Feat deferred client connect 2.4.4

.gitignore

@@ -51,10 +51,21 @@ config-msvc-local.h
 config-msvc-version.h
 doc/openvpn.8.html
 distro/rpm/openvpn.spec
+distro/systemd/*.service
+sample/sample-keys/sample-ca/
+vendor/.build
+vendor/dist
+
 tests/t_client.sh
 tests/t_client-*-20??????-??????/
+t_client.rc
+t_client_ips.rc
+tests/unit_tests/**/*_testdriver
+
 src/openvpn/openvpn
+include/openvpn-plugin.h
 config-version.h
 nbproject
 test-driver
 compile
+stamp-h2

.gitmodules

@@ -0,0 +1,4 @@
+[submodule "vendor/cmocka"]
+	path = vendor/cmocka
+	url = https://git.cryptomilk.org/projects/cmocka.git
+	branch = master

.mailmap

@@ -1 +1,13 @@
-James Yonan <james@openvpn.net>      james <james@e7ae566f-a301-0410-adde-c780ea21d3b5>
+Adriaan de Jong <dejong@fox-it.com>             <adriaan@adriaan-VirtualBox.(none)>
+David Sommerseth <dazo@eurephia.net>            <dazo@users.sourceforge.net>
+Gert Doering <gert@greenie.muc.de>              <gd@medat.de>
+Gert Doering <gert@greenie.muc.de>              <gert@fbsd74.ov.greenie.net>
+Gert Doering <gert@greenie.muc.de>              <gert@fbsd90.ov.greenie.net>
+Gert Doering <gert@greenie.muc.de>              <gert@mobile.greenie.muc.de>
+James Yonan <james@openvpn.net>                 <james@e7ae566f-a301-0410-adde-c780ea21d3b5>
+Jan Just Keijser <janjust@nikhef.nl>            <janjust@nikhef.nl>
+JuanJo Ciarlante <jjo@google.com>               <jjo+ml@google.com>
+Karl O. Pinc <kop@meme.com>                     <kop@mofo.meme.com>
+Robert Fischer <ml-openvpn@trispace.org>        <ml-openvpn@trispace.org>
+Samuli Seppänen <samuli@openvpn.net>            <samuli@openvpn.net>
+Seth Mos <seth.mos@dds.nl>                      <seth.mos@dds.nl>

.travis.yml

@@ -0,0 +1,101 @@
+sudo: required
+dist: trusty
+
+os: linux
+
+language: c
+
+compiler:
+  - gcc
+
+env:
+  global:
+    - JOBS=3
+    - PREFIX="${HOME}/opt"
+    - TAP_WINDOWS_VERSION=9.21.2
+    - LZO_VERSION=2.10
+    - PKCS11_HELPER_VERSION=1.22
+    - MBEDTLS_VERSION="2.5.1"
+    - MBEDTLS_CFLAGS="-I${PREFIX}/include"
+    - MBEDTLS_LIBS="-L${PREFIX}/lib -lmbedtls -lmbedx509 -lmbedcrypto"
+    - OPENSSL_VERSION="1.0.2l"
+    - OPENSSL_CFLAGS="-I${PREFIX}/include"
+    - OPENSSL_LIBS="-L${PREFIX}/lib -lssl -lcrypto"
+    # The next declaration is the encrypted COVERITY_SCAN_TOKEN, created
+    #   via the "travis encrypt" command using the project repo's public key
+    - secure: "l9mSnEW4LJqjxftH5i1NdDaYfGmQB1mPXnSB3DXnsjzkCWZ+yJLfBemfQ0tx/wS7chBYxqUaUIMT0hw4zJVp/LANFJo2vfh//ymTS6h0uApRY1ofg9Pp1BFcV1laG6/u8pwSZ2EBy/GhCd3DS436oE8sYBRaFM9FU62L/oeQBfJ7r4ID/0eB1b8bqlbD4paty9MHui2P8EZJwR+KAD84prtfpZOcrSMxPh9OUhJxzxUvvVoP4s4+lZ5Kgg1bBQ3yzKGDqe8VOgK2BWCEuezqhMMc8oeKmAe7CUkoz5gsGYH++k3I9XzP9Z4xeJKoQnC/82qi4xkJmlaOxdionej9bHIcjfRt7D8j1J0U+wOj4p8VrDy7yHaxuN2fi0K5MGa/CaXQSrkna8dePniCng+xQ2MY/zxuRX2gA6xPNLUyQLU9LqIug7wj4z84Hk9iWib4L20MoPjeEo+vAUNq8FtjOPxMuHNpv4iGGx6kgJm7RXl5vC5hxfK6MprrnYe2U5Mcd8jpzagKBaKHL3zV2FxX9k0jRO9Mccz7M2WnaV0MQ6zcngzTN4+s0kCjhfGKd2F2ANT2Gkhj3Me36eNHfuE0dBbvYCMh4b3Mgd7b/OuXwQWdJ8PjJ1WHXjSOw5sHw1suaV6cEO2Meyz5j1tOkyOi0M9QF+LFenQ9vLH4sBCww8U="
+
+matrix:
+  include:
+    - env: SSLLIB="openssl" RUN_COVERITY="1"
+      os: linux
+      compiler: gcc
+    - env: SSLLIB="openssl" OPENSSL_VERSION="1.1.0f"
+      os: linux
+      compiler: gcc
+    - env: SSLLIB="openssl"
+      os: linux
+      compiler: clang
+    - env: SSLLIB="openssl" OPENSSL_VERSION="1.1.0f"
+      os: linux
+      compiler: clang
+    - env: SSLLIB="mbedtls"
+      os: linux
+      compiler: gcc
+    - env: SSLLIB="mbedtls"
+      os: linux
+      compiler: clang
+    - env: SSLLIB="openssl"
+      os: osx
+      osx_image: xcode7.3
+      compiler: clang
+    - env: SSLLIB="mbedtls"
+      os: osx
+      osx_image: xcode7.3
+      compiler: clang
+    - env: SSLLIB="openssl" CHOST=x86_64-w64-mingw32
+      os: linux
+      compiler: ": Win64 build only"
+    - env: SSLLIB="openssl" CHOST=i686-w64-mingw32
+      os: linux
+      compiler: ": Win32 build only"
+    - env: SSLLIB="openssl" EXTRA_CONFIG="--disable-crypto" EXTRA_SCRIPT="make distcheck"
+      os: linux
+      compiler: clang
+    - env: SSLLIB="openssl" EXTRA_CONFIG="--disable-lzo"
+      os: linux
+      compiler: clang
+    - env: SSLLIB="openssl" EXTRA_CONFIG="--enable-small"
+      os: linux
+      compiler: clang
+  exclude:
+    - compiler: gcc
+
+addons:
+  apt:
+    packages:
+      - liblzo2-dev
+      - libpam0g-dev
+      - liblz4-dev
+      - linux-libc-dev
+      - man2html
+
+cache:
+  ccache: true
+  directories:
+  - download-cache
+  - ${HOME}/opt
+
+before_install:
+  - if [ "${TRAVIS_OS_NAME}" = "osx" ]; then brew update     ; fi
+  - if [ "${TRAVIS_OS_NAME}" = "osx" ]; then brew install lzo; fi
+
+install:
+  - if [ ! -z "${CHOST}" ]; then unset CC; fi
+  - .travis/build-deps.sh > build-deps.log 2>&1 || (cat build-deps.log && exit 1)
+
+before_script:
+  - .travis/coverity.sh
+
+script:
+  - .travis/build-check.sh

.travis/build-check.sh

@@ -0,0 +1,30 @@
+#!/bin/sh
+set -eux
+
+if [ "${TRAVIS_OS_NAME}" = "linux" ]; then
+	export LD_LIBRARY_PATH="${PREFIX}/lib:${LD_LIBRARY_PATH:-}"
+fi
+
+if [ "${TRAVIS_OS_NAME}" = "osx"   ]; then
+	export DYLD_LIBRARY_PATH="${PREFIX}/lib:${DYLD_LIBRARY_PATH:-}"
+fi
+
+autoreconf -vi
+
+if [ -z ${CHOST+x} ]; then
+	./configure --with-crypto-library="${SSLLIB}" ${EXTRA_CONFIG:-} || (cat config.log && exit 1)
+	make -j$JOBS
+	src/openvpn/openvpn --version || true
+	if [ "${TRAVIS_OS_NAME}" = "linux" ]; then ldd src/openvpn/openvpn; fi
+	if [ "${TRAVIS_OS_NAME}" = "osx" ]; then otool -L src/openvpn/openvpn; fi
+	make check
+	${EXTRA_SCRIPT:-}
+else
+	export TAP_CFLAGS="-I${PWD}/tap-windows-${TAP_WINDOWS_VERSION}/include"
+	export LZO_CFLAGS="-I${PREFIX}/include"
+	export LZO_LIBS="-L${PREFIX}/lib -llzo2"
+	export PKCS11_HELPER_LIBS="-L${PREFIX}/lib -lpkcs11-helper"
+	export PKCS11_HELPER_CFLAGS="-I${PREFIX}/include"
+	./configure --with-crypto-library="${SSLLIB}" --host=${CHOST} --build=x86_64-pc-linux-gnu --enable-pkcs11 --disable-plugins || (cat config.log && exit 1)
+	make -j${JOBS}
+fi

.travis/build-deps.sh

@@ -0,0 +1,175 @@
+#!/bin/sh
+set -eux
+
+# Set defaults
+PREFIX="${PREFIX:-${HOME}/opt}"
+
+download_tap_windows () {
+    if [ ! -f "download-cache/tap-windows-${TAP_WINDOWS_VERSION}.zip" ]; then
+       wget -P download-cache/ \
+           "http://build.openvpn.net/downloads/releases/tap-windows-${TAP_WINDOWS_VERSION}.zip"
+    fi
+}
+
+download_lzo () {
+    if [ ! -f "download-cache/lzo-${LZO_VERSION}.tar.gz" ]; then
+        wget -P download-cache/ \
+            "http://www.oberhumer.com/opensource/lzo/download/lzo-${LZO_VERSION}.tar.gz"
+    fi
+}
+
+build_lzo () {
+    if [ "$(cat ${PREFIX}/.lzo-version)" != "${LZO_VERSION}" ]; then
+        tar zxf download-cache/lzo-${LZO_VERSION}.tar.gz
+        (
+            cd "lzo-${LZO_VERSION}"
+
+            ./configure --host=${CHOST} --program-prefix='' \
+                --libdir=${PREFIX}/lib --prefix=${PREFIX} --build=x86_64-pc-linux-gnu
+            make all install
+        )
+        echo "${LZO_VERSION}" > "${PREFIX}/.lzo-version"
+    fi
+}
+
+download_pkcs11_helper () {
+    if [ ! -f "pkcs11-helper-${PKCS11_HELPER_VERSION}.tar.bz2" ]; then
+        wget -P download-cache/ \
+            "https://github.com/OpenSC/pkcs11-helper/releases/download/pkcs11-helper-${PKCS11_HELPER_VERSION}/pkcs11-helper-${PKCS11_HELPER_VERSION}.tar.bz2"
+    fi
+}
+
+build_pkcs11_helper () {
+    if [ "$(cat ${PREFIX}/.pkcs11_helper-version)" != "${PKCS11_HELPER_VERSION}" ]; then
+        tar jxf download-cache/pkcs11-helper-${PKCS11_HELPER_VERSION}.tar.bz2
+        (
+            cd "pkcs11-helper-${PKCS11_HELPER_VERSION}"
+
+            ./configure --host=${CHOST} --program-prefix='' --libdir=${PREFIX}/lib \
+                 --prefix=${PREFIX} --build=x86_64-pc-linux-gnu \
+                 --disable-crypto-engine-gnutls \
+                 --disable-crypto-engine-nss \
+                 --disable-crypto-engine-polarssl \
+                 --disable-crypto-engine-mbedtls
+            make all install
+         )
+         echo "${PKCS11_HELPER_VERSION}" > "${PREFIX}/.pkcs11_helper-version"
+    fi
+}
+
+download_mbedtls () {
+    if [ ! -f "download-cache/mbedtls-${MBEDTLS_VERSION}-apache.tgz" ]; then
+        wget -P download-cache/ \
+            "https://tls.mbed.org/download/mbedtls-${MBEDTLS_VERSION}-apache.tgz"
+    fi
+}
+
+build_mbedtls () {
+    if [ "$(cat ${PREFIX}/.mbedtls-version)" != "${MBEDTLS_VERSION}" ]; then
+        tar zxf download-cache/mbedtls-${MBEDTLS_VERSION}-apache.tgz
+        (
+            cd "mbedtls-${MBEDTLS_VERSION}"
+            make
+            make install DESTDIR="${PREFIX}"
+        )
+        echo "${MBEDTLS_VERSION}" > "${PREFIX}/.mbedtls-version"
+    fi
+}
+
+download_openssl () {
+    if [ ! -f "download-cache/openssl-${OPENSSL_VERSION}.tar.gz" ]; then
+        wget -P download-cache/ \
+            "https://www.openssl.org/source/openssl-${OPENSSL_VERSION}.tar.gz"
+    fi
+}
+
+build_openssl_linux () {
+    (
+        cd "openssl-${OPENSSL_VERSION}/"
+        ./config shared --prefix="${PREFIX}" --openssldir="${PREFIX}" -DPURIFY
+        make all install_sw
+    )
+}
+
+build_openssl_osx () {
+    (
+        cd "openssl-${OPENSSL_VERSION}/"
+        ./Configure darwin64-x86_64-cc shared \
+            --prefix="${PREFIX}" --openssldir="${PREFIX}" -DPURIFY
+        make depend all install_sw
+    )
+}
+
+build_openssl_mingw () {
+    (
+        cd "openssl-${OPENSSL_VERSION}/"
+
+        if [ "${CHOST}" = "i686-w64-mingw32" ]; then
+            export TARGET=mingw
+        elif [ "${CHOST}" = "x86_64-w64-mingw32" ]; then
+            export TARGET=mingw64
+        fi
+
+        ./Configure --cross-compile-prefix=${CHOST}- shared \
+           ${TARGET} no-multilib no-capieng --prefix="${PREFIX}" --openssldir="${PREFIX}" -static-libgcc
+        make install
+    )
+}
+
+build_openssl () {
+    if [ "$(cat ${PREFIX}/.openssl-version)" != "${OPENSSL_VERSION}" ]; then
+        tar zxf "download-cache/openssl-${OPENSSL_VERSION}.tar.gz"
+        if [ ! -z ${CHOST+x} ]; then
+            build_openssl_mingw
+        elif [ "${TRAVIS_OS_NAME}" = "osx" ]; then
+            build_openssl_osx
+        elif [ "${TRAVIS_OS_NAME}" = "linux" ]; then
+            build_openssl_linux
+        fi
+        echo "${OPENSSL_VERSION}" > "${PREFIX}/.openssl-version"
+    fi
+}
+
+# Enable ccache
+if [ "${TRAVIS_OS_NAME}" != "osx" ] && [ -z ${CHOST+x} ]; then
+    # ccache not available on osx, see:
+    # https://github.com/travis-ci/travis-ci/issues/5567
+    # also ccache not enabled for cross builds
+    mkdir -p "${HOME}/bin"
+    ln -s "$(which ccache)" "${HOME}/bin/${CC}"
+    PATH="${HOME}/bin:${PATH}"
+fi
+
+if [ ! -z ${CHOST+x} ]; then
+      #
+      # openvpn requires at least mingw-gcc-4.9, which is available at xenial repo
+      #
+      sudo apt-add-repository "deb http://archive.ubuntu.com/ubuntu xenial main universe"
+      sudo apt-get update
+      sudo apt-get -y install dpkg mingw-w64
+fi
+
+# Download and build crypto lib
+if [ "${SSLLIB}" = "openssl" ]; then
+    download_openssl
+    build_openssl
+elif [ "${SSLLIB}" = "mbedtls" ]; then
+    download_mbedtls
+    build_mbedtls
+else
+    echo "Invalid crypto lib: ${SSLLIB}"
+    exit 1
+fi
+
+# Download and build dependencies for mingw cross build
+# dependencies are the same as in regular windows installer build
+if [ ! -z ${CHOST+x} ]; then
+      download_tap_windows
+      unzip download-cache/tap-windows-${TAP_WINDOWS_VERSION}.zip
+
+      download_lzo
+      build_lzo
+
+      download_pkcs11_helper
+      build_pkcs11_helper
+fi

.travis/coverity.sh

@@ -0,0 +1,17 @@
+#!/bin/sh
+set -eu
+
+RUN_COVERITY="${RUN_COVERITY:-0}"
+
+export COVERITY_SCAN_PROJECT_NAME="OpenVPN/openvpn"
+export COVERITY_SCAN_BRANCH_PATTERN="release\/2.4"
+export COVERITY_SCAN_NOTIFICATION_EMAIL="scan-reports@openvpn.net"
+export COVERITY_SCAN_BUILD_COMMAND_PREPEND="autoreconf -vi && ./configure --enable-iproute2 && make clean"
+export COVERITY_SCAN_BUILD_COMMAND="make"
+
+if [ "${RUN_COVERITY}" = "1" ]; then
+    # Ignore exit code, script exits with 1 if we're not on the right branch
+    curl -s "https://scan.coverity.com/scripts/travisci_build_coverity_scan.sh" | bash || true
+else
+    echo "Skipping coverity scan because \$RUN_COVERITY != \"1\""
+fi