author | James Yonan <james@openvpn.net> | 2010-08-20 20:24:42 +0000 |
---|---|---|
committer | James Yonan <james@openvpn.net> | 2010-08-20 20:24:42 +0000 |
commit | 5f866d914c71f010988fd85d5b178f3b8c3e2987 (patch) | |
tree | 88c2699ab799ac3270e0e8510867e89b60dc233c | |
parent | Windows security issue: (diff) | |
download | openvpn-5f866d914c71f010988fd85d5b178f3b8c3e2987.tar.xz |
Attempt to fix issue where domake-win build system was not properly
signing drivers and .exe files. [v2.1.3]
Added win/tap_span.py for building multiple versions of the TAP driver
and tapinstall binaries using different DDK versions to span from Win2K
to Win7 and beyond.
Version 2.1.3
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6404 e7ae566f-a301-0410-adde-c780ea21d3b5
-rw-r--r-- | install-win32/buildinstaller | 2 | ||||
-rw-r--r-- | install-win32/getgui | 3 | ||||
-rw-r--r-- | install-win32/getxgui | 6 | ||||
-rw-r--r-- | install-win32/maketap | 100 | ||||
-rw-r--r-- | install-win32/maketapinstall | 72 | ||||
-rw-r--r-- | install-win32/settings.in | 37 | ||||
-rw-r--r-- | version.m4 | 2 | ||||
-rw-r--r-- | win/build_ddk.py | 8 | ||||
-rw-r--r-- | win/settings.in | 3 | ||||
-rw-r--r-- | win/tap_span.py | 129 | ||||
-rw-r--r-- | win/wb.py | 32 |
11 files changed, 191 insertions, 203 deletions
diff --git a/install-win32/buildinstaller b/install-win32/buildinstaller index 83057bb..a17a027 100644 --- a/install-win32/buildinstaller +++ b/install-win32/buildinstaller @@ -10,5 +10,5 @@ tail -20 makensis.log # sign the installer if [ -d "$SIGNTOOL" ]; then - TARGET_EXE="$(echo $(pwd)/$GENOUT/*.exe)" $SIGNTOOL/signexe + python $SIGNTOOL/signapp.py "$(echo $(pwd)/$GENOUT/*.exe)" fi diff --git a/install-win32/getgui b/install-win32/getgui index b53a8f7..aa83e85 100644 --- a/install-win32/getgui +++ b/install-win32/getgui @@ -10,9 +10,6 @@ GUI="$OPENVPN_GUI_DIR/$OPENVPN_GUI" if [ -f "$GUI" ]; then mkdir -p $GENOUT/bin &>/dev/null cp $GUI $GENOUT/bin - if [ -d "$SIGNTOOL" ]; then - TARGET_EXE="$GENOUT/bin/$OPENVPN_GUI" $SIGNTOOL/signexe - fi fi if [ -f "$GENOUT/bin/$OPENVPN_GUI" ]; then diff --git a/install-win32/getxgui b/install-win32/getxgui index d3a21b8..3a1e626 100644 --- a/install-win32/getxgui +++ b/install-win32/getxgui @@ -19,12 +19,6 @@ if [ -d "$OPENVPN_XGUI_DIR" ]; then done fi - for f in $SIGNED_EXES; do - if [ -d "$SIGNTOOL" ]; then - TARGET_EXE="$GENOUT/bin/`basename $f`" $SIGNTOOL/signexe - fi - done - rm -rf $GENOUT/htdocs cp -a $OPENVPN_XGUI_DIR/ajax/htdocs $GENOUT/htdocs diff --git a/install-win32/maketap b/install-win32/maketap index 0d33329..b9c4070 100644 --- a/install-win32/maketap +++ b/install-win32/maketap 
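Review bot: The new signing line in install-win32/buildinstaller, `python $SIGNTOOL/signapp.py "$(echo $(pwd)/$GENOUT/*.exe)"`, does not check the script's exit status, so unless the caller runs under `set -e` (not visible in this hunk) a failed signing step leaves an unsigned installer in `$GENOUT` and the build carries on. If the glob matches several .exe files, or none, the quoted `$(echo ...)` hands signapp.py a single argument containing spaces or a literal `*`. A loop makes both cases explicit: `for exe in "$(pwd)/$GENOUT"/*.exe; do python "$SIGNTOOL/signapp.py" "$exe" || exit 1; done`. The script starts outside the hunk.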
@@ -1,101 +1,17 @@ #!/bin/sh -# Build the x86 and x64 versions of the TAP driver -# Requires the Windows DDK +# Get the x86 and x64 versions of the TAP driver # get version.nsi definitions . autodefs/defs.sh -if [ -n "$DDKVER" ] && [ -d "/c/WINDDK/$DDKVER" ] ; then - -# common declarations for all DDK build targets -. install-win32/ddk-common - -# configure tap driver sources -MACRO="perl install-win32/macro.pl autodefs/defs.in" -IFDEF="perl install-win32/ifdef.pl" -rm -rf tap-win32/amd64 -mkdir tap-win32/amd64 -$MACRO <tap-win32/SOURCES.in >tap-win32/SOURCES -$MACRO <tap-win32/i386/OemWin2k.inf.in | $IFDEF >tap-win32/i386/OemWin2k.inf -$MACRO <tap-win32/i386/OemWin2k.inf.in | $IFDEF -DAMD64 >tap-win32/amd64/OemWin2k.inf - -if [ -n "$PRODUCT_TAP_DEBUG" ] ; then - w2ktarget="w2k c" - amdtarget="chk $x64_tag WNET" -else - w2ktarget="w2k f" - amdtarget="fre $x64_tag WNET" -fi - -if [ -z "$DRVBINSRC" ] ; then - if [ -n "$TAP_BIN_AMD64" ]; then - amdtarget="" - fi - - cd tap-win32 - t=`pwd` - cd .. - - for mode in "$w2ktarget" "$amdtarget"; do - echo '**********' build TAP $mode - cmd //c "C:\\WINDDK\\$DDKVER\\bin\\setenv.bat C:\\WINDDK\\$DDKVER $mode && cd `perl install-win32/dosname.pl $t` && build -cef" - mv tap-win32/tapdrvr.cod "tap-win32/tapdrvr-$(echo $mode | tr ' ' '-').cod" +if [ -d "$TAPBINSRC" ]; then + mkdir -p $GENOUT/driver/i386 &>/dev/null + mkdir -p $GENOUT/driver/amd64 &>/dev/null + for arch in i386 amd64; do + s=$TAPBINSRC/$arch + cp $s/*.sys $s/*.cat $s/*.inf $GENOUT/driver/$arch done - - title openvpn-build &>/dev/null - - if [ -n "$TAP_BIN_AMD64" ]; then - mkdir -p $t/amd64 - cp "$TAP_BIN_AMD64" $t/amd64 - fi - - # copy driver files into tap-win32/dist - cd tap-win32 - rm -rf dist - mkdir dist - cd dist - mkdir i386 - mkdir amd64 - cd i386 - x86=`pwd` - cd ../amd64 - x64=`pwd` - cd ../.. 
- cp i386/OemWin2k.inf $x86 - cp i386/*.sys $x86 - cp amd64/OemWin2k.inf $x64 - cp amd64/*.sys $x64 - out="TAP driver catalog file is undefined"; - echo "$out" >$x86/$PRODUCT_TAP_ID.cat - echo "$out" >$x64/$PRODUCT_TAP_ID.cat - cd .. -fi - -# $DRVBINSRC, if defined, points to prebuilt TAP driver and -# tapinstall.exe. -mkdir $GENOUT &>/dev/null -rm -rf $GENOUT/driver -if [ -z "$DRVBINSRC" ] ; then - # Get TAP drivers - cp -a tap-win32/dist $GENOUT/driver - - # Sign TAP drivers - if [ -d "$SIGNTOOL" ]; then - $SIGNTOOL/signtap - fi -else - cp -a $DRVBINSRC/driver $GENOUT/driver -fi - -# $DRVBINDEST, if defined, points to a destination directory -# where TAP driver and tapinstall.exe will be saved, to be used -# as a $DRVBINSRC in future builds. -if [ -n "$DRVBINDEST" ] ; then - mkdir $DRVBINDEST &>/dev/null - cp -a $GENOUT/driver $DRVBINDEST -fi - else - echo Not building TAP driver -- DDK version $DDKVER NOT FOUND + echo Cannot find pre-built tap drivers fi diff --git a/install-win32/maketapinstall b/install-win32/maketapinstall index eae4471..9fe0470 100644 --- a/install-win32/maketapinstall +++ b/install-win32/maketapinstall 
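Review bot: When `$TAPBINSRC` is missing, install-win32/maketap only prints `Cannot find pre-built tap drivers` and still exits with status 0, and the old `rm -rf $GENOUT/driver` is gone, so an installer can be packaged with no drivers or with driver files left over from an earlier build. The `else` branch of install-win32/maketapinstall has the same problem. Clear `$GENOUT/driver` before the copy and end the else branch with `exit 1`; quoting the expansions also helps, e.g. `cp "$s"/*.sys "$s"/*.cat "$s"/*.inf "$GENOUT/driver/$arch"`. Nothing here checks that the copied .sys/.cat files are signed, so the script relies entirely on whatever populated `$TAPBINSRC`; a comment stating that assumption would help the next maintainer.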
@@ -1,77 +1,15 @@ #!/bin/sh -# Build the x86 and x64 versions of the tapinstall tool -# Requires the Windows DDK. -# TISRC should be set to directory containing -# tapinstall source code. +# Get the x86 and x64 versions of the tapinstall tool # get version.nsi definitions . autodefs/defs.sh -if [ -n "$DDKVER" ] && [ -d "/c/WINDDK/$DDKVER" ] ; then - -if ! [ -d "$TISRC" ] ; then - echo "$TISRC" NOT INSTALLED - exit 1 -fi - -# common declarations for all DDK build targets -. install-win32/ddk-common - -amdtarget="" -if [ -z "$TI_BIN_AMD64" ]; then - amdtarget="fre $x64_tag WNET" -fi - -if [ -z "$DRVBINSRC" ] ; then - rm -rf tapinstall - cp -a "$TISRC" tapinstall - - if [ -e tapinstall/sources.in ]; then - perl install-win32/ifdef.pl autodefs/defs.in <tapinstall/sources.in >tapinstall/sources - fi - - cd tapinstall - t=`pwd` - cd .. - - for mode in "w2k f" "$amdtarget"; do - if [ -n "$mode" ]; then - echo '**********' build TAPINSTALL $mode - cmd //c "C:\\WINDDK\\$DDKVER\\bin\\setenv.bat C:\\WINDDK\\$DDKVER $mode && cd `perl install-win32/dosname.pl $t` && build -cef" - fi - done -fi - -if [ -n "$TI_BIN_AMD64" ]; then - mkdir -p $t/objfre_wnet_amd64/amd64 - cp "$TI_BIN_AMD64" $t/objfre_wnet_amd64/amd64 -fi - -# $DRVBINSRC, if defined, points to prebuilt TAP driver and -# tapinstall.exe. -if [ -z "$DRVBINSRC" ] ; then - # Get tapinstall +if [ -d "$TAPBINSRC" ]; then mkdir -p $GENOUT/tapinstall/i386 &>/dev/null mkdir -p $GENOUT/tapinstall/amd64 &>/dev/null - cp tapinstall/objfre_w2k_x86/i386/tapinstall.exe $GENOUT/tapinstall/i386 - cp tapinstall/objfre_wnet_amd64/amd64/tapinstall.exe $GENOUT/tapinstall/amd64 -else - mkdir $GENOUT &>/dev/null - cp -a $DRVBINSRC/tapinstall $GENOUT/tapinstall -fi - -# $DRVBINDEST, if defined, points to a destination directory -# where TAP driver and tapinstall.exe will be saved, to be used -# as a $DRVBINSRC in future builds. 
-if [ -n "$DRVBINDEST" ] ; then - mkdir $DRVBINDEST &>/dev/null - cp -a $GENOUT/driver $DRVBINDEST - cp -a $GENOUT/tapinstall $DRVBINDEST -fi - -title openvpn-build &>/dev/null - + cp $TAPBINSRC/i386/tapinstall.exe $GENOUT/tapinstall/i386 + cp $TAPBINSRC/amd64/tapinstall.exe $GENOUT/tapinstall/amd64 else - echo Not building tapinstall -- DDK version $DDKVER NOT BUILT + echo Cannot find pre-built tapinstall fi diff --git a/install-win32/settings.in b/install-win32/settings.in index 21ea0a7..4a0a564 100644 --- a/install-win32/settings.in +++ b/install-win32/settings.in 
@@ -27,42 +27,19 @@ !define PKCS11_HELPER_DIR "../pkcs11-helper" ;!define DMALLOC_DIR "../dmalloc-5.4.2" +# Prebuilt TAP drivers and tapinstall +!define TAPBINSRC "../tap_dist" + +# Directory containing python script for signing .exe files +!define SIGNTOOL "../signtool" + # Optional directory of prebuilt OpenVPN binary components, # to be used as a source when build-from-scratch prerequisites # are not met. ;!define GENOUT_PREBUILT "../gen-prebuilt" -# tapinstall.exe source code. -# Not needed if DRVBINSRC is defined -# (or if using pre-built mode). -!define TISRC "../tapinstall/5600" - -# TAP Adapter parameters. Note that PRODUCT_TAP_ID is -# defined in version.m4. -!define PRODUCT_TAP_DEVICE_DESCRIPTION "TAP-Win32 Adapter V9" -!define PRODUCT_TAP_PROVIDER "TAP-Win32 Provider V9" -!define PRODUCT_TAP_MAJOR_VER 9 -!define PRODUCT_TAP_MINOR_VER 7 -!define PRODUCT_TAP_RELDATE "04/19/2010" - -# TAP adapter icon -- visible=0x81 or hidden=0x89 -!define PRODUCT_TAP_CHARACTERISTICS 0x81 - -# Build debugging version of TAP driver -;!define PRODUCT_TAP_DEBUG - -# DDK Version. -# DDK distribution is assumed to be in C:\WINDDK\${DDKVER} -!define DDKVER 6001.18002 -!define DDKVER_MAJOR 6001 - -# Code Signing. -# If undefined, don't sign any files. -!define SIGNTOOL "../signtool.old" -!define PRODUCT_SIGN_CN "openvpn" - # -j parameter passed to make -!define MAKE_JOBS 2 +!define MAKE_JOBS 1 # output directory for built binaries # and other generated files @@ -1,5 +1,5 @@ dnl define the OpenVPN version -define(PRODUCT_VERSION,[2.1.2]) +define(PRODUCT_VERSION,[2.1.3]) dnl define the TAP version define(PRODUCT_TAP_ID,[tap0901]) define(PRODUCT_TAP_WIN32_MIN_MAJOR,[9]) diff --git a/win/build_ddk.py b/win/build_ddk.py index ca68e81..1a0cf82 100644 --- a/win/build_ddk.py +++ b/win/build_ddk.py @@ -2,9 +2,13 @@ import os from wb import system, home_fn, choose_arch
def build_ddk(config, dir, x64):
- setenv_bat = os.path.realpath(os.path.join(config['DDK_PATH'], 'bin/setenv.bat'))
+ ddk_path = config['DDK_PATH']
ddk_major = int(config['DDKVER_MAJOR'])
debug = 'PRODUCT_TAP_DEBUG' in config
+ return build_tap(ddk_path, ddk_major, debug, dir, x64)
+
+def build_tap(ddk_path, ddk_major, debug, dir, x64):
+ setenv_bat = os.path.realpath(os.path.join(ddk_path, 'bin/setenv.bat'))
target = 'chk' if debug else 'fre'
if x64:
target += ' x64'
@@ -23,7 +27,7 @@ def build_ddk(config, dir, x64): system('cmd /c "%s %s %s && cd %s && build -cef"' % (
setenv_bat,
- os.path.realpath(config['DDK_PATH']),
+ os.path.realpath(ddk_path),
target,
dir
))
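Review bot: `build_tap` now takes `ddk_path` and `dir` from any caller, but both are still interpolated unquoted into `'cmd /c "%s %s %s && cd %s && build -cef"'`, so a path containing a space or a cmd metacharacter such as `&` changes the command that runs. The callers visible in this commit pass fixed paths from settings and from the tuples in tap_span.py, so this is a robustness point for a now-reusable helper rather than an exposed input; validating the paths before formatting (or quoting them, e.g. `cd "%s"`) would close it. Whether `system` raises on a non-zero exit is not visible in this diff; if it does not, a failed DDK build would be followed by signing and copying whatever binaries already sit in the tree. `build_tap` also has no docstring saying what `ddk_major` and `dir` are expected to be.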
diff --git a/win/settings.in b/win/settings.in index 0e1bb1c..f8eeb20 100644 --- a/win/settings.in +++ b/win/settings.in @@ -47,6 +47,9 @@ !define DDK_PATH "c:/winddk/7600.16385.1" ;!define DDK_PATH "c:/winddk/6001.18002" +# output path for tap_span.py +!define TAP_DIST "tap_dist" + # Visual studio path !define MSVC "C:/Program Files/Microsoft Visual Studio 9.0" diff --git a/win/tap_span.py b/win/tap_span.py new file mode 100644 index 0000000..9cd127b --- /dev/null +++ b/win/tap_span.py @@ -0,0 +1,129 @@ +import sys, os, shutil
+from wb import config, home_fn, mod_fn, preprocess, autogen, dict_def, build_autodefs, rm_rf, mkdir_silent, cp
+if 'SIGNTOOL' in config:
+ sys.path.append(home_fn(config['SIGNTOOL']))
+from signtool import SignTool
+from build_ddk import build_tap
+
+ti_dir = "c:/src/tapinstall"
+hi = ("c:/winddk/7600.16385.1", 7600, 7600, ("i386", "amd64"))
+low = ("c:/winddk/6001.18002", 6001, 5600, ("win2k",))
+dest_top = home_fn('tap_build')
+dist = home_fn(config['TAP_DIST'])
+
+def copy_tap(src, dest, x64):
+ dir = os.path.join(src, { False : 'i386', True: 'amd64' }[x64])
+ mkdir_silent(dest)
+ for dirpath, dirnames, filenames in os.walk(dir):
+ for f in filenames:
+ root, ext = os.path.splitext(f)
+ if ext in ('.inf', '.cat', '.sys'):
+ cp(os.path.join(dir, f), dest)
+ break
+
+def copy_tapinstall(src, dest, x64):
+ base = { False : 'i386', True: 'amd64' }[x64]
+ mkdir_silent(dest)
+ for dirpath, dirnames, filenames in os.walk(home_fn(src)):
+ for f in filenames:
+ if f == 'tapinstall.exe':
+ dir_name = os.path.basename(dirpath)
+ s = os.path.join(dirpath, f)
+ if dir_name == base:
+ cp(s, dest)
+
+def main():
+ rm_rf(dest_top)
+ os.mkdir(dest_top)
+
+ rm_rf(dist)
+ os.mkdir(dist)
+
+ for ver in hi, low:
+ top = os.path.join(dest_top, str(ver[1]))
+ os.mkdir(top)
+ tap_dest = os.path.join(top, "tap-win32")
+ ti_dest = os.path.join(top, "tapinstall")
+ ti_src = os.path.join(ti_dir, str(ver[2]))
+ shutil.copytree(home_fn("tap-win32"), tap_dest)
+ shutil.copytree(ti_src, ti_dest)
+
+ i386 = os.path.join(tap_dest, "i386")
+ amd64 = os.path.join(tap_dest, "amd64")
+
+ build_amd64 = (len(ver[3]) >= 2)
+
+ build_autodefs(config, mod_fn('autodefs.h.in'), os.path.join(top, 'autodefs.h'))
+
+ st = SignTool(config, tap_dest)
+
+ preprocess(config,
+ in_fn=os.path.join(tap_dest, 'SOURCES.in'),
+ out_fn=os.path.join(tap_dest, 'SOURCES'),
+ quote_begin='@@',
+ quote_end='@@',
+ head_comment='# %s\n\n' % autogen)
+
+ preprocess(config,
+ in_fn=os.path.join(i386, 'OemWin2k.inf.in'),
+ out_fn=os.path.join(i386, 'OemWin2k.inf'),
+ quote_begin='@@',
+ quote_end='@@',
+ if_prefix='!',
+ head_comment='; %s\n\n' % autogen)
+
+ preprocess(config,
+ in_fn=os.path.join(ti_dest, 'sources.in'),
+ out_fn=os.path.join(ti_dest, 'sources'),
+ if_prefix='!',
+ head_comment='# %s\n\n' % autogen)
+
+ build_tap(ddk_path=ver[0],
+ ddk_major=ver[1],
+ debug=False,
+ dir=tap_dest,
+ x64=False)
+
+ st.sign_verify(x64=False)
+
+ build_tap(ddk_path=ver[0],
+ ddk_major=ver[1],
+ debug=False,
+ dir=ti_dest,
+ x64=False)
+
+ tap_dist = os.path.join(dist, ver[3][0])
+
+ copy_tap(tap_dest, tap_dist, x64=False)
+ copy_tapinstall(ti_dest, tap_dist, x64=False)
+
+ if build_amd64:
+ os.mkdir(amd64)
+ preprocess(dict_def(config, [('AMD64', '1')]),
+ in_fn=os.path.join(i386, 'OemWin2k.inf.in'),
+ out_fn=os.path.join(amd64, 'OemWin2k.inf'),
+ quote_begin='@@',
+ quote_end='@@',
+ if_prefix='!',
+ head_comment='; %s\n\n' % autogen)
+
+ build_tap(ddk_path=ver[0],
+ ddk_major=ver[1],
+ debug=False,
+ dir=tap_dest,
+ x64=True)
+
+ build_tap(ddk_path=ver[0],
+ ddk_major=ver[1],
+ debug=False,
+ dir=ti_dest,
+ x64=True)
+
+ st.sign_verify(x64=True)
+
+ tap_dist_x64 = os.path.join(dist, ver[3][1])
+
+ copy_tap(tap_dest, tap_dist_x64, x64=True)
+ copy_tapinstall(ti_dest, tap_dist_x64, x64=True)
+
+main()
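Review bot: `SignTool(config, tap_dest)` is scoped to the driver directory and `st.sign_verify(...)` is only called for the TAP build, so from this file alone tapinstall.exe appears to be copied into `dist` by `copy_tapinstall` without any signing or verification step; confirm that signtool.py covers it, or add a step for `ti_dest`. The x86 path calls `sign_verify(x64=False)` before the tapinstall build while the amd64 path calls it after both builds, which is worth making consistent. `from signtool import SignTool` is unconditional although the `sys.path.append` is guarded by `if 'SIGNTOOL' in config`, so an unset SIGNTOOL either raises ImportError or resolves `signtool` from some other `sys.path` entry; fail with an explicit message when the setting is missing. `main()` also runs at import time, and `if __name__ == '__main__': main()` is the usual guard.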
@@ -1,7 +1,7 @@ # Python module containing general build functions
# for OpenVPN on Windows
-import os, re, shutil
+import os, re, shutil, stat
autogen = "Automatically generated by OpenVPN Windows build system"
@@ -182,4 +182,34 @@ def cp(src, dest, dest_is_dir=True): print "COPY %s %s" % (src, dest)
shutil.copyfile(src, dest)
+def rm_rf(path):
+ try:
+ shutil.rmtree(path, onerror=onerror)
+ except:
+ pass
+
+def onerror(func, path, exc_info):
+ """
+ Error handler for ``shutil.rmtree``.
+
+ If the error is due to an access error (read only file)
+ it attempts to add write permission and then retries.
+
+ If the error is for another reason it re-raises the error.
+
+ Usage : ``shutil.rmtree(path, onerror=onerror)``
+ """
+ if not os.access(path, os.W_OK):
+ # Is the error an access error ?
+ os.chmod(path, stat.S_IWUSR)
+ func(path)
+ else:
+ raise
+
+def mkdir_silent(dir):
+ try:
+ os.mkdir(dir)
+ except:
+ pass
+
config = get_config()
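Review bot: `rm_rf` and `mkdir_silent` both use a bare `except: pass`, which hides permission and locked-file errors as well as KeyboardInterrupt, and in `rm_rf` it also discards the error that `onerror` deliberately re-raises. Narrow both to `except OSError, e:` and ignore only the expected case (a missing path in `rm_rf`, `e.errno == errno.EEXIST` in `mkdir_silent`), which needs `import errno`. For a script that produces signed driver packages, failing loudly here is preferable to building on a directory that still holds output from a previous run. In `onerror`, `os.chmod(path, stat.S_IWUSR)` replaces the whole mode rather than adding the write bit; `os.chmod(path, os.stat(path).st_mode | stat.S_IWUSR)` keeps the other bits.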