indicating packet is * the last part in the sequence of * parts. */ #define FRAG_TEST 3 /**< Fragment type not implemented yet. * In the future might be used as a * control packet for establishing MTU * size. */ #define FRAG_SEQ_ID_MASK 0x000000ff /**< Bit mask for %fragment sequence ID. */ #define FRAG_SEQ_ID_SHIFT 2 /**< Bit shift for %fragment sequence ID. */ #define FRAG_ID_MASK 0x0000001f /**< Bit mask for %fragment ID. */ #define FRAG_ID_SHIFT 10 /**< Bit shift for %fragment ID. */ /* * FRAG_SIZE 14 bits * * IF FRAG_YES_LAST (FRAG_SIZE): * The max size of a %fragment. If a %fragment is not the last %fragment in the packet, * then the %fragment size is guaranteed to be equal to the max %fragment size. Therefore, * max_frag_size is only sent over the wire if FRAG_LAST is set. Otherwise it is assumed * to be the actual %fragment size received. */ #define FRAG_SIZE_MASK 0x00003fff /**< Bit mask for %fragment size. */ #define FRAG_SIZE_SHIFT 15 /**< Bit shift for %fragment size. */ #define FRAG_SIZE_ROUND_SHIFT 2 /**< Bit shift for %fragment size rounding. */ #define FRAG_SIZE_ROUND_MASK ((1 << FRAG_SIZE_ROUND_SHIFT) - 1) /**< Bit mask for %fragment size rounding. */ /* * FRAG_EXTRA 16 bits * * IF FRAG_WHOLE or FRAG_YES_NOTLAST, these 16 bits are available (not currently used) */ #define FRAG_EXTRA_MASK 0x0000ffff /**< Bit mask for extra bits. */ #define FRAG_EXTRA_SHIFT 15 /**< Bit shift for extra bits. */ /** @} name Fragment header *//********************************************/ /**************************************************************************/ /** @name Functions for initialization and cleanup *//** @{ *//************/ /** * Allocate and initialize a \c fragment_master structure. * * This function also modifies the \a frame packet geometry parameters to * include space for the fragmentation header. * * @param frame - The packet geometry parameters for this VPN * tunnel, modified by this function to include the * fragmentation header. * * @return A pointer to the new \c fragment_master structure. */ struct fragment_master *fragment_init(struct frame *frame); /** * Allocate internal packet buffers for a \c fragment_master structure. * * @param f - The \c fragment_master structure for which to * allocate the internal buffers. * @param frame - The packet geometry parameters for this VPN * tunnel, used to determine how much memory to * allocate for each packet buffer. */ void fragment_frame_init(struct fragment_master *f, const struct frame *frame); /** * Free a \c fragment_master structure and its internal packet buffers. * * @param f - The \c fragment_master structure to free. */ void fragment_free(struct fragment_master *f); /** @} name Functions for initialization and cleanup *//*******************/ /**************************************************************************/ /** @name Functions for processing packets received from a remote OpenVPN peer */ /** @{ */ /** * Process an incoming packet, which may or may not be fragmented. * * This function inspects the fragmentation header of the incoming packet * and processes the packet accordingly. Depending on the %fragment type * bits (\c FRAG_TYPE_MASK and \c FRAG_TYPE_SHIFT) the packet is processed * in the following ways: * - \c FRAG_WHOLE: the packet is not fragmented, and this function does * not modify its contents, except for removing the fragmentation * header. * - \c FRAG_YES_NOTLAST or \c FRAG_YES_LAST: the packet is part of a * fragmented packet. This function copies the packet into an internal * reassembly buffer. If the incoming part completes the packet being * reassembled, the \a buf argument is modified to point to the fully * reassembled packet. If, on the other hand, reassembly is not yet * complete, then the the \a buf buffer is set to empty. * - Any other value: error. * * If an error occurs during processing, an error message is logged and * the length of \a buf is set to zero. * * @param f - The \c fragment_master structure for this VPN * tunnel. * @param buf - A pointer to the buffer structure containing the * incoming packet. This pointer will have been * modified on return either to point to a * completely reassembled packet, or to have length * set to zero if reassembly is not yet complete. * @param frame - The packet geometry parameters for this VPN * tunnel. * * @return Void.\n On return, the \a buf argument will point to a buffer. * The buffer will have nonzero length if the incoming packet passed * to this function was whole and unfragmented, or if it was the final * part of a fragmented packet thereby completing reassembly. On the * other hand, the buffer will have a length of zero if the incoming * packet was part of a fragmented packet and reassembly is not yet * complete. If an error occurs during processing, the buffer length * is also set to zero. */ void fragment_incoming(struct fragment_master *f, struct buffer *buf, const struct frame *frame); /** @} name Functions for processing packets received from a VPN tunnel */ /**************************************************************************/ /** @name Functions for processing packets to be sent to a remote OpenVPN peer */ /** @{ */ /** * Process an outgoing packet, which may or may not need to be fragmented. * * This function inspects the outgoing packet, determines whether it needs * to be fragmented, and processes it accordingly. * * Depending on the size of the outgoing packet and the packet geometry * parameters for the VPN tunnel, the packet will or will not be * fragmented. * @li Packet size is less than or equal to the maximum packet size for * this VPN tunnel: fragmentation is not necessary. The \a buf * argument points to a buffer containing the unmodified outgoing * packet with a fragmentation header indicating the packet is whole * (FRAG_WHOLE) prepended. * @li Packet size is greater than the maximum packet size for this VPN * tunnel: fragmentation is necessary. The original outgoing packet * is copied into an internal buffer for fragmentation. The \a buf * argument is modified to point to the first part of the fragmented * packet. The remaining parts remain stored in the internal buffer, * and can be retrieved using the \c fragment_ready_to_send() * function. * * If an error occurs during processing, an error message is logged and * the length of \a buf is set to zero. * * @param f - The \c fragment_master structure for this VPN * tunnel. * @param buf - A pointer to the buffer structure containing the * outgoing packet. This pointer will be modified * to point to a whole unfragmented packet or to the * first part of a fragmented packet on return. * @param frame - The packet geometry parameters for this VPN * tunnel. * * @return Void.\n On return, the \a buf argument will point to a buffer. * This buffer contains either the whole original outgoing packet if * fragmentation was not necessary, or the first part of the * fragmented outgoing packet if fragmentation was necessary. In both * cases a fragmentation header will have been prepended to inform the * remote peer how to handle the packet. */ void fragment_outgoing(struct fragment_master *f, struct buffer *buf, const struct frame *frame); /** * Check whether outgoing fragments are ready to be send, and if so make * one available. * * This function checks whether the internal buffer for fragmenting * outgoing packets contains any unsent parts. If it does not, meaning * there is nothing waiting to be sent, it returns false. Otherwise there * are parts ready to be sent, and it returns true. In that case it also * modifies the \a buf argument to point to a buffer containing the next * part to be sent. * * @param f - The \a fragment_master structure for this VPN * tunnel. * @param buf - A pointer to a buffer structure which on return, * if there are parts waiting to be sent, will point * to the next part to be sent. * @param frame - The packet geometry parameters for this VPN * tunnel. * * @return * @li True, if an outgoing packet has been fragmented and not all parts * have been sent yet. In this case this function will modify the \a * buf argument to point to a buffer containing the next part to be * sent. * @li False, if there are no outgoing fragmented parts waiting to be * sent. */ bool fragment_ready_to_send(struct fragment_master *f, struct buffer *buf, const struct frame *frame); /** * Check whether a \c fragment_master structure contains fragments ready * to be sent. * * @param f - The \c fragment_master structure for this VPN * tunnel. * * @return * @li True, if there are one or more fragments ready to be sent. * @li False, otherwise. */ static inline bool fragment_outgoing_defined(struct fragment_master *f) { return f->outgoing.len > 0; } /** @} name Functions for processing packets going out through a VPN tunnel */ void fragment_wakeup(struct fragment_master *f, struct frame *frame); /**************************************************************************/ /** @name Functions for regular housekeeping *//** @{ *//******************/ /** * Perform housekeeping of a \c fragment_master structure. * * Housekeeping includes scanning incoming packet reassembly buffers for * packets which have not yet been reassembled completely but are already * older than their time-to-live. * * @param f - The \c fragment_master structure for this VPN * tunnel. * @param frame - The packet geometry parameters for this VPN * tunnel. */ static inline void fragment_housekeeping(struct fragment_master *f, struct frame *frame, struct timeval *tv) { if (event_timeout_trigger(&f->wakeup, tv, ETT_DEFAULT)) { fragment_wakeup(f, frame); } } /** @} name Functions for regular housekeeping *//*************************/ /** @} addtogroup fragmentation *//****************************************/ #endif /* ifdef ENABLE_FRAGMENT */ #endif /* ifndef FRAGMENT_H */ openvpn-2.4.4/src/openvpn/gremlin.c000066400000000000000000000137121316434344000172710ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ /* * Test protocol robustness by simulating dropped packets and * network outages when the --gremlin option is used. */ #ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) #include "config-msvc.h" #endif #include "syshead.h" #ifdef ENABLE_DEBUG #include "error.h" #include "common.h" #include "misc.h" #include "otime.h" #include "gremlin.h" #include "memdbg.h" /* * Parameters for packet corruption and droppage. * Each parameter has 4 possible levels, 0 = disabled, * while 1, 2, and 3 are enumerated in the below arrays. * The parameter is a 2-bit field within the --gremlin * parameter. */ /* * Probability that we will drop a packet is 1 / n */ static const int drop_freq[] = { 500, 100, 50 }; /* * Probability that we will corrupt a packet is 1 / n */ static const int corrupt_freq[] = { 500, 100, 50 }; /* * When network goes up, it will be up for between * UP_LOW and UP_HIGH seconds. */ static const int up_low[] = { 60, 10, 5 }; static const int up_high[] = { 600, 60, 10 }; /* * When network goes down, it will be down for between * DOWN_LOW and DOWN_HIGH seconds. */ static const int down_low[] = { 5, 10, 10 }; static const int down_high[] = { 10, 60, 120 }; /* * Packet flood levels: * { number of packets, packet size } */ static const struct packet_flood_parms packet_flood_data[] = {{10, 100}, {10, 1500}, {100, 1500}}; struct packet_flood_parms get_packet_flood_parms(int level) { ASSERT(level > 0 && level < 4); return packet_flood_data [level - 1]; } /* * Return true with probability 1/n */ static bool flip(int n) { return (get_random() % n) == 0; } /* * Return uniformly distributed random number between * low and high. */ static int roll(int low, int high) { int ret; ASSERT(low <= high); ret = low + (get_random() % (high - low + 1)); ASSERT(ret >= low && ret <= high); return ret; } static bool initialized; /* GLOBAL */ static bool up; /* GLOBAL */ static time_t next; /* GLOBAL */ /* * Return false if we should drop a packet. */ bool ask_gremlin(int flags) { const int up_down_level = GREMLIN_UP_DOWN_LEVEL(flags); const int drop_level = GREMLIN_DROP_LEVEL(flags); if (!initialized) { initialized = true; if (up_down_level) { up = false; } else { up = true; } next = now; } if (up_down_level) /* change up/down state? */ { if (now >= next) { int delta; if (up) { delta = roll(down_low[up_down_level-1], down_high[up_down_level-1]); up = false; } else { delta = roll(up_low[up_down_level-1], up_high[up_down_level-1]); up = true; } msg(D_GREMLIN, "GREMLIN: CONNECTION GOING %s FOR %d SECONDS", (up ? "UP" : "DOWN"), delta); next = now + delta; } } if (drop_level) { if (up && flip(drop_freq[drop_level-1])) { dmsg(D_GREMLIN_VERBOSE, "GREMLIN: Random packet drop"); return false; } } return up; } /* * Possibly corrupt a packet. */ void corrupt_gremlin(struct buffer *buf, int flags) { const int corrupt_level = GREMLIN_CORRUPT_LEVEL(flags); if (corrupt_level) { if (flip(corrupt_freq[corrupt_level-1])) { do { if (buf->len > 0) { uint8_t r = roll(0, 255); int method = roll(0, 5); switch (method) { case 0: /* corrupt the first byte */ *BPTR(buf) = r; break; case 1: /* corrupt the last byte */ *(BPTR(buf) + buf->len - 1) = r; break; case 2: /* corrupt a random byte */ *(BPTR(buf) + roll(0, buf->len - 1)) = r; break; case 3: /* append a random byte */ buf_write(buf, &r, 1); break; case 4: /* reduce length by 1 */ --buf->len; break; case 5: /* reduce length by a random amount */ buf->len -= roll(0, buf->len - 1); break; } dmsg(D_GREMLIN_VERBOSE, "GREMLIN: Packet Corruption, method=%d", method); } else { break; } } while (flip(2)); /* a 50% chance we will corrupt again */ } } } #else /* ifdef ENABLE_DEBUG */ static void dummy(void) { } #endif /* ifdef ENABLE_DEBUG */ openvpn-2.4.4/src/openvpn/gremlin.h000066400000000000000000000047641316434344000173050ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifndef GREMLIN_H #define GREMLIN_H #ifdef ENABLE_DEBUG /* * Gremlin options, presented as bitmask argument to --gremlin directive */ #define GREMLIN_CONNECTION_FLOOD_SHIFT (0) #define GREMLIN_CONNECTION_FLOOD_MASK (0x07) #define GREMLIN_PACKET_FLOOD_SHIFT (3) #define GREMLIN_PACKET_FLOOD_MASK (0x03) #define GREMLIN_CORRUPT_SHIFT (5) #define GREMLIN_CORRUPT_MASK (0x03) #define GREMLIN_UP_DOWN_SHIFT (7) #define GREMLIN_UP_DOWN_MASK (0x03) /* 512:1/500 1024:1/100 1536:1/50 */ #define GREMLIN_DROP_SHIFT (9) #define GREMLIN_DROP_MASK (0x03) /* extract gremlin parms */ #define GREMLIN_CONNECTION_FLOOD_LEVEL(x) (((x)>>GREMLIN_CONNECTION_FLOOD_SHIFT) & GREMLIN_CONNECTION_FLOOD_MASK) #define GREMLIN_PACKET_FLOOD_LEVEL(x) (((x)>>GREMLIN_PACKET_FLOOD_SHIFT) & GREMLIN_PACKET_FLOOD_MASK) #define GREMLIN_CORRUPT_LEVEL(x) (((x)>>GREMLIN_CORRUPT_SHIFT) & GREMLIN_CORRUPT_MASK) #define GREMLIN_UP_DOWN_LEVEL(x) (((x)>>GREMLIN_UP_DOWN_SHIFT) & GREMLIN_UP_DOWN_MASK) #define GREMLIN_DROP_LEVEL(x) (((x)>>GREMLIN_DROP_SHIFT) & GREMLIN_DROP_MASK) #include "buffer.h" struct packet_flood_parms { int n_packets; int packet_size; }; bool ask_gremlin(int flags); void corrupt_gremlin(struct buffer *buf, int flags); struct packet_flood_parms get_packet_flood_parms(int level); #endif /* ifdef ENABLE_DEBUG */ #endif /* ifndef GREMLIN_H */ openvpn-2.4.4/src/openvpn/helper.c000066400000000000000000000424331316434344000171150ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) #include "config-msvc.h" #endif #include "syshead.h" #include "forward.h" #include "helper.h" #include "pool.h" #include "push.h" #include "memdbg.h" #if P2MP_SERVER static const char * print_netmask(int netbits, struct gc_arena *gc) { struct buffer out = alloc_buf_gc(128, gc); const in_addr_t netmask = netbits_to_netmask(netbits); buf_printf(&out, "%s (/%d)", print_in_addr_t(netmask, 0, gc), netbits); return BSTR(&out); } static const char * print_opt_route_gateway(const in_addr_t route_gateway, struct gc_arena *gc) { struct buffer out = alloc_buf_gc(128, gc); ASSERT(route_gateway); buf_printf(&out, "route-gateway %s", print_in_addr_t(route_gateway, 0, gc)); return BSTR(&out); } static const char * print_opt_route_gateway_dhcp(struct gc_arena *gc) { struct buffer out = alloc_buf_gc(32, gc); buf_printf(&out, "route-gateway dhcp"); return BSTR(&out); } static const char * print_opt_route(const in_addr_t network, const in_addr_t netmask, struct gc_arena *gc) { struct buffer out = alloc_buf_gc(128, gc); ASSERT(network); if (netmask) { buf_printf(&out, "route %s %s", print_in_addr_t(network, 0, gc), print_in_addr_t(netmask, 0, gc)); } else { buf_printf(&out, "route %s", print_in_addr_t(network, 0, gc)); } return BSTR(&out); } static const char * print_opt_topology(const int topology, struct gc_arena *gc) { struct buffer out = alloc_buf_gc(128, gc); buf_printf(&out, "topology %s", print_topology(topology)); return BSTR(&out); } static const char * print_str_int(const char *str, const int i, struct gc_arena *gc) { struct buffer out = alloc_buf_gc(128, gc); buf_printf(&out, "%s %d", str, i); return BSTR(&out); } static const char * print_str(const char *str, struct gc_arena *gc) { struct buffer out = alloc_buf_gc(128, gc); buf_printf(&out, "%s", str); return BSTR(&out); } static void helper_add_route(const in_addr_t network, const in_addr_t netmask, struct options *o) { rol_check_alloc(o); add_route_to_option_list(o->routes, print_in_addr_t(network, 0, &o->gc), print_in_addr_t(netmask, 0, &o->gc), NULL, NULL); } static void verify_common_subnet(const char *opt, const in_addr_t a, const in_addr_t b, const in_addr_t subnet) { struct gc_arena gc = gc_new(); if ((a & subnet) != (b & subnet)) { msg(M_USAGE, "%s IP addresses %s and %s are not in the same %s subnet", opt, print_in_addr_t(a, 0, &gc), print_in_addr_t(b, 0, &gc), print_in_addr_t(subnet, 0, &gc)); } gc_free(&gc); } #endif /* if P2MP_SERVER */ /* * Process server, server-bridge, and client helper * directives after the parameters themselves have been * parsed and placed in struct options. */ void helper_client_server(struct options *o) { struct gc_arena gc = gc_new(); #if P2MP #if P2MP_SERVER /* * Get tun/tap/null device type */ const int dev = dev_type_enum(o->dev, o->dev_type); const int topology = o->topology; /* * * HELPER DIRECTIVE for IPv6 * * server-ipv6 2001:db8::/64 * * EXPANDS TO: * * tun-ipv6 * push "tun-ipv6" * ifconfig-ipv6 2001:db8::1 2001:db8::2 * if !nopool: * ifconfig-ipv6-pool 2001:db8::1000/64 * */ if (o->server_ipv6_defined) { if (!o->server_defined) { msg(M_USAGE, "--server-ipv6 must be used together with --server"); } if (o->server_flags & SF_NOPOOL) { msg( M_USAGE, "--server-ipv6 is incompatible with 'nopool' option" ); } if (o->ifconfig_ipv6_pool_defined) { msg( M_USAGE, "--server-ipv6 already defines an ifconfig-ipv6-pool, so you can't also specify --ifconfig-pool explicitly"); } /* local ifconfig is "base address + 1" and "+2" */ o->ifconfig_ipv6_local = print_in6_addr( add_in6_addr( o->server_network_ipv6, 1), 0, &o->gc ); o->ifconfig_ipv6_remote = print_in6_addr( add_in6_addr( o->server_network_ipv6, 2), 0, &o->gc ); o->ifconfig_ipv6_netbits = o->server_netbits_ipv6; /* pool starts at "base address + 0x1000" - leave enough room */ ASSERT( o->server_netbits_ipv6 <= 112 ); /* want 16 bits */ o->ifconfig_ipv6_pool_defined = true; o->ifconfig_ipv6_pool_base = add_in6_addr( o->server_network_ipv6, 0x1000 ); o->ifconfig_ipv6_pool_netbits = o->server_netbits_ipv6; push_option( o, "tun-ipv6", M_USAGE ); } /* * * HELPER DIRECTIVE: * * server 10.8.0.0 255.255.255.0 * * EXPANDS TO: * * mode server * tls-server * push "topology [topology]" * * if tun AND (topology == net30 OR topology == p2p): * ifconfig 10.8.0.1 10.8.0.2 * if !nopool: * ifconfig-pool 10.8.0.4 10.8.0.251 * route 10.8.0.0 255.255.255.0 * if client-to-client: * push "route 10.8.0.0 255.255.255.0" * else if topology == net30: * push "route 10.8.0.1" * * if tap OR (tun AND topology == subnet): * ifconfig 10.8.0.1 255.255.255.0 * if !nopool: * ifconfig-pool 10.8.0.2 10.8.0.253 255.255.255.0 * push "route-gateway 10.8.0.1" * if route-gateway unset: * route-gateway 10.8.0.2 */ if (o->server_defined) { int netbits = -2; bool status = false; if (o->client) { msg(M_USAGE, "--server and --client cannot be used together"); } if (o->server_bridge_defined || o->server_bridge_proxy_dhcp) { msg(M_USAGE, "--server and --server-bridge cannot be used together"); } if (o->shared_secret_file) { msg(M_USAGE, "--server and --secret cannot be used together (you must use SSL/TLS keys)"); } if (!(o->server_flags & SF_NOPOOL) && o->ifconfig_pool_defined) { msg(M_USAGE, "--server already defines an ifconfig-pool, so you can't also specify --ifconfig-pool explicitly"); } if (!(dev == DEV_TYPE_TAP || dev == DEV_TYPE_TUN)) { msg(M_USAGE, "--server directive only makes sense with --dev tun or --dev tap"); } status = netmask_to_netbits(o->server_network, o->server_netmask, &netbits); if (!status) { msg(M_USAGE, "--server directive network/netmask combination is invalid"); } if (netbits < 0) { msg(M_USAGE, "--server directive netmask is invalid"); } if (netbits < IFCONFIG_POOL_MIN_NETBITS) { msg(M_USAGE, "--server directive netmask allows for too many host addresses (subnet must be %s or higher)", print_netmask(IFCONFIG_POOL_MIN_NETBITS, &gc)); } if (dev == DEV_TYPE_TUN) { int pool_end_reserve = 4; if (netbits > 29) { msg(M_USAGE, "--server directive when used with --dev tun must define a subnet of %s or lower", print_netmask(29, &gc)); } if (netbits == 29) { pool_end_reserve = 0; } o->mode = MODE_SERVER; o->tls_server = true; if (topology == TOP_NET30 || topology == TOP_P2P) { o->ifconfig_local = print_in_addr_t(o->server_network + 1, 0, &o->gc); o->ifconfig_remote_netmask = print_in_addr_t(o->server_network + 2, 0, &o->gc); if (!(o->server_flags & SF_NOPOOL)) { o->ifconfig_pool_defined = true; o->ifconfig_pool_start = o->server_network + 4; o->ifconfig_pool_end = (o->server_network | ~o->server_netmask) - pool_end_reserve; ifconfig_pool_verify_range(M_USAGE, o->ifconfig_pool_start, o->ifconfig_pool_end); } helper_add_route(o->server_network, o->server_netmask, o); if (o->enable_c2c) { push_option(o, print_opt_route(o->server_network, o->server_netmask, &o->gc), M_USAGE); } else if (topology == TOP_NET30) { push_option(o, print_opt_route(o->server_network + 1, 0, &o->gc), M_USAGE); } } else if (topology == TOP_SUBNET) { o->ifconfig_local = print_in_addr_t(o->server_network + 1, 0, &o->gc); o->ifconfig_remote_netmask = print_in_addr_t(o->server_netmask, 0, &o->gc); if (!(o->server_flags & SF_NOPOOL)) { o->ifconfig_pool_defined = true; o->ifconfig_pool_start = o->server_network + 2; o->ifconfig_pool_end = (o->server_network | ~o->server_netmask) - 2; ifconfig_pool_verify_range(M_USAGE, o->ifconfig_pool_start, o->ifconfig_pool_end); } o->ifconfig_pool_netmask = o->server_netmask; push_option(o, print_opt_route_gateway(o->server_network + 1, &o->gc), M_USAGE); if (!o->route_default_gateway) { o->route_default_gateway = print_in_addr_t(o->server_network + 2, 0, &o->gc); } } else { ASSERT(0); } push_option(o, print_opt_topology(topology, &o->gc), M_USAGE); } else if (dev == DEV_TYPE_TAP) { if (netbits > 30) { msg(M_USAGE, "--server directive when used with --dev tap must define a subnet of %s or lower", print_netmask(30, &gc)); } o->mode = MODE_SERVER; o->tls_server = true; o->ifconfig_local = print_in_addr_t(o->server_network + 1, 0, &o->gc); o->ifconfig_remote_netmask = print_in_addr_t(o->server_netmask, 0, &o->gc); if (!(o->server_flags & SF_NOPOOL)) { o->ifconfig_pool_defined = true; o->ifconfig_pool_start = o->server_network + 2; o->ifconfig_pool_end = (o->server_network | ~o->server_netmask) - 1; ifconfig_pool_verify_range(M_USAGE, o->ifconfig_pool_start, o->ifconfig_pool_end); } o->ifconfig_pool_netmask = o->server_netmask; push_option(o, print_opt_route_gateway(o->server_network + 1, &o->gc), M_USAGE); } else { ASSERT(0); } /* set push-ifconfig-constraint directive */ if ((dev == DEV_TYPE_TAP || topology == TOP_SUBNET)) { o->push_ifconfig_constraint_defined = true; o->push_ifconfig_constraint_network = o->server_network; o->push_ifconfig_constraint_netmask = o->server_netmask; } } /* * HELPER DIRECTIVE: * * server-bridge 10.8.0.4 255.255.255.0 10.8.0.128 10.8.0.254 * * EXPANDS TO: * * mode server * tls-server * * ifconfig-pool 10.8.0.128 10.8.0.254 255.255.255.0 * push "route-gateway 10.8.0.4" * * OR * * server-bridge * * EXPANDS TO: * * mode server * tls-server * * if !nogw: * push "route-gateway dhcp" */ else if (o->server_bridge_defined | o->server_bridge_proxy_dhcp) { if (o->client) { msg(M_USAGE, "--server-bridge and --client cannot be used together"); } if (!(o->server_flags & SF_NOPOOL) && o->ifconfig_pool_defined) { msg(M_USAGE, "--server-bridge already defines an ifconfig-pool, so you can't also specify --ifconfig-pool explicitly"); } if (o->shared_secret_file) { msg(M_USAGE, "--server-bridge and --secret cannot be used together (you must use SSL/TLS keys)"); } if (dev != DEV_TYPE_TAP) { msg(M_USAGE, "--server-bridge directive only makes sense with --dev tap"); } if (o->server_bridge_defined) { verify_common_subnet("--server-bridge", o->server_bridge_ip, o->server_bridge_pool_start, o->server_bridge_netmask); verify_common_subnet("--server-bridge", o->server_bridge_pool_start, o->server_bridge_pool_end, o->server_bridge_netmask); verify_common_subnet("--server-bridge", o->server_bridge_ip, o->server_bridge_pool_end, o->server_bridge_netmask); } o->mode = MODE_SERVER; o->tls_server = true; if (o->server_bridge_defined) { o->ifconfig_pool_defined = true; o->ifconfig_pool_start = o->server_bridge_pool_start; o->ifconfig_pool_end = o->server_bridge_pool_end; ifconfig_pool_verify_range(M_USAGE, o->ifconfig_pool_start, o->ifconfig_pool_end); o->ifconfig_pool_netmask = o->server_bridge_netmask; push_option(o, print_opt_route_gateway(o->server_bridge_ip, &o->gc), M_USAGE); } else if (o->server_bridge_proxy_dhcp && !(o->server_flags & SF_NO_PUSH_ROUTE_GATEWAY)) { push_option(o, print_opt_route_gateway_dhcp(&o->gc), M_USAGE); } } else #endif /* P2MP_SERVER */ /* * HELPER DIRECTIVE: * * client * * EXPANDS TO: * * pull * tls-client */ if (o->client) { if (o->key_method != 2) { msg(M_USAGE, "--client requires --key-method 2"); } o->pull = true; o->tls_client = true; } #endif /* P2MP */ gc_free(&gc); } /* * * HELPER DIRECTIVE: * * keepalive 10 60 * * EXPANDS TO: * * if mode server: * ping 10 * ping-restart 120 * push "ping 10" * push "ping-restart 60" * else * ping 10 * ping-restart 60 */ void helper_keepalive(struct options *o) { if (o->keepalive_ping || o->keepalive_timeout) { /* * Sanity checks. */ if (o->keepalive_ping <= 0 || o->keepalive_timeout <= 0) { msg(M_USAGE, "--keepalive parameters must be > 0"); } if (o->keepalive_ping * 2 > o->keepalive_timeout) { msg(M_USAGE, "the second parameter to --keepalive (restart timeout=%d) must be at least twice the value of the first parameter (ping interval=%d). A ratio of 1:5 or 1:6 would be even better. Recommended setting is --keepalive 10 60.", o->keepalive_timeout, o->keepalive_ping); } if (o->ping_send_timeout || o->ping_rec_timeout) { msg(M_USAGE, "--keepalive conflicts with --ping, --ping-exit, or --ping-restart. If you use --keepalive, you don't need any of the other --ping directives."); } /* * Expand. */ if (o->mode == MODE_POINT_TO_POINT) { o->ping_rec_timeout_action = PING_RESTART; o->ping_send_timeout = o->keepalive_ping; o->ping_rec_timeout = o->keepalive_timeout; } #if P2MP_SERVER else if (o->mode == MODE_SERVER) { o->ping_rec_timeout_action = PING_RESTART; o->ping_send_timeout = o->keepalive_ping; o->ping_rec_timeout = o->keepalive_timeout * 2; push_option(o, print_str_int("ping", o->keepalive_ping, &o->gc), M_USAGE); push_option(o, print_str_int("ping-restart", o->keepalive_timeout, &o->gc), M_USAGE); } #endif else { ASSERT(0); } } } /* * * HELPER DIRECTIVE: * * tcp-nodelay * * EXPANDS TO: * * if mode server: * socket-flags TCP_NODELAY * push "socket-flags TCP_NODELAY" */ void helper_tcp_nodelay(struct options *o) { #if P2MP_SERVER if (o->server_flags & SF_TCP_NODELAY_HELPER) { if (o->mode == MODE_SERVER) { o->sockflags |= SF_TCP_NODELAY; push_option(o, print_str("socket-flags TCP_NODELAY", &o->gc), M_USAGE); } else { o->sockflags |= SF_TCP_NODELAY; } } #endif } openvpn-2.4.4/src/openvpn/helper.h000066400000000000000000000024411316434344000171150ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ /* * Process helper directives such as server, client, and keepalive. */ #ifndef HELPER_H #define HELPER_H #include "options.h" void helper_keepalive(struct options *o); void helper_client_server(struct options *o); void helper_tcp_nodelay(struct options *o); #endif openvpn-2.4.4/src/openvpn/httpdigest.c000066400000000000000000000124131316434344000200100ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) #include "config-msvc.h" #endif #include "syshead.h" #if PROXY_DIGEST_AUTH #include "crypto.h" #include "httpdigest.h" static void CvtHex( IN HASH Bin, OUT HASHHEX Hex ) { unsigned short i; unsigned char j; for (i = 0; i < HASHLEN; i++) { j = (Bin[i] >> 4) & 0xf; if (j <= 9) { Hex[i*2] = (j + '0'); } else { Hex[i*2] = (j + 'a' - 10); } j = Bin[i] & 0xf; if (j <= 9) { Hex[i*2+1] = (j + '0'); } else { Hex[i*2+1] = (j + 'a' - 10); } } Hex[HASHHEXLEN] = '\0'; } /* calculate H(A1) as per spec */ void DigestCalcHA1( IN char *pszAlg, IN char *pszUserName, IN char *pszRealm, IN char *pszPassword, IN char *pszNonce, IN char *pszCNonce, OUT HASHHEX SessionKey ) { HASH HA1; md_ctx_t *md5_ctx = md_ctx_new(); const md_kt_t *md5_kt = md_kt_get("MD5"); md_ctx_init(md5_ctx, md5_kt); md_ctx_update(md5_ctx, (const uint8_t *) pszUserName, strlen(pszUserName)); md_ctx_update(md5_ctx, (const uint8_t *) ":", 1); md_ctx_update(md5_ctx, (const uint8_t *) pszRealm, strlen(pszRealm)); md_ctx_update(md5_ctx, (const uint8_t *) ":", 1); md_ctx_update(md5_ctx, (const uint8_t *) pszPassword, strlen(pszPassword)); md_ctx_final(md5_ctx, HA1); if (pszAlg && strcasecmp(pszAlg, "md5-sess") == 0) { md_ctx_init(md5_ctx, md5_kt); md_ctx_update(md5_ctx, HA1, HASHLEN); md_ctx_update(md5_ctx, (const uint8_t *) ":", 1); md_ctx_update(md5_ctx, (const uint8_t *) pszNonce, strlen(pszNonce)); md_ctx_update(md5_ctx, (const uint8_t *) ":", 1); md_ctx_update(md5_ctx, (const uint8_t *) pszCNonce, strlen(pszCNonce)); md_ctx_final(md5_ctx, HA1); } md_ctx_cleanup(md5_ctx); md_ctx_free(md5_ctx); CvtHex(HA1, SessionKey); } /* calculate request-digest/response-digest as per HTTP Digest spec */ void DigestCalcResponse( IN HASHHEX HA1, /* H(A1) */ IN char *pszNonce, /* nonce from server */ IN char *pszNonceCount, /* 8 hex digits */ IN char *pszCNonce, /* client nonce */ IN char *pszQop, /* qop-value: "", "auth", "auth-int" */ IN char *pszMethod, /* method from the request */ IN char *pszDigestUri, /* requested URL */ IN HASHHEX HEntity, /* H(entity body) if qop="auth-int" */ OUT HASHHEX Response /* request-digest or response-digest */ ) { HASH HA2; HASH RespHash; HASHHEX HA2Hex; md_ctx_t *md5_ctx = md_ctx_new(); const md_kt_t *md5_kt = md_kt_get("MD5"); /* calculate H(A2) */ md_ctx_init(md5_ctx, md5_kt); md_ctx_update(md5_ctx, (const uint8_t *) pszMethod, strlen(pszMethod)); md_ctx_update(md5_ctx, (const uint8_t *) ":", 1); md_ctx_update(md5_ctx, (const uint8_t *) pszDigestUri, strlen(pszDigestUri)); if (strcasecmp(pszQop, "auth-int") == 0) { md_ctx_update(md5_ctx, (const uint8_t *) ":", 1); md_ctx_update(md5_ctx, HEntity, HASHHEXLEN); } md_ctx_final(md5_ctx, HA2); CvtHex(HA2, HA2Hex); /* calculate response */ md_ctx_init(md5_ctx, md5_kt); md_ctx_update(md5_ctx, HA1, HASHHEXLEN); md_ctx_update(md5_ctx, (const uint8_t *) ":", 1); md_ctx_update(md5_ctx, (const uint8_t *) pszNonce, strlen(pszNonce)); md_ctx_update(md5_ctx, (const uint8_t *) ":", 1); if (*pszQop) { md_ctx_update(md5_ctx, (const uint8_t *) pszNonceCount, strlen(pszNonceCount)); md_ctx_update(md5_ctx, (const uint8_t *) ":", 1); md_ctx_update(md5_ctx, (const uint8_t *) pszCNonce, strlen(pszCNonce)); md_ctx_update(md5_ctx, (const uint8_t *) ":", 1); md_ctx_update(md5_ctx, (const uint8_t *) pszQop, strlen(pszQop)); md_ctx_update(md5_ctx, (const uint8_t *) ":", 1); } md_ctx_update(md5_ctx, HA2Hex, HASHHEXLEN); md_ctx_final(md5_ctx, RespHash); md_ctx_cleanup(md5_ctx); md_ctx_free(md5_ctx); CvtHex(RespHash, Response); } #endif /* if PROXY_DIGEST_AUTH */ openvpn-2.4.4/src/openvpn/httpdigest.h000066400000000000000000000041221316434344000200130ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #if PROXY_DIGEST_AUTH #define HASHLEN 16 typedef unsigned char HASH[HASHLEN]; #define HASHHEXLEN 32 typedef unsigned char HASHHEX[HASHHEXLEN+1]; #undef IN #undef OUT #define IN const #define OUT /* calculate H(A1) as per HTTP Digest spec */ void DigestCalcHA1( IN char *pszAlg, IN char *pszUserName, IN char *pszRealm, IN char *pszPassword, IN char *pszNonce, IN char *pszCNonce, OUT HASHHEX SessionKey ); /* calculate request-digest/response-digest as per HTTP Digest spec */ void DigestCalcResponse( IN HASHHEX HA1, /* H(A1) */ IN char *pszNonce, /* nonce from server */ IN char *pszNonceCount, /* 8 hex digits */ IN char *pszCNonce, /* client nonce */ IN char *pszQop, /* qop-value: "", "auth", "auth-int" */ IN char *pszMethod, /* method from the request */ IN char *pszDigestUri, /* requested URL */ IN HASHHEX HEntity, /* H(entity body) if qop="auth-int" */ OUT HASHHEX Response /* request-digest or response-digest */ ); #endif /* if PROXY_DIGEST_AUTH */ openvpn-2.4.4/src/openvpn/init.c000066400000000000000000003651721316434344000166110ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) #include "config-msvc.h" #endif #include "syshead.h" #ifdef ENABLE_SYSTEMD #include #endif #include "win32.h" #include "init.h" #include "sig.h" #include "occ.h" #include "list.h" #include "otime.h" #include "pool.h" #include "gremlin.h" #include "pkcs11.h" #include "ps.h" #include "lladdr.h" #include "ping.h" #include "mstats.h" #include "ssl_verify.h" #include "tls_crypt.h" #include "forward-inline.h" #include "memdbg.h" #include "occ-inline.h" static struct context *static_context; /* GLOBAL */ /* * Crypto initialization flags */ #define CF_LOAD_PERSISTED_PACKET_ID (1<<0) #define CF_INIT_TLS_MULTI (1<<1) #define CF_INIT_TLS_AUTH_STANDALONE (1<<2) static void do_init_first_time(struct context *c); void context_clear(struct context *c) { CLEAR(*c); } void context_clear_1(struct context *c) { CLEAR(c->c1); } void context_clear_2(struct context *c) { CLEAR(c->c2); } void context_clear_all_except_first_time(struct context *c) { const bool first_time_save = c->first_time; const struct context_persist cpsave = c->persist; context_clear(c); c->first_time = first_time_save; c->persist = cpsave; } /* * Pass tunnel endpoint and MTU parms to a user-supplied script. * Used to execute the up/down script/plugins. */ static void run_up_down(const char *command, const struct plugin_list *plugins, int plugin_type, const char *arg, #ifdef _WIN32 DWORD adapter_index, #endif const char *dev_type, int tun_mtu, int link_mtu, const char *ifconfig_local, const char *ifconfig_remote, const char *context, const char *signal_text, const char *script_type, struct env_set *es) { struct gc_arena gc = gc_new(); if (signal_text) { setenv_str(es, "signal", signal_text); } setenv_str(es, "script_context", context); setenv_int(es, "tun_mtu", tun_mtu); setenv_int(es, "link_mtu", link_mtu); setenv_str(es, "dev", arg); if (dev_type) { setenv_str(es, "dev_type", dev_type); } #ifdef _WIN32 setenv_int(es, "dev_idx", adapter_index); #endif if (!ifconfig_local) { ifconfig_local = ""; } if (!ifconfig_remote) { ifconfig_remote = ""; } if (!context) { context = ""; } if (plugin_defined(plugins, plugin_type)) { struct argv argv = argv_new(); ASSERT(arg); argv_printf(&argv, "%s %d %d %s %s %s", arg, tun_mtu, link_mtu, ifconfig_local, ifconfig_remote, context); if (plugin_call(plugins, plugin_type, &argv, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS) { msg(M_FATAL, "ERROR: up/down plugin call failed"); } argv_reset(&argv); } if (command) { struct argv argv = argv_new(); ASSERT(arg); setenv_str(es, "script_type", script_type); argv_parse_cmd(&argv, command); argv_printf_cat(&argv, "%s %d %d %s %s %s", arg, tun_mtu, link_mtu, ifconfig_local, ifconfig_remote, context); argv_msg(M_INFO, &argv); openvpn_run_script(&argv, es, S_FATAL, "--up/--down"); argv_reset(&argv); } gc_free(&gc); } /* * Should be called after options->ce is modified at the top * of a SIGUSR1 restart. */ static void update_options_ce_post(struct options *options) { #if P2MP /* * In pull mode, we usually import --ping/--ping-restart parameters from * the server. However we should also set an initial default --ping-restart * for the period of time before we pull the --ping-restart parameter * from the server. */ if (options->pull && options->ping_rec_timeout_action == PING_UNDEF && proto_is_dgram(options->ce.proto)) { options->ping_rec_timeout = PRE_PULL_INITIAL_PING_RESTART; options->ping_rec_timeout_action = PING_RESTART; } #endif } #ifdef ENABLE_MANAGEMENT static bool management_callback_proxy_cmd(void *arg, const char **p) { struct context *c = arg; struct connection_entry *ce = &c->options.ce; struct gc_arena *gc = &c->c2.gc; bool ret = false; update_time(); if (streq(p[1], "NONE")) { ret = true; } else if (p[2] && p[3]) { if (streq(p[1], "HTTP")) { struct http_proxy_options *ho; if (ce->proto != PROTO_TCP && ce->proto != PROTO_TCP_CLIENT) { msg(M_WARN, "HTTP proxy support only works for TCP based connections"); return false; } ho = init_http_proxy_options_once(&ce->http_proxy_options, gc); ho->server = string_alloc(p[2], gc); ho->port = string_alloc(p[3], gc); ho->auth_retry = (p[4] && streq(p[4], "nct") ? PAR_NCT : PAR_ALL); ret = true; } else if (streq(p[1], "SOCKS")) { ce->socks_proxy_server = string_alloc(p[2], gc); ce->socks_proxy_port = string_alloc(p[3], gc); ret = true; } } else { msg(M_WARN, "Bad proxy command"); } ce->flags &= ~CE_MAN_QUERY_PROXY; return ret; } static bool ce_management_query_proxy(struct context *c) { const struct connection_list *l = c->options.connection_list; struct connection_entry *ce = &c->options.ce; struct gc_arena gc; bool ret = true; update_time(); if (management) { gc = gc_new(); { struct buffer out = alloc_buf_gc(256, &gc); buf_printf(&out, ">PROXY:%u,%s,%s", (l ? l->current : 0) + 1, (proto_is_udp(ce->proto) ? "UDP" : "TCP"), np(ce->remote)); management_notify_generic(management, BSTR(&out)); } ce->flags |= CE_MAN_QUERY_PROXY; while (ce->flags & CE_MAN_QUERY_PROXY) { management_event_loop_n_seconds(management, 1); if (IS_SIG(c)) { ret = false; break; } } gc_free(&gc); } return ret; } static bool management_callback_remote_cmd(void *arg, const char **p) { struct context *c = (struct context *) arg; struct connection_entry *ce = &c->options.ce; int ret = false; if (p[1] && ((ce->flags>>CE_MAN_QUERY_REMOTE_SHIFT)&CE_MAN_QUERY_REMOTE_MASK) == CE_MAN_QUERY_REMOTE_QUERY) { int flags = 0; if (!strcmp(p[1], "ACCEPT")) { flags = CE_MAN_QUERY_REMOTE_ACCEPT; ret = true; } else if (!strcmp(p[1], "SKIP")) { flags = CE_MAN_QUERY_REMOTE_SKIP; ret = true; } else if (!strcmp(p[1], "MOD") && p[2] && p[3]) { if (strlen(p[2]) < RH_HOST_LEN && strlen(p[3]) < RH_PORT_LEN) { struct remote_host_store *rhs = c->options.rh_store; if (!rhs) { ALLOC_OBJ_CLEAR_GC(rhs, struct remote_host_store, &c->options.gc); c->options.rh_store = rhs; } strncpynt(rhs->host, p[2], RH_HOST_LEN); strncpynt(rhs->port, p[3], RH_PORT_LEN); ce->remote = rhs->host; ce->remote_port = rhs->port; flags = CE_MAN_QUERY_REMOTE_MOD; ret = true; } } if (ret) { ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK<flags |= ((flags&CE_MAN_QUERY_REMOTE_MASK)<options.ce; int ce_changed = true; /* presume the connection entry will be changed */ update_time(); if (management) { struct buffer out = alloc_buf_gc(256, &gc); buf_printf(&out, ">REMOTE:%s,%s,%s", np(ce->remote), ce->remote_port, proto2ascii(ce->proto, ce->af, false)); management_notify_generic(management, BSTR(&out)); ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK << CE_MAN_QUERY_REMOTE_SHIFT); ce->flags |= (CE_MAN_QUERY_REMOTE_QUERY << CE_MAN_QUERY_REMOTE_SHIFT); while (((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT) & CE_MAN_QUERY_REMOTE_MASK) == CE_MAN_QUERY_REMOTE_QUERY) { management_event_loop_n_seconds(management, 1); if (IS_SIG(c)) { ce_changed = false; /* connection entry have not been set */ break; } } } gc_free(&gc); if (ce_changed) { /* If it is likely a connection entry was modified, * check what changed in the flags and that it was not skipped */ const int flags = ((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT) & CE_MAN_QUERY_REMOTE_MASK); ce_changed = (flags != CE_MAN_QUERY_REMOTE_SKIP); } return ce_changed; } #endif /* ENABLE_MANAGEMENT */ /* * Initialize and possibly randomize connection list. */ static void init_connection_list(struct context *c) { struct connection_list *l = c->options.connection_list; l->current = -1; if (c->options.remote_random) { int i; for (i = 0; i < l->len; ++i) { const int j = get_random() % l->len; if (i != j) { struct connection_entry *tmp; tmp = l->array[i]; l->array[i] = l->array[j]; l->array[j] = tmp; } } } } /* * Clear the remote address list */ static void clear_remote_addrlist(struct link_socket_addr *lsa, bool free) { if (lsa->remote_list && free) { freeaddrinfo(lsa->remote_list); } lsa->remote_list = NULL; lsa->current_remote = NULL; } /* * Increment to next connection entry */ static void next_connection_entry(struct context *c) { struct connection_list *l = c->options.connection_list; bool ce_defined; struct connection_entry *ce; int n_cycles = 0; do { ce_defined = true; if (c->options.no_advance && l->current >= 0) { c->options.no_advance = false; } else { /* Check if there is another resolved address to try for * the current connection */ if (c->c1.link_socket_addr.current_remote && c->c1.link_socket_addr.current_remote->ai_next) { c->c1.link_socket_addr.current_remote = c->c1.link_socket_addr.current_remote->ai_next; } else { /* FIXME (schwabe) fix the persist-remote-ip option for real, * this is broken probably ever since connection lists and multiple * remote existed */ if (!c->options.persist_remote_ip) { /* close_instance should have cleared the addrinfo objects */ ASSERT(c->c1.link_socket_addr.current_remote == NULL); ASSERT(c->c1.link_socket_addr.remote_list == NULL); } else { c->c1.link_socket_addr.current_remote = c->c1.link_socket_addr.remote_list; } /* * Increase the number of connection attempts * If this is connect-retry-max * size(l) * OpenVPN will quit */ c->options.unsuccessful_attempts++; if (++l->current >= l->len) { l->current = 0; if (++n_cycles >= 2) { msg(M_FATAL, "No usable connection profiles are present"); } } } } ce = l->array[l->current]; if (ce->flags & CE_DISABLED) { ce_defined = false; } c->options.ce = *ce; #ifdef ENABLE_MANAGEMENT if (ce_defined && management && management_query_remote_enabled(management)) { /* allow management interface to override connection entry details */ ce_defined = ce_management_query_remote(c); if (IS_SIG(c)) { break; } } else if (ce_defined && management && management_query_proxy_enabled(management)) { ce_defined = ce_management_query_proxy(c); if (IS_SIG(c)) { break; } } #endif } while (!ce_defined); /* Check if this connection attempt would bring us over the limit */ if (c->options.connect_retry_max > 0 && c->options.unsuccessful_attempts > (l->len * c->options.connect_retry_max)) { msg(M_FATAL, "All connections have been connect-retry-max (%d) times unsuccessful, exiting", c->options.connect_retry_max); } update_options_ce_post(&c->options); } /* * Query for private key and auth-user-pass username/passwords */ void init_query_passwords(const struct context *c) { #ifdef ENABLE_CRYPTO /* Certificate password input */ if (c->options.key_pass_file) { pem_password_setup(c->options.key_pass_file); } #endif #if P2MP /* Auth user/pass input */ if (c->options.auth_user_pass_file) { #ifdef ENABLE_CLIENT_CR auth_user_pass_setup(c->options.auth_user_pass_file, &c->options.sc_info); #else auth_user_pass_setup(c->options.auth_user_pass_file, NULL); #endif } #endif } /* * Initialize/Uninitialize HTTP or SOCKS proxy */ static void uninit_proxy_dowork(struct context *c) { if (c->c1.http_proxy_owned && c->c1.http_proxy) { http_proxy_close(c->c1.http_proxy); c->c1.http_proxy = NULL; c->c1.http_proxy_owned = false; } if (c->c1.socks_proxy_owned && c->c1.socks_proxy) { socks_proxy_close(c->c1.socks_proxy); c->c1.socks_proxy = NULL; c->c1.socks_proxy_owned = false; } } static void init_proxy_dowork(struct context *c) { bool did_http = false; uninit_proxy_dowork(c); if (c->options.ce.http_proxy_options) { /* Possible HTTP proxy user/pass input */ c->c1.http_proxy = http_proxy_new(c->options.ce.http_proxy_options); if (c->c1.http_proxy) { did_http = true; c->c1.http_proxy_owned = true; } } if (!did_http && c->options.ce.socks_proxy_server) { c->c1.socks_proxy = socks_proxy_new(c->options.ce.socks_proxy_server, c->options.ce.socks_proxy_port, c->options.ce.socks_proxy_authfile); if (c->c1.socks_proxy) { c->c1.socks_proxy_owned = true; } } } static void init_proxy(struct context *c) { init_proxy_dowork(c); } static void uninit_proxy(struct context *c) { uninit_proxy_dowork(c); } void context_init_1(struct context *c) { context_clear_1(c); packet_id_persist_init(&c->c1.pid_persist); init_connection_list(c); #if defined(ENABLE_PKCS11) if (c->first_time) { int i; pkcs11_initialize(true, c->options.pkcs11_pin_cache_period); for (i = 0; ioptions.pkcs11_providers[i] != NULL; i++) { pkcs11_addProvider(c->options.pkcs11_providers[i], c->options.pkcs11_protected_authentication[i], c->options.pkcs11_private_mode[i], c->options.pkcs11_cert_private[i]); } } #endif #if 0 /* test get_user_pass with GET_USER_PASS_NEED_OK flag */ { /* * In the management interface, you can okay the request by entering "needok token-insertion-request ok" */ struct user_pass up; CLEAR(up); strcpy(up.username, "Please insert your cryptographic token"); /* put the high-level message in up.username */ get_user_pass(&up, NULL, "token-insertion-request", GET_USER_PASS_MANAGEMENT|GET_USER_PASS_NEED_OK); msg(M_INFO, "RET:%s", up.password); /* will return the third argument to management interface * 'needok' command, usually 'ok' or 'cancel'. */ } #endif #ifdef ENABLE_SYSTEMD /* We can report the PID via getpid() to systemd here as OpenVPN will not * do any fork due to daemon() a future call. * See possibly_become_daemon() [init.c] for more details. */ sd_notifyf(0, "READY=1\nSTATUS=Pre-connection initialization successful\nMAINPID=%lu", (unsigned long) getpid()); #endif } void context_gc_free(struct context *c) { gc_free(&c->c2.gc); gc_free(&c->options.gc); gc_free(&c->gc); } #if PORT_SHARE static void close_port_share(void) { if (port_share) { port_share_close(port_share); port_share = NULL; } } static void init_port_share(struct context *c) { if (!port_share && (c->options.port_share_host && c->options.port_share_port)) { port_share = port_share_open(c->options.port_share_host, c->options.port_share_port, MAX_RW_SIZE_LINK(&c->c2.frame), c->options.port_share_journal_dir); if (port_share == NULL) { msg(M_FATAL, "Fatal error: Port sharing failed"); } } } #endif /* if PORT_SHARE */ bool init_static(void) { /* configure_path (); */ #if defined(ENABLE_CRYPTO) && defined(DMALLOC) crypto_init_dmalloc(); #endif /* * Initialize random number seed. random() is only used * when "weak" random numbers are acceptable. * SSL library routines are always used when cryptographically * strong random numbers are required. */ struct timeval tv; if (!gettimeofday(&tv, NULL)) { const unsigned int seed = (unsigned int) tv.tv_sec ^ tv.tv_usec; srandom(seed); } error_reset(); /* initialize error.c */ reset_check_status(); /* initialize status check code in socket.c */ #ifdef _WIN32 init_win32(); #endif #ifdef OPENVPN_DEBUG_COMMAND_LINE { int i; for (i = 0; i < argc; ++i) { msg(M_INFO, "argv[%d] = '%s'", i, argv[i]); } } #endif update_time(); #ifdef ENABLE_CRYPTO init_ssl_lib(); /* init PRNG used for IV generation */ /* When forking, copy this to more places in the code to avoid fork * random-state predictability */ prng_init(NULL, 0); #endif #ifdef PID_TEST packet_id_interactive_test(); /* test the sequence number code */ return false; #endif #ifdef SCHEDULE_TEST schedule_test(); return false; #endif #ifdef LIST_TEST list_test(); return false; #endif #ifdef IFCONFIG_POOL_TEST ifconfig_pool_test(0x0A010004, 0x0A0100FF); return false; #endif #ifdef CHARACTER_CLASS_DEBUG character_class_debug(); return false; #endif #ifdef EXTRACT_X509_FIELD_TEST extract_x509_field_test(); return false; #endif #ifdef TIME_TEST time_test(); return false; #endif #ifdef TEST_GET_DEFAULT_GATEWAY { struct route_gateway_info rgi; struct route_ipv6_gateway_info rgi6; get_default_gateway(&rgi); get_default_gateway_ipv6(&rgi6, NULL); print_default_gateway(M_INFO, &rgi, &rgi6); return false; } #endif #ifdef GEN_PATH_TEST { struct gc_arena gc = gc_new(); const char *fn = gen_path("foo", "bar", &gc); printf("%s\n", fn); gc_free(&gc); } return false; #endif #ifdef STATUS_PRINTF_TEST { struct gc_arena gc = gc_new(); const char *tmp_file = create_temp_file("/tmp", "foo", &gc); struct status_output *so = status_open(tmp_file, 0, -1, NULL, STATUS_OUTPUT_WRITE); status_printf(so, "%s", "foo"); status_printf(so, "%s", "bar"); if (!status_close(so)) { msg(M_WARN, "STATUS_PRINTF_TEST: %s: write error", tmp_file); } gc_free(&gc); } return false; #endif #ifdef ARGV_TEST { void argv_test(void); argv_test(); return false; } #endif #ifdef PRNG_TEST { struct gc_arena gc = gc_new(); uint8_t rndbuf[8]; int i; prng_init("sha1", 16); /*prng_init (NULL, 0);*/ const int factor = 1; for (i = 0; i < factor * 8; ++i) { #if 1 prng_bytes(rndbuf, sizeof(rndbuf)); #else ASSERT(rand_bytes(rndbuf, sizeof(rndbuf))); #endif printf("[%d] %s\n", i, format_hex(rndbuf, sizeof(rndbuf), 0, &gc)); } gc_free(&gc); prng_uninit(); return false; } #endif /* ifdef PRNG_TEST */ #ifdef BUFFER_LIST_AGGREGATE_TEST /* test buffer_list_aggregate function */ { static const char *text[] = { "It was a bright cold day in April, ", "and the clocks were striking ", "thirteen. ", "Winston Smith, ", "his chin nuzzled into his breast in an ", "effort to escape the vile wind, ", "slipped quickly through the glass doors ", "of Victory Mansions, though not quickly ", "enough to prevent a swirl of gritty dust from ", "entering along with him." }; int iter, listcap; for (listcap = 0; listcap < 12; ++listcap) { for (iter = 0; iter < 512; ++iter) { struct buffer_list *bl = buffer_list_new(listcap); { int i; for (i = 0; i < SIZE(text); ++i) { buffer_list_push(bl, (unsigned char *)text[i]); } } printf("[cap=%d i=%d] *************************\n", listcap, iter); if (!(iter & 8)) { buffer_list_aggregate(bl, iter/2); } if (!(iter & 16)) { buffer_list_push(bl, (unsigned char *)"Even more text..."); } buffer_list_aggregate(bl, iter); if (!(iter & 1)) { buffer_list_push(bl, (unsigned char *)"More text..."); } { struct buffer *buf; while ((buf = buffer_list_peek(bl))) { int c; printf("'"); while ((c = buf_read_u8(buf)) >= 0) { putchar(c); } printf("'\n"); buffer_list_advance(bl, 0); } } buffer_list_free(bl); } } return false; } #endif /* ifdef BUFFER_LIST_AGGREGATE_TEST */ #ifdef MSTATS_TEST { int i; mstats_open("/dev/shm/mstats.dat"); for (i = 0; i < 30; ++i) { mmap_stats->n_clients += 1; mmap_stats->link_write_bytes += 8; mmap_stats->link_read_bytes += 16; sleep(1); } mstats_close(); return false; } #endif return true; } void uninit_static(void) { #ifdef ENABLE_CRYPTO free_ssl_lib(); #endif #ifdef ENABLE_PKCS11 pkcs11_terminate(); #endif #if PORT_SHARE close_port_share(); #endif #if defined(MEASURE_TLS_HANDSHAKE_STATS) && defined(ENABLE_CRYPTO) show_tls_performance_stats(); #endif } void init_verb_mute(struct context *c, unsigned int flags) { if (flags & IVM_LEVEL_1) { /* set verbosity and mute levels */ set_check_status(D_LINK_ERRORS, D_READ_WRITE); set_debug_level(c->options.verbosity, SDL_CONSTRAIN); set_mute_cutoff(c->options.mute); } /* special D_LOG_RW mode */ if (flags & IVM_LEVEL_2) { c->c2.log_rw = (check_debug_level(D_LOG_RW) && !check_debug_level(D_LOG_RW + 1)); } } /* * Possibly set --dev based on --dev-node. * For example, if --dev-node /tmp/foo/tun, and --dev undefined, * set --dev to tun. */ void init_options_dev(struct options *options) { if (!options->dev && options->dev_node) { char *dev_node = string_alloc(options->dev_node, NULL); /* POSIX basename() implementaions may modify its arguments */ options->dev = basename(dev_node); } } bool print_openssl_info(const struct options *options) { /* * OpenSSL info print mode? */ #ifdef ENABLE_CRYPTO if (options->show_ciphers || options->show_digests || options->show_engines || options->show_tls_ciphers || options->show_curves) { if (options->show_ciphers) { show_available_ciphers(); } if (options->show_digests) { show_available_digests(); } if (options->show_engines) { show_available_engines(); } if (options->show_tls_ciphers) { show_available_tls_ciphers(options->cipher_list); } if (options->show_curves) { show_available_curves(); } return true; } #endif /* ifdef ENABLE_CRYPTO */ return false; } /* * Static pre-shared key generation mode? */ bool do_genkey(const struct options *options) { #ifdef ENABLE_CRYPTO if (options->genkey) { int nbits_written; notnull(options->shared_secret_file, "shared secret output file (--secret)"); if (options->mlock) /* should we disable paging? */ { platform_mlockall(true); } nbits_written = write_key_file(2, options->shared_secret_file); msg(D_GENKEY | M_NOPREFIX, "Randomly generated %d bit key written to %s", nbits_written, options->shared_secret_file); return true; } #endif return false; } /* * Persistent TUN/TAP device management mode? */ bool do_persist_tuntap(const struct options *options) { if (options->persist_config) { /* sanity check on options for --mktun or --rmtun */ notnull(options->dev, "TUN/TAP device (--dev)"); if (options->ce.remote || options->ifconfig_local || options->ifconfig_remote_netmask #ifdef ENABLE_CRYPTO || options->shared_secret_file || options->tls_server || options->tls_client #endif ) { msg(M_FATAL|M_OPTERR, "options --mktun or --rmtun should only be used together with --dev"); } #ifdef ENABLE_FEATURE_TUN_PERSIST tuncfg(options->dev, options->dev_type, options->dev_node, options->persist_mode, options->username, options->groupname, &options->tuntap_options); if (options->persist_mode && options->lladdr) { set_lladdr(options->dev, options->lladdr, NULL); } return true; #else /* ifdef ENABLE_FEATURE_TUN_PERSIST */ msg( M_FATAL|M_OPTERR, "options --mktun and --rmtun are not available on your operating " "system. Please check 'man tun' (or 'tap'), whether your system " "supports using 'ifconfig %s create' / 'destroy' to create/remove " "persistant tunnel interfaces.", options->dev ); #endif } return false; } /* * Should we become a daemon? * Return true if we did it. */ bool possibly_become_daemon(const struct options *options) { bool ret = false; #ifdef ENABLE_SYSTEMD /* return without forking if we are running from systemd */ if (sd_notify(0, "READY=0") > 0) { return ret; } #endif if (options->daemon) { ASSERT(!options->inetd); /* Don't chdir immediately, but the end of the init sequence, if needed */ if (daemon(1, options->log) < 0) { msg(M_ERR, "daemon() failed or unsupported"); } restore_signal_state(); if (options->log) { set_std_files_to_null(true); } ret = true; } return ret; } /* * Actually do UID/GID downgrade, chroot and SELinux context switching, if requested. */ static void do_uid_gid_chroot(struct context *c, bool no_delay) { static const char why_not[] = "will be delayed because of --client, --pull, or --up-delay"; struct context_0 *c0 = c->c0; if (c0 && !c0->uid_gid_chroot_set) { /* chroot if requested */ if (c->options.chroot_dir) { if (no_delay) { platform_chroot(c->options.chroot_dir); } else if (c->first_time) { msg(M_INFO, "NOTE: chroot %s", why_not); } } /* set user and/or group if we want to setuid/setgid */ if (c0->uid_gid_specified) { if (no_delay) { platform_group_set(&c0->platform_state_group); platform_user_set(&c0->platform_state_user); } else if (c->first_time) { msg(M_INFO, "NOTE: UID/GID downgrade %s", why_not); } } #ifdef ENABLE_MEMSTATS if (c->first_time && c->options.memstats_fn) { mstats_open(c->options.memstats_fn); } #endif #ifdef ENABLE_SELINUX /* Apply a SELinux context in order to restrict what OpenVPN can do * to _only_ what it is supposed to do after initialization is complete * (basically just network I/O operations). Doing it after chroot * requires /proc to be mounted in the chroot (which is annoying indeed * but doing it before requires more complex SELinux policies. */ if (c->options.selinux_context) { if (no_delay) { if (-1 == setcon(c->options.selinux_context)) { msg(M_ERR, "setcon to '%s' failed; is /proc accessible?", c->options.selinux_context); } else { msg(M_INFO, "setcon to '%s' succeeded", c->options.selinux_context); } } else if (c->first_time) { msg(M_INFO, "NOTE: setcon %s", why_not); } } #endif /* Privileges are going to be dropped by now (if requested), be sure * to prevent any future privilege dropping attempts from now on. */ if (no_delay) { c0->uid_gid_chroot_set = true; } } } /* * Return common name in a way that is formatted for * prepending to msg() output. */ const char * format_common_name(struct context *c, struct gc_arena *gc) { struct buffer out = alloc_buf_gc(256, gc); #ifdef ENABLE_CRYPTO if (c->c2.tls_multi) { buf_printf(&out, "[%s] ", tls_common_name(c->c2.tls_multi, false)); } #endif return BSTR(&out); } void pre_setup(const struct options *options) { #ifdef _WIN32 if (options->exit_event_name) { win32_signal_open(&win32_signal, WSO_FORCE_SERVICE, options->exit_event_name, options->exit_event_initial_state); } else { win32_signal_open(&win32_signal, WSO_FORCE_CONSOLE, NULL, false); /* put a title on the top window bar */ if (win32_signal.mode == WSO_MODE_CONSOLE) { window_title_save(&window_title); window_title_generate(options->config); } } #endif /* ifdef _WIN32 */ } void reset_coarse_timers(struct context *c) { c->c2.coarse_timer_wakeup = 0; } /* * Initialise the server poll timeout timer * This timer is used in the http/socks proxy setup so it needs to be setup * before */ static void do_init_server_poll_timeout(struct context *c) { update_time(); if (c->options.ce.connect_timeout) { event_timeout_init(&c->c2.server_poll_interval, c->options.ce.connect_timeout, now); } } /* * Initialize timers */ static void do_init_timers(struct context *c, bool deferred) { update_time(); reset_coarse_timers(c); /* initialize inactivity timeout */ if (c->options.inactivity_timeout) { event_timeout_init(&c->c2.inactivity_interval, c->options.inactivity_timeout, now); } /* initialize pings */ if (c->options.ping_send_timeout) { event_timeout_init(&c->c2.ping_send_interval, c->options.ping_send_timeout, 0); } if (c->options.ping_rec_timeout) { event_timeout_init(&c->c2.ping_rec_interval, c->options.ping_rec_timeout, now); } if (!deferred) { /* initialize connection establishment timer */ event_timeout_init(&c->c2.wait_for_connect, 1, now); #ifdef ENABLE_OCC /* initialize occ timers */ if (c->options.occ && !TLS_MODE(c) && c->c2.options_string_local && c->c2.options_string_remote) { event_timeout_init(&c->c2.occ_interval, OCC_INTERVAL_SECONDS, now); } if (c->options.mtu_test) { event_timeout_init(&c->c2.occ_mtu_load_test_interval, OCC_MTU_LOAD_INTERVAL_SECONDS, now); } #endif /* initialize packet_id persistence timer */ #ifdef ENABLE_CRYPTO if (c->options.packet_id_file) { event_timeout_init(&c->c2.packet_id_persist_interval, 60, now); } /* initialize tmp_int optimization that limits the number of times we call * tls_multi_process in the main event loop */ interval_init(&c->c2.tmp_int, TLS_MULTI_HORIZON, TLS_MULTI_REFRESH); #endif } } /* * Initialize traffic shaper. */ static void do_init_traffic_shaper(struct context *c) { #ifdef ENABLE_FEATURE_SHAPER /* initialize traffic shaper (i.e. transmit bandwidth limiter) */ if (c->options.shaper) { shaper_init(&c->c2.shaper, c->options.shaper); shaper_msg(&c->c2.shaper); } #endif } /* * Allocate route list structures for IPv4 and IPv6 * (we do this for IPv4 even if no --route option has been seen, as other * parts of OpenVPN might want to fill the route-list with info, e.g. DHCP) */ static void do_alloc_route_list(struct context *c) { if (!c->c1.route_list) { ALLOC_OBJ_CLEAR_GC(c->c1.route_list, struct route_list, &c->gc); } if (c->options.routes_ipv6 && !c->c1.route_ipv6_list) { ALLOC_OBJ_CLEAR_GC(c->c1.route_ipv6_list, struct route_ipv6_list, &c->gc); } } /* * Initialize the route list, resolving any DNS names in route * options and saving routes in the environment. */ static void do_init_route_list(const struct options *options, struct route_list *route_list, const struct link_socket_info *link_socket_info, struct env_set *es) { const char *gw = NULL; int dev = dev_type_enum(options->dev, options->dev_type); int metric = 0; if (dev == DEV_TYPE_TUN && (options->topology == TOP_NET30 || options->topology == TOP_P2P)) { gw = options->ifconfig_remote_netmask; } if (options->route_default_gateway) { gw = options->route_default_gateway; } if (options->route_default_metric) { metric = options->route_default_metric; } if (init_route_list(route_list, options->routes, gw, metric, link_socket_current_remote(link_socket_info), es)) { /* copy routes to environment */ setenv_routes(es, route_list); } } static void do_init_route_ipv6_list(const struct options *options, struct route_ipv6_list *route_ipv6_list, const struct link_socket_info *link_socket_info, struct env_set *es) { const char *gw = NULL; int metric = -1; /* no metric set */ gw = options->ifconfig_ipv6_remote; /* default GW = remote end */ #if 0 /* not yet done for IPv6 - TODO!*/ if (options->route_ipv6_default_gateway) /* override? */ { gw = options->route_ipv6_default_gateway; } #endif if (options->route_default_metric) { metric = options->route_default_metric; } /* redirect (IPv6) gateway to VPN? if yes, add a few more specifics */ if (options->routes_ipv6->flags & RG_REROUTE_GW) { char *opt_list[] = { "::/3", "2000::/4", "3000::/4", "fc00::/7", NULL }; int i; for (i = 0; opt_list[i]; i++) { add_route_ipv6_to_option_list( options->routes_ipv6, string_alloc(opt_list[i], options->routes_ipv6->gc), NULL, NULL ); } } if (init_route_ipv6_list(route_ipv6_list, options->routes_ipv6, gw, metric, link_socket_current_remote_ipv6(link_socket_info), es)) { /* copy routes to environment */ setenv_routes_ipv6(es, route_ipv6_list); } } /* * Called after all initialization has been completed. */ void initialization_sequence_completed(struct context *c, const unsigned int flags) { static const char message[] = "Initialization Sequence Completed"; /* Reset the unsuccessful connection counter on complete initialisation */ c->options.unsuccessful_attempts = 0; /* If we delayed UID/GID downgrade or chroot, do it now */ do_uid_gid_chroot(c, true); #ifdef ENABLE_CRYPTO /* * In some cases (i.e. when receiving auth-token via * push-reply) the auth-nocache option configured on the * client is overridden; for this reason we have to wait * for the push-reply message before attempting to wipe * the user/pass entered by the user */ if (c->options.mode == MODE_POINT_TO_POINT) { delayed_auth_pass_purge(); } #endif /* ENABLE_CRYPTO */ /* Test if errors */ if (flags & ISC_ERRORS) { #ifdef _WIN32 show_routes(M_INFO|M_NOPREFIX); show_adapters(M_INFO|M_NOPREFIX); msg(M_INFO, "%s With Errors ( see http://openvpn.net/faq.html#dhcpclientserv )", message); #else #ifdef ENABLE_SYSTEMD sd_notifyf(0, "STATUS=Failed to start up: %s With Errors\nERRNO=1", message); #endif /* HAVE_SYSTEMD_SD_DAEMON_H */ msg(M_INFO, "%s With Errors", message); #endif } else { #ifdef ENABLE_SYSTEMD sd_notifyf(0, "STATUS=%s", message); #endif msg(M_INFO, "%s", message); } /* Flag that we initialized */ if ((flags & (ISC_ERRORS|ISC_SERVER)) == 0) { c->options.no_advance = true; } #ifdef _WIN32 fork_register_dns_action(c->c1.tuntap); #endif #ifdef ENABLE_MANAGEMENT /* Tell management interface that we initialized */ if (management) { in_addr_t *tun_local = NULL; struct in6_addr *tun_local6 = NULL; struct openvpn_sockaddr local, remote; struct link_socket_actual *actual; socklen_t sa_len = sizeof(local); const char *detail = "SUCCESS"; if (flags & ISC_ERRORS) { detail = "ERROR"; } CLEAR(local); actual = &get_link_socket_info(c)->lsa->actual; remote = actual->dest; getsockname(c->c2.link_socket->sd, &local.addr.sa, &sa_len); #if ENABLE_IP_PKTINFO if (!addr_defined(&local)) { switch (local.addr.sa.sa_family) { case AF_INET: #if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST) local.addr.in4.sin_addr = actual->pi.in4.ipi_spec_dst; #else local.addr.in4.sin_addr = actual->pi.in4; #endif break; case AF_INET6: local.addr.in6.sin6_addr = actual->pi.in6.ipi6_addr; break; } } #endif if (c->c1.tuntap) { tun_local = &c->c1.tuntap->local; tun_local6 = &c->c1.tuntap->local_ipv6; } management_set_state(management, OPENVPN_STATE_CONNECTED, detail, tun_local, tun_local6, &local, &remote); if (tun_local) { management_post_tunnel_open(management, *tun_local); } } #endif /* ifdef ENABLE_MANAGEMENT */ } /* * Possibly add routes and/or call route-up script * based on options. */ void do_route(const struct options *options, struct route_list *route_list, struct route_ipv6_list *route_ipv6_list, const struct tuntap *tt, const struct plugin_list *plugins, struct env_set *es) { if (!options->route_noexec && ( route_list || route_ipv6_list ) ) { add_routes(route_list, route_ipv6_list, tt, ROUTE_OPTION_FLAGS(options), es); setenv_int(es, "redirect_gateway", route_did_redirect_default_gateway(route_list)); } #ifdef ENABLE_MANAGEMENT if (management) { management_up_down(management, "UP", es); } #endif if (plugin_defined(plugins, OPENVPN_PLUGIN_ROUTE_UP)) { if (plugin_call(plugins, OPENVPN_PLUGIN_ROUTE_UP, NULL, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS) { msg(M_WARN, "WARNING: route-up plugin call failed"); } } if (options->route_script) { struct argv argv = argv_new(); setenv_str(es, "script_type", "route-up"); argv_parse_cmd(&argv, options->route_script); openvpn_run_script(&argv, es, 0, "--route-up"); argv_reset(&argv); } #ifdef _WIN32 if (options->show_net_up) { show_routes(M_INFO|M_NOPREFIX); show_adapters(M_INFO|M_NOPREFIX); } else if (check_debug_level(D_SHOW_NET)) { show_routes(D_SHOW_NET|M_NOPREFIX); show_adapters(D_SHOW_NET|M_NOPREFIX); } #endif } /* * initialize tun/tap device object */ static void do_init_tun(struct context *c) { c->c1.tuntap = init_tun(c->options.dev, c->options.dev_type, c->options.topology, c->options.ifconfig_local, c->options.ifconfig_remote_netmask, c->options.ifconfig_ipv6_local, c->options.ifconfig_ipv6_netbits, c->options.ifconfig_ipv6_remote, c->c1.link_socket_addr.bind_local, c->c1.link_socket_addr.remote_list, !c->options.ifconfig_nowarn, c->c2.es); init_tun_post(c->c1.tuntap, &c->c2.frame, &c->options.tuntap_options); c->c1.tuntap_owned = true; } /* * Open tun/tap device, ifconfig, call up script, etc. */ static bool do_open_tun(struct context *c) { struct gc_arena gc = gc_new(); bool ret = false; #ifndef TARGET_ANDROID if (!c->c1.tuntap) { #endif #ifdef TARGET_ANDROID /* If we emulate persist-tun on android we still have to open a new tun and * then close the old */ int oldtunfd = -1; if (c->c1.tuntap) { oldtunfd = c->c1.tuntap->fd; } #endif /* initialize (but do not open) tun/tap object */ do_init_tun(c); #ifdef _WIN32 /* store (hide) interactive service handle in tuntap_options */ c->c1.tuntap->options.msg_channel = c->options.msg_channel; msg(D_ROUTE, "interactive service msg_channel=%u", (unsigned int) c->options.msg_channel); #endif /* allocate route list structure */ do_alloc_route_list(c); /* parse and resolve the route option list */ ASSERT(c->c2.link_socket); if (c->options.routes && c->c1.route_list) { do_init_route_list(&c->options, c->c1.route_list, &c->c2.link_socket->info, c->c2.es); } if (c->options.routes_ipv6 && c->c1.route_ipv6_list) { do_init_route_ipv6_list(&c->options, c->c1.route_ipv6_list, &c->c2.link_socket->info, c->c2.es); } /* do ifconfig */ if (!c->options.ifconfig_noexec && ifconfig_order() == IFCONFIG_BEFORE_TUN_OPEN) { /* guess actual tun/tap unit number that will be returned * by open_tun */ const char *guess = guess_tuntap_dev(c->options.dev, c->options.dev_type, c->options.dev_node, &gc); do_ifconfig(c->c1.tuntap, guess, TUN_MTU_SIZE(&c->c2.frame), c->c2.es); } /* possibly add routes */ if (route_order() == ROUTE_BEFORE_TUN) { /* Ignore route_delay, would cause ROUTE_BEFORE_TUN to be ignored */ do_route(&c->options, c->c1.route_list, c->c1.route_ipv6_list, c->c1.tuntap, c->plugins, c->c2.es); } #ifdef TARGET_ANDROID /* Store the old fd inside the fd so open_tun can use it */ c->c1.tuntap->fd = oldtunfd; #endif /* open the tun device */ open_tun(c->options.dev, c->options.dev_type, c->options.dev_node, c->c1.tuntap); /* set the hardware address */ if (c->options.lladdr) { set_lladdr(c->c1.tuntap->actual_name, c->options.lladdr, c->c2.es); } /* do ifconfig */ if (!c->options.ifconfig_noexec && ifconfig_order() == IFCONFIG_AFTER_TUN_OPEN) { do_ifconfig(c->c1.tuntap, c->c1.tuntap->actual_name, TUN_MTU_SIZE(&c->c2.frame), c->c2.es); } /* run the up script */ run_up_down(c->options.up_script, c->plugins, OPENVPN_PLUGIN_UP, c->c1.tuntap->actual_name, #ifdef _WIN32 c->c1.tuntap->adapter_index, #endif dev_type_string(c->options.dev, c->options.dev_type), TUN_MTU_SIZE(&c->c2.frame), EXPANDED_SIZE(&c->c2.frame), print_in_addr_t(c->c1.tuntap->local, IA_EMPTY_IF_UNDEF, &gc), print_in_addr_t(c->c1.tuntap->remote_netmask, IA_EMPTY_IF_UNDEF, &gc), "init", NULL, "up", c->c2.es); #if defined(_WIN32) if (c->options.block_outside_dns) { dmsg(D_LOW, "Blocking outside DNS"); if (!win_wfp_block_dns(c->c1.tuntap->adapter_index, c->options.msg_channel)) { msg(M_FATAL, "Blocking DNS failed!"); } } #endif /* possibly add routes */ if ((route_order() == ROUTE_AFTER_TUN) && (!c->options.route_delay_defined)) { do_route(&c->options, c->c1.route_list, c->c1.route_ipv6_list, c->c1.tuntap, c->plugins, c->c2.es); } /* * Did tun/tap driver give us an MTU? */ if (c->c1.tuntap->post_open_mtu) { frame_set_mtu_dynamic(&c->c2.frame, c->c1.tuntap->post_open_mtu, SET_MTU_TUN | SET_MTU_UPPER_BOUND); } ret = true; static_context = c; #ifndef TARGET_ANDROID } else { msg(M_INFO, "Preserving previous TUN/TAP instance: %s", c->c1.tuntap->actual_name); /* explicitly set the ifconfig_* env vars */ do_ifconfig_setenv(c->c1.tuntap, c->c2.es); /* run the up script if user specified --up-restart */ if (c->options.up_restart) { run_up_down(c->options.up_script, c->plugins, OPENVPN_PLUGIN_UP, c->c1.tuntap->actual_name, #ifdef _WIN32 c->c1.tuntap->adapter_index, #endif dev_type_string(c->options.dev, c->options.dev_type), TUN_MTU_SIZE(&c->c2.frame), EXPANDED_SIZE(&c->c2.frame), print_in_addr_t(c->c1.tuntap->local, IA_EMPTY_IF_UNDEF, &gc), print_in_addr_t(c->c1.tuntap->remote_netmask, IA_EMPTY_IF_UNDEF, &gc), "restart", NULL, "up", c->c2.es); } #if defined(_WIN32) if (c->options.block_outside_dns) { dmsg(D_LOW, "Blocking outside DNS"); if (!win_wfp_block_dns(c->c1.tuntap->adapter_index, c->options.msg_channel)) { msg(M_FATAL, "Blocking DNS failed!"); } } #endif } #endif /* ifndef TARGET_ANDROID */ gc_free(&gc); return ret; } /* * Close TUN/TAP device */ static void do_close_tun_simple(struct context *c) { msg(D_CLOSE, "Closing TUN/TAP interface"); close_tun(c->c1.tuntap); c->c1.tuntap = NULL; c->c1.tuntap_owned = false; #if P2MP CLEAR(c->c1.pulled_options_digest_save); #endif } static void do_close_tun(struct context *c, bool force) { struct gc_arena gc = gc_new(); if (c->c1.tuntap && c->c1.tuntap_owned) { const char *tuntap_actual = string_alloc(c->c1.tuntap->actual_name, &gc); #ifdef _WIN32 DWORD adapter_index = c->c1.tuntap->adapter_index; #endif const in_addr_t local = c->c1.tuntap->local; const in_addr_t remote_netmask = c->c1.tuntap->remote_netmask; if (force || !(c->sig->signal_received == SIGUSR1 && c->options.persist_tun)) { static_context = NULL; #ifdef ENABLE_MANAGEMENT /* tell management layer we are about to close the TUN/TAP device */ if (management) { management_pre_tunnel_close(management); management_up_down(management, "DOWN", c->c2.es); } #endif /* delete any routes we added */ if (c->c1.route_list || c->c1.route_ipv6_list) { run_up_down(c->options.route_predown_script, c->plugins, OPENVPN_PLUGIN_ROUTE_PREDOWN, tuntap_actual, #ifdef _WIN32 adapter_index, #endif NULL, TUN_MTU_SIZE(&c->c2.frame), EXPANDED_SIZE(&c->c2.frame), print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc), print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc), "init", signal_description(c->sig->signal_received, c->sig->signal_text), "route-pre-down", c->c2.es); delete_routes(c->c1.route_list, c->c1.route_ipv6_list, c->c1.tuntap, ROUTE_OPTION_FLAGS(&c->options), c->c2.es); } /* actually close tun/tap device based on --down-pre flag */ if (!c->options.down_pre) { do_close_tun_simple(c); } /* Run the down script -- note that it will run at reduced * privilege if, for example, "--user nobody" was used. */ run_up_down(c->options.down_script, c->plugins, OPENVPN_PLUGIN_DOWN, tuntap_actual, #ifdef _WIN32 adapter_index, #endif NULL, TUN_MTU_SIZE(&c->c2.frame), EXPANDED_SIZE(&c->c2.frame), print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc), print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc), "init", signal_description(c->sig->signal_received, c->sig->signal_text), "down", c->c2.es); #if defined(_WIN32) if (c->options.block_outside_dns) { if (!win_wfp_uninit(adapter_index, c->options.msg_channel)) { msg(M_FATAL, "Uninitialising WFP failed!"); } } #endif /* actually close tun/tap device based on --down-pre flag */ if (c->options.down_pre) { do_close_tun_simple(c); } } else { /* run the down script on this restart if --up-restart was specified */ if (c->options.up_restart) { run_up_down(c->options.down_script, c->plugins, OPENVPN_PLUGIN_DOWN, tuntap_actual, #ifdef _WIN32 adapter_index, #endif NULL, TUN_MTU_SIZE(&c->c2.frame), EXPANDED_SIZE(&c->c2.frame), print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc), print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc), "restart", signal_description(c->sig->signal_received, c->sig->signal_text), "down", c->c2.es); } #if defined(_WIN32) if (c->options.block_outside_dns) { if (!win_wfp_uninit(adapter_index, c->options.msg_channel)) { msg(M_FATAL, "Uninitialising WFP failed!"); } } #endif } } gc_free(&gc); } void tun_abort(void) { struct context *c = static_context; if (c) { static_context = NULL; do_close_tun(c, true); } } /* * Handle delayed tun/tap interface bringup due to --up-delay or --pull */ #if P2MP /** * Helper for do_up(). Take two option hashes and return true if they are not * equal, or either one is all-zeroes. */ static bool options_hash_changed_or_zero(const struct sha256_digest *a, const struct sha256_digest *b) { const struct sha256_digest zero = {{0}}; return memcmp(a, b, sizeof(struct sha256_digest)) || !memcmp(a, &zero, sizeof(struct sha256_digest)); } #endif /* P2MP */ bool do_up(struct context *c, bool pulled_options, unsigned int option_types_found) { if (!c->c2.do_up_ran) { reset_coarse_timers(c); if (pulled_options) { if (!do_deferred_options(c, option_types_found)) { msg(D_PUSH_ERRORS, "ERROR: Failed to apply push options"); return false; } } /* if --up-delay specified, open tun, do ifconfig, and run up script now */ if (c->options.up_delay || PULL_DEFINED(&c->options)) { c->c2.did_open_tun = do_open_tun(c); update_time(); #if P2MP /* * Was tun interface object persisted from previous restart iteration, * and if so did pulled options string change from previous iteration? */ if (!c->c2.did_open_tun && PULL_DEFINED(&c->options) && c->c1.tuntap && options_hash_changed_or_zero(&c->c1.pulled_options_digest_save, &c->c2.pulled_options_digest)) { /* if so, close tun, delete routes, then reinitialize tun and add routes */ msg(M_INFO, "NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device."); do_close_tun(c, true); management_sleep(1); c->c2.did_open_tun = do_open_tun(c); update_time(); } #endif } if (c->c2.did_open_tun) { #if P2MP c->c1.pulled_options_digest_save = c->c2.pulled_options_digest; #endif /* if --route-delay was specified, start timer */ if ((route_order() == ROUTE_AFTER_TUN) && c->options.route_delay_defined) { event_timeout_init(&c->c2.route_wakeup, c->options.route_delay, now); event_timeout_init(&c->c2.route_wakeup_expire, c->options.route_delay + c->options.route_delay_window, now); if (c->c1.tuntap) { tun_standby_init(c->c1.tuntap); } } else { initialization_sequence_completed(c, 0); /* client/p2p --route-delay undefined */ } } else if (c->options.mode == MODE_POINT_TO_POINT) { initialization_sequence_completed(c, 0); /* client/p2p restart with --persist-tun */ } c->c2.do_up_ran = true; } return true; } /* * These are the option categories which will be accepted by pull. */ unsigned int pull_permission_mask(const struct context *c) { unsigned int flags = OPT_P_UP | OPT_P_ROUTE_EXTRAS | OPT_P_SOCKBUF | OPT_P_SOCKFLAGS | OPT_P_SETENV | OPT_P_SHAPER | OPT_P_TIMER | OPT_P_COMP | OPT_P_PERSIST | OPT_P_MESSAGES | OPT_P_EXPLICIT_NOTIFY | OPT_P_ECHO | OPT_P_PULL_MODE | OPT_P_PEER_ID; if (!c->options.route_nopull) { flags |= (OPT_P_ROUTE | OPT_P_IPWIN32); } #ifdef ENABLE_CRYPTO if (c->options.ncp_enabled) { flags |= OPT_P_NCP; } #endif return flags; } /* * Handle non-tun-related pulled options. */ bool do_deferred_options(struct context *c, const unsigned int found) { if (found & OPT_P_MESSAGES) { init_verb_mute(c, IVM_LEVEL_1|IVM_LEVEL_2); msg(D_PUSH, "OPTIONS IMPORT: --verb and/or --mute level changed"); } if (found & OPT_P_TIMER) { do_init_timers(c, true); msg(D_PUSH, "OPTIONS IMPORT: timers and/or timeouts modified"); } #ifdef ENABLE_OCC if (found & OPT_P_EXPLICIT_NOTIFY) { if (!proto_is_udp(c->options.ce.proto) && c->options.ce.explicit_exit_notification) { msg(D_PUSH, "OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp"); c->options.ce.explicit_exit_notification = 0; } else { msg(D_PUSH, "OPTIONS IMPORT: explicit notify parm(s) modified"); } } #endif #ifdef USE_COMP if (found & OPT_P_COMP) { msg(D_PUSH, "OPTIONS IMPORT: compression parms modified"); comp_uninit(c->c2.comp_context); c->c2.comp_context = comp_init(&c->options.comp); } #endif if (found & OPT_P_SHAPER) { msg(D_PUSH, "OPTIONS IMPORT: traffic shaper enabled"); do_init_traffic_shaper(c); } if (found & OPT_P_SOCKBUF) { msg(D_PUSH, "OPTIONS IMPORT: --sndbuf/--rcvbuf options modified"); link_socket_update_buffer_sizes(c->c2.link_socket, c->options.rcvbuf, c->options.sndbuf); } if (found & OPT_P_SOCKFLAGS) { msg(D_PUSH, "OPTIONS IMPORT: --socket-flags option modified"); link_socket_update_flags(c->c2.link_socket, c->options.sockflags); } if (found & OPT_P_PERSIST) { msg(D_PUSH, "OPTIONS IMPORT: --persist options modified"); } if (found & OPT_P_UP) { msg(D_PUSH, "OPTIONS IMPORT: --ifconfig/up options modified"); } if (found & OPT_P_ROUTE) { msg(D_PUSH, "OPTIONS IMPORT: route options modified"); } if (found & OPT_P_ROUTE_EXTRAS) { msg(D_PUSH, "OPTIONS IMPORT: route-related options modified"); } if (found & OPT_P_IPWIN32) { msg(D_PUSH, "OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified"); } if (found & OPT_P_SETENV) { msg(D_PUSH, "OPTIONS IMPORT: environment modified"); } #ifdef ENABLE_CRYPTO if (found & OPT_P_PEER_ID) { msg(D_PUSH, "OPTIONS IMPORT: peer-id set"); c->c2.tls_multi->use_peer_id = true; c->c2.tls_multi->peer_id = c->options.peer_id; frame_add_to_extra_frame(&c->c2.frame, +3); /* peer-id overhead */ if (!c->options.ce.link_mtu_defined) { frame_add_to_link_mtu(&c->c2.frame, +3); msg(D_PUSH, "OPTIONS IMPORT: adjusting link_mtu to %d", EXPANDED_SIZE(&c->c2.frame)); } else { msg(M_WARN, "OPTIONS IMPORT: WARNING: peer-id set, but link-mtu" " fixed by config - reducing tun-mtu to %d, expect" " MTU problems", TUN_MTU_SIZE(&c->c2.frame) ); } } /* process (potentially pushed) crypto options */ if (c->options.pull) { struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE]; if (found & OPT_P_NCP) { msg(D_PUSH, "OPTIONS IMPORT: data channel crypto options modified"); } else if (c->options.ncp_enabled) { tls_poor_mans_ncp(&c->options, c->c2.tls_multi->remote_ciphername); } /* Do not regenerate keys if server sends an extra push reply */ if (!session->key[KS_PRIMARY].crypto_options.key_ctx_bi.initialized && !tls_session_update_crypto_params(session, &c->options, &c->c2.frame)) { msg(D_TLS_ERRORS, "OPTIONS ERROR: failed to import crypto options"); return false; } } #endif /* ifdef ENABLE_CRYPTO */ return true; } /* * Possible hold on initialization, holdtime is the * time OpenVPN would wait without management */ static bool do_hold(int holdtime) { #ifdef ENABLE_MANAGEMENT if (management) { /* block until management hold is released */ if (management_hold(management, holdtime)) { return true; } } #endif return false; } /* * Sleep before restart. */ static void socket_restart_pause(struct context *c) { int sec = 2; int backoff = 0; switch (c->options.ce.proto) { case PROTO_TCP_SERVER: sec = 1; break; case PROTO_UDP: case PROTO_TCP_CLIENT: sec = c->options.ce.connect_retry_seconds; break; } #ifdef ENABLE_DEBUG if (GREMLIN_CONNECTION_FLOOD_LEVEL(c->options.gremlin)) { sec = 0; } #endif #if P2MP if (auth_retry_get() == AR_NOINTERACT) { sec = 10; } #endif /* Slow down reconnection after 5 retries per remote -- for tcp only in client mode */ if (c->options.ce.proto != PROTO_TCP_SERVER) { backoff = (c->options.unsuccessful_attempts / c->options.connection_list->len) - 4; if (backoff > 0) { /* sec is less than 2^16; we can left shift it by up to 15 bits without overflow */ sec = max_int(sec, 1) << min_int(backoff, 15); } if (sec > c->options.ce.connect_retry_seconds_max) { sec = c->options.ce.connect_retry_seconds_max; } } if (c->persist.restart_sleep_seconds > 0 && c->persist.restart_sleep_seconds > sec) { sec = c->persist.restart_sleep_seconds; } else if (c->persist.restart_sleep_seconds == -1) { sec = 0; } c->persist.restart_sleep_seconds = 0; /* do managment hold on context restart, i.e. second, third, fourth, etc. initialization */ if (do_hold(sec)) { sec = 0; } if (sec) { msg(D_RESTART, "Restart pause, %d second(s)", sec); management_sleep(sec); } } /* * Do a possible pause on context_2 initialization. */ static void do_startup_pause(struct context *c) { if (!c->first_time) { socket_restart_pause(c); } else { do_hold(0); /* do management hold on first context initialization */ } } /* * Finalize MTU parameters based on command line or config file options. */ static void frame_finalize_options(struct context *c, const struct options *o) { if (!o) { o = &c->options; } /* * Set adjustment factor for buffer alignment when no * cipher is used. */ if (!CIPHER_ENABLED(c)) { frame_align_to_extra_frame(&c->c2.frame); frame_or_align_flags(&c->c2.frame, FRAME_HEADROOM_MARKER_FRAGMENT |FRAME_HEADROOM_MARKER_READ_LINK |FRAME_HEADROOM_MARKER_READ_STREAM); } frame_add_to_extra_buffer(&c->c2.frame, PAYLOAD_ALIGN); frame_finalize(&c->c2.frame, o->ce.link_mtu_defined, o->ce.link_mtu, o->ce.tun_mtu_defined, o->ce.tun_mtu); } /* * Free a key schedule, including OpenSSL components. */ static void key_schedule_free(struct key_schedule *ks, bool free_ssl_ctx) { #ifdef ENABLE_CRYPTO free_key_ctx_bi(&ks->static_key); if (tls_ctx_initialised(&ks->ssl_ctx) && free_ssl_ctx) { tls_ctx_free(&ks->ssl_ctx); free_key_ctx_bi(&ks->tls_wrap_key); } #endif /* ENABLE_CRYPTO */ CLEAR(*ks); } #ifdef ENABLE_CRYPTO static void init_crypto_pre(struct context *c, const unsigned int flags) { if (c->options.engine) { crypto_init_lib_engine(c->options.engine); } if (flags & CF_LOAD_PERSISTED_PACKET_ID) { /* load a persisted packet-id for cross-session replay-protection */ if (c->options.packet_id_file) { packet_id_persist_load(&c->c1.pid_persist, c->options.packet_id_file); } } #ifdef ENABLE_PREDICTION_RESISTANCE if (c->options.use_prediction_resistance) { rand_ctx_enable_prediction_resistance(); } #endif } /* * Static Key Mode (using a pre-shared key) */ static void do_init_crypto_static(struct context *c, const unsigned int flags) { const struct options *options = &c->options; ASSERT(options->shared_secret_file); init_crypto_pre(c, flags); /* Initialize flags */ if (c->options.use_iv) { c->c2.crypto_options.flags |= CO_USE_IV; } if (c->options.mute_replay_warnings) { c->c2.crypto_options.flags |= CO_MUTE_REPLAY_WARNINGS; } /* Initialize packet ID tracking */ if (options->replay) { packet_id_init(&c->c2.crypto_options.packet_id, options->replay_window, options->replay_time, "STATIC", 0); c->c2.crypto_options.pid_persist = &c->c1.pid_persist; c->c2.crypto_options.flags |= CO_PACKET_ID_LONG_FORM; packet_id_persist_load_obj(&c->c1.pid_persist, &c->c2.crypto_options.packet_id); } if (!key_ctx_bi_defined(&c->c1.ks.static_key)) { /* Get cipher & hash algorithms */ init_key_type(&c->c1.ks.key_type, options->ciphername, options->authname, options->keysize, options->test_crypto, true); /* Read cipher and hmac keys from shared secret file */ crypto_read_openvpn_key(&c->c1.ks.key_type, &c->c1.ks.static_key, options->shared_secret_file, options->shared_secret_file_inline, options->key_direction, "Static Key Encryption", "secret"); } else { msg(M_INFO, "Re-using pre-shared static key"); } /* Get key schedule */ c->c2.crypto_options.key_ctx_bi = c->c1.ks.static_key; /* Compute MTU parameters */ crypto_adjust_frame_parameters(&c->c2.frame, &c->c1.ks.key_type, options->use_iv, options->replay, true); /* Sanity check on IV, sequence number, and cipher mode options */ check_replay_iv_consistency(&c->c1.ks.key_type, options->replay, options->use_iv); } /* * Initialize the persistent component of OpenVPN's TLS mode, * which is preserved across SIGUSR1 resets. */ static void do_init_crypto_tls_c1(struct context *c) { const struct options *options = &c->options; if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx)) { /* * Initialize the OpenSSL library's global * SSL context. */ init_ssl(options, &(c->c1.ks.ssl_ctx)); if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx)) { #if P2MP switch (auth_retry_get()) { case AR_NONE: msg(M_FATAL, "Error: private key password verification failed"); break; case AR_INTERACT: ssl_purge_auth(false); case AR_NOINTERACT: c->sig->signal_received = SIGUSR1; /* SOFT-SIGUSR1 -- Password failure error */ break; default: ASSERT(0); } c->sig->signal_text = "private-key-password-failure"; return; #else /* if P2MP */ msg(M_FATAL, "Error: private key password verification failed"); #endif } /* Get cipher & hash algorithms */ init_key_type(&c->c1.ks.key_type, options->ciphername, options->authname, options->keysize, true, true); /* Initialize PRNG with config-specified digest */ prng_init(options->prng_hash, options->prng_nonce_secret_len); /* TLS handshake authentication (--tls-auth) */ if (options->tls_auth_file) { /* Initialize key_type for tls-auth with auth only */ CLEAR(c->c1.ks.tls_auth_key_type); if (!streq(options->authname, "none")) { c->c1.ks.tls_auth_key_type.digest = md_kt_get(options->authname); c->c1.ks.tls_auth_key_type.hmac_length = md_kt_size(c->c1.ks.tls_auth_key_type.digest); } else { msg(M_FATAL, "ERROR: tls-auth enabled, but no valid --auth " "algorithm specified ('%s')", options->authname); } crypto_read_openvpn_key(&c->c1.ks.tls_auth_key_type, &c->c1.ks.tls_wrap_key, options->tls_auth_file, options->tls_auth_file_inline, options->key_direction, "Control Channel Authentication", "tls-auth"); } /* TLS handshake encryption+authentication (--tls-crypt) */ if (options->tls_crypt_file) { tls_crypt_init_key(&c->c1.ks.tls_wrap_key, options->tls_crypt_file, options->tls_crypt_inline, options->tls_server); } c->c1.ciphername = options->ciphername; c->c1.authname = options->authname; c->c1.keysize = options->keysize; #if 0 /* was: #if ENABLE_INLINE_FILES -- Note that enabling this code will break restarts */ if (options->priv_key_file_inline) { string_clear(c->options.priv_key_file_inline); c->options.priv_key_file_inline = NULL; } #endif } else { msg(D_INIT_MEDIUM, "Re-using SSL/TLS context"); /* Restore pre-NCP cipher options */ c->options.ciphername = c->c1.ciphername; c->options.authname = c->c1.authname; c->options.keysize = c->c1.keysize; } } static void do_init_crypto_tls(struct context *c, const unsigned int flags) { const struct options *options = &c->options; struct tls_options to; bool packet_id_long_form; ASSERT(options->tls_server || options->tls_client); ASSERT(!options->test_crypto); init_crypto_pre(c, flags); /* Make sure we are either a TLS client or server but not both */ ASSERT(options->tls_server == !options->tls_client); /* initialize persistent component */ do_init_crypto_tls_c1(c); if (IS_SIG(c)) { return; } /* Sanity check on IV, sequence number, and cipher mode options */ check_replay_iv_consistency(&c->c1.ks.key_type, options->replay, options->use_iv); /* In short form, unique datagram identifier is 32 bits, in long form 64 bits */ packet_id_long_form = cipher_kt_mode_ofb_cfb(c->c1.ks.key_type.cipher); /* Compute MTU parameters (postpone if we push/pull options) */ if (c->options.pull || c->options.mode == MODE_SERVER) { /* Account for worst-case crypto overhead before allocating buffers */ frame_add_to_extra_frame(&c->c2.frame, crypto_max_overhead()); } else { crypto_adjust_frame_parameters(&c->c2.frame, &c->c1.ks.key_type, options->use_iv, options->replay, packet_id_long_form); } tls_adjust_frame_parameters(&c->c2.frame); /* Set all command-line TLS-related options */ CLEAR(to); if (options->use_iv) { to.crypto_flags |= CO_USE_IV; } if (options->mute_replay_warnings) { to.crypto_flags |= CO_MUTE_REPLAY_WARNINGS; } to.crypto_flags &= ~(CO_PACKET_ID_LONG_FORM); if (packet_id_long_form) { to.crypto_flags |= CO_PACKET_ID_LONG_FORM; } to.ssl_ctx = c->c1.ks.ssl_ctx; to.key_type = c->c1.ks.key_type; to.server = options->tls_server; to.key_method = options->key_method; to.replay = options->replay; to.replay_window = options->replay_window; to.replay_time = options->replay_time; to.tcp_mode = link_socket_proto_connection_oriented(options->ce.proto); to.config_ciphername = c->c1.ciphername; to.config_authname = c->c1.authname; to.ncp_enabled = options->ncp_enabled; to.transition_window = options->transition_window; to.handshake_window = options->handshake_window; to.packet_timeout = options->tls_timeout; to.renegotiate_bytes = options->renegotiate_bytes; to.renegotiate_packets = options->renegotiate_packets; to.renegotiate_seconds = options->renegotiate_seconds; to.single_session = options->single_session; to.mode = options->mode; to.pull = options->pull; #ifdef ENABLE_PUSH_PEER_INFO if (options->push_peer_info) /* all there is */ { to.push_peer_info_detail = 2; } else if (options->pull) /* pull clients send some details */ { to.push_peer_info_detail = 1; } else /* default: no peer-info at all */ { to.push_peer_info_detail = 0; } #endif /* should we not xmit any packets until we get an initial * response from client? */ if (to.server && options->ce.proto == PROTO_TCP_SERVER) { to.xmit_hold = true; } #ifdef ENABLE_OCC to.disable_occ = !options->occ; #endif to.verify_command = options->tls_verify; to.verify_export_cert = options->tls_export_cert; to.verify_x509_type = (options->verify_x509_type & 0xff); to.verify_x509_name = options->verify_x509_name; to.crl_file = options->crl_file; to.crl_file_inline = options->crl_file_inline; to.ssl_flags = options->ssl_flags; to.ns_cert_type = options->ns_cert_type; memmove(to.remote_cert_ku, options->remote_cert_ku, sizeof(to.remote_cert_ku)); to.remote_cert_eku = options->remote_cert_eku; to.verify_hash = options->verify_hash; to.verify_hash_algo = options->verify_hash_algo; #ifdef ENABLE_X509ALTUSERNAME to.x509_username_field = (char *) options->x509_username_field; #else to.x509_username_field = X509_USERNAME_FIELD_DEFAULT; #endif to.es = c->c2.es; #ifdef ENABLE_DEBUG to.gremlin = c->options.gremlin; #endif to.plugins = c->plugins; #ifdef MANAGEMENT_DEF_AUTH to.mda_context = &c->c2.mda_context; #endif #if P2MP_SERVER to.auth_user_pass_verify_script = options->auth_user_pass_verify_script; to.auth_user_pass_verify_script_via_file = options->auth_user_pass_verify_script_via_file; to.tmp_dir = options->tmp_dir; if (options->ccd_exclusive) { to.client_config_dir_exclusive = options->client_config_dir; } to.auth_user_pass_file = options->auth_user_pass_file; to.auth_token_generate = options->auth_token_generate; to.auth_token_lifetime = options->auth_token_lifetime; #endif to.x509_track = options->x509_track; #if P2MP #ifdef ENABLE_CLIENT_CR to.sci = &options->sc_info; #endif #endif #ifdef USE_COMP to.comp_options = options->comp; #endif #if defined(ENABLE_CRYPTO_OPENSSL) && OPENSSL_VERSION_NUMBER >= 0x10001000 if (options->keying_material_exporter_label) { to.ekm_size = options->keying_material_exporter_length; if (to.ekm_size < 16 || to.ekm_size > 4095) { to.ekm_size = 0; } to.ekm_label = options->keying_material_exporter_label; to.ekm_label_size = strlen(to.ekm_label); } else { to.ekm_size = 0; } #endif /* TLS handshake authentication (--tls-auth) */ if (options->tls_auth_file) { to.tls_wrap.mode = TLS_WRAP_AUTH; to.tls_wrap.opt.key_ctx_bi = c->c1.ks.tls_wrap_key; to.tls_wrap.opt.pid_persist = &c->c1.pid_persist; to.tls_wrap.opt.flags |= CO_PACKET_ID_LONG_FORM; crypto_adjust_frame_parameters(&to.frame, &c->c1.ks.tls_auth_key_type, false, true, true); } /* TLS handshake encryption (--tls-crypt) */ if (options->tls_crypt_file) { to.tls_wrap.mode = TLS_WRAP_CRYPT; to.tls_wrap.opt.key_ctx_bi = c->c1.ks.tls_wrap_key; to.tls_wrap.opt.pid_persist = &c->c1.pid_persist; to.tls_wrap.opt.flags |= CO_PACKET_ID_LONG_FORM; tls_crypt_adjust_frame_parameters(&to.frame); } /* If we are running over TCP, allow for * length prefix */ socket_adjust_frame_parameters(&to.frame, options->ce.proto); /* * Initialize OpenVPN's master TLS-mode object. */ if (flags & CF_INIT_TLS_MULTI) { c->c2.tls_multi = tls_multi_init(&to); } if (flags & CF_INIT_TLS_AUTH_STANDALONE) { c->c2.tls_auth_standalone = tls_auth_standalone_init(&to, &c->c2.gc); } } static void do_init_finalize_tls_frame(struct context *c) { if (c->c2.tls_multi) { tls_multi_init_finalize(c->c2.tls_multi, &c->c2.frame); ASSERT(EXPANDED_SIZE(&c->c2.tls_multi->opt.frame) <= EXPANDED_SIZE(&c->c2.frame)); frame_print(&c->c2.tls_multi->opt.frame, D_MTU_INFO, "Control Channel MTU parms"); } if (c->c2.tls_auth_standalone) { tls_auth_standalone_finalize(c->c2.tls_auth_standalone, &c->c2.frame); frame_print(&c->c2.tls_auth_standalone->frame, D_MTU_INFO, "TLS-Auth MTU parms"); } } /* * No encryption or authentication. */ static void do_init_crypto_none(const struct context *c) { ASSERT(!c->options.test_crypto); msg(M_WARN, "******* WARNING *******: All encryption and authentication features " "disabled -- All data will be tunnelled as clear text and will not be " "protected against man-in-the-middle changes. " "PLEASE DO RECONSIDER THIS CONFIGURATION!"); } #endif /* ifdef ENABLE_CRYPTO */ static void do_init_crypto(struct context *c, const unsigned int flags) { #ifdef ENABLE_CRYPTO if (c->options.shared_secret_file) { do_init_crypto_static(c, flags); } else if (c->options.tls_server || c->options.tls_client) { do_init_crypto_tls(c, flags); } else /* no encryption or authentication. */ { do_init_crypto_none(c); } #else /* ENABLE_CRYPTO */ msg(M_WARN, "******* WARNING *******: " PACKAGE_NAME " built without crypto library -- encryption and authentication features disabled -- all data will be tunnelled as cleartext"); #endif /* ENABLE_CRYPTO */ } static void do_init_frame(struct context *c) { #ifdef USE_COMP /* * modify frame parameters if compression is enabled */ if (comp_enabled(&c->options.comp)) { comp_add_to_extra_frame(&c->c2.frame); #if !defined(ENABLE_LZ4) /* * Compression usage affects buffer alignment when non-swapped algs * such as LZO is used. * Newer algs like LZ4 and comp-stub with COMP_F_SWAP don't need * any special alignment because of the control-byte swap approach. * LZO alignment (on the other hand) is problematic because * the presence of the control byte means that either the output of * decryption must be written to an unaligned buffer, or the input * to compression (or packet dispatch if packet is uncompressed) * must be read from an unaligned buffer. * This code tries to align the input to compression (or packet * dispatch if packet is uncompressed) at the cost of requiring * decryption output to be written to an unaligned buffer, so * it's more of a tradeoff than an optimal solution and we don't * include it when we are doing a modern build with LZ4. * Strictly speaking, on the server it would be better to execute * this code for every connection after we decide the compression * method, but currently the frame code doesn't appear to be * flexible enough for this, since the frame is already established * before it is known which compression options will be pushed. */ if (comp_unswapped_prefix(&c->options.comp) && CIPHER_ENABLED(c)) { frame_add_to_align_adjust(&c->c2.frame, COMP_PREFIX_LEN); frame_or_align_flags(&c->c2.frame, FRAME_HEADROOM_MARKER_FRAGMENT |FRAME_HEADROOM_MARKER_DECRYPT); } #endif #ifdef ENABLE_FRAGMENT comp_add_to_extra_frame(&c->c2.frame_fragment_omit); /* omit compression frame delta from final frame_fragment */ #endif } #endif /* USE_COMP */ /* * Adjust frame size for UDP Socks support. */ if (c->options.ce.socks_proxy_server) { socks_adjust_frame_parameters(&c->c2.frame, c->options.ce.proto); } /* * Adjust frame size based on the --tun-mtu-extra parameter. */ if (c->options.ce.tun_mtu_extra_defined) { tun_adjust_frame_parameters(&c->c2.frame, c->options.ce.tun_mtu_extra); } /* * Adjust frame size based on link socket parameters. * (Since TCP is a stream protocol, we need to insert * a packet length uint16_t in the buffer.) */ socket_adjust_frame_parameters(&c->c2.frame, c->options.ce.proto); /* * Fill in the blanks in the frame parameters structure, * make sure values are rational, etc. */ frame_finalize_options(c, NULL); #ifdef USE_COMP /* * Modify frame parameters if compression is compiled in. * Should be called after frame_finalize_options. */ comp_add_to_extra_buffer(&c->c2.frame); #ifdef ENABLE_FRAGMENT comp_add_to_extra_buffer(&c->c2.frame_fragment_omit); /* omit compression frame delta from final frame_fragment */ #endif #endif /* USE_COMP */ /* packets with peer-id (P_DATA_V2) need 3 extra bytes in frame (on client) * and need link_mtu+3 bytes on socket reception (on server). * * accomodate receive path in f->extra_link, which has the side effect of * also increasing send buffers (BUF_SIZE() macro), which need to be * allocated big enough before receiving peer-id option from server. * * f->extra_frame is adjusted when peer-id option is push-received */ frame_add_to_extra_link(&c->c2.frame, 3); #ifdef ENABLE_FRAGMENT /* * Set frame parameter for fragment code. This is necessary because * the fragmentation code deals with payloads which have already been * passed through the compression code. */ c->c2.frame_fragment = c->c2.frame; frame_subtract_extra(&c->c2.frame_fragment, &c->c2.frame_fragment_omit); #endif #if defined(ENABLE_FRAGMENT) && defined(ENABLE_OCC) /* * MTU advisories */ if (c->options.ce.fragment && c->options.mtu_test) { msg(M_WARN, "WARNING: using --fragment and --mtu-test together may produce an inaccurate MTU test result"); } #endif #ifdef ENABLE_FRAGMENT if ((c->options.ce.mssfix || c->options.ce.fragment) && TUN_MTU_SIZE(&c->c2.frame_fragment) != ETHERNET_MTU) { msg(M_WARN, "WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu %d (currently it is %d)", ETHERNET_MTU, TUN_MTU_SIZE(&c->c2.frame_fragment)); } #endif } static void do_option_warnings(struct context *c) { const struct options *o = &c->options; if (o->ping_send_timeout && !o->ping_rec_timeout) { msg(M_WARN, "WARNING: --ping should normally be used with --ping-restart or --ping-exit"); } if (o->username || o->groupname || o->chroot_dir #ifdef ENABLE_SELINUX || o->selinux_context #endif ) { if (!o->persist_tun) { msg(M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-tun -- this may cause restarts to fail"); } if (!o->persist_key #ifdef ENABLE_PKCS11 && !o->pkcs11_id #endif ) { msg(M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-key -- this may cause restarts to fail"); } } if (o->chroot_dir && !(o->username && o->groupname)) { msg(M_WARN, "WARNING: you are using chroot without specifying user and group -- this may cause the chroot jail to be insecure"); } #if P2MP if (o->pull && o->ifconfig_local && c->first_time) { msg(M_WARN, "WARNING: using --pull/--client and --ifconfig together is probably not what you want"); } #if P2MP_SERVER if (o->server_bridge_defined | o->server_bridge_proxy_dhcp) { msg(M_WARN, "NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to"); } if (o->mode == MODE_SERVER) { if (o->duplicate_cn && o->client_config_dir) { msg(M_WARN, "WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want"); } if (o->duplicate_cn && o->ifconfig_pool_persist_filename) { msg(M_WARN, "WARNING: --ifconfig-pool-persist will not work with --duplicate-cn"); } if (!o->keepalive_ping || !o->keepalive_timeout) { msg(M_WARN, "WARNING: --keepalive option is missing from server config"); } } #endif /* if P2MP_SERVER */ #endif /* if P2MP */ #ifdef ENABLE_CRYPTO if (!o->replay) { msg(M_WARN, "WARNING: You have disabled Replay Protection (--no-replay) which may make " PACKAGE_NAME " less secure"); } if (!o->use_iv) { msg(M_WARN, "WARNING: You have disabled Crypto IVs (--no-iv) which may make " PACKAGE_NAME " less secure"); } if (o->tls_server) { warn_on_use_of_common_subnets(); } if (o->tls_client && !o->tls_verify && o->verify_x509_type == VERIFY_X509_NONE && !(o->ns_cert_type & NS_CERT_CHECK_SERVER) && !o->remote_cert_eku) { msg(M_WARN, "WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info."); } if (o->ns_cert_type) { msg(M_WARN, "WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead."); } #endif /* ifdef ENABLE_CRYPTO */ /* If a script is used, print appropiate warnings */ if (o->user_script_used) { if (script_security >= SSEC_SCRIPTS) { msg(M_WARN, "NOTE: the current --script-security setting may allow this configuration to call user-defined scripts"); } else if (script_security >= SSEC_PW_ENV) { msg(M_WARN, "WARNING: the current --script-security setting may allow passwords to be passed to scripts via environmental variables"); } else { msg(M_WARN, "NOTE: starting with " PACKAGE_NAME " 2.1, '--script-security 2' or higher is required to call user-defined scripts or executables"); } } } static void do_init_frame_tls(struct context *c) { #ifdef ENABLE_CRYPTO do_init_finalize_tls_frame(c); #endif } struct context_buffers * init_context_buffers(const struct frame *frame) { struct context_buffers *b; ALLOC_OBJ_CLEAR(b, struct context_buffers); b->read_link_buf = alloc_buf(BUF_SIZE(frame)); b->read_tun_buf = alloc_buf(BUF_SIZE(frame)); b->aux_buf = alloc_buf(BUF_SIZE(frame)); #ifdef ENABLE_CRYPTO b->encrypt_buf = alloc_buf(BUF_SIZE(frame)); b->decrypt_buf = alloc_buf(BUF_SIZE(frame)); #endif #ifdef USE_COMP b->compress_buf = alloc_buf(BUF_SIZE(frame)); b->decompress_buf = alloc_buf(BUF_SIZE(frame)); #endif return b; } void free_context_buffers(struct context_buffers *b) { if (b) { free_buf(&b->read_link_buf); free_buf(&b->read_tun_buf); free_buf(&b->aux_buf); #ifdef USE_COMP free_buf(&b->compress_buf); free_buf(&b->decompress_buf); #endif #ifdef ENABLE_CRYPTO free_buf(&b->encrypt_buf); free_buf(&b->decrypt_buf); #endif free(b); } } /* * Now that we know all frame parameters, initialize * our buffers. */ static void do_init_buffers(struct context *c) { c->c2.buffers = init_context_buffers(&c->c2.frame); c->c2.buffers_owned = true; } #ifdef ENABLE_FRAGMENT /* * Fragmenting code has buffers to initialize * once frame parameters are known. */ static void do_init_fragment(struct context *c) { ASSERT(c->options.ce.fragment); frame_set_mtu_dynamic(&c->c2.frame_fragment, c->options.ce.fragment, SET_MTU_UPPER_BOUND); fragment_frame_init(c->c2.fragment, &c->c2.frame_fragment); } #endif /* * Allocate our socket object. */ static void do_link_socket_new(struct context *c) { ASSERT(!c->c2.link_socket); c->c2.link_socket = link_socket_new(); c->c2.link_socket_owned = true; } /* * bind the TCP/UDP socket */ static void do_init_socket_1(struct context *c, const int mode) { unsigned int sockflags = c->options.sockflags; #if PORT_SHARE if (c->options.port_share_host && c->options.port_share_port) { sockflags |= SF_PORT_SHARE; } #endif link_socket_init_phase1(c->c2.link_socket, c->options.ce.local, c->options.ce.local_port, c->options.ce.remote, c->options.ce.remote_port, c->c1.dns_cache, c->options.ce.proto, c->options.ce.af, c->options.ce.bind_ipv6_only, mode, c->c2.accept_from, c->c1.http_proxy, c->c1.socks_proxy, #ifdef ENABLE_DEBUG c->options.gremlin, #endif c->options.ce.bind_local, c->options.ce.remote_float, c->options.inetd, &c->c1.link_socket_addr, c->options.ipchange, c->plugins, c->options.resolve_retry_seconds, c->options.ce.mtu_discover_type, c->options.rcvbuf, c->options.sndbuf, c->options.mark, &c->c2.server_poll_interval, sockflags); } /* * finalize the TCP/UDP socket */ static void do_init_socket_2(struct context *c) { link_socket_init_phase2(c->c2.link_socket, &c->c2.frame, c->sig); } /* * Print MTU INFO */ static void do_print_data_channel_mtu_parms(struct context *c) { frame_print(&c->c2.frame, D_MTU_INFO, "Data Channel MTU parms"); #ifdef ENABLE_FRAGMENT if (c->c2.fragment) { frame_print(&c->c2.frame_fragment, D_MTU_INFO, "Fragmentation MTU parms"); } #endif } #ifdef ENABLE_OCC /* * Get local and remote options compatibility strings. */ static void do_compute_occ_strings(struct context *c) { struct gc_arena gc = gc_new(); c->c2.options_string_local = options_string(&c->options, &c->c2.frame, c->c1.tuntap, false, &gc); c->c2.options_string_remote = options_string(&c->options, &c->c2.frame, c->c1.tuntap, true, &gc); msg(D_SHOW_OCC, "Local Options String (VER=%s): '%s'", options_string_version(c->c2.options_string_local, &gc), c->c2.options_string_local); msg(D_SHOW_OCC, "Expected Remote Options String (VER=%s): '%s'", options_string_version(c->c2.options_string_remote, &gc), c->c2.options_string_remote); #ifdef ENABLE_CRYPTO if (c->c2.tls_multi) { tls_multi_init_set_options(c->c2.tls_multi, c->c2.options_string_local, c->c2.options_string_remote); } #endif gc_free(&gc); } #endif /* ifdef ENABLE_OCC */ /* * These things can only be executed once per program instantiation. * Set up for possible UID/GID downgrade, but don't do it yet. * Daemonize if requested. */ static void do_init_first_time(struct context *c) { if (c->first_time && !c->c0) { struct context_0 *c0; ALLOC_OBJ_CLEAR_GC(c->c0, struct context_0, &c->gc); c0 = c->c0; /* get user and/or group that we want to setuid/setgid to */ c0->uid_gid_specified = platform_group_get(c->options.groupname, &c0->platform_state_group) |platform_user_get(c->options.username, &c0->platform_state_user); /* perform postponed chdir if --daemon */ if (c->did_we_daemonize && c->options.cd_dir == NULL) { platform_chdir("/"); } /* should we change scheduling priority? */ platform_nice(c->options.nice); } } /* * If xinetd/inetd mode, don't allow restart. */ static void do_close_check_if_restart_permitted(struct context *c) { if (c->options.inetd && (c->sig->signal_received == SIGHUP || c->sig->signal_received == SIGUSR1)) { c->sig->signal_received = SIGTERM; msg(M_INFO, PACKAGE_NAME " started by inetd/xinetd cannot restart... Exiting."); } } /* * free buffers */ static void do_close_free_buf(struct context *c) { if (c->c2.buffers_owned) { free_context_buffers(c->c2.buffers); c->c2.buffers = NULL; c->c2.buffers_owned = false; } } /* * close TLS */ static void do_close_tls(struct context *c) { #ifdef ENABLE_CRYPTO if (c->c2.tls_multi) { tls_multi_free(c->c2.tls_multi, true); c->c2.tls_multi = NULL; } #ifdef ENABLE_OCC /* free options compatibility strings */ if (c->c2.options_string_local) { free(c->c2.options_string_local); } if (c->c2.options_string_remote) { free(c->c2.options_string_remote); } c->c2.options_string_local = c->c2.options_string_remote = NULL; #endif #endif } /* * Free key schedules */ static void do_close_free_key_schedule(struct context *c, bool free_ssl_ctx) { if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_key)) { key_schedule_free(&c->c1.ks, free_ssl_ctx); } } /* * Close TCP/UDP connection */ static void do_close_link_socket(struct context *c) { if (c->c2.link_socket && c->c2.link_socket_owned) { link_socket_close(c->c2.link_socket); c->c2.link_socket = NULL; } /* Preserve the resolved list of remote if the user request to or if we want * reconnect to the same host again or there are still addresses that need * to be tried */ if (!(c->sig->signal_received == SIGUSR1 && ( (c->options.persist_remote_ip) || ( c->sig->source != SIG_SOURCE_HARD && ((c->c1.link_socket_addr.current_remote && c->c1.link_socket_addr.current_remote->ai_next) || c->options.no_advance)) ))) { clear_remote_addrlist(&c->c1.link_socket_addr, !c->options.resolve_in_advance); } /* Clear the remote actual address when persist_remote_ip is not in use */ if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_remote_ip)) { CLEAR(c->c1.link_socket_addr.actual); } if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_local_ip)) { if (c->c1.link_socket_addr.bind_local && !c->options.resolve_in_advance) { freeaddrinfo(c->c1.link_socket_addr.bind_local); } c->c1.link_socket_addr.bind_local = NULL; } } /* * Close packet-id persistance file */ static void do_close_packet_id(struct context *c) { #ifdef ENABLE_CRYPTO packet_id_free(&c->c2.crypto_options.packet_id); packet_id_persist_save(&c->c1.pid_persist); if (!(c->sig->signal_received == SIGUSR1)) { packet_id_persist_close(&c->c1.pid_persist); } #endif } #ifdef ENABLE_FRAGMENT /* * Close fragmentation handler. */ static void do_close_fragment(struct context *c) { if (c->c2.fragment) { fragment_free(c->c2.fragment); c->c2.fragment = NULL; } } #endif /* * Open and close our event objects. */ static void do_event_set_init(struct context *c, bool need_us_timeout) { unsigned int flags = 0; c->c2.event_set_max = BASE_N_EVENTS; flags |= EVENT_METHOD_FAST; if (need_us_timeout) { flags |= EVENT_METHOD_US_TIMEOUT; } c->c2.event_set = event_set_init(&c->c2.event_set_max, flags); c->c2.event_set_owned = true; } static void do_close_event_set(struct context *c) { if (c->c2.event_set && c->c2.event_set_owned) { event_free(c->c2.event_set); c->c2.event_set = NULL; c->c2.event_set_owned = false; } } /* * Open and close --status file */ static void do_open_status_output(struct context *c) { if (!c->c1.status_output) { c->c1.status_output = status_open(c->options.status_file, c->options.status_file_update_freq, -1, NULL, STATUS_OUTPUT_WRITE); c->c1.status_output_owned = true; } } static void do_close_status_output(struct context *c) { if (!(c->sig->signal_received == SIGUSR1)) { if (c->c1.status_output_owned && c->c1.status_output) { status_close(c->c1.status_output); c->c1.status_output = NULL; c->c1.status_output_owned = false; } } } /* * Handle ifconfig-pool persistance object. */ static void do_open_ifconfig_pool_persist(struct context *c) { #if P2MP_SERVER if (!c->c1.ifconfig_pool_persist && c->options.ifconfig_pool_persist_filename) { c->c1.ifconfig_pool_persist = ifconfig_pool_persist_init(c->options.ifconfig_pool_persist_filename, c->options.ifconfig_pool_persist_refresh_freq); c->c1.ifconfig_pool_persist_owned = true; } #endif } static void do_close_ifconfig_pool_persist(struct context *c) { #if P2MP_SERVER if (!(c->sig->signal_received == SIGUSR1)) { if (c->c1.ifconfig_pool_persist && c->c1.ifconfig_pool_persist_owned) { ifconfig_pool_persist_close(c->c1.ifconfig_pool_persist); c->c1.ifconfig_pool_persist = NULL; c->c1.ifconfig_pool_persist_owned = false; } } #endif } /* * Inherit environmental variables */ static void do_inherit_env(struct context *c, const struct env_set *src) { c->c2.es = env_set_create(NULL); c->c2.es_owned = true; env_set_inherit(c->c2.es, src); } static void do_env_set_destroy(struct context *c) { if (c->c2.es && c->c2.es_owned) { env_set_destroy(c->c2.es); c->c2.es = NULL; c->c2.es_owned = false; } } /* * Fast I/O setup. Fast I/O is an optimization which only works * if all of the following are true: * * (1) The platform is not Windows * (2) --proto udp is enabled * (3) --shaper is disabled */ static void do_setup_fast_io(struct context *c) { if (c->options.fast_io) { #ifdef _WIN32 msg(M_INFO, "NOTE: --fast-io is disabled since we are running on Windows"); #else if (!proto_is_udp(c->options.ce.proto)) { msg(M_INFO, "NOTE: --fast-io is disabled since we are not using UDP"); } else { #ifdef ENABLE_FEATURE_SHAPER if (c->options.shaper) { msg(M_INFO, "NOTE: --fast-io is disabled since we are using --shaper"); } else #endif { c->c2.fast_io = true; } } #endif } } static void do_signal_on_tls_errors(struct context *c) { #ifdef ENABLE_CRYPTO if (c->options.tls_exit) { c->c2.tls_exit_signal = SIGTERM; } else { c->c2.tls_exit_signal = SIGUSR1; } #endif } #ifdef ENABLE_PLUGIN void init_plugins(struct context *c) { if (c->options.plugin_list && !c->plugins) { c->plugins = plugin_list_init(c->options.plugin_list); c->plugins_owned = true; } } void open_plugins(struct context *c, const bool import_options, int init_point) { if (c->plugins && c->plugins_owned) { if (import_options) { struct plugin_return pr, config; plugin_return_init(&pr); plugin_list_open(c->plugins, c->options.plugin_list, &pr, c->c2.es, init_point); plugin_return_get_column(&pr, &config, "config"); if (plugin_return_defined(&config)) { int i; for (i = 0; i < config.n; ++i) { unsigned int option_types_found = 0; if (config.list[i] && config.list[i]->value) { options_string_import(&c->options, config.list[i]->value, D_IMPORT_ERRORS|M_OPTERR, OPT_P_DEFAULT & ~OPT_P_PLUGIN, &option_types_found, c->es); } } } plugin_return_free(&pr); } else { plugin_list_open(c->plugins, c->options.plugin_list, NULL, c->c2.es, init_point); } } } static void do_close_plugins(struct context *c) { if (c->plugins && c->plugins_owned && !(c->sig->signal_received == SIGUSR1)) { plugin_list_close(c->plugins); c->plugins = NULL; c->plugins_owned = false; } } static void do_inherit_plugins(struct context *c, const struct context *src) { if (!c->plugins && src->plugins) { c->plugins = plugin_list_inherit(src->plugins); c->plugins_owned = true; } } #endif /* ifdef ENABLE_PLUGIN */ #ifdef ENABLE_MANAGEMENT static void management_callback_status_p2p(void *arg, const int version, struct status_output *so) { struct context *c = (struct context *) arg; print_status(c, so); } void management_show_net_callback(void *arg, const int msglevel) { #ifdef _WIN32 show_routes(msglevel); show_adapters(msglevel); msg(msglevel, "END"); #else msg(msglevel, "ERROR: Sorry, this command is currently only implemented on Windows"); #endif } #ifdef TARGET_ANDROID int management_callback_network_change(void *arg, bool samenetwork) { /* Check if the client should translate the network change to a SIGUSR1 to * reestablish the connection or just reprotect the socket * * At the moment just assume that, for all settings that use pull (not * --static) and are not using peer-id reestablishing the connection is * required (unless the network is the same) * * The function returns -1 on invalid fd and -2 if the socket cannot be * reused. On the -2 return value the man_network_change function triggers * a SIGUSR1 to force a reconnect. */ int socketfd = -1; struct context *c = (struct context *) arg; if (!c->c2.link_socket) { return -1; } if (c->c2.link_socket->sd == SOCKET_UNDEFINED) { return -1; } socketfd = c->c2.link_socket->sd; if (!c->options.pull || c->c2.tls_multi->use_peer_id || samenetwork) { return socketfd; } else { return -2; } } #endif /* ifdef TARGET_ANDROID */ #endif /* ifdef ENABLE_MANAGEMENT */ void init_management_callback_p2p(struct context *c) { #ifdef ENABLE_MANAGEMENT if (management) { struct management_callback cb; CLEAR(cb); cb.arg = c; cb.status = management_callback_status_p2p; cb.show_net = management_show_net_callback; cb.proxy_cmd = management_callback_proxy_cmd; cb.remote_cmd = management_callback_remote_cmd; #ifdef TARGET_ANDROID cb.network_change = management_callback_network_change; #endif management_set_callback(management, &cb); } #endif } #ifdef ENABLE_MANAGEMENT void init_management(struct context *c) { if (!management) { management = management_init(); } } bool open_management(struct context *c) { /* initialize management layer */ if (management) { if (c->options.management_addr) { unsigned int flags = c->options.management_flags; if (c->options.mode == MODE_SERVER) { flags |= MF_SERVER; } if (management_open(management, c->options.management_addr, c->options.management_port, c->options.management_user_pass, c->options.management_client_user, c->options.management_client_group, c->options.management_log_history_cache, c->options.management_echo_buffer_size, c->options.management_state_buffer_size, c->options.management_write_peer_info_file, c->options.remap_sigusr1, flags)) { management_set_state(management, OPENVPN_STATE_CONNECTING, NULL, NULL, NULL, NULL, NULL); } /* initial management hold, called early, before first context initialization */ do_hold(0); if (IS_SIG(c)) { msg(M_WARN, "Signal received from management interface, exiting"); return false; } } else { close_management(); } } return true; } void close_management(void) { if (management) { management_close(management); management = NULL; } } #endif /* ifdef ENABLE_MANAGEMENT */ void uninit_management_callback(void) { #ifdef ENABLE_MANAGEMENT if (management) { management_clear_callback(management); } #endif } /* * Initialize a tunnel instance, handle pre and post-init * signal settings. */ void init_instance_handle_signals(struct context *c, const struct env_set *env, const unsigned int flags) { pre_init_signal_catch(); init_instance(c, env, flags); post_init_signal_catch(); /* * This is done so that signals thrown during * initialization can bring us back to * a management hold. */ if (IS_SIG(c)) { remap_signal(c); uninit_management_callback(); } } /* * Initialize a tunnel instance. */ void init_instance(struct context *c, const struct env_set *env, const unsigned int flags) { const struct options *options = &c->options; const bool child = (c->mode == CM_CHILD_TCP || c->mode == CM_CHILD_UDP); int link_socket_mode = LS_MODE_DEFAULT; /* init garbage collection level */ gc_init(&c->c2.gc); /* inherit environmental variables */ if (env) { do_inherit_env(c, env); } /* signals caught here will abort */ c->sig->signal_received = 0; c->sig->signal_text = NULL; c->sig->source = SIG_SOURCE_SOFT; if (c->mode == CM_P2P) { init_management_callback_p2p(c); } /* possible sleep or management hold if restart */ if (c->mode == CM_P2P || c->mode == CM_TOP) { do_startup_pause(c); if (IS_SIG(c)) { goto sig; } } if (c->options.resolve_in_advance) { do_preresolve(c); if (IS_SIG(c)) { goto sig; } } /* map in current connection entry */ next_connection_entry(c); /* link_socket_mode allows CM_CHILD_TCP * instances to inherit acceptable fds * from a top-level parent */ if (c->options.ce.proto == PROTO_TCP_SERVER) { if (c->mode == CM_TOP) { link_socket_mode = LS_MODE_TCP_LISTEN; } else if (c->mode == CM_CHILD_TCP) { link_socket_mode = LS_MODE_TCP_ACCEPT_FROM; } } /* should we disable paging? */ if (c->first_time && options->mlock) { platform_mlockall(true); } #if P2MP /* get passwords if undefined */ if (auth_retry_get() == AR_INTERACT) { init_query_passwords(c); } #endif /* initialize context level 2 --verb/--mute parms */ init_verb_mute(c, IVM_LEVEL_2); /* set error message delay for non-server modes */ if (c->mode == CM_P2P) { set_check_status_error_delay(P2P_ERROR_DELAY_MS); } /* warn about inconsistent options */ if (c->mode == CM_P2P || c->mode == CM_TOP) { do_option_warnings(c); } #ifdef ENABLE_PLUGIN /* initialize plugins */ if (c->mode == CM_P2P || c->mode == CM_TOP) { open_plugins(c, false, OPENVPN_PLUGIN_INIT_PRE_DAEMON); } #endif /* should we enable fast I/O? */ if (c->mode == CM_P2P || c->mode == CM_TOP) { do_setup_fast_io(c); } /* should we throw a signal on TLS errors? */ do_signal_on_tls_errors(c); /* open --status file */ if (c->mode == CM_P2P || c->mode == CM_TOP) { do_open_status_output(c); } /* open --ifconfig-pool-persist file */ if (c->mode == CM_TOP) { do_open_ifconfig_pool_persist(c); } #ifdef ENABLE_OCC /* reset OCC state */ if (c->mode == CM_P2P || child) { c->c2.occ_op = occ_reset_op(); } #endif /* our wait-for-i/o objects, different for posix vs. win32 */ if (c->mode == CM_P2P) { do_event_set_init(c, SHAPER_DEFINED(&c->options)); } else if (c->mode == CM_CHILD_TCP) { do_event_set_init(c, false); } /* initialize HTTP or SOCKS proxy object at scope level 2 */ init_proxy(c); /* allocate our socket object */ if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP) { do_link_socket_new(c); } #ifdef ENABLE_FRAGMENT /* initialize internal fragmentation object */ if (options->ce.fragment && (c->mode == CM_P2P || child)) { c->c2.fragment = fragment_init(&c->c2.frame); } #endif /* init crypto layer */ { unsigned int crypto_flags = 0; if (c->mode == CM_TOP) { crypto_flags = CF_INIT_TLS_AUTH_STANDALONE; } else if (c->mode == CM_P2P) { crypto_flags = CF_LOAD_PERSISTED_PACKET_ID | CF_INIT_TLS_MULTI; } else if (child) { crypto_flags = CF_INIT_TLS_MULTI; } do_init_crypto(c, crypto_flags); if (IS_SIG(c) && !child) { goto sig; } } #ifdef USE_COMP /* initialize compression library. */ if (comp_enabled(&options->comp) && (c->mode == CM_P2P || child)) { c->c2.comp_context = comp_init(&options->comp); } #endif /* initialize MTU variables */ do_init_frame(c); /* initialize TLS MTU variables */ do_init_frame_tls(c); /* init workspace buffers whose size is derived from frame size */ if (c->mode == CM_P2P || c->mode == CM_CHILD_TCP) { do_init_buffers(c); } #ifdef ENABLE_FRAGMENT /* initialize internal fragmentation capability with known frame size */ if (options->ce.fragment && (c->mode == CM_P2P || child)) { do_init_fragment(c); } #endif /* initialize dynamic MTU variable */ frame_init_mssfix(&c->c2.frame, &c->options); /* bind the TCP/UDP socket */ if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP) { do_init_socket_1(c, link_socket_mode); } /* initialize tun/tap device object, * open tun/tap device, ifconfig, run up script, etc. */ if (!(options->up_delay || PULL_DEFINED(options)) && (c->mode == CM_P2P || c->mode == CM_TOP)) { c->c2.did_open_tun = do_open_tun(c); } c->c2.frame_initial = c->c2.frame; /* print MTU info */ do_print_data_channel_mtu_parms(c); #ifdef ENABLE_OCC /* get local and remote options compatibility strings */ if (c->mode == CM_P2P || child) { do_compute_occ_strings(c); } #endif /* initialize output speed limiter */ if (c->mode == CM_P2P) { do_init_traffic_shaper(c); } /* do one-time inits, and possibily become a daemon here */ do_init_first_time(c); #ifdef ENABLE_PLUGIN /* initialize plugins */ if (c->mode == CM_P2P || c->mode == CM_TOP) { open_plugins(c, false, OPENVPN_PLUGIN_INIT_POST_DAEMON); } #endif /* initialise connect timeout timer */ do_init_server_poll_timeout(c); /* finalize the TCP/UDP socket */ if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP) { do_init_socket_2(c); } /* * Actually do UID/GID downgrade, and chroot, if requested. * May be delayed by --client, --pull, or --up-delay. */ do_uid_gid_chroot(c, c->c2.did_open_tun); /* initialize timers */ if (c->mode == CM_P2P || child) { do_init_timers(c, false); } #ifdef ENABLE_PLUGIN /* initialize plugins */ if (c->mode == CM_P2P || c->mode == CM_TOP) { open_plugins(c, false, OPENVPN_PLUGIN_INIT_POST_UID_CHANGE); } #endif #if PORT_SHARE /* share OpenVPN port with foreign (such as HTTPS) server */ if (c->first_time && (c->mode == CM_P2P || c->mode == CM_TOP)) { init_port_share(c); } #endif #ifdef ENABLE_PF if (child) { pf_init_context(c); } #endif /* Check for signals */ if (IS_SIG(c)) { goto sig; } return; sig: if (!c->sig->signal_text) { c->sig->signal_text = "init_instance"; } close_context(c, -1, flags); return; } /* * Close a tunnel instance. */ void close_instance(struct context *c) { /* close event objects */ do_close_event_set(c); if (c->mode == CM_P2P || c->mode == CM_CHILD_TCP || c->mode == CM_CHILD_UDP || c->mode == CM_TOP) { /* if xinetd/inetd mode, don't allow restart */ do_close_check_if_restart_permitted(c); #ifdef USE_COMP if (c->c2.comp_context) { comp_uninit(c->c2.comp_context); c->c2.comp_context = NULL; } #endif /* free buffers */ do_close_free_buf(c); /* close TLS */ do_close_tls(c); /* free key schedules */ do_close_free_key_schedule(c, (c->mode == CM_P2P || c->mode == CM_TOP)); /* close TCP/UDP connection */ do_close_link_socket(c); /* close TUN/TAP device */ do_close_tun(c, false); #ifdef MANAGEMENT_DEF_AUTH if (management) { management_notify_client_close(management, &c->c2.mda_context, NULL); } #endif #ifdef ENABLE_PF pf_destroy_context(&c->c2.pf); #endif #ifdef ENABLE_PLUGIN /* call plugin close functions and unload */ do_close_plugins(c); #endif /* close packet-id persistance file */ do_close_packet_id(c); /* close --status file */ do_close_status_output(c); #ifdef ENABLE_FRAGMENT /* close fragmentation handler */ do_close_fragment(c); #endif /* close --ifconfig-pool-persist obj */ do_close_ifconfig_pool_persist(c); /* free up environmental variable store */ do_env_set_destroy(c); /* close HTTP or SOCKS proxy */ uninit_proxy(c); /* garbage collect */ gc_free(&c->c2.gc); } } void inherit_context_child(struct context *dest, const struct context *src) { CLEAR(*dest); /* proto_is_dgram will ASSERT(0) if proto is invalid */ dest->mode = proto_is_dgram(src->options.ce.proto) ? CM_CHILD_UDP : CM_CHILD_TCP; dest->gc = gc_new(); ALLOC_OBJ_CLEAR_GC(dest->sig, struct signal_info, &dest->gc); /* c1 init */ packet_id_persist_init(&dest->c1.pid_persist); #ifdef ENABLE_CRYPTO dest->c1.ks.key_type = src->c1.ks.key_type; /* inherit SSL context */ dest->c1.ks.ssl_ctx = src->c1.ks.ssl_ctx; dest->c1.ks.tls_wrap_key = src->c1.ks.tls_wrap_key; dest->c1.ks.tls_auth_key_type = src->c1.ks.tls_auth_key_type; /* inherit pre-NCP ciphers */ dest->c1.ciphername = src->c1.ciphername; dest->c1.authname = src->c1.authname; dest->c1.keysize = src->c1.keysize; #endif /* options */ dest->options = src->options; options_detach(&dest->options); if (dest->mode == CM_CHILD_TCP) { /* * The CM_TOP context does the socket listen(), * and the CM_CHILD_TCP context does the accept(). */ dest->c2.accept_from = src->c2.link_socket; } #ifdef ENABLE_PLUGIN /* inherit plugins */ do_inherit_plugins(dest, src); #endif /* context init */ init_instance(dest, src->c2.es, CC_NO_CLOSE | CC_USR1_TO_HUP); if (IS_SIG(dest)) { return; } /* inherit tun/tap interface object */ dest->c1.tuntap = src->c1.tuntap; /* UDP inherits some extra things which TCP does not */ if (dest->mode == CM_CHILD_UDP) { /* inherit buffers */ dest->c2.buffers = src->c2.buffers; /* inherit parent link_socket and tuntap */ dest->c2.link_socket = src->c2.link_socket; ALLOC_OBJ_GC(dest->c2.link_socket_info, struct link_socket_info, &dest->gc); *dest->c2.link_socket_info = src->c2.link_socket->info; /* locally override some link_socket_info fields */ dest->c2.link_socket_info->lsa = &dest->c1.link_socket_addr; dest->c2.link_socket_info->connection_established = false; } } void inherit_context_top(struct context *dest, const struct context *src) { /* copy parent */ *dest = *src; /* * CM_TOP_CLONE will prevent close_instance from freeing or closing * resources owned by the parent. * * Also note that CM_TOP_CLONE context objects are * closed by multi_top_free in multi.c. */ dest->mode = CM_TOP_CLONE; dest->first_time = false; dest->c0 = NULL; options_detach(&dest->options); gc_detach(&dest->gc); gc_detach(&dest->c2.gc); /* detach plugins */ dest->plugins_owned = false; #ifdef ENABLE_CRYPTO dest->c2.tls_multi = NULL; #endif /* detach c1 ownership */ dest->c1.tuntap_owned = false; dest->c1.status_output_owned = false; #if P2MP_SERVER dest->c1.ifconfig_pool_persist_owned = false; #endif /* detach c2 ownership */ dest->c2.event_set_owned = false; dest->c2.link_socket_owned = false; dest->c2.buffers_owned = false; dest->c2.es_owned = false; dest->c2.event_set = NULL; if (proto_is_dgram(src->options.ce.proto)) { do_event_set_init(dest, false); } #ifdef USE_COMP dest->c2.comp_context = NULL; #endif } void close_context(struct context *c, int sig, unsigned int flags) { ASSERT(c); ASSERT(c->sig); if (sig >= 0) { c->sig->signal_received = sig; } if (c->sig->signal_received == SIGUSR1) { if ((flags & CC_USR1_TO_HUP) || (c->sig->source == SIG_SOURCE_HARD && (flags & CC_HARD_USR1_TO_HUP))) { c->sig->signal_received = SIGHUP; c->sig->signal_text = "close_context usr1 to hup"; } } if (!(flags & CC_NO_CLOSE)) { close_instance(c); } if (flags & CC_GC_FREE) { context_gc_free(c); } } #ifdef ENABLE_CRYPTO /* * Do a loopback test * on the crypto subsystem. */ static void * test_crypto_thread(void *arg) { struct context *c = (struct context *) arg; const struct options *options = &c->options; ASSERT(options->test_crypto); init_verb_mute(c, IVM_LEVEL_1); context_init_1(c); next_connection_entry(c); do_init_crypto_static(c, 0); frame_finalize_options(c, options); test_crypto(&c->c2.crypto_options, &c->c2.frame); key_schedule_free(&c->c1.ks, true); packet_id_free(&c->c2.crypto_options.packet_id); context_gc_free(c); return NULL; } #endif /* ENABLE_CRYPTO */ bool do_test_crypto(const struct options *o) { #ifdef ENABLE_CRYPTO if (o->test_crypto) { struct context c; /* print version number */ msg(M_INFO, "%s", title_string); context_clear(&c); c.options = *o; options_detach(&c.options); c.first_time = true; test_crypto_thread((void *) &c); return true; } #endif return false; } openvpn-2.4.4/src/openvpn/init.h000066400000000000000000000100601316434344000165750ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifndef INIT_H #define INIT_H #include "openvpn.h" /* * Baseline maximum number of events * to wait for. */ #define BASE_N_EVENTS 4 void context_clear(struct context *c); void context_clear_1(struct context *c); void context_clear_2(struct context *c); void context_init_1(struct context *c); void context_clear_all_except_first_time(struct context *c); bool init_static(void); void uninit_static(void); #define IVM_LEVEL_1 (1<<0) #define IVM_LEVEL_2 (1<<1) void init_verb_mute(struct context *c, unsigned int flags); void init_options_dev(struct options *options); bool print_openssl_info(const struct options *options); bool do_genkey(const struct options *options); bool do_persist_tuntap(const struct options *options); bool possibly_become_daemon(const struct options *options); void pre_setup(const struct options *options); void init_instance_handle_signals(struct context *c, const struct env_set *env, const unsigned int flags); void init_instance(struct context *c, const struct env_set *env, const unsigned int flags); /** * Query for private key and auth-user-pass username/passwords. */ void init_query_passwords(const struct context *c); void do_route(const struct options *options, struct route_list *route_list, struct route_ipv6_list *route_ipv6_list, const struct tuntap *tt, const struct plugin_list *plugins, struct env_set *es); void close_instance(struct context *c); bool do_test_crypto(const struct options *o); void context_gc_free(struct context *c); bool do_up(struct context *c, bool pulled_options, unsigned int option_types_found); unsigned int pull_permission_mask(const struct context *c); const char *format_common_name(struct context *c, struct gc_arena *gc); void reset_coarse_timers(struct context *c); bool do_deferred_options(struct context *c, const unsigned int found); void inherit_context_child(struct context *dest, const struct context *src); void inherit_context_top(struct context *dest, const struct context *src); #define CC_GC_FREE (1<<0) #define CC_USR1_TO_HUP (1<<1) #define CC_HARD_USR1_TO_HUP (1<<2) #define CC_NO_CLOSE (1<<3) void close_context(struct context *c, int sig, unsigned int flags); struct context_buffers *init_context_buffers(const struct frame *frame); void free_context_buffers(struct context_buffers *b); #define ISC_ERRORS (1<<0) #define ISC_SERVER (1<<1) void initialization_sequence_completed(struct context *c, const unsigned int flags); #ifdef ENABLE_MANAGEMENT void init_management(struct context *c); bool open_management(struct context *c); void close_management(void); void management_show_net_callback(void *arg, const int msglevel); #endif void init_management_callback_p2p(struct context *c); void uninit_management_callback(void); #ifdef ENABLE_PLUGIN void init_plugins(struct context *c); void open_plugins(struct context *c, const bool import_options, int init_point); #endif #endif /* ifndef INIT_H */ openvpn-2.4.4/src/openvpn/integer.h000066400000000000000000000056371316434344000173050ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifndef INTEGER_H #define INTEGER_H #include "error.h" /* * min/max functions */ static inline int max_int(int x, int y) { if (x > y) { return x; } else { return y; } } static inline int min_int(int x, int y) { if (x < y) { return x; } else { return y; } } static inline int constrain_int(int x, int min, int max) { if (min > max) { return min; } if (x < min) { return min; } else if (x > max) { return max; } else { return x; } } /* * Functions used for circular buffer index arithmetic. */ /* * Return x - y on a circle of circumference mod by shortest path. * * 0 <= x < mod * 0 <= y < mod */ static inline int modulo_subtract(int x, int y, int mod) { const int d1 = x - y; const int d2 = (x > y ? -mod : mod) + d1; ASSERT(0 <= x && x < mod && 0 <= y && y < mod); return abs(d1) > abs(d2) ? d2 : d1; } /* * Return x + y on a circle of circumference mod. * * 0 <= x < mod * -mod <= y <= mod */ static inline int modulo_add(int x, int y, int mod) { int sum = x + y; ASSERT(0 <= x && x < mod && -mod <= y && y <= mod); if (sum >= mod) { sum -= mod; } if (sum < 0) { sum += mod; } return sum; } /* * Return the next largest power of 2 * or u if u is a power of 2. */ static inline size_t adjust_power_of_2(size_t u) { size_t ret = 1; while (ret < u) { ret <<= 1; ASSERT(ret > 0); } return ret; } static inline int index_verify(int index, int size, const char *file, int line) { if (index < 0 || index >= size) { msg(M_FATAL, "Assertion Failed: Array index=%d out of bounds for array size=%d in %s:%d", index, size, file, line); } return index; } #endif /* ifndef INTEGER_H */ openvpn-2.4.4/src/openvpn/interval.c000066400000000000000000000044301316434344000174550ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) #include "config-msvc.h" #endif #include "syshead.h" #include "interval.h" #include "memdbg.h" void interval_init(struct interval *top, int horizon, int refresh) { CLEAR(*top); top->refresh = refresh; top->horizon = horizon; } bool event_timeout_trigger(struct event_timeout *et, struct timeval *tv, const int et_const_retry) { bool ret = false; const time_t local_now = now; if (et->defined) { int wakeup = (int) et->last + et->n - local_now; if (wakeup <= 0) { #if INTERVAL_DEBUG dmsg(D_INTERVAL, "EVENT event_timeout_trigger (%d) etcr=%d", et->n, et_const_retry); #endif if (et_const_retry < 0) { et->last = local_now; wakeup = et->n; ret = true; } else { wakeup = et_const_retry; } } if (tv && wakeup < tv->tv_sec) { #if INTERVAL_DEBUG dmsg(D_INTERVAL, "EVENT event_timeout_wakeup (%d/%d) etcr=%d", wakeup, et->n, et_const_retry); #endif tv->tv_sec = wakeup; tv->tv_usec = 0; } } return ret; } openvpn-2.4.4/src/openvpn/interval.h000066400000000000000000000140751316434344000174700ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ /* * The interval_ routines are designed to optimize the calling of a routine * (normally tls_multi_process()) which can be called less frequently * between triggers. */ #ifndef INTERVAL_H #define INTERVAL_H #include "otime.h" #define INTERVAL_DEBUG 0 /* * Designed to limit calls to expensive functions that need to be called * regularly. */ struct interval { interval_t refresh; interval_t horizon; time_t future_trigger; time_t last_action; time_t last_test_true; }; void interval_init(struct interval *top, int horizon, int refresh); /* * IF * last_action less than horizon seconds ago * OR last_test_true more than refresh seconds ago * OR hit future_trigger * THEN * return true * ELSE * set wakeup to the number of seconds until a true return * return false */ static inline bool interval_test(struct interval *top) { bool trigger = false; const time_t local_now = now; if (top->future_trigger && local_now >= top->future_trigger) { trigger = true; top->future_trigger = 0; } if (top->last_action + top->horizon > local_now || top->last_test_true + top->refresh <= local_now || trigger) { top->last_test_true = local_now; #if INTERVAL_DEBUG dmsg(D_INTERVAL, "INTERVAL interval_test true"); #endif return true; } else { return false; } } static inline void interval_schedule_wakeup(struct interval *top, interval_t *wakeup) { const time_t local_now = now; interval_earliest_wakeup(wakeup, top->last_test_true + top->refresh, local_now); interval_earliest_wakeup(wakeup, top->future_trigger, local_now); #if INTERVAL_DEBUG dmsg(D_INTERVAL, "INTERVAL interval_schedule wakeup=%d", (int)*wakeup); #endif } /* * In wakeup seconds, interval_test will return true once. */ static inline void interval_future_trigger(struct interval *top, interval_t wakeup) { if (wakeup) { #if INTERVAL_DEBUG dmsg(D_INTERVAL, "INTERVAL interval_future_trigger %d", (int)wakeup); #endif top->future_trigger = now + wakeup; } } /* * Once an action is triggered, interval_test will remain true for * horizon seconds. */ static inline void interval_action(struct interval *top) { #if INTERVAL_DEBUG dmsg(D_INTERVAL, "INTERVAL action"); #endif top->last_action = now; } /* * Measure when n seconds beyond an event have elapsed */ struct event_timeout { bool defined; interval_t n; time_t last; /* time of last event */ }; static inline bool event_timeout_defined(const struct event_timeout *et) { return et->defined; } static inline void event_timeout_clear(struct event_timeout *et) { et->defined = false; et->n = 0; et->last = 0; } static inline struct event_timeout event_timeout_clear_ret(void) { struct event_timeout ret; event_timeout_clear(&ret); return ret; } static inline void event_timeout_init(struct event_timeout *et, interval_t n, const time_t local_now) { et->defined = true; et->n = (n >= 0) ? n : 0; et->last = local_now; } static inline void event_timeout_reset(struct event_timeout *et) { if (et->defined) { et->last = now; } } static inline void event_timeout_modify_wakeup(struct event_timeout *et, interval_t n) { /* note that you might need to call reset_coarse_timers after this */ if (et->defined) { et->n = (n >= 0) ? n : 0; } } /* * Will return the time left for a timeout, this function does not check * if the timeout is actually valid */ static inline interval_t event_timeout_remaining(struct event_timeout *et) { return (int) et->last + et->n - now; } /* * This is the principal function for testing and triggering recurring * timers and will return true on a timer signal event. * If et_const_retry == ETT_DEFAULT and a signal occurs, * the function will return true and *et will be armed for the * next event. If et_const_retry >= 0 and a signal occurs, * *et will not be touched, but *tv will be set to * minimum (*tv, et_const_retry) for a future re-test, * and the function will return true. */ #define ETT_DEFAULT (-1) bool event_timeout_trigger(struct event_timeout *et, struct timeval *tv, const int et_const_retry); /* * Measure time intervals in microseconds */ #define USEC_TIMER_MAX 60 /* maximum interval size in seconds */ #define USEC_TIMER_MAX_USEC (USEC_TIMER_MAX * 1000000) struct usec_timer { struct timeval start; struct timeval end; }; #ifdef HAVE_GETTIMEOFDAY static inline void usec_timer_start(struct usec_timer *obj) { CLEAR(*obj); openvpn_gettimeofday(&obj->start, NULL); } static inline void usec_timer_end(struct usec_timer *obj) { openvpn_gettimeofday(&obj->end, NULL); } #endif /* HAVE_GETTIMEOFDAY */ static inline bool usec_timer_interval_defined(struct usec_timer *obj) { return obj->start.tv_sec && obj->end.tv_sec; } static inline int usec_timer_interval(struct usec_timer *obj) { return tv_subtract(&obj->end, &obj->start, USEC_TIMER_MAX); } #endif /* INTERVAL_H */ openvpn-2.4.4/src/openvpn/list.c000066400000000000000000000424561316434344000166160ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) #include "config-msvc.h" #endif #include "syshead.h" #if P2MP_SERVER #include "integer.h" #include "list.h" #include "misc.h" #include "memdbg.h" struct hash * hash_init(const int n_buckets, const uint32_t iv, uint32_t (*hash_function)(const void *key, uint32_t iv), bool (*compare_function)(const void *key1, const void *key2)) { struct hash *h; int i; ASSERT(n_buckets > 0); ALLOC_OBJ_CLEAR(h, struct hash); h->n_buckets = (int) adjust_power_of_2(n_buckets); h->mask = h->n_buckets - 1; h->hash_function = hash_function; h->compare_function = compare_function; h->iv = iv; ALLOC_ARRAY(h->buckets, struct hash_bucket, h->n_buckets); for (i = 0; i < h->n_buckets; ++i) { struct hash_bucket *b = &h->buckets[i]; b->list = NULL; } return h; } void hash_free(struct hash *hash) { int i; for (i = 0; i < hash->n_buckets; ++i) { struct hash_bucket *b = &hash->buckets[i]; struct hash_element *he = b->list; while (he) { struct hash_element *next = he->next; free(he); he = next; } } free(hash->buckets); free(hash); } struct hash_element * hash_lookup_fast(struct hash *hash, struct hash_bucket *bucket, const void *key, uint32_t hv) { struct hash_element *he; struct hash_element *prev = NULL; he = bucket->list; while (he) { if (hv == he->hash_value && (*hash->compare_function)(key, he->key)) { /* move to head of list */ if (prev) { prev->next = he->next; he->next = bucket->list; bucket->list = he; } return he; } prev = he; he = he->next; } return NULL; } bool hash_remove_fast(struct hash *hash, struct hash_bucket *bucket, const void *key, uint32_t hv) { struct hash_element *he; struct hash_element *prev = NULL; he = bucket->list; while (he) { if (hv == he->hash_value && (*hash->compare_function)(key, he->key)) { if (prev) { prev->next = he->next; } else { bucket->list = he->next; } free(he); --hash->n_elements; return true; } prev = he; he = he->next; } return false; } bool hash_add(struct hash *hash, const void *key, void *value, bool replace) { uint32_t hv; struct hash_bucket *bucket; struct hash_element *he; bool ret = false; hv = hash_value(hash, key); bucket = &hash->buckets[hv & hash->mask]; if ((he = hash_lookup_fast(hash, bucket, key, hv))) /* already exists? */ { if (replace) { he->value = value; ret = true; } } else { hash_add_fast(hash, bucket, key, hv, value); ret = true; } return ret; } void hash_remove_by_value(struct hash *hash, void *value) { struct hash_iterator hi; struct hash_element *he; hash_iterator_init(hash, &hi); while ((he = hash_iterator_next(&hi))) { if (he->value == value) { hash_iterator_delete_element(&hi); } } hash_iterator_free(&hi); } static void hash_remove_marked(struct hash *hash, struct hash_bucket *bucket) { struct hash_element *prev = NULL; struct hash_element *he = bucket->list; while (he) { if (!he->key) /* marked? */ { struct hash_element *newhe; if (prev) { newhe = prev->next = he->next; } else { newhe = bucket->list = he->next; } free(he); --hash->n_elements; he = newhe; } else { prev = he; he = he->next; } } } uint32_t void_ptr_hash_function(const void *key, uint32_t iv) { return hash_func((const void *)&key, sizeof(key), iv); } bool void_ptr_compare_function(const void *key1, const void *key2) { return key1 == key2; } void hash_iterator_init_range(struct hash *hash, struct hash_iterator *hi, int start_bucket, int end_bucket) { if (end_bucket > hash->n_buckets) { end_bucket = hash->n_buckets; } ASSERT(start_bucket >= 0 && start_bucket <= end_bucket); hi->hash = hash; hi->elem = NULL; hi->bucket = NULL; hi->last = NULL; hi->bucket_marked = false; hi->bucket_index_start = start_bucket; hi->bucket_index_end = end_bucket; hi->bucket_index = hi->bucket_index_start - 1; } void hash_iterator_init(struct hash *hash, struct hash_iterator *hi) { hash_iterator_init_range(hash, hi, 0, hash->n_buckets); } static inline void hash_iterator_lock(struct hash_iterator *hi, struct hash_bucket *b) { hi->bucket = b; hi->last = NULL; hi->bucket_marked = false; } static inline void hash_iterator_unlock(struct hash_iterator *hi) { if (hi->bucket) { if (hi->bucket_marked) { hash_remove_marked(hi->hash, hi->bucket); hi->bucket_marked = false; } hi->bucket = NULL; hi->last = NULL; } } static inline void hash_iterator_advance(struct hash_iterator *hi) { hi->last = hi->elem; hi->elem = hi->elem->next; } void hash_iterator_free(struct hash_iterator *hi) { hash_iterator_unlock(hi); } struct hash_element * hash_iterator_next(struct hash_iterator *hi) { struct hash_element *ret = NULL; if (hi->elem) { ret = hi->elem; hash_iterator_advance(hi); } else { while (++hi->bucket_index < hi->bucket_index_end) { struct hash_bucket *b; hash_iterator_unlock(hi); b = &hi->hash->buckets[hi->bucket_index]; if (b->list) { hash_iterator_lock(hi, b); hi->elem = b->list; if (hi->elem) { ret = hi->elem; hash_iterator_advance(hi); break; } } } } return ret; } void hash_iterator_delete_element(struct hash_iterator *hi) { ASSERT(hi->last); hi->last->key = NULL; hi->bucket_marked = true; } #ifdef LIST_TEST /* * Test the hash code by implementing a simple * word frequency algorithm. */ struct word { const char *word; int n; }; static uint32_t word_hash_function(const void *key, uint32_t iv) { const char *str = (const char *) key; const int len = strlen(str); return hash_func((const uint8_t *)str, len, iv); } static bool word_compare_function(const void *key1, const void *key2) { return strcmp((const char *)key1, (const char *)key2) == 0; } static void print_nhash(struct hash *hash) { struct hash_iterator hi; struct hash_element *he; int count = 0; hash_iterator_init(hash, &hi, true); while ((he = hash_iterator_next(&hi))) { printf("%d ", (int) he->value); ++count; } printf("\n"); hash_iterator_free(&hi); ASSERT(count == hash_n_elements(hash)); } static void rmhash(struct hash *hash, const char *word) { hash_remove(hash, word); } void list_test(void) { openvpn_thread_init(); { struct gc_arena gc = gc_new(); struct hash *hash = hash_init(10000, get_random(), word_hash_function, word_compare_function); struct hash *nhash = hash_init(256, get_random(), word_hash_function, word_compare_function); printf("hash_init n_buckets=%d mask=0x%08x\n", hash->n_buckets, hash->mask); /* parse words from stdin */ while (true) { char buf[256]; char wordbuf[256]; int wbi; int bi; char c; if (!fgets(buf, sizeof(buf), stdin)) { break; } bi = wbi = 0; do { c = buf[bi++]; if (isalnum(c) || c == '_') { ASSERT(wbi < (int) sizeof(wordbuf)); wordbuf[wbi++] = c; } else { if (wbi) { struct word *w; ASSERT(wbi < (int) sizeof(wordbuf)); wordbuf[wbi++] = '\0'; /* word is parsed from stdin */ /* does it already exist in table? */ w = (struct word *) hash_lookup(hash, wordbuf); if (w) { /* yes, increment count */ ++w->n; } else { /* no, make a new object */ ALLOC_OBJ_GC(w, struct word, &gc); w->word = string_alloc(wordbuf, &gc); w->n = 1; ASSERT(hash_add(hash, w->word, w, false)); ASSERT(hash_add(nhash, w->word, (void *) ((random() & 0x0F) + 1), false)); } } wbi = 0; } } while (c); } #if 1 /* remove some words from the table */ { rmhash(hash, "true"); rmhash(hash, "false"); } #endif /* output contents of hash table */ { int base; int inc = 0; int count = 0; for (base = 0; base < hash_n_buckets(hash); base += inc) { struct hash_iterator hi; struct hash_element *he; inc = (get_random() % 3) + 1; hash_iterator_init_range(hash, &hi, true, base, base + inc); while ((he = hash_iterator_next(&hi))) { struct word *w = (struct word *) he->value; printf("%6d '%s'\n", w->n, w->word); ++count; } hash_iterator_free(&hi); } ASSERT(count == hash_n_elements(hash)); } #if 1 /* test hash_remove_by_value function */ { int i; for (i = 1; i <= 16; ++i) { printf("[%d] ***********************************\n", i); print_nhash(nhash); hash_remove_by_value(nhash, (void *) i, true); } printf("FINAL **************************\n"); print_nhash(nhash); } #endif hash_free(hash); hash_free(nhash); gc_free(&gc); } openvpn_thread_cleanup(); } #endif /* ifdef LIST_TEST */ /* * -------------------------------------------------------------------- * hash() -- hash a variable-length key into a 32-bit value * k : the key (the unaligned variable-length array of bytes) * len : the length of the key, counting by bytes * level : can be any 4-byte value * Returns a 32-bit value. Every bit of the key affects every bit of * the return value. Every 1-bit and 2-bit delta achieves avalanche. * About 36+6len instructions. * * The best hash table sizes are powers of 2. There is no need to do * mod a prime (mod is sooo slow!). If you need less than 32 bits, * use a bitmask. For example, if you need only 10 bits, do * h = (h & hashmask(10)); * In which case, the hash table should have hashsize(10) elements. * * If you are hashing n strings (uint8_t **)k, do it like this: * for (i=0, h=0; i>13); * b -= c; a ^= x; * b -= a; x = (a<<8); * c -= a; b ^= x; * c -= b; x = (b>>13); * ... * Unfortunately, superscalar Pentiums and Sparcs can't take advantage * of that parallelism. They've also turned some of those single-cycle * latency instructions into multi-cycle latency instructions. Still, * this is the fastest good hash I could find. There were about 2^^68 * to choose from. I only looked at a billion or so. * * James Yonan Notes: * * This function is faster than it looks, and appears to be * appropriate for our usage in OpenVPN which is primarily * for hash-table based address lookup (IPv4, IPv6, and Ethernet MAC). * NOTE: This function is never used for cryptographic purposes, only * to produce evenly-distributed indexes into hash tables. * * Benchmark results: 11.39 machine cycles per byte on a P2 266Mhz, * and 12.1 machine cycles per byte on a * 2.2 Ghz P4 when hashing a 6 byte string. * -------------------------------------------------------------------- */ #define mix(a,b,c) \ { \ a -= b; a -= c; a ^= (c>>13); \ b -= c; b -= a; b ^= (a<<8); \ c -= a; c -= b; c ^= (b>>13); \ a -= b; a -= c; a ^= (c>>12); \ b -= c; b -= a; b ^= (a<<16); \ c -= a; c -= b; c ^= (b>>5); \ a -= b; a -= c; a ^= (c>>3); \ b -= c; b -= a; b ^= (a<<10); \ c -= a; c -= b; c ^= (b>>15); \ } uint32_t hash_func(const uint8_t *k, uint32_t length, uint32_t initval) { uint32_t a, b, c, len; /* Set up the internal state */ len = length; a = b = 0x9e3779b9; /* the golden ratio; an arbitrary value */ c = initval; /* the previous hash value */ /*---------------------------------------- handle most of the key */ while (len >= 12) { a += (k[0] + ((uint32_t) k[1] << 8) + ((uint32_t) k[2] << 16) + ((uint32_t) k[3] << 24)); b += (k[4] + ((uint32_t) k[5] << 8) + ((uint32_t) k[6] << 16) + ((uint32_t) k[7] << 24)); c += (k[8] + ((uint32_t) k[9] << 8) + ((uint32_t) k[10] << 16) + ((uint32_t) k[11] << 24)); mix(a, b, c); k += 12; len -= 12; } /*------------------------------------- handle the last 11 bytes */ c += length; switch (len) /* all the case statements fall through */ { case 11: c += ((uint32_t) k[10] << 24); case 10: c += ((uint32_t) k[9] << 16); case 9: c += ((uint32_t) k[8] << 8); /* the first byte of c is reserved for the length */ case 8: b += ((uint32_t) k[7] << 24); case 7: b += ((uint32_t) k[6] << 16); case 6: b += ((uint32_t) k[5] << 8); case 5: b += k[4]; case 4: a += ((uint32_t) k[3] << 24); case 3: a += ((uint32_t) k[2] << 16); case 2: a += ((uint32_t) k[1] << 8); case 1: a += k[0]; /* case 0: nothing left to add */ } mix(a, b, c); /*-------------------------------------- report the result */ return c; } #else /* if P2MP_SERVER */ static void dummy(void) { } #endif /* P2MP_SERVER */ openvpn-2.4.4/src/openvpn/list.h000066400000000000000000000122501316434344000166100ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifndef LIST_H #define LIST_H /* * This code is a fairly straightforward hash * table implementation using Bob Jenkins' * hash function. * * Hash tables are used in OpenVPN to keep track of * client instances over various key spaces. */ #if P2MP_SERVER /* define this to enable special list test mode */ /*#define LIST_TEST*/ #include "basic.h" #include "buffer.h" #define hashsize(n) ((uint32_t)1<<(n)) #define hashmask(n) (hashsize(n)-1) struct hash_element { void *value; const void *key; unsigned int hash_value; struct hash_element *next; }; struct hash_bucket { struct hash_element *list; }; struct hash { int n_buckets; int n_elements; int mask; uint32_t iv; uint32_t (*hash_function)(const void *key, uint32_t iv); bool (*compare_function)(const void *key1, const void *key2); /* return true if equal */ struct hash_bucket *buckets; }; struct hash *hash_init(const int n_buckets, const uint32_t iv, uint32_t (*hash_function)(const void *key, uint32_t iv), bool (*compare_function)(const void *key1, const void *key2)); void hash_free(struct hash *hash); bool hash_add(struct hash *hash, const void *key, void *value, bool replace); struct hash_element *hash_lookup_fast(struct hash *hash, struct hash_bucket *bucket, const void *key, uint32_t hv); bool hash_remove_fast(struct hash *hash, struct hash_bucket *bucket, const void *key, uint32_t hv); void hash_remove_by_value(struct hash *hash, void *value); struct hash_iterator { struct hash *hash; int bucket_index; struct hash_bucket *bucket; struct hash_element *elem; struct hash_element *last; bool bucket_marked; int bucket_index_start; int bucket_index_end; }; void hash_iterator_init_range(struct hash *hash, struct hash_iterator *hi, int start_bucket, int end_bucket); void hash_iterator_init(struct hash *hash, struct hash_iterator *iter); struct hash_element *hash_iterator_next(struct hash_iterator *hi); void hash_iterator_delete_element(struct hash_iterator *hi); void hash_iterator_free(struct hash_iterator *hi); uint32_t hash_func(const uint8_t *k, uint32_t length, uint32_t initval); uint32_t void_ptr_hash_function(const void *key, uint32_t iv); bool void_ptr_compare_function(const void *key1, const void *key2); #ifdef LIST_TEST void list_test(void); #endif static inline uint32_t hash_value(const struct hash *hash, const void *key) { return (*hash->hash_function)(key, hash->iv); } static inline int hash_n_elements(const struct hash *hash) { return hash->n_elements; } static inline int hash_n_buckets(const struct hash *hash) { return hash->n_buckets; } static inline struct hash_bucket * hash_bucket(struct hash *hash, uint32_t hv) { return &hash->buckets[hv & hash->mask]; } static inline void * hash_lookup(struct hash *hash, const void *key) { void *ret = NULL; struct hash_element *he; uint32_t hv = hash_value(hash, key); struct hash_bucket *bucket = &hash->buckets[hv & hash->mask]; he = hash_lookup_fast(hash, bucket, key, hv); if (he) { ret = he->value; } return ret; } /* NOTE: assumes that key is not a duplicate */ static inline void hash_add_fast(struct hash *hash, struct hash_bucket *bucket, const void *key, uint32_t hv, void *value) { struct hash_element *he; ALLOC_OBJ(he, struct hash_element); he->value = value; he->key = key; he->hash_value = hv; he->next = bucket->list; bucket->list = he; ++hash->n_elements; } static inline bool hash_remove(struct hash *hash, const void *key) { uint32_t hv; struct hash_bucket *bucket; bool ret; hv = hash_value(hash, key); bucket = &hash->buckets[hv & hash->mask]; ret = hash_remove_fast(hash, bucket, key, hv); return ret; } #endif /* P2MP_SERVER */ #endif /* LIST */ openvpn-2.4.4/src/openvpn/lladdr.c000066400000000000000000000033641316434344000171000ustar00rootroot00000000000000/* * Support routine for configuring link layer address */ #ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) #include "config-msvc.h" #endif #include "syshead.h" #include "error.h" #include "misc.h" int set_lladdr(const char *ifname, const char *lladdr, const struct env_set *es) { struct argv argv = argv_new(); int r; if (!ifname || !lladdr) { return -1; } #if defined(TARGET_LINUX) #ifdef ENABLE_IPROUTE argv_printf(&argv, "%s link set addr %s dev %s", iproute_path, lladdr, ifname); #else argv_printf(&argv, "%s %s hw ether %s", IFCONFIG_PATH, ifname, lladdr); #endif #elif defined(TARGET_SOLARIS) argv_printf(&argv, "%s %s ether %s", IFCONFIG_PATH, ifname, lladdr); #elif defined(TARGET_OPENBSD) argv_printf(&argv, "%s %s lladdr %s", IFCONFIG_PATH, ifname, lladdr); #elif defined(TARGET_DARWIN) argv_printf(&argv, "%s %s lladdr %s", IFCONFIG_PATH, ifname, lladdr); #elif defined(TARGET_FREEBSD) argv_printf(&argv, "%s %s ether %s", IFCONFIG_PATH, ifname, lladdr); #else /* if defined(TARGET_LINUX) */ msg(M_WARN, "Sorry, but I don't know how to configure link layer addresses on this operating system."); return -1; #endif /* if defined(TARGET_LINUX) */ argv_msg(M_INFO, &argv); r = openvpn_execve_check(&argv, es, M_WARN, "ERROR: Unable to set link layer address."); if (r) { msg(M_INFO, "TUN/TAP link layer address set to %s", lladdr); } argv_reset(&argv); return r; } openvpn-2.4.4/src/openvpn/lladdr.h000066400000000000000000000002621316434344000170770ustar00rootroot00000000000000/* * Support routine for configuring link layer address */ #include "misc.h" int set_lladdr(const char *ifname, const char *lladdr, const struct env_set *es); openvpn-2.4.4/src/openvpn/lzo.c000066400000000000000000000157311316434344000164430ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ /** * @file Data Channel Compression module function definitions. */ #ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) #include "config-msvc.h" #endif #include "syshead.h" #if defined(ENABLE_LZO) #include "comp.h" #include "error.h" #include "otime.h" #include "memdbg.h" /** * Perform adaptive compression housekeeping. * * @param ac the adaptive compression state structure. * * @return */ static bool lzo_adaptive_compress_test(struct lzo_adaptive_compress *ac) { const bool save = ac->compress_state; const time_t local_now = now; if (!ac->compress_state) { if (local_now >= ac->next) { if (ac->n_total > AC_MIN_BYTES && (ac->n_total - ac->n_comp) < (ac->n_total / (100 / AC_SAVE_PCT))) { ac->compress_state = true; ac->next = local_now + AC_OFF_SEC; } else { ac->next = local_now + AC_SAMP_SEC; } dmsg(D_COMP, "lzo_adaptive_compress_test: comp=%d total=%d", ac->n_comp, ac->n_total); ac->n_total = ac->n_comp = 0; } } else { if (local_now >= ac->next) { ac->next = local_now + AC_SAMP_SEC; ac->n_total = ac->n_comp = 0; ac->compress_state = false; } } if (ac->compress_state != save) { dmsg(D_COMP_LOW, "Adaptive compression state %s", (ac->compress_state ? "OFF" : "ON")); } return !ac->compress_state; } static inline void lzo_adaptive_compress_data(struct lzo_adaptive_compress *ac, int n_total, int n_comp) { ac->n_total += n_total; ac->n_comp += n_comp; } static void lzo_compress_init(struct compress_context *compctx) { msg(D_INIT_MEDIUM, "LZO compression initializing"); ASSERT(!(compctx->flags & COMP_F_SWAP)); compctx->wu.lzo.wmem_size = LZO_WORKSPACE; if (lzo_init() != LZO_E_OK) { msg(M_FATAL, "Cannot initialize LZO compression library"); } compctx->wu.lzo.wmem = (lzo_voidp) lzo_malloc(compctx->wu.lzo.wmem_size); check_malloc_return(compctx->wu.lzo.wmem); } static void lzo_compress_uninit(struct compress_context *compctx) { lzo_free(compctx->wu.lzo.wmem); compctx->wu.lzo.wmem = NULL; } static inline bool lzo_compression_enabled(struct compress_context *compctx) { if (compctx->flags & COMP_F_ASYM) { return false; } else { if (compctx->flags & COMP_F_ADAPTIVE) { return lzo_adaptive_compress_test(&compctx->wu.lzo.ac); } else { return true; } } } static void lzo_compress(struct buffer *buf, struct buffer work, struct compress_context *compctx, const struct frame *frame) { lzo_uint zlen = 0; int err; bool compressed = false; if (buf->len <= 0) { return; } /* * In order to attempt compression, length must be at least COMPRESS_THRESHOLD, * and our adaptive level must give the OK. */ if (buf->len >= COMPRESS_THRESHOLD && lzo_compression_enabled(compctx)) { const size_t ps = PAYLOAD_SIZE(frame); ASSERT(buf_init(&work, FRAME_HEADROOM(frame))); ASSERT(buf_safe(&work, ps + COMP_EXTRA_BUFFER(ps))); if (buf->len > ps) { dmsg(D_COMP_ERRORS, "LZO compression buffer overflow"); buf->len = 0; return; } err = LZO_COMPRESS(BPTR(buf), BLEN(buf), BPTR(&work), &zlen, compctx->wu.lzo.wmem); if (err != LZO_E_OK) { dmsg(D_COMP_ERRORS, "LZO compression error: %d", err); buf->len = 0; return; } ASSERT(buf_safe(&work, zlen)); work.len = zlen; compressed = true; dmsg(D_COMP, "LZO compress %d -> %d", buf->len, work.len); compctx->pre_compress += buf->len; compctx->post_compress += work.len; /* tell adaptive level about our success or lack thereof in getting any size reduction */ if (compctx->flags & COMP_F_ADAPTIVE) { lzo_adaptive_compress_data(&compctx->wu.lzo.ac, buf->len, work.len); } } /* did compression save us anything ? */ if (compressed && work.len < buf->len) { uint8_t *header = buf_prepend(&work, 1); *header = LZO_COMPRESS_BYTE; *buf = work; } else { uint8_t *header = buf_prepend(buf, 1); *header = NO_COMPRESS_BYTE; } } static void lzo_decompress(struct buffer *buf, struct buffer work, struct compress_context *compctx, const struct frame *frame) { lzo_uint zlen = EXPANDED_SIZE(frame); int err; uint8_t c; /* flag indicating whether or not our peer compressed */ if (buf->len <= 0) { return; } ASSERT(buf_init(&work, FRAME_HEADROOM(frame))); c = *BPTR(buf); ASSERT(buf_advance(buf, 1)); if (c == LZO_COMPRESS_BYTE) /* packet was compressed */ { ASSERT(buf_safe(&work, zlen)); err = LZO_DECOMPRESS(BPTR(buf), BLEN(buf), BPTR(&work), &zlen, compctx->wu.lzo.wmem); if (err != LZO_E_OK) { dmsg(D_COMP_ERRORS, "LZO decompression error: %d", err); buf->len = 0; return; } ASSERT(buf_safe(&work, zlen)); work.len = zlen; dmsg(D_COMP, "LZO decompress %d -> %d", buf->len, work.len); compctx->pre_decompress += buf->len; compctx->post_decompress += work.len; *buf = work; } else if (c == NO_COMPRESS_BYTE) /* packet was not compressed */ { } else { dmsg(D_COMP_ERRORS, "Bad LZO decompression header byte: %d", c); buf->len = 0; } } const struct compress_alg lzo_alg = { "lzo", lzo_compress_init, lzo_compress_uninit, lzo_compress, lzo_decompress }; #else /* if defined(ENABLE_LZO) */ static void dummy(void) { } #endif /* ENABLE_LZO */ openvpn-2.4.4/src/openvpn/lzo.h000066400000000000000000000100231316434344000164350ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifndef OPENVPN_LZO_H #define OPENVPN_LZO_H /** * @file * Data Channel Compression module header file. */ #if defined(ENABLE_LZO) /** * @addtogroup compression * @{ */ #if defined(HAVE_LZO_LZOUTIL_H) #include "lzo/lzoutil.h" #elif defined(HAVE_LZOUTIL_H) #include "lzoutil.h" #endif #if defined(HAVE_LZO_LZO1X_H) #include "lzo/lzo1x.h" #elif defined(HAVE_LZO1X_H) #include "lzo1x.h" #endif #include "buffer.h" #include "mtu.h" #include "common.h" #include "status.h" extern const struct compress_alg lzo_alg; /**************************************************************************/ /** @name LZO library interface defines *//** @{ *//***********************/ #define LZO_COMPRESS lzo1x_1_15_compress /**< LZO library compression function. * * Use \c lzo1x_1_15_compress because it * is described as faster than the * standard routine, although it does * need a bit more memory. */ #define LZO_WORKSPACE LZO1X_1_15_MEM_COMPRESS /**< The size in bytes of the memory * %buffer required by the LZO library * compression algorithm. */ #define LZO_DECOMPRESS lzo1x_decompress_safe /**< LZO library decompression function. * * Use safe decompress because it * includes checks for possible %buffer * overflows. If speed is essential and * you will always be using a MAC to * verify the integrity of incoming * packets, you might want to consider * using the non-safe version. */ /** @} name LZO library interface *//**************************************/ /**************************************************************************/ /** @name Adaptive compression defines *//** @{ *//************************/ #define AC_SAMP_SEC 2 /**< Number of seconds in a sample period. */ #define AC_MIN_BYTES 1000 /**< Minimum number of bytes a sample * period must contain for it to be * evaluated. */ #define AC_SAVE_PCT 5 /**< Minimum size reduction percentage * below which compression will be * turned off. */ #define AC_OFF_SEC 60 /**< Seconds to wait after compression has * been turned off before retesting. */ /** @} name Adaptive compression defines *//*******************************/ /** * Adaptive compression state. */ struct lzo_adaptive_compress { bool compress_state; time_t next; int n_total; int n_comp; }; /** * State for the compression and decompression routines. * * This structure contains compression module state, such as whether * compression is enabled and the status of the adaptive compression * routines. It also contains an allocated working buffer. * * One of these compression workspace structures is maintained for each * VPN tunnel. */ struct lzo_compress_workspace { lzo_voidp wmem; int wmem_size; struct lzo_adaptive_compress ac; }; /** @} addtogroup compression */ #endif /* ENABLE_LZO && USE_COMP */ #endif /* ifndef OPENVPN_LZO_H */ openvpn-2.4.4/src/openvpn/manage.c000066400000000000000000003220301316434344000170600ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) #include "config-msvc.h" #endif #include "syshead.h" #ifdef ENABLE_MANAGEMENT #include "error.h" #include "fdmisc.h" #include "options.h" #include "sig.h" #include "event.h" #include "otime.h" #include "integer.h" #include "misc.h" #include "ssl.h" #include "common.h" #include "manage.h" #include "memdbg.h" #ifdef ENABLE_PKCS11 #include "pkcs11.h" #endif #define MANAGEMENT_ECHO_PULL_INFO 0 #if MANAGEMENT_ECHO_PULL_INFO #define MANAGEMENT_ECHO_FLAGS LOG_PRINT_INTVAL #else #define MANAGEMENT_ECHO_FLAGS 0 #endif /* tag for blank username/password */ static const char blank_up[] = "[[BLANK]]"; struct management *management; /* GLOBAL */ /* static forward declarations */ static void man_output_standalone(struct management *man, volatile int *signal_received); static void man_reset_client_socket(struct management *man, const bool exiting); static void man_help(void) { msg(M_CLIENT, "Management Interface for %s", title_string); msg(M_CLIENT, "Commands:"); msg(M_CLIENT, "auth-retry t : Auth failure retry mode (none,interact,nointeract)."); msg(M_CLIENT, "bytecount n : Show bytes in/out, update every n secs (0=off)."); msg(M_CLIENT, "echo [on|off] [N|all] : Like log, but only show messages in echo buffer."); msg(M_CLIENT, "exit|quit : Close management session."); msg(M_CLIENT, "forget-passwords : Forget passwords entered so far."); msg(M_CLIENT, "help : Print this message."); msg(M_CLIENT, "hold [on|off|release] : Set/show hold flag to on/off state, or"); msg(M_CLIENT, " release current hold and start tunnel."); msg(M_CLIENT, "kill cn : Kill the client instance(s) having common name cn."); msg(M_CLIENT, "kill IP:port : Kill the client instance connecting from IP:port."); msg(M_CLIENT, "load-stats : Show global server load stats."); msg(M_CLIENT, "log [on|off] [N|all] : Turn on/off realtime log display"); msg(M_CLIENT, " + show last N lines or 'all' for entire history."); msg(M_CLIENT, "mute [n] : Set log mute level to n, or show level if n is absent."); msg(M_CLIENT, "needok type action : Enter confirmation for NEED-OK request of 'type',"); msg(M_CLIENT, " where action = 'ok' or 'cancel'."); msg(M_CLIENT, "needstr type action : Enter confirmation for NEED-STR request of 'type',"); msg(M_CLIENT, " where action is reply string."); msg(M_CLIENT, "net : (Windows only) Show network info and routing table."); msg(M_CLIENT, "password type p : Enter password p for a queried OpenVPN password."); msg(M_CLIENT, "remote type [host port] : Override remote directive, type=ACCEPT|MOD|SKIP."); msg(M_CLIENT, "proxy type [host port flags] : Enter dynamic proxy server info."); msg(M_CLIENT, "pid : Show process ID of the current OpenVPN process."); #ifdef ENABLE_PKCS11 msg(M_CLIENT, "pkcs11-id-count : Get number of available PKCS#11 identities."); msg(M_CLIENT, "pkcs11-id-get index : Get PKCS#11 identity at index."); #endif #ifdef MANAGEMENT_DEF_AUTH msg(M_CLIENT, "client-auth CID KID : Authenticate client-id/key-id CID/KID (MULTILINE)"); msg(M_CLIENT, "client-auth-nt CID KID : Authenticate client-id/key-id CID/KID"); msg(M_CLIENT, "client-deny CID KID R [CR] : Deny auth client-id/key-id CID/KID with log reason"); msg(M_CLIENT, " text R and optional client reason text CR"); msg(M_CLIENT, "client-kill CID [M] : Kill client instance CID with message M (def=RESTART)"); msg(M_CLIENT, "env-filter [level] : Set env-var filter level"); #ifdef MANAGEMENT_PF msg(M_CLIENT, "client-pf CID : Define packet filter for client CID (MULTILINE)"); #endif #endif #ifdef MANAGMENT_EXTERNAL_KEY msg(M_CLIENT, "rsa-sig : Enter an RSA signature in response to >RSA_SIGN challenge"); msg(M_CLIENT, " Enter signature base64 on subsequent lines followed by END"); msg(M_CLIENT, "certificate : Enter a client certificate in response to >NEED-CERT challenge"); msg(M_CLIENT, " Enter certificate base64 on subsequent lines followed by END"); #endif msg(M_CLIENT, "signal s : Send signal s to daemon,"); msg(M_CLIENT, " s = SIGHUP|SIGTERM|SIGUSR1|SIGUSR2."); msg(M_CLIENT, "state [on|off] [N|all] : Like log, but show state history."); msg(M_CLIENT, "status [n] : Show current daemon status info using format #n."); msg(M_CLIENT, "test n : Produce n lines of output for testing/debugging."); msg(M_CLIENT, "username type u : Enter username u for a queried OpenVPN username."); msg(M_CLIENT, "verb [n] : Set log verbosity level to n, or show if n is absent."); msg(M_CLIENT, "version : Show current version number."); msg(M_CLIENT, "END"); } static const char * man_state_name(const int state) { switch (state) { case OPENVPN_STATE_INITIAL: return "INITIAL"; case OPENVPN_STATE_CONNECTING: return "CONNECTING"; case OPENVPN_STATE_WAIT: return "WAIT"; case OPENVPN_STATE_AUTH: return "AUTH"; case OPENVPN_STATE_GET_CONFIG: return "GET_CONFIG"; case OPENVPN_STATE_ASSIGN_IP: return "ASSIGN_IP"; case OPENVPN_STATE_ADD_ROUTES: return "ADD_ROUTES"; case OPENVPN_STATE_CONNECTED: return "CONNECTED"; case OPENVPN_STATE_RECONNECTING: return "RECONNECTING"; case OPENVPN_STATE_EXITING: return "EXITING"; case OPENVPN_STATE_RESOLVE: return "RESOLVE"; case OPENVPN_STATE_TCP_CONNECT: return "TCP_CONNECT"; default: return "?"; } } static void man_welcome(struct management *man) { msg(M_CLIENT, ">INFO:OpenVPN Management Interface Version %d -- type 'help' for more info", MANAGEMENT_VERSION); if (man->persist.special_state_msg) { msg(M_CLIENT, "%s", man->persist.special_state_msg); } } static inline bool man_password_needed(struct management *man) { return man->settings.up.defined && !man->connection.password_verified; } static void man_check_password(struct management *man, const char *line) { if (man_password_needed(man)) { if (streq(line, man->settings.up.password)) { man->connection.password_verified = true; msg(M_CLIENT, "SUCCESS: password is correct"); man_welcome(man); } else { man->connection.password_verified = false; msg(M_CLIENT, "ERROR: bad password"); if (++man->connection.password_tries >= MANAGEMENT_N_PASSWORD_RETRIES) { msg(M_WARN, "MAN: client connection rejected after %d failed password attempts", MANAGEMENT_N_PASSWORD_RETRIES); man->connection.halt = true; } } } } static void man_update_io_state(struct management *man) { if (socket_defined(man->connection.sd_cli)) { if (buffer_list_defined(man->connection.out)) { man->connection.state = MS_CC_WAIT_WRITE; } else { man->connection.state = MS_CC_WAIT_READ; } } } static void man_output_list_push_finalize(struct management *man) { if (management_connected(man)) { man_update_io_state(man); if (!man->persist.standalone_disabled) { volatile int signal_received = 0; man_output_standalone(man, &signal_received); } } } static void man_output_list_push_str(struct management *man, const char *str) { if (management_connected(man) && str) { buffer_list_push(man->connection.out, (const unsigned char *) str); } } static void man_output_list_push(struct management *man, const char *str) { man_output_list_push_str(man, str); man_output_list_push_finalize(man); } static void man_prompt(struct management *man) { if (man_password_needed(man)) { man_output_list_push(man, "ENTER PASSWORD:"); } #if 0 /* should we use prompt? */ else { man_output_list_push(man, ">"); } #endif } static void man_delete_unix_socket(struct management *man) { #if UNIX_SOCK_SUPPORT if ((man->settings.flags & (MF_UNIX_SOCK|MF_CONNECT_AS_CLIENT)) == MF_UNIX_SOCK) { socket_delete_unix(&man->settings.local_unix); } #endif } static void man_close_socket(struct management *man, const socket_descriptor_t sd) { #ifndef _WIN32 /* * Windows doesn't need this because the ne32 event is permanently * enabled at struct management scope. */ if (man->persist.callback.delete_event) { (*man->persist.callback.delete_event)(man->persist.callback.arg, sd); } #endif openvpn_close_socket(sd); } static void virtual_output_callback_func(void *arg, const unsigned int flags, const char *str) { struct management *man = (struct management *) arg; static int recursive_level = 0; /* GLOBAL */ #define AF_DID_PUSH (1<<0) #define AF_DID_RESET (1<<1) if (!recursive_level) /* don't allow recursion */ { struct gc_arena gc = gc_new(); struct log_entry e; const char *out = NULL; unsigned int action_flags = 0; ++recursive_level; CLEAR(e); update_time(); e.timestamp = now; e.u.msg_flags = flags; e.string = str; if (flags & M_FATAL) { man->persist.standalone_disabled = false; } if (flags != M_CLIENT) { log_history_add(man->persist.log, &e); } if (!man_password_needed(man)) { if (flags == M_CLIENT) { out = log_entry_print(&e, LOG_PRINT_CRLF, &gc); } else if (man->connection.log_realtime) { out = log_entry_print(&e, LOG_PRINT_INT_DATE | LOG_PRINT_MSG_FLAGS | LOG_PRINT_LOG_PREFIX | LOG_PRINT_CRLF, &gc); } if (out) { man_output_list_push_str(man, out); action_flags |= AF_DID_PUSH; } if (flags & M_FATAL) { out = log_entry_print(&e, LOG_FATAL_NOTIFY|LOG_PRINT_CRLF, &gc); if (out) { man_output_list_push_str(man, out); action_flags |= (AF_DID_PUSH|AF_DID_RESET); } } } gc_free(&gc); if (action_flags & AF_DID_PUSH) { man_output_list_push_finalize(man); } if (action_flags & AF_DID_RESET) { man_reset_client_socket(man, true); } --recursive_level; } } /* * Given a signal, return the signal with possible remapping applied, * or -1 if the signal should be ignored. */ static int man_mod_signal(const struct management *man, const int signum) { const unsigned int flags = man->settings.mansig; int s = signum; if (s == SIGUSR1) { if (flags & MANSIG_MAP_USR1_TO_HUP) { s = SIGHUP; } if (flags & MANSIG_MAP_USR1_TO_TERM) { s = SIGTERM; } } if (flags & MANSIG_IGNORE_USR1_HUP) { if (s == SIGHUP || s == SIGUSR1) { s = -1; } } return s; } static void man_signal(struct management *man, const char *name) { const int sig = parse_signal(name); if (sig >= 0) { const int sig_mod = man_mod_signal(man, sig); if (sig_mod >= 0) { throw_signal(sig_mod); msg(M_CLIENT, "SUCCESS: signal %s thrown", signal_name(sig_mod, true)); } else { if (man->persist.special_state_msg) { msg(M_CLIENT, "%s", man->persist.special_state_msg); } else { msg(M_CLIENT, "ERROR: signal '%s' is currently ignored", name); } } } else { msg(M_CLIENT, "ERROR: signal '%s' is not a known signal type", name); } } static void man_status(struct management *man, const int version, struct status_output *so) { if (man->persist.callback.status) { (*man->persist.callback.status)(man->persist.callback.arg, version, so); } else { msg(M_CLIENT, "ERROR: The 'status' command is not supported by the current daemon mode"); } } static void man_bytecount(struct management *man, const int update_seconds) { if (update_seconds >= 0) { man->connection.bytecount_update_seconds = update_seconds; } else { man->connection.bytecount_update_seconds = 0; } msg(M_CLIENT, "SUCCESS: bytecount interval changed"); } void man_bytecount_output_client(struct management *man) { char in[32]; char out[32]; /* do in a roundabout way to work around possible mingw or mingw-glibc bug */ openvpn_snprintf(in, sizeof(in), counter_format, man->persist.bytes_in); openvpn_snprintf(out, sizeof(out), counter_format, man->persist.bytes_out); msg(M_CLIENT, ">BYTECOUNT:%s,%s", in, out); man->connection.bytecount_last_update = now; } #ifdef MANAGEMENT_DEF_AUTH void man_bytecount_output_server(struct management *man, const counter_type *bytes_in_total, const counter_type *bytes_out_total, struct man_def_auth_context *mdac) { char in[32]; char out[32]; /* do in a roundabout way to work around possible mingw or mingw-glibc bug */ openvpn_snprintf(in, sizeof(in), counter_format, *bytes_in_total); openvpn_snprintf(out, sizeof(out), counter_format, *bytes_out_total); msg(M_CLIENT, ">BYTECOUNT_CLI:%lu,%s,%s", mdac->cid, in, out); mdac->bytecount_last_update = now; } #endif static void man_kill(struct management *man, const char *victim) { struct gc_arena gc = gc_new(); if (man->persist.callback.kill_by_cn && man->persist.callback.kill_by_addr) { struct buffer buf; char p1[128]; char p2[128]; int n_killed; buf_set_read(&buf, (uint8_t *) victim, strlen(victim) + 1); buf_parse(&buf, ':', p1, sizeof(p1)); buf_parse(&buf, ':', p2, sizeof(p2)); if (strlen(p1) && strlen(p2)) { /* IP:port specified */ bool status; const in_addr_t addr = getaddr(GETADDR_HOST_ORDER|GETADDR_MSG_VIRT_OUT, p1, 0, &status, NULL); if (status) { const int port = atoi(p2); if (port > 0 && port < 65536) { n_killed = (*man->persist.callback.kill_by_addr)(man->persist.callback.arg, addr, port); if (n_killed > 0) { msg(M_CLIENT, "SUCCESS: %d client(s) at address %s:%d killed", n_killed, print_in_addr_t(addr, 0, &gc), port); } else { msg(M_CLIENT, "ERROR: client at address %s:%d not found", print_in_addr_t(addr, 0, &gc), port); } } else { msg(M_CLIENT, "ERROR: port number is out of range: %s", p2); } } else { msg(M_CLIENT, "ERROR: error parsing IP address: %s", p1); } } else if (strlen(p1)) { /* common name specified */ n_killed = (*man->persist.callback.kill_by_cn)(man->persist.callback.arg, p1); if (n_killed > 0) { msg(M_CLIENT, "SUCCESS: common name '%s' found, %d client(s) killed", p1, n_killed); } else { msg(M_CLIENT, "ERROR: common name '%s' not found", p1); } } else { msg(M_CLIENT, "ERROR: kill parse"); } } else { msg(M_CLIENT, "ERROR: The 'kill' command is not supported by the current daemon mode"); } gc_free(&gc); } /* * General-purpose history command handler * for the log and echo commands. */ static void man_history(struct management *man, const char *parm, const char *type, struct log_history *log, bool *realtime, const unsigned int lep_flags) { struct gc_arena gc = gc_new(); int n = 0; if (streq(parm, "on")) { *realtime = true; msg(M_CLIENT, "SUCCESS: real-time %s notification set to ON", type); } else if (streq(parm, "off")) { *realtime = false; msg(M_CLIENT, "SUCCESS: real-time %s notification set to OFF", type); } else if (streq(parm, "all") || (n = atoi(parm)) > 0) { const int size = log_history_size(log); const int start = (n ? n : size) - 1; int i; for (i = start; i >= 0; --i) { const struct log_entry *e = log_history_ref(log, i); if (e) { const char *out = log_entry_print(e, lep_flags, &gc); virtual_output_callback_func(man, M_CLIENT, out); } } msg(M_CLIENT, "END"); } else { msg(M_CLIENT, "ERROR: %s parameter must be 'on' or 'off' or some number n or 'all'", type); } gc_free(&gc); } static void man_log(struct management *man, const char *parm) { man_history(man, parm, "log", man->persist.log, &man->connection.log_realtime, LOG_PRINT_INT_DATE|LOG_PRINT_MSG_FLAGS); } static void man_echo(struct management *man, const char *parm) { man_history(man, parm, "echo", man->persist.echo, &man->connection.echo_realtime, LOG_PRINT_INT_DATE|MANAGEMENT_ECHO_FLAGS); } static void man_state(struct management *man, const char *parm) { man_history(man, parm, "state", man->persist.state, &man->connection.state_realtime, LOG_PRINT_INT_DATE|LOG_PRINT_STATE |LOG_PRINT_LOCAL_IP|LOG_PRINT_REMOTE_IP); } static void man_up_finalize(struct management *man) { switch (man->connection.up_query_mode) { case UP_QUERY_USER_PASS: if (!strlen(man->connection.up_query.username)) { break; } /* fall through */ case UP_QUERY_PASS: case UP_QUERY_NEED_OK: case UP_QUERY_NEED_STR: if (strlen(man->connection.up_query.password)) { man->connection.up_query.defined = true; } break; case UP_QUERY_DISABLED: man->connection.up_query.defined = false; break; default: ASSERT(0); } } static void man_query_user_pass(struct management *man, const char *type, const char *string, const bool needed, const char *prompt, char *dest, int len) { if (needed) { ASSERT(man->connection.up_query_type); if (streq(man->connection.up_query_type, type)) { strncpynt(dest, string, len); man_up_finalize(man); msg(M_CLIENT, "SUCCESS: '%s' %s entered, but not yet verified", type, prompt); } else { msg(M_CLIENT, "ERROR: %s of type '%s' entered, but we need one of type '%s'", prompt, type, man->connection.up_query_type); } } else { msg(M_CLIENT, "ERROR: no %s is currently needed at this time", prompt); } } static void man_query_username(struct management *man, const char *type, const char *string) { const bool needed = ((man->connection.up_query_mode == UP_QUERY_USER_PASS ) && man->connection.up_query_type); man_query_user_pass(man, type, string, needed, "username", man->connection.up_query.username, USER_PASS_LEN); } static void man_query_password(struct management *man, const char *type, const char *string) { const bool needed = ((man->connection.up_query_mode == UP_QUERY_PASS || man->connection.up_query_mode == UP_QUERY_USER_PASS ) && man->connection.up_query_type); if (!string[0]) /* allow blank passwords to be passed through using the blank_up tag */ { string = blank_up; } man_query_user_pass(man, type, string, needed, "password", man->connection.up_query.password, USER_PASS_LEN); } static void man_query_need_ok(struct management *man, const char *type, const char *action) { const bool needed = ((man->connection.up_query_mode == UP_QUERY_NEED_OK) && man->connection.up_query_type); man_query_user_pass(man, type, action, needed, "needok-confirmation", man->connection.up_query.password, USER_PASS_LEN); } static void man_query_need_str(struct management *man, const char *type, const char *action) { const bool needed = ((man->connection.up_query_mode == UP_QUERY_NEED_STR) && man->connection.up_query_type); man_query_user_pass(man, type, action, needed, "needstr-string", man->connection.up_query.password, USER_PASS_LEN); } static void man_forget_passwords(struct management *man) { #ifdef ENABLE_CRYPTO ssl_purge_auth(false); msg(M_CLIENT, "SUCCESS: Passwords were forgotten"); #endif } static void man_net(struct management *man) { if (man->persist.callback.show_net) { (*man->persist.callback.show_net)(man->persist.callback.arg, M_CLIENT); } else { msg(M_CLIENT, "ERROR: The 'net' command is not supported by the current daemon mode"); } } #ifdef ENABLE_PKCS11 static void man_pkcs11_id_count(struct management *man) { msg(M_CLIENT, ">PKCS11ID-COUNT:%d", pkcs11_management_id_count()); } static void man_pkcs11_id_get(struct management *man, const int index) { char *id = NULL; char *base64 = NULL; if (pkcs11_management_id_get(index, &id, &base64)) { msg(M_CLIENT, ">PKCS11ID-ENTRY:'%d', ID:'%s', BLOB:'%s'", index, id, base64); } else { msg(M_CLIENT, ">PKCS11ID-ENTRY:'%d'", index); } if (id != NULL) { free(id); } if (base64 != NULL) { free(base64); } } #endif /* ifdef ENABLE_PKCS11 */ static void man_hold(struct management *man, const char *cmd) { if (cmd) { if (streq(cmd, "on")) { man->settings.flags |= MF_HOLD; msg(M_CLIENT, "SUCCESS: hold flag set to ON"); } else if (streq(cmd, "off")) { man->settings.flags &= ~MF_HOLD; msg(M_CLIENT, "SUCCESS: hold flag set to OFF"); } else if (streq(cmd, "release")) { man->persist.hold_release = true; msg(M_CLIENT, "SUCCESS: hold release succeeded"); } else { msg(M_CLIENT, "ERROR: bad hold command parameter"); } } else { msg(M_CLIENT, "SUCCESS: hold=%d", BOOL_CAST(man->settings.flags & MF_HOLD)); } } #ifdef MANAGEMENT_IN_EXTRA #define IER_RESET 0 #define IER_NEW 1 static void in_extra_reset(struct man_connection *mc, const int mode) { if (mc) { if (mode != IER_NEW) { mc->in_extra_cmd = IEC_UNDEF; #ifdef MANAGEMENT_DEF_AUTH mc->in_extra_cid = 0; mc->in_extra_kid = 0; #endif } if (mc->in_extra) { buffer_list_free(mc->in_extra); mc->in_extra = NULL; } if (mode == IER_NEW) { mc->in_extra = buffer_list_new(0); } } } static void in_extra_dispatch(struct management *man) { switch (man->connection.in_extra_cmd) { #ifdef MANAGEMENT_DEF_AUTH case IEC_CLIENT_AUTH: if (man->persist.callback.client_auth) { const bool status = (*man->persist.callback.client_auth) (man->persist.callback.arg, man->connection.in_extra_cid, man->connection.in_extra_kid, true, NULL, NULL, man->connection.in_extra); man->connection.in_extra = NULL; if (status) { msg(M_CLIENT, "SUCCESS: client-auth command succeeded"); } else { msg(M_CLIENT, "ERROR: client-auth command failed"); } } else { msg(M_CLIENT, "ERROR: The client-auth command is not supported by the current daemon mode"); } break; #endif /* ifdef MANAGEMENT_DEF_AUTH */ #ifdef MANAGEMENT_PF case IEC_CLIENT_PF: if (man->persist.callback.client_pf) { const bool status = (*man->persist.callback.client_pf) (man->persist.callback.arg, man->connection.in_extra_cid, man->connection.in_extra); man->connection.in_extra = NULL; if (status) { msg(M_CLIENT, "SUCCESS: client-pf command succeeded"); } else { msg(M_CLIENT, "ERROR: client-pf command failed"); } } else { msg(M_CLIENT, "ERROR: The client-pf command is not supported by the current daemon mode"); } break; #endif /* ifdef MANAGEMENT_PF */ #ifdef MANAGMENT_EXTERNAL_KEY case IEC_RSA_SIGN: man->connection.ext_key_state = EKS_READY; buffer_list_free(man->connection.ext_key_input); man->connection.ext_key_input = man->connection.in_extra; man->connection.in_extra = NULL; return; case IEC_CERTIFICATE: man->connection.ext_cert_state = EKS_READY; buffer_list_free(man->connection.ext_cert_input); man->connection.ext_cert_input = man->connection.in_extra; man->connection.in_extra = NULL; return; #endif } in_extra_reset(&man->connection, IER_RESET); } #endif /* MANAGEMENT_IN_EXTRA */ #ifdef MANAGEMENT_DEF_AUTH static bool parse_cid(const char *str, unsigned long *cid) { if (sscanf(str, "%lu", cid) == 1) { return true; } else { msg(M_CLIENT, "ERROR: cannot parse CID"); return false; } } static bool parse_kid(const char *str, unsigned int *kid) { if (sscanf(str, "%u", kid) == 1) { return true; } else { msg(M_CLIENT, "ERROR: cannot parse KID"); return false; } } static void man_client_auth(struct management *man, const char *cid_str, const char *kid_str, const bool extra) { struct man_connection *mc = &man->connection; mc->in_extra_cid = 0; mc->in_extra_kid = 0; if (parse_cid(cid_str, &mc->in_extra_cid) && parse_kid(kid_str, &mc->in_extra_kid)) { mc->in_extra_cmd = IEC_CLIENT_AUTH; in_extra_reset(mc, IER_NEW); if (!extra) { in_extra_dispatch(man); } } } static void man_client_deny(struct management *man, const char *cid_str, const char *kid_str, const char *reason, const char *client_reason) { unsigned long cid = 0; unsigned int kid = 0; if (parse_cid(cid_str, &cid) && parse_kid(kid_str, &kid)) { if (man->persist.callback.client_auth) { const bool status = (*man->persist.callback.client_auth) (man->persist.callback.arg, cid, kid, false, reason, client_reason, NULL); if (status) { msg(M_CLIENT, "SUCCESS: client-deny command succeeded"); } else { msg(M_CLIENT, "ERROR: client-deny command failed"); } } else { msg(M_CLIENT, "ERROR: The client-deny command is not supported by the current daemon mode"); } } } static void man_client_kill(struct management *man, const char *cid_str, const char *kill_msg) { unsigned long cid = 0; if (parse_cid(cid_str, &cid)) { if (man->persist.callback.kill_by_cid) { const bool status = (*man->persist.callback.kill_by_cid)(man->persist.callback.arg, cid, kill_msg); if (status) { msg(M_CLIENT, "SUCCESS: client-kill command succeeded"); } else { msg(M_CLIENT, "ERROR: client-kill command failed"); } } else { msg(M_CLIENT, "ERROR: The client-kill command is not supported by the current daemon mode"); } } } static void man_client_n_clients(struct management *man) { if (man->persist.callback.n_clients) { const int nclients = (*man->persist.callback.n_clients)(man->persist.callback.arg); msg(M_CLIENT, "SUCCESS: nclients=%d", nclients); } else { msg(M_CLIENT, "ERROR: The nclients command is not supported by the current daemon mode"); } } static void man_env_filter(struct management *man, const int level) { man->connection.env_filter_level = level; msg(M_CLIENT, "SUCCESS: env_filter_level=%d", level); } #ifdef MANAGEMENT_PF static void man_client_pf(struct management *man, const char *cid_str) { struct man_connection *mc = &man->connection; mc->in_extra_cid = 0; mc->in_extra_kid = 0; if (parse_cid(cid_str, &mc->in_extra_cid)) { mc->in_extra_cmd = IEC_CLIENT_PF; in_extra_reset(mc, IER_NEW); } } #endif /* MANAGEMENT_PF */ #endif /* MANAGEMENT_DEF_AUTH */ #ifdef MANAGMENT_EXTERNAL_KEY static void man_rsa_sig(struct management *man) { struct man_connection *mc = &man->connection; if (mc->ext_key_state == EKS_SOLICIT) { mc->ext_key_state = EKS_INPUT; mc->in_extra_cmd = IEC_RSA_SIGN; in_extra_reset(mc, IER_NEW); } else { msg(M_CLIENT, "ERROR: The rsa-sig command is not currently available"); } } static void man_certificate(struct management *man) { struct man_connection *mc = &man->connection; if (mc->ext_cert_state == EKS_SOLICIT) { mc->ext_cert_state = EKS_INPUT; mc->in_extra_cmd = IEC_CERTIFICATE; in_extra_reset(mc, IER_NEW); } else { msg(M_CLIENT, "ERROR: The certificate command is not currently available"); } } #endif /* ifdef MANAGMENT_EXTERNAL_KEY */ static void man_load_stats(struct management *man) { extern counter_type link_read_bytes_global; extern counter_type link_write_bytes_global; int nclients = 0; if (man->persist.callback.n_clients) { nclients = (*man->persist.callback.n_clients)(man->persist.callback.arg); } msg(M_CLIENT, "SUCCESS: nclients=%d,bytesin=" counter_format ",bytesout=" counter_format, nclients, link_read_bytes_global, link_write_bytes_global); } #define MN_AT_LEAST (1<<0) static bool man_need(struct management *man, const char **p, const int n, unsigned int flags) { int i; ASSERT(p[0]); for (i = 1; i <= n; ++i) { if (!p[i]) { msg(M_CLIENT, "ERROR: the '%s' command requires %s%d parameter%s", p[0], (flags & MN_AT_LEAST) ? "at least " : "", n, n > 1 ? "s" : ""); return false; } } return true; } static void man_proxy(struct management *man, const char **p) { if (man->persist.callback.proxy_cmd) { const bool status = (*man->persist.callback.proxy_cmd)(man->persist.callback.arg, p); if (status) { msg(M_CLIENT, "SUCCESS: proxy command succeeded"); } else { msg(M_CLIENT, "ERROR: proxy command failed"); } } else { msg(M_CLIENT, "ERROR: The proxy command is not supported by the current daemon mode"); } } static void man_remote(struct management *man, const char **p) { if (man->persist.callback.remote_cmd) { const bool status = (*man->persist.callback.remote_cmd)(man->persist.callback.arg, p); if (status) { msg(M_CLIENT, "SUCCESS: remote command succeeded"); } else { msg(M_CLIENT, "ERROR: remote command failed"); } } else { msg(M_CLIENT, "ERROR: The remote command is not supported by the current daemon mode"); } } #ifdef TARGET_ANDROID static void man_network_change(struct management *man, bool samenetwork) { /* Called to signal the OpenVPN that the network configuration has changed and * the client should either float or reconnect. * * The code is currently only used by ics-openvpn */ if (man->persist.callback.network_change) { int fd = (*man->persist.callback.network_change) (man->persist.callback.arg, samenetwork); man->connection.fdtosend = fd; msg(M_CLIENT, "PROTECTFD: fd '%d' sent to be protected", fd); if (fd == -2) { man_signal(man, "SIGUSR1"); } } } #endif static void man_dispatch_command(struct management *man, struct status_output *so, const char **p, const int nparms) { struct gc_arena gc = gc_new(); ASSERT(p[0]); if (streq(p[0], "exit") || streq(p[0], "quit")) { man->connection.halt = true; goto done; } else if (streq(p[0], "help")) { man_help(); } else if (streq(p[0], "version")) { msg(M_CLIENT, "OpenVPN Version: %s", title_string); msg(M_CLIENT, "Management Version: %d", MANAGEMENT_VERSION); msg(M_CLIENT, "END"); } else if (streq(p[0], "pid")) { msg(M_CLIENT, "SUCCESS: pid=%d", platform_getpid()); } #ifdef MANAGEMENT_DEF_AUTH else if (streq(p[0], "nclients")) { man_client_n_clients(man); } else if (streq(p[0], "env-filter")) { int level = 0; if (p[1]) { level = atoi(p[1]); } man_env_filter(man, level); } #endif else if (streq(p[0], "signal")) { if (man_need(man, p, 1, 0)) { man_signal(man, p[1]); } } #ifdef TARGET_ANDROID else if (streq(p[0], "network-change")) { bool samenetwork = false; if (p[1] && streq(p[1], "samenetwork")) { samenetwork = true; } man_network_change(man, samenetwork); } #endif else if (streq(p[0], "load-stats")) { man_load_stats(man); } else if (streq(p[0], "status")) { int version = 0; if (p[1]) { version = atoi(p[1]); } man_status(man, version, so); } else if (streq(p[0], "kill")) { if (man_need(man, p, 1, 0)) { man_kill(man, p[1]); } } else if (streq(p[0], "verb")) { if (p[1]) { const int level = atoi(p[1]); if (set_debug_level(level, 0)) { msg(M_CLIENT, "SUCCESS: verb level changed"); } else { msg(M_CLIENT, "ERROR: verb level is out of range"); } } else { msg(M_CLIENT, "SUCCESS: verb=%d", get_debug_level()); } } else if (streq(p[0], "mute")) { if (p[1]) { const int level = atoi(p[1]); if (set_mute_cutoff(level)) { msg(M_CLIENT, "SUCCESS: mute level changed"); } else { msg(M_CLIENT, "ERROR: mute level is out of range"); } } else { msg(M_CLIENT, "SUCCESS: mute=%d", get_mute_cutoff()); } } else if (streq(p[0], "auth-retry")) { #if P2MP if (p[1]) { if (auth_retry_set(M_CLIENT, p[1])) { msg(M_CLIENT, "SUCCESS: auth-retry parameter changed"); } else { msg(M_CLIENT, "ERROR: bad auth-retry parameter"); } } else { msg(M_CLIENT, "SUCCESS: auth-retry=%s", auth_retry_print()); } #else /* if P2MP */ msg(M_CLIENT, "ERROR: auth-retry feature is unavailable"); #endif } else if (streq(p[0], "state")) { if (!p[1]) { man_state(man, "1"); } else { if (p[1]) { man_state(man, p[1]); } if (p[2]) { man_state(man, p[2]); } } } else if (streq(p[0], "log")) { if (man_need(man, p, 1, MN_AT_LEAST)) { if (p[1]) { man_log(man, p[1]); } if (p[2]) { man_log(man, p[2]); } } } else if (streq(p[0], "echo")) { if (man_need(man, p, 1, MN_AT_LEAST)) { if (p[1]) { man_echo(man, p[1]); } if (p[2]) { man_echo(man, p[2]); } } } else if (streq(p[0], "username")) { if (man_need(man, p, 2, 0)) { man_query_username(man, p[1], p[2]); } } else if (streq(p[0], "password")) { if (man_need(man, p, 2, 0)) { man_query_password(man, p[1], p[2]); } } else if (streq(p[0], "forget-passwords")) { man_forget_passwords(man); } else if (streq(p[0], "needok")) { if (man_need(man, p, 2, 0)) { man_query_need_ok(man, p[1], p[2]); } } else if (streq(p[0], "needstr")) { if (man_need(man, p, 2, 0)) { man_query_need_str(man, p[1], p[2]); } } else if (streq(p[0], "net")) { man_net(man); } else if (streq(p[0], "hold")) { man_hold(man, p[1]); } else if (streq(p[0], "bytecount")) { if (man_need(man, p, 1, 0)) { man_bytecount(man, atoi(p[1])); } } #ifdef MANAGEMENT_DEF_AUTH else if (streq(p[0], "client-kill")) { if (man_need(man, p, 1, MN_AT_LEAST)) { man_client_kill(man, p[1], p[2]); } } else if (streq(p[0], "client-deny")) { if (man_need(man, p, 3, MN_AT_LEAST)) { man_client_deny(man, p[1], p[2], p[3], p[4]); } } else if (streq(p[0], "client-auth-nt")) { if (man_need(man, p, 2, 0)) { man_client_auth(man, p[1], p[2], false); } } else if (streq(p[0], "client-auth")) { if (man_need(man, p, 2, 0)) { man_client_auth(man, p[1], p[2], true); } } #ifdef MANAGEMENT_PF else if (streq(p[0], "client-pf")) { if (man_need(man, p, 1, 0)) { man_client_pf(man, p[1]); } } #endif #endif /* ifdef MANAGEMENT_DEF_AUTH */ #ifdef MANAGMENT_EXTERNAL_KEY else if (streq(p[0], "rsa-sig")) { man_rsa_sig(man); } else if (streq(p[0], "certificate")) { man_certificate(man); } #endif #ifdef ENABLE_PKCS11 else if (streq(p[0], "pkcs11-id-count")) { man_pkcs11_id_count(man); } else if (streq(p[0], "pkcs11-id-get")) { if (man_need(man, p, 1, 0)) { man_pkcs11_id_get(man, atoi(p[1])); } } #endif else if (streq(p[0], "proxy")) { if (man_need(man, p, 1, MN_AT_LEAST)) { man_proxy(man, p); } } else if (streq(p[0], "remote")) { if (man_need(man, p, 1, MN_AT_LEAST)) { man_remote(man, p); } } #if 1 else if (streq(p[0], "test")) { if (man_need(man, p, 1, 0)) { int i; const int n = atoi(p[1]); for (i = 0; i < n; ++i) { msg(M_CLIENT, "[%d] The purpose of this command is to generate large amounts of output.", i); } } } #endif else { msg(M_CLIENT, "ERROR: unknown command, enter 'help' for more options"); } done: gc_free(&gc); } #ifdef _WIN32 static void man_start_ne32(struct management *man) { switch (man->connection.state) { case MS_LISTEN: net_event_win32_start(&man->connection.ne32, FD_ACCEPT, man->connection.sd_top); break; case MS_CC_WAIT_READ: case MS_CC_WAIT_WRITE: net_event_win32_start(&man->connection.ne32, FD_READ|FD_WRITE|FD_CLOSE, man->connection.sd_cli); break; default: ASSERT(0); } } static void man_stop_ne32(struct management *man) { net_event_win32_stop(&man->connection.ne32); } #endif /* ifdef _WIN32 */ static void man_record_peer_info(struct management *man) { struct gc_arena gc = gc_new(); if (man->settings.write_peer_info_file) { bool success = false; #ifdef HAVE_GETSOCKNAME if (socket_defined(man->connection.sd_cli)) { struct sockaddr_in addr; socklen_t addrlen = sizeof(addr); int status; CLEAR(addr); status = getsockname(man->connection.sd_cli, (struct sockaddr *)&addr, &addrlen); if (!status && addrlen == sizeof(addr)) { const in_addr_t a = ntohl(addr.sin_addr.s_addr); const int p = ntohs(addr.sin_port); FILE *fp = platform_fopen(man->settings.write_peer_info_file, "w"); if (fp) { fprintf(fp, "%s\n%d\n", print_in_addr_t(a, 0, &gc), p); if (!fclose(fp)) { success = true; } } } } #endif /* ifdef HAVE_GETSOCKNAME */ if (!success) { msg(D_MANAGEMENT, "MANAGEMENT: failed to write peer info to file %s", man->settings.write_peer_info_file); throw_signal_soft(SIGTERM, "management-connect-failed"); } } gc_free(&gc); } static void man_connection_settings_reset(struct management *man) { man->connection.state_realtime = false; man->connection.log_realtime = false; man->connection.echo_realtime = false; man->connection.bytecount_update_seconds = 0; man->connection.password_verified = false; man->connection.password_tries = 0; man->connection.halt = false; man->connection.state = MS_CC_WAIT_WRITE; } static void man_new_connection_post(struct management *man, const char *description) { struct gc_arena gc = gc_new(); set_nonblock(man->connection.sd_cli); man_connection_settings_reset(man); #ifdef _WIN32 man_start_ne32(man); #endif #if UNIX_SOCK_SUPPORT if (man->settings.flags & MF_UNIX_SOCK) { msg(D_MANAGEMENT, "MANAGEMENT: %s %s", description, sockaddr_unix_name(&man->settings.local_unix, "NULL")); } else #endif msg(D_MANAGEMENT, "MANAGEMENT: %s %s", description, print_sockaddr(man->settings.local->ai_addr, &gc)); buffer_list_reset(man->connection.out); if (!man_password_needed(man)) { man_welcome(man); } man_prompt(man); man_update_io_state(man); gc_free(&gc); } #if UNIX_SOCK_SUPPORT static bool man_verify_unix_peer_uid_gid(struct management *man, const socket_descriptor_t sd) { if (socket_defined(sd) && (man->settings.client_uid != -1 || man->settings.client_gid != -1)) { static const char err_prefix[] = "MANAGEMENT: unix domain socket client connection rejected --"; int uid, gid; if (unix_socket_get_peer_uid_gid(man->connection.sd_cli, &uid, &gid)) { if (man->settings.client_uid != -1 && man->settings.client_uid != uid) { msg(D_MANAGEMENT, "%s UID of socket peer (%d) doesn't match required value (%d) as given by --management-client-user", err_prefix, uid, man->settings.client_uid); return false; } if (man->settings.client_gid != -1 && man->settings.client_gid != gid) { msg(D_MANAGEMENT, "%s GID of socket peer (%d) doesn't match required value (%d) as given by --management-client-group", err_prefix, gid, man->settings.client_gid); return false; } } else { msg(D_MANAGEMENT, "%s cannot get UID/GID of socket peer", err_prefix); return false; } } return true; } #endif /* if UNIX_SOCK_SUPPORT */ static void man_accept(struct management *man) { struct link_socket_actual act; CLEAR(act); /* * Accept the TCP or Unix domain socket client. */ #if UNIX_SOCK_SUPPORT if (man->settings.flags & MF_UNIX_SOCK) { struct sockaddr_un remote; man->connection.sd_cli = socket_accept_unix(man->connection.sd_top, &remote); if (!man_verify_unix_peer_uid_gid(man, man->connection.sd_cli)) { sd_close(&man->connection.sd_cli); } } else #endif man->connection.sd_cli = socket_do_accept(man->connection.sd_top, &act, false); if (socket_defined(man->connection.sd_cli)) { man->connection.remote = act.dest; if (socket_defined(man->connection.sd_top)) { #ifdef _WIN32 man_stop_ne32(man); #endif } man_new_connection_post(man, "Client connected from"); } } static void man_listen(struct management *man) { struct gc_arena gc = gc_new(); /* * Initialize state */ man->connection.state = MS_LISTEN; man->connection.sd_cli = SOCKET_UNDEFINED; /* * Initialize listening socket */ if (man->connection.sd_top == SOCKET_UNDEFINED) { #if UNIX_SOCK_SUPPORT if (man->settings.flags & MF_UNIX_SOCK) { man_delete_unix_socket(man); man->connection.sd_top = create_socket_unix(); socket_bind_unix(man->connection.sd_top, &man->settings.local_unix, "MANAGEMENT"); } else #endif { man->connection.sd_top = create_socket_tcp(man->settings.local); socket_bind(man->connection.sd_top, man->settings.local, man->settings.local->ai_family, "MANAGEMENT", false); } /* * Listen for connection */ if (listen(man->connection.sd_top, 1)) { msg(M_ERR, "MANAGEMENT: listen() failed"); } /* * Set misc socket properties */ set_nonblock(man->connection.sd_top); #if UNIX_SOCK_SUPPORT if (man->settings.flags & MF_UNIX_SOCK) { msg(D_MANAGEMENT, "MANAGEMENT: unix domain socket listening on %s", sockaddr_unix_name(&man->settings.local_unix, "NULL")); } else #endif msg(D_MANAGEMENT, "MANAGEMENT: TCP Socket listening on %s", print_sockaddr(man->settings.local->ai_addr, &gc)); } #ifdef _WIN32 man_start_ne32(man); #endif gc_free(&gc); } static void man_connect(struct management *man) { struct gc_arena gc = gc_new(); int status; int signal_received = 0; /* * Initialize state */ man->connection.state = MS_INITIAL; man->connection.sd_top = SOCKET_UNDEFINED; #if UNIX_SOCK_SUPPORT if (man->settings.flags & MF_UNIX_SOCK) { man->connection.sd_cli = create_socket_unix(); status = socket_connect_unix(man->connection.sd_cli, &man->settings.local_unix); if (!status && !man_verify_unix_peer_uid_gid(man, man->connection.sd_cli)) { #ifdef EPERM status = EPERM; #else status = 1; #endif sd_close(&man->connection.sd_cli); } } else #endif { man->connection.sd_cli = create_socket_tcp(man->settings.local); status = openvpn_connect(man->connection.sd_cli, man->settings.local->ai_addr, 5, &signal_received); } if (signal_received) { throw_signal(signal_received); goto done; } if (status) { #if UNIX_SOCK_SUPPORT if (man->settings.flags & MF_UNIX_SOCK) { msg(D_LINK_ERRORS | M_ERRNO, "MANAGEMENT: connect to unix socket %s failed", sockaddr_unix_name(&man->settings.local_unix, "NULL")); } else #endif msg(D_LINK_ERRORS | M_ERRNO, "MANAGEMENT: connect to %s failed", print_sockaddr(man->settings.local->ai_addr, &gc)); throw_signal_soft(SIGTERM, "management-connect-failed"); goto done; } man_record_peer_info(man); man_new_connection_post(man, "Connected to management server at"); done: gc_free(&gc); } static void man_reset_client_socket(struct management *man, const bool exiting) { if (socket_defined(man->connection.sd_cli)) { #ifdef _WIN32 man_stop_ne32(man); #endif man_close_socket(man, man->connection.sd_cli); man->connection.sd_cli = SOCKET_UNDEFINED; man->connection.state = MS_INITIAL; command_line_reset(man->connection.in); buffer_list_reset(man->connection.out); #ifdef MANAGEMENT_IN_EXTRA in_extra_reset(&man->connection, IER_RESET); #endif msg(D_MANAGEMENT, "MANAGEMENT: Client disconnected"); } if (!exiting) { #ifdef ENABLE_CRYPTO if (man->settings.flags & MF_FORGET_DISCONNECT) { ssl_purge_auth(false); } #endif if (man->settings.flags & MF_SIGNAL) { int mysig = man_mod_signal(man, SIGUSR1); if (mysig >= 0) { msg(D_MANAGEMENT, "MANAGEMENT: Triggering management signal"); throw_signal_soft(mysig, "management-disconnect"); } } if (man->settings.flags & MF_CONNECT_AS_CLIENT) { msg(D_MANAGEMENT, "MANAGEMENT: Triggering management exit"); throw_signal_soft(SIGTERM, "management-exit"); } else { man_listen(man); } } } static void man_process_command(struct management *man, const char *line) { struct gc_arena gc = gc_new(); struct status_output *so; int nparms; char *parms[MAX_PARMS+1]; CLEAR(parms); so = status_open(NULL, 0, -1, &man->persist.vout, 0); #ifdef MANAGEMENT_IN_EXTRA in_extra_reset(&man->connection, IER_RESET); #endif if (man_password_needed(man)) { man_check_password(man, line); } else { nparms = parse_line(line, parms, MAX_PARMS, "TCP", 0, M_CLIENT, &gc); if (parms[0] && streq(parms[0], "password")) { msg(D_MANAGEMENT_DEBUG, "MANAGEMENT: CMD 'password [...]'"); } else if (!streq(line, "load-stats")) { msg(D_MANAGEMENT_DEBUG, "MANAGEMENT: CMD '%s'", line); } #if 0 /* DEBUGGING -- print args */ { int i; for (i = 0; i < nparms; ++i) { msg(M_INFO, "[%d] '%s'", i, parms[i]); } } #endif if (nparms > 0) { man_dispatch_command(man, so, (const char **)parms, nparms); } } CLEAR(parms); status_close(so); gc_free(&gc); } static bool man_io_error(struct management *man, const char *prefix) { const int err = openvpn_errno(); if (!ignore_sys_error(err)) { struct gc_arena gc = gc_new(); msg(D_MANAGEMENT, "MANAGEMENT: TCP %s error: %s", prefix, strerror(err)); gc_free(&gc); return true; } else { return false; } } #ifdef TARGET_ANDROID static ssize_t man_send_with_fd(int fd, void *ptr, size_t nbytes, int flags, int sendfd) { struct msghdr msg; struct iovec iov[1]; union { struct cmsghdr cm; char control[CMSG_SPACE(sizeof(int))]; } control_un; struct cmsghdr *cmptr; msg.msg_control = control_un.control; msg.msg_controllen = sizeof(control_un.control); cmptr = CMSG_FIRSTHDR(&msg); cmptr->cmsg_len = CMSG_LEN(sizeof(int)); cmptr->cmsg_level = SOL_SOCKET; cmptr->cmsg_type = SCM_RIGHTS; *((int *) CMSG_DATA(cmptr)) = sendfd; msg.msg_name = NULL; msg.msg_namelen = 0; iov[0].iov_base = ptr; iov[0].iov_len = nbytes; msg.msg_iov = iov; msg.msg_iovlen = 1; return (sendmsg(fd, &msg, flags)); } static ssize_t man_recv_with_fd(int fd, void *ptr, size_t nbytes, int flags, int *recvfd) { struct msghdr msghdr; struct iovec iov[1]; ssize_t n; union { struct cmsghdr cm; char control[CMSG_SPACE(sizeof(int))]; } control_un; struct cmsghdr *cmptr; msghdr.msg_control = control_un.control; msghdr.msg_controllen = sizeof(control_un.control); msghdr.msg_name = NULL; msghdr.msg_namelen = 0; iov[0].iov_base = ptr; iov[0].iov_len = nbytes; msghdr.msg_iov = iov; msghdr.msg_iovlen = 1; if ( (n = recvmsg(fd, &msghdr, flags)) <= 0) { return (n); } if ( (cmptr = CMSG_FIRSTHDR(&msghdr)) != NULL && cmptr->cmsg_len == CMSG_LEN(sizeof(int))) { if (cmptr->cmsg_level != SOL_SOCKET) { msg(M_ERR, "control level != SOL_SOCKET"); } if (cmptr->cmsg_type != SCM_RIGHTS) { msg(M_ERR, "control type != SCM_RIGHTS"); } *recvfd = *((int *) CMSG_DATA(cmptr)); } else { *recvfd = -1; /* descriptor was not passed */ } return (n); } /* * The android control method will instruct the GUI part of openvpn to do * the route/ifconfig/open tun command. See doc/android.txt for details. */ bool management_android_control(struct management *man, const char *command, const char *msg) { struct user_pass up; CLEAR(up); strncpy(up.username, msg, sizeof(up.username)-1); management_query_user_pass(management, &up, command, GET_USER_PASS_NEED_OK,(void *) 0); return strcmp("ok", up.password)==0; } /* * In Android 4.4 it is not possible to open a new tun device and then close the * old tun device without breaking the whole VPNService stack until the device * is rebooted. This management method ask the UI what method should be taken to * ensure the optimal solution for the situation */ int managment_android_persisttun_action(struct management *man) { struct user_pass up; CLEAR(up); strcpy(up.username,"tunmethod"); management_query_user_pass(management, &up, "PERSIST_TUN_ACTION", GET_USER_PASS_NEED_OK,(void *) 0); if (!strcmp("NOACTION", up.password)) { return ANDROID_KEEP_OLD_TUN; } else if (!strcmp("OPEN_AFTER_CLOSE", up.password)) { return ANDROID_OPEN_AFTER_CLOSE; } else if (!strcmp("OPEN_BEFORE_CLOSE", up.password)) { return ANDROID_OPEN_BEFORE_CLOSE; } else { msg(M_ERR, "Got unrecognised '%s' from management for PERSIST_TUN_ACTION query", up.password); } ASSERT(0); return ANDROID_OPEN_AFTER_CLOSE; } #endif /* ifdef TARGET_ANDROID */ static int man_read(struct management *man) { /* * read command line from socket */ unsigned char buf[256]; int len = 0; #ifdef TARGET_ANDROID int fd; len = man_recv_with_fd(man->connection.sd_cli, buf, sizeof(buf), MSG_NOSIGNAL, &fd); if (fd >= 0) { man->connection.lastfdreceived = fd; } #else /* ifdef TARGET_ANDROID */ len = recv(man->connection.sd_cli, buf, sizeof(buf), MSG_NOSIGNAL); #endif if (len == 0) { man_reset_client_socket(man, false); } else if (len > 0) { bool processed_command = false; ASSERT(len <= (int) sizeof(buf)); command_line_add(man->connection.in, buf, len); /* * Reset output object */ buffer_list_reset(man->connection.out); /* * process command line if complete */ { const unsigned char *line; while ((line = command_line_get(man->connection.in))) { #ifdef MANAGEMENT_IN_EXTRA if (man->connection.in_extra) { if (!strcmp((char *)line, "END")) { in_extra_dispatch(man); } else { buffer_list_push(man->connection.in_extra, line); } } else #endif man_process_command(man, (char *) line); if (man->connection.halt) { break; } command_line_next(man->connection.in); processed_command = true; } } /* * Reset output state to MS_CC_WAIT_(READ|WRITE) */ if (man->connection.halt) { man_reset_client_socket(man, false); len = 0; } else { if (processed_command) { man_prompt(man); } man_update_io_state(man); } } else /* len < 0 */ { if (man_io_error(man, "recv")) { man_reset_client_socket(man, false); } } return len; } static int man_write(struct management *man) { const int size_hint = 1024; int sent = 0; const struct buffer *buf; buffer_list_aggregate(man->connection.out, size_hint); buf = buffer_list_peek(man->connection.out); if (buf && BLEN(buf)) { const int len = min_int(size_hint, BLEN(buf)); #ifdef TARGET_ANDROID if (man->connection.fdtosend > 0) { sent = man_send_with_fd(man->connection.sd_cli, BPTR(buf), len, MSG_NOSIGNAL,man->connection.fdtosend); man->connection.fdtosend = -1; } else #endif sent = send(man->connection.sd_cli, BPTR(buf), len, MSG_NOSIGNAL); if (sent >= 0) { buffer_list_advance(man->connection.out, sent); } else if (sent < 0) { if (man_io_error(man, "send")) { man_reset_client_socket(man, false); } } } /* * Reset output state to MS_CC_WAIT_(READ|WRITE) */ man_update_io_state(man); return sent; } static void man_connection_clear(struct man_connection *mc) { CLEAR(*mc); /* set initial state */ mc->state = MS_INITIAL; /* clear socket descriptors */ mc->sd_top = SOCKET_UNDEFINED; mc->sd_cli = SOCKET_UNDEFINED; } static void man_persist_init(struct management *man, const int log_history_cache, const int echo_buffer_size, const int state_buffer_size) { struct man_persist *mp = &man->persist; if (!mp->defined) { CLEAR(*mp); /* initialize log history store */ mp->log = log_history_init(log_history_cache); /* * Initialize virtual output object, so that functions * which write to a virtual_output object can be redirected * here to the management object. */ mp->vout.func = virtual_output_callback_func; mp->vout.arg = man; mp->vout.flags_default = M_CLIENT; msg_set_virtual_output(&mp->vout); /* * Initialize --echo list */ man->persist.echo = log_history_init(echo_buffer_size); /* * Initialize --state list */ man->persist.state = log_history_init(state_buffer_size); mp->defined = true; } } static void man_persist_close(struct man_persist *mp) { if (mp->log) { msg_set_virtual_output(NULL); log_history_close(mp->log); } if (mp->echo) { log_history_close(mp->echo); } if (mp->state) { log_history_close(mp->state); } CLEAR(*mp); } static void man_settings_init(struct man_settings *ms, const char *addr, const char *port, const char *pass_file, const char *client_user, const char *client_group, const int log_history_cache, const int echo_buffer_size, const int state_buffer_size, const char *write_peer_info_file, const int remap_sigusr1, const unsigned int flags) { if (!ms->defined) { CLEAR(*ms); ms->flags = flags; ms->client_uid = -1; ms->client_gid = -1; /* * Get username/password */ if (pass_file) { get_user_pass(&ms->up, pass_file, "Management", GET_USER_PASS_PASSWORD_ONLY); } /* * lookup client UID/GID if specified */ if (client_user) { struct platform_state_user s; platform_user_get(client_user, &s); ms->client_uid = platform_state_user_uid(&s); msg(D_MANAGEMENT, "MANAGEMENT: client_uid=%d", ms->client_uid); ASSERT(ms->client_uid >= 0); } if (client_group) { struct platform_state_group s; platform_group_get(client_group, &s); ms->client_gid = platform_state_group_gid(&s); msg(D_MANAGEMENT, "MANAGEMENT: client_gid=%d", ms->client_gid); ASSERT(ms->client_gid >= 0); } ms->write_peer_info_file = string_alloc(write_peer_info_file, NULL); #if UNIX_SOCK_SUPPORT if (ms->flags & MF_UNIX_SOCK) { sockaddr_unix_init(&ms->local_unix, addr); } else #endif { /* * Run management over tunnel, or * separate channel? */ if (streq(addr, "tunnel") && !(flags & MF_CONNECT_AS_CLIENT)) { ms->management_over_tunnel = true; } else { int status; int resolve_flags = GETADDR_RESOLVE|GETADDR_WARN_ON_SIGNAL|GETADDR_FATAL; if (!(flags & MF_CONNECT_AS_CLIENT)) { resolve_flags |= GETADDR_PASSIVE; } status = openvpn_getaddrinfo(resolve_flags, addr, port, 0, NULL, AF_UNSPEC, &ms->local); ASSERT(status==0); } } /* * Log history and echo buffer may need to be resized */ ms->log_history_cache = log_history_cache; ms->echo_buffer_size = echo_buffer_size; ms->state_buffer_size = state_buffer_size; /* * Set remap sigusr1 flags */ if (remap_sigusr1 == SIGHUP) { ms->mansig |= MANSIG_MAP_USR1_TO_HUP; } else if (remap_sigusr1 == SIGTERM) { ms->mansig |= MANSIG_MAP_USR1_TO_TERM; } ms->defined = true; } } static void man_settings_close(struct man_settings *ms) { if (ms->local) { freeaddrinfo(ms->local); } free(ms->write_peer_info_file); CLEAR(*ms); } static void man_connection_init(struct management *man) { if (man->connection.state == MS_INITIAL) { #ifdef _WIN32 /* * This object is a sort of TCP/IP helper * for Windows. */ net_event_win32_init(&man->connection.ne32); #endif /* * Allocate helper objects for command line input and * command output from/to the socket. */ man->connection.in = command_line_new(1024); man->connection.out = buffer_list_new(0); /* * Initialize event set for standalone usage, when we are * running outside of the primary event loop. */ { int maxevents = 1; man->connection.es = event_set_init(&maxevents, EVENT_METHOD_FAST); } /* * Listen/connect socket */ if (man->settings.flags & MF_CONNECT_AS_CLIENT) { man_connect(man); } else { man_listen(man); } } } static void man_connection_close(struct management *man) { struct man_connection *mc = &man->connection; if (mc->es) { event_free(mc->es); } #ifdef _WIN32 net_event_win32_close(&mc->ne32); #endif if (socket_defined(mc->sd_top)) { man_close_socket(man, mc->sd_top); man_delete_unix_socket(man); } if (socket_defined(mc->sd_cli)) { man_close_socket(man, mc->sd_cli); } if (mc->in) { command_line_free(mc->in); } if (mc->out) { buffer_list_free(mc->out); } #ifdef MANAGEMENT_IN_EXTRA in_extra_reset(&man->connection, IER_RESET); #endif #ifdef MANAGMENT_EXTERNAL_KEY buffer_list_free(mc->ext_key_input); #endif man_connection_clear(mc); } struct management * management_init(void) { struct management *man; ALLOC_OBJ_CLEAR(man, struct management); man_persist_init(man, MANAGEMENT_LOG_HISTORY_INITIAL_SIZE, MANAGEMENT_ECHO_BUFFER_SIZE, MANAGEMENT_STATE_BUFFER_SIZE); man_connection_clear(&man->connection); return man; } bool management_open(struct management *man, const char *addr, const char *port, const char *pass_file, const char *client_user, const char *client_group, const int log_history_cache, const int echo_buffer_size, const int state_buffer_size, const char *write_peer_info_file, const int remap_sigusr1, const unsigned int flags) { bool ret = false; /* * Save the settings only if they have not * been saved before. */ man_settings_init(&man->settings, addr, port, pass_file, client_user, client_group, log_history_cache, echo_buffer_size, state_buffer_size, write_peer_info_file, remap_sigusr1, flags); /* * The log is initially sized to MANAGEMENT_LOG_HISTORY_INITIAL_SIZE, * but may be changed here. Ditto for echo and state buffers. */ log_history_resize(man->persist.log, man->settings.log_history_cache); log_history_resize(man->persist.echo, man->settings.echo_buffer_size); log_history_resize(man->persist.state, man->settings.state_buffer_size); /* * If connection object is uninitialized and we are not doing * over-the-tunnel management, then open (listening) connection. */ if (man->connection.state == MS_INITIAL) { if (!man->settings.management_over_tunnel) { man_connection_init(man); ret = true; } } return ret; } void management_close(struct management *man) { man_output_list_push_finalize(man); /* flush output queue */ man_connection_close(man); man_settings_close(&man->settings); man_persist_close(&man->persist); free(man); } void management_set_callback(struct management *man, const struct management_callback *cb) { man->persist.standalone_disabled = true; man->persist.callback = *cb; } void management_clear_callback(struct management *man) { man->persist.standalone_disabled = false; man->persist.hold_release = false; CLEAR(man->persist.callback); man_output_list_push_finalize(man); /* flush output queue */ } void management_set_state(struct management *man, const int state, const char *detail, const in_addr_t *tun_local_ip, const struct in6_addr *tun_local_ip6, const struct openvpn_sockaddr *local, const struct openvpn_sockaddr *remote) { if (man->persist.state && (!(man->settings.flags & MF_SERVER) || state < OPENVPN_STATE_CLIENT_BASE)) { struct gc_arena gc = gc_new(); struct log_entry e; const char *out = NULL; update_time(); CLEAR(e); e.timestamp = now; e.u.state = state; e.string = detail; if (tun_local_ip) { e.local_ip = *tun_local_ip; } if (tun_local_ip6) { e.local_ip6 = *tun_local_ip6; } if (local) { e.local_sock = *local; } if (remote) { e.remote_sock = *remote; } log_history_add(man->persist.state, &e); if (man->connection.state_realtime) { out = log_entry_print(&e, LOG_PRINT_STATE_PREFIX | LOG_PRINT_INT_DATE | LOG_PRINT_STATE | LOG_PRINT_LOCAL_IP | LOG_PRINT_REMOTE_IP | LOG_PRINT_CRLF | LOG_ECHO_TO_LOG, &gc); } if (out) { man_output_list_push(man, out); } gc_free(&gc); } } static bool env_filter_match(const char *env_str, const int env_filter_level) { static const char *env_names[] = { "username=", "password=", "X509_0_CN=", "tls_serial_", "untrusted_ip=", "ifconfig_local=", "ifconfig_netmask=", "daemon_start_time=", "daemon_pid=", "dev=", "ifconfig_pool_remote_ip=", "ifconfig_pool_netmask=", "time_duration=", "bytes_sent=", "bytes_received=" }; if (env_filter_level == 0) { return true; } else if (env_filter_level <= 1 && !strncmp(env_str, "X509_", 5)) { return true; } else if (env_filter_level <= 2) { size_t i; for (i = 0; i < SIZE(env_names); ++i) { const char *en = env_names[i]; const size_t len = strlen(en); if (!strncmp(env_str, en, len)) { return true; } } return false; } return false; } static void man_output_env(const struct env_set *es, const bool tail, const int env_filter_level, const char *prefix) { if (es) { struct env_item *e; for (e = es->list; e != NULL; e = e->next) { if (e->string && (!env_filter_level || env_filter_match(e->string, env_filter_level))) { msg(M_CLIENT, ">%s:ENV,%s", prefix, e->string); } } } if (tail) { msg(M_CLIENT, ">%s:ENV,END", prefix); } } static void man_output_extra_env(struct management *man, const char *prefix) { struct gc_arena gc = gc_new(); struct env_set *es = env_set_create(&gc); if (man->persist.callback.n_clients) { const int nclients = (*man->persist.callback.n_clients)(man->persist.callback.arg); setenv_int(es, "n_clients", nclients); } man_output_env(es, false, man->connection.env_filter_level, prefix); gc_free(&gc); } void management_up_down(struct management *man, const char *updown, const struct env_set *es) { if (man->settings.flags & MF_UP_DOWN) { msg(M_CLIENT, ">UPDOWN:%s", updown); man_output_env(es, true, 0, "UPDOWN"); } } void management_notify(struct management *man, const char *severity, const char *type, const char *text) { msg(M_CLIENT, ">NOTIFY:%s,%s,%s", severity, type, text); } void management_notify_generic(struct management *man, const char *str) { msg(M_CLIENT, "%s", str); } #ifdef MANAGEMENT_DEF_AUTH static void man_output_peer_info_env(struct management *man, struct man_def_auth_context *mdac) { char line[256]; if (man->persist.callback.get_peer_info) { const char *peer_info = (*man->persist.callback.get_peer_info)(man->persist.callback.arg, mdac->cid); if (peer_info) { struct buffer buf; buf_set_read(&buf, (const uint8_t *) peer_info, strlen(peer_info)); while (buf_parse(&buf, '\n', line, sizeof(line))) { chomp(line); if (validate_peer_info_line(line)) { msg(M_CLIENT, ">CLIENT:ENV,%s", line); } else { msg(D_MANAGEMENT, "validation failed on peer_info line received from client"); } } } } } void management_notify_client_needing_auth(struct management *management, const unsigned int mda_key_id, struct man_def_auth_context *mdac, const struct env_set *es) { if (!(mdac->flags & DAF_CONNECTION_CLOSED)) { const char *mode = "CONNECT"; if (mdac->flags & DAF_CONNECTION_ESTABLISHED) { mode = "REAUTH"; } msg(M_CLIENT, ">CLIENT:%s,%lu,%u", mode, mdac->cid, mda_key_id); man_output_extra_env(management, "CLIENT"); if (management->connection.env_filter_level>0) { man_output_peer_info_env(management, mdac); } man_output_env(es, true, management->connection.env_filter_level, "CLIENT"); mdac->flags |= DAF_INITIAL_AUTH; } } void management_connection_established(struct management *management, struct man_def_auth_context *mdac, const struct env_set *es) { mdac->flags |= DAF_CONNECTION_ESTABLISHED; msg(M_CLIENT, ">CLIENT:ESTABLISHED,%lu", mdac->cid); man_output_extra_env(management, "CLIENT"); man_output_env(es, true, management->connection.env_filter_level, "CLIENT"); } void management_notify_client_close(struct management *management, struct man_def_auth_context *mdac, const struct env_set *es) { if ((mdac->flags & DAF_INITIAL_AUTH) && !(mdac->flags & DAF_CONNECTION_CLOSED)) { msg(M_CLIENT, ">CLIENT:DISCONNECT,%lu", mdac->cid); man_output_env(es, true, management->connection.env_filter_level, "CLIENT"); mdac->flags |= DAF_CONNECTION_CLOSED; } } void management_learn_addr(struct management *management, struct man_def_auth_context *mdac, const struct mroute_addr *addr, const bool primary) { struct gc_arena gc = gc_new(); if ((mdac->flags & DAF_INITIAL_AUTH) && !(mdac->flags & DAF_CONNECTION_CLOSED)) { msg(M_CLIENT, ">CLIENT:ADDRESS,%lu,%s,%d", mdac->cid, mroute_addr_print_ex(addr, MAPF_SUBNET, &gc), BOOL_CAST(primary)); } gc_free(&gc); } #endif /* MANAGEMENT_DEF_AUTH */ void management_echo(struct management *man, const char *string, const bool pull) { if (man->persist.echo) { struct gc_arena gc = gc_new(); struct log_entry e; const char *out = NULL; update_time(); CLEAR(e); e.timestamp = now; e.string = string; e.u.intval = BOOL_CAST(pull); log_history_add(man->persist.echo, &e); if (man->connection.echo_realtime) { out = log_entry_print(&e, LOG_PRINT_INT_DATE|LOG_PRINT_ECHO_PREFIX|LOG_PRINT_CRLF|MANAGEMENT_ECHO_FLAGS, &gc); } if (out) { man_output_list_push(man, out); } gc_free(&gc); } } void management_post_tunnel_open(struct management *man, const in_addr_t tun_local_ip) { /* * If we are running management over the tunnel, * this is the place to initialize the connection. */ if (man->settings.management_over_tunnel && man->connection.state == MS_INITIAL) { /* listen on our local TUN/TAP IP address */ struct in_addr ia; int ret; ia.s_addr = htonl(tun_local_ip); ret = openvpn_getaddrinfo(GETADDR_PASSIVE, inet_ntoa(ia), NULL, 0, NULL, AF_INET, &man->settings.local); ASSERT(ret==0); man_connection_init(man); } } void management_pre_tunnel_close(struct management *man) { if (man->settings.management_over_tunnel) { man_connection_close(man); } } void management_auth_failure(struct management *man, const char *type, const char *reason) { if (reason) { msg(M_CLIENT, ">PASSWORD:Verification Failed: '%s' ['%s']", type, reason); } else { msg(M_CLIENT, ">PASSWORD:Verification Failed: '%s'", type); } } void management_auth_token(struct management *man, const char *token) { msg(M_CLIENT, ">PASSWORD:Auth-Token:%s", token); } static inline bool man_persist_state(unsigned int *persistent, const int n) { if (persistent) { if (*persistent == (unsigned int)n) { return false; } *persistent = n; } return true; } #ifdef _WIN32 void management_socket_set(struct management *man, struct event_set *es, void *arg, unsigned int *persistent) { if (man->connection.state != MS_INITIAL) { event_t ev = net_event_win32_get_event(&man->connection.ne32); net_event_win32_reset_write(&man->connection.ne32); switch (man->connection.state) { case MS_LISTEN: if (man_persist_state(persistent, 1)) { event_ctl(es, ev, EVENT_READ, arg); } break; case MS_CC_WAIT_READ: if (man_persist_state(persistent, 2)) { event_ctl(es, ev, EVENT_READ, arg); } break; case MS_CC_WAIT_WRITE: if (man_persist_state(persistent, 3)) { event_ctl(es, ev, EVENT_READ|EVENT_WRITE, arg); } break; default: ASSERT(0); } } } void management_io(struct management *man) { if (man->connection.state != MS_INITIAL) { long net_events; net_event_win32_reset(&man->connection.ne32); net_events = net_event_win32_get_event_mask(&man->connection.ne32); if (net_events & FD_CLOSE) { man_reset_client_socket(man, false); } else { if (man->connection.state == MS_LISTEN) { if (net_events & FD_ACCEPT) { man_accept(man); net_event_win32_clear_selected_events(&man->connection.ne32, FD_ACCEPT); } } else if (man->connection.state == MS_CC_WAIT_READ || man->connection.state == MS_CC_WAIT_WRITE) { if (net_events & FD_READ) { while (man_read(man) > 0) { } net_event_win32_clear_selected_events(&man->connection.ne32, FD_READ); } if (net_events & FD_WRITE) { int status; status = man_write(man); if (status < 0 && WSAGetLastError() == WSAEWOULDBLOCK) { net_event_win32_clear_selected_events(&man->connection.ne32, FD_WRITE); } } } } } } #else /* ifdef _WIN32 */ void management_socket_set(struct management *man, struct event_set *es, void *arg, unsigned int *persistent) { switch (man->connection.state) { case MS_LISTEN: if (man_persist_state(persistent, 1)) { event_ctl(es, man->connection.sd_top, EVENT_READ, arg); } break; case MS_CC_WAIT_READ: if (man_persist_state(persistent, 2)) { event_ctl(es, man->connection.sd_cli, EVENT_READ, arg); } break; case MS_CC_WAIT_WRITE: if (man_persist_state(persistent, 3)) { event_ctl(es, man->connection.sd_cli, EVENT_WRITE, arg); } break; case MS_INITIAL: break; default: ASSERT(0); } } void management_io(struct management *man) { switch (man->connection.state) { case MS_LISTEN: man_accept(man); break; case MS_CC_WAIT_READ: man_read(man); break; case MS_CC_WAIT_WRITE: man_write(man); break; case MS_INITIAL: break; default: ASSERT(0); } } #endif /* ifdef _WIN32 */ static inline bool man_standalone_ok(const struct management *man) { return !man->settings.management_over_tunnel && man->connection.state != MS_INITIAL; } static bool man_check_for_signals(volatile int *signal_received) { if (signal_received) { get_signal(signal_received); if (*signal_received) { return true; } } return false; } /* * Wait for socket I/O when outside primary event loop */ static int man_block(struct management *man, volatile int *signal_received, const time_t expire) { struct timeval tv; struct event_set_return esr; int status = -1; if (man_standalone_ok(man)) { while (true) { event_reset(man->connection.es); management_socket_set(man, man->connection.es, NULL, NULL); tv.tv_usec = 0; tv.tv_sec = 1; if (man_check_for_signals(signal_received)) { status = -1; break; } status = event_wait(man->connection.es, &tv, &esr, 1); update_time(); if (man_check_for_signals(signal_received)) { status = -1; break; } if (status > 0) { break; } else if (expire && now >= expire) { /* set SIGINT signal if expiration time exceeded */ status = 0; if (signal_received) { *signal_received = SIGINT; } break; } } } return status; } /* * Perform management socket output outside primary event loop */ static void man_output_standalone(struct management *man, volatile int *signal_received) { if (man_standalone_ok(man)) { while (man->connection.state == MS_CC_WAIT_WRITE) { management_io(man); if (man->connection.state == MS_CC_WAIT_WRITE) { man_block(man, signal_received, 0); } if (signal_received && *signal_received) { break; } } } } /* * Process management event loop outside primary event loop */ static int man_standalone_event_loop(struct management *man, volatile int *signal_received, const time_t expire) { int status = -1; if (man_standalone_ok(man)) { status = man_block(man, signal_received, expire); if (status > 0) { management_io(man); } } return status; } #define MWCC_PASSWORD_WAIT (1<<0) #define MWCC_HOLD_WAIT (1<<1) #define MWCC_OTHER_WAIT (1<<2) /* * Block until client connects */ static void man_wait_for_client_connection(struct management *man, volatile int *signal_received, const time_t expire, unsigned int flags) { ASSERT(man_standalone_ok(man)); if (man->connection.state == MS_LISTEN) { if (flags & MWCC_PASSWORD_WAIT) { msg(D_MANAGEMENT, "Need password(s) from management interface, waiting..."); } if (flags & MWCC_HOLD_WAIT) { msg(D_MANAGEMENT, "Need hold release from management interface, waiting..."); } if (flags & MWCC_OTHER_WAIT) { msg(D_MANAGEMENT, "Need information from management interface, waiting..."); } do { man_standalone_event_loop(man, signal_received, expire); if (signal_received && *signal_received) { break; } } while (man->connection.state == MS_LISTEN || man_password_needed(man)); } } /* * Process the management event loop for sec seconds */ void management_event_loop_n_seconds(struct management *man, int sec) { if (man_standalone_ok(man)) { volatile int signal_received = 0; const bool standalone_disabled_save = man->persist.standalone_disabled; time_t expire = 0; man->persist.standalone_disabled = false; /* This is so M_CLIENT messages will be correctly passed through msg() */ /* set expire time */ update_time(); if (sec) { expire = now + sec; } /* if no client connection, wait for one */ man_wait_for_client_connection(man, &signal_received, expire, 0); if (signal_received) { return; } /* run command processing event loop */ do { man_standalone_event_loop(man, &signal_received, expire); if (!signal_received) { man_check_for_signals(&signal_received); } if (signal_received) { return; } update_time(); } while (expire && expire > now); /* revert state */ man->persist.standalone_disabled = standalone_disabled_save; } else { sleep(sec); } } /* * Get a username/password from management channel in standalone mode. */ bool management_query_user_pass(struct management *man, struct user_pass *up, const char *type, const unsigned int flags, const char *static_challenge) { struct gc_arena gc = gc_new(); bool ret = false; if (man_standalone_ok(man)) { volatile int signal_received = 0; const bool standalone_disabled_save = man->persist.standalone_disabled; struct buffer alert_msg = alloc_buf_gc(128, &gc); const char *alert_type = NULL; const char *prefix = NULL; unsigned int up_query_mode = 0; #ifdef ENABLE_CLIENT_CR const char *sc = NULL; #endif ret = true; man->persist.standalone_disabled = false; /* This is so M_CLIENT messages will be correctly passed through msg() */ man->persist.special_state_msg = NULL; CLEAR(man->connection.up_query); if (flags & GET_USER_PASS_NEED_OK) { up_query_mode = UP_QUERY_NEED_OK; prefix = "NEED-OK"; alert_type = "confirmation"; } else if (flags & GET_USER_PASS_NEED_STR) { up_query_mode = UP_QUERY_NEED_STR; prefix = "NEED-STR"; alert_type = "string"; } else if (flags & GET_USER_PASS_PASSWORD_ONLY) { up_query_mode = UP_QUERY_PASS; prefix = "PASSWORD"; alert_type = "password"; } else { up_query_mode = UP_QUERY_USER_PASS; prefix = "PASSWORD"; alert_type = "username/password"; #ifdef ENABLE_CLIENT_CR if (static_challenge) { sc = static_challenge; } #endif } buf_printf(&alert_msg, ">%s:Need '%s' %s", prefix, type, alert_type); if (flags & (GET_USER_PASS_NEED_OK | GET_USER_PASS_NEED_STR)) { buf_printf(&alert_msg, " MSG:%s", up->username); } #ifdef ENABLE_CLIENT_CR if (sc) { buf_printf(&alert_msg, " SC:%d,%s", BOOL_CAST(flags & GET_USER_PASS_STATIC_CHALLENGE_ECHO), sc); } #endif man_wait_for_client_connection(man, &signal_received, 0, MWCC_PASSWORD_WAIT); if (signal_received) { ret = false; } if (ret) { man->persist.special_state_msg = BSTR(&alert_msg); msg(M_CLIENT, "%s", man->persist.special_state_msg); /* tell command line parser which info we need */ man->connection.up_query_mode = up_query_mode; man->connection.up_query_type = type; /* run command processing event loop until we get our username/password/response */ do { man_standalone_event_loop(man, &signal_received, 0); if (!signal_received) { man_check_for_signals(&signal_received); } if (signal_received) { ret = false; break; } } while (!man->connection.up_query.defined); } /* revert state */ man->connection.up_query_mode = UP_QUERY_DISABLED; man->connection.up_query_type = NULL; man->persist.standalone_disabled = standalone_disabled_save; man->persist.special_state_msg = NULL; /* pass through blank passwords */ if (!strcmp(man->connection.up_query.password, blank_up)) { CLEAR(man->connection.up_query.password); } /* * Transfer u/p to return object, zero any record * we hold in the management object. */ if (ret) { /* preserve caller's settings */ man->connection.up_query.nocache = up->nocache; man->connection.up_query.wait_for_push = up->wait_for_push; *up = man->connection.up_query; } secure_memzero(&man->connection.up_query, sizeof(man->connection.up_query)); } gc_free(&gc); return ret; } #ifdef MANAGMENT_EXTERNAL_KEY static int management_query_multiline(struct management *man, const char *b64_data, const char *prompt, const char *cmd, int *state, struct buffer_list **input) { struct gc_arena gc = gc_new(); int ret = 0; volatile int signal_received = 0; struct buffer alert_msg = clear_buf(); const bool standalone_disabled_save = man->persist.standalone_disabled; struct man_connection *mc = &man->connection; if (man_standalone_ok(man)) { man->persist.standalone_disabled = false; /* This is so M_CLIENT messages will be correctly passed through msg() */ man->persist.special_state_msg = NULL; *state = EKS_SOLICIT; if (b64_data) { alert_msg = alloc_buf_gc(strlen(b64_data)+strlen(prompt)+3, &gc); buf_printf(&alert_msg, ">%s:%s", prompt, b64_data); } else { alert_msg = alloc_buf_gc(strlen(prompt)+3, &gc); buf_printf(&alert_msg, ">%s", prompt); } man_wait_for_client_connection(man, &signal_received, 0, MWCC_OTHER_WAIT); if (signal_received) { goto done; } man->persist.special_state_msg = BSTR(&alert_msg); msg(M_CLIENT, "%s", man->persist.special_state_msg); /* run command processing event loop until we get our signature */ do { man_standalone_event_loop(man, &signal_received, 0); if (!signal_received) { man_check_for_signals(&signal_received); } if (signal_received) { goto done; } } while (*state != EKS_READY); ret = 1; } done: if (*state == EKS_READY && ret) { msg(M_CLIENT, "SUCCESS: %s command succeeded", cmd); } else if (*state == EKS_INPUT || *state == EKS_READY) { msg(M_CLIENT, "ERROR: %s command failed", cmd); } /* revert state */ man->persist.standalone_disabled = standalone_disabled_save; man->persist.special_state_msg = NULL; in_extra_reset(mc, IER_RESET); *state = EKS_UNDEF; gc_free(&gc); return ret; } static char * /* returns allocated base64 signature */ management_query_multiline_flatten_newline(struct management *man, const char *b64_data, const char *prompt, const char *cmd, int *state, struct buffer_list **input) { int ok; char *result = NULL; struct buffer *buf; ok = management_query_multiline(man, b64_data, prompt, cmd, state, input); if (ok && buffer_list_defined(*input)) { buffer_list_aggregate_separator(*input, 10000, "\n"); buf = buffer_list_peek(*input); if (buf && BLEN(buf) > 0) { result = (char *) malloc(BLEN(buf)+1); check_malloc_return(result); memcpy(result, buf->data, BLEN(buf)); result[BLEN(buf)] = '\0'; } } buffer_list_free(*input); *input = NULL; return result; } static char * /* returns allocated base64 signature */ management_query_multiline_flatten(struct management *man, const char *b64_data, const char *prompt, const char *cmd, int *state, struct buffer_list **input) { int ok; char *result = NULL; struct buffer *buf; ok = management_query_multiline(man, b64_data, prompt, cmd, state, input); if (ok && buffer_list_defined(*input)) { buffer_list_aggregate(*input, 2048); buf = buffer_list_peek(*input); if (buf && BLEN(buf) > 0) { result = (char *) malloc(BLEN(buf)+1); check_malloc_return(result); memcpy(result, buf->data, BLEN(buf)); result[BLEN(buf)] = '\0'; } } buffer_list_free(*input); *input = NULL; return result; } char * /* returns allocated base64 signature */ management_query_rsa_sig(struct management *man, const char *b64_data) { return management_query_multiline_flatten(man, b64_data, "RSA_SIGN", "rsa-sign", &man->connection.ext_key_state, &man->connection.ext_key_input); } char * management_query_cert(struct management *man, const char *cert_name) { const char prompt_1[] = "NEED-CERTIFICATE:"; struct buffer buf_prompt = alloc_buf(strlen(cert_name) + 20); buf_write(&buf_prompt, prompt_1, strlen(prompt_1)); buf_write(&buf_prompt, cert_name, strlen(cert_name)+1); /* +1 for \0 */ char *result; result = management_query_multiline_flatten_newline(management, NULL, (char *)buf_bptr(&buf_prompt), "certificate", &man->connection.ext_cert_state, &man->connection.ext_cert_input); free_buf(&buf_prompt); return result; } #endif /* ifdef MANAGMENT_EXTERNAL_KEY */ /* * Return true if management_hold() would block */ bool management_would_hold(struct management *man) { return (man->settings.flags & MF_HOLD) && !man->persist.hold_release && man_standalone_ok(man); } /* * Return true if (from the management interface's perspective) OpenVPN should * daemonize. */ bool management_should_daemonize(struct management *man) { return management_would_hold(man) || (man->settings.flags & MF_QUERY_PASSWORDS); } /* * If the hold flag is enabled, hibernate until a management client releases the hold. * Return true if the caller should not sleep for an additional time interval. */ bool management_hold(struct management *man, int holdtime) { if (management_would_hold(man)) { volatile int signal_received = 0; const bool standalone_disabled_save = man->persist.standalone_disabled; struct gc_arena gc = gc_new(); man->persist.standalone_disabled = false; /* This is so M_CLIENT messages will be correctly passed through msg() */ man->persist.special_state_msg = NULL; man->settings.mansig |= MANSIG_IGNORE_USR1_HUP; man_wait_for_client_connection(man, &signal_received, 0, MWCC_HOLD_WAIT); if (!signal_received) { struct buffer out = alloc_buf_gc(128, &gc); buf_printf(&out, ">HOLD:Waiting for hold release:%d", holdtime); man->persist.special_state_msg = BSTR(&out); msg(M_CLIENT, "%s", man->persist.special_state_msg); /* run command processing event loop until we get our username/password */ do { man_standalone_event_loop(man, &signal_received, 0); if (!signal_received) { man_check_for_signals(&signal_received); } if (signal_received) { break; } } while (!man->persist.hold_release); } /* revert state */ man->persist.standalone_disabled = standalone_disabled_save; man->persist.special_state_msg = NULL; man->settings.mansig &= ~MANSIG_IGNORE_USR1_HUP; gc_free(&gc); return true; } return false; } /* * struct command_line */ struct command_line * command_line_new(const int buf_len) { struct command_line *cl; ALLOC_OBJ_CLEAR(cl, struct command_line); cl->buf = alloc_buf(buf_len); cl->residual = alloc_buf(buf_len); return cl; } void command_line_reset(struct command_line *cl) { buf_clear(&cl->buf); buf_clear(&cl->residual); } void command_line_free(struct command_line *cl) { command_line_reset(cl); free_buf(&cl->buf); free_buf(&cl->residual); free(cl); } void command_line_add(struct command_line *cl, const unsigned char *buf, const int len) { int i; for (i = 0; i < len; ++i) { if (buf[i] && char_class(buf[i], (CC_PRINT|CC_NEWLINE))) { if (!buf_write_u8(&cl->buf, buf[i])) { buf_clear(&cl->buf); } } } } const unsigned char * command_line_get(struct command_line *cl) { int i; const unsigned char *ret = NULL; i = buf_substring_len(&cl->buf, '\n'); if (i >= 0) { buf_copy_excess(&cl->residual, &cl->buf, i); buf_chomp(&cl->buf); ret = (const unsigned char *) BSTR(&cl->buf); } return ret; } void command_line_next(struct command_line *cl) { buf_clear(&cl->buf); buf_copy(&cl->buf, &cl->residual); buf_clear(&cl->residual); } /* * struct log_entry */ const char * log_entry_print(const struct log_entry *e, unsigned int flags, struct gc_arena *gc) { struct buffer out = alloc_buf_gc(ERR_BUF_SIZE, gc); if (flags & LOG_FATAL_NOTIFY) { buf_printf(&out, ">FATAL:"); } if (flags & LOG_PRINT_LOG_PREFIX) { buf_printf(&out, ">LOG:"); } if (flags & LOG_PRINT_ECHO_PREFIX) { buf_printf(&out, ">ECHO:"); } if (flags & LOG_PRINT_STATE_PREFIX) { buf_printf(&out, ">STATE:"); } if (flags & LOG_PRINT_INT_DATE) { buf_printf(&out, "%u,", (unsigned int)e->timestamp); } if (flags & LOG_PRINT_MSG_FLAGS) { buf_printf(&out, "%s,", msg_flags_string(e->u.msg_flags, gc)); } if (flags & LOG_PRINT_STATE) { buf_printf(&out, "%s,", man_state_name(e->u.state)); } if (flags & LOG_PRINT_INTVAL) { buf_printf(&out, "%d,", e->u.intval); } if (e->string) { buf_printf(&out, "%s", e->string); } if (flags & LOG_PRINT_LOCAL_IP) { buf_printf(&out, ",%s", print_in_addr_t(e->local_ip, IA_EMPTY_IF_UNDEF, gc)); } if (flags & LOG_PRINT_REMOTE_IP) { buf_printf(&out, ",%s", (!addr_defined(&e->remote_sock) ? "," : print_sockaddr_ex(&e->remote_sock.addr.sa, ",", PS_DONT_SHOW_FAMILY|PS_SHOW_PORT, gc))); buf_printf(&out, ",%s", (!addr_defined(&e->local_sock) ? "," : print_sockaddr_ex(&e->local_sock.addr.sa, ",", PS_DONT_SHOW_FAMILY|PS_SHOW_PORT, gc))); } if (flags & LOG_PRINT_LOCAL_IP && !IN6_IS_ADDR_UNSPECIFIED(&e->local_ip6)) { buf_printf(&out, ",%s", print_in6_addr(e->local_ip6, IA_EMPTY_IF_UNDEF, gc)); } if (flags & LOG_ECHO_TO_LOG) { msg(D_MANAGEMENT, "MANAGEMENT: %s", BSTR(&out)); } if (flags & LOG_PRINT_CRLF) { buf_printf(&out, "\r\n"); } return BSTR(&out); } static void log_entry_free_contents(struct log_entry *e) { if (e->string) { free((char *)e->string); } CLEAR(*e); } /* * struct log_history */ static inline int log_index(const struct log_history *h, int i) { return modulo_add(h->base, i, h->capacity); } static void log_history_obj_init(struct log_history *h, int capacity) { CLEAR(*h); h->capacity = capacity; ALLOC_ARRAY_CLEAR(h->array, struct log_entry, capacity); } struct log_history * log_history_init(const int capacity) { struct log_history *h; ASSERT(capacity > 0); ALLOC_OBJ(h, struct log_history); log_history_obj_init(h, capacity); return h; } static void log_history_free_contents(struct log_history *h) { int i; for (i = 0; i < h->size; ++i) { log_entry_free_contents(&h->array[log_index(h, i)]); } free(h->array); } void log_history_close(struct log_history *h) { log_history_free_contents(h); free(h); } void log_history_add(struct log_history *h, const struct log_entry *le) { struct log_entry *e; ASSERT(h->size >= 0 && h->size <= h->capacity); if (h->size == h->capacity) { e = &h->array[h->base]; log_entry_free_contents(e); h->base = log_index(h, 1); } else { e = &h->array[log_index(h, h->size)]; ++h->size; } *e = *le; e->string = string_alloc(le->string, NULL); } void log_history_resize(struct log_history *h, const int capacity) { if (capacity != h->capacity) { struct log_history newlog; int i; ASSERT(capacity > 0); log_history_obj_init(&newlog, capacity); for (i = 0; i < h->size; ++i) { log_history_add(&newlog, &h->array[log_index(h, i)]); } log_history_free_contents(h); *h = newlog; } } const struct log_entry * log_history_ref(const struct log_history *h, const int index) { if (index >= 0 && index < h->size) { return &h->array[log_index(h, (h->size - 1) - index)]; } else { return NULL; } } void management_sleep(const int n) { if (management) { management_event_loop_n_seconds(management, n); } else { sleep(n); } } #else /* ifdef ENABLE_MANAGEMENT */ void management_sleep(const int n) { sleep(n); } #endif /* ENABLE_MANAGEMENT */ openvpn-2.4.4/src/openvpn/manage.h000066400000000000000000000433351316434344000170750ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifndef MANAGE_H #define MANAGE_H #ifdef ENABLE_MANAGEMENT #include "misc.h" #include "event.h" #include "socket.h" #include "mroute.h" #define MANAGEMENT_VERSION 1 #define MANAGEMENT_N_PASSWORD_RETRIES 3 #define MANAGEMENT_LOG_HISTORY_INITIAL_SIZE 100 #define MANAGEMENT_ECHO_BUFFER_SIZE 100 #define MANAGEMENT_STATE_BUFFER_SIZE 100 /* * Management-interface-based deferred authentication */ #ifdef MANAGEMENT_DEF_AUTH struct man_def_auth_context { unsigned long cid; #define DAF_CONNECTION_ESTABLISHED (1<<0) #define DAF_CONNECTION_CLOSED (1<<1) #define DAF_INITIAL_AUTH (1<<2) unsigned int flags; unsigned int mda_key_id_counter; time_t bytecount_last_update; }; #endif /* * Manage build-up of command line */ struct command_line { struct buffer buf; struct buffer residual; }; struct command_line *command_line_new(const int buf_len); void command_line_free(struct command_line *cl); void command_line_add(struct command_line *cl, const unsigned char *buf, const int len); const unsigned char *command_line_get(struct command_line *cl); void command_line_reset(struct command_line *cl); void command_line_next(struct command_line *cl); /* * Manage log file history */ union log_entry_union { unsigned int msg_flags; int state; int intval; }; struct log_entry { time_t timestamp; const char *string; in_addr_t local_ip; struct in6_addr local_ip6; struct openvpn_sockaddr local_sock; struct openvpn_sockaddr remote_sock; union log_entry_union u; }; #define LOG_PRINT_LOG_PREFIX (1<<0) #define LOG_PRINT_ECHO_PREFIX (1<<1) #define LOG_PRINT_STATE_PREFIX (1<<2) #define LOG_PRINT_INT_DATE (1<<3) #define LOG_PRINT_MSG_FLAGS (1<<4) #define LOG_PRINT_STATE (1<<5) #define LOG_PRINT_LOCAL_IP (1<<6) #define LOG_PRINT_CRLF (1<<7) #define LOG_FATAL_NOTIFY (1<<8) #define LOG_PRINT_INTVAL (1<<9) #define LOG_PRINT_REMOTE_IP (1<<10) #define LOG_ECHO_TO_LOG (1<<11) const char *log_entry_print(const struct log_entry *e, unsigned int flags, struct gc_arena *gc); struct log_history { int base; int size; int capacity; struct log_entry *array; }; struct log_history *log_history_init(const int capacity); void log_history_close(struct log_history *h); void log_history_add(struct log_history *h, const struct log_entry *le); void log_history_resize(struct log_history *h, const int capacity); const struct log_entry *log_history_ref(const struct log_history *h, const int index); static inline int log_history_size(const struct log_history *h) { return h->size; } static inline int log_history_capacity(const struct log_history *h) { return h->capacity; } /* * Callbacks for 'status' and 'kill' commands. * Also for management-based deferred authentication and packet filter. */ struct management_callback { void *arg; #define MCF_SERVER (1<<0) /* is OpenVPN being run as a server? */ unsigned int flags; void (*status) (void *arg, const int version, struct status_output *so); void (*show_net) (void *arg, const int msglevel); int (*kill_by_cn) (void *arg, const char *common_name); int (*kill_by_addr) (void *arg, const in_addr_t addr, const int port); void (*delete_event) (void *arg, event_t event); int (*n_clients) (void *arg); #ifdef MANAGEMENT_DEF_AUTH bool (*kill_by_cid)(void *arg, const unsigned long cid, const char *kill_msg); bool (*client_auth) (void *arg, const unsigned long cid, const unsigned int mda_key_id, const bool auth, const char *reason, const char *client_reason, struct buffer_list *cc_config); /* ownership transferred */ char *(*get_peer_info) (void *arg, const unsigned long cid); #endif #ifdef MANAGEMENT_PF bool (*client_pf)(void *arg, const unsigned long cid, struct buffer_list *pf_config); /* ownership transferred */ #endif bool (*proxy_cmd)(void *arg, const char **p); bool (*remote_cmd) (void *arg, const char **p); #ifdef TARGET_ANDROID int (*network_change)(void *arg, bool samenetwork); #endif }; /* * Management object, split into three components: * * struct man_persist : Data elements which are persistent across * man_connection open and close. * * struct man_settings : management parameters. * * struct man_connection : created on socket binding and listen, * deleted on socket unbind, may * handle multiple sequential client * connections. */ struct man_persist { bool defined; struct log_history *log; struct virtual_output vout; bool standalone_disabled; struct management_callback callback; struct log_history *echo; /* saved --echo strings */ struct log_history *state; bool hold_release; const char *special_state_msg; counter_type bytes_in; counter_type bytes_out; }; struct man_settings { bool defined; unsigned int flags; /* MF_x flags */ struct addrinfo *local; #if UNIX_SOCK_SUPPORT struct sockaddr_un local_unix; #endif bool management_over_tunnel; struct user_pass up; int log_history_cache; int echo_buffer_size; int state_buffer_size; char *write_peer_info_file; int client_uid; int client_gid; /* flags for handling the management interface "signal" command */ #define MANSIG_IGNORE_USR1_HUP (1<<0) #define MANSIG_MAP_USR1_TO_HUP (1<<1) #define MANSIG_MAP_USR1_TO_TERM (1<<2) unsigned int mansig; }; /* up_query modes */ #define UP_QUERY_DISABLED 0 #define UP_QUERY_USER_PASS 1 #define UP_QUERY_PASS 2 #define UP_QUERY_NEED_OK 3 #define UP_QUERY_NEED_STR 4 /* states */ #define MS_INITIAL 0 /* all sockets are closed */ #define MS_LISTEN 1 /* no client is connected */ #define MS_CC_WAIT_READ 2 /* client is connected, waiting for read on socket */ #define MS_CC_WAIT_WRITE 3 /* client is connected, waiting for ability to write to socket */ struct man_connection { int state; socket_descriptor_t sd_top; socket_descriptor_t sd_cli; struct openvpn_sockaddr remote; #ifdef _WIN32 struct net_event_win32 ne32; #endif bool halt; bool password_verified; int password_tries; struct command_line *in; struct buffer_list *out; #ifdef MANAGEMENT_IN_EXTRA #define IEC_UNDEF 0 #define IEC_CLIENT_AUTH 1 #define IEC_CLIENT_PF 2 #define IEC_RSA_SIGN 3 #define IEC_CERTIFICATE 4 int in_extra_cmd; struct buffer_list *in_extra; #ifdef MANAGEMENT_DEF_AUTH unsigned long in_extra_cid; unsigned int in_extra_kid; #endif #ifdef MANAGMENT_EXTERNAL_KEY #define EKS_UNDEF 0 #define EKS_SOLICIT 1 #define EKS_INPUT 2 #define EKS_READY 3 int ext_key_state; struct buffer_list *ext_key_input; int ext_cert_state; struct buffer_list *ext_cert_input; #endif #endif /* ifdef MANAGEMENT_IN_EXTRA */ struct event_set *es; int env_filter_level; bool state_realtime; bool log_realtime; bool echo_realtime; int bytecount_update_seconds; time_t bytecount_last_update; const char *up_query_type; int up_query_mode; struct user_pass up_query; #ifdef MANAGMENT_EXTERNAL_KEY struct buffer_list *rsa_sig; #endif #ifdef TARGET_ANDROID int fdtosend; int lastfdreceived; #endif }; struct management { struct man_persist persist; struct man_settings settings; struct man_connection connection; }; extern struct management *management; struct user_pass; struct management *management_init(void); /* management_open flags */ #define MF_SERVER (1<<0) #define MF_QUERY_PASSWORDS (1<<1) #define MF_HOLD (1<<2) #define MF_SIGNAL (1<<3) #define MF_FORGET_DISCONNECT (1<<4) #define MF_CONNECT_AS_CLIENT (1<<5) #ifdef MANAGEMENT_DEF_AUTH #define MF_CLIENT_AUTH (1<<6) #endif #ifdef MANAGEMENT_PF #define MF_CLIENT_PF (1<<7) #endif #define MF_UNIX_SOCK (1<<8) #ifdef MANAGMENT_EXTERNAL_KEY #define MF_EXTERNAL_KEY (1<<9) #endif #define MF_UP_DOWN (1<<10) #define MF_QUERY_REMOTE (1<<11) #define MF_QUERY_PROXY (1<<12) #define MF_EXTERNAL_CERT (1<<13) bool management_open(struct management *man, const char *addr, const char *port, const char *pass_file, const char *client_user, const char *client_group, const int log_history_cache, const int echo_buffer_size, const int state_buffer_size, const char *write_peer_info_file, const int remap_sigusr1, const unsigned int flags); void management_close(struct management *man); void management_post_tunnel_open(struct management *man, const in_addr_t tun_local_ip); void management_pre_tunnel_close(struct management *man); void management_socket_set(struct management *man, struct event_set *es, void *arg, unsigned int *persistent); void management_io(struct management *man); void management_set_callback(struct management *man, const struct management_callback *cb); void management_clear_callback(struct management *man); bool management_query_user_pass(struct management *man, struct user_pass *up, const char *type, const unsigned int flags, const char *static_challenge); #ifdef TARGET_ANDROID bool management_android_control(struct management *man, const char *command, const char *msg); #define ANDROID_KEEP_OLD_TUN 1 #define ANDROID_OPEN_AFTER_CLOSE 2 #define ANDROID_OPEN_BEFORE_CLOSE 3 int managment_android_persisttun_action(struct management *man); #endif bool management_should_daemonize(struct management *man); bool management_would_hold(struct management *man); bool management_hold(struct management *man, int holdtime); void management_event_loop_n_seconds(struct management *man, int sec); void management_up_down(struct management *man, const char *updown, const struct env_set *es); void management_notify(struct management *man, const char *severity, const char *type, const char *text); void management_notify_generic(struct management *man, const char *str); #ifdef MANAGEMENT_DEF_AUTH void management_notify_client_needing_auth(struct management *management, const unsigned int auth_id, struct man_def_auth_context *mdac, const struct env_set *es); void management_connection_established(struct management *management, struct man_def_auth_context *mdac, const struct env_set *es); void management_notify_client_close(struct management *management, struct man_def_auth_context *mdac, const struct env_set *es); void management_learn_addr(struct management *management, struct man_def_auth_context *mdac, const struct mroute_addr *addr, const bool primary); #endif #ifdef MANAGMENT_EXTERNAL_KEY char *management_query_rsa_sig(struct management *man, const char *b64_data); char *management_query_cert(struct management *man, const char *cert_name); #endif static inline bool management_connected(const struct management *man) { return man->connection.state == MS_CC_WAIT_READ || man->connection.state == MS_CC_WAIT_WRITE; } static inline bool management_query_user_pass_enabled(const struct management *man) { return BOOL_CAST(man->settings.flags & MF_QUERY_PASSWORDS); } static inline bool management_query_remote_enabled(const struct management *man) { return BOOL_CAST(man->settings.flags & MF_QUERY_REMOTE); } static inline bool management_query_proxy_enabled(const struct management *man) { return BOOL_CAST(man->settings.flags & MF_QUERY_PROXY); } #ifdef MANAGEMENT_PF static inline bool management_enable_pf(const struct management *man) { return man && BOOL_CAST(man->settings.flags & MF_CLIENT_PF); } #endif #ifdef MANAGEMENT_DEF_AUTH static inline bool management_enable_def_auth(const struct management *man) { return man && BOOL_CAST(man->settings.flags & MF_CLIENT_AUTH); } #endif /* * OpenVPN tells the management layer what state it's in */ /* client/server states */ #define OPENVPN_STATE_INITIAL 0 /* Initial, undefined state */ #define OPENVPN_STATE_CONNECTING 1 /* Management interface has been initialized */ #define OPENVPN_STATE_ASSIGN_IP 2 /* Assigning IP address to virtual network interface */ #define OPENVPN_STATE_ADD_ROUTES 3 /* Adding routes to system */ #define OPENVPN_STATE_CONNECTED 4 /* Initialization sequence completed */ #define OPENVPN_STATE_RECONNECTING 5 /* Restart */ #define OPENVPN_STATE_EXITING 6 /* Exit */ /* client-only states */ #define OPENVPN_STATE_WAIT 7 /* Waiting for initial response from server */ #define OPENVPN_STATE_AUTH 8 /* Authenticating with server */ #define OPENVPN_STATE_GET_CONFIG 9 /* Downloading configuration from server */ #define OPENVPN_STATE_RESOLVE 10 /* DNS lookup */ #define OPENVPN_STATE_TCP_CONNECT 11 /* Connecting to TCP server */ #define OPENVPN_STATE_CLIENT_BASE 7 /* Base index of client-only states */ void management_set_state(struct management *man, const int state, const char *detail, const in_addr_t *tun_local_ip, const struct in6_addr *tun_local_ip6, const struct openvpn_sockaddr *local_addr, const struct openvpn_sockaddr *remote_addr); /* * The management object keeps track of OpenVPN --echo * parameters. */ void management_echo(struct management *man, const char *string, const bool pull); /* * OpenVPN calls here to indicate a password failure */ void management_auth_failure(struct management *man, const char *type, const char *reason); /* * Echo an authentication token to management interface */ void management_auth_token(struct management *man, const char *token); /* * These functions drive the bytecount in/out counters. */ void man_bytecount_output_client(struct management *man); static inline void man_bytecount_possible_output_client(struct management *man) { if (man->connection.bytecount_update_seconds > 0 && now >= man->connection.bytecount_last_update + man->connection.bytecount_update_seconds) { man_bytecount_output_client(man); } } static inline void management_bytes_out_client(struct management *man, const int size) { man->persist.bytes_out += size; man_bytecount_possible_output_client(man); } static inline void management_bytes_in_client(struct management *man, const int size) { man->persist.bytes_in += size; man_bytecount_possible_output_client(man); } static inline void management_bytes_out(struct management *man, const int size) { if (!(man->persist.callback.flags & MCF_SERVER)) { management_bytes_out_client(man, size); } } static inline void management_bytes_in(struct management *man, const int size) { if (!(man->persist.callback.flags & MCF_SERVER)) { management_bytes_in_client(man, size); } } #ifdef MANAGEMENT_DEF_AUTH static inline void management_bytes_server(struct management *man, const counter_type *bytes_in_total, const counter_type *bytes_out_total, struct man_def_auth_context *mdac) { void man_bytecount_output_server(struct management *man, const counter_type *bytes_in_total, const counter_type *bytes_out_total, struct man_def_auth_context *mdac); if (man->connection.bytecount_update_seconds > 0 && now >= mdac->bytecount_last_update + man->connection.bytecount_update_seconds && (mdac->flags & (DAF_CONNECTION_ESTABLISHED|DAF_CONNECTION_CLOSED)) == DAF_CONNECTION_ESTABLISHED) { man_bytecount_output_server(man, bytes_in_total, bytes_out_total, mdac); } } #endif /* MANAGEMENT_DEF_AUTH */ #endif /* ifdef ENABLE_MANAGEMENT */ /** * A sleep function that services the management layer for n seconds rather * than doing nothing. */ void management_sleep(const int n); #endif /* ifndef MANAGE_H */ openvpn-2.4.4/src/openvpn/mbuf.c000066400000000000000000000102331316434344000165600ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) #include "config-msvc.h" #endif #include "syshead.h" #if P2MP #include "buffer.h" #include "error.h" #include "integer.h" #include "misc.h" #include "mbuf.h" #include "memdbg.h" struct mbuf_set * mbuf_init(unsigned int size) { struct mbuf_set *ret; ALLOC_OBJ_CLEAR(ret, struct mbuf_set); ret->capacity = adjust_power_of_2(size); ALLOC_ARRAY(ret->array, struct mbuf_item, ret->capacity); return ret; } void mbuf_free(struct mbuf_set *ms) { if (ms) { int i; for (i = 0; i < (int) ms->len; ++i) { struct mbuf_item *item = &ms->array[MBUF_INDEX(ms->head, i, ms->capacity)]; mbuf_free_buf(item->buffer); } free(ms->array); free(ms); } } struct mbuf_buffer * mbuf_alloc_buf(const struct buffer *buf) { struct mbuf_buffer *ret; ALLOC_OBJ(ret, struct mbuf_buffer); ret->buf = clone_buf(buf); ret->refcount = 1; ret->flags = 0; return ret; } void mbuf_free_buf(struct mbuf_buffer *mb) { if (mb) { if (--mb->refcount <= 0) { free_buf(&mb->buf); free(mb); } } } void mbuf_add_item(struct mbuf_set *ms, const struct mbuf_item *item) { ASSERT(ms); if (ms->len == ms->capacity) { struct mbuf_item rm; ASSERT(mbuf_extract_item(ms, &rm)); mbuf_free_buf(rm.buffer); msg(D_MULTI_DROPPED, "MBUF: mbuf packet dropped"); } ASSERT(ms->len < ms->capacity); ms->array[MBUF_INDEX(ms->head, ms->len, ms->capacity)] = *item; if (++ms->len > ms->max_queued) { ms->max_queued = ms->len; } ++item->buffer->refcount; } bool mbuf_extract_item(struct mbuf_set *ms, struct mbuf_item *item) { bool ret = false; if (ms) { while (ms->len) { *item = ms->array[ms->head]; ms->head = MBUF_INDEX(ms->head, 1, ms->capacity); --ms->len; if (item->instance) /* ignore dereferenced instances */ { ret = true; break; } } } return ret; } struct multi_instance * mbuf_peek_dowork(struct mbuf_set *ms) { struct multi_instance *ret = NULL; if (ms) { int i; for (i = 0; i < (int) ms->len; ++i) { struct mbuf_item *item = &ms->array[MBUF_INDEX(ms->head, i, ms->capacity)]; if (item->instance) { ret = item->instance; break; } } } return ret; } void mbuf_dereference_instance(struct mbuf_set *ms, struct multi_instance *mi) { if (ms) { int i; for (i = 0; i < (int) ms->len; ++i) { struct mbuf_item *item = &ms->array[MBUF_INDEX(ms->head, i, ms->capacity)]; if (item->instance == mi) { mbuf_free_buf(item->buffer); item->buffer = NULL; item->instance = NULL; msg(D_MBUF, "MBUF: dereferenced queued packet"); } } } } #else /* if P2MP */ static void dummy(void) { } #endif /* P2MP */ openvpn-2.4.4/src/openvpn/mbuf.h000066400000000000000000000052261316434344000165730ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifndef MBUF_H #define MBUF_H /* * Handle both multicast and broadcast functions. */ #if P2MP /* define this to enable special test mode */ /*#define MBUF_TEST*/ #include "basic.h" #include "buffer.h" struct multi_instance; #define MBUF_INDEX(head, offset, size) (((head) + (offset)) & ((size)-1)) struct mbuf_buffer { struct buffer buf; int refcount; #define MF_UNICAST (1<<0) unsigned int flags; }; struct mbuf_item { struct mbuf_buffer *buffer; struct multi_instance *instance; }; struct mbuf_set { unsigned int head; unsigned int len; unsigned int capacity; unsigned int max_queued; struct mbuf_item *array; }; struct mbuf_set *mbuf_init(unsigned int size); void mbuf_free(struct mbuf_set *ms); struct mbuf_buffer *mbuf_alloc_buf(const struct buffer *buf); void mbuf_free_buf(struct mbuf_buffer *mb); void mbuf_add_item(struct mbuf_set *ms, const struct mbuf_item *item); bool mbuf_extract_item(struct mbuf_set *ms, struct mbuf_item *item); void mbuf_dereference_instance(struct mbuf_set *ms, struct multi_instance *mi); static inline bool mbuf_defined(const struct mbuf_set *ms) { return ms && ms->len; } static inline unsigned int mbuf_len(const struct mbuf_set *ms) { return ms->len; } static inline int mbuf_maximum_queued(const struct mbuf_set *ms) { return (int) ms->max_queued; } static inline struct multi_instance * mbuf_peek(struct mbuf_set *ms) { struct multi_instance *mbuf_peek_dowork(struct mbuf_set *ms); if (mbuf_defined(ms)) { return mbuf_peek_dowork(ms); } else { return NULL; } } #endif /* if P2MP */ #endif /* ifndef MBUF_H */ openvpn-2.4.4/src/openvpn/memdbg.h000066400000000000000000000066731316434344000171040ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifndef MEMDBG_H #define MEMDBG_H /* * Valgrind debugging support. * * Valgrind is a great tool for debugging memory issues, * though it seems to generate a lot of warnings in OpenSSL * about uninitialized data. To silence these warnings, * I've put together a suppressions file * in debug/valgrind-suppress. * * Also, grep for VALGRIND_MAKE_READABLE in the OpenVPN source. * Because valgrind thinks that some of the data passed from * OpenSSL back to OpenVPN is tainted due to being sourced * from uninitialized data, we need to untaint it before use -- * otherwise we will get a lot of useless warnings. * * valgrind --tool=memcheck --error-limit=no --suppressions=debug/valgrind-suppress --gen-suppressions=yes ./openvpn ... */ #ifdef USE_VALGRIND #include "valgrind/memcheck.h" #define VALGRIND_MAKE_READABLE(addr, len) #else /* ifdef USE_VALGRIND */ #define VALGRIND_MAKE_READABLE(addr, len) #endif #ifdef DMALLOC /* see ./configure options to enable */ /* * See ./configure options to enable dmalloc * support for memory leak checking. * * The dmalloc package can be downloaded from: * * http://dmalloc.com/ * * When dmalloc is installed and enabled, * use this command prior to running openvpn: * * dmalloc -l dlog -i 100 low -p log-unknown * * Also, put this in your .bashrc file: * * function dmalloc { eval `command dmalloc -b $*`; } * * Or take a more low-level approach: * * export DMALLOC_OPTIONS="debug=0x4e48503,inter=100,log=dlog" * * NOTE: When building dmalloc you need to add something * like this to dmalloc's settings.h -- it will allocate a static * buffer to be used as the malloc arena: * * #define INTERNAL_MEMORY_SPACE (1024 * 1024 * 50) */ #include "dmalloc.h" #define openvpn_dmalloc(file, line, size) dmalloc_malloc((file), (line), (size), DMALLOC_FUNC_MALLOC, 0, 0) /* * This #define will put the line number of the log * file position where leaked memory was allocated instead * of the source code file and line number. Make sure * to increase the size of dmalloc's info tables, * (MEMORY_TABLE_SIZE in settings.h) * otherwise it might get overwhelmed by the large * number of unique file/line combinations. */ #if 0 #undef malloc #define malloc(size) openvpn_dmalloc("logfile", x_msg_line_num, (size)) #endif #endif /* DMALLOC */ /* * Force buffers to be zeroed after allocation. * For debugging only. */ /*#define ZERO_BUFFER_ON_ALLOC*/ #endif /* MEMDBG_H */ openvpn-2.4.4/src/openvpn/misc.c000066400000000000000000001214251316434344000165700ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * Copyright (C) 2014-2015 David Sommerseth * Copyright (C) 2016-2017 David Sommerseth * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) #include "config-msvc.h" #endif #include "syshead.h" #include "buffer.h" #include "misc.h" #include "base64.h" #include "tun.h" #include "error.h" #include "otime.h" #include "plugin.h" #include "options.h" #include "manage.h" #include "crypto.h" #include "route.h" #include "console.h" #include "win32.h" #include "memdbg.h" #ifdef ENABLE_IPROUTE const char *iproute_path = IPROUTE_PATH; /* GLOBAL */ #endif /* contains an SSEC_x value defined in misc.h */ int script_security = SSEC_BUILT_IN; /* GLOBAL */ /* * Set standard file descriptors to /dev/null */ void set_std_files_to_null(bool stdin_only) { #if defined(HAVE_DUP) && defined(HAVE_DUP2) int fd; if ((fd = open("/dev/null", O_RDWR, 0)) != -1) { dup2(fd, 0); if (!stdin_only) { dup2(fd, 1); dup2(fd, 2); } if (fd > 2) { close(fd); } } #endif } /* * dup inetd/xinetd socket descriptor and save */ int inetd_socket_descriptor = SOCKET_UNDEFINED; /* GLOBAL */ void save_inetd_socket_descriptor(void) { inetd_socket_descriptor = INETD_SOCKET_DESCRIPTOR; #if defined(HAVE_DUP) && defined(HAVE_DUP2) /* use handle passed by inetd/xinetd */ if ((inetd_socket_descriptor = dup(INETD_SOCKET_DESCRIPTOR)) < 0) { msg(M_ERR, "INETD_SOCKET_DESCRIPTOR dup(%d) failed", INETD_SOCKET_DESCRIPTOR); } set_std_files_to_null(true); #endif } /* * Print an error message based on the status code returned by system(). */ const char * system_error_message(int stat, struct gc_arena *gc) { struct buffer out = alloc_buf_gc(256, gc); #ifdef _WIN32 if (stat == -1) { buf_printf(&out, "external program did not execute -- "); } buf_printf(&out, "returned error code %d", stat); #else /* ifdef _WIN32 */ if (stat == -1) { buf_printf(&out, "external program fork failed"); } else if (!WIFEXITED(stat)) { buf_printf(&out, "external program did not exit normally"); } else { const int cmd_ret = WEXITSTATUS(stat); if (!cmd_ret) { buf_printf(&out, "external program exited normally"); } else if (cmd_ret == 127) { buf_printf(&out, "could not execute external program"); } else { buf_printf(&out, "external program exited with error status: %d", cmd_ret); } } #endif /* ifdef _WIN32 */ return (const char *)out.data; } /* * Wrapper around openvpn_execve */ bool openvpn_execve_check(const struct argv *a, const struct env_set *es, const unsigned int flags, const char *error_message) { struct gc_arena gc = gc_new(); const int stat = openvpn_execve(a, es, flags); int ret = false; if (platform_system_ok(stat)) { ret = true; } else { if (error_message) { msg(((flags & S_FATAL) ? M_FATAL : M_WARN), "%s: %s", error_message, system_error_message(stat, &gc)); } } gc_free(&gc); return ret; } bool openvpn_execve_allowed(const unsigned int flags) { if (flags & S_SCRIPT) { return script_security >= SSEC_SCRIPTS; } else { return script_security >= SSEC_BUILT_IN; } } #ifndef _WIN32 /* * Run execve() inside a fork(). Designed to replicate the semantics of system() but * in a safer way that doesn't require the invocation of a shell or the risks * assocated with formatting and parsing a command line. */ int openvpn_execve(const struct argv *a, const struct env_set *es, const unsigned int flags) { struct gc_arena gc = gc_new(); int ret = -1; static bool warn_shown = false; if (a && a->argv[0]) { #if defined(ENABLE_FEATURE_EXECVE) if (openvpn_execve_allowed(flags)) { const char *cmd = a->argv[0]; char *const *argv = a->argv; char *const *envp = (char *const *)make_env_array(es, true, &gc); pid_t pid; pid = fork(); if (pid == (pid_t)0) /* child side */ { execve(cmd, argv, envp); exit(127); } else if (pid < (pid_t)0) /* fork failed */ { msg(M_ERR, "openvpn_execve: unable to fork"); } else /* parent side */ { if (waitpid(pid, &ret, 0) != pid) { ret = -1; } } } else if (!warn_shown && (script_security < SSEC_SCRIPTS)) { msg(M_WARN, SCRIPT_SECURITY_WARNING); warn_shown = true; } #else /* if defined(ENABLE_FEATURE_EXECVE) */ msg(M_WARN, "openvpn_execve: execve function not available"); #endif /* if defined(ENABLE_FEATURE_EXECVE) */ } else { msg(M_FATAL, "openvpn_execve: called with empty argv"); } gc_free(&gc); return ret; } #endif /* ifndef _WIN32 */ /* * Run execve() inside a fork(), duping stdout. Designed to replicate the semantics of popen() but * in a safer way that doesn't require the invocation of a shell or the risks * assocated with formatting and parsing a command line. */ int openvpn_popen(const struct argv *a, const struct env_set *es) { struct gc_arena gc = gc_new(); int ret = -1; static bool warn_shown = false; if (a && a->argv[0]) { #if defined(ENABLE_FEATURE_EXECVE) if (script_security >= SSEC_BUILT_IN) { const char *cmd = a->argv[0]; char *const *argv = a->argv; char *const *envp = (char *const *)make_env_array(es, true, &gc); pid_t pid; int pipe_stdout[2]; if (pipe(pipe_stdout) == 0) { pid = fork(); if (pid == (pid_t)0) /* child side */ { close(pipe_stdout[0]); /* Close read end */ dup2(pipe_stdout[1],1); execve(cmd, argv, envp); exit(127); } else if (pid > (pid_t)0) /* parent side */ { int status = 0; close(pipe_stdout[1]); /* Close write end */ waitpid(pid, &status, 0); ret = pipe_stdout[0]; } else /* fork failed */ { close(pipe_stdout[0]); close(pipe_stdout[1]); msg(M_ERR, "openvpn_popen: unable to fork %s", cmd); } } else { msg(M_WARN, "openvpn_popen: unable to create stdout pipe for %s", cmd); ret = -1; } } else if (!warn_shown && (script_security < SSEC_SCRIPTS)) { msg(M_WARN, SCRIPT_SECURITY_WARNING); warn_shown = true; } #else /* if defined(ENABLE_FEATURE_EXECVE) */ msg(M_WARN, "openvpn_popen: execve function not available"); #endif /* if defined(ENABLE_FEATURE_EXECVE) */ } else { msg(M_FATAL, "openvpn_popen: called with empty argv"); } gc_free(&gc); return ret; } /* * Set environmental variable (int or string). * * On Posix, we use putenv for portability, * and put up with its painful semantics * that require all the support code below. */ /* General-purpose environmental variable set functions */ static char * construct_name_value(const char *name, const char *value, struct gc_arena *gc) { struct buffer out; ASSERT(name); if (!value) { value = ""; } out = alloc_buf_gc(strlen(name) + strlen(value) + 2, gc); buf_printf(&out, "%s=%s", name, value); return BSTR(&out); } static bool env_string_equal(const char *s1, const char *s2) { int c1, c2; ASSERT(s1); ASSERT(s2); while (true) { c1 = *s1++; c2 = *s2++; if (c1 == '=') { c1 = 0; } if (c2 == '=') { c2 = 0; } if (!c1 && !c2) { return true; } if (c1 != c2) { break; } } return false; } static bool remove_env_item(const char *str, const bool do_free, struct env_item **list) { struct env_item *current, *prev; ASSERT(str); ASSERT(list); for (current = *list, prev = NULL; current != NULL; current = current->next) { if (env_string_equal(current->string, str)) { if (prev) { prev->next = current->next; } else { *list = current->next; } if (do_free) { secure_memzero(current->string, strlen(current->string)); free(current->string); free(current); } return true; } prev = current; } return false; } static void add_env_item(char *str, const bool do_alloc, struct env_item **list, struct gc_arena *gc) { struct env_item *item; ASSERT(str); ASSERT(list); ALLOC_OBJ_GC(item, struct env_item, gc); item->string = do_alloc ? string_alloc(str, gc) : str; item->next = *list; *list = item; } /* struct env_set functions */ static bool env_set_del_nolock(struct env_set *es, const char *str) { return remove_env_item(str, es->gc == NULL, &es->list); } static void env_set_add_nolock(struct env_set *es, const char *str) { remove_env_item(str, es->gc == NULL, &es->list); add_env_item((char *)str, true, &es->list, es->gc); } struct env_set * env_set_create(struct gc_arena *gc) { struct env_set *es; ALLOC_OBJ_CLEAR_GC(es, struct env_set, gc); es->list = NULL; es->gc = gc; return es; } void env_set_destroy(struct env_set *es) { if (es && es->gc == NULL) { struct env_item *e = es->list; while (e) { struct env_item *next = e->next; free(e->string); free(e); e = next; } free(es); } } bool env_set_del(struct env_set *es, const char *str) { bool ret; ASSERT(es); ASSERT(str); ret = env_set_del_nolock(es, str); return ret; } void env_set_add(struct env_set *es, const char *str) { ASSERT(es); ASSERT(str); env_set_add_nolock(es, str); } const char * env_set_get(const struct env_set *es, const char *name) { const struct env_item *item = es->list; while (item && !env_string_equal(item->string, name)) { item = item->next; } return item ? item->string : NULL; } void env_set_print(int msglevel, const struct env_set *es) { if (check_debug_level(msglevel)) { const struct env_item *e; int i; if (es) { e = es->list; i = 0; while (e) { if (env_safe_to_print(e->string)) { msg(msglevel, "ENV [%d] '%s'", i, e->string); } ++i; e = e->next; } } } } void env_set_inherit(struct env_set *es, const struct env_set *src) { const struct env_item *e; ASSERT(es); if (src) { e = src->list; while (e) { env_set_add_nolock(es, e->string); e = e->next; } } } /* add/modify/delete environmental strings */ void setenv_counter(struct env_set *es, const char *name, counter_type value) { char buf[64]; openvpn_snprintf(buf, sizeof(buf), counter_format, value); setenv_str(es, name, buf); } void setenv_int(struct env_set *es, const char *name, int value) { char buf[64]; openvpn_snprintf(buf, sizeof(buf), "%d", value); setenv_str(es, name, buf); } void setenv_unsigned(struct env_set *es, const char *name, unsigned int value) { char buf[64]; openvpn_snprintf(buf, sizeof(buf), "%u", value); setenv_str(es, name, buf); } void setenv_str(struct env_set *es, const char *name, const char *value) { setenv_str_ex(es, name, value, CC_NAME, 0, 0, CC_PRINT, 0, 0); } void setenv_str_safe(struct env_set *es, const char *name, const char *value) { uint8_t b[64]; struct buffer buf; buf_set_write(&buf, b, sizeof(b)); if (buf_printf(&buf, "OPENVPN_%s", name)) { setenv_str(es, BSTR(&buf), value); } else { msg(M_WARN, "setenv_str_safe: name overflow"); } } void setenv_str_incr(struct env_set *es, const char *name, const char *value) { unsigned int counter = 1; const size_t tmpname_len = strlen(name) + 5; /* 3 digits counter max */ char *tmpname = gc_malloc(tmpname_len, true, NULL); strcpy(tmpname, name); while (NULL != env_set_get(es, tmpname) && counter < 1000) { ASSERT(openvpn_snprintf(tmpname, tmpname_len, "%s_%u", name, counter)); counter++; } if (counter < 1000) { setenv_str(es, tmpname, value); } else { msg(D_TLS_DEBUG_MED, "Too many same-name env variables, ignoring: %s", name); } free(tmpname); } void setenv_del(struct env_set *es, const char *name) { ASSERT(name); setenv_str(es, name, NULL); } void setenv_str_ex(struct env_set *es, const char *name, const char *value, const unsigned int name_include, const unsigned int name_exclude, const char name_replace, const unsigned int value_include, const unsigned int value_exclude, const char value_replace) { struct gc_arena gc = gc_new(); const char *name_tmp; const char *val_tmp = NULL; ASSERT(name && strlen(name) > 1); name_tmp = string_mod_const(name, name_include, name_exclude, name_replace, &gc); if (value) { val_tmp = string_mod_const(value, value_include, value_exclude, value_replace, &gc); } ASSERT(es); if (val_tmp) { const char *str = construct_name_value(name_tmp, val_tmp, &gc); env_set_add(es, str); #if DEBUG_VERBOSE_SETENV msg(M_INFO, "SETENV_ES '%s'", str); #endif } else { env_set_del(es, name_tmp); } gc_free(&gc); } /* * Setenv functions that append an integer index to the name */ static const char * setenv_format_indexed_name(const char *name, const int i, struct gc_arena *gc) { struct buffer out = alloc_buf_gc(strlen(name) + 16, gc); if (i >= 0) { buf_printf(&out, "%s_%d", name, i); } else { buf_printf(&out, "%s", name); } return BSTR(&out); } void setenv_int_i(struct env_set *es, const char *name, const int value, const int i) { struct gc_arena gc = gc_new(); const char *name_str = setenv_format_indexed_name(name, i, &gc); setenv_int(es, name_str, value); gc_free(&gc); } void setenv_str_i(struct env_set *es, const char *name, const char *value, const int i) { struct gc_arena gc = gc_new(); const char *name_str = setenv_format_indexed_name(name, i, &gc); setenv_str(es, name_str, value); gc_free(&gc); } /* return true if filename can be opened for read */ bool test_file(const char *filename) { bool ret = false; if (filename) { FILE *fp = platform_fopen(filename, "r"); if (fp) { fclose(fp); ret = true; } else { if (openvpn_errno() == EACCES) { msg( M_WARN | M_ERRNO, "Could not access file '%s'", filename); } } } dmsg(D_TEST_FILE, "TEST FILE '%s' [%d]", filename ? filename : "UNDEF", ret); return ret; } /* create a temporary filename in directory */ const char * create_temp_file(const char *directory, const char *prefix, struct gc_arena *gc) { static unsigned int counter; struct buffer fname = alloc_buf_gc(256, gc); int fd; const char *retfname = NULL; unsigned int attempts = 0; do { ++attempts; ++counter; buf_printf(&fname, PACKAGE "_%s_%08lx%08lx.tmp", prefix, (unsigned long) get_random(), (unsigned long) get_random()); retfname = gen_path(directory, BSTR(&fname), gc); if (!retfname) { msg(M_FATAL, "Failed to create temporary filename and path"); return NULL; } /* Atomically create the file. Errors out if the file already * exists. */ fd = platform_open(retfname, O_CREAT | O_EXCL | O_WRONLY, S_IRUSR | S_IWUSR); if (fd != -1) { close(fd); return retfname; } else if (fd == -1 && errno != EEXIST) { /* Something else went wrong, no need to retry. */ msg(M_FATAL | M_ERRNO, "Could not create temporary file '%s'", retfname); return NULL; } } while (attempts < 6); msg(M_FATAL, "Failed to create temporary file after %i attempts", attempts); return NULL; } #ifdef ENABLE_CRYPTO /* * Prepend a random string to hostname to prevent DNS caching. * For example, foo.bar.gov would be modified to .foo.bar.gov. * Of course, this requires explicit support in the DNS server (wildcard). */ const char * hostname_randomize(const char *hostname, struct gc_arena *gc) { #define n_rnd_bytes 6 uint8_t rnd_bytes[n_rnd_bytes]; const char *rnd_str; struct buffer hname = alloc_buf_gc(strlen(hostname)+sizeof(rnd_bytes)*2+4, gc); prng_bytes(rnd_bytes, sizeof(rnd_bytes)); rnd_str = format_hex_ex(rnd_bytes, sizeof(rnd_bytes), 40, 0, NULL, gc); buf_printf(&hname, "%s.%s", rnd_str, hostname); return BSTR(&hname); #undef n_rnd_bytes } #else /* ifdef ENABLE_CRYPTO */ const char * hostname_randomize(const char *hostname, struct gc_arena *gc) { msg(M_WARN, "WARNING: hostname randomization disabled when crypto support is not compiled"); return hostname; } #endif /* ifdef ENABLE_CRYPTO */ /* * Put a directory and filename together. */ const char * gen_path(const char *directory, const char *filename, struct gc_arena *gc) { #ifdef _WIN32 const int CC_PATH_RESERVED = CC_LESS_THAN|CC_GREATER_THAN|CC_COLON |CC_DOUBLE_QUOTE|CC_SLASH|CC_BACKSLASH|CC_PIPE|CC_QUESTION_MARK|CC_ASTERISK; #else const int CC_PATH_RESERVED = CC_SLASH; #endif const char *safe_filename = string_mod_const(filename, CC_PRINT, CC_PATH_RESERVED, '_', gc); if (safe_filename && strcmp(safe_filename, ".") && strcmp(safe_filename, "..") #ifdef _WIN32 && win_safe_filename(safe_filename) #endif ) { const size_t outsize = strlen(safe_filename) + (directory ? strlen(directory) : 0) + 16; struct buffer out = alloc_buf_gc(outsize, gc); char dirsep[2]; dirsep[0] = OS_SPECIFIC_DIRSEP; dirsep[1] = '\0'; if (directory) { buf_printf(&out, "%s%s", directory, dirsep); } buf_printf(&out, "%s", safe_filename); return BSTR(&out); } else { return NULL; } } bool absolute_pathname(const char *pathname) { if (pathname) { const int c = pathname[0]; #ifdef _WIN32 return c == '\\' || (isalpha(c) && pathname[1] == ':' && pathname[2] == '\\'); #else return c == '/'; #endif } else { return false; } } /* * Get and store a username/password */ bool get_user_pass_cr(struct user_pass *up, const char *auth_file, const char *prefix, const unsigned int flags, const char *auth_challenge) { struct gc_arena gc = gc_new(); if (!up->defined) { bool from_authfile = (auth_file && !streq(auth_file, "stdin")); bool username_from_stdin = false; bool password_from_stdin = false; bool response_from_stdin = true; if (flags & GET_USER_PASS_PREVIOUS_CREDS_FAILED) { msg(M_WARN, "Note: previous '%s' credentials failed", prefix); } #ifdef ENABLE_MANAGEMENT /* * Get username/password from management interface? */ if (management && (!from_authfile && (flags & GET_USER_PASS_MANAGEMENT)) && management_query_user_pass_enabled(management)) { const char *sc = NULL; response_from_stdin = false; if (flags & GET_USER_PASS_PREVIOUS_CREDS_FAILED) { management_auth_failure(management, prefix, "previous auth credentials failed"); } #ifdef ENABLE_CLIENT_CR if (auth_challenge && (flags & GET_USER_PASS_STATIC_CHALLENGE)) { sc = auth_challenge; } #endif if (!management_query_user_pass(management, up, prefix, flags, sc)) { if ((flags & GET_USER_PASS_NOFATAL) != 0) { return false; } else { msg(M_FATAL, "ERROR: could not read %s username/password/ok/string from management interface", prefix); } } } else #endif /* ifdef ENABLE_MANAGEMENT */ /* * Get NEED_OK confirmation from the console */ if (flags & GET_USER_PASS_NEED_OK) { struct buffer user_prompt = alloc_buf_gc(128, &gc); buf_printf(&user_prompt, "NEED-OK|%s|%s:", prefix, up->username); if (!query_user_SINGLE(BSTR(&user_prompt), BLEN(&user_prompt), up->password, USER_PASS_LEN, false)) { msg(M_FATAL, "ERROR: could not read %s ok-confirmation from stdin", prefix); } if (!strlen(up->password)) { strcpy(up->password, "ok"); } } else if (flags & GET_USER_PASS_INLINE_CREDS) { struct buffer buf; buf_set_read(&buf, (uint8_t *) auth_file, strlen(auth_file) + 1); if (!(flags & GET_USER_PASS_PASSWORD_ONLY)) { buf_parse(&buf, '\n', up->username, USER_PASS_LEN); } buf_parse(&buf, '\n', up->password, USER_PASS_LEN); } /* * Read from auth file unless this is a dynamic challenge request. */ else if (from_authfile && !(flags & GET_USER_PASS_DYNAMIC_CHALLENGE)) { /* * Try to get username/password from a file. */ FILE *fp; char password_buf[USER_PASS_LEN] = { '\0' }; fp = platform_fopen(auth_file, "r"); if (!fp) { msg(M_ERR, "Error opening '%s' auth file: %s", prefix, auth_file); } if ((flags & GET_USER_PASS_PASSWORD_ONLY) == 0) { /* Read username first */ if (fgets(up->username, USER_PASS_LEN, fp) == NULL) { msg(M_FATAL, "Error reading username from %s authfile: %s", prefix, auth_file); } } chomp(up->username); if (fgets(password_buf, USER_PASS_LEN, fp) != NULL) { chomp(password_buf); } if (flags & GET_USER_PASS_PASSWORD_ONLY && !password_buf[0]) { msg(M_FATAL, "Error reading password from %s authfile: %s", prefix, auth_file); } if (password_buf[0]) { strncpy(up->password, password_buf, USER_PASS_LEN); } else { password_from_stdin = 1; } fclose(fp); if (!(flags & GET_USER_PASS_PASSWORD_ONLY) && strlen(up->username) == 0) { msg(M_FATAL, "ERROR: username from %s authfile '%s' is empty", prefix, auth_file); } } else { username_from_stdin = true; password_from_stdin = true; } /* * Get username/password from standard input? */ if (username_from_stdin || password_from_stdin || response_from_stdin) { #ifdef ENABLE_CLIENT_CR if (auth_challenge && (flags & GET_USER_PASS_DYNAMIC_CHALLENGE) && response_from_stdin) { struct auth_challenge_info *ac = get_auth_challenge(auth_challenge, &gc); if (ac) { char *response = (char *) gc_malloc(USER_PASS_LEN, false, &gc); struct buffer packed_resp, challenge; challenge = alloc_buf_gc(14+strlen(ac->challenge_text), &gc); buf_printf(&challenge, "CHALLENGE: %s", ac->challenge_text); buf_set_write(&packed_resp, (uint8_t *)up->password, USER_PASS_LEN); if (!query_user_SINGLE(BSTR(&challenge), BLEN(&challenge), response, USER_PASS_LEN, BOOL_CAST(ac->flags&CR_ECHO))) { msg(M_FATAL, "ERROR: could not read challenge response from stdin"); } strncpynt(up->username, ac->user, USER_PASS_LEN); buf_printf(&packed_resp, "CRV1::%s::%s", ac->state_id, response); } else { msg(M_FATAL, "ERROR: received malformed challenge request from server"); } } else #endif /* ifdef ENABLE_CLIENT_CR */ { struct buffer user_prompt = alloc_buf_gc(128, &gc); struct buffer pass_prompt = alloc_buf_gc(128, &gc); query_user_clear(); buf_printf(&user_prompt, "Enter %s Username:", prefix); buf_printf(&pass_prompt, "Enter %s Password:", prefix); if (username_from_stdin && !(flags & GET_USER_PASS_PASSWORD_ONLY)) { query_user_add(BSTR(&user_prompt), BLEN(&user_prompt), up->username, USER_PASS_LEN, true); } if (password_from_stdin) { query_user_add(BSTR(&pass_prompt), BLEN(&pass_prompt), up->password, USER_PASS_LEN, false); } if (!query_user_exec() ) { msg(M_FATAL, "ERROR: Failed retrieving username or password"); } if (!(flags & GET_USER_PASS_PASSWORD_ONLY)) { if (strlen(up->username) == 0) { msg(M_FATAL, "ERROR: %s username is empty", prefix); } } #ifdef ENABLE_CLIENT_CR if (auth_challenge && (flags & GET_USER_PASS_STATIC_CHALLENGE) && response_from_stdin) { char *response = (char *) gc_malloc(USER_PASS_LEN, false, &gc); struct buffer packed_resp, challenge; char *pw64 = NULL, *resp64 = NULL; challenge = alloc_buf_gc(14+strlen(auth_challenge), &gc); buf_printf(&challenge, "CHALLENGE: %s", auth_challenge); if (!query_user_SINGLE(BSTR(&challenge), BLEN(&challenge), response, USER_PASS_LEN, BOOL_CAST(flags & GET_USER_PASS_STATIC_CHALLENGE_ECHO))) { msg(M_FATAL, "ERROR: could not retrieve static challenge response"); } if (openvpn_base64_encode(up->password, strlen(up->password), &pw64) == -1 || openvpn_base64_encode(response, strlen(response), &resp64) == -1) { msg(M_FATAL, "ERROR: could not base64-encode password/static_response"); } buf_set_write(&packed_resp, (uint8_t *)up->password, USER_PASS_LEN); buf_printf(&packed_resp, "SCRV1:%s:%s", pw64, resp64); string_clear(pw64); free(pw64); string_clear(resp64); free(resp64); } #endif /* ifdef ENABLE_CLIENT_CR */ } } string_mod(up->username, CC_PRINT, CC_CRLF, 0); string_mod(up->password, CC_PRINT, CC_CRLF, 0); up->defined = true; } #if 0 msg(M_INFO, "GET_USER_PASS %s u='%s' p='%s'", prefix, up->username, up->password); #endif gc_free(&gc); return true; } #ifdef ENABLE_CLIENT_CR /* * See management/management-notes.txt for more info on the * the dynamic challenge/response protocol implemented here. */ struct auth_challenge_info * get_auth_challenge(const char *auth_challenge, struct gc_arena *gc) { if (auth_challenge) { struct auth_challenge_info *ac; const int len = strlen(auth_challenge); char *work = (char *) gc_malloc(len+1, false, gc); char *cp; struct buffer b; buf_set_read(&b, (const uint8_t *)auth_challenge, len); ALLOC_OBJ_CLEAR_GC(ac, struct auth_challenge_info, gc); /* parse prefix */ if (!buf_parse(&b, ':', work, len)) { return NULL; } if (strcmp(work, "CRV1")) { return NULL; } /* parse flags */ if (!buf_parse(&b, ':', work, len)) { return NULL; } for (cp = work; *cp != '\0'; ++cp) { const char c = *cp; if (c == 'E') { ac->flags |= CR_ECHO; } else if (c == 'R') { ac->flags |= CR_RESPONSE; } } /* parse state ID */ if (!buf_parse(&b, ':', work, len)) { return NULL; } ac->state_id = string_alloc(work, gc); /* parse user name */ if (!buf_parse(&b, ':', work, len)) { return NULL; } ac->user = (char *) gc_malloc(strlen(work)+1, true, gc); openvpn_base64_decode(work, (void *)ac->user, -1); /* parse challenge text */ ac->challenge_text = string_alloc(BSTR(&b), gc); return ac; } else { return NULL; } } #endif /* ifdef ENABLE_CLIENT_CR */ #if AUTO_USERID void get_user_pass_auto_userid(struct user_pass *up, const char *tag) { struct gc_arena gc = gc_new(); struct buffer buf; uint8_t macaddr[6]; static uint8_t digest [MD5_DIGEST_LENGTH]; static const uint8_t hashprefix[] = "AUTO_USERID_DIGEST"; const md_kt_t *md5_kt = md_kt_get("MD5"); md_ctx_t *ctx; CLEAR(*up); buf_set_write(&buf, (uint8_t *)up->username, USER_PASS_LEN); buf_printf(&buf, "%s", TARGET_PREFIX); if (get_default_gateway_mac_addr(macaddr)) { dmsg(D_AUTO_USERID, "GUPAU: macaddr=%s", format_hex_ex(macaddr, sizeof(macaddr), 0, 1, ":", &gc)); ctx = md_ctx_new(); md_ctx_init(ctx, md5_kt); md_ctx_update(ctx, hashprefix, sizeof(hashprefix) - 1); md_ctx_update(ctx, macaddr, sizeof(macaddr)); md_ctx_final(ctx, digest); md_ctx_cleanup(ctx); md_ctx_free(ctx); buf_printf(&buf, "%s", format_hex_ex(digest, sizeof(digest), 0, 256, " ", &gc)); } else { buf_printf(&buf, "UNKNOWN"); } if (tag && strcmp(tag, "stdin")) { buf_printf(&buf, "-%s", tag); } up->defined = true; gc_free(&gc); dmsg(D_AUTO_USERID, "GUPAU: AUTO_USERID: '%s'", up->username); } #endif /* if AUTO_USERID */ void purge_user_pass(struct user_pass *up, const bool force) { const bool nocache = up->nocache; static bool warn_shown = false; if (nocache || force) { secure_memzero(up, sizeof(*up)); up->nocache = nocache; } /* * don't show warning if the pass has been replaced by a token: this is an * artificial "auth-nocache" */ else if (!warn_shown && (!up->tokenized)) { msg(M_WARN, "WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this"); warn_shown = true; } } void set_auth_token(struct user_pass *up, const char *token) { if (token && strlen(token) && up && up->defined && !up->nocache) { CLEAR(up->password); strncpynt(up->password, token, USER_PASS_LEN); up->tokenized = true; } } /* * Process string received by untrusted peer before * printing to console or log file. * * Assumes that string has been null terminated. */ const char * safe_print(const char *str, struct gc_arena *gc) { return string_mod_const(str, CC_PRINT, CC_CRLF, '.', gc); } static bool is_password_env_var(const char *str) { return (strncmp(str, "password", 8) == 0); } bool env_allowed(const char *str) { return (script_security >= SSEC_PW_ENV || !is_password_env_var(str)); } bool env_safe_to_print(const char *str) { #ifndef UNSAFE_DEBUG if (is_password_env_var(str)) { return false; } #endif return true; } /* Make arrays of strings */ const char ** make_env_array(const struct env_set *es, const bool check_allowed, struct gc_arena *gc) { char **ret = NULL; struct env_item *e = NULL; int i = 0, n = 0; /* figure length of es */ if (es) { for (e = es->list; e != NULL; e = e->next) { ++n; } } /* alloc return array */ ALLOC_ARRAY_CLEAR_GC(ret, char *, n+1, gc); /* fill return array */ if (es) { i = 0; for (e = es->list; e != NULL; e = e->next) { if (!check_allowed || env_allowed(e->string)) { ASSERT(i < n); ret[i++] = e->string; } } } ret[i] = NULL; return (const char **)ret; } const char ** make_arg_array(const char *first, const char *parms, struct gc_arena *gc) { char **ret = NULL; int base = 0; const int max_parms = MAX_PARMS + 2; int n = 0; /* alloc return array */ ALLOC_ARRAY_CLEAR_GC(ret, char *, max_parms, gc); /* process first parameter, if provided */ if (first) { ret[base++] = string_alloc(first, gc); } if (parms) { n = parse_line(parms, &ret[base], max_parms - base - 1, "make_arg_array", 0, M_WARN, gc); ASSERT(n >= 0 && n + base + 1 <= max_parms); } ret[base + n] = NULL; return (const char **)ret; } static const char ** make_inline_array(const char *str, struct gc_arena *gc) { char line[OPTION_LINE_SIZE]; struct buffer buf; int len = 0; char **ret = NULL; int i = 0; buf_set_read(&buf, (const uint8_t *) str, strlen(str)); while (buf_parse(&buf, '\n', line, sizeof(line))) { ++len; } /* alloc return array */ ALLOC_ARRAY_CLEAR_GC(ret, char *, len + 1, gc); buf_set_read(&buf, (const uint8_t *) str, strlen(str)); while (buf_parse(&buf, '\n', line, sizeof(line))) { chomp(line); ASSERT(i < len); ret[i] = string_alloc(skip_leading_whitespace(line), gc); ++i; } ASSERT(i <= len); ret[i] = NULL; return (const char **)ret; } static const char ** make_arg_copy(char **p, struct gc_arena *gc) { char **ret = NULL; const int len = string_array_len((const char **)p); const int max_parms = len + 1; int i; /* alloc return array */ ALLOC_ARRAY_CLEAR_GC(ret, char *, max_parms, gc); for (i = 0; i < len; ++i) { ret[i] = p[i]; } return (const char **)ret; } const char ** make_extended_arg_array(char **p, struct gc_arena *gc) { const int argc = string_array_len((const char **)p); if (!strcmp(p[0], INLINE_FILE_TAG) && argc == 2) { return make_inline_array(p[1], gc); } else if (argc == 0) { return make_arg_array(NULL, NULL, gc); } else if (argc == 1) { return make_arg_array(p[0], NULL, gc); } else if (argc == 2) { return make_arg_array(p[0], p[1], gc); } else { return make_arg_copy(p, gc); } } /* * Remove security-sensitive strings from control message * so that they will not be output to log file. */ const char * sanitize_control_message(const char *src, struct gc_arena *gc) { char *ret = gc_malloc(strlen(src)+1, false, gc); char *dest = ret; bool redact = false; int skip = 0; for (;; ) { const char c = *src; if (c == '\0') { break; } if (c == 'S' && !strncmp(src, "SESS_ID_", 8)) { skip = 7; redact = true; } else if (c == 'e' && !strncmp(src, "echo ", 5)) { skip = 4; redact = true; } else if (!check_debug_level(D_SHOW_KEYS) && (c == 'a' && !strncmp(src, "auth-token ", 11))) { /* Unless --verb is 7 or higher (D_SHOW_KEYS), hide * the auth-token value coming in the src string */ skip = 10; redact = true; } if (c == ',') /* end of redacted item? */ { skip = 0; redact = false; } if (redact) { if (skip > 0) { --skip; *dest++ = c; } } else { *dest++ = c; } ++src; } *dest = '\0'; return ret; } /** * Will set or query for a global compat flag. To modify the compat flags * the COMPAT_FLAG_SET must be bitwise ORed together with the flag to set. * If no "operator" flag is given it defaults to COMPAT_FLAG_QUERY, * which returns the flag state. * * @param flag Flag to be set/queried for bitwise ORed with the operator flag * @return Returns 0 if the flag is not set, otherwise the 'flag' value is returned */ bool compat_flag(unsigned int flag) { static unsigned int compat_flags = 0; if (flag & COMPAT_FLAG_SET) { compat_flags |= (flag >> 1); } return (compat_flags & (flag >> 1)); } #if P2MP_SERVER /* helper to parse peer_info received from multi client, validate * (this is untrusted data) and put into environment */ bool validate_peer_info_line(char *line) { uint8_t c; int state = 0; while (*line) { c = *line; switch (state) { case 0: case 1: if (c == '=' && state == 1) { state = 2; } else if (isalnum(c) || c == '_') { state = 1; } else { return false; } case 2: /* after the '=', replace non-printable or shell meta with '_' */ if (!isprint(c) || isspace(c) || c == '$' || c == '(' || c == '`') { *line = '_'; } } line++; } return (state == 2); } void output_peer_info_env(struct env_set *es, const char *peer_info) { char line[256]; struct buffer buf; buf_set_read(&buf, (const uint8_t *) peer_info, strlen(peer_info)); while (buf_parse(&buf, '\n', line, sizeof(line))) { chomp(line); if (validate_peer_info_line(line) && (strncmp(line, "IV_", 3) == 0 || strncmp(line, "UV_", 3) == 0) ) { msg(M_INFO, "peer info: %s", line); env_set_add(es, line); } else { msg(M_WARN, "validation failed on peer_info line received from client"); } } } #endif /* P2MP_SERVER */ openvpn-2.4.4/src/openvpn/misc.h000066400000000000000000000236251316434344000166000ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifndef MISC_H #define MISC_H #include "argv.h" #include "basic.h" #include "common.h" #include "integer.h" #include "buffer.h" #include "platform.h" /* socket descriptor passed by inetd/xinetd server to us */ #define INETD_SOCKET_DESCRIPTOR 0 /* forward declarations */ struct plugin_list; /* * Handle environmental variable lists */ struct env_item { char *string; struct env_item *next; }; struct env_set { struct gc_arena *gc; struct env_item *list; }; /* system flags */ #define S_SCRIPT (1<<0) #define S_FATAL (1<<1) const char *system_error_message(int, struct gc_arena *gc); /* wrapper around the execve() call */ int openvpn_popen(const struct argv *a, const struct env_set *es); int openvpn_execve(const struct argv *a, const struct env_set *es, const unsigned int flags); bool openvpn_execve_check(const struct argv *a, const struct env_set *es, const unsigned int flags, const char *error_message); bool openvpn_execve_allowed(const unsigned int flags); static inline bool openvpn_run_script(const struct argv *a, const struct env_set *es, const unsigned int flags, const char *hook) { char msg[256]; openvpn_snprintf(msg, sizeof(msg), "WARNING: Failed running command (%s)", hook); return openvpn_execve_check(a, es, flags | S_SCRIPT, msg); } /* Set standard file descriptors to /dev/null */ void set_std_files_to_null(bool stdin_only); /* dup inetd/xinetd socket descriptor and save */ extern int inetd_socket_descriptor; void save_inetd_socket_descriptor(void); /* set/delete environmental variable */ void setenv_str_ex(struct env_set *es, const char *name, const char *value, const unsigned int name_include, const unsigned int name_exclude, const char name_replace, const unsigned int value_include, const unsigned int value_exclude, const char value_replace); void setenv_counter(struct env_set *es, const char *name, counter_type value); void setenv_int(struct env_set *es, const char *name, int value); void setenv_unsigned(struct env_set *es, const char *name, unsigned int value); void setenv_str(struct env_set *es, const char *name, const char *value); void setenv_str_safe(struct env_set *es, const char *name, const char *value); void setenv_del(struct env_set *es, const char *name); /** * Store the supplied name value pair in the env_set. If the variable with the * supplied name already exists, append _N to the name, starting at N=1. */ void setenv_str_incr(struct env_set *es, const char *name, const char *value); void setenv_int_i(struct env_set *es, const char *name, const int value, const int i); void setenv_str_i(struct env_set *es, const char *name, const char *value, const int i); /* struct env_set functions */ struct env_set *env_set_create(struct gc_arena *gc); void env_set_destroy(struct env_set *es); bool env_set_del(struct env_set *es, const char *str); void env_set_add(struct env_set *es, const char *str); const char *env_set_get(const struct env_set *es, const char *name); void env_set_print(int msglevel, const struct env_set *es); void env_set_inherit(struct env_set *es, const struct env_set *src); /* Make arrays of strings */ const char **make_env_array(const struct env_set *es, const bool check_allowed, struct gc_arena *gc); const char **make_arg_array(const char *first, const char *parms, struct gc_arena *gc); const char **make_extended_arg_array(char **p, struct gc_arena *gc); /* an analogue to the random() function, but use OpenSSL functions if available */ #ifdef ENABLE_CRYPTO long int get_random(void); #else #define get_random random #endif /* return true if filename can be opened for read */ bool test_file(const char *filename); /* create a temporary file in directory, returns the filename of the created file */ const char *create_temp_file(const char *directory, const char *prefix, struct gc_arena *gc); /* put a directory and filename together */ const char *gen_path(const char *directory, const char *filename, struct gc_arena *gc); /* return true if pathname is absolute */ bool absolute_pathname(const char *pathname); /* prepend a random prefix to hostname (need ENABLE_CRYPTO) */ const char *hostname_randomize(const char *hostname, struct gc_arena *gc); /* * Get and store a username/password */ struct user_pass { bool defined; bool nocache; bool tokenized; /* true if password has been substituted by a token */ bool wait_for_push; /* true if this object is waiting for a push-reply */ /* max length of username/password */ #ifdef ENABLE_PKCS11 #define USER_PASS_LEN 4096 #else #define USER_PASS_LEN 128 #endif char username[USER_PASS_LEN]; char password[USER_PASS_LEN]; }; #ifdef ENABLE_CLIENT_CR /* * Challenge response info on client as pushed by server. */ struct auth_challenge_info { #define CR_ECHO (1<<0) /* echo response when typed by user */ #define CR_RESPONSE (1<<1) /* response needed */ unsigned int flags; const char *user; const char *state_id; const char *challenge_text; }; struct auth_challenge_info *get_auth_challenge(const char *auth_challenge, struct gc_arena *gc); /* * Challenge response info on client as pushed by server. */ struct static_challenge_info { #define SC_ECHO (1<<0) /* echo response when typed by user */ unsigned int flags; const char *challenge_text; }; #else /* ifdef ENABLE_CLIENT_CR */ struct auth_challenge_info {}; struct static_challenge_info {}; #endif /* ifdef ENABLE_CLIENT_CR */ /* * Flags for get_user_pass and management_query_user_pass */ #define GET_USER_PASS_MANAGEMENT (1<<0) /* GET_USER_PASS_SENSITIVE (1<<1) not used anymore */ #define GET_USER_PASS_PASSWORD_ONLY (1<<2) #define GET_USER_PASS_NEED_OK (1<<3) #define GET_USER_PASS_NOFATAL (1<<4) #define GET_USER_PASS_NEED_STR (1<<5) #define GET_USER_PASS_PREVIOUS_CREDS_FAILED (1<<6) #define GET_USER_PASS_DYNAMIC_CHALLENGE (1<<7) /* CRV1 protocol -- dynamic challenge */ #define GET_USER_PASS_STATIC_CHALLENGE (1<<8) /* SCRV1 protocol -- static challenge */ #define GET_USER_PASS_STATIC_CHALLENGE_ECHO (1<<9) /* SCRV1 protocol -- echo response */ #define GET_USER_PASS_INLINE_CREDS (1<<10) /* indicates that auth_file is actually inline creds */ bool get_user_pass_cr(struct user_pass *up, const char *auth_file, const char *prefix, const unsigned int flags, const char *auth_challenge); static inline bool get_user_pass(struct user_pass *up, const char *auth_file, const char *prefix, const unsigned int flags) { return get_user_pass_cr(up, auth_file, prefix, flags, NULL); } void fail_user_pass(const char *prefix, const unsigned int flags, const char *reason); void purge_user_pass(struct user_pass *up, const bool force); void set_auth_token(struct user_pass *up, const char *token); /* * Process string received by untrusted peer before * printing to console or log file. * Assumes that string has been null terminated. */ const char *safe_print(const char *str, struct gc_arena *gc); /* returns true if environmental variable safe to print to log */ bool env_safe_to_print(const char *str); /* returns true if environmental variable may be passed to an external program */ bool env_allowed(const char *str); void configure_path(void); const char *sanitize_control_message(const char *str, struct gc_arena *gc); #if AUTO_USERID void get_user_pass_auto_userid(struct user_pass *up, const char *tag); #endif /* * /sbin/ip path, may be overridden */ #ifdef ENABLE_IPROUTE extern const char *iproute_path; #endif /* Script security */ #define SSEC_NONE 0 /* strictly no calling of external programs */ #define SSEC_BUILT_IN 1 /* only call built-in programs such as ifconfig, route, netsh, etc.*/ #define SSEC_SCRIPTS 2 /* allow calling of built-in programs and user-defined scripts */ #define SSEC_PW_ENV 3 /* allow calling of built-in programs and user-defined scripts that may receive a password as an environmental variable */ extern int script_security; /* GLOBAL */ #define COMPAT_FLAG_QUERY 0 /** compat_flags operator: Query for a flag */ #define COMPAT_FLAG_SET (1<<0) /** compat_flags operator: Set a compat flag */ #define COMPAT_NAMES (1<<1) /** compat flag: --compat-names set */ #define COMPAT_NO_NAME_REMAPPING (1<<2) /** compat flag: --compat-names without char remapping */ bool compat_flag(unsigned int flag); #if P2MP_SERVER /* helper to parse peer_info received from multi client, validate * (this is untrusted data) and put into environment */ bool validate_peer_info_line(char *line); void output_peer_info_env(struct env_set *es, const char *peer_info); #endif /* P2MP_SERVER */ #endif /* ifndef MISC_H */ openvpn-2.4.4/src/openvpn/mroute.c000066400000000000000000000365311316434344000171530ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) #include "config-msvc.h" #endif #include "syshead.h" #if P2MP_SERVER #include "mroute.h" #include "proto.h" #include "error.h" #include "socket.h" #include "memdbg.h" void mroute_addr_init(struct mroute_addr *addr) { CLEAR(*addr); } /* * Ethernet multicast addresses. */ static inline bool is_mac_mcast_addr(const uint8_t *mac) { return (bool) (mac[0] & 1); } static inline bool is_mac_mcast_maddr(const struct mroute_addr *addr) { return (addr->type & MR_ADDR_MASK) == MR_ADDR_ETHER && is_mac_mcast_addr(addr->eth_addr); } /* * Don't learn certain addresses. */ bool mroute_learnable_address(const struct mroute_addr *addr) { int i; bool not_all_zeros = false; bool not_all_ones = false; for (i = 0; i < addr->len; ++i) { int b = addr->raw_addr[i]; if (b != 0x00) { not_all_zeros = true; } if (b != 0xFF) { not_all_ones = true; } } return not_all_zeros && not_all_ones && !is_mac_mcast_maddr(addr); } static inline void mroute_get_in_addr_t(struct mroute_addr *ma, const in_addr_t src, unsigned int mask) { if (ma) { ma->type = MR_ADDR_IPV4 | mask; ma->netbits = 0; ma->len = 4; ma->v4.addr = src; } } static inline void mroute_get_in6_addr(struct mroute_addr *ma, const struct in6_addr src, unsigned int mask) { if (ma) { ma->type = MR_ADDR_IPV6 | mask; ma->netbits = 0; ma->len = 16; ma->v6.addr = src; } } static inline bool mroute_is_mcast(const in_addr_t addr) { return ((addr & htonl(IP_MCAST_SUBNET_MASK)) == htonl(IP_MCAST_NETWORK)); } /* RFC 4291, 2.7, "binary 11111111 at the start of an address identifies * the address as being a multicast address" */ static inline bool mroute_is_mcast_ipv6(const struct in6_addr addr) { return (addr.s6_addr[0] == 0xff); } #ifdef ENABLE_PF static unsigned int mroute_extract_addr_arp(struct mroute_addr *src, struct mroute_addr *dest, const struct buffer *buf) { unsigned int ret = 0; if (BLEN(buf) >= (int) sizeof(struct openvpn_arp)) { const struct openvpn_arp *arp = (const struct openvpn_arp *) BPTR(buf); if (arp->mac_addr_type == htons(0x0001) && arp->proto_addr_type == htons(0x0800) && arp->mac_addr_size == 0x06 && arp->proto_addr_size == 0x04) { mroute_get_in_addr_t(src, arp->ip_src, MR_ARP); mroute_get_in_addr_t(dest, arp->ip_dest, MR_ARP); /* multicast packet? */ if (mroute_is_mcast(arp->ip_dest)) { ret |= MROUTE_EXTRACT_MCAST; } ret |= MROUTE_EXTRACT_SUCCEEDED; } } return ret; } #endif /* ifdef ENABLE_PF */ unsigned int mroute_extract_addr_ip(struct mroute_addr *src, struct mroute_addr *dest, const struct buffer *buf) { unsigned int ret = 0; if (BLEN(buf) >= 1) { switch (OPENVPN_IPH_GET_VER(*BPTR(buf))) { case 4: if (BLEN(buf) >= (int) sizeof(struct openvpn_iphdr)) { const struct openvpn_iphdr *ip = (const struct openvpn_iphdr *) BPTR(buf); mroute_get_in_addr_t(src, ip->saddr, 0); mroute_get_in_addr_t(dest, ip->daddr, 0); /* multicast packet? */ if (mroute_is_mcast(ip->daddr)) { ret |= MROUTE_EXTRACT_MCAST; } /* IGMP message? */ if (ip->protocol == OPENVPN_IPPROTO_IGMP) { ret |= MROUTE_EXTRACT_IGMP; } ret |= MROUTE_EXTRACT_SUCCEEDED; } break; case 6: if (BLEN(buf) >= (int) sizeof(struct openvpn_ipv6hdr)) { const struct openvpn_ipv6hdr *ipv6 = (const struct openvpn_ipv6hdr *) BPTR(buf); #if 0 /* very basic debug */ struct gc_arena gc = gc_new(); msg( M_INFO, "IPv6 packet! src=%s, dst=%s", print_in6_addr( ipv6->saddr, 0, &gc ), print_in6_addr( ipv6->daddr, 0, &gc )); gc_free(&gc); #endif mroute_get_in6_addr(src, ipv6->saddr, 0); mroute_get_in6_addr(dest, ipv6->daddr, 0); if (mroute_is_mcast_ipv6(ipv6->daddr)) { ret |= MROUTE_EXTRACT_MCAST; } ret |= MROUTE_EXTRACT_SUCCEEDED; } break; default: msg(M_WARN, "IP packet with unknown IP version=%d seen", OPENVPN_IPH_GET_VER(*BPTR(buf))); } } return ret; } unsigned int mroute_extract_addr_ether(struct mroute_addr *src, struct mroute_addr *dest, struct mroute_addr *esrc, struct mroute_addr *edest, const struct buffer *buf) { unsigned int ret = 0; if (BLEN(buf) >= (int) sizeof(struct openvpn_ethhdr)) { const struct openvpn_ethhdr *eth = (const struct openvpn_ethhdr *) BPTR(buf); if (src) { src->type = MR_ADDR_ETHER; src->netbits = 0; src->len = 6; memcpy(src->eth_addr, eth->source, sizeof(dest->eth_addr)); } if (dest) { dest->type = MR_ADDR_ETHER; dest->netbits = 0; dest->len = 6; memcpy(dest->eth_addr, eth->dest, sizeof(dest->eth_addr)); /* ethernet broadcast/multicast packet? */ if (is_mac_mcast_addr(eth->dest)) { ret |= MROUTE_EXTRACT_BCAST; } } ret |= MROUTE_EXTRACT_SUCCEEDED; #ifdef ENABLE_PF if (esrc || edest) { struct buffer b = *buf; if (buf_advance(&b, sizeof(struct openvpn_ethhdr))) { switch (ntohs(eth->proto)) { case OPENVPN_ETH_P_IPV4: ret |= (mroute_extract_addr_ip(esrc, edest, &b) << MROUTE_SEC_SHIFT); break; case OPENVPN_ETH_P_ARP: ret |= (mroute_extract_addr_arp(esrc, edest, &b) << MROUTE_SEC_SHIFT); break; } } } #endif } return ret; } /* * Translate a struct openvpn_sockaddr (osaddr) * to a struct mroute_addr (addr). */ bool mroute_extract_openvpn_sockaddr(struct mroute_addr *addr, const struct openvpn_sockaddr *osaddr, bool use_port) { switch (osaddr->addr.sa.sa_family) { case AF_INET: { if (use_port) { addr->type = MR_ADDR_IPV4 | MR_WITH_PORT; addr->netbits = 0; addr->len = 6; addr->v4.addr = osaddr->addr.in4.sin_addr.s_addr; addr->v4.port = osaddr->addr.in4.sin_port; } else { addr->type = MR_ADDR_IPV4; addr->netbits = 0; addr->len = 4; addr->v4.addr = osaddr->addr.in4.sin_addr.s_addr; } return true; } case AF_INET6: if (use_port) { addr->type = MR_ADDR_IPV6 | MR_WITH_PORT; addr->netbits = 0; addr->len = 18; addr->v6.addr = osaddr->addr.in6.sin6_addr; addr->v6.port = osaddr->addr.in6.sin6_port; } else { addr->type = MR_ADDR_IPV6; addr->netbits = 0; addr->len = 16; addr->v6.addr = osaddr->addr.in6.sin6_addr; } return true; } return false; } /* * Zero off the host bits in an address, leaving * only the network bits, using the netbits member of * struct mroute_addr as the controlling parameter. * * TODO: this is called for route-lookup for every yet-unhashed * destination address, so for lots of active net-iroutes, this * might benefit from some "zeroize 32 bit at a time" improvements */ void mroute_addr_mask_host_bits(struct mroute_addr *ma) { if ((ma->type & MR_ADDR_MASK) == MR_ADDR_IPV4) { in_addr_t addr = ntohl(ma->v4.addr); addr &= netbits_to_netmask(ma->netbits); ma->v4.addr = htonl(addr); } else if ((ma->type & MR_ADDR_MASK) == MR_ADDR_IPV6) { int byte = sizeof(ma->v6.addr) - 1; /* rightmost byte in address */ int bits_to_clear = 128 - ma->netbits; while (byte >= 0 && bits_to_clear > 0) { if (bits_to_clear >= 8) { ma->v6.addr.s6_addr[byte--] = 0; bits_to_clear -= 8; } else { ma->v6.addr.s6_addr[byte--] &= (IPV4_NETMASK_HOST << bits_to_clear); bits_to_clear = 0; } } ASSERT( bits_to_clear == 0 ); } else { ASSERT(0); } } /* * The mroute_addr hash function takes into account the * address type, number of bits in the network address, * and the actual address. */ uint32_t mroute_addr_hash_function(const void *key, uint32_t iv) { return hash_func(mroute_addr_hash_ptr((const struct mroute_addr *) key), mroute_addr_hash_len((const struct mroute_addr *) key), iv); } bool mroute_addr_compare_function(const void *key1, const void *key2) { return mroute_addr_equal((const struct mroute_addr *) key1, (const struct mroute_addr *) key2); } const char * mroute_addr_print(const struct mroute_addr *ma, struct gc_arena *gc) { return mroute_addr_print_ex(ma, MAPF_IA_EMPTY_IF_UNDEF, gc); } const char * mroute_addr_print_ex(const struct mroute_addr *ma, const unsigned int flags, struct gc_arena *gc) { struct buffer out = alloc_buf_gc(64, gc); if (ma) { struct mroute_addr maddr = *ma; switch (maddr.type & MR_ADDR_MASK) { case MR_ADDR_ETHER: buf_printf(&out, "%s", format_hex_ex(ma->eth_addr, sizeof(ma->eth_addr), 0, 1, ":", gc)); break; case MR_ADDR_IPV4: { if ((flags & MAPF_SHOW_ARP) && (maddr.type & MR_ARP)) { buf_printf(&out, "ARP/"); } buf_printf(&out, "%s", print_in_addr_t(ntohl(maddr.v4.addr), (flags & MAPF_IA_EMPTY_IF_UNDEF) ? IA_EMPTY_IF_UNDEF : 0, gc)); if (maddr.type & MR_WITH_NETBITS) { if (flags & MAPF_SUBNET) { const in_addr_t netmask = netbits_to_netmask(maddr.netbits); buf_printf(&out, "/%s", print_in_addr_t(netmask, 0, gc)); } else { buf_printf(&out, "/%d", maddr.netbits); } } if (maddr.type & MR_WITH_PORT) { buf_printf(&out, ":%d", ntohs(maddr.v4.port)); } } break; case MR_ADDR_IPV6: { if (IN6_IS_ADDR_V4MAPPED( &maddr.v6.addr ) ) { buf_printf(&out, "%s", print_in_addr_t(maddr.v4mappedv6.addr, IA_NET_ORDER, gc)); } else { buf_printf(&out, "%s", print_in6_addr(maddr.v6.addr, 0, gc)); } if (maddr.type & MR_WITH_NETBITS) { buf_printf(&out, "/%d", maddr.netbits); } } break; default: buf_printf(&out, "UNKNOWN"); break; } return BSTR(&out); } else { return "[NULL]"; } } /* * mroute_helper's main job is keeping track of * currently used CIDR netlengths, so we don't * have to cycle through all 33. */ struct mroute_helper * mroute_helper_init(int ageable_ttl_secs) { struct mroute_helper *mh; ALLOC_OBJ_CLEAR(mh, struct mroute_helper); mh->ageable_ttl_secs = ageable_ttl_secs; return mh; } static void mroute_helper_regenerate(struct mroute_helper *mh) { int i, j = 0; for (i = MR_HELPER_NET_LEN - 1; i >= 0; --i) { if (mh->net_len_refcount[i] > 0) { mh->net_len[j++] = (uint8_t) i; } } mh->n_net_len = j; #ifdef ENABLE_DEBUG if (check_debug_level(D_MULTI_DEBUG)) { struct gc_arena gc = gc_new(); struct buffer out = alloc_buf_gc(256, &gc); buf_printf(&out, "MROUTE CIDR netlen:"); for (i = 0; i < mh->n_net_len; ++i) { buf_printf(&out, " /%d", mh->net_len[i]); } dmsg(D_MULTI_DEBUG, "%s", BSTR(&out)); gc_free(&gc); } #endif } void mroute_helper_add_iroute46(struct mroute_helper *mh, int netbits) { if (netbits >= 0) { ASSERT(netbits < MR_HELPER_NET_LEN); ++mh->cache_generation; ++mh->net_len_refcount[netbits]; if (mh->net_len_refcount[netbits] == 1) { mroute_helper_regenerate(mh); } } } void mroute_helper_del_iroute46(struct mroute_helper *mh, int netbits) { if (netbits >= 0) { ASSERT(netbits < MR_HELPER_NET_LEN); ++mh->cache_generation; --mh->net_len_refcount[netbits]; ASSERT(mh->net_len_refcount[netbits] >= 0); if (!mh->net_len_refcount[netbits]) { mroute_helper_regenerate(mh); } } } void mroute_helper_free(struct mroute_helper *mh) { free(mh); } #else /* if P2MP_SERVER */ static void dummy(void) { } #endif /* P2MP_SERVER */ openvpn-2.4.4/src/openvpn/mroute.h000066400000000000000000000203751316434344000171570ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifndef MROUTE_H #define MROUTE_H #if P2MP_SERVER #include "buffer.h" #include "list.h" #include "route.h" #include #define IP_MCAST_SUBNET_MASK ((in_addr_t)240<<24) #define IP_MCAST_NETWORK ((in_addr_t)224<<24) /* Return status values for mroute_extract_addr_from_packet */ #define MROUTE_EXTRACT_SUCCEEDED (1<<0) #define MROUTE_EXTRACT_BCAST (1<<1) #define MROUTE_EXTRACT_MCAST (1<<2) #define MROUTE_EXTRACT_IGMP (1<<3) #define MROUTE_SEC_EXTRACT_SUCCEEDED (1<<(0+MROUTE_SEC_SHIFT)) #define MROUTE_SEC_EXTRACT_BCAST (1<<(1+MROUTE_SEC_SHIFT)) #define MROUTE_SEC_EXTRACT_MCAST (1<<(2+MROUTE_SEC_SHIFT)) #define MROUTE_SEC_EXTRACT_IGMP (1<<(3+MROUTE_SEC_SHIFT)) #define MROUTE_SEC_SHIFT 4 /* * Choose the largest address possible with * any of our supported types, which is IPv6 * with port number. */ #define MR_MAX_ADDR_LEN 20 /* * Address Types */ #define MR_ADDR_NONE 0 #define MR_ADDR_ETHER 1 #define MR_ADDR_IPV4 2 #define MR_ADDR_IPV6 3 #define MR_ADDR_MASK 3 /* Address type mask indicating that port # is part of address */ #define MR_WITH_PORT 4 /* Address type mask indicating that netbits is part of address */ #define MR_WITH_NETBITS 8 /* Indicates than IPv4 addr was extracted from ARP packet */ #define MR_ARP 16 struct mroute_addr { uint8_t len; /* length of address */ uint8_t unused; uint8_t type; /* MR_ADDR/MR_WITH flags */ uint8_t netbits; /* number of bits in network part of address, * valid if MR_WITH_NETBITS is set */ union { uint8_t raw_addr[MR_MAX_ADDR_LEN]; /* actual address */ uint8_t eth_addr[OPENVPN_ETH_ALEN]; struct { in_addr_t addr; /* _network order_ IPv4 address */ in_port_t port; /* _network order_ TCP/UDP port */ } v4; struct { struct in6_addr addr; in_port_t port; /* _network order_ TCP/UDP port */ } v6; struct { uint8_t prefix[12]; in_addr_t addr; /* _network order_ IPv4 address */ } v4mappedv6; } #ifndef HAVE_ANONYMOUS_UNION_SUPPORT /* Wrappers to support compilers that do not grok anonymous unions */ mroute_union #define raw_addr mroute_union.raw_addr #define eth_addr mroute_union.eth_addr #define v4 mroute_union.v4 #define v6 mroute_union.v6 #define v4mappedv6 mroute_union.v4mappedv6 #endif ; }; /* Double-check that struct packing works as expected */ static_assert(offsetof(struct mroute_addr, v4.port) == offsetof(struct mroute_addr, v4) + 4, "Unexpected struct packing of v4"); static_assert(offsetof(struct mroute_addr, v6.port) == offsetof(struct mroute_addr, v6) + 16, "Unexpected struct packing of v6"); static_assert(offsetof(struct mroute_addr, v4mappedv6.addr) == offsetof(struct mroute_addr, v4mappedv6) + 12, "Unexpected struct packing of v4mappedv6"); /* * Number of bits in an address. Should be raised for IPv6. */ #define MR_HELPER_NET_LEN 129 /* * Used to help maintain CIDR routing table. */ struct mroute_helper { unsigned int cache_generation; /* incremented when route added */ int ageable_ttl_secs; /* host route cache entry time-to-live*/ int n_net_len; /* length of net_len array */ uint8_t net_len[MR_HELPER_NET_LEN]; /* CIDR netlengths in descending order */ int net_len_refcount[MR_HELPER_NET_LEN]; /* refcount of each netlength */ }; struct openvpn_sockaddr; bool mroute_extract_openvpn_sockaddr(struct mroute_addr *addr, const struct openvpn_sockaddr *osaddr, bool use_port); bool mroute_learnable_address(const struct mroute_addr *addr); uint32_t mroute_addr_hash_function(const void *key, uint32_t iv); bool mroute_addr_compare_function(const void *key1, const void *key2); void mroute_addr_init(struct mroute_addr *addr); const char *mroute_addr_print(const struct mroute_addr *ma, struct gc_arena *gc); #define MAPF_SUBNET (1<<0) #define MAPF_IA_EMPTY_IF_UNDEF (1<<1) #define MAPF_SHOW_ARP (1<<2) const char *mroute_addr_print_ex(const struct mroute_addr *ma, const unsigned int flags, struct gc_arena *gc); void mroute_addr_mask_host_bits(struct mroute_addr *ma); struct mroute_helper *mroute_helper_init(int ageable_ttl_secs); void mroute_helper_free(struct mroute_helper *mh); void mroute_helper_add_iroute46(struct mroute_helper *mh, int netbits); void mroute_helper_del_iroute46(struct mroute_helper *mh, int netbits); /* * Given a raw packet in buf, return the src and dest * addresses of the packet. */ static inline unsigned int mroute_extract_addr_from_packet(struct mroute_addr *src, struct mroute_addr *dest, struct mroute_addr *esrc, struct mroute_addr *edest, const struct buffer *buf, int tunnel_type) { unsigned int mroute_extract_addr_ip(struct mroute_addr *src, struct mroute_addr *dest, const struct buffer *buf); unsigned int mroute_extract_addr_ether(struct mroute_addr *src, struct mroute_addr *dest, struct mroute_addr *esrc, struct mroute_addr *edest, const struct buffer *buf); unsigned int ret = 0; verify_align_4(buf); if (tunnel_type == DEV_TYPE_TUN) { ret = mroute_extract_addr_ip(src, dest, buf); } else if (tunnel_type == DEV_TYPE_TAP) { ret = mroute_extract_addr_ether(src, dest, esrc, edest, buf); } return ret; } static inline bool mroute_addr_equal(const struct mroute_addr *a1, const struct mroute_addr *a2) { if (a1->type != a2->type) { return false; } if (a1->netbits != a2->netbits) { return false; } if (a1->len != a2->len) { return false; } return memcmp(a1->raw_addr, a2->raw_addr, a1->len) == 0; } static inline const uint8_t * mroute_addr_hash_ptr(const struct mroute_addr *a) { /* NOTE: depends on ordering of struct mroute_addr */ return (uint8_t *) &a->type; } static inline uint32_t mroute_addr_hash_len(const struct mroute_addr *a) { return (uint32_t) a->len + 2; } static inline void mroute_extract_in_addr_t(struct mroute_addr *dest, const in_addr_t src) { dest->type = MR_ADDR_IPV4; dest->netbits = 0; dest->len = 4; dest->v4.addr = htonl(src); } static inline in_addr_t in_addr_t_from_mroute_addr(const struct mroute_addr *addr) { if ((addr->type & MR_ADDR_MASK) == MR_ADDR_IPV4 && addr->netbits == 0 && addr->len == 4) { return ntohl(addr->v4.addr); } else { return 0; } } static inline void mroute_addr_reset(struct mroute_addr *ma) { ma->len = 0; ma->type = MR_ADDR_NONE; } #endif /* P2MP_SERVER */ #endif /* MROUTE_H */ openvpn-2.4.4/src/openvpn/mss.c000066400000000000000000000133641316434344000164410ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) #include "config-msvc.h" #endif #include "syshead.h" #include "error.h" #include "mss.h" #include "memdbg.h" /* * Lower MSS on TCP SYN packets to fix MTU * problems which arise from protocol * encapsulation. */ /* * IPv4 packet: find TCP header, check flags for "SYN" * if yes, hand to mss_fixup_dowork() */ void mss_fixup_ipv4(struct buffer *buf, int maxmss) { const struct openvpn_iphdr *pip; int hlen; if (BLEN(buf) < (int) sizeof(struct openvpn_iphdr)) { return; } verify_align_4(buf); pip = (struct openvpn_iphdr *) BPTR(buf); hlen = OPENVPN_IPH_GET_LEN(pip->version_len); if (pip->protocol == OPENVPN_IPPROTO_TCP && ntohs(pip->tot_len) == BLEN(buf) && (ntohs(pip->frag_off) & OPENVPN_IP_OFFMASK) == 0 && hlen <= BLEN(buf) && BLEN(buf) - hlen >= (int) sizeof(struct openvpn_tcphdr)) { struct buffer newbuf = *buf; if (buf_advance(&newbuf, hlen)) { struct openvpn_tcphdr *tc = (struct openvpn_tcphdr *) BPTR(&newbuf); if (tc->flags & OPENVPN_TCPH_SYN_MASK) { mss_fixup_dowork(&newbuf, (uint16_t) maxmss); } } } } /* * IPv6 packet: find TCP header, check flags for "SYN" * if yes, hand to mss_fixup_dowork() * (IPv6 header structure is sufficiently different from IPv4...) */ void mss_fixup_ipv6(struct buffer *buf, int maxmss) { const struct openvpn_ipv6hdr *pip6; struct buffer newbuf; if (BLEN(buf) < (int) sizeof(struct openvpn_ipv6hdr)) { return; } verify_align_4(buf); pip6 = (struct openvpn_ipv6hdr *) BPTR(buf); /* do we have the full IPv6 packet? * "payload_len" does not include IPv6 header (+40 bytes) */ if (BLEN(buf) != (int) ntohs(pip6->payload_len)+40) { return; } /* follow header chain until we reach final header, then check for TCP * * An IPv6 packet could, theoretically, have a chain of multiple headers * before the final header (TCP, UDP, ...), so we'd need to walk that * chain (see RFC 2460 and RFC 6564 for details). * * In practice, "most typically used" extention headers (AH, routing, * fragment, mobility) are very unlikely to be seen inside an OpenVPN * tun, so for now, we only handle the case of "single next header = TCP" */ if (pip6->nexthdr != OPENVPN_IPPROTO_TCP) { return; } /* skip IPv6 header (40 bytes), * verify remainder is large enough to contain a full TCP header */ newbuf = *buf; if (buf_advance( &newbuf, 40 ) && BLEN(&newbuf) >= (int) sizeof(struct openvpn_tcphdr)) { struct openvpn_tcphdr *tc = (struct openvpn_tcphdr *) BPTR(&newbuf); if (tc->flags & OPENVPN_TCPH_SYN_MASK) { mss_fixup_dowork(&newbuf, (uint16_t) maxmss-20); } } } /* * change TCP MSS option in SYN/SYN-ACK packets, if present * this is generic for IPv4 and IPv6, as the TCP header is the same */ void mss_fixup_dowork(struct buffer *buf, uint16_t maxmss) { int hlen, olen, optlen; uint8_t *opt; uint16_t mssval; int accumulate; struct openvpn_tcphdr *tc; if (BLEN(buf) < (int) sizeof(struct openvpn_tcphdr)) { return; } verify_align_4(buf); tc = (struct openvpn_tcphdr *) BPTR(buf); hlen = OPENVPN_TCPH_GET_DOFF(tc->doff_res); /* Invalid header length or header without options. */ if (hlen <= (int) sizeof(struct openvpn_tcphdr) || hlen > BLEN(buf)) { return; } for (olen = hlen - sizeof(struct openvpn_tcphdr), opt = (uint8_t *)(tc + 1); olen > 1; olen -= optlen, opt += optlen) { if (*opt == OPENVPN_TCPOPT_EOL) { break; } else if (*opt == OPENVPN_TCPOPT_NOP) { optlen = 1; } else { optlen = *(opt + 1); if (optlen <= 0 || optlen > olen) { break; } if (*opt == OPENVPN_TCPOPT_MAXSEG) { if (optlen != OPENVPN_TCPOLEN_MAXSEG) { continue; } mssval = (opt[2]<<8)+opt[3]; if (mssval > maxmss) { dmsg(D_MSS, "MSS: %d -> %d", (int) mssval, (int) maxmss); accumulate = htons(mssval); opt[2] = (maxmss>>8)&0xff; opt[3] = maxmss&0xff; accumulate -= htons(maxmss); ADJUST_CHECKSUM(accumulate, tc->check); } } } } } openvpn-2.4.4/src/openvpn/mss.h000066400000000000000000000024021316434344000164350ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifndef MSS_H #define MSS_H #include "proto.h" #include "error.h" void mss_fixup_ipv4(struct buffer *buf, int maxmss); void mss_fixup_ipv6(struct buffer *buf, int maxmss); void mss_fixup_dowork(struct buffer *buf, uint16_t maxmss); #endif openvpn-2.4.4/src/openvpn/mstats.c000066400000000000000000000063171316434344000171520ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ /* * Maintain usage stats in a memory-mapped file */ #ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) #include "config-msvc.h" #endif #include "syshead.h" #if defined(ENABLE_MEMSTATS) #include #include "error.h" #include "misc.h" #include "mstats.h" #include "memdbg.h" volatile struct mmap_stats *mmap_stats = NULL; /* GLOBAL */ static char mmap_fn[128]; void mstats_open(const char *fn) { void *data; ssize_t stat; int fd; struct mmap_stats ms; if (mmap_stats) /* already called? */ { return; } /* verify that filename is not too long */ if (strlen(fn) >= sizeof(mmap_fn)) { msg(M_FATAL, "mstats_open: filename too long"); } /* create file that will be memory mapped */ fd = open(fn, O_CREAT | O_TRUNC | O_RDWR, S_IRUSR | S_IWUSR); if (fd < 0) { msg(M_ERR, "mstats_open: cannot open: %s", fn); return; } /* set the file to the correct size to contain a * struct mmap_stats, and zero it */ CLEAR(ms); ms.state = MSTATS_ACTIVE; stat = write(fd, &ms, sizeof(ms)); if (stat != sizeof(ms)) { msg(M_ERR, "mstats_open: write error: %s", fn); close(fd); return; } /* mmap the file */ data = mmap(NULL, sizeof(struct mmap_stats), PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0); if (data == MAP_FAILED) { msg(M_ERR, "mstats_open: write error: %s", fn); close(fd); return; } /* close the fd (mmap now controls the file) */ if (close(fd)) { msg(M_ERR, "mstats_open: close error: %s", fn); } /* save filename so we can delete it later */ strcpy(mmap_fn, fn); /* save a global pointer to memory-mapped region */ mmap_stats = (struct mmap_stats *)data; msg(M_INFO, "memstats data will be written to %s", fn); } void mstats_close(void) { if (mmap_stats) { mmap_stats->state = MSTATS_EXPIRED; if (munmap((void *)mmap_stats, sizeof(struct mmap_stats))) { msg(M_WARN | M_ERRNO, "mstats_close: munmap error"); } platform_unlink(mmap_fn); mmap_stats = NULL; } } #endif /* if defined(ENABLE_MEMSTATS) */ openvpn-2.4.4/src/openvpn/mstats.h000066400000000000000000000032341316434344000171520ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ /* * Maintain usage stats in a memory-mapped file */ #if !defined(OPENVPN_MEMSTATS_H) && defined(ENABLE_MEMSTATS) #define OPENVPN_MEMSTATS_H #include "basic.h" /* this struct is mapped to the file */ struct mmap_stats { counter_type link_read_bytes; /* counter_type can be assumed to be a uint64_t */ counter_type link_write_bytes; int n_clients; #define MSTATS_UNDEF 0 #define MSTATS_ACTIVE 1 #define MSTATS_EXPIRED 2 int state; }; extern volatile struct mmap_stats *mmap_stats; /* GLOBAL */ void mstats_open(const char *fn); void mstats_close(void); #endif /* if !defined(OPENVPN_MEMSTATS_H) && defined(ENABLE_MEMSTATS) */ openvpn-2.4.4/src/openvpn/mtcp.c000066400000000000000000000542051316434344000166010ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) #include "config-msvc.h" #endif #include "syshead.h" #if P2MP_SERVER #include "multi.h" #include "forward-inline.h" #include "memdbg.h" #ifdef HAVE_SYS_INOTIFY_H #include #endif /* * TCP States */ #define TA_UNDEF 0 #define TA_SOCKET_READ 1 #define TA_SOCKET_READ_RESIDUAL 2 #define TA_SOCKET_WRITE 3 #define TA_SOCKET_WRITE_READY 4 #define TA_SOCKET_WRITE_DEFERRED 5 #define TA_TUN_READ 6 #define TA_TUN_WRITE 7 #define TA_INITIAL 8 #define TA_TIMEOUT 9 #define TA_TUN_WRITE_TIMEOUT 10 /* * Special tags passed to event.[ch] functions */ #define MTCP_SOCKET ((void *)1) #define MTCP_TUN ((void *)2) #define MTCP_SIG ((void *)3) /* Only on Windows */ #ifdef ENABLE_MANAGEMENT #define MTCP_MANAGEMENT ((void *)4) #endif #ifdef ENABLE_ASYNC_PUSH #define MTCP_FILE_CLOSE_WRITE ((void *)5) #endif #define MTCP_N ((void *)16) /* upper bound on MTCP_x */ struct ta_iow_flags { unsigned int flags; unsigned int ret; unsigned int tun; unsigned int sock; }; static const char * pract(int action) { switch (action) { case TA_UNDEF: return "TA_UNDEF"; case TA_SOCKET_READ: return "TA_SOCKET_READ"; case TA_SOCKET_READ_RESIDUAL: return "TA_SOCKET_READ_RESIDUAL"; case TA_SOCKET_WRITE: return "TA_SOCKET_WRITE"; case TA_SOCKET_WRITE_READY: return "TA_SOCKET_WRITE_READY"; case TA_SOCKET_WRITE_DEFERRED: return "TA_SOCKET_WRITE_DEFERRED"; case TA_TUN_READ: return "TA_TUN_READ"; case TA_TUN_WRITE: return "TA_TUN_WRITE"; case TA_INITIAL: return "TA_INITIAL"; case TA_TIMEOUT: return "TA_TIMEOUT"; case TA_TUN_WRITE_TIMEOUT: return "TA_TUN_WRITE_TIMEOUT"; default: return "?"; } } static struct multi_instance * multi_create_instance_tcp(struct multi_context *m) { struct gc_arena gc = gc_new(); struct multi_instance *mi = NULL; struct hash *hash = m->hash; mi = multi_create_instance(m, NULL); if (mi) { struct hash_element *he; const uint32_t hv = hash_value(hash, &mi->real); struct hash_bucket *bucket = hash_bucket(hash, hv); he = hash_lookup_fast(hash, bucket, &mi->real, hv); if (he) { struct multi_instance *oldmi = (struct multi_instance *) he->value; msg(D_MULTI_LOW, "MULTI TCP: new incoming client address matches existing client address -- new client takes precedence"); oldmi->did_real_hash = false; multi_close_instance(m, oldmi, false); he->key = &mi->real; he->value = mi; } else { hash_add_fast(hash, bucket, &mi->real, hv, mi); } mi->did_real_hash = true; } #ifdef ENABLE_DEBUG if (mi) { dmsg(D_MULTI_DEBUG, "MULTI TCP: instance added: %s", mroute_addr_print(&mi->real, &gc)); } else { dmsg(D_MULTI_DEBUG, "MULTI TCP: new client instance failed"); } #endif gc_free(&gc); ASSERT(!(mi && mi->halt)); return mi; } bool multi_tcp_instance_specific_init(struct multi_context *m, struct multi_instance *mi) { /* buffer for queued TCP socket output packets */ mi->tcp_link_out_deferred = mbuf_init(m->top.options.n_bcast_buf); ASSERT(mi->context.c2.link_socket); ASSERT(mi->context.c2.link_socket->info.lsa); ASSERT(mi->context.c2.link_socket->mode == LS_MODE_TCP_ACCEPT_FROM); ASSERT(mi->context.c2.link_socket->info.lsa->actual.dest.addr.sa.sa_family == AF_INET || mi->context.c2.link_socket->info.lsa->actual.dest.addr.sa.sa_family == AF_INET6 ); if (!mroute_extract_openvpn_sockaddr(&mi->real, &mi->context.c2.link_socket->info.lsa->actual.dest, true)) { msg(D_MULTI_ERRORS, "MULTI TCP: TCP client address is undefined"); return false; } return true; } void multi_tcp_instance_specific_free(struct multi_instance *mi) { mbuf_free(mi->tcp_link_out_deferred); } struct multi_tcp * multi_tcp_init(int maxevents, int *maxclients) { struct multi_tcp *mtcp; const int extra_events = BASE_N_EVENTS; ASSERT(maxevents >= 1); ASSERT(maxclients); ALLOC_OBJ_CLEAR(mtcp, struct multi_tcp); mtcp->maxevents = maxevents + extra_events; mtcp->es = event_set_init(&mtcp->maxevents, 0); wait_signal(mtcp->es, MTCP_SIG); ALLOC_ARRAY(mtcp->esr, struct event_set_return, mtcp->maxevents); *maxclients = max_int(min_int(mtcp->maxevents - extra_events, *maxclients), 1); msg(D_MULTI_LOW, "MULTI: TCP INIT maxclients=%d maxevents=%d", *maxclients, mtcp->maxevents); return mtcp; } void multi_tcp_delete_event(struct multi_tcp *mtcp, event_t event) { if (mtcp && mtcp->es) { event_del(mtcp->es, event); } } void multi_tcp_free(struct multi_tcp *mtcp) { if (mtcp) { event_free(mtcp->es); if (mtcp->esr) { free(mtcp->esr); } free(mtcp); } } void multi_tcp_dereference_instance(struct multi_tcp *mtcp, struct multi_instance *mi) { struct link_socket *ls = mi->context.c2.link_socket; if (ls && mi->socket_set_called) { event_del(mtcp->es, socket_event_handle(ls)); } mtcp->n_esr = 0; } static inline void multi_tcp_set_global_rw_flags(struct multi_context *m, struct multi_instance *mi) { if (mi) { mi->socket_set_called = true; socket_set(mi->context.c2.link_socket, m->mtcp->es, mbuf_defined(mi->tcp_link_out_deferred) ? EVENT_WRITE : EVENT_READ, mi, &mi->tcp_rwflags); } } static inline int multi_tcp_wait(const struct context *c, struct multi_tcp *mtcp) { int status; socket_set_listen_persistent(c->c2.link_socket, mtcp->es, MTCP_SOCKET); tun_set(c->c1.tuntap, mtcp->es, EVENT_READ, MTCP_TUN, &mtcp->tun_rwflags); #ifdef ENABLE_MANAGEMENT if (management) { management_socket_set(management, mtcp->es, MTCP_MANAGEMENT, &mtcp->management_persist_flags); } #endif #ifdef ENABLE_ASYNC_PUSH /* arm inotify watcher */ event_ctl(mtcp->es, c->c2.inotify_fd, EVENT_READ, MTCP_FILE_CLOSE_WRITE); #endif status = event_wait(mtcp->es, &c->c2.timeval, mtcp->esr, mtcp->maxevents); update_time(); mtcp->n_esr = 0; if (status > 0) { mtcp->n_esr = status; } return status; } static inline struct context * multi_tcp_context(struct multi_context *m, struct multi_instance *mi) { if (mi) { return &mi->context; } else { return &m->top; } } static bool multi_tcp_process_outgoing_link_ready(struct multi_context *m, struct multi_instance *mi, const unsigned int mpp_flags) { struct mbuf_item item; bool ret = true; ASSERT(mi); /* extract from queue */ if (mbuf_extract_item(mi->tcp_link_out_deferred, &item)) /* ciphertext IP packet */ { dmsg(D_MULTI_TCP, "MULTI TCP: transmitting previously deferred packet"); ASSERT(mi == item.instance); mi->context.c2.to_link = item.buffer->buf; ret = multi_process_outgoing_link_dowork(m, mi, mpp_flags); if (!ret) { mi = NULL; } mbuf_free_buf(item.buffer); } return ret; } static bool multi_tcp_process_outgoing_link(struct multi_context *m, bool defer, const unsigned int mpp_flags) { struct multi_instance *mi = multi_process_outgoing_link_pre(m); bool ret = true; if (mi) { if (defer || mbuf_defined(mi->tcp_link_out_deferred)) { /* save to queue */ struct buffer *buf = &mi->context.c2.to_link; if (BLEN(buf) > 0) { struct mbuf_buffer *mb = mbuf_alloc_buf(buf); struct mbuf_item item; set_prefix(mi); dmsg(D_MULTI_TCP, "MULTI TCP: queuing deferred packet"); item.buffer = mb; item.instance = mi; mbuf_add_item(mi->tcp_link_out_deferred, &item); mbuf_free_buf(mb); buf_reset(buf); ret = multi_process_post(m, mi, mpp_flags); if (!ret) { mi = NULL; } clear_prefix(); } } else { ret = multi_process_outgoing_link_dowork(m, mi, mpp_flags); if (!ret) { mi = NULL; } } } return ret; } static int multi_tcp_wait_lite(struct multi_context *m, struct multi_instance *mi, const int action, bool *tun_input_pending) { struct context *c = multi_tcp_context(m, mi); unsigned int looking_for = 0; dmsg(D_MULTI_DEBUG, "MULTI TCP: multi_tcp_wait_lite a=%s mi=" ptr_format, pract(action), (ptr_type)mi); tv_clear(&c->c2.timeval); /* ZERO-TIMEOUT */ switch (action) { case TA_TUN_READ: looking_for = TUN_READ; tun_input_pending = NULL; io_wait(c, IOW_READ_TUN); break; case TA_SOCKET_READ: looking_for = SOCKET_READ; tun_input_pending = NULL; io_wait(c, IOW_READ_LINK); break; case TA_TUN_WRITE: looking_for = TUN_WRITE; tun_input_pending = NULL; c->c2.timeval.tv_sec = 1; /* For some reason, the Linux 2.2 TUN/TAP driver hits this timeout */ perf_push(PERF_PROC_OUT_TUN_MTCP); io_wait(c, IOW_TO_TUN); perf_pop(); break; case TA_SOCKET_WRITE: looking_for = SOCKET_WRITE; io_wait(c, IOW_TO_LINK|IOW_READ_TUN_FORCE); break; default: msg(M_FATAL, "MULTI TCP: multi_tcp_wait_lite, unhandled action=%d", action); } if (tun_input_pending && (c->c2.event_set_status & TUN_READ)) { *tun_input_pending = true; } if (c->c2.event_set_status & looking_for) { return action; } else { switch (action) { /* TCP socket output buffer is full */ case TA_SOCKET_WRITE: return TA_SOCKET_WRITE_DEFERRED; /* TUN device timed out on accepting write */ case TA_TUN_WRITE: return TA_TUN_WRITE_TIMEOUT; } return TA_UNDEF; } } static struct multi_instance * multi_tcp_dispatch(struct multi_context *m, struct multi_instance *mi, const int action) { const unsigned int mpp_flags = MPP_PRE_SELECT|MPP_RECORD_TOUCH; struct multi_instance *touched = mi; m->mpp_touched = &touched; dmsg(D_MULTI_DEBUG, "MULTI TCP: multi_tcp_dispatch a=%s mi=" ptr_format, pract(action), (ptr_type)mi); switch (action) { case TA_TUN_READ: read_incoming_tun(&m->top); if (!IS_SIG(&m->top)) { multi_process_incoming_tun(m, mpp_flags); } break; case TA_SOCKET_READ: case TA_SOCKET_READ_RESIDUAL: ASSERT(mi); ASSERT(mi->context.c2.link_socket); set_prefix(mi); read_incoming_link(&mi->context); clear_prefix(); if (!IS_SIG(&mi->context)) { multi_process_incoming_link(m, mi, mpp_flags); if (!IS_SIG(&mi->context)) { stream_buf_read_setup(mi->context.c2.link_socket); } } break; case TA_TIMEOUT: multi_process_timeout(m, mpp_flags); break; case TA_TUN_WRITE: multi_process_outgoing_tun(m, mpp_flags); break; case TA_TUN_WRITE_TIMEOUT: multi_process_drop_outgoing_tun(m, mpp_flags); break; case TA_SOCKET_WRITE_READY: ASSERT(mi); multi_tcp_process_outgoing_link_ready(m, mi, mpp_flags); break; case TA_SOCKET_WRITE: multi_tcp_process_outgoing_link(m, false, mpp_flags); break; case TA_SOCKET_WRITE_DEFERRED: multi_tcp_process_outgoing_link(m, true, mpp_flags); break; case TA_INITIAL: ASSERT(mi); multi_tcp_set_global_rw_flags(m, mi); multi_process_post(m, mi, mpp_flags); break; default: msg(M_FATAL, "MULTI TCP: multi_tcp_dispatch, unhandled action=%d", action); } m->mpp_touched = NULL; return touched; } static int multi_tcp_post(struct multi_context *m, struct multi_instance *mi, const int action) { struct context *c = multi_tcp_context(m, mi); int newaction = TA_UNDEF; #define MTP_NONE 0 #define MTP_TUN_OUT (1<<0) #define MTP_LINK_OUT (1<<1) unsigned int flags = MTP_NONE; if (TUN_OUT(c)) { flags |= MTP_TUN_OUT; } if (LINK_OUT(c)) { flags |= MTP_LINK_OUT; } switch (flags) { case MTP_TUN_OUT|MTP_LINK_OUT: case MTP_TUN_OUT: newaction = TA_TUN_WRITE; break; case MTP_LINK_OUT: newaction = TA_SOCKET_WRITE; break; case MTP_NONE: if (mi && socket_read_residual(c->c2.link_socket)) { newaction = TA_SOCKET_READ_RESIDUAL; } else { multi_tcp_set_global_rw_flags(m, mi); } break; default: { struct gc_arena gc = gc_new(); msg(M_FATAL, "MULTI TCP: multi_tcp_post bad state, mi=%s flags=%d", multi_instance_string(mi, false, &gc), flags); gc_free(&gc); break; } } dmsg(D_MULTI_DEBUG, "MULTI TCP: multi_tcp_post %s -> %s", pract(action), pract(newaction)); return newaction; } static void multi_tcp_action(struct multi_context *m, struct multi_instance *mi, int action, bool poll) { bool tun_input_pending = false; do { dmsg(D_MULTI_DEBUG, "MULTI TCP: multi_tcp_action a=%s p=%d", pract(action), poll); /* * If TA_SOCKET_READ_RESIDUAL, it means we still have pending * input packets which were read by a prior TCP recv. * * Otherwise do a "lite" wait, which means we wait with 0 timeout * on I/O events only related to the current instance, not * the big list of events. * * On our first pass, poll will be false because we already know * that input is available, and to call io_wait would be redundant. */ if (poll && action != TA_SOCKET_READ_RESIDUAL) { const int orig_action = action; action = multi_tcp_wait_lite(m, mi, action, &tun_input_pending); if (action == TA_UNDEF) { msg(M_FATAL, "MULTI TCP: I/O wait required blocking in multi_tcp_action, action=%d", orig_action); } } /* * Dispatch the action */ { struct multi_instance *touched = multi_tcp_dispatch(m, mi, action); /* * Signal received or TCP connection * reset by peer? */ if (touched && IS_SIG(&touched->context)) { if (mi == touched) { mi = NULL; } multi_close_instance_on_signal(m, touched); } } /* * If dispatch produced any pending output * for a particular instance, point to * that instance. */ if (m->pending) { mi = m->pending; } /* * Based on the effects of the action, * such as generating pending output, * possibly transition to a new action state. */ action = multi_tcp_post(m, mi, action); /* * If we are finished processing the original action, * check if we have any TUN input. If so, transition * our action state to processing this input. */ if (tun_input_pending && action == TA_UNDEF) { action = TA_TUN_READ; mi = NULL; tun_input_pending = false; poll = false; } else { poll = true; } } while (action != TA_UNDEF); } static void multi_tcp_process_io(struct multi_context *m) { struct multi_tcp *mtcp = m->mtcp; int i; for (i = 0; i < mtcp->n_esr; ++i) { struct event_set_return *e = &mtcp->esr[i]; /* incoming data for instance? */ if (e->arg >= MTCP_N) { struct multi_instance *mi = (struct multi_instance *) e->arg; if (mi) { if (e->rwflags & EVENT_WRITE) { multi_tcp_action(m, mi, TA_SOCKET_WRITE_READY, false); } else if (e->rwflags & EVENT_READ) { multi_tcp_action(m, mi, TA_SOCKET_READ, false); } } } else { #ifdef ENABLE_MANAGEMENT if (e->arg == MTCP_MANAGEMENT) { ASSERT(management); management_io(management); } else #endif /* incoming data on TUN? */ if (e->arg == MTCP_TUN) { if (e->rwflags & EVENT_WRITE) { multi_tcp_action(m, NULL, TA_TUN_WRITE, false); } else if (e->rwflags & EVENT_READ) { multi_tcp_action(m, NULL, TA_TUN_READ, false); } } /* new incoming TCP client attempting to connect? */ else if (e->arg == MTCP_SOCKET) { struct multi_instance *mi; ASSERT(m->top.c2.link_socket); socket_reset_listen_persistent(m->top.c2.link_socket); mi = multi_create_instance_tcp(m); if (mi) { multi_tcp_action(m, mi, TA_INITIAL, false); } } /* signal received? */ else if (e->arg == MTCP_SIG) { get_signal(&m->top.sig->signal_received); } #ifdef ENABLE_ASYNC_PUSH else if (e->arg == MTCP_FILE_CLOSE_WRITE) { multi_process_file_closed(m, MPP_PRE_SELECT | MPP_RECORD_TOUCH); } #endif } if (IS_SIG(&m->top)) { break; } } mtcp->n_esr = 0; /* * Process queued mbuf packets destined for TCP socket */ { struct multi_instance *mi; while (!IS_SIG(&m->top) && (mi = mbuf_peek(m->mbuf)) != NULL) { multi_tcp_action(m, mi, TA_SOCKET_WRITE, true); } } } /* * Top level event loop for single-threaded operation. * TCP mode. */ void tunnel_server_tcp(struct context *top) { struct multi_context multi; int status; top->mode = CM_TOP; context_clear_2(top); /* initialize top-tunnel instance */ init_instance_handle_signals(top, top->es, CC_HARD_USR1_TO_HUP); if (IS_SIG(top)) { return; } /* initialize global multi_context object */ multi_init(&multi, top, true, MC_SINGLE_THREADED); /* initialize our cloned top object */ multi_top_init(&multi, top); /* initialize management interface */ init_management_callback_multi(&multi); /* finished with initialization */ initialization_sequence_completed(top, ISC_SERVER); /* --mode server --proto tcp-server */ #ifdef ENABLE_ASYNC_PUSH multi.top.c2.inotify_fd = inotify_init(); if (multi.top.c2.inotify_fd < 0) { msg(D_MULTI_ERRORS | M_ERRNO, "MULTI: inotify_init error"); } #endif /* per-packet event loop */ while (true) { perf_push(PERF_EVENT_LOOP); /* wait on tun/socket list */ multi_get_timeout(&multi, &multi.top.c2.timeval); status = multi_tcp_wait(&multi.top, multi.mtcp); MULTI_CHECK_SIG(&multi); /* check on status of coarse timers */ multi_process_per_second_timers(&multi); /* timeout? */ if (status > 0) { /* process the I/O which triggered select */ multi_tcp_process_io(&multi); MULTI_CHECK_SIG(&multi); } else if (status == 0) { multi_tcp_action(&multi, NULL, TA_TIMEOUT, false); } perf_pop(); } #ifdef ENABLE_ASYNC_PUSH close(top->c2.inotify_fd); #endif /* shut down management interface */ uninit_management_callback_multi(&multi); /* save ifconfig-pool */ multi_ifconfig_pool_persist(&multi, true); /* tear down tunnel instance (unless --persist-tun) */ multi_uninit(&multi); multi_top_free(&multi); close_instance(top); } #endif /* if P2MP_SERVER */ openvpn-2.4.4/src/openvpn/mtcp.h000066400000000000000000000043601316434344000166030ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ /* * TCP specific code for --mode server */ #ifndef MTCP_H #define MTCP_H #if P2MP_SERVER #include "event.h" /* * Extra state info needed for TCP mode */ struct multi_tcp { struct event_set *es; struct event_set_return *esr; int n_esr; int maxevents; unsigned int tun_rwflags; #ifdef ENABLE_MANAGEMENT unsigned int management_persist_flags; #endif }; struct multi_instance; struct context; struct multi_tcp *multi_tcp_init(int maxevents, int *maxclients); void multi_tcp_free(struct multi_tcp *mtcp); void multi_tcp_dereference_instance(struct multi_tcp *mtcp, struct multi_instance *mi); bool multi_tcp_instance_specific_init(struct multi_context *m, struct multi_instance *mi); void multi_tcp_instance_specific_free(struct multi_instance *mi); void multi_tcp_link_out_deferred(struct multi_context *m, struct multi_instance *mi); /**************************************************************************/ /** * Main event loop for OpenVPN in TCP server mode. * @ingroup eventloop * * @param top - Top-level context structure. */ void tunnel_server_tcp(struct context *top); void multi_tcp_delete_event(struct multi_tcp *mtcp, event_t event); #endif /* if P2MP_SERVER */ #endif /* ifndef MTCP_H */ openvpn-2.4.4/src/openvpn/mtu.c000066400000000000000000000220221316434344000164330ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) #include "config-msvc.h" #endif #include "syshead.h" #include "common.h" #include "buffer.h" #include "error.h" #include "integer.h" #include "mtu.h" #include "options.h" #include "memdbg.h" /* allocate a buffer for socket or tun layer */ void alloc_buf_sock_tun(struct buffer *buf, const struct frame *frame, const bool tuntap_buffer, const unsigned int align_mask) { /* allocate buffer for overlapped I/O */ *buf = alloc_buf(BUF_SIZE(frame)); ASSERT(buf_init(buf, FRAME_HEADROOM_ADJ(frame, align_mask))); buf->len = tuntap_buffer ? MAX_RW_SIZE_TUN(frame) : MAX_RW_SIZE_LINK(frame); ASSERT(buf_safe(buf, 0)); } void frame_finalize(struct frame *frame, bool link_mtu_defined, int link_mtu, bool tun_mtu_defined, int tun_mtu) { /* Set link_mtu based on command line options */ if (tun_mtu_defined) { ASSERT(!link_mtu_defined); frame->link_mtu = tun_mtu + TUN_LINK_DELTA(frame); } else { ASSERT(link_mtu_defined); frame->link_mtu = link_mtu; } if (TUN_MTU_SIZE(frame) < TUN_MTU_MIN) { msg(M_WARN, "TUN MTU value (%d) must be at least %d", TUN_MTU_SIZE(frame), TUN_MTU_MIN); frame_print(frame, M_FATAL, "MTU is too small"); } frame->link_mtu_dynamic = frame->link_mtu; } /* * Set the tun MTU dynamically. */ void frame_set_mtu_dynamic(struct frame *frame, int mtu, unsigned int flags) { #ifdef ENABLE_DEBUG const int orig_mtu = mtu; const int orig_link_mtu_dynamic = frame->link_mtu_dynamic; #endif ASSERT(mtu >= 0); if (flags & SET_MTU_TUN) { mtu += TUN_LINK_DELTA(frame); } if (!(flags & SET_MTU_UPPER_BOUND) || mtu < frame->link_mtu_dynamic) { frame->link_mtu_dynamic = constrain_int( mtu, EXPANDED_SIZE_MIN(frame), EXPANDED_SIZE(frame)); } dmsg(D_MTU_DEBUG, "MTU DYNAMIC mtu=%d, flags=%u, %d -> %d", orig_mtu, flags, orig_link_mtu_dynamic, frame->link_mtu_dynamic); } /* * Move extra_frame octets into extra_tun. Used by fragmenting code * to adjust frame relative to its position in the buffer processing * queue. */ void frame_subtract_extra(struct frame *frame, const struct frame *src) { frame->extra_frame -= src->extra_frame; frame->extra_tun += src->extra_frame; } void frame_init_mssfix(struct frame *frame, const struct options *options) { if (options->ce.mssfix) { frame_set_mtu_dynamic(frame, options->ce.mssfix, SET_MTU_UPPER_BOUND); } } void frame_print(const struct frame *frame, int level, const char *prefix) { struct gc_arena gc = gc_new(); struct buffer out = alloc_buf_gc(256, &gc); if (prefix) { buf_printf(&out, "%s ", prefix); } buf_printf(&out, "["); buf_printf(&out, " L:%d", frame->link_mtu); buf_printf(&out, " D:%d", frame->link_mtu_dynamic); buf_printf(&out, " EF:%d", frame->extra_frame); buf_printf(&out, " EB:%d", frame->extra_buffer); buf_printf(&out, " ET:%d", frame->extra_tun); buf_printf(&out, " EL:%d", frame->extra_link); if (frame->align_flags && frame->align_adjust) { buf_printf(&out, " AF:%u/%d", frame->align_flags, frame->align_adjust); } buf_printf(&out, " ]"); msg(level, "%s", out.data); gc_free(&gc); } #define MTUDISC_NOT_SUPPORTED_MSG "--mtu-disc is not supported on this OS" void set_mtu_discover_type(int sd, int mtu_type, sa_family_t proto_af) { if (mtu_type >= 0) { switch (proto_af) { #if defined(HAVE_SETSOCKOPT) && defined(IP_MTU_DISCOVER) case AF_INET: if (setsockopt (sd, IPPROTO_IP, IP_MTU_DISCOVER, &mtu_type, sizeof(mtu_type))) { msg(M_ERR, "Error setting IP_MTU_DISCOVER type=%d on TCP/UDP socket", mtu_type); } break; #endif #if defined(HAVE_SETSOCKOPT) && defined(IPV6_MTU_DISCOVER) case AF_INET6: if (setsockopt (sd, IPPROTO_IPV6, IPV6_MTU_DISCOVER, &mtu_type, sizeof(mtu_type))) { msg(M_ERR, "Error setting IPV6_MTU_DISCOVER type=%d on TCP6/UDP6 socket", mtu_type); } break; #endif default: msg(M_FATAL, MTUDISC_NOT_SUPPORTED_MSG); break; } } } int translate_mtu_discover_type_name(const char *name) { #if defined(IP_PMTUDISC_DONT) && defined(IP_PMTUDISC_WANT) && defined(IP_PMTUDISC_DO) if (!strcmp(name, "yes")) { return IP_PMTUDISC_DO; } if (!strcmp(name, "maybe")) { return IP_PMTUDISC_WANT; } if (!strcmp(name, "no")) { return IP_PMTUDISC_DONT; } msg(M_FATAL, "invalid --mtu-disc type: '%s' -- valid types are 'yes', 'maybe', or 'no'", name); #else /* if defined(IP_PMTUDISC_DONT) && defined(IP_PMTUDISC_WANT) && defined(IP_PMTUDISC_DO) */ msg(M_FATAL, MTUDISC_NOT_SUPPORTED_MSG); #endif return -1; /* NOTREACHED */ } #if EXTENDED_SOCKET_ERROR_CAPABILITY struct probehdr { uint32_t ttl; struct timeval tv; }; const char * format_extended_socket_error(int fd, int *mtu, struct gc_arena *gc) { int res; struct probehdr rcvbuf; struct iovec iov; struct msghdr msg; struct cmsghdr *cmsg; struct sock_extended_err *e; struct sockaddr_in addr; struct buffer out = alloc_buf_gc(256, gc); char *cbuf = (char *) gc_malloc(256, false, gc); *mtu = 0; while (true) { memset(&rcvbuf, -1, sizeof(rcvbuf)); iov.iov_base = &rcvbuf; iov.iov_len = sizeof(rcvbuf); msg.msg_name = (uint8_t *) &addr; msg.msg_namelen = sizeof(addr); msg.msg_iov = &iov; msg.msg_iovlen = 1; msg.msg_flags = 0; msg.msg_control = cbuf; msg.msg_controllen = 256; /* size of cbuf */ res = recvmsg(fd, &msg, MSG_ERRQUEUE); if (res < 0) { goto exit; } e = NULL; for (cmsg = CMSG_FIRSTHDR(&msg); cmsg; cmsg = CMSG_NXTHDR(&msg, cmsg)) { if (cmsg->cmsg_level == SOL_IP) { if (cmsg->cmsg_type == IP_RECVERR) { e = (struct sock_extended_err *) CMSG_DATA(cmsg); } else { buf_printf(&out,"CMSG=%d|", cmsg->cmsg_type); } } } if (e == NULL) { buf_printf(&out, "NO-INFO|"); goto exit; } switch (e->ee_errno) { case ETIMEDOUT: buf_printf(&out, "ETIMEDOUT|"); break; case EMSGSIZE: buf_printf(&out, "EMSGSIZE Path-MTU=%d|", e->ee_info); *mtu = e->ee_info; break; case ECONNREFUSED: buf_printf(&out, "ECONNREFUSED|"); break; case EPROTO: buf_printf(&out, "EPROTO|"); break; case EHOSTUNREACH: buf_printf(&out, "EHOSTUNREACH|"); break; case ENETUNREACH: buf_printf(&out, "ENETUNREACH|"); break; case EACCES: buf_printf(&out, "EACCES|"); break; default: buf_printf(&out, "UNKNOWN|"); break; } } exit: buf_rmtail(&out, '|'); return BSTR(&out); } void set_sock_extended_error_passing(int sd) { int on = 1; if (setsockopt(sd, SOL_IP, IP_RECVERR, (void *) &on, sizeof(on))) { msg(M_WARN | M_ERRNO, "Note: enable extended error passing on TCP/UDP socket failed (IP_RECVERR)"); } } #endif /* if EXTENDED_SOCKET_ERROR_CAPABILITY */ openvpn-2.4.4/src/openvpn/mtu.h000066400000000000000000000232601316434344000164450ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifndef MTU_H #define MTU_H #include "buffer.h" /* * * Packet maninipulation routes such as encrypt, decrypt, compress, decompress * are passed a frame buffer that looks like this: * * [extra_frame bytes] [mtu bytes] [extra_frame_bytes] [compression overflow bytes] * ^ * Pointer passed to function points here so that routine * can make use of extra_frame bytes before pointer * to prepend headers, etc. * * extra_frame bytes is large enough for all encryption related overhead. * * mtu bytes will be the MTU size set in the ifconfig statement that configures * the TUN or TAP device such as: * * ifconfig $1 10.1.0.2 pointopoint 10.1.0.1 mtu 1450 * * Compression overflow bytes is the worst-case size expansion that would be * expected if we tried to compress mtu + extra_frame bytes of uncompressible data. */ /* * Standard ethernet MTU */ #define ETHERNET_MTU 1500 /* * It is a fatal error if mtu is less than * this value for tun device. */ #define TUN_MTU_MIN 100 /* * Default MTU of network over which tunnel data will pass by TCP/UDP. */ #define LINK_MTU_DEFAULT 1500 /* * Default MTU of tunnel device. */ #define TUN_MTU_DEFAULT 1500 /* * MTU Defaults for TAP devices */ #define TAP_MTU_EXTRA_DEFAULT 32 /* * Default MSSFIX value, used for reducing TCP MTU size */ #define MSSFIX_DEFAULT 1450 /* * Alignment of payload data such as IP packet or * ethernet frame. */ #define PAYLOAD_ALIGN 4 /**************************************************************************/ /** * Packet geometry parameters. */ struct frame { int link_mtu; /**< Maximum packet size to be sent over * the external network interface. */ int link_mtu_dynamic; /**< Dynamic MTU value for the external * network interface. */ int extra_frame; /**< Maximum number of bytes that all * processing steps together could add. * @code * frame.link_mtu = "socket MTU" - extra_frame; * @endcode */ int extra_buffer; /**< Maximum number of bytes that * processing steps could expand the * internal work buffer. * * This is used by the \link compression * Data Channel Compression * module\endlink to give enough working * space for worst-case expansion of * incompressible content. */ int extra_tun; /**< Maximum number of bytes in excess of * the tun/tap MTU that might be read * from or written to the virtual * tun/tap network interface. */ int extra_link; /**< Maximum number of bytes in excess of * external network interface's MTU that * might be read from or written to it. */ /* * Alignment control */ #define FRAME_HEADROOM_MARKER_DECRYPT (1<<0) #define FRAME_HEADROOM_MARKER_FRAGMENT (1<<1) #define FRAME_HEADROOM_MARKER_READ_LINK (1<<2) #define FRAME_HEADROOM_MARKER_READ_STREAM (1<<3) unsigned int align_flags; int align_adjust; }; /* Forward declarations, to prevent includes */ struct options; /* Routines which read struct frame should use the macros below */ /* * Overhead added to packet payload due to encapsulation */ #define EXTRA_FRAME(f) ((f)->extra_frame) /* * Delta between tun payload size and final TCP/UDP datagram size * (not including extra_link additions) */ #define TUN_LINK_DELTA(f) ((f)->extra_frame + (f)->extra_tun) /* * This is the size to "ifconfig" the tun or tap device. */ #define TUN_MTU_SIZE(f) ((f)->link_mtu - TUN_LINK_DELTA(f)) #define TUN_MTU_SIZE_DYNAMIC(f) ((f)->link_mtu_dynamic - TUN_LINK_DELTA(f)) /* * This is the maximum packet size that we need to be able to * read from or write to a tun or tap device. For example, * a tap device ifconfiged to an MTU of 1200 might actually want * to return a packet size of 1214 on a read(). */ #define PAYLOAD_SIZE(f) ((f)->link_mtu - (f)->extra_frame) #define PAYLOAD_SIZE_DYNAMIC(f) ((f)->link_mtu_dynamic - (f)->extra_frame) /* * Max size of a payload packet after encryption, compression, etc. * overhead is added. */ #define EXPANDED_SIZE(f) ((f)->link_mtu) #define EXPANDED_SIZE_DYNAMIC(f) ((f)->link_mtu_dynamic) #define EXPANDED_SIZE_MIN(f) (TUN_MTU_MIN + TUN_LINK_DELTA(f)) /* * These values are used as maximum size constraints * on read() or write() from TUN/TAP device or TCP/UDP port. */ #define MAX_RW_SIZE_TUN(f) (PAYLOAD_SIZE(f)) #define MAX_RW_SIZE_LINK(f) (EXPANDED_SIZE(f) + (f)->extra_link) /* * Control buffer headroom allocations to allow for efficient prepending. */ #define FRAME_HEADROOM_BASE(f) (TUN_LINK_DELTA(f) + (f)->extra_buffer + (f)->extra_link) #define FRAME_HEADROOM(f) frame_headroom(f, 0) #define FRAME_HEADROOM_ADJ(f, fm) frame_headroom(f, fm) /* * Max size of a buffer used to build a packet for output to * the TCP/UDP port. */ #define BUF_SIZE(f) (TUN_MTU_SIZE(f) + FRAME_HEADROOM_BASE(f) * 2) /* * Function prototypes. */ void frame_finalize(struct frame *frame, bool link_mtu_defined, int link_mtu, bool tun_mtu_defined, int tun_mtu); void frame_subtract_extra(struct frame *frame, const struct frame *src); void frame_print(const struct frame *frame, int level, const char *prefix); void set_mtu_discover_type(int sd, int mtu_type, sa_family_t proto_af); int translate_mtu_discover_type_name(const char *name); /* * frame_set_mtu_dynamic and flags */ #define SET_MTU_TUN (1<<0) /* use tun/tap rather than link sizing */ #define SET_MTU_UPPER_BOUND (1<<1) /* only decrease dynamic MTU */ void frame_set_mtu_dynamic(struct frame *frame, int mtu, unsigned int flags); /* * allocate a buffer for socket or tun layer */ void alloc_buf_sock_tun(struct buffer *buf, const struct frame *frame, const bool tuntap_buffer, const unsigned int align_mask); /** Set the --mssfix option. */ void frame_init_mssfix(struct frame *frame, const struct options *options); /* * EXTENDED_SOCKET_ERROR_CAPABILITY functions -- print extra error info * on socket errors, such as PMTU size. As of 2003.05.11, only works * on Linux 2.4+. */ #if EXTENDED_SOCKET_ERROR_CAPABILITY void set_sock_extended_error_passing(int sd); const char *format_extended_socket_error(int fd, int *mtu, struct gc_arena *gc); #endif /* * Calculate a starting offset into a buffer object, dealing with * headroom and alignment issues. */ static inline int frame_headroom(const struct frame *f, const unsigned int flag_mask) { const int offset = FRAME_HEADROOM_BASE(f); const int adjust = (flag_mask & f->align_flags) ? f->align_adjust : 0; const int delta = ((PAYLOAD_ALIGN << 24) - (offset + adjust)) & (PAYLOAD_ALIGN - 1); return offset + delta; } /* * frame member adjustment functions */ static inline void frame_add_to_link_mtu(struct frame *frame, const int increment) { frame->link_mtu += increment; } static inline void frame_add_to_extra_frame(struct frame *frame, const int increment) { frame->extra_frame += increment; } static inline void frame_add_to_extra_tun(struct frame *frame, const int increment) { frame->extra_tun += increment; } static inline void frame_add_to_extra_link(struct frame *frame, const int increment) { frame->extra_link += increment; } static inline void frame_add_to_extra_buffer(struct frame *frame, const int increment) { frame->extra_buffer += increment; } static inline void frame_add_to_align_adjust(struct frame *frame, const int increment) { frame->align_adjust += increment; } static inline void frame_align_to_extra_frame(struct frame *frame) { frame->align_adjust = frame->extra_frame + frame->extra_link; } static inline void frame_or_align_flags(struct frame *frame, const unsigned int flag_mask) { frame->align_flags |= flag_mask; } static inline bool frame_defined(const struct frame *frame) { return frame->link_mtu > 0; } #endif /* ifndef MTU_H */ openvpn-2.4.4/src/openvpn/mudp.c000066400000000000000000000246221316434344000166030ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) #include "config-msvc.h" #endif #include "syshead.h" #if P2MP_SERVER #include "multi.h" #include #include "forward-inline.h" #include "memdbg.h" #ifdef HAVE_SYS_INOTIFY_H #include #endif /* * Get a client instance based on real address. If * the instance doesn't exist, create it while * maintaining real address hash table atomicity. */ struct multi_instance * multi_get_create_instance_udp(struct multi_context *m, bool *floated) { struct gc_arena gc = gc_new(); struct mroute_addr real; struct multi_instance *mi = NULL; struct hash *hash = m->hash; if (mroute_extract_openvpn_sockaddr(&real, &m->top.c2.from.dest, true) && m->top.c2.buf.len > 0) { struct hash_element *he; const uint32_t hv = hash_value(hash, &real); struct hash_bucket *bucket = hash_bucket(hash, hv); uint8_t *ptr = BPTR(&m->top.c2.buf); uint8_t op = ptr[0] >> P_OPCODE_SHIFT; bool v2 = (op == P_DATA_V2) && (m->top.c2.buf.len >= (1 + 3)); bool peer_id_disabled = false; /* make sure buffer has enough length to read opcode (1 byte) and peer-id (3 bytes) */ if (v2) { uint32_t peer_id = ntohl(*(uint32_t *)ptr) & 0xFFFFFF; peer_id_disabled = (peer_id == MAX_PEER_ID); if (!peer_id_disabled && (peer_id < m->max_clients) && (m->instances[peer_id])) { mi = m->instances[peer_id]; *floated = !link_socket_actual_match(&mi->context.c2.from, &m->top.c2.from); if (*floated) { /* reset prefix, since here we are not sure peer is the one it claims to be */ ungenerate_prefix(mi); msg(D_MULTI_MEDIUM, "Float requested for peer %" PRIu32 " to %s", peer_id, mroute_addr_print(&real, &gc)); } } } if (!v2 || peer_id_disabled) { he = hash_lookup_fast(hash, bucket, &real, hv); if (he) { mi = (struct multi_instance *) he->value; } } if (!mi) { if (!m->top.c2.tls_auth_standalone || tls_pre_decrypt_lite(m->top.c2.tls_auth_standalone, &m->top.c2.from, &m->top.c2.buf)) { if (frequency_limit_event_allowed(m->new_connection_limiter)) { mi = multi_create_instance(m, &real); if (mi) { int i; hash_add_fast(hash, bucket, &mi->real, hv, mi); mi->did_real_hash = true; /* max_clients must be less then max peer-id value */ ASSERT(m->max_clients < MAX_PEER_ID); for (i = 0; i < m->max_clients; ++i) { if (!m->instances[i]) { mi->context.c2.tls_multi->peer_id = i; m->instances[i] = mi; break; } } /* should not really end up here, since multi_create_instance returns null * if amount of clients exceeds max_clients */ ASSERT(i < m->max_clients); } } else { msg(D_MULTI_ERRORS, "MULTI: Connection from %s would exceed new connection frequency limit as controlled by --connect-freq", mroute_addr_print(&real, &gc)); } } } #ifdef ENABLE_DEBUG if (check_debug_level(D_MULTI_DEBUG)) { const char *status = mi ? "[ok]" : "[failed]"; dmsg(D_MULTI_DEBUG, "GET INST BY REAL: %s %s", mroute_addr_print(&real, &gc), status); } #endif } gc_free(&gc); ASSERT(!(mi && mi->halt)); return mi; } /* * Send a packet to TCP/UDP socket. */ static inline void multi_process_outgoing_link(struct multi_context *m, const unsigned int mpp_flags) { struct multi_instance *mi = multi_process_outgoing_link_pre(m); if (mi) { multi_process_outgoing_link_dowork(m, mi, mpp_flags); } } /* * Process an I/O event. */ static void multi_process_io_udp(struct multi_context *m) { const unsigned int status = m->top.c2.event_set_status; const unsigned int mpp_flags = m->top.c2.fast_io ? (MPP_CONDITIONAL_PRE_SELECT | MPP_CLOSE_ON_SIGNAL) : (MPP_PRE_SELECT | MPP_CLOSE_ON_SIGNAL); #ifdef MULTI_DEBUG_EVENT_LOOP char buf[16]; buf[0] = 0; if (status & SOCKET_READ) { strcat(buf, "SR/"); } else if (status & SOCKET_WRITE) { strcat(buf, "SW/"); } else if (status & TUN_READ) { strcat(buf, "TR/"); } else if (status & TUN_WRITE) { strcat(buf, "TW/"); } #ifdef ENABLE_ASYNC_PUSH else if (status & FILE_CLOSED) { strcat(buf, "FC/"); } #endif printf("IO %s\n", buf); #endif /* ifdef MULTI_DEBUG_EVENT_LOOP */ #ifdef ENABLE_MANAGEMENT if (status & (MANAGEMENT_READ|MANAGEMENT_WRITE)) { ASSERT(management); management_io(management); } #endif /* UDP port ready to accept write */ if (status & SOCKET_WRITE) { multi_process_outgoing_link(m, mpp_flags); } /* TUN device ready to accept write */ else if (status & TUN_WRITE) { multi_process_outgoing_tun(m, mpp_flags); } /* Incoming data on UDP port */ else if (status & SOCKET_READ) { read_incoming_link(&m->top); if (!IS_SIG(&m->top)) { multi_process_incoming_link(m, NULL, mpp_flags); } } /* Incoming data on TUN device */ else if (status & TUN_READ) { read_incoming_tun(&m->top); if (!IS_SIG(&m->top)) { multi_process_incoming_tun(m, mpp_flags); } } #ifdef ENABLE_ASYNC_PUSH /* INOTIFY callback */ else if (status & FILE_CLOSED) { multi_process_file_closed(m, mpp_flags); } #endif } /* * Return the io_wait() flags appropriate for * a point-to-multipoint tunnel. */ static inline unsigned int p2mp_iow_flags(const struct multi_context *m) { unsigned int flags = IOW_WAIT_SIGNAL; if (m->pending) { if (TUN_OUT(&m->pending->context)) { flags |= IOW_TO_TUN; } if (LINK_OUT(&m->pending->context)) { flags |= IOW_TO_LINK; } } else if (mbuf_defined(m->mbuf)) { flags |= IOW_MBUF; } else { flags |= IOW_READ; } return flags; } /**************************************************************************/ /** * Main event loop for OpenVPN in UDP server mode. * @ingroup eventloop * * This function implements OpenVPN's main event loop for UDP server mode. * At this time, OpenVPN does not yet support multithreading. This * function's name is therefore slightly misleading. * * @param top - Top-level context structure. */ static void tunnel_server_udp_single_threaded(struct context *top) { struct multi_context multi; top->mode = CM_TOP; context_clear_2(top); /* initialize top-tunnel instance */ init_instance_handle_signals(top, top->es, CC_HARD_USR1_TO_HUP); if (IS_SIG(top)) { return; } /* initialize global multi_context object */ multi_init(&multi, top, false, MC_SINGLE_THREADED); /* initialize our cloned top object */ multi_top_init(&multi, top); /* initialize management interface */ init_management_callback_multi(&multi); /* finished with initialization */ initialization_sequence_completed(top, ISC_SERVER); /* --mode server --proto udp */ #ifdef ENABLE_ASYNC_PUSH multi.top.c2.inotify_fd = inotify_init(); if (multi.top.c2.inotify_fd < 0) { msg(D_MULTI_ERRORS | M_ERRNO, "MULTI: inotify_init error"); } #endif /* per-packet event loop */ while (true) { perf_push(PERF_EVENT_LOOP); /* set up and do the io_wait() */ multi_get_timeout(&multi, &multi.top.c2.timeval); io_wait(&multi.top, p2mp_iow_flags(&multi)); MULTI_CHECK_SIG(&multi); /* check on status of coarse timers */ multi_process_per_second_timers(&multi); /* timeout? */ if (multi.top.c2.event_set_status == ES_TIMEOUT) { multi_process_timeout(&multi, MPP_PRE_SELECT|MPP_CLOSE_ON_SIGNAL); } else { /* process I/O */ multi_process_io_udp(&multi); MULTI_CHECK_SIG(&multi); } perf_pop(); } #ifdef ENABLE_ASYNC_PUSH close(top->c2.inotify_fd); #endif /* shut down management interface */ uninit_management_callback_multi(&multi); /* save ifconfig-pool */ multi_ifconfig_pool_persist(&multi, true); /* tear down tunnel instance (unless --persist-tun) */ multi_uninit(&multi); multi_top_free(&multi); close_instance(top); } void tunnel_server_udp(struct context *top) { tunnel_server_udp_single_threaded(top); } #endif /* if P2MP_SERVER */ openvpn-2.4.4/src/openvpn/mudp.h000066400000000000000000000046531316434344000166120ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ /* * UDP specific code for --mode server */ #ifndef MUDP_H #define MUDP_H #if P2MP_SERVER struct context; struct multi_context; /**************************************************************************/ /** * Main event loop wrapper function for OpenVPN in UDP server mode. * @ingroup eventloop * * This function simply calls \c tunnel_server_udp_single_threaded(). * * @param top - Top-level context structure. */ void tunnel_server_udp(struct context *top); /**************************************************************************/ /** * Get, and if necessary create, the multi_instance associated with a * packet's source address. * @ingroup external_multiplexer * * This function extracts the source address of a recently read packet * from \c m->top.c2.from and uses that source address as a hash key for * the hash table \c m->hash. If an entry exists, this function returns * it. If no entry exists, this function handles its creation, and if * successful, returns the newly created instance. * * @param m - The single multi_context structure. * * @return A pointer to a multi_instance if one already existed for the * packet's source address or if one was a newly created successfully. * NULL if one did not yet exist and a new one was not created. */ struct multi_instance *multi_get_create_instance_udp(struct multi_context *m, bool *floated); #endif #endif openvpn-2.4.4/src/openvpn/multi.c000066400000000000000000003162311316434344000167700ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) #include "config-msvc.h" #endif #ifdef HAVE_SYS_INOTIFY_H #include #define INOTIFY_EVENT_BUFFER_SIZE 16384 #endif #include "syshead.h" #if P2MP_SERVER #include "multi.h" #include "push.h" #include "misc.h" #include "otime.h" #include "gremlin.h" #include "mstats.h" #include "ssl_verify.h" #include #include "memdbg.h" #include "forward-inline.h" #include "pf-inline.h" /*#define MULTI_DEBUG_EVENT_LOOP*/ #ifdef MULTI_DEBUG_EVENT_LOOP static const char * id(struct multi_instance *mi) { if (mi) { return tls_common_name(mi->context.c2.tls_multi, false); } else { return "NULL"; } } #endif #ifdef MANAGEMENT_DEF_AUTH static void set_cc_config(struct multi_instance *mi, struct buffer_list *cc_config) { if (mi->cc_config) { buffer_list_free(mi->cc_config); } mi->cc_config = cc_config; } #endif static inline void update_mstat_n_clients(const int n_clients) { #ifdef ENABLE_MEMSTATS if (mmap_stats) { mmap_stats->n_clients = n_clients; } #endif } static bool learn_address_script(const struct multi_context *m, const struct multi_instance *mi, const char *op, const struct mroute_addr *addr) { struct gc_arena gc = gc_new(); struct env_set *es; bool ret = true; struct plugin_list *plugins; /* get environmental variable source */ if (mi && mi->context.c2.es) { es = mi->context.c2.es; } else { es = env_set_create(&gc); } /* get plugin source */ if (mi) { plugins = mi->context.plugins; } else { plugins = m->top.plugins; } if (plugin_defined(plugins, OPENVPN_PLUGIN_LEARN_ADDRESS)) { struct argv argv = argv_new(); argv_printf(&argv, "%s %s", op, mroute_addr_print(addr, &gc)); if (mi) { argv_printf_cat(&argv, "%s", tls_common_name(mi->context.c2.tls_multi, false)); } if (plugin_call(plugins, OPENVPN_PLUGIN_LEARN_ADDRESS, &argv, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS) { msg(M_WARN, "WARNING: learn-address plugin call failed"); ret = false; } argv_reset(&argv); } if (m->top.options.learn_address_script) { struct argv argv = argv_new(); setenv_str(es, "script_type", "learn-address"); argv_parse_cmd(&argv, m->top.options.learn_address_script); argv_printf_cat(&argv, "%s %s", op, mroute_addr_print(addr, &gc)); if (mi) { argv_printf_cat(&argv, "%s", tls_common_name(mi->context.c2.tls_multi, false)); } if (!openvpn_run_script(&argv, es, 0, "--learn-address")) { ret = false; } argv_reset(&argv); } gc_free(&gc); return ret; } void multi_ifconfig_pool_persist(struct multi_context *m, bool force) { /* write pool data to file */ if (m->ifconfig_pool && m->top.c1.ifconfig_pool_persist && (force || ifconfig_pool_write_trigger(m->top.c1.ifconfig_pool_persist))) { ifconfig_pool_write(m->top.c1.ifconfig_pool_persist, m->ifconfig_pool); } } static void multi_reap_range(const struct multi_context *m, int start_bucket, int end_bucket) { struct gc_arena gc = gc_new(); struct hash_iterator hi; struct hash_element *he; if (start_bucket < 0) { start_bucket = 0; end_bucket = hash_n_buckets(m->vhash); } dmsg(D_MULTI_DEBUG, "MULTI: REAP range %d -> %d", start_bucket, end_bucket); hash_iterator_init_range(m->vhash, &hi, start_bucket, end_bucket); while ((he = hash_iterator_next(&hi)) != NULL) { struct multi_route *r = (struct multi_route *) he->value; if (!multi_route_defined(m, r)) { dmsg(D_MULTI_DEBUG, "MULTI: REAP DEL %s", mroute_addr_print(&r->addr, &gc)); learn_address_script(m, NULL, "delete", &r->addr); multi_route_del(r); hash_iterator_delete_element(&hi); } } hash_iterator_free(&hi); gc_free(&gc); } static void multi_reap_all(const struct multi_context *m) { multi_reap_range(m, -1, 0); } static struct multi_reap * multi_reap_new(int buckets_per_pass) { struct multi_reap *mr; ALLOC_OBJ(mr, struct multi_reap); mr->bucket_base = 0; mr->buckets_per_pass = buckets_per_pass; mr->last_call = now; return mr; } void multi_reap_process_dowork(const struct multi_context *m) { struct multi_reap *mr = m->reaper; if (mr->bucket_base >= hash_n_buckets(m->vhash)) { mr->bucket_base = 0; } multi_reap_range(m, mr->bucket_base, mr->bucket_base + mr->buckets_per_pass); mr->bucket_base += mr->buckets_per_pass; mr->last_call = now; } static void multi_reap_free(struct multi_reap *mr) { free(mr); } /* * How many buckets in vhash to reap per pass. */ static int reap_buckets_per_pass(int n_buckets) { return constrain_int(n_buckets / REAP_DIVISOR, REAP_MIN, REAP_MAX); } #ifdef MANAGEMENT_DEF_AUTH static uint32_t cid_hash_function(const void *key, uint32_t iv) { const unsigned long *k = (const unsigned long *)key; return (uint32_t) *k; } static bool cid_compare_function(const void *key1, const void *key2) { const unsigned long *k1 = (const unsigned long *)key1; const unsigned long *k2 = (const unsigned long *)key2; return *k1 == *k2; } #endif #ifdef ENABLE_ASYNC_PUSH static uint32_t /* * inotify watcher descriptors are used as hash value */ int_hash_function(const void *key, uint32_t iv) { return (unsigned long)key; } static bool int_compare_function(const void *key1, const void *key2) { return (unsigned long)key1 == (unsigned long)key2; } #endif /* * Main initialization function, init multi_context object. */ void multi_init(struct multi_context *m, struct context *t, bool tcp_mode, int thread_mode) { int dev = DEV_TYPE_UNDEF; msg(D_MULTI_LOW, "MULTI: multi_init called, r=%d v=%d", t->options.real_hash_size, t->options.virtual_hash_size); /* * Get tun/tap/null device type */ dev = dev_type_enum(t->options.dev, t->options.dev_type); /* * Init our multi_context object. */ CLEAR(*m); m->thread_mode = thread_mode; /* * Real address hash table (source port number is * considered to be part of the address). Used * to determine which client sent an incoming packet * which is seen on the TCP/UDP socket. */ m->hash = hash_init(t->options.real_hash_size, get_random(), mroute_addr_hash_function, mroute_addr_compare_function); /* * Virtual address hash table. Used to determine * which client to route a packet to. */ m->vhash = hash_init(t->options.virtual_hash_size, get_random(), mroute_addr_hash_function, mroute_addr_compare_function); /* * This hash table is a clone of m->hash but with a * bucket size of one so that it can be used * for fast iteration through the list. */ m->iter = hash_init(1, get_random(), mroute_addr_hash_function, mroute_addr_compare_function); #ifdef MANAGEMENT_DEF_AUTH m->cid_hash = hash_init(t->options.real_hash_size, 0, cid_hash_function, cid_compare_function); #endif #ifdef ENABLE_ASYNC_PUSH /* * Mapping between inotify watch descriptors and * multi_instances. */ m->inotify_watchers = hash_init(t->options.real_hash_size, get_random(), int_hash_function, int_compare_function); #endif /* * This is our scheduler, for time-based wakeup * events. */ m->schedule = schedule_init(); /* * Limit frequency of incoming connections to control * DoS. */ m->new_connection_limiter = frequency_limit_init(t->options.cf_max, t->options.cf_per); /* * Allocate broadcast/multicast buffer list */ m->mbuf = mbuf_init(t->options.n_bcast_buf); /* * Different status file format options are available */ m->status_file_version = t->options.status_file_version; /* * Possibly allocate an ifconfig pool, do it * differently based on whether a tun or tap style * tunnel. */ if (t->options.ifconfig_pool_defined) { int pool_type = IFCONFIG_POOL_INDIV; if (dev == DEV_TYPE_TUN && t->options.topology == TOP_NET30) { pool_type = IFCONFIG_POOL_30NET; } m->ifconfig_pool = ifconfig_pool_init(pool_type, t->options.ifconfig_pool_start, t->options.ifconfig_pool_end, t->options.duplicate_cn, t->options.ifconfig_ipv6_pool_defined, t->options.ifconfig_ipv6_pool_base, t->options.ifconfig_ipv6_pool_netbits ); /* reload pool data from file */ if (t->c1.ifconfig_pool_persist) { ifconfig_pool_read(t->c1.ifconfig_pool_persist, m->ifconfig_pool); } } /* * Help us keep track of routing table. */ m->route_helper = mroute_helper_init(MULTI_CACHE_ROUTE_TTL); /* * Initialize route and instance reaper. */ m->reaper = multi_reap_new(reap_buckets_per_pass(t->options.virtual_hash_size)); /* * Get local ifconfig address */ CLEAR(m->local); ASSERT(t->c1.tuntap); mroute_extract_in_addr_t(&m->local, t->c1.tuntap->local); /* * Per-client limits */ m->max_clients = t->options.max_clients; m->instances = calloc(m->max_clients, sizeof(struct multi_instance *)); /* * Initialize multi-socket TCP I/O wait object */ if (tcp_mode) { m->mtcp = multi_tcp_init(t->options.max_clients, &m->max_clients); } m->tcp_queue_limit = t->options.tcp_queue_limit; /* * Allow client <-> client communication, without going through * tun/tap interface and network stack? */ m->enable_c2c = t->options.enable_c2c; /* initialize stale routes check timer */ if (t->options.stale_routes_check_interval > 0) { msg(M_INFO, "Initializing stale route check timer to run every %i seconds and to removing routes with activity timeout older than %i seconds", t->options.stale_routes_check_interval, t->options.stale_routes_ageing_time); event_timeout_init(&m->stale_routes_check_et, t->options.stale_routes_check_interval, 0); } m->deferred_shutdown_signal.signal_received = 0; } const char * multi_instance_string(const struct multi_instance *mi, bool null, struct gc_arena *gc) { if (mi) { struct buffer out = alloc_buf_gc(MULTI_PREFIX_MAX_LENGTH, gc); const char *cn = tls_common_name(mi->context.c2.tls_multi, true); if (cn) { buf_printf(&out, "%s/", cn); } buf_printf(&out, "%s", mroute_addr_print(&mi->real, gc)); return BSTR(&out); } else if (null) { return NULL; } else { return "UNDEF"; } } static void generate_prefix(struct multi_instance *mi) { struct gc_arena gc = gc_new(); const char *prefix = multi_instance_string(mi, true, &gc); if (prefix) { strncpynt(mi->msg_prefix, prefix, sizeof(mi->msg_prefix)); } else { mi->msg_prefix[0] = '\0'; } set_prefix(mi); gc_free(&gc); } void ungenerate_prefix(struct multi_instance *mi) { mi->msg_prefix[0] = '\0'; set_prefix(mi); } static const char * mi_prefix(const struct multi_instance *mi) { if (mi && mi->msg_prefix[0]) { return mi->msg_prefix; } else { return "UNDEF_I"; } } /* * Tell the route helper about deleted iroutes so * that it can update its mask of currently used * CIDR netlengths. */ static void multi_del_iroutes(struct multi_context *m, struct multi_instance *mi) { const struct iroute *ir; const struct iroute_ipv6 *ir6; if (TUNNEL_TYPE(mi->context.c1.tuntap) == DEV_TYPE_TUN) { for (ir = mi->context.options.iroutes; ir != NULL; ir = ir->next) { mroute_helper_del_iroute46(m->route_helper, ir->netbits); } for (ir6 = mi->context.options.iroutes_ipv6; ir6 != NULL; ir6 = ir6->next) { mroute_helper_del_iroute46(m->route_helper, ir6->netbits); } } } static void setenv_stats(struct context *c) { setenv_counter(c->c2.es, "bytes_received", c->c2.link_read_bytes); setenv_counter(c->c2.es, "bytes_sent", c->c2.link_write_bytes); } static void multi_client_disconnect_setenv(struct multi_context *m, struct multi_instance *mi) { /* setenv client real IP address */ setenv_trusted(mi->context.c2.es, get_link_socket_info(&mi->context)); /* setenv stats */ setenv_stats(&mi->context); /* setenv connection duration */ { const unsigned int duration = (unsigned int) now - mi->created; setenv_unsigned(mi->context.c2.es, "time_duration", duration); } } static void multi_client_disconnect_script(struct multi_context *m, struct multi_instance *mi) { if ((mi->context.c2.context_auth == CAS_SUCCEEDED && mi->connection_established_flag) || mi->context.c2.context_auth == CAS_PARTIAL) { multi_client_disconnect_setenv(m, mi); if (plugin_defined(mi->context.plugins, OPENVPN_PLUGIN_CLIENT_DISCONNECT)) { if (plugin_call(mi->context.plugins, OPENVPN_PLUGIN_CLIENT_DISCONNECT, NULL, NULL, mi->context.c2.es) != OPENVPN_PLUGIN_FUNC_SUCCESS) { msg(M_WARN, "WARNING: client-disconnect plugin call failed"); } } if (mi->context.options.client_disconnect_script) { struct argv argv = argv_new(); setenv_str(mi->context.c2.es, "script_type", "client-disconnect"); argv_parse_cmd(&argv, mi->context.options.client_disconnect_script); openvpn_run_script(&argv, mi->context.c2.es, 0, "--client-disconnect"); argv_reset(&argv); } #ifdef MANAGEMENT_DEF_AUTH if (management) { management_notify_client_close(management, &mi->context.c2.mda_context, mi->context.c2.es); } #endif } } void multi_close_instance(struct multi_context *m, struct multi_instance *mi, bool shutdown) { perf_push(PERF_MULTI_CLOSE_INSTANCE); ASSERT(!mi->halt); mi->halt = true; dmsg(D_MULTI_DEBUG, "MULTI: multi_close_instance called"); /* adjust current client connection count */ m->n_clients += mi->n_clients_delta; update_mstat_n_clients(m->n_clients); mi->n_clients_delta = 0; /* prevent dangling pointers */ if (m->pending == mi) { multi_set_pending(m, NULL); } if (m->earliest_wakeup == mi) { m->earliest_wakeup = NULL; } if (!shutdown) { if (mi->did_real_hash) { ASSERT(hash_remove(m->hash, &mi->real)); } if (mi->did_iter) { ASSERT(hash_remove(m->iter, &mi->real)); } #ifdef MANAGEMENT_DEF_AUTH if (mi->did_cid_hash) { ASSERT(hash_remove(m->cid_hash, &mi->context.c2.mda_context.cid)); } #endif #ifdef ENABLE_ASYNC_PUSH if (mi->inotify_watch != -1) { hash_remove(m->inotify_watchers, (void *) (unsigned long)mi->inotify_watch); mi->inotify_watch = -1; } #endif if (mi->context.c2.tls_multi->peer_id != MAX_PEER_ID) { m->instances[mi->context.c2.tls_multi->peer_id] = NULL; } schedule_remove_entry(m->schedule, (struct schedule_entry *) mi); ifconfig_pool_release(m->ifconfig_pool, mi->vaddr_handle, false); if (mi->did_iroutes) { multi_del_iroutes(m, mi); mi->did_iroutes = false; } if (m->mtcp) { multi_tcp_dereference_instance(m->mtcp, mi); } mbuf_dereference_instance(m->mbuf, mi); } #ifdef MANAGEMENT_DEF_AUTH set_cc_config(mi, NULL); #endif multi_client_disconnect_script(m, mi); if (mi->did_open_context) { close_context(&mi->context, SIGTERM, CC_GC_FREE); } multi_tcp_instance_specific_free(mi); ungenerate_prefix(mi); /* * Don't actually delete the instance memory allocation yet, * because virtual routes may still point to it. Let the * vhash reaper deal with it. */ multi_instance_dec_refcount(mi); perf_pop(); } /* * Called on shutdown or restart. */ void multi_uninit(struct multi_context *m) { if (m->thread_mode & MC_WORK_THREAD) { multi_top_free(m); m->thread_mode = MC_UNDEF; } else if (m->thread_mode) { if (m->hash) { struct hash_iterator hi; struct hash_element *he; hash_iterator_init(m->iter, &hi); while ((he = hash_iterator_next(&hi))) { struct multi_instance *mi = (struct multi_instance *) he->value; mi->did_iter = false; multi_close_instance(m, mi, true); } hash_iterator_free(&hi); multi_reap_all(m); hash_free(m->hash); hash_free(m->vhash); hash_free(m->iter); #ifdef MANAGEMENT_DEF_AUTH hash_free(m->cid_hash); #endif m->hash = NULL; free(m->instances); #ifdef ENABLE_ASYNC_PUSH hash_free(m->inotify_watchers); m->inotify_watchers = NULL; #endif schedule_free(m->schedule); mbuf_free(m->mbuf); ifconfig_pool_free(m->ifconfig_pool); frequency_limit_free(m->new_connection_limiter); multi_reap_free(m->reaper); mroute_helper_free(m->route_helper); multi_tcp_free(m->mtcp); m->thread_mode = MC_UNDEF; } } } /* * Create a client instance object for a newly connected client. */ struct multi_instance * multi_create_instance(struct multi_context *m, const struct mroute_addr *real) { struct gc_arena gc = gc_new(); struct multi_instance *mi; perf_push(PERF_MULTI_CREATE_INSTANCE); msg(D_MULTI_MEDIUM, "MULTI: multi_create_instance called"); ALLOC_OBJ_CLEAR(mi, struct multi_instance); mi->gc = gc_new(); multi_instance_inc_refcount(mi); mi->vaddr_handle = -1; mi->created = now; mroute_addr_init(&mi->real); if (real) { mi->real = *real; generate_prefix(mi); } mi->did_open_context = true; inherit_context_child(&mi->context, &m->top); if (IS_SIG(&mi->context)) { goto err; } mi->context.c2.context_auth = CAS_PENDING; if (hash_n_elements(m->hash) >= m->max_clients) { msg(D_MULTI_ERRORS, "MULTI: new incoming connection would exceed maximum number of clients (%d)", m->max_clients); goto err; } if (!real) /* TCP mode? */ { if (!multi_tcp_instance_specific_init(m, mi)) { goto err; } generate_prefix(mi); } if (!hash_add(m->iter, &mi->real, mi, false)) { msg(D_MULTI_LOW, "MULTI: unable to add real address [%s] to iterator hash table", mroute_addr_print(&mi->real, &gc)); goto err; } mi->did_iter = true; #ifdef MANAGEMENT_DEF_AUTH do { mi->context.c2.mda_context.cid = m->cid_counter++; } while (!hash_add(m->cid_hash, &mi->context.c2.mda_context.cid, mi, false)); mi->did_cid_hash = true; #endif mi->context.c2.push_reply_deferred = true; #ifdef ENABLE_ASYNC_PUSH mi->context.c2.push_request_received = false; mi->inotify_watch = -1; #endif if (!multi_process_post(m, mi, MPP_PRE_SELECT)) { msg(D_MULTI_ERRORS, "MULTI: signal occurred during client instance initialization"); goto err; } perf_pop(); gc_free(&gc); return mi; err: multi_close_instance(m, mi, false); perf_pop(); gc_free(&gc); return NULL; } /* * Dump tables -- triggered by SIGUSR2. * If status file is defined, write to file. * If status file is NULL, write to syslog. */ void multi_print_status(struct multi_context *m, struct status_output *so, const int version) { if (m->hash) { struct gc_arena gc_top = gc_new(); struct hash_iterator hi; const struct hash_element *he; status_reset(so); if (version == 1) /* WAS: m->status_file_version */ { /* * Status file version 1 */ status_printf(so, "OpenVPN CLIENT LIST"); status_printf(so, "Updated,%s", time_string(0, 0, false, &gc_top)); status_printf(so, "Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since"); hash_iterator_init(m->hash, &hi); while ((he = hash_iterator_next(&hi))) { struct gc_arena gc = gc_new(); const struct multi_instance *mi = (struct multi_instance *) he->value; if (!mi->halt) { status_printf(so, "%s,%s," counter_format "," counter_format ",%s", tls_common_name(mi->context.c2.tls_multi, false), mroute_addr_print(&mi->real, &gc), mi->context.c2.link_read_bytes, mi->context.c2.link_write_bytes, time_string(mi->created, 0, false, &gc)); } gc_free(&gc); } hash_iterator_free(&hi); status_printf(so, "ROUTING TABLE"); status_printf(so, "Virtual Address,Common Name,Real Address,Last Ref"); hash_iterator_init(m->vhash, &hi); while ((he = hash_iterator_next(&hi))) { struct gc_arena gc = gc_new(); const struct multi_route *route = (struct multi_route *) he->value; if (multi_route_defined(m, route)) { const struct multi_instance *mi = route->instance; const struct mroute_addr *ma = &route->addr; char flags[2] = {0, 0}; if (route->flags & MULTI_ROUTE_CACHE) { flags[0] = 'C'; } status_printf(so, "%s%s,%s,%s,%s", mroute_addr_print(ma, &gc), flags, tls_common_name(mi->context.c2.tls_multi, false), mroute_addr_print(&mi->real, &gc), time_string(route->last_reference, 0, false, &gc)); } gc_free(&gc); } hash_iterator_free(&hi); status_printf(so, "GLOBAL STATS"); if (m->mbuf) { status_printf(so, "Max bcast/mcast queue length,%d", mbuf_maximum_queued(m->mbuf)); } status_printf(so, "END"); } else if (version == 2 || version == 3) { const char sep = (version == 3) ? '\t' : ','; /* * Status file version 2 and 3 */ status_printf(so, "TITLE%c%s", sep, title_string); status_printf(so, "TIME%c%s%c%u", sep, time_string(now, 0, false, &gc_top), sep, (unsigned int)now); status_printf(so, "HEADER%cCLIENT_LIST%cCommon Name%cReal Address%cVirtual Address%cVirtual IPv6 Address%cBytes Received%cBytes Sent%cConnected Since%cConnected Since (time_t)%cUsername%cClient ID%cPeer ID", sep, sep, sep, sep, sep, sep, sep, sep, sep, sep, sep, sep); hash_iterator_init(m->hash, &hi); while ((he = hash_iterator_next(&hi))) { struct gc_arena gc = gc_new(); const struct multi_instance *mi = (struct multi_instance *) he->value; if (!mi->halt) { status_printf(so, "CLIENT_LIST%c%s%c%s%c%s%c%s%c" counter_format "%c" counter_format "%c%s%c%u%c%s%c" #ifdef MANAGEMENT_DEF_AUTH "%lu" #else "" #endif "%c%" PRIu32, sep, tls_common_name(mi->context.c2.tls_multi, false), sep, mroute_addr_print(&mi->real, &gc), sep, print_in_addr_t(mi->reporting_addr, IA_EMPTY_IF_UNDEF, &gc), sep, print_in6_addr(mi->reporting_addr_ipv6, IA_EMPTY_IF_UNDEF, &gc), sep, mi->context.c2.link_read_bytes, sep, mi->context.c2.link_write_bytes, sep, time_string(mi->created, 0, false, &gc), sep, (unsigned int)mi->created, sep, tls_username(mi->context.c2.tls_multi, false), #ifdef MANAGEMENT_DEF_AUTH sep, mi->context.c2.mda_context.cid, #else sep, #endif sep, mi->context.c2.tls_multi ? mi->context.c2.tls_multi->peer_id : UINT32_MAX); } gc_free(&gc); } hash_iterator_free(&hi); status_printf(so, "HEADER%cROUTING_TABLE%cVirtual Address%cCommon Name%cReal Address%cLast Ref%cLast Ref (time_t)", sep, sep, sep, sep, sep, sep); hash_iterator_init(m->vhash, &hi); while ((he = hash_iterator_next(&hi))) { struct gc_arena gc = gc_new(); const struct multi_route *route = (struct multi_route *) he->value; if (multi_route_defined(m, route)) { const struct multi_instance *mi = route->instance; const struct mroute_addr *ma = &route->addr; char flags[2] = {0, 0}; if (route->flags & MULTI_ROUTE_CACHE) { flags[0] = 'C'; } status_printf(so, "ROUTING_TABLE%c%s%s%c%s%c%s%c%s%c%u", sep, mroute_addr_print(ma, &gc), flags, sep, tls_common_name(mi->context.c2.tls_multi, false), sep, mroute_addr_print(&mi->real, &gc), sep, time_string(route->last_reference, 0, false, &gc), sep, (unsigned int)route->last_reference); } gc_free(&gc); } hash_iterator_free(&hi); if (m->mbuf) { status_printf(so, "GLOBAL_STATS%cMax bcast/mcast queue length%c%d", sep, sep, mbuf_maximum_queued(m->mbuf)); } status_printf(so, "END"); } else { status_printf(so, "ERROR: bad status format version number"); } #ifdef PACKET_TRUNCATION_CHECK { status_printf(so, "HEADER,ERRORS,Common Name,TUN Read Trunc,TUN Write Trunc,Pre-encrypt Trunc,Post-decrypt Trunc"); hash_iterator_init(m->hash, &hi); while ((he = hash_iterator_next(&hi))) { struct gc_arena gc = gc_new(); const struct multi_instance *mi = (struct multi_instance *) he->value; if (!mi->halt) { status_printf(so, "ERRORS,%s," counter_format "," counter_format "," counter_format "," counter_format, tls_common_name(mi->context.c2.tls_multi, false), m->top.c2.n_trunc_tun_read, mi->context.c2.n_trunc_tun_write, mi->context.c2.n_trunc_pre_encrypt, mi->context.c2.n_trunc_post_decrypt); } gc_free(&gc); } hash_iterator_free(&hi); } #endif /* ifdef PACKET_TRUNCATION_CHECK */ status_flush(so); gc_free(&gc_top); } #ifdef ENABLE_ASYNC_PUSH if (m->inotify_watchers) { msg(D_MULTI_DEBUG, "inotify watchers count: %d\n", hash_n_elements(m->inotify_watchers)); } #endif } /* * Learn a virtual address or route. * The learn will fail if the learn address * script/plugin fails. In this case the * return value may be != mi. * Return the instance which owns this route, * or NULL if none. */ static struct multi_instance * multi_learn_addr(struct multi_context *m, struct multi_instance *mi, const struct mroute_addr *addr, const unsigned int flags) { struct hash_element *he; const uint32_t hv = hash_value(m->vhash, addr); struct hash_bucket *bucket = hash_bucket(m->vhash, hv); struct multi_route *oldroute = NULL; struct multi_instance *owner = NULL; /* if route currently exists, get the instance which owns it */ he = hash_lookup_fast(m->vhash, bucket, addr, hv); if (he) { oldroute = (struct multi_route *) he->value; } if (oldroute && multi_route_defined(m, oldroute)) { owner = oldroute->instance; } /* do we need to add address to hash table? */ if ((!owner || owner != mi) && mroute_learnable_address(addr) && !mroute_addr_equal(addr, &m->local)) { struct gc_arena gc = gc_new(); struct multi_route *newroute; bool learn_succeeded = false; ALLOC_OBJ(newroute, struct multi_route); newroute->addr = *addr; newroute->instance = mi; newroute->flags = flags; newroute->last_reference = now; newroute->cache_generation = 0; /* The cache is invalidated when cache_generation is incremented */ if (flags & MULTI_ROUTE_CACHE) { newroute->cache_generation = m->route_helper->cache_generation; } if (oldroute) /* route already exists? */ { if (route_quota_test(m, mi) && learn_address_script(m, mi, "update", &newroute->addr)) { learn_succeeded = true; owner = mi; multi_instance_inc_refcount(mi); route_quota_inc(mi); /* delete old route */ multi_route_del(oldroute); /* modify hash table entry, replacing old route */ he->key = &newroute->addr; he->value = newroute; } } else { if (route_quota_test(m, mi) && learn_address_script(m, mi, "add", &newroute->addr)) { learn_succeeded = true; owner = mi; multi_instance_inc_refcount(mi); route_quota_inc(mi); /* add new route */ hash_add_fast(m->vhash, bucket, &newroute->addr, hv, newroute); } } msg(D_MULTI_LOW, "MULTI: Learn%s: %s -> %s", learn_succeeded ? "" : " FAILED", mroute_addr_print(&newroute->addr, &gc), multi_instance_string(mi, false, &gc)); if (!learn_succeeded) { free(newroute); } gc_free(&gc); } return owner; } /* * Get client instance based on virtual address. */ static struct multi_instance * multi_get_instance_by_virtual_addr(struct multi_context *m, const struct mroute_addr *addr, bool cidr_routing) { struct multi_route *route; struct multi_instance *ret = NULL; /* check for local address */ if (mroute_addr_equal(addr, &m->local)) { return NULL; } route = (struct multi_route *) hash_lookup(m->vhash, addr); /* does host route (possible cached) exist? */ if (route && multi_route_defined(m, route)) { struct multi_instance *mi = route->instance; route->last_reference = now; ret = mi; } else if (cidr_routing) /* do we need to regenerate a host route cache entry? */ { struct mroute_helper *rh = m->route_helper; struct mroute_addr tryaddr; int i; /* cycle through each CIDR length */ for (i = 0; i < rh->n_net_len; ++i) { tryaddr = *addr; tryaddr.type |= MR_WITH_NETBITS; tryaddr.netbits = rh->net_len[i]; mroute_addr_mask_host_bits(&tryaddr); /* look up a possible route with netbits netmask */ route = (struct multi_route *) hash_lookup(m->vhash, &tryaddr); if (route && multi_route_defined(m, route)) { /* found an applicable route, cache host route */ struct multi_instance *mi = route->instance; multi_learn_addr(m, mi, addr, MULTI_ROUTE_CACHE|MULTI_ROUTE_AGEABLE); ret = mi; break; } } } #ifdef ENABLE_DEBUG if (check_debug_level(D_MULTI_DEBUG)) { struct gc_arena gc = gc_new(); const char *addr_text = mroute_addr_print(addr, &gc); if (ret) { dmsg(D_MULTI_DEBUG, "GET INST BY VIRT: %s -> %s via %s", addr_text, multi_instance_string(ret, false, &gc), mroute_addr_print(&route->addr, &gc)); } else { dmsg(D_MULTI_DEBUG, "GET INST BY VIRT: %s [failed]", addr_text); } gc_free(&gc); } #endif ASSERT(!(ret && ret->halt)); return ret; } /* * Helper function to multi_learn_addr(). */ static struct multi_instance * multi_learn_in_addr_t(struct multi_context *m, struct multi_instance *mi, in_addr_t a, int netbits, /* -1 if host route, otherwise # of network bits in address */ bool primary) { struct openvpn_sockaddr remote_si; struct mroute_addr addr; CLEAR(remote_si); remote_si.addr.in4.sin_family = AF_INET; remote_si.addr.in4.sin_addr.s_addr = htonl(a); ASSERT(mroute_extract_openvpn_sockaddr(&addr, &remote_si, false)); if (netbits >= 0) { addr.type |= MR_WITH_NETBITS; addr.netbits = (uint8_t) netbits; } { struct multi_instance *owner = multi_learn_addr(m, mi, &addr, 0); #ifdef MANAGEMENT_DEF_AUTH if (management && owner) { management_learn_addr(management, &mi->context.c2.mda_context, &addr, primary); } #endif return owner; } } static struct multi_instance * multi_learn_in6_addr(struct multi_context *m, struct multi_instance *mi, struct in6_addr a6, int netbits, /* -1 if host route, otherwise # of network bits in address */ bool primary) { struct mroute_addr addr; addr.len = 16; addr.type = MR_ADDR_IPV6; addr.netbits = 0; addr.v6.addr = a6; if (netbits >= 0) { addr.type |= MR_WITH_NETBITS; addr.netbits = (uint8_t) netbits; mroute_addr_mask_host_bits( &addr ); } { struct multi_instance *owner = multi_learn_addr(m, mi, &addr, 0); #ifdef MANAGEMENT_DEF_AUTH if (management && owner) { management_learn_addr(management, &mi->context.c2.mda_context, &addr, primary); } #endif return owner; } } /* * A new client has connected, add routes (server -> client) * to internal routing table. */ static void multi_add_iroutes(struct multi_context *m, struct multi_instance *mi) { struct gc_arena gc = gc_new(); const struct iroute *ir; const struct iroute_ipv6 *ir6; if (TUNNEL_TYPE(mi->context.c1.tuntap) == DEV_TYPE_TUN) { mi->did_iroutes = true; for (ir = mi->context.options.iroutes; ir != NULL; ir = ir->next) { if (ir->netbits >= 0) { msg(D_MULTI_LOW, "MULTI: internal route %s/%d -> %s", print_in_addr_t(ir->network, 0, &gc), ir->netbits, multi_instance_string(mi, false, &gc)); } else { msg(D_MULTI_LOW, "MULTI: internal route %s -> %s", print_in_addr_t(ir->network, 0, &gc), multi_instance_string(mi, false, &gc)); } mroute_helper_add_iroute46(m->route_helper, ir->netbits); multi_learn_in_addr_t(m, mi, ir->network, ir->netbits, false); } for (ir6 = mi->context.options.iroutes_ipv6; ir6 != NULL; ir6 = ir6->next) { msg(D_MULTI_LOW, "MULTI: internal route %s/%d -> %s", print_in6_addr(ir6->network, 0, &gc), ir6->netbits, multi_instance_string(mi, false, &gc)); mroute_helper_add_iroute46(m->route_helper, ir6->netbits); multi_learn_in6_addr(m, mi, ir6->network, ir6->netbits, false); } } gc_free(&gc); } /* * Given an instance (new_mi), delete all other instances which use the * same common name. */ static void multi_delete_dup(struct multi_context *m, struct multi_instance *new_mi) { if (new_mi) { const char *new_cn = tls_common_name(new_mi->context.c2.tls_multi, true); if (new_cn) { struct hash_iterator hi; struct hash_element *he; int count = 0; hash_iterator_init(m->iter, &hi); while ((he = hash_iterator_next(&hi))) { struct multi_instance *mi = (struct multi_instance *) he->value; if (mi != new_mi && !mi->halt) { const char *cn = tls_common_name(mi->context.c2.tls_multi, true); if (cn && !strcmp(cn, new_cn)) { mi->did_iter = false; multi_close_instance(m, mi, false); hash_iterator_delete_element(&hi); ++count; } } } hash_iterator_free(&hi); if (count) { msg(D_MULTI_LOW, "MULTI: new connection by client '%s' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.", new_cn); } } } } static void check_stale_routes(struct multi_context *m) { struct gc_arena gc = gc_new(); struct hash_iterator hi; struct hash_element *he; dmsg(D_MULTI_DEBUG, "MULTI: Checking stale routes"); hash_iterator_init_range(m->vhash, &hi, 0, hash_n_buckets(m->vhash)); while ((he = hash_iterator_next(&hi)) != NULL) { struct multi_route *r = (struct multi_route *) he->value; if (multi_route_defined(m, r) && difftime(now, r->last_reference) >= m->top.options.stale_routes_ageing_time) { dmsg(D_MULTI_DEBUG, "MULTI: Deleting stale route for address '%s'", mroute_addr_print(&r->addr, &gc)); learn_address_script(m, NULL, "delete", &r->addr); multi_route_del(r); hash_iterator_delete_element(&hi); } } hash_iterator_free(&hi); gc_free(&gc); } /* * Ensure that endpoint to be pushed to client * complies with --ifconfig-push-constraint directive. */ static bool ifconfig_push_constraint_satisfied(const struct context *c) { const struct options *o = &c->options; if (o->push_ifconfig_constraint_defined && c->c2.push_ifconfig_defined) { return (o->push_ifconfig_constraint_netmask & c->c2.push_ifconfig_local) == o->push_ifconfig_constraint_network; } else { return true; } } /* * Select a virtual address for a new client instance. * Use an --ifconfig-push directive, if given (static IP). * Otherwise use an --ifconfig-pool address (dynamic IP). */ static void multi_select_virtual_addr(struct multi_context *m, struct multi_instance *mi) { struct gc_arena gc = gc_new(); /* * If ifconfig addresses were set by dynamic config file, * release pool addresses, otherwise keep them. */ if (mi->context.options.push_ifconfig_defined) { /* ifconfig addresses were set statically, * release dynamic allocation */ if (mi->vaddr_handle >= 0) { ifconfig_pool_release(m->ifconfig_pool, mi->vaddr_handle, true); mi->vaddr_handle = -1; } mi->context.c2.push_ifconfig_defined = true; mi->context.c2.push_ifconfig_local = mi->context.options.push_ifconfig_local; mi->context.c2.push_ifconfig_remote_netmask = mi->context.options.push_ifconfig_remote_netmask; mi->context.c2.push_ifconfig_local_alias = mi->context.options.push_ifconfig_local_alias; /* the current implementation does not allow "static IPv4, pool IPv6", * (see below) so issue a warning if that happens - don't break the * session, though, as we don't even know if this client WANTS IPv6 */ if (mi->context.options.ifconfig_ipv6_pool_defined && !mi->context.options.push_ifconfig_ipv6_defined) { msg( M_INFO, "MULTI_sva: WARNING: if --ifconfig-push is used for IPv4, automatic IPv6 assignment from --ifconfig-ipv6-pool does not work. Use --ifconfig-ipv6-push for IPv6 then." ); } } else if (m->ifconfig_pool && mi->vaddr_handle < 0) /* otherwise, choose a pool address */ { in_addr_t local = 0, remote = 0; struct in6_addr remote_ipv6; const char *cn = NULL; if (!mi->context.options.duplicate_cn) { cn = tls_common_name(mi->context.c2.tls_multi, true); } CLEAR(remote_ipv6); mi->vaddr_handle = ifconfig_pool_acquire(m->ifconfig_pool, &local, &remote, &remote_ipv6, cn); if (mi->vaddr_handle >= 0) { const int tunnel_type = TUNNEL_TYPE(mi->context.c1.tuntap); const int tunnel_topology = TUNNEL_TOPOLOGY(mi->context.c1.tuntap); msg( M_INFO, "MULTI_sva: pool returned IPv4=%s, IPv6=%s", print_in_addr_t( remote, 0, &gc ), (mi->context.options.ifconfig_ipv6_pool_defined ? print_in6_addr( remote_ipv6, 0, &gc ) : "(Not enabled)") ); /* set push_ifconfig_remote_netmask from pool ifconfig address(es) */ mi->context.c2.push_ifconfig_local = remote; if (tunnel_type == DEV_TYPE_TAP || (tunnel_type == DEV_TYPE_TUN && tunnel_topology == TOP_SUBNET)) { mi->context.c2.push_ifconfig_remote_netmask = mi->context.options.ifconfig_pool_netmask; if (!mi->context.c2.push_ifconfig_remote_netmask) { mi->context.c2.push_ifconfig_remote_netmask = mi->context.c1.tuntap->remote_netmask; } } else if (tunnel_type == DEV_TYPE_TUN) { if (tunnel_topology == TOP_P2P) { mi->context.c2.push_ifconfig_remote_netmask = mi->context.c1.tuntap->local; } else if (tunnel_topology == TOP_NET30) { mi->context.c2.push_ifconfig_remote_netmask = local; } } if (mi->context.c2.push_ifconfig_remote_netmask) { mi->context.c2.push_ifconfig_defined = true; } else { msg(D_MULTI_ERRORS, "MULTI: no --ifconfig-pool netmask parameter is available to push to %s", multi_instance_string(mi, false, &gc)); } if (mi->context.options.ifconfig_ipv6_pool_defined) { mi->context.c2.push_ifconfig_ipv6_local = remote_ipv6; mi->context.c2.push_ifconfig_ipv6_remote = mi->context.c1.tuntap->local_ipv6; mi->context.c2.push_ifconfig_ipv6_netbits = mi->context.options.ifconfig_ipv6_netbits; mi->context.c2.push_ifconfig_ipv6_defined = true; } } else { msg(D_MULTI_ERRORS, "MULTI: no free --ifconfig-pool addresses are available"); } } /* IPv6 push_ifconfig is a bit problematic - since IPv6 shares the * pool handling with IPv4, the combination "static IPv4, dynamic IPv6" * will fail (because no pool will be allocated in this case). * OTOH, this doesn't make too much sense in reality - and the other * way round ("dynamic IPv4, static IPv6") or "both static" makes sense * -> and so it's implemented right now */ if (mi->context.options.push_ifconfig_ipv6_defined) { mi->context.c2.push_ifconfig_ipv6_local = mi->context.options.push_ifconfig_ipv6_local; mi->context.c2.push_ifconfig_ipv6_remote = mi->context.options.push_ifconfig_ipv6_remote; mi->context.c2.push_ifconfig_ipv6_netbits = mi->context.options.push_ifconfig_ipv6_netbits; mi->context.c2.push_ifconfig_ipv6_defined = true; msg( M_INFO, "MULTI_sva: push_ifconfig_ipv6 %s/%d", print_in6_addr( mi->context.c2.push_ifconfig_ipv6_local, 0, &gc ), mi->context.c2.push_ifconfig_ipv6_netbits ); } gc_free(&gc); } /* * Set virtual address environmental variables. */ static void multi_set_virtual_addr_env(struct multi_context *m, struct multi_instance *mi) { setenv_del(mi->context.c2.es, "ifconfig_pool_local_ip"); setenv_del(mi->context.c2.es, "ifconfig_pool_remote_ip"); setenv_del(mi->context.c2.es, "ifconfig_pool_netmask"); if (mi->context.c2.push_ifconfig_defined) { const int tunnel_type = TUNNEL_TYPE(mi->context.c1.tuntap); const int tunnel_topology = TUNNEL_TOPOLOGY(mi->context.c1.tuntap); setenv_in_addr_t(mi->context.c2.es, "ifconfig_pool_remote_ip", mi->context.c2.push_ifconfig_local, SA_SET_IF_NONZERO); if (tunnel_type == DEV_TYPE_TAP || (tunnel_type == DEV_TYPE_TUN && tunnel_topology == TOP_SUBNET)) { setenv_in_addr_t(mi->context.c2.es, "ifconfig_pool_netmask", mi->context.c2.push_ifconfig_remote_netmask, SA_SET_IF_NONZERO); } else if (tunnel_type == DEV_TYPE_TUN) { setenv_in_addr_t(mi->context.c2.es, "ifconfig_pool_local_ip", mi->context.c2.push_ifconfig_remote_netmask, SA_SET_IF_NONZERO); } } setenv_del(mi->context.c2.es, "ifconfig_pool_local_ip6"); setenv_del(mi->context.c2.es, "ifconfig_pool_remote_ip6"); setenv_del(mi->context.c2.es, "ifconfig_pool_ip6_netbits"); if (mi->context.c2.push_ifconfig_ipv6_defined) { setenv_in6_addr(mi->context.c2.es, "ifconfig_pool_remote", &mi->context.c2.push_ifconfig_ipv6_local, SA_SET_IF_NONZERO); setenv_in6_addr(mi->context.c2.es, "ifconfig_pool_local", &mi->context.c2.push_ifconfig_ipv6_remote, SA_SET_IF_NONZERO); setenv_int(mi->context.c2.es, "ifconfig_pool_ip6_netbits", mi->context.c2.push_ifconfig_ipv6_netbits); } } /* * Called after client-connect script is called */ static void multi_client_connect_post(struct multi_context *m, struct multi_instance *mi, const char *dc_file, unsigned int option_permissions_mask, unsigned int *option_types_found) { /* Did script generate a dynamic config file? */ if (test_file(dc_file)) { options_server_import(&mi->context.options, dc_file, D_IMPORT_ERRORS|M_OPTERR, option_permissions_mask, option_types_found, mi->context.c2.es); /* * If the --client-connect script generates a config file * with an --ifconfig-push directive, it will override any * --ifconfig-push directive from the --client-config-dir * directory or any --ifconfig-pool dynamic address. */ multi_select_virtual_addr(m, mi); multi_set_virtual_addr_env(m, mi); } } #ifdef ENABLE_PLUGIN /* * Called after client-connect plug-in is called */ static void multi_client_connect_post_plugin(struct multi_context *m, struct multi_instance *mi, const struct plugin_return *pr, unsigned int option_permissions_mask, unsigned int *option_types_found) { struct plugin_return config; plugin_return_get_column(pr, &config, "config"); /* Did script generate a dynamic config file? */ if (plugin_return_defined(&config)) { int i; for (i = 0; i < config.n; ++i) { if (config.list[i] && config.list[i]->value) { options_string_import(&mi->context.options, config.list[i]->value, D_IMPORT_ERRORS|M_OPTERR, option_permissions_mask, option_types_found, mi->context.c2.es); } } /* * If the --client-connect script generates a config file * with an --ifconfig-push directive, it will override any * --ifconfig-push directive from the --client-config-dir * directory or any --ifconfig-pool dynamic address. */ multi_select_virtual_addr(m, mi); multi_set_virtual_addr_env(m, mi); } } #endif /* ifdef ENABLE_PLUGIN */ #ifdef MANAGEMENT_DEF_AUTH /* * Called to load management-derived client-connect config */ static void multi_client_connect_mda(struct multi_context *m, struct multi_instance *mi, const struct buffer_list *config, unsigned int option_permissions_mask, unsigned int *option_types_found) { if (config) { struct buffer_entry *be; for (be = config->head; be != NULL; be = be->next) { const char *opt = BSTR(&be->buf); options_string_import(&mi->context.options, opt, D_IMPORT_ERRORS|M_OPTERR, option_permissions_mask, option_types_found, mi->context.c2.es); } /* * If the --client-connect script generates a config file * with an --ifconfig-push directive, it will override any * --ifconfig-push directive from the --client-config-dir * directory or any --ifconfig-pool dynamic address. */ multi_select_virtual_addr(m, mi); multi_set_virtual_addr_env(m, mi); } } #endif /* ifdef MANAGEMENT_DEF_AUTH */ static void multi_client_connect_setenv(struct multi_context *m, struct multi_instance *mi) { struct gc_arena gc = gc_new(); /* setenv incoming cert common name for script */ setenv_str(mi->context.c2.es, "common_name", tls_common_name(mi->context.c2.tls_multi, true)); /* setenv client real IP address */ setenv_trusted(mi->context.c2.es, get_link_socket_info(&mi->context)); /* setenv client virtual IP address */ multi_set_virtual_addr_env(m, mi); /* setenv connection time */ { const char *created_ascii = time_string(mi->created, 0, false, &gc); setenv_str(mi->context.c2.es, "time_ascii", created_ascii); setenv_unsigned(mi->context.c2.es, "time_unix", (unsigned int)mi->created); } gc_free(&gc); } /* * Called as soon as the SSL/TLS connection authenticates. * * Instance-specific directives to be processed: * * iroute start-ip end-ip * ifconfig-push local remote-netmask * push */ static void multi_connection_established(struct multi_context *m, struct multi_instance *mi) { if (tls_authentication_status(mi->context.c2.tls_multi, 0) == TLS_AUTHENTICATION_SUCCEEDED) { struct gc_arena gc = gc_new(); unsigned int option_types_found = 0; const unsigned int option_permissions_mask = OPT_P_INSTANCE | OPT_P_INHERIT | OPT_P_PUSH | OPT_P_TIMER | OPT_P_CONFIG | OPT_P_ECHO | OPT_P_COMP | OPT_P_SOCKFLAGS; int cc_succeeded = true; /* client connect script status */ int cc_succeeded_count = 0; ASSERT(mi->context.c1.tuntap); /* lock down the common name and cert hashes so they can't change during future TLS renegotiations */ tls_lock_common_name(mi->context.c2.tls_multi); tls_lock_cert_hash_set(mi->context.c2.tls_multi); /* generate a msg() prefix for this client instance */ generate_prefix(mi); /* delete instances of previous clients with same common-name */ if (!mi->context.options.duplicate_cn) { multi_delete_dup(m, mi); } /* reset pool handle to null */ mi->vaddr_handle = -1; /* * Try to source a dynamic config file from the * --client-config-dir directory. */ if (mi->context.options.client_config_dir) { const char *ccd_file; ccd_file = gen_path(mi->context.options.client_config_dir, tls_common_name(mi->context.c2.tls_multi, false), &gc); /* try common-name file */ if (test_file(ccd_file)) { options_server_import(&mi->context.options, ccd_file, D_IMPORT_ERRORS|M_OPTERR, option_permissions_mask, &option_types_found, mi->context.c2.es); } else /* try default file */ { ccd_file = gen_path(mi->context.options.client_config_dir, CCD_DEFAULT, &gc); if (test_file(ccd_file)) { options_server_import(&mi->context.options, ccd_file, D_IMPORT_ERRORS|M_OPTERR, option_permissions_mask, &option_types_found, mi->context.c2.es); } } } /* * Select a virtual address from either --ifconfig-push in --client-config-dir file * or --ifconfig-pool. */ multi_select_virtual_addr(m, mi); /* do --client-connect setenvs */ multi_client_connect_setenv(m, mi); #ifdef ENABLE_PLUGIN /* * Call client-connect plug-in. */ /* deprecated callback, use a file for passing back return info */ if (plugin_defined(mi->context.plugins, OPENVPN_PLUGIN_CLIENT_CONNECT)) { struct argv argv = argv_new(); const char *dc_file = create_temp_file(mi->context.options.tmp_dir, "cc", &gc); if (!dc_file) { cc_succeeded = false; goto script_depr_failed; } argv_printf(&argv, "%s", dc_file); if (plugin_call(mi->context.plugins, OPENVPN_PLUGIN_CLIENT_CONNECT, &argv, NULL, mi->context.c2.es) != OPENVPN_PLUGIN_FUNC_SUCCESS) { msg(M_WARN, "WARNING: client-connect plugin call failed"); cc_succeeded = false; } else { multi_client_connect_post(m, mi, dc_file, option_permissions_mask, &option_types_found); ++cc_succeeded_count; } if (!platform_unlink(dc_file)) { msg(D_MULTI_ERRORS, "MULTI: problem deleting temporary file: %s", dc_file); } script_depr_failed: argv_reset(&argv); } /* V2 callback, use a plugin_return struct for passing back return info */ if (plugin_defined(mi->context.plugins, OPENVPN_PLUGIN_CLIENT_CONNECT_V2)) { struct plugin_return pr; plugin_return_init(&pr); if (plugin_call(mi->context.plugins, OPENVPN_PLUGIN_CLIENT_CONNECT_V2, NULL, &pr, mi->context.c2.es) != OPENVPN_PLUGIN_FUNC_SUCCESS) { msg(M_WARN, "WARNING: client-connect-v2 plugin call failed"); cc_succeeded = false; } else { multi_client_connect_post_plugin(m, mi, &pr, option_permissions_mask, &option_types_found); ++cc_succeeded_count; } plugin_return_free(&pr); } #endif /* ifdef ENABLE_PLUGIN */ /* * Run --client-connect script. */ if (mi->context.options.client_connect_script && cc_succeeded) { struct argv argv = argv_new(); const char *dc_file = NULL; setenv_str(mi->context.c2.es, "script_type", "client-connect"); dc_file = create_temp_file(mi->context.options.tmp_dir, "cc", &gc); if (!dc_file) { cc_succeeded = false; goto script_failed; } argv_parse_cmd(&argv, mi->context.options.client_connect_script); argv_printf_cat(&argv, "%s", dc_file); if (openvpn_run_script(&argv, mi->context.c2.es, 0, "--client-connect")) { multi_client_connect_post(m, mi, dc_file, option_permissions_mask, &option_types_found); ++cc_succeeded_count; } else { cc_succeeded = false; } if (!platform_unlink(dc_file)) { msg(D_MULTI_ERRORS, "MULTI: problem deleting temporary file: %s", dc_file); } script_failed: argv_reset(&argv); } /* * Check for client-connect script left by management interface client */ #ifdef MANAGEMENT_DEF_AUTH if (cc_succeeded && mi->cc_config) { multi_client_connect_mda(m, mi, mi->cc_config, option_permissions_mask, &option_types_found); ++cc_succeeded_count; } #endif /* * Check for "disable" directive in client-config-dir file * or config file generated by --client-connect script. */ if (mi->context.options.disable) { msg(D_MULTI_ERRORS, "MULTI: client has been rejected due to 'disable' directive"); cc_succeeded = false; cc_succeeded_count = 0; } if (cc_succeeded) { /* * Process sourced options. */ do_deferred_options(&mi->context, option_types_found); /* * make sure we got ifconfig settings from somewhere */ if (!mi->context.c2.push_ifconfig_defined) { msg(D_MULTI_ERRORS, "MULTI: no dynamic or static remote --ifconfig address is available for %s", multi_instance_string(mi, false, &gc)); } /* * make sure that ifconfig settings comply with constraints */ if (!ifconfig_push_constraint_satisfied(&mi->context)) { /* JYFIXME -- this should cause the connection to fail */ msg(D_MULTI_ERRORS, "MULTI ERROR: primary virtual IP for %s (%s) violates tunnel network/netmask constraint (%s/%s)", multi_instance_string(mi, false, &gc), print_in_addr_t(mi->context.c2.push_ifconfig_local, 0, &gc), print_in_addr_t(mi->context.options.push_ifconfig_constraint_network, 0, &gc), print_in_addr_t(mi->context.options.push_ifconfig_constraint_netmask, 0, &gc)); } /* * For routed tunnels, set up internal route to endpoint * plus add all iroute routes. */ if (TUNNEL_TYPE(mi->context.c1.tuntap) == DEV_TYPE_TUN) { if (mi->context.c2.push_ifconfig_defined) { multi_learn_in_addr_t(m, mi, mi->context.c2.push_ifconfig_local, -1, true); msg(D_MULTI_LOW, "MULTI: primary virtual IP for %s: %s", multi_instance_string(mi, false, &gc), print_in_addr_t(mi->context.c2.push_ifconfig_local, 0, &gc)); } if (mi->context.c2.push_ifconfig_ipv6_defined) { multi_learn_in6_addr(m, mi, mi->context.c2.push_ifconfig_ipv6_local, -1, true); /* TODO: find out where addresses are "unlearned"!! */ msg(D_MULTI_LOW, "MULTI: primary virtual IPv6 for %s: %s", multi_instance_string(mi, false, &gc), print_in6_addr(mi->context.c2.push_ifconfig_ipv6_local, 0, &gc)); } /* add routes locally, pointing to new client, if * --iroute options have been specified */ multi_add_iroutes(m, mi); /* * iroutes represent subnets which are "owned" by a particular * client. Therefore, do not actually push a route to a client * if it matches one of the client's iroutes. */ remove_iroutes_from_push_route_list(&mi->context.options); } else if (mi->context.options.iroutes) { msg(D_MULTI_ERRORS, "MULTI: --iroute options rejected for %s -- iroute only works with tun-style tunnels", multi_instance_string(mi, false, &gc)); } /* set our client's VPN endpoint for status reporting purposes */ mi->reporting_addr = mi->context.c2.push_ifconfig_local; mi->reporting_addr_ipv6 = mi->context.c2.push_ifconfig_ipv6_local; /* set context-level authentication flag */ mi->context.c2.context_auth = CAS_SUCCEEDED; #ifdef ENABLE_ASYNC_PUSH /* authentication complete, send push reply */ if (mi->context.c2.push_request_received) { process_incoming_push_request(&mi->context); } #endif } else { /* set context-level authentication flag */ mi->context.c2.context_auth = cc_succeeded_count ? CAS_PARTIAL : CAS_FAILED; } /* set flag so we don't get called again */ mi->connection_established_flag = true; /* increment number of current authenticated clients */ ++m->n_clients; update_mstat_n_clients(m->n_clients); --mi->n_clients_delta; #ifdef MANAGEMENT_DEF_AUTH if (management) { management_connection_established(management, &mi->context.c2.mda_context, mi->context.c2.es); } #endif gc_free(&gc); } /* * Reply now to client's PUSH_REQUEST query */ mi->context.c2.push_reply_deferred = false; } #ifdef ENABLE_ASYNC_PUSH /* * Called when inotify event is fired, which happens when acf file is closed or deleted. * Continues authentication and sends push_reply. */ void multi_process_file_closed(struct multi_context *m, const unsigned int mpp_flags) { char buffer[INOTIFY_EVENT_BUFFER_SIZE]; size_t buffer_i = 0; int r = read(m->top.c2.inotify_fd, buffer, INOTIFY_EVENT_BUFFER_SIZE); while (buffer_i < r) { /* parse inotify events */ struct inotify_event *pevent = (struct inotify_event *) &buffer[buffer_i]; size_t event_size = sizeof(struct inotify_event) + pevent->len; buffer_i += event_size; msg(D_MULTI_DEBUG, "MULTI: modified fd %d, mask %d", pevent->wd, pevent->mask); struct multi_instance *mi = hash_lookup(m->inotify_watchers, (void *) (unsigned long) pevent->wd); if (pevent->mask & IN_CLOSE_WRITE) { if (mi) { /* continue authentication and send push_reply */ multi_process_post(m, mi, mpp_flags); } else { msg(D_MULTI_ERRORS, "MULTI: multi_instance not found!"); } } else if (pevent->mask & IN_IGNORED) { /* this event is _always_ fired when watch is removed or file is deleted */ if (mi) { hash_remove(m->inotify_watchers, (void *) (unsigned long) pevent->wd); mi->inotify_watch = -1; } } else { msg(D_MULTI_ERRORS, "MULTI: unknown mask %d", pevent->mask); } } } #endif /* ifdef ENABLE_ASYNC_PUSH */ /* * Add a mbuf buffer to a particular * instance. */ void multi_add_mbuf(struct multi_context *m, struct multi_instance *mi, struct mbuf_buffer *mb) { if (multi_output_queue_ready(m, mi)) { struct mbuf_item item; item.buffer = mb; item.instance = mi; mbuf_add_item(m->mbuf, &item); } else { msg(D_MULTI_DROPPED, "MULTI: packet dropped due to output saturation (multi_add_mbuf)"); } } /* * Add a packet to a client instance output queue. */ static inline void multi_unicast(struct multi_context *m, const struct buffer *buf, struct multi_instance *mi) { struct mbuf_buffer *mb; if (BLEN(buf) > 0) { mb = mbuf_alloc_buf(buf); mb->flags = MF_UNICAST; multi_add_mbuf(m, mi, mb); mbuf_free_buf(mb); } } /* * Broadcast a packet to all clients. */ static void multi_bcast(struct multi_context *m, const struct buffer *buf, const struct multi_instance *sender_instance, const struct mroute_addr *sender_addr) { struct hash_iterator hi; struct hash_element *he; struct multi_instance *mi; struct mbuf_buffer *mb; if (BLEN(buf) > 0) { perf_push(PERF_MULTI_BCAST); #ifdef MULTI_DEBUG_EVENT_LOOP printf("BCAST len=%d\n", BLEN(buf)); #endif mb = mbuf_alloc_buf(buf); hash_iterator_init(m->iter, &hi); while ((he = hash_iterator_next(&hi))) { mi = (struct multi_instance *) he->value; if (mi != sender_instance && !mi->halt) { #ifdef ENABLE_PF if (sender_instance) { if (!pf_c2c_test(&sender_instance->context, &mi->context, "bcast_c2c")) { msg(D_PF_DROPPED_BCAST, "PF: client[%s] -> client[%s] packet dropped by BCAST packet filter", mi_prefix(sender_instance), mi_prefix(mi)); continue; } } if (sender_addr) { if (!pf_addr_test(&mi->context, sender_addr, "bcast_src_addr")) { struct gc_arena gc = gc_new(); msg(D_PF_DROPPED_BCAST, "PF: addr[%s] -> client[%s] packet dropped by BCAST packet filter", mroute_addr_print_ex(sender_addr, MAPF_SHOW_ARP, &gc), mi_prefix(mi)); gc_free(&gc); continue; } } #endif /* ifdef ENABLE_PF */ multi_add_mbuf(m, mi, mb); } } hash_iterator_free(&hi); mbuf_free_buf(mb); perf_pop(); } } /* * Given a time delta, indicating that we wish to be * awoken by the scheduler at time now + delta, figure * a sigma parameter (in microseconds) that represents * a sort of fuzz factor around delta, so that we're * really telling the scheduler to wake us up any time * between now + delta - sigma and now + delta + sigma. * * The sigma parameter helps the scheduler to run more efficiently. * Sigma should be no larger than TV_WITHIN_SIGMA_MAX_USEC */ static inline unsigned int compute_wakeup_sigma(const struct timeval *delta) { if (delta->tv_sec < 1) { /* if < 1 sec, fuzz = # of microseconds / 8 */ return delta->tv_usec >> 3; } else { /* if < 10 minutes, fuzz = 13.1% of timeout */ if (delta->tv_sec < 600) { return delta->tv_sec << 17; } else { return 120000000; /* if >= 10 minutes, fuzz = 2 minutes */ } } } static void multi_schedule_context_wakeup(struct multi_context *m, struct multi_instance *mi) { /* calculate an absolute wakeup time */ ASSERT(!openvpn_gettimeofday(&mi->wakeup, NULL)); tv_add(&mi->wakeup, &mi->context.c2.timeval); /* tell scheduler to wake us up at some point in the future */ schedule_add_entry(m->schedule, (struct schedule_entry *) mi, &mi->wakeup, compute_wakeup_sigma(&mi->context.c2.timeval)); } /* * Figure instance-specific timers, convert * earliest to absolute time in mi->wakeup, * call scheduler with our future wakeup time. * * Also close context on signal. */ bool multi_process_post(struct multi_context *m, struct multi_instance *mi, const unsigned int flags) { bool ret = true; if (!IS_SIG(&mi->context) && ((flags & MPP_PRE_SELECT) || ((flags & MPP_CONDITIONAL_PRE_SELECT) && !ANY_OUT(&mi->context)))) { #if defined(ENABLE_ASYNC_PUSH) && defined(ENABLE_DEF_AUTH) bool was_authenticated = false; struct key_state *ks = NULL; if (mi->context.c2.tls_multi) { ks = &mi->context.c2.tls_multi->session[TM_ACTIVE].key[KS_PRIMARY]; was_authenticated = ks->authenticated; } #endif /* figure timeouts and fetch possible outgoing * to_link packets (such as ping or TLS control) */ pre_select(&mi->context); #if defined(ENABLE_ASYNC_PUSH) && defined(ENABLE_DEF_AUTH) if (ks && ks->auth_control_file && ks->auth_deferred && !was_authenticated) { /* watch acf file */ long watch_descriptor = inotify_add_watch(m->top.c2.inotify_fd, ks->auth_control_file, IN_CLOSE_WRITE | IN_ONESHOT); if (watch_descriptor >= 0) { if (mi->inotify_watch != -1) { hash_remove(m->inotify_watchers, (void *) (unsigned long)mi->inotify_watch); } hash_add(m->inotify_watchers, (const uintptr_t *)watch_descriptor, mi, true); mi->inotify_watch = watch_descriptor; } else { msg(M_NONFATAL | M_ERRNO, "MULTI: inotify_add_watch error"); } } #endif if (!IS_SIG(&mi->context)) { /* connection is "established" when SSL/TLS key negotiation succeeds * and (if specified) auth user/pass succeeds */ if (!mi->connection_established_flag && CONNECTION_ESTABLISHED(&mi->context)) { multi_connection_established(m, mi); } /* tell scheduler to wake us up at some point in the future */ multi_schedule_context_wakeup(m, mi); } } if (IS_SIG(&mi->context)) { if (flags & MPP_CLOSE_ON_SIGNAL) { multi_close_instance_on_signal(m, mi); ret = false; } } else { /* continue to pend on output? */ multi_set_pending(m, ANY_OUT(&mi->context) ? mi : NULL); #ifdef MULTI_DEBUG_EVENT_LOOP printf("POST %s[%d] to=%d lo=%d/%d w=%d/%d\n", id(mi), (int) (mi == m->pending), mi ? mi->context.c2.to_tun.len : -1, mi ? mi->context.c2.to_link.len : -1, (mi && mi->context.c2.fragment) ? mi->context.c2.fragment->outgoing.len : -1, (int)mi->context.c2.timeval.tv_sec, (int)mi->context.c2.timeval.tv_usec); #endif } if ((flags & MPP_RECORD_TOUCH) && m->mpp_touched) { *m->mpp_touched = mi; } return ret; } void multi_process_float(struct multi_context *m, struct multi_instance *mi) { struct mroute_addr real; struct hash *hash = m->hash; struct gc_arena gc = gc_new(); if (!mroute_extract_openvpn_sockaddr(&real, &m->top.c2.from.dest, true)) { goto done; } const uint32_t hv = hash_value(hash, &real); struct hash_bucket *bucket = hash_bucket(hash, hv); /* make sure that we don't float to an address taken by another client */ struct hash_element *he = hash_lookup_fast(hash, bucket, &real, hv); if (he) { struct multi_instance *ex_mi = (struct multi_instance *) he->value; struct tls_multi *m1 = mi->context.c2.tls_multi; struct tls_multi *m2 = ex_mi->context.c2.tls_multi; /* do not float if target address is taken by client with another cert */ if (!cert_hash_compare(m1->locked_cert_hash_set, m2->locked_cert_hash_set)) { msg(D_MULTI_LOW, "Disallow float to an address taken by another client %s", multi_instance_string(ex_mi, false, &gc)); mi->context.c2.buf.len = 0; goto done; } msg(D_MULTI_MEDIUM, "closing instance %s", multi_instance_string(ex_mi, false, &gc)); multi_close_instance(m, ex_mi, false); } msg(D_MULTI_MEDIUM, "peer %" PRIu32 " (%s) floated from %s to %s", mi->context.c2.tls_multi->peer_id, tls_common_name(mi->context.c2.tls_multi, false), mroute_addr_print(&mi->real, &gc), print_link_socket_actual(&m->top.c2.from, &gc)); /* remove old address from hash table before changing address */ ASSERT(hash_remove(m->hash, &mi->real)); ASSERT(hash_remove(m->iter, &mi->real)); /* change external network address of the remote peer */ mi->real = real; generate_prefix(mi); mi->context.c2.from = m->top.c2.from; mi->context.c2.to_link_addr = &mi->context.c2.from; /* inherit parent link_socket and link_socket_info */ mi->context.c2.link_socket = m->top.c2.link_socket; mi->context.c2.link_socket_info->lsa->actual = m->top.c2.from; tls_update_remote_addr(mi->context.c2.tls_multi, &mi->context.c2.from); ASSERT(hash_add(m->hash, &mi->real, mi, false)); ASSERT(hash_add(m->iter, &mi->real, mi, false)); #ifdef MANAGEMENT_DEF_AUTH ASSERT(hash_add(m->cid_hash, &mi->context.c2.mda_context.cid, mi, true)); #endif done: gc_free(&gc); } /* * Process packets in the TCP/UDP socket -> TUN/TAP interface direction, * i.e. client -> server direction. */ bool multi_process_incoming_link(struct multi_context *m, struct multi_instance *instance, const unsigned int mpp_flags) { struct gc_arena gc = gc_new(); struct context *c; struct mroute_addr src, dest; unsigned int mroute_flags; struct multi_instance *mi; bool ret = true; bool floated = false; if (m->pending) { return true; } if (!instance) { #ifdef MULTI_DEBUG_EVENT_LOOP printf("TCP/UDP -> TUN [%d]\n", BLEN(&m->top.c2.buf)); #endif multi_set_pending(m, multi_get_create_instance_udp(m, &floated)); } else { multi_set_pending(m, instance); } if (m->pending) { set_prefix(m->pending); /* get instance context */ c = &m->pending->context; if (!instance) { /* transfer packet pointer from top-level context buffer to instance */ c->c2.buf = m->top.c2.buf; /* transfer from-addr from top-level context buffer to instance */ if (!floated) { c->c2.from = m->top.c2.from; } } if (BLEN(&c->c2.buf) > 0) { struct link_socket_info *lsi; const uint8_t *orig_buf; /* decrypt in instance context */ perf_push(PERF_PROC_IN_LINK); lsi = get_link_socket_info(c); orig_buf = c->c2.buf.data; if (process_incoming_link_part1(c, lsi, floated)) { if (floated) { multi_process_float(m, m->pending); } process_incoming_link_part2(c, lsi, orig_buf); } perf_pop(); if (TUNNEL_TYPE(m->top.c1.tuntap) == DEV_TYPE_TUN) { /* extract packet source and dest addresses */ mroute_flags = mroute_extract_addr_from_packet(&src, &dest, NULL, NULL, &c->c2.to_tun, DEV_TYPE_TUN); /* drop packet if extract failed */ if (!(mroute_flags & MROUTE_EXTRACT_SUCCEEDED)) { c->c2.to_tun.len = 0; } /* make sure that source address is associated with this client */ else if (multi_get_instance_by_virtual_addr(m, &src, true) != m->pending) { /* IPv6 link-local address (fe80::xxx)? */ if ( (src.type & MR_ADDR_MASK) == MR_ADDR_IPV6 && IN6_IS_ADDR_LINKLOCAL(&src.v6.addr) ) { /* do nothing, for now. TODO: add address learning */ } else { msg(D_MULTI_DROPPED, "MULTI: bad source address from client [%s], packet dropped", mroute_addr_print(&src, &gc)); } c->c2.to_tun.len = 0; } /* client-to-client communication enabled? */ else if (m->enable_c2c) { /* multicast? */ if (mroute_flags & MROUTE_EXTRACT_MCAST) { /* for now, treat multicast as broadcast */ multi_bcast(m, &c->c2.to_tun, m->pending, NULL); } else /* possible client to client routing */ { ASSERT(!(mroute_flags & MROUTE_EXTRACT_BCAST)); mi = multi_get_instance_by_virtual_addr(m, &dest, true); /* if dest addr is a known client, route to it */ if (mi) { #ifdef ENABLE_PF if (!pf_c2c_test(c, &mi->context, "tun_c2c")) { msg(D_PF_DROPPED, "PF: client -> client[%s] packet dropped by TUN packet filter", mi_prefix(mi)); } else #endif { multi_unicast(m, &c->c2.to_tun, mi); register_activity(c, BLEN(&c->c2.to_tun)); } c->c2.to_tun.len = 0; } } } #ifdef ENABLE_PF if (c->c2.to_tun.len && !pf_addr_test(c, &dest, "tun_dest_addr")) { msg(D_PF_DROPPED, "PF: client -> addr[%s] packet dropped by TUN packet filter", mroute_addr_print_ex(&dest, MAPF_SHOW_ARP, &gc)); c->c2.to_tun.len = 0; } #endif } else if (TUNNEL_TYPE(m->top.c1.tuntap) == DEV_TYPE_TAP) { #ifdef ENABLE_PF struct mroute_addr edest; mroute_addr_reset(&edest); #endif /* extract packet source and dest addresses */ mroute_flags = mroute_extract_addr_from_packet(&src, &dest, NULL, #ifdef ENABLE_PF &edest, #else NULL, #endif &c->c2.to_tun, DEV_TYPE_TAP); if (mroute_flags & MROUTE_EXTRACT_SUCCEEDED) { if (multi_learn_addr(m, m->pending, &src, 0) == m->pending) { /* check for broadcast */ if (m->enable_c2c) { if (mroute_flags & (MROUTE_EXTRACT_BCAST|MROUTE_EXTRACT_MCAST)) { multi_bcast(m, &c->c2.to_tun, m->pending, NULL); } else /* try client-to-client routing */ { mi = multi_get_instance_by_virtual_addr(m, &dest, false); /* if dest addr is a known client, route to it */ if (mi) { #ifdef ENABLE_PF if (!pf_c2c_test(c, &mi->context, "tap_c2c")) { msg(D_PF_DROPPED, "PF: client -> client[%s] packet dropped by TAP packet filter", mi_prefix(mi)); } else #endif { multi_unicast(m, &c->c2.to_tun, mi); register_activity(c, BLEN(&c->c2.to_tun)); } c->c2.to_tun.len = 0; } } } #ifdef ENABLE_PF if (c->c2.to_tun.len && !pf_addr_test(c, &edest, "tap_dest_addr")) { msg(D_PF_DROPPED, "PF: client -> addr[%s] packet dropped by TAP packet filter", mroute_addr_print_ex(&edest, MAPF_SHOW_ARP, &gc)); c->c2.to_tun.len = 0; } #endif } else { msg(D_MULTI_DROPPED, "MULTI: bad source address from client [%s], packet dropped", mroute_addr_print(&src, &gc)); c->c2.to_tun.len = 0; } } else { c->c2.to_tun.len = 0; } } } /* postprocess and set wakeup */ ret = multi_process_post(m, m->pending, mpp_flags); clear_prefix(); } gc_free(&gc); return ret; } /* * Process packets in the TUN/TAP interface -> TCP/UDP socket direction, * i.e. server -> client direction. */ bool multi_process_incoming_tun(struct multi_context *m, const unsigned int mpp_flags) { struct gc_arena gc = gc_new(); bool ret = true; if (BLEN(&m->top.c2.buf) > 0) { unsigned int mroute_flags; struct mroute_addr src, dest; const int dev_type = TUNNEL_TYPE(m->top.c1.tuntap); #ifdef ENABLE_PF struct mroute_addr esrc, *e1, *e2; if (dev_type == DEV_TYPE_TUN) { e1 = NULL; e2 = &src; } else { e1 = e2 = &esrc; mroute_addr_reset(&esrc); } #endif #ifdef MULTI_DEBUG_EVENT_LOOP printf("TUN -> TCP/UDP [%d]\n", BLEN(&m->top.c2.buf)); #endif if (m->pending) { return true; } /* * Route an incoming tun/tap packet to * the appropriate multi_instance object. */ mroute_flags = mroute_extract_addr_from_packet(&src, &dest, #ifdef ENABLE_PF e1, #else NULL, #endif NULL, &m->top.c2.buf, dev_type); if (mroute_flags & MROUTE_EXTRACT_SUCCEEDED) { struct context *c; /* broadcast or multicast dest addr? */ if (mroute_flags & (MROUTE_EXTRACT_BCAST|MROUTE_EXTRACT_MCAST)) { /* for now, treat multicast as broadcast */ #ifdef ENABLE_PF multi_bcast(m, &m->top.c2.buf, NULL, e2); #else multi_bcast(m, &m->top.c2.buf, NULL, NULL); #endif } else { multi_set_pending(m, multi_get_instance_by_virtual_addr(m, &dest, dev_type == DEV_TYPE_TUN)); if (m->pending) { /* get instance context */ c = &m->pending->context; set_prefix(m->pending); #ifdef ENABLE_PF if (!pf_addr_test(c, e2, "tun_tap_src_addr")) { msg(D_PF_DROPPED, "PF: addr[%s] -> client packet dropped by packet filter", mroute_addr_print_ex(&src, MAPF_SHOW_ARP, &gc)); buf_reset_len(&c->c2.buf); } else #endif { if (multi_output_queue_ready(m, m->pending)) { /* transfer packet pointer from top-level context buffer to instance */ c->c2.buf = m->top.c2.buf; } else { /* drop packet */ msg(D_MULTI_DROPPED, "MULTI: packet dropped due to output saturation (multi_process_incoming_tun)"); buf_reset_len(&c->c2.buf); } } /* encrypt in instance context */ process_incoming_tun(c); /* postprocess and set wakeup */ ret = multi_process_post(m, m->pending, mpp_flags); clear_prefix(); } } } } gc_free(&gc); return ret; } /* * Process a possible client-to-client/bcast/mcast message in the * queue. */ struct multi_instance * multi_get_queue(struct mbuf_set *ms) { struct mbuf_item item; if (mbuf_extract_item(ms, &item)) /* cleartext IP packet */ { unsigned int pip_flags = PIPV4_PASSTOS; set_prefix(item.instance); item.instance->context.c2.buf = item.buffer->buf; if (item.buffer->flags & MF_UNICAST) /* --mssfix doesn't make sense for broadcast or multicast */ { pip_flags |= PIP_MSSFIX; } process_ip_header(&item.instance->context, pip_flags, &item.instance->context.c2.buf); encrypt_sign(&item.instance->context, true); mbuf_free_buf(item.buffer); dmsg(D_MULTI_DEBUG, "MULTI: C2C/MCAST/BCAST"); clear_prefix(); return item.instance; } else { return NULL; } } /* * Called when an I/O wait times out. Usually means that a particular * client instance object needs timer-based service. */ bool multi_process_timeout(struct multi_context *m, const unsigned int mpp_flags) { bool ret = true; #ifdef MULTI_DEBUG_EVENT_LOOP printf("%s -> TIMEOUT\n", id(m->earliest_wakeup)); #endif /* instance marked for wakeup? */ if (m->earliest_wakeup) { if (m->earliest_wakeup == (struct multi_instance *)&m->deferred_shutdown_signal) { schedule_remove_entry(m->schedule, (struct schedule_entry *) &m->deferred_shutdown_signal); throw_signal(m->deferred_shutdown_signal.signal_received); } else { set_prefix(m->earliest_wakeup); ret = multi_process_post(m, m->earliest_wakeup, mpp_flags); clear_prefix(); } m->earliest_wakeup = NULL; } return ret; } /* * Drop a TUN/TAP outgoing packet.. */ void multi_process_drop_outgoing_tun(struct multi_context *m, const unsigned int mpp_flags) { struct multi_instance *mi = m->pending; ASSERT(mi); set_prefix(mi); msg(D_MULTI_ERRORS, "MULTI: Outgoing TUN queue full, dropped packet len=%d", mi->context.c2.to_tun.len); buf_reset(&mi->context.c2.to_tun); multi_process_post(m, mi, mpp_flags); clear_prefix(); } /* * Per-client route quota management */ void route_quota_exceeded(const struct multi_context *m, const struct multi_instance *mi) { struct gc_arena gc = gc_new(); msg(D_ROUTE_QUOTA, "MULTI ROUTE: route quota (%d) exceeded for %s (see --max-routes-per-client option)", mi->context.options.max_routes_per_client, multi_instance_string(mi, false, &gc)); gc_free(&gc); } #ifdef ENABLE_DEBUG /* * Flood clients with random packets */ static void gremlin_flood_clients(struct multi_context *m) { const int level = GREMLIN_PACKET_FLOOD_LEVEL(m->top.options.gremlin); if (level) { struct gc_arena gc = gc_new(); struct buffer buf = alloc_buf_gc(BUF_SIZE(&m->top.c2.frame), &gc); struct packet_flood_parms parm = get_packet_flood_parms(level); int i; ASSERT(buf_init(&buf, FRAME_HEADROOM(&m->top.c2.frame))); parm.packet_size = min_int(parm.packet_size, MAX_RW_SIZE_TUN(&m->top.c2.frame)); msg(D_GREMLIN, "GREMLIN_FLOOD_CLIENTS: flooding clients with %d packets of size %d", parm.n_packets, parm.packet_size); for (i = 0; i < parm.packet_size; ++i) { ASSERT(buf_write_u8(&buf, get_random() & 0xFF)); } for (i = 0; i < parm.n_packets; ++i) { multi_bcast(m, &buf, NULL, NULL); } gc_free(&gc); } } #endif /* ifdef ENABLE_DEBUG */ static bool stale_route_check_trigger(struct multi_context *m) { struct timeval null; CLEAR(null); return event_timeout_trigger(&m->stale_routes_check_et, &null, ETT_DEFAULT); } /* * Process timers in the top-level context */ void multi_process_per_second_timers_dowork(struct multi_context *m) { /* possibly reap instances/routes in vhash */ multi_reap_process(m); /* possibly print to status log */ if (m->top.c1.status_output) { if (status_trigger(m->top.c1.status_output)) { multi_print_status(m, m->top.c1.status_output, m->status_file_version); } } /* possibly flush ifconfig-pool file */ multi_ifconfig_pool_persist(m, false); #ifdef ENABLE_DEBUG gremlin_flood_clients(m); #endif /* Should we check for stale routes? */ if (m->top.options.stale_routes_check_interval && stale_route_check_trigger(m)) { check_stale_routes(m); } } void multi_top_init(struct multi_context *m, const struct context *top) { inherit_context_top(&m->top, top); m->top.c2.buffers = init_context_buffers(&top->c2.frame); } void multi_top_free(struct multi_context *m) { close_context(&m->top, -1, CC_GC_FREE); free_context_buffers(m->top.c2.buffers); } static bool is_exit_restart(int sig) { return (sig == SIGUSR1 || sig == SIGTERM || sig == SIGHUP || sig == SIGINT); } static void multi_push_restart_schedule_exit(struct multi_context *m, bool next_server) { struct hash_iterator hi; struct hash_element *he; struct timeval tv; /* tell all clients to restart */ hash_iterator_init(m->iter, &hi); while ((he = hash_iterator_next(&hi))) { struct multi_instance *mi = (struct multi_instance *) he->value; if (!mi->halt) { send_control_channel_string(&mi->context, next_server ? "RESTART,[N]" : "RESTART", D_PUSH); multi_schedule_context_wakeup(m, mi); } } hash_iterator_free(&hi); /* reschedule signal */ ASSERT(!openvpn_gettimeofday(&m->deferred_shutdown_signal.wakeup, NULL)); tv.tv_sec = 2; tv.tv_usec = 0; tv_add(&m->deferred_shutdown_signal.wakeup, &tv); m->deferred_shutdown_signal.signal_received = m->top.sig->signal_received; schedule_add_entry(m->schedule, (struct schedule_entry *) &m->deferred_shutdown_signal, &m->deferred_shutdown_signal.wakeup, compute_wakeup_sigma(&m->deferred_shutdown_signal.wakeup)); m->top.sig->signal_received = 0; } /* * Return true if event loop should break, * false if it should continue. */ bool multi_process_signal(struct multi_context *m) { if (m->top.sig->signal_received == SIGUSR2) { struct status_output *so = status_open(NULL, 0, M_INFO, NULL, 0); multi_print_status(m, so, m->status_file_version); status_close(so); m->top.sig->signal_received = 0; return false; } else if (proto_is_dgram(m->top.options.ce.proto) && is_exit_restart(m->top.sig->signal_received) && (m->deferred_shutdown_signal.signal_received == 0) && m->top.options.ce.explicit_exit_notification != 0) { multi_push_restart_schedule_exit(m, m->top.options.ce.explicit_exit_notification == 2); return false; } return true; } /* * Called when an instance should be closed due to the * reception of a soft signal. */ void multi_close_instance_on_signal(struct multi_context *m, struct multi_instance *mi) { remap_signal(&mi->context); set_prefix(mi); print_signal(mi->context.sig, "client-instance", D_MULTI_LOW); clear_prefix(); multi_close_instance(m, mi, false); } static void multi_signal_instance(struct multi_context *m, struct multi_instance *mi, const int sig) { mi->context.sig->signal_received = sig; multi_close_instance_on_signal(m, mi); } /* * Management subsystem callbacks */ #ifdef ENABLE_MANAGEMENT static void management_callback_status(void *arg, const int version, struct status_output *so) { struct multi_context *m = (struct multi_context *) arg; if (!version) { multi_print_status(m, so, m->status_file_version); } else { multi_print_status(m, so, version); } } static int management_callback_n_clients(void *arg) { struct multi_context *m = (struct multi_context *) arg; return m->n_clients; } static int management_callback_kill_by_cn(void *arg, const char *del_cn) { struct multi_context *m = (struct multi_context *) arg; struct hash_iterator hi; struct hash_element *he; int count = 0; hash_iterator_init(m->iter, &hi); while ((he = hash_iterator_next(&hi))) { struct multi_instance *mi = (struct multi_instance *) he->value; if (!mi->halt) { const char *cn = tls_common_name(mi->context.c2.tls_multi, false); if (cn && !strcmp(cn, del_cn)) { multi_signal_instance(m, mi, SIGTERM); ++count; } } } hash_iterator_free(&hi); return count; } static int management_callback_kill_by_addr(void *arg, const in_addr_t addr, const int port) { struct multi_context *m = (struct multi_context *) arg; struct hash_iterator hi; struct hash_element *he; struct openvpn_sockaddr saddr; struct mroute_addr maddr; int count = 0; CLEAR(saddr); saddr.addr.in4.sin_family = AF_INET; saddr.addr.in4.sin_addr.s_addr = htonl(addr); saddr.addr.in4.sin_port = htons(port); if (mroute_extract_openvpn_sockaddr(&maddr, &saddr, true)) { hash_iterator_init(m->iter, &hi); while ((he = hash_iterator_next(&hi))) { struct multi_instance *mi = (struct multi_instance *) he->value; if (!mi->halt && mroute_addr_equal(&maddr, &mi->real)) { multi_signal_instance(m, mi, SIGTERM); ++count; } } hash_iterator_free(&hi); } return count; } static void management_delete_event(void *arg, event_t event) { struct multi_context *m = (struct multi_context *) arg; if (m->mtcp) { multi_tcp_delete_event(m->mtcp, event); } } #endif /* ifdef ENABLE_MANAGEMENT */ #ifdef MANAGEMENT_DEF_AUTH static struct multi_instance * lookup_by_cid(struct multi_context *m, const unsigned long cid) { if (m) { struct multi_instance *mi = (struct multi_instance *) hash_lookup(m->cid_hash, &cid); if (mi && !mi->halt) { return mi; } } return NULL; } static bool management_kill_by_cid(void *arg, const unsigned long cid, const char *kill_msg) { struct multi_context *m = (struct multi_context *) arg; struct multi_instance *mi = lookup_by_cid(m, cid); if (mi) { send_restart(&mi->context, kill_msg); /* was: multi_signal_instance (m, mi, SIGTERM); */ multi_schedule_context_wakeup(m, mi); return true; } else { return false; } } static bool management_client_auth(void *arg, const unsigned long cid, const unsigned int mda_key_id, const bool auth, const char *reason, const char *client_reason, struct buffer_list *cc_config) /* ownership transferred */ { struct multi_context *m = (struct multi_context *) arg; struct multi_instance *mi = lookup_by_cid(m, cid); bool cc_config_owned = true; bool ret = false; if (mi) { ret = tls_authenticate_key(mi->context.c2.tls_multi, mda_key_id, auth, client_reason); if (ret) { if (auth) { if (!mi->connection_established_flag) { set_cc_config(mi, cc_config); cc_config_owned = false; } } else { if (reason) { msg(D_MULTI_LOW, "MULTI: connection rejected: %s, CLI:%s", reason, np(client_reason)); } if (mi->connection_established_flag) { send_auth_failed(&mi->context, client_reason); /* mid-session reauth failed */ multi_schedule_context_wakeup(m, mi); } } } } if (cc_config_owned && cc_config) { buffer_list_free(cc_config); } return ret; } static char * management_get_peer_info(void *arg, const unsigned long cid) { struct multi_context *m = (struct multi_context *) arg; struct multi_instance *mi = lookup_by_cid(m, cid); char *ret = NULL; if (mi) { ret = tls_get_peer_info(mi->context.c2.tls_multi); } return ret; } #endif /* ifdef MANAGEMENT_DEF_AUTH */ #ifdef MANAGEMENT_PF static bool management_client_pf(void *arg, const unsigned long cid, struct buffer_list *pf_config) /* ownership transferred */ { struct multi_context *m = (struct multi_context *) arg; struct multi_instance *mi = lookup_by_cid(m, cid); bool ret = false; if (mi && pf_config) { ret = pf_load_from_buffer_list(&mi->context, pf_config); } if (pf_config) { buffer_list_free(pf_config); } return ret; } #endif /* ifdef MANAGEMENT_PF */ void init_management_callback_multi(struct multi_context *m) { #ifdef ENABLE_MANAGEMENT if (management) { struct management_callback cb; CLEAR(cb); cb.arg = m; cb.flags = MCF_SERVER; cb.status = management_callback_status; cb.show_net = management_show_net_callback; cb.kill_by_cn = management_callback_kill_by_cn; cb.kill_by_addr = management_callback_kill_by_addr; cb.delete_event = management_delete_event; cb.n_clients = management_callback_n_clients; #ifdef MANAGEMENT_DEF_AUTH cb.kill_by_cid = management_kill_by_cid; cb.client_auth = management_client_auth; cb.get_peer_info = management_get_peer_info; #endif #ifdef MANAGEMENT_PF cb.client_pf = management_client_pf; #endif management_set_callback(management, &cb); } #endif /* ifdef ENABLE_MANAGEMENT */ } void uninit_management_callback_multi(struct multi_context *m) { uninit_management_callback(); } /* * Top level event loop. */ void tunnel_server(struct context *top) { ASSERT(top->options.mode == MODE_SERVER); if (proto_is_dgram(top->options.ce.proto)) { tunnel_server_udp(top); } else { tunnel_server_tcp(top); } } #else /* if P2MP_SERVER */ static void dummy(void) { } #endif /* P2MP_SERVER */ openvpn-2.4.4/src/openvpn/multi.h000066400000000000000000000460121316434344000167720ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ /** * @file Header file for server-mode related structures and functions. */ #ifndef MULTI_H #define MULTI_H #if P2MP_SERVER #include "init.h" #include "forward.h" #include "mroute.h" #include "mbuf.h" #include "list.h" #include "schedule.h" #include "pool.h" #include "mudp.h" #include "mtcp.h" #include "perf.h" #define MULTI_PREFIX_MAX_LENGTH 256 /* * Walk (don't run) through the routing table, * deleting old entries, and possibly multi_instance * structs as well which have been marked for deletion. */ struct multi_reap { int bucket_base; int buckets_per_pass; time_t last_call; }; struct deferred_signal_schedule_entry { struct schedule_entry se; int signal_received; struct timeval wakeup; }; /** * Server-mode state structure for one single VPN tunnel. * * This structure is used by OpenVPN processes running in server-mode to * store state information related to one single VPN tunnel. * * The @ref tunnel_state "Structure of VPN tunnel state storage" related * page describes the role the structure plays when OpenVPN is running in * server-mode. */ struct multi_instance { struct schedule_entry se; /* this must be the first element of the structure */ struct gc_arena gc; bool defined; bool halt; int refcount; int route_count; /* number of routes (including cached routes) owned by this instance */ time_t created; /**< Time at which a VPN tunnel instance * was created. This parameter is set * by the \c multi_create_instance() * function. */ struct timeval wakeup; /* absolute time */ struct mroute_addr real; /**< External network address of the * remote peer. */ ifconfig_pool_handle vaddr_handle; char msg_prefix[MULTI_PREFIX_MAX_LENGTH]; /* queued outgoing data in Server/TCP mode */ unsigned int tcp_rwflags; struct mbuf_set *tcp_link_out_deferred; bool socket_set_called; in_addr_t reporting_addr; /* IP address shown in status listing */ struct in6_addr reporting_addr_ipv6; /* IPv6 address in status listing */ bool did_open_context; bool did_real_hash; bool did_iter; #ifdef MANAGEMENT_DEF_AUTH bool did_cid_hash; struct buffer_list *cc_config; #endif bool connection_established_flag; bool did_iroutes; int n_clients_delta; /* added to multi_context.n_clients when instance is closed */ struct context context; /**< The context structure storing state * for this VPN tunnel. */ #ifdef ENABLE_ASYNC_PUSH int inotify_watch; /* watch descriptor for acf */ #endif }; /** * Main OpenVPN server state structure. * * This structure is used by OpenVPN processes running in server-mode to * store all the VPN tunnel and process-wide state. * * The @ref tunnel_state "Structure of VPN tunnel state storage" related * page describes the role the structure plays when OpenVPN is running in * server-mode. */ struct multi_context { #define MC_UNDEF 0 #define MC_SINGLE_THREADED (1<<0) #define MC_MULTI_THREADED_MASTER (1<<1) #define MC_MULTI_THREADED_WORKER (1<<2) #define MC_MULTI_THREADED_SCHEDULER (1<<3) #define MC_WORK_THREAD (MC_MULTI_THREADED_WORKER|MC_MULTI_THREADED_SCHEDULER) int thread_mode; struct multi_instance **instances; /**< Array of multi_instances. An instance can be * accessed using peer-id as an index. */ struct hash *hash; /**< VPN tunnel instances indexed by real * address of the remote peer. */ struct hash *vhash; /**< VPN tunnel instances indexed by * virtual address of remote hosts. */ struct hash *iter; /**< VPN tunnel instances indexed by real * address of the remote peer, optimized * for iteration. */ struct schedule *schedule; struct mbuf_set *mbuf; /**< Set of buffers for passing data * channel packets between VPN tunnel * instances. */ struct multi_tcp *mtcp; /**< State specific to OpenVPN using TCP * as external transport. */ struct ifconfig_pool *ifconfig_pool; struct frequency_limit *new_connection_limiter; struct mroute_helper *route_helper; struct multi_reap *reaper; struct mroute_addr local; bool enable_c2c; int max_clients; int tcp_queue_limit; int status_file_version; int n_clients; /* current number of authenticated clients */ #ifdef MANAGEMENT_DEF_AUTH struct hash *cid_hash; unsigned long cid_counter; #endif struct multi_instance *pending; struct multi_instance *earliest_wakeup; struct multi_instance **mpp_touched; struct context_buffers *context_buffers; time_t per_second_trigger; struct context top; /**< Storage structure for process-wide * configuration. */ /* * Timer object for stale route check */ struct event_timeout stale_routes_check_et; #ifdef ENABLE_ASYNC_PUSH /* mapping between inotify watch descriptors and multi_instances */ struct hash *inotify_watchers; #endif struct deferred_signal_schedule_entry deferred_shutdown_signal; }; /* * Host route */ struct multi_route { struct mroute_addr addr; struct multi_instance *instance; #define MULTI_ROUTE_CACHE (1<<0) #define MULTI_ROUTE_AGEABLE (1<<1) unsigned int flags; unsigned int cache_generation; time_t last_reference; }; /**************************************************************************/ /** * Main event loop for OpenVPN in server mode. * @ingroup eventloop * * This function calls the appropriate main event loop function depending * on the transport protocol used: * - \c tunnel_server_udp() * - \c tunnel_server_tcp() * * @param top - Top-level context structure. */ void tunnel_server(struct context *top); const char *multi_instance_string(const struct multi_instance *mi, bool null, struct gc_arena *gc); /* * Called by mtcp.c, mudp.c, or other (to be written) protocol drivers */ void multi_init(struct multi_context *m, struct context *t, bool tcp_mode, int thread_mode); void multi_uninit(struct multi_context *m); void multi_top_init(struct multi_context *m, const struct context *top); void multi_top_free(struct multi_context *m); struct multi_instance *multi_create_instance(struct multi_context *m, const struct mroute_addr *real); void multi_close_instance(struct multi_context *m, struct multi_instance *mi, bool shutdown); bool multi_process_timeout(struct multi_context *m, const unsigned int mpp_flags); /** * Handles peer floating. * * If peer is floated to a taken address, either drops packet * (if peer that owns address has different CN) or disconnects * existing peer. Updates multi_instance with new address, * updates hashtables in multi_context. */ void multi_process_float(struct multi_context *m, struct multi_instance *mi); #define MPP_PRE_SELECT (1<<0) #define MPP_CONDITIONAL_PRE_SELECT (1<<1) #define MPP_CLOSE_ON_SIGNAL (1<<2) #define MPP_RECORD_TOUCH (1<<3) /**************************************************************************/ /** * Perform postprocessing of a VPN tunnel instance. * * After some VPN tunnel activity has taken place, the VPN tunnel's state * may need updating and some follow-up action may be required. This * function controls the necessary postprocessing. It is called by many * other functions that handle VPN tunnel related activity, such as \c * multi_process_incoming_link(), \c multi_process_outgoing_link(), \c * multi_process_incoming_tun(), \c multi_process_outgoing_tun(), and \c * multi_process_timeout(), among others. * * @param m - The single \c multi_context structure. * @param mi - The \c multi_instance of the VPN tunnel to be * postprocessed. * @param flags - Fast I/O optimization flags. * * @return * - True, if the VPN tunnel instance \a mi was not closed due to a * signal during processing. * - False, if the VPN tunnel instance \a mi was closed. */ bool multi_process_post(struct multi_context *m, struct multi_instance *mi, const unsigned int flags); /**************************************************************************/ /** * Demultiplex and process a packet received over the external network * interface. * @ingroup external_multiplexer * * This function determines which VPN tunnel instance the incoming packet * is associated with, and then calls \c process_incoming_link() to handle * it. Afterwards, if the packet is destined for a broadcast/multicast * address or a remote host reachable through a different VPN tunnel, this * function takes care of sending it they are. * * @note This function is only used by OpenVPN processes which are running * in server mode, and can therefore sustain multiple active VPN * tunnels. * * @param m - The single \c multi_context structure. * @param instance - The VPN tunnel state structure associated with * the incoming packet, if known, as is the case * when using TCP transport. Otherwise NULL, as is * the case when using UDP transport. * @param mpp_flags - Fast I/O optimization flags. */ bool multi_process_incoming_link(struct multi_context *m, struct multi_instance *instance, const unsigned int mpp_flags); /** * Determine the destination VPN tunnel of a packet received over the * virtual tun/tap network interface and then process it accordingly. * @ingroup internal_multiplexer * * This function determines which VPN tunnel instance the packet is * destined for, and then calls \c process_outgoing_tun() to handle it. * * @note This function is only used by OpenVPN processes which are running * in server mode, and can therefore sustain multiple active VPN * tunnels. * * @param m - The single \c multi_context structure. * @param mpp_flags - Fast I/O optimization flags. */ bool multi_process_incoming_tun(struct multi_context *m, const unsigned int mpp_flags); void multi_process_drop_outgoing_tun(struct multi_context *m, const unsigned int mpp_flags); void multi_print_status(struct multi_context *m, struct status_output *so, const int version); struct multi_instance *multi_get_queue(struct mbuf_set *ms); void multi_add_mbuf(struct multi_context *m, struct multi_instance *mi, struct mbuf_buffer *mb); void multi_ifconfig_pool_persist(struct multi_context *m, bool force); bool multi_process_signal(struct multi_context *m); void multi_close_instance_on_signal(struct multi_context *m, struct multi_instance *mi); void init_management_callback_multi(struct multi_context *m); void uninit_management_callback_multi(struct multi_context *m); #ifdef ENABLE_ASYNC_PUSH /** * Called when inotify event is fired, which happens when acf file is closed or deleted. * Continues authentication and sends push_repl * * @param m multi_context * @param mpp_flags */ void multi_process_file_closed(struct multi_context *m, const unsigned int mpp_flags); #endif /* * Return true if our output queue is not full */ static inline bool multi_output_queue_ready(const struct multi_context *m, const struct multi_instance *mi) { if (mi->tcp_link_out_deferred) { return mbuf_len(mi->tcp_link_out_deferred) <= m->tcp_queue_limit; } else { return true; } } /* * Determine which instance has pending output * and prepare the output for sending in * the to_link buffer. */ static inline struct multi_instance * multi_process_outgoing_link_pre(struct multi_context *m) { struct multi_instance *mi = NULL; if (m->pending) { mi = m->pending; } else if (mbuf_defined(m->mbuf)) { mi = multi_get_queue(m->mbuf); } return mi; } /* * Per-client route quota management */ void route_quota_exceeded(const struct multi_context *m, const struct multi_instance *mi); static inline void route_quota_inc(struct multi_instance *mi) { ++mi->route_count; } static inline void route_quota_dec(struct multi_instance *mi) { --mi->route_count; } /* can we add a new route? */ static inline bool route_quota_test(const struct multi_context *m, const struct multi_instance *mi) { if (mi->route_count >= mi->context.options.max_routes_per_client) { route_quota_exceeded(m, mi); return false; } else { return true; } } /* * Instance reference counting */ static inline void multi_instance_inc_refcount(struct multi_instance *mi) { ++mi->refcount; } static inline void multi_instance_dec_refcount(struct multi_instance *mi) { if (--mi->refcount <= 0) { gc_free(&mi->gc); free(mi); } } static inline void multi_route_del(struct multi_route *route) { struct multi_instance *mi = route->instance; route_quota_dec(mi); multi_instance_dec_refcount(mi); free(route); } static inline bool multi_route_defined(const struct multi_context *m, const struct multi_route *r) { if (r->instance->halt) { return false; } else if ((r->flags & MULTI_ROUTE_CACHE) && r->cache_generation != m->route_helper->cache_generation) { return false; } else if ((r->flags & MULTI_ROUTE_AGEABLE) && r->last_reference + m->route_helper->ageable_ttl_secs < now) { return false; } else { return true; } } /* * Takes prefix away from multi_instance. */ void ungenerate_prefix(struct multi_instance *mi); /* * Set a msg() function prefix with our current client instance ID. */ static inline void set_prefix(struct multi_instance *mi) { #ifdef MULTI_DEBUG_EVENT_LOOP if (mi->msg_prefix[0]) { printf("[%s]\n", mi->msg_prefix); } #endif msg_set_prefix(mi->msg_prefix[0] ? mi->msg_prefix : NULL); } static inline void clear_prefix(void) { #ifdef MULTI_DEBUG_EVENT_LOOP printf("[NULL]\n"); #endif msg_set_prefix(NULL); } /* * Instance Reaper * * Reaper constants. The reaper is the process where the virtual address * and virtual route hash table is scanned for dead entries which are * then removed. The hash table could potentially be quite large, so we * don't want to reap in a single pass. */ #define REAP_MAX_WAKEUP 10 /* Do reap pass at least once per n seconds */ #define REAP_DIVISOR 256 /* How many passes to cover whole hash table */ #define REAP_MIN 16 /* Minimum number of buckets per pass */ #define REAP_MAX 1024 /* Maximum number of buckets per pass */ /* * Mark a cached host route for deletion after this * many seconds without any references. */ #define MULTI_CACHE_ROUTE_TTL 60 static inline void multi_reap_process(const struct multi_context *m) { void multi_reap_process_dowork(const struct multi_context *m); if (m->reaper->last_call != now) { multi_reap_process_dowork(m); } } static inline void multi_process_per_second_timers(struct multi_context *m) { if (m->per_second_trigger != now) { void multi_process_per_second_timers_dowork(struct multi_context *m); multi_process_per_second_timers_dowork(m); m->per_second_trigger = now; } } /* * Compute earliest timeout expiry from the set of * all instances. Output: * * m->earliest_wakeup : instance needing the earliest service. * dest : earliest timeout as a delta in relation * to current time. */ static inline void multi_get_timeout(struct multi_context *m, struct timeval *dest) { struct timeval tv, current; CLEAR(tv); m->earliest_wakeup = (struct multi_instance *) schedule_get_earliest_wakeup(m->schedule, &tv); if (m->earliest_wakeup) { ASSERT(!openvpn_gettimeofday(¤t, NULL)); tv_delta(dest, ¤t, &tv); if (dest->tv_sec >= REAP_MAX_WAKEUP) { m->earliest_wakeup = NULL; dest->tv_sec = REAP_MAX_WAKEUP; dest->tv_usec = 0; } } else { dest->tv_sec = REAP_MAX_WAKEUP; dest->tv_usec = 0; } } /** * Send a packet over the virtual tun/tap network interface to its locally * reachable destination. * @ingroup internal_multiplexer * * This function calls \c process_outgoing_tun() to perform the actual * sending of the packet. Afterwards, it calls \c multi_process_post() to * perform server-mode postprocessing. * * @param m - The single \c multi_context structure. * @param mpp_flags - Fast I/O optimization flags. * * @return * - True, if the \c multi_instance associated with the packet sent was * not closed due to a signal during processing. * - Falls, if the \c multi_instance was closed. */ static inline bool multi_process_outgoing_tun(struct multi_context *m, const unsigned int mpp_flags) { struct multi_instance *mi = m->pending; bool ret = true; ASSERT(mi); #ifdef MULTI_DEBUG_EVENT_LOOP printf("%s -> TUN len=%d\n", id(mi), mi->context.c2.to_tun.len); #endif set_prefix(mi); process_outgoing_tun(&mi->context); ret = multi_process_post(m, mi, mpp_flags); clear_prefix(); return ret; } static inline bool multi_process_outgoing_link_dowork(struct multi_context *m, struct multi_instance *mi, const unsigned int mpp_flags) { bool ret = true; set_prefix(mi); process_outgoing_link(&mi->context); ret = multi_process_post(m, mi, mpp_flags); clear_prefix(); return ret; } /* * Check for signals. */ #define MULTI_CHECK_SIG(m) EVENT_LOOP_CHECK_SIGNAL(&(m)->top, multi_process_signal, (m)) static inline void multi_set_pending(struct multi_context *m, struct multi_instance *mi) { m->pending = mi; } #endif /* P2MP_SERVER */ #endif /* MULTI_H */ openvpn-2.4.4/src/openvpn/ntlm.c000066400000000000000000000312661316434344000166120ustar00rootroot00000000000000/* * ntlm proxy support for OpenVPN * * Copyright (C) 2004 William Preston * * *NTLMv2 support and domain name parsing by Miroslav Zajic, Nextsoft s.r.o.* * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) #include "config-msvc.h" #endif #include "syshead.h" #if NTLM #include "common.h" #include "buffer.h" #include "misc.h" #include "socket.h" #include "fdmisc.h" #include "proxy.h" #include "ntlm.h" #include "base64.h" #include "crypto.h" #include "memdbg.h" /* 64bit datatype macros */ #ifdef _MSC_VER /* MS compilers */ #define UINTEGER64 __int64 #define UINT64(c) c ## Ui64 #else /* Non MS compilers */ #define UINTEGER64 unsigned long long #define UINT64(c) c ## LL #endif static void create_des_keys(const unsigned char *hash, unsigned char *key) { key[0] = hash[0]; key[1] = ((hash[0] & 1) << 7) | (hash[1] >> 1); key[2] = ((hash[1] & 3) << 6) | (hash[2] >> 2); key[3] = ((hash[2] & 7) << 5) | (hash[3] >> 3); key[4] = ((hash[3] & 15) << 4) | (hash[4] >> 4); key[5] = ((hash[4] & 31) << 3) | (hash[5] >> 5); key[6] = ((hash[5] & 63) << 2) | (hash[6] >> 6); key[7] = ((hash[6] & 127) << 1); key_des_fixup(key, 8, 1); } static void gen_md4_hash(const uint8_t *data, int data_len, uint8_t *result) { /* result is 16 byte md4 hash */ const md_kt_t *md4_kt = md_kt_get("MD4"); uint8_t md[MD4_DIGEST_LENGTH]; md_full(md4_kt, data, data_len, md); memcpy(result, md, MD4_DIGEST_LENGTH); } static void gen_hmac_md5(const uint8_t *data, int data_len, const uint8_t *key, int key_len, uint8_t *result) { const md_kt_t *md5_kt = md_kt_get("MD5"); hmac_ctx_t *hmac_ctx = hmac_ctx_new(); hmac_ctx_init(hmac_ctx, key, key_len, md5_kt); hmac_ctx_update(hmac_ctx, data, data_len); hmac_ctx_final(hmac_ctx, result); hmac_ctx_cleanup(hmac_ctx); hmac_ctx_free(hmac_ctx); } static void gen_timestamp(uint8_t *timestamp) { /* Copies 8 bytes long timestamp into "timestamp" buffer. * Timestamp is Little-endian, 64-bit signed value representing the * number of tenths of a microsecond since January 1, 1601. */ UINTEGER64 timestamp_ull; timestamp_ull = openvpn_time(NULL); timestamp_ull = (timestamp_ull + UINT64(11644473600)) * UINT64(10000000); /* store little endian value */ timestamp[0] = timestamp_ull & UINT64(0xFF); timestamp[1] = (timestamp_ull >> 8) & UINT64(0xFF); timestamp[2] = (timestamp_ull >> 16) & UINT64(0xFF); timestamp[3] = (timestamp_ull >> 24) & UINT64(0xFF); timestamp[4] = (timestamp_ull >> 32) & UINT64(0xFF); timestamp[5] = (timestamp_ull >> 40) & UINT64(0xFF); timestamp[6] = (timestamp_ull >> 48) & UINT64(0xFF); timestamp[7] = (timestamp_ull >> 56) & UINT64(0xFF); } static void gen_nonce(unsigned char *nonce) { /* Generates 8 random bytes to be used as client nonce */ int i; for (i = 0; i<8; i++) { nonce[i] = (unsigned char)get_random(); } } static void my_strupr(char *str) { /* converts string to uppercase in place */ while (*str) { *str = toupper(*str); str++; } } static int unicodize(char *dst, const char *src) { /* not really unicode... */ int i = 0; do { dst[i++] = *src; dst[i++] = 0; } while (*src++); return i; } static void add_security_buffer(int sb_offset, void *data, int length, unsigned char *msg_buf, int *msg_bufpos) { /* Adds security buffer data to a message and sets security buffer's * offset and length */ msg_buf[sb_offset] = (unsigned char)length; msg_buf[sb_offset + 2] = msg_buf[sb_offset]; msg_buf[sb_offset + 4] = (unsigned char)(*msg_bufpos & 0xff); msg_buf[sb_offset + 5] = (unsigned char)((*msg_bufpos >> 8) & 0xff); memcpy(&msg_buf[*msg_bufpos], data, msg_buf[sb_offset]); *msg_bufpos += length; } const char * ntlm_phase_1(const struct http_proxy_info *p, struct gc_arena *gc) { struct buffer out = alloc_buf_gc(96, gc); /* try a minimal NTLM handshake * * http://davenport.sourceforge.net/ntlm.html * * This message contains only the NTLMSSP signature, * the NTLM message type, * and the minimal set of flags (Negotiate NTLM and Negotiate OEM). * */ buf_printf(&out, "%s", "TlRMTVNTUAABAAAAAgIAAA=="); return (BSTR(&out)); } const char * ntlm_phase_3(const struct http_proxy_info *p, const char *phase_2, struct gc_arena *gc) { /* NTLM handshake * * http://davenport.sourceforge.net/ntlm.html * */ char pwbuf[sizeof(p->up.password) * 2]; /* for unicode password */ uint8_t buf2[128]; /* decoded reply from proxy */ uint8_t phase3[464]; uint8_t md4_hash[MD4_DIGEST_LENGTH + 5]; uint8_t challenge[8], ntlm_response[24]; int i, ret_val; uint8_t ntlmv2_response[144]; char userdomain_u[256]; /* for uppercase unicode username and domain */ char userdomain[128]; /* the same as previous but ascii */ uint8_t ntlmv2_hash[MD5_DIGEST_LENGTH]; uint8_t ntlmv2_hmacmd5[16]; uint8_t *ntlmv2_blob = ntlmv2_response + 16; /* inside ntlmv2_response, length: 128 */ int ntlmv2_blob_size = 0; int phase3_bufpos = 0x40; /* offset to next security buffer data to be added */ size_t len; char domain[128]; char username[128]; char *separator; bool ntlmv2_enabled = (p->auth_method == HTTP_AUTH_NTLM2); CLEAR(buf2); ASSERT(strlen(p->up.username) > 0); ASSERT(strlen(p->up.password) > 0); /* username parsing */ separator = strchr(p->up.username, '\\'); if (separator == NULL) { strncpy(username, p->up.username, sizeof(username)-1); username[sizeof(username)-1] = 0; domain[0] = 0; } else { strncpy(username, separator+1, sizeof(username)-1); username[sizeof(username)-1] = 0; len = separator - p->up.username; if (len > sizeof(domain) - 1) { len = sizeof(domain) - 1; } strncpy(domain, p->up.username, len); domain[len] = 0; } /* fill 1st 16 bytes with md4 hash, disregard terminating null */ int unicode_len = unicodize(pwbuf, p->up.password) - 2; gen_md4_hash((uint8_t *)pwbuf, unicode_len, md4_hash); /* pad to 21 bytes */ memset(md4_hash + MD4_DIGEST_LENGTH, 0, 5); ret_val = openvpn_base64_decode(phase_2, buf2, -1); if (ret_val < 0) { return NULL; } /* we can be sure that phase_2 is less than 128 * therefore buf2 needs to be (3/4 * 128) */ /* extract the challenge from bytes 24-31 */ for (i = 0; i<8; i++) { challenge[i] = buf2[i+24]; } if (ntlmv2_enabled) /* Generate NTLMv2 response */ { int tib_len; /* NTLMv2 hash */ strcpy(userdomain, username); my_strupr(userdomain); if (strlen(username) + strlen(domain) < sizeof(userdomain)) { strcat(userdomain, domain); } else { msg(M_INFO, "Warning: Username or domain too long"); } unicodize(userdomain_u, userdomain); gen_hmac_md5((uint8_t *)userdomain_u, 2 * strlen(userdomain), md4_hash, MD5_DIGEST_LENGTH, ntlmv2_hash); /* NTLMv2 Blob */ memset(ntlmv2_blob, 0, 128); /* Clear blob buffer */ ntlmv2_blob[0x00] = 1; /* Signature */ ntlmv2_blob[0x01] = 1; /* Signature */ ntlmv2_blob[0x04] = 0; /* Reserved */ gen_timestamp(&ntlmv2_blob[0x08]); /* 64-bit Timestamp */ gen_nonce(&ntlmv2_blob[0x10]); /* 64-bit Client Nonce */ ntlmv2_blob[0x18] = 0; /* Unknown, zero should work */ /* Add target information block to the blob */ /* Check for Target Information block */ /* The NTLM spec instructs to interpret these 4 consecutive bytes as a * 32bit long integer. However, no endianness is specified. * The code here and that found in other NTLM implementations point * towards the assumption that the byte order on the wire has to * match the order on the sending and receiving hosts. Probably NTLM has * been thought to be always running on x86_64/i386 machine thus * implying Little-Endian everywhere. * * This said, in case of future changes, we should keep in mind that the * byte order on the wire for the NTLM header is LE. */ const size_t hoff = 0x14; unsigned long flags = buf2[hoff] | (buf2[hoff + 1] << 8) | (buf2[hoff + 2] << 16) | (buf2[hoff + 3] << 24); if ((flags & 0x00800000) == 0x00800000) { tib_len = buf2[0x28]; /* Get Target Information block size */ if (tib_len > 96) { tib_len = 96; } { uint8_t *tib_ptr; uint8_t tib_pos = buf2[0x2c]; if (tib_pos + tib_len > sizeof(buf2)) { return NULL; } /* Get Target Information block pointer */ tib_ptr = buf2 + tib_pos; /* Copy Target Information block into the blob */ memcpy(&ntlmv2_blob[0x1c], tib_ptr, tib_len); } } else { tib_len = 0; } /* Unknown, zero works */ ntlmv2_blob[0x1c + tib_len] = 0; /* Get blob length */ ntlmv2_blob_size = 0x20 + tib_len; /* Add challenge from message 2 */ memcpy(&ntlmv2_response[8], challenge, 8); /* hmac-md5 */ gen_hmac_md5(&ntlmv2_response[8], ntlmv2_blob_size + 8, ntlmv2_hash, MD5_DIGEST_LENGTH, ntlmv2_hmacmd5); /* Add hmac-md5 result to the blob. * Note: This overwrites challenge previously written at * ntlmv2_response[8..15] */ memcpy(ntlmv2_response, ntlmv2_hmacmd5, MD5_DIGEST_LENGTH); } else /* Generate NTLM response */ { unsigned char key1[DES_KEY_LENGTH], key2[DES_KEY_LENGTH]; unsigned char key3[DES_KEY_LENGTH]; create_des_keys(md4_hash, key1); cipher_des_encrypt_ecb(key1, challenge, ntlm_response); create_des_keys(&md4_hash[DES_KEY_LENGTH - 1], key2); cipher_des_encrypt_ecb(key2, challenge, &ntlm_response[DES_KEY_LENGTH]); create_des_keys(&md4_hash[2 * (DES_KEY_LENGTH - 1)], key3); cipher_des_encrypt_ecb(key3, challenge, &ntlm_response[DES_KEY_LENGTH * 2]); } memset(phase3, 0, sizeof(phase3)); /* clear reply */ strcpy((char *)phase3, "NTLMSSP\0"); /* signature */ phase3[8] = 3; /* type 3 */ if (ntlmv2_enabled) /* NTLMv2 response */ { add_security_buffer(0x14, ntlmv2_response, ntlmv2_blob_size + 16, phase3, &phase3_bufpos); } else /* NTLM response */ { add_security_buffer(0x14, ntlm_response, 24, phase3, &phase3_bufpos); } /* username in ascii */ add_security_buffer(0x24, username, strlen(username), phase3, &phase3_bufpos); /* Set domain. If is empty, default domain will be used * (i.e. proxy's domain) */ add_security_buffer(0x1c, domain, strlen(domain), phase3, &phase3_bufpos); /* other security buffers will be empty */ phase3[0x10] = phase3_bufpos; /* lm not used */ phase3[0x30] = phase3_bufpos; /* no workstation name supplied */ phase3[0x38] = phase3_bufpos; /* no session key */ /* flags */ phase3[0x3c] = 0x02; /* negotiate oem */ phase3[0x3d] = 0x02; /* negotiate ntlm */ return ((const char *)make_base64_string2((unsigned char *)phase3, phase3_bufpos, gc)); } #else /* if NTLM */ static void dummy(void) { } #endif /* if NTLM */ openvpn-2.4.4/src/openvpn/ntlm.h000066400000000000000000000003571316434344000166140ustar00rootroot00000000000000#ifndef NTLM_H #define NTLM_H #if NTLM const char *ntlm_phase_1(const struct http_proxy_info *p, struct gc_arena *gc); const char *ntlm_phase_3(const struct http_proxy_info *p, const char *phase_2, struct gc_arena *gc); #endif #endif openvpn-2.4.4/src/openvpn/occ-inline.h000066400000000000000000000050371316434344000176620ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifndef OCC_INLINE_H #define OCC_INLINE_H #ifdef ENABLE_OCC /* * Inline functions */ static inline int occ_reset_op(void) { return -1; } /* * Should we send an OCC_REQUEST message? */ static inline void check_send_occ_req(struct context *c) { void check_send_occ_req_dowork(struct context *c); if (event_timeout_defined(&c->c2.occ_interval) && event_timeout_trigger(&c->c2.occ_interval, &c->c2.timeval, (!TO_LINK_DEF(c) && c->c2.occ_op < 0) ? ETT_DEFAULT : 0)) { check_send_occ_req_dowork(c); } } /* * Should we send an MTU load test? */ static inline void check_send_occ_load_test(struct context *c) { void check_send_occ_load_test_dowork(struct context *c); if (event_timeout_defined(&c->c2.occ_mtu_load_test_interval) && event_timeout_trigger(&c->c2.occ_mtu_load_test_interval, &c->c2.timeval, (!TO_LINK_DEF(c) && c->c2.occ_op < 0) ? ETT_DEFAULT : 0)) { check_send_occ_load_test_dowork(c); } } /* * Should we send an OCC message? */ static inline void check_send_occ_msg(struct context *c) { void check_send_occ_msg_dowork(struct context *c); if (c->c2.occ_op >= 0) { if (!TO_LINK_DEF(c)) { check_send_occ_msg_dowork(c); } else { tv_clear(&c->c2.timeval); /* ZERO-TIMEOUT */ } } } #endif /* ifdef ENABLE_OCC */ #endif /* ifndef OCC_INLINE_H */ openvpn-2.4.4/src/openvpn/occ.c000066400000000000000000000315431316434344000164020ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) #include "config-msvc.h" #endif #include "syshead.h" #ifdef ENABLE_OCC #include "occ.h" #include "memdbg.h" #include "forward-inline.h" #include "occ-inline.h" /* * This random string identifies an OpenVPN * Configuration Control packet. * It should be of sufficient length and randomness * so as not to collide with other tunnel data. * * The OCC protocol is as follows: * * occ_magic -- (16 octets) * * type [OCC_REQUEST | OCC_REPLY] (1 octet) * null terminated options string if OCC_REPLY (variable) * * When encryption is used, the OCC packet * is encapsulated within the encrypted * envelope. * * OCC_STRING_SIZE must be set to sizeof (occ_magic) */ const uint8_t occ_magic[] = { 0x28, 0x7f, 0x34, 0x6b, 0xd4, 0xef, 0x7a, 0x81, 0x2d, 0x56, 0xb8, 0xd3, 0xaf, 0xc5, 0x45, 0x9c }; static const struct mtu_load_test mtu_load_test_sequence[] = { {OCC_MTU_LOAD_REQUEST, -1000}, {OCC_MTU_LOAD, -1000}, {OCC_MTU_LOAD_REQUEST, -1000}, {OCC_MTU_LOAD, -1000}, {OCC_MTU_LOAD_REQUEST, -1000}, {OCC_MTU_LOAD, -1000}, {OCC_MTU_LOAD_REQUEST, -750}, {OCC_MTU_LOAD, -750}, {OCC_MTU_LOAD_REQUEST, -750}, {OCC_MTU_LOAD, -750}, {OCC_MTU_LOAD_REQUEST, -750}, {OCC_MTU_LOAD, -750}, {OCC_MTU_LOAD_REQUEST, -500}, {OCC_MTU_LOAD, -500}, {OCC_MTU_LOAD_REQUEST, -500}, {OCC_MTU_LOAD, -500}, {OCC_MTU_LOAD_REQUEST, -500}, {OCC_MTU_LOAD, -500}, {OCC_MTU_LOAD_REQUEST, -400}, {OCC_MTU_LOAD, -400}, {OCC_MTU_LOAD_REQUEST, -400}, {OCC_MTU_LOAD, -400}, {OCC_MTU_LOAD_REQUEST, -400}, {OCC_MTU_LOAD, -400}, {OCC_MTU_LOAD_REQUEST, -300}, {OCC_MTU_LOAD, -300}, {OCC_MTU_LOAD_REQUEST, -300}, {OCC_MTU_LOAD, -300}, {OCC_MTU_LOAD_REQUEST, -300}, {OCC_MTU_LOAD, -300}, {OCC_MTU_LOAD_REQUEST, -200}, {OCC_MTU_LOAD, -200}, {OCC_MTU_LOAD_REQUEST, -200}, {OCC_MTU_LOAD, -200}, {OCC_MTU_LOAD_REQUEST, -200}, {OCC_MTU_LOAD, -200}, {OCC_MTU_LOAD_REQUEST, -150}, {OCC_MTU_LOAD, -150}, {OCC_MTU_LOAD_REQUEST, -150}, {OCC_MTU_LOAD, -150}, {OCC_MTU_LOAD_REQUEST, -150}, {OCC_MTU_LOAD, -150}, {OCC_MTU_LOAD_REQUEST, -100}, {OCC_MTU_LOAD, -100}, {OCC_MTU_LOAD_REQUEST, -100}, {OCC_MTU_LOAD, -100}, {OCC_MTU_LOAD_REQUEST, -100}, {OCC_MTU_LOAD, -100}, {OCC_MTU_LOAD_REQUEST, -50}, {OCC_MTU_LOAD, -50}, {OCC_MTU_LOAD_REQUEST, -50}, {OCC_MTU_LOAD, -50}, {OCC_MTU_LOAD_REQUEST, -50}, {OCC_MTU_LOAD, -50}, {OCC_MTU_LOAD_REQUEST, 0}, {OCC_MTU_LOAD, 0}, {OCC_MTU_LOAD_REQUEST, 0}, {OCC_MTU_LOAD, 0}, {OCC_MTU_LOAD_REQUEST, 0}, {OCC_MTU_LOAD, 0}, {OCC_MTU_REQUEST, 0}, {OCC_MTU_REQUEST, 0}, {OCC_MTU_REQUEST, 0}, {OCC_MTU_REQUEST, 0}, {OCC_MTU_REQUEST, 0}, {OCC_MTU_REQUEST, 0}, {OCC_MTU_REQUEST, 0}, {OCC_MTU_REQUEST, 0}, {OCC_MTU_REQUEST, 0}, {OCC_MTU_REQUEST, 0}, {-1, 0} }; void check_send_occ_req_dowork(struct context *c) { if (++c->c2.occ_n_tries >= OCC_N_TRIES) { if (c->options.ce.remote) { /* * No OCC_REPLY from peer after repeated attempts. * Give up. */ msg(D_SHOW_OCC, "NOTE: failed to obtain options consistency info from peer -- " "this could occur if the remote peer is running a version of " PACKAGE_NAME " before 1.5-beta8 or if there is a network connectivity problem, and will not necessarily prevent " PACKAGE_NAME " from running (" counter_format " bytes received from peer, " counter_format " bytes authenticated data channel traffic) -- you can disable the options consistency " "check with --disable-occ.", c->c2.link_read_bytes, c->c2.link_read_bytes_auth); } event_timeout_clear(&c->c2.occ_interval); } else { c->c2.occ_op = OCC_REQUEST; /* * If we don't hear back from peer, send another * OCC_REQUEST in OCC_INTERVAL_SECONDS. */ event_timeout_reset(&c->c2.occ_interval); } } void check_send_occ_load_test_dowork(struct context *c) { if (CONNECTION_ESTABLISHED(c)) { const struct mtu_load_test *entry; if (!c->c2.occ_mtu_load_n_tries) { msg(M_INFO, "NOTE: Beginning empirical MTU test -- results should be available in 3 to 4 minutes."); } entry = &mtu_load_test_sequence[c->c2.occ_mtu_load_n_tries++]; if (entry->op >= 0) { c->c2.occ_op = entry->op; c->c2.occ_mtu_load_size = EXPANDED_SIZE(&c->c2.frame) + entry->delta; } else { msg(M_INFO, "NOTE: failed to empirically measure MTU (requires " PACKAGE_NAME " 1.5 or higher at other end of connection)."); event_timeout_clear(&c->c2.occ_mtu_load_test_interval); c->c2.occ_mtu_load_n_tries = 0; } } } void check_send_occ_msg_dowork(struct context *c) { bool doit = false; c->c2.buf = c->c2.buffers->aux_buf; ASSERT(buf_init(&c->c2.buf, FRAME_HEADROOM(&c->c2.frame))); ASSERT(buf_safe(&c->c2.buf, MAX_RW_SIZE_TUN(&c->c2.frame))); ASSERT(buf_write(&c->c2.buf, occ_magic, OCC_STRING_SIZE)); switch (c->c2.occ_op) { case OCC_REQUEST: if (!buf_write_u8(&c->c2.buf, OCC_REQUEST)) { break; } dmsg(D_PACKET_CONTENT, "SENT OCC_REQUEST"); doit = true; break; case OCC_REPLY: if (!c->c2.options_string_local) { break; } if (!buf_write_u8(&c->c2.buf, OCC_REPLY)) { break; } if (!buf_write(&c->c2.buf, c->c2.options_string_local, strlen(c->c2.options_string_local) + 1)) { break; } dmsg(D_PACKET_CONTENT, "SENT OCC_REPLY"); doit = true; break; case OCC_MTU_REQUEST: if (!buf_write_u8(&c->c2.buf, OCC_MTU_REQUEST)) { break; } dmsg(D_PACKET_CONTENT, "SENT OCC_MTU_REQUEST"); doit = true; break; case OCC_MTU_REPLY: if (!buf_write_u8(&c->c2.buf, OCC_MTU_REPLY)) { break; } if (!buf_write_u16(&c->c2.buf, c->c2.max_recv_size_local)) { break; } if (!buf_write_u16(&c->c2.buf, c->c2.max_send_size_local)) { break; } dmsg(D_PACKET_CONTENT, "SENT OCC_MTU_REPLY"); doit = true; break; case OCC_MTU_LOAD_REQUEST: if (!buf_write_u8(&c->c2.buf, OCC_MTU_LOAD_REQUEST)) { break; } if (!buf_write_u16(&c->c2.buf, c->c2.occ_mtu_load_size)) { break; } dmsg(D_PACKET_CONTENT, "SENT OCC_MTU_LOAD_REQUEST"); doit = true; break; case OCC_MTU_LOAD: { int need_to_add; if (!buf_write_u8(&c->c2.buf, OCC_MTU_LOAD)) { break; } need_to_add = min_int(c->c2.occ_mtu_load_size, EXPANDED_SIZE(&c->c2.frame)) - OCC_STRING_SIZE - sizeof(uint8_t) - EXTRA_FRAME(&c->c2.frame); while (need_to_add > 0) { /* * Fill the load test packet with pseudo-random bytes. */ if (!buf_write_u8(&c->c2.buf, get_random() & 0xFF)) { break; } --need_to_add; } dmsg(D_PACKET_CONTENT, "SENT OCC_MTU_LOAD min_int(%d-%d-%d-%d,%d) size=%d", c->c2.occ_mtu_load_size, OCC_STRING_SIZE, (int) sizeof(uint8_t), EXTRA_FRAME(&c->c2.frame), MAX_RW_SIZE_TUN(&c->c2.frame), BLEN(&c->c2.buf)); doit = true; } break; case OCC_EXIT: if (!buf_write_u8(&c->c2.buf, OCC_EXIT)) { break; } dmsg(D_PACKET_CONTENT, "SENT OCC_EXIT"); doit = true; break; } if (doit) { /* * We will treat the packet like any other outgoing packet, * compress, encrypt, sign, etc. */ encrypt_sign(c, true); } c->c2.occ_op = -1; } void process_received_occ_msg(struct context *c) { ASSERT(buf_advance(&c->c2.buf, OCC_STRING_SIZE)); switch (buf_read_u8(&c->c2.buf)) { case OCC_REQUEST: dmsg(D_PACKET_CONTENT, "RECEIVED OCC_REQUEST"); c->c2.occ_op = OCC_REPLY; break; case OCC_MTU_REQUEST: dmsg(D_PACKET_CONTENT, "RECEIVED OCC_MTU_REQUEST"); c->c2.occ_op = OCC_MTU_REPLY; break; case OCC_MTU_LOAD_REQUEST: dmsg(D_PACKET_CONTENT, "RECEIVED OCC_MTU_LOAD_REQUEST"); c->c2.occ_mtu_load_size = buf_read_u16(&c->c2.buf); if (c->c2.occ_mtu_load_size >= 0) { c->c2.occ_op = OCC_MTU_LOAD; } break; case OCC_REPLY: dmsg(D_PACKET_CONTENT, "RECEIVED OCC_REPLY"); if (c->options.occ && !TLS_MODE(c) && c->c2.options_string_remote) { if (!options_cmp_equal_safe((char *) BPTR(&c->c2.buf), c->c2.options_string_remote, c->c2.buf.len)) { options_warning_safe((char *) BPTR(&c->c2.buf), c->c2.options_string_remote, c->c2.buf.len); } } event_timeout_clear(&c->c2.occ_interval); break; case OCC_MTU_REPLY: dmsg(D_PACKET_CONTENT, "RECEIVED OCC_MTU_REPLY"); c->c2.max_recv_size_remote = buf_read_u16(&c->c2.buf); c->c2.max_send_size_remote = buf_read_u16(&c->c2.buf); if (c->options.mtu_test && c->c2.max_recv_size_remote > 0 && c->c2.max_send_size_remote > 0) { msg(M_INFO, "NOTE: Empirical MTU test completed [Tried,Actual] local->remote=[%d,%d] remote->local=[%d,%d]", c->c2.max_send_size_local, c->c2.max_recv_size_remote, c->c2.max_send_size_remote, c->c2.max_recv_size_local); if (!c->options.ce.fragment && (proto_is_dgram(c->options.ce.proto)) && c->c2.max_send_size_local > TUN_MTU_MIN && (c->c2.max_recv_size_remote < c->c2.max_send_size_local || c->c2.max_recv_size_local < c->c2.max_send_size_remote)) { msg(M_INFO, "NOTE: This connection is unable to accommodate a UDP packet size of %d. Consider using --fragment or --mssfix options as a workaround.", c->c2.max_send_size_local); } } event_timeout_clear(&c->c2.occ_mtu_load_test_interval); break; case OCC_EXIT: dmsg(D_PACKET_CONTENT, "RECEIVED OCC_EXIT"); c->sig->signal_received = SIGTERM; c->sig->signal_text = "remote-exit"; break; } c->c2.buf.len = 0; /* don't pass packet on */ } #else /* ifdef ENABLE_OCC */ static void dummy(void) { } #endif /* ifdef ENABLE_OCC */ openvpn-2.4.4/src/openvpn/occ.h000066400000000000000000000056431316434344000164110ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifndef OCC_H #define OCC_H #ifdef ENABLE_OCC #include "forward.h" /* OCC_STRING_SIZE must be set to sizeof (occ_magic) */ #define OCC_STRING_SIZE 16 /* * OCC (OpenVPN Configuration Control) protocol opcodes. */ #define OCC_REQUEST 0 /* request options string from peer */ #define OCC_REPLY 1 /* deliver options string to peer */ /* * Send an OCC_REQUEST once every OCC_INTERVAL * seconds until a reply is received. * * If we haven't received a reply after * OCC_N_TRIES, give up. */ #define OCC_INTERVAL_SECONDS 10 #define OCC_N_TRIES 12 /* * Other OCC protocol opcodes used to estimate the MTU empirically. */ #define OCC_MTU_LOAD_REQUEST 2 /* Ask peer to send a big packet to us */ #define OCC_MTU_LOAD 3 /* Send a big packet to peer */ #define OCC_MTU_REQUEST 4 /* Ask peer to tell us the largest * packet it has received from us so far */ #define OCC_MTU_REPLY 5 /* Send largest packet size to peer */ /* * Process one command from mtu_load_test_sequence * once every n seconds, if --mtu-test is specified. */ #define OCC_MTU_LOAD_INTERVAL_SECONDS 3 /* * Send an exit message to remote. */ #define OCC_EXIT 6 /* * Used to conduct a load test command sequence * of UDP connection for empirical MTU measurement. */ struct mtu_load_test { int op; /* OCC opcode to send to peer */ int delta; /* determine packet size to send by using * this delta against currently * configured MTU */ }; extern const uint8_t occ_magic[]; static inline bool is_occ_msg(const struct buffer *buf) { return buf_string_match_head(buf, occ_magic, OCC_STRING_SIZE); } void process_received_occ_msg(struct context *c); #endif /* ifdef ENABLE_OCC */ #endif /* ifndef OCC_H */ openvpn-2.4.4/src/openvpn/openssl_compat.h000066400000000000000000000360351316434344000206720ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * Copyright (C) 2010-2017 Fox Crypto B.V. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ /** * @file OpenSSL compatibility stub * * This file provide compatibility stubs for the OpenSSL libraries * prior to version 1.1. This version introduces many changes in the * library interface, including the fact that various objects and * structures are not fully opaque. */ #ifndef OPENSSL_COMPAT_H_ #define OPENSSL_COMPAT_H_ #ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) #include "config-msvc.h" #endif #include "buffer.h" #include #include #if !defined(HAVE_EVP_MD_CTX_RESET) /** * Reset a message digest context * * @param ctx The message digest context * @return 1 on success, 0 on error */ static inline int EVP_MD_CTX_reset(EVP_MD_CTX *ctx) { EVP_MD_CTX_cleanup(ctx); return 1; } #endif #if !defined(HAVE_EVP_MD_CTX_FREE) /** * Free an existing message digest context * * @param ctx The message digest context */ static inline void EVP_MD_CTX_free(EVP_MD_CTX *ctx) { free(ctx); } #endif #if !defined(HAVE_EVP_MD_CTX_NEW) /** * Allocate a new message digest object * * @return A zero'ed message digest object */ static inline EVP_MD_CTX * EVP_MD_CTX_new(void) { EVP_MD_CTX *ctx = NULL; ALLOC_OBJ_CLEAR(ctx, EVP_MD_CTX); return ctx; } #endif #if !defined(HAVE_HMAC_CTX_RESET) /** * Reset a HMAC context * * OpenSSL 1.1+ removes APIs HMAC_CTX_init() and HMAC_CTX_cleanup() * and replace them with a single call that does a cleanup followed * by an init. A proper _reset() for OpenSSL < 1.1 should perform * a similar set of operations. * * It means that before we kill a HMAC context, we'll have to cleanup * again, as we probably have allocated a few resources when we forced * an init. * * @param ctx The HMAC context * @return 1 on success, 0 on error */ static inline int HMAC_CTX_reset(HMAC_CTX *ctx) { HMAC_CTX_cleanup(ctx); HMAC_CTX_init(ctx); return 1; } #endif #if !defined(HAVE_HMAC_CTX_FREE) /** * Cleanup and free an existing HMAC context * * @param ctx The HMAC context */ static inline void HMAC_CTX_free(HMAC_CTX *ctx) { HMAC_CTX_cleanup(ctx); free(ctx); } #endif #if !defined(HAVE_HMAC_CTX_NEW) /** * Allocate a new HMAC context object * * @return A zero'ed HMAC context object */ static inline HMAC_CTX * HMAC_CTX_new(void) { HMAC_CTX *ctx = NULL; ALLOC_OBJ_CLEAR(ctx, HMAC_CTX); return ctx; } #endif #if !defined(HAVE_SSL_CTX_GET_DEFAULT_PASSWD_CB_USERDATA) /** * Fetch the default password callback user data from the SSL context * * @param ctx SSL context * @return The password callback user data */ static inline void * SSL_CTX_get_default_passwd_cb_userdata(SSL_CTX *ctx) { return ctx ? ctx->default_passwd_callback_userdata : NULL; } #endif #if !defined(HAVE_SSL_CTX_GET_DEFAULT_PASSWD_CB) /** * Fetch the default password callback from the SSL context * * @param ctx SSL context * @return The password callback */ static inline pem_password_cb * SSL_CTX_get_default_passwd_cb(SSL_CTX *ctx) { return ctx ? ctx->default_passwd_callback : NULL; } #endif #if !defined(HAVE_X509_GET0_PUBKEY) /** * Get the public key from a X509 certificate * * @param x X509 certificate * @return The certificate public key */ static inline EVP_PKEY * X509_get0_pubkey(const X509 *x) { return (x && x->cert_info && x->cert_info->key) ? x->cert_info->key->pkey : NULL; } #endif #if !defined(HAVE_X509_STORE_GET0_OBJECTS) /** * Fetch the X509 object stack from the X509 store * * @param store X509 object store * @return the X509 object stack */ static inline STACK_OF(X509_OBJECT) * X509_STORE_get0_objects(X509_STORE *store) { return store ? store->objs : NULL; } #endif #if !defined(HAVE_X509_OBJECT_FREE) /** * Destroy a X509 object * * @param obj X509 object */ static inline void X509_OBJECT_free(X509_OBJECT *obj) { if (obj) { X509_OBJECT_free_contents(obj); OPENSSL_free(obj); } } #endif #if !defined(HAVE_X509_OBJECT_GET_TYPE) /** * Get the type of an X509 object * * @param obj X509 object * @return The underlying object type */ static inline int X509_OBJECT_get_type(const X509_OBJECT *obj) { return obj ? obj->type : X509_LU_FAIL; } #endif #if !defined(HAVE_EVP_PKEY_GET0_RSA) /** * Get the RSA object of a public key * * @param pkey Public key object * @return The underlying RSA object */ static inline RSA * EVP_PKEY_get0_RSA(EVP_PKEY *pkey) { return pkey ? pkey->pkey.rsa : NULL; } #endif #if !defined(HAVE_EVP_PKEY_GET0_EC_KEY) && !defined(OPENSSL_NO_EC) /** * Get the EC_KEY object of a public key * * @param pkey Public key object * @return The underlying EC_KEY object */ static inline EC_KEY * EVP_PKEY_get0_EC_KEY(EVP_PKEY *pkey) { return pkey ? pkey->pkey.ec : NULL; } #endif #if !defined(HAVE_EVP_PKEY_ID) /** * Get the PKEY type * * @param pkey Public key object * @return The key type */ static inline int EVP_PKEY_id(const EVP_PKEY *pkey) { return pkey ? pkey->type : EVP_PKEY_NONE; } #endif #if !defined(HAVE_EVP_PKEY_GET0_DSA) /** * Get the DSA object of a public key * * @param pkey Public key object * @return The underlying DSA object */ static inline DSA * EVP_PKEY_get0_DSA(EVP_PKEY *pkey) { return pkey ? pkey->pkey.dsa : NULL; } #endif #if !defined(HAVE_RSA_SET_FLAGS) /** * Set the RSA flags * * @param rsa The RSA object * @param flags New flags value */ static inline void RSA_set_flags(RSA *rsa, int flags) { if (rsa) { rsa->flags = flags; } } #endif #if !defined(HAVE_RSA_GET0_KEY) /** * Get the RSA parameters * * @param rsa The RSA object * @param n The @c n parameter * @param e The @c e parameter * @param d The @c d parameter */ static inline void RSA_get0_key(const RSA *rsa, const BIGNUM **n, const BIGNUM **e, const BIGNUM **d) { if (n != NULL) { *n = rsa ? rsa->n : NULL; } if (e != NULL) { *e = rsa ? rsa->e : NULL; } if (d != NULL) { *d = rsa ? rsa->d : NULL; } } #endif #if !defined(HAVE_RSA_SET0_KEY) /** * Set the RSA parameters * * @param rsa The RSA object * @param n The @c n parameter * @param e The @c e parameter * @param d The @c d parameter * @return 1 on success, 0 on error */ static inline int RSA_set0_key(RSA *rsa, BIGNUM *n, BIGNUM *e, BIGNUM *d) { if ((rsa->n == NULL && n == NULL) || (rsa->e == NULL && e == NULL)) { return 0; } if (n != NULL) { BN_free(rsa->n); rsa->n = n; } if (e != NULL) { BN_free(rsa->e); rsa->e = e; } if (d != NULL) { BN_free(rsa->d); rsa->d = d; } return 1; } #endif #if !defined(HAVE_RSA_BITS) /** * Number of significant RSA bits * * @param rsa The RSA object ; shall not be NULL * @return The number of RSA bits or 0 on error */ static inline int RSA_bits(const RSA *rsa) { const BIGNUM *n = NULL; RSA_get0_key(rsa, &n, NULL, NULL); return n ? BN_num_bits(n) : 0; } #endif #if !defined(HAVE_DSA_GET0_PQG) /** * Get the DSA parameters * * @param dsa The DSA object * @param p The @c p parameter * @param q The @c q parameter * @param g The @c g parameter */ static inline void DSA_get0_pqg(const DSA *dsa, const BIGNUM **p, const BIGNUM **q, const BIGNUM **g) { if (p != NULL) { *p = dsa ? dsa->p : NULL; } if (q != NULL) { *q = dsa ? dsa->q : NULL; } if (g != NULL) { *g = dsa ? dsa->g : NULL; } } #endif #if !defined(HAVE_DSA_BITS) /** * Number of significant DSA bits * * @param rsa The DSA object ; shall not be NULL * @return The number of DSA bits or 0 on error */ static inline int DSA_bits(const DSA *dsa) { const BIGNUM *p = NULL; DSA_get0_pqg(dsa, &p, NULL, NULL); return p ? BN_num_bits(p) : 0; } #endif #if !defined(HAVE_RSA_METH_NEW) /** * Allocate a new RSA method object * * @param name The object name * @param flags Configuration flags * @return A new RSA method object */ static inline RSA_METHOD * RSA_meth_new(const char *name, int flags) { RSA_METHOD *rsa_meth = NULL; ALLOC_OBJ_CLEAR(rsa_meth, RSA_METHOD); rsa_meth->name = string_alloc(name, NULL); rsa_meth->flags = flags; return rsa_meth; } #endif #if !defined(HAVE_RSA_METH_FREE) /** * Free an existing RSA_METHOD object * * @param meth The RSA_METHOD object */ static inline void RSA_meth_free(RSA_METHOD *meth) { if (meth) { /* OpenSSL defines meth->name to be a const pointer, yet we * feed it with an allocated string (from RSA_meth_new()). * Thus we are allowed to free it here. In order to avoid a * "passing 'const char *' to parameter of type 'void *' discards * qualifiers" warning, we force the pointer to be a non-const value. */ free((char *)meth->name); free(meth); } } #endif #if !defined(HAVE_RSA_METH_SET_PUB_ENC) /** * Set the public encoding function of an RSA_METHOD object * * @param meth The RSA_METHOD object * @param pub_enc the public encoding function * @return 1 on success, 0 on error */ static inline int RSA_meth_set_pub_enc(RSA_METHOD *meth, int (*pub_enc) (int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding)) { if (meth) { meth->rsa_pub_enc = pub_enc; return 1; } return 0; } #endif #if !defined(HAVE_RSA_METH_SET_PUB_DEC) /** * Set the public decoding function of an RSA_METHOD object * * @param meth The RSA_METHOD object * @param pub_dec the public decoding function * @return 1 on success, 0 on error */ static inline int RSA_meth_set_pub_dec(RSA_METHOD *meth, int (*pub_dec) (int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding)) { if (meth) { meth->rsa_pub_dec = pub_dec; return 1; } return 0; } #endif #if !defined(HAVE_RSA_METH_SET_PRIV_ENC) /** * Set the private encoding function of an RSA_METHOD object * * @param meth The RSA_METHOD object * @param priv_enc the private encoding function * @return 1 on success, 0 on error */ static inline int RSA_meth_set_priv_enc(RSA_METHOD *meth, int (*priv_enc) (int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding)) { if (meth) { meth->rsa_priv_enc = priv_enc; return 1; } return 0; } #endif #if !defined(HAVE_RSA_METH_SET_PRIV_DEC) /** * Set the private decoding function of an RSA_METHOD object * * @param meth The RSA_METHOD object * @param priv_dec the private decoding function * @return 1 on success, 0 on error */ static inline int RSA_meth_set_priv_dec(RSA_METHOD *meth, int (*priv_dec) (int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding)) { if (meth) { meth->rsa_priv_dec = priv_dec; return 1; } return 0; } #endif #if !defined(HAVE_RSA_METH_SET_INIT) /** * Set the init function of an RSA_METHOD object * * @param meth The RSA_METHOD object * @param init the init function * @return 1 on success, 0 on error */ static inline int RSA_meth_set_init(RSA_METHOD *meth, int (*init) (RSA *rsa)) { if (meth) { meth->init = init; return 1; } return 0; } #endif #if !defined(HAVE_RSA_METH_SET_FINISH) /** * Set the finish function of an RSA_METHOD object * * @param meth The RSA_METHOD object * @param finish the finish function * @return 1 on success, 0 on error */ static inline int RSA_meth_set_finish(RSA_METHOD *meth, int (*finish) (RSA *rsa)) { if (meth) { meth->finish = finish; return 1; } return 0; } #endif #if !defined(HAVE_RSA_METH_SET0_APP_DATA) /** * Set the application data of an RSA_METHOD object * * @param meth The RSA_METHOD object * @param app_data Application data * @return 1 on success, 0 on error */ static inline int RSA_meth_set0_app_data(RSA_METHOD *meth, void *app_data) { if (meth) { meth->app_data = app_data; return 1; } return 0; } #endif #if !defined(HAVE_EC_GROUP_ORDER_BITS) && !defined(OPENSSL_NO_EC) /** * Gets the number of bits of the order of an EC_GROUP * * @param group EC_GROUP object * @return number of bits of group order. */ static inline int EC_GROUP_order_bits(const EC_GROUP *group) { BIGNUM* order = BN_new(); EC_GROUP_get_order(group, order, NULL); int bits = BN_num_bits(order); BN_free(order); return bits; } #endif /* SSLeay symbols have been renamed in OpenSSL 1.1 */ #if !defined(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT) #define RSA_F_RSA_OSSL_PRIVATE_ENCRYPT RSA_F_RSA_EAY_PRIVATE_ENCRYPT #endif #endif /* OPENSSL_COMPAT_H_ */ openvpn-2.4.4/src/openvpn/openvpn.c000066400000000000000000000235651316434344000173300ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) #include "config-msvc.h" #endif #include "syshead.h" #include "init.h" #include "forward.h" #include "multi.h" #include "win32.h" #include "platform.h" #include "memdbg.h" #include "forward-inline.h" #define P2P_CHECK_SIG() EVENT_LOOP_CHECK_SIGNAL(c, process_signal_p2p, c); static bool process_signal_p2p(struct context *c) { remap_signal(c); return process_signal(c); } /* Write our PID to a file */ static void write_pid(const char *filename) { if (filename) { unsigned int pid = 0; FILE *fp = platform_fopen(filename, "w"); if (!fp) { msg(M_ERR, "Open error on pid file %s", filename); } pid = platform_getpid(); fprintf(fp, "%u\n", pid); if (fclose(fp)) { msg(M_ERR, "Close error on pid file %s", filename); } } } /**************************************************************************/ /** * Main event loop for OpenVPN in client mode, where only one VPN tunnel * is active. * @ingroup eventloop * * @param c - The context structure of the single active VPN tunnel. */ static void tunnel_point_to_point(struct context *c) { context_clear_2(c); /* set point-to-point mode */ c->mode = CM_P2P; /* initialize tunnel instance */ init_instance_handle_signals(c, c->es, CC_HARD_USR1_TO_HUP); if (IS_SIG(c)) { return; } /* main event loop */ while (true) { perf_push(PERF_EVENT_LOOP); /* process timers, TLS, etc. */ pre_select(c); P2P_CHECK_SIG(); /* set up and do the I/O wait */ io_wait(c, p2p_iow_flags(c)); P2P_CHECK_SIG(); /* timeout? */ if (c->c2.event_set_status == ES_TIMEOUT) { perf_pop(); continue; } /* process the I/O which triggered select */ process_io(c); P2P_CHECK_SIG(); perf_pop(); } uninit_management_callback(); /* tear down tunnel instance (unless --persist-tun) */ close_instance(c); } #undef PROCESS_SIGNAL_P2P /**************************************************************************/ /** * OpenVPN's main init-run-cleanup loop. * @ingroup eventloop * * This function contains the two outer OpenVPN loops. Its structure is * as follows: * - Once-per-process initialization. * - Outer loop, run at startup and then once per \c SIGHUP: * - Level 1 initialization * - Inner loop, run at startup and then once per \c SIGUSR1: * - Call event loop function depending on client or server mode: * - \c tunnel_point_to_point() * - \c tunnel_server() * - Level 1 cleanup * - Once-per-process cleanup. * * @param argc - Commandline argument count. * @param argv - Commandline argument values. */ static int openvpn_main(int argc, char *argv[]) { struct context c; #if PEDANTIC fprintf(stderr, "Sorry, I was built with --enable-pedantic and I am incapable of doing any real work!\n"); return 1; #endif #ifdef _WIN32 SetConsoleOutputCP(CP_UTF8); #endif CLEAR(c); /* signify first time for components which can * only be initialized once per program instantiation. */ c.first_time = true; /* initialize program-wide statics */ if (init_static()) { /* * This loop is initially executed on startup and then * once per SIGHUP. */ do { /* enter pre-initialization mode with regard to signal handling */ pre_init_signal_catch(); /* zero context struct but leave first_time member alone */ context_clear_all_except_first_time(&c); /* static signal info object */ CLEAR(siginfo_static); c.sig = &siginfo_static; /* initialize garbage collector scoped to context object */ gc_init(&c.gc); /* initialize environmental variable store */ c.es = env_set_create(NULL); #ifdef _WIN32 set_win_sys_path_via_env(c.es); #endif #ifdef ENABLE_MANAGEMENT /* initialize management subsystem */ init_management(&c); #endif /* initialize options to default state */ init_options(&c.options, true); /* parse command line options, and read configuration file */ parse_argv(&c.options, argc, argv, M_USAGE, OPT_P_DEFAULT, NULL, c.es); #ifdef ENABLE_PLUGIN /* plugins may contribute options configuration */ init_verb_mute(&c, IVM_LEVEL_1); init_plugins(&c); open_plugins(&c, true, OPENVPN_PLUGIN_INIT_PRE_CONFIG_PARSE); #endif /* init verbosity and mute levels */ init_verb_mute(&c, IVM_LEVEL_1); /* set dev options */ init_options_dev(&c.options); /* openssl print info? */ if (print_openssl_info(&c.options)) { break; } /* --genkey mode? */ if (do_genkey(&c.options)) { break; } /* tun/tap persist command? */ if (do_persist_tuntap(&c.options)) { break; } /* sanity check on options */ options_postprocess(&c.options); /* show all option settings */ show_settings(&c.options); /* print version number */ msg(M_INFO, "%s", title_string); #ifdef _WIN32 show_windows_version(M_INFO); #endif show_library_versions(M_INFO); /* misc stuff */ pre_setup(&c.options); /* test crypto? */ if (do_test_crypto(&c.options)) { break; } /* Query passwords before becoming a daemon if we don't use the * management interface to get them. */ #ifdef ENABLE_MANAGEMENT if (!(c.options.management_flags & MF_QUERY_PASSWORDS)) #endif init_query_passwords(&c); /* become a daemon if --daemon */ if (c.first_time) { c.did_we_daemonize = possibly_become_daemon(&c.options); write_pid(c.options.writepid); } #ifdef ENABLE_MANAGEMENT /* open management subsystem */ if (!open_management(&c)) { break; } /* query for passwords through management interface, if needed */ if (c.options.management_flags & MF_QUERY_PASSWORDS) { init_query_passwords(&c); } #endif /* set certain options as environmental variables */ setenv_settings(c.es, &c.options); /* finish context init */ context_init_1(&c); do { /* run tunnel depending on mode */ switch (c.options.mode) { case MODE_POINT_TO_POINT: tunnel_point_to_point(&c); break; #if P2MP_SERVER case MODE_SERVER: tunnel_server(&c); break; #endif default: ASSERT(0); } /* indicates first iteration -- has program-wide scope */ c.first_time = false; /* any signals received? */ if (IS_SIG(&c)) { print_signal(c.sig, NULL, M_INFO); } /* pass restart status to management subsystem */ signal_restart_status(c.sig); } while (c.sig->signal_received == SIGUSR1); uninit_options(&c.options); gc_reset(&c.gc); } while (c.sig->signal_received == SIGHUP); } context_gc_free(&c); env_set_destroy(c.es); #ifdef ENABLE_MANAGEMENT /* close management interface */ close_management(); #endif /* uninitialize program-wide statics */ uninit_static(); openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */ return 0; /* NOTREACHED */ } #ifdef _WIN32 int wmain(int argc, wchar_t *wargv[]) { char **argv; int ret; int i; if ((argv = calloc(argc+1, sizeof(char *))) == NULL) { return 1; } for (i = 0; i < argc; i++) { int n = WideCharToMultiByte(CP_UTF8, 0, wargv[i], -1, NULL, 0, NULL, NULL); argv[i] = malloc(n); WideCharToMultiByte(CP_UTF8, 0, wargv[i], -1, argv[i], n, NULL, NULL); } ret = openvpn_main(argc, argv); for (i = 0; i < argc; i++) { free(argv[i]); } free(argv); return ret; } #else /* ifdef _WIN32 */ int main(int argc, char *argv[]) { return openvpn_main(argc, argv); } #endif /* ifdef _WIN32 */ openvpn-2.4.4/src/openvpn/openvpn.h000066400000000000000000000435451316434344000173350ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifndef OPENVPN_H #define OPENVPN_H #include "buffer.h" #include "options.h" #include "socket.h" #include "crypto.h" #include "ssl.h" #include "packet_id.h" #include "comp.h" #include "tun.h" #include "interval.h" #include "status.h" #include "fragment.h" #include "shaper.h" #include "route.h" #include "proxy.h" #include "socks.h" #include "sig.h" #include "misc.h" #include "mbuf.h" #include "pool.h" #include "plugin.h" #include "manage.h" #include "pf.h" /* * Our global key schedules, packaged thusly * to facilitate --persist-key. */ struct key_schedule { #ifdef ENABLE_CRYPTO /* which cipher, HMAC digest, and key sizes are we using? */ struct key_type key_type; /* pre-shared static key, read from a file */ struct key_ctx_bi static_key; /* our global SSL context */ struct tls_root_ctx ssl_ctx; /* optional TLS control channel wrapping */ struct key_type tls_auth_key_type; struct key_ctx_bi tls_wrap_key; #else /* ENABLE_CRYPTO */ int dummy; #endif /* ENABLE_CRYPTO */ }; /* * struct packet_id_persist should be empty if we are not * building with crypto. */ #ifndef PACKET_ID_H struct packet_id_persist { int dummy; }; static inline void packet_id_persist_init(struct packet_id_persist *p) { } #endif /* * Packet processing buffers. */ struct context_buffers { /* miscellaneous buffer, used by ping, occ, etc. */ struct buffer aux_buf; /* workspace buffers used by crypto routines */ #ifdef ENABLE_CRYPTO struct buffer encrypt_buf; struct buffer decrypt_buf; #endif /* workspace buffers for compression */ #ifdef USE_COMP struct buffer compress_buf; struct buffer decompress_buf; #endif /* * Buffers used to read from TUN device * and TCP/UDP port. */ struct buffer read_link_buf; struct buffer read_tun_buf; }; /* * always-persistent context variables */ struct context_persist { int restart_sleep_seconds; }; /**************************************************************************/ /** * Level 0 %context containing information related to the OpenVPN process. * * Level 0 state is initialized once at program startup, and then remains * throughout the lifetime of the OpenVPN process. This structure * contains information related to the process's PID, user, group, and * privileges. */ struct context_0 { /* workspace for --user/--group */ bool uid_gid_specified; /* helper which tells us whether we should keep trying to drop privileges */ bool uid_gid_chroot_set; struct platform_state_user platform_state_user; struct platform_state_group platform_state_group; }; /** * Level 1 %context containing state that persists across \c SIGUSR1 * restarts. * * Level 1 state is reset on \c SIGHUP restarts. This structure is * initialized for every iteration of the \c main() function's outer \c * SIGHUP loop, but persists over iteration of that function's inner \c * SIGUSR1 loop. */ struct context_1 { struct link_socket_addr link_socket_addr; /**< Local and remote addresses on the * external network. */ /* tunnel session keys */ struct key_schedule ks; /* preresolved and cached host names */ struct cached_dns_entry *dns_cache; /* persist crypto sequence number to/from file */ struct packet_id_persist pid_persist; struct tuntap *tuntap; /**< Tun/tap virtual network interface. */ bool tuntap_owned; /**< Whether the tun/tap interface should * be cleaned up when this %context is * cleaned up. */ struct route_list *route_list; /**< List of routing information. See the * \c --route command line option. */ /* list of --route-ipv6 directives */ struct route_ipv6_list *route_ipv6_list; /* --status file */ struct status_output *status_output; bool status_output_owned; /* HTTP proxy object */ struct http_proxy_info *http_proxy; bool http_proxy_owned; /* SOCKS proxy object */ struct socks_proxy_info *socks_proxy; bool socks_proxy_owned; #if P2MP #if P2MP_SERVER /* persist --ifconfig-pool db to file */ struct ifconfig_pool_persist *ifconfig_pool_persist; bool ifconfig_pool_persist_owned; #endif /* if client mode, hash of option strings we pulled from server */ struct sha256_digest pulled_options_digest_save; /**< Hash of option strings received from the * remote OpenVPN server. Only used in * client-mode. */ struct user_pass *auth_user_pass; /**< Username and password for * authentication. */ const char *ciphername; /**< Data channel cipher from config file */ const char *authname; /**< Data channel auth from config file */ int keysize; /**< Data channel keysize from config file */ #endif }; /** * Level 2 %context containing state that is reset on both \c SIGHUP and * \c SIGUSR1 restarts. * * This structure is initialized at the top of the \c * tunnel_point_to_point(), \c tunnel_server_udp_single_threaded(), and \c * tunnel_server_tcp() functions. In other words, it is reset for every * iteration of the \c main() function's inner \c SIGUSR1 loop. */ struct context_2 { struct gc_arena gc; /**< Garbage collection arena for * allocations done in the level 2 scope * of this context_2 structure. */ /* our global wait events */ struct event_set *event_set; int event_set_max; bool event_set_owned; /* event flags returned by io_wait */ #define SOCKET_READ (1<<0) #define SOCKET_WRITE (1<<1) #define TUN_READ (1<<2) #define TUN_WRITE (1<<3) #define ES_ERROR (1<<4) #define ES_TIMEOUT (1<<5) #ifdef ENABLE_MANAGEMENT #define MANAGEMENT_READ (1<<6) #define MANAGEMENT_WRITE (1<<7) #endif #ifdef ENABLE_ASYNC_PUSH #define FILE_CLOSED (1<<8) #endif unsigned int event_set_status; struct link_socket *link_socket; /* socket used for TCP/UDP connection to remote */ bool link_socket_owned; struct link_socket_info *link_socket_info; const struct link_socket *accept_from; /* possibly do accept() on a parent link_socket */ struct link_socket_actual *to_link_addr; /* IP address of remote */ struct link_socket_actual from; /* address of incoming datagram */ /* MTU frame parameters */ struct frame frame; /* Active frame parameters */ struct frame frame_initial; /* Restored on new session */ #ifdef ENABLE_FRAGMENT /* Object to handle advanced MTU negotiation and datagram fragmentation */ struct fragment_master *fragment; struct frame frame_fragment; struct frame frame_fragment_omit; #endif #ifdef ENABLE_FEATURE_SHAPER /* * Traffic shaper object. */ struct shaper shaper; #endif /* * Statistics */ counter_type tun_read_bytes; counter_type tun_write_bytes; counter_type link_read_bytes; counter_type link_read_bytes_auth; counter_type link_write_bytes; #ifdef PACKET_TRUNCATION_CHECK counter_type n_trunc_tun_read; counter_type n_trunc_tun_write; counter_type n_trunc_pre_encrypt; counter_type n_trunc_post_decrypt; #endif /* * Timer objects for ping and inactivity * timeout features. */ struct event_timeout wait_for_connect; struct event_timeout ping_send_interval; struct event_timeout ping_rec_interval; /* --inactive */ struct event_timeout inactivity_interval; int inactivity_bytes; #ifdef ENABLE_OCC /* the option strings must match across peers */ char *options_string_local; char *options_string_remote; int occ_op; /* INIT to -1 */ int occ_n_tries; struct event_timeout occ_interval; #endif /* * Keep track of maximum packet size received so far * (of authenticated packets). */ int original_recv_size; /* temporary */ int max_recv_size_local; /* max packet size received */ int max_recv_size_remote; /* max packet size received by remote */ int max_send_size_local; /* max packet size sent */ int max_send_size_remote; /* max packet size sent by remote */ #ifdef ENABLE_OCC /* remote wants us to send back a load test packet of this size */ int occ_mtu_load_size; struct event_timeout occ_mtu_load_test_interval; int occ_mtu_load_n_tries; #endif #ifdef ENABLE_CRYPTO /* * TLS-mode crypto objects. */ struct tls_multi *tls_multi; /**< TLS state structure for this VPN * tunnel. */ struct tls_auth_standalone *tls_auth_standalone; /**< TLS state structure required for the * initial authentication of a client's * connection attempt. This structure * is used by the \c * tls_pre_decrypt_lite() function when * it performs the HMAC firewall check * on the first connection packet * received from a new client. See the * \c --tls-auth commandline option. */ /* used to optimize calls to tls_multi_process */ struct interval tmp_int; /* throw this signal on TLS errors */ int tls_exit_signal; struct crypto_options crypto_options; /**< Security parameters and crypto state * used by the \link data_crypto Data * Channel Crypto module\endlink to * process data channel packet. */ struct event_timeout packet_id_persist_interval; #endif /* ENABLE_CRYPTO */ #ifdef USE_COMP struct compress_context *comp_context; /**< Compression context used by the * \link compression Data Channel * Compression module\endlink. */ #endif /* * Buffers used for packet processing. */ struct context_buffers *buffers; bool buffers_owned; /* if true, we should free all buffers on close */ /* * These buffers don't actually allocate storage, they are used * as pointers to the allocated buffers in * struct context_buffers. */ struct buffer buf; struct buffer to_tun; struct buffer to_link; /* should we print R|W|r|w to console on packet transfers? */ bool log_rw; /* route stuff */ struct event_timeout route_wakeup; struct event_timeout route_wakeup_expire; /* did we open tun/tap dev during this cycle? */ bool did_open_tun; /* * Event loop info */ /* how long to wait on link/tun read before we will need to be serviced */ struct timeval timeval; /* next wakeup for processing coarse timers (>1 sec resolution) */ time_t coarse_timer_wakeup; /* maintain a random delta to add to timeouts to avoid contexts * waking up simultaneously */ time_t update_timeout_random_component; struct timeval timeout_random_component; /* Timer for everything up to the first packet from the *OpenVPN* server * socks, http proxy, and tcp packets do not count */ struct event_timeout server_poll_interval; /* indicates that the do_up_delay function has run */ bool do_up_ran; #ifdef ENABLE_OCC /* indicates that we have received a SIGTERM when * options->explicit_exit_notification is enabled, * but we have not exited yet */ time_t explicit_exit_notification_time_wait; struct event_timeout explicit_exit_notification_interval; #endif /* environmental variables to pass to scripts */ struct env_set *es; bool es_owned; /* don't wait for TUN/TAP/UDP to be ready to accept write */ bool fast_io; #if P2MP #if P2MP_SERVER /* --ifconfig endpoints to be pushed to client */ bool push_reply_deferred; #ifdef ENABLE_ASYNC_PUSH bool push_request_received; #endif bool push_ifconfig_defined; time_t sent_push_reply_expiry; in_addr_t push_ifconfig_local; in_addr_t push_ifconfig_remote_netmask; in_addr_t push_ifconfig_local_alias; bool push_ifconfig_ipv6_defined; struct in6_addr push_ifconfig_ipv6_local; int push_ifconfig_ipv6_netbits; struct in6_addr push_ifconfig_ipv6_remote; /* client authentication state, CAS_SUCCEEDED must be 0 */ #define CAS_SUCCEEDED 0 #define CAS_PENDING 1 #define CAS_FAILED 2 #define CAS_PARTIAL 3 /* at least one client-connect script/plugin * succeeded while a later one in the chain failed */ int context_auth; #endif /* if P2MP_SERVER */ struct event_timeout push_request_interval; int n_sent_push_requests; bool did_pre_pull_restore; /* hash of pulled options, so we can compare when options change */ bool pulled_options_digest_init_done; md_ctx_t *pulled_options_state; struct sha256_digest pulled_options_digest; struct event_timeout scheduled_exit; int scheduled_exit_signal; #endif /* if P2MP */ /* packet filter */ #ifdef ENABLE_PF struct pf_context pf; #endif #ifdef MANAGEMENT_DEF_AUTH struct man_def_auth_context mda_context; #endif #ifdef ENABLE_ASYNC_PUSH int inotify_fd; /* descriptor for monitoring file changes */ #endif }; /** * Contains all state information for one tunnel. * * This structure represents one VPN tunnel. It is used to store state * information related to a VPN tunnel, but also includes process-wide * data, such as configuration options. * * The @ref tunnel_state "Structure of VPN tunnel state storage" related * page describes how this structure is used in client-mode and * server-mode. */ struct context { struct options options; /**< Options loaded from command line or * configuration file. */ bool first_time; /**< True on the first iteration of * OpenVPN's main loop. */ /* context modes */ #define CM_P2P 0 /* standalone point-to-point session or client */ #define CM_TOP 1 /* top level of a multi-client or point-to-multipoint server */ #define CM_TOP_CLONE 2 /* clone of a CM_TOP context for one thread */ #define CM_CHILD_UDP 3 /* child context of a CM_TOP or CM_THREAD */ #define CM_CHILD_TCP 4 /* child context of a CM_TOP or CM_THREAD */ int mode; /**< Role of this context within the * OpenVPN process. Valid values are \c * CM_P2P, \c CM_TOP, \c CM_TOP_CLONE, * \c CM_CHILD_UDP, and \c CM_CHILD_TCP. */ struct gc_arena gc; /**< Garbage collection arena for * allocations done in the scope of this * context structure. */ struct env_set *es; /**< Set of environment variables. */ struct signal_info *sig; /**< Internal error signaling object. */ struct plugin_list *plugins; /**< List of plug-ins. */ bool plugins_owned; /**< Whether the plug-ins should be * cleaned up when this %context is * cleaned up. */ bool did_we_daemonize; /**< Whether demonization has already * taken place. */ struct context_persist persist; /**< Persistent %context. */ struct context_0 *c0; /**< Level 0 %context. */ struct context_1 c1; /**< Level 1 %context. */ struct context_2 c2; /**< Level 2 %context. */ }; /* * Check for a signal when inside an event loop */ #define EVENT_LOOP_CHECK_SIGNAL(c, func, arg) \ if (IS_SIG(c)) \ { \ const int brk = func(arg); \ perf_pop(); \ if (brk) { \ break;} \ else { \ continue;} \ } /* * Macros for referencing objects which may not * have been compiled in. */ #ifdef ENABLE_CRYPTO #define TLS_MODE(c) ((c)->c2.tls_multi != NULL) #define PROTO_DUMP_FLAGS (check_debug_level(D_LINK_RW_VERBOSE) ? (PD_SHOW_DATA|PD_VERBOSE) : 0) #define PROTO_DUMP(buf, gc) protocol_dump((buf), \ PROTO_DUMP_FLAGS \ |(c->c2.tls_multi ? PD_TLS : 0) \ |(c->options.tls_auth_file ? c->c1.ks.key_type.hmac_length : 0), \ gc) #else /* ifdef ENABLE_CRYPTO */ #define TLS_MODE(c) (false) #define PROTO_DUMP(buf, gc) format_hex(BPTR(buf), BLEN(buf), 80, gc) #endif #ifdef ENABLE_CRYPTO #define MD5SUM(buf, len, gc) md5sum((buf), (len), 0, (gc)) #else #define MD5SUM(buf, len, gc) "[unavailable]" #endif #ifdef ENABLE_CRYPTO #define CIPHER_ENABLED(c) (c->c1.ks.key_type.cipher != NULL) #else #define CIPHER_ENABLED(c) (false) #endif /* this represents "disabled peer-id" */ #define MAX_PEER_ID 0xFFFFFF #endif /* ifndef OPENVPN_H */ openvpn-2.4.4/src/openvpn/openvpn.vcxproj000066400000000000000000000317471316434344000206020ustar00rootroot00000000000000 Debug Win32 Release Win32 {29DF226E-4D4E-440F-ADAF-5829CFD4CA94} openvpn Win32Proj Application true Unicode v120 Application Unicode v120 <_ProjectFileVersion>10.0.30319.1 $(SolutionDir)$(Platform)-Output\$(Configuration)\ $(Configuration)\ true $(SolutionDir)$(Platform)-Output\$(Configuration)\ $(Configuration)\ false Disabled $(SOURCEBASE);$(SOURCEBASE)/src/compat;$(SOURCEBASE)/include;$(TAP_WINDOWS_HOME)/include;$(OPENSSL_HOME)/include;$(LZO_HOME)/include;$(PKCS11H_HOME)/include;%(AdditionalIncludeDirectories) WIN32;_DEBUG;_CONSOLE;$(CPPFLAGS);%(PreprocessorDefinitions) true EnableFastChecks MultiThreadedDebugDLL Level3 EditAndContinue UNICODE $(SOURCEBASE);%(AdditionalIncludeDirectories) libeay32.lib;ssleay32.lib;lzo2.lib;pkcs11-helper.dll.lib;gdi32.lib;ws2_32.lib;wininet.lib;crypt32.lib;iphlpapi.lib;winmm.lib;Fwpuclnt.lib;Rpcrt4.lib;%(AdditionalDependencies) $(OPENSSL_HOME)/lib;$(LZO_HOME)/lib;$(PKCS11H_HOME)/lib;%(AdditionalLibraryDirectories) true Console MachineX86 MaxSpeed true $(SOURCEBASE);$(SOURCEBASE)/src/compat;$(SOURCEBASE)/include;$(TAP_WINDOWS_HOME)/include;$(OPENSSL_HOME)/include;$(LZO_HOME)/include;$(PKCS11H_HOME)/include;%(AdditionalIncludeDirectories) WIN32;NDEBUG;_CONSOLE;$(CPPFLAGS);%(PreprocessorDefinitions) MultiThreadedDLL true Level3 ProgramDatabase UNICODE $(SOURCEBASE);%(AdditionalIncludeDirectories) libeay32.lib;ssleay32.lib;lzo2.lib;pkcs11-helper.dll.lib;gdi32.lib;ws2_32.lib;wininet.lib;crypt32.lib;iphlpapi.lib;winmm.lib;Fwpuclnt.lib;Rpcrt4.lib;%(AdditionalDependencies) $(OPENSSL_HOME)/lib;$(LZO_HOME)/lib;$(PKCS11H_HOME)/lib;%(AdditionalLibraryDirectories) true Console true true MachineX86 {8598c2c8-34c4-47a1-99b0-7c295a890615} false {4b2e2719-e661-45d7-9203-f6f456b22f19} false openvpn-2.4.4/src/openvpn/openvpn.vcxproj.filters000066400000000000000000000360571316434344000222500ustar00rootroot00000000000000 {4FC737F1-C7A5-4376-A066-2A32D752A2FF} cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx {93995380-89BD-4b04-88EB-625FBE52EBFB} h;hpp;hxx;hm;inl;inc;xsd {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Source Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Header Files Resource Files openvpn-2.4.4/src/openvpn/openvpn_win32_resources.rc000066400000000000000000000020241316434344000226110ustar00rootroot00000000000000#ifdef HAVE_CONFIG_H #include #else #include #endif #include #pragma code_page(65001) /* UTF8 */ LANGUAGE LANG_NEUTRAL, SUBLANG_NEUTRAL VS_VERSION_INFO VERSIONINFO FILEVERSION OPENVPN_VERSION_RESOURCE PRODUCTVERSION OPENVPN_VERSION_RESOURCE FILEFLAGSMASK 0x3fL #ifdef _DEBUG FILEFLAGS 0x1L #else FILEFLAGS 0x0L #endif FILEOS 0x40004L FILETYPE 0x2L FILESUBTYPE 0x0L BEGIN BLOCK "StringFileInfo" BEGIN BLOCK "040904b0" BEGIN VALUE "CompanyName", "The OpenVPN Project" VALUE "FileDescription", "OpenVPN Daemon" VALUE "FileVersion", PACKAGE_VERSION ".0" VALUE "InternalName", "OpenVPN" VALUE "LegalCopyright", "Copyright © The OpenVPN Project" VALUE "OriginalFilename", "openvpn.exe" VALUE "ProductName", "OpenVPN" VALUE "ProductVersion", PACKAGE_VERSION ".0" END END BLOCK "VarFileInfo" BEGIN VALUE "Translation", 0x409, 1200 END END openvpn-2.4.4/src/openvpn/options.c000066400000000000000000010120401316434344000173210ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * Copyright (C) 2008-2013 David Sommerseth * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ /* * 2004-01-28: Added Socks5 proxy support * (Christof Meerwald, http://cmeerw.org) */ #ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) #include "config-msvc.h" #endif #ifdef HAVE_CONFIG_VERSION_H #include "config-version.h" #endif #include "syshead.h" #include "buffer.h" #include "error.h" #include "common.h" #include "shaper.h" #include "crypto.h" #include "ssl.h" #include "options.h" #include "misc.h" #include "socket.h" #include "packet_id.h" #include "pkcs11.h" #include "win32.h" #include "push.h" #include "pool.h" #include "helper.h" #include "manage.h" #include "forward.h" #include "ssl_verify.h" #include "platform.h" #include #include "memdbg.h" const char title_string[] = PACKAGE_STRING #ifdef CONFIGURE_GIT_REVISION " [git:" CONFIGURE_GIT_REVISION CONFIGURE_GIT_FLAGS "]" #endif " " TARGET_ALIAS #ifdef ENABLE_CRYPTO #if defined(ENABLE_CRYPTO_MBEDTLS) " [SSL (mbed TLS)]" #elif defined(ENABLE_CRYPTO_OPENSSL) " [SSL (OpenSSL)]" #else " [SSL]" #endif /* defined(ENABLE_CRYPTO_MBEDTLS) */ #endif /* ENABLE_CRYPTO */ #ifdef USE_COMP #ifdef ENABLE_LZO " [LZO]" #endif #ifdef ENABLE_LZ4 " [LZ4]" #endif #ifdef ENABLE_COMP_STUB " [COMP_STUB]" #endif #endif /* USE_COMP */ #if EPOLL " [EPOLL]" #endif #ifdef PRODUCT_TAP_DEBUG " [TAPDBG]" #endif #ifdef ENABLE_PKCS11 " [PKCS11]" #endif #if ENABLE_IP_PKTINFO #if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST) " [MH/PKTINFO]" #elif defined(IP_RECVDSTADDR) " [MH/RECVDA]" #endif #endif #ifdef HAVE_AEAD_CIPHER_MODES " [AEAD]" #endif " built on " __DATE__ ; #ifndef ENABLE_SMALL static const char usage_message[] = "%s\n" "\n" "General Options:\n" "--config file : Read configuration options from file.\n" "--help : Show options.\n" "--version : Show copyright and version information.\n" "\n" "Tunnel Options:\n" "--local host : Local host name or ip address. Implies --bind.\n" "--remote host [port] : Remote host name or ip address.\n" "--remote-random : If multiple --remote options specified, choose one randomly.\n" "--remote-random-hostname : Add a random string to remote DNS name.\n" "--mode m : Major mode, m = 'p2p' (default, point-to-point) or 'server'.\n" "--proto p : Use protocol p for communicating with peer.\n" " p = udp (default), tcp-server, or tcp-client\n" "--proto-force p : only consider protocol p in list of connection profiles.\n" " p = udp6, tcp6-server, or tcp6-client (ipv6)\n" "--connect-retry n [m] : For client, number of seconds to wait between\n" " connection retries (default=%d). On repeated retries\n" " the wait time is exponentially increased to a maximum of m\n" " (default=%d).\n" "--connect-retry-max n : Maximum connection attempt retries, default infinite.\n" "--http-proxy s p [up] [auth] : Connect to remote host\n" " through an HTTP proxy at address s and port p.\n" " If proxy authentication is required,\n" " up is a file containing username/password on 2 lines, or\n" " 'stdin' to prompt from console. Add auth='ntlm' if\n" " the proxy requires NTLM authentication.\n" "--http-proxy s p 'auto[-nct]' : Like the above directive, but automatically\n" " determine auth method and query for username/password\n" " if needed. auto-nct disables weak proxy auth methods.\n" "--http-proxy-option type [parm] : Set extended HTTP proxy options.\n" " Repeat to set multiple options.\n" " VERSION version (default=1.0)\n" " AGENT user-agent\n" "--socks-proxy s [p] [up] : Connect to remote host through a Socks5 proxy at\n" " address s and port p (default port = 1080).\n" " If proxy authentication is required,\n" " up is a file containing username/password on 2 lines, or\n" " 'stdin' to prompt for console.\n" "--socks-proxy-retry : Retry indefinitely on Socks proxy errors.\n" "--resolv-retry n: If hostname resolve fails for --remote, retry\n" " resolve for n seconds before failing (disabled by default).\n" " Set n=\"infinite\" to retry indefinitely.\n" "--float : Allow remote to change its IP address/port, such as through\n" " DHCP (this is the default if --remote is not used).\n" "--ipchange cmd : Run command cmd on remote ip address initial\n" " setting or change -- execute as: cmd ip-address port#\n" "--port port : TCP/UDP port # for both local and remote.\n" "--lport port : TCP/UDP port # for local (default=%s). Implies --bind.\n" "--rport port : TCP/UDP port # for remote (default=%s).\n" "--bind : Bind to local address and port. (This is the default unless\n" " --proto tcp-client" " or --http-proxy" " or --socks-proxy" " is used).\n" "--nobind : Do not bind to local address and port.\n" "--dev tunX|tapX : tun/tap device (X can be omitted for dynamic device.\n" "--dev-type dt : Which device type are we using? (dt = tun or tap) Use\n" " this option only if the tun/tap device used with --dev\n" " does not begin with \"tun\" or \"tap\".\n" "--dev-node node : Explicitly set the device node rather than using\n" " /dev/net/tun, /dev/tun, /dev/tap, etc.\n" "--lladdr hw : Set the link layer address of the tap device.\n" "--topology t : Set --dev tun topology: 'net30', 'p2p', or 'subnet'.\n" #ifdef ENABLE_IPROUTE "--iproute cmd : Use this command instead of default " IPROUTE_PATH ".\n" #endif "--ifconfig l rn : TUN: configure device to use IP address l as a local\n" " endpoint and rn as a remote endpoint. l & rn should be\n" " swapped on the other peer. l & rn must be private\n" " addresses outside of the subnets used by either peer.\n" " TAP: configure device to use IP address l as a local\n" " endpoint and rn as a subnet mask.\n" "--ifconfig-ipv6 l r : configure device to use IPv6 address l as local\n" " endpoint (as a /64) and r as remote endpoint\n" "--ifconfig-noexec : Don't actually execute ifconfig/netsh command, instead\n" " pass --ifconfig parms by environment to scripts.\n" "--ifconfig-nowarn : Don't warn if the --ifconfig option on this side of the\n" " connection doesn't match the remote side.\n" "--route network [netmask] [gateway] [metric] :\n" " Add route to routing table after connection\n" " is established. Multiple routes can be specified.\n" " netmask default: 255.255.255.255\n" " gateway default: taken from --route-gateway or --ifconfig\n" " Specify default by leaving blank or setting to \"nil\".\n" "--route-ipv6 network/bits [gateway] [metric] :\n" " Add IPv6 route to routing table after connection\n" " is established. Multiple routes can be specified.\n" " gateway default: taken from 'remote' in --ifconfig-ipv6\n" "--route-gateway gw|'dhcp' : Specify a default gateway for use with --route.\n" "--route-metric m : Specify a default metric for use with --route.\n" "--route-delay n [w] : Delay n seconds after connection initiation before\n" " adding routes (may be 0). If not specified, routes will\n" " be added immediately after tun/tap open. On Windows, wait\n" " up to w seconds for TUN/TAP adapter to come up.\n" "--route-up cmd : Run command cmd after routes are added.\n" "--route-pre-down cmd : Run command cmd before routes are removed.\n" "--route-noexec : Don't add routes automatically. Instead pass routes to\n" " --route-up script using environmental variables.\n" "--route-nopull : When used with --client or --pull, accept options pushed\n" " by server EXCEPT for routes and dhcp options.\n" "--allow-pull-fqdn : Allow client to pull DNS names from server for\n" " --ifconfig, --route, and --route-gateway.\n" "--redirect-gateway [flags]: Automatically execute routing\n" " commands to redirect all outgoing IP traffic through the\n" " VPN. Add 'local' flag if both " PACKAGE_NAME " servers are directly\n" " connected via a common subnet, such as with WiFi.\n" " Add 'def1' flag to set default route using using 0.0.0.0/1\n" " and 128.0.0.0/1 rather than 0.0.0.0/0. Add 'bypass-dhcp'\n" " flag to add a direct route to DHCP server, bypassing tunnel.\n" " Add 'bypass-dns' flag to similarly bypass tunnel for DNS.\n" "--redirect-private [flags]: Like --redirect-gateway, but omit actually changing\n" " the default gateway. Useful when pushing private subnets.\n" "--client-nat snat|dnat network netmask alias : on client add 1-to-1 NAT rule.\n" #ifdef ENABLE_PUSH_PEER_INFO "--push-peer-info : (client only) push client info to server.\n" #endif "--setenv name value : Set a custom environmental variable to pass to script.\n" "--setenv FORWARD_COMPATIBLE 1 : Relax config file syntax checking to allow\n" " directives for future OpenVPN versions to be ignored.\n" "--ignore-unkown-option opt1 opt2 ...: Relax config file syntax. Allow\n" " these options to be ignored when unknown\n" "--script-security level: Where level can be:\n" " 0 -- strictly no calling of external programs\n" " 1 -- (default) only call built-ins such as ifconfig\n" " 2 -- allow calling of built-ins and scripts\n" " 3 -- allow password to be passed to scripts via env\n" "--shaper n : Restrict output to peer to n bytes per second.\n" "--keepalive n m : Helper option for setting timeouts in server mode. Send\n" " ping once every n seconds, restart if ping not received\n" " for m seconds.\n" "--inactive n [bytes] : Exit after n seconds of activity on tun/tap device\n" " produces a combined in/out byte count < bytes.\n" "--ping-exit n : Exit if n seconds pass without reception of remote ping.\n" "--ping-restart n: Restart if n seconds pass without reception of remote ping.\n" "--ping-timer-rem: Run the --ping-exit/--ping-restart timer only if we have a\n" " remote address.\n" "--ping n : Ping remote once every n seconds over TCP/UDP port.\n" #if ENABLE_IP_PKTINFO "--multihome : Configure a multi-homed UDP server.\n" #endif "--fast-io : (experimental) Optimize TUN/TAP/UDP writes.\n" "--remap-usr1 s : On SIGUSR1 signals, remap signal (s='SIGHUP' or 'SIGTERM').\n" "--persist-tun : Keep tun/tap device open across SIGUSR1 or --ping-restart.\n" "--persist-remote-ip : Keep remote IP address across SIGUSR1 or --ping-restart.\n" "--persist-local-ip : Keep local IP address across SIGUSR1 or --ping-restart.\n" "--persist-key : Don't re-read key files across SIGUSR1 or --ping-restart.\n" #if PASSTOS_CAPABILITY "--passtos : TOS passthrough (applies to IPv4 only).\n" #endif "--tun-mtu n : Take the tun/tap device MTU to be n and derive the\n" " TCP/UDP MTU from it (default=%d).\n" "--tun-mtu-extra n : Assume that tun/tap device might return as many\n" " as n bytes more than the tun-mtu size on read\n" " (default TUN=0 TAP=%d).\n" "--link-mtu n : Take the TCP/UDP device MTU to be n and derive the tun MTU\n" " from it.\n" "--mtu-disc type : Should we do Path MTU discovery on TCP/UDP channel?\n" " 'no' -- Never send DF (Don't Fragment) frames\n" " 'maybe' -- Use per-route hints\n" " 'yes' -- Always DF (Don't Fragment)\n" #ifdef ENABLE_OCC "--mtu-test : Empirically measure and report MTU.\n" #endif #ifdef ENABLE_FRAGMENT "--fragment max : Enable internal datagram fragmentation so that no UDP\n" " datagrams are sent which are larger than max bytes.\n" " Adds 4 bytes of overhead per datagram.\n" #endif "--mssfix [n] : Set upper bound on TCP MSS, default = tun-mtu size\n" " or --fragment max value, whichever is lower.\n" "--sndbuf size : Set the TCP/UDP send buffer size.\n" "--rcvbuf size : Set the TCP/UDP receive buffer size.\n" #if defined(TARGET_LINUX) && HAVE_DECL_SO_MARK "--mark value : Mark encrypted packets being sent with value. The mark value\n" " can be matched in policy routing and packetfilter rules.\n" #endif "--txqueuelen n : Set the tun/tap TX queue length to n (Linux only).\n" #ifdef ENABLE_MEMSTATS "--memstats file : Write live usage stats to memory mapped binary file.\n" #endif "--mlock : Disable Paging -- ensures key material and tunnel\n" " data will never be written to disk.\n" "--up cmd : Run command cmd after successful tun device open.\n" " Execute as: cmd tun/tap-dev tun-mtu link-mtu \\\n" " ifconfig-local-ip ifconfig-remote-ip\n" " (pre --user or --group UID/GID change)\n" "--up-delay : Delay tun/tap open and possible --up script execution\n" " until after TCP/UDP connection establishment with peer.\n" "--down cmd : Run command cmd after tun device close.\n" " (post --user/--group UID/GID change and/or --chroot)\n" " (command parameters are same as --up option)\n" "--down-pre : Run --down command before TUN/TAP close.\n" "--up-restart : Run up/down commands for all restarts including those\n" " caused by --ping-restart or SIGUSR1\n" "--user user : Set UID to user after initialization.\n" "--group group : Set GID to group after initialization.\n" "--chroot dir : Chroot to this directory after initialization.\n" #ifdef ENABLE_SELINUX "--setcon context: Apply this SELinux context after initialization.\n" #endif "--cd dir : Change to this directory before initialization.\n" "--daemon [name] : Become a daemon after initialization.\n" " The optional 'name' parameter will be passed\n" " as the program name to the system logger.\n" "--syslog [name] : Output to syslog, but do not become a daemon.\n" " See --daemon above for a description of the 'name' parm.\n" "--inetd [name] ['wait'|'nowait'] : Run as an inetd or xinetd server.\n" " See --daemon above for a description of the 'name' parm.\n" "--log file : Output log to file which is created/truncated on open.\n" "--log-append file : Append log to file, or create file if nonexistent.\n" "--suppress-timestamps : Don't log timestamps to stdout/stderr.\n" "--machine-readable-output : Always log timestamp, message flags to stdout/stderr.\n" "--writepid file : Write main process ID to file.\n" "--nice n : Change process priority (>0 = lower, <0 = higher).\n" "--echo [parms ...] : Echo parameters to log output.\n" "--verb n : Set output verbosity to n (default=%d):\n" " (Level 3 is recommended if you want a good summary\n" " of what's happening without being swamped by output).\n" " : 0 -- no output except fatal errors\n" " : 1 -- startup info + connection initiated messages +\n" " non-fatal encryption & net errors\n" " : 2,3 -- show TLS negotiations & route info\n" " : 4 -- show parameters\n" " : 5 -- show 'RrWw' chars on console for each packet sent\n" " and received from TCP/UDP (caps) or tun/tap (lc)\n" " : 6 to 11 -- debug messages of increasing verbosity\n" "--mute n : Log at most n consecutive messages in the same category.\n" "--status file n : Write operational status to file every n seconds.\n" "--status-version [n] : Choose the status file format version number.\n" " Currently, n can be 1, 2, or 3 (default=1).\n" #ifdef ENABLE_OCC "--disable-occ : Disable options consistency check between peers.\n" #endif #ifdef ENABLE_DEBUG "--gremlin mask : Special stress testing mode (for debugging only).\n" #endif #if defined(USE_COMP) "--compress alg : Use compression algorithm alg\n" #if defined(ENABLE_LZO) "--comp-lzo : Use LZO compression -- may add up to 1 byte per\n" " packet for uncompressible data.\n" "--comp-noadapt : Don't use adaptive compression when --comp-lzo\n" " is specified.\n" #endif #endif #ifdef ENABLE_MANAGEMENT "--management ip port [pass] : Enable a TCP server on ip:port to handle\n" " management functions. pass is a password file\n" " or 'stdin' to prompt from console.\n" #if UNIX_SOCK_SUPPORT " To listen on a unix domain socket, specific the pathname\n" " in place of ip and use 'unix' as the port number.\n" #endif "--management-client : Management interface will connect as a TCP client to\n" " ip/port rather than listen as a TCP server.\n" "--management-query-passwords : Query management channel for private key\n" " and auth-user-pass passwords.\n" "--management-query-proxy : Query management channel for proxy information.\n" "--management-query-remote : Query management channel for --remote directive.\n" "--management-hold : Start " PACKAGE_NAME " in a hibernating state, until a client\n" " of the management interface explicitly starts it.\n" "--management-signal : Issue SIGUSR1 when management disconnect event occurs.\n" "--management-forget-disconnect : Forget passwords when management disconnect\n" " event occurs.\n" "--management-up-down : Report tunnel up/down events to management interface.\n" "--management-log-cache n : Cache n lines of log file history for usage\n" " by the management channel.\n" #if UNIX_SOCK_SUPPORT "--management-client-user u : When management interface is a unix socket, only\n" " allow connections from user u.\n" "--management-client-group g : When management interface is a unix socket, only\n" " allow connections from group g.\n" #endif #ifdef MANAGEMENT_DEF_AUTH "--management-client-auth : gives management interface client the responsibility\n" " to authenticate clients after their client certificate\n" " has been verified.\n" #endif #ifdef MANAGEMENT_PF "--management-client-pf : management interface clients must specify a packet\n" " filter file for each connecting client.\n" #endif #endif /* ifdef ENABLE_MANAGEMENT */ #ifdef ENABLE_PLUGIN "--plugin m [str]: Load plug-in module m passing str as an argument\n" " to its initialization function.\n" #endif #if P2MP #if P2MP_SERVER "\n" "Multi-Client Server options (when --mode server is used):\n" "--server network netmask : Helper option to easily configure server mode.\n" "--server-ipv6 network/bits : Configure IPv6 server mode.\n" "--server-bridge [IP netmask pool-start-IP pool-end-IP] : Helper option to\n" " easily configure ethernet bridging server mode.\n" "--push \"option\" : Push a config file option back to the peer for remote\n" " execution. Peer must specify --pull in its config file.\n" "--push-reset : Don't inherit global push list for specific\n" " client instance.\n" "--ifconfig-pool start-IP end-IP [netmask] : Set aside a pool of subnets\n" " to be dynamically allocated to connecting clients.\n" "--ifconfig-pool-linear : (DEPRECATED) Use individual addresses rather \n" " than /30 subnets\n in tun mode. Not compatible with\n" " Windows clients.\n" "--ifconfig-pool-persist file [seconds] : Persist/unpersist ifconfig-pool\n" " data to file, at seconds intervals (default=600).\n" " If seconds=0, file will be treated as read-only.\n" "--ifconfig-ipv6-pool base-IP/bits : set aside an IPv6 network block\n" " to be dynamically allocated to connecting clients.\n" "--ifconfig-push local remote-netmask : Push an ifconfig option to remote,\n" " overrides --ifconfig-pool dynamic allocation.\n" " Only valid in a client-specific config file.\n" "--ifconfig-ipv6-push local/bits remote : Push an ifconfig-ipv6 option to\n" " remote, overrides --ifconfig-ipv6-pool allocation.\n" " Only valid in a client-specific config file.\n" "--iroute network [netmask] : Route subnet to client.\n" "--iroute-ipv6 network/bits : Route IPv6 subnet to client.\n" " Sets up internal routes only.\n" " Only valid in a client-specific config file.\n" "--disable : Client is disabled.\n" " Only valid in a client-specific config file.\n" "--client-cert-not-required : (DEPRECATED) Don't require client certificate, client\n" " will authenticate using username/password.\n" "--verify-client-cert [none|optional|require] : perform no, optional or\n" " mandatory client certificate verification.\n" " Default is to require the client to supply a certificate.\n" "--username-as-common-name : For auth-user-pass authentication, use\n" " the authenticated username as the common name,\n" " rather than the common name from the client cert.\n" "--auth-user-pass-verify cmd method: Query client for username/password and\n" " run command cmd to verify. If method='via-env', pass\n" " user/pass via environment, if method='via-file', pass\n" " user/pass via temporary file.\n" "--auth-gen-token [lifetime] Generate a random authentication token which is pushed\n" " to each client, replacing the password. Usefull when\n" " OTP based two-factor auth mechanisms are in use and\n" " --reneg-* options are enabled. Optionally a lifetime in seconds\n" " for generated tokens can be set.\n" "--opt-verify : Clients that connect with options that are incompatible\n" " with those of the server will be disconnected.\n" "--auth-user-pass-optional : Allow connections by clients that don't\n" " specify a username/password.\n" "--no-name-remapping : (DEPRECATED) Allow Common Name and X509 Subject to include\n" " any printable character.\n" "--client-to-client : Internally route client-to-client traffic.\n" "--duplicate-cn : Allow multiple clients with the same common name to\n" " concurrently connect.\n" "--client-connect cmd : Run command cmd on client connection.\n" "--client-disconnect cmd : Run command cmd on client disconnection.\n" "--client-config-dir dir : Directory for custom client config files.\n" "--ccd-exclusive : Refuse connection unless custom client config is found.\n" "--tmp-dir dir : Temporary directory, used for --client-connect return file and plugin communication.\n" "--hash-size r v : Set the size of the real address hash table to r and the\n" " virtual address table to v.\n" "--bcast-buffers n : Allocate n broadcast buffers.\n" "--tcp-queue-limit n : Maximum number of queued TCP output packets.\n" "--tcp-nodelay : Macro that sets TCP_NODELAY socket flag on the server\n" " as well as pushes it to connecting clients.\n" "--learn-address cmd : Run command cmd to validate client virtual addresses.\n" "--connect-freq n s : Allow a maximum of n new connections per s seconds.\n" "--max-clients n : Allow a maximum of n simultaneously connected clients.\n" "--max-routes-per-client n : Allow a maximum of n internal routes per client.\n" "--stale-routes-check n [t] : Remove routes with a last activity timestamp\n" " older than n seconds. Run this check every t\n" " seconds (defaults to n).\n" "--explicit-exit-notify [n] : In UDP server mode send [RESTART] command on exit/restart to connected\n" " clients. n = 1 - reconnect to same server,\n" " 2 - advance to next server, default=1.\n" #if PORT_SHARE "--port-share host port [dir] : When run in TCP mode, proxy incoming HTTPS\n" " sessions to a web server at host:port. dir specifies an\n" " optional directory to write origin IP:port data.\n" #endif #endif /* if P2MP_SERVER */ "\n" "Client options (when connecting to a multi-client server):\n" "--client : Helper option to easily configure client mode.\n" "--auth-user-pass [up] : Authenticate with server using username/password.\n" " up is a file containing the username on the first line,\n" " and a password on the second. If either the password or both\n" " the username and the password are omitted OpenVPN will prompt\n" " for them from console.\n" "--pull : Accept certain config file options from the peer as if they\n" " were part of the local config file. Must be specified\n" " when connecting to a '--mode server' remote host.\n" "--pull-filter accept|ignore|reject t : Filter each option received from the\n" " server if it starts with the text t. The action flag accept,\n" " ignore or reject causes the option to be allowed, removed or\n" " rejected with error. May be specified multiple times, and\n" " each filter is applied in the order of appearance.\n" "--auth-retry t : How to handle auth failures. Set t to\n" " none (default), interact, or nointeract.\n" "--static-challenge t e : Enable static challenge/response protocol using\n" " challenge text t, with e indicating echo flag (0|1)\n" "--connect-timeout n : when polling possible remote servers to connect to\n" " in a round-robin fashion, spend no more than n seconds\n" " waiting for a response before trying the next server.\n" "--allow-recursive-routing : When this option is set, OpenVPN will not drop\n" " incoming tun packets with same destination as host.\n" #endif /* if P2MP */ #ifdef ENABLE_OCC "--explicit-exit-notify [n] : On exit/restart, send exit signal to\n" " server/remote. n = # of retries, default=1.\n" #endif #ifdef ENABLE_CRYPTO "\n" "Data Channel Encryption Options (must be compatible between peers):\n" "(These options are meaningful for both Static Key & TLS-mode)\n" "--secret f [d] : Enable Static Key encryption mode (non-TLS).\n" " Use shared secret file f, generate with --genkey.\n" " The optional d parameter controls key directionality.\n" " If d is specified, use separate keys for each\n" " direction, set d=0 on one side of the connection,\n" " and d=1 on the other side.\n" "--auth alg : Authenticate packets with HMAC using message\n" " digest algorithm alg (default=%s).\n" " (usually adds 16 or 20 bytes per packet)\n" " Set alg=none to disable authentication.\n" "--cipher alg : Encrypt packets with cipher algorithm alg\n" " (default=%s).\n" " Set alg=none to disable encryption.\n" "--ncp-ciphers list : List of ciphers that are allowed to be negotiated.\n" "--ncp-disable : Disable cipher negotiation.\n" "--prng alg [nsl] : For PRNG, use digest algorithm alg, and\n" " nonce_secret_len=nsl. Set alg=none to disable PRNG.\n" #ifdef HAVE_EVP_CIPHER_CTX_SET_KEY_LENGTH "--keysize n : (DEPRECATED) Size of cipher key in bits (optional).\n" " If unspecified, defaults to cipher-specific default.\n" #endif #ifndef ENABLE_CRYPTO_MBEDTLS "--engine [name] : Enable OpenSSL hardware crypto engine functionality.\n" #endif "--no-replay : (DEPRECATED) Disable replay protection.\n" "--mute-replay-warnings : Silence the output of replay warnings to log file.\n" "--replay-window n [t] : Use a replay protection sliding window of size n\n" " and a time window of t seconds.\n" " Default n=%d t=%d\n" "--no-iv : Disable cipher IV -- only allowed with CBC mode ciphers.\n" "--replay-persist file : Persist replay-protection state across sessions\n" " using file.\n" "--test-crypto : Run a self-test of crypto features enabled.\n" " For debugging only.\n" #ifdef ENABLE_PREDICTION_RESISTANCE "--use-prediction-resistance: Enable prediction resistance on the random\n" " number generator.\n" #endif "\n" "TLS Key Negotiation Options:\n" "(These options are meaningful only for TLS-mode)\n" "--tls-server : Enable TLS and assume server role during TLS handshake.\n" "--tls-client : Enable TLS and assume client role during TLS handshake.\n" "--key-method m : (DEPRECATED) Data channel key exchange method. m should be a method\n" " number, such as 1 (default), 2, etc.\n" "--ca file : Certificate authority file in .pem format containing\n" " root certificate.\n" #ifndef ENABLE_CRYPTO_MBEDTLS "--capath dir : A directory of trusted certificates (CAs" " and CRLs).\n" #endif /* ENABLE_CRYPTO_MBEDTLS */ "--dh file : File containing Diffie Hellman parameters\n" " in .pem format (for --tls-server only).\n" " Use \"openssl dhparam -out dh1024.pem 1024\" to generate.\n" "--cert file : Local certificate in .pem format -- must be signed\n" " by a Certificate Authority in --ca file.\n" "--extra-certs file : one or more PEM certs that complete the cert chain.\n" "--key file : Local private key in .pem format.\n" "--tls-version-min ['or-highest'] : sets the minimum TLS version we\n" " will accept from the peer. If version is unrecognized and 'or-highest'\n" " is specified, require max TLS version supported by SSL implementation.\n" "--tls-version-max : sets the maximum TLS version we will use.\n" #ifndef ENABLE_CRYPTO_MBEDTLS "--pkcs12 file : PKCS#12 file containing local private key, local certificate\n" " and optionally the root CA certificate.\n" #endif #ifdef ENABLE_X509ALTUSERNAME "--x509-username-field : Field in x509 certificate containing the username.\n" " Default is CN in the Subject field.\n" #endif "--verify-hash hash [algo] : Specify fingerprint for level-1 certificate.\n" " Valid algo flags are SHA1 and SHA256. \n" #ifdef _WIN32 "--cryptoapicert select-string : Load the certificate and private key from the\n" " Windows Certificate System Store.\n" #endif "--tls-cipher l : A list l of allowable TLS ciphers separated by : (optional).\n" " : Use --show-tls to see a list of supported TLS ciphers.\n" "--tls-timeout n : Packet retransmit timeout on TLS control channel\n" " if no ACK from remote within n seconds (default=%d).\n" "--reneg-bytes n : Renegotiate data chan. key after n bytes sent and recvd.\n" "--reneg-pkts n : Renegotiate data chan. key after n packets sent and recvd.\n" "--reneg-sec n : Renegotiate data chan. key after n seconds (default=%d).\n" "--hand-window n : Data channel key exchange must finalize within n seconds\n" " of handshake initiation by any peer (default=%d).\n" "--tran-window n : Transition window -- old key can live this many seconds\n" " after new key renegotiation begins (default=%d).\n" "--single-session: Allow only one session (reset state on restart).\n" "--tls-exit : Exit on TLS negotiation failure.\n" "--tls-auth f [d]: Add an additional layer of authentication on top of the TLS\n" " control channel to protect against attacks on the TLS stack\n" " and DoS attacks.\n" " f (required) is a shared-secret key file.\n" " The optional d parameter controls key directionality,\n" " see --secret option for more info.\n" "--tls-crypt key : Add an additional layer of authenticated encryption on top\n" " of the TLS control channel to hide the TLS certificate,\n" " provide basic post-quantum security and protect against\n" " attacks on the TLS stack and DoS attacks.\n" " key (required) provides the pre-shared key file.\n" " see --secret option for more info.\n" "--askpass [file]: Get PEM password from controlling tty before we daemonize.\n" "--auth-nocache : Don't cache --askpass or --auth-user-pass passwords.\n" "--crl-verify crl ['dir']: Check peer certificate against a CRL.\n" "--tls-verify cmd: Run command cmd to verify the X509 name of a\n" " pending TLS connection that has otherwise passed all other\n" " tests of certification. cmd should return 0 to allow\n" " TLS handshake to proceed, or 1 to fail. (cmd is\n" " executed as 'cmd certificate_depth subject')\n" "--tls-export-cert [directory] : Get peer cert in PEM format and store it \n" " in an openvpn temporary file in [directory]. Peer cert is \n" " stored before tls-verify script execution and deleted after.\n" "--verify-x509-name name: Accept connections only from a host with X509 subject\n" " DN name. The remote host must also pass all other tests\n" " of verification.\n" "--ns-cert-type t: (DEPRECATED) Require that peer certificate was signed with \n" " an explicit nsCertType designation t = 'client' | 'server'.\n" "--x509-track x : Save peer X509 attribute x in environment for use by\n" " plugins and management interface.\n" #if defined(ENABLE_CRYPTO_OPENSSL) && OPENSSL_VERSION_NUMBER >= 0x10001000 "--keying-material-exporter label len : Save Exported Keying Material (RFC5705)\n" " of len bytes (min. 16 bytes) using label in environment for use by plugins.\n" #endif "--remote-cert-ku v ... : Require that the peer certificate was signed with\n" " explicit key usage, you can specify more than one value.\n" " value should be given in hex format.\n" "--remote-cert-eku oid : Require that the peer certificate was signed with\n" " explicit extended key usage. Extended key usage can be encoded\n" " as an object identifier or OpenSSL string representation.\n" "--remote-cert-tls t: Require that peer certificate was signed with explicit\n" " key usage and extended key usage based on RFC3280 TLS rules.\n" " t = 'client' | 'server'.\n" #ifdef ENABLE_PKCS11 "\n" "PKCS#11 Options:\n" "--pkcs11-providers provider ... : PKCS#11 provider to load.\n" "--pkcs11-protected-authentication [0|1] ... : Use PKCS#11 protected authentication\n" " path. Set for each provider.\n" "--pkcs11-private-mode hex ... : PKCS#11 private key mode mask.\n" " 0 : Try to determind automatically (default).\n" " 1 : Use Sign.\n" " 2 : Use SignRecover.\n" " 4 : Use Decrypt.\n" " 8 : Use Unwrap.\n" "--pkcs11-cert-private [0|1] ... : Set if login should be performed before\n" " certificate can be accessed. Set for each provider.\n" "--pkcs11-pin-cache seconds : Number of seconds to cache PIN. The default is -1\n" " cache until token is removed.\n" "--pkcs11-id-management : Acquire identity from management interface.\n" "--pkcs11-id serialized-id 'id' : Identity to use, get using standalone --show-pkcs11-ids\n" #endif /* ENABLE_PKCS11 */ "\n" "SSL Library information:\n" "--show-ciphers : Show cipher algorithms to use with --cipher option.\n" "--show-digests : Show message digest algorithms to use with --auth option.\n" "--show-engines : Show hardware crypto accelerator engines (if available).\n" "--show-tls : Show all TLS ciphers (TLS used only as a control channel).\n" #ifdef _WIN32 "\n" "Windows Specific:\n" "--win-sys path : Pathname of Windows system directory. Default is the pathname\n" " from SystemRoot environment variable.\n" "--ip-win32 method : When using --ifconfig on Windows, set TAP-Windows adapter\n" " IP address using method = manual, netsh, ipapi,\n" " dynamic, or adaptive (default = adaptive).\n" " Dynamic method allows two optional parameters:\n" " offset: DHCP server address offset (> -256 and < 256).\n" " If 0, use network address, if >0, take nth\n" " address forward from network address, if <0,\n" " take nth address backward from broadcast\n" " address.\n" " Default is 0.\n" " lease-time: Lease time in seconds.\n" " Default is one year.\n" "--route-method : Which method to use for adding routes on Windows?\n" " adaptive (default) -- Try ipapi then fall back to exe.\n" " ipapi -- Use IP helper API.\n" " exe -- Call the route.exe shell command.\n" "--dhcp-option type [parm] : Set extended TAP-Windows properties, must\n" " be used with --ip-win32 dynamic. For options\n" " which allow multiple addresses,\n" " --dhcp-option must be repeated.\n" " DOMAIN name : Set DNS suffix\n" " DNS addr : Set domain name server address(es) (IPv4)\n" " DNS6 addr : Set domain name server address(es) (IPv6)\n" " NTP : Set NTP server address(es)\n" " NBDD : Set NBDD server address(es)\n" " WINS addr : Set WINS server address(es)\n" " NBT type : Set NetBIOS over TCP/IP Node type\n" " 1: B, 2: P, 4: M, 8: H\n" " NBS id : Set NetBIOS scope ID\n" " DISABLE-NBT : Disable Netbios-over-TCP/IP.\n" "--dhcp-renew : Ask Windows to renew the TAP adapter lease on startup.\n" "--dhcp-pre-release : Ask Windows to release the previous TAP adapter lease on\n" " startup.\n" "--register-dns : Run ipconfig /flushdns and ipconfig /registerdns\n" " on connection initiation.\n" "--tap-sleep n : Sleep for n seconds after TAP adapter open before\n" " attempting to set adapter properties.\n" "--pause-exit : When run from a console window, pause before exiting.\n" "--service ex [0|1] : For use when " PACKAGE_NAME " is being instantiated by a\n" " service, and should not be used directly by end-users.\n" " ex is the name of an event object which, when\n" " signaled, will cause " PACKAGE_NAME " to exit. A second\n" " optional parameter controls the initial state of ex.\n" "--show-net-up : Show " PACKAGE_NAME "'s view of routing table and net adapter list\n" " after TAP adapter is up and routes have been added.\n" #ifdef _WIN32 "--block-outside-dns : Block DNS on other network adapters to prevent DNS leaks\n" #endif "Windows Standalone Options:\n" "\n" "--show-adapters : Show all TAP-Windows adapters.\n" "--show-net : Show " PACKAGE_NAME "'s view of routing table and net adapter list.\n" "--show-valid-subnets : Show valid subnets for --dev tun emulation.\n" "--allow-nonadmin [TAP-adapter] : Allow " PACKAGE_NAME " running without admin privileges\n" " to access TAP adapter.\n" #endif /* ifdef _WIN32 */ "\n" "Generate a random key (only for non-TLS static key encryption mode):\n" "--genkey : Generate a random key to be used as a shared secret,\n" " for use with the --secret option.\n" "--secret file : Write key to file.\n" #endif /* ENABLE_CRYPTO */ #ifdef ENABLE_FEATURE_TUN_PERSIST "\n" "Tun/tap config mode (available with linux 2.4+):\n" "--mktun : Create a persistent tunnel.\n" "--rmtun : Remove a persistent tunnel.\n" "--dev tunX|tapX : tun/tap device\n" "--dev-type dt : Device type. See tunnel options above for details.\n" "--user user : User to set privilege to.\n" "--group group : Group to set privilege to.\n" #endif #ifdef ENABLE_PKCS11 "\n" "PKCS#11 standalone options:\n" #ifdef DEFAULT_PKCS11_MODULE "--show-pkcs11-ids [provider] [cert_private] : Show PKCS#11 available ids.\n" #else "--show-pkcs11-ids provider [cert_private] : Show PKCS#11 available ids.\n" #endif " --verb option can be added *BEFORE* this.\n" #endif /* ENABLE_PKCS11 */ "\n" "General Standalone Options:\n" #ifdef ENABLE_DEBUG "--show-gateway : Show info about default gateway.\n" #endif ; #endif /* !ENABLE_SMALL */ /* * This is where the options defaults go. * Any option not explicitly set here * will be set to 0. */ void init_options(struct options *o, const bool init_gc) { CLEAR(*o); if (init_gc) { gc_init(&o->gc); o->gc_owned = true; } o->mode = MODE_POINT_TO_POINT; o->topology = TOP_NET30; o->ce.proto = PROTO_UDP; o->ce.af = AF_UNSPEC; o->ce.bind_ipv6_only = false; o->ce.connect_retry_seconds = 5; o->ce.connect_retry_seconds_max = 300; o->ce.connect_timeout = 120; o->connect_retry_max = 0; o->ce.local_port = o->ce.remote_port = OPENVPN_PORT; o->verbosity = 1; o->status_file_update_freq = 60; o->status_file_version = 1; o->ce.bind_local = true; o->ce.tun_mtu = TUN_MTU_DEFAULT; o->ce.link_mtu = LINK_MTU_DEFAULT; o->ce.mtu_discover_type = -1; o->ce.mssfix = MSSFIX_DEFAULT; o->route_delay_window = 30; o->resolve_retry_seconds = RESOLV_RETRY_INFINITE; o->resolve_in_advance = false; o->proto_force = -1; #ifdef ENABLE_OCC o->occ = true; #endif #ifdef ENABLE_MANAGEMENT o->management_log_history_cache = 250; o->management_echo_buffer_size = 100; o->management_state_buffer_size = 100; #endif #ifdef ENABLE_FEATURE_TUN_PERSIST o->persist_mode = 1; #endif #ifdef TARGET_LINUX o->tuntap_options.txqueuelen = 100; #endif #ifdef _WIN32 #if 0 o->tuntap_options.ip_win32_type = IPW32_SET_ADAPTIVE; #else o->tuntap_options.ip_win32_type = IPW32_SET_DHCP_MASQ; #endif o->tuntap_options.dhcp_lease_time = 31536000; /* one year */ o->tuntap_options.dhcp_masq_offset = 0; /* use network address as internal DHCP server address */ o->route_method = ROUTE_METHOD_ADAPTIVE; o->block_outside_dns = false; #endif #if P2MP_SERVER o->real_hash_size = 256; o->virtual_hash_size = 256; o->n_bcast_buf = 256; o->tcp_queue_limit = 64; o->max_clients = 1024; o->max_routes_per_client = 256; o->stale_routes_check_interval = 0; o->ifconfig_pool_persist_refresh_freq = 600; #endif #if P2MP o->scheduled_exit_interval = 5; #endif #ifdef ENABLE_CRYPTO o->ciphername = "BF-CBC"; #ifdef HAVE_AEAD_CIPHER_MODES /* IV_NCP=2 requires GCM support */ o->ncp_enabled = true; #else o->ncp_enabled = false; #endif o->ncp_ciphers = "AES-256-GCM:AES-128-GCM"; o->authname = "SHA1"; o->prng_hash = "SHA1"; o->prng_nonce_secret_len = 16; o->replay = true; o->replay_window = DEFAULT_SEQ_BACKTRACK; o->replay_time = DEFAULT_TIME_BACKTRACK; o->use_iv = true; o->key_direction = KEY_DIRECTION_BIDIRECTIONAL; #ifdef ENABLE_PREDICTION_RESISTANCE o->use_prediction_resistance = false; #endif o->key_method = 2; o->tls_timeout = 2; o->renegotiate_bytes = -1; o->renegotiate_seconds = 3600; o->handshake_window = 60; o->transition_window = 3600; o->ecdh_curve = NULL; #ifdef ENABLE_X509ALTUSERNAME o->x509_username_field = X509_USERNAME_FIELD_DEFAULT; #endif #endif /* ENABLE_CRYPTO */ #ifdef ENABLE_PKCS11 o->pkcs11_pin_cache_period = -1; #endif /* ENABLE_PKCS11 */ /* P2MP server context features */ #if P2MP_SERVER o->auth_token_generate = false; /* Set default --tmp-dir */ #ifdef _WIN32 /* On Windows, find temp dir via enviroment variables */ o->tmp_dir = win_get_tempdir(); #else /* Non-windows platforms use $TMPDIR, and if not set, default to '/tmp' */ o->tmp_dir = getenv("TMPDIR"); if (!o->tmp_dir) { o->tmp_dir = "/tmp"; } #endif /* _WIN32 */ #endif /* P2MP_SERVER */ o->allow_recursive_routing = false; } void uninit_options(struct options *o) { if (o->gc_owned) { gc_free(&o->gc); } } struct pull_filter { #define PUF_TYPE_UNDEF 0 /** undefined filter type */ #define PUF_TYPE_ACCEPT 1 /** filter type to accept a matching option */ #define PUF_TYPE_IGNORE 2 /** filter type to ignore a matching option */ #define PUF_TYPE_REJECT 3 /** filter type to reject and trigger SIGUSR1 */ int type; int size; char *pattern; struct pull_filter *next; }; struct pull_filter_list { struct pull_filter *head; struct pull_filter *tail; }; static const char * pull_filter_type_name(int type) { if (type == PUF_TYPE_ACCEPT) { return "accept"; } if (type == PUF_TYPE_IGNORE) { return "ignore"; } if (type == PUF_TYPE_REJECT) { return "reject"; } else { return "???"; } } #ifndef ENABLE_SMALL #define SHOW_PARM(name, value, format) msg(D_SHOW_PARMS, " " #name " = " format, (value)) #define SHOW_STR(var) SHOW_PARM(var, (o->var ? o->var : "[UNDEF]"), "'%s'") #define SHOW_INT(var) SHOW_PARM(var, o->var, "%d") #define SHOW_UINT(var) SHOW_PARM(var, o->var, "%u") #define SHOW_UNSIGNED(var) SHOW_PARM(var, o->var, "0x%08x") #define SHOW_BOOL(var) SHOW_PARM(var, (o->var ? "ENABLED" : "DISABLED"), "%s"); #endif static void setenv_connection_entry(struct env_set *es, const struct connection_entry *e, const int i) { setenv_str_i(es, "proto", proto2ascii(e->proto, e->af, false), i); setenv_str_i(es, "local", e->local, i); setenv_str_i(es, "local_port", e->local_port, i); setenv_str_i(es, "remote", e->remote, i); setenv_str_i(es, "remote_port", e->remote_port, i); if (e->http_proxy_options) { setenv_str_i(es, "http_proxy_server", e->http_proxy_options->server, i); setenv_str_i(es, "http_proxy_port", e->http_proxy_options->port, i); } if (e->socks_proxy_server) { setenv_str_i(es, "socks_proxy_server", e->socks_proxy_server, i); setenv_str_i(es, "socks_proxy_port", e->socks_proxy_port, i); } } void setenv_settings(struct env_set *es, const struct options *o) { setenv_str(es, "config", o->config); setenv_int(es, "verb", o->verbosity); setenv_int(es, "daemon", o->daemon); setenv_int(es, "daemon_log_redirect", o->log); setenv_unsigned(es, "daemon_start_time", time(NULL)); setenv_int(es, "daemon_pid", platform_getpid()); if (o->connection_list) { int i; for (i = 0; i < o->connection_list->len; ++i) { setenv_connection_entry(es, o->connection_list->array[i], i+1); } } else { setenv_connection_entry(es, &o->ce, 1); } } static in_addr_t get_ip_addr(const char *ip_string, int msglevel, bool *error) { unsigned int flags = GETADDR_HOST_ORDER; bool succeeded = false; in_addr_t ret; if (msglevel & M_FATAL) { flags |= GETADDR_FATAL; } ret = getaddr(flags, ip_string, 0, &succeeded, NULL); if (!succeeded && error) { *error = true; } return ret; } /* helper: parse a text string containing an IPv6 address + netbits * in "standard format" (2001:dba::/32) * "/nn" is optional, default to /64 if missing * * return true if parsing succeeded, modify *network and *netbits */ bool get_ipv6_addr( const char *prefix_str, struct in6_addr *network, unsigned int *netbits, int msglevel) { char *sep, *endp; int bits; struct in6_addr t_network; sep = strchr( prefix_str, '/' ); if (sep == NULL) { bits = 64; } else { bits = strtol( sep+1, &endp, 10 ); if (*endp != '\0' || bits < 0 || bits > 128) { msg(msglevel, "IPv6 prefix '%s': invalid '/bits' spec", prefix_str); return false; } } /* temporary replace '/' in caller-provided string with '\0', otherwise * inet_pton() will refuse prefix string * (alternative would be to strncpy() the prefix to temporary buffer) */ if (sep != NULL) { *sep = '\0'; } if (inet_pton( AF_INET6, prefix_str, &t_network ) != 1) { msg(msglevel, "IPv6 prefix '%s': invalid IPv6 address", prefix_str); return false; } if (sep != NULL) { *sep = '/'; } if (netbits != NULL) { *netbits = bits; } if (network != NULL) { *network = t_network; } return true; /* parsing OK, values set */ } /** * Returns newly allocated string containing address part without "/nn". * * If gc != NULL, the allocated memory is registered in the supplied gc. */ static char * get_ipv6_addr_no_netbits(const char *addr, struct gc_arena *gc) { const char *end = strchr(addr, '/'); char *ret = NULL; if (NULL == end) { ret = string_alloc(addr, gc); } else { size_t len = end - addr; ret = gc_malloc(len + 1, true, gc); memcpy(ret, addr, len); } return ret; } static bool ipv6_addr_safe_hexplusbits( const char *ipv6_prefix_spec ) { struct in6_addr t_addr; unsigned int t_bits; return get_ipv6_addr( ipv6_prefix_spec, &t_addr, &t_bits, M_WARN ); } static char * string_substitute(const char *src, int from, int to, struct gc_arena *gc) { char *ret = (char *) gc_malloc(strlen(src) + 1, true, gc); char *dest = ret; char c; do { c = *src++; if (c == from) { c = to; } *dest++ = c; } while (c); return ret; } #ifdef ENABLE_CRYPTO static uint8_t * parse_hash_fingerprint(const char *str, int nbytes, int msglevel, struct gc_arena *gc) { int i; const char *cp = str; uint8_t *ret = (uint8_t *) gc_malloc(nbytes, true, gc); char term = 1; int byte; char bs[3]; for (i = 0; i < nbytes; ++i) { if (strlen(cp) < 2) { msg(msglevel, "format error in hash fingerprint: %s", str); } bs[0] = *cp++; bs[1] = *cp++; bs[2] = 0; byte = 0; if (sscanf(bs, "%x", &byte) != 1) { msg(msglevel, "format error in hash fingerprint hex byte: %s", str); } ret[i] = (uint8_t)byte; term = *cp++; if (term != ':' && term != 0) { msg(msglevel, "format error in hash fingerprint delimiter: %s", str); } if (term == 0) { break; } } if (term != 0 || i != nbytes-1) { msg(msglevel, "hash fingerprint is different length than expected (%d bytes): %s", nbytes, str); } return ret; } #endif /* ifdef ENABLE_CRYPTO */ #ifdef _WIN32 #ifndef ENABLE_SMALL static void show_dhcp_option_addrs(const char *name, const in_addr_t *array, int len) { struct gc_arena gc = gc_new(); int i; for (i = 0; i < len; ++i) { msg(D_SHOW_PARMS, " %s[%d] = %s", name, i, print_in_addr_t(array[i], 0, &gc)); } gc_free(&gc); } static void show_tuntap_options(const struct tuntap_options *o) { SHOW_BOOL(ip_win32_defined); SHOW_INT(ip_win32_type); SHOW_INT(dhcp_masq_offset); SHOW_INT(dhcp_lease_time); SHOW_INT(tap_sleep); SHOW_BOOL(dhcp_options); SHOW_BOOL(dhcp_renew); SHOW_BOOL(dhcp_pre_release); SHOW_STR(domain); SHOW_STR(netbios_scope); SHOW_INT(netbios_node_type); SHOW_BOOL(disable_nbt); show_dhcp_option_addrs("DNS", o->dns, o->dns_len); show_dhcp_option_addrs("WINS", o->wins, o->wins_len); show_dhcp_option_addrs("NTP", o->ntp, o->ntp_len); show_dhcp_option_addrs("NBDD", o->nbdd, o->nbdd_len); } #endif /* ifndef ENABLE_SMALL */ #endif /* ifdef _WIN32 */ #if defined(_WIN32) || defined(TARGET_ANDROID) static void dhcp_option_address_parse(const char *name, const char *parm, in_addr_t *array, int *len, int msglevel) { if (*len >= N_DHCP_ADDR) { msg(msglevel, "--dhcp-option %s: maximum of %d %s servers can be specified", name, N_DHCP_ADDR, name); } else { if (ip_addr_dotted_quad_safe(parm)) /* FQDN -- IP address only */ { bool error = false; const in_addr_t addr = get_ip_addr(parm, msglevel, &error); if (!error) { array[(*len)++] = addr; } } else { msg(msglevel, "dhcp-option parameter %s '%s' must be an IP address", name, parm); } } } #endif /* if defined(_WIN32) || defined(TARGET_ANDROID) */ #if P2MP #ifndef ENABLE_SMALL static void show_p2mp_parms(const struct options *o) { struct gc_arena gc = gc_new(); #if P2MP_SERVER msg(D_SHOW_PARMS, " server_network = %s", print_in_addr_t(o->server_network, 0, &gc)); msg(D_SHOW_PARMS, " server_netmask = %s", print_in_addr_t(o->server_netmask, 0, &gc)); msg(D_SHOW_PARMS, " server_network_ipv6 = %s", print_in6_addr(o->server_network_ipv6, 0, &gc) ); SHOW_INT(server_netbits_ipv6); msg(D_SHOW_PARMS, " server_bridge_ip = %s", print_in_addr_t(o->server_bridge_ip, 0, &gc)); msg(D_SHOW_PARMS, " server_bridge_netmask = %s", print_in_addr_t(o->server_bridge_netmask, 0, &gc)); msg(D_SHOW_PARMS, " server_bridge_pool_start = %s", print_in_addr_t(o->server_bridge_pool_start, 0, &gc)); msg(D_SHOW_PARMS, " server_bridge_pool_end = %s", print_in_addr_t(o->server_bridge_pool_end, 0, &gc)); if (o->push_list.head) { const struct push_entry *e = o->push_list.head; while (e) { if (e->enable) { msg(D_SHOW_PARMS, " push_entry = '%s'", e->option); } e = e->next; } } SHOW_BOOL(ifconfig_pool_defined); msg(D_SHOW_PARMS, " ifconfig_pool_start = %s", print_in_addr_t(o->ifconfig_pool_start, 0, &gc)); msg(D_SHOW_PARMS, " ifconfig_pool_end = %s", print_in_addr_t(o->ifconfig_pool_end, 0, &gc)); msg(D_SHOW_PARMS, " ifconfig_pool_netmask = %s", print_in_addr_t(o->ifconfig_pool_netmask, 0, &gc)); SHOW_STR(ifconfig_pool_persist_filename); SHOW_INT(ifconfig_pool_persist_refresh_freq); SHOW_BOOL(ifconfig_ipv6_pool_defined); msg(D_SHOW_PARMS, " ifconfig_ipv6_pool_base = %s", print_in6_addr(o->ifconfig_ipv6_pool_base, 0, &gc)); SHOW_INT(ifconfig_ipv6_pool_netbits); SHOW_INT(n_bcast_buf); SHOW_INT(tcp_queue_limit); SHOW_INT(real_hash_size); SHOW_INT(virtual_hash_size); SHOW_STR(client_connect_script); SHOW_STR(learn_address_script); SHOW_STR(client_disconnect_script); SHOW_STR(client_config_dir); SHOW_BOOL(ccd_exclusive); SHOW_STR(tmp_dir); SHOW_BOOL(push_ifconfig_defined); msg(D_SHOW_PARMS, " push_ifconfig_local = %s", print_in_addr_t(o->push_ifconfig_local, 0, &gc)); msg(D_SHOW_PARMS, " push_ifconfig_remote_netmask = %s", print_in_addr_t(o->push_ifconfig_remote_netmask, 0, &gc)); SHOW_BOOL(push_ifconfig_ipv6_defined); msg(D_SHOW_PARMS, " push_ifconfig_ipv6_local = %s/%d", print_in6_addr(o->push_ifconfig_ipv6_local, 0, &gc), o->push_ifconfig_ipv6_netbits ); msg(D_SHOW_PARMS, " push_ifconfig_ipv6_remote = %s", print_in6_addr(o->push_ifconfig_ipv6_remote, 0, &gc)); SHOW_BOOL(enable_c2c); SHOW_BOOL(duplicate_cn); SHOW_INT(cf_max); SHOW_INT(cf_per); SHOW_INT(max_clients); SHOW_INT(max_routes_per_client); SHOW_STR(auth_user_pass_verify_script); SHOW_BOOL(auth_user_pass_verify_script_via_file); SHOW_BOOL(auth_token_generate); SHOW_INT(auth_token_lifetime); #if PORT_SHARE SHOW_STR(port_share_host); SHOW_STR(port_share_port); #endif #endif /* P2MP_SERVER */ SHOW_BOOL(client); SHOW_BOOL(pull); SHOW_STR(auth_user_pass_file); gc_free(&gc); } #endif /* ! ENABLE_SMALL */ #if P2MP_SERVER static void option_iroute(struct options *o, const char *network_str, const char *netmask_str, int msglevel) { struct iroute *ir; ALLOC_OBJ_GC(ir, struct iroute, &o->gc); ir->network = getaddr(GETADDR_HOST_ORDER, network_str, 0, NULL, NULL); ir->netbits = -1; if (netmask_str) { const in_addr_t netmask = getaddr(GETADDR_HOST_ORDER, netmask_str, 0, NULL, NULL); if (!netmask_to_netbits(ir->network, netmask, &ir->netbits)) { msg(msglevel, "in --iroute %s %s : Bad network/subnet specification", network_str, netmask_str); return; } } ir->next = o->iroutes; o->iroutes = ir; } static void option_iroute_ipv6(struct options *o, const char *prefix_str, int msglevel) { struct iroute_ipv6 *ir; ALLOC_OBJ_GC(ir, struct iroute_ipv6, &o->gc); if (!get_ipv6_addr(prefix_str, &ir->network, &ir->netbits, msglevel )) { msg(msglevel, "in --iroute-ipv6 %s: Bad IPv6 prefix specification", prefix_str); return; } ir->next = o->iroutes_ipv6; o->iroutes_ipv6 = ir; } #endif /* P2MP_SERVER */ #endif /* P2MP */ #ifndef ENABLE_SMALL static void show_http_proxy_options(const struct http_proxy_options *o) { int i; msg(D_SHOW_PARMS, "BEGIN http_proxy"); SHOW_STR(server); SHOW_STR(port); SHOW_STR(auth_method_string); SHOW_STR(auth_file); SHOW_STR(http_version); SHOW_STR(user_agent); for (i = 0; i < MAX_CUSTOM_HTTP_HEADER && o->custom_headers[i].name; i++) { if (o->custom_headers[i].content) { msg(D_SHOW_PARMS, " custom_header[%d] = %s: %s", i, o->custom_headers[i].name, o->custom_headers[i].content); } else { msg(D_SHOW_PARMS, " custom_header[%d] = %s", i, o->custom_headers[i].name); } } msg(D_SHOW_PARMS, "END http_proxy"); } #endif /* ifndef ENABLE_SMALL */ void options_detach(struct options *o) { gc_detach(&o->gc); o->routes = NULL; o->client_nat = NULL; #if P2MP_SERVER clone_push_list(o); #endif } void rol_check_alloc(struct options *options) { if (!options->routes) { options->routes = new_route_option_list(&options->gc); } } static void rol6_check_alloc(struct options *options) { if (!options->routes_ipv6) { options->routes_ipv6 = new_route_ipv6_option_list(&options->gc); } } static void cnol_check_alloc(struct options *options) { if (!options->client_nat) { options->client_nat = new_client_nat_list(&options->gc); } } #ifndef ENABLE_SMALL static void show_connection_entry(const struct connection_entry *o) { msg(D_SHOW_PARMS, " proto = %s", proto2ascii(o->proto, o->af, false)); SHOW_STR(local); SHOW_STR(local_port); SHOW_STR(remote); SHOW_STR(remote_port); SHOW_BOOL(remote_float); SHOW_BOOL(bind_defined); SHOW_BOOL(bind_local); SHOW_BOOL(bind_ipv6_only); SHOW_INT(connect_retry_seconds); SHOW_INT(connect_timeout); if (o->http_proxy_options) { show_http_proxy_options(o->http_proxy_options); } SHOW_STR(socks_proxy_server); SHOW_STR(socks_proxy_port); SHOW_INT(tun_mtu); SHOW_BOOL(tun_mtu_defined); SHOW_INT(link_mtu); SHOW_BOOL(link_mtu_defined); SHOW_INT(tun_mtu_extra); SHOW_BOOL(tun_mtu_extra_defined); SHOW_INT(mtu_discover_type); #ifdef ENABLE_FRAGMENT SHOW_INT(fragment); #endif SHOW_INT(mssfix); #ifdef ENABLE_OCC SHOW_INT(explicit_exit_notification); #endif } static void show_connection_entries(const struct options *o) { if (o->connection_list) { const struct connection_list *l = o->connection_list; int i; for (i = 0; i < l->len; ++i) { msg(D_SHOW_PARMS, "Connection profiles [%d]:", i); show_connection_entry(l->array[i]); } } else { msg(D_SHOW_PARMS, "Connection profiles [default]:"); show_connection_entry(&o->ce); } msg(D_SHOW_PARMS, "Connection profiles END"); } static void show_pull_filter_list(const struct pull_filter_list *l) { struct pull_filter *f; if (!l) { return; } msg(D_SHOW_PARMS, " Pull filters:"); for (f = l->head; f; f = f->next) { msg(D_SHOW_PARMS, " %s \"%s\"", pull_filter_type_name(f->type), f->pattern); } } #endif /* ifndef ENABLE_SMALL */ void show_settings(const struct options *o) { #ifndef ENABLE_SMALL msg(D_SHOW_PARMS, "Current Parameter Settings:"); SHOW_STR(config); SHOW_INT(mode); #ifdef ENABLE_FEATURE_TUN_PERSIST SHOW_BOOL(persist_config); SHOW_INT(persist_mode); #endif #ifdef ENABLE_CRYPTO SHOW_BOOL(show_ciphers); SHOW_BOOL(show_digests); SHOW_BOOL(show_engines); SHOW_BOOL(genkey); SHOW_STR(key_pass_file); SHOW_BOOL(show_tls_ciphers); #endif SHOW_INT(connect_retry_max); show_connection_entries(o); SHOW_BOOL(remote_random); SHOW_STR(ipchange); SHOW_STR(dev); SHOW_STR(dev_type); SHOW_STR(dev_node); SHOW_STR(lladdr); SHOW_INT(topology); SHOW_STR(ifconfig_local); SHOW_STR(ifconfig_remote_netmask); SHOW_BOOL(ifconfig_noexec); SHOW_BOOL(ifconfig_nowarn); SHOW_STR(ifconfig_ipv6_local); SHOW_INT(ifconfig_ipv6_netbits); SHOW_STR(ifconfig_ipv6_remote); #ifdef ENABLE_FEATURE_SHAPER SHOW_INT(shaper); #endif #ifdef ENABLE_OCC SHOW_INT(mtu_test); #endif SHOW_BOOL(mlock); SHOW_INT(keepalive_ping); SHOW_INT(keepalive_timeout); SHOW_INT(inactivity_timeout); SHOW_INT(ping_send_timeout); SHOW_INT(ping_rec_timeout); SHOW_INT(ping_rec_timeout_action); SHOW_BOOL(ping_timer_remote); SHOW_INT(remap_sigusr1); SHOW_BOOL(persist_tun); SHOW_BOOL(persist_local_ip); SHOW_BOOL(persist_remote_ip); SHOW_BOOL(persist_key); #if PASSTOS_CAPABILITY SHOW_BOOL(passtos); #endif SHOW_INT(resolve_retry_seconds); SHOW_BOOL(resolve_in_advance); SHOW_STR(username); SHOW_STR(groupname); SHOW_STR(chroot_dir); SHOW_STR(cd_dir); #ifdef ENABLE_SELINUX SHOW_STR(selinux_context); #endif SHOW_STR(writepid); SHOW_STR(up_script); SHOW_STR(down_script); SHOW_BOOL(down_pre); SHOW_BOOL(up_restart); SHOW_BOOL(up_delay); SHOW_BOOL(daemon); SHOW_INT(inetd); SHOW_BOOL(log); SHOW_BOOL(suppress_timestamps); SHOW_BOOL(machine_readable_output); SHOW_INT(nice); SHOW_INT(verbosity); SHOW_INT(mute); #ifdef ENABLE_DEBUG SHOW_INT(gremlin); #endif SHOW_STR(status_file); SHOW_INT(status_file_version); SHOW_INT(status_file_update_freq); #ifdef ENABLE_OCC SHOW_BOOL(occ); #endif SHOW_INT(rcvbuf); SHOW_INT(sndbuf); #if defined(TARGET_LINUX) && HAVE_DECL_SO_MARK SHOW_INT(mark); #endif SHOW_INT(sockflags); SHOW_BOOL(fast_io); #ifdef USE_COMP SHOW_INT(comp.alg); SHOW_INT(comp.flags); #endif SHOW_STR(route_script); SHOW_STR(route_default_gateway); SHOW_INT(route_default_metric); SHOW_BOOL(route_noexec); SHOW_INT(route_delay); SHOW_INT(route_delay_window); SHOW_BOOL(route_delay_defined); SHOW_BOOL(route_nopull); SHOW_BOOL(route_gateway_via_dhcp); SHOW_BOOL(allow_pull_fqdn); show_pull_filter_list(o->pull_filter_list); if (o->routes) { print_route_options(o->routes, D_SHOW_PARMS); } if (o->client_nat) { print_client_nat_list(o->client_nat, D_SHOW_PARMS); } #ifdef ENABLE_MANAGEMENT SHOW_STR(management_addr); SHOW_STR(management_port); SHOW_STR(management_user_pass); SHOW_INT(management_log_history_cache); SHOW_INT(management_echo_buffer_size); SHOW_STR(management_write_peer_info_file); SHOW_STR(management_client_user); SHOW_STR(management_client_group); SHOW_INT(management_flags); #endif #ifdef ENABLE_PLUGIN if (o->plugin_list) { plugin_option_list_print(o->plugin_list, D_SHOW_PARMS); } #endif #ifdef ENABLE_CRYPTO SHOW_STR(shared_secret_file); SHOW_INT(key_direction); SHOW_STR(ciphername); SHOW_BOOL(ncp_enabled); SHOW_STR(ncp_ciphers); SHOW_STR(authname); SHOW_STR(prng_hash); SHOW_INT(prng_nonce_secret_len); SHOW_INT(keysize); #ifndef ENABLE_CRYPTO_MBEDTLS SHOW_BOOL(engine); #endif /* ENABLE_CRYPTO_MBEDTLS */ SHOW_BOOL(replay); SHOW_BOOL(mute_replay_warnings); SHOW_INT(replay_window); SHOW_INT(replay_time); SHOW_STR(packet_id_file); SHOW_BOOL(use_iv); SHOW_BOOL(test_crypto); #ifdef ENABLE_PREDICTION_RESISTANCE SHOW_BOOL(use_prediction_resistance); #endif SHOW_BOOL(tls_server); SHOW_BOOL(tls_client); SHOW_INT(key_method); SHOW_STR(ca_file); SHOW_STR(ca_path); SHOW_STR(dh_file); #ifdef MANAGMENT_EXTERNAL_KEY if ((o->management_flags & MF_EXTERNAL_CERT)) { SHOW_PARM("cert_file","EXTERNAL_CERT","%s"); } else #endif SHOW_STR(cert_file); SHOW_STR(extra_certs_file); #ifdef MANAGMENT_EXTERNAL_KEY if ((o->management_flags & MF_EXTERNAL_KEY)) { SHOW_PARM("priv_key_file","EXTERNAL_PRIVATE_KEY","%s"); } else #endif SHOW_STR(priv_key_file); #ifndef ENABLE_CRYPTO_MBEDTLS SHOW_STR(pkcs12_file); #endif #ifdef ENABLE_CRYPTOAPI SHOW_STR(cryptoapi_cert); #endif SHOW_STR(cipher_list); SHOW_STR(tls_verify); SHOW_STR(tls_export_cert); SHOW_INT(verify_x509_type); SHOW_STR(verify_x509_name); SHOW_STR(crl_file); SHOW_INT(ns_cert_type); { int i; for (i = 0; ipkcs11_providers[i] != NULL; i++) { SHOW_PARM(pkcs11_providers, o->pkcs11_providers[i], "%s"); } } { int i; for (i = 0; ipkcs11_protected_authentication[i] ? "ENABLED" : "DISABLED", "%s"); } } { int i; for (i = 0; ipkcs11_private_mode[i], "%08x"); } } { int i; for (i = 0; ipkcs11_cert_private[i] ? "ENABLED" : "DISABLED", "%s"); } } SHOW_INT(pkcs11_pin_cache_period); SHOW_STR(pkcs11_id); SHOW_BOOL(pkcs11_id_management); #endif /* ENABLE_PKCS11 */ #if P2MP show_p2mp_parms(o); #endif #ifdef _WIN32 SHOW_BOOL(show_net_up); SHOW_INT(route_method); SHOW_BOOL(block_outside_dns); show_tuntap_options(&o->tuntap_options); #endif #endif /* ifndef ENABLE_SMALL */ } #undef SHOW_PARM #undef SHOW_STR #undef SHOW_INT #undef SHOW_BOOL #ifdef ENABLE_MANAGEMENT static struct http_proxy_options * parse_http_proxy_override(const char *server, const char *port, const char *flags, const int msglevel, struct gc_arena *gc) { if (server && port) { struct http_proxy_options *ho; ALLOC_OBJ_CLEAR_GC(ho, struct http_proxy_options, gc); ho->server = string_alloc(server, gc); ho->port = port; if (flags && !strcmp(flags, "nct")) { ho->auth_retry = PAR_NCT; } else { ho->auth_retry = PAR_ALL; } ho->http_version = "1.0"; ho->user_agent = "OpenVPN-Autoproxy/1.0"; return ho; } else { return NULL; } } static void options_postprocess_http_proxy_override(struct options *o) { const struct connection_list *l = o->connection_list; int i; bool succeed = false; for (i = 0; i < l->len; ++i) { struct connection_entry *ce = l->array[i]; if (ce->proto == PROTO_TCP_CLIENT || ce->proto == PROTO_TCP) { ce->http_proxy_options = o->http_proxy_override; succeed = true; } } if (succeed) { for (i = 0; i < l->len; ++i) { struct connection_entry *ce = l->array[i]; if (ce->proto == PROTO_UDP) { ce->flags |= CE_DISABLED; } } } else { msg(M_WARN, "Note: option http-proxy-override ignored because no TCP-based connection profiles are defined"); } } #endif /* ifdef ENABLE_MANAGEMENT */ static struct connection_list * alloc_connection_list_if_undef(struct options *options) { if (!options->connection_list) { ALLOC_OBJ_CLEAR_GC(options->connection_list, struct connection_list, &options->gc); } return options->connection_list; } static struct connection_entry * alloc_connection_entry(struct options *options, const int msglevel) { struct connection_list *l = alloc_connection_list_if_undef(options); struct connection_entry *e; if (l->len >= CONNECTION_LIST_SIZE) { msg(msglevel, "Maximum number of 'connection' options (%d) exceeded", CONNECTION_LIST_SIZE); return NULL; } ALLOC_OBJ_GC(e, struct connection_entry, &options->gc); l->array[l->len++] = e; return e; } static struct remote_list * alloc_remote_list_if_undef(struct options *options) { if (!options->remote_list) { ALLOC_OBJ_CLEAR_GC(options->remote_list, struct remote_list, &options->gc); } return options->remote_list; } static struct remote_entry * alloc_remote_entry(struct options *options, const int msglevel) { struct remote_list *l = alloc_remote_list_if_undef(options); struct remote_entry *e; if (l->len >= CONNECTION_LIST_SIZE) { msg(msglevel, "Maximum number of 'remote' options (%d) exceeded", CONNECTION_LIST_SIZE); return NULL; } ALLOC_OBJ_GC(e, struct remote_entry, &options->gc); l->array[l->len++] = e; return e; } static struct pull_filter_list * alloc_pull_filter_list(struct options *o) { if (!o->pull_filter_list) { ALLOC_OBJ_CLEAR_GC(o->pull_filter_list, struct pull_filter_list, &o->gc); } return o->pull_filter_list; } static struct pull_filter * alloc_pull_filter(struct options *o, const int msglevel) { struct pull_filter_list *l = alloc_pull_filter_list(o); struct pull_filter *f; ALLOC_OBJ_CLEAR_GC(f, struct pull_filter, &o->gc); if (l->head) { ASSERT(l->tail); l->tail->next = f; } else { ASSERT(!l->tail); l->head = f; } l->tail = f; return f; } static void connection_entry_load_re(struct connection_entry *ce, const struct remote_entry *re) { if (re->remote) { ce->remote = re->remote; } if (re->remote_port) { ce->remote_port = re->remote_port; } if (re->proto >= 0) { ce->proto = re->proto; } if (re->af > 0) { ce->af = re->af; } } static void options_postprocess_verify_ce(const struct options *options, const struct connection_entry *ce) { struct options defaults; int dev = DEV_TYPE_UNDEF; bool pull = false; init_options(&defaults, true); #ifdef ENABLE_CRYPTO if (options->test_crypto) { notnull(options->shared_secret_file, "key file (--secret)"); } else #endif notnull(options->dev, "TUN/TAP device (--dev)"); /* * Get tun/tap/null device type */ dev = dev_type_enum(options->dev, options->dev_type); /* * If "proto tcp" is specified, make sure we know whether it is * tcp-client or tcp-server. */ if (ce->proto == PROTO_TCP) { msg(M_USAGE, "--proto tcp is ambiguous in this context. Please specify --proto tcp-server or --proto tcp-client"); } /* * Sanity check on daemon/inetd modes */ if (options->daemon && options->inetd) { msg(M_USAGE, "only one of --daemon or --inetd may be specified"); } if (options->inetd && (ce->local || ce->remote)) { msg(M_USAGE, "--local or --remote cannot be used with --inetd"); } if (options->inetd && ce->proto == PROTO_TCP_CLIENT) { msg(M_USAGE, "--proto tcp-client cannot be used with --inetd"); } if (options->inetd == INETD_NOWAIT && ce->proto != PROTO_TCP_SERVER) { msg(M_USAGE, "--inetd nowait can only be used with --proto tcp-server"); } if (options->inetd == INETD_NOWAIT #ifdef ENABLE_CRYPTO && !(options->tls_server || options->tls_client) #endif ) { msg(M_USAGE, "--inetd nowait can only be used in TLS mode"); } if (options->inetd == INETD_NOWAIT && dev != DEV_TYPE_TAP) { msg(M_USAGE, "--inetd nowait only makes sense in --dev tap mode"); } if (options->lladdr && dev != DEV_TYPE_TAP) { msg(M_USAGE, "--lladdr can only be used in --dev tap mode"); } /* * Sanity check on MTU parameters */ if (options->ce.tun_mtu_defined && options->ce.link_mtu_defined) { msg(M_USAGE, "only one of --tun-mtu or --link-mtu may be defined (note that --ifconfig implies --link-mtu %d)", LINK_MTU_DEFAULT); } #ifdef ENABLE_OCC if (!proto_is_udp(ce->proto) && options->mtu_test) { msg(M_USAGE, "--mtu-test only makes sense with --proto udp"); } #endif /* will we be pulling options from server? */ #if P2MP pull = options->pull; #endif /* * Sanity check on --local, --remote, and --ifconfig */ if (proto_is_net(ce->proto) && string_defined_equal(ce->local, ce->remote) && string_defined_equal(ce->local_port, ce->remote_port)) { msg(M_USAGE, "--remote and --local addresses are the same"); } if (string_defined_equal(ce->remote, options->ifconfig_local) || string_defined_equal(ce->remote, options->ifconfig_remote_netmask)) { msg(M_USAGE, "--local and --remote addresses must be distinct from --ifconfig addresses"); } if (string_defined_equal(ce->local, options->ifconfig_local) || string_defined_equal(ce->local, options->ifconfig_remote_netmask)) { msg(M_USAGE, "--local addresses must be distinct from --ifconfig addresses"); } if (string_defined_equal(options->ifconfig_local, options->ifconfig_remote_netmask)) { msg(M_USAGE, "local and remote/netmask --ifconfig addresses must be different"); } if (ce->bind_defined && !ce->bind_local) { msg(M_USAGE, "--bind and --nobind can't be used together"); } if (ce->local && !ce->bind_local) { msg(M_USAGE, "--local and --nobind don't make sense when used together"); } if (ce->local_port_defined && !ce->bind_local) { msg(M_USAGE, "--lport and --nobind don't make sense when used together"); } if (!ce->remote && !ce->bind_local) { msg(M_USAGE, "--nobind doesn't make sense unless used with --remote"); } /* * Check for consistency of management options */ #ifdef ENABLE_MANAGEMENT if (!options->management_addr && (options->management_flags || options->management_write_peer_info_file || options->management_log_history_cache != defaults.management_log_history_cache)) { msg(M_USAGE, "--management is not specified, however one or more options which modify the behavior of --management were specified"); } if ((options->management_client_user || options->management_client_group) && !(options->management_flags & MF_UNIX_SOCK)) { msg(M_USAGE, "--management-client-(user|group) can only be used on unix domain sockets"); } #endif /* * Windows-specific options. */ #ifdef _WIN32 if (dev == DEV_TYPE_TUN && !(pull || (options->ifconfig_local && options->ifconfig_remote_netmask))) { msg(M_USAGE, "On Windows, --ifconfig is required when --dev tun is used"); } if ((options->tuntap_options.ip_win32_defined) && !(pull || (options->ifconfig_local && options->ifconfig_remote_netmask))) { msg(M_USAGE, "On Windows, --ip-win32 doesn't make sense unless --ifconfig is also used"); } if (options->tuntap_options.dhcp_options && options->tuntap_options.ip_win32_type != IPW32_SET_DHCP_MASQ && options->tuntap_options.ip_win32_type != IPW32_SET_ADAPTIVE) { msg(M_USAGE, "--dhcp-options requires --ip-win32 dynamic or adaptive"); } #endif /* * Check that protocol options make sense. */ #ifdef ENABLE_FRAGMENT if (!proto_is_udp(ce->proto) && ce->fragment) { msg(M_USAGE, "--fragment can only be used with --proto udp"); } #endif #ifdef ENABLE_OCC if (!proto_is_udp(ce->proto) && ce->explicit_exit_notification) { msg(M_USAGE, "--explicit-exit-notify can only be used with --proto udp"); } #endif if (!ce->remote && ce->proto == PROTO_TCP_CLIENT) { msg(M_USAGE, "--remote MUST be used in TCP Client mode"); } if ((ce->http_proxy_options) && ce->proto != PROTO_TCP_CLIENT) { msg(M_USAGE, "--http-proxy MUST be used in TCP Client mode (i.e. --proto tcp-client)"); } if ((ce->http_proxy_options) && !ce->http_proxy_options->server) { msg(M_USAGE, "--http-proxy not specified but other http proxy options present"); } if (ce->http_proxy_options && ce->socks_proxy_server) { msg(M_USAGE, "--http-proxy can not be used together with --socks-proxy"); } if (ce->socks_proxy_server && ce->proto == PROTO_TCP_SERVER) { msg(M_USAGE, "--socks-proxy can not be used in TCP Server mode"); } if (ce->proto == PROTO_TCP_SERVER && (options->connection_list->len > 1)) { msg(M_USAGE, "TCP server mode allows at most one --remote address"); } #if P2MP_SERVER /* * Check consistency of --mode server options. */ if (options->mode == MODE_SERVER) { if (!(dev == DEV_TYPE_TUN || dev == DEV_TYPE_TAP)) { msg(M_USAGE, "--mode server only works with --dev tun or --dev tap"); } if (options->pull) { msg(M_USAGE, "--pull cannot be used with --mode server"); } if (options->pull_filter_list) { msg(M_USAGE, "--pull-filter cannot be used with --mode server"); } if (!(proto_is_udp(ce->proto) || ce->proto == PROTO_TCP_SERVER)) { msg(M_USAGE, "--mode server currently only supports " "--proto udp or --proto tcp-server or proto tcp6-server"); } #if PORT_SHARE if ((options->port_share_host || options->port_share_port) && (ce->proto != PROTO_TCP_SERVER)) { msg(M_USAGE, "--port-share only works in TCP server mode " "(--proto tcp-server or tcp6-server)"); } #endif if (!options->tls_server) { msg(M_USAGE, "--mode server requires --tls-server"); } if (ce->remote) { msg(M_USAGE, "--remote cannot be used with --mode server"); } if (!ce->bind_local) { msg(M_USAGE, "--nobind cannot be used with --mode server"); } if (ce->http_proxy_options) { msg(M_USAGE, "--http-proxy cannot be used with --mode server"); } if (ce->socks_proxy_server) { msg(M_USAGE, "--socks-proxy cannot be used with --mode server"); } /* blocks force to have a remote embedded, so we check for the * --remote and bail out if it is present */ if (options->connection_list->len >1 || options->connection_list->array[0]->remote) { msg(M_USAGE, " cannot be used with --mode server"); } if (options->shaper) { msg(M_USAGE, "--shaper cannot be used with --mode server"); } if (options->inetd) { msg(M_USAGE, "--inetd cannot be used with --mode server"); } if (options->ipchange) { msg(M_USAGE, "--ipchange cannot be used with --mode server (use --client-connect instead)"); } if (!(proto_is_dgram(ce->proto) || ce->proto == PROTO_TCP_SERVER)) { msg(M_USAGE, "--mode server currently only supports " "--proto udp or --proto tcp-server or --proto tcp6-server"); } if (!proto_is_udp(ce->proto) && (options->cf_max || options->cf_per)) { msg(M_USAGE, "--connect-freq only works with --mode server --proto udp. Try --max-clients instead."); } if (!(dev == DEV_TYPE_TAP || (dev == DEV_TYPE_TUN && options->topology == TOP_SUBNET)) && options->ifconfig_pool_netmask) { msg(M_USAGE, "The third parameter to --ifconfig-pool (netmask) is only valid in --dev tap mode"); } if (options->routes && (options->routes->flags & RG_ENABLE)) { msg(M_USAGE, "--redirect-gateway cannot be used with --mode server (however --push \"redirect-gateway\" is fine)"); } if (options->route_delay_defined) { msg(M_USAGE, "--route-delay cannot be used with --mode server"); } if (options->up_delay) { msg(M_USAGE, "--up-delay cannot be used with --mode server"); } if (!options->ifconfig_pool_defined && options->ifconfig_pool_persist_filename) { msg(M_USAGE, "--ifconfig-pool-persist must be used with --ifconfig-pool"); } if (options->ifconfig_ipv6_pool_defined && !options->ifconfig_ipv6_local) { msg(M_USAGE, "--ifconfig-ipv6-pool needs --ifconfig-ipv6"); } if (options->allow_recursive_routing) { msg(M_USAGE, "--allow-recursive-routing cannot be used with --mode server"); } if (options->auth_user_pass_file) { msg(M_USAGE, "--auth-user-pass cannot be used with --mode server (it should be used on the client side only)"); } if (options->ccd_exclusive && !options->client_config_dir) { msg(M_USAGE, "--ccd-exclusive must be used with --client-config-dir"); } if (options->key_method != 2) { msg(M_USAGE, "--mode server requires --key-method 2"); } { const bool ccnr = (options->auth_user_pass_verify_script || PLUGIN_OPTION_LIST(options) || MAN_CLIENT_AUTH_ENABLED(options)); const char *postfix = "must be used with --management-client-auth, an --auth-user-pass-verify script, or plugin"; if ((options->ssl_flags & (SSLF_CLIENT_CERT_NOT_REQUIRED|SSLF_CLIENT_CERT_OPTIONAL)) && !ccnr) { msg(M_USAGE, "--verify-client-cert none|optional %s", postfix); } if ((options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME) && !ccnr) { msg(M_USAGE, "--username-as-common-name %s", postfix); } if ((options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL) && !ccnr) { msg(M_USAGE, "--auth-user-pass-optional %s", postfix); } } } else { /* * When not in server mode, err if parameters are * specified which require --mode server. */ if (options->ifconfig_pool_defined || options->ifconfig_pool_persist_filename) { msg(M_USAGE, "--ifconfig-pool/--ifconfig-pool-persist requires --mode server"); } if (options->ifconfig_ipv6_pool_defined) { msg(M_USAGE, "--ifconfig-ipv6-pool requires --mode server"); } if (options->real_hash_size != defaults.real_hash_size || options->virtual_hash_size != defaults.virtual_hash_size) { msg(M_USAGE, "--hash-size requires --mode server"); } if (options->learn_address_script) { msg(M_USAGE, "--learn-address requires --mode server"); } if (options->client_connect_script) { msg(M_USAGE, "--client-connect requires --mode server"); } if (options->client_disconnect_script) { msg(M_USAGE, "--client-disconnect requires --mode server"); } if (options->client_config_dir || options->ccd_exclusive) { msg(M_USAGE, "--client-config-dir/--ccd-exclusive requires --mode server"); } if (options->enable_c2c) { msg(M_USAGE, "--client-to-client requires --mode server"); } if (options->duplicate_cn) { msg(M_USAGE, "--duplicate-cn requires --mode server"); } if (options->cf_max || options->cf_per) { msg(M_USAGE, "--connect-freq requires --mode server"); } if (options->ssl_flags & (SSLF_CLIENT_CERT_NOT_REQUIRED|SSLF_CLIENT_CERT_OPTIONAL)) { msg(M_USAGE, "--client-cert-not-required and --verify-client-cert require --mode server"); } if (options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME) { msg(M_USAGE, "--username-as-common-name requires --mode server"); } if (options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL) { msg(M_USAGE, "--auth-user-pass-optional requires --mode server"); } if (options->ssl_flags & SSLF_OPT_VERIFY) { msg(M_USAGE, "--opt-verify requires --mode server"); } if (options->server_flags & SF_TCP_NODELAY_HELPER) { msg(M_WARN, "WARNING: setting tcp-nodelay on the client side will not " "affect the server. To have TCP_NODELAY in both direction use " "tcp-nodelay in the server configuration instead."); } if (options->auth_user_pass_verify_script) { msg(M_USAGE, "--auth-user-pass-verify requires --mode server"); } if (options->auth_token_generate) { msg(M_USAGE, "--auth-gen-token requires --mode server"); } #if PORT_SHARE if (options->port_share_host || options->port_share_port) { msg(M_USAGE, "--port-share requires TCP server mode (--mode server --proto tcp-server)"); } #endif if (options->stale_routes_check_interval) { msg(M_USAGE, "--stale-routes-check requires --mode server"); } if (compat_flag(COMPAT_FLAG_QUERY | COMPAT_NO_NAME_REMAPPING)) { msg(M_USAGE, "--compat-x509-names no-remapping requires --mode server"); } } #endif /* P2MP_SERVER */ #ifdef ENABLE_CRYPTO if (options->ncp_enabled && !tls_check_ncp_cipher_list(options->ncp_ciphers)) { msg(M_USAGE, "NCP cipher list contains unsupported ciphers."); } if (options->ncp_enabled && !options->use_iv) { msg(M_USAGE, "--no-iv not allowed when NCP is enabled."); } if (!options->use_iv) { msg(M_WARN, "WARNING: --no-iv is deprecated and will be removed in 2.5"); } if (options->keysize) { msg(M_WARN, "WARNING: --keysize is DEPRECATED and will be removed in OpenVPN 2.6"); } if (!options->replay) { msg(M_WARN, "WARNING: --no-replay is DEPRECATED and will be removed in OpenVPN 2.5"); } /* * Check consistency of replay options */ if (!options->replay && (options->replay_window != defaults.replay_window || options->replay_time != defaults.replay_time)) { msg(M_USAGE, "--replay-window doesn't make sense when replay protection is disabled with --no-replay"); } /* * SSL/TLS mode sanity checks. */ if (options->tls_server + options->tls_client +(options->shared_secret_file != NULL) > 1) { msg(M_USAGE, "specify only one of --tls-server, --tls-client, or --secret"); } if (options->ssl_flags & (SSLF_CLIENT_CERT_NOT_REQUIRED|SSLF_CLIENT_CERT_OPTIONAL)) { msg(M_WARN, "WARNING: POTENTIALLY DANGEROUS OPTION " "--verify-client-cert none|optional (or --client-cert-not-required) " "may accept clients which do not present a certificate"); } if (options->key_method == 1) { msg(M_WARN, "WARNING: --key-method 1 is deprecated and will be removed " "in OpenVPN 2.5. By default --key-method 2 will be used if not set " "in the configuration file, which is the recommended approach."); } if (options->tls_server || options->tls_client) { #ifdef ENABLE_PKCS11 if (options->pkcs11_providers[0]) { notnull(options->ca_file, "CA file (--ca)"); if (options->pkcs11_id_management && options->pkcs11_id != NULL) { msg(M_USAGE, "Parameter --pkcs11-id cannot be used when --pkcs11-id-management is also specified."); } if (!options->pkcs11_id_management && options->pkcs11_id == NULL) { msg(M_USAGE, "Parameter --pkcs11-id or --pkcs11-id-management should be specified."); } if (options->cert_file) { msg(M_USAGE, "Parameter --cert cannot be used when --pkcs11-provider is also specified."); } if (options->priv_key_file) { msg(M_USAGE, "Parameter --key cannot be used when --pkcs11-provider is also specified."); } #ifdef MANAGMENT_EXTERNAL_KEY if (options->management_flags & MF_EXTERNAL_KEY) { msg(M_USAGE, "Parameter --management-external-key cannot be used when --pkcs11-provider is also specified."); } if (options->management_flags & MF_EXTERNAL_CERT) { msg(M_USAGE, "Parameter --management-external-cert cannot be used when --pkcs11-provider is also specified."); } #endif if (options->pkcs12_file) { msg(M_USAGE, "Parameter --pkcs12 cannot be used when --pkcs11-provider is also specified."); } #ifdef ENABLE_CRYPTOAPI if (options->cryptoapi_cert) { msg(M_USAGE, "Parameter --cryptoapicert cannot be used when --pkcs11-provider is also specified."); } #endif } else #endif /* ifdef ENABLE_PKCS11 */ #ifdef MANAGMENT_EXTERNAL_KEY if ((options->management_flags & MF_EXTERNAL_KEY) && options->priv_key_file) { msg(M_USAGE, "--key and --management-external-key are mutually exclusive"); } else if ((options->management_flags & MF_EXTERNAL_CERT)) { if (options->cert_file) { msg(M_USAGE, "--cert and --management-external-cert are mutually exclusive"); } else if (!(options->management_flags & MF_EXTERNAL_KEY)) { msg(M_USAGE, "--management-external-cert must be used with --management-external-key"); } } else #endif #ifdef ENABLE_CRYPTOAPI if (options->cryptoapi_cert) { if ((!(options->ca_file)) && (!(options->ca_path))) { msg(M_USAGE, "You must define CA file (--ca) or CA path (--capath)"); } if (options->cert_file) { msg(M_USAGE, "Parameter --cert cannot be used when --cryptoapicert is also specified."); } if (options->priv_key_file) { msg(M_USAGE, "Parameter --key cannot be used when --cryptoapicert is also specified."); } if (options->pkcs12_file) { msg(M_USAGE, "Parameter --pkcs12 cannot be used when --cryptoapicert is also specified."); } #ifdef MANAGMENT_EXTERNAL_KEY if (options->management_flags & MF_EXTERNAL_KEY) { msg(M_USAGE, "Parameter --management-external-key cannot be used when --cryptoapicert is also specified."); } if (options->management_flags & MF_EXTERNAL_CERT) { msg(M_USAGE, "Parameter --management-external-cert cannot be used when --cryptoapicert is also specified."); } #endif } else #endif /* ifdef ENABLE_CRYPTOAPI */ if (options->pkcs12_file) { #ifdef ENABLE_CRYPTO_MBEDTLS msg(M_USAGE, "Parameter --pkcs12 cannot be used with the mbed TLS version version of OpenVPN."); #else if (options->ca_path) { msg(M_USAGE, "Parameter --capath cannot be used when --pkcs12 is also specified."); } if (options->cert_file) { msg(M_USAGE, "Parameter --cert cannot be used when --pkcs12 is also specified."); } if (options->priv_key_file) { msg(M_USAGE, "Parameter --key cannot be used when --pkcs12 is also specified."); } #ifdef MANAGMENT_EXTERNAL_KEY if (options->management_flags & MF_EXTERNAL_KEY) { msg(M_USAGE, "Parameter --management-external-key cannot be used when --pkcs12 is also specified."); } if (options->management_flags & MF_EXTERNAL_CERT) { msg(M_USAGE, "Parameter --management-external-cert cannot be used when --pkcs12 is also specified."); } #endif #endif /* ifdef ENABLE_CRYPTO_MBEDTLS */ } else { #ifdef ENABLE_CRYPTO_MBEDTLS if (!(options->ca_file)) { msg(M_USAGE, "You must define CA file (--ca)"); } if (options->ca_path) { msg(M_USAGE, "Parameter --capath cannot be used with the mbed TLS version version of OpenVPN."); } #else /* ifdef ENABLE_CRYPTO_MBEDTLS */ if ((!(options->ca_file)) && (!(options->ca_path))) { msg(M_USAGE, "You must define CA file (--ca) or CA path (--capath)"); } #endif if (pull) { const int sum = #ifdef MANAGMENT_EXTERNAL_KEY ((options->cert_file != NULL) || (options->management_flags & MF_EXTERNAL_CERT)) +((options->priv_key_file != NULL) || (options->management_flags & MF_EXTERNAL_KEY)); #else (options->cert_file != NULL) + (options->priv_key_file != NULL); #endif if (sum == 0) { #if P2MP if (!options->auth_user_pass_file) #endif msg(M_USAGE, "No client-side authentication method is specified. You must use either --cert/--key, --pkcs12, or --auth-user-pass"); } else if (sum == 2) { } else { msg(M_USAGE, "If you use one of --cert or --key, you must use them both"); } } else { #ifdef MANAGMENT_EXTERNAL_KEY if (!(options->management_flags & MF_EXTERNAL_CERT)) #endif notnull(options->cert_file, "certificate file (--cert) or PKCS#12 file (--pkcs12)"); #ifdef MANAGMENT_EXTERNAL_KEY if (!(options->management_flags & MF_EXTERNAL_KEY)) #endif notnull(options->priv_key_file, "private key file (--key) or PKCS#12 file (--pkcs12)"); } } if (options->tls_auth_file && options->tls_crypt_file) { msg(M_USAGE, "--tls-auth and --tls-crypt are mutually exclusive"); } } else { /* * Make sure user doesn't specify any TLS options * when in non-TLS mode. */ #define MUST_BE_UNDEF(parm) if (options->parm != defaults.parm) {msg(M_USAGE, err, #parm); \ } const char err[] = "Parameter %s can only be specified in TLS-mode, i.e. where --tls-server or --tls-client is also specified."; MUST_BE_UNDEF(ca_file); MUST_BE_UNDEF(ca_path); MUST_BE_UNDEF(dh_file); MUST_BE_UNDEF(cert_file); MUST_BE_UNDEF(priv_key_file); #ifndef ENABLE_CRYPTO_MBEDTLS MUST_BE_UNDEF(pkcs12_file); #endif MUST_BE_UNDEF(cipher_list); MUST_BE_UNDEF(tls_verify); MUST_BE_UNDEF(tls_export_cert); MUST_BE_UNDEF(verify_x509_name); MUST_BE_UNDEF(tls_timeout); MUST_BE_UNDEF(renegotiate_bytes); MUST_BE_UNDEF(renegotiate_packets); MUST_BE_UNDEF(renegotiate_seconds); MUST_BE_UNDEF(handshake_window); MUST_BE_UNDEF(transition_window); MUST_BE_UNDEF(tls_auth_file); MUST_BE_UNDEF(tls_crypt_file); MUST_BE_UNDEF(single_session); #ifdef ENABLE_PUSH_PEER_INFO MUST_BE_UNDEF(push_peer_info); #endif MUST_BE_UNDEF(tls_exit); MUST_BE_UNDEF(crl_file); MUST_BE_UNDEF(key_method); MUST_BE_UNDEF(ns_cert_type); MUST_BE_UNDEF(remote_cert_ku[0]); MUST_BE_UNDEF(remote_cert_eku); #ifdef ENABLE_PKCS11 MUST_BE_UNDEF(pkcs11_providers[0]); MUST_BE_UNDEF(pkcs11_private_mode[0]); MUST_BE_UNDEF(pkcs11_id); MUST_BE_UNDEF(pkcs11_id_management); #endif if (pull) { msg(M_USAGE, err, "--pull"); } } #undef MUST_BE_UNDEF #endif /* ENABLE_CRYPTO */ #if P2MP if (options->auth_user_pass_file && !options->pull) { msg(M_USAGE, "--auth-user-pass requires --pull"); } #endif uninit_options(&defaults); } static void options_postprocess_mutate_ce(struct options *o, struct connection_entry *ce) { const int dev = dev_type_enum(o->dev, o->dev_type); #if P2MP_SERVER if (o->server_defined || o->server_bridge_defined || o->server_bridge_proxy_dhcp) { if (ce->proto == PROTO_TCP) { ce->proto = PROTO_TCP_SERVER; } } #endif #if P2MP if (o->client) { if (ce->proto == PROTO_TCP) { ce->proto = PROTO_TCP_CLIENT; } } #endif if (ce->proto == PROTO_TCP_CLIENT && !ce->local && !ce->local_port_defined && !ce->bind_defined) { ce->bind_local = false; } if (ce->proto == PROTO_UDP && ce->socks_proxy_server && !ce->local && !ce->local_port_defined && !ce->bind_defined) { ce->bind_local = false; } if (!ce->bind_local) { ce->local_port = NULL; } /* if protocol forcing is enabled, disable all protocols except for the forced one */ if (o->proto_force >= 0 && o->proto_force != ce->proto) { ce->flags |= CE_DISABLED; } /* * If --mssfix is supplied without a parameter, default * it to --fragment value, if --fragment is specified. */ if (o->ce.mssfix_default) { #ifdef ENABLE_FRAGMENT if (ce->fragment) { ce->mssfix = ce->fragment; } #else msg(M_USAGE, "--mssfix must specify a parameter"); #endif } /* * Set MTU defaults */ { if (!ce->tun_mtu_defined && !ce->link_mtu_defined) { ce->tun_mtu_defined = true; } if ((dev == DEV_TYPE_TAP) && !ce->tun_mtu_extra_defined) { ce->tun_mtu_extra_defined = true; ce->tun_mtu_extra = TAP_MTU_EXTRA_DEFAULT; } } } #ifdef _WIN32 /* If iservice is in use, we need def1 method for redirect-gateway */ static void remap_redirect_gateway_flags(struct options *opt) { if (opt->routes && opt->route_method == ROUTE_METHOD_SERVICE && opt->routes->flags & RG_REROUTE_GW && !(opt->routes->flags & RG_DEF1)) { msg(M_INFO, "Flag 'def1' added to --redirect-gateway (iservice is in use)"); opt->routes->flags |= RG_DEF1; } } #endif static void options_postprocess_mutate_invariant(struct options *options) { #ifdef _WIN32 const int dev = dev_type_enum(options->dev, options->dev_type); #endif /* * In forking TCP server mode, you don't need to ifconfig * the tap device (the assumption is that it will be bridged). */ if (options->inetd == INETD_NOWAIT) { options->ifconfig_noexec = true; } #ifdef _WIN32 if ((dev == DEV_TYPE_TUN || dev == DEV_TYPE_TAP) && !options->route_delay_defined) { if (options->mode == MODE_POINT_TO_POINT) { options->route_delay_defined = true; options->route_delay = 5; /* Vista sometimes has a race without this */ } } if (options->ifconfig_noexec) { options->tuntap_options.ip_win32_type = IPW32_SET_MANUAL; options->ifconfig_noexec = false; } remap_redirect_gateway_flags(options); #endif #if P2MP_SERVER /* * Check consistency of --mode server options. */ if (options->mode == MODE_SERVER) { #ifdef _WIN32 /* * We need to explicitly set --tap-sleep because * we do not schedule event timers in the top-level context. */ options->tuntap_options.tap_sleep = 10; if (options->route_delay_defined && options->route_delay) { options->tuntap_options.tap_sleep = options->route_delay; } options->route_delay_defined = false; #endif } #endif #ifdef DEFAULT_PKCS11_MODULE /* If p11-kit is present on the system then load its p11-kit-proxy.so * by default if the user asks for PKCS#11 without otherwise specifying * the module to use. */ if (!options->pkcs11_providers[0] && (options->pkcs11_id || options->pkcs11_id_management)) { options->pkcs11_providers[0] = DEFAULT_PKCS11_MODULE; } #endif } static void options_postprocess_verify(const struct options *o) { if (o->connection_list) { int i; for (i = 0; i < o->connection_list->len; ++i) { options_postprocess_verify_ce(o, o->connection_list->array[i]); } } else { options_postprocess_verify_ce(o, &o->ce); } } static void options_postprocess_mutate(struct options *o) { int i; /* * Process helper-type options which map to other, more complex * sequences of options. */ helper_client_server(o); helper_keepalive(o); helper_tcp_nodelay(o); options_postprocess_mutate_invariant(o); if (o->remote_list && !o->connection_list) { /* * Convert remotes into connection list */ const struct remote_list *rl = o->remote_list; for (i = 0; i < rl->len; ++i) { const struct remote_entry *re = rl->array[i]; struct connection_entry ce = o->ce; struct connection_entry *ace; ASSERT(re->remote); connection_entry_load_re(&ce, re); ace = alloc_connection_entry(o, M_USAGE); ASSERT(ace); *ace = ce; } } else if (!o->remote_list && !o->connection_list) { struct connection_entry *ace; ace = alloc_connection_entry(o, M_USAGE); ASSERT(ace); *ace = o->ce; } ASSERT(o->connection_list); for (i = 0; i < o->connection_list->len; ++i) { options_postprocess_mutate_ce(o, o->connection_list->array[i]); } #ifdef ENABLE_CRYPTO if (o->tls_server) { /* Check that DH file is specified, or explicitly disabled */ notnull(o->dh_file, "DH file (--dh)"); if (streq(o->dh_file, "none")) { o->dh_file = NULL; } } else if (o->dh_file) { /* DH file is only meaningful in a tls-server context. */ msg(M_WARN, "WARNING: Ignoring option 'dh' in tls-client mode, please only " "include this in your server configuration"); o->dh_file = NULL; } /* cipher negotiation (NCP) currently assumes --pull or --mode server */ if (o->ncp_enabled && !(o->pull || o->mode == MODE_SERVER) ) { msg( M_WARN, "disabling NCP mode (--ncp-disable) because not " "in P2MP client or server mode" ); o->ncp_enabled = false; } #endif #if ENABLE_MANAGEMENT if (o->http_proxy_override) { options_postprocess_http_proxy_override(o); } #endif #ifdef ENABLE_CRYPTOAPI if (o->cryptoapi_cert) { const int tls_version_max = (o->ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT) &SSLF_TLS_VERSION_MAX_MASK; if (tls_version_max == TLS_VER_UNSPEC || tls_version_max > TLS_VER_1_1) { msg(M_WARN, "Warning: cryptapicert used, setting maximum TLS " "version to 1.1."); o->ssl_flags &= ~(SSLF_TLS_VERSION_MAX_MASK <ssl_flags |= (TLS_VER_1_1 << SSLF_TLS_VERSION_MAX_SHIFT); } } #endif /* ENABLE_CRYPTOAPI */ #if P2MP /* * Save certain parms before modifying options via --pull */ pre_pull_save(o); #endif } /* * Check file/directory sanity * */ #ifndef ENABLE_SMALL /** Expect people using the stripped down version to know what they do */ #define CHKACC_FILE (1<<0) /** Check for a file/directory precense */ #define CHKACC_DIRPATH (1<<1) /** Check for directory precense where a file should reside */ #define CHKACC_FILEXSTWR (1<<2) /** If file exists, is it writable? */ #define CHKACC_INLINE (1<<3) /** File is present if it's an inline file */ #define CHKACC_ACPTSTDIN (1<<4) /** If filename is stdin, it's allowed and "exists" */ #define CHKACC_PRIVATE (1<<5) /** Warn if this (private) file is group/others accessible */ static bool check_file_access(const int type, const char *file, const int mode, const char *opt) { int errcode = 0; /* If no file configured, no errors to look for */ if (!file) { return false; } /* If this may be an inline file, and the proper inline "filename" is set - no issues */ if ((type & CHKACC_INLINE) && streq(file, INLINE_FILE_TAG) ) { return false; } /* If stdin is allowed and the file name is 'stdin', then do no * further checks as stdin is always available */ if ( (type & CHKACC_ACPTSTDIN) && streq(file, "stdin") ) { return false; } /* Is the directory path leading to the given file accessible? */ if (type & CHKACC_DIRPATH) { char *fullpath = string_alloc(file, NULL); /* POSIX dirname() implementaion may modify its arguments */ char *dirpath = dirname(fullpath); if (platform_access(dirpath, mode|X_OK) != 0) { errcode = errno; } free(fullpath); } /* Is the file itself accessible? */ if (!errcode && (type & CHKACC_FILE) && (platform_access(file, mode) != 0) ) { errcode = errno; } /* If the file exists and is accessible, is it writable? */ if (!errcode && (type & CHKACC_FILEXSTWR) && (platform_access(file, F_OK) == 0) ) { if (platform_access(file, W_OK) != 0) { errcode = errno; } } /* Warn if a given private file is group/others accessible. */ if (type & CHKACC_PRIVATE) { platform_stat_t st; if (platform_stat(file, &st)) { msg(M_WARN | M_ERRNO, "WARNING: cannot stat file '%s'", file); } #ifndef _WIN32 else { if (st.st_mode & (S_IRWXG|S_IRWXO)) { msg(M_WARN, "WARNING: file '%s' is group or others accessible", file); } } #endif } /* Scream if an error is found */ if (errcode > 0) { msg(M_NOPREFIX | M_OPTERR | M_ERRNO, "%s fails with '%s'", opt, file); } /* Return true if an error occured */ return (errcode != 0 ? true : false); } /* A wrapper for check_file_access() which also takes a chroot directory. * If chroot is NULL, behaviour is exactly the same as calling check_file_access() directly, * otherwise it will look for the file inside the given chroot directory instead. */ static bool check_file_access_chroot(const char *chroot, const int type, const char *file, const int mode, const char *opt) { bool ret = false; /* If no file configured, no errors to look for */ if (!file) { return false; } /* If chroot is set, look for the file/directory inside the chroot */ if (chroot) { struct gc_arena gc = gc_new(); struct buffer chroot_file; int len = 0; /* Build up a new full path including chroot directory */ len = strlen(chroot) + strlen(PATH_SEPARATOR_STR) + strlen(file) + 1; chroot_file = alloc_buf_gc(len, &gc); buf_printf(&chroot_file, "%s%s%s", chroot, PATH_SEPARATOR_STR, file); ASSERT(chroot_file.len > 0); ret = check_file_access(type, BSTR(&chroot_file), mode, opt); gc_free(&gc); } else { /* No chroot in play, just call core file check function */ ret = check_file_access(type, file, mode, opt); } return ret; } /* * Verifies that the path in the "command" that comes after certain script options (e.g., --up) is a * valid file with appropriate permissions. * * "command" consists of a path, optionally followed by a space, which may be * followed by arbitrary arguments. It is NOT a full shell command line -- shell expansion is not * performed. * * The path and arguments in "command" may be single- or double-quoted or escaped. * * The path is extracted from "command", then check_file_access() is called to check it. The * arguments, if any, are ignored. * * Note that the type, mode, and opt arguments to this routine are the same as the corresponding * check_file_access() arguments. */ static bool check_cmd_access(const char *command, const char *opt, const char *chroot) { struct argv argv; bool return_code; /* If no command was set, there are no errors to look for */ if (!command) { return false; } /* Extract executable path and arguments */ argv = argv_new(); argv_parse_cmd(&argv, command); /* if an executable is specified then check it; otherwise, complain */ if (argv.argv[0]) { /* Scripts requires R_OK as well, but that might fail on binaries which * only requires X_OK to function on Unix - a scenario not unlikely to * be seen on suid binaries. */ return_code = check_file_access_chroot(chroot, CHKACC_FILE, argv.argv[0], X_OK, opt); } else { msg(M_NOPREFIX|M_OPTERR, "%s fails with '%s': No path to executable.", opt, command); return_code = true; } argv_reset(&argv); return return_code; } /* * Sanity check of all file/dir options. Checks that file/dir * is accessible by OpenVPN */ static void options_postprocess_filechecks(struct options *options) { bool errs = false; #ifdef ENABLE_CRYPTO /* ** SSL/TLS/crypto related files ** */ errs |= check_file_access(CHKACC_FILE|CHKACC_INLINE, options->dh_file, R_OK, "--dh"); errs |= check_file_access(CHKACC_FILE|CHKACC_INLINE, options->ca_file, R_OK, "--ca"); errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->ca_path, R_OK, "--capath"); errs |= check_file_access(CHKACC_FILE|CHKACC_INLINE, options->cert_file, R_OK, "--cert"); errs |= check_file_access(CHKACC_FILE|CHKACC_INLINE, options->extra_certs_file, R_OK, "--extra-certs"); #ifdef MANAGMENT_EXTERNAL_KEY if (!(options->management_flags & MF_EXTERNAL_KEY)) #endif { errs |= check_file_access(CHKACC_FILE|CHKACC_INLINE|CHKACC_PRIVATE, options->priv_key_file, R_OK, "--key"); } errs |= check_file_access(CHKACC_FILE|CHKACC_INLINE|CHKACC_PRIVATE, options->pkcs12_file, R_OK, "--pkcs12"); if (options->ssl_flags & SSLF_CRL_VERIFY_DIR) { errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->crl_file, R_OK|X_OK, "--crl-verify directory"); } else { errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE|CHKACC_INLINE, options->crl_file, R_OK, "--crl-verify"); } errs |= check_file_access(CHKACC_FILE|CHKACC_INLINE|CHKACC_PRIVATE, options->tls_auth_file, R_OK, "--tls-auth"); errs |= check_file_access(CHKACC_FILE|CHKACC_INLINE|CHKACC_PRIVATE, options->tls_crypt_file, R_OK, "--tls-crypt"); errs |= check_file_access(CHKACC_FILE|CHKACC_INLINE|CHKACC_PRIVATE, options->shared_secret_file, R_OK, "--secret"); errs |= check_file_access(CHKACC_DIRPATH|CHKACC_FILEXSTWR, options->packet_id_file, R_OK|W_OK, "--replay-persist"); /* ** Password files ** */ errs |= check_file_access(CHKACC_FILE|CHKACC_ACPTSTDIN|CHKACC_PRIVATE, options->key_pass_file, R_OK, "--askpass"); #endif /* ENABLE_CRYPTO */ #ifdef ENABLE_MANAGEMENT errs |= check_file_access(CHKACC_FILE|CHKACC_ACPTSTDIN|CHKACC_PRIVATE, options->management_user_pass, R_OK, "--management user/password file"); #endif /* ENABLE_MANAGEMENT */ #if P2MP errs |= check_file_access(CHKACC_FILE|CHKACC_ACPTSTDIN|CHKACC_PRIVATE, options->auth_user_pass_file, R_OK, "--auth-user-pass"); #endif /* P2MP */ /* ** System related ** */ errs |= check_file_access(CHKACC_FILE, options->chroot_dir, R_OK|X_OK, "--chroot directory"); errs |= check_file_access(CHKACC_DIRPATH|CHKACC_FILEXSTWR, options->writepid, R_OK|W_OK, "--writepid"); /* ** Log related ** */ errs |= check_file_access(CHKACC_DIRPATH|CHKACC_FILEXSTWR, options->status_file, R_OK|W_OK, "--status"); /* ** Config related ** */ #ifdef ENABLE_CRYPTO errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->tls_export_cert, R_OK|W_OK|X_OK, "--tls-export-cert"); #endif /* ENABLE_CRYPTO */ #if P2MP_SERVER errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->client_config_dir, R_OK|X_OK, "--client-config-dir"); errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->tmp_dir, R_OK|W_OK|X_OK, "Temporary directory (--tmp-dir)"); #endif /* P2MP_SERVER */ if (errs) { msg(M_USAGE, "Please correct these errors."); } } #endif /* !ENABLE_SMALL */ /* * Sanity check on options. * Also set some options based on other * options. */ void options_postprocess(struct options *options) { options_postprocess_mutate(options); options_postprocess_verify(options); #ifndef ENABLE_SMALL options_postprocess_filechecks(options); #endif /* !ENABLE_SMALL */ } #if P2MP /* * Save/Restore certain option defaults before --pull is applied. */ void pre_pull_save(struct options *o) { if (o->pull) { ALLOC_OBJ_CLEAR_GC(o->pre_pull, struct options_pre_pull, &o->gc); o->pre_pull->tuntap_options = o->tuntap_options; o->pre_pull->tuntap_options_defined = true; o->pre_pull->foreign_option_index = o->foreign_option_index; if (o->routes) { o->pre_pull->routes = clone_route_option_list(o->routes, &o->gc); o->pre_pull->routes_defined = true; } if (o->routes_ipv6) { o->pre_pull->routes_ipv6 = clone_route_ipv6_option_list(o->routes_ipv6, &o->gc); o->pre_pull->routes_ipv6_defined = true; } if (o->client_nat) { o->pre_pull->client_nat = clone_client_nat_option_list(o->client_nat, &o->gc); o->pre_pull->client_nat_defined = true; } } } void pre_pull_restore(struct options *o, struct gc_arena *gc) { const struct options_pre_pull *pp = o->pre_pull; if (pp) { CLEAR(o->tuntap_options); if (pp->tuntap_options_defined) { o->tuntap_options = pp->tuntap_options; } if (pp->routes_defined) { rol_check_alloc(o); copy_route_option_list(o->routes, pp->routes, gc); } else { o->routes = NULL; } if (pp->routes_ipv6_defined) { rol6_check_alloc(o); copy_route_ipv6_option_list(o->routes_ipv6, pp->routes_ipv6, gc); } else { o->routes_ipv6 = NULL; } if (pp->client_nat_defined) { cnol_check_alloc(o); copy_client_nat_option_list(o->client_nat, pp->client_nat); } else { o->client_nat = NULL; } o->foreign_option_index = pp->foreign_option_index; } o->push_continuation = 0; o->push_option_types_found = 0; } #endif /* if P2MP */ #ifdef ENABLE_OCC /** * Calculate the link-mtu to advertise to our peer. The actual value is not * relevant, because we will possibly perform data channel cipher negotiation * after this, but older clients will log warnings if we do not supply them the * value they expect. This assumes that the traditional cipher/auth directives * in the config match the config of the peer. */ static size_t calc_options_string_link_mtu(const struct options *o, const struct frame *frame) { size_t link_mtu = EXPANDED_SIZE(frame); #ifdef ENABLE_CRYPTO if (o->pull || o->mode == MODE_SERVER) { struct frame fake_frame = *frame; struct key_type fake_kt; init_key_type(&fake_kt, o->ciphername, o->authname, o->keysize, true, false); frame_add_to_extra_frame(&fake_frame, -(crypto_max_overhead())); crypto_adjust_frame_parameters(&fake_frame, &fake_kt, o->use_iv, o->replay, cipher_kt_mode_ofb_cfb(fake_kt.cipher)); frame_finalize(&fake_frame, o->ce.link_mtu_defined, o->ce.link_mtu, o->ce.tun_mtu_defined, o->ce.tun_mtu); msg(D_MTU_DEBUG, "%s: link-mtu %u -> %d", __func__, (unsigned int) link_mtu, EXPANDED_SIZE(&fake_frame)); link_mtu = EXPANDED_SIZE(&fake_frame); } #endif return link_mtu; } /* * Build an options string to represent data channel encryption options. * This string must match exactly between peers. The keysize is checked * separately by read_key(). * * The following options must match on both peers: * * Tunnel options: * * --dev tun|tap [unit number need not match] * --dev-type tun|tap * --link-mtu * --udp-mtu * --tun-mtu * --proto udp * --proto tcp-client [matched with --proto tcp-server * on the other end of the connection] * --proto tcp-server [matched with --proto tcp-client on * the other end of the connection] * --tun-ipv6 * --ifconfig x y [matched with --ifconfig y x on * the other end of the connection] * * --comp-lzo * --compress alg * --fragment * * Crypto Options: * * --cipher * --auth * --keysize * --secret * --no-replay * --no-iv * * SSL Options: * * --tls-auth * --tls-client [matched with --tls-server on * the other end of the connection] * --tls-server [matched with --tls-client on * the other end of the connection] */ char * options_string(const struct options *o, const struct frame *frame, struct tuntap *tt, bool remote, struct gc_arena *gc) { struct buffer out = alloc_buf(OPTION_LINE_SIZE); bool tt_local = false; buf_printf(&out, "V4"); /* * Tunnel Options */ buf_printf(&out, ",dev-type %s", dev_type_string(o->dev, o->dev_type)); buf_printf(&out, ",link-mtu %u", (unsigned int) calc_options_string_link_mtu(o, frame)); buf_printf(&out, ",tun-mtu %d", PAYLOAD_SIZE(frame)); buf_printf(&out, ",proto %s", proto_remote(o->ce.proto, remote)); /* send tun_ipv6 only in peer2peer mode - in client/server mode, it * is usually pushed by the server, triggering a non-helpful warning */ if (o->ifconfig_ipv6_local && o->mode == MODE_POINT_TO_POINT && !PULL_DEFINED(o)) { buf_printf(&out, ",tun-ipv6"); } /* * Try to get ifconfig parameters into the options string. * If tt is undefined, make a temporary instantiation. */ if (!tt) { tt = init_tun(o->dev, o->dev_type, o->topology, o->ifconfig_local, o->ifconfig_remote_netmask, o->ifconfig_ipv6_local, o->ifconfig_ipv6_netbits, o->ifconfig_ipv6_remote, NULL, NULL, false, NULL); if (tt) { tt_local = true; } } if (tt && o->mode == MODE_POINT_TO_POINT && !PULL_DEFINED(o)) { const char *ios = ifconfig_options_string(tt, remote, o->ifconfig_nowarn, gc); if (ios && strlen(ios)) { buf_printf(&out, ",ifconfig %s", ios); } } if (tt_local) { free(tt); tt = NULL; } #ifdef USE_COMP if (o->comp.alg != COMP_ALG_UNDEF) { buf_printf(&out, ",comp-lzo"); /* for compatibility, this simply indicates that compression context is active, not necessarily LZO per-se */ } #endif #ifdef ENABLE_FRAGMENT if (o->ce.fragment) { buf_printf(&out, ",mtu-dynamic"); } #endif #ifdef ENABLE_CRYPTO #define TLS_CLIENT (o->tls_client) #define TLS_SERVER (o->tls_server) /* * Key direction */ { const char *kd = keydirection2ascii(o->key_direction, remote); if (kd) { buf_printf(&out, ",keydir %s", kd); } } /* * Crypto Options */ if (o->shared_secret_file || TLS_CLIENT || TLS_SERVER) { struct key_type kt; ASSERT((o->shared_secret_file != NULL) + (TLS_CLIENT == true) + (TLS_SERVER == true) <= 1); init_key_type(&kt, o->ciphername, o->authname, o->keysize, true, false); buf_printf(&out, ",cipher %s", translate_cipher_name_to_openvpn(cipher_kt_name(kt.cipher))); buf_printf(&out, ",auth %s", md_kt_name(kt.digest)); buf_printf(&out, ",keysize %d", kt.cipher_length * 8); if (o->shared_secret_file) { buf_printf(&out, ",secret"); } if (!o->replay) { buf_printf(&out, ",no-replay"); } if (!o->use_iv) { buf_printf(&out, ",no-iv"); } #ifdef ENABLE_PREDICTION_RESISTANCE if (o->use_prediction_resistance) { buf_printf(&out, ",use-prediction-resistance"); } #endif } /* * SSL Options */ { if (TLS_CLIENT || TLS_SERVER) { if (o->tls_auth_file) { buf_printf(&out, ",tls-auth"); } /* Not adding tls-crypt here, because we won't reach this code if * tls-auth/tls-crypt does not match. Removing tls-auth here would * break stuff, so leaving that in place. */ if (o->key_method > 1) { buf_printf(&out, ",key-method %d", o->key_method); } } if (remote) { if (TLS_CLIENT) { buf_printf(&out, ",tls-server"); } else if (TLS_SERVER) { buf_printf(&out, ",tls-client"); } } else { if (TLS_CLIENT) { buf_printf(&out, ",tls-client"); } else if (TLS_SERVER) { buf_printf(&out, ",tls-server"); } } } #undef TLS_CLIENT #undef TLS_SERVER #endif /* ENABLE_CRYPTO */ return BSTR(&out); } /* * Compare option strings for equality. * If the first two chars of the strings differ, it means that * we are looking at different versions of the options string, * therefore don't compare them and return true. */ bool options_cmp_equal(char *actual, const char *expected) { return options_cmp_equal_safe(actual, expected, strlen(actual) + 1); } void options_warning(char *actual, const char *expected) { options_warning_safe(actual, expected, strlen(actual) + 1); } static const char * options_warning_extract_parm1(const char *option_string, struct gc_arena *gc_ret) { struct gc_arena gc = gc_new(); struct buffer b = string_alloc_buf(option_string, &gc); char *p = gc_malloc(OPTION_PARM_SIZE, false, &gc); const char *ret; buf_parse(&b, ' ', p, OPTION_PARM_SIZE); ret = string_alloc(p, gc_ret); gc_free(&gc); return ret; } static void options_warning_safe_scan2(const int msglevel, const int delim, const bool report_inconsistent, const char *p1, const struct buffer *b2_src, const char *b1_name, const char *b2_name) { /* we will stop sending 'proto xxx' in OCC in a future version * (because it's not useful), and to reduce questions when * interoperating, we start not-printing a warning about it today */ if (strncmp(p1, "proto ", 6) == 0) { return; } if (strlen(p1) > 0) { struct gc_arena gc = gc_new(); struct buffer b2 = *b2_src; const char *p1_prefix = options_warning_extract_parm1(p1, &gc); char *p2 = gc_malloc(OPTION_PARM_SIZE, false, &gc); while (buf_parse(&b2, delim, p2, OPTION_PARM_SIZE)) { if (strlen(p2)) { const char *p2_prefix = options_warning_extract_parm1(p2, &gc); if (!strcmp(p1, p2)) { goto done; } if (!strcmp(p1_prefix, p2_prefix)) { if (report_inconsistent) { msg(msglevel, "WARNING: '%s' is used inconsistently, %s='%s', %s='%s'", safe_print(p1_prefix, &gc), b1_name, safe_print(p1, &gc), b2_name, safe_print(p2, &gc)); } goto done; } } } msg(msglevel, "WARNING: '%s' is present in %s config but missing in %s config, %s='%s'", safe_print(p1_prefix, &gc), b1_name, b2_name, b1_name, safe_print(p1, &gc)); done: gc_free(&gc); } } static void options_warning_safe_scan1(const int msglevel, const int delim, const bool report_inconsistent, const struct buffer *b1_src, const struct buffer *b2_src, const char *b1_name, const char *b2_name) { struct gc_arena gc = gc_new(); struct buffer b = *b1_src; char *p = gc_malloc(OPTION_PARM_SIZE, true, &gc); while (buf_parse(&b, delim, p, OPTION_PARM_SIZE)) { options_warning_safe_scan2(msglevel, delim, report_inconsistent, p, b2_src, b1_name, b2_name); } gc_free(&gc); } static void options_warning_safe_ml(const int msglevel, char *actual, const char *expected, size_t actual_n) { struct gc_arena gc = gc_new(); if (actual_n > 0) { struct buffer local = alloc_buf_gc(OPTION_PARM_SIZE + 16, &gc); struct buffer remote = alloc_buf_gc(OPTION_PARM_SIZE + 16, &gc); actual[actual_n - 1] = 0; buf_printf(&local, "version %s", expected); buf_printf(&remote, "version %s", actual); options_warning_safe_scan1(msglevel, ',', true, &local, &remote, "local", "remote"); options_warning_safe_scan1(msglevel, ',', false, &remote, &local, "remote", "local"); } gc_free(&gc); } bool options_cmp_equal_safe(char *actual, const char *expected, size_t actual_n) { struct gc_arena gc = gc_new(); bool ret = true; if (actual_n > 0) { actual[actual_n - 1] = 0; #ifndef ENABLE_STRICT_OPTIONS_CHECK if (strncmp(actual, expected, 2)) { msg(D_SHOW_OCC, "NOTE: Options consistency check may be skewed by version differences"); options_warning_safe_ml(D_SHOW_OCC, actual, expected, actual_n); } else #endif ret = !strcmp(actual, expected); } gc_free(&gc); return ret; } void options_warning_safe(char *actual, const char *expected, size_t actual_n) { options_warning_safe_ml(M_WARN, actual, expected, actual_n); } const char * options_string_version(const char *s, struct gc_arena *gc) { struct buffer out = alloc_buf_gc(4, gc); strncpynt((char *) BPTR(&out), s, 3); return BSTR(&out); } #endif /* ENABLE_OCC */ char * options_string_extract_option(const char *options_string,const char *opt_name, struct gc_arena *gc) { char *ret = NULL; const size_t opt_name_len = strlen(opt_name); const char *p = options_string; while (p) { if (0 == strncmp(p, opt_name, opt_name_len) && strlen(p) > (opt_name_len+1) && p[opt_name_len] == ' ') { /* option found, extract value */ const char *start = &p[opt_name_len+1]; const char *end = strchr(p, ','); size_t val_len = end ? end - start : strlen(start); ret = gc_malloc(val_len+1, true, gc); memcpy(ret, start, val_len); break; } p = strchr(p, ','); if (p) { p++; /* skip delimiter */ } } return ret; } static void foreign_option(struct options *o, char *argv[], int len, struct env_set *es) { if (len > 0) { struct gc_arena gc = gc_new(); struct buffer name = alloc_buf_gc(OPTION_PARM_SIZE, &gc); struct buffer value = alloc_buf_gc(OPTION_PARM_SIZE, &gc); int i; bool first = true; bool good = true; good &= buf_printf(&name, "foreign_option_%d", o->foreign_option_index + 1); ++o->foreign_option_index; for (i = 0; i < len; ++i) { if (argv[i]) { if (!first) { good &= buf_printf(&value, " "); } good &= buf_printf(&value, "%s", argv[i]); first = false; } } if (good) { setenv_str(es, BSTR(&name), BSTR(&value)); } else { msg(M_WARN, "foreign_option: name/value overflow"); } gc_free(&gc); } } /* * parse/print topology coding */ int parse_topology(const char *str, const int msglevel) { if (streq(str, "net30")) { return TOP_NET30; } else if (streq(str, "p2p")) { return TOP_P2P; } else if (streq(str, "subnet")) { return TOP_SUBNET; } else { msg(msglevel, "--topology must be net30, p2p, or subnet"); return TOP_UNDEF; } } const char * print_topology(const int topology) { switch (topology) { case TOP_UNDEF: return "undef"; case TOP_NET30: return "net30"; case TOP_P2P: return "p2p"; case TOP_SUBNET: return "subnet"; default: return "unknown"; } } #if P2MP /* * Manage auth-retry variable */ static int global_auth_retry; /* GLOBAL */ int auth_retry_get(void) { return global_auth_retry; } bool auth_retry_set(const int msglevel, const char *option) { if (streq(option, "interact")) { global_auth_retry = AR_INTERACT; } else if (streq(option, "nointeract")) { global_auth_retry = AR_NOINTERACT; } else if (streq(option, "none")) { global_auth_retry = AR_NONE; } else { msg(msglevel, "--auth-retry method must be 'interact', 'nointeract', or 'none'"); return false; } return true; } const char * auth_retry_print(void) { switch (global_auth_retry) { case AR_NONE: return "none"; case AR_NOINTERACT: return "nointeract"; case AR_INTERACT: return "interact"; default: return "???"; } } #endif /* if P2MP */ /* * Print the help message. */ static void usage(void) { FILE *fp = msg_fp(0); #ifdef ENABLE_SMALL fprintf(fp, "Usage message not available\n"); #else struct options o; init_options(&o, true); #ifdef ENABLE_CRYPTO fprintf(fp, usage_message, title_string, o.ce.connect_retry_seconds, o.ce.connect_retry_seconds_max, o.ce.local_port, o.ce.remote_port, TUN_MTU_DEFAULT, TAP_MTU_EXTRA_DEFAULT, o.verbosity, o.authname, o.ciphername, o.replay_window, o.replay_time, o.tls_timeout, o.renegotiate_seconds, o.handshake_window, o.transition_window); #else /* ifdef ENABLE_CRYPTO */ fprintf(fp, usage_message, title_string, o.ce.connect_retry_seconds, o.ce.connect_retry_seconds_max, o.ce.local_port, o.ce.remote_port, TUN_MTU_DEFAULT, TAP_MTU_EXTRA_DEFAULT, o.verbosity); #endif fflush(fp); #endif /* ENABLE_SMALL */ openvpn_exit(OPENVPN_EXIT_STATUS_USAGE); /* exit point */ } void usage_small(void) { msg(M_WARN|M_NOPREFIX, "Use --help for more information."); openvpn_exit(OPENVPN_EXIT_STATUS_USAGE); /* exit point */ } #ifdef _WIN32 void show_windows_version(const unsigned int flags) { struct gc_arena gc = gc_new(); msg(flags, "Windows version %s", win32_version_string(&gc, true)); gc_free(&gc); } #endif void show_library_versions(const unsigned int flags) { #ifdef ENABLE_CRYPTO #define SSL_LIB_VER_STR get_ssl_library_version() #else #define SSL_LIB_VER_STR "" #endif #ifdef ENABLE_LZO #define LZO_LIB_VER_STR ", LZO ", lzo_version_string() #else #define LZO_LIB_VER_STR "", "" #endif msg(flags, "library versions: %s%s%s", SSL_LIB_VER_STR, LZO_LIB_VER_STR); #undef SSL_LIB_VER_STR #undef LZO_LIB_VER_STR } static void usage_version(void) { msg(M_INFO|M_NOPREFIX, "%s", title_string); show_library_versions( M_INFO|M_NOPREFIX ); #ifdef _WIN32 show_windows_version( M_INFO|M_NOPREFIX ); #endif msg(M_INFO|M_NOPREFIX, "Originally developed by James Yonan"); msg(M_INFO|M_NOPREFIX, "Copyright (C) 2002-2017 OpenVPN Technologies, Inc. "); #ifndef ENABLE_SMALL #ifdef CONFIGURE_DEFINES msg(M_INFO|M_NOPREFIX, "Compile time defines: %s", CONFIGURE_DEFINES); #endif #ifdef CONFIGURE_SPECIAL_BUILD msg(M_INFO|M_NOPREFIX, "special build: %s", CONFIGURE_SPECIAL_BUILD); #endif #endif openvpn_exit(OPENVPN_EXIT_STATUS_USAGE); /* exit point */ } void notnull(const char *arg, const char *description) { if (!arg) { msg(M_USAGE, "You must define %s", description); } } bool string_defined_equal(const char *s1, const char *s2) { if (s1 && s2) { return !strcmp(s1, s2); } else { return false; } } #if 0 static void ping_rec_err(int msglevel) { msg(msglevel, "only one of --ping-exit or --ping-restart options may be specified"); } #endif static int positive_atoi(const char *str) { const int i = atoi(str); return i < 0 ? 0 : i; } #ifdef _WIN32 /* This function is only used when compiling on Windows */ static unsigned int atou(const char *str) { unsigned int val = 0; sscanf(str, "%u", &val); return val; } #endif static inline bool space(unsigned char c) { return c == '\0' || isspace(c); } int parse_line(const char *line, char *p[], const int n, const char *file, const int line_num, int msglevel, struct gc_arena *gc) { const int STATE_INITIAL = 0; const int STATE_READING_QUOTED_PARM = 1; const int STATE_READING_UNQUOTED_PARM = 2; const int STATE_DONE = 3; const int STATE_READING_SQUOTED_PARM = 4; const char *error_prefix = ""; int ret = 0; const char *c = line; int state = STATE_INITIAL; bool backslash = false; char in, out; char parm[OPTION_PARM_SIZE]; unsigned int parm_len = 0; msglevel &= ~M_OPTERR; if (msglevel & M_MSG_VIRT_OUT) { error_prefix = "ERROR: "; } do { in = *c; out = 0; if (!backslash && in == '\\' && state != STATE_READING_SQUOTED_PARM) { backslash = true; } else { if (state == STATE_INITIAL) { if (!space(in)) { if (in == ';' || in == '#') /* comment */ { break; } if (!backslash && in == '\"') { state = STATE_READING_QUOTED_PARM; } else if (!backslash && in == '\'') { state = STATE_READING_SQUOTED_PARM; } else { out = in; state = STATE_READING_UNQUOTED_PARM; } } } else if (state == STATE_READING_UNQUOTED_PARM) { if (!backslash && space(in)) { state = STATE_DONE; } else { out = in; } } else if (state == STATE_READING_QUOTED_PARM) { if (!backslash && in == '\"') { state = STATE_DONE; } else { out = in; } } else if (state == STATE_READING_SQUOTED_PARM) { if (in == '\'') { state = STATE_DONE; } else { out = in; } } if (state == STATE_DONE) { /* ASSERT (parm_len > 0); */ p[ret] = gc_malloc(parm_len + 1, true, gc); memcpy(p[ret], parm, parm_len); p[ret][parm_len] = '\0'; state = STATE_INITIAL; parm_len = 0; ++ret; } if (backslash && out) { if (!(out == '\\' || out == '\"' || space(out))) { #ifdef ENABLE_SMALL msg(msglevel, "%sOptions warning: Bad backslash ('\\') usage in %s:%d", error_prefix, file, line_num); #else msg(msglevel, "%sOptions warning: Bad backslash ('\\') usage in %s:%d: remember that backslashes are treated as shell-escapes and if you need to pass backslash characters as part of a Windows filename, you should use double backslashes such as \"c:\\\\" PACKAGE "\\\\static.key\"", error_prefix, file, line_num); #endif return 0; } } backslash = false; } /* store parameter character */ if (out) { if (parm_len >= SIZE(parm)) { parm[SIZE(parm) - 1] = 0; msg(msglevel, "%sOptions error: Parameter at %s:%d is too long (%d chars max): %s", error_prefix, file, line_num, (int) SIZE(parm), parm); return 0; } parm[parm_len++] = out; } /* avoid overflow if too many parms in one config file line */ if (ret >= n) { break; } } while (*c++ != '\0'); if (state == STATE_READING_QUOTED_PARM) { msg(msglevel, "%sOptions error: No closing quotation (\") in %s:%d", error_prefix, file, line_num); return 0; } if (state == STATE_READING_SQUOTED_PARM) { msg(msglevel, "%sOptions error: No closing single quotation (\') in %s:%d", error_prefix, file, line_num); return 0; } if (state != STATE_INITIAL) { msg(msglevel, "%sOptions error: Residual parse state (%d) in %s:%d", error_prefix, state, file, line_num); return 0; } #if 0 { int i; for (i = 0; i < ret; ++i) { msg(M_INFO|M_NOPREFIX, "%s:%d ARG[%d] '%s'", file, line_num, i, p[i]); } } #endif return ret; } static void bypass_doubledash(char **p) { if (strlen(*p) >= 3 && !strncmp(*p, "--", 2)) { *p += 2; } } struct in_src { #define IS_TYPE_FP 1 #define IS_TYPE_BUF 2 int type; union { FILE *fp; struct buffer *multiline; } u; }; static bool in_src_get(const struct in_src *is, char *line, const int size) { if (is->type == IS_TYPE_FP) { return BOOL_CAST(fgets(line, size, is->u.fp)); } else if (is->type == IS_TYPE_BUF) { bool status = buf_parse(is->u.multiline, '\n', line, size); if ((int) strlen(line) + 1 < size) { strcat(line, "\n"); } return status; } else { ASSERT(0); return false; } } static char * read_inline_file(struct in_src *is, const char *close_tag, struct gc_arena *gc) { char line[OPTION_LINE_SIZE]; struct buffer buf = alloc_buf(8*OPTION_LINE_SIZE); char *ret; bool endtagfound = false; while (in_src_get(is, line, sizeof(line))) { char *line_ptr = line; /* Remove leading spaces */ while (isspace(*line_ptr)) { line_ptr++; } if (!strncmp(line_ptr, close_tag, strlen(close_tag))) { endtagfound = true; break; } if (!buf_safe(&buf, strlen(line)+1)) { /* Increase buffer size */ struct buffer buf2 = alloc_buf(buf.capacity * 2); ASSERT(buf_copy(&buf2, &buf)); buf_clear(&buf); free_buf(&buf); buf = buf2; } buf_printf(&buf, "%s", line); } if (!endtagfound) { msg(M_FATAL, "ERROR: Endtag %s missing", close_tag); } ret = string_alloc(BSTR(&buf), gc); buf_clear(&buf); free_buf(&buf); secure_memzero(line, sizeof(line)); return ret; } static bool check_inline_file(struct in_src *is, char *p[], struct gc_arena *gc) { bool ret = false; if (p[0] && !p[1]) { char *arg = p[0]; if (arg[0] == '<' && arg[strlen(arg)-1] == '>') { struct buffer close_tag; arg[strlen(arg)-1] = '\0'; p[0] = string_alloc(arg+1, gc); p[1] = string_alloc(INLINE_FILE_TAG, gc); close_tag = alloc_buf(strlen(p[0]) + 4); buf_printf(&close_tag, "", p[0]); p[2] = read_inline_file(is, BSTR(&close_tag), gc); p[3] = NULL; free_buf(&close_tag); ret = true; } } return ret; } static bool check_inline_file_via_fp(FILE *fp, char *p[], struct gc_arena *gc) { struct in_src is; is.type = IS_TYPE_FP; is.u.fp = fp; return check_inline_file(&is, p, gc); } static bool check_inline_file_via_buf(struct buffer *multiline, char *p[], struct gc_arena *gc) { struct in_src is; is.type = IS_TYPE_BUF; is.u.multiline = multiline; return check_inline_file(&is, p, gc); } static void add_option(struct options *options, char *p[], const char *file, int line, const int level, const int msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es); static void read_config_file(struct options *options, const char *file, int level, const char *top_file, const int top_line, const int msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es) { const int max_recursive_levels = 10; FILE *fp; int line_num; char line[OPTION_LINE_SIZE+1]; char *p[MAX_PARMS+1]; ++level; if (level <= max_recursive_levels) { if (streq(file, "stdin")) { fp = stdin; } else { fp = platform_fopen(file, "r"); } if (fp) { line_num = 0; while (fgets(line, sizeof(line), fp)) { int offset = 0; CLEAR(p); ++line_num; if (strlen(line) == OPTION_LINE_SIZE) { msg(msglevel, "In %s:%d: Maximum optione line length (%d) exceeded, line starts with %s", file, line_num, OPTION_LINE_SIZE, line); } /* Ignore UTF-8 BOM at start of stream */ if (line_num == 1 && strncmp(line, "\xEF\xBB\xBF", 3) == 0) { offset = 3; } if (parse_line(line + offset, p, SIZE(p)-1, file, line_num, msglevel, &options->gc)) { bypass_doubledash(&p[0]); check_inline_file_via_fp(fp, p, &options->gc); add_option(options, p, file, line_num, level, msglevel, permission_mask, option_types_found, es); } } if (fp != stdin) { fclose(fp); } } else { msg(msglevel, "In %s:%d: Error opening configuration file: %s", top_file, top_line, file); } } else { msg(msglevel, "In %s:%d: Maximum recursive include levels exceeded in include attempt of file %s -- probably you have a configuration file that tries to include itself.", top_file, top_line, file); } secure_memzero(line, sizeof(line)); CLEAR(p); } static void read_config_string(const char *prefix, struct options *options, const char *config, const int msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es) { char line[OPTION_LINE_SIZE]; struct buffer multiline; int line_num = 0; buf_set_read(&multiline, (uint8_t *)config, strlen(config)); while (buf_parse(&multiline, '\n', line, sizeof(line))) { char *p[MAX_PARMS+1]; CLEAR(p); ++line_num; if (parse_line(line, p, SIZE(p)-1, prefix, line_num, msglevel, &options->gc)) { bypass_doubledash(&p[0]); check_inline_file_via_buf(&multiline, p, &options->gc); add_option(options, p, prefix, line_num, 0, msglevel, permission_mask, option_types_found, es); } CLEAR(p); } secure_memzero(line, sizeof(line)); } void parse_argv(struct options *options, const int argc, char *argv[], const int msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es) { int i, j; /* usage message */ if (argc <= 1) { usage(); } /* config filename specified only? */ if (argc == 2 && strncmp(argv[1], "--", 2)) { char *p[MAX_PARMS]; CLEAR(p); p[0] = "config"; p[1] = argv[1]; add_option(options, p, NULL, 0, 0, msglevel, permission_mask, option_types_found, es); } else { /* parse command line */ for (i = 1; i < argc; ++i) { char *p[MAX_PARMS]; CLEAR(p); p[0] = argv[i]; if (strncmp(p[0], "--", 2)) { msg(msglevel, "I'm trying to parse \"%s\" as an --option parameter but I don't see a leading '--'", p[0]); } else { p[0] += 2; } for (j = 1; j < MAX_PARMS; ++j) { if (i + j < argc) { char *arg = argv[i + j]; if (strncmp(arg, "--", 2)) { p[j] = arg; } else { break; } } } add_option(options, p, NULL, 0, 0, msglevel, permission_mask, option_types_found, es); i += j - 1; } } } /** * Filter an option line by all pull filters. * * If a match is found, the line is modified depending on * the filter type, and returns true. If the filter type is * reject, SIGUSR1 is triggered and the return value is false. * In that case the caller must end the push processing. */ static bool apply_pull_filter(const struct options *o, char *line) { struct pull_filter *f; if (!o->pull_filter_list) { return true; } for (f = o->pull_filter_list->head; f; f = f->next) { if (f->type == PUF_TYPE_ACCEPT && strncmp(line, f->pattern, f->size) == 0) { msg(D_LOW, "Pushed option accepted by filter: '%s'", line); return true; } else if (f->type == PUF_TYPE_IGNORE && strncmp(line, f->pattern, f->size) == 0) { msg(D_PUSH, "Pushed option removed by filter: '%s'", line); *line = '\0'; return true; } else if (f->type == PUF_TYPE_REJECT && strncmp(line, f->pattern, f->size) == 0) { msg(M_WARN, "Pushed option rejected by filter: '%s'. Restarting.", line); *line = '\0'; throw_signal_soft(SIGUSR1, "Offending option received from server"); return false; } } return true; } bool apply_push_options(struct options *options, struct buffer *buf, unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es) { char line[OPTION_PARM_SIZE]; int line_num = 0; const char *file = "[PUSH-OPTIONS]"; const int msglevel = D_PUSH_ERRORS|M_OPTERR; while (buf_parse(buf, ',', line, sizeof(line))) { char *p[MAX_PARMS+1]; CLEAR(p); ++line_num; if (!apply_pull_filter(options, line)) { return false; /* Cause push/pull error and stop push processing */ } if (parse_line(line, p, SIZE(p)-1, file, line_num, msglevel, &options->gc)) { add_option(options, p, file, line_num, 0, msglevel, permission_mask, option_types_found, es); } } return true; } void options_server_import(struct options *o, const char *filename, int msglevel, unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es) { msg(D_PUSH, "OPTIONS IMPORT: reading client specific options from: %s", filename); read_config_file(o, filename, 0, filename, 0, msglevel, permission_mask, option_types_found, es); } void options_string_import(struct options *options, const char *config, const int msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es) { read_config_string("[CONFIG-STRING]", options, config, msglevel, permission_mask, option_types_found, es); } #if P2MP #define VERIFY_PERMISSION(mask) { if (!verify_permission(p[0], file, line, (mask), permission_mask, option_types_found, msglevel, options)) {goto err;}} static bool verify_permission(const char *name, const char *file, int line, const unsigned int type, const unsigned int allowed, unsigned int *found, const int msglevel, struct options *options) { if (!(type & allowed)) { msg(msglevel, "option '%s' cannot be used in this context (%s)", name, file); return false; } if (found) { *found |= type; } #ifndef ENABLE_SMALL /* Check if this options is allowed in connection block, * but we are currently not in a connection block * Parsing a connection block uses a temporary options struct without * connection_list */ if ((type & OPT_P_CONNECTION) && options->connection_list) { if (file) { msg(M_WARN, "Option '%s' in %s:%d is ignored by previous blocks ", name, file, line); } else { msg(M_WARN, "Option '%s' is ignored by previous blocks", name); } } #endif return true; } #else /* if P2MP */ #define VERIFY_PERMISSION(mask) #endif /* if P2MP */ /* * Check that an option doesn't have too * many parameters. */ #define NM_QUOTE_HINT (1<<0) static bool no_more_than_n_args(const int msglevel, char *p[], const int max, const unsigned int flags) { const int len = string_array_len((const char **)p); if (!len) { return false; } if (len > max) { msg(msglevel, "the --%s directive should have at most %d parameter%s.%s", p[0], max - 1, max >= 3 ? "s" : "", (flags & NM_QUOTE_HINT) ? " To pass a list of arguments as one of the parameters, try enclosing them in double quotes (\"\")." : ""); return false; } else { return true; } } static inline int msglevel_forward_compatible(struct options *options, const int msglevel) { return options->forward_compatible ? M_WARN : msglevel; } static void set_user_script(struct options *options, const char **script, const char *new_script, const char *type, bool in_chroot) { if (*script) { msg(M_WARN, "Multiple --%s scripts defined. " "The previously configured script is overridden.", type); } *script = new_script; options->user_script_used = true; #ifndef ENABLE_SMALL { char script_name[100]; openvpn_snprintf(script_name, sizeof(script_name), "--%s script", type); if (check_cmd_access(*script, script_name, (in_chroot ? options->chroot_dir : NULL))) { msg(M_USAGE, "Please correct this error."); } } #endif } static void add_option(struct options *options, char *p[], const char *file, int line, const int level, const int msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es) { struct gc_arena gc = gc_new(); const bool pull_mode = BOOL_CAST(permission_mask & OPT_P_PULL_MODE); int msglevel_fc = msglevel_forward_compatible(options, msglevel); ASSERT(MAX_PARMS >= 7); /* * If directive begins with "setenv opt" prefix, don't raise an error if * directive is unrecognized. */ if (streq(p[0], "setenv") && p[1] && streq(p[1], "opt") && !(permission_mask & OPT_P_PULL_MODE)) { if (!p[2]) { p[2] = "setenv opt"; /* will trigger an error that includes setenv opt */ } p += 2; msglevel_fc = M_WARN; } if (!file) { file = "[CMD-LINE]"; line = 1; } if (streq(p[0], "help")) { VERIFY_PERMISSION(OPT_P_GENERAL); usage(); if (p[1]) { msg(msglevel, "--help does not accept any parameters"); goto err; } } if (streq(p[0], "version") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); usage_version(); } else if (streq(p[0], "config") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_CONFIG); /* save first config file only in options */ if (!options->config) { options->config = p[1]; } read_config_file(options, p[1], level, file, line, msglevel, permission_mask, option_types_found, es); } #if defined(ENABLE_DEBUG) && !defined(ENABLE_SMALL) else if (streq(p[0], "show-gateway") && !p[2]) { struct route_gateway_info rgi; struct route_ipv6_gateway_info rgi6; struct in6_addr remote = IN6ADDR_ANY_INIT; VERIFY_PERMISSION(OPT_P_GENERAL); if (p[1]) { get_ipv6_addr(p[1], &remote, NULL, M_WARN); } get_default_gateway(&rgi); get_default_gateway_ipv6(&rgi6, &remote); print_default_gateway(M_INFO, &rgi, &rgi6); openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */ } #endif #if 0 else if (streq(p[0], "foreign-option") && p[1]) { VERIFY_PERMISSION(OPT_P_IPWIN32); foreign_option(options, p, 3, es); } #endif else if (streq(p[0], "echo") || streq(p[0], "parameter")) { struct buffer string = alloc_buf_gc(OPTION_PARM_SIZE, &gc); int j; bool good = true; VERIFY_PERMISSION(OPT_P_ECHO); for (j = 1; j < MAX_PARMS; ++j) { if (!p[j]) { break; } if (j > 1) { good &= buf_printf(&string, " "); } good &= buf_printf(&string, "%s", p[j]); } if (good) { #if 0 /* removed for now since ECHO can potentially include * security-sensitive strings */ msg(M_INFO, "%s:%s", pull_mode ? "ECHO-PULL" : "ECHO", BSTR(&string)); #endif #ifdef ENABLE_MANAGEMENT if (management) { management_echo(management, BSTR(&string), pull_mode); } #endif } else { msg(M_WARN, "echo/parameter option overflow"); } } #ifdef ENABLE_MANAGEMENT else if (streq(p[0], "management") && p[1] && p[2] && !p[4]) { VERIFY_PERMISSION(OPT_P_GENERAL); if (streq(p[2], "unix")) { #if UNIX_SOCK_SUPPORT options->management_flags |= MF_UNIX_SOCK; #else msg(msglevel, "MANAGEMENT: this platform does not support unix domain sockets"); goto err; #endif } options->management_addr = p[1]; options->management_port = p[2]; if (p[3]) { options->management_user_pass = p[3]; } } else if (streq(p[0], "management-client-user") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->management_client_user = p[1]; } else if (streq(p[0], "management-client-group") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->management_client_group = p[1]; } else if (streq(p[0], "management-query-passwords") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->management_flags |= MF_QUERY_PASSWORDS; } else if (streq(p[0], "management-query-remote") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->management_flags |= MF_QUERY_REMOTE; } else if (streq(p[0], "management-query-proxy") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->management_flags |= MF_QUERY_PROXY; } else if (streq(p[0], "management-hold") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->management_flags |= MF_HOLD; } else if (streq(p[0], "management-signal") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->management_flags |= MF_SIGNAL; } else if (streq(p[0], "management-forget-disconnect") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->management_flags |= MF_FORGET_DISCONNECT; } else if (streq(p[0], "management-up-down") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->management_flags |= MF_UP_DOWN; } else if (streq(p[0], "management-client") && !p[2]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->management_flags |= MF_CONNECT_AS_CLIENT; options->management_write_peer_info_file = p[1]; } #ifdef MANAGMENT_EXTERNAL_KEY else if (streq(p[0], "management-external-key") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->management_flags |= MF_EXTERNAL_KEY; } else if (streq(p[0], "management-external-cert") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->management_flags |= MF_EXTERNAL_CERT; options->management_certificate = p[1]; } #endif #ifdef MANAGEMENT_DEF_AUTH else if (streq(p[0], "management-client-auth") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->management_flags |= MF_CLIENT_AUTH; } #endif #ifdef MANAGEMENT_PF else if (streq(p[0], "management-client-pf") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->management_flags |= (MF_CLIENT_PF | MF_CLIENT_AUTH); } #endif else if (streq(p[0], "management-log-cache") && p[1] && !p[2]) { int cache; VERIFY_PERMISSION(OPT_P_GENERAL); cache = atoi(p[1]); if (cache < 1) { msg(msglevel, "--management-log-cache parameter is out of range"); goto err; } options->management_log_history_cache = cache; } #endif /* ifdef ENABLE_MANAGEMENT */ #ifdef ENABLE_PLUGIN else if (streq(p[0], "plugin") && p[1]) { VERIFY_PERMISSION(OPT_P_PLUGIN); if (!options->plugin_list) { options->plugin_list = plugin_option_list_new(&options->gc); } if (!plugin_option_list_add(options->plugin_list, &p[1], &options->gc)) { msg(msglevel, "plugin add failed: %s", p[1]); goto err; } } #endif else if (streq(p[0], "mode") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_GENERAL); if (streq(p[1], "p2p")) { options->mode = MODE_POINT_TO_POINT; } #if P2MP_SERVER else if (streq(p[1], "server")) { options->mode = MODE_SERVER; } #endif else { msg(msglevel, "Bad --mode parameter: %s", p[1]); goto err; } } else if (streq(p[0], "dev") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->dev = p[1]; } else if (streq(p[0], "dev-type") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->dev_type = p[1]; } else if (streq(p[0], "dev-node") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->dev_node = p[1]; } else if (streq(p[0], "lladdr") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_UP); if (mac_addr_safe(p[1])) /* MAC address only */ { options->lladdr = p[1]; } else { msg(msglevel, "lladdr parm '%s' must be a MAC address", p[1]); goto err; } } else if (streq(p[0], "topology") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_UP); options->topology = parse_topology(p[1], msglevel); } else if (streq(p[0], "tun-ipv6") && !p[1]) { VERIFY_PERMISSION(OPT_P_UP); msg(M_WARN, "Note: option tun-ipv6 is ignored because modern operating systems do not need special IPv6 tun handling anymore."); } #ifdef ENABLE_IPROUTE else if (streq(p[0], "iproute") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_GENERAL); iproute_path = p[1]; } #endif else if (streq(p[0], "ifconfig") && p[1] && p[2] && !p[3]) { VERIFY_PERMISSION(OPT_P_UP); if (ip_or_dns_addr_safe(p[1], options->allow_pull_fqdn) && ip_or_dns_addr_safe(p[2], options->allow_pull_fqdn)) /* FQDN -- may be DNS name */ { options->ifconfig_local = p[1]; options->ifconfig_remote_netmask = p[2]; } else { msg(msglevel, "ifconfig parms '%s' and '%s' must be valid addresses", p[1], p[2]); goto err; } } else if (streq(p[0], "ifconfig-ipv6") && p[1] && p[2] && !p[3]) { unsigned int netbits; VERIFY_PERMISSION(OPT_P_UP); if (get_ipv6_addr( p[1], NULL, &netbits, msglevel ) && ipv6_addr_safe( p[2] ) ) { if (netbits < 64 || netbits > 124) { msg( msglevel, "ifconfig-ipv6: /netbits must be between 64 and 124, not '/%d'", netbits ); goto err; } options->ifconfig_ipv6_local = get_ipv6_addr_no_netbits(p[1], &options->gc); options->ifconfig_ipv6_netbits = netbits; options->ifconfig_ipv6_remote = p[2]; } else { msg(msglevel, "ifconfig-ipv6 parms '%s' and '%s' must be valid addresses", p[1], p[2]); goto err; } } else if (streq(p[0], "ifconfig-noexec") && !p[1]) { VERIFY_PERMISSION(OPT_P_UP); options->ifconfig_noexec = true; } else if (streq(p[0], "ifconfig-nowarn") && !p[1]) { VERIFY_PERMISSION(OPT_P_UP); options->ifconfig_nowarn = true; } else if (streq(p[0], "local") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION); options->ce.local = p[1]; } else if (streq(p[0], "remote-random") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->remote_random = true; } else if (streq(p[0], "connection") && p[1] && !p[3]) { VERIFY_PERMISSION(OPT_P_GENERAL); if (streq(p[1], INLINE_FILE_TAG) && p[2]) { struct options sub; struct connection_entry *e; init_options(&sub, true); sub.ce = options->ce; read_config_string("[CONNECTION-OPTIONS]", &sub, p[2], msglevel, OPT_P_CONNECTION, option_types_found, es); if (!sub.ce.remote) { msg(msglevel, "Each 'connection' block must contain exactly one 'remote' directive"); uninit_options(&sub); goto err; } e = alloc_connection_entry(options, msglevel); if (!e) { uninit_options(&sub); goto err; } *e = sub.ce; gc_transfer(&options->gc, &sub.gc); uninit_options(&sub); } } else if (streq(p[0], "ignore-unknown-option") && p[1]) { int i; int j; int numignored = 0; const char **ignore; VERIFY_PERMISSION(OPT_P_GENERAL); /* Find out how many options to be ignored */ for (i = 1; p[i]; i++) { numignored++; } /* add number of options already ignored */ for (i = 0; options->ignore_unknown_option && options->ignore_unknown_option[i]; i++) { numignored++; } /* Allocate array */ ALLOC_ARRAY_GC(ignore, const char *, numignored+1, &options->gc); for (i = 0; options->ignore_unknown_option && options->ignore_unknown_option[i]; i++) { ignore[i] = options->ignore_unknown_option[i]; } options->ignore_unknown_option = ignore; for (j = 1; p[j]; j++) { /* Allow the user to specify ignore-unknown-option --opt too */ if (p[j][0]=='-' && p[j][1]=='-') { options->ignore_unknown_option[i] = (p[j]+2); } else { options->ignore_unknown_option[i] = p[j]; } i++; } options->ignore_unknown_option[i] = NULL; } #if ENABLE_MANAGEMENT else if (streq(p[0], "http-proxy-override") && p[1] && p[2] && !p[4]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->http_proxy_override = parse_http_proxy_override(p[1], p[2], p[3], msglevel, &options->gc); if (!options->http_proxy_override) { goto err; } } #endif else if (streq(p[0], "remote") && p[1] && !p[4]) { struct remote_entry re; re.remote = re.remote_port = NULL; re.proto = -1; re.af = 0; VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION); re.remote = p[1]; if (p[2]) { re.remote_port = p[2]; if (p[3]) { const int proto = ascii2proto(p[3]); const sa_family_t af = ascii2af(p[3]); if (proto < 0) { msg(msglevel, "remote: bad protocol associated with host %s: '%s'", p[1], p[3]); goto err; } re.proto = proto; re.af = af; } } if (permission_mask & OPT_P_GENERAL) { struct remote_entry *e = alloc_remote_entry(options, msglevel); if (!e) { goto err; } *e = re; } else if (permission_mask & OPT_P_CONNECTION) { connection_entry_load_re(&options->ce, &re); } } else if (streq(p[0], "resolv-retry") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_GENERAL); if (streq(p[1], "infinite")) { options->resolve_retry_seconds = RESOLV_RETRY_INFINITE; } else { options->resolve_retry_seconds = positive_atoi(p[1]); } } else if ((streq(p[0], "preresolve") || streq(p[0], "ip-remote-hint")) && !p[2]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->resolve_in_advance = true; /* Note the ip-remote-hint and the argument p[1] are for * backward compatibility */ if (p[1]) { options->ip_remote_hint = p[1]; } } else if (streq(p[0], "connect-retry") && p[1] && !p[3]) { VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION); options->ce.connect_retry_seconds = positive_atoi(p[1]); /* * Limit the base value of retry wait interval to 16 bits to avoid * overflow when scaled up for exponential backoff */ if (options->ce.connect_retry_seconds > 0xFFFF) { options->ce.connect_retry_seconds = 0xFFFF; msg(M_WARN, "connect retry wait interval truncated to %d", options->ce.connect_retry_seconds); } if (p[2]) { options->ce.connect_retry_seconds_max = max_int(positive_atoi(p[2]), options->ce.connect_retry_seconds); } } else if ((streq(p[0], "connect-timeout") || streq(p[0], "server-poll-timeout")) && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION); options->ce.connect_timeout = positive_atoi(p[1]); } else if (streq(p[0], "connect-retry-max") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION); options->connect_retry_max = positive_atoi(p[1]); } else if (streq(p[0], "ipchange") && p[1]) { VERIFY_PERMISSION(OPT_P_SCRIPT); if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT)) { goto err; } set_user_script(options, &options->ipchange, string_substitute(p[1], ',', ' ', &options->gc), "ipchange", true); } else if (streq(p[0], "float") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION); options->ce.remote_float = true; } #ifdef ENABLE_DEBUG else if (streq(p[0], "gremlin") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->gremlin = positive_atoi(p[1]); } #endif else if (streq(p[0], "chroot") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->chroot_dir = p[1]; } else if (streq(p[0], "cd") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_GENERAL); if (platform_chdir(p[1])) { msg(M_ERR, "cd to '%s' failed", p[1]); goto err; } options->cd_dir = p[1]; } #ifdef ENABLE_SELINUX else if (streq(p[0], "setcon") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->selinux_context = p[1]; } #endif else if (streq(p[0], "writepid") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->writepid = p[1]; } else if (streq(p[0], "up") && p[1]) { VERIFY_PERMISSION(OPT_P_SCRIPT); if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT)) { goto err; } set_user_script(options, &options->up_script, p[1], "up", false); } else if (streq(p[0], "down") && p[1]) { VERIFY_PERMISSION(OPT_P_SCRIPT); if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT)) { goto err; } set_user_script(options, &options->down_script, p[1], "down", true); } else if (streq(p[0], "down-pre") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->down_pre = true; } else if (streq(p[0], "up-delay") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->up_delay = true; } else if (streq(p[0], "up-restart") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->up_restart = true; } else if (streq(p[0], "syslog") && !p[2]) { VERIFY_PERMISSION(OPT_P_GENERAL); open_syslog(p[1], false); } else if (streq(p[0], "daemon") && !p[2]) { bool didit = false; VERIFY_PERMISSION(OPT_P_GENERAL); if (!options->daemon) { options->daemon = didit = true; open_syslog(p[1], false); } if (p[1]) { if (!didit) { msg(M_WARN, "WARNING: Multiple --daemon directives specified, ignoring --daemon %s. (Note that initscripts sometimes add their own --daemon directive.)", p[1]); goto err; } } } else if (streq(p[0], "inetd") && !p[3]) { VERIFY_PERMISSION(OPT_P_GENERAL); if (!options->inetd) { int z; const char *name = NULL; const char *opterr = "when --inetd is used with two parameters, one of them must be 'wait' or 'nowait' and the other must be a daemon name to use for system logging"; options->inetd = -1; for (z = 1; z <= 2; ++z) { if (p[z]) { if (streq(p[z], "wait")) { if (options->inetd != -1) { msg(msglevel, "%s", opterr); goto err; } else { options->inetd = INETD_WAIT; } } else if (streq(p[z], "nowait")) { if (options->inetd != -1) { msg(msglevel, "%s", opterr); goto err; } else { options->inetd = INETD_NOWAIT; } } else { if (name != NULL) { msg(msglevel, "%s", opterr); goto err; } name = p[z]; } } } /* default */ if (options->inetd == -1) { options->inetd = INETD_WAIT; } save_inetd_socket_descriptor(); open_syslog(name, true); } } else if (streq(p[0], "log") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->log = true; redirect_stdout_stderr(p[1], false); } else if (streq(p[0], "suppress-timestamps") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->suppress_timestamps = true; set_suppress_timestamps(true); } else if (streq(p[0], "machine-readable-output") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->machine_readable_output = true; set_machine_readable_output(true); } else if (streq(p[0], "log-append") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->log = true; redirect_stdout_stderr(p[1], true); } #ifdef ENABLE_MEMSTATS else if (streq(p[0], "memstats") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->memstats_fn = p[1]; } #endif else if (streq(p[0], "mlock") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->mlock = true; } #if ENABLE_IP_PKTINFO else if (streq(p[0], "multihome") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->sockflags |= SF_USE_IP_PKTINFO; } #endif else if (streq(p[0], "verb") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_MESSAGES); options->verbosity = positive_atoi(p[1]); #if !defined(ENABLE_DEBUG) && !defined(ENABLE_SMALL) /* Warn when a debug verbosity is supplied when built without debug support */ if (options->verbosity >= 7) { msg(M_WARN, "NOTE: debug verbosity (--verb %d) is enabled but this build lacks debug support.", options->verbosity); } #endif } else if (streq(p[0], "mute") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_MESSAGES); options->mute = positive_atoi(p[1]); } else if (streq(p[0], "errors-to-stderr") && !p[1]) { VERIFY_PERMISSION(OPT_P_MESSAGES); errors_to_stderr(); } else if (streq(p[0], "status") && p[1] && !p[3]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->status_file = p[1]; if (p[2]) { options->status_file_update_freq = positive_atoi(p[2]); } } else if (streq(p[0], "status-version") && p[1] && !p[2]) { int version; VERIFY_PERMISSION(OPT_P_GENERAL); version = atoi(p[1]); if (version < 1 || version > 3) { msg(msglevel, "--status-version must be 1 to 3"); goto err; } options->status_file_version = version; } else if (streq(p[0], "remap-usr1") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_GENERAL); if (streq(p[1], "SIGHUP")) { options->remap_sigusr1 = SIGHUP; } else if (streq(p[1], "SIGTERM")) { options->remap_sigusr1 = SIGTERM; } else { msg(msglevel, "--remap-usr1 parm must be 'SIGHUP' or 'SIGTERM'"); goto err; } } else if ((streq(p[0], "link-mtu") || streq(p[0], "udp-mtu")) && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION); options->ce.link_mtu = positive_atoi(p[1]); options->ce.link_mtu_defined = true; } else if (streq(p[0], "tun-mtu") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION); options->ce.tun_mtu = positive_atoi(p[1]); options->ce.tun_mtu_defined = true; } else if (streq(p[0], "tun-mtu-extra") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION); options->ce.tun_mtu_extra = positive_atoi(p[1]); options->ce.tun_mtu_extra_defined = true; } #ifdef ENABLE_FRAGMENT else if (streq(p[0], "mtu-dynamic")) { VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION); msg(msglevel, "--mtu-dynamic has been replaced by --fragment"); goto err; } else if (streq(p[0], "fragment") && p[1] && !p[2]) { /* VERIFY_PERMISSION (OPT_P_MTU); */ VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION); options->ce.fragment = positive_atoi(p[1]); } #endif else if (streq(p[0], "mtu-disc") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION); options->ce.mtu_discover_type = translate_mtu_discover_type_name(p[1]); } #ifdef ENABLE_OCC else if (streq(p[0], "mtu-test") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->mtu_test = true; } #endif else if (streq(p[0], "nice") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_NICE); options->nice = atoi(p[1]); } else if (streq(p[0], "rcvbuf") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_SOCKBUF); options->rcvbuf = positive_atoi(p[1]); } else if (streq(p[0], "sndbuf") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_SOCKBUF); options->sndbuf = positive_atoi(p[1]); } else if (streq(p[0], "mark") && p[1] && !p[2]) { #if defined(TARGET_LINUX) && HAVE_DECL_SO_MARK VERIFY_PERMISSION(OPT_P_GENERAL); options->mark = atoi(p[1]); #endif } else if (streq(p[0], "socket-flags")) { int j; VERIFY_PERMISSION(OPT_P_SOCKFLAGS); for (j = 1; j < MAX_PARMS && p[j]; ++j) { if (streq(p[j], "TCP_NODELAY")) { options->sockflags |= SF_TCP_NODELAY; } else { msg(msglevel, "unknown socket flag: %s", p[j]); } } } else if (streq(p[0], "txqueuelen") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_GENERAL); #ifdef TARGET_LINUX options->tuntap_options.txqueuelen = positive_atoi(p[1]); #else msg(msglevel, "--txqueuelen not supported on this OS"); goto err; #endif } else if (streq(p[0], "shaper") && p[1] && !p[2]) { #ifdef ENABLE_FEATURE_SHAPER int shaper; VERIFY_PERMISSION(OPT_P_SHAPER); shaper = atoi(p[1]); if (shaper < SHAPER_MIN || shaper > SHAPER_MAX) { msg(msglevel, "Bad shaper value, must be between %d and %d", SHAPER_MIN, SHAPER_MAX); goto err; } options->shaper = shaper; #else /* ENABLE_FEATURE_SHAPER */ VERIFY_PERMISSION(OPT_P_GENERAL); msg(msglevel, "--shaper requires the gettimeofday() function which is missing"); goto err; #endif /* ENABLE_FEATURE_SHAPER */ } else if (streq(p[0], "port") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION); options->ce.local_port = options->ce.remote_port = p[1]; } else if (streq(p[0], "lport") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION); options->ce.local_port_defined = true; options->ce.local_port = p[1]; } else if (streq(p[0], "rport") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION); options->ce.remote_port = p[1]; } else if (streq(p[0], "bind") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION); options->ce.bind_defined = true; if (p[1] && streq(p[1], "ipv6only")) { options->ce.bind_ipv6_only = true; } } else if (streq(p[0], "nobind") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION); options->ce.bind_local = false; } else if (streq(p[0], "fast-io") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->fast_io = true; } else if (streq(p[0], "inactive") && p[1] && !p[3]) { VERIFY_PERMISSION(OPT_P_TIMER); options->inactivity_timeout = positive_atoi(p[1]); if (p[2]) { options->inactivity_minimum_bytes = positive_atoi(p[2]); } } else if (streq(p[0], "proto") && p[1] && !p[2]) { int proto; sa_family_t af; VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION); proto = ascii2proto(p[1]); af = ascii2af(p[1]); if (proto < 0) { msg(msglevel, "Bad protocol: '%s'. Allowed protocols with --proto option: %s", p[1], proto2ascii_all(&gc)); goto err; } options->ce.proto = proto; options->ce.af = af; } else if (streq(p[0], "proto-force") && p[1] && !p[2]) { int proto_force; VERIFY_PERMISSION(OPT_P_GENERAL); proto_force = ascii2proto(p[1]); if (proto_force < 0) { msg(msglevel, "Bad --proto-force protocol: '%s'", p[1]); goto err; } options->proto_force = proto_force; } else if (streq(p[0], "http-proxy") && p[1] && !p[5]) { struct http_proxy_options *ho; VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION); { if (!p[2]) { msg(msglevel, "http-proxy port number not defined"); goto err; } ho = init_http_proxy_options_once(&options->ce.http_proxy_options, &options->gc); ho->server = p[1]; ho->port = p[2]; } if (p[3]) { /* auto -- try to figure out proxy addr, port, and type automatically */ /* semiauto -- given proxy addr:port, try to figure out type automatically */ /* (auto|semiauto)-nct -- disable proxy auth cleartext protocols (i.e. basic auth) */ if (streq(p[3], "auto")) { ho->auth_retry = PAR_ALL; } else if (streq(p[3], "auto-nct")) { ho->auth_retry = PAR_NCT; } else { ho->auth_method_string = "basic"; ho->auth_file = p[3]; if (p[4]) { ho->auth_method_string = p[4]; } } } else { ho->auth_method_string = "none"; } } else if (streq(p[0], "http-proxy-user-pass") && p[1]) { struct http_proxy_options *ho; VERIFY_PERMISSION(OPT_P_GENERAL); ho = init_http_proxy_options_once(&options->ce.http_proxy_options, &options->gc); if (streq(p[1], INLINE_FILE_TAG) && p[2]) { ho->auth_file = p[2]; ho->inline_creds = true; } else { ho->auth_file = p[1]; } } else if (streq(p[0], "http-proxy-retry") || streq(p[0], "socks-proxy-retry")) { VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION); msg(M_WARN, "DEPRECATED OPTION: http-proxy-retry and socks-proxy-retry: " "In OpenVPN 2.4 proxy connection retries are handled like regular connections. " "Use connect-retry-max 1 to get a similar behavior as before."); } else if (streq(p[0], "http-proxy-timeout") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION); msg(M_WARN, "DEPRECATED OPTION: http-proxy-timeout: In OpenVPN 2.4 the timeout until a connection to a " "server is established is managed with a single timeout set by connect-timeout"); } else if (streq(p[0], "http-proxy-option") && p[1] && !p[4]) { struct http_proxy_options *ho; VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION); ho = init_http_proxy_options_once(&options->ce.http_proxy_options, &options->gc); if (streq(p[1], "VERSION") && p[2] && !p[3]) { ho->http_version = p[2]; } else if (streq(p[1], "AGENT") && p[2] && !p[3]) { ho->user_agent = p[2]; } else if ((streq(p[1], "EXT1") || streq(p[1], "EXT2") || streq(p[1], "CUSTOM-HEADER")) && p[2]) { /* In the wild patched versions use both EXT1/2 and CUSTOM-HEADER * with either two argument or one */ struct http_custom_header *custom_header = NULL; int i; /* Find the first free header */ for (i = 0; i < MAX_CUSTOM_HTTP_HEADER; i++) { if (!ho->custom_headers[i].name) { custom_header = &ho->custom_headers[i]; break; } } if (!custom_header) { msg(msglevel, "Cannot use more than %d http-proxy-option CUSTOM-HEADER : '%s'", MAX_CUSTOM_HTTP_HEADER, p[1]); } else { /* We will save p[2] and p[3], the proxy code will detect if * p[3] is NULL */ custom_header->name = p[2]; custom_header->content = p[3]; } } else { msg(msglevel, "Bad http-proxy-option or missing or extra parameter: '%s'", p[1]); } } else if (streq(p[0], "socks-proxy") && p[1] && !p[4]) { VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION); if (p[2]) { options->ce.socks_proxy_port = p[2]; } else { options->ce.socks_proxy_port = "1080"; } options->ce.socks_proxy_server = p[1]; options->ce.socks_proxy_authfile = p[3]; /* might be NULL */ } else if (streq(p[0], "keepalive") && p[1] && p[2] && !p[3]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->keepalive_ping = atoi(p[1]); options->keepalive_timeout = atoi(p[2]); } else if (streq(p[0], "ping") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_TIMER); options->ping_send_timeout = positive_atoi(p[1]); } else if (streq(p[0], "ping-exit") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_TIMER); options->ping_rec_timeout = positive_atoi(p[1]); options->ping_rec_timeout_action = PING_EXIT; } else if (streq(p[0], "ping-restart") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_TIMER); options->ping_rec_timeout = positive_atoi(p[1]); options->ping_rec_timeout_action = PING_RESTART; } else if (streq(p[0], "ping-timer-rem") && !p[1]) { VERIFY_PERMISSION(OPT_P_TIMER); options->ping_timer_remote = true; } #ifdef ENABLE_OCC else if (streq(p[0], "explicit-exit-notify") && !p[2]) { VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION|OPT_P_EXPLICIT_NOTIFY); if (p[1]) { options->ce.explicit_exit_notification = positive_atoi(p[1]); } else { options->ce.explicit_exit_notification = 1; } } #endif else if (streq(p[0], "persist-tun") && !p[1]) { VERIFY_PERMISSION(OPT_P_PERSIST); options->persist_tun = true; } else if (streq(p[0], "persist-key") && !p[1]) { VERIFY_PERMISSION(OPT_P_PERSIST); options->persist_key = true; } else if (streq(p[0], "persist-local-ip") && !p[1]) { VERIFY_PERMISSION(OPT_P_PERSIST_IP); options->persist_local_ip = true; } else if (streq(p[0], "persist-remote-ip") && !p[1]) { VERIFY_PERMISSION(OPT_P_PERSIST_IP); options->persist_remote_ip = true; } else if (streq(p[0], "client-nat") && p[1] && p[2] && p[3] && p[4] && !p[5]) { VERIFY_PERMISSION(OPT_P_ROUTE); cnol_check_alloc(options); add_client_nat_to_option_list(options->client_nat, p[1], p[2], p[3], p[4], msglevel); } else if (streq(p[0], "route") && p[1] && !p[5]) { VERIFY_PERMISSION(OPT_P_ROUTE); rol_check_alloc(options); if (pull_mode) { if (!ip_or_dns_addr_safe(p[1], options->allow_pull_fqdn) && !is_special_addr(p[1])) /* FQDN -- may be DNS name */ { msg(msglevel, "route parameter network/IP '%s' must be a valid address", p[1]); goto err; } if (p[2] && !ip_addr_dotted_quad_safe(p[2])) /* FQDN -- must be IP address */ { msg(msglevel, "route parameter netmask '%s' must be an IP address", p[2]); goto err; } if (p[3] && !ip_or_dns_addr_safe(p[3], options->allow_pull_fqdn) && !is_special_addr(p[3])) /* FQDN -- may be DNS name */ { msg(msglevel, "route parameter gateway '%s' must be a valid address", p[3]); goto err; } } add_route_to_option_list(options->routes, p[1], p[2], p[3], p[4]); } else if (streq(p[0], "route-ipv6") && p[1] && !p[4]) { VERIFY_PERMISSION(OPT_P_ROUTE); rol6_check_alloc(options); if (pull_mode) { if (!ipv6_addr_safe_hexplusbits(p[1])) { msg(msglevel, "route-ipv6 parameter network/IP '%s' must be a valid address", p[1]); goto err; } if (p[2] && !ipv6_addr_safe(p[2])) { msg(msglevel, "route-ipv6 parameter gateway '%s' must be a valid address", p[2]); goto err; } /* p[3] is metric, if present */ } add_route_ipv6_to_option_list(options->routes_ipv6, p[1], p[2], p[3]); } else if (streq(p[0], "max-routes") && !p[2]) { msg(M_WARN, "DEPRECATED OPTION: --max-routes option ignored." "The number of routes is unlimited as of OpenVPN 2.4. " "This option will be removed in a future version, " "please remove it from your configuration."); } else if (streq(p[0], "route-gateway") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_ROUTE_EXTRAS); if (streq(p[1], "dhcp")) { options->route_gateway_via_dhcp = true; } else { if (ip_or_dns_addr_safe(p[1], options->allow_pull_fqdn) || is_special_addr(p[1])) /* FQDN -- may be DNS name */ { options->route_default_gateway = p[1]; } else { msg(msglevel, "route-gateway parm '%s' must be a valid address", p[1]); goto err; } } } else if (streq(p[0], "route-metric") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_ROUTE); options->route_default_metric = positive_atoi(p[1]); } else if (streq(p[0], "route-delay") && !p[3]) { VERIFY_PERMISSION(OPT_P_ROUTE_EXTRAS); options->route_delay_defined = true; if (p[1]) { options->route_delay = positive_atoi(p[1]); if (p[2]) { options->route_delay_window = positive_atoi(p[2]); } } else { options->route_delay = 0; } } else if (streq(p[0], "route-up") && p[1]) { VERIFY_PERMISSION(OPT_P_SCRIPT); if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT)) { goto err; } set_user_script(options, &options->route_script, p[1], "route-up", false); } else if (streq(p[0], "route-pre-down") && p[1]) { VERIFY_PERMISSION(OPT_P_SCRIPT); if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT)) { goto err; } set_user_script(options, &options->route_predown_script, p[1], "route-pre-down", true); } else if (streq(p[0], "route-noexec") && !p[1]) { VERIFY_PERMISSION(OPT_P_SCRIPT); options->route_noexec = true; } else if (streq(p[0], "route-nopull") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->route_nopull = true; } else if (streq(p[0], "pull-filter") && p[1] && p[2] && !p[3]) { struct pull_filter *f; VERIFY_PERMISSION(OPT_P_GENERAL) f = alloc_pull_filter(options, msglevel); if (strcmp("accept", p[1]) == 0) { f->type = PUF_TYPE_ACCEPT; } else if (strcmp("ignore", p[1]) == 0) { f->type = PUF_TYPE_IGNORE; } else if (strcmp("reject", p[1]) == 0) { f->type = PUF_TYPE_REJECT; } else { msg(msglevel, "Unknown --pull-filter type: %s", p[1]); goto err; } f->pattern = p[2]; f->size = strlen(p[2]); } else if (streq(p[0], "allow-pull-fqdn") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->allow_pull_fqdn = true; } else if (streq(p[0], "redirect-gateway") || streq(p[0], "redirect-private")) { int j; VERIFY_PERMISSION(OPT_P_ROUTE); rol_check_alloc(options); if (streq(p[0], "redirect-gateway")) { options->routes->flags |= RG_REROUTE_GW; } for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j) { if (streq(p[j], "local")) { options->routes->flags |= RG_LOCAL; } else if (streq(p[j], "autolocal")) { options->routes->flags |= RG_AUTO_LOCAL; } else if (streq(p[j], "def1")) { options->routes->flags |= RG_DEF1; } else if (streq(p[j], "bypass-dhcp")) { options->routes->flags |= RG_BYPASS_DHCP; } else if (streq(p[j], "bypass-dns")) { options->routes->flags |= RG_BYPASS_DNS; } else if (streq(p[j], "block-local")) { options->routes->flags |= RG_BLOCK_LOCAL; } else if (streq(p[j], "ipv6")) { rol6_check_alloc(options); options->routes_ipv6->flags |= RG_REROUTE_GW; } else if (streq(p[j], "!ipv4")) { options->routes->flags &= ~RG_REROUTE_GW; } else { msg(msglevel, "unknown --%s flag: %s", p[0], p[j]); goto err; } } #ifdef _WIN32 /* we need this here to handle pushed --redirect-gateway */ remap_redirect_gateway_flags(options); #endif options->routes->flags |= RG_ENABLE; } else if (streq(p[0], "remote-random-hostname") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->sockflags |= SF_HOST_RANDOMIZE; } else if (streq(p[0], "setenv") && p[1] && !p[3]) { VERIFY_PERMISSION(OPT_P_GENERAL); if (streq(p[1], "REMOTE_RANDOM_HOSTNAME") && !p[2]) { options->sockflags |= SF_HOST_RANDOMIZE; } else if (streq(p[1], "GENERIC_CONFIG")) { msg(msglevel, "this is a generic configuration and cannot directly be used"); goto err; } #ifdef ENABLE_PUSH_PEER_INFO else if (streq(p[1], "PUSH_PEER_INFO") && !p[2]) { options->push_peer_info = true; } #endif else if (streq(p[1], "SERVER_POLL_TIMEOUT") && p[2]) { options->ce.connect_timeout = positive_atoi(p[2]); } else { if (streq(p[1], "FORWARD_COMPATIBLE") && p[2] && streq(p[2], "1")) { options->forward_compatible = true; msglevel_fc = msglevel_forward_compatible(options, msglevel); } setenv_str(es, p[1], p[2] ? p[2] : ""); } } else if (streq(p[0], "setenv-safe") && p[1] && !p[3]) { VERIFY_PERMISSION(OPT_P_SETENV); setenv_str_safe(es, p[1], p[2] ? p[2] : ""); } else if (streq(p[0], "script-security") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_GENERAL); script_security = atoi(p[1]); } else if (streq(p[0], "mssfix") && !p[2]) { VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION); if (p[1]) { options->ce.mssfix = positive_atoi(p[1]); } else { options->ce.mssfix_default = true; } } #ifdef ENABLE_OCC else if (streq(p[0], "disable-occ") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->occ = false; } #endif #if P2MP #if P2MP_SERVER else if (streq(p[0], "server") && p[1] && p[2] && !p[4]) { const int lev = M_WARN; bool error = false; in_addr_t network, netmask; VERIFY_PERMISSION(OPT_P_GENERAL); network = get_ip_addr(p[1], lev, &error); netmask = get_ip_addr(p[2], lev, &error); if (error || !network || !netmask) { msg(msglevel, "error parsing --server parameters"); goto err; } options->server_defined = true; options->server_network = network; options->server_netmask = netmask; if (p[3]) { if (streq(p[3], "nopool")) { options->server_flags |= SF_NOPOOL; } else { msg(msglevel, "error parsing --server: %s is not a recognized flag", p[3]); goto err; } } } else if (streq(p[0], "server-ipv6") && p[1] && !p[3]) { const int lev = M_WARN; struct in6_addr network; unsigned int netbits = 0; VERIFY_PERMISSION(OPT_P_GENERAL); if (!get_ipv6_addr(p[1], &network, &netbits, lev) ) { msg(msglevel, "error parsing --server-ipv6 parameter"); goto err; } if (netbits < 64 || netbits > 112) { msg( msglevel, "--server-ipv6 settings: only /64../112 supported right now (not /%d)", netbits ); goto err; } options->server_ipv6_defined = true; options->server_network_ipv6 = network; options->server_netbits_ipv6 = netbits; if (p[2]) /* no "nopool" options or similar for IPv6 */ { msg(msglevel, "error parsing --server-ipv6: %s is not a recognized flag", p[3]); goto err; } } else if (streq(p[0], "server-bridge") && p[1] && p[2] && p[3] && p[4] && !p[5]) { const int lev = M_WARN; bool error = false; in_addr_t ip, netmask, pool_start, pool_end; VERIFY_PERMISSION(OPT_P_GENERAL); ip = get_ip_addr(p[1], lev, &error); netmask = get_ip_addr(p[2], lev, &error); pool_start = get_ip_addr(p[3], lev, &error); pool_end = get_ip_addr(p[4], lev, &error); if (error || !ip || !netmask || !pool_start || !pool_end) { msg(msglevel, "error parsing --server-bridge parameters"); goto err; } options->server_bridge_defined = true; options->server_bridge_ip = ip; options->server_bridge_netmask = netmask; options->server_bridge_pool_start = pool_start; options->server_bridge_pool_end = pool_end; } else if (streq(p[0], "server-bridge") && p[1] && streq(p[1], "nogw") && !p[2]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->server_bridge_proxy_dhcp = true; options->server_flags |= SF_NO_PUSH_ROUTE_GATEWAY; } else if (streq(p[0], "server-bridge") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->server_bridge_proxy_dhcp = true; } else if (streq(p[0], "push") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_PUSH); push_options(options, &p[1], msglevel, &options->gc); } else if (streq(p[0], "push-reset") && !p[1]) { VERIFY_PERMISSION(OPT_P_INSTANCE); push_reset(options); } else if (streq(p[0], "push-remove") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_INSTANCE); msg(D_PUSH, "PUSH_REMOVE '%s'", p[1]); push_remove_option(options,p[1]); } else if (streq(p[0], "ifconfig-pool") && p[1] && p[2] && !p[4]) { const int lev = M_WARN; bool error = false; in_addr_t start, end, netmask = 0; VERIFY_PERMISSION(OPT_P_GENERAL); start = get_ip_addr(p[1], lev, &error); end = get_ip_addr(p[2], lev, &error); if (p[3]) { netmask = get_ip_addr(p[3], lev, &error); } if (error) { msg(msglevel, "error parsing --ifconfig-pool parameters"); goto err; } if (!ifconfig_pool_verify_range(msglevel, start, end)) { goto err; } options->ifconfig_pool_defined = true; options->ifconfig_pool_start = start; options->ifconfig_pool_end = end; if (netmask) { options->ifconfig_pool_netmask = netmask; } } else if (streq(p[0], "ifconfig-pool-persist") && p[1] && !p[3]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->ifconfig_pool_persist_filename = p[1]; if (p[2]) { options->ifconfig_pool_persist_refresh_freq = positive_atoi(p[2]); } } else if (streq(p[0], "ifconfig-pool-linear") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->topology = TOP_P2P; msg(M_WARN, "DEPRECATED OPTION: --ifconfig-pool-linear, use --topology p2p instead"); } else if (streq(p[0], "ifconfig-ipv6-pool") && p[1] && !p[2]) { const int lev = M_WARN; struct in6_addr network; unsigned int netbits = 0; VERIFY_PERMISSION(OPT_P_GENERAL); if (!get_ipv6_addr(p[1], &network, &netbits, lev ) ) { msg(msglevel, "error parsing --ifconfig-ipv6-pool parameters"); goto err; } if (netbits < 64 || netbits > 112) { msg( msglevel, "--ifconfig-ipv6-pool settings: only /64../112 supported right now (not /%d)", netbits ); goto err; } options->ifconfig_ipv6_pool_defined = true; options->ifconfig_ipv6_pool_base = network; options->ifconfig_ipv6_pool_netbits = netbits; } else if (streq(p[0], "hash-size") && p[1] && p[2] && !p[3]) { int real, virtual; VERIFY_PERMISSION(OPT_P_GENERAL); real = atoi(p[1]); virtual = atoi(p[2]); if (real < 1 || virtual < 1) { msg(msglevel, "--hash-size sizes must be >= 1 (preferably a power of 2)"); goto err; } options->real_hash_size = real; options->virtual_hash_size = real; } else if (streq(p[0], "connect-freq") && p[1] && p[2] && !p[3]) { int cf_max, cf_per; VERIFY_PERMISSION(OPT_P_GENERAL); cf_max = atoi(p[1]); cf_per = atoi(p[2]); if (cf_max < 0 || cf_per < 0) { msg(msglevel, "--connect-freq parms must be > 0"); goto err; } options->cf_max = cf_max; options->cf_per = cf_per; } else if (streq(p[0], "max-clients") && p[1] && !p[2]) { int max_clients; VERIFY_PERMISSION(OPT_P_GENERAL); max_clients = atoi(p[1]); if (max_clients < 0) { msg(msglevel, "--max-clients must be at least 1"); goto err; } if (max_clients >= MAX_PEER_ID) /* max peer-id value */ { msg(msglevel, "--max-clients must be less than %d", MAX_PEER_ID); goto err; } options->max_clients = max_clients; } else if (streq(p[0], "max-routes-per-client") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_INHERIT); options->max_routes_per_client = max_int(atoi(p[1]), 1); } else if (streq(p[0], "client-cert-not-required") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->ssl_flags |= SSLF_CLIENT_CERT_NOT_REQUIRED; msg(M_WARN, "DEPRECATED OPTION: --client-cert-not-required, use --verify-client-cert instead"); } else if (streq(p[0], "verify-client-cert") && !p[2]) { VERIFY_PERMISSION(OPT_P_GENERAL); /* Reset any existing flags */ options->ssl_flags &= ~SSLF_CLIENT_CERT_OPTIONAL; options->ssl_flags &= ~SSLF_CLIENT_CERT_NOT_REQUIRED; if (p[1]) { if (streq(p[1], "none")) { options->ssl_flags |= SSLF_CLIENT_CERT_NOT_REQUIRED; } else if (streq(p[1], "optional")) { options->ssl_flags |= SSLF_CLIENT_CERT_OPTIONAL; } else if (!streq(p[1], "require")) { msg(msglevel, "parameter to --verify-client-cert must be 'none', 'optional' or 'require'"); goto err; } } } else if (streq(p[0], "username-as-common-name") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->ssl_flags |= SSLF_USERNAME_AS_COMMON_NAME; } else if (streq(p[0], "auth-user-pass-optional") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->ssl_flags |= SSLF_AUTH_USER_PASS_OPTIONAL; } else if (streq(p[0], "opt-verify") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->ssl_flags |= SSLF_OPT_VERIFY; } else if (streq(p[0], "auth-user-pass-verify") && p[1]) { VERIFY_PERMISSION(OPT_P_SCRIPT); if (!no_more_than_n_args(msglevel, p, 3, NM_QUOTE_HINT)) { goto err; } if (p[2]) { if (streq(p[2], "via-env")) { options->auth_user_pass_verify_script_via_file = false; } else if (streq(p[2], "via-file")) { options->auth_user_pass_verify_script_via_file = true; } else { msg(msglevel, "second parm to --auth-user-pass-verify must be 'via-env' or 'via-file'"); goto err; } } else { msg(msglevel, "--auth-user-pass-verify requires a second parameter ('via-env' or 'via-file')"); goto err; } set_user_script(options, &options->auth_user_pass_verify_script, p[1], "auth-user-pass-verify", true); } else if (streq(p[0], "auth-gen-token")) { VERIFY_PERMISSION(OPT_P_GENERAL); options->auth_token_generate = true; options->auth_token_lifetime = p[1] ? positive_atoi(p[1]) : 0; } else if (streq(p[0], "client-connect") && p[1]) { VERIFY_PERMISSION(OPT_P_SCRIPT); if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT)) { goto err; } set_user_script(options, &options->client_connect_script, p[1], "client-connect", true); } else if (streq(p[0], "client-disconnect") && p[1]) { VERIFY_PERMISSION(OPT_P_SCRIPT); if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT)) { goto err; } set_user_script(options, &options->client_disconnect_script, p[1], "client-disconnect", true); } else if (streq(p[0], "learn-address") && p[1]) { VERIFY_PERMISSION(OPT_P_SCRIPT); if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT)) { goto err; } set_user_script(options, &options->learn_address_script, p[1], "learn-address", true); } else if (streq(p[0], "tmp-dir") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->tmp_dir = p[1]; } else if (streq(p[0], "client-config-dir") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->client_config_dir = p[1]; } else if (streq(p[0], "ccd-exclusive") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->ccd_exclusive = true; } else if (streq(p[0], "bcast-buffers") && p[1] && !p[2]) { int n_bcast_buf; VERIFY_PERMISSION(OPT_P_GENERAL); n_bcast_buf = atoi(p[1]); if (n_bcast_buf < 1) { msg(msglevel, "--bcast-buffers parameter must be > 0"); } options->n_bcast_buf = n_bcast_buf; } else if (streq(p[0], "tcp-queue-limit") && p[1] && !p[2]) { int tcp_queue_limit; VERIFY_PERMISSION(OPT_P_GENERAL); tcp_queue_limit = atoi(p[1]); if (tcp_queue_limit < 1) { msg(msglevel, "--tcp-queue-limit parameter must be > 0"); } options->tcp_queue_limit = tcp_queue_limit; } #if PORT_SHARE else if (streq(p[0], "port-share") && p[1] && p[2] && !p[4]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->port_share_host = p[1]; options->port_share_port = p[2]; options->port_share_journal_dir = p[3]; } #endif else if (streq(p[0], "client-to-client") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->enable_c2c = true; } else if (streq(p[0], "duplicate-cn") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->duplicate_cn = true; } else if (streq(p[0], "iroute") && p[1] && !p[3]) { const char *netmask = NULL; VERIFY_PERMISSION(OPT_P_INSTANCE); if (p[2]) { netmask = p[2]; } option_iroute(options, p[1], netmask, msglevel); } else if (streq(p[0], "iroute-ipv6") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_INSTANCE); option_iroute_ipv6(options, p[1], msglevel); } else if (streq(p[0], "ifconfig-push") && p[1] && p[2] && !p[4]) { in_addr_t local, remote_netmask; VERIFY_PERMISSION(OPT_P_INSTANCE); local = getaddr(GETADDR_HOST_ORDER|GETADDR_RESOLVE, p[1], 0, NULL, NULL); remote_netmask = getaddr(GETADDR_HOST_ORDER|GETADDR_RESOLVE, p[2], 0, NULL, NULL); if (local && remote_netmask) { options->push_ifconfig_defined = true; options->push_ifconfig_local = local; options->push_ifconfig_remote_netmask = remote_netmask; if (p[3]) { options->push_ifconfig_local_alias = getaddr(GETADDR_HOST_ORDER|GETADDR_RESOLVE, p[3], 0, NULL, NULL); } } else { msg(msglevel, "cannot parse --ifconfig-push addresses"); goto err; } } else if (streq(p[0], "ifconfig-push-constraint") && p[1] && p[2] && !p[3]) { in_addr_t network, netmask; VERIFY_PERMISSION(OPT_P_GENERAL); network = getaddr(GETADDR_HOST_ORDER|GETADDR_RESOLVE, p[1], 0, NULL, NULL); netmask = getaddr(GETADDR_HOST_ORDER, p[2], 0, NULL, NULL); if (network && netmask) { options->push_ifconfig_constraint_defined = true; options->push_ifconfig_constraint_network = network; options->push_ifconfig_constraint_netmask = netmask; } else { msg(msglevel, "cannot parse --ifconfig-push-constraint addresses"); goto err; } } else if (streq(p[0], "ifconfig-ipv6-push") && p[1] && !p[3]) { struct in6_addr local, remote; unsigned int netbits; VERIFY_PERMISSION(OPT_P_INSTANCE); if (!get_ipv6_addr( p[1], &local, &netbits, msglevel ) ) { msg(msglevel, "cannot parse --ifconfig-ipv6-push addresses"); goto err; } if (p[2]) { if (!get_ipv6_addr( p[2], &remote, NULL, msglevel ) ) { msg( msglevel, "cannot parse --ifconfig-ipv6-push addresses"); goto err; } } else { if (!options->ifconfig_ipv6_local || !get_ipv6_addr( options->ifconfig_ipv6_local, &remote, NULL, msglevel ) ) { msg( msglevel, "second argument to --ifconfig-ipv6-push missing and no global --ifconfig-ipv6 address set"); goto err; } } options->push_ifconfig_ipv6_defined = true; options->push_ifconfig_ipv6_local = local; options->push_ifconfig_ipv6_netbits = netbits; options->push_ifconfig_ipv6_remote = remote; options->push_ifconfig_ipv6_blocked = false; } else if (streq(p[0], "disable") && !p[1]) { VERIFY_PERMISSION(OPT_P_INSTANCE); options->disable = true; } else if (streq(p[0], "tcp-nodelay") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->server_flags |= SF_TCP_NODELAY_HELPER; } else if (streq(p[0], "stale-routes-check") && p[1] && !p[3]) { int ageing_time, check_interval; VERIFY_PERMISSION(OPT_P_GENERAL); ageing_time = atoi(p[1]); if (p[2]) { check_interval = atoi(p[2]); } else { check_interval = ageing_time; } if (ageing_time < 1 || check_interval < 1) { msg(msglevel, "--stale-routes-check aging time and check interval must be >= 1"); goto err; } options->stale_routes_ageing_time = ageing_time; options->stale_routes_check_interval = check_interval; } #endif /* P2MP_SERVER */ else if (streq(p[0], "client") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->client = true; } else if (streq(p[0], "pull") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->pull = true; } else if (streq(p[0], "push-continuation") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_PULL_MODE); options->push_continuation = atoi(p[1]); } else if (streq(p[0], "auth-user-pass") && !p[2]) { VERIFY_PERMISSION(OPT_P_GENERAL); if (p[1]) { options->auth_user_pass_file = p[1]; } else { options->auth_user_pass_file = "stdin"; } } else if (streq(p[0], "auth-retry") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_GENERAL); auth_retry_set(msglevel, p[1]); } #ifdef ENABLE_CLIENT_CR else if (streq(p[0], "static-challenge") && p[1] && p[2] && !p[3]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->sc_info.challenge_text = p[1]; if (atoi(p[2])) { options->sc_info.flags |= SC_ECHO; } } #endif #endif /* if P2MP */ else if (streq(p[0], "msg-channel") && p[1]) { #ifdef _WIN32 VERIFY_PERMISSION(OPT_P_GENERAL); HANDLE process = GetCurrentProcess(); HANDLE handle = (HANDLE) atoi(p[1]); if (!DuplicateHandle(process, handle, process, &options->msg_channel, 0, FALSE, DUPLICATE_CLOSE_SOURCE | DUPLICATE_SAME_ACCESS)) { msg(msglevel, "could not duplicate service pipe handle"); goto err; } options->route_method = ROUTE_METHOD_SERVICE; #else /* ifdef _WIN32 */ msg(msglevel, "--msg-channel is only supported on Windows"); goto err; #endif } #ifdef _WIN32 else if (streq(p[0], "win-sys") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_GENERAL); if (streq(p[1], "env")) { msg(M_INFO, "NOTE: --win-sys env is default from OpenVPN 2.3. " "This entry will now be ignored. " "Please remove this entry from your configuration file."); } else { set_win_sys_path(p[1], es); } } else if (streq(p[0], "route-method") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_ROUTE_EXTRAS); if (streq(p[1], "adaptive")) { options->route_method = ROUTE_METHOD_ADAPTIVE; } else if (streq(p[1], "ipapi")) { options->route_method = ROUTE_METHOD_IPAPI; } else if (streq(p[1], "exe")) { options->route_method = ROUTE_METHOD_EXE; } else { msg(msglevel, "--route method must be 'adaptive', 'ipapi', or 'exe'"); goto err; } } else if (streq(p[0], "ip-win32") && p[1] && !p[4]) { const int index = ascii2ipset(p[1]); struct tuntap_options *to = &options->tuntap_options; VERIFY_PERMISSION(OPT_P_IPWIN32); if (index < 0) { msg(msglevel, "Bad --ip-win32 method: '%s'. Allowed methods: %s", p[1], ipset2ascii_all(&gc)); goto err; } if (index == IPW32_SET_ADAPTIVE) { options->route_delay_window = IPW32_SET_ADAPTIVE_DELAY_WINDOW; } if (index == IPW32_SET_DHCP_MASQ) { if (p[2]) { if (!streq(p[2], "default")) { int offset = atoi(p[2]); if (!(offset > -256 && offset < 256)) { msg(msglevel, "--ip-win32 dynamic [offset] [lease-time]: offset (%d) must be > -256 and < 256", offset); goto err; } to->dhcp_masq_custom_offset = true; to->dhcp_masq_offset = offset; } if (p[3]) { const int min_lease = 30; int lease_time; lease_time = atoi(p[3]); if (lease_time < min_lease) { msg(msglevel, "--ip-win32 dynamic [offset] [lease-time]: lease time parameter (%d) must be at least %d seconds", lease_time, min_lease); goto err; } to->dhcp_lease_time = lease_time; } } } to->ip_win32_type = index; to->ip_win32_defined = true; } #endif /* ifdef _WIN32 */ #if defined(_WIN32) || defined(TARGET_ANDROID) else if (streq(p[0], "dhcp-option") && p[1] && !p[3]) { struct tuntap_options *o = &options->tuntap_options; VERIFY_PERMISSION(OPT_P_IPWIN32); if (streq(p[1], "DOMAIN") && p[2]) { o->domain = p[2]; } else if (streq(p[1], "NBS") && p[2]) { o->netbios_scope = p[2]; } else if (streq(p[1], "NBT") && p[2]) { int t; t = atoi(p[2]); if (!(t == 1 || t == 2 || t == 4 || t == 8)) { msg(msglevel, "--dhcp-option NBT: parameter (%d) must be 1, 2, 4, or 8", t); goto err; } o->netbios_node_type = t; } else if (streq(p[1], "DNS") && p[2]) { dhcp_option_address_parse("DNS", p[2], o->dns, &o->dns_len, msglevel); } else if (streq(p[1], "DNS6") && p[2] && ipv6_addr_safe(p[2])) { struct in6_addr addr; foreign_option(options, p, 3, es); if (o->dns6_len >= N_DHCP_ADDR) { msg(msglevel, "--dhcp-option DNS6: maximum of %d dns servers can be specified", N_DHCP_ADDR); } else if (get_ipv6_addr(p[2], &addr, NULL, msglevel)) { o->dns6[o->dns6_len++] = addr; } } else if (streq(p[1], "WINS") && p[2]) { dhcp_option_address_parse("WINS", p[2], o->wins, &o->wins_len, msglevel); } else if (streq(p[1], "NTP") && p[2]) { dhcp_option_address_parse("NTP", p[2], o->ntp, &o->ntp_len, msglevel); } else if (streq(p[1], "NBDD") && p[2]) { dhcp_option_address_parse("NBDD", p[2], o->nbdd, &o->nbdd_len, msglevel); } else if (streq(p[1], "DISABLE-NBT") && !p[2]) { o->disable_nbt = 1; } else { msg(msglevel, "--dhcp-option: unknown option type '%s' or missing or unknown parameter", p[1]); goto err; } /* flag that we have options to give to the TAP driver's DHCPv4 server * - skipped for "DNS6", as that's not a DHCPv4 option */ if (!streq(p[1], "DNS6")) { o->dhcp_options = true; } } #endif /* if defined(_WIN32) || defined(TARGET_ANDROID) */ #ifdef _WIN32 else if (streq(p[0], "show-adapters") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); show_tap_win_adapters(M_INFO|M_NOPREFIX, M_WARN|M_NOPREFIX); openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */ } else if (streq(p[0], "show-net") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); show_routes(M_INFO|M_NOPREFIX); show_adapters(M_INFO|M_NOPREFIX); openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */ } else if (streq(p[0], "show-net-up") && !p[1]) { VERIFY_PERMISSION(OPT_P_UP); options->show_net_up = true; } else if (streq(p[0], "tap-sleep") && p[1] && !p[2]) { int s; VERIFY_PERMISSION(OPT_P_IPWIN32); s = atoi(p[1]); if (s < 0 || s >= 256) { msg(msglevel, "--tap-sleep parameter must be between 0 and 255"); goto err; } options->tuntap_options.tap_sleep = s; } else if (streq(p[0], "dhcp-renew") && !p[1]) { VERIFY_PERMISSION(OPT_P_IPWIN32); options->tuntap_options.dhcp_renew = true; } else if (streq(p[0], "dhcp-pre-release") && !p[1]) { VERIFY_PERMISSION(OPT_P_IPWIN32); options->tuntap_options.dhcp_pre_release = true; options->tuntap_options.dhcp_renew = true; } else if (streq(p[0], "dhcp-release") && !p[1]) { msg(M_WARN, "Obsolete option --dhcp-release detected. This is now on by default"); } else if (streq(p[0], "dhcp-internal") && p[1] && !p[2]) /* standalone method for internal use */ { unsigned int adapter_index; VERIFY_PERMISSION(OPT_P_GENERAL); set_debug_level(options->verbosity, SDL_CONSTRAIN); adapter_index = atou(p[1]); sleep(options->tuntap_options.tap_sleep); if (options->tuntap_options.dhcp_pre_release) { dhcp_release_by_adapter_index(adapter_index); } if (options->tuntap_options.dhcp_renew) { dhcp_renew_by_adapter_index(adapter_index); } openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */ } else if (streq(p[0], "register-dns") && !p[1]) { VERIFY_PERMISSION(OPT_P_IPWIN32); options->tuntap_options.register_dns = true; } else if (streq(p[0], "block-outside-dns") && !p[1]) { VERIFY_PERMISSION(OPT_P_IPWIN32); options->block_outside_dns = true; } else if (streq(p[0], "rdns-internal") && !p[1]) /* standalone method for internal use * * (if --register-dns is set, openvpn needs to call itself in a * sub-process to execute the required functions in a non-blocking * way, and uses --rdns-internal to signal that to itself) */ { VERIFY_PERMISSION(OPT_P_GENERAL); set_debug_level(options->verbosity, SDL_CONSTRAIN); if (options->tuntap_options.register_dns) { ipconfig_register_dns(NULL); } openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */ } else if (streq(p[0], "show-valid-subnets") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); show_valid_win32_tun_subnets(); openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */ } else if (streq(p[0], "pause-exit") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); set_pause_exit_win32(); } else if (streq(p[0], "service") && p[1] && !p[3]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->exit_event_name = p[1]; if (p[2]) { options->exit_event_initial_state = (atoi(p[2]) != 0); } } else if (streq(p[0], "allow-nonadmin") && !p[2]) { VERIFY_PERMISSION(OPT_P_GENERAL); tap_allow_nonadmin_access(p[1]); openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */ } else if (streq(p[0], "user") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_GENERAL); msg(M_WARN, "NOTE: --user option is not implemented on Windows"); } else if (streq(p[0], "group") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_GENERAL); msg(M_WARN, "NOTE: --group option is not implemented on Windows"); } #else /* ifdef _WIN32 */ else if (streq(p[0], "user") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->username = p[1]; } else if (streq(p[0], "group") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->groupname = p[1]; } else if (streq(p[0], "dhcp-option") && p[1] && !p[3]) { VERIFY_PERMISSION(OPT_P_IPWIN32); foreign_option(options, p, 3, es); } else if (streq(p[0], "route-method") && p[1] && !p[2]) /* ignore when pushed to non-Windows OS */ { VERIFY_PERMISSION(OPT_P_ROUTE_EXTRAS); } #endif /* ifdef _WIN32 */ #if PASSTOS_CAPABILITY else if (streq(p[0], "passtos") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->passtos = true; } #endif #if defined(USE_COMP) else if (streq(p[0], "comp-lzo") && !p[2]) { VERIFY_PERMISSION(OPT_P_COMP); #if defined(ENABLE_LZO) if (p[1] && streq(p[1], "no")) #endif { options->comp.alg = COMP_ALG_STUB; options->comp.flags = 0; } #if defined(ENABLE_LZO) else if (p[1]) { if (streq(p[1], "yes")) { options->comp.alg = COMP_ALG_LZO; options->comp.flags = 0; } else if (streq(p[1], "adaptive")) { options->comp.alg = COMP_ALG_LZO; options->comp.flags = COMP_F_ADAPTIVE; } else { msg(msglevel, "bad comp-lzo option: %s -- must be 'yes', 'no', or 'adaptive'", p[1]); goto err; } } else { options->comp.alg = COMP_ALG_LZO; options->comp.flags = COMP_F_ADAPTIVE; } #endif /* if defined(ENABLE_LZO) */ } else if (streq(p[0], "comp-noadapt") && !p[1]) { VERIFY_PERMISSION(OPT_P_COMP); options->comp.flags &= ~COMP_F_ADAPTIVE; } else if (streq(p[0], "compress") && !p[2]) { VERIFY_PERMISSION(OPT_P_COMP); if (p[1]) { if (streq(p[1], "stub")) { options->comp.alg = COMP_ALG_STUB; options->comp.flags = (COMP_F_SWAP|COMP_F_ADVERTISE_STUBS_ONLY); } else if (streq(p[1], "stub-v2")) { options->comp.alg = COMP_ALGV2_UNCOMPRESSED; options->comp.flags = COMP_F_ADVERTISE_STUBS_ONLY; } #if defined(ENABLE_LZO) else if (streq(p[1], "lzo")) { options->comp.alg = COMP_ALG_LZO; options->comp.flags = 0; } #endif #if defined(ENABLE_LZ4) else if (streq(p[1], "lz4")) { options->comp.alg = COMP_ALG_LZ4; options->comp.flags = COMP_F_SWAP; } else if (streq(p[1], "lz4-v2")) { options->comp.alg = COMP_ALGV2_LZ4; options->comp.flags = 0; } #endif else { msg(msglevel, "bad comp option: %s", p[1]); goto err; } } else { options->comp.alg = COMP_ALG_STUB; options->comp.flags = COMP_F_SWAP; } } #endif /* USE_COMP */ #ifdef ENABLE_CRYPTO else if (streq(p[0], "show-ciphers") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->show_ciphers = true; } else if (streq(p[0], "show-digests") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->show_digests = true; } else if (streq(p[0], "show-engines") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->show_engines = true; } else if (streq(p[0], "key-direction") && p[1] && !p[2]) { int key_direction; key_direction = ascii2keydirection(msglevel, p[1]); if (key_direction >= 0) { options->key_direction = key_direction; } else { goto err; } } else if (streq(p[0], "secret") && p[1] && !p[3]) { VERIFY_PERMISSION(OPT_P_GENERAL); if (streq(p[1], INLINE_FILE_TAG) && p[2]) { options->shared_secret_file_inline = p[2]; } else if (p[2]) { int key_direction; key_direction = ascii2keydirection(msglevel, p[2]); if (key_direction >= 0) { options->key_direction = key_direction; } else { goto err; } } options->shared_secret_file = p[1]; } else if (streq(p[0], "genkey") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->genkey = true; } else if (streq(p[0], "auth") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->authname = p[1]; } else if (streq(p[0], "cipher") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_NCP); options->ciphername = p[1]; } else if (streq(p[0], "ncp-ciphers") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INSTANCE); options->ncp_ciphers = p[1]; } else if (streq(p[0], "ncp-disable") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INSTANCE); options->ncp_enabled = false; } else if (streq(p[0], "prng") && p[1] && !p[3]) { VERIFY_PERMISSION(OPT_P_GENERAL); if (streq(p[1], "none")) { options->prng_hash = NULL; } else { options->prng_hash = p[1]; } if (p[2]) { const int sl = atoi(p[2]); if (sl >= NONCE_SECRET_LEN_MIN && sl <= NONCE_SECRET_LEN_MAX) { options->prng_nonce_secret_len = sl; } else { msg(msglevel, "prng parameter nonce_secret_len must be between %d and %d", NONCE_SECRET_LEN_MIN, NONCE_SECRET_LEN_MAX); goto err; } } } else if (streq(p[0], "no-replay") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->replay = false; } else if (streq(p[0], "replay-window") && !p[3]) { VERIFY_PERMISSION(OPT_P_GENERAL); if (p[1]) { int replay_window; replay_window = atoi(p[1]); if (!(MIN_SEQ_BACKTRACK <= replay_window && replay_window <= MAX_SEQ_BACKTRACK)) { msg(msglevel, "replay-window window size parameter (%d) must be between %d and %d", replay_window, MIN_SEQ_BACKTRACK, MAX_SEQ_BACKTRACK); goto err; } options->replay_window = replay_window; if (p[2]) { int replay_time; replay_time = atoi(p[2]); if (!(MIN_TIME_BACKTRACK <= replay_time && replay_time <= MAX_TIME_BACKTRACK)) { msg(msglevel, "replay-window time window parameter (%d) must be between %d and %d", replay_time, MIN_TIME_BACKTRACK, MAX_TIME_BACKTRACK); goto err; } options->replay_time = replay_time; } } else { msg(msglevel, "replay-window option is missing window size parameter"); goto err; } } else if (streq(p[0], "mute-replay-warnings") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->mute_replay_warnings = true; } else if (streq(p[0], "no-iv") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->use_iv = false; } else if (streq(p[0], "replay-persist") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->packet_id_file = p[1]; } else if (streq(p[0], "test-crypto") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->test_crypto = true; } #ifndef ENABLE_CRYPTO_MBEDTLS else if (streq(p[0], "engine") && !p[2]) { VERIFY_PERMISSION(OPT_P_GENERAL); if (p[1]) { options->engine = p[1]; } else { options->engine = "auto"; } } #endif /* ENABLE_CRYPTO_MBEDTLS */ #ifdef HAVE_EVP_CIPHER_CTX_SET_KEY_LENGTH else if (streq(p[0], "keysize") && p[1] && !p[2]) { int keysize; VERIFY_PERMISSION(OPT_P_NCP); keysize = atoi(p[1]) / 8; if (keysize < 0 || keysize > MAX_CIPHER_KEY_LENGTH) { msg(msglevel, "Bad keysize: %s", p[1]); goto err; } options->keysize = keysize; } #endif #ifdef ENABLE_PREDICTION_RESISTANCE else if (streq(p[0], "use-prediction-resistance") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->use_prediction_resistance = true; } #endif else if (streq(p[0], "show-tls") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->show_tls_ciphers = true; } else if (streq(p[0], "show-curves") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->show_curves = true; } else if (streq(p[0], "ecdh-curve") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->ecdh_curve = p[1]; } else if (streq(p[0], "tls-server") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->tls_server = true; } else if (streq(p[0], "tls-client") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->tls_client = true; } else if (streq(p[0], "ca") && p[1] && ((streq(p[1], INLINE_FILE_TAG) && p[2]) || !p[2]) && !p[3]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->ca_file = p[1]; if (streq(p[1], INLINE_FILE_TAG) && p[2]) { options->ca_file_inline = p[2]; } } #ifndef ENABLE_CRYPTO_MBEDTLS else if (streq(p[0], "capath") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->ca_path = p[1]; } #endif /* ENABLE_CRYPTO_MBEDTLS */ else if (streq(p[0], "dh") && p[1] && ((streq(p[1], INLINE_FILE_TAG) && p[2]) || !p[2]) && !p[3]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->dh_file = p[1]; if (streq(p[1], INLINE_FILE_TAG) && p[2]) { options->dh_file_inline = p[2]; } } else if (streq(p[0], "cert") && p[1] && ((streq(p[1], INLINE_FILE_TAG) && p[2]) || !p[2]) && !p[3]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->cert_file = p[1]; if (streq(p[1], INLINE_FILE_TAG) && p[2]) { options->cert_file_inline = p[2]; } } else if (streq(p[0], "extra-certs") && p[1] && ((streq(p[1], INLINE_FILE_TAG) && p[2]) || !p[2]) && !p[3]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->extra_certs_file = p[1]; if (streq(p[1], INLINE_FILE_TAG) && p[2]) { options->extra_certs_file_inline = p[2]; } } else if (streq(p[0], "verify-hash") && p[1] && !p[3]) { VERIFY_PERMISSION(OPT_P_GENERAL); if (!p[2] || (p[2] && streq(p[2], "SHA1"))) { options->verify_hash = parse_hash_fingerprint(p[1], SHA_DIGEST_LENGTH, msglevel, &options->gc); options->verify_hash_algo = MD_SHA1; } else if (p[2] && streq(p[2], "SHA256")) { options->verify_hash = parse_hash_fingerprint(p[1], SHA256_DIGEST_LENGTH, msglevel, &options->gc); options->verify_hash_algo = MD_SHA256; } else { msg(msglevel, "invalid or unsupported hashing algorithm: %s (only SHA1 and SHA256 are valid)", p[2]); goto err; } } #ifdef ENABLE_CRYPTOAPI else if (streq(p[0], "cryptoapicert") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->cryptoapi_cert = p[1]; } #endif else if (streq(p[0], "key") && p[1] && ((streq(p[1], INLINE_FILE_TAG) && p[2]) || !p[2]) && !p[3]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->priv_key_file = p[1]; if (streq(p[1], INLINE_FILE_TAG) && p[2]) { options->priv_key_file_inline = p[2]; } } else if (streq(p[0], "tls-version-min") && p[1] && !p[3]) { int ver; VERIFY_PERMISSION(OPT_P_GENERAL); ver = tls_version_parse(p[1], p[2]); if (ver == TLS_VER_BAD) { msg(msglevel, "unknown tls-version-min parameter: %s", p[1]); goto err; } options->ssl_flags &= ~(SSLF_TLS_VERSION_MIN_MASK << SSLF_TLS_VERSION_MIN_SHIFT); options->ssl_flags |= (ver << SSLF_TLS_VERSION_MIN_SHIFT); } else if (streq(p[0], "tls-version-max") && p[1] && !p[2]) { int ver; VERIFY_PERMISSION(OPT_P_GENERAL); ver = tls_version_parse(p[1], NULL); if (ver == TLS_VER_BAD) { msg(msglevel, "unknown tls-version-max parameter: %s", p[1]); goto err; } options->ssl_flags &= ~(SSLF_TLS_VERSION_MAX_MASK << SSLF_TLS_VERSION_MAX_SHIFT); options->ssl_flags |= (ver << SSLF_TLS_VERSION_MAX_SHIFT); } #ifndef ENABLE_CRYPTO_MBEDTLS else if (streq(p[0], "pkcs12") && p[1] && ((streq(p[1], INLINE_FILE_TAG) && p[2]) || !p[2]) && !p[3]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->pkcs12_file = p[1]; if (streq(p[1], INLINE_FILE_TAG) && p[2]) { options->pkcs12_file_inline = p[2]; } } #endif /* ENABLE_CRYPTO_MBEDTLS */ else if (streq(p[0], "askpass") && !p[2]) { VERIFY_PERMISSION(OPT_P_GENERAL); if (p[1]) { options->key_pass_file = p[1]; } else { options->key_pass_file = "stdin"; } } else if (streq(p[0], "auth-nocache") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); ssl_set_auth_nocache(); } else if (streq(p[0], "auth-token") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_ECHO); ssl_set_auth_token(p[1]); #ifdef ENABLE_MANAGEMENT if (management) { management_auth_token(management, p[1]); } #endif } else if (streq(p[0], "single-session") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->single_session = true; } #ifdef ENABLE_PUSH_PEER_INFO else if (streq(p[0], "push-peer-info") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->push_peer_info = true; } #endif else if (streq(p[0], "tls-exit") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->tls_exit = true; } else if (streq(p[0], "tls-cipher") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->cipher_list = p[1]; } else if (streq(p[0], "crl-verify") && p[1] && ((p[2] && streq(p[2], "dir")) || (p[2] && streq(p[1], INLINE_FILE_TAG) ) || !p[2]) && !p[3]) { VERIFY_PERMISSION(OPT_P_GENERAL); if (p[2] && streq(p[2], "dir")) { options->ssl_flags |= SSLF_CRL_VERIFY_DIR; } options->crl_file = p[1]; if (streq(p[1], INLINE_FILE_TAG) && p[2]) { options->crl_file_inline = p[2]; } } else if (streq(p[0], "tls-verify") && p[1]) { VERIFY_PERMISSION(OPT_P_SCRIPT); if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT)) { goto err; } set_user_script(options, &options->tls_verify, string_substitute(p[1], ',', ' ', &options->gc), "tls-verify", true); } #ifndef ENABLE_CRYPTO_MBEDTLS else if (streq(p[0], "tls-export-cert") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->tls_export_cert = p[1]; } #endif #if P2MP_SERVER else if (streq(p[0], "compat-names") && ((p[1] && streq(p[1], "no-remapping")) || !p[1]) && !p[2]) #else else if (streq(p[0], "compat-names") && !p[1]) #endif { VERIFY_PERMISSION(OPT_P_GENERAL); if (options->verify_x509_type != VERIFY_X509_NONE) { msg(msglevel, "you cannot use --compat-names with --verify-x509-name"); goto err; } msg(M_WARN, "DEPRECATED OPTION: --compat-names, please update your configuration. This will be removed in OpenVPN 2.5."); compat_flag(COMPAT_FLAG_SET | COMPAT_NAMES); #if P2MP_SERVER if (p[1] && streq(p[1], "no-remapping")) { compat_flag(COMPAT_FLAG_SET | COMPAT_NO_NAME_REMAPPING); } } else if (streq(p[0], "no-name-remapping") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); if (options->verify_x509_type != VERIFY_X509_NONE) { msg(msglevel, "you cannot use --no-name-remapping with --verify-x509-name"); goto err; } msg(M_WARN, "DEPRECATED OPTION: --no-name-remapping, please update your configuration. This will be removed in OpenVPN 2.5."); compat_flag(COMPAT_FLAG_SET | COMPAT_NAMES); compat_flag(COMPAT_FLAG_SET | COMPAT_NO_NAME_REMAPPING); #endif } else if (streq(p[0], "verify-x509-name") && p[1] && strlen(p[1]) && !p[3]) { int type = VERIFY_X509_SUBJECT_DN; VERIFY_PERMISSION(OPT_P_GENERAL); if (compat_flag(COMPAT_FLAG_QUERY | COMPAT_NAMES)) { msg(msglevel, "you cannot use --verify-x509-name with " "--compat-names or --no-name-remapping"); goto err; } if (p[2]) { if (streq(p[2], "subject")) { type = VERIFY_X509_SUBJECT_DN; } else if (streq(p[2], "name")) { type = VERIFY_X509_SUBJECT_RDN; } else if (streq(p[2], "name-prefix")) { type = VERIFY_X509_SUBJECT_RDN_PREFIX; } else { msg(msglevel, "unknown X.509 name type: %s", p[2]); goto err; } } options->verify_x509_type = type; options->verify_x509_name = p[1]; } else if (streq(p[0], "ns-cert-type") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_GENERAL); if (streq(p[1], "server")) { options->ns_cert_type = NS_CERT_CHECK_SERVER; } else if (streq(p[1], "client")) { options->ns_cert_type = NS_CERT_CHECK_CLIENT; } else { msg(msglevel, "--ns-cert-type must be 'client' or 'server'"); goto err; } } else if (streq(p[0], "remote-cert-ku")) { VERIFY_PERMISSION(OPT_P_GENERAL); size_t j; for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j) { sscanf(p[j], "%x", &(options->remote_cert_ku[j-1])); } if (j == 1) { /* No specific KU required, but require KU to be present */ options->remote_cert_ku[0] = OPENVPN_KU_REQUIRED; } } else if (streq(p[0], "remote-cert-eku") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->remote_cert_eku = p[1]; } else if (streq(p[0], "remote-cert-tls") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_GENERAL); if (streq(p[1], "server")) { options->remote_cert_ku[0] = OPENVPN_KU_REQUIRED; options->remote_cert_eku = "TLS Web Server Authentication"; } else if (streq(p[1], "client")) { options->remote_cert_ku[0] = OPENVPN_KU_REQUIRED; options->remote_cert_eku = "TLS Web Client Authentication"; } else { msg(msglevel, "--remote-cert-tls must be 'client' or 'server'"); goto err; } } else if (streq(p[0], "tls-timeout") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_TLS_PARMS); options->tls_timeout = positive_atoi(p[1]); } else if (streq(p[0], "reneg-bytes") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_TLS_PARMS); options->renegotiate_bytes = positive_atoi(p[1]); } else if (streq(p[0], "reneg-pkts") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_TLS_PARMS); options->renegotiate_packets = positive_atoi(p[1]); } else if (streq(p[0], "reneg-sec") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_TLS_PARMS); options->renegotiate_seconds = positive_atoi(p[1]); } else if (streq(p[0], "hand-window") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_TLS_PARMS); options->handshake_window = positive_atoi(p[1]); } else if (streq(p[0], "tran-window") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_TLS_PARMS); options->transition_window = positive_atoi(p[1]); } else if (streq(p[0], "tls-auth") && p[1] && !p[3]) { VERIFY_PERMISSION(OPT_P_GENERAL); if (streq(p[1], INLINE_FILE_TAG) && p[2]) { options->tls_auth_file_inline = p[2]; } else if (p[2]) { int key_direction; key_direction = ascii2keydirection(msglevel, p[2]); if (key_direction >= 0) { options->key_direction = key_direction; } else { goto err; } } options->tls_auth_file = p[1]; } else if (streq(p[0], "tls-crypt") && p[1] && !p[3]) { VERIFY_PERMISSION(OPT_P_GENERAL); if (streq(p[1], INLINE_FILE_TAG) && p[2]) { options->tls_crypt_inline = p[2]; } options->tls_crypt_file = p[1]; } else if (streq(p[0], "key-method") && p[1] && !p[2]) { int key_method; VERIFY_PERMISSION(OPT_P_GENERAL); key_method = atoi(p[1]); if (key_method < KEY_METHOD_MIN || key_method > KEY_METHOD_MAX) { msg(msglevel, "key_method parameter (%d) must be >= %d and <= %d", key_method, KEY_METHOD_MIN, KEY_METHOD_MAX); goto err; } options->key_method = key_method; } else if (streq(p[0], "x509-track") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_GENERAL); x509_track_add(&options->x509_track, p[1], msglevel, &options->gc); } #ifdef ENABLE_X509ALTUSERNAME else if (streq(p[0], "x509-username-field") && p[1] && !p[2]) { /* This option used to automatically upcase the fieldname passed as the * option argument, e.g., "ou" became "OU". Now, this "helpfulness" is * fine-tuned by only upcasing Subject field attribute names which consist * of all lower-case characters. Mixed-case attributes such as * "emailAddress" are left as-is. An option parameter having the "ext:" * prefix for matching X.509v3 extended fields will also remain unchanged. */ char *s = p[1]; VERIFY_PERMISSION(OPT_P_GENERAL); if (strncmp("ext:", s, 4) != 0) { size_t i = 0; while (s[i] && !isupper(s[i])) { i++; } if (strlen(s) == i) { while ((*s = toupper(*s)) != '\0') { s++; } msg(M_WARN, "DEPRECATED FEATURE: automatically upcased the " "--x509-username-field parameter to '%s'; please update your" "configuration", p[1]); } } else if (!x509_username_field_ext_supported(s+4)) { msg(msglevel, "Unsupported x509-username-field extension: %s", s); } options->x509_username_field = p[1]; } #endif /* ENABLE_X509ALTUSERNAME */ #endif /* ENABLE_CRYPTO */ #ifdef ENABLE_PKCS11 else if (streq(p[0], "show-pkcs11-ids") && !p[3]) { char *provider = p[1]; bool cert_private = (p[2] == NULL ? false : ( atoi(p[2]) != 0 )); #ifdef DEFAULT_PKCS11_MODULE if (!provider) { provider = DEFAULT_PKCS11_MODULE; } else if (!p[2]) { char *endp = NULL; int i = strtol(provider, &endp, 10); if (*endp == 0) { /* There was one argument, and it was purely numeric. * Interpret it as the cert_private argument */ provider = DEFAULT_PKCS11_MODULE; cert_private = i; } } #else /* ifdef DEFAULT_PKCS11_MODULE */ if (!provider) { msg(msglevel, "--show-pkcs11-ids requires a provider parameter"); goto err; } #endif /* ifdef DEFAULT_PKCS11_MODULE */ VERIFY_PERMISSION(OPT_P_GENERAL); set_debug_level(options->verbosity, SDL_CONSTRAIN); show_pkcs11_ids(provider, cert_private); openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */ } else if (streq(p[0], "pkcs11-providers") && p[1]) { int j; VERIFY_PERMISSION(OPT_P_GENERAL); for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j) { options->pkcs11_providers[j-1] = p[j]; } } else if (streq(p[0], "pkcs11-protected-authentication")) { int j; VERIFY_PERMISSION(OPT_P_GENERAL); for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j) { options->pkcs11_protected_authentication[j-1] = atoi(p[j]) != 0 ? 1 : 0; } } else if (streq(p[0], "pkcs11-private-mode") && p[1]) { int j; VERIFY_PERMISSION(OPT_P_GENERAL); for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j) { sscanf(p[j], "%x", &(options->pkcs11_private_mode[j-1])); } } else if (streq(p[0], "pkcs11-cert-private")) { int j; VERIFY_PERMISSION(OPT_P_GENERAL); for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j) { options->pkcs11_cert_private[j-1] = atoi(p[j]) != 0 ? 1 : 0; } } else if (streq(p[0], "pkcs11-pin-cache") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->pkcs11_pin_cache_period = atoi(p[1]); } else if (streq(p[0], "pkcs11-id") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->pkcs11_id = p[1]; } else if (streq(p[0], "pkcs11-id-management") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->pkcs11_id_management = true; } #endif /* ifdef ENABLE_PKCS11 */ else if (streq(p[0], "rmtun") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->persist_config = true; options->persist_mode = 0; } else if (streq(p[0], "mktun") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->persist_config = true; options->persist_mode = 1; } else if (streq(p[0], "peer-id") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_PEER_ID); options->use_peer_id = true; options->peer_id = atoi(p[1]); } #if defined(ENABLE_CRYPTO_OPENSSL) && OPENSSL_VERSION_NUMBER >= 0x10001000 else if (streq(p[0], "keying-material-exporter") && p[1] && p[2]) { int ekm_length = positive_atoi(p[2]); VERIFY_PERMISSION(OPT_P_GENERAL); if (strncmp(p[1], "EXPORTER", 8)) { msg(msglevel, "Keying material exporter label must begin with " "\"EXPORTER\""); goto err; } if (ekm_length < 16 || ekm_length > 4095) { msg(msglevel, "Invalid keying material exporter length"); goto err; } options->keying_material_exporter_label = p[1]; options->keying_material_exporter_length = ekm_length; } #endif /* if defined(ENABLE_CRYPTO_OPENSSL) && OPENSSL_VERSION_NUMBER >= 0x10001000 */ else if (streq(p[0], "allow-recursive-routing") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->allow_recursive_routing = true; } else { int i; int msglevel = msglevel_fc; /* Check if an option is in --ignore-unknown-option and * set warning level to non fatal */ for (i = 0; options->ignore_unknown_option && options->ignore_unknown_option[i]; i++) { if (streq(p[0], options->ignore_unknown_option[i])) { msglevel = M_WARN; break; } } if (file) { msg(msglevel, "Unrecognized option or missing or extra parameter(s) in %s:%d: %s (%s)", file, line, p[0], PACKAGE_VERSION); } else { msg(msglevel, "Unrecognized option or missing or extra parameter(s): --%s (%s)", p[0], PACKAGE_VERSION); } } err: gc_free(&gc); } openvpn-2.4.4/src/openvpn/options.h000066400000000000000000000543371316434344000173440ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ /* * 2004-01-28: Added Socks5 proxy support * (Christof Meerwald, http://cmeerw.org) */ #ifndef OPTIONS_H #define OPTIONS_H #include "basic.h" #include "common.h" #include "mtu.h" #include "route.h" #include "tun.h" #include "socket.h" #include "plugin.h" #include "manage.h" #include "proxy.h" #include "comp.h" #include "pushlist.h" #include "clinat.h" #ifdef ENABLE_CRYPTO #include "crypto_backend.h" #endif /* * Maximum number of parameters associated with an option, * including the option name itself. */ #define MAX_PARMS 16 /* * Max size of options line and parameter. */ #define OPTION_PARM_SIZE 256 #define OPTION_LINE_SIZE 256 extern const char title_string[]; #if P2MP /* certain options are saved before --pull modifications are applied */ struct options_pre_pull { bool tuntap_options_defined; struct tuntap_options tuntap_options; bool routes_defined; struct route_option_list *routes; bool routes_ipv6_defined; struct route_ipv6_option_list *routes_ipv6; bool client_nat_defined; struct client_nat_option_list *client_nat; int foreign_option_index; }; #endif #if defined(ENABLE_CRYPTO) && !defined(ENABLE_CRYPTO_OPENSSL) && !defined(ENABLE_CRYPTO_MBEDTLS) #error "At least one of OpenSSL or mbed TLS needs to be defined." #endif struct connection_entry { int proto; sa_family_t af; const char *local_port; bool local_port_defined; const char *remote_port; const char *local; const char *remote; bool remote_float; bool bind_defined; bool bind_ipv6_only; bool bind_local; int connect_retry_seconds; int connect_retry_seconds_max; int connect_timeout; struct http_proxy_options *http_proxy_options; const char *socks_proxy_server; const char *socks_proxy_port; const char *socks_proxy_authfile; int tun_mtu; /* MTU of tun device */ bool tun_mtu_defined; /* true if user overriding parm with command line option */ int tun_mtu_extra; bool tun_mtu_extra_defined; int link_mtu; /* MTU of device over which tunnel packets pass via TCP/UDP */ bool link_mtu_defined; /* true if user overriding parm with command line option */ /* Advanced MTU negotiation and datagram fragmentation options */ int mtu_discover_type; /* used if OS supports setting Path MTU discovery options on socket */ int fragment; /* internal fragmentation size */ int mssfix; /* Upper bound on TCP MSS */ bool mssfix_default; /* true if --mssfix was supplied without a parameter */ int explicit_exit_notification; /* Explicitly tell peer when we are exiting via OCC_EXIT or [RESTART] message */ #define CE_DISABLED (1<<0) #define CE_MAN_QUERY_PROXY (1<<1) #define CE_MAN_QUERY_REMOTE_UNDEF 0 #define CE_MAN_QUERY_REMOTE_QUERY 1 #define CE_MAN_QUERY_REMOTE_ACCEPT 2 #define CE_MAN_QUERY_REMOTE_MOD 3 #define CE_MAN_QUERY_REMOTE_SKIP 4 #define CE_MAN_QUERY_REMOTE_MASK (0x07) #define CE_MAN_QUERY_REMOTE_SHIFT (2) unsigned int flags; }; struct remote_entry { const char *remote; const char *remote_port; int proto; sa_family_t af; }; #define CONNECTION_LIST_SIZE 64 struct connection_list { int len; int current; struct connection_entry *array[CONNECTION_LIST_SIZE]; }; struct remote_list { int len; struct remote_entry *array[CONNECTION_LIST_SIZE]; }; struct remote_host_store { #define RH_HOST_LEN 80 char host[RH_HOST_LEN]; #define RH_PORT_LEN 20 char port[RH_PORT_LEN]; }; /* Command line options */ struct options { struct gc_arena gc; bool gc_owned; /* first config file */ const char *config; /* major mode */ #define MODE_POINT_TO_POINT 0 #define MODE_SERVER 1 int mode; /* enable forward compatibility for post-2.1 features */ bool forward_compatible; /* list of options that should be ignored even if unknown */ const char **ignore_unknown_option; /* persist parms */ bool persist_config; int persist_mode; #ifdef ENABLE_CRYPTO const char *key_pass_file; bool show_ciphers; bool show_digests; bool show_engines; bool show_tls_ciphers; bool show_curves; bool genkey; #endif /* Networking parms */ int connect_retry_max; struct connection_entry ce; struct connection_list *connection_list; struct remote_list *remote_list; /* Do not advanced the connection or remote addr list*/ bool no_advance; /* Counts the number of unsuccessful connection attempts */ unsigned int unsuccessful_attempts; #if ENABLE_MANAGEMENT struct http_proxy_options *http_proxy_override; #endif struct remote_host_store *rh_store; bool remote_random; const char *ipchange; const char *dev; const char *dev_type; const char *dev_node; const char *lladdr; int topology; /* one of the TOP_x values from proto.h */ const char *ifconfig_local; const char *ifconfig_remote_netmask; const char *ifconfig_ipv6_local; int ifconfig_ipv6_netbits; const char *ifconfig_ipv6_remote; bool ifconfig_noexec; bool ifconfig_nowarn; #ifdef ENABLE_FEATURE_SHAPER int shaper; #endif int proto_force; #ifdef ENABLE_OCC bool mtu_test; #endif #ifdef ENABLE_MEMSTATS char *memstats_fn; #endif bool mlock; int keepalive_ping; /* a proxy for ping/ping-restart */ int keepalive_timeout; int inactivity_timeout; /* --inactive */ int inactivity_minimum_bytes; int ping_send_timeout; /* Send a TCP/UDP ping to remote every n seconds */ int ping_rec_timeout; /* Expect a TCP/UDP ping from remote at least once every n seconds */ bool ping_timer_remote; /* Run ping timer only if we have a remote address */ #define PING_UNDEF 0 #define PING_EXIT 1 #define PING_RESTART 2 int ping_rec_timeout_action; /* What action to take on ping_rec_timeout (exit or restart)? */ bool persist_tun; /* Don't close/reopen TUN/TAP dev on SIGUSR1 or PING_RESTART */ bool persist_local_ip; /* Don't re-resolve local address on SIGUSR1 or PING_RESTART */ bool persist_remote_ip; /* Don't re-resolve remote address on SIGUSR1 or PING_RESTART */ bool persist_key; /* Don't re-read key files on SIGUSR1 or PING_RESTART */ #if PASSTOS_CAPABILITY bool passtos; #endif int resolve_retry_seconds; /* If hostname resolve fails, retry for n seconds */ bool resolve_in_advance; const char *ip_remote_hint; struct tuntap_options tuntap_options; /* Misc parms */ const char *username; const char *groupname; const char *chroot_dir; const char *cd_dir; #ifdef ENABLE_SELINUX char *selinux_context; #endif const char *writepid; const char *up_script; const char *down_script; bool user_script_used; bool down_pre; bool up_delay; bool up_restart; bool daemon; int remap_sigusr1; /* inetd modes defined in socket.h */ int inetd; bool log; bool suppress_timestamps; bool machine_readable_output; int nice; int verbosity; int mute; #ifdef ENABLE_DEBUG int gremlin; #endif const char *status_file; int status_file_version; int status_file_update_freq; /* optimize TUN/TAP/UDP writes */ bool fast_io; #ifdef USE_COMP struct compress_options comp; #endif /* buffer sizes */ int rcvbuf; int sndbuf; /* mark value */ int mark; /* socket flags */ unsigned int sockflags; /* route management */ const char *route_script; const char *route_predown_script; const char *route_default_gateway; int route_default_metric; bool route_noexec; int route_delay; int route_delay_window; bool route_delay_defined; struct route_option_list *routes; struct route_ipv6_option_list *routes_ipv6; /* IPv6 */ bool route_nopull; bool route_gateway_via_dhcp; bool allow_pull_fqdn; /* as a client, allow server to push a FQDN for certain parameters */ struct client_nat_option_list *client_nat; #ifdef ENABLE_OCC /* Enable options consistency check between peers */ bool occ; #endif #ifdef ENABLE_MANAGEMENT const char *management_addr; const char *management_port; const char *management_user_pass; int management_log_history_cache; int management_echo_buffer_size; int management_state_buffer_size; const char *management_write_peer_info_file; const char *management_client_user; const char *management_client_group; /* Mask of MF_ values of manage.h */ unsigned int management_flags; const char *management_certificate; #endif #ifdef ENABLE_PLUGIN struct plugin_option_list *plugin_list; #endif #if P2MP #if P2MP_SERVER /* the tmp dir is for now only used in the P2P server context */ const char *tmp_dir; bool server_defined; in_addr_t server_network; in_addr_t server_netmask; bool server_ipv6_defined; /* IPv6 */ struct in6_addr server_network_ipv6; /* IPv6 */ unsigned int server_netbits_ipv6; /* IPv6 */ #define SF_NOPOOL (1<<0) #define SF_TCP_NODELAY_HELPER (1<<1) #define SF_NO_PUSH_ROUTE_GATEWAY (1<<2) unsigned int server_flags; bool server_bridge_proxy_dhcp; bool server_bridge_defined; in_addr_t server_bridge_ip; in_addr_t server_bridge_netmask; in_addr_t server_bridge_pool_start; in_addr_t server_bridge_pool_end; struct push_list push_list; bool ifconfig_pool_defined; in_addr_t ifconfig_pool_start; in_addr_t ifconfig_pool_end; in_addr_t ifconfig_pool_netmask; const char *ifconfig_pool_persist_filename; int ifconfig_pool_persist_refresh_freq; bool ifconfig_ipv6_pool_defined; /* IPv6 */ struct in6_addr ifconfig_ipv6_pool_base; /* IPv6 */ int ifconfig_ipv6_pool_netbits; /* IPv6 */ int real_hash_size; int virtual_hash_size; const char *client_connect_script; const char *client_disconnect_script; const char *learn_address_script; const char *client_config_dir; bool ccd_exclusive; bool disable; int n_bcast_buf; int tcp_queue_limit; struct iroute *iroutes; struct iroute_ipv6 *iroutes_ipv6; /* IPv6 */ bool push_ifconfig_defined; in_addr_t push_ifconfig_local; in_addr_t push_ifconfig_remote_netmask; in_addr_t push_ifconfig_local_alias; bool push_ifconfig_constraint_defined; in_addr_t push_ifconfig_constraint_network; in_addr_t push_ifconfig_constraint_netmask; bool push_ifconfig_ipv6_defined; /* IPv6 */ struct in6_addr push_ifconfig_ipv6_local; /* IPv6 */ int push_ifconfig_ipv6_netbits; /* IPv6 */ struct in6_addr push_ifconfig_ipv6_remote; /* IPv6 */ bool push_ifconfig_ipv6_blocked; /* IPv6 */ bool enable_c2c; bool duplicate_cn; int cf_max; int cf_per; int max_clients; int max_routes_per_client; int stale_routes_check_interval; int stale_routes_ageing_time; const char *auth_user_pass_verify_script; bool auth_user_pass_verify_script_via_file; bool auth_token_generate; unsigned int auth_token_lifetime; #if PORT_SHARE char *port_share_host; char *port_share_port; const char *port_share_journal_dir; #endif #endif /* if P2MP_SERVER */ bool client; bool pull; /* client pull of config options from server */ int push_continuation; unsigned int push_option_types_found; const char *auth_user_pass_file; struct options_pre_pull *pre_pull; int scheduled_exit_interval; #ifdef ENABLE_CLIENT_CR struct static_challenge_info sc_info; #endif #endif /* if P2MP */ #ifdef ENABLE_CRYPTO /* Cipher parms */ const char *shared_secret_file; const char *shared_secret_file_inline; int key_direction; const char *ciphername; bool ncp_enabled; const char *ncp_ciphers; const char *authname; int keysize; const char *prng_hash; int prng_nonce_secret_len; const char *engine; bool replay; bool mute_replay_warnings; int replay_window; int replay_time; const char *packet_id_file; bool use_iv; bool test_crypto; #ifdef ENABLE_PREDICTION_RESISTANCE bool use_prediction_resistance; #endif /* TLS (control channel) parms */ bool tls_server; bool tls_client; const char *ca_file; const char *ca_path; const char *dh_file; const char *cert_file; const char *extra_certs_file; const char *priv_key_file; const char *pkcs12_file; const char *cipher_list; const char *ecdh_curve; const char *tls_verify; int verify_x509_type; const char *verify_x509_name; const char *tls_export_cert; const char *crl_file; const char *ca_file_inline; const char *cert_file_inline; const char *extra_certs_file_inline; const char *crl_file_inline; char *priv_key_file_inline; const char *dh_file_inline; const char *pkcs12_file_inline; /* contains the base64 encoding of pkcs12 file */ int ns_cert_type; /* set to 0, NS_CERT_CHECK_SERVER, or NS_CERT_CHECK_CLIENT */ unsigned remote_cert_ku[MAX_PARMS]; const char *remote_cert_eku; uint8_t *verify_hash; hash_algo_type verify_hash_algo; unsigned int ssl_flags; /* set to SSLF_x flags from ssl.h */ #ifdef ENABLE_PKCS11 const char *pkcs11_providers[MAX_PARMS]; unsigned pkcs11_private_mode[MAX_PARMS]; bool pkcs11_protected_authentication[MAX_PARMS]; bool pkcs11_cert_private[MAX_PARMS]; int pkcs11_pin_cache_period; const char *pkcs11_id; bool pkcs11_id_management; #endif #ifdef ENABLE_CRYPTOAPI const char *cryptoapi_cert; #endif /* data channel key exchange method */ int key_method; /* Per-packet timeout on control channel */ int tls_timeout; /* Data channel key renegotiation parameters */ int renegotiate_bytes; int renegotiate_packets; int renegotiate_seconds; /* Data channel key handshake must finalize * within n seconds of handshake initiation. */ int handshake_window; #ifdef ENABLE_X509ALTUSERNAME /* Field used to be the username in X509 cert. */ char *x509_username_field; #endif /* Old key allowed to live n seconds after new key goes active */ int transition_window; /* Shared secret used for TLS control channel authentication */ const char *tls_auth_file; const char *tls_auth_file_inline; /* Shared secret used for TLS control channel authenticated encryption */ const char *tls_crypt_file; const char *tls_crypt_inline; /* Allow only one session */ bool single_session; #ifdef ENABLE_PUSH_PEER_INFO bool push_peer_info; #endif bool tls_exit; #endif /* ENABLE_CRYPTO */ const struct x509_track *x509_track; /* special state parms */ int foreign_option_index; #ifdef _WIN32 HANDLE msg_channel; const char *exit_event_name; bool exit_event_initial_state; bool show_net_up; int route_method; bool block_outside_dns; #endif bool use_peer_id; uint32_t peer_id; #if defined(ENABLE_CRYPTO_OPENSSL) && OPENSSL_VERSION_NUMBER >= 0x10001000 /* Keying Material Exporters [RFC 5705] */ const char *keying_material_exporter_label; int keying_material_exporter_length; #endif struct pull_filter_list *pull_filter_list; /* Useful when packets sent by openvpn itself are not subject * to the routing tables that would move packets into the tunnel. */ bool allow_recursive_routing; }; #define streq(x, y) (!strcmp((x), (y))) /* * Option classes. */ #define OPT_P_GENERAL (1<<0) #define OPT_P_UP (1<<1) #define OPT_P_ROUTE (1<<2) #define OPT_P_IPWIN32 (1<<3) #define OPT_P_SCRIPT (1<<4) #define OPT_P_SETENV (1<<5) #define OPT_P_SHAPER (1<<6) #define OPT_P_TIMER (1<<7) #define OPT_P_PERSIST (1<<8) #define OPT_P_PERSIST_IP (1<<9) #define OPT_P_COMP (1<<10) /* TODO */ #define OPT_P_MESSAGES (1<<11) #define OPT_P_NCP (1<<12) /**< Negotiable crypto parameters */ #define OPT_P_TLS_PARMS (1<<13) /* TODO */ #define OPT_P_MTU (1<<14) /* TODO */ #define OPT_P_NICE (1<<15) #define OPT_P_PUSH (1<<16) #define OPT_P_INSTANCE (1<<17) #define OPT_P_CONFIG (1<<18) #define OPT_P_EXPLICIT_NOTIFY (1<<19) #define OPT_P_ECHO (1<<20) #define OPT_P_INHERIT (1<<21) #define OPT_P_ROUTE_EXTRAS (1<<22) #define OPT_P_PULL_MODE (1<<23) #define OPT_P_PLUGIN (1<<24) #define OPT_P_SOCKBUF (1<<25) #define OPT_P_SOCKFLAGS (1<<26) #define OPT_P_CONNECTION (1<<27) #define OPT_P_PEER_ID (1<<28) #define OPT_P_DEFAULT (~(OPT_P_INSTANCE|OPT_P_PULL_MODE)) #if P2MP #define PULL_DEFINED(opt) ((opt)->pull) #if P2MP_SERVER #define PUSH_DEFINED(opt) ((opt)->push_list) #endif #endif #ifndef PULL_DEFINED #define PULL_DEFINED(opt) (false) #endif #ifndef PUSH_DEFINED #define PUSH_DEFINED(opt) (false) #endif #ifdef _WIN32 #define ROUTE_OPTION_FLAGS(o) ((o)->route_method & ROUTE_METHOD_MASK) #else #define ROUTE_OPTION_FLAGS(o) (0) #endif #ifdef ENABLE_FEATURE_SHAPER #define SHAPER_DEFINED(opt) ((opt)->shaper) #else #define SHAPER_DEFINED(opt) (false) #endif #ifdef ENABLE_PLUGIN #define PLUGIN_OPTION_LIST(opt) ((opt)->plugin_list) #else #define PLUGIN_OPTION_LIST(opt) (NULL) #endif #ifdef MANAGEMENT_DEF_AUTH #define MAN_CLIENT_AUTH_ENABLED(opt) ((opt)->management_flags & MF_CLIENT_AUTH) #else #define MAN_CLIENT_AUTH_ENABLED(opt) (false) #endif void parse_argv(struct options *options, const int argc, char *argv[], const int msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es); void notnull(const char *arg, const char *description); void usage_small(void); void show_library_versions(const unsigned int flags); #ifdef _WIN32 void show_windows_version(const unsigned int flags); #endif void init_options(struct options *o, const bool init_gc); void uninit_options(struct options *o); void setenv_settings(struct env_set *es, const struct options *o); void show_settings(const struct options *o); bool string_defined_equal(const char *s1, const char *s2); #ifdef ENABLE_OCC const char *options_string_version(const char *s, struct gc_arena *gc); char *options_string(const struct options *o, const struct frame *frame, struct tuntap *tt, bool remote, struct gc_arena *gc); bool options_cmp_equal_safe(char *actual, const char *expected, size_t actual_n); void options_warning_safe(char *actual, const char *expected, size_t actual_n); bool options_cmp_equal(char *actual, const char *expected); void options_warning(char *actual, const char *expected); #endif /** * Given an OpenVPN options string, extract the value of an option. * * @param options_string Zero-terminated, comma-separated options string * @param opt_name The name of the option to extract * @param gc The gc to allocate the return value * * @return gc-allocated value of option with name opt_name if option was found, * or NULL otherwise. */ char *options_string_extract_option(const char *options_string, const char *opt_name, struct gc_arena *gc); void options_postprocess(struct options *options); void pre_pull_save(struct options *o); void pre_pull_restore(struct options *o, struct gc_arena *gc); bool apply_push_options(struct options *options, struct buffer *buf, unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es); void options_detach(struct options *o); void options_server_import(struct options *o, const char *filename, int msglevel, unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es); void pre_pull_default(struct options *o); void rol_check_alloc(struct options *options); int parse_line(const char *line, char *p[], const int n, const char *file, const int line_num, int msglevel, struct gc_arena *gc); /* * parse/print topology coding */ int parse_topology(const char *str, const int msglevel); const char *print_topology(const int topology); /* * Manage auth-retry variable */ #if P2MP #define AR_NONE 0 #define AR_INTERACT 1 #define AR_NOINTERACT 2 int auth_retry_get(void); bool auth_retry_set(const int msglevel, const char *option); const char *auth_retry_print(void); #endif void options_string_import(struct options *options, const char *config, const int msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es); bool get_ipv6_addr( const char *prefix_str, struct in6_addr *network, unsigned int *netbits, int msglevel ); #endif /* ifndef OPTIONS_H */ openvpn-2.4.4/src/openvpn/otime.c000066400000000000000000000110751316434344000167510ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) #include "config-msvc.h" #endif #include "syshead.h" #include "otime.h" #include "memdbg.h" time_t now = 0; /* GLOBAL */ #if TIME_BACKTRACK_PROTECTION static time_t now_adj = 0; /* GLOBAL */ time_t now_usec = 0; /* GLOBAL */ /* * Try to filter out time instability caused by the system * clock backtracking or jumping forward. */ void update_now(const time_t system_time) { const int forward_threshold = 86400; /* threshold at which to dampen forward jumps */ const int backward_trigger = 10; /* backward jump must be >= this many seconds before we adjust */ time_t real_time = system_time + now_adj; if (real_time > now) { const time_t overshoot = real_time - now - 1; if (overshoot > forward_threshold && now_adj >= overshoot) { now_adj -= overshoot; real_time -= overshoot; } now = real_time; } else if (real_time < now - backward_trigger) { now_adj += (now - real_time); } } void update_now_usec(struct timeval *tv) { const time_t last = now; update_now(tv->tv_sec); if (now > last || (now == last && tv->tv_usec > now_usec)) { now_usec = tv->tv_usec; } } #endif /* TIME_BACKTRACK_PROTECTION */ /* * Return a numerical string describing a struct timeval. */ const char * tv_string(const struct timeval *tv, struct gc_arena *gc) { struct buffer out = alloc_buf_gc(64, gc); buf_printf(&out, "[%d/%d]", (int) tv->tv_sec, (int )tv->tv_usec); return BSTR(&out); } /* * Return an ascii string describing an absolute * date/time in a struct timeval. * */ const char * tv_string_abs(const struct timeval *tv, struct gc_arena *gc) { return time_string((time_t) tv->tv_sec, (int) tv->tv_usec, true, gc); } /* format a time_t as ascii, or use current time if 0 */ const char * time_string(time_t t, int usec, bool show_usec, struct gc_arena *gc) { struct buffer out = alloc_buf_gc(64, gc); struct timeval tv; if (t) { tv.tv_sec = t; tv.tv_usec = usec; } else { gettimeofday(&tv, NULL); } t = tv.tv_sec; buf_printf(&out, "%s", ctime(&t)); buf_rmtail(&out, '\n'); if (show_usec && tv.tv_usec) { buf_printf(&out, " us=%d", (int)tv.tv_usec); } return BSTR(&out); } /* * Limit the frequency of an event stream. * * Used to control maximum rate of new * incoming connections. */ struct frequency_limit * frequency_limit_init(int max, int per) { struct frequency_limit *f; ASSERT(max >= 0 && per >= 0); ALLOC_OBJ(f, struct frequency_limit); f->max = max; f->per = per; f->n = 0; f->reset = 0; return f; } void frequency_limit_free(struct frequency_limit *f) { free(f); } bool frequency_limit_event_allowed(struct frequency_limit *f) { if (f->per) { bool ret; if (now >= f->reset + f->per) { f->reset = now; f->n = 0; } ret = (++f->n <= f->max); return ret; } else { return true; } } #ifdef TIME_TEST void time_test(void) { struct timeval tv; time_t t; int i; for (i = 0; i < 10000; ++i) { t = time(NULL); gettimeofday(&tv, NULL); #if 1 msg(M_INFO, "t=%u s=%u us=%u", (unsigned int)t, (unsigned int)tv.tv_sec, (unsigned int)tv.tv_usec); #endif } } #endif openvpn-2.4.4/src/openvpn/otime.h000066400000000000000000000151611316434344000167560ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifndef OTIME_H #define OTIME_H #include "common.h" #include "integer.h" #include "buffer.h" struct frequency_limit { int max; int per; int n; time_t reset; }; struct frequency_limit *frequency_limit_init(int max, int per); void frequency_limit_free(struct frequency_limit *f); bool frequency_limit_event_allowed(struct frequency_limit *f); /* format a time_t as ascii, or use current time if 0 */ const char *time_string(time_t t, int usec, bool show_usec, struct gc_arena *gc); /* struct timeval functions */ const char *tv_string(const struct timeval *tv, struct gc_arena *gc); const char *tv_string_abs(const struct timeval *tv, struct gc_arena *gc); extern time_t now; /* updated frequently to time(NULL) */ void time_test(void); #if TIME_BACKTRACK_PROTECTION void update_now(const time_t system_time); extern time_t now_usec; void update_now_usec(struct timeval *tv); static inline int openvpn_gettimeofday(struct timeval *tv, void *tz) { const int status = gettimeofday(tv, tz); if (!status) { update_now_usec(tv); tv->tv_sec = now; tv->tv_usec = now_usec; } return status; } static inline void update_time(void) { #ifdef _WIN32 /* on _WIN32, gettimeofday is faster than time(NULL) */ struct timeval tv; openvpn_gettimeofday(&tv, NULL); #else update_now(time(NULL)); #endif } #else /* !TIME_BACKTRACK_PROTECTION */ static inline void update_time(void) { #if defined(_WIN32) /* on _WIN32, gettimeofday is faster than time(NULL) */ struct timeval tv; if (!gettimeofday(&tv, NULL)) { if (tv.tv_sec != now) { now = tv.tv_sec; } } #else /* if defined(_WIN32) */ const time_t real_time = time(NULL); if (real_time != now) { now = real_time; } #endif } static inline int openvpn_gettimeofday(struct timeval *tv, void *tz) { return gettimeofday(tv, tz); } #endif /* TIME_BACKTRACK_PROTECTION */ static inline time_t openvpn_time(time_t *t) { update_time(); if (t) { *t = now; } return now; } static inline void tv_clear(struct timeval *tv) { tv->tv_sec = 0; tv->tv_usec = 0; } static inline bool tv_defined(const struct timeval *tv) { return tv->tv_sec > 0 && tv->tv_usec > 0; } /* return tv1 - tv2 in usec, constrained by max_seconds */ static inline int tv_subtract(const struct timeval *tv1, const struct timeval *tv2, const unsigned int max_seconds) { const int max_usec = max_seconds * 1000000; const int sec_diff = tv1->tv_sec - tv2->tv_sec; if (sec_diff > ((int)max_seconds + 10)) { return max_usec; } else if (sec_diff < -((int)max_seconds + 10)) { return -max_usec; } return constrain_int(sec_diff * 1000000 + (tv1->tv_usec - tv2->tv_usec), -max_usec, max_usec); } static inline void tv_add(struct timeval *dest, const struct timeval *src) { dest->tv_sec += src->tv_sec; dest->tv_usec += src->tv_usec; dest->tv_sec += (dest->tv_usec >> 20); dest->tv_usec &= 0x000FFFFF; if (dest->tv_usec >= 1000000) { dest->tv_usec -= 1000000; dest->tv_sec += 1; } } static inline bool tv_lt(const struct timeval *t1, const struct timeval *t2) { if (t1->tv_sec < t2->tv_sec) { return true; } else if (t1->tv_sec > t2->tv_sec) { return false; } else { return t1->tv_usec < t2->tv_usec; } } static inline bool tv_le(const struct timeval *t1, const struct timeval *t2) { if (t1->tv_sec < t2->tv_sec) { return true; } else if (t1->tv_sec > t2->tv_sec) { return false; } else { return t1->tv_usec <= t2->tv_usec; } } static inline bool tv_ge(const struct timeval *t1, const struct timeval *t2) { if (t1->tv_sec > t2->tv_sec) { return true; } else if (t1->tv_sec < t2->tv_sec) { return false; } else { return t1->tv_usec >= t2->tv_usec; } } static inline bool tv_gt(const struct timeval *t1, const struct timeval *t2) { if (t1->tv_sec > t2->tv_sec) { return true; } else if (t1->tv_sec < t2->tv_sec) { return false; } else { return t1->tv_usec > t2->tv_usec; } } static inline bool tv_eq(const struct timeval *t1, const struct timeval *t2) { return t1->tv_sec == t2->tv_sec && t1->tv_usec == t2->tv_usec; } static inline void tv_delta(struct timeval *dest, const struct timeval *t1, const struct timeval *t2) { int sec = t2->tv_sec - t1->tv_sec; int usec = t2->tv_usec - t1->tv_usec; while (usec < 0) { usec += 1000000; sec -= 1; } if (sec < 0) { usec = sec = 0; } dest->tv_sec = sec; dest->tv_usec = usec; } #define TV_WITHIN_SIGMA_MAX_SEC 600 #define TV_WITHIN_SIGMA_MAX_USEC (TV_WITHIN_SIGMA_MAX_SEC * 1000000) /* * Is t1 and t2 within sigma microseconds of each other? */ static inline bool tv_within_sigma(const struct timeval *t1, const struct timeval *t2, unsigned int sigma) { const int delta = tv_subtract(t1, t2, TV_WITHIN_SIGMA_MAX_SEC); /* sigma should be less than 10 minutes */ return -(int)sigma <= delta && delta <= (int)sigma; } /* * Used to determine in how many seconds we should be * called again. */ static inline void interval_earliest_wakeup(interval_t *wakeup, time_t at, time_t current) { if (at > current) { const interval_t delta = (interval_t) (at - current); if (delta < *wakeup) { *wakeup = delta; } if (*wakeup < 0) { *wakeup = 0; } } } #endif /* ifndef OTIME_H */ openvpn-2.4.4/src/openvpn/packet_id.c000066400000000000000000000444631316434344000175660ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ /* * These routines are designed to catch replay attacks, * where a man-in-the-middle captures packets and then * attempts to replay them back later. * * We use the "sliding-window" algorithm, similar * to IPSec. */ #ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) #include "config-msvc.h" #endif #include "syshead.h" #ifdef ENABLE_CRYPTO #include "packet_id.h" #include "misc.h" #include "integer.h" #include "memdbg.h" /* #define PID_SIMULATE_BACKTRACK */ /* * Special time_t value that indicates that * sequence number has expired. */ #define SEQ_UNSEEN ((time_t)0) #define SEQ_EXPIRED ((time_t)1) static void packet_id_debug_print(int msglevel, const struct packet_id_rec *p, const struct packet_id_net *pin, const char *message, int value); static inline void packet_id_debug(int msglevel, const struct packet_id_rec *p, const struct packet_id_net *pin, const char *message, int value) { #ifdef ENABLE_DEBUG if (unlikely(check_debug_level(msglevel))) { packet_id_debug_print(msglevel, p, pin, message, value); } #endif } void packet_id_init(struct packet_id *p, int seq_backtrack, int time_backtrack, const char *name, int unit) { dmsg(D_PID_DEBUG, "PID packet_id_init seq_backtrack=%d time_backtrack=%d", seq_backtrack, time_backtrack); ASSERT(p); CLEAR(*p); p->rec.name = name; p->rec.unit = unit; if (seq_backtrack) { ASSERT(MIN_SEQ_BACKTRACK <= seq_backtrack && seq_backtrack <= MAX_SEQ_BACKTRACK); ASSERT(MIN_TIME_BACKTRACK <= time_backtrack && time_backtrack <= MAX_TIME_BACKTRACK); CIRC_LIST_ALLOC(p->rec.seq_list, struct seq_list, seq_backtrack); p->rec.seq_backtrack = seq_backtrack; p->rec.time_backtrack = time_backtrack; } p->rec.initialized = true; } void packet_id_free(struct packet_id *p) { if (p) { dmsg(D_PID_DEBUG, "PID packet_id_free"); if (p->rec.seq_list) { free(p->rec.seq_list); } CLEAR(*p); } } void packet_id_add(struct packet_id_rec *p, const struct packet_id_net *pin) { const time_t local_now = now; if (p->seq_list) { packet_id_type diff; /* * If time value increases, start a new * sequence number sequence. */ if (!CIRC_LIST_SIZE(p->seq_list) || pin->time > p->time || (pin->id >= (packet_id_type)p->seq_backtrack && pin->id - (packet_id_type)p->seq_backtrack > p->id)) { p->time = pin->time; p->id = 0; if (pin->id > (packet_id_type)p->seq_backtrack) { p->id = pin->id - (packet_id_type)p->seq_backtrack; } CIRC_LIST_RESET(p->seq_list); } while (p->id < pin->id #ifdef PID_SIMULATE_BACKTRACK || (get_random() % 64) < 31 #endif ) { CIRC_LIST_PUSH(p->seq_list, SEQ_UNSEEN); ++p->id; } diff = p->id - pin->id; if (diff < (packet_id_type) CIRC_LIST_SIZE(p->seq_list) && local_now > SEQ_EXPIRED) { CIRC_LIST_ITEM(p->seq_list, diff) = local_now; } } else { p->time = pin->time; p->id = pin->id; } } /* * Expire sequence numbers which can no longer * be accepted because they would violate * time_backtrack. */ void packet_id_reap(struct packet_id_rec *p) { const time_t local_now = now; if (p->time_backtrack) { int i; bool expire = false; for (i = 0; i < CIRC_LIST_SIZE(p->seq_list); ++i) { const time_t t = CIRC_LIST_ITEM(p->seq_list, i); if (t == SEQ_EXPIRED) { break; } if (!expire && t && t + p->time_backtrack < local_now) { expire = true; } if (expire) { CIRC_LIST_ITEM(p->seq_list, i) = SEQ_EXPIRED; } } } p->last_reap = local_now; } /* * Return true if packet id is ok, or false if * it is a replay. */ bool packet_id_test(struct packet_id_rec *p, const struct packet_id_net *pin) { packet_id_type diff; packet_id_debug(D_PID_DEBUG, p, pin, "PID_TEST", 0); ASSERT(p->initialized); if (!pin->id) { return false; } if (p->seq_backtrack) { /* * In backtrack mode, we allow packet reordering subject * to the seq_backtrack and time_backtrack constraints. * * This mode is used with UDP. */ if (pin->time == p->time) { /* is packet-id greater than any one we've seen yet? */ if (pin->id > p->id) { return true; } /* check packet-id sliding window for original/replay status */ diff = p->id - pin->id; /* keep track of maximum backtrack seen for debugging purposes */ if ((int)diff > p->max_backtrack_stat) { p->max_backtrack_stat = (int)diff; packet_id_debug(D_PID_DEBUG_LOW, p, pin, "PID_ERR replay-window backtrack occurred", p->max_backtrack_stat); } if (diff >= (packet_id_type) CIRC_LIST_SIZE(p->seq_list)) { packet_id_debug(D_PID_DEBUG_LOW, p, pin, "PID_ERR large diff", diff); return false; } { const time_t v = CIRC_LIST_ITEM(p->seq_list, diff); if (v == 0) { return true; } else { /* raised from D_PID_DEBUG_LOW to reduce verbosity */ packet_id_debug(D_PID_DEBUG_MEDIUM, p, pin, "PID_ERR replay", diff); return false; } } } else if (pin->time < p->time) /* if time goes back, reject */ { packet_id_debug(D_PID_DEBUG_LOW, p, pin, "PID_ERR time backtrack", 0); return false; } else /* time moved forward */ { return true; } } else { /* * In non-backtrack mode, all sequence number series must * begin at some number n > 0 and must increment linearly without gaps. * * This mode is used with TCP. */ if (pin->time == p->time) { return !p->id || pin->id == p->id + 1; } else if (pin->time < p->time) /* if time goes back, reject */ { return false; } else /* time moved forward */ { return pin->id == 1; } } } /* * Read/write a packet ID to/from the buffer. Short form is sequence number * only. Long form is sequence number and timestamp. */ bool packet_id_read(struct packet_id_net *pin, struct buffer *buf, bool long_form) { packet_id_type net_id; net_time_t net_time; pin->id = 0; pin->time = 0; if (!buf_read(buf, &net_id, sizeof(net_id))) { return false; } pin->id = ntohpid(net_id); if (long_form) { if (!buf_read(buf, &net_time, sizeof(net_time))) { return false; } pin->time = ntohtime(net_time); } return true; } static bool packet_id_send_update(struct packet_id_send *p, bool long_form) { if (!p->time) { p->time = now; } if (p->id == PACKET_ID_MAX) { /* Packet ID only allowed to roll over if using long form and time has * moved forward since last roll over. */ if (!long_form || now <= p->time) { return false; } p->time = now; p->id = 0; } p->id++; return true; } bool packet_id_write(struct packet_id_send *p, struct buffer *buf, bool long_form, bool prepend) { if (!packet_id_send_update(p, long_form)) { return false; } const packet_id_type net_id = htonpid(p->id); const net_time_t net_time = htontime(p->time); if (prepend) { if (long_form) { if (!buf_write_prepend(buf, &net_time, sizeof(net_time))) { return false; } } if (!buf_write_prepend(buf, &net_id, sizeof(net_id))) { return false; } } else { if (!buf_write(buf, &net_id, sizeof(net_id))) { return false; } if (long_form) { if (!buf_write(buf, &net_time, sizeof(net_time))) { return false; } } } return true; } const char * packet_id_net_print(const struct packet_id_net *pin, bool print_timestamp, struct gc_arena *gc) { struct buffer out = alloc_buf_gc(256, gc); buf_printf(&out, "[ #" packet_id_format, (packet_id_print_type)pin->id); if (print_timestamp && pin->time) { buf_printf(&out, " / time = (" packet_id_format ") %s", (packet_id_print_type)pin->time, time_string(pin->time, 0, false, gc)); } buf_printf(&out, " ]"); return BSTR(&out); } /* initialize the packet_id_persist structure in a disabled state */ void packet_id_persist_init(struct packet_id_persist *p) { p->filename = NULL; p->fd = -1; p->time = p->time_last_written = 0; p->id = p->id_last_written = 0; } /* close the file descriptor if it is open, and switch to disabled state */ void packet_id_persist_close(struct packet_id_persist *p) { if (packet_id_persist_enabled(p)) { if (close(p->fd)) { msg(D_PID_PERSIST | M_ERRNO, "Close error on --replay-persist file %s", p->filename); } packet_id_persist_init(p); } } /* load persisted rec packet_id (time and id) only once from file, and set state to enabled */ void packet_id_persist_load(struct packet_id_persist *p, const char *filename) { struct gc_arena gc = gc_new(); if (!packet_id_persist_enabled(p)) { /* open packet-id persist file for both read and write */ p->fd = platform_open(filename, O_CREAT | O_RDWR | O_BINARY, S_IRUSR | S_IWUSR); if (p->fd == -1) { msg(D_PID_PERSIST | M_ERRNO, "Cannot open --replay-persist file %s for read/write", filename); } else { struct packet_id_persist_file_image image; ssize_t n; #if defined(HAVE_FLOCK) && defined(LOCK_EX) && defined(LOCK_NB) if (flock(p->fd, LOCK_EX | LOCK_NB)) { msg(M_ERR, "Cannot obtain exclusive lock on --replay-persist file %s", filename); } #endif p->filename = filename; n = read(p->fd, &image, sizeof(image)); if (n == sizeof(image)) { p->time = p->time_last_written = image.time; p->id = p->id_last_written = image.id; dmsg(D_PID_PERSIST_DEBUG, "PID Persist Read from %s: %s", p->filename, packet_id_persist_print(p, &gc)); } else if (n == -1) { msg(D_PID_PERSIST | M_ERRNO, "Read error on --replay-persist file %s", p->filename); } } } gc_free(&gc); } /* save persisted rec packet_id (time and id) to file (only if enabled state) */ void packet_id_persist_save(struct packet_id_persist *p) { if (packet_id_persist_enabled(p) && p->time && (p->time != p->time_last_written || p->id != p->id_last_written)) { struct packet_id_persist_file_image image; ssize_t n; off_t seek_ret; struct gc_arena gc = gc_new(); image.time = p->time; image.id = p->id; seek_ret = lseek(p->fd, (off_t)0, SEEK_SET); if (seek_ret == (off_t)0) { n = write(p->fd, &image, sizeof(image)); if (n == sizeof(image)) { p->time_last_written = p->time; p->id_last_written = p->id; dmsg(D_PID_PERSIST_DEBUG, "PID Persist Write to %s: %s", p->filename, packet_id_persist_print(p, &gc)); } else { msg(D_PID_PERSIST | M_ERRNO, "Cannot write to --replay-persist file %s", p->filename); } } else { msg(D_PID_PERSIST | M_ERRNO, "Cannot seek to beginning of --replay-persist file %s", p->filename); } gc_free(&gc); } } /* transfer packet_id_persist -> packet_id */ void packet_id_persist_load_obj(const struct packet_id_persist *p, struct packet_id *pid) { if (p && pid && packet_id_persist_enabled(p) && p->time) { pid->rec.time = p->time; pid->rec.id = p->id; } } const char * packet_id_persist_print(const struct packet_id_persist *p, struct gc_arena *gc) { struct buffer out = alloc_buf_gc(256, gc); buf_printf(&out, "["); if (packet_id_persist_enabled(p)) { buf_printf(&out, " #" packet_id_format, (packet_id_print_type)p->id); if (p->time) { buf_printf(&out, " / time = (" packet_id_format ") %s", (packet_id_print_type)p->time, time_string(p->time, 0, false, gc)); } } buf_printf(&out, " ]"); return (char *)out.data; } #ifdef ENABLE_DEBUG static void packet_id_debug_print(int msglevel, const struct packet_id_rec *p, const struct packet_id_net *pin, const char *message, int value) { struct gc_arena gc = gc_new(); struct buffer out = alloc_buf_gc(256, &gc); struct timeval tv; const time_t prev_now = now; const struct seq_list *sl = p->seq_list; int i; CLEAR(tv); gettimeofday(&tv, NULL); buf_printf(&out, "%s [%d]", message, value); buf_printf(&out, " [%s-%d] [", p->name, p->unit); for (i = 0; sl != NULL && i < sl->x_size; ++i) { char c; time_t v; int diff; v = CIRC_LIST_ITEM(sl, i); if (v == SEQ_UNSEEN) { c = '_'; } else if (v == SEQ_EXPIRED) { c = 'E'; } else { diff = (int) prev_now - v; if (diff < 0) { c = 'N'; } else if (diff < 10) { c = '0' + diff; } else { c = '>'; } } buf_printf(&out, "%c", c); } buf_printf(&out, "] " time_format ":" packet_id_format, (time_type)p->time, (packet_id_print_type)p->id); if (pin) { buf_printf(&out, " " time_format ":" packet_id_format, (time_type)pin->time, (packet_id_print_type)pin->id); } buf_printf(&out, " t=" time_format "[%d]", (time_type)prev_now, (int)(prev_now - tv.tv_sec)); buf_printf(&out, " r=[%d,%d,%d,%d,%d]", (int)(p->last_reap - tv.tv_sec), p->seq_backtrack, p->time_backtrack, p->max_backtrack_stat, (int)p->initialized); if (sl != NULL) { buf_printf(&out, " sl=[%d,%d,%d,%d]", sl->x_head, sl->x_size, sl->x_cap, sl->x_sizeof); } msg(msglevel, "%s", BSTR(&out)); gc_free(&gc); } #endif /* ifdef ENABLE_DEBUG */ #ifdef PID_TEST void packet_id_interactive_test(void) { struct packet_id pid; struct packet_id_net pin; bool long_form; bool count = 0; bool test; const int seq_backtrack = 10; const int time_backtrack = 10; packet_id_init(&pid, seq_backtrack, time_backtrack); while (true) { char buf[80]; if (!fgets(buf, sizeof(buf), stdin)) { break; } update_time(); if (sscanf(buf, "%lu,%u", &pin.time, &pin.id) == 2) { packet_id_reap_test(&pid.rec); test = packet_id_test(&pid.rec, &pin); printf("packet_id_test (" time_format ", " packet_id_format ") returned %d\n", (time_type)pin.time, (packet_id_print_type)pin.id, test); if (test) { packet_id_add(&pid.rec, &pin); } } else { long_form = (count < 20); packet_id_alloc_outgoing(&pid.send, &pin, long_form); printf("(" time_format "(" packet_id_format "), %d)\n", (time_type)pin.time, (packet_id_print_type)pin.id, long_form); if (pid.send.id == 10) { pid.send.id = 0xFFFFFFF8; } ++count; } } packet_id_free(&pid); } #endif /* ifdef PID_TEST */ #endif /* ENABLE_CRYPTO */ openvpn-2.4.4/src/openvpn/packet_id.h000066400000000000000000000217461316434344000175720ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ /* * These routines are designed to catch replay attacks, * where a man-in-the-middle captures packets and then * attempts to replay them back later. */ #ifdef ENABLE_CRYPTO #ifndef PACKET_ID_H #define PACKET_ID_H #include "circ_list.h" #include "buffer.h" #include "error.h" #include "otime.h" /* * Enables OpenVPN to be compiled in special packet_id test mode. */ /*#define PID_TEST*/ #if 1 /* * These are the types that members of * a struct packet_id_net are converted * to for network transmission. */ typedef uint32_t packet_id_type; #define PACKET_ID_MAX UINT32_MAX typedef uint32_t net_time_t; /* * In TLS mode, when a packet ID gets to this level, * start thinking about triggering a new * SSL/TLS handshake. */ #define PACKET_ID_WRAP_TRIGGER 0xFF000000 /* convert a packet_id_type from host to network order */ #define htonpid(x) htonl(x) /* convert a packet_id_type from network to host order */ #define ntohpid(x) ntohl(x) /* convert a time_t in host order to a net_time_t in network order */ #define htontime(x) htonl((net_time_t)x) /* convert a net_time_t in network order to a time_t in host order */ #define ntohtime(x) ((time_t)ntohl(x)) #else /* if 1 */ /* * DEBUGGING ONLY. * Make packet_id_type and net_time_t small * to test wraparound logic and corner cases. */ typedef uint8_t packet_id_type; typedef uint16_t net_time_t; #define PACKET_ID_WRAP_TRIGGER 0x80 #define htonpid(x) (x) #define ntohpid(x) (x) #define htontime(x) htons((net_time_t)x) #define ntohtime(x) ((time_t)ntohs(x)) #endif /* if 1 */ /* * Printf formats for special types */ #define packet_id_format "%u" typedef unsigned int packet_id_print_type; /* * Maximum allowed backtrack in * sequence number due to packets arriving * out of order. */ #define MIN_SEQ_BACKTRACK 0 #define MAX_SEQ_BACKTRACK 65536 #define DEFAULT_SEQ_BACKTRACK 64 /* * Maximum allowed backtrack in * seconds due to packets arriving * out of order. */ #define MIN_TIME_BACKTRACK 0 #define MAX_TIME_BACKTRACK 600 #define DEFAULT_TIME_BACKTRACK 15 /* * Do a reap pass through the sequence number * array once every n seconds in order to * expire sequence numbers which can no longer * be accepted because they would violate * TIME_BACKTRACK. */ #define SEQ_REAP_INTERVAL 5 CIRC_LIST(seq_list, time_t); /* * This is the data structure we keep on the receiving side, * to check that no packet-id (i.e. sequence number + optional timestamp) * is accepted more than once. */ struct packet_id_rec { time_t last_reap; /* last call of packet_id_reap */ time_t time; /* highest time stamp received */ packet_id_type id; /* highest sequence number received */ int seq_backtrack; /* set from --replay-window */ int time_backtrack; /* set from --replay-window */ int max_backtrack_stat; /* maximum backtrack seen so far */ bool initialized; /* true if packet_id_init was called */ struct seq_list *seq_list; /* packet-id "memory" */ const char *name; int unit; }; /* * file to facilitate cross-session persistence * of time/id */ struct packet_id_persist { const char *filename; int fd; time_t time; /* time stamp */ packet_id_type id; /* sequence number */ time_t time_last_written; packet_id_type id_last_written; }; struct packet_id_persist_file_image { time_t time; /* time stamp */ packet_id_type id; /* sequence number */ }; /* * Keep a record of our current packet-id state * on the sending side. */ struct packet_id_send { packet_id_type id; time_t time; }; /* * Communicate packet-id over the wire. * A short packet-id is just a 32 bit * sequence number. A long packet-id * includes a timestamp as well. * * Long packet-ids are used as IVs for * CFB/OFB ciphers. * * This data structure is always sent * over the net in network byte order, * by calling htonpid, ntohpid, * htontime, and ntohtime on the * data elements to change them * to and from standard sizes. * * In addition, time is converted to * a net_time_t before sending, * since openvpn always * uses a 32-bit time_t but some * 64 bit platforms use a * 64 bit time_t. */ struct packet_id_net { packet_id_type id; time_t time; /* converted to net_time_t before transmission */ }; struct packet_id { struct packet_id_send send; struct packet_id_rec rec; }; void packet_id_init(struct packet_id *p, int seq_backtrack, int time_backtrack, const char *name, int unit); void packet_id_free(struct packet_id *p); /* should we accept an incoming packet id ? */ bool packet_id_test(struct packet_id_rec *p, const struct packet_id_net *pin); /* change our current state to reflect an accepted packet id */ void packet_id_add(struct packet_id_rec *p, const struct packet_id_net *pin); /* expire TIME_BACKTRACK sequence numbers */ void packet_id_reap(struct packet_id_rec *p); /* * packet ID persistence */ /* initialize the packet_id_persist structure in a disabled state */ void packet_id_persist_init(struct packet_id_persist *p); /* close the file descriptor if it is open, and switch to disabled state */ void packet_id_persist_close(struct packet_id_persist *p); /* load persisted rec packet_id (time and id) only once from file, and set state to enabled */ void packet_id_persist_load(struct packet_id_persist *p, const char *filename); /* save persisted rec packet_id (time and id) to file (only if enabled state) */ void packet_id_persist_save(struct packet_id_persist *p); /* transfer packet_id_persist -> packet_id */ void packet_id_persist_load_obj(const struct packet_id_persist *p, struct packet_id *pid); /* return an ascii string representing a packet_id_persist object */ const char *packet_id_persist_print(const struct packet_id_persist *p, struct gc_arena *gc); /* * Read/write a packet ID to/from the buffer. Short form is sequence number * only. Long form is sequence number and timestamp. */ bool packet_id_read(struct packet_id_net *pin, struct buffer *buf, bool long_form); /** * Write a packet ID to buf, and update the packet ID state. * * @param p Packet ID state. * @param buf Buffer to write the packet ID too * @param long_form If true, also update and write time_t to buf * @param prepend If true, prepend to buffer, otherwise apppend. * * @return true if successful, false otherwise. */ bool packet_id_write(struct packet_id_send *p, struct buffer *buf, bool long_form, bool prepend); /* * Inline functions. */ /** Is this struct packet_id initialized? */ static inline bool packet_id_initialized(const struct packet_id *pid) { return pid->rec.initialized; } /* are we in enabled state? */ static inline bool packet_id_persist_enabled(const struct packet_id_persist *p) { return p->fd >= 0; } /* transfer packet_id -> packet_id_persist */ static inline void packet_id_persist_save_obj(struct packet_id_persist *p, const struct packet_id *pid) { if (packet_id_persist_enabled(p) && pid->rec.time) { p->time = pid->rec.time; p->id = pid->rec.id; } } const char *packet_id_net_print(const struct packet_id_net *pin, bool print_timestamp, struct gc_arena *gc); #ifdef PID_TEST void packet_id_interactive_test(void); #endif static inline int packet_id_size(bool long_form) { return sizeof(packet_id_type) + (long_form ? sizeof(net_time_t) : 0); } static inline bool packet_id_close_to_wrapping(const struct packet_id_send *p) { return p->id >= PACKET_ID_WRAP_TRIGGER; } static inline bool check_timestamp_delta(time_t remote, unsigned int max_delta) { unsigned int abs; const time_t local_now = now; if (local_now >= remote) { abs = local_now - remote; } else { abs = remote - local_now; } return abs <= max_delta; } static inline void packet_id_reap_test(struct packet_id_rec *p) { if (p->last_reap + SEQ_REAP_INTERVAL <= now) { packet_id_reap(p); } } #endif /* PACKET_ID_H */ #endif /* ENABLE_CRYPTO */ openvpn-2.4.4/src/openvpn/perf.c000066400000000000000000000153401316434344000165670ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) #include "config-msvc.h" #endif #include "syshead.h" #include "perf.h" #ifdef ENABLE_PERFORMANCE_METRICS #include "error.h" #include "otime.h" #include "memdbg.h" static const char *metric_names[] = { "PERF_BIO_READ_PLAINTEXT", "PERF_BIO_WRITE_PLAINTEXT", "PERF_BIO_READ_CIPHERTEXT", "PERF_BIO_WRITE_CIPHERTEXT", "PERF_TLS_MULTI_PROCESS", "PERF_IO_WAIT", "PERF_EVENT_LOOP", "PERF_MULTI_CREATE_INSTANCE", "PERF_MULTI_CLOSE_INSTANCE", "PERF_MULTI_SHOW_STATS", "PERF_MULTI_BCAST", "PERF_MULTI_MCAST", "PERF_SCRIPT", "PERF_READ_IN_LINK", "PERF_PROC_IN_LINK", "PERF_READ_IN_TUN", "PERF_PROC_IN_TUN", "PERF_PROC_OUT_LINK", "PERF_PROC_OUT_TUN", "PERF_PROC_OUT_TUN_MTCP" }; struct perf { #define PS_INITIAL 0 #define PS_METER_RUNNING 1 #define PS_METER_INTERRUPTED 2 int state; struct timeval start; double sofar; double sum; double max; double count; }; struct perf_set { int stack_len; int stack[STACK_N]; struct perf perf[PERF_N]; }; static struct perf_set perf_set; static void perf_print_state(int lev); static inline int get_stack_index(int sdelta) { const int sindex = perf_set.stack_len + sdelta; if (sindex >= 0 && sindex < STACK_N) { return sindex; } else { return -1; } } static int get_perf_index(int sdelta) { const int sindex = get_stack_index(sdelta); if (sindex >= 0) { const int pindex = perf_set.stack[sindex]; if (pindex >= 0 && pindex < PERF_N) { return pindex; } else { return -1; } } else { return -1; } } static struct perf * get_perf(int sdelta) { const int pindex = get_perf_index(sdelta); if (pindex >= 0) { return &perf_set.perf[pindex]; } else { return NULL; } } static void push_perf_index(int pindex) { const int sindex = get_stack_index(0); const int newlen = get_stack_index(1); if (sindex >= 0 && newlen >= 0 && pindex >= 0 && pindex < PERF_N) { int i; for (i = 0; i < sindex; ++i) { if (perf_set.stack[i] == pindex) { perf_print_state(M_INFO); msg(M_FATAL, "PERF: push_perf_index %s failed", metric_names [pindex]); } } perf_set.stack[sindex] = pindex; perf_set.stack_len = newlen; } else { msg(M_FATAL, "PERF: push_perf_index: stack push error"); } } static void pop_perf_index(void) { const int newlen = get_stack_index(-1); if (newlen >= 0) { perf_set.stack_len = newlen; } else { msg(M_FATAL, "PERF: pop_perf_index: stack pop error"); } } static void state_must_be(const struct perf *p, const int wanted) { if (p->state != wanted) { msg(M_FATAL, "PERF: bad state actual=%d wanted=%d", p->state, wanted); } } static void update_sofar(struct perf *p) { struct timeval current; ASSERT(!gettimeofday(¤t, NULL)); p->sofar += (double) tv_subtract(¤t, &p->start, 600) / 1000000.0; tv_clear(&p->start); } static void perf_start(struct perf *p) { state_must_be(p, PS_INITIAL); ASSERT(!gettimeofday(&p->start, NULL)); p->sofar = 0.0; p->state = PS_METER_RUNNING; } static void perf_stop(struct perf *p) { state_must_be(p, PS_METER_RUNNING); update_sofar(p); p->sum += p->sofar; if (p->sofar > p->max) { p->max = p->sofar; } p->count += 1.0; p->sofar = 0.0; p->state = PS_INITIAL; } static void perf_interrupt(struct perf *p) { state_must_be(p, PS_METER_RUNNING); update_sofar(p); p->state = PS_METER_INTERRUPTED; } static void perf_resume(struct perf *p) { state_must_be(p, PS_METER_INTERRUPTED); ASSERT(!gettimeofday(&p->start, NULL)); p->state = PS_METER_RUNNING; } void perf_push(int type) { struct perf *prev; struct perf *cur; ASSERT(SIZE(metric_names) == PERF_N); push_perf_index(type); prev = get_perf(-2); cur = get_perf(-1); ASSERT(cur); if (prev) { perf_interrupt(prev); } perf_start(cur); } void perf_pop(void) { struct perf *prev; struct perf *cur; prev = get_perf(-2); cur = get_perf(-1); ASSERT(cur); perf_stop(cur); if (prev) { perf_resume(prev); } pop_perf_index(); } void perf_output_results(void) { int i; msg(M_INFO, "LATENCY PROFILE (mean and max are in milliseconds)"); for (i = 0; i < PERF_N; ++i) { struct perf *p = &perf_set.perf[i]; if (p->count > 0.0) { const double mean = p->sum / p->count; msg(M_INFO, "%s n=%.0f mean=%.3f max=%.3f", metric_names[i], p->count, mean*1000.0, p->max*1000.0); } } } static void perf_print_state(int lev) { struct gc_arena gc = gc_new(); int i; msg(lev, "PERF STATE"); msg(lev, "Stack:"); for (i = 0; i < perf_set.stack_len; ++i) { const int j = perf_set.stack[i]; const struct perf *p = &perf_set.perf[j]; msg(lev, "[%d] %s state=%d start=%s sofar=%f sum=%f max=%f count=%f", i, metric_names[j], p->state, tv_string(&p->start, &gc), p->sofar, p->sum, p->max, p->count); } gc_free(&gc); } #else /* ifdef ENABLE_PERFORMANCE_METRICS */ #ifdef _MSC_VER /* Dummy function needed to avoid empty file compiler warning in Microsoft VC */ static void dummy(void) { } #endif #endif /* ifdef ENABLE_PERFORMANCE_METRICS */ openvpn-2.4.4/src/openvpn/perf.h000066400000000000000000000047741316434344000166050ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ /* * The interval_ routines are designed to optimize the calling of a routine * (normally tls_multi_process()) which can be called less frequently * between triggers. */ #ifndef PERF_H #define PERF_H /*#define ENABLE_PERFORMANCE_METRICS*/ /* * Metrics */ #define PERF_BIO_READ_PLAINTEXT 0 #define PERF_BIO_WRITE_PLAINTEXT 1 #define PERF_BIO_READ_CIPHERTEXT 2 #define PERF_BIO_WRITE_CIPHERTEXT 3 #define PERF_TLS_MULTI_PROCESS 4 #define PERF_IO_WAIT 5 #define PERF_EVENT_LOOP 6 #define PERF_MULTI_CREATE_INSTANCE 7 #define PERF_MULTI_CLOSE_INSTANCE 8 #define PERF_MULTI_SHOW_STATS 9 #define PERF_MULTI_BCAST 10 #define PERF_MULTI_MCAST 11 #define PERF_SCRIPT 12 #define PERF_READ_IN_LINK 13 #define PERF_PROC_IN_LINK 14 #define PERF_READ_IN_TUN 15 #define PERF_PROC_IN_TUN 16 #define PERF_PROC_OUT_LINK 17 #define PERF_PROC_OUT_TUN 18 #define PERF_PROC_OUT_TUN_MTCP 19 #define PERF_N 20 #ifdef ENABLE_PERFORMANCE_METRICS #include "basic.h" /* * Stack size */ #define STACK_N 64 void perf_push(int type); void perf_pop(void); void perf_output_results(void); #else /* ifdef ENABLE_PERFORMANCE_METRICS */ static inline void perf_push(int type) { } static inline void perf_pop(void) { } static inline void perf_output_results(void) { } #endif /* ifdef ENABLE_PERFORMANCE_METRICS */ #endif /* ifndef PERF_H */ openvpn-2.4.4/src/openvpn/pf-inline.h000066400000000000000000000040741316434344000175230ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #if defined(ENABLE_PF) && !defined(PF_INLINE_H) #define PF_INLINE_H /* * Inline functions */ #define PCT_SRC 1 #define PCT_DEST 2 static inline bool pf_c2c_test(const struct context *src, const struct context *dest, const char *prefix) { bool pf_cn_test(struct pf_set *pfs, const struct tls_multi *tm, const int type, const char *prefix); return (!src->c2.pf.enabled || pf_cn_test(src->c2.pf.pfs, dest->c2.tls_multi, PCT_DEST, prefix)) && (!dest->c2.pf.enabled || pf_cn_test(dest->c2.pf.pfs, src->c2.tls_multi, PCT_SRC, prefix)); } static inline bool pf_addr_test(const struct context *src, const struct mroute_addr *dest, const char *prefix) { bool pf_addr_test_dowork(const struct context *src, const struct mroute_addr *dest, const char *prefix); if (src->c2.pf.enabled) { return pf_addr_test_dowork(src, dest, prefix); } else { return true; } } static inline bool pf_kill_test(const struct pf_set *pfs) { return pfs->kill; } #endif /* if defined(ENABLE_PF) && !defined(PF_INLINE_H) */ openvpn-2.4.4/src/openvpn/pf.c000066400000000000000000000507021316434344000162410ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ /* packet filter functions */ #ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) #include "config-msvc.h" #endif #include "syshead.h" #if defined(ENABLE_PF) #include "init.h" #include "memdbg.h" #include "ssl_verify.h" #include "pf-inline.h" static void pf_destroy(struct pf_set *pfs) { if (pfs) { if (pfs->cns.hash_table) { hash_free(pfs->cns.hash_table); } { struct pf_cn_elem *l = pfs->cns.list; while (l) { struct pf_cn_elem *next = l->next; free(l->rule.cn); free(l); l = next; } } { struct pf_subnet *l = pfs->sns.list; while (l) { struct pf_subnet *next = l->next; free(l); l = next; } } free(pfs); } } static bool add_client(const char *line, const char *prefix, const int line_num, struct pf_cn_elem ***next, const bool exclude) { struct pf_cn_elem *e; ALLOC_OBJ_CLEAR(e, struct pf_cn_elem); e->rule.exclude = exclude; e->rule.cn = string_alloc(line, NULL); **next = e; *next = &e->next; return true; } static bool add_subnet(const char *line, const char *prefix, const int line_num, struct pf_subnet ***next, const bool exclude) { struct in_addr network; in_addr_t netmask = 0; if (strcmp(line, "unknown")) { int netbits = 32; char *div = strchr(line, '/'); if (div) { *div++ = '\0'; if (sscanf(div, "%d", &netbits) != 1) { msg(D_PF_INFO, "PF: %s/%d: bad '/n' subnet specifier: '%s'", prefix, line_num, div); return false; } if (netbits < 0 || netbits > 32) { msg(D_PF_INFO, "PF: %s/%d: bad '/n' subnet specifier: must be between 0 and 32: '%s'", prefix, line_num, div); return false; } } if (openvpn_inet_aton(line, &network) != OIA_IP) { msg(D_PF_INFO, "PF: %s/%d: bad network address: '%s'", prefix, line_num, line); return false; } netmask = netbits_to_netmask(netbits); if ((network.s_addr & htonl(netmask)) != network.s_addr) { network.s_addr &= htonl(netmask); msg(M_WARN, "WARNING: PF: %s/%d: incorrect subnet %s/%d changed to %s/%d", prefix, line_num, line, netbits, inet_ntoa(network), netbits); } } else { /* match special "unknown" tag for addresses unrecognized by mroute */ network.s_addr = htonl(0); netmask = IPV4_NETMASK_HOST; } { struct pf_subnet *e; ALLOC_OBJ_CLEAR(e, struct pf_subnet); e->rule.exclude = exclude; e->rule.network = ntohl(network.s_addr); e->rule.netmask = netmask; **next = e; *next = &e->next; return true; } } static uint32_t cn_hash_function(const void *key, uint32_t iv) { return hash_func((uint8_t *)key, strlen((char *)key) + 1, iv); } static bool cn_compare_function(const void *key1, const void *key2) { return !strcmp((const char *)key1, (const char *)key2); } static bool genhash(struct pf_cn_set *cns, const char *prefix, const int n_clients) { struct pf_cn_elem *e; bool status = true; int n_buckets = n_clients; if (n_buckets < 16) { n_buckets = 16; } cns->hash_table = hash_init(n_buckets, 0, cn_hash_function, cn_compare_function); for (e = cns->list; e != NULL; e = e->next) { if (!hash_add(cns->hash_table, e->rule.cn, &e->rule, false)) { msg(D_PF_INFO, "PF: %s: duplicate common name in [clients] section: '%s'", prefix, e->rule.cn); status = false; } } return status; } static struct pf_set * pf_init(const struct buffer_list *bl, const char *prefix, const bool allow_kill) { #define MODE_UNDEF 0 #define MODE_CLIENTS 1 #define MODE_SUBNETS 2 int mode = MODE_UNDEF; int line_num = 0; int n_clients = 0; int n_subnets = 0; int n_errors = 0; struct pf_set *pfs = NULL; char line[PF_MAX_LINE_LEN]; ALLOC_OBJ_CLEAR(pfs, struct pf_set); if (bl) { struct pf_cn_elem **cl = &pfs->cns.list; struct pf_subnet **sl = &pfs->sns.list; struct buffer_entry *be; for (be = bl->head; be != NULL; be = be->next) { ++line_num; strncpynt(line, BSTR(&be->buf), sizeof(line)); rm_trailing_chars(line, "\r\n\t "); if (line[0] == '\0' || line[0] == '#') { } else if (line[0] == '+' || line[0] == '-') { bool exclude = (line[0] == '-'); if (line[1] =='\0') { msg(D_PF_INFO, "PF: %s/%d: no data after +/-: '%s'", prefix, line_num, line); ++n_errors; } else if (mode == MODE_CLIENTS) { if (add_client(&line[1], prefix, line_num, &cl, exclude)) { ++n_clients; } else { ++n_errors; } } else if (mode == MODE_SUBNETS) { if (add_subnet(&line[1], prefix, line_num, &sl, exclude)) { ++n_subnets; } else { ++n_errors; } } else if (mode == MODE_UNDEF) { } else { ASSERT(0); } } else if (line[0] == '[') { if (!strcasecmp(line, "[clients accept]")) { mode = MODE_CLIENTS; pfs->cns.default_allow = true; } else if (!strcasecmp(line, "[clients drop]")) { mode = MODE_CLIENTS; pfs->cns.default_allow = false; } else if (!strcasecmp(line, "[subnets accept]")) { mode = MODE_SUBNETS; pfs->sns.default_allow = true; } else if (!strcasecmp(line, "[subnets drop]")) { mode = MODE_SUBNETS; pfs->sns.default_allow = false; } else if (!strcasecmp(line, "[end]")) { goto done; } else if (allow_kill && !strcasecmp(line, "[kill]")) { goto kill; } else { mode = MODE_UNDEF; msg(D_PF_INFO, "PF: %s/%d unknown tag: '%s'", prefix, line_num, line); ++n_errors; } } else { msg(D_PF_INFO, "PF: %s/%d line must begin with '+', '-', or '[' : '%s'", prefix, line_num, line); ++n_errors; } } ++n_errors; msg(D_PF_INFO, "PF: %s: missing [end]", prefix); } else { msg(D_PF_INFO, "PF: %s: cannot open", prefix); ++n_errors; } done: if (bl) { if (!n_errors) { if (!genhash(&pfs->cns, prefix, n_clients)) { ++n_errors; } } if (n_errors) { msg(D_PF_INFO, "PF: %s rejected due to %d error(s)", prefix, n_errors); } } if (n_errors) { pf_destroy(pfs); pfs = NULL; } return pfs; kill: pf_destroy(pfs); ALLOC_OBJ_CLEAR(pfs, struct pf_set); pfs->kill = true; return pfs; } #ifdef PLUGIN_PF static struct pf_set * pf_init_from_file(const char *fn) { struct buffer_list *bl = buffer_list_file(fn, PF_MAX_LINE_LEN); if (bl) { struct pf_set *pfs = pf_init(bl, fn, true); buffer_list_free(bl); return pfs; } else { msg(D_PF_INFO|M_ERRNO, "PF: %s: cannot open", fn); return NULL; } } #endif #ifdef ENABLE_DEBUG static const char * drop_accept(const bool accept) { return accept ? "ACCEPT" : "DROP"; } static const char * pct_name(const int type) { switch (type) { case PCT_SRC: return "SRC"; case PCT_DEST: return "DEST"; default: return "???"; } } static void pf_cn_test_print(const char *prefix, const int type, const char *prefix2, const char *cn, const bool allow, const struct pf_cn *rule) { if (rule) { dmsg(D_PF_DEBUG, "PF: %s/%s/%s %s %s rule=[%s %s]", prefix, prefix2, pct_name(type), cn, drop_accept(allow), rule->cn, drop_accept(!rule->exclude)); } else { dmsg(D_PF_DEBUG, "PF: %s/%s/%s %s %s", prefix, prefix2, pct_name(type), cn, drop_accept(allow)); } } static void pf_addr_test_print(const char *prefix, const char *prefix2, const struct context *src, const struct mroute_addr *dest, const bool allow, const struct ipv4_subnet *rule) { struct gc_arena gc = gc_new(); if (rule) { dmsg(D_PF_DEBUG, "PF: %s/%s %s %s %s rule=[%s/%s %s]", prefix, prefix2, tls_common_name(src->c2.tls_multi, false), mroute_addr_print_ex(dest, MAPF_SHOW_ARP, &gc), drop_accept(allow), print_in_addr_t(rule->network, 0, &gc), print_in_addr_t(rule->netmask, 0, &gc), drop_accept(!rule->exclude)); } else { dmsg(D_PF_DEBUG, "PF: %s/%s %s %s %s", prefix, prefix2, tls_common_name(src->c2.tls_multi, false), mroute_addr_print_ex(dest, MAPF_SHOW_ARP, &gc), drop_accept(allow)); } gc_free(&gc); } #endif /* ifdef ENABLE_DEBUG */ static inline struct pf_cn * lookup_cn_rule(struct hash *h, const char *cn, const uint32_t cn_hash) { struct hash_element *he = hash_lookup_fast(h, hash_bucket(h, cn_hash), cn, cn_hash); if (he) { return (struct pf_cn *) he->value; } else { return NULL; } } bool pf_cn_test(struct pf_set *pfs, const struct tls_multi *tm, const int type, const char *prefix) { if (pfs && !pfs->kill) { const char *cn; uint32_t cn_hash; if (tls_common_name_hash(tm, &cn, &cn_hash)) { const struct pf_cn *rule = lookup_cn_rule(pfs->cns.hash_table, cn, cn_hash); if (rule) { #ifdef ENABLE_DEBUG if (check_debug_level(D_PF_DEBUG)) { pf_cn_test_print("PF_CN_MATCH", type, prefix, cn, !rule->exclude, rule); } #endif if (!rule->exclude) { return true; } else { return false; } } else { #ifdef ENABLE_DEBUG if (check_debug_level(D_PF_DEBUG)) { pf_cn_test_print("PF_CN_DEFAULT", type, prefix, cn, pfs->cns.default_allow, NULL); } #endif if (pfs->cns.default_allow) { return true; } else { return false; } } } } #ifdef ENABLE_DEBUG if (check_debug_level(D_PF_DEBUG)) { pf_cn_test_print("PF_CN_FAULT", type, prefix, tls_common_name(tm, false), false, NULL); } #endif return false; } bool pf_addr_test_dowork(const struct context *src, const struct mroute_addr *dest, const char *prefix) { struct pf_set *pfs = src->c2.pf.pfs; if (pfs && !pfs->kill) { const in_addr_t addr = in_addr_t_from_mroute_addr(dest); const struct pf_subnet *se = pfs->sns.list; while (se) { if ((addr & se->rule.netmask) == se->rule.network) { #ifdef ENABLE_DEBUG if (check_debug_level(D_PF_DEBUG)) { pf_addr_test_print("PF_ADDR_MATCH", prefix, src, dest, !se->rule.exclude, &se->rule); } #endif return !se->rule.exclude; } se = se->next; } #ifdef ENABLE_DEBUG if (check_debug_level(D_PF_DEBUG)) { pf_addr_test_print("PF_ADDR_DEFAULT", prefix, src, dest, pfs->sns.default_allow, NULL); } #endif return pfs->sns.default_allow; } else { #ifdef ENABLE_DEBUG if (check_debug_level(D_PF_DEBUG)) { pf_addr_test_print("PF_ADDR_FAULT", prefix, src, dest, false, NULL); } #endif return false; } } #ifdef PLUGIN_PF void pf_check_reload(struct context *c) { const int slow_wakeup = 15; const int fast_wakeup = 1; const int wakeup_transition = 60; bool reloaded = false; if (c->c2.pf.enabled && c->c2.pf.filename && event_timeout_trigger(&c->c2.pf.reload, &c->c2.timeval, ETT_DEFAULT)) { platform_stat_t s; if (!platform_stat(c->c2.pf.filename, &s)) { if (s.st_mtime > c->c2.pf.file_last_mod) { struct pf_set *pfs = pf_init_from_file(c->c2.pf.filename); if (pfs) { if (c->c2.pf.pfs) { pf_destroy(c->c2.pf.pfs); } c->c2.pf.pfs = pfs; reloaded = true; if (pf_kill_test(pfs)) { c->sig->signal_received = SIGTERM; c->sig->signal_text = "pf-kill"; } } c->c2.pf.file_last_mod = s.st_mtime; } } { int wakeup = slow_wakeup; if (!c->c2.pf.pfs && c->c2.pf.n_check_reload < wakeup_transition) { wakeup = fast_wakeup; } event_timeout_init(&c->c2.pf.reload, wakeup, now); reset_coarse_timers(c); c->c2.pf.n_check_reload++; } } #ifdef ENABLE_DEBUG if (reloaded && check_debug_level(D_PF_DEBUG)) { pf_context_print(&c->c2.pf, "pf_check_reload", D_PF_DEBUG); } #endif } #endif /* ifdef PLUGIN_PF */ #ifdef MANAGEMENT_PF bool pf_load_from_buffer_list(struct context *c, const struct buffer_list *config) { struct pf_set *pfs = pf_init(config, "[SERVER-PF]", false); if (pfs) { if (c->c2.pf.pfs) { pf_destroy(c->c2.pf.pfs); } c->c2.pf.pfs = pfs; return true; } else { return false; } } #endif void pf_init_context(struct context *c) { struct gc_arena gc = gc_new(); #ifdef PLUGIN_PF if (plugin_defined(c->plugins, OPENVPN_PLUGIN_ENABLE_PF)) { const char *pf_file = create_temp_file(c->options.tmp_dir, "pf", &gc); if (pf_file) { setenv_str(c->c2.es, "pf_file", pf_file); if (plugin_call(c->plugins, OPENVPN_PLUGIN_ENABLE_PF, NULL, NULL, c->c2.es) == OPENVPN_PLUGIN_FUNC_SUCCESS) { event_timeout_init(&c->c2.pf.reload, 1, now); c->c2.pf.filename = string_alloc(pf_file, &c->c2.gc); c->c2.pf.enabled = true; #ifdef ENABLE_DEBUG if (check_debug_level(D_PF_DEBUG)) { pf_context_print(&c->c2.pf, "pf_init_context#1", D_PF_DEBUG); } #endif } else { msg(M_WARN, "WARNING: OPENVPN_PLUGIN_ENABLE_PF disabled"); } } } #endif /* ifdef PLUGIN_PF */ #ifdef MANAGEMENT_PF if (!c->c2.pf.enabled && management_enable_pf(management)) { c->c2.pf.enabled = true; #ifdef ENABLE_DEBUG if (check_debug_level(D_PF_DEBUG)) { pf_context_print(&c->c2.pf, "pf_init_context#2", D_PF_DEBUG); } #endif } #endif gc_free(&gc); } void pf_destroy_context(struct pf_context *pfc) { #ifdef PLUGIN_PF if (pfc->filename) { platform_unlink(pfc->filename); } #endif if (pfc->pfs) { pf_destroy(pfc->pfs); } } #ifdef ENABLE_DEBUG static void pf_subnet_set_print(const struct pf_subnet_set *s, const int lev) { struct gc_arena gc = gc_new(); if (s) { struct pf_subnet *e; msg(lev, " ----- struct pf_subnet_set -----"); msg(lev, " default_allow=%s", drop_accept(s->default_allow)); for (e = s->list; e != NULL; e = e->next) { msg(lev, " %s/%s %s", print_in_addr_t(e->rule.network, 0, &gc), print_in_addr_t(e->rule.netmask, 0, &gc), drop_accept(!e->rule.exclude)); } } gc_free(&gc); } static void pf_cn_set_print(const struct pf_cn_set *s, const int lev) { if (s) { struct hash_iterator hi; struct hash_element *he; msg(lev, " ----- struct pf_cn_set -----"); msg(lev, " default_allow=%s", drop_accept(s->default_allow)); if (s->hash_table) { hash_iterator_init(s->hash_table, &hi); while ((he = hash_iterator_next(&hi))) { struct pf_cn *e = (struct pf_cn *)he->value; msg(lev, " %s %s", e->cn, drop_accept(!e->exclude)); } msg(lev, " ----------"); { struct pf_cn_elem *ce; for (ce = s->list; ce != NULL; ce = ce->next) { struct pf_cn *e = lookup_cn_rule(s->hash_table, ce->rule.cn, cn_hash_function(ce->rule.cn, 0)); if (e) { msg(lev, " %s %s", e->cn, drop_accept(!e->exclude)); } else { msg(lev, " %s LOOKUP FAILED", ce->rule.cn); } } } } } } static void pf_set_print(const struct pf_set *pfs, const int lev) { if (pfs) { msg(lev, " ----- struct pf_set -----"); msg(lev, " kill=%d", pfs->kill); pf_subnet_set_print(&pfs->sns, lev); pf_cn_set_print(&pfs->cns, lev); } } void pf_context_print(const struct pf_context *pfc, const char *prefix, const int lev) { msg(lev, "----- %s : struct pf_context -----", prefix); if (pfc) { msg(lev, "enabled=%d", pfc->enabled); #ifdef PLUGIN_PF msg(lev, "filename='%s'", np(pfc->filename)); msg(lev, "file_last_mod=%u", (unsigned int)pfc->file_last_mod); msg(lev, "n_check_reload=%u", pfc->n_check_reload); msg(lev, "reload=[%d,%u,%u]", pfc->reload.defined, pfc->reload.n, (unsigned int)pfc->reload.last); #endif pf_set_print(pfc->pfs, lev); } msg(lev, "--------------------"); } #endif /* ifdef ENABLE_DEBUG */ #endif /* if defined(ENABLE_PF) */ openvpn-2.4.4/src/openvpn/pf.h000066400000000000000000000046211316434344000162450ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ /* packet filter functions */ #if defined(ENABLE_PF) && !defined(OPENVPN_PF_H) #define OPENVPN_PF_H #include "list.h" #include "mroute.h" #define PF_MAX_LINE_LEN 256 struct context; struct ipv4_subnet { bool exclude; in_addr_t network; in_addr_t netmask; }; struct pf_subnet { struct pf_subnet *next; struct ipv4_subnet rule; }; struct pf_subnet_set { bool default_allow; struct pf_subnet *list; }; struct pf_cn { bool exclude; char *cn; }; struct pf_cn_elem { struct pf_cn_elem *next; struct pf_cn rule; }; struct pf_cn_set { bool default_allow; struct pf_cn_elem *list; struct hash *hash_table; }; struct pf_set { bool kill; struct pf_subnet_set sns; struct pf_cn_set cns; }; struct pf_context { bool enabled; struct pf_set *pfs; #ifdef PLUGIN_PF char *filename; time_t file_last_mod; unsigned int n_check_reload; struct event_timeout reload; #endif }; void pf_init_context(struct context *c); void pf_destroy_context(struct pf_context *pfc); #ifdef PLUGIN_PF void pf_check_reload(struct context *c); #endif #ifdef MANAGEMENT_PF bool pf_load_from_buffer_list(struct context *c, const struct buffer_list *config); #endif #ifdef ENABLE_DEBUG void pf_context_print(const struct pf_context *pfc, const char *prefix, const int lev); #endif #endif /* if defined(ENABLE_PF) && !defined(OPENVPN_PF_H) */ openvpn-2.4.4/src/openvpn/ping-inline.h000066400000000000000000000041651316434344000200540ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifndef PING_INLINE_H #define PING_INLINE_H /* * Should we exit or restart due to ping (or other authenticated packet) * not received in n seconds? */ static inline void check_ping_restart(struct context *c) { void check_ping_restart_dowork(struct context *c); if (c->options.ping_rec_timeout && event_timeout_trigger(&c->c2.ping_rec_interval, &c->c2.timeval, (!c->options.ping_timer_remote || link_socket_actual_defined(&c->c1.link_socket_addr.actual)) ? ETT_DEFAULT : 15)) { check_ping_restart_dowork(c); } } /* * Should we ping the remote? */ static inline void check_ping_send(struct context *c) { void check_ping_send_dowork(struct context *c); if (c->options.ping_send_timeout && event_timeout_trigger(&c->c2.ping_send_interval, &c->c2.timeval, !TO_LINK_DEF(c) ? ETT_DEFAULT : 1)) { check_ping_send_dowork(c); } } #endif /* ifndef PING_INLINE_H */ openvpn-2.4.4/src/openvpn/ping.c000066400000000000000000000057221316434344000165730ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) #include "config-msvc.h" #endif #include "syshead.h" #include "ping.h" #include "memdbg.h" #include "ping-inline.h" /* * This random string identifies an OpenVPN ping packet. * It should be of sufficient length and randomness * so as not to collide with other tunnel data. * * PING_STRING_SIZE must be sizeof (ping_string) */ const uint8_t ping_string[] = { 0x2a, 0x18, 0x7b, 0xf3, 0x64, 0x1e, 0xb4, 0xcb, 0x07, 0xed, 0x2d, 0x0a, 0x98, 0x1f, 0xc7, 0x48 }; /* * Should we exit or restart due to ping (or other authenticated packet) * not received in n seconds? */ void check_ping_restart_dowork(struct context *c) { struct gc_arena gc = gc_new(); switch (c->options.ping_rec_timeout_action) { case PING_EXIT: msg(M_INFO, "%sInactivity timeout (--ping-exit), exiting", format_common_name(c, &gc)); c->sig->signal_received = SIGTERM; c->sig->signal_text = "ping-exit"; break; case PING_RESTART: msg(M_INFO, "%sInactivity timeout (--ping-restart), restarting", format_common_name(c, &gc)); c->sig->signal_received = SIGUSR1; /* SOFT-SIGUSR1 -- Ping Restart */ c->sig->signal_text = "ping-restart"; break; default: ASSERT(0); } gc_free(&gc); } /* * Should we ping the remote? */ void check_ping_send_dowork(struct context *c) { c->c2.buf = c->c2.buffers->aux_buf; ASSERT(buf_init(&c->c2.buf, FRAME_HEADROOM(&c->c2.frame))); ASSERT(buf_safe(&c->c2.buf, MAX_RW_SIZE_TUN(&c->c2.frame))); ASSERT(buf_write(&c->c2.buf, ping_string, sizeof(ping_string))); /* * We will treat the ping like any other outgoing packet, * encrypt, sign, etc. */ encrypt_sign(c, true); /* Set length to 0, so it won't be counted as activity */ c->c2.buf.len = 0; dmsg(D_PING, "SENT PING"); } openvpn-2.4.4/src/openvpn/ping.h000066400000000000000000000027051316434344000165760ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifndef PING_H #define PING_H #include "init.h" #include "forward.h" /* * Initial default --ping-restart before --pull */ #define PRE_PULL_INITIAL_PING_RESTART 120 /* in seconds */ extern const uint8_t ping_string[]; /* PING_STRING_SIZE must be sizeof (ping_string) */ #define PING_STRING_SIZE 16 static inline bool is_ping_msg(const struct buffer *buf) { return buf_string_match(buf, ping_string, PING_STRING_SIZE); } #endif openvpn-2.4.4/src/openvpn/pkcs11.c000066400000000000000000000561041316434344000167400ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) #include "config-msvc.h" #endif #include "syshead.h" #if defined(ENABLE_PKCS11) #include #include "basic.h" #include "error.h" #include "manage.h" #include "base64.h" #include "pkcs11.h" #include "misc.h" #include "otime.h" #include "console.h" #include "pkcs11_backend.h" static time_t __mytime(void) { return openvpn_time(NULL); } #if !defined(_WIN32) static int __mygettimeofday(struct timeval *tv) { return gettimeofday(tv, NULL); } #endif static void __mysleep(const unsigned long usec) { #if defined(_WIN32) Sleep(usec/1000); #else usleep(usec); #endif } static pkcs11h_engine_system_t s_pkcs11h_sys_engine = { malloc, free, __mytime, __mysleep, #if defined(_WIN32) NULL #else __mygettimeofday #endif }; static unsigned _pkcs11_msg_pkcs112openvpn( const unsigned flags ) { unsigned openvpn_flags; switch (flags) { case PKCS11H_LOG_DEBUG2: openvpn_flags = D_PKCS11_DEBUG; break; case PKCS11H_LOG_DEBUG1: openvpn_flags = D_SHOW_PKCS11; break; case PKCS11H_LOG_INFO: openvpn_flags = M_INFO; break; case PKCS11H_LOG_WARN: openvpn_flags = M_WARN; break; case PKCS11H_LOG_ERROR: openvpn_flags = M_FATAL; break; default: openvpn_flags = M_FATAL; break; } #if defined(ENABLE_PKCS11_FORCE_DEBUG) openvpn_flags = M_INFO; #endif return openvpn_flags; } static unsigned _pkcs11_msg_openvpn2pkcs11( const unsigned flags ) { unsigned pkcs11_flags; if ((flags & D_PKCS11_DEBUG) != 0) { pkcs11_flags = PKCS11H_LOG_DEBUG2; } else if ((flags & D_SHOW_PKCS11) != 0) { pkcs11_flags = PKCS11H_LOG_DEBUG1; } else if ((flags & M_INFO) != 0) { pkcs11_flags = PKCS11H_LOG_INFO; } else if ((flags & M_WARN) != 0) { pkcs11_flags = PKCS11H_LOG_WARN; } else if ((flags & M_FATAL) != 0) { pkcs11_flags = PKCS11H_LOG_ERROR; } else { pkcs11_flags = PKCS11H_LOG_ERROR; } #if defined(ENABLE_PKCS11_FORCE_DEBUG) pkcs11_flags = PKCS11H_LOG_DEBUG2; #endif return pkcs11_flags; } static void _pkcs11_openvpn_log( void *const global_data, unsigned flags, const char *const szFormat, va_list args ) { char Buffer[10*1024]; (void)global_data; vsnprintf(Buffer, sizeof(Buffer), szFormat, args); Buffer[sizeof(Buffer)-1] = 0; msg(_pkcs11_msg_pkcs112openvpn(flags), "%s", Buffer); } static PKCS11H_BOOL _pkcs11_openvpn_token_prompt( void *const global_data, void *const user_data, const pkcs11h_token_id_t token, const unsigned retry ) { struct user_pass token_resp; (void)global_data; (void)user_data; (void)retry; ASSERT(token!=NULL); CLEAR(token_resp); token_resp.defined = false; token_resp.nocache = true; openvpn_snprintf( token_resp.username, sizeof(token_resp.username), "Please insert %s token", token->label ); if ( !get_user_pass( &token_resp, NULL, "token-insertion-request", GET_USER_PASS_MANAGEMENT|GET_USER_PASS_NEED_OK|GET_USER_PASS_NOFATAL ) ) { return false; } else { return strcmp(token_resp.password, "ok") == 0; } } static PKCS11H_BOOL _pkcs11_openvpn_pin_prompt( void *const global_data, void *const user_data, const pkcs11h_token_id_t token, const unsigned retry, char *const pin, const size_t pin_max ) { struct user_pass token_pass; char prompt[1024]; (void)global_data; (void)user_data; (void)retry; ASSERT(token!=NULL); openvpn_snprintf(prompt, sizeof(prompt), "%s token", token->label); token_pass.defined = false; token_pass.nocache = true; if ( !get_user_pass( &token_pass, NULL, prompt, GET_USER_PASS_MANAGEMENT|GET_USER_PASS_PASSWORD_ONLY|GET_USER_PASS_NOFATAL ) ) { return false; } else { strncpynt(pin, token_pass.password, pin_max); purge_user_pass(&token_pass, true); if (strlen(pin) == 0) { return false; } else { return true; } } } bool pkcs11_initialize( const bool protected_auth, const int nPINCachePeriod ) { CK_RV rv = CKR_FUNCTION_FAILED; dmsg( D_PKCS11_DEBUG, "PKCS#11: pkcs11_initialize - entered" ); if ((rv = pkcs11h_engine_setSystem(&s_pkcs11h_sys_engine)) != CKR_OK) { msg(M_FATAL, "PKCS#11: Cannot initialize system engine %ld-'%s'", rv, pkcs11h_getMessage(rv)); goto cleanup; } if ((rv = pkcs11h_initialize()) != CKR_OK) { msg(M_FATAL, "PKCS#11: Cannot initialize %ld-'%s'", rv, pkcs11h_getMessage(rv)); goto cleanup; } if ((rv = pkcs11h_setLogHook(_pkcs11_openvpn_log, NULL)) != CKR_OK) { msg(M_FATAL, "PKCS#11: Cannot set hooks %ld-'%s'", rv, pkcs11h_getMessage(rv)); goto cleanup; } pkcs11h_setLogLevel(_pkcs11_msg_openvpn2pkcs11(get_debug_level())); if ((rv = pkcs11h_setForkMode(TRUE)) != CKR_OK) { msg(M_FATAL, "PKCS#11: Cannot set fork mode %ld-'%s'", rv, pkcs11h_getMessage(rv)); goto cleanup; } if ((rv = pkcs11h_setTokenPromptHook(_pkcs11_openvpn_token_prompt, NULL)) != CKR_OK) { msg(M_FATAL, "PKCS#11: Cannot set hooks %ld-'%s'", rv, pkcs11h_getMessage(rv)); goto cleanup; } if ((rv = pkcs11h_setPINPromptHook(_pkcs11_openvpn_pin_prompt, NULL)) != CKR_OK) { msg(M_FATAL, "PKCS#11: Cannot set hooks %ld-'%s'", rv, pkcs11h_getMessage(rv)); goto cleanup; } if ((rv = pkcs11h_setProtectedAuthentication(protected_auth)) != CKR_OK) { msg(M_FATAL, "PKCS#11: Cannot set protected authentication mode %ld-'%s'", rv, pkcs11h_getMessage(rv)); goto cleanup; } if ((rv = pkcs11h_setPINCachePeriod(nPINCachePeriod)) != CKR_OK) { msg(M_FATAL, "PKCS#11: Cannot set Pcache period %ld-'%s'", rv, pkcs11h_getMessage(rv)); goto cleanup; } rv = CKR_OK; cleanup: dmsg( D_PKCS11_DEBUG, "PKCS#11: pkcs11_initialize - return %ld-'%s'", rv, pkcs11h_getMessage(rv) ); return rv == CKR_OK; } void pkcs11_terminate(void) { dmsg( D_PKCS11_DEBUG, "PKCS#11: pkcs11_terminate - entered" ); pkcs11h_terminate(); dmsg( D_PKCS11_DEBUG, "PKCS#11: pkcs11_terminate - return" ); } bool pkcs11_addProvider( const char *const provider, const bool protected_auth, const unsigned private_mode, const bool cert_private ) { CK_RV rv = CKR_OK; ASSERT(provider!=NULL); dmsg( D_PKCS11_DEBUG, "PKCS#11: pkcs11_addProvider - entered - provider='%s', private_mode=%08x", provider, private_mode ); msg( M_INFO, "PKCS#11: Adding PKCS#11 provider '%s'", provider ); if ( (rv = pkcs11h_addProvider( provider, provider, protected_auth, private_mode, PKCS11H_SLOTEVENT_METHOD_AUTO, 0, cert_private )) != CKR_OK ) { msg(M_WARN, "PKCS#11: Cannot initialize provider '%s' %ld-'%s'", provider, rv, pkcs11h_getMessage(rv)); } dmsg( D_PKCS11_DEBUG, "PKCS#11: pkcs11_addProvider - return rv=%ld-'%s'", rv, pkcs11h_getMessage(rv) ); return rv == CKR_OK; } int pkcs11_logout(void) { return pkcs11h_logout() == CKR_OK; } int pkcs11_management_id_count(void) { pkcs11h_certificate_id_list_t id_list = NULL; pkcs11h_certificate_id_list_t t = NULL; CK_RV rv = CKR_OK; int count = 0; dmsg( D_PKCS11_DEBUG, "PKCS#11: pkcs11_management_id_count - entered" ); if ( (rv = pkcs11h_certificate_enumCertificateIds( PKCS11H_ENUM_METHOD_CACHE_EXIST, NULL, PKCS11H_PROMPT_MASK_ALLOW_ALL, NULL, &id_list )) != CKR_OK ) { msg(M_WARN, "PKCS#11: Cannot get certificate list %ld-'%s'", rv, pkcs11h_getMessage(rv)); goto cleanup; } for (count = 0, t = id_list; t != NULL; t = t->next) { count++; } cleanup: if (id_list != NULL) { pkcs11h_certificate_freeCertificateIdList(id_list); id_list = NULL; } dmsg( D_PKCS11_DEBUG, "PKCS#11: pkcs11_management_id_count - return count=%d", count ); return count; } bool pkcs11_management_id_get( const int index, char **id, char **base64 ) { pkcs11h_certificate_id_list_t id_list = NULL; pkcs11h_certificate_id_list_t entry = NULL; #if 0 /* certificate_id seems to be unused -- JY */ pkcs11h_certificate_id_t certificate_id = NULL; #endif pkcs11h_certificate_t certificate = NULL; CK_RV rv = CKR_OK; unsigned char *certificate_blob = NULL; size_t certificate_blob_size = 0; size_t max; char *internal_id = NULL; char *internal_base64 = NULL; int count = 0; bool success = false; ASSERT(id!=NULL); ASSERT(base64!=NULL); dmsg( D_PKCS11_DEBUG, "PKCS#11: pkcs11_management_id_get - entered index=%d", index ); *id = NULL; *base64 = NULL; if ( (rv = pkcs11h_certificate_enumCertificateIds( PKCS11H_ENUM_METHOD_CACHE_EXIST, NULL, PKCS11H_PROMPT_MASK_ALLOW_ALL, NULL, &id_list )) != CKR_OK ) { msg(M_WARN, "PKCS#11: Cannot get certificate list %ld-'%s'", rv, pkcs11h_getMessage(rv)); goto cleanup; } entry = id_list; count = 0; while (entry != NULL && count != index) { count++; entry = entry->next; } if (entry == NULL) { dmsg( D_PKCS11_DEBUG, "PKCS#11: pkcs11_management_id_get - no certificate at index=%d", index ); goto cleanup; } if ( (rv = pkcs11h_certificate_serializeCertificateId( NULL, &max, entry->certificate_id )) != CKR_OK ) { msg(M_WARN, "PKCS#11: Cannot serialize certificate id %ld-'%s'", rv, pkcs11h_getMessage(rv)); goto cleanup; } if ((internal_id = (char *)malloc(max)) == NULL) { msg(M_FATAL, "PKCS#11: Cannot allocate memory"); goto cleanup; } if ( (rv = pkcs11h_certificate_serializeCertificateId( internal_id, &max, entry->certificate_id )) != CKR_OK ) { msg(M_WARN, "PKCS#11: Cannot serialize certificate id %ld-'%s'", rv, pkcs11h_getMessage(rv)); goto cleanup; } if ( (rv = pkcs11h_certificate_create( entry->certificate_id, NULL, PKCS11H_PROMPT_MASK_ALLOW_ALL, PKCS11H_PIN_CACHE_INFINITE, &certificate )) != CKR_OK ) { msg(M_WARN, "PKCS#11: Cannot get certificate %ld-'%s'", rv, pkcs11h_getMessage(rv)); goto cleanup; } if ( (rv = pkcs11h_certificate_getCertificateBlob( certificate, NULL, &certificate_blob_size )) != CKR_OK ) { msg(M_WARN, "PKCS#11: Cannot get certificate blob %ld-'%s'", rv, pkcs11h_getMessage(rv)); goto cleanup; } if ((certificate_blob = (unsigned char *)malloc(certificate_blob_size)) == NULL) { msg(M_FATAL, "PKCS#11: Cannot allocate memory"); goto cleanup; } if ( (rv = pkcs11h_certificate_getCertificateBlob( certificate, certificate_blob, &certificate_blob_size )) != CKR_OK ) { msg(M_WARN, "PKCS#11: Cannot get certificate blob %ld-'%s'", rv, pkcs11h_getMessage(rv)); goto cleanup; } if (openvpn_base64_encode(certificate_blob, certificate_blob_size, &internal_base64) == -1) { msg(M_WARN, "PKCS#11: Cannot encode certificate"); goto cleanup; } *id = internal_id; internal_id = NULL; *base64 = internal_base64; internal_base64 = NULL; success = true; cleanup: if (id_list != NULL) { pkcs11h_certificate_freeCertificateIdList(id_list); id_list = NULL; } if (internal_id != NULL) { free(internal_id); internal_id = NULL; } if (internal_base64 != NULL) { free(internal_base64); internal_base64 = NULL; } if (certificate_blob != NULL) { free(certificate_blob); certificate_blob = NULL; } dmsg( D_PKCS11_DEBUG, "PKCS#11: pkcs11_management_id_get - return success=%d, id='%s'", success ? 1 : 0, *id ); return success; } int tls_ctx_use_pkcs11( struct tls_root_ctx *const ssl_ctx, bool pkcs11_id_management, const char *const pkcs11_id ) { pkcs11h_certificate_id_t certificate_id = NULL; pkcs11h_certificate_t certificate = NULL; CK_RV rv = CKR_OK; bool ok = false; ASSERT(ssl_ctx!=NULL); ASSERT(pkcs11_id_management || pkcs11_id!=NULL); dmsg( D_PKCS11_DEBUG, "PKCS#11: tls_ctx_use_pkcs11 - entered - ssl_ctx=%p, pkcs11_id_management=%d, pkcs11_id='%s'", (void *)ssl_ctx, pkcs11_id_management ? 1 : 0, pkcs11_id ); if (pkcs11_id_management) { struct user_pass id_resp; CLEAR(id_resp); id_resp.defined = false; id_resp.nocache = true; openvpn_snprintf( id_resp.username, sizeof(id_resp.username), "Please specify PKCS#11 id to use" ); if ( !get_user_pass( &id_resp, NULL, "pkcs11-id-request", GET_USER_PASS_MANAGEMENT|GET_USER_PASS_NEED_STR|GET_USER_PASS_NOFATAL ) ) { goto cleanup; } if ( (rv = pkcs11h_certificate_deserializeCertificateId( &certificate_id, id_resp.password )) != CKR_OK ) { msg(M_WARN, "PKCS#11: Cannot deserialize id %ld-'%s'", rv, pkcs11h_getMessage(rv)); goto cleanup; } } else { if ( (rv = pkcs11h_certificate_deserializeCertificateId( &certificate_id, pkcs11_id )) != CKR_OK ) { msg(M_WARN, "PKCS#11: Cannot deserialize id %ld-'%s'", rv, pkcs11h_getMessage(rv)); goto cleanup; } } if ( (rv = pkcs11h_certificate_create( certificate_id, NULL, PKCS11H_PROMPT_MASK_ALLOW_ALL, PKCS11H_PIN_CACHE_INFINITE, &certificate )) != CKR_OK ) { msg(M_WARN, "PKCS#11: Cannot get certificate %ld-'%s'", rv, pkcs11h_getMessage(rv)); goto cleanup; } if ( (pkcs11_init_tls_session( certificate, ssl_ctx )) ) { /* Handled by SSL context free */ certificate = NULL; goto cleanup; } /* Handled by SSL context free */ certificate = NULL; ok = true; cleanup: if (certificate != NULL) { pkcs11h_certificate_freeCertificate(certificate); certificate = NULL; } if (certificate_id != NULL) { pkcs11h_certificate_freeCertificateId(certificate_id); certificate_id = NULL; } dmsg( D_PKCS11_DEBUG, "PKCS#11: tls_ctx_use_pkcs11 - return ok=%d, rv=%ld", ok ? 1 : 0, rv ); return ok ? 1 : 0; } static PKCS11H_BOOL _pkcs11_openvpn_show_pkcs11_ids_pin_prompt( void *const global_data, void *const user_data, const pkcs11h_token_id_t token, const unsigned retry, char *const pin, const size_t pin_max ) { struct gc_arena gc = gc_new(); struct buffer pass_prompt = alloc_buf_gc(128, &gc); (void)global_data; (void)user_data; (void)retry; ASSERT(token!=NULL); buf_printf(&pass_prompt, "Please enter '%s' token PIN or 'cancel': ", token->display); if (!query_user_SINGLE(BSTR(&pass_prompt), BLEN(&pass_prompt), pin, pin_max, false)) { msg(M_FATAL, "Could not retrieve the PIN"); } gc_free(&gc); if (!strcmp(pin, "cancel")) { return FALSE; } else { return TRUE; } } void show_pkcs11_ids( const char *const provider, bool cert_private ) { struct gc_arena gc = gc_new(); pkcs11h_certificate_id_list_t user_certificates = NULL; pkcs11h_certificate_id_list_t current = NULL; CK_RV rv = CKR_FUNCTION_FAILED; if ((rv = pkcs11h_initialize()) != CKR_OK) { msg(M_FATAL, "PKCS#11: Cannot initialize %ld-'%s'", rv, pkcs11h_getMessage(rv)); goto cleanup; } if ((rv = pkcs11h_setLogHook(_pkcs11_openvpn_log, NULL)) != CKR_OK) { msg(M_FATAL, "PKCS#11: Cannot set hooks %ld-'%s'", rv, pkcs11h_getMessage(rv)); goto cleanup; } pkcs11h_setLogLevel(_pkcs11_msg_openvpn2pkcs11(get_debug_level())); if ((rv = pkcs11h_setProtectedAuthentication(TRUE)) != CKR_OK) { msg(M_FATAL, "PKCS#11: Cannot set protected authentication %ld-'%s'", rv, pkcs11h_getMessage(rv)); goto cleanup; } if ((rv = pkcs11h_setPINPromptHook(_pkcs11_openvpn_show_pkcs11_ids_pin_prompt, NULL)) != CKR_OK) { msg(M_FATAL, "PKCS#11: Cannot set PIN hook %ld-'%s'", rv, pkcs11h_getMessage(rv)); goto cleanup; } if ( (rv = pkcs11h_addProvider( provider, provider, TRUE, 0, FALSE, 0, cert_private ? TRUE : FALSE )) != CKR_OK ) { msg(M_FATAL, "PKCS#11: Cannot add provider '%s' %ld-'%s'", provider, rv, pkcs11h_getMessage(rv)); goto cleanup; } if ( (rv = pkcs11h_certificate_enumCertificateIds( PKCS11H_ENUM_METHOD_CACHE_EXIST, NULL, PKCS11H_PROMPT_MASK_ALLOW_ALL, NULL, &user_certificates )) != CKR_OK ) { msg(M_FATAL, "PKCS#11: Cannot enumerate certificates %ld-'%s'", rv, pkcs11h_getMessage(rv)); goto cleanup; } msg( M_INFO|M_NOPREFIX|M_NOLF, ( "\n" "The following objects are available for use.\n" "Each object shown below may be used as parameter to\n" "--pkcs11-id option please remember to use single quote mark.\n" ) ); for (current = user_certificates; current != NULL; current = current->next) { pkcs11h_certificate_t certificate = NULL; char *dn = NULL; char serial[1024] = {0}; char *ser = NULL; size_t ser_len = 0; if ( (rv = pkcs11h_certificate_serializeCertificateId( NULL, &ser_len, current->certificate_id )) != CKR_OK ) { msg(M_FATAL, "PKCS#11: Cannot serialize certificate %ld-'%s'", rv, pkcs11h_getMessage(rv)); goto cleanup1; } if ( rv == CKR_OK && (ser = (char *)malloc(ser_len)) == NULL ) { msg(M_FATAL, "PKCS#11: Cannot allocate memory"); goto cleanup1; } if ( (rv = pkcs11h_certificate_serializeCertificateId( ser, &ser_len, current->certificate_id )) != CKR_OK ) { msg(M_FATAL, "PKCS#11: Cannot serialize certificate %ld-'%s'", rv, pkcs11h_getMessage(rv)); goto cleanup1; } if ( (rv = pkcs11h_certificate_create( current->certificate_id, NULL, PKCS11H_PROMPT_MASK_ALLOW_ALL, PKCS11H_PIN_CACHE_INFINITE, &certificate )) ) { msg(M_FATAL, "PKCS#11: Cannot create certificate %ld-'%s'", rv, pkcs11h_getMessage(rv)); goto cleanup1; } if ( (dn = pkcs11_certificate_dn( certificate, &gc )) == NULL ) { goto cleanup1; } if ( (pkcs11_certificate_serial( certificate, serial, sizeof(serial) )) ) { goto cleanup1; } msg( M_INFO|M_NOPREFIX|M_NOLF, ( "\n" "Certificate\n" " DN: %s\n" " Serial: %s\n" " Serialized id: %s\n" ), dn, serial, ser ); cleanup1: if (certificate != NULL) { pkcs11h_certificate_freeCertificate(certificate); certificate = NULL; } if (ser != NULL) { free(ser); ser = NULL; } } cleanup: if (user_certificates != NULL) { pkcs11h_certificate_freeCertificateIdList(user_certificates); user_certificates = NULL; } pkcs11h_terminate(); gc_free(&gc); } #else /* if defined(ENABLE_PKCS11) */ #ifdef _MSC_VER /* Dummy function needed to avoid empty file compiler warning in Microsoft VC */ static void dummy(void) { } #endif #endif /* ENABLE_PKCS11 */ openvpn-2.4.4/src/openvpn/pkcs11.h000066400000000000000000000035561316434344000167500ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifndef OPENVPN_PKCS11_H #define OPENVPN_PKCS11_H #if defined(ENABLE_PKCS11) #include "ssl_common.h" bool pkcs11_initialize( const bool fProtectedAuthentication, const int nPINCachePeriod ); void pkcs11_terminate(); bool pkcs11_addProvider( const char *const provider, const bool fProtectedAuthentication, const unsigned private_mode, const bool fCertIsPrivate ); int pkcs11_logout(); int pkcs11_management_id_count(); bool pkcs11_management_id_get( const int index, char **id, char **base64 ); int tls_ctx_use_pkcs11( struct tls_root_ctx *const ssl_ctx, bool pkcs11_id_management, const char *const pkcs11_id ); void show_pkcs11_ids( const char *const provider, bool cert_private ); #endif /* ENABLE_PKCS11 */ #endif /* OPENVPN_PKCS11H_H */ openvpn-2.4.4/src/openvpn/pkcs11_backend.h000066400000000000000000000050431316434344000204100ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * Copyright (C) 2010-2017 Fox Crypto B.V. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ /** * @file PKCS #11 SSL library-specific backend */ #ifndef PKCS11_BACKEND_H_ #define PKCS11_BACKEND_H_ #include "syshead.h" #if defined(ENABLE_PKCS11) #include "ssl_common.h" #include /** * Retrieve PKCS #11 Certificate's DN in a printable format. * * @param certificate The PKCS #11 helper certificate object * @param gc Garbage collection pool to allocate memory in * * @return Certificate's DN on success, NULL on failure */ char *pkcs11_certificate_dn(pkcs11h_certificate_t certificate, struct gc_arena *gc); /** * Retrieve PKCS #11 Certificate's serial number in a printable format. * * @param certificate The PKCS #11 helper certificate object * @param serial Buffer that the certificate's serial will be placed in. * @param serial_len Size of said buffer. * * @return 1 on failure, 0 on success */ int pkcs11_certificate_serial(pkcs11h_certificate_t certificate, char *serial, size_t serial_len); /** * Load PKCS #11 Certificate's information into the given TLS context * * @param certificate The PKCS #11 helper certificate object * @param ssl_ctx TLS context to use. * * @return 1 on failure, 0 on success */ int pkcs11_init_tls_session(pkcs11h_certificate_t certificate, struct tls_root_ctx *const ssl_ctx); #endif /* defined(ENABLE_PKCS11) */ #endif /* PKCS11_BACKEND_H_ */ openvpn-2.4.4/src/openvpn/pkcs11_mbedtls.c000066400000000000000000000072241316434344000204510ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * Copyright (C) 2010-2017 Fox Crypto B.V. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ /** * @file PKCS #11 mbed TLS backend */ #ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) #include "config-msvc.h" #endif #include "syshead.h" #if defined(ENABLE_PKCS11) && defined(ENABLE_CRYPTO_MBEDTLS) #include "errlevel.h" #include "pkcs11_backend.h" #include "ssl_verify_backend.h" #include #include int pkcs11_init_tls_session(pkcs11h_certificate_t certificate, struct tls_root_ctx *const ssl_ctx) { int ret = 1; ASSERT(NULL != ssl_ctx); ALLOC_OBJ_CLEAR(ssl_ctx->crt_chain, mbedtls_x509_crt); if (mbedtls_pkcs11_x509_cert_bind(ssl_ctx->crt_chain, certificate)) { msg(M_FATAL, "PKCS#11: Cannot retrieve mbed TLS certificate object"); goto cleanup; } ALLOC_OBJ_CLEAR(ssl_ctx->priv_key_pkcs11, mbedtls_pkcs11_context); if (mbedtls_pkcs11_priv_key_bind(ssl_ctx->priv_key_pkcs11, certificate)) { msg(M_FATAL, "PKCS#11: Cannot initialize mbed TLS private key object"); goto cleanup; } ALLOC_OBJ_CLEAR(ssl_ctx->priv_key, mbedtls_pk_context); if (!mbed_ok(mbedtls_pk_setup_rsa_alt(ssl_ctx->priv_key, ssl_ctx->priv_key_pkcs11, mbedtls_ssl_pkcs11_decrypt, mbedtls_ssl_pkcs11_sign, mbedtls_ssl_pkcs11_key_len))) { goto cleanup; } ret = 0; cleanup: return ret; } char * pkcs11_certificate_dn(pkcs11h_certificate_t cert, struct gc_arena *gc) { char *ret = NULL; mbedtls_x509_crt mbed_crt = {0}; if (mbedtls_pkcs11_x509_cert_bind(&mbed_crt, cert)) { msg(M_FATAL, "PKCS#11: Cannot retrieve mbed TLS certificate object"); goto cleanup; } if (!(ret = x509_get_subject(&mbed_crt, gc))) { msg(M_FATAL, "PKCS#11: mbed TLS cannot parse subject"); goto cleanup; } cleanup: mbedtls_x509_crt_free(&mbed_crt); return ret; } int pkcs11_certificate_serial(pkcs11h_certificate_t cert, char *serial, size_t serial_len) { int ret = 1; mbedtls_x509_crt mbed_crt = {0}; if (mbedtls_pkcs11_x509_cert_bind(&mbed_crt, cert)) { msg(M_FATAL, "PKCS#11: Cannot retrieve mbed TLS certificate object"); goto cleanup; } if (-1 == mbedtls_x509_serial_gets(serial, serial_len, &mbed_crt.serial)) { msg(M_FATAL, "PKCS#11: mbed TLS cannot parse serial"); goto cleanup; } ret = 0; cleanup: mbedtls_x509_crt_free(&mbed_crt); return ret; } #endif /* defined(ENABLE_PKCS11) && defined(ENABLE_CRYPTO_MBEDTLS) */ openvpn-2.4.4/src/openvpn/pkcs11_openssl.c000066400000000000000000000110001316434344000204650ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * Copyright (C) 2010-2017 Fox Crypto B.V. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ /** * @file PKCS #11 OpenSSL backend */ #ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) #include "config-msvc.h" #endif #include "syshead.h" #if defined(ENABLE_PKCS11) && defined(ENABLE_CRYPTO_OPENSSL) #include "errlevel.h" #include "pkcs11_backend.h" #include "ssl_verify.h" #include int pkcs11_init_tls_session(pkcs11h_certificate_t certificate, struct tls_root_ctx *const ssl_ctx) { int ret = 1; X509 *x509 = NULL; EVP_PKEY *evp = NULL; pkcs11h_openssl_session_t openssl_session = NULL; if ((openssl_session = pkcs11h_openssl_createSession(certificate)) == NULL) { msg(M_WARN, "PKCS#11: Cannot initialize openssl session"); goto cleanup; } /* * Will be released by openssl_session */ certificate = NULL; if ((evp = pkcs11h_openssl_session_getEVP(openssl_session)) == NULL) { msg(M_WARN, "PKCS#11: Unable get evp object"); goto cleanup; } if ((x509 = pkcs11h_openssl_session_getX509(openssl_session)) == NULL) { msg(M_WARN, "PKCS#11: Unable get certificate object"); goto cleanup; } if (!SSL_CTX_use_PrivateKey(ssl_ctx->ctx, evp)) { msg(M_WARN, "PKCS#11: Cannot set private key for openssl"); goto cleanup; } if (!SSL_CTX_use_certificate(ssl_ctx->ctx, x509)) { msg(M_WARN, "PKCS#11: Cannot set certificate for openssl"); goto cleanup; } ret = 0; cleanup: /* * Certificate freeing is usually handled by openssl_session. * If something went wrong, creating the session we have to do it manually. */ if (certificate != NULL) { pkcs11h_certificate_freeCertificate(certificate); certificate = NULL; } /* * openssl objects have reference * count, so release them */ if (x509 != NULL) { X509_free(x509); x509 = NULL; } if (evp != NULL) { EVP_PKEY_free(evp); evp = NULL; } if (openssl_session != NULL) { pkcs11h_openssl_freeSession(openssl_session); openssl_session = NULL; } return ret; } char * pkcs11_certificate_dn(pkcs11h_certificate_t certificate, struct gc_arena *gc) { X509 *x509 = NULL; char *dn = NULL; if ((x509 = pkcs11h_openssl_getX509(certificate)) == NULL) { msg(M_FATAL, "PKCS#11: Cannot get X509"); goto cleanup; } dn = x509_get_subject(x509, gc); cleanup: if (x509 != NULL) { X509_free(x509); x509 = NULL; } return dn; } int pkcs11_certificate_serial(pkcs11h_certificate_t certificate, char *serial, size_t serial_len) { X509 *x509 = NULL; BIO *bio = NULL; int ret = 1; int n; if ((x509 = pkcs11h_openssl_getX509(certificate)) == NULL) { msg(M_FATAL, "PKCS#11: Cannot get X509"); goto cleanup; } if ((bio = BIO_new(BIO_s_mem())) == NULL) { msg(M_FATAL, "PKCS#11: Cannot create BIO"); goto cleanup; } i2a_ASN1_INTEGER(bio, X509_get_serialNumber(x509)); n = BIO_read(bio, serial, serial_len-1); if (n<0) { serial[0] = '\x0'; } else { serial[n] = 0; } ret = 0; cleanup: if (x509 != NULL) { X509_free(x509); x509 = NULL; } return ret; } #endif /* defined(ENABLE_PKCS11) && defined(ENABLE_OPENSSL) */ openvpn-2.4.4/src/openvpn/platform.c000066400000000000000000000167731316434344000174720ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) #include "config-msvc.h" #endif #include "syshead.h" #include "buffer.h" #include "error.h" #include "win32.h" #include "memdbg.h" #include "platform.h" /* Redefine the top level directory of the filesystem * to restrict access to files for security */ void platform_chroot(const char *path) { if (path) { #ifdef HAVE_CHROOT const char *top = "/"; if (chroot(path)) { msg(M_ERR, "chroot to '%s' failed", path); } if (platform_chdir(top)) { msg(M_ERR, "cd to '%s' failed", top); } msg(M_INFO, "chroot to '%s' and cd to '%s' succeeded", path, top); #else /* ifdef HAVE_CHROOT */ msg(M_FATAL, "Sorry but I can't chroot to '%s' because this operating system doesn't appear to support the chroot() system call", path); #endif } } /* Get/Set UID of process */ bool platform_user_get(const char *username, struct platform_state_user *state) { bool ret = false; CLEAR(*state); if (username) { #if defined(HAVE_GETPWNAM) && defined(HAVE_SETUID) state->pw = getpwnam(username); if (!state->pw) { msg(M_ERR, "failed to find UID for user %s", username); } state->username = username; ret = true; #else /* if defined(HAVE_GETPWNAM) && defined(HAVE_SETUID) */ msg(M_FATAL, "cannot get UID for user %s -- platform lacks getpwname() or setuid() system calls", username); #endif } return ret; } void platform_user_set(const struct platform_state_user *state) { #if defined(HAVE_GETPWNAM) && defined(HAVE_SETUID) if (state->username && state->pw) { if (setuid(state->pw->pw_uid)) { msg(M_ERR, "setuid('%s') failed", state->username); } msg(M_INFO, "UID set to %s", state->username); } #endif } /* Get/Set GID of process */ bool platform_group_get(const char *groupname, struct platform_state_group *state) { bool ret = false; CLEAR(*state); if (groupname) { #if defined(HAVE_GETGRNAM) && defined(HAVE_SETGID) state->gr = getgrnam(groupname); if (!state->gr) { msg(M_ERR, "failed to find GID for group %s", groupname); } state->groupname = groupname; ret = true; #else /* if defined(HAVE_GETGRNAM) && defined(HAVE_SETGID) */ msg(M_FATAL, "cannot get GID for group %s -- platform lacks getgrnam() or setgid() system calls", groupname); #endif } return ret; } void platform_group_set(const struct platform_state_group *state) { #if defined(HAVE_GETGRNAM) && defined(HAVE_SETGID) if (state->groupname && state->gr) { if (setgid(state->gr->gr_gid)) { msg(M_ERR, "setgid('%s') failed", state->groupname); } msg(M_INFO, "GID set to %s", state->groupname); #ifdef HAVE_SETGROUPS { gid_t gr_list[1]; gr_list[0] = state->gr->gr_gid; if (setgroups(1, gr_list)) { msg(M_ERR, "setgroups('%s') failed", state->groupname); } } #endif } #endif } /* Change process priority */ void platform_nice(int niceval) { if (niceval) { #ifdef HAVE_NICE errno = 0; if (nice(niceval) < 0 && errno != 0) { msg(M_WARN | M_ERRNO, "WARNING: nice %d failed", niceval); } else { msg(M_INFO, "nice %d succeeded", niceval); } #else /* ifdef HAVE_NICE */ msg(M_WARN, "WARNING: nice %d failed (function not implemented)", niceval); #endif } } /* Get current PID */ unsigned int platform_getpid(void) { #ifdef _WIN32 return (unsigned int) GetCurrentProcessId(); #else #ifdef HAVE_GETPID return (unsigned int) getpid(); #else return 0; #endif #endif } /* Disable paging */ void platform_mlockall(bool print_msg) { #ifdef HAVE_MLOCKALL if (mlockall(MCL_CURRENT | MCL_FUTURE)) { msg(M_WARN | M_ERRNO, "WARNING: mlockall call failed"); } else if (print_msg) { msg(M_INFO, "mlockall call succeeded"); } #else /* ifdef HAVE_MLOCKALL */ msg(M_WARN, "WARNING: mlockall call failed (function not implemented)"); #endif } /* * Wrapper for chdir library function */ int platform_chdir(const char *dir) { #ifdef HAVE_CHDIR #ifdef _WIN32 int res; struct gc_arena gc = gc_new(); res = _wchdir(wide_string(dir, &gc)); gc_free(&gc); return res; #else /* ifdef _WIN32 */ return chdir(dir); #endif #else /* ifdef HAVE_CHDIR */ return -1; #endif } /* * convert execve() return into a success/failure value */ bool platform_system_ok(int stat) { #ifdef _WIN32 return stat == 0; #else return stat != -1 && WIFEXITED(stat) && WEXITSTATUS(stat) == 0; #endif } int platform_access(const char *path, int mode) { #ifdef _WIN32 struct gc_arena gc = gc_new(); int ret = _waccess(wide_string(path, &gc), mode & ~X_OK); gc_free(&gc); return ret; #else return access(path, mode); #endif } /* * Go to sleep for n milliseconds. */ void platform_sleep_milliseconds(unsigned int n) { #ifdef _WIN32 Sleep(n); #else struct timeval tv; tv.tv_sec = n / 1000; tv.tv_usec = (n % 1000) * 1000; select(0, NULL, NULL, NULL, &tv); #endif } /* * Go to sleep indefinitely. */ void platform_sleep_until_signal(void) { #ifdef _WIN32 ASSERT(0); #else select(0, NULL, NULL, NULL, NULL); #endif } /* delete a file, return true if succeeded */ bool platform_unlink(const char *filename) { #if defined(_WIN32) struct gc_arena gc = gc_new(); BOOL ret = DeleteFileW(wide_string(filename, &gc)); gc_free(&gc); return (ret != 0); #elif defined(HAVE_UNLINK) return (unlink(filename) == 0); #else /* if defined(_WIN32) */ return false; #endif } FILE * platform_fopen(const char *path, const char *mode) { #ifdef _WIN32 struct gc_arena gc = gc_new(); FILE *f = _wfopen(wide_string(path, &gc), wide_string(mode, &gc)); gc_free(&gc); return f; #else return fopen(path, mode); #endif } int platform_open(const char *path, int flags, int mode) { #ifdef _WIN32 struct gc_arena gc = gc_new(); int fd = _wopen(wide_string(path, &gc), flags, mode); gc_free(&gc); return fd; #else return open(path, flags, mode); #endif } int platform_stat(const char *path, platform_stat_t *buf) { #ifdef _WIN32 struct gc_arena gc = gc_new(); int res = _wstat(wide_string(path, &gc), buf); gc_free(&gc); return res; #else return stat(path, buf); #endif } openvpn-2.4.4/src/openvpn/platform.h000066400000000000000000000065251316434344000174710ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifndef PLATFORM_H #define PLATFORM_H #ifdef HAVE_SYS_TYPES_H #include #endif #ifdef HAVE_SYS_STAT_H #include #endif #ifdef HAVE_UNISTD_H #include #endif #ifdef HAVE_PWD_H #include #endif #ifdef HAVE_GRP_H #include #endif #ifdef HAVE_STDIO_H #include #endif #include "basic.h" /* Get/Set UID of process */ struct platform_state_user { #if defined(HAVE_GETPWNAM) && defined(HAVE_SETUID) const char *username; struct passwd *pw; #else int dummy; #endif }; /* Get/Set GID of process */ struct platform_state_group { #if defined(HAVE_GETGRNAM) && defined(HAVE_SETGID) const char *groupname; struct group *gr; #else int dummy; #endif }; bool platform_user_get(const char *username, struct platform_state_user *state); void platform_user_set(const struct platform_state_user *state); bool platform_group_get(const char *groupname, struct platform_state_group *state); void platform_group_set(const struct platform_state_group *state); /* * Extract UID or GID */ static inline int platform_state_user_uid(const struct platform_state_user *s) { #if defined(HAVE_GETPWNAM) && defined(HAVE_SETUID) if (s->pw) { return s->pw->pw_uid; } #endif return -1; } static inline int platform_state_group_gid(const struct platform_state_group *s) { #if defined(HAVE_GETGRNAM) && defined(HAVE_SETGID) if (s->gr) { return s->gr->gr_gid; } #endif return -1; } void platform_chroot(const char *path); void platform_nice(int niceval); unsigned int platform_getpid(void); void platform_mlockall(bool print_msg); /* Disable paging */ int platform_chdir(const char *dir); /* interpret the status code returned by execve() */ bool platform_system_ok(int stat); int platform_access(const char *path, int mode); void platform_sleep_milliseconds(unsigned int n); void platform_sleep_until_signal(void); /* delete a file, return true if succeeded */ bool platform_unlink(const char *filename); int platform_putenv(char *string); FILE *platform_fopen(const char *path, const char *mode); int platform_open(const char *path, int flags, int mode); #ifdef _WIN32 typedef struct _stat platform_stat_t; #else typedef struct stat platform_stat_t; #endif int platform_stat(const char *path, platform_stat_t *buf); #endif /* ifndef PLATFORM_H */ openvpn-2.4.4/src/openvpn/plugin.c000066400000000000000000000642361316434344000171410ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) #include "config-msvc.h" #endif #ifdef HAVE_CONFIG_VERSION_H #include "config-version.h" #endif #include "syshead.h" #ifdef ENABLE_PLUGIN #ifdef HAVE_DLFCN_H #include #endif #include "buffer.h" #include "error.h" #include "misc.h" #include "plugin.h" #include "ssl_backend.h" #include "win32.h" #include "memdbg.h" #define PLUGIN_SYMBOL_REQUIRED (1<<0) /* used only for program aborts */ static struct plugin_common *static_plugin_common = NULL; /* GLOBAL */ static void plugin_show_string_array(int msglevel, const char *name, const char *array[]) { int i; for (i = 0; array[i]; ++i) { if (env_safe_to_print(array[i])) { msg(msglevel, "%s[%d] = '%s'", name, i, array[i]); } } } static void plugin_show_args_env(int msglevel, const char *argv[], const char *envp[]) { if (check_debug_level(msglevel)) { plugin_show_string_array(msglevel, "ARGV", argv); plugin_show_string_array(msglevel, "ENVP", envp); } } static const char * plugin_type_name(const int type) { switch (type) { case OPENVPN_PLUGIN_UP: return "PLUGIN_UP"; case OPENVPN_PLUGIN_DOWN: return "PLUGIN_DOWN"; case OPENVPN_PLUGIN_ROUTE_UP: return "PLUGIN_ROUTE_UP"; case OPENVPN_PLUGIN_IPCHANGE: return "PLUGIN_IPCHANGE"; case OPENVPN_PLUGIN_TLS_VERIFY: return "PLUGIN_TLS_VERIFY"; case OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY: return "PLUGIN_AUTH_USER_PASS_VERIFY"; case OPENVPN_PLUGIN_CLIENT_CONNECT: return "PLUGIN_CLIENT_CONNECT"; case OPENVPN_PLUGIN_CLIENT_CONNECT_V2: return "PLUGIN_CLIENT_CONNECT"; case OPENVPN_PLUGIN_CLIENT_DISCONNECT: return "PLUGIN_CLIENT_DISCONNECT"; case OPENVPN_PLUGIN_LEARN_ADDRESS: return "PLUGIN_LEARN_ADDRESS"; case OPENVPN_PLUGIN_TLS_FINAL: return "PLUGIN_TLS_FINAL"; case OPENVPN_PLUGIN_ENABLE_PF: return "PLUGIN_ENABLE_PF"; case OPENVPN_PLUGIN_ROUTE_PREDOWN: return "PLUGIN_ROUTE_PREDOWN"; default: return "PLUGIN_???"; } } static const char * plugin_mask_string(const unsigned int type_mask, struct gc_arena *gc) { struct buffer out = alloc_buf_gc(256, gc); bool first = true; int i; for (i = 0; i < OPENVPN_PLUGIN_N; ++i) { if (OPENVPN_PLUGIN_MASK(i) & type_mask) { if (!first) { buf_printf(&out, "|"); } buf_printf(&out, "%s", plugin_type_name(i)); first = false; } } return BSTR(&out); } static inline unsigned int plugin_supported_types(void) { return ((1<n < MAX_PLUGINS) { struct plugin_option *o = &list->plugins[list->n++]; o->argv = make_extended_arg_array(p, gc); if (o->argv[0]) { o->so_pathname = o->argv[0]; } return true; } else { return false; } } #ifndef ENABLE_SMALL void plugin_option_list_print(const struct plugin_option_list *list, int msglevel) { int i; struct gc_arena gc = gc_new(); for (i = 0; i < list->n; ++i) { const struct plugin_option *o = &list->plugins[i]; msg(msglevel, " plugin[%d] %s '%s'", i, o->so_pathname, print_argv(o->argv, &gc, PA_BRACKET)); } gc_free(&gc); } #endif #ifndef _WIN32 static void libdl_resolve_symbol(void *handle, void **dest, const char *symbol, const char *plugin_name, const unsigned int flags) { *dest = dlsym(handle, symbol); if ((flags & PLUGIN_SYMBOL_REQUIRED) && !*dest) { msg(M_FATAL, "PLUGIN: could not find required symbol '%s' in plugin shared object %s: %s", symbol, plugin_name, dlerror()); } } #else /* ifndef _WIN32 */ static void dll_resolve_symbol(HMODULE module, void **dest, const char *symbol, const char *plugin_name, const unsigned int flags) { *dest = GetProcAddress(module, symbol); if ((flags & PLUGIN_SYMBOL_REQUIRED) && !*dest) { msg(M_FATAL, "PLUGIN: could not find required symbol '%s' in plugin DLL %s", symbol, plugin_name); } } #endif /* ifndef _WIN32 */ static void plugin_init_item(struct plugin *p, const struct plugin_option *o) { struct gc_arena gc = gc_new(); bool rel = false; p->so_pathname = o->so_pathname; p->plugin_type_mask = plugin_supported_types(); #ifndef _WIN32 p->handle = NULL; /* If the plug-in filename is not an absolute path, * or beginning with '.', it should use the PLUGIN_LIBDIR * as the base directory for loading the plug-in. * * This means the following scenarios are loaded from these places: * --plugin fancyplug.so -> $PLUGIN_LIBDIR/fancyplug.so * --plugin my/fancyplug.so -> $PLUGIN_LIBDIR/my/fancyplug.so * --plugin ./fancyplug.so -> $CWD/fancyplug.so * --plugin /usr/lib/my/fancyplug.so -> /usr/lib/my/fancyplug.so * * Please note that $CWD means the directory OpenVPN is either started from * or the directory OpenVPN have changed into using --cd before --plugin * was parsed. * */ if (!absolute_pathname(p->so_pathname) && p->so_pathname[0] != '.') { char full[PATH_MAX]; openvpn_snprintf(full, sizeof(full), "%s/%s", PLUGIN_LIBDIR, p->so_pathname); p->handle = dlopen(full, RTLD_NOW); } else { rel = !absolute_pathname(p->so_pathname); p->handle = dlopen(p->so_pathname, RTLD_NOW); } if (!p->handle) { msg(M_ERR, "PLUGIN_INIT: could not load plugin shared object %s: %s", p->so_pathname, dlerror()); } #define PLUGIN_SYM(var, name, flags) libdl_resolve_symbol(p->handle, (void *)&p->var, name, p->so_pathname, flags) #else /* ifndef _WIN32 */ rel = !absolute_pathname(p->so_pathname); p->module = LoadLibraryW(wide_string(p->so_pathname, &gc)); if (!p->module) { msg(M_ERR, "PLUGIN_INIT: could not load plugin DLL: %s", p->so_pathname); } #define PLUGIN_SYM(var, name, flags) dll_resolve_symbol(p->module, (void *)&p->var, name, p->so_pathname, flags) #endif /* ifndef _WIN32 */ PLUGIN_SYM(open1, "openvpn_plugin_open_v1", 0); PLUGIN_SYM(open2, "openvpn_plugin_open_v2", 0); PLUGIN_SYM(open3, "openvpn_plugin_open_v3", 0); PLUGIN_SYM(func1, "openvpn_plugin_func_v1", 0); PLUGIN_SYM(func2, "openvpn_plugin_func_v2", 0); PLUGIN_SYM(func3, "openvpn_plugin_func_v3", 0); PLUGIN_SYM(close, "openvpn_plugin_close_v1", PLUGIN_SYMBOL_REQUIRED); PLUGIN_SYM(abort, "openvpn_plugin_abort_v1", 0); PLUGIN_SYM(client_constructor, "openvpn_plugin_client_constructor_v1", 0); PLUGIN_SYM(client_destructor, "openvpn_plugin_client_destructor_v1", 0); PLUGIN_SYM(min_version_required, "openvpn_plugin_min_version_required_v1", 0); PLUGIN_SYM(initialization_point, "openvpn_plugin_select_initialization_point_v1", 0); if (!p->open1 && !p->open2 && !p->open3) { msg(M_FATAL, "PLUGIN: symbol openvpn_plugin_open_vX is undefined in plugin: %s", p->so_pathname); } if (!p->func1 && !p->func2 && !p->func3) { msg(M_FATAL, "PLUGIN: symbol openvpn_plugin_func_vX is undefined in plugin: %s", p->so_pathname); } /* * Verify that we are sufficiently up-to-date to handle the plugin */ if (p->min_version_required) { const int plugin_needs_version = (*p->min_version_required)(); if (plugin_needs_version > OPENVPN_PLUGIN_VERSION) { msg(M_FATAL, "PLUGIN_INIT: plugin needs interface version %d, but this version of OpenVPN only supports version %d: %s", plugin_needs_version, OPENVPN_PLUGIN_VERSION, p->so_pathname); } } if (p->initialization_point) { p->requested_initialization_point = (*p->initialization_point)(); } else { p->requested_initialization_point = OPENVPN_PLUGIN_INIT_PRE_DAEMON; } if (rel) { msg(M_WARN, "WARNING: plugin '%s' specified by a relative pathname -- using an absolute pathname would be more secure", p->so_pathname); } p->initialized = true; gc_free(&gc); } static void plugin_vlog(openvpn_plugin_log_flags_t flags, const char *name, const char *format, va_list arglist) { unsigned int msg_flags = 0; if (!format) { return; } if (!name || name[0] == '\0') { msg(D_PLUGIN_DEBUG, "PLUGIN: suppressed log message from plugin with unknown name"); return; } if (flags & PLOG_ERR) { msg_flags = M_INFO | M_NONFATAL; } else if (flags & PLOG_WARN) { msg_flags = M_INFO | M_WARN; } else if (flags & PLOG_NOTE) { msg_flags = M_INFO; } else if (flags & PLOG_DEBUG) { msg_flags = D_PLUGIN_DEBUG; } if (flags & PLOG_ERRNO) { msg_flags |= M_ERRNO; } if (flags & PLOG_NOMUTE) { msg_flags |= M_NOMUTE; } if (msg_test(msg_flags)) { struct gc_arena gc; char *msg_fmt; /* Never add instance prefix; not thread safe */ msg_flags |= M_NOIPREFIX; gc_init(&gc); msg_fmt = gc_malloc(ERR_BUF_SIZE, false, &gc); openvpn_snprintf(msg_fmt, ERR_BUF_SIZE, "PLUGIN %s: %s", name, format); x_msg_va(msg_flags, msg_fmt, arglist); gc_free(&gc); } } static void plugin_log(openvpn_plugin_log_flags_t flags, const char *name, const char *format, ...) { va_list arglist; va_start(arglist, format); plugin_vlog(flags, name, format, arglist); va_end(arglist); } static struct openvpn_plugin_callbacks callbacks = { plugin_log, plugin_vlog, secure_memzero /* plugin_secure_memzero */ }; /* Provide a wrapper macro for a version patch level string to plug-ins. * This is located here purely to not make the code too messy with #ifndef * inside a struct declaration */ #ifndef CONFIGURE_GIT_REVISION #define _OPENVPN_PATCH_LEVEL OPENVPN_VERSION_PATCH #else #define _OPENVPN_PATCH_LEVEL "git:" CONFIGURE_GIT_REVISION CONFIGURE_GIT_FLAGS #endif static void plugin_open_item(struct plugin *p, const struct plugin_option *o, struct openvpn_plugin_string_list **retlist, const char **envp, const int init_point) { ASSERT(p->initialized); /* clear return list */ if (retlist) { *retlist = NULL; } if (!p->plugin_handle && init_point == p->requested_initialization_point) { struct gc_arena gc = gc_new(); dmsg(D_PLUGIN_DEBUG, "PLUGIN_INIT: PRE"); plugin_show_args_env(D_PLUGIN_DEBUG, o->argv, envp); /* * Call the plugin initialization */ if (p->open3) { struct openvpn_plugin_args_open_in args = { p->plugin_type_mask, (const char **const) o->argv, (const char **const) envp, &callbacks, SSLAPI, PACKAGE_VERSION, OPENVPN_VERSION_MAJOR, OPENVPN_VERSION_MINOR, _OPENVPN_PATCH_LEVEL}; struct openvpn_plugin_args_open_return retargs; CLEAR(retargs); retargs.return_list = retlist; if ((*p->open3)(OPENVPN_PLUGINv3_STRUCTVER, &args, &retargs) == OPENVPN_PLUGIN_FUNC_SUCCESS) { p->plugin_type_mask = retargs.type_mask; p->plugin_handle = retargs.handle; } else { p->plugin_handle = NULL; } } else if (p->open2) { p->plugin_handle = (*p->open2)(&p->plugin_type_mask, o->argv, envp, retlist); } else if (p->open1) { p->plugin_handle = (*p->open1)(&p->plugin_type_mask, o->argv, envp); } else { ASSERT(0); } msg(D_PLUGIN, "PLUGIN_INIT: POST %s '%s' intercepted=%s %s", p->so_pathname, print_argv(o->argv, &gc, PA_BRACKET), plugin_mask_string(p->plugin_type_mask, &gc), (retlist && *retlist) ? "[RETLIST]" : ""); if ((p->plugin_type_mask | plugin_supported_types()) != plugin_supported_types()) { msg(M_FATAL, "PLUGIN_INIT: plugin %s expressed interest in unsupported plugin types: [want=0x%08x, have=0x%08x]", p->so_pathname, p->plugin_type_mask, plugin_supported_types()); } if (p->plugin_handle == NULL) { msg(M_FATAL, "PLUGIN_INIT: plugin initialization function failed: %s", p->so_pathname); } gc_free(&gc); } } static int plugin_call_item(const struct plugin *p, void *per_client_context, const int type, const struct argv *av, struct openvpn_plugin_string_list **retlist, const char **envp #ifdef ENABLE_CRYPTO , int certdepth, openvpn_x509_cert_t *current_cert #endif ) { int status = OPENVPN_PLUGIN_FUNC_SUCCESS; /* clear return list */ if (retlist) { *retlist = NULL; } if (p->plugin_handle && (p->plugin_type_mask & OPENVPN_PLUGIN_MASK(type))) { struct gc_arena gc = gc_new(); struct argv a = argv_insert_head(av, p->so_pathname); dmsg(D_PLUGIN_DEBUG, "PLUGIN_CALL: PRE type=%s", plugin_type_name(type)); plugin_show_args_env(D_PLUGIN_DEBUG, (const char **)a.argv, envp); /* * Call the plugin work function */ if (p->func3) { struct openvpn_plugin_args_func_in args = { type, (const char **const) a.argv, (const char **const) envp, p->plugin_handle, per_client_context, #ifdef ENABLE_CRYPTO (current_cert ? certdepth : -1), current_cert #else -1, NULL #endif }; struct openvpn_plugin_args_func_return retargs; CLEAR(retargs); retargs.return_list = retlist; status = (*p->func3)(OPENVPN_PLUGINv3_STRUCTVER, &args, &retargs); } else if (p->func2) { status = (*p->func2)(p->plugin_handle, type, (const char **)a.argv, envp, per_client_context, retlist); } else if (p->func1) { status = (*p->func1)(p->plugin_handle, type, (const char **)a.argv, envp); } else { ASSERT(0); } msg(D_PLUGIN, "PLUGIN_CALL: POST %s/%s status=%d", p->so_pathname, plugin_type_name(type), status); if (status == OPENVPN_PLUGIN_FUNC_ERROR) { msg(M_WARN, "PLUGIN_CALL: plugin function %s failed with status %d: %s", plugin_type_name(type), status, p->so_pathname); } argv_reset(&a); gc_free(&gc); } return status; } static void plugin_close_item(struct plugin *p) { if (p->initialized) { msg(D_PLUGIN, "PLUGIN_CLOSE: %s", p->so_pathname); /* * Call the plugin close function */ if (p->plugin_handle) { (*p->close)(p->plugin_handle); } #ifndef _WIN32 if (dlclose(p->handle)) { msg(M_WARN, "PLUGIN_CLOSE: dlclose() failed on plugin: %s", p->so_pathname); } #elif defined(_WIN32) if (!FreeLibrary(p->module)) { msg(M_WARN, "PLUGIN_CLOSE: FreeLibrary() failed on plugin: %s", p->so_pathname); } #endif p->initialized = false; } } static void plugin_abort_item(const struct plugin *p) { /* * Call the plugin abort function */ if (p->abort) { (*p->abort)(p->plugin_handle); } } static void plugin_per_client_init(const struct plugin_common *pc, struct plugin_per_client *cli, const int init_point) { const int n = pc->n; int i; for (i = 0; i < n; ++i) { const struct plugin *p = &pc->plugins[i]; if (p->plugin_handle && (init_point < 0 || init_point == p->requested_initialization_point) && p->client_constructor) { cli->per_client_context[i] = (*p->client_constructor)(p->plugin_handle); } } } static void plugin_per_client_destroy(const struct plugin_common *pc, struct plugin_per_client *cli) { const int n = pc->n; int i; for (i = 0; i < n; ++i) { const struct plugin *p = &pc->plugins[i]; void *cc = cli->per_client_context[i]; if (p->client_destructor && cc) { (*p->client_destructor)(p->plugin_handle, cc); } } CLEAR(*cli); } struct plugin_list * plugin_list_inherit(const struct plugin_list *src) { struct plugin_list *pl; ALLOC_OBJ_CLEAR(pl, struct plugin_list); pl->common = src->common; ASSERT(pl->common); plugin_per_client_init(pl->common, &pl->per_client, -1); return pl; } static struct plugin_common * plugin_common_init(const struct plugin_option_list *list) { int i; struct plugin_common *pc; ALLOC_OBJ_CLEAR(pc, struct plugin_common); for (i = 0; i < list->n; ++i) { plugin_init_item(&pc->plugins[i], &list->plugins[i]); pc->n = i + 1; } static_plugin_common = pc; return pc; } static void plugin_common_open(struct plugin_common *pc, const struct plugin_option_list *list, struct plugin_return *pr, const struct env_set *es, const int init_point) { struct gc_arena gc = gc_new(); int i; const char **envp; envp = make_env_array(es, false, &gc); if (pr) { plugin_return_init(pr); } for (i = 0; i < pc->n; ++i) { plugin_open_item(&pc->plugins[i], &list->plugins[i], pr ? &pr->list[i] : NULL, envp, init_point); } if (pr) { pr->n = i; } gc_free(&gc); } static void plugin_common_close(struct plugin_common *pc) { static_plugin_common = NULL; if (pc) { int i; for (i = 0; i < pc->n; ++i) { plugin_close_item(&pc->plugins[i]); } free(pc); } } struct plugin_list * plugin_list_init(const struct plugin_option_list *list) { struct plugin_list *pl; ALLOC_OBJ_CLEAR(pl, struct plugin_list); pl->common = plugin_common_init(list); pl->common_owned = true; return pl; } void plugin_list_open(struct plugin_list *pl, const struct plugin_option_list *list, struct plugin_return *pr, const struct env_set *es, const int init_point) { plugin_common_open(pl->common, list, pr, es, init_point); plugin_per_client_init(pl->common, &pl->per_client, init_point); } int plugin_call_ssl(const struct plugin_list *pl, const int type, const struct argv *av, struct plugin_return *pr, struct env_set *es #ifdef ENABLE_CRYPTO , int certdepth, openvpn_x509_cert_t *current_cert #endif ) { if (pr) { plugin_return_init(pr); } if (plugin_defined(pl, type)) { struct gc_arena gc = gc_new(); int i; const char **envp; const int n = plugin_n(pl); bool success = false; bool error = false; bool deferred = false; setenv_del(es, "script_type"); envp = make_env_array(es, false, &gc); for (i = 0; i < n; ++i) { const int status = plugin_call_item(&pl->common->plugins[i], pl->per_client.per_client_context[i], type, av, pr ? &pr->list[i] : NULL, envp #ifdef ENABLE_CRYPTO ,certdepth, current_cert #endif ); switch (status) { case OPENVPN_PLUGIN_FUNC_SUCCESS: success = true; break; case OPENVPN_PLUGIN_FUNC_DEFERRED: deferred = true; break; default: error = true; break; } } if (pr) { pr->n = i; } gc_free(&gc); if (type == OPENVPN_PLUGIN_ENABLE_PF && success) { return OPENVPN_PLUGIN_FUNC_SUCCESS; } else if (error) { return OPENVPN_PLUGIN_FUNC_ERROR; } else if (deferred) { return OPENVPN_PLUGIN_FUNC_DEFERRED; } } return OPENVPN_PLUGIN_FUNC_SUCCESS; } void plugin_list_close(struct plugin_list *pl) { if (pl) { if (pl->common) { plugin_per_client_destroy(pl->common, &pl->per_client); if (pl->common_owned) { plugin_common_close(pl->common); } } free(pl); } } void plugin_abort(void) { struct plugin_common *pc = static_plugin_common; static_plugin_common = NULL; if (pc) { int i; for (i = 0; i < pc->n; ++i) { plugin_abort_item(&pc->plugins[i]); } } } bool plugin_defined(const struct plugin_list *pl, const int type) { bool ret = false; if (pl) { const struct plugin_common *pc = pl->common; if (pc) { int i; const unsigned int mask = OPENVPN_PLUGIN_MASK(type); for (i = 0; i < pc->n; ++i) { if (pc->plugins[i].plugin_type_mask & mask) { ret = true; break; } } } } return ret; } /* * Plugin return functions */ static void openvpn_plugin_string_list_item_free(struct openvpn_plugin_string_list *l) { if (l) { free(l->name); string_clear(l->value); free(l->value); free(l); } } static void openvpn_plugin_string_list_free(struct openvpn_plugin_string_list *l) { struct openvpn_plugin_string_list *next; while (l) { next = l->next; openvpn_plugin_string_list_item_free(l); l = next; } } static struct openvpn_plugin_string_list * openvpn_plugin_string_list_find(struct openvpn_plugin_string_list *l, const char *name) { while (l) { if (!strcmp(l->name, name)) { return l; } l = l->next; } return NULL; } void plugin_return_get_column(const struct plugin_return *src, struct plugin_return *dest, const char *colname) { int i; dest->n = 0; for (i = 0; i < src->n; ++i) { dest->list[i] = openvpn_plugin_string_list_find(src->list[i], colname); } dest->n = i; } void plugin_return_free(struct plugin_return *pr) { int i; for (i = 0; i < pr->n; ++i) { openvpn_plugin_string_list_free(pr->list[i]); } pr->n = 0; } #ifdef ENABLE_DEBUG void plugin_return_print(const int msglevel, const char *prefix, const struct plugin_return *pr) { int i; msg(msglevel, "PLUGIN_RETURN_PRINT %s", prefix); for (i = 0; i < pr->n; ++i) { struct openvpn_plugin_string_list *l = pr->list[i]; int count = 0; msg(msglevel, "PLUGIN #%d (%s)", i, prefix); while (l) { msg(msglevel, "[%d] '%s' -> '%s'\n", ++count, l->name, l->value); l = l->next; } } } #endif /* ifdef ENABLE_DEBUG */ #else /* ifdef ENABLE_PLUGIN */ static void dummy(void) { } #endif /* ENABLE_PLUGIN */ openvpn-2.4.4/src/openvpn/plugin.h000066400000000000000000000126701316434344000171410ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ /* * plug-in support, using dynamically loaded libraries */ #ifndef OPENVPN_PLUGIN_H #define OPENVPN_PLUGIN_H #ifdef ENABLE_CRYPTO_OPENSSL #include "ssl_verify_openssl.h" #endif #ifdef ENABLE_CRYPTO_MBEDTLS #include "ssl_verify_mbedtls.h" #endif #include "openvpn-plugin.h" #ifdef ENABLE_PLUGIN #include "misc.h" #define MAX_PLUGINS 16 struct plugin_option { const char *so_pathname; const char **argv; }; struct plugin_option_list { int n; struct plugin_option plugins[MAX_PLUGINS]; }; struct plugin { bool initialized; const char *so_pathname; unsigned int plugin_type_mask; int requested_initialization_point; #ifndef _WIN32 void *handle; #else HMODULE module; #endif openvpn_plugin_open_v1 open1; openvpn_plugin_open_v2 open2; openvpn_plugin_open_v3 open3; openvpn_plugin_func_v1 func1; openvpn_plugin_func_v2 func2; openvpn_plugin_func_v3 func3; openvpn_plugin_close_v1 close; openvpn_plugin_abort_v1 abort; openvpn_plugin_client_constructor_v1 client_constructor; openvpn_plugin_client_destructor_v1 client_destructor; openvpn_plugin_min_version_required_v1 min_version_required; openvpn_plugin_select_initialization_point_v1 initialization_point; openvpn_plugin_handle_t plugin_handle; }; struct plugin_per_client { void *per_client_context[MAX_PLUGINS]; }; struct plugin_common { int n; struct plugin plugins[MAX_PLUGINS]; }; struct plugin_list { struct plugin_per_client per_client; struct plugin_common *common; bool common_owned; }; struct plugin_return { int n; struct openvpn_plugin_string_list *list[MAX_PLUGINS]; }; struct plugin_option_list *plugin_option_list_new(struct gc_arena *gc); bool plugin_option_list_add(struct plugin_option_list *list, char **p, struct gc_arena *gc); #ifndef ENABLE_SMALL void plugin_option_list_print(const struct plugin_option_list *list, int msglevel); #endif struct plugin_list *plugin_list_init(const struct plugin_option_list *list); void plugin_list_open(struct plugin_list *pl, const struct plugin_option_list *list, struct plugin_return *pr, const struct env_set *es, const int init_point); struct plugin_list *plugin_list_inherit(const struct plugin_list *src); int plugin_call_ssl(const struct plugin_list *pl, const int type, const struct argv *av, struct plugin_return *pr, struct env_set *es #ifdef ENABLE_CRYPTO , int current_cert_depth, openvpn_x509_cert_t *current_cert #endif ); void plugin_list_close(struct plugin_list *pl); bool plugin_defined(const struct plugin_list *pl, const int type); void plugin_return_get_column(const struct plugin_return *src, struct plugin_return *dest, const char *colname); void plugin_return_free(struct plugin_return *pr); #ifdef ENABLE_DEBUG void plugin_return_print(const int msglevel, const char *prefix, const struct plugin_return *pr); #endif static inline int plugin_n(const struct plugin_list *pl) { if (pl && pl->common) { return pl->common->n; } else { return 0; } } static inline bool plugin_return_defined(const struct plugin_return *pr) { return pr->n >= 0; } static inline void plugin_return_init(struct plugin_return *pr) { pr->n = 0; } #else /* ifdef ENABLE_PLUGIN */ struct plugin_list { int dummy; }; struct plugin_return { int dummy; }; static inline bool plugin_defined(const struct plugin_list *pl, const int type) { return false; } static inline int plugin_call_ssl(const struct plugin_list *pl, const int type, const struct argv *av, struct plugin_return *pr, struct env_set *es #ifdef ENABLE_CRYPTO , int current_cert_depth, openvpn_x509_cert_t *current_cert #endif ) { return 0; } #endif /* ENABLE_PLUGIN */ static inline int plugin_call(const struct plugin_list *pl, const int type, const struct argv *av, struct plugin_return *pr, struct env_set *es) { return plugin_call_ssl(pl, type, av, pr, es #ifdef ENABLE_CRYPTO , -1, NULL #endif ); } #endif /* OPENVPN_PLUGIN_H */ openvpn-2.4.4/src/openvpn/pool.c000066400000000000000000000367721316434344000166200ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) #include "config-msvc.h" #endif #include "syshead.h" #include "pool.h" #include "buffer.h" #include "error.h" #include "socket.h" #include "otime.h" #include "memdbg.h" #if P2MP static void ifconfig_pool_entry_free(struct ifconfig_pool_entry *ipe, bool hard) { ipe->in_use = false; if (hard && ipe->common_name) { free(ipe->common_name); ipe->common_name = NULL; } if (hard) { ipe->last_release = 0; } else { ipe->last_release = now; } } static int ifconfig_pool_find(struct ifconfig_pool *pool, const char *common_name) { int i; time_t earliest_release = 0; int previous_usage = -1; int new_usage = -1; for (i = 0; i < pool->size; ++i) { struct ifconfig_pool_entry *ipe = &pool->list[i]; if (!ipe->in_use) { /* * If duplicate_cn mode, take first available IP address */ if (pool->duplicate_cn) { new_usage = i; break; } /* * Keep track of the unused IP address entry which * was released earliest. */ if ((new_usage == -1 || ipe->last_release < earliest_release) && !ipe->fixed) { earliest_release = ipe->last_release; new_usage = i; } /* * Keep track of a possible allocation to us * from an earlier session. */ if (previous_usage < 0 && common_name && ipe->common_name && !strcmp(common_name, ipe->common_name)) { previous_usage = i; } } } if (previous_usage >= 0) { return previous_usage; } if (new_usage >= 0) { return new_usage; } return -1; } /* * Verify start/end range */ bool ifconfig_pool_verify_range(const int msglevel, const in_addr_t start, const in_addr_t end) { struct gc_arena gc = gc_new(); bool ret = true; if (start > end) { msg(msglevel, "--ifconfig-pool start IP [%s] is greater than end IP [%s]", print_in_addr_t(start, 0, &gc), print_in_addr_t(end, 0, &gc)); ret = false; } if (end - start >= IFCONFIG_POOL_MAX) { msg(msglevel, "--ifconfig-pool address range is too large [%s -> %s]. Current maximum is %d addresses, as defined by IFCONFIG_POOL_MAX variable.", print_in_addr_t(start, 0, &gc), print_in_addr_t(end, 0, &gc), IFCONFIG_POOL_MAX); ret = false; } gc_free(&gc); return ret; } struct ifconfig_pool * ifconfig_pool_init(int type, in_addr_t start, in_addr_t end, const bool duplicate_cn, const bool ipv6_pool, const struct in6_addr ipv6_base, const int ipv6_netbits ) { struct gc_arena gc = gc_new(); struct ifconfig_pool *pool = NULL; ASSERT(start <= end && end - start < IFCONFIG_POOL_MAX); ALLOC_OBJ_CLEAR(pool, struct ifconfig_pool); pool->type = type; pool->duplicate_cn = duplicate_cn; switch (type) { case IFCONFIG_POOL_30NET: pool->base = start & ~3; pool->size = (((end | 3) + 1) - pool->base) >> 2; break; case IFCONFIG_POOL_INDIV: pool->base = start; pool->size = end - start + 1; break; default: ASSERT(0); } /* IPv6 pools are always "INDIV" type */ pool->ipv6 = ipv6_pool; if (pool->ipv6) { pool->base_ipv6 = ipv6_base; pool->size_ipv6 = ipv6_netbits>96 ? ( 1<<(128-ipv6_netbits) ) : IFCONFIG_POOL_MAX; msg( D_IFCONFIG_POOL, "IFCONFIG POOL IPv6: (IPv4) size=%d, size_ipv6=%d, netbits=%d, base_ipv6=%s", pool->size, pool->size_ipv6, ipv6_netbits, print_in6_addr( pool->base_ipv6, 0, &gc )); /* the current code is very simple and assumes that the IPv6 * pool is at least as big as the IPv4 pool, and we don't need * to do separate math etc. for IPv6 */ ASSERT( pool->size < pool->size_ipv6 ); } ALLOC_ARRAY_CLEAR(pool->list, struct ifconfig_pool_entry, pool->size); msg(D_IFCONFIG_POOL, "IFCONFIG POOL: base=%s size=%d, ipv6=%d", print_in_addr_t(pool->base, 0, &gc), pool->size, pool->ipv6 ); gc_free(&gc); return pool; } void ifconfig_pool_free(struct ifconfig_pool *pool) { if (pool) { int i; for (i = 0; i < pool->size; ++i) { ifconfig_pool_entry_free(&pool->list[i], true); } free(pool->list); free(pool); } } ifconfig_pool_handle ifconfig_pool_acquire(struct ifconfig_pool *pool, in_addr_t *local, in_addr_t *remote, struct in6_addr *remote_ipv6, const char *common_name) { int i; i = ifconfig_pool_find(pool, common_name); if (i >= 0) { struct ifconfig_pool_entry *ipe = &pool->list[i]; ASSERT(!ipe->in_use); ifconfig_pool_entry_free(ipe, true); ipe->in_use = true; if (common_name) { ipe->common_name = string_alloc(common_name, NULL); } switch (pool->type) { case IFCONFIG_POOL_30NET: { in_addr_t b = pool->base + (i << 2); *local = b + 1; *remote = b + 2; break; } case IFCONFIG_POOL_INDIV: { in_addr_t b = pool->base + i; *local = 0; *remote = b; break; } default: ASSERT(0); } /* IPv6 pools are always INDIV (--linear) */ if (pool->ipv6 && remote_ipv6) { *remote_ipv6 = add_in6_addr( pool->base_ipv6, i ); } } return i; } bool ifconfig_pool_release(struct ifconfig_pool *pool, ifconfig_pool_handle hand, const bool hard) { bool ret = false; if (pool && hand >= 0 && hand < pool->size) { ifconfig_pool_entry_free(&pool->list[hand], hard); ret = true; } return ret; } /* * private access functions */ static ifconfig_pool_handle ifconfig_pool_ip_base_to_handle(const struct ifconfig_pool *pool, const in_addr_t addr) { ifconfig_pool_handle ret = -1; switch (pool->type) { case IFCONFIG_POOL_30NET: { ret = (addr - pool->base) >> 2; break; } case IFCONFIG_POOL_INDIV: { ret = (addr - pool->base); break; } default: ASSERT(0); } if (ret < 0 || ret >= pool->size) { ret = -1; } return ret; } static in_addr_t ifconfig_pool_handle_to_ip_base(const struct ifconfig_pool *pool, ifconfig_pool_handle hand) { in_addr_t ret = 0; if (hand >= 0 && hand < pool->size) { switch (pool->type) { case IFCONFIG_POOL_30NET: { ret = pool->base + (hand << 2); break; } case IFCONFIG_POOL_INDIV: { ret = pool->base + hand; break; } default: ASSERT(0); } } return ret; } static struct in6_addr ifconfig_pool_handle_to_ipv6_base(const struct ifconfig_pool *pool, ifconfig_pool_handle hand) { struct in6_addr ret = in6addr_any; /* IPv6 pools are always INDIV (--linear) */ if (hand >= 0 && hand < pool->size_ipv6) { ret = add_in6_addr( pool->base_ipv6, hand ); } return ret; } static void ifconfig_pool_set(struct ifconfig_pool *pool, const char *cn, const in_addr_t addr, const bool fixed) { ifconfig_pool_handle h = ifconfig_pool_ip_base_to_handle(pool, addr); if (h >= 0) { struct ifconfig_pool_entry *e = &pool->list[h]; ifconfig_pool_entry_free(e, true); e->in_use = false; e->common_name = string_alloc(cn, NULL); e->last_release = now; e->fixed = fixed; } } static void ifconfig_pool_list(const struct ifconfig_pool *pool, struct status_output *out) { if (pool && out) { struct gc_arena gc = gc_new(); int i; for (i = 0; i < pool->size; ++i) { const struct ifconfig_pool_entry *e = &pool->list[i]; if (e->common_name) { const in_addr_t ip = ifconfig_pool_handle_to_ip_base(pool, i); if (pool->ipv6) { struct in6_addr ip6 = ifconfig_pool_handle_to_ipv6_base(pool, i); status_printf(out, "%s,%s,%s", e->common_name, print_in_addr_t(ip, 0, &gc), print_in6_addr(ip6, 0, &gc)); } else { status_printf(out, "%s,%s", e->common_name, print_in_addr_t(ip, 0, &gc)); } } } gc_free(&gc); } } static void ifconfig_pool_msg(const struct ifconfig_pool *pool, int msglevel) { struct status_output *so = status_open(NULL, 0, msglevel, NULL, 0); ASSERT(so); status_printf(so, "IFCONFIG POOL LIST"); ifconfig_pool_list(pool, so); status_close(so); } /* * Deal with reading/writing the ifconfig pool database to a file */ struct ifconfig_pool_persist * ifconfig_pool_persist_init(const char *filename, int refresh_freq) { struct ifconfig_pool_persist *ret; ASSERT(filename); ALLOC_OBJ_CLEAR(ret, struct ifconfig_pool_persist); if (refresh_freq > 0) { ret->fixed = false; ret->file = status_open(filename, refresh_freq, -1, NULL, STATUS_OUTPUT_READ|STATUS_OUTPUT_WRITE); } else { ret->fixed = true; ret->file = status_open(filename, 0, -1, NULL, STATUS_OUTPUT_READ); } return ret; } void ifconfig_pool_persist_close(struct ifconfig_pool_persist *persist) { if (persist) { if (persist->file) { status_close(persist->file); } free(persist); } } bool ifconfig_pool_write_trigger(struct ifconfig_pool_persist *persist) { if (persist->file) { return status_trigger(persist->file); } else { return false; } } void ifconfig_pool_read(struct ifconfig_pool_persist *persist, struct ifconfig_pool *pool) { const int buf_size = 128; update_time(); if (persist && persist->file && pool) { struct gc_arena gc = gc_new(); struct buffer in = alloc_buf_gc(256, &gc); char *cn_buf; char *ip_buf; int line = 0; ALLOC_ARRAY_CLEAR_GC(cn_buf, char, buf_size, &gc); ALLOC_ARRAY_CLEAR_GC(ip_buf, char, buf_size, &gc); while (true) { ASSERT(buf_init(&in, 0)); if (!status_read(persist->file, &in)) { break; } ++line; if (BLEN(&in)) { int c = *BSTR(&in); if (c == '#' || c == ';') { continue; } msg( M_INFO, "ifconfig_pool_read(), in='%s', TODO: IPv6", BSTR(&in) ); if (buf_parse(&in, ',', cn_buf, buf_size) && buf_parse(&in, ',', ip_buf, buf_size)) { bool succeeded; const in_addr_t addr = getaddr(GETADDR_HOST_ORDER, ip_buf, 0, &succeeded, NULL); if (succeeded) { msg( M_INFO, "succeeded -> ifconfig_pool_set()"); ifconfig_pool_set(pool, cn_buf, addr, persist->fixed); } } } } ifconfig_pool_msg(pool, D_IFCONFIG_POOL); gc_free(&gc); } } void ifconfig_pool_write(struct ifconfig_pool_persist *persist, const struct ifconfig_pool *pool) { if (persist && persist->file && (status_rw_flags(persist->file) & STATUS_OUTPUT_WRITE) && pool) { status_reset(persist->file); ifconfig_pool_list(pool, persist->file); status_flush(persist->file); } } /* * TESTING ONLY */ #ifdef IFCONFIG_POOL_TEST #define DUP_CN void ifconfig_pool_test(in_addr_t start, in_addr_t end) { struct gc_arena gc = gc_new(); struct ifconfig_pool *p = ifconfig_pool_init(IFCONFIG_POOL_30NET, start, end); /*struct ifconfig_pool *p = ifconfig_pool_init (IFCONFIG_POOL_INDIV, start, end);*/ ifconfig_pool_handle array[256]; int i; CLEAR(array); msg(M_INFO | M_NOPREFIX, "************ 1"); for (i = 0; i < (int) SIZE(array); ++i) { char *cn; ifconfig_pool_handle h; in_addr_t local, remote; char buf[256]; openvpn_snprintf(buf, sizeof(buf), "common-name-%d", i); #ifdef DUP_CN cn = NULL; #else cn = buf; #endif h = ifconfig_pool_acquire(p, &local, &remote, NULL, cn); if (h < 0) { break; } msg(M_INFO | M_NOPREFIX, "IFCONFIG_POOL TEST pass 1: l=%s r=%s cn=%s", print_in_addr_t(local, 0, &gc), print_in_addr_t(remote, 0, &gc), cn); array[i] = h; } msg(M_INFO | M_NOPREFIX, "************* 2"); for (i = (int) SIZE(array) / 16; i < (int) SIZE(array) / 8; ++i) { msg(M_INFO, "Attempt to release %d cn=%s", array[i], p->list[i].common_name); if (!ifconfig_pool_release(p, array[i])) { break; } msg(M_INFO, "Succeeded"); } CLEAR(array); msg(M_INFO | M_NOPREFIX, "**************** 3"); for (i = 0; i < (int) SIZE(array); ++i) { char *cn; ifconfig_pool_handle h; in_addr_t local, remote; char buf[256]; snprintf(buf, sizeof(buf), "common-name-%d", i+24); #ifdef DUP_CN cn = NULL; #else cn = buf; #endif h = ifconfig_pool_acquire(p, &local, &remote, NULL, cn); if (h < 0) { break; } msg(M_INFO | M_NOPREFIX, "IFCONFIG_POOL TEST pass 3: l=%s r=%s cn=%s", print_in_addr_t(local, 0, &gc), print_in_addr_t(remote, 0, &gc), cn); array[i] = h; } ifconfig_pool_free(p); gc_free(&gc); } #endif /* ifdef IFCONFIG_POOL_TEST */ #endif /* if P2MP */ openvpn-2.4.4/src/openvpn/pool.h000066400000000000000000000055571316434344000166220ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifndef POOL_H #define POOL_H #if P2MP /*#define IFCONFIG_POOL_TEST*/ #include "basic.h" #include "status.h" #define IFCONFIG_POOL_MAX 65536 #define IFCONFIG_POOL_MIN_NETBITS 16 #define IFCONFIG_POOL_30NET 0 #define IFCONFIG_POOL_INDIV 1 struct ifconfig_pool_entry { bool in_use; char *common_name; time_t last_release; bool fixed; }; struct ifconfig_pool { in_addr_t base; int size; int type; bool duplicate_cn; bool ipv6; struct in6_addr base_ipv6; unsigned int size_ipv6; struct ifconfig_pool_entry *list; }; struct ifconfig_pool_persist { struct status_output *file; bool fixed; }; typedef int ifconfig_pool_handle; struct ifconfig_pool *ifconfig_pool_init(int type, in_addr_t start, in_addr_t end, const bool duplicate_cn, const bool ipv6_pool, const struct in6_addr ipv6_base, const int ipv6_netbits ); void ifconfig_pool_free(struct ifconfig_pool *pool); bool ifconfig_pool_verify_range(const int msglevel, const in_addr_t start, const in_addr_t end); ifconfig_pool_handle ifconfig_pool_acquire(struct ifconfig_pool *pool, in_addr_t *local, in_addr_t *remote, struct in6_addr *remote_ipv6, const char *common_name); bool ifconfig_pool_release(struct ifconfig_pool *pool, ifconfig_pool_handle hand, const bool hard); struct ifconfig_pool_persist *ifconfig_pool_persist_init(const char *filename, int refresh_freq); void ifconfig_pool_persist_close(struct ifconfig_pool_persist *persist); bool ifconfig_pool_write_trigger(struct ifconfig_pool_persist *persist); void ifconfig_pool_read(struct ifconfig_pool_persist *persist, struct ifconfig_pool *pool); void ifconfig_pool_write(struct ifconfig_pool_persist *persist, const struct ifconfig_pool *pool); #ifdef IFCONFIG_POOL_TEST void ifconfig_pool_test(in_addr_t start, in_addr_t end); #endif #endif /* if P2MP */ #endif /* ifndef POOL_H */ openvpn-2.4.4/src/openvpn/proto.c000066400000000000000000000101361316434344000167740ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) #include "config-msvc.h" #endif #include "syshead.h" #include "proto.h" #include "error.h" #include "memdbg.h" /* * If raw tunnel packet is IPv, return true and increment * buffer offset to start of IP header. */ static bool is_ipv_X( int tunnel_type, struct buffer *buf, int ip_ver ) { int offset; const struct openvpn_iphdr *ih; verify_align_4(buf); if (tunnel_type == DEV_TYPE_TUN) { if (BLEN(buf) < (int) sizeof(struct openvpn_iphdr)) { return false; } offset = 0; } else if (tunnel_type == DEV_TYPE_TAP) { const struct openvpn_ethhdr *eh; if (BLEN(buf) < (int)(sizeof(struct openvpn_ethhdr) + sizeof(struct openvpn_iphdr))) { return false; } eh = (const struct openvpn_ethhdr *) BPTR(buf); if (ntohs(eh->proto) != (ip_ver == 6 ? OPENVPN_ETH_P_IPV6 : OPENVPN_ETH_P_IPV4)) { return false; } offset = sizeof(struct openvpn_ethhdr); } else { return false; } ih = (const struct openvpn_iphdr *) (BPTR(buf) + offset); /* IP version is stored in the same bits for IPv4 or IPv6 header */ if (OPENVPN_IPH_GET_VER(ih->version_len) == ip_ver) { return buf_advance(buf, offset); } else { return false; } } bool is_ipv4(int tunnel_type, struct buffer *buf) { return is_ipv_X( tunnel_type, buf, 4 ); } bool is_ipv6(int tunnel_type, struct buffer *buf) { return is_ipv_X( tunnel_type, buf, 6 ); } #ifdef PACKET_TRUNCATION_CHECK void ipv4_packet_size_verify(const uint8_t *data, const int size, const int tunnel_type, const char *prefix, counter_type *errors) { if (size > 0) { struct buffer buf; buf_set_read(&buf, data, size); if (is_ipv4(tunnel_type, &buf)) { const struct openvpn_iphdr *pip; int hlen; int totlen; const char *msgstr = "PACKET SIZE INFO"; unsigned int msglevel = D_PACKET_TRUNC_DEBUG; if (BLEN(&buf) < (int) sizeof(struct openvpn_iphdr)) { return; } verify_align_4(&buf); pip = (struct openvpn_iphdr *) BPTR(&buf); hlen = OPENVPN_IPH_GET_LEN(pip->version_len); totlen = ntohs(pip->tot_len); if (BLEN(&buf) != totlen) { msgstr = "PACKET TRUNCATION ERROR"; msglevel = D_PACKET_TRUNC_ERR; if (errors) { ++(*errors); } } msg(msglevel, "%s %s: size=%d totlen=%d hlen=%d errcount=" counter_format, msgstr, prefix, BLEN(&buf), totlen, hlen, errors ? *errors : (counter_type)0); } } } #endif /* ifdef PACKET_TRUNCATION_CHECK */ openvpn-2.4.4/src/openvpn/proto.h000066400000000000000000000164201316434344000170030ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifndef PROTO_H #define PROTO_H #include "common.h" #include "buffer.h" #pragma pack(1) /* * Tunnel types */ #define DEV_TYPE_UNDEF 0 #define DEV_TYPE_NULL 1 #define DEV_TYPE_TUN 2 /* point-to-point IP tunnel */ #define DEV_TYPE_TAP 3 /* ethernet (802.3) tunnel */ /* TUN topologies */ #define TOP_UNDEF 0 #define TOP_NET30 1 #define TOP_P2P 2 #define TOP_SUBNET 3 /* * IP and Ethernet protocol structs. For portability, * OpenVPN needs its own definitions of these structs, and * names have been adjusted to avoid collisions with * native structs. */ #define OPENVPN_ETH_ALEN 6 /* ethernet address length */ struct openvpn_ethhdr { uint8_t dest[OPENVPN_ETH_ALEN]; /* destination ethernet addr */ uint8_t source[OPENVPN_ETH_ALEN]; /* source ethernet addr */ #define OPENVPN_ETH_P_IPV4 0x0800 /* IPv4 protocol */ #define OPENVPN_ETH_P_IPV6 0x86DD /* IPv6 protocol */ #define OPENVPN_ETH_P_ARP 0x0806 /* ARP protocol */ uint16_t proto; /* packet type ID field */ }; struct openvpn_arp { #define ARP_MAC_ADDR_TYPE 0x0001 uint16_t mac_addr_type; /* 0x0001 */ uint16_t proto_addr_type; /* 0x0800 */ uint8_t mac_addr_size; /* 0x06 */ uint8_t proto_addr_size; /* 0x04 */ #define ARP_REQUEST 0x0001 #define ARP_REPLY 0x0002 uint16_t arp_command; /* 0x0001 for ARP request, 0x0002 for ARP reply */ uint8_t mac_src[OPENVPN_ETH_ALEN]; in_addr_t ip_src; uint8_t mac_dest[OPENVPN_ETH_ALEN]; in_addr_t ip_dest; }; struct openvpn_iphdr { #define OPENVPN_IPH_GET_VER(v) (((v) >> 4) & 0x0F) #define OPENVPN_IPH_GET_LEN(v) (((v) & 0x0F) << 2) uint8_t version_len; uint8_t tos; uint16_t tot_len; uint16_t id; #define OPENVPN_IP_OFFMASK 0x1fff uint16_t frag_off; uint8_t ttl; #define OPENVPN_IPPROTO_IGMP 2 /* IGMP protocol */ #define OPENVPN_IPPROTO_TCP 6 /* TCP protocol */ #define OPENVPN_IPPROTO_UDP 17 /* UDP protocol */ uint8_t protocol; uint16_t check; uint32_t saddr; uint32_t daddr; /*The options start here. */ }; /* * IPv6 header */ struct openvpn_ipv6hdr { uint8_t version_prio; uint8_t flow_lbl[3]; uint16_t payload_len; uint8_t nexthdr; uint8_t hop_limit; struct in6_addr saddr; struct in6_addr daddr; }; /* * UDP header */ struct openvpn_udphdr { uint16_t source; uint16_t dest; uint16_t len; uint16_t check; }; /* * TCP header, per RFC 793. */ struct openvpn_tcphdr { uint16_t source; /* source port */ uint16_t dest; /* destination port */ uint32_t seq; /* sequence number */ uint32_t ack_seq; /* acknowledgement number */ #define OPENVPN_TCPH_GET_DOFF(d) (((d) & 0xF0) >> 2) uint8_t doff_res; #define OPENVPN_TCPH_FIN_MASK (1<<0) #define OPENVPN_TCPH_SYN_MASK (1<<1) #define OPENVPN_TCPH_RST_MASK (1<<2) #define OPENVPN_TCPH_PSH_MASK (1<<3) #define OPENVPN_TCPH_ACK_MASK (1<<4) #define OPENVPN_TCPH_URG_MASK (1<<5) #define OPENVPN_TCPH_ECE_MASK (1<<6) #define OPENVPN_TCPH_CWR_MASK (1<<7) uint8_t flags; uint16_t window; uint16_t check; uint16_t urg_ptr; }; #define OPENVPN_TCPOPT_EOL 0 #define OPENVPN_TCPOPT_NOP 1 #define OPENVPN_TCPOPT_MAXSEG 2 #define OPENVPN_TCPOLEN_MAXSEG 4 struct ip_tcp_udp_hdr { struct openvpn_iphdr ip; union { struct openvpn_tcphdr tcp; struct openvpn_udphdr udp; } u; }; #pragma pack() /* * The following macro is used to update an * internet checksum. "acc" is a 32-bit * accumulation of all the changes to the * checksum (adding in old 16-bit words and * subtracting out new words), and "cksum" * is the checksum value to be updated. */ #define ADJUST_CHECKSUM(acc, cksum) { \ int _acc = acc; \ _acc += (cksum); \ if (_acc < 0) { \ _acc = -_acc; \ _acc = (_acc >> 16) + (_acc & 0xffff); \ _acc += _acc >> 16; \ (cksum) = (uint16_t) ~_acc; \ } else { \ _acc = (_acc >> 16) + (_acc & 0xffff); \ _acc += _acc >> 16; \ (cksum) = (uint16_t) _acc; \ } \ } #define ADD_CHECKSUM_32(acc, u32) { \ acc += (u32) & 0xffff; \ acc += (u32) >> 16; \ } #define SUB_CHECKSUM_32(acc, u32) { \ acc -= (u32) & 0xffff; \ acc -= (u32) >> 16; \ } /* * We are in a "liberal" position with respect to MSS, * i.e. we assume that MSS can be calculated from MTU * by subtracting out only the IP and TCP header sizes * without options. * * (RFC 879, section 7). */ #define MTU_TO_MSS(mtu) (mtu - sizeof(struct openvpn_iphdr) \ - sizeof(struct openvpn_tcphdr)) /* * This returns an ip protocol version of packet inside tun * and offset of IP header (via parameter). */ inline static int get_tun_ip_ver(int tunnel_type, struct buffer *buf, int *ip_hdr_offset) { int ip_ver = -1; /* for tun get ip version from ip header */ if (tunnel_type == DEV_TYPE_TUN) { *ip_hdr_offset = 0; if (likely(BLEN(buf) >= (int) sizeof(struct openvpn_iphdr))) { ip_ver = OPENVPN_IPH_GET_VER(*BPTR(buf)); } } else if (tunnel_type == DEV_TYPE_TAP) { *ip_hdr_offset = (int)(sizeof(struct openvpn_ethhdr)); /* for tap get ip version from eth header */ if (likely(BLEN(buf) >= *ip_hdr_offset)) { const struct openvpn_ethhdr *eh = (const struct openvpn_ethhdr *) BPTR(buf); uint16_t proto = ntohs(eh->proto); if (proto == OPENVPN_ETH_P_IPV6) { ip_ver = 6; } else if (proto == OPENVPN_ETH_P_IPV4) { ip_ver = 4; } } } return ip_ver; } /* * If raw tunnel packet is IPv4 or IPv6, return true and increment * buffer offset to start of IP header. */ bool is_ipv4(int tunnel_type, struct buffer *buf); bool is_ipv6(int tunnel_type, struct buffer *buf); #ifdef PACKET_TRUNCATION_CHECK void ipv4_packet_size_verify(const uint8_t *data, const int size, const int tunnel_type, const char *prefix, counter_type *errors); #endif #endif /* ifndef PROTO_H */ openvpn-2.4.4/src/openvpn/proxy.c000066400000000000000000000741471316434344000170260ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) #include "config-msvc.h" #endif #include "syshead.h" #include "common.h" #include "misc.h" #include "crypto.h" #include "win32.h" #include "socket.h" #include "fdmisc.h" #include "proxy.h" #include "base64.h" #include "httpdigest.h" #include "ntlm.h" #include "memdbg.h" #include "forward.h" #define UP_TYPE_PROXY "HTTP Proxy" struct http_proxy_options * init_http_proxy_options_once(struct http_proxy_options **hpo, struct gc_arena *gc) { if (!*hpo) { ALLOC_OBJ_CLEAR_GC(*hpo, struct http_proxy_options, gc); /* http proxy defaults */ (*hpo)->http_version = "1.0"; } return *hpo; } /* cached proxy username/password */ static struct user_pass static_proxy_user_pass; static bool recv_line(socket_descriptor_t sd, char *buf, int len, const int timeout_sec, const bool verbose, struct buffer *lookahead, volatile int *signal_received) { struct buffer la; int lastc = 0; CLEAR(la); if (lookahead) { la = *lookahead; } while (true) { int status; ssize_t size; fd_set reads; struct timeval tv; uint8_t c; if (buf_defined(&la)) { ASSERT(buf_init(&la, 0)); } FD_ZERO(&reads); openvpn_fd_set(sd, &reads); tv.tv_sec = timeout_sec; tv.tv_usec = 0; status = select(sd + 1, &reads, NULL, NULL, &tv); get_signal(signal_received); if (*signal_received) { goto error; } /* timeout? */ if (status == 0) { if (verbose) { msg(D_LINK_ERRORS | M_ERRNO, "recv_line: TCP port read timeout expired"); } goto error; } /* error */ if (status < 0) { if (verbose) { msg(D_LINK_ERRORS | M_ERRNO, "recv_line: TCP port read failed on select()"); } goto error; } /* read single char */ size = recv(sd, &c, 1, MSG_NOSIGNAL); /* error? */ if (size != 1) { if (verbose) { msg(D_LINK_ERRORS | M_ERRNO, "recv_line: TCP port read failed on recv()"); } goto error; } #if 0 if (isprint(c)) { msg(M_INFO, "PROXY: read '%c' (%d)", c, (int)c); } else { msg(M_INFO, "PROXY: read (%d)", (int)c); } #endif /* store char in buffer */ if (len > 1) { *buf++ = c; --len; } /* also store char in lookahead buffer */ if (buf_defined(&la)) { buf_write_u8(&la, c); if (!isprint(c) && !isspace(c)) /* not ascii? */ { if (verbose) { msg(D_LINK_ERRORS | M_ERRNO, "recv_line: Non-ASCII character (%d) read on recv()", (int)c); } *lookahead = la; return false; } } /* end of line? */ if (lastc == '\r' && c == '\n') { break; } lastc = c; } /* append trailing null */ if (len > 0) { *buf++ = '\0'; } return true; error: return false; } static bool send_line(socket_descriptor_t sd, const char *buf) { const ssize_t size = send(sd, buf, strlen(buf), MSG_NOSIGNAL); if (size != (ssize_t) strlen(buf)) { msg(D_LINK_ERRORS | M_ERRNO, "send_line: TCP port write failed on send()"); return false; } return true; } static bool send_line_crlf(socket_descriptor_t sd, const char *src) { bool ret; struct buffer buf = alloc_buf(strlen(src) + 3); ASSERT(buf_write(&buf, src, strlen(src))); ASSERT(buf_write(&buf, "\r\n", 3)); ret = send_line(sd, BSTR(&buf)); free_buf(&buf); return ret; } static bool send_crlf(socket_descriptor_t sd) { return send_line_crlf(sd, ""); } uint8_t * make_base64_string2(const uint8_t *str, int src_len, struct gc_arena *gc) { uint8_t *ret = NULL; char *b64out = NULL; ASSERT(openvpn_base64_encode((const void *)str, src_len, &b64out) >= 0); ret = (uint8_t *) string_alloc(b64out, gc); free(b64out); return ret; } uint8_t * make_base64_string(const uint8_t *str, struct gc_arena *gc) { return make_base64_string2(str, strlen((const char *)str), gc); } static const char * username_password_as_base64(const struct http_proxy_info *p, struct gc_arena *gc) { struct buffer out = alloc_buf_gc(strlen(p->up.username) + strlen(p->up.password) + 2, gc); ASSERT(strlen(p->up.username) > 0); buf_printf(&out, "%s:%s", p->up.username, p->up.password); return (const char *)make_base64_string((const uint8_t *)BSTR(&out), gc); } static void get_user_pass_http(struct http_proxy_info *p, const bool force) { if (!static_proxy_user_pass.defined || force) { unsigned int flags = GET_USER_PASS_MANAGEMENT; if (p->queried_creds) { flags |= GET_USER_PASS_PREVIOUS_CREDS_FAILED; } if (p->options.inline_creds) { flags |= GET_USER_PASS_INLINE_CREDS; } get_user_pass(&static_proxy_user_pass, p->options.auth_file, UP_TYPE_PROXY, flags); p->queried_creds = true; p->up = static_proxy_user_pass; } } static void clear_user_pass_http(void) { purge_user_pass(&static_proxy_user_pass, true); } #if 0 /* function only used in #if 0 debug statement */ static void dump_residual(socket_descriptor_t sd, int timeout, volatile int *signal_received) { char buf[256]; while (true) { if (!recv_line(sd, buf, sizeof(buf), timeout, true, NULL, signal_received)) { return; } chomp(buf); msg(D_PROXY, "PROXY HEADER: '%s'", buf); } } #endif /* * Extract the Proxy-Authenticate header from the stream. * Consumes all headers. */ static int get_proxy_authenticate(socket_descriptor_t sd, int timeout, char **data, struct gc_arena *gc, volatile int *signal_received) { char buf[256]; int ret = HTTP_AUTH_NONE; while (true) { if (!recv_line(sd, buf, sizeof(buf), timeout, true, NULL, signal_received)) { free(*data); *data = NULL; return HTTP_AUTH_NONE; } chomp(buf); if (!strlen(buf)) { return ret; } if (ret == HTTP_AUTH_NONE && !strncmp(buf, "Proxy-Authenticate: ", 20)) { if (!strncmp(buf+20, "Basic ", 6)) { msg(D_PROXY, "PROXY AUTH BASIC: '%s'", buf); *data = string_alloc(buf+26, gc); ret = HTTP_AUTH_BASIC; } #if PROXY_DIGEST_AUTH else if (!strncmp(buf+20, "Digest ", 7)) { msg(D_PROXY, "PROXY AUTH DIGEST: '%s'", buf); *data = string_alloc(buf+27, gc); ret = HTTP_AUTH_DIGEST; } #endif #if NTLM else if (!strncmp(buf+20, "NTLM", 4)) { msg(D_PROXY, "PROXY AUTH HTLM: '%s'", buf); *data = NULL; ret = HTTP_AUTH_NTLM; } #endif } } } static void store_proxy_authenticate(struct http_proxy_info *p, char *data) { if (p->proxy_authenticate) { free(p->proxy_authenticate); } p->proxy_authenticate = data; } /* * Parse out key/value pairs from Proxy-Authenticate string. * Return true on success, or false on parse failure. */ static bool get_key_value(const char *str, /* source string */ char *key, /* key stored here */ char *value, /* value stored here */ int max_key_len, int max_value_len, const char **endptr) /* next search position */ { int c; bool starts_with_quote = false; bool escape = false; for (c = max_key_len-1; (*str && (*str != '=') && c--); ) { *key++ = *str++; } *key = '\0'; if ('=' != *str++) { /* no key/value found */ return false; } if ('\"' == *str) { /* quoted string */ str++; starts_with_quote = true; } for (c = max_value_len-1; *str && c--; str++) { switch (*str) { case '\\': if (!escape) { /* possibly the start of an escaped quote */ escape = true; *value++ = '\\'; /* even though this is an escape character, we still * store it as-is in the target buffer */ continue; } break; case ',': if (!starts_with_quote) { /* this signals the end of the value if we didn't get a starting quote * and then we do "sloppy" parsing */ c = 0; /* the end */ continue; } break; case '\r': case '\n': /* end of string */ c = 0; continue; case '\"': if (!escape && starts_with_quote) { /* end of string */ c = 0; continue; } break; } escape = false; *value++ = *str; } *value = '\0'; *endptr = str; return true; /* success */ } static char * get_pa_var(const char *key, const char *pa, struct gc_arena *gc) { char k[64]; char v[256]; const char *content = pa; while (true) { const int status = get_key_value(content, k, v, sizeof(k), sizeof(v), &content); if (status) { if (!strcmp(key, k)) { return string_alloc(v, gc); } } else { return NULL; } /* advance to start of next key */ if (*content == ',') { ++content; } while (*content && isspace(*content)) { ++content; } } } struct http_proxy_info * http_proxy_new(const struct http_proxy_options *o) { struct http_proxy_info *p; if (!o || !o->server) { msg(M_FATAL, "HTTP_PROXY: server not specified"); } ASSERT( o->port); ALLOC_OBJ_CLEAR(p, struct http_proxy_info); p->options = *o; /* parse authentication method */ p->auth_method = HTTP_AUTH_NONE; if (o->auth_method_string) { if (!strcmp(o->auth_method_string, "none")) { p->auth_method = HTTP_AUTH_NONE; } else if (!strcmp(o->auth_method_string, "basic")) { p->auth_method = HTTP_AUTH_BASIC; } #if NTLM else if (!strcmp(o->auth_method_string, "ntlm")) { p->auth_method = HTTP_AUTH_NTLM; } else if (!strcmp(o->auth_method_string, "ntlm2")) { p->auth_method = HTTP_AUTH_NTLM2; } #endif else { msg(M_FATAL, "ERROR: unknown HTTP authentication method: '%s'", o->auth_method_string); } } /* only basic and NTLM/NTLMv2 authentication supported so far */ if (p->auth_method == HTTP_AUTH_BASIC || p->auth_method == HTTP_AUTH_NTLM || p->auth_method == HTTP_AUTH_NTLM2) { get_user_pass_http(p, true); } #if !NTLM if (p->auth_method == HTTP_AUTH_NTLM || p->auth_method == HTTP_AUTH_NTLM2) { msg(M_FATAL, "Sorry, this version of " PACKAGE_NAME " was built without NTLM Proxy support."); } #endif p->defined = true; return p; } void http_proxy_close(struct http_proxy_info *hp) { free(hp); } static bool add_proxy_headers(struct http_proxy_info *p, socket_descriptor_t sd, /* already open to proxy */ const char *host, /* openvpn server remote */ const char *port /* openvpn server port */ ) { char buf[512]; int i; bool host_header_sent = false; /* * Send custom headers if provided * If content is NULL the whole header is in name * Also remember if we already sent a Host: header */ for (i = 0; i < MAX_CUSTOM_HTTP_HEADER && p->options.custom_headers[i].name; i++) { if (p->options.custom_headers[i].content) { openvpn_snprintf(buf, sizeof(buf), "%s: %s", p->options.custom_headers[i].name, p->options.custom_headers[i].content); if (!strcasecmp(p->options.custom_headers[i].name, "Host")) { host_header_sent = true; } } else { openvpn_snprintf(buf, sizeof(buf), "%s", p->options.custom_headers[i].name); if (!strncasecmp(p->options.custom_headers[i].name, "Host:", 5)) { host_header_sent = true; } } msg(D_PROXY, "Send to HTTP proxy: '%s'", buf); if (!send_line_crlf(sd, buf)) { return false; } } if (!host_header_sent) { openvpn_snprintf(buf, sizeof(buf), "Host: %s", host); msg(D_PROXY, "Send to HTTP proxy: '%s'", buf); if (!send_line_crlf(sd, buf)) { return false; } } /* send User-Agent string if provided */ if (p->options.user_agent) { openvpn_snprintf(buf, sizeof(buf), "User-Agent: %s", p->options.user_agent); msg(D_PROXY, "Send to HTTP proxy: '%s'", buf); if (!send_line_crlf(sd, buf)) { return false; } } return true; } bool establish_http_proxy_passthru(struct http_proxy_info *p, socket_descriptor_t sd, /* already open to proxy */ const char *host, /* openvpn server remote */ const char *port, /* openvpn server port */ struct event_timeout *server_poll_timeout, struct buffer *lookahead, volatile int *signal_received) { struct gc_arena gc = gc_new(); char buf[512]; char buf2[129]; char get[80]; int status; int nparms; bool ret = false; bool processed = false; /* get user/pass if not previously given */ if (p->auth_method == HTTP_AUTH_BASIC || p->auth_method == HTTP_AUTH_DIGEST || p->auth_method == HTTP_AUTH_NTLM) { get_user_pass_http(p, false); } /* are we being called again after getting the digest server nonce in the previous transaction? */ if (p->auth_method == HTTP_AUTH_DIGEST && p->proxy_authenticate) { nparms = 1; status = 407; } else { /* format HTTP CONNECT message */ openvpn_snprintf(buf, sizeof(buf), "CONNECT %s:%s HTTP/%s", host, port, p->options.http_version); msg(D_PROXY, "Send to HTTP proxy: '%s'", buf); /* send HTTP CONNECT message to proxy */ if (!send_line_crlf(sd, buf)) { goto error; } if (!add_proxy_headers(p, sd, host, port)) { goto error; } /* auth specified? */ switch (p->auth_method) { case HTTP_AUTH_NONE: break; case HTTP_AUTH_BASIC: openvpn_snprintf(buf, sizeof(buf), "Proxy-Authorization: Basic %s", username_password_as_base64(p, &gc)); msg(D_PROXY, "Attempting Basic Proxy-Authorization"); dmsg(D_SHOW_KEYS, "Send to HTTP proxy: '%s'", buf); if (!send_line_crlf(sd, buf)) { goto error; } break; #if NTLM case HTTP_AUTH_NTLM: case HTTP_AUTH_NTLM2: /* keep-alive connection */ openvpn_snprintf(buf, sizeof(buf), "Proxy-Connection: Keep-Alive"); if (!send_line_crlf(sd, buf)) { goto error; } openvpn_snprintf(buf, sizeof(buf), "Proxy-Authorization: NTLM %s", ntlm_phase_1(p, &gc)); msg(D_PROXY, "Attempting NTLM Proxy-Authorization phase 1"); dmsg(D_SHOW_KEYS, "Send to HTTP proxy: '%s'", buf); if (!send_line_crlf(sd, buf)) { goto error; } break; #endif default: ASSERT(0); } /* send empty CR, LF */ if (!send_crlf(sd)) { goto error; } /* receive reply from proxy */ if (!recv_line(sd, buf, sizeof(buf), get_server_poll_remaining_time(server_poll_timeout), true, NULL, signal_received)) { goto error; } /* remove trailing CR, LF */ chomp(buf); msg(D_PROXY, "HTTP proxy returned: '%s'", buf); /* parse return string */ nparms = sscanf(buf, "%*s %d", &status); } /* check for a "407 Proxy Authentication Required" response */ while (nparms >= 1 && status == 407) { msg(D_PROXY, "Proxy requires authentication"); if (p->auth_method == HTTP_AUTH_BASIC && !processed) { processed = true; } else if ((p->auth_method == HTTP_AUTH_NTLM || p->auth_method == HTTP_AUTH_NTLM2) && !processed) /* check for NTLM */ { #if NTLM /* look for the phase 2 response */ while (true) { if (!recv_line(sd, buf, sizeof(buf), get_server_poll_remaining_time(server_poll_timeout), true, NULL, signal_received)) { goto error; } chomp(buf); msg(D_PROXY, "HTTP proxy returned: '%s'", buf); openvpn_snprintf(get, sizeof get, "%%*s NTLM %%%ds", (int) sizeof(buf2) - 1); nparms = sscanf(buf, get, buf2); buf2[128] = 0; /* we only need the beginning - ensure it's null terminated. */ /* check for "Proxy-Authenticate: NTLM TlRM..." */ if (nparms == 1) { /* parse buf2 */ msg(D_PROXY, "auth string: '%s'", buf2); break; } } /* if we are here then auth string was got */ msg(D_PROXY, "Received NTLM Proxy-Authorization phase 2 response"); /* receive and discard everything else */ while (recv_line(sd, NULL, 0, 2, true, NULL, signal_received)) { } /* now send the phase 3 reply */ /* format HTTP CONNECT message */ openvpn_snprintf(buf, sizeof(buf), "CONNECT %s:%s HTTP/%s", host, port, p->options.http_version); msg(D_PROXY, "Send to HTTP proxy: '%s'", buf); /* send HTTP CONNECT message to proxy */ if (!send_line_crlf(sd, buf)) { goto error; } /* keep-alive connection */ openvpn_snprintf(buf, sizeof(buf), "Proxy-Connection: Keep-Alive"); if (!send_line_crlf(sd, buf)) { goto error; } /* send HOST etc, */ if (!add_proxy_headers(p, sd, host, port)) { goto error; } msg(D_PROXY, "Attempting NTLM Proxy-Authorization phase 3"); { const char *np3 = ntlm_phase_3(p, buf2, &gc); if (!np3) { msg(D_PROXY, "NTLM Proxy-Authorization phase 3 failed: received corrupted data from proxy server"); goto error; } openvpn_snprintf(buf, sizeof(buf), "Proxy-Authorization: NTLM %s", np3); } msg(D_PROXY, "Send to HTTP proxy: '%s'", buf); if (!send_line_crlf(sd, buf)) { goto error; } /* ok so far... */ /* send empty CR, LF */ if (!send_crlf(sd)) { goto error; } /* receive reply from proxy */ if (!recv_line(sd, buf, sizeof(buf), get_server_poll_remaining_time(server_poll_timeout), true, NULL, signal_received)) { goto error; } /* remove trailing CR, LF */ chomp(buf); msg(D_PROXY, "HTTP proxy returned: '%s'", buf); /* parse return string */ nparms = sscanf(buf, "%*s %d", &status); processed = true; #endif /* if NTLM */ } #if PROXY_DIGEST_AUTH else if (p->auth_method == HTTP_AUTH_DIGEST && !processed) { char *pa = p->proxy_authenticate; const int method = p->auth_method; ASSERT(pa); if (method == HTTP_AUTH_DIGEST) { const char *http_method = "CONNECT"; const char *nonce_count = "00000001"; const char *qop = "auth"; const char *username = p->up.username; const char *password = p->up.password; char *opaque_kv = ""; char uri[128]; uint8_t cnonce_raw[8]; uint8_t *cnonce; HASHHEX session_key; HASHHEX response; const char *realm = get_pa_var("realm", pa, &gc); const char *nonce = get_pa_var("nonce", pa, &gc); const char *algor = get_pa_var("algorithm", pa, &gc); const char *opaque = get_pa_var("opaque", pa, &gc); if ( !realm || !nonce ) { msg(D_LINK_ERRORS, "HTTP proxy: digest auth failed, malformed response " "from server: realm= or nonce= missing" ); goto error; } /* generate a client nonce */ ASSERT(rand_bytes(cnonce_raw, sizeof(cnonce_raw))); cnonce = make_base64_string2(cnonce_raw, sizeof(cnonce_raw), &gc); /* build the digest response */ openvpn_snprintf(uri, sizeof(uri), "%s:%s", host, port); if (opaque) { const int len = strlen(opaque)+16; opaque_kv = gc_malloc(len, false, &gc); openvpn_snprintf(opaque_kv, len, ", opaque=\"%s\"", opaque); } DigestCalcHA1(algor, username, realm, password, nonce, (char *)cnonce, session_key); DigestCalcResponse(session_key, nonce, nonce_count, (char *)cnonce, qop, http_method, uri, NULL, response); /* format HTTP CONNECT message */ openvpn_snprintf(buf, sizeof(buf), "%s %s HTTP/%s", http_method, uri, p->options.http_version); msg(D_PROXY, "Send to HTTP proxy: '%s'", buf); /* send HTTP CONNECT message to proxy */ if (!send_line_crlf(sd, buf)) { goto error; } /* send HOST etc, */ if (!add_proxy_headers(p, sd, host, port)) { goto error; } /* send digest response */ openvpn_snprintf(buf, sizeof(buf), "Proxy-Authorization: Digest username=\"%s\", realm=\"%s\", nonce=\"%s\", uri=\"%s\", qop=%s, nc=%s, cnonce=\"%s\", response=\"%s\"%s", username, realm, nonce, uri, qop, nonce_count, cnonce, response, opaque_kv ); msg(D_PROXY, "Send to HTTP proxy: '%s'", buf); if (!send_line_crlf(sd, buf)) { goto error; } if (!send_crlf(sd)) { goto error; } /* receive reply from proxy */ if (!recv_line(sd, buf, sizeof(buf), get_server_poll_remaining_time(server_poll_timeout), true, NULL, signal_received)) { goto error; } /* remove trailing CR, LF */ chomp(buf); msg(D_PROXY, "HTTP proxy returned: '%s'", buf); /* parse return string */ nparms = sscanf(buf, "%*s %d", &status); processed = true; } else { msg(D_PROXY, "HTTP proxy: digest method not supported"); goto error; } } #endif /* if PROXY_DIGEST_AUTH */ else if (p->options.auth_retry) { /* figure out what kind of authentication the proxy needs */ char *pa = NULL; const int method = get_proxy_authenticate(sd, get_server_poll_remaining_time(server_poll_timeout), &pa, NULL, signal_received); if (method != HTTP_AUTH_NONE) { if (pa) { msg(D_PROXY, "HTTP proxy authenticate '%s'", pa); } if (p->options.auth_retry == PAR_NCT && method == HTTP_AUTH_BASIC) { msg(D_PROXY, "HTTP proxy: support for basic auth and other cleartext proxy auth methods is disabled"); free(pa); goto error; } p->auth_method = method; store_proxy_authenticate(p, pa); ret = true; goto done; } else { msg(D_PROXY, "HTTP proxy: do not recognize the authentication method required by proxy"); free(pa); goto error; } } else { if (!processed) { msg(D_PROXY, "HTTP proxy: no support for proxy authentication method"); } goto error; } /* clear state */ if (p->options.auth_retry) { clear_user_pass_http(); } store_proxy_authenticate(p, NULL); } /* check return code, success = 200 */ if (nparms < 1 || status != 200) { msg(D_LINK_ERRORS, "HTTP proxy returned bad status"); #if 0 /* DEBUGGING -- show a multi-line HTTP error response */ dump_residual(sd, get_server_poll_remaining_time(server_poll_timeout), signal_received); #endif goto error; } /* SUCCESS */ /* receive line from proxy and discard */ if (!recv_line(sd, NULL, 0, get_server_poll_remaining_time(server_poll_timeout), true, NULL, signal_received)) { goto error; } /* * Toss out any extraneous chars, but don't throw away the * start of the OpenVPN data stream (put it in lookahead). */ while (recv_line(sd, NULL, 0, 2, false, lookahead, signal_received)) { } /* reset queried_creds so that we don't think that the next creds request is due to an auth error */ p->queried_creds = false; #if 0 if (lookahead && BLEN(lookahead)) { msg(M_INFO, "HTTP PROXY: lookahead: %s", format_hex(BPTR(lookahead), BLEN(lookahead), 0)); } #endif done: gc_free(&gc); return ret; error: if (!*signal_received) { *signal_received = SIGUSR1; /* SOFT-SIGUSR1 -- HTTP proxy error */ } gc_free(&gc); return ret; } openvpn-2.4.4/src/openvpn/proxy.h000066400000000000000000000062651316434344000170270ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifndef PROXY_H #define PROXY_H #include "buffer.h" #include "misc.h" /* HTTP CONNECT authentication methods */ #define HTTP_AUTH_NONE 0 #define HTTP_AUTH_BASIC 1 #define HTTP_AUTH_DIGEST 2 #define HTTP_AUTH_NTLM 3 #define HTTP_AUTH_NTLM2 4 #define HTTP_AUTH_N 5 /* number of HTTP_AUTH methods */ struct http_custom_header { const char *name; const char *content; }; #define MAX_CUSTOM_HTTP_HEADER 10 struct http_proxy_options { const char *server; const char *port; #define PAR_NO 0 /* don't support any auth retries */ #define PAR_ALL 1 /* allow all proxy auth protocols */ #define PAR_NCT 2 /* disable cleartext proxy auth protocols */ int auth_retry; const char *auth_method_string; const char *auth_file; const char *http_version; const char *user_agent; struct http_custom_header custom_headers[MAX_CUSTOM_HTTP_HEADER]; bool inline_creds; }; struct http_proxy_options_simple { const char *server; const char *port; int auth_retry; }; struct http_proxy_info { bool defined; int auth_method; struct http_proxy_options options; struct user_pass up; char *proxy_authenticate; bool queried_creds; }; struct http_proxy_options *init_http_proxy_options_once(struct http_proxy_options **hpo, struct gc_arena *gc); struct http_proxy_info *http_proxy_new(const struct http_proxy_options *o); void http_proxy_close(struct http_proxy_info *hp); bool establish_http_proxy_passthru(struct http_proxy_info *p, socket_descriptor_t sd, /* already open to proxy */ const char *host, /* openvpn server remote */ const char *port, /* openvpn server port */ struct event_timeout *server_poll_timeout, struct buffer *lookahead, volatile int *signal_received); uint8_t *make_base64_string2(const uint8_t *str, int str_len, struct gc_arena *gc); uint8_t *make_base64_string(const uint8_t *str, struct gc_arena *gc); #endif /* PROXY_H */ openvpn-2.4.4/src/openvpn/ps.c000066400000000000000000000660311316434344000162600ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) #include "config-msvc.h" #endif #include "syshead.h" #if PORT_SHARE #include "event.h" #include "socket.h" #include "fdmisc.h" #include "crypto.h" #include "ps.h" #include "memdbg.h" struct port_share *port_share = NULL; /* GLOBAL */ /* size of i/o buffers */ #define PROXY_CONNECTION_BUFFER_SIZE 1500 /* Command codes for foreground -> background communication */ #define COMMAND_REDIRECT 10 #define COMMAND_EXIT 11 /* Response codes for background -> foreground communication */ #define RESPONSE_INIT_SUCCEEDED 20 #define RESPONSE_INIT_FAILED 21 /* * Return values for proxy_connection_io functions */ #define IOSTAT_EAGAIN_ON_READ 0 /* recv returned EAGAIN */ #define IOSTAT_EAGAIN_ON_WRITE 1 /* send returned EAGAIN */ #define IOSTAT_READ_ERROR 2 /* the other end of our read socket (pc) was closed */ #define IOSTAT_WRITE_ERROR 3 /* the other end of our write socket (pc->counterpart) was closed */ #define IOSTAT_GOOD 4 /* nothing to report */ /* * A foreign (non-OpenVPN) connection we are proxying, * usually HTTPS */ struct proxy_connection { bool defined; struct proxy_connection *next; struct proxy_connection *counterpart; struct buffer buf; bool buffer_initial; int rwflags; int sd; char *jfn; }; #if 0 static const char * headc(const struct buffer *buf) { static char foo[16]; strncpy(foo, BSTR(buf), 15); foo[15] = 0; return foo; } #endif static inline void close_socket_if_defined(const socket_descriptor_t sd) { if (socket_defined(sd)) { openvpn_close_socket(sd); } } /* * Close most of parent's fds. * Keep stdin/stdout/stderr, plus one * other fd which is presumed to be * our pipe back to parent. * Admittedly, a bit of a kludge, * but posix doesn't give us a kind * of FD_CLOEXEC which will stop * fds from crossing a fork(). */ static void close_fds_except(int keep) { socket_descriptor_t i; closelog(); for (i = 3; i <= 100; ++i) { if (i != keep) { openvpn_close_socket(i); } } } /* * Usually we ignore signals, because our parent will * deal with them. */ static void set_signals(void) { signal(SIGTERM, SIG_DFL); signal(SIGINT, SIG_IGN); signal(SIGHUP, SIG_IGN); signal(SIGUSR1, SIG_IGN); signal(SIGUSR2, SIG_IGN); signal(SIGPIPE, SIG_IGN); } /* * Socket read/write functions. */ static int recv_control(const socket_descriptor_t fd) { unsigned char c; const ssize_t size = read(fd, &c, sizeof(c)); if (size == sizeof(c)) { return c; } else { return -1; } } static int send_control(const socket_descriptor_t fd, int code) { unsigned char c = (unsigned char) code; const ssize_t size = write(fd, &c, sizeof(c)); if (size == sizeof(c)) { return (int) size; } else { return -1; } } static int cmsg_size(void) { return CMSG_SPACE(sizeof(socket_descriptor_t)); } /* * Send a command (char), data (head), and a file descriptor (sd_send) to a local process * over unix socket sd. Unfortunately, there's no portable way to send file descriptors * to other processes, so this code, as well as its analog (control_message_from_parent below), * is Linux-specific. This function runs in the context of the main process and is used to * send commands, data, and file descriptors to the background process. */ static void port_share_sendmsg(const socket_descriptor_t sd, const char command, const struct buffer *head, const socket_descriptor_t sd_send) { if (socket_defined(sd)) { struct msghdr mesg; struct cmsghdr *h; struct iovec iov[2]; socket_descriptor_t sd_null[2] = { SOCKET_UNDEFINED, SOCKET_UNDEFINED }; char cmd; ssize_t status; dmsg(D_PS_PROXY_DEBUG, "PORT SHARE: sendmsg sd=%d len=%d", (int)sd_send, head ? BLEN(head) : -1); CLEAR(mesg); cmd = command; iov[0].iov_base = &cmd; iov[0].iov_len = sizeof(cmd); mesg.msg_iovlen = 1; if (head) { iov[1].iov_base = BPTR(head); iov[1].iov_len = BLEN(head); mesg.msg_iovlen = 2; } mesg.msg_iov = iov; mesg.msg_controllen = cmsg_size(); mesg.msg_control = (char *) malloc(mesg.msg_controllen); check_malloc_return(mesg.msg_control); mesg.msg_flags = 0; h = CMSG_FIRSTHDR(&mesg); h->cmsg_level = SOL_SOCKET; h->cmsg_type = SCM_RIGHTS; h->cmsg_len = CMSG_LEN(sizeof(socket_descriptor_t)); if (socket_defined(sd_send)) { memcpy(CMSG_DATA(h), &sd_send, sizeof(sd_send)); } else { socketpair(PF_UNIX, SOCK_DGRAM, 0, sd_null); memcpy(CMSG_DATA(h), &sd_null[0], sizeof(sd_null[0])); } status = sendmsg(sd, &mesg, MSG_NOSIGNAL); if (status == -1) { msg(M_WARN|M_ERRNO, "PORT SHARE: sendmsg failed -- unable to communicate with background process (%d,%d,%d,%d)", sd, sd_send, sd_null[0], sd_null[1] ); } close_socket_if_defined(sd_null[0]); close_socket_if_defined(sd_null[1]); free(mesg.msg_control); } } static void proxy_entry_close_sd(struct proxy_connection *pc, struct event_set *es) { if (pc->defined && socket_defined(pc->sd)) { dmsg(D_PS_PROXY_DEBUG, "PORT SHARE PROXY: delete sd=%d", (int)pc->sd); if (es) { event_del(es, pc->sd); } openvpn_close_socket(pc->sd); pc->sd = SOCKET_UNDEFINED; } } /* * Mark a proxy entry and its counterpart for close. */ static void proxy_entry_mark_for_close(struct proxy_connection *pc, struct event_set *es) { if (pc->defined) { struct proxy_connection *cp = pc->counterpart; proxy_entry_close_sd(pc, es); free_buf(&pc->buf); pc->buffer_initial = false; pc->rwflags = 0; pc->defined = false; if (pc->jfn) { unlink(pc->jfn); free(pc->jfn); pc->jfn = NULL; } if (cp && cp->defined && cp->counterpart == pc) { proxy_entry_mark_for_close(cp, es); } } } /* * Run through the proxy entry list and delete all entries marked * for close. */ static void proxy_list_housekeeping(struct proxy_connection **list) { if (list) { struct proxy_connection *prev = NULL; struct proxy_connection *pc = *list; while (pc) { struct proxy_connection *next = pc->next; if (!pc->defined) { free(pc); if (prev) { prev->next = next; } else { *list = next; } } else { prev = pc; } pc = next; } } } /* * Record IP/port of client in filesystem, so that server receiving * the proxy can determine true client origin. */ static void journal_add(const char *journal_dir, struct proxy_connection *pc, struct proxy_connection *cp) { struct gc_arena gc = gc_new(); struct openvpn_sockaddr from, to; socklen_t slen, dlen; int fnlen; char *jfn; int fd; slen = sizeof(from.addr.sa); dlen = sizeof(to.addr.sa); if (!getpeername(pc->sd, (struct sockaddr *) &from.addr.sa, &slen) && !getsockname(cp->sd, (struct sockaddr *) &to.addr.sa, &dlen)) { const char *f = print_openvpn_sockaddr(&from, &gc); const char *t = print_openvpn_sockaddr(&to, &gc); fnlen = strlen(journal_dir) + strlen(t) + 2; jfn = (char *) malloc(fnlen); check_malloc_return(jfn); openvpn_snprintf(jfn, fnlen, "%s/%s", journal_dir, t); dmsg(D_PS_PROXY_DEBUG, "PORT SHARE PROXY: client origin %s -> %s", jfn, f); fd = platform_open(jfn, O_CREAT | O_TRUNC | O_WRONLY, S_IRUSR | S_IWUSR | S_IRGRP); if (fd != -1) { if (write(fd, f, strlen(f)) != strlen(f)) { msg(M_WARN, "PORT SHARE: writing to journal file (%s) failed", jfn); } close(fd); cp->jfn = jfn; } else { msg(M_WARN|M_ERRNO, "PORT SHARE: unable to write journal file in %s", jfn); free(jfn); } } gc_free(&gc); } /* * Cleanup function, on proxy process exit. */ static void proxy_list_close(struct proxy_connection **list) { if (list) { struct proxy_connection *pc = *list; while (pc) { proxy_entry_mark_for_close(pc, NULL); pc = pc->next; } proxy_list_housekeeping(list); } } static inline void proxy_connection_io_requeue(struct proxy_connection *pc, const int rwflags_new, struct event_set *es) { if (socket_defined(pc->sd) && pc->rwflags != rwflags_new) { /*dmsg (D_PS_PROXY_DEBUG, "PORT SHARE PROXY: requeue[%d] rwflags=%d", (int)pc->sd, rwflags_new);*/ event_ctl(es, pc->sd, rwflags_new, (void *)pc); pc->rwflags = rwflags_new; } } /* * Create a new pair of proxy_connection entries, one for each * socket file descriptor involved in the proxy. We are given * the client fd, and we should derive our own server fd by connecting * to the server given by server_addr/server_port. Return true * on success and false on failure to connect to server. */ static bool proxy_entry_new(struct proxy_connection **list, struct event_set *es, const struct sockaddr_in server_addr, const socket_descriptor_t sd_client, struct buffer *initial_data, const char *journal_dir) { socket_descriptor_t sd_server; int status; struct proxy_connection *pc; struct proxy_connection *cp; /* connect to port share server */ if ((sd_server = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) { msg(M_WARN|M_ERRNO, "PORT SHARE PROXY: cannot create socket"); return false; } status = openvpn_connect(sd_server,(const struct sockaddr *) &server_addr, 5, NULL); if (status) { msg(M_WARN, "PORT SHARE PROXY: connect to port-share server failed"); openvpn_close_socket(sd_server); return false; } dmsg(D_PS_PROXY_DEBUG, "PORT SHARE PROXY: connect to port-share server succeeded"); set_nonblock(sd_client); set_nonblock(sd_server); /* allocate 2 new proxy_connection objects */ ALLOC_OBJ_CLEAR(pc, struct proxy_connection); ALLOC_OBJ_CLEAR(cp, struct proxy_connection); /* client object */ pc->defined = true; pc->next = cp; pc->counterpart = cp; pc->buf = *initial_data; pc->buffer_initial = true; pc->rwflags = EVENT_UNDEF; pc->sd = sd_client; /* server object */ cp->defined = true; cp->next = *list; cp->counterpart = pc; cp->buf = alloc_buf(PROXY_CONNECTION_BUFFER_SIZE); cp->buffer_initial = false; cp->rwflags = EVENT_UNDEF; cp->sd = sd_server; /* add to list */ *list = pc; /* add journal entry */ if (journal_dir) { journal_add(journal_dir, pc, cp); } dmsg(D_PS_PROXY_DEBUG, "PORT SHARE PROXY: NEW CONNECTION [c=%d s=%d]", (int)sd_client, (int)sd_server); /* set initial i/o states */ proxy_connection_io_requeue(pc, EVENT_READ, es); proxy_connection_io_requeue(cp, EVENT_READ|EVENT_WRITE, es); return true; } /* * This function runs in the context of the background proxy process. * Receive a control message from the parent (sent by the port_share_sendmsg * function above) and act on it. Return false if the proxy process should * exit, true otherwise. */ static bool control_message_from_parent(const socket_descriptor_t sd_control, struct proxy_connection **list, struct event_set *es, const struct sockaddr_in server_addr, const int max_initial_buf, const char *journal_dir) { /* this buffer needs to be large enough to handle the largest buffer * that might be returned by the link_socket_read call in read_incoming_link. */ struct buffer buf = alloc_buf(max_initial_buf); struct msghdr mesg; struct cmsghdr *h; struct iovec iov[2]; char command = 0; ssize_t status; int ret = true; CLEAR(mesg); iov[0].iov_base = &command; iov[0].iov_len = sizeof(command); iov[1].iov_base = BPTR(&buf); iov[1].iov_len = BCAP(&buf); mesg.msg_iov = iov; mesg.msg_iovlen = 2; mesg.msg_controllen = cmsg_size(); mesg.msg_control = (char *) malloc(mesg.msg_controllen); check_malloc_return(mesg.msg_control); mesg.msg_flags = 0; h = CMSG_FIRSTHDR(&mesg); h->cmsg_len = CMSG_LEN(sizeof(socket_descriptor_t)); h->cmsg_level = SOL_SOCKET; h->cmsg_type = SCM_RIGHTS; static const socket_descriptor_t socket_undefined = SOCKET_UNDEFINED; memcpy(CMSG_DATA(h), &socket_undefined, sizeof(socket_undefined)); status = recvmsg(sd_control, &mesg, MSG_NOSIGNAL); if (status != -1) { if (h == NULL || h->cmsg_len != CMSG_LEN(sizeof(socket_descriptor_t)) || h->cmsg_level != SOL_SOCKET || h->cmsg_type != SCM_RIGHTS) { msg(M_WARN, "PORT SHARE PROXY: received unknown message"); } else { socket_descriptor_t received_fd; memcpy(&received_fd, CMSG_DATA(h), sizeof(received_fd)); dmsg(D_PS_PROXY_DEBUG, "PORT SHARE PROXY: RECEIVED sd=%d", (int)received_fd); if (status >= 2 && command == COMMAND_REDIRECT) { buf.len = status - 1; if (proxy_entry_new(list, es, server_addr, received_fd, &buf, journal_dir)) { CLEAR(buf); /* we gave the buffer to proxy_entry_new */ } else { openvpn_close_socket(received_fd); } } else if (status >= 1 && command == COMMAND_EXIT) { dmsg(D_PS_PROXY_DEBUG, "PORT SHARE PROXY: RECEIVED COMMAND_EXIT"); openvpn_close_socket(received_fd); /* null socket */ ret = false; } } } free(mesg.msg_control); free_buf(&buf); return ret; } static int proxy_connection_io_recv(struct proxy_connection *pc) { /* recv data from socket */ const int status = recv(pc->sd, BPTR(&pc->buf), BCAP(&pc->buf), MSG_NOSIGNAL); if (status < 0) { return (errno == EAGAIN) ? IOSTAT_EAGAIN_ON_READ : IOSTAT_READ_ERROR; } else { if (!status) { return IOSTAT_READ_ERROR; } dmsg(D_PS_PROXY_DEBUG, "PORT SHARE PROXY: read[%d] %d", (int)pc->sd, status); pc->buf.len = status; } return IOSTAT_GOOD; } static int proxy_connection_io_send(struct proxy_connection *pc, int *bytes_sent) { const socket_descriptor_t sd = pc->counterpart->sd; const int status = send(sd, BPTR(&pc->buf), BLEN(&pc->buf), MSG_NOSIGNAL); if (status < 0) { const int e = errno; return (e == EAGAIN) ? IOSTAT_EAGAIN_ON_WRITE : IOSTAT_WRITE_ERROR; } else { *bytes_sent += status; if (status != pc->buf.len) { dmsg(D_PS_PROXY_DEBUG, "PORT SHARE PROXY: partial write[%d], tried=%d got=%d", (int)sd, pc->buf.len, status); buf_advance(&pc->buf, status); return IOSTAT_EAGAIN_ON_WRITE; } else { dmsg(D_PS_PROXY_DEBUG, "PORT SHARE PROXY: wrote[%d] %d", (int)sd, status); pc->buf.len = 0; pc->buf.offset = 0; } } /* realloc send buffer after initial send */ if (pc->buffer_initial) { free_buf(&pc->buf); pc->buf = alloc_buf(PROXY_CONNECTION_BUFFER_SIZE); pc->buffer_initial = false; } return IOSTAT_GOOD; } /* * Forward data from pc to pc->counterpart. */ static int proxy_connection_io_xfer(struct proxy_connection *pc, const int max_transfer) { int transferred = 0; while (transferred < max_transfer) { if (!BLEN(&pc->buf)) { const int status = proxy_connection_io_recv(pc); if (status != IOSTAT_GOOD) { return status; } } if (BLEN(&pc->buf)) { const int status = proxy_connection_io_send(pc, &transferred); if (status != IOSTAT_GOOD) { return status; } } } return IOSTAT_EAGAIN_ON_READ; } /* * Decide how the receipt of an EAGAIN status should affect our next IO queueing. */ static bool proxy_connection_io_status(const int status, int *rwflags_pc, int *rwflags_cp) { switch (status) { case IOSTAT_EAGAIN_ON_READ: *rwflags_pc |= EVENT_READ; *rwflags_cp &= ~EVENT_WRITE; return true; case IOSTAT_EAGAIN_ON_WRITE: *rwflags_pc &= ~EVENT_READ; *rwflags_cp |= EVENT_WRITE; return true; case IOSTAT_READ_ERROR: return false; case IOSTAT_WRITE_ERROR: return false; default: msg(M_FATAL, "PORT SHARE PROXY: unexpected status=%d", status); } return false; /* NOTREACHED */ } /* * Dispatch function for forwarding data between the two socket fds involved * in the proxied connection. */ static int proxy_connection_io_dispatch(struct proxy_connection *pc, const int rwflags, struct event_set *es) { const int max_transfer_per_iteration = 10000; struct proxy_connection *cp = pc->counterpart; int rwflags_pc = pc->rwflags; int rwflags_cp = cp->rwflags; ASSERT(pc->defined && cp->defined && cp->counterpart == pc); if (rwflags & EVENT_READ) { const int status = proxy_connection_io_xfer(pc, max_transfer_per_iteration); if (!proxy_connection_io_status(status, &rwflags_pc, &rwflags_cp)) { goto bad; } } if (rwflags & EVENT_WRITE) { const int status = proxy_connection_io_xfer(cp, max_transfer_per_iteration); if (!proxy_connection_io_status(status, &rwflags_cp, &rwflags_pc)) { goto bad; } } proxy_connection_io_requeue(pc, rwflags_pc, es); proxy_connection_io_requeue(cp, rwflags_cp, es); return true; bad: proxy_entry_mark_for_close(pc, es); return false; } /* * This is the main function for the port share proxy background process. */ static void port_share_proxy(const struct sockaddr_in hostaddr, const socket_descriptor_t sd_control, const int max_initial_buf, const char *journal_dir) { if (send_control(sd_control, RESPONSE_INIT_SUCCEEDED) >= 0) { void *sd_control_marker = (void *)1; int maxevents = 256; struct event_set *es; struct event_set_return esr[64]; struct proxy_connection *list = NULL; time_t last_housekeeping = 0; msg(D_PS_PROXY, "PORT SHARE PROXY: proxy starting"); es = event_set_init(&maxevents, 0); event_ctl(es, sd_control, EVENT_READ, sd_control_marker); while (true) { int n_events; struct timeval tv; time_t current; tv.tv_sec = 10; tv.tv_usec = 0; n_events = event_wait(es, &tv, esr, SIZE(esr)); /*dmsg (D_PS_PROXY_DEBUG, "PORT SHARE PROXY: event_wait returned %d", n_events);*/ current = time(NULL); if (n_events > 0) { int i; for (i = 0; i < n_events; ++i) { const struct event_set_return *e = &esr[i]; if (e->arg == sd_control_marker) { if (!control_message_from_parent(sd_control, &list, es, hostaddr, max_initial_buf, journal_dir)) { goto done; } } else { struct proxy_connection *pc = (struct proxy_connection *)e->arg; if (pc->defined) { proxy_connection_io_dispatch(pc, e->rwflags, es); } } } } else if (n_events < 0) { dmsg(D_PS_PROXY_DEBUG, "PORT SHARE PROXY: event_wait failed"); } if (current > last_housekeeping) { proxy_list_housekeeping(&list); last_housekeeping = current; } } done: proxy_list_close(&list); event_free(es); } msg(M_INFO, "PORT SHARE PROXY: proxy exiting"); } /* * Called from the main OpenVPN process to enable the port * share proxy. */ struct port_share * port_share_open(const char *host, const char *port, const int max_initial_buf, const char *journal_dir) { pid_t pid; socket_descriptor_t fd[2]; struct sockaddr_in hostaddr; struct port_share *ps; int status; struct addrinfo *ai; ALLOC_OBJ_CLEAR(ps, struct port_share); ps->foreground_fd = -1; ps->background_pid = -1; /* * Get host's IP address */ status = openvpn_getaddrinfo(GETADDR_RESOLVE|GETADDR_FATAL, host, port, 0, NULL, AF_INET, &ai); ASSERT(status==0); hostaddr = *((struct sockaddr_in *) ai->ai_addr); freeaddrinfo(ai); /* * Make a socket for foreground and background processes * to communicate. */ if (socketpair(PF_UNIX, SOCK_DGRAM, 0, fd) == -1) { msg(M_WARN, "PORT SHARE: socketpair call failed"); goto error; } /* * Fork off background proxy process. */ pid = fork(); if (pid) { int status; /* * Foreground Process */ ps->background_pid = pid; /* close our copy of child's socket */ openvpn_close_socket(fd[1]); /* don't let future subprocesses inherit child socket */ set_cloexec(fd[0]); /* wait for background child process to initialize */ status = recv_control(fd[0]); if (status == RESPONSE_INIT_SUCCEEDED) { /* note that this will cause possible EAGAIN when writing to * control socket if proxy process is backlogged */ set_nonblock(fd[0]); ps->foreground_fd = fd[0]; return ps; } else { msg(M_ERR, "PORT SHARE: unexpected init recv_control status=%d", status); } } else { /* * Background Process */ /* Ignore most signals (the parent will receive them) */ set_signals(); /* Let msg know that we forked */ msg_forked(); #ifdef ENABLE_MANAGEMENT /* Don't interact with management interface */ management = NULL; #endif /* close all parent fds except our socket back to parent */ close_fds_except(fd[1]); /* no blocking on control channel back to parent */ set_nonblock(fd[1]); /* initialize prng */ prng_init(NULL, 0); /* execute the event loop */ port_share_proxy(hostaddr, fd[1], max_initial_buf, journal_dir); openvpn_close_socket(fd[1]); exit(0); return NULL; /* NOTREACHED */ } error: port_share_close(ps); return NULL; } void port_share_close(struct port_share *ps) { if (ps) { if (ps->foreground_fd >= 0) { /* tell background process to exit */ port_share_sendmsg(ps->foreground_fd, COMMAND_EXIT, NULL, SOCKET_UNDEFINED); /* wait for background process to exit */ dmsg(D_PS_PROXY_DEBUG, "PORT SHARE: waiting for background process to exit"); if (ps->background_pid > 0) { waitpid(ps->background_pid, NULL, 0); } dmsg(D_PS_PROXY_DEBUG, "PORT SHARE: background process exited"); openvpn_close_socket(ps->foreground_fd); ps->foreground_fd = -1; } free(ps); } } void port_share_abort(struct port_share *ps) { if (ps) { /* tell background process to exit */ if (ps->foreground_fd >= 0) { send_control(ps->foreground_fd, COMMAND_EXIT); openvpn_close_socket(ps->foreground_fd); ps->foreground_fd = -1; } } } /* * Given either the first 2 or 3 bytes of an initial client -> server * data payload, return true if the protocol is that of an OpenVPN * client attempting to connect with an OpenVPN server. */ bool is_openvpn_protocol(const struct buffer *buf) { const unsigned char *p = (const unsigned char *) BSTR(buf); const int len = BLEN(buf); if (len >= 3) { return p[0] == 0 && p[1] >= 14 && p[2] == (P_CONTROL_HARD_RESET_CLIENT_V2<= 2) { return p[0] == 0 && p[1] >= 14; } else { return true; } } /* * Called from the foreground process. Send a message to the background process that it * should proxy the TCP client on sd to the host/port defined in the initial port_share_open * call. */ void port_share_redirect(struct port_share *ps, const struct buffer *head, socket_descriptor_t sd) { if (ps) { port_share_sendmsg(ps->foreground_fd, COMMAND_REDIRECT, head, sd); } } #endif /* if PORT_SHARE */ openvpn-2.4.4/src/openvpn/ps.h000066400000000000000000000036321316434344000162630ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifndef PS_H #define PS_H #if PORT_SHARE #include "basic.h" #include "buffer.h" #include "ssl.h" typedef void (*post_fork_cleanup_func_t)(void *arg); struct port_share { /* Foreground's socket to background process */ socket_descriptor_t foreground_fd; /* Process ID of background process */ pid_t background_pid; }; extern struct port_share *port_share; struct port_share *port_share_open(const char *host, const char *port, const int max_initial_buf, const char *journal_dir); void port_share_close(struct port_share *ps); void port_share_abort(struct port_share *ps); bool is_openvpn_protocol(const struct buffer *buf); void port_share_redirect(struct port_share *ps, const struct buffer *head, socket_descriptor_t sd); #endif /* if PORT_SHARE */ #endif /* ifndef PS_H */ openvpn-2.4.4/src/openvpn/push.c000066400000000000000000000604251316434344000166160ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) #include "config-msvc.h" #endif #include "syshead.h" #include "push.h" #include "options.h" #include "ssl.h" #include "ssl_verify.h" #include "manage.h" #include "memdbg.h" #if P2MP static char push_reply_cmd[] = "PUSH_REPLY"; /* * Auth username/password * * Client received an authentication failed message from server. * Runs on client. */ void receive_auth_failed(struct context *c, const struct buffer *buffer) { msg(M_VERB0, "AUTH: Received control message: %s", BSTR(buffer)); c->options.no_advance = true; if (c->options.pull) { switch (auth_retry_get()) { case AR_NONE: c->sig->signal_received = SIGTERM; /* SOFT-SIGTERM -- Auth failure error */ break; case AR_INTERACT: ssl_purge_auth(false); case AR_NOINTERACT: c->sig->signal_received = SIGUSR1; /* SOFT-SIGUSR1 -- Auth failure error */ break; default: ASSERT(0); } c->sig->signal_text = "auth-failure"; #ifdef ENABLE_MANAGEMENT if (management) { const char *reason = NULL; struct buffer buf = *buffer; if (buf_string_compare_advance(&buf, "AUTH_FAILED,") && BLEN(&buf)) { reason = BSTR(&buf); } management_auth_failure(management, UP_TYPE_AUTH, reason); } #endif /* * Save the dynamic-challenge text even when management is defined */ { #ifdef ENABLE_CLIENT_CR struct buffer buf = *buffer; if (buf_string_match_head_str(&buf, "AUTH_FAILED,CRV1:") && BLEN(&buf)) { buf_advance(&buf, 12); /* Length of "AUTH_FAILED," substring */ ssl_put_auth_challenge(BSTR(&buf)); } #endif } } } /* * Act on received restart message from server */ void server_pushed_signal(struct context *c, const struct buffer *buffer, const bool restart, const int adv) { if (c->options.pull) { struct buffer buf = *buffer; const char *m = ""; if (buf_advance(&buf, adv) && buf_read_u8(&buf) == ',' && BLEN(&buf)) { m = BSTR(&buf); } /* preserve cached passwords? */ /* advance to next server? */ { bool purge = true; if (m[0] == '[') { int i; for (i = 1; m[i] != '\0' && m[i] != ']'; ++i) { if (m[i] == 'P') { purge = false; } else if (m[i] == 'N') { /* next server? */ c->options.no_advance = false; } } } if (purge) { ssl_purge_auth(true); } } if (restart) { msg(D_STREAM_ERRORS, "Connection reset command was pushed by server ('%s')", m); c->sig->signal_received = SIGUSR1; /* SOFT-SIGUSR1 -- server-pushed connection reset */ c->sig->signal_text = "server-pushed-connection-reset"; } else { msg(D_STREAM_ERRORS, "Halt command was pushed by server ('%s')", m); c->sig->signal_received = SIGTERM; /* SOFT-SIGTERM -- server-pushed halt */ c->sig->signal_text = "server-pushed-halt"; } #ifdef ENABLE_MANAGEMENT if (management) { management_notify(management, "info", c->sig->signal_text, m); } #endif } } #if P2MP_SERVER /** * Add an option to the given push list by providing a format string. * * The string added to the push options is allocated in o->gc, so the caller * does not have to preserve anything. * * @param gc GC arena where options are allocated * @param push_list Push list containing options * @param msglevel The message level to use when printing errors * @param fmt Format string for the option * @param ... Format string arguments * * @return true on success, false on failure. */ static bool push_option_fmt(struct gc_arena *gc, struct push_list *push_list, int msglevel, const char *fmt, ...) #ifdef __GNUC__ #if __USE_MINGW_ANSI_STDIO __attribute__ ((format(gnu_printf, 4, 5))) #else __attribute__ ((format(__printf__, 4, 5))) #endif #endif ; /* * Send auth failed message from server to client. */ void send_auth_failed(struct context *c, const char *client_reason) { struct gc_arena gc = gc_new(); static const char auth_failed[] = "AUTH_FAILED"; size_t len; schedule_exit(c, c->options.scheduled_exit_interval, SIGTERM); len = (client_reason ? strlen(client_reason)+1 : 0) + sizeof(auth_failed); if (len > PUSH_BUNDLE_SIZE) { len = PUSH_BUNDLE_SIZE; } { struct buffer buf = alloc_buf_gc(len, &gc); buf_printf(&buf, auth_failed); if (client_reason) { buf_printf(&buf, ",%s", client_reason); } send_control_channel_string(c, BSTR(&buf), D_PUSH); } gc_free(&gc); } /* * Send restart message from server to client. */ void send_restart(struct context *c, const char *kill_msg) { schedule_exit(c, c->options.scheduled_exit_interval, SIGTERM); send_control_channel_string(c, kill_msg ? kill_msg : "RESTART", D_PUSH); } #endif /* if P2MP_SERVER */ /* * Push/Pull */ void incoming_push_message(struct context *c, const struct buffer *buffer) { struct gc_arena gc = gc_new(); unsigned int option_types_found = 0; int status; msg(D_PUSH, "PUSH: Received control message: '%s'", sanitize_control_message(BSTR(buffer), &gc)); status = process_incoming_push_msg(c, buffer, c->options.pull, pull_permission_mask(c), &option_types_found); if (status == PUSH_MSG_ERROR) { msg(D_PUSH_ERRORS, "WARNING: Received bad push/pull message: %s", sanitize_control_message(BSTR(buffer), &gc)); } else if (status == PUSH_MSG_REPLY || status == PUSH_MSG_CONTINUATION) { c->options.push_option_types_found |= option_types_found; /* delay bringing tun/tap up until --push parms received from remote */ if (status == PUSH_MSG_REPLY) { if (!do_up(c, true, c->options.push_option_types_found)) { msg(D_PUSH_ERRORS, "Failed to open tun/tap interface"); goto error; } } event_timeout_clear(&c->c2.push_request_interval); } else if (status == PUSH_MSG_REQUEST) { if (c->options.mode == MODE_SERVER) { struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE]; /* Do not regenerate keys if client send a second push request */ if (!session->key[KS_PRIMARY].crypto_options.key_ctx_bi.initialized && !tls_session_update_crypto_params(session, &c->options, &c->c2.frame)) { msg(D_TLS_ERRORS, "TLS Error: initializing data channel failed"); goto error; } } } goto cleanup; error: register_signal(c, SIGUSR1, "process-push-msg-failed"); cleanup: gc_free(&gc); } bool send_push_request(struct context *c) { const int max_push_requests = c->options.handshake_window / PUSH_REQUEST_INTERVAL; if (++c->c2.n_sent_push_requests <= max_push_requests) { return send_control_channel_string(c, "PUSH_REQUEST", D_PUSH); } else { msg(D_STREAM_ERRORS, "No reply from server after sending %d push requests", max_push_requests); c->sig->signal_received = SIGUSR1; /* SOFT-SIGUSR1 -- server-pushed connection reset */ c->sig->signal_text = "no-push-reply"; return false; } } #if P2MP_SERVER /** * Prepare push options, based on local options and available peer info. * * @param context context structure storing data for VPN tunnel * @param gc gc arena for allocating push options * @param push_list push list to where options are added * * @return true on success, false on failure. */ static bool prepare_push_reply(struct context *c, struct gc_arena *gc, struct push_list *push_list) { const char *optstr = NULL; struct tls_multi *tls_multi = c->c2.tls_multi; const char *const peer_info = tls_multi->peer_info; struct options *o = &c->options; /* ipv6 */ if (c->c2.push_ifconfig_ipv6_defined && !o->push_ifconfig_ipv6_blocked) { push_option_fmt(gc, push_list, M_USAGE, "ifconfig-ipv6 %s/%d %s", print_in6_addr(c->c2.push_ifconfig_ipv6_local, 0, gc), c->c2.push_ifconfig_ipv6_netbits, print_in6_addr(c->c2.push_ifconfig_ipv6_remote, 0, gc)); } /* ipv4 */ if (c->c2.push_ifconfig_defined && c->c2.push_ifconfig_local && c->c2.push_ifconfig_remote_netmask) { in_addr_t ifconfig_local = c->c2.push_ifconfig_local; if (c->c2.push_ifconfig_local_alias) { ifconfig_local = c->c2.push_ifconfig_local_alias; } push_option_fmt(gc, push_list, M_USAGE, "ifconfig %s %s", print_in_addr_t(ifconfig_local, 0, gc), print_in_addr_t(c->c2.push_ifconfig_remote_netmask, 0, gc)); } /* Send peer-id if client supports it */ optstr = peer_info ? strstr(peer_info, "IV_PROTO=") : NULL; if (optstr) { int proto = 0; int r = sscanf(optstr, "IV_PROTO=%d", &proto); if ((r == 1) && (proto >= 2)) { push_option_fmt(gc, push_list, M_USAGE, "peer-id %d", tls_multi->peer_id); } } /* Push cipher if client supports Negotiable Crypto Parameters */ if (tls_peer_info_ncp_ver(peer_info) >= 2 && o->ncp_enabled) { /* if we have already created our key, we cannot *change* our own * cipher -> so log the fact and push the "what we have now" cipher * (so the client is always told what we expect it to use) */ const struct tls_session *session = &tls_multi->session[TM_ACTIVE]; if (session->key[KS_PRIMARY].crypto_options.key_ctx_bi.initialized) { msg( M_INFO, "PUSH: client wants to negotiate cipher (NCP), but " "server has already generated data channel keys, " "re-sending previously negotiated cipher '%s'", o->ciphername ); } else { /* Push the first cipher from --ncp-ciphers to the client. * TODO: actual negotiation, instead of server dictatorship. */ char *push_cipher = string_alloc(o->ncp_ciphers, &o->gc); o->ciphername = strtok(push_cipher, ":"); } push_option_fmt(gc, push_list, M_USAGE, "cipher %s", o->ciphername); } else if (o->ncp_enabled) { tls_poor_mans_ncp(o, tls_multi->remote_ciphername); } /* If server uses --auth-gen-token and we have an auth token * to send to the client */ if (false == tls_multi->auth_token_sent && NULL != tls_multi->auth_token) { push_option_fmt(gc, push_list, M_USAGE, "auth-token %s", tls_multi->auth_token); tls_multi->auth_token_sent = true; } return true; } static bool send_push_options(struct context *c, struct buffer *buf, struct push_list *push_list, int safe_cap, bool *push_sent, bool *multi_push) { struct push_entry *e = push_list->head; while (e) { if (e->enable) { const int l = strlen(e->option); if (BLEN(buf) + l >= safe_cap) { buf_printf(buf, ",push-continuation 2"); { const bool status = send_control_channel_string(c, BSTR(buf), D_PUSH); if (!status) { return false; } *push_sent = true; *multi_push = true; buf_reset_len(buf); buf_printf(buf, "%s", push_reply_cmd); } } if (BLEN(buf) + l >= safe_cap) { msg(M_WARN, "--push option is too long"); return false; } buf_printf(buf, ",%s", e->option); } e = e->next; } return true; } static bool send_push_reply(struct context *c, struct push_list *per_client_push_list) { struct gc_arena gc = gc_new(); struct buffer buf = alloc_buf_gc(PUSH_BUNDLE_SIZE, &gc); bool multi_push = false; const int extra = 84; /* extra space for possible trailing ifconfig and push-continuation */ const int safe_cap = BCAP(&buf) - extra; bool push_sent = false; buf_printf(&buf, "%s", push_reply_cmd); /* send options which are common to all clients */ if (!send_push_options(c, &buf, &c->options.push_list, safe_cap, &push_sent, &multi_push)) { goto fail; } /* send client-specific options */ if (!send_push_options(c, &buf, per_client_push_list, safe_cap, &push_sent, &multi_push)) { goto fail; } if (multi_push) { buf_printf(&buf, ",push-continuation 1"); } if (BLEN(&buf) > sizeof(push_reply_cmd)-1) { const bool status = send_control_channel_string(c, BSTR(&buf), D_PUSH); if (!status) { goto fail; } push_sent = true; } /* If nothing have been pushed, send an empty push, * as the client is expecting a response */ if (!push_sent) { bool status = false; buf_reset_len(&buf); buf_printf(&buf, "%s", push_reply_cmd); status = send_control_channel_string(c, BSTR(&buf), D_PUSH); if (!status) { goto fail; } } gc_free(&gc); return true; fail: gc_free(&gc); return false; } static void push_option_ex(struct gc_arena *gc, struct push_list *push_list, const char *opt, bool enable, int msglevel) { if (!string_class(opt, CC_ANY, CC_COMMA)) { msg(msglevel, "PUSH OPTION FAILED (illegal comma (',') in string): '%s'", opt); } else { struct push_entry *e; ALLOC_OBJ_CLEAR_GC(e, struct push_entry, gc); e->enable = true; e->option = opt; if (push_list->head) { ASSERT(push_list->tail); push_list->tail->next = e; push_list->tail = e; } else { ASSERT(!push_list->tail); push_list->head = e; push_list->tail = e; } } } void push_option(struct options *o, const char *opt, int msglevel) { push_option_ex(&o->gc, &o->push_list, opt, true, msglevel); } void clone_push_list(struct options *o) { if (o->push_list.head) { const struct push_entry *e = o->push_list.head; push_reset(o); while (e) { push_option_ex(&o->gc, &o->push_list, string_alloc(e->option, &o->gc), true, M_FATAL); e = e->next; } } } void push_options(struct options *o, char **p, int msglevel, struct gc_arena *gc) { const char **argv = make_extended_arg_array(p, gc); char *opt = print_argv(argv, gc, 0); push_option(o, opt, msglevel); } static bool push_option_fmt(struct gc_arena *gc, struct push_list *push_list, int msglevel, const char *format, ...) { va_list arglist; char tmp[256] = {0}; int len; va_start(arglist, format); len = vsnprintf(tmp, sizeof(tmp), format, arglist); va_end(arglist); if (len > sizeof(tmp)-1) { return false; } push_option_ex(gc, push_list, string_alloc(tmp, gc), true, msglevel); return true; } void push_reset(struct options *o) { CLEAR(o->push_list); } void push_remove_option(struct options *o, const char *p) { msg(D_PUSH_DEBUG, "PUSH_REMOVE searching for: '%s'", p); /* ifconfig-ipv6 is special, as not part of the push list */ if (streq( p, "ifconfig-ipv6" )) { o->push_ifconfig_ipv6_blocked = true; return; } if (o && o->push_list.head) { struct push_entry *e = o->push_list.head; /* cycle through the push list */ while (e) { if (e->enable && strncmp( e->option, p, strlen(p) ) == 0) { msg(D_PUSH_DEBUG, "PUSH_REMOVE removing: '%s'", e->option); e->enable = false; } e = e->next; } } } #endif /* if P2MP_SERVER */ #if P2MP_SERVER int process_incoming_push_request(struct context *c) { int ret = PUSH_MSG_ERROR; #ifdef ENABLE_ASYNC_PUSH c->c2.push_request_received = true; #endif if (tls_authentication_status(c->c2.tls_multi, 0) == TLS_AUTHENTICATION_FAILED || c->c2.context_auth == CAS_FAILED) { const char *client_reason = tls_client_reason(c->c2.tls_multi); send_auth_failed(c, client_reason); ret = PUSH_MSG_AUTH_FAILURE; } else if (!c->c2.push_reply_deferred && c->c2.context_auth == CAS_SUCCEEDED) { time_t now; openvpn_time(&now); if (c->c2.sent_push_reply_expiry > now) { ret = PUSH_MSG_ALREADY_REPLIED; } else { /* per-client push options - peer-id, cipher, ifconfig, ipv6-ifconfig */ struct push_list push_list; struct gc_arena gc = gc_new(); CLEAR(push_list); if (prepare_push_reply(c, &gc, &push_list) && send_push_reply(c, &push_list)) { ret = PUSH_MSG_REQUEST; c->c2.sent_push_reply_expiry = now + 30; } gc_free(&gc); } } else { ret = PUSH_MSG_REQUEST_DEFERRED; } return ret; } #endif /* if P2MP_SERVER */ static void push_update_digest(md_ctx_t *ctx, struct buffer *buf, const struct options *opt) { char line[OPTION_PARM_SIZE]; while (buf_parse(buf, ',', line, sizeof(line))) { /* peer-id might change on restart and this should not trigger reopening tun */ if (strprefix(line, "peer-id ")) { continue; } /* tun reopen only needed if cipher change can change tun MTU */ if (strprefix(line, "cipher ") && !opt->ce.tun_mtu_defined) { continue; } md_ctx_update(ctx, (const uint8_t *) line, strlen(line)+1); } } int process_incoming_push_msg(struct context *c, const struct buffer *buffer, bool honor_received_options, unsigned int permission_mask, unsigned int *option_types_found) { int ret = PUSH_MSG_ERROR; struct buffer buf = *buffer; #if P2MP_SERVER if (buf_string_compare_advance(&buf, "PUSH_REQUEST")) { ret = process_incoming_push_request(c); } else #endif if (honor_received_options && buf_string_compare_advance(&buf, "PUSH_REPLY")) { const uint8_t ch = buf_read_u8(&buf); if (ch == ',') { struct buffer buf_orig = buf; if (!c->c2.pulled_options_digest_init_done) { c->c2.pulled_options_state = md_ctx_new(); md_ctx_init(c->c2.pulled_options_state, md_kt_get("SHA256")); c->c2.pulled_options_digest_init_done = true; } if (!c->c2.did_pre_pull_restore) { pre_pull_restore(&c->options, &c->c2.gc); c->c2.did_pre_pull_restore = true; } if (apply_push_options(&c->options, &buf, permission_mask, option_types_found, c->c2.es)) { push_update_digest(c->c2.pulled_options_state, &buf_orig, &c->options); switch (c->options.push_continuation) { case 0: case 1: md_ctx_final(c->c2.pulled_options_state, c->c2.pulled_options_digest.digest); md_ctx_cleanup(c->c2.pulled_options_state); md_ctx_free(c->c2.pulled_options_state); c->c2.pulled_options_state = NULL; c->c2.pulled_options_digest_init_done = false; ret = PUSH_MSG_REPLY; break; case 2: ret = PUSH_MSG_CONTINUATION; break; } } } else if (ch == '\0') { ret = PUSH_MSG_REPLY; } /* show_settings (&c->options); */ } return ret; } #if P2MP_SERVER /* * Remove iroutes from the push_list. */ void remove_iroutes_from_push_route_list(struct options *o) { if (o && o->push_list.head && o->iroutes) { struct gc_arena gc = gc_new(); struct push_entry *e = o->push_list.head; /* cycle through the push list */ while (e) { char *p[MAX_PARMS]; bool enable = true; /* parse the push item */ CLEAR(p); if (e->enable && parse_line(e->option, p, SIZE(p), "[PUSH_ROUTE_REMOVE]", 1, D_ROUTE_DEBUG, &gc)) { /* is the push item a route directive? */ if (p[0] && !strcmp(p[0], "route") && !p[3]) { /* get route parameters */ bool status1, status2; const in_addr_t network = getaddr(GETADDR_HOST_ORDER, p[1], 0, &status1, NULL); const in_addr_t netmask = getaddr(GETADDR_HOST_ORDER, p[2] ? p[2] : "255.255.255.255", 0, &status2, NULL); /* did route parameters parse correctly? */ if (status1 && status2) { const struct iroute *ir; /* does route match an iroute? */ for (ir = o->iroutes; ir != NULL; ir = ir->next) { if (network == ir->network && netmask == netbits_to_netmask(ir->netbits >= 0 ? ir->netbits : 32)) { enable = false; break; } } } } /* should we copy the push item? */ e->enable = enable; if (!enable) { msg(D_PUSH, "REMOVE PUSH ROUTE: '%s'", e->option); } } e = e->next; } gc_free(&gc); } } #endif /* if P2MP_SERVER */ #endif /* if P2MP */ openvpn-2.4.4/src/openvpn/push.h000066400000000000000000000050051316434344000166140ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifndef PUSH_H #define PUSH_H #if P2MP #include "forward.h" #define PUSH_MSG_ERROR 0 #define PUSH_MSG_REQUEST 1 #define PUSH_MSG_REPLY 2 #define PUSH_MSG_REQUEST_DEFERRED 3 #define PUSH_MSG_AUTH_FAILURE 4 #define PUSH_MSG_CONTINUATION 5 #define PUSH_MSG_ALREADY_REPLIED 6 int process_incoming_push_request(struct context *c); int process_incoming_push_msg(struct context *c, const struct buffer *buffer, bool honor_received_options, unsigned int permission_mask, unsigned int *option_types_found); bool send_push_request(struct context *c); void receive_auth_failed(struct context *c, const struct buffer *buffer); void server_pushed_signal(struct context *c, const struct buffer *buffer, const bool restart, const int adv); void incoming_push_message(struct context *c, const struct buffer *buffer); #if P2MP_SERVER void clone_push_list(struct options *o); void push_option(struct options *o, const char *opt, int msglevel); void push_options(struct options *o, char **p, int msglevel, struct gc_arena *gc); void push_reset(struct options *o); void push_remove_option(struct options *o, const char *p); void remove_iroutes_from_push_route_list(struct options *o); void send_auth_failed(struct context *c, const char *client_reason); void send_restart(struct context *c, const char *kill_msg); #endif #endif /* if P2MP */ #endif /* ifndef PUSH_H */ openvpn-2.4.4/src/openvpn/pushlist.h000066400000000000000000000024601316434344000175120ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #if !defined(PUSHLIST_H) && P2MP && P2MP_SERVER #define PUSHLIST_H /* parameters to be pushed to peer */ struct push_entry { struct push_entry *next; bool enable; const char *option; }; struct push_list { struct push_entry *head; struct push_entry *tail; }; #endif openvpn-2.4.4/src/openvpn/reliable.c000066400000000000000000000501031316434344000174060ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ /* * These routines implement a reliability layer on top of UDP, * so that SSL/TLS can be run over UDP. */ #ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) #include "config-msvc.h" #endif #include "syshead.h" #ifdef ENABLE_CRYPTO #include "buffer.h" #include "error.h" #include "common.h" #include "reliable.h" #include "memdbg.h" /* * verify that test - base < extent while allowing for base or test wraparound */ static inline bool reliable_pid_in_range1(const packet_id_type test, const packet_id_type base, const unsigned int extent) { if (test >= base) { if (test - base < extent) { return true; } } else { if ((test+0x80000000u) - (base+0x80000000u) < extent) { return true; } } return false; } /* * verify that test < base + extent while allowing for base or test wraparound */ static inline bool reliable_pid_in_range2(const packet_id_type test, const packet_id_type base, const unsigned int extent) { if (base + extent >= base) { if (test < base + extent) { return true; } } else { if ((test+0x80000000u) < (base+0x80000000u) + extent) { return true; } } return false; } /* * verify that p1 < p2 while allowing for p1 or p2 wraparound */ static inline bool reliable_pid_min(const packet_id_type p1, const packet_id_type p2) { return !reliable_pid_in_range1(p1, p2, 0x80000000u); } /* check if a particular packet_id is present in ack */ static inline bool reliable_ack_packet_id_present(struct reliable_ack *ack, packet_id_type pid) { int i; for (i = 0; i < ack->len; ++i) { if (ack->packet_id[i] == pid) { return true; } } return false; } /* get a packet_id from buf */ bool reliable_ack_read_packet_id(struct buffer *buf, packet_id_type *pid) { packet_id_type net_pid; if (buf_read(buf, &net_pid, sizeof(net_pid))) { *pid = ntohpid(net_pid); dmsg(D_REL_DEBUG, "ACK read ID " packet_id_format " (buf->len=%d)", (packet_id_print_type)*pid, buf->len); return true; } dmsg(D_REL_LOW, "ACK read ID FAILED (buf->len=%d)", buf->len); return false; } /* acknowledge a packet_id by adding it to a struct reliable_ack */ bool reliable_ack_acknowledge_packet_id(struct reliable_ack *ack, packet_id_type pid) { if (!reliable_ack_packet_id_present(ack, pid) && ack->len < RELIABLE_ACK_SIZE) { ack->packet_id[ack->len++] = pid; dmsg(D_REL_DEBUG, "ACK acknowledge ID " packet_id_format " (ack->len=%d)", (packet_id_print_type)pid, ack->len); return true; } dmsg(D_REL_LOW, "ACK acknowledge ID " packet_id_format " FAILED (ack->len=%d)", (packet_id_print_type)pid, ack->len); return false; } /* read a packet ID acknowledgement record from buf into ack */ bool reliable_ack_read(struct reliable_ack *ack, struct buffer *buf, const struct session_id *sid) { struct gc_arena gc = gc_new(); int i; uint8_t count; packet_id_type net_pid; packet_id_type pid; struct session_id session_id_remote; if (!buf_read(buf, &count, sizeof(count))) { goto error; } for (i = 0; i < count; ++i) { if (!buf_read(buf, &net_pid, sizeof(net_pid))) { goto error; } if (ack->len >= RELIABLE_ACK_SIZE) { goto error; } pid = ntohpid(net_pid); ack->packet_id[ack->len++] = pid; } if (count) { if (!session_id_read(&session_id_remote, buf)) { goto error; } if (!session_id_defined(&session_id_remote) || !session_id_equal(&session_id_remote, sid)) { dmsg(D_REL_LOW, "ACK read BAD SESSION-ID FROM REMOTE, local=%s, remote=%s", session_id_print(sid, &gc), session_id_print(&session_id_remote, &gc)); goto error; } } gc_free(&gc); return true; error: gc_free(&gc); return false; } #define ACK_SIZE(n) (sizeof(uint8_t) + ((n) ? SID_SIZE : 0) + sizeof(packet_id_type) * (n)) /* write a packet ID acknowledgement record to buf, */ /* removing all acknowledged entries from ack */ bool reliable_ack_write(struct reliable_ack *ack, struct buffer *buf, const struct session_id *sid, int max, bool prepend) { int i, j; uint8_t n; struct buffer sub; n = ack->len; if (n > max) { n = max; } sub = buf_sub(buf, ACK_SIZE(n), prepend); if (!BDEF(&sub)) { goto error; } ASSERT(buf_write(&sub, &n, sizeof(n))); for (i = 0; i < n; ++i) { packet_id_type pid = ack->packet_id[i]; packet_id_type net_pid = htonpid(pid); ASSERT(buf_write(&sub, &net_pid, sizeof(net_pid))); dmsg(D_REL_DEBUG, "ACK write ID " packet_id_format " (ack->len=%d, n=%d)", (packet_id_print_type)pid, ack->len, n); } if (n) { ASSERT(session_id_defined(sid)); ASSERT(session_id_write(sid, &sub)); for (i = 0, j = n; j < ack->len; ) { ack->packet_id[i++] = ack->packet_id[j++]; } ack->len = i; } return true; error: return false; } /* add to extra_frame the maximum number of bytes we will need for reliable_ack_write */ void reliable_ack_adjust_frame_parameters(struct frame *frame, int max) { frame_add_to_extra_frame(frame, ACK_SIZE(max)); } /* print a reliable ACK record coming off the wire */ const char * reliable_ack_print(struct buffer *buf, bool verbose, struct gc_arena *gc) { int i; uint8_t n_ack; struct session_id sid_ack; packet_id_type pid; struct buffer out = alloc_buf_gc(256, gc); buf_printf(&out, "["); if (!buf_read(buf, &n_ack, sizeof(n_ack))) { goto done; } for (i = 0; i < n_ack; ++i) { if (!buf_read(buf, &pid, sizeof(pid))) { goto done; } pid = ntohpid(pid); buf_printf(&out, " " packet_id_format, (packet_id_print_type)pid); } if (n_ack) { if (!session_id_read(&sid_ack, buf)) { goto done; } if (verbose) { buf_printf(&out, " sid=%s", session_id_print(&sid_ack, gc)); } } done: buf_printf(&out, " ]"); return BSTR(&out); } /* * struct reliable member functions. */ void reliable_init(struct reliable *rel, int buf_size, int offset, int array_size, bool hold) { int i; CLEAR(*rel); ASSERT(array_size > 0 && array_size <= RELIABLE_CAPACITY); rel->hold = hold; rel->size = array_size; rel->offset = offset; for (i = 0; i < rel->size; ++i) { struct reliable_entry *e = &rel->array[i]; e->buf = alloc_buf(buf_size); ASSERT(buf_init(&e->buf, offset)); } } void reliable_free(struct reliable *rel) { int i; for (i = 0; i < rel->size; ++i) { struct reliable_entry *e = &rel->array[i]; free_buf(&e->buf); } } /* no active buffers? */ bool reliable_empty(const struct reliable *rel) { int i; for (i = 0; i < rel->size; ++i) { const struct reliable_entry *e = &rel->array[i]; if (e->active) { return false; } } return true; } /* del acknowledged items from send buf */ void reliable_send_purge(struct reliable *rel, struct reliable_ack *ack) { int i, j; for (i = 0; i < ack->len; ++i) { packet_id_type pid = ack->packet_id[i]; for (j = 0; j < rel->size; ++j) { struct reliable_entry *e = &rel->array[j]; if (e->active && e->packet_id == pid) { dmsg(D_REL_DEBUG, "ACK received for pid " packet_id_format ", deleting from send buffer", (packet_id_print_type)pid); #if 0 /* DEBUGGING -- how close were we timing out on ACK failure and resending? */ { if (e->next_try) { const interval_t wake = e->next_try - now; msg(M_INFO, "ACK " packet_id_format ", wake=%d", pid, wake); } } #endif e->active = false; break; } } } } /* print the current sequence of active packet IDs */ static const char * reliable_print_ids(const struct reliable *rel, struct gc_arena *gc) { struct buffer out = alloc_buf_gc(256, gc); int i; buf_printf(&out, "[" packet_id_format "]", (packet_id_print_type)rel->packet_id); for (i = 0; i < rel->size; ++i) { const struct reliable_entry *e = &rel->array[i]; if (e->active) { buf_printf(&out, " " packet_id_format, (packet_id_print_type)e->packet_id); } } return BSTR(&out); } /* true if at least one free buffer available */ bool reliable_can_get(const struct reliable *rel) { struct gc_arena gc = gc_new(); int i; for (i = 0; i < rel->size; ++i) { const struct reliable_entry *e = &rel->array[i]; if (!e->active) { return true; } } dmsg(D_REL_LOW, "ACK no free receive buffer available: %s", reliable_print_ids(rel, &gc)); gc_free(&gc); return false; } /* make sure that incoming packet ID isn't a replay */ bool reliable_not_replay(const struct reliable *rel, packet_id_type id) { struct gc_arena gc = gc_new(); int i; if (reliable_pid_min(id, rel->packet_id)) { goto bad; } for (i = 0; i < rel->size; ++i) { const struct reliable_entry *e = &rel->array[i]; if (e->active && e->packet_id == id) { goto bad; } } gc_free(&gc); return true; bad: dmsg(D_REL_DEBUG, "ACK " packet_id_format " is a replay: %s", (packet_id_print_type)id, reliable_print_ids(rel, &gc)); gc_free(&gc); return false; } /* make sure that incoming packet ID won't deadlock the receive buffer */ bool reliable_wont_break_sequentiality(const struct reliable *rel, packet_id_type id) { struct gc_arena gc = gc_new(); const int ret = reliable_pid_in_range2(id, rel->packet_id, rel->size); if (!ret) { dmsg(D_REL_LOW, "ACK " packet_id_format " breaks sequentiality: %s", (packet_id_print_type)id, reliable_print_ids(rel, &gc)); } dmsg(D_REL_DEBUG, "ACK RWBS rel->size=%d rel->packet_id=%08x id=%08x ret=%d\n", rel->size, rel->packet_id, id, ret); gc_free(&gc); return ret; } /* grab a free buffer */ struct buffer * reliable_get_buf(struct reliable *rel) { int i; for (i = 0; i < rel->size; ++i) { struct reliable_entry *e = &rel->array[i]; if (!e->active) { ASSERT(buf_init(&e->buf, rel->offset)); return &e->buf; } } return NULL; } /* grab a free buffer, fail if buffer clogged by unacknowledged low packet IDs */ struct buffer * reliable_get_buf_output_sequenced(struct reliable *rel) { struct gc_arena gc = gc_new(); int i; packet_id_type min_id = 0; bool min_id_defined = false; struct buffer *ret = NULL; /* find minimum active packet_id */ for (i = 0; i < rel->size; ++i) { const struct reliable_entry *e = &rel->array[i]; if (e->active) { if (!min_id_defined || reliable_pid_min(e->packet_id, min_id)) { min_id_defined = true; min_id = e->packet_id; } } } if (!min_id_defined || reliable_pid_in_range1(rel->packet_id, min_id, rel->size)) { ret = reliable_get_buf(rel); } else { dmsg(D_REL_LOW, "ACK output sequence broken: %s", reliable_print_ids(rel, &gc)); } gc_free(&gc); return ret; } /* get active buffer for next sequentially increasing key ID */ struct buffer * reliable_get_buf_sequenced(struct reliable *rel) { int i; for (i = 0; i < rel->size; ++i) { struct reliable_entry *e = &rel->array[i]; if (e->active && e->packet_id == rel->packet_id) { return &e->buf; } } return NULL; } /* return true if reliable_send would return a non-NULL result */ bool reliable_can_send(const struct reliable *rel) { struct gc_arena gc = gc_new(); int i; int n_active = 0, n_current = 0; for (i = 0; i < rel->size; ++i) { const struct reliable_entry *e = &rel->array[i]; if (e->active) { ++n_active; if (now >= e->next_try) { ++n_current; } } } dmsg(D_REL_DEBUG, "ACK reliable_can_send active=%d current=%d : %s", n_active, n_current, reliable_print_ids(rel, &gc)); gc_free(&gc); return n_current > 0 && !rel->hold; } #ifdef EXPONENTIAL_BACKOFF /* return a unique point-in-time to trigger retry */ static time_t reliable_unique_retry(struct reliable *rel, time_t retry) { int i; while (true) { for (i = 0; i < rel->size; ++i) { struct reliable_entry *e = &rel->array[i]; if (e->active && e->next_try == retry) { goto again; } } break; again: ++retry; } return retry; } #endif /* ifdef EXPONENTIAL_BACKOFF */ /* return next buffer to send to remote */ struct buffer * reliable_send(struct reliable *rel, int *opcode) { int i; struct reliable_entry *best = NULL; const time_t local_now = now; for (i = 0; i < rel->size; ++i) { struct reliable_entry *e = &rel->array[i]; if (e->active && local_now >= e->next_try) { if (!best || reliable_pid_min(e->packet_id, best->packet_id)) { best = e; } } } if (best) { #ifdef EXPONENTIAL_BACKOFF /* exponential backoff */ best->next_try = reliable_unique_retry(rel, local_now + best->timeout); best->timeout *= 2; #else /* constant timeout, no backoff */ best->next_try = local_now + best->timeout; #endif *opcode = best->opcode; dmsg(D_REL_DEBUG, "ACK reliable_send ID " packet_id_format " (size=%d to=%d)", (packet_id_print_type)best->packet_id, best->buf.len, (int)(best->next_try - local_now)); return &best->buf; } return NULL; } /* schedule all pending packets for immediate retransmit */ void reliable_schedule_now(struct reliable *rel) { int i; dmsg(D_REL_DEBUG, "ACK reliable_schedule_now"); rel->hold = false; for (i = 0; i < rel->size; ++i) { struct reliable_entry *e = &rel->array[i]; if (e->active) { e->next_try = now; e->timeout = rel->initial_timeout; } } } /* in how many seconds should we wake up to check for timeout */ /* if we return BIG_TIMEOUT, nothing to wait for */ interval_t reliable_send_timeout(const struct reliable *rel) { struct gc_arena gc = gc_new(); interval_t ret = BIG_TIMEOUT; int i; const time_t local_now = now; for (i = 0; i < rel->size; ++i) { const struct reliable_entry *e = &rel->array[i]; if (e->active) { if (e->next_try <= local_now) { ret = 0; break; } else { ret = min_int(ret, e->next_try - local_now); } } } dmsg(D_REL_DEBUG, "ACK reliable_send_timeout %d %s", (int) ret, reliable_print_ids(rel, &gc)); gc_free(&gc); return ret; } /* * Enable an incoming buffer previously returned by a get function as active. */ void reliable_mark_active_incoming(struct reliable *rel, struct buffer *buf, packet_id_type pid, int opcode) { int i; for (i = 0; i < rel->size; ++i) { struct reliable_entry *e = &rel->array[i]; if (buf == &e->buf) { e->active = true; /* packets may not arrive in sequential order */ e->packet_id = pid; /* check for replay */ ASSERT(!reliable_pid_min(pid, rel->packet_id)); e->opcode = opcode; e->next_try = 0; e->timeout = 0; dmsg(D_REL_DEBUG, "ACK mark active incoming ID " packet_id_format, (packet_id_print_type)e->packet_id); return; } } ASSERT(0); /* buf not found in rel */ } /* * Enable an outgoing buffer previously returned by a get function as active. */ void reliable_mark_active_outgoing(struct reliable *rel, struct buffer *buf, int opcode) { int i; for (i = 0; i < rel->size; ++i) { struct reliable_entry *e = &rel->array[i]; if (buf == &e->buf) { /* Write mode, increment packet_id (i.e. sequence number) * linearly and prepend id to packet */ packet_id_type net_pid; e->packet_id = rel->packet_id++; net_pid = htonpid(e->packet_id); ASSERT(buf_write_prepend(buf, &net_pid, sizeof(net_pid))); e->active = true; e->opcode = opcode; e->next_try = 0; e->timeout = rel->initial_timeout; dmsg(D_REL_DEBUG, "ACK mark active outgoing ID " packet_id_format, (packet_id_print_type)e->packet_id); return; } } ASSERT(0); /* buf not found in rel */ } /* delete a buffer previously activated by reliable_mark_active() */ void reliable_mark_deleted(struct reliable *rel, struct buffer *buf, bool inc_pid) { int i; for (i = 0; i < rel->size; ++i) { struct reliable_entry *e = &rel->array[i]; if (buf == &e->buf) { e->active = false; if (inc_pid) { rel->packet_id = e->packet_id + 1; } return; } } ASSERT(0); } #if 0 void reliable_ack_debug_print(const struct reliable_ack *ack, char *desc) { int i; printf("********* struct reliable_ack %s\n", desc); for (i = 0; i < ack->len; ++i) { printf(" %d: " packet_id_format "\n", i, (packet_id_print_type) ack->packet_id[i]); } } void reliable_debug_print(const struct reliable *rel, char *desc) { int i; update_time(); printf("********* struct reliable %s\n", desc); printf(" initial_timeout=%d\n", (int)rel->initial_timeout); printf(" packet_id=" packet_id_format "\n", rel->packet_id); printf(" now=" time_format "\n", now); for (i = 0; i < rel->size; ++i) { const struct reliable_entry *e = &rel->array[i]; if (e->active) { printf(" %d: packet_id=" packet_id_format " len=%d", i, e->packet_id, e->buf.len); printf(" next_try=" time_format, e->next_try); printf("\n"); } } } #endif /* if 0 */ #else /* ifdef ENABLE_CRYPTO */ static void dummy(void) { } #endif /* ENABLE_CRYPTO */ openvpn-2.4.4/src/openvpn/reliable.h000066400000000000000000000361631316434344000174250ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ /** * @file * Reliability Layer module header file. */ #ifdef ENABLE_CRYPTO #ifndef RELIABLE_H #define RELIABLE_H #include "basic.h" #include "buffer.h" #include "packet_id.h" #include "session_id.h" #include "mtu.h" /** @addtogroup reliable * @{ */ #define EXPONENTIAL_BACKOFF #define RELIABLE_ACK_SIZE 8 /**< The maximum number of packet IDs * waiting to be acknowledged which can * be stored in one \c reliable_ack * structure. */ #define RELIABLE_CAPACITY 8 /**< The maximum number of packets that * the reliability layer for one VPN * tunnel in one direction can store. */ /** * The acknowledgment structure in which packet IDs are stored for later * acknowledgment. */ struct reliable_ack { int len; packet_id_type packet_id[RELIABLE_ACK_SIZE]; }; /** * The structure in which the reliability layer stores a single incoming * or outgoing packet. */ struct reliable_entry { bool active; interval_t timeout; time_t next_try; packet_id_type packet_id; int opcode; struct buffer buf; }; /** * The reliability layer storage structure for one VPN tunnel's control * channel in one direction. */ struct reliable { int size; interval_t initial_timeout; packet_id_type packet_id; int offset; bool hold; /* don't xmit until reliable_schedule_now is called */ struct reliable_entry array[RELIABLE_CAPACITY]; }; /**************************************************************************/ /** @name Functions for processing incoming acknowledgments * @{ */ /** * Read an acknowledgment record from a received packet. * * This function reads the packet ID acknowledgment record from the packet * contained in \a buf. If the record contains acknowledgments, these are * stored in \a ack. This function also compares the packet's session ID * with the expected session ID \a sid, which should be equal. * * @param ack The acknowledgment structure in which received * acknowledgments are to be stored. * @param buf The buffer containing the packet. * @param sid The expected session ID to compare to the session ID in * the packet. * * @return * @li True, if processing was successful. * @li False, if an error occurs during processing. */ bool reliable_ack_read(struct reliable_ack *ack, struct buffer *buf, const struct session_id *sid); /** * Remove acknowledged packets from a reliable structure. * * @param rel The reliable structure storing sent packets. * @param ack The acknowledgment structure containing received * acknowledgments. */ void reliable_send_purge(struct reliable *rel, struct reliable_ack *ack); /** @} name Functions for processing incoming acknowledgments */ /**************************************************************************/ /** @name Functions for processing outgoing acknowledgments * @{ */ /** * Check whether an acknowledgment structure contains any * packet IDs to be acknowledged. * * @param ack The acknowledgment structure to check. * * @return * @li True, if the acknowledgment structure is empty. * @li False, if there are packet IDs to be acknowledged. */ static inline bool reliable_ack_empty(struct reliable_ack *ack) { return !ack->len; } /** * Write a packet ID acknowledgment record to a buffer. * * @param ack The acknowledgment structure containing packet IDs to be * acknowledged. * @param buf The buffer into which the acknowledgment record will be * written. * @param sid The session ID of the VPN tunnel associated with the * packet IDs to be acknowledged. * @param max The maximum number of acknowledgments to be written in * the record. * @param prepend If true, prepend the acknowledgment record in the * buffer; if false, write into the buffer's current position. * * @return * @li True, if processing was successful. * @li False, if an error occurs during processing. */ bool reliable_ack_write(struct reliable_ack *ack, struct buffer *buf, const struct session_id *sid, int max, bool prepend); /** @} name Functions for processing outgoing acknowledgments */ /**************************************************************************/ /** @name Functions for initialization and cleanup * @{ */ /** * Initialize a reliable structure. * * @param rel The reliable structure to initialize. * @param buf_size The size of the buffers in which packets will be * stored. * @param offset The size of reserved space at the beginning of the * buffers to allow efficient header prepending. * @param array_size The number of packets that this reliable * structure can store simultaneously. * @param hold description */ void reliable_init(struct reliable *rel, int buf_size, int offset, int array_size, bool hold); /** * Free allocated memory associated with a reliable structure. * * @param rel The reliable structured to clean up. */ void reliable_free(struct reliable *rel); /* add to extra_frame the maximum number of bytes we will need for reliable_ack_write */ void reliable_ack_adjust_frame_parameters(struct frame *frame, int max); /** @} name Functions for initialization and cleanup */ /**************************************************************************/ /** @name Functions for inserting incoming packets * @{ */ /** * Check whether a reliable structure has any free buffers * available for use. * * @param rel The reliable structure to check. * * @return * @li True, if at least one buffer is available for use. * @li False, if all the buffers are active. */ bool reliable_can_get(const struct reliable *rel); /** * Check that a received packet's ID is not a replay. * * @param rel The reliable structure for handling this VPN tunnel's * received packets. * @param id The packet ID of the received packet. * * @return * @li True, if the packet ID is not a replay. * @li False, if the packet ID is a replay. */ bool reliable_not_replay(const struct reliable *rel, packet_id_type id); /** * Check that a received packet's ID can safely be stored in * the reliable structure's processing window. * * This function checks the difference between the received packet's ID * and the lowest non-acknowledged packet ID in the given reliable * structure. If that difference is larger than the total number of * packets which can be stored, then this packet cannot be stored safely, * because the reliable structure could possibly fill up without leaving * room for all intervening packets. In that case, this received packet * could break the reliable structure's sequentiality, and must therefore * be discarded. * * @param rel The reliable structure for handling this VPN tunnel's * received packets. * @param id The packet ID of the received packet. * * @return * @li True, if the packet can safely be stored. * @li False, if the packet does not fit safely in the reliable * structure's processing window. */ bool reliable_wont_break_sequentiality(const struct reliable *rel, packet_id_type id); /** * Read the packet ID of a received packet. * * @param buf The buffer containing the received packet. * @param pid A pointer where the packet's packet ID will be written. * * @return * @li True, if processing was successful. * @li False, if an error occurs during processing. */ bool reliable_ack_read_packet_id(struct buffer *buf, packet_id_type *pid); /** * Get the buffer of a free %reliable entry in which to store a * packet. * * @param rel The reliable structure in which to search for a free * entry. * * @return A pointer to a buffer of a free entry in the \a rel * reliable structure. If there are no free entries available, this * function returns NULL. */ struct buffer *reliable_get_buf(struct reliable *rel); /** * Mark the %reliable entry associated with the given buffer as active * incoming. * * @param rel The reliable structure associated with this packet. * @param buf The buffer into which the packet has been copied. * @param pid The packet's packet ID. * @param opcode The packet's opcode. */ void reliable_mark_active_incoming(struct reliable *rel, struct buffer *buf, packet_id_type pid, int opcode); /** * Record a packet ID for later acknowledgment. * * @param ack The acknowledgment structure which stores this VPN * tunnel's packet IDs for later acknowledgment. * @param pid The packet ID of the received packet which should be * acknowledged. * * @return * @li True, if the packet ID was added to \a ack. * @li False, if the packet ID was already present in \a ack or \a ack * has no free space to store any more packet IDs. */ bool reliable_ack_acknowledge_packet_id(struct reliable_ack *ack, packet_id_type pid); /** @} name Functions for inserting incoming packets */ /**************************************************************************/ /** @name Functions for extracting incoming packets * @{ */ /** * Get the buffer of the next sequential and active entry. * * @param rel The reliable structure from which to retrieve the * buffer. * * @return A pointer to the buffer of the entry with the next * sequential key ID. If no such entry is present, this function * returns NULL. */ struct buffer *reliable_get_buf_sequenced(struct reliable *rel); /** * Remove an entry from a reliable structure. * * @param rel The reliable structure associated with the given buffer. * @param buf The buffer of the reliable entry which is to be removed. * @param inc_pid If true, the reliable structure's packet ID counter * will be incremented. */ void reliable_mark_deleted(struct reliable *rel, struct buffer *buf, bool inc_pid); /** @} name Functions for extracting incoming packets */ /**************************************************************************/ /** @name Functions for inserting outgoing packets * @{ */ /** * Get the buffer of free reliable entry and check whether the * outgoing acknowledgment sequence is still okay. * * @param rel The reliable structure in which to search for a free * entry. * * @return A pointer to a buffer of a free entry in the \a rel * reliable structure. If there are no free entries available, this * function returns NULL. If the outgoing acknowledgment sequence is * broken, this function also returns NULL. */ struct buffer *reliable_get_buf_output_sequenced(struct reliable *rel); /** * Mark the reliable entry associated with the given buffer as * active outgoing. * * @param rel The reliable structure for handling this VPN tunnel's * outgoing packets. * @param buf The buffer previously returned by \c * reliable_get_buf_output_sequenced() into which the packet has been * copied. * @param opcode The packet's opcode. */ void reliable_mark_active_outgoing(struct reliable *rel, struct buffer *buf, int opcode); /** @} name Functions for inserting outgoing packets */ /**************************************************************************/ /** @name Functions for extracting outgoing packets * @{ */ /** * Check whether a reliable structure has any active entries * ready to be (re)sent. * * @param rel The reliable structure to check. * * @return * @li True, if there are active entries ready to be (re)sent * president. * @li False, if there are no active entries, or the active entries * are not yet ready for resending. */ bool reliable_can_send(const struct reliable *rel); /** * Get the next packet to send to the remote peer. * * This function looks for the active entry ready for (re)sending with the * lowest packet ID, and returns the buffer associated with it. This * function also resets the timeout after which that entry will become * ready for resending again. * * @param rel The reliable structure to check. * @param opcode A pointer to an integer in which this function will * store the opcode of the next packet to be sent. * * @return A pointer to the buffer of the next entry to be sent, or * NULL if there are no entries ready for (re)sending present in the * reliable structure. If a valid pointer is returned, then \a opcode * will point to the opcode of that packet. */ struct buffer *reliable_send(struct reliable *rel, int *opcode); /** @} name Functions for extracting outgoing packets */ /**************************************************************************/ /** @name Miscellaneous functions * @{ */ /** * Check whether a reliable structure is empty. * * @param rel The reliable structure to check. * * @return * @li True, if there are no active entries in the given reliable * structure. * @li False, if there is at least one active entry present. */ bool reliable_empty(const struct reliable *rel); /** * Determined how many seconds until the earliest resend should * be attempted. * * @param rel The reliable structured to check. * * @return The interval in seconds until the earliest resend attempt * of the outgoing packets stored in the \a rel reliable structure. If * the next time for attempting resending of one or more packets has * already passed, this function will return 0. */ interval_t reliable_send_timeout(const struct reliable *rel); /** * Reschedule all entries of a reliable structure to be ready * for (re)sending immediately. * * @param rel The reliable structure of which the entries should be * modified. */ void reliable_schedule_now(struct reliable *rel); void reliable_debug_print(const struct reliable *rel, char *desc); /* set sending timeout (after this time we send again until ACK) */ static inline void reliable_set_timeout(struct reliable *rel, interval_t timeout) { rel->initial_timeout = timeout; } /* print a reliable ACK record coming off the wire */ const char *reliable_ack_print(struct buffer *buf, bool verbose, struct gc_arena *gc); void reliable_ack_debug_print(const struct reliable_ack *ack, char *desc); /** @} name Miscellaneous functions */ /** @} addtogroup reliable */ #endif /* RELIABLE_H */ #endif /* ENABLE_CRYPTO */ openvpn-2.4.4/src/openvpn/route.c000066400000000000000000003524271316434344000170030ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ /* * Support routines for adding/deleting network routes. */ #ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) #include "config-msvc.h" #endif #include "syshead.h" #include "common.h" #include "error.h" #include "route.h" #include "misc.h" #include "socket.h" #include "manage.h" #include "win32.h" #include "options.h" #include "memdbg.h" #if defined(TARGET_LINUX) || defined(TARGET_ANDROID) #include /* RTM_GETROUTE etc. */ #endif #ifdef _WIN32 #include "openvpn-msg.h" #define METRIC_NOT_USED ((DWORD)-1) static bool add_route_service(const struct route_ipv4 *, const struct tuntap *); static bool del_route_service(const struct route_ipv4 *, const struct tuntap *); static bool add_route_ipv6_service(const struct route_ipv6 *, const struct tuntap *); static bool del_route_ipv6_service(const struct route_ipv6 *, const struct tuntap *); #endif static void delete_route(struct route_ipv4 *r, const struct tuntap *tt, unsigned int flags, const struct route_gateway_info *rgi, const struct env_set *es); static void get_bypass_addresses(struct route_bypass *rb, const unsigned int flags); #ifdef ENABLE_DEBUG static void print_bypass_addresses(const struct route_bypass *rb) { struct gc_arena gc = gc_new(); int i; for (i = 0; i < rb->n_bypass; ++i) { msg(D_ROUTE, "ROUTE: bypass_host_route[%d]=%s", i, print_in_addr_t(rb->bypass[i], 0, &gc)); } gc_free(&gc); } #endif static bool add_bypass_address(struct route_bypass *rb, const in_addr_t a) { int i; for (i = 0; i < rb->n_bypass; ++i) { if (a == rb->bypass[i]) /* avoid duplicates */ { return true; } } if (rb->n_bypass < N_ROUTE_BYPASS) { rb->bypass[rb->n_bypass++] = a; return true; } else { return false; } } struct route_option_list * new_route_option_list(struct gc_arena *a) { struct route_option_list *ret; ALLOC_OBJ_CLEAR_GC(ret, struct route_option_list, a); ret->gc = a; return ret; } struct route_ipv6_option_list * new_route_ipv6_option_list(struct gc_arena *a) { struct route_ipv6_option_list *ret; ALLOC_OBJ_CLEAR_GC(ret, struct route_ipv6_option_list, a); ret->gc = a; return ret; } /* * NOTE: structs are cloned/copied shallow by design. * The routes list from src will stay intact since it is allocated using * the options->gc. The cloned/copied lists will share this common tail * to avoid copying the data around between pulls. Pulled routes use * the c2->gc so they get freed immediately after a reconnect. */ struct route_option_list * clone_route_option_list(const struct route_option_list *src, struct gc_arena *a) { struct route_option_list *ret; ALLOC_OBJ_GC(ret, struct route_option_list, a); *ret = *src; return ret; } struct route_ipv6_option_list * clone_route_ipv6_option_list(const struct route_ipv6_option_list *src, struct gc_arena *a) { struct route_ipv6_option_list *ret; ALLOC_OBJ_GC(ret, struct route_ipv6_option_list, a); *ret = *src; return ret; } void copy_route_option_list(struct route_option_list *dest, const struct route_option_list *src, struct gc_arena *a) { *dest = *src; dest->gc = a; } void copy_route_ipv6_option_list(struct route_ipv6_option_list *dest, const struct route_ipv6_option_list *src, struct gc_arena *a) { *dest = *src; dest->gc = a; } static const char * route_string(const struct route_ipv4 *r, struct gc_arena *gc) { struct buffer out = alloc_buf_gc(256, gc); buf_printf(&out, "ROUTE network %s netmask %s gateway %s", print_in_addr_t(r->network, 0, gc), print_in_addr_t(r->netmask, 0, gc), print_in_addr_t(r->gateway, 0, gc) ); if (r->flags & RT_METRIC_DEFINED) { buf_printf(&out, " metric %d", r->metric); } return BSTR(&out); } static bool is_route_parm_defined(const char *parm) { if (!parm) { return false; } if (!strcmp(parm, "default")) { return false; } return true; } static void setenv_route_addr(struct env_set *es, const char *key, const in_addr_t addr, int i) { struct gc_arena gc = gc_new(); struct buffer name = alloc_buf_gc(256, &gc); if (i >= 0) { buf_printf(&name, "route_%s_%d", key, i); } else { buf_printf(&name, "route_%s", key); } setenv_str(es, BSTR(&name), print_in_addr_t(addr, 0, &gc)); gc_free(&gc); } static bool get_special_addr(const struct route_list *rl, const char *string, in_addr_t *out, bool *status) { if (status) { *status = true; } if (!strcmp(string, "vpn_gateway")) { if (rl) { if (rl->spec.flags & RTSA_REMOTE_ENDPOINT) { *out = rl->spec.remote_endpoint; } else { msg(M_INFO, PACKAGE_NAME " ROUTE: vpn_gateway undefined"); if (status) { *status = false; } } } return true; } else if (!strcmp(string, "net_gateway")) { if (rl) { if (rl->rgi.flags & RGI_ADDR_DEFINED) { *out = rl->rgi.gateway.addr; } else { msg(M_INFO, PACKAGE_NAME " ROUTE: net_gateway undefined -- unable to get default gateway from system"); if (status) { *status = false; } } } return true; } else if (!strcmp(string, "remote_host")) { if (rl) { if (rl->spec.flags & RTSA_REMOTE_HOST) { *out = rl->spec.remote_host; } else { msg(M_INFO, PACKAGE_NAME " ROUTE: remote_host undefined"); if (status) { *status = false; } } } return true; } return false; } bool is_special_addr(const char *addr_str) { if (addr_str) { return get_special_addr(NULL, addr_str, NULL, NULL); } else { return false; } } static bool init_route(struct route_ipv4 *r, struct addrinfo **network_list, const struct route_option *ro, const struct route_list *rl) { const in_addr_t default_netmask = IPV4_NETMASK_HOST; bool status; int ret; struct in_addr special; CLEAR(*r); r->option = ro; /* network */ if (!is_route_parm_defined(ro->network)) { goto fail; } /* get_special_addr replaces specialaddr with a special ip addr * like gw. getaddrinfo is called to convert a a addrinfo struct */ if (get_special_addr(rl, ro->network, (in_addr_t *) &special.s_addr, &status)) { special.s_addr = htonl(special.s_addr); ret = openvpn_getaddrinfo(0, inet_ntoa(special), NULL, 0, NULL, AF_INET, network_list); } else { ret = openvpn_getaddrinfo(GETADDR_RESOLVE | GETADDR_WARN_ON_SIGNAL, ro->network, NULL, 0, NULL, AF_INET, network_list); } status = (ret == 0); if (!status) { goto fail; } /* netmask */ if (is_route_parm_defined(ro->netmask)) { r->netmask = getaddr( GETADDR_HOST_ORDER | GETADDR_WARN_ON_SIGNAL, ro->netmask, 0, &status, NULL); if (!status) { goto fail; } } else { r->netmask = default_netmask; } /* gateway */ if (is_route_parm_defined(ro->gateway)) { if (!get_special_addr(rl, ro->gateway, &r->gateway, &status)) { r->gateway = getaddr( GETADDR_RESOLVE | GETADDR_HOST_ORDER | GETADDR_WARN_ON_SIGNAL, ro->gateway, 0, &status, NULL); } if (!status) { goto fail; } } else { if (rl->spec.flags & RTSA_REMOTE_ENDPOINT) { r->gateway = rl->spec.remote_endpoint; } else { msg(M_WARN, PACKAGE_NAME " ROUTE: " PACKAGE_NAME " needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options"); goto fail; } } /* metric */ r->metric = 0; if (is_route_parm_defined(ro->metric)) { r->metric = atoi(ro->metric); if (r->metric < 0) { msg(M_WARN, PACKAGE_NAME " ROUTE: route metric for network %s (%s) must be >= 0", ro->network, ro->metric); goto fail; } r->flags |= RT_METRIC_DEFINED; } else if (rl->spec.flags & RTSA_DEFAULT_METRIC) { r->metric = rl->spec.default_metric; r->flags |= RT_METRIC_DEFINED; } r->flags |= RT_DEFINED; return true; fail: msg(M_WARN, PACKAGE_NAME " ROUTE: failed to parse/resolve route for host/network: %s", ro->network); return false; } static bool init_route_ipv6(struct route_ipv6 *r6, const struct route_ipv6_option *r6o, const struct route_ipv6_list *rl6 ) { CLEAR(*r6); if (!get_ipv6_addr( r6o->prefix, &r6->network, &r6->netbits, M_WARN )) { goto fail; } /* gateway */ if (is_route_parm_defined(r6o->gateway)) { if (inet_pton( AF_INET6, r6o->gateway, &r6->gateway ) != 1) { msg( M_WARN, PACKAGE_NAME "ROUTE6: cannot parse gateway spec '%s'", r6o->gateway ); } } else if (rl6->spec_flags & RTSA_REMOTE_ENDPOINT) { r6->gateway = rl6->remote_endpoint_ipv6; } else { msg(M_WARN, PACKAGE_NAME " ROUTE6: " PACKAGE_NAME " needs a gateway parameter for a --route-ipv6 option and no default was specified by either --route-ipv6-gateway or --ifconfig-ipv6 options"); goto fail; } /* metric */ r6->metric = -1; if (is_route_parm_defined(r6o->metric)) { r6->metric = atoi(r6o->metric); if (r6->metric < 0) { msg(M_WARN, PACKAGE_NAME " ROUTE: route metric for network %s (%s) must be >= 0", r6o->prefix, r6o->metric); goto fail; } r6->flags |= RT_METRIC_DEFINED; } else if (rl6->spec_flags & RTSA_DEFAULT_METRIC) { r6->metric = rl6->default_metric; r6->flags |= RT_METRIC_DEFINED; } r6->flags |= RT_DEFINED; return true; fail: msg(M_WARN, PACKAGE_NAME " ROUTE: failed to parse/resolve route for host/network: %s", r6o->prefix); return false; } void add_route_to_option_list(struct route_option_list *l, const char *network, const char *netmask, const char *gateway, const char *metric) { struct route_option *ro; ALLOC_OBJ_GC(ro, struct route_option, l->gc); ro->network = network; ro->netmask = netmask; ro->gateway = gateway; ro->metric = metric; ro->next = l->routes; l->routes = ro; } void add_route_ipv6_to_option_list(struct route_ipv6_option_list *l, const char *prefix, const char *gateway, const char *metric) { struct route_ipv6_option *ro; ALLOC_OBJ_GC(ro, struct route_ipv6_option, l->gc); ro->prefix = prefix; ro->gateway = gateway; ro->metric = metric; ro->next = l->routes_ipv6; l->routes_ipv6 = ro; } static void clear_route_list(struct route_list *rl) { gc_free(&rl->gc); CLEAR(*rl); } static void clear_route_ipv6_list(struct route_ipv6_list *rl6) { gc_free(&rl6->gc); CLEAR(*rl6); } void route_list_add_vpn_gateway(struct route_list *rl, struct env_set *es, const in_addr_t addr) { ASSERT(rl); rl->spec.remote_endpoint = addr; rl->spec.flags |= RTSA_REMOTE_ENDPOINT; setenv_route_addr(es, "vpn_gateway", rl->spec.remote_endpoint, -1); } static void add_block_local_item(struct route_list *rl, const struct route_gateway_address *gateway, in_addr_t target) { const int rgi_needed = (RGI_ADDR_DEFINED|RGI_NETMASK_DEFINED); if ((rl->rgi.flags & rgi_needed) == rgi_needed && rl->rgi.gateway.netmask < 0xFFFFFFFF) { struct route_ipv4 *r1, *r2; unsigned int l2; ALLOC_OBJ_GC(r1, struct route_ipv4, &rl->gc); ALLOC_OBJ_GC(r2, struct route_ipv4, &rl->gc); /* split a route into two smaller blocking routes, and direct them to target */ l2 = ((~gateway->netmask)+1)>>1; r1->flags = RT_DEFINED; r1->gateway = target; r1->network = gateway->addr & gateway->netmask; r1->netmask = ~(l2-1); r1->next = rl->routes; rl->routes = r1; *r2 = *r1; r2->network += l2; r2->next = rl->routes; rl->routes = r2; } } static void add_block_local(struct route_list *rl) { const int rgi_needed = (RGI_ADDR_DEFINED|RGI_NETMASK_DEFINED); if ((rl->flags & RG_BLOCK_LOCAL) && (rl->rgi.flags & rgi_needed) == rgi_needed && (rl->spec.flags & RTSA_REMOTE_ENDPOINT) && rl->spec.remote_host_local != TLA_LOCAL) { size_t i; #ifndef TARGET_ANDROID /* add bypass for gateway addr */ add_bypass_address(&rl->spec.bypass, rl->rgi.gateway.addr); #endif /* block access to local subnet */ add_block_local_item(rl, &rl->rgi.gateway, rl->spec.remote_endpoint); /* process additional subnets on gateway interface */ for (i = 0; i < rl->rgi.n_addrs; ++i) { const struct route_gateway_address *gwa = &rl->rgi.addrs[i]; /* omit the add/subnet in &rl->rgi which we processed above */ if (!((rl->rgi.gateway.addr & rl->rgi.gateway.netmask) == (gwa->addr & gwa->netmask) && rl->rgi.gateway.netmask == gwa->netmask)) { add_block_local_item(rl, gwa, rl->spec.remote_endpoint); } } } } bool init_route_list(struct route_list *rl, const struct route_option_list *opt, const char *remote_endpoint, int default_metric, in_addr_t remote_host, struct env_set *es) { struct gc_arena gc = gc_new(); bool ret = true; clear_route_list(rl); rl->flags = opt->flags; if (remote_host) { rl->spec.remote_host = remote_host; rl->spec.flags |= RTSA_REMOTE_HOST; } if (default_metric) { rl->spec.default_metric = default_metric; rl->spec.flags |= RTSA_DEFAULT_METRIC; } get_default_gateway(&rl->rgi); if (rl->rgi.flags & RGI_ADDR_DEFINED) { setenv_route_addr(es, "net_gateway", rl->rgi.gateway.addr, -1); #if defined(ENABLE_DEBUG) && !defined(ENABLE_SMALL) print_default_gateway(D_ROUTE, &rl->rgi, NULL); #endif } else { dmsg(D_ROUTE, "ROUTE: default_gateway=UNDEF"); } if (rl->spec.flags & RTSA_REMOTE_HOST) { rl->spec.remote_host_local = test_local_addr(remote_host, &rl->rgi); } if (is_route_parm_defined(remote_endpoint)) { bool defined = false; rl->spec.remote_endpoint = getaddr( GETADDR_RESOLVE | GETADDR_HOST_ORDER | GETADDR_WARN_ON_SIGNAL, remote_endpoint, 0, &defined, NULL); if (defined) { setenv_route_addr(es, "vpn_gateway", rl->spec.remote_endpoint, -1); rl->spec.flags |= RTSA_REMOTE_ENDPOINT; } else { msg(M_WARN, PACKAGE_NAME " ROUTE: failed to parse/resolve default gateway: %s", remote_endpoint); ret = false; } } if (rl->flags & RG_ENABLE) { add_block_local(rl); get_bypass_addresses(&rl->spec.bypass, rl->flags); #ifdef ENABLE_DEBUG print_bypass_addresses(&rl->spec.bypass); #endif } /* parse the routes from opt to rl */ { struct route_option *ro; for (ro = opt->routes; ro; ro = ro->next) { struct addrinfo *netlist = NULL; struct route_ipv4 r; if (!init_route(&r, &netlist, ro, rl)) { ret = false; } else { struct addrinfo *curele; for (curele = netlist; curele; curele = curele->ai_next) { struct route_ipv4 *new; ALLOC_OBJ_GC(new, struct route_ipv4, &rl->gc); *new = r; new->network = ntohl(((struct sockaddr_in *)curele->ai_addr)->sin_addr.s_addr); new->next = rl->routes; rl->routes = new; } } if (netlist) { gc_addspecial(netlist, &gc_freeaddrinfo_callback, &gc); } } } gc_free(&gc); return ret; } /* check whether an IPv6 host address is covered by a given route_ipv6 * (not the most beautiful implementation in the world, but portable and * "good enough") */ static bool route_ipv6_match_host( const struct route_ipv6 *r6, const struct in6_addr *host ) { unsigned int bits = r6->netbits; int i; unsigned int mask; if (bits>128) { return false; } for (i = 0; bits >= 8; i++, bits -= 8) { if (r6->network.s6_addr[i] != host->s6_addr[i]) { return false; } } if (bits == 0) { return true; } mask = 0xff << (8-bits); if ( (r6->network.s6_addr[i] & mask) == (host->s6_addr[i] & mask )) { return true; } return false; } bool init_route_ipv6_list(struct route_ipv6_list *rl6, const struct route_ipv6_option_list *opt6, const char *remote_endpoint, int default_metric, const struct in6_addr *remote_host_ipv6, struct env_set *es) { struct gc_arena gc = gc_new(); bool ret = true; bool need_remote_ipv6_route; clear_route_ipv6_list(rl6); rl6->flags = opt6->flags; if (remote_host_ipv6) { rl6->remote_host_ipv6 = *remote_host_ipv6; rl6->spec_flags |= RTSA_REMOTE_HOST; } if (default_metric >= 0) { rl6->default_metric = default_metric; rl6->spec_flags |= RTSA_DEFAULT_METRIC; } msg(D_ROUTE, "GDG6: remote_host_ipv6=%s", remote_host_ipv6 ? print_in6_addr(*remote_host_ipv6, 0, &gc) : "n/a" ); get_default_gateway_ipv6(&rl6->rgi6, remote_host_ipv6); if (rl6->rgi6.flags & RGI_ADDR_DEFINED) { setenv_str(es, "net_gateway_ipv6", print_in6_addr(rl6->rgi6.gateway.addr_ipv6, 0, &gc)); #if defined(ENABLE_DEBUG) && !defined(ENABLE_SMALL) print_default_gateway(D_ROUTE, NULL, &rl6->rgi6); #endif } else { dmsg(D_ROUTE, "ROUTE6: default_gateway=UNDEF"); } if (is_route_parm_defined( remote_endpoint )) { if (inet_pton( AF_INET6, remote_endpoint, &rl6->remote_endpoint_ipv6) == 1) { rl6->spec_flags |= RTSA_REMOTE_ENDPOINT; } else { msg(M_WARN, PACKAGE_NAME " ROUTE: failed to parse/resolve VPN endpoint: %s", remote_endpoint); ret = false; } } /* parse the routes from opt6 to rl6 * discovering potential overlaps with remote_host_ipv6 in the process */ need_remote_ipv6_route = false; { struct route_ipv6_option *ro6; for (ro6 = opt6->routes_ipv6; ro6; ro6 = ro6->next) { struct route_ipv6 *r6; ALLOC_OBJ_GC(r6, struct route_ipv6, &rl6->gc); if (!init_route_ipv6(r6, ro6, rl6)) { ret = false; } else { r6->next = rl6->routes_ipv6; rl6->routes_ipv6 = r6; #ifndef TARGET_ANDROID /* On Android the VPNService protect function call will take of * avoiding routing loops, so ignore this part and let * need_remote_ipv6_route always evaluate to false */ if (remote_host_ipv6 && route_ipv6_match_host( r6, remote_host_ipv6 ) ) { need_remote_ipv6_route = true; msg(D_ROUTE, "ROUTE6: %s/%d overlaps IPv6 remote %s, adding host route to VPN endpoint", print_in6_addr(r6->network, 0, &gc), r6->netbits, print_in6_addr(*remote_host_ipv6, 0, &gc)); } #endif } } } /* add VPN server host route if needed */ if (need_remote_ipv6_route) { if ( (rl6->rgi6.flags & (RGI_ADDR_DEFINED|RGI_IFACE_DEFINED) ) == (RGI_ADDR_DEFINED|RGI_IFACE_DEFINED) ) { struct route_ipv6 *r6; ALLOC_OBJ_CLEAR_GC(r6, struct route_ipv6, &rl6->gc); r6->network = *remote_host_ipv6; r6->netbits = 128; if (!(rl6->rgi6.flags & RGI_ON_LINK) ) { r6->gateway = rl6->rgi6.gateway.addr_ipv6; } r6->metric = 1; #ifdef _WIN32 r6->adapter_index = rl6->rgi6.adapter_index; #else r6->iface = rl6->rgi6.iface; #endif r6->flags = RT_DEFINED | RT_METRIC_DEFINED; r6->next = rl6->routes_ipv6; rl6->routes_ipv6 = r6; } else { msg(M_WARN, "ROUTE6: IPv6 route overlaps with IPv6 remote address, but could not determine IPv6 gateway address + interface, expect failure\n" ); } } gc_free(&gc); return ret; } static void add_route3(in_addr_t network, in_addr_t netmask, in_addr_t gateway, const struct tuntap *tt, unsigned int flags, const struct route_gateway_info *rgi, const struct env_set *es) { struct route_ipv4 r; CLEAR(r); r.flags = RT_DEFINED; r.network = network; r.netmask = netmask; r.gateway = gateway; add_route(&r, tt, flags, rgi, es); } static void del_route3(in_addr_t network, in_addr_t netmask, in_addr_t gateway, const struct tuntap *tt, unsigned int flags, const struct route_gateway_info *rgi, const struct env_set *es) { struct route_ipv4 r; CLEAR(r); r.flags = RT_DEFINED|RT_ADDED; r.network = network; r.netmask = netmask; r.gateway = gateway; delete_route(&r, tt, flags, rgi, es); } static void add_bypass_routes(struct route_bypass *rb, in_addr_t gateway, const struct tuntap *tt, unsigned int flags, const struct route_gateway_info *rgi, const struct env_set *es) { int i; for (i = 0; i < rb->n_bypass; ++i) { if (rb->bypass[i]) { add_route3(rb->bypass[i], IPV4_NETMASK_HOST, gateway, tt, flags | ROUTE_REF_GW, rgi, es); } } } static void del_bypass_routes(struct route_bypass *rb, in_addr_t gateway, const struct tuntap *tt, unsigned int flags, const struct route_gateway_info *rgi, const struct env_set *es) { int i; for (i = 0; i < rb->n_bypass; ++i) { if (rb->bypass[i]) { del_route3(rb->bypass[i], IPV4_NETMASK_HOST, gateway, tt, flags | ROUTE_REF_GW, rgi, es); } } } static void redirect_default_route_to_vpn(struct route_list *rl, const struct tuntap *tt, unsigned int flags, const struct env_set *es) { const char err[] = "NOTE: unable to redirect default gateway --"; if (rl && rl->flags & RG_ENABLE) { bool local = rl->flags & RG_LOCAL; if (!(rl->spec.flags & RTSA_REMOTE_ENDPOINT) && (rl->flags & RG_REROUTE_GW)) { msg(M_WARN, "%s VPN gateway parameter (--route-gateway or --ifconfig) is missing", err); } /* * check if a default route is defined, unless: * - we are connecting to a remote host in our network * - we are connecting to a non-IPv4 remote host (i.e. we use IPv6) */ else if (!(rl->rgi.flags & RGI_ADDR_DEFINED) && !local && (rl->spec.remote_host != IPV4_INVALID_ADDR)) { msg(M_WARN, "%s Cannot read current default gateway from system", err); } else if (!(rl->spec.flags & RTSA_REMOTE_HOST)) { msg(M_WARN, "%s Cannot obtain current remote host address", err); } else { #ifndef TARGET_ANDROID if (rl->flags & RG_AUTO_LOCAL) { const int tla = rl->spec.remote_host_local; if (tla == TLA_NONLOCAL) { dmsg(D_ROUTE, "ROUTE remote_host is NOT LOCAL"); local = false; } else if (tla == TLA_LOCAL) { dmsg(D_ROUTE, "ROUTE remote_host is LOCAL"); local = true; } } if (!local) { /* route remote host to original default gateway */ /* if remote_host is not ipv4 (ie: ipv6), just skip * adding this special /32 route */ if (rl->spec.remote_host != IPV4_INVALID_ADDR) { add_route3(rl->spec.remote_host, IPV4_NETMASK_HOST, rl->rgi.gateway.addr, tt, flags | ROUTE_REF_GW, &rl->rgi, es); rl->iflags |= RL_DID_LOCAL; } else { dmsg(D_ROUTE, "ROUTE remote_host protocol differs from tunneled"); } } #endif /* ifndef TARGET_ANDROID */ /* route DHCP/DNS server traffic through original default gateway */ add_bypass_routes(&rl->spec.bypass, rl->rgi.gateway.addr, tt, flags, &rl->rgi, es); if (rl->flags & RG_REROUTE_GW) { if (rl->flags & RG_DEF1) { /* add new default route (1st component) */ add_route3(0x00000000, 0x80000000, rl->spec.remote_endpoint, tt, flags, &rl->rgi, es); /* add new default route (2nd component) */ add_route3(0x80000000, 0x80000000, rl->spec.remote_endpoint, tt, flags, &rl->rgi, es); } else { /* don't try to remove the def route if it does not exist */ if (rl->rgi.flags & RGI_ADDR_DEFINED) { /* delete default route */ del_route3(0, 0, rl->rgi.gateway.addr, tt, flags | ROUTE_REF_GW, &rl->rgi, es); } /* add new default route */ add_route3(0, 0, rl->spec.remote_endpoint, tt, flags, &rl->rgi, es); } } /* set a flag so we can undo later */ rl->iflags |= RL_DID_REDIRECT_DEFAULT_GATEWAY; } } } static void undo_redirect_default_route_to_vpn(struct route_list *rl, const struct tuntap *tt, unsigned int flags, const struct env_set *es) { if (rl && rl->iflags & RL_DID_REDIRECT_DEFAULT_GATEWAY) { /* delete remote host route */ if (rl->iflags & RL_DID_LOCAL) { del_route3(rl->spec.remote_host, IPV4_NETMASK_HOST, rl->rgi.gateway.addr, tt, flags | ROUTE_REF_GW, &rl->rgi, es); rl->iflags &= ~RL_DID_LOCAL; } /* delete special DHCP/DNS bypass route */ del_bypass_routes(&rl->spec.bypass, rl->rgi.gateway.addr, tt, flags, &rl->rgi, es); if (rl->flags & RG_REROUTE_GW) { if (rl->flags & RG_DEF1) { /* delete default route (1st component) */ del_route3(0x00000000, 0x80000000, rl->spec.remote_endpoint, tt, flags, &rl->rgi, es); /* delete default route (2nd component) */ del_route3(0x80000000, 0x80000000, rl->spec.remote_endpoint, tt, flags, &rl->rgi, es); } else { /* delete default route */ del_route3(0, 0, rl->spec.remote_endpoint, tt, flags, &rl->rgi, es); /* restore original default route if there was any */ if (rl->rgi.flags & RGI_ADDR_DEFINED) { add_route3(0, 0, rl->rgi.gateway.addr, tt, flags | ROUTE_REF_GW, &rl->rgi, es); } } } rl->iflags &= ~RL_DID_REDIRECT_DEFAULT_GATEWAY; } } void add_routes(struct route_list *rl, struct route_ipv6_list *rl6, const struct tuntap *tt, unsigned int flags, const struct env_set *es) { redirect_default_route_to_vpn(rl, tt, flags, es); if (rl && !(rl->iflags & RL_ROUTES_ADDED) ) { struct route_ipv4 *r; #ifdef ENABLE_MANAGEMENT if (management && rl->routes) { management_set_state(management, OPENVPN_STATE_ADD_ROUTES, NULL, NULL, NULL, NULL, NULL); } #endif for (r = rl->routes; r; r = r->next) { check_subnet_conflict(r->network, r->netmask, "route"); if (flags & ROUTE_DELETE_FIRST) { delete_route(r, tt, flags, &rl->rgi, es); } add_route(r, tt, flags, &rl->rgi, es); } rl->iflags |= RL_ROUTES_ADDED; } if (rl6 && !(rl6->iflags & RL_ROUTES_ADDED) ) { struct route_ipv6 *r; if (!tt->did_ifconfig_ipv6_setup) { msg(M_INFO, "WARNING: OpenVPN was configured to add an IPv6 " "route over %s. However, no IPv6 has been configured for " "this interface, therefore the route installation may " "fail or may not work as expected.", tt->actual_name); } for (r = rl6->routes_ipv6; r; r = r->next) { if (flags & ROUTE_DELETE_FIRST) { delete_route_ipv6(r, tt, flags, es); } add_route_ipv6(r, tt, flags, es); } rl6->iflags |= RL_ROUTES_ADDED; } } void delete_routes(struct route_list *rl, struct route_ipv6_list *rl6, const struct tuntap *tt, unsigned int flags, const struct env_set *es) { if (rl && rl->iflags & RL_ROUTES_ADDED) { struct route_ipv4 *r; for (r = rl->routes; r; r = r->next) { delete_route(r, tt, flags, &rl->rgi, es); } rl->iflags &= ~RL_ROUTES_ADDED; } undo_redirect_default_route_to_vpn(rl, tt, flags, es); if (rl) { clear_route_list(rl); } if (rl6 && (rl6->iflags & RL_ROUTES_ADDED) ) { struct route_ipv6 *r6; for (r6 = rl6->routes_ipv6; r6; r6 = r6->next) { delete_route_ipv6(r6, tt, flags, es); } rl6->iflags &= ~RL_ROUTES_ADDED; } if (rl6) { clear_route_ipv6_list(rl6); } } #ifndef ENABLE_SMALL static const char * show_opt(const char *option) { if (!option) { return "default (not set)"; } else { return option; } } static void print_route_option(const struct route_option *ro, int level) { msg(level, " route %s/%s/%s/%s", show_opt(ro->network), show_opt(ro->netmask), show_opt(ro->gateway), show_opt(ro->metric)); } void print_route_options(const struct route_option_list *rol, int level) { struct route_option *ro; if (rol->flags & RG_ENABLE) { msg(level, " [redirect_default_gateway local=%d]", (rol->flags & RG_LOCAL) != 0); } for (ro = rol->routes; ro; ro = ro->next) { print_route_option(ro, level); } } void print_default_gateway(const int msglevel, const struct route_gateway_info *rgi, const struct route_ipv6_gateway_info *rgi6) { struct gc_arena gc = gc_new(); if (rgi && (rgi->flags & RGI_ADDR_DEFINED)) { struct buffer out = alloc_buf_gc(256, &gc); buf_printf(&out, "ROUTE_GATEWAY"); if (rgi->flags & RGI_ON_LINK) { buf_printf(&out, " ON_LINK"); } else { buf_printf(&out, " %s", print_in_addr_t(rgi->gateway.addr, 0, &gc)); } if (rgi->flags & RGI_NETMASK_DEFINED) { buf_printf(&out, "/%s", print_in_addr_t(rgi->gateway.netmask, 0, &gc)); } #ifdef _WIN32 if (rgi->flags & RGI_IFACE_DEFINED) { buf_printf(&out, " I=%u", (unsigned int)rgi->adapter_index); } #else if (rgi->flags & RGI_IFACE_DEFINED) { buf_printf(&out, " IFACE=%s", rgi->iface); } #endif if (rgi->flags & RGI_HWADDR_DEFINED) { buf_printf(&out, " HWADDR=%s", format_hex_ex(rgi->hwaddr, 6, 0, 1, ":", &gc)); } msg(msglevel, "%s", BSTR(&out)); } if (rgi6 && (rgi6->flags & RGI_ADDR_DEFINED)) { struct buffer out = alloc_buf_gc(256, &gc); buf_printf(&out, "ROUTE6_GATEWAY"); buf_printf(&out, " %s", print_in6_addr(rgi6->gateway.addr_ipv6, 0, &gc)); if (rgi6->flags & RGI_ON_LINK) { buf_printf(&out, " ON_LINK"); } if (rgi6->flags & RGI_NETMASK_DEFINED) { buf_printf(&out, "/%d", rgi6->gateway.netbits_ipv6); } #ifdef _WIN32 if (rgi6->flags & RGI_IFACE_DEFINED) { buf_printf(&out, " I=%u", (unsigned int)rgi6->adapter_index); } #else if (rgi6->flags & RGI_IFACE_DEFINED) { buf_printf(&out, " IFACE=%s", rgi6->iface); } #endif if (rgi6->flags & RGI_HWADDR_DEFINED) { buf_printf(&out, " HWADDR=%s", format_hex_ex(rgi6->hwaddr, 6, 0, 1, ":", &gc)); } msg(msglevel, "%s", BSTR(&out)); } gc_free(&gc); } #endif /* ifndef ENABLE_SMALL */ static void print_route(const struct route_ipv4 *r, int level) { struct gc_arena gc = gc_new(); if (r->flags & RT_DEFINED) { msg(level, "%s", route_string(r, &gc)); } gc_free(&gc); } void print_routes(const struct route_list *rl, int level) { struct route_ipv4 *r; for (r = rl->routes; r; r = r->next) { print_route(r, level); } } static void setenv_route(struct env_set *es, const struct route_ipv4 *r, int i) { struct gc_arena gc = gc_new(); if (r->flags & RT_DEFINED) { setenv_route_addr(es, "network", r->network, i); setenv_route_addr(es, "netmask", r->netmask, i); setenv_route_addr(es, "gateway", r->gateway, i); if (r->flags & RT_METRIC_DEFINED) { struct buffer name = alloc_buf_gc(256, &gc); buf_printf(&name, "route_metric_%d", i); setenv_int(es, BSTR(&name), r->metric); } } gc_free(&gc); } void setenv_routes(struct env_set *es, const struct route_list *rl) { int i = 1; struct route_ipv4 *r; for (r = rl->routes; r; r = r->next) { setenv_route(es, r, i++); } } static void setenv_route_ipv6(struct env_set *es, const struct route_ipv6 *r6, int i) { struct gc_arena gc = gc_new(); if (r6->flags & RT_DEFINED) { struct buffer name1 = alloc_buf_gc( 256, &gc ); struct buffer val = alloc_buf_gc( 256, &gc ); struct buffer name2 = alloc_buf_gc( 256, &gc ); buf_printf( &name1, "route_ipv6_network_%d", i ); buf_printf( &val, "%s/%d", print_in6_addr( r6->network, 0, &gc ), r6->netbits ); setenv_str( es, BSTR(&name1), BSTR(&val) ); buf_printf( &name2, "route_ipv6_gateway_%d", i ); setenv_str( es, BSTR(&name2), print_in6_addr( r6->gateway, 0, &gc )); } gc_free(&gc); } void setenv_routes_ipv6(struct env_set *es, const struct route_ipv6_list *rl6) { int i = 1; struct route_ipv6 *r6; for (r6 = rl6->routes_ipv6; r6; r6 = r6->next) { setenv_route_ipv6(es, r6, i++); } } /* * local_route() determines whether the gateway of a provided host * route is on the same interface that owns the default gateway. * It uses the data structure * returned by get_default_gateway() (struct route_gateway_info) * to determine this. If the route is local, LR_MATCH is returned. * When adding routes into the kernel, if LR_MATCH is defined for * a given route, the route should explicitly reference the default * gateway interface as the route destination. For example, here * is an example on Linux that uses LR_MATCH: * * route add -net 10.10.0.1 netmask 255.255.255.255 dev eth0 * * This capability is needed by the "default-gateway block-local" * directive, to allow client access to the local subnet to be * blocked but still allow access to the local default gateway. */ /* local_route() return values */ #define LR_NOMATCH 0 /* route is not local */ #define LR_MATCH 1 /* route is local */ #define LR_ERROR 2 /* caller should abort adding route */ static int local_route(in_addr_t network, in_addr_t netmask, in_addr_t gateway, const struct route_gateway_info *rgi) { /* set LR_MATCH on local host routes */ const int rgi_needed = (RGI_ADDR_DEFINED|RGI_NETMASK_DEFINED|RGI_IFACE_DEFINED); if (rgi && (rgi->flags & rgi_needed) == rgi_needed && gateway == rgi->gateway.addr && netmask == 0xFFFFFFFF) { if (((network ^ rgi->gateway.addr) & rgi->gateway.netmask) == 0) { return LR_MATCH; } else { /* examine additional subnets on gateway interface */ size_t i; for (i = 0; i < rgi->n_addrs; ++i) { const struct route_gateway_address *gwa = &rgi->addrs[i]; if (((network ^ gwa->addr) & gwa->netmask) == 0) { return LR_MATCH; } } } } return LR_NOMATCH; } /* Return true if the "on-link" form of the route should be used. This is when the gateway for a * a route is specified as an interface rather than an address. */ static inline bool is_on_link(const int is_local_route, const unsigned int flags, const struct route_gateway_info *rgi) { return rgi && (is_local_route == LR_MATCH || ((flags & ROUTE_REF_GW) && (rgi->flags & RGI_ON_LINK))); } void add_route(struct route_ipv4 *r, const struct tuntap *tt, unsigned int flags, const struct route_gateway_info *rgi, /* may be NULL */ const struct env_set *es) { struct gc_arena gc; struct argv argv = argv_new(); const char *network; #if !defined(ENABLE_IPROUTE) && !defined(TARGET_AIX) const char *netmask; #endif const char *gateway; bool status = false; int is_local_route; if (!(r->flags & RT_DEFINED)) { return; } gc_init(&gc); network = print_in_addr_t(r->network, 0, &gc); #if !defined(ENABLE_IPROUTE) && !defined(TARGET_AIX) netmask = print_in_addr_t(r->netmask, 0, &gc); #endif gateway = print_in_addr_t(r->gateway, 0, &gc); is_local_route = local_route(r->network, r->netmask, r->gateway, rgi); if (is_local_route == LR_ERROR) { goto done; } #if defined(TARGET_LINUX) #ifdef ENABLE_IPROUTE argv_printf(&argv, "%s route add %s/%d", iproute_path, network, netmask_to_netbits2(r->netmask)); if (r->flags & RT_METRIC_DEFINED) { argv_printf_cat(&argv, "metric %d", r->metric); } if (is_on_link(is_local_route, flags, rgi)) { argv_printf_cat(&argv, "dev %s", rgi->iface); } else { argv_printf_cat(&argv, "via %s", gateway); } #else /* ifdef ENABLE_IPROUTE */ argv_printf(&argv, "%s add -net %s netmask %s", ROUTE_PATH, network, netmask); if (r->flags & RT_METRIC_DEFINED) { argv_printf_cat(&argv, "metric %d", r->metric); } if (is_on_link(is_local_route, flags, rgi)) { argv_printf_cat(&argv, "dev %s", rgi->iface); } else { argv_printf_cat(&argv, "gw %s", gateway); } #endif /*ENABLE_IPROUTE*/ argv_msg(D_ROUTE, &argv); status = openvpn_execve_check(&argv, es, 0, "ERROR: Linux route add command failed"); #elif defined (TARGET_ANDROID) struct buffer out = alloc_buf_gc(128, &gc); if (rgi) { buf_printf(&out, "%s %s %s dev %s", network, netmask, gateway, rgi->iface); } else { buf_printf(&out, "%s %s %s", network, netmask, gateway); } management_android_control(management, "ROUTE", buf_bptr(&out)); #elif defined (_WIN32) { DWORD ai = TUN_ADAPTER_INDEX_INVALID; argv_printf(&argv, "%s%sc ADD %s MASK %s %s", get_win_sys_path(), WIN_ROUTE_PATH_SUFFIX, network, netmask, gateway); if (r->flags & RT_METRIC_DEFINED) { argv_printf_cat(&argv, "METRIC %d", r->metric); } if (is_on_link(is_local_route, flags, rgi)) { ai = rgi->adapter_index; argv_printf_cat(&argv, "IF %u", (unsigned int)ai); } argv_msg(D_ROUTE, &argv); if ((flags & ROUTE_METHOD_MASK) == ROUTE_METHOD_SERVICE) { status = add_route_service(r, tt); msg(D_ROUTE, "Route addition via service %s", status ? "succeeded" : "failed"); } else if ((flags & ROUTE_METHOD_MASK) == ROUTE_METHOD_IPAPI) { status = add_route_ipapi(r, tt, ai); msg(D_ROUTE, "Route addition via IPAPI %s", status ? "succeeded" : "failed"); } else if ((flags & ROUTE_METHOD_MASK) == ROUTE_METHOD_EXE) { netcmd_semaphore_lock(); status = openvpn_execve_check(&argv, es, 0, "ERROR: Windows route add command failed"); netcmd_semaphore_release(); } else if ((flags & ROUTE_METHOD_MASK) == ROUTE_METHOD_ADAPTIVE) { status = add_route_ipapi(r, tt, ai); msg(D_ROUTE, "Route addition via IPAPI %s [adaptive]", status ? "succeeded" : "failed"); if (!status) { msg(D_ROUTE, "Route addition fallback to route.exe"); netcmd_semaphore_lock(); status = openvpn_execve_check(&argv, es, 0, "ERROR: Windows route add command failed [adaptive]"); netcmd_semaphore_release(); } } else { ASSERT(0); } } #elif defined (TARGET_SOLARIS) /* example: route add 192.0.2.32 -netmask 255.255.255.224 somegateway */ argv_printf(&argv, "%s add", ROUTE_PATH); argv_printf_cat(&argv, "%s -netmask %s %s", network, netmask, gateway); /* Solaris can only distinguish between "metric 0" == "on-link on the * interface where the IP address given is configured" and "metric > 0" * == "use gateway specified" (no finer-grained route metrics available) * * More recent versions of Solaris can also do "-interface", but that * would break backwards compatibility with older versions for no gain. */ if (r->flags & RT_METRIC_DEFINED) { argv_printf_cat(&argv, "%d", r->metric); } argv_msg(D_ROUTE, &argv); status = openvpn_execve_check(&argv, es, 0, "ERROR: Solaris route add command failed"); #elif defined(TARGET_FREEBSD) argv_printf(&argv, "%s add", ROUTE_PATH); #if 0 if (r->flags & RT_METRIC_DEFINED) { argv_printf_cat(&argv, "-rtt %d", r->metric); } #endif argv_printf_cat(&argv, "-net %s %s %s", network, gateway, netmask); /* FIXME -- add on-link support for FreeBSD */ argv_msg(D_ROUTE, &argv); status = openvpn_execve_check(&argv, es, 0, "ERROR: FreeBSD route add command failed"); #elif defined(TARGET_DRAGONFLY) argv_printf(&argv, "%s add", ROUTE_PATH); #if 0 if (r->flags & RT_METRIC_DEFINED) { argv_printf_cat(&argv, "-rtt %d", r->metric); } #endif argv_printf_cat(&argv, "-net %s %s %s", network, gateway, netmask); /* FIXME -- add on-link support for Dragonfly */ argv_msg(D_ROUTE, &argv); status = openvpn_execve_check(&argv, es, 0, "ERROR: DragonFly route add command failed"); #elif defined(TARGET_DARWIN) argv_printf(&argv, "%s add", ROUTE_PATH); #if 0 if (r->flags & RT_METRIC_DEFINED) { argv_printf_cat(&argv, "-rtt %d", r->metric); } #endif if (is_on_link(is_local_route, flags, rgi)) { /* Mac OS X route syntax for ON_LINK: * route add -cloning -net 10.10.0.1 -netmask 255.255.255.255 -interface en0 */ argv_printf_cat(&argv, "-cloning -net %s -netmask %s -interface %s", network, netmask, rgi->iface); } else { argv_printf_cat(&argv, "-net %s %s %s", network, gateway, netmask); } argv_msg(D_ROUTE, &argv); status = openvpn_execve_check(&argv, es, 0, "ERROR: OS X route add command failed"); #elif defined(TARGET_OPENBSD) || defined(TARGET_NETBSD) argv_printf(&argv, "%s add", ROUTE_PATH); #if 0 if (r->flags & RT_METRIC_DEFINED) { argv_printf_cat(&argv, "-rtt %d", r->metric); } #endif argv_printf_cat(&argv, "-net %s %s -netmask %s", network, gateway, netmask); /* FIXME -- add on-link support for OpenBSD/NetBSD */ argv_msg(D_ROUTE, &argv); status = openvpn_execve_check(&argv, es, 0, "ERROR: OpenBSD/NetBSD route add command failed"); #elif defined(TARGET_AIX) { int netbits = netmask_to_netbits2(r->netmask); argv_printf(&argv, "%s add -net %s/%d %s", ROUTE_PATH, network, netbits, gateway); argv_msg(D_ROUTE, &argv); status = openvpn_execve_check(&argv, es, 0, "ERROR: AIX route add command failed"); } #else /* if defined(TARGET_LINUX) */ msg(M_FATAL, "Sorry, but I don't know how to do 'route' commands on this operating system. Try putting your routes in a --route-up script"); #endif /* if defined(TARGET_LINUX) */ done: if (status) { r->flags |= RT_ADDED; } else { r->flags &= ~RT_ADDED; } argv_reset(&argv); gc_free(&gc); } static void route_ipv6_clear_host_bits( struct route_ipv6 *r6 ) { /* clear host bit parts of route * (needed if routes are specified improperly, or if we need to * explicitely setup/clear the "connected" network routes on some OSes) */ int byte = 15; int bits_to_clear = 128 - r6->netbits; while (byte >= 0 && bits_to_clear > 0) { if (bits_to_clear >= 8) { r6->network.s6_addr[byte--] = 0; bits_to_clear -= 8; } else { r6->network.s6_addr[byte--] &= (0xff << bits_to_clear); bits_to_clear = 0; } } } void add_route_ipv6(struct route_ipv6 *r6, const struct tuntap *tt, unsigned int flags, const struct env_set *es) { struct gc_arena gc; struct argv argv = argv_new(); const char *network; const char *gateway; bool status = false; const char *device = tt->actual_name; bool gateway_needed = false; if (!(r6->flags & RT_DEFINED) ) { return; } #ifndef _WIN32 if (r6->iface != NULL) /* vpn server special route */ { device = r6->iface; if (!IN6_IS_ADDR_UNSPECIFIED(&r6->gateway) ) { gateway_needed = true; } } #endif gc_init(&gc); route_ipv6_clear_host_bits(r6); network = print_in6_addr( r6->network, 0, &gc); gateway = print_in6_addr( r6->gateway, 0, &gc); #if defined(TARGET_DARWIN) \ || defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY) \ || defined(TARGET_OPENBSD) || defined(TARGET_NETBSD) /* the BSD platforms cannot specify gateway and interface independently, * but for link-local destinations, we MUST specify the interface, so * we build a combined "$gateway%$interface" gateway string */ if (r6->iface != NULL && gateway_needed && IN6_IS_ADDR_LINKLOCAL(&r6->gateway) ) /* fe80::...%intf */ { int len = strlen(gateway) + 1 + strlen(r6->iface)+1; char *tmp = gc_malloc( len, true, &gc ); snprintf( tmp, len, "%s%%%s", gateway, r6->iface ); gateway = tmp; } #endif msg( M_INFO, "add_route_ipv6(%s/%d -> %s metric %d) dev %s", network, r6->netbits, gateway, r6->metric, device ); /* * Filter out routes which are essentially no-ops * (not currently done for IPv6) */ /* On "tun" interface, we never set a gateway if the operating system * can do "route to interface" - it does not add value, as the target * dev already fully qualifies the route destination on point-to-point * interfaces. OTOH, on "tap" interface, we must always set the * gateway unless the route is to be an on-link network */ if (tt->type == DEV_TYPE_TAP && !( (r6->flags & RT_METRIC_DEFINED) && r6->metric == 0 ) ) { gateway_needed = true; } #if defined(TARGET_LINUX) #ifdef ENABLE_IPROUTE argv_printf(&argv, "%s -6 route add %s/%d dev %s", iproute_path, network, r6->netbits, device); if (gateway_needed) { argv_printf_cat(&argv, "via %s", gateway); } if ( (r6->flags & RT_METRIC_DEFINED) && r6->metric > 0) { argv_printf_cat(&argv, " metric %d", r6->metric); } #else /* ifdef ENABLE_IPROUTE */ argv_printf(&argv, "%s -A inet6 add %s/%d dev %s", ROUTE_PATH, network, r6->netbits, device); if (gateway_needed) { argv_printf_cat(&argv, "gw %s", gateway); } if ( (r6->flags & RT_METRIC_DEFINED) && r6->metric > 0) { argv_printf_cat(&argv, " metric %d", r6->metric); } #endif /*ENABLE_IPROUTE*/ argv_msg(D_ROUTE, &argv); status = openvpn_execve_check(&argv, es, 0, "ERROR: Linux route -6/-A inet6 add command failed"); #elif defined (TARGET_ANDROID) struct buffer out = alloc_buf_gc(64, &gc); buf_printf(&out, "%s/%d %s", network, r6->netbits, device); management_android_control(management, "ROUTE6", buf_bptr(&out)); #elif defined (_WIN32) if (tt->options.msg_channel) { status = add_route_ipv6_service(r6, tt); } else { struct buffer out = alloc_buf_gc(64, &gc); if (r6->adapter_index) /* vpn server special route */ { buf_printf(&out, "interface=%d", r6->adapter_index ); gateway_needed = true; } else { buf_printf(&out, "interface=%d", tt->adapter_index ); } device = buf_bptr(&out); /* netsh interface ipv6 add route 2001:db8::/32 MyTunDevice */ argv_printf(&argv, "%s%sc interface ipv6 add route %s/%d %s", get_win_sys_path(), NETSH_PATH_SUFFIX, network, r6->netbits, device); /* next-hop depends on TUN or TAP mode: * - in TAP mode, we use the "real" next-hop * - in TUN mode we use a special-case link-local address that the tapdrvr * knows about and will answer ND (neighbor discovery) packets for */ if (tt->type == DEV_TYPE_TUN && !gateway_needed) { argv_printf_cat( &argv, " %s", "fe80::8" ); } else if (!IN6_IS_ADDR_UNSPECIFIED(&r6->gateway) ) { argv_printf_cat( &argv, " %s", gateway ); } #if 0 if (r6->flags & RT_METRIC_DEFINED) { argv_printf_cat(&argv, " METRIC %d", r->metric); } #endif /* in some versions of Windows, routes are persistent across reboots by * default, unless "store=active" is set (pointed out by Tony Lim, thanks) */ argv_printf_cat( &argv, " store=active" ); argv_msg(D_ROUTE, &argv); netcmd_semaphore_lock(); status = openvpn_execve_check(&argv, es, 0, "ERROR: Windows route add ipv6 command failed"); netcmd_semaphore_release(); } #elif defined (TARGET_SOLARIS) /* example: route add -inet6 2001:db8::/32 somegateway 0 */ /* for some reason, routes to tun/tap do not work for me unless I set * "metric 0" - otherwise, the routes will be nicely installed, but * packets will just disappear somewhere. So we always use "0" now, * unless the route points to "gateway on other interface"... * * (Note: OpenSolaris can not specify host%interface gateways, so we just * use the GW addresses - it seems to still work for fe80:: addresses, * however this is done internally. NUD maybe?) */ argv_printf(&argv, "%s add -inet6 %s/%d %s", ROUTE_PATH, network, r6->netbits, gateway ); /* on tun/tap, not "elsewhere"? -> metric 0 */ if (!r6->iface) { argv_printf_cat(&argv, "0"); } argv_msg(D_ROUTE, &argv); status = openvpn_execve_check(&argv, es, 0, "ERROR: Solaris route add -inet6 command failed"); #elif defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY) argv_printf(&argv, "%s add -inet6 %s/%d", ROUTE_PATH, network, r6->netbits); if (gateway_needed) { argv_printf_cat(&argv, "%s", gateway); } else { argv_printf_cat(&argv, "-iface %s", device); } argv_msg(D_ROUTE, &argv); status = openvpn_execve_check(&argv, es, 0, "ERROR: *BSD route add -inet6 command failed"); #elif defined(TARGET_DARWIN) argv_printf(&argv, "%s add -inet6 %s -prefixlen %d", ROUTE_PATH, network, r6->netbits ); if (gateway_needed) { argv_printf_cat(&argv, "%s", gateway); } else { argv_printf_cat(&argv, "-iface %s", device); } argv_msg(D_ROUTE, &argv); status = openvpn_execve_check(&argv, es, 0, "ERROR: MacOS X route add -inet6 command failed"); #elif defined(TARGET_OPENBSD) argv_printf(&argv, "%s add -inet6 %s -prefixlen %d %s", ROUTE_PATH, network, r6->netbits, gateway ); argv_msg(D_ROUTE, &argv); status = openvpn_execve_check(&argv, es, 0, "ERROR: OpenBSD route add -inet6 command failed"); #elif defined(TARGET_NETBSD) argv_printf(&argv, "%s add -inet6 %s/%d %s", ROUTE_PATH, network, r6->netbits, gateway ); argv_msg(D_ROUTE, &argv); status = openvpn_execve_check(&argv, es, 0, "ERROR: NetBSD route add -inet6 command failed"); #elif defined(TARGET_AIX) argv_printf(&argv, "%s add -inet6 %s/%d %s", ROUTE_PATH, network, r6->netbits, gateway); argv_msg(D_ROUTE, &argv); status = openvpn_execve_check(&argv, es, 0, "ERROR: AIX route add command failed"); #else /* if defined(TARGET_LINUX) */ msg(M_FATAL, "Sorry, but I don't know how to do 'route ipv6' commands on this operating system. Try putting your routes in a --route-up script"); #endif /* if defined(TARGET_LINUX) */ if (status) { r6->flags |= RT_ADDED; } else { r6->flags &= ~RT_ADDED; } argv_reset(&argv); gc_free(&gc); } static void delete_route(struct route_ipv4 *r, const struct tuntap *tt, unsigned int flags, const struct route_gateway_info *rgi, const struct env_set *es) { struct gc_arena gc; struct argv argv = argv_new(); const char *network; #if !defined(ENABLE_IPROUTE) && !defined(TARGET_AIX) const char *netmask; #endif #if !defined(TARGET_LINUX) && !defined(TARGET_ANDROID) const char *gateway; #endif int is_local_route; if ((r->flags & (RT_DEFINED|RT_ADDED)) != (RT_DEFINED|RT_ADDED)) { return; } gc_init(&gc); network = print_in_addr_t(r->network, 0, &gc); #if !defined(ENABLE_IPROUTE) && !defined(TARGET_AIX) netmask = print_in_addr_t(r->netmask, 0, &gc); #endif #if !defined(TARGET_LINUX) && !defined(TARGET_ANDROID) gateway = print_in_addr_t(r->gateway, 0, &gc); #endif is_local_route = local_route(r->network, r->netmask, r->gateway, rgi); if (is_local_route == LR_ERROR) { goto done; } #if defined(TARGET_LINUX) #ifdef ENABLE_IPROUTE argv_printf(&argv, "%s route del %s/%d", iproute_path, network, netmask_to_netbits2(r->netmask)); #else argv_printf(&argv, "%s del -net %s netmask %s", ROUTE_PATH, network, netmask); #endif /*ENABLE_IPROUTE*/ if (r->flags & RT_METRIC_DEFINED) { argv_printf_cat(&argv, "metric %d", r->metric); } argv_msg(D_ROUTE, &argv); openvpn_execve_check(&argv, es, 0, "ERROR: Linux route delete command failed"); #elif defined (_WIN32) argv_printf(&argv, "%s%sc DELETE %s MASK %s %s", get_win_sys_path(), WIN_ROUTE_PATH_SUFFIX, network, netmask, gateway); argv_msg(D_ROUTE, &argv); if ((flags & ROUTE_METHOD_MASK) == ROUTE_METHOD_SERVICE) { const bool status = del_route_service(r, tt); msg(D_ROUTE, "Route deletion via service %s", status ? "succeeded" : "failed"); } else if ((flags & ROUTE_METHOD_MASK) == ROUTE_METHOD_IPAPI) { const bool status = del_route_ipapi(r, tt); msg(D_ROUTE, "Route deletion via IPAPI %s", status ? "succeeded" : "failed"); } else if ((flags & ROUTE_METHOD_MASK) == ROUTE_METHOD_EXE) { netcmd_semaphore_lock(); openvpn_execve_check(&argv, es, 0, "ERROR: Windows route delete command failed"); netcmd_semaphore_release(); } else if ((flags & ROUTE_METHOD_MASK) == ROUTE_METHOD_ADAPTIVE) { const bool status = del_route_ipapi(r, tt); msg(D_ROUTE, "Route deletion via IPAPI %s [adaptive]", status ? "succeeded" : "failed"); if (!status) { msg(D_ROUTE, "Route deletion fallback to route.exe"); netcmd_semaphore_lock(); openvpn_execve_check(&argv, es, 0, "ERROR: Windows route delete command failed [adaptive]"); netcmd_semaphore_release(); } } else { ASSERT(0); } #elif defined (TARGET_SOLARIS) argv_printf(&argv, "%s delete %s -netmask %s %s", ROUTE_PATH, network, netmask, gateway); argv_msg(D_ROUTE, &argv); openvpn_execve_check(&argv, es, 0, "ERROR: Solaris route delete command failed"); #elif defined(TARGET_FREEBSD) argv_printf(&argv, "%s delete -net %s %s %s", ROUTE_PATH, network, gateway, netmask); argv_msg(D_ROUTE, &argv); openvpn_execve_check(&argv, es, 0, "ERROR: FreeBSD route delete command failed"); #elif defined(TARGET_DRAGONFLY) argv_printf(&argv, "%s delete -net %s %s %s", ROUTE_PATH, network, gateway, netmask); argv_msg(D_ROUTE, &argv); openvpn_execve_check(&argv, es, 0, "ERROR: DragonFly route delete command failed"); #elif defined(TARGET_DARWIN) if (is_on_link(is_local_route, flags, rgi)) { argv_printf(&argv, "%s delete -cloning -net %s -netmask %s -interface %s", ROUTE_PATH, network, netmask, rgi->iface); } else { argv_printf(&argv, "%s delete -net %s %s %s", ROUTE_PATH, network, gateway, netmask); } argv_msg(D_ROUTE, &argv); openvpn_execve_check(&argv, es, 0, "ERROR: OS X route delete command failed"); #elif defined(TARGET_OPENBSD) || defined(TARGET_NETBSD) argv_printf(&argv, "%s delete -net %s %s -netmask %s", ROUTE_PATH, network, gateway, netmask); argv_msg(D_ROUTE, &argv); openvpn_execve_check(&argv, es, 0, "ERROR: OpenBSD/NetBSD route delete command failed"); #elif defined(TARGET_ANDROID) msg(M_NONFATAL, "Sorry, deleting routes on Android is not possible. The VpnService API allows routes to be set on connect only."); #elif defined(TARGET_AIX) { int netbits = netmask_to_netbits2(r->netmask); argv_printf(&argv, "%s delete -net %s/%d %s", ROUTE_PATH, network, netbits, gateway); argv_msg(D_ROUTE, &argv); openvpn_execve_check(&argv, es, 0, "ERROR: AIX route delete command failed"); } #else /* if defined(TARGET_LINUX) */ msg(M_FATAL, "Sorry, but I don't know how to do 'route' commands on this operating system. Try putting your routes in a --route-up script"); #endif /* if defined(TARGET_LINUX) */ done: r->flags &= ~RT_ADDED; argv_reset(&argv); gc_free(&gc); } void delete_route_ipv6(const struct route_ipv6 *r6, const struct tuntap *tt, unsigned int flags, const struct env_set *es) { struct gc_arena gc; struct argv argv = argv_new(); const char *network; const char *gateway; const char *device = tt->actual_name; bool gateway_needed = false; if ((r6->flags & (RT_DEFINED|RT_ADDED)) != (RT_DEFINED|RT_ADDED)) { return; } #ifndef _WIN32 if (r6->iface != NULL) /* vpn server special route */ { device = r6->iface; gateway_needed = true; } #endif gc_init(&gc); network = print_in6_addr( r6->network, 0, &gc); gateway = print_in6_addr( r6->gateway, 0, &gc); #if defined(TARGET_DARWIN) \ || defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY) \ || defined(TARGET_OPENBSD) || defined(TARGET_NETBSD) /* the BSD platforms cannot specify gateway and interface independently, * but for link-local destinations, we MUST specify the interface, so * we build a combined "$gateway%$interface" gateway string */ if (r6->iface != NULL && gateway_needed && IN6_IS_ADDR_LINKLOCAL(&r6->gateway) ) /* fe80::...%intf */ { int len = strlen(gateway) + 1 + strlen(r6->iface)+1; char *tmp = gc_malloc( len, true, &gc ); snprintf( tmp, len, "%s%%%s", gateway, r6->iface ); gateway = tmp; } #endif msg( M_INFO, "delete_route_ipv6(%s/%d)", network, r6->netbits ); /* if we used a gateway on "add route", we also need to specify it on * delete, otherwise some OSes will refuse to delete the route */ if (tt->type == DEV_TYPE_TAP && !( (r6->flags & RT_METRIC_DEFINED) && r6->metric == 0 ) ) { gateway_needed = true; } #if defined(TARGET_LINUX) #ifdef ENABLE_IPROUTE argv_printf(&argv, "%s -6 route del %s/%d dev %s", iproute_path, network, r6->netbits, device); if (gateway_needed) { argv_printf_cat(&argv, "via %s", gateway); } #else /* ifdef ENABLE_IPROUTE */ argv_printf(&argv, "%s -A inet6 del %s/%d dev %s", ROUTE_PATH, network, r6->netbits, device); if (gateway_needed) { argv_printf_cat(&argv, "gw %s", gateway); } if ( (r6->flags & RT_METRIC_DEFINED) && r6->metric > 0) { argv_printf_cat(&argv, " metric %d", r6->metric); } #endif /*ENABLE_IPROUTE*/ argv_msg(D_ROUTE, &argv); openvpn_execve_check(&argv, es, 0, "ERROR: Linux route -6/-A inet6 del command failed"); #elif defined (_WIN32) if (tt->options.msg_channel) { del_route_ipv6_service(r6, tt); } else { struct buffer out = alloc_buf_gc(64, &gc); if (r6->adapter_index) /* vpn server special route */ { buf_printf(&out, "interface=%d", r6->adapter_index ); gateway_needed = true; } else { buf_printf(&out, "interface=%d", tt->adapter_index ); } device = buf_bptr(&out); /* netsh interface ipv6 delete route 2001:db8::/32 MyTunDevice */ argv_printf(&argv, "%s%sc interface ipv6 delete route %s/%d %s", get_win_sys_path(), NETSH_PATH_SUFFIX, network, r6->netbits, device); /* next-hop depends on TUN or TAP mode: * - in TAP mode, we use the "real" next-hop * - in TUN mode we use a special-case link-local address that the tapdrvr * knows about and will answer ND (neighbor discovery) packets for * (and "route deletion without specifying next-hop" does not work...) */ if (tt->type == DEV_TYPE_TUN && !gateway_needed) { argv_printf_cat( &argv, " %s", "fe80::8" ); } else if (!IN6_IS_ADDR_UNSPECIFIED(&r6->gateway) ) { argv_printf_cat( &argv, " %s", gateway ); } #if 0 if (r6->flags & RT_METRIC_DEFINED) { argv_printf_cat(&argv, "METRIC %d", r->metric); } #endif /* Windows XP to 7 "just delete" routes, wherever they came from, but * in Windows 8(.1?), if you create them with "store=active", this is * how you should delete them as well (pointed out by Cedric Tabary) */ argv_printf_cat( &argv, " store=active" ); argv_msg(D_ROUTE, &argv); netcmd_semaphore_lock(); openvpn_execve_check(&argv, es, 0, "ERROR: Windows route delete ipv6 command failed"); netcmd_semaphore_release(); } #elif defined (TARGET_SOLARIS) /* example: route delete -inet6 2001:db8::/32 somegateway */ argv_printf(&argv, "%s delete -inet6 %s/%d %s", ROUTE_PATH, network, r6->netbits, gateway ); argv_msg(D_ROUTE, &argv); openvpn_execve_check(&argv, es, 0, "ERROR: Solaris route delete -inet6 command failed"); #elif defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY) argv_printf(&argv, "%s delete -inet6 %s/%d", ROUTE_PATH, network, r6->netbits ); if (gateway_needed) { argv_printf_cat(&argv, "%s", gateway); } else { argv_printf_cat(&argv, "-iface %s", device); } argv_msg(D_ROUTE, &argv); openvpn_execve_check(&argv, es, 0, "ERROR: *BSD route delete -inet6 command failed"); #elif defined(TARGET_DARWIN) argv_printf(&argv, "%s delete -inet6 %s -prefixlen %d", ROUTE_PATH, network, r6->netbits ); if (gateway_needed) { argv_printf_cat(&argv, "%s", gateway); } else { argv_printf_cat(&argv, "-iface %s", device); } argv_msg(D_ROUTE, &argv); openvpn_execve_check(&argv, es, 0, "ERROR: MacOS X route delete -inet6 command failed"); #elif defined(TARGET_OPENBSD) argv_printf(&argv, "%s delete -inet6 %s -prefixlen %d %s", ROUTE_PATH, network, r6->netbits, gateway ); argv_msg(D_ROUTE, &argv); openvpn_execve_check(&argv, es, 0, "ERROR: OpenBSD route delete -inet6 command failed"); #elif defined(TARGET_NETBSD) argv_printf(&argv, "%s delete -inet6 %s/%d %s", ROUTE_PATH, network, r6->netbits, gateway ); argv_msg(D_ROUTE, &argv); openvpn_execve_check(&argv, es, 0, "ERROR: NetBSD route delete -inet6 command failed"); #elif defined(TARGET_AIX) argv_printf(&argv, "%s delete -inet6 %s/%d %s", ROUTE_PATH, network, r6->netbits, gateway); argv_msg(D_ROUTE, &argv); openvpn_execve_check(&argv, es, 0, "ERROR: AIX route add command failed"); #else /* if defined(TARGET_LINUX) */ msg(M_FATAL, "Sorry, but I don't know how to do 'route ipv6' commands on this operating system. Try putting your routes in a --route-down script"); #endif /* if defined(TARGET_LINUX) */ argv_reset(&argv); gc_free(&gc); } /* * The --redirect-gateway option requires OS-specific code below * to get the current default gateway. */ #if defined(_WIN32) static const MIB_IPFORWARDTABLE * get_windows_routing_table(struct gc_arena *gc) { ULONG size = 0; PMIB_IPFORWARDTABLE rt = NULL; DWORD status; status = GetIpForwardTable(NULL, &size, TRUE); if (status == ERROR_INSUFFICIENT_BUFFER) { rt = (PMIB_IPFORWARDTABLE) gc_malloc(size, false, gc); status = GetIpForwardTable(rt, &size, TRUE); if (status != NO_ERROR) { msg(D_ROUTE, "NOTE: GetIpForwardTable returned error: %s (code=%u)", strerror_win32(status, gc), (unsigned int)status); rt = NULL; } } return rt; } static int test_route(const IP_ADAPTER_INFO *adapters, const in_addr_t gateway, DWORD *index) { int count = 0; DWORD i = adapter_index_of_ip(adapters, gateway, &count, NULL); if (index) { *index = i; } return count; } static void test_route_helper(bool *ret, int *count, int *good, int *ambig, const IP_ADAPTER_INFO *adapters, const in_addr_t gateway) { int c; ++*count; c = test_route(adapters, gateway, NULL); if (c == 0) { *ret = false; } else { ++*good; } if (c > 1) { ++*ambig; } } /* * If we tried to add routes now, would we succeed? */ bool test_routes(const struct route_list *rl, const struct tuntap *tt) { struct gc_arena gc = gc_new(); const IP_ADAPTER_INFO *adapters = get_adapter_info_list(&gc); bool ret = false; int count = 0; int good = 0; int ambig = 0; int len = -1; bool adapter_up = false; if (is_adapter_up(tt, adapters)) { ret = true; adapter_up = true; if (rl) { struct route_ipv4 *r; for (r = rl->routes, len = 0; r; r = r->next, ++len) { test_route_helper(&ret, &count, &good, &ambig, adapters, r->gateway); } if ((rl->flags & RG_ENABLE) && (rl->spec.flags & RTSA_REMOTE_ENDPOINT)) { test_route_helper(&ret, &count, &good, &ambig, adapters, rl->spec.remote_endpoint); } } } msg(D_ROUTE, "TEST ROUTES: %d/%d succeeded len=%d ret=%d a=%d u/d=%s", good, count, len, (int)ret, ambig, adapter_up ? "up" : "down"); gc_free(&gc); return ret; } static const MIB_IPFORWARDROW * get_default_gateway_row(const MIB_IPFORWARDTABLE *routes) { struct gc_arena gc = gc_new(); DWORD lowest_metric = MAXDWORD; const MIB_IPFORWARDROW *ret = NULL; int i; int best = -1; if (routes) { for (i = 0; i < routes->dwNumEntries; ++i) { const MIB_IPFORWARDROW *row = &routes->table[i]; const in_addr_t net = ntohl(row->dwForwardDest); const in_addr_t mask = ntohl(row->dwForwardMask); const DWORD index = row->dwForwardIfIndex; const DWORD metric = row->dwForwardMetric1; dmsg(D_ROUTE_DEBUG, "GDGR: route[%d] %s/%s i=%d m=%d", i, print_in_addr_t((in_addr_t) net, 0, &gc), print_in_addr_t((in_addr_t) mask, 0, &gc), (int)index, (int)metric); if (!net && !mask && metric < lowest_metric) { ret = row; lowest_metric = metric; best = i; } } } dmsg(D_ROUTE_DEBUG, "GDGR: best=%d lm=%u", best, (unsigned int)lowest_metric); gc_free(&gc); return ret; } void get_default_gateway(struct route_gateway_info *rgi) { struct gc_arena gc = gc_new(); const IP_ADAPTER_INFO *adapters = get_adapter_info_list(&gc); const MIB_IPFORWARDTABLE *routes = get_windows_routing_table(&gc); const MIB_IPFORWARDROW *row = get_default_gateway_row(routes); DWORD a_index; const IP_ADAPTER_INFO *ai; CLEAR(*rgi); if (row) { rgi->gateway.addr = ntohl(row->dwForwardNextHop); if (rgi->gateway.addr) { rgi->flags |= RGI_ADDR_DEFINED; a_index = adapter_index_of_ip(adapters, rgi->gateway.addr, NULL, &rgi->gateway.netmask); if (a_index != TUN_ADAPTER_INDEX_INVALID) { rgi->adapter_index = a_index; rgi->flags |= (RGI_IFACE_DEFINED|RGI_NETMASK_DEFINED); ai = get_adapter(adapters, a_index); if (ai) { memcpy(rgi->hwaddr, ai->Address, 6); rgi->flags |= RGI_HWADDR_DEFINED; } } } } gc_free(&gc); } static DWORD windows_route_find_if_index(const struct route_ipv4 *r, const struct tuntap *tt) { struct gc_arena gc = gc_new(); DWORD ret = TUN_ADAPTER_INDEX_INVALID; int count = 0; const IP_ADAPTER_INFO *adapters = get_adapter_info_list(&gc); const IP_ADAPTER_INFO *tun_adapter = get_tun_adapter(tt, adapters); bool on_tun = false; /* first test on tun interface */ if (is_ip_in_adapter_subnet(tun_adapter, r->gateway, NULL)) { ret = tun_adapter->Index; count = 1; on_tun = true; } else /* test on other interfaces */ { count = test_route(adapters, r->gateway, &ret); } if (count == 0) { msg(M_WARN, "Warning: route gateway is not reachable on any active network adapters: %s", print_in_addr_t(r->gateway, 0, &gc)); ret = TUN_ADAPTER_INDEX_INVALID; } else if (count > 1) { msg(M_WARN, "Warning: route gateway is ambiguous: %s (%d matches)", print_in_addr_t(r->gateway, 0, &gc), count); ret = TUN_ADAPTER_INDEX_INVALID; } dmsg(D_ROUTE_DEBUG, "DEBUG: route find if: on_tun=%d count=%d index=%d", on_tun, count, (int)ret); gc_free(&gc); return ret; } /* IPv6 implementation using GetBestRoute2() * (TBD: dynamic linking so the binary can still run on XP?) * https://msdn.microsoft.com/en-us/library/windows/desktop/aa365922(v=vs.85).aspx * https://msdn.microsoft.com/en-us/library/windows/desktop/aa814411(v=vs.85).aspx */ void get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, const struct in6_addr *dest) { struct gc_arena gc = gc_new(); MIB_IPFORWARD_ROW2 BestRoute; SOCKADDR_INET DestinationAddress, BestSourceAddress; DWORD BestIfIndex; DWORD status; NET_LUID InterfaceLuid; CLEAR(*rgi6); CLEAR(InterfaceLuid); /* cleared = not used for lookup */ CLEAR(DestinationAddress); DestinationAddress.si_family = AF_INET6; if (dest) { DestinationAddress.Ipv6.sin6_addr = *dest; } status = GetBestInterfaceEx( &DestinationAddress, &BestIfIndex ); if (status != NO_ERROR) { msg(D_ROUTE, "NOTE: GetBestInterfaceEx returned error: %s (code=%u)", strerror_win32(status, &gc), (unsigned int)status); goto done; } msg( D_ROUTE, "GetBestInterfaceEx() returned if=%d", (int) BestIfIndex ); status = GetBestRoute2( &InterfaceLuid, BestIfIndex, NULL, &DestinationAddress, 0, &BestRoute, &BestSourceAddress ); if (status != NO_ERROR) { msg(D_ROUTE, "NOTE: GetIpForwardEntry2 returned error: %s (code=%u)", strerror_win32(status, &gc), (unsigned int)status); goto done; } msg( D_ROUTE, "GDG6: II=%d DP=%s/%d NH=%s", BestRoute.InterfaceIndex, print_in6_addr( BestRoute.DestinationPrefix.Prefix.Ipv6.sin6_addr, 0, &gc), BestRoute.DestinationPrefix.PrefixLength, print_in6_addr( BestRoute.NextHop.Ipv6.sin6_addr, 0, &gc) ); msg( D_ROUTE, "GDG6: Metric=%d, Loopback=%d, AA=%d, I=%d", (int) BestRoute.Metric, (int) BestRoute.Loopback, (int) BestRoute.AutoconfigureAddress, (int) BestRoute.Immortal ); rgi6->gateway.addr_ipv6 = BestRoute.NextHop.Ipv6.sin6_addr; rgi6->adapter_index = BestRoute.InterfaceIndex; rgi6->flags |= RGI_ADDR_DEFINED | RGI_IFACE_DEFINED; /* on-link is signalled by receiving an empty (::) NextHop */ if (IN6_IS_ADDR_UNSPECIFIED(&BestRoute.NextHop.Ipv6.sin6_addr) ) { rgi6->flags |= RGI_ON_LINK; } done: gc_free(&gc); } bool add_route_ipapi(const struct route_ipv4 *r, const struct tuntap *tt, DWORD adapter_index) { struct gc_arena gc = gc_new(); bool ret = false; DWORD status; const DWORD if_index = (adapter_index == TUN_ADAPTER_INDEX_INVALID) ? windows_route_find_if_index(r, tt) : adapter_index; if (if_index != TUN_ADAPTER_INDEX_INVALID) { MIB_IPFORWARDROW fr; CLEAR(fr); fr.dwForwardDest = htonl(r->network); fr.dwForwardMask = htonl(r->netmask); fr.dwForwardPolicy = 0; fr.dwForwardNextHop = htonl(r->gateway); fr.dwForwardIfIndex = if_index; fr.dwForwardType = 4; /* the next hop is not the final dest */ fr.dwForwardProto = 3; /* PROTO_IP_NETMGMT */ fr.dwForwardAge = 0; fr.dwForwardNextHopAS = 0; fr.dwForwardMetric1 = (r->flags & RT_METRIC_DEFINED) ? r->metric : 1; fr.dwForwardMetric2 = METRIC_NOT_USED; fr.dwForwardMetric3 = METRIC_NOT_USED; fr.dwForwardMetric4 = METRIC_NOT_USED; fr.dwForwardMetric5 = METRIC_NOT_USED; if ((r->network & r->netmask) != r->network) { msg(M_WARN, "Warning: address %s is not a network address in relation to netmask %s", print_in_addr_t(r->network, 0, &gc), print_in_addr_t(r->netmask, 0, &gc)); } status = CreateIpForwardEntry(&fr); if (status == NO_ERROR) { ret = true; } else { /* failed, try increasing the metric to work around Vista issue */ const unsigned int forward_metric_limit = 2048; /* iteratively retry higher metrics up to this limit */ for (; fr.dwForwardMetric1 <= forward_metric_limit; ++fr.dwForwardMetric1) { /* try a different forward type=3 ("the next hop is the final dest") in addition to 4. * --redirect-gateway over RRAS seems to need this. */ for (fr.dwForwardType = 4; fr.dwForwardType >= 3; --fr.dwForwardType) { status = CreateIpForwardEntry(&fr); if (status == NO_ERROR) { msg(D_ROUTE, "ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=%u and dwForwardType=%u", (unsigned int)fr.dwForwardMetric1, (unsigned int)fr.dwForwardType); ret = true; goto doublebreak; } else if (status != ERROR_BAD_ARGUMENTS) { goto doublebreak; } } } doublebreak: if (status != NO_ERROR) { msg(M_WARN, "ROUTE: route addition failed using CreateIpForwardEntry: %s [status=%u if_index=%u]", strerror_win32(status, &gc), (unsigned int)status, (unsigned int)if_index); } } } gc_free(&gc); return ret; } bool del_route_ipapi(const struct route_ipv4 *r, const struct tuntap *tt) { struct gc_arena gc = gc_new(); bool ret = false; DWORD status; const DWORD if_index = windows_route_find_if_index(r, tt); if (if_index != TUN_ADAPTER_INDEX_INVALID) { MIB_IPFORWARDROW fr; CLEAR(fr); fr.dwForwardDest = htonl(r->network); fr.dwForwardMask = htonl(r->netmask); fr.dwForwardPolicy = 0; fr.dwForwardNextHop = htonl(r->gateway); fr.dwForwardIfIndex = if_index; status = DeleteIpForwardEntry(&fr); if (status == NO_ERROR) { ret = true; } else { msg(M_WARN, "ROUTE: route deletion failed using DeleteIpForwardEntry: %s", strerror_win32(status, &gc)); } } gc_free(&gc); return ret; } static bool do_route_service(const bool add, const route_message_t *rt, const size_t size, HANDLE pipe) { DWORD len; bool ret = false; ack_message_t ack; struct gc_arena gc = gc_new(); if (!WriteFile(pipe, rt, size, &len, NULL) || !ReadFile(pipe, &ack, sizeof(ack), &len, NULL)) { msg(M_WARN, "ROUTE: could not talk to service: %s [%lu]", strerror_win32(GetLastError(), &gc), GetLastError()); goto out; } if (ack.error_number != NO_ERROR) { msg(M_WARN, "ROUTE: route %s failed using service: %s [status=%u if_index=%lu]", (add ? "addition" : "deletion"), strerror_win32(ack.error_number, &gc), ack.error_number, rt->iface.index); goto out; } ret = true; out: gc_free(&gc); return ret; } static bool do_route_ipv4_service(const bool add, const struct route_ipv4 *r, const struct tuntap *tt) { DWORD if_index = windows_route_find_if_index(r, tt); if (if_index == ~0) { return false; } route_message_t msg = { .header = { (add ? msg_add_route : msg_del_route), sizeof(route_message_t), 0 }, .family = AF_INET, .prefix.ipv4.s_addr = htonl(r->network), .gateway.ipv4.s_addr = htonl(r->gateway), .iface = { .index = if_index, .name = "" }, .metric = (r->flags & RT_METRIC_DEFINED ? r->metric : -1) }; netmask_to_netbits(r->network, r->netmask, &msg.prefix_len); if (msg.prefix_len == -1) { msg.prefix_len = 32; } return do_route_service(add, &msg, sizeof(msg), tt->options.msg_channel); } static bool do_route_ipv6_service(const bool add, const struct route_ipv6 *r, const struct tuntap *tt) { bool status; route_message_t msg = { .header = { (add ? msg_add_route : msg_del_route), sizeof(route_message_t), 0 }, .family = AF_INET6, .prefix.ipv6 = r->network, .prefix_len = r->netbits, .gateway.ipv6 = r->gateway, .iface = { .index = tt->adapter_index, .name = "" }, .metric = ( (r->flags & RT_METRIC_DEFINED) ? r->metric : -1) }; if (r->adapter_index) /* vpn server special route */ { msg.iface.index = r->adapter_index; } /* In TUN mode we use a special link-local address as the next hop. * The tapdrvr knows about it and will answer neighbor discovery packets. * (only do this for routes actually using the tun/tap device) */ if (tt->type == DEV_TYPE_TUN && msg.iface.index == tt->adapter_index ) { inet_pton(AF_INET6, "fe80::8", &msg.gateway.ipv6); } if (msg.iface.index == TUN_ADAPTER_INDEX_INVALID) { strncpy(msg.iface.name, tt->actual_name, sizeof(msg.iface.name)); msg.iface.name[sizeof(msg.iface.name) - 1] = '\0'; } status = do_route_service(add, &msg, sizeof(msg), tt->options.msg_channel); msg(D_ROUTE, "IPv6 route %s via service %s", add ? "addition" : "deletion", status ? "succeeded" : "failed"); return status; } static bool add_route_service(const struct route_ipv4 *r, const struct tuntap *tt) { return do_route_ipv4_service(true, r, tt); } static bool del_route_service(const struct route_ipv4 *r, const struct tuntap *tt) { return do_route_ipv4_service(false, r, tt); } static bool add_route_ipv6_service(const struct route_ipv6 *r, const struct tuntap *tt) { return do_route_ipv6_service(true, r, tt); } static bool del_route_ipv6_service(const struct route_ipv6 *r, const struct tuntap *tt) { return do_route_ipv6_service(false, r, tt); } static const char * format_route_entry(const MIB_IPFORWARDROW *r, struct gc_arena *gc) { struct buffer out = alloc_buf_gc(256, gc); buf_printf(&out, "%s %s %s p=%d i=%d t=%d pr=%d a=%d h=%d m=%d/%d/%d/%d/%d", print_in_addr_t(r->dwForwardDest, IA_NET_ORDER, gc), print_in_addr_t(r->dwForwardMask, IA_NET_ORDER, gc), print_in_addr_t(r->dwForwardNextHop, IA_NET_ORDER, gc), (int)r->dwForwardPolicy, (int)r->dwForwardIfIndex, (int)r->dwForwardType, (int)r->dwForwardProto, (int)r->dwForwardAge, (int)r->dwForwardNextHopAS, (int)r->dwForwardMetric1, (int)r->dwForwardMetric2, (int)r->dwForwardMetric3, (int)r->dwForwardMetric4, (int)r->dwForwardMetric5); return BSTR(&out); } /* * Show current routing table */ void show_routes(int msglev) { struct gc_arena gc = gc_new(); int i; const MIB_IPFORWARDTABLE *rt = get_windows_routing_table(&gc); msg(msglev, "SYSTEM ROUTING TABLE"); if (rt) { for (i = 0; i < rt->dwNumEntries; ++i) { msg(msglev, "%s", format_route_entry(&rt->table[i], &gc)); } } gc_free(&gc); } #elif defined(TARGET_LINUX) || defined(TARGET_ANDROID) void get_default_gateway(struct route_gateway_info *rgi) { struct gc_arena gc = gc_new(); int sd = -1; char best_name[16]; best_name[0] = 0; CLEAR(*rgi); #ifndef TARGET_ANDROID /* get default gateway IP addr */ { FILE *fp = fopen("/proc/net/route", "r"); if (fp) { char line[256]; int count = 0; unsigned int lowest_metric = UINT_MAX; in_addr_t best_gw = 0; bool found = false; while (fgets(line, sizeof(line), fp) != NULL) { if (count) { unsigned int net_x = 0; unsigned int mask_x = 0; unsigned int gw_x = 0; unsigned int metric = 0; unsigned int flags = 0; char name[16]; name[0] = 0; const int np = sscanf(line, "%15s\t%x\t%x\t%x\t%*s\t%*s\t%d\t%x", name, &net_x, &gw_x, &flags, &metric, &mask_x); if (np == 6 && (flags & IFF_UP)) { const in_addr_t net = ntohl(net_x); const in_addr_t mask = ntohl(mask_x); const in_addr_t gw = ntohl(gw_x); if (!net && !mask && metric < lowest_metric) { found = true; best_gw = gw; strcpy(best_name, name); lowest_metric = metric; } } } ++count; } fclose(fp); if (found) { rgi->gateway.addr = best_gw; rgi->flags |= RGI_ADDR_DEFINED; if (!rgi->gateway.addr && best_name[0]) { rgi->flags |= RGI_ON_LINK; } } } } #else /* ifndef TARGET_ANDROID */ /* Android, set some pseudo GW, addr is in host byte order, * Determining the default GW on Android 5.0+ is non trivial * and serves almost no purpose since OpenVPN only uses the * default GW address to add routes for networks that should * NOT be routed over the VPN. Using a well known address * (127.'d'.'g'.'w') for the default GW make detecting * these routes easier from the controlling app. */ rgi->gateway.addr = 127 << 24 | 'd' << 16 | 'g' << 8 | 'w'; rgi->flags |= RGI_ADDR_DEFINED; strcpy(best_name, "android-gw"); #endif /* ifndef TARGET_ANDROID */ /* scan adapter list */ if (rgi->flags & RGI_ADDR_DEFINED) { struct ifreq *ifr, *ifend; in_addr_t addr, netmask; struct ifreq ifreq; struct ifconf ifc; struct ifreq ifs[20]; /* Maximum number of interfaces to scan */ if ((sd = socket(AF_INET, SOCK_DGRAM, 0)) < 0) { msg(M_WARN, "GDG: socket() failed"); goto done; } ifc.ifc_len = sizeof(ifs); ifc.ifc_req = ifs; if (ioctl(sd, SIOCGIFCONF, &ifc) < 0) { msg(M_WARN, "GDG: ioctl(SIOCGIFCONF) failed"); goto done; } /* scan through interface list */ ifend = ifs + (ifc.ifc_len / sizeof(struct ifreq)); for (ifr = ifc.ifc_req; ifr < ifend; ifr++) { if (ifr->ifr_addr.sa_family == AF_INET) { /* get interface addr */ addr = ntohl(((struct sockaddr_in *) &ifr->ifr_addr)->sin_addr.s_addr); /* get interface name */ strncpynt(ifreq.ifr_name, ifr->ifr_name, sizeof(ifreq.ifr_name)); /* check that the interface is up */ if (ioctl(sd, SIOCGIFFLAGS, &ifreq) < 0) { continue; } if (!(ifreq.ifr_flags & IFF_UP)) { continue; } if (rgi->flags & RGI_ON_LINK) { /* check that interface name of current interface * matches interface name of best default route */ if (strcmp(ifreq.ifr_name, best_name)) { continue; } #if 0 /* if point-to-point link, use remote addr as route gateway */ if ((ifreq.ifr_flags & IFF_POINTOPOINT) && ioctl(sd, SIOCGIFDSTADDR, &ifreq) >= 0) { rgi->gateway.addr = ntohl(((struct sockaddr_in *) &ifreq.ifr_addr)->sin_addr.s_addr); if (rgi->gateway.addr) { rgi->flags &= ~RGI_ON_LINK; } } #endif } else { /* get interface netmask */ if (ioctl(sd, SIOCGIFNETMASK, &ifreq) < 0) { continue; } netmask = ntohl(((struct sockaddr_in *) &ifreq.ifr_addr)->sin_addr.s_addr); /* check that interface matches default route */ if (((rgi->gateway.addr ^ addr) & netmask) != 0) { continue; } /* save netmask */ rgi->gateway.netmask = netmask; rgi->flags |= RGI_NETMASK_DEFINED; } /* save iface name */ strncpynt(rgi->iface, ifreq.ifr_name, sizeof(rgi->iface)); rgi->flags |= RGI_IFACE_DEFINED; /* now get the hardware address. */ memset(&ifreq.ifr_hwaddr, 0, sizeof(struct sockaddr)); if (ioctl(sd, SIOCGIFHWADDR, &ifreq) < 0) { msg(M_WARN, "GDG: SIOCGIFHWADDR(%s) failed", ifreq.ifr_name); goto done; } memcpy(rgi->hwaddr, &ifreq.ifr_hwaddr.sa_data, 6); rgi->flags |= RGI_HWADDR_DEFINED; break; } } } done: if (sd >= 0) { close(sd); } gc_free(&gc); } /* IPv6 implementation using netlink * http://www.linuxjournal.com/article/7356 * netlink(3), netlink(7), rtnetlink(7) * http://www.virtualbox.org/svn/vbox/trunk/src/VBox/NetworkServices/NAT/rtmon_linux.c */ struct rtreq { struct nlmsghdr nh; struct rtmsg rtm; char attrbuf[512]; }; void get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, const struct in6_addr *dest) { int nls = -1; struct rtreq rtreq; struct rtattr *rta; char rtbuf[2000]; ssize_t ssize; CLEAR(*rgi6); nls = socket( PF_NETLINK, SOCK_RAW, NETLINK_ROUTE ); if (nls < 0) { msg(M_WARN|M_ERRNO, "GDG6: socket() failed" ); goto done; } /* bind() is not needed, no unsolicited msgs coming in */ /* request best matching route, see netlink(7) for explanations */ CLEAR(rtreq); rtreq.nh.nlmsg_type = RTM_GETROUTE; rtreq.nh.nlmsg_flags = NLM_F_REQUEST; /* best match only */ rtreq.rtm.rtm_family = AF_INET6; rtreq.rtm.rtm_src_len = 0; /* not source dependent */ rtreq.rtm.rtm_dst_len = 128; /* exact dst */ rtreq.rtm.rtm_table = RT_TABLE_MAIN; rtreq.rtm.rtm_protocol = RTPROT_UNSPEC; rtreq.nh.nlmsg_len = NLMSG_SPACE(sizeof(rtreq.rtm)); /* set RTA_DST for target IPv6 address we want */ rta = (struct rtattr *)(((char *) &rtreq)+NLMSG_ALIGN(rtreq.nh.nlmsg_len)); rta->rta_type = RTA_DST; rta->rta_len = RTA_LENGTH(16); rtreq.nh.nlmsg_len = NLMSG_ALIGN(rtreq.nh.nlmsg_len) +RTA_LENGTH(16); if (dest == NULL) /* ::, unspecified */ { memset( RTA_DATA(rta), 0, 16 ); /* :: = all-zero */ } else { memcpy( RTA_DATA(rta), (void *)dest, 16 ); } /* send and receive reply */ if (send( nls, &rtreq, rtreq.nh.nlmsg_len, 0 ) < 0) { msg(M_WARN|M_ERRNO, "GDG6: send() failed" ); goto done; } ssize = recv(nls, rtbuf, sizeof(rtbuf), MSG_TRUNC); if (ssize < 0) { msg(M_WARN|M_ERRNO, "GDG6: recv() failed" ); goto done; } if (ssize > sizeof(rtbuf)) { msg(M_WARN, "get_default_gateway_ipv6: returned message too big for buffer (%d>%d)", (int)ssize, (int)sizeof(rtbuf) ); goto done; } struct nlmsghdr *nh; for (nh = (struct nlmsghdr *)rtbuf; NLMSG_OK(nh, ssize); nh = NLMSG_NEXT(nh, ssize)) { struct rtmsg *rtm; int attrlen; if (nh->nlmsg_type == NLMSG_DONE) { break; } if (nh->nlmsg_type == NLMSG_ERROR) { struct nlmsgerr *ne = (struct nlmsgerr *)NLMSG_DATA(nh); /* since linux-4.11 -ENETUNREACH is returned when no route can be * found. Don't print any error message in this case */ if (ne->error != -ENETUNREACH) { msg(M_WARN, "GDG6: NLMSG_ERROR: error %s\n", strerror(-ne->error)); } break; } if (nh->nlmsg_type != RTM_NEWROUTE) { /* shouldn't happen */ msg(M_WARN, "GDG6: unexpected msg_type %d", nh->nlmsg_type ); continue; } rtm = (struct rtmsg *)NLMSG_DATA(nh); attrlen = RTM_PAYLOAD(nh); /* we're only looking for routes in the main table, as "we have * no IPv6" will lead to a lookup result in "Local" (::/0 reject) */ if (rtm->rtm_family != AF_INET6 || rtm->rtm_table != RT_TABLE_MAIN) { continue; } /* we're not interested */ for (rta = RTM_RTA(rtm); RTA_OK(rta, attrlen); rta = RTA_NEXT(rta, attrlen)) { if (rta->rta_type == RTA_GATEWAY) { if (RTA_PAYLOAD(rta) != sizeof(struct in6_addr) ) { msg(M_WARN, "GDG6: RTA_GW size mismatch"); continue; } rgi6->gateway.addr_ipv6 = *(struct in6_addr *) RTA_DATA(rta); rgi6->flags |= RGI_ADDR_DEFINED; } else if (rta->rta_type == RTA_OIF) { char ifname[IF_NAMESIZE+1]; int oif; if (RTA_PAYLOAD(rta) != sizeof(oif) ) { msg(M_WARN, "GDG6: oif size mismatch"); continue; } memcpy(&oif, RTA_DATA(rta), sizeof(oif)); if_indextoname(oif,ifname); strncpy( rgi6->iface, ifname, sizeof(rgi6->iface)-1 ); rgi6->flags |= RGI_IFACE_DEFINED; } } } /* if we have an interface but no gateway, the destination is on-link */ if ( ( rgi6->flags & (RGI_IFACE_DEFINED|RGI_ADDR_DEFINED) ) == RGI_IFACE_DEFINED) { rgi6->flags |= (RGI_ADDR_DEFINED | RGI_ON_LINK); if (dest) { rgi6->gateway.addr_ipv6 = *dest; } } done: if (nls >= 0) { close(nls); } } #elif defined(TARGET_DARWIN) || defined(TARGET_SOLARIS) \ || defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY) \ || defined(TARGET_OPENBSD) || defined(TARGET_NETBSD) #include #include #include #include #include struct rtmsg { struct rt_msghdr m_rtm; char m_space[512]; }; /* the route socket code is identical for all 4 supported BSDs and for * MacOS X (Darwin), with one crucial difference: when going from * 32 bit to 64 bit, the BSDs increased the structure size but kept * source code compatibility by keeping the use of "long", while * MacOS X decided to keep binary compatibility by *changing* the API * to use "uint32_t", thus 32 bit on all OS X variants * * We used to have a large amount of duplicate code here which really * differed only in this (long) vs. (uint32_t) - IMHO, worse than * having a combined block for all BSDs with this single #ifdef inside */ #if defined(TARGET_DARWIN) #define ROUNDUP(a) \ ((a) > 0 ? (1 + (((a) - 1) | (sizeof(uint32_t) - 1))) : sizeof(uint32_t)) #else #define ROUNDUP(a) \ ((a) > 0 ? (1 + (((a) - 1) | (sizeof(long) - 1))) : sizeof(long)) #endif #if defined(TARGET_SOLARIS) #define NEXTADDR(w, u) \ if (rtm_addrs & (w)) { \ l = ROUNDUP(sizeof(u)); memmove(cp, &(u), l); cp += l; \ } #define ADVANCE(x, n) (x += ROUNDUP(sizeof(struct sockaddr_in))) #else /* if defined(TARGET_SOLARIS) */ #define NEXTADDR(w, u) \ if (rtm_addrs & (w)) { \ l = ROUNDUP( ((struct sockaddr *)&(u))->sa_len); memmove(cp, &(u), l); cp += l; \ } #define ADVANCE(x, n) (x += ROUNDUP((n)->sa_len)) #endif #define max(a,b) ((a) > (b) ? (a) : (b)) void get_default_gateway(struct route_gateway_info *rgi) { struct gc_arena gc = gc_new(); struct rtmsg m_rtmsg; int sockfd = -1; int seq, l, pid, rtm_addrs; unsigned int i; struct sockaddr so_dst, so_mask; char *cp = m_rtmsg.m_space; struct sockaddr *gate = NULL, *ifp = NULL, *sa; struct rt_msghdr *rtm_aux; #define rtm m_rtmsg.m_rtm CLEAR(*rgi); /* setup data to send to routing socket */ pid = getpid(); seq = 0; rtm_addrs = RTA_DST | RTA_NETMASK | RTA_IFP; bzero(&m_rtmsg, sizeof(m_rtmsg)); bzero(&so_dst, sizeof(so_dst)); bzero(&so_mask, sizeof(so_mask)); bzero(&rtm, sizeof(struct rt_msghdr)); rtm.rtm_type = RTM_GET; rtm.rtm_flags = RTF_UP | RTF_GATEWAY; rtm.rtm_version = RTM_VERSION; rtm.rtm_seq = ++seq; #ifdef TARGET_OPENBSD rtm.rtm_tableid = getrtable(); #endif rtm.rtm_addrs = rtm_addrs; so_dst.sa_family = AF_INET; so_mask.sa_family = AF_INET; #ifndef TARGET_SOLARIS so_dst.sa_len = sizeof(struct sockaddr_in); so_mask.sa_len = sizeof(struct sockaddr_in); #endif NEXTADDR(RTA_DST, so_dst); NEXTADDR(RTA_NETMASK, so_mask); rtm.rtm_msglen = l = cp - (char *)&m_rtmsg; /* transact with routing socket */ sockfd = socket(PF_ROUTE, SOCK_RAW, 0); if (sockfd < 0) { msg(M_WARN, "GDG: socket #1 failed"); goto done; } if (write(sockfd, (char *)&m_rtmsg, l) < 0) { msg(M_WARN, "GDG: problem writing to routing socket"); goto done; } do { l = read(sockfd, (char *)&m_rtmsg, sizeof(m_rtmsg)); } while (l > 0 && (rtm.rtm_seq != seq || rtm.rtm_pid != pid)); close(sockfd); sockfd = -1; /* extract return data from routing socket */ rtm_aux = &rtm; cp = ((char *)(rtm_aux + 1)); if (rtm_aux->rtm_addrs) { for (i = 1; i; i <<= 1) { if (i & rtm_aux->rtm_addrs) { sa = (struct sockaddr *)cp; if (i == RTA_GATEWAY) { gate = sa; } else if (i == RTA_IFP) { ifp = sa; } ADVANCE(cp, sa); } } } else { goto done; } /* get gateway addr and interface name */ if (gate != NULL) { /* get default gateway addr */ rgi->gateway.addr = ntohl(((struct sockaddr_in *)gate)->sin_addr.s_addr); if (rgi->gateway.addr) { rgi->flags |= RGI_ADDR_DEFINED; } if (ifp) { /* get interface name */ const struct sockaddr_dl *adl = (struct sockaddr_dl *) ifp; if (adl->sdl_nlen && adl->sdl_nlen < sizeof(rgi->iface)) { memcpy(rgi->iface, adl->sdl_data, adl->sdl_nlen); rgi->iface[adl->sdl_nlen] = '\0'; rgi->flags |= RGI_IFACE_DEFINED; } } } /* get netmask of interface that owns default gateway */ if (rgi->flags & RGI_IFACE_DEFINED) { struct ifreq ifr; sockfd = socket(AF_INET, SOCK_DGRAM, 0); if (sockfd < 0) { msg(M_WARN, "GDG: socket #2 failed"); goto done; } CLEAR(ifr); ifr.ifr_addr.sa_family = AF_INET; strncpynt(ifr.ifr_name, rgi->iface, IFNAMSIZ); if (ioctl(sockfd, SIOCGIFNETMASK, (char *)&ifr) < 0) { msg(M_WARN, "GDG: ioctl #1 failed"); goto done; } close(sockfd); sockfd = -1; rgi->gateway.netmask = ntohl(((struct sockaddr_in *)&ifr.ifr_addr)->sin_addr.s_addr); rgi->flags |= RGI_NETMASK_DEFINED; } /* try to read MAC addr associated with interface that owns default gateway */ if (rgi->flags & RGI_IFACE_DEFINED) { struct ifconf ifc; struct ifreq *ifr; const int bufsize = 4096; char *buffer; buffer = (char *) gc_malloc(bufsize, true, &gc); sockfd = socket(AF_INET, SOCK_DGRAM, 0); if (sockfd < 0) { msg(M_WARN, "GDG: socket #3 failed"); goto done; } ifc.ifc_len = bufsize; ifc.ifc_buf = buffer; if (ioctl(sockfd, SIOCGIFCONF, (char *)&ifc) < 0) { msg(M_WARN, "GDG: ioctl #2 failed"); goto done; } close(sockfd); sockfd = -1; for (cp = buffer; cp <= buffer + ifc.ifc_len - sizeof(struct ifreq); ) { ifr = (struct ifreq *)cp; #if defined(TARGET_SOLARIS) const size_t len = sizeof(ifr->ifr_name) + sizeof(ifr->ifr_addr); #else const size_t len = sizeof(ifr->ifr_name) + max(sizeof(ifr->ifr_addr), ifr->ifr_addr.sa_len); #endif if (!ifr->ifr_addr.sa_family) { break; } if (!strncmp(ifr->ifr_name, rgi->iface, IFNAMSIZ)) { if (ifr->ifr_addr.sa_family == AF_LINK) { struct sockaddr_dl *sdl = (struct sockaddr_dl *)&ifr->ifr_addr; memcpy(rgi->hwaddr, LLADDR(sdl), 6); rgi->flags |= RGI_HWADDR_DEFINED; } } cp += len; } } done: if (sockfd >= 0) { close(sockfd); } gc_free(&gc); } /* BSD implementation using routing socket (as does IPv4) * (the code duplication is somewhat unavoidable if we want this to * work on OpenSolaris as well. *sigh*) */ /* Solaris has no length field - this is ugly, but less #ifdef in total */ #if defined(TARGET_SOLARIS) #undef ADVANCE #define ADVANCE(x, n) (x += ROUNDUP(sizeof(struct sockaddr_in6))) #endif void get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, const struct in6_addr *dest) { struct rtmsg m_rtmsg; int sockfd = -1; int seq, l, pid, rtm_addrs; unsigned int i; struct sockaddr_in6 so_dst, so_mask; char *cp = m_rtmsg.m_space; struct sockaddr *gate = NULL, *ifp = NULL, *sa; struct rt_msghdr *rtm_aux; CLEAR(*rgi6); /* setup data to send to routing socket */ pid = getpid(); seq = 0; rtm_addrs = RTA_DST | RTA_NETMASK | RTA_IFP; bzero(&m_rtmsg, sizeof(m_rtmsg)); bzero(&so_dst, sizeof(so_dst)); bzero(&so_mask, sizeof(so_mask)); bzero(&rtm, sizeof(struct rt_msghdr)); rtm.rtm_type = RTM_GET; rtm.rtm_flags = RTF_UP; rtm.rtm_version = RTM_VERSION; rtm.rtm_seq = ++seq; #ifdef TARGET_OPENBSD rtm.rtm_tableid = getrtable(); #endif so_dst.sin6_family = AF_INET6; so_mask.sin6_family = AF_INET6; if (dest != NULL /* specific host? */ && !IN6_IS_ADDR_UNSPECIFIED(dest) ) { so_dst.sin6_addr = *dest; /* :: needs /0 "netmask", host route wants "no netmask */ rtm_addrs &= ~RTA_NETMASK; } rtm.rtm_addrs = rtm_addrs; #ifndef TARGET_SOLARIS so_dst.sin6_len = sizeof(struct sockaddr_in6); so_mask.sin6_len = sizeof(struct sockaddr_in6); #endif NEXTADDR(RTA_DST, so_dst); NEXTADDR(RTA_NETMASK, so_mask); rtm.rtm_msglen = l = cp - (char *)&m_rtmsg; /* transact with routing socket */ sockfd = socket(PF_ROUTE, SOCK_RAW, 0); if (sockfd < 0) { msg(M_WARN, "GDG6: socket #1 failed"); goto done; } if (write(sockfd, (char *)&m_rtmsg, l) < 0) { msg(M_WARN, "GDG6: problem writing to routing socket"); goto done; } do { l = read(sockfd, (char *)&m_rtmsg, sizeof(m_rtmsg)); } while (l > 0 && (rtm.rtm_seq != seq || rtm.rtm_pid != pid)); close(sockfd); sockfd = -1; /* extract return data from routing socket */ rtm_aux = &rtm; cp = ((char *)(rtm_aux + 1)); if (rtm_aux->rtm_addrs) { for (i = 1; i; i <<= 1) { if (i & rtm_aux->rtm_addrs) { sa = (struct sockaddr *)cp; if (i == RTA_GATEWAY) { gate = sa; } else if (i == RTA_IFP) { ifp = sa; } ADVANCE(cp, sa); } } } else { goto done; } /* get gateway addr and interface name */ if (gate != NULL) { struct sockaddr_in6 *s6 = (struct sockaddr_in6 *)gate; struct in6_addr gw = s6->sin6_addr; #ifndef TARGET_SOLARIS /* You do not really want to know... from FreeBSD's route.c * (KAME encodes the 16 bit scope_id in s6_addr[2] + [3], * but for a correct link-local address these must be :0000: ) */ if (gate->sa_len == sizeof(struct sockaddr_in6) && IN6_IS_ADDR_LINKLOCAL(&gw) ) { gw.s6_addr[2] = gw.s6_addr[3] = 0; } if (gate->sa_len != sizeof(struct sockaddr_in6) || IN6_IS_ADDR_UNSPECIFIED(&gw) ) { rgi6->flags |= RGI_ON_LINK; } else #endif rgi6->gateway.addr_ipv6 = gw; rgi6->flags |= RGI_ADDR_DEFINED; if (ifp) { /* get interface name */ const struct sockaddr_dl *adl = (struct sockaddr_dl *) ifp; if (adl->sdl_nlen && adl->sdl_nlen < sizeof(rgi6->iface)) { memcpy(rgi6->iface, adl->sdl_data, adl->sdl_nlen); rgi6->flags |= RGI_IFACE_DEFINED; } } } done: if (sockfd >= 0) { close(sockfd); } } #undef max #else /* if defined(_WIN32) */ /* * This is a platform-specific method that returns data about * the current default gateway. Return data is placed into * a struct route_gateway_info object provided by caller. The * implementation should CLEAR the structure before adding * data to it. * * Data returned includes: * 1. default gateway address (rgi->gateway.addr) * 2. netmask of interface that owns default gateway * (rgi->gateway.netmask) * 3. hardware address (i.e. MAC address) of interface that owns * default gateway (rgi->hwaddr) * 4. interface name (or adapter index on Windows) that owns default * gateway (rgi->iface or rgi->adapter_index) * 5. an array of additional address/netmask pairs defined by * interface that owns default gateway (rgi->addrs with length * given in rgi->n_addrs) * * The flags RGI_x_DEFINED may be used to indicate which of the data * members were successfully returned (set in rgi->flags). All of * the data members are optional, however certain OpenVPN functionality * may be disabled by missing items. */ void get_default_gateway(struct route_gateway_info *rgi) { CLEAR(*rgi); } void get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, const struct in6_addr *dest) { msg(D_ROUTE, "no support for get_default_gateway_ipv6() on this system"); CLEAR(*rgi6); } #endif /* if defined(_WIN32) */ bool netmask_to_netbits(const in_addr_t network, const in_addr_t netmask, int *netbits) { int i; const int addrlen = sizeof(in_addr_t) * 8; if ((network & netmask) == network) { for (i = 0; i <= addrlen; ++i) { in_addr_t mask = netbits_to_netmask(i); if (mask == netmask) { if (i == addrlen) { *netbits = -1; } else { *netbits = i; } return true; } } } return false; } /* similar to netmask_to_netbits(), but don't mess with base address * etc., just convert to netbits - non-mappable masks are returned as "-1" */ int netmask_to_netbits2(in_addr_t netmask) { int i; const int addrlen = sizeof(in_addr_t) * 8; for (i = 0; i <= addrlen; ++i) { in_addr_t mask = netbits_to_netmask(i); if (mask == netmask) { return i; } } return -1; } /* * get_bypass_addresses() is used by the redirect-gateway bypass-x * functions to build a route bypass to selected DHCP/DNS servers, * so that outgoing packets to these servers don't end up in the tunnel. */ #if defined(_WIN32) static void add_host_route_if_nonlocal(struct route_bypass *rb, const in_addr_t addr) { if (test_local_addr(addr, NULL) == TLA_NONLOCAL && addr != 0 && addr != IPV4_NETMASK_HOST) { add_bypass_address(rb, addr); } } static void add_host_route_array(struct route_bypass *rb, const IP_ADDR_STRING *iplist) { while (iplist) { bool succeed = false; const in_addr_t ip = getaddr(GETADDR_HOST_ORDER, iplist->IpAddress.String, 0, &succeed, NULL); if (succeed) { add_host_route_if_nonlocal(rb, ip); } iplist = iplist->Next; } } static void get_bypass_addresses(struct route_bypass *rb, const unsigned int flags) { struct gc_arena gc = gc_new(); /*bool ret_bool = false;*/ /* get full routing table */ const MIB_IPFORWARDTABLE *routes = get_windows_routing_table(&gc); /* get the route which represents the default gateway */ const MIB_IPFORWARDROW *row = get_default_gateway_row(routes); if (row) { /* get the adapter which the default gateway is associated with */ const IP_ADAPTER_INFO *dgi = get_adapter_info(row->dwForwardIfIndex, &gc); /* get extra adapter info, such as DNS addresses */ const IP_PER_ADAPTER_INFO *pai = get_per_adapter_info(row->dwForwardIfIndex, &gc); /* Bypass DHCP server address */ if ((flags & RG_BYPASS_DHCP) && dgi && dgi->DhcpEnabled) { add_host_route_array(rb, &dgi->DhcpServer); } /* Bypass DNS server addresses */ if ((flags & RG_BYPASS_DNS) && pai) { add_host_route_array(rb, &pai->DnsServerList); } } gc_free(&gc); } #else /* if defined(_WIN32) */ static void get_bypass_addresses(struct route_bypass *rb, const unsigned int flags) /* PLATFORM-SPECIFIC */ { } #endif /* if defined(_WIN32) */ /* * Test if addr is reachable via a local interface (return ILA_LOCAL), * or if it needs to be routed via the default gateway (return * ILA_NONLOCAL). If the target platform doesn't implement this * function, return ILA_NOT_IMPLEMENTED. * * Used by redirect-gateway autolocal feature */ #if defined(_WIN32) int test_local_addr(const in_addr_t addr, const struct route_gateway_info *rgi) { struct gc_arena gc = gc_new(); const in_addr_t nonlocal_netmask = 0x80000000L; /* routes with netmask <= to this are considered non-local */ int ret = TLA_NONLOCAL; /* get full routing table */ const MIB_IPFORWARDTABLE *rt = get_windows_routing_table(&gc); if (rt) { int i; for (i = 0; i < rt->dwNumEntries; ++i) { const MIB_IPFORWARDROW *row = &rt->table[i]; const in_addr_t net = ntohl(row->dwForwardDest); const in_addr_t mask = ntohl(row->dwForwardMask); if (mask > nonlocal_netmask && (addr & mask) == net) { ret = TLA_LOCAL; break; } } } gc_free(&gc); return ret; } #else /* if defined(_WIN32) */ int test_local_addr(const in_addr_t addr, const struct route_gateway_info *rgi) /* PLATFORM-SPECIFIC */ { if (rgi) { if (local_route(addr, 0xFFFFFFFF, rgi->gateway.addr, rgi)) { return TLA_LOCAL; } else { return TLA_NONLOCAL; } } return TLA_NOT_IMPLEMENTED; } #endif /* if defined(_WIN32) */ openvpn-2.4.4/src/openvpn/route.h000066400000000000000000000275411316434344000170040ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ /* * Support routines for adding/deleting network routes. */ #ifndef ROUTE_H #define ROUTE_H #include "basic.h" #include "tun.h" #include "misc.h" #ifdef _WIN32 /* * Windows route methods */ #define ROUTE_METHOD_ADAPTIVE 0 /* try IP helper first then route.exe */ #define ROUTE_METHOD_IPAPI 1 /* use IP helper API */ #define ROUTE_METHOD_EXE 2 /* use route.exe */ #define ROUTE_METHOD_SERVICE 3 /* use the privileged Windows service */ #define ROUTE_METHOD_MASK 3 #endif /* * Route add/delete flags (must stay clear of ROUTE_METHOD bits) */ #define ROUTE_DELETE_FIRST (1<<2) #define ROUTE_REF_GW (1<<3) struct route_bypass { #define N_ROUTE_BYPASS 8 int n_bypass; in_addr_t bypass[N_ROUTE_BYPASS]; }; struct route_special_addr { /* bits indicating which members below are defined */ #define RTSA_REMOTE_ENDPOINT (1<<0) #define RTSA_REMOTE_HOST (1<<1) #define RTSA_DEFAULT_METRIC (1<<2) unsigned int flags; in_addr_t remote_endpoint; in_addr_t remote_host; int remote_host_local; /* TLA_x value */ struct route_bypass bypass; int default_metric; }; struct route_option { struct route_option *next; const char *network; const char *netmask; const char *gateway; const char *metric; }; /* redirect-gateway flags */ #define RG_ENABLE (1<<0) #define RG_LOCAL (1<<1) #define RG_DEF1 (1<<2) #define RG_BYPASS_DHCP (1<<3) #define RG_BYPASS_DNS (1<<4) #define RG_REROUTE_GW (1<<5) #define RG_AUTO_LOCAL (1<<6) #define RG_BLOCK_LOCAL (1<<7) struct route_option_list { unsigned int flags; /* RG_x flags */ struct route_option *routes; struct gc_arena *gc; }; struct route_ipv6_option { struct route_ipv6_option *next; const char *prefix; /* e.g. "2001:db8:1::/64" */ const char *gateway; /* e.g. "2001:db8:0::2" */ const char *metric; /* e.g. "5" */ }; struct route_ipv6_option_list { unsigned int flags; /* RG_x flags, see route_option-list */ struct route_ipv6_option *routes_ipv6; struct gc_arena *gc; }; struct route_ipv4 { #define RT_DEFINED (1<<0) #define RT_ADDED (1<<1) #define RT_METRIC_DEFINED (1<<2) struct route_ipv4 *next; unsigned int flags; const struct route_option *option; in_addr_t network; in_addr_t netmask; in_addr_t gateway; int metric; }; struct route_ipv6 { struct route_ipv6 *next; unsigned int flags; /* RT_ flags, see route_ipv4 */ struct in6_addr network; unsigned int netbits; struct in6_addr gateway; int metric; /* gateway interface */ #ifdef _WIN32 DWORD adapter_index; /* interface or ~0 if undefined */ #else char *iface; /* interface name (null terminated) */ #endif }; struct route_gateway_address { in_addr_t addr; in_addr_t netmask; }; struct route_gateway_info { #define RGI_ADDR_DEFINED (1<<0) /* set if gateway.addr defined */ #define RGI_NETMASK_DEFINED (1<<1) /* set if gateway.netmask defined */ #define RGI_HWADDR_DEFINED (1<<2) /* set if hwaddr is defined */ #define RGI_IFACE_DEFINED (1<<3) /* set if iface is defined */ #define RGI_OVERFLOW (1<<4) /* set if more interface addresses than will fit in addrs */ #define RGI_ON_LINK (1<<5) unsigned int flags; /* gateway interface */ #ifdef _WIN32 DWORD adapter_index; /* interface or ~0 if undefined */ #else char iface[16]; /* interface name (null terminated), may be empty */ #endif /* gateway interface hardware address */ uint8_t hwaddr[6]; /* gateway/router address */ struct route_gateway_address gateway; /* address/netmask pairs bound to interface */ #define RGI_N_ADDRESSES 8 int n_addrs; /* len of addrs, may be 0 */ struct route_gateway_address addrs[RGI_N_ADDRESSES]; /* local addresses attached to iface */ }; struct route_ipv6_gateway_address { struct in6_addr addr_ipv6; int netbits_ipv6; }; struct route_ipv6_gateway_info { /* RGI_ flags used as in route_gateway_info */ unsigned int flags; /* gateway interface */ #ifdef _WIN32 DWORD adapter_index; /* interface or ~0 if undefined */ #else char iface[16]; /* interface name (null terminated), may be empty */ #endif /* gateway interface hardware address */ uint8_t hwaddr[6]; /* gateway/router address */ struct route_ipv6_gateway_address gateway; /* address/netmask pairs bound to interface */ #define RGI_N_ADDRESSES 8 int n_addrs; /* len of addrs, may be 0 */ struct route_ipv6_gateway_address addrs[RGI_N_ADDRESSES]; /* local addresses attached to iface */ }; struct route_list { #define RL_DID_REDIRECT_DEFAULT_GATEWAY (1<<0) #define RL_DID_LOCAL (1<<1) #define RL_ROUTES_ADDED (1<<2) unsigned int iflags; struct route_special_addr spec; struct route_gateway_info rgi; unsigned int flags; /* RG_x flags */ struct route_ipv4 *routes; struct gc_arena gc; }; struct route_ipv6_list { unsigned int iflags; /* RL_ flags, see route_list */ unsigned int spec_flags; /* RTSA_ flags, route_special_addr */ struct in6_addr remote_endpoint_ipv6; /* inside tun */ struct in6_addr remote_host_ipv6; /* --remote address */ int default_metric; struct route_ipv6_gateway_info rgi6; unsigned int flags; /* RG_x flags, see route_option_list */ struct route_ipv6 *routes_ipv6; struct gc_arena gc; }; #if P2MP /* internal OpenVPN route */ struct iroute { in_addr_t network; int netbits; struct iroute *next; }; struct iroute_ipv6 { struct in6_addr network; unsigned int netbits; struct iroute_ipv6 *next; }; #endif struct route_option_list *new_route_option_list(struct gc_arena *a); struct route_ipv6_option_list *new_route_ipv6_option_list(struct gc_arena *a); struct route_option_list *clone_route_option_list(const struct route_option_list *src, struct gc_arena *a); struct route_ipv6_option_list *clone_route_ipv6_option_list(const struct route_ipv6_option_list *src, struct gc_arena *a); void copy_route_option_list(struct route_option_list *dest, const struct route_option_list *src, struct gc_arena *a); void copy_route_ipv6_option_list(struct route_ipv6_option_list *dest, const struct route_ipv6_option_list *src, struct gc_arena *a); void add_route_ipv6(struct route_ipv6 *r, const struct tuntap *tt, unsigned int flags, const struct env_set *es); void delete_route_ipv6(const struct route_ipv6 *r, const struct tuntap *tt, unsigned int flags, const struct env_set *es); void add_route(struct route_ipv4 *r, const struct tuntap *tt, unsigned int flags, const struct route_gateway_info *rgi, const struct env_set *es); void add_route_to_option_list(struct route_option_list *l, const char *network, const char *netmask, const char *gateway, const char *metric); void add_route_ipv6_to_option_list(struct route_ipv6_option_list *l, const char *prefix, const char *gateway, const char *metric); bool init_route_list(struct route_list *rl, const struct route_option_list *opt, const char *remote_endpoint, int default_metric, in_addr_t remote_host, struct env_set *es); bool init_route_ipv6_list(struct route_ipv6_list *rl6, const struct route_ipv6_option_list *opt6, const char *remote_endpoint, int default_metric, const struct in6_addr *remote_host, struct env_set *es); void route_list_add_vpn_gateway(struct route_list *rl, struct env_set *es, const in_addr_t addr); void add_routes(struct route_list *rl, struct route_ipv6_list *rl6, const struct tuntap *tt, unsigned int flags, const struct env_set *es); void delete_routes(struct route_list *rl, struct route_ipv6_list *rl6, const struct tuntap *tt, unsigned int flags, const struct env_set *es); void setenv_routes(struct env_set *es, const struct route_list *rl); void setenv_routes_ipv6(struct env_set *es, const struct route_ipv6_list *rl6); bool is_special_addr(const char *addr_str); void get_default_gateway(struct route_gateway_info *rgi); void get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi, const struct in6_addr *dest); void print_default_gateway(const int msglevel, const struct route_gateway_info *rgi, const struct route_ipv6_gateway_info *rgi6); /* * Test if addr is reachable via a local interface (return ILA_LOCAL), * or if it needs to be routed via the default gateway (return * ILA_NONLOCAL). If the current platform doesn't implement this * function, return ILA_NOT_IMPLEMENTED. */ #define TLA_NOT_IMPLEMENTED 0 #define TLA_NONLOCAL 1 #define TLA_LOCAL 2 int test_local_addr(const in_addr_t addr, const struct route_gateway_info *rgi); #ifndef ENABLE_SMALL void print_route_options(const struct route_option_list *rol, int level); #endif void print_routes(const struct route_list *rl, int level); #ifdef _WIN32 void show_routes(int msglev); bool test_routes(const struct route_list *rl, const struct tuntap *tt); bool add_route_ipapi(const struct route_ipv4 *r, const struct tuntap *tt, DWORD adapter_index); bool del_route_ipapi(const struct route_ipv4 *r, const struct tuntap *tt); #else /* ifdef _WIN32 */ static inline bool test_routes(const struct route_list *rl, const struct tuntap *tt) { return true; } #endif bool netmask_to_netbits(const in_addr_t network, const in_addr_t netmask, int *netbits); int netmask_to_netbits2(in_addr_t netmask); static inline in_addr_t netbits_to_netmask(const int netbits) { const int addrlen = sizeof(in_addr_t) * 8; in_addr_t mask = 0; if (netbits > 0 && netbits <= addrlen) { mask = IPV4_NETMASK_HOST << (addrlen-netbits); } return mask; } static inline bool route_list_vpn_gateway_needed(const struct route_list *rl) { if (!rl) { return false; } else { return !(rl->spec.flags & RTSA_REMOTE_ENDPOINT); } } static inline int route_did_redirect_default_gateway(const struct route_list *rl) { return rl && BOOL_CAST(rl->iflags & RL_DID_REDIRECT_DEFAULT_GATEWAY); } #endif /* ifndef ROUTE_H */ openvpn-2.4.4/src/openvpn/schedule.c000066400000000000000000000363071316434344000174350ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) #include "config-msvc.h" #endif #include "syshead.h" #if P2MP_SERVER #include "buffer.h" #include "misc.h" #include "crypto.h" #include "schedule.h" #include "memdbg.h" #ifdef SCHEDULE_TEST struct status { int sru; int ins; int coll; int lsteps; }; static struct status z; #endif #ifdef ENABLE_DEBUG static void schedule_entry_debug_info(const char *caller, const struct schedule_entry *e) { struct gc_arena gc = gc_new(); if (e) { dmsg(D_SCHEDULER, "SCHEDULE: %s wakeup=[%s] pri=%u", caller, tv_string_abs(&e->tv, &gc), e->pri); } else { dmsg(D_SCHEDULER, "SCHEDULE: %s NULL", caller); } gc_free(&gc); } #endif static inline void schedule_set_pri(struct schedule_entry *e) { e->pri = random(); if (e->pri < 1) { e->pri = 1; } } /* This is the master key comparison routine. A key is * simply a struct timeval containing the absolute time for * an event. The unique treap priority (pri) is used to ensure * that keys do not collide. */ static inline int schedule_entry_compare(const struct schedule_entry *e1, const struct schedule_entry *e2) { if (e1->tv.tv_sec < e2->tv.tv_sec) { return -1; } else if (e1->tv.tv_sec > e2->tv.tv_sec) { return 1; } else { if (e1->tv.tv_usec < e2->tv.tv_usec) { return -1; } else if (e1->tv.tv_usec > e2->tv.tv_usec) { return 1; } else { if (e1->pri < e2->pri) { return -1; } else if (e1->pri > e2->pri) { return 1; } else { return 0; } } } } /* * Detach a btree node from its parent */ static inline void schedule_detach_parent(struct schedule *s, struct schedule_entry *e) { if (e) { if (e->parent) { if (e->parent->lt == e) { e->parent->lt = NULL; } else if (e->parent->gt == e) { e->parent->gt = NULL; } else { /* parent <-> child linkage is corrupted */ ASSERT(0); } e->parent = NULL; } else { if (s->root == e) /* last element deleted, tree is empty */ { s->root = NULL; } } } } /* * * Given a binary search tree, move a node toward the root * while still maintaining the correct ordering relationships * within the tree. This function is the workhorse * of the tree balancer. * * This code will break on key collisions, which shouldn't * happen because the treap priority is considered part of the key * and is guaranteed to be unique. */ static void schedule_rotate_up(struct schedule *s, struct schedule_entry *e) { if (e && e->parent) { struct schedule_entry *lt = e->lt; struct schedule_entry *gt = e->gt; struct schedule_entry *p = e->parent; struct schedule_entry *gp = p->parent; if (gp) /* if grandparent exists, modify its child link */ { if (gp->gt == p) { gp->gt = e; } else if (gp->lt == p) { gp->lt = e; } else { ASSERT(0); } } else /* no grandparent, now we are the root */ { s->root = e; } /* grandparent is now our parent */ e->parent = gp; /* parent is now our child */ p->parent = e; /* reorient former parent's links * to reflect new position in the tree */ if (p->gt == e) { e->lt = p; p->gt = lt; if (lt) { lt->parent = p; } } else if (p->lt == e) { e->gt = p; p->lt = gt; if (gt) { gt->parent = p; } } else { /* parent <-> child linkage is corrupted */ ASSERT(0); } #ifdef SCHEDULE_TEST ++z.sru; #endif } } /* * This is the treap deletion algorithm: * * Rotate lesser-priority children up in the tree * until we are childless. Then delete. */ void schedule_remove_node(struct schedule *s, struct schedule_entry *e) { while (e->lt || e->gt) { if (e->lt) { if (e->gt) { if (e->lt->pri < e->gt->pri) { schedule_rotate_up(s, e->lt); } else { schedule_rotate_up(s, e->gt); } } else { schedule_rotate_up(s, e->lt); } } else if (e->gt) { schedule_rotate_up(s, e->gt); } } schedule_detach_parent(s, e); e->pri = 0; } /* * Trivially add a node to a binary search tree without * regard for balance. */ static void schedule_insert(struct schedule *s, struct schedule_entry *e) { struct schedule_entry *c = s->root; while (true) { const int comp = schedule_entry_compare(e, c); #ifdef SCHEDULE_TEST ++z.ins; #endif if (comp == -1) { if (c->lt) { c = c->lt; continue; } else { c->lt = e; e->parent = c; break; } } else if (comp == 1) { if (c->gt) { c = c->gt; continue; } else { c->gt = e; e->parent = c; break; } } else { /* rare key/priority collision -- no big deal, * just choose another priority and retry */ #ifdef SCHEDULE_TEST ++z.coll; #endif schedule_set_pri(e); /* msg (M_INFO, "PRI COLLISION pri=%u", e->pri); */ c = s->root; continue; } } } /* * Given an element, remove it from the btree if it's already * there and re-insert it based on its current key. */ void schedule_add_modify(struct schedule *s, struct schedule_entry *e) { #ifdef ENABLE_DEBUG if (check_debug_level(D_SCHEDULER)) { schedule_entry_debug_info("schedule_add_modify", e); } #endif /* already in tree, remove */ if (IN_TREE(e)) { schedule_remove_node(s, e); } /* set random priority */ schedule_set_pri(e); if (s->root) { schedule_insert(s, e); /* trivial insert into tree */ } else { s->root = e; /* tree was empty, we are the first element */ } /* This is the magic of the randomized treap algorithm which * keeps the tree balanced. Move the node up the tree until * its own priority is greater than that of its parent */ while (e->parent && e->parent->pri > e->pri) { schedule_rotate_up(s, e); } } /* * Find the earliest event to be scheduled */ struct schedule_entry * schedule_find_least(struct schedule_entry *e) { if (e) { while (e->lt) { #ifdef SCHEDULE_TEST ++z.lsteps; #endif e = e->lt; } } #ifdef ENABLE_DEBUG if (check_debug_level(D_SCHEDULER)) { schedule_entry_debug_info("schedule_find_least", e); } #endif return e; } /* * Public functions below this point */ struct schedule * schedule_init(void) { struct schedule *s; ALLOC_OBJ_CLEAR(s, struct schedule); return s; } void schedule_free(struct schedule *s) { free(s); } void schedule_remove_entry(struct schedule *s, struct schedule_entry *e) { s->earliest_wakeup = NULL; /* invalidate cache */ schedule_remove_node(s, e); } /* * Debug functions below this point */ #ifdef SCHEDULE_TEST static inline struct schedule_entry * schedule_find_earliest_wakeup(struct schedule *s) { return schedule_find_least(s->root); } /* * Recursively check that the treap (btree) is * internally consistent. */ int schedule_debug_entry(const struct schedule_entry *e, int depth, int *count, struct timeval *least, const struct timeval *min, const struct timeval *max) { struct gc_arena gc = gc_new(); int maxdepth = depth; if (e) { int d; ASSERT(e != e->lt); ASSERT(e != e->gt); ASSERT(e != e->parent); ASSERT(!e->parent || e->parent != e->lt); ASSERT(!e->parent || e->parent != e->gt); ASSERT(!e->lt || e->lt != e->gt); if (e->lt) { ASSERT(e->lt->parent == e); ASSERT(schedule_entry_compare(e->lt, e) == -1); ASSERT(e->lt->pri >= e->pri); } if (e->gt) { ASSERT(e->gt->parent == e); ASSERT(schedule_entry_compare(e->gt, e)); ASSERT(e->gt->pri >= e->pri); } ASSERT(tv_le(min, &e->tv)); ASSERT(tv_le(&e->tv, max)); if (count) { ++(*count); } if (least && tv_lt(&e->tv, least)) { *least = e->tv; } d = schedule_debug_entry(e->lt, depth+1, count, least, min, &e->tv); if (d > maxdepth) { maxdepth = d; } d = schedule_debug_entry(e->gt, depth+1, count, least, &e->tv, max); if (d > maxdepth) { maxdepth = d; } } gc_free(&gc); return maxdepth; } int schedule_debug(struct schedule *s, int *count, struct timeval *least) { struct timeval min; struct timeval max; min.tv_sec = 0; min.tv_usec = 0; max.tv_sec = 0x7FFFFFFF; max.tv_usec = 0x7FFFFFFF; if (s->root) { ASSERT(s->root->parent == NULL); } return schedule_debug_entry(s->root, 0, count, least, &min, &max); } #if 1 void tv_randomize(struct timeval *tv) { tv->tv_sec += random() % 100; tv->tv_usec = random() % 100; } #else /* if 1 */ void tv_randomize(struct timeval *tv) { struct gc_arena gc = gc_new(); long int choice = get_random(); if ((choice & 0xFF) == 0) { tv->tv_usec += ((choice >> 8) & 0xFF); } else { prng_bytes((uint8_t *)tv, sizeof(struct timeval)); } gc_free(&gc); } #endif /* if 1 */ void schedule_verify(struct schedule *s) { struct gc_arena gc = gc_new(); struct timeval least; int count; int maxlev; struct schedule_entry *e; const struct status zz = z; least.tv_sec = least.tv_usec = 0x7FFFFFFF; count = 0; maxlev = schedule_debug(s, &count, &least); e = schedule_find_earliest_wakeup(s); if (e) { printf("Verification Phase count=%d maxlev=%d sru=%d ins=%d coll=%d ls=%d l=%s", count, maxlev, zz.sru, zz.ins, zz.coll, zz.lsteps, tv_string(&e->tv, &gc)); if (!tv_eq(&least, &e->tv)) { printf(" [COMPUTED DIFFERENT MIN VALUES!]"); } printf("\n"); } CLEAR(z); gc_free(&gc); } void schedule_randomize_array(struct schedule_entry **array, int size) { int i; for (i = 0; i < size; ++i) { const int src = get_random() % size; struct schedule_entry *tmp = array [i]; if (i != src) { array [i] = array [src]; array [src] = tmp; } } } void schedule_print_work(struct schedule_entry *e, int indent) { struct gc_arena gc = gc_new(); int i; for (i = 0; i < indent; ++i) { printf(" "); } if (e) { printf("%s [%u] e=" ptr_format ", p=" ptr_format " lt=" ptr_format " gt=" ptr_format "\n", tv_string(&e->tv, &gc), e->pri, (ptr_type)e, (ptr_type)e->parent, (ptr_type)e->lt, (ptr_type)e->gt); schedule_print_work(e->lt, indent+1); schedule_print_work(e->gt, indent+1); } else { printf("NULL\n"); } gc_free(&gc); } void schedule_print(struct schedule *s) { printf("*************************\n"); schedule_print_work(s->root, 0); } void schedule_test(void) { struct gc_arena gc = gc_new(); int n = 1000; int n_mod = 25; int i, j; struct schedule_entry **array; struct schedule *s = schedule_init(); struct schedule_entry *e; CLEAR(z); ALLOC_ARRAY(array, struct schedule_entry *, n); printf("Creation/Insertion Phase\n"); for (i = 0; i < n; ++i) { ALLOC_OBJ_CLEAR(array[i], struct schedule_entry); tv_randomize(&array[i]->tv); /*schedule_print (s);*/ /*schedule_verify (s);*/ schedule_add_modify(s, array[i]); } schedule_randomize_array(array, n); /*schedule_print (s);*/ schedule_verify(s); for (j = 1; j <= n_mod; ++j) { printf("Modification Phase Pass %d\n", j); for (i = 0; i < n; ++i) { e = schedule_find_earliest_wakeup(s); /*printf ("BEFORE %s\n", tv_string (&e->tv, &gc));*/ tv_randomize(&e->tv); /*printf ("AFTER %s\n", tv_string (&e->tv, &gc));*/ schedule_add_modify(s, e); /*schedule_verify (s);*/ /*schedule_print (s);*/ } schedule_verify(s); /*schedule_print (s);*/ } /*printf ("INS=%d\n", z.ins);*/ while ((e = schedule_find_earliest_wakeup(s))) { schedule_remove_node(s, e); /*schedule_verify (s);*/ } schedule_verify(s); printf("S->ROOT is %s\n", s->root ? "NOT NULL" : "NULL"); for (i = 0; i < n; ++i) { free(array[i]); } free(array); free(s); gc_free(&gc); } #endif /* ifdef SCHEDULE_TEST */ #endif /* if P2MP_SERVER */ openvpn-2.4.4/src/openvpn/schedule.h000066400000000000000000000101341316434344000174300ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifndef SCHEDULE_H #define SCHEDULE_H /* * This code implements an efficient scheduler using * a random treap binary tree. * * The scheduler is used by the server executive to * keep track of which instances need service at a * known time in the future. Instances need to * schedule events for things such as sending * a ping or scheduling a TLS renegotiation. */ #if P2MP_SERVER /* define to enable a special test mode */ /*#define SCHEDULE_TEST*/ #include "otime.h" #include "error.h" struct schedule_entry { struct timeval tv; /* wakeup time */ unsigned int pri; /* random treap priority */ struct schedule_entry *parent; /* treap (btree) links */ struct schedule_entry *lt; struct schedule_entry *gt; }; struct schedule { struct schedule_entry *earliest_wakeup; /* cached earliest wakeup */ struct schedule_entry *root; /* the root of the treap (btree) */ }; /* Public functions */ struct schedule *schedule_init(void); void schedule_free(struct schedule *s); void schedule_remove_entry(struct schedule *s, struct schedule_entry *e); #ifdef SCHEDULE_TEST void schedule_test(void); #endif /* Private Functions */ /* is node already in tree? */ #define IN_TREE(e) ((e)->pri) struct schedule_entry *schedule_find_least(struct schedule_entry *e); void schedule_add_modify(struct schedule *s, struct schedule_entry *e); void schedule_remove_node(struct schedule *s, struct schedule_entry *e); /* Public inline functions */ /* * Add a struct schedule_entry (whose storage is managed by * caller) to the btree. tv signifies the wakeup time for * a future event. sigma is a time interval measured * in microseconds -- the event window being represented * starts at (tv - sigma) and ends at (tv + sigma). * Event signaling can occur anywere within this interval. * Making the interval larger makes the scheduler more efficient, * while making it smaller results in more precise scheduling. * The caller should treat the passed struct schedule_entry as * an opaque object. */ static inline void schedule_add_entry(struct schedule *s, struct schedule_entry *e, const struct timeval *tv, unsigned int sigma) { if (!IN_TREE(e) || !sigma || !tv_within_sigma(tv, &e->tv, sigma)) { e->tv = *tv; schedule_add_modify(s, e); s->earliest_wakeup = NULL; /* invalidate cache */ } } /* * Return the node with the earliest wakeup time. If two * nodes have the exact same wakeup time, select based on * the random priority assigned to each node (the priority * is randomized every time an entry is re-added). */ static inline struct schedule_entry * schedule_get_earliest_wakeup(struct schedule *s, struct timeval *wakeup) { struct schedule_entry *ret; /* cache result */ if (!s->earliest_wakeup) { s->earliest_wakeup = schedule_find_least(s->root); } ret = s->earliest_wakeup; if (ret) { *wakeup = ret->tv; } return ret; } #endif /* if P2MP_SERVER */ #endif /* ifndef SCHEDULE_H */ openvpn-2.4.4/src/openvpn/session_id.c000066400000000000000000000037061316434344000177750ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ /* * Each session is identified by a random 8-byte session identifier. * * For efficiency, the session id is only transmitted over the control * channel (which only sees traffic occasionally when keys are being * negotiated). The data channel sees a smaller version of the session-id -- * it is called the key_id and is currently 2 bits long. */ #ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) #include "config-msvc.h" #endif #include "syshead.h" #ifdef ENABLE_CRYPTO #include "error.h" #include "common.h" #include "crypto.h" #include "session_id.h" #include "memdbg.h" const struct session_id x_session_id_zero; void session_id_random(struct session_id *sid) { prng_bytes(sid->id, SID_SIZE); } const char * session_id_print(const struct session_id *sid, struct gc_arena *gc) { return format_hex(sid->id, SID_SIZE, 0, gc); } #else /* ifdef ENABLE_CRYPTO */ static void dummy(void) { } #endif /* ENABLE_CRYPTO */ openvpn-2.4.4/src/openvpn/session_id.h000066400000000000000000000046001316434344000177740ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ /* * Each session is identified by a random 8-byte session identifier. * * For efficiency, the session id is only transmitted over the control * channel (which only sees traffic occasionally when keys are being * negotiated). */ #ifdef ENABLE_CRYPTO #ifndef SESSION_ID_H #define SESSION_ID_H #include "basic.h" #include "buffer.h" struct session_id { uint8_t id[8]; }; extern const struct session_id x_session_id_zero; #define SID_SIZE (sizeof(x_session_id_zero.id)) static inline bool session_id_equal(const struct session_id *sid1, const struct session_id *sid2) { return !memcmp(sid1->id, sid2->id, SID_SIZE); } static inline bool session_id_defined(const struct session_id *sid1) { return memcmp(sid1->id, &x_session_id_zero.id, SID_SIZE) != 0; } static inline bool session_id_read(struct session_id *sid, struct buffer *buf) { return buf_read(buf, sid->id, SID_SIZE); } static inline bool session_id_write_prepend(const struct session_id *sid, struct buffer *buf) { return buf_write_prepend(buf, sid->id, SID_SIZE); } static inline bool session_id_write(const struct session_id *sid, struct buffer *buf) { return buf_write(buf, sid->id, SID_SIZE); } void session_id_random(struct session_id *sid); const char *session_id_print(const struct session_id *sid, struct gc_arena *gc); #endif /* SESSION_ID_H */ #endif /* ENABLE_CRYPTO */ openvpn-2.4.4/src/openvpn/shaper.c000066400000000000000000000050751316434344000171210ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) #include "config-msvc.h" #endif #include "syshead.h" #include "shaper.h" #include "memdbg.h" #ifdef ENABLE_FEATURE_SHAPER /* * We want to wake up in delay microseconds. If timeval is larger * than delay, set timeval to delay. */ bool shaper_soonest_event(struct timeval *tv, int delay) { bool ret = false; if (delay < 1000000) { if (tv->tv_sec) { tv->tv_sec = 0; tv->tv_usec = delay; ret = true; } else if (delay < tv->tv_usec) { tv->tv_usec = delay; ret = true; } } else { const int sec = delay / 1000000; const int usec = delay % 1000000; if (sec < tv->tv_sec) { tv->tv_sec = sec; tv->tv_usec = usec; ret = true; } else if (sec == tv->tv_sec) { if (usec < tv->tv_usec) { tv->tv_usec = usec; ret = true; } } } #ifdef SHAPER_DEBUG dmsg(D_SHAPER_DEBUG, "SHAPER shaper_soonest_event sec=%d usec=%d ret=%d", (int)tv->tv_sec, (int)tv->tv_usec, (int)ret); #endif return ret; } void shaper_reset_wakeup(struct shaper *s) { CLEAR(s->wakeup); } void shaper_msg(struct shaper *s) { msg(M_INFO, "Output Traffic Shaping initialized at %d bytes per second", s->bytes_per_second); } #else /* ifdef ENABLE_FEATURE_SHAPER */ static void dummy(void) { } #endif /* ENABLE_FEATURE_SHAPER */ openvpn-2.4.4/src/openvpn/shaper.h000066400000000000000000000104111316434344000171140ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifndef SHAPER_H #define SHAPER_H /*#define SHAPER_DEBUG*/ #ifdef ENABLE_FEATURE_SHAPER #include "basic.h" #include "integer.h" #include "misc.h" #include "error.h" #include "interval.h" /* * A simple traffic shaper for * the output direction. */ #define SHAPER_MIN 100 /* bytes per second */ #define SHAPER_MAX 100000000 #define SHAPER_MAX_TIMEOUT 10 /* seconds */ #define SHAPER_USE_FP struct shaper { int bytes_per_second; struct timeval wakeup; #ifdef SHAPER_USE_FP double factor; #else int factor; #endif }; void shaper_msg(struct shaper *s); void shaper_reset_wakeup(struct shaper *s); /* * We want to wake up in delay microseconds. If timeval is larger * than delay, set timeval to delay. */ bool shaper_soonest_event(struct timeval *tv, int delay); /* * inline functions */ static inline void shaper_reset(struct shaper *s, int bytes_per_second) { s->bytes_per_second = constrain_int(bytes_per_second, SHAPER_MIN, SHAPER_MAX); #ifdef SHAPER_USE_FP s->factor = 1000000.0 / (double)s->bytes_per_second; #else s->factor = 1000000 / s->bytes_per_second; #endif } static inline void shaper_init(struct shaper *s, int bytes_per_second) { shaper_reset(s, bytes_per_second); shaper_reset_wakeup(s); } static inline int shaper_current_bandwidth(struct shaper *s) { return s->bytes_per_second; } /* * Returns traffic shaping delay in microseconds relative to current * time, or 0 if no delay. */ static inline int shaper_delay(struct shaper *s) { struct timeval tv; int delay = 0; if (tv_defined(&s->wakeup)) { ASSERT(!openvpn_gettimeofday(&tv, NULL)); delay = tv_subtract(&s->wakeup, &tv, SHAPER_MAX_TIMEOUT); #ifdef SHAPER_DEBUG dmsg(D_SHAPER_DEBUG, "SHAPER shaper_delay delay=%d", delay); #endif } return delay > 0 ? delay : 0; } /* * We are about to send a datagram of nbytes bytes. * * Compute when we can send another datagram, * based on target throughput (s->bytes_per_second). */ static inline void shaper_wrote_bytes(struct shaper *s, int nbytes) { struct timeval tv; /* compute delay in microseconds */ tv.tv_sec = 0; #ifdef SHAPER_USE_FP tv.tv_usec = min_int((int)((double)max_int(nbytes, 100) * s->factor), (SHAPER_MAX_TIMEOUT*1000000)); #else tv.tv_usec = s->bytes_per_second ? min_int(max_int(nbytes, 100) * s->factor, (SHAPER_MAX_TIMEOUT*1000000)) : 0; #endif if (tv.tv_usec) { ASSERT(!openvpn_gettimeofday(&s->wakeup, NULL)); tv_add(&s->wakeup, &tv); #ifdef SHAPER_DEBUG dmsg(D_SHAPER_DEBUG, "SHAPER shaper_wrote_bytes bytes=%d delay=%d sec=%d usec=%d", nbytes, (int)tv.tv_usec, (int)s->wakeup.tv_sec, (int)s->wakeup.tv_usec); #endif } } #if 0 /* * Increase/Decrease bandwidth by a percentage. * * Return true if bandwidth changed. */ static inline bool shaper_change_pct(struct shaper *s, int pct) { const int orig_bandwidth = s->bytes_per_second; const int new_bandwidth = orig_bandwidth + (orig_bandwidth * pct / 100); ASSERT(s->bytes_per_second); shaper_reset(s, new_bandwidth); return s->bytes_per_second != orig_bandwidth; } #endif #endif /* ENABLE_FEATURE_SHAPER */ #endif /* ifndef SHAPER_H */ openvpn-2.4.4/src/openvpn/sig.c000066400000000000000000000267501316434344000164240ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) #include "config-msvc.h" #endif #include "syshead.h" #include "buffer.h" #include "error.h" #include "win32.h" #include "init.h" #include "status.h" #include "sig.h" #include "occ.h" #include "manage.h" #include "openvpn.h" #include "memdbg.h" /* Handle signals */ struct signal_info siginfo_static; /* GLOBAL */ struct signame { int value; const char *upper; const char *lower; }; static const struct signame signames[] = { { SIGINT, "SIGINT", "sigint"}, { SIGTERM, "SIGTERM", "sigterm" }, { SIGHUP, "SIGHUP", "sighup" }, { SIGUSR1, "SIGUSR1", "sigusr1" }, { SIGUSR2, "SIGUSR2", "sigusr2" } }; int parse_signal(const char *signame) { int i; for (i = 0; i < (int)SIZE(signames); ++i) { if (!strcmp(signame, signames[i].upper)) { return signames[i].value; } } return -1; } const char * signal_name(const int sig, const bool upper) { int i; for (i = 0; i < (int)SIZE(signames); ++i) { if (sig == signames[i].value) { return upper ? signames[i].upper : signames[i].lower; } } return "UNKNOWN"; } const char * signal_description(const int signum, const char *sigtext) { if (sigtext) { return sigtext; } else { return signal_name(signum, false); } } void throw_signal(const int signum) { siginfo_static.signal_received = signum; siginfo_static.source = SIG_SOURCE_HARD; } void throw_signal_soft(const int signum, const char *signal_text) { siginfo_static.signal_received = signum; siginfo_static.source = SIG_SOURCE_SOFT; siginfo_static.signal_text = signal_text; } static void signal_reset(struct signal_info *si) { if (si) { si->signal_received = 0; si->signal_text = NULL; si->source = SIG_SOURCE_SOFT; } } void print_signal(const struct signal_info *si, const char *title, int msglevel) { if (si) { const char *type = (si->signal_text ? si->signal_text : ""); const char *t = (title ? title : "process"); const char *hs = NULL; switch (si->source) { case SIG_SOURCE_SOFT: hs = "soft"; break; case SIG_SOURCE_HARD: hs = "hard"; break; case SIG_SOURCE_CONNECTION_FAILED: hs = "connection failed(soft)"; break; default: ASSERT(0); } switch (si->signal_received) { case SIGINT: case SIGTERM: msg(msglevel, "%s[%s,%s] received, %s exiting", signal_name(si->signal_received, true), hs, type, t); break; case SIGHUP: case SIGUSR1: msg(msglevel, "%s[%s,%s] received, %s restarting", signal_name(si->signal_received, true), hs, type, t); break; default: msg(msglevel, "Unknown signal %d [%s,%s] received by %s", si->signal_received, hs, type, t); break; } } else { msg(msglevel, "Unknown signal received"); } } /* * Call management interface with restart info */ void signal_restart_status(const struct signal_info *si) { #ifdef ENABLE_MANAGEMENT if (management) { int state = -1; switch (si->signal_received) { case SIGINT: case SIGTERM: state = OPENVPN_STATE_EXITING; break; case SIGHUP: case SIGUSR1: state = OPENVPN_STATE_RECONNECTING; break; } if (state >= 0) { management_set_state(management, state, si->signal_text ? si->signal_text : signal_name(si->signal_received, true), NULL, NULL, NULL, NULL); } } #endif /* ifdef ENABLE_MANAGEMENT */ } #ifdef HAVE_SIGNAL_H /* normal signal handler, when we are in event loop */ static void signal_handler(const int signum) { throw_signal(signum); signal(signum, signal_handler); } #endif /* set handlers for unix signals */ #ifdef HAVE_SIGNAL_H #define SM_UNDEF 0 #define SM_PRE_INIT 1 #define SM_POST_INIT 2 static int signal_mode; /* GLOBAL */ #endif void pre_init_signal_catch(void) { #ifndef _WIN32 #ifdef HAVE_SIGNAL_H signal_mode = SM_PRE_INIT; signal(SIGINT, signal_handler); signal(SIGTERM, signal_handler); signal(SIGHUP, SIG_IGN); signal(SIGUSR1, SIG_IGN); signal(SIGUSR2, SIG_IGN); signal(SIGPIPE, SIG_IGN); #endif /* HAVE_SIGNAL_H */ #endif /* _WIN32 */ } void post_init_signal_catch(void) { #ifndef _WIN32 #ifdef HAVE_SIGNAL_H signal_mode = SM_POST_INIT; signal(SIGINT, signal_handler); signal(SIGTERM, signal_handler); signal(SIGHUP, signal_handler); signal(SIGUSR1, signal_handler); signal(SIGUSR2, signal_handler); signal(SIGPIPE, SIG_IGN); #endif /* HAVE_SIGNAL_H */ #endif } /* called after daemonization to retain signal settings */ void restore_signal_state(void) { #ifdef HAVE_SIGNAL_H if (signal_mode == SM_PRE_INIT) { pre_init_signal_catch(); } else if (signal_mode == SM_POST_INIT) { post_init_signal_catch(); } #endif } /* * Print statistics. * * Triggered by SIGUSR2 or F2 on Windows. */ void print_status(const struct context *c, struct status_output *so) { struct gc_arena gc = gc_new(); status_reset(so); status_printf(so, "OpenVPN STATISTICS"); status_printf(so, "Updated,%s", time_string(0, 0, false, &gc)); status_printf(so, "TUN/TAP read bytes," counter_format, c->c2.tun_read_bytes); status_printf(so, "TUN/TAP write bytes," counter_format, c->c2.tun_write_bytes); status_printf(so, "TCP/UDP read bytes," counter_format, c->c2.link_read_bytes); status_printf(so, "TCP/UDP write bytes," counter_format, c->c2.link_write_bytes); status_printf(so, "Auth read bytes," counter_format, c->c2.link_read_bytes_auth); #ifdef USE_COMP if (c->c2.comp_context) { comp_print_stats(c->c2.comp_context, so); } #endif #ifdef PACKET_TRUNCATION_CHECK status_printf(so, "TUN read truncations," counter_format, c->c2.n_trunc_tun_read); status_printf(so, "TUN write truncations," counter_format, c->c2.n_trunc_tun_write); status_printf(so, "Pre-encrypt truncations," counter_format, c->c2.n_trunc_pre_encrypt); status_printf(so, "Post-decrypt truncations," counter_format, c->c2.n_trunc_post_decrypt); #endif #ifdef _WIN32 if (tuntap_defined(c->c1.tuntap)) { status_printf(so, "TAP-WIN32 driver status,\"%s\"", tap_win_getinfo(c->c1.tuntap, &gc)); } #endif status_printf(so, "END"); status_flush(so); gc_free(&gc); } #ifdef ENABLE_OCC /* * Handle the triggering and time-wait of explicit * exit notification. */ static void process_explicit_exit_notification_init(struct context *c) { msg(M_INFO, "SIGTERM received, sending exit notification to peer"); event_timeout_init(&c->c2.explicit_exit_notification_interval, 1, 0); reset_coarse_timers(c); signal_reset(c->sig); halt_non_edge_triggered_signals(); c->c2.explicit_exit_notification_time_wait = now; } void process_explicit_exit_notification_timer_wakeup(struct context *c) { if (event_timeout_trigger(&c->c2.explicit_exit_notification_interval, &c->c2.timeval, ETT_DEFAULT)) { ASSERT(c->c2.explicit_exit_notification_time_wait && c->options.ce.explicit_exit_notification); if (now >= c->c2.explicit_exit_notification_time_wait + c->options.ce.explicit_exit_notification) { event_timeout_clear(&c->c2.explicit_exit_notification_interval); c->sig->signal_received = SIGTERM; c->sig->signal_text = "exit-with-notification"; } else { c->c2.occ_op = OCC_EXIT; } } } #endif /* ifdef ENABLE_OCC */ /* * Process signals */ void remap_signal(struct context *c) { if (c->sig->signal_received == SIGUSR1 && c->options.remap_sigusr1) { c->sig->signal_received = c->options.remap_sigusr1; } } static void process_sigusr2(const struct context *c) { struct status_output *so = status_open(NULL, 0, M_INFO, NULL, 0); print_status(c, so); status_close(so); signal_reset(c->sig); } static bool process_sigterm(struct context *c) { bool ret = true; #ifdef ENABLE_OCC if (c->options.ce.explicit_exit_notification && !c->c2.explicit_exit_notification_time_wait) { process_explicit_exit_notification_init(c); ret = false; } #endif return ret; } /** * If a restart signal is received during exit-notification, reset the * signal and return true. If its a soft restart signal from the event loop * which implies the loop cannot continue, remap to SIGTERM to exit promptly. */ static bool ignore_restart_signals(struct context *c) { bool ret = false; #ifdef ENABLE_OCC if ( (c->sig->signal_received == SIGUSR1 || c->sig->signal_received == SIGHUP) && event_timeout_defined(&c->c2.explicit_exit_notification_interval) ) { if (c->sig->source == SIG_SOURCE_HARD) { msg(M_INFO, "Ignoring %s received during exit notification", signal_name(c->sig->signal_received, true)); signal_reset(c->sig); ret = true; } else { msg(M_INFO, "Converting soft %s received during exit notification to SIGTERM", signal_name(c->sig->signal_received, true)); register_signal(c, SIGTERM, "exit-with-notification"); ret = false; } } #endif return ret; } bool process_signal(struct context *c) { bool ret = true; if (ignore_restart_signals(c)) { ret = false; } else if (c->sig->signal_received == SIGTERM || c->sig->signal_received == SIGINT) { ret = process_sigterm(c); } else if (c->sig->signal_received == SIGUSR2) { process_sigusr2(c); ret = false; } return ret; } void register_signal(struct context *c, int sig, const char *text) { if (c->sig->signal_received != SIGTERM) { c->sig->signal_received = sig; } c->sig->signal_text = text; } openvpn-2.4.4/src/openvpn/sig.h000066400000000000000000000055731316434344000164310ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifndef SIG_H #define SIG_H #include "status.h" #include "win32.h" #define SIG_SOURCE_SOFT 0 #define SIG_SOURCE_HARD 1 /* CONNECTION_FAILED is also a "soft" status, * It is thrown if a connection attempt fails */ #define SIG_SOURCE_CONNECTION_FAILED 2 /* * Signal information, including signal code * and descriptive text. */ struct signal_info { volatile int signal_received; volatile int source; const char *signal_text; }; #define IS_SIG(c) ((c)->sig->signal_received) struct context; extern struct signal_info siginfo_static; int parse_signal(const char *signame); const char *signal_name(const int sig, const bool upper); const char *signal_description(const int signum, const char *sigtext); void throw_signal(const int signum); void throw_signal_soft(const int signum, const char *signal_text); void pre_init_signal_catch(void); void post_init_signal_catch(void); void restore_signal_state(void); void print_signal(const struct signal_info *si, const char *title, int msglevel); void print_status(const struct context *c, struct status_output *so); void remap_signal(struct context *c); void signal_restart_status(const struct signal_info *si); bool process_signal(struct context *c); void register_signal(struct context *c, int sig, const char *text); #ifdef ENABLE_OCC void process_explicit_exit_notification_timer_wakeup(struct context *c); #endif #ifdef _WIN32 static inline void get_signal(volatile int *sig) { *sig = win32_signal_get(&win32_signal); } static inline void halt_non_edge_triggered_signals(void) { win32_signal_close(&win32_signal); } #else /* ifdef _WIN32 */ static inline void get_signal(volatile int *sig) { const int i = siginfo_static.signal_received; if (i) { *sig = i; } } static inline void halt_non_edge_triggered_signals(void) { } #endif /* ifdef _WIN32 */ #endif /* ifndef SIG_H */ openvpn-2.4.4/src/openvpn/socket.c000066400000000000000000003303141316434344000171240ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) #include "config-msvc.h" #endif #include "syshead.h" #include "socket.h" #include "fdmisc.h" #include "misc.h" #include "gremlin.h" #include "plugin.h" #include "ps.h" #include "manage.h" #include "misc.h" #include "manage.h" #include "openvpn.h" #include "forward.h" #include "memdbg.h" const int proto_overhead[] = { /* indexed by PROTO_x */ 0, IPv4_UDP_HEADER_SIZE, /* IPv4 */ IPv4_TCP_HEADER_SIZE, IPv4_TCP_HEADER_SIZE, IPv6_UDP_HEADER_SIZE, /* IPv6 */ IPv6_TCP_HEADER_SIZE, IPv6_TCP_HEADER_SIZE, IPv6_TCP_HEADER_SIZE, }; /* * Convert sockflags/getaddr_flags into getaddr_flags */ static unsigned int sf2gaf(const unsigned int getaddr_flags, const unsigned int sockflags) { if (sockflags & SF_HOST_RANDOMIZE) { return getaddr_flags | GETADDR_RANDOMIZE; } else { return getaddr_flags; } } /* * Functions related to the translation of DNS names to IP addresses. */ /* * Translate IP addr or hostname to in_addr_t. * If resolve error, try again for * resolve_retry_seconds seconds. */ in_addr_t getaddr(unsigned int flags, const char *hostname, int resolve_retry_seconds, bool *succeeded, volatile int *signal_received) { struct addrinfo *ai; int status; status = openvpn_getaddrinfo(flags & ~GETADDR_HOST_ORDER, hostname, NULL, resolve_retry_seconds, signal_received, AF_INET, &ai); if (status==0) { struct in_addr ia; if (succeeded) { *succeeded = true; } ia = ((struct sockaddr_in *)ai->ai_addr)->sin_addr; freeaddrinfo(ai); return (flags & GETADDR_HOST_ORDER) ? ntohl(ia.s_addr) : ia.s_addr; } else { if (succeeded) { *succeeded = false; } return 0; } } static inline bool streqnull(const char *a, const char *b) { if (a == NULL && b == NULL) { return true; } else if (a == NULL || b == NULL) { return false; } else { return streq(a, b); } } /* * get_cached_dns_entry return 0 on success and -1 * otherwise. (like getaddrinfo) */ static int get_cached_dns_entry(struct cached_dns_entry *dns_cache, const char *hostname, const char *servname, int ai_family, int resolve_flags, struct addrinfo **ai) { struct cached_dns_entry *ph; int flags; /* Only use flags that are relevant for the structure */ flags = resolve_flags & GETADDR_CACHE_MASK; for (ph = dns_cache; ph; ph = ph->next) { if (streqnull(ph->hostname, hostname) && streqnull(ph->servname, servname) && ph->ai_family == ai_family && ph->flags == flags) { *ai = ph->ai; return 0; } } return -1; } static int do_preresolve_host(struct context *c, const char *hostname, const char *servname, const int af, const int flags) { struct addrinfo *ai; int status; if (get_cached_dns_entry(c->c1.dns_cache, hostname, servname, af, flags, &ai) == 0) { /* entry already cached, return success */ return 0; } status = openvpn_getaddrinfo(flags, hostname, servname, c->options.resolve_retry_seconds, NULL, af, &ai); if (status == 0) { struct cached_dns_entry *ph; ALLOC_OBJ_CLEAR_GC(ph, struct cached_dns_entry, &c->gc); ph->ai = ai; ph->hostname = hostname; ph->servname = servname; ph->flags = flags & GETADDR_CACHE_MASK; if (!c->c1.dns_cache) { c->c1.dns_cache = ph; } else { struct cached_dns_entry *prev = c->c1.dns_cache; while (prev->next) { prev = prev->next; } prev->next = ph; } gc_addspecial(ai, &gc_freeaddrinfo_callback, &c->gc); } return status; } void do_preresolve(struct context *c) { int i; struct connection_list *l = c->options.connection_list; const unsigned int preresolve_flags = GETADDR_RESOLVE |GETADDR_UPDATE_MANAGEMENT_STATE |GETADDR_MENTION_RESOLVE_RETRY |GETADDR_FATAL; for (i = 0; i < l->len; ++i) { int status; const char *remote; int flags = preresolve_flags; struct connection_entry *ce = c->options.connection_list->array[i]; if (proto_is_dgram(ce->proto)) { flags |= GETADDR_DATAGRAM; } if (c->options.sockflags & SF_HOST_RANDOMIZE) { flags |= GETADDR_RANDOMIZE; } if (c->options.ip_remote_hint) { remote = c->options.ip_remote_hint; } else { remote = ce->remote; } /* HTTP remote hostname does not need to be resolved */ if (!ce->http_proxy_options) { status = do_preresolve_host(c, remote, ce->remote_port, ce->af, flags); if (status != 0) { goto err; } } /* Preresolve proxy */ if (ce->http_proxy_options) { status = do_preresolve_host(c, ce->http_proxy_options->server, ce->http_proxy_options->port, ce->af, preresolve_flags); if (status != 0) { goto err; } } if (ce->socks_proxy_server) { status = do_preresolve_host(c, ce->socks_proxy_server, ce->socks_proxy_port, ce->af, flags); if (status != 0) { goto err; } } if (ce->bind_local) { flags |= GETADDR_PASSIVE; flags &= ~GETADDR_RANDOMIZE; status = do_preresolve_host(c, ce->local, ce->local_port, ce->af, flags); if (status != 0) { goto err; } } } return; err: throw_signal_soft(SIGHUP, "Preresolving failed"); } /* * Translate IPv4/IPv6 addr or hostname into struct addrinfo * If resolve error, try again for resolve_retry_seconds seconds. */ int openvpn_getaddrinfo(unsigned int flags, const char *hostname, const char *servname, int resolve_retry_seconds, volatile int *signal_received, int ai_family, struct addrinfo **res) { struct addrinfo hints; int status; int sigrec = 0; int msglevel = (flags & GETADDR_FATAL) ? M_FATAL : D_RESOLVE_ERRORS; struct gc_arena gc = gc_new(); const char *print_hostname; const char *print_servname; ASSERT(res); ASSERT(hostname || servname); ASSERT(!(flags & GETADDR_HOST_ORDER)); if (servname) { print_servname = servname; } else { print_servname = ""; } if (flags & GETADDR_MSG_VIRT_OUT) { msglevel |= M_MSG_VIRT_OUT; } if ((flags & (GETADDR_FATAL_ON_SIGNAL|GETADDR_WARN_ON_SIGNAL)) && !signal_received) { signal_received = &sigrec; } /* try numeric ipv6 addr first */ CLEAR(hints); hints.ai_family = ai_family; hints.ai_flags = AI_NUMERICHOST; if (flags & GETADDR_PASSIVE) { hints.ai_flags |= AI_PASSIVE; } if (flags & GETADDR_DATAGRAM) { hints.ai_socktype = SOCK_DGRAM; } else { hints.ai_socktype = SOCK_STREAM; } status = getaddrinfo(hostname, servname, &hints, res); if (status != 0) /* parse as numeric address failed? */ { const int fail_wait_interval = 5; /* seconds */ /* Add +4 to cause integer division rounding up (1 + 4) = 5, (0+4)/5=0 */ int resolve_retries = (flags & GETADDR_TRY_ONCE) ? 1 : ((resolve_retry_seconds + 4)/ fail_wait_interval); const char *fmt; int level = 0; if (hostname && (flags & GETADDR_RANDOMIZE)) { hostname = hostname_randomize(hostname, &gc); } if (hostname) { print_hostname = hostname; } else { print_hostname = "undefined"; } fmt = "RESOLVE: Cannot resolve host address: %s:%s (%s)"; if ((flags & GETADDR_MENTION_RESOLVE_RETRY) && !resolve_retry_seconds) { fmt = "RESOLVE: Cannot resolve host address: %s:%s (%s) (I would have retried this name query if you had specified the --resolv-retry option.)"; } if (!(flags & GETADDR_RESOLVE) || status == EAI_FAIL) { msg(msglevel, "RESOLVE: Cannot parse IP address: %s:%s (%s)", print_hostname,print_servname, gai_strerror(status)); goto done; } #ifdef ENABLE_MANAGEMENT if (flags & GETADDR_UPDATE_MANAGEMENT_STATE) { if (management) { management_set_state(management, OPENVPN_STATE_RESOLVE, NULL, NULL, NULL, NULL, NULL); } } #endif /* * Resolve hostname */ while (true) { #ifndef _WIN32 res_init(); #endif /* try hostname lookup */ hints.ai_flags &= ~AI_NUMERICHOST; dmsg(D_SOCKET_DEBUG, "GETADDRINFO flags=0x%04x ai_family=%d ai_socktype=%d", flags, hints.ai_family, hints.ai_socktype); status = getaddrinfo(hostname, servname, &hints, res); if (signal_received) { get_signal(signal_received); if (*signal_received) /* were we interrupted by a signal? */ { if (*signal_received == SIGUSR1) /* ignore SIGUSR1 */ { msg(level, "RESOLVE: Ignored SIGUSR1 signal received during DNS resolution attempt"); *signal_received = 0; } else { /* turn success into failure (interrupted syscall) */ if (0 == status) { ASSERT(res); freeaddrinfo(*res); *res = NULL; status = EAI_AGAIN; /* = temporary failure */ errno = EINTR; } goto done; } } } /* success? */ if (0 == status) { break; } /* resolve lookup failed, should we * continue or fail? */ level = msglevel; if (resolve_retries > 0) { level = D_RESOLVE_ERRORS; } msg(level, fmt, print_hostname, print_servname, gai_strerror(status)); if (--resolve_retries <= 0) { goto done; } management_sleep(fail_wait_interval); } ASSERT(res); /* hostname resolve succeeded */ /* * Do not choose an IP Addresse by random or change the order * * of IP addresses, doing so will break RFC 3484 address selection * */ } else { /* IP address parse succeeded */ if (flags & GETADDR_RANDOMIZE) { msg(M_WARN, "WARNING: ignoring --remote-random-hostname because the hostname is an IP address"); } } done: if (signal_received && *signal_received) { int level = 0; if (flags & GETADDR_FATAL_ON_SIGNAL) { level = M_FATAL; } else if (flags & GETADDR_WARN_ON_SIGNAL) { level = M_WARN; } msg(level, "RESOLVE: signal received during DNS resolution attempt"); } gc_free(&gc); return status; } /* * We do our own inet_aton because the glibc function * isn't very good about error checking. */ int openvpn_inet_aton(const char *dotted_quad, struct in_addr *addr) { unsigned int a, b, c, d; CLEAR(*addr); if (sscanf(dotted_quad, "%u.%u.%u.%u", &a, &b, &c, &d) == 4) { if (a < 256 && b < 256 && c < 256 && d < 256) { addr->s_addr = htonl(a<<24 | b<<16 | c<<8 | d); return OIA_IP; /* good dotted quad */ } } if (string_class(dotted_quad, CC_DIGIT|CC_DOT, 0)) { return OIA_ERROR; /* probably a badly formatted dotted quad */ } else { return OIA_HOSTNAME; /* probably a hostname */ } } bool ip_addr_dotted_quad_safe(const char *dotted_quad) { /* verify non-NULL */ if (!dotted_quad) { return false; } /* verify length is within limits */ if (strlen(dotted_quad) > 15) { return false; } /* verify that all chars are either numeric or '.' and that no numeric * substring is greater than 3 chars */ { int nnum = 0; const char *p = dotted_quad; int c; while ((c = *p++)) { if (c >= '0' && c <= '9') { ++nnum; if (nnum > 3) { return false; } } else if (c == '.') { nnum = 0; } else { return false; } } } /* verify that string will convert to IP address */ { struct in_addr a; return openvpn_inet_aton(dotted_quad, &a) == OIA_IP; } } bool ipv6_addr_safe(const char *ipv6_text_addr) { /* verify non-NULL */ if (!ipv6_text_addr) { return false; } /* verify length is within limits */ if (strlen(ipv6_text_addr) > INET6_ADDRSTRLEN) { return false; } /* verify that string will convert to IPv6 address */ { struct in6_addr a6; return inet_pton( AF_INET6, ipv6_text_addr, &a6 ) == 1; } } static bool dns_addr_safe(const char *addr) { if (addr) { const size_t len = strlen(addr); return len > 0 && len <= 255 && string_class(addr, CC_ALNUM|CC_DASH|CC_DOT, 0); } else { return false; } } bool ip_or_dns_addr_safe(const char *addr, const bool allow_fqdn) { if (ip_addr_dotted_quad_safe(addr)) { return true; } else if (allow_fqdn) { return dns_addr_safe(addr); } else { return false; } } bool mac_addr_safe(const char *mac_addr) { /* verify non-NULL */ if (!mac_addr) { return false; } /* verify length is within limits */ if (strlen(mac_addr) > 17) { return false; } /* verify that all chars are either alphanumeric or ':' and that no * alphanumeric substring is greater than 2 chars */ { int nnum = 0; const char *p = mac_addr; int c; while ((c = *p++)) { if ( (c >= '0' && c <= '9') || (c >= 'a' && c <= 'f') || (c >= 'A' && c <= 'F') ) { ++nnum; if (nnum > 2) { return false; } } else if (c == ':') { nnum = 0; } else { return false; } } } /* error-checking is left to script invoked in lladdr.c */ return true; } static int socket_get_sndbuf(int sd) { #if defined(HAVE_GETSOCKOPT) && defined(SOL_SOCKET) && defined(SO_SNDBUF) int val; socklen_t len; len = sizeof(val); if (getsockopt(sd, SOL_SOCKET, SO_SNDBUF, (void *) &val, &len) == 0 && len == sizeof(val)) { return val; } #endif return 0; } static void socket_set_sndbuf(int sd, int size) { #if defined(HAVE_SETSOCKOPT) && defined(SOL_SOCKET) && defined(SO_SNDBUF) if (setsockopt(sd, SOL_SOCKET, SO_SNDBUF, (void *) &size, sizeof(size)) != 0) { msg(M_WARN, "NOTE: setsockopt SO_SNDBUF=%d failed", size); } #endif } static int socket_get_rcvbuf(int sd) { #if defined(HAVE_GETSOCKOPT) && defined(SOL_SOCKET) && defined(SO_RCVBUF) int val; socklen_t len; len = sizeof(val); if (getsockopt(sd, SOL_SOCKET, SO_RCVBUF, (void *) &val, &len) == 0 && len == sizeof(val)) { return val; } #endif return 0; } static bool socket_set_rcvbuf(int sd, int size) { #if defined(HAVE_SETSOCKOPT) && defined(SOL_SOCKET) && defined(SO_RCVBUF) if (setsockopt(sd, SOL_SOCKET, SO_RCVBUF, (void *) &size, sizeof(size)) != 0) { msg(M_WARN, "NOTE: setsockopt SO_RCVBUF=%d failed", size); return false; } return true; #endif } static void socket_set_buffers(int fd, const struct socket_buffer_size *sbs) { if (sbs) { const int sndbuf_old = socket_get_sndbuf(fd); const int rcvbuf_old = socket_get_rcvbuf(fd); if (sbs->sndbuf) { socket_set_sndbuf(fd, sbs->sndbuf); } if (sbs->rcvbuf) { socket_set_rcvbuf(fd, sbs->rcvbuf); } msg(D_OSBUF, "Socket Buffers: R=[%d->%d] S=[%d->%d]", rcvbuf_old, socket_get_rcvbuf(fd), sndbuf_old, socket_get_sndbuf(fd)); } } /* * Set other socket options */ static bool socket_set_tcp_nodelay(int sd, int state) { #if defined(_WIN32) || (defined(HAVE_SETSOCKOPT) && defined(IPPROTO_TCP) && defined(TCP_NODELAY)) if (setsockopt(sd, IPPROTO_TCP, TCP_NODELAY, (void *) &state, sizeof(state)) != 0) { msg(M_WARN, "NOTE: setsockopt TCP_NODELAY=%d failed", state); return false; } else { dmsg(D_OSBUF, "Socket flags: TCP_NODELAY=%d succeeded", state); return true; } #else /* if defined(_WIN32) || (defined(HAVE_SETSOCKOPT) && defined(IPPROTO_TCP) && defined(TCP_NODELAY)) */ msg(M_WARN, "NOTE: setsockopt TCP_NODELAY=%d failed (No kernel support)", state); return false; #endif } static inline void socket_set_mark(int sd, int mark) { #if defined(TARGET_LINUX) && HAVE_DECL_SO_MARK if (mark && setsockopt(sd, SOL_SOCKET, SO_MARK, (void *) &mark, sizeof(mark)) != 0) { msg(M_WARN, "NOTE: setsockopt SO_MARK=%d failed", mark); } #endif } static bool socket_set_flags(int sd, unsigned int sockflags) { if (sockflags & SF_TCP_NODELAY) { return socket_set_tcp_nodelay(sd, 1); } else { return true; } } bool link_socket_update_flags(struct link_socket *ls, unsigned int sockflags) { if (ls && socket_defined(ls->sd)) { return socket_set_flags(ls->sd, ls->sockflags = sockflags); } else { return false; } } void link_socket_update_buffer_sizes(struct link_socket *ls, int rcvbuf, int sndbuf) { if (ls && socket_defined(ls->sd)) { ls->socket_buffer_sizes.sndbuf = sndbuf; ls->socket_buffer_sizes.rcvbuf = rcvbuf; socket_set_buffers(ls->sd, &ls->socket_buffer_sizes); } } /* * SOCKET INITALIZATION CODE. * Create a TCP/UDP socket */ socket_descriptor_t create_socket_tcp(struct addrinfo *addrinfo) { socket_descriptor_t sd; ASSERT(addrinfo); ASSERT(addrinfo->ai_socktype == SOCK_STREAM); if ((sd = socket(addrinfo->ai_family, addrinfo->ai_socktype, addrinfo->ai_protocol)) < 0) { msg(M_ERR, "Cannot create TCP socket"); } #ifndef _WIN32 /* using SO_REUSEADDR on Windows will cause bind to succeed on port conflicts! */ /* set SO_REUSEADDR on socket */ { int on = 1; if (setsockopt(sd, SOL_SOCKET, SO_REUSEADDR, (void *) &on, sizeof(on)) < 0) { msg(M_ERR, "TCP: Cannot setsockopt SO_REUSEADDR on TCP socket"); } } #endif /* set socket file descriptor to not pass across execs, so that * scripts don't have access to it */ set_cloexec(sd); return sd; } static socket_descriptor_t create_socket_udp(struct addrinfo *addrinfo, const unsigned int flags) { socket_descriptor_t sd; ASSERT(addrinfo); ASSERT(addrinfo->ai_socktype == SOCK_DGRAM); if ((sd = socket(addrinfo->ai_family, addrinfo->ai_socktype, addrinfo->ai_protocol)) < 0) { msg(M_ERR, "UDP: Cannot create UDP/UDP6 socket"); } #if ENABLE_IP_PKTINFO else if (flags & SF_USE_IP_PKTINFO) { int pad = 1; if (addrinfo->ai_family == AF_INET) { #if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST) if (setsockopt(sd, SOL_IP, IP_PKTINFO, (void *)&pad, sizeof(pad)) < 0) { msg(M_ERR, "UDP: failed setsockopt for IP_PKTINFO"); } #elif defined(IP_RECVDSTADDR) if (setsockopt(sd, IPPROTO_IP, IP_RECVDSTADDR, (void *)&pad, sizeof(pad)) < 0) { msg(M_ERR, "UDP: failed setsockopt for IP_RECVDSTADDR"); } #else /* if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST) */ #error ENABLE_IP_PKTINFO is set without IP_PKTINFO xor IP_RECVDSTADDR (fix syshead.h) #endif } else if (addrinfo->ai_family == AF_INET6) { #ifndef IPV6_RECVPKTINFO /* Some older Darwin platforms require this */ if (setsockopt(sd, IPPROTO_IPV6, IPV6_PKTINFO, (void *)&pad, sizeof(pad)) < 0) #else if (setsockopt(sd, IPPROTO_IPV6, IPV6_RECVPKTINFO, (void *)&pad, sizeof(pad)) < 0) #endif { msg(M_ERR, "UDP: failed setsockopt for IPV6_RECVPKTINFO");} } } #endif /* if ENABLE_IP_PKTINFO */ /* set socket file descriptor to not pass across execs, so that * scripts don't have access to it */ set_cloexec(sd); return sd; } static void bind_local(struct link_socket *sock, const sa_family_t ai_family) { /* bind to local address/port */ if (sock->bind_local) { if (sock->socks_proxy && sock->info.proto == PROTO_UDP) { socket_bind(sock->ctrl_sd, sock->info.lsa->bind_local, ai_family, "SOCKS", false); } else { socket_bind(sock->sd, sock->info.lsa->bind_local, ai_family, "TCP/UDP", sock->info.bind_ipv6_only); } } } static void create_socket(struct link_socket *sock, struct addrinfo *addr) { if (addr->ai_protocol == IPPROTO_UDP || addr->ai_socktype == SOCK_DGRAM) { sock->sd = create_socket_udp(addr, sock->sockflags); sock->sockflags |= SF_GETADDRINFO_DGRAM; /* Assume that control socket and data socket to the socks proxy * are using the same IP family */ if (sock->socks_proxy) { /* Construct a temporary addrinfo to create the socket, * currently resolve two remote addresses is not supported, * TODO: Rewrite the whole resolve_remote */ struct addrinfo addrinfo_tmp = *addr; addrinfo_tmp.ai_socktype = SOCK_STREAM; addrinfo_tmp.ai_protocol = IPPROTO_TCP; sock->ctrl_sd = create_socket_tcp(&addrinfo_tmp); } } else if (addr->ai_protocol == IPPROTO_TCP || addr->ai_socktype == SOCK_STREAM) { sock->sd = create_socket_tcp(addr); } else { ASSERT(0); } /* set socket buffers based on --sndbuf and --rcvbuf options */ socket_set_buffers(sock->sd, &sock->socket_buffer_sizes); /* set socket to --mark packets with given value */ socket_set_mark(sock->sd, sock->mark); bind_local(sock, addr->ai_family); } #ifdef TARGET_ANDROID static void protect_fd_nonlocal(int fd, const struct sockaddr *addr) { /* pass socket FD to management interface to pass on to VPNService API * as "protected socket" (exempt from being routed into tunnel) */ if (addr_local(addr)) { msg(D_SOCKET_DEBUG, "Address is local, not protecting socket fd %d", fd); return; } msg(D_SOCKET_DEBUG, "Protecting socket fd %d", fd); management->connection.fdtosend = fd; management_android_control(management, "PROTECTFD", __func__); } #endif /* * Functions used for establishing a TCP stream connection. */ static void socket_do_listen(socket_descriptor_t sd, const struct addrinfo *local, bool do_listen, bool do_set_nonblock) { struct gc_arena gc = gc_new(); if (do_listen) { ASSERT(local); msg(M_INFO, "Listening for incoming TCP connection on %s", print_sockaddr(local->ai_addr, &gc)); if (listen(sd, 1)) { msg(M_ERR, "TCP: listen() failed"); } } /* set socket to non-blocking mode */ if (do_set_nonblock) { set_nonblock(sd); } gc_free(&gc); } socket_descriptor_t socket_do_accept(socket_descriptor_t sd, struct link_socket_actual *act, const bool nowait) { /* af_addr_size WILL return 0 in this case if AFs other than AF_INET * are compiled because act is empty here. * could use getsockname() to support later remote_len check */ socklen_t remote_len_af = af_addr_size(act->dest.addr.sa.sa_family); socklen_t remote_len = sizeof(act->dest.addr); socket_descriptor_t new_sd = SOCKET_UNDEFINED; CLEAR(*act); #ifdef HAVE_GETPEERNAME if (nowait) { new_sd = getpeername(sd, &act->dest.addr.sa, &remote_len); if (!socket_defined(new_sd)) { msg(D_LINK_ERRORS | M_ERRNO, "TCP: getpeername() failed"); } else { new_sd = sd; } } #else /* ifdef HAVE_GETPEERNAME */ if (nowait) { msg(M_WARN, "TCP: this OS does not provide the getpeername() function"); } #endif else { new_sd = accept(sd, &act->dest.addr.sa, &remote_len); } #if 0 /* For debugging only, test the effect of accept() failures */ { static int foo = 0; ++foo; if (foo & 1) { new_sd = -1; } } #endif if (!socket_defined(new_sd)) { msg(D_LINK_ERRORS | M_ERRNO, "TCP: accept(%d) failed", sd); } /* only valid if we have remote_len_af!=0 */ else if (remote_len_af && remote_len != remote_len_af) { msg(D_LINK_ERRORS, "TCP: Received strange incoming connection with unknown address length=%d", remote_len); openvpn_close_socket(new_sd); new_sd = SOCKET_UNDEFINED; } else { /* set socket file descriptor to not pass across execs, so that * scripts don't have access to it */ set_cloexec(sd); } return new_sd; } static void tcp_connection_established(const struct link_socket_actual *act) { struct gc_arena gc = gc_new(); msg(M_INFO, "TCP connection established with %s", print_link_socket_actual(act, &gc)); gc_free(&gc); } static socket_descriptor_t socket_listen_accept(socket_descriptor_t sd, struct link_socket_actual *act, const char *remote_dynamic, const struct addrinfo *local, bool do_listen, bool nowait, volatile int *signal_received) { struct gc_arena gc = gc_new(); /* struct openvpn_sockaddr *remote = &act->dest; */ struct openvpn_sockaddr remote_verify = act->dest; socket_descriptor_t new_sd = SOCKET_UNDEFINED; CLEAR(*act); socket_do_listen(sd, local, do_listen, true); while (true) { int status; fd_set reads; struct timeval tv; FD_ZERO(&reads); openvpn_fd_set(sd, &reads); tv.tv_sec = 0; tv.tv_usec = 0; status = select(sd + 1, &reads, NULL, NULL, &tv); get_signal(signal_received); if (*signal_received) { gc_free(&gc); return sd; } if (status < 0) { msg(D_LINK_ERRORS | M_ERRNO, "TCP: select() failed"); } if (status <= 0) { management_sleep(1); continue; } new_sd = socket_do_accept(sd, act, nowait); if (socket_defined(new_sd)) { struct addrinfo *ai = NULL; if (remote_dynamic) { openvpn_getaddrinfo(0, remote_dynamic, NULL, 1, NULL, remote_verify.addr.sa.sa_family, &ai); } if (ai && !addrlist_match(&remote_verify, ai)) { msg(M_WARN, "TCP NOTE: Rejected connection attempt from %s due to --remote setting", print_link_socket_actual(act, &gc)); if (openvpn_close_socket(new_sd)) { msg(M_ERR, "TCP: close socket failed (new_sd)"); } freeaddrinfo(ai); } else { if (ai) { freeaddrinfo(ai); } break; } } management_sleep(1); } if (!nowait && openvpn_close_socket(sd)) { msg(M_ERR, "TCP: close socket failed (sd)"); } tcp_connection_established(act); gc_free(&gc); return new_sd; } /* older mingw versions and WinXP do not have this define, * but Vista and up support the functionality - just define it here */ #ifdef _WIN32 #ifndef IPV6_V6ONLY #define IPV6_V6ONLY 27 #endif #endif void socket_bind(socket_descriptor_t sd, struct addrinfo *local, int ai_family, const char *prefix, bool ipv6only) { struct gc_arena gc = gc_new(); /* FIXME (schwabe) * getaddrinfo for the bind address might return multiple AF_INET/AF_INET6 * entries for the requested protocol. * For example if an address has multiple A records * What is the correct way to deal with it? */ struct addrinfo *cur; ASSERT(local); /* find the first addrinfo with correct ai_family */ for (cur = local; cur; cur = cur->ai_next) { if (cur->ai_family == ai_family) { break; } } if (!cur) { msg(M_FATAL, "%s: Socket bind failed: Addr to bind has no %s record", prefix, addr_family_name(ai_family)); } if (ai_family == AF_INET6) { int v6only = ipv6only ? 1 : 0; /* setsockopt must have an "int" */ msg(M_INFO, "setsockopt(IPV6_V6ONLY=%d)", v6only); if (setsockopt(sd, IPPROTO_IPV6, IPV6_V6ONLY, (void *) &v6only, sizeof(v6only))) { msg(M_NONFATAL|M_ERRNO, "Setting IPV6_V6ONLY=%d failed", v6only); } } if (bind(sd, cur->ai_addr, cur->ai_addrlen)) { msg(M_FATAL | M_ERRNO, "%s: Socket bind failed on local address %s", prefix, print_sockaddr_ex(local->ai_addr, ":", PS_SHOW_PORT, &gc)); } gc_free(&gc); } int openvpn_connect(socket_descriptor_t sd, const struct sockaddr *remote, int connect_timeout, volatile int *signal_received) { int status = 0; #ifdef TARGET_ANDROID protect_fd_nonlocal(sd, remote); #endif #ifdef CONNECT_NONBLOCK set_nonblock(sd); status = connect(sd, remote, af_addr_size(remote->sa_family)); if (status) { status = openvpn_errno(); } if ( #ifdef _WIN32 status == WSAEWOULDBLOCK #else status == EINPROGRESS #endif ) { while (true) { #if POLL struct pollfd fds[1]; fds[0].fd = sd; fds[0].events = POLLOUT; status = poll(fds, 1, 0); #else fd_set writes; struct timeval tv; FD_ZERO(&writes); openvpn_fd_set(sd, &writes); tv.tv_sec = 0; tv.tv_usec = 0; status = select(sd + 1, NULL, &writes, NULL, &tv); #endif if (signal_received) { get_signal(signal_received); if (*signal_received) { status = 0; break; } } if (status < 0) { status = openvpn_errno(); break; } if (status <= 0) { if (--connect_timeout < 0) { #ifdef _WIN32 status = WSAETIMEDOUT; #else status = ETIMEDOUT; #endif break; } management_sleep(1); continue; } /* got it */ { int val = 0; socklen_t len; len = sizeof(val); if (getsockopt(sd, SOL_SOCKET, SO_ERROR, (void *) &val, &len) == 0 && len == sizeof(val)) { status = val; } else { status = openvpn_errno(); } break; } } } #else /* ifdef CONNECT_NONBLOCK */ status = connect(sd, remote, af_addr_size(remote->sa_family)); if (status) { status = openvpn_errno(); } #endif /* ifdef CONNECT_NONBLOCK */ return status; } void set_actual_address(struct link_socket_actual *actual, struct addrinfo *ai) { CLEAR(*actual); ASSERT(ai); if (ai->ai_family == AF_INET) { actual->dest.addr.in4 = *((struct sockaddr_in *) ai->ai_addr); } else if (ai->ai_family == AF_INET6) { actual->dest.addr.in6 = *((struct sockaddr_in6 *) ai->ai_addr); } else { ASSERT(0); } } static void socket_connect(socket_descriptor_t *sd, const struct sockaddr *dest, const int connect_timeout, struct signal_info *sig_info) { struct gc_arena gc = gc_new(); int status; #ifdef CONNECT_NONBLOCK msg(M_INFO, "Attempting to establish TCP connection with %s [nonblock]", print_sockaddr(dest, &gc)); #else msg(M_INFO, "Attempting to establish TCP connection with %s", print_sockaddr(dest, &gc)); #endif #ifdef ENABLE_MANAGEMENT if (management) { management_set_state(management, OPENVPN_STATE_TCP_CONNECT, NULL, NULL, NULL, NULL, NULL); } #endif /* Set the actual address */ status = openvpn_connect(*sd, dest, connect_timeout, &sig_info->signal_received); get_signal(&sig_info->signal_received); if (sig_info->signal_received) { goto done; } if (status) { msg(D_LINK_ERRORS, "TCP: connect to %s failed: %s", print_sockaddr(dest, &gc), strerror(status)); openvpn_close_socket(*sd); *sd = SOCKET_UNDEFINED; sig_info->signal_received = SIGUSR1; sig_info->source = SIG_SOURCE_CONNECTION_FAILED; } else { msg(M_INFO, "TCP connection established with %s", print_sockaddr(dest, &gc)); } done: gc_free(&gc); } /* For stream protocols, allocate a buffer to build up packet. * Called after frame has been finalized. */ static void socket_frame_init(const struct frame *frame, struct link_socket *sock) { #ifdef _WIN32 overlapped_io_init(&sock->reads, frame, FALSE, false); overlapped_io_init(&sock->writes, frame, TRUE, false); sock->rw_handle.read = sock->reads.overlapped.hEvent; sock->rw_handle.write = sock->writes.overlapped.hEvent; #endif if (link_socket_connection_oriented(sock)) { #ifdef _WIN32 stream_buf_init(&sock->stream_buf, &sock->reads.buf_init, sock->sockflags, sock->info.proto); #else alloc_buf_sock_tun(&sock->stream_buf_data, frame, false, FRAME_HEADROOM_MARKER_READ_STREAM); stream_buf_init(&sock->stream_buf, &sock->stream_buf_data, sock->sockflags, sock->info.proto); #endif } } /* * Adjust frame structure based on a Path MTU value given * to us by the OS. */ void frame_adjust_path_mtu(struct frame *frame, int pmtu, int proto) { frame_set_mtu_dynamic(frame, pmtu - datagram_overhead(proto), SET_MTU_UPPER_BOUND); } static void resolve_bind_local(struct link_socket *sock, const sa_family_t af) { struct gc_arena gc = gc_new(); /* resolve local address if undefined */ if (!sock->info.lsa->bind_local) { int flags = GETADDR_RESOLVE | GETADDR_WARN_ON_SIGNAL |GETADDR_FATAL | GETADDR_PASSIVE; int status; if (proto_is_dgram(sock->info.proto)) { flags |= GETADDR_DATAGRAM; } /* will return AF_{INET|INET6}from local_host */ status = get_cached_dns_entry(sock->dns_cache, sock->local_host, sock->local_port, af, flags, &sock->info.lsa->bind_local); if (status) { status = openvpn_getaddrinfo(flags, sock->local_host, sock->local_port, 0, NULL, af, &sock->info.lsa->bind_local); } if (status !=0) { msg(M_FATAL, "getaddrinfo() failed for local \"%s:%s\": %s", sock->local_host, sock->local_port, gai_strerror(status)); } } gc_free(&gc); } static void resolve_remote(struct link_socket *sock, int phase, const char **remote_dynamic, volatile int *signal_received) { struct gc_arena gc = gc_new(); /* resolve remote address if undefined */ if (!sock->info.lsa->remote_list) { if (sock->remote_host) { unsigned int flags = sf2gaf(GETADDR_RESOLVE|GETADDR_UPDATE_MANAGEMENT_STATE, sock->sockflags); int retry = 0; int status = -1; struct addrinfo *ai; if (proto_is_dgram(sock->info.proto)) { flags |= GETADDR_DATAGRAM; } if (sock->resolve_retry_seconds == RESOLV_RETRY_INFINITE) { if (phase == 2) { flags |= (GETADDR_TRY_ONCE | GETADDR_FATAL); } retry = 0; } else if (phase == 1) { if (sock->resolve_retry_seconds) { retry = 0; } else { flags |= (GETADDR_FATAL | GETADDR_MENTION_RESOLVE_RETRY); retry = 0; } } else if (phase == 2) { if (sock->resolve_retry_seconds) { flags |= GETADDR_FATAL; retry = sock->resolve_retry_seconds; } else { ASSERT(0); } } else { ASSERT(0); } status = get_cached_dns_entry(sock->dns_cache, sock->remote_host, sock->remote_port, sock->info.af, flags, &ai); if (status) { status = openvpn_getaddrinfo(flags, sock->remote_host, sock->remote_port, retry, signal_received, sock->info.af, &ai); } if (status == 0) { sock->info.lsa->remote_list = ai; sock->info.lsa->current_remote = ai; dmsg(D_SOCKET_DEBUG, "RESOLVE_REMOTE flags=0x%04x phase=%d rrs=%d sig=%d status=%d", flags, phase, retry, signal_received ? *signal_received : -1, status); } if (signal_received) { if (*signal_received) { goto done; } } if (status!=0) { if (signal_received) { *signal_received = SIGUSR1; } goto done; } } } /* should we re-use previous active remote address? */ if (link_socket_actual_defined(&sock->info.lsa->actual)) { msg(M_INFO, "TCP/UDP: Preserving recently used remote address: %s", print_link_socket_actual(&sock->info.lsa->actual, &gc)); if (remote_dynamic) { *remote_dynamic = NULL; } } else { CLEAR(sock->info.lsa->actual); if (sock->info.lsa->current_remote) { set_actual_address(&sock->info.lsa->actual, sock->info.lsa->current_remote); } } done: gc_free(&gc); } struct link_socket * link_socket_new(void) { struct link_socket *sock; ALLOC_OBJ_CLEAR(sock, struct link_socket); sock->sd = SOCKET_UNDEFINED; sock->ctrl_sd = SOCKET_UNDEFINED; return sock; } void link_socket_init_phase1(struct link_socket *sock, const char *local_host, const char *local_port, const char *remote_host, const char *remote_port, struct cached_dns_entry *dns_cache, int proto, sa_family_t af, bool bind_ipv6_only, int mode, const struct link_socket *accept_from, struct http_proxy_info *http_proxy, struct socks_proxy_info *socks_proxy, #ifdef ENABLE_DEBUG int gremlin, #endif bool bind_local, bool remote_float, int inetd, struct link_socket_addr *lsa, const char *ipchange_command, const struct plugin_list *plugins, int resolve_retry_seconds, int mtu_discover_type, int rcvbuf, int sndbuf, int mark, struct event_timeout *server_poll_timeout, unsigned int sockflags) { ASSERT(sock); sock->local_host = local_host; sock->local_port = local_port; sock->remote_host = remote_host; sock->remote_port = remote_port; sock->dns_cache = dns_cache; sock->http_proxy = http_proxy; sock->socks_proxy = socks_proxy; sock->bind_local = bind_local; sock->inetd = inetd; sock->resolve_retry_seconds = resolve_retry_seconds; sock->mtu_discover_type = mtu_discover_type; #ifdef ENABLE_DEBUG sock->gremlin = gremlin; #endif sock->socket_buffer_sizes.rcvbuf = rcvbuf; sock->socket_buffer_sizes.sndbuf = sndbuf; sock->sockflags = sockflags; sock->mark = mark; sock->info.proto = proto; sock->info.af = af; sock->info.remote_float = remote_float; sock->info.lsa = lsa; sock->info.bind_ipv6_only = bind_ipv6_only; sock->info.ipchange_command = ipchange_command; sock->info.plugins = plugins; sock->server_poll_timeout = server_poll_timeout; sock->mode = mode; if (mode == LS_MODE_TCP_ACCEPT_FROM) { ASSERT(accept_from); ASSERT(sock->info.proto == PROTO_TCP_SERVER); ASSERT(!sock->inetd); sock->sd = accept_from->sd; /* inherit (possibly guessed) info AF from parent context */ sock->info.af = accept_from->info.af; } /* are we running in HTTP proxy mode? */ if (sock->http_proxy) { ASSERT(sock->info.proto == PROTO_TCP_CLIENT); ASSERT(!sock->inetd); /* the proxy server */ sock->remote_host = http_proxy->options.server; sock->remote_port = http_proxy->options.port; /* the OpenVPN server we will use the proxy to connect to */ sock->proxy_dest_host = remote_host; sock->proxy_dest_port = remote_port; } /* or in Socks proxy mode? */ else if (sock->socks_proxy) { ASSERT(!sock->inetd); /* the proxy server */ sock->remote_host = socks_proxy->server; sock->remote_port = socks_proxy->port; /* the OpenVPN server we will use the proxy to connect to */ sock->proxy_dest_host = remote_host; sock->proxy_dest_port = remote_port; } else { sock->remote_host = remote_host; sock->remote_port = remote_port; } /* bind behavior for TCP server vs. client */ if (sock->info.proto == PROTO_TCP_SERVER) { if (sock->mode == LS_MODE_TCP_ACCEPT_FROM) { sock->bind_local = false; } else { sock->bind_local = true; } } /* were we started by inetd or xinetd? */ if (sock->inetd) { ASSERT(sock->info.proto != PROTO_TCP_CLIENT); ASSERT(socket_defined(inetd_socket_descriptor)); sock->sd = inetd_socket_descriptor; set_cloexec(sock->sd); /* not created by create_socket*() */ } else if (mode != LS_MODE_TCP_ACCEPT_FROM) { if (sock->bind_local) { resolve_bind_local(sock, sock->info.af); } resolve_remote(sock, 1, NULL, NULL); } } static void phase2_inetd(struct link_socket *sock, const struct frame *frame, const char *remote_dynamic, volatile int *signal_received) { bool remote_changed = false; if (sock->info.proto == PROTO_TCP_SERVER) { /* AF_INET as default (and fallback) for inetd */ sock->info.lsa->actual.dest.addr.sa.sa_family = AF_INET; #ifdef HAVE_GETSOCKNAME { /* inetd: hint family type for dest = local's */ struct openvpn_sockaddr local_addr; socklen_t addrlen = sizeof(local_addr); if (getsockname(sock->sd, &local_addr.addr.sa, &addrlen) == 0) { sock->info.lsa->actual.dest.addr.sa.sa_family = local_addr.addr.sa.sa_family; dmsg(D_SOCKET_DEBUG, "inetd(%s): using sa_family=%d from getsockname(%d)", proto2ascii(sock->info.proto, sock->info.af, false), local_addr.addr.sa.sa_family, sock->sd); } else { msg(M_WARN, "inetd(%s): getsockname(%d) failed, using AF_INET", proto2ascii(sock->info.proto, sock->info.af, false), sock->sd); } } #else /* ifdef HAVE_GETSOCKNAME */ msg(M_WARN, "inetd(%s): this OS does not provide the getsockname() " "function, using AF_INET", proto2ascii(sock->info.proto, false)); #endif /* ifdef HAVE_GETSOCKNAME */ sock->sd = socket_listen_accept(sock->sd, &sock->info.lsa->actual, remote_dynamic, sock->info.lsa->bind_local, false, sock->inetd == INETD_NOWAIT, signal_received); } ASSERT(!remote_changed); } static void phase2_set_socket_flags(struct link_socket *sock) { /* set misc socket parameters */ socket_set_flags(sock->sd, sock->sockflags); /* set socket to non-blocking mode */ set_nonblock(sock->sd); /* set Path MTU discovery options on the socket */ set_mtu_discover_type(sock->sd, sock->mtu_discover_type, sock->info.af); #if EXTENDED_SOCKET_ERROR_CAPABILITY /* if the OS supports it, enable extended error passing on the socket */ set_sock_extended_error_passing(sock->sd); #endif } static void linksock_print_addr(struct link_socket *sock) { struct gc_arena gc = gc_new(); const int msglevel = (sock->mode == LS_MODE_TCP_ACCEPT_FROM) ? D_INIT_MEDIUM : M_INFO; /* print local address */ if (sock->inetd) { msg(msglevel, "%s link local: [inetd]", proto2ascii(sock->info.proto, sock->info.af, true)); } else if (sock->bind_local) { sa_family_t ai_family = sock->info.lsa->actual.dest.addr.sa.sa_family; /* Socket is always bound on the first matching address, * For bound sockets with no remote addr this is the element of * the list */ struct addrinfo *cur; for (cur = sock->info.lsa->bind_local; cur; cur = cur->ai_next) { if (!ai_family || ai_family == cur->ai_family) { break; } } ASSERT(cur); msg(msglevel, "%s link local (bound): %s", proto2ascii(sock->info.proto, sock->info.af, true), print_sockaddr(cur->ai_addr,&gc)); } else { msg(msglevel, "%s link local: (not bound)", proto2ascii(sock->info.proto, sock->info.af, true)); } /* print active remote address */ msg(msglevel, "%s link remote: %s", proto2ascii(sock->info.proto, sock->info.af, true), print_link_socket_actual_ex(&sock->info.lsa->actual, ":", PS_SHOW_PORT_IF_DEFINED, &gc)); gc_free(&gc); } static void phase2_tcp_server(struct link_socket *sock, const char *remote_dynamic, volatile int *signal_received) { switch (sock->mode) { case LS_MODE_DEFAULT: sock->sd = socket_listen_accept(sock->sd, &sock->info.lsa->actual, remote_dynamic, sock->info.lsa->bind_local, true, false, signal_received); break; case LS_MODE_TCP_LISTEN: socket_do_listen(sock->sd, sock->info.lsa->bind_local, true, false); break; case LS_MODE_TCP_ACCEPT_FROM: sock->sd = socket_do_accept(sock->sd, &sock->info.lsa->actual, false); if (!socket_defined(sock->sd)) { *signal_received = SIGTERM; return; } tcp_connection_established(&sock->info.lsa->actual); break; default: ASSERT(0); } } static void phase2_tcp_client(struct link_socket *sock, struct signal_info *sig_info) { bool proxy_retry = false; do { socket_connect(&sock->sd, sock->info.lsa->current_remote->ai_addr, get_server_poll_remaining_time(sock->server_poll_timeout), sig_info); if (sig_info->signal_received) { return; } if (sock->http_proxy) { proxy_retry = establish_http_proxy_passthru(sock->http_proxy, sock->sd, sock->proxy_dest_host, sock->proxy_dest_port, sock->server_poll_timeout, &sock->stream_buf.residual, &sig_info->signal_received); } else if (sock->socks_proxy) { establish_socks_proxy_passthru(sock->socks_proxy, sock->sd, sock->proxy_dest_host, sock->proxy_dest_port, &sig_info->signal_received); } if (proxy_retry) { openvpn_close_socket(sock->sd); sock->sd = create_socket_tcp(sock->info.lsa->current_remote); } } while (proxy_retry); } static void phase2_socks_client(struct link_socket *sock, struct signal_info *sig_info) { socket_connect(&sock->ctrl_sd, sock->info.lsa->current_remote->ai_addr, get_server_poll_remaining_time(sock->server_poll_timeout), sig_info); if (sig_info->signal_received) { return; } establish_socks_proxy_udpassoc(sock->socks_proxy, sock->ctrl_sd, sock->sd, &sock->socks_relay.dest, &sig_info->signal_received); if (sig_info->signal_received) { return; } sock->remote_host = sock->proxy_dest_host; sock->remote_port = sock->proxy_dest_port; addr_zero_host(&sock->info.lsa->actual.dest); if (sock->info.lsa->remote_list) { freeaddrinfo(sock->info.lsa->remote_list); sock->info.lsa->current_remote = NULL; sock->info.lsa->remote_list = NULL; } resolve_remote(sock, 1, NULL, &sig_info->signal_received); } /* finalize socket initialization */ void link_socket_init_phase2(struct link_socket *sock, const struct frame *frame, struct signal_info *sig_info) { const char *remote_dynamic = NULL; int sig_save = 0; ASSERT(sock); ASSERT(sig_info); if (sig_info->signal_received) { sig_save = sig_info->signal_received; sig_info->signal_received = 0; } /* initialize buffers */ socket_frame_init(frame, sock); /* * Pass a remote name to connect/accept so that * they can test for dynamic IP address changes * and throw a SIGUSR1 if appropriate. */ if (sock->resolve_retry_seconds) { remote_dynamic = sock->remote_host; } /* were we started by inetd or xinetd? */ if (sock->inetd) { phase2_inetd(sock, frame, remote_dynamic, &sig_info->signal_received); if (sig_info->signal_received) { goto done; } } else { /* Second chance to resolv/create socket */ resolve_remote(sock, 2, &remote_dynamic, &sig_info->signal_received); /* If a valid remote has been found, create the socket with its addrinfo */ if (sock->info.lsa->current_remote) { create_socket(sock, sock->info.lsa->current_remote); } /* If socket has not already been created create it now */ if (sock->sd == SOCKET_UNDEFINED) { /* If we have no --remote and have still not figured out the * protocol family to use we will use the first of the bind */ if (sock->bind_local && !sock->remote_host && sock->info.lsa->bind_local) { /* Warn if this is because neither v4 or v6 was specified * and we should not connect a remote */ if (sock->info.af == AF_UNSPEC) { msg(M_WARN, "Could not determine IPv4/IPv6 protocol. Using %s", addr_family_name(sock->info.lsa->bind_local->ai_family)); sock->info.af = sock->info.lsa->bind_local->ai_family; } create_socket(sock, sock->info.lsa->bind_local); } } /* Socket still undefined, give a warning and abort connection */ if (sock->sd == SOCKET_UNDEFINED) { msg(M_WARN, "Could not determine IPv4/IPv6 protocol"); sig_info->signal_received = SIGUSR1; goto done; } if (sig_info->signal_received) { goto done; } if (sock->info.proto == PROTO_TCP_SERVER) { phase2_tcp_server(sock, remote_dynamic, &sig_info->signal_received); } else if (sock->info.proto == PROTO_TCP_CLIENT) { phase2_tcp_client(sock, sig_info); } else if (sock->info.proto == PROTO_UDP && sock->socks_proxy) { phase2_socks_client(sock, sig_info); } #ifdef TARGET_ANDROID if (sock->sd != -1) { protect_fd_nonlocal(sock->sd, &sock->info.lsa->actual.dest.addr.sa); } #endif if (sig_info->signal_received) { goto done; } } phase2_set_socket_flags(sock); linksock_print_addr(sock); done: if (sig_save) { if (!sig_info->signal_received) { sig_info->signal_received = sig_save; } } } void link_socket_close(struct link_socket *sock) { if (sock) { #ifdef ENABLE_DEBUG const int gremlin = GREMLIN_CONNECTION_FLOOD_LEVEL(sock->gremlin); #else const int gremlin = 0; #endif if (socket_defined(sock->sd)) { #ifdef _WIN32 close_net_event_win32(&sock->listen_handle, sock->sd, 0); #endif if (!gremlin) { msg(D_LOW, "TCP/UDP: Closing socket"); if (openvpn_close_socket(sock->sd)) { msg(M_WARN | M_ERRNO, "TCP/UDP: Close Socket failed"); } } sock->sd = SOCKET_UNDEFINED; #ifdef _WIN32 if (!gremlin) { overlapped_io_close(&sock->reads); overlapped_io_close(&sock->writes); } #endif } if (socket_defined(sock->ctrl_sd)) { if (openvpn_close_socket(sock->ctrl_sd)) { msg(M_WARN | M_ERRNO, "TCP/UDP: Close Socket (ctrl_sd) failed"); } sock->ctrl_sd = SOCKET_UNDEFINED; } stream_buf_close(&sock->stream_buf); free_buf(&sock->stream_buf_data); if (!gremlin) { free(sock); } } } /* for stream protocols, allow for packet length prefix */ void socket_adjust_frame_parameters(struct frame *frame, int proto) { if (link_socket_proto_connection_oriented(proto)) { frame_add_to_extra_frame(frame, sizeof(packet_size_type)); } } void setenv_trusted(struct env_set *es, const struct link_socket_info *info) { setenv_link_socket_actual(es, "trusted", &info->lsa->actual, SA_IP_PORT); } static void ipchange_fmt(const bool include_cmd, struct argv *argv, const struct link_socket_info *info, struct gc_arena *gc) { const char *host = print_sockaddr_ex(&info->lsa->actual.dest.addr.sa, " ", PS_SHOW_PORT, gc); if (include_cmd) { argv_parse_cmd(argv, info->ipchange_command); argv_printf_cat(argv, "%s", host); } else { argv_printf(argv, "%s", host); } } void link_socket_connection_initiated(const struct buffer *buf, struct link_socket_info *info, const struct link_socket_actual *act, const char *common_name, struct env_set *es) { struct gc_arena gc = gc_new(); info->lsa->actual = *act; /* Note: skip this line for --force-dest */ setenv_trusted(es, info); info->connection_established = true; /* Print connection initiated message, with common name if available */ { struct buffer out = alloc_buf_gc(256, &gc); if (common_name) { buf_printf(&out, "[%s] ", common_name); } buf_printf(&out, "Peer Connection Initiated with %s", print_link_socket_actual(&info->lsa->actual, &gc)); msg(M_INFO, "%s", BSTR(&out)); } /* set environmental vars */ setenv_str(es, "common_name", common_name); /* Process --ipchange plugin */ if (plugin_defined(info->plugins, OPENVPN_PLUGIN_IPCHANGE)) { struct argv argv = argv_new(); ipchange_fmt(false, &argv, info, &gc); if (plugin_call(info->plugins, OPENVPN_PLUGIN_IPCHANGE, &argv, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS) { msg(M_WARN, "WARNING: ipchange plugin call failed"); } argv_reset(&argv); } /* Process --ipchange option */ if (info->ipchange_command) { struct argv argv = argv_new(); setenv_str(es, "script_type", "ipchange"); ipchange_fmt(true, &argv, info, &gc); openvpn_run_script(&argv, es, 0, "--ipchange"); argv_reset(&argv); } gc_free(&gc); } void link_socket_bad_incoming_addr(struct buffer *buf, const struct link_socket_info *info, const struct link_socket_actual *from_addr) { struct gc_arena gc = gc_new(); struct addrinfo *ai; switch (from_addr->dest.addr.sa.sa_family) { case AF_INET: case AF_INET6: msg(D_LINK_ERRORS, "TCP/UDP: Incoming packet rejected from %s[%d], expected peer address: %s (allow this incoming source address/port by removing --remote or adding --float)", print_link_socket_actual(from_addr, &gc), (int)from_addr->dest.addr.sa.sa_family, print_sockaddr_ex(info->lsa->remote_list->ai_addr,":",PS_SHOW_PORT, &gc)); /* print additional remote addresses */ for (ai = info->lsa->remote_list->ai_next; ai; ai = ai->ai_next) { msg(D_LINK_ERRORS,"or from peer address: %s", print_sockaddr_ex(ai->ai_addr,":",PS_SHOW_PORT, &gc)); } break; } buf->len = 0; gc_free(&gc); } void link_socket_bad_outgoing_addr(void) { dmsg(D_READ_WRITE, "TCP/UDP: No outgoing address to send packet"); } in_addr_t link_socket_current_remote(const struct link_socket_info *info) { const struct link_socket_addr *lsa = info->lsa; /* * This logic supports "redirect-gateway" semantic, which * makes sense only for PF_INET routes over PF_INET endpoints * * Maybe in the future consider PF_INET6 endpoints also ... * by now just ignore it * * For --remote entries with multiple addresses this * only return the actual endpoint we have sucessfully connected to */ if (lsa->actual.dest.addr.sa.sa_family != AF_INET) { return IPV4_INVALID_ADDR; } if (link_socket_actual_defined(&lsa->actual)) { return ntohl(lsa->actual.dest.addr.in4.sin_addr.s_addr); } else if (lsa->current_remote) { return ntohl(((struct sockaddr_in *)lsa->current_remote->ai_addr) ->sin_addr.s_addr); } else { return 0; } } const struct in6_addr * link_socket_current_remote_ipv6(const struct link_socket_info *info) { const struct link_socket_addr *lsa = info->lsa; /* This logic supports "redirect-gateway" semantic, * for PF_INET6 routes over PF_INET6 endpoints * * For --remote entries with multiple addresses this * only return the actual endpoint we have sucessfully connected to */ if (lsa->actual.dest.addr.sa.sa_family != AF_INET6) { return NULL; } if (link_socket_actual_defined(&lsa->actual)) { return &(lsa->actual.dest.addr.in6.sin6_addr); } else if (lsa->current_remote) { return &(((struct sockaddr_in6 *)lsa->current_remote->ai_addr)->sin6_addr); } else { return NULL; } } /* * Return a status string describing socket state. */ const char * socket_stat(const struct link_socket *s, unsigned int rwflags, struct gc_arena *gc) { struct buffer out = alloc_buf_gc(64, gc); if (s) { if (rwflags & EVENT_READ) { buf_printf(&out, "S%s", (s->rwflags_debug & EVENT_READ) ? "R" : "r"); #ifdef _WIN32 buf_printf(&out, "%s", overlapped_io_state_ascii(&s->reads)); #endif } if (rwflags & EVENT_WRITE) { buf_printf(&out, "S%s", (s->rwflags_debug & EVENT_WRITE) ? "W" : "w"); #ifdef _WIN32 buf_printf(&out, "%s", overlapped_io_state_ascii(&s->writes)); #endif } } else { buf_printf(&out, "S?"); } return BSTR(&out); } /* * Stream buffer functions, used to packetize a TCP * stream connection. */ static inline void stream_buf_reset(struct stream_buf *sb) { dmsg(D_STREAM_DEBUG, "STREAM: RESET"); sb->residual_fully_formed = false; sb->buf = sb->buf_init; buf_reset(&sb->next); sb->len = -1; } void stream_buf_init(struct stream_buf *sb, struct buffer *buf, const unsigned int sockflags, const int proto) { sb->buf_init = *buf; sb->maxlen = sb->buf_init.len; sb->buf_init.len = 0; sb->residual = alloc_buf(sb->maxlen); sb->error = false; #if PORT_SHARE sb->port_share_state = ((sockflags & SF_PORT_SHARE) && (proto == PROTO_TCP_SERVER)) ? PS_ENABLED : PS_DISABLED; #endif stream_buf_reset(sb); dmsg(D_STREAM_DEBUG, "STREAM: INIT maxlen=%d", sb->maxlen); } static inline void stream_buf_set_next(struct stream_buf *sb) { /* set up 'next' for next i/o read */ sb->next = sb->buf; sb->next.offset = sb->buf.offset + sb->buf.len; sb->next.len = (sb->len >= 0 ? sb->len : sb->maxlen) - sb->buf.len; dmsg(D_STREAM_DEBUG, "STREAM: SET NEXT, buf=[%d,%d] next=[%d,%d] len=%d maxlen=%d", sb->buf.offset, sb->buf.len, sb->next.offset, sb->next.len, sb->len, sb->maxlen); ASSERT(sb->next.len > 0); ASSERT(buf_safe(&sb->buf, sb->next.len)); } static inline void stream_buf_get_final(struct stream_buf *sb, struct buffer *buf) { dmsg(D_STREAM_DEBUG, "STREAM: GET FINAL len=%d", buf_defined(&sb->buf) ? sb->buf.len : -1); ASSERT(buf_defined(&sb->buf)); *buf = sb->buf; } static inline void stream_buf_get_next(struct stream_buf *sb, struct buffer *buf) { dmsg(D_STREAM_DEBUG, "STREAM: GET NEXT len=%d", buf_defined(&sb->next) ? sb->next.len : -1); ASSERT(buf_defined(&sb->next)); *buf = sb->next; } bool stream_buf_read_setup_dowork(struct link_socket *sock) { if (sock->stream_buf.residual.len && !sock->stream_buf.residual_fully_formed) { ASSERT(buf_copy(&sock->stream_buf.buf, &sock->stream_buf.residual)); ASSERT(buf_init(&sock->stream_buf.residual, 0)); sock->stream_buf.residual_fully_formed = stream_buf_added(&sock->stream_buf, 0); dmsg(D_STREAM_DEBUG, "STREAM: RESIDUAL FULLY FORMED [%s], len=%d", sock->stream_buf.residual_fully_formed ? "YES" : "NO", sock->stream_buf.residual.len); } if (!sock->stream_buf.residual_fully_formed) { stream_buf_set_next(&sock->stream_buf); } return !sock->stream_buf.residual_fully_formed; } bool stream_buf_added(struct stream_buf *sb, int length_added) { dmsg(D_STREAM_DEBUG, "STREAM: ADD length_added=%d", length_added); if (length_added > 0) { sb->buf.len += length_added; } /* if length unknown, see if we can get the length prefix from * the head of the buffer */ if (sb->len < 0 && sb->buf.len >= (int) sizeof(packet_size_type)) { packet_size_type net_size; #if PORT_SHARE if (sb->port_share_state == PS_ENABLED) { if (!is_openvpn_protocol(&sb->buf)) { msg(D_STREAM_ERRORS, "Non-OpenVPN client protocol detected"); sb->port_share_state = PS_FOREIGN; sb->error = true; return false; } else { sb->port_share_state = PS_DISABLED; } } #endif ASSERT(buf_read(&sb->buf, &net_size, sizeof(net_size))); sb->len = ntohps(net_size); if (sb->len < 1 || sb->len > sb->maxlen) { msg(M_WARN, "WARNING: Bad encapsulated packet length from peer (%d), which must be > 0 and <= %d -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]", sb->len, sb->maxlen); stream_buf_reset(sb); sb->error = true; return false; } } /* is our incoming packet fully read? */ if (sb->len > 0 && sb->buf.len >= sb->len) { /* save any residual data that's part of the next packet */ ASSERT(buf_init(&sb->residual, 0)); if (sb->buf.len > sb->len) { ASSERT(buf_copy_excess(&sb->residual, &sb->buf, sb->len)); } dmsg(D_STREAM_DEBUG, "STREAM: ADD returned TRUE, buf_len=%d, residual_len=%d", BLEN(&sb->buf), BLEN(&sb->residual)); return true; } else { dmsg(D_STREAM_DEBUG, "STREAM: ADD returned FALSE (have=%d need=%d)", sb->buf.len, sb->len); stream_buf_set_next(sb); return false; } } void stream_buf_close(struct stream_buf *sb) { free_buf(&sb->residual); } /* * The listen event is a special event whose sole purpose is * to tell us that there's a new incoming connection on a * TCP socket, for use in server mode. */ event_t socket_listen_event_handle(struct link_socket *s) { #ifdef _WIN32 if (!defined_net_event_win32(&s->listen_handle)) { init_net_event_win32(&s->listen_handle, FD_ACCEPT, s->sd, 0); } return &s->listen_handle; #else /* ifdef _WIN32 */ return s->sd; #endif } /* * Format IP addresses in ascii */ const char * print_sockaddr_ex(const struct sockaddr *sa, const char *separator, const unsigned int flags, struct gc_arena *gc) { struct buffer out = alloc_buf_gc(128, gc); bool addr_is_defined = false; char hostaddr[NI_MAXHOST] = ""; char servname[NI_MAXSERV] = ""; int status; socklen_t salen = 0; switch (sa->sa_family) { case AF_INET: if (!(flags & PS_DONT_SHOW_FAMILY)) { buf_puts(&out, "[AF_INET]"); } salen = sizeof(struct sockaddr_in); addr_is_defined = ((struct sockaddr_in *) sa)->sin_addr.s_addr != 0; break; case AF_INET6: if (!(flags & PS_DONT_SHOW_FAMILY)) { buf_puts(&out, "[AF_INET6]"); } salen = sizeof(struct sockaddr_in6); addr_is_defined = !IN6_IS_ADDR_UNSPECIFIED(&((struct sockaddr_in6 *) sa)->sin6_addr); break; case AF_UNSPEC: if (!(flags & PS_DONT_SHOW_FAMILY)) { return "[AF_UNSPEC]"; } else { return ""; } default: ASSERT(0); } status = getnameinfo(sa, salen, hostaddr, sizeof(hostaddr), servname, sizeof(servname), NI_NUMERICHOST | NI_NUMERICSERV); if (status!=0) { buf_printf(&out,"[nameinfo() err: %s]",gai_strerror(status)); return BSTR(&out); } if (!(flags & PS_DONT_SHOW_ADDR)) { if (addr_is_defined) { buf_puts(&out, hostaddr); } else { buf_puts(&out, "[undef]"); } } if ((flags & PS_SHOW_PORT) || (flags & PS_SHOW_PORT_IF_DEFINED)) { if (separator) { buf_puts(&out, separator); } buf_puts(&out, servname); } return BSTR(&out); } const char * print_link_socket_actual(const struct link_socket_actual *act, struct gc_arena *gc) { return print_link_socket_actual_ex(act, ":", PS_SHOW_PORT|PS_SHOW_PKTINFO, gc); } #ifndef IF_NAMESIZE #define IF_NAMESIZE 16 #endif const char * print_link_socket_actual_ex(const struct link_socket_actual *act, const char *separator, const unsigned int flags, struct gc_arena *gc) { if (act) { char ifname[IF_NAMESIZE] = "[undef]"; struct buffer out = alloc_buf_gc(128, gc); buf_printf(&out, "%s", print_sockaddr_ex(&act->dest.addr.sa, separator, flags, gc)); #if ENABLE_IP_PKTINFO if ((flags & PS_SHOW_PKTINFO) && addr_defined_ipi(act)) { switch (act->dest.addr.sa.sa_family) { case AF_INET: { struct openvpn_sockaddr sa; CLEAR(sa); sa.addr.in4.sin_family = AF_INET; #if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST) sa.addr.in4.sin_addr = act->pi.in4.ipi_spec_dst; if_indextoname(act->pi.in4.ipi_ifindex, ifname); #elif defined(IP_RECVDSTADDR) sa.addr.in4.sin_addr = act->pi.in4; ifname[0] = 0; #else /* if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST) */ #error ENABLE_IP_PKTINFO is set without IP_PKTINFO xor IP_RECVDSTADDR (fix syshead.h) #endif buf_printf(&out, " (via %s%%%s)", print_sockaddr_ex(&sa.addr.sa, separator, 0, gc), ifname); } break; case AF_INET6: { struct sockaddr_in6 sin6; char buf[INET6_ADDRSTRLEN] = "[undef]"; CLEAR(sin6); sin6.sin6_family = AF_INET6; sin6.sin6_addr = act->pi.in6.ipi6_addr; if_indextoname(act->pi.in6.ipi6_ifindex, ifname); if (getnameinfo((struct sockaddr *)&sin6, sizeof(struct sockaddr_in6), buf, sizeof(buf), NULL, 0, NI_NUMERICHOST) == 0) { buf_printf(&out, " (via %s%%%s)", buf, ifname); } else { buf_printf(&out, " (via [getnameinfo() err]%%%s)", ifname); } } break; } } #endif /* if ENABLE_IP_PKTINFO */ return BSTR(&out); } else { return "[NULL]"; } } /* * Convert an in_addr_t in host byte order * to an ascii dotted quad. */ const char * print_in_addr_t(in_addr_t addr, unsigned int flags, struct gc_arena *gc) { struct in_addr ia; struct buffer out = alloc_buf_gc(64, gc); if (addr || !(flags & IA_EMPTY_IF_UNDEF)) { CLEAR(ia); ia.s_addr = (flags & IA_NET_ORDER) ? addr : htonl(addr); buf_printf(&out, "%s", inet_ntoa(ia)); } return BSTR(&out); } /* * Convert an in6_addr in host byte order * to an ascii representation of an IPv6 address */ const char * print_in6_addr(struct in6_addr a6, unsigned int flags, struct gc_arena *gc) { struct buffer out = alloc_buf_gc(64, gc); char tmp_out_buf[64]; /* inet_ntop wants pointer to buffer */ if (memcmp(&a6, &in6addr_any, sizeof(a6)) != 0 || !(flags & IA_EMPTY_IF_UNDEF)) { inet_ntop(AF_INET6, &a6, tmp_out_buf, sizeof(tmp_out_buf)-1); buf_printf(&out, "%s", tmp_out_buf ); } return BSTR(&out); } #ifndef UINT8_MAX #define UINT8_MAX 0xff #endif /* add some offset to an ipv6 address * (add in steps of 8 bits, taking overflow into next round) */ struct in6_addr add_in6_addr( struct in6_addr base, uint32_t add ) { int i; for (i = 15; i>=0 && add > 0; i--) { register int carry; register uint32_t h; h = (unsigned char) base.s6_addr[i]; base.s6_addr[i] = (h+add) & UINT8_MAX; /* using explicit carry for the 8-bit additions will catch * 8-bit and(!) 32-bit overruns nicely */ carry = ((h & 0xff) + (add & 0xff)) >> 8; add = (add>>8) + carry; } return base; } /* set environmental variables for ip/port in *addr */ void setenv_sockaddr(struct env_set *es, const char *name_prefix, const struct openvpn_sockaddr *addr, const unsigned int flags) { char name_buf[256]; char buf[128]; switch (addr->addr.sa.sa_family) { case AF_INET: if (flags & SA_IP_PORT) { openvpn_snprintf(name_buf, sizeof(name_buf), "%s_ip", name_prefix); } else { openvpn_snprintf(name_buf, sizeof(name_buf), "%s", name_prefix); } setenv_str(es, name_buf, inet_ntoa(addr->addr.in4.sin_addr)); if ((flags & SA_IP_PORT) && addr->addr.in4.sin_port) { openvpn_snprintf(name_buf, sizeof(name_buf), "%s_port", name_prefix); setenv_int(es, name_buf, ntohs(addr->addr.in4.sin_port)); } break; case AF_INET6: if (IN6_IS_ADDR_V4MAPPED( &addr->addr.in6.sin6_addr )) { struct in_addr ia; memcpy(&ia.s_addr, &addr->addr.in6.sin6_addr.s6_addr[12], sizeof(ia.s_addr)); openvpn_snprintf(name_buf, sizeof(name_buf), "%s_ip", name_prefix); openvpn_snprintf(buf, sizeof(buf), "%s", inet_ntoa(ia) ); } else { openvpn_snprintf(name_buf, sizeof(name_buf), "%s_ip6", name_prefix); getnameinfo(&addr->addr.sa, sizeof(struct sockaddr_in6), buf, sizeof(buf), NULL, 0, NI_NUMERICHOST); } setenv_str(es, name_buf, buf); if ((flags & SA_IP_PORT) && addr->addr.in6.sin6_port) { openvpn_snprintf(name_buf, sizeof(name_buf), "%s_port", name_prefix); setenv_int(es, name_buf, ntohs(addr->addr.in6.sin6_port)); } break; } } void setenv_in_addr_t(struct env_set *es, const char *name_prefix, in_addr_t addr, const unsigned int flags) { if (addr || !(flags & SA_SET_IF_NONZERO)) { struct openvpn_sockaddr si; CLEAR(si); si.addr.in4.sin_family = AF_INET; si.addr.in4.sin_addr.s_addr = htonl(addr); setenv_sockaddr(es, name_prefix, &si, flags); } } void setenv_in6_addr(struct env_set *es, const char *name_prefix, const struct in6_addr *addr, const unsigned int flags) { if (!IN6_IS_ADDR_UNSPECIFIED(addr) || !(flags & SA_SET_IF_NONZERO)) { struct openvpn_sockaddr si; CLEAR(si); si.addr.in6.sin6_family = AF_INET6; si.addr.in6.sin6_addr = *addr; setenv_sockaddr(es, name_prefix, &si, flags); } } void setenv_link_socket_actual(struct env_set *es, const char *name_prefix, const struct link_socket_actual *act, const unsigned int flags) { setenv_sockaddr(es, name_prefix, &act->dest, flags); } /* * Convert protocol names between index and ascii form. */ struct proto_names { const char *short_form; const char *display_form; sa_family_t proto_af; int proto; }; /* Indexed by PROTO_x */ static const struct proto_names proto_names[] = { {"proto-uninitialized", "proto-NONE", AF_UNSPEC, PROTO_NONE}, /* try IPv4 and IPv6 (client), bind dual-stack (server) */ {"udp", "UDP", AF_UNSPEC, PROTO_UDP}, {"tcp-server", "TCP_SERVER", AF_UNSPEC, PROTO_TCP_SERVER}, {"tcp-client", "TCP_CLIENT", AF_UNSPEC, PROTO_TCP_CLIENT}, {"tcp", "TCP", AF_UNSPEC, PROTO_TCP}, /* force IPv4 */ {"udp4", "UDPv4", AF_INET, PROTO_UDP}, {"tcp4-server","TCPv4_SERVER", AF_INET, PROTO_TCP_SERVER}, {"tcp4-client","TCPv4_CLIENT", AF_INET, PROTO_TCP_CLIENT}, {"tcp4", "TCPv4", AF_INET, PROTO_TCP}, /* force IPv6 */ {"udp6","UDPv6", AF_INET6, PROTO_UDP}, {"tcp6-server","TCPv6_SERVER", AF_INET6, PROTO_TCP_SERVER}, {"tcp6-client","TCPv6_CLIENT", AF_INET6, PROTO_TCP_CLIENT}, {"tcp6","TCPv6", AF_INET6, PROTO_TCP}, }; bool proto_is_net(int proto) { if (proto < 0 || proto >= PROTO_N) { ASSERT(0); } return proto != PROTO_NONE; } bool proto_is_dgram(int proto) { return proto_is_udp(proto); } bool proto_is_udp(int proto) { if (proto < 0 || proto >= PROTO_N) { ASSERT(0); } return proto == PROTO_UDP; } bool proto_is_tcp(int proto) { if (proto < 0 || proto >= PROTO_N) { ASSERT(0); } return proto == PROTO_TCP_CLIENT || proto == PROTO_TCP_SERVER; } int ascii2proto(const char *proto_name) { int i; for (i = 0; i < SIZE(proto_names); ++i) { if (!strcmp(proto_name, proto_names[i].short_form)) { return proto_names[i].proto; } } return -1; } sa_family_t ascii2af(const char *proto_name) { int i; for (i = 0; i < SIZE(proto_names); ++i) { if (!strcmp(proto_name, proto_names[i].short_form)) { return proto_names[i].proto_af; } } return 0; } const char * proto2ascii(int proto, sa_family_t af, bool display_form) { unsigned int i; for (i = 0; i < SIZE(proto_names); ++i) { if (proto_names[i].proto_af == af && proto_names[i].proto == proto) { if (display_form) { return proto_names[i].display_form; } else { return proto_names[i].short_form; } } } return "[unknown protocol]"; } const char * proto2ascii_all(struct gc_arena *gc) { struct buffer out = alloc_buf_gc(256, gc); int i; for (i = 0; i < SIZE(proto_names); ++i) { if (i) { buf_printf(&out, " "); } buf_printf(&out, "[%s]", proto_names[i].short_form); } return BSTR(&out); } const char * addr_family_name(int af) { switch (af) { case AF_INET: return "AF_INET"; case AF_INET6: return "AF_INET6"; } return "AF_UNSPEC"; } /* * Given a local proto, return local proto * if !remote, or compatible remote proto * if remote. * * This is used for options compatibility * checking. * * IPv6 and IPv4 protocols are comptabile but OpenVPN * has always sent UDPv4, TCPv4 over the wire. Keep these * strings for backward compatbility */ const char * proto_remote(int proto, bool remote) { ASSERT(proto >= 0 && proto < PROTO_N); if (proto == PROTO_UDP) { return "UDPv4"; } if ( (remote && proto == PROTO_TCP_CLIENT) || (!remote && proto == PROTO_TCP_SERVER)) { return "TCPv4_SERVER"; } if ( (remote && proto == PROTO_TCP_SERVER) || (!remote && proto == PROTO_TCP_CLIENT)) { return "TCPv4_CLIENT"; } ASSERT(0); return ""; /* Make the compiler happy */ } /* * Bad incoming address lengths that differ from what * we expect are considered to be fatal errors. */ void bad_address_length(int actual, int expected) { msg(M_FATAL, "ERROR: received strange incoming packet with an address length of %d -- we only accept address lengths of %d.", actual, expected); } /* * Socket Read Routines */ int link_socket_read_tcp(struct link_socket *sock, struct buffer *buf) { int len = 0; if (!sock->stream_buf.residual_fully_formed) { #ifdef _WIN32 len = socket_finalize(sock->sd, &sock->reads, buf, NULL); #else struct buffer frag; stream_buf_get_next(&sock->stream_buf, &frag); len = recv(sock->sd, BPTR(&frag), BLEN(&frag), MSG_NOSIGNAL); #endif if (!len) { sock->stream_reset = true; } if (len <= 0) { return buf->len = len; } } if (sock->stream_buf.residual_fully_formed || stream_buf_added(&sock->stream_buf, len)) /* packet complete? */ { stream_buf_get_final(&sock->stream_buf, buf); stream_buf_reset(&sock->stream_buf); return buf->len; } else { return buf->len = 0; /* no error, but packet is still incomplete */ } } #ifndef _WIN32 #if ENABLE_IP_PKTINFO /* make the buffer large enough to handle ancilliary socket data for * both IPv4 and IPv6 destination addresses, plus padding (see RFC 2292) */ #if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST) #define PKTINFO_BUF_SIZE max_int( CMSG_SPACE(sizeof(struct in6_pktinfo)), \ CMSG_SPACE(sizeof(struct in_pktinfo)) ) #else #define PKTINFO_BUF_SIZE max_int( CMSG_SPACE(sizeof(struct in6_pktinfo)), \ CMSG_SPACE(sizeof(struct in_addr)) ) #endif static socklen_t link_socket_read_udp_posix_recvmsg(struct link_socket *sock, struct buffer *buf, struct link_socket_actual *from) { struct iovec iov; uint8_t pktinfo_buf[PKTINFO_BUF_SIZE]; struct msghdr mesg; socklen_t fromlen = sizeof(from->dest.addr); iov.iov_base = BPTR(buf); iov.iov_len = buf_forward_capacity_total(buf); mesg.msg_iov = &iov; mesg.msg_iovlen = 1; mesg.msg_name = &from->dest.addr; mesg.msg_namelen = fromlen; mesg.msg_control = pktinfo_buf; mesg.msg_controllen = sizeof pktinfo_buf; buf->len = recvmsg(sock->sd, &mesg, 0); if (buf->len >= 0) { struct cmsghdr *cmsg; fromlen = mesg.msg_namelen; cmsg = CMSG_FIRSTHDR(&mesg); if (cmsg != NULL && CMSG_NXTHDR(&mesg, cmsg) == NULL #if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST) && cmsg->cmsg_level == SOL_IP && cmsg->cmsg_type == IP_PKTINFO && cmsg->cmsg_len >= CMSG_LEN(sizeof(struct in_pktinfo)) ) #elif defined(IP_RECVDSTADDR) && cmsg->cmsg_level == IPPROTO_IP && cmsg->cmsg_type == IP_RECVDSTADDR && cmsg->cmsg_len >= CMSG_LEN(sizeof(struct in_addr)) ) #else /* if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST) */ #error ENABLE_IP_PKTINFO is set without IP_PKTINFO xor IP_RECVDSTADDR (fix syshead.h) #endif { #if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST) struct in_pktinfo *pkti = (struct in_pktinfo *) CMSG_DATA(cmsg); from->pi.in4.ipi_ifindex = pkti->ipi_ifindex; from->pi.in4.ipi_spec_dst = pkti->ipi_spec_dst; #elif defined(IP_RECVDSTADDR) from->pi.in4 = *(struct in_addr *) CMSG_DATA(cmsg); #else /* if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST) */ #error ENABLE_IP_PKTINFO is set without IP_PKTINFO xor IP_RECVDSTADDR (fix syshead.h) #endif } else if (cmsg != NULL && CMSG_NXTHDR(&mesg, cmsg) == NULL && cmsg->cmsg_level == IPPROTO_IPV6 && cmsg->cmsg_type == IPV6_PKTINFO && cmsg->cmsg_len >= CMSG_LEN(sizeof(struct in6_pktinfo)) ) { struct in6_pktinfo *pkti6 = (struct in6_pktinfo *) CMSG_DATA(cmsg); from->pi.in6.ipi6_ifindex = pkti6->ipi6_ifindex; from->pi.in6.ipi6_addr = pkti6->ipi6_addr; } else if (cmsg != NULL) { msg(M_WARN, "CMSG received that cannot be parsed (cmsg_level=%d, cmsg_type=%d, cmsg=len=%d)", (int)cmsg->cmsg_level, (int)cmsg->cmsg_type, (int)cmsg->cmsg_len ); } } return fromlen; } #endif /* if ENABLE_IP_PKTINFO */ int link_socket_read_udp_posix(struct link_socket *sock, struct buffer *buf, struct link_socket_actual *from) { socklen_t fromlen = sizeof(from->dest.addr); socklen_t expectedlen = af_addr_size(sock->info.af); addr_zero_host(&from->dest); #if ENABLE_IP_PKTINFO /* Both PROTO_UDPv4 and PROTO_UDPv6 */ if (sock->info.proto == PROTO_UDP && sock->sockflags & SF_USE_IP_PKTINFO) { fromlen = link_socket_read_udp_posix_recvmsg(sock, buf, from); } else #endif buf->len = recvfrom(sock->sd, BPTR(buf), buf_forward_capacity(buf), 0, &from->dest.addr.sa, &fromlen); /* FIXME: won't do anything when sock->info.af == AF_UNSPEC */ if (buf->len >= 0 && expectedlen && fromlen != expectedlen) { bad_address_length(fromlen, expectedlen); } return buf->len; } #endif /* ifndef _WIN32 */ /* * Socket Write Routines */ int link_socket_write_tcp(struct link_socket *sock, struct buffer *buf, struct link_socket_actual *to) { packet_size_type len = BLEN(buf); dmsg(D_STREAM_DEBUG, "STREAM: WRITE %d offset=%d", (int)len, buf->offset); ASSERT(len <= sock->stream_buf.maxlen); len = htonps(len); ASSERT(buf_write_prepend(buf, &len, sizeof(len))); #ifdef _WIN32 return link_socket_write_win32(sock, buf, to); #else return link_socket_write_tcp_posix(sock, buf, to); #endif } #if ENABLE_IP_PKTINFO size_t link_socket_write_udp_posix_sendmsg(struct link_socket *sock, struct buffer *buf, struct link_socket_actual *to) { struct iovec iov; struct msghdr mesg; struct cmsghdr *cmsg; uint8_t pktinfo_buf[PKTINFO_BUF_SIZE]; iov.iov_base = BPTR(buf); iov.iov_len = BLEN(buf); mesg.msg_iov = &iov; mesg.msg_iovlen = 1; switch (to->dest.addr.sa.sa_family) { case AF_INET: { mesg.msg_name = &to->dest.addr.sa; mesg.msg_namelen = sizeof(struct sockaddr_in); mesg.msg_control = pktinfo_buf; mesg.msg_flags = 0; #if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST) mesg.msg_controllen = CMSG_SPACE(sizeof(struct in_pktinfo)); cmsg = CMSG_FIRSTHDR(&mesg); cmsg->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo)); cmsg->cmsg_level = SOL_IP; cmsg->cmsg_type = IP_PKTINFO; { struct in_pktinfo *pkti; pkti = (struct in_pktinfo *) CMSG_DATA(cmsg); pkti->ipi_ifindex = to->pi.in4.ipi_ifindex; pkti->ipi_spec_dst = to->pi.in4.ipi_spec_dst; pkti->ipi_addr.s_addr = 0; } #elif defined(IP_RECVDSTADDR) ASSERT( CMSG_SPACE(sizeof(struct in_addr)) <= sizeof(pktinfo_buf) ); mesg.msg_controllen = CMSG_SPACE(sizeof(struct in_addr)); cmsg = CMSG_FIRSTHDR(&mesg); cmsg->cmsg_len = CMSG_LEN(sizeof(struct in_addr)); cmsg->cmsg_level = IPPROTO_IP; cmsg->cmsg_type = IP_RECVDSTADDR; *(struct in_addr *) CMSG_DATA(cmsg) = to->pi.in4; #else /* if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST) */ #error ENABLE_IP_PKTINFO is set without IP_PKTINFO xor IP_RECVDSTADDR (fix syshead.h) #endif /* if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST) */ break; } case AF_INET6: { struct in6_pktinfo *pkti6; mesg.msg_name = &to->dest.addr.sa; mesg.msg_namelen = sizeof(struct sockaddr_in6); ASSERT( CMSG_SPACE(sizeof(struct in6_pktinfo)) <= sizeof(pktinfo_buf) ); mesg.msg_control = pktinfo_buf; mesg.msg_controllen = CMSG_SPACE(sizeof(struct in6_pktinfo)); mesg.msg_flags = 0; cmsg = CMSG_FIRSTHDR(&mesg); cmsg->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo)); cmsg->cmsg_level = IPPROTO_IPV6; cmsg->cmsg_type = IPV6_PKTINFO; pkti6 = (struct in6_pktinfo *) CMSG_DATA(cmsg); pkti6->ipi6_ifindex = to->pi.in6.ipi6_ifindex; pkti6->ipi6_addr = to->pi.in6.ipi6_addr; break; } default: ASSERT(0); } return sendmsg(sock->sd, &mesg, 0); } #endif /* if ENABLE_IP_PKTINFO */ /* * Win32 overlapped socket I/O functions. */ #ifdef _WIN32 int socket_recv_queue(struct link_socket *sock, int maxsize) { if (sock->reads.iostate == IOSTATE_INITIAL) { WSABUF wsabuf[1]; int status; /* reset buf to its initial state */ if (proto_is_udp(sock->info.proto)) { sock->reads.buf = sock->reads.buf_init; } else if (proto_is_tcp(sock->info.proto)) { stream_buf_get_next(&sock->stream_buf, &sock->reads.buf); } else { ASSERT(0); } /* Win32 docs say it's okay to allocate the wsabuf on the stack */ wsabuf[0].buf = BPTR(&sock->reads.buf); wsabuf[0].len = maxsize ? maxsize : BLEN(&sock->reads.buf); /* check for buffer overflow */ ASSERT(wsabuf[0].len <= BLEN(&sock->reads.buf)); /* the overlapped read will signal this event on I/O completion */ ASSERT(ResetEvent(sock->reads.overlapped.hEvent)); sock->reads.flags = 0; if (proto_is_udp(sock->info.proto)) { sock->reads.addr_defined = true; sock->reads.addrlen = sizeof(sock->reads.addr6); status = WSARecvFrom( sock->sd, wsabuf, 1, &sock->reads.size, &sock->reads.flags, (struct sockaddr *) &sock->reads.addr, &sock->reads.addrlen, &sock->reads.overlapped, NULL); } else if (proto_is_tcp(sock->info.proto)) { sock->reads.addr_defined = false; status = WSARecv( sock->sd, wsabuf, 1, &sock->reads.size, &sock->reads.flags, &sock->reads.overlapped, NULL); } else { status = 0; ASSERT(0); } if (!status) /* operation completed immediately? */ { /* FIXME: won't do anything when sock->info.af == AF_UNSPEC */ int af_len = af_addr_size(sock->info.af); if (sock->reads.addr_defined && af_len && sock->reads.addrlen != af_len) { bad_address_length(sock->reads.addrlen, af_len); } sock->reads.iostate = IOSTATE_IMMEDIATE_RETURN; /* since we got an immediate return, we must signal the event object ourselves */ ASSERT(SetEvent(sock->reads.overlapped.hEvent)); sock->reads.status = 0; dmsg(D_WIN32_IO, "WIN32 I/O: Socket Receive immediate return [%d,%d]", (int) wsabuf[0].len, (int) sock->reads.size); } else { status = WSAGetLastError(); if (status == WSA_IO_PENDING) /* operation queued? */ { sock->reads.iostate = IOSTATE_QUEUED; sock->reads.status = status; dmsg(D_WIN32_IO, "WIN32 I/O: Socket Receive queued [%d]", (int) wsabuf[0].len); } else /* error occurred */ { struct gc_arena gc = gc_new(); ASSERT(SetEvent(sock->reads.overlapped.hEvent)); sock->reads.iostate = IOSTATE_IMMEDIATE_RETURN; sock->reads.status = status; dmsg(D_WIN32_IO, "WIN32 I/O: Socket Receive error [%d]: %s", (int) wsabuf[0].len, strerror_win32(status, &gc)); gc_free(&gc); } } } return sock->reads.iostate; } int socket_send_queue(struct link_socket *sock, struct buffer *buf, const struct link_socket_actual *to) { if (sock->writes.iostate == IOSTATE_INITIAL) { WSABUF wsabuf[1]; int status; /* make a private copy of buf */ sock->writes.buf = sock->writes.buf_init; sock->writes.buf.len = 0; ASSERT(buf_copy(&sock->writes.buf, buf)); /* Win32 docs say it's okay to allocate the wsabuf on the stack */ wsabuf[0].buf = BPTR(&sock->writes.buf); wsabuf[0].len = BLEN(&sock->writes.buf); /* the overlapped write will signal this event on I/O completion */ ASSERT(ResetEvent(sock->writes.overlapped.hEvent)); sock->writes.flags = 0; if (proto_is_udp(sock->info.proto)) { /* set destination address for UDP writes */ sock->writes.addr_defined = true; if (to->dest.addr.sa.sa_family == AF_INET6) { sock->writes.addr6 = to->dest.addr.in6; sock->writes.addrlen = sizeof(sock->writes.addr6); } else { sock->writes.addr = to->dest.addr.in4; sock->writes.addrlen = sizeof(sock->writes.addr); } status = WSASendTo( sock->sd, wsabuf, 1, &sock->writes.size, sock->writes.flags, (struct sockaddr *) &sock->writes.addr, sock->writes.addrlen, &sock->writes.overlapped, NULL); } else if (proto_is_tcp(sock->info.proto)) { /* destination address for TCP writes was established on connection initiation */ sock->writes.addr_defined = false; status = WSASend( sock->sd, wsabuf, 1, &sock->writes.size, sock->writes.flags, &sock->writes.overlapped, NULL); } else { status = 0; ASSERT(0); } if (!status) /* operation completed immediately? */ { sock->writes.iostate = IOSTATE_IMMEDIATE_RETURN; /* since we got an immediate return, we must signal the event object ourselves */ ASSERT(SetEvent(sock->writes.overlapped.hEvent)); sock->writes.status = 0; dmsg(D_WIN32_IO, "WIN32 I/O: Socket Send immediate return [%d,%d]", (int) wsabuf[0].len, (int) sock->writes.size); } else { status = WSAGetLastError(); if (status == WSA_IO_PENDING) /* operation queued? */ { sock->writes.iostate = IOSTATE_QUEUED; sock->writes.status = status; dmsg(D_WIN32_IO, "WIN32 I/O: Socket Send queued [%d]", (int) wsabuf[0].len); } else /* error occurred */ { struct gc_arena gc = gc_new(); ASSERT(SetEvent(sock->writes.overlapped.hEvent)); sock->writes.iostate = IOSTATE_IMMEDIATE_RETURN; sock->writes.status = status; dmsg(D_WIN32_IO, "WIN32 I/O: Socket Send error [%d]: %s", (int) wsabuf[0].len, strerror_win32(status, &gc)); gc_free(&gc); } } } return sock->writes.iostate; } int socket_finalize(SOCKET s, struct overlapped_io *io, struct buffer *buf, struct link_socket_actual *from) { int ret = -1; BOOL status; switch (io->iostate) { case IOSTATE_QUEUED: status = WSAGetOverlappedResult( s, &io->overlapped, &io->size, FALSE, &io->flags ); if (status) { /* successful return for a queued operation */ if (buf) { *buf = io->buf; } ret = io->size; io->iostate = IOSTATE_INITIAL; ASSERT(ResetEvent(io->overlapped.hEvent)); dmsg(D_WIN32_IO, "WIN32 I/O: Socket Completion success [%d]", ret); } else { /* error during a queued operation */ ret = -1; if (WSAGetLastError() != WSA_IO_INCOMPLETE) { /* if no error (i.e. just not finished yet), then DON'T execute this code */ io->iostate = IOSTATE_INITIAL; ASSERT(ResetEvent(io->overlapped.hEvent)); msg(D_WIN32_IO | M_ERRNO, "WIN32 I/O: Socket Completion error"); } } break; case IOSTATE_IMMEDIATE_RETURN: io->iostate = IOSTATE_INITIAL; ASSERT(ResetEvent(io->overlapped.hEvent)); if (io->status) { /* error return for a non-queued operation */ WSASetLastError(io->status); ret = -1; msg(D_WIN32_IO | M_ERRNO, "WIN32 I/O: Socket Completion non-queued error"); } else { /* successful return for a non-queued operation */ if (buf) { *buf = io->buf; } ret = io->size; dmsg(D_WIN32_IO, "WIN32 I/O: Socket Completion non-queued success [%d]", ret); } break; case IOSTATE_INITIAL: /* were we called without proper queueing? */ WSASetLastError(WSAEINVAL); ret = -1; dmsg(D_WIN32_IO, "WIN32 I/O: Socket Completion BAD STATE"); break; default: ASSERT(0); } /* return from address if requested */ if (from) { if (ret >= 0 && io->addr_defined) { /* TODO(jjo): streamline this mess */ /* in this func we dont have relevant info about the PF_ of this * endpoint, as link_socket_actual will be zero for the 1st received packet * * Test for inets PF_ possible sizes */ switch (io->addrlen) { case sizeof(struct sockaddr_in): case sizeof(struct sockaddr_in6): /* TODO(jjo): for some reason (?) I'm getting 24,28 for AF_INET6 * under _WIN32*/ case sizeof(struct sockaddr_in6)-4: break; default: bad_address_length(io->addrlen, af_addr_size(io->addr.sin_family)); } switch (io->addr.sin_family) { case AF_INET: from->dest.addr.in4 = io->addr; break; case AF_INET6: from->dest.addr.in6 = io->addr6; break; } } else { CLEAR(from->dest.addr); } } if (buf) { buf->len = ret; } return ret; } #endif /* _WIN32 */ /* * Socket event notification */ unsigned int socket_set(struct link_socket *s, struct event_set *es, unsigned int rwflags, void *arg, unsigned int *persistent) { if (s) { if ((rwflags & EVENT_READ) && !stream_buf_read_setup(s)) { ASSERT(!persistent); rwflags &= ~EVENT_READ; } #ifdef _WIN32 if (rwflags & EVENT_READ) { socket_recv_queue(s, 0); } #endif /* if persistent is defined, call event_ctl only if rwflags has changed since last call */ if (!persistent || *persistent != rwflags) { event_ctl(es, socket_event_handle(s), rwflags, arg); if (persistent) { *persistent = rwflags; } } s->rwflags_debug = rwflags; } return rwflags; } void sd_close(socket_descriptor_t *sd) { if (sd && socket_defined(*sd)) { openvpn_close_socket(*sd); *sd = SOCKET_UNDEFINED; } } #if UNIX_SOCK_SUPPORT /* * code for unix domain sockets */ const char * sockaddr_unix_name(const struct sockaddr_un *local, const char *null) { if (local && local->sun_family == PF_UNIX) { return local->sun_path; } else { return null; } } socket_descriptor_t create_socket_unix(void) { socket_descriptor_t sd; if ((sd = socket(PF_UNIX, SOCK_STREAM, 0)) < 0) { msg(M_ERR, "Cannot create unix domain socket"); } /* set socket file descriptor to not pass across execs, so that * scripts don't have access to it */ set_cloexec(sd); return sd; } void socket_bind_unix(socket_descriptor_t sd, struct sockaddr_un *local, const char *prefix) { struct gc_arena gc = gc_new(); #ifdef HAVE_UMASK const mode_t orig_umask = umask(0); #endif if (bind(sd, (struct sockaddr *) local, sizeof(struct sockaddr_un))) { msg(M_FATAL | M_ERRNO, "%s: Socket bind[%d] failed on unix domain socket %s", prefix, (int)sd, sockaddr_unix_name(local, "NULL")); } #ifdef HAVE_UMASK umask(orig_umask); #endif gc_free(&gc); } socket_descriptor_t socket_accept_unix(socket_descriptor_t sd, struct sockaddr_un *remote) { socklen_t remote_len = sizeof(struct sockaddr_un); socket_descriptor_t ret; CLEAR(*remote); ret = accept(sd, (struct sockaddr *) remote, &remote_len); if (ret >= 0) { /* set socket file descriptor to not pass across execs, so that * scripts don't have access to it */ set_cloexec(ret); } return ret; } int socket_connect_unix(socket_descriptor_t sd, struct sockaddr_un *remote) { int status = connect(sd, (struct sockaddr *) remote, sizeof(struct sockaddr_un)); if (status) { status = openvpn_errno(); } return status; } void sockaddr_unix_init(struct sockaddr_un *local, const char *path) { local->sun_family = PF_UNIX; strncpynt(local->sun_path, path, sizeof(local->sun_path)); } void socket_delete_unix(const struct sockaddr_un *local) { const char *name = sockaddr_unix_name(local, NULL); #ifdef HAVE_UNLINK if (name && strlen(name)) { unlink(name); } #endif } bool unix_socket_get_peer_uid_gid(const socket_descriptor_t sd, int *uid, int *gid) { #ifdef HAVE_GETPEEREID uid_t u; gid_t g; if (getpeereid(sd, &u, &g) == -1) { return false; } if (uid) { *uid = u; } if (gid) { *gid = g; } return true; #elif defined(SO_PEERCRED) struct ucred peercred; socklen_t so_len = sizeof(peercred); if (getsockopt(sd, SOL_SOCKET, SO_PEERCRED, &peercred, &so_len) == -1) { return false; } if (uid) { *uid = peercred.uid; } if (gid) { *gid = peercred.gid; } return true; #else /* ifdef HAVE_GETPEEREID */ return false; #endif /* ifdef HAVE_GETPEEREID */ } #endif /* if UNIX_SOCK_SUPPORT */ openvpn-2.4.4/src/openvpn/socket.h000066400000000000000000001030131316434344000171230ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifndef SOCKET_H #define SOCKET_H #include "buffer.h" #include "common.h" #include "error.h" #include "proto.h" #include "mtu.h" #include "win32.h" #include "event.h" #include "proxy.h" #include "socks.h" #include "misc.h" /* * OpenVPN's default port number as assigned by IANA. */ #define OPENVPN_PORT "1194" /* * Number of seconds that "resolv-retry infinite" * represents. */ #define RESOLV_RETRY_INFINITE 1000000000 /* * packet_size_type is used to communicate packet size * over the wire when stream oriented protocols are * being used */ typedef uint16_t packet_size_type; /* convert a packet_size_type from host to network order */ #define htonps(x) htons(x) /* convert a packet_size_type from network to host order */ #define ntohps(x) ntohs(x) /* OpenVPN sockaddr struct */ struct openvpn_sockaddr { /*int dummy;*/ /* add offset to force a bug if sa not explicitly dereferenced */ union { struct sockaddr sa; struct sockaddr_in in4; struct sockaddr_in6 in6; } addr; }; /* struct to hold preresolved host names */ struct cached_dns_entry { const char *hostname; const char *servname; int ai_family; int flags; struct addrinfo *ai; struct cached_dns_entry *next; }; /* actual address of remote, based on source address of received packets */ struct link_socket_actual { /*int dummy;*/ /* add offset to force a bug if dest not explicitly dereferenced */ struct openvpn_sockaddr dest; #if ENABLE_IP_PKTINFO union { #if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST) struct in_pktinfo in4; #elif defined(IP_RECVDSTADDR) struct in_addr in4; #endif struct in6_pktinfo in6; } pi; #endif }; /* IP addresses which are persistant across SIGUSR1s */ struct link_socket_addr { struct addrinfo *bind_local; struct addrinfo *remote_list; /* complete remote list */ struct addrinfo *current_remote; /* remote used in the * current connection attempt */ struct link_socket_actual actual; /* reply to this address */ }; struct link_socket_info { struct link_socket_addr *lsa; bool connection_established; const char *ipchange_command; const struct plugin_list *plugins; bool remote_float; int proto; /* Protocol (PROTO_x defined below) */ sa_family_t af; /* Address family like AF_INET, AF_INET6 or AF_UNSPEC*/ bool bind_ipv6_only; int mtu_changed; /* Set to true when mtu value is changed */ }; /* * Used to extract packets encapsulated in streams into a buffer, * in this case IP packets embedded in a TCP stream. */ struct stream_buf { struct buffer buf_init; struct buffer residual; int maxlen; bool residual_fully_formed; struct buffer buf; struct buffer next; int len; /* -1 if not yet known */ bool error; /* if true, fatal TCP error has occurred, * requiring that connection be restarted */ #if PORT_SHARE #define PS_DISABLED 0 #define PS_ENABLED 1 #define PS_FOREIGN 2 int port_share_state; #endif }; /* * Used to set socket buffer sizes */ struct socket_buffer_size { int rcvbuf; int sndbuf; }; /* * This is the main socket structure used by OpenVPN. The SOCKET_ * defines try to abstract away our implementation differences between * using sockets on Posix vs. Win32. */ struct link_socket { struct link_socket_info info; socket_descriptor_t sd; socket_descriptor_t ctrl_sd; /* only used for UDP over Socks */ #ifdef _WIN32 struct overlapped_io reads; struct overlapped_io writes; struct rw_handle rw_handle; struct rw_handle listen_handle; /* For listening on TCP socket in server mode */ #endif /* used for printing status info only */ unsigned int rwflags_debug; /* used for long-term queueing of pre-accepted socket listen */ bool listen_persistent_queued; const char *remote_host; const char *remote_port; const char *local_host; const char *local_port; struct cached_dns_entry *dns_cache; bool bind_local; #define INETD_NONE 0 #define INETD_WAIT 1 #define INETD_NOWAIT 2 int inetd; #define LS_MODE_DEFAULT 0 #define LS_MODE_TCP_LISTEN 1 #define LS_MODE_TCP_ACCEPT_FROM 2 int mode; int resolve_retry_seconds; int mtu_discover_type; struct socket_buffer_size socket_buffer_sizes; int mtu; /* OS discovered MTU, or 0 if unknown */ #define SF_USE_IP_PKTINFO (1<<0) #define SF_TCP_NODELAY (1<<1) #define SF_PORT_SHARE (1<<2) #define SF_HOST_RANDOMIZE (1<<3) #define SF_GETADDRINFO_DGRAM (1<<4) unsigned int sockflags; int mark; /* for stream sockets */ struct stream_buf stream_buf; struct buffer stream_buf_data; bool stream_reset; /* HTTP proxy */ struct http_proxy_info *http_proxy; /* Socks proxy */ struct socks_proxy_info *socks_proxy; struct link_socket_actual socks_relay; /* Socks UDP relay address */ /* The OpenVPN server we will use the proxy to connect to */ const char *proxy_dest_host; const char *proxy_dest_port; /* Pointer to the server-poll to trigger the timeout in function which have * their own loop instead of using the main oop */ struct event_timeout *server_poll_timeout; #if PASSTOS_CAPABILITY /* used to get/set TOS. */ #if defined(TARGET_LINUX) uint8_t ptos; #else /* all the BSDs, Solaris, MacOS use plain "int" -> see "man ip" there */ int ptos; #endif bool ptos_defined; #endif #ifdef ENABLE_DEBUG int gremlin; /* --gremlin bits */ #endif }; /* * Some Posix/Win32 differences. */ #ifndef MSG_NOSIGNAL #define MSG_NOSIGNAL 0 #endif #ifdef _WIN32 #define openvpn_close_socket(s) closesocket(s) int socket_recv_queue(struct link_socket *sock, int maxsize); int socket_send_queue(struct link_socket *sock, struct buffer *buf, const struct link_socket_actual *to); int socket_finalize( SOCKET s, struct overlapped_io *io, struct buffer *buf, struct link_socket_actual *from); #else /* ifdef _WIN32 */ #define openvpn_close_socket(s) close(s) #endif struct link_socket *link_socket_new(void); void socket_bind(socket_descriptor_t sd, struct addrinfo *local, int af_family, const char *prefix, bool ipv6only); int openvpn_connect(socket_descriptor_t sd, const struct sockaddr *remote, int connect_timeout, volatile int *signal_received); /* * Initialize link_socket object. */ void link_socket_init_phase1(struct link_socket *sock, const char *local_host, const char *local_port, const char *remote_host, const char *remote_port, struct cached_dns_entry *dns_cache, int proto, sa_family_t af, bool bind_ipv6_only, int mode, const struct link_socket *accept_from, struct http_proxy_info *http_proxy, struct socks_proxy_info *socks_proxy, #ifdef ENABLE_DEBUG int gremlin, #endif bool bind_local, bool remote_float, int inetd, struct link_socket_addr *lsa, const char *ipchange_command, const struct plugin_list *plugins, int resolve_retry_seconds, int mtu_discover_type, int rcvbuf, int sndbuf, int mark, struct event_timeout *server_poll_timeout, unsigned int sockflags); void link_socket_init_phase2(struct link_socket *sock, const struct frame *frame, struct signal_info *sig_info); void do_preresolve(struct context *c); void socket_adjust_frame_parameters(struct frame *frame, int proto); void frame_adjust_path_mtu(struct frame *frame, int pmtu, int proto); void link_socket_close(struct link_socket *sock); void sd_close(socket_descriptor_t *sd); #define PS_SHOW_PORT_IF_DEFINED (1<<0) #define PS_SHOW_PORT (1<<1) #define PS_SHOW_PKTINFO (1<<2) #define PS_DONT_SHOW_ADDR (1<<3) #define PS_DONT_SHOW_FAMILY (1<<4) const char *print_sockaddr_ex(const struct sockaddr *addr, const char *separator, const unsigned int flags, struct gc_arena *gc); static inline const char * print_openvpn_sockaddr_ex(const struct openvpn_sockaddr *addr, const char *separator, const unsigned int flags, struct gc_arena *gc) { return print_sockaddr_ex(&addr->addr.sa, separator, flags, gc); } static inline const char * print_openvpn_sockaddr(const struct openvpn_sockaddr *addr, struct gc_arena *gc) { return print_sockaddr_ex(&addr->addr.sa, ":", PS_SHOW_PORT, gc); } static inline const char * print_sockaddr(const struct sockaddr *addr, struct gc_arena *gc) { return print_sockaddr_ex(addr, ":", PS_SHOW_PORT, gc); } const char *print_link_socket_actual_ex(const struct link_socket_actual *act, const char *separator, const unsigned int flags, struct gc_arena *gc); const char *print_link_socket_actual(const struct link_socket_actual *act, struct gc_arena *gc); #define IA_EMPTY_IF_UNDEF (1<<0) #define IA_NET_ORDER (1<<1) const char *print_in_addr_t(in_addr_t addr, unsigned int flags, struct gc_arena *gc); const char *print_in6_addr(struct in6_addr addr6, unsigned int flags, struct gc_arena *gc); struct in6_addr add_in6_addr( struct in6_addr base, uint32_t add ); #define SA_IP_PORT (1<<0) #define SA_SET_IF_NONZERO (1<<1) void setenv_sockaddr(struct env_set *es, const char *name_prefix, const struct openvpn_sockaddr *addr, const unsigned int flags); void setenv_in_addr_t(struct env_set *es, const char *name_prefix, in_addr_t addr, const unsigned int flags); void setenv_in6_addr(struct env_set *es, const char *name_prefix, const struct in6_addr *addr, const unsigned int flags); void setenv_link_socket_actual(struct env_set *es, const char *name_prefix, const struct link_socket_actual *act, const unsigned int flags); void bad_address_length(int actual, int expected); /* IPV4_INVALID_ADDR: returned by link_socket_current_remote() * to ease redirect-gateway logic for ipv4 tunnels on ipv6 endpoints */ #define IPV4_INVALID_ADDR 0xffffffff in_addr_t link_socket_current_remote(const struct link_socket_info *info); const struct in6_addr *link_socket_current_remote_ipv6 (const struct link_socket_info *info); void link_socket_connection_initiated(const struct buffer *buf, struct link_socket_info *info, const struct link_socket_actual *addr, const char *common_name, struct env_set *es); void link_socket_bad_incoming_addr(struct buffer *buf, const struct link_socket_info *info, const struct link_socket_actual *from_addr); void set_actual_address(struct link_socket_actual *actual, struct addrinfo *ai); void link_socket_bad_outgoing_addr(void); void setenv_trusted(struct env_set *es, const struct link_socket_info *info); bool link_socket_update_flags(struct link_socket *ls, unsigned int sockflags); void link_socket_update_buffer_sizes(struct link_socket *ls, int rcvbuf, int sndbuf); /* * Low-level functions */ /* return values of openvpn_inet_aton */ #define OIA_HOSTNAME 0 #define OIA_IP 1 #define OIA_ERROR -1 int openvpn_inet_aton(const char *dotted_quad, struct in_addr *addr); /* integrity validation on pulled options */ bool ip_addr_dotted_quad_safe(const char *dotted_quad); bool ip_or_dns_addr_safe(const char *addr, const bool allow_fqdn); bool mac_addr_safe(const char *mac_addr); bool ipv6_addr_safe(const char *ipv6_text_addr); socket_descriptor_t create_socket_tcp(struct addrinfo *); socket_descriptor_t socket_do_accept(socket_descriptor_t sd, struct link_socket_actual *act, const bool nowait); /* * proto related */ bool proto_is_net(int proto); bool proto_is_dgram(int proto); bool proto_is_udp(int proto); bool proto_is_tcp(int proto); #if UNIX_SOCK_SUPPORT socket_descriptor_t create_socket_unix(void); void socket_bind_unix(socket_descriptor_t sd, struct sockaddr_un *local, const char *prefix); socket_descriptor_t socket_accept_unix(socket_descriptor_t sd, struct sockaddr_un *remote); int socket_connect_unix(socket_descriptor_t sd, struct sockaddr_un *remote); void sockaddr_unix_init(struct sockaddr_un *local, const char *path); const char *sockaddr_unix_name(const struct sockaddr_un *local, const char *null); void socket_delete_unix(const struct sockaddr_un *local); bool unix_socket_get_peer_uid_gid(const socket_descriptor_t sd, int *uid, int *gid); #endif /* if UNIX_SOCK_SUPPORT */ /* * DNS resolution */ #define GETADDR_RESOLVE (1<<0) #define GETADDR_FATAL (1<<1) #define GETADDR_HOST_ORDER (1<<2) #define GETADDR_MENTION_RESOLVE_RETRY (1<<3) #define GETADDR_FATAL_ON_SIGNAL (1<<4) #define GETADDR_WARN_ON_SIGNAL (1<<5) #define GETADDR_MSG_VIRT_OUT (1<<6) #define GETADDR_TRY_ONCE (1<<7) #define GETADDR_UPDATE_MANAGEMENT_STATE (1<<8) #define GETADDR_RANDOMIZE (1<<9) #define GETADDR_PASSIVE (1<<10) #define GETADDR_DATAGRAM (1<<11) #define GETADDR_CACHE_MASK (GETADDR_DATAGRAM|GETADDR_PASSIVE) in_addr_t getaddr(unsigned int flags, const char *hostname, int resolve_retry_seconds, bool *succeeded, volatile int *signal_received); int openvpn_getaddrinfo(unsigned int flags, const char *hostname, const char *servname, int resolve_retry_seconds, volatile int *signal_received, int ai_family, struct addrinfo **res); /* * Transport protocol naming and other details. */ /* * Use enum's instead of #define to allow for easier * optional proto support */ enum proto_num { PROTO_NONE, /* catch for uninitialized */ PROTO_UDP, PROTO_TCP, PROTO_TCP_SERVER, PROTO_TCP_CLIENT, PROTO_N }; int ascii2proto(const char *proto_name); sa_family_t ascii2af(const char *proto_name); const char *proto2ascii(int proto, sa_family_t af, bool display_form); const char *proto2ascii_all(struct gc_arena *gc); const char *proto_remote(int proto, bool remote); const char *addr_family_name(int af); /* * Overhead added to packets by various protocols. */ #define IPv4_UDP_HEADER_SIZE 28 #define IPv4_TCP_HEADER_SIZE 40 #define IPv6_UDP_HEADER_SIZE 48 #define IPv6_TCP_HEADER_SIZE 60 extern const int proto_overhead[]; static inline int datagram_overhead(int proto) { ASSERT(proto >= 0 && proto < PROTO_N); return proto_overhead [proto]; } /* * Misc inline functions */ static inline bool link_socket_proto_connection_oriented(int proto) { return !proto_is_dgram(proto); } static inline bool link_socket_connection_oriented(const struct link_socket *sock) { if (sock) { return link_socket_proto_connection_oriented(sock->info.proto); } else { return false; } } static inline bool addr_defined(const struct openvpn_sockaddr *addr) { if (!addr) { return 0; } switch (addr->addr.sa.sa_family) { case AF_INET: return addr->addr.in4.sin_addr.s_addr != 0; case AF_INET6: return !IN6_IS_ADDR_UNSPECIFIED(&addr->addr.in6.sin6_addr); default: return 0; } } static inline bool addr_local(const struct sockaddr *addr) { if (!addr) { return false; } switch (addr->sa_family) { case AF_INET: return ((const struct sockaddr_in *)addr)->sin_addr.s_addr == htonl(INADDR_LOOPBACK); case AF_INET6: return IN6_IS_ADDR_LOOPBACK(&((const struct sockaddr_in6 *)addr)->sin6_addr); default: return false; } } static inline bool addr_defined_ipi(const struct link_socket_actual *lsa) { #if ENABLE_IP_PKTINFO if (!lsa) { return 0; } switch (lsa->dest.addr.sa.sa_family) { #if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST) case AF_INET: return lsa->pi.in4.ipi_spec_dst.s_addr != 0; #elif defined(IP_RECVDSTADDR) case AF_INET: return lsa->pi.in4.s_addr != 0; #endif case AF_INET6: return !IN6_IS_ADDR_UNSPECIFIED(&lsa->pi.in6.ipi6_addr); default: return 0; } #else /* if ENABLE_IP_PKTINFO */ ASSERT(0); #endif return false; } static inline bool link_socket_actual_defined(const struct link_socket_actual *act) { return act && addr_defined(&act->dest); } static inline bool addr_match(const struct openvpn_sockaddr *a1, const struct openvpn_sockaddr *a2) { switch (a1->addr.sa.sa_family) { case AF_INET: return a1->addr.in4.sin_addr.s_addr == a2->addr.in4.sin_addr.s_addr; case AF_INET6: return IN6_ARE_ADDR_EQUAL(&a1->addr.in6.sin6_addr, &a2->addr.in6.sin6_addr); } ASSERT(0); return false; } static inline bool addrlist_match(const struct openvpn_sockaddr *a1, const struct addrinfo *addrlist) { const struct addrinfo *curele; for (curele = addrlist; curele; curele = curele->ai_next) { switch (a1->addr.sa.sa_family) { case AF_INET: if (a1->addr.in4.sin_addr.s_addr == ((struct sockaddr_in *)curele->ai_addr)->sin_addr.s_addr) { return true; } break; case AF_INET6: if (IN6_ARE_ADDR_EQUAL(&a1->addr.in6.sin6_addr, &((struct sockaddr_in6 *) curele->ai_addr)->sin6_addr)) { return true; } break; default: ASSERT(0); } } return false; } static inline in_addr_t addr_host(const struct openvpn_sockaddr *addr) { /* * "public" addr returned is checked against ifconfig for * possible clash: non sense for now given * that we do ifconfig only IPv4 */ if (addr->addr.sa.sa_family != AF_INET) { return 0; } return ntohl(addr->addr.in4.sin_addr.s_addr); } static inline bool addrlist_port_match(const struct openvpn_sockaddr *a1, const struct addrinfo *a2) { const struct addrinfo *curele; for (curele = a2; curele; curele = curele->ai_next) { switch (a1->addr.sa.sa_family) { case AF_INET: if (curele->ai_family == AF_INET && a1->addr.in4.sin_addr.s_addr == ((struct sockaddr_in *)curele->ai_addr)->sin_addr.s_addr && a1->addr.in4.sin_port == ((struct sockaddr_in *)curele->ai_addr)->sin_port) { return true; } break; case AF_INET6: if (curele->ai_family == AF_INET6 && IN6_ARE_ADDR_EQUAL(&a1->addr.in6.sin6_addr, &((struct sockaddr_in6 *) curele->ai_addr)->sin6_addr) && a1->addr.in6.sin6_port == ((struct sockaddr_in6 *) curele->ai_addr)->sin6_port) { return true; } break; default: ASSERT(0); } } return false; } static inline bool addr_port_match(const struct openvpn_sockaddr *a1, const struct openvpn_sockaddr *a2) { switch (a1->addr.sa.sa_family) { case AF_INET: return a1->addr.in4.sin_addr.s_addr == a2->addr.in4.sin_addr.s_addr && a1->addr.in4.sin_port == a2->addr.in4.sin_port; case AF_INET6: return IN6_ARE_ADDR_EQUAL(&a1->addr.in6.sin6_addr, &a2->addr.in6.sin6_addr) && a1->addr.in6.sin6_port == a2->addr.in6.sin6_port; } ASSERT(0); return false; } static inline bool addr_match_proto(const struct openvpn_sockaddr *a1, const struct openvpn_sockaddr *a2, const int proto) { return link_socket_proto_connection_oriented(proto) ? addr_match(a1, a2) : addr_port_match(a1, a2); } static inline bool addrlist_match_proto(const struct openvpn_sockaddr *a1, struct addrinfo *addr_list, const int proto) { return link_socket_proto_connection_oriented(proto) ? addrlist_match(a1, addr_list) : addrlist_port_match(a1, addr_list); } static inline void addr_zero_host(struct openvpn_sockaddr *addr) { switch (addr->addr.sa.sa_family) { case AF_INET: addr->addr.in4.sin_addr.s_addr = 0; break; case AF_INET6: memset(&addr->addr.in6.sin6_addr, 0, sizeof(struct in6_addr)); break; } } static inline void addr_copy_sa(struct openvpn_sockaddr *dst, const struct openvpn_sockaddr *src) { dst->addr = src->addr; } static inline bool addr_inet4or6(struct sockaddr *addr) { return addr->sa_family == AF_INET || addr->sa_family == AF_INET6; } int addr_guess_family(sa_family_t af,const char *name); static inline int af_addr_size(sa_family_t af) { switch (af) { case AF_INET: return sizeof(struct sockaddr_in); case AF_INET6: return sizeof(struct sockaddr_in6); default: #if 0 /* could be called from socket_do_accept() with empty addr */ msg(M_ERR, "Bad address family: %d\n", af); ASSERT(0); #endif return 0; } } static inline bool link_socket_actual_match(const struct link_socket_actual *a1, const struct link_socket_actual *a2) { return addr_port_match(&a1->dest, &a2->dest); } #if PORT_SHARE static inline bool socket_foreign_protocol_detected(const struct link_socket *sock) { return link_socket_connection_oriented(sock) && sock->stream_buf.port_share_state == PS_FOREIGN; } static inline const struct buffer * socket_foreign_protocol_head(const struct link_socket *sock) { return &sock->stream_buf.buf; } static inline int socket_foreign_protocol_sd(const struct link_socket *sock) { return sock->sd; } #endif /* if PORT_SHARE */ static inline bool socket_connection_reset(const struct link_socket *sock, int status) { if (link_socket_connection_oriented(sock)) { if (sock->stream_reset || sock->stream_buf.error) { return true; } else if (status < 0) { const int err = openvpn_errno(); #ifdef _WIN32 return err == WSAECONNRESET || err == WSAECONNABORTED; #else return err == ECONNRESET; #endif } } return false; } static inline bool link_socket_verify_incoming_addr(struct buffer *buf, const struct link_socket_info *info, const struct link_socket_actual *from_addr) { if (buf->len > 0) { switch (from_addr->dest.addr.sa.sa_family) { case AF_INET6: case AF_INET: if (!link_socket_actual_defined(from_addr)) { return false; } if (info->remote_float || (!info->lsa->remote_list)) { return true; } if (addrlist_match_proto(&from_addr->dest, info->lsa->remote_list, info->proto)) { return true; } } } return false; } static inline void link_socket_get_outgoing_addr(struct buffer *buf, const struct link_socket_info *info, struct link_socket_actual **act) { if (buf->len > 0) { struct link_socket_addr *lsa = info->lsa; if (link_socket_actual_defined(&lsa->actual)) { *act = &lsa->actual; } else { link_socket_bad_outgoing_addr(); buf->len = 0; *act = NULL; } } } static inline void link_socket_set_outgoing_addr(const struct buffer *buf, struct link_socket_info *info, const struct link_socket_actual *act, const char *common_name, struct env_set *es) { if (!buf || buf->len > 0) { struct link_socket_addr *lsa = info->lsa; if ( /* new or changed address? */ (!info->connection_established || !addr_match_proto(&act->dest, &lsa->actual.dest, info->proto) ) && /* address undef or address == remote or --float */ (info->remote_float || (!lsa->remote_list || addrlist_match_proto(&act->dest, lsa->remote_list, info->proto)) ) ) { link_socket_connection_initiated(buf, info, act, common_name, es); } } } /* * Stream buffer handling -- stream_buf is a helper class * to assist in the packetization of stream transport protocols * such as TCP. */ void stream_buf_init(struct stream_buf *sb, struct buffer *buf, const unsigned int sockflags, const int proto); void stream_buf_close(struct stream_buf *sb); bool stream_buf_added(struct stream_buf *sb, int length_added); static inline bool stream_buf_read_setup(struct link_socket *sock) { bool stream_buf_read_setup_dowork(struct link_socket *sock); if (link_socket_connection_oriented(sock)) { return stream_buf_read_setup_dowork(sock); } else { return true; } } /* * Socket Read Routines */ int link_socket_read_tcp(struct link_socket *sock, struct buffer *buf); #ifdef _WIN32 static inline int link_socket_read_udp_win32(struct link_socket *sock, struct buffer *buf, struct link_socket_actual *from) { return socket_finalize(sock->sd, &sock->reads, buf, from); } #else /* ifdef _WIN32 */ int link_socket_read_udp_posix(struct link_socket *sock, struct buffer *buf, struct link_socket_actual *from); #endif /* read a TCP or UDP packet from link */ static inline int link_socket_read(struct link_socket *sock, struct buffer *buf, struct link_socket_actual *from) { if (proto_is_udp(sock->info.proto)) /* unified UDPv4 and UDPv6 */ { int res; #ifdef _WIN32 res = link_socket_read_udp_win32(sock, buf, from); #else res = link_socket_read_udp_posix(sock, buf, from); #endif return res; } else if (proto_is_tcp(sock->info.proto)) /* unified TCPv4 and TCPv6 */ { /* from address was returned by accept */ addr_copy_sa(&from->dest, &sock->info.lsa->actual.dest); return link_socket_read_tcp(sock, buf); } else { ASSERT(0); return -1; /* NOTREACHED */ } } /* * Socket Write routines */ int link_socket_write_tcp(struct link_socket *sock, struct buffer *buf, struct link_socket_actual *to); #ifdef _WIN32 static inline int link_socket_write_win32(struct link_socket *sock, struct buffer *buf, struct link_socket_actual *to) { int err = 0; int status = 0; if (overlapped_io_active(&sock->writes)) { status = socket_finalize(sock->sd, &sock->writes, NULL, NULL); if (status < 0) { err = WSAGetLastError(); } } socket_send_queue(sock, buf, to); if (status < 0) { WSASetLastError(err); return status; } else { return BLEN(buf); } } #else /* ifdef _WIN32 */ static inline size_t link_socket_write_udp_posix(struct link_socket *sock, struct buffer *buf, struct link_socket_actual *to) { #if ENABLE_IP_PKTINFO size_t link_socket_write_udp_posix_sendmsg(struct link_socket *sock, struct buffer *buf, struct link_socket_actual *to); if (proto_is_udp(sock->info.proto) && (sock->sockflags & SF_USE_IP_PKTINFO) && addr_defined_ipi(to)) { return link_socket_write_udp_posix_sendmsg(sock, buf, to); } else #endif return sendto(sock->sd, BPTR(buf), BLEN(buf), 0, (struct sockaddr *) &to->dest.addr.sa, (socklen_t) af_addr_size(to->dest.addr.sa.sa_family)); } static inline size_t link_socket_write_tcp_posix(struct link_socket *sock, struct buffer *buf, struct link_socket_actual *to) { return send(sock->sd, BPTR(buf), BLEN(buf), MSG_NOSIGNAL); } #endif /* ifdef _WIN32 */ static inline size_t link_socket_write_udp(struct link_socket *sock, struct buffer *buf, struct link_socket_actual *to) { #ifdef _WIN32 return link_socket_write_win32(sock, buf, to); #else return link_socket_write_udp_posix(sock, buf, to); #endif } /* write a TCP or UDP packet to link */ static inline int link_socket_write(struct link_socket *sock, struct buffer *buf, struct link_socket_actual *to) { if (proto_is_udp(sock->info.proto)) /* unified UDPv4 and UDPv6 */ { return link_socket_write_udp(sock, buf, to); } else if (proto_is_tcp(sock->info.proto)) /* unified TCPv4 and TCPv6 */ { return link_socket_write_tcp(sock, buf, to); } else { ASSERT(0); return -1; /* NOTREACHED */ } } #if PASSTOS_CAPABILITY /* * Extract TOS bits. Assumes that ipbuf is a valid IPv4 packet. */ static inline void link_socket_extract_tos(struct link_socket *ls, const struct buffer *ipbuf) { if (ls && ipbuf) { struct openvpn_iphdr *iph = (struct openvpn_iphdr *) BPTR(ipbuf); ls->ptos = iph->tos; ls->ptos_defined = true; } } /* * Set socket properties to reflect TOS bits which were extracted * from tunnel packet. */ static inline void link_socket_set_tos(struct link_socket *ls) { if (ls && ls->ptos_defined) { setsockopt(ls->sd, IPPROTO_IP, IP_TOS, (const void *)&ls->ptos, sizeof(ls->ptos)); } } #endif /* if PASSTOS_CAPABILITY */ /* * Socket I/O wait functions */ static inline bool socket_read_residual(const struct link_socket *s) { return s && s->stream_buf.residual_fully_formed; } static inline event_t socket_event_handle(const struct link_socket *s) { #ifdef _WIN32 return &s->rw_handle; #else return s->sd; #endif } event_t socket_listen_event_handle(struct link_socket *s); unsigned int socket_set(struct link_socket *s, struct event_set *es, unsigned int rwflags, void *arg, unsigned int *persistent); static inline void socket_set_listen_persistent(struct link_socket *s, struct event_set *es, void *arg) { if (s && !s->listen_persistent_queued) { event_ctl(es, socket_listen_event_handle(s), EVENT_READ, arg); s->listen_persistent_queued = true; } } static inline void socket_reset_listen_persistent(struct link_socket *s) { #ifdef _WIN32 reset_net_event_win32(&s->listen_handle, s->sd); #endif } const char *socket_stat(const struct link_socket *s, unsigned int rwflags, struct gc_arena *gc); #endif /* SOCKET_H */ openvpn-2.4.4/src/openvpn/socks.c000066400000000000000000000364161316434344000167640ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ /* * 2004-01-30: Added Socks5 proxy support, see RFC 1928 * (Christof Meerwald, http://cmeerw.org) * * 2010-10-10: Added Socks5 plain text authentication support (RFC 1929) * (Pierre Bourdon ) */ #ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) #include "config-msvc.h" #endif #include "syshead.h" #include "common.h" #include "misc.h" #include "win32.h" #include "socket.h" #include "fdmisc.h" #include "misc.h" #include "proxy.h" #include "memdbg.h" #define UP_TYPE_SOCKS "SOCKS Proxy" void socks_adjust_frame_parameters(struct frame *frame, int proto) { if (proto == PROTO_UDP) { frame_add_to_extra_link(frame, 10); } } struct socks_proxy_info * socks_proxy_new(const char *server, const char *port, const char *authfile) { struct socks_proxy_info *p; ALLOC_OBJ_CLEAR(p, struct socks_proxy_info); ASSERT(server); ASSERT(port); strncpynt(p->server, server, sizeof(p->server)); p->port = port; if (authfile) { strncpynt(p->authfile, authfile, sizeof(p->authfile)); } else { p->authfile[0] = 0; } p->defined = true; return p; } void socks_proxy_close(struct socks_proxy_info *sp) { free(sp); } static bool socks_username_password_auth(struct socks_proxy_info *p, socket_descriptor_t sd, volatile int *signal_received) { char to_send[516]; char buf[2]; int len = 0; const int timeout_sec = 5; struct user_pass creds; ssize_t size; creds.defined = 0; if (!get_user_pass(&creds, p->authfile, UP_TYPE_SOCKS, GET_USER_PASS_MANAGEMENT)) { msg(M_NONFATAL, "SOCKS failed to get username/password."); return false; } if ( (strlen(creds.username) > 255) || (strlen(creds.password) > 255) ) { msg(M_NONFATAL, "SOCKS username and/or password exceeds 255 characters. " "Authentication not possible."); return false; } openvpn_snprintf(to_send, sizeof(to_send), "\x01%c%s%c%s", (int) strlen(creds.username), creds.username, (int) strlen(creds.password), creds.password); size = send(sd, to_send, strlen(to_send), MSG_NOSIGNAL); if (size != strlen(to_send)) { msg(D_LINK_ERRORS | M_ERRNO, "socks_username_password_auth: TCP port write failed on send()"); return false; } while (len < 2) { int status; ssize_t size; fd_set reads; struct timeval tv; char c; FD_ZERO(&reads); openvpn_fd_set(sd, &reads); tv.tv_sec = timeout_sec; tv.tv_usec = 0; status = select(sd + 1, &reads, NULL, NULL, &tv); get_signal(signal_received); if (*signal_received) { return false; } /* timeout? */ if (status == 0) { msg(D_LINK_ERRORS | M_ERRNO, "socks_username_password_auth: TCP port read timeout expired"); return false; } /* error */ if (status < 0) { msg(D_LINK_ERRORS | M_ERRNO, "socks_username_password_auth: TCP port read failed on select()"); return false; } /* read single char */ size = recv(sd, &c, 1, MSG_NOSIGNAL); /* error? */ if (size != 1) { msg(D_LINK_ERRORS | M_ERRNO, "socks_username_password_auth: TCP port read failed on recv()"); return false; } /* store char in buffer */ buf[len++] = c; } /* VER = 5, SUCCESS = 0 --> auth success */ if (buf[0] != 5 && buf[1] != 0) { msg(D_LINK_ERRORS, "socks_username_password_auth: server refused the authentication"); return false; } return true; } static bool socks_handshake(struct socks_proxy_info *p, socket_descriptor_t sd, volatile int *signal_received) { char buf[2]; int len = 0; const int timeout_sec = 5; ssize_t size; /* VER = 5, NMETHODS = 1, METHODS = [0 (no auth)] */ char method_sel[3] = { 0x05, 0x01, 0x00 }; if (p->authfile[0]) { method_sel[2] = 0x02; /* METHODS = [2 (plain login)] */ } size = send(sd, method_sel, sizeof(method_sel), MSG_NOSIGNAL); if (size != sizeof(method_sel)) { msg(D_LINK_ERRORS | M_ERRNO, "socks_handshake: TCP port write failed on send()"); return false; } while (len < 2) { int status; ssize_t size; fd_set reads; struct timeval tv; char c; FD_ZERO(&reads); openvpn_fd_set(sd, &reads); tv.tv_sec = timeout_sec; tv.tv_usec = 0; status = select(sd + 1, &reads, NULL, NULL, &tv); get_signal(signal_received); if (*signal_received) { return false; } /* timeout? */ if (status == 0) { msg(D_LINK_ERRORS | M_ERRNO, "socks_handshake: TCP port read timeout expired"); return false; } /* error */ if (status < 0) { msg(D_LINK_ERRORS | M_ERRNO, "socks_handshake: TCP port read failed on select()"); return false; } /* read single char */ size = recv(sd, &c, 1, MSG_NOSIGNAL); /* error? */ if (size != 1) { msg(D_LINK_ERRORS | M_ERRNO, "socks_handshake: TCP port read failed on recv()"); return false; } /* store char in buffer */ buf[len++] = c; } /* VER == 5 */ if (buf[0] != '\x05') { msg(D_LINK_ERRORS, "socks_handshake: Socks proxy returned bad status"); return false; } /* validate that the auth method returned is the one sent */ if (buf[1] != method_sel[2]) { msg(D_LINK_ERRORS, "socks_handshake: Socks proxy returned unexpected auth"); return false; } /* select the appropriate authentication method */ switch (buf[1]) { case 0: /* no authentication */ break; case 2: /* login/password */ if (!p->authfile[0]) { msg(D_LINK_ERRORS, "socks_handshake: server asked for username/login auth but we were " "not provided any credentials"); return false; } if (!socks_username_password_auth(p, sd, signal_received)) { return false; } break; default: /* unknown auth method */ msg(D_LINK_ERRORS, "socks_handshake: unknown SOCKS auth method"); return false; } return true; } static bool recv_socks_reply(socket_descriptor_t sd, struct openvpn_sockaddr *addr, volatile int *signal_received) { char atyp = '\0'; int alen = 0; int len = 0; char buf[22]; const int timeout_sec = 5; if (addr != NULL) { addr->addr.in4.sin_family = AF_INET; addr->addr.in4.sin_addr.s_addr = htonl(INADDR_ANY); addr->addr.in4.sin_port = htons(0); } while (len < 4 + alen + 2) { int status; ssize_t size; fd_set reads; struct timeval tv; char c; FD_ZERO(&reads); openvpn_fd_set(sd, &reads); tv.tv_sec = timeout_sec; tv.tv_usec = 0; status = select(sd + 1, &reads, NULL, NULL, &tv); get_signal(signal_received); if (*signal_received) { return false; } /* timeout? */ if (status == 0) { msg(D_LINK_ERRORS | M_ERRNO, "recv_socks_reply: TCP port read timeout expired"); return false; } /* error */ if (status < 0) { msg(D_LINK_ERRORS | M_ERRNO, "recv_socks_reply: TCP port read failed on select()"); return false; } /* read single char */ size = recv(sd, &c, 1, MSG_NOSIGNAL); /* error? */ if (size != 1) { msg(D_LINK_ERRORS | M_ERRNO, "recv_socks_reply: TCP port read failed on recv()"); return false; } if (len == 3) { atyp = c; } if (len == 4) { switch (atyp) { case '\x01': /* IP V4 */ alen = 4; break; case '\x03': /* DOMAINNAME */ alen = (unsigned char) c; break; case '\x04': /* IP V6 */ alen = 16; break; default: msg(D_LINK_ERRORS, "recv_socks_reply: Socks proxy returned bad address type"); return false; } } /* store char in buffer */ if (len < (int)sizeof(buf)) { buf[len] = c; } ++len; } /* VER == 5 && REP == 0 (succeeded) */ if (buf[0] != '\x05' || buf[1] != '\x00') { msg(D_LINK_ERRORS, "recv_socks_reply: Socks proxy returned bad reply"); return false; } /* ATYP == 1 (IP V4 address) */ if (atyp == '\x01' && addr != NULL) { memcpy(&addr->addr.in4.sin_addr, buf + 4, sizeof(addr->addr.in4.sin_addr)); memcpy(&addr->addr.in4.sin_port, buf + 8, sizeof(addr->addr.in4.sin_port)); } return true; } static int port_from_servname(const char *servname) { int port = 0; port = atoi(servname); if (port >0 && port < 65536) { return port; } struct servent *service; service = getservbyname(servname, NULL); if (service) { return service->s_port; } return 0; } void establish_socks_proxy_passthru(struct socks_proxy_info *p, socket_descriptor_t sd, /* already open to proxy */ const char *host, /* openvpn server remote */ const char *servname, /* openvpn server port */ volatile int *signal_received) { char buf[128]; size_t len; if (!socks_handshake(p, sd, signal_received)) { goto error; } /* format Socks CONNECT message */ buf[0] = '\x05'; /* VER = 5 */ buf[1] = '\x01'; /* CMD = 1 (CONNECT) */ buf[2] = '\x00'; /* RSV */ buf[3] = '\x03'; /* ATYP = 3 (DOMAINNAME) */ len = strlen(host); len = (5 + len + 2 > sizeof(buf)) ? (sizeof(buf) - 5 - 2) : len; buf[4] = (char) len; memcpy(buf + 5, host, len); int port = port_from_servname(servname); if (port ==0) { msg(D_LINK_ERRORS, "establish_socks_proxy_passthrough: Cannot convert %s to port number", servname); goto error; } buf[5 + len] = (char) (port >> 8); buf[5 + len + 1] = (char) (port & 0xff); { const ssize_t size = send(sd, buf, 5 + len + 2, MSG_NOSIGNAL); if ((int)size != 5 + (int)len + 2) { msg(D_LINK_ERRORS | M_ERRNO, "establish_socks_proxy_passthru: TCP port write failed on send()"); goto error; } } /* receive reply from Socks proxy and discard */ if (!recv_socks_reply(sd, NULL, signal_received)) { goto error; } return; error: if (!*signal_received) { *signal_received = SIGUSR1; /* SOFT-SIGUSR1 -- socks error */ } return; } void establish_socks_proxy_udpassoc(struct socks_proxy_info *p, socket_descriptor_t ctrl_sd, /* already open to proxy */ socket_descriptor_t udp_sd, struct openvpn_sockaddr *relay_addr, volatile int *signal_received) { if (!socks_handshake(p, ctrl_sd, signal_received)) { goto error; } { /* send Socks UDP ASSOCIATE message */ /* VER = 5, CMD = 3 (UDP ASSOCIATE), RSV = 0, ATYP = 1 (IP V4), * BND.ADDR = 0, BND.PORT = 0 */ const ssize_t size = send(ctrl_sd, "\x05\x03\x00\x01\x00\x00\x00\x00\x00\x00", 10, MSG_NOSIGNAL); if (size != 10) { msg(D_LINK_ERRORS | M_ERRNO, "establish_socks_proxy_passthru: TCP port write failed on send()"); goto error; } } /* receive reply from Socks proxy */ CLEAR(*relay_addr); if (!recv_socks_reply(ctrl_sd, relay_addr, signal_received)) { goto error; } return; error: if (!*signal_received) { *signal_received = SIGUSR1; /* SOFT-SIGUSR1 -- socks error */ } return; } /* * Remove the 10 byte socks5 header from an incoming * UDP packet, setting *from to the source address. * * Run after UDP read. */ void socks_process_incoming_udp(struct buffer *buf, struct link_socket_actual *from) { int atyp; if (BLEN(buf) < 10) { goto error; } buf_read_u16(buf); if (buf_read_u8(buf) != 0) { goto error; } atyp = buf_read_u8(buf); if (atyp != 1) /* ATYP == 1 (IP V4) */ { goto error; } buf_read(buf, &from->dest.addr.in4.sin_addr, sizeof(from->dest.addr.in4.sin_addr)); buf_read(buf, &from->dest.addr.in4.sin_port, sizeof(from->dest.addr.in4.sin_port)); return; error: buf->len = 0; } /* * Add a 10 byte socks header prior to UDP write. * *to is the destination address. * * Run before UDP write. * Returns the size of the header. */ int socks_process_outgoing_udp(struct buffer *buf, const struct link_socket_actual *to) { /* * Get a 10 byte subset buffer prepended to buf -- * we expect these bytes will be here because * we allocated frame space in socks_adjust_frame_parameters. */ struct buffer head = buf_sub(buf, 10, true); /* crash if not enough headroom in buf */ ASSERT(buf_defined(&head)); buf_write_u16(&head, 0); /* RSV = 0 */ buf_write_u8(&head, 0); /* FRAG = 0 */ buf_write_u8(&head, '\x01'); /* ATYP = 1 (IP V4) */ buf_write(&head, &to->dest.addr.in4.sin_addr, sizeof(to->dest.addr.in4.sin_addr)); buf_write(&head, &to->dest.addr.in4.sin_port, sizeof(to->dest.addr.in4.sin_port)); return 10; } openvpn-2.4.4/src/openvpn/socks.h000066400000000000000000000052141316434344000167610ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ /* * 2004-01-30: Added Socks5 proxy support * (Christof Meerwald, http://cmeerw.org) */ #ifndef SOCKS_H #define SOCKS_H #include "buffer.h" struct openvpn_sockaddr; struct link_socket_actual; struct socks_proxy_info { bool defined; char server[128]; const char *port; char authfile[256]; }; void socks_adjust_frame_parameters(struct frame *frame, int proto); struct socks_proxy_info *socks_proxy_new(const char *server, const char *port, const char *authfile); void socks_proxy_close(struct socks_proxy_info *sp); void establish_socks_proxy_passthru(struct socks_proxy_info *p, socket_descriptor_t sd, /* already open to proxy */ const char *host, /* openvpn server remote */ const char *servname, /* openvpn server port */ volatile int *signal_received); void establish_socks_proxy_udpassoc(struct socks_proxy_info *p, socket_descriptor_t ctrl_sd, /* already open to proxy */ socket_descriptor_t udp_sd, struct openvpn_sockaddr *relay_addr, volatile int *signal_received); void socks_process_incoming_udp(struct buffer *buf, struct link_socket_actual *from); int socks_process_outgoing_udp(struct buffer *buf, const struct link_socket_actual *to); #endif /* ifndef SOCKS_H */ openvpn-2.4.4/src/openvpn/ssl.c000066400000000000000000003735541316434344000164520ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * Copyright (C) 2010-2017 Fox Crypto B.V. * Copyright (C) 2008-2013 David Sommerseth * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ /** * @file Control Channel SSL/Data channel negotiation Module */ /* * The routines in this file deal with dynamically negotiating * the data channel HMAC and cipher keys through a TLS session. * * Both the TLS session and the data channel are multiplexed * over the same TCP/UDP port. */ #ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) #include "config-msvc.h" #endif #include "syshead.h" #include "win32.h" #if defined(ENABLE_CRYPTO) #include "error.h" #include "common.h" #include "socket.h" #include "misc.h" #include "fdmisc.h" #include "interval.h" #include "perf.h" #include "status.h" #include "gremlin.h" #include "pkcs11.h" #include "route.h" #include "tls_crypt.h" #include "ssl.h" #include "ssl_verify.h" #include "ssl_backend.h" #include "memdbg.h" #ifndef ENABLE_OCC static const char ssl_default_options_string[] = "V0 UNDEF"; #endif static inline const char * local_options_string(const struct tls_session *session) { #ifdef ENABLE_OCC return session->opt->local_options; #else return ssl_default_options_string; #endif } #ifdef MEASURE_TLS_HANDSHAKE_STATS static int tls_handshake_success; /* GLOBAL */ static int tls_handshake_error; /* GLOBAL */ static int tls_packets_generated; /* GLOBAL */ static int tls_packets_sent; /* GLOBAL */ #define INCR_SENT ++tls_packets_sent #define INCR_GENERATED ++tls_packets_generated #define INCR_SUCCESS ++tls_handshake_success #define INCR_ERROR ++tls_handshake_error void show_tls_performance_stats(void) { msg(D_TLS_DEBUG_LOW, "TLS Handshakes, success=%f%% (good=%d, bad=%d), retransmits=%f%%", (double) tls_handshake_success / (tls_handshake_success + tls_handshake_error) * 100.0, tls_handshake_success, tls_handshake_error, (double) (tls_packets_sent - tls_packets_generated) / tls_packets_generated * 100.0); } #else /* ifdef MEASURE_TLS_HANDSHAKE_STATS */ #define INCR_SENT #define INCR_GENERATED #define INCR_SUCCESS #define INCR_ERROR #endif /* ifdef MEASURE_TLS_HANDSHAKE_STATS */ /** * SSL/TLS Cipher suite name translation table */ static const tls_cipher_name_pair tls_cipher_name_translation_table[] = { {"ADH-SEED-SHA", "TLS-DH-anon-WITH-SEED-CBC-SHA"}, {"AES128-GCM-SHA256", "TLS-RSA-WITH-AES-128-GCM-SHA256"}, {"AES128-SHA256", "TLS-RSA-WITH-AES-128-CBC-SHA256"}, {"AES128-SHA", "TLS-RSA-WITH-AES-128-CBC-SHA"}, {"AES256-GCM-SHA384", "TLS-RSA-WITH-AES-256-GCM-SHA384"}, {"AES256-SHA256", "TLS-RSA-WITH-AES-256-CBC-SHA256"}, {"AES256-SHA", "TLS-RSA-WITH-AES-256-CBC-SHA"}, {"CAMELLIA128-SHA256", "TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256"}, {"CAMELLIA128-SHA", "TLS-RSA-WITH-CAMELLIA-128-CBC-SHA"}, {"CAMELLIA256-SHA256", "TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256"}, {"CAMELLIA256-SHA", "TLS-RSA-WITH-CAMELLIA-256-CBC-SHA"}, {"DES-CBC3-SHA", "TLS-RSA-WITH-3DES-EDE-CBC-SHA"}, {"DES-CBC-SHA", "TLS-RSA-WITH-DES-CBC-SHA"}, {"DH-DSS-SEED-SHA", "TLS-DH-DSS-WITH-SEED-CBC-SHA"}, {"DHE-DSS-AES128-GCM-SHA256", "TLS-DHE-DSS-WITH-AES-128-GCM-SHA256"}, {"DHE-DSS-AES128-SHA256", "TLS-DHE-DSS-WITH-AES-128-CBC-SHA256"}, {"DHE-DSS-AES128-SHA", "TLS-DHE-DSS-WITH-AES-128-CBC-SHA"}, {"DHE-DSS-AES256-GCM-SHA384", "TLS-DHE-DSS-WITH-AES-256-GCM-SHA384"}, {"DHE-DSS-AES256-SHA256", "TLS-DHE-DSS-WITH-AES-256-CBC-SHA256"}, {"DHE-DSS-AES256-SHA", "TLS-DHE-DSS-WITH-AES-256-CBC-SHA"}, {"DHE-DSS-CAMELLIA128-SHA256", "TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256"}, {"DHE-DSS-CAMELLIA128-SHA", "TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA"}, {"DHE-DSS-CAMELLIA256-SHA256", "TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256"}, {"DHE-DSS-CAMELLIA256-SHA", "TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA"}, {"DHE-DSS-SEED-SHA", "TLS-DHE-DSS-WITH-SEED-CBC-SHA"}, {"DHE-RSA-AES128-GCM-SHA256", "TLS-DHE-RSA-WITH-AES-128-GCM-SHA256"}, {"DHE-RSA-AES128-SHA256", "TLS-DHE-RSA-WITH-AES-128-CBC-SHA256"}, {"DHE-RSA-AES128-SHA", "TLS-DHE-RSA-WITH-AES-128-CBC-SHA"}, {"DHE-RSA-AES256-GCM-SHA384", "TLS-DHE-RSA-WITH-AES-256-GCM-SHA384"}, {"DHE-RSA-AES256-SHA256", "TLS-DHE-RSA-WITH-AES-256-CBC-SHA256"}, {"DHE-RSA-AES256-SHA", "TLS-DHE-RSA-WITH-AES-256-CBC-SHA"}, {"DHE-RSA-CAMELLIA128-SHA256", "TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256"}, {"DHE-RSA-CAMELLIA128-SHA", "TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA"}, {"DHE-RSA-CAMELLIA256-SHA256", "TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256"}, {"DHE-RSA-CAMELLIA256-SHA", "TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA"}, {"DHE-RSA-CHACHA20-POLY1305", "TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256"}, {"DHE-RSA-SEED-SHA", "TLS-DHE-RSA-WITH-SEED-CBC-SHA"}, {"DH-RSA-SEED-SHA", "TLS-DH-RSA-WITH-SEED-CBC-SHA"}, {"ECDH-ECDSA-AES128-GCM-SHA256", "TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256"}, {"ECDH-ECDSA-AES128-SHA256", "TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA256"}, {"ECDH-ECDSA-AES128-SHA", "TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA"}, {"ECDH-ECDSA-AES256-GCM-SHA384", "TLS-ECDH-ECDSA-WITH-AES-256-GCM-SHA384"}, {"ECDH-ECDSA-AES256-SHA256", "TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA256"}, {"ECDH-ECDSA-AES256-SHA384", "TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA384"}, {"ECDH-ECDSA-AES256-SHA", "TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA"}, {"ECDH-ECDSA-CAMELLIA128-SHA256", "TLS-ECDH-ECDSA-WITH-CAMELLIA-128-CBC-SHA256"}, {"ECDH-ECDSA-CAMELLIA128-SHA", "TLS-ECDH-ECDSA-WITH-CAMELLIA-128-CBC-SHA"}, {"ECDH-ECDSA-CAMELLIA256-SHA256", "TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA256"}, {"ECDH-ECDSA-CAMELLIA256-SHA", "TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA"}, {"ECDH-ECDSA-DES-CBC3-SHA", "TLS-ECDH-ECDSA-WITH-3DES-EDE-CBC-SHA"}, {"ECDH-ECDSA-DES-CBC-SHA", "TLS-ECDH-ECDSA-WITH-DES-CBC-SHA"}, {"ECDH-ECDSA-RC4-SHA", "TLS-ECDH-ECDSA-WITH-RC4-128-SHA"}, {"ECDHE-ECDSA-AES128-GCM-SHA256", "TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256"}, {"ECDHE-ECDSA-AES128-SHA256", "TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256"}, {"ECDHE-ECDSA-AES128-SHA384", "TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA384"}, {"ECDHE-ECDSA-AES128-SHA", "TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA"}, {"ECDHE-ECDSA-AES256-GCM-SHA384", "TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384"}, {"ECDHE-ECDSA-AES256-SHA256", "TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA256"}, {"ECDHE-ECDSA-AES256-SHA384", "TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384"}, {"ECDHE-ECDSA-AES256-SHA", "TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA"}, {"ECDHE-ECDSA-CAMELLIA128-SHA256", "TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-CBC-SHA256"}, {"ECDHE-ECDSA-CAMELLIA128-SHA", "TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-CBC-SHA"}, {"ECDHE-ECDSA-CAMELLIA256-SHA256", "TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-CBC-SHA256"}, {"ECDHE-ECDSA-CAMELLIA256-SHA", "TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-CBC-SHA"}, {"ECDHE-ECDSA-CHACHA20-POLY1305", "TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256"}, {"ECDHE-ECDSA-DES-CBC3-SHA", "TLS-ECDHE-ECDSA-WITH-3DES-EDE-CBC-SHA"}, {"ECDHE-ECDSA-DES-CBC-SHA", "TLS-ECDHE-ECDSA-WITH-DES-CBC-SHA"}, {"ECDHE-ECDSA-RC4-SHA", "TLS-ECDHE-ECDSA-WITH-RC4-128-SHA"}, {"ECDHE-RSA-AES128-GCM-SHA256", "TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256"}, {"ECDHE-RSA-AES128-SHA256", "TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256"}, {"ECDHE-RSA-AES128-SHA384", "TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA384"}, {"ECDHE-RSA-AES128-SHA", "TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA"}, {"ECDHE-RSA-AES256-GCM-SHA384", "TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384"}, {"ECDHE-RSA-AES256-SHA256", "TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA256"}, {"ECDHE-RSA-AES256-SHA384", "TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384"}, {"ECDHE-RSA-AES256-SHA", "TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA"}, {"ECDHE-RSA-CAMELLIA128-SHA256", "TLS-ECDHE-RSA-WITH-CAMELLIA-128-CBC-SHA256"}, {"ECDHE-RSA-CAMELLIA128-SHA", "TLS-ECDHE-RSA-WITH-CAMELLIA-128-CBC-SHA"}, {"ECDHE-RSA-CAMELLIA256-SHA256", "TLS-ECDHE-RSA-WITH-CAMELLIA-256-CBC-SHA256"}, {"ECDHE-RSA-CAMELLIA256-SHA", "TLS-ECDHE-RSA-WITH-CAMELLIA-256-CBC-SHA"}, {"ECDHE-RSA-CHACHA20-POLY1305", "TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256"}, {"ECDHE-RSA-DES-CBC3-SHA", "TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA"}, {"ECDHE-RSA-DES-CBC-SHA", "TLS-ECDHE-RSA-WITH-DES-CBC-SHA"}, {"ECDHE-RSA-RC4-SHA", "TLS-ECDHE-RSA-WITH-RC4-128-SHA"}, {"ECDH-RSA-AES128-GCM-SHA256", "TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256"}, {"ECDH-RSA-AES128-SHA256", "TLS-ECDH-RSA-WITH-AES-128-CBC-SHA256"}, {"ECDH-RSA-AES128-SHA384", "TLS-ECDH-RSA-WITH-AES-128-CBC-SHA384"}, {"ECDH-RSA-AES128-SHA", "TLS-ECDH-RSA-WITH-AES-128-CBC-SHA"}, {"ECDH-RSA-AES256-GCM-SHA384", "TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384"}, {"ECDH-RSA-AES256-SHA256", "TLS-ECDH-RSA-WITH-AES-256-CBC-SHA256"}, {"ECDH-RSA-AES256-SHA384", "TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384"}, {"ECDH-RSA-AES256-SHA", "TLS-ECDH-RSA-WITH-AES-256-CBC-SHA"}, {"ECDH-RSA-CAMELLIA128-SHA256", "TLS-ECDH-RSA-WITH-CAMELLIA-128-CBC-SHA256"}, {"ECDH-RSA-CAMELLIA128-SHA", "TLS-ECDH-RSA-WITH-CAMELLIA-128-CBC-SHA"}, {"ECDH-RSA-CAMELLIA256-SHA256", "TLS-ECDH-RSA-WITH-CAMELLIA-256-CBC-SHA256"}, {"ECDH-RSA-CAMELLIA256-SHA", "TLS-ECDH-RSA-WITH-CAMELLIA-256-CBC-SHA"}, {"ECDH-RSA-DES-CBC3-SHA", "TLS-ECDH-RSA-WITH-3DES-EDE-CBC-SHA"}, {"ECDH-RSA-DES-CBC-SHA", "TLS-ECDH-RSA-WITH-DES-CBC-SHA"}, {"ECDH-RSA-RC4-SHA", "TLS-ECDH-RSA-WITH-RC4-128-SHA"}, {"EDH-DSS-DES-CBC3-SHA", "TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA"}, {"EDH-DSS-DES-CBC-SHA", "TLS-DHE-DSS-WITH-DES-CBC-SHA"}, {"EDH-RSA-DES-CBC3-SHA", "TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA"}, {"EDH-RSA-DES-CBC-SHA", "TLS-DHE-RSA-WITH-DES-CBC-SHA"}, {"EXP-DES-CBC-SHA", "TLS-RSA-EXPORT-WITH-DES40-CBC-SHA"}, {"EXP-EDH-DSS-DES-CBC-SHA", "TLS-DH-DSS-EXPORT-WITH-DES40-CBC-SHA"}, {"EXP-EDH-RSA-DES-CBC-SHA", "TLS-DH-RSA-EXPORT-WITH-DES40-CBC-SHA"}, {"EXP-RC2-CBC-MD5", "TLS-RSA-EXPORT-WITH-RC2-CBC-40-MD5"}, {"EXP-RC4-MD5", "TLS-RSA-EXPORT-WITH-RC4-40-MD5"}, {"NULL-MD5", "TLS-RSA-WITH-NULL-MD5"}, {"NULL-SHA256", "TLS-RSA-WITH-NULL-SHA256"}, {"NULL-SHA", "TLS-RSA-WITH-NULL-SHA"}, {"PSK-3DES-EDE-CBC-SHA", "TLS-PSK-WITH-3DES-EDE-CBC-SHA"}, {"PSK-AES128-CBC-SHA", "TLS-PSK-WITH-AES-128-CBC-SHA"}, {"PSK-AES256-CBC-SHA", "TLS-PSK-WITH-AES-256-CBC-SHA"}, {"PSK-RC4-SHA", "TLS-PSK-WITH-RC4-128-SHA"}, {"RC4-MD5", "TLS-RSA-WITH-RC4-128-MD5"}, {"RC4-SHA", "TLS-RSA-WITH-RC4-128-SHA"}, {"SEED-SHA", "TLS-RSA-WITH-SEED-CBC-SHA"}, {"SRP-DSS-3DES-EDE-CBC-SHA", "TLS-SRP-SHA-DSS-WITH-3DES-EDE-CBC-SHA"}, {"SRP-DSS-AES-128-CBC-SHA", "TLS-SRP-SHA-DSS-WITH-AES-128-CBC-SHA"}, {"SRP-DSS-AES-256-CBC-SHA", "TLS-SRP-SHA-DSS-WITH-AES-256-CBC-SHA"}, {"SRP-RSA-3DES-EDE-CBC-SHA", "TLS-SRP-SHA-RSA-WITH-3DES-EDE-CBC-SHA"}, {"SRP-RSA-AES-128-CBC-SHA", "TLS-SRP-SHA-RSA-WITH-AES-128-CBC-SHA"}, {"SRP-RSA-AES-256-CBC-SHA", "TLS-SRP-SHA-RSA-WITH-AES-256-CBC-SHA"}, #ifdef ENABLE_CRYPTO_OPENSSL /* OpenSSL-specific group names */ {"DEFAULT", "DEFAULT"}, {"ALL", "ALL"}, {"HIGH", "HIGH"}, {"!HIGH", "!HIGH"}, {"MEDIUM", "MEDIUM"}, {"!MEDIUM", "!MEDIUM"}, {"LOW", "LOW"}, {"!LOW", "!LOW"}, {"ECDH", "ECDH"}, {"!ECDH", "!ECDH"}, {"ECDSA", "ECDSA"}, {"!ECDSA", "!ECDSA"}, {"EDH", "EDH"}, {"!EDH", "!EDH"}, {"EXP", "EXP"}, {"!EXP", "!EXP"}, {"RSA", "RSA"}, {"!RSA", "!RSA"}, {"kRSA", "kRSA"}, {"!kRSA", "!kRSA"}, {"SRP", "SRP"}, {"!SRP", "!SRP"}, #endif {NULL, NULL} }; /** * Update the implicit IV for a key_ctx_bi based on TLS session ids and cipher * used. * * Note that the implicit IV is based on the HMAC key, but only in AEAD modes * where the HMAC key is not used for an actual HMAC. * * @param ctx Encrypt/decrypt key context * @param key HMAC key, used to calculate implicit IV * @param key_len HMAC key length */ static void key_ctx_update_implicit_iv(struct key_ctx *ctx, uint8_t *key, size_t key_len); const tls_cipher_name_pair * tls_get_cipher_name_pair(const char *cipher_name, size_t len) { const tls_cipher_name_pair *pair = tls_cipher_name_translation_table; while (pair->openssl_name != NULL) { if ((strlen(pair->openssl_name) == len && 0 == memcmp(cipher_name, pair->openssl_name, len)) || (strlen(pair->iana_name) == len && 0 == memcmp(cipher_name, pair->iana_name, len))) { return pair; } pair++; } /* No entry found, return NULL */ return NULL; } /** * Limit the reneg_bytes value when using a small-block (<128 bytes) cipher. * * @param cipher The current cipher (may be NULL). * @param reneg_bytes Pointer to the current reneg_bytes, updated if needed. * May *not* be NULL. */ static void tls_limit_reneg_bytes(const cipher_kt_t *cipher, int *reneg_bytes) { if (cipher && (cipher_kt_block_size(cipher) < 128/8)) { if (*reneg_bytes == -1) /* Not user-specified */ { msg(M_WARN, "WARNING: cipher with small block size in use, " "reducing reneg-bytes to 64MB to mitigate SWEET32 attacks."); *reneg_bytes = 64 * 1024 * 1024; } } } /* * Max number of bytes we will add * for data structures common to both * data and control channel packets. * (opcode only). */ void tls_adjust_frame_parameters(struct frame *frame) { frame_add_to_extra_frame(frame, 1); /* space for opcode */ } /* * Max number of bytes we will add * to control channel packet. */ static void tls_init_control_channel_frame_parameters(const struct frame *data_channel_frame, struct frame *frame) { /* * frame->extra_frame is already initialized with tls_auth buffer requirements, * if --tls-auth is enabled. */ /* inherit link MTU and extra_link from data channel */ frame->link_mtu = data_channel_frame->link_mtu; frame->extra_link = data_channel_frame->extra_link; /* set extra_frame */ tls_adjust_frame_parameters(frame); reliable_ack_adjust_frame_parameters(frame, CONTROL_SEND_ACK_MAX); frame_add_to_extra_frame(frame, SID_SIZE + sizeof(packet_id_type)); /* set dynamic link MTU to cap control channel packets at 1250 bytes */ ASSERT(TUN_LINK_DELTA(frame) < min_int(frame->link_mtu, 1250)); frame->link_mtu_dynamic = min_int(frame->link_mtu, 1250) - TUN_LINK_DELTA(frame); } void init_ssl_lib(void) { tls_init_lib(); crypto_init_lib(); } void free_ssl_lib(void) { crypto_uninit_lib(); prng_uninit(); tls_free_lib(); } /* * OpenSSL library calls pem_password_callback if the * private key is protected by a password. */ static struct user_pass passbuf; /* GLOBAL */ void pem_password_setup(const char *auth_file) { if (!strlen(passbuf.password)) { get_user_pass(&passbuf, auth_file, UP_TYPE_PRIVATE_KEY, GET_USER_PASS_MANAGEMENT|GET_USER_PASS_PASSWORD_ONLY); } } int pem_password_callback(char *buf, int size, int rwflag, void *u) { if (buf) { /* prompt for password even if --askpass wasn't specified */ pem_password_setup(NULL); strncpynt(buf, passbuf.password, size); purge_user_pass(&passbuf, false); return strlen(buf); } return 0; } /* * Auth username/password handling */ static bool auth_user_pass_enabled; /* GLOBAL */ static struct user_pass auth_user_pass; /* GLOBAL */ #ifdef ENABLE_CLIENT_CR static char *auth_challenge; /* GLOBAL */ #endif void auth_user_pass_setup(const char *auth_file, const struct static_challenge_info *sci) { auth_user_pass_enabled = true; if (!auth_user_pass.defined) { #if AUTO_USERID get_user_pass_auto_userid(&auth_user_pass, auth_file); #else #ifdef ENABLE_CLIENT_CR if (auth_challenge) /* dynamic challenge/response */ { get_user_pass_cr(&auth_user_pass, auth_file, UP_TYPE_AUTH, GET_USER_PASS_MANAGEMENT|GET_USER_PASS_DYNAMIC_CHALLENGE, auth_challenge); } else if (sci) /* static challenge response */ { int flags = GET_USER_PASS_MANAGEMENT|GET_USER_PASS_STATIC_CHALLENGE; if (sci->flags & SC_ECHO) { flags |= GET_USER_PASS_STATIC_CHALLENGE_ECHO; } get_user_pass_cr(&auth_user_pass, auth_file, UP_TYPE_AUTH, flags, sci->challenge_text); } else #endif /* ifdef ENABLE_CLIENT_CR */ get_user_pass(&auth_user_pass, auth_file, UP_TYPE_AUTH, GET_USER_PASS_MANAGEMENT); #endif /* if AUTO_USERID */ } } /* * Disable password caching */ void ssl_set_auth_nocache(void) { passbuf.nocache = true; auth_user_pass.nocache = true; /* wait for push-reply, because auth-token may invert nocache */ auth_user_pass.wait_for_push = true; } /* * Set an authentication token */ void ssl_set_auth_token(const char *token) { if (auth_user_pass.nocache) { msg(M_INFO, "auth-token received, disabling auth-nocache for the " "authentication token"); auth_user_pass.nocache = false; } set_auth_token(&auth_user_pass, token); } /* * Forget private key password AND auth-user-pass username/password. */ void ssl_purge_auth(const bool auth_user_pass_only) { if (!auth_user_pass_only) { #ifdef ENABLE_PKCS11 pkcs11_logout(); #endif purge_user_pass(&passbuf, true); } purge_user_pass(&auth_user_pass, true); #ifdef ENABLE_CLIENT_CR ssl_purge_auth_challenge(); #endif } #ifdef ENABLE_CLIENT_CR void ssl_purge_auth_challenge(void) { free(auth_challenge); auth_challenge = NULL; } void ssl_put_auth_challenge(const char *cr_str) { ssl_purge_auth_challenge(); auth_challenge = string_alloc(cr_str, NULL); } #endif /* * Parse a TLS version string, returning a TLS_VER_x constant. * If version string is not recognized and extra == "or-highest", * return tls_version_max(). */ int tls_version_parse(const char *vstr, const char *extra) { const int max_version = tls_version_max(); if (!strcmp(vstr, "1.0") && TLS_VER_1_0 <= max_version) { return TLS_VER_1_0; } else if (!strcmp(vstr, "1.1") && TLS_VER_1_1 <= max_version) { return TLS_VER_1_1; } else if (!strcmp(vstr, "1.2") && TLS_VER_1_2 <= max_version) { return TLS_VER_1_2; } else if (extra && !strcmp(extra, "or-highest")) { return max_version; } else { return TLS_VER_BAD; } } /** * Load (or possibly reload) the CRL file into the SSL context. * No reload is performed under the following conditions: * - the CRL file was passed inline * - the CRL file was not modified since the last (re)load * * @param ssl_ctx The TLS context to use when reloading the CRL * @param crl_file The file name to load the CRL from, or * "[[INLINE]]" in the case of inline files. * @param crl_inline A string containing the CRL */ static void tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx, const char *crl_file, const char *crl_file_inline) { /* if something goes wrong with stat(), we'll store 0 as mtime */ platform_stat_t crl_stat = {0}; /* * an inline CRL can't change at runtime, therefore there is no need to * reload it. It will be reloaded upon config change + SIGHUP. * Use always '1' as dummy timestamp in this case: it will trigger the * first load, but will prevent any future reload. */ if (crl_file_inline) { crl_stat.st_mtime = 1; } else if (platform_stat(crl_file, &crl_stat) < 0) { msg(M_WARN, "WARNING: Failed to stat CRL file, not (re)loading CRL."); return; } /* * Store the CRL if this is the first time or if the file was changed since * the last load. * Note: Windows does not support tv_nsec. */ if ((ssl_ctx->crl_last_size == crl_stat.st_size) && (ssl_ctx->crl_last_mtime == crl_stat.st_mtime)) { return; } ssl_ctx->crl_last_mtime = crl_stat.st_mtime; ssl_ctx->crl_last_size = crl_stat.st_size; backend_tls_ctx_reload_crl(ssl_ctx, crl_file, crl_file_inline); } /* * Initialize SSL context. * All files are in PEM format. */ void init_ssl(const struct options *options, struct tls_root_ctx *new_ctx) { ASSERT(NULL != new_ctx); tls_clear_error(); if (options->tls_server) { tls_ctx_server_new(new_ctx); if (options->dh_file) { tls_ctx_load_dh_params(new_ctx, options->dh_file, options->dh_file_inline); } } else /* if client */ { tls_ctx_client_new(new_ctx); } /* Allowable ciphers */ /* Since @SECLEVEL also influces loading of certificates, set the * cipher restrictions before loading certificates */ tls_ctx_restrict_ciphers(new_ctx, options->cipher_list); tls_ctx_set_options(new_ctx, options->ssl_flags); if (options->pkcs12_file) { if (0 != tls_ctx_load_pkcs12(new_ctx, options->pkcs12_file, options->pkcs12_file_inline, !options->ca_file)) { goto err; } } #ifdef ENABLE_PKCS11 else if (options->pkcs11_providers[0]) { if (!tls_ctx_use_pkcs11(new_ctx, options->pkcs11_id_management, options->pkcs11_id)) { msg(M_WARN, "Cannot load certificate \"%s\" using PKCS#11 interface", options->pkcs11_id); goto err; } } #endif #ifdef ENABLE_CRYPTOAPI else if (options->cryptoapi_cert) { tls_ctx_load_cryptoapi(new_ctx, options->cryptoapi_cert); } #endif #ifdef MANAGMENT_EXTERNAL_KEY else if ((options->management_flags & MF_EXTERNAL_KEY) && (options->cert_file || options->management_flags & MF_EXTERNAL_CERT)) { if (options->cert_file) { tls_ctx_use_external_private_key(new_ctx, options->cert_file, options->cert_file_inline); } else { char *external_certificate = management_query_cert(management, options->management_certificate); tls_ctx_use_external_private_key(new_ctx, INLINE_FILE_TAG, external_certificate); free(external_certificate); } } #endif else { /* Load Certificate */ if (options->cert_file) { tls_ctx_load_cert_file(new_ctx, options->cert_file, options->cert_file_inline); } /* Load Private Key */ if (options->priv_key_file) { if (0 != tls_ctx_load_priv_file(new_ctx, options->priv_key_file, options->priv_key_file_inline)) { goto err; } } } if (options->ca_file || options->ca_path) { tls_ctx_load_ca(new_ctx, options->ca_file, options->ca_file_inline, options->ca_path, options->tls_server); } /* Load extra certificates that are part of our own certificate * chain but shouldn't be included in the verify chain */ if (options->extra_certs_file) { tls_ctx_load_extra_certs(new_ctx, options->extra_certs_file, options->extra_certs_file_inline); } /* Check certificate notBefore and notAfter */ tls_ctx_check_cert_time(new_ctx); /* Read CRL */ if (options->crl_file && !(options->ssl_flags & SSLF_CRL_VERIFY_DIR)) { tls_ctx_reload_crl(new_ctx, options->crl_file, options->crl_file_inline); } /* Once keys and cert are loaded, load ECDH parameters */ if (options->tls_server) { tls_ctx_load_ecdh_params(new_ctx, options->ecdh_curve); } #ifdef ENABLE_CRYPTO_MBEDTLS /* Personalise the random by mixing in the certificate */ tls_ctx_personalise_random(new_ctx); #endif tls_clear_error(); return; err: tls_clear_error(); tls_ctx_free(new_ctx); return; } /* * Map internal constants to ascii names. */ static const char * state_name(int state) { switch (state) { case S_UNDEF: return "S_UNDEF"; case S_INITIAL: return "S_INITIAL"; case S_PRE_START: return "S_PRE_START"; case S_START: return "S_START"; case S_SENT_KEY: return "S_SENT_KEY"; case S_GOT_KEY: return "S_GOT_KEY"; case S_ACTIVE: return "S_ACTIVE"; case S_NORMAL_OP: return "S_NORMAL_OP"; case S_ERROR: return "S_ERROR"; default: return "S_???"; } } static const char * packet_opcode_name(int op) { switch (op) { case P_CONTROL_HARD_RESET_CLIENT_V1: return "P_CONTROL_HARD_RESET_CLIENT_V1"; case P_CONTROL_HARD_RESET_SERVER_V1: return "P_CONTROL_HARD_RESET_SERVER_V1"; case P_CONTROL_HARD_RESET_CLIENT_V2: return "P_CONTROL_HARD_RESET_CLIENT_V2"; case P_CONTROL_HARD_RESET_SERVER_V2: return "P_CONTROL_HARD_RESET_SERVER_V2"; case P_CONTROL_SOFT_RESET_V1: return "P_CONTROL_SOFT_RESET_V1"; case P_CONTROL_V1: return "P_CONTROL_V1"; case P_ACK_V1: return "P_ACK_V1"; case P_DATA_V1: return "P_DATA_V1"; case P_DATA_V2: return "P_DATA_V2"; default: return "P_???"; } } static const char * session_index_name(int index) { switch (index) { case TM_ACTIVE: return "TM_ACTIVE"; case TM_UNTRUSTED: return "TM_UNTRUSTED"; case TM_LAME_DUCK: return "TM_LAME_DUCK"; default: return "TM_???"; } } /* * For debugging. */ static const char * print_key_id(struct tls_multi *multi, struct gc_arena *gc) { int i; struct buffer out = alloc_buf_gc(256, gc); for (i = 0; i < KEY_SCAN_SIZE; ++i) { struct key_state *ks = multi->key_scan[i]; buf_printf(&out, " [key#%d state=%s id=%d sid=%s]", i, state_name(ks->state), ks->key_id, session_id_print(&ks->session_id_remote, gc)); } return BSTR(&out); } bool is_hard_reset(int op, int key_method) { if (!key_method || key_method == 1) { if (op == P_CONTROL_HARD_RESET_CLIENT_V1 || op == P_CONTROL_HARD_RESET_SERVER_V1) { return true; } } if (!key_method || key_method >= 2) { if (op == P_CONTROL_HARD_RESET_CLIENT_V2 || op == P_CONTROL_HARD_RESET_SERVER_V2) { return true; } } return false; } /** @addtogroup control_processor * @{ */ /** @name Functions for initialization and cleanup of key_state structures * @{ */ /** * Initialize a \c key_state structure. * @ingroup control_processor * * This function initializes a \c key_state structure associated with a \c * tls_session. It sets up the structure's SSL-BIO, sets the object's \c * key_state.state to \c S_INITIAL, and sets the session ID and key ID two * appropriate values based on the \c tls_session's internal state. It * also initializes a new set of structures for the \link reliable * Reliability Layer\endlink. * * @param session - A pointer to the \c tls_session structure * associated with the \a ks argument. * @param ks - A pointer to the \c key_state structure to be * initialized. This structure should already have * been allocated before calling this function. */ static void key_state_init(struct tls_session *session, struct key_state *ks) { update_time(); CLEAR(*ks); /* * Build TLS object that reads/writes ciphertext * to/from memory BIOs. */ key_state_ssl_init(&ks->ks_ssl, &session->opt->ssl_ctx, session->opt->server, session); /* Set control-channel initiation mode */ ks->initial_opcode = session->initial_opcode; session->initial_opcode = P_CONTROL_SOFT_RESET_V1; ks->state = S_INITIAL; ks->key_id = session->key_id; /* * key_id increments to KEY_ID_MASK then recycles back to 1. * This way you know that if key_id is 0, it is the first key. */ ++session->key_id; session->key_id &= P_KEY_ID_MASK; if (!session->key_id) { session->key_id = 1; } /* allocate key source material object */ ALLOC_OBJ_CLEAR(ks->key_src, struct key_source2); /* allocate reliability objects */ ALLOC_OBJ_CLEAR(ks->send_reliable, struct reliable); ALLOC_OBJ_CLEAR(ks->rec_reliable, struct reliable); ALLOC_OBJ_CLEAR(ks->rec_ack, struct reliable_ack); /* allocate buffers */ ks->plaintext_read_buf = alloc_buf(TLS_CHANNEL_BUF_SIZE); ks->plaintext_write_buf = alloc_buf(TLS_CHANNEL_BUF_SIZE); ks->ack_write_buf = alloc_buf(BUF_SIZE(&session->opt->frame)); reliable_init(ks->send_reliable, BUF_SIZE(&session->opt->frame), FRAME_HEADROOM(&session->opt->frame), TLS_RELIABLE_N_SEND_BUFFERS, ks->key_id ? false : session->opt->xmit_hold); reliable_init(ks->rec_reliable, BUF_SIZE(&session->opt->frame), FRAME_HEADROOM(&session->opt->frame), TLS_RELIABLE_N_REC_BUFFERS, false); reliable_set_timeout(ks->send_reliable, session->opt->packet_timeout); /* init packet ID tracker */ if (session->opt->replay) { packet_id_init(&ks->crypto_options.packet_id, session->opt->replay_window, session->opt->replay_time, "SSL", ks->key_id); } ks->crypto_options.pid_persist = NULL; #ifdef MANAGEMENT_DEF_AUTH ks->mda_key_id = session->opt->mda_context->mda_key_id_counter++; #endif } /** * Cleanup a \c key_state structure. * @ingroup control_processor * * This function cleans up a \c key_state structure. It frees the * associated SSL-BIO, and the structures allocated for the \link reliable * Reliability Layer\endlink. * * @param ks - A pointer to the \c key_state structure to be * cleaned up. * @param clear - Whether the memory allocated for the \a ks object * should be overwritten with 0s. */ static void key_state_free(struct key_state *ks, bool clear) { ks->state = S_UNDEF; key_state_ssl_free(&ks->ks_ssl); free_key_ctx_bi(&ks->crypto_options.key_ctx_bi); free_buf(&ks->plaintext_read_buf); free_buf(&ks->plaintext_write_buf); free_buf(&ks->ack_write_buf); buffer_list_free(ks->paybuf); if (ks->send_reliable) { reliable_free(ks->send_reliable); free(ks->send_reliable); } if (ks->rec_reliable) { reliable_free(ks->rec_reliable); free(ks->rec_reliable); } if (ks->rec_ack) { free(ks->rec_ack); } if (ks->key_src) { free(ks->key_src); } packet_id_free(&ks->crypto_options.packet_id); #ifdef PLUGIN_DEF_AUTH key_state_rm_auth_control_file(ks); #endif if (clear) { secure_memzero(ks, sizeof(*ks)); } } /** @} name Functions for initialization and cleanup of key_state structures */ /** @} addtogroup control_processor */ /** * Returns whether or not the server should check for username/password * * @param session The current TLS session * * @return true if username and password verification is enabled, * false if not. */ static inline bool tls_session_user_pass_enabled(struct tls_session *session) { return (session->opt->auth_user_pass_verify_script || plugin_defined(session->opt->plugins, OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY) #ifdef MANAGEMENT_DEF_AUTH || management_enable_def_auth(management) #endif ); } /** @addtogroup control_processor * @{ */ /** @name Functions for initialization and cleanup of tls_session structures * @{ */ /** * Initialize a \c tls_session structure. * @ingroup control_processor * * This function initializes a \c tls_session structure. This includes * generating a random session ID, and initializing the \c KS_PRIMARY \c * key_state in the \c tls_session.key array. * * @param multi - A pointer to the \c tls_multi structure * associated with the \a session argument. * @param session - A pointer to the \c tls_session structure to be * initialized. This structure should already have * been allocated before calling this function. */ static void tls_session_init(struct tls_multi *multi, struct tls_session *session) { struct gc_arena gc = gc_new(); dmsg(D_TLS_DEBUG, "TLS: tls_session_init: entry"); CLEAR(*session); /* Set options data to point to parent's option structure */ session->opt = &multi->opt; /* Randomize session # if it is 0 */ while (!session_id_defined(&session->session_id)) { session_id_random(&session->session_id); } /* Are we a TLS server or client? */ ASSERT(session->opt->key_method >= 1); if (session->opt->key_method == 1) { session->initial_opcode = session->opt->server ? P_CONTROL_HARD_RESET_SERVER_V1 : P_CONTROL_HARD_RESET_CLIENT_V1; } else /* session->opt->key_method >= 2 */ { session->initial_opcode = session->opt->server ? P_CONTROL_HARD_RESET_SERVER_V2 : P_CONTROL_HARD_RESET_CLIENT_V2; } /* Initialize control channel authentication parameters */ session->tls_wrap = session->opt->tls_wrap; session->tls_wrap.work = alloc_buf(BUF_SIZE(&session->opt->frame)); /* initialize packet ID replay window for --tls-auth */ packet_id_init(&session->tls_wrap.opt.packet_id, session->opt->replay_window, session->opt->replay_time, "TLS_WRAP", session->key_id); /* load most recent packet-id to replay protect on --tls-auth */ packet_id_persist_load_obj(session->tls_wrap.opt.pid_persist, &session->tls_wrap.opt.packet_id); key_state_init(session, &session->key[KS_PRIMARY]); dmsg(D_TLS_DEBUG, "TLS: tls_session_init: new session object, sid=%s", session_id_print(&session->session_id, &gc)); gc_free(&gc); } /** * Clean up a \c tls_session structure. * @ingroup control_processor * * This function cleans up a \c tls_session structure. This includes * cleaning up all associated \c key_state structures. * * @param session - A pointer to the \c tls_session structure to be * cleaned up. * @param clear - Whether the memory allocated for the \a session * object should be overwritten with 0s. */ static void tls_session_free(struct tls_session *session, bool clear) { int i; if (packet_id_initialized(&session->tls_wrap.opt.packet_id)) { packet_id_free(&session->tls_wrap.opt.packet_id); } free_buf(&session->tls_wrap.work); for (i = 0; i < KS_SIZE; ++i) { key_state_free(&session->key[i], false); } if (session->common_name) { free(session->common_name); } cert_hash_free(session->cert_hash_set); if (clear) { secure_memzero(session, sizeof(*session)); } } /** @} name Functions for initialization and cleanup of tls_session structures */ /** @} addtogroup control_processor */ static void move_session(struct tls_multi *multi, int dest, int src, bool reinit_src) { msg(D_TLS_DEBUG_LOW, "TLS: move_session: dest=%s src=%s reinit_src=%d", session_index_name(dest), session_index_name(src), reinit_src); ASSERT(src != dest); ASSERT(src >= 0 && src < TM_SIZE); ASSERT(dest >= 0 && dest < TM_SIZE); tls_session_free(&multi->session[dest], false); multi->session[dest] = multi->session[src]; if (reinit_src) { tls_session_init(multi, &multi->session[src]); } else { secure_memzero(&multi->session[src], sizeof(multi->session[src])); } dmsg(D_TLS_DEBUG, "TLS: move_session: exit"); } static void reset_session(struct tls_multi *multi, struct tls_session *session) { tls_session_free(session, false); tls_session_init(multi, session); } /* * Used to determine in how many seconds we should be * called again. */ static inline void compute_earliest_wakeup(interval_t *earliest, interval_t seconds_from_now) { if (seconds_from_now < *earliest) { *earliest = seconds_from_now; } if (*earliest < 0) { *earliest = 0; } } /* * Return true if "lame duck" or retiring key has expired and can * no longer be used. */ static inline bool lame_duck_must_die(const struct tls_session *session, interval_t *wakeup) { const struct key_state *lame = &session->key[KS_LAME_DUCK]; if (lame->state >= S_INITIAL) { const time_t local_now = now; ASSERT(lame->must_die); /* a lame duck key must always have an expiration */ if (local_now < lame->must_die) { compute_earliest_wakeup(wakeup, lame->must_die - local_now); return false; } else { return true; } } else if (lame->state == S_ERROR) { return true; } else { return false; } } struct tls_multi * tls_multi_init(struct tls_options *tls_options) { struct tls_multi *ret; ALLOC_OBJ_CLEAR(ret, struct tls_multi); /* get command line derived options */ ret->opt = *tls_options; /* set up list of keys to be scanned by data channel encrypt and decrypt routines */ ASSERT(SIZE(ret->key_scan) == 3); ret->key_scan[0] = &ret->session[TM_ACTIVE].key[KS_PRIMARY]; ret->key_scan[1] = &ret->session[TM_ACTIVE].key[KS_LAME_DUCK]; ret->key_scan[2] = &ret->session[TM_LAME_DUCK].key[KS_LAME_DUCK]; /* By default not use P_DATA_V2 */ ret->use_peer_id = false; return ret; } void tls_multi_init_finalize(struct tls_multi *multi, const struct frame *frame) { tls_init_control_channel_frame_parameters(frame, &multi->opt.frame); /* initialize the active and untrusted sessions */ tls_session_init(multi, &multi->session[TM_ACTIVE]); if (!multi->opt.single_session) { tls_session_init(multi, &multi->session[TM_UNTRUSTED]); } } /* * Initialize and finalize a standalone tls-auth verification object. */ struct tls_auth_standalone * tls_auth_standalone_init(struct tls_options *tls_options, struct gc_arena *gc) { struct tls_auth_standalone *tas; ALLOC_OBJ_CLEAR_GC(tas, struct tls_auth_standalone, gc); tas->tls_wrap = tls_options->tls_wrap; /* * Standalone tls-auth is in read-only mode with respect to TLS * control channel state. After we build a new client instance * object, we will process this session-initiating packet for real. */ tas->tls_wrap.opt.flags |= CO_IGNORE_PACKET_ID; /* get initial frame parms, still need to finalize */ tas->frame = tls_options->frame; return tas; } void tls_auth_standalone_finalize(struct tls_auth_standalone *tas, const struct frame *frame) { tls_init_control_channel_frame_parameters(frame, &tas->frame); } /* * Set local and remote option compatibility strings. * Used to verify compatibility of local and remote option * sets. */ void tls_multi_init_set_options(struct tls_multi *multi, const char *local, const char *remote) { #ifdef ENABLE_OCC /* initialize options string */ multi->opt.local_options = local; multi->opt.remote_options = remote; #endif } /* * Cleanup a tls_multi structure and free associated memory allocations. */ void tls_multi_free(struct tls_multi *multi, bool clear) { int i; ASSERT(multi); #ifdef MANAGEMENT_DEF_AUTH man_def_auth_set_client_reason(multi, NULL); #endif #if P2MP_SERVER free(multi->peer_info); #endif if (multi->locked_cn) { free(multi->locked_cn); } if (multi->locked_username) { free(multi->locked_username); } cert_hash_free(multi->locked_cert_hash_set); if (multi->auth_token) { secure_memzero(multi->auth_token, AUTH_TOKEN_SIZE); free(multi->auth_token); } free(multi->remote_ciphername); for (i = 0; i < TM_SIZE; ++i) { tls_session_free(&multi->session[i], false); } if (clear) { secure_memzero(multi, sizeof(*multi)); } free(multi); } /* * Move a packet authentication HMAC + related fields to or from the front * of the buffer so it can be processed by encrypt/decrypt. */ /* * Dependent on hmac size, opcode size, and session_id size. * Will assert if too small. */ #define SWAP_BUF_SIZE 256 static bool swap_hmac(struct buffer *buf, const struct crypto_options *co, bool incoming) { const struct key_ctx *ctx; ASSERT(co); ctx = (incoming ? &co->key_ctx_bi.decrypt : &co->key_ctx_bi.encrypt); ASSERT(ctx->hmac); { /* hmac + packet_id (8 bytes) */ const int hmac_size = hmac_ctx_size(ctx->hmac) + packet_id_size(true); /* opcode + session_id */ const int osid_size = 1 + SID_SIZE; int e1, e2; uint8_t *b = BPTR(buf); uint8_t buf1[SWAP_BUF_SIZE]; uint8_t buf2[SWAP_BUF_SIZE]; if (incoming) { e1 = osid_size; e2 = hmac_size; } else { e1 = hmac_size; e2 = osid_size; } ASSERT(e1 <= SWAP_BUF_SIZE && e2 <= SWAP_BUF_SIZE); if (buf->len >= e1 + e2) { memcpy(buf1, b, e1); memcpy(buf2, b + e1, e2); memcpy(b, buf2, e2); memcpy(b + e2, buf1, e1); return true; } else { return false; } } } #undef SWAP_BUF_SIZE /* * Write a control channel authentication record. */ static void write_control_auth(struct tls_session *session, struct key_state *ks, struct buffer *buf, struct link_socket_actual **to_link_addr, int opcode, int max_ack, bool prepend_ack) { uint8_t header = ks->key_id | (opcode << P_OPCODE_SHIFT); struct buffer null = clear_buf(); ASSERT(link_socket_actual_defined(&ks->remote_addr)); ASSERT(reliable_ack_write (ks->rec_ack, buf, &ks->session_id_remote, max_ack, prepend_ack)); if (session->tls_wrap.mode == TLS_WRAP_AUTH || session->tls_wrap.mode == TLS_WRAP_NONE) { ASSERT(session_id_write_prepend(&session->session_id, buf)); ASSERT(buf_write_prepend(buf, &header, sizeof(header))); } if (session->tls_wrap.mode == TLS_WRAP_AUTH) { /* no encryption, only write hmac */ openvpn_encrypt(buf, null, &session->tls_wrap.opt); ASSERT(swap_hmac(buf, &session->tls_wrap.opt, false)); } else if (session->tls_wrap.mode == TLS_WRAP_CRYPT) { ASSERT(buf_init(&session->tls_wrap.work, buf->offset)); ASSERT(buf_write(&session->tls_wrap.work, &header, sizeof(header))); ASSERT(session_id_write(&session->session_id, &session->tls_wrap.work)); if (tls_crypt_wrap(buf, &session->tls_wrap.work, &session->tls_wrap.opt)) { /* Don't change the original data in buf, it's used by the reliability * layer to resend on failure. */ *buf = session->tls_wrap.work; } else { buf->len = 0; return; } } *to_link_addr = &ks->remote_addr; } /* * Read a control channel authentication record. */ static bool read_control_auth(struct buffer *buf, struct tls_wrap_ctx *ctx, const struct link_socket_actual *from) { struct gc_arena gc = gc_new(); bool ret = false; if (ctx->mode == TLS_WRAP_AUTH) { struct buffer null = clear_buf(); /* move the hmac record to the front of the packet */ if (!swap_hmac(buf, &ctx->opt, true)) { msg(D_TLS_ERRORS, "TLS Error: cannot locate HMAC in incoming packet from %s", print_link_socket_actual(from, &gc)); gc_free(&gc); return false; } /* authenticate only (no decrypt) and remove the hmac record * from the head of the buffer */ openvpn_decrypt(buf, null, &ctx->opt, NULL, BPTR(buf)); if (!buf->len) { msg(D_TLS_ERRORS, "TLS Error: incoming packet authentication failed from %s", print_link_socket_actual(from, &gc)); goto cleanup; } } else if (ctx->mode == TLS_WRAP_CRYPT) { struct buffer tmp = alloc_buf_gc(buf_forward_capacity_total(buf), &gc); if (!tls_crypt_unwrap(buf, &tmp, &ctx->opt)) { msg(D_TLS_ERRORS, "TLS Error: tls-crypt unwrapping failed from %s", print_link_socket_actual(from, &gc)); goto cleanup; } ASSERT(buf_init(buf, buf->offset)); ASSERT(buf_copy(buf, &tmp)); buf_clear(&tmp); } if (ctx->mode == TLS_WRAP_NONE || ctx->mode == TLS_WRAP_AUTH) { /* advance buffer pointer past opcode & session_id since our caller * already read it */ buf_advance(buf, SID_SIZE + 1); } ret = true; cleanup: gc_free(&gc); return ret; } /* * For debugging, print contents of key_source2 structure. */ static void key_source_print(const struct key_source *k, const char *prefix) { struct gc_arena gc = gc_new(); VALGRIND_MAKE_READABLE((void *)k->pre_master, sizeof(k->pre_master)); VALGRIND_MAKE_READABLE((void *)k->random1, sizeof(k->random1)); VALGRIND_MAKE_READABLE((void *)k->random2, sizeof(k->random2)); dmsg(D_SHOW_KEY_SOURCE, "%s pre_master: %s", prefix, format_hex(k->pre_master, sizeof(k->pre_master), 0, &gc)); dmsg(D_SHOW_KEY_SOURCE, "%s random1: %s", prefix, format_hex(k->random1, sizeof(k->random1), 0, &gc)); dmsg(D_SHOW_KEY_SOURCE, "%s random2: %s", prefix, format_hex(k->random2, sizeof(k->random2), 0, &gc)); gc_free(&gc); } static void key_source2_print(const struct key_source2 *k) { key_source_print(&k->client, "Client"); key_source_print(&k->server, "Server"); } /* * Generate the hash required by for the \c tls1_PRF function. * * @param md_kt Message digest to use * @param sec Secret to base the hash on * @param sec_len Length of the secret * @param seed Seed to hash * @param seed_len Length of the seed * @param out Output buffer * @param olen Length of the output buffer */ static void tls1_P_hash(const md_kt_t *md_kt, const uint8_t *sec, int sec_len, const uint8_t *seed, int seed_len, uint8_t *out, int olen) { struct gc_arena gc = gc_new(); int chunk; hmac_ctx_t *ctx; hmac_ctx_t *ctx_tmp; uint8_t A1[MAX_HMAC_KEY_LENGTH]; unsigned int A1_len; #ifdef ENABLE_DEBUG const int olen_orig = olen; const uint8_t *out_orig = out; #endif ctx = hmac_ctx_new(); ctx_tmp = hmac_ctx_new(); dmsg(D_SHOW_KEY_SOURCE, "tls1_P_hash sec: %s", format_hex(sec, sec_len, 0, &gc)); dmsg(D_SHOW_KEY_SOURCE, "tls1_P_hash seed: %s", format_hex(seed, seed_len, 0, &gc)); chunk = md_kt_size(md_kt); A1_len = md_kt_size(md_kt); hmac_ctx_init(ctx, sec, sec_len, md_kt); hmac_ctx_init(ctx_tmp, sec, sec_len, md_kt); hmac_ctx_update(ctx,seed,seed_len); hmac_ctx_final(ctx, A1); for (;; ) { hmac_ctx_reset(ctx); hmac_ctx_reset(ctx_tmp); hmac_ctx_update(ctx,A1,A1_len); hmac_ctx_update(ctx_tmp,A1,A1_len); hmac_ctx_update(ctx,seed,seed_len); if (olen > chunk) { hmac_ctx_final(ctx, out); out += chunk; olen -= chunk; hmac_ctx_final(ctx_tmp, A1); /* calc the next A1 value */ } else /* last one */ { hmac_ctx_final(ctx, A1); memcpy(out,A1,olen); break; } } hmac_ctx_cleanup(ctx); hmac_ctx_free(ctx); hmac_ctx_cleanup(ctx_tmp); hmac_ctx_free(ctx_tmp); secure_memzero(A1, sizeof(A1)); dmsg(D_SHOW_KEY_SOURCE, "tls1_P_hash out: %s", format_hex(out_orig, olen_orig, 0, &gc)); gc_free(&gc); } /* * Use the TLS PRF function for generating data channel keys. * This code is based on the OpenSSL library. * * TLS generates keys as such: * * master_secret[48] = PRF(pre_master_secret[48], "master secret", * ClientHello.random[32] + ServerHello.random[32]) * * key_block[] = PRF(SecurityParameters.master_secret[48], * "key expansion", * SecurityParameters.server_random[32] + * SecurityParameters.client_random[32]); * * Notes: * * (1) key_block contains a full set of 4 keys. * (2) The pre-master secret is generated by the client. */ static void tls1_PRF(const uint8_t *label, int label_len, const uint8_t *sec, int slen, uint8_t *out1, int olen) { struct gc_arena gc = gc_new(); const md_kt_t *md5 = md_kt_get("MD5"); const md_kt_t *sha1 = md_kt_get("SHA1"); int len,i; const uint8_t *S1,*S2; uint8_t *out2; out2 = (uint8_t *) gc_malloc(olen, false, &gc); len = slen/2; S1 = sec; S2 = &(sec[len]); len += (slen&1); /* add for odd, make longer */ tls1_P_hash(md5,S1,len,label,label_len,out1,olen); tls1_P_hash(sha1,S2,len,label,label_len,out2,olen); for (i = 0; iid, SID_SIZE)); } if (server_sid) { ASSERT(buf_write(&seed, server_sid->id, SID_SIZE)); } /* compute PRF */ tls1_PRF(BPTR(&seed), BLEN(&seed), secret, secret_len, output, output_len); buf_clear(&seed); free_buf(&seed); VALGRIND_MAKE_READABLE((void *)output, output_len); } /* * Using source entropy from local and remote hosts, mix into * master key. */ static bool generate_key_expansion(struct key_ctx_bi *key, const struct key_type *key_type, const struct key_source2 *key_src, const struct session_id *client_sid, const struct session_id *server_sid, bool server) { uint8_t master[48] = { 0 }; struct key2 key2 = { 0 }; bool ret = false; if (key->initialized) { msg(D_TLS_ERRORS, "TLS Error: key already initialized"); goto exit; } /* debugging print of source key material */ key_source2_print(key_src); /* compute master secret */ openvpn_PRF(key_src->client.pre_master, sizeof(key_src->client.pre_master), KEY_EXPANSION_ID " master secret", key_src->client.random1, sizeof(key_src->client.random1), key_src->server.random1, sizeof(key_src->server.random1), NULL, NULL, master, sizeof(master)); /* compute key expansion */ openvpn_PRF(master, sizeof(master), KEY_EXPANSION_ID " key expansion", key_src->client.random2, sizeof(key_src->client.random2), key_src->server.random2, sizeof(key_src->server.random2), client_sid, server_sid, (uint8_t *)key2.keys, sizeof(key2.keys)); key2.n = 2; key2_print(&key2, key_type, "Master Encrypt", "Master Decrypt"); /* check for weak keys */ for (int i = 0; i < 2; ++i) { fixup_key(&key2.keys[i], key_type); if (!check_key(&key2.keys[i], key_type)) { msg(D_TLS_ERRORS, "TLS Error: Bad dynamic key generated"); goto exit; } } /* Initialize OpenSSL key contexts */ int key_direction = server ? KEY_DIRECTION_INVERSE : KEY_DIRECTION_NORMAL; init_key_ctx_bi(key, &key2, key_direction, key_type, "Data Channel"); /* Initialize implicit IVs */ key_ctx_update_implicit_iv(&key->encrypt, key2.keys[(int)server].hmac, MAX_HMAC_KEY_LENGTH); key_ctx_update_implicit_iv(&key->decrypt, key2.keys[1-(int)server].hmac, MAX_HMAC_KEY_LENGTH); ret = true; exit: secure_memzero(&master, sizeof(master)); secure_memzero(&key2, sizeof(key2)); return ret; } static void key_ctx_update_implicit_iv(struct key_ctx *ctx, uint8_t *key, size_t key_len) { const cipher_kt_t *cipher_kt = cipher_ctx_get_cipher_kt(ctx->cipher); /* Only use implicit IV in AEAD cipher mode, where HMAC key is not used */ if (cipher_kt_mode_aead(cipher_kt)) { size_t impl_iv_len = 0; ASSERT(cipher_kt_iv_size(cipher_kt) >= OPENVPN_AEAD_MIN_IV_LEN); impl_iv_len = cipher_kt_iv_size(cipher_kt) - sizeof(packet_id_type); ASSERT(impl_iv_len <= OPENVPN_MAX_IV_LENGTH); ASSERT(impl_iv_len <= key_len); memcpy(ctx->implicit_iv, key, impl_iv_len); ctx->implicit_iv_len = impl_iv_len; } } bool tls_item_in_cipher_list(const char *item, const char *list) { char *tmp_ciphers = string_alloc(list, NULL); char *tmp_ciphers_orig = tmp_ciphers; const char *token = strtok(tmp_ciphers, ":"); while (token) { if (0 == strcmp(token, item)) { break; } token = strtok(NULL, ":"); } free(tmp_ciphers_orig); return token != NULL; } void tls_poor_mans_ncp(struct options *o, const char *remote_ciphername) { if (o->ncp_enabled && remote_ciphername && 0 != strcmp(o->ciphername, remote_ciphername)) { if (tls_item_in_cipher_list(remote_ciphername, o->ncp_ciphers)) { o->ciphername = string_alloc(remote_ciphername, &o->gc); msg(D_TLS_DEBUG_LOW, "Using peer cipher '%s'", o->ciphername); } } } /** * Generate data channel keys for the supplied TLS session. * * This erases the source material used to generate the data channel keys, and * can thus be called only once per session. */ static bool tls_session_generate_data_channel_keys(struct tls_session *session) { bool ret = false; struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */ const struct session_id *client_sid = session->opt->server ? &ks->session_id_remote : &session->session_id; const struct session_id *server_sid = !session->opt->server ? &ks->session_id_remote : &session->session_id; ASSERT(ks->authenticated); ks->crypto_options.flags = session->opt->crypto_flags; if (!generate_key_expansion(&ks->crypto_options.key_ctx_bi, &session->opt->key_type, ks->key_src, client_sid, server_sid, session->opt->server)) { msg(D_TLS_ERRORS, "TLS Error: generate_key_expansion failed"); goto cleanup; } tls_limit_reneg_bytes(session->opt->key_type.cipher, &session->opt->renegotiate_bytes); ret = true; cleanup: secure_memzero(ks->key_src, sizeof(*ks->key_src)); return ret; } bool tls_session_update_crypto_params(struct tls_session *session, struct options *options, struct frame *frame) { if (!session->opt->server && 0 != strcmp(options->ciphername, session->opt->config_ciphername) && !tls_item_in_cipher_list(options->ciphername, options->ncp_ciphers)) { msg(D_TLS_ERRORS, "Error: pushed cipher not allowed - %s not in %s or %s", options->ciphername, session->opt->config_ciphername, options->ncp_ciphers); /* undo cipher push, abort connection setup */ options->ciphername = session->opt->config_ciphername; return false; } if (strcmp(options->ciphername, session->opt->config_ciphername)) { msg(D_HANDSHAKE, "Data Channel: using negotiated cipher '%s'", options->ciphername); if (options->keysize) { msg(D_HANDSHAKE, "NCP: overriding user-set keysize with default"); options->keysize = 0; } } init_key_type(&session->opt->key_type, options->ciphername, options->authname, options->keysize, true, true); bool packet_id_long_form = cipher_kt_mode_ofb_cfb(session->opt->key_type.cipher); session->opt->crypto_flags &= ~(CO_PACKET_ID_LONG_FORM); if (packet_id_long_form) { session->opt->crypto_flags |= CO_PACKET_ID_LONG_FORM; } /* Update frame parameters: undo worst-case overhead, add actual overhead */ frame_add_to_extra_frame(frame, -(crypto_max_overhead())); crypto_adjust_frame_parameters(frame, &session->opt->key_type, options->use_iv, options->replay, packet_id_long_form); frame_finalize(frame, options->ce.link_mtu_defined, options->ce.link_mtu, options->ce.tun_mtu_defined, options->ce.tun_mtu); frame_init_mssfix(frame, options); frame_print(frame, D_MTU_INFO, "Data Channel MTU parms"); return tls_session_generate_data_channel_keys(session); } static bool random_bytes_to_buf(struct buffer *buf, uint8_t *out, int outlen) { if (!rand_bytes(out, outlen)) { msg(M_FATAL, "ERROR: Random number generator cannot obtain entropy for key generation [SSL]"); } if (!buf_write(buf, out, outlen)) { return false; } return true; } static bool key_source2_randomize_write(struct key_source2 *k2, struct buffer *buf, bool server) { struct key_source *k = &k2->client; if (server) { k = &k2->server; } CLEAR(*k); if (!server) { if (!random_bytes_to_buf(buf, k->pre_master, sizeof(k->pre_master))) { return false; } } if (!random_bytes_to_buf(buf, k->random1, sizeof(k->random1))) { return false; } if (!random_bytes_to_buf(buf, k->random2, sizeof(k->random2))) { return false; } return true; } static int key_source2_read(struct key_source2 *k2, struct buffer *buf, bool server) { struct key_source *k = &k2->client; if (!server) { k = &k2->server; } CLEAR(*k); if (server) { if (!buf_read(buf, k->pre_master, sizeof(k->pre_master))) { return 0; } } if (!buf_read(buf, k->random1, sizeof(k->random1))) { return 0; } if (!buf_read(buf, k->random2, sizeof(k->random2))) { return 0; } return 1; } static void flush_payload_buffer(struct key_state *ks) { struct buffer *b; while ((b = buffer_list_peek(ks->paybuf))) { key_state_write_plaintext_const(&ks->ks_ssl, b->data, b->len); buffer_list_pop(ks->paybuf); } } /* true if no in/out acknowledgements pending */ #define FULL_SYNC \ (reliable_empty(ks->send_reliable) && reliable_ack_empty(ks->rec_ack)) /* * Move the active key to the lame duck key and reinitialize the * active key. */ static void key_state_soft_reset(struct tls_session *session) { struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */ struct key_state *ks_lame = &session->key[KS_LAME_DUCK]; /* retiring key */ ks->must_die = now + session->opt->transition_window; /* remaining lifetime of old key */ key_state_free(ks_lame, false); *ks_lame = *ks; key_state_init(session, ks); ks->session_id_remote = ks_lame->session_id_remote; ks->remote_addr = ks_lame->remote_addr; } /* * Read/write strings from/to a struct buffer with a u16 length prefix. */ static bool write_empty_string(struct buffer *buf) { if (!buf_write_u16(buf, 0)) { return false; } return true; } static bool write_string(struct buffer *buf, const char *str, const int maxlen) { const int len = strlen(str) + 1; if (len < 1 || (maxlen >= 0 && len > maxlen)) { return false; } if (!buf_write_u16(buf, len)) { return false; } if (!buf_write(buf, str, len)) { return false; } return true; } static bool read_string(struct buffer *buf, char *str, const unsigned int capacity) { const int len = buf_read_u16(buf); if (len < 1 || len > (int)capacity) { return false; } if (!buf_read(buf, str, len)) { return false; } str[len-1] = '\0'; return true; } static char * read_string_alloc(struct buffer *buf) { const int len = buf_read_u16(buf); char *str; if (len < 1) { return NULL; } str = (char *) malloc(len); check_malloc_return(str); if (!buf_read(buf, str, len)) { free(str); return NULL; } str[len-1] = '\0'; return str; } /* * Handle the reading and writing of key data to and from * the TLS control channel (cleartext). */ static bool key_method_1_write(struct buffer *buf, struct tls_session *session) { struct key key; struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */ ASSERT(session->opt->key_method == 1); ASSERT(buf_init(buf, 0)); generate_key_random(&key, &session->opt->key_type); if (!check_key(&key, &session->opt->key_type)) { msg(D_TLS_ERRORS, "TLS Error: Bad encrypting key generated"); return false; } if (!write_key(&key, &session->opt->key_type, buf)) { msg(D_TLS_ERRORS, "TLS Error: write_key failed"); return false; } init_key_ctx(&ks->crypto_options.key_ctx_bi.encrypt, &key, &session->opt->key_type, OPENVPN_OP_ENCRYPT, "Data Channel Encrypt"); secure_memzero(&key, sizeof(key)); /* send local options string */ { const char *local_options = local_options_string(session); const int optlen = strlen(local_options) + 1; if (!buf_write(buf, local_options, optlen)) { msg(D_TLS_ERRORS, "TLS Error: KM1 write options failed"); return false; } } return true; } static bool push_peer_info(struct buffer *buf, struct tls_session *session) { struct gc_arena gc = gc_new(); bool ret = false; #ifdef ENABLE_PUSH_PEER_INFO if (session->opt->push_peer_info_detail > 0) { struct env_set *es = session->opt->es; struct env_item *e; struct buffer out = alloc_buf_gc(512*3, &gc); /* push version */ buf_printf(&out, "IV_VER=%s\n", PACKAGE_VERSION); /* push platform */ #if defined(TARGET_LINUX) buf_printf(&out, "IV_PLAT=linux\n"); #elif defined(TARGET_SOLARIS) buf_printf(&out, "IV_PLAT=solaris\n"); #elif defined(TARGET_OPENBSD) buf_printf(&out, "IV_PLAT=openbsd\n"); #elif defined(TARGET_DARWIN) buf_printf(&out, "IV_PLAT=mac\n"); #elif defined(TARGET_NETBSD) buf_printf(&out, "IV_PLAT=netbsd\n"); #elif defined(TARGET_FREEBSD) buf_printf(&out, "IV_PLAT=freebsd\n"); #elif defined(TARGET_ANDROID) buf_printf(&out, "IV_PLAT=android\n"); #elif defined(_WIN32) buf_printf(&out, "IV_PLAT=win\n"); #endif /* support for P_DATA_V2 */ buf_printf(&out, "IV_PROTO=2\n"); /* support for Negotiable Crypto Paramters */ if (session->opt->ncp_enabled && (session->opt->mode == MODE_SERVER || session->opt->pull)) { buf_printf(&out, "IV_NCP=2\n"); } /* push compression status */ #ifdef USE_COMP comp_generate_peer_info_string(&session->opt->comp_options, &out); #endif if (session->opt->push_peer_info_detail >= 2) { /* push mac addr */ struct route_gateway_info rgi; get_default_gateway(&rgi); if (rgi.flags & RGI_HWADDR_DEFINED) { buf_printf(&out, "IV_HWADDR=%s\n", format_hex_ex(rgi.hwaddr, 6, 0, 1, ":", &gc)); } buf_printf(&out, "IV_SSL=%s\n", get_ssl_library_version() ); #if defined(_WIN32) buf_printf(&out, "IV_PLAT_VER=%s\n", win32_version_string(&gc, false)); #endif } /* push env vars that begin with UV_, IV_PLAT_VER and IV_GUI_VER */ for (e = es->list; e != NULL; e = e->next) { if (e->string) { if ((((strncmp(e->string, "UV_", 3)==0 || strncmp(e->string, "IV_PLAT_VER=", sizeof("IV_PLAT_VER=")-1)==0) && session->opt->push_peer_info_detail >= 2) || (strncmp(e->string,"IV_GUI_VER=",sizeof("IV_GUI_VER=")-1)==0)) && buf_safe(&out, strlen(e->string)+1)) { buf_printf(&out, "%s\n", e->string); } } } if (!write_string(buf, BSTR(&out), -1)) { goto error; } } else #endif /* ifdef ENABLE_PUSH_PEER_INFO */ { if (!write_empty_string(buf)) /* no peer info */ { goto error; } } ret = true; error: gc_free(&gc); return ret; } static bool key_method_2_write(struct buffer *buf, struct tls_session *session) { struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */ ASSERT(session->opt->key_method == 2); ASSERT(buf_init(buf, 0)); /* write a uint32 0 */ if (!buf_write_u32(buf, 0)) { goto error; } /* write key_method + flags */ if (!buf_write_u8(buf, (session->opt->key_method & KEY_METHOD_MASK))) { goto error; } /* write key source material */ if (!key_source2_randomize_write(ks->key_src, buf, session->opt->server)) { goto error; } /* write options string */ { if (!write_string(buf, local_options_string(session), TLS_OPTIONS_LEN)) { goto error; } } /* write username/password if specified */ if (auth_user_pass_enabled) { #ifdef ENABLE_CLIENT_CR auth_user_pass_setup(session->opt->auth_user_pass_file, session->opt->sci); #else auth_user_pass_setup(session->opt->auth_user_pass_file, NULL); #endif if (!write_string(buf, auth_user_pass.username, -1)) { goto error; } if (!write_string(buf, auth_user_pass.password, -1)) { goto error; } /* if auth-nocache was specified, the auth_user_pass object reaches * a "complete" state only after having received the push-reply * message. * This is the case because auth-token statement in a push-reply would * invert its nocache. * * For this reason, skip the purge operation here if no push-reply * message has been received yet. * * This normally happens upon first negotiation only. */ if (!auth_user_pass.wait_for_push) { purge_user_pass(&auth_user_pass, false); } } else { if (!write_empty_string(buf)) /* no username */ { goto error; } if (!write_empty_string(buf)) /* no password */ { goto error; } } if (!push_peer_info(buf, session)) { goto error; } /* Generate tunnel keys if we're a TLS server. * If we're a p2mp server and IV_NCP >= 2 is negotiated, the first key * generation is postponed until after the pull/push, so we can process pushed * cipher directives. */ if (session->opt->server && !(session->opt->ncp_enabled && session->opt->mode == MODE_SERVER && ks->key_id <= 0)) { if (ks->authenticated) { if (!tls_session_generate_data_channel_keys(session)) { msg(D_TLS_ERRORS, "TLS Error: server generate_key_expansion failed"); goto error; } } } return true; error: msg(D_TLS_ERRORS, "TLS Error: Key Method #2 write failed"); secure_memzero(ks->key_src, sizeof(*ks->key_src)); return false; } static bool key_method_1_read(struct buffer *buf, struct tls_session *session) { int status; struct key key; struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */ ASSERT(session->opt->key_method == 1); if (!session->verified) { msg(D_TLS_ERRORS, "TLS Error: Certificate verification failed (key-method 1)"); goto error; } status = read_key(&key, &session->opt->key_type, buf); if (status != 1) { msg(D_TLS_ERRORS, "TLS Error: Error reading data channel key from plaintext buffer"); goto error; } if (!check_key(&key, &session->opt->key_type)) { msg(D_TLS_ERRORS, "TLS Error: Bad decrypting key received from peer"); goto error; } if (buf->len < 1) { msg(D_TLS_ERRORS, "TLS Error: Missing options string"); goto error; } #ifdef ENABLE_OCC /* compare received remote options string * with our locally computed options string */ if (!session->opt->disable_occ && !options_cmp_equal_safe((char *) BPTR(buf), session->opt->remote_options, buf->len)) { options_warning_safe((char *) BPTR(buf), session->opt->remote_options, buf->len); } #endif buf_clear(buf); init_key_ctx(&ks->crypto_options.key_ctx_bi.decrypt, &key, &session->opt->key_type, OPENVPN_OP_DECRYPT, "Data Channel Decrypt"); secure_memzero(&key, sizeof(key)); ks->authenticated = true; return true; error: buf_clear(buf); secure_memzero(&key, sizeof(key)); return false; } static bool key_method_2_read(struct buffer *buf, struct tls_multi *multi, struct tls_session *session) { struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */ int key_method_flags; bool username_status, password_status; struct gc_arena gc = gc_new(); char *options; struct user_pass *up = NULL; /* allocate temporary objects */ ALLOC_ARRAY_CLEAR_GC(options, char, TLS_OPTIONS_LEN, &gc); ASSERT(session->opt->key_method == 2); /* discard leading uint32 */ if (!buf_advance(buf, 4)) { msg(D_TLS_ERRORS, "TLS ERROR: Plaintext buffer too short (%d bytes).", buf->len); goto error; } /* get key method */ key_method_flags = buf_read_u8(buf); if ((key_method_flags & KEY_METHOD_MASK) != 2) { msg(D_TLS_ERRORS, "TLS ERROR: Unknown key_method/flags=%d received from remote host", key_method_flags); goto error; } /* get key source material (not actual keys yet) */ if (!key_source2_read(ks->key_src, buf, session->opt->server)) { msg(D_TLS_ERRORS, "TLS Error: Error reading remote data channel key source entropy from plaintext buffer"); goto error; } /* get options */ if (!read_string(buf, options, TLS_OPTIONS_LEN)) { msg(D_TLS_ERRORS, "TLS Error: Failed to read required OCC options string"); goto error; } ks->authenticated = false; /* always extract username + password fields from buf, even if not * authenticating for it, because otherwise we can't get at the * peer_info data which follows behind */ ALLOC_OBJ_CLEAR_GC(up, struct user_pass, &gc); username_status = read_string(buf, up->username, USER_PASS_LEN); password_status = read_string(buf, up->password, USER_PASS_LEN); #if P2MP_SERVER /* get peer info from control channel */ free(multi->peer_info); multi->peer_info = read_string_alloc(buf); if (multi->peer_info) { output_peer_info_env(session->opt->es, multi->peer_info); } free(multi->remote_ciphername); multi->remote_ciphername = options_string_extract_option(options, "cipher", NULL); if (tls_peer_info_ncp_ver(multi->peer_info) < 2) { /* Peer does not support NCP, but leave NCP enabled if the local and * remote cipher do not match to attempt 'poor-man's NCP'. */ if (multi->remote_ciphername == NULL || 0 == strcmp(multi->remote_ciphername, multi->opt.config_ciphername)) { session->opt->ncp_enabled = false; } } #endif /* if P2MP_SERVER */ if (tls_session_user_pass_enabled(session)) { /* Perform username/password authentication */ if (!username_status || !password_status) { CLEAR(*up); if (!(session->opt->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL)) { msg(D_TLS_ERRORS, "TLS Error: Auth Username/Password was not provided by peer"); goto error; } } verify_user_pass(up, multi, session); } else { /* Session verification should have occurred during TLS negotiation*/ if (!session->verified) { msg(D_TLS_ERRORS, "TLS Error: Certificate verification failed (key-method 2)"); goto error; } ks->authenticated = true; } /* clear username and password from memory */ secure_memzero(up, sizeof(*up)); /* Perform final authentication checks */ if (ks->authenticated) { verify_final_auth_checks(multi, session); } #ifdef ENABLE_OCC /* check options consistency */ if (!session->opt->disable_occ && !options_cmp_equal(options, session->opt->remote_options)) { options_warning(options, session->opt->remote_options); if (session->opt->ssl_flags & SSLF_OPT_VERIFY) { msg(D_TLS_ERRORS, "Option inconsistency warnings triggering disconnect due to --opt-verify"); ks->authenticated = false; } } #endif buf_clear(buf); /* * Call OPENVPN_PLUGIN_TLS_FINAL plugin if defined, for final * veto opportunity over authentication decision. */ if (ks->authenticated && plugin_defined(session->opt->plugins, OPENVPN_PLUGIN_TLS_FINAL)) { key_state_export_keying_material(&ks->ks_ssl, session); if (plugin_call(session->opt->plugins, OPENVPN_PLUGIN_TLS_FINAL, NULL, NULL, session->opt->es) != OPENVPN_PLUGIN_FUNC_SUCCESS) { ks->authenticated = false; } setenv_del(session->opt->es, "exported_keying_material"); } /* * Generate tunnel keys if we're a client. * If --pull is enabled, the first key generation is postponed until after the * pull/push, so we can process pushed cipher directives. */ if (!session->opt->server && (!session->opt->pull || ks->key_id > 0)) { if (!tls_session_generate_data_channel_keys(session)) { msg(D_TLS_ERRORS, "TLS Error: client generate_key_expansion failed"); goto error; } } gc_free(&gc); return true; error: secure_memzero(ks->key_src, sizeof(*ks->key_src)); if (up) { secure_memzero(up, sizeof(*up)); } buf_clear(buf); gc_free(&gc); return false; } static int auth_deferred_expire_window(const struct tls_options *o) { int ret = o->handshake_window; const int r2 = o->renegotiate_seconds / 2; if (o->renegotiate_seconds && r2 < ret) { ret = r2; } return ret; } /* * This is the primary routine for processing TLS stuff inside the * the main event loop. When this routine exits * with non-error status, it will set *wakeup to the number of seconds * when it wants to be called again. * * Return value is true if we have placed a packet in *to_link which we * want to send to our peer. */ static bool tls_process(struct tls_multi *multi, struct tls_session *session, struct buffer *to_link, struct link_socket_actual **to_link_addr, struct link_socket_info *to_link_socket_info, interval_t *wakeup) { struct gc_arena gc = gc_new(); struct buffer *buf; bool state_change = false; bool active = false; struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */ struct key_state *ks_lame = &session->key[KS_LAME_DUCK]; /* retiring key */ /* Make sure we were initialized and that we're not in an error state */ ASSERT(ks->state != S_UNDEF); ASSERT(ks->state != S_ERROR); ASSERT(session_id_defined(&session->session_id)); /* Should we trigger a soft reset? -- new key, keeps old key for a while */ if (ks->state >= S_ACTIVE && ((session->opt->renegotiate_seconds && now >= ks->established + session->opt->renegotiate_seconds) || (session->opt->renegotiate_bytes > 0 && ks->n_bytes >= session->opt->renegotiate_bytes) || (session->opt->renegotiate_packets && ks->n_packets >= session->opt->renegotiate_packets) || (packet_id_close_to_wrapping(&ks->crypto_options.packet_id.send)))) { msg(D_TLS_DEBUG_LOW, "TLS: soft reset sec=%d bytes=" counter_format "/%d pkts=" counter_format "/%d", (int)(ks->established + session->opt->renegotiate_seconds - now), ks->n_bytes, session->opt->renegotiate_bytes, ks->n_packets, session->opt->renegotiate_packets); key_state_soft_reset(session); } /* Kill lame duck key transition_window seconds after primary key negotiation */ if (lame_duck_must_die(session, wakeup)) { key_state_free(ks_lame, true); msg(D_TLS_DEBUG_LOW, "TLS: tls_process: killed expiring key"); } do { update_time(); dmsg(D_TLS_DEBUG, "TLS: tls_process: chg=%d ks=%s lame=%s to_link->len=%d wakeup=%d", state_change, state_name(ks->state), state_name(ks_lame->state), to_link->len, *wakeup); state_change = false; /* * TLS activity is finished once we get to S_ACTIVE, * though we will still process acknowledgements. * * CHANGED with 2.0 -> now we may send tunnel configuration * info over the control channel. */ /* Initial handshake */ if (ks->state == S_INITIAL) { buf = reliable_get_buf_output_sequenced(ks->send_reliable); if (buf) { ks->must_negotiate = now + session->opt->handshake_window; ks->auth_deferred_expire = now + auth_deferred_expire_window(session->opt); /* null buffer */ reliable_mark_active_outgoing(ks->send_reliable, buf, ks->initial_opcode); INCR_GENERATED; ks->state = S_PRE_START; state_change = true; dmsg(D_TLS_DEBUG, "TLS: Initial Handshake, sid=%s", session_id_print(&session->session_id, &gc)); #ifdef ENABLE_MANAGEMENT if (management && ks->initial_opcode != P_CONTROL_SOFT_RESET_V1) { management_set_state(management, OPENVPN_STATE_WAIT, NULL, NULL, NULL, NULL, NULL); } #endif } } /* Are we timed out on receive? */ if (now >= ks->must_negotiate) { if (ks->state < S_ACTIVE) { msg(D_TLS_ERRORS, "TLS Error: TLS key negotiation failed to occur within %d seconds (check your network connectivity)", session->opt->handshake_window); goto error; } else /* assume that ks->state == S_ACTIVE */ { dmsg(D_TLS_DEBUG_MED, "STATE S_NORMAL_OP"); ks->state = S_NORMAL_OP; ks->must_negotiate = 0; } } /* Wait for Initial Handshake ACK */ if (ks->state == S_PRE_START && FULL_SYNC) { ks->state = S_START; state_change = true; /* * Attempt CRL reload before TLS negotiation. Won't be performed if * the file was not modified since the last reload */ if (session->opt->crl_file && !(session->opt->ssl_flags & SSLF_CRL_VERIFY_DIR)) { tls_ctx_reload_crl(&session->opt->ssl_ctx, session->opt->crl_file, session->opt->crl_file_inline); } /* New connection, remove any old X509 env variables */ tls_x509_clear_env(session->opt->es); dmsg(D_TLS_DEBUG_MED, "STATE S_START"); } /* Wait for ACK */ if (((ks->state == S_GOT_KEY && !session->opt->server) || (ks->state == S_SENT_KEY && session->opt->server))) { if (FULL_SYNC) { ks->established = now; dmsg(D_TLS_DEBUG_MED, "STATE S_ACTIVE"); if (check_debug_level(D_HANDSHAKE)) { print_details(&ks->ks_ssl, "Control Channel:"); } state_change = true; ks->state = S_ACTIVE; INCR_SUCCESS; /* Set outgoing address for data channel packets */ link_socket_set_outgoing_addr(NULL, to_link_socket_info, &ks->remote_addr, session->common_name, session->opt->es); /* Flush any payload packets that were buffered before our state transitioned to S_ACTIVE */ flush_payload_buffer(ks); #ifdef MEASURE_TLS_HANDSHAKE_STATS show_tls_performance_stats(); #endif } } /* Reliable buffer to outgoing TCP/UDP (send up to CONTROL_SEND_ACK_MAX ACKs * for previously received packets) */ if (!to_link->len && reliable_can_send(ks->send_reliable)) { int opcode; struct buffer b; buf = reliable_send(ks->send_reliable, &opcode); ASSERT(buf); b = *buf; INCR_SENT; write_control_auth(session, ks, &b, to_link_addr, opcode, CONTROL_SEND_ACK_MAX, true); *to_link = b; active = true; state_change = true; dmsg(D_TLS_DEBUG, "Reliable -> TCP/UDP"); break; } /* Write incoming ciphertext to TLS object */ buf = reliable_get_buf_sequenced(ks->rec_reliable); if (buf) { int status = 0; if (buf->len) { status = key_state_write_ciphertext(&ks->ks_ssl, buf); if (status == -1) { msg(D_TLS_ERRORS, "TLS Error: Incoming Ciphertext -> TLS object write error"); goto error; } } else { status = 1; } if (status == 1) { reliable_mark_deleted(ks->rec_reliable, buf, true); state_change = true; dmsg(D_TLS_DEBUG, "Incoming Ciphertext -> TLS"); } } /* Read incoming plaintext from TLS object */ buf = &ks->plaintext_read_buf; if (!buf->len) { int status; ASSERT(buf_init(buf, 0)); status = key_state_read_plaintext(&ks->ks_ssl, buf, TLS_CHANNEL_BUF_SIZE); update_time(); if (status == -1) { msg(D_TLS_ERRORS, "TLS Error: TLS object -> incoming plaintext read error"); goto error; } if (status == 1) { state_change = true; dmsg(D_TLS_DEBUG, "TLS -> Incoming Plaintext"); } } /* Send Key */ buf = &ks->plaintext_write_buf; if (!buf->len && ((ks->state == S_START && !session->opt->server) || (ks->state == S_GOT_KEY && session->opt->server))) { if (session->opt->key_method == 1) { if (!key_method_1_write(buf, session)) { goto error; } } else if (session->opt->key_method == 2) { if (!key_method_2_write(buf, session)) { goto error; } } else { ASSERT(0); } state_change = true; dmsg(D_TLS_DEBUG_MED, "STATE S_SENT_KEY"); ks->state = S_SENT_KEY; } /* Receive Key */ buf = &ks->plaintext_read_buf; if (buf->len && ((ks->state == S_SENT_KEY && !session->opt->server) || (ks->state == S_START && session->opt->server))) { if (session->opt->key_method == 1) { if (!key_method_1_read(buf, session)) { goto error; } } else if (session->opt->key_method == 2) { if (!key_method_2_read(buf, multi, session)) { goto error; } } else { ASSERT(0); } state_change = true; dmsg(D_TLS_DEBUG_MED, "STATE S_GOT_KEY"); ks->state = S_GOT_KEY; } /* Write outgoing plaintext to TLS object */ buf = &ks->plaintext_write_buf; if (buf->len) { int status = key_state_write_plaintext(&ks->ks_ssl, buf); if (status == -1) { msg(D_TLS_ERRORS, "TLS ERROR: Outgoing Plaintext -> TLS object write error"); goto error; } if (status == 1) { state_change = true; dmsg(D_TLS_DEBUG, "Outgoing Plaintext -> TLS"); } } /* Outgoing Ciphertext to reliable buffer */ if (ks->state >= S_START) { buf = reliable_get_buf_output_sequenced(ks->send_reliable); if (buf) { int status = key_state_read_ciphertext(&ks->ks_ssl, buf, PAYLOAD_SIZE_DYNAMIC(&multi->opt.frame)); if (status == -1) { msg(D_TLS_ERRORS, "TLS Error: Ciphertext -> reliable TCP/UDP transport read error"); goto error; } if (status == 1) { reliable_mark_active_outgoing(ks->send_reliable, buf, P_CONTROL_V1); INCR_GENERATED; state_change = true; dmsg(D_TLS_DEBUG, "Outgoing Ciphertext -> Reliable"); } } } } while (state_change); update_time(); /* Send 1 or more ACKs (each received control packet gets one ACK) */ if (!to_link->len && !reliable_ack_empty(ks->rec_ack)) { struct buffer buf = ks->ack_write_buf; ASSERT(buf_init(&buf, FRAME_HEADROOM(&multi->opt.frame))); write_control_auth(session, ks, &buf, to_link_addr, P_ACK_V1, RELIABLE_ACK_SIZE, false); *to_link = buf; active = true; dmsg(D_TLS_DEBUG, "Dedicated ACK -> TCP/UDP"); } /* When should we wake up again? */ { if (ks->state >= S_INITIAL) { compute_earliest_wakeup(wakeup, reliable_send_timeout(ks->send_reliable)); if (ks->must_negotiate) { compute_earliest_wakeup(wakeup, ks->must_negotiate - now); } } if (ks->established && session->opt->renegotiate_seconds) { compute_earliest_wakeup(wakeup, ks->established + session->opt->renegotiate_seconds - now); } /* prevent event-loop spinning by setting minimum wakeup of 1 second */ if (*wakeup <= 0) { *wakeup = 1; /* if we had something to send to remote, but to_link was busy, * let caller know we need to be called again soon */ active = true; } dmsg(D_TLS_DEBUG, "TLS: tls_process: timeout set to %d", *wakeup); gc_free(&gc); return active; } error: tls_clear_error(); ks->state = S_ERROR; msg(D_TLS_ERRORS, "TLS Error: TLS handshake failed"); INCR_ERROR; gc_free(&gc); return false; } /* * Called by the top-level event loop. * * Basically decides if we should call tls_process for * the active or untrusted sessions. */ int tls_multi_process(struct tls_multi *multi, struct buffer *to_link, struct link_socket_actual **to_link_addr, struct link_socket_info *to_link_socket_info, interval_t *wakeup) { struct gc_arena gc = gc_new(); int i; int active = TLSMP_INACTIVE; bool error = false; int tas; perf_push(PERF_TLS_MULTI_PROCESS); tls_clear_error(); /* * Process each session object having state of S_INITIAL or greater, * and which has a defined remote IP addr. */ for (i = 0; i < TM_SIZE; ++i) { struct tls_session *session = &multi->session[i]; struct key_state *ks = &session->key[KS_PRIMARY]; struct key_state *ks_lame = &session->key[KS_LAME_DUCK]; /* set initial remote address */ if (i == TM_ACTIVE && ks->state == S_INITIAL && link_socket_actual_defined(&to_link_socket_info->lsa->actual)) { ks->remote_addr = to_link_socket_info->lsa->actual; } dmsg(D_TLS_DEBUG, "TLS: tls_multi_process: i=%d state=%s, mysid=%s, stored-sid=%s, stored-ip=%s", i, state_name(ks->state), session_id_print(&session->session_id, &gc), session_id_print(&ks->session_id_remote, &gc), print_link_socket_actual(&ks->remote_addr, &gc)); if (ks->state >= S_INITIAL && link_socket_actual_defined(&ks->remote_addr)) { struct link_socket_actual *tla = NULL; update_time(); if (tls_process(multi, session, to_link, &tla, to_link_socket_info, wakeup)) { active = TLSMP_ACTIVE; } /* * If tls_process produced an outgoing packet, * return the link_socket_actual object (which * contains the outgoing address). */ if (tla) { multi->to_link_addr = *tla; *to_link_addr = &multi->to_link_addr; } /* * If tls_process hits an error: * (1) If the session has an unexpired lame duck key, preserve it. * (2) Reinitialize the session. * (3) Increment soft error count */ if (ks->state == S_ERROR) { ++multi->n_soft_errors; if (i == TM_ACTIVE) { error = true; } if (i == TM_ACTIVE && ks_lame->state >= S_ACTIVE && !multi->opt.single_session) { move_session(multi, TM_LAME_DUCK, TM_ACTIVE, true); } else { reset_session(multi, session); } } } } update_time(); tas = tls_authentication_status(multi, TLS_MULTI_AUTH_STATUS_INTERVAL); /* * If lame duck session expires, kill it. */ if (lame_duck_must_die(&multi->session[TM_LAME_DUCK], wakeup)) { tls_session_free(&multi->session[TM_LAME_DUCK], true); msg(D_TLS_DEBUG_LOW, "TLS: tls_multi_process: killed expiring key"); } /* * If untrusted session achieves TLS authentication, * move it to active session, usurping any prior session. * * A semi-trusted session is one in which the certificate authentication * succeeded (if cert verification is enabled) but the username/password * verification failed. A semi-trusted session can forward data on the * TLS control channel but not on the tunnel channel. */ if (DECRYPT_KEY_ENABLED(multi, &multi->session[TM_UNTRUSTED].key[KS_PRIMARY])) { move_session(multi, TM_ACTIVE, TM_UNTRUSTED, true); msg(D_TLS_DEBUG_LOW, "TLS: tls_multi_process: untrusted session promoted to %strusted", tas == TLS_AUTHENTICATION_SUCCEEDED ? "" : "semi-"); } /* * A hard error means that TM_ACTIVE hit an S_ERROR state and that no * other key state objects are S_ACTIVE or higher. */ if (error) { for (i = 0; i < (int) SIZE(multi->key_scan); ++i) { if (multi->key_scan[i]->state >= S_ACTIVE) { goto nohard; } } ++multi->n_hard_errors; } nohard: #ifdef ENABLE_DEBUG /* DEBUGGING -- flood peer with repeating connection attempts */ { const int throw_level = GREMLIN_CONNECTION_FLOOD_LEVEL(multi->opt.gremlin); if (throw_level) { for (i = 0; i < (int) SIZE(multi->key_scan); ++i) { if (multi->key_scan[i]->state >= throw_level) { ++multi->n_hard_errors; ++multi->n_soft_errors; } } } } #endif perf_pop(); gc_free(&gc); return (tas == TLS_AUTHENTICATION_FAILED) ? TLSMP_KILL : active; } /* * Pre and post-process the encryption & decryption buffers in order * to implement a multiplexed TLS channel over the TCP/UDP port. */ /* * * When we are in TLS mode, this is the first routine which sees * an incoming packet. * * If it's a data packet, we set opt so that our caller can * decrypt it. We also give our caller the appropriate decryption key. * * If it's a control packet, we authenticate it and process it, * possibly creating a new tls_session if it represents the * first packet of a new session. For control packets, we will * also zero the size of *buf so that our caller ignores the * packet on our return. * * Note that openvpn only allows one active session at a time, * so a new session (once authenticated) will always usurp * an old session. * * Return true if input was an authenticated control channel * packet. * * If we are running in TLS thread mode, all public routines * below this point must be called with the L_TLS lock held. */ bool tls_pre_decrypt(struct tls_multi *multi, const struct link_socket_actual *from, struct buffer *buf, struct crypto_options **opt, bool floated, const uint8_t **ad_start) { struct gc_arena gc = gc_new(); bool ret = false; if (buf->len > 0) { int i; int op; int key_id; /* get opcode and key ID */ { uint8_t c = *BPTR(buf); op = c >> P_OPCODE_SHIFT; key_id = c & P_KEY_ID_MASK; } if ((op == P_DATA_V1) || (op == P_DATA_V2)) { /* data channel packet */ for (i = 0; i < KEY_SCAN_SIZE; ++i) { struct key_state *ks = multi->key_scan[i]; /* * This is the basic test of TLS state compatibility between a local OpenVPN * instance and its remote peer. * * If the test fails, it tells us that we are getting a packet from a source * which claims reference to a prior negotiated TLS session, but the local * OpenVPN instance has no memory of such a negotiation. * * It almost always occurs on UDP sessions when the passive side of the * connection is restarted without the active side restarting as well (the * passive side is the server which only listens for the connections, the * active side is the client which initiates connections). */ if (DECRYPT_KEY_ENABLED(multi, ks) && key_id == ks->key_id && ks->authenticated #ifdef ENABLE_DEF_AUTH && !ks->auth_deferred #endif && (floated || link_socket_actual_match(from, &ks->remote_addr))) { if (!ks->crypto_options.key_ctx_bi.initialized) { msg(D_TLS_DEBUG_LOW, "Key %s [%d] not initialized (yet), dropping packet.", print_link_socket_actual(from, &gc), key_id); goto error_lite; } /* return appropriate data channel decrypt key in opt */ *opt = &ks->crypto_options; if (op == P_DATA_V2) { *ad_start = BPTR(buf); } ASSERT(buf_advance(buf, 1)); if (op == P_DATA_V1) { *ad_start = BPTR(buf); } else if (op == P_DATA_V2) { if (buf->len < 4) { msg(D_TLS_ERRORS, "Protocol error: received P_DATA_V2 from %s but length is < 4", print_link_socket_actual(from, &gc)); goto error; } ASSERT(buf_advance(buf, 3)); } ++ks->n_packets; ks->n_bytes += buf->len; dmsg(D_TLS_KEYSELECT, "TLS: tls_pre_decrypt, key_id=%d, IP=%s", key_id, print_link_socket_actual(from, &gc)); gc_free(&gc); return ret; } } msg(D_TLS_ERRORS, "TLS Error: local/remote TLS keys are out of sync: %s [%d]", print_link_socket_actual(from, &gc), key_id); goto error_lite; } else /* control channel packet */ { bool do_burst = false; bool new_link = false; struct session_id sid; /* remote session ID */ /* verify legal opcode */ if (op < P_FIRST_OPCODE || op > P_LAST_OPCODE) { msg(D_TLS_ERRORS, "TLS Error: unknown opcode received from %s op=%d", print_link_socket_actual(from, &gc), op); goto error; } /* hard reset ? */ if (is_hard_reset(op, 0)) { /* verify client -> server or server -> client connection */ if (((op == P_CONTROL_HARD_RESET_CLIENT_V1 || op == P_CONTROL_HARD_RESET_CLIENT_V2) && !multi->opt.server) || ((op == P_CONTROL_HARD_RESET_SERVER_V1 || op == P_CONTROL_HARD_RESET_SERVER_V2) && multi->opt.server)) { msg(D_TLS_ERRORS, "TLS Error: client->client or server->server connection attempted from %s", print_link_socket_actual(from, &gc)); goto error; } } /* * Authenticate Packet */ dmsg(D_TLS_DEBUG, "TLS: control channel, op=%s, IP=%s", packet_opcode_name(op), print_link_socket_actual(from, &gc)); /* get remote session-id */ { struct buffer tmp = *buf; buf_advance(&tmp, 1); if (!session_id_read(&sid, &tmp) || !session_id_defined(&sid)) { msg(D_TLS_ERRORS, "TLS Error: session-id not found in packet from %s", print_link_socket_actual(from, &gc)); goto error; } } /* use session ID to match up packet with appropriate tls_session object */ for (i = 0; i < TM_SIZE; ++i) { struct tls_session *session = &multi->session[i]; struct key_state *ks = &session->key[KS_PRIMARY]; dmsg(D_TLS_DEBUG, "TLS: initial packet test, i=%d state=%s, mysid=%s, rec-sid=%s, rec-ip=%s, stored-sid=%s, stored-ip=%s", i, state_name(ks->state), session_id_print(&session->session_id, &gc), session_id_print(&sid, &gc), print_link_socket_actual(from, &gc), session_id_print(&ks->session_id_remote, &gc), print_link_socket_actual(&ks->remote_addr, &gc)); if (session_id_equal(&ks->session_id_remote, &sid)) /* found a match */ { if (i == TM_LAME_DUCK) { msg(D_TLS_ERRORS, "TLS ERROR: received control packet with stale session-id=%s", session_id_print(&sid, &gc)); goto error; } dmsg(D_TLS_DEBUG, "TLS: found match, session[%d], sid=%s", i, session_id_print(&sid, &gc)); break; } } /* * Initial packet received. */ if (i == TM_SIZE && is_hard_reset(op, 0)) { struct tls_session *session = &multi->session[TM_ACTIVE]; struct key_state *ks = &session->key[KS_PRIMARY]; if (!is_hard_reset(op, multi->opt.key_method)) { msg(D_TLS_ERRORS, "TLS ERROR: initial packet local/remote key_method mismatch, local key_method=%d, op=%s", multi->opt.key_method, packet_opcode_name(op)); goto error; } /* * If we have no session currently in progress, the initial packet will * open a new session in TM_ACTIVE rather than TM_UNTRUSTED. */ if (!session_id_defined(&ks->session_id_remote)) { if (multi->opt.single_session && multi->n_sessions) { msg(D_TLS_ERRORS, "TLS Error: Cannot accept new session request from %s due to session context expire or --single-session [1]", print_link_socket_actual(from, &gc)); goto error; } #ifdef ENABLE_MANAGEMENT if (management) { management_set_state(management, OPENVPN_STATE_AUTH, NULL, NULL, NULL, NULL, NULL); } #endif msg(D_TLS_DEBUG_LOW, "TLS: Initial packet from %s, sid=%s", print_link_socket_actual(from, &gc), session_id_print(&sid, &gc)); do_burst = true; new_link = true; i = TM_ACTIVE; session->untrusted_addr = *from; } } if (i == TM_SIZE && is_hard_reset(op, 0)) { /* * No match with existing sessions, * probably a new session. */ struct tls_session *session = &multi->session[TM_UNTRUSTED]; /* * If --single-session, don't allow any hard-reset connection request * unless it the the first packet of the session. */ if (multi->opt.single_session) { msg(D_TLS_ERRORS, "TLS Error: Cannot accept new session request from %s due to session context expire or --single-session [2]", print_link_socket_actual(from, &gc)); goto error; } if (!is_hard_reset(op, multi->opt.key_method)) { msg(D_TLS_ERRORS, "TLS ERROR: new session local/remote key_method mismatch, local key_method=%d, op=%s", multi->opt.key_method, packet_opcode_name(op)); goto error; } if (!read_control_auth(buf, &session->tls_wrap, from)) { goto error; } /* * New session-initiating control packet is authenticated at this point, * assuming that the --tls-auth command line option was used. * * Without --tls-auth, we leave authentication entirely up to TLS. */ msg(D_TLS_DEBUG_LOW, "TLS: new session incoming connection from %s", print_link_socket_actual(from, &gc)); new_link = true; i = TM_UNTRUSTED; session->untrusted_addr = *from; } else { struct tls_session *session = &multi->session[i]; struct key_state *ks = &session->key[KS_PRIMARY]; /* * Packet must belong to an existing session. */ if (i != TM_ACTIVE && i != TM_UNTRUSTED) { msg(D_TLS_ERRORS, "TLS Error: Unroutable control packet received from %s (si=%d op=%s)", print_link_socket_actual(from, &gc), i, packet_opcode_name(op)); goto error; } /* * Verify remote IP address */ if (!new_link && !link_socket_actual_match(&ks->remote_addr, from)) { msg(D_TLS_ERRORS, "TLS Error: Received control packet from unexpected IP addr: %s", print_link_socket_actual(from, &gc)); goto error; } /* * Remote is requesting a key renegotiation */ if (op == P_CONTROL_SOFT_RESET_V1 && DECRYPT_KEY_ENABLED(multi, ks)) { if (!read_control_auth(buf, &session->tls_wrap, from)) { goto error; } key_state_soft_reset(session); dmsg(D_TLS_DEBUG, "TLS: received P_CONTROL_SOFT_RESET_V1 s=%d sid=%s", i, session_id_print(&sid, &gc)); } else { /* * Remote responding to our key renegotiation request? */ if (op == P_CONTROL_SOFT_RESET_V1) { do_burst = true; } if (!read_control_auth(buf, &session->tls_wrap, from)) { goto error; } dmsg(D_TLS_DEBUG, "TLS: received control channel packet s#=%d sid=%s", i, session_id_print(&sid, &gc)); } } /* * We have an authenticated packet (if --tls-auth was set). * Now pass to our reliability level which deals with * packet acknowledgements, retransmits, sequencing, etc. */ { struct tls_session *session = &multi->session[i]; struct key_state *ks = &session->key[KS_PRIMARY]; /* Make sure we were initialized and that we're not in an error state */ ASSERT(ks->state != S_UNDEF); ASSERT(ks->state != S_ERROR); ASSERT(session_id_defined(&session->session_id)); /* Let our caller know we processed a control channel packet */ ret = true; /* * Set our remote address and remote session_id */ if (new_link) { ks->session_id_remote = sid; ks->remote_addr = *from; ++multi->n_sessions; } else if (!link_socket_actual_match(&ks->remote_addr, from)) { msg(D_TLS_ERRORS, "TLS Error: Existing session control channel packet from unknown IP address: %s", print_link_socket_actual(from, &gc)); goto error; } /* * Should we do a retransmit of all unacknowledged packets in * the send buffer? This improves the start-up efficiency of the * initial key negotiation after the 2nd peer comes online. */ if (do_burst && !session->burst) { reliable_schedule_now(ks->send_reliable); session->burst = true; } /* Check key_id */ if (ks->key_id != key_id) { msg(D_TLS_ERRORS, "TLS ERROR: local/remote key IDs out of sync (%d/%d) ID: %s", ks->key_id, key_id, print_key_id(multi, &gc)); goto error; } /* * Process incoming ACKs for packets we can now * delete from reliable send buffer */ { /* buffers all packet IDs to delete from send_reliable */ struct reliable_ack send_ack; send_ack.len = 0; if (!reliable_ack_read(&send_ack, buf, &session->session_id)) { msg(D_TLS_ERRORS, "TLS Error: reading acknowledgement record from packet"); goto error; } reliable_send_purge(ks->send_reliable, &send_ack); } if (op != P_ACK_V1 && reliable_can_get(ks->rec_reliable)) { packet_id_type id; /* Extract the packet ID from the packet */ if (reliable_ack_read_packet_id(buf, &id)) { /* Avoid deadlock by rejecting packet that would de-sequentialize receive buffer */ if (reliable_wont_break_sequentiality(ks->rec_reliable, id)) { if (reliable_not_replay(ks->rec_reliable, id)) { /* Save incoming ciphertext packet to reliable buffer */ struct buffer *in = reliable_get_buf(ks->rec_reliable); ASSERT(in); if(!buf_copy(in, buf)) { msg(D_MULTI_DROPPED, "Incoming control channel packet too big, dropping."); goto error; } reliable_mark_active_incoming(ks->rec_reliable, in, id, op); } /* Process outgoing acknowledgment for packet just received, even if it's a replay */ reliable_ack_acknowledge_packet_id(ks->rec_ack, id); } } } } } } done: buf->len = 0; *opt = NULL; gc_free(&gc); return ret; error: ++multi->n_soft_errors; error_lite: tls_clear_error(); goto done; } /* * This function is similar to tls_pre_decrypt, except it is called * when we are in server mode and receive an initial incoming * packet. Note that we don't modify * any state in our parameter objects. The purpose is solely to * determine whether we should generate a client instance * object, in which case true is returned. * * This function is essentially the first-line HMAC firewall * on the UDP port listener in --mode server mode. */ bool tls_pre_decrypt_lite(const struct tls_auth_standalone *tas, const struct link_socket_actual *from, const struct buffer *buf) { struct gc_arena gc = gc_new(); bool ret = false; if (buf->len > 0) { int op; int key_id; /* get opcode and key ID */ { uint8_t c = *BPTR(buf); op = c >> P_OPCODE_SHIFT; key_id = c & P_KEY_ID_MASK; } /* this packet is from an as-yet untrusted source, so * scrutinize carefully */ if (op != P_CONTROL_HARD_RESET_CLIENT_V2) { /* * This can occur due to bogus data or DoS packets. */ dmsg(D_TLS_STATE_ERRORS, "TLS State Error: No TLS state for client %s, opcode=%d", print_link_socket_actual(from, &gc), op); goto error; } if (key_id != 0) { dmsg(D_TLS_STATE_ERRORS, "TLS State Error: Unknown key ID (%d) received from %s -- 0 was expected", key_id, print_link_socket_actual(from, &gc)); goto error; } if (buf->len > EXPANDED_SIZE_DYNAMIC(&tas->frame)) { dmsg(D_TLS_STATE_ERRORS, "TLS State Error: Large packet (size %d) received from %s -- a packet no larger than %d bytes was expected", buf->len, print_link_socket_actual(from, &gc), EXPANDED_SIZE_DYNAMIC(&tas->frame)); goto error; } { struct buffer newbuf = clone_buf(buf); struct tls_wrap_ctx tls_wrap_tmp = tas->tls_wrap; bool status; /* HMAC test, if --tls-auth was specified */ status = read_control_auth(&newbuf, &tls_wrap_tmp, from); free_buf(&newbuf); if (!status) { goto error; } /* * At this point, if --tls-auth is being used, we know that * the packet has passed the HMAC test, but we don't know if * it is a replay yet. We will attempt to defeat replays * by not advancing to the S_START state until we * receive an ACK from our first reply to the client * that includes an HMAC of our randomly generated 64 bit * session ID. * * On the other hand if --tls-auth is not being used, we * will proceed to begin the TLS authentication * handshake with only cursory integrity checks having * been performed, since we will be leaving the task * of authentication solely up to TLS. */ ret = true; } } gc_free(&gc); return ret; error: tls_clear_error(); gc_free(&gc); return ret; } /* Choose the key with which to encrypt a data packet */ void tls_pre_encrypt(struct tls_multi *multi, struct buffer *buf, struct crypto_options **opt) { multi->save_ks = NULL; if (buf->len > 0) { int i; struct key_state *ks_select = NULL; for (i = 0; i < KEY_SCAN_SIZE; ++i) { struct key_state *ks = multi->key_scan[i]; if (ks->state >= S_ACTIVE && ks->authenticated && ks->crypto_options.key_ctx_bi.initialized #ifdef ENABLE_DEF_AUTH && !ks->auth_deferred #endif ) { if (!ks_select) { ks_select = ks; } if (now >= ks->auth_deferred_expire) { ks_select = ks; break; } } } if (ks_select) { *opt = &ks_select->crypto_options; multi->save_ks = ks_select; dmsg(D_TLS_KEYSELECT, "TLS: tls_pre_encrypt: key_id=%d", ks_select->key_id); return; } else { struct gc_arena gc = gc_new(); dmsg(D_TLS_KEYSELECT, "TLS Warning: no data channel send key available: %s", print_key_id(multi, &gc)); gc_free(&gc); } } buf->len = 0; *opt = NULL; } void tls_prepend_opcode_v1(const struct tls_multi *multi, struct buffer *buf) { struct key_state *ks = multi->save_ks; uint8_t op; msg(D_TLS_DEBUG, __func__); ASSERT(ks); op = (P_DATA_V1 << P_OPCODE_SHIFT) | ks->key_id; ASSERT(buf_write_prepend(buf, &op, 1)); } void tls_prepend_opcode_v2(const struct tls_multi *multi, struct buffer *buf) { struct key_state *ks = multi->save_ks; uint32_t peer; msg(D_TLS_DEBUG, __func__); ASSERT(ks); peer = htonl(((P_DATA_V2 << P_OPCODE_SHIFT) | ks->key_id) << 24 | (multi->peer_id & 0xFFFFFF)); ASSERT(buf_write_prepend(buf, &peer, 4)); } void tls_post_encrypt(struct tls_multi *multi, struct buffer *buf) { struct key_state *ks = multi->save_ks; multi->save_ks = NULL; if (buf->len > 0) { ASSERT(ks); ++ks->n_packets; ks->n_bytes += buf->len; } } /* * Send a payload over the TLS control channel. * Called externally. */ bool tls_send_payload(struct tls_multi *multi, const uint8_t *data, int size) { struct tls_session *session; struct key_state *ks; bool ret = false; tls_clear_error(); ASSERT(multi); session = &multi->session[TM_ACTIVE]; ks = &session->key[KS_PRIMARY]; if (ks->state >= S_ACTIVE) { if (key_state_write_plaintext_const(&ks->ks_ssl, data, size) == 1) { ret = true; } } else { if (!ks->paybuf) { ks->paybuf = buffer_list_new(0); } buffer_list_push_data(ks->paybuf, data, (size_t)size); ret = true; } tls_clear_error(); return ret; } bool tls_rec_payload(struct tls_multi *multi, struct buffer *buf) { struct tls_session *session; struct key_state *ks; bool ret = false; tls_clear_error(); ASSERT(multi); session = &multi->session[TM_ACTIVE]; ks = &session->key[KS_PRIMARY]; if (ks->state >= S_ACTIVE && BLEN(&ks->plaintext_read_buf)) { if (buf_copy(buf, &ks->plaintext_read_buf)) { ret = true; } ks->plaintext_read_buf.len = 0; } tls_clear_error(); return ret; } void tls_update_remote_addr(struct tls_multi *multi, const struct link_socket_actual *addr) { struct gc_arena gc = gc_new(); int i, j; for (i = 0; i < TM_SIZE; ++i) { struct tls_session *session = &multi->session[i]; for (j = 0; j < KS_SIZE; ++j) { struct key_state *ks = &session->key[j]; if (!link_socket_actual_defined(&ks->remote_addr) || link_socket_actual_match(addr, &ks->remote_addr)) { continue; } dmsg(D_TLS_KEYSELECT, "TLS: tls_update_remote_addr from IP=%s to IP=%s", print_link_socket_actual(&ks->remote_addr, &gc), print_link_socket_actual(addr, &gc)); ks->remote_addr = *addr; } } gc_free(&gc); } int tls_peer_info_ncp_ver(const char *peer_info) { const char *ncpstr = peer_info ? strstr(peer_info, "IV_NCP=") : NULL; if (ncpstr) { int ncp = 0; int r = sscanf(ncpstr, "IV_NCP=%d", &ncp); if (r == 1) { return ncp; } } return 0; } bool tls_check_ncp_cipher_list(const char *list) { bool unsupported_cipher_found = false; ASSERT(list); char *const tmp_ciphers = string_alloc(list, NULL); const char *token = strtok(tmp_ciphers, ":"); while (token) { if (!cipher_kt_get(translate_cipher_name_from_openvpn(token))) { msg(M_WARN, "Unsupported cipher in --ncp-ciphers: %s", token); unsupported_cipher_found = true; } token = strtok(NULL, ":"); } free(tmp_ciphers); return 0 < strlen(list) && !unsupported_cipher_found; } /* * Dump a human-readable rendition of an openvpn packet * into a garbage collectable string which is returned. */ const char * protocol_dump(struct buffer *buffer, unsigned int flags, struct gc_arena *gc) { struct buffer out = alloc_buf_gc(256, gc); struct buffer buf = *buffer; uint8_t c; int op; int key_id; int tls_auth_hmac_size = (flags & PD_TLS_AUTH_HMAC_SIZE_MASK); if (buf.len <= 0) { buf_printf(&out, "DATA UNDEF len=%d", buf.len); goto done; } if (!(flags & PD_TLS)) { goto print_data; } /* * Initial byte (opcode) */ if (!buf_read(&buf, &c, sizeof(c))) { goto done; } op = (c >> P_OPCODE_SHIFT); key_id = c & P_KEY_ID_MASK; buf_printf(&out, "%s kid=%d", packet_opcode_name(op), key_id); if ((op == P_DATA_V1) || (op == P_DATA_V2)) { goto print_data; } /* * Session ID */ { struct session_id sid; if (!session_id_read(&sid, &buf)) { goto done; } if (flags & PD_VERBOSE) { buf_printf(&out, " sid=%s", session_id_print(&sid, gc)); } } /* * tls-auth hmac + packet_id */ if (tls_auth_hmac_size) { struct packet_id_net pin; uint8_t tls_auth_hmac[MAX_HMAC_KEY_LENGTH]; ASSERT(tls_auth_hmac_size <= MAX_HMAC_KEY_LENGTH); if (!buf_read(&buf, tls_auth_hmac, tls_auth_hmac_size)) { goto done; } if (flags & PD_VERBOSE) { buf_printf(&out, " tls_hmac=%s", format_hex(tls_auth_hmac, tls_auth_hmac_size, 0, gc)); } if (!packet_id_read(&pin, &buf, true)) { goto done; } buf_printf(&out, " pid=%s", packet_id_net_print(&pin, (flags & PD_VERBOSE), gc)); } /* * ACK list */ buf_printf(&out, " %s", reliable_ack_print(&buf, (flags & PD_VERBOSE), gc)); if (op == P_ACK_V1) { goto done; } /* * Packet ID */ { packet_id_type l; if (!buf_read(&buf, &l, sizeof(l))) { goto done; } l = ntohpid(l); buf_printf(&out, " pid=" packet_id_format, (packet_id_print_type)l); } print_data: if (flags & PD_SHOW_DATA) { buf_printf(&out, " DATA %s", format_hex(BPTR(&buf), BLEN(&buf), 80, gc)); } else { buf_printf(&out, " DATA len=%d", buf.len); } done: return BSTR(&out); } void delayed_auth_pass_purge(void) { auth_user_pass.wait_for_push = false; purge_user_pass(&auth_user_pass, false); } #else /* if defined(ENABLE_CRYPTO) */ static void dummy(void) { } #endif /* ENABLE_CRYPTO */ openvpn-2.4.4/src/openvpn/ssl.h000066400000000000000000000465271316434344000164540ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * Copyright (C) 2010-2017 Fox Crypto B.V. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ /** * @file Control Channel SSL/Data channel negotiation module */ #ifndef OPENVPN_SSL_H #define OPENVPN_SSL_H #if defined(ENABLE_CRYPTO) #include "basic.h" #include "common.h" #include "crypto.h" #include "packet_id.h" #include "session_id.h" #include "reliable.h" #include "socket.h" #include "mtu.h" #include "options.h" #include "plugin.h" #include "ssl_common.h" #include "ssl_backend.h" /* Used in the TLS PRF function */ #define KEY_EXPANSION_ID "OpenVPN" /* packet opcode (high 5 bits) and key-id (low 3 bits) are combined in one byte */ #define P_KEY_ID_MASK 0x07 #define P_OPCODE_SHIFT 3 /* packet opcodes -- the V1 is intended to allow protocol changes in the future */ #define P_CONTROL_HARD_RESET_CLIENT_V1 1 /* initial key from client, forget previous state */ #define P_CONTROL_HARD_RESET_SERVER_V1 2 /* initial key from server, forget previous state */ #define P_CONTROL_SOFT_RESET_V1 3 /* new key, graceful transition from old to new key */ #define P_CONTROL_V1 4 /* control channel packet (usually TLS ciphertext) */ #define P_ACK_V1 5 /* acknowledgement for packets received */ #define P_DATA_V1 6 /* data channel packet */ #define P_DATA_V2 9 /* data channel packet with peer-id */ /* indicates key_method >= 2 */ #define P_CONTROL_HARD_RESET_CLIENT_V2 7 /* initial key from client, forget previous state */ #define P_CONTROL_HARD_RESET_SERVER_V2 8 /* initial key from server, forget previous state */ /* define the range of legal opcodes */ #define P_FIRST_OPCODE 1 #define P_LAST_OPCODE 9 /* * Set the max number of acknowledgments that can "hitch a ride" on an outgoing * non-P_ACK_V1 control packet. */ #define CONTROL_SEND_ACK_MAX 4 /* * Define number of buffers for send and receive in the reliability layer. */ #define TLS_RELIABLE_N_SEND_BUFFERS 4 /* also window size for reliablity layer */ #define TLS_RELIABLE_N_REC_BUFFERS 8 /* * Various timeouts */ #define TLS_MULTI_REFRESH 15 /* call tls_multi_process once every n seconds */ #define TLS_MULTI_HORIZON 2 /* call tls_multi_process frequently for n seconds after * every packet sent/received action */ /* * The SSL/TLS worker thread will wait at most this many seconds for the * interprocess communication pipe to the main thread to be ready to accept * writes. */ #define TLS_MULTI_THREAD_SEND_TIMEOUT 5 /* Interval that tls_multi_process should call tls_authentication_status */ #define TLS_MULTI_AUTH_STATUS_INTERVAL 10 /* * Buffer sizes (also see mtu.h). */ /* Maximum length of OCC options string passed as part of auth handshake */ #define TLS_OPTIONS_LEN 512 /* Default field in X509 to be username */ #define X509_USERNAME_FIELD_DEFAULT "CN" /* * Range of key exchange methods */ #define KEY_METHOD_MIN 1 #define KEY_METHOD_MAX 2 /* key method taken from lower 4 bits */ #define KEY_METHOD_MASK 0x0F /* * Measure success rate of TLS handshakes, for debugging only */ /* #define MEASURE_TLS_HANDSHAKE_STATS */ /* * Used in --mode server mode to check tls-auth signature on initial * packets received from new clients. */ struct tls_auth_standalone { struct tls_wrap_ctx tls_wrap; struct frame frame; }; /* * Prepare the SSL library for use */ void init_ssl_lib(void); /* * Free any internal state that the SSL library might have */ void free_ssl_lib(void); /** * Build master SSL context object that serves for the whole of OpenVPN * instantiation */ void init_ssl(const struct options *options, struct tls_root_ctx *ctx); /** @addtogroup control_processor * @{ */ /** @name Functions for initialization and cleanup of tls_multi structures * @{ */ /** * Allocate and initialize a \c tls_multi structure. * @ingroup control_processor * * This function allocates a new \c tls_multi structure, and performs some * amount of initialization. Afterwards, the \c tls_multi_init_finalize() * function must be called to finalize the structure's initialization * process. * * @param tls_options - The configuration options to be used for this VPN * tunnel. * * @return A newly allocated and initialized \c tls_multi structure. */ struct tls_multi *tls_multi_init(struct tls_options *tls_options); /** * Finalize initialization of a \c tls_multi structure. * @ingroup control_processor * * This function initializes the \c TM_ACTIVE \c tls_session, and in * server mode also the \c TM_UNTRUSTED \c tls_session, associated with * this \c tls_multi structure. It also configures the control channel's * \c frame structure based on the data channel's \c frame given in * argument \a frame. * * @param multi - The \c tls_multi structure of which to finalize * initialization. * @param frame - The data channel's \c frame structure. */ void tls_multi_init_finalize(struct tls_multi *multi, const struct frame *frame); /* * Initialize a standalone tls-auth verification object. */ struct tls_auth_standalone *tls_auth_standalone_init(struct tls_options *tls_options, struct gc_arena *gc); /* * Finalize a standalone tls-auth verification object. */ void tls_auth_standalone_finalize(struct tls_auth_standalone *tas, const struct frame *frame); /* * Set local and remote option compatibility strings. * Used to verify compatibility of local and remote option * sets. */ void tls_multi_init_set_options(struct tls_multi *multi, const char *local, const char *remote); /** * Cleanup a \c tls_multi structure and free associated memory * allocations. * @ingroup control_processor * * This function cleans up a \c tls_multi structure. This includes * cleaning up all associated \c tls_session structures. * * @param multi - The \c tls_multi structure to clean up in free. * @param clear - Whether the memory allocated for the \a multi * object should be overwritten with 0s. */ void tls_multi_free(struct tls_multi *multi, bool clear); /** @} name Functions for initialization and cleanup of tls_multi structures */ /** @} addtogroup control_processor */ #define TLSMP_INACTIVE 0 #define TLSMP_ACTIVE 1 #define TLSMP_KILL 2 /* * Called by the top-level event loop. * * Basically decides if we should call tls_process for * the active or untrusted sessions. */ int tls_multi_process(struct tls_multi *multi, struct buffer *to_link, struct link_socket_actual **to_link_addr, struct link_socket_info *to_link_socket_info, interval_t *wakeup); /**************************************************************************/ /** * Determine whether an incoming packet is a data channel or control * channel packet, and process accordingly. * @ingroup external_multiplexer * * When OpenVPN is in TLS mode, this is the first function to process an * incoming packet. It inspects the packet's one-byte header which * contains the packet's opcode and key ID. Depending on the opcode, the * packet is processed as a data channel or as a control channel packet. * * @par Data channel packets * * If the opcode indicates the packet is a data channel packet, then the * packet's key ID is used to find the local TLS state it is associated * with. This state is checked whether it is active, authenticated, and * its remote peer is the source of this packet. If these checks passed, * the state's security parameters are loaded into the \a opt crypto * options so that \p openvpn_decrypt() can later use them to authenticate * and decrypt the packet. * * This function then returns false. The \a buf buffer has not been * modified, except for removing the header. * * @par Control channel packets * * If the opcode indicates the packet is a control channel packet, then * this function will process it based on its plaintext header. depending * on the packet's opcode and session ID this function determines if it is * destined for an active TLS session, or whether a new TLS session should * be started. This function also initiates data channel session key * renegotiation if the received opcode requests that. * * If the incoming packet is destined for an active TLS session, then the * packet is inserted into the Reliability Layer and will be handled * later. * * @param multi - The TLS multi structure associated with the VPN tunnel * of this packet. * @param from - The source address of the packet. * @param buf - A buffer structure containing the incoming packet. * @param opt - Returns a crypto options structure with the appropriate security * parameters to handle the packet if it is a data channel packet. * @param ad_start - Returns a pointer to the start of the authenticated data of * of this packet * * @return * @li True if the packet is a control channel packet that has been * processed successfully. * @li False if the packet is a data channel packet, or if an error * occurred during processing of a control channel packet. */ bool tls_pre_decrypt(struct tls_multi *multi, const struct link_socket_actual *from, struct buffer *buf, struct crypto_options **opt, bool floated, const uint8_t **ad_start); /**************************************************************************/ /** @name Functions for managing security parameter state for data channel packets * @{ */ /** * Inspect an incoming packet for which no VPN tunnel is active, and * determine whether a new VPN tunnel should be created. * @ingroup data_crypto * * This function receives the initial incoming packet from a client that * wishes to establish a new VPN tunnel, and determines the packet is a * valid initial packet. It is only used when OpenVPN is running in * server mode. * * The tests performed by this function are whether the packet's opcode is * correct for establishing a new VPN tunnel, whether its key ID is 0, and * whether its size is not too large. This function also performs the * initial HMAC firewall test, if configured to do so. * * The incoming packet and the local VPN tunnel state are not modified by * this function. Its sole purpose is to inspect the packet and determine * whether a new VPN tunnel should be created. If so, that new VPN tunnel * instance will handle processing of the packet. * * @param tas - The standalone TLS authentication setting structure for * this process. * @param from - The source address of the packet. * @param buf - A buffer structure containing the incoming packet. * * @return * @li True if the packet is valid and a new VPN tunnel should be created * for this client. * @li False if the packet is not valid, did not pass the HMAC firewall * test, or some other error occurred. */ bool tls_pre_decrypt_lite(const struct tls_auth_standalone *tas, const struct link_socket_actual *from, const struct buffer *buf); /** * Choose the appropriate security parameters with which to process an * outgoing packet. * @ingroup data_crypto * * If no appropriate security parameters can be found, or if some other * error occurs, then the buffer is set to empty, and the parameters to a NULL * pointer. * * @param multi - The TLS state for this packet's destination VPN tunnel. * @param buf - The buffer containing the outgoing packet. * @param opt - Returns a crypto options structure with the security parameters. */ void tls_pre_encrypt(struct tls_multi *multi, struct buffer *buf, struct crypto_options **opt); /** * Prepend a one-byte OpenVPN data channel P_DATA_V1 opcode to the packet. * * The opcode identifies the packet as a V1 data channel packet and gives the * low-permutation version of the key-id to the recipient, so it knows which * decrypt key to use. * * @param multi - The TLS state for this packet's destination VPN tunnel. * @param buf - The buffer to write the header to. * * @ingroup data_crypto */ void tls_prepend_opcode_v1(const struct tls_multi *multi, struct buffer *buf); /** * Prepend an OpenVPN data channel P_DATA_V2 header to the packet. The * P_DATA_V2 header consists of a 1-byte opcode, followed by a 3-byte peer-id. * * The opcode identifies the packet as a V2 data channel packet and gives the * low-permutation version of the key-id to the recipient, so it knows which * decrypt key to use. * * The peer-id is sent by clients to servers to help the server determine to * select the decrypt key when the client is roaming between addresses/ports. * * @param multi - The TLS state for this packet's destination VPN tunnel. * @param buf - The buffer to write the header to. * * @ingroup data_crypto */ void tls_prepend_opcode_v2(const struct tls_multi *multi, struct buffer *buf); /** * Perform some accounting for the key state used. * @ingroup data_crypto * * @param multi - The TLS state for this packet's destination VPN tunnel. * @param buf - The buffer containing the outgoing packet. */ void tls_post_encrypt(struct tls_multi *multi, struct buffer *buf); /** @} name Functions for managing security parameter state for data channel packets */ /* * Setup private key file password. If auth_file is given, use the * credentials stored in the file. */ void pem_password_setup(const char *auth_file); /* * Setup authentication username and password. If auth_file is given, use the * credentials stored in the file. */ void auth_user_pass_setup(const char *auth_file, const struct static_challenge_info *sc_info); /* * Ensure that no caching is performed on authentication information */ void ssl_set_auth_nocache(void); /* * Purge any stored authentication information, both for key files and tunnel * authentication. If PCKS #11 is enabled, purge authentication for that too. */ void ssl_purge_auth(const bool auth_user_pass_only); void ssl_set_auth_token(const char *token); #ifdef ENABLE_CLIENT_CR /* * ssl_get_auth_challenge will parse the server-pushed auth-failed * reason string and return a dynamically allocated * auth_challenge_info struct. */ void ssl_purge_auth_challenge(void); void ssl_put_auth_challenge(const char *cr_str); #endif /* * Reserve any extra space required on frames. */ void tls_adjust_frame_parameters(struct frame *frame); /* * Send a payload over the TLS control channel */ bool tls_send_payload(struct tls_multi *multi, const uint8_t *data, int size); /* * Receive a payload through the TLS control channel */ bool tls_rec_payload(struct tls_multi *multi, struct buffer *buf); /** * Updates remote address in TLS sessions. * * @param multi - Tunnel to update * @param addr - new address */ void tls_update_remote_addr(struct tls_multi *multi, const struct link_socket_actual *addr); /** * Update TLS session crypto parameters (cipher and auth) and derive data * channel keys based on the supplied options. * * @param session The TLS session to update. * @param options The options to use when updating session. * @param frame The frame options for this session (frame overhead is * adjusted based on the selected cipher/auth). * * @return true if updating succeeded, false otherwise. */ bool tls_session_update_crypto_params(struct tls_session *session, struct options *options, struct frame *frame); /** * "Poor man's NCP": Use peer cipher if it is an allowed (NCP) cipher. * Allows non-NCP peers to upgrade their cipher individually. * * Make sure to call tls_session_update_crypto_params() after calling this * function. */ void tls_poor_mans_ncp(struct options *o, const char *remote_ciphername); #ifdef MANAGEMENT_DEF_AUTH static inline char * tls_get_peer_info(const struct tls_multi *multi) { return multi->peer_info; } #endif /** * Return the Negotiable Crypto Parameters version advertised in the peer info * string, or 0 if none specified. */ int tls_peer_info_ncp_ver(const char *peer_info); /** * Check whether the ciphers in the supplied list are supported. * * @param list Colon-separated list of ciphers * * @returns true iff all ciphers in list are supported. */ bool tls_check_ncp_cipher_list(const char *list); /** * Return true iff item is present in the colon-separated zero-terminated * cipher list. */ bool tls_item_in_cipher_list(const char *item, const char *list); /* * inline functions */ static inline bool tls_initial_packet_received(const struct tls_multi *multi) { return multi->n_sessions > 0; } static inline bool tls_test_auth_deferred_interval(const struct tls_multi *multi) { if (multi) { const struct key_state *ks = &multi->session[TM_ACTIVE].key[KS_PRIMARY]; return now < ks->auth_deferred_expire; } return false; } static inline int tls_test_payload_len(const struct tls_multi *multi) { if (multi) { const struct key_state *ks = &multi->session[TM_ACTIVE].key[KS_PRIMARY]; if (ks->state >= S_ACTIVE) { return BLEN(&ks->plaintext_read_buf); } } return 0; } static inline void tls_set_single_session(struct tls_multi *multi) { if (multi) { multi->opt.single_session = true; } } /* * protocol_dump() flags */ #define PD_TLS_AUTH_HMAC_SIZE_MASK 0xFF #define PD_SHOW_DATA (1<<8) #define PD_TLS (1<<9) #define PD_VERBOSE (1<<10) const char *protocol_dump(struct buffer *buffer, unsigned int flags, struct gc_arena *gc); /* * debugging code */ #ifdef MEASURE_TLS_HANDSHAKE_STATS void show_tls_performance_stats(void); #endif /*#define EXTRACT_X509_FIELD_TEST*/ void extract_x509_field_test(void); /** * Given a key_method, return true if opcode represents the required form of * hard_reset. * * If key_method == 0, return true if any form of hard reset is used. */ bool is_hard_reset(int op, int key_method); void delayed_auth_pass_purge(void); #endif /* ENABLE_CRYPTO */ #endif /* ifndef OPENVPN_SSL_H */ openvpn-2.4.4/src/openvpn/ssl_backend.h000066400000000000000000000430231316434344000201070ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * Copyright (C) 2010-2017 Fox Crypto B.V. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ /** * @file Control Channel SSL library backend module */ #ifndef SSL_BACKEND_H_ #define SSL_BACKEND_H_ #include "buffer.h" #ifdef ENABLE_CRYPTO_OPENSSL #include "ssl_openssl.h" #include "ssl_verify_openssl.h" #define SSLAPI SSLAPI_OPENSSL #endif #ifdef ENABLE_CRYPTO_MBEDTLS #include "ssl_mbedtls.h" #include "ssl_verify_mbedtls.h" #define SSLAPI SSLAPI_MBEDTLS #endif /* Ensure that SSLAPI got a sane value if SSL is disabled or unknown */ #ifndef SSLAPI #define SSLAPI SSLAPI_NONE #endif /** * prototype for struct tls_session from ssl_common.h */ struct tls_session; /** * Get a tls_cipher_name_pair containing OpenSSL and IANA names for supplied TLS cipher name * * @param cipher_name Can be either OpenSSL or IANA cipher name * @return tls_cipher_name_pair* if found, NULL otherwise */ typedef struct { const char *openssl_name; const char *iana_name; } tls_cipher_name_pair; const tls_cipher_name_pair *tls_get_cipher_name_pair(const char *cipher_name, size_t len); /* * * Functions implemented in ssl.c for use by the backend SSL library * */ /** * Callback to retrieve the user's password * * @param buf Buffer to return the password in * @param size Size of the buffer * @param rwflag Unused, needed for OpenSSL compatibility * @param u Unused, needed for OpenSSL compatibility */ int pem_password_callback(char *buf, int size, int rwflag, void *u); /* * * Functions used in ssl.c which must be implemented by the backend SSL library * */ /** * Perform any static initialisation necessary by the library. * Called on OpenVPN initialisation */ void tls_init_lib(void); /** * Free any global SSL library-specific data structures. */ void tls_free_lib(void); /** * Clear the underlying SSL library's error state. */ void tls_clear_error(void); /** * Parse a TLS version specifier * * @param vstr The TLS version string * @param extra An optional extra parameter, may be NULL * * @return One of the TLS_VER_x constants or TLS_VER_BAD * if a parse error should be flagged. */ #define TLS_VER_BAD -1 #define TLS_VER_UNSPEC 0 /* default */ #define TLS_VER_1_0 1 #define TLS_VER_1_1 2 #define TLS_VER_1_2 3 int tls_version_parse(const char *vstr, const char *extra); /** * Return the maximum TLS version (as a TLS_VER_x constant) * supported by current SSL implementation * * @return One of the TLS_VER_x constants (but not TLS_VER_BAD). */ int tls_version_max(void); #ifdef ENABLE_CRYPTO /** * Initialise a library-specific TLS context for a server. * * @param ctx TLS context to initialise */ void tls_ctx_server_new(struct tls_root_ctx *ctx); /** * Initialises a library-specific TLS context for a client. * * @param ctx TLS context to initialise */ void tls_ctx_client_new(struct tls_root_ctx *ctx); /** * Frees the library-specific TLSv1 context * * @param ctx TLS context to free */ void tls_ctx_free(struct tls_root_ctx *ctx); /** * Checks whether the given TLS context is initialised * * @param ctx TLS context to check * * @return true if the context is initialised, false if not. */ bool tls_ctx_initialised(struct tls_root_ctx *ctx); /** * Set any library specific options. * * Examples include disabling session caching, the password callback to use, * and session verification parameters. * * @param ctx TLS context to set options on * @param ssl_flags SSL flags to set */ void tls_ctx_set_options(struct tls_root_ctx *ctx, unsigned int ssl_flags); /** * Restrict the list of ciphers that can be used within the TLS context. * * @param ctx TLS context to restrict, must be valid. * @param ciphers String containing : delimited cipher names, or NULL to use * sane defaults. */ void tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers); /** * Check our certificate notBefore and notAfter fields, and warn if the cert is * either not yet valid or has expired. Note that this is a non-fatal error, * since we compare against the system time, which might be incorrect. * * @param ctx TLS context to get our certificate from. */ void tls_ctx_check_cert_time(const struct tls_root_ctx *ctx); /** * Load Diffie Hellman Parameters, and load them into the library-specific * TLS context. * * @param ctx TLS context to use * @param dh_file The file name to load the parameters from, or * "[[INLINE]]" in the case of inline files. * @param dh_file_inline A string containing the parameters */ void tls_ctx_load_dh_params(struct tls_root_ctx *ctx, const char *dh_file, const char *dh_file_inline); /** * Load Elliptic Curve Parameters, and load them into the library-specific * TLS context. * * @param ctx TLS context to use * @param curve_name The name of the elliptic curve to load. */ void tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name ); /** * Load PKCS #12 file for key, cert and (optionally) CA certs, and add to * library-specific TLS context. * * @param ctx TLS context to use * @param pkcs12_file The file name to load the information from, or * "[[INLINE]]" in the case of inline files. * @param pkcs12_file_inline A string containing the information * * @return 1 if an error occurred, 0 if parsing was * successful. */ int tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file, const char *pkcs12_file_inline, bool load_ca_file ); /** * Use Windows cryptoapi for key and cert, and add to library-specific TLS * context. * * @param ctx TLS context to use * @param crypto_api_cert String representing the certificate to load. */ #ifdef ENABLE_CRYPTOAPI void tls_ctx_load_cryptoapi(struct tls_root_ctx *ctx, const char *cryptoapi_cert); #endif /* _WIN32 */ /** * Load certificate file into the given TLS context. If the given certificate * file contains a certificate chain, load the whole chain. * * @param ctx TLS context to use * @param cert_file The file name to load the certificate from, or * "[[INLINE]]" in the case of inline files. * @param cert_file_inline A string containing the certificate */ void tls_ctx_load_cert_file(struct tls_root_ctx *ctx, const char *cert_file, const char *cert_file_inline); /** * Load private key file into the given TLS context. * * @param ctx TLS context to use * @param priv_key_file The file name to load the private key from, or * "[[INLINE]]" in the case of inline files. * @param priv_key_file_inline A string containing the private key * * @return 1 if an error occurred, 0 if parsing was * successful. */ int tls_ctx_load_priv_file(struct tls_root_ctx *ctx, const char *priv_key_file, const char *priv_key_file_inline ); #ifdef MANAGMENT_EXTERNAL_KEY /** * Tell the management interface to load the given certificate and the external * private key matching the given certificate. * * @param ctx TLS context to use * @param cert_file The file name to load the certificate from, or * "[[INLINE]]" in the case of inline files. * @param cert_file_inline A string containing the certificate * * @return 1 if an error occurred, 0 if parsing was * successful. */ int tls_ctx_use_external_private_key(struct tls_root_ctx *ctx, const char *cert_file, const char *cert_file_inline); #endif /** * Load certificate authority certificates from the given file or path. * * Note that not all SSL libraries support loading from a path. * * @param ctx TLS context to use * @param ca_file The file name to load the CAs from, or * "[[INLINE]]" in the case of inline files. * @param ca_file_inline A string containing the CAs * @param ca_path The path to load the CAs from */ void tls_ctx_load_ca(struct tls_root_ctx *ctx, const char *ca_file, const char *ca_file_inline, const char *ca_path, bool tls_server ); /** * Load extra certificate authority certificates from the given file or path. * These Load extra certificates that are part of our own certificate * chain but shouldn't be included in the verify chain. * * * @param ctx TLS context to use * @param extra_certs_file The file name to load the certs from, or * "[[INLINE]]" in the case of inline files. * @param extra_certs_file_inline A string containing the certs */ void tls_ctx_load_extra_certs(struct tls_root_ctx *ctx, const char *extra_certs_file, const char *extra_certs_file_inline ); #ifdef ENABLE_CRYPTO_MBEDTLS /** * Add a personalisation string to the mbed TLS RNG, based on the certificate * loaded into the given context. * * @param ctx TLS context to use */ void tls_ctx_personalise_random(struct tls_root_ctx *ctx); #endif /* ************************************** * * Key-state specific functions * ***************************************/ /** * Initialise the SSL channel part of the given key state. Settings will be * loaded from a previously initialised TLS context. * * @param ks_ssl The SSL channel's state info to initialise * @param ssl_ctx The TLS context to use when initialising the channel. * @param is_server Initialise a server? * @param session The session associated with the given key_state */ void key_state_ssl_init(struct key_state_ssl *ks_ssl, const struct tls_root_ctx *ssl_ctx, bool is_server, struct tls_session *session); /** * Free the SSL channel part of the given key state. * * @param ks_ssl The SSL channel's state info to free */ void key_state_ssl_free(struct key_state_ssl *ks_ssl); /** * Reload the Certificate Revocation List for the SSL channel * * @param ssl_ctx The TLS context to use when reloading the CRL * @param crl_file The file name to load the CRL from, or * "[[INLINE]]" in the case of inline files. * @param crl_inline A string containing the CRL */ void backend_tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx, const char *crl_file, const char *crl_inline); /** * Keying Material Exporters [RFC 5705] allows additional keying material to be * derived from existing TLS channel. This exported keying material can then be * used for a variety of purposes. * * @param ks_ssl The SSL channel's state info * @param session The session associated with the given key_state */ void key_state_export_keying_material(struct key_state_ssl *ks_ssl, struct tls_session *session) __attribute__((nonnull)); /**************************************************************************/ /** @addtogroup control_tls * @{ */ /** @name Functions for packets to be sent to a remote OpenVPN peer * @{ */ /** * Insert a plaintext buffer into the TLS module. * * After successfully processing the data, the data in \a buf is zeroized, * its length set to zero, and a value of \c 1 is returned. * * @param ks_ssl - The security parameter state for this %key * session. * @param buf - The plaintext message to process. * * @return The return value indicates whether the data was successfully * processed: * - \c 1: All the data was processed successfully. * - \c 0: The data was not processed, this function should be called * again later to retry. * - \c -1: An error occurred. */ int key_state_write_plaintext(struct key_state_ssl *ks_ssl, struct buffer *buf); /** * Insert plaintext data into the TLS module. * * @param ks_ssl - The security parameter state for this %key * session. * @param data - A pointer to the data to process. * @param len - The length in bytes of the data to process. * * @return The return value indicates whether the data was successfully * processed: * - \c 1: All the data was processed successfully. * - \c 0: The data was not processed, this function should be called * again later to retry. * - \c -1: An error occurred. */ int key_state_write_plaintext_const(struct key_state_ssl *ks_ssl, const uint8_t *data, int len); /** * Extract ciphertext data from the TLS module. * * If the \a buf buffer has a length other than zero, this function does * not perform any action and returns 0. * * @param ks_ssl - The security parameter state for this %key * session. * @param buf - A buffer in which to store the ciphertext. * @param maxlen - The maximum number of bytes to extract. * * @return The return value indicates whether the data was successfully * processed: * - \c 1: Data was extracted successfully. * - \c 0: No data was extracted, this function should be called again * later to retry. * - \c -1: An error occurred. */ int key_state_read_ciphertext(struct key_state_ssl *ks_ssl, struct buffer *buf, int maxlen); /** @} name Functions for packets to be sent to a remote OpenVPN peer */ /** @name Functions for packets received from a remote OpenVPN peer * @{ */ /** * Insert a ciphertext buffer into the TLS module. * * After successfully processing the data, the data in \a buf is zeroized, * its length set to zero, and a value of \c 1 is returned. * * @param ks_ssl - The security parameter state for this %key * session. * @param buf - The ciphertext message to process. * * @return The return value indicates whether the data was successfully * processed: * - \c 1: All the data was processed successfully. * - \c 0: The data was not processed, this function should be called * again later to retry. * - \c -1: An error occurred. */ int key_state_write_ciphertext(struct key_state_ssl *ks_ssl, struct buffer *buf); /** * Extract plaintext data from the TLS module. * * If the \a buf buffer has a length other than zero, this function does * not perform any action and returns 0. * * @param ks_ssl - The security parameter state for this %key * session. * @param buf - A buffer in which to store the plaintext. * @param maxlen - The maximum number of bytes to extract. * * @return The return value indicates whether the data was successfully * processed: * - \c 1: Data was extracted successfully. * - \c 0: No data was extracted, this function should be called again * later to retry. * - \c -1: An error occurred. */ int key_state_read_plaintext(struct key_state_ssl *ks_ssl, struct buffer *buf, int maxlen); /** @} name Functions for packets received from a remote OpenVPN peer */ /** @} addtogroup control_tls */ /* ************************************** * * Information functions * * Print information for the end user. * ***************************************/ /* * Print a one line summary of SSL/TLS session handshake. */ void print_details(struct key_state_ssl *ks_ssl, const char *prefix); /* * Show the TLS ciphers that are available for us to use in the OpenSSL * library. * * @param - list of allowed TLS cipher, or NULL. */ void show_available_tls_ciphers(const char *tls_ciphers); /* * Show the available elliptic curves in the crypto library */ void show_available_curves(void); /* * The OpenSSL library has a notion of preference in TLS ciphers. Higher * preference == more secure. Return the highest preference cipher. */ void get_highest_preference_tls_cipher(char *buf, int size); /** * return a pointer to a static memory area containing the * name and version number of the SSL library in use */ const char *get_ssl_library_version(void); #endif /* ENABLE_CRYPTO */ #endif /* SSL_BACKEND_H_ */ openvpn-2.4.4/src/openvpn/ssl_common.h000066400000000000000000000465401316434344000200170ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * Copyright (C) 2010-2017 Fox Crypto B.V. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ /** * @file Control Channel Common Data Structures */ #ifndef SSL_COMMON_H_ #define SSL_COMMON_H_ #include "session_id.h" #include "socket.h" #include "packet_id.h" #include "crypto.h" #include "options.h" #include "ssl_backend.h" /* passwords */ #define UP_TYPE_AUTH "Auth" #define UP_TYPE_PRIVATE_KEY "Private Key" /** @addtogroup control_processor * @{ */ /** * @name Control channel negotiation states * * These states represent the different phases of control channel * negotiation between OpenVPN peers. OpenVPN servers and clients * progress through the states in a different order, because of their * different roles during exchange of random material. The references to * the \c key_source2 structure in the list below is only valid if %key * method 2 is being used. See the \link key_generation data channel key * generation\endlink related page for more information. * * Clients follow this order: * -# \c S_INITIAL, ready to begin three-way handshake and control * channel negotiation. * -# \c S_PRE_START, have started three-way handshake, waiting for * acknowledgment from remote. * -# \c S_START, initial three-way handshake complete. * -# \c S_SENT_KEY, have sent local part of \c key_source2 random * material. * -# \c S_GOT_KEY, have received remote part of \c key_source2 random * material. * -# \c S_ACTIVE, normal operation during remaining handshake window. * -# \c S_NORMAL_OP, normal operation. * * Servers follow the same order, except for \c S_SENT_KEY and \c * S_GOT_KEY being reversed, because the server first receives the * client's \c key_source2 random material before generating and sending * its own. * * @{ */ #define S_ERROR -1 /**< Error state. */ #define S_UNDEF 0 /**< Undefined state, used after a \c * key_state is cleaned up. */ #define S_INITIAL 1 /**< Initial \c key_state state after * initialization by \c key_state_init() * before start of three-way handshake. */ #define S_PRE_START 2 /**< Waiting for the remote OpenVPN peer * to acknowledge during the initial * three-way handshake. */ #define S_START 3 /**< Three-way handshake is complete, * start of key exchange. */ #define S_SENT_KEY 4 /**< Local OpenVPN process has sent its * part of the key material. */ #define S_GOT_KEY 5 /**< Local OpenVPN process has received * the remote's part of the key * material. */ #define S_ACTIVE 6 /**< Operational \c key_state state * immediately after negotiation has * completed while still within the * handshake window. */ /* ready to exchange data channel packets */ #define S_NORMAL_OP 7 /**< Normal operational \c key_state * state. */ /** @} name Control channel negotiation states */ /** @} addtogroup control_processor */ /** * Container for one half of random material to be used in %key method 2 * \ref key_generation "data channel key generation". * @ingroup control_processor */ struct key_source { uint8_t pre_master[48]; /**< Random used for master secret * generation, provided only by client * OpenVPN peer. */ uint8_t random1[32]; /**< Seed used for master secret * generation, provided by both client * and server. */ uint8_t random2[32]; /**< Seed used for key expansion, provided * by both client and server. */ }; /** * Container for both halves of random material to be used in %key method * 2 \ref key_generation "data channel key generation". * @ingroup control_processor */ struct key_source2 { struct key_source client; /**< Random provided by client. */ struct key_source server; /**< Random provided by server. */ }; /** * Security parameter state of one TLS and data channel %key session. * @ingroup control_processor * * This structure represents one security parameter session between * OpenVPN peers. It includes the control channel TLS state and the data * channel crypto state. It also contains the reliability layer * structures used for control channel messages. * * A new \c key_state structure is initialized for each hard or soft * reset. * * @see * - This structure should be initialized using the \c key_state_init() * function. * - This structure should be cleaned up using the \c key_state_free() * function. */ struct key_state { int state; /** * Key id for this key_state, inherited from struct tls_session. * @see tls_session::key_id. */ int key_id; struct key_state_ssl ks_ssl; /* contains SSL object and BIOs for the control channel */ time_t established; /* when our state went S_ACTIVE */ time_t must_negotiate; /* key negotiation times out if not finished before this time */ time_t must_die; /* this object is destroyed at this time */ int initial_opcode; /* our initial P_ opcode */ struct session_id session_id_remote; /* peer's random session ID */ struct link_socket_actual remote_addr; /* peer's IP addr */ struct crypto_options crypto_options;/* data channel crypto options */ struct key_source2 *key_src; /* source entropy for key expansion */ struct buffer plaintext_read_buf; struct buffer plaintext_write_buf; struct buffer ack_write_buf; struct reliable *send_reliable; /* holds a copy of outgoing packets until ACK received */ struct reliable *rec_reliable; /* order incoming ciphertext packets before we pass to TLS */ struct reliable_ack *rec_ack; /* buffers all packet IDs we want to ACK back to sender */ struct buffer_list *paybuf; counter_type n_bytes; /* how many bytes sent/recvd since last key exchange */ counter_type n_packets; /* how many packets sent/recvd since last key exchange */ /* * If bad username/password, TLS connection will come up but 'authenticated' will be false. */ bool authenticated; time_t auth_deferred_expire; #ifdef ENABLE_DEF_AUTH /* If auth_deferred is true, authentication is being deferred */ bool auth_deferred; #ifdef MANAGEMENT_DEF_AUTH unsigned int mda_key_id; unsigned int mda_status; #endif #ifdef PLUGIN_DEF_AUTH unsigned int auth_control_status; time_t acf_last_mod; char *auth_control_file; #endif #endif }; /** Control channel wrapping (--tls-auth/--tls-crypt) context */ struct tls_wrap_ctx { enum { TLS_WRAP_NONE = 0, /**< No control channel wrapping */ TLS_WRAP_AUTH, /**< Control channel authentication */ TLS_WRAP_CRYPT, /**< Control channel encryption and authentication */ } mode; /**< Control channel wrapping mode */ struct crypto_options opt; /**< Crypto state */ struct buffer work; /**< Work buffer (only for --tls-crypt) */ }; /* * Our const options, obtained directly or derived from * command line options. */ struct tls_options { /* our master TLS context from which all SSL objects derived */ struct tls_root_ctx ssl_ctx; /* data channel cipher, hmac, and key lengths */ struct key_type key_type; /* true if we are a TLS server, client otherwise */ bool server; /* if true, don't xmit until first packet from peer is received */ bool xmit_hold; #ifdef ENABLE_OCC /* local and remote options strings * that must match between client and server */ const char *local_options; const char *remote_options; #endif /* from command line */ int key_method; bool replay; bool single_session; #ifdef ENABLE_OCC bool disable_occ; #endif int mode; bool pull; #ifdef ENABLE_PUSH_PEER_INFO int push_peer_info_detail; #endif int transition_window; int handshake_window; interval_t packet_timeout; int renegotiate_bytes; int renegotiate_packets; interval_t renegotiate_seconds; /* cert verification parms */ const char *verify_command; const char *verify_export_cert; int verify_x509_type; const char *verify_x509_name; const char *crl_file; const char *crl_file_inline; int ns_cert_type; unsigned remote_cert_ku[MAX_PARMS]; const char *remote_cert_eku; uint8_t *verify_hash; hash_algo_type verify_hash_algo; char *x509_username_field; /* allow openvpn config info to be * passed over control channel */ bool pass_config_info; /* struct crypto_option flags */ unsigned int crypto_flags; int replay_window; /* --replay-window parm */ int replay_time; /* --replay-window parm */ bool tcp_mode; const char *config_ciphername; const char *config_authname; bool ncp_enabled; /** TLS handshake wrapping state */ struct tls_wrap_ctx tls_wrap; /* frame parameters for TLS control channel */ struct frame frame; /* used for username/password authentication */ const char *auth_user_pass_verify_script; bool auth_user_pass_verify_script_via_file; const char *tmp_dir; const char *auth_user_pass_file; bool auth_token_generate; /**< Generate auth-tokens on successful user/pass auth, * set via options->auth_token_generate. */ unsigned int auth_token_lifetime; /* use the client-config-dir as a positive authenticator */ const char *client_config_dir_exclusive; /* instance-wide environment variable set */ struct env_set *es; const struct plugin_list *plugins; /* compression parms */ #ifdef USE_COMP struct compress_options comp_options; #endif /* configuration file SSL-related boolean and low-permutation options */ #define SSLF_CLIENT_CERT_NOT_REQUIRED (1<<0) #define SSLF_CLIENT_CERT_OPTIONAL (1<<1) #define SSLF_USERNAME_AS_COMMON_NAME (1<<2) #define SSLF_AUTH_USER_PASS_OPTIONAL (1<<3) #define SSLF_OPT_VERIFY (1<<4) #define SSLF_CRL_VERIFY_DIR (1<<5) #define SSLF_TLS_VERSION_MIN_SHIFT 6 #define SSLF_TLS_VERSION_MIN_MASK 0xF /* (uses bit positions 6 to 9) */ #define SSLF_TLS_VERSION_MAX_SHIFT 10 #define SSLF_TLS_VERSION_MAX_MASK 0xF /* (uses bit positions 10 to 13) */ unsigned int ssl_flags; #ifdef MANAGEMENT_DEF_AUTH struct man_def_auth_context *mda_context; #endif const struct x509_track *x509_track; #ifdef ENABLE_CLIENT_CR const struct static_challenge_info *sci; #endif /* --gremlin bits */ int gremlin; /* Keying Material Exporter [RFC 5705] parameters */ const char *ekm_label; size_t ekm_label_size; size_t ekm_size; }; /** @addtogroup control_processor * @{ */ /** @name Index of key_state objects within a tls_session structure * * This is the index of \c tls_session.key * * @{ */ #define KS_PRIMARY 0 /**< Primary %key state index. */ #define KS_LAME_DUCK 1 /**< %Key state index that will retire * soon. */ #define KS_SIZE 2 /**< Size of the \c tls_session.key array. */ /** @} name Index of key_state objects within a tls_session structure */ /** @} addtogroup control_processor */ #define AUTH_TOKEN_SIZE 32 /**< Size of server side generated auth tokens. * 32 bytes == 256 bits */ /** * Security parameter state of a single session within a VPN tunnel. * @ingroup control_processor * * This structure represents an OpenVPN peer-to-peer control channel * session. * * A \c tls_session remains over soft resets, but a new instance is * initialized for each hard reset. * * @see * - This structure should be initialized using the \c tls_session_init() * function. * - This structure should be cleaned up using the \c tls_session_free() * function. */ struct tls_session { /* const options and config info */ struct tls_options *opt; /* during hard reset used to control burst retransmit */ bool burst; /* authenticate control packets */ struct tls_wrap_ctx tls_wrap; int initial_opcode; /* our initial P_ opcode */ struct session_id session_id; /* our random session ID */ /** * The current active key id, used to keep track of renegotiations. * key_id increments with each soft reset to KEY_ID_MASK then recycles back * to 1. This way you know that if key_id is 0, it is the first key. */ int key_id; int limit_next; /* used for traffic shaping on the control channel */ int verify_maxlevel; char *common_name; struct cert_hash_set *cert_hash_set; #ifdef ENABLE_PF uint32_t common_name_hashval; #endif bool verified; /* true if peer certificate was verified against CA */ /* not-yet-authenticated incoming client */ struct link_socket_actual untrusted_addr; struct key_state key[KS_SIZE]; }; /** @addtogroup control_processor * @{ */ /** @name Index of tls_session objects within a tls_multi structure * * This is the index of \c tls_multi.session * * Normally three tls_session objects are maintained by an active openvpn * session. The first is the current, TLS authenticated session, the * second is used to process connection requests from a new client that * would usurp the current session if successfully authenticated, and the * third is used as a repository for a "lame-duck" %key in the event that * the primary session resets due to error while the lame-duck %key still * has time left before its expiration. Lame duck keys are used to * maintain the continuity of the data channel connection while a new %key * is being negotiated. * * @{ */ #define TM_ACTIVE 0 /**< Active \c tls_session. */ #define TM_UNTRUSTED 1 /**< As yet un-trusted \c tls_session * being negotiated. */ #define TM_LAME_DUCK 2 /**< Old \c tls_session. */ #define TM_SIZE 3 /**< Size of the \c tls_multi.session * array. */ /** @} name Index of tls_session objects within a tls_multi structure */ /** @} addtogroup control_processor */ /* * The number of keys we will scan on encrypt or decrypt. The first * is the "active" key. The second is the lame_duck or retiring key * associated with the active key's session ID. The third is a detached * lame duck session that only occurs in situations where a key renegotiate * failed on the active key, but a lame duck key was still valid. By * preserving the lame duck session, we can be assured of having a data * channel key available even when network conditions are so bad that * we can't negotiate a new key within the time allotted. */ #define KEY_SCAN_SIZE 3 /** * Security parameter state for a single VPN tunnel. * @ingroup control_processor * * An active VPN tunnel running with TLS enabled has one \c tls_multi * object, in which it stores all control channel and data channel * security parameter state. This structure can contain multiple, * possibly simultaneously active, \c tls_context objects to allow for * interruption-less transitions during session renegotiations. Each \c * tls_context represents one control channel session, which can span * multiple data channel security parameter sessions stored in \c * key_state structures. */ struct tls_multi { /* used to coordinate access between main thread and TLS thread */ /*MUTEX_PTR_DEFINE (mutex);*/ /* const options and config info */ struct tls_options opt; struct key_state *key_scan[KEY_SCAN_SIZE]; /**< List of \c key_state objects in the * order they should be scanned by data * channel modules. */ /* * used by tls_pre_encrypt to communicate the encrypt key * to tls_post_encrypt() */ struct key_state *save_ks; /* temporary pointer used between pre/post routines */ /* * Used to return outgoing address from * tls_multi_process. */ struct link_socket_actual to_link_addr; int n_sessions; /**< Number of sessions negotiated thus * far. */ /* * Number of errors. */ int n_hard_errors; /* errors due to TLS negotiation failure */ int n_soft_errors; /* errors due to unrecognized or failed-to-authenticate incoming packets */ /* * Our locked common name, username, and cert hashes (cannot change during the life of this tls_multi object) */ char *locked_cn; char *locked_username; struct cert_hash_set *locked_cert_hash_set; #ifdef ENABLE_DEF_AUTH /* * An error message to send to client on AUTH_FAILED */ char *client_reason; /* Time of last call to tls_authentication_status */ time_t tas_last; #endif #if P2MP_SERVER /* * A multi-line string of general-purpose info received from peer * over control channel. */ char *peer_info; #endif /* For P_DATA_V2 */ uint32_t peer_id; bool use_peer_id; char *remote_ciphername; /**< cipher specified in peer's config file */ char *auth_token; /**< If server sends a generated auth-token, * this is the token to use for future * user/pass authentications in this session. */ time_t auth_token_tstamp; /**< timestamp of the generated token */ bool auth_token_sent; /**< If server uses --auth-gen-token and * token has been sent to client */ /* * Our session objects. */ struct tls_session session[TM_SIZE]; /**< Array of \c tls_session objects * representing control channel * sessions with the remote peer. */ }; #define SHOW_TLS_CIPHER_LIST_WARNING \ "Be aware that that whether a cipher suite in this list can actually work\n" \ "depends on the specific setup of both peers. See the man page entries of\n" \ "--tls-cipher and --show-tls for more details.\n\n" #endif /* SSL_COMMON_H_ */ openvpn-2.4.4/src/openvpn/ssl_mbedtls.c000066400000000000000000001035431316434344000201510ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * Copyright (C) 2010-2017 Fox Crypto B.V. * Copyright (C) 2006-2010, Brainspark B.V. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ /** * @file Control Channel mbed TLS Backend */ #ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) #include "config-msvc.h" #endif #include "syshead.h" #if defined(ENABLE_CRYPTO) && defined(ENABLE_CRYPTO_MBEDTLS) #include "errlevel.h" #include "ssl_backend.h" #include "base64.h" #include "buffer.h" #include "misc.h" #include "manage.h" #include "ssl_common.h" #include #include "ssl_verify_mbedtls.h" #include #include #include #if MBEDTLS_VERSION_NUMBER >= 0x02040000 #include #else #include #endif #include #include #include void tls_init_lib(void) { } void tls_free_lib(void) { } void tls_clear_error(void) { } void tls_ctx_server_new(struct tls_root_ctx *ctx) { ASSERT(NULL != ctx); CLEAR(*ctx); ALLOC_OBJ_CLEAR(ctx->dhm_ctx, mbedtls_dhm_context); ALLOC_OBJ_CLEAR(ctx->ca_chain, mbedtls_x509_crt); ctx->endpoint = MBEDTLS_SSL_IS_SERVER; ctx->initialised = true; } void tls_ctx_client_new(struct tls_root_ctx *ctx) { ASSERT(NULL != ctx); CLEAR(*ctx); ALLOC_OBJ_CLEAR(ctx->dhm_ctx, mbedtls_dhm_context); ALLOC_OBJ_CLEAR(ctx->ca_chain, mbedtls_x509_crt); ctx->endpoint = MBEDTLS_SSL_IS_CLIENT; ctx->initialised = true; } void tls_ctx_free(struct tls_root_ctx *ctx) { if (ctx) { mbedtls_pk_free(ctx->priv_key); if (ctx->priv_key) { free(ctx->priv_key); } mbedtls_x509_crt_free(ctx->ca_chain); if (ctx->ca_chain) { free(ctx->ca_chain); } mbedtls_x509_crt_free(ctx->crt_chain); if (ctx->crt_chain) { free(ctx->crt_chain); } mbedtls_dhm_free(ctx->dhm_ctx); if (ctx->dhm_ctx) { free(ctx->dhm_ctx); } mbedtls_x509_crl_free(ctx->crl); if (ctx->crl) { free(ctx->crl); } #if defined(ENABLE_PKCS11) if (ctx->priv_key_pkcs11 != NULL) { mbedtls_pkcs11_priv_key_free(ctx->priv_key_pkcs11); free(ctx->priv_key_pkcs11); } #endif #if defined(MANAGMENT_EXTERNAL_KEY) if (ctx->external_key != NULL) { free(ctx->external_key); } #endif if (ctx->allowed_ciphers) { free(ctx->allowed_ciphers); } CLEAR(*ctx); ctx->initialised = false; } } bool tls_ctx_initialised(struct tls_root_ctx *ctx) { ASSERT(NULL != ctx); return ctx->initialised; } void key_state_export_keying_material(struct key_state_ssl *ssl, struct tls_session *session) { } void tls_ctx_set_options(struct tls_root_ctx *ctx, unsigned int ssl_flags) { } static const char * tls_translate_cipher_name(const char *cipher_name) { const tls_cipher_name_pair *pair = tls_get_cipher_name_pair(cipher_name, strlen(cipher_name)); if (NULL == pair) { /* No translation found, return original */ return cipher_name; } if (0 != strcmp(cipher_name, pair->iana_name)) { /* Deprecated name found, notify user */ msg(M_WARN, "Deprecated cipher suite name '%s', please use IANA name '%s'", pair->openssl_name, pair->iana_name); } return pair->iana_name; } void tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers) { char *tmp_ciphers, *tmp_ciphers_orig, *token; int i, cipher_count; int ciphers_len; if (NULL == ciphers) { return; /* Nothing to do */ } ciphers_len = strlen(ciphers); ASSERT(NULL != ctx); ASSERT(0 != ciphers_len); /* Get number of ciphers */ for (i = 0, cipher_count = 1; i < ciphers_len; i++) { if (ciphers[i] == ':') { cipher_count++; } } /* Allocate an array for them */ ALLOC_ARRAY_CLEAR(ctx->allowed_ciphers, int, cipher_count+1) /* Parse allowed ciphers, getting IDs */ i = 0; tmp_ciphers_orig = tmp_ciphers = string_alloc(ciphers, NULL); token = strtok(tmp_ciphers, ":"); while (token) { ctx->allowed_ciphers[i] = mbedtls_ssl_get_ciphersuite_id( tls_translate_cipher_name(token)); if (0 != ctx->allowed_ciphers[i]) { i++; } token = strtok(NULL, ":"); } free(tmp_ciphers_orig); } void tls_ctx_check_cert_time(const struct tls_root_ctx *ctx) { ASSERT(ctx); if (ctx->crt_chain == NULL) { return; /* Nothing to check if there is no certificate */ } if (mbedtls_x509_time_is_future(&ctx->crt_chain->valid_from)) { msg(M_WARN, "WARNING: Your certificate is not yet valid!"); } if (mbedtls_x509_time_is_past(&ctx->crt_chain->valid_to)) { msg(M_WARN, "WARNING: Your certificate has expired!"); } } void tls_ctx_load_dh_params(struct tls_root_ctx *ctx, const char *dh_file, const char *dh_inline ) { if (!strcmp(dh_file, INLINE_FILE_TAG) && dh_inline) { if (!mbed_ok(mbedtls_dhm_parse_dhm(ctx->dhm_ctx, (const unsigned char *) dh_inline, strlen(dh_inline)+1))) { msg(M_FATAL, "Cannot read inline DH parameters"); } } else { if (!mbed_ok(mbedtls_dhm_parse_dhmfile(ctx->dhm_ctx, dh_file))) { msg(M_FATAL, "Cannot read DH parameters from file %s", dh_file); } } msg(D_TLS_DEBUG_LOW, "Diffie-Hellman initialized with " counter_format " bit key", (counter_type) 8 * mbedtls_mpi_size(&ctx->dhm_ctx->P)); } void tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name ) { if (NULL != curve_name) { msg(M_WARN, "WARNING: mbed TLS builds do not support specifying an ECDH " "curve, using default curves."); } } int tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file, const char *pkcs12_file_inline, bool load_ca_file ) { msg(M_FATAL, "PKCS #12 files not yet supported for mbed TLS."); return 0; } #ifdef ENABLE_CRYPTOAPI void tls_ctx_load_cryptoapi(struct tls_root_ctx *ctx, const char *cryptoapi_cert) { msg(M_FATAL, "Windows CryptoAPI not yet supported for mbed TLS."); } #endif /* _WIN32 */ void tls_ctx_load_cert_file(struct tls_root_ctx *ctx, const char *cert_file, const char *cert_inline ) { ASSERT(NULL != ctx); if (!ctx->crt_chain) { ALLOC_OBJ_CLEAR(ctx->crt_chain, mbedtls_x509_crt); } if (!strcmp(cert_file, INLINE_FILE_TAG) && cert_inline) { if (!mbed_ok(mbedtls_x509_crt_parse(ctx->crt_chain, (const unsigned char *) cert_inline, strlen(cert_inline)+1))) { msg(M_FATAL, "Cannot load inline certificate file"); } } else { if (!mbed_ok(mbedtls_x509_crt_parse_file(ctx->crt_chain, cert_file))) { msg(M_FATAL, "Cannot load certificate file %s", cert_file); } } } int tls_ctx_load_priv_file(struct tls_root_ctx *ctx, const char *priv_key_file, const char *priv_key_inline ) { int status; ASSERT(NULL != ctx); if (!ctx->priv_key) { ALLOC_OBJ_CLEAR(ctx->priv_key, mbedtls_pk_context); } if (!strcmp(priv_key_file, INLINE_FILE_TAG) && priv_key_inline) { status = mbedtls_pk_parse_key(ctx->priv_key, (const unsigned char *) priv_key_inline, strlen(priv_key_inline)+1, NULL, 0); if (MBEDTLS_ERR_PK_PASSWORD_REQUIRED == status) { char passbuf[512] = {0}; pem_password_callback(passbuf, 512, 0, NULL); status = mbedtls_pk_parse_key(ctx->priv_key, (const unsigned char *) priv_key_inline, strlen(priv_key_inline)+1, (unsigned char *) passbuf, strlen(passbuf)); } } else { status = mbedtls_pk_parse_keyfile(ctx->priv_key, priv_key_file, NULL); if (MBEDTLS_ERR_PK_PASSWORD_REQUIRED == status) { char passbuf[512] = {0}; pem_password_callback(passbuf, 512, 0, NULL); status = mbedtls_pk_parse_keyfile(ctx->priv_key, priv_key_file, passbuf); } } if (!mbed_ok(status)) { #ifdef ENABLE_MANAGEMENT if (management && (MBEDTLS_ERR_PK_PASSWORD_MISMATCH == status)) { management_auth_failure(management, UP_TYPE_PRIVATE_KEY, NULL); } #endif msg(M_WARN, "Cannot load private key file %s", priv_key_file); return 1; } if (!mbed_ok(mbedtls_pk_check_pair(&ctx->crt_chain->pk, ctx->priv_key))) { msg(M_WARN, "Private key does not match the certificate"); return 1; } return 0; } #ifdef MANAGMENT_EXTERNAL_KEY struct external_context { size_t signature_length; }; /** * external_pkcs1_sign implements a mbed TLS rsa_sign_func callback, that uses * the management interface to request an RSA signature for the supplied hash. * * @param ctx_voidptr Management external key context. * @param f_rng (Unused) * @param p_rng (Unused) * @param mode RSA mode (should be RSA_PRIVATE). * @param md_alg Message digest ('hash') algorithm type. * @param hashlen Length of hash (overridden by length specified by md_alg * if md_alg != MBEDTLS_MD_NONE). * @param hash The digest ('hash') to sign. Should have a size * matching the length of md_alg (if != MBEDTLS_MD_NONE), * or hashlen otherwise. * @param sig Buffer that returns the signature. Should be at least of * size ctx->signature_length. * * @return 0 on success, non-zero mbed TLS error code on failure. */ static inline int external_pkcs1_sign( void *ctx_voidptr, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, mbedtls_md_type_t md_alg, unsigned int hashlen, const unsigned char *hash, unsigned char *sig ) { struct external_context *const ctx = ctx_voidptr; char *in_b64 = NULL; char *out_b64 = NULL; int rv; unsigned char *p = sig; size_t asn_len = 0, oid_size = 0, sig_len = 0; const char *oid = NULL; if (NULL == ctx) { return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; } if (MBEDTLS_RSA_PRIVATE != mode) { return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; } /* * Support a wide range of hashes. TLSv1.1 and before only need SIG_RSA_RAW, * but TLSv1.2 needs the full suite of hashes. * * This code has been taken from mbed TLS pkcs11_sign(), under the GPLv2.0+. */ if (md_alg != MBEDTLS_MD_NONE) { const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg ); if (md_info == NULL) { return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); } if (!mbed_ok(mbedtls_oid_get_oid_by_md( md_alg, &oid, &oid_size ))) { return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); } hashlen = mbedtls_md_get_size( md_info ); asn_len = 10 + oid_size; } sig_len = ctx->signature_length; if ( (SIZE_MAX - hashlen) < asn_len || (hashlen + asn_len) > sig_len) { return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; } if (md_alg != MBEDTLS_MD_NONE) { /* * DigestInfo ::= SEQUENCE { * digestAlgorithm DigestAlgorithmIdentifier, * digest Digest } * * DigestAlgorithmIdentifier ::= AlgorithmIdentifier * * Digest ::= OCTET STRING */ *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED; *p++ = (unsigned char) ( 0x08 + oid_size + hashlen ); *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED; *p++ = (unsigned char) ( 0x04 + oid_size ); *p++ = MBEDTLS_ASN1_OID; *p++ = oid_size & 0xFF; memcpy( p, oid, oid_size ); p += oid_size; *p++ = MBEDTLS_ASN1_NULL; *p++ = 0x00; *p++ = MBEDTLS_ASN1_OCTET_STRING; *p++ = hashlen; /* Determine added ASN length */ asn_len = p - sig; } /* Copy the hash to be signed */ memcpy( p, hash, hashlen ); /* convert 'from' to base64 */ if (openvpn_base64_encode(sig, asn_len + hashlen, &in_b64) <= 0) { rv = MBEDTLS_ERR_RSA_BAD_INPUT_DATA; goto done; } /* call MI for signature */ if (management) { out_b64 = management_query_rsa_sig(management, in_b64); } if (!out_b64) { rv = MBEDTLS_ERR_RSA_PRIVATE_FAILED; goto done; } /* decode base64 signature to binary and verify length */ if (openvpn_base64_decode(out_b64, sig, ctx->signature_length) != ctx->signature_length) { rv = MBEDTLS_ERR_RSA_PRIVATE_FAILED; goto done; } rv = 0; done: if (in_b64) { free(in_b64); } if (out_b64) { free(out_b64); } return rv; } static inline size_t external_key_len(void *vctx) { struct external_context *const ctx = vctx; return ctx->signature_length; } int tls_ctx_use_external_private_key(struct tls_root_ctx *ctx, const char *cert_file, const char *cert_file_inline) { ASSERT(NULL != ctx); tls_ctx_load_cert_file(ctx, cert_file, cert_file_inline); if (ctx->crt_chain == NULL) { return 0; } ALLOC_OBJ_CLEAR(ctx->external_key, struct external_context); ctx->external_key->signature_length = mbedtls_pk_get_len(&ctx->crt_chain->pk); ALLOC_OBJ_CLEAR(ctx->priv_key, mbedtls_pk_context); if (!mbed_ok(mbedtls_pk_setup_rsa_alt(ctx->priv_key, ctx->external_key, NULL, external_pkcs1_sign, external_key_len))) { return 0; } return 1; } #endif /* ifdef MANAGMENT_EXTERNAL_KEY */ void tls_ctx_load_ca(struct tls_root_ctx *ctx, const char *ca_file, const char *ca_inline, const char *ca_path, bool tls_server ) { if (ca_path) { msg(M_FATAL, "ERROR: mbed TLS cannot handle the capath directive"); } if (ca_file && !strcmp(ca_file, INLINE_FILE_TAG) && ca_inline) { if (!mbed_ok(mbedtls_x509_crt_parse(ctx->ca_chain, (const unsigned char *) ca_inline, strlen(ca_inline)+1))) { msg(M_FATAL, "Cannot load inline CA certificates"); } } else { /* Load CA file for verifying peer supplied certificate */ if (!mbed_ok(mbedtls_x509_crt_parse_file(ctx->ca_chain, ca_file))) { msg(M_FATAL, "Cannot load CA certificate file %s", ca_file); } } } void tls_ctx_load_extra_certs(struct tls_root_ctx *ctx, const char *extra_certs_file, const char *extra_certs_inline ) { ASSERT(NULL != ctx); if (!ctx->crt_chain) { ALLOC_OBJ_CLEAR(ctx->crt_chain, mbedtls_x509_crt); } if (!strcmp(extra_certs_file, INLINE_FILE_TAG) && extra_certs_inline) { if (!mbed_ok(mbedtls_x509_crt_parse(ctx->crt_chain, (const unsigned char *) extra_certs_inline, strlen(extra_certs_inline)+1))) { msg(M_FATAL, "Cannot load inline extra-certs file"); } } else { if (!mbed_ok(mbedtls_x509_crt_parse_file(ctx->crt_chain, extra_certs_file))) { msg(M_FATAL, "Cannot load extra-certs file: %s", extra_certs_file); } } } /* ************************************** * * Key-state specific functions * ***************************************/ /* * "Endless buffer" */ static inline void buf_free_entry(buffer_entry *entry) { if (NULL != entry) { free(entry->data); free(entry); } } static void buf_free_entries(endless_buffer *buf) { while (buf->first_block) { buffer_entry *cur_block = buf->first_block; buf->first_block = cur_block->next_block; buf_free_entry(cur_block); } buf->last_block = NULL; } static int endless_buf_read( endless_buffer *in, unsigned char *out, size_t out_len ) { size_t read_len = 0; if (in->first_block == NULL) { return MBEDTLS_ERR_SSL_WANT_READ; } while (in->first_block != NULL && read_len < out_len) { int block_len = in->first_block->length - in->data_start; if (block_len <= out_len - read_len) { buffer_entry *cur_entry = in->first_block; memcpy(out + read_len, cur_entry->data + in->data_start, block_len); read_len += block_len; in->first_block = cur_entry->next_block; in->data_start = 0; if (in->first_block == NULL) { in->last_block = NULL; } buf_free_entry(cur_entry); } else { memcpy(out + read_len, in->first_block->data + in->data_start, out_len - read_len); in->data_start += out_len - read_len; read_len = out_len; } } return read_len; } static int endless_buf_write( endless_buffer *out, const unsigned char *in, size_t len ) { buffer_entry *new_block = malloc(sizeof(buffer_entry)); if (NULL == new_block) { return MBEDTLS_ERR_NET_SEND_FAILED; } new_block->data = malloc(len); if (NULL == new_block->data) { free(new_block); return MBEDTLS_ERR_NET_SEND_FAILED; } new_block->length = len; new_block->next_block = NULL; memcpy(new_block->data, in, len); if (NULL == out->first_block) { out->first_block = new_block; } if (NULL != out->last_block) { out->last_block->next_block = new_block; } out->last_block = new_block; return len; } static int ssl_bio_read( void *ctx, unsigned char *out, size_t out_len) { bio_ctx *my_ctx = (bio_ctx *) ctx; return endless_buf_read(&my_ctx->in, out, out_len); } static int ssl_bio_write( void *ctx, const unsigned char *in, size_t in_len) { bio_ctx *my_ctx = (bio_ctx *) ctx; return endless_buf_write(&my_ctx->out, in, in_len); } static void my_debug( void *ctx, int level, const char *file, int line, const char *str ) { int my_loglevel = (level < 3) ? D_TLS_DEBUG_MED : D_TLS_DEBUG; msg(my_loglevel, "mbed TLS msg (%s:%d): %s", file, line, str); } /* * Further personalise the RNG using a hash of the public key */ void tls_ctx_personalise_random(struct tls_root_ctx *ctx) { static char old_sha256_hash[32] = {0}; unsigned char sha256_hash[32] = {0}; mbedtls_ctr_drbg_context *cd_ctx = rand_ctx_get(); if (NULL != ctx->crt_chain) { mbedtls_x509_crt *cert = ctx->crt_chain; mbedtls_sha256(cert->tbs.p, cert->tbs.len, sha256_hash, false); if (0 != memcmp(old_sha256_hash, sha256_hash, sizeof(sha256_hash))) { mbedtls_ctr_drbg_update(cd_ctx, sha256_hash, 32); memcpy(old_sha256_hash, sha256_hash, sizeof(old_sha256_hash)); } } } int tls_version_max(void) { #if defined(MBEDTLS_SSL_MAJOR_VERSION_3) && defined(MBEDTLS_SSL_MINOR_VERSION_3) return TLS_VER_1_2; #elif defined(MBEDTLS_SSL_MAJOR_VERSION_3) && defined(MBEDTLS_SSL_MINOR_VERSION_2) return TLS_VER_1_1; #else return TLS_VER_1_0; #endif } /** * Convert an OpenVPN tls-version variable to mbed TLS format (i.e. a major and * minor ssl version number). * * @param tls_ver The tls-version variable to convert. * @param major Returns the TLS major version in mbed TLS format. * Must be a valid pointer. * @param minor Returns the TLS minor version in mbed TLS format. * Must be a valid pointer. */ static void tls_version_to_major_minor(int tls_ver, int *major, int *minor) { ASSERT(major); ASSERT(minor); switch (tls_ver) { case TLS_VER_1_0: *major = MBEDTLS_SSL_MAJOR_VERSION_3; *minor = MBEDTLS_SSL_MINOR_VERSION_1; break; case TLS_VER_1_1: *major = MBEDTLS_SSL_MAJOR_VERSION_3; *minor = MBEDTLS_SSL_MINOR_VERSION_2; break; case TLS_VER_1_2: *major = MBEDTLS_SSL_MAJOR_VERSION_3; *minor = MBEDTLS_SSL_MINOR_VERSION_3; break; default: msg(M_FATAL, "%s: invalid TLS version %d", __func__, tls_ver); break; } } void backend_tls_ctx_reload_crl(struct tls_root_ctx *ctx, const char *crl_file, const char *crl_inline) { ASSERT(crl_file); if (ctx->crl == NULL) { ALLOC_OBJ_CLEAR(ctx->crl, mbedtls_x509_crl); } mbedtls_x509_crl_free(ctx->crl); if (!strcmp(crl_file, INLINE_FILE_TAG) && crl_inline) { if (!mbed_ok(mbedtls_x509_crl_parse(ctx->crl, (const unsigned char *)crl_inline, strlen(crl_inline)+1))) { msg(M_WARN, "CRL: cannot parse inline CRL"); goto err; } } else { if (!mbed_ok(mbedtls_x509_crl_parse_file(ctx->crl, crl_file))) { msg(M_WARN, "CRL: cannot read CRL from file %s", crl_file); goto err; } } return; err: mbedtls_x509_crl_free(ctx->crl); } void key_state_ssl_init(struct key_state_ssl *ks_ssl, const struct tls_root_ctx *ssl_ctx, bool is_server, struct tls_session *session) { ASSERT(NULL != ssl_ctx); ASSERT(ks_ssl); CLEAR(*ks_ssl); /* Initialise SSL config */ mbedtls_ssl_config_init(&ks_ssl->ssl_config); mbedtls_ssl_config_defaults(&ks_ssl->ssl_config, ssl_ctx->endpoint, MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_PRESET_DEFAULT); #ifdef MBEDTLS_DEBUG_C mbedtls_debug_set_threshold(3); #endif mbedtls_ssl_conf_dbg(&ks_ssl->ssl_config, my_debug, NULL); mbedtls_ssl_conf_rng(&ks_ssl->ssl_config, mbedtls_ctr_drbg_random, rand_ctx_get()); if (ssl_ctx->allowed_ciphers) { mbedtls_ssl_conf_ciphersuites(&ks_ssl->ssl_config, ssl_ctx->allowed_ciphers); } /* Disable record splitting (for now). OpenVPN assumes records are sent * unfragmented, and changing that will require thorough review and * testing. Since OpenVPN is not susceptible to BEAST, we can just * disable record splitting as a quick fix. */ #if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING) mbedtls_ssl_conf_cbc_record_splitting(&ks_ssl->ssl_config, MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED); #endif /* MBEDTLS_SSL_CBC_RECORD_SPLITTING */ /* Initialise authentication information */ if (is_server) { mbed_ok(mbedtls_ssl_conf_dh_param_ctx(&ks_ssl->ssl_config, ssl_ctx->dhm_ctx)); } mbed_ok(mbedtls_ssl_conf_own_cert(&ks_ssl->ssl_config, ssl_ctx->crt_chain, ssl_ctx->priv_key)); /* Initialise SSL verification */ #if P2MP_SERVER if (session->opt->ssl_flags & SSLF_CLIENT_CERT_OPTIONAL) { mbedtls_ssl_conf_authmode(&ks_ssl->ssl_config, MBEDTLS_SSL_VERIFY_OPTIONAL); } else if (!(session->opt->ssl_flags & SSLF_CLIENT_CERT_NOT_REQUIRED)) #endif { mbedtls_ssl_conf_authmode(&ks_ssl->ssl_config, MBEDTLS_SSL_VERIFY_REQUIRED); } mbedtls_ssl_conf_verify(&ks_ssl->ssl_config, verify_callback, session); /* TODO: mbed TLS does not currently support sending the CA chain to the client */ mbedtls_ssl_conf_ca_chain(&ks_ssl->ssl_config, ssl_ctx->ca_chain, ssl_ctx->crl); /* Initialize minimum TLS version */ { const int tls_version_min = (session->opt->ssl_flags >> SSLF_TLS_VERSION_MIN_SHIFT) &SSLF_TLS_VERSION_MIN_MASK; /* default to TLS 1.0 */ int major = MBEDTLS_SSL_MAJOR_VERSION_3; int minor = MBEDTLS_SSL_MINOR_VERSION_1; if (tls_version_min > TLS_VER_UNSPEC) { tls_version_to_major_minor(tls_version_min, &major, &minor); } mbedtls_ssl_conf_min_version(&ks_ssl->ssl_config, major, minor); } /* Initialize maximum TLS version */ { const int tls_version_max = (session->opt->ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT) &SSLF_TLS_VERSION_MAX_MASK; if (tls_version_max > TLS_VER_UNSPEC) { int major, minor; tls_version_to_major_minor(tls_version_max, &major, &minor); mbedtls_ssl_conf_max_version(&ks_ssl->ssl_config, major, minor); } } /* Initialise SSL context */ ALLOC_OBJ_CLEAR(ks_ssl->ctx, mbedtls_ssl_context); mbedtls_ssl_init(ks_ssl->ctx); mbedtls_ssl_setup(ks_ssl->ctx, &ks_ssl->ssl_config); /* Initialise BIOs */ CLEAR(ks_ssl->bio_ctx); mbedtls_ssl_set_bio(ks_ssl->ctx, &ks_ssl->bio_ctx, ssl_bio_write, ssl_bio_read, NULL); } void key_state_ssl_free(struct key_state_ssl *ks_ssl) { if (ks_ssl) { if (ks_ssl->ctx) { mbedtls_ssl_free(ks_ssl->ctx); free(ks_ssl->ctx); } mbedtls_ssl_config_free(&ks_ssl->ssl_config); buf_free_entries(&ks_ssl->bio_ctx.in); buf_free_entries(&ks_ssl->bio_ctx.out); CLEAR(*ks_ssl); } } int key_state_write_plaintext(struct key_state_ssl *ks, struct buffer *buf) { int retval = 0; ASSERT(buf); retval = key_state_write_plaintext_const(ks, BPTR(buf), BLEN(buf)); if (1 == retval) { memset(BPTR(buf), 0, BLEN(buf)); /* erase data just written */ buf->len = 0; } return retval; } int key_state_write_plaintext_const(struct key_state_ssl *ks, const uint8_t *data, int len) { int retval = 0; perf_push(PERF_BIO_WRITE_PLAINTEXT); ASSERT(NULL != ks); ASSERT(len >= 0); if (0 == len) { perf_pop(); return 0; } ASSERT(data); retval = mbedtls_ssl_write(ks->ctx, data, len); if (retval < 0) { perf_pop(); if (MBEDTLS_ERR_SSL_WANT_WRITE == retval || MBEDTLS_ERR_SSL_WANT_READ == retval) { return 0; } mbed_log_err(D_TLS_ERRORS, retval, "TLS ERROR: write tls_write_plaintext_const error"); return -1; } if (retval != len) { msg(D_TLS_ERRORS, "TLS ERROR: write tls_write_plaintext_const incomplete %d/%d", retval, len); perf_pop(); return -1; } /* successful write */ dmsg(D_HANDSHAKE_VERBOSE, "write tls_write_plaintext_const %d bytes", retval); perf_pop(); return 1; } int key_state_read_ciphertext(struct key_state_ssl *ks, struct buffer *buf, int maxlen) { int retval = 0; int len = 0; perf_push(PERF_BIO_READ_CIPHERTEXT); ASSERT(NULL != ks); ASSERT(buf); ASSERT(buf->len >= 0); if (buf->len) { perf_pop(); return 0; } len = buf_forward_capacity(buf); if (maxlen < len) { len = maxlen; } retval = endless_buf_read(&ks->bio_ctx.out, BPTR(buf), len); /* Error during read, check for retry error */ if (retval < 0) { perf_pop(); if (MBEDTLS_ERR_SSL_WANT_WRITE == retval || MBEDTLS_ERR_SSL_WANT_READ == retval) { return 0; } mbed_log_err(D_TLS_ERRORS, retval, "TLS_ERROR: read tls_read_ciphertext error"); buf->len = 0; return -1; } /* Nothing read, try again */ if (0 == retval) { buf->len = 0; perf_pop(); return 0; } /* successful read */ dmsg(D_HANDSHAKE_VERBOSE, "read tls_read_ciphertext %d bytes", retval); buf->len = retval; perf_pop(); return 1; } int key_state_write_ciphertext(struct key_state_ssl *ks, struct buffer *buf) { int retval = 0; perf_push(PERF_BIO_WRITE_CIPHERTEXT); ASSERT(NULL != ks); ASSERT(buf); ASSERT(buf->len >= 0); if (0 == buf->len) { perf_pop(); return 0; } retval = endless_buf_write(&ks->bio_ctx.in, BPTR(buf), buf->len); if (retval < 0) { perf_pop(); if (MBEDTLS_ERR_SSL_WANT_WRITE == retval || MBEDTLS_ERR_SSL_WANT_READ == retval) { return 0; } mbed_log_err(D_TLS_ERRORS, retval, "TLS ERROR: write tls_write_ciphertext error"); return -1; } if (retval != buf->len) { msg(D_TLS_ERRORS, "TLS ERROR: write tls_write_ciphertext incomplete %d/%d", retval, buf->len); perf_pop(); return -1; } /* successful write */ dmsg(D_HANDSHAKE_VERBOSE, "write tls_write_ciphertext %d bytes", retval); memset(BPTR(buf), 0, BLEN(buf)); /* erase data just written */ buf->len = 0; perf_pop(); return 1; } int key_state_read_plaintext(struct key_state_ssl *ks, struct buffer *buf, int maxlen) { int retval = 0; int len = 0; perf_push(PERF_BIO_READ_PLAINTEXT); ASSERT(NULL != ks); ASSERT(buf); ASSERT(buf->len >= 0); if (buf->len) { perf_pop(); return 0; } len = buf_forward_capacity(buf); if (maxlen < len) { len = maxlen; } retval = mbedtls_ssl_read(ks->ctx, BPTR(buf), len); /* Error during read, check for retry error */ if (retval < 0) { if (MBEDTLS_ERR_SSL_WANT_WRITE == retval || MBEDTLS_ERR_SSL_WANT_READ == retval) { return 0; } mbed_log_err(D_TLS_ERRORS, retval, "TLS_ERROR: read tls_read_plaintext error"); buf->len = 0; perf_pop(); return -1; } /* Nothing read, try again */ if (0 == retval) { buf->len = 0; perf_pop(); return 0; } /* successful read */ dmsg(D_HANDSHAKE_VERBOSE, "read tls_read_plaintext %d bytes", retval); buf->len = retval; perf_pop(); return 1; } /* ************************************** * * Information functions * * Print information for the end user. * ***************************************/ void print_details(struct key_state_ssl *ks_ssl, const char *prefix) { const mbedtls_x509_crt *cert; char s1[256]; char s2[256]; s1[0] = s2[0] = 0; openvpn_snprintf(s1, sizeof(s1), "%s %s, cipher %s", prefix, mbedtls_ssl_get_version(ks_ssl->ctx), mbedtls_ssl_get_ciphersuite(ks_ssl->ctx)); cert = mbedtls_ssl_get_peer_cert(ks_ssl->ctx); if (cert != NULL) { openvpn_snprintf(s2, sizeof(s2), ", %u bit key", (unsigned int) mbedtls_pk_get_bitlen(&cert->pk)); } msg(D_HANDSHAKE, "%s%s", s1, s2); } void show_available_tls_ciphers(const char *cipher_list) { struct tls_root_ctx tls_ctx; const int *ciphers = mbedtls_ssl_list_ciphersuites(); tls_ctx_server_new(&tls_ctx); tls_ctx_restrict_ciphers(&tls_ctx, cipher_list); if (tls_ctx.allowed_ciphers) { ciphers = tls_ctx.allowed_ciphers; } #ifndef ENABLE_SMALL printf("Available TLS Ciphers,\n"); printf("listed in order of preference:\n\n"); #endif while (*ciphers != 0) { printf("%s\n", mbedtls_ssl_get_ciphersuite_name(*ciphers)); ciphers++; } printf("\n" SHOW_TLS_CIPHER_LIST_WARNING); tls_ctx_free(&tls_ctx); } void show_available_curves(void) { const mbedtls_ecp_curve_info *pcurve = mbedtls_ecp_curve_list(); if (NULL == pcurve) { msg(M_FATAL, "Cannot retrieve curve list from mbed TLS"); } /* Print curve list */ printf("Available Elliptic curves, listed in order of preference:\n\n"); while (MBEDTLS_ECP_DP_NONE != pcurve->grp_id) { printf("%s\n", pcurve->name); pcurve++; } } void get_highest_preference_tls_cipher(char *buf, int size) { const char *cipher_name; const int *ciphers = mbedtls_ssl_list_ciphersuites(); if (*ciphers == 0) { msg(M_FATAL, "Cannot retrieve list of supported SSL ciphers."); } cipher_name = mbedtls_ssl_get_ciphersuite_name(*ciphers); strncpynt(buf, cipher_name, size); } const char * get_ssl_library_version(void) { static char mbedtls_version[30]; unsigned int pv = mbedtls_version_get_number(); sprintf( mbedtls_version, "mbed TLS %d.%d.%d", (pv>>24)&0xff, (pv>>16)&0xff, (pv>>8)&0xff ); return mbedtls_version; } #endif /* defined(ENABLE_CRYPTO) && defined(ENABLE_CRYPTO_MBEDTLS) */ openvpn-2.4.4/src/openvpn/ssl_mbedtls.h000066400000000000000000000060221316434344000201500ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * Copyright (C) 2010-2017 Fox Crypto B.V. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ /** * @file Control Channel mbed TLS Backend */ #ifndef SSL_MBEDTLS_H_ #define SSL_MBEDTLS_H_ #include "syshead.h" #include #include #if defined(ENABLE_PKCS11) #include #endif typedef struct _buffer_entry buffer_entry; struct _buffer_entry { size_t length; uint8_t *data; buffer_entry *next_block; }; typedef struct { size_t data_start; buffer_entry *first_block; buffer_entry *last_block; } endless_buffer; typedef struct { endless_buffer in; endless_buffer out; } bio_ctx; /** * Structure that wraps the TLS context. Contents differ depending on the * SSL library used. * * Either \c priv_key_pkcs11 or \c priv_key must be filled in. */ struct tls_root_ctx { bool initialised; /**< True if the context has been initialised */ int endpoint; /**< Whether or not this is a server or a client */ mbedtls_dhm_context *dhm_ctx; /**< Diffie-Helmann-Merkle context */ mbedtls_x509_crt *crt_chain; /**< Local Certificate chain */ mbedtls_x509_crt *ca_chain; /**< CA chain for remote verification */ mbedtls_pk_context *priv_key; /**< Local private key */ mbedtls_x509_crl *crl; /**< Certificate Revocation List */ time_t crl_last_mtime; /**< CRL last modification time */ off_t crl_last_size; /**< size of last loaded CRL */ #if defined(ENABLE_PKCS11) mbedtls_pkcs11_context *priv_key_pkcs11; /**< PKCS11 private key */ #endif #ifdef MANAGMENT_EXTERNAL_KEY struct external_context *external_key; /**< Management external key */ #endif int *allowed_ciphers; /**< List of allowed ciphers for this connection */ }; struct key_state_ssl { mbedtls_ssl_config ssl_config; /**< mbedTLS global ssl config */ mbedtls_ssl_context *ctx; /**< mbedTLS connection context */ bio_ctx bio_ctx; }; #endif /* SSL_MBEDTLS_H_ */ openvpn-2.4.4/src/openvpn/ssl_openssl.c000066400000000000000000001366151316434344000202100ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * Copyright (C) 2010-2017 Fox Crypto B.V. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ /** * @file Control Channel OpenSSL Backend */ #ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) #include "config-msvc.h" #endif #include "syshead.h" #if defined(ENABLE_CRYPTO) && defined(ENABLE_CRYPTO_OPENSSL) #include "errlevel.h" #include "buffer.h" #include "misc.h" #include "manage.h" #include "memdbg.h" #include "ssl_backend.h" #include "ssl_common.h" #include "base64.h" #include "openssl_compat.h" #ifdef ENABLE_CRYPTOAPI #include "cryptoapi.h" #endif #include "ssl_verify_openssl.h" #include #include #include #include #ifndef OPENSSL_NO_EC #include #endif /* * Allocate space in SSL objects in which to store a struct tls_session * pointer back to parent. * */ int mydata_index; /* GLOBAL */ void tls_init_lib(void) { SSL_library_init(); #ifndef ENABLE_SMALL SSL_load_error_strings(); #endif OpenSSL_add_all_algorithms(); mydata_index = SSL_get_ex_new_index(0, "struct session *", NULL, NULL, NULL); ASSERT(mydata_index >= 0); } void tls_free_lib(void) { EVP_cleanup(); #ifndef ENABLE_SMALL ERR_free_strings(); #endif } void tls_clear_error(void) { ERR_clear_error(); } void tls_ctx_server_new(struct tls_root_ctx *ctx) { ASSERT(NULL != ctx); ctx->ctx = SSL_CTX_new(SSLv23_server_method()); if (ctx->ctx == NULL) { crypto_msg(M_FATAL, "SSL_CTX_new SSLv23_server_method"); } } void tls_ctx_client_new(struct tls_root_ctx *ctx) { ASSERT(NULL != ctx); ctx->ctx = SSL_CTX_new(SSLv23_client_method()); if (ctx->ctx == NULL) { crypto_msg(M_FATAL, "SSL_CTX_new SSLv23_client_method"); } } void tls_ctx_free(struct tls_root_ctx *ctx) { ASSERT(NULL != ctx); if (NULL != ctx->ctx) { SSL_CTX_free(ctx->ctx); } ctx->ctx = NULL; } bool tls_ctx_initialised(struct tls_root_ctx *ctx) { ASSERT(NULL != ctx); return NULL != ctx->ctx; } void key_state_export_keying_material(struct key_state_ssl *ssl, struct tls_session *session) { if (session->opt->ekm_size > 0) { #if (OPENSSL_VERSION_NUMBER >= 0x10001000) unsigned int size = session->opt->ekm_size; struct gc_arena gc = gc_new(); unsigned char *ekm = (unsigned char *) gc_malloc(size, true, &gc); if (SSL_export_keying_material(ssl->ssl, ekm, size, session->opt->ekm_label, session->opt->ekm_label_size, NULL, 0, 0)) { unsigned int len = (size * 2) + 2; const char *key = format_hex_ex(ekm, size, len, 0, NULL, &gc); setenv_str(session->opt->es, "exported_keying_material", key); dmsg(D_TLS_DEBUG_MED, "%s: exported keying material: %s", __func__, key); } else { msg(M_WARN, "WARNING: Export keying material failed!"); setenv_del(session->opt->es, "exported_keying_material"); } gc_free(&gc); #endif /* if (OPENSSL_VERSION_NUMBER >= 0x10001000) */ } } /* * Print debugging information on SSL/TLS session negotiation. */ #ifndef INFO_CALLBACK_SSL_CONST #define INFO_CALLBACK_SSL_CONST const #endif static void info_callback(INFO_CALLBACK_SSL_CONST SSL *s, int where, int ret) { if (where & SSL_CB_LOOP) { dmsg(D_HANDSHAKE_VERBOSE, "SSL state (%s): %s", where & SSL_ST_CONNECT ? "connect" : where &SSL_ST_ACCEPT ? "accept" : "undefined", SSL_state_string_long(s)); } else if (where & SSL_CB_ALERT) { dmsg(D_HANDSHAKE_VERBOSE, "SSL alert (%s): %s: %s", where & SSL_CB_READ ? "read" : "write", SSL_alert_type_string_long(ret), SSL_alert_desc_string_long(ret)); } } /* * Return maximum TLS version supported by local OpenSSL library. * Assume that presence of SSL_OP_NO_TLSvX macro indicates that * TLSvX is supported. */ int tls_version_max(void) { #if defined(SSL_OP_NO_TLSv1_2) return TLS_VER_1_2; #elif defined(SSL_OP_NO_TLSv1_1) return TLS_VER_1_1; #else return TLS_VER_1_0; #endif } void tls_ctx_set_options(struct tls_root_ctx *ctx, unsigned int ssl_flags) { ASSERT(NULL != ctx); /* default certificate verification flags */ int flags = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT; /* process SSL options including minimum TLS version we will accept from peer */ { long sslopt = SSL_OP_SINGLE_DH_USE | SSL_OP_NO_TICKET | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3; int tls_ver_max = TLS_VER_UNSPEC; const int tls_ver_min = (ssl_flags >> SSLF_TLS_VERSION_MIN_SHIFT) & SSLF_TLS_VERSION_MIN_MASK; tls_ver_max = (ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT) & SSLF_TLS_VERSION_MAX_MASK; if (tls_ver_max <= TLS_VER_UNSPEC) { tls_ver_max = tls_version_max(); } if (tls_ver_min > TLS_VER_1_0 || tls_ver_max < TLS_VER_1_0) { sslopt |= SSL_OP_NO_TLSv1; } #ifdef SSL_OP_NO_TLSv1_1 if (tls_ver_min > TLS_VER_1_1 || tls_ver_max < TLS_VER_1_1) { sslopt |= SSL_OP_NO_TLSv1_1; } #endif #ifdef SSL_OP_NO_TLSv1_2 if (tls_ver_min > TLS_VER_1_2 || tls_ver_max < TLS_VER_1_2) { sslopt |= SSL_OP_NO_TLSv1_2; } #endif #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE sslopt |= SSL_OP_CIPHER_SERVER_PREFERENCE; #endif #ifdef SSL_OP_NO_COMPRESSION /* Disable compression - flag not available in OpenSSL 0.9.8 */ sslopt |= SSL_OP_NO_COMPRESSION; #endif SSL_CTX_set_options(ctx->ctx, sslopt); } #ifdef SSL_MODE_RELEASE_BUFFERS SSL_CTX_set_mode(ctx->ctx, SSL_MODE_RELEASE_BUFFERS); #endif SSL_CTX_set_session_cache_mode(ctx->ctx, SSL_SESS_CACHE_OFF); SSL_CTX_set_default_passwd_cb(ctx->ctx, pem_password_callback); /* Require peer certificate verification */ #if P2MP_SERVER if (ssl_flags & SSLF_CLIENT_CERT_NOT_REQUIRED) { flags = 0; } else if (ssl_flags & SSLF_CLIENT_CERT_OPTIONAL) { flags = SSL_VERIFY_PEER; } #endif SSL_CTX_set_verify(ctx->ctx, flags, verify_callback); SSL_CTX_set_info_callback(ctx->ctx, info_callback); } void tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers) { if (ciphers == NULL) { /* Use sane default TLS cipher list */ if (!SSL_CTX_set_cipher_list(ctx->ctx, /* Use openssl's default list as a basis */ "DEFAULT" /* Disable export ciphers and openssl's 'low' and 'medium' ciphers */ ":!EXP:!LOW:!MEDIUM" /* Disable static (EC)DH keys (no forward secrecy) */ ":!kDH:!kECDH" /* Disable DSA private keys */ ":!DSS" /* Disable unsupported TLS modes */ ":!PSK:!SRP:!kRSA")) { crypto_msg(M_FATAL, "Failed to set default TLS cipher list."); } return; } /* Parse supplied cipher list and pass on to OpenSSL */ size_t begin_of_cipher, end_of_cipher; const char *current_cipher; size_t current_cipher_len; const tls_cipher_name_pair *cipher_pair; char openssl_ciphers[4096]; size_t openssl_ciphers_len = 0; openssl_ciphers[0] = '\0'; ASSERT(NULL != ctx); /* Translate IANA cipher suite names to OpenSSL names */ begin_of_cipher = end_of_cipher = 0; for (; begin_of_cipher < strlen(ciphers); begin_of_cipher = end_of_cipher) { end_of_cipher += strcspn(&ciphers[begin_of_cipher], ":"); cipher_pair = tls_get_cipher_name_pair(&ciphers[begin_of_cipher], end_of_cipher - begin_of_cipher); if (NULL == cipher_pair) { /* No translation found, use original */ current_cipher = &ciphers[begin_of_cipher]; current_cipher_len = end_of_cipher - begin_of_cipher; /* Issue warning on missing translation */ /* %.*s format specifier expects length of type int, so guarantee */ /* that length is small enough and cast to int. */ msg(D_LOW, "No valid translation found for TLS cipher '%.*s'", constrain_int(current_cipher_len, 0, 256), current_cipher); } else { /* Use OpenSSL name */ current_cipher = cipher_pair->openssl_name; current_cipher_len = strlen(current_cipher); if (end_of_cipher - begin_of_cipher == current_cipher_len && 0 != memcmp(&ciphers[begin_of_cipher], cipher_pair->iana_name, end_of_cipher - begin_of_cipher)) { /* Non-IANA name used, show warning */ msg(M_WARN, "Deprecated TLS cipher name '%s', please use IANA name '%s'", cipher_pair->openssl_name, cipher_pair->iana_name); } } /* Make sure new cipher name fits in cipher string */ if ((SIZE_MAX - openssl_ciphers_len) < current_cipher_len || ((sizeof(openssl_ciphers)-1) < openssl_ciphers_len + current_cipher_len)) { msg(M_FATAL, "Failed to set restricted TLS cipher list, too long (>%d).", (int)sizeof(openssl_ciphers)-1); } /* Concatenate cipher name to OpenSSL cipher string */ memcpy(&openssl_ciphers[openssl_ciphers_len], current_cipher, current_cipher_len); openssl_ciphers_len += current_cipher_len; openssl_ciphers[openssl_ciphers_len] = ':'; openssl_ciphers_len++; end_of_cipher++; } if (openssl_ciphers_len > 0) { openssl_ciphers[openssl_ciphers_len-1] = '\0'; } /* Set OpenSSL cipher list */ if (!SSL_CTX_set_cipher_list(ctx->ctx, openssl_ciphers)) { crypto_msg(M_FATAL, "Failed to set restricted TLS cipher list: %s", openssl_ciphers); } } void tls_ctx_check_cert_time(const struct tls_root_ctx *ctx) { int ret; const X509 *cert; ASSERT(ctx); #if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER) /* OpenSSL 1.0.2 and up */ cert = SSL_CTX_get0_certificate(ctx->ctx); #else /* OpenSSL 1.0.1 and earlier need an SSL object to get at the certificate */ SSL *ssl = SSL_new(ctx->ctx); cert = SSL_get_certificate(ssl); #endif if (cert == NULL) { goto cleanup; /* Nothing to check if there is no certificate */ } ret = X509_cmp_time(X509_get_notBefore(cert), NULL); if (ret == 0) { msg(D_TLS_DEBUG_MED, "Failed to read certificate notBefore field."); } if (ret > 0) { msg(M_WARN, "WARNING: Your certificate is not yet valid!"); } ret = X509_cmp_time(X509_get_notAfter(cert), NULL); if (ret == 0) { msg(D_TLS_DEBUG_MED, "Failed to read certificate notAfter field."); } if (ret < 0) { msg(M_WARN, "WARNING: Your certificate has expired!"); } cleanup: #if OPENSSL_VERSION_NUMBER < 0x10002000L || defined(LIBRESSL_VERSION_NUMBER) SSL_free(ssl); #endif return; } void tls_ctx_load_dh_params(struct tls_root_ctx *ctx, const char *dh_file, const char *dh_file_inline ) { DH *dh; BIO *bio; ASSERT(NULL != ctx); if (!strcmp(dh_file, INLINE_FILE_TAG) && dh_file_inline) { if (!(bio = BIO_new_mem_buf((char *)dh_file_inline, -1))) { crypto_msg(M_FATAL, "Cannot open memory BIO for inline DH parameters"); } } else { /* Get Diffie Hellman Parameters */ if (!(bio = BIO_new_file(dh_file, "r"))) { crypto_msg(M_FATAL, "Cannot open %s for DH parameters", dh_file); } } dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL); BIO_free(bio); if (!dh) { crypto_msg(M_FATAL, "Cannot load DH parameters from %s", dh_file); } if (!SSL_CTX_set_tmp_dh(ctx->ctx, dh)) { crypto_msg(M_FATAL, "SSL_CTX_set_tmp_dh"); } msg(D_TLS_DEBUG_LOW, "Diffie-Hellman initialized with %d bit key", 8 * DH_size(dh)); DH_free(dh); } void tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name ) { #ifndef OPENSSL_NO_EC int nid = NID_undef; EC_KEY *ecdh = NULL; const char *sname = NULL; /* Generate a new ECDH key for each SSL session (for non-ephemeral ECDH) */ SSL_CTX_set_options(ctx->ctx, SSL_OP_SINGLE_ECDH_USE); if (curve_name != NULL) { /* Use user supplied curve if given */ msg(D_TLS_DEBUG, "Using user specified ECDH curve (%s)", curve_name); nid = OBJ_sn2nid(curve_name); } else { #if OPENSSL_VERSION_NUMBER >= 0x10002000L /* OpenSSL 1.0.2 and newer can automatically handle ECDH parameter * loading */ SSL_CTX_set_ecdh_auto(ctx->ctx, 1); return; #else /* For older OpenSSL we have to extract the curve from key on our own */ EC_KEY *eckey = NULL; const EC_GROUP *ecgrp = NULL; EVP_PKEY *pkey = NULL; /* Little hack to get private key ref from SSL_CTX, yay OpenSSL... */ SSL *ssl = SSL_new(ctx->ctx); if (!ssl) { crypto_msg(M_FATAL, "SSL_new failed"); } pkey = SSL_get_privatekey(ssl); SSL_free(ssl); msg(D_TLS_DEBUG, "Extracting ECDH curve from private key"); if (pkey != NULL && (eckey = EVP_PKEY_get1_EC_KEY(pkey)) != NULL && (ecgrp = EC_KEY_get0_group(eckey)) != NULL) { nid = EC_GROUP_get_curve_name(ecgrp); } #endif } /* Translate NID back to name , just for kicks */ sname = OBJ_nid2sn(nid); if (sname == NULL) { sname = "(Unknown)"; } /* Create new EC key and set as ECDH key */ if (NID_undef == nid || NULL == (ecdh = EC_KEY_new_by_curve_name(nid))) { /* Creating key failed, fall back on sane default */ ecdh = EC_KEY_new_by_curve_name(NID_secp384r1); const char *source = (NULL == curve_name) ? "extract curve from certificate" : "use supplied curve"; msg(D_TLS_DEBUG_LOW, "Failed to %s (%s), using secp384r1 instead.", source, sname); sname = OBJ_nid2sn(NID_secp384r1); } if (!SSL_CTX_set_tmp_ecdh(ctx->ctx, ecdh)) { crypto_msg(M_FATAL, "SSL_CTX_set_tmp_ecdh: cannot add curve"); } msg(D_TLS_DEBUG_LOW, "ECDH curve %s added", sname); EC_KEY_free(ecdh); #else /* ifndef OPENSSL_NO_EC */ msg(M_DEBUG, "Your OpenSSL library was built without elliptic curve support." " Skipping ECDH parameter loading."); #endif /* OPENSSL_NO_EC */ } int tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file, const char *pkcs12_file_inline, bool load_ca_file ) { FILE *fp; EVP_PKEY *pkey; X509 *cert; STACK_OF(X509) *ca = NULL; PKCS12 *p12; int i; char password[256]; ASSERT(NULL != ctx); if (!strcmp(pkcs12_file, INLINE_FILE_TAG) && pkcs12_file_inline) { BIO *b64 = BIO_new(BIO_f_base64()); BIO *bio = BIO_new_mem_buf((void *) pkcs12_file_inline, (int) strlen(pkcs12_file_inline)); ASSERT(b64 && bio); BIO_push(b64, bio); p12 = d2i_PKCS12_bio(b64, NULL); if (!p12) { crypto_msg(M_FATAL, "Error reading inline PKCS#12 file"); } BIO_free(b64); BIO_free(bio); } else { /* Load the PKCS #12 file */ if (!(fp = platform_fopen(pkcs12_file, "rb"))) { crypto_msg(M_FATAL, "Error opening file %s", pkcs12_file); } p12 = d2i_PKCS12_fp(fp, NULL); fclose(fp); if (!p12) { crypto_msg(M_FATAL, "Error reading PKCS#12 file %s", pkcs12_file); } } /* Parse the PKCS #12 file */ if (!PKCS12_parse(p12, "", &pkey, &cert, &ca)) { pem_password_callback(password, sizeof(password) - 1, 0, NULL); /* Reparse the PKCS #12 file with password */ ca = NULL; if (!PKCS12_parse(p12, password, &pkey, &cert, &ca)) { #ifdef ENABLE_MANAGEMENT if (management && (ERR_GET_REASON(ERR_peek_error()) == PKCS12_R_MAC_VERIFY_FAILURE)) { management_auth_failure(management, UP_TYPE_PRIVATE_KEY, NULL); } #endif PKCS12_free(p12); return 1; } } PKCS12_free(p12); /* Load Certificate */ if (!SSL_CTX_use_certificate(ctx->ctx, cert)) { crypto_msg(M_FATAL, "Cannot use certificate"); } /* Load Private Key */ if (!SSL_CTX_use_PrivateKey(ctx->ctx, pkey)) { crypto_msg(M_FATAL, "Cannot use private key"); } /* Check Private Key */ if (!SSL_CTX_check_private_key(ctx->ctx)) { crypto_msg(M_FATAL, "Private key does not match the certificate"); } /* Set Certificate Verification chain */ if (load_ca_file) { /* Add CAs from PKCS12 to the cert store and mark them as trusted. * They're also used to fill in the chain of intermediate certs as * necessary. */ if (ca && sk_X509_num(ca)) { for (i = 0; i < sk_X509_num(ca); i++) { X509_STORE *cert_store = SSL_CTX_get_cert_store(ctx->ctx); if (!X509_STORE_add_cert(cert_store,sk_X509_value(ca, i))) { crypto_msg(M_FATAL,"Cannot add certificate to certificate chain (X509_STORE_add_cert)"); } if (!SSL_CTX_add_client_CA(ctx->ctx, sk_X509_value(ca, i))) { crypto_msg(M_FATAL,"Cannot add certificate to client CA list (SSL_CTX_add_client_CA)"); } } } } else { /* If trusted CA certs were loaded from a PEM file, and we ignore the * ones in PKCS12, do load PKCS12-provided certs to the client extra * certs chain just in case they include intermediate CAs needed to * prove my identity to the other end. This does not make them trusted. */ if (ca && sk_X509_num(ca)) { for (i = 0; i < sk_X509_num(ca); i++) { if (!SSL_CTX_add_extra_chain_cert(ctx->ctx,sk_X509_value(ca, i))) { crypto_msg(M_FATAL, "Cannot add extra certificate to chain (SSL_CTX_add_extra_chain_cert)"); } } } } return 0; } #ifdef ENABLE_CRYPTOAPI void tls_ctx_load_cryptoapi(struct tls_root_ctx *ctx, const char *cryptoapi_cert) { ASSERT(NULL != ctx); /* Load Certificate and Private Key */ if (!SSL_CTX_use_CryptoAPI_certificate(ctx->ctx, cryptoapi_cert)) { crypto_msg(M_FATAL, "Cannot load certificate \"%s\" from Microsoft Certificate Store", cryptoapi_cert); } } #endif /* ENABLE_CRYPTOAPI */ static void tls_ctx_add_extra_certs(struct tls_root_ctx *ctx, BIO *bio) { X509 *cert; for (;; ) { cert = NULL; if (!PEM_read_bio_X509(bio, &cert, NULL, NULL)) /* takes ownership of cert */ { break; } if (!cert) { crypto_msg(M_FATAL, "Error reading extra certificate"); } if (SSL_CTX_add_extra_chain_cert(ctx->ctx, cert) != 1) { crypto_msg(M_FATAL, "Error adding extra certificate"); } } } /* Like tls_ctx_load_cert, but returns a copy of the certificate in **X509 */ static void tls_ctx_load_cert_file_and_copy(struct tls_root_ctx *ctx, const char *cert_file, const char *cert_file_inline, X509 **x509 ) { BIO *in = NULL; X509 *x = NULL; int ret = 0; bool inline_file = false; ASSERT(NULL != ctx); if (NULL != x509) { ASSERT(NULL == *x509); } inline_file = (strcmp(cert_file, INLINE_FILE_TAG) == 0); if (inline_file && cert_file_inline) { in = BIO_new_mem_buf((char *)cert_file_inline, -1); } else { in = BIO_new_file(cert_file, "r"); } if (in == NULL) { SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_SYS_LIB); goto end; } x = PEM_read_bio_X509(in, NULL, SSL_CTX_get_default_passwd_cb(ctx->ctx), SSL_CTX_get_default_passwd_cb_userdata(ctx->ctx)); if (x == NULL) { SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_PEM_LIB); goto end; } ret = SSL_CTX_use_certificate(ctx->ctx, x); if (ret) { tls_ctx_add_extra_certs(ctx, in); } end: if (!ret) { if (inline_file) { crypto_msg(M_FATAL, "Cannot load inline certificate file"); } else { crypto_msg(M_FATAL, "Cannot load certificate file %s", cert_file); } } if (in != NULL) { BIO_free(in); } if (x509) { *x509 = x; } else if (x) { X509_free(x); } } void tls_ctx_load_cert_file(struct tls_root_ctx *ctx, const char *cert_file, const char *cert_file_inline) { tls_ctx_load_cert_file_and_copy(ctx, cert_file, cert_file_inline, NULL); } int tls_ctx_load_priv_file(struct tls_root_ctx *ctx, const char *priv_key_file, const char *priv_key_file_inline ) { SSL_CTX *ssl_ctx = NULL; BIO *in = NULL; EVP_PKEY *pkey = NULL; int ret = 1; ASSERT(NULL != ctx); ssl_ctx = ctx->ctx; if (!strcmp(priv_key_file, INLINE_FILE_TAG) && priv_key_file_inline) { in = BIO_new_mem_buf((char *)priv_key_file_inline, -1); } else { in = BIO_new_file(priv_key_file, "r"); } if (!in) { goto end; } pkey = PEM_read_bio_PrivateKey(in, NULL, SSL_CTX_get_default_passwd_cb(ctx->ctx), SSL_CTX_get_default_passwd_cb_userdata(ctx->ctx)); if (!pkey) { goto end; } if (!SSL_CTX_use_PrivateKey(ssl_ctx, pkey)) { #ifdef ENABLE_MANAGEMENT if (management && (ERR_GET_REASON(ERR_peek_error()) == EVP_R_BAD_DECRYPT)) { management_auth_failure(management, UP_TYPE_PRIVATE_KEY, NULL); } #endif crypto_msg(M_WARN, "Cannot load private key file %s", priv_key_file); goto end; } /* Check Private Key */ if (!SSL_CTX_check_private_key(ssl_ctx)) { crypto_msg(M_FATAL, "Private key does not match the certificate"); } ret = 0; end: if (pkey) { EVP_PKEY_free(pkey); } if (in) { BIO_free(in); } return ret; } void backend_tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx, const char *crl_file, const char *crl_inline) { X509_CRL *crl = NULL; BIO *in = NULL; X509_STORE *store = SSL_CTX_get_cert_store(ssl_ctx->ctx); if (!store) { crypto_msg(M_FATAL, "Cannot get certificate store"); } /* Always start with a cleared CRL list, for that we * we need to manually find the CRL object from the stack * and remove it */ STACK_OF(X509_OBJECT) *objs = X509_STORE_get0_objects(store); for (int i = 0; i < sk_X509_OBJECT_num(objs); i++) { X509_OBJECT *obj = sk_X509_OBJECT_value(objs, i); ASSERT(obj); if (X509_OBJECT_get_type(obj) == X509_LU_CRL) { sk_X509_OBJECT_delete(objs, i); X509_OBJECT_free(obj); } } X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL); if (!strcmp(crl_file, INLINE_FILE_TAG) && crl_inline) { in = BIO_new_mem_buf((char *)crl_inline, -1); } else { in = BIO_new_file(crl_file, "r"); } if (in == NULL) { msg(M_WARN, "CRL: cannot read: %s", crl_file); goto end; } crl = PEM_read_bio_X509_CRL(in, NULL, NULL, NULL); if (crl == NULL) { msg(M_WARN, "CRL: cannot read CRL from file %s", crl_file); goto end; } if (!X509_STORE_add_crl(store, crl)) { msg(M_WARN, "CRL: cannot add %s to store", crl_file); goto end; } end: X509_CRL_free(crl); BIO_free(in); } #ifdef MANAGMENT_EXTERNAL_KEY /* encrypt */ static int rsa_pub_enc(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding) { ASSERT(0); return -1; } /* verify arbitrary data */ static int rsa_pub_dec(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding) { ASSERT(0); return -1; } /* decrypt */ static int rsa_priv_dec(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding) { ASSERT(0); return -1; } /* called at RSA_free */ static int openvpn_extkey_rsa_finish(RSA *rsa) { /* meth was allocated in tls_ctx_use_external_private_key() ; since * this function is called when the parent RSA object is destroyed, * it is no longer used after this point so kill it. */ const RSA_METHOD *meth = RSA_get_method(rsa); RSA_meth_free((RSA_METHOD *)meth); return 1; } /* sign arbitrary data */ static int rsa_priv_enc(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding) { /* optional app data in rsa->meth->app_data; */ char *in_b64 = NULL; char *out_b64 = NULL; int ret = -1; int len; if (padding != RSA_PKCS1_PADDING) { RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, RSA_R_UNKNOWN_PADDING_TYPE); goto done; } /* convert 'from' to base64 */ if (openvpn_base64_encode(from, flen, &in_b64) <= 0) { goto done; } /* call MI for signature */ if (management) { out_b64 = management_query_rsa_sig(management, in_b64); } if (!out_b64) { goto done; } /* decode base64 signature to binary */ len = RSA_size(rsa); ret = openvpn_base64_decode(out_b64, to, len); /* verify length */ if (ret != len) { ret = -1; } done: if (in_b64) { free(in_b64); } if (out_b64) { free(out_b64); } return ret; } int tls_ctx_use_external_private_key(struct tls_root_ctx *ctx, const char *cert_file, const char *cert_file_inline) { RSA *rsa = NULL; RSA *pub_rsa; RSA_METHOD *rsa_meth; X509 *cert = NULL; ASSERT(NULL != ctx); tls_ctx_load_cert_file_and_copy(ctx, cert_file, cert_file_inline, &cert); ASSERT(NULL != cert); /* allocate custom RSA method object */ rsa_meth = RSA_meth_new("OpenVPN external private key RSA Method", RSA_METHOD_FLAG_NO_CHECK); check_malloc_return(rsa_meth); RSA_meth_set_pub_enc(rsa_meth, rsa_pub_enc); RSA_meth_set_pub_dec(rsa_meth, rsa_pub_dec); RSA_meth_set_priv_enc(rsa_meth, rsa_priv_enc); RSA_meth_set_priv_dec(rsa_meth, rsa_priv_dec); RSA_meth_set_init(rsa_meth, NULL); RSA_meth_set_finish(rsa_meth, openvpn_extkey_rsa_finish); RSA_meth_set0_app_data(rsa_meth, NULL); /* allocate RSA object */ rsa = RSA_new(); if (rsa == NULL) { SSLerr(SSL_F_SSL_USE_PRIVATEKEY, ERR_R_MALLOC_FAILURE); goto err; } /* get the public key */ EVP_PKEY *pkey = X509_get0_pubkey(cert); ASSERT(pkey); /* NULL before SSL_CTX_use_certificate() is called */ pub_rsa = EVP_PKEY_get0_RSA(pkey); /* Certificate might not be RSA but DSA or EC */ if (!pub_rsa) { crypto_msg(M_WARN, "management-external-key requires a RSA certificate"); goto err; } /* initialize RSA object */ const BIGNUM *n = NULL; const BIGNUM *e = NULL; RSA_get0_key(pub_rsa, &n, &e, NULL); RSA_set0_key(rsa, BN_dup(n), BN_dup(e), NULL); RSA_set_flags(rsa, RSA_flags(rsa) | RSA_FLAG_EXT_PKEY); if (!RSA_set_method(rsa, rsa_meth)) { goto err; } /* bind our custom RSA object to ssl_ctx */ if (!SSL_CTX_use_RSAPrivateKey(ctx->ctx, rsa)) { goto err; } X509_free(cert); RSA_free(rsa); /* doesn't necessarily free, just decrements refcount */ return 1; err: if (cert) { X509_free(cert); } if (rsa) { RSA_free(rsa); } else { if (rsa_meth) { free(rsa_meth); } } crypto_msg(M_FATAL, "Cannot enable SSL external private key capability"); return 0; } #endif /* ifdef MANAGMENT_EXTERNAL_KEY */ static int sk_x509_name_cmp(const X509_NAME *const *a, const X509_NAME *const *b) { return X509_NAME_cmp(*a, *b); } void tls_ctx_load_ca(struct tls_root_ctx *ctx, const char *ca_file, const char *ca_file_inline, const char *ca_path, bool tls_server ) { STACK_OF(X509_INFO) *info_stack = NULL; STACK_OF(X509_NAME) *cert_names = NULL; X509_LOOKUP *lookup = NULL; X509_STORE *store = NULL; X509_NAME *xn = NULL; BIO *in = NULL; int i, added = 0, prev = 0; ASSERT(NULL != ctx); store = SSL_CTX_get_cert_store(ctx->ctx); if (!store) { crypto_msg(M_FATAL, "Cannot get certificate store"); } /* Try to add certificates and CRLs from ca_file */ if (ca_file) { if (!strcmp(ca_file, INLINE_FILE_TAG) && ca_file_inline) { in = BIO_new_mem_buf((char *)ca_file_inline, -1); } else { in = BIO_new_file(ca_file, "r"); } if (in) { info_stack = PEM_X509_INFO_read_bio(in, NULL, NULL, NULL); } if (info_stack) { for (i = 0; i < sk_X509_INFO_num(info_stack); i++) { X509_INFO *info = sk_X509_INFO_value(info_stack, i); if (info->crl) { X509_STORE_add_crl(store, info->crl); } if (tls_server && !info->x509) { crypto_msg(M_FATAL, "X509 name was missing in TLS mode"); } if (info->x509) { X509_STORE_add_cert(store, info->x509); added++; if (!tls_server) { continue; } /* Use names of CAs as a client CA list */ if (cert_names == NULL) { cert_names = sk_X509_NAME_new(sk_x509_name_cmp); if (!cert_names) { continue; } } xn = X509_get_subject_name(info->x509); if (!xn) { continue; } /* Don't add duplicate CA names */ if (sk_X509_NAME_find(cert_names, xn) == -1) { xn = X509_NAME_dup(xn); if (!xn) { continue; } sk_X509_NAME_push(cert_names, xn); } } if (tls_server) { int cnum = sk_X509_NAME_num(cert_names); if (cnum != (prev + 1)) { crypto_msg(M_WARN, "Cannot load CA certificate file %s (entry %d did not validate)", np(ca_file), added); } prev = cnum; } } sk_X509_INFO_pop_free(info_stack, X509_INFO_free); } if (tls_server) { SSL_CTX_set_client_CA_list(ctx->ctx, cert_names); } if (!added) { crypto_msg(M_FATAL, "Cannot load CA certificate file %s (no entries were read)", np(ca_file)); } if (tls_server) { int cnum = sk_X509_NAME_num(cert_names); if (cnum != added) { crypto_msg(M_FATAL, "Cannot load CA certificate file %s (only %d " "of %d entries were valid X509 names)", np(ca_file), cnum, added); } } if (in) { BIO_free(in); } } /* Set a store for certs (CA & CRL) with a lookup on the "capath" hash directory */ if (ca_path) { lookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir()); if (lookup && X509_LOOKUP_add_dir(lookup, ca_path, X509_FILETYPE_PEM)) { msg(M_WARN, "WARNING: experimental option --capath %s", ca_path); } else { crypto_msg(M_FATAL, "Cannot add lookup at --capath %s", ca_path); } X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL); } } void tls_ctx_load_extra_certs(struct tls_root_ctx *ctx, const char *extra_certs_file, const char *extra_certs_file_inline ) { BIO *in; if (!strcmp(extra_certs_file, INLINE_FILE_TAG) && extra_certs_file_inline) { in = BIO_new_mem_buf((char *)extra_certs_file_inline, -1); } else { in = BIO_new_file(extra_certs_file, "r"); } if (in == NULL) { crypto_msg(M_FATAL, "Cannot load extra-certs file: %s", extra_certs_file); } else { tls_ctx_add_extra_certs(ctx, in); } BIO_free(in); } /* ************************************** * * Key-state specific functions * ***************************************/ /* * * BIO functions * */ #ifdef BIO_DEBUG #warning BIO_DEBUG defined static FILE *biofp; /* GLOBAL */ static bool biofp_toggle; /* GLOBAL */ static time_t biofp_last_open; /* GLOBAL */ static const int biofp_reopen_interval = 600; /* GLOBAL */ static void close_biofp(void) { if (biofp) { ASSERT(!fclose(biofp)); biofp = NULL; } } static void open_biofp(void) { const time_t current = time(NULL); const pid_t pid = getpid(); if (biofp_last_open + biofp_reopen_interval < current) { close_biofp(); } if (!biofp) { char fn[256]; openvpn_snprintf(fn, sizeof(fn), "bio/%d-%d.log", pid, biofp_toggle); biofp = fopen(fn, "w"); ASSERT(biofp); biofp_last_open = time(NULL); biofp_toggle ^= 1; } } static void bio_debug_data(const char *mode, BIO *bio, const uint8_t *buf, int len, const char *desc) { struct gc_arena gc = gc_new(); if (len > 0) { open_biofp(); fprintf(biofp, "BIO_%s %s time=" time_format " bio=" ptr_format " len=%d data=%s\n", mode, desc, time(NULL), (ptr_type)bio, len, format_hex(buf, len, 0, &gc)); fflush(biofp); } gc_free(&gc); } static void bio_debug_oc(const char *mode, BIO *bio) { open_biofp(); fprintf(biofp, "BIO %s time=" time_format " bio=" ptr_format "\n", mode, time(NULL), (ptr_type)bio); fflush(biofp); } #endif /* ifdef BIO_DEBUG */ /* * OpenVPN's interface to SSL/TLS authentication, * encryption, and decryption is exclusively * through "memory BIOs". */ static BIO * getbio(BIO_METHOD *type, const char *desc) { BIO *ret; ret = BIO_new(type); if (!ret) { crypto_msg(M_FATAL, "Error creating %s BIO", desc); } return ret; } /* * Write to an OpenSSL BIO in non-blocking mode. */ static int bio_write(BIO *bio, const uint8_t *data, int size, const char *desc) { int i; int ret = 0; ASSERT(size >= 0); if (size) { /* * Free the L_TLS lock prior to calling BIO routines * so that foreground thread can still call * tls_pre_decrypt or tls_pre_encrypt, * allowing tunnel packet forwarding to continue. */ #ifdef BIO_DEBUG bio_debug_data("write", bio, data, size, desc); #endif i = BIO_write(bio, data, size); if (i < 0) { if (BIO_should_retry(bio)) { } else { crypto_msg(D_TLS_ERRORS, "TLS ERROR: BIO write %s error", desc); ret = -1; ERR_clear_error(); } } else if (i != size) { crypto_msg(D_TLS_ERRORS, "TLS ERROR: BIO write %s incomplete %d/%d", desc, i, size); ret = -1; ERR_clear_error(); } else { /* successful write */ dmsg(D_HANDSHAKE_VERBOSE, "BIO write %s %d bytes", desc, i); ret = 1; } } return ret; } /* * Inline functions for reading from and writing * to BIOs. */ static void bio_write_post(const int status, struct buffer *buf) { if (status == 1) /* success status return from bio_write? */ { memset(BPTR(buf), 0, BLEN(buf)); /* erase data just written */ buf->len = 0; } } /* * Read from an OpenSSL BIO in non-blocking mode. */ static int bio_read(BIO *bio, struct buffer *buf, int maxlen, const char *desc) { int i; int ret = 0; ASSERT(buf->len >= 0); if (buf->len) { } else { int len = buf_forward_capacity(buf); if (maxlen < len) { len = maxlen; } /* * BIO_read brackets most of the serious RSA * key negotiation number crunching. */ i = BIO_read(bio, BPTR(buf), len); VALGRIND_MAKE_READABLE((void *) &i, sizeof(i)); #ifdef BIO_DEBUG bio_debug_data("read", bio, BPTR(buf), i, desc); #endif if (i < 0) { if (BIO_should_retry(bio)) { } else { crypto_msg(D_TLS_ERRORS, "TLS_ERROR: BIO read %s error", desc); buf->len = 0; ret = -1; ERR_clear_error(); } } else if (!i) { buf->len = 0; } else { /* successful read */ dmsg(D_HANDSHAKE_VERBOSE, "BIO read %s %d bytes", desc, i); buf->len = i; ret = 1; VALGRIND_MAKE_READABLE((void *) BPTR(buf), BLEN(buf)); } } return ret; } void key_state_ssl_init(struct key_state_ssl *ks_ssl, const struct tls_root_ctx *ssl_ctx, bool is_server, struct tls_session *session) { ASSERT(NULL != ssl_ctx); ASSERT(ks_ssl); CLEAR(*ks_ssl); ks_ssl->ssl = SSL_new(ssl_ctx->ctx); if (!ks_ssl->ssl) { crypto_msg(M_FATAL, "SSL_new failed"); } /* put session * in ssl object so we can access it * from verify callback*/ SSL_set_ex_data(ks_ssl->ssl, mydata_index, session); ks_ssl->ssl_bio = getbio(BIO_f_ssl(), "ssl_bio"); ks_ssl->ct_in = getbio(BIO_s_mem(), "ct_in"); ks_ssl->ct_out = getbio(BIO_s_mem(), "ct_out"); #ifdef BIO_DEBUG bio_debug_oc("open ssl_bio", ks_ssl->ssl_bio); bio_debug_oc("open ct_in", ks_ssl->ct_in); bio_debug_oc("open ct_out", ks_ssl->ct_out); #endif if (is_server) { SSL_set_accept_state(ks_ssl->ssl); } else { SSL_set_connect_state(ks_ssl->ssl); } SSL_set_bio(ks_ssl->ssl, ks_ssl->ct_in, ks_ssl->ct_out); BIO_set_ssl(ks_ssl->ssl_bio, ks_ssl->ssl, BIO_NOCLOSE); } void key_state_ssl_free(struct key_state_ssl *ks_ssl) { if (ks_ssl->ssl) { #ifdef BIO_DEBUG bio_debug_oc("close ssl_bio", ks_ssl->ssl_bio); bio_debug_oc("close ct_in", ks_ssl->ct_in); bio_debug_oc("close ct_out", ks_ssl->ct_out); #endif BIO_free_all(ks_ssl->ssl_bio); SSL_free(ks_ssl->ssl); } } int key_state_write_plaintext(struct key_state_ssl *ks_ssl, struct buffer *buf) { int ret = 0; perf_push(PERF_BIO_WRITE_PLAINTEXT); #ifdef ENABLE_CRYPTO_OPENSSL ASSERT(NULL != ks_ssl); ret = bio_write(ks_ssl->ssl_bio, BPTR(buf), BLEN(buf), "tls_write_plaintext"); bio_write_post(ret, buf); #endif /* ENABLE_CRYPTO_OPENSSL */ perf_pop(); return ret; } int key_state_write_plaintext_const(struct key_state_ssl *ks_ssl, const uint8_t *data, int len) { int ret = 0; perf_push(PERF_BIO_WRITE_PLAINTEXT); ASSERT(NULL != ks_ssl); ret = bio_write(ks_ssl->ssl_bio, data, len, "tls_write_plaintext_const"); perf_pop(); return ret; } int key_state_read_ciphertext(struct key_state_ssl *ks_ssl, struct buffer *buf, int maxlen) { int ret = 0; perf_push(PERF_BIO_READ_CIPHERTEXT); ASSERT(NULL != ks_ssl); ret = bio_read(ks_ssl->ct_out, buf, maxlen, "tls_read_ciphertext"); perf_pop(); return ret; } int key_state_write_ciphertext(struct key_state_ssl *ks_ssl, struct buffer *buf) { int ret = 0; perf_push(PERF_BIO_WRITE_CIPHERTEXT); ASSERT(NULL != ks_ssl); ret = bio_write(ks_ssl->ct_in, BPTR(buf), BLEN(buf), "tls_write_ciphertext"); bio_write_post(ret, buf); perf_pop(); return ret; } int key_state_read_plaintext(struct key_state_ssl *ks_ssl, struct buffer *buf, int maxlen) { int ret = 0; perf_push(PERF_BIO_READ_PLAINTEXT); ASSERT(NULL != ks_ssl); ret = bio_read(ks_ssl->ssl_bio, buf, maxlen, "tls_read_plaintext"); perf_pop(); return ret; } /* ************************************** * * Information functions * * Print information for the end user. * ***************************************/ void print_details(struct key_state_ssl *ks_ssl, const char *prefix) { const SSL_CIPHER *ciph; X509 *cert; char s1[256]; char s2[256]; s1[0] = s2[0] = 0; ciph = SSL_get_current_cipher(ks_ssl->ssl); openvpn_snprintf(s1, sizeof(s1), "%s %s, cipher %s %s", prefix, SSL_get_version(ks_ssl->ssl), SSL_CIPHER_get_version(ciph), SSL_CIPHER_get_name(ciph)); cert = SSL_get_peer_certificate(ks_ssl->ssl); if (cert != NULL) { EVP_PKEY *pkey = X509_get_pubkey(cert); if (pkey != NULL) { if ((EVP_PKEY_id(pkey) == EVP_PKEY_RSA) && (EVP_PKEY_get0_RSA(pkey) != NULL)) { RSA *rsa = EVP_PKEY_get0_RSA(pkey); openvpn_snprintf(s2, sizeof(s2), ", %d bit RSA", RSA_bits(rsa)); } else if ((EVP_PKEY_id(pkey) == EVP_PKEY_DSA) && (EVP_PKEY_get0_DSA(pkey) != NULL)) { DSA *dsa = EVP_PKEY_get0_DSA(pkey); openvpn_snprintf(s2, sizeof(s2), ", %d bit DSA", DSA_bits(dsa)); } #ifndef OPENSSL_NO_EC else if ((EVP_PKEY_id(pkey) == EVP_PKEY_EC) && (EVP_PKEY_get0_EC_KEY(pkey) != NULL)) { EC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey); const EC_GROUP *group = EC_KEY_get0_group(ec); const char* curve; int nid = EC_GROUP_get_curve_name(group); if (nid == 0 || (curve = OBJ_nid2sn(nid)) == NULL) { curve = "Error getting curve name"; } openvpn_snprintf(s2, sizeof(s2), ", %d bit EC, curve: %s", EC_GROUP_order_bits(group), curve); } #endif EVP_PKEY_free(pkey); } X509_free(cert); } /* The SSL API does not allow us to look at temporary RSA/DH keys, * otherwise we should print their lengths too */ msg(D_HANDSHAKE, "%s%s", s1, s2); } void show_available_tls_ciphers(const char *cipher_list) { struct tls_root_ctx tls_ctx; SSL *ssl; const char *cipher_name; const tls_cipher_name_pair *pair; int priority = 0; tls_ctx.ctx = SSL_CTX_new(SSLv23_method()); if (!tls_ctx.ctx) { crypto_msg(M_FATAL, "Cannot create SSL_CTX object"); } ssl = SSL_new(tls_ctx.ctx); if (!ssl) { crypto_msg(M_FATAL, "Cannot create SSL object"); } tls_ctx_restrict_ciphers(&tls_ctx, cipher_list); printf("Available TLS Ciphers,\n"); printf("listed in order of preference:\n\n"); while ((cipher_name = SSL_get_cipher_list(ssl, priority++))) { pair = tls_get_cipher_name_pair(cipher_name, strlen(cipher_name)); if (NULL == pair) { /* No translation found, print warning */ printf("%s (No IANA name known to OpenVPN, use OpenSSL name.)\n", cipher_name); } else { printf("%s\n", pair->iana_name); } } printf("\n" SHOW_TLS_CIPHER_LIST_WARNING); SSL_free(ssl); SSL_CTX_free(tls_ctx.ctx); } /* * Show the Elliptic curves that are available for us to use * in the OpenSSL library. */ void show_available_curves(void) { #ifndef OPENSSL_NO_EC EC_builtin_curve *curves = NULL; size_t crv_len = 0; size_t n = 0; crv_len = EC_get_builtin_curves(NULL, 0); ALLOC_ARRAY(curves, EC_builtin_curve, crv_len); if (EC_get_builtin_curves(curves, crv_len)) { printf("Available Elliptic curves:\n"); for (n = 0; n < crv_len; n++) { const char *sname; sname = OBJ_nid2sn(curves[n].nid); if (sname == NULL) { sname = ""; } printf("%s\n", sname); } } else { crypto_msg(M_FATAL, "Cannot get list of builtin curves"); } free(curves); #else /* ifndef OPENSSL_NO_EC */ msg(M_WARN, "Your OpenSSL library was built without elliptic curve support. " "No curves available."); #endif /* ifndef OPENSSL_NO_EC */ } void get_highest_preference_tls_cipher(char *buf, int size) { SSL_CTX *ctx; SSL *ssl; const char *cipher_name; ctx = SSL_CTX_new(SSLv23_method()); if (!ctx) { crypto_msg(M_FATAL, "Cannot create SSL_CTX object"); } ssl = SSL_new(ctx); if (!ssl) { crypto_msg(M_FATAL, "Cannot create SSL object"); } cipher_name = SSL_get_cipher_list(ssl, 0); strncpynt(buf, cipher_name, size); SSL_free(ssl); SSL_CTX_free(ctx); } const char * get_ssl_library_version(void) { return SSLeay_version(SSLEAY_VERSION); } #endif /* defined(ENABLE_CRYPTO) && defined(ENABLE_CRYPTO_OPENSSL) */ openvpn-2.4.4/src/openvpn/ssl_openssl.h000066400000000000000000000045301316434344000202030ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * Copyright (C) 2010-2017 Fox Crypto B.V. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ /** * @file Control Channel OpenSSL Backend */ #ifndef SSL_OPENSSL_H_ #define SSL_OPENSSL_H_ #include /** * SSL_OP_NO_TICKET tells OpenSSL to disable "stateless session resumption", * as this is something we do not want nor need, but could potentially be * used for a future attack. For compatibility reasons we keep building if the * OpenSSL version is too old (pre-0.9.8f) to support stateless session * resumption (and the accompanying SSL_OP_NO_TICKET flag). */ #ifndef SSL_OP_NO_TICKET #define SSL_OP_NO_TICKET 0 #endif /** * Structure that wraps the TLS context. Contents differ depending on the * SSL library used. */ struct tls_root_ctx { SSL_CTX *ctx; time_t crl_last_mtime; off_t crl_last_size; }; struct key_state_ssl { SSL *ssl; /* SSL object -- new obj created for each new key */ BIO *ssl_bio; /* read/write plaintext from here */ BIO *ct_in; /* write ciphertext to here */ BIO *ct_out; /* read ciphertext from here */ }; /** * Allocate space in SSL objects in which to store a struct tls_session * pointer back to parent. */ extern int mydata_index; /* GLOBAL */ void openssl_set_mydata_index(void); #endif /* SSL_OPENSSL_H_ */ openvpn-2.4.4/src/openvpn/ssl_verify.c000066400000000000000000001263711316434344000200270ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * Copyright (C) 2010-2017 Fox Crypto B.V. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ /** * @file Control Channel Verification Module */ #ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) #include "config-msvc.h" #endif #include "syshead.h" #ifdef ENABLE_CRYPTO #include "misc.h" #include "manage.h" #include "otime.h" #include "base64.h" #include "ssl_verify.h" #include "ssl_verify_backend.h" #ifdef ENABLE_CRYPTO_OPENSSL #include "ssl_verify_openssl.h" #endif /** Maximum length of common name */ #define TLS_USERNAME_LEN 64 /** Legal characters in an X509 name with --compat-names */ #define X509_NAME_CHAR_CLASS (CC_ALNUM|CC_UNDERBAR|CC_DASH|CC_DOT|CC_AT|CC_SLASH|CC_COLON|CC_EQUAL) /** Legal characters in a common name with --compat-names */ #define COMMON_NAME_CHAR_CLASS (CC_ALNUM|CC_UNDERBAR|CC_DASH|CC_DOT|CC_AT|CC_SLASH) static void string_mod_remap_name(char *str, const unsigned int restrictive_flags) { if (compat_flag(COMPAT_FLAG_QUERY | COMPAT_NAMES) && !compat_flag(COMPAT_FLAG_QUERY | COMPAT_NO_NAME_REMAPPING)) { string_mod(str, restrictive_flags, 0, '_'); } else { string_mod(str, CC_PRINT, CC_CRLF, '_'); } } /* * Export the untrusted IP address and port to the environment */ static void setenv_untrusted(struct tls_session *session) { setenv_link_socket_actual(session->opt->es, "untrusted", &session->untrusted_addr, SA_IP_PORT); } /** * Wipes the authentication token out of the memory, frees and cleans up related buffers and flags * * @param multi Pointer to a multi object holding the auth_token variables */ static void wipe_auth_token(struct tls_multi *multi) { if(multi) { if (multi->auth_token) { secure_memzero(multi->auth_token, AUTH_TOKEN_SIZE); free(multi->auth_token); } multi->auth_token = NULL; multi->auth_token_sent = false; } } /* * Remove authenticated state from all sessions in the given tunnel */ static void tls_deauthenticate(struct tls_multi *multi) { if (multi) { wipe_auth_token(multi); for (int i = 0; i < TM_SIZE; ++i) { for (int j = 0; j < KS_SIZE; ++j) { multi->session[i].key[j].authenticated = false; } } } } /* * Set the given session's common_name */ static void set_common_name(struct tls_session *session, const char *common_name) { if (session->common_name) { free(session->common_name); session->common_name = NULL; #ifdef ENABLE_PF session->common_name_hashval = 0; #endif } if (common_name) { /* FIXME: Last alloc will never be freed */ session->common_name = string_alloc(common_name, NULL); #ifdef ENABLE_PF { const uint32_t len = (uint32_t) strlen(common_name); if (len) { session->common_name_hashval = hash_func((const uint8_t *)common_name, len+1, 0); } else { session->common_name_hashval = 0; } } #endif } } /* * Retrieve the common name for the given tunnel's active session. If the * common name is NULL or empty, return NULL if null is true, or "UNDEF" if * null is false. */ const char * tls_common_name(const struct tls_multi *multi, const bool null) { const char *ret = NULL; if (multi) { ret = multi->session[TM_ACTIVE].common_name; } if (ret && strlen(ret)) { return ret; } else if (null) { return NULL; } else { return "UNDEF"; } } /* * Lock the common name for the given tunnel. */ void tls_lock_common_name(struct tls_multi *multi) { const char *cn = multi->session[TM_ACTIVE].common_name; if (cn && !multi->locked_cn) { multi->locked_cn = string_alloc(cn, NULL); } } /* * Lock the username for the given tunnel */ static bool tls_lock_username(struct tls_multi *multi, const char *username) { if (multi->locked_username) { if (!username || strcmp(username, multi->locked_username)) { msg(D_TLS_ERRORS, "TLS Auth Error: username attempted to change from '%s' to '%s' -- tunnel disabled", multi->locked_username, np(username)); /* disable the tunnel */ tls_deauthenticate(multi); return false; } } else { if (username) { multi->locked_username = string_alloc(username, NULL); } } return true; } const char * tls_username(const struct tls_multi *multi, const bool null) { const char *ret = NULL; if (multi) { ret = multi->locked_username; } if (ret && strlen(ret)) { return ret; } else if (null) { return NULL; } else { return "UNDEF"; } } void cert_hash_remember(struct tls_session *session, const int error_depth, const struct buffer *cert_hash) { if (error_depth >= 0 && error_depth < MAX_CERT_DEPTH) { if (!session->cert_hash_set) { ALLOC_OBJ_CLEAR(session->cert_hash_set, struct cert_hash_set); } if (!session->cert_hash_set->ch[error_depth]) { ALLOC_OBJ(session->cert_hash_set->ch[error_depth], struct cert_hash); } struct cert_hash *ch = session->cert_hash_set->ch[error_depth]; ASSERT(sizeof(ch->sha256_hash) == BLEN(cert_hash)); memcpy(ch->sha256_hash, BPTR(cert_hash), sizeof(ch->sha256_hash)); } } void cert_hash_free(struct cert_hash_set *chs) { if (chs) { int i; for (i = 0; i < MAX_CERT_DEPTH; ++i) { free(chs->ch[i]); } free(chs); } } bool cert_hash_compare(const struct cert_hash_set *chs1, const struct cert_hash_set *chs2) { if (chs1 && chs2) { int i; for (i = 0; i < MAX_CERT_DEPTH; ++i) { const struct cert_hash *ch1 = chs1->ch[i]; const struct cert_hash *ch2 = chs2->ch[i]; if (!ch1 && !ch2) { continue; } else if (ch1 && ch2 && !memcmp(ch1->sha256_hash, ch2->sha256_hash, sizeof(ch1->sha256_hash))) { continue; } else { return false; } } return true; } else if (!chs1 && !chs2) { return true; } else { return false; } } static struct cert_hash_set * cert_hash_copy(const struct cert_hash_set *chs) { struct cert_hash_set *dest = NULL; if (chs) { int i; ALLOC_OBJ_CLEAR(dest, struct cert_hash_set); for (i = 0; i < MAX_CERT_DEPTH; ++i) { const struct cert_hash *ch = chs->ch[i]; if (ch) { ALLOC_OBJ(dest->ch[i], struct cert_hash); memcpy(dest->ch[i]->sha256_hash, ch->sha256_hash, sizeof(dest->ch[i]->sha256_hash)); } } } return dest; } void tls_lock_cert_hash_set(struct tls_multi *multi) { const struct cert_hash_set *chs = multi->session[TM_ACTIVE].cert_hash_set; if (chs && !multi->locked_cert_hash_set) { multi->locked_cert_hash_set = cert_hash_copy(chs); } } /* * Returns the string associated with the given certificate type. */ static const char * print_nsCertType(int type) { switch (type) { case NS_CERT_CHECK_SERVER: return "SERVER"; case NS_CERT_CHECK_CLIENT: return "CLIENT"; default: return "?"; } } /* * Verify the peer's certificate fields. * * @param opt the tls options to verify against * @param peer_cert the peer's certificate * @param subject the peer's extracted subject name * @param subject the peer's extracted common name */ static result_t verify_peer_cert(const struct tls_options *opt, openvpn_x509_cert_t *peer_cert, const char *subject, const char *common_name) { /* verify certificate nsCertType */ if (opt->ns_cert_type != NS_CERT_CHECK_NONE) { if (SUCCESS == x509_verify_ns_cert_type(peer_cert, opt->ns_cert_type)) { msg(D_HANDSHAKE, "VERIFY OK: nsCertType=%s", print_nsCertType(opt->ns_cert_type)); } else { msg(D_HANDSHAKE, "VERIFY nsCertType ERROR: %s, require nsCertType=%s", subject, print_nsCertType(opt->ns_cert_type)); return FAILURE; /* Reject connection */ } } /* verify certificate ku */ if (opt->remote_cert_ku[0] != 0) { if (SUCCESS == x509_verify_cert_ku(peer_cert, opt->remote_cert_ku, MAX_PARMS)) { msg(D_HANDSHAKE, "VERIFY KU OK"); } else { msg(D_HANDSHAKE, "VERIFY KU ERROR"); return FAILURE; /* Reject connection */ } } /* verify certificate eku */ if (opt->remote_cert_eku != NULL) { if (SUCCESS == x509_verify_cert_eku(peer_cert, opt->remote_cert_eku)) { msg(D_HANDSHAKE, "VERIFY EKU OK"); } else { msg(D_HANDSHAKE, "VERIFY EKU ERROR"); return FAILURE; /* Reject connection */ } } /* verify X509 name or username against --verify-x509-[user]name */ if (opt->verify_x509_type != VERIFY_X509_NONE) { if ( (opt->verify_x509_type == VERIFY_X509_SUBJECT_DN && strcmp(opt->verify_x509_name, subject) == 0) || (opt->verify_x509_type == VERIFY_X509_SUBJECT_RDN && strcmp(opt->verify_x509_name, common_name) == 0) || (opt->verify_x509_type == VERIFY_X509_SUBJECT_RDN_PREFIX && strncmp(opt->verify_x509_name, common_name, strlen(opt->verify_x509_name)) == 0) ) { msg(D_HANDSHAKE, "VERIFY X509NAME OK: %s", subject); } else { msg(D_HANDSHAKE, "VERIFY X509NAME ERROR: %s, must be %s", subject, opt->verify_x509_name); return FAILURE; /* Reject connection */ } } return SUCCESS; } /* * Export the subject, common_name, and raw certificate fields to the * environment for later verification by scripts and plugins. */ static void verify_cert_set_env(struct env_set *es, openvpn_x509_cert_t *peer_cert, int cert_depth, const char *subject, const char *common_name, const struct x509_track *x509_track) { char envname[64]; char *serial = NULL; struct gc_arena gc = gc_new(); /* Save X509 fields in environment */ if (x509_track) { x509_setenv_track(x509_track, es, cert_depth, peer_cert); } else { x509_setenv(es, cert_depth, peer_cert); } /* export subject name string as environmental variable */ openvpn_snprintf(envname, sizeof(envname), "tls_id_%d", cert_depth); setenv_str(es, envname, subject); #if 0 /* export common name string as environmental variable */ openvpn_snprintf(envname, sizeof(envname), "tls_common_name_%d", cert_depth); setenv_str(es, envname, common_name); #endif /* export X509 cert fingerprints */ { struct buffer sha1 = x509_get_sha1_fingerprint(peer_cert, &gc); struct buffer sha256 = x509_get_sha256_fingerprint(peer_cert, &gc); openvpn_snprintf(envname, sizeof(envname), "tls_digest_%d", cert_depth); setenv_str(es, envname, format_hex_ex(BPTR(&sha1), BLEN(&sha1), 0, 1, ":", &gc)); openvpn_snprintf(envname, sizeof(envname), "tls_digest_sha256_%d", cert_depth); setenv_str(es, envname, format_hex_ex(BPTR(&sha256), BLEN(&sha256), 0, 1, ":", &gc)); } /* export serial number as environmental variable */ serial = backend_x509_get_serial(peer_cert, &gc); openvpn_snprintf(envname, sizeof(envname), "tls_serial_%d", cert_depth); setenv_str(es, envname, serial); /* export serial number in hex as environmental variable */ serial = backend_x509_get_serial_hex(peer_cert, &gc); openvpn_snprintf(envname, sizeof(envname), "tls_serial_hex_%d", cert_depth); setenv_str(es, envname, serial); gc_free(&gc); } /* * call --tls-verify plug-in(s) */ static result_t verify_cert_call_plugin(const struct plugin_list *plugins, struct env_set *es, int cert_depth, openvpn_x509_cert_t *cert, char *subject) { if (plugin_defined(plugins, OPENVPN_PLUGIN_TLS_VERIFY)) { int ret; struct argv argv = argv_new(); argv_printf(&argv, "%d %s", cert_depth, subject); ret = plugin_call_ssl(plugins, OPENVPN_PLUGIN_TLS_VERIFY, &argv, NULL, es, cert_depth, cert); argv_reset(&argv); if (ret == OPENVPN_PLUGIN_FUNC_SUCCESS) { msg(D_HANDSHAKE, "VERIFY PLUGIN OK: depth=%d, %s", cert_depth, subject); } else { msg(D_HANDSHAKE, "VERIFY PLUGIN ERROR: depth=%d, %s", cert_depth, subject); return FAILURE; /* Reject connection */ } } return SUCCESS; } static const char * verify_cert_export_cert(openvpn_x509_cert_t *peercert, const char *tmp_dir, struct gc_arena *gc) { FILE *peercert_file; const char *peercert_filename = ""; if (!tmp_dir) { return NULL; } /* create tmp file to store peer cert */ peercert_filename = create_temp_file(tmp_dir, "pcf", gc); /* write peer-cert in tmp-file */ peercert_file = fopen(peercert_filename, "w+"); if (!peercert_file) { msg(M_ERR, "Failed to open temporary file : %s", peercert_filename); return NULL; } if (SUCCESS != x509_write_pem(peercert_file, peercert)) { msg(M_ERR, "Error writing PEM file containing certificate"); } fclose(peercert_file); return peercert_filename; } /* * run --tls-verify script */ static result_t verify_cert_call_command(const char *verify_command, struct env_set *es, int cert_depth, openvpn_x509_cert_t *cert, char *subject, const char *verify_export_cert) { const char *tmp_file = NULL; int ret; struct gc_arena gc = gc_new(); struct argv argv = argv_new(); setenv_str(es, "script_type", "tls-verify"); if (verify_export_cert) { if ((tmp_file = verify_cert_export_cert(cert, verify_export_cert, &gc))) { setenv_str(es, "peer_cert", tmp_file); } } argv_parse_cmd(&argv, verify_command); argv_printf_cat(&argv, "%d %s", cert_depth, subject); argv_msg_prefix(D_TLS_DEBUG, &argv, "TLS: executing verify command"); ret = openvpn_run_script(&argv, es, 0, "--tls-verify script"); if (verify_export_cert) { if (tmp_file) { platform_unlink(tmp_file); } } gc_free(&gc); argv_reset(&argv); if (ret) { msg(D_HANDSHAKE, "VERIFY SCRIPT OK: depth=%d, %s", cert_depth, subject); return SUCCESS; } msg(D_HANDSHAKE, "VERIFY SCRIPT ERROR: depth=%d, %s", cert_depth, subject); return FAILURE; /* Reject connection */ } /* * check peer cert against CRL directory */ static result_t verify_check_crl_dir(const char *crl_dir, openvpn_x509_cert_t *cert) { result_t ret = FAILURE; char fn[256]; int fd = -1; struct gc_arena gc = gc_new(); char *serial = backend_x509_get_serial(cert, &gc); if (!openvpn_snprintf(fn, sizeof(fn), "%s%c%s", crl_dir, OS_SPECIFIC_DIRSEP, serial)) { msg(D_HANDSHAKE, "VERIFY CRL: filename overflow"); goto cleanup; } fd = platform_open(fn, O_RDONLY, 0); if (fd >= 0) { msg(D_HANDSHAKE, "VERIFY CRL: certificate serial number %s is revoked", serial); goto cleanup; } ret = SUCCESS; cleanup: if (fd != -1) { close(fd); } gc_free(&gc); return ret; } result_t verify_cert(struct tls_session *session, openvpn_x509_cert_t *cert, int cert_depth) { result_t ret = FAILURE; char *subject = NULL; char common_name[TLS_USERNAME_LEN+1] = {0}; /* null-terminated */ const struct tls_options *opt; struct gc_arena gc = gc_new(); opt = session->opt; ASSERT(opt); session->verified = false; /* get the X509 name */ subject = x509_get_subject(cert, &gc); if (!subject) { msg(D_TLS_ERRORS, "VERIFY ERROR: depth=%d, could not extract X509 " "subject string from certificate", cert_depth); goto cleanup; } /* enforce character class restrictions in X509 name */ string_mod_remap_name(subject, X509_NAME_CHAR_CLASS); string_replace_leading(subject, '-', '_'); /* extract the username (default is CN) */ if (SUCCESS != backend_x509_get_username(common_name, sizeof(common_name), opt->x509_username_field, cert)) { if (!cert_depth) { msg(D_TLS_ERRORS, "VERIFY ERROR: could not extract %s from X509 " "subject string ('%s') -- note that the username length is " "limited to %d characters", opt->x509_username_field, subject, TLS_USERNAME_LEN); goto cleanup; } } /* enforce character class restrictions in common name */ string_mod_remap_name(common_name, COMMON_NAME_CHAR_CLASS); /* warn if cert chain is too deep */ if (cert_depth >= MAX_CERT_DEPTH) { msg(D_TLS_ERRORS, "TLS Error: Convoluted certificate chain detected with depth [%d] greater than %d", cert_depth, MAX_CERT_DEPTH); goto cleanup; /* Reject connection */ } /* verify level 1 cert, i.e. the CA that signed our leaf cert */ if (cert_depth == 1 && opt->verify_hash) { struct buffer ca_hash = {0}; switch (opt->verify_hash_algo) { case MD_SHA1: ca_hash = x509_get_sha1_fingerprint(cert, &gc); break; case MD_SHA256: ca_hash = x509_get_sha256_fingerprint(cert, &gc); break; default: /* This should normally not happen at all; the algorithm used * is parsed by add_option() [options.c] and set to a predefined * value in an enumerated type. So if this unlikely scenario * happens, consider this a failure */ msg(M_WARN, "Unexpected invalid algorithm used with " "--verify-hash (%i)", opt->verify_hash_algo); ret = FAILURE; goto cleanup; } if (memcmp(BPTR(&ca_hash), opt->verify_hash, BLEN(&ca_hash))) { msg(D_TLS_ERRORS, "TLS Error: level-1 certificate hash verification failed"); goto cleanup; } } /* save common name in session object */ if (cert_depth == 0) { set_common_name(session, common_name); } session->verify_maxlevel = max_int(session->verify_maxlevel, cert_depth); /* export certificate values to the environment */ verify_cert_set_env(opt->es, cert, cert_depth, subject, common_name, opt->x509_track); /* export current untrusted IP */ setenv_untrusted(session); /* If this is the peer's own certificate, verify it */ if (cert_depth == 0 && SUCCESS != verify_peer_cert(opt, cert, subject, common_name)) { goto cleanup; } /* call --tls-verify plug-in(s), if registered */ if (SUCCESS != verify_cert_call_plugin(opt->plugins, opt->es, cert_depth, cert, subject)) { goto cleanup; } /* run --tls-verify script */ if (opt->verify_command && SUCCESS != verify_cert_call_command(opt->verify_command, opt->es, cert_depth, cert, subject, opt->verify_export_cert)) { goto cleanup; } /* check peer cert against CRL */ if (opt->crl_file) { if (opt->ssl_flags & SSLF_CRL_VERIFY_DIR) { if (SUCCESS != verify_check_crl_dir(opt->crl_file, cert)) { goto cleanup; } } else { if (tls_verify_crl_missing(opt)) { msg(D_TLS_ERRORS, "VERIFY ERROR: CRL not loaded"); goto cleanup; } } } msg(D_HANDSHAKE, "VERIFY OK: depth=%d, %s", cert_depth, subject); session->verified = true; ret = SUCCESS; cleanup: if (ret != SUCCESS) { tls_clear_error(); /* always? */ session->verified = false; /* double sure? */ } gc_free(&gc); return ret; } /* *************************************************************************** * Functions for the management of deferred authentication when using * user/password authentication. *************************************************************************** */ #ifdef ENABLE_DEF_AUTH /* key_state_test_auth_control_file return values, * NOTE: acf_merge indexing depends on these values */ #define ACF_UNDEFINED 0 #define ACF_SUCCEEDED 1 #define ACF_DISABLED 2 #define ACF_FAILED 3 #endif #ifdef MANAGEMENT_DEF_AUTH void man_def_auth_set_client_reason(struct tls_multi *multi, const char *client_reason) { if (multi->client_reason) { free(multi->client_reason); multi->client_reason = NULL; } if (client_reason && strlen(client_reason)) { /* FIXME: Last alloc will never be freed */ multi->client_reason = string_alloc(client_reason, NULL); } } static inline unsigned int man_def_auth_test(const struct key_state *ks) { if (management_enable_def_auth(management)) { return ks->mda_status; } else { return ACF_DISABLED; } } #endif /* ifdef MANAGEMENT_DEF_AUTH */ #ifdef PLUGIN_DEF_AUTH /* * auth_control_file functions */ void key_state_rm_auth_control_file(struct key_state *ks) { if (ks && ks->auth_control_file) { platform_unlink(ks->auth_control_file); free(ks->auth_control_file); ks->auth_control_file = NULL; } } static void key_state_gen_auth_control_file(struct key_state *ks, const struct tls_options *opt) { struct gc_arena gc = gc_new(); const char *acf; key_state_rm_auth_control_file(ks); acf = create_temp_file(opt->tmp_dir, "acf", &gc); if (acf) { ks->auth_control_file = string_alloc(acf, NULL); setenv_str(opt->es, "auth_control_file", ks->auth_control_file); } /* FIXME: Should have better error handling? */ gc_free(&gc); } static unsigned int key_state_test_auth_control_file(struct key_state *ks) { if (ks && ks->auth_control_file) { unsigned int ret = ks->auth_control_status; if (ret == ACF_UNDEFINED) { FILE *fp = fopen(ks->auth_control_file, "r"); if (fp) { const int c = fgetc(fp); if (c == '1') { ret = ACF_SUCCEEDED; } else if (c == '0') { ret = ACF_FAILED; } fclose(fp); ks->auth_control_status = ret; } } return ret; } return ACF_DISABLED; } #endif /* ifdef PLUGIN_DEF_AUTH */ /* * Return current session authentication state. Return * value is TLS_AUTHENTICATION_x. */ int tls_authentication_status(struct tls_multi *multi, const int latency) { bool deferred = false; bool success = false; bool active = false; #ifdef ENABLE_DEF_AUTH static const unsigned char acf_merge[] = { ACF_UNDEFINED, /* s1=ACF_UNDEFINED s2=ACF_UNDEFINED */ ACF_UNDEFINED, /* s1=ACF_UNDEFINED s2=ACF_SUCCEEDED */ ACF_UNDEFINED, /* s1=ACF_UNDEFINED s2=ACF_DISABLED */ ACF_FAILED, /* s1=ACF_UNDEFINED s2=ACF_FAILED */ ACF_UNDEFINED, /* s1=ACF_SUCCEEDED s2=ACF_UNDEFINED */ ACF_SUCCEEDED, /* s1=ACF_SUCCEEDED s2=ACF_SUCCEEDED */ ACF_SUCCEEDED, /* s1=ACF_SUCCEEDED s2=ACF_DISABLED */ ACF_FAILED, /* s1=ACF_SUCCEEDED s2=ACF_FAILED */ ACF_UNDEFINED, /* s1=ACF_DISABLED s2=ACF_UNDEFINED */ ACF_SUCCEEDED, /* s1=ACF_DISABLED s2=ACF_SUCCEEDED */ ACF_DISABLED, /* s1=ACF_DISABLED s2=ACF_DISABLED */ ACF_FAILED, /* s1=ACF_DISABLED s2=ACF_FAILED */ ACF_FAILED, /* s1=ACF_FAILED s2=ACF_UNDEFINED */ ACF_FAILED, /* s1=ACF_FAILED s2=ACF_SUCCEEDED */ ACF_FAILED, /* s1=ACF_FAILED s2=ACF_DISABLED */ ACF_FAILED /* s1=ACF_FAILED s2=ACF_FAILED */ }; #endif /* ENABLE_DEF_AUTH */ if (multi) { int i; #ifdef ENABLE_DEF_AUTH if (latency && multi->tas_last && multi->tas_last + latency >= now) { return TLS_AUTHENTICATION_UNDEFINED; } multi->tas_last = now; #endif /* ENABLE_DEF_AUTH */ for (i = 0; i < KEY_SCAN_SIZE; ++i) { struct key_state *ks = multi->key_scan[i]; if (DECRYPT_KEY_ENABLED(multi, ks)) { active = true; if (ks->authenticated) { #ifdef ENABLE_DEF_AUTH unsigned int s1 = ACF_DISABLED; unsigned int s2 = ACF_DISABLED; #ifdef PLUGIN_DEF_AUTH s1 = key_state_test_auth_control_file(ks); #endif /* PLUGIN_DEF_AUTH */ #ifdef MANAGEMENT_DEF_AUTH s2 = man_def_auth_test(ks); #endif /* MANAGEMENT_DEF_AUTH */ ASSERT(s1 < 4 && s2 < 4); switch (acf_merge[(s1<<2) + s2]) { case ACF_SUCCEEDED: case ACF_DISABLED: success = true; ks->auth_deferred = false; break; case ACF_UNDEFINED: if (now < ks->auth_deferred_expire) { deferred = true; } break; case ACF_FAILED: ks->authenticated = false; break; default: ASSERT(0); } #else /* !ENABLE_DEF_AUTH */ success = true; #endif /* ENABLE_DEF_AUTH */ } } } } #if 0 dmsg(D_TLS_ERRORS, "TAS: a=%d s=%d d=%d", active, success, deferred); #endif if (success) { return TLS_AUTHENTICATION_SUCCEEDED; } else if (!active || deferred) { return TLS_AUTHENTICATION_DEFERRED; } else { return TLS_AUTHENTICATION_FAILED; } } #ifdef MANAGEMENT_DEF_AUTH /* * For deferred auth, this is where the management interface calls (on server) * to indicate auth failure/success. */ bool tls_authenticate_key(struct tls_multi *multi, const unsigned int mda_key_id, const bool auth, const char *client_reason) { bool ret = false; if (multi) { int i; man_def_auth_set_client_reason(multi, client_reason); for (i = 0; i < KEY_SCAN_SIZE; ++i) { struct key_state *ks = multi->key_scan[i]; if (ks->mda_key_id == mda_key_id) { ks->mda_status = auth ? ACF_SUCCEEDED : ACF_FAILED; ret = true; } } } return ret; } #endif /* ifdef MANAGEMENT_DEF_AUTH */ /* **************************************************************************** * Functions to verify username and password * * Authenticate a client using username/password. * Runs on server. * * If you want to add new authentication methods, * this is the place to start. *************************************************************************** */ /* * Verify the user name and password using a script */ static bool verify_user_pass_script(struct tls_session *session, const struct user_pass *up) { struct gc_arena gc = gc_new(); struct argv argv = argv_new(); const char *tmp_file = ""; bool ret = false; /* Is username defined? */ if ((session->opt->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL) || strlen(up->username)) { /* Set environmental variables prior to calling script */ setenv_str(session->opt->es, "script_type", "user-pass-verify"); if (session->opt->auth_user_pass_verify_script_via_file) { struct status_output *so; tmp_file = create_temp_file(session->opt->tmp_dir, "up", &gc); if (tmp_file) { so = status_open(tmp_file, 0, -1, NULL, STATUS_OUTPUT_WRITE); status_printf(so, "%s", up->username); status_printf(so, "%s", up->password); if (!status_close(so)) { msg(D_TLS_ERRORS, "TLS Auth Error: could not write username/password to file: %s", tmp_file); goto done; } } else { msg(D_TLS_ERRORS, "TLS Auth Error: could not create write " "username/password to temp file"); } } else { setenv_str(session->opt->es, "username", up->username); setenv_str(session->opt->es, "password", up->password); } /* setenv incoming cert common name for script */ setenv_str(session->opt->es, "common_name", session->common_name); /* setenv client real IP address */ setenv_untrusted(session); /* format command line */ argv_parse_cmd(&argv, session->opt->auth_user_pass_verify_script); argv_printf_cat(&argv, "%s", tmp_file); /* call command */ ret = openvpn_run_script(&argv, session->opt->es, 0, "--auth-user-pass-verify"); if (!session->opt->auth_user_pass_verify_script_via_file) { setenv_del(session->opt->es, "password"); } } else { msg(D_TLS_ERRORS, "TLS Auth Error: peer provided a blank username"); } done: if (tmp_file && strlen(tmp_file) > 0) { platform_unlink(tmp_file); } argv_reset(&argv); gc_free(&gc); return ret; } /* * Verify the username and password using a plugin */ static int verify_user_pass_plugin(struct tls_session *session, const struct user_pass *up, const char *raw_username) { int retval = OPENVPN_PLUGIN_FUNC_ERROR; #ifdef PLUGIN_DEF_AUTH struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */ #endif /* Is username defined? */ if ((session->opt->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL) || strlen(up->username)) { /* set username/password in private env space */ setenv_str(session->opt->es, "username", (raw_username ? raw_username : up->username)); setenv_str(session->opt->es, "password", up->password); /* setenv incoming cert common name for script */ setenv_str(session->opt->es, "common_name", session->common_name); /* setenv client real IP address */ setenv_untrusted(session); #ifdef PLUGIN_DEF_AUTH /* generate filename for deferred auth control file */ key_state_gen_auth_control_file(ks, session->opt); #endif /* call command */ retval = plugin_call(session->opt->plugins, OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY, NULL, NULL, session->opt->es); #ifdef PLUGIN_DEF_AUTH /* purge auth control filename (and file itself) for non-deferred returns */ if (retval != OPENVPN_PLUGIN_FUNC_DEFERRED) { key_state_rm_auth_control_file(ks); } #endif setenv_del(session->opt->es, "password"); if (raw_username) { setenv_str(session->opt->es, "username", up->username); } } else { msg(D_TLS_ERRORS, "TLS Auth Error (verify_user_pass_plugin): peer provided a blank username"); } return retval; } #ifdef MANAGEMENT_DEF_AUTH /* * MANAGEMENT_DEF_AUTH internal ssl_verify.c status codes */ #define KMDA_ERROR 0 #define KMDA_SUCCESS 1 #define KMDA_UNDEF 2 #define KMDA_DEF 3 static int verify_user_pass_management(struct tls_session *session, const struct user_pass *up, const char *raw_username) { int retval = KMDA_ERROR; struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */ /* Is username defined? */ if ((session->opt->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL) || strlen(up->username)) { /* set username/password in private env space */ setenv_str(session->opt->es, "username", (raw_username ? raw_username : up->username)); setenv_str(session->opt->es, "password", up->password); /* setenv incoming cert common name for script */ setenv_str(session->opt->es, "common_name", session->common_name); /* setenv client real IP address */ setenv_untrusted(session); if (management) { management_notify_client_needing_auth(management, ks->mda_key_id, session->opt->mda_context, session->opt->es); } setenv_del(session->opt->es, "password"); if (raw_username) { setenv_str(session->opt->es, "username", up->username); } retval = KMDA_SUCCESS; } else { msg(D_TLS_ERRORS, "TLS Auth Error (verify_user_pass_management): peer provided a blank username"); } return retval; } #endif /* ifdef MANAGEMENT_DEF_AUTH */ /* * Main username/password verification entry point */ void verify_user_pass(struct user_pass *up, struct tls_multi *multi, struct tls_session *session) { int s1 = OPENVPN_PLUGIN_FUNC_SUCCESS; bool s2 = true; struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */ struct gc_arena gc = gc_new(); char *raw_username = NULL; #ifdef MANAGEMENT_DEF_AUTH int man_def_auth = KMDA_UNDEF; if (management_enable_def_auth(management)) { man_def_auth = KMDA_DEF; } #endif /* * Preserve the raw username before string_mod remapping, for plugins * and management clients when in --compat-names mode */ if (compat_flag(COMPAT_FLAG_QUERY | COMPAT_NAMES)) { ALLOC_ARRAY_CLEAR_GC(raw_username, char, USER_PASS_LEN, &gc); strcpy(raw_username, up->username); string_mod(raw_username, CC_PRINT, CC_CRLF, '_'); } /* enforce character class restrictions in username/password */ string_mod_remap_name(up->username, COMMON_NAME_CHAR_CLASS); string_mod(up->password, CC_PRINT, CC_CRLF, '_'); /* If server is configured with --auth-gen-token and we have an * authentication token for this client, this authentication * round will be done internally using the token instead of * calling any external authentication modules. */ if (session->opt->auth_token_generate && multi->auth_token_sent && NULL != multi->auth_token) { unsigned int ssl_flags = session->opt->ssl_flags; /* Ensure that the username has not changed */ if (!tls_lock_username(multi, up->username)) { /* auth-token cleared in tls_lock_username() on failure */ ks->authenticated = false; goto done; } /* If auth-token lifetime has been enabled, * ensure the token has not expired */ if (session->opt->auth_token_lifetime > 0 && (multi->auth_token_tstamp + session->opt->auth_token_lifetime) < now) { msg(D_HANDSHAKE, "Auth-token for client expired\n"); wipe_auth_token(multi); ks->authenticated = false; goto done; } /* The core authentication of the token itself */ if (memcmp_constant_time(multi->auth_token, up->password, strlen(multi->auth_token)) != 0) { ks->authenticated = false; tls_deauthenticate(multi); msg(D_TLS_ERRORS, "TLS Auth Error: Auth-token verification " "failed for username '%s' %s", up->username, (ssl_flags & SSLF_USERNAME_AS_COMMON_NAME) ? "[CN SET]" : ""); } else { ks->authenticated = true; if (ssl_flags & SSLF_USERNAME_AS_COMMON_NAME) { set_common_name(session, up->username); } msg(D_HANDSHAKE, "TLS: Username/auth-token authentication " "succeeded for username '%s' %s", up->username, (ssl_flags & SSLF_USERNAME_AS_COMMON_NAME) ? "[CN SET]" : ""); } goto done; } /* call plugin(s) and/or script */ #ifdef MANAGEMENT_DEF_AUTH if (man_def_auth == KMDA_DEF) { man_def_auth = verify_user_pass_management(session, up, raw_username); } #endif if (plugin_defined(session->opt->plugins, OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY)) { s1 = verify_user_pass_plugin(session, up, raw_username); } if (session->opt->auth_user_pass_verify_script) { s2 = verify_user_pass_script(session, up); } /* check sizing of username if it will become our common name */ if ((session->opt->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME) && strlen(up->username) > TLS_USERNAME_LEN) { msg(D_TLS_ERRORS, "TLS Auth Error: --username-as-common name specified and username is longer than the maximum permitted Common Name length of %d characters", TLS_USERNAME_LEN); s1 = OPENVPN_PLUGIN_FUNC_ERROR; } /* auth succeeded? */ if ((s1 == OPENVPN_PLUGIN_FUNC_SUCCESS #ifdef PLUGIN_DEF_AUTH || s1 == OPENVPN_PLUGIN_FUNC_DEFERRED #endif ) && s2 #ifdef MANAGEMENT_DEF_AUTH && man_def_auth != KMDA_ERROR #endif && tls_lock_username(multi, up->username)) { ks->authenticated = true; #ifdef PLUGIN_DEF_AUTH if (s1 == OPENVPN_PLUGIN_FUNC_DEFERRED) { ks->auth_deferred = true; } #endif #ifdef MANAGEMENT_DEF_AUTH if (man_def_auth != KMDA_UNDEF) { ks->auth_deferred = true; } #endif if ((session->opt->auth_token_generate) && (NULL == multi->auth_token)) { /* Server is configured with --auth-gen-token but no token has yet * been generated for this client. Generate one and save it. */ uint8_t tok[AUTH_TOKEN_SIZE]; if (!rand_bytes(tok, AUTH_TOKEN_SIZE)) { msg( M_FATAL, "Failed to get enough randomness for " "authentication token"); } /* The token should be longer than the input when * being base64 encoded */ ASSERT(openvpn_base64_encode(tok, AUTH_TOKEN_SIZE, &multi->auth_token) > AUTH_TOKEN_SIZE); multi->auth_token_tstamp = now; dmsg(D_SHOW_KEYS, "Generated token for client: %s", multi->auth_token); } if ((session->opt->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME)) { set_common_name(session, up->username); } #ifdef ENABLE_DEF_AUTH msg(D_HANDSHAKE, "TLS: Username/Password authentication %s for username '%s' %s", ks->auth_deferred ? "deferred" : "succeeded", up->username, (session->opt->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME) ? "[CN SET]" : ""); #else msg(D_HANDSHAKE, "TLS: Username/Password authentication %s for username '%s' %s", "succeeded", up->username, (session->opt->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME) ? "[CN SET]" : ""); #endif } else { msg(D_TLS_ERRORS, "TLS Auth Error: Auth Username/Password verification failed for peer"); } done: gc_free(&gc); } void verify_final_auth_checks(struct tls_multi *multi, struct tls_session *session) { struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */ /* While it shouldn't really happen, don't allow the common name to be NULL */ if (!session->common_name) { set_common_name(session, ""); } /* Don't allow the CN to change once it's been locked */ if (ks->authenticated && multi->locked_cn) { const char *cn = session->common_name; if (cn && strcmp(cn, multi->locked_cn)) { msg(D_TLS_ERRORS, "TLS Auth Error: TLS object CN attempted to change from '%s' to '%s' -- tunnel disabled", multi->locked_cn, cn); /* change the common name back to its original value and disable the tunnel */ set_common_name(session, multi->locked_cn); tls_deauthenticate(multi); } } /* Don't allow the cert hashes to change once they have been locked */ if (ks->authenticated && multi->locked_cert_hash_set) { const struct cert_hash_set *chs = session->cert_hash_set; if (chs && !cert_hash_compare(chs, multi->locked_cert_hash_set)) { msg(D_TLS_ERRORS, "TLS Auth Error: TLS object CN=%s client-provided SSL certs unexpectedly changed during mid-session reauth", session->common_name); /* disable the tunnel */ tls_deauthenticate(multi); } } /* verify --client-config-dir based authentication */ if (ks->authenticated && session->opt->client_config_dir_exclusive) { struct gc_arena gc = gc_new(); const char *cn = session->common_name; const char *path = gen_path(session->opt->client_config_dir_exclusive, cn, &gc); if (!cn || !strcmp(cn, CCD_DEFAULT) || !test_file(path)) { ks->authenticated = false; wipe_auth_token(multi); msg(D_TLS_ERRORS, "TLS Auth Error: --client-config-dir authentication failed for common name '%s' file='%s'", session->common_name, path ? path : "UNDEF"); } gc_free(&gc); } } void tls_x509_clear_env(struct env_set *es) { struct env_item *item = es->list; while (item) { struct env_item *next = item->next; if (item->string && 0 == strncmp("X509_", item->string, strlen("X509_"))) { env_set_del(es, item->string); } item = next; } } #endif /* ENABLE_CRYPTO */ openvpn-2.4.4/src/openvpn/ssl_verify.h000066400000000000000000000161261316434344000200300ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * Copyright (C) 2010-2017 Fox Crypto B.V. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ /** * @file Control Channel Verification Module */ #ifndef SSL_VERIFY_H_ #define SSL_VERIFY_H_ #ifdef ENABLE_CRYPTO #include "syshead.h" #include "misc.h" #include "ssl_common.h" /* Include OpenSSL-specific code */ #ifdef ENABLE_CRYPTO_OPENSSL #include "ssl_verify_openssl.h" #endif #ifdef ENABLE_CRYPTO_MBEDTLS #include "ssl_verify_mbedtls.h" #endif #include "ssl_verify_backend.h" /* * Keep track of certificate hashes at various depths */ /** Maximum certificate depth we will allow */ #define MAX_CERT_DEPTH 16 /** Structure containing the hash for a single certificate */ struct cert_hash { unsigned char sha256_hash[256/8]; }; /** Structure containing the hashes for a full certificate chain */ struct cert_hash_set { struct cert_hash *ch[MAX_CERT_DEPTH]; /**< Array of certificate hashes */ }; #define VERIFY_X509_NONE 0 #define VERIFY_X509_SUBJECT_DN 1 #define VERIFY_X509_SUBJECT_RDN 2 #define VERIFY_X509_SUBJECT_RDN_PREFIX 3 #define TLS_AUTHENTICATION_SUCCEEDED 0 #define TLS_AUTHENTICATION_FAILED 1 #define TLS_AUTHENTICATION_DEFERRED 2 #define TLS_AUTHENTICATION_UNDEFINED 3 /* * Return current session authentication state. Return * value is TLS_AUTHENTICATION_x. * * TODO: document this function */ int tls_authentication_status(struct tls_multi *multi, const int latency); /** Check whether the \a ks \c key_state is ready to receive data channel * packets. * @ingroup data_crypto * * If true, it is safe to assume that this session has been authenticated * by TLS. * * @note This macro only works if S_SENT_KEY + 1 == S_GOT_KEY. */ #define DECRYPT_KEY_ENABLED(multi, ks) ((ks)->state >= (S_GOT_KEY - (multi)->opt.server)) /** * Remove the given key state's auth control file, if it exists. * * @param ks The key state the remove the file for */ void key_state_rm_auth_control_file(struct key_state *ks); /** * Frees the given set of certificate hashes. * * @param chs The certificate hash set to free. */ void cert_hash_free(struct cert_hash_set *chs); /** * Locks the certificate hash set used in the given tunnel * * @param multi The tunnel to lock */ void tls_lock_cert_hash_set(struct tls_multi *multi); /** * Locks the common name field for the given tunnel * * @param multi The tunnel to lock */ void tls_lock_common_name(struct tls_multi *multi); /** * Returns the common name field for the given tunnel * * @param multi The tunnel to return the common name for * @param null Whether null may be returned. If not, "UNDEF" will be returned. */ const char *tls_common_name(const struct tls_multi *multi, const bool null); /** * Returns the username field for the given tunnel * * @param multi The tunnel to return the username for * @param null Whether null may be returned. If not, "UNDEF" will be returned. */ const char *tls_username(const struct tls_multi *multi, const bool null); /** * Compares certificates hashes, returns true if hashes are equal. * * @param chs1 cert 1 hash set * @param chs2 cert 2 hash set */ bool cert_hash_compare(const struct cert_hash_set *chs1, const struct cert_hash_set *chs2); #ifdef ENABLE_PF /** * Retrieve the given tunnel's common name and its hash value. * * @param multi The tunnel to use * @param cn Common name's string * @param cn_hash Common name's hash value * * @return true if the common name was set, false otherwise. */ static inline bool tls_common_name_hash(const struct tls_multi *multi, const char **cn, uint32_t *cn_hash) { if (multi) { const struct tls_session *s = &multi->session[TM_ACTIVE]; if (s->common_name && s->common_name[0] != '\0') { *cn = s->common_name; *cn_hash = s->common_name_hashval; return true; } } return false; } #endif /** * Verify the given username and password, using either an external script, a * plugin, or the management interface. * * If authentication succeeds, the appropriate state is filled into the * session's primary key state's authenticated field. Authentication may also * be deferred, in which case the key state's auth_deferred field is filled in. * * @param up The username and password to verify. * @param multi The TLS multi structure to verify usernames against. * @param session The current TLS session * */ void verify_user_pass(struct user_pass *up, struct tls_multi *multi, struct tls_session *session); /** * Perform final authentication checks, including locking of the cn, the allowed * certificate hashes, and whether a client config entry exists in the * client config directory. * * @param multi The TLS multi structure to verify locked structures. * @param session The current TLS session * */ void verify_final_auth_checks(struct tls_multi *multi, struct tls_session *session); struct x509_track { const struct x509_track *next; const char *name; #define XT_FULL_CHAIN (1<<0) unsigned int flags; int nid; }; /* * Certificate checking for verify_nsCertType */ /** Do not perform Netscape certificate type verification */ #define NS_CERT_CHECK_NONE (0) /** Do not perform Netscape certificate type verification */ #define NS_CERT_CHECK_SERVER (1<<0) /** Do not perform Netscape certificate type verification */ #define NS_CERT_CHECK_CLIENT (1<<1) /** Require keyUsage to be present in cert (0xFFFF is an invalid KU value) */ #define OPENVPN_KU_REQUIRED (0xFFFF) /* * TODO: document */ #ifdef MANAGEMENT_DEF_AUTH bool tls_authenticate_key(struct tls_multi *multi, const unsigned int mda_key_id, const bool auth, const char *client_reason); void man_def_auth_set_client_reason(struct tls_multi *multi, const char *client_reason); #endif static inline const char * tls_client_reason(struct tls_multi *multi) { #ifdef ENABLE_DEF_AUTH return multi->client_reason; #else return NULL; #endif } /** Remove any X509_ env variables from env_set es */ void tls_x509_clear_env(struct env_set *es); #endif /* ENABLE_CRYPTO */ #endif /* SSL_VERIFY_H_ */ openvpn-2.4.4/src/openvpn/ssl_verify_backend.h000066400000000000000000000236751316434344000215060ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * Copyright (C) 2010-2017 Fox Crypto B.V. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ /** * @file Control Channel Verification Module library-specific backend interface */ #ifndef SSL_VERIFY_BACKEND_H_ #define SSL_VERIFY_BACKEND_H_ /** * Result of verification function */ typedef enum { SUCCESS = 0, FAILURE = 1 } result_t; /* * Backend support functions. * * The following functions are needed by the backend, but defined in the main * file. */ /* * Verify certificate for the given session. Performs OpenVPN-specific * verification. * * This function must be called for every certificate in the certificate * chain during the certificate verification stage of the handshake. * * @param session TLS Session associated with this tunnel * @param cert Certificate to process * @param cert_depth Depth of the current certificate * * @return \c SUCCESS if verification was successful, \c FAILURE on failure. */ result_t verify_cert(struct tls_session *session, openvpn_x509_cert_t *cert, int cert_depth); /* * Remember the given certificate hash, allowing the certificate chain to be * locked between sessions. * * Must be called for every certificate in the verification chain, whether it * is valid or not. * * @param session TLS Session associated with this tunnel * @param cert_depth Depth of the current certificate * @param cert_hash Hash of the current certificate */ void cert_hash_remember(struct tls_session *session, const int cert_depth, const struct buffer *cert_hash); /* * Library-specific functions. * * The following functions must be implemented on a library-specific basis. */ /* * Retrieve certificate's subject name. * * @param cert Certificate to retrieve the subject from. * @param gc Garbage collection arena to use when allocating string. * * @return a string containing the subject */ char *x509_get_subject(openvpn_x509_cert_t *cert, struct gc_arena *gc); /** * Retrieve the certificate's SHA1 fingerprint. * * @param cert Certificate to retrieve the fingerprint from. * @param gc Garbage collection arena to use when allocating string. * * @return a string containing the certificate fingerprint */ struct buffer x509_get_sha1_fingerprint(openvpn_x509_cert_t *cert, struct gc_arena *gc); /** * Retrieve the certificate's SHA256 fingerprint. * * @param cert Certificate to retrieve the fingerprint from. * @param gc Garbage collection arena to use when allocating string. * * @return a string containing the certificate fingerprint */ struct buffer x509_get_sha256_fingerprint(openvpn_x509_cert_t *cert, struct gc_arena *gc); /* * Retrieve the certificate's username from the specified field. * * If the field is prepended with ext: and ENABLE_X509ALTUSERNAME is enabled, * it will be loaded from an X.509 extension * * @param cn Buffer to return the common name in. * @param cn_len Length of the cn buffer. * @param x509_username_field Name of the field to load from * @param cert Certificate to retrieve the common name from. * * @return \c FAILURE, \c or SUCCESS */ result_t backend_x509_get_username(char *common_name, int cn_len, char *x509_username_field, openvpn_x509_cert_t *peer_cert); #ifdef ENABLE_X509ALTUSERNAME /** * Return true iff the supplied extension field is supported by the * --x509-username-field option. */ bool x509_username_field_ext_supported(const char *extname); #endif /* * Return the certificate's serial number in decimal string representation. * * The serial number is returned as a string, since it might be a bignum. * * @param cert Certificate to retrieve the serial number from. * @param gc Garbage collection arena to use when allocating string. * * @return String representation of the certificate's serial number * in decimal notation, or NULL on error. */ char *backend_x509_get_serial(openvpn_x509_cert_t *cert, struct gc_arena *gc); /* * Return the certificate's serial number in hex string representation. * * The serial number is returned as a string, since it might be a bignum. * * @param cert Certificate to retrieve the serial number from. * @param gc Garbage collection arena to use when allocating string. * * @return String representation of the certificate's serial number * in hex notation, or NULL on error. */ char *backend_x509_get_serial_hex(openvpn_x509_cert_t *cert, struct gc_arena *gc); /* * Save X509 fields to environment, using the naming convention: * * X509_{cert_depth}_{name}={value} * * @param es Environment set to save variables in * @param cert_depth Depth of the certificate * @param cert Certificate to set the environment for */ void x509_setenv(struct env_set *es, int cert_depth, openvpn_x509_cert_t *cert); /* * Start tracking the given attribute. * * The tracked attributes are stored in ll_head. * * @param ll_head The x509_track to store tracked atttributes in * @param name Name of the attribute to track * @param msglevel Message level for errors * @param gc Garbage collection arena for temp data * */ void x509_track_add(const struct x509_track **ll_head, const char *name, int msglevel, struct gc_arena *gc); /* * Save X509 fields to environment, using the naming convention: * * X509_{cert_depth}_{name}={value} * * This function differs from setenv_x509 below in the following ways: * * (1) Only explicitly named attributes in xt are saved, per usage * of --x509-track program options. * (2) Only the level 0 cert info is saved unless the XT_FULL_CHAIN * flag is set in xt->flags (corresponds with prepending a '+' * to the name when specified by --x509-track program option). * (3) This function supports both X509 subject name fields as * well as X509 V3 extensions. * * @param xt * @param es Environment set to save variables in * @param cert_depth Depth of the certificate * @param cert Certificate to set the environment for */ void x509_setenv_track(const struct x509_track *xt, struct env_set *es, const int depth, openvpn_x509_cert_t *x509); /* * Check X.509 Netscape certificate type field, if available. * * @param cert Certificate to check. * @param usage One of \c NS_CERT_CHECK_CLIENT, \c NS_CERT_CHECK_SERVER, * or \c NS_CERT_CHECK_NONE. * * @return \c SUCCESS if NS_CERT_CHECK_NONE or if the certificate has * the expected bit set. \c FAILURE if the certificate does * not have NS cert type verification or the wrong bit set. */ result_t x509_verify_ns_cert_type(openvpn_x509_cert_t *cert, const int usage); /* * Verify X.509 key usage extension field. * * @param cert Certificate to check. * @param expected_ku Array of valid key usage values * @param expected_len Length of the key usage array * * @return \c SUCCESS if one of the key usage values matches, \c FAILURE * if key usage is not enabled, or the values do not match. */ result_t x509_verify_cert_ku(openvpn_x509_cert_t *x509, const unsigned *const expected_ku, int expected_len); /* * Verify X.509 extended key usage extension field. * * @param cert Certificate to check. * @param expected_oid String representation of the expected Object ID. May be * either the string representation of the numeric OID * (e.g. \c "1.2.3.4", or the descriptive string matching * the OID. * * @return \c SUCCESS if one of the expected OID matches one of the * extended key usage fields, \c FAILURE if extended key * usage is not enabled, or the values do not match. */ result_t x509_verify_cert_eku(openvpn_x509_cert_t *x509, const char *const expected_oid); /* * Store the given certificate in pem format in a temporary file in tmp_dir * * @param cert Certificate to store * @param tmp_dir Temporary directory to store the directory * @param gc gc_arena to store temporary objects in * * */ result_t x509_write_pem(FILE *peercert_file, openvpn_x509_cert_t *peercert); /** * Return true iff a CRL is configured, but is not loaded. This can be caused * by e.g. a CRL parsing error, a missing CRL file or CRL file permission * errors. (These conditions are checked upon startup, but the CRL might be * updated and reloaded during runtime.) */ bool tls_verify_crl_missing(const struct tls_options *opt); #endif /* SSL_VERIFY_BACKEND_H_ */ openvpn-2.4.4/src/openvpn/ssl_verify_mbedtls.c000066400000000000000000000357741316434344000215470ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * Copyright (C) 2010-2017 Fox Crypto B.V. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ /** * @file Control Channel Verification Module mbed TLS backend */ #ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) #include "config-msvc.h" #endif #include "syshead.h" #if defined(ENABLE_CRYPTO) && defined(ENABLE_CRYPTO_MBEDTLS) #include "crypto_mbedtls.h" #include "ssl_verify.h" #include #include #include #include #include #define MAX_SUBJECT_LENGTH 256 int verify_callback(void *session_obj, mbedtls_x509_crt *cert, int cert_depth, uint32_t *flags) { struct tls_session *session = (struct tls_session *) session_obj; struct gc_arena gc = gc_new(); ASSERT(cert); ASSERT(session); session->verified = false; /* Remember certificate hash */ struct buffer cert_fingerprint = x509_get_sha256_fingerprint(cert, &gc); cert_hash_remember(session, cert_depth, &cert_fingerprint); /* did peer present cert which was signed by our root cert? */ if (*flags != 0) { int ret = 0; char errstr[512] = { 0 }; char *subject = x509_get_subject(cert, &gc); ret = mbedtls_x509_crt_verify_info(errstr, sizeof(errstr)-1, "", *flags); if (ret <= 0 && !openvpn_snprintf(errstr, sizeof(errstr), "Could not retrieve error string, flags=%" PRIx32, *flags)) { errstr[0] = '\0'; } else { chomp(errstr); } if (subject) { msg(D_TLS_ERRORS, "VERIFY ERROR: depth=%d, subject=%s: %s", cert_depth, subject, errstr); } else { msg(D_TLS_ERRORS, "VERIFY ERROR: depth=%d, (could not extract X509 " "subject string from certificate): %s", cert_depth, errstr); } /* Leave flags set to non-zero to indicate that the cert is not ok */ } else if (SUCCESS != verify_cert(session, cert, cert_depth)) { *flags |= MBEDTLS_X509_BADCERT_OTHER; } gc_free(&gc); /* * PolarSSL/mbed TLS-1.2.0+ expects 0 on anything except fatal errors. */ return 0; } #ifdef ENABLE_X509ALTUSERNAME #warning "X509 alt user name not yet supported for mbed TLS" #endif result_t backend_x509_get_username(char *cn, int cn_len, char *x509_username_field, mbedtls_x509_crt *cert) { mbedtls_x509_name *name; ASSERT( cn != NULL ); name = &cert->subject; /* Find common name */ while (name != NULL) { if (0 == memcmp(name->oid.p, MBEDTLS_OID_AT_CN, MBEDTLS_OID_SIZE(MBEDTLS_OID_AT_CN))) { break; } name = name->next; } /* Not found, return an error if this is the peer's certificate */ if (name == NULL) { return FAILURE; } /* Found, extract CN */ if (cn_len > name->val.len) { memcpy( cn, name->val.p, name->val.len ); cn[name->val.len] = '\0'; } else { memcpy( cn, name->val.p, cn_len); cn[cn_len-1] = '\0'; } return SUCCESS; } char * backend_x509_get_serial(mbedtls_x509_crt *cert, struct gc_arena *gc) { char *buf = NULL; size_t buflen = 0; mbedtls_mpi serial_mpi = { 0 }; /* Transform asn1 integer serial into mbed TLS MPI */ mbedtls_mpi_init(&serial_mpi); if (!mbed_ok(mbedtls_mpi_read_binary(&serial_mpi, cert->serial.p, cert->serial.len))) { msg(M_WARN, "Failed to retrieve serial from certificate."); goto end; } /* Determine decimal representation length, allocate buffer */ mbedtls_mpi_write_string(&serial_mpi, 10, NULL, 0, &buflen); buf = gc_malloc(buflen, true, gc); /* Write MPI serial as decimal string into buffer */ if (!mbed_ok(mbedtls_mpi_write_string(&serial_mpi, 10, buf, buflen, &buflen))) { msg(M_WARN, "Failed to write serial to string."); buf = NULL; goto end; } end: mbedtls_mpi_free(&serial_mpi); return buf; } char * backend_x509_get_serial_hex(mbedtls_x509_crt *cert, struct gc_arena *gc) { char *buf = NULL; size_t len = cert->serial.len * 3 + 1; buf = gc_malloc(len, true, gc); if (mbedtls_x509_serial_gets(buf, len-1, &cert->serial) < 0) { buf = NULL; } return buf; } static struct buffer x509_get_fingerprint(const mbedtls_md_info_t *md_info, mbedtls_x509_crt *cert, struct gc_arena *gc) { const size_t md_size = mbedtls_md_get_size(md_info); struct buffer fingerprint = alloc_buf_gc(md_size, gc); mbedtls_md(md_info, cert->raw.p, cert->raw.len, BPTR(&fingerprint)); ASSERT(buf_inc_len(&fingerprint, md_size)); return fingerprint; } struct buffer x509_get_sha1_fingerprint(mbedtls_x509_crt *cert, struct gc_arena *gc) { return x509_get_fingerprint(mbedtls_md_info_from_type(MBEDTLS_MD_SHA1), cert, gc); } struct buffer x509_get_sha256_fingerprint(mbedtls_x509_crt *cert, struct gc_arena *gc) { return x509_get_fingerprint(mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), cert, gc); } char * x509_get_subject(mbedtls_x509_crt *cert, struct gc_arena *gc) { char tmp_subject[MAX_SUBJECT_LENGTH] = {0}; char *subject = NULL; int ret = 0; ret = mbedtls_x509_dn_gets( tmp_subject, MAX_SUBJECT_LENGTH-1, &cert->subject ); if (ret > 0) { /* Allocate the required space for the subject */ subject = string_alloc(tmp_subject, gc); } return subject; } static void do_setenv_x509(struct env_set *es, const char *name, char *value, int depth) { char *name_expand; size_t name_expand_size; string_mod(value, CC_ANY, CC_CRLF, '?'); msg(D_X509_ATTR, "X509 ATTRIBUTE name='%s' value='%s' depth=%d", name, value, depth); name_expand_size = 64 + strlen(name); name_expand = (char *) malloc(name_expand_size); check_malloc_return(name_expand); openvpn_snprintf(name_expand, name_expand_size, "X509_%d_%s", depth, name); setenv_str(es, name_expand, value); free(name_expand); } static char * asn1_buf_to_c_string(const mbedtls_asn1_buf *orig, struct gc_arena *gc) { size_t i; char *val; if (!(orig->tag == MBEDTLS_ASN1_UTF8_STRING || orig->tag == MBEDTLS_ASN1_PRINTABLE_STRING || orig->tag == MBEDTLS_ASN1_IA5_STRING)) { /* Only support C-string compatible types */ return string_alloc("ERROR: unsupported ASN.1 string type", gc); } for (i = 0; i < orig->len; ++i) { if (orig->p[i] == '\0') { return string_alloc("ERROR: embedded null value", gc); } } val = gc_malloc(orig->len+1, false, gc); memcpy(val, orig->p, orig->len); val[orig->len] = '\0'; return val; } static void do_setenv_name(struct env_set *es, const struct x509_track *xt, const mbedtls_x509_crt *cert, int depth, struct gc_arena *gc) { const mbedtls_x509_name *xn; for (xn = &cert->subject; xn != NULL; xn = xn->next) { const char *xn_short_name = NULL; if (0 == mbedtls_oid_get_attr_short_name(&xn->oid, &xn_short_name) && 0 == strcmp(xt->name, xn_short_name)) { char *val_str = asn1_buf_to_c_string(&xn->val, gc); do_setenv_x509(es, xt->name, val_str, depth); } } } void x509_track_add(const struct x509_track **ll_head, const char *name, int msglevel, struct gc_arena *gc) { struct x509_track *xt; ALLOC_OBJ_CLEAR_GC(xt, struct x509_track, gc); if (*name == '+') { xt->flags |= XT_FULL_CHAIN; ++name; } xt->name = name; xt->next = *ll_head; *ll_head = xt; } void x509_setenv_track(const struct x509_track *xt, struct env_set *es, const int depth, mbedtls_x509_crt *cert) { struct gc_arena gc = gc_new(); while (xt) { if (depth == 0 || (xt->flags & XT_FULL_CHAIN)) { if (0 == strcmp(xt->name, "SHA1") || 0 == strcmp(xt->name, "SHA256")) { /* Fingerprint is not part of X509 structure */ struct buffer cert_hash; char *fingerprint; if (0 == strcmp(xt->name, "SHA1")) { cert_hash = x509_get_sha1_fingerprint(cert, &gc); } else { cert_hash = x509_get_sha256_fingerprint(cert, &gc); } fingerprint = format_hex_ex(BPTR(&cert_hash), BLEN(&cert_hash), 0, 1 | FHE_CAPS, ":", &gc); do_setenv_x509(es, xt->name, fingerprint, depth); } else { do_setenv_name(es, xt, cert, depth, &gc); } } xt = xt->next; } gc_free(&gc); } /* * Save X509 fields to environment, using the naming convention: * * X509_{cert_depth}_{name}={value} */ void x509_setenv(struct env_set *es, int cert_depth, mbedtls_x509_crt *cert) { int i; unsigned char c; const mbedtls_x509_name *name; char s[128] = { 0 }; name = &cert->subject; while (name != NULL) { char name_expand[64+8]; const char *shortname; if (0 == mbedtls_oid_get_attr_short_name(&name->oid, &shortname) ) { openvpn_snprintf(name_expand, sizeof(name_expand), "X509_%d_%s", cert_depth, shortname); } else { openvpn_snprintf(name_expand, sizeof(name_expand), "X509_%d_\?\?", cert_depth); } for (i = 0; i < name->val.len; i++) { if (i >= (int) sizeof( s ) - 1) { break; } c = name->val.p[i]; if (c < 32 || c == 127 || ( c > 128 && c < 160 ) ) { s[i] = '?'; } else { s[i] = c; } } s[i] = '\0'; /* Check both strings, set environment variable */ string_mod(name_expand, CC_PRINT, CC_CRLF, '_'); string_mod((char *)s, CC_PRINT, CC_CRLF, '_'); setenv_str_incr(es, name_expand, (char *)s); name = name->next; } } result_t x509_verify_ns_cert_type(mbedtls_x509_crt *cert, const int usage) { if (usage == NS_CERT_CHECK_NONE) { return SUCCESS; } if (usage == NS_CERT_CHECK_CLIENT) { return ((cert->ext_types & MBEDTLS_X509_EXT_NS_CERT_TYPE) && (cert->ns_cert_type & MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT)) ? SUCCESS : FAILURE; } if (usage == NS_CERT_CHECK_SERVER) { return ((cert->ext_types & MBEDTLS_X509_EXT_NS_CERT_TYPE) && (cert->ns_cert_type & MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER)) ? SUCCESS : FAILURE; } return FAILURE; } result_t x509_verify_cert_ku(mbedtls_x509_crt *cert, const unsigned *const expected_ku, int expected_len) { msg(D_HANDSHAKE, "Validating certificate key usage"); if (!(cert->ext_types & MBEDTLS_X509_EXT_KEY_USAGE)) { msg(D_TLS_ERRORS, "ERROR: Certificate does not have key usage extension"); return FAILURE; } if (expected_ku[0] == OPENVPN_KU_REQUIRED) { /* Extension required, value checked by TLS library */ return SUCCESS; } result_t fFound = FAILURE; for (size_t i = 0; SUCCESS != fFound && ikey_usage); for (size_t i = 0; i < expected_len && expected_ku[i]; i++) { msg(D_TLS_ERRORS, " * %04x", expected_ku[i]); } } return fFound; } result_t x509_verify_cert_eku(mbedtls_x509_crt *cert, const char *const expected_oid) { result_t fFound = FAILURE; if (!(cert->ext_types & MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE)) { msg(D_HANDSHAKE, "Certificate does not have extended key usage extension"); } else { mbedtls_x509_sequence *oid_seq = &(cert->ext_key_usage); msg(D_HANDSHAKE, "Validating certificate extended key usage"); while (oid_seq != NULL) { mbedtls_x509_buf *oid = &oid_seq->buf; char oid_num_str[1024]; const char *oid_str; if (0 == mbedtls_oid_get_extended_key_usage( oid, &oid_str )) { msg(D_HANDSHAKE, "++ Certificate has EKU (str) %s, expects %s", oid_str, expected_oid); if (!strcmp(expected_oid, oid_str)) { fFound = SUCCESS; break; } } if (0 < mbedtls_oid_get_numeric_string( oid_num_str, sizeof(oid_num_str), oid)) { msg(D_HANDSHAKE, "++ Certificate has EKU (oid) %s, expects %s", oid_num_str, expected_oid); if (!strcmp(expected_oid, oid_num_str)) { fFound = SUCCESS; break; } } oid_seq = oid_seq->next; } } return fFound; } result_t x509_write_pem(FILE *peercert_file, mbedtls_x509_crt *peercert) { msg(M_WARN, "mbed TLS does not support writing peer certificate in PEM format"); return FAILURE; } bool tls_verify_crl_missing(const struct tls_options *opt) { if (opt->crl_file && !(opt->ssl_flags & SSLF_CRL_VERIFY_DIR) && (opt->ssl_ctx.crl == NULL || opt->ssl_ctx.crl->version == 0)) { return true; } return false; } #endif /* #if defined(ENABLE_CRYPTO) && defined(ENABLE_CRYPTO_MBEDTLS) */ openvpn-2.4.4/src/openvpn/ssl_verify_mbedtls.h000066400000000000000000000062631316434344000215430ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * Copyright (C) 2010-2017 Fox Crypto B.V. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ /** * @file Control Channel Verification Module mbed TLS backend */ #ifndef SSL_VERIFY_MBEDTLS_H_ #define SSL_VERIFY_MBEDTLS_H_ #include "syshead.h" #include #ifndef __OPENVPN_X509_CERT_T_DECLARED #define __OPENVPN_X509_CERT_T_DECLARED typedef mbedtls_x509_crt openvpn_x509_cert_t; #endif /** @name Function for authenticating a new connection from a remote OpenVPN peer * @{ */ /** * Verify that the remote OpenVPN peer's certificate allows setting up a * VPN tunnel. * @ingroup control_tls * * This callback function is called when a new TLS session is being setup to * determine whether the remote OpenVPN peer's certificate is allowed to * connect. It is called for once for every certificate in the chain. The * callback functionality is configured in the \c init_ssl() function, which * calls the mbed TLS library's \c ssl_set_verify_callback() function with \c * verify_callback() as its callback argument. * * It checks *flags and registers the certificate hash. If these steps succeed, * it calls the \c verify_cert() function, which performs OpenVPN-specific * verification. * * @param session_obj - The OpenVPN \c tls_session associated with this object, * as set during SSL session setup. * @param cert - The certificate used by mbed TLS. * @param cert_depth - The depth of the current certificate in the chain, with * 0 being the actual certificate. * @param flags - Whether the remote OpenVPN peer's certificate * passed verification. A value of 0 means it * verified successfully, any other value means it * failed. \c verify_callback() is considered to have * ok'ed this certificate if flags is 0 when it returns. * * @return The return value is 0 unless a fatal error occurred. */ int verify_callback(void *session_obj, mbedtls_x509_crt *cert, int cert_depth, uint32_t *flags); /** @} name Function for authenticating a new connection from a remote OpenVPN peer */ #endif /* SSL_VERIFY_MBEDTLS_H_ */ openvpn-2.4.4/src/openvpn/ssl_verify_openssl.c000066400000000000000000000555031316434344000215700ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * Copyright (C) 2010-2017 Fox Crypto B.V. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ /** * @file Control Channel Verification Module OpenSSL implementation */ #ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) #include "config-msvc.h" #endif #include "syshead.h" #if defined(ENABLE_CRYPTO) && defined(ENABLE_CRYPTO_OPENSSL) #include "ssl_verify_openssl.h" #include "error.h" #include "ssl_openssl.h" #include "ssl_verify.h" #include "ssl_verify_backend.h" #include "openssl_compat.h" #include #include int verify_callback(int preverify_ok, X509_STORE_CTX *ctx) { int ret = 0; struct tls_session *session; SSL *ssl; struct gc_arena gc = gc_new(); /* get the tls_session pointer */ ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx()); ASSERT(ssl); session = (struct tls_session *) SSL_get_ex_data(ssl, mydata_index); ASSERT(session); X509 *current_cert = X509_STORE_CTX_get_current_cert(ctx); struct buffer cert_hash = x509_get_sha256_fingerprint(current_cert, &gc); cert_hash_remember(session, X509_STORE_CTX_get_error_depth(ctx), &cert_hash); /* did peer present cert which was signed by our root cert? */ if (!preverify_ok) { /* get the X509 name */ char *subject = x509_get_subject(current_cert, &gc); if (!subject) { subject = "(Failed to retrieve certificate subject)"; } /* Log and ignore missing CRL errors */ if (X509_STORE_CTX_get_error(ctx) == X509_V_ERR_UNABLE_TO_GET_CRL) { msg(D_TLS_DEBUG_LOW, "VERIFY WARNING: depth=%d, %s: %s", X509_STORE_CTX_get_error_depth(ctx), X509_verify_cert_error_string(X509_STORE_CTX_get_error(ctx)), subject); ret = 1; goto cleanup; } /* Remote site specified a certificate, but it's not correct */ msg(D_TLS_ERRORS, "VERIFY ERROR: depth=%d, error=%s: %s", X509_STORE_CTX_get_error_depth(ctx), X509_verify_cert_error_string(X509_STORE_CTX_get_error(ctx)), subject); ERR_clear_error(); session->verified = false; goto cleanup; } if (SUCCESS != verify_cert(session, current_cert, X509_STORE_CTX_get_error_depth(ctx))) { goto cleanup; } ret = 1; cleanup: gc_free(&gc); return ret; } #ifdef ENABLE_X509ALTUSERNAME bool x509_username_field_ext_supported(const char *fieldname) { int nid = OBJ_txt2nid(fieldname); return nid == NID_subject_alt_name || nid == NID_issuer_alt_name; } static bool extract_x509_extension(X509 *cert, char *fieldname, char *out, int size) { bool retval = false; char *buf = 0; if (!x509_username_field_ext_supported(fieldname)) { msg(D_TLS_ERRORS, "ERROR: --x509-username-field 'ext:%s' not supported", fieldname); return false; } int nid = OBJ_txt2nid(fieldname); GENERAL_NAMES *extensions = X509_get_ext_d2i(cert, nid, NULL, NULL); if (extensions) { int numalts; int i; /* get amount of alternatives, * RFC2459 claims there MUST be at least * one, but we don't depend on it... */ numalts = sk_GENERAL_NAME_num(extensions); /* loop through all alternatives */ for (i = 0; itype) { case GEN_EMAIL: if (ASN1_STRING_to_UTF8((unsigned char **)&buf, name->d.ia5) < 0) { continue; } if (strlen(buf) != name->d.ia5->length) { msg(D_TLS_ERRORS, "ASN1 ERROR: string contained terminating zero"); OPENSSL_free(buf); } else { strncpynt(out, buf, size); OPENSSL_free(buf); retval = true; } break; default: msg(D_TLS_DEBUG, "%s: ignoring general name field type %i", __func__, name->type); break; } } GENERAL_NAMES_free(extensions); } return retval; } #endif /* ENABLE_X509ALTUSERNAME */ /* * Extract a field from an X509 subject name. * * Example: * * /C=US/ST=CO/L=Denver/O=ORG/CN=First-CN/CN=Test-CA/Email=jim@yonan.net * * The common name is 'Test-CA' * * Return true on success, false on error (insufficient buffer size in 'out' * to contain result is grounds for error). */ static result_t extract_x509_field_ssl(X509_NAME *x509, const char *field_name, char *out, int size) { int lastpos = -1; int tmp = -1; X509_NAME_ENTRY *x509ne = NULL; ASN1_STRING *asn1 = NULL; unsigned char *buf = NULL; ASN1_OBJECT *field_name_obj = OBJ_txt2obj(field_name, 0); if (field_name_obj == NULL) { msg(D_TLS_ERRORS, "Invalid X509 attribute name '%s'", field_name); return FAILURE; } ASSERT(size > 0); *out = '\0'; do { lastpos = tmp; tmp = X509_NAME_get_index_by_OBJ(x509, field_name_obj, lastpos); } while (tmp > -1); ASN1_OBJECT_free(field_name_obj); /* Nothing found */ if (lastpos == -1) { return FAILURE; } x509ne = X509_NAME_get_entry(x509, lastpos); if (!x509ne) { return FAILURE; } asn1 = X509_NAME_ENTRY_get_data(x509ne); if (!asn1) { return FAILURE; } if (ASN1_STRING_to_UTF8(&buf, asn1) < 0) { return FAILURE; } strncpynt(out, (char *)buf, size); { const result_t ret = (strlen((char *)buf) < size) ? SUCCESS : FAILURE; OPENSSL_free(buf); return ret; } } result_t backend_x509_get_username(char *common_name, int cn_len, char *x509_username_field, X509 *peer_cert) { #ifdef ENABLE_X509ALTUSERNAME if (strncmp("ext:",x509_username_field,4) == 0) { if (!extract_x509_extension(peer_cert, x509_username_field+4, common_name, cn_len)) { return FAILURE; } } else #endif if (FAILURE == extract_x509_field_ssl(X509_get_subject_name(peer_cert), x509_username_field, common_name, cn_len)) { return FAILURE; } return SUCCESS; } char * backend_x509_get_serial(openvpn_x509_cert_t *cert, struct gc_arena *gc) { ASN1_INTEGER *asn1_i; BIGNUM *bignum; char *openssl_serial, *serial; asn1_i = X509_get_serialNumber(cert); bignum = ASN1_INTEGER_to_BN(asn1_i, NULL); openssl_serial = BN_bn2dec(bignum); serial = string_alloc(openssl_serial, gc); BN_free(bignum); OPENSSL_free(openssl_serial); return serial; } char * backend_x509_get_serial_hex(openvpn_x509_cert_t *cert, struct gc_arena *gc) { const ASN1_INTEGER *asn1_i = X509_get_serialNumber(cert); return format_hex_ex(asn1_i->data, asn1_i->length, 0, 1, ":", gc); } struct buffer x509_get_sha1_fingerprint(X509 *cert, struct gc_arena *gc) { const EVP_MD *sha1 = EVP_sha1(); struct buffer hash = alloc_buf_gc(EVP_MD_size(sha1), gc); X509_digest(cert, EVP_sha1(), BPTR(&hash), NULL); ASSERT(buf_inc_len(&hash, EVP_MD_size(sha1))); return hash; } struct buffer x509_get_sha256_fingerprint(X509 *cert, struct gc_arena *gc) { const EVP_MD *sha256 = EVP_sha256(); struct buffer hash = alloc_buf_gc(EVP_MD_size(sha256), gc); X509_digest(cert, EVP_sha256(), BPTR(&hash), NULL); ASSERT(buf_inc_len(&hash, EVP_MD_size(sha256))); return hash; } char * x509_get_subject(X509 *cert, struct gc_arena *gc) { BIO *subject_bio = NULL; BUF_MEM *subject_mem; char *subject = NULL; /* * Generate the subject string in OpenSSL proprietary format, * when in --compat-names mode */ if (compat_flag(COMPAT_FLAG_QUERY | COMPAT_NAMES)) { subject = gc_malloc(256, false, gc); X509_NAME_oneline(X509_get_subject_name(cert), subject, 256); subject[255] = '\0'; return subject; } subject_bio = BIO_new(BIO_s_mem()); if (subject_bio == NULL) { goto err; } X509_NAME_print_ex(subject_bio, X509_get_subject_name(cert), 0, XN_FLAG_SEP_CPLUS_SPC | XN_FLAG_FN_SN |ASN1_STRFLGS_UTF8_CONVERT | ASN1_STRFLGS_ESC_CTRL); if (BIO_eof(subject_bio)) { goto err; } BIO_get_mem_ptr(subject_bio, &subject_mem); subject = gc_malloc(subject_mem->length + 1, false, gc); memcpy(subject, subject_mem->data, subject_mem->length); subject[subject_mem->length] = '\0'; err: if (subject_bio) { BIO_free(subject_bio); } return subject; } /* * x509-track implementation -- save X509 fields to environment, * using the naming convention: * * X509_{cert_depth}_{name}={value} * * This function differs from x509_setenv below in the following ways: * * (1) Only explicitly named attributes in xt are saved, per usage * of "x509-track" program options. * (2) Only the level 0 cert info is saved unless the XT_FULL_CHAIN * flag is set in xt->flags (corresponds with prepending a '+' * to the name when specified by "x509-track" program option). * (3) This function supports both X509 subject name fields as * well as X509 V3 extensions. * (4) This function can return the SHA1 fingerprint of a cert, e.g. * x509-track "+SHA1" * will return the SHA1 fingerprint for each certificate in the * peer chain. */ void x509_track_add(const struct x509_track **ll_head, const char *name, int msglevel, struct gc_arena *gc) { struct x509_track *xt; ALLOC_OBJ_CLEAR_GC(xt, struct x509_track, gc); if (*name == '+') { xt->flags |= XT_FULL_CHAIN; ++name; } xt->name = name; xt->nid = OBJ_txt2nid(name); if (xt->nid != NID_undef) { xt->next = *ll_head; *ll_head = xt; } else { msg(msglevel, "x509_track: no such attribute '%s'", name); } } /* worker method for setenv_x509_track */ static void do_setenv_x509(struct env_set *es, const char *name, char *value, int depth) { char *name_expand; size_t name_expand_size; string_mod(value, CC_ANY, CC_CRLF, '?'); msg(D_X509_ATTR, "X509 ATTRIBUTE name='%s' value='%s' depth=%d", name, value, depth); name_expand_size = 64 + strlen(name); name_expand = (char *) malloc(name_expand_size); check_malloc_return(name_expand); openvpn_snprintf(name_expand, name_expand_size, "X509_%d_%s", depth, name); setenv_str(es, name_expand, value); free(name_expand); } void x509_setenv_track(const struct x509_track *xt, struct env_set *es, const int depth, X509 *x509) { struct gc_arena gc = gc_new(); X509_NAME *x509_name = X509_get_subject_name(x509); const char nullc = '\0'; while (xt) { if (depth == 0 || (xt->flags & XT_FULL_CHAIN)) { switch (xt->nid) { case NID_sha1: case NID_sha256: { struct buffer fp_buf; char *fp_str = NULL; if (xt->nid == NID_sha1) { fp_buf = x509_get_sha1_fingerprint(x509, &gc); } else { fp_buf = x509_get_sha256_fingerprint(x509, &gc); } fp_str = format_hex_ex(BPTR(&fp_buf), BLEN(&fp_buf), 0, 1 | FHE_CAPS, ":", &gc); do_setenv_x509(es, xt->name, fp_str, depth); } break; default: { int i = X509_NAME_get_index_by_NID(x509_name, xt->nid, -1); if (i >= 0) { X509_NAME_ENTRY *ent = X509_NAME_get_entry(x509_name, i); if (ent) { ASN1_STRING *val = X509_NAME_ENTRY_get_data(ent); unsigned char *buf; buf = (unsigned char *)1; /* bug in OpenSSL 0.9.6b ASN1_STRING_to_UTF8 requires this workaround */ if (ASN1_STRING_to_UTF8(&buf, val) >= 0) { do_setenv_x509(es, xt->name, (char *)buf, depth); OPENSSL_free(buf); } } } else { i = X509_get_ext_by_NID(x509, xt->nid, -1); if (i >= 0) { X509_EXTENSION *ext = X509_get_ext(x509, i); if (ext) { BIO *bio = BIO_new(BIO_s_mem()); if (bio) { if (X509V3_EXT_print(bio, ext, 0, 0)) { if (BIO_write(bio, &nullc, 1) == 1) { char *str; BIO_get_mem_data(bio, &str); do_setenv_x509(es, xt->name, str, depth); } } BIO_free(bio); } } } } } } } xt = xt->next; } gc_free(&gc); } /* * Save X509 fields to environment, using the naming convention: * * X509_{cert_depth}_{name}={value} */ void x509_setenv(struct env_set *es, int cert_depth, openvpn_x509_cert_t *peer_cert) { int i, n; int fn_nid; ASN1_OBJECT *fn; ASN1_STRING *val; X509_NAME_ENTRY *ent; const char *objbuf; unsigned char *buf; char *name_expand; size_t name_expand_size; X509_NAME *x509 = X509_get_subject_name(peer_cert); n = X509_NAME_entry_count(x509); for (i = 0; i < n; ++i) { ent = X509_NAME_get_entry(x509, i); if (!ent) { continue; } fn = X509_NAME_ENTRY_get_object(ent); if (!fn) { continue; } val = X509_NAME_ENTRY_get_data(ent); if (!val) { continue; } fn_nid = OBJ_obj2nid(fn); if (fn_nid == NID_undef) { continue; } objbuf = OBJ_nid2sn(fn_nid); if (!objbuf) { continue; } buf = (unsigned char *)1; /* bug in OpenSSL 0.9.6b ASN1_STRING_to_UTF8 requires this workaround */ if (ASN1_STRING_to_UTF8(&buf, val) < 0) { continue; } name_expand_size = 64 + strlen(objbuf); name_expand = (char *) malloc(name_expand_size); check_malloc_return(name_expand); openvpn_snprintf(name_expand, name_expand_size, "X509_%d_%s", cert_depth, objbuf); string_mod(name_expand, CC_PRINT, CC_CRLF, '_'); string_mod((char *)buf, CC_PRINT, CC_CRLF, '_'); setenv_str_incr(es, name_expand, (char *)buf); free(name_expand); OPENSSL_free(buf); } } result_t x509_verify_ns_cert_type(openvpn_x509_cert_t *peer_cert, const int usage) { if (usage == NS_CERT_CHECK_NONE) { return SUCCESS; } if (usage == NS_CERT_CHECK_CLIENT) { /* * Unfortunately, X509_check_purpose() does some weird thing that * prevent it to take a const argument */ result_t result = X509_check_purpose(peer_cert, X509_PURPOSE_SSL_CLIENT, 0) ? SUCCESS : FAILURE; /* * old versions of OpenSSL allow us to make the less strict check we used to * do. If this less strict check pass, warn user that this might not be the * case when its distribution will update to OpenSSL 1.1 */ if (result == FAILURE) { ASN1_BIT_STRING *ns; ns = X509_get_ext_d2i(peer_cert, NID_netscape_cert_type, NULL, NULL); result = (ns && ns->length > 0 && (ns->data[0] & NS_SSL_CLIENT)) ? SUCCESS : FAILURE; if (result == SUCCESS) { msg(M_WARN, "X509: Certificate is a client certificate yet it's purpose " "cannot be verified (check may fail in the future)"); } ASN1_BIT_STRING_free(ns); } return result; } if (usage == NS_CERT_CHECK_SERVER) { /* * Unfortunately, X509_check_purpose() does some weird thing that * prevent it to take a const argument */ result_t result = X509_check_purpose(peer_cert, X509_PURPOSE_SSL_SERVER, 0) ? SUCCESS : FAILURE; /* * old versions of OpenSSL allow us to make the less strict check we used to * do. If this less strict check pass, warn user that this might not be the * case when its distribution will update to OpenSSL 1.1 */ if (result == FAILURE) { ASN1_BIT_STRING *ns; ns = X509_get_ext_d2i(peer_cert, NID_netscape_cert_type, NULL, NULL); result = (ns && ns->length > 0 && (ns->data[0] & NS_SSL_SERVER)) ? SUCCESS : FAILURE; if (result == SUCCESS) { msg(M_WARN, "X509: Certificate is a server certificate yet it's purpose " "cannot be verified (check may fail in the future)"); } ASN1_BIT_STRING_free(ns); } return result; } return FAILURE; } result_t x509_verify_cert_ku(X509 *x509, const unsigned *const expected_ku, int expected_len) { ASN1_BIT_STRING *ku = X509_get_ext_d2i(x509, NID_key_usage, NULL, NULL); if (ku == NULL) { msg(D_TLS_ERRORS, "Certificate does not have key usage extension"); return FAILURE; } if (expected_ku[0] == OPENVPN_KU_REQUIRED) { /* Extension required, value checked by TLS library */ ASN1_BIT_STRING_free(ku); return SUCCESS; } unsigned nku = 0; for (size_t i = 0; i < 8; i++) { if (ASN1_BIT_STRING_get_bit(ku, i)) { nku |= 1 << (7 - i); } } /* * Fixup if no LSB bits */ if ((nku & 0xff) == 0) { nku >>= 8; } msg(D_HANDSHAKE, "Validating certificate key usage"); result_t fFound = FAILURE; for (size_t i = 0; fFound != SUCCESS && i < expected_len; i++) { if (expected_ku[i] != 0 && (nku & expected_ku[i]) == expected_ku[i]) { fFound = SUCCESS; } } if (fFound != SUCCESS) { msg(D_TLS_ERRORS, "ERROR: Certificate has key usage %04x, expected one of:", nku); for (size_t i = 0; i < expected_len && expected_ku[i]; i++) { msg(D_TLS_ERRORS, " * %04x", expected_ku[i]); } } ASN1_BIT_STRING_free(ku); return fFound; } result_t x509_verify_cert_eku(X509 *x509, const char *const expected_oid) { EXTENDED_KEY_USAGE *eku = NULL; result_t fFound = FAILURE; if ((eku = (EXTENDED_KEY_USAGE *) X509_get_ext_d2i(x509, NID_ext_key_usage, NULL, NULL)) == NULL) { msg(D_HANDSHAKE, "Certificate does not have extended key usage extension"); } else { int i; msg(D_HANDSHAKE, "Validating certificate extended key usage"); for (i = 0; SUCCESS != fFound && i < sk_ASN1_OBJECT_num(eku); i++) { ASN1_OBJECT *oid = sk_ASN1_OBJECT_value(eku, i); char szOid[1024]; if (SUCCESS != fFound && OBJ_obj2txt(szOid, sizeof(szOid), oid, 0) != -1) { msg(D_HANDSHAKE, "++ Certificate has EKU (str) %s, expects %s", szOid, expected_oid); if (!strcmp(expected_oid, szOid)) { fFound = SUCCESS; } } if (SUCCESS != fFound && OBJ_obj2txt(szOid, sizeof(szOid), oid, 1) != -1) { msg(D_HANDSHAKE, "++ Certificate has EKU (oid) %s, expects %s", szOid, expected_oid); if (!strcmp(expected_oid, szOid)) { fFound = SUCCESS; } } } } if (eku != NULL) { sk_ASN1_OBJECT_pop_free(eku, ASN1_OBJECT_free); } return fFound; } result_t x509_write_pem(FILE *peercert_file, X509 *peercert) { if (PEM_write_X509(peercert_file, peercert) < 0) { msg(M_ERR, "Failed to write peer certificate in PEM format"); return FAILURE; } return SUCCESS; } bool tls_verify_crl_missing(const struct tls_options *opt) { if (!opt->crl_file || (opt->ssl_flags & SSLF_CRL_VERIFY_DIR)) { return false; } X509_STORE *store = SSL_CTX_get_cert_store(opt->ssl_ctx.ctx); if (!store) { crypto_msg(M_FATAL, "Cannot get certificate store"); } STACK_OF(X509_OBJECT) *objs = X509_STORE_get0_objects(store); for (int i = 0; i < sk_X509_OBJECT_num(objs); i++) { X509_OBJECT *obj = sk_X509_OBJECT_value(objs, i); ASSERT(obj); if (X509_OBJECT_get_type(obj) == X509_LU_CRL) { return false; } } return true; } #endif /* defined(ENABLE_CRYPTO) && defined(ENABLE_CRYPTO_OPENSSL) */ openvpn-2.4.4/src/openvpn/ssl_verify_openssl.h000066400000000000000000000057221316434344000215730ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * Copyright (C) 2010-2017 Fox Crypto B.V. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ /** * @file Control Channel Verification Module OpenSSL backend */ #ifndef SSL_VERIFY_OPENSSL_H_ #define SSL_VERIFY_OPENSSL_H_ #include #ifndef __OPENVPN_X509_CERT_T_DECLARED #define __OPENVPN_X509_CERT_T_DECLARED typedef X509 openvpn_x509_cert_t; #endif /** @name Function for authenticating a new connection from a remote OpenVPN peer * @{ */ /** * Verify that the remote OpenVPN peer's certificate allows setting up a * VPN tunnel. * @ingroup control_tls * * This callback function is called every time a new TLS session is being * setup to determine whether the remote OpenVPN peer's certificate is * allowed to connect. It is called for once for every certificate in the chain. * The callback functionality is configured in the \c init_ssl() function, which * calls the OpenSSL library's \c SSL_CTX_set_verify() function with \c * verify_callback() as its callback argument. * * It checks preverify_ok, and registers the certificate hash. If these steps * succeed, it calls the \c verify_cert() function, which performs * OpenVPN-specific verification. * * @param preverify_ok - Whether the remote OpenVPN peer's certificate * past verification. A value of 1 means it * verified successfully, 0 means it failed. * @param ctx - The complete context used by the OpenSSL library * to verify the certificate chain. * * @return The return value indicates whether the supplied certificate is * allowed to set up a VPN tunnel. The following values can be * returned: * - \c 0: failure, this certificate is not allowed to connect. * - \c 1: success, this certificate is allowed to connect. */ int verify_callback(int preverify_ok, X509_STORE_CTX *ctx); /** @} name Function for authenticating a new connection from a remote OpenVPN peer */ #endif /* SSL_VERIFY_OPENSSL_H_ */ openvpn-2.4.4/src/openvpn/status.c000066400000000000000000000175571316434344000171720ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) #include "config-msvc.h" #endif #include "syshead.h" #include "status.h" #include "perf.h" #include "misc.h" #include "fdmisc.h" #include "memdbg.h" /* * printf-style interface for outputting status info */ static const char * print_status_mode(unsigned int flags) { switch (flags) { case STATUS_OUTPUT_WRITE: return "WRITE"; case STATUS_OUTPUT_READ: return "READ"; case STATUS_OUTPUT_READ|STATUS_OUTPUT_WRITE: return "READ/WRITE"; default: return "UNDEF"; } } struct status_output * status_open(const char *filename, const int refresh_freq, const int msglevel, const struct virtual_output *vout, const unsigned int flags) { struct status_output *so = NULL; if (filename || msglevel >= 0 || vout) { ALLOC_OBJ_CLEAR(so, struct status_output); so->flags = flags; so->msglevel = msglevel; so->vout = vout; so->fd = -1; buf_reset(&so->read_buf); event_timeout_clear(&so->et); if (filename) { switch (so->flags) { case STATUS_OUTPUT_WRITE: so->fd = platform_open(filename, O_CREAT | O_TRUNC | O_WRONLY, S_IRUSR | S_IWUSR); break; case STATUS_OUTPUT_READ: so->fd = platform_open(filename, O_RDONLY, S_IRUSR | S_IWUSR); break; case STATUS_OUTPUT_READ|STATUS_OUTPUT_WRITE: so->fd = platform_open(filename, O_CREAT | O_RDWR, S_IRUSR | S_IWUSR); break; default: ASSERT(0); } if (so->fd >= 0) { so->filename = string_alloc(filename, NULL); set_cloexec(so->fd); /* allocate read buffer */ if (so->flags & STATUS_OUTPUT_READ) { so->read_buf = alloc_buf(512); } } else { msg(M_WARN, "Note: cannot open %s for %s", filename, print_status_mode(so->flags)); so->errors = true; } } else { so->flags = STATUS_OUTPUT_WRITE; } if ((so->flags & STATUS_OUTPUT_WRITE) && refresh_freq > 0) { event_timeout_init(&so->et, refresh_freq, 0); } } return so; } bool status_trigger(struct status_output *so) { if (so) { struct timeval null; CLEAR(null); return event_timeout_trigger(&so->et, &null, ETT_DEFAULT); } else { return false; } } bool status_trigger_tv(struct status_output *so, struct timeval *tv) { if (so) { return event_timeout_trigger(&so->et, tv, ETT_DEFAULT); } else { return false; } } void status_reset(struct status_output *so) { if (so && so->fd >= 0) { lseek(so->fd, (off_t)0, SEEK_SET); } } void status_flush(struct status_output *so) { if (so && so->fd >= 0 && (so->flags & STATUS_OUTPUT_WRITE)) { #if defined(HAVE_FTRUNCATE) { const off_t off = lseek(so->fd, (off_t)0, SEEK_CUR); if (ftruncate(so->fd, off) != 0) { msg(M_WARN | M_ERRNO, "Failed to truncate status file"); } } #elif defined(HAVE_CHSIZE) { const long off = (long) lseek(so->fd, (off_t)0, SEEK_CUR); chsize(so->fd, off); } #else /* if defined(HAVE_FTRUNCATE) */ #warning both ftruncate and chsize functions appear to be missing from this OS #endif /* clear read buffer */ if (buf_defined(&so->read_buf)) { ASSERT(buf_init(&so->read_buf, 0)); } } } /* return false if error occurred */ bool status_close(struct status_output *so) { bool ret = true; if (so) { if (so->errors) { ret = false; } if (so->fd >= 0) { if (close(so->fd) < 0) { ret = false; } } if (so->filename) { free(so->filename); } if (buf_defined(&so->read_buf)) { free_buf(&so->read_buf); } free(so); } else { ret = false; } return ret; } #define STATUS_PRINTF_MAXLEN 512 void status_printf(struct status_output *so, const char *format, ...) { if (so && (so->flags & STATUS_OUTPUT_WRITE)) { char buf[STATUS_PRINTF_MAXLEN+2]; /* leave extra bytes for CR, LF */ va_list arglist; int stat; va_start(arglist, format); stat = vsnprintf(buf, STATUS_PRINTF_MAXLEN, format, arglist); va_end(arglist); buf[STATUS_PRINTF_MAXLEN - 1] = 0; if (stat < 0 || stat >= STATUS_PRINTF_MAXLEN) { so->errors = true; } if (so->msglevel >= 0 && !so->errors) { msg(so->msglevel, "%s", buf); } if (so->fd >= 0 && !so->errors) { int len; strcat(buf, "\n"); len = strlen(buf); if (len > 0) { if (write(so->fd, buf, len) != len) { so->errors = true; } } } if (so->vout && !so->errors) { chomp(buf); (*so->vout->func)(so->vout->arg, so->vout->flags_default, buf); } } } bool status_read(struct status_output *so, struct buffer *buf) { bool ret = false; if (so && so->fd >= 0 && (so->flags & STATUS_OUTPUT_READ)) { ASSERT(buf_defined(&so->read_buf)); ASSERT(buf_defined(buf)); while (true) { const int c = buf_read_u8(&so->read_buf); /* read more of file into buffer */ if (c == -1) { int len; ASSERT(buf_init(&so->read_buf, 0)); len = read(so->fd, BPTR(&so->read_buf), BCAP(&so->read_buf)); if (len <= 0) { break; } ASSERT(buf_inc_len(&so->read_buf, len)); continue; } ret = true; if (c == '\r') { continue; } if (c == '\n') { break; } buf_write_u8(buf, c); } buf_null_terminate(buf); } return ret; } openvpn-2.4.4/src/openvpn/status.h000066400000000000000000000054521316434344000171660ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifndef STATUS_H #define STATUS_H #include "interval.h" /* * virtual function interface for status output */ struct virtual_output { void *arg; unsigned int flags_default; void (*func) (void *arg, const unsigned int flags, const char *str); }; static inline void virtual_output_print(const struct virtual_output *vo, const unsigned int flags, const char *str) { (*vo->func)(vo->arg, flags, str); } /* * printf-style interface for inputting/outputting status info */ struct status_output { #define STATUS_OUTPUT_READ (1<<0) #define STATUS_OUTPUT_WRITE (1<<1) unsigned int flags; char *filename; int fd; int msglevel; const struct virtual_output *vout; struct buffer read_buf; struct event_timeout et; bool errors; }; struct status_output *status_open(const char *filename, const int refresh_freq, const int msglevel, const struct virtual_output *vout, const unsigned int flags); bool status_trigger_tv(struct status_output *so, struct timeval *tv); bool status_trigger(struct status_output *so); void status_reset(struct status_output *so); void status_flush(struct status_output *so); bool status_close(struct status_output *so); void status_printf(struct status_output *so, const char *format, ...) #ifdef __GNUC__ #if __USE_MINGW_ANSI_STDIO __attribute__ ((format(gnu_printf, 2, 3))) #else __attribute__ ((format(__printf__, 2, 3))) #endif #endif ; bool status_read(struct status_output *so, struct buffer *buf); static inline unsigned int status_rw_flags(const struct status_output *so) { if (so) { return so->flags; } else { return 0; } } #endif /* ifndef STATUS_H */ openvpn-2.4.4/src/openvpn/syshead.h000066400000000000000000000320121316434344000172730ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifndef SYSHEAD_H #define SYSHEAD_H #include "compat.h" #include /* branch prediction hints */ #if defined(__GNUC__) #define likely(x) __builtin_expect((x),1) #define unlikely(x) __builtin_expect((x),0) #else #define likely(x) (x) #define unlikely(x) (x) #endif #ifdef _WIN32 #include #include #define sleep(x) Sleep((x)*1000) #define random rand #define srandom srand #endif #ifdef _MSC_VER /* Visual Studio */ #define __func__ __FUNCTION__ #define __attribute__(x) #endif #if defined(__APPLE__) #if __ENVIRONMENT_MAC_OS_X_VERSION_MIN_REQUIRED__ >= 1070 #define __APPLE_USE_RFC_3542 1 #endif #endif #ifdef HAVE_SYS_TYPES_H #include #endif #ifdef HAVE_SYS_WAIT_H #include #endif #ifndef _WIN32 #ifndef WEXITSTATUS #define WEXITSTATUS(stat_val) ((unsigned)(stat_val) >> 8) #endif #ifndef WIFEXITED #define WIFEXITED(stat_val) (((stat_val) & 255) == 0) #endif #endif #ifdef HAVE_SYS_TIME_H #include #endif #ifdef HAVE_TIME_H #include #endif #ifdef HAVE_SYS_SOCKET_H #include #endif #ifdef HAVE_SYS_UN_H #include #endif #ifdef HAVE_SYS_IOCTL_H #include #endif #ifdef HAVE_SYS_STAT_H #include #endif #ifdef HAVE_FCNTL_H #include #endif #ifdef HAVE_DIRECT_H #include #endif #ifdef HAVE_IO_H #include #endif #ifdef HAVE_SYS_FILE_H #include #endif #ifdef HAVE_STDLIB_H #include #endif #ifdef HAVE_INTTYPES_H #include #elif defined(HAVE_STDINT_H) #include #endif #ifdef HAVE_STDARG_H #include #endif #ifdef HAVE_UNISTD_H #include #endif #ifdef HAVE_SIGNAL_H #include #endif #ifdef HAVE_LIMITS_H #include #endif #ifdef HAVE_STDIO_H #include #endif #ifdef HAVE_CTYPE_H #include #endif #ifdef HAVE_ERRNO_H #include #endif #ifdef HAVE_ERR_H #include #endif #ifdef HAVE_SYSLOG_H #include #endif #ifdef HAVE_PWD_H #include #endif #ifdef HAVE_GRP_H #include #endif #ifdef HAVE_NETDB_H #include #endif #ifdef HAVE_NETINET_IN_H #include #endif #ifdef HAVE_RESOLV_H #include #endif #ifdef HAVE_SYS_POLL_H #include #endif #ifdef HAVE_SYS_EPOLL_H #include #endif #ifdef ENABLE_SELINUX #include #endif #if defined(HAVE_LIBGEN_H) #include #endif #ifdef TARGET_SOLARIS #ifdef HAVE_STRINGS_H #include #endif #else #ifdef HAVE_STRING_H #include #endif #endif #ifdef HAVE_ARPA_INET_H #include #endif #ifdef HAVE_NET_IF_H #include #endif #ifdef TARGET_NETBSD #include #endif #if defined(TARGET_LINUX) || defined (TARGET_ANDROID) #ifdef HAVE_LINUX_IF_TUN_H #include #endif #ifdef HAVE_NETINET_IP_H #include #endif #ifdef HAVE_LINUX_SOCKIOS_H #include #endif #ifdef HAVE_LINUX_TYPES_H #include #endif #ifdef HAVE_LINUX_ERRQUEUE_H #include #endif #ifdef HAVE_NETINET_TCP_H #include #endif #endif /* TARGET_LINUX */ #ifdef TARGET_SOLARIS #ifdef HAVE_STROPTS_H #include #undef S_ERROR #endif #ifdef HAVE_NET_IF_TUN_H #include #endif #ifdef HAVE_SYS_SOCKIO_H #include #endif #ifdef HAVE_NETINET_IN_SYSTM_H #include #endif #ifdef HAVE_NETINET_IP_H #include #endif #ifdef HAVE_NETINET_TCP_H #include #endif #endif /* TARGET_SOLARIS */ #ifdef TARGET_OPENBSD #ifdef HAVE_SYS_UIO_H #include #endif #ifdef HAVE_NETINET_IN_SYSTM_H #include #endif #ifdef HAVE_NETINET_IP_H #include #endif #ifdef HAVE_NETINET_TCP_H #include #endif #ifdef HAVE_NET_IF_TUN_H #include #endif #endif /* TARGET_OPENBSD */ #ifdef TARGET_FREEBSD #ifdef HAVE_SYS_UIO_H #include #endif #ifdef HAVE_NETINET_IN_SYSTM_H #include #endif #ifdef HAVE_NETINET_IP_H #include #endif #ifdef HAVE_NETINET_TCP_H #include #endif #ifdef HAVE_NET_IF_TUN_H #include #endif #endif /* TARGET_FREEBSD */ #ifdef TARGET_NETBSD #ifdef HAVE_NET_IF_TUN_H #include #endif #ifdef HAVE_NETINET_TCP_H #include #endif #endif /* TARGET_NETBSD */ #ifdef TARGET_DRAGONFLY #ifdef HAVE_SYS_UIO_H #include #endif #ifdef HAVE_NETINET_IN_SYSTM_H #include #endif #ifdef HAVE_NETINET_IP_H #include #endif #ifdef HAVE_NET_TUN_IF_TUN_H #include #endif #endif /* TARGET_DRAGONFLY */ #ifdef TARGET_DARWIN #ifdef HAVE_NETINET_TCP_H #include #endif #endif /* TARGET_DARWIN */ #ifdef _WIN32 /* Missing declarations for MinGW 32. */ /* #if !defined(__MINGW64_VERSION_MAJOR) || __MINGW64_VERSION_MAJOR < 2 */ typedef int MIB_TCP_STATE; /* #endif */ #include #include #include #include #include /* The following two headers are needed of PF_INET6 */ #include #include #endif #ifdef HAVE_SYS_MMAN_H #ifdef TARGET_DARWIN #define _P1003_1B_VISIBLE #endif /* TARGET_DARWIN */ #include #endif /* * Pedantic mode is meant to accomplish lint-style program checking, * not to build a working executable. */ #ifdef PEDANTIC #undef HAVE_CPP_VARARG_MACRO_GCC #undef HAVE_CPP_VARARG_MACRO_ISO #undef EMPTY_ARRAY_SIZE #define EMPTY_ARRAY_SIZE 1 #undef inline #define inline #endif /* * Do we have the capability to support the --passtos option? */ #if defined(IPPROTO_IP) && defined(IP_TOS) && defined(HAVE_SETSOCKOPT) #define PASSTOS_CAPABILITY 1 #else #define PASSTOS_CAPABILITY 0 #endif /* * Do we have nanoseconds gettimeofday? */ #if defined(HAVE_GETTIMEOFDAY) || defined(_WIN32) #define HAVE_GETTIMEOFDAY_NANOSECONDS 1 #endif /* * Do we have the capability to report extended socket errors? */ #if defined(HAVE_LINUX_TYPES_H) && defined(HAVE_LINUX_ERRQUEUE_H) && defined(HAVE_SOCK_EXTENDED_ERR) && defined(HAVE_MSGHDR) && defined(HAVE_CMSGHDR) && defined(CMSG_FIRSTHDR) && defined(CMSG_NXTHDR) && defined(IP_RECVERR) && defined(MSG_ERRQUEUE) && defined(SOL_IP) && defined(HAVE_IOVEC) #define EXTENDED_SOCKET_ERROR_CAPABILITY 1 #else #define EXTENDED_SOCKET_ERROR_CAPABILITY 0 #endif /* * Does this platform support linux-style IP_PKTINFO * or bsd-style IP_RECVDSTADDR ? */ #if defined(ENABLE_MULTIHOME) && ((defined(HAVE_IN_PKTINFO) && defined(IP_PKTINFO)) || defined(IP_RECVDSTADDR)) && defined(HAVE_MSGHDR) && defined(HAVE_CMSGHDR) && defined(HAVE_IOVEC) && defined(CMSG_FIRSTHDR) && defined(CMSG_NXTHDR) && defined(HAVE_RECVMSG) && defined(HAVE_SENDMSG) #define ENABLE_IP_PKTINFO 1 #else #define ENABLE_IP_PKTINFO 0 #endif /* * Does this platform define SOL_IP * or only bsd-style IPPROTO_IP ? */ #ifndef SOL_IP #define SOL_IP IPPROTO_IP #endif /* * Define type sa_family_t if it isn't defined in the socket headers */ #ifndef HAVE_SA_FAMILY_T typedef unsigned short sa_family_t; #endif /* * Disable ESEC */ #if 0 #undef EXTENDED_SOCKET_ERROR_CAPABILITY #define EXTENDED_SOCKET_ERROR_CAPABILITY 0 #endif /* * Do we have a syslog capability? */ #if defined(HAVE_OPENLOG) && defined(HAVE_SYSLOG) #define SYSLOG_CAPABILITY 1 #else #define SYSLOG_CAPABILITY 0 #endif /* * Does this OS draw a distinction between binary and ascii files? */ #ifndef O_BINARY #define O_BINARY 0 #endif /* * Directory separation char */ #ifdef _WIN32 #define OS_SPECIFIC_DIRSEP '\\' #else #define OS_SPECIFIC_DIRSEP '/' #endif /* * Our socket descriptor type. */ #ifdef _WIN32 #define SOCKET_UNDEFINED (INVALID_SOCKET) typedef SOCKET socket_descriptor_t; #else #define SOCKET_UNDEFINED (-1) typedef int socket_descriptor_t; #endif static inline int socket_defined(const socket_descriptor_t sd) { return sd != SOCKET_UNDEFINED; } /* * Should statistics counters be 64 bits? */ #define USE_64_BIT_COUNTERS /* * Should we enable the use of execve() for calling subprocesses, * instead of system()? */ #if defined(HAVE_EXECVE) && defined(HAVE_FORK) #define ENABLE_FEATURE_EXECVE #endif /* * Do we have point-to-multipoint capability? */ #if defined(ENABLE_CRYPTO) && defined(HAVE_GETTIMEOFDAY_NANOSECONDS) #define P2MP 1 #else #define P2MP 0 #endif #if P2MP && !defined(ENABLE_CLIENT_ONLY) #define P2MP_SERVER 1 #else #define P2MP_SERVER 0 #endif /* * HTTPS port sharing capability */ #if defined(ENABLE_PORT_SHARE) && P2MP_SERVER && defined(SCM_RIGHTS) && defined(HAVE_MSGHDR) && defined(HAVE_CMSGHDR) && defined(HAVE_IOVEC) && defined(CMSG_FIRSTHDR) && defined(CMSG_NXTHDR) && defined(HAVE_RECVMSG) && defined(HAVE_SENDMSG) #define PORT_SHARE 1 #else #define PORT_SHARE 0 #endif /* * Enable deferred authentication? */ #if defined(ENABLE_DEF_AUTH) && P2MP_SERVER && defined(ENABLE_PLUGIN) #define PLUGIN_DEF_AUTH #endif #if defined(ENABLE_DEF_AUTH) && P2MP_SERVER && defined(ENABLE_MANAGEMENT) #define MANAGEMENT_DEF_AUTH #endif #if !defined(PLUGIN_DEF_AUTH) && !defined(MANAGEMENT_DEF_AUTH) #undef ENABLE_DEF_AUTH #endif /* * Enable external private key */ #if defined(ENABLE_MANAGEMENT) && defined(ENABLE_CRYPTO) #define MANAGMENT_EXTERNAL_KEY #endif /* Enable mbed TLS RNG prediction resistance support */ #ifdef ENABLE_CRYPTO_MBEDTLS #define ENABLE_PREDICTION_RESISTANCE #endif /* ENABLE_CRYPTO_MBEDTLS */ /* * MANAGEMENT_IN_EXTRA allows the management interface to * read multi-line inputs from clients. */ #if defined(MANAGEMENT_DEF_AUTH) || defined(MANAGMENT_EXTERNAL_KEY) #define MANAGEMENT_IN_EXTRA #endif /* * Enable packet filter? */ #if defined(ENABLE_PF) && P2MP_SERVER && defined(ENABLE_PLUGIN) && defined(HAVE_STAT) #define PLUGIN_PF #endif #if defined(ENABLE_PF) && P2MP_SERVER && defined(MANAGEMENT_DEF_AUTH) #define MANAGEMENT_PF #endif #if !defined(PLUGIN_PF) && !defined(MANAGEMENT_PF) #undef ENABLE_PF #endif /* * Do we support Unix domain sockets? */ #if defined(PF_UNIX) && !defined(_WIN32) #define UNIX_SOCK_SUPPORT 1 #else #define UNIX_SOCK_SUPPORT 0 #endif /* * Should we include OCC (options consistency check) code? */ #define ENABLE_OCC /* * Should we include NTLM proxy functionality */ #if defined(ENABLE_CRYPTO) #define NTLM 1 #else #define NTLM 0 #endif /* * Should we include proxy digest auth functionality */ #if defined(ENABLE_CRYPTO) #define PROXY_DIGEST_AUTH 1 #else #define PROXY_DIGEST_AUTH 0 #endif /* * Do we have CryptoAPI capability? */ #if defined(_WIN32) && defined(ENABLE_CRYPTO) && defined(ENABLE_CRYPTO_OPENSSL) #define ENABLE_CRYPTOAPI #endif /* * Is poll available on this platform? */ #if defined(HAVE_POLL) && defined(HAVE_SYS_POLL_H) #define POLL 1 #else #define POLL 0 #endif /* * Is epoll available on this platform? */ #if defined(HAVE_EPOLL_CREATE) && defined(HAVE_SYS_EPOLL_H) #define EPOLL 1 #else #define EPOLL 0 #endif /* Disable EPOLL */ #if 0 #undef EPOLL #define EPOLL 0 #endif /* * Reduce sensitivity to system clock instability * and backtracks. */ #if defined(HAVE_GETTIMEOFDAY_NANOSECONDS) #define TIME_BACKTRACK_PROTECTION 1 #endif /* * Enable traffic shaper. */ #if defined(HAVE_GETTIMEOFDAY_NANOSECONDS) #define ENABLE_FEATURE_SHAPER 1 #endif /* * Is non-blocking connect() supported? */ #if defined(HAVE_GETSOCKOPT) && defined(SOL_SOCKET) && defined(SO_ERROR) && defined(EINPROGRESS) && defined(ETIMEDOUT) #define CONNECT_NONBLOCK #endif /* * Do we have the capability to support the AUTO_USERID feature? */ #if defined(ENABLE_AUTO_USERID) #define AUTO_USERID 1 #else #define AUTO_USERID 0 #endif /* * Do we support challenge/response authentication as client? */ #if defined(ENABLE_MANAGEMENT) #define ENABLE_CLIENT_CR #endif /* * Do we support pushing peer info? */ #if defined(ENABLE_CRYPTO) #define ENABLE_PUSH_PEER_INFO #endif /* * Compression support */ #if defined(ENABLE_LZO) || defined(ENABLE_LZ4) \ || defined(ENABLE_COMP_STUB) #define USE_COMP #endif /* * Enable --memstats option */ #ifdef TARGET_LINUX #define ENABLE_MEMSTATS #endif #endif /* ifndef SYSHEAD_H */ openvpn-2.4.4/src/openvpn/tls_crypt.c000066400000000000000000000176121316434344000176620ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2016-2017 Fox Crypto B.V. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) #include "config-msvc.h" #endif #include "syshead.h" #ifdef ENABLE_CRYPTO #include "crypto.h" #include "session_id.h" #include "tls_crypt.h" static struct key_type tls_crypt_kt(void) { struct key_type kt; kt.cipher = cipher_kt_get("AES-256-CTR"); kt.digest = md_kt_get("SHA256"); if (!kt.cipher) { msg(M_WARN, "ERROR: --tls-crypt requires AES-256-CTR support."); return (struct key_type) { 0 }; } if (!kt.digest) { msg(M_WARN, "ERROR: --tls-crypt requires HMAC-SHA-256 support."); return (struct key_type) { 0 }; } kt.cipher_length = cipher_kt_key_size(kt.cipher); kt.hmac_length = md_kt_size(kt.digest); return kt; } int tls_crypt_buf_overhead(void) { return packet_id_size(true) + TLS_CRYPT_TAG_SIZE + TLS_CRYPT_BLOCK_SIZE; } void tls_crypt_init_key(struct key_ctx_bi *key, const char *key_file, const char *key_inline, bool tls_server) { const int key_direction = tls_server ? KEY_DIRECTION_NORMAL : KEY_DIRECTION_INVERSE; struct key_type kt = tls_crypt_kt(); if (!kt.cipher || !kt.digest) { msg (M_FATAL, "ERROR: --tls-crypt not supported"); } crypto_read_openvpn_key(&kt, key, key_file, key_inline, key_direction, "Control Channel Encryption", "tls-crypt"); } void tls_crypt_adjust_frame_parameters(struct frame *frame) { frame_add_to_extra_frame(frame, tls_crypt_buf_overhead()); msg(D_MTU_DEBUG, "%s: Adjusting frame parameters for tls-crypt by %i bytes", __func__, tls_crypt_buf_overhead()); } bool tls_crypt_wrap(const struct buffer *src, struct buffer *dst, struct crypto_options *opt) { const struct key_ctx *ctx = &opt->key_ctx_bi.encrypt; struct gc_arena gc; /* IV, packet-ID and implicit IV required for this mode. */ ASSERT(ctx->cipher); ASSERT(ctx->hmac); ASSERT(packet_id_initialized(&opt->packet_id)); ASSERT(hmac_ctx_size(ctx->hmac) == 256/8); gc_init(&gc); dmsg(D_PACKET_CONTENT, "TLS-CRYPT WRAP FROM: %s", format_hex(BPTR(src), BLEN(src), 80, &gc)); /* Get packet ID */ if (!packet_id_write(&opt->packet_id.send, dst, true, false)) { msg(D_CRYPT_ERRORS, "TLS-CRYPT ERROR: packet ID roll over."); goto err; } dmsg(D_PACKET_CONTENT, "TLS-CRYPT WRAP AD: %s", format_hex(BPTR(dst), BLEN(dst), 0, &gc)); /* Buffer overflow check */ if (!buf_safe(dst, BLEN(src) + TLS_CRYPT_BLOCK_SIZE + TLS_CRYPT_TAG_SIZE)) { msg(D_CRYPT_ERRORS, "TLS-CRYPT WRAP: buffer size error, " "sc=%d so=%d sl=%d dc=%d do=%d dl=%d", src->capacity, src->offset, src->len, dst->capacity, dst->offset, dst->len); goto err; } /* Calculate auth tag and synthetic IV */ { uint8_t *tag = NULL; hmac_ctx_reset(ctx->hmac); hmac_ctx_update(ctx->hmac, BPTR(dst), BLEN(dst)); hmac_ctx_update(ctx->hmac, BPTR(src), BLEN(src)); ASSERT(tag = buf_write_alloc(dst, TLS_CRYPT_TAG_SIZE)); hmac_ctx_final(ctx->hmac, tag); dmsg(D_PACKET_CONTENT, "TLS-CRYPT WRAP TAG: %s", format_hex(tag, TLS_CRYPT_TAG_SIZE, 0, &gc)); /* Use the 128 most significant bits of the tag as IV */ ASSERT(cipher_ctx_reset(ctx->cipher, tag)); } /* Encrypt src */ { int outlen = 0; ASSERT(cipher_ctx_update(ctx->cipher, BEND(dst), &outlen, BPTR(src), BLEN(src))); ASSERT(buf_inc_len(dst, outlen)); ASSERT(cipher_ctx_final(ctx->cipher, BPTR(dst), &outlen)); ASSERT(buf_inc_len(dst, outlen)); } dmsg(D_PACKET_CONTENT, "TLS-CRYPT WRAP TO: %s", format_hex(BPTR(dst), BLEN(dst), 80, &gc)); gc_free(&gc); return true; err: crypto_clear_error(); dst->len = 0; gc_free(&gc); return false; } bool tls_crypt_unwrap(const struct buffer *src, struct buffer *dst, struct crypto_options *opt) { static const char error_prefix[] = "tls-crypt unwrap error"; const struct key_ctx *ctx = &opt->key_ctx_bi.decrypt; struct gc_arena gc; gc_init(&gc); ASSERT(opt); ASSERT(src->len > 0); ASSERT(ctx->cipher); ASSERT(packet_id_initialized(&opt->packet_id) || (opt->flags & CO_IGNORE_PACKET_ID)); dmsg(D_PACKET_CONTENT, "TLS-CRYPT UNWRAP FROM: %s", format_hex(BPTR(src), BLEN(src), 80, &gc)); if (buf_len(src) < TLS_CRYPT_OFF_CT) { CRYPT_ERROR("packet too short"); } /* Decrypt cipher text */ { int outlen = 0; /* Buffer overflow check (should never fail) */ if (!buf_safe(dst, BLEN(src) - TLS_CRYPT_OFF_CT + TLS_CRYPT_BLOCK_SIZE)) { CRYPT_ERROR("potential buffer overflow"); } if (!cipher_ctx_reset(ctx->cipher, BPTR(src) + TLS_CRYPT_OFF_TAG)) { CRYPT_ERROR("cipher reset failed"); } if (!cipher_ctx_update(ctx->cipher, BPTR(dst), &outlen, BPTR(src) + TLS_CRYPT_OFF_CT, BLEN(src) - TLS_CRYPT_OFF_CT)) { CRYPT_ERROR("cipher update failed"); } ASSERT(buf_inc_len(dst, outlen)); if (!cipher_ctx_final(ctx->cipher, BPTR(dst), &outlen)) { CRYPT_ERROR("cipher final failed"); } ASSERT(buf_inc_len(dst, outlen)); } /* Check authentication */ { const uint8_t *tag = BPTR(src) + TLS_CRYPT_OFF_TAG; uint8_t tag_check[TLS_CRYPT_TAG_SIZE] = { 0 }; dmsg(D_PACKET_CONTENT, "TLS-CRYPT UNWRAP AD: %s", format_hex(BPTR(src), TLS_CRYPT_OFF_TAG, 0, &gc)); dmsg(D_PACKET_CONTENT, "TLS-CRYPT UNWRAP TO: %s", format_hex(BPTR(dst), BLEN(dst), 80, &gc)); hmac_ctx_reset(ctx->hmac); hmac_ctx_update(ctx->hmac, BPTR(src), TLS_CRYPT_OFF_TAG); hmac_ctx_update(ctx->hmac, BPTR(dst), BLEN(dst)); hmac_ctx_final(ctx->hmac, tag_check); if (memcmp_constant_time(tag, tag_check, sizeof(tag_check))) { dmsg(D_CRYPTO_DEBUG, "tag : %s", format_hex(tag, sizeof(tag_check), 0, &gc)); dmsg(D_CRYPTO_DEBUG, "tag_check: %s", format_hex(tag_check, sizeof(tag_check), 0, &gc)); CRYPT_ERROR("packet authentication failed"); } } /* Check replay */ if (!(opt->flags & CO_IGNORE_PACKET_ID)) { struct packet_id_net pin; struct buffer tmp = *src; ASSERT(buf_advance(&tmp, TLS_CRYPT_OFF_PID)); ASSERT(packet_id_read(&pin, &tmp, true)); if (!crypto_check_replay(opt, &pin, error_prefix, &gc)) { CRYPT_ERROR("packet replay"); } } gc_free(&gc); return true; error_exit: crypto_clear_error(); dst->len = 0; gc_free(&gc); return false; } #endif /* EMABLE_CRYPTO */ openvpn-2.4.4/src/openvpn/tls_crypt.h000066400000000000000000000116721316434344000176670ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2016-2017 Fox Crypto B.V. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ /** * @defgroup tls_crypt Control channel encryption (--tls-crypt) * @ingroup control_tls * @{ * * @par * Control channel encryption uses a pre-shared static key (like the --tls-auth * key) to encrypt control channel packets. * * @par * Encrypting control channel packets has three main advantages: * - It provides more privacy by hiding the certificate used for the TLS * connection. * - It is harder to identify OpenVPN traffic as such. * - It provides "poor-man's" post-quantum security, against attackers who * will never know the pre-shared key (i.e. no forward secrecy). * * @par Specification * Control channel encryption is based on the SIV construction [0], to achieve * nonce misuse-resistant authenticated encryption: * * @par * \code{.unparsed} * msg = control channel plaintext * header = opcode (1 byte) || session_id (8 bytes) || packet_id (8 bytes) * Ka = authentication key (256 bits) * Ke = encryption key (256 bits) * (Ka and Ke are pre-shared keys, like with --tls-auth) * * auth_tag = HMAC-SHA256(Ka, header || msg) * IV = 128 most-significant bits of auth_tag * ciph = AES256-CTR(Ke, IV, msg) * * output = Header || Tag || Ciph * \endcode * * @par * This boils down to the following on-the-wire packet format: * * @par * \code{.unparsed} * - opcode - || - session_id - || - packet_id - || auth_tag || * payload * * \endcode * * @par * Where * - XXX - means authenticated, and * * XXX * means authenticated and encrypted. */ #ifndef TLSCRYPT_H #define TLSCRYPT_H #ifdef ENABLE_CRYPTO #include "buffer.h" #include "crypto.h" #include "session_id.h" #define TLS_CRYPT_TAG_SIZE (256/8) #define TLS_CRYPT_PID_SIZE (sizeof(packet_id_type) + sizeof(net_time_t)) #define TLS_CRYPT_BLOCK_SIZE (128/8) #define TLS_CRYPT_OFF_PID (1 + SID_SIZE) #define TLS_CRYPT_OFF_TAG (TLS_CRYPT_OFF_PID + TLS_CRYPT_PID_SIZE) #define TLS_CRYPT_OFF_CT (TLS_CRYPT_OFF_TAG + TLS_CRYPT_TAG_SIZE) /** * Initialize a key_ctx_bi structure for use with --tls-crypt. * * @param key The key context to initialize * @param key_file The file to read the key from (or the inline tag to * indicate and inline key). * @param key_inline Array containing (zero-terminated) inline key, or NULL * if not used. * @param tls_server Must be set to true is this is a TLS server instance. */ void tls_crypt_init_key(struct key_ctx_bi *key, const char *key_file, const char *key_inline, bool tls_server); /** * Returns the maximum overhead (in bytes) added to the destination buffer by * tls_crypt_wrap(). */ int tls_crypt_buf_overhead(void); /** * Adjust frame parameters for --tls-crypt overhead. */ void tls_crypt_adjust_frame_parameters(struct frame *frame); /** * Wrap a control channel packet (both authenticates and encrypts the data). * * @param src Data to authenticate and encrypt. * @param dst Any data present in this buffer is first authenticated, then * the wrapped packet id and data from the src buffer are appended. * Must have at least tls_crypt_buf_overhead()+BLEN(src) headroom. * @param opt The crypto state for this --tls-crypt instance. * * @returns true iff wrapping succeeded. */ bool tls_crypt_wrap(const struct buffer *src, struct buffer *dst, struct crypto_options *opt); /** * Unwrap a control channel packet (decrypts, authenticates and performs * replay checks). * * @param src Data to decrypt and authenticate. * @param dst Returns the decrypted data, if unwrapping was successful. * @param opt The crypto state for this --tls-crypt instance. * * @returns true iff unwrapping succeeded (data authenticated correctly and was * no replay). */ bool tls_crypt_unwrap(const struct buffer *src, struct buffer *dst, struct crypto_options *opt); /** @} */ #endif /* ENABLE_CRYPTO */ #endif /* TLSCRYPT_H */ openvpn-2.4.4/src/openvpn/tun.c000066400000000000000000005373641316434344000164600ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ /* * Support routines for configuring and accessing TUN/TAP * virtual network adapters. * * This file is based on the TUN/TAP driver interface routines * from VTun by Maxim Krasnyansky . */ #ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) #include "config-msvc.h" #endif #include "syshead.h" #include "tun.h" #include "fdmisc.h" #include "common.h" #include "misc.h" #include "socket.h" #include "manage.h" #include "route.h" #include "win32.h" #include "memdbg.h" #ifdef _WIN32 #include "openvpn-msg.h" #endif #include #ifdef _WIN32 /* #define SIMULATE_DHCP_FAILED */ /* simulate bad DHCP negotiation */ #define NI_TEST_FIRST (1<<0) #define NI_IP_NETMASK (1<<1) #define NI_OPTIONS (1<<2) static void netsh_ifconfig(const struct tuntap_options *to, const char *flex_name, const in_addr_t ip, const in_addr_t netmask, const unsigned int flags); static void netsh_set_dns6_servers(const struct in6_addr *addr_list, const int addr_len, const char *flex_name); static void netsh_command(const struct argv *a, int n, int msglevel); static const char *netsh_get_id(const char *dev_node, struct gc_arena *gc); static DWORD get_adapter_index_flexible(const char *name); static bool do_address_service(const bool add, const short family, const struct tuntap *tt) { DWORD len; bool ret = false; ack_message_t ack; struct gc_arena gc = gc_new(); HANDLE pipe = tt->options.msg_channel; address_message_t addr = { .header = { (add ? msg_add_address : msg_del_address), sizeof(address_message_t), 0 }, .family = family, .iface = { .index = tt->adapter_index, .name = "" } }; if (addr.iface.index == TUN_ADAPTER_INDEX_INVALID) { strncpy(addr.iface.name, tt->actual_name, sizeof(addr.iface.name)); addr.iface.name[sizeof(addr.iface.name) - 1] = '\0'; } if (addr.family == AF_INET) { addr.address.ipv4.s_addr = tt->local; addr.prefix_len = 32; } else { addr.address.ipv6 = tt->local_ipv6; addr.prefix_len = tt->netbits_ipv6; } if (!WriteFile(pipe, &addr, sizeof(addr), &len, NULL) || !ReadFile(pipe, &ack, sizeof(ack), &len, NULL)) { msg(M_WARN, "TUN: could not talk to service: %s [%lu]", strerror_win32(GetLastError(), &gc), GetLastError()); goto out; } if (ack.error_number != NO_ERROR) { msg(M_WARN, "TUN: %s address failed using service: %s [status=%u if_index=%lu]", (add ? "adding" : "deleting"), strerror_win32(ack.error_number, &gc), ack.error_number, addr.iface.index); goto out; } ret = true; out: gc_free(&gc); return ret; } static bool do_dns6_service(bool add, const struct tuntap *tt) { DWORD len; bool ret = false; ack_message_t ack; struct gc_arena gc = gc_new(); HANDLE pipe = tt->options.msg_channel; int addr_len = add ? tt->options.dns6_len : 0; if (addr_len == 0 && add) /* no addresses to add */ { return true; } dns_cfg_message_t dns = { .header = { (add ? msg_add_dns_cfg : msg_del_dns_cfg), sizeof(dns_cfg_message_t), 0 }, .iface = { .index = tt->adapter_index, .name = "" }, .domains = "", .family = AF_INET6, .addr_len = addr_len }; /* interface name is required */ strncpy(dns.iface.name, tt->actual_name, sizeof(dns.iface.name)); dns.iface.name[sizeof(dns.iface.name) - 1] = '\0'; if (addr_len > _countof(dns.addr)) { addr_len = _countof(dns.addr); dns.addr_len = addr_len; msg(M_WARN, "Number of IPv6 DNS addresses sent to service truncated to %d", addr_len); } for (int i = 0; i < addr_len; ++i) { dns.addr[i].ipv6 = tt->options.dns6[i]; } msg(D_LOW, "%s IPv6 dns servers on '%s' (if_index = %d) using service", (add ? "Setting" : "Deleting"), dns.iface.name, dns.iface.index); if (!WriteFile(pipe, &dns, sizeof(dns), &len, NULL) || !ReadFile(pipe, &ack, sizeof(ack), &len, NULL)) { msg(M_WARN, "TUN: could not talk to service: %s [%lu]", strerror_win32(GetLastError(), &gc), GetLastError()); goto out; } if (ack.error_number != NO_ERROR) { msg(M_WARN, "TUN: %s IPv6 dns failed using service: %s [status=%u if_name=%s]", (add ? "adding" : "deleting"), strerror_win32(ack.error_number, &gc), ack.error_number, dns.iface.name); goto out; } msg(M_INFO, "IPv6 dns servers %s using service", (add ? "set" : "deleted")); ret = true; out: gc_free(&gc); return ret; } #endif /* ifdef _WIN32 */ #ifdef TARGET_SOLARIS static void solaris_error_close(struct tuntap *tt, const struct env_set *es, const char *actual, bool unplumb_inet6); #include #endif #if defined(TARGET_DARWIN) && HAVE_NET_IF_UTUN_H #include #include #include #endif static void clear_tuntap(struct tuntap *tuntap); bool is_dev_type(const char *dev, const char *dev_type, const char *match_type) { ASSERT(match_type); if (!dev) { return false; } if (dev_type) { return !strcmp(dev_type, match_type); } else { return !strncmp(dev, match_type, strlen(match_type)); } } int dev_type_enum(const char *dev, const char *dev_type) { if (is_dev_type(dev, dev_type, "tun")) { return DEV_TYPE_TUN; } else if (is_dev_type(dev, dev_type, "tap")) { return DEV_TYPE_TAP; } else if (is_dev_type(dev, dev_type, "null")) { return DEV_TYPE_NULL; } else { return DEV_TYPE_UNDEF; } } const char * dev_type_string(const char *dev, const char *dev_type) { switch (dev_type_enum(dev, dev_type)) { case DEV_TYPE_TUN: return "tun"; case DEV_TYPE_TAP: return "tap"; case DEV_TYPE_NULL: return "null"; default: return "[unknown-dev-type]"; } } /* * Try to predict the actual TUN/TAP device instance name, * before the device is actually opened. */ const char * guess_tuntap_dev(const char *dev, const char *dev_type, const char *dev_node, struct gc_arena *gc) { #ifdef _WIN32 const int dt = dev_type_enum(dev, dev_type); if (dt == DEV_TYPE_TUN || dt == DEV_TYPE_TAP) { return netsh_get_id(dev_node, gc); } #endif /* default case */ return dev; } /* --ifconfig-nowarn disables some options sanity checking */ static const char ifconfig_warn_how_to_silence[] = "(silence this warning with --ifconfig-nowarn)"; /* * If !tun, make sure ifconfig_remote_netmask looks * like a netmask. * * If tun, make sure ifconfig_remote_netmask looks * like an IPv4 address. */ static void ifconfig_sanity_check(bool tun, in_addr_t addr, int topology) { struct gc_arena gc = gc_new(); const bool looks_like_netmask = ((addr & 0xFF000000) == 0xFF000000); if (tun) { if (looks_like_netmask && (topology == TOP_NET30 || topology == TOP_P2P)) { msg(M_WARN, "WARNING: Since you are using --dev tun with a point-to-point topology, the second argument to --ifconfig must be an IP address. You are using something (%s) that looks more like a netmask. %s", print_in_addr_t(addr, 0, &gc), ifconfig_warn_how_to_silence); } } else /* tap */ { if (!looks_like_netmask) { msg(M_WARN, "WARNING: Since you are using --dev tap, the second argument to --ifconfig must be a netmask, for example something like 255.255.255.0. %s", ifconfig_warn_how_to_silence); } } gc_free(&gc); } /* * For TAP-style devices, generate a broadcast address. */ static in_addr_t generate_ifconfig_broadcast_addr(in_addr_t local, in_addr_t netmask) { return local | ~netmask; } /* * Check that --local and --remote addresses do not * clash with ifconfig addresses or subnet. */ static void check_addr_clash(const char *name, int type, in_addr_t public, in_addr_t local, in_addr_t remote_netmask) { struct gc_arena gc = gc_new(); #if 0 msg(M_INFO, "CHECK_ADDR_CLASH type=%d public=%s local=%s, remote_netmask=%s", type, print_in_addr_t(public, 0, &gc), print_in_addr_t(local, 0, &gc), print_in_addr_t(remote_netmask, 0, &gc)); #endif if (public) { if (type == DEV_TYPE_TUN) { const in_addr_t test_netmask = 0xFFFFFF00; const in_addr_t public_net = public & test_netmask; const in_addr_t local_net = local & test_netmask; const in_addr_t remote_net = remote_netmask & test_netmask; if (public == local || public == remote_netmask) { msg(M_WARN, "WARNING: --%s address [%s] conflicts with --ifconfig address pair [%s, %s]. %s", name, print_in_addr_t(public, 0, &gc), print_in_addr_t(local, 0, &gc), print_in_addr_t(remote_netmask, 0, &gc), ifconfig_warn_how_to_silence); } if (public_net == local_net || public_net == remote_net) { msg(M_WARN, "WARNING: potential conflict between --%s address [%s] and --ifconfig address pair [%s, %s] -- this is a warning only that is triggered when local/remote addresses exist within the same /24 subnet as --ifconfig endpoints. %s", name, print_in_addr_t(public, 0, &gc), print_in_addr_t(local, 0, &gc), print_in_addr_t(remote_netmask, 0, &gc), ifconfig_warn_how_to_silence); } } else if (type == DEV_TYPE_TAP) { const in_addr_t public_network = public & remote_netmask; const in_addr_t virtual_network = local & remote_netmask; if (public_network == virtual_network) { msg(M_WARN, "WARNING: --%s address [%s] conflicts with --ifconfig subnet [%s, %s] -- local and remote addresses cannot be inside of the --ifconfig subnet. %s", name, print_in_addr_t(public, 0, &gc), print_in_addr_t(local, 0, &gc), print_in_addr_t(remote_netmask, 0, &gc), ifconfig_warn_how_to_silence); } } } gc_free(&gc); } /* * Issue a warning if ip/netmask (on the virtual IP network) conflicts with * the settings on the local LAN. This is designed to flag issues where * (for example) the OpenVPN server LAN is running on 192.168.1.x, but then * an OpenVPN client tries to connect from a public location that is also running * off of a router set to 192.168.1.x. */ void check_subnet_conflict(const in_addr_t ip, const in_addr_t netmask, const char *prefix) { #if 0 /* too many false positives */ struct gc_arena gc = gc_new(); in_addr_t lan_gw = 0; in_addr_t lan_netmask = 0; if (get_default_gateway(&lan_gw, &lan_netmask) && lan_netmask) { const in_addr_t lan_network = lan_gw & lan_netmask; const in_addr_t network = ip & netmask; /* do the two subnets defined by network/netmask and lan_network/lan_netmask intersect? */ if ((network & lan_netmask) == lan_network || (lan_network & netmask) == network) { msg(M_WARN, "WARNING: potential %s subnet conflict between local LAN [%s/%s] and remote VPN [%s/%s]", prefix, print_in_addr_t(lan_network, 0, &gc), print_in_addr_t(lan_netmask, 0, &gc), print_in_addr_t(network, 0, &gc), print_in_addr_t(netmask, 0, &gc)); } } gc_free(&gc); #endif /* if 0 */ } void warn_on_use_of_common_subnets(void) { struct gc_arena gc = gc_new(); struct route_gateway_info rgi; const int needed = (RGI_ADDR_DEFINED|RGI_NETMASK_DEFINED); get_default_gateway(&rgi); if ((rgi.flags & needed) == needed) { const in_addr_t lan_network = rgi.gateway.addr & rgi.gateway.netmask; if (lan_network == 0xC0A80000 || lan_network == 0xC0A80100) { msg(M_WARN, "NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet."); } } gc_free(&gc); } /* * Return a string to be used for options compatibility check * between peers. */ const char * ifconfig_options_string(const struct tuntap *tt, bool remote, bool disable, struct gc_arena *gc) { struct buffer out = alloc_buf_gc(256, gc); if (tt->did_ifconfig_setup && !disable) { if (tt->type == DEV_TYPE_TAP || (tt->type == DEV_TYPE_TUN && tt->topology == TOP_SUBNET)) { buf_printf(&out, "%s %s", print_in_addr_t(tt->local & tt->remote_netmask, 0, gc), print_in_addr_t(tt->remote_netmask, 0, gc)); } else if (tt->type == DEV_TYPE_TUN) { const char *l, *r; if (remote) { r = print_in_addr_t(tt->local, 0, gc); l = print_in_addr_t(tt->remote_netmask, 0, gc); } else { l = print_in_addr_t(tt->local, 0, gc); r = print_in_addr_t(tt->remote_netmask, 0, gc); } buf_printf(&out, "%s %s", r, l); } else { buf_printf(&out, "[undef]"); } } return BSTR(&out); } /* * Return a status string describing wait state. */ const char * tun_stat(const struct tuntap *tt, unsigned int rwflags, struct gc_arena *gc) { struct buffer out = alloc_buf_gc(64, gc); if (tt) { if (rwflags & EVENT_READ) { buf_printf(&out, "T%s", (tt->rwflags_debug & EVENT_READ) ? "R" : "r"); #ifdef _WIN32 buf_printf(&out, "%s", overlapped_io_state_ascii(&tt->reads)); #endif } if (rwflags & EVENT_WRITE) { buf_printf(&out, "T%s", (tt->rwflags_debug & EVENT_WRITE) ? "W" : "w"); #ifdef _WIN32 buf_printf(&out, "%s", overlapped_io_state_ascii(&tt->writes)); #endif } } else { buf_printf(&out, "T?"); } return BSTR(&out); } /* * Return true for point-to-point topology, false for subnet topology */ bool is_tun_p2p(const struct tuntap *tt) { bool tun = false; if (tt->type == DEV_TYPE_TAP || (tt->type == DEV_TYPE_TUN && tt->topology == TOP_SUBNET) || tt->type == DEV_TYPE_NULL ) { tun = false; } else if (tt->type == DEV_TYPE_TUN) { tun = true; } else { msg(M_FATAL, "Error: problem with tun vs. tap setting"); /* JYFIXME -- needs to be caught earlier, in init_tun? */ } return tun; } /* * Set the ifconfig_* environment variables, both for IPv4 and IPv6 */ void do_ifconfig_setenv(const struct tuntap *tt, struct env_set *es) { struct gc_arena gc = gc_new(); const char *ifconfig_local = print_in_addr_t(tt->local, 0, &gc); const char *ifconfig_remote_netmask = print_in_addr_t(tt->remote_netmask, 0, &gc); /* * Set environmental variables with ifconfig parameters. */ if (tt->did_ifconfig_setup) { bool tun = is_tun_p2p(tt); setenv_str(es, "ifconfig_local", ifconfig_local); if (tun) { setenv_str(es, "ifconfig_remote", ifconfig_remote_netmask); } else { const char *ifconfig_broadcast = print_in_addr_t(tt->broadcast, 0, &gc); setenv_str(es, "ifconfig_netmask", ifconfig_remote_netmask); setenv_str(es, "ifconfig_broadcast", ifconfig_broadcast); } } if (tt->did_ifconfig_ipv6_setup) { const char *ifconfig_ipv6_local = print_in6_addr(tt->local_ipv6, 0, &gc); const char *ifconfig_ipv6_remote = print_in6_addr(tt->remote_ipv6, 0, &gc); setenv_str(es, "ifconfig_ipv6_local", ifconfig_ipv6_local); setenv_int(es, "ifconfig_ipv6_netbits", tt->netbits_ipv6); setenv_str(es, "ifconfig_ipv6_remote", ifconfig_ipv6_remote); } gc_free(&gc); } /* * Init tun/tap object. * * Set up tuntap structure for ifconfig, * but don't execute yet. */ struct tuntap * init_tun(const char *dev, /* --dev option */ const char *dev_type, /* --dev-type option */ int topology, /* one of the TOP_x values */ const char *ifconfig_local_parm, /* --ifconfig parm 1 */ const char *ifconfig_remote_netmask_parm, /* --ifconfig parm 2 */ const char *ifconfig_ipv6_local_parm, /* --ifconfig parm 1 IPv6 */ int ifconfig_ipv6_netbits_parm, const char *ifconfig_ipv6_remote_parm, /* --ifconfig parm 2 IPv6 */ struct addrinfo *local_public, struct addrinfo *remote_public, const bool strict_warn, struct env_set *es) { struct gc_arena gc = gc_new(); struct tuntap *tt; ALLOC_OBJ(tt, struct tuntap); clear_tuntap(tt); tt->type = dev_type_enum(dev, dev_type); tt->topology = topology; if (ifconfig_local_parm && ifconfig_remote_netmask_parm) { bool tun = false; /* * We only handle TUN/TAP devices here, not --dev null devices. */ tun = is_tun_p2p(tt); /* * Convert arguments to binary IPv4 addresses. */ tt->local = getaddr( GETADDR_RESOLVE | GETADDR_HOST_ORDER | GETADDR_FATAL_ON_SIGNAL | GETADDR_FATAL, ifconfig_local_parm, 0, NULL, NULL); tt->remote_netmask = getaddr( (tun ? GETADDR_RESOLVE : 0) | GETADDR_HOST_ORDER | GETADDR_FATAL_ON_SIGNAL | GETADDR_FATAL, ifconfig_remote_netmask_parm, 0, NULL, NULL); /* * Look for common errors in --ifconfig parms */ if (strict_warn) { struct addrinfo *curele; ifconfig_sanity_check(tt->type == DEV_TYPE_TUN, tt->remote_netmask, tt->topology); /* * If local_public or remote_public addresses are defined, * make sure they do not clash with our virtual subnet. */ for (curele = local_public; curele; curele = curele->ai_next) { if (curele->ai_family == AF_INET) { check_addr_clash("local", tt->type, ((struct sockaddr_in *)curele->ai_addr)->sin_addr.s_addr, tt->local, tt->remote_netmask); } } for (curele = remote_public; curele; curele = curele->ai_next) { if (curele->ai_family == AF_INET) { check_addr_clash("remote", tt->type, ((struct sockaddr_in *)curele->ai_addr)->sin_addr.s_addr, tt->local, tt->remote_netmask); } } if (tt->type == DEV_TYPE_TAP || (tt->type == DEV_TYPE_TUN && tt->topology == TOP_SUBNET)) { check_subnet_conflict(tt->local, tt->remote_netmask, "TUN/TAP adapter"); } else if (tt->type == DEV_TYPE_TUN) { check_subnet_conflict(tt->local, IPV4_NETMASK_HOST, "TUN/TAP adapter"); } } /* * If TAP-style interface, generate broadcast address. */ if (!tun) { tt->broadcast = generate_ifconfig_broadcast_addr(tt->local, tt->remote_netmask); } #ifdef _WIN32 /* * Make sure that both ifconfig addresses are part of the * same .252 subnet. */ if (tun) { verify_255_255_255_252(tt->local, tt->remote_netmask); tt->adapter_netmask = ~3; } else { tt->adapter_netmask = tt->remote_netmask; } #endif tt->did_ifconfig_setup = true; } if (ifconfig_ipv6_local_parm && ifconfig_ipv6_remote_parm) { /* * Convert arguments to binary IPv6 addresses. */ if (inet_pton( AF_INET6, ifconfig_ipv6_local_parm, &tt->local_ipv6 ) != 1 || inet_pton( AF_INET6, ifconfig_ipv6_remote_parm, &tt->remote_ipv6 ) != 1) { msg( M_FATAL, "init_tun: problem converting IPv6 ifconfig addresses %s and %s to binary", ifconfig_ipv6_local_parm, ifconfig_ipv6_remote_parm ); } tt->netbits_ipv6 = ifconfig_ipv6_netbits_parm; tt->did_ifconfig_ipv6_setup = true; } /* * Set environmental variables with ifconfig parameters. */ if (es) { do_ifconfig_setenv(tt, es); } gc_free(&gc); return tt; } /* * Platform specific tun initializations */ void init_tun_post(struct tuntap *tt, const struct frame *frame, const struct tuntap_options *options) { tt->options = *options; #ifdef _WIN32 overlapped_io_init(&tt->reads, frame, FALSE, true); overlapped_io_init(&tt->writes, frame, TRUE, true); tt->rw_handle.read = tt->reads.overlapped.hEvent; tt->rw_handle.write = tt->writes.overlapped.hEvent; tt->adapter_index = TUN_ADAPTER_INDEX_INVALID; #endif } #if defined(_WIN32) \ || defined(TARGET_DARWIN) || defined(TARGET_NETBSD) || defined(TARGET_OPENBSD) /* some of the platforms will auto-add a "network route" pointing * to the interface on "ifconfig tunX 2001:db8::1/64", others need * an extra call to "route add..." * -> helper function to simplify code below */ void add_route_connected_v6_net(struct tuntap *tt, const struct env_set *es) { struct route_ipv6 r6; CLEAR(r6); r6.network = tt->local_ipv6; r6.netbits = tt->netbits_ipv6; r6.gateway = tt->local_ipv6; r6.metric = 0; /* connected route */ r6.flags = RT_DEFINED | RT_METRIC_DEFINED; add_route_ipv6(&r6, tt, 0, es); } void delete_route_connected_v6_net(struct tuntap *tt, const struct env_set *es) { struct route_ipv6 r6; CLEAR(r6); r6.network = tt->local_ipv6; r6.netbits = tt->netbits_ipv6; r6.gateway = tt->local_ipv6; r6.metric = 0; /* connected route */ r6.flags = RT_DEFINED | RT_ADDED | RT_METRIC_DEFINED; delete_route_ipv6(&r6, tt, 0, es); } #endif /* if defined(_WIN32) || defined(TARGET_DARWIN) || defined(TARGET_NETBSD) || defined(TARGET_OPENBSD) */ #if defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY) \ || defined(TARGET_OPENBSD) /* we can't use true subnet mode on tun on all platforms, as that * conflicts with IPv6 (wants to use ND then, which we don't do), * but the OSes want "a remote address that is different from ours" * - so we construct one, normally the first in the subnet, but if * this is the same as ours, use the second one. * The actual address does not matter at all, as the tun interface * is still point to point and no layer 2 resolution is done... */ in_addr_t create_arbitrary_remote( struct tuntap *tt ) { in_addr_t remote; remote = (tt->local & tt->remote_netmask) +1; if (remote == tt->local) { remote++; } return remote; } #endif /* execute the ifconfig command through the shell */ void do_ifconfig(struct tuntap *tt, const char *actual, /* actual device name */ int tun_mtu, const struct env_set *es) { struct gc_arena gc = gc_new(); if (tt->did_ifconfig_setup) { bool tun = false; const char *ifconfig_local = NULL; const char *ifconfig_remote_netmask = NULL; const char *ifconfig_broadcast = NULL; const char *ifconfig_ipv6_local = NULL; bool do_ipv6 = false; struct argv argv = argv_new(); msg( M_DEBUG, "do_ifconfig, tt->did_ifconfig_ipv6_setup=%d", tt->did_ifconfig_ipv6_setup ); /* * We only handle TUN/TAP devices here, not --dev null devices. */ tun = is_tun_p2p(tt); /* * Set ifconfig parameters */ ifconfig_local = print_in_addr_t(tt->local, 0, &gc); ifconfig_remote_netmask = print_in_addr_t(tt->remote_netmask, 0, &gc); if (tt->did_ifconfig_ipv6_setup) { ifconfig_ipv6_local = print_in6_addr(tt->local_ipv6, 0, &gc); do_ipv6 = true; } /* * If TAP-style device, generate broadcast address. */ if (!tun) { ifconfig_broadcast = print_in_addr_t(tt->broadcast, 0, &gc); } #ifdef ENABLE_MANAGEMENT if (management) { management_set_state(management, OPENVPN_STATE_ASSIGN_IP, NULL, &tt->local, &tt->local_ipv6, NULL, NULL); } #endif #if defined(TARGET_LINUX) #ifdef ENABLE_IPROUTE /* * Set the MTU for the device */ argv_printf(&argv, "%s link set dev %s up mtu %d", iproute_path, actual, tun_mtu ); argv_msg(M_INFO, &argv); openvpn_execve_check(&argv, es, S_FATAL, "Linux ip link set failed"); if (tun) { /* * Set the address for the device */ argv_printf(&argv, "%s addr add dev %s local %s peer %s", iproute_path, actual, ifconfig_local, ifconfig_remote_netmask ); argv_msg(M_INFO, &argv); openvpn_execve_check(&argv, es, S_FATAL, "Linux ip addr add failed"); } else { argv_printf(&argv, "%s addr add dev %s %s/%d broadcast %s", iproute_path, actual, ifconfig_local, netmask_to_netbits2(tt->remote_netmask), ifconfig_broadcast ); argv_msg(M_INFO, &argv); openvpn_execve_check(&argv, es, S_FATAL, "Linux ip addr add failed"); } if (do_ipv6) { argv_printf( &argv, "%s -6 addr add %s/%d dev %s", iproute_path, ifconfig_ipv6_local, tt->netbits_ipv6, actual ); argv_msg(M_INFO, &argv); openvpn_execve_check(&argv, es, S_FATAL, "Linux ip -6 addr add failed"); } tt->did_ifconfig = true; #else /* ifdef ENABLE_IPROUTE */ if (tun) { argv_printf(&argv, "%s %s %s pointopoint %s mtu %d", IFCONFIG_PATH, actual, ifconfig_local, ifconfig_remote_netmask, tun_mtu ); } else { argv_printf(&argv, "%s %s %s netmask %s mtu %d broadcast %s", IFCONFIG_PATH, actual, ifconfig_local, ifconfig_remote_netmask, tun_mtu, ifconfig_broadcast ); } argv_msg(M_INFO, &argv); openvpn_execve_check(&argv, es, S_FATAL, "Linux ifconfig failed"); if (do_ipv6) { argv_printf(&argv, "%s %s add %s/%d", IFCONFIG_PATH, actual, ifconfig_ipv6_local, tt->netbits_ipv6 ); argv_msg(M_INFO, &argv); openvpn_execve_check(&argv, es, S_FATAL, "Linux ifconfig inet6 failed"); } tt->did_ifconfig = true; #endif /*ENABLE_IPROUTE*/ #elif defined(TARGET_ANDROID) if (do_ipv6) { struct buffer out6 = alloc_buf_gc(64, &gc); buf_printf(&out6, "%s/%d", ifconfig_ipv6_local,tt->netbits_ipv6); management_android_control(management, "IFCONFIG6",buf_bptr(&out6)); } struct buffer out = alloc_buf_gc(64, &gc); char *top; switch (tt->topology) { case TOP_NET30: top = "net30"; break; case TOP_P2P: top = "p2p"; break; case TOP_SUBNET: top = "subnet"; break; default: top = "undef"; } buf_printf(&out, "%s %s %d %s", ifconfig_local, ifconfig_remote_netmask, tun_mtu, top); management_android_control(management, "IFCONFIG", buf_bptr(&out)); #elif defined(TARGET_SOLARIS) /* Solaris 2.6 (and 7?) cannot set all parameters in one go... * example: * ifconfig tun2 10.2.0.2 10.2.0.1 mtu 1450 up * ifconfig tun2 netmask 255.255.255.255 */ if (tun) { argv_printf(&argv, "%s %s %s %s mtu %d up", IFCONFIG_PATH, actual, ifconfig_local, ifconfig_remote_netmask, tun_mtu ); argv_msg(M_INFO, &argv); if (!openvpn_execve_check(&argv, es, 0, "Solaris ifconfig phase-1 failed")) { solaris_error_close(tt, es, actual, false); } argv_printf(&argv, "%s %s netmask 255.255.255.255", IFCONFIG_PATH, actual ); } else if (tt->topology == TOP_SUBNET) { argv_printf(&argv, "%s %s %s %s netmask %s mtu %d up", IFCONFIG_PATH, actual, ifconfig_local, ifconfig_local, ifconfig_remote_netmask, tun_mtu ); } else { argv_printf(&argv, " %s %s %s netmask %s broadcast + up", IFCONFIG_PATH, actual, ifconfig_local, ifconfig_remote_netmask ); } argv_msg(M_INFO, &argv); if (!openvpn_execve_check(&argv, es, 0, "Solaris ifconfig phase-2 failed")) { solaris_error_close(tt, es, actual, false); } if (do_ipv6) { argv_printf(&argv, "%s %s inet6 unplumb", IFCONFIG_PATH, actual ); argv_msg(M_INFO, &argv); openvpn_execve_check(&argv, es, 0, NULL); if (tt->type == DEV_TYPE_TUN) { const char *ifconfig_ipv6_remote = print_in6_addr(tt->remote_ipv6, 0, &gc); argv_printf(&argv, "%s %s inet6 plumb %s/%d %s up", IFCONFIG_PATH, actual, ifconfig_ipv6_local, tt->netbits_ipv6, ifconfig_ipv6_remote ); } else /* tap mode */ { /* base IPv6 tap interface needs to be brought up first */ argv_printf(&argv, "%s %s inet6 plumb up", IFCONFIG_PATH, actual ); argv_msg(M_INFO, &argv); if (!openvpn_execve_check(&argv, es, 0, "Solaris ifconfig IPv6 (prepare) failed")) { solaris_error_close(tt, es, actual, true); } /* we might need to do "ifconfig %s inet6 auto-dhcp drop" * after the system has noticed the interface and fired up * the DHCPv6 client - but this takes quite a while, and the * server will ignore the DHCPv6 packets anyway. So we don't. */ /* static IPv6 addresses need to go to a subinterface (tap0:1) */ argv_printf(&argv, "%s %s inet6 addif %s/%d up", IFCONFIG_PATH, actual, ifconfig_ipv6_local, tt->netbits_ipv6 ); } argv_msg(M_INFO, &argv); if (!openvpn_execve_check(&argv, es, 0, "Solaris ifconfig IPv6 failed")) { solaris_error_close(tt, es, actual, true); } } if (!tun && tt->topology == TOP_SUBNET) { /* Add a network route for the local tun interface */ struct route_ipv4 r; CLEAR(r); r.flags = RT_DEFINED | RT_METRIC_DEFINED; r.network = tt->local & tt->remote_netmask; r.netmask = tt->remote_netmask; r.gateway = tt->local; r.metric = 0; add_route(&r, tt, 0, NULL, es); } tt->did_ifconfig = true; #elif defined(TARGET_OPENBSD) in_addr_t remote_end; /* for "virtual" subnet topology */ /* * On OpenBSD, tun interfaces are persistent if created with * "ifconfig tunX create", and auto-destroyed if created by * opening "/dev/tunX" (so we just use the /dev/tunX) */ /* example: ifconfig tun2 10.2.0.2 10.2.0.1 mtu 1450 netmask 255.255.255.255 up */ if (tun) { argv_printf(&argv, "%s %s %s %s mtu %d netmask 255.255.255.255 up -link0", IFCONFIG_PATH, actual, ifconfig_local, ifconfig_remote_netmask, tun_mtu ); } else if (tt->topology == TOP_SUBNET) { remote_end = create_arbitrary_remote( tt ); argv_printf(&argv, "%s %s %s %s mtu %d netmask %s up -link0", IFCONFIG_PATH, actual, ifconfig_local, print_in_addr_t(remote_end, 0, &gc), tun_mtu, ifconfig_remote_netmask ); } else { argv_printf(&argv, "%s %s %s netmask %s mtu %d broadcast %s link0", IFCONFIG_PATH, actual, ifconfig_local, ifconfig_remote_netmask, tun_mtu, ifconfig_broadcast ); } argv_msg(M_INFO, &argv); openvpn_execve_check(&argv, es, S_FATAL, "OpenBSD ifconfig failed"); /* Add a network route for the local tun interface */ if (!tun && tt->topology == TOP_SUBNET) { struct route_ipv4 r; CLEAR(r); r.flags = RT_DEFINED; r.network = tt->local & tt->remote_netmask; r.netmask = tt->remote_netmask; r.gateway = remote_end; add_route(&r, tt, 0, NULL, es); } if (do_ipv6) { argv_printf(&argv, "%s %s inet6 %s/%d", IFCONFIG_PATH, actual, ifconfig_ipv6_local, tt->netbits_ipv6 ); argv_msg(M_INFO, &argv); openvpn_execve_check(&argv, es, S_FATAL, "OpenBSD ifconfig inet6 failed"); /* and, hooray, we explicitely need to add a route... */ add_route_connected_v6_net(tt, es); } tt->did_ifconfig = true; #elif defined(TARGET_NETBSD) if (tun) { argv_printf(&argv, "%s %s %s %s mtu %d netmask 255.255.255.255 up", IFCONFIG_PATH, actual, ifconfig_local, ifconfig_remote_netmask, tun_mtu ); } else if (tt->topology == TOP_SUBNET) { argv_printf(&argv, "%s %s %s %s mtu %d netmask %s up", IFCONFIG_PATH, actual, ifconfig_local, ifconfig_local, tun_mtu, ifconfig_remote_netmask ); } else { /* * NetBSD has distinct tun and tap devices * so we don't need the "link0" extra parameter to specify we want to do * tunneling at the ethernet level */ argv_printf(&argv, "%s %s %s netmask %s mtu %d broadcast %s", IFCONFIG_PATH, actual, ifconfig_local, ifconfig_remote_netmask, tun_mtu, ifconfig_broadcast ); } argv_msg(M_INFO, &argv); openvpn_execve_check(&argv, es, S_FATAL, "NetBSD ifconfig failed"); if (do_ipv6) { argv_printf(&argv, "%s %s inet6 %s/%d", IFCONFIG_PATH, actual, ifconfig_ipv6_local, tt->netbits_ipv6 ); argv_msg(M_INFO, &argv); openvpn_execve_check(&argv, es, S_FATAL, "NetBSD ifconfig inet6 failed"); /* and, hooray, we explicitely need to add a route... */ add_route_connected_v6_net(tt, es); } tt->did_ifconfig = true; #elif defined(TARGET_DARWIN) /* * Darwin (i.e. Mac OS X) seems to exhibit similar behaviour to OpenBSD... */ argv_printf(&argv, "%s %s delete", IFCONFIG_PATH, actual); argv_msg(M_INFO, &argv); openvpn_execve_check(&argv, es, 0, NULL); msg(M_INFO, "NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure"); /* example: ifconfig tun2 10.2.0.2 10.2.0.1 mtu 1450 netmask 255.255.255.255 up */ if (tun) { argv_printf(&argv, "%s %s %s %s mtu %d netmask 255.255.255.255 up", IFCONFIG_PATH, actual, ifconfig_local, ifconfig_remote_netmask, tun_mtu ); } else { if (tt->topology == TOP_SUBNET) { argv_printf(&argv, "%s %s %s %s netmask %s mtu %d up", IFCONFIG_PATH, actual, ifconfig_local, ifconfig_local, ifconfig_remote_netmask, tun_mtu ); } else { argv_printf(&argv, "%s %s %s netmask %s mtu %d up", IFCONFIG_PATH, actual, ifconfig_local, ifconfig_remote_netmask, tun_mtu ); } } argv_msg(M_INFO, &argv); openvpn_execve_check(&argv, es, S_FATAL, "Mac OS X ifconfig failed"); tt->did_ifconfig = true; /* Add a network route for the local tun interface */ if (!tun && tt->topology == TOP_SUBNET) { struct route_ipv4 r; CLEAR(r); r.flags = RT_DEFINED; r.network = tt->local & tt->remote_netmask; r.netmask = tt->remote_netmask; r.gateway = tt->local; add_route(&r, tt, 0, NULL, es); } if (do_ipv6) { argv_printf(&argv, "%s %s inet6 %s/%d", IFCONFIG_PATH, actual, ifconfig_ipv6_local, tt->netbits_ipv6 ); argv_msg(M_INFO, &argv); openvpn_execve_check(&argv, es, S_FATAL, "MacOS X ifconfig inet6 failed"); /* and, hooray, we explicitely need to add a route... */ add_route_connected_v6_net(tt, es); } #elif defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY) in_addr_t remote_end; /* for "virtual" subnet topology */ /* example: ifconfig tun2 10.2.0.2 10.2.0.1 mtu 1450 netmask 255.255.255.255 up */ if (tun) { argv_printf(&argv, "%s %s %s %s mtu %d netmask 255.255.255.255 up", IFCONFIG_PATH, actual, ifconfig_local, ifconfig_remote_netmask, tun_mtu ); } else if (tt->topology == TOP_SUBNET) { remote_end = create_arbitrary_remote( tt ); argv_printf(&argv, "%s %s %s %s mtu %d netmask %s up", IFCONFIG_PATH, actual, ifconfig_local, print_in_addr_t(remote_end, 0, &gc), tun_mtu, ifconfig_remote_netmask ); } else { argv_printf(&argv, "%s %s %s netmask %s mtu %d up", IFCONFIG_PATH, actual, ifconfig_local, ifconfig_remote_netmask, tun_mtu ); } argv_msg(M_INFO, &argv); openvpn_execve_check(&argv, es, S_FATAL, "FreeBSD ifconfig failed"); tt->did_ifconfig = true; /* Add a network route for the local tun interface */ if (!tun && tt->topology == TOP_SUBNET) { struct route_ipv4 r; CLEAR(r); r.flags = RT_DEFINED; r.network = tt->local & tt->remote_netmask; r.netmask = tt->remote_netmask; r.gateway = remote_end; add_route(&r, tt, 0, NULL, es); } if (do_ipv6) { argv_printf(&argv, "%s %s inet6 %s/%d", IFCONFIG_PATH, actual, ifconfig_ipv6_local, tt->netbits_ipv6 ); argv_msg(M_INFO, &argv); openvpn_execve_check(&argv, es, S_FATAL, "FreeBSD ifconfig inet6 failed"); } #elif defined(TARGET_AIX) { /* AIX ifconfig will complain if it can't find ODM path in env */ struct env_set *aix_es = env_set_create(NULL); env_set_add( aix_es, "ODMDIR=/etc/objrepos" ); if (tun) { msg(M_FATAL, "no tun support on AIX (canthappen)"); } /* example: ifconfig tap0 172.30.1.1 netmask 255.255.254.0 up */ argv_printf(&argv, "%s %s %s netmask %s mtu %d up", IFCONFIG_PATH, actual, ifconfig_local, ifconfig_remote_netmask, tun_mtu ); argv_msg(M_INFO, &argv); openvpn_execve_check(&argv, aix_es, S_FATAL, "AIX ifconfig failed"); tt->did_ifconfig = true; if (do_ipv6) { argv_printf(&argv, "%s %s inet6 %s/%d", IFCONFIG_PATH, actual, ifconfig_ipv6_local, tt->netbits_ipv6 ); argv_msg(M_INFO, &argv); openvpn_execve_check(&argv, aix_es, S_FATAL, "AIX ifconfig inet6 failed"); } env_set_destroy(aix_es); } #elif defined (_WIN32) { ASSERT(actual != NULL); switch (tt->options.ip_win32_type) { case IPW32_SET_MANUAL: msg(M_INFO, "******** NOTE: Please manually set the IP/netmask of '%s' to %s/%s (if it is not already set)", actual, ifconfig_local, print_in_addr_t(tt->adapter_netmask, 0, &gc)); break; case IPW32_SET_NETSH: netsh_ifconfig(&tt->options, actual, tt->local, tt->adapter_netmask, NI_IP_NETMASK|NI_OPTIONS); break; } tt->did_ifconfig = true; } if (do_ipv6) { if (tt->options.ip_win32_type == IPW32_SET_MANUAL) { msg(M_INFO, "******** NOTE: Please manually set the v6 IP of '%s' to %s (if it is not already set)", actual, ifconfig_ipv6_local); } else if (tt->options.msg_channel) { do_address_service(true, AF_INET6, tt); do_dns6_service(true, tt); } else { /* example: netsh interface ipv6 set address interface=42 2001:608:8003::d store=active */ char iface[64]; openvpn_snprintf(iface, sizeof(iface), "interface=%lu", tt->adapter_index ); argv_printf(&argv, "%s%sc interface ipv6 set address %s %s store=active", get_win_sys_path(), NETSH_PATH_SUFFIX, iface, ifconfig_ipv6_local ); netsh_command(&argv, 4, M_FATAL); /* set ipv6 dns servers if any are specified */ netsh_set_dns6_servers(tt->options.dns6, tt->options.dns6_len, actual); } /* explicit route needed */ if (tt->options.ip_win32_type != IPW32_SET_MANUAL) { add_route_connected_v6_net(tt, es); } } #else /* if defined(TARGET_LINUX) */ msg(M_FATAL, "Sorry, but I don't know how to do 'ifconfig' commands on this operating system. You should ifconfig your TUN/TAP device manually or use an --up script."); #endif /* if defined(TARGET_LINUX) */ argv_reset(&argv); } gc_free(&gc); } static void clear_tuntap(struct tuntap *tuntap) { CLEAR(*tuntap); #ifdef _WIN32 tuntap->hand = NULL; #else tuntap->fd = -1; #endif #ifdef TARGET_SOLARIS tuntap->ip_fd = -1; #endif } static void open_null(struct tuntap *tt) { tt->actual_name = string_alloc("null", NULL); } #if defined (TARGET_OPENBSD) || (defined(TARGET_DARWIN) && HAVE_NET_IF_UTUN_H) /* * OpenBSD and Mac OS X when using utun * have a slightly incompatible TUN device from * the rest of the world, in that it prepends a * uint32 to the beginning of the IP header * to designate the protocol (why not just * look at the version field in the IP header to * determine v4 or v6?). * * We strip off this field on reads and * put it back on writes. * * I have not tested TAP devices on OpenBSD, * but I have conditionalized the special * TUN handling code described above to * go away for TAP devices. */ #include #include static inline int header_modify_read_write_return(int len) { if (len > 0) { return len > sizeof(u_int32_t) ? len - sizeof(u_int32_t) : 0; } else { return len; } } int write_tun_header(struct tuntap *tt, uint8_t *buf, int len) { if (tt->type == DEV_TYPE_TUN) { u_int32_t type; struct iovec iv[2]; struct openvpn_iphdr *iph; iph = (struct openvpn_iphdr *) buf; if (OPENVPN_IPH_GET_VER(iph->version_len) == 6) { type = htonl(AF_INET6); } else { type = htonl(AF_INET); } iv[0].iov_base = &type; iv[0].iov_len = sizeof(type); iv[1].iov_base = buf; iv[1].iov_len = len; return header_modify_read_write_return(writev(tt->fd, iv, 2)); } else { return write(tt->fd, buf, len); } } int read_tun_header(struct tuntap *tt, uint8_t *buf, int len) { if (tt->type == DEV_TYPE_TUN) { u_int32_t type; struct iovec iv[2]; iv[0].iov_base = &type; iv[0].iov_len = sizeof(type); iv[1].iov_base = buf; iv[1].iov_len = len; return header_modify_read_write_return(readv(tt->fd, iv, 2)); } else { return read(tt->fd, buf, len); } } #endif /* if defined (TARGET_OPENBSD) || (defined(TARGET_DARWIN) && HAVE_NET_IF_UTUN_H) */ #if !(defined(_WIN32) || defined(TARGET_LINUX)) static void open_tun_generic(const char *dev, const char *dev_type, const char *dev_node, bool dynamic, struct tuntap *tt) { char tunname[256]; char dynamic_name[256]; bool dynamic_opened = false; if (tt->type == DEV_TYPE_NULL) { open_null(tt); } else { /* * --dev-node specified, so open an explicit device node */ if (dev_node) { openvpn_snprintf(tunname, sizeof(tunname), "%s", dev_node); } else { /* * dynamic open is indicated by --dev specified without * explicit unit number. Try opening /dev/[dev]n * where n = [0, 255]. */ #ifdef TARGET_NETBSD /* on NetBSD, tap (but not tun) devices are opened by * opening /dev/tap and then querying the system about the * actual device name (tap0, tap1, ...) assigned */ if (dynamic && strcmp( dev, "tap" ) == 0) { struct ifreq ifr; if ((tt->fd = open( "/dev/tap", O_RDWR)) < 0) { msg(M_FATAL, "Cannot allocate NetBSD TAP dev dynamically"); } if (ioctl( tt->fd, TAPGIFNAME, (void *)&ifr ) < 0) { msg(M_FATAL, "Cannot query NetBSD TAP device name"); } CLEAR(dynamic_name); strncpy( dynamic_name, ifr.ifr_name, sizeof(dynamic_name)-1 ); dynamic_opened = true; openvpn_snprintf(tunname, sizeof(tunname), "/dev/%s", dynamic_name ); } else #endif if (dynamic && !has_digit((unsigned char *)dev)) { int i; for (i = 0; i < 256; ++i) { openvpn_snprintf(tunname, sizeof(tunname), "/dev/%s%d", dev, i); openvpn_snprintf(dynamic_name, sizeof(dynamic_name), "%s%d", dev, i); if ((tt->fd = open(tunname, O_RDWR)) > 0) { dynamic_opened = true; break; } msg(D_READ_WRITE | M_ERRNO, "Tried opening %s (failed)", tunname); } if (!dynamic_opened) { msg(M_FATAL, "Cannot allocate TUN/TAP dev dynamically"); } } /* * explicit unit number specified */ else { openvpn_snprintf(tunname, sizeof(tunname), "/dev/%s", dev); } } if (!dynamic_opened) { /* has named device existed before? if so, don't destroy at end */ if (if_nametoindex( dev ) > 0) { msg(M_INFO, "TUN/TAP device %s exists previously, keep at program end", dev ); tt->persistent_if = true; } if ((tt->fd = open(tunname, O_RDWR)) < 0) { msg(M_ERR, "Cannot open TUN/TAP dev %s", tunname); } } set_nonblock(tt->fd); set_cloexec(tt->fd); /* don't pass fd to scripts */ msg(M_INFO, "TUN/TAP device %s opened", tunname); /* tt->actual_name is passed to up and down scripts and used as the ifconfig dev name */ tt->actual_name = string_alloc(dynamic_opened ? dynamic_name : dev, NULL); } } #endif /* !_WIN32 && !TARGET_LINUX */ #if !defined(_WIN32) static void close_tun_generic(struct tuntap *tt) { if (tt->fd >= 0) { close(tt->fd); } if (tt->actual_name) { free(tt->actual_name); } clear_tuntap(tt); } #endif /* !_WIN32 */ #if defined (TARGET_ANDROID) void open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tuntap *tt) { #define ANDROID_TUNNAME "vpnservice-tun" struct user_pass up; struct gc_arena gc = gc_new(); bool opentun; int oldtunfd = tt->fd; /* Prefer IPv6 DNS servers, * Android will use the DNS server in the order we specify*/ for (int i = 0; i < tt->options.dns6_len; i++) { management_android_control(management, "DNS6SERVER", print_in6_addr(tt->options.dns6[i], 0, &gc)); } for (int i = 0; i < tt->options.dns_len; i++) { management_android_control(management, "DNSSERVER", print_in_addr_t(tt->options.dns[i], 0, &gc)); } if (tt->options.domain) { management_android_control(management, "DNSDOMAIN", tt->options.domain); } int android_method = managment_android_persisttun_action(management); /* Android 4.4 workaround */ if (oldtunfd >=0 && android_method == ANDROID_OPEN_AFTER_CLOSE) { close(oldtunfd); management_sleep(2); } if (oldtunfd >=0 && android_method == ANDROID_KEEP_OLD_TUN) { /* keep the old fd */ opentun = true; } else { opentun = management_android_control(management, "OPENTUN", dev); /* Pick up the fd from management interface after calling the * OPENTUN command */ tt->fd = management->connection.lastfdreceived; management->connection.lastfdreceived = -1; } if (oldtunfd>=0 && android_method == ANDROID_OPEN_BEFORE_CLOSE) { close(oldtunfd); } /* Set the actual name to a dummy name */ tt->actual_name = string_alloc(ANDROID_TUNNAME, NULL); if ((tt->fd < 0) || !opentun) { msg(M_ERR, "ERROR: Cannot open TUN"); } gc_free(&gc); } void close_tun(struct tuntap *tt) { if (tt) { close_tun_generic(tt); free(tt); } } int write_tun(struct tuntap *tt, uint8_t *buf, int len) { return write(tt->fd, buf, len); } int read_tun(struct tuntap *tt, uint8_t *buf, int len) { return read(tt->fd, buf, len); } #elif defined(TARGET_LINUX) #ifndef HAVE_LINUX_SOCKIOS_H #error header file linux/sockios.h required #endif #if !PEDANTIC void open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tuntap *tt) { struct ifreq ifr; /* * We handle --dev null specially, we do not open /dev/null for this. */ if (tt->type == DEV_TYPE_NULL) { open_null(tt); } else { /* * Process --dev-node */ const char *node = dev_node; if (!node) { node = "/dev/net/tun"; } /* * Open the interface */ if ((tt->fd = open(node, O_RDWR)) < 0) { msg(M_ERR, "ERROR: Cannot open TUN/TAP dev %s", node); } /* * Process --tun-ipv6 */ CLEAR(ifr); ifr.ifr_flags = IFF_NO_PI; #if defined(IFF_ONE_QUEUE) && defined(SIOCSIFTXQLEN) ifr.ifr_flags |= IFF_ONE_QUEUE; #endif /* * Figure out if tun or tap device */ if (tt->type == DEV_TYPE_TUN) { ifr.ifr_flags |= IFF_TUN; } else if (tt->type == DEV_TYPE_TAP) { ifr.ifr_flags |= IFF_TAP; } else { msg(M_FATAL, "I don't recognize device %s as a tun or tap device", dev); } /* * Set an explicit name, if --dev is not tun or tap */ if (strcmp(dev, "tun") && strcmp(dev, "tap")) { strncpynt(ifr.ifr_name, dev, IFNAMSIZ); } /* * Use special ioctl that configures tun/tap device with the parms * we set in ifr */ if (ioctl(tt->fd, TUNSETIFF, (void *) &ifr) < 0) { msg(M_ERR, "ERROR: Cannot ioctl TUNSETIFF %s", dev); } msg(M_INFO, "TUN/TAP device %s opened", ifr.ifr_name); /* * Try making the TX send queue bigger */ #if defined(IFF_ONE_QUEUE) && defined(SIOCSIFTXQLEN) if (tt->options.txqueuelen) { struct ifreq netifr; int ctl_fd; if ((ctl_fd = socket(AF_INET, SOCK_DGRAM, 0)) >= 0) { CLEAR(netifr); strncpynt(netifr.ifr_name, ifr.ifr_name, IFNAMSIZ); netifr.ifr_qlen = tt->options.txqueuelen; if (ioctl(ctl_fd, SIOCSIFTXQLEN, (void *) &netifr) >= 0) { msg(D_OSBUF, "TUN/TAP TX queue length set to %d", tt->options.txqueuelen); } else { msg(M_WARN | M_ERRNO, "Note: Cannot set tx queue length on %s", ifr.ifr_name); } close(ctl_fd); } else { msg(M_WARN | M_ERRNO, "Note: Cannot open control socket on %s", ifr.ifr_name); } } #endif /* if defined(IFF_ONE_QUEUE) && defined(SIOCSIFTXQLEN) */ set_nonblock(tt->fd); set_cloexec(tt->fd); tt->actual_name = string_alloc(ifr.ifr_name, NULL); } return; } #else /* if !PEDANTIC */ void open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tuntap *tt) { ASSERT(0); } #endif /* !PENDANTIC */ #ifdef ENABLE_FEATURE_TUN_PERSIST void tuncfg(const char *dev, const char *dev_type, const char *dev_node, int persist_mode, const char *username, const char *groupname, const struct tuntap_options *options) { struct tuntap *tt; ALLOC_OBJ(tt, struct tuntap); clear_tuntap(tt); tt->type = dev_type_enum(dev, dev_type); tt->options = *options; open_tun(dev, dev_type, dev_node, tt); if (ioctl(tt->fd, TUNSETPERSIST, persist_mode) < 0) { msg(M_ERR, "Cannot ioctl TUNSETPERSIST(%d) %s", persist_mode, dev); } if (username != NULL) { struct platform_state_user platform_state_user; if (!platform_user_get(username, &platform_state_user)) { msg(M_ERR, "Cannot get user entry for %s", username); } else if (ioctl(tt->fd, TUNSETOWNER, platform_state_user.pw->pw_uid) < 0) { msg(M_ERR, "Cannot ioctl TUNSETOWNER(%s) %s", username, dev); } } if (groupname != NULL) { struct platform_state_group platform_state_group; if (!platform_group_get(groupname, &platform_state_group)) { msg(M_ERR, "Cannot get group entry for %s", groupname); } else if (ioctl(tt->fd, TUNSETGROUP, platform_state_group.gr->gr_gid) < 0) { msg(M_ERR, "Cannot ioctl TUNSETOWNER(%s) %s", groupname, dev); } } close_tun(tt); msg(M_INFO, "Persist state set to: %s", (persist_mode ? "ON" : "OFF")); } #endif /* ENABLE_FEATURE_TUN_PERSIST */ void close_tun(struct tuntap *tt) { if (tt) { if (tt->type != DEV_TYPE_NULL && tt->did_ifconfig) { struct argv argv = argv_new(); struct gc_arena gc = gc_new(); #ifdef ENABLE_IPROUTE if (is_tun_p2p(tt)) { argv_printf(&argv, "%s addr del dev %s local %s peer %s", iproute_path, tt->actual_name, print_in_addr_t(tt->local, 0, &gc), print_in_addr_t(tt->remote_netmask, 0, &gc) ); } else { argv_printf(&argv, "%s addr del dev %s %s/%d", iproute_path, tt->actual_name, print_in_addr_t(tt->local, 0, &gc), netmask_to_netbits2(tt->remote_netmask) ); } #else /* ifdef ENABLE_IPROUTE */ argv_printf(&argv, "%s %s 0.0.0.0", IFCONFIG_PATH, tt->actual_name ); #endif /* ifdef ENABLE_IPROUTE */ argv_msg(M_INFO, &argv); openvpn_execve_check(&argv, NULL, 0, "Linux ip addr del failed"); if (tt->did_ifconfig_ipv6_setup) { const char *ifconfig_ipv6_local = print_in6_addr(tt->local_ipv6, 0, &gc); #ifdef ENABLE_IPROUTE argv_printf(&argv, "%s -6 addr del %s/%d dev %s", iproute_path, ifconfig_ipv6_local, tt->netbits_ipv6, tt->actual_name ); argv_msg(M_INFO, &argv); openvpn_execve_check(&argv, NULL, 0, "Linux ip -6 addr del failed"); #else /* ifdef ENABLE_IPROUTE */ argv_printf(&argv, "%s %s del %s/%d", IFCONFIG_PATH, tt->actual_name, ifconfig_ipv6_local, tt->netbits_ipv6 ); argv_msg(M_INFO, &argv); openvpn_execve_check(&argv, NULL, 0, "Linux ifconfig inet6 del failed"); #endif } argv_reset(&argv); gc_free(&gc); } close_tun_generic(tt); free(tt); } } int write_tun(struct tuntap *tt, uint8_t *buf, int len) { return write(tt->fd, buf, len); } int read_tun(struct tuntap *tt, uint8_t *buf, int len) { return read(tt->fd, buf, len); } #elif defined(TARGET_SOLARIS) #ifndef TUNNEWPPA #error I need the symbol TUNNEWPPA from net/if_tun.h #endif void open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tuntap *tt) { int if_fd, ip_muxid, arp_muxid, arp_fd, ppa = -1; struct lifreq ifr; const char *ptr; const char *ip_node, *arp_node; const char *dev_tuntap_type; int link_type; bool is_tun; struct strioctl strioc_if, strioc_ppa; /* improved generic TUN/TAP driver from * http://www.whiteboard.ne.jp/~admin2/tuntap/ * has IPv6 support */ CLEAR(ifr); if (tt->type == DEV_TYPE_NULL) { open_null(tt); return; } if (tt->type == DEV_TYPE_TUN) { ip_node = "/dev/udp"; if (!dev_node) { dev_node = "/dev/tun"; } dev_tuntap_type = "tun"; link_type = I_PLINK; is_tun = true; } else if (tt->type == DEV_TYPE_TAP) { ip_node = "/dev/udp"; if (!dev_node) { dev_node = "/dev/tap"; } arp_node = dev_node; dev_tuntap_type = "tap"; link_type = I_PLINK; /* was: I_LINK */ is_tun = false; } else { msg(M_FATAL, "I don't recognize device %s as a tun or tap device", dev); } if ((tt->ip_fd = open(ip_node, O_RDWR, 0)) < 0) { msg(M_ERR, "Can't open %s", ip_node); } if ((tt->fd = open(dev_node, O_RDWR, 0)) < 0) { msg(M_ERR, "Can't open %s", dev_node); } /* get unit number */ if (*dev) { ptr = dev; while (*ptr && !isdigit((int) *ptr)) { ptr++; } ppa = atoi(ptr); } /* Assign a new PPA and get its unit number. */ strioc_ppa.ic_cmd = TUNNEWPPA; strioc_ppa.ic_timout = 0; strioc_ppa.ic_len = sizeof(ppa); strioc_ppa.ic_dp = (char *)&ppa; if (*ptr == '\0') /* no number given, try dynamic */ { bool found_one = false; while (!found_one && ppa < 64) { int new_ppa = ioctl(tt->fd, I_STR, &strioc_ppa); if (new_ppa >= 0) { msg( M_INFO, "open_tun: got dynamic interface '%s%d'", dev_tuntap_type, new_ppa ); ppa = new_ppa; found_one = true; break; } if (errno != EEXIST) { msg(M_ERR, "open_tun: unexpected error trying to find free %s interface", dev_tuntap_type ); } ppa++; } if (!found_one) { msg(M_ERR, "open_tun: could not find free %s interface, give up.", dev_tuntap_type ); } } else /* try this particular one */ { if ((ppa = ioctl(tt->fd, I_STR, &strioc_ppa)) < 0) { msg(M_ERR, "Can't assign PPA for new interface (%s%d)", dev_tuntap_type, ppa ); } } if ((if_fd = open(dev_node, O_RDWR, 0)) < 0) { msg(M_ERR, "Can't open %s (2)", dev_node); } if (ioctl(if_fd, I_PUSH, "ip") < 0) { msg(M_ERR, "Can't push IP module"); } if (tt->type == DEV_TYPE_TUN) { /* Assign ppa according to the unit number returned by tun device */ if (ioctl(if_fd, IF_UNITSEL, (char *) &ppa) < 0) { msg(M_ERR, "Can't set PPA %d", ppa); } } tt->actual_name = (char *) malloc(32); check_malloc_return(tt->actual_name); openvpn_snprintf(tt->actual_name, 32, "%s%d", dev_tuntap_type, ppa); if (tt->type == DEV_TYPE_TAP) { if (ioctl(if_fd, SIOCGLIFFLAGS, &ifr) < 0) { msg(M_ERR, "Can't get flags\n"); } strncpynt(ifr.lifr_name, tt->actual_name, sizeof(ifr.lifr_name)); ifr.lifr_ppa = ppa; /* Assign ppa according to the unit number returned by tun device */ if (ioctl(if_fd, SIOCSLIFNAME, &ifr) < 0) { msg(M_ERR, "Can't set PPA %d", ppa); } if (ioctl(if_fd, SIOCGLIFFLAGS, &ifr) <0) { msg(M_ERR, "Can't get flags\n"); } /* Push arp module to if_fd */ if (ioctl(if_fd, I_PUSH, "arp") < 0) { msg(M_ERR, "Can't push ARP module"); } /* Pop any modules on the stream */ while (true) { if (ioctl(tt->ip_fd, I_POP, NULL) < 0) { break; } } /* Push arp module to ip_fd */ if (ioctl(tt->ip_fd, I_PUSH, "arp") < 0) { msg(M_ERR, "Can't push ARP module\n"); } /* Open arp_fd */ if ((arp_fd = open(arp_node, O_RDWR, 0)) < 0) { msg(M_ERR, "Can't open %s\n", arp_node); } /* Push arp module to arp_fd */ if (ioctl(arp_fd, I_PUSH, "arp") < 0) { msg(M_ERR, "Can't push ARP module\n"); } /* Set ifname to arp */ strioc_if.ic_cmd = SIOCSLIFNAME; strioc_if.ic_timout = 0; strioc_if.ic_len = sizeof(ifr); strioc_if.ic_dp = (char *)𝔦 if (ioctl(arp_fd, I_STR, &strioc_if) < 0) { msg(M_ERR, "Can't set ifname to arp\n"); } } if ((ip_muxid = ioctl(tt->ip_fd, link_type, if_fd)) < 0) { msg(M_ERR, "Can't link %s device to IP", dev_tuntap_type); } if (tt->type == DEV_TYPE_TAP) { if ((arp_muxid = ioctl(tt->ip_fd, link_type, arp_fd)) < 0) { msg(M_ERR, "Can't link %s device to ARP", dev_tuntap_type); } close(arp_fd); } CLEAR(ifr); strncpynt(ifr.lifr_name, tt->actual_name, sizeof(ifr.lifr_name)); ifr.lifr_ip_muxid = ip_muxid; if (tt->type == DEV_TYPE_TAP) { ifr.lifr_arp_muxid = arp_muxid; } if (ioctl(tt->ip_fd, SIOCSLIFMUXID, &ifr) < 0) { if (tt->type == DEV_TYPE_TAP) { ioctl(tt->ip_fd, I_PUNLINK, arp_muxid); } ioctl(tt->ip_fd, I_PUNLINK, ip_muxid); msg(M_ERR, "Can't set multiplexor id"); } set_nonblock(tt->fd); set_cloexec(tt->fd); set_cloexec(tt->ip_fd); msg(M_INFO, "TUN/TAP device %s opened", tt->actual_name); } static void solaris_close_tun(struct tuntap *tt) { if (tt) { /* IPv6 interfaces need to be 'manually' de-configured */ if (tt->did_ifconfig_ipv6_setup) { struct argv argv = argv_new(); argv_printf( &argv, "%s %s inet6 unplumb", IFCONFIG_PATH, tt->actual_name ); argv_msg(M_INFO, &argv); openvpn_execve_check(&argv, NULL, 0, "Solaris ifconfig inet6 unplumb failed"); argv_reset(&argv); } if (tt->ip_fd >= 0) { struct lifreq ifr; CLEAR(ifr); strncpynt(ifr.lifr_name, tt->actual_name, sizeof(ifr.lifr_name)); if (ioctl(tt->ip_fd, SIOCGLIFFLAGS, &ifr) < 0) { msg(M_WARN | M_ERRNO, "Can't get iface flags"); } if (ioctl(tt->ip_fd, SIOCGLIFMUXID, &ifr) < 0) { msg(M_WARN | M_ERRNO, "Can't get multiplexor id"); } if (tt->type == DEV_TYPE_TAP) { if (ioctl(tt->ip_fd, I_PUNLINK, ifr.lifr_arp_muxid) < 0) { msg(M_WARN | M_ERRNO, "Can't unlink interface(arp)"); } } if (ioctl(tt->ip_fd, I_PUNLINK, ifr.lifr_ip_muxid) < 0) { msg(M_WARN | M_ERRNO, "Can't unlink interface(ip)"); } close(tt->ip_fd); tt->ip_fd = -1; } if (tt->fd >= 0) { close(tt->fd); tt->fd = -1; } } } /* * Close TUN device. */ void close_tun(struct tuntap *tt) { if (tt) { solaris_close_tun(tt); if (tt->actual_name) { free(tt->actual_name); } clear_tuntap(tt); free(tt); } } static void solaris_error_close(struct tuntap *tt, const struct env_set *es, const char *actual, bool unplumb_inet6 ) { struct argv argv = argv_new(); if (unplumb_inet6) { argv_printf( &argv, "%s %s inet6 unplumb", IFCONFIG_PATH, actual ); argv_msg(M_INFO, &argv); openvpn_execve_check(&argv, es, 0, "Solaris ifconfig inet6 unplumb failed"); } argv_printf(&argv, "%s %s unplumb", IFCONFIG_PATH, actual); argv_msg(M_INFO, &argv); openvpn_execve_check(&argv, es, 0, "Solaris ifconfig unplumb failed"); close_tun(tt); msg(M_FATAL, "Solaris ifconfig failed"); argv_reset(&argv); } int write_tun(struct tuntap *tt, uint8_t *buf, int len) { struct strbuf sbuf; sbuf.len = len; sbuf.buf = (char *)buf; return putmsg(tt->fd, NULL, &sbuf, 0) >= 0 ? sbuf.len : -1; } int read_tun(struct tuntap *tt, uint8_t *buf, int len) { struct strbuf sbuf; int f = 0; sbuf.maxlen = len; sbuf.buf = (char *)buf; return getmsg(tt->fd, NULL, &sbuf, &f) >= 0 ? sbuf.len : -1; } #elif defined(TARGET_OPENBSD) void open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tuntap *tt) { open_tun_generic(dev, dev_type, dev_node, true, tt); /* Enable multicast on the interface */ if (tt->fd >= 0) { struct tuninfo info; if (ioctl(tt->fd, TUNGIFINFO, &info) < 0) { msg(M_WARN | M_ERRNO, "Can't get interface info"); } #ifdef IFF_MULTICAST /* openbsd 4.x doesn't have this */ info.flags |= IFF_MULTICAST; #endif if (ioctl(tt->fd, TUNSIFINFO, &info) < 0) { msg(M_WARN | M_ERRNO, "Can't set interface info"); } } } /* tun(4): "If the device was created by opening /dev/tunN, it will be * automatically destroyed. Devices created via ifconfig(8) are * only marked as not running and traffic will be dropped * returning EHOSTDOWN." * --> no special handling should be needed - *but* OpenBSD is misbehaving * here: if the interface was put in tap mode ("ifconfig tunN link0"), it * *will* stay around, and needs to be cleaned up manually */ void close_tun(struct tuntap *tt) { /* only *TAP* devices need destroying, tun devices auto-self-destruct */ if (tt && (tt->type == DEV_TYPE_TUN || tt->persistent_if ) ) { close_tun_generic(tt); free(tt); } else if (tt) { struct gc_arena gc = gc_new(); struct argv argv = argv_new(); /* setup command, close tun dev (clears tt->actual_name!), run command */ argv_printf(&argv, "%s %s destroy", IFCONFIG_PATH, tt->actual_name); close_tun_generic(tt); argv_msg(M_INFO, &argv); openvpn_execve_check(&argv, NULL, 0, "OpenBSD 'destroy tun interface' failed (non-critical)"); free(tt); } } int write_tun(struct tuntap *tt, uint8_t *buf, int len) { return write_tun_header(tt, buf, len); } int read_tun(struct tuntap *tt, uint8_t *buf, int len) { return read_tun_header(tt, buf, len); } #elif defined(TARGET_NETBSD) /* * NetBSD before 4.0 does not support IPv6 on tun out of the box, * but there exists a patch (sys/net/if_tun.c, 1.79->1.80, see PR 32944). * * NetBSD 4.0 and up do, but we need to put the tun interface into * "multi_af" mode, which will prepend the address family to all packets * (same as OpenBSD and FreeBSD). If this is not enabled, the kernel * silently drops all IPv6 packets on output and gets confused on input. * * On earlier versions, multi_af is not available at all, so we have * two different NetBSD code variants here :-( * */ void open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tuntap *tt) { open_tun_generic(dev, dev_type, dev_node, true, tt); if (tt->fd >= 0) { int i = IFF_POINTOPOINT|IFF_MULTICAST; ioctl(tt->fd, TUNSIFMODE, &i); /* multicast on */ i = 0; ioctl(tt->fd, TUNSLMODE, &i); /* link layer mode off */ if (tt->type == DEV_TYPE_TUN) { i = 1; if (ioctl(tt->fd, TUNSIFHEAD, &i) < 0) /* multi-af mode on */ { msg(M_WARN | M_ERRNO, "ioctl(TUNSIFHEAD)"); } } } } /* the current way OpenVPN handles tun devices on NetBSD leads to * lingering tunX interfaces after close -> for a full cleanup, they * need to be explicitely destroyed */ void close_tun(struct tuntap *tt) { /* only tun devices need destroying, tap devices auto-self-destruct */ if (tt && ( tt->type != DEV_TYPE_TUN || tt->persistent_if ) ) { close_tun_generic(tt); free(tt); } else if (tt) { struct gc_arena gc = gc_new(); struct argv argv = argv_new(); /* setup command, close tun dev (clears tt->actual_name!), run command */ argv_printf(&argv, "%s %s destroy", IFCONFIG_PATH, tt->actual_name); close_tun_generic(tt); argv_msg(M_INFO, &argv); openvpn_execve_check(&argv, NULL, 0, "NetBSD 'destroy tun interface' failed (non-critical)"); free(tt); } } static inline int netbsd_modify_read_write_return(int len) { if (len > 0) { return len > sizeof(u_int32_t) ? len - sizeof(u_int32_t) : 0; } else { return len; } } int write_tun(struct tuntap *tt, uint8_t *buf, int len) { if (tt->type == DEV_TYPE_TUN) { u_int32_t type; struct iovec iv[2]; struct openvpn_iphdr *iph; iph = (struct openvpn_iphdr *) buf; if (OPENVPN_IPH_GET_VER(iph->version_len) == 6) { type = htonl(AF_INET6); } else { type = htonl(AF_INET); } iv[0].iov_base = (char *)&type; iv[0].iov_len = sizeof(type); iv[1].iov_base = buf; iv[1].iov_len = len; return netbsd_modify_read_write_return(writev(tt->fd, iv, 2)); } else { return write(tt->fd, buf, len); } } int read_tun(struct tuntap *tt, uint8_t *buf, int len) { if (tt->type == DEV_TYPE_TUN) { u_int32_t type; struct iovec iv[2]; iv[0].iov_base = (char *)&type; iv[0].iov_len = sizeof(type); iv[1].iov_base = buf; iv[1].iov_len = len; return netbsd_modify_read_write_return(readv(tt->fd, iv, 2)); } else { return read(tt->fd, buf, len); } } #elif defined(TARGET_FREEBSD) static inline int freebsd_modify_read_write_return(int len) { if (len > 0) { return len > sizeof(u_int32_t) ? len - sizeof(u_int32_t) : 0; } else { return len; } } void open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tuntap *tt) { open_tun_generic(dev, dev_type, dev_node, true, tt); if (tt->fd >= 0 && tt->type == DEV_TYPE_TUN) { int i = IFF_POINTOPOINT | IFF_MULTICAST; if (ioctl(tt->fd, TUNSIFMODE, &i) < 0) { msg(M_WARN | M_ERRNO, "ioctl(TUNSIFMODE)"); } i = 1; if (ioctl(tt->fd, TUNSIFHEAD, &i) < 0) { msg(M_WARN | M_ERRNO, "ioctl(TUNSIFHEAD)"); } } } /* tun(4): "These network interfaces persist until the if_tun.ko module is * unloaded, or until removed with the ifconfig(8) command." * (verified for FreeBSD 6.3, 7.4, 8.2 and 9, same for tap(4)) * * so, to avoid lingering tun/tap interfaces after OpenVPN quits, * we need to call "ifconfig ... destroy" for cleanup */ void close_tun(struct tuntap *tt) { if (tt && tt->persistent_if) /* keep pre-existing if around */ { close_tun_generic(tt); free(tt); } else if (tt) /* close and destroy */ { struct argv argv = argv_new(); /* setup command, close tun dev (clears tt->actual_name!), run command */ argv_printf(&argv, "%s %s destroy", IFCONFIG_PATH, tt->actual_name); close_tun_generic(tt); argv_msg(M_INFO, &argv); openvpn_execve_check(&argv, NULL, 0, "FreeBSD 'destroy tun interface' failed (non-critical)"); free(tt); } } int write_tun(struct tuntap *tt, uint8_t *buf, int len) { if (tt->type == DEV_TYPE_TUN) { u_int32_t type; struct iovec iv[2]; struct ip *iph; iph = (struct ip *) buf; if (iph->ip_v == 6) { type = htonl(AF_INET6); } else { type = htonl(AF_INET); } iv[0].iov_base = (char *)&type; iv[0].iov_len = sizeof(type); iv[1].iov_base = buf; iv[1].iov_len = len; return freebsd_modify_read_write_return(writev(tt->fd, iv, 2)); } else { return write(tt->fd, buf, len); } } int read_tun(struct tuntap *tt, uint8_t *buf, int len) { if (tt->type == DEV_TYPE_TUN) { u_int32_t type; struct iovec iv[2]; iv[0].iov_base = (char *)&type; iv[0].iov_len = sizeof(type); iv[1].iov_base = buf; iv[1].iov_len = len; return freebsd_modify_read_write_return(readv(tt->fd, iv, 2)); } else { return read(tt->fd, buf, len); } } #elif defined(TARGET_DRAGONFLY) static inline int dragonfly_modify_read_write_return(int len) { if (len > 0) { return len > sizeof(u_int32_t) ? len - sizeof(u_int32_t) : 0; } else { return len; } } void open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tuntap *tt) { open_tun_generic(dev, dev_type, dev_node, true, tt); if (tt->fd >= 0) { int i = 0; /* Disable extended modes */ ioctl(tt->fd, TUNSLMODE, &i); i = 1; ioctl(tt->fd, TUNSIFHEAD, &i); } } void close_tun(struct tuntap *tt) { if (tt) { close_tun_generic(tt); free(tt); } } int write_tun(struct tuntap *tt, uint8_t *buf, int len) { if (tt->type == DEV_TYPE_TUN) { u_int32_t type; struct iovec iv[2]; struct ip *iph; iph = (struct ip *) buf; if (iph->ip_v == 6) { type = htonl(AF_INET6); } else { type = htonl(AF_INET); } iv[0].iov_base = (char *)&type; iv[0].iov_len = sizeof(type); iv[1].iov_base = buf; iv[1].iov_len = len; return dragonfly_modify_read_write_return(writev(tt->fd, iv, 2)); } else { return write(tt->fd, buf, len); } } int read_tun(struct tuntap *tt, uint8_t *buf, int len) { if (tt->type == DEV_TYPE_TUN) { u_int32_t type; struct iovec iv[2]; iv[0].iov_base = (char *)&type; iv[0].iov_len = sizeof(type); iv[1].iov_base = buf; iv[1].iov_len = len; return dragonfly_modify_read_write_return(readv(tt->fd, iv, 2)); } else { return read(tt->fd, buf, len); } } #elif defined(TARGET_DARWIN) /* Darwin (MacOS X) is mostly "just use the generic stuff", but there * is always one caveat...: * * If IPv6 is configured, and the tun device is closed, the IPv6 address * configured to the tun interface changes to a lingering /128 route * pointing to lo0. Need to unconfigure... (observed on 10.5) */ /* * utun is the native Darwin tun driver present since at least 10.7 * Thanks goes to Jonathan Levin for providing an example how to utun * (http://newosxbook.com/src.jl?tree=listings&file=17-15-utun.c) */ #ifdef HAVE_NET_IF_UTUN_H /* Helper functions that tries to open utun device * return -2 on early initialization failures (utun not supported * at all (old OS X) and -1 on initlization failure of utun * device (utun works but utunX is already used */ static int utun_open_helper(struct ctl_info ctlInfo, int utunnum) { struct sockaddr_ctl sc; int fd; fd = socket(PF_SYSTEM, SOCK_DGRAM, SYSPROTO_CONTROL); if (fd < 0) { msg(M_INFO | M_ERRNO, "Opening utun (socket(SYSPROTO_CONTROL))"); return -2; } if (ioctl(fd, CTLIOCGINFO, &ctlInfo) == -1) { close(fd); msg(M_INFO | M_ERRNO, "Opening utun (ioctl(CTLIOCGINFO))"); return -2; } sc.sc_id = ctlInfo.ctl_id; sc.sc_len = sizeof(sc); sc.sc_family = AF_SYSTEM; sc.ss_sysaddr = AF_SYS_CONTROL; sc.sc_unit = utunnum+1; /* If the connect is successful, a utun%d device will be created, where "%d" * is (sc.sc_unit - 1) */ if (connect(fd, (struct sockaddr *)&sc, sizeof(sc)) < 0) { msg(M_INFO | M_ERRNO, "Opening utun (connect(AF_SYS_CONTROL))"); close(fd); return -1; } set_nonblock(fd); set_cloexec(fd); /* don't pass fd to scripts */ return fd; } void open_darwin_utun(const char *dev, const char *dev_type, const char *dev_node, struct tuntap *tt) { struct ctl_info ctlInfo; int fd; char utunname[20]; int utunnum = -1; socklen_t utunname_len = sizeof(utunname); /* dev_node is simply utun, do the normal dynamic utun * otherwise try to parse the utun number */ if (dev_node && (strcmp("utun", dev_node) != 0 )) { if (sscanf(dev_node, "utun%d", &utunnum) != 1) { msg(M_FATAL, "Cannot parse 'dev-node %s' please use 'dev-node utunX'" "to use a utun device number X", dev_node); } } CLEAR(ctlInfo); if (strlcpy(ctlInfo.ctl_name, UTUN_CONTROL_NAME, sizeof(ctlInfo.ctl_name)) >= sizeof(ctlInfo.ctl_name)) { msg(M_ERR, "Opening utun: UTUN_CONTROL_NAME too long"); } /* try to open first available utun device if no specific utun is requested */ if (utunnum == -1) { for (utunnum = 0; utunnum<255; utunnum++) { fd = utun_open_helper(ctlInfo, utunnum); /* Break if the fd is valid, * or if early initalization failed (-2) */ if (fd !=-1) { break; } } } else { fd = utun_open_helper(ctlInfo, utunnum); } /* opening an utun device failed */ tt->fd = fd; if (fd < 0) { return; } /* Retrieve the assigned interface name. */ if (getsockopt(fd, SYSPROTO_CONTROL, UTUN_OPT_IFNAME, utunname, &utunname_len)) { msg(M_ERR | M_ERRNO, "Error retrieving utun interface name"); } tt->actual_name = string_alloc(utunname, NULL); msg(M_INFO, "Opened utun device %s", utunname); tt->is_utun = true; } #endif /* ifdef HAVE_NET_IF_UTUN_H */ void open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tuntap *tt) { #ifdef HAVE_NET_IF_UTUN_H /* If dev_node does not start start with utun assume regular tun/tap */ if ((!dev_node && tt->type==DEV_TYPE_TUN) || (dev_node && !strncmp(dev_node, "utun", 4))) { /* Check if user has specific dev_type tap and forced utun with * dev-node utun */ if (tt->type!=DEV_TYPE_TUN) { msg(M_FATAL, "Cannot use utun devices with --dev-type %s", dev_type_string(dev, dev_type)); } /* Try utun first and fall back to normal tun if utun fails * and dev_node is not specified */ open_darwin_utun(dev, dev_type, dev_node, tt); if (!tt->is_utun) { if (!dev_node) { /* No explicit utun and utun failed, try the generic way) */ msg(M_INFO, "Failed to open utun device. Falling back to /dev/tun device"); open_tun_generic(dev, dev_type, NULL, true, tt); } else { /* Specific utun device or generic utun request with no tun * fall back failed, consider this a fatal failure */ msg(M_FATAL, "Cannot open utun device"); } } } else #endif /* ifdef HAVE_NET_IF_UTUN_H */ { /* Use plain dev-node tun to select /dev/tun style * Unset dev_node variable prior to passing to open_tun_generic to * let open_tun_generic pick the first available tun device */ if (dev_node && strcmp(dev_node, "tun")==0) { dev_node = NULL; } open_tun_generic(dev, dev_type, dev_node, true, tt); } } void close_tun(struct tuntap *tt) { if (tt) { struct gc_arena gc = gc_new(); struct argv argv = argv_new(); if (tt->did_ifconfig_ipv6_setup) { const char *ifconfig_ipv6_local = print_in6_addr(tt->local_ipv6, 0, &gc); argv_printf(&argv, "%s delete -inet6 %s", ROUTE_PATH, ifconfig_ipv6_local ); argv_msg(M_INFO, &argv); openvpn_execve_check(&argv, NULL, 0, "MacOS X 'remove inet6 route' failed (non-critical)"); } close_tun_generic(tt); free(tt); argv_reset(&argv); gc_free(&gc); } } int write_tun(struct tuntap *tt, uint8_t *buf, int len) { #ifdef HAVE_NET_IF_UTUN_H if (tt->is_utun) { return write_tun_header(tt, buf, len); } else #endif return write(tt->fd, buf, len); } int read_tun(struct tuntap *tt, uint8_t *buf, int len) { #ifdef HAVE_NET_IF_UTUN_H if (tt->is_utun) { return read_tun_header(tt, buf, len); } else #endif return read(tt->fd, buf, len); } #elif defined(TARGET_AIX) void open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tuntap *tt) { char tunname[256]; char dynamic_name[20]; const char *p; if (tt->type == DEV_TYPE_NULL) { open_null(tt); return; } if (tt->type == DEV_TYPE_TUN) { msg(M_FATAL, "no support for 'tun' devices on AIX" ); } if (strncmp( dev, "tap", 3 ) != 0 || dev_node) { msg(M_FATAL, "'--dev %s' and/or '--dev-node' not supported on AIX, use '--dev tap0', 'tap1', etc.", dev ); } if (strcmp( dev, "tap" ) == 0) /* find first free tap dev */ { /* (= no /dev/tapN node) */ int i; for (i = 0; i<99; i++) { openvpn_snprintf(tunname, sizeof(tunname), "/dev/tap%d", i); if (access( tunname, F_OK ) < 0 && errno == ENOENT) { break; } } if (i >= 99) { msg( M_FATAL, "cannot find unused tap device" ); } openvpn_snprintf( dynamic_name, sizeof(dynamic_name), "tap%d", i ); dev = dynamic_name; } else /* name given, sanity check */ { /* ensure that dev name is "tap+" *only* */ p = &dev[3]; while (isdigit(*p) ) { p++; } if (*p != '\0') { msg( M_FATAL, "TAP device name must be '--dev tapNNNN'" ); } openvpn_snprintf(tunname, sizeof(tunname), "/dev/%s", dev); } /* pre-existing device? */ if (access( tunname, F_OK ) < 0 && errno == ENOENT) { /* tunnel device must be created with 'ifconfig tapN create' */ struct argv argv = argv_new(); struct env_set *es = env_set_create(NULL); argv_printf(&argv, "%s %s create", IFCONFIG_PATH, dev); argv_msg(M_INFO, &argv); env_set_add( es, "ODMDIR=/etc/objrepos" ); openvpn_execve_check(&argv, es, S_FATAL, "AIX 'create tun interface' failed"); env_set_destroy(es); } else { /* we didn't make it, we're not going to break it */ tt->persistent_if = TRUE; } if ((tt->fd = open(tunname, O_RDWR)) < 0) { msg(M_ERR, "Cannot open TAP device '%s'", tunname); } set_nonblock(tt->fd); set_cloexec(tt->fd); /* don't pass fd to scripts */ msg(M_INFO, "TUN/TAP device %s opened", tunname); /* tt->actual_name is passed to up and down scripts and used as the ifconfig dev name */ tt->actual_name = string_alloc(dev, NULL); } /* tap devices need to be manually destroyed on AIX */ void close_tun(struct tuntap *tt) { struct gc_arena gc = gc_new(); struct argv argv = argv_new(); struct env_set *es = env_set_create(NULL); if (!tt) { return; } /* persistent devices need IP address unconfig, others need destroyal */ if (tt->persistent_if) { argv_printf(&argv, "%s %s 0.0.0.0 down", IFCONFIG_PATH, tt->actual_name); } else { argv_printf(&argv, "%s %s destroy", IFCONFIG_PATH, tt->actual_name); } close_tun_generic(tt); argv_msg(M_INFO, &argv); env_set_add( es, "ODMDIR=/etc/objrepos" ); openvpn_execve_check(&argv, es, 0, "AIX 'destroy tap interface' failed (non-critical)"); free(tt); env_set_destroy(es); } int write_tun(struct tuntap *tt, uint8_t *buf, int len) { return write(tt->fd, buf, len); } int read_tun(struct tuntap *tt, uint8_t *buf, int len) { return read(tt->fd, buf, len); } #elif defined(_WIN32) int tun_read_queue(struct tuntap *tt, int maxsize) { if (tt->reads.iostate == IOSTATE_INITIAL) { DWORD len; BOOL status; int err; /* reset buf to its initial state */ tt->reads.buf = tt->reads.buf_init; len = maxsize ? maxsize : BLEN(&tt->reads.buf); ASSERT(len <= BLEN(&tt->reads.buf)); /* the overlapped read will signal this event on I/O completion */ ASSERT(ResetEvent(tt->reads.overlapped.hEvent)); status = ReadFile( tt->hand, BPTR(&tt->reads.buf), len, &tt->reads.size, &tt->reads.overlapped ); if (status) /* operation completed immediately? */ { /* since we got an immediate return, we must signal the event object ourselves */ ASSERT(SetEvent(tt->reads.overlapped.hEvent)); tt->reads.iostate = IOSTATE_IMMEDIATE_RETURN; tt->reads.status = 0; dmsg(D_WIN32_IO, "WIN32 I/O: TAP Read immediate return [%d,%d]", (int) len, (int) tt->reads.size); } else { err = GetLastError(); if (err == ERROR_IO_PENDING) /* operation queued? */ { tt->reads.iostate = IOSTATE_QUEUED; tt->reads.status = err; dmsg(D_WIN32_IO, "WIN32 I/O: TAP Read queued [%d]", (int) len); } else /* error occurred */ { struct gc_arena gc = gc_new(); ASSERT(SetEvent(tt->reads.overlapped.hEvent)); tt->reads.iostate = IOSTATE_IMMEDIATE_RETURN; tt->reads.status = err; dmsg(D_WIN32_IO, "WIN32 I/O: TAP Read error [%d] : %s", (int) len, strerror_win32(status, &gc)); gc_free(&gc); } } } return tt->reads.iostate; } int tun_write_queue(struct tuntap *tt, struct buffer *buf) { if (tt->writes.iostate == IOSTATE_INITIAL) { BOOL status; int err; /* make a private copy of buf */ tt->writes.buf = tt->writes.buf_init; tt->writes.buf.len = 0; ASSERT(buf_copy(&tt->writes.buf, buf)); /* the overlapped write will signal this event on I/O completion */ ASSERT(ResetEvent(tt->writes.overlapped.hEvent)); status = WriteFile( tt->hand, BPTR(&tt->writes.buf), BLEN(&tt->writes.buf), &tt->writes.size, &tt->writes.overlapped ); if (status) /* operation completed immediately? */ { tt->writes.iostate = IOSTATE_IMMEDIATE_RETURN; /* since we got an immediate return, we must signal the event object ourselves */ ASSERT(SetEvent(tt->writes.overlapped.hEvent)); tt->writes.status = 0; dmsg(D_WIN32_IO, "WIN32 I/O: TAP Write immediate return [%d,%d]", BLEN(&tt->writes.buf), (int) tt->writes.size); } else { err = GetLastError(); if (err == ERROR_IO_PENDING) /* operation queued? */ { tt->writes.iostate = IOSTATE_QUEUED; tt->writes.status = err; dmsg(D_WIN32_IO, "WIN32 I/O: TAP Write queued [%d]", BLEN(&tt->writes.buf)); } else /* error occurred */ { struct gc_arena gc = gc_new(); ASSERT(SetEvent(tt->writes.overlapped.hEvent)); tt->writes.iostate = IOSTATE_IMMEDIATE_RETURN; tt->writes.status = err; dmsg(D_WIN32_IO, "WIN32 I/O: TAP Write error [%d] : %s", BLEN(&tt->writes.buf), strerror_win32(err, &gc)); gc_free(&gc); } } } return tt->writes.iostate; } int tun_finalize( HANDLE h, struct overlapped_io *io, struct buffer *buf) { int ret = -1; BOOL status; switch (io->iostate) { case IOSTATE_QUEUED: status = GetOverlappedResult( h, &io->overlapped, &io->size, FALSE ); if (status) { /* successful return for a queued operation */ if (buf) { *buf = io->buf; } ret = io->size; io->iostate = IOSTATE_INITIAL; ASSERT(ResetEvent(io->overlapped.hEvent)); dmsg(D_WIN32_IO, "WIN32 I/O: TAP Completion success [%d]", ret); } else { /* error during a queued operation */ ret = -1; if (GetLastError() != ERROR_IO_INCOMPLETE) { /* if no error (i.e. just not finished yet), * then DON'T execute this code */ io->iostate = IOSTATE_INITIAL; ASSERT(ResetEvent(io->overlapped.hEvent)); msg(D_WIN32_IO | M_ERRNO, "WIN32 I/O: TAP Completion error"); } } break; case IOSTATE_IMMEDIATE_RETURN: io->iostate = IOSTATE_INITIAL; ASSERT(ResetEvent(io->overlapped.hEvent)); if (io->status) { /* error return for a non-queued operation */ SetLastError(io->status); ret = -1; msg(D_WIN32_IO | M_ERRNO, "WIN32 I/O: TAP Completion non-queued error"); } else { /* successful return for a non-queued operation */ if (buf) { *buf = io->buf; } ret = io->size; dmsg(D_WIN32_IO, "WIN32 I/O: TAP Completion non-queued success [%d]", ret); } break; case IOSTATE_INITIAL: /* were we called without proper queueing? */ SetLastError(ERROR_INVALID_FUNCTION); ret = -1; dmsg(D_WIN32_IO, "WIN32 I/O: TAP Completion BAD STATE"); break; default: ASSERT(0); } if (buf) { buf->len = ret; } return ret; } const struct tap_reg * get_tap_reg(struct gc_arena *gc) { HKEY adapter_key; LONG status; DWORD len; struct tap_reg *first = NULL; struct tap_reg *last = NULL; int i = 0; status = RegOpenKeyEx( HKEY_LOCAL_MACHINE, ADAPTER_KEY, 0, KEY_READ, &adapter_key); if (status != ERROR_SUCCESS) { msg(M_FATAL, "Error opening registry key: %s", ADAPTER_KEY); } while (true) { char enum_name[256]; char unit_string[256]; HKEY unit_key; char component_id_string[] = "ComponentId"; char component_id[256]; char net_cfg_instance_id_string[] = "NetCfgInstanceId"; char net_cfg_instance_id[256]; DWORD data_type; len = sizeof(enum_name); status = RegEnumKeyEx( adapter_key, i, enum_name, &len, NULL, NULL, NULL, NULL); if (status == ERROR_NO_MORE_ITEMS) { break; } else if (status != ERROR_SUCCESS) { msg(M_FATAL, "Error enumerating registry subkeys of key: %s", ADAPTER_KEY); } openvpn_snprintf(unit_string, sizeof(unit_string), "%s\\%s", ADAPTER_KEY, enum_name); status = RegOpenKeyEx( HKEY_LOCAL_MACHINE, unit_string, 0, KEY_READ, &unit_key); if (status != ERROR_SUCCESS) { dmsg(D_REGISTRY, "Error opening registry key: %s", unit_string); } else { len = sizeof(component_id); status = RegQueryValueEx( unit_key, component_id_string, NULL, &data_type, component_id, &len); if (status != ERROR_SUCCESS || data_type != REG_SZ) { dmsg(D_REGISTRY, "Error opening registry key: %s\\%s", unit_string, component_id_string); } else { len = sizeof(net_cfg_instance_id); status = RegQueryValueEx( unit_key, net_cfg_instance_id_string, NULL, &data_type, net_cfg_instance_id, &len); if (status == ERROR_SUCCESS && data_type == REG_SZ) { if (!strcmp(component_id, TAP_WIN_COMPONENT_ID)) { struct tap_reg *reg; ALLOC_OBJ_CLEAR_GC(reg, struct tap_reg, gc); reg->guid = string_alloc(net_cfg_instance_id, gc); /* link into return list */ if (!first) { first = reg; } if (last) { last->next = reg; } last = reg; } } } RegCloseKey(unit_key); } ++i; } RegCloseKey(adapter_key); return first; } const struct panel_reg * get_panel_reg(struct gc_arena *gc) { LONG status; HKEY network_connections_key; DWORD len; struct panel_reg *first = NULL; struct panel_reg *last = NULL; int i = 0; status = RegOpenKeyEx( HKEY_LOCAL_MACHINE, NETWORK_CONNECTIONS_KEY, 0, KEY_READ, &network_connections_key); if (status != ERROR_SUCCESS) { msg(M_FATAL, "Error opening registry key: %s", NETWORK_CONNECTIONS_KEY); } while (true) { char enum_name[256]; char connection_string[256]; HKEY connection_key; WCHAR name_data[256]; DWORD name_type; const WCHAR name_string[] = L"Name"; len = sizeof(enum_name); status = RegEnumKeyEx( network_connections_key, i, enum_name, &len, NULL, NULL, NULL, NULL); if (status == ERROR_NO_MORE_ITEMS) { break; } else if (status != ERROR_SUCCESS) { msg(M_FATAL, "Error enumerating registry subkeys of key: %s", NETWORK_CONNECTIONS_KEY); } openvpn_snprintf(connection_string, sizeof(connection_string), "%s\\%s\\Connection", NETWORK_CONNECTIONS_KEY, enum_name); status = RegOpenKeyEx( HKEY_LOCAL_MACHINE, connection_string, 0, KEY_READ, &connection_key); if (status != ERROR_SUCCESS) { dmsg(D_REGISTRY, "Error opening registry key: %s", connection_string); } else { len = sizeof(name_data); status = RegQueryValueExW( connection_key, name_string, NULL, &name_type, (LPBYTE) name_data, &len); if (status != ERROR_SUCCESS || name_type != REG_SZ) { dmsg(D_REGISTRY, "Error opening registry key: %s\\%s\\%s", NETWORK_CONNECTIONS_KEY, connection_string, name_string); } else { int n; LPSTR name; struct panel_reg *reg; ALLOC_OBJ_CLEAR_GC(reg, struct panel_reg, gc); n = WideCharToMultiByte(CP_UTF8, 0, name_data, -1, NULL, 0, NULL, NULL); name = gc_malloc(n, false, gc); WideCharToMultiByte(CP_UTF8, 0, name_data, -1, name, n, NULL, NULL); reg->name = name; reg->guid = string_alloc(enum_name, gc); /* link into return list */ if (!first) { first = reg; } if (last) { last->next = reg; } last = reg; } RegCloseKey(connection_key); } ++i; } RegCloseKey(network_connections_key); return first; } /* * Check that two addresses are part of the same 255.255.255.252 subnet. */ void verify_255_255_255_252(in_addr_t local, in_addr_t remote) { struct gc_arena gc = gc_new(); const unsigned int mask = 3; const char *err = NULL; if (local == remote) { err = "must be different"; goto error; } if ((local & (~mask)) != (remote & (~mask))) { err = "must exist within the same 255.255.255.252 subnet. This is a limitation of --dev tun when used with the TAP-WIN32 driver"; goto error; } if ((local & mask) == 0 || (local & mask) == 3 || (remote & mask) == 0 || (remote & mask) == 3) { err = "cannot use the first or last address within a given 255.255.255.252 subnet. This is a limitation of --dev tun when used with the TAP-WIN32 driver"; goto error; } gc_free(&gc); return; error: msg(M_FATAL, "There is a problem in your selection of --ifconfig endpoints [local=%s, remote=%s]. The local and remote VPN endpoints %s. Try '" PACKAGE " --show-valid-subnets' option for more info.", print_in_addr_t(local, 0, &gc), print_in_addr_t(remote, 0, &gc), err); gc_free(&gc); } void show_valid_win32_tun_subnets(void) { int i; int col = 0; printf("On Windows, point-to-point IP support (i.e. --dev tun)\n"); printf("is emulated by the TAP-Windows driver. The major limitation\n"); printf("imposed by this approach is that the --ifconfig local and\n"); printf("remote endpoints must be part of the same 255.255.255.252\n"); printf("subnet. The following list shows examples of endpoint\n"); printf("pairs which satisfy this requirement. Only the final\n"); printf("component of the IP address pairs is at issue.\n\n"); printf("As an example, the following option would be correct:\n"); printf(" --ifconfig 10.7.0.5 10.7.0.6 (on host A)\n"); printf(" --ifconfig 10.7.0.6 10.7.0.5 (on host B)\n"); printf("because [5,6] is part of the below list.\n\n"); for (i = 0; i < 256; i += 4) { printf("[%3d,%3d] ", i+1, i+2); if (++col > 4) { col = 0; printf("\n"); } } if (col) { printf("\n"); } } void show_tap_win_adapters(int msglev, int warnlev) { struct gc_arena gc = gc_new(); bool warn_panel_null = false; bool warn_panel_dup = false; bool warn_tap_dup = false; int links; const struct tap_reg *tr; const struct tap_reg *tr1; const struct panel_reg *pr; const struct tap_reg *tap_reg = get_tap_reg(&gc); const struct panel_reg *panel_reg = get_panel_reg(&gc); msg(msglev, "Available TAP-WIN32 adapters [name, GUID]:"); /* loop through each TAP-Windows adapter registry entry */ for (tr = tap_reg; tr != NULL; tr = tr->next) { links = 0; /* loop through each network connections entry in the control panel */ for (pr = panel_reg; pr != NULL; pr = pr->next) { if (!strcmp(tr->guid, pr->guid)) { msg(msglev, "'%s' %s", pr->name, tr->guid); ++links; } } if (links > 1) { warn_panel_dup = true; } else if (links == 0) { /* a TAP adapter exists without a link from the network * connections control panel */ warn_panel_null = true; msg(msglev, "[NULL] %s", tr->guid); } } /* check for TAP-Windows adapter duplicated GUIDs */ for (tr = tap_reg; tr != NULL; tr = tr->next) { for (tr1 = tap_reg; tr1 != NULL; tr1 = tr1->next) { if (tr != tr1 && !strcmp(tr->guid, tr1->guid)) { warn_tap_dup = true; } } } /* warn on registry inconsistencies */ if (warn_tap_dup) { msg(warnlev, "WARNING: Some TAP-Windows adapters have duplicate GUIDs"); } if (warn_panel_dup) { msg(warnlev, "WARNING: Some TAP-Windows adapters have duplicate links from the Network Connections control panel"); } if (warn_panel_null) { msg(warnlev, "WARNING: Some TAP-Windows adapters have no link from the Network Connections control panel"); } gc_free(&gc); } /* * Confirm that GUID is a TAP-Windows adapter. */ static bool is_tap_win(const char *guid, const struct tap_reg *tap_reg) { const struct tap_reg *tr; for (tr = tap_reg; tr != NULL; tr = tr->next) { if (guid && !strcmp(tr->guid, guid)) { return true; } } return false; } static const char * guid_to_name(const char *guid, const struct panel_reg *panel_reg) { const struct panel_reg *pr; for (pr = panel_reg; pr != NULL; pr = pr->next) { if (guid && !strcmp(pr->guid, guid)) { return pr->name; } } return NULL; } static const char * name_to_guid(const char *name, const struct tap_reg *tap_reg, const struct panel_reg *panel_reg) { const struct panel_reg *pr; for (pr = panel_reg; pr != NULL; pr = pr->next) { if (name && !strcmp(pr->name, name) && is_tap_win(pr->guid, tap_reg)) { return pr->guid; } } return NULL; } static void at_least_one_tap_win(const struct tap_reg *tap_reg) { if (!tap_reg) { msg(M_FATAL, "There are no TAP-Windows adapters on this system. You should be able to create a TAP-Windows adapter by going to Start -> All Programs -> TAP-Windows -> Utilities -> Add a new TAP-Windows virtual ethernet adapter."); } } /* * Get an adapter GUID and optional actual_name from the * registry for the TAP device # = device_number. */ static const char * get_unspecified_device_guid(const int device_number, char *actual_name, int actual_name_size, const struct tap_reg *tap_reg_src, const struct panel_reg *panel_reg_src, struct gc_arena *gc) { const struct tap_reg *tap_reg = tap_reg_src; struct buffer ret = clear_buf(); struct buffer actual = clear_buf(); int i; ASSERT(device_number >= 0); /* Make sure we have at least one TAP adapter */ if (!tap_reg) { return NULL; } /* The actual_name output buffer may be NULL */ if (actual_name) { ASSERT(actual_name_size > 0); buf_set_write(&actual, actual_name, actual_name_size); } /* Move on to specified device number */ for (i = 0; i < device_number; i++) { tap_reg = tap_reg->next; if (!tap_reg) { return NULL; } } /* Save Network Panel name (if exists) in actual_name */ if (actual_name) { const char *act = guid_to_name(tap_reg->guid, panel_reg_src); if (act) { buf_printf(&actual, "%s", act); } else { buf_printf(&actual, "%s", tap_reg->guid); } } /* Save GUID for return value */ ret = alloc_buf_gc(256, gc); buf_printf(&ret, "%s", tap_reg->guid); return BSTR(&ret); } /* * Lookup a --dev-node adapter name in the registry * returning the GUID and optional actual_name. */ static const char * get_device_guid(const char *name, char *actual_name, int actual_name_size, const struct tap_reg *tap_reg, const struct panel_reg *panel_reg, struct gc_arena *gc) { struct buffer ret = alloc_buf_gc(256, gc); struct buffer actual = clear_buf(); /* Make sure we have at least one TAP adapter */ if (!tap_reg) { return NULL; } /* The actual_name output buffer may be NULL */ if (actual_name) { ASSERT(actual_name_size > 0); buf_set_write(&actual, actual_name, actual_name_size); } /* Check if GUID was explicitly specified as --dev-node parameter */ if (is_tap_win(name, tap_reg)) { const char *act = guid_to_name(name, panel_reg); buf_printf(&ret, "%s", name); if (act) { buf_printf(&actual, "%s", act); } else { buf_printf(&actual, "%s", name); } return BSTR(&ret); } /* Lookup TAP adapter in network connections list */ { const char *guid = name_to_guid(name, tap_reg, panel_reg); if (guid) { buf_printf(&actual, "%s", name); buf_printf(&ret, "%s", guid); return BSTR(&ret); } } return NULL; } /* * Get adapter info list */ const IP_ADAPTER_INFO * get_adapter_info_list(struct gc_arena *gc) { ULONG size = 0; IP_ADAPTER_INFO *pi = NULL; DWORD status; if ((status = GetAdaptersInfo(NULL, &size)) != ERROR_BUFFER_OVERFLOW) { msg(M_INFO, "GetAdaptersInfo #1 failed (status=%u) : %s", (unsigned int)status, strerror_win32(status, gc)); } else { pi = (PIP_ADAPTER_INFO) gc_malloc(size, false, gc); if ((status = GetAdaptersInfo(pi, &size)) == NO_ERROR) { return pi; } else { msg(M_INFO, "GetAdaptersInfo #2 failed (status=%u) : %s", (unsigned int)status, strerror_win32(status, gc)); } } return pi; } const IP_PER_ADAPTER_INFO * get_per_adapter_info(const DWORD index, struct gc_arena *gc) { ULONG size = 0; IP_PER_ADAPTER_INFO *pi = NULL; DWORD status; if (index != TUN_ADAPTER_INDEX_INVALID) { if ((status = GetPerAdapterInfo(index, NULL, &size)) != ERROR_BUFFER_OVERFLOW) { msg(M_INFO, "GetPerAdapterInfo #1 failed (status=%u) : %s", (unsigned int)status, strerror_win32(status, gc)); } else { pi = (PIP_PER_ADAPTER_INFO) gc_malloc(size, false, gc); if ((status = GetPerAdapterInfo((ULONG)index, pi, &size)) == ERROR_SUCCESS) { return pi; } else { msg(M_INFO, "GetPerAdapterInfo #2 failed (status=%u) : %s", (unsigned int)status, strerror_win32(status, gc)); } } } return pi; } static const IP_INTERFACE_INFO * get_interface_info_list(struct gc_arena *gc) { ULONG size = 0; IP_INTERFACE_INFO *ii = NULL; DWORD status; if ((status = GetInterfaceInfo(NULL, &size)) != ERROR_INSUFFICIENT_BUFFER) { msg(M_INFO, "GetInterfaceInfo #1 failed (status=%u) : %s", (unsigned int)status, strerror_win32(status, gc)); } else { ii = (PIP_INTERFACE_INFO) gc_malloc(size, false, gc); if ((status = GetInterfaceInfo(ii, &size)) == NO_ERROR) { return ii; } else { msg(M_INFO, "GetInterfaceInfo #2 failed (status=%u) : %s", (unsigned int)status, strerror_win32(status, gc)); } } return ii; } static const IP_ADAPTER_INDEX_MAP * get_interface_info(DWORD index, struct gc_arena *gc) { const IP_INTERFACE_INFO *list = get_interface_info_list(gc); if (list) { int i; for (i = 0; i < list->NumAdapters; ++i) { const IP_ADAPTER_INDEX_MAP *inter = &list->Adapter[i]; if (index == inter->Index) { return inter; } } } return NULL; } /* * Given an adapter index, return a pointer to the * IP_ADAPTER_INFO structure for that adapter. */ const IP_ADAPTER_INFO * get_adapter(const IP_ADAPTER_INFO *ai, DWORD index) { if (ai && index != TUN_ADAPTER_INDEX_INVALID) { const IP_ADAPTER_INFO *a; /* find index in the linked list */ for (a = ai; a != NULL; a = a->Next) { if (a->Index == index) { return a; } } } return NULL; } const IP_ADAPTER_INFO * get_adapter_info(DWORD index, struct gc_arena *gc) { return get_adapter(get_adapter_info_list(gc), index); } static int get_adapter_n_ip_netmask(const IP_ADAPTER_INFO *ai) { if (ai) { int n = 0; const IP_ADDR_STRING *ip = &ai->IpAddressList; while (ip) { ++n; ip = ip->Next; } return n; } else { return 0; } } static bool get_adapter_ip_netmask(const IP_ADAPTER_INFO *ai, const int n, in_addr_t *ip, in_addr_t *netmask) { bool ret = false; *ip = 0; *netmask = 0; if (ai) { const IP_ADDR_STRING *iplist = &ai->IpAddressList; int i = 0; while (iplist) { if (i == n) { break; } ++i; iplist = iplist->Next; } if (iplist) { const unsigned int getaddr_flags = GETADDR_HOST_ORDER; const char *ip_str = iplist->IpAddress.String; const char *netmask_str = iplist->IpMask.String; bool succeed1 = false; bool succeed2 = false; if (ip_str && netmask_str && strlen(ip_str) && strlen(netmask_str)) { *ip = getaddr(getaddr_flags, ip_str, 0, &succeed1, NULL); *netmask = getaddr(getaddr_flags, netmask_str, 0, &succeed2, NULL); ret = (succeed1 == true && succeed2 == true); } } } return ret; } static bool test_adapter_ip_netmask(const IP_ADAPTER_INFO *ai, const in_addr_t ip, const in_addr_t netmask) { if (ai) { in_addr_t ip_adapter = 0; in_addr_t netmask_adapter = 0; const bool status = get_adapter_ip_netmask(ai, 0, &ip_adapter, &netmask_adapter); return (status && ip_adapter == ip && netmask_adapter == netmask); } else { return false; } } const IP_ADAPTER_INFO * get_tun_adapter(const struct tuntap *tt, const IP_ADAPTER_INFO *list) { if (list && tt) { return get_adapter(list, tt->adapter_index); } else { return NULL; } } bool is_adapter_up(const struct tuntap *tt, const IP_ADAPTER_INFO *list) { int i; bool ret = false; const IP_ADAPTER_INFO *ai = get_tun_adapter(tt, list); if (ai) { const int n = get_adapter_n_ip_netmask(ai); /* loop once for every IP/netmask assigned to adapter */ for (i = 0; i < n; ++i) { in_addr_t ip, netmask; if (get_adapter_ip_netmask(ai, i, &ip, &netmask)) { if (tt->local && tt->adapter_netmask) { /* wait for our --ifconfig parms to match the actual adapter parms */ if (tt->local == ip && tt->adapter_netmask == netmask) { ret = true; } } else { /* --ifconfig was not defined, maybe using a real DHCP server */ if (ip && netmask) { ret = true; } } } } } else { ret = true; /* this can occur when TAP adapter is bridged */ } return ret; } bool is_ip_in_adapter_subnet(const IP_ADAPTER_INFO *ai, const in_addr_t ip, in_addr_t *highest_netmask) { int i; bool ret = false; if (highest_netmask) { *highest_netmask = 0; } if (ai) { const int n = get_adapter_n_ip_netmask(ai); for (i = 0; i < n; ++i) { in_addr_t adapter_ip, adapter_netmask; if (get_adapter_ip_netmask(ai, i, &adapter_ip, &adapter_netmask)) { if (adapter_ip && adapter_netmask && (ip & adapter_netmask) == (adapter_ip & adapter_netmask)) { if (highest_netmask && adapter_netmask > *highest_netmask) { *highest_netmask = adapter_netmask; } ret = true; } } } } return ret; } DWORD adapter_index_of_ip(const IP_ADAPTER_INFO *list, const in_addr_t ip, int *count, in_addr_t *netmask) { struct gc_arena gc = gc_new(); DWORD ret = TUN_ADAPTER_INDEX_INVALID; in_addr_t highest_netmask = 0; bool first = true; if (count) { *count = 0; } while (list) { in_addr_t hn; if (is_ip_in_adapter_subnet(list, ip, &hn)) { if (first || hn > highest_netmask) { highest_netmask = hn; if (count) { *count = 1; } ret = list->Index; first = false; } else if (hn == highest_netmask) { if (count) { ++*count; } } } list = list->Next; } dmsg(D_ROUTE_DEBUG, "DEBUG: IP Locate: ip=%s nm=%s index=%d count=%d", print_in_addr_t(ip, 0, &gc), print_in_addr_t(highest_netmask, 0, &gc), (int)ret, count ? *count : -1); if (ret == TUN_ADAPTER_INDEX_INVALID && count) { *count = 0; } if (netmask) { *netmask = highest_netmask; } gc_free(&gc); return ret; } /* * Given an adapter index, return true if the adapter * is DHCP disabled. */ #define DHCP_STATUS_UNDEF 0 #define DHCP_STATUS_ENABLED 1 #define DHCP_STATUS_DISABLED 2 static int dhcp_status(DWORD index) { struct gc_arena gc = gc_new(); int ret = DHCP_STATUS_UNDEF; if (index != TUN_ADAPTER_INDEX_INVALID) { const IP_ADAPTER_INFO *ai = get_adapter_info(index, &gc); if (ai) { if (ai->DhcpEnabled) { ret = DHCP_STATUS_ENABLED; } else { ret = DHCP_STATUS_DISABLED; } } } gc_free(&gc); return ret; } /* * Delete all temporary address/netmask pairs which were added * to adapter (given by index) by previous calls to AddIPAddress. */ static void delete_temp_addresses(DWORD index) { struct gc_arena gc = gc_new(); const IP_ADAPTER_INFO *a = get_adapter_info(index, &gc); if (a) { const IP_ADDR_STRING *ip = &a->IpAddressList; while (ip) { DWORD status; const DWORD context = ip->Context; if ((status = DeleteIPAddress((ULONG) context)) == NO_ERROR) { msg(M_INFO, "Successfully deleted previously set dynamic IP/netmask: %s/%s", ip->IpAddress.String, ip->IpMask.String); } else { const char *empty = "0.0.0.0"; if (strcmp(ip->IpAddress.String, empty) || strcmp(ip->IpMask.String, empty)) { msg(M_INFO, "NOTE: could not delete previously set dynamic IP/netmask: %s/%s (status=%u)", ip->IpAddress.String, ip->IpMask.String, (unsigned int)status); } } ip = ip->Next; } } gc_free(&gc); } /* * Get interface index for use with IP Helper API functions. */ static DWORD get_adapter_index_method_1(const char *guid) { DWORD index; ULONG aindex; wchar_t wbuf[256]; _snwprintf(wbuf, SIZE(wbuf), L"\\DEVICE\\TCPIP_%S", guid); wbuf [SIZE(wbuf) - 1] = 0; if (GetAdapterIndex(wbuf, &aindex) != NO_ERROR) { index = TUN_ADAPTER_INDEX_INVALID; } else { index = (DWORD)aindex; } return index; } static DWORD get_adapter_index_method_2(const char *guid) { struct gc_arena gc = gc_new(); DWORD index = TUN_ADAPTER_INDEX_INVALID; const IP_ADAPTER_INFO *list = get_adapter_info_list(&gc); while (list) { if (!strcmp(guid, list->AdapterName)) { index = list->Index; break; } list = list->Next; } gc_free(&gc); return index; } static DWORD get_adapter_index(const char *guid) { DWORD index; index = get_adapter_index_method_1(guid); if (index == TUN_ADAPTER_INDEX_INVALID) { index = get_adapter_index_method_2(guid); } if (index == TUN_ADAPTER_INDEX_INVALID) { msg(M_INFO, "NOTE: could not get adapter index for %s", guid); } return index; } static DWORD get_adapter_index_flexible(const char *name) /* actual name or GUID */ { struct gc_arena gc = gc_new(); DWORD index; index = get_adapter_index_method_1(name); if (index == TUN_ADAPTER_INDEX_INVALID) { index = get_adapter_index_method_2(name); } if (index == TUN_ADAPTER_INDEX_INVALID) { const struct tap_reg *tap_reg = get_tap_reg(&gc); const struct panel_reg *panel_reg = get_panel_reg(&gc); const char *guid = name_to_guid(name, tap_reg, panel_reg); index = get_adapter_index_method_1(guid); if (index == TUN_ADAPTER_INDEX_INVALID) { index = get_adapter_index_method_2(guid); } } if (index == TUN_ADAPTER_INDEX_INVALID) { msg(M_INFO, "NOTE: could not get adapter index for name/GUID '%s'", name); } gc_free(&gc); return index; } /* * Return a string representing a PIP_ADDR_STRING */ static const char * format_ip_addr_string(const IP_ADDR_STRING *ip, struct gc_arena *gc) { struct buffer out = alloc_buf_gc(256, gc); while (ip) { buf_printf(&out, "%s", ip->IpAddress.String); if (strlen(ip->IpMask.String)) { buf_printf(&out, "/"); buf_printf(&out, "%s", ip->IpMask.String); } buf_printf(&out, " "); ip = ip->Next; } return BSTR(&out); } /* * Show info for a single adapter */ static void show_adapter(int msglev, const IP_ADAPTER_INFO *a, struct gc_arena *gc) { msg(msglev, "%s", a->Description); msg(msglev, " Index = %d", (int)a->Index); msg(msglev, " GUID = %s", a->AdapterName); msg(msglev, " IP = %s", format_ip_addr_string(&a->IpAddressList, gc)); msg(msglev, " MAC = %s", format_hex_ex(a->Address, a->AddressLength, 0, 1, ":", gc)); msg(msglev, " GATEWAY = %s", format_ip_addr_string(&a->GatewayList, gc)); if (a->DhcpEnabled) { msg(msglev, " DHCP SERV = %s", format_ip_addr_string(&a->DhcpServer, gc)); msg(msglev, " DHCP LEASE OBTAINED = %s", time_string(a->LeaseObtained, 0, false, gc)); msg(msglev, " DHCP LEASE EXPIRES = %s", time_string(a->LeaseExpires, 0, false, gc)); } if (a->HaveWins) { msg(msglev, " PRI WINS = %s", format_ip_addr_string(&a->PrimaryWinsServer, gc)); msg(msglev, " SEC WINS = %s", format_ip_addr_string(&a->SecondaryWinsServer, gc)); } { const IP_PER_ADAPTER_INFO *pai = get_per_adapter_info(a->Index, gc); if (pai) { msg(msglev, " DNS SERV = %s", format_ip_addr_string(&pai->DnsServerList, gc)); } } } /* * Show current adapter list */ void show_adapters(int msglev) { struct gc_arena gc = gc_new(); const IP_ADAPTER_INFO *ai = get_adapter_info_list(&gc); msg(msglev, "SYSTEM ADAPTER LIST"); if (ai) { const IP_ADAPTER_INFO *a; /* find index in the linked list */ for (a = ai; a != NULL; a = a->Next) { show_adapter(msglev, a, &gc); } } gc_free(&gc); } /* * Set a particular TAP-Windows adapter (or all of them if * adapter_name == NULL) to allow it to be opened from * a non-admin account. This setting will only persist * for the lifetime of the device object. */ static void tap_allow_nonadmin_access_handle(const char *device_path, HANDLE hand) { struct security_attributes sa; BOOL status; if (!init_security_attributes_allow_all(&sa)) { msg(M_ERR, "Error: init SA failed"); } status = SetKernelObjectSecurity(hand, DACL_SECURITY_INFORMATION, &sa.sd); if (!status) { msg(M_ERRNO, "Error: SetKernelObjectSecurity failed on %s", device_path); } else { msg(M_INFO|M_NOPREFIX, "TAP-Windows device: %s [Non-admin access allowed]", device_path); } } void tap_allow_nonadmin_access(const char *dev_node) { struct gc_arena gc = gc_new(); const struct tap_reg *tap_reg = get_tap_reg(&gc); const struct panel_reg *panel_reg = get_panel_reg(&gc); const char *device_guid = NULL; HANDLE hand; char actual_buffer[256]; char device_path[256]; at_least_one_tap_win(tap_reg); if (dev_node) { /* Get the device GUID for the device specified with --dev-node. */ device_guid = get_device_guid(dev_node, actual_buffer, sizeof(actual_buffer), tap_reg, panel_reg, &gc); if (!device_guid) { msg(M_FATAL, "TAP-Windows adapter '%s' not found", dev_node); } /* Open Windows TAP-Windows adapter */ openvpn_snprintf(device_path, sizeof(device_path), "%s%s%s", USERMODEDEVICEDIR, device_guid, TAP_WIN_SUFFIX); hand = CreateFile( device_path, MAXIMUM_ALLOWED, 0, /* was: FILE_SHARE_READ */ 0, OPEN_EXISTING, FILE_ATTRIBUTE_SYSTEM | FILE_FLAG_OVERLAPPED, 0 ); if (hand == INVALID_HANDLE_VALUE) { msg(M_ERR, "CreateFile failed on TAP device: %s", device_path); } tap_allow_nonadmin_access_handle(device_path, hand); CloseHandle(hand); } else { int device_number = 0; /* Try opening all TAP devices */ while (true) { device_guid = get_unspecified_device_guid(device_number, actual_buffer, sizeof(actual_buffer), tap_reg, panel_reg, &gc); if (!device_guid) { break; } /* Open Windows TAP-Windows adapter */ openvpn_snprintf(device_path, sizeof(device_path), "%s%s%s", USERMODEDEVICEDIR, device_guid, TAP_WIN_SUFFIX); hand = CreateFile( device_path, MAXIMUM_ALLOWED, 0, /* was: FILE_SHARE_READ */ 0, OPEN_EXISTING, FILE_ATTRIBUTE_SYSTEM | FILE_FLAG_OVERLAPPED, 0 ); if (hand == INVALID_HANDLE_VALUE) { msg(M_WARN, "CreateFile failed on TAP device: %s", device_path); } else { tap_allow_nonadmin_access_handle(device_path, hand); CloseHandle(hand); } device_number++; } } gc_free(&gc); } /* * DHCP release/renewal */ bool dhcp_release_by_adapter_index(const DWORD adapter_index) { struct gc_arena gc = gc_new(); bool ret = false; const IP_ADAPTER_INDEX_MAP *inter = get_interface_info(adapter_index, &gc); if (inter) { DWORD status = IpReleaseAddress((IP_ADAPTER_INDEX_MAP *)inter); if (status == NO_ERROR) { msg(D_TUNTAP_INFO, "TAP: DHCP address released"); ret = true; } else { msg(M_WARN, "NOTE: Release of DHCP-assigned IP address lease on TAP-Windows adapter failed: %s (code=%u)", strerror_win32(status, &gc), (unsigned int)status); } } gc_free(&gc); return ret; } static bool dhcp_release(const struct tuntap *tt) { if (tt && tt->options.ip_win32_type == IPW32_SET_DHCP_MASQ && tt->adapter_index != TUN_ADAPTER_INDEX_INVALID) { return dhcp_release_by_adapter_index(tt->adapter_index); } else { return false; } } bool dhcp_renew_by_adapter_index(const DWORD adapter_index) { struct gc_arena gc = gc_new(); bool ret = false; const IP_ADAPTER_INDEX_MAP *inter = get_interface_info(adapter_index, &gc); if (inter) { DWORD status = IpRenewAddress((IP_ADAPTER_INDEX_MAP *)inter); if (status == NO_ERROR) { msg(D_TUNTAP_INFO, "TAP: DHCP address renewal succeeded"); ret = true; } else { msg(M_WARN, "WARNING: Failed to renew DHCP IP address lease on TAP-Windows adapter: %s (code=%u)", strerror_win32(status, &gc), (unsigned int)status); } } gc_free(&gc); return ret; } static bool dhcp_renew(const struct tuntap *tt) { if (tt && tt->options.ip_win32_type == IPW32_SET_DHCP_MASQ && tt->adapter_index != TUN_ADAPTER_INDEX_INVALID) { return dhcp_renew_by_adapter_index(tt->adapter_index); } else { return false; } } /* * netsh functions */ static void netsh_command(const struct argv *a, int n, int msglevel) { int i; for (i = 0; i < n; ++i) { bool status; management_sleep(1); netcmd_semaphore_lock(); argv_msg_prefix(M_INFO, a, "NETSH"); status = openvpn_execve_check(a, NULL, 0, "ERROR: netsh command failed"); netcmd_semaphore_release(); if (status) { return; } management_sleep(4); } msg(msglevel, "NETSH: command failed"); } void ipconfig_register_dns(const struct env_set *es) { struct argv argv = argv_new(); bool status; const char err[] = "ERROR: Windows ipconfig command failed"; msg(D_TUNTAP_INFO, "Start ipconfig commands for register-dns..."); netcmd_semaphore_lock(); argv_printf(&argv, "%s%sc /flushdns", get_win_sys_path(), WIN_IPCONFIG_PATH_SUFFIX); argv_msg(D_TUNTAP_INFO, &argv); status = openvpn_execve_check(&argv, es, 0, err); argv_reset(&argv); argv_printf(&argv, "%s%sc /registerdns", get_win_sys_path(), WIN_IPCONFIG_PATH_SUFFIX); argv_msg(D_TUNTAP_INFO, &argv); status = openvpn_execve_check(&argv, es, 0, err); argv_reset(&argv); netcmd_semaphore_release(); msg(D_TUNTAP_INFO, "End ipconfig commands for register-dns..."); } void ip_addr_string_to_array(in_addr_t *dest, int *dest_len, const IP_ADDR_STRING *src) { int i = 0; while (src) { const unsigned int getaddr_flags = GETADDR_HOST_ORDER; const char *ip_str = src->IpAddress.String; in_addr_t ip = 0; bool succeed = false; if (i >= *dest_len) { break; } if (!ip_str || !strlen(ip_str)) { break; } ip = getaddr(getaddr_flags, ip_str, 0, &succeed, NULL); if (!succeed) { break; } dest[i++] = ip; src = src->Next; } *dest_len = i; #if 0 { struct gc_arena gc = gc_new(); msg(M_INFO, "ip_addr_string_to_array [%d]", *dest_len); for (i = 0; i < *dest_len; ++i) { msg(M_INFO, "%s", print_in_addr_t(dest[i], 0, &gc)); } gc_free(&gc); } #endif } static bool ip_addr_one_to_one(const in_addr_t *a1, const int a1len, const IP_ADDR_STRING *ias) { in_addr_t a2[8]; int a2len = SIZE(a2); int i; ip_addr_string_to_array(a2, &a2len, ias); /*msg (M_INFO, "a1len=%d a2len=%d", a1len, a2len);*/ if (a1len != a2len) { return false; } for (i = 0; i < a1len; ++i) { if (a1[i] != a2[i]) { return false; } } return true; } static bool ip_addr_member_of(const in_addr_t addr, const IP_ADDR_STRING *ias) { in_addr_t aa[8]; int len = SIZE(aa); int i; ip_addr_string_to_array(aa, &len, ias); for (i = 0; i < len; ++i) { if (addr == aa[i]) { return true; } } return false; } /** * Set the ipv6 dns servers on the specified interface. * The list of dns servers currently set on the interface * are cleared first. * No action is taken if number of addresses (addr_len) < 1. */ static void netsh_set_dns6_servers(const struct in6_addr *addr_list, const int addr_len, const char *flex_name) { struct gc_arena gc = gc_new(); struct argv argv = argv_new(); for (int i = 0; i < addr_len; ++i) { const char *fmt = (i == 0) ? "%s%sc interface ipv6 set dns %s static %s" : "%s%sc interface ipv6 add dns %s %s"; argv_printf(&argv, fmt, get_win_sys_path(), NETSH_PATH_SUFFIX, flex_name, print_in6_addr(addr_list[i], 0, &gc)); /* disable slow address validation on Windows 7 and higher */ if (win32_version_info() >= WIN_7) { argv_printf_cat(&argv, "%s", "validate=no"); } /* Treat errors while adding as non-fatal as we do not check for duplicates */ netsh_command(&argv, 1, (i==0) ? M_FATAL : M_NONFATAL); } argv_reset(&argv); gc_free(&gc); } static void netsh_ifconfig_options(const char *type, const in_addr_t *addr_list, const int addr_len, const IP_ADDR_STRING *current, const char *flex_name, const bool test_first) { struct gc_arena gc = gc_new(); struct argv argv = argv_new(); bool delete_first = false; /* first check if we should delete existing DNS/WINS settings from TAP interface */ if (test_first) { if (!ip_addr_one_to_one(addr_list, addr_len, current)) { delete_first = true; } } else { delete_first = true; } /* delete existing DNS/WINS settings from TAP interface */ if (delete_first) { argv_printf(&argv, "%s%sc interface ip delete %s %s all", get_win_sys_path(), NETSH_PATH_SUFFIX, type, flex_name); netsh_command(&argv, 2, M_FATAL); } /* add new DNS/WINS settings to TAP interface */ { int count = 0; int i; for (i = 0; i < addr_len; ++i) { if (delete_first || !test_first || !ip_addr_member_of(addr_list[i], current)) { const char *fmt = count ? "%s%sc interface ip add %s %s %s" : "%s%sc interface ip set %s %s static %s"; argv_printf(&argv, fmt, get_win_sys_path(), NETSH_PATH_SUFFIX, type, flex_name, print_in_addr_t(addr_list[i], 0, &gc)); netsh_command(&argv, 2, M_FATAL); ++count; } else { msg(M_INFO, "NETSH: \"%s\" %s %s [already set]", flex_name, type, print_in_addr_t(addr_list[i], 0, &gc)); } } } argv_reset(&argv); gc_free(&gc); } static void init_ip_addr_string2(IP_ADDR_STRING *dest, const IP_ADDR_STRING *src1, const IP_ADDR_STRING *src2) { CLEAR(dest[0]); CLEAR(dest[1]); if (src1) { dest[0] = *src1; dest[0].Next = NULL; } if (src2) { dest[1] = *src2; dest[0].Next = &dest[1]; dest[1].Next = NULL; } } static void netsh_ifconfig(const struct tuntap_options *to, const char *flex_name, const in_addr_t ip, const in_addr_t netmask, const unsigned int flags) { struct gc_arena gc = gc_new(); struct argv argv = argv_new(); const IP_ADAPTER_INFO *ai = NULL; const IP_PER_ADAPTER_INFO *pai = NULL; if (flags & NI_TEST_FIRST) { const IP_ADAPTER_INFO *list = get_adapter_info_list(&gc); const int index = get_adapter_index_flexible(flex_name); ai = get_adapter(list, index); pai = get_per_adapter_info(index, &gc); } if (flags & NI_IP_NETMASK) { if (test_adapter_ip_netmask(ai, ip, netmask)) { msg(M_INFO, "NETSH: \"%s\" %s/%s [already set]", flex_name, print_in_addr_t(ip, 0, &gc), print_in_addr_t(netmask, 0, &gc)); } else { /* example: netsh interface ip set address my-tap static 10.3.0.1 255.255.255.0 */ argv_printf(&argv, "%s%sc interface ip set address %s static %s %s", get_win_sys_path(), NETSH_PATH_SUFFIX, flex_name, print_in_addr_t(ip, 0, &gc), print_in_addr_t(netmask, 0, &gc)); netsh_command(&argv, 4, M_FATAL); } } /* set WINS/DNS options */ if (flags & NI_OPTIONS) { IP_ADDR_STRING wins[2]; CLEAR(wins[0]); CLEAR(wins[1]); netsh_ifconfig_options("dns", to->dns, to->dns_len, pai ? &pai->DnsServerList : NULL, flex_name, BOOL_CAST(flags & NI_TEST_FIRST)); if (ai && ai->HaveWins) { init_ip_addr_string2(wins, &ai->PrimaryWinsServer, &ai->SecondaryWinsServer); } netsh_ifconfig_options("wins", to->wins, to->wins_len, ai ? wins : NULL, flex_name, BOOL_CAST(flags & NI_TEST_FIRST)); } argv_reset(&argv); gc_free(&gc); } static void netsh_enable_dhcp(const struct tuntap_options *to, const char *actual_name) { struct argv argv = argv_new(); /* example: netsh interface ip set address my-tap dhcp */ argv_printf(&argv, "%s%sc interface ip set address %s dhcp", get_win_sys_path(), NETSH_PATH_SUFFIX, actual_name); netsh_command(&argv, 4, M_FATAL); argv_reset(&argv); } /* * Return a TAP name for netsh commands. */ static const char * netsh_get_id(const char *dev_node, struct gc_arena *gc) { const struct tap_reg *tap_reg = get_tap_reg(gc); const struct panel_reg *panel_reg = get_panel_reg(gc); struct buffer actual = alloc_buf_gc(256, gc); const char *guid; at_least_one_tap_win(tap_reg); if (dev_node) { guid = get_device_guid(dev_node, BPTR(&actual), BCAP(&actual), tap_reg, panel_reg, gc); } else { guid = get_unspecified_device_guid(0, BPTR(&actual), BCAP(&actual), tap_reg, panel_reg, gc); if (get_unspecified_device_guid(1, NULL, 0, tap_reg, panel_reg, gc)) /* ambiguous if more than one TAP-Windows adapter */ { guid = NULL; } } if (!guid) { return "NULL"; /* not found */ } else if (strcmp(BPTR(&actual), "NULL")) { return BPTR(&actual); /* control panel name */ } else { return guid; /* no control panel name, return GUID instead */ } } /* * Called iteratively on TAP-Windows wait-for-initialization polling loop */ void tun_standby_init(struct tuntap *tt) { tt->standby_iter = 0; } bool tun_standby(struct tuntap *tt) { bool ret = true; ++tt->standby_iter; if (tt->options.ip_win32_type == IPW32_SET_ADAPTIVE) { if (tt->standby_iter == IPW32_SET_ADAPTIVE_TRY_NETSH) { msg(M_INFO, "NOTE: now trying netsh (this may take some time)"); netsh_ifconfig(&tt->options, tt->actual_name, tt->local, tt->adapter_netmask, NI_TEST_FIRST|NI_IP_NETMASK|NI_OPTIONS); } else if (tt->standby_iter >= IPW32_SET_ADAPTIVE_TRY_NETSH*2) { ret = false; } } return ret; } /* * Convert DHCP options from the command line / config file * into a raw DHCP-format options string. */ static void write_dhcp_u8(struct buffer *buf, const int type, const int data, bool *error) { if (!buf_safe(buf, 3)) { *error = true; msg(M_WARN, "write_dhcp_u8: buffer overflow building DHCP options"); return; } buf_write_u8(buf, type); buf_write_u8(buf, 1); buf_write_u8(buf, data); } static void write_dhcp_u32_array(struct buffer *buf, const int type, const uint32_t *data, const unsigned int len, bool *error) { if (len > 0) { int i; const int size = len * sizeof(uint32_t); if (!buf_safe(buf, 2 + size)) { *error = true; msg(M_WARN, "write_dhcp_u32_array: buffer overflow building DHCP options"); return; } if (size < 1 || size > 255) { *error = true; msg(M_WARN, "write_dhcp_u32_array: size (%d) must be > 0 and <= 255", size); return; } buf_write_u8(buf, type); buf_write_u8(buf, size); for (i = 0; i < len; ++i) { buf_write_u32(buf, data[i]); } } } static void write_dhcp_str(struct buffer *buf, const int type, const char *str, bool *error) { const int len = strlen(str); if (!buf_safe(buf, 2 + len)) { *error = true; msg(M_WARN, "write_dhcp_str: buffer overflow building DHCP options"); return; } if (len < 1 || len > 255) { *error = true; msg(M_WARN, "write_dhcp_str: string '%s' must be > 0 bytes and <= 255 bytes", str); return; } buf_write_u8(buf, type); buf_write_u8(buf, len); buf_write(buf, str, len); } static bool build_dhcp_options_string(struct buffer *buf, const struct tuntap_options *o) { bool error = false; if (o->domain) { write_dhcp_str(buf, 15, o->domain, &error); } if (o->netbios_scope) { write_dhcp_str(buf, 47, o->netbios_scope, &error); } if (o->netbios_node_type) { write_dhcp_u8(buf, 46, o->netbios_node_type, &error); } write_dhcp_u32_array(buf, 6, (uint32_t *)o->dns, o->dns_len, &error); write_dhcp_u32_array(buf, 44, (uint32_t *)o->wins, o->wins_len, &error); write_dhcp_u32_array(buf, 42, (uint32_t *)o->ntp, o->ntp_len, &error); write_dhcp_u32_array(buf, 45, (uint32_t *)o->nbdd, o->nbdd_len, &error); /* the MS DHCP server option 'Disable Netbios-over-TCP/IP * is implemented as vendor option 001, value 002. * A value of 001 means 'leave NBT alone' which is the default */ if (o->disable_nbt) { if (!buf_safe(buf, 8)) { msg(M_WARN, "build_dhcp_options_string: buffer overflow building DHCP options"); return false; } buf_write_u8(buf, 43); buf_write_u8(buf, 6);/* total length field */ buf_write_u8(buf, 0x001); buf_write_u8(buf, 4);/* length of the vendor specified field */ buf_write_u32(buf, 0x002); } return !error; } static void fork_dhcp_action(struct tuntap *tt) { if (tt->options.dhcp_pre_release || tt->options.dhcp_renew) { struct gc_arena gc = gc_new(); struct buffer cmd = alloc_buf_gc(256, &gc); const int verb = 3; const int pre_sleep = 1; buf_printf(&cmd, "openvpn --verb %d --tap-sleep %d", verb, pre_sleep); if (tt->options.dhcp_pre_release) { buf_printf(&cmd, " --dhcp-pre-release"); } if (tt->options.dhcp_renew) { buf_printf(&cmd, " --dhcp-renew"); } buf_printf(&cmd, " --dhcp-internal %u", (unsigned int)tt->adapter_index); fork_to_self(BSTR(&cmd)); gc_free(&gc); } } static void register_dns_service(const struct tuntap *tt) { DWORD len; HANDLE msg_channel = tt->options.msg_channel; ack_message_t ack; struct gc_arena gc = gc_new(); message_header_t rdns = { msg_register_dns, sizeof(message_header_t), 0 }; if (!WriteFile(msg_channel, &rdns, sizeof(rdns), &len, NULL) || !ReadFile(msg_channel, &ack, sizeof(ack), &len, NULL)) { msg(M_WARN, "Register_dns: could not talk to service: %s [status=0x%lx]", strerror_win32(GetLastError(), &gc), GetLastError()); } else if (ack.error_number != NO_ERROR) { msg(M_WARN, "Register_dns failed using service: %s [status=0x%x]", strerror_win32(ack.error_number, &gc), ack.error_number); } else { msg(M_INFO, "Register_dns request sent to the service"); } gc_free(&gc); } void fork_register_dns_action(struct tuntap *tt) { if (tt && tt->options.register_dns && tt->options.msg_channel) { register_dns_service(tt); } else if (tt && tt->options.register_dns) { struct gc_arena gc = gc_new(); struct buffer cmd = alloc_buf_gc(256, &gc); const int verb = 3; buf_printf(&cmd, "openvpn --verb %d --register-dns --rdns-internal", verb); fork_to_self(BSTR(&cmd)); gc_free(&gc); } } static uint32_t dhcp_masq_addr(const in_addr_t local, const in_addr_t netmask, const int offset) { struct gc_arena gc = gc_new(); in_addr_t dsa; /* DHCP server addr */ if (offset < 0) { dsa = (local | (~netmask)) + offset; } else { dsa = (local & netmask) + offset; } if (dsa == local) { msg(M_FATAL, "ERROR: There is a clash between the --ifconfig local address and the internal DHCP server address -- both are set to %s -- please use the --ip-win32 dynamic option to choose a different free address from the --ifconfig subnet for the internal DHCP server", print_in_addr_t(dsa, 0, &gc)); } if ((local & netmask) != (dsa & netmask)) { msg(M_FATAL, "ERROR: --ip-win32 dynamic [offset] : offset is outside of --ifconfig subnet"); } gc_free(&gc); return htonl(dsa); } void open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tuntap *tt) { struct gc_arena gc = gc_new(); char device_path[256]; const char *device_guid = NULL; DWORD len; bool dhcp_masq = false; bool dhcp_masq_post = false; /*netcmd_semaphore_lock ();*/ msg( M_INFO, "open_tun"); if (tt->type == DEV_TYPE_NULL) { open_null(tt); gc_free(&gc); return; } else if (tt->type == DEV_TYPE_TAP || tt->type == DEV_TYPE_TUN) { } else { msg(M_FATAL|M_NOPREFIX, "Unknown virtual device type: '%s'", dev); } /* * Lookup the device name in the registry, using the --dev-node high level name. */ { const struct tap_reg *tap_reg = get_tap_reg(&gc); const struct panel_reg *panel_reg = get_panel_reg(&gc); char actual_buffer[256]; at_least_one_tap_win(tap_reg); if (dev_node) { /* Get the device GUID for the device specified with --dev-node. */ device_guid = get_device_guid(dev_node, actual_buffer, sizeof(actual_buffer), tap_reg, panel_reg, &gc); if (!device_guid) { msg(M_FATAL, "TAP-Windows adapter '%s' not found", dev_node); } /* Open Windows TAP-Windows adapter */ openvpn_snprintf(device_path, sizeof(device_path), "%s%s%s", USERMODEDEVICEDIR, device_guid, TAP_WIN_SUFFIX); tt->hand = CreateFile( device_path, GENERIC_READ | GENERIC_WRITE, 0, /* was: FILE_SHARE_READ */ 0, OPEN_EXISTING, FILE_ATTRIBUTE_SYSTEM | FILE_FLAG_OVERLAPPED, 0 ); if (tt->hand == INVALID_HANDLE_VALUE) { msg(M_ERR, "CreateFile failed on TAP device: %s", device_path); } } else { int device_number = 0; /* Try opening all TAP devices until we find one available */ while (true) { device_guid = get_unspecified_device_guid(device_number, actual_buffer, sizeof(actual_buffer), tap_reg, panel_reg, &gc); if (!device_guid) { msg(M_FATAL, "All TAP-Windows adapters on this system are currently in use."); } /* Open Windows TAP-Windows adapter */ openvpn_snprintf(device_path, sizeof(device_path), "%s%s%s", USERMODEDEVICEDIR, device_guid, TAP_WIN_SUFFIX); tt->hand = CreateFile( device_path, GENERIC_READ | GENERIC_WRITE, 0, /* was: FILE_SHARE_READ */ 0, OPEN_EXISTING, FILE_ATTRIBUTE_SYSTEM | FILE_FLAG_OVERLAPPED, 0 ); if (tt->hand == INVALID_HANDLE_VALUE) { msg(D_TUNTAP_INFO, "CreateFile failed on TAP device: %s", device_path); } else { break; } device_number++; } } /* translate high-level device name into a device instance * GUID using the registry */ tt->actual_name = string_alloc(actual_buffer, NULL); } msg(M_INFO, "TAP-WIN32 device [%s] opened: %s", tt->actual_name, device_path); tt->adapter_index = get_adapter_index(device_guid); /* get driver version info */ { ULONG info[3]; CLEAR(info); if (DeviceIoControl(tt->hand, TAP_WIN_IOCTL_GET_VERSION, &info, sizeof(info), &info, sizeof(info), &len, NULL)) { msg(D_TUNTAP_INFO, "TAP-Windows Driver Version %d.%d %s", (int) info[0], (int) info[1], (info[2] ? "(DEBUG)" : "")); } if (!(info[0] == TAP_WIN_MIN_MAJOR && info[1] >= TAP_WIN_MIN_MINOR)) { msg(M_FATAL, "ERROR: This version of " PACKAGE_NAME " requires a TAP-Windows driver that is at least version %d.%d -- If you recently upgraded your " PACKAGE_NAME " distribution, a reboot is probably required at this point to get Windows to see the new driver.", TAP_WIN_MIN_MAJOR, TAP_WIN_MIN_MINOR); } /* usage of numeric constants is ugly, but this is really tied to * *this* version of the driver */ if (tt->type == DEV_TYPE_TUN && info[0] == 9 && info[1] < 8) { msg( M_INFO, "WARNING: Tap-Win32 driver version %d.%d does not support IPv6 in TUN mode. IPv6 will not work. Upgrade your Tap-Win32 driver.", (int) info[0], (int) info[1] ); } /* tap driver 9.8 (2.2.0 and 2.2.1 release) is buggy */ if (tt->type == DEV_TYPE_TUN && info[0] == 9 && info[1] == 8) { msg( M_FATAL, "ERROR: Tap-Win32 driver version %d.%d is buggy regarding small IPv4 packets in TUN mode. Upgrade your Tap-Win32 driver.", (int) info[0], (int) info[1] ); } } /* get driver MTU */ { ULONG mtu; if (DeviceIoControl(tt->hand, TAP_WIN_IOCTL_GET_MTU, &mtu, sizeof(mtu), &mtu, sizeof(mtu), &len, NULL)) { tt->post_open_mtu = (int) mtu; msg(D_MTU_INFO, "TAP-Windows MTU=%d", (int) mtu); } } /* * Preliminaries for setting TAP-Windows adapter TCP/IP * properties via --ip-win32 dynamic or --ip-win32 adaptive. */ if (tt->did_ifconfig_setup) { if (tt->options.ip_win32_type == IPW32_SET_DHCP_MASQ) { /* * If adapter is set to non-DHCP, set to DHCP mode. */ if (dhcp_status(tt->adapter_index) == DHCP_STATUS_DISABLED) { netsh_enable_dhcp(&tt->options, tt->actual_name); } dhcp_masq = true; dhcp_masq_post = true; } else if (tt->options.ip_win32_type == IPW32_SET_ADAPTIVE) { /* * If adapter is set to non-DHCP, use netsh right away. */ if (dhcp_status(tt->adapter_index) != DHCP_STATUS_ENABLED) { netsh_ifconfig(&tt->options, tt->actual_name, tt->local, tt->adapter_netmask, NI_TEST_FIRST|NI_IP_NETMASK|NI_OPTIONS); } else { dhcp_masq = true; } } } /* set point-to-point mode if TUN device */ if (tt->type == DEV_TYPE_TUN) { if (!tt->did_ifconfig_setup) { msg(M_FATAL, "ERROR: --dev tun also requires --ifconfig"); } if (tt->topology == TOP_SUBNET) { in_addr_t ep[3]; BOOL status; ep[0] = htonl(tt->local); ep[1] = htonl(tt->local & tt->remote_netmask); ep[2] = htonl(tt->remote_netmask); status = DeviceIoControl(tt->hand, TAP_WIN_IOCTL_CONFIG_TUN, ep, sizeof(ep), ep, sizeof(ep), &len, NULL); msg(status ? M_INFO : M_FATAL, "Set TAP-Windows TUN subnet mode network/local/netmask = %s/%s/%s [%s]", print_in_addr_t(ep[1], IA_NET_ORDER, &gc), print_in_addr_t(ep[0], IA_NET_ORDER, &gc), print_in_addr_t(ep[2], IA_NET_ORDER, &gc), status ? "SUCCEEDED" : "FAILED"); } else { in_addr_t ep[2]; ep[0] = htonl(tt->local); ep[1] = htonl(tt->remote_netmask); if (!DeviceIoControl(tt->hand, TAP_WIN_IOCTL_CONFIG_POINT_TO_POINT, ep, sizeof(ep), ep, sizeof(ep), &len, NULL)) { msg(M_FATAL, "ERROR: The TAP-Windows driver rejected a DeviceIoControl call to set Point-to-Point mode, which is required for --dev tun"); } } } /* should we tell the TAP-Windows driver to masquerade as a DHCP server as a means * of setting the adapter address? */ if (dhcp_masq) { uint32_t ep[4]; /* We will answer DHCP requests with a reply to set IP/subnet to these values */ ep[0] = htonl(tt->local); ep[1] = htonl(tt->adapter_netmask); /* At what IP address should the DHCP server masquerade at? */ if (tt->type == DEV_TYPE_TUN) { if (tt->topology == TOP_SUBNET) { if (tt->options.dhcp_masq_custom_offset) { ep[2] = dhcp_masq_addr(tt->local, tt->remote_netmask, tt->options.dhcp_masq_offset); } else { ep[2] = dhcp_masq_addr(tt->local, tt->remote_netmask, -1); } } else { ep[2] = htonl(tt->remote_netmask); } } else { ASSERT(tt->type == DEV_TYPE_TAP); ep[2] = dhcp_masq_addr(tt->local, tt->adapter_netmask, tt->options.dhcp_masq_custom_offset ? tt->options.dhcp_masq_offset : 0); } /* lease time in seconds */ ep[3] = (uint32_t) tt->options.dhcp_lease_time; ASSERT(ep[3] > 0); #ifndef SIMULATE_DHCP_FAILED /* this code is disabled to simulate bad DHCP negotiation */ if (!DeviceIoControl(tt->hand, TAP_WIN_IOCTL_CONFIG_DHCP_MASQ, ep, sizeof(ep), ep, sizeof(ep), &len, NULL)) { msg(M_FATAL, "ERROR: The TAP-Windows driver rejected a DeviceIoControl call to set TAP_WIN_IOCTL_CONFIG_DHCP_MASQ mode"); } msg(M_INFO, "Notified TAP-Windows driver to set a DHCP IP/netmask of %s/%s on interface %s [DHCP-serv: %s, lease-time: %d]", print_in_addr_t(tt->local, 0, &gc), print_in_addr_t(tt->adapter_netmask, 0, &gc), device_guid, print_in_addr_t(ep[2], IA_NET_ORDER, &gc), ep[3] ); /* user-supplied DHCP options capability */ if (tt->options.dhcp_options) { struct buffer buf = alloc_buf(256); if (build_dhcp_options_string(&buf, &tt->options)) { msg(D_DHCP_OPT, "DHCP option string: %s", format_hex(BPTR(&buf), BLEN(&buf), 0, &gc)); if (!DeviceIoControl(tt->hand, TAP_WIN_IOCTL_CONFIG_DHCP_SET_OPT, BPTR(&buf), BLEN(&buf), BPTR(&buf), BLEN(&buf), &len, NULL)) { msg(M_FATAL, "ERROR: The TAP-Windows driver rejected a TAP_WIN_IOCTL_CONFIG_DHCP_SET_OPT DeviceIoControl call"); } } else { msg(M_WARN, "DHCP option string not set due to error"); } free_buf(&buf); } #endif /* ifndef SIMULATE_DHCP_FAILED */ } /* set driver media status to 'connected' */ { ULONG status = TRUE; if (!DeviceIoControl(tt->hand, TAP_WIN_IOCTL_SET_MEDIA_STATUS, &status, sizeof(status), &status, sizeof(status), &len, NULL)) { msg(M_WARN, "WARNING: The TAP-Windows driver rejected a TAP_WIN_IOCTL_SET_MEDIA_STATUS DeviceIoControl call."); } } /* possible wait for adapter to come up */ { int s = tt->options.tap_sleep; if (s > 0) { msg(M_INFO, "Sleeping for %d seconds...", s); management_sleep(s); } } /* possibly use IP Helper API to set IP address on adapter */ { const DWORD index = tt->adapter_index; /* flush arp cache */ if (index != TUN_ADAPTER_INDEX_INVALID) { DWORD status = -1; if (tt->options.msg_channel) { ack_message_t ack; flush_neighbors_message_t msg = { .header = { msg_flush_neighbors, sizeof(flush_neighbors_message_t), 0 }, .family = AF_INET, .iface = { .index = index, .name = "" } }; if (!WriteFile(tt->options.msg_channel, &msg, sizeof(msg), &len, NULL) || !ReadFile(tt->options.msg_channel, &ack, sizeof(ack), &len, NULL)) { msg(M_WARN, "TUN: could not talk to service: %s [%lu]", strerror_win32(GetLastError(), &gc), GetLastError()); } status = ack.error_number; } else { status = FlushIpNetTable(index); } if (status == NO_ERROR) { msg(M_INFO, "Successful ARP Flush on interface [%u] %s", (unsigned int)index, device_guid); } else if (status != -1) { msg(D_TUNTAP_INFO, "NOTE: FlushIpNetTable failed on interface [%u] %s (status=%u) : %s", (unsigned int)index, device_guid, (unsigned int)status, strerror_win32(status, &gc)); } } /* * If the TAP-Windows driver is masquerading as a DHCP server * make sure the TCP/IP properties for the adapter are * set correctly. */ if (dhcp_masq_post) { /* check dhcp enable status */ if (dhcp_status(index) == DHCP_STATUS_DISABLED) { msg(M_WARN, "WARNING: You have selected '--ip-win32 dynamic', which will not work unless the TAP-Windows TCP/IP properties are set to 'Obtain an IP address automatically'"); } /* force an explicit DHCP lease renewal on TAP adapter? */ if (tt->options.dhcp_pre_release) { dhcp_release(tt); } if (tt->options.dhcp_renew) { dhcp_renew(tt); } } else { fork_dhcp_action(tt); } if (tt->did_ifconfig_setup && tt->options.ip_win32_type == IPW32_SET_IPAPI) { DWORD status; const char *error_suffix = "I am having trouble using the Windows 'IP helper API' to automatically set the IP address -- consider using other --ip-win32 methods (not 'ipapi')"; /* couldn't get adapter index */ if (index == TUN_ADAPTER_INDEX_INVALID) { msg(M_FATAL, "ERROR: unable to get adapter index for interface %s -- %s", device_guid, error_suffix); } /* check dhcp enable status */ if (dhcp_status(index) == DHCP_STATUS_DISABLED) { msg(M_WARN, "NOTE: You have selected (explicitly or by default) '--ip-win32 ipapi', which has a better chance of working correctly if the TAP-Windows TCP/IP properties are set to 'Obtain an IP address automatically'"); } /* delete previously added IP addresses which were not * correctly deleted */ delete_temp_addresses(index); /* add a new IP address */ if ((status = AddIPAddress(htonl(tt->local), htonl(tt->adapter_netmask), index, &tt->ipapi_context, &tt->ipapi_instance)) == NO_ERROR) { msg(M_INFO, "Succeeded in adding a temporary IP/netmask of %s/%s to interface %s using the Win32 IP Helper API", print_in_addr_t(tt->local, 0, &gc), print_in_addr_t(tt->adapter_netmask, 0, &gc), device_guid ); } else { msg(M_FATAL, "ERROR: AddIPAddress %s/%s failed on interface %s, index=%d, status=%u (windows error: '%s') -- %s", print_in_addr_t(tt->local, 0, &gc), print_in_addr_t(tt->adapter_netmask, 0, &gc), device_guid, (int)index, (unsigned int)status, strerror_win32(status, &gc), error_suffix); } tt->ipapi_context_defined = true; } } /*netcmd_semaphore_release ();*/ gc_free(&gc); } const char * tap_win_getinfo(const struct tuntap *tt, struct gc_arena *gc) { if (tt && tt->hand != NULL) { struct buffer out = alloc_buf_gc(256, gc); DWORD len; if (DeviceIoControl(tt->hand, TAP_WIN_IOCTL_GET_INFO, BSTR(&out), BCAP(&out), BSTR(&out), BCAP(&out), &len, NULL)) { return BSTR(&out); } } return NULL; } void tun_show_debug(struct tuntap *tt) { if (tt && tt->hand != NULL) { struct buffer out = alloc_buf(1024); DWORD len; while (DeviceIoControl(tt->hand, TAP_WIN_IOCTL_GET_LOG_LINE, BSTR(&out), BCAP(&out), BSTR(&out), BCAP(&out), &len, NULL)) { msg(D_TAP_WIN_DEBUG, "TAP-Windows: %s", BSTR(&out)); } free_buf(&out); } } void close_tun(struct tuntap *tt) { struct gc_arena gc = gc_new(); if (tt) { if (tt->did_ifconfig_ipv6_setup) { if (tt->options.msg_channel) { do_address_service(false, AF_INET6, tt); if (tt->options.dns6_len > 0) { do_dns6_service(false, tt); } } else { const char *ifconfig_ipv6_local; struct argv argv = argv_new(); /* remove route pointing to interface */ delete_route_connected_v6_net(tt, NULL); /* "store=active" is needed in Windows 8(.1) to delete the * address we added (pointed out by Cedric Tabary). */ /* netsh interface ipv6 delete address \"%s\" %s */ ifconfig_ipv6_local = print_in6_addr(tt->local_ipv6, 0, &gc); argv_printf(&argv, "%s%sc interface ipv6 delete address %s %s store=active", get_win_sys_path(), NETSH_PATH_SUFFIX, tt->actual_name, ifconfig_ipv6_local); netsh_command(&argv, 1, M_WARN); /* delete ipv6 dns servers if any were set */ if (tt->options.dns6_len > 0) { argv_printf(&argv, "%s%sc interface ipv6 delete dns %s all", get_win_sys_path(), NETSH_PATH_SUFFIX, tt->actual_name); netsh_command(&argv, 1, M_WARN); } argv_reset(&argv); } } #if 1 if (tt->ipapi_context_defined) { DWORD status; if ((status = DeleteIPAddress(tt->ipapi_context)) != NO_ERROR) { msg(M_WARN, "Warning: DeleteIPAddress[%u] failed on TAP-Windows adapter, status=%u : %s", (unsigned int)tt->ipapi_context, (unsigned int)status, strerror_win32(status, &gc)); } } #endif dhcp_release(tt); if (tt->hand != NULL) { dmsg(D_WIN32_IO_LOW, "Attempting CancelIO on TAP-Windows adapter"); if (!CancelIo(tt->hand)) { msg(M_WARN | M_ERRNO, "Warning: CancelIO failed on TAP-Windows adapter"); } } dmsg(D_WIN32_IO_LOW, "Attempting close of overlapped read event on TAP-Windows adapter"); overlapped_io_close(&tt->reads); dmsg(D_WIN32_IO_LOW, "Attempting close of overlapped write event on TAP-Windows adapter"); overlapped_io_close(&tt->writes); if (tt->hand != NULL) { dmsg(D_WIN32_IO_LOW, "Attempting CloseHandle on TAP-Windows adapter"); if (!CloseHandle(tt->hand)) { msg(M_WARN | M_ERRNO, "Warning: CloseHandle failed on TAP-Windows adapter"); } } if (tt->actual_name) { free(tt->actual_name); } clear_tuntap(tt); free(tt); } gc_free(&gc); } /* * Convert --ip-win32 constants between index and ascii form. */ struct ipset_names { const char *short_form; }; /* Indexed by IPW32_SET_x */ static const struct ipset_names ipset_names[] = { {"manual"}, {"netsh"}, {"ipapi"}, {"dynamic"}, {"adaptive"} }; int ascii2ipset(const char *name) { int i; ASSERT(IPW32_SET_N == SIZE(ipset_names)); for (i = 0; i < IPW32_SET_N; ++i) { if (!strcmp(name, ipset_names[i].short_form)) { return i; } } return -1; } const char * ipset2ascii(int index) { ASSERT(IPW32_SET_N == SIZE(ipset_names)); if (index < 0 || index >= IPW32_SET_N) { return "[unknown --ip-win32 type]"; } else { return ipset_names[index].short_form; } } const char * ipset2ascii_all(struct gc_arena *gc) { struct buffer out = alloc_buf_gc(256, gc); int i; ASSERT(IPW32_SET_N == SIZE(ipset_names)); for (i = 0; i < IPW32_SET_N; ++i) { if (i) { buf_printf(&out, " "); } buf_printf(&out, "[%s]", ipset2ascii(i)); } return BSTR(&out); } #else /* generic */ void open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tuntap *tt) { open_tun_generic(dev, dev_type, dev_node, true, tt); } void close_tun(struct tuntap *tt) { if (tt) { close_tun_generic(tt); free(tt); } } int write_tun(struct tuntap *tt, uint8_t *buf, int len) { return write(tt->fd, buf, len); } int read_tun(struct tuntap *tt, uint8_t *buf, int len) { return read(tt->fd, buf, len); } #endif /* if defined (TARGET_ANDROID) */ openvpn-2.4.4/src/openvpn/tun.h000066400000000000000000000316751316434344000164570ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifndef TUN_H #define TUN_H #ifdef _WIN32 #include #include #endif #include "buffer.h" #include "error.h" #include "mtu.h" #include "win32.h" #include "event.h" #include "proto.h" #include "misc.h" #if defined(_WIN32) || defined(TARGET_ANDROID) #define TUN_ADAPTER_INDEX_INVALID ((DWORD)-1) /* time constants for --ip-win32 adaptive */ #define IPW32_SET_ADAPTIVE_DELAY_WINDOW 300 #define IPW32_SET_ADAPTIVE_TRY_NETSH 20 struct tuntap_options { /* --ip-win32 options */ bool ip_win32_defined; #define IPW32_SET_MANUAL 0 /* "--ip-win32 manual" */ #define IPW32_SET_NETSH 1 /* "--ip-win32 netsh" */ #define IPW32_SET_IPAPI 2 /* "--ip-win32 ipapi" */ #define IPW32_SET_DHCP_MASQ 3 /* "--ip-win32 dynamic" */ #define IPW32_SET_ADAPTIVE 4 /* "--ip-win32 adaptive" */ #define IPW32_SET_N 5 int ip_win32_type; #ifdef _WIN32 HANDLE msg_channel; #endif /* --ip-win32 dynamic options */ bool dhcp_masq_custom_offset; int dhcp_masq_offset; int dhcp_lease_time; /* --tap-sleep option */ int tap_sleep; /* --dhcp-option options */ bool dhcp_options; const char *domain; /* DOMAIN (15) */ const char *netbios_scope; /* NBS (47) */ int netbios_node_type; /* NBT 1,2,4,8 (46) */ #define N_DHCP_ADDR 4 /* Max # of addresses allowed for * DNS, WINS, etc. */ /* DNS (6) */ in_addr_t dns[N_DHCP_ADDR]; int dns_len; /* WINS (44) */ in_addr_t wins[N_DHCP_ADDR]; int wins_len; /* NTP (42) */ in_addr_t ntp[N_DHCP_ADDR]; int ntp_len; /* NBDD (45) */ in_addr_t nbdd[N_DHCP_ADDR]; int nbdd_len; /* DISABLE_NBT (43, Vendor option 001) */ bool disable_nbt; bool dhcp_renew; bool dhcp_pre_release; bool register_dns; struct in6_addr dns6[N_DHCP_ADDR]; int dns6_len; }; #elif TARGET_LINUX struct tuntap_options { int txqueuelen; }; #else /* if defined(_WIN32) || defined(TARGET_ANDROID) */ struct tuntap_options { int dummy; /* not used */ }; #endif /* if defined(_WIN32) || defined(TARGET_ANDROID) */ /* * Define a TUN/TAP dev. */ struct tuntap { #define TUNNEL_TYPE(tt) ((tt) ? ((tt)->type) : DEV_TYPE_UNDEF) int type; /* DEV_TYPE_x as defined in proto.h */ #define TUNNEL_TOPOLOGY(tt) ((tt) ? ((tt)->topology) : TOP_UNDEF) int topology; /* one of the TOP_x values */ bool did_ifconfig_setup; bool did_ifconfig_ipv6_setup; bool did_ifconfig; bool persistent_if; /* if existed before, keep on program end */ struct tuntap_options options; /* options set on command line */ char *actual_name; /* actual name of TUN/TAP dev, usually including unit number */ /* number of TX buffers */ int txqueuelen; /* ifconfig parameters */ in_addr_t local; in_addr_t remote_netmask; in_addr_t broadcast; struct in6_addr local_ipv6; struct in6_addr remote_ipv6; int netbits_ipv6; #ifdef _WIN32 HANDLE hand; struct overlapped_io reads; struct overlapped_io writes; struct rw_handle rw_handle; /* used for setting interface address via IP Helper API * or DHCP masquerade */ bool ipapi_context_defined; ULONG ipapi_context; ULONG ipapi_instance; in_addr_t adapter_netmask; /* Windows adapter index for TAP-Windows adapter, * ~0 if undefined */ DWORD adapter_index; int standby_iter; #else /* ifdef _WIN32 */ int fd; /* file descriptor for TUN/TAP dev */ #endif #ifdef TARGET_SOLARIS int ip_fd; #endif #ifdef HAVE_NET_IF_UTUN_H bool is_utun; #endif /* used for printing status info only */ unsigned int rwflags_debug; /* Some TUN/TAP drivers like to be ioctled for mtu * after open */ int post_open_mtu; }; static inline bool tuntap_defined(const struct tuntap *tt) { #ifdef _WIN32 return tt && tt->hand != NULL; #else return tt && tt->fd >= 0; #endif } /* * Function prototypes */ void open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tuntap *tt); void close_tun(struct tuntap *tt); int write_tun(struct tuntap *tt, uint8_t *buf, int len); int read_tun(struct tuntap *tt, uint8_t *buf, int len); void tuncfg(const char *dev, const char *dev_type, const char *dev_node, int persist_mode, const char *username, const char *groupname, const struct tuntap_options *options); const char *guess_tuntap_dev(const char *dev, const char *dev_type, const char *dev_node, struct gc_arena *gc); struct tuntap *init_tun(const char *dev, /* --dev option */ const char *dev_type, /* --dev-type option */ int topology, /* one of the TOP_x values */ const char *ifconfig_local_parm, /* --ifconfig parm 1 */ const char *ifconfig_remote_netmask_parm, /* --ifconfig parm 2 */ const char *ifconfig_ipv6_local_parm, /* --ifconfig parm 1 / IPv6 */ int ifconfig_ipv6_netbits_parm, /* --ifconfig parm 1 / bits */ const char *ifconfig_ipv6_remote_parm, /* --ifconfig parm 2 / IPv6 */ struct addrinfo *local_public, struct addrinfo *remote_public, const bool strict_warn, struct env_set *es); void init_tun_post(struct tuntap *tt, const struct frame *frame, const struct tuntap_options *options); void do_ifconfig_setenv(const struct tuntap *tt, struct env_set *es); void do_ifconfig(struct tuntap *tt, const char *actual, /* actual device name */ int tun_mtu, const struct env_set *es); bool is_dev_type(const char *dev, const char *dev_type, const char *match_type); int dev_type_enum(const char *dev, const char *dev_type); const char *dev_type_string(const char *dev, const char *dev_type); const char *ifconfig_options_string(const struct tuntap *tt, bool remote, bool disable, struct gc_arena *gc); bool is_tun_p2p(const struct tuntap *tt); void check_subnet_conflict(const in_addr_t ip, const in_addr_t netmask, const char *prefix); void warn_on_use_of_common_subnets(void); /* * Inline functions */ static inline void tun_adjust_frame_parameters(struct frame *frame, int size) { frame_add_to_extra_tun(frame, size); } /* * Should ifconfig be called before or after * tun dev open? */ #define IFCONFIG_BEFORE_TUN_OPEN 0 #define IFCONFIG_AFTER_TUN_OPEN 1 #define IFCONFIG_DEFAULT IFCONFIG_AFTER_TUN_OPEN static inline int ifconfig_order(void) { #if defined(TARGET_LINUX) return IFCONFIG_AFTER_TUN_OPEN; #elif defined(TARGET_SOLARIS) return IFCONFIG_AFTER_TUN_OPEN; #elif defined(TARGET_OPENBSD) return IFCONFIG_AFTER_TUN_OPEN; #elif defined(TARGET_DARWIN) return IFCONFIG_AFTER_TUN_OPEN; #elif defined(TARGET_NETBSD) return IFCONFIG_AFTER_TUN_OPEN; #elif defined(_WIN32) return IFCONFIG_AFTER_TUN_OPEN; #elif defined(TARGET_ANDROID) return IFCONFIG_BEFORE_TUN_OPEN; #else /* if defined(TARGET_LINUX) */ return IFCONFIG_DEFAULT; #endif } #define ROUTE_BEFORE_TUN 0 #define ROUTE_AFTER_TUN 1 #define ROUTE_ORDER_DEFAULT ROUTE_AFTER_TUN static inline int route_order(void) { #if defined(TARGET_ANDROID) return ROUTE_BEFORE_TUN; #else return ROUTE_ORDER_DEFAULT; #endif } #ifdef _WIN32 #define TUN_PASS_BUFFER struct tap_reg { const char *guid; struct tap_reg *next; }; struct panel_reg { const char *name; const char *guid; struct panel_reg *next; }; int ascii2ipset(const char *name); const char *ipset2ascii(int index); const char *ipset2ascii_all(struct gc_arena *gc); void verify_255_255_255_252(in_addr_t local, in_addr_t remote); const IP_ADAPTER_INFO *get_adapter_info_list(struct gc_arena *gc); const IP_ADAPTER_INFO *get_tun_adapter(const struct tuntap *tt, const IP_ADAPTER_INFO *list); const IP_ADAPTER_INFO *get_adapter_info(DWORD index, struct gc_arena *gc); const IP_PER_ADAPTER_INFO *get_per_adapter_info(const DWORD index, struct gc_arena *gc); const IP_ADAPTER_INFO *get_adapter(const IP_ADAPTER_INFO *ai, DWORD index); bool is_adapter_up(const struct tuntap *tt, const IP_ADAPTER_INFO *list); bool is_ip_in_adapter_subnet(const IP_ADAPTER_INFO *ai, const in_addr_t ip, in_addr_t *highest_netmask); DWORD adapter_index_of_ip(const IP_ADAPTER_INFO *list, const in_addr_t ip, int *count, in_addr_t *netmask); void show_tap_win_adapters(int msglev, int warnlev); void show_adapters(int msglev); void tap_allow_nonadmin_access(const char *dev_node); void show_valid_win32_tun_subnets(void); const char *tap_win_getinfo(const struct tuntap *tt, struct gc_arena *gc); void tun_show_debug(struct tuntap *tt); bool dhcp_release_by_adapter_index(const DWORD adapter_index); bool dhcp_renew_by_adapter_index(const DWORD adapter_index); void fork_register_dns_action(struct tuntap *tt); void ipconfig_register_dns(const struct env_set *es); void tun_standby_init(struct tuntap *tt); bool tun_standby(struct tuntap *tt); int tun_read_queue(struct tuntap *tt, int maxsize); int tun_write_queue(struct tuntap *tt, struct buffer *buf); int tun_finalize(HANDLE h, struct overlapped_io *io, struct buffer *buf); static inline bool tuntap_stop(int status) { /* * This corresponds to the STATUS_NO_SUCH_DEVICE * error in tapdrvr.c. */ if (status < 0) { return openvpn_errno() == ERROR_FILE_NOT_FOUND; } return false; } static inline bool tuntap_abort(int status) { /* * Typically generated when driver is halted. */ if (status < 0) { return openvpn_errno() == ERROR_OPERATION_ABORTED; } return false; } static inline int tun_write_win32(struct tuntap *tt, struct buffer *buf) { int err = 0; int status = 0; if (overlapped_io_active(&tt->writes)) { status = tun_finalize(tt->hand, &tt->writes, NULL); if (status < 0) { err = GetLastError(); } } tun_write_queue(tt, buf); if (status < 0) { SetLastError(err); return status; } else { return BLEN(buf); } } static inline int read_tun_buffered(struct tuntap *tt, struct buffer *buf, int maxsize) { return tun_finalize(tt->hand, &tt->reads, buf); } static inline int write_tun_buffered(struct tuntap *tt, struct buffer *buf) { return tun_write_win32(tt, buf); } #else /* ifdef _WIN32 */ static inline bool tuntap_stop(int status) { return false; } static inline bool tuntap_abort(int status) { return false; } static inline void tun_standby_init(struct tuntap *tt) { } static inline bool tun_standby(struct tuntap *tt) { return true; } #endif /* ifdef _WIN32 */ /* * TUN/TAP I/O wait functions */ static inline event_t tun_event_handle(const struct tuntap *tt) { #ifdef _WIN32 return &tt->rw_handle; #else return tt->fd; #endif } static inline unsigned int tun_set(struct tuntap *tt, struct event_set *es, unsigned int rwflags, void *arg, unsigned int *persistent) { if (tuntap_defined(tt)) { /* if persistent is defined, call event_ctl only if rwflags has changed since last call */ if (!persistent || *persistent != rwflags) { event_ctl(es, tun_event_handle(tt), rwflags, arg); if (persistent) { *persistent = rwflags; } } #ifdef _WIN32 if (rwflags & EVENT_READ) { tun_read_queue(tt, 0); } #endif tt->rwflags_debug = rwflags; } return rwflags; } const char *tun_stat(const struct tuntap *tt, unsigned int rwflags, struct gc_arena *gc); #endif /* TUN_H */ openvpn-2.4.4/src/openvpn/win32.c000066400000000000000000001055141316434344000166000ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ /* * Win32-specific OpenVPN code, targetted at the mingw * development environment. */ #ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) #include "config-msvc.h" #endif #include "syshead.h" #ifdef _WIN32 #include "buffer.h" #include "error.h" #include "mtu.h" #include "sig.h" #include "win32.h" #include "misc.h" #include "openvpn-msg.h" #include "memdbg.h" #ifdef HAVE_VERSIONHELPERS_H #include #else #include "compat-versionhelpers.h" #endif #include "block_dns.h" /* * WFP handle */ static HANDLE m_hEngineHandle = NULL; /* GLOBAL */ /* * TAP adapter original metric value */ static int tap_metric_v4 = -1; /* GLOBAL */ static int tap_metric_v6 = -1; /* GLOBAL */ /* * Windows internal socket API state (opaque). */ static struct WSAData wsa_state; /* GLOBAL */ /* * Should we call win32_pause() on program exit? */ static bool pause_exit_enabled = false; /* GLOBAL */ /* * win32_signal is used to get input from the keyboard * if we are running in a console, or get input from an * event object if we are running as a service. */ struct win32_signal win32_signal; /* GLOBAL */ /* * Save our old window title so we can restore * it on exit. */ struct window_title window_title; /* GLOBAL*/ /* * Special global semaphore used to protect network * shell commands from simultaneous instantiation. */ struct semaphore netcmd_semaphore; /* GLOBAL */ /* * Windows system pathname such as c:\windows */ static char *win_sys_path = NULL; /* GLOBAL */ void init_win32(void) { if (WSAStartup(0x0101, &wsa_state)) { msg(M_ERR, "WSAStartup failed"); } window_title_clear(&window_title); win32_signal_clear(&win32_signal); } void uninit_win32(void) { netcmd_semaphore_close(); if (pause_exit_enabled) { if (win32_signal.mode == WSO_MODE_UNDEF) { struct win32_signal w; win32_signal_open(&w, WSO_FORCE_CONSOLE, NULL, false); win32_pause(&w); win32_signal_close(&w); } else { win32_pause(&win32_signal); } } window_title_restore(&window_title); win32_signal_close(&win32_signal); WSACleanup(); free(win_sys_path); } void set_pause_exit_win32(void) { pause_exit_enabled = true; } bool init_security_attributes_allow_all(struct security_attributes *obj) { CLEAR(*obj); obj->sa.nLength = sizeof(SECURITY_ATTRIBUTES); obj->sa.lpSecurityDescriptor = &obj->sd; obj->sa.bInheritHandle = FALSE; if (!InitializeSecurityDescriptor(&obj->sd, SECURITY_DESCRIPTOR_REVISION)) { return false; } if (!SetSecurityDescriptorDacl(&obj->sd, TRUE, NULL, FALSE)) { return false; } return true; } void overlapped_io_init(struct overlapped_io *o, const struct frame *frame, BOOL event_state, bool tuntap_buffer) /* if true: tuntap buffer, if false: socket buffer */ { CLEAR(*o); /* manual reset event, initially set according to event_state */ o->overlapped.hEvent = CreateEvent(NULL, TRUE, event_state, NULL); if (o->overlapped.hEvent == NULL) { msg(M_ERR, "Error: overlapped_io_init: CreateEvent failed"); } /* allocate buffer for overlapped I/O */ alloc_buf_sock_tun(&o->buf_init, frame, tuntap_buffer, 0); } void overlapped_io_close(struct overlapped_io *o) { if (o->overlapped.hEvent) { if (!CloseHandle(o->overlapped.hEvent)) { msg(M_WARN | M_ERRNO, "Warning: CloseHandle failed on overlapped I/O event object"); } } free_buf(&o->buf_init); } char * overlapped_io_state_ascii(const struct overlapped_io *o) { switch (o->iostate) { case IOSTATE_INITIAL: return "0"; case IOSTATE_QUEUED: return "Q"; case IOSTATE_IMMEDIATE_RETURN: return "1"; } return "?"; } /* * Event-based notification of network events */ void init_net_event_win32(struct rw_handle *event, long network_events, socket_descriptor_t sd, unsigned int flags) { /* manual reset events, initially set to unsignaled */ /* initialize write event */ if (!(flags & NE32_PERSIST_EVENT) || !event->write) { if (flags & NE32_WRITE_EVENT) { event->write = CreateEvent(NULL, TRUE, FALSE, NULL); if (event->write == NULL) { msg(M_ERR, "Error: init_net_event_win32: CreateEvent (write) failed"); } } else { event->write = NULL; } } /* initialize read event */ if (!(flags & NE32_PERSIST_EVENT) || !event->read) { event->read = CreateEvent(NULL, TRUE, FALSE, NULL); if (event->read == NULL) { msg(M_ERR, "Error: init_net_event_win32: CreateEvent (read) failed"); } } /* setup network events to change read event state */ if (WSAEventSelect(sd, event->read, network_events) != 0) { msg(M_FATAL | M_ERRNO, "Error: init_net_event_win32: WSAEventSelect call failed"); } } long reset_net_event_win32(struct rw_handle *event, socket_descriptor_t sd) { WSANETWORKEVENTS wne; if (WSAEnumNetworkEvents(sd, event->read, &wne) != 0) { msg(M_FATAL | M_ERRNO, "Error: reset_net_event_win32: WSAEnumNetworkEvents call failed"); return 0; /* NOTREACHED */ } else { return wne.lNetworkEvents; } } void close_net_event_win32(struct rw_handle *event, socket_descriptor_t sd, unsigned int flags) { if (event->read) { if (socket_defined(sd)) { if (WSAEventSelect(sd, event->read, 0) != 0) { msg(M_WARN | M_ERRNO, "Warning: close_net_event_win32: WSAEventSelect call failed"); } } if (!ResetEvent(event->read)) { msg(M_WARN | M_ERRNO, "Warning: ResetEvent (read) failed in close_net_event_win32"); } if (!(flags & NE32_PERSIST_EVENT)) { if (!CloseHandle(event->read)) { msg(M_WARN | M_ERRNO, "Warning: CloseHandle (read) failed in close_net_event_win32"); } event->read = NULL; } } if (event->write) { if (!ResetEvent(event->write)) { msg(M_WARN | M_ERRNO, "Warning: ResetEvent (write) failed in close_net_event_win32"); } if (!(flags & NE32_PERSIST_EVENT)) { if (!CloseHandle(event->write)) { msg(M_WARN | M_ERRNO, "Warning: CloseHandle (write) failed in close_net_event_win32"); } event->write = NULL; } } } /* * struct net_event_win32 */ void net_event_win32_init(struct net_event_win32 *ne) { CLEAR(*ne); ne->sd = SOCKET_UNDEFINED; } void net_event_win32_start(struct net_event_win32 *ne, long network_events, socket_descriptor_t sd) { ASSERT(!socket_defined(ne->sd)); ne->sd = sd; ne->event_mask = 0; init_net_event_win32(&ne->handle, network_events, sd, NE32_PERSIST_EVENT|NE32_WRITE_EVENT); } void net_event_win32_reset_write(struct net_event_win32 *ne) { BOOL status; if (ne->event_mask & FD_WRITE) { status = SetEvent(ne->handle.write); } else { status = ResetEvent(ne->handle.write); } if (!status) { msg(M_WARN | M_ERRNO, "Warning: SetEvent/ResetEvent failed in net_event_win32_reset_write"); } } void net_event_win32_reset(struct net_event_win32 *ne) { ne->event_mask |= reset_net_event_win32(&ne->handle, ne->sd); } void net_event_win32_stop(struct net_event_win32 *ne) { if (net_event_win32_defined(ne)) { close_net_event_win32(&ne->handle, ne->sd, NE32_PERSIST_EVENT); } ne->sd = SOCKET_UNDEFINED; ne->event_mask = 0; } void net_event_win32_close(struct net_event_win32 *ne) { if (net_event_win32_defined(ne)) { close_net_event_win32(&ne->handle, ne->sd, 0); } net_event_win32_init(ne); } /* * Simulate *nix signals on Windows. * * Two modes: * (1) Console mode -- map keyboard function keys to signals * (2) Service mode -- map Windows event object to SIGTERM */ static void win_trigger_event(struct win32_signal *ws) { if (ws->mode == WSO_MODE_SERVICE && HANDLE_DEFINED(ws->in.read)) { SetEvent(ws->in.read); } else /* generate a key-press event */ { DWORD tmp; INPUT_RECORD ir; HANDLE stdin_handle = GetStdHandle(STD_INPUT_HANDLE); CLEAR(ir); ir.EventType = KEY_EVENT; ir.Event.KeyEvent.bKeyDown = true; if (!stdin_handle || !WriteConsoleInput(stdin_handle, &ir, 1, &tmp)) { msg(M_WARN|M_ERRNO, "WARN: win_trigger_event: WriteConsoleInput"); } } } /* * Callback to handle console ctrl events */ static bool WINAPI win_ctrl_handler(DWORD signum) { msg(D_LOW, "win_ctrl_handler: signal received (code=%lu)", (unsigned long) signum); if (siginfo_static.signal_received == SIGTERM) { return true; } switch (signum) { case CTRL_C_EVENT: case CTRL_BREAK_EVENT: throw_signal(SIGTERM); /* trigget the win32_signal to interrupt the event loop */ win_trigger_event(&win32_signal); return true; break; default: msg(D_LOW, "win_ctrl_handler: signal (code=%lu) not handled", (unsigned long) signum); break; } /* pass all other signals to the next handler */ return false; } void win32_signal_clear(struct win32_signal *ws) { CLEAR(*ws); } void win32_signal_open(struct win32_signal *ws, int force, const char *exit_event_name, bool exit_event_initial_state) { CLEAR(*ws); ws->mode = WSO_MODE_UNDEF; ws->in.read = INVALID_HANDLE_VALUE; ws->in.write = INVALID_HANDLE_VALUE; ws->console_mode_save = 0; ws->console_mode_save_defined = false; if (force == WSO_NOFORCE || force == WSO_FORCE_CONSOLE) { /* * Try to open console. */ ws->in.read = GetStdHandle(STD_INPUT_HANDLE); if (ws->in.read != INVALID_HANDLE_VALUE) { if (GetConsoleMode(ws->in.read, &ws->console_mode_save)) { /* running on a console */ const DWORD new_console_mode = ws->console_mode_save & ~(ENABLE_WINDOW_INPUT | ENABLE_PROCESSED_INPUT | ENABLE_LINE_INPUT | ENABLE_ECHO_INPUT | ENABLE_MOUSE_INPUT); if (new_console_mode != ws->console_mode_save) { if (!SetConsoleMode(ws->in.read, new_console_mode)) { msg(M_ERR, "Error: win32_signal_open: SetConsoleMode failed"); } ws->console_mode_save_defined = true; } ws->mode = WSO_MODE_CONSOLE; } else { ws->in.read = INVALID_HANDLE_VALUE; /* probably running as a service */ } } } /* * If console open failed, assume we are running * as a service. */ if ((force == WSO_NOFORCE || force == WSO_FORCE_SERVICE) && !HANDLE_DEFINED(ws->in.read) && exit_event_name) { struct security_attributes sa; if (!init_security_attributes_allow_all(&sa)) { msg(M_ERR, "Error: win32_signal_open: init SA failed"); } ws->in.read = CreateEvent(&sa.sa, TRUE, exit_event_initial_state ? TRUE : FALSE, exit_event_name); if (ws->in.read == NULL) { msg(M_WARN|M_ERRNO, "NOTE: CreateEvent '%s' failed", exit_event_name); } else { if (WaitForSingleObject(ws->in.read, 0) != WAIT_TIMEOUT) { msg(M_FATAL, "ERROR: Exit Event ('%s') is signaled", exit_event_name); } else { ws->mode = WSO_MODE_SERVICE; } } } /* set the ctrl handler in both console and service modes */ if (!SetConsoleCtrlHandler((PHANDLER_ROUTINE) win_ctrl_handler, true)) { msg(M_WARN|M_ERRNO, "WARN: SetConsoleCtrlHandler failed"); } } static bool keyboard_input_available(struct win32_signal *ws) { ASSERT(ws->mode == WSO_MODE_CONSOLE); if (HANDLE_DEFINED(ws->in.read)) { DWORD n; if (GetNumberOfConsoleInputEvents(ws->in.read, &n)) { return n > 0; } } return false; } static unsigned int keyboard_ir_to_key(INPUT_RECORD *ir) { if (ir->Event.KeyEvent.uChar.AsciiChar == 0) { return ir->Event.KeyEvent.wVirtualScanCode; } if ((ir->Event.KeyEvent.dwControlKeyState & (LEFT_ALT_PRESSED | RIGHT_ALT_PRESSED)) && (ir->Event.KeyEvent.wVirtualKeyCode != 18)) { return ir->Event.KeyEvent.wVirtualScanCode * 256; } return ir->Event.KeyEvent.uChar.AsciiChar; } static unsigned int win32_keyboard_get(struct win32_signal *ws) { ASSERT(ws->mode == WSO_MODE_CONSOLE); if (HANDLE_DEFINED(ws->in.read)) { INPUT_RECORD ir; do { DWORD n; if (!keyboard_input_available(ws)) { return 0; } if (!ReadConsoleInput(ws->in.read, &ir, 1, &n)) { return 0; } } while (ir.EventType != KEY_EVENT || ir.Event.KeyEvent.bKeyDown != TRUE); return keyboard_ir_to_key(&ir); } else { return 0; } } void win32_signal_close(struct win32_signal *ws) { if (ws->mode == WSO_MODE_SERVICE && HANDLE_DEFINED(ws->in.read)) { CloseHandle(ws->in.read); } if (ws->console_mode_save_defined) { if (!SetConsoleMode(ws->in.read, ws->console_mode_save)) { msg(M_ERR, "Error: win32_signal_close: SetConsoleMode failed"); } } CLEAR(*ws); } /* * Return true if interrupt occurs in service mode. */ bool win32_service_interrupt(struct win32_signal *ws) { if (ws->mode == WSO_MODE_SERVICE) { if (HANDLE_DEFINED(ws->in.read) && WaitForSingleObject(ws->in.read, 0) == WAIT_OBJECT_0) { return true; } } return false; } int win32_signal_get(struct win32_signal *ws) { int ret = 0; if (siginfo_static.signal_received) { ret = siginfo_static.signal_received; } else { if (ws->mode == WSO_MODE_SERVICE) { if (win32_service_interrupt(ws)) { ret = SIGTERM; } } else if (ws->mode == WSO_MODE_CONSOLE) { switch (win32_keyboard_get(ws)) { case 0x3B: /* F1 -> USR1 */ ret = SIGUSR1; break; case 0x3C: /* F2 -> USR2 */ ret = SIGUSR2; break; case 0x3D: /* F3 -> HUP */ ret = SIGHUP; break; case 0x3E: /* F4 -> TERM */ ret = SIGTERM; break; case 0x03: /* CTRL-C -> TERM */ ret = SIGTERM; break; } } if (ret) { siginfo_static.signal_received = ret; siginfo_static.source = SIG_SOURCE_HARD; } } return ret; } void win32_pause(struct win32_signal *ws) { if (ws->mode == WSO_MODE_CONSOLE && HANDLE_DEFINED(ws->in.read)) { int status; msg(M_INFO|M_NOPREFIX, "Press any key to continue..."); do { status = WaitForSingleObject(ws->in.read, INFINITE); } while (!win32_keyboard_get(ws)); } } /* window functions */ void window_title_clear(struct window_title *wt) { CLEAR(*wt); } void window_title_save(struct window_title *wt) { if (!wt->saved) { if (!GetConsoleTitle(wt->old_window_title, sizeof(wt->old_window_title))) { wt->old_window_title[0] = 0; wt->saved = false; } else { wt->saved = true; } } } void window_title_restore(const struct window_title *wt) { if (wt->saved) { SetConsoleTitle(wt->old_window_title); } } void window_title_generate(const char *title) { struct gc_arena gc = gc_new(); struct buffer out = alloc_buf_gc(256, &gc); if (!title) { title = ""; } buf_printf(&out, "[%s] " PACKAGE_NAME " " PACKAGE_VERSION " F4:EXIT F1:USR1 F2:USR2 F3:HUP", title); SetConsoleTitle(BSTR(&out)); gc_free(&gc); } /* semaphore functions */ void semaphore_clear(struct semaphore *s) { CLEAR(*s); } void semaphore_open(struct semaphore *s, const char *name) { struct security_attributes sa; s->locked = false; s->name = name; s->hand = NULL; if (init_security_attributes_allow_all(&sa)) { s->hand = CreateSemaphore(&sa.sa, 1, 1, name); } if (s->hand == NULL) { msg(M_WARN|M_ERRNO, "WARNING: Cannot create Win32 semaphore '%s'", name); } else { dmsg(D_SEMAPHORE, "Created Win32 semaphore '%s'", s->name); } } bool semaphore_lock(struct semaphore *s, int timeout_milliseconds) { bool ret = true; if (s->hand) { DWORD status; ASSERT(!s->locked); dmsg(D_SEMAPHORE_LOW, "Attempting to lock Win32 semaphore '%s' prior to net shell command (timeout = %d sec)", s->name, timeout_milliseconds / 1000); status = WaitForSingleObject(s->hand, timeout_milliseconds); if (status == WAIT_FAILED) { msg(M_ERR, "Wait failed on Win32 semaphore '%s'", s->name); } ret = (status == WAIT_TIMEOUT) ? false : true; if (ret) { dmsg(D_SEMAPHORE, "Locked Win32 semaphore '%s'", s->name); s->locked = true; } else { dmsg(D_SEMAPHORE, "Wait on Win32 semaphore '%s' timed out after %d milliseconds", s->name, timeout_milliseconds); } } return ret; } void semaphore_release(struct semaphore *s) { if (s->hand) { ASSERT(s->locked); dmsg(D_SEMAPHORE, "Releasing Win32 semaphore '%s'", s->name); if (!ReleaseSemaphore(s->hand, 1, NULL)) { msg(M_WARN | M_ERRNO, "ReleaseSemaphore failed on Win32 semaphore '%s'", s->name); } s->locked = false; } } void semaphore_close(struct semaphore *s) { if (s->hand) { if (s->locked) { semaphore_release(s); } dmsg(D_SEMAPHORE, "Closing Win32 semaphore '%s'", s->name); CloseHandle(s->hand); s->hand = NULL; } } /* * Special global semaphore used to protect network * shell commands from simultaneous instantiation. */ void netcmd_semaphore_init(void) { semaphore_open(&netcmd_semaphore, PACKAGE "_netcmd"); } void netcmd_semaphore_close(void) { semaphore_close(&netcmd_semaphore); } void netcmd_semaphore_lock(void) { const int timeout_seconds = 600; if (!netcmd_semaphore.hand) { netcmd_semaphore_init(); } if (!semaphore_lock(&netcmd_semaphore, timeout_seconds * 1000)) { msg(M_FATAL, "Cannot lock net command semaphore"); } } void netcmd_semaphore_release(void) { semaphore_release(&netcmd_semaphore); /* netcmd_semaphore has max count of 1 - safe to close after release */ semaphore_close(&netcmd_semaphore); } /* * Return true if filename is safe to be used on Windows, * by avoiding the following reserved names: * * CON, PRN, AUX, NUL, COM1, COM2, COM3, COM4, COM5, COM6, COM7, COM8, COM9, * LPT1, LPT2, LPT3, LPT4, LPT5, LPT6, LPT7, LPT8, LPT9, and CLOCK$ * * See: http://msdn.microsoft.com/en-us/library/aa365247.aspx * and http://msdn.microsoft.com/en-us/library/86k9f82k(VS.80).aspx */ static bool cmp_prefix(const char *str, const bool n, const char *pre) { size_t i = 0; if (!str) { return false; } while (true) { const int c1 = pre[i]; int c2 = str[i]; ++i; if (c1 == '\0') { if (n) { if (isdigit(c2)) { c2 = str[i]; } else { return false; } } return c2 == '\0' || c2 == '.'; } else if (c2 == '\0') { return false; } if (c1 != tolower(c2)) { return false; } } } bool win_safe_filename(const char *fn) { if (cmp_prefix(fn, false, "con")) { return false; } if (cmp_prefix(fn, false, "prn")) { return false; } if (cmp_prefix(fn, false, "aux")) { return false; } if (cmp_prefix(fn, false, "nul")) { return false; } if (cmp_prefix(fn, true, "com")) { return false; } if (cmp_prefix(fn, true, "lpt")) { return false; } if (cmp_prefix(fn, false, "clock$")) { return false; } return true; } /* * Service functions for openvpn_execve */ static char * env_block(const struct env_set *es) { char force_path[256]; char *sysroot = get_win_sys_path(); if (!openvpn_snprintf(force_path, sizeof(force_path), "PATH=%s\\System32;%s;%s\\System32\\Wbem", sysroot, sysroot, sysroot)) { msg(M_WARN, "env_block: default path truncated to %s", force_path); } if (es) { struct env_item *e; char *ret; char *p; size_t nchars = 1; bool path_seen = false; for (e = es->list; e != NULL; e = e->next) { nchars += strlen(e->string) + 1; } nchars += strlen(force_path)+1; ret = (char *) malloc(nchars); check_malloc_return(ret); p = ret; for (e = es->list; e != NULL; e = e->next) { if (env_allowed(e->string)) { strcpy(p, e->string); p += strlen(e->string) + 1; } if (strncmp(e->string, "PATH=", 5 ) == 0) { path_seen = true; } } /* make sure PATH is set */ if (!path_seen) { msg( M_INFO, "env_block: add %s", force_path ); strcpy( p, force_path ); p += strlen(force_path) + 1; } *p = '\0'; return ret; } else { return NULL; } } static WCHAR * wide_cmd_line(const struct argv *a, struct gc_arena *gc) { size_t nchars = 1; size_t maxlen = 0; size_t i; struct buffer buf; char *work = NULL; if (!a) { return NULL; } for (i = 0; i < a->argc; ++i) { const char *arg = a->argv[i]; const size_t len = strlen(arg); nchars += len + 3; if (len > maxlen) { maxlen = len; } } work = gc_malloc(maxlen + 1, false, gc); check_malloc_return(work); buf = alloc_buf_gc(nchars, gc); for (i = 0; i < a->argc; ++i) { const char *arg = a->argv[i]; strcpy(work, arg); string_mod(work, CC_PRINT, CC_DOUBLE_QUOTE|CC_CRLF, '_'); if (i) { buf_printf(&buf, " "); } if (string_class(work, CC_ANY, CC_SPACE)) { buf_printf(&buf, "%s", work); } else { buf_printf(&buf, "\"%s\"", work); } } return wide_string(BSTR(&buf), gc); } /* * Attempt to simulate fork/execve on Windows */ int openvpn_execve(const struct argv *a, const struct env_set *es, const unsigned int flags) { int ret = -1; static bool exec_warn = false; if (a && a->argv[0]) { if (openvpn_execve_allowed(flags)) { struct gc_arena gc = gc_new(); STARTUPINFOW start_info; PROCESS_INFORMATION proc_info; char *env = env_block(es); WCHAR *cl = wide_cmd_line(a, &gc); WCHAR *cmd = wide_string(a->argv[0], &gc); /* this allows console programs to run, and is ignored otherwise */ DWORD proc_flags = CREATE_NO_WINDOW; CLEAR(start_info); CLEAR(proc_info); /* fill in STARTUPINFO struct */ GetStartupInfoW(&start_info); start_info.cb = sizeof(start_info); start_info.dwFlags = STARTF_USESHOWWINDOW; start_info.wShowWindow = SW_HIDE; if (CreateProcessW(cmd, cl, NULL, NULL, FALSE, proc_flags, env, NULL, &start_info, &proc_info)) { DWORD exit_status = 0; CloseHandle(proc_info.hThread); WaitForSingleObject(proc_info.hProcess, INFINITE); if (GetExitCodeProcess(proc_info.hProcess, &exit_status)) { ret = (int)exit_status; } else { msg(M_WARN|M_ERRNO, "openvpn_execve: GetExitCodeProcess %S failed", cmd); } CloseHandle(proc_info.hProcess); } else { msg(M_WARN|M_ERRNO, "openvpn_execve: CreateProcess %S failed", cmd); } free(env); gc_free(&gc); } else if (!exec_warn && (script_security < SSEC_SCRIPTS)) { msg(M_WARN, SCRIPT_SECURITY_WARNING); exec_warn = true; } } else { msg(M_WARN, "openvpn_execve: called with empty argv"); } return ret; } WCHAR * wide_string(const char *utf8, struct gc_arena *gc) { int n = MultiByteToWideChar(CP_UTF8, 0, utf8, -1, NULL, 0); WCHAR *ucs16 = gc_malloc(n * sizeof(WCHAR), false, gc); MultiByteToWideChar(CP_UTF8, 0, utf8, -1, ucs16, n); return ucs16; } /* * call ourself in another process */ void fork_to_self(const char *cmdline) { STARTUPINFO start_info; PROCESS_INFORMATION proc_info; char self_exe[256]; char *cl = string_alloc(cmdline, NULL); DWORD status; CLEAR(start_info); CLEAR(proc_info); CLEAR(self_exe); status = GetModuleFileName(NULL, self_exe, sizeof(self_exe)); if (status == 0 || status == sizeof(self_exe)) { msg(M_WARN|M_ERRNO, "fork_to_self: CreateProcess failed: cannot get module name via GetModuleFileName"); goto done; } /* fill in STARTUPINFO struct */ GetStartupInfo(&start_info); start_info.cb = sizeof(start_info); start_info.dwFlags = STARTF_USESHOWWINDOW; start_info.wShowWindow = SW_HIDE; if (CreateProcess(self_exe, cl, NULL, NULL, FALSE, 0, NULL, NULL, &start_info, &proc_info)) { CloseHandle(proc_info.hThread); CloseHandle(proc_info.hProcess); } else { msg(M_WARN|M_ERRNO, "fork_to_self: CreateProcess failed: %s", cmdline); } done: free(cl); } char * get_win_sys_path(void) { ASSERT(win_sys_path); return win_sys_path; } void set_win_sys_path(const char *newpath, struct env_set *es) { free(win_sys_path); win_sys_path = string_alloc(newpath, NULL); setenv_str(es, SYS_PATH_ENV_VAR_NAME, win_sys_path); /* route.exe needs this */ } void set_win_sys_path_via_env(struct env_set *es) { char buf[256]; DWORD status = GetEnvironmentVariable(SYS_PATH_ENV_VAR_NAME, buf, sizeof(buf)); if (!status) { msg(M_ERR, "Cannot find environmental variable %s", SYS_PATH_ENV_VAR_NAME); } if (status > sizeof(buf) - 1) { msg(M_FATAL, "String overflow attempting to read environmental variable %s", SYS_PATH_ENV_VAR_NAME); } set_win_sys_path(buf, es); } const char * win_get_tempdir(void) { static char tmpdir[MAX_PATH]; WCHAR wtmpdir[MAX_PATH]; if (!GetTempPathW(_countof(wtmpdir), wtmpdir)) { /* Warn if we can't find a valid temporary directory, which should * be unlikely. */ msg(M_WARN, "Could not find a suitable temporary directory." " (GetTempPath() failed). Consider using --tmp-dir"); return NULL; } if (WideCharToMultiByte(CP_UTF8, 0, wtmpdir, -1, NULL, 0, NULL, NULL) > sizeof(tmpdir)) { msg(M_WARN, "Could not get temporary directory. Path is too long." " Consider using --tmp-dir"); return NULL; } WideCharToMultiByte(CP_UTF8, 0, wtmpdir, -1, tmpdir, sizeof(tmpdir), NULL, NULL); return tmpdir; } static bool win_block_dns_service(bool add, int index, const HANDLE pipe) { DWORD len; bool ret = false; ack_message_t ack; struct gc_arena gc = gc_new(); block_dns_message_t data = { .header = { (add ? msg_add_block_dns : msg_del_block_dns), sizeof(block_dns_message_t), 0 }, .iface = { .index = index, .name = "" } }; if (!WriteFile(pipe, &data, sizeof(data), &len, NULL) || !ReadFile(pipe, &ack, sizeof(ack), &len, NULL)) { msg(M_WARN, "Block_DNS: could not talk to service: %s [%lu]", strerror_win32(GetLastError(), &gc), GetLastError()); goto out; } if (ack.error_number != NO_ERROR) { msg(M_WARN, "Block_DNS: %s block dns filters using service failed: %s [status=0x%x if_index=%d]", (add ? "adding" : "deleting"), strerror_win32(ack.error_number, &gc), ack.error_number, data.iface.index); goto out; } ret = true; msg(M_INFO, "%s outside dns using service succeeded.", (add ? "Blocking" : "Unblocking")); out: gc_free(&gc); return ret; } static void block_dns_msg_handler(DWORD err, const char *msg) { struct gc_arena gc = gc_new(); if (err == 0) { msg(M_INFO, "%s", msg); } else { msg(M_WARN, "Error in add_block_dns_filters(): %s : %s [status=0x%lx]", msg, strerror_win32(err, &gc), err); } gc_free(&gc); } bool win_wfp_block_dns(const NET_IFINDEX index, const HANDLE msg_channel) { WCHAR openvpnpath[MAX_PATH]; bool ret = false; DWORD status; if (msg_channel) { dmsg(D_LOW, "Using service to add block dns filters"); ret = win_block_dns_service(true, index, msg_channel); goto out; } status = GetModuleFileNameW(NULL, openvpnpath, _countof(openvpnpath)); if (status == 0 || status == _countof(openvpnpath)) { msg(M_WARN|M_ERRNO, "block_dns: cannot get executable path"); goto out; } status = add_block_dns_filters(&m_hEngineHandle, index, openvpnpath, block_dns_msg_handler); if (status == 0) { tap_metric_v4 = get_interface_metric(index, AF_INET); tap_metric_v6 = get_interface_metric(index, AF_INET6); if (tap_metric_v4 < 0) { /* error, should not restore metric */ tap_metric_v4 = -1; } if (tap_metric_v6 < 0) { /* error, should not restore metric */ tap_metric_v6 = -1; } status = set_interface_metric(index, AF_INET, BLOCK_DNS_IFACE_METRIC); if (!status) { set_interface_metric(index, AF_INET6, BLOCK_DNS_IFACE_METRIC); } } ret = (status == 0); out: return ret; } bool win_wfp_uninit(const NET_IFINDEX index, const HANDLE msg_channel) { dmsg(D_LOW, "Uninitializing WFP"); if (msg_channel) { msg(D_LOW, "Using service to delete block dns filters"); win_block_dns_service(false, index, msg_channel); } else { delete_block_dns_filters(m_hEngineHandle); m_hEngineHandle = NULL; if (tap_metric_v4 >= 0) { set_interface_metric(index, AF_INET, tap_metric_v4); } if (tap_metric_v6 >= 0) { set_interface_metric(index, AF_INET6, tap_metric_v6); } } return true; } int win32_version_info(void) { if (!IsWindowsXPOrGreater()) { msg(M_FATAL, "Error: Windows version must be XP or greater."); } if (!IsWindowsVistaOrGreater()) { return WIN_XP; } if (!IsWindows7OrGreater()) { return WIN_VISTA; } if (!IsWindows8OrGreater()) { return WIN_7; } else { return WIN_8; } } bool win32_is_64bit(void) { #if defined(_WIN64) return true; /* 64-bit programs run only on Win64 */ #elif defined(_WIN32) /* 32-bit programs run on both 32-bit and 64-bit Windows */ BOOL f64 = FALSE; return IsWow64Process(GetCurrentProcess(), &f64) && f64; #else /* if defined(_WIN64) */ return false; /* Win64 does not support Win16 */ #endif } const char * win32_version_string(struct gc_arena *gc, bool add_name) { int version = win32_version_info(); struct buffer out = alloc_buf_gc(256, gc); switch (version) { case WIN_XP: buf_printf(&out, "5.1%s", add_name ? " (Windows XP)" : ""); break; case WIN_VISTA: buf_printf(&out, "6.0%s", add_name ? " (Windows Vista)" : ""); break; case WIN_7: buf_printf(&out, "6.1%s", add_name ? " (Windows 7)" : ""); break; case WIN_8: buf_printf(&out, "6.2%s", add_name ? " (Windows 8 or greater)" : ""); break; default: msg(M_NONFATAL, "Unknown Windows version: %d", version); buf_printf(&out, "0.0%s", add_name ? " (unknown)" : ""); break; } buf_printf(&out, win32_is_64bit() ? " 64bit" : " 32bit"); return (const char *)out.data; } #endif /* ifdef _WIN32 */ openvpn-2.4.4/src/openvpn/win32.h000066400000000000000000000200721316434344000166000ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifdef _WIN32 #ifndef OPENVPN_WIN32_H #define OPENVPN_WIN32_H #include "mtu.h" /* location of executables */ #define SYS_PATH_ENV_VAR_NAME "SystemRoot" /* environmental variable name that normally contains the system path */ #define NETSH_PATH_SUFFIX "\\system32\\netsh.exe" #define WIN_ROUTE_PATH_SUFFIX "\\system32\\route.exe" #define WIN_IPCONFIG_PATH_SUFFIX "\\system32\\ipconfig.exe" #define WIN_NET_PATH_SUFFIX "\\system32\\net.exe" /* * Win32-specific OpenVPN code, targetted at the mingw * development environment. */ /* MSVC headers do not define this macro, so do it here */ #ifndef IN6_ARE_ADDR_EQUAL #define IN6_ARE_ADDR_EQUAL(a,b) \ (memcmp((const void *)(a), (const void *)(b), sizeof(struct in6_addr)) == 0) #endif void init_win32(void); void uninit_win32(void); void set_pause_exit_win32(void); struct security_attributes { SECURITY_ATTRIBUTES sa; SECURITY_DESCRIPTOR sd; }; #define HANDLE_DEFINED(h) ((h) != NULL && (h) != INVALID_HANDLE_VALUE) /* * Save old window title. */ struct window_title { bool saved; char old_window_title [256]; }; struct rw_handle { HANDLE read; HANDLE write; }; /* * Event-based notification of incoming TCP connections */ #define NE32_PERSIST_EVENT (1<<0) #define NE32_WRITE_EVENT (1<<1) static inline bool defined_net_event_win32(const struct rw_handle *event) { return event->read != NULL; } void init_net_event_win32(struct rw_handle *event, long network_events, socket_descriptor_t sd, unsigned int flags); long reset_net_event_win32(struct rw_handle *event, socket_descriptor_t sd); void close_net_event_win32(struct rw_handle *event, socket_descriptor_t sd, unsigned int flags); /* * A stateful variant of the net_event_win32 functions above */ struct net_event_win32 { struct rw_handle handle; socket_descriptor_t sd; long event_mask; }; void net_event_win32_init(struct net_event_win32 *ne); void net_event_win32_start(struct net_event_win32 *ne, long network_events, socket_descriptor_t sd); void net_event_win32_reset(struct net_event_win32 *ne); void net_event_win32_reset_write(struct net_event_win32 *ne); void net_event_win32_stop(struct net_event_win32 *ne); void net_event_win32_close(struct net_event_win32 *ne); static inline bool net_event_win32_defined(const struct net_event_win32 *ne) { return defined_net_event_win32(&ne->handle); } static inline struct rw_handle * net_event_win32_get_event(struct net_event_win32 *ne) { return &ne->handle; } static inline long net_event_win32_get_event_mask(const struct net_event_win32 *ne) { return ne->event_mask; } static inline void net_event_win32_clear_selected_events(struct net_event_win32 *ne, long selected_events) { ne->event_mask &= ~selected_events; } /* * Signal handling */ struct win32_signal { #define WSO_MODE_UNDEF 0 #define WSO_MODE_SERVICE 1 #define WSO_MODE_CONSOLE 2 int mode; struct rw_handle in; DWORD console_mode_save; bool console_mode_save_defined; }; extern struct win32_signal win32_signal; /* static/global */ extern struct window_title window_title; /* static/global */ void win32_signal_clear(struct win32_signal *ws); /* win32_signal_open startup type */ #define WSO_NOFORCE 0 #define WSO_FORCE_SERVICE 1 #define WSO_FORCE_CONSOLE 2 void win32_signal_open(struct win32_signal *ws, int force, /* set to WSO force parm */ const char *exit_event_name, bool exit_event_initial_state); void win32_signal_close(struct win32_signal *ws); int win32_signal_get(struct win32_signal *ws); void win32_pause(struct win32_signal *ws); bool win32_service_interrupt(struct win32_signal *ws); /* * Set the text on the window title bar */ void window_title_clear(struct window_title *wt); void window_title_save(struct window_title *wt); void window_title_restore(const struct window_title *wt); void window_title_generate(const char *title); /* * We try to do all Win32 I/O using overlapped * (i.e. asynchronous) I/O for a performance win. */ struct overlapped_io { #define IOSTATE_INITIAL 0 #define IOSTATE_QUEUED 1 /* overlapped I/O has been queued */ #define IOSTATE_IMMEDIATE_RETURN 2 /* I/O function returned immediately without queueing */ int iostate; OVERLAPPED overlapped; DWORD size; DWORD flags; int status; bool addr_defined; union { struct sockaddr_in addr; struct sockaddr_in6 addr6; }; int addrlen; struct buffer buf_init; struct buffer buf; }; void overlapped_io_init(struct overlapped_io *o, const struct frame *frame, BOOL event_state, bool tuntap_buffer); void overlapped_io_close(struct overlapped_io *o); static inline bool overlapped_io_active(struct overlapped_io *o) { return o->iostate == IOSTATE_QUEUED || o->iostate == IOSTATE_IMMEDIATE_RETURN; } char *overlapped_io_state_ascii(const struct overlapped_io *o); /* * Use to control access to resources that only one * OpenVPN process on a given machine can access at * a given time. */ struct semaphore { const char *name; bool locked; HANDLE hand; }; void semaphore_clear(struct semaphore *s); void semaphore_open(struct semaphore *s, const char *name); bool semaphore_lock(struct semaphore *s, int timeout_milliseconds); void semaphore_release(struct semaphore *s); void semaphore_close(struct semaphore *s); /* * Special global semaphore used to protect network * shell commands from simultaneous instantiation. * * It seems you can't run more than one instance * of netsh on the same machine at the same time. */ extern struct semaphore netcmd_semaphore; void netcmd_semaphore_init(void); void netcmd_semaphore_close(void); void netcmd_semaphore_lock(void); void netcmd_semaphore_release(void); /* Set Win32 security attributes structure to allow all access */ bool init_security_attributes_allow_all(struct security_attributes *obj); /* return true if filename is safe to be used on Windows */ bool win_safe_filename(const char *fn); /* add constant environmental variables needed by Windows */ struct env_set; /* get and set the current windows system path */ void set_win_sys_path(const char *newpath, struct env_set *es); void set_win_sys_path_via_env(struct env_set *es); char *get_win_sys_path(void); /* call self in a subprocess */ void fork_to_self(const char *cmdline); /* Find temporary directory */ const char *win_get_tempdir(void); /* Convert a string from UTF-8 to UCS-2 */ WCHAR *wide_string(const char *utf8, struct gc_arena *gc); bool win_wfp_block_dns(const NET_IFINDEX index, const HANDLE msg_channel); bool win_wfp_uninit(const NET_IFINDEX index, const HANDLE msg_channel); #define WIN_XP 0 #define WIN_VISTA 1 #define WIN_7 2 #define WIN_8 3 int win32_version_info(void); /* * String representation of Windows version number and name, see * https://msdn.microsoft.com/en-us/library/windows/desktop/ms724832(v=vs.85).aspx */ const char *win32_version_string(struct gc_arena *gc, bool add_name); #endif /* ifndef OPENVPN_WIN32_H */ #endif /* ifdef _WIN32 */ openvpn-2.4.4/src/openvpnserv/000077500000000000000000000000001316434344000163645ustar00rootroot00000000000000openvpn-2.4.4/src/openvpnserv/Makefile.am000066400000000000000000000022221316434344000204160ustar00rootroot00000000000000# # OpenVPN -- An application to securely tunnel IP networks # over a single UDP port, with support for SSL/TLS-based # session authentication and key exchange, # packet encryption, packet authentication, and # packet compression. # # Copyright (C) 2002-2017 OpenVPN Technologies, Inc. # Copyright (C) 2006-2012 Alon Bar-Lev # include $(top_srcdir)/build/ltrc.inc MAINTAINERCLEANFILES = $(srcdir)/Makefile.in EXTRA_DIST = \ openvpnserv.vcxproj \ openvpnserv.vcxproj.filters AM_CPPFLAGS = \ -I$(top_srcdir)/include -I$(top_srcdir)/src/openvpn -I$(top_srcdir)/src/compat if WIN32 sbin_PROGRAMS = openvpnserv openvpnserv_CFLAGS = \ -municode -D_UNICODE \ -UNTDDI_VERSION -U_WIN32_WINNT \ -D_WIN32_WINNT=_WIN32_WINNT_VISTA openvpnserv_LDADD = -ladvapi32 -luserenv -liphlpapi -lfwpuclnt -lrpcrt4 -lshlwapi -lnetapi32 -lws2_32 -lntdll endif openvpnserv_SOURCES = \ common.c \ automatic.c \ interactive.c \ service.c service.h \ validate.c validate.h \ $(top_srcdir)/src/openvpn/block_dns.c $(top_srcdir)/src/openvpn/block_dns.h \ openvpnserv_resources.rc openvpn-2.4.4/src/openvpnserv/Makefile.in000066400000000000000000001062011316434344000204310ustar00rootroot00000000000000# Makefile.in generated by automake 1.14.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2013 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY, to the extent permitted by law; without # even the implied warranty of MERCHANTABILITY or FITNESS FOR A # PARTICULAR PURPOSE. @SET_MAKE@ # # OpenVPN -- An application to securely tunnel IP networks # over a single UDP port, with support for SSL/TLS-based # session authentication and key exchange, # packet encryption, packet authentication, and # packet compression. # # Copyright (C) 2002-2017 OpenVPN Technologies, Inc. # Copyright (C) 2006-2012 Alon Bar-Lev # # # OpenVPN -- An application to securely tunnel IP networks # over a single UDP port, with support for SSL/TLS-based # session authentication and key exchange, # packet encryption, packet authentication, and # packet compression. # # Copyright (C) 2008-2012 Alon Bar-Lev # # Required to build Windows resource file VPATH = @srcdir@ am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ *) echo "am__make_running_with_option: internal error: invalid" \ "target option '$${target_option-}' specified" >&2; \ exit 1;; \ esac; \ has_opt=no; \ sane_makeflags=$$MAKEFLAGS; \ if $(am__is_gnu_make); then \ sane_makeflags=$$MFLAGS; \ else \ case $$MAKEFLAGS in \ *\\[\ \ ]*) \ bs=\\; \ sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ esac; \ fi; \ skip_next=no; \ strip_trailopt () \ { \ flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ }; \ for flg in $$sane_makeflags; do \ test $$skip_next = yes && { skip_next=no; continue; }; \ case $$flg in \ *=*|--*) continue;; \ -*I) strip_trailopt 'I'; skip_next=yes;; \ -*I?*) strip_trailopt 'I';; \ -*O) strip_trailopt 'O'; skip_next=yes;; \ -*O?*) strip_trailopt 'O';; \ -*l) strip_trailopt 'l'; skip_next=yes;; \ -*l?*) strip_trailopt 'l';; \ -[dEDm]) skip_next=yes;; \ -[JT]) skip_next=yes;; \ esac; \ case $$flg in \ *$$target_option*) has_opt=yes; break;; \ esac; \ done; \ test $$has_opt = yes am__make_dryrun = (target_option=n; $(am__make_running_with_option)) am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) pkgdatadir = $(datadir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ pkglibdir = $(libdir)/@PACKAGE@ pkglibexecdir = $(libexecdir)/@PACKAGE@ am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c install_sh_SCRIPT = $(install_sh) -c INSTALL_HEADER = $(INSTALL_DATA) transform = $(program_transform_name) NORMAL_INSTALL = : PRE_INSTALL = : POST_INSTALL = : NORMAL_UNINSTALL = : PRE_UNINSTALL = : POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ DIST_COMMON = $(top_srcdir)/build/ltrc.inc $(srcdir)/Makefile.in \ $(srcdir)/Makefile.am $(top_srcdir)/depcomp @WIN32_TRUE@sbin_PROGRAMS = openvpnserv$(EXEEXT) subdir = src/openvpnserv ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/ax_emptyarray.m4 \ $(top_srcdir)/m4/ax_socklen_t.m4 \ $(top_srcdir)/m4/ax_varargs.m4 $(top_srcdir)/m4/libtool.m4 \ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ $(top_srcdir)/m4/pkg.m4 $(top_srcdir)/version.m4 \ $(top_srcdir)/compat.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h \ $(top_builddir)/include/openvpn-plugin.h CONFIG_CLEAN_FILES = CONFIG_CLEAN_VPATH_FILES = am__installdirs = "$(DESTDIR)$(sbindir)" PROGRAMS = $(sbin_PROGRAMS) am_openvpnserv_OBJECTS = openvpnserv-common.$(OBJEXT) \ openvpnserv-automatic.$(OBJEXT) \ openvpnserv-interactive.$(OBJEXT) \ openvpnserv-service.$(OBJEXT) openvpnserv-validate.$(OBJEXT) \ openvpnserv-block_dns.$(OBJEXT) \ openvpnserv_resources.$(OBJEXT) openvpnserv_OBJECTS = $(am_openvpnserv_OBJECTS) openvpnserv_DEPENDENCIES = AM_V_lt = $(am__v_lt_@AM_V@) am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) am__v_lt_0 = --silent am__v_lt_1 = openvpnserv_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(openvpnserv_CFLAGS) \ $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@ AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false am__v_P_1 = : AM_V_GEN = $(am__v_GEN_@AM_V@) am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) am__v_GEN_0 = @echo " GEN " $@; am__v_GEN_1 = AM_V_at = $(am__v_at_@AM_V@) am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) am__v_at_0 = @ am__v_at_1 = DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) -I$(top_builddir)/include depcomp = $(SHELL) $(top_srcdir)/depcomp am__depfiles_maybe = depfiles am__mv = mv -f COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \ $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ $(AM_CFLAGS) $(CFLAGS) AM_V_CC = $(am__v_CC_@AM_V@) am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@) am__v_CC_0 = @echo " CC " $@; am__v_CC_1 = CCLD = $(CC) LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ $(AM_LDFLAGS) $(LDFLAGS) -o $@ AM_V_CCLD = $(am__v_CCLD_@AM_V@) am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) am__v_CCLD_0 = @echo " CCLD " $@; am__v_CCLD_1 = SOURCES = $(openvpnserv_SOURCES) DIST_SOURCES = $(openvpnserv_SOURCES) am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ *) (install-info --version) >/dev/null 2>&1;; \ esac am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) # Read a list of newline-separated strings from the standard input, # and print each of them once, without duplicates. Input order is # *not* preserved. am__uniquify_input = $(AWK) '\ BEGIN { nonempty = 0; } \ { items[$$0] = 1; nonempty = 1; } \ END { if (nonempty) { for (i in items) print i; }; } \ ' # Make sure the list of sources is unique. This is necessary because, # e.g., the same source file might be shared among _SOURCES variables # for different programs/libraries. am__define_uniq_tagged_files = \ list='$(am__tagged_files)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ AS = @AS@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ CMAKE = @CMAKE@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ DL_LIBS = @DL_LIBS@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ GIT = @GIT@ GREP = @GREP@ IFCONFIG = @IFCONFIG@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ IPROUTE = @IPROUTE@ LD = @LD@ LDFLAGS = @LDFLAGS@ LIBOBJS = @LIBOBJS@ LIBPAM_CFLAGS = @LIBPAM_CFLAGS@ LIBPAM_LIBS = @LIBPAM_LIBS@ LIBS = @LIBS@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ LZ4_CFLAGS = @LZ4_CFLAGS@ LZ4_LIBS = @LZ4_LIBS@ LZO_CFLAGS = @LZO_CFLAGS@ LZO_LIBS = @LZO_LIBS@ MAKEINFO = @MAKEINFO@ MAN2HTML = @MAN2HTML@ MANIFEST_TOOL = @MANIFEST_TOOL@ MBEDTLS_CFLAGS = @MBEDTLS_CFLAGS@ MBEDTLS_LIBS = @MBEDTLS_LIBS@ MKDIR_P = @MKDIR_P@ NETSTAT = @NETSTAT@ NM = @NM@ NMEDIT = @NMEDIT@ OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ OPENSSL_CFLAGS = @OPENSSL_CFLAGS@ OPENSSL_LIBS = @OPENSSL_LIBS@ OPENVPN_VERSION_MAJOR = @OPENVPN_VERSION_MAJOR@ OPENVPN_VERSION_MINOR = @OPENVPN_VERSION_MINOR@ OPENVPN_VERSION_PATCH = @OPENVPN_VERSION_PATCH@ OPTIONAL_CRYPTO_CFLAGS = @OPTIONAL_CRYPTO_CFLAGS@ OPTIONAL_CRYPTO_LIBS = @OPTIONAL_CRYPTO_LIBS@ OPTIONAL_DL_LIBS = @OPTIONAL_DL_LIBS@ OPTIONAL_LZ4_CFLAGS = @OPTIONAL_LZ4_CFLAGS@ OPTIONAL_LZ4_LIBS = @OPTIONAL_LZ4_LIBS@ OPTIONAL_LZO_CFLAGS = @OPTIONAL_LZO_CFLAGS@ OPTIONAL_LZO_LIBS = @OPTIONAL_LZO_LIBS@ OPTIONAL_PKCS11_HELPER_CFLAGS = @OPTIONAL_PKCS11_HELPER_CFLAGS@ OPTIONAL_PKCS11_HELPER_LIBS = @OPTIONAL_PKCS11_HELPER_LIBS@ OPTIONAL_SELINUX_LIBS = @OPTIONAL_SELINUX_LIBS@ OPTIONAL_SYSTEMD_LIBS = @OPTIONAL_SYSTEMD_LIBS@ OTOOL = @OTOOL@ OTOOL64 = @OTOOL64@ P11KIT_CFLAGS = @P11KIT_CFLAGS@ P11KIT_LIBS = @P11KIT_LIBS@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PKCS11_HELPER_CFLAGS = @PKCS11_HELPER_CFLAGS@ PKCS11_HELPER_LIBS = @PKCS11_HELPER_LIBS@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGINDIR = @PLUGINDIR@ PLUGIN_AUTH_PAM_CFLAGS = @PLUGIN_AUTH_PAM_CFLAGS@ PLUGIN_AUTH_PAM_LIBS = @PLUGIN_AUTH_PAM_LIBS@ RANLIB = @RANLIB@ RC = @RC@ ROUTE = @ROUTE@ SED = @SED@ SELINUX_LIBS = @SELINUX_LIBS@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ SOCKETS_LIBS = @SOCKETS_LIBS@ STRIP = @STRIP@ SYSTEMD_ASK_PASSWORD = @SYSTEMD_ASK_PASSWORD@ SYSTEMD_UNIT_DIR = @SYSTEMD_UNIT_DIR@ TAP_CFLAGS = @TAP_CFLAGS@ TAP_WIN_COMPONENT_ID = @TAP_WIN_COMPONENT_ID@ TAP_WIN_MIN_MAJOR = @TAP_WIN_MIN_MAJOR@ TAP_WIN_MIN_MINOR = @TAP_WIN_MIN_MINOR@ TEST_CFLAGS = @TEST_CFLAGS@ TEST_LDFLAGS = @TEST_LDFLAGS@ TMPFILES_DIR = @TMPFILES_DIR@ VENDOR_BUILD_ROOT = @VENDOR_BUILD_ROOT@ VENDOR_DIST_ROOT = @VENDOR_DIST_ROOT@ VENDOR_SRC_ROOT = @VENDOR_SRC_ROOT@ VERSION = @VERSION@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ ac_ct_AR = @ac_ct_AR@ ac_ct_CC = @ac_ct_CC@ ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ am__include = @am__include@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ am__tar = @am__tar@ am__untar = @am__untar@ bindir = @bindir@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ datadir = @datadir@ datarootdir = @datarootdir@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ host_os = @host_os@ host_vendor = @host_vendor@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ libdir = @libdir@ libexecdir = @libexecdir@ libsystemd_CFLAGS = @libsystemd_CFLAGS@ libsystemd_LIBS = @libsystemd_LIBS@ localedir = @localedir@ localstatedir = @localstatedir@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ pdfdir = @pdfdir@ plugindir = @plugindir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ sampledir = @sampledir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ systemdunitdir = @systemdunitdir@ target_alias = @target_alias@ tmpfilesdir = @tmpfilesdir@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ RCCOMPILE = $(RC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ $(AM_CPPFLAGS) $(CPPFLAGS) LTRCCOMPILE = $(LIBTOOL) --mode=compile --tag=RC $(RCCOMPILE) MAINTAINERCLEANFILES = $(srcdir)/Makefile.in EXTRA_DIST = \ openvpnserv.vcxproj \ openvpnserv.vcxproj.filters AM_CPPFLAGS = \ -I$(top_srcdir)/include -I$(top_srcdir)/src/openvpn -I$(top_srcdir)/src/compat @WIN32_TRUE@openvpnserv_CFLAGS = \ @WIN32_TRUE@ -municode -D_UNICODE \ @WIN32_TRUE@ -UNTDDI_VERSION -U_WIN32_WINNT \ @WIN32_TRUE@ -D_WIN32_WINNT=_WIN32_WINNT_VISTA @WIN32_TRUE@openvpnserv_LDADD = -ladvapi32 -luserenv -liphlpapi -lfwpuclnt -lrpcrt4 -lshlwapi -lnetapi32 -lws2_32 -lntdll openvpnserv_SOURCES = \ common.c \ automatic.c \ interactive.c \ service.c service.h \ validate.c validate.h \ $(top_srcdir)/src/openvpn/block_dns.c $(top_srcdir)/src/openvpn/block_dns.h \ openvpnserv_resources.rc all: all-am .SUFFIXES: .SUFFIXES: .c .lo .mc .o .obj .rc $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(top_srcdir)/build/ltrc.inc $(am__configure_deps) @for dep in $?; do \ case '$(am__configure_deps)' in \ *$$dep*) \ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ && { if test -f $@; then exit 0; else break; fi; }; \ exit 1;; \ esac; \ done; \ echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/openvpnserv/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --foreign src/openvpnserv/Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ *) \ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ esac; $(top_srcdir)/build/ltrc.inc: $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(top_srcdir)/configure: $(am__configure_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(ACLOCAL_M4): $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(am__aclocal_m4_deps): install-sbinPROGRAMS: $(sbin_PROGRAMS) @$(NORMAL_INSTALL) @list='$(sbin_PROGRAMS)'; test -n "$(sbindir)" || list=; \ if test -n "$$list"; then \ echo " $(MKDIR_P) '$(DESTDIR)$(sbindir)'"; \ $(MKDIR_P) "$(DESTDIR)$(sbindir)" || exit 1; \ fi; \ for p in $$list; do echo "$$p $$p"; done | \ sed 's/$(EXEEXT)$$//' | \ while read p p1; do if test -f $$p \ || test -f $$p1 \ ; then echo "$$p"; echo "$$p"; else :; fi; \ done | \ sed -e 'p;s,.*/,,;n;h' \ -e 's|.*|.|' \ -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \ sed 'N;N;N;s,\n, ,g' | \ $(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \ { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \ if ($$2 == $$4) files[d] = files[d] " " $$1; \ else { print "f", $$3 "/" $$4, $$1; } } \ END { for (d in files) print "f", d, files[d] }' | \ while read type dir files; do \ if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \ test -z "$$files" || { \ echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(sbindir)$$dir'"; \ $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(sbindir)$$dir" || exit $$?; \ } \ ; done uninstall-sbinPROGRAMS: @$(NORMAL_UNINSTALL) @list='$(sbin_PROGRAMS)'; test -n "$(sbindir)" || list=; \ files=`for p in $$list; do echo "$$p"; done | \ sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \ -e 's/$$/$(EXEEXT)/' \ `; \ test -n "$$list" || exit 0; \ echo " ( cd '$(DESTDIR)$(sbindir)' && rm -f" $$files ")"; \ cd "$(DESTDIR)$(sbindir)" && rm -f $$files clean-sbinPROGRAMS: @list='$(sbin_PROGRAMS)'; test -n "$$list" || exit 0; \ echo " rm -f" $$list; \ rm -f $$list || exit $$?; \ test -n "$(EXEEXT)" || exit 0; \ list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \ echo " rm -f" $$list; \ rm -f $$list openvpnserv$(EXEEXT): $(openvpnserv_OBJECTS) $(openvpnserv_DEPENDENCIES) $(EXTRA_openvpnserv_DEPENDENCIES) @rm -f openvpnserv$(EXEEXT) $(AM_V_CCLD)$(openvpnserv_LINK) $(openvpnserv_OBJECTS) $(openvpnserv_LDADD) $(LIBS) mostlyclean-compile: -rm -f *.$(OBJEXT) distclean-compile: -rm -f *.tab.c @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openvpnserv-automatic.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openvpnserv-block_dns.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openvpnserv-common.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openvpnserv-interactive.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openvpnserv-service.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openvpnserv-validate.Po@am__quote@ .c.o: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< .c.obj: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` .c.lo: @am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $< openvpnserv-common.o: common.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(openvpnserv_CFLAGS) $(CFLAGS) -MT openvpnserv-common.o -MD -MP -MF $(DEPDIR)/openvpnserv-common.Tpo -c -o openvpnserv-common.o `test -f 'common.c' || echo '$(srcdir)/'`common.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/openvpnserv-common.Tpo $(DEPDIR)/openvpnserv-common.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='common.c' object='openvpnserv-common.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(openvpnserv_CFLAGS) $(CFLAGS) -c -o openvpnserv-common.o `test -f 'common.c' || echo '$(srcdir)/'`common.c openvpnserv-common.obj: common.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(openvpnserv_CFLAGS) $(CFLAGS) -MT openvpnserv-common.obj -MD -MP -MF $(DEPDIR)/openvpnserv-common.Tpo -c -o openvpnserv-common.obj `if test -f 'common.c'; then $(CYGPATH_W) 'common.c'; else $(CYGPATH_W) '$(srcdir)/common.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/openvpnserv-common.Tpo $(DEPDIR)/openvpnserv-common.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='common.c' object='openvpnserv-common.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(openvpnserv_CFLAGS) $(CFLAGS) -c -o openvpnserv-common.obj `if test -f 'common.c'; then $(CYGPATH_W) 'common.c'; else $(CYGPATH_W) '$(srcdir)/common.c'; fi` openvpnserv-automatic.o: automatic.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(openvpnserv_CFLAGS) $(CFLAGS) -MT openvpnserv-automatic.o -MD -MP -MF $(DEPDIR)/openvpnserv-automatic.Tpo -c -o openvpnserv-automatic.o `test -f 'automatic.c' || echo '$(srcdir)/'`automatic.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/openvpnserv-automatic.Tpo $(DEPDIR)/openvpnserv-automatic.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='automatic.c' object='openvpnserv-automatic.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(openvpnserv_CFLAGS) $(CFLAGS) -c -o openvpnserv-automatic.o `test -f 'automatic.c' || echo '$(srcdir)/'`automatic.c openvpnserv-automatic.obj: automatic.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(openvpnserv_CFLAGS) $(CFLAGS) -MT openvpnserv-automatic.obj -MD -MP -MF $(DEPDIR)/openvpnserv-automatic.Tpo -c -o openvpnserv-automatic.obj `if test -f 'automatic.c'; then $(CYGPATH_W) 'automatic.c'; else $(CYGPATH_W) '$(srcdir)/automatic.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/openvpnserv-automatic.Tpo $(DEPDIR)/openvpnserv-automatic.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='automatic.c' object='openvpnserv-automatic.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(openvpnserv_CFLAGS) $(CFLAGS) -c -o openvpnserv-automatic.obj `if test -f 'automatic.c'; then $(CYGPATH_W) 'automatic.c'; else $(CYGPATH_W) '$(srcdir)/automatic.c'; fi` openvpnserv-interactive.o: interactive.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(openvpnserv_CFLAGS) $(CFLAGS) -MT openvpnserv-interactive.o -MD -MP -MF $(DEPDIR)/openvpnserv-interactive.Tpo -c -o openvpnserv-interactive.o `test -f 'interactive.c' || echo '$(srcdir)/'`interactive.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/openvpnserv-interactive.Tpo $(DEPDIR)/openvpnserv-interactive.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='interactive.c' object='openvpnserv-interactive.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(openvpnserv_CFLAGS) $(CFLAGS) -c -o openvpnserv-interactive.o `test -f 'interactive.c' || echo '$(srcdir)/'`interactive.c openvpnserv-interactive.obj: interactive.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(openvpnserv_CFLAGS) $(CFLAGS) -MT openvpnserv-interactive.obj -MD -MP -MF $(DEPDIR)/openvpnserv-interactive.Tpo -c -o openvpnserv-interactive.obj `if test -f 'interactive.c'; then $(CYGPATH_W) 'interactive.c'; else $(CYGPATH_W) '$(srcdir)/interactive.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/openvpnserv-interactive.Tpo $(DEPDIR)/openvpnserv-interactive.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='interactive.c' object='openvpnserv-interactive.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(openvpnserv_CFLAGS) $(CFLAGS) -c -o openvpnserv-interactive.obj `if test -f 'interactive.c'; then $(CYGPATH_W) 'interactive.c'; else $(CYGPATH_W) '$(srcdir)/interactive.c'; fi` openvpnserv-service.o: service.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(openvpnserv_CFLAGS) $(CFLAGS) -MT openvpnserv-service.o -MD -MP -MF $(DEPDIR)/openvpnserv-service.Tpo -c -o openvpnserv-service.o `test -f 'service.c' || echo '$(srcdir)/'`service.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/openvpnserv-service.Tpo $(DEPDIR)/openvpnserv-service.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='service.c' object='openvpnserv-service.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(openvpnserv_CFLAGS) $(CFLAGS) -c -o openvpnserv-service.o `test -f 'service.c' || echo '$(srcdir)/'`service.c openvpnserv-service.obj: service.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(openvpnserv_CFLAGS) $(CFLAGS) -MT openvpnserv-service.obj -MD -MP -MF $(DEPDIR)/openvpnserv-service.Tpo -c -o openvpnserv-service.obj `if test -f 'service.c'; then $(CYGPATH_W) 'service.c'; else $(CYGPATH_W) '$(srcdir)/service.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/openvpnserv-service.Tpo $(DEPDIR)/openvpnserv-service.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='service.c' object='openvpnserv-service.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(openvpnserv_CFLAGS) $(CFLAGS) -c -o openvpnserv-service.obj `if test -f 'service.c'; then $(CYGPATH_W) 'service.c'; else $(CYGPATH_W) '$(srcdir)/service.c'; fi` openvpnserv-validate.o: validate.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(openvpnserv_CFLAGS) $(CFLAGS) -MT openvpnserv-validate.o -MD -MP -MF $(DEPDIR)/openvpnserv-validate.Tpo -c -o openvpnserv-validate.o `test -f 'validate.c' || echo '$(srcdir)/'`validate.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/openvpnserv-validate.Tpo $(DEPDIR)/openvpnserv-validate.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='validate.c' object='openvpnserv-validate.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(openvpnserv_CFLAGS) $(CFLAGS) -c -o openvpnserv-validate.o `test -f 'validate.c' || echo '$(srcdir)/'`validate.c openvpnserv-validate.obj: validate.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(openvpnserv_CFLAGS) $(CFLAGS) -MT openvpnserv-validate.obj -MD -MP -MF $(DEPDIR)/openvpnserv-validate.Tpo -c -o openvpnserv-validate.obj `if test -f 'validate.c'; then $(CYGPATH_W) 'validate.c'; else $(CYGPATH_W) '$(srcdir)/validate.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/openvpnserv-validate.Tpo $(DEPDIR)/openvpnserv-validate.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='validate.c' object='openvpnserv-validate.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(openvpnserv_CFLAGS) $(CFLAGS) -c -o openvpnserv-validate.obj `if test -f 'validate.c'; then $(CYGPATH_W) 'validate.c'; else $(CYGPATH_W) '$(srcdir)/validate.c'; fi` openvpnserv-block_dns.o: $(top_srcdir)/src/openvpn/block_dns.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(openvpnserv_CFLAGS) $(CFLAGS) -MT openvpnserv-block_dns.o -MD -MP -MF $(DEPDIR)/openvpnserv-block_dns.Tpo -c -o openvpnserv-block_dns.o `test -f '$(top_srcdir)/src/openvpn/block_dns.c' || echo '$(srcdir)/'`$(top_srcdir)/src/openvpn/block_dns.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/openvpnserv-block_dns.Tpo $(DEPDIR)/openvpnserv-block_dns.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$(top_srcdir)/src/openvpn/block_dns.c' object='openvpnserv-block_dns.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(openvpnserv_CFLAGS) $(CFLAGS) -c -o openvpnserv-block_dns.o `test -f '$(top_srcdir)/src/openvpn/block_dns.c' || echo '$(srcdir)/'`$(top_srcdir)/src/openvpn/block_dns.c openvpnserv-block_dns.obj: $(top_srcdir)/src/openvpn/block_dns.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(openvpnserv_CFLAGS) $(CFLAGS) -MT openvpnserv-block_dns.obj -MD -MP -MF $(DEPDIR)/openvpnserv-block_dns.Tpo -c -o openvpnserv-block_dns.obj `if test -f '$(top_srcdir)/src/openvpn/block_dns.c'; then $(CYGPATH_W) '$(top_srcdir)/src/openvpn/block_dns.c'; else $(CYGPATH_W) '$(srcdir)/$(top_srcdir)/src/openvpn/block_dns.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/openvpnserv-block_dns.Tpo $(DEPDIR)/openvpnserv-block_dns.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$(top_srcdir)/src/openvpn/block_dns.c' object='openvpnserv-block_dns.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(openvpnserv_CFLAGS) $(CFLAGS) -c -o openvpnserv-block_dns.obj `if test -f '$(top_srcdir)/src/openvpn/block_dns.c'; then $(CYGPATH_W) '$(top_srcdir)/src/openvpn/block_dns.c'; else $(CYGPATH_W) '$(srcdir)/$(top_srcdir)/src/openvpn/block_dns.c'; fi` mostlyclean-libtool: -rm -f *.lo clean-libtool: -rm -rf .libs _libs ID: $(am__tagged_files) $(am__define_uniq_tagged_files); mkid -fID $$unique tags: tags-am TAGS: tags tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) set x; \ here=`pwd`; \ $(am__define_uniq_tagged_files); \ shift; \ if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ test -n "$$unique" || unique=$$empty_fix; \ if test $$# -gt 0; then \ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ "$$@" $$unique; \ else \ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ $$unique; \ fi; \ fi ctags: ctags-am CTAGS: ctags ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) $(am__define_uniq_tagged_files); \ test -z "$(CTAGS_ARGS)$$unique" \ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ $$unique GTAGS: here=`$(am__cd) $(top_builddir) && pwd` \ && $(am__cd) $(top_srcdir) \ && gtags -i $(GTAGS_ARGS) "$$here" cscopelist: cscopelist-am cscopelist-am: $(am__tagged_files) list='$(am__tagged_files)'; \ case "$(srcdir)" in \ [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \ *) sdir=$(subdir)/$(srcdir) ;; \ esac; \ for i in $$list; do \ if test -f "$$i"; then \ echo "$(subdir)/$$i"; \ else \ echo "$$sdir/$$i"; \ fi; \ done >> $(top_builddir)/cscope.files distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags distdir: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ dist_files=`for file in $$list; do echo $$file; done | \ sed -e "s|^$$srcdirstrip/||;t" \ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ case $$dist_files in \ */*) $(MKDIR_P) `echo "$$dist_files" | \ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ sort -u` ;; \ esac; \ for file in $$dist_files; do \ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ if test -d $$d/$$file; then \ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ if test -d "$(distdir)/$$file"; then \ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ else \ test -f "$(distdir)/$$file" \ || cp -p $$d/$$file "$(distdir)/$$file" \ || exit 1; \ fi; \ done check-am: all-am check: check-am all-am: Makefile $(PROGRAMS) installdirs: for dir in "$(DESTDIR)$(sbindir)"; do \ test -z "$$dir" || $(MKDIR_P) "$$dir"; \ done install: install-am install-exec: install-exec-am install-data: install-data-am uninstall: uninstall-am install-am: all-am @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am installcheck: installcheck-am install-strip: if test -z '$(STRIP)'; then \ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ install; \ else \ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ fi mostlyclean-generic: clean-generic: distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @echo "it deletes files that may require special tools to rebuild." -test -z "$(MAINTAINERCLEANFILES)" || rm -f $(MAINTAINERCLEANFILES) clean: clean-am clean-am: clean-generic clean-libtool clean-sbinPROGRAMS \ mostlyclean-am distclean: distclean-am -rm -rf ./$(DEPDIR) -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags dvi: dvi-am dvi-am: html: html-am html-am: info: info-am info-am: install-data-am: install-dvi: install-dvi-am install-dvi-am: install-exec-am: install-sbinPROGRAMS install-html: install-html-am install-html-am: install-info: install-info-am install-info-am: install-man: install-pdf: install-pdf-am install-pdf-am: install-ps: install-ps-am install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-am -rm -rf ./$(DEPDIR) -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic mostlyclean: mostlyclean-am mostlyclean-am: mostlyclean-compile mostlyclean-generic \ mostlyclean-libtool pdf: pdf-am pdf-am: ps: ps-am ps-am: uninstall-am: uninstall-sbinPROGRAMS .MAKE: install-am install-strip .PHONY: CTAGS GTAGS TAGS all all-am check check-am clean clean-generic \ clean-libtool clean-sbinPROGRAMS cscopelist-am ctags ctags-am \ distclean distclean-compile distclean-generic \ distclean-libtool distclean-tags distdir dvi dvi-am html \ html-am info info-am install install-am install-data \ install-data-am install-dvi install-dvi-am install-exec \ install-exec-am install-html install-html-am install-info \ install-info-am install-man install-pdf install-pdf-am \ install-ps install-ps-am install-sbinPROGRAMS install-strip \ installcheck installcheck-am installdirs maintainer-clean \ maintainer-clean-generic mostlyclean mostlyclean-compile \ mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ tags tags-am uninstall uninstall-am uninstall-sbinPROGRAMS .rc.lo: $(LTRCCOMPILE) -i "$<" -o "$@" .rc.o: $(RCCOMPILE) -i "$<" -o "$@" .mc.rc: $(WINDMC) "$<" # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: openvpn-2.4.4/src/openvpnserv/automatic.c000066400000000000000000000316511316434344000205240ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ /* * This program allows one or more OpenVPN processes to be started * as a service. To build, you must get the service sample from the * Platform SDK and replace Simple.c with this file. * * You should also apply service.patch to * service.c and service.h from the Platform SDK service sample. * * This code is designed to be built with the mingw compiler. */ #include "service.h" #include #include #include /* bool definitions */ #define bool int #define true 1 #define false 0 static SERVICE_STATUS_HANDLE service; static SERVICE_STATUS status; openvpn_service_t automatic_service = { automatic, TEXT(PACKAGE_NAME "ServiceLegacy"), TEXT(PACKAGE_NAME " Legacy Service"), TEXT(SERVICE_DEPENDENCIES), SERVICE_DEMAND_START }; struct security_attributes { SECURITY_ATTRIBUTES sa; SECURITY_DESCRIPTOR sd; }; /* * Which registry key in HKLM should * we get config info from? */ #define REG_KEY "SOFTWARE\\" PACKAGE_NAME static HANDLE exit_event = NULL; /* clear an object */ #define CLEAR(x) memset(&(x), 0, sizeof(x)) bool init_security_attributes_allow_all(struct security_attributes *obj) { CLEAR(*obj); obj->sa.nLength = sizeof(SECURITY_ATTRIBUTES); obj->sa.lpSecurityDescriptor = &obj->sd; obj->sa.bInheritHandle = TRUE; if (!InitializeSecurityDescriptor(&obj->sd, SECURITY_DESCRIPTOR_REVISION)) { return false; } if (!SetSecurityDescriptorDacl(&obj->sd, TRUE, NULL, FALSE)) { return false; } return true; } /* * This event is initially created in the non-signaled * state. It will transition to the signaled state when * we have received a terminate signal from the Service * Control Manager which will cause an asynchronous call * of ServiceStop below. */ #define EXIT_EVENT_NAME TEXT(PACKAGE "_exit_1") HANDLE create_event(LPCTSTR name, bool allow_all, bool initial_state, bool manual_reset) { if (allow_all) { struct security_attributes sa; if (!init_security_attributes_allow_all(&sa)) { return NULL; } return CreateEvent(&sa.sa, (BOOL)manual_reset, (BOOL)initial_state, name); } else { return CreateEvent(NULL, (BOOL)manual_reset, (BOOL)initial_state, name); } } void close_if_open(HANDLE h) { if (h != NULL) { CloseHandle(h); } } static bool match(const WIN32_FIND_DATA *find, LPCTSTR ext) { int i; if (find->dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) { return false; } if (!_tcslen(ext)) { return true; } i = _tcslen(find->cFileName) - _tcslen(ext) - 1; if (i < 1) { return false; } return find->cFileName[i] == '.' && !_tcsicmp(find->cFileName + i + 1, ext); } /* * Modify the extension on a filename. */ static bool modext(LPTSTR dest, int size, LPCTSTR src, LPCTSTR newext) { int i; if (size > 0 && (_tcslen(src) + 1) <= size) { _tcscpy(dest, src); dest [size - 1] = TEXT('\0'); i = _tcslen(dest); while (--i >= 0) { if (dest[i] == TEXT('\\')) { break; } if (dest[i] == TEXT('.')) { dest[i] = TEXT('\0'); break; } } if (_tcslen(dest) + _tcslen(newext) + 2 <= size) { _tcscat(dest, TEXT(".")); _tcscat(dest, newext); return true; } dest[0] = TEXT('\0'); } return false; } static DWORD WINAPI ServiceCtrlAutomatic(DWORD ctrl_code, DWORD event, LPVOID data, LPVOID ctx) { SERVICE_STATUS *status = ctx; switch (ctrl_code) { case SERVICE_CONTROL_STOP: status->dwCurrentState = SERVICE_STOP_PENDING; ReportStatusToSCMgr(service, status); if (exit_event) { SetEvent(exit_event); } return NO_ERROR; case SERVICE_CONTROL_INTERROGATE: return NO_ERROR; default: return ERROR_CALL_NOT_IMPLEMENTED; } } VOID WINAPI ServiceStartAutomatic(DWORD dwArgc, LPTSTR *lpszArgv) { DWORD error = NO_ERROR; settings_t settings; service = RegisterServiceCtrlHandlerEx(automatic_service.name, ServiceCtrlAutomatic, &status); if (!service) { return; } status.dwServiceType = SERVICE_WIN32_SHARE_PROCESS; status.dwCurrentState = SERVICE_START_PENDING; status.dwServiceSpecificExitCode = NO_ERROR; status.dwWin32ExitCode = NO_ERROR; status.dwWaitHint = 3000; if (!ReportStatusToSCMgr(service, &status)) { MsgToEventLog(M_ERR, TEXT("ReportStatusToSCMgr #1 failed")); goto finish; } /* * Create our exit event */ exit_event = create_event(EXIT_EVENT_NAME, false, false, true); if (!exit_event) { MsgToEventLog(M_ERR, TEXT("CreateEvent failed")); goto finish; } /* * If exit event is already signaled, it means we were not * shut down properly. */ if (WaitForSingleObject(exit_event, 0) != WAIT_TIMEOUT) { MsgToEventLog(M_ERR, TEXT("Exit event is already signaled -- we were not shut down properly")); goto finish; } if (!ReportStatusToSCMgr(service, &status)) { MsgToEventLog(M_ERR, TEXT("ReportStatusToSCMgr #2 failed")); goto finish; } /* * Read info from registry in key HKLM\SOFTWARE\OpenVPN */ error = GetOpenvpnSettings(&settings); if (error != ERROR_SUCCESS) { goto finish; } /* * Instantiate an OpenVPN process for each configuration * file found. */ { WIN32_FIND_DATA find_obj; HANDLE find_handle; BOOL more_files; TCHAR find_string[MAX_PATH]; openvpn_sntprintf(find_string, MAX_PATH, TEXT("%s\\*"), settings.config_dir); find_handle = FindFirstFile(find_string, &find_obj); if (find_handle == INVALID_HANDLE_VALUE) { MsgToEventLog(M_ERR, TEXT("Cannot get configuration file list using: %s"), find_string); goto finish; } /* * Loop over each config file */ do { HANDLE log_handle = NULL; STARTUPINFO start_info; PROCESS_INFORMATION proc_info; struct security_attributes sa; TCHAR log_file[MAX_PATH]; TCHAR log_path[MAX_PATH]; TCHAR command_line[256]; CLEAR(start_info); CLEAR(proc_info); CLEAR(sa); if (!ReportStatusToSCMgr(service, &status)) { MsgToEventLog(M_ERR, TEXT("ReportStatusToSCMgr #3 failed")); FindClose(find_handle); goto finish; } /* does file have the correct type and extension? */ if (match(&find_obj, settings.ext_string)) { /* get log file pathname */ if (!modext(log_file, _countof(log_file), find_obj.cFileName, TEXT("log"))) { MsgToEventLog(M_ERR, TEXT("Cannot construct logfile name based on: %s"), find_obj.cFileName); FindClose(find_handle); goto finish; } openvpn_sntprintf(log_path, _countof(log_path), TEXT("%s\\%s"), settings.log_dir, log_file); /* construct command line */ openvpn_sntprintf(command_line, _countof(command_line), TEXT(PACKAGE " --service %s 1 --config \"%s\""), EXIT_EVENT_NAME, find_obj.cFileName); /* Make security attributes struct for logfile handle so it can * be inherited. */ if (!init_security_attributes_allow_all(&sa)) { error = MsgToEventLog(M_SYSERR, TEXT("InitializeSecurityDescriptor start_" PACKAGE " failed")); goto finish; } /* open logfile as stdout/stderr for soon-to-be-spawned subprocess */ log_handle = CreateFile(log_path, GENERIC_WRITE, FILE_SHARE_READ, &sa.sa, settings.append ? OPEN_ALWAYS : CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL); if (log_handle == INVALID_HANDLE_VALUE) { error = MsgToEventLog(M_SYSERR, TEXT("Cannot open logfile: %s"), log_path); FindClose(find_handle); goto finish; } /* append to logfile? */ if (settings.append) { if (SetFilePointer(log_handle, 0, NULL, FILE_END) == INVALID_SET_FILE_POINTER) { error = MsgToEventLog(M_SYSERR, TEXT("Cannot seek to end of logfile: %s"), log_path); FindClose(find_handle); goto finish; } } /* fill in STARTUPINFO struct */ GetStartupInfo(&start_info); start_info.cb = sizeof(start_info); start_info.dwFlags = STARTF_USESTDHANDLES|STARTF_USESHOWWINDOW; start_info.wShowWindow = SW_HIDE; start_info.hStdInput = GetStdHandle(STD_INPUT_HANDLE); start_info.hStdOutput = start_info.hStdError = log_handle; /* create an OpenVPN process for one config file */ if (!CreateProcess(settings.exe_path, command_line, NULL, NULL, TRUE, settings.priority | CREATE_NEW_CONSOLE, NULL, settings.config_dir, &start_info, &proc_info)) { error = MsgToEventLog(M_SYSERR, TEXT("CreateProcess failed, exe='%s' cmdline='%s' dir='%s'"), settings.exe_path, command_line, settings.config_dir); FindClose(find_handle); CloseHandle(log_handle); goto finish; } /* close unneeded handles */ Sleep(1000); /* try to prevent race if we close logfile * handle before child process DUPs it */ if (!CloseHandle(proc_info.hProcess) || !CloseHandle(proc_info.hThread) || !CloseHandle(log_handle)) { error = MsgToEventLog(M_SYSERR, TEXT("CloseHandle failed")); goto finish; } } /* more files to process? */ more_files = FindNextFile(find_handle, &find_obj); } while (more_files); FindClose(find_handle); } /* we are now fully started */ status.dwCurrentState = SERVICE_RUNNING; status.dwWaitHint = 0; if (!ReportStatusToSCMgr(service, &status)) { MsgToEventLog(M_ERR, TEXT("ReportStatusToSCMgr SERVICE_RUNNING failed")); goto finish; } /* wait for our shutdown signal */ if (WaitForSingleObject(exit_event, INFINITE) != WAIT_OBJECT_0) { MsgToEventLog(M_ERR, TEXT("wait for shutdown signal failed")); } finish: if (exit_event) { CloseHandle(exit_event); } status.dwCurrentState = SERVICE_STOPPED; status.dwWin32ExitCode = error; ReportStatusToSCMgr(service, &status); } openvpn-2.4.4/src/openvpnserv/common.c000066400000000000000000000157561316434344000200360ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2011-2017 Heiko Hund * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #include #include /* * These are necessary due to certain buggy implementations of (v)snprintf, * that don't guarantee null termination for size > 0. */ int openvpn_vsntprintf(LPTSTR str, size_t size, LPCTSTR format, va_list arglist) { int len = -1; if (size > 0) { len = _vsntprintf(str, size, format, arglist); str[size - 1] = 0; } return (len >= 0 && len < size); } int openvpn_sntprintf(LPTSTR str, size_t size, LPCTSTR format, ...) { va_list arglist; int len = -1; if (size > 0) { va_start(arglist, format); len = openvpn_vsntprintf(str, size, format, arglist); va_end(arglist); } return len; } #define REG_KEY TEXT("SOFTWARE\\" PACKAGE_NAME) static DWORD GetRegString(HKEY key, LPCTSTR value, LPTSTR data, DWORD size) { DWORD type; LONG status = RegQueryValueEx(key, value, NULL, &type, (LPBYTE) data, &size); if (status == ERROR_SUCCESS && type != REG_SZ) { status = ERROR_DATATYPE_MISMATCH; } if (status != ERROR_SUCCESS) { SetLastError(status); return MsgToEventLog(M_SYSERR, TEXT("Error querying registry value: HKLM\\%s\\%s"), REG_KEY, value); } return ERROR_SUCCESS; } DWORD GetOpenvpnSettings(settings_t *s) { TCHAR priority[64]; TCHAR append[2]; DWORD error; HKEY key; LONG status = RegOpenKeyEx(HKEY_LOCAL_MACHINE, REG_KEY, 0, KEY_READ, &key); if (status != ERROR_SUCCESS) { SetLastError(status); return MsgToEventLog(M_SYSERR, TEXT("Could not open Registry key HKLM\\%s not found"), REG_KEY); } error = GetRegString(key, TEXT("exe_path"), s->exe_path, sizeof(s->exe_path)); if (error != ERROR_SUCCESS) { goto out; } error = GetRegString(key, TEXT("config_dir"), s->config_dir, sizeof(s->config_dir)); if (error != ERROR_SUCCESS) { goto out; } error = GetRegString(key, TEXT("config_ext"), s->ext_string, sizeof(s->ext_string)); if (error != ERROR_SUCCESS) { goto out; } error = GetRegString(key, TEXT("log_dir"), s->log_dir, sizeof(s->log_dir)); if (error != ERROR_SUCCESS) { goto out; } error = GetRegString(key, TEXT("priority"), priority, sizeof(priority)); if (error != ERROR_SUCCESS) { goto out; } error = GetRegString(key, TEXT("log_append"), append, sizeof(append)); if (error != ERROR_SUCCESS) { goto out; } /* read if present, else use default */ error = GetRegString(key, TEXT("ovpn_admin_group"), s->ovpn_admin_group, sizeof(s->ovpn_admin_group)); if (error != ERROR_SUCCESS) { openvpn_sntprintf(s->ovpn_admin_group, _countof(s->ovpn_admin_group), OVPN_ADMIN_GROUP); error = 0; /* this error is not fatal */ } /* set process priority */ if (!_tcsicmp(priority, TEXT("IDLE_PRIORITY_CLASS"))) { s->priority = IDLE_PRIORITY_CLASS; } else if (!_tcsicmp(priority, TEXT("BELOW_NORMAL_PRIORITY_CLASS"))) { s->priority = BELOW_NORMAL_PRIORITY_CLASS; } else if (!_tcsicmp(priority, TEXT("NORMAL_PRIORITY_CLASS"))) { s->priority = NORMAL_PRIORITY_CLASS; } else if (!_tcsicmp(priority, TEXT("ABOVE_NORMAL_PRIORITY_CLASS"))) { s->priority = ABOVE_NORMAL_PRIORITY_CLASS; } else if (!_tcsicmp(priority, TEXT("HIGH_PRIORITY_CLASS"))) { s->priority = HIGH_PRIORITY_CLASS; } else { SetLastError(ERROR_INVALID_DATA); error = MsgToEventLog(M_SYSERR, TEXT("Unknown priority name: %s"), priority); goto out; } /* set log file append/truncate flag */ if (append[0] == TEXT('0')) { s->append = FALSE; } else if (append[0] == TEXT('1')) { s->append = TRUE; } else { SetLastError(ERROR_INVALID_DATA); error = MsgToEventLog(M_ERR, TEXT("Log file append flag (given as '%s') must be '0' or '1'"), append); goto out; } out: RegCloseKey(key); return error; } LPCTSTR GetLastErrorText() { static TCHAR buf[256]; DWORD len; LPTSTR tmp = NULL; len = FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_ARGUMENT_ARRAY, NULL, GetLastError(), LANG_NEUTRAL, (LPTSTR)&tmp, 0, NULL); if (len == 0 || (long) _countof(buf) < (long) len + 14) { buf[0] = TEXT('\0'); } else { tmp[_tcslen(tmp) - 2] = TEXT('\0'); /* remove CR/LF characters */ openvpn_sntprintf(buf, _countof(buf), TEXT("%s (0x%x)"), tmp, GetLastError()); } if (tmp) { LocalFree(tmp); } return buf; } DWORD MsgToEventLog(DWORD flags, LPCTSTR format, ...) { HANDLE hEventSource; TCHAR msg[2][256]; DWORD error = 0; LPCTSTR err_msg = TEXT(""); va_list arglist; if (flags & MSG_FLAGS_SYS_CODE) { error = GetLastError(); err_msg = GetLastErrorText(); } hEventSource = RegisterEventSource(NULL, APPNAME); if (hEventSource != NULL) { openvpn_sntprintf(msg[0], _countof(msg[0]), TEXT("%s%s: %s"), APPNAME, (flags & MSG_FLAGS_ERROR) ? TEXT(" error") : TEXT(""), err_msg); va_start(arglist, format); openvpn_vsntprintf(msg[1], _countof(msg[1]), format, arglist); va_end(arglist); const TCHAR *mesg[] = { msg[0], msg[1] }; ReportEvent(hEventSource, flags & MSG_FLAGS_ERROR ? EVENTLOG_ERROR_TYPE : EVENTLOG_INFORMATION_TYPE, 0, 0, NULL, 2, 0, mesg, NULL); DeregisterEventSource(hEventSource); } return error; } /* Convert a utf8 string to utf16. Caller should free the result */ wchar_t * utf8to16(const char *utf8) { int n = MultiByteToWideChar(CP_UTF8, 0, utf8, -1, NULL, 0); wchar_t *utf16 = malloc(n * sizeof(wchar_t)); if (!utf16) { return NULL; } MultiByteToWideChar(CP_UTF8, 0, utf8, -1, utf16, n); return utf16; } openvpn-2.4.4/src/openvpnserv/interactive.c000066400000000000000000001554361316434344000210630ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2012-2017 Heiko Hund * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #include "service.h" #include #include #include #include #include #include #include #include #include #ifdef HAVE_VERSIONHELPERS_H #include #else #include "compat-versionhelpers.h" #endif #include "openvpn-msg.h" #include "validate.h" #include "block_dns.h" #define IO_TIMEOUT 2000 /*ms*/ #define ERROR_OPENVPN_STARTUP 0x20000000 #define ERROR_STARTUP_DATA 0x20000001 #define ERROR_MESSAGE_DATA 0x20000002 #define ERROR_MESSAGE_TYPE 0x20000003 static SERVICE_STATUS_HANDLE service; static SERVICE_STATUS status; static HANDLE exit_event = NULL; static settings_t settings; static HANDLE rdns_semaphore = NULL; #define RDNS_TIMEOUT 600 /* seconds to wait for the semaphore */ openvpn_service_t interactive_service = { interactive, TEXT(PACKAGE_NAME "ServiceInteractive"), TEXT(PACKAGE_NAME " Interactive Service"), TEXT(SERVICE_DEPENDENCIES), SERVICE_AUTO_START }; typedef struct { WCHAR *directory; WCHAR *options; WCHAR *std_input; } STARTUP_DATA; /* Datatype for linked lists */ typedef struct _list_item { struct _list_item *next; LPVOID data; } list_item_t; /* Datatypes for undo information */ typedef enum { address, route, block_dns, undo_dns4, undo_dns6, _undo_type_max } undo_type_t; typedef list_item_t *undo_lists_t[_undo_type_max]; typedef struct { HANDLE engine; int index; int metric_v4; int metric_v6; } block_dns_data_t; static DWORD AddListItem(list_item_t **pfirst, LPVOID data) { list_item_t *new_item = malloc(sizeof(list_item_t)); if (new_item == NULL) { return ERROR_OUTOFMEMORY; } new_item->next = *pfirst; new_item->data = data; *pfirst = new_item; return NO_ERROR; } typedef BOOL (*match_fn_t) (LPVOID item, LPVOID ctx); static LPVOID RemoveListItem(list_item_t **pfirst, match_fn_t match, LPVOID ctx) { LPVOID data = NULL; list_item_t **pnext; for (pnext = pfirst; *pnext; pnext = &(*pnext)->next) { list_item_t *item = *pnext; if (!match(item->data, ctx)) { continue; } /* Found item, remove from the list and free memory */ *pnext = item->next; data = item->data; free(item); break; } return data; } static HANDLE CloseHandleEx(LPHANDLE handle) { if (handle && *handle && *handle != INVALID_HANDLE_VALUE) { CloseHandle(*handle); *handle = INVALID_HANDLE_VALUE; } return INVALID_HANDLE_VALUE; } static HANDLE InitOverlapped(LPOVERLAPPED overlapped) { ZeroMemory(overlapped, sizeof(OVERLAPPED)); overlapped->hEvent = CreateEvent(NULL, TRUE, FALSE, NULL); return overlapped->hEvent; } static BOOL ResetOverlapped(LPOVERLAPPED overlapped) { HANDLE io_event = overlapped->hEvent; if (!ResetEvent(io_event)) { return FALSE; } ZeroMemory(overlapped, sizeof(OVERLAPPED)); overlapped->hEvent = io_event; return TRUE; } typedef enum { peek, read, write } async_op_t; static DWORD AsyncPipeOp(async_op_t op, HANDLE pipe, LPVOID buffer, DWORD size, DWORD count, LPHANDLE events) { int i; BOOL success; HANDLE io_event; DWORD res, bytes = 0; OVERLAPPED overlapped; LPHANDLE handles = NULL; io_event = InitOverlapped(&overlapped); if (!io_event) { goto out; } handles = malloc((count + 1) * sizeof(HANDLE)); if (!handles) { goto out; } if (op == write) { success = WriteFile(pipe, buffer, size, NULL, &overlapped); } else { success = ReadFile(pipe, buffer, size, NULL, &overlapped); } if (!success && GetLastError() != ERROR_IO_PENDING && GetLastError() != ERROR_MORE_DATA) { goto out; } handles[0] = io_event; for (i = 0; i < count; i++) { handles[i + 1] = events[i]; } res = WaitForMultipleObjects(count + 1, handles, FALSE, op == peek ? INFINITE : IO_TIMEOUT); if (res != WAIT_OBJECT_0) { CancelIo(pipe); goto out; } if (op == peek) { PeekNamedPipe(pipe, NULL, 0, NULL, &bytes, NULL); } else { GetOverlappedResult(pipe, &overlapped, &bytes, TRUE); } out: CloseHandleEx(&io_event); free(handles); return bytes; } static DWORD PeekNamedPipeAsync(HANDLE pipe, DWORD count, LPHANDLE events) { return AsyncPipeOp(peek, pipe, NULL, 0, count, events); } static DWORD ReadPipeAsync(HANDLE pipe, LPVOID buffer, DWORD size, DWORD count, LPHANDLE events) { return AsyncPipeOp(read, pipe, buffer, size, count, events); } static DWORD WritePipeAsync(HANDLE pipe, LPVOID data, DWORD size, DWORD count, LPHANDLE events) { return AsyncPipeOp(write, pipe, data, size, count, events); } static VOID ReturnProcessId(HANDLE pipe, DWORD pid, DWORD count, LPHANDLE events) { const WCHAR msg[] = L"Process ID"; WCHAR buf[22 + _countof(msg)]; /* 10 chars each for error and PID and 2 for line breaks */ /* * Same format as error messages (3 line string) with error = 0 in * 0x%08x format, PID on line 2 and a description "Process ID" on line 3 */ _snwprintf(buf, _countof(buf), L"0x%08x\n0x%08x\n%s", 0, pid, msg); buf[_countof(buf) - 1] = '\0'; WritePipeAsync(pipe, buf, wcslen(buf) * 2, count, events); } static VOID ReturnError(HANDLE pipe, DWORD error, LPCWSTR func, DWORD count, LPHANDLE events) { DWORD result_len; LPWSTR result = L"0xffffffff\nFormatMessage failed\nCould not return result"; DWORD_PTR args[] = { (DWORD_PTR) error, (DWORD_PTR) func, (DWORD_PTR) "" }; if (error != ERROR_OPENVPN_STARTUP) { FormatMessageW(FORMAT_MESSAGE_FROM_SYSTEM |FORMAT_MESSAGE_ALLOCATE_BUFFER |FORMAT_MESSAGE_IGNORE_INSERTS, 0, error, 0, (LPWSTR) &args[2], 0, NULL); } result_len = FormatMessageW(FORMAT_MESSAGE_FROM_STRING |FORMAT_MESSAGE_ALLOCATE_BUFFER |FORMAT_MESSAGE_ARGUMENT_ARRAY, L"0x%1!08x!\n%2!s!\n%3!s!", 0, 0, (LPWSTR) &result, 0, (va_list *) args); WritePipeAsync(pipe, result, wcslen(result) * 2, count, events); #ifdef UNICODE MsgToEventLog(MSG_FLAGS_ERROR, result); #else MsgToEventLog(MSG_FLAGS_ERROR, "%S", result); #endif if (error != ERROR_OPENVPN_STARTUP) { LocalFree((LPVOID) args[2]); } if (result_len) { LocalFree(result); } } static VOID ReturnLastError(HANDLE pipe, LPCWSTR func) { ReturnError(pipe, GetLastError(), func, 1, &exit_event); } static VOID ReturnOpenvpnOutput(HANDLE pipe, HANDLE ovpn_output, DWORD count, LPHANDLE events) { WCHAR *wide_output = NULL; CHAR output[512]; DWORD size; ReadFile(ovpn_output, output, sizeof(output), &size, NULL); if (size == 0) { return; } wide_output = malloc((size) * sizeof(WCHAR)); if (wide_output) { MultiByteToWideChar(CP_UTF8, 0, output, size, wide_output, size); wide_output[size - 1] = 0; } ReturnError(pipe, ERROR_OPENVPN_STARTUP, wide_output, count, events); free(wide_output); } /* * Validate options against a white list. Also check the config_file is * inside the config_dir. The white list is defined in validate.c * Returns true on success */ static BOOL ValidateOptions(HANDLE pipe, const WCHAR *workdir, const WCHAR *options) { WCHAR **argv; int argc; WCHAR buf[256]; BOOL ret = FALSE; int i; const WCHAR *msg1 = L"You have specified a config file location (%s relative to %s)" " that requires admin approval. This error may be avoided" " by adding your account to the \"%s\" group"; const WCHAR *msg2 = L"You have specified an option (%s) that may be used" " only with admin approval. This error may be avoided" " by adding your account to the \"%s\" group"; argv = CommandLineToArgvW(options, &argc); if (!argv) { ReturnLastError(pipe, L"CommandLineToArgvW"); ReturnError(pipe, ERROR_STARTUP_DATA, L"Cannot validate options", 1, &exit_event); goto out; } /* Note: argv[0] is the first option */ if (argc < 1) /* no options */ { ret = TRUE; goto out; } /* * If only one argument, it is the config file */ if (argc == 1) { WCHAR *argv_tmp[2] = { L"--config", argv[0] }; if (!CheckOption(workdir, 2, argv_tmp, &settings)) { snwprintf(buf, _countof(buf), msg1, argv[0], workdir, settings.ovpn_admin_group); buf[_countof(buf) - 1] = L'\0'; ReturnError(pipe, ERROR_STARTUP_DATA, buf, 1, &exit_event); } goto out; } for (i = 0; i < argc; ++i) { if (!IsOption(argv[i])) { continue; } if (!CheckOption(workdir, argc-i, &argv[i], &settings)) { if (wcscmp(L"--config", argv[i]) == 0 && argc-i > 1) { snwprintf(buf, _countof(buf), msg1, argv[i+1], workdir, settings.ovpn_admin_group); buf[_countof(buf) - 1] = L'\0'; ReturnError(pipe, ERROR_STARTUP_DATA, buf, 1, &exit_event); } else { snwprintf(buf, _countof(buf), msg2, argv[i], settings.ovpn_admin_group); buf[_countof(buf) - 1] = L'\0'; ReturnError(pipe, ERROR_STARTUP_DATA, buf, 1, &exit_event); } goto out; } } /* all options passed */ ret = TRUE; out: if (argv) { LocalFree(argv); } return ret; } static BOOL GetStartupData(HANDLE pipe, STARTUP_DATA *sud) { size_t len; BOOL ret = FALSE; WCHAR *data = NULL; DWORD size, bytes, read; bytes = PeekNamedPipeAsync(pipe, 1, &exit_event); if (bytes == 0) { MsgToEventLog(M_SYSERR, TEXT("PeekNamedPipeAsync failed")); ReturnLastError(pipe, L"PeekNamedPipeAsync"); goto out; } size = bytes / sizeof(*data); data = malloc(bytes); if (data == NULL) { MsgToEventLog(M_SYSERR, TEXT("malloc failed")); ReturnLastError(pipe, L"malloc"); goto out; } read = ReadPipeAsync(pipe, data, bytes, 1, &exit_event); if (bytes != read) { MsgToEventLog(M_SYSERR, TEXT("ReadPipeAsync failed")); ReturnLastError(pipe, L"ReadPipeAsync"); goto out; } if (data[size - 1] != 0) { MsgToEventLog(M_ERR, TEXT("Startup data is not NULL terminated")); ReturnError(pipe, ERROR_STARTUP_DATA, L"GetStartupData", 1, &exit_event); goto out; } sud->directory = data; len = wcslen(sud->directory) + 1; size -= len; if (size <= 0) { MsgToEventLog(M_ERR, TEXT("Startup data ends at working directory")); ReturnError(pipe, ERROR_STARTUP_DATA, L"GetStartupData", 1, &exit_event); goto out; } sud->options = sud->directory + len; len = wcslen(sud->options) + 1; size -= len; if (size <= 0) { MsgToEventLog(M_ERR, TEXT("Startup data ends at command line options")); ReturnError(pipe, ERROR_STARTUP_DATA, L"GetStartupData", 1, &exit_event); goto out; } sud->std_input = sud->options + len; data = NULL; /* don't free data */ ret = TRUE; out: free(data); return ret; } static VOID FreeStartupData(STARTUP_DATA *sud) { free(sud->directory); } static SOCKADDR_INET sockaddr_inet(short family, inet_address_t *addr) { SOCKADDR_INET sa_inet; ZeroMemory(&sa_inet, sizeof(sa_inet)); sa_inet.si_family = family; if (family == AF_INET) { sa_inet.Ipv4.sin_addr = addr->ipv4; } else if (family == AF_INET6) { sa_inet.Ipv6.sin6_addr = addr->ipv6; } return sa_inet; } static DWORD InterfaceLuid(const char *iface_name, PNET_LUID luid) { NETIO_STATUS status; LPWSTR wide_name; int n; typedef NETIO_STATUS WINAPI (*ConvertInterfaceAliasToLuidFn) (LPCWSTR, PNET_LUID); static ConvertInterfaceAliasToLuidFn ConvertInterfaceAliasToLuid = NULL; if (!ConvertInterfaceAliasToLuid) { HMODULE iphlpapi = GetModuleHandle(TEXT("iphlpapi.dll")); if (iphlpapi == NULL) { return GetLastError(); } ConvertInterfaceAliasToLuid = (ConvertInterfaceAliasToLuidFn) GetProcAddress(iphlpapi, "ConvertInterfaceAliasToLuid"); if (!ConvertInterfaceAliasToLuid) { return GetLastError(); } } n = MultiByteToWideChar(CP_UTF8, 0, iface_name, -1, NULL, 0); wide_name = malloc(n * sizeof(WCHAR)); MultiByteToWideChar(CP_UTF8, 0, iface_name, -1, wide_name, n); status = ConvertInterfaceAliasToLuid(wide_name, luid); free(wide_name); return status; } static BOOL CmpAddress(LPVOID item, LPVOID address) { return memcmp(item, address, sizeof(MIB_UNICASTIPADDRESS_ROW)) == 0 ? TRUE : FALSE; } static DWORD DeleteAddress(PMIB_UNICASTIPADDRESS_ROW addr_row) { typedef NETIOAPI_API (*DeleteUnicastIpAddressEntryFn) (const PMIB_UNICASTIPADDRESS_ROW); static DeleteUnicastIpAddressEntryFn DeleteUnicastIpAddressEntry = NULL; if (!DeleteUnicastIpAddressEntry) { HMODULE iphlpapi = GetModuleHandle(TEXT("iphlpapi.dll")); if (iphlpapi == NULL) { return GetLastError(); } DeleteUnicastIpAddressEntry = (DeleteUnicastIpAddressEntryFn) GetProcAddress(iphlpapi, "DeleteUnicastIpAddressEntry"); if (!DeleteUnicastIpAddressEntry) { return GetLastError(); } } return DeleteUnicastIpAddressEntry(addr_row); } static DWORD HandleAddressMessage(address_message_t *msg, undo_lists_t *lists) { DWORD err; PMIB_UNICASTIPADDRESS_ROW addr_row; BOOL add = msg->header.type == msg_add_address; typedef NETIOAPI_API (*CreateUnicastIpAddressEntryFn) (const PMIB_UNICASTIPADDRESS_ROW); typedef NETIOAPI_API (*InitializeUnicastIpAddressEntryFn) (PMIB_UNICASTIPADDRESS_ROW); static CreateUnicastIpAddressEntryFn CreateUnicastIpAddressEntry = NULL; static InitializeUnicastIpAddressEntryFn InitializeUnicastIpAddressEntry = NULL; if (!CreateUnicastIpAddressEntry || !InitializeUnicastIpAddressEntry) { HMODULE iphlpapi = GetModuleHandle(TEXT("iphlpapi.dll")); if (iphlpapi == NULL) { return GetLastError(); } CreateUnicastIpAddressEntry = (CreateUnicastIpAddressEntryFn) GetProcAddress(iphlpapi, "CreateUnicastIpAddressEntry"); if (!CreateUnicastIpAddressEntry) { return GetLastError(); } InitializeUnicastIpAddressEntry = (InitializeUnicastIpAddressEntryFn) GetProcAddress(iphlpapi, "InitializeUnicastIpAddressEntry"); if (!InitializeUnicastIpAddressEntry) { return GetLastError(); } } addr_row = malloc(sizeof(*addr_row)); if (addr_row == NULL) { return ERROR_OUTOFMEMORY; } InitializeUnicastIpAddressEntry(addr_row); addr_row->Address = sockaddr_inet(msg->family, &msg->address); addr_row->OnLinkPrefixLength = (UINT8) msg->prefix_len; if (msg->iface.index != -1) { addr_row->InterfaceIndex = msg->iface.index; } else { NET_LUID luid; err = InterfaceLuid(msg->iface.name, &luid); if (err) { goto out; } addr_row->InterfaceLuid = luid; } if (add) { err = CreateUnicastIpAddressEntry(addr_row); if (err) { goto out; } err = AddListItem(&(*lists)[address], addr_row); if (err) { DeleteAddress(addr_row); } } else { err = DeleteAddress(addr_row); if (err) { goto out; } free(RemoveListItem(&(*lists)[address], CmpAddress, addr_row)); } out: if (!add || err) { free(addr_row); } return err; } static BOOL CmpRoute(LPVOID item, LPVOID route) { return memcmp(item, route, sizeof(MIB_IPFORWARD_ROW2)) == 0 ? TRUE : FALSE; } static DWORD DeleteRoute(PMIB_IPFORWARD_ROW2 fwd_row) { typedef NETIOAPI_API (*DeleteIpForwardEntry2Fn) (PMIB_IPFORWARD_ROW2); static DeleteIpForwardEntry2Fn DeleteIpForwardEntry2 = NULL; if (!DeleteIpForwardEntry2) { HMODULE iphlpapi = GetModuleHandle(TEXT("iphlpapi.dll")); if (iphlpapi == NULL) { return GetLastError(); } DeleteIpForwardEntry2 = (DeleteIpForwardEntry2Fn) GetProcAddress(iphlpapi, "DeleteIpForwardEntry2"); if (!DeleteIpForwardEntry2) { return GetLastError(); } } return DeleteIpForwardEntry2(fwd_row); } static DWORD HandleRouteMessage(route_message_t *msg, undo_lists_t *lists) { DWORD err; PMIB_IPFORWARD_ROW2 fwd_row; BOOL add = msg->header.type == msg_add_route; typedef NETIOAPI_API (*CreateIpForwardEntry2Fn) (PMIB_IPFORWARD_ROW2); static CreateIpForwardEntry2Fn CreateIpForwardEntry2 = NULL; if (!CreateIpForwardEntry2) { HMODULE iphlpapi = GetModuleHandle(TEXT("iphlpapi.dll")); if (iphlpapi == NULL) { return GetLastError(); } CreateIpForwardEntry2 = (CreateIpForwardEntry2Fn) GetProcAddress(iphlpapi, "CreateIpForwardEntry2"); if (!CreateIpForwardEntry2) { return GetLastError(); } } fwd_row = malloc(sizeof(*fwd_row)); if (fwd_row == NULL) { return ERROR_OUTOFMEMORY; } ZeroMemory(fwd_row, sizeof(*fwd_row)); fwd_row->ValidLifetime = 0xffffffff; fwd_row->PreferredLifetime = 0xffffffff; fwd_row->Protocol = MIB_IPPROTO_NETMGMT; fwd_row->Metric = msg->metric; fwd_row->DestinationPrefix.Prefix = sockaddr_inet(msg->family, &msg->prefix); fwd_row->DestinationPrefix.PrefixLength = (UINT8) msg->prefix_len; fwd_row->NextHop = sockaddr_inet(msg->family, &msg->gateway); if (msg->iface.index != -1) { fwd_row->InterfaceIndex = msg->iface.index; } else if (strlen(msg->iface.name)) { NET_LUID luid; err = InterfaceLuid(msg->iface.name, &luid); if (err) { goto out; } fwd_row->InterfaceLuid = luid; } if (add) { err = CreateIpForwardEntry2(fwd_row); if (err) { goto out; } err = AddListItem(&(*lists)[route], fwd_row); if (err) { DeleteRoute(fwd_row); } } else { err = DeleteRoute(fwd_row); if (err) { goto out; } free(RemoveListItem(&(*lists)[route], CmpRoute, fwd_row)); } out: if (!add || err) { free(fwd_row); } return err; } static DWORD HandleFlushNeighborsMessage(flush_neighbors_message_t *msg) { typedef NETIOAPI_API (*FlushIpNetTable2Fn) (ADDRESS_FAMILY, NET_IFINDEX); static FlushIpNetTable2Fn flush_fn = NULL; if (msg->family == AF_INET) { return FlushIpNetTable(msg->iface.index); } if (!flush_fn) { HMODULE iphlpapi = GetModuleHandle(TEXT("iphlpapi.dll")); if (iphlpapi == NULL) { return GetLastError(); } flush_fn = (FlushIpNetTable2Fn) GetProcAddress(iphlpapi, "FlushIpNetTable2"); if (!flush_fn) { if (GetLastError() == ERROR_PROC_NOT_FOUND) { return WSAEPFNOSUPPORT; } else { return GetLastError(); } } } return flush_fn(msg->family, msg->iface.index); } static void BlockDNSErrHandler(DWORD err, const char *msg) { TCHAR buf[256]; LPCTSTR err_str; if (!err) { return; } err_str = TEXT("Unknown Win32 Error"); if (FormatMessage(FORMAT_MESSAGE_IGNORE_INSERTS | FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_ARGUMENT_ARRAY, NULL, err, 0, buf, sizeof(buf), NULL)) { err_str = buf; } #ifdef UNICODE MsgToEventLog(M_ERR, L"%S (status = %lu): %s", msg, err, err_str); #else MsgToEventLog(M_ERR, "%s (status = %lu): %s", msg, err, err_str); #endif } /* Use an always-true match_fn to get the head of the list */ static BOOL CmpEngine(LPVOID item, LPVOID any) { return TRUE; } static DWORD HandleBlockDNSMessage(const block_dns_message_t *msg, undo_lists_t *lists) { DWORD err = 0; block_dns_data_t *interface_data; HANDLE engine = NULL; LPCWSTR exe_path; #ifdef UNICODE exe_path = settings.exe_path; #else WCHAR wide_path[MAX_PATH]; MultiByteToWideChar(CP_UTF8, 0, settings.exe_path, MAX_PATH, wide_path, MAX_PATH); exe_path = wide_path; #endif if (msg->header.type == msg_add_block_dns) { err = add_block_dns_filters(&engine, msg->iface.index, exe_path, BlockDNSErrHandler); if (!err) { interface_data = malloc(sizeof(block_dns_data_t)); if (!interface_data) { return ERROR_OUTOFMEMORY; } interface_data->engine = engine; interface_data->index = msg->iface.index; interface_data->metric_v4 = get_interface_metric(msg->iface.index, AF_INET); if (interface_data->metric_v4 < 0) { interface_data->metric_v4 = -1; } interface_data->metric_v6 = get_interface_metric(msg->iface.index, AF_INET6); if (interface_data->metric_v6 < 0) { interface_data->metric_v6 = -1; } err = AddListItem(&(*lists)[block_dns], interface_data); if (!err) { err = set_interface_metric(msg->iface.index, AF_INET, BLOCK_DNS_IFACE_METRIC); if (!err) { set_interface_metric(msg->iface.index, AF_INET6, BLOCK_DNS_IFACE_METRIC); } } } } else { interface_data = RemoveListItem(&(*lists)[block_dns], CmpEngine, NULL); if (interface_data) { engine = interface_data->engine; err = delete_block_dns_filters(engine); engine = NULL; if (interface_data->metric_v4 >= 0) { set_interface_metric(msg->iface.index, AF_INET, interface_data->metric_v4); } if (interface_data->metric_v6 >= 0) { set_interface_metric(msg->iface.index, AF_INET6, interface_data->metric_v6); } free(interface_data); } else { MsgToEventLog(M_ERR, TEXT("No previous block DNS filters to delete")); } } if (err && engine) { delete_block_dns_filters(engine); } return err; } /* * Execute a command and return its exit code. If timeout > 0, terminate * the process if still running after timeout milliseconds. In that case * the return value is the windows error code WAIT_TIMEOUT = 0x102 */ static DWORD ExecCommand(const WCHAR *argv0, const WCHAR *cmdline, DWORD timeout) { DWORD exit_code; STARTUPINFOW si; PROCESS_INFORMATION pi; DWORD proc_flags = CREATE_NO_WINDOW|CREATE_UNICODE_ENVIRONMENT; WCHAR *cmdline_dup = NULL; ZeroMemory(&si, sizeof(si)); ZeroMemory(&pi, sizeof(pi)); si.cb = sizeof(si); /* CreateProcess needs a modifiable cmdline: make a copy */ cmdline_dup = wcsdup(cmdline); if (cmdline_dup && CreateProcessW(argv0, cmdline_dup, NULL, NULL, FALSE, proc_flags, NULL, NULL, &si, &pi) ) { WaitForSingleObject(pi.hProcess, timeout ? timeout : INFINITE); if (!GetExitCodeProcess(pi.hProcess, &exit_code)) { MsgToEventLog(M_SYSERR, TEXT("ExecCommand: Error getting exit_code:")); exit_code = GetLastError(); } else if (exit_code == STILL_ACTIVE) { exit_code = WAIT_TIMEOUT; /* Windows error code 0x102 */ /* kill without impunity */ TerminateProcess(pi.hProcess, exit_code); MsgToEventLog(M_ERR, TEXT("ExecCommand: \"%s %s\" killed after timeout"), argv0, cmdline); } else if (exit_code) { MsgToEventLog(M_ERR, TEXT("ExecCommand: \"%s %s\" exited with status = %lu"), argv0, cmdline, exit_code); } else { MsgToEventLog(M_INFO, TEXT("ExecCommand: \"%s %s\" completed"), argv0, cmdline); } CloseHandle(pi.hProcess); CloseHandle(pi.hThread); } else { exit_code = GetLastError(); MsgToEventLog(M_SYSERR, TEXT("ExecCommand: could not run \"%s %s\" :"), argv0, cmdline); } free(cmdline_dup); return exit_code; } /* * Entry point for register-dns thread. */ static DWORD WINAPI RegisterDNS(LPVOID unused) { DWORD err; DWORD i; WCHAR sys_path[MAX_PATH]; DWORD timeout = RDNS_TIMEOUT * 1000; /* in milliseconds */ /* default path of ipconfig command */ WCHAR ipcfg[MAX_PATH] = L"C:\\Windows\\system32\\ipconfig.exe"; struct { WCHAR *argv0; WCHAR *cmdline; DWORD timeout; } cmds [] = { { ipcfg, L"ipconfig /flushdns", timeout }, { ipcfg, L"ipconfig /registerdns", timeout }, }; int ncmds = sizeof(cmds) / sizeof(cmds[0]); HANDLE wait_handles[2] = {rdns_semaphore, exit_event}; if (GetSystemDirectory(sys_path, MAX_PATH)) { _snwprintf(ipcfg, MAX_PATH, L"%s\\%s", sys_path, L"ipconfig.exe"); ipcfg[MAX_PATH-1] = L'\0'; } if (WaitForMultipleObjects(2, wait_handles, FALSE, timeout) == WAIT_OBJECT_0) { /* Semaphore locked */ for (i = 0; i < ncmds; ++i) { ExecCommand(cmds[i].argv0, cmds[i].cmdline, cmds[i].timeout); } err = 0; if (!ReleaseSemaphore(rdns_semaphore, 1, NULL) ) { err = MsgToEventLog(M_SYSERR, TEXT("RegisterDNS: Failed to release regsiter-dns semaphore:")); } } else { MsgToEventLog(M_ERR, TEXT("RegisterDNS: Failed to lock register-dns semaphore")); err = ERROR_SEM_TIMEOUT; /* Windows error code 0x79 */ } return err; } static DWORD HandleRegisterDNSMessage(void) { DWORD err; HANDLE thread = NULL; /* Delegate this job to a sub-thread */ thread = CreateThread(NULL, 0, RegisterDNS, NULL, 0, NULL); /* * We don't add these thread handles to the undo list -- the thread and * processes it spawns are all supposed to terminate or timeout by themselves. */ if (thread) { err = 0; CloseHandle(thread); } else { err = GetLastError(); } return err; } /** * Run the command: netsh interface $proto $action dns $if_name $addr [validate=no] * @param action "delete" or "add" * @param proto "ipv6" or "ip" * @param if_name "name_of_interface" * @param addr IPv4 (for proto = ip) or IPv6 address as a string * * If addr is null and action = "delete" all addresses are deleted. */ static DWORD netsh_dns_cmd(const wchar_t *action, const wchar_t *proto, const wchar_t *if_name, const wchar_t *addr) { DWORD err = 0; int timeout = 30000; /* in msec */ wchar_t argv0[MAX_PATH]; if (!addr) { if (wcscmp(action, L"delete") == 0) { addr = L"all"; } else /* nothing to do -- return success*/ { goto out; } } /* Path of netsh */ int n = GetSystemDirectory(argv0, MAX_PATH); if (n > 0 && n < MAX_PATH) /* got system directory */ { wcsncat(argv0, L"\\netsh.exe", MAX_PATH - n - 1); } else { wcsncpy(argv0, L"C:\\Windows\\system32\\netsh.exe", MAX_PATH); } /* cmd template: * netsh interface $proto $action dns $if_name $addr [validate=no] */ const wchar_t *fmt = L"netsh interface %s %s dns \"%s\" %s"; /* max cmdline length in wchars -- include room for worst case and some */ int ncmdline = wcslen(fmt) + wcslen(if_name) + wcslen(addr) + 32 + 1; wchar_t *cmdline = malloc(ncmdline*sizeof(wchar_t)); if (!cmdline) { err = ERROR_OUTOFMEMORY; goto out; } openvpn_sntprintf(cmdline, ncmdline, fmt, proto, action, if_name, addr); if (IsWindows7OrGreater()) { wcsncat(cmdline, L" validate=no", ncmdline - wcslen(cmdline) - 1); } err = ExecCommand(argv0, cmdline, timeout); out: free(cmdline); return err; } /* Delete all IPv4 or IPv6 dns servers for an interface */ static DWORD DeleteDNS(short family, wchar_t *if_name) { wchar_t *proto = (family == AF_INET6) ? L"ipv6" : L"ip"; return netsh_dns_cmd(L"delete", proto, if_name, NULL); } /* Add an IPv4 or IPv6 dns server to an interface */ static DWORD AddDNS(short family, wchar_t *if_name, wchar_t *addr) { wchar_t *proto = (family == AF_INET6) ? L"ipv6" : L"ip"; return netsh_dns_cmd(L"add", proto, if_name, addr); } static BOOL CmpWString(LPVOID item, LPVOID str) { return (wcscmp(item, str) == 0) ? TRUE : FALSE; } static DWORD HandleDNSConfigMessage(const dns_cfg_message_t *msg, undo_lists_t *lists) { DWORD err = 0; wchar_t addr[46]; /* large enough to hold string representation of an ipv4 / ipv6 address */ undo_type_t undo_type = (msg->family == AF_INET6) ? undo_dns4 : undo_dns6; int addr_len = msg->addr_len; /* sanity check */ if (addr_len > _countof(msg->addr)) { addr_len = _countof(msg->addr); } if (!msg->iface.name[0]) /* interface name is required */ { return ERROR_MESSAGE_DATA; } wchar_t *wide_name = utf8to16(msg->iface.name); /* utf8 to wide-char */ if (!wide_name) { return ERROR_OUTOFMEMORY; } /* We delete all current addresses before adding any * OR if the message type is del_dns_cfg */ if (addr_len > 0 || msg->header.type == msg_del_dns_cfg) { err = DeleteDNS(msg->family, wide_name); if (err) { goto out; } free(RemoveListItem(&(*lists)[undo_type], CmpWString, wide_name)); } if (msg->header.type == msg_del_dns_cfg) /* job done */ { goto out; } for (int i = 0; i < addr_len; ++i) { if (msg->family == AF_INET6) { RtlIpv6AddressToStringW(&msg->addr[i].ipv6, addr); } else { RtlIpv4AddressToStringW(&msg->addr[i].ipv4, addr); } err = AddDNS(msg->family, wide_name, addr); if (i == 0 && err) { goto out; } /* We do not check for duplicate addresses, so any error in adding * additional addresses is ignored. */ } if (msg->addr_len > 0) { wchar_t *tmp_name = wcsdup(wide_name); if (!tmp_name || AddListItem(&(*lists)[undo_type], tmp_name)) { free(tmp_name); DeleteDNS(msg->family, wide_name); err = ERROR_OUTOFMEMORY; goto out; } } err = 0; out: free(wide_name); return err; } static VOID HandleMessage(HANDLE pipe, DWORD bytes, DWORD count, LPHANDLE events, undo_lists_t *lists) { DWORD read; union { message_header_t header; address_message_t address; route_message_t route; flush_neighbors_message_t flush_neighbors; block_dns_message_t block_dns; dns_cfg_message_t dns; } msg; ack_message_t ack = { .header = { .type = msg_acknowledgement, .size = sizeof(ack), .message_id = -1 }, .error_number = ERROR_MESSAGE_DATA }; read = ReadPipeAsync(pipe, &msg, bytes, count, events); if (read != bytes || read < sizeof(msg.header) || read != msg.header.size) { goto out; } ack.header.message_id = msg.header.message_id; switch (msg.header.type) { case msg_add_address: case msg_del_address: if (msg.header.size == sizeof(msg.address)) { ack.error_number = HandleAddressMessage(&msg.address, lists); } break; case msg_add_route: case msg_del_route: if (msg.header.size == sizeof(msg.route)) { ack.error_number = HandleRouteMessage(&msg.route, lists); } break; case msg_flush_neighbors: if (msg.header.size == sizeof(msg.flush_neighbors)) { ack.error_number = HandleFlushNeighborsMessage(&msg.flush_neighbors); } break; case msg_add_block_dns: case msg_del_block_dns: if (msg.header.size == sizeof(msg.block_dns)) { ack.error_number = HandleBlockDNSMessage(&msg.block_dns, lists); } break; case msg_register_dns: ack.error_number = HandleRegisterDNSMessage(); break; case msg_add_dns_cfg: case msg_del_dns_cfg: ack.error_number = HandleDNSConfigMessage(&msg.dns, lists); break; default: ack.error_number = ERROR_MESSAGE_TYPE; MsgToEventLog(MSG_FLAGS_ERROR, TEXT("Unknown message type %d"), msg.header.type); break; } out: WritePipeAsync(pipe, &ack, sizeof(ack), count, events); } static VOID Undo(undo_lists_t *lists) { undo_type_t type; block_dns_data_t *interface_data; for (type = 0; type < _undo_type_max; type++) { list_item_t **pnext = &(*lists)[type]; while (*pnext) { list_item_t *item = *pnext; switch (type) { case address: DeleteAddress(item->data); break; case route: DeleteRoute(item->data); break; case undo_dns4: DeleteDNS(AF_INET, item->data); break; case undo_dns6: DeleteDNS(AF_INET6, item->data); break; case block_dns: interface_data = (block_dns_data_t*)(item->data); delete_block_dns_filters(interface_data->engine); if (interface_data->metric_v4 >= 0) { set_interface_metric(interface_data->index, AF_INET, interface_data->metric_v4); } if (interface_data->metric_v6 >= 0) { set_interface_metric(interface_data->index, AF_INET6, interface_data->metric_v6); } break; } /* Remove from the list and free memory */ *pnext = item->next; free(item->data); free(item); } } } static DWORD WINAPI RunOpenvpn(LPVOID p) { HANDLE pipe = p; HANDLE ovpn_pipe, svc_pipe; PTOKEN_USER svc_user, ovpn_user; HANDLE svc_token = NULL, imp_token = NULL, pri_token = NULL; HANDLE stdin_read = NULL, stdin_write = NULL; HANDLE stdout_write = NULL; DWORD pipe_mode, len, exit_code = 0; STARTUP_DATA sud = { 0, 0, 0 }; STARTUPINFOW startup_info; PROCESS_INFORMATION proc_info; LPVOID user_env = NULL; TCHAR ovpn_pipe_name[36]; LPCWSTR exe_path; WCHAR *cmdline = NULL; size_t cmdline_size; undo_lists_t undo_lists; SECURITY_ATTRIBUTES inheritable = { .nLength = sizeof(inheritable), .lpSecurityDescriptor = NULL, .bInheritHandle = TRUE }; PACL ovpn_dacl; EXPLICIT_ACCESS ea[2]; SECURITY_DESCRIPTOR ovpn_sd; SECURITY_ATTRIBUTES ovpn_sa = { .nLength = sizeof(ovpn_sa), .lpSecurityDescriptor = &ovpn_sd, .bInheritHandle = FALSE }; ZeroMemory(&ea, sizeof(ea)); ZeroMemory(&startup_info, sizeof(startup_info)); ZeroMemory(&undo_lists, sizeof(undo_lists)); ZeroMemory(&proc_info, sizeof(proc_info)); if (!GetStartupData(pipe, &sud)) { goto out; } if (!InitializeSecurityDescriptor(&ovpn_sd, SECURITY_DESCRIPTOR_REVISION)) { ReturnLastError(pipe, L"InitializeSecurityDescriptor"); goto out; } /* Get SID of user the service is running under */ if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &svc_token)) { ReturnLastError(pipe, L"OpenProcessToken"); goto out; } len = 0; svc_user = NULL; while (!GetTokenInformation(svc_token, TokenUser, svc_user, len, &len)) { if (GetLastError() != ERROR_INSUFFICIENT_BUFFER) { ReturnLastError(pipe, L"GetTokenInformation (service token)"); goto out; } free(svc_user); svc_user = malloc(len); if (svc_user == NULL) { ReturnLastError(pipe, L"malloc (service token user)"); goto out; } } if (!IsValidSid(svc_user->User.Sid)) { ReturnLastError(pipe, L"IsValidSid (service token user)"); goto out; } if (!ImpersonateNamedPipeClient(pipe)) { ReturnLastError(pipe, L"ImpersonateNamedPipeClient"); goto out; } if (!OpenThreadToken(GetCurrentThread(), TOKEN_ALL_ACCESS, FALSE, &imp_token)) { ReturnLastError(pipe, L"OpenThreadToken"); goto out; } len = 0; ovpn_user = NULL; while (!GetTokenInformation(imp_token, TokenUser, ovpn_user, len, &len)) { if (GetLastError() != ERROR_INSUFFICIENT_BUFFER) { ReturnLastError(pipe, L"GetTokenInformation (impersonation token)"); goto out; } free(ovpn_user); ovpn_user = malloc(len); if (ovpn_user == NULL) { ReturnLastError(pipe, L"malloc (impersonation token user)"); goto out; } } if (!IsValidSid(ovpn_user->User.Sid)) { ReturnLastError(pipe, L"IsValidSid (impersonation token user)"); goto out; } /* Check user is authorized or options are white-listed */ if (!IsAuthorizedUser(ovpn_user->User.Sid, imp_token, settings.ovpn_admin_group) && !ValidateOptions(pipe, sud.directory, sud.options)) { goto out; } /* OpenVPN process DACL entry for access by service and user */ ea[0].grfAccessPermissions = SPECIFIC_RIGHTS_ALL | STANDARD_RIGHTS_ALL; ea[0].grfAccessMode = SET_ACCESS; ea[0].grfInheritance = NO_INHERITANCE; ea[0].Trustee.TrusteeForm = TRUSTEE_IS_SID; ea[0].Trustee.TrusteeType = TRUSTEE_IS_UNKNOWN; ea[0].Trustee.ptstrName = (LPTSTR) svc_user->User.Sid; ea[1].grfAccessPermissions = READ_CONTROL | SYNCHRONIZE | PROCESS_VM_READ |SYNCHRONIZE | PROCESS_TERMINATE | PROCESS_QUERY_INFORMATION; ea[1].grfAccessMode = SET_ACCESS; ea[1].grfInheritance = NO_INHERITANCE; ea[1].Trustee.TrusteeForm = TRUSTEE_IS_SID; ea[1].Trustee.TrusteeType = TRUSTEE_IS_UNKNOWN; ea[1].Trustee.ptstrName = (LPTSTR) ovpn_user->User.Sid; /* Set owner and DACL of OpenVPN security descriptor */ if (!SetSecurityDescriptorOwner(&ovpn_sd, svc_user->User.Sid, FALSE)) { ReturnLastError(pipe, L"SetSecurityDescriptorOwner"); goto out; } if (SetEntriesInAcl(2, ea, NULL, &ovpn_dacl) != ERROR_SUCCESS) { ReturnLastError(pipe, L"SetEntriesInAcl"); goto out; } if (!SetSecurityDescriptorDacl(&ovpn_sd, TRUE, ovpn_dacl, FALSE)) { ReturnLastError(pipe, L"SetSecurityDescriptorDacl"); goto out; } /* Create primary token from impersonation token */ if (!DuplicateTokenEx(imp_token, TOKEN_ALL_ACCESS, NULL, 0, TokenPrimary, &pri_token)) { ReturnLastError(pipe, L"DuplicateTokenEx"); goto out; } /* use /dev/null for stdout of openvpn (client should use --log for output) */ stdout_write = CreateFile(_T("NUL"), GENERIC_WRITE, FILE_SHARE_WRITE, &inheritable, OPEN_EXISTING, 0, NULL); if (stdout_write == INVALID_HANDLE_VALUE) { ReturnLastError(pipe, L"CreateFile for stdout"); goto out; } if (!CreatePipe(&stdin_read, &stdin_write, &inheritable, 0) || !SetHandleInformation(stdin_write, HANDLE_FLAG_INHERIT, 0)) { ReturnLastError(pipe, L"CreatePipe"); goto out; } openvpn_sntprintf(ovpn_pipe_name, _countof(ovpn_pipe_name), TEXT("\\\\.\\pipe\\openvpn\\service_%lu"), GetCurrentThreadId()); ovpn_pipe = CreateNamedPipe(ovpn_pipe_name, PIPE_ACCESS_DUPLEX | FILE_FLAG_FIRST_PIPE_INSTANCE | FILE_FLAG_OVERLAPPED, PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE | PIPE_WAIT, 1, 128, 128, 0, NULL); if (ovpn_pipe == INVALID_HANDLE_VALUE) { ReturnLastError(pipe, L"CreateNamedPipe"); goto out; } svc_pipe = CreateFile(ovpn_pipe_name, GENERIC_READ | GENERIC_WRITE, 0, &inheritable, OPEN_EXISTING, 0, NULL); if (svc_pipe == INVALID_HANDLE_VALUE) { ReturnLastError(pipe, L"CreateFile"); goto out; } pipe_mode = PIPE_READMODE_MESSAGE; if (!SetNamedPipeHandleState(svc_pipe, &pipe_mode, NULL, NULL)) { ReturnLastError(pipe, L"SetNamedPipeHandleState"); goto out; } cmdline_size = wcslen(sud.options) + 128; cmdline = malloc(cmdline_size * sizeof(*cmdline)); if (cmdline == NULL) { ReturnLastError(pipe, L"malloc"); goto out; } openvpn_sntprintf(cmdline, cmdline_size, L"openvpn %s --msg-channel %lu", sud.options, svc_pipe); if (!CreateEnvironmentBlock(&user_env, imp_token, FALSE)) { ReturnLastError(pipe, L"CreateEnvironmentBlock"); goto out; } startup_info.cb = sizeof(startup_info); startup_info.lpDesktop = L"winsta0\\default"; startup_info.dwFlags = STARTF_USESTDHANDLES; startup_info.hStdInput = stdin_read; startup_info.hStdOutput = stdout_write; startup_info.hStdError = stdout_write; #ifdef UNICODE exe_path = settings.exe_path; #else WCHAR wide_path[MAX_PATH]; MultiByteToWideChar(CP_UTF8, 0, settings.exe_path, MAX_PATH, wide_path, MAX_PATH); exe_path = wide_path; #endif /* TODO: make sure HKCU is correct or call LoadUserProfile() */ if (!CreateProcessAsUserW(pri_token, exe_path, cmdline, &ovpn_sa, NULL, TRUE, settings.priority | CREATE_NO_WINDOW | CREATE_UNICODE_ENVIRONMENT, user_env, sud.directory, &startup_info, &proc_info)) { ReturnLastError(pipe, L"CreateProcessAsUser"); goto out; } if (!RevertToSelf()) { TerminateProcess(proc_info.hProcess, 1); ReturnLastError(pipe, L"RevertToSelf"); goto out; } ReturnProcessId(pipe, proc_info.dwProcessId, 1, &exit_event); CloseHandleEx(&stdout_write); CloseHandleEx(&stdin_read); CloseHandleEx(&svc_pipe); DWORD input_size = WideCharToMultiByte(CP_UTF8, 0, sud.std_input, -1, NULL, 0, NULL, NULL); LPSTR input = NULL; if (input_size && (input = malloc(input_size))) { DWORD written; WideCharToMultiByte(CP_UTF8, 0, sud.std_input, -1, input, input_size, NULL, NULL); WriteFile(stdin_write, input, strlen(input), &written, NULL); free(input); } while (TRUE) { DWORD bytes = PeekNamedPipeAsync(ovpn_pipe, 1, &exit_event); if (bytes == 0) { break; } HandleMessage(ovpn_pipe, bytes, 1, &exit_event, &undo_lists); } WaitForSingleObject(proc_info.hProcess, IO_TIMEOUT); GetExitCodeProcess(proc_info.hProcess, &exit_code); if (exit_code == STILL_ACTIVE) { TerminateProcess(proc_info.hProcess, 1); } else if (exit_code != 0) { WCHAR buf[256]; int len = _snwprintf(buf, _countof(buf), L"OpenVPN exited with error: exit code = %lu", exit_code); buf[_countof(buf) - 1] = L'\0'; ReturnError(pipe, ERROR_OPENVPN_STARTUP, buf, 1, &exit_event); } Undo(&undo_lists); out: FlushFileBuffers(pipe); DisconnectNamedPipe(pipe); free(ovpn_user); free(svc_user); free(cmdline); DestroyEnvironmentBlock(user_env); FreeStartupData(&sud); CloseHandleEx(&proc_info.hProcess); CloseHandleEx(&proc_info.hThread); CloseHandleEx(&stdin_read); CloseHandleEx(&stdin_write); CloseHandleEx(&stdout_write); CloseHandleEx(&svc_token); CloseHandleEx(&imp_token); CloseHandleEx(&pri_token); CloseHandleEx(&ovpn_pipe); CloseHandleEx(&svc_pipe); CloseHandleEx(&pipe); return 0; } static DWORD WINAPI ServiceCtrlInteractive(DWORD ctrl_code, DWORD event, LPVOID data, LPVOID ctx) { SERVICE_STATUS *status = ctx; switch (ctrl_code) { case SERVICE_CONTROL_STOP: status->dwCurrentState = SERVICE_STOP_PENDING; ReportStatusToSCMgr(service, status); if (exit_event) { SetEvent(exit_event); } return NO_ERROR; case SERVICE_CONTROL_INTERROGATE: return NO_ERROR; default: return ERROR_CALL_NOT_IMPLEMENTED; } } static HANDLE CreateClientPipeInstance(VOID) { HANDLE pipe = NULL; PACL old_dacl, new_dacl; PSECURITY_DESCRIPTOR sd; static EXPLICIT_ACCESS ea[2]; static BOOL initialized = FALSE; DWORD flags = PIPE_ACCESS_DUPLEX | WRITE_DAC | FILE_FLAG_OVERLAPPED; if (!initialized) { PSID everyone, anonymous; ConvertStringSidToSid(TEXT("S-1-1-0"), &everyone); ConvertStringSidToSid(TEXT("S-1-5-7"), &anonymous); ea[0].grfAccessPermissions = FILE_GENERIC_WRITE; ea[0].grfAccessMode = GRANT_ACCESS; ea[0].grfInheritance = NO_INHERITANCE; ea[0].Trustee.pMultipleTrustee = NULL; ea[0].Trustee.MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE; ea[0].Trustee.TrusteeForm = TRUSTEE_IS_SID; ea[0].Trustee.TrusteeType = TRUSTEE_IS_UNKNOWN; ea[0].Trustee.ptstrName = (LPTSTR) everyone; ea[1].grfAccessPermissions = 0; ea[1].grfAccessMode = REVOKE_ACCESS; ea[1].grfInheritance = NO_INHERITANCE; ea[1].Trustee.pMultipleTrustee = NULL; ea[1].Trustee.MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE; ea[1].Trustee.TrusteeForm = TRUSTEE_IS_SID; ea[1].Trustee.TrusteeType = TRUSTEE_IS_UNKNOWN; ea[1].Trustee.ptstrName = (LPTSTR) anonymous; flags |= FILE_FLAG_FIRST_PIPE_INSTANCE; initialized = TRUE; } pipe = CreateNamedPipe(TEXT("\\\\.\\pipe\\openvpn\\service"), flags, PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE, PIPE_UNLIMITED_INSTANCES, 1024, 1024, 0, NULL); if (pipe == INVALID_HANDLE_VALUE) { MsgToEventLog(M_SYSERR, TEXT("Could not create named pipe")); return INVALID_HANDLE_VALUE; } if (GetSecurityInfo(pipe, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, &old_dacl, NULL, &sd) != ERROR_SUCCESS) { MsgToEventLog(M_SYSERR, TEXT("Could not get pipe security info")); return CloseHandleEx(&pipe); } if (SetEntriesInAcl(2, ea, old_dacl, &new_dacl) != ERROR_SUCCESS) { MsgToEventLog(M_SYSERR, TEXT("Could not set entries in new acl")); return CloseHandleEx(&pipe); } if (SetSecurityInfo(pipe, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, new_dacl, NULL) != ERROR_SUCCESS) { MsgToEventLog(M_SYSERR, TEXT("Could not set pipe security info")); return CloseHandleEx(&pipe); } return pipe; } static DWORD UpdateWaitHandles(LPHANDLE *handles_ptr, LPDWORD count, HANDLE io_event, HANDLE exit_event, list_item_t *threads) { static DWORD size = 10; static LPHANDLE handles = NULL; DWORD pos = 0; if (handles == NULL) { handles = malloc(size * sizeof(HANDLE)); *handles_ptr = handles; if (handles == NULL) { return ERROR_OUTOFMEMORY; } } handles[pos++] = io_event; if (!threads) { handles[pos++] = exit_event; } while (threads) { if (pos == size) { LPHANDLE tmp; size += 10; tmp = realloc(handles, size * sizeof(HANDLE)); if (tmp == NULL) { size -= 10; *count = pos; return ERROR_OUTOFMEMORY; } handles = tmp; *handles_ptr = handles; } handles[pos++] = threads->data; threads = threads->next; } *count = pos; return NO_ERROR; } static VOID FreeWaitHandles(LPHANDLE h) { free(h); } VOID WINAPI ServiceStartInteractive(DWORD dwArgc, LPTSTR *lpszArgv) { HANDLE pipe, io_event = NULL; OVERLAPPED overlapped; DWORD error = NO_ERROR; list_item_t *threads = NULL; PHANDLE handles = NULL; DWORD handle_count; BOOL CmpHandle(LPVOID item, LPVOID hnd) { return item == hnd; } service = RegisterServiceCtrlHandlerEx(interactive_service.name, ServiceCtrlInteractive, &status); if (!service) { return; } status.dwServiceType = SERVICE_WIN32_SHARE_PROCESS; status.dwCurrentState = SERVICE_START_PENDING; status.dwServiceSpecificExitCode = NO_ERROR; status.dwWin32ExitCode = NO_ERROR; status.dwWaitHint = 3000; ReportStatusToSCMgr(service, &status); /* Read info from registry in key HKLM\SOFTWARE\OpenVPN */ error = GetOpenvpnSettings(&settings); if (error != ERROR_SUCCESS) { goto out; } io_event = InitOverlapped(&overlapped); exit_event = CreateEvent(NULL, TRUE, FALSE, NULL); if (!exit_event || !io_event) { error = MsgToEventLog(M_SYSERR, TEXT("Could not create event")); goto out; } rdns_semaphore = CreateSemaphoreW(NULL, 1, 1, NULL); if (!rdns_semaphore) { error = MsgToEventLog(M_SYSERR, TEXT("Could not create semaphore for register-dns")); goto out; } error = UpdateWaitHandles(&handles, &handle_count, io_event, exit_event, threads); if (error != NO_ERROR) { goto out; } pipe = CreateClientPipeInstance(); if (pipe == INVALID_HANDLE_VALUE) { goto out; } status.dwCurrentState = SERVICE_RUNNING; status.dwWaitHint = 0; ReportStatusToSCMgr(service, &status); while (TRUE) { if (ConnectNamedPipe(pipe, &overlapped) == FALSE && GetLastError() != ERROR_PIPE_CONNECTED && GetLastError() != ERROR_IO_PENDING) { MsgToEventLog(M_SYSERR, TEXT("Could not connect pipe")); break; } error = WaitForMultipleObjects(handle_count, handles, FALSE, INFINITE); if (error == WAIT_OBJECT_0) { /* Client connected, spawn a worker thread for it */ HANDLE next_pipe = CreateClientPipeInstance(); HANDLE thread = CreateThread(NULL, 0, RunOpenvpn, pipe, CREATE_SUSPENDED, NULL); if (thread) { error = AddListItem(&threads, thread); if (!error) { error = UpdateWaitHandles(&handles, &handle_count, io_event, exit_event, threads); } if (error) { ReturnError(pipe, error, L"Insufficient resources to service new clients", 1, &exit_event); /* Update wait handles again after removing the last worker thread */ RemoveListItem(&threads, CmpHandle, thread); UpdateWaitHandles(&handles, &handle_count, io_event, exit_event, threads); TerminateThread(thread, 1); CloseHandleEx(&thread); CloseHandleEx(&pipe); } else { ResumeThread(thread); } } else { CloseHandleEx(&pipe); } ResetOverlapped(&overlapped); pipe = next_pipe; } else { CancelIo(pipe); if (error == WAIT_FAILED) { MsgToEventLog(M_SYSERR, TEXT("WaitForMultipleObjects failed")); SetEvent(exit_event); /* Give some time for worker threads to exit and then terminate */ Sleep(1000); break; } if (!threads) { /* exit event signaled */ CloseHandleEx(&pipe); ResetEvent(exit_event); error = NO_ERROR; break; } /* Worker thread ended */ HANDLE thread = RemoveListItem(&threads, CmpHandle, handles[error]); UpdateWaitHandles(&handles, &handle_count, io_event, exit_event, threads); CloseHandleEx(&thread); } } out: FreeWaitHandles(handles); CloseHandleEx(&io_event); CloseHandleEx(&exit_event); CloseHandleEx(&rdns_semaphore); status.dwCurrentState = SERVICE_STOPPED; status.dwWin32ExitCode = error; ReportStatusToSCMgr(service, &status); } openvpn-2.4.4/src/openvpnserv/openvpnserv.vcxproj000066400000000000000000000134451316434344000223750ustar00rootroot00000000000000 Debug Win32 Release Win32 {9C91EE0B-817D-420A-A1E6-15A5A9D98BAD} openvpnserv Win32Proj Application MultiByte true v120 Application MultiByte v120 <_ProjectFileVersion>10.0.30319.1 $(SolutionDir)$(Platform)-Output\$(Configuration)\ $(Configuration)\ true $(SolutionDir)$(Platform)-Output\$(Configuration)\ $(Configuration)\ false Disabled $(SOURCEBASE);%(AdditionalIncludeDirectories) WIN32;_DEBUG;_CONSOLE;$(CPPFLAGS);%(PreprocessorDefinitions) true EnableFastChecks MultiThreadedDebugDLL Level3 EditAndContinue $(SOURCEBASE);%(AdditionalIncludeDirectories) true Console MachineX86 MaxSpeed true $(SOURCEBASE);%(AdditionalIncludeDirectories) WIN32;NDEBUG;_CONSOLE;$(CPPFLAGS);%(PreprocessorDefinitions) MultiThreadedDLL true Level3 ProgramDatabase $(SOURCEBASE);%(AdditionalIncludeDirectories) true Console true true MachineX86 {8598c2c8-34c4-47a1-99b0-7c295a890615} false openvpn-2.4.4/src/openvpnserv/openvpnserv.vcxproj.filters000066400000000000000000000024401316434344000240350ustar00rootroot00000000000000 {4FC737F1-C7A5-4376-A066-2A32D752A2FF} cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx {93995380-89BD-4b04-88EB-625FBE52EBFB} h;hpp;hxx;hm;inl;inc;xsd {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav Source Files Source Files Header Files Resource Files openvpn-2.4.4/src/openvpnserv/openvpnserv_resources.rc000066400000000000000000000020311316434344000233650ustar00rootroot00000000000000#ifdef HAVE_CONFIG_H #include #else #include #endif #include #pragma code_page(65001) /* UTF8 */ LANGUAGE LANG_NEUTRAL, SUBLANG_NEUTRAL VS_VERSION_INFO VERSIONINFO FILEVERSION OPENVPN_VERSION_RESOURCE PRODUCTVERSION OPENVPN_VERSION_RESOURCE FILEFLAGSMASK 0x3fL #ifdef _DEBUG FILEFLAGS 0x1L #else FILEFLAGS 0x0L #endif FILEOS 0x40004L FILETYPE 0x2L FILESUBTYPE 0x0L BEGIN BLOCK "StringFileInfo" BEGIN BLOCK "040904b0" BEGIN VALUE "CompanyName", "The OpenVPN Project" VALUE "FileDescription", "OpenVPN Service" VALUE "FileVersion", PACKAGE_VERSION ".0" VALUE "InternalName", "OpenVPN" VALUE "LegalCopyright", "Copyright © The OpenVPN Project" VALUE "OriginalFilename", "openvpnserv.exe" VALUE "ProductName", "OpenVPN" VALUE "ProductVersion", PACKAGE_VERSION ".0" END END BLOCK "VarFileInfo" BEGIN VALUE "Translation", 0x409, 1200 END END openvpn-2.4.4/src/openvpnserv/service.c000066400000000000000000000163741316434344000202030ustar00rootroot00000000000000/* * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED * TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A * PARTICULAR PURPOSE. * * Copyright (C) 1993 - 2000. Microsoft Corporation. All rights reserved. * 2013 Heiko Hund */ #include "service.h" #include #include #include openvpn_service_t openvpn_service[_service_max]; BOOL ReportStatusToSCMgr(SERVICE_STATUS_HANDLE service, SERVICE_STATUS *status) { static DWORD dwCheckPoint = 1; BOOL res = TRUE; if (status->dwCurrentState == SERVICE_START_PENDING) { status->dwControlsAccepted = 0; } else { status->dwControlsAccepted = SERVICE_ACCEPT_STOP; } if (status->dwCurrentState == SERVICE_RUNNING || status->dwCurrentState == SERVICE_STOPPED) { status->dwCheckPoint = 0; } else { status->dwCheckPoint = dwCheckPoint++; } /* Report the status of the service to the service control manager. */ res = SetServiceStatus(service, status); if (!res) { MsgToEventLog(MSG_FLAGS_ERROR, TEXT("SetServiceStatus")); } return res; } static int CmdInstallServices() { SC_HANDLE service; SC_HANDLE svc_ctl_mgr; TCHAR path[512]; int i, ret = _service_max; if (GetModuleFileName(NULL, path + 1, 510) == 0) { _tprintf(TEXT("Unable to install service - %s\n"), GetLastErrorText()); return 1; } path[0] = TEXT('\"'); _tcscat(path, TEXT("\"")); svc_ctl_mgr = OpenSCManager(NULL, NULL, SC_MANAGER_CONNECT | SC_MANAGER_CREATE_SERVICE); if (svc_ctl_mgr == NULL) { _tprintf(TEXT("OpenSCManager failed - %s\n"), GetLastErrorText()); return 1; } for (i = 0; i < _service_max; i++) { service = CreateService(svc_ctl_mgr, openvpn_service[i].name, openvpn_service[i].display_name, SERVICE_QUERY_STATUS, SERVICE_WIN32_SHARE_PROCESS, openvpn_service[i].start_type, SERVICE_ERROR_NORMAL, path, NULL, NULL, openvpn_service[i].dependencies, NULL, NULL); if (service) { _tprintf(TEXT("%s installed.\n"), openvpn_service[i].display_name); CloseServiceHandle(service); --ret; } else { _tprintf(TEXT("CreateService failed - %s\n"), GetLastErrorText()); } } CloseServiceHandle(svc_ctl_mgr); return ret; } static int CmdStartService(openvpn_service_type type) { int ret = 1; SC_HANDLE svc_ctl_mgr; SC_HANDLE service; svc_ctl_mgr = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS); if (svc_ctl_mgr == NULL) { _tprintf(TEXT("OpenSCManager failed - %s\n"), GetLastErrorText()); return 1; } service = OpenService(svc_ctl_mgr, openvpn_service[type].name, SERVICE_ALL_ACCESS); if (service) { if (StartService(service, 0, NULL)) { _tprintf(TEXT("Service Started\n")); ret = 0; } else { _tprintf(TEXT("StartService failed - %s\n"), GetLastErrorText()); } CloseServiceHandle(service); } else { _tprintf(TEXT("OpenService failed - %s\n"), GetLastErrorText()); } CloseServiceHandle(svc_ctl_mgr); return ret; } static int CmdRemoveServices() { SC_HANDLE service; SC_HANDLE svc_ctl_mgr; SERVICE_STATUS status; int i, ret = _service_max; svc_ctl_mgr = OpenSCManager(NULL, NULL, SC_MANAGER_CONNECT); if (svc_ctl_mgr == NULL) { _tprintf(TEXT("OpenSCManager failed - %s\n"), GetLastErrorText()); return 1; } for (i = 0; i < _service_max; i++) { openvpn_service_t *ovpn_svc = &openvpn_service[i]; service = OpenService(svc_ctl_mgr, ovpn_svc->name, DELETE | SERVICE_STOP | SERVICE_QUERY_STATUS); if (service == NULL) { _tprintf(TEXT("OpenService failed - %s\n"), GetLastErrorText()); goto out; } /* try to stop the service */ if (ControlService(service, SERVICE_CONTROL_STOP, &status)) { _tprintf(TEXT("Stopping %s."), ovpn_svc->display_name); Sleep(1000); while (QueryServiceStatus(service, &status)) { if (status.dwCurrentState == SERVICE_STOP_PENDING) { _tprintf(TEXT(".")); Sleep(1000); } else { break; } } if (status.dwCurrentState == SERVICE_STOPPED) { _tprintf(TEXT("\n%s stopped.\n"), ovpn_svc->display_name); } else { _tprintf(TEXT("\n%s failed to stop.\n"), ovpn_svc->display_name); } } /* now remove the service */ if (DeleteService(service)) { _tprintf(TEXT("%s removed.\n"), ovpn_svc->display_name); --ret; } else { _tprintf(TEXT("DeleteService failed - %s\n"), GetLastErrorText()); } CloseServiceHandle(service); } out: CloseServiceHandle(svc_ctl_mgr); return ret; } int _tmain(int argc, TCHAR *argv[]) { SERVICE_TABLE_ENTRY dispatchTable[] = { { automatic_service.name, ServiceStartAutomatic }, { interactive_service.name, ServiceStartInteractive }, { NULL, NULL } }; openvpn_service[0] = automatic_service; openvpn_service[1] = interactive_service; if (argc > 1 && (*argv[1] == TEXT('-') || *argv[1] == TEXT('/'))) { if (_tcsicmp(TEXT("install"), argv[1] + 1) == 0) { return CmdInstallServices(); } else if (_tcsicmp(TEXT("remove"), argv[1] + 1) == 0) { return CmdRemoveServices(); } else if (_tcsicmp(TEXT("start"), argv[1] + 1) == 0) { BOOL is_auto = argc < 3 || _tcsicmp(TEXT("interactive"), argv[2]) != 0; return CmdStartService(is_auto ? automatic : interactive); } else { goto dispatch; } return 0; } /* If it doesn't match any of the above parameters * the service control manager may be starting the service * so we must call StartServiceCtrlDispatcher */ dispatch: _tprintf(TEXT("%s -install to install the services\n"), APPNAME); _tprintf(TEXT("%s -start to start a service (\"automatic\" or \"interactive\")\n"), APPNAME); _tprintf(TEXT("%s -remove to remove the services\n"), APPNAME); _tprintf(TEXT("\nStartServiceCtrlDispatcher being called.\n")); _tprintf(TEXT("This may take several seconds. Please wait.\n")); if (!StartServiceCtrlDispatcher(dispatchTable)) { MsgToEventLog(MSG_FLAGS_ERROR, TEXT("StartServiceCtrlDispatcher failed.")); } return 0; } openvpn-2.4.4/src/openvpnserv/service.h000066400000000000000000000054531316434344000202040ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2013-2017 Heiko Hund * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifndef _SERVICE_H #define _SERVICE_H #ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) #include "config-msvc.h" #endif #include #include #include #define APPNAME TEXT(PACKAGE "serv") #define SERVICE_DEPENDENCIES TAP_WIN_COMPONENT_ID "\0Dhcp\0\0" /* * Message handling */ #define MSG_FLAGS_ERROR (1<<0) #define MSG_FLAGS_SYS_CODE (1<<1) #define M_INFO (0) /* informational */ #define M_SYSERR (MSG_FLAGS_ERROR|MSG_FLAGS_SYS_CODE) /* error + system code */ #define M_ERR (MSG_FLAGS_ERROR) /* error */ typedef enum { automatic, interactive, _service_max } openvpn_service_type; typedef struct { openvpn_service_type type; TCHAR *name; TCHAR *display_name; TCHAR *dependencies; DWORD start_type; } openvpn_service_t; #define MAX_NAME 256 typedef struct { TCHAR exe_path[MAX_PATH]; TCHAR config_dir[MAX_PATH]; TCHAR ext_string[16]; TCHAR log_dir[MAX_PATH]; TCHAR ovpn_admin_group[MAX_NAME]; DWORD priority; BOOL append; } settings_t; extern openvpn_service_t automatic_service; extern openvpn_service_t interactive_service; VOID WINAPI ServiceStartAutomatic(DWORD argc, LPTSTR *argv); VOID WINAPI ServiceStartInteractive(DWORD argc, LPTSTR *argv); int openvpn_vsntprintf(LPTSTR str, size_t size, LPCTSTR format, va_list arglist); int openvpn_sntprintf(LPTSTR str, size_t size, LPCTSTR format, ...); DWORD GetOpenvpnSettings(settings_t *s); BOOL ReportStatusToSCMgr(SERVICE_STATUS_HANDLE service, SERVICE_STATUS *status); LPCTSTR GetLastErrorText(); DWORD MsgToEventLog(DWORD flags, LPCTSTR lpszMsg, ...); /* Convert a utf8 string to utf16. Caller should free the result */ wchar_t *utf8to16(const char *utf8); #endif /* ifndef _SERVICE_H */ openvpn-2.4.4/src/openvpnserv/validate.c000066400000000000000000000224741316434344000203320ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2016 Selva Nair * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #include "validate.h" #include #include #include static const WCHAR *white_list[] = { L"auth-retry", L"config", L"log", L"log-append", L"management", L"management-forget-disconnect", L"management-hold", L"management-query-passwords", L"management-query-proxy", L"management-signal", L"management-up-down", L"mute", L"setenv", L"service", L"verb", NULL /* last value */ }; static BOOL IsUserInGroup(PSID sid, const PTOKEN_GROUPS groups, const WCHAR *group_name); static PTOKEN_GROUPS GetTokenGroups(const HANDLE token); /* * Check workdir\fname is inside config_dir * The logic here is simple: we may reject some valid paths if ..\ is in any of the strings */ static BOOL CheckConfigPath(const WCHAR *workdir, const WCHAR *fname, const settings_t *s) { WCHAR tmp[MAX_PATH]; const WCHAR *config_file = NULL; const WCHAR *config_dir = NULL; /* convert fname to full path */ if (PathIsRelativeW(fname) ) { snwprintf(tmp, _countof(tmp), L"%s\\%s", workdir, fname); tmp[_countof(tmp)-1] = L'\0'; config_file = tmp; } else { config_file = fname; } #ifdef UNICODE config_dir = s->config_dir; #else if (MultiByteToWideChar(CP_UTF8, 0, s->config_dir, -1, widepath, MAX_PATH) == 0) { MsgToEventLog(M_SYSERR, TEXT("Failed to convert config_dir name to WideChar")); return FALSE; } config_dir = widepath; #endif if (wcsncmp(config_dir, config_file, wcslen(config_dir)) == 0 && wcsstr(config_file + wcslen(config_dir), L"..") == NULL) { return TRUE; } return FALSE; } /* * A simple linear search meant for a small wchar_t *array. * Returns index to the item if found, -1 otherwise. */ static int OptionLookup(const WCHAR *name, const WCHAR *white_list[]) { int i; for (i = 0; white_list[i]; i++) { if (wcscmp(white_list[i], name) == 0) { return i; } } return -1; } /* * The Administrators group may be localized or renamed by admins. * Get the local name of the group using the SID. */ static BOOL GetBuiltinAdminGroupName(WCHAR *name, DWORD nlen) { BOOL b = FALSE; PSID admin_sid = NULL; DWORD sid_size = SECURITY_MAX_SID_SIZE; SID_NAME_USE snu; WCHAR domain[MAX_NAME]; DWORD dlen = _countof(domain); admin_sid = malloc(sid_size); if (!admin_sid) { return FALSE; } b = CreateWellKnownSid(WinBuiltinAdministratorsSid, NULL, admin_sid, &sid_size); if (b) { b = LookupAccountSidW(NULL, admin_sid, name, &nlen, domain, &dlen, &snu); } free(admin_sid); return b; } /* * Check whether user is a member of Administrators group or * the group specified in ovpn_admin_group */ BOOL IsAuthorizedUser(PSID sid, const HANDLE token, const WCHAR *ovpn_admin_group) { const WCHAR *admin_group[2]; WCHAR username[MAX_NAME]; WCHAR domain[MAX_NAME]; WCHAR sysadmin_group[MAX_NAME]; DWORD len = MAX_NAME; BOOL ret = FALSE; SID_NAME_USE sid_type; /* Get username */ if (!LookupAccountSidW(NULL, sid, username, &len, domain, &len, &sid_type)) { MsgToEventLog(M_SYSERR, TEXT("LookupAccountSid")); /* not fatal as this is now used only for logging */ username[0] = '\0'; domain[0] = '\0'; } if (GetBuiltinAdminGroupName(sysadmin_group, _countof(sysadmin_group))) { admin_group[0] = sysadmin_group; } else { MsgToEventLog(M_SYSERR, TEXT("Failed to get the name of Administrators group. Using the default.")); /* use the default value */ admin_group[0] = SYSTEM_ADMIN_GROUP; } admin_group[1] = ovpn_admin_group; PTOKEN_GROUPS token_groups = GetTokenGroups(token); for (int i = 0; i < 2; ++i) { ret = IsUserInGroup(sid, token_groups, admin_group[i]); if (ret) { MsgToEventLog(M_INFO, TEXT("Authorizing user '%s@%s' by virtue of membership in group '%s'"), username, domain, admin_group[i]); goto out; } } out: free(token_groups); return ret; } /** * Get a list of groups in token. * Returns a pointer to TOKEN_GROUPS struct or NULL on error. * The caller should free the returned pointer. */ static PTOKEN_GROUPS GetTokenGroups(const HANDLE token) { PTOKEN_GROUPS groups = NULL; DWORD buf_size = 0; if (!GetTokenInformation(token, TokenGroups, groups, buf_size, &buf_size) && GetLastError() == ERROR_INSUFFICIENT_BUFFER) { groups = malloc(buf_size); } if (!groups) { MsgToEventLog(M_SYSERR, L"GetTokenGroups"); } else if (!GetTokenInformation(token, TokenGroups, groups, buf_size, &buf_size)) { MsgToEventLog(M_SYSERR, L"GetTokenInformation"); free(groups); } return groups; } /* * Find SID from name * * On input sid buffer should have space for at least sid_size bytes. * Returns true on success, false on failure. * Suggest: in caller allocate sid to hold SECURITY_MAX_SID_SIZE bytes */ static BOOL LookupSID(const WCHAR *name, PSID sid, DWORD sid_size) { SID_NAME_USE su; WCHAR domain[MAX_NAME]; DWORD dlen = _countof(domain); if (!LookupAccountName(NULL, name, sid, &sid_size, domain, &dlen, &su)) { return FALSE; /* not fatal as the group may not exist */ } return TRUE; } /** * User is in group if the token groups contain the SID of the group * of if the user is a direct member of the group. The latter check * catches dynamic changes in group membership in the local user * database not reflected in the token. * If token_groups or sid is NULL the corresponding check is skipped. * * Using sid and list of groups in token avoids reference to domains so that * this could be completed without access to a Domain Controller. * * Returns true if the user is in the group, false otherwise. */ static BOOL IsUserInGroup(PSID sid, const PTOKEN_GROUPS token_groups, const WCHAR *group_name) { BOOL ret = FALSE; DWORD_PTR resume = 0; DWORD err; BYTE grp_sid[SECURITY_MAX_SID_SIZE]; int nloop = 0; /* a counter used to not get stuck in the do .. while() */ /* first check in the token groups */ if (token_groups && LookupSID(group_name, (PSID) grp_sid, _countof(grp_sid))) { for (DWORD i = 0; i < token_groups->GroupCount; ++i) { if (EqualSid((PSID) grp_sid, token_groups->Groups[i].Sid)) { return TRUE; } } } /* check user's SID is a member of the group */ if (!sid) { return FALSE; } do { DWORD nread, nmax; LOCALGROUP_MEMBERS_INFO_0 *members = NULL; err = NetLocalGroupGetMembers(NULL, group_name, 0, (LPBYTE *) &members, MAX_PREFERRED_LENGTH, &nread, &nmax, &resume); if ((err != NERR_Success && err != ERROR_MORE_DATA)) { break; } /* If a match is already found, ret == TRUE and the loop is skipped */ for (int i = 0; i < nread && !ret; ++i) { ret = EqualSid(members[i].lgrmi0_sid, sid); } NetApiBufferFree(members); /* MSDN says the lookup should always iterate until err != ERROR_MORE_DATA */ } while (err == ERROR_MORE_DATA && nloop++ < 100); if (err != NERR_Success && err != NERR_GroupNotFound) { SetLastError(err); MsgToEventLog(M_SYSERR, TEXT("In NetLocalGroupGetMembers for group '%s'"), group_name); } return ret; } /* * Check whether option argv[0] is white-listed. If argv[0] == "--config", * also check that argv[1], if present, passes CheckConfigPath(). * The caller should set argc to the number of valid elements in argv[] array. */ BOOL CheckOption(const WCHAR *workdir, int argc, WCHAR *argv[], const settings_t *s) { /* Do not modify argv or *argv -- ideally it should be const WCHAR *const *, but alas...*/ if (wcscmp(argv[0], L"--config") == 0 && argc > 1 && !CheckConfigPath(workdir, argv[1], s) ) { return FALSE; } /* option name starts at 2 characters from argv[i] */ if (OptionLookup(argv[0] + 2, white_list) == -1) /* not found */ { return FALSE; } return TRUE; } openvpn-2.4.4/src/openvpnserv/validate.h000066400000000000000000000031421316434344000203260ustar00rootroot00000000000000 /* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2016 Selva Nair * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifndef VALIDATE_H #define VALIDATE_H #include "service.h" /* Authorized groups who can use any options and config locations */ #define SYSTEM_ADMIN_GROUP TEXT("Administrators") #define OVPN_ADMIN_GROUP TEXT("OpenVPN Administrators") /* The last one may be reset in registry: HKLM\Software\OpenVPN\ovpn_admin_group */ BOOL IsAuthorizedUser(PSID sid, const HANDLE token, const WCHAR *ovpn_admin_group); BOOL CheckOption(const WCHAR *workdir, int narg, WCHAR *argv[], const settings_t *s); static inline BOOL IsOption(const WCHAR *o) { return (wcsncmp(o, L"--", 2) == 0); } #endif /* ifndef VALIDATE_H */ openvpn-2.4.4/src/plugins/000077500000000000000000000000001316434344000154605ustar00rootroot00000000000000openvpn-2.4.4/src/plugins/Makefile.am000066400000000000000000000007651316434344000175240ustar00rootroot00000000000000# # OpenVPN -- An application to securely tunnel IP networks # over a single UDP port, with support for SSL/TLS-based # session authentication and key exchange, # packet encryption, packet authentication, and # packet compression. # # Copyright (C) 2002-2017 OpenVPN Technologies, Inc. # Copyright (C) 2006-2012 Alon Bar-Lev # MAINTAINERCLEANFILES = \ $(srcdir)/Makefile.in SUBDIRS = auth-pam down-root openvpn-2.4.4/src/plugins/Makefile.in000066400000000000000000000510271316434344000175320ustar00rootroot00000000000000# Makefile.in generated by automake 1.14.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2013 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY, to the extent permitted by law; without # even the implied warranty of MERCHANTABILITY or FITNESS FOR A # PARTICULAR PURPOSE. @SET_MAKE@ # # OpenVPN -- An application to securely tunnel IP networks # over a single UDP port, with support for SSL/TLS-based # session authentication and key exchange, # packet encryption, packet authentication, and # packet compression. # # Copyright (C) 2002-2017 OpenVPN Technologies, Inc. # Copyright (C) 2006-2012 Alon Bar-Lev # VPATH = @srcdir@ am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ *) echo "am__make_running_with_option: internal error: invalid" \ "target option '$${target_option-}' specified" >&2; \ exit 1;; \ esac; \ has_opt=no; \ sane_makeflags=$$MAKEFLAGS; \ if $(am__is_gnu_make); then \ sane_makeflags=$$MFLAGS; \ else \ case $$MAKEFLAGS in \ *\\[\ \ ]*) \ bs=\\; \ sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ esac; \ fi; \ skip_next=no; \ strip_trailopt () \ { \ flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ }; \ for flg in $$sane_makeflags; do \ test $$skip_next = yes && { skip_next=no; continue; }; \ case $$flg in \ *=*|--*) continue;; \ -*I) strip_trailopt 'I'; skip_next=yes;; \ -*I?*) strip_trailopt 'I';; \ -*O) strip_trailopt 'O'; skip_next=yes;; \ -*O?*) strip_trailopt 'O';; \ -*l) strip_trailopt 'l'; skip_next=yes;; \ -*l?*) strip_trailopt 'l';; \ -[dEDm]) skip_next=yes;; \ -[JT]) skip_next=yes;; \ esac; \ case $$flg in \ *$$target_option*) has_opt=yes; break;; \ esac; \ done; \ test $$has_opt = yes am__make_dryrun = (target_option=n; $(am__make_running_with_option)) am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) pkgdatadir = $(datadir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ pkglibdir = $(libdir)/@PACKAGE@ pkglibexecdir = $(libexecdir)/@PACKAGE@ am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c install_sh_SCRIPT = $(install_sh) -c INSTALL_HEADER = $(INSTALL_DATA) transform = $(program_transform_name) NORMAL_INSTALL = : PRE_INSTALL = : POST_INSTALL = : NORMAL_UNINSTALL = : PRE_UNINSTALL = : POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = src/plugins DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/ax_emptyarray.m4 \ $(top_srcdir)/m4/ax_socklen_t.m4 \ $(top_srcdir)/m4/ax_varargs.m4 $(top_srcdir)/m4/libtool.m4 \ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ $(top_srcdir)/m4/pkg.m4 $(top_srcdir)/version.m4 \ $(top_srcdir)/compat.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h \ $(top_builddir)/include/openvpn-plugin.h CONFIG_CLEAN_FILES = CONFIG_CLEAN_VPATH_FILES = AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false am__v_P_1 = : AM_V_GEN = $(am__v_GEN_@AM_V@) am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) am__v_GEN_0 = @echo " GEN " $@; am__v_GEN_1 = AM_V_at = $(am__v_at_@AM_V@) am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) am__v_at_0 = @ am__v_at_1 = SOURCES = DIST_SOURCES = RECURSIVE_TARGETS = all-recursive check-recursive cscopelist-recursive \ ctags-recursive dvi-recursive html-recursive info-recursive \ install-data-recursive install-dvi-recursive \ install-exec-recursive install-html-recursive \ install-info-recursive install-pdf-recursive \ install-ps-recursive install-recursive installcheck-recursive \ installdirs-recursive pdf-recursive ps-recursive \ tags-recursive uninstall-recursive am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ *) (install-info --version) >/dev/null 2>&1;; \ esac RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive \ distclean-recursive maintainer-clean-recursive am__recursive_targets = \ $(RECURSIVE_TARGETS) \ $(RECURSIVE_CLEAN_TARGETS) \ $(am__extra_recursive_targets) AM_RECURSIVE_TARGETS = $(am__recursive_targets:-recursive=) TAGS CTAGS \ distdir am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) # Read a list of newline-separated strings from the standard input, # and print each of them once, without duplicates. Input order is # *not* preserved. am__uniquify_input = $(AWK) '\ BEGIN { nonempty = 0; } \ { items[$$0] = 1; nonempty = 1; } \ END { if (nonempty) { for (i in items) print i; }; } \ ' # Make sure the list of sources is unique. This is necessary because, # e.g., the same source file might be shared among _SOURCES variables # for different programs/libraries. am__define_uniq_tagged_files = \ list='$(am__tagged_files)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags DIST_SUBDIRS = $(SUBDIRS) DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) am__relativize = \ dir0=`pwd`; \ sed_first='s,^\([^/]*\)/.*$$,\1,'; \ sed_rest='s,^[^/]*/*,,'; \ sed_last='s,^.*/\([^/]*\)$$,\1,'; \ sed_butlast='s,/*[^/]*$$,,'; \ while test -n "$$dir1"; do \ first=`echo "$$dir1" | sed -e "$$sed_first"`; \ if test "$$first" != "."; then \ if test "$$first" = ".."; then \ dir2=`echo "$$dir0" | sed -e "$$sed_last"`/"$$dir2"; \ dir0=`echo "$$dir0" | sed -e "$$sed_butlast"`; \ else \ first2=`echo "$$dir2" | sed -e "$$sed_first"`; \ if test "$$first2" = "$$first"; then \ dir2=`echo "$$dir2" | sed -e "$$sed_rest"`; \ else \ dir2="../$$dir2"; \ fi; \ dir0="$$dir0"/"$$first"; \ fi; \ fi; \ dir1=`echo "$$dir1" | sed -e "$$sed_rest"`; \ done; \ reldir="$$dir2" ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ AS = @AS@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ CMAKE = @CMAKE@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ DL_LIBS = @DL_LIBS@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ GIT = @GIT@ GREP = @GREP@ IFCONFIG = @IFCONFIG@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ IPROUTE = @IPROUTE@ LD = @LD@ LDFLAGS = @LDFLAGS@ LIBOBJS = @LIBOBJS@ LIBPAM_CFLAGS = @LIBPAM_CFLAGS@ LIBPAM_LIBS = @LIBPAM_LIBS@ LIBS = @LIBS@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ LZ4_CFLAGS = @LZ4_CFLAGS@ LZ4_LIBS = @LZ4_LIBS@ LZO_CFLAGS = @LZO_CFLAGS@ LZO_LIBS = @LZO_LIBS@ MAKEINFO = @MAKEINFO@ MAN2HTML = @MAN2HTML@ MANIFEST_TOOL = @MANIFEST_TOOL@ MBEDTLS_CFLAGS = @MBEDTLS_CFLAGS@ MBEDTLS_LIBS = @MBEDTLS_LIBS@ MKDIR_P = @MKDIR_P@ NETSTAT = @NETSTAT@ NM = @NM@ NMEDIT = @NMEDIT@ OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ OPENSSL_CFLAGS = @OPENSSL_CFLAGS@ OPENSSL_LIBS = @OPENSSL_LIBS@ OPENVPN_VERSION_MAJOR = @OPENVPN_VERSION_MAJOR@ OPENVPN_VERSION_MINOR = @OPENVPN_VERSION_MINOR@ OPENVPN_VERSION_PATCH = @OPENVPN_VERSION_PATCH@ OPTIONAL_CRYPTO_CFLAGS = @OPTIONAL_CRYPTO_CFLAGS@ OPTIONAL_CRYPTO_LIBS = @OPTIONAL_CRYPTO_LIBS@ OPTIONAL_DL_LIBS = @OPTIONAL_DL_LIBS@ OPTIONAL_LZ4_CFLAGS = @OPTIONAL_LZ4_CFLAGS@ OPTIONAL_LZ4_LIBS = @OPTIONAL_LZ4_LIBS@ OPTIONAL_LZO_CFLAGS = @OPTIONAL_LZO_CFLAGS@ OPTIONAL_LZO_LIBS = @OPTIONAL_LZO_LIBS@ OPTIONAL_PKCS11_HELPER_CFLAGS = @OPTIONAL_PKCS11_HELPER_CFLAGS@ OPTIONAL_PKCS11_HELPER_LIBS = @OPTIONAL_PKCS11_HELPER_LIBS@ OPTIONAL_SELINUX_LIBS = @OPTIONAL_SELINUX_LIBS@ OPTIONAL_SYSTEMD_LIBS = @OPTIONAL_SYSTEMD_LIBS@ OTOOL = @OTOOL@ OTOOL64 = @OTOOL64@ P11KIT_CFLAGS = @P11KIT_CFLAGS@ P11KIT_LIBS = @P11KIT_LIBS@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PKCS11_HELPER_CFLAGS = @PKCS11_HELPER_CFLAGS@ PKCS11_HELPER_LIBS = @PKCS11_HELPER_LIBS@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGINDIR = @PLUGINDIR@ PLUGIN_AUTH_PAM_CFLAGS = @PLUGIN_AUTH_PAM_CFLAGS@ PLUGIN_AUTH_PAM_LIBS = @PLUGIN_AUTH_PAM_LIBS@ RANLIB = @RANLIB@ RC = @RC@ ROUTE = @ROUTE@ SED = @SED@ SELINUX_LIBS = @SELINUX_LIBS@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ SOCKETS_LIBS = @SOCKETS_LIBS@ STRIP = @STRIP@ SYSTEMD_ASK_PASSWORD = @SYSTEMD_ASK_PASSWORD@ SYSTEMD_UNIT_DIR = @SYSTEMD_UNIT_DIR@ TAP_CFLAGS = @TAP_CFLAGS@ TAP_WIN_COMPONENT_ID = @TAP_WIN_COMPONENT_ID@ TAP_WIN_MIN_MAJOR = @TAP_WIN_MIN_MAJOR@ TAP_WIN_MIN_MINOR = @TAP_WIN_MIN_MINOR@ TEST_CFLAGS = @TEST_CFLAGS@ TEST_LDFLAGS = @TEST_LDFLAGS@ TMPFILES_DIR = @TMPFILES_DIR@ VENDOR_BUILD_ROOT = @VENDOR_BUILD_ROOT@ VENDOR_DIST_ROOT = @VENDOR_DIST_ROOT@ VENDOR_SRC_ROOT = @VENDOR_SRC_ROOT@ VERSION = @VERSION@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ ac_ct_AR = @ac_ct_AR@ ac_ct_CC = @ac_ct_CC@ ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ am__include = @am__include@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ am__tar = @am__tar@ am__untar = @am__untar@ bindir = @bindir@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ datadir = @datadir@ datarootdir = @datarootdir@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ host_os = @host_os@ host_vendor = @host_vendor@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ libdir = @libdir@ libexecdir = @libexecdir@ libsystemd_CFLAGS = @libsystemd_CFLAGS@ libsystemd_LIBS = @libsystemd_LIBS@ localedir = @localedir@ localstatedir = @localstatedir@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ pdfdir = @pdfdir@ plugindir = @plugindir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ sampledir = @sampledir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ systemdunitdir = @systemdunitdir@ target_alias = @target_alias@ tmpfilesdir = @tmpfilesdir@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ MAINTAINERCLEANFILES = \ $(srcdir)/Makefile.in SUBDIRS = auth-pam down-root all: all-recursive .SUFFIXES: $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) @for dep in $?; do \ case '$(am__configure_deps)' in \ *$$dep*) \ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ && { if test -f $@; then exit 0; else break; fi; }; \ exit 1;; \ esac; \ done; \ echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/plugins/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --foreign src/plugins/Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ *) \ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(top_srcdir)/configure: $(am__configure_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(ACLOCAL_M4): $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(am__aclocal_m4_deps): mostlyclean-libtool: -rm -f *.lo clean-libtool: -rm -rf .libs _libs # This directory's subdirectories are mostly independent; you can cd # into them and run 'make' without going through this Makefile. # To change the values of 'make' variables: instead of editing Makefiles, # (1) if the variable is set in 'config.status', edit 'config.status' # (which will cause the Makefiles to be regenerated when you run 'make'); # (2) otherwise, pass the desired values on the 'make' command line. $(am__recursive_targets): @fail=; \ if $(am__make_keepgoing); then \ failcom='fail=yes'; \ else \ failcom='exit 1'; \ fi; \ dot_seen=no; \ target=`echo $@ | sed s/-recursive//`; \ case "$@" in \ distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \ *) list='$(SUBDIRS)' ;; \ esac; \ for subdir in $$list; do \ echo "Making $$target in $$subdir"; \ if test "$$subdir" = "."; then \ dot_seen=yes; \ local_target="$$target-am"; \ else \ local_target="$$target"; \ fi; \ ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ || eval $$failcom; \ done; \ if test "$$dot_seen" = "no"; then \ $(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \ fi; test -z "$$fail" ID: $(am__tagged_files) $(am__define_uniq_tagged_files); mkid -fID $$unique tags: tags-recursive TAGS: tags tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) set x; \ here=`pwd`; \ if ($(ETAGS) --etags-include --version) >/dev/null 2>&1; then \ include_option=--etags-include; \ empty_fix=.; \ else \ include_option=--include; \ empty_fix=; \ fi; \ list='$(SUBDIRS)'; for subdir in $$list; do \ if test "$$subdir" = .; then :; else \ test ! -f $$subdir/TAGS || \ set "$$@" "$$include_option=$$here/$$subdir/TAGS"; \ fi; \ done; \ $(am__define_uniq_tagged_files); \ shift; \ if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ test -n "$$unique" || unique=$$empty_fix; \ if test $$# -gt 0; then \ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ "$$@" $$unique; \ else \ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ $$unique; \ fi; \ fi ctags: ctags-recursive CTAGS: ctags ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) $(am__define_uniq_tagged_files); \ test -z "$(CTAGS_ARGS)$$unique" \ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ $$unique GTAGS: here=`$(am__cd) $(top_builddir) && pwd` \ && $(am__cd) $(top_srcdir) \ && gtags -i $(GTAGS_ARGS) "$$here" cscopelist: cscopelist-recursive cscopelist-am: $(am__tagged_files) list='$(am__tagged_files)'; \ case "$(srcdir)" in \ [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \ *) sdir=$(subdir)/$(srcdir) ;; \ esac; \ for i in $$list; do \ if test -f "$$i"; then \ echo "$(subdir)/$$i"; \ else \ echo "$$sdir/$$i"; \ fi; \ done >> $(top_builddir)/cscope.files distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags distdir: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ dist_files=`for file in $$list; do echo $$file; done | \ sed -e "s|^$$srcdirstrip/||;t" \ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ case $$dist_files in \ */*) $(MKDIR_P) `echo "$$dist_files" | \ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ sort -u` ;; \ esac; \ for file in $$dist_files; do \ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ if test -d $$d/$$file; then \ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ if test -d "$(distdir)/$$file"; then \ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ else \ test -f "$(distdir)/$$file" \ || cp -p $$d/$$file "$(distdir)/$$file" \ || exit 1; \ fi; \ done @list='$(DIST_SUBDIRS)'; for subdir in $$list; do \ if test "$$subdir" = .; then :; else \ $(am__make_dryrun) \ || test -d "$(distdir)/$$subdir" \ || $(MKDIR_P) "$(distdir)/$$subdir" \ || exit 1; \ dir1=$$subdir; dir2="$(distdir)/$$subdir"; \ $(am__relativize); \ new_distdir=$$reldir; \ dir1=$$subdir; dir2="$(top_distdir)"; \ $(am__relativize); \ new_top_distdir=$$reldir; \ echo " (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) top_distdir="$$new_top_distdir" distdir="$$new_distdir" \\"; \ echo " am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)"; \ ($(am__cd) $$subdir && \ $(MAKE) $(AM_MAKEFLAGS) \ top_distdir="$$new_top_distdir" \ distdir="$$new_distdir" \ am__remove_distdir=: \ am__skip_length_check=: \ am__skip_mode_fix=: \ distdir) \ || exit 1; \ fi; \ done check-am: all-am check: check-recursive all-am: Makefile installdirs: installdirs-recursive installdirs-am: install: install-recursive install-exec: install-exec-recursive install-data: install-data-recursive uninstall: uninstall-recursive install-am: all-am @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am installcheck: installcheck-recursive install-strip: if test -z '$(STRIP)'; then \ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ install; \ else \ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ fi mostlyclean-generic: clean-generic: distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @echo "it deletes files that may require special tools to rebuild." -test -z "$(MAINTAINERCLEANFILES)" || rm -f $(MAINTAINERCLEANFILES) clean: clean-recursive clean-am: clean-generic clean-libtool mostlyclean-am distclean: distclean-recursive -rm -f Makefile distclean-am: clean-am distclean-generic distclean-tags dvi: dvi-recursive dvi-am: html: html-recursive html-am: info: info-recursive info-am: install-data-am: install-dvi: install-dvi-recursive install-dvi-am: install-exec-am: install-html: install-html-recursive install-html-am: install-info: install-info-recursive install-info-am: install-man: install-pdf: install-pdf-recursive install-pdf-am: install-ps: install-ps-recursive install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-recursive -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic mostlyclean: mostlyclean-recursive mostlyclean-am: mostlyclean-generic mostlyclean-libtool pdf: pdf-recursive pdf-am: ps: ps-recursive ps-am: uninstall-am: .MAKE: $(am__recursive_targets) install-am install-strip .PHONY: $(am__recursive_targets) CTAGS GTAGS TAGS all all-am check \ check-am clean clean-generic clean-libtool cscopelist-am ctags \ ctags-am distclean distclean-generic distclean-libtool \ distclean-tags distdir dvi dvi-am html html-am info info-am \ install install-am install-data install-data-am install-dvi \ install-dvi-am install-exec install-exec-am install-html \ install-html-am install-info install-info-am install-man \ install-pdf install-pdf-am install-ps install-ps-am \ install-strip installcheck installcheck-am installdirs \ installdirs-am maintainer-clean maintainer-clean-generic \ mostlyclean mostlyclean-generic mostlyclean-libtool pdf pdf-am \ ps ps-am tags tags-am uninstall uninstall-am # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: openvpn-2.4.4/src/plugins/auth-pam/000077500000000000000000000000001316434344000171745ustar00rootroot00000000000000openvpn-2.4.4/src/plugins/auth-pam/Makefile.am000066400000000000000000000012651316434344000212340ustar00rootroot00000000000000# # OpenVPN (TM) PAM Auth Plugin -- OpenVPN Plugin # # Copyright (C) 2012 Alon Bar-Lev # MAINTAINERCLEANFILES = \ $(srcdir)/Makefile.in AM_CFLAGS = \ -I$(top_srcdir)/include \ $(PLUGIN_AUTH_PAM_CFLAGS) \ $(OPTIONAL_CRYPTO_CFLAGS) if ENABLE_PLUGIN_AUTH_PAM plugin_LTLIBRARIES = openvpn-plugin-auth-pam.la dist_doc_DATA = README.auth-pam endif openvpn_plugin_auth_pam_la_SOURCES = \ utils.c \ auth-pam.c \ pamdl.c pamdl.h \ auth-pam.exports openvpn_plugin_auth_pam_la_LIBADD = \ $(PLUGIN_AUTH_PAM_LIBS) openvpn_plugin_auth_pam_la_LDFLAGS = $(AM_LDFLAGS) \ -export-symbols "$(srcdir)/auth-pam.exports" \ -module -shared -avoid-version -no-undefined openvpn-2.4.4/src/plugins/auth-pam/Makefile.in000066400000000000000000000600251316434344000212440ustar00rootroot00000000000000# Makefile.in generated by automake 1.14.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2013 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY, to the extent permitted by law; without # even the implied warranty of MERCHANTABILITY or FITNESS FOR A # PARTICULAR PURPOSE. @SET_MAKE@ # # OpenVPN (TM) PAM Auth Plugin -- OpenVPN Plugin # # Copyright (C) 2012 Alon Bar-Lev # VPATH = @srcdir@ am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ *) echo "am__make_running_with_option: internal error: invalid" \ "target option '$${target_option-}' specified" >&2; \ exit 1;; \ esac; \ has_opt=no; \ sane_makeflags=$$MAKEFLAGS; \ if $(am__is_gnu_make); then \ sane_makeflags=$$MFLAGS; \ else \ case $$MAKEFLAGS in \ *\\[\ \ ]*) \ bs=\\; \ sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ esac; \ fi; \ skip_next=no; \ strip_trailopt () \ { \ flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ }; \ for flg in $$sane_makeflags; do \ test $$skip_next = yes && { skip_next=no; continue; }; \ case $$flg in \ *=*|--*) continue;; \ -*I) strip_trailopt 'I'; skip_next=yes;; \ -*I?*) strip_trailopt 'I';; \ -*O) strip_trailopt 'O'; skip_next=yes;; \ -*O?*) strip_trailopt 'O';; \ -*l) strip_trailopt 'l'; skip_next=yes;; \ -*l?*) strip_trailopt 'l';; \ -[dEDm]) skip_next=yes;; \ -[JT]) skip_next=yes;; \ esac; \ case $$flg in \ *$$target_option*) has_opt=yes; break;; \ esac; \ done; \ test $$has_opt = yes am__make_dryrun = (target_option=n; $(am__make_running_with_option)) am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) pkgdatadir = $(datadir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ pkglibdir = $(libdir)/@PACKAGE@ pkglibexecdir = $(libexecdir)/@PACKAGE@ am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c install_sh_SCRIPT = $(install_sh) -c INSTALL_HEADER = $(INSTALL_DATA) transform = $(program_transform_name) NORMAL_INSTALL = : PRE_INSTALL = : POST_INSTALL = : NORMAL_UNINSTALL = : PRE_UNINSTALL = : POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = src/plugins/auth-pam DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ $(top_srcdir)/depcomp $(am__dist_doc_DATA_DIST) ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/ax_emptyarray.m4 \ $(top_srcdir)/m4/ax_socklen_t.m4 \ $(top_srcdir)/m4/ax_varargs.m4 $(top_srcdir)/m4/libtool.m4 \ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ $(top_srcdir)/m4/pkg.m4 $(top_srcdir)/version.m4 \ $(top_srcdir)/compat.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h \ $(top_builddir)/include/openvpn-plugin.h CONFIG_CLEAN_FILES = CONFIG_CLEAN_VPATH_FILES = am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; am__vpath_adj = case $$p in \ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ *) f=$$p;; \ esac; am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; am__install_max = 40 am__nobase_strip_setup = \ srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` am__nobase_strip = \ for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" am__nobase_list = $(am__nobase_strip_setup); \ for p in $$list; do echo "$$p $$p"; done | \ sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ if (++n[$$2] == $(am__install_max)) \ { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ END { for (dir in files) print dir, files[dir] }' am__base_list = \ sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' am__uninstall_files_from_dir = { \ test -z "$$files" \ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ $(am__cd) "$$dir" && rm -f $$files; }; \ } am__installdirs = "$(DESTDIR)$(plugindir)" "$(DESTDIR)$(docdir)" LTLIBRARIES = $(plugin_LTLIBRARIES) am__DEPENDENCIES_1 = openvpn_plugin_auth_pam_la_DEPENDENCIES = $(am__DEPENDENCIES_1) am_openvpn_plugin_auth_pam_la_OBJECTS = utils.lo auth-pam.lo pamdl.lo openvpn_plugin_auth_pam_la_OBJECTS = \ $(am_openvpn_plugin_auth_pam_la_OBJECTS) AM_V_lt = $(am__v_lt_@AM_V@) am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) am__v_lt_0 = --silent am__v_lt_1 = openvpn_plugin_auth_pam_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ $(AM_CFLAGS) $(CFLAGS) $(openvpn_plugin_auth_pam_la_LDFLAGS) \ $(LDFLAGS) -o $@ @ENABLE_PLUGIN_AUTH_PAM_TRUE@am_openvpn_plugin_auth_pam_la_rpath = \ @ENABLE_PLUGIN_AUTH_PAM_TRUE@ -rpath $(plugindir) AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false am__v_P_1 = : AM_V_GEN = $(am__v_GEN_@AM_V@) am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) am__v_GEN_0 = @echo " GEN " $@; am__v_GEN_1 = AM_V_at = $(am__v_at_@AM_V@) am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) am__v_at_0 = @ am__v_at_1 = DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) -I$(top_builddir)/include depcomp = $(SHELL) $(top_srcdir)/depcomp am__depfiles_maybe = depfiles am__mv = mv -f COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \ $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ $(AM_CFLAGS) $(CFLAGS) AM_V_CC = $(am__v_CC_@AM_V@) am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@) am__v_CC_0 = @echo " CC " $@; am__v_CC_1 = CCLD = $(CC) LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ $(AM_LDFLAGS) $(LDFLAGS) -o $@ AM_V_CCLD = $(am__v_CCLD_@AM_V@) am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) am__v_CCLD_0 = @echo " CCLD " $@; am__v_CCLD_1 = SOURCES = $(openvpn_plugin_auth_pam_la_SOURCES) DIST_SOURCES = $(openvpn_plugin_auth_pam_la_SOURCES) am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ *) (install-info --version) >/dev/null 2>&1;; \ esac am__dist_doc_DATA_DIST = README.auth-pam DATA = $(dist_doc_DATA) am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) # Read a list of newline-separated strings from the standard input, # and print each of them once, without duplicates. Input order is # *not* preserved. am__uniquify_input = $(AWK) '\ BEGIN { nonempty = 0; } \ { items[$$0] = 1; nonempty = 1; } \ END { if (nonempty) { for (i in items) print i; }; } \ ' # Make sure the list of sources is unique. This is necessary because, # e.g., the same source file might be shared among _SOURCES variables # for different programs/libraries. am__define_uniq_tagged_files = \ list='$(am__tagged_files)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ AS = @AS@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ CMAKE = @CMAKE@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ DL_LIBS = @DL_LIBS@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ GIT = @GIT@ GREP = @GREP@ IFCONFIG = @IFCONFIG@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ IPROUTE = @IPROUTE@ LD = @LD@ LDFLAGS = @LDFLAGS@ LIBOBJS = @LIBOBJS@ LIBPAM_CFLAGS = @LIBPAM_CFLAGS@ LIBPAM_LIBS = @LIBPAM_LIBS@ LIBS = @LIBS@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ LZ4_CFLAGS = @LZ4_CFLAGS@ LZ4_LIBS = @LZ4_LIBS@ LZO_CFLAGS = @LZO_CFLAGS@ LZO_LIBS = @LZO_LIBS@ MAKEINFO = @MAKEINFO@ MAN2HTML = @MAN2HTML@ MANIFEST_TOOL = @MANIFEST_TOOL@ MBEDTLS_CFLAGS = @MBEDTLS_CFLAGS@ MBEDTLS_LIBS = @MBEDTLS_LIBS@ MKDIR_P = @MKDIR_P@ NETSTAT = @NETSTAT@ NM = @NM@ NMEDIT = @NMEDIT@ OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ OPENSSL_CFLAGS = @OPENSSL_CFLAGS@ OPENSSL_LIBS = @OPENSSL_LIBS@ OPENVPN_VERSION_MAJOR = @OPENVPN_VERSION_MAJOR@ OPENVPN_VERSION_MINOR = @OPENVPN_VERSION_MINOR@ OPENVPN_VERSION_PATCH = @OPENVPN_VERSION_PATCH@ OPTIONAL_CRYPTO_CFLAGS = @OPTIONAL_CRYPTO_CFLAGS@ OPTIONAL_CRYPTO_LIBS = @OPTIONAL_CRYPTO_LIBS@ OPTIONAL_DL_LIBS = @OPTIONAL_DL_LIBS@ OPTIONAL_LZ4_CFLAGS = @OPTIONAL_LZ4_CFLAGS@ OPTIONAL_LZ4_LIBS = @OPTIONAL_LZ4_LIBS@ OPTIONAL_LZO_CFLAGS = @OPTIONAL_LZO_CFLAGS@ OPTIONAL_LZO_LIBS = @OPTIONAL_LZO_LIBS@ OPTIONAL_PKCS11_HELPER_CFLAGS = @OPTIONAL_PKCS11_HELPER_CFLAGS@ OPTIONAL_PKCS11_HELPER_LIBS = @OPTIONAL_PKCS11_HELPER_LIBS@ OPTIONAL_SELINUX_LIBS = @OPTIONAL_SELINUX_LIBS@ OPTIONAL_SYSTEMD_LIBS = @OPTIONAL_SYSTEMD_LIBS@ OTOOL = @OTOOL@ OTOOL64 = @OTOOL64@ P11KIT_CFLAGS = @P11KIT_CFLAGS@ P11KIT_LIBS = @P11KIT_LIBS@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PKCS11_HELPER_CFLAGS = @PKCS11_HELPER_CFLAGS@ PKCS11_HELPER_LIBS = @PKCS11_HELPER_LIBS@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGINDIR = @PLUGINDIR@ PLUGIN_AUTH_PAM_CFLAGS = @PLUGIN_AUTH_PAM_CFLAGS@ PLUGIN_AUTH_PAM_LIBS = @PLUGIN_AUTH_PAM_LIBS@ RANLIB = @RANLIB@ RC = @RC@ ROUTE = @ROUTE@ SED = @SED@ SELINUX_LIBS = @SELINUX_LIBS@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ SOCKETS_LIBS = @SOCKETS_LIBS@ STRIP = @STRIP@ SYSTEMD_ASK_PASSWORD = @SYSTEMD_ASK_PASSWORD@ SYSTEMD_UNIT_DIR = @SYSTEMD_UNIT_DIR@ TAP_CFLAGS = @TAP_CFLAGS@ TAP_WIN_COMPONENT_ID = @TAP_WIN_COMPONENT_ID@ TAP_WIN_MIN_MAJOR = @TAP_WIN_MIN_MAJOR@ TAP_WIN_MIN_MINOR = @TAP_WIN_MIN_MINOR@ TEST_CFLAGS = @TEST_CFLAGS@ TEST_LDFLAGS = @TEST_LDFLAGS@ TMPFILES_DIR = @TMPFILES_DIR@ VENDOR_BUILD_ROOT = @VENDOR_BUILD_ROOT@ VENDOR_DIST_ROOT = @VENDOR_DIST_ROOT@ VENDOR_SRC_ROOT = @VENDOR_SRC_ROOT@ VERSION = @VERSION@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ ac_ct_AR = @ac_ct_AR@ ac_ct_CC = @ac_ct_CC@ ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ am__include = @am__include@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ am__tar = @am__tar@ am__untar = @am__untar@ bindir = @bindir@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ datadir = @datadir@ datarootdir = @datarootdir@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ host_os = @host_os@ host_vendor = @host_vendor@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ libdir = @libdir@ libexecdir = @libexecdir@ libsystemd_CFLAGS = @libsystemd_CFLAGS@ libsystemd_LIBS = @libsystemd_LIBS@ localedir = @localedir@ localstatedir = @localstatedir@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ pdfdir = @pdfdir@ plugindir = @plugindir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ sampledir = @sampledir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ systemdunitdir = @systemdunitdir@ target_alias = @target_alias@ tmpfilesdir = @tmpfilesdir@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ MAINTAINERCLEANFILES = \ $(srcdir)/Makefile.in AM_CFLAGS = \ -I$(top_srcdir)/include \ $(PLUGIN_AUTH_PAM_CFLAGS) \ $(OPTIONAL_CRYPTO_CFLAGS) @ENABLE_PLUGIN_AUTH_PAM_TRUE@plugin_LTLIBRARIES = openvpn-plugin-auth-pam.la @ENABLE_PLUGIN_AUTH_PAM_TRUE@dist_doc_DATA = README.auth-pam openvpn_plugin_auth_pam_la_SOURCES = \ utils.c \ auth-pam.c \ pamdl.c pamdl.h \ auth-pam.exports openvpn_plugin_auth_pam_la_LIBADD = \ $(PLUGIN_AUTH_PAM_LIBS) openvpn_plugin_auth_pam_la_LDFLAGS = $(AM_LDFLAGS) \ -export-symbols "$(srcdir)/auth-pam.exports" \ -module -shared -avoid-version -no-undefined all: all-am .SUFFIXES: .SUFFIXES: .c .lo .o .obj $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) @for dep in $?; do \ case '$(am__configure_deps)' in \ *$$dep*) \ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ && { if test -f $@; then exit 0; else break; fi; }; \ exit 1;; \ esac; \ done; \ echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/plugins/auth-pam/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --foreign src/plugins/auth-pam/Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ *) \ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(top_srcdir)/configure: $(am__configure_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(ACLOCAL_M4): $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(am__aclocal_m4_deps): install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES) @$(NORMAL_INSTALL) @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ list2=; for p in $$list; do \ if test -f $$p; then \ list2="$$list2 $$p"; \ else :; fi; \ done; \ test -z "$$list2" || { \ echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \ $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \ echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \ $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \ } uninstall-pluginLTLIBRARIES: @$(NORMAL_UNINSTALL) @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ for p in $$list; do \ $(am__strip_dir) \ echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \ $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \ done clean-pluginLTLIBRARIES: -test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES) @list='$(plugin_LTLIBRARIES)'; \ locs=`for p in $$list; do echo $$p; done | \ sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \ sort -u`; \ test -z "$$locs" || { \ echo rm -f $${locs}; \ rm -f $${locs}; \ } openvpn-plugin-auth-pam.la: $(openvpn_plugin_auth_pam_la_OBJECTS) $(openvpn_plugin_auth_pam_la_DEPENDENCIES) $(EXTRA_openvpn_plugin_auth_pam_la_DEPENDENCIES) $(AM_V_CCLD)$(openvpn_plugin_auth_pam_la_LINK) $(am_openvpn_plugin_auth_pam_la_rpath) $(openvpn_plugin_auth_pam_la_OBJECTS) $(openvpn_plugin_auth_pam_la_LIBADD) $(LIBS) mostlyclean-compile: -rm -f *.$(OBJEXT) distclean-compile: -rm -f *.tab.c @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/auth-pam.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pamdl.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/utils.Plo@am__quote@ .c.o: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< .c.obj: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` .c.lo: @am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $< mostlyclean-libtool: -rm -f *.lo clean-libtool: -rm -rf .libs _libs install-dist_docDATA: $(dist_doc_DATA) @$(NORMAL_INSTALL) @list='$(dist_doc_DATA)'; test -n "$(docdir)" || list=; \ if test -n "$$list"; then \ echo " $(MKDIR_P) '$(DESTDIR)$(docdir)'"; \ $(MKDIR_P) "$(DESTDIR)$(docdir)" || exit 1; \ fi; \ for p in $$list; do \ if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ echo "$$d$$p"; \ done | $(am__base_list) | \ while read files; do \ echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(docdir)'"; \ $(INSTALL_DATA) $$files "$(DESTDIR)$(docdir)" || exit $$?; \ done uninstall-dist_docDATA: @$(NORMAL_UNINSTALL) @list='$(dist_doc_DATA)'; test -n "$(docdir)" || list=; \ files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ dir='$(DESTDIR)$(docdir)'; $(am__uninstall_files_from_dir) ID: $(am__tagged_files) $(am__define_uniq_tagged_files); mkid -fID $$unique tags: tags-am TAGS: tags tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) set x; \ here=`pwd`; \ $(am__define_uniq_tagged_files); \ shift; \ if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ test -n "$$unique" || unique=$$empty_fix; \ if test $$# -gt 0; then \ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ "$$@" $$unique; \ else \ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ $$unique; \ fi; \ fi ctags: ctags-am CTAGS: ctags ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) $(am__define_uniq_tagged_files); \ test -z "$(CTAGS_ARGS)$$unique" \ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ $$unique GTAGS: here=`$(am__cd) $(top_builddir) && pwd` \ && $(am__cd) $(top_srcdir) \ && gtags -i $(GTAGS_ARGS) "$$here" cscopelist: cscopelist-am cscopelist-am: $(am__tagged_files) list='$(am__tagged_files)'; \ case "$(srcdir)" in \ [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \ *) sdir=$(subdir)/$(srcdir) ;; \ esac; \ for i in $$list; do \ if test -f "$$i"; then \ echo "$(subdir)/$$i"; \ else \ echo "$$sdir/$$i"; \ fi; \ done >> $(top_builddir)/cscope.files distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags distdir: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ dist_files=`for file in $$list; do echo $$file; done | \ sed -e "s|^$$srcdirstrip/||;t" \ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ case $$dist_files in \ */*) $(MKDIR_P) `echo "$$dist_files" | \ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ sort -u` ;; \ esac; \ for file in $$dist_files; do \ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ if test -d $$d/$$file; then \ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ if test -d "$(distdir)/$$file"; then \ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ else \ test -f "$(distdir)/$$file" \ || cp -p $$d/$$file "$(distdir)/$$file" \ || exit 1; \ fi; \ done check-am: all-am check: check-am all-am: Makefile $(LTLIBRARIES) $(DATA) installdirs: for dir in "$(DESTDIR)$(plugindir)" "$(DESTDIR)$(docdir)"; do \ test -z "$$dir" || $(MKDIR_P) "$$dir"; \ done install: install-am install-exec: install-exec-am install-data: install-data-am uninstall: uninstall-am install-am: all-am @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am installcheck: installcheck-am install-strip: if test -z '$(STRIP)'; then \ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ install; \ else \ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ fi mostlyclean-generic: clean-generic: distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @echo "it deletes files that may require special tools to rebuild." -test -z "$(MAINTAINERCLEANFILES)" || rm -f $(MAINTAINERCLEANFILES) clean: clean-am clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \ mostlyclean-am distclean: distclean-am -rm -rf ./$(DEPDIR) -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags dvi: dvi-am dvi-am: html: html-am html-am: info: info-am info-am: install-data-am: install-dist_docDATA install-pluginLTLIBRARIES install-dvi: install-dvi-am install-dvi-am: install-exec-am: install-html: install-html-am install-html-am: install-info: install-info-am install-info-am: install-man: install-pdf: install-pdf-am install-pdf-am: install-ps: install-ps-am install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-am -rm -rf ./$(DEPDIR) -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic mostlyclean: mostlyclean-am mostlyclean-am: mostlyclean-compile mostlyclean-generic \ mostlyclean-libtool pdf: pdf-am pdf-am: ps: ps-am ps-am: uninstall-am: uninstall-dist_docDATA uninstall-pluginLTLIBRARIES .MAKE: install-am install-strip .PHONY: CTAGS GTAGS TAGS all all-am check check-am clean clean-generic \ clean-libtool clean-pluginLTLIBRARIES cscopelist-am ctags \ ctags-am distclean distclean-compile distclean-generic \ distclean-libtool distclean-tags distdir dvi dvi-am html \ html-am info info-am install install-am install-data \ install-data-am install-dist_docDATA install-dvi \ install-dvi-am install-exec install-exec-am install-html \ install-html-am install-info install-info-am install-man \ install-pdf install-pdf-am install-pluginLTLIBRARIES \ install-ps install-ps-am install-strip installcheck \ installcheck-am installdirs maintainer-clean \ maintainer-clean-generic mostlyclean mostlyclean-compile \ mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ tags tags-am uninstall uninstall-am uninstall-dist_docDATA \ uninstall-pluginLTLIBRARIES # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: openvpn-2.4.4/src/plugins/auth-pam/README.auth-pam000066400000000000000000000050531316434344000215720ustar00rootroot00000000000000openvpn-auth-pam SYNOPSIS The openvpn-auth-pam module implements username/password authentication via PAM, and essentially allows any authentication method supported by PAM (such as LDAP, RADIUS, or Linux Shadow passwords) to be used with OpenVPN. While PAM supports username/password authentication, this can be combined with X509 certificates to provide two indepedent levels of authentication. This module uses a split privilege execution model which will function even if you drop openvpn daemon privileges using the user, group, or chroot directives. BUILD To build openvpn-auth-pam, you will need to have the pam-devel package installed. Build with the "make" command. The module will be named openvpn-auth-pam.so USAGE To use this plugin module, add to your OpenVPN config file: plugin openvpn-auth-pam.so service-type The required service-type parameter corresponds to the PAM service definition file usually found in /etc/pam.d. This plugin also supports the usage of a list of name/value pairs to answer PAM module queries. For example: plugin openvpn-auth-pam.so "login login USERNAME password PASSWORD" tells auth-pam to (a) use the "login" PAM module, (b) answer a "login" query with the username given by the OpenVPN client, and (c) answer a "password" query with the password given by the OpenVPN client. This provides flexibility in dealing with the different types of query strings which different PAM modules might generate. For example, suppose you were using a PAM module called "test" which queried for "name" rather than "login": plugin openvpn-auth-pam.so "test name USERNAME password PASSWORD" While "USERNAME" "COMMONNAME" and "PASSWORD" are special strings which substitute to client-supplied values, it is also possible to name literal values to use as PAM module query responses. For example, suppose that the login module queried for a third parameter, "domain" which is to be answered with the constant value "mydomain.com": plugin openvpn-auth-pam.so "login login USERNAME password PASSWORD domain mydomain.com" The following OpenVPN directives can also influence the operation of this plugin: client-cert-not-required username-as-common-name Run OpenVPN with --verb 7 or higher to get debugging output from this plugin, including the list of queries presented by the underlying PAM module. This is a useful debugging tool to figure out which queries a given PAM module is making, so that you can craft the appropriate plugin directive to answer it. CAVEATS This module will only work on *nix systems which support PAM, not Windows. openvpn-2.4.4/src/plugins/auth-pam/auth-pam.c000066400000000000000000000524341316434344000210640ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ /* * OpenVPN plugin module to do PAM authentication using a split * privilege model. */ #ifdef HAVE_CONFIG_H #include #endif #include #ifdef USE_PAM_DLOPEN #include "pamdl.h" #endif #include #include #include #include #include #include #include #include #include #include #include #include "utils.h" #include #define DEBUG(verb) ((verb) >= 4) /* Command codes for foreground -> background communication */ #define COMMAND_VERIFY 0 #define COMMAND_EXIT 1 /* Response codes for background -> foreground communication */ #define RESPONSE_INIT_SUCCEEDED 10 #define RESPONSE_INIT_FAILED 11 #define RESPONSE_VERIFY_SUCCEEDED 12 #define RESPONSE_VERIFY_FAILED 13 /* Pointers to functions exported from openvpn */ static plugin_secure_memzero_t plugin_secure_memzero = NULL; /* * Plugin state, used by foreground */ struct auth_pam_context { /* Foreground's socket to background process */ int foreground_fd; /* Process ID of background process */ pid_t background_pid; /* Verbosity level of OpenVPN */ int verb; }; /* * Name/Value pairs for conversation function. * Special Values: * * "USERNAME" -- substitute client-supplied username * "PASSWORD" -- substitute client-specified password * "COMMONNAME" -- substitute client certificate common name */ #define N_NAME_VALUE 16 struct name_value { const char *name; const char *value; }; struct name_value_list { int len; struct name_value data[N_NAME_VALUE]; }; /* * Used to pass the username/password * to the PAM conversation function. */ struct user_pass { int verb; char username[128]; char password[128]; char common_name[128]; const struct name_value_list *name_value_list; }; /* Background process function */ static void pam_server(int fd, const char *service, int verb, const struct name_value_list *name_value_list); /* * Socket read/write functions. */ static int recv_control(int fd) { unsigned char c; const ssize_t size = read(fd, &c, sizeof(c)); if (size == sizeof(c)) { return c; } else { /*fprintf (stderr, "AUTH-PAM: DEBUG recv_control.read=%d\n", (int)size);*/ return -1; } } static int send_control(int fd, int code) { unsigned char c = (unsigned char) code; const ssize_t size = write(fd, &c, sizeof(c)); if (size == sizeof(c)) { return (int) size; } else { return -1; } } static int recv_string(int fd, char *buffer, int len) { if (len > 0) { ssize_t size; memset(buffer, 0, len); size = read(fd, buffer, len); buffer[len-1] = 0; if (size >= 1) { return (int)size; } } return -1; } static int send_string(int fd, const char *string) { const int len = strlen(string) + 1; const ssize_t size = write(fd, string, len); if (size == len) { return (int) size; } else { return -1; } } #ifdef DO_DAEMONIZE /* * Daemonize if "daemon" env var is true. * Preserve stderr across daemonization if * "daemon_log_redirect" env var is true. */ static void daemonize(const char *envp[]) { const char *daemon_string = get_env("daemon", envp); if (daemon_string && daemon_string[0] == '1') { const char *log_redirect = get_env("daemon_log_redirect", envp); int fd = -1; if (log_redirect && log_redirect[0] == '1') { fd = dup(2); } if (daemon(0, 0) < 0) { fprintf(stderr, "AUTH-PAM: daemonization failed\n"); } else if (fd >= 3) { dup2(fd, 2); close(fd); } } } #endif /* ifdef DO_DAEMONIZE */ /* * Close most of parent's fds. * Keep stdin/stdout/stderr, plus one * other fd which is presumed to be * our pipe back to parent. * Admittedly, a bit of a kludge, * but posix doesn't give us a kind * of FD_CLOEXEC which will stop * fds from crossing a fork(). */ static void close_fds_except(int keep) { int i; closelog(); for (i = 3; i <= 100; ++i) { if (i != keep) { close(i); } } } /* * Usually we ignore signals, because our parent will * deal with them. */ static void set_signals(void) { signal(SIGTERM, SIG_DFL); signal(SIGINT, SIG_IGN); signal(SIGHUP, SIG_IGN); signal(SIGUSR1, SIG_IGN); signal(SIGUSR2, SIG_IGN); signal(SIGPIPE, SIG_IGN); } /* * Return 1 if query matches match. */ static int name_value_match(const char *query, const char *match) { while (!isalnum(*query)) { if (*query == '\0') { return 0; } ++query; } return strncasecmp(match, query, strlen(match)) == 0; } OPENVPN_EXPORT int openvpn_plugin_open_v3(const int v3structver, struct openvpn_plugin_args_open_in const *args, struct openvpn_plugin_args_open_return *ret) { pid_t pid; int fd[2]; struct auth_pam_context *context; struct name_value_list name_value_list; const int base_parms = 2; const char **argv = args->argv; const char **envp = args->envp; /* Check API compatibility -- struct version 4 or higher needed */ if (v3structver < 4) { fprintf(stderr, "AUTH-PAM: This plugin is incompatible with the running version of OpenVPN\n"); return OPENVPN_PLUGIN_FUNC_ERROR; } /* * Allocate our context */ context = (struct auth_pam_context *) calloc(1, sizeof(struct auth_pam_context)); if (!context) { goto error; } context->foreground_fd = -1; /* * Intercept the --auth-user-pass-verify callback. */ ret->type_mask = OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY); /* Save global pointers to functions exported from openvpn */ plugin_secure_memzero = args->callbacks->plugin_secure_memzero; /* * Make sure we have two string arguments: the first is the .so name, * the second is the PAM service type. */ if (string_array_len(argv) < base_parms) { fprintf(stderr, "AUTH-PAM: need PAM service parameter\n"); goto error; } /* * See if we have optional name/value pairs to match against * PAM module queried fields in the conversation function. */ name_value_list.len = 0; if (string_array_len(argv) > base_parms) { const int nv_len = string_array_len(argv) - base_parms; int i; if ((nv_len & 1) == 1 || (nv_len / 2) > N_NAME_VALUE) { fprintf(stderr, "AUTH-PAM: bad name/value list length\n"); goto error; } name_value_list.len = nv_len / 2; for (i = 0; i < name_value_list.len; ++i) { const int base = base_parms + i * 2; name_value_list.data[i].name = argv[base]; name_value_list.data[i].value = argv[base+1]; } } /* * Get verbosity level from environment */ { const char *verb_string = get_env("verb", envp); if (verb_string) { context->verb = atoi(verb_string); } } /* * Make a socket for foreground and background processes * to communicate. */ if (socketpair(PF_UNIX, SOCK_DGRAM, 0, fd) == -1) { fprintf(stderr, "AUTH-PAM: socketpair call failed\n"); goto error; } /* * Fork off the privileged process. It will remain privileged * even after the foreground process drops its privileges. */ pid = fork(); if (pid) { int status; /* * Foreground Process */ context->background_pid = pid; /* close our copy of child's socket */ close(fd[1]); /* don't let future subprocesses inherit child socket */ if (fcntl(fd[0], F_SETFD, FD_CLOEXEC) < 0) { fprintf(stderr, "AUTH-PAM: Set FD_CLOEXEC flag on socket file descriptor failed\n"); } /* wait for background child process to initialize */ status = recv_control(fd[0]); if (status == RESPONSE_INIT_SUCCEEDED) { context->foreground_fd = fd[0]; ret->handle = (openvpn_plugin_handle_t *) context; return OPENVPN_PLUGIN_FUNC_SUCCESS; } } else { /* * Background Process */ /* close all parent fds except our socket back to parent */ close_fds_except(fd[1]); /* Ignore most signals (the parent will receive them) */ set_signals(); #ifdef DO_DAEMONIZE /* Daemonize if --daemon option is set. */ daemonize(envp); #endif /* execute the event loop */ pam_server(fd[1], argv[1], context->verb, &name_value_list); close(fd[1]); exit(0); return 0; /* NOTREACHED */ } error: if (context) { free(context); } return OPENVPN_PLUGIN_FUNC_ERROR; } OPENVPN_EXPORT int openvpn_plugin_func_v1(openvpn_plugin_handle_t handle, const int type, const char *argv[], const char *envp[]) { struct auth_pam_context *context = (struct auth_pam_context *) handle; if (type == OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY && context->foreground_fd >= 0) { /* get username/password from envp string array */ const char *username = get_env("username", envp); const char *password = get_env("password", envp); const char *common_name = get_env("common_name", envp) ? get_env("common_name", envp) : ""; if (username && strlen(username) > 0 && password) { if (send_control(context->foreground_fd, COMMAND_VERIFY) == -1 || send_string(context->foreground_fd, username) == -1 || send_string(context->foreground_fd, password) == -1 || send_string(context->foreground_fd, common_name) == -1) { fprintf(stderr, "AUTH-PAM: Error sending auth info to background process\n"); } else { const int status = recv_control(context->foreground_fd); if (status == RESPONSE_VERIFY_SUCCEEDED) { return OPENVPN_PLUGIN_FUNC_SUCCESS; } if (status == -1) { fprintf(stderr, "AUTH-PAM: Error receiving auth confirmation from background process\n"); } } } } return OPENVPN_PLUGIN_FUNC_ERROR; } OPENVPN_EXPORT void openvpn_plugin_close_v1(openvpn_plugin_handle_t handle) { struct auth_pam_context *context = (struct auth_pam_context *) handle; if (DEBUG(context->verb)) { fprintf(stderr, "AUTH-PAM: close\n"); } if (context->foreground_fd >= 0) { /* tell background process to exit */ if (send_control(context->foreground_fd, COMMAND_EXIT) == -1) { fprintf(stderr, "AUTH-PAM: Error signaling background process to exit\n"); } /* wait for background process to exit */ if (context->background_pid > 0) { waitpid(context->background_pid, NULL, 0); } close(context->foreground_fd); context->foreground_fd = -1; } free(context); } OPENVPN_EXPORT void openvpn_plugin_abort_v1(openvpn_plugin_handle_t handle) { struct auth_pam_context *context = (struct auth_pam_context *) handle; /* tell background process to exit */ if (context && context->foreground_fd >= 0) { send_control(context->foreground_fd, COMMAND_EXIT); close(context->foreground_fd); context->foreground_fd = -1; } } /* * PAM conversation function */ static int my_conv(int n, const struct pam_message **msg_array, struct pam_response **response_array, void *appdata_ptr) { const struct user_pass *up = ( const struct user_pass *) appdata_ptr; struct pam_response *aresp; int i; int ret = PAM_SUCCESS; *response_array = NULL; if (n <= 0 || n > PAM_MAX_NUM_MSG) { return (PAM_CONV_ERR); } if ((aresp = calloc(n, sizeof *aresp)) == NULL) { return (PAM_BUF_ERR); } /* loop through each PAM-module query */ for (i = 0; i < n; ++i) { const struct pam_message *msg = msg_array[i]; aresp[i].resp_retcode = 0; aresp[i].resp = NULL; if (DEBUG(up->verb)) { fprintf(stderr, "AUTH-PAM: BACKGROUND: my_conv[%d] query='%s' style=%d\n", i, msg->msg ? msg->msg : "NULL", msg->msg_style); } if (up->name_value_list && up->name_value_list->len > 0) { /* use name/value list match method */ const struct name_value_list *list = up->name_value_list; int j; /* loop through name/value pairs */ for (j = 0; j < list->len; ++j) { const char *match_name = list->data[j].name; const char *match_value = list->data[j].value; if (name_value_match(msg->msg, match_name)) { /* found name/value match */ aresp[i].resp = NULL; if (DEBUG(up->verb)) { fprintf(stderr, "AUTH-PAM: BACKGROUND: name match found, query/match-string ['%s', '%s'] = '%s'\n", msg->msg, match_name, match_value); } if (strstr(match_value, "USERNAME")) { aresp[i].resp = searchandreplace(match_value, "USERNAME", up->username); } else if (strstr(match_value, "PASSWORD")) { aresp[i].resp = searchandreplace(match_value, "PASSWORD", up->password); } else if (strstr(match_value, "COMMONNAME")) { aresp[i].resp = searchandreplace(match_value, "COMMONNAME", up->common_name); } else { aresp[i].resp = strdup(match_value); } if (aresp[i].resp == NULL) { ret = PAM_CONV_ERR; } break; } } if (j == list->len) { ret = PAM_CONV_ERR; } } else { /* use PAM_PROMPT_ECHO_x hints */ switch (msg->msg_style) { case PAM_PROMPT_ECHO_OFF: aresp[i].resp = strdup(up->password); if (aresp[i].resp == NULL) { ret = PAM_CONV_ERR; } break; case PAM_PROMPT_ECHO_ON: aresp[i].resp = strdup(up->username); if (aresp[i].resp == NULL) { ret = PAM_CONV_ERR; } break; case PAM_ERROR_MSG: case PAM_TEXT_INFO: break; default: ret = PAM_CONV_ERR; break; } } } if (ret == PAM_SUCCESS) { *response_array = aresp; } else { free(aresp); } return ret; } /* * Return 1 if authenticated and 0 if failed. * Called once for every username/password * to be authenticated. */ static int pam_auth(const char *service, const struct user_pass *up) { struct pam_conv conv; pam_handle_t *pamh = NULL; int status = PAM_SUCCESS; int ret = 0; const int name_value_list_provided = (up->name_value_list && up->name_value_list->len > 0); /* Initialize PAM */ conv.conv = my_conv; conv.appdata_ptr = (void *)up; status = pam_start(service, name_value_list_provided ? NULL : up->username, &conv, &pamh); if (status == PAM_SUCCESS) { /* Call PAM to verify username/password */ status = pam_authenticate(pamh, 0); if (status == PAM_SUCCESS) { status = pam_acct_mgmt(pamh, 0); } if (status == PAM_SUCCESS) { ret = 1; } /* Output error message if failed */ if (!ret) { fprintf(stderr, "AUTH-PAM: BACKGROUND: user '%s' failed to authenticate: %s\n", up->username, pam_strerror(pamh, status)); } /* Close PAM */ pam_end(pamh, status); } return ret; } /* * Background process -- runs with privilege. */ static void pam_server(int fd, const char *service, int verb, const struct name_value_list *name_value_list) { struct user_pass up; int command; #ifdef USE_PAM_DLOPEN static const char pam_so[] = "libpam.so"; #endif /* * Do initialization */ if (DEBUG(verb)) { fprintf(stderr, "AUTH-PAM: BACKGROUND: INIT service='%s'\n", service); } #ifdef USE_PAM_DLOPEN /* * Load PAM shared object */ if (!dlopen_pam(pam_so)) { fprintf(stderr, "AUTH-PAM: BACKGROUND: could not load PAM lib %s: %s\n", pam_so, dlerror()); send_control(fd, RESPONSE_INIT_FAILED); goto done; } #endif /* * Tell foreground that we initialized successfully */ if (send_control(fd, RESPONSE_INIT_SUCCEEDED) == -1) { fprintf(stderr, "AUTH-PAM: BACKGROUND: write error on response socket [1]\n"); goto done; } /* * Event loop */ while (1) { memset(&up, 0, sizeof(up)); up.verb = verb; up.name_value_list = name_value_list; /* get a command from foreground process */ command = recv_control(fd); if (DEBUG(verb)) { fprintf(stderr, "AUTH-PAM: BACKGROUND: received command code: %d\n", command); } switch (command) { case COMMAND_VERIFY: if (recv_string(fd, up.username, sizeof(up.username)) == -1 || recv_string(fd, up.password, sizeof(up.password)) == -1 || recv_string(fd, up.common_name, sizeof(up.common_name)) == -1) { fprintf(stderr, "AUTH-PAM: BACKGROUND: read error on command channel: code=%d, exiting\n", command); goto done; } if (DEBUG(verb)) { #if 0 fprintf(stderr, "AUTH-PAM: BACKGROUND: USER/PASS: %s/%s\n", up.username, up.password); #else fprintf(stderr, "AUTH-PAM: BACKGROUND: USER: %s\n", up.username); #endif } if (pam_auth(service, &up)) /* Succeeded */ { if (send_control(fd, RESPONSE_VERIFY_SUCCEEDED) == -1) { fprintf(stderr, "AUTH-PAM: BACKGROUND: write error on response socket [2]\n"); goto done; } } else /* Failed */ { if (send_control(fd, RESPONSE_VERIFY_FAILED) == -1) { fprintf(stderr, "AUTH-PAM: BACKGROUND: write error on response socket [3]\n"); goto done; } } plugin_secure_memzero(up.password, sizeof(up.password)); break; case COMMAND_EXIT: goto done; case -1: fprintf(stderr, "AUTH-PAM: BACKGROUND: read error on command channel\n"); goto done; default: fprintf(stderr, "AUTH-PAM: BACKGROUND: unknown command code: code=%d, exiting\n", command); goto done; } } done: plugin_secure_memzero(up.password, sizeof(up.password)); #ifdef USE_PAM_DLOPEN dlclose_pam(); #endif if (DEBUG(verb)) { fprintf(stderr, "AUTH-PAM: BACKGROUND: EXIT\n"); } return; } openvpn-2.4.4/src/plugins/auth-pam/auth-pam.exports000066400000000000000000000001361316434344000223360ustar00rootroot00000000000000openvpn_plugin_open_v3 openvpn_plugin_func_v1 openvpn_plugin_close_v1 openvpn_plugin_abort_v1 openvpn-2.4.4/src/plugins/auth-pam/pamdl.c000066400000000000000000000130551316434344000204410ustar00rootroot00000000000000#ifdef HAVE_CONFIG_H #include #endif #ifdef USE_PAM_DLOPEN /* * If you want to dynamically load libpam using dlopen() or something, * then dlopen( ' this shared object ' ); It takes care of exporting * the right symbols to any modules loaded by libpam. * * Modified by JY for use with openvpn-pam-auth */ #include #include #include #include "pamdl.h" static void *libpam_h = NULL; #define RESOLVE_PAM_FUNCTION(x, y, z, err) \ { \ union { const void *tpointer; y(*fn) z; } fptr; \ fptr.tpointer = dlsym(libpam_h, #x); real_ ## x = fptr.fn; \ if (real_ ## x == NULL) { \ fprintf(stderr, "PAMDL: unable to resolve '%s': %s\n", #x, dlerror()); \ return err; \ } \ } int dlopen_pam(const char *so) { if (libpam_h == NULL) { libpam_h = dlopen(so, RTLD_GLOBAL|RTLD_NOW); } return libpam_h != NULL; } void dlclose_pam(void) { if (libpam_h != NULL) { dlclose(libpam_h); libpam_h = NULL; } } int pam_start(const char *service_name, const char *user, const struct pam_conv *pam_conversation, pam_handle_t **pamh) { int (*real_pam_start)(const char *, const char *, const struct pam_conv *, pam_handle_t **); RESOLVE_PAM_FUNCTION(pam_start, int, (const char *, const char *, const struct pam_conv *, pam_handle_t **), PAM_ABORT); return real_pam_start(service_name, user, pam_conversation, pamh); } int pam_end(pam_handle_t *pamh, int pam_status) { int (*real_pam_end)(pam_handle_t *, int); RESOLVE_PAM_FUNCTION(pam_end, int, (pam_handle_t *, int), PAM_ABORT); return real_pam_end(pamh, pam_status); } int pam_set_item(pam_handle_t *pamh, int item_type, const void *item) { int (*real_pam_set_item)(pam_handle_t *, int, const void *); RESOLVE_PAM_FUNCTION(pam_set_item, int, (pam_handle_t *, int, const void *), PAM_ABORT); return real_pam_set_item(pamh, item_type, item); } int pam_get_item(const pam_handle_t *pamh, int item_type, const void **item) { int (*real_pam_get_item)(const pam_handle_t *, int, const void **); RESOLVE_PAM_FUNCTION(pam_get_item, int, (const pam_handle_t *, int, const void **), PAM_ABORT); return real_pam_get_item(pamh, item_type, item); } int pam_fail_delay(pam_handle_t *pamh, unsigned int musec_delay) { int (*real_pam_fail_delay)(pam_handle_t *, unsigned int); RESOLVE_PAM_FUNCTION(pam_fail_delay, int, (pam_handle_t *, unsigned int), PAM_ABORT); return real_pam_fail_delay(pamh, musec_delay); } typedef const char *const_char_pointer; const_char_pointer pam_strerror(pam_handle_t *pamh, int errnum) { const_char_pointer (*real_pam_strerror)(pam_handle_t *, int); RESOLVE_PAM_FUNCTION(pam_strerror, const_char_pointer, (pam_handle_t *, int), NULL); return real_pam_strerror(pamh, errnum); } int pam_putenv(pam_handle_t *pamh, const char *name_value) { int (*real_pam_putenv)(pam_handle_t *, const char *); RESOLVE_PAM_FUNCTION(pam_putenv, int, (pam_handle_t *, const char *), PAM_ABORT); return real_pam_putenv(pamh, name_value); } const_char_pointer pam_getenv(pam_handle_t *pamh, const char *name) { const_char_pointer (*real_pam_getenv)(pam_handle_t *, const char *); RESOLVE_PAM_FUNCTION(pam_getenv, const_char_pointer, (pam_handle_t *, const char *), NULL); return real_pam_getenv(pamh, name); } typedef char **char_ppointer; char_ppointer pam_getenvlist(pam_handle_t *pamh) { char_ppointer (*real_pam_getenvlist)(pam_handle_t *); RESOLVE_PAM_FUNCTION(pam_getenvlist, char_ppointer, (pam_handle_t *), NULL); return real_pam_getenvlist(pamh); } /* Authentication management */ int pam_authenticate(pam_handle_t *pamh, int flags) { int (*real_pam_authenticate)(pam_handle_t *, int); RESOLVE_PAM_FUNCTION(pam_authenticate, int, (pam_handle_t *, int), PAM_ABORT); return real_pam_authenticate(pamh, flags); } int pam_setcred(pam_handle_t *pamh, int flags) { int (*real_pam_setcred)(pam_handle_t *, int); RESOLVE_PAM_FUNCTION(pam_setcred, int, (pam_handle_t *, int), PAM_ABORT); return real_pam_setcred(pamh, flags); } /* Account Management API's */ int pam_acct_mgmt(pam_handle_t *pamh, int flags) { int (*real_pam_acct_mgmt)(pam_handle_t *, int); RESOLVE_PAM_FUNCTION(pam_acct_mgmt, int, (pam_handle_t *, int), PAM_ABORT); return real_pam_acct_mgmt(pamh, flags); } /* Session Management API's */ int pam_open_session(pam_handle_t *pamh, int flags) { int (*real_pam_open_session)(pam_handle_t *, int); RESOLVE_PAM_FUNCTION(pam_open_session, int, (pam_handle_t *, int), PAM_ABORT); return real_pam_open_session(pamh, flags); } int pam_close_session(pam_handle_t *pamh, int flags) { int (*real_pam_close_session)(pam_handle_t *, int); RESOLVE_PAM_FUNCTION(pam_close_session, int, (pam_handle_t *, int), PAM_ABORT); return real_pam_close_session(pamh, flags); } /* Password Management API's */ int pam_chauthtok(pam_handle_t *pamh, int flags) { int (*real_pam_chauthtok)(pam_handle_t *, int); RESOLVE_PAM_FUNCTION(pam_chauthtok, int, (pam_handle_t *, int), PAM_ABORT); return real_pam_chauthtok(pamh, flags); } #endif /* ifdef USE_PAM_DLOPEN */ openvpn-2.4.4/src/plugins/auth-pam/pamdl.h000066400000000000000000000002111316434344000204340ustar00rootroot00000000000000#ifdef USE_PAM_DLOPEN /* Dynamically load and unload the PAM library */ int dlopen_pam(const char *so); void dlclose_pam(void); #endif openvpn-2.4.4/src/plugins/auth-pam/utils.c000066400000000000000000000057461316434344000205140ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ /* * OpenVPN plugin module to do PAM authentication using a split * privilege model. */ #ifdef HAVE_CONFIG_H #include #endif #include #include #include #include #include #include #include "utils.h" char * searchandreplace(const char *tosearch, const char *searchfor, const char *replacewith) { if (!tosearch || !searchfor || !replacewith) { return NULL; } size_t tosearchlen = strlen(tosearch); size_t replacewithlen = strlen(replacewith); size_t templen = tosearchlen * replacewithlen; if (tosearchlen == 0 || strlen(searchfor) == 0 || replacewithlen == 0) { return NULL; } bool is_potential_integer_overflow = (templen == SIZE_MAX) || (templen / tosearchlen != replacewithlen); if (is_potential_integer_overflow) { return NULL; } /* state: all parameters are valid */ const char *searching = tosearch; char *scratch; char temp[templen+1]; temp[0] = 0; scratch = strstr(searching,searchfor); if (!scratch) { return strdup(tosearch); } while (scratch) { strncat(temp,searching,scratch-searching); strcat(temp,replacewith); searching = scratch+strlen(searchfor); scratch = strstr(searching,searchfor); } return strdup(temp); } const char * get_env(const char *name, const char *envp[]) { if (envp) { int i; const int namelen = strlen(name); for (i = 0; envp[i]; ++i) { if (!strncmp(envp[i], name, namelen)) { const char *cp = envp[i] + namelen; if (*cp == '=') { return cp + 1; } } } } return NULL; } int string_array_len(const char *array[]) { int i = 0; if (array) { while (array[i]) { ++i; } } return i; } openvpn-2.4.4/src/plugins/auth-pam/utils.h000066400000000000000000000046351316434344000205150ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifndef _PLUGIN_AUTH_PAM_UTILS__H #define _PLUGIN_AUTH_PAM_UTILS__H /** * Read 'tosearch', replace all occurences of 'searchfor' with 'replacewith' and return * a pointer to the NEW string. Does not modify the input strings. Will not enter an * infinite loop with clever 'searchfor' and 'replacewith' strings. * * @author Daniel Johnson - Progman2000@usa.net / djohnson@progman.us * * @param tosearch haystack to search in * @param searchfor needle to search for in the haystack * @param replacewith when a match is found, replace needle with this string * * @return Retuns NULL when any parameter is NULL or the worst-case result is to large ( >= SIZE_MAX). * Otherwise it returns a pointer to a new buffer containing the modified input */ char * searchandreplace(const char *tosearch, const char *searchfor, const char *replacewith); /** * Given an environmental variable name, search * the envp array for its value * * @param name Environment variable to look up * @param envp Environment variable table with all key/value pairs * * @return Returns a pointer to the value of the enviroment variable if found, otherwise NULL is returned. */ const char * get_env(const char *name, const char *envp[]); /** * Return the length of a string array * * @param array Pointer to the array to calculate size of * */ int string_array_len(const char *array[]); #endif openvpn-2.4.4/src/plugins/down-root/000077500000000000000000000000001316434344000174105ustar00rootroot00000000000000openvpn-2.4.4/src/plugins/down-root/Makefile.am000066400000000000000000000011031316434344000214370ustar00rootroot00000000000000# # OpenVPN (TM) Down Root Plugin -- OpenVPN Plugin # # Copyright (C) 2012 Alon Bar-Lev # MAINTAINERCLEANFILES = \ $(srcdir)/Makefile.in AM_CFLAGS = \ -I$(top_srcdir)/include \ $(OPTIONAL_CRYPTO_CFLAGS) if ENABLE_PLUGIN_DOWN_ROOT plugin_LTLIBRARIES = openvpn-plugin-down-root.la dist_doc_DATA = README.down-root endif openvpn_plugin_down_root_la_SOURCES = \ down-root.c \ down-root.exports openvpn_plugin_down_root_la_LDFLAGS = $(AM_LDFLAGS) \ -export-symbols "$(srcdir)/down-root.exports" \ -module -shared -avoid-version -no-undefined openvpn-2.4.4/src/plugins/down-root/Makefile.in000066400000000000000000000573551316434344000214740ustar00rootroot00000000000000# Makefile.in generated by automake 1.14.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2013 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY, to the extent permitted by law; without # even the implied warranty of MERCHANTABILITY or FITNESS FOR A # PARTICULAR PURPOSE. @SET_MAKE@ # # OpenVPN (TM) Down Root Plugin -- OpenVPN Plugin # # Copyright (C) 2012 Alon Bar-Lev # VPATH = @srcdir@ am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ *) echo "am__make_running_with_option: internal error: invalid" \ "target option '$${target_option-}' specified" >&2; \ exit 1;; \ esac; \ has_opt=no; \ sane_makeflags=$$MAKEFLAGS; \ if $(am__is_gnu_make); then \ sane_makeflags=$$MFLAGS; \ else \ case $$MAKEFLAGS in \ *\\[\ \ ]*) \ bs=\\; \ sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ esac; \ fi; \ skip_next=no; \ strip_trailopt () \ { \ flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ }; \ for flg in $$sane_makeflags; do \ test $$skip_next = yes && { skip_next=no; continue; }; \ case $$flg in \ *=*|--*) continue;; \ -*I) strip_trailopt 'I'; skip_next=yes;; \ -*I?*) strip_trailopt 'I';; \ -*O) strip_trailopt 'O'; skip_next=yes;; \ -*O?*) strip_trailopt 'O';; \ -*l) strip_trailopt 'l'; skip_next=yes;; \ -*l?*) strip_trailopt 'l';; \ -[dEDm]) skip_next=yes;; \ -[JT]) skip_next=yes;; \ esac; \ case $$flg in \ *$$target_option*) has_opt=yes; break;; \ esac; \ done; \ test $$has_opt = yes am__make_dryrun = (target_option=n; $(am__make_running_with_option)) am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) pkgdatadir = $(datadir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ pkglibdir = $(libdir)/@PACKAGE@ pkglibexecdir = $(libexecdir)/@PACKAGE@ am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c install_sh_SCRIPT = $(install_sh) -c INSTALL_HEADER = $(INSTALL_DATA) transform = $(program_transform_name) NORMAL_INSTALL = : PRE_INSTALL = : POST_INSTALL = : NORMAL_UNINSTALL = : PRE_UNINSTALL = : POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = src/plugins/down-root DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ $(top_srcdir)/depcomp $(am__dist_doc_DATA_DIST) ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/ax_emptyarray.m4 \ $(top_srcdir)/m4/ax_socklen_t.m4 \ $(top_srcdir)/m4/ax_varargs.m4 $(top_srcdir)/m4/libtool.m4 \ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ $(top_srcdir)/m4/pkg.m4 $(top_srcdir)/version.m4 \ $(top_srcdir)/compat.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h \ $(top_builddir)/include/openvpn-plugin.h CONFIG_CLEAN_FILES = CONFIG_CLEAN_VPATH_FILES = am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; am__vpath_adj = case $$p in \ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ *) f=$$p;; \ esac; am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; am__install_max = 40 am__nobase_strip_setup = \ srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` am__nobase_strip = \ for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" am__nobase_list = $(am__nobase_strip_setup); \ for p in $$list; do echo "$$p $$p"; done | \ sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ if (++n[$$2] == $(am__install_max)) \ { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ END { for (dir in files) print dir, files[dir] }' am__base_list = \ sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' am__uninstall_files_from_dir = { \ test -z "$$files" \ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ $(am__cd) "$$dir" && rm -f $$files; }; \ } am__installdirs = "$(DESTDIR)$(plugindir)" "$(DESTDIR)$(docdir)" LTLIBRARIES = $(plugin_LTLIBRARIES) openvpn_plugin_down_root_la_LIBADD = am_openvpn_plugin_down_root_la_OBJECTS = down-root.lo openvpn_plugin_down_root_la_OBJECTS = \ $(am_openvpn_plugin_down_root_la_OBJECTS) AM_V_lt = $(am__v_lt_@AM_V@) am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) am__v_lt_0 = --silent am__v_lt_1 = openvpn_plugin_down_root_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ $(AM_CFLAGS) $(CFLAGS) $(openvpn_plugin_down_root_la_LDFLAGS) \ $(LDFLAGS) -o $@ @ENABLE_PLUGIN_DOWN_ROOT_TRUE@am_openvpn_plugin_down_root_la_rpath = \ @ENABLE_PLUGIN_DOWN_ROOT_TRUE@ -rpath $(plugindir) AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false am__v_P_1 = : AM_V_GEN = $(am__v_GEN_@AM_V@) am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) am__v_GEN_0 = @echo " GEN " $@; am__v_GEN_1 = AM_V_at = $(am__v_at_@AM_V@) am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) am__v_at_0 = @ am__v_at_1 = DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) -I$(top_builddir)/include depcomp = $(SHELL) $(top_srcdir)/depcomp am__depfiles_maybe = depfiles am__mv = mv -f COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \ $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ $(AM_CFLAGS) $(CFLAGS) AM_V_CC = $(am__v_CC_@AM_V@) am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@) am__v_CC_0 = @echo " CC " $@; am__v_CC_1 = CCLD = $(CC) LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ $(AM_LDFLAGS) $(LDFLAGS) -o $@ AM_V_CCLD = $(am__v_CCLD_@AM_V@) am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) am__v_CCLD_0 = @echo " CCLD " $@; am__v_CCLD_1 = SOURCES = $(openvpn_plugin_down_root_la_SOURCES) DIST_SOURCES = $(openvpn_plugin_down_root_la_SOURCES) am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ *) (install-info --version) >/dev/null 2>&1;; \ esac am__dist_doc_DATA_DIST = README.down-root DATA = $(dist_doc_DATA) am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) # Read a list of newline-separated strings from the standard input, # and print each of them once, without duplicates. Input order is # *not* preserved. am__uniquify_input = $(AWK) '\ BEGIN { nonempty = 0; } \ { items[$$0] = 1; nonempty = 1; } \ END { if (nonempty) { for (i in items) print i; }; } \ ' # Make sure the list of sources is unique. This is necessary because, # e.g., the same source file might be shared among _SOURCES variables # for different programs/libraries. am__define_uniq_tagged_files = \ list='$(am__tagged_files)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ AS = @AS@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ CMAKE = @CMAKE@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ DL_LIBS = @DL_LIBS@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ GIT = @GIT@ GREP = @GREP@ IFCONFIG = @IFCONFIG@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ IPROUTE = @IPROUTE@ LD = @LD@ LDFLAGS = @LDFLAGS@ LIBOBJS = @LIBOBJS@ LIBPAM_CFLAGS = @LIBPAM_CFLAGS@ LIBPAM_LIBS = @LIBPAM_LIBS@ LIBS = @LIBS@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ LZ4_CFLAGS = @LZ4_CFLAGS@ LZ4_LIBS = @LZ4_LIBS@ LZO_CFLAGS = @LZO_CFLAGS@ LZO_LIBS = @LZO_LIBS@ MAKEINFO = @MAKEINFO@ MAN2HTML = @MAN2HTML@ MANIFEST_TOOL = @MANIFEST_TOOL@ MBEDTLS_CFLAGS = @MBEDTLS_CFLAGS@ MBEDTLS_LIBS = @MBEDTLS_LIBS@ MKDIR_P = @MKDIR_P@ NETSTAT = @NETSTAT@ NM = @NM@ NMEDIT = @NMEDIT@ OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ OPENSSL_CFLAGS = @OPENSSL_CFLAGS@ OPENSSL_LIBS = @OPENSSL_LIBS@ OPENVPN_VERSION_MAJOR = @OPENVPN_VERSION_MAJOR@ OPENVPN_VERSION_MINOR = @OPENVPN_VERSION_MINOR@ OPENVPN_VERSION_PATCH = @OPENVPN_VERSION_PATCH@ OPTIONAL_CRYPTO_CFLAGS = @OPTIONAL_CRYPTO_CFLAGS@ OPTIONAL_CRYPTO_LIBS = @OPTIONAL_CRYPTO_LIBS@ OPTIONAL_DL_LIBS = @OPTIONAL_DL_LIBS@ OPTIONAL_LZ4_CFLAGS = @OPTIONAL_LZ4_CFLAGS@ OPTIONAL_LZ4_LIBS = @OPTIONAL_LZ4_LIBS@ OPTIONAL_LZO_CFLAGS = @OPTIONAL_LZO_CFLAGS@ OPTIONAL_LZO_LIBS = @OPTIONAL_LZO_LIBS@ OPTIONAL_PKCS11_HELPER_CFLAGS = @OPTIONAL_PKCS11_HELPER_CFLAGS@ OPTIONAL_PKCS11_HELPER_LIBS = @OPTIONAL_PKCS11_HELPER_LIBS@ OPTIONAL_SELINUX_LIBS = @OPTIONAL_SELINUX_LIBS@ OPTIONAL_SYSTEMD_LIBS = @OPTIONAL_SYSTEMD_LIBS@ OTOOL = @OTOOL@ OTOOL64 = @OTOOL64@ P11KIT_CFLAGS = @P11KIT_CFLAGS@ P11KIT_LIBS = @P11KIT_LIBS@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PKCS11_HELPER_CFLAGS = @PKCS11_HELPER_CFLAGS@ PKCS11_HELPER_LIBS = @PKCS11_HELPER_LIBS@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGINDIR = @PLUGINDIR@ PLUGIN_AUTH_PAM_CFLAGS = @PLUGIN_AUTH_PAM_CFLAGS@ PLUGIN_AUTH_PAM_LIBS = @PLUGIN_AUTH_PAM_LIBS@ RANLIB = @RANLIB@ RC = @RC@ ROUTE = @ROUTE@ SED = @SED@ SELINUX_LIBS = @SELINUX_LIBS@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ SOCKETS_LIBS = @SOCKETS_LIBS@ STRIP = @STRIP@ SYSTEMD_ASK_PASSWORD = @SYSTEMD_ASK_PASSWORD@ SYSTEMD_UNIT_DIR = @SYSTEMD_UNIT_DIR@ TAP_CFLAGS = @TAP_CFLAGS@ TAP_WIN_COMPONENT_ID = @TAP_WIN_COMPONENT_ID@ TAP_WIN_MIN_MAJOR = @TAP_WIN_MIN_MAJOR@ TAP_WIN_MIN_MINOR = @TAP_WIN_MIN_MINOR@ TEST_CFLAGS = @TEST_CFLAGS@ TEST_LDFLAGS = @TEST_LDFLAGS@ TMPFILES_DIR = @TMPFILES_DIR@ VENDOR_BUILD_ROOT = @VENDOR_BUILD_ROOT@ VENDOR_DIST_ROOT = @VENDOR_DIST_ROOT@ VENDOR_SRC_ROOT = @VENDOR_SRC_ROOT@ VERSION = @VERSION@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ ac_ct_AR = @ac_ct_AR@ ac_ct_CC = @ac_ct_CC@ ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ am__include = @am__include@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ am__tar = @am__tar@ am__untar = @am__untar@ bindir = @bindir@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ datadir = @datadir@ datarootdir = @datarootdir@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ host_os = @host_os@ host_vendor = @host_vendor@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ libdir = @libdir@ libexecdir = @libexecdir@ libsystemd_CFLAGS = @libsystemd_CFLAGS@ libsystemd_LIBS = @libsystemd_LIBS@ localedir = @localedir@ localstatedir = @localstatedir@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ pdfdir = @pdfdir@ plugindir = @plugindir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ sampledir = @sampledir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ systemdunitdir = @systemdunitdir@ target_alias = @target_alias@ tmpfilesdir = @tmpfilesdir@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ MAINTAINERCLEANFILES = \ $(srcdir)/Makefile.in AM_CFLAGS = \ -I$(top_srcdir)/include \ $(OPTIONAL_CRYPTO_CFLAGS) @ENABLE_PLUGIN_DOWN_ROOT_TRUE@plugin_LTLIBRARIES = openvpn-plugin-down-root.la @ENABLE_PLUGIN_DOWN_ROOT_TRUE@dist_doc_DATA = README.down-root openvpn_plugin_down_root_la_SOURCES = \ down-root.c \ down-root.exports openvpn_plugin_down_root_la_LDFLAGS = $(AM_LDFLAGS) \ -export-symbols "$(srcdir)/down-root.exports" \ -module -shared -avoid-version -no-undefined all: all-am .SUFFIXES: .SUFFIXES: .c .lo .o .obj $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) @for dep in $?; do \ case '$(am__configure_deps)' in \ *$$dep*) \ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ && { if test -f $@; then exit 0; else break; fi; }; \ exit 1;; \ esac; \ done; \ echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/plugins/down-root/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --foreign src/plugins/down-root/Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ *) \ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(top_srcdir)/configure: $(am__configure_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(ACLOCAL_M4): $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(am__aclocal_m4_deps): install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES) @$(NORMAL_INSTALL) @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ list2=; for p in $$list; do \ if test -f $$p; then \ list2="$$list2 $$p"; \ else :; fi; \ done; \ test -z "$$list2" || { \ echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \ $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \ echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \ $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \ } uninstall-pluginLTLIBRARIES: @$(NORMAL_UNINSTALL) @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ for p in $$list; do \ $(am__strip_dir) \ echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \ $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \ done clean-pluginLTLIBRARIES: -test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES) @list='$(plugin_LTLIBRARIES)'; \ locs=`for p in $$list; do echo $$p; done | \ sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \ sort -u`; \ test -z "$$locs" || { \ echo rm -f $${locs}; \ rm -f $${locs}; \ } openvpn-plugin-down-root.la: $(openvpn_plugin_down_root_la_OBJECTS) $(openvpn_plugin_down_root_la_DEPENDENCIES) $(EXTRA_openvpn_plugin_down_root_la_DEPENDENCIES) $(AM_V_CCLD)$(openvpn_plugin_down_root_la_LINK) $(am_openvpn_plugin_down_root_la_rpath) $(openvpn_plugin_down_root_la_OBJECTS) $(openvpn_plugin_down_root_la_LIBADD) $(LIBS) mostlyclean-compile: -rm -f *.$(OBJEXT) distclean-compile: -rm -f *.tab.c @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/down-root.Plo@am__quote@ .c.o: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< .c.obj: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` .c.lo: @am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $< mostlyclean-libtool: -rm -f *.lo clean-libtool: -rm -rf .libs _libs install-dist_docDATA: $(dist_doc_DATA) @$(NORMAL_INSTALL) @list='$(dist_doc_DATA)'; test -n "$(docdir)" || list=; \ if test -n "$$list"; then \ echo " $(MKDIR_P) '$(DESTDIR)$(docdir)'"; \ $(MKDIR_P) "$(DESTDIR)$(docdir)" || exit 1; \ fi; \ for p in $$list; do \ if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ echo "$$d$$p"; \ done | $(am__base_list) | \ while read files; do \ echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(docdir)'"; \ $(INSTALL_DATA) $$files "$(DESTDIR)$(docdir)" || exit $$?; \ done uninstall-dist_docDATA: @$(NORMAL_UNINSTALL) @list='$(dist_doc_DATA)'; test -n "$(docdir)" || list=; \ files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ dir='$(DESTDIR)$(docdir)'; $(am__uninstall_files_from_dir) ID: $(am__tagged_files) $(am__define_uniq_tagged_files); mkid -fID $$unique tags: tags-am TAGS: tags tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) set x; \ here=`pwd`; \ $(am__define_uniq_tagged_files); \ shift; \ if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ test -n "$$unique" || unique=$$empty_fix; \ if test $$# -gt 0; then \ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ "$$@" $$unique; \ else \ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ $$unique; \ fi; \ fi ctags: ctags-am CTAGS: ctags ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) $(am__define_uniq_tagged_files); \ test -z "$(CTAGS_ARGS)$$unique" \ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ $$unique GTAGS: here=`$(am__cd) $(top_builddir) && pwd` \ && $(am__cd) $(top_srcdir) \ && gtags -i $(GTAGS_ARGS) "$$here" cscopelist: cscopelist-am cscopelist-am: $(am__tagged_files) list='$(am__tagged_files)'; \ case "$(srcdir)" in \ [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \ *) sdir=$(subdir)/$(srcdir) ;; \ esac; \ for i in $$list; do \ if test -f "$$i"; then \ echo "$(subdir)/$$i"; \ else \ echo "$$sdir/$$i"; \ fi; \ done >> $(top_builddir)/cscope.files distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags distdir: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ dist_files=`for file in $$list; do echo $$file; done | \ sed -e "s|^$$srcdirstrip/||;t" \ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ case $$dist_files in \ */*) $(MKDIR_P) `echo "$$dist_files" | \ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ sort -u` ;; \ esac; \ for file in $$dist_files; do \ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ if test -d $$d/$$file; then \ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ if test -d "$(distdir)/$$file"; then \ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ else \ test -f "$(distdir)/$$file" \ || cp -p $$d/$$file "$(distdir)/$$file" \ || exit 1; \ fi; \ done check-am: all-am check: check-am all-am: Makefile $(LTLIBRARIES) $(DATA) installdirs: for dir in "$(DESTDIR)$(plugindir)" "$(DESTDIR)$(docdir)"; do \ test -z "$$dir" || $(MKDIR_P) "$$dir"; \ done install: install-am install-exec: install-exec-am install-data: install-data-am uninstall: uninstall-am install-am: all-am @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am installcheck: installcheck-am install-strip: if test -z '$(STRIP)'; then \ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ install; \ else \ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ fi mostlyclean-generic: clean-generic: distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @echo "it deletes files that may require special tools to rebuild." -test -z "$(MAINTAINERCLEANFILES)" || rm -f $(MAINTAINERCLEANFILES) clean: clean-am clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \ mostlyclean-am distclean: distclean-am -rm -rf ./$(DEPDIR) -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags dvi: dvi-am dvi-am: html: html-am html-am: info: info-am info-am: install-data-am: install-dist_docDATA install-pluginLTLIBRARIES install-dvi: install-dvi-am install-dvi-am: install-exec-am: install-html: install-html-am install-html-am: install-info: install-info-am install-info-am: install-man: install-pdf: install-pdf-am install-pdf-am: install-ps: install-ps-am install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-am -rm -rf ./$(DEPDIR) -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic mostlyclean: mostlyclean-am mostlyclean-am: mostlyclean-compile mostlyclean-generic \ mostlyclean-libtool pdf: pdf-am pdf-am: ps: ps-am ps-am: uninstall-am: uninstall-dist_docDATA uninstall-pluginLTLIBRARIES .MAKE: install-am install-strip .PHONY: CTAGS GTAGS TAGS all all-am check check-am clean clean-generic \ clean-libtool clean-pluginLTLIBRARIES cscopelist-am ctags \ ctags-am distclean distclean-compile distclean-generic \ distclean-libtool distclean-tags distdir dvi dvi-am html \ html-am info info-am install install-am install-data \ install-data-am install-dist_docDATA install-dvi \ install-dvi-am install-exec install-exec-am install-html \ install-html-am install-info install-info-am install-man \ install-pdf install-pdf-am install-pluginLTLIBRARIES \ install-ps install-ps-am install-strip installcheck \ installcheck-am installdirs maintainer-clean \ maintainer-clean-generic mostlyclean mostlyclean-compile \ mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ tags tags-am uninstall uninstall-am uninstall-dist_docDATA \ uninstall-pluginLTLIBRARIES # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: openvpn-2.4.4/src/plugins/down-root/README.down-root000066400000000000000000000015421316434344000222210ustar00rootroot00000000000000down-root -- an OpenVPN Plugin Module SYNOPSIS The down-root module allows an OpenVPN configuration to call a down script with root privileges, even when privileges have been dropped using --user/--group/--chroot. This module uses a split privilege execution model which will fork() before OpenVPN drops root privileges, at the point where the --up script is usually called. The module will then remain in a wait state until it receives a message from OpenVPN via pipe to execute the down script. Thus, the down script will be run in the same execution environment as the up script. BUILD Build this module with the "make" command. The plugin module will be named openvpn-down-root.so USAGE To use this module, add to your OpenVPN config file: plugin openvpn-down-root.so "command ..." CAVEATS This module will only work on *nix systems, not Windows. openvpn-2.4.4/src/plugins/down-root/down-root.c000066400000000000000000000340361316434344000215120ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. * Copyright (C) 2013 David Sommerseth * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ /* * OpenVPN plugin module to do privileged down-script execution. */ #ifdef HAVE_CONFIG_H #include #endif #include #include #include #include #include #include #include #include #include #include #include #include #include #define DEBUG(verb) ((verb) >= 7) /* Command codes for foreground -> background communication */ #define COMMAND_RUN_SCRIPT 1 #define COMMAND_EXIT 2 /* Response codes for background -> foreground communication */ #define RESPONSE_INIT_SUCCEEDED 10 #define RESPONSE_INIT_FAILED 11 #define RESPONSE_SCRIPT_SUCCEEDED 12 #define RESPONSE_SCRIPT_FAILED 13 /* Background process function */ static void down_root_server(const int fd, char *const *argv, char *const *envp, const int verb); /* * Plugin state, used by foreground */ struct down_root_context { /* Foreground's socket to background process */ int foreground_fd; /* Process ID of background process */ pid_t background_pid; /* Verbosity level of OpenVPN */ int verb; /* down command */ char **command; }; /* * Given an environmental variable name, search * the envp array for its value, returning it * if found or NULL otherwise. */ static const char * get_env(const char *name, const char *envp[]) { if (envp) { int i; const int namelen = strlen(name); for (i = 0; envp[i]; ++i) { if (!strncmp(envp[i], name, namelen)) { const char *cp = envp[i] + namelen; if (*cp == '=') { return cp + 1; } } } } return NULL; } /* * Return the length of a string array */ static int string_array_len(const char *array[]) { int i = 0; if (array) { while (array[i]) { ++i; } } return i; } /* * Socket read/write functions. */ static int recv_control(int fd) { unsigned char c; const ssize_t size = read(fd, &c, sizeof(c)); if (size == sizeof(c)) { return c; } else { return -1; } } static int send_control(int fd, int code) { unsigned char c = (unsigned char) code; const ssize_t size = write(fd, &c, sizeof(c)); if (size == sizeof(c)) { return (int) size; } else { return -1; } } /* * Daemonize if "daemon" env var is true. * Preserve stderr across daemonization if * "daemon_log_redirect" env var is true. */ static void daemonize(const char *envp[]) { const char *daemon_string = get_env("daemon", envp); if (daemon_string && daemon_string[0] == '1') { const char *log_redirect = get_env("daemon_log_redirect", envp); int fd = -1; if (log_redirect && log_redirect[0] == '1') { fd = dup(2); } if (daemon(0, 0) < 0) { warn("DOWN-ROOT: daemonization failed"); } else if (fd >= 3) { dup2(fd, 2); close(fd); } } } /* * Close most of parent's fds. * Keep stdin/stdout/stderr, plus one * other fd which is presumed to be * our pipe back to parent. * Admittedly, a bit of a kludge, * but posix doesn't give us a kind * of FD_CLOEXEC which will stop * fds from crossing a fork(). */ static void close_fds_except(int keep) { int i; closelog(); for (i = 3; i <= 100; ++i) { if (i != keep) { close(i); } } } /* * Usually we ignore signals, because our parent will * deal with them. */ static void set_signals(void) { signal(SIGTERM, SIG_DFL); signal(SIGINT, SIG_IGN); signal(SIGHUP, SIG_IGN); signal(SIGUSR1, SIG_IGN); signal(SIGUSR2, SIG_IGN); signal(SIGPIPE, SIG_IGN); } static void free_context(struct down_root_context *context) { if (context) { if (context->command) { free(context->command); } free(context); } } /* Run the script using execve(). As execve() replaces the * current process with the new one, do a fork first before * calling execve() */ static int run_script(char *const *argv, char *const *envp) { pid_t pid; int ret = 0; pid = fork(); if (pid == (pid_t)0) /* child side */ { execve(argv[0], argv, envp); /* If execve() fails to run, exit child with exit code 127 */ err(127, "DOWN-ROOT: Failed execute: %s", argv[0]); } else if (pid < (pid_t)0) { warn("DOWN-ROOT: Failed to fork child to run %s", argv[0]); return -1; } else /* parent side */ { if (waitpid(pid, &ret, 0) != pid) { /* waitpid does not return error information via errno */ fprintf(stderr, "DOWN-ROOT: waitpid() failed, don't know exit code of child (%s)\n", argv[0]); return -1; } } return ret; } OPENVPN_EXPORT openvpn_plugin_handle_t openvpn_plugin_open_v1(unsigned int *type_mask, const char *argv[], const char *envp[]) { struct down_root_context *context; int i = 0; /* * Allocate our context */ context = (struct down_root_context *) calloc(1, sizeof(struct down_root_context)); if (!context) { warn("DOWN-ROOT: Could not allocate memory for plug-in context"); goto error; } context->foreground_fd = -1; /* * Intercept the --up and --down callbacks */ *type_mask = OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_UP) | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_DOWN); /* * Make sure we have two string arguments: the first is the .so name, * the second is the script command. */ if (string_array_len(argv) < 2) { fprintf(stderr, "DOWN-ROOT: need down script command\n"); goto error; } /* * Save the arguments in our context */ context->command = calloc(string_array_len(argv), sizeof(char *)); if (!context->command) { warn("DOWN-ROOT: Could not allocate memory for command array"); goto error; } /* Ignore argv[0], as it contains just the plug-in file name */ for (i = 1; i < string_array_len(argv); i++) { context->command[i-1] = (char *) argv[i]; } /* * Get verbosity level from environment */ { const char *verb_string = get_env("verb", envp); if (verb_string) { context->verb = atoi(verb_string); } } return (openvpn_plugin_handle_t) context; error: free_context(context); return NULL; } OPENVPN_EXPORT int openvpn_plugin_func_v1(openvpn_plugin_handle_t handle, const int type, const char *argv[], const char *envp[]) { struct down_root_context *context = (struct down_root_context *) handle; if (type == OPENVPN_PLUGIN_UP && context->foreground_fd == -1) /* fork off a process to hold onto root */ { pid_t pid; int fd[2]; /* * Make a socket for foreground and background processes * to communicate. */ if (socketpair(PF_UNIX, SOCK_DGRAM, 0, fd) == -1) { warn("DOWN-ROOT: socketpair call failed"); return OPENVPN_PLUGIN_FUNC_ERROR; } /* * Fork off the privileged process. It will remain privileged * even after the foreground process drops its privileges. */ pid = fork(); if (pid) { int status; /* * Foreground Process */ context->background_pid = pid; /* close our copy of child's socket */ close(fd[1]); /* don't let future subprocesses inherit child socket */ if (fcntl(fd[0], F_SETFD, FD_CLOEXEC) < 0) { warn("DOWN-ROOT: Set FD_CLOEXEC flag on socket file descriptor failed"); } /* wait for background child process to initialize */ status = recv_control(fd[0]); if (status == RESPONSE_INIT_SUCCEEDED) { context->foreground_fd = fd[0]; return OPENVPN_PLUGIN_FUNC_SUCCESS; } } else { /* * Background Process */ /* close all parent fds except our socket back to parent */ close_fds_except(fd[1]); /* Ignore most signals (the parent will receive them) */ set_signals(); /* Daemonize if --daemon option is set. */ daemonize(envp); /* execute the event loop */ down_root_server(fd[1], context->command, (char *const *) envp, context->verb); close(fd[1]); exit(0); return 0; /* NOTREACHED */ } } else if (type == OPENVPN_PLUGIN_DOWN && context->foreground_fd >= 0) { if (send_control(context->foreground_fd, COMMAND_RUN_SCRIPT) == -1) { warn("DOWN-ROOT: Error sending script execution signal to background process"); } else { const int status = recv_control(context->foreground_fd); if (status == RESPONSE_SCRIPT_SUCCEEDED) { return OPENVPN_PLUGIN_FUNC_SUCCESS; } if (status == -1) { warn("DOWN-ROOT: Error receiving script execution confirmation from background process"); } } } return OPENVPN_PLUGIN_FUNC_ERROR; } OPENVPN_EXPORT void openvpn_plugin_close_v1(openvpn_plugin_handle_t handle) { struct down_root_context *context = (struct down_root_context *) handle; if (DEBUG(context->verb)) { fprintf(stderr, "DOWN-ROOT: close\n"); } if (context->foreground_fd >= 0) { /* tell background process to exit */ if (send_control(context->foreground_fd, COMMAND_EXIT) == -1) { warn("DOWN-ROOT: Error signalling background process to exit"); } /* wait for background process to exit */ if (context->background_pid > 0) { waitpid(context->background_pid, NULL, 0); } close(context->foreground_fd); context->foreground_fd = -1; } free_context(context); } OPENVPN_EXPORT void openvpn_plugin_abort_v1(openvpn_plugin_handle_t handle) { struct down_root_context *context = (struct down_root_context *) handle; if (context && context->foreground_fd >= 0) { /* tell background process to exit */ send_control(context->foreground_fd, COMMAND_EXIT); close(context->foreground_fd); context->foreground_fd = -1; } } /* * Background process -- runs with privilege. */ static void down_root_server(const int fd, char *const *argv, char *const *envp, const int verb) { /* * Do initialization */ if (DEBUG(verb)) { fprintf(stderr, "DOWN-ROOT: BACKGROUND: INIT command='%s'\n", argv[0]); } /* * Tell foreground that we initialized successfully */ if (send_control(fd, RESPONSE_INIT_SUCCEEDED) == -1) { warn("DOWN-ROOT: BACKGROUND: write error on response socket [1]"); goto done; } /* * Event loop */ while (1) { int command_code; int exit_code = -1; /* get a command from foreground process */ command_code = recv_control(fd); if (DEBUG(verb)) { fprintf(stderr, "DOWN-ROOT: BACKGROUND: received command code: %d\n", command_code); } switch (command_code) { case COMMAND_RUN_SCRIPT: if ( (exit_code = run_script(argv, envp)) == 0) /* Succeeded */ { if (send_control(fd, RESPONSE_SCRIPT_SUCCEEDED) == -1) { warn("DOWN-ROOT: BACKGROUND: write error on response socket [2]"); goto done; } } else /* Failed */ { fprintf(stderr, "DOWN-ROOT: BACKGROUND: %s exited with exit code %i\n", argv[0], exit_code); if (send_control(fd, RESPONSE_SCRIPT_FAILED) == -1) { warn("DOWN-ROOT: BACKGROUND: write error on response socket [3]"); goto done; } } break; case COMMAND_EXIT: goto done; case -1: warn("DOWN-ROOT: BACKGROUND: read error on command channel"); goto done; default: fprintf(stderr, "DOWN-ROOT: BACKGROUND: unknown command code: code=%d, exiting\n", command_code); goto done; } } done: if (DEBUG(verb)) { fprintf(stderr, "DOWN-ROOT: BACKGROUND: EXIT\n"); } return; } /* * Local variables: * c-file-style: "bsd" * c-basic-offset: 4 * indent-tabs-mode: nil * End: */ openvpn-2.4.4/src/plugins/down-root/down-root.exports000066400000000000000000000001361316434344000227660ustar00rootroot00000000000000openvpn_plugin_open_v1 openvpn_plugin_func_v1 openvpn_plugin_close_v1 openvpn_plugin_abort_v1 openvpn-2.4.4/tests/000077500000000000000000000000001316434344000143525ustar00rootroot00000000000000openvpn-2.4.4/tests/Makefile.am000066400000000000000000000014221316434344000164050ustar00rootroot00000000000000# # OpenVPN -- An application to securely tunnel IP networks # over a single UDP port, with support for SSL/TLS-based # session authentication and key exchange, # packet encryption, packet authentication, and # packet compression. # # Copyright (C) 2002-2017 OpenVPN Technologies, Inc. # Copyright (C) 2006-2012 Alon Bar-Lev # MAINTAINERCLEANFILES = \ $(srcdir)/Makefile.in SUBDIRS = unit_tests test_scripts = t_client.sh if ENABLE_CRYPTO test_scripts += t_lpback.sh t_cltsrv.sh endif TESTS_ENVIRONMENT = top_srcdir="$(top_srcdir)" TESTS = $(test_scripts) dist_noinst_SCRIPTS = \ $(test_scripts) \ t_cltsrv-down.sh \ update_t_client_ips.sh dist_noinst_DATA = \ t_client.rc-sample openvpn-2.4.4/tests/Makefile.in000066400000000000000000000611351316434344000164250ustar00rootroot00000000000000# Makefile.in generated by automake 1.14.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2013 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY, to the extent permitted by law; without # even the implied warranty of MERCHANTABILITY or FITNESS FOR A # PARTICULAR PURPOSE. @SET_MAKE@ # # OpenVPN -- An application to securely tunnel IP networks # over a single UDP port, with support for SSL/TLS-based # session authentication and key exchange, # packet encryption, packet authentication, and # packet compression. # # Copyright (C) 2002-2017 OpenVPN Technologies, Inc. # Copyright (C) 2006-2012 Alon Bar-Lev # VPATH = @srcdir@ am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ *) echo "am__make_running_with_option: internal error: invalid" \ "target option '$${target_option-}' specified" >&2; \ exit 1;; \ esac; \ has_opt=no; \ sane_makeflags=$$MAKEFLAGS; \ if $(am__is_gnu_make); then \ sane_makeflags=$$MFLAGS; \ else \ case $$MAKEFLAGS in \ *\\[\ \ ]*) \ bs=\\; \ sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ esac; \ fi; \ skip_next=no; \ strip_trailopt () \ { \ flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ }; \ for flg in $$sane_makeflags; do \ test $$skip_next = yes && { skip_next=no; continue; }; \ case $$flg in \ *=*|--*) continue;; \ -*I) strip_trailopt 'I'; skip_next=yes;; \ -*I?*) strip_trailopt 'I';; \ -*O) strip_trailopt 'O'; skip_next=yes;; \ -*O?*) strip_trailopt 'O';; \ -*l) strip_trailopt 'l'; skip_next=yes;; \ -*l?*) strip_trailopt 'l';; \ -[dEDm]) skip_next=yes;; \ -[JT]) skip_next=yes;; \ esac; \ case $$flg in \ *$$target_option*) has_opt=yes; break;; \ esac; \ done; \ test $$has_opt = yes am__make_dryrun = (target_option=n; $(am__make_running_with_option)) am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) pkgdatadir = $(datadir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ pkglibdir = $(libdir)/@PACKAGE@ pkglibexecdir = $(libexecdir)/@PACKAGE@ am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c install_sh_SCRIPT = $(install_sh) -c INSTALL_HEADER = $(INSTALL_DATA) transform = $(program_transform_name) NORMAL_INSTALL = : PRE_INSTALL = : POST_INSTALL = : NORMAL_UNINSTALL = : PRE_UNINSTALL = : POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ @ENABLE_CRYPTO_TRUE@am__append_1 = t_lpback.sh t_cltsrv.sh subdir = tests DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ $(srcdir)/t_client.sh.in $(am__dist_noinst_SCRIPTS_DIST) \ $(dist_noinst_DATA) ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/ax_emptyarray.m4 \ $(top_srcdir)/m4/ax_socklen_t.m4 \ $(top_srcdir)/m4/ax_varargs.m4 $(top_srcdir)/m4/libtool.m4 \ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ $(top_srcdir)/m4/pkg.m4 $(top_srcdir)/version.m4 \ $(top_srcdir)/compat.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h \ $(top_builddir)/include/openvpn-plugin.h CONFIG_CLEAN_FILES = t_client.sh CONFIG_CLEAN_VPATH_FILES = am__dist_noinst_SCRIPTS_DIST = t_client.sh t_lpback.sh t_cltsrv.sh \ t_cltsrv-down.sh update_t_client_ips.sh SCRIPTS = $(dist_noinst_SCRIPTS) AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false am__v_P_1 = : AM_V_GEN = $(am__v_GEN_@AM_V@) am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) am__v_GEN_0 = @echo " GEN " $@; am__v_GEN_1 = AM_V_at = $(am__v_at_@AM_V@) am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) am__v_at_0 = @ am__v_at_1 = SOURCES = DIST_SOURCES = RECURSIVE_TARGETS = all-recursive check-recursive cscopelist-recursive \ ctags-recursive dvi-recursive html-recursive info-recursive \ install-data-recursive install-dvi-recursive \ install-exec-recursive install-html-recursive \ install-info-recursive install-pdf-recursive \ install-ps-recursive install-recursive installcheck-recursive \ installdirs-recursive pdf-recursive ps-recursive \ tags-recursive uninstall-recursive am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ *) (install-info --version) >/dev/null 2>&1;; \ esac DATA = $(dist_noinst_DATA) RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive \ distclean-recursive maintainer-clean-recursive am__recursive_targets = \ $(RECURSIVE_TARGETS) \ $(RECURSIVE_CLEAN_TARGETS) \ $(am__extra_recursive_targets) AM_RECURSIVE_TARGETS = $(am__recursive_targets:-recursive=) TAGS CTAGS \ distdir am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) # Read a list of newline-separated strings from the standard input, # and print each of them once, without duplicates. Input order is # *not* preserved. am__uniquify_input = $(AWK) '\ BEGIN { nonempty = 0; } \ { items[$$0] = 1; nonempty = 1; } \ END { if (nonempty) { for (i in items) print i; }; } \ ' # Make sure the list of sources is unique. This is necessary because, # e.g., the same source file might be shared among _SOURCES variables # for different programs/libraries. am__define_uniq_tagged_files = \ list='$(am__tagged_files)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags am__tty_colors_dummy = \ mgn= red= grn= lgn= blu= brg= std=; \ am__color_tests=no am__tty_colors = { \ $(am__tty_colors_dummy); \ if test "X$(AM_COLOR_TESTS)" = Xno; then \ am__color_tests=no; \ elif test "X$(AM_COLOR_TESTS)" = Xalways; then \ am__color_tests=yes; \ elif test "X$$TERM" != Xdumb && { test -t 1; } 2>/dev/null; then \ am__color_tests=yes; \ fi; \ if test $$am__color_tests = yes; then \ red=''; \ grn=''; \ lgn=''; \ blu=''; \ mgn=''; \ brg=''; \ std=''; \ fi; \ } DIST_SUBDIRS = $(SUBDIRS) DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) am__relativize = \ dir0=`pwd`; \ sed_first='s,^\([^/]*\)/.*$$,\1,'; \ sed_rest='s,^[^/]*/*,,'; \ sed_last='s,^.*/\([^/]*\)$$,\1,'; \ sed_butlast='s,/*[^/]*$$,,'; \ while test -n "$$dir1"; do \ first=`echo "$$dir1" | sed -e "$$sed_first"`; \ if test "$$first" != "."; then \ if test "$$first" = ".."; then \ dir2=`echo "$$dir0" | sed -e "$$sed_last"`/"$$dir2"; \ dir0=`echo "$$dir0" | sed -e "$$sed_butlast"`; \ else \ first2=`echo "$$dir2" | sed -e "$$sed_first"`; \ if test "$$first2" = "$$first"; then \ dir2=`echo "$$dir2" | sed -e "$$sed_rest"`; \ else \ dir2="../$$dir2"; \ fi; \ dir0="$$dir0"/"$$first"; \ fi; \ fi; \ dir1=`echo "$$dir1" | sed -e "$$sed_rest"`; \ done; \ reldir="$$dir2" ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ AS = @AS@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ CMAKE = @CMAKE@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ DL_LIBS = @DL_LIBS@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ GIT = @GIT@ GREP = @GREP@ IFCONFIG = @IFCONFIG@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ IPROUTE = @IPROUTE@ LD = @LD@ LDFLAGS = @LDFLAGS@ LIBOBJS = @LIBOBJS@ LIBPAM_CFLAGS = @LIBPAM_CFLAGS@ LIBPAM_LIBS = @LIBPAM_LIBS@ LIBS = @LIBS@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ LZ4_CFLAGS = @LZ4_CFLAGS@ LZ4_LIBS = @LZ4_LIBS@ LZO_CFLAGS = @LZO_CFLAGS@ LZO_LIBS = @LZO_LIBS@ MAKEINFO = @MAKEINFO@ MAN2HTML = @MAN2HTML@ MANIFEST_TOOL = @MANIFEST_TOOL@ MBEDTLS_CFLAGS = @MBEDTLS_CFLAGS@ MBEDTLS_LIBS = @MBEDTLS_LIBS@ MKDIR_P = @MKDIR_P@ NETSTAT = @NETSTAT@ NM = @NM@ NMEDIT = @NMEDIT@ OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ OPENSSL_CFLAGS = @OPENSSL_CFLAGS@ OPENSSL_LIBS = @OPENSSL_LIBS@ OPENVPN_VERSION_MAJOR = @OPENVPN_VERSION_MAJOR@ OPENVPN_VERSION_MINOR = @OPENVPN_VERSION_MINOR@ OPENVPN_VERSION_PATCH = @OPENVPN_VERSION_PATCH@ OPTIONAL_CRYPTO_CFLAGS = @OPTIONAL_CRYPTO_CFLAGS@ OPTIONAL_CRYPTO_LIBS = @OPTIONAL_CRYPTO_LIBS@ OPTIONAL_DL_LIBS = @OPTIONAL_DL_LIBS@ OPTIONAL_LZ4_CFLAGS = @OPTIONAL_LZ4_CFLAGS@ OPTIONAL_LZ4_LIBS = @OPTIONAL_LZ4_LIBS@ OPTIONAL_LZO_CFLAGS = @OPTIONAL_LZO_CFLAGS@ OPTIONAL_LZO_LIBS = @OPTIONAL_LZO_LIBS@ OPTIONAL_PKCS11_HELPER_CFLAGS = @OPTIONAL_PKCS11_HELPER_CFLAGS@ OPTIONAL_PKCS11_HELPER_LIBS = @OPTIONAL_PKCS11_HELPER_LIBS@ OPTIONAL_SELINUX_LIBS = @OPTIONAL_SELINUX_LIBS@ OPTIONAL_SYSTEMD_LIBS = @OPTIONAL_SYSTEMD_LIBS@ OTOOL = @OTOOL@ OTOOL64 = @OTOOL64@ P11KIT_CFLAGS = @P11KIT_CFLAGS@ P11KIT_LIBS = @P11KIT_LIBS@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PKCS11_HELPER_CFLAGS = @PKCS11_HELPER_CFLAGS@ PKCS11_HELPER_LIBS = @PKCS11_HELPER_LIBS@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGINDIR = @PLUGINDIR@ PLUGIN_AUTH_PAM_CFLAGS = @PLUGIN_AUTH_PAM_CFLAGS@ PLUGIN_AUTH_PAM_LIBS = @PLUGIN_AUTH_PAM_LIBS@ RANLIB = @RANLIB@ RC = @RC@ ROUTE = @ROUTE@ SED = @SED@ SELINUX_LIBS = @SELINUX_LIBS@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ SOCKETS_LIBS = @SOCKETS_LIBS@ STRIP = @STRIP@ SYSTEMD_ASK_PASSWORD = @SYSTEMD_ASK_PASSWORD@ SYSTEMD_UNIT_DIR = @SYSTEMD_UNIT_DIR@ TAP_CFLAGS = @TAP_CFLAGS@ TAP_WIN_COMPONENT_ID = @TAP_WIN_COMPONENT_ID@ TAP_WIN_MIN_MAJOR = @TAP_WIN_MIN_MAJOR@ TAP_WIN_MIN_MINOR = @TAP_WIN_MIN_MINOR@ TEST_CFLAGS = @TEST_CFLAGS@ TEST_LDFLAGS = @TEST_LDFLAGS@ TMPFILES_DIR = @TMPFILES_DIR@ VENDOR_BUILD_ROOT = @VENDOR_BUILD_ROOT@ VENDOR_DIST_ROOT = @VENDOR_DIST_ROOT@ VENDOR_SRC_ROOT = @VENDOR_SRC_ROOT@ VERSION = @VERSION@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ ac_ct_AR = @ac_ct_AR@ ac_ct_CC = @ac_ct_CC@ ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ am__include = @am__include@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ am__tar = @am__tar@ am__untar = @am__untar@ bindir = @bindir@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ datadir = @datadir@ datarootdir = @datarootdir@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ host_os = @host_os@ host_vendor = @host_vendor@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ libdir = @libdir@ libexecdir = @libexecdir@ libsystemd_CFLAGS = @libsystemd_CFLAGS@ libsystemd_LIBS = @libsystemd_LIBS@ localedir = @localedir@ localstatedir = @localstatedir@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ pdfdir = @pdfdir@ plugindir = @plugindir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ sampledir = @sampledir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ systemdunitdir = @systemdunitdir@ target_alias = @target_alias@ tmpfilesdir = @tmpfilesdir@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ MAINTAINERCLEANFILES = \ $(srcdir)/Makefile.in SUBDIRS = unit_tests test_scripts = t_client.sh $(am__append_1) TESTS_ENVIRONMENT = top_srcdir="$(top_srcdir)" TESTS = $(test_scripts) dist_noinst_SCRIPTS = \ $(test_scripts) \ t_cltsrv-down.sh \ update_t_client_ips.sh dist_noinst_DATA = \ t_client.rc-sample all: all-recursive .SUFFIXES: $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) @for dep in $?; do \ case '$(am__configure_deps)' in \ *$$dep*) \ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ && { if test -f $@; then exit 0; else break; fi; }; \ exit 1;; \ esac; \ done; \ echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign tests/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --foreign tests/Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ *) \ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(top_srcdir)/configure: $(am__configure_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(ACLOCAL_M4): $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(am__aclocal_m4_deps): t_client.sh: $(top_builddir)/config.status $(srcdir)/t_client.sh.in cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ mostlyclean-libtool: -rm -f *.lo clean-libtool: -rm -rf .libs _libs # This directory's subdirectories are mostly independent; you can cd # into them and run 'make' without going through this Makefile. # To change the values of 'make' variables: instead of editing Makefiles, # (1) if the variable is set in 'config.status', edit 'config.status' # (which will cause the Makefiles to be regenerated when you run 'make'); # (2) otherwise, pass the desired values on the 'make' command line. $(am__recursive_targets): @fail=; \ if $(am__make_keepgoing); then \ failcom='fail=yes'; \ else \ failcom='exit 1'; \ fi; \ dot_seen=no; \ target=`echo $@ | sed s/-recursive//`; \ case "$@" in \ distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \ *) list='$(SUBDIRS)' ;; \ esac; \ for subdir in $$list; do \ echo "Making $$target in $$subdir"; \ if test "$$subdir" = "."; then \ dot_seen=yes; \ local_target="$$target-am"; \ else \ local_target="$$target"; \ fi; \ ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ || eval $$failcom; \ done; \ if test "$$dot_seen" = "no"; then \ $(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \ fi; test -z "$$fail" ID: $(am__tagged_files) $(am__define_uniq_tagged_files); mkid -fID $$unique tags: tags-recursive TAGS: tags tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) set x; \ here=`pwd`; \ if ($(ETAGS) --etags-include --version) >/dev/null 2>&1; then \ include_option=--etags-include; \ empty_fix=.; \ else \ include_option=--include; \ empty_fix=; \ fi; \ list='$(SUBDIRS)'; for subdir in $$list; do \ if test "$$subdir" = .; then :; else \ test ! -f $$subdir/TAGS || \ set "$$@" "$$include_option=$$here/$$subdir/TAGS"; \ fi; \ done; \ $(am__define_uniq_tagged_files); \ shift; \ if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ test -n "$$unique" || unique=$$empty_fix; \ if test $$# -gt 0; then \ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ "$$@" $$unique; \ else \ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ $$unique; \ fi; \ fi ctags: ctags-recursive CTAGS: ctags ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) $(am__define_uniq_tagged_files); \ test -z "$(CTAGS_ARGS)$$unique" \ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ $$unique GTAGS: here=`$(am__cd) $(top_builddir) && pwd` \ && $(am__cd) $(top_srcdir) \ && gtags -i $(GTAGS_ARGS) "$$here" cscopelist: cscopelist-recursive cscopelist-am: $(am__tagged_files) list='$(am__tagged_files)'; \ case "$(srcdir)" in \ [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \ *) sdir=$(subdir)/$(srcdir) ;; \ esac; \ for i in $$list; do \ if test -f "$$i"; then \ echo "$(subdir)/$$i"; \ else \ echo "$$sdir/$$i"; \ fi; \ done >> $(top_builddir)/cscope.files distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags check-TESTS: $(TESTS) @failed=0; all=0; xfail=0; xpass=0; skip=0; \ srcdir=$(srcdir); export srcdir; \ list=' $(TESTS) '; \ $(am__tty_colors); \ if test -n "$$list"; then \ for tst in $$list; do \ if test -f ./$$tst; then dir=./; \ elif test -f $$tst; then dir=; \ else dir="$(srcdir)/"; fi; \ if $(TESTS_ENVIRONMENT) $${dir}$$tst $(AM_TESTS_FD_REDIRECT); then \ all=`expr $$all + 1`; \ case " $(XFAIL_TESTS) " in \ *[\ \ ]$$tst[\ \ ]*) \ xpass=`expr $$xpass + 1`; \ failed=`expr $$failed + 1`; \ col=$$red; res=XPASS; \ ;; \ *) \ col=$$grn; res=PASS; \ ;; \ esac; \ elif test $$? -ne 77; then \ all=`expr $$all + 1`; \ case " $(XFAIL_TESTS) " in \ *[\ \ ]$$tst[\ \ ]*) \ xfail=`expr $$xfail + 1`; \ col=$$lgn; res=XFAIL; \ ;; \ *) \ failed=`expr $$failed + 1`; \ col=$$red; res=FAIL; \ ;; \ esac; \ else \ skip=`expr $$skip + 1`; \ col=$$blu; res=SKIP; \ fi; \ echo "$${col}$$res$${std}: $$tst"; \ done; \ if test "$$all" -eq 1; then \ tests="test"; \ All=""; \ else \ tests="tests"; \ All="All "; \ fi; \ if test "$$failed" -eq 0; then \ if test "$$xfail" -eq 0; then \ banner="$$All$$all $$tests passed"; \ else \ if test "$$xfail" -eq 1; then failures=failure; else failures=failures; fi; \ banner="$$All$$all $$tests behaved as expected ($$xfail expected $$failures)"; \ fi; \ else \ if test "$$xpass" -eq 0; then \ banner="$$failed of $$all $$tests failed"; \ else \ if test "$$xpass" -eq 1; then passes=pass; else passes=passes; fi; \ banner="$$failed of $$all $$tests did not behave as expected ($$xpass unexpected $$passes)"; \ fi; \ fi; \ dashes="$$banner"; \ skipped=""; \ if test "$$skip" -ne 0; then \ if test "$$skip" -eq 1; then \ skipped="($$skip test was not run)"; \ else \ skipped="($$skip tests were not run)"; \ fi; \ test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \ dashes="$$skipped"; \ fi; \ report=""; \ if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \ report="Please report to $(PACKAGE_BUGREPORT)"; \ test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \ dashes="$$report"; \ fi; \ dashes=`echo "$$dashes" | sed s/./=/g`; \ if test "$$failed" -eq 0; then \ col="$$grn"; \ else \ col="$$red"; \ fi; \ echo "$${col}$$dashes$${std}"; \ echo "$${col}$$banner$${std}"; \ test -z "$$skipped" || echo "$${col}$$skipped$${std}"; \ test -z "$$report" || echo "$${col}$$report$${std}"; \ echo "$${col}$$dashes$${std}"; \ test "$$failed" -eq 0; \ else :; fi distdir: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ dist_files=`for file in $$list; do echo $$file; done | \ sed -e "s|^$$srcdirstrip/||;t" \ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ case $$dist_files in \ */*) $(MKDIR_P) `echo "$$dist_files" | \ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ sort -u` ;; \ esac; \ for file in $$dist_files; do \ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ if test -d $$d/$$file; then \ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ if test -d "$(distdir)/$$file"; then \ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ else \ test -f "$(distdir)/$$file" \ || cp -p $$d/$$file "$(distdir)/$$file" \ || exit 1; \ fi; \ done @list='$(DIST_SUBDIRS)'; for subdir in $$list; do \ if test "$$subdir" = .; then :; else \ $(am__make_dryrun) \ || test -d "$(distdir)/$$subdir" \ || $(MKDIR_P) "$(distdir)/$$subdir" \ || exit 1; \ dir1=$$subdir; dir2="$(distdir)/$$subdir"; \ $(am__relativize); \ new_distdir=$$reldir; \ dir1=$$subdir; dir2="$(top_distdir)"; \ $(am__relativize); \ new_top_distdir=$$reldir; \ echo " (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) top_distdir="$$new_top_distdir" distdir="$$new_distdir" \\"; \ echo " am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)"; \ ($(am__cd) $$subdir && \ $(MAKE) $(AM_MAKEFLAGS) \ top_distdir="$$new_top_distdir" \ distdir="$$new_distdir" \ am__remove_distdir=: \ am__skip_length_check=: \ am__skip_mode_fix=: \ distdir) \ || exit 1; \ fi; \ done check-am: all-am $(MAKE) $(AM_MAKEFLAGS) check-TESTS check: check-recursive all-am: Makefile $(SCRIPTS) $(DATA) installdirs: installdirs-recursive installdirs-am: install: install-recursive install-exec: install-exec-recursive install-data: install-data-recursive uninstall: uninstall-recursive install-am: all-am @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am installcheck: installcheck-recursive install-strip: if test -z '$(STRIP)'; then \ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ install; \ else \ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ fi mostlyclean-generic: clean-generic: distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @echo "it deletes files that may require special tools to rebuild." -test -z "$(MAINTAINERCLEANFILES)" || rm -f $(MAINTAINERCLEANFILES) clean: clean-recursive clean-am: clean-generic clean-libtool mostlyclean-am distclean: distclean-recursive -rm -f Makefile distclean-am: clean-am distclean-generic distclean-tags dvi: dvi-recursive dvi-am: html: html-recursive html-am: info: info-recursive info-am: install-data-am: install-dvi: install-dvi-recursive install-dvi-am: install-exec-am: install-html: install-html-recursive install-html-am: install-info: install-info-recursive install-info-am: install-man: install-pdf: install-pdf-recursive install-pdf-am: install-ps: install-ps-recursive install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-recursive -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic mostlyclean: mostlyclean-recursive mostlyclean-am: mostlyclean-generic mostlyclean-libtool pdf: pdf-recursive pdf-am: ps: ps-recursive ps-am: uninstall-am: .MAKE: $(am__recursive_targets) check-am install-am install-strip .PHONY: $(am__recursive_targets) CTAGS GTAGS TAGS all all-am check \ check-TESTS check-am clean clean-generic clean-libtool \ cscopelist-am ctags ctags-am distclean distclean-generic \ distclean-libtool distclean-tags distdir dvi dvi-am html \ html-am info info-am install install-am install-data \ install-data-am install-dvi install-dvi-am install-exec \ install-exec-am install-html install-html-am install-info \ install-info-am install-man install-pdf install-pdf-am \ install-ps install-ps-am install-strip installcheck \ installcheck-am installdirs installdirs-am maintainer-clean \ maintainer-clean-generic mostlyclean mostlyclean-generic \ mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ uninstall-am # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: openvpn-2.4.4/tests/t_client.rc-sample000066400000000000000000000052211316434344000177600ustar00rootroot00000000000000# # this is sourced from t_client.sh and defines which openvpn client tests # to run # # (sample config, copy to t_client.rc and adapt to your environment) # # # define these - if empty, no tests will run # top_srcdir="${top_srcdir:-..}" CA_CERT="${top_srcdir}/sample/sample-keys/ca.crt" CLIENT_KEY="${top_srcdir}/sample/sample-keys/client.key" CLIENT_CERT="${top_srcdir}/sample/sample-keys/client.crt" #FPING_EXTRA_ARGS="-t 1000" # Load EXPECT_IFCONFIG* parameters from cache if [ -r "${top_builddir}/t_client_ips.rc" ]; then . "${top_builddir}/t_client_ips.rc" else echo "NOTICE: missing t_client_ips.rc will be auto-generated" fi # # remote host (used as macro below) # REMOTE=mytestserver # # tests to run (list suffixes for config stanzas below) # TEST_RUN_LIST="1 2" # # use "sudo" (etc) to give openvpn the necessary privileges # if this is not active, "make check" must be run as root # #RUN_SUDO=sudo # # base confic that is the same for all the p2mp test runs # OPENVPN_BASE_P2MP="--client --ca $CA_CERT \ --cert $CLIENT_CERT --key $CLIENT_KEY \ --remote-cert-tls server --nobind --comp-lzo --verb 3" # base config for p2p tests # OPENVPN_BASE_P2P="..." # # # now define the individual tests - all variables suffixed with _1, _2 etc # will be used in test run "1", "2", etc. # # if something is not defined here, the corresponding test is not run # # possible test options: # # RUN_TITLE_x="what is being tested on here" (purely informational) # OPENVPN_CONF_x = "how to call ./openvpn" [mandatory] # EXPECT_IFCONFIG4_x = "this IPv4 address needs to show up in ifconfig" # EXPECT_IFCONFIG6_x = "this IPv6 address needs to show up in ifconfig" # PING4_HOSTS_x = "these hosts musts ping when openvpn is up (IPv4 fping)" # PING6_HOSTS_x = "these hosts musts ping when openvpn is up (IPv6 fping6)" # # Test 1: UDP / p2mp tun # specify IPv4+IPv6 addresses expected from server and ping targets # RUN_TITLE_1="testing tun/udp/ipv4+ipv6" OPENVPN_CONF_1="$OPENVPN_BASE_P2MP --dev tun --proto udp --remote $REMOTE --port 51194" PING4_HOSTS_1="10.100.50.1 10.100.0.1" PING6_HOSTS_1="2001:db8::1 2001:db8:a050::1" # Test 2: TCP / p2mp tun # RUN_TITLE_2="testing tun/tcp/ipv4+ipv6" OPENVPN_CONF_2="$OPENVPN_BASE_P2MP --dev tun --proto tcp --remote $REMOTE --port 51194" PING4_HOSTS_2="10.100.51.1 10.100.0.1" PING6_HOSTS_2="2001:db8::1 2001:db8:a051::1" # # run command after openvpn initialization is done - here: delay 5 seconds POSTINIT_CMD_2="sleep 5" # Test 3: UDP / p2p tun # ... # Test 4: TCP / p2p tun # ... # Test 5: UDP / p2mp tap # ... # Test 6: TCP / p2mp tun # ... # Test 7: UDP / p2p tap # ... # Test 8: TCP / p2p tap # ... # Test 9: whatever you want to test... :-) openvpn-2.4.4/tests/t_client.sh000077500000000000000000000277601316434344000165260ustar00rootroot00000000000000#!/bin/bash # # run OpenVPN client against ``test reference'' server # - check that ping, http, ... via tunnel works # - check that interface config / routes are properly cleaned after test end # # prerequisites: # - openvpn binary in current directory # - writable current directory to create subdir for logs # - t_client.rc in current directory OR source dir that specifies tests # - for "ping4" checks: fping binary in $PATH # - for "ping6" checks: fping6 binary in $PATH # srcdir="${srcdir:-.}" top_builddir="${top_builddir:-..}" if [ -r "${top_builddir}"/t_client.rc ] ; then . "${top_builddir}"/t_client.rc elif [ -r "${srcdir}"/t_client.rc ] ; then . "${srcdir}"/t_client.rc else echo "$0: cannot find 't_client.rc' in build dir ('${top_builddir}')" >&2 echo "$0: or source directory ('${srcdir}'). SKIPPING TEST." >&2 exit 77 fi # Check for external dependencies which fping > /dev/null if [ $? -ne 0 ]; then echo "$0: fping is not available in \$PATH" >&2 exit 77 fi which fping6 > /dev/null if [ $? -ne 0 ]; then echo "$0: fping6 is not available in \$PATH" >&2 exit 77 fi KILL_EXEC=`which kill` if [ $? -ne 0 ]; then echo "$0: kill not found in \$PATH" >&2 exit 77 fi if [ ! -x "${top_builddir}/src/openvpn/openvpn" ] then echo "no (executable) openvpn binary in current build tree. FAIL." >&2 exit 1 fi if [ ! -w . ] then echo "current directory is not writable (required for logging). FAIL." >&2 exit 1 fi if [ -z "$CA_CERT" ] ; then echo "CA_CERT not defined in 't_client.rc'. SKIP test." >&2 exit 77 fi if [ -z "$TEST_RUN_LIST" ] ; then echo "TEST_RUN_LIST empty, no tests defined. SKIP test." >&2 exit 77 fi # Ensure PREFER_KSU is in a known state PREFER_KSU="${PREFER_KSU:-0}" # make sure we have permissions to run ifconfig/route from OpenVPN # can't use "id -u" here - doesn't work on Solaris ID=`id` if expr "$ID" : "uid=0" >/dev/null then : else if [ "${PREFER_KSU}" -eq 1 ]; then # Check if we have a valid kerberos ticket klist -l 1>/dev/null 2>/dev/null if [ $? -ne 0 ]; then # No kerberos ticket found, skip ksu and fallback to RUN_SUDO PREFER_KSU=0 echo "$0: No Kerberos ticket available. Will not use ksu." else RUN_SUDO="ksu -q -e" fi fi if [ -z "$RUN_SUDO" ] then echo "$0: this test must run be as root, or RUN_SUDO=... " >&2 echo " must be set correctly in 't_client.rc'. SKIP." >&2 exit 77 else # We have to use sudo. Make sure that we (hopefully) do not have # to ask the users password during the test. This is done to # prevent timing issues, e.g. when the waits for openvpn to start if $RUN_SUDO $KILL_EXEC -0 $$ then echo "$0: $RUN_SUDO $KILL_EXEC -0 succeeded, good." else echo "$0: $RUN_SUDO $KILL_EXEC -0 failed, cannot go on. SKIP." >&2 exit 77 fi fi fi LOGDIR=t_client-`hostname`-`date +%Y%m%d-%H%M%S` if mkdir $LOGDIR then : else echo "can't create log directory '$LOGDIR'. FAIL." >&2 exit 1 fi exit_code=0 # ---------------------------------------------------------- # helper functions # ---------------------------------------------------------- # print failure message, increase FAIL counter fail() { echo "" echo "FAIL: $@" >&2 fail_count=$(( $fail_count + 1 )) } # print "all interface IP addresses" + "all routes" # this is higly system dependent... get_ifconfig_route() { # linux / iproute2? (-> if configure got a path) if [ -n "/bin/ip" ] then echo "-- linux iproute2 --" /bin/ip addr show | grep -v valid_lft /bin/ip route show /bin/ip -o -6 route show | grep -v ' cache' | sed -E -e 's/ expires [0-9]*sec//' -e 's/ (mtu|hoplimit|cwnd|ssthresh) [0-9]+//g' -e 's/ (rtt|rttvar) [0-9]+ms//g' return fi # try uname case `uname -s` in Linux) echo "-- linux / ifconfig --" LANG=C /sbin/ifconfig -a |egrep "( addr:|encap:)" LANG=C netstat -rn -4 -6 return ;; FreeBSD|NetBSD|Darwin) echo "-- FreeBSD/NetBSD/Darwin [MacOS X] --" /sbin/ifconfig -a | egrep "(flags=|inet)" netstat -rn | awk '$3 !~ /^UHL/ { print $1,$2,$3,$NF }' return ;; OpenBSD) echo "-- OpenBSD --" /sbin/ifconfig -a | egrep "(flags=|inet)" | \ sed -e 's/pltime [0-9]*//' -e 's/vltime [0-9]*//' netstat -rn | awk '$3 !~ /^UHL/ { print $1,$2,$3,$NF }' return ;; SunOS) echo "-- Solaris --" /sbin/ifconfig -a | egrep "(flags=|inet)" netstat -rn | awk '$3 !~ /^UHL/ { print $1,$2,$3,$6 }' return ;; AIX) echo "-- AIX --" /sbin/ifconfig -a | egrep "(flags=|inet)" netstat -rn | awk '$3 !~ /^UHL/ { print $1,$2,$3,$6 }' return ;; esac echo "get_ifconfig_route(): no idea how to get info on your OS. FAIL." >&2 exit 20 } # ---------------------------------------------------------- # check ifconfig # arg1: "4" or "6" -> for message # arg2: IPv4/IPv6 address that must show up in out of "get_ifconfig_route" check_ifconfig() { proto=$1 ; shift expect_list="$@" if [ -z "$expect_list" ] ; then return ; fi for expect in $expect_list do if get_ifconfig_route | fgrep "$expect" >/dev/null then : else fail "check_ifconfig(): expected IPv$proto address '$expect' not found in ifconfig output." fi done } # ---------------------------------------------------------- # run pings # arg1: "4" or "6" -> fping/fing6 # arg2: "want_ok" or "want_fail" (expected ping result) # arg3... -> fping arguments (host list) run_ping_tests() { proto=$1 ; want=$2 ; shift ; shift targetlist="$@" # "no targets" is fine if [ -z "$targetlist" ] ; then return ; fi case $proto in 4) cmd=fping ;; 6) cmd=fping6 ;; *) echo "internal error in run_ping_tests arg 1: '$proto'" >&2 exit 1 ;; esac case $want in want_ok) sizes_list="64 1440 3000" ;; want_fail) sizes_list="64" ;; esac for bytes in $sizes_list do echo "run IPv$proto ping tests ($want), $bytes byte packets..." echo "$cmd -b $bytes -C 20 -p 250 -q $FPING_EXTRA_ARGS $targetlist" >>$LOGDIR/$SUF:fping.out $cmd -b $bytes -C 20 -p 250 -q $FPING_EXTRA_ARGS $targetlist >>$LOGDIR/$SUF:fping.out 2>&1 # while OpenVPN is running, pings must succeed (want='want_ok') # before OpenVPN is up, pings must NOT succeed (want='want_fail') rc=$? if [ $rc = 0 ] # all ping OK then if [ $want = "want_fail" ] # not what we want then fail "IPv$proto ping test succeeded, but needs to *fail*." fi else # ping failed if [ $want = "want_ok" ] # not what we wanted then fail "IPv$proto ping test ($bytes bytes) failed, but should succeed." fi fi done } # ---------------------------------------------------------- # main test loop # ---------------------------------------------------------- SUMMARY_OK= SUMMARY_FAIL= for SUF in $TEST_RUN_LIST do # get config variables eval test_prep=\"\$PREPARE_$SUF\" eval test_postinit=\"\$POSTINIT_CMD_$SUF\" eval test_cleanup=\"\$CLEANUP_$SUF\" eval test_run_title=\"\$RUN_TITLE_$SUF\" eval openvpn_conf=\"\$OPENVPN_CONF_$SUF\" eval expect_ifconfig4=\"\$EXPECT_IFCONFIG4_$SUF\" eval expect_ifconfig6=\"\$EXPECT_IFCONFIG6_$SUF\" eval ping4_hosts=\"\$PING4_HOSTS_$SUF\" eval ping6_hosts=\"\$PING6_HOSTS_$SUF\" # If EXCEPT_IFCONFIG* variables for this test are missing, run an --up # script to generate them dynamically. if [ -z "$expect_ifconfig4" ] || [ -z "$expect_ifconfig6" ]; then up="--setenv TESTNUM $SUF --setenv TOP_BUILDDIR ${top_builddir} --script-security 2 --up ${srcdir}/update_t_client_ips.sh" else up="" fi echo -e "\n### test run $SUF: '$test_run_title' ###\n" fail_count=0 if [ -n "$test_prep" ]; then echo -e "running preparation: '$test_prep'" eval $test_prep fi echo "save pre-openvpn ifconfig + route" get_ifconfig_route >$LOGDIR/$SUF:ifconfig_route_pre.txt echo -e "\nrun pre-openvpn ping tests - targets must not be reachable..." run_ping_tests 4 want_fail "$ping4_hosts" run_ping_tests 6 want_fail "$ping6_hosts" if [ "$fail_count" = 0 ] ; then echo -e "OK.\n" else echo -e "FAIL: make sure that ping hosts are ONLY reachable via VPN, SKIP test $SUF". exit_code=31 continue fi pidfile="${top_builddir}/tests/$LOGDIR/openvpn-$SUF.pid" openvpn_conf="$openvpn_conf --writepid $pidfile $up" echo " run openvpn $openvpn_conf" echo "# src/openvpn/openvpn $openvpn_conf" >$LOGDIR/$SUF:openvpn.log umask 022 $RUN_SUDO "${top_builddir}/src/openvpn/openvpn" $openvpn_conf >>$LOGDIR/$SUF:openvpn.log & sudopid=$! # Check if OpenVPN has initialized before continuing. It will check every 3rd second up # to $ovpn_init_check times. ovpn_init_check=10 ovpn_init_success=0 while [ $ovpn_init_check -gt 0 ]; do sleep 3 # Wait for OpenVPN to initialize and have had time to write the pid file grep "Initialization Sequence Completed" $LOGDIR/$SUF:openvpn.log >/dev/null if [ $? -eq 0 ]; then ovpn_init_check=0 ovpn_init_success=1 fi ovpn_init_check=$(( $ovpn_init_check - 1 )) done opid=`cat $pidfile` if [ -n "$opid" ]; then echo " OpenVPN running with PID $opid" else echo " Could not read OpenVPN PID file" >&2 fi # If OpenVPN did not start if [ $ovpn_init_success -ne 1 -o -z "$opid" ]; then echo "$0: OpenVPN did not initialize in a reasonable time" >&2 if [ -n "$opid" ]; then $RUN_SUDO $KILL_EXEC $opid fi $RUN_SUDO $KILL_EXEC $sudopid echo "tail -5 $SUF:openvpn.log" >&2 tail -5 $LOGDIR/$SUF:openvpn.log >&2 echo -e "\nFAIL. skip rest of sub-tests for test run $SUF.\n" >&2 trap - 0 1 2 3 15 SUMMARY_FAIL="$SUMMARY_FAIL $SUF" exit_code=30 continue fi # make sure openvpn client is terminated in case shell exits trap "$RUN_SUDO $KILL_EXEC $opid" 0 trap "$RUN_SUDO $KILL_EXEC $opid ; trap - 0 ; exit 1" 1 2 3 15 # compare whether anything changed in ifconfig/route setup? echo "save ifconfig+route" get_ifconfig_route >$LOGDIR/$SUF:ifconfig_route.txt echo -n "compare pre-openvpn ifconfig+route with current values..." if diff $LOGDIR/$SUF:ifconfig_route_pre.txt \ $LOGDIR/$SUF:ifconfig_route.txt >/dev/null then fail "no differences between ifconfig/route before OpenVPN start and now." else echo -e " OK!\n" fi # post init script needed? if [ -n "$test_postinit" ]; then echo -e "running post-init cmd: '$test_postinit'" eval $test_postinit fi # expected ifconfig values in there? check_ifconfig 4 "$expect_ifconfig4" check_ifconfig 6 "$expect_ifconfig6" run_ping_tests 4 want_ok "$ping4_hosts" run_ping_tests 6 want_ok "$ping6_hosts" echo -e "ping tests done.\n" echo "stopping OpenVPN" $RUN_SUDO $KILL_EXEC $opid wait $! rc=$? if [ $rc != 0 ] ; then fail "OpenVPN return code $rc, expect 0" fi echo -e "\nsave post-openvpn ifconfig + route..." get_ifconfig_route >$LOGDIR/$SUF:ifconfig_route_post.txt echo -n "compare pre- and post-openvpn ifconfig + route..." if diff $LOGDIR/$SUF:ifconfig_route_pre.txt \ $LOGDIR/$SUF:ifconfig_route_post.txt >$LOGDIR/$SUF:ifconfig_route_diff.txt then echo -e " OK.\n" else cat $LOGDIR/$SUF:ifconfig_route_diff.txt >&2 fail "differences between pre- and post-ifconfig/route" fi if [ "$fail_count" = 0 ] ; then echo -e "test run $SUF: all tests OK.\n" SUMMARY_OK="$SUMMARY_OK $SUF" else echo -e "test run $SUF: $fail_count test failures. FAIL.\n"; SUMMARY_FAIL="$SUMMARY_FAIL $SUF" exit_code=30 fi if [ -n "$test_cleanup" ]; then echo -e "cleaning up: '$test_cleanup'" eval $test_cleanup fi done if [ -z "$SUMMARY_OK" ] ; then SUMMARY_OK=" none"; fi if [ -z "$SUMMARY_FAIL" ] ; then SUMMARY_FAIL=" none"; fi echo "Test sets succeded:$SUMMARY_OK." echo "Test sets failed:$SUMMARY_FAIL." # remove trap handler trap - 0 1 2 3 15 exit $exit_code openvpn-2.4.4/tests/t_client.sh.in000077500000000000000000000277541316434344000171360ustar00rootroot00000000000000#!@SHELL@ # # run OpenVPN client against ``test reference'' server # - check that ping, http, ... via tunnel works # - check that interface config / routes are properly cleaned after test end # # prerequisites: # - openvpn binary in current directory # - writable current directory to create subdir for logs # - t_client.rc in current directory OR source dir that specifies tests # - for "ping4" checks: fping binary in $PATH # - for "ping6" checks: fping6 binary in $PATH # srcdir="${srcdir:-.}" top_builddir="${top_builddir:-..}" if [ -r "${top_builddir}"/t_client.rc ] ; then . "${top_builddir}"/t_client.rc elif [ -r "${srcdir}"/t_client.rc ] ; then . "${srcdir}"/t_client.rc else echo "$0: cannot find 't_client.rc' in build dir ('${top_builddir}')" >&2 echo "$0: or source directory ('${srcdir}'). SKIPPING TEST." >&2 exit 77 fi # Check for external dependencies which fping > /dev/null if [ $? -ne 0 ]; then echo "$0: fping is not available in \$PATH" >&2 exit 77 fi which fping6 > /dev/null if [ $? -ne 0 ]; then echo "$0: fping6 is not available in \$PATH" >&2 exit 77 fi KILL_EXEC=`which kill` if [ $? -ne 0 ]; then echo "$0: kill not found in \$PATH" >&2 exit 77 fi if [ ! -x "${top_builddir}/src/openvpn/openvpn" ] then echo "no (executable) openvpn binary in current build tree. FAIL." >&2 exit 1 fi if [ ! -w . ] then echo "current directory is not writable (required for logging). FAIL." >&2 exit 1 fi if [ -z "$CA_CERT" ] ; then echo "CA_CERT not defined in 't_client.rc'. SKIP test." >&2 exit 77 fi if [ -z "$TEST_RUN_LIST" ] ; then echo "TEST_RUN_LIST empty, no tests defined. SKIP test." >&2 exit 77 fi # Ensure PREFER_KSU is in a known state PREFER_KSU="${PREFER_KSU:-0}" # make sure we have permissions to run ifconfig/route from OpenVPN # can't use "id -u" here - doesn't work on Solaris ID=`id` if expr "$ID" : "uid=0" >/dev/null then : else if [ "${PREFER_KSU}" -eq 1 ]; then # Check if we have a valid kerberos ticket klist -l 1>/dev/null 2>/dev/null if [ $? -ne 0 ]; then # No kerberos ticket found, skip ksu and fallback to RUN_SUDO PREFER_KSU=0 echo "$0: No Kerberos ticket available. Will not use ksu." else RUN_SUDO="ksu -q -e" fi fi if [ -z "$RUN_SUDO" ] then echo "$0: this test must run be as root, or RUN_SUDO=... " >&2 echo " must be set correctly in 't_client.rc'. SKIP." >&2 exit 77 else # We have to use sudo. Make sure that we (hopefully) do not have # to ask the users password during the test. This is done to # prevent timing issues, e.g. when the waits for openvpn to start if $RUN_SUDO $KILL_EXEC -0 $$ then echo "$0: $RUN_SUDO $KILL_EXEC -0 succeeded, good." else echo "$0: $RUN_SUDO $KILL_EXEC -0 failed, cannot go on. SKIP." >&2 exit 77 fi fi fi LOGDIR=t_client-`hostname`-`date +%Y%m%d-%H%M%S` if mkdir $LOGDIR then : else echo "can't create log directory '$LOGDIR'. FAIL." >&2 exit 1 fi exit_code=0 # ---------------------------------------------------------- # helper functions # ---------------------------------------------------------- # print failure message, increase FAIL counter fail() { echo "" echo "FAIL: $@" >&2 fail_count=$(( $fail_count + 1 )) } # print "all interface IP addresses" + "all routes" # this is higly system dependent... get_ifconfig_route() { # linux / iproute2? (-> if configure got a path) if [ -n "@IPROUTE@" ] then echo "-- linux iproute2 --" @IPROUTE@ addr show | grep -v valid_lft @IPROUTE@ route show @IPROUTE@ -o -6 route show | grep -v ' cache' | sed -E -e 's/ expires [0-9]*sec//' -e 's/ (mtu|hoplimit|cwnd|ssthresh) [0-9]+//g' -e 's/ (rtt|rttvar) [0-9]+ms//g' return fi # try uname case `uname -s` in Linux) echo "-- linux / ifconfig --" LANG=C @IFCONFIG@ -a |egrep "( addr:|encap:)" LANG=C @NETSTAT@ -rn -4 -6 return ;; FreeBSD|NetBSD|Darwin) echo "-- FreeBSD/NetBSD/Darwin [MacOS X] --" @IFCONFIG@ -a | egrep "(flags=|inet)" @NETSTAT@ -rn | awk '$3 !~ /^UHL/ { print $1,$2,$3,$NF }' return ;; OpenBSD) echo "-- OpenBSD --" @IFCONFIG@ -a | egrep "(flags=|inet)" | \ sed -e 's/pltime [0-9]*//' -e 's/vltime [0-9]*//' @NETSTAT@ -rn | awk '$3 !~ /^UHL/ { print $1,$2,$3,$NF }' return ;; SunOS) echo "-- Solaris --" @IFCONFIG@ -a | egrep "(flags=|inet)" @NETSTAT@ -rn | awk '$3 !~ /^UHL/ { print $1,$2,$3,$6 }' return ;; AIX) echo "-- AIX --" @IFCONFIG@ -a | egrep "(flags=|inet)" @NETSTAT@ -rn | awk '$3 !~ /^UHL/ { print $1,$2,$3,$6 }' return ;; esac echo "get_ifconfig_route(): no idea how to get info on your OS. FAIL." >&2 exit 20 } # ---------------------------------------------------------- # check ifconfig # arg1: "4" or "6" -> for message # arg2: IPv4/IPv6 address that must show up in out of "get_ifconfig_route" check_ifconfig() { proto=$1 ; shift expect_list="$@" if [ -z "$expect_list" ] ; then return ; fi for expect in $expect_list do if get_ifconfig_route | fgrep "$expect" >/dev/null then : else fail "check_ifconfig(): expected IPv$proto address '$expect' not found in ifconfig output." fi done } # ---------------------------------------------------------- # run pings # arg1: "4" or "6" -> fping/fing6 # arg2: "want_ok" or "want_fail" (expected ping result) # arg3... -> fping arguments (host list) run_ping_tests() { proto=$1 ; want=$2 ; shift ; shift targetlist="$@" # "no targets" is fine if [ -z "$targetlist" ] ; then return ; fi case $proto in 4) cmd=fping ;; 6) cmd=fping6 ;; *) echo "internal error in run_ping_tests arg 1: '$proto'" >&2 exit 1 ;; esac case $want in want_ok) sizes_list="64 1440 3000" ;; want_fail) sizes_list="64" ;; esac for bytes in $sizes_list do echo "run IPv$proto ping tests ($want), $bytes byte packets..." echo "$cmd -b $bytes -C 20 -p 250 -q $FPING_EXTRA_ARGS $targetlist" >>$LOGDIR/$SUF:fping.out $cmd -b $bytes -C 20 -p 250 -q $FPING_EXTRA_ARGS $targetlist >>$LOGDIR/$SUF:fping.out 2>&1 # while OpenVPN is running, pings must succeed (want='want_ok') # before OpenVPN is up, pings must NOT succeed (want='want_fail') rc=$? if [ $rc = 0 ] # all ping OK then if [ $want = "want_fail" ] # not what we want then fail "IPv$proto ping test succeeded, but needs to *fail*." fi else # ping failed if [ $want = "want_ok" ] # not what we wanted then fail "IPv$proto ping test ($bytes bytes) failed, but should succeed." fi fi done } # ---------------------------------------------------------- # main test loop # ---------------------------------------------------------- SUMMARY_OK= SUMMARY_FAIL= for SUF in $TEST_RUN_LIST do # get config variables eval test_prep=\"\$PREPARE_$SUF\" eval test_postinit=\"\$POSTINIT_CMD_$SUF\" eval test_cleanup=\"\$CLEANUP_$SUF\" eval test_run_title=\"\$RUN_TITLE_$SUF\" eval openvpn_conf=\"\$OPENVPN_CONF_$SUF\" eval expect_ifconfig4=\"\$EXPECT_IFCONFIG4_$SUF\" eval expect_ifconfig6=\"\$EXPECT_IFCONFIG6_$SUF\" eval ping4_hosts=\"\$PING4_HOSTS_$SUF\" eval ping6_hosts=\"\$PING6_HOSTS_$SUF\" # If EXCEPT_IFCONFIG* variables for this test are missing, run an --up # script to generate them dynamically. if [ -z "$expect_ifconfig4" ] || [ -z "$expect_ifconfig6" ]; then up="--setenv TESTNUM $SUF --setenv TOP_BUILDDIR ${top_builddir} --script-security 2 --up ${srcdir}/update_t_client_ips.sh" else up="" fi echo -e "\n### test run $SUF: '$test_run_title' ###\n" fail_count=0 if [ -n "$test_prep" ]; then echo -e "running preparation: '$test_prep'" eval $test_prep fi echo "save pre-openvpn ifconfig + route" get_ifconfig_route >$LOGDIR/$SUF:ifconfig_route_pre.txt echo -e "\nrun pre-openvpn ping tests - targets must not be reachable..." run_ping_tests 4 want_fail "$ping4_hosts" run_ping_tests 6 want_fail "$ping6_hosts" if [ "$fail_count" = 0 ] ; then echo -e "OK.\n" else echo -e "FAIL: make sure that ping hosts are ONLY reachable via VPN, SKIP test $SUF". exit_code=31 continue fi pidfile="${top_builddir}/tests/$LOGDIR/openvpn-$SUF.pid" openvpn_conf="$openvpn_conf --writepid $pidfile $up" echo " run openvpn $openvpn_conf" echo "# src/openvpn/openvpn $openvpn_conf" >$LOGDIR/$SUF:openvpn.log umask 022 $RUN_SUDO "${top_builddir}/src/openvpn/openvpn" $openvpn_conf >>$LOGDIR/$SUF:openvpn.log & sudopid=$! # Check if OpenVPN has initialized before continuing. It will check every 3rd second up # to $ovpn_init_check times. ovpn_init_check=10 ovpn_init_success=0 while [ $ovpn_init_check -gt 0 ]; do sleep 3 # Wait for OpenVPN to initialize and have had time to write the pid file grep "Initialization Sequence Completed" $LOGDIR/$SUF:openvpn.log >/dev/null if [ $? -eq 0 ]; then ovpn_init_check=0 ovpn_init_success=1 fi ovpn_init_check=$(( $ovpn_init_check - 1 )) done opid=`cat $pidfile` if [ -n "$opid" ]; then echo " OpenVPN running with PID $opid" else echo " Could not read OpenVPN PID file" >&2 fi # If OpenVPN did not start if [ $ovpn_init_success -ne 1 -o -z "$opid" ]; then echo "$0: OpenVPN did not initialize in a reasonable time" >&2 if [ -n "$opid" ]; then $RUN_SUDO $KILL_EXEC $opid fi $RUN_SUDO $KILL_EXEC $sudopid echo "tail -5 $SUF:openvpn.log" >&2 tail -5 $LOGDIR/$SUF:openvpn.log >&2 echo -e "\nFAIL. skip rest of sub-tests for test run $SUF.\n" >&2 trap - 0 1 2 3 15 SUMMARY_FAIL="$SUMMARY_FAIL $SUF" exit_code=30 continue fi # make sure openvpn client is terminated in case shell exits trap "$RUN_SUDO $KILL_EXEC $opid" 0 trap "$RUN_SUDO $KILL_EXEC $opid ; trap - 0 ; exit 1" 1 2 3 15 # compare whether anything changed in ifconfig/route setup? echo "save ifconfig+route" get_ifconfig_route >$LOGDIR/$SUF:ifconfig_route.txt echo -n "compare pre-openvpn ifconfig+route with current values..." if diff $LOGDIR/$SUF:ifconfig_route_pre.txt \ $LOGDIR/$SUF:ifconfig_route.txt >/dev/null then fail "no differences between ifconfig/route before OpenVPN start and now." else echo -e " OK!\n" fi # post init script needed? if [ -n "$test_postinit" ]; then echo -e "running post-init cmd: '$test_postinit'" eval $test_postinit fi # expected ifconfig values in there? check_ifconfig 4 "$expect_ifconfig4" check_ifconfig 6 "$expect_ifconfig6" run_ping_tests 4 want_ok "$ping4_hosts" run_ping_tests 6 want_ok "$ping6_hosts" echo -e "ping tests done.\n" echo "stopping OpenVPN" $RUN_SUDO $KILL_EXEC $opid wait $! rc=$? if [ $rc != 0 ] ; then fail "OpenVPN return code $rc, expect 0" fi echo -e "\nsave post-openvpn ifconfig + route..." get_ifconfig_route >$LOGDIR/$SUF:ifconfig_route_post.txt echo -n "compare pre- and post-openvpn ifconfig + route..." if diff $LOGDIR/$SUF:ifconfig_route_pre.txt \ $LOGDIR/$SUF:ifconfig_route_post.txt >$LOGDIR/$SUF:ifconfig_route_diff.txt then echo -e " OK.\n" else cat $LOGDIR/$SUF:ifconfig_route_diff.txt >&2 fail "differences between pre- and post-ifconfig/route" fi if [ "$fail_count" = 0 ] ; then echo -e "test run $SUF: all tests OK.\n" SUMMARY_OK="$SUMMARY_OK $SUF" else echo -e "test run $SUF: $fail_count test failures. FAIL.\n"; SUMMARY_FAIL="$SUMMARY_FAIL $SUF" exit_code=30 fi if [ -n "$test_cleanup" ]; then echo -e "cleaning up: '$test_cleanup'" eval $test_cleanup fi done if [ -z "$SUMMARY_OK" ] ; then SUMMARY_OK=" none"; fi if [ -z "$SUMMARY_FAIL" ] ; then SUMMARY_FAIL=" none"; fi echo "Test sets succeded:$SUMMARY_OK." echo "Test sets failed:$SUMMARY_FAIL." # remove trap handler trap - 0 1 2 3 15 exit $exit_code openvpn-2.4.4/tests/t_cltsrv-down.sh000077500000000000000000000000501316434344000175110ustar00rootroot00000000000000#! /bin/sh echo "${role}:${signal}" >&3 openvpn-2.4.4/tests/t_cltsrv.sh000077500000000000000000000060151316434344000165530ustar00rootroot00000000000000#! /bin/sh # # t_cltsrv.sh - script to test OpenVPN's crypto loopback # Copyright (C) 2005, 2006, 2008 Matthias Andree # # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License # as published by the Free Software Foundation; either version 2 # of the License, or (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA # 02110-1301, USA. set -e srcdir="${srcdir:-.}" top_srcdir="${top_srcdir:-..}" top_builddir="${top_builddir:-..}" trap "rm -f log.$$ log.$$.signal ; trap 0 ; exit 77" 1 2 15 trap "rm -f log.$$ log.$$.signal ; exit 1" 0 3 addopts= case `uname -s` in FreeBSD) # FreeBSD jails map the outgoing IP to the jail IP - we need to # allow the real IP unless we want the test to run forever. if test "`sysctl 2>/dev/null -n security.jail.jailed`" = 1 \ || ps -ostate= -p $$ | grep -q J; then addopts="--float" if test "x`ifconfig | grep inet`" = x ; then echo "###" echo "### To run the test in a FreeBSD jail, you MUST add an IP alias for the jail's IP." echo "###" exit 77 fi fi ;; esac # make sure that the --down script is executable -- fail (rather than # skip) test if it isn't. downscript="../tests/t_cltsrv-down.sh" root="${top_srcdir}/sample" test -x "${root}/${downscript}" || chmod +x "${root}/${downscript}" || { echo >&2 "${root}/${downscript} is not executable, failing." ; exit 1 ; } echo "The following test will take about two minutes." >&2 echo "If the addresses are in use, this test will retry up to two times." >&2 # go success=0 for i in 1 2 3 ; do set +e ( "${top_builddir}/src/openvpn/openvpn" --script-security 2 --cd "${root}" ${addopts} --setenv role srv --down "${downscript}" --tls-exit --ping-exit 180 --config "sample-config-files/loopback-server" & "${top_builddir}/src/openvpn/openvpn" --script-security 2 --cd "${top_srcdir}/sample" ${addopts} --setenv role clt --down "${downscript}" --tls-exit --ping-exit 180 --config "sample-config-files/loopback-client" ) 3>log.$$.signal >log.$$ 2>&1 e1=$? wait $! e2=$? grep 'TCP/UDP: Socket bind failed on local address.*in use' log.$$ >/dev/null && { echo 'address in use, retrying in 150 s' sleep 150 continue } grep -v ':inactive$' log.$$.signal >/dev/null && { cat log.$$.signal ; echo ; cat log.$$ ; exit 1 ; } success=1 break done set -e # exit code - defaults to 0, PASS ec=0 if [ $success != 1 ] ; then # couldn't run test -- addresses in use, skip test cat log.$$ ec=77 elif [ $e1 != 0 ] || [ $e2 != 0 ] ; then # failure -- fail test cat log.$$ ec=1 fi rm log.$$ log.$$.signal trap 0 exit $ec openvpn-2.4.4/tests/t_lpback.sh000077500000000000000000000037561316434344000165030ustar00rootroot00000000000000#! /bin/sh # # t_lpback.sh - script to test OpenVPN's crypto loopback # Copyright (C) 2005 Matthias Andree # Copyright (C) 2014 Steffan Karger # # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License # as published by the Free Software Foundation; either version 2 # of the License, or (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA # 02110-1301, USA. set -eu top_builddir="${top_builddir:-..}" trap "rm -f key.$$ log.$$ ; trap 0 ; exit 77" 1 2 15 trap "rm -f key.$$ log.$$ ; exit 1" 0 3 # Get list of supported ciphers from openvpn --show-ciphers output CIPHERS=$(${top_builddir}/src/openvpn/openvpn --show-ciphers | \ sed -e '/The following/,/^$/d' -e s'/ .*//' -e '/^\s*$/d') # SK, 2014-06-04: currently the DES-EDE3-CFB1 implementation of OpenSSL is # broken (see http://rt.openssl.org/Ticket/Display.html?id=2867), so exclude # that cipher from this test. # GD, 2014-07-06 so is DES-CFB1 # GD, 2014-07-06 do not test RC5-* either (fails on NetBSD w/o libcrypto_rc5) CIPHERS=$(echo "$CIPHERS" | egrep -v '^(DES-EDE3-CFB1|DES-CFB1|RC5-)' ) # Also test cipher 'none' CIPHERS=${CIPHERS}$(printf "\nnone") "${top_builddir}/src/openvpn/openvpn" --genkey --secret key.$$ set +e e=0 for cipher in ${CIPHERS} do echo -n "Testing cipher ${cipher}... " ( "${top_builddir}/src/openvpn/openvpn" --test-crypto --secret key.$$ --cipher ${cipher} ) >log.$$ 2>&1 if [ $? != 0 ] ; then echo "FAILED" cat log.$$ e=1 else echo "OK" fi done rm key.$$ log.$$ trap 0 exit $e openvpn-2.4.4/tests/unit_tests/000077500000000000000000000000001316434344000165535ustar00rootroot00000000000000openvpn-2.4.4/tests/unit_tests/Makefile.am000066400000000000000000000001371316434344000206100ustar00rootroot00000000000000AUTOMAKE_OPTIONS = foreign if CMOCKA_INITIALIZED SUBDIRS = example_test openvpn plugins endif openvpn-2.4.4/tests/unit_tests/Makefile.in000066400000000000000000000501311316434344000206200ustar00rootroot00000000000000# Makefile.in generated by automake 1.14.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2013 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY, to the extent permitted by law; without # even the implied warranty of MERCHANTABILITY or FITNESS FOR A # PARTICULAR PURPOSE. @SET_MAKE@ VPATH = @srcdir@ am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ *) echo "am__make_running_with_option: internal error: invalid" \ "target option '$${target_option-}' specified" >&2; \ exit 1;; \ esac; \ has_opt=no; \ sane_makeflags=$$MAKEFLAGS; \ if $(am__is_gnu_make); then \ sane_makeflags=$$MFLAGS; \ else \ case $$MAKEFLAGS in \ *\\[\ \ ]*) \ bs=\\; \ sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ esac; \ fi; \ skip_next=no; \ strip_trailopt () \ { \ flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ }; \ for flg in $$sane_makeflags; do \ test $$skip_next = yes && { skip_next=no; continue; }; \ case $$flg in \ *=*|--*) continue;; \ -*I) strip_trailopt 'I'; skip_next=yes;; \ -*I?*) strip_trailopt 'I';; \ -*O) strip_trailopt 'O'; skip_next=yes;; \ -*O?*) strip_trailopt 'O';; \ -*l) strip_trailopt 'l'; skip_next=yes;; \ -*l?*) strip_trailopt 'l';; \ -[dEDm]) skip_next=yes;; \ -[JT]) skip_next=yes;; \ esac; \ case $$flg in \ *$$target_option*) has_opt=yes; break;; \ esac; \ done; \ test $$has_opt = yes am__make_dryrun = (target_option=n; $(am__make_running_with_option)) am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) pkgdatadir = $(datadir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ pkglibdir = $(libdir)/@PACKAGE@ pkglibexecdir = $(libexecdir)/@PACKAGE@ am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c install_sh_SCRIPT = $(install_sh) -c INSTALL_HEADER = $(INSTALL_DATA) transform = $(program_transform_name) NORMAL_INSTALL = : PRE_INSTALL = : POST_INSTALL = : NORMAL_UNINSTALL = : PRE_UNINSTALL = : POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = tests/unit_tests DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/ax_emptyarray.m4 \ $(top_srcdir)/m4/ax_socklen_t.m4 \ $(top_srcdir)/m4/ax_varargs.m4 $(top_srcdir)/m4/libtool.m4 \ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ $(top_srcdir)/m4/pkg.m4 $(top_srcdir)/version.m4 \ $(top_srcdir)/compat.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h \ $(top_builddir)/include/openvpn-plugin.h CONFIG_CLEAN_FILES = CONFIG_CLEAN_VPATH_FILES = AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false am__v_P_1 = : AM_V_GEN = $(am__v_GEN_@AM_V@) am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) am__v_GEN_0 = @echo " GEN " $@; am__v_GEN_1 = AM_V_at = $(am__v_at_@AM_V@) am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) am__v_at_0 = @ am__v_at_1 = SOURCES = DIST_SOURCES = RECURSIVE_TARGETS = all-recursive check-recursive cscopelist-recursive \ ctags-recursive dvi-recursive html-recursive info-recursive \ install-data-recursive install-dvi-recursive \ install-exec-recursive install-html-recursive \ install-info-recursive install-pdf-recursive \ install-ps-recursive install-recursive installcheck-recursive \ installdirs-recursive pdf-recursive ps-recursive \ tags-recursive uninstall-recursive am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ *) (install-info --version) >/dev/null 2>&1;; \ esac RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive \ distclean-recursive maintainer-clean-recursive am__recursive_targets = \ $(RECURSIVE_TARGETS) \ $(RECURSIVE_CLEAN_TARGETS) \ $(am__extra_recursive_targets) AM_RECURSIVE_TARGETS = $(am__recursive_targets:-recursive=) TAGS CTAGS \ distdir am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) # Read a list of newline-separated strings from the standard input, # and print each of them once, without duplicates. Input order is # *not* preserved. am__uniquify_input = $(AWK) '\ BEGIN { nonempty = 0; } \ { items[$$0] = 1; nonempty = 1; } \ END { if (nonempty) { for (i in items) print i; }; } \ ' # Make sure the list of sources is unique. This is necessary because, # e.g., the same source file might be shared among _SOURCES variables # for different programs/libraries. am__define_uniq_tagged_files = \ list='$(am__tagged_files)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags DIST_SUBDIRS = example_test openvpn plugins DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) am__relativize = \ dir0=`pwd`; \ sed_first='s,^\([^/]*\)/.*$$,\1,'; \ sed_rest='s,^[^/]*/*,,'; \ sed_last='s,^.*/\([^/]*\)$$,\1,'; \ sed_butlast='s,/*[^/]*$$,,'; \ while test -n "$$dir1"; do \ first=`echo "$$dir1" | sed -e "$$sed_first"`; \ if test "$$first" != "."; then \ if test "$$first" = ".."; then \ dir2=`echo "$$dir0" | sed -e "$$sed_last"`/"$$dir2"; \ dir0=`echo "$$dir0" | sed -e "$$sed_butlast"`; \ else \ first2=`echo "$$dir2" | sed -e "$$sed_first"`; \ if test "$$first2" = "$$first"; then \ dir2=`echo "$$dir2" | sed -e "$$sed_rest"`; \ else \ dir2="../$$dir2"; \ fi; \ dir0="$$dir0"/"$$first"; \ fi; \ fi; \ dir1=`echo "$$dir1" | sed -e "$$sed_rest"`; \ done; \ reldir="$$dir2" ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ AS = @AS@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ CMAKE = @CMAKE@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ DL_LIBS = @DL_LIBS@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ GIT = @GIT@ GREP = @GREP@ IFCONFIG = @IFCONFIG@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ IPROUTE = @IPROUTE@ LD = @LD@ LDFLAGS = @LDFLAGS@ LIBOBJS = @LIBOBJS@ LIBPAM_CFLAGS = @LIBPAM_CFLAGS@ LIBPAM_LIBS = @LIBPAM_LIBS@ LIBS = @LIBS@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ LZ4_CFLAGS = @LZ4_CFLAGS@ LZ4_LIBS = @LZ4_LIBS@ LZO_CFLAGS = @LZO_CFLAGS@ LZO_LIBS = @LZO_LIBS@ MAKEINFO = @MAKEINFO@ MAN2HTML = @MAN2HTML@ MANIFEST_TOOL = @MANIFEST_TOOL@ MBEDTLS_CFLAGS = @MBEDTLS_CFLAGS@ MBEDTLS_LIBS = @MBEDTLS_LIBS@ MKDIR_P = @MKDIR_P@ NETSTAT = @NETSTAT@ NM = @NM@ NMEDIT = @NMEDIT@ OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ OPENSSL_CFLAGS = @OPENSSL_CFLAGS@ OPENSSL_LIBS = @OPENSSL_LIBS@ OPENVPN_VERSION_MAJOR = @OPENVPN_VERSION_MAJOR@ OPENVPN_VERSION_MINOR = @OPENVPN_VERSION_MINOR@ OPENVPN_VERSION_PATCH = @OPENVPN_VERSION_PATCH@ OPTIONAL_CRYPTO_CFLAGS = @OPTIONAL_CRYPTO_CFLAGS@ OPTIONAL_CRYPTO_LIBS = @OPTIONAL_CRYPTO_LIBS@ OPTIONAL_DL_LIBS = @OPTIONAL_DL_LIBS@ OPTIONAL_LZ4_CFLAGS = @OPTIONAL_LZ4_CFLAGS@ OPTIONAL_LZ4_LIBS = @OPTIONAL_LZ4_LIBS@ OPTIONAL_LZO_CFLAGS = @OPTIONAL_LZO_CFLAGS@ OPTIONAL_LZO_LIBS = @OPTIONAL_LZO_LIBS@ OPTIONAL_PKCS11_HELPER_CFLAGS = @OPTIONAL_PKCS11_HELPER_CFLAGS@ OPTIONAL_PKCS11_HELPER_LIBS = @OPTIONAL_PKCS11_HELPER_LIBS@ OPTIONAL_SELINUX_LIBS = @OPTIONAL_SELINUX_LIBS@ OPTIONAL_SYSTEMD_LIBS = @OPTIONAL_SYSTEMD_LIBS@ OTOOL = @OTOOL@ OTOOL64 = @OTOOL64@ P11KIT_CFLAGS = @P11KIT_CFLAGS@ P11KIT_LIBS = @P11KIT_LIBS@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PKCS11_HELPER_CFLAGS = @PKCS11_HELPER_CFLAGS@ PKCS11_HELPER_LIBS = @PKCS11_HELPER_LIBS@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGINDIR = @PLUGINDIR@ PLUGIN_AUTH_PAM_CFLAGS = @PLUGIN_AUTH_PAM_CFLAGS@ PLUGIN_AUTH_PAM_LIBS = @PLUGIN_AUTH_PAM_LIBS@ RANLIB = @RANLIB@ RC = @RC@ ROUTE = @ROUTE@ SED = @SED@ SELINUX_LIBS = @SELINUX_LIBS@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ SOCKETS_LIBS = @SOCKETS_LIBS@ STRIP = @STRIP@ SYSTEMD_ASK_PASSWORD = @SYSTEMD_ASK_PASSWORD@ SYSTEMD_UNIT_DIR = @SYSTEMD_UNIT_DIR@ TAP_CFLAGS = @TAP_CFLAGS@ TAP_WIN_COMPONENT_ID = @TAP_WIN_COMPONENT_ID@ TAP_WIN_MIN_MAJOR = @TAP_WIN_MIN_MAJOR@ TAP_WIN_MIN_MINOR = @TAP_WIN_MIN_MINOR@ TEST_CFLAGS = @TEST_CFLAGS@ TEST_LDFLAGS = @TEST_LDFLAGS@ TMPFILES_DIR = @TMPFILES_DIR@ VENDOR_BUILD_ROOT = @VENDOR_BUILD_ROOT@ VENDOR_DIST_ROOT = @VENDOR_DIST_ROOT@ VENDOR_SRC_ROOT = @VENDOR_SRC_ROOT@ VERSION = @VERSION@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ ac_ct_AR = @ac_ct_AR@ ac_ct_CC = @ac_ct_CC@ ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ am__include = @am__include@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ am__tar = @am__tar@ am__untar = @am__untar@ bindir = @bindir@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ datadir = @datadir@ datarootdir = @datarootdir@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ host_os = @host_os@ host_vendor = @host_vendor@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ libdir = @libdir@ libexecdir = @libexecdir@ libsystemd_CFLAGS = @libsystemd_CFLAGS@ libsystemd_LIBS = @libsystemd_LIBS@ localedir = @localedir@ localstatedir = @localstatedir@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ pdfdir = @pdfdir@ plugindir = @plugindir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ sampledir = @sampledir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ systemdunitdir = @systemdunitdir@ target_alias = @target_alias@ tmpfilesdir = @tmpfilesdir@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ AUTOMAKE_OPTIONS = foreign @CMOCKA_INITIALIZED_TRUE@SUBDIRS = example_test openvpn plugins all: all-recursive .SUFFIXES: $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) @for dep in $?; do \ case '$(am__configure_deps)' in \ *$$dep*) \ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ && { if test -f $@; then exit 0; else break; fi; }; \ exit 1;; \ esac; \ done; \ echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign tests/unit_tests/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --foreign tests/unit_tests/Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ *) \ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(top_srcdir)/configure: $(am__configure_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(ACLOCAL_M4): $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(am__aclocal_m4_deps): mostlyclean-libtool: -rm -f *.lo clean-libtool: -rm -rf .libs _libs # This directory's subdirectories are mostly independent; you can cd # into them and run 'make' without going through this Makefile. # To change the values of 'make' variables: instead of editing Makefiles, # (1) if the variable is set in 'config.status', edit 'config.status' # (which will cause the Makefiles to be regenerated when you run 'make'); # (2) otherwise, pass the desired values on the 'make' command line. $(am__recursive_targets): @fail=; \ if $(am__make_keepgoing); then \ failcom='fail=yes'; \ else \ failcom='exit 1'; \ fi; \ dot_seen=no; \ target=`echo $@ | sed s/-recursive//`; \ case "$@" in \ distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \ *) list='$(SUBDIRS)' ;; \ esac; \ for subdir in $$list; do \ echo "Making $$target in $$subdir"; \ if test "$$subdir" = "."; then \ dot_seen=yes; \ local_target="$$target-am"; \ else \ local_target="$$target"; \ fi; \ ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ || eval $$failcom; \ done; \ if test "$$dot_seen" = "no"; then \ $(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \ fi; test -z "$$fail" ID: $(am__tagged_files) $(am__define_uniq_tagged_files); mkid -fID $$unique tags: tags-recursive TAGS: tags tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) set x; \ here=`pwd`; \ if ($(ETAGS) --etags-include --version) >/dev/null 2>&1; then \ include_option=--etags-include; \ empty_fix=.; \ else \ include_option=--include; \ empty_fix=; \ fi; \ list='$(SUBDIRS)'; for subdir in $$list; do \ if test "$$subdir" = .; then :; else \ test ! -f $$subdir/TAGS || \ set "$$@" "$$include_option=$$here/$$subdir/TAGS"; \ fi; \ done; \ $(am__define_uniq_tagged_files); \ shift; \ if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ test -n "$$unique" || unique=$$empty_fix; \ if test $$# -gt 0; then \ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ "$$@" $$unique; \ else \ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ $$unique; \ fi; \ fi ctags: ctags-recursive CTAGS: ctags ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) $(am__define_uniq_tagged_files); \ test -z "$(CTAGS_ARGS)$$unique" \ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ $$unique GTAGS: here=`$(am__cd) $(top_builddir) && pwd` \ && $(am__cd) $(top_srcdir) \ && gtags -i $(GTAGS_ARGS) "$$here" cscopelist: cscopelist-recursive cscopelist-am: $(am__tagged_files) list='$(am__tagged_files)'; \ case "$(srcdir)" in \ [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \ *) sdir=$(subdir)/$(srcdir) ;; \ esac; \ for i in $$list; do \ if test -f "$$i"; then \ echo "$(subdir)/$$i"; \ else \ echo "$$sdir/$$i"; \ fi; \ done >> $(top_builddir)/cscope.files distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags distdir: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ dist_files=`for file in $$list; do echo $$file; done | \ sed -e "s|^$$srcdirstrip/||;t" \ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ case $$dist_files in \ */*) $(MKDIR_P) `echo "$$dist_files" | \ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ sort -u` ;; \ esac; \ for file in $$dist_files; do \ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ if test -d $$d/$$file; then \ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ if test -d "$(distdir)/$$file"; then \ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ else \ test -f "$(distdir)/$$file" \ || cp -p $$d/$$file "$(distdir)/$$file" \ || exit 1; \ fi; \ done @list='$(DIST_SUBDIRS)'; for subdir in $$list; do \ if test "$$subdir" = .; then :; else \ $(am__make_dryrun) \ || test -d "$(distdir)/$$subdir" \ || $(MKDIR_P) "$(distdir)/$$subdir" \ || exit 1; \ dir1=$$subdir; dir2="$(distdir)/$$subdir"; \ $(am__relativize); \ new_distdir=$$reldir; \ dir1=$$subdir; dir2="$(top_distdir)"; \ $(am__relativize); \ new_top_distdir=$$reldir; \ echo " (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) top_distdir="$$new_top_distdir" distdir="$$new_distdir" \\"; \ echo " am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)"; \ ($(am__cd) $$subdir && \ $(MAKE) $(AM_MAKEFLAGS) \ top_distdir="$$new_top_distdir" \ distdir="$$new_distdir" \ am__remove_distdir=: \ am__skip_length_check=: \ am__skip_mode_fix=: \ distdir) \ || exit 1; \ fi; \ done check-am: all-am check: check-recursive all-am: Makefile installdirs: installdirs-recursive installdirs-am: install: install-recursive install-exec: install-exec-recursive install-data: install-data-recursive uninstall: uninstall-recursive install-am: all-am @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am installcheck: installcheck-recursive install-strip: if test -z '$(STRIP)'; then \ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ install; \ else \ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ fi mostlyclean-generic: clean-generic: distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @echo "it deletes files that may require special tools to rebuild." clean: clean-recursive clean-am: clean-generic clean-libtool mostlyclean-am distclean: distclean-recursive -rm -f Makefile distclean-am: clean-am distclean-generic distclean-tags dvi: dvi-recursive dvi-am: html: html-recursive html-am: info: info-recursive info-am: install-data-am: install-dvi: install-dvi-recursive install-dvi-am: install-exec-am: install-html: install-html-recursive install-html-am: install-info: install-info-recursive install-info-am: install-man: install-pdf: install-pdf-recursive install-pdf-am: install-ps: install-ps-recursive install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-recursive -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic mostlyclean: mostlyclean-recursive mostlyclean-am: mostlyclean-generic mostlyclean-libtool pdf: pdf-recursive pdf-am: ps: ps-recursive ps-am: uninstall-am: .MAKE: $(am__recursive_targets) install-am install-strip .PHONY: $(am__recursive_targets) CTAGS GTAGS TAGS all all-am check \ check-am clean clean-generic clean-libtool cscopelist-am ctags \ ctags-am distclean distclean-generic distclean-libtool \ distclean-tags distdir dvi dvi-am html html-am info info-am \ install install-am install-data install-data-am install-dvi \ install-dvi-am install-exec install-exec-am install-html \ install-html-am install-info install-info-am install-man \ install-pdf install-pdf-am install-ps install-ps-am \ install-strip installcheck installcheck-am installdirs \ installdirs-am maintainer-clean maintainer-clean-generic \ mostlyclean mostlyclean-generic mostlyclean-libtool pdf pdf-am \ ps ps-am tags tags-am uninstall uninstall-am # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: openvpn-2.4.4/tests/unit_tests/example_test/000077500000000000000000000000001316434344000212455ustar00rootroot00000000000000openvpn-2.4.4/tests/unit_tests/example_test/Makefile.am000066400000000000000000000005531316434344000233040ustar00rootroot00000000000000AUTOMAKE_OPTIONS = foreign check_PROGRAMS = example_testdriver example2_testdriver TESTS = $(check_PROGRAMS) example_testdriver_CFLAGS = @TEST_CFLAGS@ example_testdriver_LDFLAGS = @TEST_LDFLAGS@ example_testdriver_SOURCES = test.c example2_testdriver_CFLAGS = @TEST_CFLAGS@ example2_testdriver_LDFLAGS = @TEST_LDFLAGS@ example2_testdriver_SOURCES = test2.c openvpn-2.4.4/tests/unit_tests/example_test/Makefile.in000066400000000000000000000674041316434344000233250ustar00rootroot00000000000000# Makefile.in generated by automake 1.14.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2013 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY, to the extent permitted by law; without # even the implied warranty of MERCHANTABILITY or FITNESS FOR A # PARTICULAR PURPOSE. @SET_MAKE@ VPATH = @srcdir@ am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ *) echo "am__make_running_with_option: internal error: invalid" \ "target option '$${target_option-}' specified" >&2; \ exit 1;; \ esac; \ has_opt=no; \ sane_makeflags=$$MAKEFLAGS; \ if $(am__is_gnu_make); then \ sane_makeflags=$$MFLAGS; \ else \ case $$MAKEFLAGS in \ *\\[\ \ ]*) \ bs=\\; \ sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ esac; \ fi; \ skip_next=no; \ strip_trailopt () \ { \ flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ }; \ for flg in $$sane_makeflags; do \ test $$skip_next = yes && { skip_next=no; continue; }; \ case $$flg in \ *=*|--*) continue;; \ -*I) strip_trailopt 'I'; skip_next=yes;; \ -*I?*) strip_trailopt 'I';; \ -*O) strip_trailopt 'O'; skip_next=yes;; \ -*O?*) strip_trailopt 'O';; \ -*l) strip_trailopt 'l'; skip_next=yes;; \ -*l?*) strip_trailopt 'l';; \ -[dEDm]) skip_next=yes;; \ -[JT]) skip_next=yes;; \ esac; \ case $$flg in \ *$$target_option*) has_opt=yes; break;; \ esac; \ done; \ test $$has_opt = yes am__make_dryrun = (target_option=n; $(am__make_running_with_option)) am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) pkgdatadir = $(datadir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ pkglibdir = $(libdir)/@PACKAGE@ pkglibexecdir = $(libexecdir)/@PACKAGE@ am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c install_sh_SCRIPT = $(install_sh) -c INSTALL_HEADER = $(INSTALL_DATA) transform = $(program_transform_name) NORMAL_INSTALL = : PRE_INSTALL = : POST_INSTALL = : NORMAL_UNINSTALL = : PRE_UNINSTALL = : POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ check_PROGRAMS = example_testdriver$(EXEEXT) \ example2_testdriver$(EXEEXT) subdir = tests/unit_tests/example_test DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ $(top_srcdir)/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/ax_emptyarray.m4 \ $(top_srcdir)/m4/ax_socklen_t.m4 \ $(top_srcdir)/m4/ax_varargs.m4 $(top_srcdir)/m4/libtool.m4 \ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ $(top_srcdir)/m4/pkg.m4 $(top_srcdir)/version.m4 \ $(top_srcdir)/compat.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h \ $(top_builddir)/include/openvpn-plugin.h CONFIG_CLEAN_FILES = CONFIG_CLEAN_VPATH_FILES = am_example2_testdriver_OBJECTS = example2_testdriver-test2.$(OBJEXT) example2_testdriver_OBJECTS = $(am_example2_testdriver_OBJECTS) example2_testdriver_LDADD = $(LDADD) AM_V_lt = $(am__v_lt_@AM_V@) am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) am__v_lt_0 = --silent am__v_lt_1 = example2_testdriver_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ $(example2_testdriver_CFLAGS) $(CFLAGS) \ $(example2_testdriver_LDFLAGS) $(LDFLAGS) -o $@ am_example_testdriver_OBJECTS = example_testdriver-test.$(OBJEXT) example_testdriver_OBJECTS = $(am_example_testdriver_OBJECTS) example_testdriver_LDADD = $(LDADD) example_testdriver_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ $(example_testdriver_CFLAGS) $(CFLAGS) \ $(example_testdriver_LDFLAGS) $(LDFLAGS) -o $@ AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false am__v_P_1 = : AM_V_GEN = $(am__v_GEN_@AM_V@) am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) am__v_GEN_0 = @echo " GEN " $@; am__v_GEN_1 = AM_V_at = $(am__v_at_@AM_V@) am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) am__v_at_0 = @ am__v_at_1 = DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) -I$(top_builddir)/include depcomp = $(SHELL) $(top_srcdir)/depcomp am__depfiles_maybe = depfiles am__mv = mv -f COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \ $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ $(AM_CFLAGS) $(CFLAGS) AM_V_CC = $(am__v_CC_@AM_V@) am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@) am__v_CC_0 = @echo " CC " $@; am__v_CC_1 = CCLD = $(CC) LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ $(AM_LDFLAGS) $(LDFLAGS) -o $@ AM_V_CCLD = $(am__v_CCLD_@AM_V@) am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) am__v_CCLD_0 = @echo " CCLD " $@; am__v_CCLD_1 = SOURCES = $(example2_testdriver_SOURCES) $(example_testdriver_SOURCES) DIST_SOURCES = $(example2_testdriver_SOURCES) \ $(example_testdriver_SOURCES) am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ *) (install-info --version) >/dev/null 2>&1;; \ esac am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) # Read a list of newline-separated strings from the standard input, # and print each of them once, without duplicates. Input order is # *not* preserved. am__uniquify_input = $(AWK) '\ BEGIN { nonempty = 0; } \ { items[$$0] = 1; nonempty = 1; } \ END { if (nonempty) { for (i in items) print i; }; } \ ' # Make sure the list of sources is unique. This is necessary because, # e.g., the same source file might be shared among _SOURCES variables # for different programs/libraries. am__define_uniq_tagged_files = \ list='$(am__tagged_files)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags am__tty_colors_dummy = \ mgn= red= grn= lgn= blu= brg= std=; \ am__color_tests=no am__tty_colors = { \ $(am__tty_colors_dummy); \ if test "X$(AM_COLOR_TESTS)" = Xno; then \ am__color_tests=no; \ elif test "X$(AM_COLOR_TESTS)" = Xalways; then \ am__color_tests=yes; \ elif test "X$$TERM" != Xdumb && { test -t 1; } 2>/dev/null; then \ am__color_tests=yes; \ fi; \ if test $$am__color_tests = yes; then \ red=''; \ grn=''; \ lgn=''; \ blu=''; \ mgn=''; \ brg=''; \ std=''; \ fi; \ } DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ AS = @AS@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ CMAKE = @CMAKE@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ DL_LIBS = @DL_LIBS@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ GIT = @GIT@ GREP = @GREP@ IFCONFIG = @IFCONFIG@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ IPROUTE = @IPROUTE@ LD = @LD@ LDFLAGS = @LDFLAGS@ LIBOBJS = @LIBOBJS@ LIBPAM_CFLAGS = @LIBPAM_CFLAGS@ LIBPAM_LIBS = @LIBPAM_LIBS@ LIBS = @LIBS@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ LZ4_CFLAGS = @LZ4_CFLAGS@ LZ4_LIBS = @LZ4_LIBS@ LZO_CFLAGS = @LZO_CFLAGS@ LZO_LIBS = @LZO_LIBS@ MAKEINFO = @MAKEINFO@ MAN2HTML = @MAN2HTML@ MANIFEST_TOOL = @MANIFEST_TOOL@ MBEDTLS_CFLAGS = @MBEDTLS_CFLAGS@ MBEDTLS_LIBS = @MBEDTLS_LIBS@ MKDIR_P = @MKDIR_P@ NETSTAT = @NETSTAT@ NM = @NM@ NMEDIT = @NMEDIT@ OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ OPENSSL_CFLAGS = @OPENSSL_CFLAGS@ OPENSSL_LIBS = @OPENSSL_LIBS@ OPENVPN_VERSION_MAJOR = @OPENVPN_VERSION_MAJOR@ OPENVPN_VERSION_MINOR = @OPENVPN_VERSION_MINOR@ OPENVPN_VERSION_PATCH = @OPENVPN_VERSION_PATCH@ OPTIONAL_CRYPTO_CFLAGS = @OPTIONAL_CRYPTO_CFLAGS@ OPTIONAL_CRYPTO_LIBS = @OPTIONAL_CRYPTO_LIBS@ OPTIONAL_DL_LIBS = @OPTIONAL_DL_LIBS@ OPTIONAL_LZ4_CFLAGS = @OPTIONAL_LZ4_CFLAGS@ OPTIONAL_LZ4_LIBS = @OPTIONAL_LZ4_LIBS@ OPTIONAL_LZO_CFLAGS = @OPTIONAL_LZO_CFLAGS@ OPTIONAL_LZO_LIBS = @OPTIONAL_LZO_LIBS@ OPTIONAL_PKCS11_HELPER_CFLAGS = @OPTIONAL_PKCS11_HELPER_CFLAGS@ OPTIONAL_PKCS11_HELPER_LIBS = @OPTIONAL_PKCS11_HELPER_LIBS@ OPTIONAL_SELINUX_LIBS = @OPTIONAL_SELINUX_LIBS@ OPTIONAL_SYSTEMD_LIBS = @OPTIONAL_SYSTEMD_LIBS@ OTOOL = @OTOOL@ OTOOL64 = @OTOOL64@ P11KIT_CFLAGS = @P11KIT_CFLAGS@ P11KIT_LIBS = @P11KIT_LIBS@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PKCS11_HELPER_CFLAGS = @PKCS11_HELPER_CFLAGS@ PKCS11_HELPER_LIBS = @PKCS11_HELPER_LIBS@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGINDIR = @PLUGINDIR@ PLUGIN_AUTH_PAM_CFLAGS = @PLUGIN_AUTH_PAM_CFLAGS@ PLUGIN_AUTH_PAM_LIBS = @PLUGIN_AUTH_PAM_LIBS@ RANLIB = @RANLIB@ RC = @RC@ ROUTE = @ROUTE@ SED = @SED@ SELINUX_LIBS = @SELINUX_LIBS@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ SOCKETS_LIBS = @SOCKETS_LIBS@ STRIP = @STRIP@ SYSTEMD_ASK_PASSWORD = @SYSTEMD_ASK_PASSWORD@ SYSTEMD_UNIT_DIR = @SYSTEMD_UNIT_DIR@ TAP_CFLAGS = @TAP_CFLAGS@ TAP_WIN_COMPONENT_ID = @TAP_WIN_COMPONENT_ID@ TAP_WIN_MIN_MAJOR = @TAP_WIN_MIN_MAJOR@ TAP_WIN_MIN_MINOR = @TAP_WIN_MIN_MINOR@ TEST_CFLAGS = @TEST_CFLAGS@ TEST_LDFLAGS = @TEST_LDFLAGS@ TMPFILES_DIR = @TMPFILES_DIR@ VENDOR_BUILD_ROOT = @VENDOR_BUILD_ROOT@ VENDOR_DIST_ROOT = @VENDOR_DIST_ROOT@ VENDOR_SRC_ROOT = @VENDOR_SRC_ROOT@ VERSION = @VERSION@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ ac_ct_AR = @ac_ct_AR@ ac_ct_CC = @ac_ct_CC@ ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ am__include = @am__include@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ am__tar = @am__tar@ am__untar = @am__untar@ bindir = @bindir@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ datadir = @datadir@ datarootdir = @datarootdir@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ host_os = @host_os@ host_vendor = @host_vendor@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ libdir = @libdir@ libexecdir = @libexecdir@ libsystemd_CFLAGS = @libsystemd_CFLAGS@ libsystemd_LIBS = @libsystemd_LIBS@ localedir = @localedir@ localstatedir = @localstatedir@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ pdfdir = @pdfdir@ plugindir = @plugindir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ sampledir = @sampledir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ systemdunitdir = @systemdunitdir@ target_alias = @target_alias@ tmpfilesdir = @tmpfilesdir@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ AUTOMAKE_OPTIONS = foreign TESTS = $(check_PROGRAMS) example_testdriver_CFLAGS = @TEST_CFLAGS@ example_testdriver_LDFLAGS = @TEST_LDFLAGS@ example_testdriver_SOURCES = test.c example2_testdriver_CFLAGS = @TEST_CFLAGS@ example2_testdriver_LDFLAGS = @TEST_LDFLAGS@ example2_testdriver_SOURCES = test2.c all: all-am .SUFFIXES: .SUFFIXES: .c .lo .o .obj $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) @for dep in $?; do \ case '$(am__configure_deps)' in \ *$$dep*) \ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ && { if test -f $@; then exit 0; else break; fi; }; \ exit 1;; \ esac; \ done; \ echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign tests/unit_tests/example_test/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --foreign tests/unit_tests/example_test/Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ *) \ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(top_srcdir)/configure: $(am__configure_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(ACLOCAL_M4): $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(am__aclocal_m4_deps): clean-checkPROGRAMS: @list='$(check_PROGRAMS)'; test -n "$$list" || exit 0; \ echo " rm -f" $$list; \ rm -f $$list || exit $$?; \ test -n "$(EXEEXT)" || exit 0; \ list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \ echo " rm -f" $$list; \ rm -f $$list example2_testdriver$(EXEEXT): $(example2_testdriver_OBJECTS) $(example2_testdriver_DEPENDENCIES) $(EXTRA_example2_testdriver_DEPENDENCIES) @rm -f example2_testdriver$(EXEEXT) $(AM_V_CCLD)$(example2_testdriver_LINK) $(example2_testdriver_OBJECTS) $(example2_testdriver_LDADD) $(LIBS) example_testdriver$(EXEEXT): $(example_testdriver_OBJECTS) $(example_testdriver_DEPENDENCIES) $(EXTRA_example_testdriver_DEPENDENCIES) @rm -f example_testdriver$(EXEEXT) $(AM_V_CCLD)$(example_testdriver_LINK) $(example_testdriver_OBJECTS) $(example_testdriver_LDADD) $(LIBS) mostlyclean-compile: -rm -f *.$(OBJEXT) distclean-compile: -rm -f *.tab.c @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/example2_testdriver-test2.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/example_testdriver-test.Po@am__quote@ .c.o: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< .c.obj: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` .c.lo: @am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $< example2_testdriver-test2.o: test2.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(example2_testdriver_CFLAGS) $(CFLAGS) -MT example2_testdriver-test2.o -MD -MP -MF $(DEPDIR)/example2_testdriver-test2.Tpo -c -o example2_testdriver-test2.o `test -f 'test2.c' || echo '$(srcdir)/'`test2.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/example2_testdriver-test2.Tpo $(DEPDIR)/example2_testdriver-test2.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='test2.c' object='example2_testdriver-test2.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(example2_testdriver_CFLAGS) $(CFLAGS) -c -o example2_testdriver-test2.o `test -f 'test2.c' || echo '$(srcdir)/'`test2.c example2_testdriver-test2.obj: test2.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(example2_testdriver_CFLAGS) $(CFLAGS) -MT example2_testdriver-test2.obj -MD -MP -MF $(DEPDIR)/example2_testdriver-test2.Tpo -c -o example2_testdriver-test2.obj `if test -f 'test2.c'; then $(CYGPATH_W) 'test2.c'; else $(CYGPATH_W) '$(srcdir)/test2.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/example2_testdriver-test2.Tpo $(DEPDIR)/example2_testdriver-test2.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='test2.c' object='example2_testdriver-test2.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(example2_testdriver_CFLAGS) $(CFLAGS) -c -o example2_testdriver-test2.obj `if test -f 'test2.c'; then $(CYGPATH_W) 'test2.c'; else $(CYGPATH_W) '$(srcdir)/test2.c'; fi` example_testdriver-test.o: test.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(example_testdriver_CFLAGS) $(CFLAGS) -MT example_testdriver-test.o -MD -MP -MF $(DEPDIR)/example_testdriver-test.Tpo -c -o example_testdriver-test.o `test -f 'test.c' || echo '$(srcdir)/'`test.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/example_testdriver-test.Tpo $(DEPDIR)/example_testdriver-test.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='test.c' object='example_testdriver-test.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(example_testdriver_CFLAGS) $(CFLAGS) -c -o example_testdriver-test.o `test -f 'test.c' || echo '$(srcdir)/'`test.c example_testdriver-test.obj: test.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(example_testdriver_CFLAGS) $(CFLAGS) -MT example_testdriver-test.obj -MD -MP -MF $(DEPDIR)/example_testdriver-test.Tpo -c -o example_testdriver-test.obj `if test -f 'test.c'; then $(CYGPATH_W) 'test.c'; else $(CYGPATH_W) '$(srcdir)/test.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/example_testdriver-test.Tpo $(DEPDIR)/example_testdriver-test.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='test.c' object='example_testdriver-test.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(example_testdriver_CFLAGS) $(CFLAGS) -c -o example_testdriver-test.obj `if test -f 'test.c'; then $(CYGPATH_W) 'test.c'; else $(CYGPATH_W) '$(srcdir)/test.c'; fi` mostlyclean-libtool: -rm -f *.lo clean-libtool: -rm -rf .libs _libs ID: $(am__tagged_files) $(am__define_uniq_tagged_files); mkid -fID $$unique tags: tags-am TAGS: tags tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) set x; \ here=`pwd`; \ $(am__define_uniq_tagged_files); \ shift; \ if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ test -n "$$unique" || unique=$$empty_fix; \ if test $$# -gt 0; then \ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ "$$@" $$unique; \ else \ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ $$unique; \ fi; \ fi ctags: ctags-am CTAGS: ctags ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) $(am__define_uniq_tagged_files); \ test -z "$(CTAGS_ARGS)$$unique" \ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ $$unique GTAGS: here=`$(am__cd) $(top_builddir) && pwd` \ && $(am__cd) $(top_srcdir) \ && gtags -i $(GTAGS_ARGS) "$$here" cscopelist: cscopelist-am cscopelist-am: $(am__tagged_files) list='$(am__tagged_files)'; \ case "$(srcdir)" in \ [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \ *) sdir=$(subdir)/$(srcdir) ;; \ esac; \ for i in $$list; do \ if test -f "$$i"; then \ echo "$(subdir)/$$i"; \ else \ echo "$$sdir/$$i"; \ fi; \ done >> $(top_builddir)/cscope.files distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags check-TESTS: $(TESTS) @failed=0; all=0; xfail=0; xpass=0; skip=0; \ srcdir=$(srcdir); export srcdir; \ list=' $(TESTS) '; \ $(am__tty_colors); \ if test -n "$$list"; then \ for tst in $$list; do \ if test -f ./$$tst; then dir=./; \ elif test -f $$tst; then dir=; \ else dir="$(srcdir)/"; fi; \ if $(TESTS_ENVIRONMENT) $${dir}$$tst $(AM_TESTS_FD_REDIRECT); then \ all=`expr $$all + 1`; \ case " $(XFAIL_TESTS) " in \ *[\ \ ]$$tst[\ \ ]*) \ xpass=`expr $$xpass + 1`; \ failed=`expr $$failed + 1`; \ col=$$red; res=XPASS; \ ;; \ *) \ col=$$grn; res=PASS; \ ;; \ esac; \ elif test $$? -ne 77; then \ all=`expr $$all + 1`; \ case " $(XFAIL_TESTS) " in \ *[\ \ ]$$tst[\ \ ]*) \ xfail=`expr $$xfail + 1`; \ col=$$lgn; res=XFAIL; \ ;; \ *) \ failed=`expr $$failed + 1`; \ col=$$red; res=FAIL; \ ;; \ esac; \ else \ skip=`expr $$skip + 1`; \ col=$$blu; res=SKIP; \ fi; \ echo "$${col}$$res$${std}: $$tst"; \ done; \ if test "$$all" -eq 1; then \ tests="test"; \ All=""; \ else \ tests="tests"; \ All="All "; \ fi; \ if test "$$failed" -eq 0; then \ if test "$$xfail" -eq 0; then \ banner="$$All$$all $$tests passed"; \ else \ if test "$$xfail" -eq 1; then failures=failure; else failures=failures; fi; \ banner="$$All$$all $$tests behaved as expected ($$xfail expected $$failures)"; \ fi; \ else \ if test "$$xpass" -eq 0; then \ banner="$$failed of $$all $$tests failed"; \ else \ if test "$$xpass" -eq 1; then passes=pass; else passes=passes; fi; \ banner="$$failed of $$all $$tests did not behave as expected ($$xpass unexpected $$passes)"; \ fi; \ fi; \ dashes="$$banner"; \ skipped=""; \ if test "$$skip" -ne 0; then \ if test "$$skip" -eq 1; then \ skipped="($$skip test was not run)"; \ else \ skipped="($$skip tests were not run)"; \ fi; \ test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \ dashes="$$skipped"; \ fi; \ report=""; \ if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \ report="Please report to $(PACKAGE_BUGREPORT)"; \ test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \ dashes="$$report"; \ fi; \ dashes=`echo "$$dashes" | sed s/./=/g`; \ if test "$$failed" -eq 0; then \ col="$$grn"; \ else \ col="$$red"; \ fi; \ echo "$${col}$$dashes$${std}"; \ echo "$${col}$$banner$${std}"; \ test -z "$$skipped" || echo "$${col}$$skipped$${std}"; \ test -z "$$report" || echo "$${col}$$report$${std}"; \ echo "$${col}$$dashes$${std}"; \ test "$$failed" -eq 0; \ else :; fi distdir: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ dist_files=`for file in $$list; do echo $$file; done | \ sed -e "s|^$$srcdirstrip/||;t" \ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ case $$dist_files in \ */*) $(MKDIR_P) `echo "$$dist_files" | \ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ sort -u` ;; \ esac; \ for file in $$dist_files; do \ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ if test -d $$d/$$file; then \ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ if test -d "$(distdir)/$$file"; then \ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ else \ test -f "$(distdir)/$$file" \ || cp -p $$d/$$file "$(distdir)/$$file" \ || exit 1; \ fi; \ done check-am: all-am $(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS) $(MAKE) $(AM_MAKEFLAGS) check-TESTS check: check-am all-am: Makefile installdirs: install: install-am install-exec: install-exec-am install-data: install-data-am uninstall: uninstall-am install-am: all-am @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am installcheck: installcheck-am install-strip: if test -z '$(STRIP)'; then \ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ install; \ else \ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ fi mostlyclean-generic: clean-generic: distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @echo "it deletes files that may require special tools to rebuild." clean: clean-am clean-am: clean-checkPROGRAMS clean-generic clean-libtool \ mostlyclean-am distclean: distclean-am -rm -rf ./$(DEPDIR) -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags dvi: dvi-am dvi-am: html: html-am html-am: info: info-am info-am: install-data-am: install-dvi: install-dvi-am install-dvi-am: install-exec-am: install-html: install-html-am install-html-am: install-info: install-info-am install-info-am: install-man: install-pdf: install-pdf-am install-pdf-am: install-ps: install-ps-am install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-am -rm -rf ./$(DEPDIR) -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic mostlyclean: mostlyclean-am mostlyclean-am: mostlyclean-compile mostlyclean-generic \ mostlyclean-libtool pdf: pdf-am pdf-am: ps: ps-am ps-am: uninstall-am: .MAKE: check-am install-am install-strip .PHONY: CTAGS GTAGS TAGS all all-am check check-TESTS check-am clean \ clean-checkPROGRAMS clean-generic clean-libtool cscopelist-am \ ctags ctags-am distclean distclean-compile distclean-generic \ distclean-libtool distclean-tags distdir dvi dvi-am html \ html-am info info-am install install-am install-data \ install-data-am install-dvi install-dvi-am install-exec \ install-exec-am install-html install-html-am install-info \ install-info-am install-man install-pdf install-pdf-am \ install-ps install-ps-am install-strip installcheck \ installcheck-am installdirs maintainer-clean \ maintainer-clean-generic mostlyclean mostlyclean-compile \ mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ tags tags-am uninstall uninstall-am # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: openvpn-2.4.4/tests/unit_tests/example_test/test.c000066400000000000000000000016751316434344000224010ustar00rootroot00000000000000#include #include #include #include #include #include #include static int setup(void **state) { int *answer = malloc(sizeof(int)); *answer = 42; *state = answer; return 0; } static int teardown(void **state) { free(*state); return 0; } static void null_test_success(void **state) { (void) state; } static void int_test_success(void **state) { int *answer = *state; assert_int_equal(*answer, 42); } static void failing_test(void **state) { /* This tests fails to test that make check fails */ assert_int_equal(0, 42); } int main(void) { const struct CMUnitTest tests[] = { cmocka_unit_test(null_test_success), cmocka_unit_test_setup_teardown(int_test_success, setup, teardown), /* cmocka_unit_test(failing_test), */ }; return cmocka_run_group_tests_name("success_test", tests, NULL, NULL); } openvpn-2.4.4/tests/unit_tests/example_test/test2.c000066400000000000000000000005751316434344000224610ustar00rootroot00000000000000#include #include #include #include #include #include #include static void test_true(void **state) { (void) state; } int main(void) { const struct CMUnitTest tests[] = { cmocka_unit_test(test_true), }; return cmocka_run_group_tests_name("success_test2", tests, NULL, NULL); } openvpn-2.4.4/tests/unit_tests/openvpn/000077500000000000000000000000001316434344000202405ustar00rootroot00000000000000openvpn-2.4.4/tests/unit_tests/openvpn/Makefile.am000066400000000000000000000035621316434344000223020ustar00rootroot00000000000000AUTOMAKE_OPTIONS = foreign check_PROGRAMS= if HAVE_LD_WRAP_SUPPORT check_PROGRAMS += argv_testdriver buffer_testdriver endif if ENABLE_CRYPTO check_PROGRAMS += packet_id_testdriver tls_crypt_testdriver endif TESTS = $(check_PROGRAMS) openvpn_includedir = $(top_srcdir)/include openvpn_srcdir = $(top_srcdir)/src/openvpn compat_srcdir = $(top_srcdir)/src/compat argv_testdriver_CFLAGS = @TEST_CFLAGS@ -I$(openvpn_srcdir) -I$(compat_srcdir) \ $(OPTIONAL_CRYPTO_CFLAGS) argv_testdriver_LDFLAGS = @TEST_LDFLAGS@ -L$(openvpn_srcdir) -Wl,--wrap=parse_line \ $(OPTIONAL_CRYPTO_LIBS) argv_testdriver_SOURCES = test_argv.c mock_msg.c \ $(openvpn_srcdir)/platform.c \ $(openvpn_srcdir)/buffer.c \ $(openvpn_srcdir)/argv.c buffer_testdriver_CFLAGS = @TEST_CFLAGS@ -I$(openvpn_srcdir) -I$(compat_srcdir) buffer_testdriver_LDFLAGS = @TEST_LDFLAGS@ -L$(openvpn_srcdir) -Wl,--wrap=parse_line buffer_testdriver_SOURCES = test_buffer.c mock_msg.c \ $(openvpn_srcdir)/buffer.c \ $(openvpn_srcdir)/platform.c packet_id_testdriver_CFLAGS = @TEST_CFLAGS@ \ -I$(openvpn_includedir) -I$(compat_srcdir) -I$(openvpn_srcdir) \ $(OPTIONAL_CRYPTO_CFLAGS) packet_id_testdriver_LDFLAGS = @TEST_LDFLAGS@ \ $(OPTIONAL_CRYPTO_LIBS) packet_id_testdriver_SOURCES = test_packet_id.c mock_msg.c \ $(openvpn_srcdir)/buffer.c \ $(openvpn_srcdir)/otime.c \ $(openvpn_srcdir)/packet_id.c \ $(openvpn_srcdir)/platform.c tls_crypt_testdriver_CFLAGS = @TEST_CFLAGS@ \ -I$(openvpn_includedir) -I$(compat_srcdir) -I$(openvpn_srcdir) \ $(OPTIONAL_CRYPTO_CFLAGS) tls_crypt_testdriver_LDFLAGS = @TEST_LDFLAGS@ \ $(OPTIONAL_CRYPTO_LIBS) tls_crypt_testdriver_SOURCES = test_tls_crypt.c mock_msg.c \ $(openvpn_srcdir)/buffer.c \ $(openvpn_srcdir)/crypto.c \ $(openvpn_srcdir)/crypto_mbedtls.c \ $(openvpn_srcdir)/crypto_openssl.c \ $(openvpn_srcdir)/otime.c \ $(openvpn_srcdir)/packet_id.c \ $(openvpn_srcdir)/platform.c openvpn-2.4.4/tests/unit_tests/openvpn/Makefile.in000066400000000000000000002434171316434344000223200ustar00rootroot00000000000000# Makefile.in generated by automake 1.14.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2013 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY, to the extent permitted by law; without # even the implied warranty of MERCHANTABILITY or FITNESS FOR A # PARTICULAR PURPOSE. @SET_MAKE@ VPATH = @srcdir@ am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ *) echo "am__make_running_with_option: internal error: invalid" \ "target option '$${target_option-}' specified" >&2; \ exit 1;; \ esac; \ has_opt=no; \ sane_makeflags=$$MAKEFLAGS; \ if $(am__is_gnu_make); then \ sane_makeflags=$$MFLAGS; \ else \ case $$MAKEFLAGS in \ *\\[\ \ ]*) \ bs=\\; \ sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ esac; \ fi; \ skip_next=no; \ strip_trailopt () \ { \ flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ }; \ for flg in $$sane_makeflags; do \ test $$skip_next = yes && { skip_next=no; continue; }; \ case $$flg in \ *=*|--*) continue;; \ -*I) strip_trailopt 'I'; skip_next=yes;; \ -*I?*) strip_trailopt 'I';; \ -*O) strip_trailopt 'O'; skip_next=yes;; \ -*O?*) strip_trailopt 'O';; \ -*l) strip_trailopt 'l'; skip_next=yes;; \ -*l?*) strip_trailopt 'l';; \ -[dEDm]) skip_next=yes;; \ -[JT]) skip_next=yes;; \ esac; \ case $$flg in \ *$$target_option*) has_opt=yes; break;; \ esac; \ done; \ test $$has_opt = yes am__make_dryrun = (target_option=n; $(am__make_running_with_option)) am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) pkgdatadir = $(datadir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ pkglibdir = $(libdir)/@PACKAGE@ pkglibexecdir = $(libexecdir)/@PACKAGE@ am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c install_sh_SCRIPT = $(install_sh) -c INSTALL_HEADER = $(INSTALL_DATA) transform = $(program_transform_name) NORMAL_INSTALL = : PRE_INSTALL = : POST_INSTALL = : NORMAL_UNINSTALL = : PRE_UNINSTALL = : POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ check_PROGRAMS = $(am__EXEEXT_1) $(am__EXEEXT_2) @HAVE_LD_WRAP_SUPPORT_TRUE@am__append_1 = argv_testdriver buffer_testdriver @ENABLE_CRYPTO_TRUE@am__append_2 = packet_id_testdriver tls_crypt_testdriver subdir = tests/unit_tests/openvpn DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ $(top_srcdir)/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/ax_emptyarray.m4 \ $(top_srcdir)/m4/ax_socklen_t.m4 \ $(top_srcdir)/m4/ax_varargs.m4 $(top_srcdir)/m4/libtool.m4 \ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ $(top_srcdir)/m4/pkg.m4 $(top_srcdir)/version.m4 \ $(top_srcdir)/compat.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h \ $(top_builddir)/include/openvpn-plugin.h CONFIG_CLEAN_FILES = CONFIG_CLEAN_VPATH_FILES = @HAVE_LD_WRAP_SUPPORT_TRUE@am__EXEEXT_1 = argv_testdriver$(EXEEXT) \ @HAVE_LD_WRAP_SUPPORT_TRUE@ buffer_testdriver$(EXEEXT) @ENABLE_CRYPTO_TRUE@am__EXEEXT_2 = packet_id_testdriver$(EXEEXT) \ @ENABLE_CRYPTO_TRUE@ tls_crypt_testdriver$(EXEEXT) am_argv_testdriver_OBJECTS = argv_testdriver-test_argv.$(OBJEXT) \ argv_testdriver-mock_msg.$(OBJEXT) \ argv_testdriver-platform.$(OBJEXT) \ argv_testdriver-buffer.$(OBJEXT) \ argv_testdriver-argv.$(OBJEXT) argv_testdriver_OBJECTS = $(am_argv_testdriver_OBJECTS) argv_testdriver_LDADD = $(LDADD) AM_V_lt = $(am__v_lt_@AM_V@) am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) am__v_lt_0 = --silent am__v_lt_1 = argv_testdriver_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ $(argv_testdriver_CFLAGS) $(CFLAGS) $(argv_testdriver_LDFLAGS) \ $(LDFLAGS) -o $@ am_buffer_testdriver_OBJECTS = \ buffer_testdriver-test_buffer.$(OBJEXT) \ buffer_testdriver-mock_msg.$(OBJEXT) \ buffer_testdriver-buffer.$(OBJEXT) \ buffer_testdriver-platform.$(OBJEXT) buffer_testdriver_OBJECTS = $(am_buffer_testdriver_OBJECTS) buffer_testdriver_LDADD = $(LDADD) buffer_testdriver_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ $(buffer_testdriver_CFLAGS) $(CFLAGS) \ $(buffer_testdriver_LDFLAGS) $(LDFLAGS) -o $@ am_packet_id_testdriver_OBJECTS = \ packet_id_testdriver-test_packet_id.$(OBJEXT) \ packet_id_testdriver-mock_msg.$(OBJEXT) \ packet_id_testdriver-buffer.$(OBJEXT) \ packet_id_testdriver-otime.$(OBJEXT) \ packet_id_testdriver-packet_id.$(OBJEXT) \ packet_id_testdriver-platform.$(OBJEXT) packet_id_testdriver_OBJECTS = $(am_packet_id_testdriver_OBJECTS) packet_id_testdriver_LDADD = $(LDADD) packet_id_testdriver_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ $(packet_id_testdriver_CFLAGS) $(CFLAGS) \ $(packet_id_testdriver_LDFLAGS) $(LDFLAGS) -o $@ am_tls_crypt_testdriver_OBJECTS = \ tls_crypt_testdriver-test_tls_crypt.$(OBJEXT) \ tls_crypt_testdriver-mock_msg.$(OBJEXT) \ tls_crypt_testdriver-buffer.$(OBJEXT) \ tls_crypt_testdriver-crypto.$(OBJEXT) \ tls_crypt_testdriver-crypto_mbedtls.$(OBJEXT) \ tls_crypt_testdriver-crypto_openssl.$(OBJEXT) \ tls_crypt_testdriver-otime.$(OBJEXT) \ tls_crypt_testdriver-packet_id.$(OBJEXT) \ tls_crypt_testdriver-platform.$(OBJEXT) tls_crypt_testdriver_OBJECTS = $(am_tls_crypt_testdriver_OBJECTS) tls_crypt_testdriver_LDADD = $(LDADD) tls_crypt_testdriver_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ $(tls_crypt_testdriver_CFLAGS) $(CFLAGS) \ $(tls_crypt_testdriver_LDFLAGS) $(LDFLAGS) -o $@ AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false am__v_P_1 = : AM_V_GEN = $(am__v_GEN_@AM_V@) am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) am__v_GEN_0 = @echo " GEN " $@; am__v_GEN_1 = AM_V_at = $(am__v_at_@AM_V@) am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) am__v_at_0 = @ am__v_at_1 = DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) -I$(top_builddir)/include depcomp = $(SHELL) $(top_srcdir)/depcomp am__depfiles_maybe = depfiles am__mv = mv -f COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \ $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ $(AM_CFLAGS) $(CFLAGS) AM_V_CC = $(am__v_CC_@AM_V@) am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@) am__v_CC_0 = @echo " CC " $@; am__v_CC_1 = CCLD = $(CC) LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ $(AM_LDFLAGS) $(LDFLAGS) -o $@ AM_V_CCLD = $(am__v_CCLD_@AM_V@) am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) am__v_CCLD_0 = @echo " CCLD " $@; am__v_CCLD_1 = SOURCES = $(argv_testdriver_SOURCES) $(buffer_testdriver_SOURCES) \ $(packet_id_testdriver_SOURCES) \ $(tls_crypt_testdriver_SOURCES) DIST_SOURCES = $(argv_testdriver_SOURCES) $(buffer_testdriver_SOURCES) \ $(packet_id_testdriver_SOURCES) \ $(tls_crypt_testdriver_SOURCES) am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ *) (install-info --version) >/dev/null 2>&1;; \ esac am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) # Read a list of newline-separated strings from the standard input, # and print each of them once, without duplicates. Input order is # *not* preserved. am__uniquify_input = $(AWK) '\ BEGIN { nonempty = 0; } \ { items[$$0] = 1; nonempty = 1; } \ END { if (nonempty) { for (i in items) print i; }; } \ ' # Make sure the list of sources is unique. This is necessary because, # e.g., the same source file might be shared among _SOURCES variables # for different programs/libraries. am__define_uniq_tagged_files = \ list='$(am__tagged_files)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags am__tty_colors_dummy = \ mgn= red= grn= lgn= blu= brg= std=; \ am__color_tests=no am__tty_colors = { \ $(am__tty_colors_dummy); \ if test "X$(AM_COLOR_TESTS)" = Xno; then \ am__color_tests=no; \ elif test "X$(AM_COLOR_TESTS)" = Xalways; then \ am__color_tests=yes; \ elif test "X$$TERM" != Xdumb && { test -t 1; } 2>/dev/null; then \ am__color_tests=yes; \ fi; \ if test $$am__color_tests = yes; then \ red=''; \ grn=''; \ lgn=''; \ blu=''; \ mgn=''; \ brg=''; \ std=''; \ fi; \ } DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ AS = @AS@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ CMAKE = @CMAKE@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ DL_LIBS = @DL_LIBS@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ GIT = @GIT@ GREP = @GREP@ IFCONFIG = @IFCONFIG@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ IPROUTE = @IPROUTE@ LD = @LD@ LDFLAGS = @LDFLAGS@ LIBOBJS = @LIBOBJS@ LIBPAM_CFLAGS = @LIBPAM_CFLAGS@ LIBPAM_LIBS = @LIBPAM_LIBS@ LIBS = @LIBS@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ LZ4_CFLAGS = @LZ4_CFLAGS@ LZ4_LIBS = @LZ4_LIBS@ LZO_CFLAGS = @LZO_CFLAGS@ LZO_LIBS = @LZO_LIBS@ MAKEINFO = @MAKEINFO@ MAN2HTML = @MAN2HTML@ MANIFEST_TOOL = @MANIFEST_TOOL@ MBEDTLS_CFLAGS = @MBEDTLS_CFLAGS@ MBEDTLS_LIBS = @MBEDTLS_LIBS@ MKDIR_P = @MKDIR_P@ NETSTAT = @NETSTAT@ NM = @NM@ NMEDIT = @NMEDIT@ OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ OPENSSL_CFLAGS = @OPENSSL_CFLAGS@ OPENSSL_LIBS = @OPENSSL_LIBS@ OPENVPN_VERSION_MAJOR = @OPENVPN_VERSION_MAJOR@ OPENVPN_VERSION_MINOR = @OPENVPN_VERSION_MINOR@ OPENVPN_VERSION_PATCH = @OPENVPN_VERSION_PATCH@ OPTIONAL_CRYPTO_CFLAGS = @OPTIONAL_CRYPTO_CFLAGS@ OPTIONAL_CRYPTO_LIBS = @OPTIONAL_CRYPTO_LIBS@ OPTIONAL_DL_LIBS = @OPTIONAL_DL_LIBS@ OPTIONAL_LZ4_CFLAGS = @OPTIONAL_LZ4_CFLAGS@ OPTIONAL_LZ4_LIBS = @OPTIONAL_LZ4_LIBS@ OPTIONAL_LZO_CFLAGS = @OPTIONAL_LZO_CFLAGS@ OPTIONAL_LZO_LIBS = @OPTIONAL_LZO_LIBS@ OPTIONAL_PKCS11_HELPER_CFLAGS = @OPTIONAL_PKCS11_HELPER_CFLAGS@ OPTIONAL_PKCS11_HELPER_LIBS = @OPTIONAL_PKCS11_HELPER_LIBS@ OPTIONAL_SELINUX_LIBS = @OPTIONAL_SELINUX_LIBS@ OPTIONAL_SYSTEMD_LIBS = @OPTIONAL_SYSTEMD_LIBS@ OTOOL = @OTOOL@ OTOOL64 = @OTOOL64@ P11KIT_CFLAGS = @P11KIT_CFLAGS@ P11KIT_LIBS = @P11KIT_LIBS@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PKCS11_HELPER_CFLAGS = @PKCS11_HELPER_CFLAGS@ PKCS11_HELPER_LIBS = @PKCS11_HELPER_LIBS@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGINDIR = @PLUGINDIR@ PLUGIN_AUTH_PAM_CFLAGS = @PLUGIN_AUTH_PAM_CFLAGS@ PLUGIN_AUTH_PAM_LIBS = @PLUGIN_AUTH_PAM_LIBS@ RANLIB = @RANLIB@ RC = @RC@ ROUTE = @ROUTE@ SED = @SED@ SELINUX_LIBS = @SELINUX_LIBS@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ SOCKETS_LIBS = @SOCKETS_LIBS@ STRIP = @STRIP@ SYSTEMD_ASK_PASSWORD = @SYSTEMD_ASK_PASSWORD@ SYSTEMD_UNIT_DIR = @SYSTEMD_UNIT_DIR@ TAP_CFLAGS = @TAP_CFLAGS@ TAP_WIN_COMPONENT_ID = @TAP_WIN_COMPONENT_ID@ TAP_WIN_MIN_MAJOR = @TAP_WIN_MIN_MAJOR@ TAP_WIN_MIN_MINOR = @TAP_WIN_MIN_MINOR@ TEST_CFLAGS = @TEST_CFLAGS@ TEST_LDFLAGS = @TEST_LDFLAGS@ TMPFILES_DIR = @TMPFILES_DIR@ VENDOR_BUILD_ROOT = @VENDOR_BUILD_ROOT@ VENDOR_DIST_ROOT = @VENDOR_DIST_ROOT@ VENDOR_SRC_ROOT = @VENDOR_SRC_ROOT@ VERSION = @VERSION@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ ac_ct_AR = @ac_ct_AR@ ac_ct_CC = @ac_ct_CC@ ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ am__include = @am__include@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ am__tar = @am__tar@ am__untar = @am__untar@ bindir = @bindir@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ datadir = @datadir@ datarootdir = @datarootdir@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ host_os = @host_os@ host_vendor = @host_vendor@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ libdir = @libdir@ libexecdir = @libexecdir@ libsystemd_CFLAGS = @libsystemd_CFLAGS@ libsystemd_LIBS = @libsystemd_LIBS@ localedir = @localedir@ localstatedir = @localstatedir@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ pdfdir = @pdfdir@ plugindir = @plugindir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ sampledir = @sampledir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ systemdunitdir = @systemdunitdir@ target_alias = @target_alias@ tmpfilesdir = @tmpfilesdir@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ AUTOMAKE_OPTIONS = foreign TESTS = $(check_PROGRAMS) openvpn_includedir = $(top_srcdir)/include openvpn_srcdir = $(top_srcdir)/src/openvpn compat_srcdir = $(top_srcdir)/src/compat argv_testdriver_CFLAGS = @TEST_CFLAGS@ -I$(openvpn_srcdir) -I$(compat_srcdir) \ $(OPTIONAL_CRYPTO_CFLAGS) argv_testdriver_LDFLAGS = @TEST_LDFLAGS@ -L$(openvpn_srcdir) -Wl,--wrap=parse_line \ $(OPTIONAL_CRYPTO_LIBS) argv_testdriver_SOURCES = test_argv.c mock_msg.c \ $(openvpn_srcdir)/platform.c \ $(openvpn_srcdir)/buffer.c \ $(openvpn_srcdir)/argv.c buffer_testdriver_CFLAGS = @TEST_CFLAGS@ -I$(openvpn_srcdir) -I$(compat_srcdir) buffer_testdriver_LDFLAGS = @TEST_LDFLAGS@ -L$(openvpn_srcdir) -Wl,--wrap=parse_line buffer_testdriver_SOURCES = test_buffer.c mock_msg.c \ $(openvpn_srcdir)/buffer.c \ $(openvpn_srcdir)/platform.c packet_id_testdriver_CFLAGS = @TEST_CFLAGS@ \ -I$(openvpn_includedir) -I$(compat_srcdir) -I$(openvpn_srcdir) \ $(OPTIONAL_CRYPTO_CFLAGS) packet_id_testdriver_LDFLAGS = @TEST_LDFLAGS@ \ $(OPTIONAL_CRYPTO_LIBS) packet_id_testdriver_SOURCES = test_packet_id.c mock_msg.c \ $(openvpn_srcdir)/buffer.c \ $(openvpn_srcdir)/otime.c \ $(openvpn_srcdir)/packet_id.c \ $(openvpn_srcdir)/platform.c tls_crypt_testdriver_CFLAGS = @TEST_CFLAGS@ \ -I$(openvpn_includedir) -I$(compat_srcdir) -I$(openvpn_srcdir) \ $(OPTIONAL_CRYPTO_CFLAGS) tls_crypt_testdriver_LDFLAGS = @TEST_LDFLAGS@ \ $(OPTIONAL_CRYPTO_LIBS) tls_crypt_testdriver_SOURCES = test_tls_crypt.c mock_msg.c \ $(openvpn_srcdir)/buffer.c \ $(openvpn_srcdir)/crypto.c \ $(openvpn_srcdir)/crypto_mbedtls.c \ $(openvpn_srcdir)/crypto_openssl.c \ $(openvpn_srcdir)/otime.c \ $(openvpn_srcdir)/packet_id.c \ $(openvpn_srcdir)/platform.c all: all-am .SUFFIXES: .SUFFIXES: .c .lo .o .obj $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) @for dep in $?; do \ case '$(am__configure_deps)' in \ *$$dep*) \ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ && { if test -f $@; then exit 0; else break; fi; }; \ exit 1;; \ esac; \ done; \ echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign tests/unit_tests/openvpn/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --foreign tests/unit_tests/openvpn/Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ *) \ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(top_srcdir)/configure: $(am__configure_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(ACLOCAL_M4): $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(am__aclocal_m4_deps): clean-checkPROGRAMS: @list='$(check_PROGRAMS)'; test -n "$$list" || exit 0; \ echo " rm -f" $$list; \ rm -f $$list || exit $$?; \ test -n "$(EXEEXT)" || exit 0; \ list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \ echo " rm -f" $$list; \ rm -f $$list argv_testdriver$(EXEEXT): $(argv_testdriver_OBJECTS) $(argv_testdriver_DEPENDENCIES) $(EXTRA_argv_testdriver_DEPENDENCIES) @rm -f argv_testdriver$(EXEEXT) $(AM_V_CCLD)$(argv_testdriver_LINK) $(argv_testdriver_OBJECTS) $(argv_testdriver_LDADD) $(LIBS) buffer_testdriver$(EXEEXT): $(buffer_testdriver_OBJECTS) $(buffer_testdriver_DEPENDENCIES) $(EXTRA_buffer_testdriver_DEPENDENCIES) @rm -f buffer_testdriver$(EXEEXT) $(AM_V_CCLD)$(buffer_testdriver_LINK) $(buffer_testdriver_OBJECTS) $(buffer_testdriver_LDADD) $(LIBS) packet_id_testdriver$(EXEEXT): $(packet_id_testdriver_OBJECTS) $(packet_id_testdriver_DEPENDENCIES) $(EXTRA_packet_id_testdriver_DEPENDENCIES) @rm -f packet_id_testdriver$(EXEEXT) $(AM_V_CCLD)$(packet_id_testdriver_LINK) $(packet_id_testdriver_OBJECTS) $(packet_id_testdriver_LDADD) $(LIBS) tls_crypt_testdriver$(EXEEXT): $(tls_crypt_testdriver_OBJECTS) $(tls_crypt_testdriver_DEPENDENCIES) $(EXTRA_tls_crypt_testdriver_DEPENDENCIES) @rm -f tls_crypt_testdriver$(EXEEXT) $(AM_V_CCLD)$(tls_crypt_testdriver_LINK) $(tls_crypt_testdriver_OBJECTS) $(tls_crypt_testdriver_LDADD) $(LIBS) mostlyclean-compile: -rm -f *.$(OBJEXT) distclean-compile: -rm -f *.tab.c @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/argv_testdriver-argv.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/argv_testdriver-buffer.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/argv_testdriver-mock_msg.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/argv_testdriver-platform.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/argv_testdriver-test_argv.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/buffer_testdriver-buffer.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/buffer_testdriver-mock_msg.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/buffer_testdriver-platform.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/buffer_testdriver-test_buffer.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/packet_id_testdriver-buffer.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/packet_id_testdriver-mock_msg.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/packet_id_testdriver-otime.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/packet_id_testdriver-packet_id.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/packet_id_testdriver-platform.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/packet_id_testdriver-test_packet_id.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tls_crypt_testdriver-buffer.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tls_crypt_testdriver-crypto.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tls_crypt_testdriver-crypto_mbedtls.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tls_crypt_testdriver-crypto_openssl.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tls_crypt_testdriver-mock_msg.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tls_crypt_testdriver-otime.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tls_crypt_testdriver-packet_id.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tls_crypt_testdriver-platform.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tls_crypt_testdriver-test_tls_crypt.Po@am__quote@ .c.o: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< .c.obj: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` .c.lo: @am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $< argv_testdriver-test_argv.o: test_argv.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(argv_testdriver_CFLAGS) $(CFLAGS) -MT argv_testdriver-test_argv.o -MD -MP -MF $(DEPDIR)/argv_testdriver-test_argv.Tpo -c -o argv_testdriver-test_argv.o `test -f 'test_argv.c' || echo '$(srcdir)/'`test_argv.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/argv_testdriver-test_argv.Tpo $(DEPDIR)/argv_testdriver-test_argv.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='test_argv.c' object='argv_testdriver-test_argv.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(argv_testdriver_CFLAGS) $(CFLAGS) -c -o argv_testdriver-test_argv.o `test -f 'test_argv.c' || echo '$(srcdir)/'`test_argv.c argv_testdriver-test_argv.obj: test_argv.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(argv_testdriver_CFLAGS) $(CFLAGS) -MT argv_testdriver-test_argv.obj -MD -MP -MF $(DEPDIR)/argv_testdriver-test_argv.Tpo -c -o argv_testdriver-test_argv.obj `if test -f 'test_argv.c'; then $(CYGPATH_W) 'test_argv.c'; else $(CYGPATH_W) '$(srcdir)/test_argv.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/argv_testdriver-test_argv.Tpo $(DEPDIR)/argv_testdriver-test_argv.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='test_argv.c' object='argv_testdriver-test_argv.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(argv_testdriver_CFLAGS) $(CFLAGS) -c -o argv_testdriver-test_argv.obj `if test -f 'test_argv.c'; then $(CYGPATH_W) 'test_argv.c'; else $(CYGPATH_W) '$(srcdir)/test_argv.c'; fi` argv_testdriver-mock_msg.o: mock_msg.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(argv_testdriver_CFLAGS) $(CFLAGS) -MT argv_testdriver-mock_msg.o -MD -MP -MF $(DEPDIR)/argv_testdriver-mock_msg.Tpo -c -o argv_testdriver-mock_msg.o `test -f 'mock_msg.c' || echo '$(srcdir)/'`mock_msg.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/argv_testdriver-mock_msg.Tpo $(DEPDIR)/argv_testdriver-mock_msg.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='mock_msg.c' object='argv_testdriver-mock_msg.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(argv_testdriver_CFLAGS) $(CFLAGS) -c -o argv_testdriver-mock_msg.o `test -f 'mock_msg.c' || echo '$(srcdir)/'`mock_msg.c argv_testdriver-mock_msg.obj: mock_msg.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(argv_testdriver_CFLAGS) $(CFLAGS) -MT argv_testdriver-mock_msg.obj -MD -MP -MF $(DEPDIR)/argv_testdriver-mock_msg.Tpo -c -o argv_testdriver-mock_msg.obj `if test -f 'mock_msg.c'; then $(CYGPATH_W) 'mock_msg.c'; else $(CYGPATH_W) '$(srcdir)/mock_msg.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/argv_testdriver-mock_msg.Tpo $(DEPDIR)/argv_testdriver-mock_msg.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='mock_msg.c' object='argv_testdriver-mock_msg.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(argv_testdriver_CFLAGS) $(CFLAGS) -c -o argv_testdriver-mock_msg.obj `if test -f 'mock_msg.c'; then $(CYGPATH_W) 'mock_msg.c'; else $(CYGPATH_W) '$(srcdir)/mock_msg.c'; fi` argv_testdriver-platform.o: $(openvpn_srcdir)/platform.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(argv_testdriver_CFLAGS) $(CFLAGS) -MT argv_testdriver-platform.o -MD -MP -MF $(DEPDIR)/argv_testdriver-platform.Tpo -c -o argv_testdriver-platform.o `test -f '$(openvpn_srcdir)/platform.c' || echo '$(srcdir)/'`$(openvpn_srcdir)/platform.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/argv_testdriver-platform.Tpo $(DEPDIR)/argv_testdriver-platform.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$(openvpn_srcdir)/platform.c' object='argv_testdriver-platform.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(argv_testdriver_CFLAGS) $(CFLAGS) -c -o argv_testdriver-platform.o `test -f '$(openvpn_srcdir)/platform.c' || echo '$(srcdir)/'`$(openvpn_srcdir)/platform.c argv_testdriver-platform.obj: $(openvpn_srcdir)/platform.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(argv_testdriver_CFLAGS) $(CFLAGS) -MT argv_testdriver-platform.obj -MD -MP -MF $(DEPDIR)/argv_testdriver-platform.Tpo -c -o argv_testdriver-platform.obj `if test -f '$(openvpn_srcdir)/platform.c'; then $(CYGPATH_W) '$(openvpn_srcdir)/platform.c'; else $(CYGPATH_W) '$(srcdir)/$(openvpn_srcdir)/platform.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/argv_testdriver-platform.Tpo $(DEPDIR)/argv_testdriver-platform.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$(openvpn_srcdir)/platform.c' object='argv_testdriver-platform.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(argv_testdriver_CFLAGS) $(CFLAGS) -c -o argv_testdriver-platform.obj `if test -f '$(openvpn_srcdir)/platform.c'; then $(CYGPATH_W) '$(openvpn_srcdir)/platform.c'; else $(CYGPATH_W) '$(srcdir)/$(openvpn_srcdir)/platform.c'; fi` argv_testdriver-buffer.o: $(openvpn_srcdir)/buffer.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(argv_testdriver_CFLAGS) $(CFLAGS) -MT argv_testdriver-buffer.o -MD -MP -MF $(DEPDIR)/argv_testdriver-buffer.Tpo -c -o argv_testdriver-buffer.o `test -f '$(openvpn_srcdir)/buffer.c' || echo '$(srcdir)/'`$(openvpn_srcdir)/buffer.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/argv_testdriver-buffer.Tpo $(DEPDIR)/argv_testdriver-buffer.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$(openvpn_srcdir)/buffer.c' object='argv_testdriver-buffer.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(argv_testdriver_CFLAGS) $(CFLAGS) -c -o argv_testdriver-buffer.o `test -f '$(openvpn_srcdir)/buffer.c' || echo '$(srcdir)/'`$(openvpn_srcdir)/buffer.c argv_testdriver-buffer.obj: $(openvpn_srcdir)/buffer.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(argv_testdriver_CFLAGS) $(CFLAGS) -MT argv_testdriver-buffer.obj -MD -MP -MF $(DEPDIR)/argv_testdriver-buffer.Tpo -c -o argv_testdriver-buffer.obj `if test -f '$(openvpn_srcdir)/buffer.c'; then $(CYGPATH_W) '$(openvpn_srcdir)/buffer.c'; else $(CYGPATH_W) '$(srcdir)/$(openvpn_srcdir)/buffer.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/argv_testdriver-buffer.Tpo $(DEPDIR)/argv_testdriver-buffer.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$(openvpn_srcdir)/buffer.c' object='argv_testdriver-buffer.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(argv_testdriver_CFLAGS) $(CFLAGS) -c -o argv_testdriver-buffer.obj `if test -f '$(openvpn_srcdir)/buffer.c'; then $(CYGPATH_W) '$(openvpn_srcdir)/buffer.c'; else $(CYGPATH_W) '$(srcdir)/$(openvpn_srcdir)/buffer.c'; fi` argv_testdriver-argv.o: $(openvpn_srcdir)/argv.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(argv_testdriver_CFLAGS) $(CFLAGS) -MT argv_testdriver-argv.o -MD -MP -MF $(DEPDIR)/argv_testdriver-argv.Tpo -c -o argv_testdriver-argv.o `test -f '$(openvpn_srcdir)/argv.c' || echo '$(srcdir)/'`$(openvpn_srcdir)/argv.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/argv_testdriver-argv.Tpo $(DEPDIR)/argv_testdriver-argv.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$(openvpn_srcdir)/argv.c' object='argv_testdriver-argv.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(argv_testdriver_CFLAGS) $(CFLAGS) -c -o argv_testdriver-argv.o `test -f '$(openvpn_srcdir)/argv.c' || echo '$(srcdir)/'`$(openvpn_srcdir)/argv.c argv_testdriver-argv.obj: $(openvpn_srcdir)/argv.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(argv_testdriver_CFLAGS) $(CFLAGS) -MT argv_testdriver-argv.obj -MD -MP -MF $(DEPDIR)/argv_testdriver-argv.Tpo -c -o argv_testdriver-argv.obj `if test -f '$(openvpn_srcdir)/argv.c'; then $(CYGPATH_W) '$(openvpn_srcdir)/argv.c'; else $(CYGPATH_W) '$(srcdir)/$(openvpn_srcdir)/argv.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/argv_testdriver-argv.Tpo $(DEPDIR)/argv_testdriver-argv.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$(openvpn_srcdir)/argv.c' object='argv_testdriver-argv.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(argv_testdriver_CFLAGS) $(CFLAGS) -c -o argv_testdriver-argv.obj `if test -f '$(openvpn_srcdir)/argv.c'; then $(CYGPATH_W) '$(openvpn_srcdir)/argv.c'; else $(CYGPATH_W) '$(srcdir)/$(openvpn_srcdir)/argv.c'; fi` buffer_testdriver-test_buffer.o: test_buffer.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(buffer_testdriver_CFLAGS) $(CFLAGS) -MT buffer_testdriver-test_buffer.o -MD -MP -MF $(DEPDIR)/buffer_testdriver-test_buffer.Tpo -c -o buffer_testdriver-test_buffer.o `test -f 'test_buffer.c' || echo '$(srcdir)/'`test_buffer.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/buffer_testdriver-test_buffer.Tpo $(DEPDIR)/buffer_testdriver-test_buffer.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='test_buffer.c' object='buffer_testdriver-test_buffer.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(buffer_testdriver_CFLAGS) $(CFLAGS) -c -o buffer_testdriver-test_buffer.o `test -f 'test_buffer.c' || echo '$(srcdir)/'`test_buffer.c buffer_testdriver-test_buffer.obj: test_buffer.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(buffer_testdriver_CFLAGS) $(CFLAGS) -MT buffer_testdriver-test_buffer.obj -MD -MP -MF $(DEPDIR)/buffer_testdriver-test_buffer.Tpo -c -o buffer_testdriver-test_buffer.obj `if test -f 'test_buffer.c'; then $(CYGPATH_W) 'test_buffer.c'; else $(CYGPATH_W) '$(srcdir)/test_buffer.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/buffer_testdriver-test_buffer.Tpo $(DEPDIR)/buffer_testdriver-test_buffer.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='test_buffer.c' object='buffer_testdriver-test_buffer.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(buffer_testdriver_CFLAGS) $(CFLAGS) -c -o buffer_testdriver-test_buffer.obj `if test -f 'test_buffer.c'; then $(CYGPATH_W) 'test_buffer.c'; else $(CYGPATH_W) '$(srcdir)/test_buffer.c'; fi` buffer_testdriver-mock_msg.o: mock_msg.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(buffer_testdriver_CFLAGS) $(CFLAGS) -MT buffer_testdriver-mock_msg.o -MD -MP -MF $(DEPDIR)/buffer_testdriver-mock_msg.Tpo -c -o buffer_testdriver-mock_msg.o `test -f 'mock_msg.c' || echo '$(srcdir)/'`mock_msg.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/buffer_testdriver-mock_msg.Tpo $(DEPDIR)/buffer_testdriver-mock_msg.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='mock_msg.c' object='buffer_testdriver-mock_msg.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(buffer_testdriver_CFLAGS) $(CFLAGS) -c -o buffer_testdriver-mock_msg.o `test -f 'mock_msg.c' || echo '$(srcdir)/'`mock_msg.c buffer_testdriver-mock_msg.obj: mock_msg.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(buffer_testdriver_CFLAGS) $(CFLAGS) -MT buffer_testdriver-mock_msg.obj -MD -MP -MF $(DEPDIR)/buffer_testdriver-mock_msg.Tpo -c -o buffer_testdriver-mock_msg.obj `if test -f 'mock_msg.c'; then $(CYGPATH_W) 'mock_msg.c'; else $(CYGPATH_W) '$(srcdir)/mock_msg.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/buffer_testdriver-mock_msg.Tpo $(DEPDIR)/buffer_testdriver-mock_msg.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='mock_msg.c' object='buffer_testdriver-mock_msg.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(buffer_testdriver_CFLAGS) $(CFLAGS) -c -o buffer_testdriver-mock_msg.obj `if test -f 'mock_msg.c'; then $(CYGPATH_W) 'mock_msg.c'; else $(CYGPATH_W) '$(srcdir)/mock_msg.c'; fi` buffer_testdriver-buffer.o: $(openvpn_srcdir)/buffer.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(buffer_testdriver_CFLAGS) $(CFLAGS) -MT buffer_testdriver-buffer.o -MD -MP -MF $(DEPDIR)/buffer_testdriver-buffer.Tpo -c -o buffer_testdriver-buffer.o `test -f '$(openvpn_srcdir)/buffer.c' || echo '$(srcdir)/'`$(openvpn_srcdir)/buffer.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/buffer_testdriver-buffer.Tpo $(DEPDIR)/buffer_testdriver-buffer.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$(openvpn_srcdir)/buffer.c' object='buffer_testdriver-buffer.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(buffer_testdriver_CFLAGS) $(CFLAGS) -c -o buffer_testdriver-buffer.o `test -f '$(openvpn_srcdir)/buffer.c' || echo '$(srcdir)/'`$(openvpn_srcdir)/buffer.c buffer_testdriver-buffer.obj: $(openvpn_srcdir)/buffer.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(buffer_testdriver_CFLAGS) $(CFLAGS) -MT buffer_testdriver-buffer.obj -MD -MP -MF $(DEPDIR)/buffer_testdriver-buffer.Tpo -c -o buffer_testdriver-buffer.obj `if test -f '$(openvpn_srcdir)/buffer.c'; then $(CYGPATH_W) '$(openvpn_srcdir)/buffer.c'; else $(CYGPATH_W) '$(srcdir)/$(openvpn_srcdir)/buffer.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/buffer_testdriver-buffer.Tpo $(DEPDIR)/buffer_testdriver-buffer.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$(openvpn_srcdir)/buffer.c' object='buffer_testdriver-buffer.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(buffer_testdriver_CFLAGS) $(CFLAGS) -c -o buffer_testdriver-buffer.obj `if test -f '$(openvpn_srcdir)/buffer.c'; then $(CYGPATH_W) '$(openvpn_srcdir)/buffer.c'; else $(CYGPATH_W) '$(srcdir)/$(openvpn_srcdir)/buffer.c'; fi` buffer_testdriver-platform.o: $(openvpn_srcdir)/platform.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(buffer_testdriver_CFLAGS) $(CFLAGS) -MT buffer_testdriver-platform.o -MD -MP -MF $(DEPDIR)/buffer_testdriver-platform.Tpo -c -o buffer_testdriver-platform.o `test -f '$(openvpn_srcdir)/platform.c' || echo '$(srcdir)/'`$(openvpn_srcdir)/platform.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/buffer_testdriver-platform.Tpo $(DEPDIR)/buffer_testdriver-platform.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$(openvpn_srcdir)/platform.c' object='buffer_testdriver-platform.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(buffer_testdriver_CFLAGS) $(CFLAGS) -c -o buffer_testdriver-platform.o `test -f '$(openvpn_srcdir)/platform.c' || echo '$(srcdir)/'`$(openvpn_srcdir)/platform.c buffer_testdriver-platform.obj: $(openvpn_srcdir)/platform.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(buffer_testdriver_CFLAGS) $(CFLAGS) -MT buffer_testdriver-platform.obj -MD -MP -MF $(DEPDIR)/buffer_testdriver-platform.Tpo -c -o buffer_testdriver-platform.obj `if test -f '$(openvpn_srcdir)/platform.c'; then $(CYGPATH_W) '$(openvpn_srcdir)/platform.c'; else $(CYGPATH_W) '$(srcdir)/$(openvpn_srcdir)/platform.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/buffer_testdriver-platform.Tpo $(DEPDIR)/buffer_testdriver-platform.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$(openvpn_srcdir)/platform.c' object='buffer_testdriver-platform.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(buffer_testdriver_CFLAGS) $(CFLAGS) -c -o buffer_testdriver-platform.obj `if test -f '$(openvpn_srcdir)/platform.c'; then $(CYGPATH_W) '$(openvpn_srcdir)/platform.c'; else $(CYGPATH_W) '$(srcdir)/$(openvpn_srcdir)/platform.c'; fi` packet_id_testdriver-test_packet_id.o: test_packet_id.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(packet_id_testdriver_CFLAGS) $(CFLAGS) -MT packet_id_testdriver-test_packet_id.o -MD -MP -MF $(DEPDIR)/packet_id_testdriver-test_packet_id.Tpo -c -o packet_id_testdriver-test_packet_id.o `test -f 'test_packet_id.c' || echo '$(srcdir)/'`test_packet_id.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/packet_id_testdriver-test_packet_id.Tpo $(DEPDIR)/packet_id_testdriver-test_packet_id.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='test_packet_id.c' object='packet_id_testdriver-test_packet_id.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(packet_id_testdriver_CFLAGS) $(CFLAGS) -c -o packet_id_testdriver-test_packet_id.o `test -f 'test_packet_id.c' || echo '$(srcdir)/'`test_packet_id.c packet_id_testdriver-test_packet_id.obj: test_packet_id.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(packet_id_testdriver_CFLAGS) $(CFLAGS) -MT packet_id_testdriver-test_packet_id.obj -MD -MP -MF $(DEPDIR)/packet_id_testdriver-test_packet_id.Tpo -c -o packet_id_testdriver-test_packet_id.obj `if test -f 'test_packet_id.c'; then $(CYGPATH_W) 'test_packet_id.c'; else $(CYGPATH_W) '$(srcdir)/test_packet_id.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/packet_id_testdriver-test_packet_id.Tpo $(DEPDIR)/packet_id_testdriver-test_packet_id.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='test_packet_id.c' object='packet_id_testdriver-test_packet_id.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(packet_id_testdriver_CFLAGS) $(CFLAGS) -c -o packet_id_testdriver-test_packet_id.obj `if test -f 'test_packet_id.c'; then $(CYGPATH_W) 'test_packet_id.c'; else $(CYGPATH_W) '$(srcdir)/test_packet_id.c'; fi` packet_id_testdriver-mock_msg.o: mock_msg.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(packet_id_testdriver_CFLAGS) $(CFLAGS) -MT packet_id_testdriver-mock_msg.o -MD -MP -MF $(DEPDIR)/packet_id_testdriver-mock_msg.Tpo -c -o packet_id_testdriver-mock_msg.o `test -f 'mock_msg.c' || echo '$(srcdir)/'`mock_msg.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/packet_id_testdriver-mock_msg.Tpo $(DEPDIR)/packet_id_testdriver-mock_msg.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='mock_msg.c' object='packet_id_testdriver-mock_msg.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(packet_id_testdriver_CFLAGS) $(CFLAGS) -c -o packet_id_testdriver-mock_msg.o `test -f 'mock_msg.c' || echo '$(srcdir)/'`mock_msg.c packet_id_testdriver-mock_msg.obj: mock_msg.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(packet_id_testdriver_CFLAGS) $(CFLAGS) -MT packet_id_testdriver-mock_msg.obj -MD -MP -MF $(DEPDIR)/packet_id_testdriver-mock_msg.Tpo -c -o packet_id_testdriver-mock_msg.obj `if test -f 'mock_msg.c'; then $(CYGPATH_W) 'mock_msg.c'; else $(CYGPATH_W) '$(srcdir)/mock_msg.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/packet_id_testdriver-mock_msg.Tpo $(DEPDIR)/packet_id_testdriver-mock_msg.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='mock_msg.c' object='packet_id_testdriver-mock_msg.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(packet_id_testdriver_CFLAGS) $(CFLAGS) -c -o packet_id_testdriver-mock_msg.obj `if test -f 'mock_msg.c'; then $(CYGPATH_W) 'mock_msg.c'; else $(CYGPATH_W) '$(srcdir)/mock_msg.c'; fi` packet_id_testdriver-buffer.o: $(openvpn_srcdir)/buffer.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(packet_id_testdriver_CFLAGS) $(CFLAGS) -MT packet_id_testdriver-buffer.o -MD -MP -MF $(DEPDIR)/packet_id_testdriver-buffer.Tpo -c -o packet_id_testdriver-buffer.o `test -f '$(openvpn_srcdir)/buffer.c' || echo '$(srcdir)/'`$(openvpn_srcdir)/buffer.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/packet_id_testdriver-buffer.Tpo $(DEPDIR)/packet_id_testdriver-buffer.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$(openvpn_srcdir)/buffer.c' object='packet_id_testdriver-buffer.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(packet_id_testdriver_CFLAGS) $(CFLAGS) -c -o packet_id_testdriver-buffer.o `test -f '$(openvpn_srcdir)/buffer.c' || echo '$(srcdir)/'`$(openvpn_srcdir)/buffer.c packet_id_testdriver-buffer.obj: $(openvpn_srcdir)/buffer.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(packet_id_testdriver_CFLAGS) $(CFLAGS) -MT packet_id_testdriver-buffer.obj -MD -MP -MF $(DEPDIR)/packet_id_testdriver-buffer.Tpo -c -o packet_id_testdriver-buffer.obj `if test -f '$(openvpn_srcdir)/buffer.c'; then $(CYGPATH_W) '$(openvpn_srcdir)/buffer.c'; else $(CYGPATH_W) '$(srcdir)/$(openvpn_srcdir)/buffer.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/packet_id_testdriver-buffer.Tpo $(DEPDIR)/packet_id_testdriver-buffer.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$(openvpn_srcdir)/buffer.c' object='packet_id_testdriver-buffer.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(packet_id_testdriver_CFLAGS) $(CFLAGS) -c -o packet_id_testdriver-buffer.obj `if test -f '$(openvpn_srcdir)/buffer.c'; then $(CYGPATH_W) '$(openvpn_srcdir)/buffer.c'; else $(CYGPATH_W) '$(srcdir)/$(openvpn_srcdir)/buffer.c'; fi` packet_id_testdriver-otime.o: $(openvpn_srcdir)/otime.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(packet_id_testdriver_CFLAGS) $(CFLAGS) -MT packet_id_testdriver-otime.o -MD -MP -MF $(DEPDIR)/packet_id_testdriver-otime.Tpo -c -o packet_id_testdriver-otime.o `test -f '$(openvpn_srcdir)/otime.c' || echo '$(srcdir)/'`$(openvpn_srcdir)/otime.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/packet_id_testdriver-otime.Tpo $(DEPDIR)/packet_id_testdriver-otime.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$(openvpn_srcdir)/otime.c' object='packet_id_testdriver-otime.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(packet_id_testdriver_CFLAGS) $(CFLAGS) -c -o packet_id_testdriver-otime.o `test -f '$(openvpn_srcdir)/otime.c' || echo '$(srcdir)/'`$(openvpn_srcdir)/otime.c packet_id_testdriver-otime.obj: $(openvpn_srcdir)/otime.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(packet_id_testdriver_CFLAGS) $(CFLAGS) -MT packet_id_testdriver-otime.obj -MD -MP -MF $(DEPDIR)/packet_id_testdriver-otime.Tpo -c -o packet_id_testdriver-otime.obj `if test -f '$(openvpn_srcdir)/otime.c'; then $(CYGPATH_W) '$(openvpn_srcdir)/otime.c'; else $(CYGPATH_W) '$(srcdir)/$(openvpn_srcdir)/otime.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/packet_id_testdriver-otime.Tpo $(DEPDIR)/packet_id_testdriver-otime.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$(openvpn_srcdir)/otime.c' object='packet_id_testdriver-otime.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(packet_id_testdriver_CFLAGS) $(CFLAGS) -c -o packet_id_testdriver-otime.obj `if test -f '$(openvpn_srcdir)/otime.c'; then $(CYGPATH_W) '$(openvpn_srcdir)/otime.c'; else $(CYGPATH_W) '$(srcdir)/$(openvpn_srcdir)/otime.c'; fi` packet_id_testdriver-packet_id.o: $(openvpn_srcdir)/packet_id.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(packet_id_testdriver_CFLAGS) $(CFLAGS) -MT packet_id_testdriver-packet_id.o -MD -MP -MF $(DEPDIR)/packet_id_testdriver-packet_id.Tpo -c -o packet_id_testdriver-packet_id.o `test -f '$(openvpn_srcdir)/packet_id.c' || echo '$(srcdir)/'`$(openvpn_srcdir)/packet_id.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/packet_id_testdriver-packet_id.Tpo $(DEPDIR)/packet_id_testdriver-packet_id.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$(openvpn_srcdir)/packet_id.c' object='packet_id_testdriver-packet_id.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(packet_id_testdriver_CFLAGS) $(CFLAGS) -c -o packet_id_testdriver-packet_id.o `test -f '$(openvpn_srcdir)/packet_id.c' || echo '$(srcdir)/'`$(openvpn_srcdir)/packet_id.c packet_id_testdriver-packet_id.obj: $(openvpn_srcdir)/packet_id.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(packet_id_testdriver_CFLAGS) $(CFLAGS) -MT packet_id_testdriver-packet_id.obj -MD -MP -MF $(DEPDIR)/packet_id_testdriver-packet_id.Tpo -c -o packet_id_testdriver-packet_id.obj `if test -f '$(openvpn_srcdir)/packet_id.c'; then $(CYGPATH_W) '$(openvpn_srcdir)/packet_id.c'; else $(CYGPATH_W) '$(srcdir)/$(openvpn_srcdir)/packet_id.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/packet_id_testdriver-packet_id.Tpo $(DEPDIR)/packet_id_testdriver-packet_id.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$(openvpn_srcdir)/packet_id.c' object='packet_id_testdriver-packet_id.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(packet_id_testdriver_CFLAGS) $(CFLAGS) -c -o packet_id_testdriver-packet_id.obj `if test -f '$(openvpn_srcdir)/packet_id.c'; then $(CYGPATH_W) '$(openvpn_srcdir)/packet_id.c'; else $(CYGPATH_W) '$(srcdir)/$(openvpn_srcdir)/packet_id.c'; fi` packet_id_testdriver-platform.o: $(openvpn_srcdir)/platform.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(packet_id_testdriver_CFLAGS) $(CFLAGS) -MT packet_id_testdriver-platform.o -MD -MP -MF $(DEPDIR)/packet_id_testdriver-platform.Tpo -c -o packet_id_testdriver-platform.o `test -f '$(openvpn_srcdir)/platform.c' || echo '$(srcdir)/'`$(openvpn_srcdir)/platform.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/packet_id_testdriver-platform.Tpo $(DEPDIR)/packet_id_testdriver-platform.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$(openvpn_srcdir)/platform.c' object='packet_id_testdriver-platform.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(packet_id_testdriver_CFLAGS) $(CFLAGS) -c -o packet_id_testdriver-platform.o `test -f '$(openvpn_srcdir)/platform.c' || echo '$(srcdir)/'`$(openvpn_srcdir)/platform.c packet_id_testdriver-platform.obj: $(openvpn_srcdir)/platform.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(packet_id_testdriver_CFLAGS) $(CFLAGS) -MT packet_id_testdriver-platform.obj -MD -MP -MF $(DEPDIR)/packet_id_testdriver-platform.Tpo -c -o packet_id_testdriver-platform.obj `if test -f '$(openvpn_srcdir)/platform.c'; then $(CYGPATH_W) '$(openvpn_srcdir)/platform.c'; else $(CYGPATH_W) '$(srcdir)/$(openvpn_srcdir)/platform.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/packet_id_testdriver-platform.Tpo $(DEPDIR)/packet_id_testdriver-platform.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$(openvpn_srcdir)/platform.c' object='packet_id_testdriver-platform.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(packet_id_testdriver_CFLAGS) $(CFLAGS) -c -o packet_id_testdriver-platform.obj `if test -f '$(openvpn_srcdir)/platform.c'; then $(CYGPATH_W) '$(openvpn_srcdir)/platform.c'; else $(CYGPATH_W) '$(srcdir)/$(openvpn_srcdir)/platform.c'; fi` tls_crypt_testdriver-test_tls_crypt.o: test_tls_crypt.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tls_crypt_testdriver_CFLAGS) $(CFLAGS) -MT tls_crypt_testdriver-test_tls_crypt.o -MD -MP -MF $(DEPDIR)/tls_crypt_testdriver-test_tls_crypt.Tpo -c -o tls_crypt_testdriver-test_tls_crypt.o `test -f 'test_tls_crypt.c' || echo '$(srcdir)/'`test_tls_crypt.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/tls_crypt_testdriver-test_tls_crypt.Tpo $(DEPDIR)/tls_crypt_testdriver-test_tls_crypt.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='test_tls_crypt.c' object='tls_crypt_testdriver-test_tls_crypt.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tls_crypt_testdriver_CFLAGS) $(CFLAGS) -c -o tls_crypt_testdriver-test_tls_crypt.o `test -f 'test_tls_crypt.c' || echo '$(srcdir)/'`test_tls_crypt.c tls_crypt_testdriver-test_tls_crypt.obj: test_tls_crypt.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tls_crypt_testdriver_CFLAGS) $(CFLAGS) -MT tls_crypt_testdriver-test_tls_crypt.obj -MD -MP -MF $(DEPDIR)/tls_crypt_testdriver-test_tls_crypt.Tpo -c -o tls_crypt_testdriver-test_tls_crypt.obj `if test -f 'test_tls_crypt.c'; then $(CYGPATH_W) 'test_tls_crypt.c'; else $(CYGPATH_W) '$(srcdir)/test_tls_crypt.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/tls_crypt_testdriver-test_tls_crypt.Tpo $(DEPDIR)/tls_crypt_testdriver-test_tls_crypt.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='test_tls_crypt.c' object='tls_crypt_testdriver-test_tls_crypt.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tls_crypt_testdriver_CFLAGS) $(CFLAGS) -c -o tls_crypt_testdriver-test_tls_crypt.obj `if test -f 'test_tls_crypt.c'; then $(CYGPATH_W) 'test_tls_crypt.c'; else $(CYGPATH_W) '$(srcdir)/test_tls_crypt.c'; fi` tls_crypt_testdriver-mock_msg.o: mock_msg.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tls_crypt_testdriver_CFLAGS) $(CFLAGS) -MT tls_crypt_testdriver-mock_msg.o -MD -MP -MF $(DEPDIR)/tls_crypt_testdriver-mock_msg.Tpo -c -o tls_crypt_testdriver-mock_msg.o `test -f 'mock_msg.c' || echo '$(srcdir)/'`mock_msg.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/tls_crypt_testdriver-mock_msg.Tpo $(DEPDIR)/tls_crypt_testdriver-mock_msg.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='mock_msg.c' object='tls_crypt_testdriver-mock_msg.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tls_crypt_testdriver_CFLAGS) $(CFLAGS) -c -o tls_crypt_testdriver-mock_msg.o `test -f 'mock_msg.c' || echo '$(srcdir)/'`mock_msg.c tls_crypt_testdriver-mock_msg.obj: mock_msg.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tls_crypt_testdriver_CFLAGS) $(CFLAGS) -MT tls_crypt_testdriver-mock_msg.obj -MD -MP -MF $(DEPDIR)/tls_crypt_testdriver-mock_msg.Tpo -c -o tls_crypt_testdriver-mock_msg.obj `if test -f 'mock_msg.c'; then $(CYGPATH_W) 'mock_msg.c'; else $(CYGPATH_W) '$(srcdir)/mock_msg.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/tls_crypt_testdriver-mock_msg.Tpo $(DEPDIR)/tls_crypt_testdriver-mock_msg.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='mock_msg.c' object='tls_crypt_testdriver-mock_msg.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tls_crypt_testdriver_CFLAGS) $(CFLAGS) -c -o tls_crypt_testdriver-mock_msg.obj `if test -f 'mock_msg.c'; then $(CYGPATH_W) 'mock_msg.c'; else $(CYGPATH_W) '$(srcdir)/mock_msg.c'; fi` tls_crypt_testdriver-buffer.o: $(openvpn_srcdir)/buffer.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tls_crypt_testdriver_CFLAGS) $(CFLAGS) -MT tls_crypt_testdriver-buffer.o -MD -MP -MF $(DEPDIR)/tls_crypt_testdriver-buffer.Tpo -c -o tls_crypt_testdriver-buffer.o `test -f '$(openvpn_srcdir)/buffer.c' || echo '$(srcdir)/'`$(openvpn_srcdir)/buffer.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/tls_crypt_testdriver-buffer.Tpo $(DEPDIR)/tls_crypt_testdriver-buffer.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$(openvpn_srcdir)/buffer.c' object='tls_crypt_testdriver-buffer.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tls_crypt_testdriver_CFLAGS) $(CFLAGS) -c -o tls_crypt_testdriver-buffer.o `test -f '$(openvpn_srcdir)/buffer.c' || echo '$(srcdir)/'`$(openvpn_srcdir)/buffer.c tls_crypt_testdriver-buffer.obj: $(openvpn_srcdir)/buffer.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tls_crypt_testdriver_CFLAGS) $(CFLAGS) -MT tls_crypt_testdriver-buffer.obj -MD -MP -MF $(DEPDIR)/tls_crypt_testdriver-buffer.Tpo -c -o tls_crypt_testdriver-buffer.obj `if test -f '$(openvpn_srcdir)/buffer.c'; then $(CYGPATH_W) '$(openvpn_srcdir)/buffer.c'; else $(CYGPATH_W) '$(srcdir)/$(openvpn_srcdir)/buffer.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/tls_crypt_testdriver-buffer.Tpo $(DEPDIR)/tls_crypt_testdriver-buffer.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$(openvpn_srcdir)/buffer.c' object='tls_crypt_testdriver-buffer.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tls_crypt_testdriver_CFLAGS) $(CFLAGS) -c -o tls_crypt_testdriver-buffer.obj `if test -f '$(openvpn_srcdir)/buffer.c'; then $(CYGPATH_W) '$(openvpn_srcdir)/buffer.c'; else $(CYGPATH_W) '$(srcdir)/$(openvpn_srcdir)/buffer.c'; fi` tls_crypt_testdriver-crypto.o: $(openvpn_srcdir)/crypto.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tls_crypt_testdriver_CFLAGS) $(CFLAGS) -MT tls_crypt_testdriver-crypto.o -MD -MP -MF $(DEPDIR)/tls_crypt_testdriver-crypto.Tpo -c -o tls_crypt_testdriver-crypto.o `test -f '$(openvpn_srcdir)/crypto.c' || echo '$(srcdir)/'`$(openvpn_srcdir)/crypto.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/tls_crypt_testdriver-crypto.Tpo $(DEPDIR)/tls_crypt_testdriver-crypto.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$(openvpn_srcdir)/crypto.c' object='tls_crypt_testdriver-crypto.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tls_crypt_testdriver_CFLAGS) $(CFLAGS) -c -o tls_crypt_testdriver-crypto.o `test -f '$(openvpn_srcdir)/crypto.c' || echo '$(srcdir)/'`$(openvpn_srcdir)/crypto.c tls_crypt_testdriver-crypto.obj: $(openvpn_srcdir)/crypto.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tls_crypt_testdriver_CFLAGS) $(CFLAGS) -MT tls_crypt_testdriver-crypto.obj -MD -MP -MF $(DEPDIR)/tls_crypt_testdriver-crypto.Tpo -c -o tls_crypt_testdriver-crypto.obj `if test -f '$(openvpn_srcdir)/crypto.c'; then $(CYGPATH_W) '$(openvpn_srcdir)/crypto.c'; else $(CYGPATH_W) '$(srcdir)/$(openvpn_srcdir)/crypto.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/tls_crypt_testdriver-crypto.Tpo $(DEPDIR)/tls_crypt_testdriver-crypto.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$(openvpn_srcdir)/crypto.c' object='tls_crypt_testdriver-crypto.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tls_crypt_testdriver_CFLAGS) $(CFLAGS) -c -o tls_crypt_testdriver-crypto.obj `if test -f '$(openvpn_srcdir)/crypto.c'; then $(CYGPATH_W) '$(openvpn_srcdir)/crypto.c'; else $(CYGPATH_W) '$(srcdir)/$(openvpn_srcdir)/crypto.c'; fi` tls_crypt_testdriver-crypto_mbedtls.o: $(openvpn_srcdir)/crypto_mbedtls.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tls_crypt_testdriver_CFLAGS) $(CFLAGS) -MT tls_crypt_testdriver-crypto_mbedtls.o -MD -MP -MF $(DEPDIR)/tls_crypt_testdriver-crypto_mbedtls.Tpo -c -o tls_crypt_testdriver-crypto_mbedtls.o `test -f '$(openvpn_srcdir)/crypto_mbedtls.c' || echo '$(srcdir)/'`$(openvpn_srcdir)/crypto_mbedtls.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/tls_crypt_testdriver-crypto_mbedtls.Tpo $(DEPDIR)/tls_crypt_testdriver-crypto_mbedtls.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$(openvpn_srcdir)/crypto_mbedtls.c' object='tls_crypt_testdriver-crypto_mbedtls.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tls_crypt_testdriver_CFLAGS) $(CFLAGS) -c -o tls_crypt_testdriver-crypto_mbedtls.o `test -f '$(openvpn_srcdir)/crypto_mbedtls.c' || echo '$(srcdir)/'`$(openvpn_srcdir)/crypto_mbedtls.c tls_crypt_testdriver-crypto_mbedtls.obj: $(openvpn_srcdir)/crypto_mbedtls.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tls_crypt_testdriver_CFLAGS) $(CFLAGS) -MT tls_crypt_testdriver-crypto_mbedtls.obj -MD -MP -MF $(DEPDIR)/tls_crypt_testdriver-crypto_mbedtls.Tpo -c -o tls_crypt_testdriver-crypto_mbedtls.obj `if test -f '$(openvpn_srcdir)/crypto_mbedtls.c'; then $(CYGPATH_W) '$(openvpn_srcdir)/crypto_mbedtls.c'; else $(CYGPATH_W) '$(srcdir)/$(openvpn_srcdir)/crypto_mbedtls.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/tls_crypt_testdriver-crypto_mbedtls.Tpo $(DEPDIR)/tls_crypt_testdriver-crypto_mbedtls.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$(openvpn_srcdir)/crypto_mbedtls.c' object='tls_crypt_testdriver-crypto_mbedtls.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tls_crypt_testdriver_CFLAGS) $(CFLAGS) -c -o tls_crypt_testdriver-crypto_mbedtls.obj `if test -f '$(openvpn_srcdir)/crypto_mbedtls.c'; then $(CYGPATH_W) '$(openvpn_srcdir)/crypto_mbedtls.c'; else $(CYGPATH_W) '$(srcdir)/$(openvpn_srcdir)/crypto_mbedtls.c'; fi` tls_crypt_testdriver-crypto_openssl.o: $(openvpn_srcdir)/crypto_openssl.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tls_crypt_testdriver_CFLAGS) $(CFLAGS) -MT tls_crypt_testdriver-crypto_openssl.o -MD -MP -MF $(DEPDIR)/tls_crypt_testdriver-crypto_openssl.Tpo -c -o tls_crypt_testdriver-crypto_openssl.o `test -f '$(openvpn_srcdir)/crypto_openssl.c' || echo '$(srcdir)/'`$(openvpn_srcdir)/crypto_openssl.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/tls_crypt_testdriver-crypto_openssl.Tpo $(DEPDIR)/tls_crypt_testdriver-crypto_openssl.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$(openvpn_srcdir)/crypto_openssl.c' object='tls_crypt_testdriver-crypto_openssl.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tls_crypt_testdriver_CFLAGS) $(CFLAGS) -c -o tls_crypt_testdriver-crypto_openssl.o `test -f '$(openvpn_srcdir)/crypto_openssl.c' || echo '$(srcdir)/'`$(openvpn_srcdir)/crypto_openssl.c tls_crypt_testdriver-crypto_openssl.obj: $(openvpn_srcdir)/crypto_openssl.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tls_crypt_testdriver_CFLAGS) $(CFLAGS) -MT tls_crypt_testdriver-crypto_openssl.obj -MD -MP -MF $(DEPDIR)/tls_crypt_testdriver-crypto_openssl.Tpo -c -o tls_crypt_testdriver-crypto_openssl.obj `if test -f '$(openvpn_srcdir)/crypto_openssl.c'; then $(CYGPATH_W) '$(openvpn_srcdir)/crypto_openssl.c'; else $(CYGPATH_W) '$(srcdir)/$(openvpn_srcdir)/crypto_openssl.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/tls_crypt_testdriver-crypto_openssl.Tpo $(DEPDIR)/tls_crypt_testdriver-crypto_openssl.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$(openvpn_srcdir)/crypto_openssl.c' object='tls_crypt_testdriver-crypto_openssl.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tls_crypt_testdriver_CFLAGS) $(CFLAGS) -c -o tls_crypt_testdriver-crypto_openssl.obj `if test -f '$(openvpn_srcdir)/crypto_openssl.c'; then $(CYGPATH_W) '$(openvpn_srcdir)/crypto_openssl.c'; else $(CYGPATH_W) '$(srcdir)/$(openvpn_srcdir)/crypto_openssl.c'; fi` tls_crypt_testdriver-otime.o: $(openvpn_srcdir)/otime.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tls_crypt_testdriver_CFLAGS) $(CFLAGS) -MT tls_crypt_testdriver-otime.o -MD -MP -MF $(DEPDIR)/tls_crypt_testdriver-otime.Tpo -c -o tls_crypt_testdriver-otime.o `test -f '$(openvpn_srcdir)/otime.c' || echo '$(srcdir)/'`$(openvpn_srcdir)/otime.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/tls_crypt_testdriver-otime.Tpo $(DEPDIR)/tls_crypt_testdriver-otime.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$(openvpn_srcdir)/otime.c' object='tls_crypt_testdriver-otime.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tls_crypt_testdriver_CFLAGS) $(CFLAGS) -c -o tls_crypt_testdriver-otime.o `test -f '$(openvpn_srcdir)/otime.c' || echo '$(srcdir)/'`$(openvpn_srcdir)/otime.c tls_crypt_testdriver-otime.obj: $(openvpn_srcdir)/otime.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tls_crypt_testdriver_CFLAGS) $(CFLAGS) -MT tls_crypt_testdriver-otime.obj -MD -MP -MF $(DEPDIR)/tls_crypt_testdriver-otime.Tpo -c -o tls_crypt_testdriver-otime.obj `if test -f '$(openvpn_srcdir)/otime.c'; then $(CYGPATH_W) '$(openvpn_srcdir)/otime.c'; else $(CYGPATH_W) '$(srcdir)/$(openvpn_srcdir)/otime.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/tls_crypt_testdriver-otime.Tpo $(DEPDIR)/tls_crypt_testdriver-otime.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$(openvpn_srcdir)/otime.c' object='tls_crypt_testdriver-otime.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tls_crypt_testdriver_CFLAGS) $(CFLAGS) -c -o tls_crypt_testdriver-otime.obj `if test -f '$(openvpn_srcdir)/otime.c'; then $(CYGPATH_W) '$(openvpn_srcdir)/otime.c'; else $(CYGPATH_W) '$(srcdir)/$(openvpn_srcdir)/otime.c'; fi` tls_crypt_testdriver-packet_id.o: $(openvpn_srcdir)/packet_id.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tls_crypt_testdriver_CFLAGS) $(CFLAGS) -MT tls_crypt_testdriver-packet_id.o -MD -MP -MF $(DEPDIR)/tls_crypt_testdriver-packet_id.Tpo -c -o tls_crypt_testdriver-packet_id.o `test -f '$(openvpn_srcdir)/packet_id.c' || echo '$(srcdir)/'`$(openvpn_srcdir)/packet_id.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/tls_crypt_testdriver-packet_id.Tpo $(DEPDIR)/tls_crypt_testdriver-packet_id.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$(openvpn_srcdir)/packet_id.c' object='tls_crypt_testdriver-packet_id.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tls_crypt_testdriver_CFLAGS) $(CFLAGS) -c -o tls_crypt_testdriver-packet_id.o `test -f '$(openvpn_srcdir)/packet_id.c' || echo '$(srcdir)/'`$(openvpn_srcdir)/packet_id.c tls_crypt_testdriver-packet_id.obj: $(openvpn_srcdir)/packet_id.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tls_crypt_testdriver_CFLAGS) $(CFLAGS) -MT tls_crypt_testdriver-packet_id.obj -MD -MP -MF $(DEPDIR)/tls_crypt_testdriver-packet_id.Tpo -c -o tls_crypt_testdriver-packet_id.obj `if test -f '$(openvpn_srcdir)/packet_id.c'; then $(CYGPATH_W) '$(openvpn_srcdir)/packet_id.c'; else $(CYGPATH_W) '$(srcdir)/$(openvpn_srcdir)/packet_id.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/tls_crypt_testdriver-packet_id.Tpo $(DEPDIR)/tls_crypt_testdriver-packet_id.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$(openvpn_srcdir)/packet_id.c' object='tls_crypt_testdriver-packet_id.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tls_crypt_testdriver_CFLAGS) $(CFLAGS) -c -o tls_crypt_testdriver-packet_id.obj `if test -f '$(openvpn_srcdir)/packet_id.c'; then $(CYGPATH_W) '$(openvpn_srcdir)/packet_id.c'; else $(CYGPATH_W) '$(srcdir)/$(openvpn_srcdir)/packet_id.c'; fi` tls_crypt_testdriver-platform.o: $(openvpn_srcdir)/platform.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tls_crypt_testdriver_CFLAGS) $(CFLAGS) -MT tls_crypt_testdriver-platform.o -MD -MP -MF $(DEPDIR)/tls_crypt_testdriver-platform.Tpo -c -o tls_crypt_testdriver-platform.o `test -f '$(openvpn_srcdir)/platform.c' || echo '$(srcdir)/'`$(openvpn_srcdir)/platform.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/tls_crypt_testdriver-platform.Tpo $(DEPDIR)/tls_crypt_testdriver-platform.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$(openvpn_srcdir)/platform.c' object='tls_crypt_testdriver-platform.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tls_crypt_testdriver_CFLAGS) $(CFLAGS) -c -o tls_crypt_testdriver-platform.o `test -f '$(openvpn_srcdir)/platform.c' || echo '$(srcdir)/'`$(openvpn_srcdir)/platform.c tls_crypt_testdriver-platform.obj: $(openvpn_srcdir)/platform.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tls_crypt_testdriver_CFLAGS) $(CFLAGS) -MT tls_crypt_testdriver-platform.obj -MD -MP -MF $(DEPDIR)/tls_crypt_testdriver-platform.Tpo -c -o tls_crypt_testdriver-platform.obj `if test -f '$(openvpn_srcdir)/platform.c'; then $(CYGPATH_W) '$(openvpn_srcdir)/platform.c'; else $(CYGPATH_W) '$(srcdir)/$(openvpn_srcdir)/platform.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/tls_crypt_testdriver-platform.Tpo $(DEPDIR)/tls_crypt_testdriver-platform.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$(openvpn_srcdir)/platform.c' object='tls_crypt_testdriver-platform.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tls_crypt_testdriver_CFLAGS) $(CFLAGS) -c -o tls_crypt_testdriver-platform.obj `if test -f '$(openvpn_srcdir)/platform.c'; then $(CYGPATH_W) '$(openvpn_srcdir)/platform.c'; else $(CYGPATH_W) '$(srcdir)/$(openvpn_srcdir)/platform.c'; fi` mostlyclean-libtool: -rm -f *.lo clean-libtool: -rm -rf .libs _libs ID: $(am__tagged_files) $(am__define_uniq_tagged_files); mkid -fID $$unique tags: tags-am TAGS: tags tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) set x; \ here=`pwd`; \ $(am__define_uniq_tagged_files); \ shift; \ if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ test -n "$$unique" || unique=$$empty_fix; \ if test $$# -gt 0; then \ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ "$$@" $$unique; \ else \ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ $$unique; \ fi; \ fi ctags: ctags-am CTAGS: ctags ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) $(am__define_uniq_tagged_files); \ test -z "$(CTAGS_ARGS)$$unique" \ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ $$unique GTAGS: here=`$(am__cd) $(top_builddir) && pwd` \ && $(am__cd) $(top_srcdir) \ && gtags -i $(GTAGS_ARGS) "$$here" cscopelist: cscopelist-am cscopelist-am: $(am__tagged_files) list='$(am__tagged_files)'; \ case "$(srcdir)" in \ [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \ *) sdir=$(subdir)/$(srcdir) ;; \ esac; \ for i in $$list; do \ if test -f "$$i"; then \ echo "$(subdir)/$$i"; \ else \ echo "$$sdir/$$i"; \ fi; \ done >> $(top_builddir)/cscope.files distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags check-TESTS: $(TESTS) @failed=0; all=0; xfail=0; xpass=0; skip=0; \ srcdir=$(srcdir); export srcdir; \ list=' $(TESTS) '; \ $(am__tty_colors); \ if test -n "$$list"; then \ for tst in $$list; do \ if test -f ./$$tst; then dir=./; \ elif test -f $$tst; then dir=; \ else dir="$(srcdir)/"; fi; \ if $(TESTS_ENVIRONMENT) $${dir}$$tst $(AM_TESTS_FD_REDIRECT); then \ all=`expr $$all + 1`; \ case " $(XFAIL_TESTS) " in \ *[\ \ ]$$tst[\ \ ]*) \ xpass=`expr $$xpass + 1`; \ failed=`expr $$failed + 1`; \ col=$$red; res=XPASS; \ ;; \ *) \ col=$$grn; res=PASS; \ ;; \ esac; \ elif test $$? -ne 77; then \ all=`expr $$all + 1`; \ case " $(XFAIL_TESTS) " in \ *[\ \ ]$$tst[\ \ ]*) \ xfail=`expr $$xfail + 1`; \ col=$$lgn; res=XFAIL; \ ;; \ *) \ failed=`expr $$failed + 1`; \ col=$$red; res=FAIL; \ ;; \ esac; \ else \ skip=`expr $$skip + 1`; \ col=$$blu; res=SKIP; \ fi; \ echo "$${col}$$res$${std}: $$tst"; \ done; \ if test "$$all" -eq 1; then \ tests="test"; \ All=""; \ else \ tests="tests"; \ All="All "; \ fi; \ if test "$$failed" -eq 0; then \ if test "$$xfail" -eq 0; then \ banner="$$All$$all $$tests passed"; \ else \ if test "$$xfail" -eq 1; then failures=failure; else failures=failures; fi; \ banner="$$All$$all $$tests behaved as expected ($$xfail expected $$failures)"; \ fi; \ else \ if test "$$xpass" -eq 0; then \ banner="$$failed of $$all $$tests failed"; \ else \ if test "$$xpass" -eq 1; then passes=pass; else passes=passes; fi; \ banner="$$failed of $$all $$tests did not behave as expected ($$xpass unexpected $$passes)"; \ fi; \ fi; \ dashes="$$banner"; \ skipped=""; \ if test "$$skip" -ne 0; then \ if test "$$skip" -eq 1; then \ skipped="($$skip test was not run)"; \ else \ skipped="($$skip tests were not run)"; \ fi; \ test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \ dashes="$$skipped"; \ fi; \ report=""; \ if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \ report="Please report to $(PACKAGE_BUGREPORT)"; \ test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \ dashes="$$report"; \ fi; \ dashes=`echo "$$dashes" | sed s/./=/g`; \ if test "$$failed" -eq 0; then \ col="$$grn"; \ else \ col="$$red"; \ fi; \ echo "$${col}$$dashes$${std}"; \ echo "$${col}$$banner$${std}"; \ test -z "$$skipped" || echo "$${col}$$skipped$${std}"; \ test -z "$$report" || echo "$${col}$$report$${std}"; \ echo "$${col}$$dashes$${std}"; \ test "$$failed" -eq 0; \ else :; fi distdir: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ dist_files=`for file in $$list; do echo $$file; done | \ sed -e "s|^$$srcdirstrip/||;t" \ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ case $$dist_files in \ */*) $(MKDIR_P) `echo "$$dist_files" | \ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ sort -u` ;; \ esac; \ for file in $$dist_files; do \ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ if test -d $$d/$$file; then \ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ if test -d "$(distdir)/$$file"; then \ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ else \ test -f "$(distdir)/$$file" \ || cp -p $$d/$$file "$(distdir)/$$file" \ || exit 1; \ fi; \ done check-am: all-am $(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS) $(MAKE) $(AM_MAKEFLAGS) check-TESTS check: check-am all-am: Makefile installdirs: install: install-am install-exec: install-exec-am install-data: install-data-am uninstall: uninstall-am install-am: all-am @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am installcheck: installcheck-am install-strip: if test -z '$(STRIP)'; then \ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ install; \ else \ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ fi mostlyclean-generic: clean-generic: distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @echo "it deletes files that may require special tools to rebuild." clean: clean-am clean-am: clean-checkPROGRAMS clean-generic clean-libtool \ mostlyclean-am distclean: distclean-am -rm -rf ./$(DEPDIR) -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags dvi: dvi-am dvi-am: html: html-am html-am: info: info-am info-am: install-data-am: install-dvi: install-dvi-am install-dvi-am: install-exec-am: install-html: install-html-am install-html-am: install-info: install-info-am install-info-am: install-man: install-pdf: install-pdf-am install-pdf-am: install-ps: install-ps-am install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-am -rm -rf ./$(DEPDIR) -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic mostlyclean: mostlyclean-am mostlyclean-am: mostlyclean-compile mostlyclean-generic \ mostlyclean-libtool pdf: pdf-am pdf-am: ps: ps-am ps-am: uninstall-am: .MAKE: check-am install-am install-strip .PHONY: CTAGS GTAGS TAGS all all-am check check-TESTS check-am clean \ clean-checkPROGRAMS clean-generic clean-libtool cscopelist-am \ ctags ctags-am distclean distclean-compile distclean-generic \ distclean-libtool distclean-tags distdir dvi dvi-am html \ html-am info info-am install install-am install-data \ install-data-am install-dvi install-dvi-am install-exec \ install-exec-am install-html install-html-am install-info \ install-info-am install-man install-pdf install-pdf-am \ install-ps install-ps-am install-strip installcheck \ installcheck-am installdirs maintainer-clean \ maintainer-clean-generic mostlyclean mostlyclean-compile \ mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ tags tags-am uninstall uninstall-am # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: openvpn-2.4.4/tests/unit_tests/openvpn/mock_msg.c000066400000000000000000000045251316434344000222110ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2016-2017 Fox Crypto B.V. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) #include "config-msvc.h" #endif #include #include #include #include #include #include #include "errlevel.h" #include "error.h" unsigned int x_debug_level = 0; /* Default to (almost) no debugging output */ bool fatal_error_triggered = false; void mock_set_debug_level(int level) { x_debug_level = level; } void x_msg_va(const unsigned int flags, const char *format, va_list arglist) { if (flags & M_FATAL) { fatal_error_triggered = true; printf("FATAL ERROR:"); } vprintf(format, arglist); printf("\n"); } void x_msg(const unsigned int flags, const char *format, ...) { va_list arglist; va_start(arglist, format); x_msg_va(flags, format, arglist); va_end(arglist); } void assert_failed(const char *filename, int line, const char *condition) { mock_assert(false, condition ? condition : "", filename, line); /* Keep compiler happy. Should not happen, mock_assert() does not return */ exit(1); } /* * Fail memory allocation. Don't use msg() because it tries * to allocate memory as part of its operation. */ void out_of_memory(void) { fprintf(stderr, "Out of Memory\n"); exit(1); } bool dont_mute(unsigned int flags) { return true; } openvpn-2.4.4/tests/unit_tests/openvpn/test_argv.c000066400000000000000000000104071316434344000224040ustar00rootroot00000000000000#include "config.h" #include "syshead.h" #include #include #include #include #include #include #include #include #include "argv.h" #include "buffer.h" /* Defines for use in the tests and the mock parse_line() */ #define PATH1 "/s p a c e" #define PATH2 "/foo bar/baz" #define PARAM1 "param1" #define PARAM2 "param two" #define SCRIPT_CMD "\"" PATH1 PATH2 "\"" PARAM1 "\"" PARAM2 "\"" int __wrap_parse_line(const char *line, char **p, const int n, const char *file, const int line_num, int msglevel, struct gc_arena *gc) { p[0] = PATH1 PATH2; p[1] = PARAM1; p[2] = PARAM2; return 3; } static void argv_printf__multiple_spaces_in_format__parsed_as_one(void **state) { struct argv a = argv_new(); argv_printf(&a, " %s %s %d ", PATH1, PATH2, 42); assert_int_equal(a.argc, 3); argv_reset(&a); } static void argv_printf_cat__multiple_spaces_in_format__parsed_as_one(void **state) { struct argv a = argv_new(); argv_printf(&a, "%s ", PATH1); argv_printf_cat(&a, " %s %s", PATH2, PARAM1); assert_int_equal(a.argc, 3); argv_reset(&a); } static void argv_printf__combined_path_with_spaces__argc_correct(void **state) { struct argv a = argv_new(); argv_printf(&a, "%s%sc", PATH1, PATH2); assert_int_equal(a.argc, 1); argv_printf(&a, "%s%sc %d", PATH1, PATH2, 42); assert_int_equal(a.argc, 2); argv_printf(&a, "foo %s%sc %s x y", PATH2, PATH1, "foo"); assert_int_equal(a.argc, 5); argv_reset(&a); } static void argv_parse_cmd__command_string__argc_correct(void **state) { struct argv a = argv_new(); argv_parse_cmd(&a, SCRIPT_CMD); assert_int_equal(a.argc, 3); argv_reset(&a); } static void argv_parse_cmd__command_and_extra_options__argc_correct(void **state) { struct argv a = argv_new(); argv_parse_cmd(&a, SCRIPT_CMD); argv_printf_cat(&a, "bar baz %d %s", 42, PATH1); assert_int_equal(a.argc, 7); argv_reset(&a); } static void argv_printf_cat__used_twice__argc_correct(void **state) { struct argv a = argv_new(); argv_printf(&a, "%s %s %s", PATH1, PATH2, PARAM1); argv_printf_cat(&a, "%s", PARAM2); argv_printf_cat(&a, "foo"); assert_int_equal(a.argc, 5); argv_reset(&a); } static void argv_str__multiple_argv__correct_output(void **state) { struct argv a = argv_new(); struct gc_arena gc = gc_new(); const char *output; argv_printf(&a, "%s%sc", PATH1, PATH2); argv_printf_cat(&a, "%s", PARAM1); argv_printf_cat(&a, "%s", PARAM2); output = argv_str(&a, &gc, PA_BRACKET); assert_string_equal(output, "[" PATH1 PATH2 "] [" PARAM1 "] [" PARAM2 "]"); argv_reset(&a); gc_free(&gc); } static void argv_insert_head__empty_argv__head_only(void **state) { struct argv a = argv_new(); struct argv b; b = argv_insert_head(&a, PATH1); assert_int_equal(b.argc, 1); assert_string_equal(b.argv[0], PATH1); argv_reset(&b); argv_reset(&a); } static void argv_insert_head__non_empty_argv__head_added(void **state) { struct argv a = argv_new(); struct argv b; int i; argv_printf(&a, "%s", PATH2); b = argv_insert_head(&a, PATH1); assert_int_equal(b.argc, a.argc + 1); for (i = 0; i < b.argc; i++) { if (i == 0) { assert_string_equal(b.argv[i], PATH1); } else { assert_string_equal(b.argv[i], a.argv[i - 1]); } } argv_reset(&b); argv_reset(&a); } int main(void) { const struct CMUnitTest tests[] = { cmocka_unit_test(argv_printf__multiple_spaces_in_format__parsed_as_one), cmocka_unit_test(argv_printf_cat__multiple_spaces_in_format__parsed_as_one), cmocka_unit_test(argv_printf__combined_path_with_spaces__argc_correct), cmocka_unit_test(argv_parse_cmd__command_string__argc_correct), cmocka_unit_test(argv_parse_cmd__command_and_extra_options__argc_correct), cmocka_unit_test(argv_printf_cat__used_twice__argc_correct), cmocka_unit_test(argv_str__multiple_argv__correct_output), cmocka_unit_test(argv_insert_head__non_empty_argv__head_added), }; return cmocka_run_group_tests_name("argv", tests, NULL, NULL); } openvpn-2.4.4/tests/unit_tests/openvpn/test_buffer.c000066400000000000000000000031711316434344000227160ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2016-2017 Fox Crypto B.V. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) #include "config-msvc.h" #endif #include "syshead.h" #include #include #include "buffer.h" static void buffer_strprefix(void **state) { assert_true(strprefix("123456", "123456")); assert_true(strprefix("123456", "123")); assert_true(strprefix("123456", "")); assert_false(strprefix("123456", "456")); assert_false(strprefix("12", "123")); } int main(void) { const struct CMUnitTest tests[] = { cmocka_unit_test(buffer_strprefix), }; return cmocka_run_group_tests_name("buffer", tests, NULL, NULL); } openvpn-2.4.4/tests/unit_tests/openvpn/test_packet_id.c000066400000000000000000000125601316434344000233720ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2016 Fox Crypto B.V. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program (see the file COPYING included with this * distribution); if not, write to the Free Software Foundation, Inc., * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) #include "config-msvc.h" #endif #include "syshead.h" #include #include #include #include #include "packet_id.h" #include "mock_msg.h" struct test_packet_id_write_data { struct { uint32_t buf_id; uint32_t buf_time; } test_buf_data; struct buffer test_buf; struct packet_id_send pis; }; static int test_packet_id_write_setup(void **state) { struct test_packet_id_write_data *data = calloc(1, sizeof(struct test_packet_id_write_data)); if (!data) { return -1; } data->test_buf.data = (void *) &data->test_buf_data; data->test_buf.capacity = sizeof(data->test_buf_data); *state = data; return 0; } static int test_packet_id_write_teardown(void **state) { free(*state); return 0; } static void test_packet_id_write_short(void **state) { struct test_packet_id_write_data *data = *state; now = 5010; assert_true(packet_id_write(&data->pis, &data->test_buf, false, false)); assert_true(data->pis.id == 1); assert_true(data->test_buf_data.buf_id == htonl(1)); assert_true(data->test_buf_data.buf_time == 0); } static void test_packet_id_write_long(void **state) { struct test_packet_id_write_data *data = *state; now = 5010; assert_true(packet_id_write(&data->pis, &data->test_buf, true, false)); assert(data->pis.id == 1); assert(data->pis.time == now); assert_true(data->test_buf_data.buf_id == htonl(1)); assert_true(data->test_buf_data.buf_time == htonl(now)); } static void test_packet_id_write_short_prepend(void **state) { struct test_packet_id_write_data *data = *state; data->test_buf.offset = sizeof(packet_id_type); now = 5010; assert_true(packet_id_write(&data->pis, &data->test_buf, false, true)); assert_true(data->pis.id == 1); assert_true(data->test_buf_data.buf_id == htonl(1)); assert_true(data->test_buf_data.buf_time == 0); } static void test_packet_id_write_long_prepend(void **state) { struct test_packet_id_write_data *data = *state; data->test_buf.offset = sizeof(data->test_buf_data); now = 5010; assert_true(packet_id_write(&data->pis, &data->test_buf, true, true)); assert(data->pis.id == 1); assert(data->pis.time == now); assert_true(data->test_buf_data.buf_id == htonl(1)); assert_true(data->test_buf_data.buf_time == htonl(now)); } static void test_packet_id_write_short_wrap(void **state) { struct test_packet_id_write_data *data = *state; data->pis.id = ~0; assert_false(packet_id_write(&data->pis, &data->test_buf, false, false)); } static void test_packet_id_write_long_wrap(void **state) { struct test_packet_id_write_data *data = *state; data->pis.id = ~0; data->pis.time = 5006; /* Write fails if time did not change */ now = 5006; assert_false(packet_id_write(&data->pis, &data->test_buf, true, false)); /* Write succeeds if time moved forward */ now = 5010; assert_true(packet_id_write(&data->pis, &data->test_buf, true, false)); assert(data->pis.id == 1); assert(data->pis.time == now); assert_true(data->test_buf_data.buf_id == htonl(1)); assert_true(data->test_buf_data.buf_time == htonl(now)); } int main(void) { const struct CMUnitTest tests[] = { cmocka_unit_test_setup_teardown(test_packet_id_write_short, test_packet_id_write_setup, test_packet_id_write_teardown), cmocka_unit_test_setup_teardown(test_packet_id_write_long, test_packet_id_write_setup, test_packet_id_write_teardown), cmocka_unit_test_setup_teardown(test_packet_id_write_short_prepend, test_packet_id_write_setup, test_packet_id_write_teardown), cmocka_unit_test_setup_teardown(test_packet_id_write_long_prepend, test_packet_id_write_setup, test_packet_id_write_teardown), cmocka_unit_test_setup_teardown(test_packet_id_write_short_wrap, test_packet_id_write_setup, test_packet_id_write_teardown), cmocka_unit_test_setup_teardown(test_packet_id_write_long_wrap, test_packet_id_write_setup, test_packet_id_write_teardown), }; return cmocka_run_group_tests_name("packet_id tests", tests, NULL, NULL); } openvpn-2.4.4/tests/unit_tests/openvpn/test_tls_crypt.c000066400000000000000000000206261316434344000234740ustar00rootroot00000000000000/* * OpenVPN -- An application to securely tunnel IP networks * over a single UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2016-2017 Fox Crypto B.V. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) #include "config-msvc.h" #endif #ifdef ENABLE_CRYPTO #include "syshead.h" #include #include #include #include #include #include #include #include "tls_crypt.c" #include "mock_msg.h" #define TESTBUF_SIZE 128 const char plaintext_short[1]; struct test_context { struct crypto_options co; struct key_type kt; struct buffer source; struct buffer ciphertext; struct buffer unwrapped; }; static int setup(void **state) { struct test_context *ctx = calloc(1, sizeof(*ctx)); *state = ctx; struct key key = { 0 }; ctx->kt = tls_crypt_kt(); if (!ctx->kt.cipher || !ctx->kt.digest) { return 0; } init_key_ctx(&ctx->co.key_ctx_bi.encrypt, &key, &ctx->kt, true, "TEST"); init_key_ctx(&ctx->co.key_ctx_bi.decrypt, &key, &ctx->kt, false, "TEST"); packet_id_init(&ctx->co.packet_id, 0, 0, "test", 0); ctx->source = alloc_buf(TESTBUF_SIZE); ctx->ciphertext = alloc_buf(TESTBUF_SIZE); ctx->unwrapped = alloc_buf(TESTBUF_SIZE); /* Write test plaintext */ buf_write(&ctx->source, plaintext_short, sizeof(plaintext_short)); /* Write dummy opcode and session id */ buf_write(&ctx->ciphertext, "012345678", 1 + 8); return 0; } static int teardown(void **state) { struct test_context *ctx = (struct test_context *) *state; free_buf(&ctx->source); free_buf(&ctx->ciphertext); free_buf(&ctx->unwrapped); free_key_ctx_bi(&ctx->co.key_ctx_bi); free(ctx); return 0; } static void skip_if_tls_crypt_not_supported(struct test_context *ctx) { if (!ctx->kt.cipher || !ctx->kt.digest) { skip(); } } /** * Check that short messages are successfully wrapped-and-unwrapped. */ static void tls_crypt_loopback(void **state) { struct test_context *ctx = (struct test_context *) *state; skip_if_tls_crypt_not_supported(ctx); assert_true(tls_crypt_wrap(&ctx->source, &ctx->ciphertext, &ctx->co)); assert_true(BLEN(&ctx->source) < BLEN(&ctx->ciphertext)); assert_true(tls_crypt_unwrap(&ctx->ciphertext, &ctx->unwrapped, &ctx->co)); assert_int_equal(BLEN(&ctx->source), BLEN(&ctx->unwrapped)); assert_memory_equal(BPTR(&ctx->source), BPTR(&ctx->unwrapped), BLEN(&ctx->source)); } /** * Check that zero-byte messages are successfully wrapped-and-unwrapped. */ static void tls_crypt_loopback_zero_len(void **state) { struct test_context *ctx = (struct test_context *) *state; skip_if_tls_crypt_not_supported(ctx); buf_clear(&ctx->source); assert_true(tls_crypt_wrap(&ctx->source, &ctx->ciphertext, &ctx->co)); assert_true(BLEN(&ctx->source) < BLEN(&ctx->ciphertext)); assert_true(tls_crypt_unwrap(&ctx->ciphertext, &ctx->unwrapped, &ctx->co)); assert_int_equal(BLEN(&ctx->source), BLEN(&ctx->unwrapped)); assert_memory_equal(BPTR(&ctx->source), BPTR(&ctx->unwrapped), BLEN(&ctx->source)); } /** * Check that max-length messages are successfully wrapped-and-unwrapped. */ static void tls_crypt_loopback_max_len(void **state) { struct test_context *ctx = (struct test_context *) *state; skip_if_tls_crypt_not_supported(ctx); buf_clear(&ctx->source); assert_non_null(buf_write_alloc(&ctx->source, TESTBUF_SIZE - BLEN(&ctx->ciphertext) - tls_crypt_buf_overhead())); assert_true(tls_crypt_wrap(&ctx->source, &ctx->ciphertext, &ctx->co)); assert_true(BLEN(&ctx->source) < BLEN(&ctx->ciphertext)); assert_true(tls_crypt_unwrap(&ctx->ciphertext, &ctx->unwrapped, &ctx->co)); assert_int_equal(BLEN(&ctx->source), BLEN(&ctx->unwrapped)); assert_memory_equal(BPTR(&ctx->source), BPTR(&ctx->unwrapped), BLEN(&ctx->source)); } /** * Check that too-long messages are gracefully rejected. */ static void tls_crypt_fail_msg_too_long(void **state) { struct test_context *ctx = (struct test_context *) *state; skip_if_tls_crypt_not_supported(ctx); buf_clear(&ctx->source); assert_non_null(buf_write_alloc(&ctx->source, TESTBUF_SIZE - BLEN(&ctx->ciphertext) - tls_crypt_buf_overhead() + 1)); assert_false(tls_crypt_wrap(&ctx->source, &ctx->ciphertext, &ctx->co)); } /** * Check that packets that were wrapped (or unwrapped) with a different key * are not accepted. */ static void tls_crypt_fail_invalid_key(void **state) { struct test_context *ctx = (struct test_context *) *state; skip_if_tls_crypt_not_supported(ctx); /* Change decrypt key */ struct key key = { { 1 } }; free_key_ctx(&ctx->co.key_ctx_bi.decrypt); init_key_ctx(&ctx->co.key_ctx_bi.decrypt, &key, &ctx->kt, false, "TEST"); assert_true(tls_crypt_wrap(&ctx->source, &ctx->ciphertext, &ctx->co)); assert_true(BLEN(&ctx->source) < BLEN(&ctx->ciphertext)); assert_false(tls_crypt_unwrap(&ctx->ciphertext, &ctx->unwrapped, &ctx->co)); } /** * Check that replayed packets are not accepted. */ static void tls_crypt_fail_replay(void **state) { struct test_context *ctx = (struct test_context *) *state; skip_if_tls_crypt_not_supported(ctx); assert_true(tls_crypt_wrap(&ctx->source, &ctx->ciphertext, &ctx->co)); assert_true(BLEN(&ctx->source) < BLEN(&ctx->ciphertext)); struct buffer tmp = ctx->ciphertext; assert_true(tls_crypt_unwrap(&tmp, &ctx->unwrapped, &ctx->co)); buf_clear(&ctx->unwrapped); assert_false(tls_crypt_unwrap(&ctx->ciphertext, &ctx->unwrapped, &ctx->co)); } /** * Check that packet replays are accepted when CO_IGNORE_PACKET_ID is set. This * is used for the first control channel packet that arrives, because we don't * know the packet ID yet. */ static void tls_crypt_ignore_replay(void **state) { struct test_context *ctx = (struct test_context *) *state; skip_if_tls_crypt_not_supported(ctx); ctx->co.flags |= CO_IGNORE_PACKET_ID; assert_true(tls_crypt_wrap(&ctx->source, &ctx->ciphertext, &ctx->co)); assert_true(BLEN(&ctx->source) < BLEN(&ctx->ciphertext)); struct buffer tmp = ctx->ciphertext; assert_true(tls_crypt_unwrap(&tmp, &ctx->unwrapped, &ctx->co)); buf_clear(&ctx->unwrapped); assert_true(tls_crypt_unwrap(&ctx->ciphertext, &ctx->unwrapped, &ctx->co)); } int main(void) { const struct CMUnitTest tests[] = { cmocka_unit_test_setup_teardown(tls_crypt_loopback, setup, teardown), cmocka_unit_test_setup_teardown(tls_crypt_loopback_zero_len, setup, teardown), cmocka_unit_test_setup_teardown(tls_crypt_loopback_max_len, setup, teardown), cmocka_unit_test_setup_teardown(tls_crypt_fail_msg_too_long, setup, teardown), cmocka_unit_test_setup_teardown(tls_crypt_fail_invalid_key, setup, teardown), cmocka_unit_test_setup_teardown(tls_crypt_fail_replay, setup, teardown), cmocka_unit_test_setup_teardown(tls_crypt_ignore_replay, setup, teardown), }; #if defined(ENABLE_CRYPTO_OPENSSL) OpenSSL_add_all_algorithms(); #endif int ret = cmocka_run_group_tests_name("tls-crypt tests", tests, NULL, NULL); #if defined(ENABLE_CRYPTO_OPENSSL) EVP_cleanup(); #endif return ret; } #endif /* ENABLE_CRYPTO */ openvpn-2.4.4/tests/unit_tests/plugins/000077500000000000000000000000001316434344000202345ustar00rootroot00000000000000openvpn-2.4.4/tests/unit_tests/plugins/Makefile.am000066400000000000000000000000571316434344000222720ustar00rootroot00000000000000AUTOMAKE_OPTIONS = foreign SUBDIRS = auth-pam openvpn-2.4.4/tests/unit_tests/plugins/Makefile.in000066400000000000000000000500621316434344000223040ustar00rootroot00000000000000# Makefile.in generated by automake 1.14.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2013 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY, to the extent permitted by law; without # even the implied warranty of MERCHANTABILITY or FITNESS FOR A # PARTICULAR PURPOSE. @SET_MAKE@ VPATH = @srcdir@ am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ *) echo "am__make_running_with_option: internal error: invalid" \ "target option '$${target_option-}' specified" >&2; \ exit 1;; \ esac; \ has_opt=no; \ sane_makeflags=$$MAKEFLAGS; \ if $(am__is_gnu_make); then \ sane_makeflags=$$MFLAGS; \ else \ case $$MAKEFLAGS in \ *\\[\ \ ]*) \ bs=\\; \ sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ esac; \ fi; \ skip_next=no; \ strip_trailopt () \ { \ flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ }; \ for flg in $$sane_makeflags; do \ test $$skip_next = yes && { skip_next=no; continue; }; \ case $$flg in \ *=*|--*) continue;; \ -*I) strip_trailopt 'I'; skip_next=yes;; \ -*I?*) strip_trailopt 'I';; \ -*O) strip_trailopt 'O'; skip_next=yes;; \ -*O?*) strip_trailopt 'O';; \ -*l) strip_trailopt 'l'; skip_next=yes;; \ -*l?*) strip_trailopt 'l';; \ -[dEDm]) skip_next=yes;; \ -[JT]) skip_next=yes;; \ esac; \ case $$flg in \ *$$target_option*) has_opt=yes; break;; \ esac; \ done; \ test $$has_opt = yes am__make_dryrun = (target_option=n; $(am__make_running_with_option)) am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) pkgdatadir = $(datadir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ pkglibdir = $(libdir)/@PACKAGE@ pkglibexecdir = $(libexecdir)/@PACKAGE@ am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c install_sh_SCRIPT = $(install_sh) -c INSTALL_HEADER = $(INSTALL_DATA) transform = $(program_transform_name) NORMAL_INSTALL = : PRE_INSTALL = : POST_INSTALL = : NORMAL_UNINSTALL = : PRE_UNINSTALL = : POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = tests/unit_tests/plugins DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/ax_emptyarray.m4 \ $(top_srcdir)/m4/ax_socklen_t.m4 \ $(top_srcdir)/m4/ax_varargs.m4 $(top_srcdir)/m4/libtool.m4 \ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ $(top_srcdir)/m4/pkg.m4 $(top_srcdir)/version.m4 \ $(top_srcdir)/compat.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h \ $(top_builddir)/include/openvpn-plugin.h CONFIG_CLEAN_FILES = CONFIG_CLEAN_VPATH_FILES = AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false am__v_P_1 = : AM_V_GEN = $(am__v_GEN_@AM_V@) am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) am__v_GEN_0 = @echo " GEN " $@; am__v_GEN_1 = AM_V_at = $(am__v_at_@AM_V@) am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) am__v_at_0 = @ am__v_at_1 = SOURCES = DIST_SOURCES = RECURSIVE_TARGETS = all-recursive check-recursive cscopelist-recursive \ ctags-recursive dvi-recursive html-recursive info-recursive \ install-data-recursive install-dvi-recursive \ install-exec-recursive install-html-recursive \ install-info-recursive install-pdf-recursive \ install-ps-recursive install-recursive installcheck-recursive \ installdirs-recursive pdf-recursive ps-recursive \ tags-recursive uninstall-recursive am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ *) (install-info --version) >/dev/null 2>&1;; \ esac RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive \ distclean-recursive maintainer-clean-recursive am__recursive_targets = \ $(RECURSIVE_TARGETS) \ $(RECURSIVE_CLEAN_TARGETS) \ $(am__extra_recursive_targets) AM_RECURSIVE_TARGETS = $(am__recursive_targets:-recursive=) TAGS CTAGS \ distdir am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) # Read a list of newline-separated strings from the standard input, # and print each of them once, without duplicates. Input order is # *not* preserved. am__uniquify_input = $(AWK) '\ BEGIN { nonempty = 0; } \ { items[$$0] = 1; nonempty = 1; } \ END { if (nonempty) { for (i in items) print i; }; } \ ' # Make sure the list of sources is unique. This is necessary because, # e.g., the same source file might be shared among _SOURCES variables # for different programs/libraries. am__define_uniq_tagged_files = \ list='$(am__tagged_files)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags DIST_SUBDIRS = $(SUBDIRS) DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) am__relativize = \ dir0=`pwd`; \ sed_first='s,^\([^/]*\)/.*$$,\1,'; \ sed_rest='s,^[^/]*/*,,'; \ sed_last='s,^.*/\([^/]*\)$$,\1,'; \ sed_butlast='s,/*[^/]*$$,,'; \ while test -n "$$dir1"; do \ first=`echo "$$dir1" | sed -e "$$sed_first"`; \ if test "$$first" != "."; then \ if test "$$first" = ".."; then \ dir2=`echo "$$dir0" | sed -e "$$sed_last"`/"$$dir2"; \ dir0=`echo "$$dir0" | sed -e "$$sed_butlast"`; \ else \ first2=`echo "$$dir2" | sed -e "$$sed_first"`; \ if test "$$first2" = "$$first"; then \ dir2=`echo "$$dir2" | sed -e "$$sed_rest"`; \ else \ dir2="../$$dir2"; \ fi; \ dir0="$$dir0"/"$$first"; \ fi; \ fi; \ dir1=`echo "$$dir1" | sed -e "$$sed_rest"`; \ done; \ reldir="$$dir2" ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ AS = @AS@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ CMAKE = @CMAKE@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ DL_LIBS = @DL_LIBS@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ GIT = @GIT@ GREP = @GREP@ IFCONFIG = @IFCONFIG@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ IPROUTE = @IPROUTE@ LD = @LD@ LDFLAGS = @LDFLAGS@ LIBOBJS = @LIBOBJS@ LIBPAM_CFLAGS = @LIBPAM_CFLAGS@ LIBPAM_LIBS = @LIBPAM_LIBS@ LIBS = @LIBS@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ LZ4_CFLAGS = @LZ4_CFLAGS@ LZ4_LIBS = @LZ4_LIBS@ LZO_CFLAGS = @LZO_CFLAGS@ LZO_LIBS = @LZO_LIBS@ MAKEINFO = @MAKEINFO@ MAN2HTML = @MAN2HTML@ MANIFEST_TOOL = @MANIFEST_TOOL@ MBEDTLS_CFLAGS = @MBEDTLS_CFLAGS@ MBEDTLS_LIBS = @MBEDTLS_LIBS@ MKDIR_P = @MKDIR_P@ NETSTAT = @NETSTAT@ NM = @NM@ NMEDIT = @NMEDIT@ OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ OPENSSL_CFLAGS = @OPENSSL_CFLAGS@ OPENSSL_LIBS = @OPENSSL_LIBS@ OPENVPN_VERSION_MAJOR = @OPENVPN_VERSION_MAJOR@ OPENVPN_VERSION_MINOR = @OPENVPN_VERSION_MINOR@ OPENVPN_VERSION_PATCH = @OPENVPN_VERSION_PATCH@ OPTIONAL_CRYPTO_CFLAGS = @OPTIONAL_CRYPTO_CFLAGS@ OPTIONAL_CRYPTO_LIBS = @OPTIONAL_CRYPTO_LIBS@ OPTIONAL_DL_LIBS = @OPTIONAL_DL_LIBS@ OPTIONAL_LZ4_CFLAGS = @OPTIONAL_LZ4_CFLAGS@ OPTIONAL_LZ4_LIBS = @OPTIONAL_LZ4_LIBS@ OPTIONAL_LZO_CFLAGS = @OPTIONAL_LZO_CFLAGS@ OPTIONAL_LZO_LIBS = @OPTIONAL_LZO_LIBS@ OPTIONAL_PKCS11_HELPER_CFLAGS = @OPTIONAL_PKCS11_HELPER_CFLAGS@ OPTIONAL_PKCS11_HELPER_LIBS = @OPTIONAL_PKCS11_HELPER_LIBS@ OPTIONAL_SELINUX_LIBS = @OPTIONAL_SELINUX_LIBS@ OPTIONAL_SYSTEMD_LIBS = @OPTIONAL_SYSTEMD_LIBS@ OTOOL = @OTOOL@ OTOOL64 = @OTOOL64@ P11KIT_CFLAGS = @P11KIT_CFLAGS@ P11KIT_LIBS = @P11KIT_LIBS@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PKCS11_HELPER_CFLAGS = @PKCS11_HELPER_CFLAGS@ PKCS11_HELPER_LIBS = @PKCS11_HELPER_LIBS@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGINDIR = @PLUGINDIR@ PLUGIN_AUTH_PAM_CFLAGS = @PLUGIN_AUTH_PAM_CFLAGS@ PLUGIN_AUTH_PAM_LIBS = @PLUGIN_AUTH_PAM_LIBS@ RANLIB = @RANLIB@ RC = @RC@ ROUTE = @ROUTE@ SED = @SED@ SELINUX_LIBS = @SELINUX_LIBS@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ SOCKETS_LIBS = @SOCKETS_LIBS@ STRIP = @STRIP@ SYSTEMD_ASK_PASSWORD = @SYSTEMD_ASK_PASSWORD@ SYSTEMD_UNIT_DIR = @SYSTEMD_UNIT_DIR@ TAP_CFLAGS = @TAP_CFLAGS@ TAP_WIN_COMPONENT_ID = @TAP_WIN_COMPONENT_ID@ TAP_WIN_MIN_MAJOR = @TAP_WIN_MIN_MAJOR@ TAP_WIN_MIN_MINOR = @TAP_WIN_MIN_MINOR@ TEST_CFLAGS = @TEST_CFLAGS@ TEST_LDFLAGS = @TEST_LDFLAGS@ TMPFILES_DIR = @TMPFILES_DIR@ VENDOR_BUILD_ROOT = @VENDOR_BUILD_ROOT@ VENDOR_DIST_ROOT = @VENDOR_DIST_ROOT@ VENDOR_SRC_ROOT = @VENDOR_SRC_ROOT@ VERSION = @VERSION@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ ac_ct_AR = @ac_ct_AR@ ac_ct_CC = @ac_ct_CC@ ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ am__include = @am__include@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ am__tar = @am__tar@ am__untar = @am__untar@ bindir = @bindir@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ datadir = @datadir@ datarootdir = @datarootdir@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ host_os = @host_os@ host_vendor = @host_vendor@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ libdir = @libdir@ libexecdir = @libexecdir@ libsystemd_CFLAGS = @libsystemd_CFLAGS@ libsystemd_LIBS = @libsystemd_LIBS@ localedir = @localedir@ localstatedir = @localstatedir@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ pdfdir = @pdfdir@ plugindir = @plugindir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ sampledir = @sampledir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ systemdunitdir = @systemdunitdir@ target_alias = @target_alias@ tmpfilesdir = @tmpfilesdir@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ AUTOMAKE_OPTIONS = foreign SUBDIRS = auth-pam all: all-recursive .SUFFIXES: $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) @for dep in $?; do \ case '$(am__configure_deps)' in \ *$$dep*) \ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ && { if test -f $@; then exit 0; else break; fi; }; \ exit 1;; \ esac; \ done; \ echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign tests/unit_tests/plugins/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --foreign tests/unit_tests/plugins/Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ *) \ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(top_srcdir)/configure: $(am__configure_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(ACLOCAL_M4): $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(am__aclocal_m4_deps): mostlyclean-libtool: -rm -f *.lo clean-libtool: -rm -rf .libs _libs # This directory's subdirectories are mostly independent; you can cd # into them and run 'make' without going through this Makefile. # To change the values of 'make' variables: instead of editing Makefiles, # (1) if the variable is set in 'config.status', edit 'config.status' # (which will cause the Makefiles to be regenerated when you run 'make'); # (2) otherwise, pass the desired values on the 'make' command line. $(am__recursive_targets): @fail=; \ if $(am__make_keepgoing); then \ failcom='fail=yes'; \ else \ failcom='exit 1'; \ fi; \ dot_seen=no; \ target=`echo $@ | sed s/-recursive//`; \ case "$@" in \ distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \ *) list='$(SUBDIRS)' ;; \ esac; \ for subdir in $$list; do \ echo "Making $$target in $$subdir"; \ if test "$$subdir" = "."; then \ dot_seen=yes; \ local_target="$$target-am"; \ else \ local_target="$$target"; \ fi; \ ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ || eval $$failcom; \ done; \ if test "$$dot_seen" = "no"; then \ $(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \ fi; test -z "$$fail" ID: $(am__tagged_files) $(am__define_uniq_tagged_files); mkid -fID $$unique tags: tags-recursive TAGS: tags tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) set x; \ here=`pwd`; \ if ($(ETAGS) --etags-include --version) >/dev/null 2>&1; then \ include_option=--etags-include; \ empty_fix=.; \ else \ include_option=--include; \ empty_fix=; \ fi; \ list='$(SUBDIRS)'; for subdir in $$list; do \ if test "$$subdir" = .; then :; else \ test ! -f $$subdir/TAGS || \ set "$$@" "$$include_option=$$here/$$subdir/TAGS"; \ fi; \ done; \ $(am__define_uniq_tagged_files); \ shift; \ if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ test -n "$$unique" || unique=$$empty_fix; \ if test $$# -gt 0; then \ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ "$$@" $$unique; \ else \ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ $$unique; \ fi; \ fi ctags: ctags-recursive CTAGS: ctags ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) $(am__define_uniq_tagged_files); \ test -z "$(CTAGS_ARGS)$$unique" \ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ $$unique GTAGS: here=`$(am__cd) $(top_builddir) && pwd` \ && $(am__cd) $(top_srcdir) \ && gtags -i $(GTAGS_ARGS) "$$here" cscopelist: cscopelist-recursive cscopelist-am: $(am__tagged_files) list='$(am__tagged_files)'; \ case "$(srcdir)" in \ [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \ *) sdir=$(subdir)/$(srcdir) ;; \ esac; \ for i in $$list; do \ if test -f "$$i"; then \ echo "$(subdir)/$$i"; \ else \ echo "$$sdir/$$i"; \ fi; \ done >> $(top_builddir)/cscope.files distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags distdir: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ dist_files=`for file in $$list; do echo $$file; done | \ sed -e "s|^$$srcdirstrip/||;t" \ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ case $$dist_files in \ */*) $(MKDIR_P) `echo "$$dist_files" | \ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ sort -u` ;; \ esac; \ for file in $$dist_files; do \ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ if test -d $$d/$$file; then \ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ if test -d "$(distdir)/$$file"; then \ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ else \ test -f "$(distdir)/$$file" \ || cp -p $$d/$$file "$(distdir)/$$file" \ || exit 1; \ fi; \ done @list='$(DIST_SUBDIRS)'; for subdir in $$list; do \ if test "$$subdir" = .; then :; else \ $(am__make_dryrun) \ || test -d "$(distdir)/$$subdir" \ || $(MKDIR_P) "$(distdir)/$$subdir" \ || exit 1; \ dir1=$$subdir; dir2="$(distdir)/$$subdir"; \ $(am__relativize); \ new_distdir=$$reldir; \ dir1=$$subdir; dir2="$(top_distdir)"; \ $(am__relativize); \ new_top_distdir=$$reldir; \ echo " (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) top_distdir="$$new_top_distdir" distdir="$$new_distdir" \\"; \ echo " am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)"; \ ($(am__cd) $$subdir && \ $(MAKE) $(AM_MAKEFLAGS) \ top_distdir="$$new_top_distdir" \ distdir="$$new_distdir" \ am__remove_distdir=: \ am__skip_length_check=: \ am__skip_mode_fix=: \ distdir) \ || exit 1; \ fi; \ done check-am: all-am check: check-recursive all-am: Makefile installdirs: installdirs-recursive installdirs-am: install: install-recursive install-exec: install-exec-recursive install-data: install-data-recursive uninstall: uninstall-recursive install-am: all-am @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am installcheck: installcheck-recursive install-strip: if test -z '$(STRIP)'; then \ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ install; \ else \ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ fi mostlyclean-generic: clean-generic: distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @echo "it deletes files that may require special tools to rebuild." clean: clean-recursive clean-am: clean-generic clean-libtool mostlyclean-am distclean: distclean-recursive -rm -f Makefile distclean-am: clean-am distclean-generic distclean-tags dvi: dvi-recursive dvi-am: html: html-recursive html-am: info: info-recursive info-am: install-data-am: install-dvi: install-dvi-recursive install-dvi-am: install-exec-am: install-html: install-html-recursive install-html-am: install-info: install-info-recursive install-info-am: install-man: install-pdf: install-pdf-recursive install-pdf-am: install-ps: install-ps-recursive install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-recursive -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic mostlyclean: mostlyclean-recursive mostlyclean-am: mostlyclean-generic mostlyclean-libtool pdf: pdf-recursive pdf-am: ps: ps-recursive ps-am: uninstall-am: .MAKE: $(am__recursive_targets) install-am install-strip .PHONY: $(am__recursive_targets) CTAGS GTAGS TAGS all all-am check \ check-am clean clean-generic clean-libtool cscopelist-am ctags \ ctags-am distclean distclean-generic distclean-libtool \ distclean-tags distdir dvi dvi-am html html-am info info-am \ install install-am install-data install-data-am install-dvi \ install-dvi-am install-exec install-exec-am install-html \ install-html-am install-info install-info-am install-man \ install-pdf install-pdf-am install-ps install-ps-am \ install-strip installcheck installcheck-am installdirs \ installdirs-am maintainer-clean maintainer-clean-generic \ mostlyclean mostlyclean-generic mostlyclean-libtool pdf pdf-am \ ps ps-am tags tags-am uninstall uninstall-am # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: openvpn-2.4.4/tests/unit_tests/plugins/auth-pam/000077500000000000000000000000001316434344000217505ustar00rootroot00000000000000openvpn-2.4.4/tests/unit_tests/plugins/auth-pam/Makefile.am000066400000000000000000000006071316434344000240070ustar00rootroot00000000000000AUTOMAKE_OPTIONS = foreign if ENABLE_PLUGIN_AUTH_PAM check_PROGRAMS = auth_pam_testdriver TESTS = $(check_PROGRAMS) endif sut_sourcedir = $(top_srcdir)/src/plugins/auth-pam auth_pam_testdriver_SOURCES = test_search_and_replace.c $(sut_sourcedir)/utils.h $(sut_sourcedir)/utils.c auth_pam_testdriver_CFLAGS = @TEST_CFLAGS@ -I$(sut_sourcedir) auth_pam_testdriver_LDFLAGS = @TEST_LDFLAGS@ openvpn-2.4.4/tests/unit_tests/plugins/auth-pam/Makefile.in000066400000000000000000000700411316434344000240170ustar00rootroot00000000000000# Makefile.in generated by automake 1.14.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2013 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY, to the extent permitted by law; without # even the implied warranty of MERCHANTABILITY or FITNESS FOR A # PARTICULAR PURPOSE. @SET_MAKE@ VPATH = @srcdir@ am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ *) echo "am__make_running_with_option: internal error: invalid" \ "target option '$${target_option-}' specified" >&2; \ exit 1;; \ esac; \ has_opt=no; \ sane_makeflags=$$MAKEFLAGS; \ if $(am__is_gnu_make); then \ sane_makeflags=$$MFLAGS; \ else \ case $$MAKEFLAGS in \ *\\[\ \ ]*) \ bs=\\; \ sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ esac; \ fi; \ skip_next=no; \ strip_trailopt () \ { \ flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ }; \ for flg in $$sane_makeflags; do \ test $$skip_next = yes && { skip_next=no; continue; }; \ case $$flg in \ *=*|--*) continue;; \ -*I) strip_trailopt 'I'; skip_next=yes;; \ -*I?*) strip_trailopt 'I';; \ -*O) strip_trailopt 'O'; skip_next=yes;; \ -*O?*) strip_trailopt 'O';; \ -*l) strip_trailopt 'l'; skip_next=yes;; \ -*l?*) strip_trailopt 'l';; \ -[dEDm]) skip_next=yes;; \ -[JT]) skip_next=yes;; \ esac; \ case $$flg in \ *$$target_option*) has_opt=yes; break;; \ esac; \ done; \ test $$has_opt = yes am__make_dryrun = (target_option=n; $(am__make_running_with_option)) am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) pkgdatadir = $(datadir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ pkglibdir = $(libdir)/@PACKAGE@ pkglibexecdir = $(libexecdir)/@PACKAGE@ am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c install_sh_SCRIPT = $(install_sh) -c INSTALL_HEADER = $(INSTALL_DATA) transform = $(program_transform_name) NORMAL_INSTALL = : PRE_INSTALL = : POST_INSTALL = : NORMAL_UNINSTALL = : PRE_UNINSTALL = : POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ @ENABLE_PLUGIN_AUTH_PAM_TRUE@check_PROGRAMS = \ @ENABLE_PLUGIN_AUTH_PAM_TRUE@ auth_pam_testdriver$(EXEEXT) subdir = tests/unit_tests/plugins/auth-pam DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ $(top_srcdir)/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/ax_emptyarray.m4 \ $(top_srcdir)/m4/ax_socklen_t.m4 \ $(top_srcdir)/m4/ax_varargs.m4 $(top_srcdir)/m4/libtool.m4 \ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ $(top_srcdir)/m4/pkg.m4 $(top_srcdir)/version.m4 \ $(top_srcdir)/compat.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h \ $(top_builddir)/include/openvpn-plugin.h CONFIG_CLEAN_FILES = CONFIG_CLEAN_VPATH_FILES = am_auth_pam_testdriver_OBJECTS = \ auth_pam_testdriver-test_search_and_replace.$(OBJEXT) \ auth_pam_testdriver-utils.$(OBJEXT) auth_pam_testdriver_OBJECTS = $(am_auth_pam_testdriver_OBJECTS) auth_pam_testdriver_LDADD = $(LDADD) AM_V_lt = $(am__v_lt_@AM_V@) am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) am__v_lt_0 = --silent am__v_lt_1 = auth_pam_testdriver_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ $(auth_pam_testdriver_CFLAGS) $(CFLAGS) \ $(auth_pam_testdriver_LDFLAGS) $(LDFLAGS) -o $@ AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false am__v_P_1 = : AM_V_GEN = $(am__v_GEN_@AM_V@) am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) am__v_GEN_0 = @echo " GEN " $@; am__v_GEN_1 = AM_V_at = $(am__v_at_@AM_V@) am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) am__v_at_0 = @ am__v_at_1 = DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) -I$(top_builddir)/include depcomp = $(SHELL) $(top_srcdir)/depcomp am__depfiles_maybe = depfiles am__mv = mv -f COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \ $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ $(AM_CFLAGS) $(CFLAGS) AM_V_CC = $(am__v_CC_@AM_V@) am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@) am__v_CC_0 = @echo " CC " $@; am__v_CC_1 = CCLD = $(CC) LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ $(AM_LDFLAGS) $(LDFLAGS) -o $@ AM_V_CCLD = $(am__v_CCLD_@AM_V@) am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) am__v_CCLD_0 = @echo " CCLD " $@; am__v_CCLD_1 = SOURCES = $(auth_pam_testdriver_SOURCES) DIST_SOURCES = $(auth_pam_testdriver_SOURCES) am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ *) (install-info --version) >/dev/null 2>&1;; \ esac am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) # Read a list of newline-separated strings from the standard input, # and print each of them once, without duplicates. Input order is # *not* preserved. am__uniquify_input = $(AWK) '\ BEGIN { nonempty = 0; } \ { items[$$0] = 1; nonempty = 1; } \ END { if (nonempty) { for (i in items) print i; }; } \ ' # Make sure the list of sources is unique. This is necessary because, # e.g., the same source file might be shared among _SOURCES variables # for different programs/libraries. am__define_uniq_tagged_files = \ list='$(am__tagged_files)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags am__tty_colors_dummy = \ mgn= red= grn= lgn= blu= brg= std=; \ am__color_tests=no am__tty_colors = { \ $(am__tty_colors_dummy); \ if test "X$(AM_COLOR_TESTS)" = Xno; then \ am__color_tests=no; \ elif test "X$(AM_COLOR_TESTS)" = Xalways; then \ am__color_tests=yes; \ elif test "X$$TERM" != Xdumb && { test -t 1; } 2>/dev/null; then \ am__color_tests=yes; \ fi; \ if test $$am__color_tests = yes; then \ red=''; \ grn=''; \ lgn=''; \ blu=''; \ mgn=''; \ brg=''; \ std=''; \ fi; \ } DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ AS = @AS@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ CMAKE = @CMAKE@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ DL_LIBS = @DL_LIBS@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ GIT = @GIT@ GREP = @GREP@ IFCONFIG = @IFCONFIG@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ IPROUTE = @IPROUTE@ LD = @LD@ LDFLAGS = @LDFLAGS@ LIBOBJS = @LIBOBJS@ LIBPAM_CFLAGS = @LIBPAM_CFLAGS@ LIBPAM_LIBS = @LIBPAM_LIBS@ LIBS = @LIBS@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ LZ4_CFLAGS = @LZ4_CFLAGS@ LZ4_LIBS = @LZ4_LIBS@ LZO_CFLAGS = @LZO_CFLAGS@ LZO_LIBS = @LZO_LIBS@ MAKEINFO = @MAKEINFO@ MAN2HTML = @MAN2HTML@ MANIFEST_TOOL = @MANIFEST_TOOL@ MBEDTLS_CFLAGS = @MBEDTLS_CFLAGS@ MBEDTLS_LIBS = @MBEDTLS_LIBS@ MKDIR_P = @MKDIR_P@ NETSTAT = @NETSTAT@ NM = @NM@ NMEDIT = @NMEDIT@ OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ OPENSSL_CFLAGS = @OPENSSL_CFLAGS@ OPENSSL_LIBS = @OPENSSL_LIBS@ OPENVPN_VERSION_MAJOR = @OPENVPN_VERSION_MAJOR@ OPENVPN_VERSION_MINOR = @OPENVPN_VERSION_MINOR@ OPENVPN_VERSION_PATCH = @OPENVPN_VERSION_PATCH@ OPTIONAL_CRYPTO_CFLAGS = @OPTIONAL_CRYPTO_CFLAGS@ OPTIONAL_CRYPTO_LIBS = @OPTIONAL_CRYPTO_LIBS@ OPTIONAL_DL_LIBS = @OPTIONAL_DL_LIBS@ OPTIONAL_LZ4_CFLAGS = @OPTIONAL_LZ4_CFLAGS@ OPTIONAL_LZ4_LIBS = @OPTIONAL_LZ4_LIBS@ OPTIONAL_LZO_CFLAGS = @OPTIONAL_LZO_CFLAGS@ OPTIONAL_LZO_LIBS = @OPTIONAL_LZO_LIBS@ OPTIONAL_PKCS11_HELPER_CFLAGS = @OPTIONAL_PKCS11_HELPER_CFLAGS@ OPTIONAL_PKCS11_HELPER_LIBS = @OPTIONAL_PKCS11_HELPER_LIBS@ OPTIONAL_SELINUX_LIBS = @OPTIONAL_SELINUX_LIBS@ OPTIONAL_SYSTEMD_LIBS = @OPTIONAL_SYSTEMD_LIBS@ OTOOL = @OTOOL@ OTOOL64 = @OTOOL64@ P11KIT_CFLAGS = @P11KIT_CFLAGS@ P11KIT_LIBS = @P11KIT_LIBS@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PKCS11_HELPER_CFLAGS = @PKCS11_HELPER_CFLAGS@ PKCS11_HELPER_LIBS = @PKCS11_HELPER_LIBS@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGINDIR = @PLUGINDIR@ PLUGIN_AUTH_PAM_CFLAGS = @PLUGIN_AUTH_PAM_CFLAGS@ PLUGIN_AUTH_PAM_LIBS = @PLUGIN_AUTH_PAM_LIBS@ RANLIB = @RANLIB@ RC = @RC@ ROUTE = @ROUTE@ SED = @SED@ SELINUX_LIBS = @SELINUX_LIBS@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ SOCKETS_LIBS = @SOCKETS_LIBS@ STRIP = @STRIP@ SYSTEMD_ASK_PASSWORD = @SYSTEMD_ASK_PASSWORD@ SYSTEMD_UNIT_DIR = @SYSTEMD_UNIT_DIR@ TAP_CFLAGS = @TAP_CFLAGS@ TAP_WIN_COMPONENT_ID = @TAP_WIN_COMPONENT_ID@ TAP_WIN_MIN_MAJOR = @TAP_WIN_MIN_MAJOR@ TAP_WIN_MIN_MINOR = @TAP_WIN_MIN_MINOR@ TEST_CFLAGS = @TEST_CFLAGS@ TEST_LDFLAGS = @TEST_LDFLAGS@ TMPFILES_DIR = @TMPFILES_DIR@ VENDOR_BUILD_ROOT = @VENDOR_BUILD_ROOT@ VENDOR_DIST_ROOT = @VENDOR_DIST_ROOT@ VENDOR_SRC_ROOT = @VENDOR_SRC_ROOT@ VERSION = @VERSION@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ ac_ct_AR = @ac_ct_AR@ ac_ct_CC = @ac_ct_CC@ ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ am__include = @am__include@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ am__tar = @am__tar@ am__untar = @am__untar@ bindir = @bindir@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ datadir = @datadir@ datarootdir = @datarootdir@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ host_os = @host_os@ host_vendor = @host_vendor@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ libdir = @libdir@ libexecdir = @libexecdir@ libsystemd_CFLAGS = @libsystemd_CFLAGS@ libsystemd_LIBS = @libsystemd_LIBS@ localedir = @localedir@ localstatedir = @localstatedir@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ pdfdir = @pdfdir@ plugindir = @plugindir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ sampledir = @sampledir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ systemdunitdir = @systemdunitdir@ target_alias = @target_alias@ tmpfilesdir = @tmpfilesdir@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ AUTOMAKE_OPTIONS = foreign @ENABLE_PLUGIN_AUTH_PAM_TRUE@TESTS = $(check_PROGRAMS) sut_sourcedir = $(top_srcdir)/src/plugins/auth-pam auth_pam_testdriver_SOURCES = test_search_and_replace.c $(sut_sourcedir)/utils.h $(sut_sourcedir)/utils.c auth_pam_testdriver_CFLAGS = @TEST_CFLAGS@ -I$(sut_sourcedir) auth_pam_testdriver_LDFLAGS = @TEST_LDFLAGS@ all: all-am .SUFFIXES: .SUFFIXES: .c .lo .o .obj $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) @for dep in $?; do \ case '$(am__configure_deps)' in \ *$$dep*) \ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ && { if test -f $@; then exit 0; else break; fi; }; \ exit 1;; \ esac; \ done; \ echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign tests/unit_tests/plugins/auth-pam/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --foreign tests/unit_tests/plugins/auth-pam/Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ *) \ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(top_srcdir)/configure: $(am__configure_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(ACLOCAL_M4): $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(am__aclocal_m4_deps): clean-checkPROGRAMS: @list='$(check_PROGRAMS)'; test -n "$$list" || exit 0; \ echo " rm -f" $$list; \ rm -f $$list || exit $$?; \ test -n "$(EXEEXT)" || exit 0; \ list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \ echo " rm -f" $$list; \ rm -f $$list auth_pam_testdriver$(EXEEXT): $(auth_pam_testdriver_OBJECTS) $(auth_pam_testdriver_DEPENDENCIES) $(EXTRA_auth_pam_testdriver_DEPENDENCIES) @rm -f auth_pam_testdriver$(EXEEXT) $(AM_V_CCLD)$(auth_pam_testdriver_LINK) $(auth_pam_testdriver_OBJECTS) $(auth_pam_testdriver_LDADD) $(LIBS) mostlyclean-compile: -rm -f *.$(OBJEXT) distclean-compile: -rm -f *.tab.c @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/auth_pam_testdriver-test_search_and_replace.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/auth_pam_testdriver-utils.Po@am__quote@ .c.o: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< .c.obj: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` .c.lo: @am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $< auth_pam_testdriver-test_search_and_replace.o: test_search_and_replace.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(auth_pam_testdriver_CFLAGS) $(CFLAGS) -MT auth_pam_testdriver-test_search_and_replace.o -MD -MP -MF $(DEPDIR)/auth_pam_testdriver-test_search_and_replace.Tpo -c -o auth_pam_testdriver-test_search_and_replace.o `test -f 'test_search_and_replace.c' || echo '$(srcdir)/'`test_search_and_replace.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/auth_pam_testdriver-test_search_and_replace.Tpo $(DEPDIR)/auth_pam_testdriver-test_search_and_replace.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='test_search_and_replace.c' object='auth_pam_testdriver-test_search_and_replace.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(auth_pam_testdriver_CFLAGS) $(CFLAGS) -c -o auth_pam_testdriver-test_search_and_replace.o `test -f 'test_search_and_replace.c' || echo '$(srcdir)/'`test_search_and_replace.c auth_pam_testdriver-test_search_and_replace.obj: test_search_and_replace.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(auth_pam_testdriver_CFLAGS) $(CFLAGS) -MT auth_pam_testdriver-test_search_and_replace.obj -MD -MP -MF $(DEPDIR)/auth_pam_testdriver-test_search_and_replace.Tpo -c -o auth_pam_testdriver-test_search_and_replace.obj `if test -f 'test_search_and_replace.c'; then $(CYGPATH_W) 'test_search_and_replace.c'; else $(CYGPATH_W) '$(srcdir)/test_search_and_replace.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/auth_pam_testdriver-test_search_and_replace.Tpo $(DEPDIR)/auth_pam_testdriver-test_search_and_replace.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='test_search_and_replace.c' object='auth_pam_testdriver-test_search_and_replace.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(auth_pam_testdriver_CFLAGS) $(CFLAGS) -c -o auth_pam_testdriver-test_search_and_replace.obj `if test -f 'test_search_and_replace.c'; then $(CYGPATH_W) 'test_search_and_replace.c'; else $(CYGPATH_W) '$(srcdir)/test_search_and_replace.c'; fi` auth_pam_testdriver-utils.o: $(sut_sourcedir)/utils.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(auth_pam_testdriver_CFLAGS) $(CFLAGS) -MT auth_pam_testdriver-utils.o -MD -MP -MF $(DEPDIR)/auth_pam_testdriver-utils.Tpo -c -o auth_pam_testdriver-utils.o `test -f '$(sut_sourcedir)/utils.c' || echo '$(srcdir)/'`$(sut_sourcedir)/utils.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/auth_pam_testdriver-utils.Tpo $(DEPDIR)/auth_pam_testdriver-utils.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$(sut_sourcedir)/utils.c' object='auth_pam_testdriver-utils.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(auth_pam_testdriver_CFLAGS) $(CFLAGS) -c -o auth_pam_testdriver-utils.o `test -f '$(sut_sourcedir)/utils.c' || echo '$(srcdir)/'`$(sut_sourcedir)/utils.c auth_pam_testdriver-utils.obj: $(sut_sourcedir)/utils.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(auth_pam_testdriver_CFLAGS) $(CFLAGS) -MT auth_pam_testdriver-utils.obj -MD -MP -MF $(DEPDIR)/auth_pam_testdriver-utils.Tpo -c -o auth_pam_testdriver-utils.obj `if test -f '$(sut_sourcedir)/utils.c'; then $(CYGPATH_W) '$(sut_sourcedir)/utils.c'; else $(CYGPATH_W) '$(srcdir)/$(sut_sourcedir)/utils.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/auth_pam_testdriver-utils.Tpo $(DEPDIR)/auth_pam_testdriver-utils.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$(sut_sourcedir)/utils.c' object='auth_pam_testdriver-utils.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(auth_pam_testdriver_CFLAGS) $(CFLAGS) -c -o auth_pam_testdriver-utils.obj `if test -f '$(sut_sourcedir)/utils.c'; then $(CYGPATH_W) '$(sut_sourcedir)/utils.c'; else $(CYGPATH_W) '$(srcdir)/$(sut_sourcedir)/utils.c'; fi` mostlyclean-libtool: -rm -f *.lo clean-libtool: -rm -rf .libs _libs ID: $(am__tagged_files) $(am__define_uniq_tagged_files); mkid -fID $$unique tags: tags-am TAGS: tags tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) set x; \ here=`pwd`; \ $(am__define_uniq_tagged_files); \ shift; \ if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ test -n "$$unique" || unique=$$empty_fix; \ if test $$# -gt 0; then \ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ "$$@" $$unique; \ else \ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ $$unique; \ fi; \ fi ctags: ctags-am CTAGS: ctags ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) $(am__define_uniq_tagged_files); \ test -z "$(CTAGS_ARGS)$$unique" \ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ $$unique GTAGS: here=`$(am__cd) $(top_builddir) && pwd` \ && $(am__cd) $(top_srcdir) \ && gtags -i $(GTAGS_ARGS) "$$here" cscopelist: cscopelist-am cscopelist-am: $(am__tagged_files) list='$(am__tagged_files)'; \ case "$(srcdir)" in \ [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \ *) sdir=$(subdir)/$(srcdir) ;; \ esac; \ for i in $$list; do \ if test -f "$$i"; then \ echo "$(subdir)/$$i"; \ else \ echo "$$sdir/$$i"; \ fi; \ done >> $(top_builddir)/cscope.files distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags check-TESTS: $(TESTS) @failed=0; all=0; xfail=0; xpass=0; skip=0; \ srcdir=$(srcdir); export srcdir; \ list=' $(TESTS) '; \ $(am__tty_colors); \ if test -n "$$list"; then \ for tst in $$list; do \ if test -f ./$$tst; then dir=./; \ elif test -f $$tst; then dir=; \ else dir="$(srcdir)/"; fi; \ if $(TESTS_ENVIRONMENT) $${dir}$$tst $(AM_TESTS_FD_REDIRECT); then \ all=`expr $$all + 1`; \ case " $(XFAIL_TESTS) " in \ *[\ \ ]$$tst[\ \ ]*) \ xpass=`expr $$xpass + 1`; \ failed=`expr $$failed + 1`; \ col=$$red; res=XPASS; \ ;; \ *) \ col=$$grn; res=PASS; \ ;; \ esac; \ elif test $$? -ne 77; then \ all=`expr $$all + 1`; \ case " $(XFAIL_TESTS) " in \ *[\ \ ]$$tst[\ \ ]*) \ xfail=`expr $$xfail + 1`; \ col=$$lgn; res=XFAIL; \ ;; \ *) \ failed=`expr $$failed + 1`; \ col=$$red; res=FAIL; \ ;; \ esac; \ else \ skip=`expr $$skip + 1`; \ col=$$blu; res=SKIP; \ fi; \ echo "$${col}$$res$${std}: $$tst"; \ done; \ if test "$$all" -eq 1; then \ tests="test"; \ All=""; \ else \ tests="tests"; \ All="All "; \ fi; \ if test "$$failed" -eq 0; then \ if test "$$xfail" -eq 0; then \ banner="$$All$$all $$tests passed"; \ else \ if test "$$xfail" -eq 1; then failures=failure; else failures=failures; fi; \ banner="$$All$$all $$tests behaved as expected ($$xfail expected $$failures)"; \ fi; \ else \ if test "$$xpass" -eq 0; then \ banner="$$failed of $$all $$tests failed"; \ else \ if test "$$xpass" -eq 1; then passes=pass; else passes=passes; fi; \ banner="$$failed of $$all $$tests did not behave as expected ($$xpass unexpected $$passes)"; \ fi; \ fi; \ dashes="$$banner"; \ skipped=""; \ if test "$$skip" -ne 0; then \ if test "$$skip" -eq 1; then \ skipped="($$skip test was not run)"; \ else \ skipped="($$skip tests were not run)"; \ fi; \ test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \ dashes="$$skipped"; \ fi; \ report=""; \ if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \ report="Please report to $(PACKAGE_BUGREPORT)"; \ test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \ dashes="$$report"; \ fi; \ dashes=`echo "$$dashes" | sed s/./=/g`; \ if test "$$failed" -eq 0; then \ col="$$grn"; \ else \ col="$$red"; \ fi; \ echo "$${col}$$dashes$${std}"; \ echo "$${col}$$banner$${std}"; \ test -z "$$skipped" || echo "$${col}$$skipped$${std}"; \ test -z "$$report" || echo "$${col}$$report$${std}"; \ echo "$${col}$$dashes$${std}"; \ test "$$failed" -eq 0; \ else :; fi distdir: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ dist_files=`for file in $$list; do echo $$file; done | \ sed -e "s|^$$srcdirstrip/||;t" \ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ case $$dist_files in \ */*) $(MKDIR_P) `echo "$$dist_files" | \ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ sort -u` ;; \ esac; \ for file in $$dist_files; do \ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ if test -d $$d/$$file; then \ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ if test -d "$(distdir)/$$file"; then \ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ else \ test -f "$(distdir)/$$file" \ || cp -p $$d/$$file "$(distdir)/$$file" \ || exit 1; \ fi; \ done check-am: all-am $(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS) $(MAKE) $(AM_MAKEFLAGS) check-TESTS check: check-am all-am: Makefile installdirs: install: install-am install-exec: install-exec-am install-data: install-data-am uninstall: uninstall-am install-am: all-am @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am installcheck: installcheck-am install-strip: if test -z '$(STRIP)'; then \ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ install; \ else \ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ fi mostlyclean-generic: clean-generic: distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @echo "it deletes files that may require special tools to rebuild." clean: clean-am clean-am: clean-checkPROGRAMS clean-generic clean-libtool \ mostlyclean-am distclean: distclean-am -rm -rf ./$(DEPDIR) -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags dvi: dvi-am dvi-am: html: html-am html-am: info: info-am info-am: install-data-am: install-dvi: install-dvi-am install-dvi-am: install-exec-am: install-html: install-html-am install-html-am: install-info: install-info-am install-info-am: install-man: install-pdf: install-pdf-am install-pdf-am: install-ps: install-ps-am install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-am -rm -rf ./$(DEPDIR) -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic mostlyclean: mostlyclean-am mostlyclean-am: mostlyclean-compile mostlyclean-generic \ mostlyclean-libtool pdf: pdf-am pdf-am: ps: ps-am ps-am: uninstall-am: .MAKE: check-am install-am install-strip .PHONY: CTAGS GTAGS TAGS all all-am check check-TESTS check-am clean \ clean-checkPROGRAMS clean-generic clean-libtool cscopelist-am \ ctags ctags-am distclean distclean-compile distclean-generic \ distclean-libtool distclean-tags distdir dvi dvi-am html \ html-am info info-am install install-am install-data \ install-data-am install-dvi install-dvi-am install-exec \ install-exec-am install-html install-html-am install-info \ install-info-am install-man install-pdf install-pdf-am \ install-ps install-ps-am install-strip installcheck \ installcheck-am installdirs maintainer-clean \ maintainer-clean-generic mostlyclean mostlyclean-compile \ mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ tags tags-am uninstall uninstall-am # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: openvpn-2.4.4/tests/unit_tests/plugins/auth-pam/test_search_and_replace.c000066400000000000000000000041671316434344000267450ustar00rootroot00000000000000#include #include #include #include #include #include #include #include "utils.h" static void pass_any_null_param__returns_null() { char DUMMY[] = "DUMMY"; assert_null(searchandreplace(NULL,DUMMY,DUMMY)); assert_null(searchandreplace(DUMMY,NULL,DUMMY)); assert_null(searchandreplace(DUMMY,DUMMY,NULL)); } static void pass_any_empty_string__returns_null() { char DUMMY[] = "DUMMY"; char EMPTY[] = ""; assert_null(searchandreplace(EMPTY,DUMMY,DUMMY)); assert_null(searchandreplace(DUMMY,EMPTY,DUMMY)); assert_null(searchandreplace(DUMMY,DUMMY,EMPTY)); } static void replace_single_char__one_time__match_is_replaced() { char *replaced = searchandreplace("X","X","Y"); assert_non_null(replaced); assert_string_equal("Y", replaced); free(replaced); } static void replace_single_char__multiple_times__match_all_matches_are_replaced() { char *replaced = searchandreplace("XaX","X","Y"); assert_non_null(replaced); assert_string_equal("YaY", replaced); free(replaced); } static void replace_longer_text__multiple_times__match_all_matches_are_replaced() { char *replaced = searchandreplace("XXaXX","XX","YY"); assert_non_null(replaced); assert_string_equal("YYaYY", replaced); free(replaced); } static void pattern_not_found__returns_original() { char *replaced = searchandreplace("abc","X","Y"); assert_non_null(replaced); assert_string_equal("abc", replaced); free(replaced); } int main(void) { const struct CMUnitTest tests[] = { cmocka_unit_test(pass_any_null_param__returns_null), cmocka_unit_test(pass_any_empty_string__returns_null), cmocka_unit_test(replace_single_char__one_time__match_is_replaced), cmocka_unit_test(replace_single_char__multiple_times__match_all_matches_are_replaced), cmocka_unit_test(replace_longer_text__multiple_times__match_all_matches_are_replaced), cmocka_unit_test(pattern_not_found__returns_original), }; return cmocka_run_group_tests_name("searchandreplace", tests, NULL, NULL); } openvpn-2.4.4/tests/update_t_client_ips.sh000077500000000000000000000006521316434344000207320ustar00rootroot00000000000000#!/bin/sh # # This --up script caches the IPs handed out by the test VPN server to a file # for later use. RC="$TOP_BUILDDIR/t_client_ips.rc" grep EXPECT_IFCONFIG4_$TESTNUM= $RC > /dev/null 2>&1 if [ $? -ne 0 ]; then echo "EXPECT_IFCONFIG4_$TESTNUM=$ifconfig_local" >> $RC fi grep EXPECT_IFCONFIG6_$TESTNUM= $RC > /dev/null 2>&1 if [ $? -ne 0 ]; then echo "EXPECT_IFCONFIG6_$TESTNUM=$ifconfig_ipv6_local" >> $RC fi openvpn-2.4.4/vendor/000077500000000000000000000000001316434344000145055ustar00rootroot00000000000000openvpn-2.4.4/vendor/Makefile.am000066400000000000000000000010551316434344000165420ustar00rootroot00000000000000# needs an absolute path bc. of the cmake invocation cmockasrc = "@VENDOR_SRC_ROOT@/cmocka" cmockabuild = "@VENDOR_BUILD_ROOT@/cmocka" cmockainstall = "@VENDOR_DIST_ROOT@" MAINTAINERCLEANFILES = \ $(srcdir)/Makefile.in \ "$(cmockabuild)" \ "$(cmockainstall)" \ "@VENDOR_BUILD_ROOT@" libcmocka: if CMOCKA_INITIALIZED mkdir -p $(cmockabuild) $(cmockainstall) (cd $(cmockabuild) && cmake -DCMAKE_INSTALL_PREFIX=$(cmockainstall) $(cmockasrc) && make && make install) endif check: libcmocka clean: rm -rf $(cmockabuild) rm -rf $(cmockainstall) openvpn-2.4.4/vendor/Makefile.in000066400000000000000000000345231316434344000165610ustar00rootroot00000000000000# Makefile.in generated by automake 1.14.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2013 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY, to the extent permitted by law; without # even the implied warranty of MERCHANTABILITY or FITNESS FOR A # PARTICULAR PURPOSE. @SET_MAKE@ VPATH = @srcdir@ am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ *) echo "am__make_running_with_option: internal error: invalid" \ "target option '$${target_option-}' specified" >&2; \ exit 1;; \ esac; \ has_opt=no; \ sane_makeflags=$$MAKEFLAGS; \ if $(am__is_gnu_make); then \ sane_makeflags=$$MFLAGS; \ else \ case $$MAKEFLAGS in \ *\\[\ \ ]*) \ bs=\\; \ sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ esac; \ fi; \ skip_next=no; \ strip_trailopt () \ { \ flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ }; \ for flg in $$sane_makeflags; do \ test $$skip_next = yes && { skip_next=no; continue; }; \ case $$flg in \ *=*|--*) continue;; \ -*I) strip_trailopt 'I'; skip_next=yes;; \ -*I?*) strip_trailopt 'I';; \ -*O) strip_trailopt 'O'; skip_next=yes;; \ -*O?*) strip_trailopt 'O';; \ -*l) strip_trailopt 'l'; skip_next=yes;; \ -*l?*) strip_trailopt 'l';; \ -[dEDm]) skip_next=yes;; \ -[JT]) skip_next=yes;; \ esac; \ case $$flg in \ *$$target_option*) has_opt=yes; break;; \ esac; \ done; \ test $$has_opt = yes am__make_dryrun = (target_option=n; $(am__make_running_with_option)) am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) pkgdatadir = $(datadir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ pkglibdir = $(libdir)/@PACKAGE@ pkglibexecdir = $(libexecdir)/@PACKAGE@ am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c install_sh_SCRIPT = $(install_sh) -c INSTALL_HEADER = $(INSTALL_DATA) transform = $(program_transform_name) NORMAL_INSTALL = : PRE_INSTALL = : POST_INSTALL = : NORMAL_UNINSTALL = : PRE_UNINSTALL = : POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = vendor DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/ax_emptyarray.m4 \ $(top_srcdir)/m4/ax_socklen_t.m4 \ $(top_srcdir)/m4/ax_varargs.m4 $(top_srcdir)/m4/libtool.m4 \ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ $(top_srcdir)/m4/pkg.m4 $(top_srcdir)/version.m4 \ $(top_srcdir)/compat.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h \ $(top_builddir)/include/openvpn-plugin.h CONFIG_CLEAN_FILES = CONFIG_CLEAN_VPATH_FILES = AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false am__v_P_1 = : AM_V_GEN = $(am__v_GEN_@AM_V@) am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) am__v_GEN_0 = @echo " GEN " $@; am__v_GEN_1 = AM_V_at = $(am__v_at_@AM_V@) am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) am__v_at_0 = @ am__v_at_1 = SOURCES = DIST_SOURCES = am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ *) (install-info --version) >/dev/null 2>&1;; \ esac am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ AS = @AS@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ CMAKE = @CMAKE@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ DL_LIBS = @DL_LIBS@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ GIT = @GIT@ GREP = @GREP@ IFCONFIG = @IFCONFIG@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ IPROUTE = @IPROUTE@ LD = @LD@ LDFLAGS = @LDFLAGS@ LIBOBJS = @LIBOBJS@ LIBPAM_CFLAGS = @LIBPAM_CFLAGS@ LIBPAM_LIBS = @LIBPAM_LIBS@ LIBS = @LIBS@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ LZ4_CFLAGS = @LZ4_CFLAGS@ LZ4_LIBS = @LZ4_LIBS@ LZO_CFLAGS = @LZO_CFLAGS@ LZO_LIBS = @LZO_LIBS@ MAKEINFO = @MAKEINFO@ MAN2HTML = @MAN2HTML@ MANIFEST_TOOL = @MANIFEST_TOOL@ MBEDTLS_CFLAGS = @MBEDTLS_CFLAGS@ MBEDTLS_LIBS = @MBEDTLS_LIBS@ MKDIR_P = @MKDIR_P@ NETSTAT = @NETSTAT@ NM = @NM@ NMEDIT = @NMEDIT@ OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ OPENSSL_CFLAGS = @OPENSSL_CFLAGS@ OPENSSL_LIBS = @OPENSSL_LIBS@ OPENVPN_VERSION_MAJOR = @OPENVPN_VERSION_MAJOR@ OPENVPN_VERSION_MINOR = @OPENVPN_VERSION_MINOR@ OPENVPN_VERSION_PATCH = @OPENVPN_VERSION_PATCH@ OPTIONAL_CRYPTO_CFLAGS = @OPTIONAL_CRYPTO_CFLAGS@ OPTIONAL_CRYPTO_LIBS = @OPTIONAL_CRYPTO_LIBS@ OPTIONAL_DL_LIBS = @OPTIONAL_DL_LIBS@ OPTIONAL_LZ4_CFLAGS = @OPTIONAL_LZ4_CFLAGS@ OPTIONAL_LZ4_LIBS = @OPTIONAL_LZ4_LIBS@ OPTIONAL_LZO_CFLAGS = @OPTIONAL_LZO_CFLAGS@ OPTIONAL_LZO_LIBS = @OPTIONAL_LZO_LIBS@ OPTIONAL_PKCS11_HELPER_CFLAGS = @OPTIONAL_PKCS11_HELPER_CFLAGS@ OPTIONAL_PKCS11_HELPER_LIBS = @OPTIONAL_PKCS11_HELPER_LIBS@ OPTIONAL_SELINUX_LIBS = @OPTIONAL_SELINUX_LIBS@ OPTIONAL_SYSTEMD_LIBS = @OPTIONAL_SYSTEMD_LIBS@ OTOOL = @OTOOL@ OTOOL64 = @OTOOL64@ P11KIT_CFLAGS = @P11KIT_CFLAGS@ P11KIT_LIBS = @P11KIT_LIBS@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PKCS11_HELPER_CFLAGS = @PKCS11_HELPER_CFLAGS@ PKCS11_HELPER_LIBS = @PKCS11_HELPER_LIBS@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGINDIR = @PLUGINDIR@ PLUGIN_AUTH_PAM_CFLAGS = @PLUGIN_AUTH_PAM_CFLAGS@ PLUGIN_AUTH_PAM_LIBS = @PLUGIN_AUTH_PAM_LIBS@ RANLIB = @RANLIB@ RC = @RC@ ROUTE = @ROUTE@ SED = @SED@ SELINUX_LIBS = @SELINUX_LIBS@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ SOCKETS_LIBS = @SOCKETS_LIBS@ STRIP = @STRIP@ SYSTEMD_ASK_PASSWORD = @SYSTEMD_ASK_PASSWORD@ SYSTEMD_UNIT_DIR = @SYSTEMD_UNIT_DIR@ TAP_CFLAGS = @TAP_CFLAGS@ TAP_WIN_COMPONENT_ID = @TAP_WIN_COMPONENT_ID@ TAP_WIN_MIN_MAJOR = @TAP_WIN_MIN_MAJOR@ TAP_WIN_MIN_MINOR = @TAP_WIN_MIN_MINOR@ TEST_CFLAGS = @TEST_CFLAGS@ TEST_LDFLAGS = @TEST_LDFLAGS@ TMPFILES_DIR = @TMPFILES_DIR@ VENDOR_BUILD_ROOT = @VENDOR_BUILD_ROOT@ VENDOR_DIST_ROOT = @VENDOR_DIST_ROOT@ VENDOR_SRC_ROOT = @VENDOR_SRC_ROOT@ VERSION = @VERSION@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ ac_ct_AR = @ac_ct_AR@ ac_ct_CC = @ac_ct_CC@ ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ am__include = @am__include@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ am__tar = @am__tar@ am__untar = @am__untar@ bindir = @bindir@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ datadir = @datadir@ datarootdir = @datarootdir@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ host_os = @host_os@ host_vendor = @host_vendor@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ libdir = @libdir@ libexecdir = @libexecdir@ libsystemd_CFLAGS = @libsystemd_CFLAGS@ libsystemd_LIBS = @libsystemd_LIBS@ localedir = @localedir@ localstatedir = @localstatedir@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ pdfdir = @pdfdir@ plugindir = @plugindir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ sampledir = @sampledir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ systemdunitdir = @systemdunitdir@ target_alias = @target_alias@ tmpfilesdir = @tmpfilesdir@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ # needs an absolute path bc. of the cmake invocation cmockasrc = "@VENDOR_SRC_ROOT@/cmocka" cmockabuild = "@VENDOR_BUILD_ROOT@/cmocka" cmockainstall = "@VENDOR_DIST_ROOT@" MAINTAINERCLEANFILES = \ $(srcdir)/Makefile.in \ "$(cmockabuild)" \ "$(cmockainstall)" \ "@VENDOR_BUILD_ROOT@" all: all-am .SUFFIXES: $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) @for dep in $?; do \ case '$(am__configure_deps)' in \ *$$dep*) \ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ && { if test -f $@; then exit 0; else break; fi; }; \ exit 1;; \ esac; \ done; \ echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign vendor/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --foreign vendor/Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ *) \ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(top_srcdir)/configure: $(am__configure_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(ACLOCAL_M4): $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(am__aclocal_m4_deps): mostlyclean-libtool: -rm -f *.lo clean-libtool: -rm -rf .libs _libs tags TAGS: ctags CTAGS: cscope cscopelist: distdir: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ dist_files=`for file in $$list; do echo $$file; done | \ sed -e "s|^$$srcdirstrip/||;t" \ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ case $$dist_files in \ */*) $(MKDIR_P) `echo "$$dist_files" | \ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ sort -u` ;; \ esac; \ for file in $$dist_files; do \ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ if test -d $$d/$$file; then \ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ if test -d "$(distdir)/$$file"; then \ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ else \ test -f "$(distdir)/$$file" \ || cp -p $$d/$$file "$(distdir)/$$file" \ || exit 1; \ fi; \ done check-am: all-am check: check-am all-am: Makefile installdirs: install: install-am install-exec: install-exec-am install-data: install-data-am uninstall: uninstall-am install-am: all-am @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am installcheck: installcheck-am install-strip: if test -z '$(STRIP)'; then \ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ install; \ else \ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ fi mostlyclean-generic: clean-generic: distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @echo "it deletes files that may require special tools to rebuild." -test -z "$(MAINTAINERCLEANFILES)" || rm -f $(MAINTAINERCLEANFILES) clean-am: clean-generic clean-libtool mostlyclean-am distclean: distclean-am -rm -f Makefile distclean-am: clean-am distclean-generic dvi: dvi-am dvi-am: html: html-am html-am: info: info-am info-am: install-data-am: install-dvi: install-dvi-am install-dvi-am: install-exec-am: install-html: install-html-am install-html-am: install-info: install-info-am install-info-am: install-man: install-pdf: install-pdf-am install-pdf-am: install-ps: install-ps-am install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-am -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic mostlyclean: mostlyclean-am mostlyclean-am: mostlyclean-generic mostlyclean-libtool pdf: pdf-am pdf-am: ps: ps-am ps-am: uninstall-am: .MAKE: install-am install-strip .PHONY: all all-am check check-am clean clean-generic clean-libtool \ cscopelist-am ctags-am distclean distclean-generic \ distclean-libtool distdir dvi dvi-am html html-am info info-am \ install install-am install-data install-data-am install-dvi \ install-dvi-am install-exec install-exec-am install-html \ install-html-am install-info install-info-am install-man \ install-pdf install-pdf-am install-ps install-ps-am \ install-strip installcheck installcheck-am installdirs \ maintainer-clean maintainer-clean-generic mostlyclean \ mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ tags-am uninstall uninstall-am libcmocka: @CMOCKA_INITIALIZED_TRUE@ mkdir -p $(cmockabuild) $(cmockainstall) @CMOCKA_INITIALIZED_TRUE@ (cd $(cmockabuild) && cmake -DCMAKE_INSTALL_PREFIX=$(cmockainstall) $(cmockasrc) && make && make install) check: libcmocka clean: rm -rf $(cmockabuild) rm -rf $(cmockainstall) # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: openvpn-2.4.4/version.m4000066400000000000000000000012251316434344000151370ustar00rootroot00000000000000dnl define the OpenVPN version define([PRODUCT_NAME], [OpenVPN]) define([PRODUCT_TARNAME], [openvpn]) define([PRODUCT_VERSION_MAJOR], [2]) define([PRODUCT_VERSION_MINOR], [4]) define([PRODUCT_VERSION_PATCH], [.4]) m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MAJOR]) m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MINOR], [[.]]) m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_PATCH], [[]]) define([PRODUCT_BUGREPORT], [openvpn-users@lists.sourceforge.net]) define([PRODUCT_VERSION_RESOURCE], [2,4,4,0]) dnl define the TAP version define([PRODUCT_TAP_WIN_COMPONENT_ID], [tap0901]) define([PRODUCT_TAP_WIN_MIN_MAJOR], [9]) define([PRODUCT_TAP_WIN_MIN_MINOR], [9]) openvpn-2.4.4/version.sh.in000066400000000000000000000002341316434344000156350ustar00rootroot00000000000000OPENVPN_PACKAGE_NAME="@PACKAGE_NAME@" OPENVPN_PACKAGE_TARNAME="@PACKAGE_TARNAME@" OPENVPN_PACKAGE_VERSION="@PACKAGE_VERSION@" OPENVPN_PACKAGE_HOST="@host@"