openvpn-2.7_alpha1/0000775000000000000000000000000015015650160012774 5ustar rootrootopenvpn-2.7_alpha1/.gitattributes0000664000000000000000000000013715015650160015670 0ustar rootroot*.c eol=lf *.h eol=lf *.rc eol=lf *.txt eol=lf *.bat eol=lf *.vc*proj* eol=crlf *.sln eol=crlf openvpn-2.7_alpha1/.gitignore0000664000000000000000000000160115015650160014762 0ustar rootroot*.[oa] *.l[oa] *.dll *.exe *.exe.* *.obj *.pyc *.so *~ *.idb *.suo *.ncb *.log out .vs .deps .libs Makefile Makefile.in aclocal.m4 autodefs.h autom4te.cache config.guess config.h config.h.in config.log config.status config.sub configure configure.h depcomp stamp-h1 install-sh missing ltmain.sh libtool m4/libtool.m4 m4/ltoptions.m4 m4/ltsugar.m4 m4/ltversion.m4 m4/lt~obsolete.m4 build doc/openvpn-examples.5 doc/openvpn-examples.5.html doc/openvpn.8 doc/openvpn.8.html /doc/doxygen/html/ /doc/doxygen/latex/ /doc/doxygen/openvpn.doxyfile distro/systemd/*.service distro/dns-scripts/dns-updown sample/sample-keys/sample-ca/ vendor/cmocka_build vendor/dist tests/t_client.sh tests/t_client-*-20??????-??????/ tests/t_server_null.rc t_client.rc t_client_ips.rc tests/unit_tests/**/*_testdriver src/openvpn/openvpn include/openvpn-plugin.h config-version.h nbproject test-driver compile stamp-h2 openvpn-2.7_alpha1/AUTHORS0000664000000000000000000000003415015650160014041 0ustar rootrootJames Yonan openvpn-2.7_alpha1/CMakeLists.txt0000664000000000000000000007472315015650160015551 0ustar rootrootcmake_minimum_required(VERSION 3.14) set(CMAKE_CONFIGURATION_TYPES "Release;Debug;ASAN") project(openvpn) # This CMake file implements building OpenVPN with CMAKE # # Note that this is *NOT* the official way to build openvpn on anything # other than Windows/mingw despite working on other platforms too. You will need # to add -DUNSUPPORTED_BUILDS=true to build on non Windows platforms. # # This cmake also makes a few assertions like lzo, lz4 being used # and OpenSSL having version 1.1.1+ and generally does not offer the same # configurability like autoconf find_package(PkgConfig REQUIRED) include(CheckSymbolExists) include(CheckIncludeFiles) include(CheckCCompilerFlag) include(CheckLinkerFlag OPTIONAL) include(CheckTypeSize) include(CheckStructHasMember) include(CTest) option(UNSUPPORTED_BUILDS "Allow unsupported builds" OFF) if (NOT WIN32 AND NOT ${UNSUPPORTED_BUILDS}) message(FATAL_ERROR "Note: on Unix platform the official and supported build method is using autoconfig. CMake based build should be only used for Windows and internal testing/development.") endif() if (EXISTS "${CMAKE_CURRENT_SOURCE_DIR}/config.h") message(FATAL_ERROR "The top level source directory has a config.h file. Note that you can't mix in-tree autoconfig builds with out-of-tree cmake builds.") endif () option(MBED "BUILD with mbed" OFF) set(MBED_INCLUDE_PATH "" CACHE STRING "Path to mbed TLS include directory") set(MBED_LIBRARY_PATH "" CACHE STRING "Path to mbed library directory") option(WOLFSSL "BUILD with wolfSSL" OFF) option(ENABLE_LZ4 "BUILD with lz4" ON) option(ENABLE_LZO "BUILD with lzo" ON) option(ENABLE_PKCS11 "BUILD with pkcs11-helper" ON) option(USE_WERROR "Treat compiler warnings as errors (-Werror)" ON) option(FAKE_ANDROID "Target Android but do not use actual cross compile/Android cmake to build for simple compile checks on Linux") option(ENABLE_DNS_UPDOWN_BY_DEFAULT "Run --dns-updown hook by default" ON) set(DNS_UPDOWN_PATH "${CMAKE_INSTALL_PREFIX}/libexec/openvpn/dns-updown" CACHE STRING "Default location for the DNS up/down script") set(PLUGIN_DIR "${CMAKE_INSTALL_PREFIX}/lib/openvpn/plugins" CACHE FILEPATH "Location of the plugin directory") # Create machine readable compile commands option(ENABLE_COMPILE_COMMANDS "Generate compile_commands.json and a symlink for clangd to find it" OFF) if (ENABLE_COMPILE_COMMANDS) if (EXISTS ${CMAKE_CURRENT_SOURCE_DIR}/build AND NOT IS_SYMLINK ${CMAKE_CURRENT_SOURCE_DIR}/build) message(FATAL_ERROR "The top level source directory contains a 'build' file or directory. Please remove or rename it. CMake creates a symlink with that name during build.") endif() set(CMAKE_EXPORT_COMPILE_COMMANDS 1) add_custom_target( symlink-build-dir ALL ${CMAKE_COMMAND} -E create_symlink ${CMAKE_CURRENT_BINARY_DIR} ${CMAKE_CURRENT_SOURCE_DIR}/build ) endif () # AddressSanitize - use CXX=clang++ CC=clang cmake -DCMAKE_BUILD_TYPE=asan to build with ASAN set(CMAKE_C_FLAGS_ASAN "-fsanitize=address,undefined -fno-sanitize-recover=all -fno-optimize-sibling-calls -fsanitize-address-use-after-scope -fno-omit-frame-pointer -g -O1" CACHE STRING "Flags used by the C compiler during AddressSanitizer builds." FORCE) set(CMAKE_CXX_FLAGS_ASAN "-fsanitize=address,undefined -fno-sanitize-recover=all -fno-optimize-sibling-calls -fsanitize-address-use-after-scope -fno-omit-frame-pointer -g -O1" CACHE STRING "Flags used by the C++ compiler during AddressSanitizer builds." FORCE) function(check_and_add_compiler_flag flag variable) check_c_compiler_flag(${flag} ${variable}) if (${variable}) add_compile_options(${flag}) endif() endfunction() if (MSVC) add_compile_definitions( _CRT_SECURE_NO_WARNINGS _CRT_NONSTDC_NO_DEPRECATE _WINSOCK_DEPRECATED_NO_WARNINGS ) if (USE_WERROR) add_compile_options(/WX) endif () add_compile_options( /MP /W2 /sdl /Qspectre /guard:cf /FC /ZH:SHA_256 "$<$:/GL>" "$<$:/Oi>" "$<$:/Gy>" "$<$:/Zi>" ) add_link_options( /Brepro "$<$:/LTCG:incremental>" "$<$:/DEBUG:FULL>" "$<$:/OPT:REF>" "$<$:/OPT:ICF>" ) if (${CMAKE_GENERATOR_PLATFORM} STREQUAL "x64" OR ${CMAKE_GENERATOR_PLATFORM} STREQUAL "x86") add_link_options("$<$:/CETCOMPAT>") endif() else () add_compile_options(-Wall -Wuninitialized) check_and_add_compiler_flag(-Wno-stringop-truncation NoStringOpTruncation) check_and_add_compiler_flag(-Wstrict-prototypes StrictPrototypes) check_and_add_compiler_flag(-Wold-style-definition OldStyleDefinition) # We are not ready for this #add_compile_options(-Wconversion -Wno-sign-conversion -Wsign-compare) if (USE_WERROR) add_compile_options(-Werror) endif () endif () find_package(Python3 REQUIRED COMPONENTS Interpreter) execute_process( COMMAND ${Python3_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/contrib/cmake/parse-version.m4.py ${CMAKE_CURRENT_SOURCE_DIR}/version.m4 WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR} ) include(${CMAKE_CURRENT_BINARY_DIR}/version.cmake) set(OPENVPN_VERSION_MAJOR ${PRODUCT_VERSION_MAJOR}) set(OPENVPN_VERSION_MINOR ${PRODUCT_VERSION_MINOR}) set(OPENVPN_VERSION_PATCH ${PRODUCT_VERSION_PATCH}) set(OPENVPN_VERSION_RESOURCE ${PRODUCT_VERSION_RESOURCE}) set(CMAKE_C_STANDARD 11) # Set the various defines for config.h.cmake.in if (${CMAKE_SYSTEM_NAME} STREQUAL "Android" OR ${FAKE_ANDROID}) set(TARGET_ANDROID YES) set(ENABLE_ASYNC_PUSH YES) set(ENABLE_SITNL YES) set(HAVE_LINUX_TYPES_H 1) # Wacky workaround as OpenSSL package detection is otherwise broken (https://stackoverflow.com/questions/45958214/android-cmake-could-not-find-openssl) list(APPEND CMAKE_FIND_ROOT_PATH ${OPENSSL_ROOT_DIR}) elseif (${CMAKE_SYSTEM_NAME} STREQUAL "Linux") set(TARGET_LINUX YES) set(ENABLE_ASYNC_PUSH YES) set(ENABLE_LINUXDCO YES) set(ENABLE_SITNL YES) set(HAVE_DECL_SO_MARK YES) set(ENABLE_FEATURE_TUN_PERSIST 1) set(HAVE_LINUX_TYPES_H 1) set(ENABLE_DCO YES) elseif (${CMAKE_SYSTEM_NAME} STREQUAL "FreeBSD") set(TARGET_FREEBSD YES) set(ENABLE_DCO YES) link_libraries(-lnv) elseif (${CMAKE_SYSTEM_NAME} STREQUAL "OpenBSD") set(TARGET_OPENBSD YES) elseif (${CMAKE_SYSTEM_NAME} STREQUAL "SunOS") set(TARGET_SOLARIS YES) set(HAVE_SYS_SOCKIO_H 1) link_libraries(-lnsl -lsocket -lresolv) elseif (WIN32) set(ENABLE_DCO YES) elseif (APPLE) set(TARGET_DARWIN YES) else() message(FATAL_ERROR "Unknown system name: \"${CMAKE_SYSTEM_NAME}\"") endif () if (UNIX) set(PATH_SEPARATOR /) set(ENABLE_PORT_SHARE YES) set(HAVE_SA_FAMILY_T YES) elseif (WIN32) set(PATH_SEPARATOR \\\\) set(TARGET_WIN32 YES) endif () check_include_files(unistd.h HAVE_UNISTD_H) if (HAVE_UNISTD_H) check_symbol_exists(chroot unistd.h HAVE_CHROOT) check_symbol_exists(chdir unistd.h HAVE_CHDIR) check_symbol_exists(dup unistd.h HAVE_DUP) check_symbol_exists(dup2 unistd.h HAVE_DUP2) check_symbol_exists(fork unistd.h HAVE_FORK) check_symbol_exists(execve unistd.h HAVE_EXECVE) check_symbol_exists(ftruncate unistd.h HAVE_FTRUNCATE) check_symbol_exists(nice unistd.h HAVE_NICE) check_symbol_exists(setgid unistd.h HAVE_SETGID) check_symbol_exists(setuid unistd.h HAVE_SETUID) check_symbol_exists(setsid unistd.h HAVE_SETSID) check_symbol_exists(daemon "unistd.h;stdlib.h" HAVE_DAEMON) check_symbol_exists(getpeereid "unistd.h;sys/socket.h" HAVE_GETPEEREID) endif() check_include_files(grp.h HAVE_GRP_H) if (HAVE_GRP_H) check_symbol_exists(getgrnam grp.h HAVE_GETGRNAM) endif() check_include_files(libgen.h HAVE_LIBGEN_H) if (HAVE_LIBGEN_H) check_symbol_exists(basename libgen.h HAVE_BASENAME) check_symbol_exists(dirname libgen.h HAVE_DIRNAME) endif() check_include_files(pwd.h HAVE_PWD_H) if (HAVE_PWD_H) check_symbol_exists(getpwnam pwd.h HAVE_GETPWNAM) endif() check_include_files(sys/epoll.h HAVE_SYS_EPOLL_H) if (HAVE_SYS_EPOLL_H) check_symbol_exists(epoll_create sys/epoll.h HAVE_EPOLL_CREATE) endif() check_include_files(syslog.h HAVE_SYSLOG_H) if (HAVE_SYSLOG_H) check_symbol_exists(openlog syslog.h HAVE_OPENLOG) check_symbol_exists(syslog syslog.h HAVE_SYSLOG) endif() check_include_files(sys/mman.h HAVE_SYS_MMAN_H) if (HAVE_SYS_MMAN_H) check_symbol_exists(mlockall sys/mman.h HAVE_MLOCKALL) endif() check_include_files(sys/socket.h HAVE_SYS_SOCKET_H) if (HAVE_SYS_SOCKET_H) check_symbol_exists(sendmsg sys/socket.h HAVE_SENDMSG) check_symbol_exists(recvmsg sys/socket.h HAVE_RECVMSG) check_symbol_exists(getsockname sys/socket.h HAVE_GETSOCKNAME) # Checking for existence of structs with check_symbol_exists does not work, # so we use check_struct_hash_member with a member instead check_struct_has_member("struct cmsghdr" cmsg_len sys/socket.h HAVE_CMSGHDR) endif() check_include_files(sys/time.h HAVE_SYS_TIME_H) if (HAVE_SYS_TIME_H) check_symbol_exists(gettimeofday sys/time.h HAVE_GETTIMEOFDAY) check_symbol_exists(getrlimit "sys/time.h;sys/resource.h" HAVE_GETRLIMIT) endif() check_symbol_exists(chsize io.h HAVE_CHSIZE) check_symbol_exists(getrlimit sys/resource.h HAVE_GETRLIMIT) # Some OS (e.g. FreeBSD) need some basic headers to allow # including network headers set(NETEXTRA sys/types.h) check_include_files("${NETEXTRA};netinet/in.h" HAVE_NETINET_IN_H) if (HAVE_NETINET_IN_H) list(APPEND NETEXTRA netinet/in.h) endif () check_include_files(arpa/inet.h HAVE_ARPA_INET_H) check_include_files(dlfcn.h HAVE_DLFCN_H) check_include_files(dmalloc.h HAVE_DMALLOC_H) check_include_files(fcntl.h HAVE_FCNTL_H) check_include_files(err.h HAVE_ERR_H) check_include_files(linux/if_tun.h HAVE_LINUX_IF_TUN_H) check_include_files(linux/sockios.h HAVE_LINUX_SOCKIOS_H) check_include_files(netdb.h HAVE_NETDB_H) check_include_files("${NETEXTRA};netinet/in6.h" HAVE_NETINET_IN_H) check_include_files(net/if.h HAVE_NET_IF_H) check_include_files("${NETEXTRA};net/if_tun.h" HAVE_NET_IF_TUN_H) check_include_files(poll.h HAVE_POLL_H) check_include_files("${NETEXTRA};resolv.h" HAVE_RESOLV_H) check_include_files(sys/ioctl.h HAVE_SYS_IOCTL_H) check_include_files(sys/inotify.h HAVE_SYS_INOTIFY_H) check_include_files("${NETEXTRA};sys/uio.h" HAVE_SYS_UIO_H) check_include_files(sys/un.h HAVE_SYS_UN_H) check_include_files(sys/wait.h HAVE_SYS_WAIT_H) check_include_files("${NETEXTRA};netinet/ip.h" HAVE_NETINET_IP_H) if (HAVE_NETINET_IP_H) set(CMAKE_EXTRA_INCLUDE_FILES netinet/ip.h) check_type_size("struct in_pktinfo" IN_PKTINFO) check_struct_has_member("struct in_pktinfo" ipi_spec_dst netinet/ip.h HAVE_IPI_SPEC_DST) check_type_size("struct msghdr" MSGHDR) set(CMAKE_EXTRA_INCLUDE_FILES) endif() find_program(IFCONFIG_PATH ifconfig) find_program(IPROUTE_PATH ip) find_program(ROUTE_PATH route) if (${ENABLE_LZ4}) pkg_search_module(liblz4 liblz4 REQUIRED IMPORTED_TARGET) endif () if (${ENABLE_LZO}) pkg_search_module(lzo2 lzo2 REQUIRED IMPORTED_TARGET) endif () if (${ENABLE_PKCS11}) pkg_search_module(pkcs11-helper libpkcs11-helper-1 REQUIRED IMPORTED_TARGET) endif () function(check_mbed_configuration) if (NOT (MBED_INCLUDE_PATH STREQUAL "") ) set(CMAKE_REQUIRED_INCLUDES ${MBED_INCLUDE_PATH}) endif () if (NOT (MBED_LIBRARY_PATH STREQUAL "")) set(CMAKE_REQUIRED_LINK_OPTIONS "-L${MBED_LIBRARY_PATH}") endif () set(CMAKE_REQUIRED_LIBRARIES "mbedtls;mbedx509;mbedcrypto") check_symbol_exists(mbedtls_ctr_drbg_update_ret mbedtls/ctr_drbg.h HAVE_MBEDTLS_CTR_DRBG_UPDATE_RET) check_symbol_exists(mbedtls_ssl_conf_export_keys_ext_cb mbedtls/ssl.h HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB) check_symbol_exists(mbedtls_ssl_set_export_keys_cb mbedtls/ssl.h HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB) check_include_files(psa/crypto.h HAVE_MBEDTLS_PSA_CRYPTO_H) endfunction() if (${MBED}) check_mbed_configuration() endif() function(add_library_deps target) if (${MBED}) if (NOT (MBED_INCLUDE_PATH STREQUAL "") ) target_include_directories(${target} PRIVATE ${MBED_INCLUDE_PATH}) endif () if(NOT (MBED_LIBRARY_PATH STREQUAL "")) target_link_directories(${target} PRIVATE ${MBED_LIBRARY_PATH}) endif () target_link_libraries(${target} PRIVATE -lmbedtls -lmbedx509 -lmbedcrypto) elseif (${WOLFSSL}) pkg_search_module(wolfssl wolfssl REQUIRED) target_link_libraries(${target} PUBLIC ${wolfssl_LINK_LIBRARIES}) target_include_directories(${target} PRIVATE ${wolfssl_INCLUDE_DIRS}/wolfssl) else () set(ENABLE_X509ALTUSERNAME YES) find_package(OpenSSL REQUIRED) target_link_libraries(${target} PUBLIC OpenSSL::SSL OpenSSL::Crypto) if (WIN32) target_link_libraries(${target} PUBLIC ws2_32.lib crypt32.lib fwpuclnt.lib iphlpapi.lib wininet.lib setupapi.lib rpcrt4.lib wtsapi32.lib ncrypt.lib bcrypt.lib) endif () endif () if (MINGW) target_compile_definitions(${target} PRIVATE WIN32_LEAN_AND_MEAN NTDDI_VERSION=NTDDI_VISTA _WIN32_WINNT=_WIN32_WINNT_VISTA ) endif() # optional dependencies target_link_libraries(${target} PUBLIC $ $ $ ) if (${CMAKE_SYSTEM_NAME} STREQUAL "Linux") pkg_search_module(libcapng REQUIRED libcap-ng IMPORTED_TARGET) pkg_search_module(libnl REQUIRED libnl-genl-3.0 IMPORTED_TARGET) target_link_libraries(${target} PUBLIC PkgConfig::libcapng PkgConfig::libnl) endif () endfunction() if (${MBED}) set(ENABLE_CRYPTO_MBEDTLS YES) elseif (${WOLFSSL}) set(ENABLE_CRYPTO_OPENSSL YES) set(ENABLE_CRYPTO_WOLFSSL YES) set(ENABLE_X509ALTUSERNAME YES) else () set(ENABLE_CRYPTO_OPENSSL YES) set(ENABLE_X509ALTUSERNAME YES) endif () include_directories(${CMAKE_CURRENT_SOURCE_DIR} src/compat include) add_custom_command( OUTPUT always_rebuild config-version.h COMMAND ${Python3_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/contrib/cmake/git-version.py ) set(HAVE_CONFIG_VERSION_H YES) configure_file(config.h.cmake.in config.h) configure_file(include/openvpn-plugin.h.in openvpn-plugin.h) # TODO we should remove the need for this, and always include config.h add_compile_definitions(HAVE_CONFIG_H) include_directories(${CMAKE_CURRENT_BINARY_DIR}) add_subdirectory(doc) add_subdirectory(src/openvpnmsica) add_subdirectory(src/openvpnserv) add_subdirectory(src/tapctl) set(SOURCE_FILES ${CMAKE_CURRENT_BINARY_DIR}/config.h ${CMAKE_CURRENT_BINARY_DIR}/config-version.h ${CMAKE_CURRENT_BINARY_DIR}/openvpn-plugin.h src/compat/compat-basename.c src/compat/compat-daemon.c src/compat/compat-dirname.c src/compat/compat-gettimeofday.c src/compat/compat-strsep.c src/openvpn/argv.c src/openvpn/argv.h src/openvpn/base64.c src/openvpn/base64.h src/openvpn/basic.h src/openvpn/buffer.c src/openvpn/buffer.h src/openvpn/circ_list.h src/openvpn/clinat.c src/openvpn/clinat.h src/openvpn/common.h src/openvpn/comp-lz4.c src/openvpn/comp-lz4.h src/openvpn/comp.c src/openvpn/comp.h src/openvpn/compstub.c src/openvpn/console.c src/openvpn/console_builtin.c src/openvpn/console.h src/openvpn/crypto.c src/openvpn/crypto.h src/openvpn/crypto_backend.h src/openvpn/crypto_epoch.c src/openvpn/crypto_epoch.h src/openvpn/crypto_openssl.c src/openvpn/crypto_openssl.h src/openvpn/crypto_mbedtls.c src/openvpn/crypto_mbedtls.h src/openvpn/cryptoapi.c src/openvpn/cryptoapi.h src/openvpn/dco.c src/openvpn/dco.h src/openvpn/dco_win.c src/openvpn/dco_win.h src/openvpn/dco_linux.c src/openvpn/dco_linux.h src/openvpn/dco_freebsd.c src/openvpn/dco_freebsd.h src/openvpn/dhcp.c src/openvpn/dhcp.h src/openvpn/dns.c src/openvpn/dns.h src/openvpn/errlevel.h src/openvpn/env_set.c src/openvpn/env_set.h src/openvpn/error.c src/openvpn/error.h src/openvpn/event.c src/openvpn/event.h src/openvpn/fdmisc.c src/openvpn/fdmisc.h src/openvpn/forward.c src/openvpn/forward.h src/openvpn/fragment.c src/openvpn/fragment.h src/openvpn/gremlin.c src/openvpn/gremlin.h src/openvpn/helper.c src/openvpn/helper.h src/openvpn/httpdigest.c src/openvpn/httpdigest.h src/openvpn/init.c src/openvpn/init.h src/openvpn/integer.h src/openvpn/interval.c src/openvpn/interval.h src/openvpn/list.c src/openvpn/list.h src/openvpn/lladdr.c src/openvpn/lladdr.h src/openvpn/lzo.c src/openvpn/lzo.h src/openvpn/manage.c src/openvpn/manage.h src/openvpn/mbuf.c src/openvpn/mbuf.h src/openvpn/memdbg.h src/openvpn/misc.c src/openvpn/misc.h src/openvpn/mroute.c src/openvpn/mroute.h src/openvpn/mss.c src/openvpn/mss.h src/openvpn/mstats.c src/openvpn/mstats.h src/openvpn/mtcp.c src/openvpn/mtcp.h src/openvpn/mtu.c src/openvpn/mtu.h src/openvpn/mudp.c src/openvpn/mudp.h src/openvpn/multi.c src/openvpn/multi.h src/openvpn/multi_io.h src/openvpn/multi_io.c src/openvpn/ntlm.c src/openvpn/ntlm.h src/openvpn/occ.c src/openvpn/occ.h src/openvpn/openvpn.c src/openvpn/openvpn.h src/openvpn/openvpn_win32_resources.rc src/openvpn/options.c src/openvpn/options.h src/openvpn/options_util.c src/openvpn/options_util.h src/openvpn/otime.c src/openvpn/otime.h src/openvpn/ovpn_dco_win.h src/openvpn/packet_id.c src/openvpn/packet_id.h src/openvpn/perf.c src/openvpn/perf.h src/openvpn/ping.c src/openvpn/ping.h src/openvpn/pkcs11.c src/openvpn/pkcs11.h src/openvpn/pkcs11_backend.h src/openvpn/pkcs11_openssl.c src/openvpn/pkcs11_mbedtls.c src/openvpn/platform.c src/openvpn/platform.h src/openvpn/plugin.c src/openvpn/plugin.h src/openvpn/pool.c src/openvpn/pool.h src/openvpn/proto.c src/openvpn/proto.h src/openvpn/proxy.c src/openvpn/proxy.h src/openvpn/ps.c src/openvpn/ps.h src/openvpn/push.c src/openvpn/push.h src/openvpn/pushlist.h src/openvpn/reflect_filter.c src/openvpn/reflect_filter.h src/openvpn/reliable.c src/openvpn/reliable.h src/openvpn/route.c src/openvpn/route.h src/openvpn/run_command.c src/openvpn/run_command.h src/openvpn/schedule.c src/openvpn/schedule.h src/openvpn/session_id.c src/openvpn/session_id.h src/openvpn/shaper.c src/openvpn/shaper.h src/openvpn/sig.c src/openvpn/sig.h src/openvpn/socket.c src/openvpn/socket.h src/openvpn/socks.c src/openvpn/socks.h src/openvpn/ssl.c src/openvpn/ssl.h src/openvpn/ssl_backend.h src/openvpn/ssl_common.h src/openvpn/ssl_openssl.c src/openvpn/ssl_openssl.h src/openvpn/ssl_mbedtls.c src/openvpn/ssl_mbedtls.h src/openvpn/ssl_verify.c src/openvpn/ssl_verify.h src/openvpn/ssl_verify_backend.h src/openvpn/ssl_verify_openssl.c src/openvpn/ssl_verify_openssl.h src/openvpn/ssl_verify_mbedtls.c src/openvpn/ssl_verify_mbedtls.h src/openvpn/status.c src/openvpn/status.h src/openvpn/syshead.h src/openvpn/tls_crypt.c src/openvpn/tun.c src/openvpn/tun.h src/openvpn/tun_afunix.c src/openvpn/tun_afunix.h src/openvpn/networking_sitnl.c src/openvpn/networking_freebsd.c src/openvpn/auth_token.c src/openvpn/auth_token.h src/openvpn/ssl_ncp.c src/openvpn/ssl_ncp.h src/openvpn/ssl_pkt.c src/openvpn/ssl_pkt.h src/openvpn/ssl_util.c src/openvpn/ssl_util.h src/openvpn/vlan.c src/openvpn/vlan.h src/openvpn/wfp_block.c src/openvpn/wfp_block.h src/openvpn/win32.c src/openvpn/win32-util.c src/openvpn/win32.h src/openvpn/win32-util.h src/openvpn/xkey_helper.c src/openvpn/xkey_provider.c ) add_executable(openvpn ${SOURCE_FILES}) add_library_deps(openvpn) target_compile_options(openvpn PRIVATE -DDEFAULT_DNS_UPDOWN=\"${DNS_UPDOWN_PATH}\") if(MINGW) target_compile_options(openvpn PRIVATE -municode -UUNICODE) target_link_options(openvpn PRIVATE -municode) endif() if (MSVC) # we have our own manifest target_link_options(openvpn PRIVATE /MANIFEST:NO) endif() if (${CMAKE_SYSTEM_NAME} STREQUAL "Linux") target_link_libraries(openvpn PUBLIC -ldl) endif () if (NOT WIN32) target_compile_options(openvpn PRIVATE -DPLUGIN_LIBDIR=\"${PLUGIN_DIR}\") find_library(resolv resolv) # some platform like BSDs already include resolver functionality in the libc and not have an extra resolv library if (${resolv} OR APPLE) target_link_libraries(openvpn PUBLIC -lresolv) endif () endif () if (BUILD_TESTING) find_package(cmocka CONFIG) if (TARGET cmocka::cmocka) set(CMOCKA_LIBRARIES cmocka::cmocka) else () pkg_search_module(cmocka cmocka REQUIRED IMPORTED_TARGET) set(CMOCKA_LIBRARIES PkgConfig::cmocka) endif () set(unit_tests "test_auth_token" "test_buffer" "test_crypto" "test_misc" "test_ncp" "test_packet_id" "test_pkt" "test_provider" "test_ssl" "test_user_pass" ) if (WIN32) list(APPEND unit_tests "test_cryptoapi" ) endif () # MSVC and Apple's LLVM ld do not support --wrap # This test requires cmake >= 3.18, so check if check_linker_flag is # available if (COMMAND check_linker_flag) check_linker_flag(C -Wl,--wrap=parse_line LD_SUPPORTS_WRAP) endif() # Clang-cl (which is also MSVC) is wrongly detected to support wrap if (NOT MSVC AND "${LD_SUPPORTS_WRAP}") list(APPEND unit_tests "test_argv" "test_tls_crypt" ) endif () # These tests work on only on Linux since they depend on special Linux features if (${CMAKE_SYSTEM_NAME} STREQUAL "Linux") list(APPEND unit_tests "test_networking" ) endif () if (NOT WIN32 AND ${ENABLE_PKCS11}) set(_HAVE_SOFTHSM2 YES) find_program(P11TOOL p11tool) find_program(SOFTHSM2_UTIL softhsm2-util) find_library(SOFTHSM2_MODULE softhsm2 PATH_SUFFIXES softhsm) if (P11TOOL STREQUAL "P11TOOL-NOTFOUND") message(STATUS "p11tool not found, pkcs11 UT disabled") set(_HAVE_SOFTHSM2 NO) elseif (SOFTHSM2_UTIL STREQUAL "SOFTHSM2_UTIL-NOTFOUND") message(STATUS "softhsm2-util not found, pkcs11 UT disabled") set(_HAVE_SOFTHSM2 NO) elseif (SOFTHSM2_MODULE STREQUAL "SOFTHSM2_MODULE-NOTFOUND") message(STATUS "softhsm2 module not found, pkcs11 UT disabled") set(_HAVE_SOFTHSM2 NO) endif () if (_HAVE_SOFTHSM2) message(VERBOSE "pkcs11 UT enabled") list(APPEND unit_tests "test_pkcs11" ) endif () endif () foreach (test_name ${unit_tests}) cmake_path(SET _UT_SOURCE_DIR ${CMAKE_CURRENT_SOURCE_DIR}/tests/unit_tests/openvpn) # test_networking needs special environment if (NOT ${test_name} STREQUAL "test_networking") add_test(${test_name} ${test_name}) # for compat with autotools make check set_tests_properties(${test_name} PROPERTIES ENVIRONMENT "srcdir=${_UT_SOURCE_DIR}") endif () add_executable(${test_name} tests/unit_tests/openvpn/${test_name}.c tests/unit_tests/openvpn/mock_msg.c tests/unit_tests/openvpn/mock_msg.h src/openvpn/platform.c src/openvpn/win32-util.c src/compat/compat-gettimeofday.c ) add_library_deps(${test_name}) target_link_libraries(${test_name} PUBLIC ${CMOCKA_LIBRARIES}) target_include_directories(${test_name} PRIVATE src/openvpn) # for compat with IDEs like Clion that ignore the tests properties # for the environment variable srcdir when running tests as fallback target_compile_definitions(${test_name} PRIVATE "UNIT_TEST_SOURCEDIR=\"${_UT_SOURCE_DIR}\"") if (NOT ${test_name} STREQUAL "test_buffer") target_sources(${test_name} PRIVATE src/openvpn/buffer.c ) endif () endforeach() target_sources(test_auth_token PRIVATE src/openvpn/base64.c src/openvpn/crypto_epoch.c src/openvpn/crypto_mbedtls.c src/openvpn/crypto_openssl.c src/openvpn/crypto.c src/openvpn/otime.c src/openvpn/packet_id.c ) target_sources(test_buffer PRIVATE tests/unit_tests/openvpn/mock_get_random.c ) target_sources(test_crypto PRIVATE src/openvpn/crypto_mbedtls.c src/openvpn/crypto_openssl.c src/openvpn/crypto_epoch.c src/openvpn/crypto.c src/openvpn/otime.c src/openvpn/packet_id.c src/openvpn/mtu.c src/openvpn/mss.c ) target_sources(test_ssl PRIVATE tests/unit_tests/openvpn/mock_management.c tests/unit_tests/openvpn/mock_ssl_dependencies.c tests/unit_tests/openvpn/mock_win32_execve.c src/openvpn/argv.c src/openvpn/base64.c src/openvpn/crypto_epoch.c src/openvpn/crypto_mbedtls.c src/openvpn/crypto_openssl.c src/openvpn/crypto.c src/openvpn/cryptoapi.c src/openvpn/env_set.c src/openvpn/mss.c src/openvpn/mtu.c src/openvpn/options_util.c src/openvpn/otime.c src/openvpn/packet_id.c src/openvpn/run_command.c src/openvpn/ssl_mbedtls.c src/openvpn/ssl_openssl.c src/openvpn/ssl_util.c src/openvpn/ssl_verify_mbedtls.c src/openvpn/ssl_verify_openssl.c src/openvpn/xkey_helper.c src/openvpn/xkey_provider.c ) target_sources(test_misc PRIVATE tests/unit_tests/openvpn/mock_get_random.c src/openvpn/options_util.c src/openvpn/ssl_util.c src/openvpn/list.c ) target_sources(test_ncp PRIVATE src/openvpn/crypto_epoch.c src/openvpn/crypto_mbedtls.c src/openvpn/crypto_openssl.c src/openvpn/crypto.c src/openvpn/otime.c src/openvpn/packet_id.c src/openvpn/ssl_util.c src/compat/compat-strsep.c ) target_sources(test_packet_id PRIVATE tests/unit_tests/openvpn/mock_get_random.c src/openvpn/otime.c src/openvpn/packet_id.c src/openvpn/reliable.c src/openvpn/session_id.c ) target_sources(test_pkt PRIVATE tests/unit_tests/openvpn/mock_win32_execve.c src/openvpn/argv.c src/openvpn/base64.c src/openvpn/crypto_epoch.c src/openvpn/crypto_mbedtls.c src/openvpn/crypto_openssl.c src/openvpn/crypto.c src/openvpn/env_set.c src/openvpn/otime.c src/openvpn/packet_id.c src/openvpn/reliable.c src/openvpn/run_command.c src/openvpn/session_id.c src/openvpn/ssl_pkt.c src/openvpn/tls_crypt.c ) target_sources(test_provider PRIVATE tests/unit_tests/openvpn/mock_get_random.c src/openvpn/xkey_provider.c src/openvpn/xkey_helper.c src/openvpn/base64.c ) target_sources(test_user_pass PRIVATE tests/unit_tests/openvpn/mock_get_random.c tests/unit_tests/openvpn/mock_win32_execve.c src/openvpn/base64.c src/openvpn/console.c src/openvpn/env_set.c src/openvpn/run_command.c ) if (TARGET test_argv) target_link_options(test_argv PRIVATE -Wl,--wrap=parse_line) target_sources(test_argv PRIVATE tests/unit_tests/openvpn/mock_get_random.c src/openvpn/argv.c ) endif () if (TARGET test_cryptoapi) target_sources(test_cryptoapi PRIVATE tests/unit_tests/openvpn/mock_get_random.c tests/unit_tests/openvpn/cert_data.h tests/unit_tests/openvpn/pkey_test_utils.c src/openvpn/xkey_provider.c src/openvpn/xkey_helper.c src/openvpn/base64.c ) endif () if (TARGET test_networking) target_link_options(test_networking PRIVATE -Wl,--wrap=parse_line) target_compile_options(test_networking PRIVATE -UNDEBUG) target_sources(test_networking PRIVATE src/openvpn/networking_sitnl.c src/openvpn/crypto_epoch.c src/openvpn/crypto_mbedtls.c src/openvpn/crypto_openssl.c src/openvpn/crypto.c src/openvpn/crypto_epoch.c src/openvpn/otime.c src/openvpn/packet_id.c ) endif () if (TARGET test_tls_crypt) target_link_options(test_tls_crypt PRIVATE -Wl,--wrap=parse_line) target_link_options(test_tls_crypt PRIVATE -Wl,--wrap=buffer_read_from_file -Wl,--wrap=buffer_write_file -Wl,--wrap=rand_bytes) target_sources(test_tls_crypt PRIVATE tests/unit_tests/openvpn/mock_win32_execve.c src/openvpn/argv.c src/openvpn/base64.c src/openvpn/crypto_epoch.c src/openvpn/crypto_mbedtls.c src/openvpn/crypto_openssl.c src/openvpn/crypto.c src/openvpn/env_set.c src/openvpn/otime.c src/openvpn/packet_id.c src/openvpn/run_command.c ) endif () if (TARGET test_pkcs11) target_compile_options(test_pkcs11 PRIVATE -DP11TOOL_PATH=\"${P11TOOL}\" -DSOFTHSM2_MODULE_PATH=\"${SOFTHSM2_MODULE}\" -DSOFTHSM2_UTIL_PATH=\"${SOFTHSM2_UTIL}\" ) target_sources(test_pkcs11 PRIVATE tests/unit_tests/openvpn/mock_get_random.c tests/unit_tests/openvpn/pkey_test_utils.c src/openvpn/argv.c src/openvpn/base64.c src/openvpn/env_set.c src/openvpn/otime.c src/openvpn/pkcs11.c src/openvpn/pkcs11_openssl.c src/openvpn/run_command.c src/openvpn/xkey_helper.c src/openvpn/xkey_provider.c ) endif () endif (BUILD_TESTING) openvpn-2.7_alpha1/CMakePresets.json0000664000000000000000000002063515015650160016223 0ustar rootroot{ "version": 3, "configurePresets": [ { "name": "base", "hidden": true, "cacheVariables": { "CMAKE_TOOLCHAIN_FILE": { "value": "$env{VCPKG_ROOT}/scripts/buildsystems/vcpkg.cmake", "type": "FILEPATH" }, "VCPKG_OVERLAY_TRIPLETS": { "value": "${sourceDir}/contrib/vcpkg-triplets", "type": "FILEPATH" }, "VCPKG_OVERLAY_PORTS": { "value": "${sourceDir}/contrib/vcpkg-ports", "type": "FILEPATH" } } }, { "name": "base-windows", "hidden": true, "binaryDir": "${sourceDir}/out/build/${presetName}", "generator": "Visual Studio 17 2022", "cacheVariables": { "VCPKG_MANIFEST_DIR": "${sourceDir}/contrib/vcpkg-manifests/windows", "VCPKG_HOST_TRIPLET": "x64-windows" }, "vendor": { "microsoft.com/VisualStudioSettings/CMake/1.0": { "hostOS": [ "Windows" ] } } }, { "name": "base-mingw", "hidden": true, "generator": "Ninja Multi-Config", "cacheVariables": { "CMAKE_SYSTEM_NAME": { "value": "Windows", "type": "STRING" }, "VCPKG_MANIFEST_DIR": "${sourceDir}/contrib/vcpkg-manifests/mingw" } }, { "name": "x64", "hidden": true, "architecture": { "value": "x64", "strategy": "set" }, "cacheVariables": { "VCPKG_TARGET_TRIPLET": "x64-windows-ovpn" } }, { "name": "x64-mingw", "hidden": true, "binaryDir": "out/build/mingw/x64", "cacheVariables": { "CMAKE_C_COMPILER": { "value": "x86_64-w64-mingw32-gcc", "type": "STRING" }, "CMAKE_CXX_COMPILER": { "value": "x86_64-w64-mingw32-g++", "type": "STRING" }, "VCPKG_TARGET_TRIPLET": "x64-mingw-ovpn" } }, { "name": "arm64", "hidden": true, "architecture": { "value": "arm64", "strategy": "set" }, "cacheVariables": { "VCPKG_TARGET_TRIPLET": "arm64-windows-ovpn" } }, { "name": "x86", "hidden": true, "architecture": { "value": "Win32", "strategy": "set" }, "cacheVariables": { "VCPKG_TARGET_TRIPLET": "x86-windows-ovpn" } }, { "name": "i686-mingw", "hidden": true, "binaryDir": "out/build/mingw/x86", "cacheVariables": { "CMAKE_C_COMPILER": { "value": "i686-w64-mingw32-gcc", "type": "STRING" }, "CMAKE_CXX_COMPILER": { "value": "i686-w64-mingw32-g++", "type": "STRING" }, "VCPKG_TARGET_TRIPLET": "x86-mingw-ovpn" } }, { "name": "debug", "hidden": true, "cacheVariables": { "CMAKE_BUILD_TYPE": "Debug" } }, { "name": "release", "hidden": true, "cacheVariables": { "CMAKE_BUILD_TYPE": "Release" } }, { "name": "clangtoolset", "toolset": "ClangCL" }, { "name": "mingw-x64", "inherits": [ "base", "base-mingw", "x64-mingw" ] }, { "name": "mingw-x86", "inherits": [ "base", "base-mingw", "i686-mingw" ] }, { "name": "win-amd64-release", "inherits": [ "base", "base-windows", "x64", "release" ] }, { "name": "win-amd64-clang-release", "inherits": [ "base", "base-windows", "clangtoolset", "x64", "release" ] }, { "name": "win-arm64-release", "inherits": [ "base", "base-windows", "arm64", "release" ] }, { "name": "win-x86-release", "inherits": [ "base", "base-windows", "x86", "release" ] }, { "name": "win-x86-clang-release", "inherits": [ "base", "base-windows", "clangtoolset", "x86", "release" ] }, { "name": "win-amd64-debug", "inherits": [ "base", "base-windows", "x64", "debug" ] }, { "name": "win-amd64-clang-debug", "inherits": [ "base", "base-windows", "clangtoolset", "x64", "debug" ] }, { "name": "win-arm64-debug", "inherits": [ "base", "base-windows", "arm64", "debug" ] }, { "name": "win-x86-debug", "inherits": [ "base", "base-windows", "x86", "debug" ] }, { "name": "win-x86-clang-debug", "inherits": [ "base", "base-windows", "clangtoolset", "x86", "debug" ] }, { "name": "unix-native", "generator": "Ninja Multi-Config", "binaryDir": "out/build/unix" } ], "buildPresets": [ { "name": "mingw-x64", "configurePreset": "mingw-x64" }, { "name": "mingw-x86", "configurePreset": "mingw-x86" }, { "name": "win-amd64-release", "configurePreset": "win-amd64-release", "configuration": "Release" }, { "name": "win-amd64-clang-release", "configurePreset": "win-amd64-clang-release", "configuration": "Release" }, { "name": "win-arm64-release", "configurePreset": "win-arm64-release", "configuration": "Release" }, { "name": "win-x86-release", "configurePreset": "win-x86-release", "configuration": "Release" }, { "name": "win-x86-clang-release", "configurePreset": "win-x86-clang-release", "configuration": "Release" }, { "name": "win-amd64-debug", "configurePreset": "win-amd64-debug", "configuration": "Debug" }, { "name": "win-amd64-clang-debug", "configurePreset": "win-amd64-clang-debug", "configuration": "Debug" }, { "name": "win-arm64-debug", "configurePreset": "win-arm64-debug", "configuration": "Debug" }, { "name": "win-x86-debug", "configurePreset": "win-x86-debug", "configuration": "Debug" }, { "name": "win-x86-clang-debug", "configurePreset": "win-x86-clang-debug", "configuration": "Debug" }, { "name": "unix-native", "configurePreset": "unix-native" } ], "testPresets": [ { "name": "win-amd64-release", "configurePreset": "win-amd64-release" }, { "name": "win-amd64-clang-release", "configurePreset": "win-amd64-clang-release" }, { "name": "win-x86-release", "configurePreset": "win-x86-release" }, { "name": "win-x86-clang-release", "configurePreset": "win-x86-clang-release" }, { "name": "win-amd64-debug", "configurePreset": "win-amd64-debug" }, { "name": "win-amd64-clang-debug", "configurePreset": "win-amd64-clang-debug" }, { "name": "win-x86-debug", "configurePreset": "win-x86-debug" }, { "name": "win-x86-clang-debug", "configurePreset": "win-x86-clang-debug" }, { "name": "unix-native", "configurePreset": "unix-native" } ] } openvpn-2.7_alpha1/CONTRIBUTING.rst0000664000000000000000000000404615015650160015441 0ustar rootrootCONTRIBUTING TO THE OPENVPN PROJECT =================================== Patches should be written against the Git "master" branch. Some patches may get backported to a release branch. The preferred procedure to send patches to the "openvpn-devel" mailing list: - https://lists.sourceforge.net/lists/listinfo/openvpn-devel While we do not merge GitHub pull requests as-is, we do allow their use for code review purposes. After the patch has been ACKed (reviewed and accepted), it must be sent to the mailing list. This last step does not necessarily need to be done by the patch author, although that is definitely recommended. When sending patches to "openvpn-devel" the subject line should be prefixed with [PATCH]. To avoid merging issues the patches should be generated with git-format-patch or sent using git-send-email. Try to split large patches into small, atomic pieces to make reviews easier. Please make sure that the source code formatting follows the guidelines at https://community.openvpn.net/openvpn/wiki/CodeStyle. Automated checking can be done with uncrustify (http://uncrustify.sourceforge.net/) and the configuration file which can be found in the git repository at dev-tools/uncrustify.conf. There is also a git pre-commit hook script, which runs uncrustify automatically each time you commit and lets you format your code conveniently, if needed. To install the hook simply run: dev-tools/git-pre-commit-uncrustify.sh install If you want quick feedback on a patch before sending it to openvpn-devel mailing list, you can visit the #openvpn-devel channel on irc.libera.chat. Note that you need to be logged in to Libera to join the channel: - https://libera.chat/guides/registration More detailed contribution instructions are available here: - https://community.openvpn.net/openvpn/wiki/DeveloperDocumentation Note that the process for contributing to other OpenVPN projects such as openvpn-build, openvpn-gui, tap-windows6 and easy-rsa may differ from what was described above. Please refer to the contribution instructions of each respective project. openvpn-2.7_alpha1/COPYING0000664000000000000000000002664515015650160014044 0ustar rootrootOpenVPN (TM) -- An Open Source VPN daemon Copyright (C) 2002-2024 OpenVPN Inc This distribution contains multiple components, some of which fall under different licenses. By using OpenVPN or any of the bundled components enumerated below, you agree to be bound by the conditions of the license for each respective component. OpenVPN trademark ----------------- "OpenVPN" is a trademark of OpenVPN Inc OpenVPN license: ---------------- OpenVPN is distributed under the GPL license version 2 (see Below). Special exception for linking OpenVPN with OpenSSL: In addition, as a special exception, OpenVPN Inc gives permission to link the code of this program with the OpenSSL library (or with modified versions of OpenSSL that use the same license as OpenSSL), and distribute linked combinations including the two. You must obey the GNU General Public License in all respects for all of the code used other than OpenSSL. If you modify this file, you may extend this exception to your version of the file, but you are not obligated to do so. If you do not wish to do so, delete this exception statement from your version. Apache2 linking exception: --------------------------- In addition, as a special exception, OpenVPN Inc and the contributors give permission to link the code of this program to libraries (the "Libraries") licensed under the Apache License version 2.0 (this work and any linked library the "Combined Work") and copy and distribute the Combined Work without an obligation to license the Libraries under the GNU General Public License v2 (GPL-2.0) as required by Section 2 of the GPL-2.0, and without an obligation to refrain from imposing any additional restrictions in the Apache License version 2 that are not in the GPL-2.0, as required by Section 6 of the GPL-2.0. You must comply with the GPL-2.0 in all other respects for the Combined Work, including the obligation to provide source code. If you modify this file, you may extend this exception to your version of the file, but you are not obligated to do so. If you do not wish to do so, delete this exception statement from your version. For better understanding, in plain non-legalese English this basically says: * The intention for this license exception is to allow OpenVPN to be linked against APL-2 licensed libraries, even where the GPL-2.0 and APL-2 licenses conflict from a legal perspective. * OpenVPN itself will stay GPL-2.0 and the code belonging to the OpenVPN project must comply to the GPL-2.0 license. This is NOT dual-licensing of the OpenVPN code base. * This license exception DOES NOT require NOR expect a license change of the APL-2 based library. This exception allows using the APL-2 library as-is. However, when distributing a compiled OpenVPN binary linking against APL-2 libraries ("Combined Work"), the REQUIREMENT is that the APL-2 library MUST also be available on similar terms as in GPL-2.0, like providing the source code of the library upon request, except in the two specific ways mentioned. * If the APL-2 based library forbids such linking and distribution, this license exception DOES NOT overrule the restriction of the APL-2 based library. If the APL-2 library cannot satisfy the requirements in this license exception, you CANNOT distribute an OpenVPN binary linked with this library. LZO license: ------------ LZO is Copyright (C) Markus F.X.J. Oberhumer, and is licensed under the GPL. Special exception for linking OpenVPN with both OpenSSL and LZO: Hereby I grant a special exception to the OpenVPN project (http://openvpn.net/) to link the LZO library with the OpenSSL library (http://www.openssl.org). Markus F.X.J. Oberhumer TAP-Win32/TAP-Win64 Driver license: ----------------------------------- This device driver was inspired by the CIPE-Win32 driver by Damion K. Wilson. The source and object code of the TAP-Win32/TAP-Win64 driver is Copyright (C) 2002-2018 OpenVPN Inc, and is released under the GPL version 2. Windows DDK Samples: -------------------- The Windows binary distribution includes devcon.exe, a Microsoft DDK sample which is redistributed under the terms of the DDK EULA. NSIS License: ------------- Copyright (C) 2002-2003 Joost Verburg This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software. Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions: 1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required. 2. Altered versions must be plainly marked as such, and must not be misrepresented as being the original software. 3. This notice may not be removed or altered from any distribution. OpenSSL License: ---------------- The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the OpenSSL License and the original SSLeay license apply to the toolkit. See below for the actual license texts. Actually both licenses are BSD-style Open Source licenses. In case of any license issues related to OpenSSL please contact openssl-core@openssl.org. /* ==================================================================== * Copyright (c) 1998-2003 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. All advertising materials mentioning features or use of this * software must display the following acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" * * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to * endorse or promote products derived from this software without * prior written permission. For written permission, please contact * openssl-core@openssl.org. * * 5. Products derived from this software may not be called "OpenSSL" * nor may "OpenSSL" appear in their names without prior written * permission of the OpenSSL Project. * * 6. Redistributions of any form whatsoever must retain the following * acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit (http://www.openssl.org/)" * * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. * ==================================================================== * * This product includes cryptographic software written by Eric Young * (eay@cryptsoft.com). This product includes software written by Tim * Hudson (tjh@cryptsoft.com). * */ Original SSLeay License ----------------------- /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] */ GNU Public License (GPL) ------------------------ OpenVPN, LZO, and the TAP-Win32 distributions are licensed under the GPL version 2 (see COPYRIGHT.GPL). In the Windows binary distribution of OpenVPN, the GPL is reproduced below. openvpn-2.7_alpha1/COPYRIGHT.GPL0000664000000000000000000004315215015650160014715 0ustar rootroot GNU GENERAL PUBLIC LICENSE Version 2, June 1991 Copyright (C) 1989, 1991 Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. Preamble The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Lesser General Public License instead.) You can apply it to your programs, too. When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things. To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it. For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights. We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software. Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations. Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all. The precise terms and conditions for copying, distribution and modification follow. GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you". Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does. 1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program. You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee. 2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions: a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change. b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License. c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.) These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program. In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. 3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following: a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.) The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable. If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code. 4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance. 5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it. 6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License. 7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program. If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. 8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License. 9. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation. 10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. NO WARRANTY 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. END OF TERMS AND CONDITIONS How to Apply These Terms to Your New Programs If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms. To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found. Copyright (C) This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License version 2 as published by the Free Software Foundation. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. Also add information on how to contact you by electronic and paper mail. If the program is interactive, make it output a short notice like this when it starts in an interactive mode: Gnomovision version 69, Copyright (C) year name of author Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details. The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, the commands you use may be called something other than `show w' and `show c'; they could even be mouse-clicks or menu items--whatever suits your program. You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the program, if necessary. Here is a sample; alter the names: Yoyodyne, Inc., hereby disclaims all copyright interest in the program `Gnomovision' (which makes passes at compilers) written by James Hacker. , 1 April 1989 Ty Coon, President of Vice This General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Lesser General Public License instead of this License. openvpn-2.7_alpha1/ChangeLog0000664000000000000000000011275515015650160014561 0ustar rootrootOpenVPN ChangeLog Copyright (C) 2002-2025 OpenVPN Inc 2025.05.28 -- Version 2.7_alpha1 5andr0 (1): Implement server_poll_timeout for socks Alexander von Gluck (4): Haiku: Introduce basic platform / tun support Haiku: Add calls to manage routing table Haiku: change del to delete in route command. del is undocumented Haiku: Fix short interface path length Antonio Quartulli (32): disable DCO if --secret is specified dco: properly re-initialize dco_del_peer_reason dco: bail out when no peer-specific message is delivered dco: improve comment about hidden debug message dco: print proper message in case of transport disconnection dco_linux: update license for ovpn_dco_linux.h Update issue templates Avoid warning about missing braces when initialising key struct dco: don't use NetLink to exchange control packets dco: print version to log if available dco-linux: remove M_ERRNO flag when printing netlink error message multi: don't call DCO APIs if DCO is disabled dco-freebsd: use m->instances[] instead of m->hash dco-linux: implement dco_get_peer_stats{, multi} API configure.ac: fix typ0 in LIBCAPNG_CFALGS dco: fix crash when --multihome is used with --proto tcp dco: mark peer as deleted from kernel after receiving CMD_DEL_PEER notification event/multi: add event_arg object to make event handling more generic pass link_socket object to i/o functions io_work: convert shift argument to uintptr_t io_work: pass event_arg object to event handler in case of socket event sitnl: replace NLMSG_TAIL macro with noinline function override ai_family if 'local' numeric address was specified Adapt socket handling to support listening on multiple sockets allow user to specify 'local' multiple times in config files dco_linux: extend netlink error cb with extra info man: extend --persist-tun section dco: pass remoteaddr only for UDP peers socket: use remote proto when creating client sockets dco_linux: fix peer stats parsing with new ovpn kernel module socket: don't transfer bind family to socket in case of ANY address dco_linux: avoid bogus text when netlink message is not parsed Aquila Macedo (1): doc: Correct typos in multiple documentation files Arne Schwabe (190): Fix connection cookie not including address and fix endianness in test Fix unit test of test_pkt on little endian Linux Disable DCO when TLS mode is not used Ignore connection attempts while server is shutting down Improve debug logging of DCO swap key message and Linux dco_new_peer Trigger a USR1 if dco_update_keys fails Set DCO_NOT_INSTALLED also for keys not in the get_key_scan range Ensure that argument to parse_line has always space for final sentinel Improve documentation on user/password requirement and unicodize function Eliminate or comment empty blocks and switch fallthrough Remove unused gc_arena Fix corner case that might lead to leaked file descriptor Deprecate NTLMv1 proxy auth method. Use include "buffer.h" instead of include Ensure that dco keepalive and mssfix options are also set in pure p2p mode Make management password check constant time Rename TM_UNTRUSTED to TM_INITIAL, always start session in TM_INITIAL rather than TM_ACTIVE or TM_INITIAL Move dco_installed back to link_socket from link_socket.info.actual Do not set nl socket buffer size Also drop incoming dco packet content when dropping the packet Improve logging when seeing a message for an unkown peer Ignore OVPN_DEL_PEER_REASON_USERSPACE to avoid race conditions Replace custom min macro and use more C99 style in man_remote_entry_get Replace realloc with new gc_realloc function Add connect-freq-initial option to limit initial connection responses Log peer-id if loglevel is D_DCO_DEBUG and dco is enabled Deprecate OCC checking Workaround: make ovpn-dco more reliable Fix unaligned access in auth-token Update LibreSSL to 3.7.0 in Github actions Add printing USAN stack trace on github actions Fix LibreSSL not building in Github Actions Add missing stdint.h includes in unit tests files Combine extra_tun/frame parameter of frame_calculate_payload_overhead Update the last sections in the man page to a be a bit less outdated Add building unit tests with mingw to github actions Revise the cipher negotiation info about OpenVPN3 in the man page Exit if a proper message instead of segfault on Android without management Use proper print format/casting when converting msg_channel handle Reduce initialisation spam from verb <= 3 and print summary instead Dynamic tls-crypt for secure soft_reset/session renegotiation Set netlink socket to be non-blocking Ensure n = 2 is set in key2 struct in tls_crypt_v2_unwrap_client_key Fix memory leaks in open_tun_dco() Fix memory leaks in HMAC initial packet generation Use key_state instead of multi for tls_send_payload parameter Make sending plain text control message session aware Only update frame calculation if we have a valid link sockets Improve description of compat-mode Simplify --compress parsing in options.c Refuse connection if server pushes an option contradicting allow-compress Add 'allow-compression stub-only' internally for DCO Parse compression options and bail out when compression is disabled Remove unused variable line Add Apache2 linking with for new commits Fix compile error on TARGET_ANDROID Fix use-after-free with EVP_CIPHER_free Remove key_type argument from generate_key_random add basic CMake based build Avoid unused function warning/error on FreeBSD (and potientially others) Do not blindly assume python3 is also the interpreter that runs rst2html Only add -Wno-stringop-truncation on supported compilers fix warning with gcc 12.2.0 (compiler bug?) Fix CR_RESPONSE mangaement message using wrong key_id Print a more user-friendly error when tls-crypt-v2 client auth fails Ignore Ipv6 route delete request on Android and set ipv4 verbosity to 7 Mock openvpn_exece on win32 also for test_tls_crypt Check if the -wrap argument is actually supported by the platform's ld Revert commit 423ced962d Implement using --peer-fingerprint without CA certificates show extra info for OpenSSL errors Remove ability to use configurations without TLS by default Add warning for the --show-groups command that some groups are missing Print peer temporary key details Add warning if a p2p NCP client connects to a p2mp server Remove openssl engine method for loading the key Add undefined and abort on error to clang sanitize builds Add --enable-werror to all platforms in Github Actions Remove saving initial frame code Double check that we do not use a freed buffer when freeing a session Fix using to_link buffer after freed Remove CMake custom compiler flags for RELEASE and DEBUG build Do not check key_state buffers that are in S_UNDEF state Remove unused function prototype crypto_adjust_frame_parameters Introduce report_command_status helper function Log SSL alerts more prominently Remove unused/unneeded/add missing defines from configure/cmake Document tls-exit option mainly as test option Remove dead remains of extract_x509_field_test Replace character_class_debug with proper unit test Remove TEST_GET_DEFAULT_GATEWAY as it duplicates --show-gateway Fix check_session_buf_not_used using wrong index Add missing check for nl_socket_alloc failure Add check for nice in cmake config Minimal Solaris/OpenIndiana support to Cmake and clean up -Werror Remove compat versionhelpers.h and remove cmake/configure check for it Rename state_change to continue_tls_process Move tls_get_cipher_name_pair and get_num_elements to ssl_utils.c Fix building mbed TLS with CMake and allow specifying custom directories Extend the error message when TLS 1.0 PRF fails Fix unaligned access in macOS, FreeBSD, Solaris hwaddr Check PRF availability on initialisation and add --force-tls-key-material-export Make it more explicit and visible when pkg-config is not found Clarify that the tls-crypt-v2-verify has a very limited env set Move get_tmp_dir to win32-util.c and error out on failure Implement the --tls-export-cert feature Use mingw compile definition also to unit tests Add test_ssl unit test and test export of PEM to file Remove conditional text for Apache2 linking exception Fix ssl unit tests on OpenSSL 1.0.2 Ensure that all unit tests use unbuffered stdout and stderr Allow unit tests to fall back to hard coded location Add unit test for encrypting/decrypting data channel Print SSL peer signature information in handshake debug details Implement generating TLS 1.0 PRF using new OpenSSL 3.0 APIs Turn dead list test code into unit test Use snprintf instead of sprintf for get_ssl_library_version Fix snprintf/swnprintf related compiler warnings Add bracket in fingerprint message and do not warn about missing verification Match ifdef for get_sigtype function with if ifdef of caller Remove/combine redundant call of EVP_CipherInit before EVP_CipherInit_Ex Add missing EVP_KDF_CTX_free in ssl_tls1_PRF Replace macos11 with macos14 in github runners Remove openvpn_snprintf and similar functions Repeat the unknown command in errors from management interface Only run coverity scan in OpenVPN/OpenVPN repository Support OpenBSD with cmake Workaround issue in LibreSSL crashing when enumerating digests/ciphers Remove OpenSSL 1.0.2 support Remove custom TLS 1.0 PRF implementation only used by LibreSSL/wolfSSL Allow the TLS session to send out TLS alerts Properly handle null bytes and invalid characters in control messages Allow trailing \r and \n in control channel message Add Ubuntu 24.04 runner to Github Actions Implement support for AEAD tag at the end Remove check for anonymous unions from configure and cmake config Make read/write_tun_header static Avoid SIGUSR1 to SIGHUP remapping when the configuration is read from stdin Move to common backend_driver type in struct tuntap Introduce DRIVER_AFUNIX backend for use with lwipovpn Change dev null to be a driver type instead of a special mode of tun/tap Use print_tun_backend_driver instead of custom code to print type Automatically enable ifconfig-exec/route-exec behaviour for afunix tun/tap Ensure that the AF_UNIX socket pair has at least 65k of buffer space Fix check for CMake not detecting struct cmsg Remove null check after checking for checking for did_open_tun Remove a large number of unused structs and functions Remove unused methods write_key/read_key Refuse clients if username or password is longer than USER_PASS_LEN Move should_trigger_renegotiation into its own function Change --reneg-bytes and --reneg-packets to 64 bit counters Use XOR instead of concatenation for calculation of IV from implicit IV Trigger renegotiation of data key if getting close to the AEAD usage limit Implement HKDF expand function based on RFC 8446 Split init_key_ctx_bi into send/recv init Move initialisation of implicit IVs to init_key_ctx_bi methods Change internal id of packet id to uint64 Add small unit test for buf_chomp Add building/testing with msbuild and the clang compiler Ensure that Python3 is available Change API of init_key_ctx to use struct key_parameters Allow DEFAULT in data-ciphers and report both expanded and user set option Do not attempt to decrypt packets anymore after 2**36 failed decryptions Add methods to read/write packet ids for epoch data Implement methods to generate and manage OpenVPN Epoch keys Rename aead-tag-at-end to aead-epoch Improve peer fingerprint documentation Remove comparing username to NULL in tls_lock_username Print warnings/errors when numerical parameters cannot be parsed Add unit tests for atoi parsing options helper Improve error reporting from AF_UNIX tun/tap support Fix typo in positive_atoi Fix oversight of link socket code change in Android code path Implement epoch key data format Extend the unit test for data channel packets with aead limit tests Add (fake) Android cmake building Add android build to Github Actions Reconnect when TCP is on use on network-change management command Implement override-username Fix incorrect condition for checking password related check Directly use _countof in array initialisation Improve documentation for override-username Mention address if not unspecific on DNS failure Do not leave half-initialised key wrap struct when dynamic tls-crypt fails Allow tls-crypt-v2 to be setup only on initial packet of a session Use SSL_get0_peer_signature_name instead of SSL_get_peer_signature_nid Use USER_PASS_LEN instead of TLS_USERNAME_LEN for override-username Also print key agreement when printing negotiated details Fix mbed TLS key exporter functionality in 3.6.x and cmake Make --dh none behaviour default if not specified Ben Boeckel (1): console_systemd: remove the timeout when using 'systemd-ask-password' Christoph Schug (1): Update documentation references in systemd unit files Corubba Smith (3): Support IPv6 towards port-share proxy receiver Document x509-username-fields oid usage Remove x509-username-fields uppercasing David Sommerseth (4): ssl_verify: Fix memleak if creating deferred auth control files fails ntlm: Clarify details on NTLM phase 3 decoding Remove --tls-export-cert Remove superfluous x509_write_pem() Franco Fichtner (1): Allow to set ifmode for existing DCO interfaces in FreeBSD Frank Lichtenheld (174): options.c: fix format security error when compiling without optimization options.c: update usage description of --cipher Update copyright year to 2023 xkey_pkcs11h_sign: fix dangling pointer options: Always define options->management_flags check_engine_keys: make pass with OpenSSL 3 documentation: update 'unsupported options' section Changes.rst: document removal of --keysize Windows: fix unused function setenv_foreign_option Windows: fix unused variables in delete_route_ipv6 Windows: fix wrong printf format in x_check_status Windows: fix unused variable in win32_get_arch configure: enable DCO by default on FreeBSD/Linux Windows: fix signedness errors with recv/send configure: fix formatting of --disable-lz4 and --enable-comp-stub tests/unit_tests: Fix 'make distcheck' with subdir-objects enabled GHA: remove Ubuntu 18.04 builds vcpkg: request "tools" feature of openssl for MSVC build Do not include net/in_systm.h version.sh: remove doc: run rst2* with --strict to catch warnings man page: Remove cruft from --topology documentation tests: do not include t_client.sh in dist vcpkg-ports/pkcs11-helper: Make compatible with mingw build vcpkg-ports/pkcs11-helper: Convert CONTROL to vcpkg.json vcpkg-ports/pkcs11-helper: reference upstream PRs in patches dco_linux: properly close dco version file DCO: fix memory leak in dco_get_peer_stats_multi for Linux Fix two unused assignments sample-plugins: Fix memleak in client-connect example plugin tests: Allow to override openvpn binary used test_buffer: add tests for buf_catrunc and its caller format_hex_ex buffer: use memcpy in buf_catrunc options: remove --key-method from usage message msvc-generate: include version.m4.in in tarball dist: add more missing files only used in the MSVC build vcpkg-ports/pkcs11-helper: rename patches to make file names shorter unit_tests: Add missing cert_data.h to source list for unit tests dist: Include all documentation in distribution CMake: Add complete MinGW and MSVC build Remove all traces of the previous MSVC build system CMake: Add /Brepro to MSVC link options GHA: update to run-vcpkg@v11 test_tls_crypt: Improve mock() usage to be more portable CMake: Throw a clear error when config.h in top-level source directory CMake: Support doc builds on Windows machines that do not have .py file association Remove old Travis CI related files README.cmake.md: Add new documentation for CMake buildsystem GHA: refactor mingw UTs and add missing tls_crypt GHA: Add macos-13 options: Do not hide variables from parent scope pkcs11_openssl: Disable unused code route: Fix overriding return value of add_route3 CMake: various small non-functional improvements GHA: do not trigger builds in openvpn-build anymore Remove --no-replay option GHA: new workflow to submit scan to Coverity Scan service doc: fix argument name in --route-delay documentation Change type of frame.mss_fix to uint16_t Remove last uses of inet_ntoa mss/mtu: make all size calculations use size_t dev-tools/gerrit-send-mail.py: tool to send Gerrit patchsets to Patchwork gerrit-send-mail.py: Add patch version to subject Add mbedtls3 GHA build platform.c: Do not depend Windows build on HAVE_CHDIR sample-keys: renew for the next 10 years GHA: clean up libressl builds with newer libressl configure.ac: Remove unused AC_TYPE_SIGNAL macro documentation: remove reference to removed option --show-proxy-settings unit_tests: remove includes for mock_msg.h buffer: add documentation for string_mod and extend related UT tests: disable automake serial_tests documentation: improve documentation of --x509-track configure: allow to disable NTLM configure: enable silent rules by default misc: make get_auth_challenge static Remove support for NTLM v1 proxy authentication GHA: increase verbosity for make check NTLM: add length check to add_security_buffer NTLM: increase size of phase 2 response we can handle Fix various 'Uninitialized scalar variable' warnings from Coverity proxy-options.rst: Add proper documentation for --http-proxy-user-pass NTLM: when NTLMv1 is requested, try NTLMv2 instead buf_string_match_head_str: Fix Coverity issue 'Unsigned compared against 0' --http-proxy-user-pass: allow to specify in either order with --http-proxy test_user_pass: new UT for get_user_pass test_user_pass: Add UTs for character filtering gerrit-send-mail: Make output consistent across systems README.cmake.md: Document minimum required CMake version for --preset documentation: Update and fix documentation for --push-peer-info documentation: Fixes for previous fixes to --push-peer-info test_user_pass: add basic tests for static/dynamic challenges Fix typo --data-cipher-fallback samples: Remove tls-*.conf check_compression_settings_valid: Do not test for LZ4 in LZO check t_client.sh: Allow to skip tests gerrit-send-mail: add missing Signed-off-by Update Copyright statements to 2024 GHA: general update March 2024 samples: Update sample configurations documentation: make section levels consistent phase2_tcp_server: fix Coverity issue 'Dereference after null check' script-options.rst: Update ifconfig_* variables crypto_backend: fix type of enc parameter tests: fork default automake test-driver forked-test-driver: Show test output always Change default of "topology" to "subnet" Use topology default of "subnet" only for server mode Fix 'binary or' vs 'boolean or' related to server_bridge_proxy_dhcp configure: update old copy of pkg.m4 LZO: do not use lzoutils.h macros test_user_pass: Fix building with --enable-systemd Remove "experimental" denotation for --fast-io t_server_null.sh: Fix failure case configure: Add -Wstrict-prototypes and -Wold-style-definition configure: Try to detect LZO with pkg-config configure: Switch to C11 by default Fix missing spaces in various messages console_systemd: rename query_user_exec to query_user_systemd configure: Allow to detect git checkout if .git is not a directory GHA: Configure Renovate configure: Try to use pkg-config to detect mbedTLS tun: use is_tun_p2p more consistently Various fixes for -Wconversion errors generate_auth_token: simplify code GHA: Update dependency Mbed-TLS/mbedtls to v3.6.1 GHA: Enable t_server_null tests configure: Handle libnl-genl and libcap-ng consistent with other libs configure: Review use of standard AC macros socket: Change return types of link_socket_write* to ssize_t GHA: Pin dependencies GHA: Update macOS runners GHA: Simplify macOS builds Remove support for compression on send Fix wrong doxygen comments Various typo fixes macOS: Assume that net/if_utun.h is always present Fix some formatting related to if/else and macros Fix memory leak in ntlm_support forward: Fix potential unaligned access in drop_if_recursive_routing GHA: General update December 2024 Review doxygen warnings Regenerate doxygen config file with doxygen -u Fix 'uninitialized pointer read' in openvpn_decrypt_aead ssl_openssl: Clean up unused functions and add missing "static" Fix some trivial sign-compare compiler warnings tls_crypt_v2_write_client_key_file: Fix missing-field-initializers compiler warning openvpnserv: Fix some inconsistent usages of TEXT() Fix doxygen warnings in crypto_epoch.h GHA: Drop Ubuntu 20.04 and other maintenance GHA: Publish Doxygen documentation to Github Pages Add more 'intentional fallthrough' comments Remove various unused function parameters Remove unused function check_subnet_conflict options: Cleanup and simplify options_postprocess_verify_ce Apply text-removal.sh script to Windows codebase openvpnserv: Clean up use of TEXT() from DNS patches Post tchar.h removal cleanup Fix compatibility with mbedTLS 2.28.10+ and 3.6.3+ t_server_null_default.rc: Add some tests with --data-ciphers GHA: Pin version of CMake for all builds GHA: Dependency and Actions update April 2025 GHA: Make sure renovate notifies us about AWS LC releases Doxygen: Fix obsolete links to OpenSSL documentation GHA: Use CMake 4.0 and apply required fixes Doxygen: Clean up tls-crypt documentation Doxygen: Remove useless Python information Manually reformat some long trailing comments CMake: Make sure to treat UNIT_TEST_SOURCEDIR as path CMake: Sync list of compiler flags with configure.ac CMake: Reorganize header and symbol tests GHA: Dependency and Actions update May 2025 Doxygen: Fix missing parameter warnings Changes.rst: Collect, fix, and improve entries for 2.7 release George Pchelkin (1): fix typo: dhcp-options to dhcp-option in vpn-network-options.rst Gert Doering (21): Change version.m4 to 2.7_git bandaid fix for TCP multipoint server crash with Linux-DCO Undo FreeBSD 12.x workaround on IPv6 ifconfig for 12.4 and up Reduce logspam about 'dco_update_keys: peer_id=-1' in p2p server mode Fix OVPN_DEL_PEER_REASON_TRANSPORT_DISCONNECT breakage on FreeBSD+DCO Repair special-casing of EEXIST for Linux/SITNL route install Get rid of unused 'bool tuntap_buffer' arguments. FreeBSD 12.x workaround for IPv6 ifconfig is needed on 12.4 as well Make received OCC exit messages more visible in log. OpenBSD: repair --show-gateway get_default_gateway() HWADDR overhaul make t_server_null 'server alive?' check more robust t_client.sh: conditionally skip ifconfig+route check send uname() release as IV_PLAT_VER= on non-windows versions options: add IPv4 support to '--show-gateway ' get_default_gateway(): implement platform support for Linux/SITNL get_default_gateway(): implement platform support for Linux/IPROUTE2 add missing (void) to win32 function declarations add more (void) to windows specific function prototypes and declarations Make 'lport 0' no longer sufficient to do '--bind'. Add information-gathering about DNS resolvers configured to t_client.sh(.in) Gianmarco De Gregori (17): Persist-key: enable persist-key option by default Minor fix to process_ip_header Http-proxy: fix bug preventing proxy credentials caching Ensures all params are ready before invoking dco_set_peer() Route: remove incorrect routes on exit Fix for msbuild/mingw GHA failures multiproto: move generic event handling code in dedicated files Fix PASS_BY_VALUE issue in options_postprocess_mutate_le() mroute: adapt to new protocol handling and hashing improvements mroute/management: repair mgmt client-kill for mroute with proto Add support for simultaneous use of UDP and TCP sockets Rename occurences of 'struct link_socket' from 'ls' to 'sock' Fix FreeBSD-DCO and Multisocket interaction manpage: fix HTML format for --local Fix dco_win and multisocket interaction dco_linux: Introduce new uAPIs Explicit-exit-notify and multisocket interaction Heiko Hund (21): dns option: allow up to eight addresses per server work around false positive warning with mingw 12 dns option: remove support for exclude-domains cmake: create and link compile_commands.json file cmake: symlink whole build dir not just .json file Windows: enforce 'block-local' with WFP filters add and send IV_PROTO_DNS_OPTION_V2 flag dns: store IPv4 addresses in network byte order dns: clone options via pointer instead of copy service: add utf8to16 function that takes a size dns: support multiple domains without DHCP dns: do not use netsh to set name server addresses win: calculate address string buffer size win: implement --dns option support with NRPT dns: apply settings via script on unixoid systems fix typo in haikuos dns-updown script dns: support running up/down command with privsep dns: don't publish env vars to non-dns scripts dns: fix potential NULL pointer dereference win: match search domains when creating exclude rules win: fix collecting DNS exclude data Heiko Wundram (1): Implement Windows CA template match for Crypto-API selector Ilia Shipitsin (3): src/openvpn/init.c: handle strdup failures sample/sample-plugins/defer/multi-auth.c: handle strdup errors tests/unit_tests/openvpn/test_auth_token.c: handle strdup errors Ilya Shipitsin (1): src/openvpn/dco_freebsd.c: handle malloc failure Juliusz Sosinowicz (1): Change include order for tests Klemens Nanni (1): Fix tmp-dir documentation Kristof Provost (10): Read DCO traffic stats from the kernel dco: Update counters when a client disconnects Read the peer deletion reason from the kernel dco: cleanup FreeBSD dco_do_read() options.c: enforce a minimal fragment size configure: improve FreeBSD DCO check dco: define OVPN_DEL_PEER_REASON_TRANSPORT_DISCONNECT on FreeBSD dco: print FreeBSD version DCO: support key rotation notifications dco-freebsd: dynamically re-allocate buffer if it's too small Lev Stipakov (63): Rename dco_get_peer_stats to dco_get_peer_stats_multi management: add timer to output BYTECOUNT Introduce dco_get_peer_stats API and Windows implementation git-version.py: proper support for tags msvc: upgrade to Visual Studio 2022 tun: move print_windows_driver() out of tun.h openvpnmsica: remove dco installer custom actions openvpnmsica: remove unused declarations openvpnmsica: fix adapters discovery logic for DCO Allow certain DHCP options to be used without DHCP server dco-win: use proper calling convention on x86 Improve format specifier for socket handle in Windows Disable DCO if proxy is set via management Add logging for windows driver selection process Avoid management log loop with verb >= 6 Support --inactive option for DCO Fix '--inactive