Right.
config.h should be included in all C sources, never in a .h file; it is
also not protected against multiple includes.
Don't know why the polarssl had this, as syshead used to perform this
in the past so it should not have existed also in the past.

Thanks,
Alon.

On Thu, Jun 14, 2012 at 5:44 PM, Gert Doering <g...@greenie.muc.de> wrote:
> Hi,
>
> openvpn-devel in the current openwrt tree is broken, due to upstream
> breakage.
>
> For the record, it's built like this:
>
>  $ ./configure --target=mips-openwrt-linux --host=mips-openwrt-linux 
> --build=i686-pc-linux-gnu --program-prefix= --program-suffix= --prefix=/usr 
> --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin 
> --libexecdir=/usr/lib --sysconfdir=/etc --datadir=/usr/share 
> --localstatedir=/var --mandir=/usr/man --infodir=/usr/info --disable-nls 
> --enable-small --disable-selinux --disable-systemd --disable-plugins 
> --disable-debug --disable-eurephia --disable-pkcs11 --enable-lzo 
> --disable-crypto disable-x509-alt-username-ssl --enable-server 
> --disable-management --enable-socks --enable-http --enable-fragment 
> --enable-multihome --disable-iproute2 --enable-def-auth --enable-pf 
> --enable-ssl --enable-crypto --with-crypto-library=polarssl
>
> ... and the real breakage is the combination of --enable-pf,
> --disable-plugins, --disable-management and --with-crypto-library=polarssl.
>
> What this will do is:
>
>  - config.h defines ENABLE_PF
>
> /* Enable internal packet filter */
> #define ENABLE_PF 1
>
>  - syshead.h turns it off again
>
> #if defined(ENABLE_DEF_AUTH) && P2MP_SERVER && defined(ENABLE_MANAGEMENT)
> #define MANAGEMENT_DEF_AUTH
> #endif
> ...
> /*
>  * Enable packet filter?
>  */
> #if defined(ENABLE_PF) && P2MP_SERVER && defined(ENABLE_PLUGIN) && defined(HAVE_STAT)
> #define PLUGIN_PF
> #endif
> #if defined(ENABLE_PF) && P2MP_SERVER && defined(MANAGEMENT_DEF_AUTH)
> #define MANAGEMENT_PF
> #endif
> #if !defined(PLUGIN_PF) && !defined(MANAGEMENT_PF)
> #undef ENABLE_PF
> #endif
>
>  - so pf.c gets compiled into an empty pf.o module (all ok)
>
>  - now, init.c does more interesting things
>
>    - include "config.h" -> #define ENABLE_PF 1
>    - include "syshead.h" -> #undef ENABLE_PF
>    - include "init.h"
>        include "openvpn.h"
>           include "ssl.h"
>              include "ssl_backend.h"
>                 include "ssl_polarssl.h"
>                    include "config.h"  --> #define ENABLE_PF 1
>
>  - so init.c and multi.c get compiled with the function calls towards
>   pf.c, but pf.o is empty -> linker fails
>
> This cannot be triggered with --disable-pf, or OpenSSL (because ssl_openssl.h
> does not include config.h), or if either plugins or management are enabled.
>
>
> The quick fix is "remove config.h from ssl_polarssl.h" - because all .c
> modules right now include this anyway, as the first thing, including all
> SSL modules.  I would propose to do that right away (patch attached), but
> would like confirmation from Adriaan that I'm not overlooking anything.
>
> The "right" fix is manifold (and I think I'll agree with Alon here)
>
>  - stop calling our own include files many layers deep
>
>  - stop modifying config.h variables from sysdep.h - if we want to
>   override ENABLE_PF depending on other options, let's do it in
>   configure
>
>  - cleanup the amazing heap of #ifdefs in sysdep.h
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!
>                                                           //www.muc.de/~gert/
> Gert Doering - Munich, Germany                             g...@greenie.muc.de
> fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de
>
>
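
The include chain traced for init.c in the quoted message can be checked mechanically. The following is an added example, not part of the original thread or of OpenVPN's code: it flags headers that pull in config.h and lists every later expansion of config.h per translation unit. The contents of `TREE` are constructed stand-ins for the files named in the message, and the function names are hypothetical; it assumes, as the reply notes, that config.h has no include guard.

```python
import re

# Matches quoted includes only; <system> headers are ignored.
INCLUDE_RE = re.compile(r'^\s*#\s*include\s+"([^"]+)"', re.MULTILINE)

# Constructed miniature tree mirroring the chain in the message (not real OpenVPN sources).
TREE = {
    "config.h": "#define ENABLE_PF 1\n",
    "syshead.h": "#undef ENABLE_PF\n",
    "init.h": '#include "openvpn.h"\n',
    "openvpn.h": '#include "ssl.h"\n',
    "ssl.h": '#include "ssl_backend.h"\n',
    "ssl_backend.h": '#include "ssl_polarssl.h"\n',
    "ssl_polarssl.h": '#include "config.h"\n',
    "pf.h": "",
    "init.c": '#include "config.h"\n#include "syshead.h"\n#include "init.h"\n',
    "pf.c": '#include "config.h"\n#include "syshead.h"\n#include "pf.h"\n',
}

def direct_includes(tree, name):
    """Quoted includes of one file, in source order."""
    return INCLUDE_RE.findall(tree.get(name, ""))

def headers_including(tree, target="config.h"):
    """Headers that include `target` directly (the pattern the reply objects to)."""
    return sorted(n for n in tree
                  if n.endswith(".h") and target in direct_includes(tree, n))

def expansions(tree, unit, target="config.h"):
    """Every include path from `unit` to `target`, in preprocessor order."""
    found = []
    def walk(name, chain):
        for inc in direct_includes(tree, name):
            if inc in chain:          # guard against include cycles
                continue
            path = chain + [inc]
            if inc == target:
                found.append(path)
            walk(inc, path)
    walk(unit, [unit])
    return found

def reincludes(tree, unit, target="config.h"):
    """Expansions after the first: these re-run the #defines in `target`."""
    return expansions(tree, unit, target)[1:]

if __name__ == "__main__":
    print("headers including config.h:", headers_including(TREE))
    for unit in sorted(n for n in TREE if n.endswith(".c")):
        for path in reincludes(TREE, unit):
            print(unit, "re-expands config.h via", " -> ".join(path))
```
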
