openvpn/configure.ac

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

1565 lines
43 KiB
Plaintext
Raw Normal View History

dnl OpenVPN -- An application to securely tunnel IP networks
dnl over a single UDP port, with support for SSL/TLS-based
dnl session authentication and key exchange,
dnl packet encryption, packet authentication, and
dnl packet compression.
dnl
dnl Copyright (C) 2002-2023 OpenVPN Inc <sales@openvpn.net>
dnl Copyright (C) 2006-2012 Alon Bar-Lev <alon.barlev@gmail.com>
dnl
dnl This program is free software; you can redistribute it and/or modify
dnl it under the terms of the GNU General Public License as published by
dnl the Free Software Foundation; either version 2 of the License, or
dnl (at your option) any later version.
dnl
dnl This program is distributed in the hope that it will be useful,
dnl but WITHOUT ANY WARRANTY; without even the implied warranty of
dnl MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
dnl GNU General Public License for more details.
dnl
dnl You should have received a copy of the GNU General Public License along
dnl with this program; if not, write to the Free Software Foundation, Inc.,
dnl 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
dnl Process this file with autoconf to produce a configure script.
AC_PREREQ(2.59)
m4_include(version.m4)
AC_INIT([PRODUCT_NAME], [PRODUCT_VERSION], [PRODUCT_BUGREPORT], [PRODUCT_TARNAME])
m4_include(compat.m4)
AC_DEFINE([OPENVPN_VERSION_RESOURCE], [PRODUCT_VERSION_RESOURCE], [Version in windows resource format])
AC_SUBST([OPENVPN_VERSION_MAJOR], [PRODUCT_VERSION_MAJOR], [OpenVPN major version])
AC_SUBST([OPENVPN_VERSION_MINOR], [PRODUCT_VERSION_MINOR], [OpenVPN minor version])
AC_SUBST([OPENVPN_VERSION_PATCH], [PRODUCT_VERSION_PATCH], [OpenVPN patch level - may be a string or integer])
AC_DEFINE([OPENVPN_VERSION_MAJOR], [PRODUCT_VERSION_MAJOR], [OpenVPN major version - integer])
AC_DEFINE([OPENVPN_VERSION_MINOR], [PRODUCT_VERSION_MINOR], [OpenVPN minor version - integer])
AC_DEFINE([OPENVPN_VERSION_PATCH], ["PRODUCT_VERSION_PATCH"], [OpenVPN patch level - may be a string or integer])
AC_CONFIG_AUX_DIR([.])
AC_CONFIG_HEADERS([config.h include/openvpn-plugin.h])
AC_CONFIG_SRCDIR([src/openvpn/syshead.h])
AC_CONFIG_MACRO_DIR([m4])
dnl Automake 1.14+ warns if sources are in sub-directories but subdir-objects
dnl options is not enabled. However, automake before 1.15a has a bug that causes
dnl variable expansion to fail in foo_SOURCES when this option is used.
dnl As most of our build systems are now likely to use automake 1.16+ add a
dnl work around to conditionally add subdir-objects option.
m4_define([subdir_objects], [
m4_esyscmd([automake --version |
head -1 |
awk '{split ($NF,a,"."); if (a[1] == 1 && a[2] >= 16) { print "subdir-objects" }}'
])
])
# This foreign option prevents autoreconf from overriding our COPYING and
# INSTALL targets:
AM_INIT_AUTOMAKE(foreign subdir_objects 1.9) dnl NB: Do not [quote] this parameter.
AM_SILENT_RULES([yes])
AC_CANONICAL_HOST
AC_USE_SYSTEM_EXTENSIONS
AC_ARG_ENABLE(
[lzo],
[AS_HELP_STRING([--disable-lzo], [disable LZO compression support @<:@default=yes@:>@])],
,
[enable_lzo="yes"]
)
AC_ARG_ENABLE(
[lz4],
[AS_HELP_STRING([--disable-lz4], [disable LZ4 compression support @<:@default=yes@:>@])],
[enable_lz4="$enableval"],
[enable_lz4="yes"]
)
AC_ARG_ENABLE(
[comp-stub],
[AS_HELP_STRING([--enable-comp-stub], [disable compression support but still allow limited interoperability with compression-enabled peers @<:@default=no@:>@])],
Added support for the Snappy compression algorithm Added support for the Snappy compression algorithm which has shown to have considerably better compression speed than LZO at a comparable compression ratio. To enable Snappy add: compress snappy to both client and server config files. Alternatively, enable compression framing on the client: compress and have the server selectively push "compress snappy" to the client. This change also extends the client capability handshake to include IV_SNAPPY so the server can be aware that a connecting client supports Snappy. Note that the Snappy implementation also includes an improved framing approach where the first byte of the compressed payload is replaced by the compression control byte (the first payload byte is moved to the end of the packet). This solves off-by-one alignment issues, which improves performance on ARM. By default, the configure script will try to build with Snappy support. To disable, use the --disable-snappy option. The --enable-lzo-stub configure directive is now --enable-comp-stub (because it's not actually "lzo" but "compression-enabled packet framing") Add compression overhead to extra buffer unconditionally, as long as USE_COMP is defined. OpenVPN SVN r8206 (2.1.21a) and r8212 (2.1.21b) Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <1366393268-27392-3-git-send-email-gert@greenie.muc.de> URL: http://article.gmane.org/gmane.network.openvpn.devel/7531 Signed-off-by: Gert Doering <gert@greenie.muc.de>
2012-09-18 14:33:34 +08:00
[enable_comp_stub="$enableval"],
[enable_comp_stub="no"]
)
AC_ARG_ENABLE(
[ofb-cfb],
[AS_HELP_STRING([--disable-ofb-cfb], [disable support for OFB and CFB cipher modes @<:@default=yes@:>@])],
,
[enable_crypto_ofb_cfb="yes"]
)
AC_ARG_ENABLE(
[x509-alt-username],
[AS_HELP_STRING([--enable-x509-alt-username], [enable the --x509-username-field feature @<:@default=no@:>@])],
,
[enable_x509_alt_username="no"]
)
AC_ARG_ENABLE(
[ntlm],
[AS_HELP_STRING([--disable-ntlm], [disable NTLMv2 proxy support @<:@default=yes@:>@])],
,
[enable_ntlm="yes"]
)
AC_ARG_ENABLE(
[plugins],
[AS_HELP_STRING([--disable-plugins], [disable plug-in support @<:@default=yes@:>@])],
,
[enable_plugins="yes"]
)
AC_ARG_ENABLE(
[management],
[AS_HELP_STRING([--disable-management], [disable management server support @<:@default=yes@:>@])],
,
[enable_management="yes"]
)
AC_ARG_ENABLE(
[pkcs11],
[AS_HELP_STRING([--enable-pkcs11], [enable pkcs11 support @<:@default=no@:>@])],
,
[enable_pkcs11="no"]
)
AC_ARG_ENABLE(
[fragment],
[AS_HELP_STRING([--disable-fragment], [disable internal fragmentation support (--fragment) @<:@default=yes@:>@])],
,
[enable_fragment="yes"]
)
AC_ARG_ENABLE(
[port-share],
[AS_HELP_STRING([--disable-port-share], [disable TCP server port-share support (--port-share) @<:@default=yes@:>@])],
,
[enable_port_share="yes"]
)
AC_ARG_ENABLE(
[debug],
[AS_HELP_STRING([--disable-debug], [disable debugging support (disable gremlin and verb 7+ messages) @<:@default=yes@:>@])],
,
[enable_debug="yes"]
)
AC_ARG_ENABLE(
[small],
[AS_HELP_STRING([--enable-small], [enable smaller executable size (disable OCC, usage message, and verb 4 parm list) @<:@default=no@:>@])],
,
[enable_small="no"]
)
AC_ARG_ENABLE(
[dco],
[AS_HELP_STRING([--disable-dco], [disable data channel offload support using the ovpn-dco kernel module @<:@default=yes@:>@ on Linux/FreeBSD, can't disable on Windows])],
,
[
case "$host" in
*-*-linux*)
enable_dco="auto"
;;
*-*-freebsd*)
enable_dco="auto"
;;
*)
# note that this does not disable it for Windows
enable_dco="no"
;;
esac
]
)
AC_ARG_ENABLE(
[iproute2],
[AS_HELP_STRING([--enable-iproute2], [enable support for iproute2 (disables DCO) @<:@default=no@:>@])],
,
[enable_iproute2="no"]
)
AC_ARG_ENABLE(
[plugin-auth-pam],
[AS_HELP_STRING([--disable-plugin-auth-pam], [disable auth-pam plugin @<:@default=platform specific@:>@])],
,
[
case "$host" in
*-*-openbsd*) enable_plugin_auth_pam="no";;
*-mingw*) enable_plugin_auth_pam="no";;
*) enable_plugin_auth_pam="yes";;
esac
]
)
AC_ARG_ENABLE(
[plugin-down-root],
[AS_HELP_STRING([--disable-plugin-down-root], [disable down-root plugin @<:@default=platform specific@:>@])],
,
[
case "$host" in
*-mingw*) enable_plugin_down_root="no";;
*) enable_plugin_down_root="yes";;
esac
]
)
AC_ARG_ENABLE(
[pam-dlopen],
[AS_HELP_STRING([--enable-pam-dlopen], [dlopen libpam @<:@default=no@:>@])],
,
[enable_pam_dlopen="no"]
)
AC_ARG_ENABLE(
[strict],
[AS_HELP_STRING([--enable-strict], [enable strict compiler warnings (debugging option) @<:@default=no@:>@])],
,
[enable_strict="no"]
)
AC_ARG_ENABLE(
[pedantic],
[AS_HELP_STRING([--enable-pedantic], [enable pedantic compiler warnings, will not generate a working executable (debugging option) @<:@default=no@:>@])],
,
[enable_pedantic="no"]
)
AC_ARG_ENABLE(
[werror],
[AS_HELP_STRING([--enable-werror], [promote compiler warnings to errors, will cause builds to fail if the compiler issues warnings (debugging option) @<:@default=no@:>@])],
,
[enable_werror="no"]
)
AC_ARG_ENABLE(
[strict-options],
[AS_HELP_STRING([--enable-strict-options], [enable strict options check between peers (debugging option) @<:@default=no@:>@])],
,
[enable_strict_options="no"]
)
AC_ARG_ENABLE(
[selinux],
[AS_HELP_STRING([--enable-selinux], [enable SELinux support @<:@default=no@:>@])],
,
[enable_selinux="no"]
)
AC_ARG_ENABLE(
[systemd],
[AS_HELP_STRING([--enable-systemd], [enable systemd support @<:@default=no@:>@])],
,
[enable_systemd="no"]
)
Send push reply right after async auth complete v3: * better comments * better variable naming * include sys/inotify.h if HAVE_SYS_INOTIFY_H is defined v2: More careful inotify_watchers handling * Ensure that same multi_instance is added only once * Ensure that multi_instance is always removed v1: This feature speeds up connection establishment in cases when async authentication result is not ready when first push request arrives. At the moment server sends push reply only when it receives next push request, which comes 5 seconds later. Implementation overview. Add new configure option ENABLE_ASYNC_PUSH, which can be enabled if system supports inotify. Add inotify descriptor to an event loop. Add inotify watch for a authentication control file. Store mapping between watch descriptor and multi_instance in a dictionary. When file is closed, inotify fires an event and we continue with connection establishment - call client- connect etc and send push reply. Inotify watch descriptor got automatically deleted after file is closed or when file is removed. We catch that event and remove it from the dictionary. Feature is easily tested with sample "defer" plugin and following settings: auth-user-pass-optional setenv test_deferred_auth 3 plugin simple.so Signed-off-by: Lev Stipakov <lstipakov@gmail.com> Add doxygen comment Acked-by: David Sommerseth <davids@redhat.com> Message-Id: <1444493065-13506-1-git-send-email-lstipakov@gmail.com> URL: http://article.gmane.org/gmane.network.openvpn.devel/10248 Signed-off-by: David Sommerseth <davids@redhat.com>
2015-10-11 00:04:25 +08:00
AC_ARG_ENABLE(
[async-push],
[AS_HELP_STRING([--enable-async-push], [enable async-push support for plugins providing deferred authentication @<:@default=no@:>@])],
,
Send push reply right after async auth complete v3: * better comments * better variable naming * include sys/inotify.h if HAVE_SYS_INOTIFY_H is defined v2: More careful inotify_watchers handling * Ensure that same multi_instance is added only once * Ensure that multi_instance is always removed v1: This feature speeds up connection establishment in cases when async authentication result is not ready when first push request arrives. At the moment server sends push reply only when it receives next push request, which comes 5 seconds later. Implementation overview. Add new configure option ENABLE_ASYNC_PUSH, which can be enabled if system supports inotify. Add inotify descriptor to an event loop. Add inotify watch for a authentication control file. Store mapping between watch descriptor and multi_instance in a dictionary. When file is closed, inotify fires an event and we continue with connection establishment - call client- connect etc and send push reply. Inotify watch descriptor got automatically deleted after file is closed or when file is removed. We catch that event and remove it from the dictionary. Feature is easily tested with sample "defer" plugin and following settings: auth-user-pass-optional setenv test_deferred_auth 3 plugin simple.so Signed-off-by: Lev Stipakov <lstipakov@gmail.com> Add doxygen comment Acked-by: David Sommerseth <davids@redhat.com> Message-Id: <1444493065-13506-1-git-send-email-lstipakov@gmail.com> URL: http://article.gmane.org/gmane.network.openvpn.devel/10248 Signed-off-by: David Sommerseth <davids@redhat.com>
2015-10-11 00:04:25 +08:00
[enable_async_push="no"]
)
AC_ARG_WITH(
[special-build],
[AS_HELP_STRING([--with-special-build=STRING], [specify special build string])],
[test -n "${withval}" && AC_DEFINE_UNQUOTED([CONFIGURE_SPECIAL_BUILD], ["${withval}"], [special build string])]
)
AC_ARG_WITH(
[mem-check],
[AS_HELP_STRING([--with-mem-check=TYPE], [build with debug memory checking, TYPE=no|dmalloc|valgrind|ssl @<:@default=no@:>@])],
[
case "${withval}" in
dmalloc|valgrind|ssl|no) ;;
*) AC_MSG_ERROR([bad value ${withval} for --mem-check]) ;;
esac
],
[with_mem_check="no"]
)
AC_ARG_WITH(
[crypto-library],
[AS_HELP_STRING([--with-crypto-library=library], [build with the given crypto library, TYPE=openssl|mbedtls|wolfssl @<:@default=openssl@:>@])],
[
Migrate to mbed TLS 2.x PolarSSL / mbed TLS 1.3 is going end-of-life by 2016-12-31, so let's move the master branch on to the 2.x series. This patch purges all references to polarssl, except for file names and some comments referring to 1.2 and earlier, which were never released as 'mbed TLS'. A separate patch for the file names follows, so the real changes are easier to spot without git-fu. This patch intends to not change any behaviour. The vast majority of this patch is just renaming functions and structs. There are some small changes in the implementation: * In ssl_polarssl.c: the debug callback prototype changed, so our implementation changed a bit too. * in ssl_polarssl.c: the old polarssl ssl_context is now split into a mbedtls_ssl_config and mbedtls_ssl_context. The intention is that mbedtls_ssl_config is shared among connections, and mbedtls_ssl_context contains the per-connection state. That doesn't work for us, because we use per-connection verify callback data, while the verify callback is registered on mbed_tls_config. Therefore we still need to init a mbed_tls_config struct for each connection. * in ssl_polarssl.c: the mbed bio handling changed, so our implementation changed a bit too. * in ssl_polarssl.c and ssl_verify_polarssl.c: the mbedtls x509 parse functions now fail if we don't provide a NUL-terminated string, so use strlen()+1 as the length argument to include the terminating NUL. I tested this patch to work with: * 'make check' (with 2.0.0 and 2.2.1, other tests just with 2.2.1) * static key mode * TLS mode with PEM key file * TLS mode with password protected PEM key file * TLS mode with management-external-key * TLS mode with PKCS#11 * TLS mode with inline ca/key/cert/dh Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <1460918143-408-1-git-send-email-steffan@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/11458 Signed-off-by: Gert Doering <gert@greenie.muc.de>
2016-04-18 02:35:42 +08:00
case "${withval}" in
openssl|mbedtls|wolfssl) ;;
*) AC_MSG_ERROR([bad value ${withval} for --with-crypto-library]) ;;
esac
],
[with_crypto_library="openssl"]
)
AC_ARG_ENABLE(
[wolfssl-options-h],
[AS_HELP_STRING([--disable-wolfssl-options-h], [Disable including options.h in wolfSSL @<:@default=yes@:>@])],
,
[enable_wolfssl_options_h="yes"]
)
AC_ARG_WITH(
[openssl-engine],
[AS_HELP_STRING([--with-openssl-engine], [enable engine support with OpenSSL. Default enabled for OpenSSL < 3.0, auto,yes,no @<:@default=auto@:>@])],
[
case "${withval}" in
auto|yes|no) ;;
*) AC_MSG_ERROR([bad value ${withval} for --with-engine]) ;;
esac
],
[with_openssl_engine="auto"]
)
AC_ARG_VAR([PLUGINDIR], [Path of plug-in directory @<:@default=LIBDIR/openvpn/plugins@:>@])
if test -n "${PLUGINDIR}"; then
plugindir="${PLUGINDIR}"
else
plugindir="\${libdir}/openvpn/plugins"
fi
AC_DEFINE_UNQUOTED([TARGET_ALIAS], ["${host}"], [A string representing our host])
AM_CONDITIONAL([TARGET_LINUX], [false])
case "$host" in
*-*-linux*)
AC_DEFINE([TARGET_LINUX], [1], [Are we running on Linux?])
AM_CONDITIONAL([TARGET_LINUX], [true])
AC_DEFINE_UNQUOTED([TARGET_PREFIX], ["L"], [Target prefix])
have_sitnl="yes"
pkg_config_required="yes"
;;
*-*-solaris*)
AC_DEFINE([TARGET_SOLARIS], [1], [Are we running on Solaris?])
AC_DEFINE_UNQUOTED([TARGET_PREFIX], ["S"], [Target prefix])
CPPFLAGS="$CPPFLAGS -D_XPG4_2"
test -x /bin/bash && SHELL="/bin/bash"
;;
*-*-openbsd*)
AC_DEFINE([TARGET_OPENBSD], [1], [Are we running on OpenBSD?])
AC_DEFINE_UNQUOTED([TARGET_PREFIX], ["O"], [Target prefix])
;;
*-*-freebsd*)
AC_DEFINE([TARGET_FREEBSD], [1], [Are we running on FreeBSD?])
AC_DEFINE_UNQUOTED([TARGET_PREFIX], ["F"], [Target prefix])
;;
*-*-netbsd*)
AC_DEFINE([TARGET_NETBSD], [1], [Are we running NetBSD?])
AC_DEFINE_UNQUOTED([TARGET_PREFIX], ["N"], [Target prefix])
;;
*-*-darwin*)
AC_DEFINE([TARGET_DARWIN], [1], [Are we running on Mac OS X?])
AC_DEFINE_UNQUOTED([TARGET_PREFIX], ["M"], [Target prefix])
have_tap_header="yes"
ac_cv_type_struct_in_pktinfo=no
;;
*-mingw*)
AC_DEFINE([TARGET_WIN32], [1], [Are we running WIN32?])
AC_DEFINE([ENABLE_DCO], [1], [DCO is always enabled on Windows])
AC_DEFINE_UNQUOTED([TARGET_PREFIX], ["W"], [Target prefix])
CPPFLAGS="${CPPFLAGS} -DWIN32_LEAN_AND_MEAN"
CPPFLAGS="${CPPFLAGS} -DNTDDI_VERSION=NTDDI_VISTA -D_WIN32_WINNT=_WIN32_WINNT_VISTA"
WIN32=yes
;;
*-*-dragonfly*)
AC_DEFINE([TARGET_DRAGONFLY], [1], [Are we running on DragonFlyBSD?])
AC_DEFINE_UNQUOTED([TARGET_PREFIX], ["D"], [Target prefix])
;;
*-aix*)
AC_DEFINE([TARGET_AIX], [1], [Are we running AIX?])
AC_DEFINE_UNQUOTED([TARGET_PREFIX], ["A"], [Target prefix])
ROUTE="/usr/sbin/route"
have_tap_header="yes"
ac_cv_header_net_if_h="no" # exists, but breaks things
;;
*)
AC_DEFINE_UNQUOTED([TARGET_PREFIX], ["X"], [Target prefix])
have_tap_header="yes"
;;
esac
AM_CONDITIONAL([CROSS_COMPILING], test "${cross_compiling}" = "yes")
PKG_PROG_PKG_CONFIG
# Add variable to print if pkg-config is found or not. Users often miss that
if test "${PKG_CONFIG}" = ""; then
if test "${pkg_config_required}" = "yes"; then
AC_MSG_ERROR([pkg-config is required])
fi
pkg_config_found="(not found)"
else
pkg_config_found="(${PKG_CONFIG})"
fi
AC_PROG_CPP
AC_PROG_INSTALL
AC_PROG_LN_S
AC_PROG_SED
AC_PROG_MAKE_SET
AC_ARG_VAR([IFCONFIG], [full path to ipconfig utility])
AC_ARG_VAR([ROUTE], [full path to route utility])
AC_ARG_VAR([IPROUTE], [full path to ip utility])
AC_ARG_VAR([NETSTAT], [path to netstat utility]) # tests
AC_ARG_VAR([GIT], [path to git utility])
AC_ARG_VAR([SYSTEMD_ASK_PASSWORD], [path to systemd-ask-password utility])
AC_ARG_VAR([SYSTEMD_UNIT_DIR], [Path of systemd unit directory @<:@default=LIBDIR/systemd/system@:>@])
AC_ARG_VAR([TMPFILES_DIR], [Path of tmpfiles directory @<:@default=LIBDIR/tmpfiles.d@:>@])
AC_PATH_PROGS([IFCONFIG], [ifconfig],, [$PATH:/usr/local/sbin:/usr/sbin:/sbin])
AC_PATH_PROGS([ROUTE], [route],, [$PATH:/usr/local/sbin:/usr/sbin:/sbin])
AC_PATH_PROGS([IPROUTE], [ip],, [$PATH:/usr/local/sbin:/usr/sbin:/sbin])
AC_PATH_PROGS([SYSTEMD_ASK_PASSWORD], [systemd-ask-password],, [$PATH:/usr/local/bin:/usr/bin:/bin])
AC_CHECK_PROGS([NETSTAT], [netstat], [netstat], [$PATH:/usr/local/sbin:/usr/sbin:/sbin:/etc]) # tests
AC_CHECK_PROGS([GIT], [git]) # optional
AC_DEFINE_UNQUOTED([IFCONFIG_PATH], ["$IFCONFIG"], [Path to ifconfig tool])
AC_DEFINE_UNQUOTED([IPROUTE_PATH], ["$IPROUTE"], [Path to iproute tool])
AC_DEFINE_UNQUOTED([ROUTE_PATH], ["$ROUTE"], [Path to route tool])
AC_DEFINE_UNQUOTED([SYSTEMD_ASK_PASSWORD_PATH], ["$SYSTEMD_ASK_PASSWORD"], [Path to systemd-ask-password tool])
doc/man: convert openvpn.8 to split-up .rst files To avoid keeping around a full-size openvpn.rst file which is never needed but will take space in the repo forever, patches 01...04 of the big documentation overhaul projects were squashed togehter, keeping the individual commit logs and URL references below. Signed-off-by: Gert Doering <gert@greenie.muc.de> * This is a combination of 4 commits. * This is the 1st commit message: doc/man: Add an .rst formatted version of the man page This is the first step to move away from a manually editing g/nroff encoded man page. Some modifications was needed to ensure formatting was consistent and rendered reasonably okay in GitHub and that the generated man page (using rst2man) is looking as a proper man page. Unsupported options has also been moved into its own section. HTML rendering directly using rst2html has also been used to validate the conversion. The rst2man and rst2html utilities comes from the python-docutils project: https://docutils.sourceforge.io/ Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <20200716225338.611-2-davids@openvpn.net> URL: https://sourceforge.net/p/openvpn/mailman/message/37063370/ Signed-off-by: Gert Doering <gert@greenie.muc.de> * This is the commit message #2: doc/man: Replace old man page with generated man page The doc/openvpn.8 and doc/openvpn.8.html files are now being removed from the git tree, as it will be generated from the doc/openvpn.8.rst file using python-docutils. An additional dist-hook is added so these files are generated automatically when source tarballs are generated for releases. This means users compiling directly from the source tarball will not need python-docutils installed. Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <20200716225338.611-3-davids@openvpn.net> URL: https://sourceforge.net/p/openvpn/mailman/message/37063373/ Signed-off-by: Gert Doering <gert@greenie.muc.de> * This is the commit message #3: doc/man: Split up and reorganize main man page The openvpn.8.rst file is quite long and hard to edit, as it covers several hundred options. Some options were even documented multiple places. The example has also received some attention, cleaning up old and outdated infomration. In this commit the main man page is split up into multiple sections and options are sorted into each of the corresponding section. Inside each category, each option is for now sorted alphabetically. The main openvpn.8.rst file is currently kept unchanged and will be handled in the next commit. Many language improvements contributed by Richard Bonhomme has also been incorproated. Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <20200716225338.611-4-davids@openvpn.net> URL: https://sourceforge.net/p/openvpn/mailman/message/37063376/ Signed-off-by: Gert Doering <gert@greenie.muc.de> * This is the commit message #4: doc/man: Complete openvpn.8.rst splitting This rebuilds the openvpn.8.rst content by using the text which was split out in the previous commit by using RST ..include statements. Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <20200716225338.611-5-davids@openvpn.net> URL: https://sourceforge.net/p/openvpn/mailman/message/37063377/ Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-07-17 06:53:31 +08:00
#
# man page generation - based on python-docutils
#
AC_ARG_VAR([RST2MAN], [path to rst2man utility])
AC_ARG_VAR([RST2HTML], [path to rst2html utility])
AC_CHECK_PROGS([RST2MAN], [rst2man rst2man.py])
AC_CHECK_PROGS([RST2HTML], [rst2html rst2html.py])
doc/man: convert openvpn.8 to split-up .rst files To avoid keeping around a full-size openvpn.rst file which is never needed but will take space in the repo forever, patches 01...04 of the big documentation overhaul projects were squashed togehter, keeping the individual commit logs and URL references below. Signed-off-by: Gert Doering <gert@greenie.muc.de> * This is a combination of 4 commits. * This is the 1st commit message: doc/man: Add an .rst formatted version of the man page This is the first step to move away from a manually editing g/nroff encoded man page. Some modifications was needed to ensure formatting was consistent and rendered reasonably okay in GitHub and that the generated man page (using rst2man) is looking as a proper man page. Unsupported options has also been moved into its own section. HTML rendering directly using rst2html has also been used to validate the conversion. The rst2man and rst2html utilities comes from the python-docutils project: https://docutils.sourceforge.io/ Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <20200716225338.611-2-davids@openvpn.net> URL: https://sourceforge.net/p/openvpn/mailman/message/37063370/ Signed-off-by: Gert Doering <gert@greenie.muc.de> * This is the commit message #2: doc/man: Replace old man page with generated man page The doc/openvpn.8 and doc/openvpn.8.html files are now being removed from the git tree, as it will be generated from the doc/openvpn.8.rst file using python-docutils. An additional dist-hook is added so these files are generated automatically when source tarballs are generated for releases. This means users compiling directly from the source tarball will not need python-docutils installed. Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <20200716225338.611-3-davids@openvpn.net> URL: https://sourceforge.net/p/openvpn/mailman/message/37063373/ Signed-off-by: Gert Doering <gert@greenie.muc.de> * This is the commit message #3: doc/man: Split up and reorganize main man page The openvpn.8.rst file is quite long and hard to edit, as it covers several hundred options. Some options were even documented multiple places. The example has also received some attention, cleaning up old and outdated infomration. In this commit the main man page is split up into multiple sections and options are sorted into each of the corresponding section. Inside each category, each option is for now sorted alphabetically. The main openvpn.8.rst file is currently kept unchanged and will be handled in the next commit. Many language improvements contributed by Richard Bonhomme has also been incorproated. Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <20200716225338.611-4-davids@openvpn.net> URL: https://sourceforge.net/p/openvpn/mailman/message/37063376/ Signed-off-by: Gert Doering <gert@greenie.muc.de> * This is the commit message #4: doc/man: Complete openvpn.8.rst splitting This rebuilds the openvpn.8.rst content by using the text which was split out in the previous commit by using RST ..include statements. Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <20200716225338.611-5-davids@openvpn.net> URL: https://sourceforge.net/p/openvpn/mailman/message/37063377/ Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-07-17 06:53:31 +08:00
AM_CONDITIONAL([HAVE_PYDOCUTILS], [test "${RST2MAN}" -a "${RST2HTML}"])
# Set -std=c99 unless user already specified a -std=
case "${CFLAGS}" in
*-std=*) ;;
*) CFLAGS="${CFLAGS} -std=c99" ;;
esac
#
# Libtool
#
ifdef(
[LT_INIT],
[
LT_INIT([win32-dll])
LT_LANG([Windows Resource])
],
[
AC_LIBTOOL_WIN32_DLL
AC_LIBTOOL_RC
AC_PROG_LIBTOOL
]
)
AC_C_CONST
AC_C_INLINE
AC_C_VOLATILE
AC_TYPE_OFF_T
AC_TYPE_PID_T
AC_TYPE_SIZE_T
AC_TYPE_UID_T
AX_TYPE_SOCKLEN_T
AC_CHECK_SIZEOF([unsigned int])
AC_CHECK_SIZEOF([unsigned long])
AC_CHECK_HEADERS([ \
fcntl.h io.h \
sys/types.h sys/socket.h \
unistd.h dlfcn.h \
netinet/in.h \
netinet/tcp.h arpa/inet.h netdb.h \
])
AC_CHECK_HEADERS([ \
sys/time.h sys/ioctl.h sys/stat.h \
sys/mman.h sys/file.h sys/wait.h \
unistd.h libgen.h stropts.h \
syslog.h pwd.h grp.h termios.h \
sys/sockio.h sys/uio.h linux/sockios.h \
Fix --mtu-disc maybe|yes on Linux. --mtu-disc (on Linux) needs two components to work: - setsockopt() with IP_MTU_DISCOVER or IPV6_MTU_DISCOVER - "extended error reporting" (setsockopt(IP_RECVERR) and then via mtu.c/format_extended_socket_error()) to react on "packet too big" errors on sendto() / sendmsg() Some configure.ac reorganization broke detection of <linux/errqueue.h> and "struct sock_extended_err". Re-add <linux/errqueue.h> to configure.ac, remove all the other conditionals in syshead.h, and remove the "struct sock_extended_err" check completely (assumption: if errqueue.h exists, it contains what we need). Thus, the "non-helpful" socket error message turns into: 2022-02-22 12:31:42 write UDPv4 [EMSGSIZE Path-MTU=800]: Message too long (fd=3,code=90) 2022-02-22 12:31:42 Note adjusting 'mssfix 1400 mtu' to 'mssfix 800 mtu' according to path MTU discovery 2022-02-22 12:31:42 Note adjusting 'fragment 1400 mtu' to 'fragment 800 mtu' according to path MTU discovery ... while at it, fix extra space in first part of these messages, and print o->ce.fragment for the "fragment" message... v2: assume that "if it's linux, and has these two headers, everything else will be there as well" and get rid of most of the #ifdef checks Trac: #1452 Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <20220222113832.13383-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23863.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
2022-02-22 19:38:32 +08:00
linux/types.h linux/errqueue.h poll.h sys/epoll.h err.h \
])
SOCKET_INCLUDES="
#include <stdlib.h>
#ifdef HAVE_SYS_TYPES_H
#include <sys/types.h>
#endif
#ifdef HAVE_SYS_SOCKET_H
#include <sys/socket.h>
#endif
#ifdef HAVE_NET_IF_H
#include <net/if.h>
#endif
#ifdef HAVE_NETINET_IN_H
#include <netinet/in.h>
#endif
#ifdef _WIN32
#include <windows.h>
#endif
#ifdef _WIN32
#include <winsock2.h>
#endif
#ifdef _WIN32
#include <ws2tcpip.h>
#endif
#ifdef HAVE_NETINET_IP_H
#include <netinet/ip.h>
#endif
"
AC_CHECK_HEADERS(
[net/if.h netinet/ip.h resolv.h sys/un.h net/if_utun.h sys/kern_control.h],
,
,
[[${SOCKET_INCLUDES}]]
)
AC_CHECK_TYPES(
[in_addr_t],
,
[AC_DEFINE([in_addr_t], [uint32_t], [Workaround missing in_addr_t])],
[[${SOCKET_INCLUDES}]]
)
AC_CHECK_TYPES(
[in_port_t],
,
[AC_DEFINE([in_port_t], [uint16_t], [Workaround missing in_port_t])],
[[${SOCKET_INCLUDES}]]
)
AC_CHECK_TYPE(
[struct iphdr],
[AC_DEFINE([HAVE_IPHDR], [1], [struct iphdr needed for IPv6 support])],
,
[[${SOCKET_INCLUDES}]]
)
AC_CHECK_TYPE(
[struct msghdr],
[AC_DEFINE([HAVE_MSGHDR], [1], [struct msghdr needed for extended socket error support])],
,
[[${SOCKET_INCLUDES}]]
)
AC_CHECK_TYPE(
[struct cmsghdr],
[AC_DEFINE([HAVE_CMSGHDR], [1], [struct cmsghdr needed for extended socket error support])],
,
[[${SOCKET_INCLUDES}]]
)
AC_CHECK_TYPE(
[struct in_pktinfo],
[AC_DEFINE([HAVE_IN_PKTINFO], [1], [struct in_pktinfo needed for IP_PKTINFO support])],
,
[[${SOCKET_INCLUDES}]]
)
AC_CHECK_TYPE(
[sa_family_t],
[AC_DEFINE([HAVE_SA_FAMILY_T], [1], [sa_family_t, needed to hold AF_* info])],
,
[[${SOCKET_INCLUDES}]]
)
AC_CHECK_MEMBER(
[struct in_pktinfo.ipi_spec_dst],
[AC_DEFINE([HAVE_IPI_SPEC_DST], [1], [struct in_pktinfo.ipi_spec_dst needed for IP_PKTINFO support])],
,
[[${SOCKET_INCLUDES}]]
)
AC_CHECK_TYPE(
[struct sockaddr_in6],
,
[AC_MSG_ERROR([struct sockaddr_in6 not found, needed for ipv6 transport support.])],
[[${SOCKET_INCLUDES}]]
)
AC_CHECK_DECLS(
[SO_MARK],
,
,
[[${SOCKET_INCLUDES}]]
)
AC_MSG_CHECKING([anonymous union support])
AC_COMPILE_IFELSE(
[AC_LANG_PROGRAM(
[[
struct mystruct {
union {
int m1;
char m2;
};
};
]],
[[
struct mystruct s;
s.m1 = 1; s.m2 = 2;
]]
)],
[
AC_MSG_RESULT([yes])
AC_DEFINE([HAVE_ANONYMOUS_UNION_SUPPORT], [], [Compiler supports anonymous unions])
],
[AC_MSG_RESULT([no])]
)
saved_LDFLAGS="$LDFLAGS"
LDFLAGS="$LDFLAGS -Wl,--wrap=exit"
AC_MSG_CHECKING([linker supports --wrap])
AC_LINK_IFELSE(
[AC_LANG_PROGRAM(
[[
void exit(int);
void __real_exit(int);
void __wrap_exit(int i) {
__real_exit(i);
}
]],
[[
exit(0);
]]
)],
[
AC_MSG_RESULT([yes])
have_ld_wrap_support=yes
],
[AC_MSG_RESULT([no])],
)
LDFLAGS="$saved_LDFLAGS"
dnl We emulate signals in Windows
AC_CHECK_DECLS(
[SIGHUP],
,
[AC_DEFINE([SIGHUP], [1], [SIGHUP replacement])],
[[
#include <signal.h>
]]
)
AC_CHECK_DECLS(
[SIGINT],
,
[AC_DEFINE([SIGINT], [2], [SIGINT replacement])],
[[
#include <signal.h>
]]
)
AC_CHECK_DECLS(
[SIGUSR1],
,
[AC_DEFINE([SIGUSR1], [10], [SIGUSR1 replacement])],
[[
#include <signal.h>
]]
)
AC_CHECK_DECLS(
[SIGUSR2],
,
[AC_DEFINE([SIGUSR2], [12], [SIGUSR2 replacement])],
[[
#include <signal.h>
]]
)
AC_CHECK_DECLS(
[SIGTERM],
,
[AC_DEFINE([SIGTERM], [15], [SIGTERM replacement])],
[[
#include <signal.h>
]]
)
AC_FUNC_FORK
AC_CHECK_FUNCS([ \
daemon chroot getpwnam setuid nice system dup dup2 \
syslog openlog mlockall getrlimit getgrnam setgid \
setgroups flock time gettimeofday \
setsid chdir \
chsize ftruncate execve getpeereid basename dirname access \
epoll_create strsep \
])
AC_CHECK_LIB(
[dl],
[dlopen],
[DL_LIBS="-ldl"]
)
AC_SUBST([DL_LIBS])
AC_CHECK_LIB(
[nsl],
[inet_ntoa],
[SOCKETS_LIBS="${SOCKETS_LIBS} -lnsl"]
)
AC_CHECK_LIB(
[socket],
[socket],
[SOCKETS_LIBS="${SOCKETS_LIBS} -lsocket"]
)
AC_CHECK_LIB(
[resolv],
[gethostbyname],
[SOCKETS_LIBS="${SOCKETS_LIBS} -lresolv"]
)
AC_SUBST([SOCKETS_LIBS])
old_LIBS="${LIBS}"
LIBS="${LIBS} ${SOCKETS_LIBS}"
AC_CHECK_FUNCS([sendmsg recvmsg])
LIBS="${old_LIBS}"
# we assume res_init() always exist, but need to find out *where*...
AC_SEARCH_LIBS(__res_init, resolv bind, ,
AC_SEARCH_LIBS(res_9_init, resolv bind, ,
AC_SEARCH_LIBS(res_init, resolv bind, , )))
AC_ARG_VAR([TAP_CFLAGS], [C compiler flags for tap])
old_CFLAGS="${CFLAGS}"
CFLAGS="${CFLAGS} ${TAP_CFLAGS}"
AC_CHECK_HEADERS(
[ \
net/if_tun.h net/tun/if_tun.h \
linux/if_tun.h \
tap-windows.h \
],
[have_tap_header="yes"]
)
AC_CHECK_DECLS(
[TUNSETPERSIST],
[AC_DEFINE([ENABLE_FEATURE_TUN_PERSIST], [1], [We have persist tun capability])],
,
[[
#ifdef HAVE_LINUX_IF_TUN_H
#include <linux/if_tun.h>
#endif
]]
)
CFLAGS="${old_CFLAGS}"
test "${have_tap_header}" = "yes" || AC_MSG_ERROR([no tap header could be found])
AC_CHECK_LIB(
[selinux],
[setcon],
[SELINUX_LIBS="-lselinux"]
)
AC_SUBST([SELINUX_LIBS])
AC_ARG_VAR([LIBPAM_CFLAGS], [C compiler flags for libpam])
AC_ARG_VAR([LIBPAM_LIBS], [linker flags for libpam])
if test -z "${LIBPAM_LIBS}"; then
AC_CHECK_LIB(
[pam],
[pam_start],
[LIBPAM_LIBS="-lpam"]
)
fi
case "${with_mem_check}" in
valgrind)
AC_CHECK_HEADERS(
[valgrind/memcheck.h],
[
CFLAGS="${CFLAGS} -g -fno-inline"
AC_DEFINE(
[USE_VALGRIND],
[1],
[Use valgrind memory debugging library]
)
],
[AC_MSG_ERROR([valgrind headers not found.])]
)
;;
dmalloc)
AC_CHECK_HEADERS(
[dmalloc.h],
[AC_CHECK_LIB(
[dmalloc],
[malloc],
[
LIBS="${LIBS} -ldmalloc"
AC_DEFINE(
[DMALLOC],
[1],
[Use dmalloc memory debugging library]
)
],
[AC_MSG_ERROR([dmalloc library not found.])]
)],
[AC_MSG_ERROR([dmalloc headers not found.])]
)
;;
ssl)
AC_CHECK_LIB(
[ssl],
[CRYPTO_mem_ctrl],
[
AC_DEFINE(
[CRYPTO_MDEBUG],
[1],
[Use memory debugging function in OpenSSL]
)
AC_MSG_NOTICE([NOTE: OpenSSL library must be compiled with CRYPTO_MDEBUG])
],
[AC_MSG_ERROR([Memory Debugging function in OpenSSL library not found.])]
)
;;
esac
PKG_CHECK_MODULES(
[PKCS11_HELPER],
[libpkcs11-helper-1 >= 1.11],
[have_pkcs11_helper="yes"],
[]
)
if test "$enable_dco" != "no"; then
enable_dco_arg="$enable_dco"
if test "${enable_iproute2}" = "yes"; then
AC_MSG_WARN([DCO cannot be enabled when using iproute2])
enable_dco="no"
fi
case "$host" in
*-*-linux*)
if test "$enable_dco" = "no"; then
if test "$enable_dco_arg" = "auto"; then
AC_MSG_WARN([DCO support disabled])
else
AC_MSG_ERROR([DCO support can't be enabled])
fi
else
dnl
dnl Include generic netlink library used to talk to ovpn-dco
dnl
PKG_CHECK_MODULES([LIBNL_GENL],
[libnl-genl-3.0 >= 3.4.0],
[have_libnl="yes"],
[
AC_MSG_ERROR([libnl-genl-3.0 package not found or too old. Is the development package and pkg-config ${pkg_config_found} installed? Must be version 3.4.0 or newer for DCO])
]
)
CFLAGS="${CFLAGS} ${LIBNL_GENL_CFLAGS}"
LIBS="${LIBS} ${LIBNL_GENL_LIBS}"
AC_DEFINE(ENABLE_DCO, 1, [Enable shared data channel offload])
AC_MSG_NOTICE([Enabled ovpn-dco support for Linux])
fi
;;
*-*-freebsd*)
AC_CHECK_HEADERS([net/if_ovpn.h],
[
LIBS="${LIBS} -lnv"
AC_DEFINE(ENABLE_DCO, 1, [Enable data channel offload for FreeBSD])
AC_MSG_NOTICE([Enabled ovpn-dco support for FreeBSD])
],
[
enable_dco="no"
AC_MSG_WARN([DCO header not found.])
]
)
if test "$enable_dco" = "no"; then
if test "$enable_dco_arg" = "auto"; then
AC_MSG_WARN([DCO support disabled])
else
AC_MSG_ERROR([DCO support can't be enabled])
fi
fi
;;
*-mingw*)
AC_MSG_NOTICE([NOTE: --enable-dco ignored on Windows because it's always enabled])
;;
*)
AC_MSG_NOTICE([Ignoring --enable-dco on non supported platform])
;;
esac
fi
dnl
dnl Depend on libcap-ng on Linux
dnl
case "$host" in
*-*-linux*)
# We require pkg-config
PKG_CHECK_MODULES([LIBCAPNG],
[libcap-ng],
[],
[AC_MSG_ERROR([libcap-ng package not found. Is the development package and pkg-config ${pkg_config_found} installed?])]
)
AC_CHECK_HEADER([sys/prctl.h],,[AC_MSG_ERROR([sys/prctl.h not found!])])
CFLAGS="${CFLAGS} ${LIBCAPNG_CFLAGS}"
LIBS="${LIBS} ${LIBCAPNG_LIBS}"
AC_DEFINE(HAVE_LIBCAPNG, 1, [Enable libcap-ng support])
;;
esac
if test "${with_crypto_library}" = "openssl"; then
AC_ARG_VAR([OPENSSL_CFLAGS], [C compiler flags for OpenSSL])
AC_ARG_VAR([OPENSSL_LIBS], [linker flags for OpenSSL])
if test -z "${OPENSSL_CFLAGS}" -a -z "${OPENSSL_LIBS}"; then
# if the user did not explicitly specify flags, try to autodetect
PKG_CHECK_MODULES(
[OPENSSL],
[openssl >= 1.0.2],
Fix broken ./configure on systems without openssl.pc Commit 039a89c331e9b799 changed the OpenSSL check slightly, but that broke ./configure on systems which do not install the openssl.pc pkg-config support file. This is typically an issue on most of the BSD platforms, where the OpenSSL package from the base repository does not provide that file. We should anyway in this case have a better check of OpenSSL version available. So in the case pkg-config fails, it will run an additional test looking for the OpenSSL version number in the opensslv.h header file and check against that version number. I did consider to rip out the pkg-config test all together, but decided to let it stay. If pkg-config works, it provides much more details to the ./configure script than just the version number check - such as include and library paths if those are outside the default system paths. If the user adds OPENSSL_CFLAGS or OPENSSL_LIBS to the ./configure script, the pkg-config will not be run. But this patch ensures that the OpenSSL version is also checked in this situation. This patch have been tested on Scientic Linux 7.3 (RHEL clone) and FreeBSD 10.3-RELEASE-p11. v5 - Remove the right OPENSSL_LIBS and preserve the old one - In PKG_CHECK_MODULES(), check for openssl instead of libssl + libcrypto - Fix tab/space issues once again v4 - Move the CFLAGS/LDFLAGS declarations before the manual version test; otherwise we're still testing the system install version v3 - Remove not needed and duplicated OPENSSL_LIBS assignment - Fix tab/space issues in modified lines v2 - Don't use try to simplify the version matching, use the full OPENSSL_VERSION_NUMBER - Fixed typo (OpneSSL -> OpenSSL) - Improve a few comments Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de> Acked-by: Steffan Karger <steffan.karger@fox-it.com> Message-Id: <20170424143910.20118-1-davids@openvpn.net> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14503.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
2017-04-24 22:39:10 +08:00
[have_openssl="yes"],
[AC_MSG_WARN([OpenSSL not found by pkg-config ${pkg_config_found}])] # If this fails, we will do another test next
)
OPENSSL_LIBS=${OPENSSL_LIBS:--lssl -lcrypto}
fi
saved_CFLAGS="${CFLAGS}"
saved_LIBS="${LIBS}"
CFLAGS="${CFLAGS} ${OPENSSL_CFLAGS}"
LIBS="${LIBS} ${OPENSSL_LIBS}"
Fix broken ./configure on systems without openssl.pc Commit 039a89c331e9b799 changed the OpenSSL check slightly, but that broke ./configure on systems which do not install the openssl.pc pkg-config support file. This is typically an issue on most of the BSD platforms, where the OpenSSL package from the base repository does not provide that file. We should anyway in this case have a better check of OpenSSL version available. So in the case pkg-config fails, it will run an additional test looking for the OpenSSL version number in the opensslv.h header file and check against that version number. I did consider to rip out the pkg-config test all together, but decided to let it stay. If pkg-config works, it provides much more details to the ./configure script than just the version number check - such as include and library paths if those are outside the default system paths. If the user adds OPENSSL_CFLAGS or OPENSSL_LIBS to the ./configure script, the pkg-config will not be run. But this patch ensures that the OpenSSL version is also checked in this situation. This patch have been tested on Scientic Linux 7.3 (RHEL clone) and FreeBSD 10.3-RELEASE-p11. v5 - Remove the right OPENSSL_LIBS and preserve the old one - In PKG_CHECK_MODULES(), check for openssl instead of libssl + libcrypto - Fix tab/space issues once again v4 - Move the CFLAGS/LDFLAGS declarations before the manual version test; otherwise we're still testing the system install version v3 - Remove not needed and duplicated OPENSSL_LIBS assignment - Fix tab/space issues in modified lines v2 - Don't use try to simplify the version matching, use the full OPENSSL_VERSION_NUMBER - Fixed typo (OpneSSL -> OpenSSL) - Improve a few comments Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de> Acked-by: Steffan Karger <steffan.karger@fox-it.com> Message-Id: <20170424143910.20118-1-davids@openvpn.net> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14503.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
2017-04-24 22:39:10 +08:00
# If pkgconfig check failed or OPENSSL_CFLAGS/OPENSSL_LIBS env vars
# are used, check the version directly in the OpenSSL include file
if test "${have_openssl}" != "yes"; then
AC_MSG_CHECKING([additionally if OpenSSL is available and version >= 1.0.2])
Fix broken ./configure on systems without openssl.pc Commit 039a89c331e9b799 changed the OpenSSL check slightly, but that broke ./configure on systems which do not install the openssl.pc pkg-config support file. This is typically an issue on most of the BSD platforms, where the OpenSSL package from the base repository does not provide that file. We should anyway in this case have a better check of OpenSSL version available. So in the case pkg-config fails, it will run an additional test looking for the OpenSSL version number in the opensslv.h header file and check against that version number. I did consider to rip out the pkg-config test all together, but decided to let it stay. If pkg-config works, it provides much more details to the ./configure script than just the version number check - such as include and library paths if those are outside the default system paths. If the user adds OPENSSL_CFLAGS or OPENSSL_LIBS to the ./configure script, the pkg-config will not be run. But this patch ensures that the OpenSSL version is also checked in this situation. This patch have been tested on Scientic Linux 7.3 (RHEL clone) and FreeBSD 10.3-RELEASE-p11. v5 - Remove the right OPENSSL_LIBS and preserve the old one - In PKG_CHECK_MODULES(), check for openssl instead of libssl + libcrypto - Fix tab/space issues once again v4 - Move the CFLAGS/LDFLAGS declarations before the manual version test; otherwise we're still testing the system install version v3 - Remove not needed and duplicated OPENSSL_LIBS assignment - Fix tab/space issues in modified lines v2 - Don't use try to simplify the version matching, use the full OPENSSL_VERSION_NUMBER - Fixed typo (OpneSSL -> OpenSSL) - Improve a few comments Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de> Acked-by: Steffan Karger <steffan.karger@fox-it.com> Message-Id: <20170424143910.20118-1-davids@openvpn.net> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14503.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
2017-04-24 22:39:10 +08:00
AC_COMPILE_IFELSE(
[AC_LANG_PROGRAM(
[[
#include <openssl/opensslv.h>
]],
[[
/* Version encoding: MNNFFPPS - see opensslv.h for details */
#if OPENSSL_VERSION_NUMBER < 0x10002000L
Fix broken ./configure on systems without openssl.pc Commit 039a89c331e9b799 changed the OpenSSL check slightly, but that broke ./configure on systems which do not install the openssl.pc pkg-config support file. This is typically an issue on most of the BSD platforms, where the OpenSSL package from the base repository does not provide that file. We should anyway in this case have a better check of OpenSSL version available. So in the case pkg-config fails, it will run an additional test looking for the OpenSSL version number in the opensslv.h header file and check against that version number. I did consider to rip out the pkg-config test all together, but decided to let it stay. If pkg-config works, it provides much more details to the ./configure script than just the version number check - such as include and library paths if those are outside the default system paths. If the user adds OPENSSL_CFLAGS or OPENSSL_LIBS to the ./configure script, the pkg-config will not be run. But this patch ensures that the OpenSSL version is also checked in this situation. This patch have been tested on Scientic Linux 7.3 (RHEL clone) and FreeBSD 10.3-RELEASE-p11. v5 - Remove the right OPENSSL_LIBS and preserve the old one - In PKG_CHECK_MODULES(), check for openssl instead of libssl + libcrypto - Fix tab/space issues once again v4 - Move the CFLAGS/LDFLAGS declarations before the manual version test; otherwise we're still testing the system install version v3 - Remove not needed and duplicated OPENSSL_LIBS assignment - Fix tab/space issues in modified lines v2 - Don't use try to simplify the version matching, use the full OPENSSL_VERSION_NUMBER - Fixed typo (OpneSSL -> OpenSSL) - Improve a few comments Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de> Acked-by: Steffan Karger <steffan.karger@fox-it.com> Message-Id: <20170424143910.20118-1-davids@openvpn.net> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14503.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
2017-04-24 22:39:10 +08:00
#error OpenSSL too old
#endif
]]
)],
[AC_MSG_RESULT([ok])],
[AC_MSG_ERROR([OpenSSL version too old])]
)
fi
AC_CHECK_FUNCS([SSL_CTX_new],
,
[AC_MSG_ERROR([openssl check failed])]
)
if test "${with_openssl_engine}" = "auto"; then
AC_COMPILE_IFELSE(
[AC_LANG_PROGRAM(
[[
#include <openssl/opensslv.h>
#include <openssl/opensslconf.h>
]],
[[
/* Version encoding: MNNFFPPS - see opensslv.h for details */
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
#error Engine support disabled by default in OpenSSL 3.0+
#endif
/* BoringSSL and LibreSSL >= 3.8.1 removed engine support */
#ifdef OPENSSL_NO_ENGINE
#error Engine support disabled in openssl/opensslconf.h
#endif
]]
)],
[have_openssl_engine="yes"],
[have_openssl_engine="no"]
)
if test "${have_openssl_engine}" = "yes"; then
AC_CHECK_FUNCS(
[ \
ENGINE_load_builtin_engines \
ENGINE_register_all_complete \
],
,
[have_openssl_engine="no"; break]
)
fi
else
have_openssl_engine="${with_openssl_engine}"
if test "${have_openssl_engine}" = "yes"; then
AC_CHECK_FUNCS(
[ \
ENGINE_load_builtin_engines \
ENGINE_register_all_complete \
],
,
[AC_MSG_ERROR([OpenSSL engine support not found])]
)
fi
fi
if test "${have_openssl_engine}" = "yes"; then
AC_DEFINE([HAVE_OPENSSL_ENGINE], [1], [OpenSSL engine support available])
fi
AC_CHECK_FUNC(
Add AEAD cipher support (GCM) Add Authenticated Encryption with Additional Data (AEAD) support for ciphers, which removes the need for a separate HMAC step. The MAC is integrated into the cipher and the MAC tag is prepended to the payload. This patch is inspired by the patch originally submitted by Kenny Root on the openvpn-devel mailinglist, but does a number things differently: * Don't support XTS (makes no sense for VPN) * Don't support CCM (needs extra code to make it actually work) * Don't force the user to specify "auth none" (that would break tls-auth) * Add support for PolarSSL (and change internal API for this) * Update openvpn frame size ('link mtu') calculation for AEAD modes * Use the HMAC key as an implicit part of the IV to save 8 bytes per data channel network packet. * Also authenticate the opcode/peer-id as AD in P_DATA_V2 packets. By using the negotiated HMAC key as an implicit part of the IV for AEAD-mode ciphers in TLS mode, we can save (at least) 8 bytes on each packet sent. This is particularly interesting for connections which transfer many small packets, such as remote desktop or voip connections. The current AEAD-mode ciphers (for now GCM) are based on CTR-mode cipher operation, which requires the IV to be unique (but does not require unpredictability). IV uniqueness is guaranteed by using a combination of at least 64-bits of the HMAC key (unique per TLS session), and a 32-bit packet counter. The last 32-bit word of the 128-bit cipher block is not part of the IV, but is used as a block counter. AEAD cipher mode is not available for static key mode, since IV uniqueness is harder the guarantee over sessions, and I believe supporting AEAD in static key mode too is not worth the extra complexity. Modern setups should simply use TLS mode. OpenSSL 1.0.1-1.0.1c will not work with AEAD mode, because those versions have an unnecessary check that fails to update the cipher if the tag was not already set. 1.0.1d, which fixes that, was released in February 2013. People should have updated, and distros should have backported the fix by now. Changes in v2: * Remove extra code that was just for making OpenSSL 1.0.1-1.0.1c work in AEAD mode. * Do not make AEAD support configurable in ./configure. * Get rid of '12' magic constant in openvpn_encrypt_aead(). * Update manpage to explain that --auth is ignored for the data channel when using an AEAD cipher. * Move setting the IV in AEAD cipher modes to the IV generation code. This is a more natural place and now we can pull iv[] into the IV generation scope. * Read packet ID directly from packet buffer instead of from iv buffer, to remove the need for an extra buffer. Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <CAA1AbxL_S4umZr5Nd0VTvUvXEHjoWmji18GqM6FgmWqntOKqaA@mail.gmail.com> URL: http://article.gmane.org/gmane.network.openvpn.devel/11162 Signed-off-by: Gert Doering <gert@greenie.muc.de>
2015-10-24 22:44:09 +08:00
[EVP_aes_256_gcm],
,
[AC_MSG_ERROR([OpenSSL check for AES-256-GCM support failed])]
Add AEAD cipher support (GCM) Add Authenticated Encryption with Additional Data (AEAD) support for ciphers, which removes the need for a separate HMAC step. The MAC is integrated into the cipher and the MAC tag is prepended to the payload. This patch is inspired by the patch originally submitted by Kenny Root on the openvpn-devel mailinglist, but does a number things differently: * Don't support XTS (makes no sense for VPN) * Don't support CCM (needs extra code to make it actually work) * Don't force the user to specify "auth none" (that would break tls-auth) * Add support for PolarSSL (and change internal API for this) * Update openvpn frame size ('link mtu') calculation for AEAD modes * Use the HMAC key as an implicit part of the IV to save 8 bytes per data channel network packet. * Also authenticate the opcode/peer-id as AD in P_DATA_V2 packets. By using the negotiated HMAC key as an implicit part of the IV for AEAD-mode ciphers in TLS mode, we can save (at least) 8 bytes on each packet sent. This is particularly interesting for connections which transfer many small packets, such as remote desktop or voip connections. The current AEAD-mode ciphers (for now GCM) are based on CTR-mode cipher operation, which requires the IV to be unique (but does not require unpredictability). IV uniqueness is guaranteed by using a combination of at least 64-bits of the HMAC key (unique per TLS session), and a 32-bit packet counter. The last 32-bit word of the 128-bit cipher block is not part of the IV, but is used as a block counter. AEAD cipher mode is not available for static key mode, since IV uniqueness is harder the guarantee over sessions, and I believe supporting AEAD in static key mode too is not worth the extra complexity. Modern setups should simply use TLS mode. OpenSSL 1.0.1-1.0.1c will not work with AEAD mode, because those versions have an unnecessary check that fails to update the cipher if the tag was not already set. 1.0.1d, which fixes that, was released in February 2013. People should have updated, and distros should have backported the fix by now. Changes in v2: * Remove extra code that was just for making OpenSSL 1.0.1-1.0.1c work in AEAD mode. * Do not make AEAD support configurable in ./configure. * Get rid of '12' magic constant in openvpn_encrypt_aead(). * Update manpage to explain that --auth is ignored for the data channel when using an AEAD cipher. * Move setting the IV in AEAD cipher modes to the IV generation code. This is a more natural place and now we can pull iv[] into the IV generation scope. * Read packet ID directly from packet buffer instead of from iv buffer, to remove the need for an extra buffer. Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <CAA1AbxL_S4umZr5Nd0VTvUvXEHjoWmji18GqM6FgmWqntOKqaA@mail.gmail.com> URL: http://article.gmane.org/gmane.network.openvpn.devel/11162 Signed-off-by: Gert Doering <gert@greenie.muc.de>
2015-10-24 22:44:09 +08:00
)
# All supported OpenSSL version (>= 1.0.2)
# have this feature
have_export_keying_material="yes"
CFLAGS="${saved_CFLAGS}"
LIBS="${saved_LIBS}"
AC_DEFINE([ENABLE_CRYPTO_OPENSSL], [1], [Use OpenSSL library])
CRYPTO_CFLAGS="${OPENSSL_CFLAGS}"
CRYPTO_LIBS="${OPENSSL_LIBS}"
elif test "${with_crypto_library}" = "mbedtls"; then
Migrate to mbed TLS 2.x PolarSSL / mbed TLS 1.3 is going end-of-life by 2016-12-31, so let's move the master branch on to the 2.x series. This patch purges all references to polarssl, except for file names and some comments referring to 1.2 and earlier, which were never released as 'mbed TLS'. A separate patch for the file names follows, so the real changes are easier to spot without git-fu. This patch intends to not change any behaviour. The vast majority of this patch is just renaming functions and structs. There are some small changes in the implementation: * In ssl_polarssl.c: the debug callback prototype changed, so our implementation changed a bit too. * in ssl_polarssl.c: the old polarssl ssl_context is now split into a mbedtls_ssl_config and mbedtls_ssl_context. The intention is that mbedtls_ssl_config is shared among connections, and mbedtls_ssl_context contains the per-connection state. That doesn't work for us, because we use per-connection verify callback data, while the verify callback is registered on mbed_tls_config. Therefore we still need to init a mbed_tls_config struct for each connection. * in ssl_polarssl.c: the mbed bio handling changed, so our implementation changed a bit too. * in ssl_polarssl.c and ssl_verify_polarssl.c: the mbedtls x509 parse functions now fail if we don't provide a NUL-terminated string, so use strlen()+1 as the length argument to include the terminating NUL. I tested this patch to work with: * 'make check' (with 2.0.0 and 2.2.1, other tests just with 2.2.1) * static key mode * TLS mode with PEM key file * TLS mode with password protected PEM key file * TLS mode with management-external-key * TLS mode with PKCS#11 * TLS mode with inline ca/key/cert/dh Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <1460918143-408-1-git-send-email-steffan@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/11458 Signed-off-by: Gert Doering <gert@greenie.muc.de>
2016-04-18 02:35:42 +08:00
AC_ARG_VAR([MBEDTLS_CFLAGS], [C compiler flags for mbedtls])
AC_ARG_VAR([MBEDTLS_LIBS], [linker flags for mbedtls])
saved_CFLAGS="${CFLAGS}"
saved_LIBS="${LIBS}"
Migrate to mbed TLS 2.x PolarSSL / mbed TLS 1.3 is going end-of-life by 2016-12-31, so let's move the master branch on to the 2.x series. This patch purges all references to polarssl, except for file names and some comments referring to 1.2 and earlier, which were never released as 'mbed TLS'. A separate patch for the file names follows, so the real changes are easier to spot without git-fu. This patch intends to not change any behaviour. The vast majority of this patch is just renaming functions and structs. There are some small changes in the implementation: * In ssl_polarssl.c: the debug callback prototype changed, so our implementation changed a bit too. * in ssl_polarssl.c: the old polarssl ssl_context is now split into a mbedtls_ssl_config and mbedtls_ssl_context. The intention is that mbedtls_ssl_config is shared among connections, and mbedtls_ssl_context contains the per-connection state. That doesn't work for us, because we use per-connection verify callback data, while the verify callback is registered on mbed_tls_config. Therefore we still need to init a mbed_tls_config struct for each connection. * in ssl_polarssl.c: the mbed bio handling changed, so our implementation changed a bit too. * in ssl_polarssl.c and ssl_verify_polarssl.c: the mbedtls x509 parse functions now fail if we don't provide a NUL-terminated string, so use strlen()+1 as the length argument to include the terminating NUL. I tested this patch to work with: * 'make check' (with 2.0.0 and 2.2.1, other tests just with 2.2.1) * static key mode * TLS mode with PEM key file * TLS mode with password protected PEM key file * TLS mode with management-external-key * TLS mode with PKCS#11 * TLS mode with inline ca/key/cert/dh Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <1460918143-408-1-git-send-email-steffan@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/11458 Signed-off-by: Gert Doering <gert@greenie.muc.de>
2016-04-18 02:35:42 +08:00
if test -z "${MBEDTLS_CFLAGS}" -a -z "${MBEDTLS_LIBS}"; then
# if the user did not explicitly specify flags, try to autodetect
LIBS="${LIBS} -lmbedtls -lmbedx509 -lmbedcrypto"
Migrate to mbed TLS 2.x PolarSSL / mbed TLS 1.3 is going end-of-life by 2016-12-31, so let's move the master branch on to the 2.x series. This patch purges all references to polarssl, except for file names and some comments referring to 1.2 and earlier, which were never released as 'mbed TLS'. A separate patch for the file names follows, so the real changes are easier to spot without git-fu. This patch intends to not change any behaviour. The vast majority of this patch is just renaming functions and structs. There are some small changes in the implementation: * In ssl_polarssl.c: the debug callback prototype changed, so our implementation changed a bit too. * in ssl_polarssl.c: the old polarssl ssl_context is now split into a mbedtls_ssl_config and mbedtls_ssl_context. The intention is that mbedtls_ssl_config is shared among connections, and mbedtls_ssl_context contains the per-connection state. That doesn't work for us, because we use per-connection verify callback data, while the verify callback is registered on mbed_tls_config. Therefore we still need to init a mbed_tls_config struct for each connection. * in ssl_polarssl.c: the mbed bio handling changed, so our implementation changed a bit too. * in ssl_polarssl.c and ssl_verify_polarssl.c: the mbedtls x509 parse functions now fail if we don't provide a NUL-terminated string, so use strlen()+1 as the length argument to include the terminating NUL. I tested this patch to work with: * 'make check' (with 2.0.0 and 2.2.1, other tests just with 2.2.1) * static key mode * TLS mode with PEM key file * TLS mode with password protected PEM key file * TLS mode with management-external-key * TLS mode with PKCS#11 * TLS mode with inline ca/key/cert/dh Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <1460918143-408-1-git-send-email-steffan@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/11458 Signed-off-by: Gert Doering <gert@greenie.muc.de>
2016-04-18 02:35:42 +08:00
AC_CHECK_LIB(
[mbedtls],
[mbedtls_ssl_init],
[MBEDTLS_LIBS="-lmbedtls -lmbedx509 -lmbedcrypto"],
Migrate to mbed TLS 2.x PolarSSL / mbed TLS 1.3 is going end-of-life by 2016-12-31, so let's move the master branch on to the 2.x series. This patch purges all references to polarssl, except for file names and some comments referring to 1.2 and earlier, which were never released as 'mbed TLS'. A separate patch for the file names follows, so the real changes are easier to spot without git-fu. This patch intends to not change any behaviour. The vast majority of this patch is just renaming functions and structs. There are some small changes in the implementation: * In ssl_polarssl.c: the debug callback prototype changed, so our implementation changed a bit too. * in ssl_polarssl.c: the old polarssl ssl_context is now split into a mbedtls_ssl_config and mbedtls_ssl_context. The intention is that mbedtls_ssl_config is shared among connections, and mbedtls_ssl_context contains the per-connection state. That doesn't work for us, because we use per-connection verify callback data, while the verify callback is registered on mbed_tls_config. Therefore we still need to init a mbed_tls_config struct for each connection. * in ssl_polarssl.c: the mbed bio handling changed, so our implementation changed a bit too. * in ssl_polarssl.c and ssl_verify_polarssl.c: the mbedtls x509 parse functions now fail if we don't provide a NUL-terminated string, so use strlen()+1 as the length argument to include the terminating NUL. I tested this patch to work with: * 'make check' (with 2.0.0 and 2.2.1, other tests just with 2.2.1) * static key mode * TLS mode with PEM key file * TLS mode with password protected PEM key file * TLS mode with management-external-key * TLS mode with PKCS#11 * TLS mode with inline ca/key/cert/dh Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <1460918143-408-1-git-send-email-steffan@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/11458 Signed-off-by: Gert Doering <gert@greenie.muc.de>
2016-04-18 02:35:42 +08:00
[AC_MSG_ERROR([Could not find mbed TLS.])],
[${PKCS11_HELPER_LIBS}]
)
fi
Migrate to mbed TLS 2.x PolarSSL / mbed TLS 1.3 is going end-of-life by 2016-12-31, so let's move the master branch on to the 2.x series. This patch purges all references to polarssl, except for file names and some comments referring to 1.2 and earlier, which were never released as 'mbed TLS'. A separate patch for the file names follows, so the real changes are easier to spot without git-fu. This patch intends to not change any behaviour. The vast majority of this patch is just renaming functions and structs. There are some small changes in the implementation: * In ssl_polarssl.c: the debug callback prototype changed, so our implementation changed a bit too. * in ssl_polarssl.c: the old polarssl ssl_context is now split into a mbedtls_ssl_config and mbedtls_ssl_context. The intention is that mbedtls_ssl_config is shared among connections, and mbedtls_ssl_context contains the per-connection state. That doesn't work for us, because we use per-connection verify callback data, while the verify callback is registered on mbed_tls_config. Therefore we still need to init a mbed_tls_config struct for each connection. * in ssl_polarssl.c: the mbed bio handling changed, so our implementation changed a bit too. * in ssl_polarssl.c and ssl_verify_polarssl.c: the mbedtls x509 parse functions now fail if we don't provide a NUL-terminated string, so use strlen()+1 as the length argument to include the terminating NUL. I tested this patch to work with: * 'make check' (with 2.0.0 and 2.2.1, other tests just with 2.2.1) * static key mode * TLS mode with PEM key file * TLS mode with password protected PEM key file * TLS mode with management-external-key * TLS mode with PKCS#11 * TLS mode with inline ca/key/cert/dh Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <1460918143-408-1-git-send-email-steffan@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/11458 Signed-off-by: Gert Doering <gert@greenie.muc.de>
2016-04-18 02:35:42 +08:00
CFLAGS="${MBEDTLS_CFLAGS} ${PKCS11_HELPER_CFLAGS} ${CFLAGS}"
LIBS="${MBEDTLS_LIBS} ${PKCS11_HELPER_LIBS} ${LIBS}"
Migrate to mbed TLS 2.x PolarSSL / mbed TLS 1.3 is going end-of-life by 2016-12-31, so let's move the master branch on to the 2.x series. This patch purges all references to polarssl, except for file names and some comments referring to 1.2 and earlier, which were never released as 'mbed TLS'. A separate patch for the file names follows, so the real changes are easier to spot without git-fu. This patch intends to not change any behaviour. The vast majority of this patch is just renaming functions and structs. There are some small changes in the implementation: * In ssl_polarssl.c: the debug callback prototype changed, so our implementation changed a bit too. * in ssl_polarssl.c: the old polarssl ssl_context is now split into a mbedtls_ssl_config and mbedtls_ssl_context. The intention is that mbedtls_ssl_config is shared among connections, and mbedtls_ssl_context contains the per-connection state. That doesn't work for us, because we use per-connection verify callback data, while the verify callback is registered on mbed_tls_config. Therefore we still need to init a mbed_tls_config struct for each connection. * in ssl_polarssl.c: the mbed bio handling changed, so our implementation changed a bit too. * in ssl_polarssl.c and ssl_verify_polarssl.c: the mbedtls x509 parse functions now fail if we don't provide a NUL-terminated string, so use strlen()+1 as the length argument to include the terminating NUL. I tested this patch to work with: * 'make check' (with 2.0.0 and 2.2.1, other tests just with 2.2.1) * static key mode * TLS mode with PEM key file * TLS mode with password protected PEM key file * TLS mode with management-external-key * TLS mode with PKCS#11 * TLS mode with inline ca/key/cert/dh Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <1460918143-408-1-git-send-email-steffan@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/11458 Signed-off-by: Gert Doering <gert@greenie.muc.de>
2016-04-18 02:35:42 +08:00
AC_MSG_CHECKING([mbedtls version])
AC_COMPILE_IFELSE(
[AC_LANG_PROGRAM(
[[
Migrate to mbed TLS 2.x PolarSSL / mbed TLS 1.3 is going end-of-life by 2016-12-31, so let's move the master branch on to the 2.x series. This patch purges all references to polarssl, except for file names and some comments referring to 1.2 and earlier, which were never released as 'mbed TLS'. A separate patch for the file names follows, so the real changes are easier to spot without git-fu. This patch intends to not change any behaviour. The vast majority of this patch is just renaming functions and structs. There are some small changes in the implementation: * In ssl_polarssl.c: the debug callback prototype changed, so our implementation changed a bit too. * in ssl_polarssl.c: the old polarssl ssl_context is now split into a mbedtls_ssl_config and mbedtls_ssl_context. The intention is that mbedtls_ssl_config is shared among connections, and mbedtls_ssl_context contains the per-connection state. That doesn't work for us, because we use per-connection verify callback data, while the verify callback is registered on mbed_tls_config. Therefore we still need to init a mbed_tls_config struct for each connection. * in ssl_polarssl.c: the mbed bio handling changed, so our implementation changed a bit too. * in ssl_polarssl.c and ssl_verify_polarssl.c: the mbedtls x509 parse functions now fail if we don't provide a NUL-terminated string, so use strlen()+1 as the length argument to include the terminating NUL. I tested this patch to work with: * 'make check' (with 2.0.0 and 2.2.1, other tests just with 2.2.1) * static key mode * TLS mode with PEM key file * TLS mode with password protected PEM key file * TLS mode with management-external-key * TLS mode with PKCS#11 * TLS mode with inline ca/key/cert/dh Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <1460918143-408-1-git-send-email-steffan@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/11458 Signed-off-by: Gert Doering <gert@greenie.muc.de>
2016-04-18 02:35:42 +08:00
#include <mbedtls/version.h>
]],
[[
#if MBEDTLS_VERSION_NUMBER < 0x02000000 || (MBEDTLS_VERSION_NUMBER >= 0x03000000 && MBEDTLS_VERSION_NUMBER < 0x03020100)
#error invalid version
#endif
]]
)],
[AC_MSG_RESULT([ok])],
[AC_MSG_ERROR([mbed TLS version >= 2.0.0 or >= 3.2.1 required])]
)
AC_CHECK_HEADER(
psa/crypto.h,
[AC_DEFINE([HAVE_MBEDTLS_PSA_CRYPTO_H], [1], [yes])],
[AC_DEFINE([HAVE_MBEDTLS_PSA_CRYPTO_H], [0], [no])]
)
Add AEAD cipher support (GCM) Add Authenticated Encryption with Additional Data (AEAD) support for ciphers, which removes the need for a separate HMAC step. The MAC is integrated into the cipher and the MAC tag is prepended to the payload. This patch is inspired by the patch originally submitted by Kenny Root on the openvpn-devel mailinglist, but does a number things differently: * Don't support XTS (makes no sense for VPN) * Don't support CCM (needs extra code to make it actually work) * Don't force the user to specify "auth none" (that would break tls-auth) * Add support for PolarSSL (and change internal API for this) * Update openvpn frame size ('link mtu') calculation for AEAD modes * Use the HMAC key as an implicit part of the IV to save 8 bytes per data channel network packet. * Also authenticate the opcode/peer-id as AD in P_DATA_V2 packets. By using the negotiated HMAC key as an implicit part of the IV for AEAD-mode ciphers in TLS mode, we can save (at least) 8 bytes on each packet sent. This is particularly interesting for connections which transfer many small packets, such as remote desktop or voip connections. The current AEAD-mode ciphers (for now GCM) are based on CTR-mode cipher operation, which requires the IV to be unique (but does not require unpredictability). IV uniqueness is guaranteed by using a combination of at least 64-bits of the HMAC key (unique per TLS session), and a 32-bit packet counter. The last 32-bit word of the 128-bit cipher block is not part of the IV, but is used as a block counter. AEAD cipher mode is not available for static key mode, since IV uniqueness is harder the guarantee over sessions, and I believe supporting AEAD in static key mode too is not worth the extra complexity. Modern setups should simply use TLS mode. OpenSSL 1.0.1-1.0.1c will not work with AEAD mode, because those versions have an unnecessary check that fails to update the cipher if the tag was not already set. 1.0.1d, which fixes that, was released in February 2013. People should have updated, and distros should have backported the fix by now. Changes in v2: * Remove extra code that was just for making OpenSSL 1.0.1-1.0.1c work in AEAD mode. * Do not make AEAD support configurable in ./configure. * Get rid of '12' magic constant in openvpn_encrypt_aead(). * Update manpage to explain that --auth is ignored for the data channel when using an AEAD cipher. * Move setting the IV in AEAD cipher modes to the IV generation code. This is a more natural place and now we can pull iv[] into the IV generation scope. * Read packet ID directly from packet buffer instead of from iv buffer, to remove the need for an extra buffer. Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <CAA1AbxL_S4umZr5Nd0VTvUvXEHjoWmji18GqM6FgmWqntOKqaA@mail.gmail.com> URL: http://article.gmane.org/gmane.network.openvpn.devel/11162 Signed-off-by: Gert Doering <gert@greenie.muc.de>
2015-10-24 22:44:09 +08:00
AC_CHECK_FUNCS(
[ \
Migrate to mbed TLS 2.x PolarSSL / mbed TLS 1.3 is going end-of-life by 2016-12-31, so let's move the master branch on to the 2.x series. This patch purges all references to polarssl, except for file names and some comments referring to 1.2 and earlier, which were never released as 'mbed TLS'. A separate patch for the file names follows, so the real changes are easier to spot without git-fu. This patch intends to not change any behaviour. The vast majority of this patch is just renaming functions and structs. There are some small changes in the implementation: * In ssl_polarssl.c: the debug callback prototype changed, so our implementation changed a bit too. * in ssl_polarssl.c: the old polarssl ssl_context is now split into a mbedtls_ssl_config and mbedtls_ssl_context. The intention is that mbedtls_ssl_config is shared among connections, and mbedtls_ssl_context contains the per-connection state. That doesn't work for us, because we use per-connection verify callback data, while the verify callback is registered on mbed_tls_config. Therefore we still need to init a mbed_tls_config struct for each connection. * in ssl_polarssl.c: the mbed bio handling changed, so our implementation changed a bit too. * in ssl_polarssl.c and ssl_verify_polarssl.c: the mbedtls x509 parse functions now fail if we don't provide a NUL-terminated string, so use strlen()+1 as the length argument to include the terminating NUL. I tested this patch to work with: * 'make check' (with 2.0.0 and 2.2.1, other tests just with 2.2.1) * static key mode * TLS mode with PEM key file * TLS mode with password protected PEM key file * TLS mode with management-external-key * TLS mode with PKCS#11 * TLS mode with inline ca/key/cert/dh Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <1460918143-408-1-git-send-email-steffan@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/11458 Signed-off-by: Gert Doering <gert@greenie.muc.de>
2016-04-18 02:35:42 +08:00
mbedtls_cipher_write_tag \
mbedtls_cipher_check_tag \
Add AEAD cipher support (GCM) Add Authenticated Encryption with Additional Data (AEAD) support for ciphers, which removes the need for a separate HMAC step. The MAC is integrated into the cipher and the MAC tag is prepended to the payload. This patch is inspired by the patch originally submitted by Kenny Root on the openvpn-devel mailinglist, but does a number things differently: * Don't support XTS (makes no sense for VPN) * Don't support CCM (needs extra code to make it actually work) * Don't force the user to specify "auth none" (that would break tls-auth) * Add support for PolarSSL (and change internal API for this) * Update openvpn frame size ('link mtu') calculation for AEAD modes * Use the HMAC key as an implicit part of the IV to save 8 bytes per data channel network packet. * Also authenticate the opcode/peer-id as AD in P_DATA_V2 packets. By using the negotiated HMAC key as an implicit part of the IV for AEAD-mode ciphers in TLS mode, we can save (at least) 8 bytes on each packet sent. This is particularly interesting for connections which transfer many small packets, such as remote desktop or voip connections. The current AEAD-mode ciphers (for now GCM) are based on CTR-mode cipher operation, which requires the IV to be unique (but does not require unpredictability). IV uniqueness is guaranteed by using a combination of at least 64-bits of the HMAC key (unique per TLS session), and a 32-bit packet counter. The last 32-bit word of the 128-bit cipher block is not part of the IV, but is used as a block counter. AEAD cipher mode is not available for static key mode, since IV uniqueness is harder the guarantee over sessions, and I believe supporting AEAD in static key mode too is not worth the extra complexity. Modern setups should simply use TLS mode. OpenSSL 1.0.1-1.0.1c will not work with AEAD mode, because those versions have an unnecessary check that fails to update the cipher if the tag was not already set. 1.0.1d, which fixes that, was released in February 2013. People should have updated, and distros should have backported the fix by now. Changes in v2: * Remove extra code that was just for making OpenSSL 1.0.1-1.0.1c work in AEAD mode. * Do not make AEAD support configurable in ./configure. * Get rid of '12' magic constant in openvpn_encrypt_aead(). * Update manpage to explain that --auth is ignored for the data channel when using an AEAD cipher. * Move setting the IV in AEAD cipher modes to the IV generation code. This is a more natural place and now we can pull iv[] into the IV generation scope. * Read packet ID directly from packet buffer instead of from iv buffer, to remove the need for an extra buffer. Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <CAA1AbxL_S4umZr5Nd0VTvUvXEHjoWmji18GqM6FgmWqntOKqaA@mail.gmail.com> URL: http://article.gmane.org/gmane.network.openvpn.devel/11162 Signed-off-by: Gert Doering <gert@greenie.muc.de>
2015-10-24 22:44:09 +08:00
],
,
[AC_MSG_ERROR([mbed TLS check for AEAD support failed])]
Add AEAD cipher support (GCM) Add Authenticated Encryption with Additional Data (AEAD) support for ciphers, which removes the need for a separate HMAC step. The MAC is integrated into the cipher and the MAC tag is prepended to the payload. This patch is inspired by the patch originally submitted by Kenny Root on the openvpn-devel mailinglist, but does a number things differently: * Don't support XTS (makes no sense for VPN) * Don't support CCM (needs extra code to make it actually work) * Don't force the user to specify "auth none" (that would break tls-auth) * Add support for PolarSSL (and change internal API for this) * Update openvpn frame size ('link mtu') calculation for AEAD modes * Use the HMAC key as an implicit part of the IV to save 8 bytes per data channel network packet. * Also authenticate the opcode/peer-id as AD in P_DATA_V2 packets. By using the negotiated HMAC key as an implicit part of the IV for AEAD-mode ciphers in TLS mode, we can save (at least) 8 bytes on each packet sent. This is particularly interesting for connections which transfer many small packets, such as remote desktop or voip connections. The current AEAD-mode ciphers (for now GCM) are based on CTR-mode cipher operation, which requires the IV to be unique (but does not require unpredictability). IV uniqueness is guaranteed by using a combination of at least 64-bits of the HMAC key (unique per TLS session), and a 32-bit packet counter. The last 32-bit word of the 128-bit cipher block is not part of the IV, but is used as a block counter. AEAD cipher mode is not available for static key mode, since IV uniqueness is harder the guarantee over sessions, and I believe supporting AEAD in static key mode too is not worth the extra complexity. Modern setups should simply use TLS mode. OpenSSL 1.0.1-1.0.1c will not work with AEAD mode, because those versions have an unnecessary check that fails to update the cipher if the tag was not already set. 1.0.1d, which fixes that, was released in February 2013. People should have updated, and distros should have backported the fix by now. Changes in v2: * Remove extra code that was just for making OpenSSL 1.0.1-1.0.1c work in AEAD mode. * Do not make AEAD support configurable in ./configure. * Get rid of '12' magic constant in openvpn_encrypt_aead(). * Update manpage to explain that --auth is ignored for the data channel when using an AEAD cipher. * Move setting the IV in AEAD cipher modes to the IV generation code. This is a more natural place and now we can pull iv[] into the IV generation scope. * Read packet ID directly from packet buffer instead of from iv buffer, to remove the need for an extra buffer. Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <CAA1AbxL_S4umZr5Nd0VTvUvXEHjoWmji18GqM6FgmWqntOKqaA@mail.gmail.com> URL: http://article.gmane.org/gmane.network.openvpn.devel/11162 Signed-off-by: Gert Doering <gert@greenie.muc.de>
2015-10-24 22:44:09 +08:00
)
AC_CHECK_FUNC(
[mbedtls_ssl_tls_prf],
[AC_DEFINE([HAVE_MBEDTLS_SSL_TLS_PRF], [1], [yes])],
[AC_DEFINE([HAVE_MBEDTLS_SSL_TLS_PRF], [0], [no])]
)
have_export_keying_material="yes"
AC_CHECK_FUNC(
[mbedtls_ssl_conf_export_keys_ext_cb],
[AC_DEFINE([HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB], [1], [yes])],
[AC_DEFINE([HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB], [0], [no])]
)
if test "x$ac_cv_func_mbedtls_ssl_conf_export_keys_ext_cb" != xyes; then
AC_CHECK_FUNC(
[mbedtls_ssl_set_export_keys_cb],
[AC_DEFINE([HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB], [1], [yes])],
[AC_DEFINE([HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB], [0], [no])]
)
if test "x$ac_cv_func_mbedtls_ssl_set_export_keys_cb" != xyes; then
have_export_keying_material="no"
fi
fi
AC_CHECK_FUNC(
[mbedtls_ctr_drbg_update_ret],
AC_DEFINE([HAVE_MBEDTLS_CTR_DRBG_UPDATE_RET], [1],
[Use mbedtls_ctr_drbg_update_ret from mbed TLS]),
)
CFLAGS="${saved_CFLAGS}"
LIBS="${saved_LIBS}"
Migrate to mbed TLS 2.x PolarSSL / mbed TLS 1.3 is going end-of-life by 2016-12-31, so let's move the master branch on to the 2.x series. This patch purges all references to polarssl, except for file names and some comments referring to 1.2 and earlier, which were never released as 'mbed TLS'. A separate patch for the file names follows, so the real changes are easier to spot without git-fu. This patch intends to not change any behaviour. The vast majority of this patch is just renaming functions and structs. There are some small changes in the implementation: * In ssl_polarssl.c: the debug callback prototype changed, so our implementation changed a bit too. * in ssl_polarssl.c: the old polarssl ssl_context is now split into a mbedtls_ssl_config and mbedtls_ssl_context. The intention is that mbedtls_ssl_config is shared among connections, and mbedtls_ssl_context contains the per-connection state. That doesn't work for us, because we use per-connection verify callback data, while the verify callback is registered on mbed_tls_config. Therefore we still need to init a mbed_tls_config struct for each connection. * in ssl_polarssl.c: the mbed bio handling changed, so our implementation changed a bit too. * in ssl_polarssl.c and ssl_verify_polarssl.c: the mbedtls x509 parse functions now fail if we don't provide a NUL-terminated string, so use strlen()+1 as the length argument to include the terminating NUL. I tested this patch to work with: * 'make check' (with 2.0.0 and 2.2.1, other tests just with 2.2.1) * static key mode * TLS mode with PEM key file * TLS mode with password protected PEM key file * TLS mode with management-external-key * TLS mode with PKCS#11 * TLS mode with inline ca/key/cert/dh Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <1460918143-408-1-git-send-email-steffan@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/11458 Signed-off-by: Gert Doering <gert@greenie.muc.de>
2016-04-18 02:35:42 +08:00
AC_DEFINE([ENABLE_CRYPTO_MBEDTLS], [1], [Use mbed TLS library])
CRYPTO_CFLAGS="${MBEDTLS_CFLAGS}"
CRYPTO_LIBS="${MBEDTLS_LIBS}"
elif test "${with_crypto_library}" = "wolfssl"; then
AC_ARG_VAR([WOLFSSL_CFLAGS], [C compiler flags for wolfssl. The include directory should
contain the regular wolfSSL header files but also the
wolfSSL OpenSSL header files. Ex: -I/usr/local/include
-I/usr/local/include/wolfssl])
AC_ARG_VAR([WOLFSSL_LIBS], [linker flags for wolfssl])
saved_CFLAGS="${CFLAGS}"
saved_LIBS="${LIBS}"
if test -z "${WOLFSSL_CFLAGS}" -a -z "${WOLFSSL_LIBS}"; then
# if the user did not explicitly specify flags, try to autodetect
PKG_CHECK_MODULES(
[WOLFSSL],
[wolfssl],
[],
[AC_MSG_ERROR([Could not find wolfSSL using pkg-config ${pkg_config_found}])]
)
PKG_CHECK_VAR(
[WOLFSSL_INCLUDEDIR],
[wolfssl],
[includedir],
[],
[AC_MSG_ERROR([Could not find wolfSSL includedir variable.])]
)
WOLFSSL_CFLAGS="${WOLFSSL_CFLAGS} -I${WOLFSSL_INCLUDEDIR}/wolfssl"
fi
saved_CFLAGS="${CFLAGS}"
saved_LIBS="${LIBS}"
CFLAGS="${CFLAGS} ${WOLFSSL_CFLAGS}"
LIBS="${LIBS} ${WOLFSSL_LIBS}"
AC_CHECK_LIB(
[wolfssl],
[wolfSSL_Init],
[],
[AC_MSG_ERROR([Could not link wolfSSL library.])]
)
AC_CHECK_HEADER([wolfssl/options.h],,[AC_MSG_ERROR([wolfSSL header wolfssl/options.h not found!])])
# wolfSSL signal EKM support
have_export_keying_material="yes"
if test "${enable_wolfssl_options_h}" = "yes"; then
AC_DEFINE([EXTERNAL_OPTS_OPENVPN], [1], [Include options.h from wolfSSL library])
else
AC_DEFINE([WOLFSSL_USER_SETTINGS], [1], [Use custom user_settings.h file for wolfSSL library])
fi
have_export_keying_material="yes"
CFLAGS="${saved_CFLAGS}"
LIBS="${saved_LIBS}"
AC_DEFINE([ENABLE_CRYPTO_WOLFSSL], [1], [Use wolfSSL crypto library])
AC_DEFINE([ENABLE_CRYPTO_OPENSSL], [1], [Use wolfSSL openssl compatibility layer])
CRYPTO_CFLAGS="${WOLFSSL_CFLAGS}"
CRYPTO_LIBS="${WOLFSSL_LIBS}"
else
AC_MSG_ERROR([Invalid crypto library: ${with_crypto_library}])
fi
AC_ARG_VAR([LZO_CFLAGS], [C compiler flags for lzo])
AC_ARG_VAR([LZO_LIBS], [linker flags for lzo])
have_lzo="yes"
if test -z "${LZO_LIBS}"; then
AC_CHECK_LIB(
[lzo2],
[lzo1x_1_15_compress],
[LZO_LIBS="-llzo2"],
[AC_CHECK_LIB(
[lzo],
[lzo1x_1_15_compress],
[LZO_LIBS="-llzo"],
[have_lzo="no"]
)]
)
fi
if test "${have_lzo}" = "yes"; then
saved_CFLAGS="${CFLAGS}"
CFLAGS="${CFLAGS} ${LZO_CFLAGS}"
AC_CHECK_HEADERS(
[lzo/lzoutil.h],
,
[AC_CHECK_HEADERS(
[lzoutil.h],
,
[AC_MSG_ERROR([lzoutil.h is missing])]
)]
)
AC_CHECK_HEADERS(
[lzo/lzo1x.h],
,
[AC_CHECK_HEADERS(
[lzo1x.h],
,
[AC_MSG_ERROR([lzo1x.h is missing])]
)]
)
CFLAGS="${saved_CFLAGS}"
fi
dnl
dnl check for LZ4 library
dnl
AC_ARG_VAR([LZ4_CFLAGS], [C compiler flags for lz4])
AC_ARG_VAR([LZ4_LIBS], [linker flags for lz4])
if test "$enable_lz4" = "yes" && test "$enable_comp_stub" = "no"; then
if test -z "${LZ4_CFLAGS}" -a -z "${LZ4_LIBS}"; then
# if the user did not explicitly specify flags, try to autodetect
PKG_CHECK_MODULES([LZ4],
lz4: Fix confused version check Older LZ4 library versions used a version number > 100 and not the current x.y.z versioning scheme. This results in version 122 being numberically higher than the check we have liblz4 > 1.7.1. And since that old version (122) does not have the LZ4_compress_default(), the building explodes later on. This patch enhances the version check to also ensure the version number is lower than 100. In addition the function checking we had was not triggered if system library was found via pkg-config, so this have now been reworked to really check if we have at least two of the most important LZ4 functions - as long as a system library have been found or been accepted via the LZ4_{CFLAGS,LIBS} variables. There are more ways to check for functions in autoconf. I opted for AC_CHECK_LIB() instead of AC_CHECK_FUNC{,S}() as the latter ones does not test if a function exists in a specific library. This have the downside of needing to tests instead of AC_CHECK_FUNCS() which could test for more functions in one go. We also do not overwrite the LZ4_LIBS variable on success, as that could change already set library paths (-L) Finally, a stupid typo got fixed as well. Trac: 939 Signed-off-by: David Sommerseth <davids@openvpn.net> Tested-by: Richard Bonhomme <fragmentux@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <20171002161812.9376-1-davids@openvpn.net> URL: https://www.mail-archive.com/search?l=mid&q=20171002161812.9376-1-davids@openvpn.net Signed-off-by: Gert Doering <gert@greenie.muc.de>
2017-10-03 00:18:12 +08:00
[liblz4 >= 1.7.1 liblz4 < 100],
[have_lz4="yes"],
[LZ4_LIBS="-llz4"] # If this fails, we will do another test next.
# We also add set LZ4_LIBS otherwise the
# linker will not know about the lz4 library
)
fi
saved_CFLAGS="${CFLAGS}"
saved_LIBS="${LIBS}"
CFLAGS="${CFLAGS} ${LZ4_CFLAGS}"
LIBS="${LIBS} ${LZ4_LIBS}"
# If pkgconfig check failed or LZ4_CFLAGS/LZ4_LIBS env vars
# are used, check the version directly in the LZ4 include file
if test "${have_lz4}" != "yes"; then
AC_CHECK_HEADERS([lz4.h],
[have_lz4h="yes"],
[])
if test "${have_lz4h}" = "yes" ; then
AC_MSG_CHECKING([additionally if system LZ4 version >= 1.7.1])
AC_COMPILE_IFELSE(
[AC_LANG_PROGRAM([[
#include <lz4.h>
]],
[[
/* Version encoding: MMNNPP (Major miNor Patch) - see lz4.h for details */
#if LZ4_VERSION_NUMBER < 10701L
#error LZ4 is too old
#endif
]]
)],
[
AC_MSG_RESULT([ok])
have_lz4="yes"
],
[AC_MSG_ERROR([system LZ4 library is too old])]
)
fi
fi
lz4: Fix confused version check Older LZ4 library versions used a version number > 100 and not the current x.y.z versioning scheme. This results in version 122 being numberically higher than the check we have liblz4 > 1.7.1. And since that old version (122) does not have the LZ4_compress_default(), the building explodes later on. This patch enhances the version check to also ensure the version number is lower than 100. In addition the function checking we had was not triggered if system library was found via pkg-config, so this have now been reworked to really check if we have at least two of the most important LZ4 functions - as long as a system library have been found or been accepted via the LZ4_{CFLAGS,LIBS} variables. There are more ways to check for functions in autoconf. I opted for AC_CHECK_LIB() instead of AC_CHECK_FUNC{,S}() as the latter ones does not test if a function exists in a specific library. This have the downside of needing to tests instead of AC_CHECK_FUNCS() which could test for more functions in one go. We also do not overwrite the LZ4_LIBS variable on success, as that could change already set library paths (-L) Finally, a stupid typo got fixed as well. Trac: 939 Signed-off-by: David Sommerseth <davids@openvpn.net> Tested-by: Richard Bonhomme <fragmentux@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <20171002161812.9376-1-davids@openvpn.net> URL: https://www.mail-archive.com/search?l=mid&q=20171002161812.9376-1-davids@openvpn.net Signed-off-by: Gert Doering <gert@greenie.muc.de>
2017-10-03 00:18:12 +08:00
# Double check we have a few needed functions
if test "${have_lz4}" = "yes" ; then
AC_CHECK_LIB([lz4],
lz4: Fix confused version check Older LZ4 library versions used a version number > 100 and not the current x.y.z versioning scheme. This results in version 122 being numberically higher than the check we have liblz4 > 1.7.1. And since that old version (122) does not have the LZ4_compress_default(), the building explodes later on. This patch enhances the version check to also ensure the version number is lower than 100. In addition the function checking we had was not triggered if system library was found via pkg-config, so this have now been reworked to really check if we have at least two of the most important LZ4 functions - as long as a system library have been found or been accepted via the LZ4_{CFLAGS,LIBS} variables. There are more ways to check for functions in autoconf. I opted for AC_CHECK_LIB() instead of AC_CHECK_FUNC{,S}() as the latter ones does not test if a function exists in a specific library. This have the downside of needing to tests instead of AC_CHECK_FUNCS() which could test for more functions in one go. We also do not overwrite the LZ4_LIBS variable on success, as that could change already set library paths (-L) Finally, a stupid typo got fixed as well. Trac: 939 Signed-off-by: David Sommerseth <davids@openvpn.net> Tested-by: Richard Bonhomme <fragmentux@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <20171002161812.9376-1-davids@openvpn.net> URL: https://www.mail-archive.com/search?l=mid&q=20171002161812.9376-1-davids@openvpn.net Signed-off-by: Gert Doering <gert@greenie.muc.de>
2017-10-03 00:18:12 +08:00
[LZ4_compress_default],
[],
[have_lz4="no"])
AC_CHECK_LIB([lz4],
[LZ4_decompress_safe],
[],
[have_lz4="no"])
fi
if test "${have_lz4}" != "yes" ; then
AC_MSG_ERROR([No compatible LZ4 compression library found. Consider --disable-lz4])
LZ4_LIBS=""
fi
OPTIONAL_LZ4_CFLAGS="${LZ4_CFLAGS}"
OPTIONAL_LZ4_LIBS="${LZ4_LIBS}"
AC_DEFINE(ENABLE_LZ4, [1], [Enable LZ4 compression library])
CFLAGS="${saved_CFLAGS}"
LIBS="${saved_LIBS}"
fi
dnl
dnl Check for systemd
dnl
AM_CONDITIONAL([ENABLE_SYSTEMD], [test "${enable_systemd}" = "yes"])
if test "$enable_systemd" = "yes" ; then
PKG_CHECK_MODULES([libsystemd], [systemd libsystemd],
[],
[PKG_CHECK_MODULES([libsystemd], [libsystemd-daemon])]
)
PKG_CHECK_EXISTS( [libsystemd > 216],
[AC_DEFINE([SYSTEMD_NEWER_THAN_216], [1],
[systemd is newer than v216])]
)
AC_CHECK_HEADERS(systemd/sd-daemon.h,
,
[
AC_MSG_ERROR([systemd development headers not found.])
])
saved_LIBS="${LIBS}"
LIBS="${LIBS} ${libsystemd_LIBS}"
AC_CHECK_FUNCS([sd_booted], [], [AC_MSG_ERROR([systemd library is missing sd_booted()])])
OPTIONAL_SYSTEMD_LIBS="${libsystemd_LIBS}"
AC_DEFINE(ENABLE_SYSTEMD, 1, [Enable systemd integration])
LIBS="${saved_LIBS}"
if test -n "${SYSTEMD_UNIT_DIR}"; then
systemdunitdir="${SYSTEMD_UNIT_DIR}"
else
systemdunitdir="\${libdir}/systemd/system"
fi
if test -n "${TMPFILES_DIR}"; then
tmpfilesdir="${TMPFILES_DIR}"
else
tmpfilesdir="\${libdir}/tmpfiles.d"
fi
fi
Added support for the Snappy compression algorithm Added support for the Snappy compression algorithm which has shown to have considerably better compression speed than LZO at a comparable compression ratio. To enable Snappy add: compress snappy to both client and server config files. Alternatively, enable compression framing on the client: compress and have the server selectively push "compress snappy" to the client. This change also extends the client capability handshake to include IV_SNAPPY so the server can be aware that a connecting client supports Snappy. Note that the Snappy implementation also includes an improved framing approach where the first byte of the compressed payload is replaced by the compression control byte (the first payload byte is moved to the end of the packet). This solves off-by-one alignment issues, which improves performance on ARM. By default, the configure script will try to build with Snappy support. To disable, use the --disable-snappy option. The --enable-lzo-stub configure directive is now --enable-comp-stub (because it's not actually "lzo" but "compression-enabled packet framing") Add compression overhead to extra buffer unconditionally, as long as USE_COMP is defined. OpenVPN SVN r8206 (2.1.21a) and r8212 (2.1.21b) Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <1366393268-27392-3-git-send-email-gert@greenie.muc.de> URL: http://article.gmane.org/gmane.network.openvpn.devel/7531 Signed-off-by: Gert Doering <gert@greenie.muc.de>
2012-09-18 14:33:34 +08:00
AC_MSG_CHECKING([git checkout])
GIT_CHECKOUT="no"
if test -n "${GIT}" -a -d "${srcdir}/.git"; then
AC_DEFINE([HAVE_CONFIG_VERSION_H], [1], [extra version available in config-version.h])
GIT_CHECKOUT="yes"
fi
AC_MSG_RESULT([${GIT_CHECKOUT}])
dnl enable --x509-username-field feature if requested
if test "${enable_x509_alt_username}" = "yes"; then
Migrate to mbed TLS 2.x PolarSSL / mbed TLS 1.3 is going end-of-life by 2016-12-31, so let's move the master branch on to the 2.x series. This patch purges all references to polarssl, except for file names and some comments referring to 1.2 and earlier, which were never released as 'mbed TLS'. A separate patch for the file names follows, so the real changes are easier to spot without git-fu. This patch intends to not change any behaviour. The vast majority of this patch is just renaming functions and structs. There are some small changes in the implementation: * In ssl_polarssl.c: the debug callback prototype changed, so our implementation changed a bit too. * in ssl_polarssl.c: the old polarssl ssl_context is now split into a mbedtls_ssl_config and mbedtls_ssl_context. The intention is that mbedtls_ssl_config is shared among connections, and mbedtls_ssl_context contains the per-connection state. That doesn't work for us, because we use per-connection verify callback data, while the verify callback is registered on mbed_tls_config. Therefore we still need to init a mbed_tls_config struct for each connection. * in ssl_polarssl.c: the mbed bio handling changed, so our implementation changed a bit too. * in ssl_polarssl.c and ssl_verify_polarssl.c: the mbedtls x509 parse functions now fail if we don't provide a NUL-terminated string, so use strlen()+1 as the length argument to include the terminating NUL. I tested this patch to work with: * 'make check' (with 2.0.0 and 2.2.1, other tests just with 2.2.1) * static key mode * TLS mode with PEM key file * TLS mode with password protected PEM key file * TLS mode with management-external-key * TLS mode with PKCS#11 * TLS mode with inline ca/key/cert/dh Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <1460918143-408-1-git-send-email-steffan@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/11458 Signed-off-by: Gert Doering <gert@greenie.muc.de>
2016-04-18 02:35:42 +08:00
if test "${with_crypto_library}" = "mbedtls" ; then
AC_MSG_ERROR([mbed TLS does not support the --x509-username-field feature])
fi
AC_DEFINE([ENABLE_X509ALTUSERNAME], [1], [Enable --x509-username-field feature])
fi
test "${enable_management}" = "yes" && AC_DEFINE([ENABLE_MANAGEMENT], [1], [Enable management server capability])
test "${enable_debug}" = "yes" && AC_DEFINE([ENABLE_DEBUG], [1], [Enable debugging support])
test "${enable_small}" = "yes" && AC_DEFINE([ENABLE_SMALL], [1], [Enable smaller executable size])
test "${enable_fragment}" = "yes" && AC_DEFINE([ENABLE_FRAGMENT], [1], [Enable internal fragmentation support])
test "${enable_port_share}" = "yes" && AC_DEFINE([ENABLE_PORT_SHARE], [1], [Enable TCP Server port sharing])
test "${enable_ntlm}" = "yes" && AC_DEFINE([ENABLE_NTLM], [1], [Enable NTLMv2 proxy support])
test "${enable_crypto_ofb_cfb}" = "yes" && AC_DEFINE([ENABLE_OFB_CFB_MODE], [1], [Enable OFB and CFB cipher modes])
if test "${have_export_keying_material}" = "yes"; then
AC_DEFINE(
[HAVE_EXPORT_KEYING_MATERIAL], [1],
[Crypto library supports keying material exporter]
)
fi
OPTIONAL_CRYPTO_CFLAGS="${OPTIONAL_CRYPTO_CFLAGS} ${CRYPTO_CFLAGS}"
OPTIONAL_CRYPTO_LIBS="${OPTIONAL_CRYPTO_LIBS} ${CRYPTO_LIBS}"
if test "${enable_plugins}" = "yes"; then
OPTIONAL_DL_LIBS="${DL_LIBS}"
AC_DEFINE([ENABLE_PLUGIN], [1], [Enable plug-in support])
else
enable_plugin_auth_pam="no"
enable_plugin_down_root="no"
fi
AM_CONDITIONAL([HAVE_SITNL], [false])
if test "${enable_iproute2}" = "yes"; then
test "${enable_dco}" = "yes" && AC_MSG_ERROR([iproute2 support cannot be enabled when using DCO])
test -z "${IPROUTE}" && AC_MSG_ERROR([ip utility is required but missing])
AC_DEFINE([ENABLE_IPROUTE], [1], [enable iproute2 support])
else if test "${have_sitnl}" = "yes"; then
AC_DEFINE([ENABLE_SITNL], [1], [enable sitnl support])
AM_CONDITIONAL([HAVE_SITNL], [true])
else if test "${WIN32}" != "yes" -a "${have_sitnl}" != "yes"; then
test -z "${ROUTE}" && AC_MSG_ERROR([route utility is required but missing])
test -z "${IFCONFIG}" && AC_MSG_ERROR([ifconfig utility is required but missing])
fi
fi
fi
if test "${enable_selinux}" = "yes"; then
test -z "${SELINUX_LIBS}" && AC_MSG_ERROR([libselinux required but missing])
OPTIONAL_SELINUX_LIBS="${SELINUX_LIBS}"
AC_DEFINE([ENABLE_SELINUX], [1], [SELinux support])
fi
if test "${enable_lzo}" = "yes"; then
test "${have_lzo}" != "yes" && AC_MSG_ERROR([lzo enabled but missing])
OPTIONAL_LZO_CFLAGS="${LZO_CFLAGS}"
OPTIONAL_LZO_LIBS="${LZO_LIBS}"
AC_DEFINE([ENABLE_LZO], [1], [Enable LZO compression library])
fi
Added support for the Snappy compression algorithm Added support for the Snappy compression algorithm which has shown to have considerably better compression speed than LZO at a comparable compression ratio. To enable Snappy add: compress snappy to both client and server config files. Alternatively, enable compression framing on the client: compress and have the server selectively push "compress snappy" to the client. This change also extends the client capability handshake to include IV_SNAPPY so the server can be aware that a connecting client supports Snappy. Note that the Snappy implementation also includes an improved framing approach where the first byte of the compressed payload is replaced by the compression control byte (the first payload byte is moved to the end of the packet). This solves off-by-one alignment issues, which improves performance on ARM. By default, the configure script will try to build with Snappy support. To disable, use the --disable-snappy option. The --enable-lzo-stub configure directive is now --enable-comp-stub (because it's not actually "lzo" but "compression-enabled packet framing") Add compression overhead to extra buffer unconditionally, as long as USE_COMP is defined. OpenVPN SVN r8206 (2.1.21a) and r8212 (2.1.21b) Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <1366393268-27392-3-git-send-email-gert@greenie.muc.de> URL: http://article.gmane.org/gmane.network.openvpn.devel/7531 Signed-off-by: Gert Doering <gert@greenie.muc.de>
2012-09-18 14:33:34 +08:00
if test "${enable_comp_stub}" = "yes"; then
test "${enable_lzo}" = "yes" && AC_MSG_ERROR([Cannot have both comp stub and lzo enabled (use --disable-lzo)])
test "${enable_lz4}" = "yes" && AC_MSG_ERROR([Cannot have both comp stub and LZ4 enabled (use --disable-lz4)])
Added support for the Snappy compression algorithm Added support for the Snappy compression algorithm which has shown to have considerably better compression speed than LZO at a comparable compression ratio. To enable Snappy add: compress snappy to both client and server config files. Alternatively, enable compression framing on the client: compress and have the server selectively push "compress snappy" to the client. This change also extends the client capability handshake to include IV_SNAPPY so the server can be aware that a connecting client supports Snappy. Note that the Snappy implementation also includes an improved framing approach where the first byte of the compressed payload is replaced by the compression control byte (the first payload byte is moved to the end of the packet). This solves off-by-one alignment issues, which improves performance on ARM. By default, the configure script will try to build with Snappy support. To disable, use the --disable-snappy option. The --enable-lzo-stub configure directive is now --enable-comp-stub (because it's not actually "lzo" but "compression-enabled packet framing") Add compression overhead to extra buffer unconditionally, as long as USE_COMP is defined. OpenVPN SVN r8206 (2.1.21a) and r8212 (2.1.21b) Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <1366393268-27392-3-git-send-email-gert@greenie.muc.de> URL: http://article.gmane.org/gmane.network.openvpn.devel/7531 Signed-off-by: Gert Doering <gert@greenie.muc.de>
2012-09-18 14:33:34 +08:00
AC_DEFINE([ENABLE_COMP_STUB], [1], [Enable compression stub capability])
fi
Unit tests: Test for PKCS#11 using a softhsm2 token - Load some test certificate/key pairs into a temporary softhsm2 token and enumerate available objects through pkcs11-helper interface - For each object, load it into SSL_CTX and test sign (if using OpenSSL 3) or check the certificate and public-key match (if using OpenSSl 1.1.1.). The pkcs11-id for each object is specified directly or through a mocked management callback to test pkcs11-id-management Limitations: Depends on libsofthsm2.so and p11tool (install softhsm2 and gnutls-bin packages). Mbed-TLS/pkcs11-helper combination is not tested. If locations of these binaries are not auto-detected or need to be overridden, use -DSOFTHSM2_UTIL=<path> -DP11TOOL=<path> to configure. Location of SOFTHSM2_MODULE is not auto-detected and defaults to /usr/lib/softhsm/libsofthsm2.so. It may be changed by passing -DSOFTHSM2_MODULE=/some-path/libsofthsm2.so to configure. Also see "configure --help". The test is enabled only if --enable-pkcs11 is in use, and SOFTHSM2_UTIL & P11TOOL are found in path or manually defined during configuring. Changes relative to github PR - Explicitly disable building the test on Windows: need to port mkstemp, mkdtemp, setenv etc., before enabling this on Windows. Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Frank Lichtenheld <frank@lichtenheld.com> Message-Id: <20230322221456.1660425-2-selva.nair@gmail.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26483.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
2023-03-23 06:14:55 +08:00
AM_CONDITIONAL([HAVE_SOFTHSM2], [false])
if test "${enable_pkcs11}" = "yes"; then
test "${have_pkcs11_helper}" != "yes" && AC_MSG_ERROR([PKCS11 enabled but libpkcs11-helper is missing])
OPTIONAL_PKCS11_HELPER_CFLAGS="${PKCS11_HELPER_CFLAGS}"
OPTIONAL_PKCS11_HELPER_LIBS="${PKCS11_HELPER_LIBS}"
AC_DEFINE([ENABLE_PKCS11], [1], [Enable PKCS11])
PKG_CHECK_MODULES(
[P11KIT],
[p11-kit-1],
[proxy_module="`$PKG_CONFIG --variable=proxy_module p11-kit-1`"
AC_DEFINE_UNQUOTED([DEFAULT_PKCS11_MODULE], "${proxy_module}", [p11-kit proxy])],
[]
)
Unit tests: Test for PKCS#11 using a softhsm2 token - Load some test certificate/key pairs into a temporary softhsm2 token and enumerate available objects through pkcs11-helper interface - For each object, load it into SSL_CTX and test sign (if using OpenSSL 3) or check the certificate and public-key match (if using OpenSSl 1.1.1.). The pkcs11-id for each object is specified directly or through a mocked management callback to test pkcs11-id-management Limitations: Depends on libsofthsm2.so and p11tool (install softhsm2 and gnutls-bin packages). Mbed-TLS/pkcs11-helper combination is not tested. If locations of these binaries are not auto-detected or need to be overridden, use -DSOFTHSM2_UTIL=<path> -DP11TOOL=<path> to configure. Location of SOFTHSM2_MODULE is not auto-detected and defaults to /usr/lib/softhsm/libsofthsm2.so. It may be changed by passing -DSOFTHSM2_MODULE=/some-path/libsofthsm2.so to configure. Also see "configure --help". The test is enabled only if --enable-pkcs11 is in use, and SOFTHSM2_UTIL & P11TOOL are found in path or manually defined during configuring. Changes relative to github PR - Explicitly disable building the test on Windows: need to port mkstemp, mkdtemp, setenv etc., before enabling this on Windows. Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Frank Lichtenheld <frank@lichtenheld.com> Message-Id: <20230322221456.1660425-2-selva.nair@gmail.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26483.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
2023-03-23 06:14:55 +08:00
#
# softhsm2 for pkcs11 tests
#
AC_ARG_VAR([P11TOOL], [full path to p11tool])
AC_PATH_PROGS([P11TOOL], [p11tool],, [$PATH:/usr/local/bin:/usr/bin:/bin])
AC_DEFINE_UNQUOTED([P11TOOL_PATH], ["$P11TOOL"], [Path to p11tool])
AC_ARG_VAR([SOFTHSM2_UTIL], [full path to softhsm2-util])
AC_ARG_VAR([SOFTHSM2_MODULE], [full path to softhsm2 module @<:@default=/usr/lib/softhsm/libsofthsm2.so@:>@])
AC_PATH_PROGS([SOFTHSM2_UTIL], [softhsm2-util],, [$PATH:/usr/local/bin:/usr/bin:/bin])
test -z "$SOFTHSM2_MODULE" && SOFTHSM2_MODULE=/usr/lib/softhsm/libsofthsm2.so
AC_DEFINE_UNQUOTED([SOFTHSM2_UTIL_PATH], ["$SOFTHSM2_UTIL"], [Path to softhsm2-util])
AC_DEFINE_UNQUOTED([SOFTHSM2_MODULE_PATH], ["$SOFTHSM2_MODULE"], [Path to softhsm2 module])
if test "${with_crypto_library}" = "openssl"; then
AM_CONDITIONAL([HAVE_SOFTHSM2], [test "${P11TOOL}" -a "${SOFTHSM2_UTIL}" -a "${SOFTHSM2_MODULE}"])
fi
fi
# When testing a compiler option, we add -Werror to force
# an error when the option is unsupported. This is not
# required for gcc, but some compilers such as clang needs it.
AC_DEFUN([ACL_CHECK_ADD_COMPILE_FLAGS], [
old_cflags="$CFLAGS"
CFLAGS="$1 -Werror $CFLAGS"
AC_MSG_CHECKING([whether the compiler accepts $1])
AC_COMPILE_IFELSE([AC_LANG_PROGRAM()], [AC_MSG_RESULT([yes])]; CFLAGS="$1 $old_cflags",
[AC_MSG_RESULT([no]); CFLAGS="$old_cflags"])]
)
ACL_CHECK_ADD_COMPILE_FLAGS([-Wno-stringop-truncation])
ACL_CHECK_ADD_COMPILE_FLAGS([-Wall])
if test "${enable_pedantic}" = "yes"; then
enable_strict="yes"
CFLAGS="${CFLAGS} -pedantic"
AC_DEFINE([PEDANTIC], [1], [Enable pedantic mode])
fi
if test "${enable_strict}" = "yes"; then
CFLAGS="${CFLAGS} -Wsign-compare -Wuninitialized"
fi
if test "${enable_werror}" = "yes"; then
CFLAGS="${CFLAGS} -Werror"
fi
if test "${enable_plugin_auth_pam}" = "yes"; then
PLUGIN_AUTH_PAM_CFLAGS="${LIBPAM_CFLAGS}"
if test "${enable_pam_dlopen}" = "yes"; then
AC_DEFINE([USE_PAM_DLOPEN], [1], [dlopen libpam])
PLUGIN_AUTH_PAM_LIBS="${DL_LIBS}"
else
test -z "${LIBPAM_LIBS}" && AC_MSG_ERROR([libpam required but missing])
PLUGIN_AUTH_PAM_LIBS="${LIBPAM_LIBS}"
fi
fi
Send push reply right after async auth complete v3: * better comments * better variable naming * include sys/inotify.h if HAVE_SYS_INOTIFY_H is defined v2: More careful inotify_watchers handling * Ensure that same multi_instance is added only once * Ensure that multi_instance is always removed v1: This feature speeds up connection establishment in cases when async authentication result is not ready when first push request arrives. At the moment server sends push reply only when it receives next push request, which comes 5 seconds later. Implementation overview. Add new configure option ENABLE_ASYNC_PUSH, which can be enabled if system supports inotify. Add inotify descriptor to an event loop. Add inotify watch for a authentication control file. Store mapping between watch descriptor and multi_instance in a dictionary. When file is closed, inotify fires an event and we continue with connection establishment - call client- connect etc and send push reply. Inotify watch descriptor got automatically deleted after file is closed or when file is removed. We catch that event and remove it from the dictionary. Feature is easily tested with sample "defer" plugin and following settings: auth-user-pass-optional setenv test_deferred_auth 3 plugin simple.so Signed-off-by: Lev Stipakov <lstipakov@gmail.com> Add doxygen comment Acked-by: David Sommerseth <davids@redhat.com> Message-Id: <1444493065-13506-1-git-send-email-lstipakov@gmail.com> URL: http://article.gmane.org/gmane.network.openvpn.devel/10248 Signed-off-by: David Sommerseth <davids@redhat.com>
2015-10-11 00:04:25 +08:00
if test "${enable_async_push}" = "yes"; then
case "$host" in
*-*-freebsd*)
PKG_CHECK_MODULES(
[OPTIONAL_INOTIFY],
[libinotify],
[
AC_DEFINE([HAVE_SYS_INOTIFY_H])
AC_DEFINE([ENABLE_ASYNC_PUSH], [1], [Enable async push])
]
)
;;
*)
AC_CHECK_HEADERS(
[sys/inotify.h],
AC_DEFINE([ENABLE_ASYNC_PUSH], [1], [Enable async push]),
AC_MSG_ERROR([inotify.h not found.])
)
;;
esac
Send push reply right after async auth complete v3: * better comments * better variable naming * include sys/inotify.h if HAVE_SYS_INOTIFY_H is defined v2: More careful inotify_watchers handling * Ensure that same multi_instance is added only once * Ensure that multi_instance is always removed v1: This feature speeds up connection establishment in cases when async authentication result is not ready when first push request arrives. At the moment server sends push reply only when it receives next push request, which comes 5 seconds later. Implementation overview. Add new configure option ENABLE_ASYNC_PUSH, which can be enabled if system supports inotify. Add inotify descriptor to an event loop. Add inotify watch for a authentication control file. Store mapping between watch descriptor and multi_instance in a dictionary. When file is closed, inotify fires an event and we continue with connection establishment - call client- connect etc and send push reply. Inotify watch descriptor got automatically deleted after file is closed or when file is removed. We catch that event and remove it from the dictionary. Feature is easily tested with sample "defer" plugin and following settings: auth-user-pass-optional setenv test_deferred_auth 3 plugin simple.so Signed-off-by: Lev Stipakov <lstipakov@gmail.com> Add doxygen comment Acked-by: David Sommerseth <davids@redhat.com> Message-Id: <1444493065-13506-1-git-send-email-lstipakov@gmail.com> URL: http://article.gmane.org/gmane.network.openvpn.devel/10248 Signed-off-by: David Sommerseth <davids@redhat.com>
2015-10-11 00:04:25 +08:00
fi
CONFIGURE_DEFINES="`set | grep '^enable_.*=' ; set | grep '^with_.*='`"
AC_DEFINE_UNQUOTED([CONFIGURE_DEFINES], ["`echo ${CONFIGURE_DEFINES}`"], [Configuration settings])
TAP_WIN_COMPONENT_ID="PRODUCT_TAP_WIN_COMPONENT_ID"
TAP_WIN_MIN_MAJOR="PRODUCT_TAP_WIN_MIN_MAJOR"
TAP_WIN_MIN_MINOR="PRODUCT_TAP_WIN_MIN_MINOR"
AC_DEFINE_UNQUOTED([TAP_WIN_COMPONENT_ID], ["${TAP_WIN_COMPONENT_ID}"], [The tap-windows id])
AC_DEFINE_UNQUOTED([TAP_WIN_MIN_MAJOR], [${TAP_WIN_MIN_MAJOR}], [The tap-windows version number is required for OpenVPN])
AC_DEFINE_UNQUOTED([TAP_WIN_MIN_MINOR], [${TAP_WIN_MIN_MINOR}], [The tap-windows version number is required for OpenVPN])
AC_SUBST([TAP_WIN_COMPONENT_ID])
AC_SUBST([TAP_WIN_MIN_MAJOR])
AC_SUBST([TAP_WIN_MIN_MINOR])
AC_SUBST([OPTIONAL_DL_LIBS])
AC_SUBST([OPTIONAL_SELINUX_LIBS])
AC_SUBST([OPTIONAL_CRYPTO_CFLAGS])
AC_SUBST([OPTIONAL_CRYPTO_LIBS])
AC_SUBST([OPTIONAL_LZO_CFLAGS])
AC_SUBST([OPTIONAL_LZO_LIBS])
AC_SUBST([OPTIONAL_LZ4_CFLAGS])
AC_SUBST([OPTIONAL_LZ4_LIBS])
AC_SUBST([OPTIONAL_SYSTEMD_LIBS])
AC_SUBST([OPTIONAL_PKCS11_HELPER_CFLAGS])
AC_SUBST([OPTIONAL_PKCS11_HELPER_LIBS])
AC_SUBST([OPTIONAL_INOTIFY_CFLAGS])
AC_SUBST([OPTIONAL_INOTIFY_LIBS])
AC_SUBST([PLUGIN_AUTH_PAM_CFLAGS])
AC_SUBST([PLUGIN_AUTH_PAM_LIBS])
AM_CONDITIONAL([WIN32], [test "${WIN32}" = "yes"])
AM_CONDITIONAL([GIT_CHECKOUT], [test "${GIT_CHECKOUT}" = "yes"])
AM_CONDITIONAL([ENABLE_PLUGIN_AUTH_PAM], [test "${enable_plugin_auth_pam}" = "yes"])
AM_CONDITIONAL([ENABLE_PLUGIN_DOWN_ROOT], [test "${enable_plugin_down_root}" = "yes"])
AM_CONDITIONAL([HAVE_LD_WRAP_SUPPORT], [test "${have_ld_wrap_support}" = "yes"])
AM_CONDITIONAL([OPENSSL_ENGINE], [test "${have_openssl_engine}" = "yes"])
sampledir="\$(docdir)/sample"
AC_SUBST([plugindir])
AC_SUBST([sampledir])
AC_SUBST([systemdunitdir])
AC_SUBST([tmpfilesdir])
AC_ARG_ENABLE(
[unit-tests],
[AS_HELP_STRING([--disable-unit-tests],
[Disables building and running the unit tests suite])],
[],
[enable_unit_tests="yes"]
)
# Check if cmocka is available - needed for unit testing
PKG_CHECK_MODULES(
[CMOCKA], [cmocka],
[have_cmocka="yes"],
[AC_MSG_WARN([cmocka.pc not found on the system using pkg-config ${pkg_config_found}. Unit tests disabled])]
)
AM_CONDITIONAL([ENABLE_UNITTESTS], [test "${enable_unit_tests}" = "yes" -a "${have_cmocka}" = "yes" ])
AC_SUBST([ENABLE_UNITTESTS])
TEST_LDFLAGS="${OPTIONAL_CRYPTO_LIBS} ${OPTIONAL_PKCS11_HELPER_LIBS}"
TEST_LDFLAGS="${TEST_LDFLAGS} ${OPTIONAL_LZO_LIBS} ${CMOCKA_LIBS}"
TEST_CFLAGS="${OPTIONAL_CRYPTO_CFLAGS} ${OPTIONAL_PKCS11_HELPER_CFLAGS}"
TEST_CFLAGS="${TEST_CFLAGS} ${OPTIONAL_LZO_CFLAGS}"
TEST_CFLAGS="${TEST_CFLAGS} -I\$(top_srcdir)/include ${CMOCKA_CFLAGS}"
AC_SUBST([TEST_LDFLAGS])
AC_SUBST([TEST_CFLAGS])
AC_CONFIG_FILES([
Makefile
distro/Makefile
distro/systemd/Makefile
doc/Makefile
doc/doxygen/Makefile
doc/doxygen/openvpn.doxyfile
include/Makefile
sample-plugins: Partially autotoolize the sample-plugins build The sample-plugins have their own set of build/winbuild scripts in each of these plugin directories. This does not give a good way to reuse various macros the autoconf/automake/configure process enables; which can contain important macros to make some code build without errors or warnings. Normally we would embrace the full autoconf/automake approach. But this is sample code which we only want to build per request and the built code should not be installed anywhere via 'make install'. But since we do use libtool other plug-ins being installed and automake gets kind of cranky when it comes to define certain build targets not following the expected use cases, we try to only embrace just enough of automake to get our main goals achieved. This changeset kicks out the build scripts and replaces them with a single Makefile.plugins file, which defines the plugins we want to build by default when running 'make from the sample-plugins directory. Neither of these plugins are otherwise built by default. No sample-plugins are being installed. But we have enough strings attached to automake to grab the CFLAGS and LDFLAGS used by the rest of the code. This also makes it easy to use #include "config.h" in sample code, to also get various macros defined by the ./configure run. This patch does not touch the winbuild scripts, as it seems building these sample-plugins on Windows requires a bit different compile and linking steps than *nix systems in general. Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <20200916141956.1277-1-davids@openvpn.net> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21020.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-09-16 22:19:56 +08:00
sample/sample-plugins/Makefile
src/Makefile
src/compat/Makefile
src/openvpn/Makefile
src/openvpnmsica/Makefile
src/openvpnserv/Makefile
src/plugins/Makefile
src/plugins/auth-pam/Makefile
src/plugins/down-root/Makefile
src/tapctl/Makefile
tests/Makefile
tests/unit_tests/Makefile
tests/unit_tests/example_test/Makefile
tests/unit_tests/openvpn/Makefile
tests/unit_tests/plugins/Makefile
tests/unit_tests/plugins/auth-pam/Makefile
sample/Makefile
])
AC_CONFIG_FILES([tests/t_client.sh], [chmod +x tests/t_client.sh])
AC_OUTPUT