Re: [Openvpn-devel] 2.3alpha1 fails on OS X when the --up argument contains more than an execution path

2012-03-08 Thread Jonathan K. Bullard
On Wed, Mar 7, 2012 at 9:10 AM, David Sommerseth wrote:
[skipped]
> > OpenVPN 2.3alpha1 fails when the argument to "--up" contains more
> > than an execution path. The problem also occurs for the "--down"
> > option and the new "--route-pre-down" option (and presumably any other
> > options that take more than just an execution path).
[skipped]

> Ouch!  I see that check_file_access() needs to strip out any arguments.
> It will now basically 'access("/private/tmp/test/up.sh -x")' ... which is
> a file which doesn't exist ... but if it tested for
> 'access("/private/tmp/test/up.sh")' it should find the file.
>
> However, it isn't as easy to just skip through the string and "terminate
> it" on the first space (0x20) value, as it might have been escaped.
> Which can make quite typical paths like this fail:
>
>   "C:\Program Files\OpenVPN\bin\up-script.bat"


Below is a patch to fix this problem.

It causes the affected options (--up, --down, etc.) to call a new
function for verification: check_cmd_access(). It is called with the
same calling sequence as check_file_access() so as to simplify things,
and it uses check_file_access() to check the file once the path for it
has been isolated. I wrote a new function so that (a) I wouldn't
disturb the existing function, and (b) it could be extended -- for
example, to check for any problems with any arguments that follow the
path to the functions (mismatched quotes, for example).

It's my first proposed patch for OpenVPN, so please examine it _very_
carefully. I've tested it only on OS X (and it works fine), but I don't
have a full debugging environment, so it was tested as a "black box"
using msg() calls to verify its behavior. I tried to conform to the
style I saw elsewhere in the source, but may have missed or
misunderstood something.

There are a couple of anomalies in the existing code that I have not dealt with:

1. --iproute also takes a "cmd" argument but the options.c code does
not call check_file_access() for it. (So I have not included it in
this patch.)

2. Although the man page [1] says most of the "cmd" arguments can be a
"shell command", that doesn't seem correct. On OS X, for example,
backslashes are discarded (not used to escape the next character) and
double-quotes can only be used at the start and end of an individual
argument in "cmd". The bash shell implements both of these (rendering
 abc"def"ghi.\ txt
as
 abcdefghi.txt
for example). This patch is very restrictive: it allows a "cmd" to be a
path (optionally enclosed in double-quotes), optionally followed by a
space, which may be followed by anything.

I would particularly like input on these lines in the new routine (but
of course all input is welcome):

ASSERT((path_size <= OPTION_PARM_SIZE) || (path_size > 0));
msg (M_NOPREFIX|M_OPTERR, "%s fails with '%s': param_size BAD: stop_char = '%c'; start_ix = %d; "
     "command = " ptr_format "; stop_ptr = " ptr_format "; path_size = %d; OPTION_PARAM_SIZE = %d",
     opt, command, stop_char, start_ix,
     (ptr_type) command, (ptr_type) stop_ptr, path_size, (int) OPTION_PARM_SIZE);
return true;

These lines test to make sure that OPTION_PARM_SIZE is reasonable. I
don't know your conventions, so I included both an assert and an error
message to be output before a failure return ("true" is a failure
indicator).

Let me know of any changes you'd like me to make.

- Jon Bullard

[1] http://openvpn.net/index.php/manuals/523-openvpn-23.html

===

--- openvpn/options.c   (revision 1964)
+++ openvpn/options.c   (working copy)
@@ -2656,6 +2656,72 @@
 }

 /*
+ * Check the command that comes after certain script options (e.g., --up).
+ *
+ * The command should consist of a path, which may be enclosed in
double-quotes, and may be
+ * optionally followed by a space which may be followed by arbitrary arguments.
+ *
+ * Once the path has been extracted from the command (if that is
necessary), check_file_access()
+ * is used to do the  sanity checking on it. The type, mode, and opt
arguments to this routine
+ * are the same as the corresponding check_file_access() arguments to
facilitate this.
+ */
+static bool
+check_cmd_access(const int type, const char *command, const int mode,
const char *opt)
+{
+  /* If no command configured, no errors to look for */
+  if (! command)
+return false;
+
+  /* Test for a quote as the first char of command
+ and for presence of a space in command */
+
+  int   start_ix  = 0;  /* Where the path starts within command
   (0 or 1) */
+  char  stop_char = '\000'; /* Character that terminates the path
within command (' ' or '"') */
+  char *stop_ptr  = NULL;   /* Pointer past end of path   (NULL
or points inside command) */
+
+  if (command[0] == '"')
+  {
+start_ix  = 1;
+stop_char = '"';
+stop_ptr  = strchr(command+1, '"');
+if (stop_ptr == NULL)
+{
+  msg (M_NOPREFIX|M_OPTERR, "%s fails with 
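
Review bot: in check_cmd_access(), start_ix, stop_char and stop_ptr are declared after the `if (! command) return false;` statement, which is a declaration after a statement and is rejected by a strict C89 build; move the three declarations to the top of the function body. stop_ptr also receives the result of strchr() on the const char *command argument, so declaring it `const char *` would keep the qualifier and prevent an accidental write into the option string.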
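
The path isolation described in the message above (a path, optionally in double quotes, optionally followed by a space and arguments), as an added stand-alone C example; it is not the posted patch and not OpenVPN code. The names extract_cmd_path() and check_cmd_path(), the 256-byte buffer and the rejection of text directly after a closing quote are assumptions of this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical result codes for this example. */
enum cmd_path_status {
    CMD_PATH_OK = 0,
    CMD_PATH_EMPTY,        /* NULL command or zero-length path */
    CMD_PATH_UNTERMINATED, /* opening '"' without a closing '"' */
    CMD_PATH_BAD_SUFFIX,   /* closing '"' not followed by ' ' or end of string */
    CMD_PATH_TOO_LONG      /* path does not fit in the caller's buffer */
};

/*
 * Copy the executable path at the start of `command` into `path`.
 * A quoted path ends at the next '"' and may contain spaces; an unquoted
 * path ends at the first space. No backslash escaping is interpreted,
 * so "C:\Program Files\..." style paths must be quoted.
 */
enum cmd_path_status
extract_cmd_path(const char *command, char *path, size_t path_size)
{
    const char *start;
    const char *stop;
    size_t len;

    if (command == NULL || path == NULL || path_size == 0)
        return CMD_PATH_EMPTY;

    if (command[0] == '"') {
        start = command + 1;
        stop = strchr(start, '"');
        if (stop == NULL)
            return CMD_PATH_UNTERMINATED;
        /* Assumption of this example: only ' ' or end may follow the quote. */
        if (stop[1] != '\0' && stop[1] != ' ')
            return CMD_PATH_BAD_SUFFIX;
    } else {
        start = command;
        stop = strchr(start, ' ');
        if (stop == NULL)
            stop = start + strlen(start);
    }

    len = (size_t)(stop - start);
    if (len == 0)
        return CMD_PATH_EMPTY;
    if (len >= path_size)      /* leave room for the terminating NUL */
        return CMD_PATH_TOO_LONG;

    memcpy(path, start, len);
    path[len] = '\0';
    return CMD_PATH_OK;
}

/* Returns 0 when the path was isolated and access() accepts it, else -1. */
int
check_cmd_path(const char *command, int mode)
{
    char path[256];

    if (extract_cmd_path(command, path, sizeof(path)) != CMD_PATH_OK)
        return -1;
    return access(path, mode) == 0 ? 0 : -1;
}

int
main(void)
{
    /* Constructed sample commands, modelled on the ones in the thread. */
    const char *samples[] = {
        "/private/tmp/test/up.sh -x",
        "\"C:\\Program Files\\OpenVPN\\bin\\up-script.bat\" arg1",
        "\"/tmp/no closing quote",
        "\"/tmp/up.sh\"-x",
    };
    char path[256];
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        enum cmd_path_status st =
            extract_cmd_path(samples[i], path, sizeof(path));
        if (st == CMD_PATH_OK)
            printf("%-55s -> path '%s'\n", samples[i], path);
        else
            printf("%-55s -> rejected (status %d)\n", samples[i], (int) st);
    }
    return 0;
}
```
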

Re: [Openvpn-devel] [PATCH 33/52] build: properly detect and use socket libs

2012-03-08 Thread Alon Bar-Lev
Although I work with flameeyes closely in some of these issues...

I disagree with his opinion here as generic approach.

He is right, as in most cases people just add libraries as they go in
the configure process...
So you check for dl, then rt, then resolv, then selinux etc...
building your LIBS.
The result is one long LIBS which is common to all executables.

I take another approach and detect dependencies as atoms.

Yes... if one day dl will be merged into libc we fail in this case,
but then we can fix.

For now this is working perfectly.

Alon.

2012/3/8 Samuli Seppänen :
> Did some digging regarding AC_SEARCH_LIBS and AC_CHECK_LIB. Somebody
> with more autotools knowledge might want to read this one:
>
> 
>
> So, the question is: why AC_CHECK_LIB rather than AC_SEARCH_LIBS in this
> particular case? Apparently both have their uses.
>
> --
> Samuli Seppänen
> Community Manager
> OpenVPN Technologies, Inc
>
> irc freenode net: mattock
>
>
>> Signed-off-by: Alon Bar-Lev 
>> ---
>>  configure.ac            |   27 +--
>>  src/openvpn/Makefile.am |    1 +
>>  2 files changed, 18 insertions(+), 10 deletions(-)
>>
>> diff --git a/configure.ac b/configure.ac
>> index a0dc462..c540f82 100644
>> --- a/configure.ac
>> +++ b/configure.ac
>> @@ -442,16 +442,6 @@ if test "${WIN32}" != "yes"; then
>>               [[${SOCKET_INCLUDES}]]
>>       )
>>
>> -     AC_CHECK_DECLS(
>> -             [SO_MARK],
>> -             ,
>> -             ,
>> -             [[${SOCKET_INCLUDES}]]
>> -     )
>> -
>> -     AC_SEARCH_LIBS([socket], [socket])
>> -     AC_SEARCH_LIBS([inet_ntoa], [nsl])
>> -     AC_SEARCH_LIBS([gethostbyname], [resolv nsl])
>>       AC_FUNC_FORK
>>  fi
>>
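Review bot: the block removed from the `if test "${WIN32}" != "yes"` branch also drops AC_CHECK_DECLS([SO_MARK], ...), which is unrelated to socket library detection and is not added back in the hunks shown; any code keyed on the resulting HAVE_DECL_SO_MARK define would be compiled out without a warning. Keep that check here, or move it in a separate patch with its own explanation.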
>> @@ -613,6 +603,23 @@ AC_CHECK_LIB(
>>  )
>>  AC_SUBST([DL_LIBS])
>>
>> +AC_CHECK_LIB(
>> +     [nsl],
>> +     [inet_ntoa],
>> +     [SOCKETS_LIBS="${SOCKETS_LIBS} -lnsl"]
>> +)
>> +AC_CHECK_LIB(
>> +     [socket],
>> +     [socket],
>> +     [SOCKETS_LIBS="${SOCKETS_LIBS} -lsocket"]
>> +)
>> +AC_CHECK_LIB(
>> +     [resolv],
>> +     [gethostbyname],
>> +     [SOCKETS_LIBS="${SOCKETS_LIBS} -lresolv"]
>> +)
>> +AC_SUBST([SOCKETS_LIBS])
>> +
>>  case "${with_mem_check}" in
>>       valgrind)
>>               AC_CHECK_HEADER(
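Review bot: the three added AC_CHECK_LIB calls append -lnsl, -lsocket and -lresolv to SOCKETS_LIBS whenever the library exists, whereas the AC_SEARCH_LIBS calls they replace first tried the function with no extra library and linked one only when it was needed; they also run on WIN32 now, outside the old `!= "yes"` guard. Consider AC_SEARCH_LIBS with LIBS saved and restored around it, so that SOCKETS_LIBS holds only what is actually required.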
>> diff --git a/src/openvpn/Makefile.am b/src/openvpn/Makefile.am
>> index c7626c8..86abd09 100644
>> --- a/src/openvpn/Makefile.am
>> +++ b/src/openvpn/Makefile.am
>> @@ -96,6 +96,7 @@ openvpn_SOURCES = \
>>       win32.h win32.c \
>>       cryptoapi.h cryptoapi.c
>>  openvpn_LDADD = \
>> +     $(SOCKETS_LIBS) \
>>       $(OPTIONAL_DL_LIBS)
>>  if WIN32
>>  openvpn_SOURCES += openvpn_win32_resources.rc
>



Re: [Openvpn-devel] [PATCH 31/52] build: autoconf: commands as environment

2012-03-08 Thread Alon Bar-Lev
Just like CPP, CC, CXX, LD, AR, PKG_CONFIG
Programs are expected to be in environment.
The autoconf detection gets/sets these in the environment too.

2012/3/8 Samuli Seppänen :
> So, this patch replaces (removes?) the "--with--path" configure 
> options with environment variables, right?  For example, if one has 
> "ifconfig" in a non-standard place, he can set the IFCONFIG environment 
> variable and the build will find it. Did I understand this correctly?
>
> I don't know autotools well enough to give this one an ACK at this point. 
> That said, the patch does clean up configure.ac a lot, and cleanups are 
> always nice :).
>
> --
> Samuli Seppänen
> Community Manager
> OpenVPN Technologies, Inc
>
> irc freenode net: mattock
>
>
>> Signed-off-by: Alon Bar-Lev 
>> ---
>>  configure.ac |   66 
>> -
>>  1 files changed, 28 insertions(+), 38 deletions(-)
>>
>> diff --git a/configure.ac b/configure.ac
>> index 6b5cf71..ed98464 100644
>> --- a/configure.ac
>> +++ b/configure.ac
>> @@ -267,37 +267,6 @@ AC_ARG_WITH(
>>  )
>>
>>  AC_ARG_WITH(
>> -     [ifconfig-path],
>> -     [AS_HELP_STRING([--with-ifconfig-path=PATH], [Path to ifconfig tool])],
>> -     [IFCONFIG="$withval"],
>> -     [AC_PATH_PROG([IFCONFIG], [ifconfig], [ifconfig], 
>> [$PATH:/usr/local/sbin:/usr/sbin:/sbin])]
>> -)
>> -AC_DEFINE_UNQUOTED([IFCONFIG_PATH], ["$IFCONFIG"], [Path to ifconfig tool])
>> -
>> -AC_ARG_WITH(
>> -     [iproute-path],
>> -     [AS_HELP_STRING([--with-iproute-path=PATH], [Path to iproute tool])],
>> -     [IPROUTE="$withval"],
>> -     [AC_PATH_PROG([IPROUTE], [ip], [ip], 
>> [$PATH:/usr/local/sbin:/usr/sbin:/sbin])]
>> -)
>> -AC_DEFINE_UNQUOTED([IPROUTE_PATH], ["$IPROUTE"], [Path to iproute tool])
>> -
>> -AC_ARG_WITH([route-path],
>> -   [AS_HELP_STRING([--with-route-path=PATH], [Path to route tool])],
>> -   [ROUTE="$withval"],
>> -   [AC_PATH_PROG([ROUTE], [route], [route], 
>> [$PATH:/usr/local/sbin:/usr/sbin:/sbin])]
>> -)
>> -AC_DEFINE_UNQUOTED([ROUTE_PATH], ["$ROUTE"], [Path to route tool])
>> -
>> -AC_ARG_WITH(
>> -     [netstat-path],
>> -     [AS_HELP_STRING([--with-netstat-path=PATH], [Path to netstat tool])],
>> -     [NETSTAT="$withval"],
>> -     [AC_PATH_PROG([NETSTAT], [netstat], [netstat], 
>> [$PATH:/usr/local/sbin:/usr/sbin:/sbin:/etc])]
>> -)
>> -AC_DEFINE_UNQUOTED([NETSTAT_PATH], ["$NETSTAT"], [Path to netstat tool])
>> -
>> -AC_ARG_WITH(
>>       [mem-check],
>>       [AS_HELP_STRING([--with-mem-check=TYPE], [build with debug memory 
>> checking, TYPE=dmalloc|valgrind|ssl])],
>>       [
>> @@ -370,6 +339,20 @@ AC_PROG_INSTALL
>>  AC_PROG_LN_S
>>  AC_PROG_MAKE_SET
>>
>> +AC_ARG_VAR([IFCONFIG], [full path to ipconfig utility])
>> +AC_ARG_VAR([ROUTE], [full path to route utility])
>> +AC_ARG_VAR([IPROUTE], [full path to ip utility])
>> +AC_ARG_VAR([NETSTAT], [path to netstat utility]) # tests
>> +AC_ARG_VAR([MAN2HTML], [path to man2html utility])
>> +AC_PATH_PROGS([IFCONFIG], [ifconfig],, 
>> [$PATH:/usr/local/sbin:/usr/sbin:/sbin])
>> +AC_PATH_PROGS([ROUTE], [route],, [$PATH:/usr/local/sbin:/usr/sbin:/sbin])
>> +AC_PATH_PROGS([IPROUTE], [ip],, [$PATH:/usr/local/sbin:/usr/sbin:/sbin])
>> +AC_CHECK_PROGS([NETSTAT], [netstat], [netstat], 
>> [$PATH:/usr/local/sbin:/usr/sbin:/sbin:/etc]) # tests
>> +AC_CHECK_PROGS([MAN2HTML], [man2html])
>> +AC_DEFINE_UNQUOTED([IFCONFIG_PATH], ["$IFCONFIG"], [Path to ifconfig tool])
>> +AC_DEFINE_UNQUOTED([IPROUTE_PATH], ["$IPROUTE"], [Path to iproute tool])
>> +AC_DEFINE_UNQUOTED([ROUTE_PATH], ["$ROUTE"], [Path to route tool])
>> +
>>  #
>>  # Libtool
>>  #
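Review bot: the help text in `AC_ARG_VAR([IFCONFIG], [full path to ipconfig utility])` says ipconfig where ifconfig is meant. In the same hunk the AC_PATH_PROGS calls pass an empty default where the removed AC_PATH_PROG calls fell back to the bare tool name, so IFCONFIG_PATH becomes an empty string when ifconfig is not found; make sure an empty IFCONFIG is rejected at configure time in the same way as ip and route.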
>> @@ -386,12 +369,6 @@ ifdef(
>>       ]
>>  )
>>
>> -if test "${WIN32}" = "yes"; then
>> -     AC_ARG_VAR([MAN2HTML], [man2html utility])
>> -     AC_CHECK_PROGS([MAN2HTML], [man2html])
>> -     test -z "${MAN2HTML}" && AC_MSG_ERROR([man2html is required for win32])
>> -fi
>> -
>>  AC_C_CONST
>>  AC_C_INLINE
>>  AC_C_VOLATILE
>> @@ -920,7 +897,16 @@ test "${enable_pf}" = "yes" && AC_DEFINE([ENABLE_PF], 
>> [1], [Enable internal pack
>>  test "${enable_strict_options}" = "yes" && 
>> AC_DEFINE([ENABLE_STRICT_OPTIONS_CHECK], [1], [Enable strict options check 
>> between peers])
>>  test "${enable_password_save}" = "yes" && AC_DEFINE([ENABLE_PASSWORD_SAVE], 
>> [1], [Allow --askpass and --auth-user-pass passwords to be read from a file])
>>  test "${enable_systemd}" = "yes" && AC_DEFINE([ENABLE_SYSTEMD], [1], 
>> [Enable systemd support])
>> -test "${enable_iproute2}" = "yes" && AC_DEFINE([ENABLE_IPROUTE], [1], 
>> [enable iproute2 support])
>> +
>> +if test "${enable_iproute2}" = "yes"; then
>> +     test -z "${IPROUTE}" && AC_MSG_ERROR([ip utility is required but 
>> missing])
>> +     AC_DEFINE([ENABLE_IPROUTE], [1], [enable iproute2 support])
>> +else
>> +     if test "${WIN32}" != "yes"; then
>> +             test -z "${ROUTE}" && AC_MSG_ERROR([route utility is required 
>> but missing])
>> +             test -z 

Re: [Openvpn-devel] [PATCH 35/52] build: proper selinux detection and usage

2012-03-08 Thread Alon Bar-Lev
I wrote this in the introduction of the patch set.

There are two approaches to detecting dependencies:

1. Detect all compile-time dependencies - you detect headers and
libraries; this is probably the safest way to go, but it makes the code
very complex.

2. Detect library only - you assume that if the library is present, the
functionality exists, which is what is important... no need to check for
the header, most probably it exists as well. This makes the code
simpler, at the risk of compile failure if the header is missing.

In all projects I wrote the build for (opensc, uswsusp, ntfs3g, ecryptfs)
we took the 2nd approach, and it is fine.

Alon.

2012/3/8 Samuli Seppänen :
> Looks like a cleaner implementation than the earlier one. I take it 
> AC_CHECK_HEADER is not anymore needed to detect selinux.h, but why exactly?
>
> Besides that I give this one an ACK.
>
> --
> Samuli Seppänen
> Community Manager
> OpenVPN Technologies, Inc
>
> irc freenode net: mattock
>
>> Signed-off-by: Alon Bar-Lev 
>> ---
>>  configure.ac            |   35 +++
>>  src/openvpn/Makefile.am |    1 +
>>  src/openvpn/init.c      |    4 ++--
>>  src/openvpn/options.c   |    6 +++---
>>  src/openvpn/options.h   |    2 +-
>>  src/openvpn/syshead.h   |    2 +-
>>  6 files changed, 23 insertions(+), 27 deletions(-)
>>
>> diff --git a/configure.ac b/configure.ac
>> index 98615c6..2388f17 100644
>> --- a/configure.ac
>> +++ b/configure.ac
>> @@ -215,7 +215,7 @@ AC_ARG_ENABLE(
>>
>>  AC_ARG_ENABLE(
>>       [selinux],
>> -     [AS_HELP_STRING([--disable-selinux], [disable SELinux support])],
>> +     [AS_HELP_STRING([--enable-selinux], [enable SELinux support])],
>>       ,
>>       [enable_selinux="no"]
>>  )
>> @@ -619,6 +619,13 @@ AC_CHECK_LIB(
>>  )
>>  AC_SUBST([SOCKETS_LIBS])
>>
>> +AC_CHECK_LIB(
>> +     [selinux],
>> +     [setcon],
>> +     [SELINUX_LIBS="-lselinux"]
>> +)
>> +AC_SUBST([SELINUX_LIBS])
>> +
>>  case "${with_mem_check}" in
>>       valgrind)
>>               AC_CHECK_HEADER(
>> @@ -826,25 +833,6 @@ if test "${enable_crypto}" = "yes"; then
>>     fi
>>  fi
>>
>> -dnl
>> -dnl check for SELinux library and headers
>> -dnl
>> -if test "${enable_selinux}" = "yes"; then
>> -     AC_CHECK_HEADER(
>> -             [selinux/selinux.h],
>> -             [AC_CHECK_LIB(
>> -                     [selinux],
>> -                     [setcon],
>> -                     [
>> -                             LIBS="${LIBS} -lselinux"
>> -                             AC_DEFINE(HAVE_SETCON, 1, [SELinux support])
>> -                     ],
>> -                     [AC_MSG_RESULT([SELinux library not found.])]
>> -             )],
>> -             [AC_MSG_ERROR([SELinux headers not found.])]
>> -     )
>> -fi
>> -
>>  if test -n "${SP_PLATFORM_WINDOWS}"; then
>>       AC_DEFINE_UNQUOTED([PATH_SEPARATOR], [''], [Path separator]) #"
>>       AC_DEFINE_UNQUOTED([PATH_SEPARATOR_STR], [""], [Path separator]) #"
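Review bot: with the AC_CHECK_HEADER([selinux/selinux.h]) test removed in this hunk, --enable-selinux passes configure on a host that has libselinux but not its headers and then fails during compilation. Keeping a header check inside the `enable_selinux = yes` branch would report that at configure time with a clear message.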
>> @@ -896,6 +884,12 @@ else
>>       fi
>>  fi
>>
>> +if test "${enable_selinux}" = "yes"; then
>> +     test -z "${SELINUX_LIBS}" && AC_MSG_ERROR([libselinux required but 
>> missing])
>> +     OPTIONAL_SELINUX_LIBS="${SELINUX_LIBS}"
>> +     AC_DEFINE([ENABLE_SELINUX], [1], [SELinux support])
>> +fi
>> +
>>  if test "${enable_pedantic}" = "yes"; then
>>       enable_strict="yes"
>>       CFLAGS="${CFLAGS} -ansi -pedantic"
>> @@ -922,6 +916,7 @@ AC_SUBST([TAP_WIN_MIN_MAJOR])
>>  AC_SUBST([TAP_WIN_MIN_MINOR])
>>
>>  AC_SUBST([OPTIONAL_DL_LIBS])
>> +AC_SUBST([OPTIONAL_SELINUX_LIBS])
>>
>>  AM_CONDITIONAL([WIN32], [test "${WIN32}" = "yes"])
>>
>> diff --git a/src/openvpn/Makefile.am b/src/openvpn/Makefile.am
>> index 86abd09..a3f8b3a 100644
>> --- a/src/openvpn/Makefile.am
>> +++ b/src/openvpn/Makefile.am
>> @@ -97,6 +97,7 @@ openvpn_SOURCES = \
>>       cryptoapi.h cryptoapi.c
>>  openvpn_LDADD = \
>>       $(SOCKETS_LIBS) \
>> +     $(OPTIONAL_SELINUX_LIBS) \
>>       $(OPTIONAL_DL_LIBS)
>>  if WIN32
>>  openvpn_SOURCES += openvpn_win32_resources.rc
>> diff --git a/src/openvpn/init.c b/src/openvpn/init.c
>> index b8f57b2..0c995ff 100644
>> --- a/src/openvpn/init.c
>> +++ b/src/openvpn/init.c
>> @@ -1038,7 +1038,7 @@ do_uid_gid_chroot (struct context *c, bool no_delay)
>>       mstats_open(c->options.memstats_fn);
>>  #endif
>>
>> -#ifdef HAVE_SETCON
>> +#ifdef ENABLE_SELINUX
>>        /* Apply a SELinux context in order to restrict what OpenVPN can do
>>         * to _only_ what it is supposed to do after initialization is 
>> complete
>>         * (basically just network I/O operations). Doing it after chroot
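Review bot: the guard here moves from HAVE_SETCON to ENABLE_SELINUX while the configure.ac part of this patch removes the AC_DEFINE of HAVE_SETCON, so any `#ifdef HAVE_SETCON` left elsewhere in the tree compiles out the SELinux context code without an error. Grep for HAVE_SETCON across src/ before applying, since a missed guard means the process keeps running without the restricted context.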
>> @@ -2465,7 +2465,7 @@ do_option_warnings (struct context *c)
>>      msg (M_WARN, "WARNING: --ping should normally be used with 
>> --ping-restart or --ping-exit");
>>
>>    if (o->username || o->groupname || o->chroot_dir
>> -#ifdef HAVE_SETCON
>> +#ifdef ENABLE_SELINUX
>>        || o->selinux_context
>>  #endif
>>        )
>> diff --git a/src/openvpn/options.c 

Re: [Openvpn-devel] [PATCH 41/52] build: autoconf: update defaults for options

2012-03-08 Thread Alon Bar-Lev
Yes. You cannot put '[' or ']' in m4.

2012/3/8 Samuli Seppänen :
> I'd rather not RTFM... could somebody explain to me what the funky
> "@<:@default=no@:>@" thing exactly does? Does it just add the default
> "enabled/disabled" value to the help strings?
>
> If so it's an ACK.
>
> --
> Samuli Seppänen
> Community Manager
> OpenVPN Technologies, Inc
>
> irc freenode net: mattock
>
>
>> Signed-off-by: Alon Bar-Lev 
>> ---
>>  configure.ac |   56 
>>  1 files changed, 28 insertions(+), 28 deletions(-)
>>
>> diff --git a/configure.ac b/configure.ac
>> index 57d294d..9ffcc68 100644
>> --- a/configure.ac
>> +++ b/configure.ac
>> @@ -41,195 +41,195 @@ AC_USE_SYSTEM_EXTENSIONS
>>
>>  AC_ARG_ENABLE(
>>         [lzo],
>> -       [AS_HELP_STRING([--enable-lzo], [enable LZO compression support])],
>> +       [AS_HELP_STRING([--enable-lzo], [enable LZO compression support 
>> @<:@default=no@:>@])],
>>         ,
>>         [enable_lzo="no"]
>>  )
>>
>>  AC_ARG_ENABLE(
>>         [lzo-stub],
>> -       [AS_HELP_STRING([--enable-lzo-stub], [don't compile LZO compression 
>> support but still allow limited interoperability with LZO-enabled peers])],
>> +       [AS_HELP_STRING([--enable-lzo-stub], [don't compile LZO compression 
>> support but still allow limited interoperability with LZO-enabled peers 
>> @<:@default=no@:>@])],
>>         ,
>>         [enable_lzo_stub="no"]
>>  )
>>
>>  AC_ARG_ENABLE(
>>         [crypto],
>> -       [AS_HELP_STRING([--disable-crypto], [disable crypto support])],
>> +       [AS_HELP_STRING([--disable-crypto], [disable crypto support 
>> @<:@default=yes@:>@])],
>>         ,
>>         [enable_crypto="yes"]
>>  )
>>
>>  AC_ARG_ENABLE(
>>         [ssl],
>> -       [AS_HELP_STRING([--disable-ssl], [disable SSL support for TLS-based 
>> key exchange])],
>> +       [AS_HELP_STRING([--disable-ssl], [disable SSL support for TLS-based 
>> key exchange @<:@default=yes@:>@])],
>>         ,
>>         [enable_ssl="yes"]
>>  )
>>
>>  AC_ARG_ENABLE(
>>         [x509-alt-username],
>> -       [AS_HELP_STRING([--enable-x509-alt-username], [enable the 
>> --x509-username-field feature])],
>> +       [AS_HELP_STRING([--enable-x509-alt-username], [enable the 
>> --x509-username-field feature @<:@default=no@:>@])],
>>         ,
>>         [enable_x509_alt_username="no"]
>>  )
>>
>>  AC_ARG_ENABLE(
>>         [multi],
>> -       [AS_HELP_STRING([--disable-multi], [disable client/server support 
>> (--mode server + client mode)])],
>> +       [AS_HELP_STRING([--disable-multi], [disable client/server support 
>> (--mode server + client mode) @<:@default=yes@:>@])],
>>         ,
>>         [enable_multi="yes"]
>>  )
>>
>>  AC_ARG_ENABLE(
>>         [server],
>> -       [AS_HELP_STRING([--disable-server], [disable server support only 
>> (but retain client support)])],
>> +       [AS_HELP_STRING([--disable-server], [disable server support only 
>> (but retain client support) @<:@default=yes@:>@])],
>>         ,
>>         [enable_server="yes"]
>>  )
>>
>>  AC_ARG_ENABLE(
>>         [plugins],
>> -       [AS_HELP_STRING([--disable-plugins], [disable plug-in support])],
>> +       [AS_HELP_STRING([--disable-plugins], [disable plug-in support 
>> @<:@default=yes@:>@])],
>>         ,
>>         [enable_plugins="yes"]
>>  )
>>
>>  AC_ARG_ENABLE(
>>         [eurephia],
>> -       [AS_HELP_STRING([--disable-eurephia], [disable support for the 
>> eurephia plug-in])],
>> +       [AS_HELP_STRING([--disable-eurephia], [disable support for the 
>> eurephia plug-in @<:@default=yes@:>@])],
>>         ,
>>         [enable_eurephia="yes"]
>>  )
>>
>>  AC_ARG_ENABLE(
>>         [management],
>> -       [AS_HELP_STRING([--disable-management], [disable management server 
>> support])],
>> +       [AS_HELP_STRING([--disable-management], [disable management server 
>> support @<:@default=yes@:>@])],
>>         ,
>>         [enable_management="yes"]
>>  )
>>
>>  AC_ARG_ENABLE(
>>         [pkcs11],
>> -       [AS_HELP_STRING([--enable-pkcs11], [enable pkcs11 support])],
>> +       [AS_HELP_STRING([--enable-pkcs11], [enable pkcs11 support 
>> @<:@default=no@:>@])],
>>         ,
>>         [enable_pkcs11="no"]
>>  )
>>
>>  AC_ARG_ENABLE(
>>         [socks],
>> -       [AS_HELP_STRING([--disable-socks], [disable Socks support])],
>> +       [AS_HELP_STRING([--disable-socks], [disable Socks support 
>> @<:@default=yes@:>@])],
>>         ,
>>         [enable_socks="yes"]
>>  )
>>
>>  AC_ARG_ENABLE(
>>         [http-proxy],
>> -       [AS_HELP_STRING([--disable-http-proxy], [disable HTTP proxy 
>> support])],
>> +       [AS_HELP_STRING([--disable-http-proxy], [disable HTTP proxy support 
>> @<:@default=yes@:>@])],
>>         ,
>>         [enable_http_proxy="yes"]
>>  )
>>
>>  AC_ARG_ENABLE(
>>         [fragment],
>> -       [AS_HELP_STRING([--disable-fragment], [disable internal 
>> fragmentation support (--fragment)])],
>> +       

Re: [Openvpn-devel] [PATCH 47/52] build: move inet_ntop(), inet_pton() emulation into compat

2012-03-08 Thread Alon Bar-Lev
Not exactly... windows has this in Vista and above.
As long as we need to support XP we need to implement replacement functionality.

2012/3/8 Samuli Seppänen :
> Windows has this functionality, but not under the same function names as
> UNIX. So these two are just wrappers around the Windows-specific
> functionality. In any case, I think it makes sense to move inet_pton and
> inet_ntop under src/compat. The actual code changes seem fairly trivial.
>
> ACK.
>
> --
> Samuli Seppänen
> Community Manager
> OpenVPN Technologies, Inc
>
> irc freenode net: mattock
>
>
> PS. These links should cover the basic idea, in case somebody is interested:
>
> 
> 
>> Signed-off-by: Alon Bar-Lev 
>> ---
>>  configure.ac  I recall many issues with inet_ntop and inet_pton.
>>
>>                 |    2 +-
>>  src/compat/Makefile.am        |    4 ++-
>>  src/compat/compat-inet_ntop.c |   76 +++
>>  src/compat/compat-inet_pton.c |   79 
>> +
>>  src/compat/compat.h           |   17 -
>>  src/compat/compat.vcproj      |    8 
>>  src/openvpn/socket.c          |   55 
>>  src/openvpn/win32.h           |    6 ---
>>  8 files changed, 183 insertions(+), 64 deletions(-)
>>  create mode 100644 src/compat/compat-inet_ntop.c
>>  create mode 100644 src/compat/compat-inet_pton.c
>>
>> diff --git a/configure.ac b/configure.ac
>> index dc138ba..d53a74a 100644
>> --- a/configure.ac
>> +++ b/configure.ac
>> @@ -522,7 +522,7 @@ AC_CHECK_FUNCS([ \
>>         chsize ftruncate execve getpeereid umask basename dirname access \
>>         epoll_create \
>>  ])
>> -AC_CHECK_FUNCS([sendmsg recvmsg])
>> +AC_CHECK_FUNCS([sendmsg recvmsg inet_ntop inet_pton])
>>  AC_CHECK_FUNCS(
>>         [res_init],
>>         ,
>> diff --git a/src/compat/Makefile.am b/src/compat/Makefile.am
>> index c8a92ce..91b7f40 100644
>> --- a/src/compat/Makefile.am
>> +++ b/src/compat/Makefile.am
>> @@ -22,4 +22,6 @@ libcompat_la_SOURCES = \
>>         compat-dirname.c \
>>         compat-basename.c \
>>         compat-gettimeofday.c \
>> -       compat-daemon.c
>> +       compat-daemon.c \
>> +       compat-inet_ntop.c \
>> +       compat-inet_pton.c
>> diff --git a/src/compat/compat-inet_ntop.c b/src/compat/compat-inet_ntop.c
>> new file mode 100644
>> index 000..0d52142
>> --- /dev/null
>> +++ b/src/compat/compat-inet_ntop.c
>> @@ -0,0 +1,76 @@
>> +/*
>> + *  OpenVPN -- An application to securely tunnel IP networks
>> + *             over a single UDP port, with support for SSL/TLS-based
>> + *             session authentication and key exchange,
>> + *             packet encryption, packet authentication, and
>> + *             packet compression.
>> + *
>> + *  Copyright (C) 2011 - David Sommerseth 
>> + *
>> + *  This program is free software; you can redistribute it and/or modify
>> + *  it under the terms of the GNU General Public License version 2
>> + *  as published by the Free Software Foundation.
>> + *
>> + *  This program is distributed in the hope that it will be useful,
>> + *  but WITHOUT ANY WARRANTY; without even the implied warranty of
>> + *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
>> + *  GNU General Public License for more details.
>> + *
>> + *  You should have received a copy of the GNU General Public License
>> + *  along with this program (see the file COPYING included with this
>> + *  distribution); if not, write to the Free Software Foundation, Inc.,
>> + *  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
>> + */
>> +
>> +#ifdef HAVE_CONFIG_H
>> +#include "config.h"
>> +#elif defined(_MSC_VER)
>> +#include "config-msvc.h"
>> +#endif
>> +
>> +#ifndef HAVE_INET_NTOP
>> +
>> +#include "compat.h"
>> +
>> +#ifdef WIN32
>> +
>> +#include 
>> +
>> +/*
>> + * inet_ntop() and inet_pton() wrap-implementations using
>> + * WSAAddressToString() and WSAStringToAddress() functions
>> + *
>> + * this is needed as long as we support running OpenVPN on WinXP
>> + */
>> +
>> +const char *
>> +inet_ntop(int af, const void *src, char *dst, socklen_t size)
>> +{
>> +  struct sockaddr_storage ss;
>> +  unsigned long s = size;
>> +
>> +  ZeroMemory(, sizeof(ss));
>> +  ss.ss_family = af;
>> +
>> +  switch(af) {
>> +    case AF_INET:
>> +      ((struct sockaddr_in *))->sin_addr = *(struct in_addr *)src;
>> +      break;
>> +    case AF_INET6:
>> +      ((struct sockaddr_in6 *))->sin6_addr = *(struct in6_addr *)src;
>> +      break;
>> +    default:
>> +      return NULL;
>> +  }
>> +  /* cannot direclty use  because of strict aliasing rules */
>> +  return (WSAAddressToString((struct sockaddr *), sizeof(ss), NULL, dst, 
>> ) == 0)?
>> +          dst : NULL;
>> +}
>> +
>> 
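Review bot: in inet_ntop(), the `default:` branch returns NULL without setting errno, and a WSAAddressToString() failure is returned as NULL in the same way, so callers cannot tell an unsupported address family from a dst buffer that is too small, as they can with the native function (EAFNOSUPPORT, ENOSPC). Setting errno on both paths would keep the wrapper a drop-in replacement.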

Re: [Openvpn-devel] [PATCH 49/52] build: move wrappers into platform module

2012-03-08 Thread Alon Bar-Lev
Well, at first I wanted to split it into its own libplatform distinct
from libcompat.

libcompat - emulation of missing library functions, drop-in replacement.
libplatform - extensions to library functions, such as unicode or
security additions.

But then I've seen that there is too much openvpn specific logic,
especially in log messages. So I left what I would have placed in
libplatform in platform.c for now.

After this round we should consider if we want to progress in this.

One missing part is the exec wrappers, which need some work before
moving to platform.

Alon.

2012/3/8 Samuli Seppänen :
> This probably makes sense, lots of good refactorings. That said, I'd
> like to know how you selected what goes to platform.c?
>
> --
> Samuli Seppänen
> Community Manager
> OpenVPN Technologies, Inc
>
> irc freenode net: mattock
>
>
>> + Some fixups within the platform.c functions.
>> - need to check environment set on Windows.
>>
>> Signed-off-by: Alon Bar-Lev 
>> ---
>>  src/openvpn/Makefile.am    |    1 +
>>  src/openvpn/buffer.c       |    2 +-
>>  src/openvpn/crypto.c       |    6 +-
>>  src/openvpn/error.c        |    2 +-
>>  src/openvpn/init.c         |   18 +-
>>  src/openvpn/manage.c       |   16 +-
>>  src/openvpn/misc.c         |  295 ++--
>>  src/openvpn/misc.h         |  106 +-
>>  src/openvpn/mstats.c       |    2 +-
>>  src/openvpn/multi.c        |    2 +-
>>  src/openvpn/openvpn.h      |    4 +-
>>  src/openvpn/openvpn.vcproj |    8 +
>>  src/openvpn/options.c      |   14 +-
>>  src/openvpn/packet_id.c    |    2 +-
>>  src/openvpn/pf.c           |    6 +-
>>  src/openvpn/platform.c     |  369 
>> 
>>  src/openvpn/platform.h     |  142 +
>>  src/openvpn/ps.c           |    2 +-
>>  src/openvpn/ssl_openssl.c  |    2 +-
>>  src/openvpn/ssl_verify.c   |    8 +-
>>  src/openvpn/status.c       |    6 +-
>>  src/openvpn/tun.c          |   12 +-
>>  src/openvpn/win32.c        |   27 
>>  23 files changed, 584 insertions(+), 468 deletions(-)
>>  create mode 100644 src/openvpn/platform.c
>>  create mode 100644 src/openvpn/platform.h
>>
>> diff --git a/src/openvpn/Makefile.am b/src/openvpn/Makefile.am
>> index 333eebc..6ba12b8 100644
>> --- a/src/openvpn/Makefile.am
>> +++ b/src/openvpn/Makefile.am
>> @@ -58,6 +58,7 @@ openvpn_SOURCES = \
>>         mbuf.c mbuf.h \
>>         memdbg.h \
>>         misc.c misc.h \
>> +       platform.c platform.h \
>>         console.c console.h \
>>         mroute.c mroute.h \
>>         mss.c mss.h \
>> diff --git a/src/openvpn/buffer.c b/src/openvpn/buffer.c
>> index ad30223..5eee3ee 100644
>> --- a/src/openvpn/buffer.c
>> +++ b/src/openvpn/buffer.c
>> @@ -1080,7 +1080,7 @@ buffer_list_advance (struct buffer_list *ol, int n)
>>  struct buffer_list *
>>  buffer_list_file (const char *fn, int max_line_len)
>>  {
>> -  FILE *fp = openvpn_fopen (fn, "r");
>> +  FILE *fp = platform_fopen (fn, "r");
>>    struct buffer_list *bl = NULL;
>>
>>    if (fp)
>> diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
>> index 2e2e5d7..f811966 100644
>> --- a/src/openvpn/crypto.c
>> +++ b/src/openvpn/crypto.c
>> @@ -868,7 +868,7 @@ read_key_file (struct key2 *key2, const char *file, 
>> const unsigned int flags)
>>  #endif
>>      {
>>        in = alloc_buf_gc (2048, );
>> -      fd = openvpn_open (file, O_RDONLY, 0);
>> +      fd = platform_open (file, O_RDONLY, 0);
>>        if (fd == -1)
>>         msg (M_ERR, "Cannot open file key file '%s'", file);
>>        size = read (fd, in.data, in.capacity);
>> @@ -1029,7 +1029,7 @@ read_passphrase_hash (const char *passphrase_file,
>>      const int min_passphrase_size = 8;
>>      uint8_t buf[64];
>>      int total_size = 0;
>> -    int fd = openvpn_open (passphrase_file, O_RDONLY, 0);
>> +    int fd = platform_open (passphrase_file, O_RDONLY, 0);
>>
>>      if (fd == -1)
>>        msg (M_ERR, "Cannot open passphrase file: '%s'", passphrase_file);
>> @@ -1079,7 +1079,7 @@ write_key_file (const int nkeys, const char *filename)
>>    const int bytes_per_line = 16;
>>
>>    /* open key file */
>> -  fd = openvpn_open (filename, O_CREAT | O_TRUNC | O_WRONLY, S_IRUSR | 
>> S_IWUSR);
>> +  fd = platform_open (filename, O_CREAT | O_TRUNC | O_WRONLY, S_IRUSR | 
>> S_IWUSR);
>>
>>    if (fd == -1)
>>      msg (M_ERR, "Cannot open shared secret file '%s' for write", filename);
>> diff --git a/src/openvpn/error.c b/src/openvpn/error.c
>> index 1f2dd86..d6ad639 100644
>> --- a/src/openvpn/error.c
>> +++ b/src/openvpn/error.c
>> @@ -640,7 +640,7 @@ x_check_status (int status,
>>                  my_errno);
>>
>>           if (x_cs_err_delay_ms)
>> -           sleep_milliseconds (x_cs_err_delay_ms);
>> +           platform_sleep_milliseconds (x_cs_err_delay_ms);
>>         }
>>        gc_free ();
>>      }
>> diff --git a/src/openvpn/init.c b/src/openvpn/init.c
>> index bba3cf8..bc7718e 100644
>> --- 

Re: [Openvpn-devel] [PATCH 46/52] build: move daemon() emulation into compat

2012-03-08 Thread Alon Bar-Lev
daemon is gnu specific:
---
CONFORMING TO
   Not in POSIX.1-2001.  A similar function appears on the BSDs.
   The daemon() function first appeared in 4.4BSD.
---

Solaris, uclibc and others do not have it.

2012/3/8 Samuli Seppänen :
> Which platforms need daemon() emulation? Only Windows?
>
> I think it makes sense to isolate OS compatibility functions to files
> under src/compat. Better than having them in misc.c. Also, I can't see
> any obvious issues with the patch, code-wise.
>
> ACK.
>
> --
> Samuli Seppänen
> Community Manager
> OpenVPN Technologies, Inc
>
> irc freenode net: mattock
>
>
>> Signed-off-by: Alon Bar-Lev 
>> ---
>>  src/compat/Makefile.am     |    3 +-
>>  src/compat/compat-daemon.c |  100 
>> 
>>  src/compat/compat.h        |    4 ++
>>  src/compat/compat.vcproj   |    4 ++
>>  src/openvpn/init.c         |    2 +-
>>  src/openvpn/misc.c         |   32 --
>>  src/openvpn/misc.h         |    4 --
>>  7 files changed, 111 insertions(+), 38 deletions(-)
>>  create mode 100644 src/compat/compat-daemon.c
>>
>> diff --git a/src/compat/Makefile.am b/src/compat/Makefile.am
>> index 5e9db5f..c8a92ce 100644
>> --- a/src/compat/Makefile.am
>> +++ b/src/compat/Makefile.am
>> @@ -21,4 +21,5 @@ libcompat_la_SOURCES = \
>>       compat.h \
>>       compat-dirname.c \
>>       compat-basename.c \
>> -     compat-gettimeofday.c
>> +     compat-gettimeofday.c \
>> +     compat-daemon.c
>> diff --git a/src/compat/compat-daemon.c b/src/compat/compat-daemon.c
>> new file mode 100644
>> index 000..dde96a2
>> --- /dev/null
>> +++ b/src/compat/compat-daemon.c
>> @@ -0,0 +1,100 @@
>> +/*
>> + *  OpenVPN -- An application to securely tunnel IP networks
>> + *             over a single UDP port, with support for SSL/TLS-based
>> + *             session authentication and key exchange,
>> + *             packet encryption, packet authentication, and
>> + *             packet compression.
>> + *
>> + *  Copyright (C) 2011 - David Sommerseth 
>> + *
>> + *  This program is free software; you can redistribute it and/or modify
>> + *  it under the terms of the GNU General Public License version 2
>> + *  as published by the Free Software Foundation.
>> + *
>> + *  This program is distributed in the hope that it will be useful,
>> + *  but WITHOUT ANY WARRANTY; without even the implied warranty of
>> + *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
>> + *  GNU General Public License for more details.
>> + *
>> + *  You should have received a copy of the GNU General Public License
>> + *  along with this program (see the file COPYING included with this
>> + *  distribution); if not, write to the Free Software Foundation, Inc.,
>> + *  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
>> + */
>> +
>> +#ifdef HAVE_CONFIG_H
>> +#include "config.h"
>> +#elif defined(_MSC_VER)
>> +#include "config-msvc.h"
>> +#endif
>> +
>> +#ifndef HAVE_DAEMON
>> +
>> +#ifdef HAVE_UNISTD_H
>> +#include 
>> +#endif
>> +
>> +#ifdef HAVE_STDLIB_H
>> +#include 
>> +#endif
>> +
>> +#ifdef HAVE_SYS_TYPES_H
>> +#include 
>> +#endif
>> +
>> +#ifdef HAVE_SYS_STAT_H
>> +#include 
>> +#endif
>> +
>> +#ifdef HAVE_FCNTL_H
>> +#include 
>> +#endif
>> +
>> +#ifdef HAVE_ERRNO_H
>> +#include 
>> +#endif
>> +
>> +int
>> +daemon(int nochdir, int noclose)
>> +{
>> +#if defined(HAVE_FORK) && defined(HAVE_SETSID)
>> +     switch (fork()) {
>> +             case -1:
>> +                     return (-1);
>> +             case 0:
>> +             break;
>> +             default:
>> +                     exit(0);
>> +     }
>> +
>> +     if (setsid() == -1)
>> +             return (-1);
>> +
>> +     if (!nochdir)
>> +             chdir("/");
>> +
>> +     if (!noclose) {
>> +#if defined(HAVE_DUP) && defined(HAVE_DUP2)
>> +             int fd;
>> +             if ((fd = open ("/dev/null", O_RDWR, 0)) != -1) {
>> +                     dup2 (fd, 0);
>> +                     dup2 (fd, 1);
>> +                     dup2 (fd, 2);
>> +                     if (fd > 2) {
>> +                             close (fd);
>> +                     }
>> +             }
>> +#endif
>> +     }
>> +
>> +     return 0;
>> +#else
>> +     (void)nochdir;
>> +     (void)noclose;
>> +     errno = EFAULT;
>> +     return -1;
>> +#endif
>> +}
>> +
>> +#endif
>> +
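Review bot: In daemon(), the noclose branch treats a failed open of /dev/null as success: when open() returns -1 the function still returns 0 with the original stdin, stdout and stderr attached, and the dup2() results and the chdir("/") result are ignored as well. Return -1 when one of these calls fails so the caller can tell that the process was not fully detached. Two smaller points: the #else stub sets errno = EFAULT, where ENOSYS describes an unimplemented call more accurately, and the break under case 0 is indented differently from the other cases in the switch.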
>> diff --git a/src/compat/compat.h b/src/compat/compat.h
>> index 3f9ac31..e9d51b8 100644
>> --- a/src/compat/compat.h
>> +++ b/src/compat/compat.h
>> @@ -46,4 +46,8 @@ char * basename(char *str);
>>  int gettimeofday (struct timeval *tv, void *tz);
>>  #endif
>>
>> +#ifndef HAVE_DAEMON
>> +int daemon(int nochdir, int noclose);
>> +#endif
>> +
>>  #endif /* COMPAT_H */
>> diff --git a/src/compat/compat.vcproj b/src/compat/compat.vcproj
>> index 235163c..efdecb4 100644
>> --- a/src/compat/compat.vcproj
>> +++ b/src/compat/compat.vcproj
>> @@ -162,6 +162,10 @@
>>                    

Re: [Openvpn-devel] [PATCH 50/52] build: windows: install version.sh to allow installer read version

2012-03-08 Thread Alon Bar-Lev
Not exactly.
It is used[1] by the packaging script... just sourced to get some
environment variables.

[1] https://github.com/alonbl/openvpn-build/blob/master/windows-nsis/build#L55

2012/3/8 Samuli Seppänen :
> Is this meant to allow using these variables[1] in the NSIS script(s)?
>
> --
> Samuli Seppänen
> Community Manager
> OpenVPN Technologies, Inc
>
> irc freenode net: mattock
>
> [1]
>
> OPENVPN_PACKAGE_NAME="@PACKAGE_NAME@"
> OPENVPN_PACKAGE_TARNAME="@PACKAGE_TARNAME@"
> OPENVPN_PACKAGE_VERSION="@PACKAGE_VERSION@"
> OPENVPN_PACKAGE_HOST="@host@"
>
>
>> Signed-off-by: Alon Bar-Lev 
>> ---
>>  .gitignore    |    1 +
>>  Makefile.am   |    5 +
>>  configure.ac  |    1 +
>>  version.sh.in |    4 
>>  4 files changed, 11 insertions(+), 0 deletions(-)
>>  create mode 100644 version.sh.in
>>
>> diff --git a/.gitignore b/.gitignore
>> index e7232cf..2f72ed8 100644
>> --- a/.gitignore
>> +++ b/.gitignore
>> @@ -39,6 +39,7 @@ m4/ltsugar.m4
>>  m4/ltversion.m4
>>  m4/lt~obsolete.m4
>>
>> +version.sh
>>  msvc-env-local.bat
>>  config-msvc-local.h
>>  config-msvc-version.h
>> diff --git a/Makefile.am b/Makefile.am
>> index 5293518..68aa0a8 100644
>> --- a/Makefile.am
>> +++ b/Makefile.am
>> @@ -69,3 +69,8 @@ endif
>>  dist_noinst_HEADERS = \
>>       config-msvc.h \
>>       config-msvc-version.h.in
>> +
>> +if WIN32
>> +rootdir=$(prefix)
>> +root_DATA = version.sh
>> +endif
>> diff --git a/configure.ac b/configure.ac
>> index d53a74a..0f2a62e 100644
>> --- a/configure.ac
>> +++ b/configure.ac
>> @@ -904,6 +904,7 @@ AC_SUBST([OPTIONAL_PKCS11_HELPER_LIBS])
>>  AM_CONDITIONAL([WIN32], [test "${WIN32}" = "yes"])
>>
>>  AC_CONFIG_FILES([
>> +     version.sh
>>       Makefile
>>       build/Makefile
>>       build/msvc/Makefile
>> diff --git a/version.sh.in b/version.sh.in
>> new file mode 100644
>> index 000..2af5a36
>> --- /dev/null
>> +++ b/version.sh.in
>> @@ -0,0 +1,4 @@
>> +OPENVPN_PACKAGE_NAME="@PACKAGE_NAME@"
>> +OPENVPN_PACKAGE_TARNAME="@PACKAGE_TARNAME@"
>> +OPENVPN_PACKAGE_VERSION="@PACKAGE_VERSION@"
>> +OPENVPN_PACKAGE_HOST="@host@"
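Review bot: version.sh.in wraps each substituted value in double quotes, and per the reply above the file is sourced by the packaging script, so a configure value containing a double quote, $ or a backquote would be interpreted by the shell when the file is read. Single quotes would keep the values literal. A one-line comment at the top saying the file is generated by configure and is meant to be sourced would also help, since the Makefile.am hunk installs it into $(prefix).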
>
>



Re: [Openvpn-devel] [easy-rsa 1/4] cleanup: fix execute permission

2012-03-08 Thread Alon Bar-Lev
I can do this as well... unrelated to the packaging though... :)

2012/3/8 Samuli Seppänen :
> ACK. A few related questions/suggestions:
>
> - perhaps "easy-rsa/1.0" could be removed altogether?
> - perhaps "openssl-0.9.6.cnf" and any references to it could be removed
> also?
>
> --
> Samuli Seppänen
> Community Manager
> OpenVPN Technologies, Inc
>
> irc freenode net: mattock
>
>> Signed-off-by: Alon Bar-Lev 
>> ---
>>  0 files changed, 0 insertions(+), 0 deletions(-)
>>  mode change 100644 => 100755 easy-rsa/1.0/list-crl
>>  mode change 100644 => 100755 easy-rsa/1.0/make-crl
>>  mode change 100644 => 100755 easy-rsa/1.0/revoke-crt
>>  mode change 100755 => 100644 easy-rsa/2.0/openssl-0.9.6.cnf
>>  mode change 100755 => 100644 easy-rsa/2.0/openssl-0.9.8.cnf
>>  mode change 100755 => 100644 easy-rsa/2.0/openssl-1.0.0.cnf
>>  mode change 100755 => 100644 easy-rsa/2.0/vars
>>  mode change 100755 => 100644 easy-rsa/Windows/init-config.bat
>>
>> diff --git a/easy-rsa/1.0/list-crl b/easy-rsa/1.0/list-crl
>> old mode 100644
>> new mode 100755
>> diff --git a/easy-rsa/1.0/make-crl b/easy-rsa/1.0/make-crl
>> old mode 100644
>> new mode 100755
>> diff --git a/easy-rsa/1.0/revoke-crt b/easy-rsa/1.0/revoke-crt
>> old mode 100644
>> new mode 100755
>> diff --git a/easy-rsa/2.0/openssl-0.9.6.cnf b/easy-rsa/2.0/openssl-0.9.6.cnf
>> old mode 100755
>> new mode 100644
>> diff --git a/easy-rsa/2.0/openssl-0.9.8.cnf b/easy-rsa/2.0/openssl-0.9.8.cnf
>> old mode 100755
>> new mode 100644
>> diff --git a/easy-rsa/2.0/openssl-1.0.0.cnf b/easy-rsa/2.0/openssl-1.0.0.cnf
>> old mode 100755
>> new mode 100644
>> diff --git a/easy-rsa/2.0/vars b/easy-rsa/2.0/vars
>> old mode 100755
>> new mode 100644
>> diff --git a/easy-rsa/Windows/init-config.bat 
>> b/easy-rsa/Windows/init-config.bat
>> old mode 100755
>> new mode 100644
>



Re: [Openvpn-devel] [easy-rsa 4/4] packaging: rpm: initial add

2012-03-08 Thread Samuli Seppänen
Support for RPM in easy-rsa, nice. Feature-wise it's an ACK. Afaics
autotools stuff is ok, but I'm no expert. Somebody else have a look
please :).

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock


PS. We need Debian rules files too... that's probably something for me
to look into.
> Signed-off-by: Alon Bar-Lev 
> ---
>  Makefile.am |2 +
>  configure.ac|3 ++
>  distro/Makefile.am  |   15 +
>  distro/rpm/Makefile.am  |   15 +
>  distro/rpm/easy-rsa.spec.in |   68 
> +++
>  5 files changed, 103 insertions(+), 0 deletions(-)
>  create mode 100644 distro/Makefile.am
>  create mode 100644 distro/rpm/Makefile.am
>  create mode 100644 distro/rpm/easy-rsa.spec.in
>
> diff --git a/Makefile.am b/Makefile.am
> index 743da35..156a3c0 100644
> --- a/Makefile.am
> +++ b/Makefile.am
> @@ -35,6 +35,8 @@ MAINTAINERCLEANFILES = \
>  
>  EXTRA_DIST = doc easy-rsa
>  
> +SUBDIRS = distro
> +
>  dist_doc_DATA = \
>   COPYRIGHT.GPL \
>   COPYING
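Review bot: SUBDIRS is set to distro only, while the configure.ac hunk below shows doc/Makefile already listed in AC_CONFIG_FILES and doc remains in EXTRA_DIST. Unless doc is recursed into somewhere not shown here, doc/Makefile is generated but never entered by the top-level make, so the install rules in doc/Makefile.am do not run. Consider SUBDIRS = doc distro and dropping doc from EXTRA_DIST.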
> diff --git a/configure.ac b/configure.ac
> index 1e52ece..61703a2 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -48,5 +48,8 @@ AC_SUBST([easyrsadir])
>  AC_CONFIG_FILES([
>   Makefile
>   doc/Makefile
> + distro/Makefile
> + distro/rpm/Makefile
> + distro/rpm/easy-rsa.spec
>  ])
>  AC_OUTPUT
> diff --git a/distro/Makefile.am b/distro/Makefile.am
> new file mode 100644
> index 000..f26dc5a
> --- /dev/null
> +++ b/distro/Makefile.am
> @@ -0,0 +1,15 @@
> +#
> +#  Easy-RSA -- This is a small RSA key management package, based on the 
> openssl
> +#  command line tool, that can be found in the easy-rsa 
> subdirectory
> +#  of the OpenVPN distribution.  While this tool is primary 
> concerned
> +#  with key management for the SSL VPN application space, it can 
> also
> +#  be used for building web certificates.
> +#
> +#  Copyright (C) 2002-2010 OpenVPN Technologies, Inc. 
> +#  Copyright (C) 2006-2012 Alon Bar-Lev 
> +#
> +
> +MAINTAINERCLEANFILES = \
> + $(srcdir)/Makefile.in
> +
> +SUBDIRS = rpm
> diff --git a/distro/rpm/Makefile.am b/distro/rpm/Makefile.am
> new file mode 100644
> index 000..49fe48c
> --- /dev/null
> +++ b/distro/rpm/Makefile.am
> @@ -0,0 +1,15 @@
> +#
> +#  Easy-RSA -- This is a small RSA key management package, based on the 
> openssl
> +#  command line tool, that can be found in the easy-rsa 
> subdirectory
> +#  of the OpenVPN distribution.  While this tool is primary 
> concerned
> +#  with key management for the SSL VPN application space, it can 
> also
> +#  be used for building web certificates.
> +#
> +#  Copyright (C) 2002-2010 OpenVPN Technologies, Inc. 
> +#  Copyright (C) 2006-2012 Alon Bar-Lev 
> +#
> +
> +MAINTAINERCLEANFILES = \
> + $(srcdir)/Makefile.in
> +
> +dist_noinst_DATA = easy-rsa.spec
> diff --git a/distro/rpm/easy-rsa.spec.in b/distro/rpm/easy-rsa.spec.in
> new file mode 100644
> index 000..f0d9bfa
> --- /dev/null
> +++ b/distro/rpm/easy-rsa.spec.in
> @@ -0,0 +1,68 @@
> +#
> +#  Easy-RSA -- This is a small RSA key management package, based on the 
> openssl
> +#  command line tool, that can be found in the easy-rsa 
> subdirectory
> +#  of the OpenVPN distribution.  While this tool is primary 
> concerned
> +#  with key management for the SSL VPN application space, it can 
> also
> +#  be used for building web certificates.
> +#
> +#  Copyright (C) 2002-2010 OpenVPN Technologies, Inc. 
> +#  Copyright (C) 2006-2012 Alon Bar-Lev 
> +#
> +#  This program is free software; you can redistribute it and/or modify
> +#  it under the terms of the GNU General Public License version 2
> +#  as published by the Free Software Foundation.
> +#
> +#  This program is distributed in the hope that it will be useful,
> +#  but WITHOUT ANY WARRANTY; without even the implied warranty of
> +#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> +#  GNU General Public License for more details.
> +#
> +#  You should have received a copy of the GNU General Public License
> +#  along with this program (see the file COPYING included with this
> +#  distribution); if not, write to the Free Software Foundation, Inc.,
> +#  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
> +#
> +
> +Summary: Easy-RSA
> +Name:easy-rsa
> +Version: @PACKAGE_VERSION@
> +Release: 1
> +License: GPL-2
> +Group:   Security/Cryptography
> +Source:  %{name}-%{version}.tar.gz
> +Packager:OpenVPN Technologies, Inc. 
> +Vendor:  OpenVPN Technologies, Inc.
> +URL: http://openvpn.net
> 

Re: [Openvpn-devel] [easy-rsa 3/4] build: doc

2012-03-08 Thread Samuli Seppänen
Looks good. Moves docs into a separate directory with its own makefile.
Provided that patch 2/4 was sane autotools-wise, I give this one an ACK.

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock


> Signed-off-by: Alon Bar-Lev 
> ---
>  Makefile.am |2 +-
>  configure.ac|1 +
>  doc/Makefile.am |   16 
>  doc/README-1.0  |  161 
>  doc/README-2.0  |  229 
> +++
>  easy-rsa/1.0/README |  161 
>  easy-rsa/2.0/README |  229 
> ---
>  7 files changed, 408 insertions(+), 391 deletions(-)
>  create mode 100644 doc/Makefile.am
>  create mode 100644 doc/README-1.0
>  create mode 100644 doc/README-2.0
>  delete mode 100644 easy-rsa/1.0/README
>  delete mode 100644 easy-rsa/2.0/README
>
> diff --git a/Makefile.am b/Makefile.am
> index f6433d5..743da35 100644
> --- a/Makefile.am
> +++ b/Makefile.am
> @@ -33,7 +33,7 @@ MAINTAINERCLEANFILES = \
> $(srcdir)/depcomp $(srcdir)/aclocal.m4 \
> $(srcdir)/config.guess $(srcdir)/config.sub
>
> -EXTRA_DIST = easy-rsa
> +EXTRA_DIST = doc easy-rsa
>
>  dist_doc_DATA = \
> COPYRIGHT.GPL \
> diff --git a/configure.ac b/configure.ac
> index f9625e5..1e52ece 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -47,5 +47,6 @@ AC_SUBST([easyrsadir])
>
>  AC_CONFIG_FILES([
> Makefile
> +   doc/Makefile
>  ])
>  AC_OUTPUT
> diff --git a/doc/Makefile.am b/doc/Makefile.am
> new file mode 100644
> index 000..de183c6
> --- /dev/null
> +++ b/doc/Makefile.am
> @@ -0,0 +1,16 @@
> +#
> +#  Easy-RSA -- This is a small RSA key management package, based on the 
> openssl
> +#  command line tool, that can be found in the easy-rsa 
> subdirectory
> +#  of the OpenVPN distribution.  While this tool is primary 
> concerned
> +#  with key management for the SSL VPN application space, it can 
> also
> +#  be used for building web certificates.
> +#
> +#  Copyright (C) 2002-2010 OpenVPN Technologies, Inc. 
> +#  Copyright (C) 2006-2012 Alon Bar-Lev 
> +#
> +
> +MAINTAINERCLEANFILES = \
> +   $(srcdir)/Makefile.in
> +
> +dist_doc_DATA = README-2.0
> +dist_noinst_DATA = README-1.0
> diff --git a/doc/README-1.0 b/doc/README-1.0
> new file mode 100644
> index 000..fd424ef
> --- /dev/null
> +++ b/doc/README-1.0
> @@ -0,0 +1,161 @@
> +This is a small RSA key management package,
> +based on the openssl command line tool, that
> +can be found in the easy-rsa subdirectory
> +of the OpenVPN distribution.
> +
> +These are reference notes.  For step
> +by step instructions, see the HOWTO:
> +
> +http://openvpn.net/howto.html
> +
> +INSTALL
> +
> +1. Edit vars.
> +2. Set KEY_CONFIG to point to the openssl.cnf file
> +   included in this distribution.
> +3. Set KEY_DIR to point to a directory which will
> +   contain all keys, certificates, etc.  This
> +   directory need not exist, and if it does,
> +   it will be deleted with rm -rf, so BE
> +   CAREFUL how you set KEY_DIR.
> +4. (Optional) Edit other fields in vars
> +   per your site data.  You may want to
> +   increase KEY_SIZE to 2048 if you are
> +   paranoid and don't mind slower key
> +   processing, but certainly 1024 is
> +   fine for testing purposes.  KEY_SIZE
> +   must be compatible across both peers
> +   participating in a secure SSL/TLS
> +   connection.
> +5  . vars
> +6. ./clean-all
> +7. As you create certificates, keys, and
> +   certificate signing requests, understand that
> +   only .key files should be kept confidential.
> +   .crt and .csr files can be sent over insecure
> +   channels such as plaintext email.
> +8. You should never need to copy a .key file
> +   between computers.  Normally each computer
> +   will have its own certificate/key pair.
> +
> +BUILD YOUR OWN ROOT CERTIFICATE AUTHORITY (CA) CERTIFICATE/KEY
> +
> +1. ./build-ca
> +2. ca.crt and ca.key will be built in your KEY_DIR
> +   directory
> +
> +BUILD AN INTERMEDIATE CERTIFICATE AUTHORITY CERTIFICATE/KEY (optional)
> +
> +1. ./build-inter inter
> +2. inter.crt and inter.key will be built in your KEY_DIR
> +   directory and signed with your root certificate.
> +
> +BUILD DIFFIE-HELLMAN PARAMETERS (necessary for
> +the server end of a SSL/TLS connection).
> +
> +1. ./build-dh
> +
> +BUILD A CERTIFICATE SIGNING REQUEST (If
> +you want to sign your certificate with a root
> +certificate controlled by another individual
> +or organization, or residing on a different machine).
> +
> +1. Get ca.crt (the root certificate) from your
> +   certificate authority.  Though this
> +   transfer can be over an insecure channel, to prevent
> +   man-in-the-middle attacks you must confirm that
> +   ca.crt was not tampered with.  Large CAs solve this
> +   problem by hardwiring their 

Re: [Openvpn-devel] [easy-rsa 1/4] cleanup: fix execute permission

2012-03-08 Thread Samuli Seppänen
ACK. A few related questions/suggestions:

- perhaps "easy-rsa/1.0" could be removed altogether?
- perhaps "openssl-0.9.6.cnf" and any references to it could be removed
also?

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock

> Signed-off-by: Alon Bar-Lev 
> ---
>  0 files changed, 0 insertions(+), 0 deletions(-)
>  mode change 100644 => 100755 easy-rsa/1.0/list-crl
>  mode change 100644 => 100755 easy-rsa/1.0/make-crl
>  mode change 100644 => 100755 easy-rsa/1.0/revoke-crt
>  mode change 100755 => 100644 easy-rsa/2.0/openssl-0.9.6.cnf
>  mode change 100755 => 100644 easy-rsa/2.0/openssl-0.9.8.cnf
>  mode change 100755 => 100644 easy-rsa/2.0/openssl-1.0.0.cnf
>  mode change 100755 => 100644 easy-rsa/2.0/vars
>  mode change 100755 => 100644 easy-rsa/Windows/init-config.bat
>
> diff --git a/easy-rsa/1.0/list-crl b/easy-rsa/1.0/list-crl
> old mode 100644
> new mode 100755
> diff --git a/easy-rsa/1.0/make-crl b/easy-rsa/1.0/make-crl
> old mode 100644
> new mode 100755
> diff --git a/easy-rsa/1.0/revoke-crt b/easy-rsa/1.0/revoke-crt
> old mode 100644
> new mode 100755
> diff --git a/easy-rsa/2.0/openssl-0.9.6.cnf b/easy-rsa/2.0/openssl-0.9.6.cnf
> old mode 100755
> new mode 100644
> diff --git a/easy-rsa/2.0/openssl-0.9.8.cnf b/easy-rsa/2.0/openssl-0.9.8.cnf
> old mode 100755
> new mode 100644
> diff --git a/easy-rsa/2.0/openssl-1.0.0.cnf b/easy-rsa/2.0/openssl-1.0.0.cnf
> old mode 100755
> new mode 100644
> diff --git a/easy-rsa/2.0/vars b/easy-rsa/2.0/vars
> old mode 100755
> new mode 100644
> diff --git a/easy-rsa/Windows/init-config.bat 
> b/easy-rsa/Windows/init-config.bat
> old mode 100755
> new mode 100644




Re: [Openvpn-devel] [PATCH 52/52] build: use tap-windows.h as external dependency

2012-03-08 Thread Samuli Seppänen
If I understood this correctly, include/tap-windows.h gets removed, and
will then be included using the same mechanism that's used to include
LZO headers, OpenSSL headers, etc. I think this makes sense now that the
TAP-driver is a separate subproject.

ACK.

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



> tap-windows.h is provided by the tap project
>
> Signed-off-by: Alon Bar-Lev 
> ---
>  configure.ac   |   12 
>  include/Makefile.am|2 -
>  include/tap-windows.h  |   68 
> 
>  msvc-env.bat   |2 +
>  src/openvpn/Makefile.am|1 +
>  src/openvpn/openvpn.vcproj |4 +-
>  6 files changed, 17 insertions(+), 72 deletions(-)
>  delete mode 100644 include/tap-windows.h
>
> diff --git a/configure.ac b/configure.ac
> index 2b095a3..c6cabee 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -666,6 +666,18 @@ PKG_CHECK_MODULES(
> )]
>  )
>
> +AC_ARG_VAR([TAP_WINDOWS_CFLAGS], [C compiler flags for TAP-Windows])
> +if test "${WIN32}" = "yes"; then
> +   old_CFLAGS="${CFLAGS}"
> +   CFLAGS="${CFLAGS} ${TAP_WINDOWS_CFLAGS}"
> +   AC_CHECK_HEADERS(
> +   [tap-windows.h],
> +   ,
> +   [AC_MSG_ERROR([tap-windows.h is required but missing])]
> +   )
> +   CFLAGS="${old_CFLAGS}"
> +fi
> +
>  if test "${have_openssl_crypto}" = "yes"; then
> saved_CFLAGS="${CFLAGS}"
> saved_LIBS="${LIBS}"
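Review bot: The new TAP-Windows block saves and restores CFLAGS in old_CFLAGS, while the OpenSSL check in the context lines directly below uses saved_CFLAGS for the same purpose; use one name for this idiom throughout configure.ac. The AC_MSG_ERROR text "tap-windows.h is required but missing" could also mention TAP_WINDOWS_CFLAGS, so that whoever hits the error knows which variable points configure at the header.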
> diff --git a/include/Makefile.am b/include/Makefile.am
> index 36eeb6c..13dee61 100644
> --- a/include/Makefile.am
> +++ b/include/Makefile.am
> @@ -12,6 +12,4 @@
>  MAINTAINERCLEANFILES = \
> $(srcdir)/Makefile.in
>
> -dist_noinst_HEADERS = tap-windows.h
> -
>  include_HEADERS = openvpn-plugin.h
> diff --git a/include/tap-windows.h b/include/tap-windows.h
> deleted file mode 100644
> index 243a4a2..000
> --- a/include/tap-windows.h
> +++ /dev/null
> @@ -1,68 +0,0 @@
> -/*
> - *  TAP-Windows -- A kernel driver to provide virtual tap
> - * device functionality on Windows.
> - *
> - *  This code was inspired by the CIPE-Win32 driver by Damion K. Wilson.
> - *
> - *  This source code is Copyright (C) 2002-2010 OpenVPN Technologies, Inc.,
> - *  and is released under the GPL version 2 (see below).
> - *
> - *  This program is free software; you can redistribute it and/or modify
> - *  it under the terms of the GNU General Public License version 2
> - *  as published by the Free Software Foundation.
> - *
> - *  This program is distributed in the hope that it will be useful,
> - *  but WITHOUT ANY WARRANTY; without even the implied warranty of
> - *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> - *  GNU General Public License for more details.
> - *
> - *  You should have received a copy of the GNU General Public License
> - *  along with this program (see the file COPYING included with this
> - *  distribution); if not, write to the Free Software Foundation, Inc.,
> - *  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
> - */
> -#ifndef __TAP_WIN_H
> -#define __TAP_WIN_H
> -
> -//=
> -// TAP IOCTLs
> -//=
> -
> -#define TAP_WIN_CONTROL_CODE(request,method) \
> -  CTL_CODE (FILE_DEVICE_UNKNOWN, request, method, FILE_ANY_ACCESS)
> -
> -// Present in 8.1
> -
> -#define TAP_WIN_IOCTL_GET_MAC   TAP_WIN_CONTROL_CODE (1, 
> METHOD_BUFFERED)
> -#define TAP_WIN_IOCTL_GET_VERSION   TAP_WIN_CONTROL_CODE (2, 
> METHOD_BUFFERED)
> -#define TAP_WIN_IOCTL_GET_MTU   TAP_WIN_CONTROL_CODE (3, 
> METHOD_BUFFERED)
> -#define TAP_WIN_IOCTL_GET_INFO  TAP_WIN_CONTROL_CODE (4, 
> METHOD_BUFFERED)
> -#define TAP_WIN_IOCTL_CONFIG_POINT_TO_POINT TAP_WIN_CONTROL_CODE (5, 
> METHOD_BUFFERED)
> -#define TAP_WIN_IOCTL_SET_MEDIA_STATUS  TAP_WIN_CONTROL_CODE (6, 
> METHOD_BUFFERED)
> -#define TAP_WIN_IOCTL_CONFIG_DHCP_MASQ  TAP_WIN_CONTROL_CODE (7, 
> METHOD_BUFFERED)
> -#define TAP_WIN_IOCTL_GET_LOG_LINE  TAP_WIN_CONTROL_CODE (8, 
> METHOD_BUFFERED)
> -#define TAP_WIN_IOCTL_CONFIG_DHCP_SET_OPT   TAP_WIN_CONTROL_CODE (9, 
> METHOD_BUFFERED)
> -
> -// Added in 8.2
> -
> -/* obsoletes TAP_WIN_IOCTL_CONFIG_POINT_TO_POINT */
> -#define TAP_WIN_IOCTL_CONFIG_TUNTAP_WIN_CONTROL_CODE (10, 
> METHOD_BUFFERED)
> -
> -//=
> -// Registry keys
> -//=
> -
> -#define ADAPTER_KEY 
> "SYSTEM\\CurrentControlSet\\Control\\Class\\{4D36E972-E325-11CE-BFC1-08002BE10318}"
> -
> -#define NETWORK_CONNECTIONS_KEY 
> "SYSTEM\\CurrentControlSet\\Control\\Network\\{4D36E972-E325-11CE-BFC1-08002BE10318}"
> -
> -//==
> -// Filesystem prefixes
> -//==
> -
> -#define USERMODEDEVICEDIR ".\\Global\\"
> -#define SYSDEVICEDIR  "\\Device\\"
> -#define USERDEVICEDIR "\\DosDevices\\Global\\"
> -#define TAP_WIN_SUFFIX".tap"
> -

Re: [Openvpn-devel] [PATCH 49/52] build: move wrappers into platform module

2012-03-08 Thread Samuli Seppänen
This probably makes sense, lots of good refactorings. That said, I'd
like to know how you selected what goes to platform.c?

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock


> + Some fixups within the platform.c functions.
> - need to check environment set on Windows.
>
> Signed-off-by: Alon Bar-Lev 
> ---
>  src/openvpn/Makefile.am|1 +
>  src/openvpn/buffer.c   |2 +-
>  src/openvpn/crypto.c   |6 +-
>  src/openvpn/error.c|2 +-
>  src/openvpn/init.c |   18 +-
>  src/openvpn/manage.c   |   16 +-
>  src/openvpn/misc.c |  295 ++--
>  src/openvpn/misc.h |  106 +-
>  src/openvpn/mstats.c   |2 +-
>  src/openvpn/multi.c|2 +-
>  src/openvpn/openvpn.h  |4 +-
>  src/openvpn/openvpn.vcproj |8 +
>  src/openvpn/options.c  |   14 +-
>  src/openvpn/packet_id.c|2 +-
>  src/openvpn/pf.c   |6 +-
>  src/openvpn/platform.c |  369 
> 
>  src/openvpn/platform.h |  142 +
>  src/openvpn/ps.c   |2 +-
>  src/openvpn/ssl_openssl.c  |2 +-
>  src/openvpn/ssl_verify.c   |8 +-
>  src/openvpn/status.c   |6 +-
>  src/openvpn/tun.c  |   12 +-
>  src/openvpn/win32.c|   27 
>  23 files changed, 584 insertions(+), 468 deletions(-)
>  create mode 100644 src/openvpn/platform.c
>  create mode 100644 src/openvpn/platform.h
>
> diff --git a/src/openvpn/Makefile.am b/src/openvpn/Makefile.am
> index 333eebc..6ba12b8 100644
> --- a/src/openvpn/Makefile.am
> +++ b/src/openvpn/Makefile.am
> @@ -58,6 +58,7 @@ openvpn_SOURCES = \
> mbuf.c mbuf.h \
> memdbg.h \
> misc.c misc.h \
> +   platform.c platform.h \
> console.c console.h \
> mroute.c mroute.h \
> mss.c mss.h \
> diff --git a/src/openvpn/buffer.c b/src/openvpn/buffer.c
> index ad30223..5eee3ee 100644
> --- a/src/openvpn/buffer.c
> +++ b/src/openvpn/buffer.c
> @@ -1080,7 +1080,7 @@ buffer_list_advance (struct buffer_list *ol, int n)
>  struct buffer_list *
>  buffer_list_file (const char *fn, int max_line_len)
>  {
> -  FILE *fp = openvpn_fopen (fn, "r");
> +  FILE *fp = platform_fopen (fn, "r");
>struct buffer_list *bl = NULL;
>
>if (fp)
> diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
> index 2e2e5d7..f811966 100644
> --- a/src/openvpn/crypto.c
> +++ b/src/openvpn/crypto.c
> @@ -868,7 +868,7 @@ read_key_file (struct key2 *key2, const char *file, const 
> unsigned int flags)
>  #endif
>  {
>in = alloc_buf_gc (2048, );
> -  fd = openvpn_open (file, O_RDONLY, 0);
> +  fd = platform_open (file, O_RDONLY, 0);
>if (fd == -1)
> msg (M_ERR, "Cannot open file key file '%s'", file);
>size = read (fd, in.data, in.capacity);
> @@ -1029,7 +1029,7 @@ read_passphrase_hash (const char *passphrase_file,
>  const int min_passphrase_size = 8;
>  uint8_t buf[64];
>  int total_size = 0;
> -int fd = openvpn_open (passphrase_file, O_RDONLY, 0);
> +int fd = platform_open (passphrase_file, O_RDONLY, 0);
>
>  if (fd == -1)
>msg (M_ERR, "Cannot open passphrase file: '%s'", passphrase_file);
> @@ -1079,7 +1079,7 @@ write_key_file (const int nkeys, const char *filename)
>const int bytes_per_line = 16;
>
>/* open key file */
> -  fd = openvpn_open (filename, O_CREAT | O_TRUNC | O_WRONLY, S_IRUSR | 
> S_IWUSR);
> +  fd = platform_open (filename, O_CREAT | O_TRUNC | O_WRONLY, S_IRUSR | 
> S_IWUSR);
>
>if (fd == -1)
>  msg (M_ERR, "Cannot open shared secret file '%s' for write", filename);
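Review bot: In write_key_file the mode argument S_IRUSR | S_IWUSR only takes effect when the file is created. With O_CREAT | O_TRUNC and no O_EXCL, an existing file keeps whatever permissions it already had, so the shared secret can end up in a group-readable or world-readable file. This predates the rename, but now that the call goes through platform_open it is a good place to document or enforce the expected mode, for example by checking the descriptor's permissions after the open.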
> diff --git a/src/openvpn/error.c b/src/openvpn/error.c
> index 1f2dd86..d6ad639 100644
> --- a/src/openvpn/error.c
> +++ b/src/openvpn/error.c
> @@ -640,7 +640,7 @@ x_check_status (int status,
>  my_errno);
>
>   if (x_cs_err_delay_ms)
> -   sleep_milliseconds (x_cs_err_delay_ms);
> +   platform_sleep_milliseconds (x_cs_err_delay_ms);
> }
>gc_free ();
>  }
> diff --git a/src/openvpn/init.c b/src/openvpn/init.c
> index bba3cf8..bc7718e 100644
> --- a/src/openvpn/init.c
> +++ b/src/openvpn/init.c
> @@ -935,7 +935,7 @@ do_genkey (const struct options * options)
>"shared secret output file (--secret)");
>
>if (options->mlock)  /* should we disable paging? */
> -   do_mlockall (true);
> +   platform_mlockall (true);
>
>nbits_written = write_key_file (2, options->shared_secret_file);
>
> @@ -1022,7 +1022,7 @@ do_uid_gid_chroot (struct context *c, bool no_delay)
>if (c->options.chroot_dir)
> {
>   if (no_delay)
> -   do_chroot (c->options.chroot_dir);
> +   platform_chroot (c->options.chroot_dir);
>   else
> msg (M_INFO, "NOTE: chroot %s", why_not);
> }
> @@ -1030,8 +1030,8 @@ 

Re: [Openvpn-devel] [PATCH 48/52] cleanup: move console related function into its own module

2012-03-08 Thread Samuli Seppänen
Currently many files (42) include misc.h, which is a lot. Also, misc.c
is among the biggest files in the codebase[1], so splitting it into
smaller files with good names and well-defined functionality makes sense:

"Oh, this includes console.h, it must be using some console-related
functions"

Feature-wise I give this one an ACK. Somebody else might want to look at
the actual changes.

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock

[1] For your own amusement, you can try something like this:

for i in `ls *.c`;do echo -n $i": ";cat $i|wc --lines;done|less
> Signed-off-by: Alon Bar-Lev 
> ---
>  src/openvpn/Makefile.am|1 +
>  src/openvpn/console.c  |  238 
> 
>  src/openvpn/console.h  |   33 ++
>  src/openvpn/misc.c |  125 +---
>  src/openvpn/misc.h |3 +-
>  src/openvpn/openvpn.vcproj |8 ++
>  src/openvpn/pkcs11.c   |1 +
>  src/openvpn/win32.c|   87 +
>  src/openvpn/win32.h|5 +-
>  9 files changed, 286 insertions(+), 215 deletions(-)
>  create mode 100644 src/openvpn/console.c
>  create mode 100644 src/openvpn/console.h
>
> diff --git a/src/openvpn/Makefile.am b/src/openvpn/Makefile.am
> index e170380..333eebc 100644
> --- a/src/openvpn/Makefile.am
> +++ b/src/openvpn/Makefile.am
> @@ -58,6 +58,7 @@ openvpn_SOURCES = \
> mbuf.c mbuf.h \
> memdbg.h \
> misc.c misc.h \
> +   console.c console.h \
> mroute.c mroute.h \
> mss.c mss.h \
> mstats.c mstats.h \
> diff --git a/src/openvpn/console.c b/src/openvpn/console.c
> new file mode 100644
> index 000..2464e7e
> --- /dev/null
> +++ b/src/openvpn/console.c
> @@ -0,0 +1,238 @@
> +/*
> + *  OpenVPN -- An application to securely tunnel IP networks
> + * over a single UDP port, with support for SSL/TLS-based
> + * session authentication and key exchange,
> + * packet encryption, packet authentication, and
> + * packet compression.
> + *
> + *  Copyright (C) 2002-2010 OpenVPN Technologies, Inc. 
> + *
> + *  This program is free software; you can redistribute it and/or modify
> + *  it under the terms of the GNU General Public License version 2
> + *  as published by the Free Software Foundation.
> + *
> + *  This program is distributed in the hope that it will be useful,
> + *  but WITHOUT ANY WARRANTY; without even the implied warranty of
> + *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> + *  GNU General Public License for more details.
> + *
> + *  You should have received a copy of the GNU General Public License
> + *  along with this program (see the file COPYING included with this
> + *  distribution); if not, write to the Free Software Foundation, Inc.,
> + *  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
> + */
> +
> +#ifdef HAVE_CONFIG_H
> +#include "config.h"
> +#elif defined(_MSC_VER)
> +#include "config-msvc.h"
> +#endif
> +
> +#include "syshead.h"
> +#include "console.h"
> +#include "error.h"
> +#include "buffer.h"
> +#include "misc.h"
> +
> +#ifdef WIN32
> +
> +#include "win32.h"
> +
> +/*
> + * Get input from console.
> + *
> + * Return false on input error, or if service
> + * exit event is signaled.
> + */
> +
> +static bool
> +get_console_input_win32 (const char *prompt, const bool echo, char *input, 
> const int capacity)
> +{
> +  HANDLE in = INVALID_HANDLE_VALUE;
> +  HANDLE err = INVALID_HANDLE_VALUE;
> +  DWORD len = 0;
> +
> +  ASSERT (prompt);
> +  ASSERT (input);
> +  ASSERT (capacity > 0);
> +
> +  input[0] = '\0';
> +
> +  in = GetStdHandle (STD_INPUT_HANDLE);
> +  err = get_orig_stderr ();
> +
> +  if (in != INVALID_HANDLE_VALUE
> +  && err != INVALID_HANDLE_VALUE
> +  && !win32_service_interrupt (_signal)
> +  && WriteFile (err, prompt, strlen (prompt), , NULL))
> +{
> +  bool is_console = (GetFileType (in) == FILE_TYPE_CHAR);
> +  DWORD flags_save = 0;
> +  int status = 0;
> +  WCHAR *winput;
> +
> +  if (is_console)
> +   {
> + if (GetConsoleMode (in, _save))
> +   {
> + DWORD flags = ENABLE_LINE_INPUT | ENABLE_PROCESSED_INPUT;
> + if (echo)
> +   flags |= ENABLE_ECHO_INPUT;
> + SetConsoleMode (in, flags);
> +   }
> + else
> +   is_console = 0;
> +   }
> +
> +  if (is_console)
> +{
> +  winput = malloc (capacity * sizeof (WCHAR));
> +  if (winput == NULL)
> +return false;
> +
> +  status = ReadConsoleW (in, winput, capacity, , NULL);
> +  WideCharToMultiByte (CP_UTF8, 0, winput, len, input, capacity, 
> NULL, NULL);
> +  free (winput);
> +}
> +  else
> +status = ReadFile (in, input, capacity, , NULL);
> +
> +  string_null_terminate (input, (int)len, 
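Review bot: In the `is_console` branch, `len` is used as the wide-character count passed to `WideCharToMultiByte`, and the same `len` is then given to `string_null_terminate (input, (int)len, ...` as the length of the UTF-8 result. The number of bytes written is the return value of `WideCharToMultiByte`, which is discarded here, so for non-ASCII input the index passed no longer matches the converted string. Keep that return value, treat 0 as a conversion failure, and terminate with it. Two smaller points in the same block: the `return false` after a failed `malloc` exits after `SetConsoleMode (in, flags)` has already changed the console mode, and `status` from `ReadConsoleW` is not checked before the conversion runs.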

Re: [Openvpn-devel] [PATCH 47/52] build: move inet_ntop(), inet_pton() emulation into compat

2012-03-08 Thread Samuli Seppänen
Windows has this functionality, but not under the same function names as
UNIX. So these two are just wrappers around the Windows-specific
functionality. In any case, I think it makes sense to move inet_pton and
inet_ntop under src/compat. The actual code changes seem fairly trivial.

ACK.

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock


PS. These links should cover the basic idea, in case somebody is interested:



> Signed-off-by: Alon Bar-Lev 
> ---
>  configure.ac  I recall many issues with inet_ntop and inet_pton.
>
> |2 +-
>  src/compat/Makefile.am|4 ++-
>  src/compat/compat-inet_ntop.c |   76 +++
>  src/compat/compat-inet_pton.c |   79 
> +
>  src/compat/compat.h   |   17 -
>  src/compat/compat.vcproj  |8 
>  src/openvpn/socket.c  |   55 
>  src/openvpn/win32.h   |6 ---
>  8 files changed, 183 insertions(+), 64 deletions(-)
>  create mode 100644 src/compat/compat-inet_ntop.c
>  create mode 100644 src/compat/compat-inet_pton.c
>
> diff --git a/configure.ac b/configure.ac
> index dc138ba..d53a74a 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -522,7 +522,7 @@ AC_CHECK_FUNCS([ \
> chsize ftruncate execve getpeereid umask basename dirname access \
> epoll_create \
>  ])
> -AC_CHECK_FUNCS([sendmsg recvmsg])
> +AC_CHECK_FUNCS([sendmsg recvmsg inet_ntop inet_pton])
>  AC_CHECK_FUNCS(
> [res_init],
> ,
> diff --git a/src/compat/Makefile.am b/src/compat/Makefile.am
> index c8a92ce..91b7f40 100644
> --- a/src/compat/Makefile.am
> +++ b/src/compat/Makefile.am
> @@ -22,4 +22,6 @@ libcompat_la_SOURCES = \
> compat-dirname.c \
> compat-basename.c \
> compat-gettimeofday.c \
> -   compat-daemon.c
> +   compat-daemon.c \
> +   compat-inet_ntop.c \
> +   compat-inet_pton.c
> diff --git a/src/compat/compat-inet_ntop.c b/src/compat/compat-inet_ntop.c
> new file mode 100644
> index 000..0d52142
> --- /dev/null
> +++ b/src/compat/compat-inet_ntop.c
> @@ -0,0 +1,76 @@
> +/*
> + *  OpenVPN -- An application to securely tunnel IP networks
> + * over a single UDP port, with support for SSL/TLS-based
> + * session authentication and key exchange,
> + * packet encryption, packet authentication, and
> + * packet compression.
> + *
> + *  Copyright (C) 2011 - David Sommerseth 
> + *
> + *  This program is free software; you can redistribute it and/or modify
> + *  it under the terms of the GNU General Public License version 2
> + *  as published by the Free Software Foundation.
> + *
> + *  This program is distributed in the hope that it will be useful,
> + *  but WITHOUT ANY WARRANTY; without even the implied warranty of
> + *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> + *  GNU General Public License for more details.
> + *
> + *  You should have received a copy of the GNU General Public License
> + *  along with this program (see the file COPYING included with this
> + *  distribution); if not, write to the Free Software Foundation, Inc.,
> + *  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
> + */
> +
> +#ifdef HAVE_CONFIG_H
> +#include "config.h"
> +#elif defined(_MSC_VER)
> +#include "config-msvc.h"
> +#endif
> +
> +#ifndef HAVE_INET_NTOP
> +
> +#include "compat.h"
> +
> +#ifdef WIN32
> +
> +#include 
> +
> +/*
> + * inet_ntop() and inet_pton() wrap-implementations using
> + * WSAAddressToString() and WSAStringToAddress() functions
> + *
> + * this is needed as long as we support running OpenVPN on WinXP
> + */
> +
> +const char *
> +inet_ntop(int af, const void *src, char *dst, socklen_t size)
> +{
> +  struct sockaddr_storage ss;
> +  unsigned long s = size;
> +
> +  ZeroMemory(, sizeof(ss));
> +  ss.ss_family = af;
> +
> +  switch(af) {
> +case AF_INET:
> +  ((struct sockaddr_in *))->sin_addr = *(struct in_addr *)src;
> +  break;
> +case AF_INET6:
> +  ((struct sockaddr_in6 *))->sin6_addr = *(struct in6_addr *)src;
> +  break;
> +default:
> +  return NULL;
> +  }
> +  /* cannot direclty use  because of strict aliasing rules */
> +  return (WSAAddressToString((struct sockaddr *), sizeof(ss), NULL, dst, 
> ) == 0)?
> +  dst : NULL;
> +}
> +
> +#else
> +
> +#error no emulation for inet_ntop
> +
> +#endif
> +
> +#endif
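Review bot: Both failure paths in `inet_ntop()`, the `default:` case and a non-zero result from `WSAAddressToString`, return NULL without setting `errno`, while callers written against the POSIX function expect `EAFNOSUPPORT` or `ENOSPC` there. Set `errno` in both places so error reporting on Windows matches the other platforms. The casts `*(struct in_addr *)src` and `*(struct in6_addr *)src` also drop the `const` qualifier from `src`, and the comment above the return has a typo (`direclty`).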
> diff --git a/src/compat/compat-inet_pton.c b/src/compat/compat-inet_pton.c
> new file mode 100644
> index 000..cdc8d4b
> --- /dev/null
> +++ b/src/compat/compat-inet_pton.c
> @@ -0,0 +1,79 @@
> +/*
> + *  OpenVPN -- An application to securely tunnel IP 

Re: [Openvpn-devel] [PATCH 46/52] build: move daemon() emulation into compat

2012-03-08 Thread Samuli Seppänen
Which platforms need daemon() emulation? Only Windows?

I think it makes sense to isolate OS compatibility functions to files
under src/compat. Better than having them in misc.c. Also, I can't see
any obvious issues with the patch, code-wise.

ACK.

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock


> Signed-off-by: Alon Bar-Lev 
> ---
>  src/compat/Makefile.am |3 +-
>  src/compat/compat-daemon.c |  100 
> 
>  src/compat/compat.h|4 ++
>  src/compat/compat.vcproj   |4 ++
>  src/openvpn/init.c |2 +-
>  src/openvpn/misc.c |   32 --
>  src/openvpn/misc.h |4 --
>  7 files changed, 111 insertions(+), 38 deletions(-)
>  create mode 100644 src/compat/compat-daemon.c
>
> diff --git a/src/compat/Makefile.am b/src/compat/Makefile.am
> index 5e9db5f..c8a92ce 100644
> --- a/src/compat/Makefile.am
> +++ b/src/compat/Makefile.am
> @@ -21,4 +21,5 @@ libcompat_la_SOURCES = \
>   compat.h \
>   compat-dirname.c \
>   compat-basename.c \
> - compat-gettimeofday.c
> + compat-gettimeofday.c \
> + compat-daemon.c
> diff --git a/src/compat/compat-daemon.c b/src/compat/compat-daemon.c
> new file mode 100644
> index 000..dde96a2
> --- /dev/null
> +++ b/src/compat/compat-daemon.c
> @@ -0,0 +1,100 @@
> +/*
> + *  OpenVPN -- An application to securely tunnel IP networks
> + * over a single UDP port, with support for SSL/TLS-based
> + * session authentication and key exchange,
> + * packet encryption, packet authentication, and
> + * packet compression.
> + *
> + *  Copyright (C) 2011 - David Sommerseth 
> + *
> + *  This program is free software; you can redistribute it and/or modify
> + *  it under the terms of the GNU General Public License version 2
> + *  as published by the Free Software Foundation.
> + *
> + *  This program is distributed in the hope that it will be useful,
> + *  but WITHOUT ANY WARRANTY; without even the implied warranty of
> + *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> + *  GNU General Public License for more details.
> + *
> + *  You should have received a copy of the GNU General Public License
> + *  along with this program (see the file COPYING included with this
> + *  distribution); if not, write to the Free Software Foundation, Inc.,
> + *  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
> + */
> +
> +#ifdef HAVE_CONFIG_H
> +#include "config.h"
> +#elif defined(_MSC_VER)
> +#include "config-msvc.h"
> +#endif
> +
> +#ifndef HAVE_DAEMON
> +
> +#ifdef HAVE_UNISTD_H
> +#include 
> +#endif
> +
> +#ifdef HAVE_STDLIB_H
> +#include 
> +#endif
> +
> +#ifdef HAVE_SYS_TYPES_H
> +#include 
> +#endif
> +
> +#ifdef HAVE_SYS_STAT_H
> +#include 
> +#endif
> +
> +#ifdef HAVE_FCNTL_H
> +#include 
> +#endif
> +
> +#ifdef HAVE_ERRNO_H
> +#include 
> +#endif
> +
> +int
> +daemon(int nochdir, int noclose)
> +{
> +#if defined(HAVE_FORK) && defined(HAVE_SETSID)
> + switch (fork()) {
> + case -1:
> + return (-1);
> + case 0:
> + break;
> + default:
> + exit(0);
> + }
> +
> + if (setsid() == -1)
> + return (-1);
> +
> + if (!nochdir)
> + chdir("/");
> +
> + if (!noclose) {
> +#if defined(HAVE_DUP) && defined(HAVE_DUP2)
> + int fd;
> + if ((fd = open ("/dev/null", O_RDWR, 0)) != -1) {
> + dup2 (fd, 0);
> + dup2 (fd, 1);
> + dup2 (fd, 2);
> + if (fd > 2) {
> + close (fd);
> + }
> + }
> +#endif
> + }
> +
> + return 0;
> +#else
> + (void)nochdir;
> + (void)noclose;
> + errno = EFAULT;
> + return -1;
> +#endif
> +}
> +
> +#endif
> +
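Review bot: In the `!noclose` block, a failed `open ("/dev/null", O_RDWR, 0)` is skipped silently and the function still returns 0, so the daemon keeps the caller's stdin, stdout and stderr while reporting success. The same happens when `HAVE_DUP` or `HAVE_DUP2` is not defined. Return -1 in those cases and check the `dup2` results. The return value of `chdir("/")` is also ignored, and `ENOSYS` would describe the unsupported-platform branch better than `EFAULT`, which means a bad address.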
> diff --git a/src/compat/compat.h b/src/compat/compat.h
> index 3f9ac31..e9d51b8 100644
> --- a/src/compat/compat.h
> +++ b/src/compat/compat.h
> @@ -46,4 +46,8 @@ char * basename(char *str);
>  int gettimeofday (struct timeval *tv, void *tz);
>  #endif
>  
> +#ifndef HAVE_DAEMON
> +int daemon(int nochdir, int noclose);
> +#endif
> +
>  #endif /* COMPAT_H */
> diff --git a/src/compat/compat.vcproj b/src/compat/compat.vcproj
> index 235163c..efdecb4 100644
> --- a/src/compat/compat.vcproj
> +++ b/src/compat/compat.vcproj
> @@ -162,6 +162,10 @@
>   RelativePath=".\compat-gettimeofday.c"
>   >
>   
> +  + RelativePath=".\compat-daemon.c"
> + >
> + 
>   
>  Name="Header Files"
> diff --git a/src/openvpn/init.c b/src/openvpn/init.c
> index e7edb05..bba3cf8 100644
> --- 

Re: [Openvpn-devel] [PATCH 44/52] build: split out compat

2012-03-08 Thread Samuli Seppänen
The commit message makes sense to me, so it's a feature-ACK. Somebody
else might want to look at the code itself.

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock


> compat should not use any of the main project headers or conventions,
> it should be a standalone library that provides missing library
> functions.
>
> Signed-off-by: Alon Bar-Lev 
> ---
>  configure.ac |3 +-
>  openvpn.sln  |7 ++
>  src/Makefile.am  |2 +-
>  src/compat/Makefile.am   |   23 ++
>  src/compat/compat-basename.c |   50 
>  src/compat/compat-dirname.c  |  119 +++
>  src/compat/compat.h  |   36 
>  src/compat/compat.vcproj |  181 
> ++
>  src/openvpn/Makefile.am  |6 +-
>  src/openvpn/compat.c |  135 ---
>  src/openvpn/compat.h |   40 -
>  src/openvpn/openvpn.vcproj   |   12 +---
>  src/openvpn/syshead.h|4 +
>  13 files changed, 429 insertions(+), 189 deletions(-)
>  create mode 100644 src/compat/Makefile.am
>  create mode 100644 src/compat/compat-basename.c
>  create mode 100644 src/compat/compat-dirname.c
>  create mode 100644 src/compat/compat.h
>  create mode 100644 src/compat/compat.vcproj
>  delete mode 100644 src/openvpn/compat.c
>  delete mode 100644 src/openvpn/compat.h
>
> diff --git a/configure.ac b/configure.ac
> index f5663eb..ff3df28 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -365,7 +365,7 @@ AC_CHECK_HEADERS([ \
>  AC_CHECK_HEADERS([ \
> sys/time.h sys/un.h sys/ioctl.h sys/stat.h \
> sys/mman.h sys/file.h \
> -   unistd.h signal.h  \
> +   unistd.h signal.h libgen.h \
> syslog.h pwd.h grp.h \
> net/if_tun.h net/tun/if_tun.h stropts.h \
> sys/sockio.h \
> @@ -914,6 +914,7 @@ AC_CONFIG_FILES([
> distro/rpm/openvpn.spec
> include/Makefile
> src/Makefile
> +   src/compat/Makefile
> src/openvpn/Makefile
> src/openvpnserv/Makefile
> tests/Makefile
> diff --git a/openvpn.sln b/openvpn.sln
> index cbd2093..be35d16 100644
> --- a/openvpn.sln
> +++ b/openvpn.sln
> @@ -8,6 +8,7 @@ Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = 
> "openvpnserv", "src\openvpns
>  EndProject
>  Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "openvpn", 
> "src\openvpn\openvpn.vcproj", "{29DF226E-4D4E-440F-ADAF-5829CFD4CA94}"
> ProjectSection(ProjectDependencies) = postProject
> +   {4B2E2719-E661-45D7-9203-F6F456B22F19} = 
> {4B2E2719-E661-45D7-9203-F6F456B22F19}
> {8598C2C8-34C4-47A1-99B0-7C295A890615} = 
> {8598C2C8-34C4-47A1-99B0-7C295A890615}
> EndProjectSection
>  EndProject
> @@ -20,6 +21,8 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "misc", 
> "misc", "{1AA03DE8-3
>  EndProject
>  Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "msvc-generate", 
> "build\msvc\msvc-generate\msvc-generate.vcproj", 
> "{8598C2C8-34C4-47A1-99B0-7C295A890615}"
>  EndProject
> +Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "compat", 
> "src\compat\compat.vcproj", "{4B2E2719-E661-45D7-9203-F6F456B22F19}"
> +EndProject
>  Global
> GlobalSection(SolutionConfigurationPlatforms) = preSolution
> Debug|Win32 = Debug|Win32
> @@ -38,6 +41,10 @@ Global
> {8598C2C8-34C4-47A1-99B0-7C295A890615}.Debug|Win32.Build.0 = 
> Debug|Win32
> 
> {8598C2C8-34C4-47A1-99B0-7C295A890615}.Release|Win32.ActiveCfg = Release|Win32
> {8598C2C8-34C4-47A1-99B0-7C295A890615}.Release|Win32.Build.0 
> = Release|Win32
> +   {4B2E2719-E661-45D7-9203-F6F456B22F19}.Debug|Win32.ActiveCfg 
> = Debug|Win32
> +   {4B2E2719-E661-45D7-9203-F6F456B22F19}.Debug|Win32.Build.0 = 
> Debug|Win32
> +   
> {4B2E2719-E661-45D7-9203-F6F456B22F19}.Release|Win32.ActiveCfg = Release|Win32
> +   {4B2E2719-E661-45D7-9203-F6F456B22F19}.Release|Win32.Build.0 
> = Release|Win32
> EndGlobalSection
> GlobalSection(SolutionProperties) = preSolution
> HideSolutionNode = FALSE
> diff --git a/src/Makefile.am b/src/Makefile.am
> index f2481c2..b894977 100644
> --- a/src/Makefile.am
> +++ b/src/Makefile.am
> @@ -15,4 +15,4 @@ MAINTAINERCLEANFILES = \
>  EXTRA_DIST = \
> plugins
>
> -SUBDIRS = openvpn openvpnserv
> +SUBDIRS = compat openvpn openvpnserv
> diff --git a/src/compat/Makefile.am b/src/compat/Makefile.am
> new file mode 100644
> index 000..e33e5e7
> --- /dev/null
> +++ b/src/compat/Makefile.am
> @@ -0,0 +1,23 @@
> +#
> +#  OpenVPN -- An application to securely tunnel IP networks
> +# over a single UDP port, with support for SSL/TLS-based
> +# session authentication and key exchange,
> +# packet encryption, packet authentication, and
> +# 

Re: [Openvpn-devel] [PATCH 42/52] build: win-msvc: msbuild format

2012-03-08 Thread Samuli Seppänen
A huge patch :). So, this basically adds the new MSVC build system,
which we want, at least for now. All the changes to existing files are
fairly trivial.

I didn't go through all of this, but I suggest we give this one an ACK
and fix any issues later on. I've tested this buildsystem and it worked
fine on Windows 2008r2.

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



> Signed-off-by: Alon Bar-Lev 
> ---
>  .gitignore|   11 +-
>  Makefile.am   |   10 +-
>  build/Makefile.am |2 +
>  build/msvc/Makefile.am|   15 +
>  build/msvc/msvc-generate/Makefile.am  |   18 +
>  build/msvc/msvc-generate/Makefile.mak |   13 +
>  build/msvc/msvc-generate/msvc-generate.js |  118 
>  build/msvc/msvc-generate/msvc-generate.vcproj |   74 +++
>  config-msvc-version.h.in  |   10 +
>  config-msvc.h |  122 
>  configure.ac  |5 +-
>  msvc-build.bat|   34 ++
>  msvc-dev.bat  |9 +
>  msvc-env.bat  |   29 +
>  openvpn.sln   |   45 ++
>  src/openvpn/Makefile.am   |3 +
>  src/openvpn/compat.h  |2 -
>  src/openvpn/crypto_backend.h  |2 -
>  src/openvpn/openvpn.vcproj|  769 
> +
>  src/openvpn/openvpn_win32_resources.rc|2 +-
>  src/openvpn/syshead.h |   14 +-
>  src/openvpn/tun.c |2 +-
>  src/openvpn/win32.c   |2 +-
>  src/openvpnserv/Makefile.am   |3 +
>  src/openvpnserv/openvpnserv.c |   16 +-
>  src/openvpnserv/openvpnserv.vcproj|  209 +++
>  src/openvpnserv/openvpnserv_resources.rc  |2 +-
>  src/openvpnserv/service.c |5 +
>  src/openvpnserv/service.h |2 -
>  29 files changed, 1527 insertions(+), 21 deletions(-)
>  create mode 100644 build/msvc/Makefile.am
>  create mode 100644 build/msvc/msvc-generate/Makefile.am
>  create mode 100755 build/msvc/msvc-generate/Makefile.mak
>  create mode 100644 build/msvc/msvc-generate/msvc-generate.js
>  create mode 100644 build/msvc/msvc-generate/msvc-generate.vcproj
>  create mode 100644 config-msvc-version.h.in
>  create mode 100644 config-msvc.h
>  create mode 100644 msvc-build.bat
>  create mode 100644 msvc-dev.bat
>  create mode 100644 msvc-env.bat
>  create mode 100644 openvpn.sln
>  create mode 100644 src/openvpn/openvpn.vcproj
>  create mode 100644 src/openvpnserv/openvpnserv.vcproj
>
> diff --git a/.gitignore b/.gitignore
> index 156b2c2..e7232cf 100644
> --- a/.gitignore
> +++ b/.gitignore
> @@ -2,12 +2,18 @@
>  *.dll
>  *.exe
>  *.exe.*
> -*.mak
>  *.obj
>  *.pyc
>  *.so
>  *~
>  *.idb
> +*.suo
> +*.ncb
> +*.vcproj.*
> +*.log
> +Release
> +Debug
> +Win32-Output
>  .deps
>  Makefile
>  Makefile.in
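Review bot: `Release`, `Debug` and `*.log` are unanchored patterns, so they ignore any file or directory with those names anywhere in the tree, not only the MSVC output directories. Writing the directory entries as `Release/` and `Debug/` limits them to directories. The removal of `*.mak` goes with the newly tracked `Makefile.mak` listed in the diffstat and deserves one line in the commit message.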
> @@ -33,6 +39,9 @@ m4/ltsugar.m4
>  m4/ltversion.m4
>  m4/lt~obsolete.m4
>
> +msvc-env-local.bat
> +config-msvc-local.h
> +config-msvc-version.h
>  doc/openvpn.8.html
>  distro/rpm/openvpn.spec
>  tests/t_client.sh
> diff --git a/Makefile.am b/Makefile.am
> index ebc2252..5293518 100644
> --- a/Makefile.am
> +++ b/Makefile.am
> @@ -54,10 +54,18 @@ dist_noinst_DATA = \
> .gitignore \
> PORTS \
> README.IPv6 TODO.IPv6 \
> -   README.polarssl
> +   README.polarssl \
> +   openvpn.sln \
> +   msvc-env.bat \
> +   msvc-dev.bat \
> +   msvc-build.bat
>
>  if WIN32
>  dist_doc_DATA += INSTALL-win32.txt
>  else
>  dist_noinst_DATA += INSTALL-win32.txt
>  endif
> +
> +dist_noinst_HEADERS = \
> +   config-msvc.h \
> +   config-msvc-version.h.in
> diff --git a/build/Makefile.am b/build/Makefile.am
> index a993b20..b53ff52 100644
> --- a/build/Makefile.am
> +++ b/build/Makefile.am
> @@ -13,3 +13,5 @@ MAINTAINERCLEANFILES = \
>
>  EXTRA_DIST = \
> ltrc.inc
> +
> +SUBDIRS = msvc
> diff --git a/build/msvc/Makefile.am b/build/msvc/Makefile.am
> new file mode 100644
> index 000..7dc3def
> --- /dev/null
> +++ b/build/msvc/Makefile.am
> @@ -0,0 +1,15 @@
> +#
> +#  OpenVPN -- An application to securely tunnel IP networks
> +# over a single UDP port, with support for SSL/TLS-based
> +# session authentication and key exchange,
> +# packet encryption, packet authentication, and
> +# packet compression.
> +#
> +#  Copyright (C) 2002-2010 OpenVPN Technologies, Inc. 
> +#  Copyright (C) 2006-2012 Alon Bar-Lev 
> +#
> +
> +MAINTAINERCLEANFILES = \
> +   $(srcdir)/Makefile.in
> +
> +SUBDIRS = msvc-generate
> diff 

Re: [Openvpn-devel] [PATCH 41/52] build: autoconf: update defaults for options

2012-03-08 Thread Samuli Seppänen
I'd rather not RTFM... could somebody explain to me what the funky
"@<:@default=no@:>@" thing exactly does? Does it just add the default
"enabled/disabled" value to the help strings?

If so it's an ACK.

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock


> Signed-off-by: Alon Bar-Lev 
> ---
>  configure.ac |   56 
>  1 files changed, 28 insertions(+), 28 deletions(-)
>
> diff --git a/configure.ac b/configure.ac
> index 57d294d..9ffcc68 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -41,195 +41,195 @@ AC_USE_SYSTEM_EXTENSIONS
>
>  AC_ARG_ENABLE(
> [lzo],
> -   [AS_HELP_STRING([--enable-lzo], [enable LZO compression support])],
> +   [AS_HELP_STRING([--enable-lzo], [enable LZO compression support 
> @<:@default=no@:>@])],
> ,
> [enable_lzo="no"]
>  )
>
>  AC_ARG_ENABLE(
> [lzo-stub],
> -   [AS_HELP_STRING([--enable-lzo-stub], [don't compile LZO compression 
> support but still allow limited interoperability with LZO-enabled peers])],
> +   [AS_HELP_STRING([--enable-lzo-stub], [don't compile LZO compression 
> support but still allow limited interoperability with LZO-enabled peers 
> @<:@default=no@:>@])],
> ,
> [enable_lzo_stub="no"]
>  )
>
>  AC_ARG_ENABLE(
> [crypto],
> -   [AS_HELP_STRING([--disable-crypto], [disable crypto support])],
> +   [AS_HELP_STRING([--disable-crypto], [disable crypto support 
> @<:@default=yes@:>@])],
> ,
> [enable_crypto="yes"]
>  )
>
>  AC_ARG_ENABLE(
> [ssl],
> -   [AS_HELP_STRING([--disable-ssl], [disable SSL support for TLS-based 
> key exchange])],
> +   [AS_HELP_STRING([--disable-ssl], [disable SSL support for TLS-based 
> key exchange @<:@default=yes@:>@])],
> ,
> [enable_ssl="yes"]
>  )
>
>  AC_ARG_ENABLE(
> [x509-alt-username],
> -   [AS_HELP_STRING([--enable-x509-alt-username], [enable the 
> --x509-username-field feature])],
> +   [AS_HELP_STRING([--enable-x509-alt-username], [enable the 
> --x509-username-field feature @<:@default=no@:>@])],
> ,
> [enable_x509_alt_username="no"]
>  )
>
>  AC_ARG_ENABLE(
> [multi],
> -   [AS_HELP_STRING([--disable-multi], [disable client/server support 
> (--mode server + client mode)])],
> +   [AS_HELP_STRING([--disable-multi], [disable client/server support 
> (--mode server + client mode) @<:@default=yes@:>@])],
> ,
> [enable_multi="yes"]
>  )
>
>  AC_ARG_ENABLE(
> [server],
> -   [AS_HELP_STRING([--disable-server], [disable server support only (but 
> retain client support)])],
> +   [AS_HELP_STRING([--disable-server], [disable server support only (but 
> retain client support) @<:@default=yes@:>@])],
> ,
> [enable_server="yes"]
>  )
>
>  AC_ARG_ENABLE(
> [plugins],
> -   [AS_HELP_STRING([--disable-plugins], [disable plug-in support])],
> +   [AS_HELP_STRING([--disable-plugins], [disable plug-in support 
> @<:@default=yes@:>@])],
> ,
> [enable_plugins="yes"]
>  )
>
>  AC_ARG_ENABLE(
> [eurephia],
> -   [AS_HELP_STRING([--disable-eurephia], [disable support for the 
> eurephia plug-in])],
> +   [AS_HELP_STRING([--disable-eurephia], [disable support for the 
> eurephia plug-in @<:@default=yes@:>@])],
> ,
> [enable_eurephia="yes"]
>  )
>
>  AC_ARG_ENABLE(
> [management],
> -   [AS_HELP_STRING([--disable-management], [disable management server 
> support])],
> +   [AS_HELP_STRING([--disable-management], [disable management server 
> support @<:@default=yes@:>@])],
> ,
> [enable_management="yes"]
>  )
>
>  AC_ARG_ENABLE(
> [pkcs11],
> -   [AS_HELP_STRING([--enable-pkcs11], [enable pkcs11 support])],
> +   [AS_HELP_STRING([--enable-pkcs11], [enable pkcs11 support 
> @<:@default=no@:>@])],
> ,
> [enable_pkcs11="no"]
>  )
>
>  AC_ARG_ENABLE(
> [socks],
> -   [AS_HELP_STRING([--disable-socks], [disable Socks support])],
> +   [AS_HELP_STRING([--disable-socks], [disable Socks support 
> @<:@default=yes@:>@])],
> ,
> [enable_socks="yes"]
>  )
>
>  AC_ARG_ENABLE(
> [http-proxy],
> -   [AS_HELP_STRING([--disable-http-proxy], [disable HTTP proxy 
> support])],
> +   [AS_HELP_STRING([--disable-http-proxy], [disable HTTP proxy support 
> @<:@default=yes@:>@])],
> ,
> [enable_http_proxy="yes"]
>  )
>
>  AC_ARG_ENABLE(
> [fragment],
> -   [AS_HELP_STRING([--disable-fragment], [disable internal fragmentation 
> support (--fragment)])],
> +   [AS_HELP_STRING([--disable-fragment], [disable internal fragmentation 
> support (--fragment) @<:@default=yes@:>@])],
> ,
> [enable_fragment="yes"]
>  )
>
>  AC_ARG_ENABLE(
> [multihome],
> -   [AS_HELP_STRING([--disable-multihome], 
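Review bot: Each option now states its default twice, once as text in the help string (`@<:@default=no@:>@`) and once in the fallback argument (`[enable_lzo="no"]`), and nothing keeps the two in step if a default changes later. A wrapper macro that takes the default once, or at least a comment at the top of the block, would stop the help output from drifting. For readers of the patch: `@<:@` and `@:>@` are the Autoconf quadrigraphs for `[` and `]`, so `./configure --help` prints `[default=no]`.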

Re: [Openvpn-devel] [PATCH 37/52] build: proper pkcs11-helper detection and usage

2012-03-08 Thread Samuli Seppänen
These changes follow the same style as earlier patches, e.g. the selinux
patch. Pkg-config is now being used to detect pkcs11-helper afaics.
Also, pkcs11-helper is now disabled by default, which I think makes sense.

I don't see why this shouldn't be included, so it's an ACK.

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock


> Signed-off-by: Alon Bar-Lev 
> ---
>  configure.ac   |   49 ---
>  distro/rpm/openvpn.spec.in |5 ++-
>  src/openvpn/Makefile.am|4 +++
>  src/openvpn/ssl.c  |2 +-
>  src/openvpn/syshead.h  |7 --
>  5 files changed, 26 insertions(+), 41 deletions(-)
>
> diff --git a/configure.ac b/configure.ac
> index 2388f17..baa66b2 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -111,9 +111,9 @@ AC_ARG_ENABLE(
>  
>  AC_ARG_ENABLE(
>   [pkcs11],
> - [AS_HELP_STRING([--disable-pkcs11], [disable pkcs11 support])],
> + [AS_HELP_STRING([--enable-pkcs11], [enable pkcs11 support])],
>   ,
> - [enable_pkcs11="yes"]
> + [enable_pkcs11="no"]
>  )
>  
>  AC_ARG_ENABLE(
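Review bot: The default for PKCS#11 flips from `yes` to `no` at `[enable_pkcs11="no"]`, but the commit message carries only the Signed-off-by line. State the change in the message or the release notes, because builds that relied on the old default will drop PKCS#11 support without any configure error.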
> @@ -254,19 +254,6 @@ AC_ARG_WITH(
>  )
>  
>  AC_ARG_WITH(
> - [pkcs11-helper-headers],
> - [AS_HELP_STRING([--with-pkcs11-helper-headers=DIR], [pkcs11-helper 
> Include files location])],
> - [PKCS11_HELPER_HDR_DIR="$withval"]
> - [CPPFLAGS="$CPPFLAGS -I$withval"] 
> -)
> -
> -AC_ARG_WITH(
> - [pkcs11-helper-lib],
> - [AS_HELP_STRING([--with-pkcs11-helper-lib=DIR], [pkcs11-helper Library 
> location])],
> - [LDFLAGS="$LDFLAGS -L$withval"] 
> -)
> -
> -AC_ARG_WITH(
>   [mem-check],
>   [AS_HELP_STRING([--with-mem-check=TYPE], [build with debug memory 
> checking, TYPE=dmalloc|valgrind|ssl])],
>   [
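Review bot: Removing `--with-pkcs11-helper-headers` and `--with-pkcs11-helper-lib` leaves no documented way to point the build at a pkcs11-helper outside the default pkg-config search path. Mention `PKG_CONFIG_PATH`, or the `PKCS11_HELPER_CFLAGS` and `PKCS11_HELPER_LIBS` overrides, in the commit message or the install notes so build scripts that pass the old options can be migrated.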
> @@ -719,22 +706,12 @@ if test "${enable_lzo_stub}" = "yes"; then
>   AC_DEFINE([LZO_STUB], [1], [Enable LZO stub capability])
>  fi
>  
> -dnl
> -dnl enable pkcs11 capability
> -dnl
> -if test "${enable_pkcs11}" = "yes"; then
> -   AC_CHECKING([for pkcs11-helper Library and Header files])
> -   AC_CHECK_HEADER(pkcs11-helper-1.0/pkcs11h-core.h,
> - [AC_CHECK_LIB(pkcs11-helper, pkcs11h_initialize,
> - [
> -AC_DEFINE(USE_PKCS11, 1, [Enable PKCS11 capability])
> -LIBS="${LIBS} -lpkcs11-helper"
> - ],
> - [AC_MSG_RESULT([pkcs11-helper library not found.])]
> - )],
> - [AC_MSG_RESULT([pkcs11-helper headers not found.])]
> -   )
> -fi
> +PKG_CHECK_MODULES(
> + [PKCS11_HELPER],
> + [libpkcs11-helper-1 >= 1.02],
> + [have_pkcs11_helper="yes"],
> + []
> +)
>  
>  dnl
>  dnl check for SSL-crypto library
> @@ -890,6 +867,14 @@ if test "${enable_selinux}" = "yes"; then
>   AC_DEFINE([ENABLE_SELINUX], [1], [SELinux support])
>  fi
>  
> +if test "${enable_pkcs11}" = "yes"; then
> + test "${have_pkcs11_helper}" != "yes" && AC_MSG_ERROR([PKCS11 enabled 
> but libpkcs11-helper is missing])
> + test "${enable_ssl}" != "yes" && AC_MSG_ERROR([PKCS11 can be enabled 
> only if SSL is enabled])
> + OPTIONAL_PKCS11_HELPER_CFLAGS="${PKCS11_HELPER_CFLAGS}"
> + OPTIONAL_PKCS11_HELPER_LIBS="${PKCS11_HELPER_LIBS}"
> + AC_DEFINE([ENABLE_PKCS11], [1], [Enable PKCS11])
> +fi
> +
>  if test "${enable_pedantic}" = "yes"; then
>   enable_strict="yes"
>   CFLAGS="${CFLAGS} -ansi -pedantic"
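Review bot: The preprocessor define is renamed from `USE_PKCS11` (removed in the earlier hunk) to `ENABLE_PKCS11` at `AC_DEFINE([ENABLE_PKCS11], [1], [Enable PKCS11])`. Confirm that no `USE_PKCS11` guard remains in the sources, because a leftover `#ifdef` would compile the PKCS#11 code out silently instead of breaking the build. The rename is also worth a line in the commit message.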
> @@ -917,6 +902,8 @@ AC_SUBST([TAP_WIN_MIN_MINOR])
>  
>  AC_SUBST([OPTIONAL_DL_LIBS])
>  AC_SUBST([OPTIONAL_SELINUX_LIBS])
> +AC_SUBST([OPTIONAL_PKCS11_HELPER_CFLAGS])
> +AC_SUBST([OPTIONAL_PKCS11_HELPER_LIBS])
>  
>  AM_CONDITIONAL([WIN32], [test "${WIN32}" = "yes"])
>  
> diff --git a/distro/rpm/openvpn.spec.in b/distro/rpm/openvpn.spec.in
> index 455f739..8db5172 100644
> --- a/distro/rpm/openvpn.spec.in
> +++ b/distro/rpm/openvpn.spec.in
> @@ -52,8 +52,8 @@ Requires:  openssl   >= 0.9.6
>  %{!?without_pam:BuildRequires: pam-devel}
>  %{!?without_pam:Requires:  pam}
>  
> -%{!?with_pkcs11:BuildRequires: pkcs11-helper-devel}
> -%{!?with_pkcs11:Requires:  pkcs11-helper}
> +%{?with_pkcs11:BuildRequires: pkcs11-helper-devel}
> +%{?with_pkcs11:Requires:  pkcs11-helper}
>  
>  #
>  # Description
> @@ -111,6 +111,7 @@ Development support for OpenVPN.
>   --docdir="%{_docdir}/%{name}-%{version}" \
>   %{?with_password_save:--enable-password-save} \
>   %{?without_lzo:--disable-lzo} \
> + %{?with_pkcs11:--enable-pkcs11} \
>   %{?with_kerberos:--with-ssl-headers=/usr/kerberos/include}
>  %__make
>  
> diff --git a/src/openvpn/Makefile.am b/src/openvpn/Makefile.am
> index a3f8b3a..fd92225 100644
> --- a/src/openvpn/Makefile.am
> +++ b/src/openvpn/Makefile.am
> @@ -16,6 +16,9 @@ MAINTAINERCLEANFILES = \
>  
>  INCLUDES = -I$(top_srcdir)/include
>  
> +AM_CFLAGS = \
> + $(OPTIONAL_PKCS11_HELPER_CFLAGS)
> +
>  sbin_PROGRAMS = openvpn
>  
>  openvpn_SOURCES = \
> @@ -97,6 +100,7 @@ openvpn_SOURCES = \
>   cryptoapi.h 

Re: [Openvpn-devel] [PATCH 36/52] build: distribute pkg.m4

2012-03-08 Thread Samuli Seppänen
If we need pkg-config, then we also want this one:

"Macros to locate and utilise pkg-config"

ACK.

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



> RHEL and others do not install this globally, so we provide our own copy.
>
> Signed-off-by: Alon Bar-Lev 
> ---
>  m4/pkg.m4 |  159 
> +
>  1 files changed, 159 insertions(+), 0 deletions(-)
>  create mode 100644 m4/pkg.m4
>
> diff --git a/m4/pkg.m4 b/m4/pkg.m4
> new file mode 100644
> index 000..9a71878
> --- /dev/null
> +++ b/m4/pkg.m4
> @@ -0,0 +1,159 @@
> +# pkg.m4 - Macros to locate and utilise pkg-config.-*- Autoconf 
> -*-
> +# serial 1 (pkg-config-0.24)
> +# 
> +# Copyright © 2004 Scott James Remnant .
> +#
> +# This program is free software; you can redistribute it and/or modify
> +# it under the terms of the GNU General Public License as published by
> +# the Free Software Foundation; either version 2 of the License, or
> +# (at your option) any later version.
> +#
> +# This program is distributed in the hope that it will be useful, but
> +# WITHOUT ANY WARRANTY; without even the implied warranty of
> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
> +# General Public License for more details.
> +#
> +# You should have received a copy of the GNU General Public License
> +# along with this program; if not, write to the Free Software
> +# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
> +#
> +# As a special exception to the GNU General Public License, if you
> +# distribute this file as part of a program that contains a
> +# configuration script generated by Autoconf, you may include it under
> +# the same distribution terms that you use for the rest of that program.
> +
> +# PKG_PROG_PKG_CONFIG([MIN-VERSION])
> +# --
> +AC_DEFUN([PKG_PROG_PKG_CONFIG],
> +[m4_pattern_forbid([^_?PKG_[A-Z_]+$])
> +m4_pattern_allow([^PKG_CONFIG(_(PATH|LIBDIR|SYSROOT_DIR|ALLOW_SYSTEM_(CFLAGS|LIBS)))?$])
> +m4_pattern_allow([^PKG_CONFIG_(DISABLE_UNINSTALLED|TOP_BUILD_DIR|DEBUG_SPEW)$])
> +AC_ARG_VAR([PKG_CONFIG], [path to pkg-config utility])
> +AC_ARG_VAR([PKG_CONFIG_PATH], [directories to add to pkg-config's search 
> path])
> +AC_ARG_VAR([PKG_CONFIG_LIBDIR], [path overriding pkg-config's built-in 
> search path])
> +
> +if test "x$ac_cv_env_PKG_CONFIG_set" != "xset"; then
> + AC_PATH_TOOL([PKG_CONFIG], [pkg-config])
> +fi
> +if test -n "$PKG_CONFIG"; then
> + _pkg_min_version=m4_default([$1], [0.9.0])
> + AC_MSG_CHECKING([pkg-config is at least version $_pkg_min_version])
> + if $PKG_CONFIG --atleast-pkgconfig-version $_pkg_min_version; then
> + AC_MSG_RESULT([yes])
> + else
> + AC_MSG_RESULT([no])
> + PKG_CONFIG=""
> + fi
> +fi[]dnl
> +])# PKG_PROG_PKG_CONFIG
> +
> +# PKG_CHECK_EXISTS(MODULES, [ACTION-IF-FOUND], [ACTION-IF-NOT-FOUND])
> +#
> +# Check to see whether a particular set of modules exists.  Similar
> +# to PKG_CHECK_MODULES(), but does not set variables or print errors.
> +#
> +# Please remember that m4 expands AC_REQUIRE([PKG_PROG_PKG_CONFIG])
> +# only at the first occurence in configure.ac, so if the first place
> +# it's called might be skipped (such as if it is within an "if", you
> +# have to call PKG_CHECK_EXISTS manually
> +# --
> +AC_DEFUN([PKG_CHECK_EXISTS],
> +[AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl
> +if test -n "$PKG_CONFIG" && \
> +AC_RUN_LOG([$PKG_CONFIG --exists --print-errors "$1"]); then
> +  m4_default([$2], [:])
> +m4_ifvaln([$3], [else
> +  $3])dnl
> +fi])
> +
> +# _PKG_CONFIG([VARIABLE], [COMMAND], [MODULES])
> +# -
> +m4_define([_PKG_CONFIG],
> +[if test -n "$$1"; then
> +pkg_cv_[]$1="$$1"
> + elif test -n "$PKG_CONFIG"; then
> +PKG_CHECK_EXISTS([$3],
> + [pkg_cv_[]$1=`$PKG_CONFIG --[]$2 "$3" 2>/dev/null`
> +   test "x$?" != "x0" && pkg_failed=yes ],
> +  [pkg_failed=yes])
> + else
> +pkg_failed=untried
> +fi[]dnl
> +])# _PKG_CONFIG
> +
> +# _PKG_SHORT_ERRORS_SUPPORTED
> +# -
> +AC_DEFUN([_PKG_SHORT_ERRORS_SUPPORTED],
> +[AC_REQUIRE([PKG_PROG_PKG_CONFIG])
> +if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
> +_pkg_short_errors_supported=yes
> +else
> +_pkg_short_errors_supported=no
> +fi[]dnl
> +])# _PKG_SHORT_ERRORS_SUPPORTED
> +
> +
> +# PKG_CHECK_MODULES(VARIABLE-PREFIX, MODULES, [ACTION-IF-FOUND],
> +# [ACTION-IF-NOT-FOUND])
> +#
> +#
> +# Note that if there is a possibility the first call to
> +# PKG_CHECK_MODULES might not happen, you should be sure to include an
> +# explicit call to PKG_PROG_PKG_CONFIG in your configure.ac
> +#
> +#
> +# --
> 

Re: [Openvpn-devel] [PATCH 35/52] build: proper selinux detection and usage

2012-03-08 Thread Samuli Seppänen
Looks like a cleaner implementation than the earlier one. I take it 
AC_CHECK_HEADER is no longer needed to detect selinux.h, but why exactly?

Besides that I give this one an ACK.

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock

> Signed-off-by: Alon Bar-Lev 
> ---
>  configure.ac|   35 +++
>  src/openvpn/Makefile.am |1 +
>  src/openvpn/init.c  |4 ++--
>  src/openvpn/options.c   |6 +++---
>  src/openvpn/options.h   |2 +-
>  src/openvpn/syshead.h   |2 +-
>  6 files changed, 23 insertions(+), 27 deletions(-)
>
> diff --git a/configure.ac b/configure.ac
> index 98615c6..2388f17 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -215,7 +215,7 @@ AC_ARG_ENABLE(
>  
>  AC_ARG_ENABLE(
>   [selinux],
> - [AS_HELP_STRING([--disable-selinux], [disable SELinux support])],
> + [AS_HELP_STRING([--enable-selinux], [enable SELinux support])],
>   ,
>   [enable_selinux="no"]
>  )
> @@ -619,6 +619,13 @@ AC_CHECK_LIB(
>  )
>  AC_SUBST([SOCKETS_LIBS])
>  
> +AC_CHECK_LIB(
> + [selinux],
> + [setcon],
> + [SELINUX_LIBS="-lselinux"]
> +)
> +AC_SUBST([SELINUX_LIBS])
> +
>  case "${with_mem_check}" in
>   valgrind)
>   AC_CHECK_HEADER(
> @@ -826,25 +833,6 @@ if test "${enable_crypto}" = "yes"; then
> fi
>  fi
>  
> -dnl
> -dnl check for SELinux library and headers
> -dnl
> -if test "${enable_selinux}" = "yes"; then
> - AC_CHECK_HEADER(
> - [selinux/selinux.h],
> - [AC_CHECK_LIB(
> - [selinux],
> - [setcon],
> - [
> - LIBS="${LIBS} -lselinux"
> - AC_DEFINE(HAVE_SETCON, 1, [SELinux support])
> - ],
> - [AC_MSG_RESULT([SELinux library not found.])]
> - )],
> - [AC_MSG_ERROR([SELinux headers not found.])]
> - )
> -fi
> -
>  if test -n "${SP_PLATFORM_WINDOWS}"; then
>   AC_DEFINE_UNQUOTED([PATH_SEPARATOR], [''], [Path separator]) #"
>   AC_DEFINE_UNQUOTED([PATH_SEPARATOR_STR], [""], [Path separator]) #"
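Review bot: The removed block checked for selinux/selinux.h before probing the library, and the AC_CHECK_LIB that replaces it in this patch probes only for setcon. With --enable-selinux on a host that has libselinux but not its headers, configure now succeeds and the failure moves to compile time. Keeping an AC_CHECK_HEADER([selinux/selinux.h]) inside the new enable_selinux block would preserve the early, readable error.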
> @@ -896,6 +884,12 @@ else
>   fi
>  fi
>  
> +if test "${enable_selinux}" = "yes"; then
> + test -z "${SELINUX_LIBS}" && AC_MSG_ERROR([libselinux required but 
> missing])
> + OPTIONAL_SELINUX_LIBS="${SELINUX_LIBS}"
> + AC_DEFINE([ENABLE_SELINUX], [1], [SELinux support])
> +fi
> +
>  if test "${enable_pedantic}" = "yes"; then
>   enable_strict="yes"
>   CFLAGS="${CFLAGS} -ansi -pedantic"
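Review bot: The test -z "${SELINUX_LIBS}" check trusts whatever SELINUX_LIBS holds, and the AC_CHECK_LIB added earlier in this patch assigns it only on success, so a value inherited from the caller's environment passes this check even when the probe failed. Set SELINUX_LIBS to empty before the probe, or declare it with AC_ARG_VAR if overriding it is intended.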
> @@ -922,6 +916,7 @@ AC_SUBST([TAP_WIN_MIN_MAJOR])
>  AC_SUBST([TAP_WIN_MIN_MINOR])
>  
>  AC_SUBST([OPTIONAL_DL_LIBS])
> +AC_SUBST([OPTIONAL_SELINUX_LIBS])
>  
>  AM_CONDITIONAL([WIN32], [test "${WIN32}" = "yes"])
>  
> diff --git a/src/openvpn/Makefile.am b/src/openvpn/Makefile.am
> index 86abd09..a3f8b3a 100644
> --- a/src/openvpn/Makefile.am
> +++ b/src/openvpn/Makefile.am
> @@ -97,6 +97,7 @@ openvpn_SOURCES = \
>   cryptoapi.h cryptoapi.c
>  openvpn_LDADD = \
>   $(SOCKETS_LIBS) \
> + $(OPTIONAL_SELINUX_LIBS) \
>   $(OPTIONAL_DL_LIBS)
>  if WIN32
>  openvpn_SOURCES += openvpn_win32_resources.rc
> diff --git a/src/openvpn/init.c b/src/openvpn/init.c
> index b8f57b2..0c995ff 100644
> --- a/src/openvpn/init.c
> +++ b/src/openvpn/init.c
> @@ -1038,7 +1038,7 @@ do_uid_gid_chroot (struct context *c, bool no_delay)
>   mstats_open(c->options.memstats_fn);
>  #endif
>  
> -#ifdef HAVE_SETCON
> +#ifdef ENABLE_SELINUX
>/* Apply a SELinux context in order to restrict what OpenVPN can do
> * to _only_ what it is supposed to do after initialization is complete
> * (basically just network I/O operations). Doing it after chroot
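Review bot: Renaming the guard from HAVE_SETCON to ENABLE_SELINUX here means any guard left under the old name is compiled out without a warning, and this one protects the SELinux context that restricts OpenVPN after initialization. The diffstat lists options.h and syshead.h as well; please confirm with a grep that no HAVE_SETCON remains in the tree once the patch is applied.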
> @@ -2465,7 +2465,7 @@ do_option_warnings (struct context *c)
>  msg (M_WARN, "WARNING: --ping should normally be used with 
> --ping-restart or --ping-exit");
>  
>if (o->username || o->groupname || o->chroot_dir
> -#ifdef HAVE_SETCON
> +#ifdef ENABLE_SELINUX
>|| o->selinux_context
>  #endif
>)
> diff --git a/src/openvpn/options.c b/src/openvpn/options.c
> index d7f848e..4e95b83 100644
> --- a/src/openvpn/options.c
> +++ b/src/openvpn/options.c
> @@ -316,7 +316,7 @@ static const char usage_message[] =
>"--user user : Set UID to user after initialization.\n"
>"--group group   : Set GID to group after initialization.\n"
>"--chroot dir: Chroot to this directory after initialization.\n"
> -#ifdef HAVE_SETCON
> +#ifdef ENABLE_SELINUX
>"--setcon context: Apply this SELinux context after initialization.\n"
>  #endif
>"--cd dir: Change to this directory before initialization.\n"
> @@ -1477,7 +1477,7 @@ show_settings (const struct options *o)
>SHOW_STR (groupname);
>SHOW_STR (chroot_dir);
>SHOW_STR (cd_dir);
> -#ifdef HAVE_SETCON
> +#ifdef ENABLE_SELINUX
>SHOW_STR (selinux_context);
>  

Re: [Openvpn-devel] [PATCH 33/52] build: properly detect and use socket libs

2012-03-08 Thread Samuli Seppänen
Did some digging regarding AC_SEARCH_LIBS and AC_CHECK_LIB. Somebody
with more autotools knowledge might want to read this one:



So, the question is: why AC_CHECK_LIB rather than AC_SEARCH_LIBS in this
particular case? Apparently both have their uses.

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock


> Signed-off-by: Alon Bar-Lev 
> ---
>  configure.ac|   27 +--
>  src/openvpn/Makefile.am |1 +
>  2 files changed, 18 insertions(+), 10 deletions(-)
>
> diff --git a/configure.ac b/configure.ac
> index a0dc462..c540f82 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -442,16 +442,6 @@ if test "${WIN32}" != "yes"; then
>   [[${SOCKET_INCLUDES}]]
>   )
>  
> - AC_CHECK_DECLS(
> - [SO_MARK],
> - ,
> - ,
> - [[${SOCKET_INCLUDES}]]
> - )
> -
> - AC_SEARCH_LIBS([socket], [socket])
> - AC_SEARCH_LIBS([inet_ntoa], [nsl])
> - AC_SEARCH_LIBS([gethostbyname], [resolv nsl])
>   AC_FUNC_FORK
>  fi
>  
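Review bot: Removing AC_CHECK_DECLS([SO_MARK]) is not a socket-library change, and none of the 18 lines this patch adds puts it back, so HAVE_DECL_SO_MARK stops being defined. If SO_MARK detection is meant to go away, it belongs in its own patch with a line in the commit message; otherwise keep the check where it was.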
> @@ -613,6 +603,23 @@ AC_CHECK_LIB(
>  )
>  AC_SUBST([DL_LIBS])
>  
> +AC_CHECK_LIB(
> + [nsl],
> + [inet_ntoa],
> + [SOCKETS_LIBS="${SOCKETS_LIBS} -lnsl"]
> +)
> +AC_CHECK_LIB(
> + [socket],
> + [socket],
> + [SOCKETS_LIBS="${SOCKETS_LIBS} -lsocket"]
> +)
> +AC_CHECK_LIB(
> + [resolv],
> + [gethostbyname],
> + [SOCKETS_LIBS="${SOCKETS_LIBS} -lresolv"]
> +)
> +AC_SUBST([SOCKETS_LIBS])
> +
>  case "${with_mem_check}" in
>   valgrind)
>   AC_CHECK_HEADER(
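Review bot: AC_CHECK_LIB succeeds whenever a test program linked with -lnsl (or -lsocket, -lresolv) resolves the symbol, including when libc already provides it, so on such hosts SOCKETS_LIBS picks up libraries the binary does not need. The AC_SEARCH_LIBS calls this replaces tried linking with no extra library first. If the aim is to keep these out of the global LIBS, AC_SEARCH_LIBS can still be used with LIBS saved and restored around it and the result copied into SOCKETS_LIBS.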
> diff --git a/src/openvpn/Makefile.am b/src/openvpn/Makefile.am
> index c7626c8..86abd09 100644
> --- a/src/openvpn/Makefile.am
> +++ b/src/openvpn/Makefile.am
> @@ -96,6 +96,7 @@ openvpn_SOURCES = \
>   win32.h win32.c \
>   cryptoapi.h cryptoapi.c
>  openvpn_LDADD = \
> + $(SOCKETS_LIBS) \
>   $(OPTIONAL_DL_LIBS)
>  if WIN32
>  openvpn_SOURCES += openvpn_win32_resources.rc




Re: [Openvpn-devel] [PATCH 31/52] build: autoconf: commands as environment

2012-03-08 Thread Samuli Seppänen
So, this patch replaces (removes?) the "--with--path" configure 
options with environment variables, right?  For example, if one has "ifconfig" 
in a non-standard place, he can set the IFCONFIG environment variable and the 
build will find it. Did I understand this correctly?

I don't know autotools well enough to give this one an ACK at this point. That 
said, the patch does clean up configure.ac a lot, and cleanups are always nice 
:).

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock


> Signed-off-by: Alon Bar-Lev 
> ---
>  configure.ac |   66 -
>  1 files changed, 28 insertions(+), 38 deletions(-)
>
> diff --git a/configure.ac b/configure.ac
> index 6b5cf71..ed98464 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -267,37 +267,6 @@ AC_ARG_WITH(
>  )
>  
>  AC_ARG_WITH(
> - [ifconfig-path],
> - [AS_HELP_STRING([--with-ifconfig-path=PATH], [Path to ifconfig tool])],
> - [IFCONFIG="$withval"],
> - [AC_PATH_PROG([IFCONFIG], [ifconfig], [ifconfig], 
> [$PATH:/usr/local/sbin:/usr/sbin:/sbin])]
> -)
> -AC_DEFINE_UNQUOTED([IFCONFIG_PATH], ["$IFCONFIG"], [Path to ifconfig tool])
> -
> -AC_ARG_WITH(
> - [iproute-path],
> - [AS_HELP_STRING([--with-iproute-path=PATH], [Path to iproute tool])],
> - [IPROUTE="$withval"],
> - [AC_PATH_PROG([IPROUTE], [ip], [ip], 
> [$PATH:/usr/local/sbin:/usr/sbin:/sbin])]
> -)
> -AC_DEFINE_UNQUOTED([IPROUTE_PATH], ["$IPROUTE"], [Path to iproute tool])
> -
> -AC_ARG_WITH([route-path],
> -   [AS_HELP_STRING([--with-route-path=PATH], [Path to route tool])],
> -   [ROUTE="$withval"],
> -   [AC_PATH_PROG([ROUTE], [route], [route], 
> [$PATH:/usr/local/sbin:/usr/sbin:/sbin])]
> -)
> -AC_DEFINE_UNQUOTED([ROUTE_PATH], ["$ROUTE"], [Path to route tool])
> -
> -AC_ARG_WITH(
> - [netstat-path],
> - [AS_HELP_STRING([--with-netstat-path=PATH], [Path to netstat tool])],
> - [NETSTAT="$withval"],
> - [AC_PATH_PROG([NETSTAT], [netstat], [netstat], 
> [$PATH:/usr/local/sbin:/usr/sbin:/sbin:/etc])]
> -)
> -AC_DEFINE_UNQUOTED([NETSTAT_PATH], ["$NETSTAT"], [Path to netstat tool])
> -
> -AC_ARG_WITH(
>   [mem-check],
>   [AS_HELP_STRING([--with-mem-check=TYPE], [build with debug memory 
> checking, TYPE=dmalloc|valgrind|ssl])],
>   [
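Review bot: Dropping --with-ifconfig-path, --with-iproute-path, --with-route-path and --with-netstat-path outright changes behaviour for existing build scripts without saying so: configure only warns about unrecognized --with options by default, so a packager who still passes them gets whatever the PATH search finds compiled in as IFCONFIG_PATH, ROUTE_PATH and IPROUTE_PATH. Please state the replacement (the IFCONFIG, ROUTE, IPROUTE and NETSTAT variables) in the commit message, or keep the old options for a release as aliases that set those variables.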
> @@ -370,6 +339,20 @@ AC_PROG_INSTALL
>  AC_PROG_LN_S
>  AC_PROG_MAKE_SET
>  
> +AC_ARG_VAR([IFCONFIG], [full path to ipconfig utility])
> +AC_ARG_VAR([ROUTE], [full path to route utility])
> +AC_ARG_VAR([IPROUTE], [full path to ip utility])
> +AC_ARG_VAR([NETSTAT], [path to netstat utility]) # tests
> +AC_ARG_VAR([MAN2HTML], [path to man2html utility])
> +AC_PATH_PROGS([IFCONFIG], [ifconfig],, 
> [$PATH:/usr/local/sbin:/usr/sbin:/sbin])
> +AC_PATH_PROGS([ROUTE], [route],, [$PATH:/usr/local/sbin:/usr/sbin:/sbin])
> +AC_PATH_PROGS([IPROUTE], [ip],, [$PATH:/usr/local/sbin:/usr/sbin:/sbin])
> +AC_CHECK_PROGS([NETSTAT], [netstat], [netstat], 
> [$PATH:/usr/local/sbin:/usr/sbin:/sbin:/etc]) # tests
> +AC_CHECK_PROGS([MAN2HTML], [man2html])
> +AC_DEFINE_UNQUOTED([IFCONFIG_PATH], ["$IFCONFIG"], [Path to ifconfig tool])
> +AC_DEFINE_UNQUOTED([IPROUTE_PATH], ["$IPROUTE"], [Path to iproute tool])
> +AC_DEFINE_UNQUOTED([ROUTE_PATH], ["$ROUTE"], [Path to route tool])
> +
>  #
>  # Libtool
>  #
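Review bot: The help string in AC_ARG_VAR([IFCONFIG], ...) says "ipconfig" and should say "ifconfig". The help strings also promise a "full path", but a value supplied through the environment is taken as given and compiled in through AC_DEFINE_UNQUOTED; rejecting a user-supplied IFCONFIG, ROUTE or IPROUTE that does not start with "/" would make the description true and keep a relative name from being resolved through PATH at run time.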
> @@ -386,12 +369,6 @@ ifdef(
>   ]
>  )
>  
> -if test "${WIN32}" = "yes"; then
> - AC_ARG_VAR([MAN2HTML], [man2html utility])
> - AC_CHECK_PROGS([MAN2HTML], [man2html])
> - test -z "${MAN2HTML}" && AC_MSG_ERROR([man2html is required for win32])
> -fi
> -
>  AC_C_CONST
>  AC_C_INLINE
>  AC_C_VOLATILE
> @@ -920,7 +897,16 @@ test "${enable_pf}" = "yes" && AC_DEFINE([ENABLE_PF], 
> [1], [Enable internal pack
>  test "${enable_strict_options}" = "yes" && 
> AC_DEFINE([ENABLE_STRICT_OPTIONS_CHECK], [1], [Enable strict options check 
> between peers])
>  test "${enable_password_save}" = "yes" && AC_DEFINE([ENABLE_PASSWORD_SAVE], 
> [1], [Allow --askpass and --auth-user-pass passwords to be read from a file])
>  test "${enable_systemd}" = "yes" && AC_DEFINE([ENABLE_SYSTEMD], [1], [Enable 
> systemd support])
> -test "${enable_iproute2}" = "yes" && AC_DEFINE([ENABLE_IPROUTE], [1], 
> [enable iproute2 support])
> +
> +if test "${enable_iproute2}" = "yes"; then
> + test -z "${IPROUTE}" && AC_MSG_ERROR([ip utility is required but 
> missing])
> + AC_DEFINE([ENABLE_IPROUTE], [1], [enable iproute2 support])
> +else
> + if test "${WIN32}" != "yes"; then
> + test -z "${ROUTE}" && AC_MSG_ERROR([route utility is required 
> but missing])
> + test -z "${IFCONFIG}" && AC_MSG_ERROR([ifconfig utility is 
> required but missing])
> + fi
> +fi
>  
>  if test "${enable_pedantic}" = "yes"; then
>   enable_strict="yes"
> @@ -930,6 +916,10 @@ if test "${enable_strict}" = "yes"; then
>   CFLAGS="${CFLAGS} -Wall -Wno-unused-parameter -Wno-unused-function"
>  fi
>  
> +if test 

Re: [Openvpn-devel] [PATCH 28/52] build: remove awk and non-standard autoconf output processing

2012-03-08 Thread Samuli Seppänen
This looks ok. If I understood it correctly, earlier the Makefile called 
configure_h.awk to parse config.h to generate configure.h. This configure.h 
file contained only two defines:

#define CONFIGURE_DEFINES " ENABLE_CLIENT_SERVER ENABLE_DEBUG ENABLE_EUREPHIA 
..."
#define CONFIGURE_CALL "  $ ./configure "

This patch removes configure_h.awk and thus phases out configure.h. After this 
change CONFIGURE_DEFINES is generated using this method:

CONFIGURE_DEFINES="`set | grep '^enable_.*=' ; set | grep '^with_.*='`"

This should be safe if running "set" does not produce output that would match 
the regexps without being related to the OpenVPN builds. Given that the regexps 
are very strictly defined, that doesn't sound likely.

I give this one an ACK. Please NACK if you disagree :).

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock


> Replace with simpler environment solution.
>
> Signed-off-by: Alon Bar-Lev 
> ---
>  Makefile.am   |   12 ++--
>  configure.ac  |3 +++
>  configure_h.awk   |   39 ---
>  configure_log.awk |   33 -
>  options.c |4 
>  5 files changed, 5 insertions(+), 86 deletions(-)
>  delete mode 100644 configure_h.awk
>  delete mode 100644 configure_log.awk
>
> diff --git a/Makefile.am b/Makefile.am
> index 6c0b2b4..a8ff457 100644
> --- a/Makefile.am
> +++ b/Makefile.am
> @@ -36,7 +36,7 @@ MAINTAINERCLEANFILES = \
>   $(srcdir)/depcomp $(srcdir)/aclocal.m4 \
>   $(srcdir)/config.guess $(srcdir)/config.sub \
>   $(srcdir)/openvpn.spec
> -CLEANFILES = openvpn.8.html configure.h
> +CLEANFILES = openvpn.8.html
>  
>  EXTRA_DIST = \
>   sample-config-files \
> @@ -57,8 +57,7 @@ dist_doc_DATA = \
>  
>  dist_noinst_SCRIPTS = \
>   $(TESTS) \
> - t_cltsrv-down.sh \
> - configure_h.awk configure_log.awk
> + t_cltsrv-down.sh
>  
>  dist_doc_DATA = \
>   COPYRIGHT.GPL \
> @@ -156,13 +155,6 @@ openvpn_SOURCES = \
>   win32.h win32.c \
>   cryptoapi.h cryptoapi.c
>  
> -nodist_openvpn_SOURCES = configure.h
> -options.$(OBJEXT): configure.h
> -
> -configure.h: Makefile
> - awk -f $(srcdir)/configure_h.awk config.h > $@
> - awk -f $(srcdir)/configure_log.awk config.log >> $@
> -
>  if WIN32
>  dist_noinst_DATA += openvpn.8
>  nodist_html_DATA = openvpn.8.html
> diff --git a/configure.ac b/configure.ac
> index 81bf933..0b70325 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -913,6 +913,9 @@ if test "${enable_strict}" = "yes"; then
>   CFLAGS="${CFLAGS} -Wall -Wno-unused-parameter -Wno-unused-function"
>  fi
>  
> +CONFIGURE_DEFINES="`set | grep '^enable_.*=' ; set | grep '^with_.*='`"
> +AC_DEFINE_UNQUOTED([CONFIGURE_DEFINES], ["`echo ${CONFIGURE_DEFINES}`"], 
> [Configuration settings])
> +
>  TAP_WIN_COMPONENT_ID="PRODUCT_TAP_WIN_COMPONENT_ID"
>  TAP_WIN_MIN_MAJOR="PRODUCT_TAP_WIN_MIN_MAJOR"
>  TAP_WIN_MIN_MINOR="PRODUCT_TAP_WIN_MIN_MINOR"
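Review bot: The values captured by set | grep are pasted into a C string literal by AC_DEFINE_UNQUOTED without escaping, so an enable_* or with_* value that contains a double quote or a backslash yields a broken or altered CONFIGURE_DEFINES in config.h, and the unquoted echo ${CONFIGURE_DEFINES} additionally applies word splitting and globbing to them. The grep also matches any enable_* or with_* variable inherited from the caller's environment, not only those set by configure options. Building the string from an explicit list of option variables, with quotes and backslashes escaped, avoids both.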
> diff --git a/configure_h.awk b/configure_h.awk
> deleted file mode 100644
> index 672e745..000
> --- a/configure_h.awk
> +++ /dev/null
> @@ -1,39 +0,0 @@
> -#
> -#  OpenVPN -- An application to securely tunnel IP networks
> -# over a single UDP port, with support for SSL/TLS-based
> -# session authentication and key exchange,
> -# packet encryption, packet authentication, and
> -# packet compression.
> -#
> -#  Copyright (C) 2010  David Sommerseth 
> -#
> -#  This program is free software; you can redistribute it and/or modify
> -#  it under the terms of the GNU General Public License version 2
> -#  as published by the Free Software Foundation.
> -#
> -#  This program is distributed in the hope that it will be useful,
> -#  but WITHOUT ANY WARRANTY; without even the implied warranty of
> -#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> -#  GNU General Public License for more details.
> -#
> -#  You should have received a copy of the GNU General Public License
> -#  along with this program (see the file COPYING included with this
> -#  distribution); if not, write to the Free Software Foundation, Inc.,
> -#  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
> -#
> -#
> -#  This script will build up a line which can be included into a C program.
> -#  The line will contain all interesting #define statements from f.ex. 
> ./config.h
> -#
> -
> -BEGIN {
> - printf ("#define CONFIGURE_DEFINES \"")
> -}
> -
> -/^#define (ENABLE|DISABLE|DEPRECATED|USE)_/ {
> - printf (" %s", $2)
> -}
> -
> -END {
> - printf ("\"\n")
> -}
> diff --git a/configure_log.awk b/configure_log.awk
> deleted file mode 100644
> index 099e5c4..000
> --- a/configure_log.awk
> +++ /dev/null
> @@ -1,33 +0,0 @@
> -#
> -#  OpenVPN -- An application to securely tunnel IP networks
> -# over a single UDP port, with support for SSL/TLS-based
> -#
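The capture that the reply above reasons about, reproduced as an added example (not part of the patch or of OpenVPN's build system): it shows what the set | grep approach picks up and one way to build the same string from an explicit list. The variable values, with_note, enable_ci_probe, and the helper names capture_defines, c_escape and listed_defines are constructed for illustration.

```shell
#!/bin/sh
# Added illustration, not OpenVPN build code. All values below are constructed.

# Variables as configure would hold them after option parsing.
enable_selinux=no
with_mem_check=valgrind
# A value containing a double quote, and a stray variable that merely
# shares the prefix (for example one inherited from the caller's environment).
with_note='say "hi"'
enable_ci_probe=1

# The capture from the quoted hunk, including the unquoted echo whose
# output AC_DEFINE_UNQUOTED places between double quotes in config.h.
capture_defines() {
    defs="`set | grep '^enable_.*=' ; set | grep '^with_.*='`"
    echo ${defs}
}

# Escape backslash first, then double quote, for use in a C string literal.
c_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Alternative: build the string from an explicit list of option variables.
# Names with unexpected characters or outside the enable_/with_ namespaces
# are skipped, and the result is escaped before it reaches the header.
listed_defines() {
    acc=
    for name in "$@"; do
        case "$name" in
            *[!A-Za-z0-9_]*) continue ;;
            enable_*|with_*) ;;
            *) continue ;;
        esac
        eval "val=\${$name-}"
        acc="${acc:+$acc }$name=$val"
    done
    c_escape "$acc"
}

# The grep capture includes enable_ci_probe and a raw double quote;
# the listed variant contains only the named options, escaped.
printf 'grep capture  : %s\n' "$(capture_defines)"
printf 'listed/escaped: %s\n' \
    "$(listed_defines enable_selinux with_mem_check with_note)"
```

The exact quoting in the first line of output depends on the shell, because the format of set output is shell-specific.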

Re: [Openvpn-devel] [PATCH 27/52] build: autoconf: remove OPENVPN_ADD_LIBS useless macro

2012-03-08 Thread Samuli Seppänen
Looks fairly straightforward: the OPENVPN_ADD_LIBS(LIB) macro[1] from
"acinclude.m4" is being phased out, e.g.

OPENVPN_ADD_LIBS(-ldmalloc)

becomes

LIBS="${LIBS} -ldmalloc"

I don't think the macro does anything _that_ special it would be worth saving.

ACK.

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock


[1]

dnl OPENVPN_ADD_LIBS(LIB)
AC_DEFUN([OPENVPN_ADD_LIBS], [
  LIBS="$1 $LIBS"
])



> Signed-off-by: Alon Bar-Lev 
> ---
>  configure.ac |   26 ++
>  m4/ax_openvpn_lib.m4 |4 
>  2 files changed, 10 insertions(+), 20 deletions(-)
>  delete mode 100644 m4/ax_openvpn_lib.m4
>
> diff --git a/configure.ac b/configure.ac
> index 07b2e1a..81bf933 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -352,13 +352,7 @@ case "$host" in
>   AC_DEFINE_UNQUOTED([TARGET_PREFIX], ["W"], [Target prefix])
>   CPPFLAGS="${CPPFLAGS} -DWIN32_LEAN_AND_MEAN -DWINVER=0x0501"
>   WIN32=yes
> - OPENVPN_ADD_LIBS(-lgdi32)
> - OPENVPN_ADD_LIBS(-lws2_32)
> - OPENVPN_ADD_LIBS(-lwininet)
> - OPENVPN_ADD_LIBS(-lcrypt32)
> - OPENVPN_ADD_LIBS(-liphlpapi)
> - OPENVPN_ADD_LIBS(-lwinmm)
> - OPENVPN_ADD_LIBS(-lshell32)
> + LIBS="${LIBS} -lgdi32 -lws2_32 -lwininet -lcrypt32 -liphlpapi 
> -lwinmm -lshell32"
>   ;;
>   *-*-dragonfly*)
>   AC_DEFINE([TARGET_DRAGONFLY], [1], [Are we running on 
> DragonFlyBSD?])
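Review bot: This is not a pure rename. The macro as quoted in the reply above sets LIBS="$1 $LIBS", which prepends, while the replacement here appends with LIBS="${LIBS} -lgdi32 ...", so the order of libraries on the final link line changes in every converted call. Link order matters for static libraries; please either keep the prepend form, LIBS="-lgdi32 ... ${LIBS}", or say in the commit message that the reordering is intended and has been tested.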
> @@ -640,7 +634,7 @@ case "${with_mem_check}" in
>   [dmalloc],
>   [malloc],
>   [
> - OPENVPN_ADD_LIBS(-ldmalloc)
> + LIBS="${LIBS} -ldmalloc"
>   AC_DEFINE(
>   [DMALLOC],
>   [1],
> @@ -682,7 +676,7 @@ if test "${WIN32}" != "yes" -a "${enable_plugins}" = 
> "yes"; then
>   [dl],
>   [dlopen],
>   [
> - OPENVPN_ADD_LIBS(-ldl)
> + LIBS="${LIBS} -ldl"
>   AC_DEFINE(USE_LIBDL, 1, [Use libdl for 
> dynamic library loading])
>   ],
>   [AC_MSG_RESULT([libdl library not found.])]
> @@ -721,7 +715,7 @@ if test "${enable_lzo}" = "yes" && test 
> "${enable_lzo_stub}" = "no"; then
>   if test $havelzolib = 1 ; then break ; fi
>   AC_CHECK_LIB($i, lzo1x_1_15_compress,
>[
> - OPENVPN_ADD_LIBS(-l$i)
> + LIBS="${LIBS} -l$i"
>   AC_DEFINE(USE_LZO, 1, [Use LZO compression library])
>   AC_DEFINE_UNQUOTED(LZO_VERSION_NUM, "$LZO_H", [LZO version number])
>   havelzolib=1
> @@ -752,7 +746,7 @@ if test "${enable_pkcs11}" = "yes"; then
>   [AC_CHECK_LIB(pkcs11-helper, pkcs11h_initialize,
>   [
>  AC_DEFINE(USE_PKCS11, 1, [Enable PKCS11 capability])
> -OPENVPN_ADD_LIBS(-lpkcs11-helper)
> +LIBS="${LIBS} -lpkcs11-helper"
>   ],
>   [AC_MSG_RESULT([pkcs11-helper library not found.])]
>   )],
> @@ -773,7 +767,7 @@ if test "${enable_crypto}" = "yes"; then
>AC_CHECK_LIB($lib, EVP_CIPHER_CTX_init,
>  [
>   cryptofound=1
> - OPENVPN_ADD_LIBS(-l$lib)
> + LIBS="${LIBS} -l$lib"
>   ]
>)
> done
> @@ -807,7 +801,7 @@ if test "${enable_crypto}" = "yes"; then
>  AC_CHECK_HEADER(polarssl/aes.h,
>  [AC_CHECK_LIB(polarssl, aes_crypt_cbc,
>  [
> -OPENVPN_ADD_LIBS(-lpolarssl)
> + LIBS="${LIBS} -lpolarssl"
>  AC_DEFINE(USE_CRYPTO, 1, [Use crypto library])
>  AC_DEFINE(USE_POLARSSL, 1, [Use PolarSSL library])
>  ],
> @@ -831,7 +825,7 @@ if test "${enable_crypto}" = "yes"; then
>AC_CHECK_LIB($lib, SSL_CTX_new,
>  [
>  sslfound=1
> -OPENVPN_ADD_LIBS(-l$lib)
> +LIBS="${LIBS} -l$lib"
>  ]
>)
>   done
> @@ -845,7 +839,7 @@ if test "${enable_crypto}" = "yes"; then
>   AC_CHECK_HEADER(polarssl/ssl.h,
>[AC_CHECK_LIB(polarssl, ssl_init,
>[
> -  OPENVPN_ADD_LIBS(-lpolarssl)
> +   LIBS="${LIBS} -lpolarssl"
>AC_DEFINE(USE_SSL, 1, [Use SSL library])
>AC_DEFINE(USE_POLARSSL, 1, [Use PolarSSL library])
>],
> @@ -867,7 +861,7 @@ if test "${enable_selinux}" = "yes"; then
>  

Re: [Openvpn-devel] OpenVPN Management Interface

2012-03-08 Thread Carsten Krüger
Hello David,

> However, how will this approach make sure that malware don't use such a
> (new) openvpn service to redirect all Internet traffic via a third-party
> which can analyse everything happening?

Malware on an OpenVPN endpoint can analyse all decrypted traffic.
No need to redirect.
If you have malware on your system, you have lost.
No need to worry about that scenario.

greetings
Carsten