- Increase required version to 2.60 since that is documented
minimum version for AC_USE_SYSTEM_EXTENSIONS
- Remove obsolete macros AC_C_CONST and AC_C_VOLATILE. They
are noops on every compiler we support.
- Add explicit call to AC_PROG_CC. We get this implictly as
dependency of other macros, but it is nicer to have it
explicitely as well.
- A few typo and whitespace fixes.
Change-Id: I7927a572611b7c1dc0b522fd6cdf05fd222a852d
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240918204551.2530-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29321.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Do not communicate any of the flags via the global
CFLAGS and LIBS, so that users are not confused when
overriding them on the command line.
Github: closesOpenVPN/openvpn#586
Change-Id: I39a6f58b11b922f5dbd3e55a5bc8574eda8a83fe
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240917133253.19616-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29282.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Anonymous unions/structs are technically a custom GNU C99 feature but
was already widely supported by other compilers. With C11 this feature
has become a standard feature so all compilers nowadays support it.
Change-Id: I1ef5f6f21f0135a628a63553c39515fa4549ce87
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20240710160238.190189-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28914.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
mbedTLS does not seem to have pkg-config support on e.g.
Debian/Ubuntu, so we definitely need to keep the
fallback check as well.
Change-Id: I5d0da76018e874cda5dbab9202a2b817ad5e4692
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Yuriy Darnobyt <yura.uddr@gmail.com>
Message-Id: <20240906160510.76387-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29090.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
E.g. if you use openvpn as a git submodule, it can be a
file that points to the parent's git directory.
The changes to Makefile.am are not strictly required, they
still work with that case, but I wanted to keep the usage
consistent.
Change-Id: I9b7a3df012e7606ddb04a944e3fa33247180e8dd
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Acked-by: Yuriy Darnobyt <yura.uddr@gmail.com>
Message-Id: <20240906172112.87148-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29092.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Mostly so we can use anonymous structs without jumping through
hoops or relying on unofficial support.
Change-Id: I72934e747d1ad68a7e3675afbeb1b63df7941186
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20240710160306.190351-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28916.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
On most systems this should work just fine.
v2:
- simplify code by removing -llzo special handling
v3:
- reintroduce support for autodetection without pkg-config,
no need to break backwards compatibility right now
v7:
- Handle case correctly where lzo/lzo1x.h can not be included
at all. On most distros this works even though the .pc
file suggests to use it without. We had some partly
solution for that but it wasn't really working.
v8:
- Handle systems that do not implicitly include limits.h
in configure test builds.
lzodefs.h usually relies on lzoconf.h to include it.
Change-Id: I1c038dc4ec80d3499582d81eee61fee74f26e693
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240626161921.179301-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28848.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
These are not covered by -Wall (nor -Wextra) but we want
to enforce them.
Change-Id: I6e08920e4cf4762b9f14a7461a29fa77df15255c
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240620144230.19586-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28823.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Instead of lzo_{free,malloc} we can just use the
free and malloc as the lzoutils.h header itself
suggests.
Change-Id: I32ee28fde5d38d736f753c782d88a81de7fe2980
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20240604211708.32315-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28705.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
With Centos 7/Red Hat Enterprise Linux 7 being EOL this June, the last
distributions that still support OpenSSL 1.0.2 are finally EOL. This
means we no longer need to support OpenSSL 1.0.2
Change-Id: I90875311a4e4c403e77e30b609c1878cbaaaad45
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240514141550.17544-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28665.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
It turned out that symlinking compile_commands.json from the top level
source dir has some issues:
* file is not created on Windows and symlinking may cause an error
* some IDEs create their own json and error out b/c a file exists
Since clangd also looks for the json in build/ directories by default,
we now symlink the whole build directory instead, not just the json file.
This approach requires for the existing build/ dir in the repo to
vanish. Luckily it only contains one automake include file, which is
moved to the top level source dir.
Lastly, make this an opt-in feature, so that the default configuration
of the buildsystem never causes a build failure because of this.
Change-Id: Ib1a5c788269949d8de95d1da2cb0c32a65bf13f2
Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240117134929.5317-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28061.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Users seem to struggle to read the full error message. This adds an
indication if pkg-config is actually found to the warning/error message
that use pkg-config.
On platforms that do not require pkg-config and for optional libraries,
the existence of pkg-config is mentioned as part of the error/warning message.
When found:
configure: error: libnl-genl-3.0 package not found or too old. Is the development package and pkg-config (/usr/bin/pkg-config) installed? Must be version 3.4.0 or newer for DCO
not found:
configure: error: libnl-genl-3.0 package not found or too old. Is the development package and pkg-config (not found) installed? Must be version 3.4.0 or newer for DCO
On platforms where pkg-config is required (only Linux at the moment),
configure will abort when not detecting pkg-config:
checking for pkg-config... no
configure: error: pkg-config is required
Change-Id: Iebaa35a23e217a4cd7739af229cbfc08a3d8854a
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20240105140540.14757-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27939.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The default build log is big and basically
unreadable.
Go the way of other build systems and do not
print compile commands by default. Verbose
output can always be enabled with make V=1.
Change-Id: Ib226079d1543209e08e5fdcf7344cd20850bea9d
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20231230142348.29108-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27865.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Since we want to get rid of it, might be useful to
allow users to remove the support completely.
Change-Id: I199f83e2db5fc7c48a0ac9280cdbf9fa45f42300
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20231230143817.4880-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27863.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Serial mode is the old one and offers much less options for
running the tests. Generally our tests seem to work fine
with the newer parallel mode. The only reason we stuck with
serial_tests seems to be that we didn't like that it doesn't
output the test output by default. We could fix that with a
custom test driver. But will put that into a separate commit.
Change-Id: Ic7265d89142637b0963a6847c6beb06d9163bbb1
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20231214111635.237429-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27812.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The cmake file defined that file to be never present in contrast to the
old msvc-config.h that always had it present.
Remove also the compat implementation taken from mingw. All our current
build environments already have that header in place.
Change-Id: I9c85ccab6d51064ebff2c391740ba8c2d044ed1a
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20231128103950.62407-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27573.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Recent autoconf warns:
configure.ac:448: warning: The macro `AC_TYPE_SIGNAL' is obsolete.
And it turns out that we do not actually use RETSIGTYPE.
Additionally, there is no reason to do so since as the
autoconf documentation says:
"These days, it is portable to assume C89, and that signal
handlers return void, without needing to use this macro or
RETSIGTYPE."
Change-Id: I7da7c2d7d34c7e5efd52d448646b4398a1005e77
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20231128103740.61160-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27572.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Most struct fields in mbedtls 3 are private and now need accessor
functions. Most of it was straightforward to adapt, but for two things
there were no accessor functions yet:
* Netscape certificate type
* key usage (you can check key usage, but not get the raw bytes)
I decided to remove Netscape certificate type checks when using OpenVPN
with mbedtls. The key usage bytes were printed in an error message, and
I removed that part from it.
Adding the random number functions to the load private key function may
look weird, but the purpose is to make side channels for elliptic curve
operations harder to exploit.
Change-Id: I445a93e84dc54b865b757038d22318ac427fce96
Signed-off-by: Max Fillinger <max@max-fillinger.net>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231025121830.1030959-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27295.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This is a contribution for loading engine key. OpenSSL engine is
deprecated since OpenSSL 3.0 and James Bottomley has not agreed to
the proposed license chagne. He is also okay with removing the
feature from the current code base as it is obsolete with OpenSSL 3.0.
The original commit ID was a0a8d801dd0d84e0ec844b9ca4c225df7 (plus
subsequent fixes).
Change-Id: I2d353a0cea0a62f289b8c1060244df66dd7a14cb
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20231006111910.3541180-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27133.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Starting with LibreSSL 3.8.1 the engines have been removed which causes
the OpenVPN build to fail. This can be solved during configure by
checking if OPENSSL_NO_ENGINE is defined in opensslconf.h.
Signed-off-by: orbea <orbea@riseup.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230909134956.5902-1-orbea@riseup.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26994.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Completely replaced by the CMake build system now.
v3:
- rebase on top of my dist fixes
Change-Id: I807cffa40f18faa1adec4e15e84c032877a2b92e
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20230620135310.94455-4-frank@lichtenheld.com>
URL: https://www.mail-archive.com/search?l=mid&q=20230620135310.94455-4-frank@lichtenheld.com
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This was added back in commit
6187644b66
to support the NSIS windows installer.
It is now unused.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230330094226.487951-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26560.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This only defines three types and none of them is
used anywhere in our source code.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230330094215.487924-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26559.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
- Load some test certificate/key pairs into a temporary softhsm2 token
and enumerate available objects through pkcs11-helper interface
- For each object, load it into SSL_CTX and test sign (if using OpenSSL 3)
or check the certificate and public-key match (if using OpenSSl 1.1.1.).
The pkcs11-id for each object is specified directly or
through a mocked management callback to test pkcs11-id-management
Limitations:
Depends on libsofthsm2.so and p11tool (install softhsm2 and gnutls-bin
packages). Mbed-TLS/pkcs11-helper combination is not tested.
If locations of these binaries are not auto-detected or need to be
overridden, use -DSOFTHSM2_UTIL=<path> -DP11TOOL=<path> to configure.
Location of SOFTHSM2_MODULE is not auto-detected and defaults to
/usr/lib/softhsm/libsofthsm2.so. It may be changed by passing
-DSOFTHSM2_MODULE=/some-path/libsofthsm2.so to configure.
Also see "configure --help".
The test is enabled only if --enable-pkcs11 is in use, and SOFTHSM2_UTIL
& P11TOOL are found in path or manually defined during configuring.
Changes relative to github PR
- Explicitly disable building the test on Windows: need to port mkstemp,
mkdtemp, setenv etc., before enabling this on Windows.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20230322221456.1660425-2-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26483.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The libnv check doesn't work as expected on FreeBSD 14.x, because
FreeBSD has namespaced libnv to avoid conflicts with libnvpair.
This means that the naive check generated by AC_CHECK_LIB() fails to
detect libnv even though it's present.
Instead check for the if_ovpn.h header. This is a more accurate check
anyway, as libnv is present on FreeBSD versions prior to 14 (which do
not support DCO).
Signed-off-by: Kristof Provost <kprovost@netgate.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230301091848.80760-1-kprovost@netgate.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26314.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Make consistent with the other options.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230206130846.63415-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26156.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Automatically disabled when
- iproute2 is enabled
(Don't want to force people specifying --disable-dco explicitely)
- libnv is missing on FreeBSD
(FreeBSD version too old anyway)
Will still error out if libnl-genl is missing on Linux to
make people aware of new dependency.
v2: error out when libnl-genl is missing as discussed with ordex on
IRC.
v3:
- improvements to the messages, suggested by Selva
- further improvements to the default specification, trying to make it clear
- if enabling iproute2, do not test for libnl-genl
v4: add updates for GHA
v5:
- v4 was missing the changes of v3. v5 combines the changes from v3 and v4
- fix build failure GHA/ubuntu1804/mbedtls
- fix build failure GHA/ubuntu2204/libressl
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20230215162654.52137-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26272.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
- Minor changes to the build system to include some
dependencies for Windows build
- test_tls_crypt not built as it will pull in win32.c and
its dependencies
- If cross-compiling, "make check" will only build the tests but not
run any. Copy to Windows and run manually. Executables are in
<buid-dir>/tests/unit_tests/openvpn/.libs/ and these depend on
cmocka.dll in addition to openssl libs that some tests link to.
Building with mingw on Windows should run the tests (untested).
v2: networking_testdriver was mistakenly enabled to run, while
originally it was only set to build. Corrected.
v3: exclude check_engine_keys.sh when cross-compiling
As suggested by Arne Schwabe <arne@rfc2549.org>
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20230208005925.393200-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26188.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
- Eliminates repeated warnings such as
warning: source file '$(openvpn_srcdir)/env_set.c' is in a subdirectory,
but option 'subdir-objects' is disabled
- Enabled only for automake >= 1.16 as older versions have a buggy
implementation of this option
Main side effect of this option is that object files like
openvpnserv-blockdns.o are now created in src/openvpn where block-dns.c
resides instead of in src/openvpnserv.
Same for object files for sources from $(openvpn_srcdir) compiled
into test executables.
See also past discussion on this topic:
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg00013.html
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20230204004512.250271-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26147.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
- Move OCC warnings to debug level. This moves the only useful OCC message
of compress-migrate to D_PUSH
- remove configure option --enable-strict-options
- ignore disable-occ in TLS mode as it is logged under debug now only
disable-occ is now strictly a non-TLS option
- mark opt-verify and disable-occ as deprecated.
Patch v2: change one missed M_WARN to D_OCC
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230111134439.1107915-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25970.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Manually excluded ovpn_dco_win.h because it is an
imported file. ovpn_dco_linux.h is already excluded
because it still says 2021.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230110160531.81010-1-frank@lichtenheld.com>
URL: https://patchwork.openvpn.net/project/openvpn2/patch/20230110160531.81010-1-frank@lichtenheld.com/
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20220813204224.22576-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24919.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Implement data-channel offload for FreeBSD. The implementation and flow
is very similar to that of the Linux DCO support.
Signed-off-by: Kristof Provost <kprovost@netgate.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220812134154.16729-2-kprovost@netgate.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24894.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
On Linux, when dropping privileges, interaction with
the network configuration, such as tearing down routes
or ovpn-dco interfaces will fail when --user/--group are
used.
This patch sets the CAP_NET_ADMIN capability, which grants
the needed privileges during the lifetime of the OpenVPN
process when dropping root privileges.
Signed-off-by: Timo Rothenpieler <timo@rothenpieler.org>
Reviewed-By: David Sommerseth <davids@openvpn.net>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20220514103717.235-1-timo@rothenpieler.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24360.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
--mtu-disc (on Linux) needs two components to work:
- setsockopt() with IP_MTU_DISCOVER or IPV6_MTU_DISCOVER
- "extended error reporting" (setsockopt(IP_RECVERR) and
then via mtu.c/format_extended_socket_error()) to react on
"packet too big" errors on sendto() / sendmsg()
Some configure.ac reorganization broke detection of <linux/errqueue.h>
and "struct sock_extended_err". Re-add <linux/errqueue.h> to configure.ac,
remove all the other conditionals in syshead.h, and remove the
"struct sock_extended_err" check completely (assumption: if errqueue.h
exists, it contains what we need).
Thus, the "non-helpful" socket error message turns into:
2022-02-22 12:31:42 write UDPv4 [EMSGSIZE Path-MTU=800]: Message too long (fd=3,code=90)
2022-02-22 12:31:42 Note adjusting 'mssfix 1400 mtu' to 'mssfix 800 mtu' according to path MTU discovery
2022-02-22 12:31:42 Note adjusting 'fragment 1400 mtu' to 'fragment 800 mtu' according to path MTU discovery
... while at it, fix extra space in first part of these messages, and
print o->ce.fragment for the "fragment" message...
v2: assume that "if it's linux, and has these two headers, everything
else will be there as well" and get rid of most of the #ifdef checks
Trac: #1452
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20220222113832.13383-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23863.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Update performed by means of: dev-tools/update-copyright.sh
Cc: David Sommerseth <davids@openvpn.net>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20220125142456.18176-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23650.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This allows to select engine support at configure time. For OpenSSL 1.1 the
default is not changed and we detect if engine support is available.
Engine support is deprecated in OpenSSL 3.0 and for OpenSSL 3.0 the default
is to disable engine support as engine support is deprecated and generates
compiler warnings which in turn also break -Werror.
By using --with-openssl-engine=no or --with-openssl-engine=yes engine
support can be forced on or off. If it is enabled but not detected an
error will be thown.
This commit cleans up the configure logic a bit and removes the
ENGINE_cleanup checks as we can just assume that it will be also
available as macro or function if the other engine functions are
available. Before the cleanup we would only check for the existance
of engine.h if ENGINE_cleanup was not found.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
Message-Id: <20211019183127.614175-3-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23000.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Historically we always had -Wno-unused-parameter and
-Wno-unused-function enabled along with -Wall.
When we made -Wall a default option, we carried the other two along and
made them default too (in 2018).
Now the code is much cleaner compared to the past and we do not really
require -Wno-unused-parameter and -Wno-unused-function anymore.
Actually they may hide really unused functions that we'd need to
cleanup.
For this reason remove -Wno-unused-parameter and -Wno-unused-function
for good from the default CFLAGS.
Any new warning should rather be fixed than hidden.
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20211005122736.4060-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22917.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
On some systems the rst2{man,html} executables may have a slightly
different name, like rst2{man,html}.py.
Add this name variation to the Generic Programs check.
This specific variation is found on Gentoo Linux.
Cc: David Sommerseth <davids@openvpn.net>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210827144807.27004-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22777.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
OpenVPN shipped a small packet filtering tool called PF. It has never
been straightforward as it required a plugin to work. On top of that,
keeping PF support, makes the code more complicated and increases the
maintenance cost of OpenVPN.
PF itself is not actually maintained at all and there is little
motivation in keeping it alive.
Some years ago an IPv6 extension for PF was proposed, but it was never
picked up for the reasons above.
External (and more appropriate) tools can still be used to implement
packet filtering on the OpenVPN interface.
Drop PF support for good.
Note that IDs used for external communication (i.e. to the plugin
or management interface) have been commented out, but not removed, as
they should not be used in the future.
v2:
* changed // to /* */
* changed "NOT IMPLEMENTED" to "REMOVED FEATURE"
* removed extra empty lines after removing ifdef blocks
* clarified on IRC that tls_final has to be removed and therefore that
hunk is correct
* removed mi_prefix() function as it is now unused
Cc: Arne Schwabe <arne@rfc2549.org>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20210827190014.12640-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22780.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The mbedtls_ctr_drbg_update_ret() function was backported to various
older branches, including 2.14 and 2.7.
To avoid making the #if guard too complex, let's detect if this function
exist at configure time.
All versions not having this function, will use our compat code.
Cc: Max Fillinger <maximilian.fillinger@foxcrypto.com>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
Message-Id: <20210812085300.4738-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22734.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
getpeername is part of SUSv3 and Windows also provides the function
as part of winsocks.
getpid is also provided by both Posix and windows and we do not even
use getpid on Windows since we rather call GetCurrentProcessId.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210512131511.1309914-3-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22340.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This macro is currently used only in 3 places in syshead.h
- EXTENDED_SOCKET_ERROR_CAPABILITY is linux specific anyway and
starts with #if defined(HAVE_LINUX_TYPES_H)
- port share and ip_pktinfo macros depends on sendmsg/recvmsg
that implicitly also require iovec
So in all three cases we can implicitly assume that iovec is present
and do not need to make this explicit check
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210512131511.1309914-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22343.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
With this change we always build multihome support if the operating
system supports it.
Patch v2: Remove also from config-msvc.h
Patch v3: Remove also another line from configure.ac
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210503105638.3903379-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22290.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>