Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package openvpn for openSUSE:Factory checked in at 2023-05-13 17:17:22 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/openvpn (Old) and /work/SRC/openSUSE:Factory/.openvpn.new.1533 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openvpn" Sat May 13 17:17:22 2023 rev:108 rq:1086774 version:2.6.4 Changes: -------- --- /work/SRC/openSUSE:Factory/openvpn/openvpn.changes 2023-04-27 19:56:49.492475991 +0200 +++ /work/SRC/openSUSE:Factory/.openvpn.new.1533/openvpn.changes 2023-05-13 17:17:33.714353716 +0200 @@ -1,0 +2,14 @@ +Fri May 12 12:16:54 UTC 2023 - Paolo Stivanin <[email protected]> + +- Update to 2.6.4: + * DCO: support kernel-triggered key rotation (avoid IV reuse after + 2^32 packets). This is the userland side, accepting a message + from kernel, and initiating a TLS renegotiation. As of release, + * fix pkcs#11 usage with OpenSSL 3.x and PSS signing (Github #323) + * fix compile error on TARGET_ANDROID + * fix typo in help text + * manpage updates (--topology) + * encoding of non-ASCII windows error messages in log + management fixed +- Update openvpn.keyring + +------------------------------------------------------------------- Old: ---- openvpn-2.6.3.tar.gz openvpn-2.6.3.tar.gz.asc New: ---- openvpn-2.6.4.tar.gz openvpn-2.6.4.tar.gz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ openvpn.spec ++++++ --- /var/tmp/diff_new_pack.p2k1E2/_old 2023-05-13 17:17:35.902366305 +0200 +++ /var/tmp/diff_new_pack.p2k1E2/_new 2023-05-13 17:17:35.906366328 +0200 @@ -20,7 +20,7 @@ %define _rundir %{_localstatedir}/run %endif Name: openvpn -Version: 2.6.3 +Version: 2.6.4 Release: 0 Summary: Full-featured SSL VPN solution using a TUN/TAP Interface License: GPL-2.0-only WITH openvpn-openssl-exception ++++++ openvpn-2.3-plugin-man.dif ++++++ --- /var/tmp/diff_new_pack.p2k1E2/_old 2023-05-13 17:17:35.946366558 +0200 +++ /var/tmp/diff_new_pack.p2k1E2/_new 2023-05-13 17:17:35.950366581 +0200 
@@ -1,6 +1,8 @@ +Index: doc/openvpn.8 +=================================================================== --- doc/openvpn.8.orig +++ doc/openvpn.8 -@@ -6059,9 +6059,9 @@ For more information and examples on how +@@ -6690,9 +6690,9 @@ For more information and examples on how modules, see the README file in the \fBplugin\fP folder of the OpenVPN source distribution. .sp ++++++ openvpn-2.6.3.tar.gz -> openvpn-2.6.4.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openvpn-2.6.3/COPYING new/openvpn-2.6.4/COPYING --- old/openvpn-2.6.3/COPYING 2023-04-13 07:57:29.000000000 +0200 +++ new/openvpn-2.6.4/COPYING 2023-05-11 08:09:21.000000000 +0200 
@@ -31,6 +31,53 @@ file, but you are not obligated to do so. If you do not wish to do so, delete this exception statement from your version. +Apache2 linking exception: +--------------------------- +OpenVPN is currently undergoing a license change to add an exception for +Apache 2 linking. The following exception is only valid for new contributions +after 2023-05-03 and past contribution where the authors have already agreed +to the exception. + + In addition, as a special exception, OpenVPN Inc and the + contributors give permission to link the code of this program to + libraries (the "Libraries") licensed under the Apache License + version 2.0 (this work and any linked library the "Combined Work") + and copy and distribute the Combined Work without an obligation to + license the Libraries under the GNU General Public License v2 + (GPL-2.0) as required by Section 2 of the GPL-2.0, and without an + obligation to refrain from imposing any additional restrictions in + the Apache License version 2 that are not in the GPL-2.0, as + required by Section 6 of the GPL-2.0. You must comply with the + GPL-2.0 in all other respects for the Combined Work, including + the obligation to provide source code. If you modify this file, you + may extend this exception to your version of the file, but you are + not obligated to do so. If you do not wish to do so, delete this + exception statement from your version. + +For better understanding, in plain non-legalese English this basically says: + + * The intention for this license exception is to allow OpenVPN to be + linked against APL-2 licensed libraries, even where the GPL-2.0 and + APL-2 licenses conflict from a legal perspective. + + * OpenVPN itself will stay GPL-2.0 and the code belonging to the + OpenVPN project must comply to the GPL-2.0 license. This is NOT + dual-licensing of the OpenVPN code base. + + * This license exception DOES NOT require NOR expect a license change + of the APL-2 based library. 
This exception allows using the APL-2 + library as-is. However, when distributing a compiled OpenVPN binary + linking against APL-2 libraries ("Combined Work"), the REQUIREMENT is + that the APL-2 library MUST also be available on similar terms as in + GPL-2.0, like providing the source code of the library upon request, + except in the two specific ways mentioned. + + * If the APL-2 based library forbids such linking and distribution, + this license exception DOES NOT overrule the restriction of the APL-2 + based library. If the APL-2 library cannot satisfy the requirements + in this license exception, you CANNOT distribute an OpenVPN binary + linked with this library. + LZO license: ------------ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openvpn-2.6.3/ChangeLog new/openvpn-2.6.4/ChangeLog --- old/openvpn-2.6.3/ChangeLog 2023-04-13 07:57:29.000000000 +0200 +++ new/openvpn-2.6.4/ChangeLog 2023-05-11 08:09:21.000000000 +0200 @@ -1,6 +1,28 @@ OpenVPN ChangeLog Copyright (C) 2002-2023 OpenVPN Inc <[email protected]> +2023.05.11 -- Version 2.6.4 + +Arne Schwabe (3): + Remove unused variable line + Add Apache2 linking with for new commits + Fix compile error on TARGET_ANDROID + +Frank Lichtenheld (2): + man page: Remove cruft from --topology documentation + tests: do not include t_client.sh in dist + +Kristof Provost (1): + DCO: support key rotation notifications + +Michael Nix (1): + fix typo in help text: --ignore-unknown-option + +Selva Nair (2): + Format Windows error message in Unicode + Bugfix: dangling pointer passed to pkcs11-helper + + 2023.04.13 -- Version 2.6.3 Frank Lichtenheld (3): diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openvpn-2.6.3/Changes.rst new/openvpn-2.6.4/Changes.rst --- old/openvpn-2.6.3/Changes.rst 2023-04-13 07:57:29.000000000 +0200 +++ new/openvpn-2.6.4/Changes.rst 2023-05-11 08:09:21.000000000 +0200 
@@ -1,3 +1,34 @@ +Overview of changes in 2.6.4 +============================ + +User visible changes +-------------------- +- License amendment: all NEW commits fall under a modified license that + explicitly permits linking with Apache2 libraries (mbedTLS, OpenSSL) - + see COPYING for details. Existing code will fall under the new license + as soon as all contributors have agreed to the change - work ongoing. + +New features +------------ +- DCO: support kernel-triggered key rotation (avoid IV reuse after 2^32 + packets). This is the userland side, accepting a message from kernel, + and initiating a TLS renegotiation. As of release, only implemented in + FreeBSD kernel. + +Bug fixes +--------- +- fix pkcs#11 usage with OpenSSL 3.x and PSS signing (Github #323) + +- fix compile error on TARGET_ANDROID + +- fix typo in help text + +- manpage updates (--topology) + +- encoding of non-ASCII windows error messages in log + management fixed + (use UTF8 "as for everything else", not ANSI codepages) (Github #319) + + Overview of changes in 2.6.3 ============================ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openvpn-2.6.3/Makefile.in new/openvpn-2.6.4/Makefile.in --- old/openvpn-2.6.3/Makefile.in 2023-04-13 07:57:29.000000000 +0200 +++ new/openvpn-2.6.4/Makefile.in 2023-05-11 08:09:21.000000000 +0200 
@@ -219,8 +219,8 @@ DIST_SUBDIRS = $(SUBDIRS) am__DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/config.h.in \ $(srcdir)/version.sh.in AUTHORS COPYING ChangeLog INSTALL NEWS \ - README compile config.guess config.sub install-sh ltmain.sh \ - missing + README compile config.guess config.sub depcomp install-sh \ + ltmain.sh missing DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) distdir = $(PACKAGE)-$(VERSION) top_distdir = $(distdir) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openvpn-2.6.3/configure new/openvpn-2.6.4/configure --- old/openvpn-2.6.3/configure 2023-04-13 07:57:29.000000000 +0200 +++ new/openvpn-2.6.4/configure 2023-05-11 08:09:21.000000000 +0200 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.71 for OpenVPN 2.6.3. +# Generated by GNU Autoconf 2.71 for OpenVPN 2.6.4. # # Report bugs to <[email protected]>. # @@ -621,8 +621,8 @@ # Identity of this package. PACKAGE_NAME='OpenVPN' PACKAGE_TARNAME='openvpn' -PACKAGE_VERSION='2.6.3' -PACKAGE_STRING='OpenVPN 2.6.3' +PACKAGE_VERSION='2.6.4' +PACKAGE_STRING='OpenVPN 2.6.4' PACKAGE_BUGREPORT='[email protected]' PACKAGE_URL='' @@ -1522,7 +1522,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures OpenVPN 2.6.3 to adapt to many kinds of systems. +\`configure' configures OpenVPN 2.6.4 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1593,7 +1593,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of OpenVPN 2.6.3:";; + short | recursive ) echo "Configuration of OpenVPN 2.6.4:";; esac cat <<\_ACEOF 
@@ -1830,7 +1830,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -OpenVPN configure 2.6.3 +OpenVPN configure 2.6.4 generated by GNU Autoconf 2.71 Copyright (C) 2021 Free Software Foundation, Inc. @@ -2487,7 +2487,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by OpenVPN $as_me 2.6.3, which was +It was created by OpenVPN $as_me 2.6.4, which was generated by GNU Autoconf 2.71. Invocation command line was $ $0$ac_configure_args_raw @@ -3267,13 +3267,13 @@ fi -printf "%s\n" "#define OPENVPN_VERSION_RESOURCE 2,6,3,0" >>confdefs.h +printf "%s\n" "#define OPENVPN_VERSION_RESOURCE 2,6,4,0" >>confdefs.h OPENVPN_VERSION_MAJOR=2 OPENVPN_VERSION_MINOR=6 -OPENVPN_VERSION_PATCH=.3 +OPENVPN_VERSION_PATCH=.4 printf "%s\n" "#define OPENVPN_VERSION_MAJOR 2" >>confdefs.h @@ -3282,7 +3282,7 @@ printf "%s\n" "#define OPENVPN_VERSION_MINOR 6" >>confdefs.h -printf "%s\n" "#define OPENVPN_VERSION_PATCH \".3\"" >>confdefs.h +printf "%s\n" "#define OPENVPN_VERSION_PATCH \".4\"" >>confdefs.h @@ -3811,7 +3811,7 @@ # Define the identity of the package. PACKAGE='openvpn' - VERSION='2.6.3' + VERSION='2.6.4' printf "%s\n" "#define PACKAGE \"$PACKAGE\"" >>confdefs.h @@ -20072,7 +20072,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by OpenVPN $as_me 2.6.3, which was +This file was extended by OpenVPN $as_me 2.6.4, which was generated by GNU Autoconf 2.71. Invocation command line was CONFIG_FILES = $CONFIG_FILES 
@@ -20140,7 +20140,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config='$ac_cs_config_escaped' ac_cs_version="\\ -OpenVPN config.status 2.6.3 +OpenVPN config.status 2.6.4 configured by $0, generated by GNU Autoconf 2.71, with options \\"\$ac_cs_config\\" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openvpn-2.6.3/doc/man-sections/vpn-network-options.rst new/openvpn-2.6.4/doc/man-sections/vpn-network-options.rst --- old/openvpn-2.6.3/doc/man-sections/vpn-network-options.rst 2023-04-13 07:57:29.000000000 +0200 +++ new/openvpn-2.6.4/doc/man-sections/vpn-network-options.rst 2023-05-11 08:09:21.000000000 +0200 @@ -499,7 +499,7 @@ Use a point-to-point topology, by allocating one /30 subnet per client. This is designed to allow point-to-point semantics when some or all of the connecting clients might be Windows systems. This is the - default on OpenVPN 2.0. + default. :code:`p2p` Use a point-to-point topology where the remote endpoint of 
@@ -513,12 +513,7 @@ configuring the tun interface with a local IP address and subnet mask, similar to the topology used in ``--dev tap`` and ethernet bridging mode. This mode allocates a single IP address per connecting client and - works on Windows as well. Only available when server and clients are - OpenVPN 2.1 or higher, or OpenVPN 2.0.x which has been manually patched - with the ``--topology`` directive code. When used on Windows, requires - version 8.2 or higher of the TAP-Win32 driver. When used on \*nix, - requires that the tun driver supports an ``ifconfig``\(8) command which - sets a subnet instead of a remote endpoint IP address. + works on Windows as well. *Note:* Using ``--topology subnet`` changes the interpretation of the arguments of ``--ifconfig`` to mean "address netmask", no longer "local diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openvpn-2.6.3/doc/openvpn.8 new/openvpn-2.6.4/doc/openvpn.8 --- old/openvpn-2.6.3/doc/openvpn.8 2023-04-13 07:57:29.000000000 +0200 +++ new/openvpn-2.6.4/doc/openvpn.8 2023-05-11 08:09:21.000000000 +0200 @@ -5234,7 +5234,7 @@ Use a point\-to\-point topology, by allocating one /30 subnet per client. This is designed to allow point\-to\-point semantics when some or all of the connecting clients might be Windows systems. This is the -default on OpenVPN 2.0. +default. .TP .B \fBp2p\fP Use a point\-to\-point topology where the remote endpoint of 
@@ -5248,12 +5248,7 @@ configuring the tun interface with a local IP address and subnet mask, similar to the topology used in \fB\-\-dev tap\fP and ethernet bridging mode. This mode allocates a single IP address per connecting client and -works on Windows as well. Only available when server and clients are -OpenVPN 2.1 or higher, or OpenVPN 2.0.x which has been manually patched -with the \fB\-\-topology\fP directive code. When used on Windows, requires -version 8.2 or higher of the TAP\-Win32 driver. When used on *nix, -requires that the tun driver supports an \fBifconfig\fP(8) command which -sets a subnet instead of a remote endpoint IP address. +works on Windows as well. .UNINDENT .sp \fINote:\fP Using \fB\-\-topology subnet\fP changes the interpretation of the diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openvpn-2.6.3/doc/openvpn.8.html new/openvpn-2.6.4/doc/openvpn.8.html --- old/openvpn-2.6.3/doc/openvpn.8.html 2023-04-13 07:57:29.000000000 +0200 +++ new/openvpn-2.6.4/doc/openvpn.8.html 2023-05-11 08:09:21.000000000 +0200 @@ -4568,7 +4568,7 @@ <dd>Use a point-to-point topology, by allocating one /30 subnet per client. This is designed to allow point-to-point semantics when some or all of the connecting clients might be Windows systems. This is the -default on OpenVPN 2.0.</dd> +default.</dd> <dt><code>p2p</code></dt> <dd>Use a point-to-point topology where the remote endpoint of the client's tun interface always points to the local endpoint of the 
@@ -4580,12 +4580,7 @@ configuring the tun interface with a local IP address and subnet mask, similar to the topology used in <tt class="docutils literal"><span class="pre">--dev</span> tap</tt> and ethernet bridging mode. This mode allocates a single IP address per connecting client and -works on Windows as well. Only available when server and clients are -OpenVPN 2.1 or higher, or OpenVPN 2.0.x which has been manually patched -with the <tt class="docutils literal"><span class="pre">--topology</span></tt> directive code. When used on Windows, requires -version 8.2 or higher of the TAP-Win32 driver. When used on *nix, -requires that the tun driver supports an <tt class="docutils literal">ifconfig</tt>(8) command which -sets a subnet instead of a remote endpoint IP address.</dd> +works on Windows as well.</dd> </dl> <p class="last"><em>Note:</em> Using <tt class="docutils literal"><span class="pre">--topology</span> subnet</tt> changes the interpretation of the arguments of <tt class="docutils literal"><span class="pre">--ifconfig</span></tt> to mean "address netmask", no longer "local diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openvpn-2.6.3/include/openvpn-plugin.h new/openvpn-2.6.4/include/openvpn-plugin.h --- old/openvpn-2.6.3/include/openvpn-plugin.h 2023-04-13 07:57:29.000000000 +0200 +++ new/openvpn-2.6.4/include/openvpn-plugin.h 2023-05-11 08:09:21.000000000 +0200 
@@ -53,7 +53,7 @@ */ #define OPENVPN_VERSION_MAJOR 2 #define OPENVPN_VERSION_MINOR 6 -#define OPENVPN_VERSION_PATCH ".3" +#define OPENVPN_VERSION_PATCH ".4" /* * Plug-in types. These types correspond to the set of script callbacks diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openvpn-2.6.3/sample/sample-plugins/Makefile new/openvpn-2.6.4/sample/sample-plugins/Makefile --- old/openvpn-2.6.3/sample/sample-plugins/Makefile 2023-04-13 07:57:29.000000000 +0200 +++ new/openvpn-2.6.4/sample/sample-plugins/Makefile 2023-05-11 08:09:21.000000000 +0200 @@ -152,7 +152,7 @@ AWK = gawk CC = gcc CCDEPMODE = depmode=gcc3 -CFLAGS = -Wall -Wno-stringop-truncation -g -O2 -std=c99 -I/usr/include/libnl3 +CFLAGS = -Wall -Wno-stringop-truncation -g -O2 -std=c99 CMOCKA_CFLAGS = CMOCKA_LIBS = -lcmocka CPP = gcc -E @@ -187,19 +187,19 @@ LDFLAGS = LIBCAPNG_CFLAGS = LIBCAPNG_LIBS = -lcap-ng -LIBNL_GENL_CFLAGS = -I/usr/include/libnl3 -LIBNL_GENL_LIBS = -lnl-genl-3 -lnl-3 +LIBNL_GENL_CFLAGS = +LIBNL_GENL_LIBS = LIBOBJS = LIBPAM_CFLAGS = LIBPAM_LIBS = -lpam -LIBS = -lnl-genl-3 -lnl-3 -lcap-ng +LIBS = -lcap-ng LIBTOOL = $(SHELL) $(top_builddir)/libtool LIPO = LN_S = ln -s LTLIBOBJS = LT_SYS_LIBRARY_PATH = LZ4_CFLAGS = -LZ4_LIBS = -llz4 +LZ4_LIBS = LZO_CFLAGS = LZO_LIBS = -llzo2 MAKEINFO = ${SHELL} '/home/flichtenheld/openvpn/community/openvpn-build/src/openvpn/missing' makeinfo @@ -216,16 +216,16 @@ OPENSSL_LIBS = -lssl -lcrypto OPENVPN_VERSION_MAJOR = 2 OPENVPN_VERSION_MINOR = 6 -OPENVPN_VERSION_PATCH = .3 +OPENVPN_VERSION_PATCH = .4 OPTIONAL_CRYPTO_CFLAGS = OPTIONAL_CRYPTO_LIBS = -lssl -lcrypto OPTIONAL_DL_LIBS = -ldl OPTIONAL_INOTIFY_CFLAGS = OPTIONAL_INOTIFY_LIBS = OPTIONAL_LZ4_CFLAGS = -OPTIONAL_LZ4_LIBS = -llz4 +OPTIONAL_LZ4_LIBS = OPTIONAL_LZO_CFLAGS = -OPTIONAL_LZO_LIBS = -llzo2 +OPTIONAL_LZO_LIBS = OPTIONAL_PKCS11_HELPER_CFLAGS = OPTIONAL_PKCS11_HELPER_LIBS = OPTIONAL_SELINUX_LIBS = 
@@ -237,10 +237,10 @@ PACKAGE = openvpn PACKAGE_BUGREPORT = [email protected] PACKAGE_NAME = OpenVPN -PACKAGE_STRING = OpenVPN 2.6.3 +PACKAGE_STRING = OpenVPN 2.6.4 PACKAGE_TARNAME = openvpn PACKAGE_URL = -PACKAGE_VERSION = 2.6.3 +PACKAGE_VERSION = 2.6.4 PATH_SEPARATOR = : PKCS11_HELPER_CFLAGS = PKCS11_HELPER_LIBS = -lpthread -ldl -lcrypto -lpkcs11-helper @@ -249,7 +249,7 @@ PKG_CONFIG_PATH = PLUGINDIR = PLUGIN_AUTH_PAM_CFLAGS = -PLUGIN_AUTH_PAM_LIBS = -lpam +PLUGIN_AUTH_PAM_LIBS = RANLIB = ranlib RC = ROUTE = /usr/sbin/route @@ -268,9 +268,9 @@ TAP_WIN_MIN_MAJOR = 9 TAP_WIN_MIN_MINOR = 9 TEST_CFLAGS = -I$(top_srcdir)/include -TEST_LDFLAGS = -lssl -lcrypto -llzo2 -lcmocka +TEST_LDFLAGS = -lssl -lcrypto -lcmocka TMPFILES_DIR = -VERSION = 2.6.3 +VERSION = 2.6.4 WOLFSSL_CFLAGS = WOLFSSL_INCLUDEDIR = WOLFSSL_LIBS = diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openvpn-2.6.3/src/openvpn/dco_freebsd.c new/openvpn-2.6.4/src/openvpn/dco_freebsd.c --- old/openvpn-2.6.3/src/openvpn/dco_freebsd.c 2023-04-13 07:57:29.000000000 +0200 +++ new/openvpn-2.6.4/src/openvpn/dco_freebsd.c 2023-05-11 08:09:21.000000000 +0200 @@ -550,6 +550,10 @@ dco->dco_message_type = OVPN_CMD_DEL_PEER; break; + case OVPN_NOTIF_ROTATE_KEY: + dco->dco_message_type = OVPN_CMD_SWAP_KEYS; + break; + default: msg(M_WARN, "Unknown kernel notification %d", type); break; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openvpn-2.6.3/src/openvpn/dco_freebsd.h new/openvpn-2.6.4/src/openvpn/dco_freebsd.h --- old/openvpn-2.6.3/src/openvpn/dco_freebsd.h 2023-04-13 07:57:29.000000000 +0200 +++ new/openvpn-2.6.4/src/openvpn/dco_freebsd.h 2023-05-11 08:09:21.000000000 +0200 
@@ -35,6 +35,7 @@ enum ovpn_message_type_t { OVPN_CMD_DEL_PEER, OVPN_CMD_PACKET, + OVPN_CMD_SWAP_KEYS, }; enum ovpn_del_reason_t { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openvpn-2.6.3/src/openvpn/error.c new/openvpn-2.6.4/src/openvpn/error.c --- old/openvpn-2.6.3/src/openvpn/error.c 2023-04-13 07:57:29.000000000 +0200 +++ new/openvpn-2.6.4/src/openvpn/error.c 2023-05-11 08:09:21.000000000 +0200 @@ -970,19 +970,24 @@ /* format a windows error message */ { - char message[256]; + wchar_t wmessage[256]; + char *message = NULL; struct buffer out = alloc_buf_gc(256, gc); - const int status = FormatMessage( + const DWORD status = FormatMessageW( FORMAT_MESSAGE_IGNORE_INSERTS | FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_ARGUMENT_ARRAY, NULL, errnum, 0, - message, - sizeof(message), + wmessage, + SIZE(wmessage), NULL); - if (!status) + if (status) + { + message = utf16to8(wmessage, gc); + } + if (!status || !message) { buf_printf(&out, "[Unknown Win32 Error]"); } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openvpn-2.6.3/src/openvpn/forward.c new/openvpn-2.6.4/src/openvpn/forward.c --- old/openvpn-2.6.3/src/openvpn/forward.c 2023-04-13 07:57:29.000000000 +0200 +++ new/openvpn-2.6.4/src/openvpn/forward.c 2023-05-11 08:09:21.000000000 +0200 
@@ -1232,20 +1232,30 @@ return; } - if (dco->dco_message_type != OVPN_CMD_DEL_PEER) + switch (dco->dco_message_type) { - msg(D_DCO_DEBUG, "%s: received message of type %u - ignoring", __func__, - dco->dco_message_type); - return; - } + case OVPN_CMD_DEL_PEER: + if (dco->dco_del_peer_reason == OVPN_DEL_PEER_REASON_EXPIRED) + { + msg(D_DCO_DEBUG, "%s: received peer expired notification of for peer-id " + "%d", __func__, dco->dco_message_peer_id); + trigger_ping_timeout_signal(c); + return; + } + break; - if (dco->dco_del_peer_reason == OVPN_DEL_PEER_REASON_EXPIRED) - { - msg(D_DCO_DEBUG, "%s: received peer expired notification of for peer-id " - "%d", __func__, dco->dco_message_peer_id); - trigger_ping_timeout_signal(c); - return; + case OVPN_CMD_SWAP_KEYS: + msg(D_DCO_DEBUG, "%s: received key rotation notification for peer-id %d", + __func__, dco->dco_message_peer_id); + tls_session_soft_reset(c->c2.tls_multi); + break; + + default: + msg(D_DCO_DEBUG, "%s: received message of type %u - ignoring", __func__, + dco->dco_message_type); + return; } + #endif /* if defined(ENABLE_DCO) && (defined(TARGET_LINUX) || defined(TARGET_FREEBSD)) */ } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openvpn-2.6.3/src/openvpn/multi.c new/openvpn-2.6.4/src/openvpn/multi.c --- old/openvpn-2.6.3/src/openvpn/multi.c 2023-04-13 07:57:29.000000000 +0200 +++ new/openvpn-2.6.4/src/openvpn/multi.c 2023-05-11 08:09:21.000000000 +0200 @@ -3284,6 +3284,10 @@ { process_incoming_del_peer(m, mi, dco); } + else if (dco->dco_message_type == OVPN_CMD_SWAP_KEYS) + { + tls_session_soft_reset(mi->context.c2.tls_multi); + } } else { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openvpn-2.6.3/src/openvpn/options.c new/openvpn-2.6.4/src/openvpn/options.c --- old/openvpn-2.6.3/src/openvpn/options.c 2023-04-13 07:57:29.000000000 +0200 +++ new/openvpn-2.6.4/src/openvpn/options.c 2023-05-11 08:09:21.000000000 +0200 
@@ -248,7 +248,7 @@ "--setenv name value : Set a custom environmental variable to pass to script.\n" "--setenv FORWARD_COMPATIBLE 1 : Relax config file syntax checking to allow\n" " directives for future OpenVPN versions to be ignored.\n" - "--ignore-unkown-option opt1 opt2 ...: Relax config file syntax. Allow\n" + "--ignore-unknown-option opt1 opt2 ...: Relax config file syntax. Allow\n" " these options to be ignored when unknown\n" "--script-security level: Where level can be:\n" " 0 -- strictly no calling of external programs\n" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openvpn-2.6.3/src/openvpn/ovpn_dco_freebsd.h new/openvpn-2.6.4/src/openvpn/ovpn_dco_freebsd.h --- old/openvpn-2.6.3/src/openvpn/ovpn_dco_freebsd.h 2023-04-13 07:57:29.000000000 +0200 +++ new/openvpn-2.6.4/src/openvpn/ovpn_dco_freebsd.h 2023-05-11 08:09:21.000000000 +0200 @@ -36,6 +36,7 @@ enum ovpn_notif_type { OVPN_NOTIF_DEL_PEER, + OVPN_NOTIF_ROTATE_KEY, }; enum ovpn_del_reason { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openvpn-2.6.3/src/openvpn/pkcs11_openssl.c new/openvpn-2.6.4/src/openvpn/pkcs11_openssl.c --- old/openvpn-2.6.3/src/openvpn/pkcs11_openssl.c 2023-04-13 07:57:29.000000000 +0200 +++ new/openvpn-2.6.4/src/openvpn/pkcs11_openssl.c 2023-05-11 08:09:21.000000000 +0200 @@ -165,6 +165,7 @@ { pkcs11h_certificate_t cert = handle; CK_MECHANISM mech = {CKM_RSA_PKCS, NULL, 0}; /* default value */ + CK_RSA_PKCS_PSS_PARAMS pss_params = {0}; unsigned char buf[EVP_MAX_MD_SIZE]; size_t buflen; 
@@ -203,7 +204,6 @@ } else if (!strcmp(sigalg.padmode, "pss")) { - CK_RSA_PKCS_PSS_PARAMS pss_params = {0}; mech.mechanism = CKM_RSA_PKCS_PSS; if (!set_pss_params(&pss_params, sigalg, cert)) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openvpn-2.6.3/src/openvpn/pool.c new/openvpn-2.6.4/src/openvpn/pool.c --- old/openvpn-2.6.3/src/openvpn/pool.c 2023-04-13 07:57:29.000000000 +0200 +++ new/openvpn-2.6.4/src/openvpn/pool.c 2023-05-11 08:09:21.000000000 +0200 @@ -608,7 +608,6 @@ struct gc_arena gc = gc_new(); struct buffer in = alloc_buf_gc(256, &gc); char *cn_buf, *ip_buf, *ip6_buf; - int line = 0; ALLOC_ARRAY_CLEAR_GC(cn_buf, char, buf_size, &gc); ALLOC_ARRAY_CLEAR_GC(ip_buf, char, buf_size, &gc); @@ -621,7 +620,6 @@ { break; } - ++line; if (!BLEN(&in)) { continue; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openvpn-2.6.3/src/openvpn/socket.c new/openvpn-2.6.4/src/openvpn/socket.c --- old/openvpn-2.6.3/src/openvpn/socket.c 2023-04-13 07:57:29.000000000 +0200 +++ new/openvpn-2.6.4/src/openvpn/socket.c 2023-05-11 08:09:21.000000000 +0200 @@ -1165,7 +1165,7 @@ { if (!management) { - msg(M_FATAL, "Required management interface not available.") + msg(M_FATAL, "Required management interface not available."); } /* pass socket FD to management interface to pass on to VPNService API diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openvpn-2.6.3/src/openvpn/ssl.c new/openvpn-2.6.4/src/openvpn/ssl.c --- old/openvpn-2.6.3/src/openvpn/ssl.c 2023-04-13 07:57:29.000000000 +0200 +++ new/openvpn-2.6.4/src/openvpn/ssl.c 2023-05-11 08:09:21.000000000 +0200 
@@ -1918,6 +1918,12 @@ ks->remote_addr = ks_lame->remote_addr; } +void +tls_session_soft_reset(struct tls_multi *tls_multi) +{ + key_state_soft_reset(&tls_multi->session[TM_ACTIVE]); +} + /* * Read/write strings from/to a struct buffer with a u16 length prefix. */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openvpn-2.6.3/src/openvpn/ssl.h new/openvpn-2.6.4/src/openvpn/ssl.h --- old/openvpn-2.6.3/src/openvpn/ssl.h 2023-04-13 07:57:29.000000000 +0200 +++ new/openvpn-2.6.4/src/openvpn/ssl.h 2023-05-11 08:09:21.000000000 +0200 @@ -573,6 +573,9 @@ tls_session_generate_data_channel_keys(struct tls_multi *multi, struct tls_session *session); +void +tls_session_soft_reset(struct tls_multi *multi); + /** * Load ovpn.xkey provider used for external key signing */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openvpn-2.6.3/tests/Makefile.am new/openvpn-2.6.4/tests/Makefile.am --- old/openvpn-2.6.3/tests/Makefile.am 2023-04-13 07:57:29.000000000 +0200 +++ new/openvpn-2.6.4/tests/Makefile.am 2023-05-11 08:09:21.000000000 +0200 @@ -25,8 +25,10 @@ TESTS = $(test_scripts) dist_noinst_SCRIPTS = \ - $(test_scripts) \ + t_cltsrv.sh \ t_cltsrv-down.sh \ + t_lpback.sh \ + t_net.sh \ update_t_client_ips.sh dist_noinst_DATA = \ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openvpn-2.6.3/tests/Makefile.in new/openvpn-2.6.4/tests/Makefile.in --- old/openvpn-2.6.3/tests/Makefile.in 2023-04-13 07:57:29.000000000 +0200 +++ new/openvpn-2.6.4/tests/Makefile.in 2023-05-11 08:09:21.000000000 +0200 
@@ -111,15 +111,13 @@ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) -DIST_COMMON = $(srcdir)/Makefile.am $(am__dist_noinst_SCRIPTS_DIST) \ +DIST_COMMON = $(srcdir)/Makefile.am $(dist_noinst_SCRIPTS) \ $(dist_noinst_DATA) $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h \ $(top_builddir)/include/openvpn-plugin.h CONFIG_CLEAN_FILES = t_client.sh CONFIG_CLEAN_VPATH_FILES = -am__dist_noinst_SCRIPTS_DIST = t_client.sh t_lpback.sh t_cltsrv.sh \ - t_net.sh t_cltsrv-down.sh update_t_client_ips.sh SCRIPTS = $(dist_noinst_SCRIPTS) AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) @@ -425,8 +423,10 @@ TESTS_ENVIRONMENT = top_srcdir="$(top_srcdir)" TESTS = $(test_scripts) dist_noinst_SCRIPTS = \ - $(test_scripts) \ + t_cltsrv.sh \ t_cltsrv-down.sh \ + t_lpback.sh \ + t_net.sh \ update_t_client_ips.sh dist_noinst_DATA = \ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openvpn-2.6.3/tests/t_client.sh new/openvpn-2.6.4/tests/t_client.sh --- old/openvpn-2.6.3/tests/t_client.sh 2023-04-13 07:57:29.000000000 +0200 +++ new/openvpn-2.6.4/tests/t_client.sh 1970-01-01 01:00:00.000000000 +0100 
@@ -1,463 +0,0 @@ -#!/bin/bash -# -# run OpenVPN client against ``test reference'' server -# - check that ping, http, ... via tunnel works -# - check that interface config / routes are properly cleaned after test end -# -# prerequisites: -# - openvpn binary in current directory -# - writable current directory to create subdir for logs -# - t_client.rc in current directory OR source dir that specifies tests -# - for "ping4" checks: fping binary in $PATH -# - for "ping6" checks: fping (4.0+) or fping6 binary in $PATH -# - -# by changing this to 1 we can force automated builds to fail -# that are expected to have all the prerequisites -TCLIENT_SKIP_RC="${TCLIENT_SKIP_RC:-77}" - -srcdir="${srcdir:-.}" -top_builddir="${top_builddir:-..}" -if [ -r "${top_builddir}"/t_client.rc ] ; then - . "${top_builddir}"/t_client.rc -elif [ -r "${srcdir}"/t_client.rc ] ; then - . "${srcdir}"/t_client.rc -else - echo "$0: cannot find 't_client.rc' in build dir ('${top_builddir}')" >&2 - echo "$0: or source directory ('${srcdir}'). SKIPPING TEST." >&2 - exit "${TCLIENT_SKIP_RC}" -fi - -# Check for external dependencies -FPING="fping" -FPING6="fping6" -which fping > /dev/null -if [ $? -ne 0 ]; then - echo "$0: fping is not available in \$PATH" >&2 - exit "${TCLIENT_SKIP_RC}" -fi -which fping6 > /dev/null -if [ $? -ne 0 ]; then - echo "$0: fping6 is not available in \$PATH, assuming fping 4.0 or later" >&2 - FPING="fping -4" - FPING6="fping -6" -fi - -KILL_EXEC=`which kill` -if [ $? -ne 0 ]; then - echo "$0: kill not found in \$PATH" >&2 - exit "${TCLIENT_SKIP_RC}" -fi - -if [ ! -x "${top_builddir}/src/openvpn/openvpn" ] -then - echo "no (executable) openvpn binary in current build tree. FAIL." >&2 - exit 1 -fi - -if [ ! -w . ] -then - echo "current directory is not writable (required for logging). FAIL." >&2 - exit 1 -fi - -if [ -z "$CA_CERT" ] ; then - echo "CA_CERT not defined in 't_client.rc'. SKIP test." 
>&2 - exit "${TCLIENT_SKIP_RC}" -fi - -if [ -z "$TEST_RUN_LIST" ] ; then - echo "TEST_RUN_LIST empty, no tests defined. SKIP test." >&2 - exit "${TCLIENT_SKIP_RC}" -fi - -# Ensure PREFER_KSU is in a known state -PREFER_KSU="${PREFER_KSU:-0}" - -# make sure we have permissions to run ifconfig/route from OpenVPN -# can't use "id -u" here - doesn't work on Solaris -ID=`id` -if expr "$ID" : "uid=0" >/dev/null -then : -else - if [ "${PREFER_KSU}" -eq 1 ]; - then - # Check if we have a valid kerberos ticket - klist -l 1>/dev/null 2>/dev/null - if [ $? -ne 0 ]; - then - # No kerberos ticket found, skip ksu and fallback to RUN_SUDO - PREFER_KSU=0 - echo "$0: No Kerberos ticket available. Will not use ksu." - else - RUN_SUDO="ksu -q -e" - fi - fi - - if [ -z "$RUN_SUDO" ] - then - echo "$0: this test must run be as root, or RUN_SUDO=... " >&2 - echo " must be set correctly in 't_client.rc'. SKIP." >&2 - exit "${TCLIENT_SKIP_RC}" - else - # We have to use sudo. Make sure that we (hopefully) do not have - # to ask the users password during the test. This is done to - # prevent timing issues, e.g. when the waits for openvpn to start - if $RUN_SUDO $KILL_EXEC -0 $$ - then - echo "$0: $RUN_SUDO $KILL_EXEC -0 succeeded, good." - else - echo "$0: $RUN_SUDO $KILL_EXEC -0 failed, cannot go on. SKIP." >&2 - exit "${TCLIENT_SKIP_RC}" - fi - fi -fi - -LOGDIR=t_client-`hostname`-`date +%Y%m%d-%H%M%S` -if mkdir $LOGDIR -then : -else - echo "can't create log directory '$LOGDIR'. FAIL." 
>&2 - exit 1 -fi - -# verbosity, defaults to "1" -V="${V:-1}" - -exit_code=0 - -# ---------------------------------------------------------- -# helper functions -# ---------------------------------------------------------- - -# output progress information -# depending on verbosity level, collect & print only on failure -output_start() -{ - case $V in - 0) outbuf="" ;; # no per-test output at all - 1) echo -e "$@" # compact, details only on failure - outbuf="\n" ;; - *) echo -e "\n$@\n" ;; # print all, with a bit formatting - esac -} - -output() -{ - NO_NL=''; if [ "X$1" = "X-n" ] ; then NO_NL=$1 ; shift ; fi - case $V in - 0) ;; # no per-test output at all - 1) outbuf="$outbuf$@" # print details only on failure - test -z "$NO_NL" && outbuf="$outbuf\n" - ;; - *) echo -e $NO_NL "$@" ;; # print everything - esac -} - -# print failure message, increase FAIL counter -fail() -{ - output "FAIL: $@\n" - fail_count=$(( $fail_count + 1 )) -} - -# print "all interface IP addresses" + "all routes" -# this is higly system dependent... -get_ifconfig_route() -{ - # linux / iproute2? 
(-> if configure got a path) - if [ -n "/usr/sbin/ip" ] - then - echo "-- linux iproute2 --" - /usr/sbin/ip addr show | grep -v valid_lft - /usr/sbin/ip route show - /usr/sbin/ip -o -6 route show | grep -v ' cache' | sed -E -e 's/ expires [0-9]*sec//' -e 's/ (mtu|hoplimit|cwnd|ssthresh) [0-9]+//g' -e 's/ (rtt|rttvar) [0-9]+ms//g' - return - fi - - # try uname - case `uname -s` in - Linux) - echo "-- linux / ifconfig --" - LANG=C /usr/sbin/ifconfig -a |egrep "( addr:|encap:)" - LANG=C netstat -rn -4 -6 - return - ;; - FreeBSD|NetBSD|Darwin) - echo "-- FreeBSD/NetBSD/Darwin [MacOS X] --" - /usr/sbin/ifconfig -a | egrep "(flags=|inet)" - netstat -rn | awk '$3 !~ /^UHL/ { print $1,$2,$3,$NF }' - return - ;; - OpenBSD) - echo "-- OpenBSD --" - /usr/sbin/ifconfig -a | egrep "(flags=|inet)" | \ - sed -e 's/pltime [0-9]*//' -e 's/vltime [0-9]*//' - netstat -rn | awk '$3 !~ /^UHL/ { print $1,$2,$3,$NF }' - return - ;; - SunOS) - echo "-- Solaris --" - /usr/sbin/ifconfig -a | egrep "(flags=|inet)" - netstat -rn | awk '$3 !~ /^UHL/ { print $1,$2,$3,$6 }' - return - ;; - AIX) - echo "-- AIX --" - /usr/sbin/ifconfig -a | egrep "(flags=|inet)" - netstat -rn | awk '$3 !~ /^UHL/ { print $1,$2,$3,$6 }' - return - ;; - esac - - echo "get_ifconfig_route(): no idea how to get info on your OS. FAIL." >&2 - exit 20 -} - -# ---------------------------------------------------------- -# check ifconfig -# arg1: "4" or "6" -> for message -# arg2: IPv4/IPv6 address that must show up in out of "get_ifconfig_route" -check_ifconfig() -{ - proto=$1 ; shift - expect_list="$@" - - if [ -z "$expect_list" ] ; then return ; fi - - for expect in $expect_list - do - if get_ifconfig_route | fgrep "$expect" >/dev/null - then : - else - fail "check_ifconfig(): expected IPv$proto address '$expect' not found in ifconfig output." 
- fi - done -} - -# ---------------------------------------------------------- -# run pings -# arg1: "4" or "6" -> fping/fing6 -# arg2: "want_ok" or "want_fail" (expected ping result) -# arg3... -> fping arguments (host list) -run_ping_tests() -{ - proto=$1 ; want=$2 ; shift ; shift - targetlist="$@" - - # "no targets" is fine - if [ -z "$targetlist" ] ; then return ; fi - - case $proto in - 4) cmd="$FPING" ;; - 6) cmd="$FPING6" ;; - *) echo "internal error in run_ping_tests arg 1: '$proto'" >&2 - exit 1 ;; - esac - - case $want in - want_ok) sizes_list="64 1440 3000" ;; - want_fail) sizes_list="64" ;; - esac - - for bytes in $sizes_list - do - output "run IPv$proto ping tests ($want), $bytes byte packets..." - - echo "$cmd -b $bytes -C 20 -p 250 -q $fping_args $targetlist" >>$LOGDIR/$SUF:fping.out - $cmd -b $bytes -C 20 -p 250 -q $fping_args $targetlist >>$LOGDIR/$SUF:fping.out 2>&1 - - # while OpenVPN is running, pings must succeed (want='want_ok') - # before OpenVPN is up, pings must NOT succeed (want='want_fail') - - rc=$? - if [ $rc = 0 ] # all ping OK - then - if [ $want = "want_fail" ] # not what we want - then - fail "IPv$proto ping test succeeded, but needs to *fail*." - fi - else # ping failed - if [ $want = "want_ok" ] # not what we wanted - then - fail "IPv$proto ping test ($bytes bytes) failed, but should succeed." 
- fi - fi - done -} - -# ---------------------------------------------------------- -# main test loop -# ---------------------------------------------------------- -SUMMARY_OK= -SUMMARY_FAIL= - -for SUF in $TEST_RUN_LIST -do - # get config variables - eval test_prep=\"\$PREPARE_$SUF\" - eval test_postinit=\"\$POSTINIT_CMD_$SUF\" - eval test_cleanup=\"\$CLEANUP_$SUF\" - eval test_run_title=\"\$RUN_TITLE_$SUF\" - eval openvpn_conf=\"\$OPENVPN_CONF_$SUF\" - eval expect_ifconfig4=\"\$EXPECT_IFCONFIG4_$SUF\" - eval expect_ifconfig6=\"\$EXPECT_IFCONFIG6_$SUF\" - eval ping4_hosts=\"\$PING4_HOSTS_$SUF\" - eval ping6_hosts=\"\$PING6_HOSTS_$SUF\" - eval fping_args=\"\$FPING_EXTRA_ARGS \$FPING_ARGS_$SUF\" - - # If EXCEPT_IFCONFIG* variables for this test are missing, run an --up - # script to generate them dynamically. - if [ -z "$expect_ifconfig4" ] || [ -z "$expect_ifconfig6" ]; then - up="--setenv TESTNUM $SUF --setenv TOP_BUILDDIR ${top_builddir} --script-security 2 --up ${srcdir}/update_t_client_ips.sh" - else - up="" - fi - - output_start "### test run $SUF: '$test_run_title' ###" - fail_count=0 - - if [ -n "$test_prep" ]; then - output "running preparation: '$test_prep'" - eval $test_prep - fi - - output "save pre-openvpn ifconfig + route" - get_ifconfig_route >$LOGDIR/$SUF:ifconfig_route_pre.txt - - output "\nrun pre-openvpn ping tests - targets must not be reachable..." - run_ping_tests 4 want_fail "$ping4_hosts" - run_ping_tests 6 want_fail "$ping6_hosts" - if [ "$fail_count" = 0 ] ; then - output "OK.\n" - else - fail "make sure that ping hosts are ONLY reachable via VPN, SKIP test $SUF." 
- SUMMARY_FAIL="$SUMMARY_FAIL $SUF" - exit_code=31 - echo -e "$outbuf" ; continue - fi - - pidfile="${top_builddir}/tests/$LOGDIR/openvpn-$SUF.pid" - openvpn_conf="$openvpn_conf --writepid $pidfile $up" - output " run openvpn $openvpn_conf" - echo "# src/openvpn/openvpn $openvpn_conf" >$LOGDIR/$SUF:openvpn.log - umask 022 - $RUN_SUDO "${top_builddir}/src/openvpn/openvpn" $openvpn_conf >>$LOGDIR/$SUF:openvpn.log & - sudopid=$! - - # Check if OpenVPN has initialized before continuing. It will check every 3rd second up - # to $ovpn_init_check times. - ovpn_init_check=10 - ovpn_init_success=0 - while [ $ovpn_init_check -gt 0 ]; - do - sleep 3 # Wait for OpenVPN to initialize and have had time to write the pid file - grep "Initialization Sequence Completed" $LOGDIR/$SUF:openvpn.log >/dev/null - if [ $? -eq 0 ]; then - ovpn_init_check=0 - ovpn_init_success=1 - fi - ovpn_init_check=$(( $ovpn_init_check - 1 )) - done - - opid=`cat $pidfile` - if [ -n "$opid" ]; then - output " OpenVPN running with PID $opid" - else - output " Could not read OpenVPN PID file" - fi - - # If OpenVPN did not start - if [ $ovpn_init_success -ne 1 -o -z "$opid" ]; then - output "$0: OpenVPN did not initialize in a reasonable time" - if [ -n "$opid" ]; then - $RUN_SUDO $KILL_EXEC $opid - fi - $RUN_SUDO $KILL_EXEC $sudopid - output "tail -5 $SUF:openvpn.log" - output "`tail -5 $LOGDIR/$SUF:openvpn.log`" - fail "skip rest of sub-tests for test run $SUF." - trap - 0 1 2 3 15 - SUMMARY_FAIL="$SUMMARY_FAIL $SUF" - exit_code=30 - echo -e "$outbuf" ; continue - fi - - # make sure openvpn client is terminated in case shell exits - trap "$RUN_SUDO $KILL_EXEC $opid" 0 - trap "$RUN_SUDO $KILL_EXEC $opid ; trap - 0 ; exit 1" 1 2 3 15 - - # compare whether anything changed in ifconfig/route setup? - output "save ifconfig+route" - get_ifconfig_route >$LOGDIR/$SUF:ifconfig_route.txt - - output -n "compare pre-openvpn ifconfig+route with current values..." 
- if diff $LOGDIR/$SUF:ifconfig_route_pre.txt \ - $LOGDIR/$SUF:ifconfig_route.txt >/dev/null - then - fail "no differences between ifconfig/route before OpenVPN start and now." - else - output " OK!\n" - fi - - # post init script needed? - if [ -n "$test_postinit" ]; then - output "running post-init cmd: '$test_postinit'" - eval $test_postinit - fi - - # expected ifconfig values in there? - check_ifconfig 4 "$expect_ifconfig4" - check_ifconfig 6 "$expect_ifconfig6" - - run_ping_tests 4 want_ok "$ping4_hosts" - run_ping_tests 6 want_ok "$ping6_hosts" - output "ping tests done.\n" - - output "stopping OpenVPN" - $RUN_SUDO $KILL_EXEC $opid - wait $! - rc=$? - if [ $rc != 0 ] ; then - fail "OpenVPN return code $rc, expect 0" - fi - - output "\nsave post-openvpn ifconfig + route..." - get_ifconfig_route >$LOGDIR/$SUF:ifconfig_route_post.txt - - output -n "compare pre- and post-openvpn ifconfig + route..." - if diff $LOGDIR/$SUF:ifconfig_route_pre.txt \ - $LOGDIR/$SUF:ifconfig_route_post.txt >$LOGDIR/$SUF:ifconfig_route_diff.txt - then - output " OK.\n" - else - output "\n\n" "`cat $LOGDIR/$SUF:ifconfig_route_diff.txt`" "\n" - fail "differences between pre- and post-ifconfig/route." - fi - if [ "$fail_count" = 0 ] ; then - output "test run $SUF: all tests OK.\n" - SUMMARY_OK="$SUMMARY_OK $SUF" - else - if [ "$V" -gt 0 ] ; then - echo -e -n "$outbuf" - echo -e "test run $SUF: $fail_count test failures. FAIL.\n" - fi - SUMMARY_FAIL="$SUMMARY_FAIL $SUF" - exit_code=30 - fi - - if [ -n "$test_cleanup" ]; then - echo -e "cleaning up: '$test_cleanup'" - eval $test_cleanup - fi - -done - -if [ -z "$SUMMARY_OK" ] ; then SUMMARY_OK=" none"; fi -if [ -z "$SUMMARY_FAIL" ] ; then SUMMARY_FAIL=" none"; fi -echo "Test sets succeeded:$SUMMARY_OK." -echo "Test sets failed:$SUMMARY_FAIL." 
- -# remove trap handler -trap - 0 1 2 3 15 -exit $exit_code diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openvpn-2.6.3/version.m4 new/openvpn-2.6.4/version.m4 --- old/openvpn-2.6.3/version.m4 2023-04-13 07:57:29.000000000 +0200 +++ new/openvpn-2.6.4/version.m4 2023-05-11 08:09:21.000000000 +0200 @@ -3,12 +3,12 @@ define([PRODUCT_TARNAME], [openvpn]) define([PRODUCT_VERSION_MAJOR], [2]) define([PRODUCT_VERSION_MINOR], [6]) -define([PRODUCT_VERSION_PATCH], [.3]) +define([PRODUCT_VERSION_PATCH], [.4]) m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MAJOR]) m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MINOR], [[.]]) m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_PATCH], [[]]) define([PRODUCT_BUGREPORT], [[email protected]]) -define([PRODUCT_VERSION_RESOURCE], [2,6,3,0]) +define([PRODUCT_VERSION_RESOURCE], [2,6,4,0]) dnl define the TAP version define([PRODUCT_TAP_WIN_COMPONENT_ID], [tap0901]) define([PRODUCT_TAP_WIN_MIN_MAJOR], [9]) ++++++ openvpn.keyring ++++++ ++++ 748 lines (skipped) ++++ between openvpn.keyring ++++ and /work/SRC/openSUSE:Factory/.openvpn.new.1533/openvpn.keyring
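Review bot: In the Makefile hunk at @@ -425,8 +423,10 @@, dist_noinst_SCRIPTS now lists t_cltsrv.sh, t_lpback.sh and t_net.sh by hand instead of expanding $(test_scripts), while TESTS = $(test_scripts) is unchanged, so a script added to test_scripts later will be run by the test target but silently left out of the distribution tarball unless this list is edited as well. Leaving t_client.sh out is consistent with the CONFIG_CLEAN_FILES = t_client.sh context line in the @@ -111,15 +111,13 @@ hunk, but the coupling between the two lists deserves a comment next to dist_noinst_SCRIPTS. These lines are automake output (DIST_COMMON, am__configure_deps), so the change should be reviewed and documented in Makefile.am rather than here.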
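Review bot: The deletion of tests/t_client.sh (@@ -1,463 +0,0 @@) removes a file that looks like configure output rather than source: get_ifconfig_route() tests `if [ -n "/usr/sbin/ip" ]`, which is always true, next to the comment "if configure got a path", and the ifconfig paths are absolute. Dropping a generated file from the tarball is reasonable, but this diff does not show the template it is produced from, so confirm that the template is present in the 2.6.4 tarball; otherwise the CONFIG_CLEAN_FILES entry has nothing to regenerate, and update_t_client_ips.sh, which is still distributed and whose only visible caller is the `--script-security 2 --up` line in this script, is dead weight. Whoever runs the regenerated script in a build environment should also note that it sources t_client.rc from the build or source directory and passes PREPARE_*, POSTINIT_CMD_* and CLEANUP_* through eval while openvpn is started via $RUN_SUDO, so that rc file must be writable only by the account that owns the test run.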
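Review bot: The openvpn.keyring change at the end of the mail appears only as "748 lines (skipped)", so the one file that decides which signatures are accepted for the new tarball cannot be reviewed from this log. The changes entry says only "Update openvpn.keyring"; it should state which keys were added or removed and why, and the reviewer should compare the fingerprints in the new keyring against those the upstream project publishes through a channel independent of the tarball before accepting the accompanying .asc file as verified.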
